packages feed

cryptonite 0.22 → 0.30

raw patch · 260 files changed

Files

CHANGELOG.md view
@@ -1,3 +1,104 @@+## 0.30++* Fix some C symbol blake2b prefix to be cryptonite_ prefix (fix mixing with other C library)+* add hmac-lazy+* Fix compilation with GHC 9.2+* Drop support for GHC8.0, GHC8.2, GHC8.4, GHC8.6++## 0.29++* advance compilation with gmp breakage due to change upstream+* Add native EdDSA support++## 0.28++* Add hash constant time capability+* Prevent possible overflow during hashing by hashing in 4GB chunks++## 0.27++* Optimise AES GCM and CCM+* Optimise P256R1 implementation+* Various AES-NI building improvements+* Add better ECDSA support+* Add XSalsa derive+* Implement square roots for ECC binary curve+* Various tests and benchmarks++## 0.26++* Add Rabin cryptosystem (and variants)+* Add bcrypt_pbkdf key derivation function+* Optimize Blowfish implementation+* Add KMAC (Keccak Message Authentication Code)+* Add ECDSA sign/verify digest APIs+* Hash algorithms with runtime output length+* Update blake2 to latest upstream version+* RSA-PSS with arbitrary key size+* SHAKE with output length not divisible by 8+* Add Read and Data instances for Digest type+* Improve P256 scalar primitives+* Fix hash truncation bug in DSA+* Fix cost parsing for bcrypt+* Fix ECC failures on arm64+* Correction to PKCS#1 v1.5 padding+* Use powModSecInteger when available+* Drop GHC 7.8 and GHC 7.10 support, refer to pkg-guidelines+* Optimise GCM mode+* Add little endian serialization of integer++## 0.25++* Improve digest binary conversion efficiency+* AES CCM support+* Add MonadFailure instance for CryptoFailable+* Various misc improvements on documentation+* Edwards25519 lowlevel arithmetic support+* P256 add point negation+* Improvement in ECC (benchmark, better normalization)+* Blake2 improvements to context size+* Use gauge instead of criterion+* Use haskell-ci for CI scripts+* Improve Digest memory representation to be 2 less Ints and one less boxing+  moving from `UArray` to `Block`++## 0.24++* Ed25519: generateSecret & Documentation updates+* Repair tutorial+* RSA: Allow signing digest directly+* IV add: fix overflow behavior+* P256: validate point when decoding+* Compilation fix with deepseq disabled+* Improve Curve448 and use decaf for Ed448+* Compilation flag blake2 sse merged in sse support+* Process unaligned data better in hashes and AES, on architecture needing alignment+* Drop support for ghc 7.6+* Add ability to create random generator Seed from binary data and+  loosen constraint on ChaChaDRG seed from ByteArray to ByteArrayAccess.+* Add 3 associated types with the HashAlgorithm class, to get+  access to the constant for BlockSize, DigestSize and ContextSize at the type level.+  the related function that this replaced will be deprecated in later release, and+  eventually removed.++API CHANGES:++* Improve ECDH safety to return failure for bad inputs (e.g. public point in small order subgroup).+  To go back to previous behavior you can replace `ecdh` by `ecdhRaw`. It's recommended to+  use `ecdh` and handle the error appropriately.+* Users defining their own HashAlgorithm needs to define the+  HashBlockSize, HashDigest, HashInternalContextSize associated types++## 0.23++* Digest memory usage improvement by using unpinned memory+* Fix generateBetween to generate within the right bounds+* Add pure Twofish implementation+* Fix memory allocation in P256 when using a temp point+* Consolidate hash benchmark code+* Add Nat-length Blake2 support (GHC > 8.0)+* Update tutorial+ ## 0.22  * Add Argon2 (Password Hashing Competition winner) hash function
Crypto/Cipher/AES.hs view
@@ -14,12 +14,11 @@  import Crypto.Error import Crypto.Cipher.Types+import Crypto.Cipher.Utils import Crypto.Cipher.Types.Block import Crypto.Cipher.AES.Primitive import Crypto.Internal.Imports -import Data.ByteArray as BA- -- | AES with 128 bit key newtype AES128 = AES128 AES     deriving (NFData)@@ -47,15 +46,6 @@     cipherKeySize _ = KeySizeFixed 32     cipherInit k    = AES256 <$> (initAES =<< validateKeySize (undefined :: AES256) k) -validateKeySize :: (ByteArrayAccess key, Cipher cipher) => cipher -> key -> CryptoFailable key-validateKeySize c k = if validKeyLength-                      then CryptoPassed k-                      else CryptoFailed CryptoError_KeySizeInvalid-  where keyLength = BA.length k-        validKeyLength = case cipherKeySize c of-          KeySizeRange low high -> keyLength >= low && keyLength <= high-          KeySizeEnum lengths -> keyLength `elem` lengths-          KeySizeFixed s -> keyLength == s  #define INSTANCE_BLOCKCIPHER(CSTR) \ instance BlockCipher CSTR where \@@ -67,6 +57,7 @@     ; ctrCombine (CSTR aes) (IV iv) = encryptCTR aes (IV iv) \     ; aeadInit AEAD_GCM (CSTR aes) iv = CryptoPassed $ AEAD (gcmMode aes) (gcmInit aes iv) \     ; aeadInit AEAD_OCB (CSTR aes) iv = CryptoPassed $ AEAD (ocbMode aes) (ocbInit aes iv) \+    ; aeadInit (AEAD_CCM n m l) (CSTR aes) iv = AEAD (ccmMode aes) <$> ccmInit aes iv n m l \     ; aeadInit _        _          _  = CryptoFailed CryptoError_AEADModeNotSupported \     }; \ instance BlockCipher128 CSTR where \
Crypto/Cipher/AES/Primitive.hs view
@@ -11,39 +11,46 @@ -- module Crypto.Cipher.AES.Primitive     (-    -- * block cipher data types+    -- * Block cipher data types       AES      -- * Authenticated encryption block cipher types     , AESGCM     , AESOCB -    -- * creation+    -- * Creation     , initAES -    -- * misc+    -- * Miscellanea     , genCTR     , genCounter -    -- * encryption+    -- * Encryption     , encryptECB     , encryptCBC     , encryptCTR     , encryptXTS -    -- * decryption+    -- * Decryption     , decryptECB     , decryptCBC     , decryptCTR     , decryptXTS -    -- * incremental GCM+    -- * CTR with 32-bit wrapping+    , combineC32++    -- * Incremental GCM     , gcmMode     , gcmInit -    -- * incremental OCB+    -- * Incremental OCB     , ocbMode     , ocbInit++    -- * CCM+    , ccmMode+    , ccmInit     ) where  import           Data.Word@@ -73,6 +80,7 @@     ctrCombine = encryptCTR     aeadInit AEAD_GCM aes iv = CryptoPassed $ AEAD (gcmMode aes) (gcmInit aes iv)     aeadInit AEAD_OCB aes iv = CryptoPassed $ AEAD (ocbMode aes) (ocbInit aes iv)+    aeadInit (AEAD_CCM n m l) aes iv = AEAD (ccmMode aes) <$> ccmInit aes iv n m l     aeadInit _        _   _  = CryptoFailed CryptoError_AEADModeNotSupported instance BlockCipher128 AES where     xtsEncrypt = encryptXTS@@ -96,7 +104,16 @@     , aeadImplFinalize     = ocbFinish aes     } +-- | Create an AES AEAD implementation for CCM+ccmMode :: AES -> AEADModeImpl AESCCM+ccmMode aes = AEADModeImpl+    { aeadImplAppendHeader = ccmAppendAAD aes+    , aeadImplEncrypt      = ccmEncrypt aes+    , aeadImplDecrypt      = ccmDecrypt aes+    , aeadImplFinalize     = ccmFinish aes+    } + -- | AES Context (pre-processed key) newtype AES = AES ScrubbedBytes     deriving (NFData)@@ -109,12 +126,19 @@ newtype AESOCB = AESOCB ScrubbedBytes     deriving (NFData) +-- | AESCCM State+newtype AESCCM = AESCCM ScrubbedBytes+    deriving (NFData)+ sizeGCM :: Int-sizeGCM = 80+sizeGCM = 320  sizeOCB :: Int sizeOCB = 160 +sizeCCM :: Int+sizeCCM = 80+ keyToPtr :: AES -> (Ptr AES -> IO a) -> IO a keyToPtr (AES b) f = withByteArray b (f . castPtr) @@ -152,6 +176,13 @@         a     <- withByteArray newSt $ \gcmStPtr -> f (castPtr gcmStPtr) aesPtr         return (a, AESOCB newSt) +withCCMKeyAndCopySt :: AES -> AESCCM -> (Ptr AESCCM -> Ptr AES -> IO a) -> IO (a, AESCCM)+withCCMKeyAndCopySt aes (AESCCM ccmSt) f =+    keyToPtr aes $ \aesPtr -> do+        newSt <- B.copy ccmSt (\_ -> return ())+        a     <- withByteArray newSt $ \ccmStPtr -> f (castPtr ccmStPtr) aesPtr+        return (a, AESCCM newSt)+ -- | Initialize a new context with a key -- -- Key needs to be of length 16, 24 or 32 bytes. Any other values will return failure@@ -289,6 +320,21 @@            -> ba         -- ^ output decrypted decryptXTS = doXTS c_aes_decrypt_xts +-- | encrypt/decrypt using Counter mode (32-bit wrapping used in AES-GCM-SIV)+{-# NOINLINE combineC32 #-}+combineC32 :: ByteArray ba+           => AES        -- ^ AES Context+           -> IV AES     -- ^ initial vector of AES block size (usually representing a 128 bit integer)+           -> ba         -- ^ plaintext input+           -> ba         -- ^ ciphertext output+combineC32 ctx iv input+    | len <= 0          = B.empty+    | B.length iv /= 16 = error $ "AES error: IV length must be block size (16). Its length is: " ++ show (B.length iv)+    | otherwise = B.allocAndFreeze len doEncrypt+  where doEncrypt o = withKeyAndIV ctx iv $ \k v -> withByteArray input $ \i ->+                      c_aes_encrypt_c32 (castPtr o) k v i (fromIntegral len)+        len = B.length input+ {-# INLINE doECB #-} doECB :: ByteArray ba       => (Ptr b -> Ptr AES -> CString -> CUInt -> IO ())@@ -447,6 +493,78 @@   where computeTag = B.allocAndFreeze 16 $ \t ->                         withOCBKeyAndCopySt ctx ocb (c_aes_ocb_finish (castPtr t)) >> return () +ccmGetM :: CCM_M -> Int+ccmGetL :: CCM_L -> Int+ccmGetM m = case m of+  CCM_M4 -> 4+  CCM_M6 -> 6+  CCM_M8 -> 8+  CCM_M10 -> 10+  CCM_M12 -> 12+  CCM_M14 -> 14+  CCM_M16 -> 16++ccmGetL l = case l of+  CCM_L2 -> 2+  CCM_L3 -> 3+  CCM_L4 -> 4++-- | initialize a ccm context+{-# NOINLINE ccmInit #-}+ccmInit :: ByteArrayAccess iv => AES -> iv -> Int -> CCM_M -> CCM_L -> CryptoFailable AESCCM+ccmInit ctx iv n m l+    | 15 - li /= B.length iv = CryptoFailed CryptoError_IvSizeInvalid+    | otherwise = unsafeDoIO $ do+          sm <- B.alloc sizeCCM $ \ccmStPtr ->+            withKeyAndIV ctx iv $ \k v ->+            c_aes_ccm_init (castPtr ccmStPtr) k v (fromIntegral $ B.length iv) (fromIntegral n) (fromIntegral mi) (fromIntegral li)+          return $ CryptoPassed (AESCCM sm)+  where+    mi = ccmGetM m+    li = ccmGetL l++-- | append data which is only going to be authenticated to the CCM context.+--+-- needs to happen after initialization and before appending encryption/decryption data.+{-# NOINLINE ccmAppendAAD #-}+ccmAppendAAD :: ByteArrayAccess aad => AES -> AESCCM -> aad -> AESCCM+ccmAppendAAD ctx ccm input = unsafeDoIO $ snd <$> withCCMKeyAndCopySt ctx ccm doAppend+  where doAppend ccmStPtr aesPtr =+            withByteArray input $ \i -> c_aes_ccm_aad ccmStPtr aesPtr i (fromIntegral $ B.length input)++-- | append data to encrypt and append to the CCM context+--+-- the bytearray needs to be a multiple of AES block size, unless it's the last call to this function.+-- needs to happen after AAD appending, or after initialization if no AAD data.+{-# NOINLINE ccmEncrypt #-}+ccmEncrypt :: ByteArray ba => AES -> AESCCM -> ba -> (ba, AESCCM)+ccmEncrypt ctx ccm input = unsafeDoIO $ withCCMKeyAndCopySt ctx ccm cbcmacAndIv+  where len = B.length input+        cbcmacAndIv ccmStPtr aesPtr =+            B.alloc len $ \o ->+            withByteArray input $ \i ->+            c_aes_ccm_encrypt (castPtr o) ccmStPtr aesPtr i (fromIntegral len)++-- | append data to decrypt and append to the CCM context+--+-- the bytearray needs to be a multiple of AES block size, unless it's the last call to this function.+-- needs to happen after AAD appending, or after initialization if no AAD data.+{-# NOINLINE ccmDecrypt #-}+ccmDecrypt :: ByteArray ba => AES -> AESCCM -> ba -> (ba, AESCCM)+ccmDecrypt ctx ccm input = unsafeDoIO $ withCCMKeyAndCopySt ctx ccm cbcmacAndIv+  where len = B.length input+        cbcmacAndIv ccmStPtr aesPtr =+            B.alloc len $ \o ->+            withByteArray input $ \i ->+            c_aes_ccm_decrypt (castPtr o) ccmStPtr aesPtr i (fromIntegral len)++-- | Generate the Tag from CCM context+{-# NOINLINE ccmFinish #-}+ccmFinish :: AES -> AESCCM -> Int -> AuthTag+ccmFinish ctx ccm taglen = AuthTag $ B.take taglen computeTag+  where computeTag = B.allocAndFreeze 16 $ \t ->+                        withCCMKeyAndCopySt ctx ccm (c_aes_ccm_finish (castPtr t)) >> return ()+ ------------------------------------------------------------------------ foreign import ccall "cryptonite_aes.h cryptonite_aes_initkey"     c_aes_init :: Ptr AES -> CString -> CUInt -> IO ()@@ -478,6 +596,9 @@ foreign import ccall "cryptonite_aes.h cryptonite_aes_encrypt_ctr"     c_aes_encrypt_ctr :: CString -> Ptr AES -> Ptr Word8 -> CString -> CUInt -> IO () +foreign import ccall "cryptonite_aes.h cryptonite_aes_encrypt_c32"+    c_aes_encrypt_c32 :: CString -> Ptr AES -> Ptr Word8 -> CString -> CUInt -> IO ()+ foreign import ccall "cryptonite_aes.h cryptonite_aes_gcm_init"     c_aes_gcm_init :: Ptr AESGCM -> Ptr AES -> Ptr Word8 -> CUInt -> IO () @@ -508,3 +629,17 @@ foreign import ccall "cryptonite_aes.h cryptonite_aes_ocb_finish"     c_aes_ocb_finish :: CString -> Ptr AESOCB -> Ptr AES -> IO () +foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_init"+    c_aes_ccm_init :: Ptr AESCCM -> Ptr AES -> Ptr Word8 -> CUInt -> CUInt -> CInt -> CInt -> IO ()++foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_aad"+    c_aes_ccm_aad :: Ptr AESCCM -> Ptr AES -> CString -> CUInt -> IO ()++foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_encrypt"+    c_aes_ccm_encrypt :: CString -> Ptr AESCCM -> Ptr AES -> CString -> CUInt -> IO ()++foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_decrypt"+    c_aes_ccm_decrypt :: CString -> Ptr AESCCM -> Ptr AES -> CString -> CUInt -> IO ()++foreign import ccall "cryptonite_aes.h cryptonite_aes_ccm_finish"+    c_aes_ccm_finish :: CString -> Ptr AESCCM -> Ptr AES -> IO ()
+ Crypto/Cipher/AESGCMSIV.hs view
@@ -0,0 +1,193 @@+-- |+-- Module      : Crypto.Cipher.AESGCMSIV+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : experimental+-- Portability : unknown+--+-- Implementation of AES-GCM-SIV, an AEAD scheme with nonce misuse resistance+-- defined in <https://tools.ietf.org/html/rfc8452 RFC 8452>.+--+-- To achieve the nonce misuse-resistance property, encryption requires two+-- passes on the plaintext, hence no streaming API is provided.  This AEAD+-- operates on complete inputs held in memory.  For simplicity, the+-- implementation of decryption uses a similar pattern, with performance+-- penalty compared to an implementation which is able to merge both passes.+--+-- The specification allows inputs up to 2^36 bytes but this implementation+-- requires AAD and plaintext/ciphertext to be both smaller than 2^32 bytes.+{-# LANGUAGE ForeignFunctionInterface #-}+{-# LANGUAGE GeneralizedNewtypeDeriving #-}+module Crypto.Cipher.AESGCMSIV+    ( Nonce+    , nonce+    , generateNonce+    , encrypt+    , decrypt+    ) where++import Data.Bits+import Data.Word++import Foreign.C.Types+import Foreign.C.String+import Foreign.Ptr (Ptr, plusPtr)+import Foreign.Storable (peekElemOff, poke, pokeElemOff)++import           Data.ByteArray+import qualified Data.ByteArray as B+import           Data.Memory.Endian (toLE)+import           Data.Memory.PtrMethods (memXor)++import Crypto.Cipher.AES.Primitive+import Crypto.Cipher.Types+import Crypto.Error+import Crypto.Internal.Compat (unsafeDoIO)+import Crypto.Random+++-- 12-byte nonces++-- | Nonce value for AES-GCM-SIV, always 12 bytes.+newtype Nonce = Nonce Bytes deriving (Show, Eq, ByteArrayAccess)++-- | Nonce smart constructor.  Accepts only 12-byte inputs.+nonce :: ByteArrayAccess iv => iv -> CryptoFailable Nonce+nonce iv+    | B.length iv == 12 = CryptoPassed (Nonce $ B.convert iv)+    | otherwise         = CryptoFailed CryptoError_IvSizeInvalid++-- | Generate a random nonce for use with AES-GCM-SIV.+generateNonce :: MonadRandom m => m Nonce+generateNonce = Nonce <$> getRandomBytes 12+++-- POLYVAL (mutable context)++newtype Polyval = Polyval Bytes++polyvalInit :: ScrubbedBytes -> IO Polyval+polyvalInit h = Polyval <$> doInit+  where doInit = B.alloc 272 $ \pctx -> B.withByteArray h $ \ph ->+            c_aes_polyval_init pctx ph++polyvalUpdate :: ByteArrayAccess ba => Polyval -> ba -> IO ()+polyvalUpdate (Polyval ctx) bs = B.withByteArray ctx $ \pctx ->+    B.withByteArray bs $ \pbs -> c_aes_polyval_update pctx pbs sz+  where sz = fromIntegral (B.length bs)++polyvalFinalize :: Polyval -> IO ScrubbedBytes+polyvalFinalize (Polyval ctx) = B.alloc 16 $ \dst ->+    B.withByteArray ctx $ \pctx -> c_aes_polyval_finalize pctx dst++foreign import ccall unsafe "cryptonite_aes.h cryptonite_aes_polyval_init"+    c_aes_polyval_init :: Ptr Polyval -> CString -> IO ()++foreign import ccall "cryptonite_aes.h cryptonite_aes_polyval_update"+    c_aes_polyval_update :: Ptr Polyval -> CString -> CUInt -> IO ()++foreign import ccall unsafe "cryptonite_aes.h cryptonite_aes_polyval_finalize"+    c_aes_polyval_finalize :: Ptr Polyval -> CString -> IO ()+++-- Key Generation++le32iv :: Word32 -> Nonce -> Bytes+le32iv n (Nonce iv) = B.allocAndFreeze 16 $ \ptr -> do+    poke ptr (toLE n)+    copyByteArrayToPtr iv (ptr `plusPtr` 4)++deriveKeys :: BlockCipher128 aes => aes -> Nonce -> (ScrubbedBytes, AES)+deriveKeys aes iv =+    case cipherKeySize aes of+        KeySizeFixed sz | sz `mod` 8 == 0 ->+            let mak = buildKey [0 .. 1]+                key = buildKey [2 .. fromIntegral (sz `div` 8) + 1]+                mek = throwCryptoError (cipherInit key)+             in (mak, mek)+        _ -> error "AESGCMSIV: invalid cipher"+  where+    idx n = ecbEncrypt aes (le32iv n iv) `takeView` 8+    buildKey = B.concat . map idx+++-- Encryption and decryption++lengthInvalid :: ByteArrayAccess ba => ba -> Bool+lengthInvalid bs+    | finiteBitSize len > 32 = len >= 1 `unsafeShiftL` 32+    | otherwise              = False+  where len = B.length bs++-- | AEAD encryption with the specified key and nonce.  The key must be given+-- as an initialized 'Crypto.Cipher.AES.AES128' or 'Crypto.Cipher.AES.AES256'+-- cipher.+--+-- Lengths of additional data and plaintext must be less than 2^32 bytes,+-- otherwise an exception is thrown.+encrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba)+        => aes -> Nonce -> aad -> ba -> (AuthTag, ba)+encrypt aes iv aad plaintext+    | lengthInvalid aad = error "AESGCMSIV: aad is too large"+    | lengthInvalid plaintext = error "AESGCMSIV: plaintext is too large"+    | otherwise = (AuthTag tag, ciphertext)+  where+    (mak, mek) = deriveKeys aes iv+    ss = getSs mak aad plaintext+    tag = buildTag mek ss iv+    ciphertext = combineC32 mek (transformTag tag) plaintext++-- | AEAD decryption with the specified key and nonce.  The key must be given+-- as an initialized 'Crypto.Cipher.AES.AES128' or 'Crypto.Cipher.AES.AES256'+-- cipher.+--+-- Lengths of additional data and ciphertext must be less than 2^32 bytes,+-- otherwise an exception is thrown.+decrypt :: (BlockCipher128 aes, ByteArrayAccess aad, ByteArray ba)+        => aes -> Nonce -> aad -> ba -> AuthTag -> Maybe ba+decrypt aes iv aad ciphertext (AuthTag tag)+    | lengthInvalid aad = error "AESGCMSIV: aad is too large"+    | lengthInvalid ciphertext = error "AESGCMSIV: ciphertext is too large"+    | tag `constEq` buildTag mek ss iv = Just plaintext+    | otherwise = Nothing+  where+    (mak, mek) = deriveKeys aes iv+    ss = getSs mak aad plaintext+    plaintext = combineC32 mek (transformTag tag) ciphertext++-- Calculate S_s = POLYVAL(mak, X_1, X_2, ...).+getSs :: (ByteArrayAccess aad, ByteArrayAccess ba)+      => ScrubbedBytes -> aad -> ba -> ScrubbedBytes+getSs mak aad plaintext = unsafeDoIO $ do+    ctx <- polyvalInit mak+    polyvalUpdate ctx aad+    polyvalUpdate ctx plaintext+    polyvalUpdate ctx (lb :: Bytes)  -- the "length block"+    polyvalFinalize ctx+  where+    lb = B.allocAndFreeze 16 $ \ptr -> do+            pokeElemOff ptr 0 (toLE64 $ B.length aad)+            pokeElemOff ptr 1 (toLE64 $ B.length plaintext)+    toLE64 x = toLE (fromIntegral x * 8 :: Word64)++-- XOR the first 12 bytes of S_s with the nonce and clear the most significant+-- bit of the last byte.+tagInput :: ScrubbedBytes -> Nonce -> Bytes+tagInput ss (Nonce iv) =+    B.copyAndFreeze ss $ \ptr ->+    B.withByteArray iv $ \ivPtr -> do+        memXor ptr ptr ivPtr 12+        b <- peekElemOff ptr 15+        pokeElemOff ptr 15 (b .&. (0x7f :: Word8))++-- Encrypt the result with AES using the message-encryption key to produce the+-- tag.+buildTag :: BlockCipher128 aes => aes -> ScrubbedBytes -> Nonce -> Bytes+buildTag mek ss iv = ecbEncrypt mek (tagInput ss iv)++-- The initial counter block is the tag with the most significant bit of the+-- last byte set to one.+transformTag :: Bytes -> IV AES+transformTag tag = toIV $ B.copyAndFreeze tag $ \ptr ->+    peekElemOff ptr 15 >>= pokeElemOff ptr 15 . (.|. (0x80 :: Word8))+  where toIV bs = let Just iv = makeIV (bs :: Bytes) in iv
Crypto/Cipher/Blowfish/Box.hs view
@@ -5,15 +5,33 @@ -- Portability : Good {-# LANGUAGE MagicHash #-} module Crypto.Cipher.Blowfish.Box-    ( createKeySchedule+    (   KeySchedule(..)+    ,   createKeySchedule+    ,   copyKeySchedule     ) where -import Crypto.Internal.WordArray (mutableArray32FromAddrBE, MutableArray32)+import           Crypto.Internal.WordArray (MutableArray32,+                                            mutableArray32FromAddrBE,+                                            mutableArrayRead32,+                                            mutableArrayWrite32) +newtype KeySchedule = KeySchedule MutableArray32++-- | Copy the state of one key schedule into the other.+--   The first parameter is the destination and the second the source.+copyKeySchedule :: KeySchedule -> KeySchedule -> IO ()+copyKeySchedule (KeySchedule dst) (KeySchedule src) = loop 0+  where+    loop 1042 = return ()+    loop i    = do+        w32 <-mutableArrayRead32 src i+        mutableArrayWrite32 dst i w32+        loop (i + 1)+ -- | Create a key schedule mutable array of the pbox followed by -- all the sboxes.-createKeySchedule :: IO MutableArray32-createKeySchedule = mutableArray32FromAddrBE 1042 "\+createKeySchedule :: IO KeySchedule+createKeySchedule = KeySchedule `fmap` mutableArray32FromAddrBE 1042 "\     \\x24\x3f\x6a\x88\x85\xa3\x08\xd3\x13\x19\x8a\x2e\x03\x70\x73\x44\     \\xa4\x09\x38\x22\x29\x9f\x31\xd0\x08\x2e\xfa\x98\xec\x4e\x6c\x89\     \\x45\x28\x21\xe6\x38\xd0\x13\x77\xbe\x54\x66\xcf\x34\xe9\x0c\x6c\
Crypto/Cipher/Blowfish/Primitive.hs view
@@ -5,197 +5,254 @@ -- Portability : Good  -- Rewritten by Vincent Hanquez (c) 2015+--              Lars Petersen (c) 2018 -- -- Original code: --      Crypto.Cipher.Blowfish.Primitive, copyright (c) 2012 Stijn van Drongelen --      based on: BlowfishAux.hs (C) 2002 HardCore SoftWare, Doug Hoyte --           (as found in Crypto-4.2.4)-+{-# LANGUAGE BangPatterns #-} module Crypto.Cipher.Blowfish.Primitive     ( Context     , initBlowfish     , encrypt     , decrypt-    , eksBlowfish+    , KeySchedule+    , createKeySchedule+    , freezeKeySchedule+    , expandKey+    , expandKeyWithSalt+    , cipherBlockMutable     ) where -import           Control.Monad (when)+import           Control.Monad              (when) import           Data.Bits import           Data.Memory.Endian import           Data.Word +import           Crypto.Cipher.Blowfish.Box import           Crypto.Error+import           Crypto.Internal.ByteArray  (ByteArray, ByteArrayAccess)+import qualified Crypto.Internal.ByteArray  as B import           Crypto.Internal.Compat import           Crypto.Internal.Imports-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, Bytes)-import qualified Crypto.Internal.ByteArray as B-import           Crypto.Internal.Words import           Crypto.Internal.WordArray-import           Crypto.Cipher.Blowfish.Box --- | variable keyed blowfish state-data Context = BF (Int -> Word32) -- p-                  (Int -> Word32) -- sbox0-                  (Int -> Word32) -- sbox1-                  (Int -> Word32) -- sbox2-                  (Int -> Word32) -- sbox2+newtype Context = Context Array32  instance NFData Context where-    rnf (BF p a b c d) = p `seq` a `seq` b `seq` c `seq` d `seq` ()+    rnf a = a `seq` () +-- | Initialize a new Blowfish context from a key.+--+-- key needs to be between 0 and 448 bits.+initBlowfish :: ByteArrayAccess key => key -> CryptoFailable Context+initBlowfish key+    | B.length key > (448 `div` 8) = CryptoFailed CryptoError_KeySizeInvalid+    | otherwise                    = CryptoPassed $ unsafeDoIO $ do+        ks <- createKeySchedule+        expandKey ks key+        freezeKeySchedule ks++-- | Get an immutable Blowfish context by freezing a mutable key schedule.+freezeKeySchedule :: KeySchedule -> IO Context+freezeKeySchedule (KeySchedule ma) = Context `fmap` mutableArray32Freeze ma++expandKey :: (ByteArrayAccess key) => KeySchedule -> key -> IO ()+expandKey ks@(KeySchedule ma) key = do+    when (B.length key > 0) $ iterKeyStream key 0 0 $ \i l r a0 a1 cont-> do+        mutableArrayWriteXor32 ma i l+        mutableArrayWriteXor32 ma (i + 1) r+        when (i + 2 < 18) (cont a0 a1)+    loop 0 0 0+    where+        loop i l r = do+            n <- cipherBlockMutable ks (fromIntegral l `shiftL` 32 .|. fromIntegral r)+            let nl = fromIntegral (n `shiftR` 32)+                nr = fromIntegral (n .&. 0xffffffff)+            mutableArrayWrite32 ma i nl+            mutableArrayWrite32 ma (i + 1) nr+            when (i < 18 + 1024) (loop (i + 2) nl nr)++expandKeyWithSalt :: (ByteArrayAccess key, ByteArrayAccess salt)+    => KeySchedule+    -> key+    -> salt+    -> IO ()+expandKeyWithSalt ks key salt+    | B.length salt == 16 = expandKeyWithSalt128 ks key (fromBE $ B.toW64BE salt 0) (fromBE $ B.toW64BE salt 8)+    | otherwise           = expandKeyWithSaltAny ks key salt++expandKeyWithSaltAny :: (ByteArrayAccess key, ByteArrayAccess salt)+    => KeySchedule         -- ^ The key schedule+    -> key                 -- ^ The key+    -> salt                -- ^ The salt+    -> IO ()+expandKeyWithSaltAny ks@(KeySchedule ma) key salt = do+    when (B.length key > 0) $ iterKeyStream key 0 0 $ \i l r a0 a1 cont-> do+        mutableArrayWriteXor32 ma i l+        mutableArrayWriteXor32 ma (i + 1) r+        when (i + 2 < 18) (cont a0 a1)+    -- Go through the entire key schedule overwriting the P-Array and S-Boxes+    when (B.length salt > 0) $ iterKeyStream salt 0 0 $ \i l r a0 a1 cont-> do+        let l' = xor l a0+        let r' = xor r a1+        n <- cipherBlockMutable ks (fromIntegral l' `shiftL` 32 .|. fromIntegral r')+        let nl = fromIntegral (n `shiftR` 32)+            nr = fromIntegral (n .&. 0xffffffff)+        mutableArrayWrite32 ma i nl+        mutableArrayWrite32 ma (i + 1) nr+        when (i + 2 < 18 + 1024) (cont nl nr)++expandKeyWithSalt128 :: ByteArrayAccess ba+    => KeySchedule         -- ^ The key schedule+    -> ba                  -- ^ The key+    -> Word64              -- ^ First word of the salt+    -> Word64              -- ^ Second word of the salt+    -> IO ()+expandKeyWithSalt128 ks@(KeySchedule ma) key salt1 salt2 = do+    when (B.length key > 0) $ iterKeyStream key 0 0 $ \i l r a0 a1 cont-> do+        mutableArrayWriteXor32 ma i l+        mutableArrayWriteXor32 ma (i + 1) r+        when (i + 2 < 18) (cont a0 a1)+    -- Go through the entire key schedule overwriting the P-Array and S-Boxes+    loop 0 salt1 salt1 salt2+    where+        loop i input slt1 slt2+            | i == 1042   = return ()+            | otherwise = do+                n <- cipherBlockMutable ks input+                let nl = fromIntegral (n `shiftR` 32)+                    nr = fromIntegral (n .&. 0xffffffff)+                mutableArrayWrite32 ma i     nl+                mutableArrayWrite32 ma (i+1) nr+                loop (i+2) (n `xor` slt2) slt2 slt1+ -- | Encrypt blocks -- -- Input need to be a multiple of 8 bytes encrypt :: ByteArray ba => Context -> ba -> ba-encrypt = cipher+encrypt ctx ba+    | B.length ba == 0         = B.empty+    | B.length ba `mod` 8 /= 0 = error "invalid data length"+    | otherwise                = B.mapAsWord64 (cipherBlock ctx False) ba  -- | Decrypt blocks -- -- Input need to be a multiple of 8 bytes decrypt :: ByteArray ba => Context -> ba -> ba-decrypt = cipher . decryptContext--decryptContext :: Context -> Context-decryptContext (BF p s0 s1 s2 s3) = BF (\i -> p (17-i)) s0 s1 s2 s3--cipher :: ByteArray ba => Context -> ba -> ba-cipher ctx b-    | B.length b == 0         = B.empty-    | B.length b `mod` 8 /= 0 = error "invalid data length"-    | otherwise               = B.mapAsWord64 (coreCrypto ctx) b---- | Initialize a new Blowfish context from a key.------ key needs to be between 0 and 448 bits.-initBlowfish :: ByteArrayAccess key => key -> CryptoFailable Context-initBlowfish key-    | len > (448 `div` 8) = CryptoFailed CryptoError_KeySizeInvalid-    | otherwise           = CryptoPassed $ makeKeySchedule key (Nothing :: Maybe (Bytes, Int))-  where len = B.length key+decrypt ctx ba+    | B.length ba == 0         = B.empty+    | B.length ba `mod` 8 /= 0 = error "invalid data length"+    | otherwise                = B.mapAsWord64 (cipherBlock ctx True) ba --- | The BCrypt "expensive key schedule" version of blowfish.+-- | Encrypt or decrypt a single block of 64 bits. ----- Salt must be 128 bits--- Cost must be between 4 and 31 inclusive--- See <https://www.usenix.org/conference/1999-usenix-annual-technical-conference/future-adaptable-password-scheme>-eksBlowfish :: (ByteArrayAccess salt, ByteArrayAccess password) => Int -> salt -> password -> Context-eksBlowfish cost salt key-    | B.length salt /= 16 = error "bcrypt salt must be 16 bytes"-    | otherwise           = makeKeySchedule key (Just (salt, cost))--coreCrypto :: Context -> Word64 -> Word64-coreCrypto (BF p s0 s1 s2 s3) input = doRound input 0-  where-    -- transform the input over 16 rounds+-- The inverse argument decides whether to encrypt or decrypt.+cipherBlock :: Context -> Bool -> Word64 -> Word64+cipherBlock (Context ar) inverse input = doRound input 0+    where+    -- | Transform the input over 16 rounds     doRound :: Word64 -> Int -> Word64-    doRound i roundIndex+    doRound !i roundIndex         | roundIndex == 16 =             let final = (fromIntegral (p 16) `shiftL` 32) .|. fromIntegral (p 17)              in rotateL (i `xor` final) 32         | otherwise     =-            let newr = fromIntegral (i `shiftR` 32) `xor` (p roundIndex)-                newi = ((i `shiftL` 32) `xor` (f newr)) .|. (fromIntegral newr)+            let newr = fromIntegral (i `shiftR` 32) `xor` p roundIndex+                newi = ((i `shiftL` 32) `xor` f newr) .|. fromIntegral newr              in doRound newi (roundIndex+1)++    -- | The Blowfish Feistel function F     f   :: Word32 -> Word64-    f t = let a = s0 (fromIntegral $ (t `shiftR` 24) .&. 0xff)-              b = s1 (fromIntegral $ (t `shiftR` 16) .&. 0xff)-              c = s2 (fromIntegral $ (t `shiftR` 8) .&. 0xff)-              d = s3 (fromIntegral $ t .&. 0xff)+    f t = let a = s0 (0xff .&. (t `shiftR` 24))+              b = s1 (0xff .&. (t `shiftR` 16))+              c = s2 (0xff .&. (t `shiftR` 8))+              d = s3 (0xff .&.  t)            in fromIntegral (((a + b) `xor` c) + d) `shiftL` 32 ---- | Create a key schedule for either plain Blowfish or the BCrypt "EKS" version--- For the expensive version, the salt and cost factor are supplied. Salt must be--- a 128-bit byte array.------ The standard case is just a single key expansion with the salt set to zero.-makeKeySchedule :: (ByteArrayAccess key, ByteArrayAccess salt) => key-> Maybe (salt, Int) -> Context-makeKeySchedule keyBytes saltCost =-    let v = unsafeDoIO $ do-              mv <- createKeySchedule-              case saltCost of-                  -- Standard blowfish-                  Nothing -> expandKey mv 0 0 keyBytes-                  -- The expensive case-                  Just (s, cost)  -> do-                      let (salt1, salt2) = splitSalt s-                      expandKey mv salt1 salt2 keyBytes-                      forM_ [1..2^cost :: Int] $ \_ -> do-                          expandKey mv 0 0 keyBytes-                          expandKey mv 0 0 s-              mutableArray32Freeze mv-     in BF (\i -> arrayRead32 v i)-           (\i -> arrayRead32 v (s0+i))-           (\i -> arrayRead32 v (s1+i))-           (\i -> arrayRead32 v (s2+i))-           (\i -> arrayRead32 v (s3+i))-  where-        splitSalt s = (fromBE (B.toW64BE s 0), fromBE (B.toW64BE s 8))--        -- Indices of the S-Box arrays, each containing 256 32-bit words-        -- The first 18 words contain the P-Array of subkeys-        s0 = 18-        s1 = 274-        s2 = 530-        s3 = 786+    -- | S-Box arrays, each containing 256 32-bit words+    --   The first 18 words contain the P-Array of subkeys+    s0, s1, s2, s3 :: Word32 -> Word32+    s0 i            = arrayRead32 ar (fromIntegral i + 18)+    s1 i            = arrayRead32 ar (fromIntegral i + 274)+    s2 i            = arrayRead32 ar (fromIntegral i + 530)+    s3 i            = arrayRead32 ar (fromIntegral i + 786)+    p              :: Int -> Word32+    p i | inverse   = arrayRead32 ar (17 - i)+        | otherwise = arrayRead32 ar i -expandKey :: ByteArrayAccess ba-          => MutableArray32      -- ^ The key schedule-          -> Word64              -- ^ First word of the salt-          -> Word64              -- ^ Second word of the salt-          -> ba                  -- ^ The key-          -> IO ()-expandKey mv salt1 salt2 key = do-    when (len > 0) $ forM_ [0..17] $ \i -> do-        let a = B.index key ((i * 4 + 0) `mod` len)-            b = B.index key ((i * 4 + 1) `mod` len)-            c = B.index key ((i * 4 + 2) `mod` len)-            d = B.index key ((i * 4 + 3) `mod` len)-            k = (fromIntegral a `shiftL` 24) .|.-                (fromIntegral b `shiftL` 16) .|.-                (fromIntegral c `shiftL`  8) .|.-                (fromIntegral d)-        mutableArrayWriteXor32 mv i k-    prepare mv-    return ()-  where-        len = B.length key+-- | Blowfish encrypt a Word using the current state of the key schedule+cipherBlockMutable :: KeySchedule -> Word64 -> IO Word64+cipherBlockMutable (KeySchedule ma) input = doRound input 0+    where+    -- | Transform the input over 16 rounds+    doRound !i roundIndex+        | roundIndex == 16 = do+            pVal1 <- mutableArrayRead32 ma 16+            pVal2 <- mutableArrayRead32 ma 17+            let final = (fromIntegral pVal1 `shiftL` 32) .|. fromIntegral pVal2+            return $ rotateL (i `xor` final) 32+        | otherwise     = do+            pVal <- mutableArrayRead32 ma roundIndex+            let newr = fromIntegral (i `shiftR` 32) `xor` pVal+            newr' <- f newr+            let newi = ((i `shiftL` 32) `xor` newr') .|. fromIntegral newr+            doRound newi (roundIndex+1) -        -- | Go through the entire key schedule overwriting the P-Array and S-Boxes-        prepare mctx = loop 0 salt1 salt1 salt2-          where loop i input slt1 slt2-                  | i == 1042   = return ()-                  | otherwise = do-                      ninput <- coreCryptoMutable input-                      let (nl, nr) = w64to32 ninput-                      mutableArrayWrite32 mctx i     nl-                      mutableArrayWrite32 mctx (i+1) nr-                      loop (i+2) (ninput `xor` slt2) slt2 slt1+    -- | The Blowfish Feistel function F+    f   :: Word32 -> IO Word64+    f t = do+        a <- s0 (0xff .&. (t `shiftR` 24))+        b <- s1 (0xff .&. (t `shiftR` 16))+        c <- s2 (0xff .&. (t `shiftR` 8))+        d <- s3 (0xff .&.  t)+        return (fromIntegral (((a + b) `xor` c) + d) `shiftL` 32) -                -- | Blowfish encrypt a Word using the current state of the key schedule-                coreCryptoMutable :: Word64 -> IO Word64-                coreCryptoMutable input = doRound input 0-                  where doRound i roundIndex-                          | roundIndex == 16 = do-                              pVal1 <- mutableArrayRead32 mctx 16-                              pVal2 <- mutableArrayRead32 mctx 17-                              let final = (fromIntegral pVal1 `shiftL` 32) .|. fromIntegral pVal2-                              return $ rotateL (i `xor` final) 32-                          | otherwise     = do-                              pVal <- mutableArrayRead32 mctx roundIndex-                              let newr = fromIntegral (i `shiftR` 32) `xor` pVal-                              newr' <- f newr-                              let newi = ((i `shiftL` 32) `xor` newr') .|. (fromIntegral newr)-                              doRound newi (roundIndex+1)+    -- | S-Box arrays, each containing 256 32-bit words+    --   The first 18 words contain the P-Array of subkeys+    s0, s1, s2, s3 :: Word32 -> IO Word32+    s0 i = mutableArrayRead32 ma (fromIntegral i + 18)+    s1 i = mutableArrayRead32 ma (fromIntegral i + 274)+    s2 i = mutableArrayRead32 ma (fromIntegral i + 530)+    s3 i = mutableArrayRead32 ma (fromIntegral i + 786) -                -- The Blowfish Feistel function F-                f   :: Word32 -> IO Word64-                f t = do a <- mutableArrayRead32 mctx (s0 + fromIntegral ((t `shiftR` 24) .&. 0xff))-                         b <- mutableArrayRead32 mctx (s1 + fromIntegral ((t `shiftR` 16) .&. 0xff))-                         c <- mutableArrayRead32 mctx (s2 + fromIntegral ((t `shiftR` 8) .&. 0xff))-                         d <- mutableArrayRead32 mctx (s3 + fromIntegral (t .&. 0xff))-                         return (fromIntegral (((a + b) `xor` c) + d) `shiftL` 32)-                  where s0 = 18-                        s1 = 274-                        s2 = 530-                        s3 = 786+iterKeyStream :: (ByteArrayAccess x)+    => x+    -> Word32+    -> Word32+    -> (Int -> Word32 -> Word32 -> Word32 -> Word32 -> (Word32 -> Word32 -> IO ()) -> IO ())+    -> IO ()+iterKeyStream x a0 a1 g = f 0 0 a0 a1+    where+        len          = B.length x+        -- Avoiding the modulo operation when interating over the ring+        -- buffer is assumed to be more efficient here. All other+        -- implementations do this, too. The branch prediction shall prefer+        -- the branch with the increment.+        n j          = if j + 1 >= len then 0 else j + 1+        f i j0 b0 b1 = g i l r b0 b1 (f (i + 2) j8)+            where+                j1 = n j0+                j2 = n j1+                j3 = n j2+                j4 = n j3+                j5 = n j4+                j6 = n j5+                j7 = n j6+                j8 = n j7+                x0 = fromIntegral (B.index x j0)+                x1 = fromIntegral (B.index x j1)+                x2 = fromIntegral (B.index x j2)+                x3 = fromIntegral (B.index x j3)+                x4 = fromIntegral (B.index x j4)+                x5 = fromIntegral (B.index x j5)+                x6 = fromIntegral (B.index x j6)+                x7 = fromIntegral (B.index x j7)+                l  = shiftL x0 24 .|. shiftL x1 16 .|. shiftL x2 8 .|. x3+                r  = shiftL x4 24 .|. shiftL x5 16 .|. shiftL x6 8 .|. x7+{-# INLINE iterKeyStream #-}+-- Benchmarking shows that GHC considers this function too big to inline+-- although forcing inlining causes an actual improvement.+-- It is assumed that all function calls (especially the continuation)+-- collapse into a tight loop after inlining.
+ Crypto/Cipher/CAST5.hs view
@@ -0,0 +1,43 @@+-- |+-- Module      : Crypto.Cipher.CAST5+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : stable+-- Portability : good+--+module Crypto.Cipher.CAST5+    ( CAST5+    ) where++import           Crypto.Error+import           Crypto.Cipher.Types+import           Crypto.Cipher.CAST5.Primitive+import           Crypto.Internal.ByteArray (ByteArrayAccess)+import qualified Crypto.Internal.ByteArray as B++-- | CAST5 block cipher (also known as CAST-128).  Key is between+-- 40 and 128 bits.+newtype CAST5 = CAST5 Key++instance Cipher CAST5 where+    cipherName    _ = "CAST5"+    cipherKeySize _ = KeySizeRange 5 16+    cipherInit      = initCAST5++instance BlockCipher CAST5 where+    blockSize _ = 8+    ecbEncrypt (CAST5 k) = B.mapAsWord64 (encrypt k)+    ecbDecrypt (CAST5 k) = B.mapAsWord64 (decrypt k)++initCAST5 :: ByteArrayAccess key => key -> CryptoFailable CAST5+initCAST5 bs+    | len <   5 = CryptoFailed CryptoError_KeySizeInvalid+    | len <  16 = CryptoPassed (CAST5 $ buildKey short padded)+    | len == 16 = CryptoPassed (CAST5 $ buildKey False bs)+    | otherwise = CryptoFailed CryptoError_KeySizeInvalid+  where+    len   = B.length bs+    short = len <= 10++    padded :: B.Bytes+    padded = B.convert bs `B.append` B.replicate (16 - len) 0
+ Crypto/Cipher/CAST5/Primitive.hs view
@@ -0,0 +1,573 @@+{-# LANGUAGE MagicHash #-}++-----------------------------------------------------------------------------+-- |+-- Module      :  Crypto.Cipher.CAST5.Primitive+-- License     :  BSD-style+--+-- Haskell implementation of the CAST-128 Encryption Algorithm+--+-----------------------------------------------------------------------------+++module Crypto.Cipher.CAST5.Primitive+    ( encrypt+    , decrypt+    , Key()+    , buildKey+    ) where++import Control.Monad (void, (>=>))++import Data.Bits+import Data.Memory.Endian+import Data.Word++import           Crypto.Internal.ByteArray (ByteArrayAccess)+import qualified Crypto.Internal.ByteArray as B+import           Crypto.Internal.WordArray+++-- Data Types++data P = P {-# UNPACK #-} !Word32 -- left word+           {-# UNPACK #-} !Word32 -- right word++data Q = Q {-# UNPACK #-} !Word32 {-# UNPACK #-} !Word32+           {-# UNPACK #-} !Word32 {-# UNPACK #-} !Word32++-- | All subkeys for 12 or 16 rounds+data Key = K12 {-# UNPACK #-} !Array32 -- [ km1, kr1, km2, kr2, ..., km12, kr12 ]+         | K16 {-# UNPACK #-} !Array32 -- [ km1, kr1, km2, kr2, ..., km16, kr16 ]+++-- Big-endian Transformations++decomp64 :: Word64 -> P+decomp64 x = P (fromIntegral (x `shiftR` 32)) (fromIntegral x)++comp64 :: P -> Word64+comp64 (P l r) = (fromIntegral l `shiftL` 32) .|. fromIntegral r++decomp32 :: Word32 -> (Word8, Word8, Word8, Word8)+decomp32 x =+    let a = fromIntegral (x `shiftR` 24)+        b = fromIntegral (x `shiftR` 16)+        c = fromIntegral (x `shiftR`  8)+        d = fromIntegral x+    in (a, b, c, d)+++-- Encryption++-- | Encrypts a block using the specified key+encrypt :: Key -> Word64 -> Word64+encrypt k = comp64 . cast_enc k . decomp64++cast_enc :: Key -> P -> P+cast_enc (K12 a) (P l0 r0) = P r12 r11+  where+    r1  = type1 a 0  l0  r0+    r2  = type2 a 2  r0  r1+    r3  = type3 a 4  r1  r2+    r4  = type1 a 6  r2  r3+    r5  = type2 a 8  r3  r4+    r6  = type3 a 10 r4  r5+    r7  = type1 a 12 r5  r6+    r8  = type2 a 14 r6  r7+    r9  = type3 a 16 r7  r8+    r10 = type1 a 18 r8  r9+    r11 = type2 a 20 r9  r10+    r12 = type3 a 22 r10 r11++cast_enc (K16 a) p = P r16 r15+  where+    P r12 r11 = cast_enc (K12 a) p++    r13 = type1 a 24 r11 r12+    r14 = type2 a 26 r12 r13+    r15 = type3 a 28 r13 r14+    r16 = type1 a 30 r14 r15++-- Decryption++-- | Decrypts a block using the specified key+decrypt :: Key -> Word64 -> Word64+decrypt k = comp64 . cast_dec k . decomp64++cast_dec :: Key -> P -> P+cast_dec (K12 a) (P r12 r11) = P l0 r0+  where+    r10 = type3 a 22 r12 r11+    r9  = type2 a 20 r11 r10+    r8  = type1 a 18 r10 r9+    r7  = type3 a 16 r9  r8+    r6  = type2 a 14 r8  r7+    r5  = type1 a 12 r7  r6+    r4  = type3 a 10 r6  r5+    r3  = type2 a 8  r5  r4+    r2  = type1 a 6  r4  r3+    r1  = type3 a 4  r3  r2+    r0  = type2 a 2  r2  r1+    l0  = type1 a 0  r1  r0++cast_dec (K16 a) (P r16 r15) = cast_dec (K12 a) (P r12 r11)+  where+    r14 = type1 a 30 r16 r15+    r13 = type3 a 28 r15 r14+    r12 = type2 a 26 r14 r13+    r11 = type1 a 24 r13 r12+++-- Non-Identical Rounds++type1 :: Array32 -> Int -> Word32 -> Word32 -> Word32+type1 arr idx l r =+    let km = arrayRead32 arr idx+        kr = arrayRead32 arr (idx + 1)+        j = (km + r) `rotateL` fromIntegral kr+        (ja, jb, jc, jd) = decomp32 j+     in l `xor` (((sbox_s1 ja `xor` sbox_s2 jb) - sbox_s3 jc) + sbox_s4 jd)++type2 :: Array32 -> Int -> Word32 -> Word32 -> Word32+type2 arr idx l r =+    let km = arrayRead32 arr idx+        kr = arrayRead32 arr (idx + 1)+        j = (km `xor` r) `rotateL` fromIntegral kr+        (ja, jb, jc, jd) = decomp32 j+     in l `xor` (((sbox_s1 ja - sbox_s2 jb) + sbox_s3 jc) `xor` sbox_s4 jd)++type3 :: Array32 -> Int -> Word32 -> Word32 -> Word32+type3 arr idx l r =+    let km = arrayRead32 arr idx+        kr = arrayRead32 arr (idx + 1)+        j = (km - r) `rotateL` fromIntegral kr+        (ja, jb, jc, jd) = decomp32 j+     in l `xor` (((sbox_s1 ja + sbox_s2 jb) `xor` sbox_s3 jc) - sbox_s4 jd)+++-- Key Schedule++-- | Precompute "masking" and "rotation" subkeys+buildKey :: ByteArrayAccess key+         => Bool -- ^ @True@ for short keys that only need 12 rounds+         -> key  -- ^ Input key padded to 16 bytes+         -> Key  -- ^ Output data structure+buildKey isShort key =+    let P x0123 x4567 = decomp64 (fromBE $ B.toW64BE key 0)+        P x89AB xCDEF = decomp64 (fromBE $ B.toW64BE key 8)+     in keySchedule isShort (Q x0123 x4567 x89AB xCDEF)++keySchedule :: Bool -> Q -> Key+keySchedule isShort x+    | isShort   = K12 $ allocArray32AndFreeze 24 $ \ma ->+        void (steps123 ma 0 x >>= skip4 >>= steps123 ma 1)++    | otherwise = K16 $ allocArray32AndFreeze 32 $ \ma ->+        void (steps123 ma 0 x >>= step4 ma 24 >>= steps123 ma 1 >>= step4 ma 25)++  where+    sbox_s56785 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s5 e+    sbox_s56786 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s6 e+    sbox_s56787 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s7 e+    sbox_s56788 a b c d e = sbox_s5 a `xor` sbox_s6 b `xor` sbox_s7 c `xor` sbox_s8 d `xor` sbox_s8 e++    steps123 ma off = step1 ma off >=> step2 ma (off + 8) >=> step3 ma (off + 16)++    step1 :: MutableArray32 -> Int -> Q -> IO Q+    step1 ma off (Q x0123 x4567 x89AB xCDEF) = do+        let (x8, x9, xA, xB) = decomp32 x89AB+            (xC, xD, xE, xF) = decomp32 xCDEF++            z0123 = x0123 `xor` sbox_s56787 xD xF xC xE x8+            z4567 = x89AB `xor` sbox_s56788 z0 z2 z1 z3 xA+            z89AB = xCDEF `xor` sbox_s56785 z7 z6 z5 z4 x9+            zCDEF = x4567 `xor` sbox_s56786 zA z9 zB z8 xB++            (z0, z1, z2, z3) = decomp32 z0123+            (z4, z5, z6, z7) = decomp32 z4567+            (z8, z9, zA, zB) = decomp32 z89AB+            (zC, zD, zE, zF) = decomp32 zCDEF++        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 z8 z9 z7 z6 z2+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 zA zB z5 z4 z6+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 zC zD z3 z2 z9+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 zE zF z1 z0 zC+        return (Q z0123 z4567 z89AB zCDEF)++    step2 :: MutableArray32 -> Int -> Q -> IO Q+    step2 ma off (Q z0123 z4567 z89AB zCDEF) = do+        let (z0, z1, z2, z3) = decomp32 z0123+            (z4, z5, z6, z7) = decomp32 z4567++            x0123 = z89AB `xor` sbox_s56787 z5 z7 z4 z6 z0+            x4567 = z0123 `xor` sbox_s56788 x0 x2 x1 x3 z2+            x89AB = z4567 `xor` sbox_s56785 x7 x6 x5 x4 z1+            xCDEF = zCDEF `xor` sbox_s56786 xA x9 xB x8 z3++            (x0, x1, x2, x3) = decomp32 x0123+            (x4, x5, x6, x7) = decomp32 x4567+            (x8, x9, xA, xB) = decomp32 x89AB+            (xC, xD, xE, xF) = decomp32 xCDEF++        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 x3 x2 xC xD x8+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 x1 x0 xE xF xD+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 x7 x6 x8 x9 x3+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 x5 x4 xA xB x7+        return (Q x0123 x4567 x89AB xCDEF)++    step3 :: MutableArray32 -> Int -> Q -> IO Q+    step3 ma off (Q x0123 x4567 x89AB xCDEF) = do+        let (x8, x9, xA, xB) = decomp32 x89AB+            (xC, xD, xE, xF) = decomp32 xCDEF++            z0123 = x0123 `xor` sbox_s56787 xD xF xC xE x8+            z4567 = x89AB `xor` sbox_s56788 z0 z2 z1 z3 xA+            z89AB = xCDEF `xor` sbox_s56785 z7 z6 z5 z4 x9+            zCDEF = x4567 `xor` sbox_s56786 zA z9 zB z8 xB++            (z0, z1, z2, z3) = decomp32 z0123+            (z4, z5, z6, z7) = decomp32 z4567+            (z8, z9, zA, zB) = decomp32 z89AB+            (zC, zD, zE, zF) = decomp32 zCDEF++        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 z3 z2 zC zD z9+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 z1 z0 zE zF zC+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 z7 z6 z8 z9 z2+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 z5 z4 zA zB z6+        return (Q z0123 z4567 z89AB zCDEF)++    step4 :: MutableArray32 -> Int -> Q -> IO Q+    step4 ma off (Q z0123 z4567 z89AB zCDEF) = do+        let (z0, z1, z2, z3) = decomp32 z0123+            (z4, z5, z6, z7) = decomp32 z4567++            x0123 = z89AB `xor` sbox_s56787 z5 z7 z4 z6 z0+            x4567 = z0123 `xor` sbox_s56788 x0 x2 x1 x3 z2+            x89AB = z4567 `xor` sbox_s56785 x7 x6 x5 x4 z1+            xCDEF = zCDEF `xor` sbox_s56786 xA x9 xB x8 z3++            (x0, x1, x2, x3) = decomp32 x0123+            (x4, x5, x6, x7) = decomp32 x4567+            (x8, x9, xA, xB) = decomp32 x89AB+            (xC, xD, xE, xF) = decomp32 xCDEF++        mutableArrayWrite32 ma (off + 0) $ sbox_s56785 x8 x9 x7 x6 x3+        mutableArrayWrite32 ma (off + 2) $ sbox_s56786 xA xB x5 x4 x7+        mutableArrayWrite32 ma (off + 4) $ sbox_s56787 xC xD x3 x2 x8+        mutableArrayWrite32 ma (off + 6) $ sbox_s56788 xE xF x1 x0 xD+        return (Q x0123 x4567 x89AB xCDEF)++    skip4 :: Q -> IO Q+    skip4 (Q z0123 z4567 z89AB zCDEF) = do+        let (z0, z1, z2, z3) = decomp32 z0123+            (z4, z5, z6, z7) = decomp32 z4567++            x0123 = z89AB `xor` sbox_s56787 z5 z7 z4 z6 z0+            x4567 = z0123 `xor` sbox_s56788 x0 x2 x1 x3 z2+            x89AB = z4567 `xor` sbox_s56785 x7 x6 x5 x4 z1+            xCDEF = zCDEF `xor` sbox_s56786 xA x9 xB x8 z3++            (x0, x1, x2, x3) = decomp32 x0123+            (x4, x5, x6, x7) = decomp32 x4567+            (x8, x9, xA, xB) = decomp32 x89AB++        return (Q x0123 x4567 x89AB xCDEF)++-- S-Boxes++sbox_s1 :: Word8 -> Word32+sbox_s1 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\x30\xfb\x40\xd4\x9f\xa0\xff\x0b\x6b\xec\xcd\x2f\x3f\x25\x8c\x7a\x1e\x21\x3f\x2f\x9c\x00\x4d\xd3\x60\x03\xe5\x40\xcf\x9f\xc9\x49\+            \\xbf\xd4\xaf\x27\x88\xbb\xbd\xb5\xe2\x03\x40\x90\x98\xd0\x96\x75\x6e\x63\xa0\xe0\x15\xc3\x61\xd2\xc2\xe7\x66\x1d\x22\xd4\xff\x8e\+            \\x28\x68\x3b\x6f\xc0\x7f\xd0\x59\xff\x23\x79\xc8\x77\x5f\x50\xe2\x43\xc3\x40\xd3\xdf\x2f\x86\x56\x88\x7c\xa4\x1a\xa2\xd2\xbd\x2d\+            \\xa1\xc9\xe0\xd6\x34\x6c\x48\x19\x61\xb7\x6d\x87\x22\x54\x0f\x2f\x2a\xbe\x32\xe1\xaa\x54\x16\x6b\x22\x56\x8e\x3a\xa2\xd3\x41\xd0\+            \\x66\xdb\x40\xc8\xa7\x84\x39\x2f\x00\x4d\xff\x2f\x2d\xb9\xd2\xde\x97\x94\x3f\xac\x4a\x97\xc1\xd8\x52\x76\x44\xb7\xb5\xf4\x37\xa7\+            \\xb8\x2c\xba\xef\xd7\x51\xd1\x59\x6f\xf7\xf0\xed\x5a\x09\x7a\x1f\x82\x7b\x68\xd0\x90\xec\xf5\x2e\x22\xb0\xc0\x54\xbc\x8e\x59\x35\+            \\x4b\x6d\x2f\x7f\x50\xbb\x64\xa2\xd2\x66\x49\x10\xbe\xe5\x81\x2d\xb7\x33\x22\x90\xe9\x3b\x15\x9f\xb4\x8e\xe4\x11\x4b\xff\x34\x5d\+            \\xfd\x45\xc2\x40\xad\x31\x97\x3f\xc4\xf6\xd0\x2e\x55\xfc\x81\x65\xd5\xb1\xca\xad\xa1\xac\x2d\xae\xa2\xd4\xb7\x6d\xc1\x9b\x0c\x50\+            \\x88\x22\x40\xf2\x0c\x6e\x4f\x38\xa4\xe4\xbf\xd7\x4f\x5b\xa2\x72\x56\x4c\x1d\x2f\xc5\x9c\x53\x19\xb9\x49\xe3\x54\xb0\x46\x69\xfe\+            \\xb1\xb6\xab\x8a\xc7\x13\x58\xdd\x63\x85\xc5\x45\x11\x0f\x93\x5d\x57\x53\x8a\xd5\x6a\x39\x04\x93\xe6\x3d\x37\xe0\x2a\x54\xf6\xb3\+            \\x3a\x78\x7d\x5f\x62\x76\xa0\xb5\x19\xa6\xfc\xdf\x7a\x42\x20\x6a\x29\xf9\xd4\xd5\xf6\x1b\x18\x91\xbb\x72\x27\x5e\xaa\x50\x81\x67\+            \\x38\x90\x10\x91\xc6\xb5\x05\xeb\x84\xc7\xcb\x8c\x2a\xd7\x5a\x0f\x87\x4a\x14\x27\xa2\xd1\x93\x6b\x2a\xd2\x86\xaf\xaa\x56\xd2\x91\+            \\xd7\x89\x43\x60\x42\x5c\x75\x0d\x93\xb3\x9e\x26\x18\x71\x84\xc9\x6c\x00\xb3\x2d\x73\xe2\xbb\x14\xa0\xbe\xbc\x3c\x54\x62\x37\x79\+            \\x64\x45\x9e\xab\x3f\x32\x8b\x82\x77\x18\xcf\x82\x59\xa2\xce\xa6\x04\xee\x00\x2e\x89\xfe\x78\xe6\x3f\xab\x09\x50\x32\x5f\xf6\xc2\+            \\x81\x38\x3f\x05\x69\x63\xc5\xc8\x76\xcb\x5a\xd6\xd4\x99\x74\xc9\xca\x18\x0d\xcf\x38\x07\x82\xd5\xc7\xfa\x5c\xf6\x8a\xc3\x15\x11\+            \\x35\xe7\x9e\x13\x47\xda\x91\xd0\xf4\x0f\x90\x86\xa7\xe2\x41\x9e\x31\x36\x62\x41\x05\x1e\xf4\x95\xaa\x57\x3b\x04\x4a\x80\x5d\x8d\+            \\x54\x83\x00\xd0\x00\x32\x2a\x3c\xbf\x64\xcd\xdf\xba\x57\xa6\x8e\x75\xc6\x37\x2b\x50\xaf\xd3\x41\xa7\xc1\x32\x75\x91\x5a\x0b\xf5\+            \\x6b\x54\xbf\xab\x2b\x0b\x14\x26\xab\x4c\xc9\xd7\x44\x9c\xcd\x82\xf7\xfb\xf2\x65\xab\x85\xc5\xf3\x1b\x55\xdb\x94\xaa\xd4\xe3\x24\+            \\xcf\xa4\xbd\x3f\x2d\xea\xa3\xe2\x9e\x20\x4d\x02\xc8\xbd\x25\xac\xea\xdf\x55\xb3\xd5\xbd\x9e\x98\xe3\x12\x31\xb2\x2a\xd5\xad\x6c\+            \\x95\x43\x29\xde\xad\xbe\x45\x28\xd8\x71\x0f\x69\xaa\x51\xc9\x0f\xaa\x78\x6b\xf6\x22\x51\x3f\x1e\xaa\x51\xa7\x9b\x2a\xd3\x44\xcc\+            \\x7b\x5a\x41\xf0\xd3\x7c\xfb\xad\x1b\x06\x95\x05\x41\xec\xe4\x91\xb4\xc3\x32\xe6\x03\x22\x68\xd4\xc9\x60\x0a\xcc\xce\x38\x7e\x6d\+            \\xbf\x6b\xb1\x6c\x6a\x70\xfb\x78\x0d\x03\xd9\xc9\xd4\xdf\x39\xde\xe0\x10\x63\xda\x47\x36\xf4\x64\x5a\xd3\x28\xd8\xb3\x47\xcc\x96\+            \\x75\xbb\x0f\xc3\x98\x51\x1b\xfb\x4f\xfb\xcc\x35\xb5\x8b\xcf\x6a\xe1\x1f\x0a\xbc\xbf\xc5\xfe\x4a\xa7\x0a\xec\x10\xac\x39\x57\x0a\+            \\x3f\x04\x44\x2f\x61\x88\xb1\x53\xe0\x39\x7a\x2e\x57\x27\xcb\x79\x9c\xeb\x41\x8f\x1c\xac\xd6\x8d\x2a\xd3\x7c\x96\x01\x75\xcb\x9d\+            \\xc6\x9d\xff\x09\xc7\x5b\x65\xf0\xd9\xdb\x40\xd8\xec\x0e\x77\x79\x47\x44\xea\xd4\xb1\x1c\x32\x74\xdd\x24\xcb\x9e\x7e\x1c\x54\xbd\+            \\xf0\x11\x44\xf9\xd2\x24\x0e\xb1\x96\x75\xb3\xfd\xa3\xac\x37\x55\xd4\x7c\x27\xaf\x51\xc8\x5f\x4d\x56\x90\x75\x96\xa5\xbb\x15\xe6\+            \\x58\x03\x04\xf0\xca\x04\x2c\xf1\x01\x1a\x37\xea\x8d\xbf\xaa\xdb\x35\xba\x3e\x4a\x35\x26\xff\xa0\xc3\x7b\x4d\x09\xbc\x30\x6e\xd9\+            \\x98\xa5\x26\x66\x56\x48\xf7\x25\xff\x5e\x56\x9d\x0c\xed\x63\xd0\x7c\x63\xb2\xcf\x70\x0b\x45\xe1\xd5\xea\x50\xf1\x85\xa9\x28\x72\+            \\xaf\x1f\xbd\xa7\xd4\x23\x48\x70\xa7\x87\x0b\xf3\x2d\x3b\x4d\x79\x42\xe0\x41\x98\x0c\xd0\xed\xe7\x26\x47\x0d\xb8\xf8\x81\x81\x4c\+            \\x47\x4d\x6a\xd7\x7c\x0c\x5e\x5c\xd1\x23\x19\x59\x38\x1b\x72\x98\xf5\xd2\xf4\xdb\xab\x83\x86\x53\x6e\x2f\x1e\x23\x83\x71\x9c\x9e\+            \\xbd\x91\xe0\x46\x9a\x56\x45\x6e\xdc\x39\x20\x0c\x20\xc8\xc5\x71\x96\x2b\xda\x1c\xe1\xe6\x96\xff\xb1\x41\xab\x08\x7c\xca\x89\xb9\+            \\x1a\x69\xe7\x83\x02\xcc\x48\x43\xa2\xf7\xc5\x79\x42\x9e\xf4\x7d\x42\x7b\x16\x9c\x5a\xc9\xf0\x49\xdd\x8f\x0f\x00\x5c\x81\x65\xbf"#++sbox_s2 :: Word8 -> Word32+sbox_s2 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\x1f\x20\x10\x94\xef\x0b\xa7\x5b\x69\xe3\xcf\x7e\x39\x3f\x43\x80\xfe\x61\xcf\x7a\xee\xc5\x20\x7a\x55\x88\x9c\x94\x72\xfc\x06\x51\+            \\xad\xa7\xef\x79\x4e\x1d\x72\x35\xd5\x5a\x63\xce\xde\x04\x36\xba\x99\xc4\x30\xef\x5f\x0c\x07\x94\x18\xdc\xdb\x7d\xa1\xd6\xef\xf3\+            \\xa0\xb5\x2f\x7b\x59\xe8\x36\x05\xee\x15\xb0\x94\xe9\xff\xd9\x09\xdc\x44\x00\x86\xef\x94\x44\x59\xba\x83\xcc\xb3\xe0\xc3\xcd\xfb\+            \\xd1\xda\x41\x81\x3b\x09\x2a\xb1\xf9\x97\xf1\xc1\xa5\xe6\xcf\x7b\x01\x42\x0d\xdb\xe4\xe7\xef\x5b\x25\xa1\xff\x41\xe1\x80\xf8\x06\+            \\x1f\xc4\x10\x80\x17\x9b\xee\x7a\xd3\x7a\xc6\xa9\xfe\x58\x30\xa4\x98\xde\x8b\x7f\x77\xe8\x3f\x4e\x79\x92\x92\x69\x24\xfa\x9f\x7b\+            \\xe1\x13\xc8\x5b\xac\xc4\x00\x83\xd7\x50\x35\x25\xf7\xea\x61\x5f\x62\x14\x31\x54\x0d\x55\x4b\x63\x5d\x68\x11\x21\xc8\x66\xc3\x59\+            \\x3d\x63\xcf\x73\xce\xe2\x34\xc0\xd4\xd8\x7e\x87\x5c\x67\x2b\x21\x07\x1f\x61\x81\x39\xf7\x62\x7f\x36\x1e\x30\x84\xe4\xeb\x57\x3b\+            \\x60\x2f\x64\xa4\xd6\x3a\xcd\x9c\x1b\xbc\x46\x35\x9e\x81\x03\x2d\x27\x01\xf5\x0c\x99\x84\x7a\xb4\xa0\xe3\xdf\x79\xba\x6c\xf3\x8c\+            \\x10\x84\x30\x94\x25\x37\xa9\x5e\xf4\x6f\x6f\xfe\xa1\xff\x3b\x1f\x20\x8c\xfb\x6a\x8f\x45\x8c\x74\xd9\xe0\xa2\x27\x4e\xc7\x3a\x34\+            \\xfc\x88\x4f\x69\x3e\x4d\xe8\xdf\xef\x0e\x00\x88\x35\x59\x64\x8d\x8a\x45\x38\x8c\x1d\x80\x43\x66\x72\x1d\x9b\xfd\xa5\x86\x84\xbb\+            \\xe8\x25\x63\x33\x84\x4e\x82\x12\x12\x8d\x80\x98\xfe\xd3\x3f\xb4\xce\x28\x0a\xe1\x27\xe1\x9b\xa5\xd5\xa6\xc2\x52\xe4\x97\x54\xbd\+            \\xc5\xd6\x55\xdd\xeb\x66\x70\x64\x77\x84\x0b\x4d\xa1\xb6\xa8\x01\x84\xdb\x26\xa9\xe0\xb5\x67\x14\x21\xf0\x43\xb7\xe5\xd0\x58\x60\+            \\x54\xf0\x30\x84\x06\x6f\xf4\x72\xa3\x1a\xa1\x53\xda\xdc\x47\x55\xb5\x62\x5d\xbf\x68\x56\x1b\xe6\x83\xca\x6b\x94\x2d\x6e\xd2\x3b\+            \\xec\xcf\x01\xdb\xa6\xd3\xd0\xba\xb6\x80\x3d\x5c\xaf\x77\xa7\x09\x33\xb4\xa3\x4c\x39\x7b\xc8\xd6\x5e\xe2\x2b\x95\x5f\x0e\x53\x04\+            \\x81\xed\x6f\x61\x20\xe7\x43\x64\xb4\x5e\x13\x78\xde\x18\x63\x9b\x88\x1c\xa1\x22\xb9\x67\x26\xd1\x80\x49\xa7\xe8\x22\xb7\xda\x7b\+            \\x5e\x55\x2d\x25\x52\x72\xd2\x37\x79\xd2\x95\x1c\xc6\x0d\x89\x4c\x48\x8c\xb4\x02\x1b\xa4\xfe\x5b\xa4\xb0\x9f\x6b\x1c\xa8\x15\xcf\+            \\xa2\x0c\x30\x05\x88\x71\xdf\x63\xb9\xde\x2f\xcb\x0c\xc6\xc9\xe9\x0b\xee\xff\x53\xe3\x21\x45\x17\xb4\x54\x28\x35\x9f\x63\x29\x3c\+            \\xee\x41\xe7\x29\x6e\x1d\x2d\x7c\x50\x04\x52\x86\x1e\x66\x85\xf3\xf3\x34\x01\xc6\x30\xa2\x2c\x95\x31\xa7\x08\x50\x60\x93\x0f\x13\+            \\x73\xf9\x84\x17\xa1\x26\x98\x59\xec\x64\x5c\x44\x52\xc8\x77\xa9\xcd\xff\x33\xa6\xa0\x2b\x17\x41\x7c\xba\xd9\xa2\x21\x80\x03\x6f\+            \\x50\xd9\x9c\x08\xcb\x3f\x48\x61\xc2\x6b\xd7\x65\x64\xa3\xf6\xab\x80\x34\x26\x76\x25\xa7\x5e\x7b\xe4\xe6\xd1\xfc\x20\xc7\x10\xe6\+            \\xcd\xf0\xb6\x80\x17\x84\x4d\x3b\x31\xee\xf8\x4d\x7e\x08\x24\xe4\x2c\xcb\x49\xeb\x84\x6a\x3b\xae\x8f\xf7\x78\x88\xee\x5d\x60\xf6\+            \\x7a\xf7\x56\x73\x2f\xdd\x5c\xdb\xa1\x16\x31\xc1\x30\xf6\x6f\x43\xb3\xfa\xec\x54\x15\x7f\xd7\xfa\xef\x85\x79\xcc\xd1\x52\xde\x58\+            \\xdb\x2f\xfd\x5e\x8f\x32\xce\x19\x30\x6a\xf9\x7a\x02\xf0\x3e\xf8\x99\x31\x9a\xd5\xc2\x42\xfa\x0f\xa7\xe3\xeb\xb0\xc6\x8e\x49\x06\+            \\xb8\xda\x23\x0c\x80\x82\x30\x28\xdc\xde\xf3\xc8\xd3\x5f\xb1\x71\x08\x8a\x1b\xc8\xbe\xc0\xc5\x60\x61\xa3\xc9\xe8\xbc\xa8\xf5\x4d\+            \\xc7\x2f\xef\xfa\x22\x82\x2e\x99\x82\xc5\x70\xb4\xd8\xd9\x4e\x89\x8b\x1c\x34\xbc\x30\x1e\x16\xe6\x27\x3b\xe9\x79\xb0\xff\xea\xa6\+            \\x61\xd9\xb8\xc6\x00\xb2\x48\x69\xb7\xff\xce\x3f\x08\xdc\x28\x3b\x43\xda\xf6\x5a\xf7\xe1\x97\x98\x76\x19\xb7\x2f\x8f\x1c\x9b\xa4\+            \\xdc\x86\x37\xa0\x16\xa7\xd3\xb1\x9f\xc3\x93\xb7\xa7\x13\x6e\xeb\xc6\xbc\xc6\x3e\x1a\x51\x37\x42\xef\x68\x28\xbc\x52\x03\x65\xd6\+            \\x2d\x6a\x77\xab\x35\x27\xed\x4b\x82\x1f\xd2\x16\x09\x5c\x6e\x2e\xdb\x92\xf2\xfb\x5e\xea\x29\xcb\x14\x58\x92\xf5\x91\x58\x4f\x7f\+            \\x54\x83\x69\x7b\x26\x67\xa8\xcc\x85\x19\x60\x48\x8c\x4b\xac\xea\x83\x38\x60\xd4\x0d\x23\xe0\xf9\x6c\x38\x7e\x8a\x0a\xe6\xd2\x49\+            \\xb2\x84\x60\x0c\xd8\x35\x73\x1d\xdc\xb1\xc6\x47\xac\x4c\x56\xea\x3e\xbd\x81\xb3\x23\x0e\xab\xb0\x64\x38\xbc\x87\xf0\xb5\xb1\xfa\+            \\x8f\x5e\xa2\xb3\xfc\x18\x46\x42\x0a\x03\x6b\x7a\x4f\xb0\x89\xbd\x64\x9d\xa5\x89\xa3\x45\x41\x5e\x5c\x03\x83\x23\x3e\x5d\x3b\xb9\+            \\x43\xd7\x95\x72\x7e\x6d\xd0\x7c\x06\xdf\xdf\x1e\x6c\x6c\xc4\xef\x71\x60\xa5\x39\x73\xbf\xbe\x70\x83\x87\x76\x05\x45\x23\xec\xf1"#++sbox_s3 :: Word8 -> Word32+sbox_s3 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\x8d\xef\xc2\x40\x25\xfa\x5d\x9f\xeb\x90\x3d\xbf\xe8\x10\xc9\x07\x47\x60\x7f\xff\x36\x9f\xe4\x4b\x8c\x1f\xc6\x44\xae\xce\xca\x90\+            \\xbe\xb1\xf9\xbf\xee\xfb\xca\xea\xe8\xcf\x19\x50\x51\xdf\x07\xae\x92\x0e\x88\x06\xf0\xad\x05\x48\xe1\x3c\x8d\x83\x92\x70\x10\xd5\+            \\x11\x10\x7d\x9f\x07\x64\x7d\xb9\xb2\xe3\xe4\xd4\x3d\x4f\x28\x5e\xb9\xaf\xa8\x20\xfa\xde\x82\xe0\xa0\x67\x26\x8b\x82\x72\x79\x2e\+            \\x55\x3f\xb2\xc0\x48\x9a\xe2\x2b\xd4\xef\x97\x94\x12\x5e\x3f\xbc\x21\xff\xfc\xee\x82\x5b\x1b\xfd\x92\x55\xc5\xed\x12\x57\xa2\x40\+            \\x4e\x1a\x83\x02\xba\xe0\x7f\xff\x52\x82\x46\xe7\x8e\x57\x14\x0e\x33\x73\xf7\xbf\x8c\x9f\x81\x88\xa6\xfc\x4e\xe8\xc9\x82\xb5\xa5\+            \\xa8\xc0\x1d\xb7\x57\x9f\xc2\x64\x67\x09\x4f\x31\xf2\xbd\x3f\x5f\x40\xff\xf7\xc1\x1f\xb7\x8d\xfc\x8e\x6b\xd2\xc1\x43\x7b\xe5\x9b\+            \\x99\xb0\x3d\xbf\xb5\xdb\xc6\x4b\x63\x8d\xc0\xe6\x55\x81\x9d\x99\xa1\x97\xc8\x1c\x4a\x01\x2d\x6e\xc5\x88\x4a\x28\xcc\xc3\x6f\x71\+            \\xb8\x43\xc2\x13\x6c\x07\x43\xf1\x83\x09\x89\x3c\x0f\xed\xdd\x5f\x2f\x7f\xe8\x50\xd7\xc0\x7f\x7e\x02\x50\x7f\xbf\x5a\xfb\x9a\x04\+            \\xa7\x47\xd2\xd0\x16\x51\x19\x2e\xaf\x70\xbf\x3e\x58\xc3\x13\x80\x5f\x98\x30\x2e\x72\x7c\xc3\xc4\x0a\x0f\xb4\x02\x0f\x7f\xef\x82\+            \\x8c\x96\xfd\xad\x5d\x2c\x2a\xae\x8e\xe9\x9a\x49\x50\xda\x88\xb8\x84\x27\xf4\xa0\x1e\xac\x57\x90\x79\x6f\xb4\x49\x82\x52\xdc\x15\+            \\xef\xbd\x7d\x9b\xa6\x72\x59\x7d\xad\xa8\x40\xd8\x45\xf5\x45\x04\xfa\x5d\x74\x03\xe8\x3e\xc3\x05\x4f\x91\x75\x1a\x92\x56\x69\xc2\+            \\x23\xef\xe9\x41\xa9\x03\xf1\x2e\x60\x27\x0d\xf2\x02\x76\xe4\xb6\x94\xfd\x65\x74\x92\x79\x85\xb2\x82\x76\xdb\xcb\x02\x77\x81\x76\+            \\xf8\xaf\x91\x8d\x4e\x48\xf7\x9e\x8f\x61\x6d\xdf\xe2\x9d\x84\x0e\x84\x2f\x7d\x83\x34\x0c\xe5\xc8\x96\xbb\xb6\x82\x93\xb4\xb1\x48\+            \\xef\x30\x3c\xab\x98\x4f\xaf\x28\x77\x9f\xaf\x9b\x92\xdc\x56\x0d\x22\x4d\x1e\x20\x84\x37\xaa\x88\x7d\x29\xdc\x96\x27\x56\xd3\xdc\+            \\x8b\x90\x7c\xee\xb5\x1f\xd2\x40\xe7\xc0\x7c\xe3\xe5\x66\xb4\xa1\xc3\xe9\x61\x5e\x3c\xf8\x20\x9d\x60\x94\xd1\xe3\xcd\x9c\xa3\x41\+            \\x5c\x76\x46\x0e\x00\xea\x98\x3b\xd4\xd6\x78\x81\xfd\x47\x57\x2c\xf7\x6c\xed\xd9\xbd\xa8\x22\x9c\x12\x7d\xad\xaa\x43\x8a\x07\x4e\+            \\x1f\x97\xc0\x90\x08\x1b\xdb\x8a\x93\xa0\x7e\xbe\xb9\x38\xca\x15\x97\xb0\x3c\xff\x3d\xc2\xc0\xf8\x8d\x1a\xb2\xec\x64\x38\x0e\x51\+            \\x68\xcc\x7b\xfb\xd9\x0f\x27\x88\x12\x49\x01\x81\x5d\xe5\xff\xd4\xdd\x7e\xf8\x6a\x76\xa2\xe2\x14\xb9\xa4\x03\x68\x92\x5d\x95\x8f\+            \\x4b\x39\xff\xfa\xba\x39\xae\xe9\xa4\xff\xd3\x0b\xfa\xf7\x93\x3b\x6d\x49\x86\x23\x19\x3c\xbc\xfa\x27\x62\x75\x45\x82\x5c\xf4\x7a\+            \\x61\xbd\x8b\xa0\xd1\x1e\x42\xd1\xce\xad\x04\xf4\x12\x7e\xa3\x92\x10\x42\x8d\xb7\x82\x72\xa9\x72\x92\x70\xc4\xa8\x12\x7d\xe5\x0b\+            \\x28\x5b\xa1\xc8\x3c\x62\xf4\x4f\x35\xc0\xea\xa5\xe8\x05\xd2\x31\x42\x89\x29\xfb\xb4\xfc\xdf\x82\x4f\xb6\x6a\x53\x0e\x7d\xc1\x5b\+            \\x1f\x08\x1f\xab\x10\x86\x18\xae\xfc\xfd\x08\x6d\xf9\xff\x28\x89\x69\x4b\xcc\x11\x23\x6a\x5c\xae\x12\xde\xca\x4d\x2c\x3f\x8c\xc5\+            \\xd2\xd0\x2d\xfe\xf8\xef\x58\x96\xe4\xcf\x52\xda\x95\x15\x5b\x67\x49\x4a\x48\x8c\xb9\xb6\xa8\x0c\x5c\x8f\x82\xbc\x89\xd3\x6b\x45\+            \\x3a\x60\x94\x37\xec\x00\xc9\xa9\x44\x71\x52\x53\x0a\x87\x4b\x49\xd7\x73\xbc\x40\x7c\x34\x67\x1c\x02\x71\x7e\xf6\x4f\xeb\x55\x36\+            \\xa2\xd0\x2f\xff\xd2\xbf\x60\xc4\xd4\x3f\x03\xc0\x50\xb4\xef\x6d\x07\x47\x8c\xd1\x00\x6e\x18\x88\xa2\xe5\x3f\x55\xb9\xe6\xd4\xbc\+            \\xa2\x04\x80\x16\x97\x57\x38\x33\xd7\x20\x7d\x67\xde\x0f\x8f\x3d\x72\xf8\x7b\x33\xab\xcc\x4f\x33\x76\x88\xc5\x5d\x7b\x00\xa6\xb0\+            \\x94\x7b\x00\x01\x57\x00\x75\xd2\xf9\xbb\x88\xf8\x89\x42\x01\x9e\x42\x64\xa5\xff\x85\x63\x02\xe0\x72\xdb\xd9\x2b\xee\x97\x1b\x69\+            \\x6e\xa2\x2f\xde\x5f\x08\xae\x2b\xaf\x7a\x61\x6d\xe5\xc9\x87\x67\xcf\x1f\xeb\xd2\x61\xef\xc8\xc2\xf1\xac\x25\x71\xcc\x82\x39\xc2\+            \\x67\x21\x4c\xb8\xb1\xe5\x83\xd1\xb7\xdc\x3e\x62\x7f\x10\xbd\xce\xf9\x0a\x5c\x38\x0f\xf0\x44\x3d\x60\x6e\x6d\xc6\x60\x54\x3a\x49\+            \\x57\x27\xc1\x48\x2b\xe9\x8a\x1d\x8a\xb4\x17\x38\x20\xe1\xbe\x24\xaf\x96\xda\x0f\x68\x45\x84\x25\x99\x83\x3b\xe5\x60\x0d\x45\x7d\+            \\x28\x2f\x93\x50\x83\x34\xb3\x62\xd9\x1d\x11\x20\x2b\x6d\x8d\xa0\x64\x2b\x1e\x31\x9c\x30\x5a\x00\x52\xbc\xe6\x88\x1b\x03\x58\x8a\+            \\xf7\xba\xef\xd5\x41\x42\xed\x9c\xa4\x31\x5c\x11\x83\x32\x3e\xc5\xdf\xef\x46\x36\xa1\x33\xc5\x01\xe9\xd3\x53\x1c\xee\x35\x37\x83"#++sbox_s4 :: Word8 -> Word32+sbox_s4 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\x9d\xb3\x04\x20\x1f\xb6\xe9\xde\xa7\xbe\x7b\xef\xd2\x73\xa2\x98\x4a\x4f\x7b\xdb\x64\xad\x8c\x57\x85\x51\x04\x43\xfa\x02\x0e\xd1\+            \\x7e\x28\x7a\xff\xe6\x0f\xb6\x63\x09\x5f\x35\xa1\x79\xeb\xf1\x20\xfd\x05\x9d\x43\x64\x97\xb7\xb1\xf3\x64\x1f\x63\x24\x1e\x4a\xdf\+            \\x28\x14\x7f\x5f\x4f\xa2\xb8\xcd\xc9\x43\x00\x40\x0c\xc3\x22\x20\xfd\xd3\x0b\x30\xc0\xa5\x37\x4f\x1d\x2d\x00\xd9\x24\x14\x7b\x15\+            \\xee\x4d\x11\x1a\x0f\xca\x51\x67\x71\xff\x90\x4c\x2d\x19\x5f\xfe\x1a\x05\x64\x5f\x0c\x13\xfe\xfe\x08\x1b\x08\xca\x05\x17\x01\x21\+            \\x80\x53\x01\x00\xe8\x3e\x5e\xfe\xac\x9a\xf4\xf8\x7f\xe7\x27\x01\xd2\xb8\xee\x5f\x06\xdf\x42\x61\xbb\x9e\x9b\x8a\x72\x93\xea\x25\+            \\xce\x84\xff\xdf\xf5\x71\x88\x01\x3d\xd6\x4b\x04\xa2\x6f\x26\x3b\x7e\xd4\x84\x00\x54\x7e\xeb\xe6\x44\x6d\x4c\xa0\x6c\xf3\xd6\xf5\+            \\x26\x49\xab\xdf\xae\xa0\xc7\xf5\x36\x33\x8c\xc1\x50\x3f\x7e\x93\xd3\x77\x20\x61\x11\xb6\x38\xe1\x72\x50\x0e\x03\xf8\x0e\xb2\xbb\+            \\xab\xe0\x50\x2e\xec\x8d\x77\xde\x57\x97\x1e\x81\xe1\x4f\x67\x46\xc9\x33\x54\x00\x69\x20\x31\x8f\x08\x1d\xbb\x99\xff\xc3\x04\xa5\+            \\x4d\x35\x18\x05\x7f\x3d\x5c\xe3\xa6\xc8\x66\xc6\x5d\x5b\xcc\xa9\xda\xec\x6f\xea\x9f\x92\x6f\x91\x9f\x46\x22\x2f\x39\x91\x46\x7d\+            \\xa5\xbf\x6d\x8e\x11\x43\xc4\x4f\x43\x95\x83\x02\xd0\x21\x4e\xeb\x02\x20\x83\xb8\x3f\xb6\x18\x0c\x18\xf8\x93\x1e\x28\x16\x58\xe6\+            \\x26\x48\x6e\x3e\x8b\xd7\x8a\x70\x74\x77\xe4\xc1\xb5\x06\xe0\x7c\xf3\x2d\x0a\x25\x79\x09\x8b\x02\xe4\xea\xbb\x81\x28\x12\x3b\x23\+            \\x69\xde\xad\x38\x15\x74\xca\x16\xdf\x87\x1b\x62\x21\x1c\x40\xb7\xa5\x1a\x9e\xf9\x00\x14\x37\x7b\x04\x1e\x8a\xc8\x09\x11\x40\x03\+            \\xbd\x59\xe4\xd2\xe3\xd1\x56\xd5\x4f\xe8\x76\xd5\x2f\x91\xa3\x40\x55\x7b\xe8\xde\x00\xea\xe4\xa7\x0c\xe5\xc2\xec\x4d\xb4\xbb\xa6\+            \\xe7\x56\xbd\xff\xdd\x33\x69\xac\xec\x17\xb0\x35\x06\x57\x23\x27\x99\xaf\xc8\xb0\x56\xc8\xc3\x91\x6b\x65\x81\x1c\x5e\x14\x61\x19\+            \\x6e\x85\xcb\x75\xbe\x07\xc0\x02\xc2\x32\x55\x77\x89\x3f\xf4\xec\x5b\xbf\xc9\x2d\xd0\xec\x3b\x25\xb7\x80\x1a\xb7\x8d\x6d\x3b\x24\+            \\x20\xc7\x63\xef\xc3\x66\xa5\xfc\x9c\x38\x28\x80\x0a\xce\x32\x05\xaa\xc9\x54\x8a\xec\xa1\xd7\xc7\x04\x1a\xfa\x32\x1d\x16\x62\x5a\+            \\x67\x01\x90\x2c\x9b\x75\x7a\x54\x31\xd4\x77\xf7\x91\x26\xb0\x31\x36\xcc\x6f\xdb\xc7\x0b\x8b\x46\xd9\xe6\x6a\x48\x56\xe5\x5a\x79\+            \\x02\x6a\x4c\xeb\x52\x43\x7e\xff\x2f\x8f\x76\xb4\x0d\xf9\x80\xa5\x86\x74\xcd\xe3\xed\xda\x04\xeb\x17\xa9\xbe\x04\x2c\x18\xf4\xdf\+            \\xb7\x74\x7f\x9d\xab\x2a\xf7\xb4\xef\xc3\x4d\x20\x2e\x09\x6b\x7c\x17\x41\xa2\x54\xe5\xb6\xa0\x35\x21\x3d\x42\xf6\x2c\x1c\x7c\x26\+            \\x61\xc2\xf5\x0f\x65\x52\xda\xf9\xd2\xc2\x31\xf8\x25\x13\x0f\x69\xd8\x16\x7f\xa2\x04\x18\xf2\xc8\x00\x1a\x96\xa6\x0d\x15\x26\xab\+            \\x63\x31\x5c\x21\x5e\x0a\x72\xec\x49\xba\xfe\xfd\x18\x79\x08\xd9\x8d\x0d\xbd\x86\x31\x11\x70\xa7\x3e\x9b\x64\x0c\xcc\x3e\x10\xd7\+            \\xd5\xca\xd3\xb6\x0c\xae\xc3\x88\xf7\x30\x01\xe1\x6c\x72\x8a\xff\x71\xea\xe2\xa1\x1f\x9a\xf3\x6e\xcf\xcb\xd1\x2f\xc1\xde\x84\x17\+            \\xac\x07\xbe\x6b\xcb\x44\xa1\xd8\x8b\x9b\x0f\x56\x01\x39\x88\xc3\xb1\xc5\x2f\xca\xb4\xbe\x31\xcd\xd8\x78\x28\x06\x12\xa3\xa4\xe2\+            \\x6f\x7d\xe5\x32\x58\xfd\x7e\xb6\xd0\x1e\xe9\x00\x24\xad\xff\xc2\xf4\x99\x0f\xc5\x97\x11\xaa\xc5\x00\x1d\x7b\x95\x82\xe5\xe7\xd2\+            \\x10\x98\x73\xf6\x00\x61\x30\x96\xc3\x2d\x95\x21\xad\xa1\x21\xff\x29\x90\x84\x15\x7f\xbb\x97\x7f\xaf\x9e\xb3\xdb\x29\xc9\xed\x2a\+            \\x5c\xe2\xa4\x65\xa7\x30\xf3\x2c\xd0\xaa\x3f\xe8\x8a\x5c\xc0\x91\xd4\x9e\x2c\xe7\x0c\xe4\x54\xa9\xd6\x0a\xcd\x86\x01\x5f\x19\x19\+            \\x77\x07\x91\x03\xde\xa0\x3a\xf6\x78\xa8\x56\x5e\xde\xe3\x56\xdf\x21\xf0\x5c\xbe\x8b\x75\xe3\x87\xb3\xc5\x06\x51\xb8\xa5\xc3\xef\+            \\xd8\xee\xb6\xd2\xe5\x23\xbe\x77\xc2\x15\x45\x29\x2f\x69\xef\xdf\xaf\xe6\x7a\xfb\xf4\x70\xc4\xb2\xf3\xe0\xeb\x5b\xd6\xcc\x98\x76\+            \\x39\xe4\x46\x0c\x1f\xda\x85\x38\x19\x87\x83\x2f\xca\x00\x73\x67\xa9\x91\x44\xf8\x29\x6b\x29\x9e\x49\x2f\xc2\x95\x92\x66\xbe\xab\+            \\xb5\x67\x6e\x69\x9b\xd3\xdd\xda\xdf\x7e\x05\x2f\xdb\x25\x70\x1c\x1b\x5e\x51\xee\xf6\x53\x24\xe6\x6a\xfc\xe3\x6c\x03\x16\xcc\x04\+            \\x86\x44\x21\x3e\xb7\xdc\x59\xd0\x79\x65\x29\x1f\xcc\xd6\xfd\x43\x41\x82\x39\x79\x93\x2b\xcd\xf6\xb6\x57\xc3\x4d\x4e\xdf\xd2\x82\+            \\x7a\xe5\x29\x0c\x3c\xb9\x53\x6b\x85\x1e\x20\xfe\x98\x33\x55\x7e\x13\xec\xf0\xb0\xd3\xff\xb3\x72\x3f\x85\xc5\xc1\x0a\xef\x7e\xd2"#++sbox_s5 :: Word8 -> Word32+sbox_s5 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\x7e\xc9\x0c\x04\x2c\x6e\x74\xb9\x9b\x0e\x66\xdf\xa6\x33\x79\x11\xb8\x6a\x7f\xff\x1d\xd3\x58\xf5\x44\xdd\x9d\x44\x17\x31\x16\x7f\+            \\x08\xfb\xf1\xfa\xe7\xf5\x11\xcc\xd2\x05\x1b\x00\x73\x5a\xba\x00\x2a\xb7\x22\xd8\x38\x63\x81\xcb\xac\xf6\x24\x3a\x69\xbe\xfd\x7a\+            \\xe6\xa2\xe7\x7f\xf0\xc7\x20\xcd\xc4\x49\x48\x16\xcc\xf5\xc1\x80\x38\x85\x16\x40\x15\xb0\xa8\x48\xe6\x8b\x18\xcb\x4c\xaa\xde\xff\+            \\x5f\x48\x0a\x01\x04\x12\xb2\xaa\x25\x98\x14\xfc\x41\xd0\xef\xe2\x4e\x40\xb4\x8d\x24\x8e\xb6\xfb\x8d\xba\x1c\xfe\x41\xa9\x9b\x02\+            \\x1a\x55\x0a\x04\xba\x8f\x65\xcb\x72\x51\xf4\xe7\x95\xa5\x17\x25\xc1\x06\xec\xd7\x97\xa5\x98\x0a\xc5\x39\xb9\xaa\x4d\x79\xfe\x6a\+            \\xf2\xf3\xf7\x63\x68\xaf\x80\x40\xed\x0c\x9e\x56\x11\xb4\x95\x8b\xe1\xeb\x5a\x88\x87\x09\xe6\xb0\xd7\xe0\x71\x56\x4e\x29\xfe\xa7\+            \\x63\x66\xe5\x2d\x02\xd1\xc0\x00\xc4\xac\x8e\x05\x93\x77\xf5\x71\x0c\x05\x37\x2a\x57\x85\x35\xf2\x22\x61\xbe\x02\xd6\x42\xa0\xc9\+            \\xdf\x13\xa2\x80\x74\xb5\x5b\xd2\x68\x21\x99\xc0\xd4\x21\xe5\xec\x53\xfb\x3c\xe8\xc8\xad\xed\xb3\x28\xa8\x7f\xc9\x3d\x95\x99\x81\+            \\x5c\x1f\xf9\x00\xfe\x38\xd3\x99\x0c\x4e\xff\x0b\x06\x24\x07\xea\xaa\x2f\x4f\xb1\x4f\xb9\x69\x76\x90\xc7\x95\x05\xb0\xa8\xa7\x74\+            \\xef\x55\xa1\xff\xe5\x9c\xa2\xc2\xa6\xb6\x2d\x27\xe6\x6a\x42\x63\xdf\x65\x00\x1f\x0e\xc5\x09\x66\xdf\xdd\x55\xbc\x29\xde\x06\x55\+            \\x91\x1e\x73\x9a\x17\xaf\x89\x75\x32\xc7\x91\x1c\x89\xf8\x94\x68\x0d\x01\xe9\x80\x52\x47\x55\xf4\x03\xb6\x3c\xc9\x0c\xc8\x44\xb2\+            \\xbc\xf3\xf0\xaa\x87\xac\x36\xe9\xe5\x3a\x74\x26\x01\xb3\xd8\x2b\x1a\x9e\x74\x49\x64\xee\x2d\x7e\xcd\xdb\xb1\xda\x01\xc9\x49\x10\+            \\xb8\x68\xbf\x80\x0d\x26\xf3\xfd\x93\x42\xed\xe7\x04\xa5\xc2\x84\x63\x67\x37\xb6\x50\xf5\xb6\x16\xf2\x47\x66\xe3\x8e\xca\x36\xc1\+            \\x13\x6e\x05\xdb\xfe\xf1\x83\x91\xfb\x88\x7a\x37\xd6\xe7\xf7\xd4\xc7\xfb\x7d\xc9\x30\x63\xfc\xdf\xb6\xf5\x89\xde\xec\x29\x41\xda\+            \\x26\xe4\x66\x95\xb7\x56\x64\x19\xf6\x54\xef\xc5\xd0\x8d\x58\xb7\x48\x92\x54\x01\xc1\xba\xcb\x7f\xe5\xff\x55\x0f\xb6\x08\x30\x49\+            \\x5b\xb5\xd0\xe8\x87\xd7\x2e\x5a\xab\x6a\x6e\xe1\x22\x3a\x66\xce\xc6\x2b\xf3\xcd\x9e\x08\x85\xf9\x68\xcb\x3e\x47\x08\x6c\x01\x0f\+            \\xa2\x1d\xe8\x20\xd1\x8b\x69\xde\xf3\xf6\x57\x77\xfa\x02\xc3\xf6\x40\x7e\xda\xc3\xcb\xb3\xd5\x50\x17\x93\x08\x4d\xb0\xd7\x0e\xba\+            \\x0a\xb3\x78\xd5\xd9\x51\xfb\x0c\xde\xd7\xda\x56\x41\x24\xbb\xe4\x94\xca\x0b\x56\x0f\x57\x55\xd1\xe0\xe1\xe5\x6e\x61\x84\xb5\xbe\+            \\x58\x0a\x24\x9f\x94\xf7\x4b\xc0\xe3\x27\x88\x8e\x9f\x7b\x55\x61\xc3\xdc\x02\x80\x05\x68\x77\x15\x64\x6c\x6b\xd7\x44\x90\x4d\xb3\+            \\x66\xb4\xf0\xa3\xc0\xf1\x64\x8a\x69\x7e\xd5\xaf\x49\xe9\x2f\xf6\x30\x9e\x37\x4f\x2c\xb6\x35\x6a\x85\x80\x85\x73\x49\x91\xf8\x40\+            \\x76\xf0\xae\x02\x08\x3b\xe8\x4d\x28\x42\x1c\x9a\x44\x48\x94\x06\x73\x6e\x4c\xb8\xc1\x09\x29\x10\x8b\xc9\x5f\xc6\x7d\x86\x9c\xf4\+            \\x13\x4f\x61\x6f\x2e\x77\x11\x8d\xb3\x1b\x2b\xe1\xaa\x90\xb4\x72\x3c\xa5\xd7\x17\x7d\x16\x1b\xba\x9c\xad\x90\x10\xaf\x46\x2b\xa2\+            \\x9f\xe4\x59\xd2\x45\xd3\x45\x59\xd9\xf2\xda\x13\xdb\xc6\x54\x87\xf3\xe4\xf9\x4e\x17\x6d\x48\x6f\x09\x7c\x13\xea\x63\x1d\xa5\xc7\+            \\x44\x5f\x73\x82\x17\x56\x83\xf4\xcd\xc6\x6a\x97\x70\xbe\x02\x88\xb3\xcd\xcf\x72\x6e\x5d\xd2\xf3\x20\x93\x60\x79\x45\x9b\x80\xa5\+            \\xbe\x60\xe2\xdb\xa9\xc2\x31\x01\xeb\xa5\x31\x5c\x22\x4e\x42\xf2\x1c\x5c\x15\x72\xf6\x72\x1b\x2c\x1a\xd2\xff\xf3\x8c\x25\x40\x4e\+            \\x32\x4e\xd7\x2f\x40\x67\xb7\xfd\x05\x23\x13\x8e\x5c\xa3\xbc\x78\xdc\x0f\xd6\x6e\x75\x92\x22\x83\x78\x4d\x6b\x17\x58\xeb\xb1\x6e\+            \\x44\x09\x4f\x85\x3f\x48\x1d\x87\xfc\xfe\xae\x7b\x77\xb5\xff\x76\x8c\x23\x02\xbf\xaa\xf4\x75\x56\x5f\x46\xb0\x2a\x2b\x09\x28\x01\+            \\x3d\x38\xf5\xf7\x0c\xa8\x1f\x36\x52\xaf\x4a\x8a\x66\xd5\xe7\xc0\xdf\x3b\x08\x74\x95\x05\x51\x10\x1b\x5a\xd7\xa8\xf6\x1e\xd5\xad\+            \\x6c\xf6\xe4\x79\x20\x75\x81\x84\xd0\xce\xfa\x65\x88\xf7\xbe\x58\x4a\x04\x68\x26\x0f\xf6\xf8\xf3\xa0\x9c\x7f\x70\x53\x46\xab\xa0\+            \\x5c\xe9\x6c\x28\xe1\x76\xed\xa3\x6b\xac\x30\x7f\x37\x68\x29\xd2\x85\x36\x0f\xa9\x17\xe3\xfe\x2a\x24\xb7\x97\x67\xf5\xa9\x6b\x20\+            \\xd6\xcd\x25\x95\x68\xff\x1e\xbf\x75\x55\x44\x2c\xf1\x9f\x06\xbe\xf9\xe0\x65\x9a\xee\xb9\x49\x1d\x34\x01\x07\x18\xbb\x30\xca\xb8\+            \\xe8\x22\xfe\x15\x88\x57\x09\x83\x75\x0e\x62\x49\xda\x62\x7e\x55\x5e\x76\xff\xa8\xb1\x53\x45\x46\x6d\x47\xde\x08\xef\xe9\xe7\xd4"#++sbox_s6 :: Word8 -> Word32+sbox_s6 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\xf6\xfa\x8f\x9d\x2c\xac\x6c\xe1\x4c\xa3\x48\x67\xe2\x33\x7f\x7c\x95\xdb\x08\xe7\x01\x68\x43\xb4\xec\xed\x5c\xbc\x32\x55\x53\xac\+            \\xbf\x9f\x09\x60\xdf\xa1\xe2\xed\x83\xf0\x57\x9d\x63\xed\x86\xb9\x1a\xb6\xa6\xb8\xde\x5e\xbe\x39\xf3\x8f\xf7\x32\x89\x89\xb1\x38\+            \\x33\xf1\x49\x61\xc0\x19\x37\xbd\xf5\x06\xc6\xda\xe4\x62\x5e\x7e\xa3\x08\xea\x99\x4e\x23\xe3\x3c\x79\xcb\xd7\xcc\x48\xa1\x43\x67\+            \\xa3\x14\x96\x19\xfe\xc9\x4b\xd5\xa1\x14\x17\x4a\xea\xa0\x18\x66\xa0\x84\xdb\x2d\x09\xa8\x48\x6f\xa8\x88\x61\x4a\x29\x00\xaf\x98\+            \\x01\x66\x59\x91\xe1\x99\x28\x63\xc8\xf3\x0c\x60\x2e\x78\xef\x3c\xd0\xd5\x19\x32\xcf\x0f\xec\x14\xf7\xca\x07\xd2\xd0\xa8\x20\x72\+            \\xfd\x41\x19\x7e\x93\x05\xa6\xb0\xe8\x6b\xe3\xda\x74\xbe\xd3\xcd\x37\x2d\xa5\x3c\x4c\x7f\x44\x48\xda\xb5\xd4\x40\x6d\xba\x0e\xc3\+            \\x08\x39\x19\xa7\x9f\xba\xee\xd9\x49\xdb\xcf\xb0\x4e\x67\x0c\x53\x5c\x3d\x9c\x01\x64\xbd\xb9\x41\x2c\x0e\x63\x6a\xba\x7d\xd9\xcd\+            \\xea\x6f\x73\x88\xe7\x0b\xc7\x62\x35\xf2\x9a\xdb\x5c\x4c\xdd\x8d\xf0\xd4\x8d\x8c\xb8\x81\x53\xe2\x08\xa1\x98\x66\x1a\xe2\xea\xc8\+            \\x28\x4c\xaf\x89\xaa\x92\x82\x23\x93\x34\xbe\x53\x3b\x3a\x21\xbf\x16\x43\x4b\xe3\x9a\xea\x39\x06\xef\xe8\xc3\x6e\xf8\x90\xcd\xd9\+            \\x80\x22\x6d\xae\xc3\x40\xa4\xa3\xdf\x7e\x9c\x09\xa6\x94\xa8\x07\x5b\x7c\x5e\xcc\x22\x1d\xb3\xa6\x9a\x69\xa0\x2f\x68\x81\x8a\x54\+            \\xce\xb2\x29\x6f\x53\xc0\x84\x3a\xfe\x89\x36\x55\x25\xbf\xe6\x8a\xb4\x62\x8a\xbc\xcf\x22\x2e\xbf\x25\xac\x6f\x48\xa9\xa9\x93\x87\+            \\x53\xbd\xdb\x65\xe7\x6f\xfb\xe7\xe9\x67\xfd\x78\x0b\xa9\x35\x63\x8e\x34\x2b\xc1\xe8\xa1\x1b\xe9\x49\x80\x74\x0d\xc8\x08\x7d\xfc\+            \\x8d\xe4\xbf\x99\xa1\x11\x01\xa0\x7f\xd3\x79\x75\xda\x5a\x26\xc0\xe8\x1f\x99\x4f\x95\x28\xcd\x89\xfd\x33\x9f\xed\xb8\x78\x34\xbf\+            \\x5f\x04\x45\x6d\x22\x25\x86\x98\xc9\xc4\xc8\x3b\x2d\xc1\x56\xbe\x4f\x62\x8d\xaa\x57\xf5\x5e\xc5\xe2\x22\x0a\xbe\xd2\x91\x6e\xbf\+            \\x4e\xc7\x5b\x95\x24\xf2\xc3\xc0\x42\xd1\x5d\x99\xcd\x0d\x7f\xa0\x7b\x6e\x27\xff\xa8\xdc\x8a\xf0\x73\x45\xc1\x06\xf4\x1e\x23\x2f\+            \\x35\x16\x23\x86\xe6\xea\x89\x26\x33\x33\xb0\x94\x15\x7e\xc6\xf2\x37\x2b\x74\xaf\x69\x25\x73\xe4\xe9\xa9\xd8\x48\xf3\x16\x02\x89\+            \\x3a\x62\xef\x1d\xa7\x87\xe2\x38\xf3\xa5\xf6\x76\x74\x36\x48\x53\x20\x95\x10\x63\x45\x76\x69\x8d\xb6\xfa\xd4\x07\x59\x2a\xf9\x50\+            \\x36\xf7\x35\x23\x4c\xfb\x6e\x87\x7d\xa4\xce\xc0\x6c\x15\x2d\xaa\xcb\x03\x96\xa8\xc5\x0d\xfe\x5d\xfc\xd7\x07\xab\x09\x21\xc4\x2f\+            \\x89\xdf\xf0\xbb\x5f\xe2\xbe\x78\x44\x8f\x4f\x33\x75\x46\x13\xc9\x2b\x05\xd0\x8d\x48\xb9\xd5\x85\xdc\x04\x94\x41\xc8\x09\x8f\x9b\+            \\x7d\xed\xe7\x86\xc3\x9a\x33\x73\x42\x41\x00\x05\x6a\x09\x17\x51\x0e\xf3\xc8\xa6\x89\x00\x72\xd6\x28\x20\x76\x82\xa9\xa9\xf7\xbe\+            \\xbf\x32\x67\x9d\xd4\x5b\x5b\x75\xb3\x53\xfd\x00\xcb\xb0\xe3\x58\x83\x0f\x22\x0a\x1f\x8f\xb2\x14\xd3\x72\xcf\x08\xcc\x3c\x4a\x13\+            \\x8c\xf6\x31\x66\x06\x1c\x87\xbe\x88\xc9\x8f\x88\x60\x62\xe3\x97\x47\xcf\x8e\x7a\xb6\xc8\x52\x83\x3c\xc2\xac\xfb\x3f\xc0\x69\x76\+            \\x4e\x8f\x02\x52\x64\xd8\x31\x4d\xda\x38\x70\xe3\x1e\x66\x54\x59\xc1\x09\x08\xf0\x51\x30\x21\xa5\x6c\x5b\x68\xb7\x82\x2f\x8a\xa0\+            \\x30\x07\xcd\x3e\x74\x71\x9e\xef\xdc\x87\x26\x81\x07\x33\x40\xd4\x7e\x43\x2f\xd9\x0c\x5e\xc2\x41\x88\x09\x28\x6c\xf5\x92\xd8\x91\+            \\x08\xa9\x30\xf6\x95\x7e\xf3\x05\xb7\xfb\xff\xbd\xc2\x66\xe9\x6f\x6f\xe4\xac\x98\xb1\x73\xec\xc0\xbc\x60\xb4\x2a\x95\x34\x98\xda\+            \\xfb\xa1\xae\x12\x2d\x4b\xd7\x36\x0f\x25\xfa\xab\xa4\xf3\xfc\xeb\xe2\x96\x91\x23\x25\x7f\x0c\x3d\x93\x48\xaf\x49\x36\x14\x00\xbc\+            \\xe8\x81\x6f\x4a\x38\x14\xf2\x00\xa3\xf9\x40\x43\x9c\x7a\x54\xc2\xbc\x70\x4f\x57\xda\x41\xe7\xf9\xc2\x5a\xd3\x3a\x54\xf4\xa0\x84\+            \\xb1\x7f\x55\x05\x59\x35\x7c\xbe\xed\xbd\x15\xc8\x7f\x97\xc5\xab\xba\x5a\xc7\xb5\xb6\xf6\xde\xaf\x3a\x47\x9c\x3a\x53\x02\xda\x25\+            \\x65\x3d\x7e\x6a\x54\x26\x8d\x49\x51\xa4\x77\xea\x50\x17\xd5\x5b\xd7\xd2\x5d\x88\x44\x13\x6c\x76\x04\x04\xa8\xc8\xb8\xe5\xa1\x21\+            \\xb8\x1a\x92\x8a\x60\xed\x58\x69\x97\xc5\x5b\x96\xea\xec\x99\x1b\x29\x93\x59\x13\x01\xfd\xb7\xf1\x08\x8e\x8d\xfa\x9a\xb6\xf6\xf5\+            \\x3b\x4c\xbf\x9f\x4a\x5d\xe3\xab\xe6\x05\x1d\x35\xa0\xe1\xd8\x55\xd3\x6b\x4c\xf1\xf5\x44\xed\xeb\xb0\xe9\x35\x24\xbe\xbb\x8f\xbd\+            \\xa2\xd7\x62\xcf\x49\xc9\x2f\x54\x38\xb5\xf3\x31\x71\x28\xa4\x54\x48\x39\x29\x05\xa6\x5b\x1d\xb8\x85\x1c\x97\xbd\xd6\x75\xcf\x2f"#++sbox_s7 :: Word8 -> Word32+sbox_s7 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\x85\xe0\x40\x19\x33\x2b\xf5\x67\x66\x2d\xbf\xff\xcf\xc6\x56\x93\x2a\x8d\x7f\x6f\xab\x9b\xc9\x12\xde\x60\x08\xa1\x20\x28\xda\x1f\+            \\x02\x27\xbc\xe7\x4d\x64\x29\x16\x18\xfa\xc3\x00\x50\xf1\x8b\x82\x2c\xb2\xcb\x11\xb2\x32\xe7\x5c\x4b\x36\x95\xf2\xb2\x87\x07\xde\+            \\xa0\x5f\xbc\xf6\xcd\x41\x81\xe9\xe1\x50\x21\x0c\xe2\x4e\xf1\xbd\xb1\x68\xc3\x81\xfd\xe4\xe7\x89\x5c\x79\xb0\xd8\x1e\x8b\xfd\x43\+            \\x4d\x49\x50\x01\x38\xbe\x43\x41\x91\x3c\xee\x1d\x92\xa7\x9c\x3f\x08\x97\x66\xbe\xba\xee\xad\xf4\x12\x86\xbe\xcf\xb6\xea\xcb\x19\+            \\x26\x60\xc2\x00\x75\x65\xbd\xe4\x64\x24\x1f\x7a\x82\x48\xdc\xa9\xc3\xb3\xad\x66\x28\x13\x60\x86\x0b\xd8\xdf\xa8\x35\x6d\x1c\xf2\+            \\x10\x77\x89\xbe\xb3\xb2\xe9\xce\x05\x02\xaa\x8f\x0b\xc0\x35\x1e\x16\x6b\xf5\x2a\xeb\x12\xff\x82\xe3\x48\x69\x11\xd3\x4d\x75\x16\+            \\x4e\x7b\x3a\xff\x5f\x43\x67\x1b\x9c\xf6\xe0\x37\x49\x81\xac\x83\x33\x42\x66\xce\x8c\x93\x41\xb7\xd0\xd8\x54\xc0\xcb\x3a\x6c\x88\+            \\x47\xbc\x28\x29\x47\x25\xba\x37\xa6\x6a\xd2\x2b\x7a\xd6\x1f\x1e\x0c\x5c\xba\xfa\x44\x37\xf1\x07\xb6\xe7\x99\x62\x42\xd2\xd8\x16\+            \\x0a\x96\x12\x88\xe1\xa5\xc0\x6e\x13\x74\x9e\x67\x72\xfc\x08\x1a\xb1\xd1\x39\xf7\xf9\x58\x37\x45\xcf\x19\xdf\x58\xbe\xc3\xf7\x56\+            \\xc0\x6e\xba\x30\x07\x21\x1b\x24\x45\xc2\x88\x29\xc9\x5e\x31\x7f\xbc\x8e\xc5\x11\x38\xbc\x46\xe9\xc6\xe6\xfa\x14\xba\xe8\x58\x4a\+            \\xad\x4e\xbc\x46\x46\x8f\x50\x8b\x78\x29\x43\x5f\xf1\x24\x18\x3b\x82\x1d\xba\x9f\xaf\xf6\x0f\xf4\xea\x2c\x4e\x6d\x16\xe3\x92\x64\+            \\x92\x54\x4a\x8b\x00\x9b\x4f\xc3\xab\xa6\x8c\xed\x9a\xc9\x6f\x78\x06\xa5\xb7\x9a\xb2\x85\x6e\x6e\x1a\xec\x3c\xa9\xbe\x83\x86\x88\+            \\x0e\x08\x04\xe9\x55\xf1\xbe\x56\xe7\xe5\x36\x3b\xb3\xa1\xf2\x5d\xf7\xde\xbb\x85\x61\xfe\x03\x3c\x16\x74\x62\x33\x3c\x03\x4c\x28\+            \\xda\x6d\x0c\x74\x79\xaa\xc5\x6c\x3c\xe4\xe1\xad\x51\xf0\xc8\x02\x98\xf8\xf3\x5a\x16\x26\xa4\x9f\xee\xd8\x2b\x29\x1d\x38\x2f\xe3\+            \\x0c\x4f\xb9\x9a\xbb\x32\x57\x78\x3e\xc6\xd9\x7b\x6e\x77\xa6\xa9\xcb\x65\x8b\x5c\xd4\x52\x30\xc7\x2b\xd1\x40\x8b\x60\xc0\x3e\xb7\+            \\xb9\x06\x8d\x78\xa3\x37\x54\xf4\xf4\x30\xc8\x7d\xc8\xa7\x13\x02\xb9\x6d\x8c\x32\xeb\xd4\xe7\xbe\xbe\x8b\x9d\x2d\x79\x79\xfb\x06\+            \\xe7\x22\x53\x08\x8b\x75\xcf\x77\x11\xef\x8d\xa4\xe0\x83\xc8\x58\x8d\x6b\x78\x6f\x5a\x63\x17\xa6\xfa\x5c\xf7\xa0\x5d\xda\x00\x33\+            \\xf2\x8e\xbf\xb0\xf5\xb9\xc3\x10\xa0\xea\xc2\x80\x08\xb9\x76\x7a\xa3\xd9\xd2\xb0\x79\xd3\x42\x17\x02\x1a\x71\x8d\x9a\xc6\x33\x6a\+            \\x27\x11\xfd\x60\x43\x80\x50\xe3\x06\x99\x08\xa8\x3d\x7f\xed\xc4\x82\x6d\x2b\xef\x4e\xeb\x84\x76\x48\x8d\xcf\x25\x36\xc9\xd5\x66\+            \\x28\xe7\x4e\x41\xc2\x61\x0a\xca\x3d\x49\xa9\xcf\xba\xe3\xb9\xdf\xb6\x5f\x8d\xe6\x92\xae\xaf\x64\x3a\xc7\xd5\xe6\x9e\xa8\x05\x09\+            \\xf2\x2b\x01\x7d\xa4\x17\x3f\x70\xdd\x1e\x16\xc3\x15\xe0\xd7\xf9\x50\xb1\xb8\x87\x2b\x9f\x4f\xd5\x62\x5a\xba\x82\x6a\x01\x79\x62\+            \\x2e\xc0\x1b\x9c\x15\x48\x8a\xa9\xd7\x16\xe7\x40\x40\x05\x5a\x2c\x93\xd2\x9a\x22\xe3\x2d\xbf\x9a\x05\x87\x45\xb9\x34\x53\xdc\x1e\+            \\xd6\x99\x29\x6e\x49\x6c\xff\x6f\x1c\x9f\x49\x86\xdf\xe2\xed\x07\xb8\x72\x42\xd1\x19\xde\x7e\xae\x05\x3e\x56\x1a\x15\xad\x6f\x8c\+            \\x66\x62\x6c\x1c\x71\x54\xc2\x4c\xea\x08\x2b\x2a\x93\xeb\x29\x39\x17\xdc\xb0\xf0\x58\xd4\xf2\xae\x9e\xa2\x94\xfb\x52\xcf\x56\x4c\+            \\x98\x83\xfe\x66\x2e\xc4\x05\x81\x76\x39\x53\xc3\x01\xd6\x69\x2e\xd3\xa0\xc1\x08\xa1\xe7\x16\x0e\xe4\xf2\xdf\xa6\x69\x3e\xd2\x85\+            \\x74\x90\x46\x98\x4c\x2b\x0e\xdd\x4f\x75\x76\x56\x5d\x39\x33\x78\xa1\x32\x23\x4f\x3d\x32\x1c\x5d\xc3\xf5\xe1\x94\x4b\x26\x93\x01\+            \\xc7\x9f\x02\x2f\x3c\x99\x7e\x7e\x5e\x4f\x95\x04\x3f\xfa\xfb\xbd\x76\xf7\xad\x0e\x29\x66\x93\xf4\x3d\x1f\xce\x6f\xc6\x1e\x45\xbe\+            \\xd3\xb5\xab\x34\xf7\x2b\xf9\xb7\x1b\x04\x34\xc0\x4e\x72\xb5\x67\x55\x92\xa3\x3d\xb5\x22\x93\x01\xcf\xd2\xa8\x7f\x60\xae\xb7\x67\+            \\x18\x14\x38\x6b\x30\xbc\xc3\x3d\x38\xa0\xc0\x7d\xfd\x16\x06\xf2\xc3\x63\x51\x9b\x58\x9d\xd3\x90\x54\x79\xf8\xe6\x1c\xb8\xd6\x47\+            \\x97\xfd\x61\xa9\xea\x77\x59\xf4\x2d\x57\x53\x9d\x56\x9a\x58\xcf\xe8\x4e\x63\xad\x46\x2e\x1b\x78\x65\x80\xf8\x7e\xf3\x81\x79\x14\+            \\x91\xda\x55\xf4\x40\xa2\x30\xf3\xd1\x98\x8f\x35\xb6\xe3\x18\xd2\x3f\xfa\x50\xbc\x3d\x40\xf0\x21\xc3\xc0\xbd\xae\x49\x58\xc2\x4c\+            \\x51\x8f\x36\xb2\x84\xb1\xd3\x70\x0f\xed\xce\x83\x87\x8d\xda\xda\xf2\xa2\x79\xc7\x94\xe0\x1b\xe8\x90\x71\x6f\x4b\x95\x4b\x8a\xa3"#++sbox_s8 :: Word8 -> Word32+sbox_s8 i = arrayRead32 t (fromIntegral i)+  where+    t = array32FromAddrBE 256+            "\xe2\x16\x30\x0d\xbb\xdd\xff\xfc\xa7\xeb\xda\xbd\x35\x64\x80\x95\x77\x89\xf8\xb7\xe6\xc1\x12\x1b\x0e\x24\x16\x00\x05\x2c\xe8\xb5\+            \\x11\xa9\xcf\xb0\xe5\x95\x2f\x11\xec\xe7\x99\x0a\x93\x86\xd1\x74\x2a\x42\x93\x1c\x76\xe3\x81\x11\xb1\x2d\xef\x3a\x37\xdd\xdd\xfc\+            \\xde\x9a\xde\xb1\x0a\x0c\xc3\x2c\xbe\x19\x70\x29\x84\xa0\x09\x40\xbb\x24\x3a\x0f\xb4\xd1\x37\xcf\xb4\x4e\x79\xf0\x04\x9e\xed\xfd\+            \\x0b\x15\xa1\x5d\x48\x0d\x31\x68\x8b\xbb\xde\x5a\x66\x9d\xed\x42\xc7\xec\xe8\x31\x3f\x8f\x95\xe7\x72\xdf\x19\x1b\x75\x80\x33\x0d\+            \\x94\x07\x42\x51\x5c\x7d\xcd\xfa\xab\xbe\x6d\x63\xaa\x40\x21\x64\xb3\x01\xd4\x0a\x02\xe7\xd1\xca\x53\x57\x1d\xae\x7a\x31\x82\xa2\+            \\x12\xa8\xdd\xec\xfd\xaa\x33\x5d\x17\x6f\x43\xe8\x71\xfb\x46\xd4\x38\x12\x90\x22\xce\x94\x9a\xd4\xb8\x47\x69\xad\x96\x5b\xd8\x62\+            \\x82\xf3\xd0\x55\x66\xfb\x97\x67\x15\xb8\x0b\x4e\x1d\x5b\x47\xa0\x4c\xfd\xe0\x6f\xc2\x8e\xc4\xb8\x57\xe8\x72\x6e\x64\x7a\x78\xfc\+            \\x99\x86\x5d\x44\x60\x8b\xd5\x93\x6c\x20\x0e\x03\x39\xdc\x5f\xf6\x5d\x0b\x00\xa3\xae\x63\xaf\xf2\x7e\x8b\xd6\x32\x70\x10\x8c\x0c\+            \\xbb\xd3\x50\x49\x29\x98\xdf\x04\x98\x0c\xf4\x2a\x9b\x6d\xf4\x91\x9e\x7e\xdd\x53\x06\x91\x85\x48\x58\xcb\x7e\x07\x3b\x74\xef\x2e\+            \\x52\x2f\xff\xb1\xd2\x47\x08\xcc\x1c\x7e\x27\xcd\xa4\xeb\x21\x5b\x3c\xf1\xd2\xe2\x19\xb4\x7a\x38\x42\x4f\x76\x18\x35\x85\x60\x39\+            \\x9d\x17\xde\xe7\x27\xeb\x35\xe6\xc9\xaf\xf6\x7b\x36\xba\xf5\xb8\x09\xc4\x67\xcd\xc1\x89\x10\xb1\xe1\x1d\xbf\x7b\x06\xcd\x1a\xf8\+            \\x71\x70\xc6\x08\x2d\x5e\x33\x54\xd4\xde\x49\x5a\x64\xc6\xd0\x06\xbc\xc0\xc6\x2c\x3d\xd0\x0d\xb3\x70\x8f\x8f\x34\x77\xd5\x1b\x42\+            \\x26\x4f\x62\x0f\x24\xb8\xd2\xbf\x15\xc1\xb7\x9e\x46\xa5\x25\x64\xf8\xd7\xe5\x4e\x3e\x37\x81\x60\x78\x95\xcd\xa5\x85\x9c\x15\xa5\+            \\xe6\x45\x97\x88\xc3\x7b\xc7\x5f\xdb\x07\xba\x0c\x06\x76\xa3\xab\x7f\x22\x9b\x1e\x31\x84\x2e\x7b\x24\x25\x9f\xd7\xf8\xbe\xf4\x72\+            \\x83\x5f\xfc\xb8\x6d\xf4\xc1\xf2\x96\xf5\xb1\x95\xfd\x0a\xf0\xfc\xb0\xfe\x13\x4c\xe2\x50\x6d\x3d\x4f\x9b\x12\xea\xf2\x15\xf2\x25\+            \\xa2\x23\x73\x6f\x9f\xb4\xc4\x28\x25\xd0\x49\x79\x34\xc7\x13\xf8\xc4\x61\x81\x87\xea\x7a\x6e\x98\x7c\xd1\x6e\xfc\x14\x36\x87\x6c\+            \\xf1\x54\x41\x07\xbe\xde\xee\x14\x56\xe9\xaf\x27\xa0\x4a\xa4\x41\x3c\xf7\xc8\x99\x92\xec\xba\xe6\xdd\x67\x01\x6d\x15\x16\x82\xeb\+            \\xa8\x42\xee\xdf\xfd\xba\x60\xb4\xf1\x90\x7b\x75\x20\xe3\x03\x0f\x24\xd8\xc2\x9e\xe1\x39\x67\x3b\xef\xa6\x3f\xb8\x71\x87\x30\x54\+            \\xb6\xf2\xcf\x3b\x9f\x32\x64\x42\xcb\x15\xa4\xcc\xb0\x1a\x45\x04\xf1\xe4\x7d\x8d\x84\x4a\x1b\xe5\xba\xe7\xdf\xdc\x42\xcb\xda\x70\+            \\xcd\x7d\xae\x0a\x57\xe8\x5b\x7a\xd5\x3f\x5a\xf6\x20\xcf\x4d\x8c\xce\xa4\xd4\x28\x79\xd1\x30\xa4\x34\x86\xeb\xfb\x33\xd3\xcd\xdc\+            \\x77\x85\x3b\x53\x37\xef\xfc\xb5\xc5\x06\x87\x78\xe5\x80\xb3\xe6\x4e\x68\xb8\xf4\xc5\xc8\xb3\x7e\x0d\x80\x9e\xa2\x39\x8f\xeb\x7c\+            \\x13\x2a\x4f\x94\x43\xb7\x95\x0e\x2f\xee\x7d\x1c\x22\x36\x13\xbd\xdd\x06\xca\xa2\x37\xdf\x93\x2b\xc4\x24\x82\x89\xac\xf3\xeb\xc3\+            \\x57\x15\xf6\xb7\xef\x34\x78\xdd\xf2\x67\x61\x6f\xc1\x48\xcb\xe4\x90\x52\x81\x5e\x5e\x41\x0f\xab\xb4\x8a\x24\x65\x2e\xda\x7f\xa4\+            \\xe8\x7b\x40\xe4\xe9\x8e\xa0\x84\x58\x89\xe9\xe1\xef\xd3\x90\xfc\xdd\x07\xd3\x5b\xdb\x48\x56\x94\x38\xd7\xe5\xb2\x57\x72\x01\x01\+            \\x73\x0e\xde\xbc\x5b\x64\x31\x13\x94\x91\x7e\x4f\x50\x3c\x2f\xba\x64\x6f\x12\x82\x75\x23\xd2\x4a\xe0\x77\x96\x95\xf9\xc1\x7a\x8f\+            \\x7a\x5b\x21\x21\xd1\x87\xb8\x96\x29\x26\x3a\x4d\xba\x51\x0c\xdf\x81\xf4\x7c\x9f\xad\x11\x63\xed\xea\x7b\x59\x65\x1a\x00\x72\x6e\+            \\x11\x40\x30\x92\x00\xda\x6d\x77\x4a\x0c\xdd\x61\xad\x1f\x46\x03\x60\x5b\xdf\xb0\x9e\xed\xc3\x64\x22\xeb\xe6\xa8\xce\xe7\xd2\x8a\+            \\xa0\xe7\x36\xa0\x55\x64\xa6\xb9\x10\x85\x32\x09\xc7\xeb\x8f\x37\x2d\xe7\x05\xca\x89\x51\x57\x0f\xdf\x09\x82\x2b\xbd\x69\x1a\x6c\+            \\xaa\x12\xe4\xf2\x87\x45\x1c\x0f\xe0\xf6\xa2\x7a\x3a\xda\x48\x19\x4c\xf1\x76\x4f\x0d\x77\x1c\x2b\x67\xcd\xb1\x56\x35\x0d\x83\x84\+            \\x59\x38\xfa\x0f\x42\x39\x9e\xf3\x36\x99\x7b\x07\x0e\x84\x09\x3d\x4a\xa9\x3e\x61\x83\x60\xd8\x7b\x1f\xa9\x8b\x0c\x11\x49\x38\x2c\+            \\xe9\x76\x25\xa5\x06\x14\xd1\xb7\x0e\x25\x24\x4b\x0c\x76\x83\x47\x58\x9e\x8d\x82\x0d\x20\x59\xd1\xa4\x66\xbb\x1e\xf8\xda\x0a\x82\+            \\x04\xf1\x91\x30\xba\x6e\x4e\xc0\x99\x26\x51\x64\x1e\xe7\x23\x0d\x50\xb2\xad\x80\xea\xee\x68\x01\x8d\xb2\xa2\x83\xea\x8b\xf5\x9e"#
Crypto/Cipher/Camellia/Primitive.hs view
@@ -6,8 +6,8 @@ -- Stability   : experimental -- Portability : Good ----- this only cover Camellia 128 bits for now, API will change once--- 192 and 256 mode are implemented too+-- This only cover Camellia 128 bits for now. The API will change once+-- 192 and 256 mode are implemented too. {-# LANGUAGE MagicHash #-} module Crypto.Cipher.Camellia.Primitive     ( Camellia
Crypto/Cipher/ChaCha.hs view
@@ -12,7 +12,7 @@     , combine     , generate     , State-    -- * simple interface for DRG purpose+    -- * Simple interface for DRG purpose     , initializeSimple     , generateSimple     , StateSimple@@ -41,24 +41,26 @@            -> nonce -- ^ the nonce (64 or 96 bits)            -> State -- ^ the initial ChaCha state initialize nbRounds key nonce-    | not (kLen `elem` [16,32])       = error "ChaCha: key length should be 128 or 256 bits"-    | not (nonceLen `elem` [8,12])    = error "ChaCha: nonce length should be 64 or 96 bits"-    | not (nbRounds `elem` [8,12,20]) = error "ChaCha: rounds should be 8, 12 or 20"+    | kLen `notElem` [16,32]          = error "ChaCha: key length should be 128 or 256 bits"+    | nonceLen `notElem` [8,12]       = error "ChaCha: nonce length should be 64 or 96 bits"+    | nbRounds `notElem` [8,12,20]    = error "ChaCha: rounds should be 8, 12 or 20"     | otherwise                       = unsafeDoIO $ do         stPtr <- B.alloc 132 $ \stPtr ->             B.withByteArray nonce $ \noncePtr  ->             B.withByteArray key   $ \keyPtr ->-                ccryptonite_chacha_init stPtr (fromIntegral nbRounds) kLen keyPtr nonceLen noncePtr+                ccryptonite_chacha_init stPtr  nbRounds kLen keyPtr nonceLen noncePtr         return $ State stPtr   where kLen     = B.length key         nonceLen = B.length nonce  -- | Initialize simple ChaCha State-initializeSimple :: ByteArray seed+--+-- The seed need to be at least 40 bytes long+initializeSimple :: ByteArrayAccess seed                  => seed -- ^ a 40 bytes long seed                  -> StateSimple initializeSimple seed-    | sLen /= 40 = error "ChaCha Random: seed length should be 40 bytes"+    | sLen < 40 = error "ChaCha Random: seed length should be 40 bytes"     | otherwise = unsafeDoIO $ do         stPtr <- B.alloc 64 $ \stPtr ->                     B.withByteArray seed $ \seedPtr ->
Crypto/Cipher/RC4.hs view
@@ -30,6 +30,11 @@ import           Crypto.Internal.Imports  -- | The encryption state for RC4+--+-- This type is an instance of 'ByteArrayAccess' for debugging purpose. Internal+-- layout is architecture dependent, may contain uninitialized data fragments,+-- and change in future versions.  The bytearray should not be used as input to+-- cryptographic algorithms. newtype State = State ScrubbedBytes     deriving (ByteArrayAccess,NFData) 
Crypto/Cipher/Salsa.hs view
@@ -33,14 +33,14 @@            -> nonce  -- ^ the nonce (64 or 96 bits)            -> State  -- ^ the initial Salsa state initialize nbRounds key nonce-    | not (kLen `elem` [16,32])       = error "Salsa: key length should be 128 or 256 bits"-    | not (nonceLen `elem` [8,12])    = error "Salsa: nonce length should be 64 or 96 bits"-    | not (nbRounds `elem` [8,12,20]) = error "Salsa: rounds should be 8, 12 or 20"+    | kLen `notElem` [16,32]          = error "Salsa: key length should be 128 or 256 bits"+    | nonceLen `notElem` [8,12]       = error "Salsa: nonce length should be 64 or 96 bits"+    | nbRounds `notElem` [8,12,20]    = error "Salsa: rounds should be 8, 12 or 20"     | otherwise = unsafeDoIO $ do         stPtr <- B.alloc 132 $ \stPtr ->             B.withByteArray nonce $ \noncePtr  ->             B.withByteArray key   $ \keyPtr ->-                ccryptonite_salsa_init stPtr (fromIntegral nbRounds) kLen keyPtr nonceLen noncePtr+                ccryptonite_salsa_init stPtr nbRounds kLen keyPtr nonceLen noncePtr         return $ State stPtr   where kLen     = B.length key         nonceLen = B.length nonce
+ Crypto/Cipher/Twofish.hs view
@@ -0,0 +1,45 @@+module Crypto.Cipher.Twofish+    ( Twofish128+    , Twofish192+    , Twofish256+    ) where++import Crypto.Cipher.Twofish.Primitive+import Crypto.Cipher.Types+import Crypto.Cipher.Utils++newtype Twofish128 = Twofish128 Twofish++instance Cipher Twofish128 where+    cipherName    _ = "Twofish128"+    cipherKeySize _ = KeySizeFixed 16+    cipherInit key  = Twofish128 <$> (initTwofish =<< validateKeySize (undefined :: Twofish128) key)++instance BlockCipher Twofish128 where+    blockSize                 _ = 16+    ecbEncrypt (Twofish128 key) = encrypt key+    ecbDecrypt (Twofish128 key) = decrypt key++newtype Twofish192 = Twofish192 Twofish++instance Cipher Twofish192 where+    cipherName    _ = "Twofish192"+    cipherKeySize _ = KeySizeFixed 24+    cipherInit key  = Twofish192 <$> (initTwofish =<< validateKeySize (undefined :: Twofish192) key)++instance BlockCipher Twofish192 where+    blockSize                 _ = 16+    ecbEncrypt (Twofish192 key) = encrypt key+    ecbDecrypt (Twofish192 key) = decrypt key++newtype Twofish256 = Twofish256 Twofish++instance Cipher Twofish256 where+    cipherName    _ = "Twofish256"+    cipherKeySize _ = KeySizeFixed 32+    cipherInit key  = Twofish256 <$> (initTwofish =<< validateKeySize (undefined :: Twofish256) key)++instance BlockCipher Twofish256 where+    blockSize                 _ = 16+    ecbEncrypt (Twofish256 key) = encrypt key+    ecbDecrypt (Twofish256 key) = decrypt key
+ Crypto/Cipher/Twofish/Primitive.hs view
@@ -0,0 +1,311 @@+{-# LANGUAGE MagicHash #-}+{-# LANGUAGE BangPatterns #-}+module Crypto.Cipher.Twofish.Primitive+    ( Twofish+    , initTwofish+    , encrypt+    , decrypt+    ) where++import           Crypto.Error+import           Crypto.Internal.ByteArray (ByteArray)+import qualified Crypto.Internal.ByteArray as B+import           Crypto.Internal.WordArray+import           Data.Word+import           Data.Bits+import           Data.List++-- Based on the Golang referance implementation+-- https://github.com/golang/crypto/blob/master/twofish/twofish.go+++-- BlockSize is the constant block size of Twofish.+blockSize :: Int+blockSize = 16++mdsPolynomial, rsPolynomial :: Word32+mdsPolynomial = 0x169 -- x^8 + x^6 + x^5 + x^3 + 1, see [TWOFISH] 4.2+rsPolynomial = 0x14d  -- x^8 + x^6 + x^3 + x^2 + 1, see [TWOFISH] 4.3++data Twofish = Twofish { s :: (Array32, Array32, Array32, Array32)+                       , k :: Array32 }++data ByteSize = Bytes16 | Bytes24 | Bytes32 deriving (Eq)++data KeyPackage ba = KeyPackage { rawKeyBytes :: ba+                                , byteSize :: ByteSize }++buildPackage :: ByteArray ba => ba -> Maybe (KeyPackage ba)+buildPackage key+    | B.length key == 16 = return $ KeyPackage key Bytes16+    | B.length key == 24 = return $ KeyPackage key Bytes24+    | B.length key == 32 = return $ KeyPackage key Bytes32+    | otherwise = Nothing++-- | Initialize a 128-bit, 192-bit, or 256-bit key+--+-- Return the initialized key or a error message if the given+-- keyseed was not 16-bytes in length.+initTwofish :: ByteArray key+            => key -- ^ The key to create the twofish context+            -> CryptoFailable Twofish+initTwofish key =+    case buildPackage key of Nothing -> CryptoFailed CryptoError_KeySizeInvalid+                             Just keyPackage -> CryptoPassed Twofish { k = generatedK, s = generatedS }+                                  where generatedK = array32 40 $ genK keyPackage+                                        generatedS = genSboxes keyPackage $ sWords key++mapBlocks :: ByteArray ba => (ba -> ba) -> ba -> ba+mapBlocks operation input+    | B.null rest = blockOutput+    | otherwise = blockOutput `B.append` mapBlocks operation rest+        where (block, rest) = B.splitAt blockSize input+              blockOutput = operation block++-- | Encrypts the given ByteString using the given Key+encrypt :: ByteArray ba+        => Twofish     -- ^ The key to use+        -> ba           -- ^ The data to encrypt+        -> ba+encrypt cipher = mapBlocks (encryptBlock cipher)++encryptBlock :: ByteArray ba => Twofish -> ba -> ba+encryptBlock Twofish { s = (s1, s2, s3, s4), k = ks } message = store32ls ts+    where (a, b, c, d) = load32ls message+          a' = a `xor` arrayRead32 ks 0+          b' = b `xor` arrayRead32 ks 1+          c' = c `xor` arrayRead32 ks 2+          d' = d `xor` arrayRead32 ks 3+          (!a'', !b'', !c'', !d'') = foldl' shuffle (a', b', c', d') [0..7]+          ts = (c'' `xor` arrayRead32 ks 4, d'' `xor` arrayRead32 ks 5, a'' `xor` arrayRead32 ks 6, b'' `xor` arrayRead32 ks 7)++          shuffle :: (Word32, Word32, Word32, Word32) -> Int -> (Word32, Word32, Word32, Word32)+          shuffle (!retA, !retB, !retC, !retD) ind = (retA', retB', retC', retD')+            where [k0, k1, k2, k3] = fmap (\offset -> arrayRead32 ks $ (8 + 4 * ind) + offset) [0..3]+                  t2 = byteIndex s2 retB `xor` byteIndex s3 (shiftR retB 8) `xor` byteIndex s4 (shiftR retB 16) `xor` byteIndex s1 (shiftR retB 24)+                  t1 = (byteIndex s1 retA `xor` byteIndex s2 (shiftR retA 8) `xor` byteIndex s3 (shiftR retA 16) `xor` byteIndex s4 (shiftR retA 24)) + t2+                  retC' = rotateR (retC `xor` (t1 + k0)) 1+                  retD' = rotateL retD 1 `xor` (t1 + t2 + k1)+                  t2' = byteIndex s2 retD' `xor` byteIndex s3 (shiftR retD' 8) `xor` byteIndex s4 (shiftR retD' 16) `xor` byteIndex s1 (shiftR retD' 24)+                  t1' = (byteIndex s1 retC' `xor` byteIndex s2 (shiftR retC' 8) `xor` byteIndex s3 (shiftR retC' 16) `xor` byteIndex s4 (shiftR retC' 24)) + t2'+                  retA' = rotateR (retA `xor` (t1' + k2)) 1+                  retB' = rotateL retB 1 `xor` (t1' + t2' + k3)++-- Unsafe, no bounds checking+byteIndex :: Array32 -> Word32 -> Word32+byteIndex xs ind  = arrayRead32 xs $ fromIntegral byte+    where byte = ind `mod` 256++-- | Decrypts the given ByteString using the given Key+decrypt :: ByteArray ba+        => Twofish     -- ^ The key to use+        -> ba           -- ^ The data to decrypt+        -> ba+decrypt cipher = mapBlocks (decryptBlock cipher)++{- decryption for 128 bits blocks -}+decryptBlock :: ByteArray ba => Twofish -> ba -> ba+decryptBlock Twofish { s = (s1, s2, s3, s4), k = ks } message = store32ls ixs+    where (a, b, c, d) = load32ls message+          a' = c `xor` arrayRead32 ks 6+          b' = d `xor` arrayRead32 ks 7+          c' = a `xor` arrayRead32 ks 4+          d' = b `xor` arrayRead32 ks 5+          (!a'', !b'', !c'', !d'') = foldl' unshuffle (a', b', c', d') [8, 7..1]+          ixs = (a'' `xor` arrayRead32 ks 0, b'' `xor` arrayRead32 ks 1, c'' `xor` arrayRead32 ks 2, d'' `xor` arrayRead32 ks 3)++          unshuffle :: (Word32, Word32, Word32, Word32) -> Int -> (Word32, Word32, Word32, Word32)+          unshuffle (!retA, !retB, !retC, !retD) ind = (retA', retB', retC', retD')+            where [k0, k1, k2, k3] = fmap (\offset -> arrayRead32 ks $ (4 + 4 * ind) + offset) [0..3]+                  t2 = byteIndex s2 retD `xor` byteIndex s3 (shiftR retD 8) `xor` byteIndex s4 (shiftR retD 16) `xor` byteIndex s1 (shiftR retD 24)+                  t1 = (byteIndex s1 retC `xor` byteIndex s2 (shiftR retC 8) `xor` byteIndex s3 (shiftR retC 16) `xor` byteIndex s4 (shiftR retC 24)) + t2+                  retA' = rotateL retA 1 `xor` (t1 + k2)+                  retB' = rotateR (retB `xor` (t2 + t1 + k3)) 1+                  t2' = byteIndex s2 retB' `xor` byteIndex s3 (shiftR retB' 8) `xor` byteIndex s4 (shiftR retB' 16) `xor` byteIndex s1 (shiftR retB' 24)+                  t1' = (byteIndex s1 retA' `xor` byteIndex s2 (shiftR retA' 8) `xor` byteIndex s3 (shiftR retA' 16) `xor` byteIndex s4 (shiftR retA' 24)) + t2'+                  retC' = rotateL retC 1 `xor` (t1' + k0)+                  retD' = rotateR (retD `xor` (t2' + t1' + k1)) 1++sbox0 :: Int -> Word8+sbox0 = arrayRead8 t+    where t = array8+            "\xa9\x67\xb3\xe8\x04\xfd\xa3\x76\x9a\x92\x80\x78\xe4\xdd\xd1\x38\+            \\x0d\xc6\x35\x98\x18\xf7\xec\x6c\x43\x75\x37\x26\xfa\x13\x94\x48\+            \\xf2\xd0\x8b\x30\x84\x54\xdf\x23\x19\x5b\x3d\x59\xf3\xae\xa2\x82\+            \\x63\x01\x83\x2e\xd9\x51\x9b\x7c\xa6\xeb\xa5\xbe\x16\x0c\xe3\x61\+            \\xc0\x8c\x3a\xf5\x73\x2c\x25\x0b\xbb\x4e\x89\x6b\x53\x6a\xb4\xf1\+            \\xe1\xe6\xbd\x45\xe2\xf4\xb6\x66\xcc\x95\x03\x56\xd4\x1c\x1e\xd7\+            \\xfb\xc3\x8e\xb5\xe9\xcf\xbf\xba\xea\x77\x39\xaf\x33\xc9\x62\x71\+            \\x81\x79\x09\xad\x24\xcd\xf9\xd8\xe5\xc5\xb9\x4d\x44\x08\x86\xe7\+            \\xa1\x1d\xaa\xed\x06\x70\xb2\xd2\x41\x7b\xa0\x11\x31\xc2\x27\x90\+            \\x20\xf6\x60\xff\x96\x5c\xb1\xab\x9e\x9c\x52\x1b\x5f\x93\x0a\xef\+            \\x91\x85\x49\xee\x2d\x4f\x8f\x3b\x47\x87\x6d\x46\xd6\x3e\x69\x64\+            \\x2a\xce\xcb\x2f\xfc\x97\x05\x7a\xac\x7f\xd5\x1a\x4b\x0e\xa7\x5a\+            \\x28\x14\x3f\x29\x88\x3c\x4c\x02\xb8\xda\xb0\x17\x55\x1f\x8a\x7d\+            \\x57\xc7\x8d\x74\xb7\xc4\x9f\x72\x7e\x15\x22\x12\x58\x07\x99\x34\+            \\x6e\x50\xde\x68\x65\xbc\xdb\xf8\xc8\xa8\x2b\x40\xdc\xfe\x32\xa4\+            \\xca\x10\x21\xf0\xd3\x5d\x0f\x00\x6f\x9d\x36\x42\x4a\x5e\xc1\xe0"#++sbox1 :: Int -> Word8+sbox1 = arrayRead8 t+    where t = array8+            "\x75\xf3\xc6\xf4\xdb\x7b\xfb\xc8\x4a\xd3\xe6\x6b\x45\x7d\xe8\x4b\+            \\xd6\x32\xd8\xfd\x37\x71\xf1\xe1\x30\x0f\xf8\x1b\x87\xfa\x06\x3f\+            \\x5e\xba\xae\x5b\x8a\x00\xbc\x9d\x6d\xc1\xb1\x0e\x80\x5d\xd2\xd5\+            \\xa0\x84\x07\x14\xb5\x90\x2c\xa3\xb2\x73\x4c\x54\x92\x74\x36\x51\+            \\x38\xb0\xbd\x5a\xfc\x60\x62\x96\x6c\x42\xf7\x10\x7c\x28\x27\x8c\+            \\x13\x95\x9c\xc7\x24\x46\x3b\x70\xca\xe3\x85\xcb\x11\xd0\x93\xb8\+            \\xa6\x83\x20\xff\x9f\x77\xc3\xcc\x03\x6f\x08\xbf\x40\xe7\x2b\xe2\+            \\x79\x0c\xaa\x82\x41\x3a\xea\xb9\xe4\x9a\xa4\x97\x7e\xda\x7a\x17\+            \\x66\x94\xa1\x1d\x3d\xf0\xde\xb3\x0b\x72\xa7\x1c\xef\xd1\x53\x3e\+            \\x8f\x33\x26\x5f\xec\x76\x2a\x49\x81\x88\xee\x21\xc4\x1a\xeb\xd9\+            \\xc5\x39\x99\xcd\xad\x31\x8b\x01\x18\x23\xdd\x1f\x4e\x2d\xf9\x48\+            \\x4f\xf2\x65\x8e\x78\x5c\x58\x19\x8d\xe5\x98\x57\x67\x7f\x05\x64\+            \\xaf\x63\xb6\xfe\xf5\xb7\x3c\xa5\xce\xe9\x68\x44\xe0\x4d\x43\x69\+            \\x29\x2e\xac\x15\x59\xa8\x0a\x9e\x6e\x47\xdf\x34\x35\x6a\xcf\xdc\+            \\x22\xc9\xc0\x9b\x89\xd4\xed\xab\x12\xa2\x0d\x52\xbb\x02\x2f\xa9\+            \\xd7\x61\x1e\xb4\x50\x04\xf6\xc2\x16\x25\x86\x56\x55\x09\xbe\x91"#++rs :: [[Word8]]+rs = [ [0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E]+     , [0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5]+     , [0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19]+     , [0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03] ]++++load32ls :: ByteArray ba => ba -> (Word32, Word32, Word32, Word32)+load32ls message = (intify q1, intify q2, intify q3, intify q4)+    where (half1, half2) = B.splitAt 8 message+          (q1, q2) = B.splitAt 4 half1+          (q3, q4) = B.splitAt 4 half2++          intify :: ByteArray ba => ba -> Word32+          intify bytes = foldl' (\int (!word, !ind) -> int .|. shiftL (fromIntegral word) (ind * 8) ) 0 (zip (B.unpack bytes) [0..])++store32ls :: ByteArray ba => (Word32, Word32, Word32, Word32) -> ba+store32ls (a, b, c, d) = B.pack $ concatMap splitWordl [a, b, c, d]+    where splitWordl :: Word32 -> [Word8]+          splitWordl w = fmap (\ind -> fromIntegral $ shiftR w (8 * ind)) [0..3]+++-- Create S words+sWords :: ByteArray ba => ba -> [Word8]+sWords key = sWord+    where word64Count = B.length key `div` 2+          sWord = concatMap (\wordIndex ->+                        map (\rsRow ->+                            foldl' (\acc (!rsVal, !colIndex) ->+                                acc `xor` gfMult rsPolynomial (B.index key $ 8 * wordIndex + colIndex) rsVal+                                ) 0 (zip rsRow [0..])+                            ) rs+                    ) [0..word64Count - 1]++data Column = Zero | One | Two | Three deriving (Show, Eq, Enum, Bounded)++genSboxes :: KeyPackage ba -> [Word8] -> (Array32, Array32, Array32, Array32)+genSboxes keyPackage ws = (mkArray b0', mkArray b1', mkArray b2', mkArray b3')+    where range = [0..255]+          mkArray = array32 256+          [w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15] = take 16 ws+          (b0', b1', b2', b3') = sboxBySize $ byteSize keyPackage++          sboxBySize :: ByteSize -> ([Word32], [Word32], [Word32], [Word32])+          sboxBySize Bytes16 = (b0, b1, b2, b3)+            where !b0 = fmap mapper range+                    where mapper :: Int -> Word32+                          mapper byte = mdsColumnMult ((sbox1 . fromIntegral) ((sbox0 . fromIntegral $ sbox0 byte `xor` w0) `xor` w4)) Zero+                  !b1 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox0 . fromIntegral) ((sbox0 . fromIntegral $ sbox1 byte `xor` w1) `xor` w5)) One+                  !b2 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox1 . fromIntegral) ((sbox1 . fromIntegral $ sbox0 byte `xor` w2) `xor` w6)) Two+                  !b3 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox0 . fromIntegral) ((sbox1 . fromIntegral $ sbox1 byte `xor` w3) `xor` w7)) Three++          sboxBySize Bytes24 = (b0, b1, b2, b3)+            where !b0 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox1 . fromIntegral) ((sbox0 . fromIntegral) ((sbox0 . fromIntegral $ sbox1 byte `xor` w0) `xor` w4) `xor` w8)) Zero+                  !b1 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox0 . fromIntegral) ((sbox0 . fromIntegral) ((sbox1 . fromIntegral $ sbox1 byte `xor` w1) `xor` w5) `xor` w9)) One+                  !b2 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox1 . fromIntegral) ((sbox1 . fromIntegral) ((sbox0 . fromIntegral $ sbox0 byte `xor` w2) `xor` w6) `xor` w10)) Two+                  !b3 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox0 . fromIntegral) ((sbox1 . fromIntegral) ((sbox1 . fromIntegral $ sbox0 byte `xor` w3) `xor` w7) `xor` w11)) Three++          sboxBySize Bytes32 = (b0, b1, b2, b3)+            where !b0 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox1 . fromIntegral) ((sbox0 . fromIntegral) ((sbox0 . fromIntegral) ((sbox1 . fromIntegral $ sbox1 byte `xor` w0) `xor` w4) `xor` w8) `xor` w12)) Zero+                  !b1 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox0 . fromIntegral) ((sbox0 . fromIntegral) ((sbox1 . fromIntegral) ((sbox1 . fromIntegral $ sbox0 byte `xor` w1) `xor` w5) `xor` w9) `xor` w13)) One+                  !b2 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox1 . fromIntegral) ((sbox1 . fromIntegral) ((sbox0 . fromIntegral) ((sbox0 . fromIntegral $ sbox0 byte `xor` w2) `xor` w6) `xor` w10) `xor` w14)) Two+                  !b3 = fmap mapper range+                    where mapper byte = mdsColumnMult ((sbox0 . fromIntegral) ((sbox1 . fromIntegral) ((sbox1 . fromIntegral) ((sbox0 . fromIntegral $ sbox1 byte `xor` w3) `xor` w7) `xor` w11) `xor` w15)) Three++genK :: (ByteArray ba) => KeyPackage ba -> [Word32]+genK keyPackage = concatMap makeTuple [0..19]+    where makeTuple :: Word8 -> [Word32]+          makeTuple idx = [a + b', rotateL (2 * b' + a) 9]+            where tmp1 = replicate 4 $ 2 * idx+                  tmp2 = fmap (+1) tmp1+                  a = h tmp1 keyPackage 0+                  b = h tmp2 keyPackage 1+                  b' = rotateL b 8++h :: (ByteArray ba) => [Word8] -> KeyPackage ba -> Int -> Word32+h input keyPackage offset =  foldl' xorMdsColMult 0 $ zip [y0f, y1f, y2f, y3f] $ enumFrom Zero+    where key = rawKeyBytes keyPackage+          [y0, y1, y2, y3] = take 4 input+          (!y0f, !y1f, !y2f, !y3f) = run (y0, y1, y2, y3) $ byteSize keyPackage++          run :: (Word8, Word8, Word8, Word8) -> ByteSize -> (Word8, Word8, Word8, Word8)+          run (!y0'', !y1'', !y2'', !y3'') Bytes32 = run (y0', y1', y2', y3') Bytes24+            where y0' = sbox1 (fromIntegral y0'') `xor` B.index key (4 * (6 + offset) + 0)+                  y1' = sbox0 (fromIntegral y1'') `xor` B.index key (4 * (6 + offset) + 1)+                  y2' = sbox0 (fromIntegral y2'') `xor` B.index key (4 * (6 + offset) + 2)+                  y3' = sbox1 (fromIntegral y3'') `xor` B.index key (4 * (6 + offset) + 3)++          run (!y0'', !y1'', !y2'', !y3'') Bytes24 = run (y0', y1', y2', y3') Bytes16+            where y0' = sbox1 (fromIntegral y0'') `xor` B.index key (4 * (4 + offset) + 0)+                  y1' = sbox1 (fromIntegral y1'') `xor` B.index key (4 * (4 + offset) + 1)+                  y2' = sbox0 (fromIntegral y2'') `xor` B.index key (4 * (4 + offset) + 2)+                  y3' = sbox0 (fromIntegral y3'') `xor` B.index key (4 * (4 + offset) + 3)++          run (!y0'', !y1'', !y2'', !y3'') Bytes16 = (y0', y1', y2', y3')+            where y0' = sbox1 . fromIntegral $ (sbox0 . fromIntegral $ (sbox0 (fromIntegral y0'') `xor` B.index key (4 * (2 + offset) + 0))) `xor` B.index key (4 * (0 + offset) + 0)+                  y1' = sbox0 . fromIntegral $ (sbox0 . fromIntegral $ (sbox1 (fromIntegral y1'') `xor` B.index key (4 * (2 + offset) + 1))) `xor` B.index key (4 * (0 + offset) + 1)+                  y2' = sbox1 . fromIntegral $ (sbox1 . fromIntegral $ (sbox0 (fromIntegral y2'') `xor` B.index key (4 * (2 + offset) + 2))) `xor` B.index key (4 * (0 + offset) + 2)+                  y3' = sbox0 . fromIntegral $ (sbox1 . fromIntegral $ (sbox1 (fromIntegral y3'') `xor` B.index key (4 * (2 + offset) + 3))) `xor` B.index key (4 * (0 + offset) + 3)++          xorMdsColMult :: Word32 -> (Word8, Column) -> Word32+          xorMdsColMult acc wordAndIndex = acc `xor` uncurry mdsColumnMult wordAndIndex++mdsColumnMult :: Word8 -> Column -> Word32+mdsColumnMult !byte !col =+    case col of Zero  -> input .|. rotateL mul5B 8 .|. rotateL mulEF 16 .|. rotateL mulEF 24+                One   -> mulEF .|. rotateL mulEF 8 .|. rotateL mul5B 16 .|. rotateL input 24+                Two   -> mul5B .|. rotateL mulEF 8 .|. rotateL input 16 .|. rotateL mulEF 24+                Three -> mul5B .|. rotateL input 8 .|. rotateL mulEF 16 .|. rotateL mul5B 24+        where input = fromIntegral byte+              mul5B = fromIntegral $ gfMult mdsPolynomial byte 0x5B+              mulEF = fromIntegral $ gfMult mdsPolynomial byte 0xEF++tupInd :: (Bits b) => b -> (a, a) -> a+tupInd b+    | testBit b 0 = snd+    | otherwise = fst++gfMult :: Word32 -> Word8 -> Word8 -> Word8+gfMult p a b = fromIntegral $ run a b' p' result 0+    where b' = (0, fromIntegral b)+          p' = (0, p)+          result = 0++          run :: Word8 -> (Word32, Word32) -> (Word32, Word32) -> Word32 -> Int -> Word32+          run a' b'' p'' result' count =+            if count == 7+            then result''+            else run a'' b''' p'' result'' (count + 1)+                where result'' = result' `xor` tupInd (a' .&. 1) b''+                      a'' = shiftR a' 1+                      b''' = (fst b'', tupInd (shiftR (snd b'') 7) p'' `xor` shiftL (snd b'') 1)
Crypto/Cipher/Types.hs view
@@ -5,7 +5,7 @@ -- Stability   : Stable -- Portability : Excellent ----- symmetric cipher basic types+-- Symmetric cipher basic types -- {-# LANGUAGE DeriveDataTypeable #-} module Crypto.Cipher.Types@@ -21,6 +21,8 @@     -- , cfb8Decrypt     -- * AEAD functions     , AEADMode(..)+    , CCM_M(..)+    , CCM_L(..)     , module Crypto.Cipher.Types.AEAD     -- * Initial Vector type and constructor     , IV
Crypto/Cipher/Types/AEAD.hs view
@@ -27,24 +27,24 @@ -- | Authenticated Encryption with Associated Data algorithms data AEAD cipher = forall st . AEAD     { aeadModeImpl :: AEADModeImpl st-    , aeadState    :: st+    , aeadState    :: !st     }  -- | Append some header information to an AEAD context aeadAppendHeader :: ByteArrayAccess aad => AEAD cipher -> aad -> AEAD cipher-aeadAppendHeader (AEAD impl st) aad = AEAD impl $ (aeadImplAppendHeader impl) st aad+aeadAppendHeader (AEAD impl st) aad = AEAD impl $ aeadImplAppendHeader impl st aad  -- | Encrypt some data and update the AEAD context aeadEncrypt :: ByteArray ba => AEAD cipher -> ba -> (ba, AEAD cipher)-aeadEncrypt (AEAD impl st) ba = second (AEAD impl) $ (aeadImplEncrypt impl) st ba+aeadEncrypt (AEAD impl st) ba = second (AEAD impl) $ aeadImplEncrypt impl st ba  -- | Decrypt some data and update the AEAD context aeadDecrypt :: ByteArray ba => AEAD cipher -> ba -> (ba, AEAD cipher)-aeadDecrypt (AEAD impl st) ba = second (AEAD impl) $ (aeadImplDecrypt impl) st ba+aeadDecrypt (AEAD impl st) ba = second (AEAD impl) $ aeadImplDecrypt impl st ba  -- | Finalize the AEAD context and return the authentication tag aeadFinalize :: AEAD cipher -> Int -> AuthTag-aeadFinalize (AEAD impl st) n = (aeadImplFinalize impl) st n+aeadFinalize (AEAD impl st) = aeadImplFinalize impl st  -- | Simple AEAD encryption aeadSimpleEncrypt :: (ByteArrayAccess aad, ByteArray ba)
Crypto/Cipher/Types/Base.hs view
@@ -5,7 +5,7 @@ -- Stability   : Stable -- Portability : Excellent ----- symmetric cipher basic types+-- Symmetric cipher basic types -- {-# LANGUAGE ExistentialQuantification #-} {-# LANGUAGE GeneralizedNewtypeDeriving #-}@@ -14,12 +14,15 @@     , Cipher(..)     , AuthTag(..)     , AEADMode(..)+    , CCM_M(..)+    , CCM_L(..)     , DataUnitOffset     ) where  import           Data.Word import           Crypto.Internal.ByteArray (Bytes, ByteArrayAccess, ByteArray) import qualified Crypto.Internal.ByteArray as B+import           Crypto.Internal.DeepSeq import           Crypto.Error  -- | Different specifier for key size in bytes@@ -34,15 +37,18 @@  -- | Authentication Tag for AE cipher mode newtype AuthTag = AuthTag { unAuthTag :: Bytes }-    deriving (Show, ByteArrayAccess)+    deriving (Show, ByteArrayAccess, NFData)  instance Eq AuthTag where     (AuthTag a) == (AuthTag b) = B.constEq a b +data CCM_M = CCM_M4 | CCM_M6 | CCM_M8 | CCM_M10 | CCM_M12 | CCM_M14 | CCM_M16 deriving (Show, Eq)+data CCM_L = CCM_L2 | CCM_L3 | CCM_L4 deriving (Show, Eq)+ -- | AEAD Mode data AEADMode =       AEAD_OCB -- OCB3-    | AEAD_CCM+    | AEAD_CCM Int CCM_M CCM_L     | AEAD_EAX     | AEAD_CWC     | AEAD_GCM
Crypto/Cipher/Types/Block.hs view
@@ -5,7 +5,7 @@ -- Stability   : Stable -- Portability : Excellent ----- block cipher basic types+-- Block cipher basic types -- {-# LANGUAGE MultiParamTypeClasses #-} {-# LANGUAGE ExistentialQuantification #-}@@ -16,7 +16,7 @@     -- * BlockCipher       BlockCipher(..)     , BlockCipher128(..)-    -- * initialization vector (IV)+    -- * Initialization vector (IV)     , IV(..)     , makeIV     , nullIV@@ -37,7 +37,6 @@     ) where  import           Data.Word-import           Data.Monoid import           Crypto.Error import           Crypto.Cipher.Types.Base import           Crypto.Cipher.Types.GF@@ -164,27 +163,20 @@ -- | Increment an IV by a number. -- -- Assume the IV is in Big Endian format.-ivAdd :: BlockCipher c => IV c -> Int -> IV c+ivAdd :: IV c -> Int -> IV c ivAdd (IV b) i = IV $ copy b   where copy :: ByteArray bs => bs -> bs-        copy bs = B.copyAndFreeze bs $ \p -> do-            let until0 accu = do-                  r <- loop accu (B.length bs - 1) p-                  case r of-                      0 -> return ()-                      _ -> until0 r-            until0 i+        copy bs = B.copyAndFreeze bs $ loop i (B.length bs - 1) -        loop :: Int -> Int -> Ptr Word8 -> IO Int-        loop 0   _   _ = return 0-        loop acc ofs p = do-            v <- peek (p `plusPtr` ofs) :: IO Word8-            let accv    = acc + fromIntegral v-                (hi,lo) = accv `divMod` 256-            poke (p `plusPtr` ofs) (fromIntegral lo :: Word8)-            if ofs == 0-                then return hi-                else loop hi (ofs - 1) p+        loop :: Int -> Int -> Ptr Word8 -> IO ()+        loop acc ofs p+            | ofs < 0   = return ()+            | otherwise = do+                v <- peek (p `plusPtr` ofs) :: IO Word8+                let accv    = acc + fromIntegral v+                    (hi,lo) = accv `divMod` 256+                poke (p `plusPtr` ofs) (fromIntegral lo :: Word8)+                loop hi (ofs - 1) p  cbcEncryptGeneric :: (ByteArray ba, BlockCipher cipher) => cipher -> IV cipher -> ba -> ba cbcEncryptGeneric cipher ivini input = mconcat $ doEnc ivini $ chunk (blockSize cipher) input
Crypto/Cipher/Types/Stream.hs view
@@ -5,7 +5,7 @@ -- Stability   : Stable -- Portability : Excellent ----- stream cipher basic types+-- Stream cipher basic types -- module Crypto.Cipher.Types.Stream     ( StreamCipher(..)
Crypto/Cipher/Types/Utils.hs view
@@ -5,7 +5,7 @@ -- Stability   : Stable -- Portability : Excellent ----- basic utility for cipher related stuff+-- Basic utility for cipher related stuff -- module Crypto.Cipher.Types.Utils where 
+ Crypto/Cipher/Utils.hs view
@@ -0,0 +1,18 @@+module Crypto.Cipher.Utils+    ( validateKeySize+    ) where++import Crypto.Error+import Crypto.Cipher.Types++import Data.ByteArray as BA++validateKeySize :: (ByteArrayAccess key, Cipher cipher) => cipher -> key -> CryptoFailable key+validateKeySize c k = if validKeyLength+                      then CryptoPassed k+                      else CryptoFailed CryptoError_KeySizeInvalid+  where keyLength = BA.length k+        validKeyLength = case cipherKeySize c of+          KeySizeRange low high -> keyLength >= low && keyLength <= high+          KeySizeEnum lengths -> keyLength `elem` lengths+          KeySizeFixed s -> keyLength == s
Crypto/Cipher/XSalsa.hs view
@@ -12,18 +12,17 @@ {-# LANGUAGE ForeignFunctionInterface #-} module Crypto.Cipher.XSalsa     ( initialize+    , derive     , combine     , generate     , State     ) where -import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, ScrubbedBytes)+import           Crypto.Internal.ByteArray (ByteArrayAccess) import qualified Crypto.Internal.ByteArray as B import           Crypto.Internal.Compat import           Crypto.Internal.Imports import           Foreign.Ptr-import           Foreign.Storable-import           Foreign.C.Types import           Crypto.Cipher.Salsa hiding (initialize)  -- | Initialize a new XSalsa context with the number of rounds,@@ -36,15 +35,41 @@ initialize nbRounds key nonce     | kLen /= 32                      = error "XSalsa: key length should be 256 bits"     | nonceLen /= 24                  = error "XSalsa: nonce length should be 192 bits"-    | not (nbRounds `elem` [8,12,20]) = error "XSalsa: rounds should be 8, 12 or 20"+    | nbRounds `notElem` [8,12,20]    = error "XSalsa: rounds should be 8, 12 or 20"     | otherwise = unsafeDoIO $ do         stPtr <- B.alloc 132 $ \stPtr ->             B.withByteArray nonce $ \noncePtr  ->             B.withByteArray key   $ \keyPtr ->-                ccryptonite_xsalsa_init stPtr (fromIntegral nbRounds) kLen keyPtr nonceLen noncePtr+                ccryptonite_xsalsa_init stPtr nbRounds kLen keyPtr nonceLen noncePtr         return $ State stPtr   where kLen     = B.length key         nonceLen = B.length nonce +-- | Use an already initialized context and new nonce material to derive another+-- XSalsa context.+--+-- This allows a multi-level cascade where a first key @k1@ and nonce @n1@ is+-- used to get @HState(k1,n1)@, and this value is then used as key @k2@ to build+-- @XSalsa(k2,n2)@.  Function 'initialize' is to be called with the first 192+-- bits of @n1|n2@, and the call to @derive@ should add the remaining 128 bits.+--+-- The output context always uses the same number of rounds as the input+-- context.+derive :: ByteArrayAccess nonce+       => State  -- ^ base XSalsa state+       -> nonce  -- ^ the remainder nonce (128 bits)+       -> State  -- ^ the new XSalsa state+derive (State stPtr') nonce+    | nonceLen /= 16 = error "XSalsa: nonce length should be 128 bits"+    | otherwise = unsafeDoIO $ do+        stPtr <- B.copy stPtr' $ \stPtr ->+            B.withByteArray nonce $ \noncePtr  ->+                ccryptonite_xsalsa_derive stPtr nonceLen noncePtr+        return $ State stPtr+  where nonceLen = B.length nonce+ foreign import ccall "cryptonite_xsalsa_init"     ccryptonite_xsalsa_init :: Ptr State -> Int -> Int -> Ptr Word8 -> Int -> Ptr Word8 -> IO ()++foreign import ccall "cryptonite_xsalsa_derive"+    ccryptonite_xsalsa_derive :: Ptr State -> Int -> Ptr Word8 -> IO ()
Crypto/ConstructHash/MiyaguchiPreneel.hs view
@@ -5,7 +5,7 @@ -- Stability   : experimental -- Portability : unknown ----- provide the hash function construction method from block cipher+-- Provide the hash function construction method from block cipher -- <https://en.wikipedia.org/wiki/One-way_compression_function> -- {-# LANGUAGE GeneralizedNewtypeDeriving #-}@@ -44,7 +44,7 @@       where         (hd, tl) = B.splitAt bsz msg --- | Compute Miyaguchi-Preneel one way compress using the infered block cipher.+-- | Compute Miyaguchi-Preneel one way compress using the inferred block cipher. --   Only safe when KEY-SIZE equals to BLOCK-SIZE. -- --   Simple usage /mp' msg :: MiyaguchiPreneel AES128/
Crypto/Data/AFIS.hs view
@@ -5,7 +5,7 @@ -- Stability   : experimental -- Portability : unknown ----- haskell implementation of the Anti-forensic information splitter+-- Haskell implementation of the Anti-forensic information splitter -- available in LUKS. <http://clemens.endorphin.org/AFsplitter> -- -- The algorithm bloats an arbitrary secret with many bits that are necessary for@@ -77,7 +77,7 @@             diffuse hashAlg lastBlock blockSize         fillRandomBlock g blockPtr = do             let (rand :: Bytes, g') = randomBytesGenerate blockSize g-            B.withByteArray rand $ \randPtr -> memCopy blockPtr randPtr (fromIntegral blockSize)+            B.withByteArray rand $ \randPtr -> memCopy blockPtr randPtr blockSize             return g'  -- | Merge previously diffused data back to the original data.
Crypto/Data/Padding.hs view
@@ -6,7 +6,7 @@ -- Portability : unknown -- -- Various cryptographic padding commonly used for block ciphers--- or assymetric systems.+-- or asymmetric systems. -- module Crypto.Data.Padding     ( Format(..)
Crypto/ECC.hs view
@@ -7,6 +7,8 @@ -- -- Elliptic Curve Cryptography --+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE FlexibleContexts #-} {-# LANGUAGE GeneralizedNewtypeDeriving #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE ScopedTypeVariables #-}@@ -16,27 +18,33 @@     , Curve_P521R1(..)     , Curve_X25519(..)     , Curve_X448(..)+    , Curve_Edwards25519(..)     , EllipticCurve(..)     , EllipticCurveDH(..)     , EllipticCurveArith(..)+    , EllipticCurveBasepointArith(..)     , KeyPair(..)     , SharedSecret(..)     ) where  import qualified Crypto.PubKey.ECC.P256 as P256+import qualified Crypto.ECC.Edwards25519 as Edwards25519 import qualified Crypto.ECC.Simple.Types as Simple import qualified Crypto.ECC.Simple.Prim as Simple import           Crypto.Random import           Crypto.Error-import           Crypto.Internal.Proxy import           Crypto.Internal.Imports import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess, ScrubbedBytes) import qualified Crypto.Internal.ByteArray as B+import           Crypto.Number.Basic (numBits) import           Crypto.Number.Serialize (i2ospOf_, os2ip)+import qualified Crypto.Number.Serialize.LE as LE import qualified Crypto.PubKey.Curve25519 as X25519 import qualified Crypto.PubKey.Curve448 as X448-import           Data.Function (on) import           Data.ByteArray (convert)+import           Data.Data (Data())+import           Data.Kind (Type)+import           Data.Proxy  -- | An elliptic curve key pair composed of the private part (a scalar), and -- the associated point.@@ -46,14 +54,14 @@     }  newtype SharedSecret = SharedSecret ScrubbedBytes-    deriving (Eq, ByteArrayAccess)+    deriving (Eq, ByteArrayAccess, NFData)  class EllipticCurve curve where     -- | Point on an Elliptic Curve-    type Point curve  :: *+    type Point curve  :: Type      -- | Scalar in the Elliptic Curve domain-    type Scalar curve :: *+    type Scalar curve :: Type      -- | Generate a new random scalar on the curve.     -- The scalar will represent a number between 1 and the order of the curve non included@@ -78,22 +86,69 @@     -- is not hashed.     --     -- use `pointSmul` to keep the result in Point format.-    ecdh :: proxy curve -> Scalar curve -> Point curve -> SharedSecret+    --+    -- /WARNING:/ Curve implementations may return a special value or an+    -- exception when the public point lies in a subgroup of small order.+    -- This function is adequate when the scalar is in expected range and+    -- contributory behaviour is not needed.  Otherwise use 'ecdh'.+    ecdhRaw :: proxy curve -> Scalar curve -> Point curve -> SharedSecret+    ecdhRaw prx s = throwCryptoError . ecdh prx s -class EllipticCurve curve => EllipticCurveArith curve where+    -- | Generate a Diffie hellman secret value and verify that the result+    -- is not the point at infinity.+    --+    -- This additional test avoids risks existing with function 'ecdhRaw'.+    -- Implementations always return a 'CryptoError' instead of a special+    -- value or an exception.+    ecdh :: proxy curve -> Scalar curve -> Point curve -> CryptoFailable SharedSecret++class (EllipticCurve curve, Eq (Point curve)) => EllipticCurveArith curve where     -- | Add points on a curve     pointAdd :: proxy curve -> Point curve -> Point curve -> Point curve +    -- | Negate a curve point+    pointNegate :: proxy curve -> Point curve -> Point curve+     -- | Scalar Multiplication on a curve     pointSmul :: proxy curve -> Scalar curve -> Point curve -> Point curve  --   -- | Scalar Inverse --   scalarInverse :: Scalar curve -> Scalar curve +class (EllipticCurveArith curve, Eq (Scalar curve)) => EllipticCurveBasepointArith curve where+    -- | Get the curve order size in bits+    curveOrderBits :: proxy curve -> Int++    -- | Multiply a scalar with the curve base point+    pointBaseSmul :: proxy curve -> Scalar curve -> Point curve++    -- | Multiply the point @p@ with @s2@ and add a lifted to curve value @s1@+    pointsSmulVarTime :: proxy curve -> Scalar curve -> Scalar curve -> Point curve -> Point curve+    pointsSmulVarTime prx s1 s2 p = pointAdd prx (pointBaseSmul prx s1) (pointSmul prx s2 p)++    -- | Encode an elliptic curve scalar into big-endian form+    encodeScalar :: ByteArray bs => proxy curve -> Scalar curve -> bs++    -- | Try to decode the big-endian form of an elliptic curve scalar+    decodeScalar :: ByteArray bs => proxy curve -> bs -> CryptoFailable (Scalar curve)++    -- | Convert an elliptic curve scalar to an integer+    scalarToInteger :: proxy curve -> Scalar curve -> Integer++    -- | Try to create an elliptic curve scalar from an integer+    scalarFromInteger :: proxy curve -> Integer -> CryptoFailable (Scalar curve)++    -- | Add two scalars and reduce modulo the curve order+    scalarAdd :: proxy curve -> Scalar curve -> Scalar curve -> Scalar curve++    -- | Multiply two scalars and reduce modulo the curve order+    scalarMul :: proxy curve -> Scalar curve -> Scalar curve -> Scalar curve+ -- | P256 Curve -- -- also known as P256 data Curve_P256R1 = Curve_P256R1+    deriving (Show,Data)  instance EllipticCurve Curve_P256R1 where     type Point Curve_P256R1 = P256.Point@@ -111,20 +166,34 @@             uncompressed = B.singleton 4             xy = P256.pointToBinary p     decodePoint _ mxy = case B.uncons mxy of-        Nothing -> CryptoFailed $ CryptoError_PointSizeInvalid+        Nothing -> CryptoFailed CryptoError_PointSizeInvalid         Just (m,xy)             -- uncompressed             | m == 4 -> P256.pointFromBinary xy-            | otherwise -> CryptoFailed $ CryptoError_PointFormatInvalid+            | otherwise -> CryptoFailed CryptoError_PointFormatInvalid  instance EllipticCurveArith Curve_P256R1 where     pointAdd  _ a b = P256.pointAdd a b+    pointNegate _ p = P256.pointNegate p     pointSmul _ s p = P256.pointMul s p  instance EllipticCurveDH Curve_P256R1 where-    ecdh _ s p = SharedSecret $ P256.pointDh s p+    ecdhRaw _ s p = SharedSecret $ P256.pointDh s p+    ecdh  prx s p = checkNonZeroDH (ecdhRaw prx s p) +instance EllipticCurveBasepointArith Curve_P256R1 where+    curveOrderBits _ = 256+    pointBaseSmul _ = P256.toPoint+    pointsSmulVarTime _ = P256.pointsMulVarTime+    encodeScalar _ = P256.scalarToBinary+    decodeScalar _ = P256.scalarFromBinary+    scalarToInteger _ = P256.scalarToInteger+    scalarFromInteger _ = P256.scalarFromInteger+    scalarAdd _ = P256.scalarAdd+    scalarMul _ = P256.scalarMul+ data Curve_P384R1 = Curve_P384R1+    deriving (Show,Data)  instance EllipticCurve Curve_P384R1 where     type Point Curve_P384R1 = Simple.Point Simple.SEC_p384r1@@ -138,15 +207,27 @@  instance EllipticCurveArith Curve_P384R1 where     pointAdd _ a b = Simple.pointAdd a b+    pointNegate _ p = Simple.pointNegate p     pointSmul _ s p = Simple.pointMul s p  instance EllipticCurveDH Curve_P384R1 where-    ecdh _ s p = SharedSecret $ i2ospOf_ (curveSizeBytes prx) x+    ecdh _ s p = encodeECShared prx (Simple.pointMul s p)       where-        prx = Proxy :: Proxy Curve_P384R1-        Simple.Point x _ = pointSmul prx s p+        prx = Proxy :: Proxy Simple.SEC_p384r1 +instance EllipticCurveBasepointArith Curve_P384R1 where+    curveOrderBits _ = 384+    pointBaseSmul _ = Simple.pointBaseMul+    pointsSmulVarTime _ = ecPointsMulVarTime+    encodeScalar _ = ecScalarToBinary+    decodeScalar _ = ecScalarFromBinary+    scalarToInteger _ = ecScalarToInteger+    scalarFromInteger _ = ecScalarFromInteger+    scalarAdd _ = ecScalarAdd+    scalarMul _ = ecScalarMul+ data Curve_P521R1 = Curve_P521R1+    deriving (Show,Data)  instance EllipticCurve Curve_P521R1 where     type Point Curve_P521R1 = Simple.Point Simple.SEC_p521r1@@ -160,15 +241,27 @@  instance EllipticCurveArith Curve_P521R1 where     pointAdd _ a b = Simple.pointAdd a b+    pointNegate _ p = Simple.pointNegate p     pointSmul _ s p = Simple.pointMul s p  instance EllipticCurveDH Curve_P521R1 where-    ecdh _ s p = SharedSecret $ i2ospOf_ (curveSizeBytes prx) x+    ecdh _ s p = encodeECShared prx (Simple.pointMul s p)       where-        prx = Proxy :: Proxy Curve_P521R1-        Simple.Point x _ = pointSmul prx s p+        prx = Proxy :: Proxy Simple.SEC_p521r1 +instance EllipticCurveBasepointArith Curve_P521R1 where+    curveOrderBits _ = 521+    pointBaseSmul _ = Simple.pointBaseMul+    pointsSmulVarTime _ = ecPointsMulVarTime+    encodeScalar _ = ecScalarToBinary+    decodeScalar _ = ecScalarFromBinary+    scalarToInteger _ = ecScalarToInteger+    scalarFromInteger _ = ecScalarFromInteger+    scalarAdd _ = ecScalarAdd+    scalarMul _ = ecScalarMul+ data Curve_X25519 = Curve_X25519+    deriving (Show,Data)  instance EllipticCurve Curve_X25519 where     type Point Curve_X25519 = X25519.PublicKey@@ -182,10 +275,12 @@     decodePoint _ bs = X25519.publicKey bs  instance EllipticCurveDH Curve_X25519 where-    ecdh _ s p = SharedSecret $ convert secret+    ecdhRaw _ s p = SharedSecret $ convert secret       where secret = X25519.dh p s+    ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p)  data Curve_X448 = Curve_X448+    deriving (Show,Data)  instance EllipticCurve Curve_X448 where     type Point Curve_X448 = X448.PublicKey@@ -199,9 +294,53 @@     decodePoint _ bs = X448.publicKey bs  instance EllipticCurveDH Curve_X448 where-    ecdh _ s p = SharedSecret $ convert secret+    ecdhRaw _ s p = SharedSecret $ convert secret       where secret = X448.dh p s+    ecdh prx s p = checkNonZeroDH (ecdhRaw prx s p) +data Curve_Edwards25519 = Curve_Edwards25519+    deriving (Show,Data)++instance EllipticCurve Curve_Edwards25519 where+    type Point Curve_Edwards25519 = Edwards25519.Point+    type Scalar Curve_Edwards25519 = Edwards25519.Scalar+    curveSizeBits _ = 255+    curveGenerateScalar _ = Edwards25519.scalarGenerate+    curveGenerateKeyPair _ = toKeyPair <$> Edwards25519.scalarGenerate+      where toKeyPair scalar = KeyPair (Edwards25519.toPoint scalar) scalar+    encodePoint _ point = Edwards25519.pointEncode point+    decodePoint _ bs = Edwards25519.pointDecode bs++instance EllipticCurveArith Curve_Edwards25519 where+    pointAdd _ a b = Edwards25519.pointAdd a b+    pointNegate _ p = Edwards25519.pointNegate p+    pointSmul _ s p = Edwards25519.pointMul s p++instance EllipticCurveBasepointArith Curve_Edwards25519 where+    curveOrderBits _ = 253+    pointBaseSmul _ = Edwards25519.toPoint+    pointsSmulVarTime _ = Edwards25519.pointsMulVarTime+    encodeScalar _ = B.reverse . Edwards25519.scalarEncode+    decodeScalar _ bs+        | B.length bs == 32 = Edwards25519.scalarDecodeLong (B.reverse bs)+        | otherwise         = CryptoFailed CryptoError_SecretKeySizeInvalid+    scalarToInteger _ s = LE.os2ip (Edwards25519.scalarEncode s :: B.Bytes)+    scalarFromInteger _ i =+        case LE.i2ospOf 32 i of+            Nothing -> CryptoFailed CryptoError_SecretKeySizeInvalid+            Just bs -> Edwards25519.scalarDecodeLong (bs :: B.Bytes)+    scalarAdd _ = Edwards25519.scalarAdd+    scalarMul _ = Edwards25519.scalarMul++checkNonZeroDH :: SharedSecret -> CryptoFailable SharedSecret+checkNonZeroDH s@(SharedSecret b)+    | B.constAllZero b = CryptoFailed CryptoError_ScalarMultiplicationInvalid+    | otherwise        = CryptoPassed s++encodeECShared :: Simple.Curve curve => Proxy curve -> Simple.Point curve -> CryptoFailable SharedSecret+encodeECShared _   Simple.PointO      = CryptoFailed CryptoError_ScalarMultiplicationInvalid+encodeECShared prx (Simple.Point x _) = CryptoPassed . SharedSecret $ i2ospOf_ (Simple.curveSizeBytes prx) x+ encodeECPoint :: forall curve bs . (Simple.Curve curve, ByteArray bs) => Simple.Point curve -> bs encodeECPoint Simple.PointO      = error "encodeECPoint: cannot serialize point at infinity" encodeECPoint (Simple.Point x y) = B.concat [uncompressed,xb,yb]@@ -214,7 +353,7 @@  decodeECPoint :: (Simple.Curve curve, ByteArray bs) => bs -> CryptoFailable (Simple.Point curve) decodeECPoint mxy = case B.uncons mxy of-    Nothing     -> CryptoFailed $ CryptoError_PointSizeInvalid+    Nothing     -> CryptoFailed CryptoError_PointSizeInvalid     Just (m,xy)         -- uncompressed         | m == 4 ->@@ -223,7 +362,47 @@                 x = os2ip xb                 y = os2ip yb              in Simple.pointFromIntegers (x,y)-        | otherwise -> CryptoFailed $ CryptoError_PointFormatInvalid+        | otherwise -> CryptoFailed CryptoError_PointFormatInvalid -curveSizeBytes :: EllipticCurve c => Proxy c -> Int-curveSizeBytes proxy = (curveSizeBits proxy + 7) `div` 8+ecPointsMulVarTime :: forall curve . Simple.Curve curve+                   => Simple.Scalar curve+                   -> Simple.Scalar curve -> Simple.Point curve+                   -> Simple.Point curve+ecPointsMulVarTime n1 = Simple.pointAddTwoMuls n1 g+  where g = Simple.curveEccG $ Simple.curveParameters (Proxy :: Proxy curve)++ecScalarFromBinary :: forall curve bs . (Simple.Curve curve, ByteArrayAccess bs)+                   => bs -> CryptoFailable (Simple.Scalar curve)+ecScalarFromBinary ba+    | B.length ba /= size = CryptoFailed CryptoError_SecretKeySizeInvalid+    | otherwise           = CryptoPassed (Simple.Scalar $ os2ip ba)+  where size = ecCurveOrderBytes (Proxy :: Proxy curve)++ecScalarToBinary :: forall curve bs . (Simple.Curve curve, ByteArray bs)+                 => Simple.Scalar curve -> bs+ecScalarToBinary (Simple.Scalar s) = i2ospOf_ size s+  where size = ecCurveOrderBytes (Proxy :: Proxy curve)++ecScalarFromInteger :: forall curve . Simple.Curve curve+                    => Integer -> CryptoFailable (Simple.Scalar curve)+ecScalarFromInteger s+    | numBits s > nb = CryptoFailed CryptoError_SecretKeySizeInvalid+    | otherwise      = CryptoPassed (Simple.Scalar s)+  where nb = 8 * ecCurveOrderBytes (Proxy :: Proxy curve)++ecScalarToInteger :: Simple.Scalar curve -> Integer+ecScalarToInteger (Simple.Scalar s) = s++ecCurveOrderBytes :: Simple.Curve c => proxy c -> Int+ecCurveOrderBytes prx = (numBits n + 7) `div` 8+  where n = Simple.curveEccN $ Simple.curveParameters prx++ecScalarAdd :: forall curve . Simple.Curve curve+            => Simple.Scalar curve -> Simple.Scalar curve -> Simple.Scalar curve+ecScalarAdd (Simple.Scalar a) (Simple.Scalar b) = Simple.Scalar ((a + b) `mod` n)+  where n = Simple.curveEccN $ Simple.curveParameters (Proxy :: Proxy curve)++ecScalarMul :: forall curve . Simple.Curve curve+            => Simple.Scalar curve -> Simple.Scalar curve -> Simple.Scalar curve+ecScalarMul (Simple.Scalar a) (Simple.Scalar b) = Simple.Scalar ((a * b) `mod` n)+  where n = Simple.curveEccN $ Simple.curveParameters (Proxy :: Proxy curve)
+ Crypto/ECC/Edwards25519.hs view
@@ -0,0 +1,370 @@+-- |+-- Module      : Crypto.ECC.Edwards25519+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : experimental+-- Portability : unknown+--+-- Arithmetic primitives over curve edwards25519.+--+-- Twisted Edwards curves are a familly of elliptic curves allowing+-- complete addition formulas without any special case and no point at+-- infinity.  Curve edwards25519 is based on prime 2^255 - 19 for+-- efficient implementation.  Equation and parameters are given in+-- <https://tools.ietf.org/html/rfc7748 RFC 7748>.+--+-- This module provides types and primitive operations that are useful+-- to implement cryptographic schemes based on curve edwards25519:+--+-- - arithmetic functions for point addition, doubling, negation,+-- scalar multiplication with an arbitrary point, with the base point,+-- etc.+--+-- - arithmetic functions dealing with scalars modulo the prime order+-- L of the base point+--+-- All functions run in constant time unless noted otherwise.+--+-- Warnings:+--+-- 1. Curve edwards25519 has a cofactor h = 8 so the base point does+-- not generate the entire curve and points with order 2, 4, 8 exist.+-- When implementing cryptographic algorithms, special care must be+-- taken using one of the following methods:+--+--     - points must be checked for membership in the prime-order+--     subgroup+--+--     - or cofactor must be cleared by multiplying points by 8+--+--     Utility functions are provided to implement this.  Testing+--     subgroup membership with 'pointHasPrimeOrder' is 50-time slower+--     than call 'pointMulByCofactor'.+--+-- 2. Scalar arithmetic is always reduced modulo L, allowing fixed+-- length and constant execution time, but this reduction is valid+-- only when points are in the prime-order subgroup.+--+-- 3. Because of modular reduction in this implementation it is not+-- possible to multiply points directly by scalars like 8.s or L.+-- This has to be decomposed into several steps.+--+{-# LANGUAGE GeneralizedNewtypeDeriving #-}+module Crypto.ECC.Edwards25519+    ( Scalar+    , Point+    -- * Scalars+    , scalarGenerate+    , scalarDecodeLong+    , scalarEncode+    -- * Points+    , pointDecode+    , pointEncode+    , pointHasPrimeOrder+    -- * Arithmetic functions+    , toPoint+    , scalarAdd+    , scalarMul+    , pointNegate+    , pointAdd+    , pointDouble+    , pointMul+    , pointMulByCofactor+    , pointsMulVarTime+    ) where++import           Data.Word+import           Foreign.C.Types+import           Foreign.Ptr++import           Crypto.Error+import           Crypto.Internal.ByteArray (Bytes, ScrubbedBytes, withByteArray)+import qualified Crypto.Internal.ByteArray as B+import           Crypto.Internal.Compat+import           Crypto.Internal.Imports+import           Crypto.Random+++scalarArraySize :: Int+scalarArraySize = 40 -- maximum [9 * 4 {- 32 bits -}, 5 * 8 {- 64 bits -}]++-- | A scalar modulo prime order of curve edwards25519.+newtype Scalar = Scalar ScrubbedBytes+    deriving (Show,NFData)++instance Eq Scalar where+    (Scalar s1) == (Scalar s2) = unsafeDoIO $+        withByteArray s1 $ \ps1 ->+        withByteArray s2 $ \ps2 ->+            fmap (/= 0) (ed25519_scalar_eq ps1 ps2)+    {-# NOINLINE (==) #-}++pointArraySize :: Int+pointArraySize = 160 -- maximum [4 * 10 * 4 {- 32 bits -}, 4 * 5 * 8 {- 64 bits -}]++-- | A point on curve edwards25519.+newtype Point = Point Bytes+    deriving NFData++instance Show Point where+    showsPrec d p =+        let bs = pointEncode p :: Bytes+         in showParen (d > 10) $ showString "Point "+                               . shows (B.convertToBase B.Base16 bs :: Bytes)++instance Eq Point where+    (Point p1) == (Point p2) = unsafeDoIO $+        withByteArray p1 $ \pp1 ->+        withByteArray p2 $ \pp2 ->+            fmap (/= 0) (ed25519_point_eq pp1 pp2)+    {-# NOINLINE (==) #-}++-- | Generate a random scalar.+scalarGenerate :: MonadRandom randomly => randomly Scalar+scalarGenerate = throwCryptoError . scalarDecodeLong <$> generate+  where+    -- Scalar generation is based on a fixed number of bytes so that+    -- there is no timing leak.  But because of modular reduction+    -- distribution is not uniform.  We use many more bytes than+    -- necessary so the probability bias is small.  With 512 bits we+    -- get 22% of scalars with a higher frequency, but the relative+    -- probability difference is only 2^(-260).+    generate :: MonadRandom randomly => randomly ScrubbedBytes+    generate = getRandomBytes 64++-- | Serialize a scalar to binary, i.e. a 32-byte little-endian+-- number.+scalarEncode :: B.ByteArray bs => Scalar -> bs+scalarEncode (Scalar s) =+    B.allocAndFreeze 32 $ \out ->+        withByteArray s $ \ps -> ed25519_scalar_encode out ps++-- | Deserialize a little-endian number as a scalar.  Input array can+-- have any length from 0 to 64 bytes.+--+-- Note: it is not advised to put secret information in the 3 lowest+-- bits of a scalar if this scalar may be multiplied to untrusted+-- points outside the prime-order subgroup.+scalarDecodeLong :: B.ByteArrayAccess bs => bs -> CryptoFailable Scalar+scalarDecodeLong bs+    | B.length bs > 64 = CryptoFailed CryptoError_EcScalarOutOfBounds+    | otherwise        = unsafeDoIO $ withByteArray bs initialize+  where+    len = fromIntegral $ B.length bs+    initialize inp = do+        s <- B.alloc scalarArraySize $ \ps ->+                 ed25519_scalar_decode_long ps inp len+        return $ CryptoPassed (Scalar s)+{-# NOINLINE scalarDecodeLong #-}++-- | Add two scalars.+scalarAdd :: Scalar -> Scalar -> Scalar+scalarAdd (Scalar a) (Scalar b) =+    Scalar $ B.allocAndFreeze scalarArraySize $ \out ->+        withByteArray a $ \pa ->+        withByteArray b $ \pb ->+             ed25519_scalar_add out pa pb++-- | Multiply two scalars.+scalarMul :: Scalar -> Scalar -> Scalar+scalarMul (Scalar a) (Scalar b) =+    Scalar $ B.allocAndFreeze scalarArraySize $ \out ->+        withByteArray a $ \pa ->+        withByteArray b $ \pb ->+             ed25519_scalar_mul out pa pb++-- | Multiplies a scalar with the curve base point.+toPoint :: Scalar -> Point+toPoint (Scalar scalar) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray scalar $ \pscalar ->+            ed25519_point_base_scalarmul out pscalar++-- | Serialize a point to a 32-byte array.+--+-- Format is binary compatible with 'Crypto.PubKey.Ed25519.PublicKey'+-- from module "Crypto.PubKey.Ed25519".+pointEncode :: B.ByteArray bs => Point -> bs+pointEncode (Point p) =+    B.allocAndFreeze 32 $ \out ->+        withByteArray p $ \pp ->+             ed25519_point_encode out pp++-- | Deserialize a 32-byte array as a point, ensuring the point is+-- valid on edwards25519.+--+-- /WARNING:/ variable time+pointDecode :: B.ByteArrayAccess bs => bs -> CryptoFailable Point+pointDecode bs+    | B.length bs == 32 = unsafeDoIO $ withByteArray bs initialize+    | otherwise         = CryptoFailed CryptoError_PointSizeInvalid+  where+    initialize inp = do+        (res, p) <- B.allocRet pointArraySize $ \pp ->+                        ed25519_point_decode_vartime pp inp+        if res == 0 then return $ CryptoFailed CryptoError_PointCoordinatesInvalid+                    else return $ CryptoPassed (Point p)+{-# NOINLINE pointDecode #-}++-- | Test whether a point belongs to the prime-order subgroup+-- generated by the base point.  Result is 'True' for the identity+-- point.+--+-- @+-- pointHasPrimeOrder p = 'pointNegate' p == 'pointMul' l_minus_one p+-- @+pointHasPrimeOrder :: Point -> Bool+pointHasPrimeOrder (Point p) = unsafeDoIO $+    withByteArray p $ \pp ->+        fmap (/= 0) (ed25519_point_has_prime_order pp)+{-# NOINLINE pointHasPrimeOrder #-}++-- | Negate a point.+pointNegate :: Point -> Point+pointNegate (Point a) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray a $ \pa ->+             ed25519_point_negate out pa++-- | Add two points.+pointAdd :: Point -> Point -> Point+pointAdd (Point a) (Point b) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray a $ \pa ->+        withByteArray b $ \pb ->+             ed25519_point_add out pa pb++-- | Add a point to itself.+--+-- @+-- pointDouble p = 'pointAdd' p p+-- @+pointDouble :: Point -> Point+pointDouble (Point a) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray a $ \pa ->+             ed25519_point_double out pa++-- | Multiply a point by h = 8.+--+-- @+-- pointMulByCofactor p = 'pointMul' scalar_8 p+-- @+pointMulByCofactor :: Point -> Point+pointMulByCofactor (Point a) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray a $ \pa ->+             ed25519_point_mul_by_cofactor out pa++-- | Scalar multiplication over curve edwards25519.+--+-- Note: when the scalar had reduction modulo L and the input point+-- has a torsion component, the output point may not be in the+-- expected subgroup.+pointMul :: Scalar -> Point -> Point+pointMul (Scalar scalar) (Point base) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray scalar $ \pscalar ->+        withByteArray base   $ \pbase   ->+             ed25519_point_scalarmul out pbase pscalar++-- | Multiply the point @p@ with @s2@ and add a lifted to curve value @s1@.+--+-- @+-- pointsMulVarTime s1 s2 p = 'pointAdd' ('toPoint' s1) ('pointMul' s2 p)+-- @+--+-- /WARNING:/ variable time+pointsMulVarTime :: Scalar -> Scalar -> Point -> Point+pointsMulVarTime (Scalar s1) (Scalar s2) (Point p) =+    Point $ B.allocAndFreeze pointArraySize $ \out ->+        withByteArray s1 $ \ps1 ->+        withByteArray s2 $ \ps2 ->+        withByteArray p  $ \pp  ->+             ed25519_base_double_scalarmul_vartime out ps1 pp ps2++foreign import ccall unsafe "cryptonite_ed25519_scalar_eq"+    ed25519_scalar_eq :: Ptr Scalar+                      -> Ptr Scalar+                      -> IO CInt++foreign import ccall unsafe "cryptonite_ed25519_scalar_encode"+    ed25519_scalar_encode :: Ptr Word8+                          -> Ptr Scalar+                          -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_scalar_decode_long"+    ed25519_scalar_decode_long :: Ptr Scalar+                               -> Ptr Word8+                               -> CSize+                               -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_scalar_add"+    ed25519_scalar_add :: Ptr Scalar -- sum+                       -> Ptr Scalar -- a+                       -> Ptr Scalar -- b+                       -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_scalar_mul"+    ed25519_scalar_mul :: Ptr Scalar -- out+                       -> Ptr Scalar -- a+                       -> Ptr Scalar -- b+                       -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_point_encode"+    ed25519_point_encode :: Ptr Word8+                         -> Ptr Point+                         -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_point_decode_vartime"+    ed25519_point_decode_vartime :: Ptr Point+                                 -> Ptr Word8+                                 -> IO CInt++foreign import ccall unsafe "cryptonite_ed25519_point_eq"+    ed25519_point_eq :: Ptr Point+                     -> Ptr Point+                     -> IO CInt++foreign import ccall "cryptonite_ed25519_point_has_prime_order"+    ed25519_point_has_prime_order :: Ptr Point+                                  -> IO CInt++foreign import ccall unsafe "cryptonite_ed25519_point_negate"+    ed25519_point_negate :: Ptr Point -- minus_a+                         -> Ptr Point -- a+                         -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_point_add"+    ed25519_point_add :: Ptr Point -- sum+                      -> Ptr Point -- a+                      -> Ptr Point -- b+                      -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_point_double"+    ed25519_point_double :: Ptr Point -- two_a+                         -> Ptr Point -- a+                         -> IO ()++foreign import ccall unsafe "cryptonite_ed25519_point_mul_by_cofactor"+    ed25519_point_mul_by_cofactor :: Ptr Point -- eight_a+                                  -> Ptr Point -- a+                                  -> IO ()++foreign import ccall "cryptonite_ed25519_point_base_scalarmul"+    ed25519_point_base_scalarmul :: Ptr Point  -- scaled+                                 -> Ptr Scalar -- scalar+                                 -> IO ()++foreign import ccall "cryptonite_ed25519_point_scalarmul"+    ed25519_point_scalarmul :: Ptr Point  -- scaled+                            -> Ptr Point  -- base+                            -> Ptr Scalar -- scalar+                            -> IO ()++foreign import ccall "cryptonite_ed25519_base_double_scalarmul_vartime"+    ed25519_base_double_scalarmul_vartime :: Ptr Point  -- combo+                                          -> Ptr Scalar -- scalar1+                                          -> Ptr Point  -- base2+                                          -> Ptr Scalar -- scalar2+                                          -> IO ()
Crypto/ECC/Simple/Prim.hs view
@@ -6,6 +6,7 @@     ( scalarGenerate     , scalarFromInteger     , pointAdd+    , pointNegate     , pointDouble     , pointBaseMul     , pointMul@@ -16,8 +17,7 @@     ) where  import Data.Maybe-import Crypto.Internal.Imports-import Crypto.Internal.Proxy+import Data.Proxy import Crypto.Number.ModArithmetic import Crypto.Number.F2m import Crypto.Number.Generate (generateBetween)@@ -49,7 +49,7 @@ pointNegate        PointO     = PointO pointNegate point@(Point x y) =     case curveType point of-        CurvePrime {}  -> Point x (-y)+        CurvePrime (CurvePrimeParam p) -> Point x (p - y)         CurveBinary {} -> Point x (x `addF2m` y)  -- | Elliptic Curve point addition.
Crypto/ECC/Simple/Types.hs view
@@ -1,4 +1,5 @@ {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE GeneralizedNewtypeDeriving #-} -- | -- Module      : Crypto.ECC.Simple.Types -- License     : BSD-style@@ -6,7 +7,7 @@ -- Stability   : Experimental -- Portability : Excellent ----- references:+-- References: --   <https://tools.ietf.org/html/rfc5915> -- {-# OPTIONS_GHC -fno-warn-missing-signatures #-}@@ -20,7 +21,7 @@     , curveSizeBits     , curveSizeBytes     , CurveParameters(..)-    -- * specific curves definition+    -- * Specific curves definition     , SEC_p112r1(..)     , SEC_p112r2(..)     , SEC_p128r1(..)@@ -83,28 +84,28 @@     , curveEccG :: Point curve -- ^ base point     , curveEccN :: Integer     -- ^ order of G     , curveEccH :: Integer     -- ^ cofactor-    } deriving (Show,Eq,Data,Typeable)+    } deriving (Show,Eq,Data)  newtype CurveBinaryParam = CurveBinaryParam Integer-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  newtype CurvePrimeParam = CurvePrimeParam Integer-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  data CurveType =       CurveBinary CurveBinaryParam     | CurvePrime CurvePrimeParam-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  -- | ECC Private Number newtype Scalar curve = Scalar Integer-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data,NFData)  -- | Define a point on a curve. data Point curve =       Point Integer Integer     | PointO -- ^ Point at Infinity-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  instance NFData (Point curve) where     rnf (Point x y) = x `seq` y `seq` ()
Crypto/Error/Types.hs view
@@ -8,6 +8,7 @@ -- Cryptographic Error enumeration and handling -- {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE TypeFamilies       #-} module Crypto.Error.Types     ( CryptoError(..)     , CryptoFailable(..)@@ -21,13 +22,14 @@ import qualified Control.Exception as E import           Data.Data -import           Crypto.Internal.Imports+import           Basement.Monad (MonadFailure(..))  -- | Enumeration of all possible errors that can be found in this library data CryptoError =     -- symmetric cipher errors       CryptoError_KeySizeInvalid     | CryptoError_IvSizeInvalid+    | CryptoError_SeedSizeInvalid     | CryptoError_AEADModeNotSupported     -- public key cryptography error     | CryptoError_SecretKeySizeInvalid@@ -40,6 +42,7 @@     | CryptoError_PointFormatInvalid     | CryptoError_PointFormatUnsupported     | CryptoError_PointCoordinatesInvalid+    | CryptoError_ScalarMultiplicationInvalid     -- Message authentification error     | CryptoError_MacKeyInvalid     | CryptoError_AuthenticationTagSizeInvalid@@ -49,7 +52,7 @@     | CryptoError_SaltTooSmall     | CryptoError_OutputLengthTooSmall     | CryptoError_OutputLengthTooBig-    deriving (Show,Eq,Enum,Data,Typeable)+    deriving (Show,Eq,Enum,Data)  instance E.Exception CryptoError @@ -79,11 +82,15 @@     pure a     = CryptoPassed a     (<*>) fm m = fm >>= \p -> m >>= \r2 -> return (p r2) instance Monad CryptoFailable where-    return a = CryptoPassed a+    return = pure     (>>=) m1 m2 = do         case m1 of             CryptoPassed a -> m2 a             CryptoFailed e -> CryptoFailed e++instance MonadFailure CryptoFailable where+    type Failure CryptoFailable = CryptoError+    mFail = CryptoFailed  -- | Throw an CryptoError as exception on CryptoFailed result, -- otherwise return the computed value
Crypto/Hash.hs view
@@ -16,6 +16,8 @@ -- > hexSha3_512 :: ByteString -> String -- > hexSha3_512 bs = show (hash bs :: Digest SHA3_512) --+{-# LANGUAGE ScopedTypeVariables #-}+{-# LANGUAGE BangPatterns        #-} module Crypto.Hash     (     -- * Types@@ -23,78 +25,109 @@     , Digest     -- * Functions     , digestFromByteString-    -- * hash methods parametrized by algorithm+    -- * Hash methods parametrized by algorithm     , hashInitWith     , hashWith-    -- * hash methods+    , hashPrefixWith+    -- * Hash methods     , hashInit     , hashUpdates     , hashUpdate     , hashFinalize+    , hashFinalizePrefix     , hashBlockSize     , hashDigestSize     , hash+    , hashPrefix     , hashlazy     -- * Hash algorithms     , module Crypto.Hash.Algorithms     ) where -import           Control.Monad+import           Basement.Types.OffsetSize (CountOf (..))+import           Basement.Block (Block, unsafeFreeze)+import           Basement.Block.Mutable (copyFromPtr, new)+import           Crypto.Internal.Compat (unsafeDoIO) import           Crypto.Hash.Types import           Crypto.Hash.Algorithms-import           Foreign.Ptr (Ptr)+import           Foreign.Ptr (Ptr, plusPtr) import           Crypto.Internal.ByteArray (ByteArrayAccess) import qualified Crypto.Internal.ByteArray as B import qualified Data.ByteString.Lazy as L+import           Data.Word (Word8)+import           Data.Int (Int32)  -- | Hash a strict bytestring into a digest. hash :: (ByteArrayAccess ba, HashAlgorithm a) => ba -> Digest a hash bs = hashFinalize $ hashUpdate hashInit bs +-- | Hash the first N bytes of a bytestring, with code path independent from N.+hashPrefix :: (ByteArrayAccess ba, HashAlgorithmPrefix a) => ba -> Int -> Digest a+hashPrefix = hashFinalizePrefix hashInit+ -- | Hash a lazy bytestring into a digest. hashlazy :: HashAlgorithm a => L.ByteString -> Digest a hashlazy lbs = hashFinalize $ hashUpdates hashInit (L.toChunks lbs)  -- | Initialize a new context for this hash algorithm-hashInit :: HashAlgorithm a-         => Context a-hashInit = doInit undefined B.allocAndFreeze-  where-        doInit :: HashAlgorithm a => a -> (Int -> (Ptr (Context a) -> IO ()) -> B.Bytes) -> Context a-        doInit alg alloc = Context $ alloc (hashInternalContextSize alg) hashInternalInit-{-# NOINLINE hashInit #-}+hashInit :: forall a . HashAlgorithm a => Context a+hashInit = Context $ B.allocAndFreeze (hashInternalContextSize (undefined :: a)) $ \(ptr :: Ptr (Context a)) ->+    hashInternalInit ptr  -- | run hashUpdates on one single bytestring and return the updated context. hashUpdate :: (ByteArrayAccess ba, HashAlgorithm a) => Context a -> ba -> Context a-hashUpdate ctx b = hashUpdates ctx [b]+hashUpdate ctx b+    | B.null b  = ctx+    | otherwise = hashUpdates ctx [b]  -- | Update the context with a list of strict bytestring, -- and return a new context with the updates.-hashUpdates :: (HashAlgorithm a, ByteArrayAccess ba)+hashUpdates :: forall a ba . (HashAlgorithm a, ByteArrayAccess ba)             => Context a             -> [ba]             -> Context a-hashUpdates c l = doUpdates (B.copyAndFreeze c)-  where doUpdates :: HashAlgorithm a => ((Ptr (Context a) -> IO ()) -> B.Bytes) -> Context a-        doUpdates copy = Context $ copy $ \ctx ->-            mapM_ (\b -> B.withByteArray b $ \d -> hashInternalUpdate ctx d (fromIntegral $ B.length b)) l-{-# NOINLINE hashUpdates #-}+hashUpdates c l+    | null ls   = c+    | otherwise = Context $ B.copyAndFreeze c $ \(ctx :: Ptr (Context a)) ->+        mapM_ (\b -> B.withByteArray b (processBlocks ctx (B.length b))) ls+  where+    ls = filter (not . B.null) l+    -- process the data in 2GB chunks to fit in uint32_t and Int on 32 bit systems+    processBlocks ctx bytesLeft dataPtr+        | bytesLeft == 0 = return ()+        | otherwise = do+            hashInternalUpdate ctx dataPtr (fromIntegral actuallyProcessed)+            processBlocks ctx (bytesLeft - actuallyProcessed) (dataPtr `plusPtr` actuallyProcessed)+        where+            actuallyProcessed = min bytesLeft (fromIntegral (maxBound :: Int32))  -- | Finalize a context and return a digest.-hashFinalize :: HashAlgorithm a+hashFinalize :: forall a . HashAlgorithm a              => Context a              -> Digest a-hashFinalize c = doFinalize undefined (B.copy c) (B.allocAndFreeze)-  where doFinalize :: HashAlgorithm alg-                   => alg-                   -> ((Ptr (Context alg) -> IO ()) -> IO B.Bytes)-                   -> (Int -> (Ptr (Digest alg)  -> IO ()) -> B.Bytes)-                   -> Digest alg-        doFinalize alg copy allocDigest =-            Digest $ allocDigest (hashDigestSize alg) $ \dig ->-                (void $ copy $ \ctx -> hashInternalFinalize ctx dig)-{-# NOINLINE hashFinalize #-}+hashFinalize !c =+    Digest $ B.allocAndFreeze (hashDigestSize (undefined :: a)) $ \(dig :: Ptr (Digest a)) -> do+        ((!_) :: B.Bytes) <- B.copy c $ \(ctx :: Ptr (Context a)) -> hashInternalFinalize ctx dig+        return () +-- | Update the context with the first N bytes of a bytestring and return the+-- digest.  The code path is independent from N but much slower than a normal+-- 'hashUpdate'.  The function can be called for the last bytes of a message, in+-- order to exclude a variable padding, without leaking the padding length.  The+-- begining of the message, never impacted by the padding, should preferably go+-- through 'hashUpdate' for better performance.+hashFinalizePrefix :: forall a ba . (HashAlgorithmPrefix a, ByteArrayAccess ba)+                   => Context a+                   -> ba+                   -> Int+                   -> Digest a+hashFinalizePrefix !c b len =+    Digest $ B.allocAndFreeze (hashDigestSize (undefined :: a)) $ \(dig :: Ptr (Digest a)) -> do+        ((!_) :: B.Bytes) <- B.copy c $ \(ctx :: Ptr (Context a)) ->+            B.withByteArray b $ \d ->+                hashInternalFinalizePrefix ctx d (fromIntegral $ B.length b) (fromIntegral len) dig+        return ()+ -- | Initialize a new context for a specified hash algorithm hashInitWith :: HashAlgorithm alg => alg -> Context alg hashInitWith _ = hashInit@@ -103,14 +136,26 @@ hashWith :: (ByteArrayAccess ba, HashAlgorithm alg) => alg -> ba -> Digest alg hashWith _ = hash +-- | Run the 'hashPrefix' function but takes an explicit hash algorithm parameter+hashPrefixWith :: (ByteArrayAccess ba, HashAlgorithmPrefix alg) => alg -> ba -> Int -> Digest alg+hashPrefixWith _ = hashPrefix+ -- | Try to transform a bytearray into a Digest of specific algorithm. -- -- If the digest is not the right size for the algorithm specified, then -- Nothing is returned.-digestFromByteString :: (HashAlgorithm a, ByteArrayAccess ba) => ba -> Maybe (Digest a)+digestFromByteString :: forall a ba . (HashAlgorithm a, ByteArrayAccess ba) => ba -> Maybe (Digest a) digestFromByteString = from undefined   where-        from :: (HashAlgorithm a, ByteArrayAccess ba) => a -> ba -> Maybe (Digest a)+        from :: a -> ba -> Maybe (Digest a)         from alg bs-            | B.length bs == (hashDigestSize alg) = (Just $ Digest $ B.convert bs)+            | B.length bs == (hashDigestSize alg) = Just $ Digest $ unsafeDoIO $ copyBytes bs             | otherwise                           = Nothing++        copyBytes :: ba -> IO (Block Word8)+        copyBytes ba = do+            muArray <- new count+            B.withByteArray ba $ \ptr -> copyFromPtr ptr muArray 0 count+            unsafeFreeze muArray+          where+            count = CountOf (B.length ba)
Crypto/Hash/Algorithms.hs view
@@ -1,4 +1,3 @@-{-# LANGUAGE CPP #-} -- | -- Module      : Crypto.Hash.Algorithms -- License     : BSD-style@@ -10,7 +9,8 @@ -- module Crypto.Hash.Algorithms     ( HashAlgorithm-    -- * hash algorithms+    , HashAlgorithmPrefix+    -- * Hash algorithms     , Blake2s_160(..)     , Blake2s_224(..)     , Blake2s_256(..)@@ -42,10 +42,10 @@     , SHA3_256(..)     , SHA3_384(..)     , SHA3_512(..)-#if MIN_VERSION_base(4,7,0)     , SHAKE128(..)     , SHAKE256(..)-#endif+    , Blake2b(..), Blake2bp(..)+    , Blake2s(..), Blake2sp(..)     , Skein256_224(..)     , Skein256_256(..)     , Skein512_224(..)@@ -55,7 +55,7 @@     , Whirlpool(..)     ) where -import           Crypto.Hash.Types (HashAlgorithm)+import           Crypto.Hash.Types (HashAlgorithm, HashAlgorithmPrefix) import           Crypto.Hash.Blake2s import           Crypto.Hash.Blake2sp import           Crypto.Hash.Blake2b@@ -76,6 +76,5 @@ import           Crypto.Hash.Skein256 import           Crypto.Hash.Skein512 import           Crypto.Hash.Whirlpool-#if MIN_VERSION_base(4,7,0) import           Crypto.Hash.SHAKE-#endif+import           Crypto.Hash.Blake2
+ Crypto/Hash/Blake2.hs view
@@ -0,0 +1,162 @@+-- |+-- Module      : Crypto.Hash.Blake2+-- License     : BSD-style+-- Maintainer  : Nicolas Di Prima <nicolas@primetype.co.uk>+-- Stability   : experimental+-- Portability : unknown+--+-- Module containing the binding functions to work with the+-- Blake2+--+-- Implementation based from [RFC7693](https://tools.ietf.org/html/rfc7693)+--+-- Please consider the following when chosing a hash:+--+--      Algorithm     | Target | Collision | Digest Size |+--         Identifier |  Arch  |  Security |   in bytes  |+--     ---------------+--------+-----------+-------------++--      id-blake2b160 | 64-bit |   2**80   |         20  |+--      id-blake2b256 | 64-bit |   2**128  |         32  |+--      id-blake2b384 | 64-bit |   2**192  |         48  |+--      id-blake2b512 | 64-bit |   2**256  |         64  |+--     ---------------+--------+-----------+-------------++--      id-blake2s128 | 32-bit |   2**64   |         16  |+--      id-blake2s160 | 32-bit |   2**80   |         20  |+--      id-blake2s224 | 32-bit |   2**112  |         28  |+--      id-blake2s256 | 32-bit |   2**128  |         32  |+--     ---------------+--------+-----------+-------------++--+{-# LANGUAGE ForeignFunctionInterface #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE ScopedTypeVariables #-}+{-# LANGUAGE KindSignatures #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-}+module Crypto.Hash.Blake2+    ( Blake2s(..)+    , Blake2sp(..)+    , Blake2b(..)+    , Blake2bp(..)+    ) where++import           Crypto.Hash.Types+import           Foreign.Ptr (Ptr)+import           Data.Data+import           Data.Word (Word8, Word32)+import           GHC.TypeLits (Nat, KnownNat)+import           Crypto.Internal.Nat++-- | Fast and secure alternative to SHA1 and HMAC-SHA1+--+-- It is espacially known to target 32bits architectures.+--+-- Known supported digest sizes:+--+-- * Blake2s 160+-- * Blake2s 224+-- * Blake2s 256+--+data Blake2s (bitlen :: Nat) = Blake2s+    deriving (Show,Data)++instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 256)+      => HashAlgorithm (Blake2s bitlen)+      where+    type HashBlockSize           (Blake2s bitlen) = 64+    type HashDigestSize          (Blake2s bitlen) = Div8 bitlen+    type HashInternalContextSize (Blake2s bitlen) = 136+    hashBlockSize  _          = 64+    hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)+    hashInternalContextSize _ = 136+    hashInternalInit p        = c_blake2s_init p (integralNatVal (Proxy :: Proxy bitlen))+    hashInternalUpdate        = c_blake2s_update+    hashInternalFinalize p    = c_blake2s_finalize p (integralNatVal (Proxy :: Proxy bitlen))++foreign import ccall unsafe "cryptonite_blake2s_init"+    c_blake2s_init :: Ptr (Context a) -> Word32 -> IO ()+foreign import ccall "cryptonite_blake2s_update"+    c_blake2s_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()+foreign import ccall unsafe "cryptonite_blake2s_finalize"+    c_blake2s_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()++-- | Fast cryptographic hash.+--+-- It is especially known to target 64bits architectures.+--+-- Known supported digest sizes:+--+-- * Blake2b 160+-- * Blake2b 224+-- * Blake2b 256+-- * Blake2b 384+-- * Blake2b 512+--+data Blake2b (bitlen :: Nat) = Blake2b+    deriving (Show,Data)++instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 512)+      => HashAlgorithm (Blake2b bitlen)+      where+    type HashBlockSize           (Blake2b bitlen) = 128+    type HashDigestSize          (Blake2b bitlen) = Div8 bitlen+    type HashInternalContextSize (Blake2b bitlen) = 248+    hashBlockSize  _          = 128+    hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)+    hashInternalContextSize _ = 248+    hashInternalInit p        = c_blake2b_init p (integralNatVal (Proxy :: Proxy bitlen))+    hashInternalUpdate        = c_blake2b_update+    hashInternalFinalize p    = c_blake2b_finalize p (integralNatVal (Proxy :: Proxy bitlen))++foreign import ccall unsafe "cryptonite_blake2b_init"+    c_blake2b_init :: Ptr (Context a) -> Word32 -> IO ()+foreign import ccall "cryptonite_blake2b_update"+    c_blake2b_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()+foreign import ccall unsafe "cryptonite_blake2b_finalize"+    c_blake2b_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()++data Blake2sp (bitlen :: Nat) = Blake2sp+    deriving (Show,Data)++instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 256)+      => HashAlgorithm (Blake2sp bitlen)+      where+    type HashBlockSize           (Blake2sp bitlen) = 64+    type HashDigestSize          (Blake2sp bitlen) = Div8 bitlen+    type HashInternalContextSize (Blake2sp bitlen) = 2185+    hashBlockSize  _          = 64+    hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)+    hashInternalContextSize _ = 2185+    hashInternalInit p        = c_blake2sp_init p (integralNatVal (Proxy :: Proxy bitlen))+    hashInternalUpdate        = c_blake2sp_update+    hashInternalFinalize p    = c_blake2sp_finalize p (integralNatVal (Proxy :: Proxy bitlen))++foreign import ccall unsafe "cryptonite_blake2sp_init"+    c_blake2sp_init :: Ptr (Context a) -> Word32 -> IO ()+foreign import ccall "cryptonite_blake2sp_update"+    c_blake2sp_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()+foreign import ccall unsafe "cryptonite_blake2sp_finalize"+    c_blake2sp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()++data Blake2bp (bitlen :: Nat) = Blake2bp+    deriving (Show,Data)++instance (IsDivisibleBy8 bitlen, KnownNat bitlen, IsAtLeast bitlen 8, IsAtMost bitlen 512)+      => HashAlgorithm (Blake2bp bitlen)+      where+    type HashBlockSize           (Blake2bp bitlen) = 128+    type HashDigestSize          (Blake2bp bitlen) = Div8 bitlen+    type HashInternalContextSize (Blake2bp bitlen) = 2325+    hashBlockSize  _          = 128+    hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)+    hashInternalContextSize _ = 2325+    hashInternalInit p        = c_blake2bp_init p (integralNatVal (Proxy :: Proxy bitlen))+    hashInternalUpdate        = c_blake2bp_update+    hashInternalFinalize p    = c_blake2bp_finalize p (integralNatVal (Proxy :: Proxy bitlen))+++foreign import ccall unsafe "cryptonite_blake2bp_init"+    c_blake2bp_init :: Ptr (Context a) -> Word32 -> IO ()+foreign import ccall "cryptonite_blake2bp_update"+    c_blake2bp_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()+foreign import ccall unsafe "cryptonite_blake2bp_finalize"+    c_blake2bp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/Blake2b.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Blake2b cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Blake2b     (  Blake2b_160 (..), Blake2b_224 (..), Blake2b_256 (..), Blake2b_384 (..), Blake2b_512 (..)     ) where@@ -17,66 +19,80 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Blake2b (160 bits) cryptographic hash algorithm data Blake2b_160 = Blake2b_160-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2b_160 where+    type HashBlockSize           Blake2b_160 = 128+    type HashDigestSize          Blake2b_160 = 20+    type HashInternalContextSize Blake2b_160 = 248     hashBlockSize  _          = 128     hashDigestSize _          = 20-    hashInternalContextSize _ = 361+    hashInternalContextSize _ = 248     hashInternalInit p        = c_blake2b_init p 160     hashInternalUpdate        = c_blake2b_update     hashInternalFinalize p    = c_blake2b_finalize p 160  -- | Blake2b (224 bits) cryptographic hash algorithm data Blake2b_224 = Blake2b_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2b_224 where+    type HashBlockSize           Blake2b_224 = 128+    type HashDigestSize          Blake2b_224 = 28+    type HashInternalContextSize Blake2b_224 = 248     hashBlockSize  _          = 128     hashDigestSize _          = 28-    hashInternalContextSize _ = 361+    hashInternalContextSize _ = 248     hashInternalInit p        = c_blake2b_init p 224     hashInternalUpdate        = c_blake2b_update     hashInternalFinalize p    = c_blake2b_finalize p 224  -- | Blake2b (256 bits) cryptographic hash algorithm data Blake2b_256 = Blake2b_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2b_256 where+    type HashBlockSize           Blake2b_256 = 128+    type HashDigestSize          Blake2b_256 = 32+    type HashInternalContextSize Blake2b_256 = 248     hashBlockSize  _          = 128     hashDigestSize _          = 32-    hashInternalContextSize _ = 361+    hashInternalContextSize _ = 248     hashInternalInit p        = c_blake2b_init p 256     hashInternalUpdate        = c_blake2b_update     hashInternalFinalize p    = c_blake2b_finalize p 256  -- | Blake2b (384 bits) cryptographic hash algorithm data Blake2b_384 = Blake2b_384-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2b_384 where+    type HashBlockSize           Blake2b_384 = 128+    type HashDigestSize          Blake2b_384 = 48+    type HashInternalContextSize Blake2b_384 = 248     hashBlockSize  _          = 128     hashDigestSize _          = 48-    hashInternalContextSize _ = 361+    hashInternalContextSize _ = 248     hashInternalInit p        = c_blake2b_init p 384     hashInternalUpdate        = c_blake2b_update     hashInternalFinalize p    = c_blake2b_finalize p 384  -- | Blake2b (512 bits) cryptographic hash algorithm data Blake2b_512 = Blake2b_512-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2b_512 where+    type HashBlockSize           Blake2b_512 = 128+    type HashDigestSize          Blake2b_512 = 64+    type HashInternalContextSize Blake2b_512 = 248     hashBlockSize  _          = 128     hashDigestSize _          = 64-    hashInternalContextSize _ = 361+    hashInternalContextSize _ = 248     hashInternalInit p        = c_blake2b_init p 512     hashInternalUpdate        = c_blake2b_update     hashInternalFinalize p    = c_blake2b_finalize p 512
Crypto/Hash/Blake2bp.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Blake2bp cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Blake2bp     (  Blake2bp_512 (..)     ) where@@ -17,28 +19,30 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Blake2bp (512 bits) cryptographic hash algorithm data Blake2bp_512 = Blake2bp_512-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2bp_512 where+    type HashBlockSize           Blake2bp_512 = 128+    type HashDigestSize          Blake2bp_512 = 64+    type HashInternalContextSize Blake2bp_512 = 1768     hashBlockSize  _          = 128     hashDigestSize _          = 64-    hashInternalContextSize _ = 2325-    hashInternalInit p        = c_blake2sp_init p 512-    hashInternalUpdate        = c_blake2sp_update-    hashInternalFinalize p    = c_blake2sp_finalize p 512+    hashInternalContextSize _ = 1768+    hashInternalInit p        = c_blake2bp_init p 512+    hashInternalUpdate        = c_blake2bp_update+    hashInternalFinalize p    = c_blake2bp_finalize p 512  -foreign import ccall unsafe "cryptonite_blake2sp_init"-    c_blake2sp_init :: Ptr (Context a) -> Word32 -> IO ()+foreign import ccall unsafe "cryptonite_blake2bp_init"+    c_blake2bp_init :: Ptr (Context a) -> Word32 -> IO () -foreign import ccall "cryptonite_blake2sp_update"-    c_blake2sp_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO ()+foreign import ccall "cryptonite_blake2bp_update"+    c_blake2bp_update :: Ptr (Context a) -> Ptr Word8 -> Word32 -> IO () -foreign import ccall unsafe "cryptonite_blake2sp_finalize"-    c_blake2sp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()+foreign import ccall unsafe "cryptonite_blake2bp_finalize"+    c_blake2bp_finalize :: Ptr (Context a) -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/Blake2s.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Blake2s cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Blake2s     (  Blake2s_160 (..), Blake2s_224 (..), Blake2s_256 (..)     ) where@@ -17,42 +19,50 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Blake2s (160 bits) cryptographic hash algorithm data Blake2s_160 = Blake2s_160-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2s_160 where+    type HashBlockSize           Blake2s_160 = 64+    type HashDigestSize          Blake2s_160 = 20+    type HashInternalContextSize Blake2s_160 = 136     hashBlockSize  _          = 64     hashDigestSize _          = 20-    hashInternalContextSize _ = 185+    hashInternalContextSize _ = 136     hashInternalInit p        = c_blake2s_init p 160     hashInternalUpdate        = c_blake2s_update     hashInternalFinalize p    = c_blake2s_finalize p 160  -- | Blake2s (224 bits) cryptographic hash algorithm data Blake2s_224 = Blake2s_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2s_224 where+    type HashBlockSize           Blake2s_224 = 64+    type HashDigestSize          Blake2s_224 = 28+    type HashInternalContextSize Blake2s_224 = 136     hashBlockSize  _          = 64     hashDigestSize _          = 28-    hashInternalContextSize _ = 185+    hashInternalContextSize _ = 136     hashInternalInit p        = c_blake2s_init p 224     hashInternalUpdate        = c_blake2s_update     hashInternalFinalize p    = c_blake2s_finalize p 224  -- | Blake2s (256 bits) cryptographic hash algorithm data Blake2s_256 = Blake2s_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2s_256 where+    type HashBlockSize           Blake2s_256 = 64+    type HashDigestSize          Blake2s_256 = 32+    type HashInternalContextSize Blake2s_256 = 136     hashBlockSize  _          = 64     hashDigestSize _          = 32-    hashInternalContextSize _ = 185+    hashInternalContextSize _ = 136     hashInternalInit p        = c_blake2s_init p 256     hashInternalUpdate        = c_blake2s_update     hashInternalFinalize p    = c_blake2s_finalize p 256
Crypto/Hash/Blake2sp.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Blake2sp cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Blake2sp     (  Blake2sp_224 (..), Blake2sp_256 (..)     ) where@@ -17,30 +19,35 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Blake2sp (224 bits) cryptographic hash algorithm data Blake2sp_224 = Blake2sp_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2sp_224 where+    type HashBlockSize           Blake2sp_224 = 64+    type HashDigestSize          Blake2sp_224 = 28+    type HashInternalContextSize Blake2sp_224 = 1752     hashBlockSize  _          = 64     hashDigestSize _          = 28-    hashInternalContextSize _ = 2185+    hashInternalContextSize _ = 1752     hashInternalInit p        = c_blake2sp_init p 224     hashInternalUpdate        = c_blake2sp_update     hashInternalFinalize p    = c_blake2sp_finalize p 224  -- | Blake2sp (256 bits) cryptographic hash algorithm data Blake2sp_256 = Blake2sp_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Blake2sp_256 where+    type HashBlockSize           Blake2sp_256 = 64+    type HashDigestSize          Blake2sp_256 = 32+    type HashInternalContextSize Blake2sp_256 = 1752     hashBlockSize  _          = 64     hashDigestSize _          = 32-    hashInternalContextSize _ = 2185+    hashInternalContextSize _ = 1752     hashInternalInit p        = c_blake2sp_init p 256     hashInternalUpdate        = c_blake2sp_update     hashInternalFinalize p    = c_blake2sp_finalize p 256
Crypto/Hash/IO.hs view
@@ -8,6 +8,7 @@ -- Generalized impure cryptographic hash interface -- {-# LANGUAGE GeneralizedNewtypeDeriving #-}+{-# LANGUAGE ScopedTypeVariables        #-} module Crypto.Hash.IO     ( HashAlgorithm(..)     , MutableContext@@ -23,6 +24,11 @@ import           Foreign.Ptr  -- | A Mutable hash context+--+-- This type is an instance of 'B.ByteArrayAccess' for debugging purpose.+-- Internal layout is architecture dependent, may contain uninitialized data+-- fragments, and change in future versions.  The bytearray should not be used+-- as input to cryptographic algorithms. newtype MutableContext a = MutableContext B.Bytes     deriving (B.ByteArrayAccess) @@ -51,18 +57,10 @@                 hashInternalUpdate ctx d (fromIntegral $ B.length dat)  -- | Finalize a mutable hash context and compute a digest-hashMutableFinalize :: HashAlgorithm a => MutableContext a -> IO (Digest a)-hashMutableFinalize mc = doFinalize undefined (B.withByteArray mc) B.alloc-  where doFinalize :: HashAlgorithm alg-                   => alg-                   -> ((Ptr (Context alg) -> IO ()) -> IO ())-                   -> (Int -> (Ptr (Digest alg)  -> IO ()) -> IO B.Bytes)-                   -> IO (Digest alg)-        doFinalize alg withCtx allocDigest = do-            b <- allocDigest (hashDigestSize alg) $ \dig ->-                    withCtx $ \ctx ->-                        hashInternalFinalize ctx dig-            return $ Digest b+hashMutableFinalize :: forall a . HashAlgorithm a => MutableContext a -> IO (Digest a)+hashMutableFinalize mc = do+    b <- B.alloc (hashDigestSize (undefined :: a)) $ \dig -> B.withByteArray mc $ \(ctx :: Ptr (Context a)) -> hashInternalFinalize ctx dig+    return $ Digest b  -- | Reset the mutable context to the initial state of the hash hashMutableReset :: HashAlgorithm a => MutableContext a -> IO ()
Crypto/Hash/Keccak.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Keccak cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Keccak     (  Keccak_224 (..), Keccak_256 (..), Keccak_384 (..), Keccak_512 (..)     ) where@@ -17,15 +19,17 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Keccak (224 bits) cryptographic hash algorithm data Keccak_224 = Keccak_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Keccak_224 where+    type HashBlockSize           Keccak_224 = 144+    type HashDigestSize          Keccak_224 = 28+    type HashInternalContextSize Keccak_224 = 352     hashBlockSize  _          = 144     hashDigestSize _          = 28     hashInternalContextSize _ = 352@@ -35,9 +39,12 @@  -- | Keccak (256 bits) cryptographic hash algorithm data Keccak_256 = Keccak_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Keccak_256 where+    type HashBlockSize           Keccak_256 = 136+    type HashDigestSize          Keccak_256 = 32+    type HashInternalContextSize Keccak_256 = 344     hashBlockSize  _          = 136     hashDigestSize _          = 32     hashInternalContextSize _ = 344@@ -47,9 +54,12 @@  -- | Keccak (384 bits) cryptographic hash algorithm data Keccak_384 = Keccak_384-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Keccak_384 where+    type HashBlockSize           Keccak_384 = 104+    type HashDigestSize          Keccak_384 = 48+    type HashInternalContextSize Keccak_384 = 312     hashBlockSize  _          = 104     hashDigestSize _          = 48     hashInternalContextSize _ = 312@@ -59,9 +69,12 @@  -- | Keccak (512 bits) cryptographic hash algorithm data Keccak_512 = Keccak_512-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Keccak_512 where+    type HashBlockSize           Keccak_512 = 72+    type HashDigestSize          Keccak_512 = 64+    type HashInternalContextSize Keccak_512 = 280     hashBlockSize  _          = 72     hashDigestSize _          = 64     hashInternalContextSize _ = 280
Crypto/Hash/MD2.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- MD2 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.MD2 ( MD2 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | MD2 cryptographic hash algorithm data MD2 = MD2-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm MD2 where+    type HashBlockSize           MD2 = 16+    type HashDigestSize          MD2 = 16+    type HashInternalContextSize MD2 = 96     hashBlockSize  _          = 16     hashDigestSize _          = 16     hashInternalContextSize _ = 96
Crypto/Hash/MD4.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- MD4 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.MD4 ( MD4 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | MD4 cryptographic hash algorithm data MD4 = MD4-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm MD4 where+    type HashBlockSize           MD4 = 64+    type HashDigestSize          MD4 = 16+    type HashInternalContextSize MD4 = 96     hashBlockSize  _          = 64     hashDigestSize _          = 16     hashInternalContextSize _ = 96
Crypto/Hash/MD5.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- MD5 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.MD5 ( MD5 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | MD5 cryptographic hash algorithm data MD5 = MD5-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm MD5 where+    type HashBlockSize           MD5 = 64+    type HashDigestSize          MD5 = 16+    type HashInternalContextSize MD5 = 96     hashBlockSize  _          = 64     hashDigestSize _          = 16     hashInternalContextSize _ = 96@@ -30,6 +34,9 @@     hashInternalUpdate        = c_md5_update     hashInternalFinalize      = c_md5_finalize +instance HashAlgorithmPrefix MD5 where+    hashInternalFinalizePrefix = c_md5_finalize_prefix+ foreign import ccall unsafe "cryptonite_md5_init"     c_md5_init :: Ptr (Context a)-> IO () @@ -38,3 +45,6 @@  foreign import ccall unsafe "cryptonite_md5_finalize"     c_md5_finalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()++foreign import ccall "cryptonite_md5_finalize_prefix"+    c_md5_finalize_prefix :: Ptr (Context a) -> Ptr Word8 -> Word32 -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/RIPEMD160.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- RIPEMD160 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.RIPEMD160 ( RIPEMD160 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | RIPEMD160 cryptographic hash algorithm data RIPEMD160 = RIPEMD160-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm RIPEMD160 where+    type HashBlockSize           RIPEMD160 = 64+    type HashDigestSize          RIPEMD160 = 20+    type HashInternalContextSize RIPEMD160 = 128     hashBlockSize  _          = 64     hashDigestSize _          = 20     hashInternalContextSize _ = 128
Crypto/Hash/SHA1.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA1 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA1 ( SHA1 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | SHA1 cryptographic hash algorithm data SHA1 = SHA1-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA1 where+    type HashBlockSize           SHA1 = 64+    type HashDigestSize          SHA1 = 20+    type HashInternalContextSize SHA1 = 96     hashBlockSize  _          = 64     hashDigestSize _          = 20     hashInternalContextSize _ = 96@@ -30,6 +34,9 @@     hashInternalUpdate        = c_sha1_update     hashInternalFinalize      = c_sha1_finalize +instance HashAlgorithmPrefix SHA1 where+    hashInternalFinalizePrefix = c_sha1_finalize_prefix+ foreign import ccall unsafe "cryptonite_sha1_init"     c_sha1_init :: Ptr (Context a)-> IO () @@ -38,3 +45,6 @@  foreign import ccall unsafe "cryptonite_sha1_finalize"     c_sha1_finalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()++foreign import ccall "cryptonite_sha1_finalize_prefix"+    c_sha1_finalize_prefix :: Ptr (Context a) -> Ptr Word8 -> Word32 -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/SHA224.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA224 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA224 ( SHA224 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | SHA224 cryptographic hash algorithm data SHA224 = SHA224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA224 where+    type HashBlockSize           SHA224 = 64+    type HashDigestSize          SHA224 = 28+    type HashInternalContextSize SHA224 = 192     hashBlockSize  _          = 64     hashDigestSize _          = 28     hashInternalContextSize _ = 192@@ -30,6 +34,9 @@     hashInternalUpdate        = c_sha224_update     hashInternalFinalize      = c_sha224_finalize +instance HashAlgorithmPrefix SHA224 where+    hashInternalFinalizePrefix = c_sha224_finalize_prefix+ foreign import ccall unsafe "cryptonite_sha224_init"     c_sha224_init :: Ptr (Context a)-> IO () @@ -38,3 +45,6 @@  foreign import ccall unsafe "cryptonite_sha224_finalize"     c_sha224_finalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()++foreign import ccall "cryptonite_sha224_finalize_prefix"+    c_sha224_finalize_prefix :: Ptr (Context a) -> Ptr Word8 -> Word32 -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/SHA256.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA256 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA256 ( SHA256 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | SHA256 cryptographic hash algorithm data SHA256 = SHA256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA256 where+    type HashBlockSize           SHA256 = 64+    type HashDigestSize          SHA256 = 32+    type HashInternalContextSize SHA256 = 192     hashBlockSize  _          = 64     hashDigestSize _          = 32     hashInternalContextSize _ = 192@@ -30,6 +34,9 @@     hashInternalUpdate        = c_sha256_update     hashInternalFinalize      = c_sha256_finalize +instance HashAlgorithmPrefix SHA256 where+    hashInternalFinalizePrefix = c_sha256_finalize_prefix+ foreign import ccall unsafe "cryptonite_sha256_init"     c_sha256_init :: Ptr (Context a)-> IO () @@ -38,3 +45,6 @@  foreign import ccall unsafe "cryptonite_sha256_finalize"     c_sha256_finalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()++foreign import ccall "cryptonite_sha256_finalize_prefix"+    c_sha256_finalize_prefix :: Ptr (Context a) -> Ptr Word8 -> Word32 -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/SHA3.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA3 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA3     (  SHA3_224 (..), SHA3_256 (..), SHA3_384 (..), SHA3_512 (..)     ) where@@ -17,14 +19,17 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32) + -- | SHA3 (224 bits) cryptographic hash algorithm data SHA3_224 = SHA3_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA3_224 where+    type HashBlockSize           SHA3_224 = 144+    type HashDigestSize          SHA3_224 = 28+    type HashInternalContextSize SHA3_224 = 352     hashBlockSize  _          = 144     hashDigestSize _          = 28     hashInternalContextSize _ = 352@@ -34,9 +39,12 @@  -- | SHA3 (256 bits) cryptographic hash algorithm data SHA3_256 = SHA3_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA3_256 where+    type HashBlockSize           SHA3_256 = 136+    type HashDigestSize          SHA3_256 = 32+    type HashInternalContextSize SHA3_256 = 344     hashBlockSize  _          = 136     hashDigestSize _          = 32     hashInternalContextSize _ = 344@@ -46,9 +54,12 @@  -- | SHA3 (384 bits) cryptographic hash algorithm data SHA3_384 = SHA3_384-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA3_384 where+    type HashBlockSize           SHA3_384 = 104+    type HashDigestSize          SHA3_384 = 48+    type HashInternalContextSize SHA3_384 = 312     hashBlockSize  _          = 104     hashDigestSize _          = 48     hashInternalContextSize _ = 312@@ -58,15 +69,19 @@  -- | SHA3 (512 bits) cryptographic hash algorithm data SHA3_512 = SHA3_512-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA3_512 where+    type HashBlockSize           SHA3_512 = 72+    type HashDigestSize          SHA3_512 = 64+    type HashInternalContextSize SHA3_512 = 280     hashBlockSize  _          = 72     hashDigestSize _          = 64     hashInternalContextSize _ = 280     hashInternalInit p        = c_sha3_init p 512     hashInternalUpdate        = c_sha3_update     hashInternalFinalize p    = c_sha3_finalize p 512+  foreign import ccall unsafe "cryptonite_sha3_init"     c_sha3_init :: Ptr (Context a) -> Word32 -> IO ()
Crypto/Hash/SHA384.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA384 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA384 ( SHA384 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | SHA384 cryptographic hash algorithm data SHA384 = SHA384-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA384 where+    type HashBlockSize           SHA384 = 128+    type HashDigestSize          SHA384 = 48+    type HashInternalContextSize SHA384 = 256     hashBlockSize  _          = 128     hashDigestSize _          = 48     hashInternalContextSize _ = 256@@ -30,6 +34,9 @@     hashInternalUpdate        = c_sha384_update     hashInternalFinalize      = c_sha384_finalize +instance HashAlgorithmPrefix SHA384 where+    hashInternalFinalizePrefix = c_sha384_finalize_prefix+ foreign import ccall unsafe "cryptonite_sha384_init"     c_sha384_init :: Ptr (Context a)-> IO () @@ -38,3 +45,6 @@  foreign import ccall unsafe "cryptonite_sha384_finalize"     c_sha384_finalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()++foreign import ccall "cryptonite_sha384_finalize_prefix"+    c_sha384_finalize_prefix :: Ptr (Context a) -> Ptr Word8 -> Word32 -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/SHA512.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA512 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA512 ( SHA512 (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | SHA512 cryptographic hash algorithm data SHA512 = SHA512-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA512 where+    type HashBlockSize           SHA512 = 128+    type HashDigestSize          SHA512 = 64+    type HashInternalContextSize SHA512 = 256     hashBlockSize  _          = 128     hashDigestSize _          = 64     hashInternalContextSize _ = 256@@ -30,6 +34,9 @@     hashInternalUpdate        = c_sha512_update     hashInternalFinalize      = c_sha512_finalize +instance HashAlgorithmPrefix SHA512 where+    hashInternalFinalizePrefix = c_sha512_finalize_prefix+ foreign import ccall unsafe "cryptonite_sha512_init"     c_sha512_init :: Ptr (Context a)-> IO () @@ -38,3 +45,6 @@  foreign import ccall unsafe "cryptonite_sha512_finalize"     c_sha512_finalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()++foreign import ccall "cryptonite_sha512_finalize_prefix"+    c_sha512_finalize_prefix :: Ptr (Context a) -> Ptr Word8 -> Word32 -> Word32 -> Ptr (Digest a) -> IO ()
Crypto/Hash/SHA512t.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA512t cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.SHA512t     (  SHA512t_224 (..), SHA512t_256 (..)     ) where@@ -17,15 +19,17 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | SHA512t (224 bits) cryptographic hash algorithm data SHA512t_224 = SHA512t_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA512t_224 where+    type HashBlockSize           SHA512t_224 = 128+    type HashDigestSize          SHA512t_224 = 28+    type HashInternalContextSize SHA512t_224 = 256     hashBlockSize  _          = 128     hashDigestSize _          = 28     hashInternalContextSize _ = 256@@ -35,9 +39,12 @@  -- | SHA512t (256 bits) cryptographic hash algorithm data SHA512t_256 = SHA512t_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm SHA512t_256 where+    type HashBlockSize           SHA512t_256 = 128+    type HashDigestSize          SHA512t_256 = 32+    type HashInternalContextSize SHA512t_256 = 256     hashBlockSize  _          = 128     hashDigestSize _          = 32     hashInternalContextSize _ = 256
Crypto/Hash/SHAKE.hs view
@@ -5,79 +5,116 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- SHA3 extendable output functions (SHAKE). -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE KindSignatures #-} {-# LANGUAGE DataKinds #-}-{-# LANGUAGE ConstraintKinds #-} {-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE TypeOperators #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE UndecidableInstances #-} module Crypto.Hash.SHAKE-    (  SHAKE128 (..), SHAKE256 (..)+    (  SHAKE128 (..), SHAKE256 (..), HashSHAKE (..)     ) where +import           Control.Monad (when) import           Crypto.Hash.Types-import           Foreign.Ptr (Ptr)-import           Data.Typeable+import           Foreign.Ptr (Ptr, castPtr)+import           Foreign.Storable (Storable(..))+import           Data.Bits+import           Data.Data import           Data.Word (Word8, Word32) -import           Data.Proxy (Proxy(..))-import           GHC.TypeLits (Nat, KnownNat, natVal)+import           GHC.TypeLits (Nat, KnownNat, type (+)) import           Crypto.Internal.Nat +-- | Type class of SHAKE algorithms.+class HashAlgorithm a => HashSHAKE a where+    -- | Alternate finalization needed for cSHAKE+    cshakeInternalFinalize :: Ptr (Context a) -> Ptr (Digest a) -> IO ()+    -- | Get the digest bit length+    cshakeOutputLength :: a -> Int+ -- | SHAKE128 (128 bits) extendable output function.  Supports an arbitrary--- digest size (multiple of 8 bits), to be specified as a type parameter--- of kind 'Nat'.+-- digest size, to be specified as a type parameter of kind 'Nat'. -- -- Note: outputs from @'SHAKE128' n@ and @'SHAKE128' m@ for the same input are -- correlated (one being a prefix of the other).  Results are unrelated to -- 'SHAKE256' results. data SHAKE128 (bitlen :: Nat) = SHAKE128-    deriving (Show, Typeable)+    deriving (Show, Data) -instance (IsDivisibleBy8 bitLen, KnownNat bitLen) => HashAlgorithm (SHAKE128 bitLen) where+instance KnownNat bitlen => HashAlgorithm (SHAKE128 bitlen) where+    type HashBlockSize           (SHAKE128 bitlen)  = 168+    type HashDigestSize          (SHAKE128 bitlen) = Div8 (bitlen + 7)+    type HashInternalContextSize (SHAKE128 bitlen) = 376     hashBlockSize  _          = 168-    hashDigestSize _          = byteLen (Proxy :: Proxy bitLen)+    hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)     hashInternalContextSize _ = 376     hashInternalInit p        = c_sha3_init p 128     hashInternalUpdate        = c_sha3_update-    hashInternalFinalize      = shakeFinalizeOutput (Proxy :: Proxy bitLen)+    hashInternalFinalize      = shakeFinalizeOutput (Proxy :: Proxy bitlen) +instance KnownNat bitlen => HashSHAKE (SHAKE128 bitlen) where+    cshakeInternalFinalize = cshakeFinalizeOutput (Proxy :: Proxy bitlen)+    cshakeOutputLength _ = integralNatVal (Proxy :: Proxy bitlen)+ -- | SHAKE256 (256 bits) extendable output function.  Supports an arbitrary--- digest size (multiple of 8 bits), to be specified as a type parameter--- of kind 'Nat'.+-- digest size, to be specified as a type parameter of kind 'Nat'. -- -- Note: outputs from @'SHAKE256' n@ and @'SHAKE256' m@ for the same input are -- correlated (one being a prefix of the other).  Results are unrelated to -- 'SHAKE128' results. data SHAKE256 (bitlen :: Nat) = SHAKE256-    deriving (Show, Typeable)+    deriving (Show, Data) -instance (IsDivisibleBy8 bitLen, KnownNat bitLen) => HashAlgorithm (SHAKE256 bitLen) where+instance KnownNat bitlen => HashAlgorithm (SHAKE256 bitlen) where+    type HashBlockSize           (SHAKE256 bitlen) = 136+    type HashDigestSize          (SHAKE256 bitlen) = Div8 (bitlen + 7)+    type HashInternalContextSize (SHAKE256 bitlen) = 344     hashBlockSize  _          = 136-    hashDigestSize _          = byteLen (Proxy :: Proxy bitLen)+    hashDigestSize _          = byteLen (Proxy :: Proxy bitlen)     hashInternalContextSize _ = 344     hashInternalInit p        = c_sha3_init p 256     hashInternalUpdate        = c_sha3_update-    hashInternalFinalize      = shakeFinalizeOutput (Proxy :: Proxy bitLen)+    hashInternalFinalize      = shakeFinalizeOutput (Proxy :: Proxy bitlen) -shakeFinalizeOutput :: (IsDivisibleBy8 bitLen, KnownNat bitLen)-                    => proxy bitLen+instance KnownNat bitlen => HashSHAKE (SHAKE256 bitlen) where+    cshakeInternalFinalize = cshakeFinalizeOutput (Proxy :: Proxy bitlen)+    cshakeOutputLength _ = integralNatVal (Proxy :: Proxy bitlen)++shakeFinalizeOutput :: KnownNat bitlen+                    => proxy bitlen                     -> Ptr (Context a)                     -> Ptr (Digest a)                     -> IO () shakeFinalizeOutput d ctx dig = do     c_sha3_finalize_shake ctx-    c_sha3_output ctx dig (fromInteger (natVal d `div` 8))+    c_sha3_output ctx dig (byteLen d)+    shakeTruncate d (castPtr dig) -byteLen :: (KnownNat bitlen, IsDivisibleBy8 bitlen, Num a) => proxy bitlen -> a-byteLen d = fromInteger (natVal d `div` 8)+cshakeFinalizeOutput :: KnownNat bitlen+                     => proxy bitlen+                     -> Ptr (Context a)+                     -> Ptr (Digest a)+                     -> IO ()+cshakeFinalizeOutput d ctx dig = do+    c_sha3_finalize_cshake ctx+    c_sha3_output ctx dig (byteLen d)+    shakeTruncate d (castPtr dig) +shakeTruncate :: KnownNat bitlen => proxy bitlen -> Ptr Word8 -> IO ()+shakeTruncate d ptr =+    when (bits > 0) $ do+        byte <- peekElemOff ptr index+        pokeElemOff ptr index (byte .&. mask)+  where+    mask = (1 `shiftL` bits) - 1+    (index, bits) = integralNatVal d `divMod` 8+ foreign import ccall unsafe "cryptonite_sha3_init"     c_sha3_init :: Ptr (Context a) -> Word32 -> IO () @@ -86,6 +123,9 @@  foreign import ccall unsafe "cryptonite_sha3_finalize_shake"     c_sha3_finalize_shake :: Ptr (Context a) -> IO ()++foreign import ccall unsafe "cryptonite_sha3_finalize_cshake"+    c_sha3_finalize_cshake :: Ptr (Context a) -> IO ()  foreign import ccall unsafe "cryptonite_sha3_output"     c_sha3_output :: Ptr (Context a) -> Ptr (Digest a) -> Word32 -> IO ()
Crypto/Hash/Skein256.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Skein256 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Skein256     (  Skein256_224 (..), Skein256_256 (..)     ) where@@ -17,15 +19,17 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Skein256 (224 bits) cryptographic hash algorithm data Skein256_224 = Skein256_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Skein256_224 where+    type HashBlockSize           Skein256_224 = 32+    type HashDigestSize          Skein256_224 = 28+    type HashInternalContextSize Skein256_224 = 96     hashBlockSize  _          = 32     hashDigestSize _          = 28     hashInternalContextSize _ = 96@@ -35,9 +39,12 @@  -- | Skein256 (256 bits) cryptographic hash algorithm data Skein256_256 = Skein256_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Skein256_256 where+    type HashBlockSize           Skein256_256 = 32+    type HashDigestSize          Skein256_256 = 32+    type HashInternalContextSize Skein256_256 = 96     hashBlockSize  _          = 32     hashDigestSize _          = 32     hashInternalContextSize _ = 96
Crypto/Hash/Skein512.hs view
@@ -5,11 +5,13 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Skein512 cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Skein512     (  Skein512_224 (..), Skein512_256 (..), Skein512_384 (..), Skein512_512 (..)     ) where@@ -17,15 +19,17 @@ import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)   -- | Skein512 (224 bits) cryptographic hash algorithm data Skein512_224 = Skein512_224-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Skein512_224 where+    type HashBlockSize           Skein512_224 = 64+    type HashDigestSize          Skein512_224 = 28+    type HashInternalContextSize Skein512_224 = 160     hashBlockSize  _          = 64     hashDigestSize _          = 28     hashInternalContextSize _ = 160@@ -35,9 +39,12 @@  -- | Skein512 (256 bits) cryptographic hash algorithm data Skein512_256 = Skein512_256-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Skein512_256 where+    type HashBlockSize           Skein512_256 = 64+    type HashDigestSize          Skein512_256 = 32+    type HashInternalContextSize Skein512_256 = 160     hashBlockSize  _          = 64     hashDigestSize _          = 32     hashInternalContextSize _ = 160@@ -47,9 +54,12 @@  -- | Skein512 (384 bits) cryptographic hash algorithm data Skein512_384 = Skein512_384-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Skein512_384 where+    type HashBlockSize           Skein512_384 = 64+    type HashDigestSize          Skein512_384 = 48+    type HashInternalContextSize Skein512_384 = 160     hashBlockSize  _          = 64     hashDigestSize _          = 48     hashInternalContextSize _ = 160@@ -59,9 +69,12 @@  -- | Skein512 (512 bits) cryptographic hash algorithm data Skein512_512 = Skein512_512-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Skein512_512 where+    type HashBlockSize           Skein512_512 = 64+    type HashDigestSize          Skein512_512 = 64+    type HashInternalContextSize Skein512_512 = 160     hashBlockSize  _          = 64     hashDigestSize _          = 64     hashInternalContextSize _ = 160
Crypto/Hash/Tiger.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Tiger cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Tiger ( Tiger (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | Tiger cryptographic hash algorithm data Tiger = Tiger-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Tiger where+    type HashBlockSize           Tiger = 64+    type HashDigestSize          Tiger = 24+    type HashInternalContextSize Tiger = 96     hashBlockSize  _          = 64     hashDigestSize _          = 24     hashInternalContextSize _ = 96
Crypto/Hash/Types.hs view
@@ -8,8 +8,13 @@ -- Crypto hash types definitions -- {-# LANGUAGE GeneralizedNewtypeDeriving #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE ScopedTypeVariables #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Types     ( HashAlgorithm(..)+    , HashAlgorithmPrefix(..)     , Context(..)     , Digest(..)     ) where@@ -17,7 +22,15 @@ import           Crypto.Internal.Imports import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes) import qualified Crypto.Internal.ByteArray as B+import           Control.Monad.ST+import           Data.Char (digitToInt, isHexDigit) import           Foreign.Ptr (Ptr)+import           Basement.Block (Block, unsafeFreeze)+import           Basement.Block.Mutable (MutableBlock, new, unsafeWrite)+import           Basement.NormalForm (deepseq)+import           Basement.Types.OffsetSize (CountOf(..), Offset(..))+import           GHC.TypeLits (Nat)+import           Data.Data (Data)  -- | Class representing hashing algorithms. --@@ -25,6 +38,13 @@ -- and lowlevel. the Hash module takes care of -- hidding the mutable interface properly. class HashAlgorithm a where+    -- | Associated type for the block size of the hash algorithm+    type HashBlockSize a :: Nat+    -- | Associated type for the digest size of the hash algorithm+    type HashDigestSize a :: Nat+    -- | Associated type for the internal context size of the hash algorithm+    type HashInternalContextSize a :: Nat+     -- | Get the block size of a hash algorithm     hashBlockSize           :: a -> Int     -- | Get the digest size of a hash algorithm@@ -40,19 +60,64 @@     -- | Finalize the context and set the digest raw memory to the right value     hashInternalFinalize :: Ptr (Context a) -> Ptr (Digest a) -> IO () +-- | Hashing algorithms with a constant-time implementation.+class HashAlgorithm a => HashAlgorithmPrefix a where+    -- | Update the context with the first N bytes of a buffer and finalize this+    -- context.  The code path executed is independent from N and depends only+    -- on the complete buffer length.+    hashInternalFinalizePrefix :: Ptr (Context a)+                               -> Ptr Word8 -> Word32+                               -> Word32+                               -> Ptr (Digest a)+                               -> IO ()+ {- hashContextGetAlgorithm :: HashAlgorithm a => Context a -> a hashContextGetAlgorithm = undefined -}  -- | Represent a context for a given hash algorithm.+--+-- This type is an instance of 'ByteArrayAccess' for debugging purpose. Internal+-- layout is architecture dependent, may contain uninitialized data fragments,+-- and change in future versions.  The bytearray should not be used as input to+-- cryptographic algorithms. newtype Context a = Context Bytes     deriving (ByteArrayAccess,NFData)  -- | Represent a digest for a given hash algorithm.-newtype Digest a = Digest Bytes-    deriving (Eq,Ord,ByteArrayAccess,NFData)+--+-- This type is an instance of 'ByteArrayAccess' from package+-- <https://hackage.haskell.org/package/memory memory>.+-- Module "Data.ByteArray" provides many primitives to work with those values+-- including conversion to other types.+--+-- Creating a digest from a bytearray is also possible with function+-- 'Crypto.Hash.digestFromByteString'.+newtype Digest a = Digest (Block Word8)+    deriving (Eq,Ord,ByteArrayAccess, Data) +instance NFData (Digest a) where+    rnf (Digest u) = u `deepseq` ()+ instance Show (Digest a) where     show (Digest bs) = map (toEnum . fromIntegral)                      $ B.unpack (B.convertToBase B.Base16 bs :: Bytes)++instance HashAlgorithm a => Read (Digest a) where+    readsPrec _ str = runST $ do mut <- new (CountOf len)+                                 loop mut len str+      where+        len = hashDigestSize (undefined :: a)++        loop :: MutableBlock Word8 s -> Int -> String -> ST s [(Digest a, String)]+        loop mut 0   cs          = (\b -> [(Digest b, cs)]) <$> unsafeFreeze mut+        loop _   _   []          = return []+        loop _   _   [_]         = return []+        loop mut n   (c:(d:ds))+            | not (isHexDigit c) = return []+            | not (isHexDigit d) = return []+            | otherwise          = do+                let w8 = fromIntegral $ digitToInt c * 16 + digitToInt d+                unsafeWrite mut (Offset $ len - n) w8+                loop mut (n - 1) ds
Crypto/Hash/Whirlpool.hs view
@@ -5,24 +5,28 @@ -- Stability   : experimental -- Portability : unknown ----- module containing the binding functions to work with the+-- Module containing the binding functions to work with the -- Whirlpool cryptographic hash. -- {-# LANGUAGE ForeignFunctionInterface #-} {-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeFamilies #-} module Crypto.Hash.Whirlpool ( Whirlpool (..) ) where  import           Crypto.Hash.Types import           Foreign.Ptr (Ptr) import           Data.Data-import           Data.Typeable import           Data.Word (Word8, Word32)  -- | Whirlpool cryptographic hash algorithm data Whirlpool = Whirlpool-    deriving (Show,Data,Typeable)+    deriving (Show,Data)  instance HashAlgorithm Whirlpool where+    type HashBlockSize           Whirlpool = 64+    type HashDigestSize          Whirlpool = 64+    type HashInternalContextSize Whirlpool = 168     hashBlockSize  _          = 64     hashDigestSize _          = 64     hashInternalContextSize _ = 168
+ Crypto/Internal/Builder.hs view
@@ -0,0 +1,53 @@+-- |+-- Module      : Crypto.Internal.Builder+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : stable+-- Portability : Good+--+-- Delaying and merging ByteArray allocations.  This is similar to module+-- "Data.ByteArray.Pack" except the total length is computed automatically based+-- on what is appended.+--+{-# LANGUAGE BangPatterns #-}+module Crypto.Internal.Builder+    ( Builder+    , buildAndFreeze+    , builderLength+    , byte+    , bytes+    , zero+    ) where++import           Data.ByteArray (ByteArray, ByteArrayAccess)+import qualified Data.ByteArray as B+import           Data.Memory.PtrMethods (memSet)++import           Foreign.Ptr (Ptr, plusPtr)+import           Foreign.Storable (poke)++import           Crypto.Internal.Imports hiding (empty)++data Builder =  Builder !Int (Ptr Word8 -> IO ())  -- size and initializer++instance Semigroup Builder where+    (Builder s1 f1) <> (Builder s2 f2) = Builder (s1 + s2) f+      where f p = f1 p >> f2 (p `plusPtr` s1)++builderLength :: Builder -> Int+builderLength (Builder s _) = s++buildAndFreeze :: ByteArray ba => Builder -> ba+buildAndFreeze (Builder s f) = B.allocAndFreeze s f++byte :: Word8 -> Builder+byte !b = Builder 1 (`poke` b)++bytes :: ByteArrayAccess ba => ba -> Builder+bytes bs = Builder (B.length bs) (B.copyByteArrayToPtr bs)++zero :: Int -> Builder+zero s = if s > 0 then Builder s (\p -> memSet p 0 s) else empty++empty :: Builder+empty = Builder 0 (const $ return ())
Crypto/Internal/ByteArray.hs view
@@ -7,13 +7,33 @@ -- -- Simple and efficient byte array types --+{-# LANGUAGE BangPatterns #-} {-# OPTIONS_HADDOCK hide #-} module Crypto.Internal.ByteArray     ( module Data.ByteArray     , module Data.ByteArray.Mapping     , module Data.ByteArray.Encoding+    , constAllZero     ) where  import Data.ByteArray import Data.ByteArray.Mapping import Data.ByteArray.Encoding++import Data.Bits ((.|.))+import Data.Word (Word8)+import Foreign.Ptr (Ptr)+import Foreign.Storable (peekByteOff)++import Crypto.Internal.Compat (unsafeDoIO)++constAllZero :: ByteArrayAccess ba => ba -> Bool+constAllZero b = unsafeDoIO $ withByteArray b $ \p -> loop p 0 0+  where+    loop :: Ptr b -> Int -> Word8 -> IO Bool+    loop p i !acc+        | i == len  = return $! acc == 0+        | otherwise = do+            e <- peekByteOff p i+            loop p (i+1) (acc .|. e)+    len = Data.ByteArray.length b
Crypto/Internal/Compat.hs view
@@ -5,8 +5,8 @@ -- Stability   : stable -- Portability : Good ----- This module try to keep all the difference between versions of base--- or other needed packages, so that modules don't need to use CPP+-- This module tries to keep all the difference between versions of base+-- or other needed packages, so that modules don't need to use CPP. -- {-# LANGUAGE CPP #-} module Crypto.Internal.Compat@@ -19,10 +19,10 @@ import Data.Word import Data.Bits --- | perform io for hashes that do allocation and ffi.--- unsafeDupablePerformIO is used when possible as the+-- | Perform io for hashes that do allocation and FFI.+-- 'unsafeDupablePerformIO' is used when possible as the -- computation is pure and the output is directly linked--- to the input. we also do not modify anything after it has+-- to the input. We also do not modify anything after it has -- been returned to the user. unsafeDoIO :: IO a -> a #if __GLASGOW_HASKELL__ > 704
Crypto/Internal/CompatPrim.hs view
@@ -5,11 +5,11 @@ -- Stability   : stable -- Portability : Compat ----- This module try to keep all the difference between versions of ghc primitive+-- This module tries to keep all the difference between versions of ghc primitive -- or other needed packages, so that modules don't need to use CPP. -- -- Note that MagicHash and CPP conflicts in places, making it "more interesting"--- to write compat code for primitives+-- to write compat code for primitives. -- {-# LANGUAGE CPP #-} {-# LANGUAGE BangPatterns #-}@@ -23,15 +23,21 @@     , convert4To32     ) where -import GHC.Prim #if !defined(ARCH_IS_LITTLE_ENDIAN) && !defined(ARCH_IS_BIG_ENDIAN) import Data.Memory.Endian (getSystemEndianness, Endianness(..)) #endif --- | byteswap Word# to or from Big Endian+#if __GLASGOW_HASKELL__ >= 902+import GHC.Prim+#else+import GHC.Prim hiding (Word32#)+type Word32# = Word#+#endif++-- | Byteswap Word# to or from Big Endian ----- on a big endian machine, this function is a nop.-be32Prim :: Word# -> Word#+-- On a big endian machine, this function is a nop.+be32Prim :: Word32# -> Word32# #ifdef ARCH_IS_LITTLE_ENDIAN be32Prim = byteswap32Prim #elif defined(ARCH_IS_BIG_ENDIAN)@@ -40,10 +46,10 @@ be32Prim w = if getSystemEndianness == LittleEndian then byteswap32Prim w else w #endif --- | byteswap Word# to or from Little Endian+-- | Byteswap Word# to or from Little Endian ----- on a little endian machine, this function is a nop.-le32Prim :: Word# -> Word#+-- On a little endian machine, this function is a nop.+le32Prim :: Word32# -> Word32# #ifdef ARCH_IS_LITTLE_ENDIAN le32Prim w = w #elif defined(ARCH_IS_BIG_ENDIAN)@@ -54,19 +60,14 @@  -- | Simple compatibility for byteswap the lower 32 bits of a Word# -- at the primitive level-byteswap32Prim :: Word# -> Word#-#if __GLASGOW_HASKELL__ >= 708-byteswap32Prim w = byteSwap32# w+byteswap32Prim :: Word32# -> Word32#+#if __GLASGOW_HASKELL__ >= 902+byteswap32Prim w = wordToWord32# (byteSwap32# (word32ToWord# w)) #else-byteswap32Prim w =-    let !a =       uncheckedShiftL# w 24#-        !b = and# (uncheckedShiftL# w 8#) 0x00ff0000##-        !c = and# (uncheckedShiftRL# w 8#) 0x0000ff00##-        !d = and# (uncheckedShiftRL# w 24#) 0x000000ff##-     in or# a (or# b (or# c d))+byteswap32Prim w = byteSwap32# w #endif --- | combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d]+-- | Combine 4 word8 [a,b,c,d] to a word32 representing [a,b,c,d] convert4To32 :: Word# -> Word# -> Word# -> Word#              -> Word# convert4To32 a b c d = or# (or# c1 c2) (or# c3 c4)
Crypto/Internal/DeepSeq.hs view
@@ -30,4 +30,6 @@ instance NFData Bytes where rnf b = b `seq` () instance NFData ScrubbedBytes where rnf b = b `seq` () +instance NFData Integer  where rnf i = i `seq` ()+ #endif
Crypto/Internal/Imports.hs view
@@ -5,11 +5,15 @@ -- Stability   : experimental -- Portability : unknown --+{-# LANGUAGE CPP #-} module Crypto.Internal.Imports     ( module X     ) where  import Data.Word               as X+#if !(MIN_VERSION_base(4,11,0))+import Data.Semigroup          as X (Semigroup(..))+#endif import Control.Applicative     as X import Control.Monad           as X (forM, forM_, void) import Control.Arrow           as X (first, second)
Crypto/Internal/Nat.hs view
@@ -6,12 +6,122 @@ {-# LANGUAGE UndecidableInstances #-} module Crypto.Internal.Nat     ( type IsDivisibleBy8+    , type IsAtMost, type IsAtLeast+    , byteLen+    , integralNatVal+    , type IsDiv8+    , type Div8+    , type Mod8     ) where  import           GHC.TypeLits +byteLen :: (KnownNat bitlen, Num a) => proxy bitlen -> a+byteLen d = fromInteger ((natVal d + 7) `div` 8)++integralNatVal :: (KnownNat bitlen, Num a) => proxy bitlen -> a+integralNatVal = fromInteger . natVal++type family IsLE (bitlen :: Nat) (n :: Nat) (c :: Bool) where+    IsLE _ _ 'True  = 'True+#if MIN_VERSION_base(4,9,0)+    IsLE bitlen n 'False = TypeError+      (     ('Text "bitlen " ':<>: 'ShowType bitlen ':<>: 'Text " is greater than " ':<>: 'ShowType n)+      ':$$: ('Text "You have tried to use an invalid Digest size. Please, refer to the documentation.")+      )+#else+    IsLE bitlen n 'False = 'False+#endif++-- | ensure the given `bitlen` is lesser or equal to `n`+--+type IsAtMost  (bitlen :: Nat) (n :: Nat) = IsLE bitlen n (bitlen <=? n) ~ 'True++type family IsGE (bitlen :: Nat) (n :: Nat) (c :: Bool) where+    IsGE _ _ 'True  = 'True+#if MIN_VERSION_base(4,9,0)+    IsGE bitlen n 'False = TypeError+      (     ('Text "bitlen " ':<>: 'ShowType bitlen ':<>: 'Text " is lesser than " ':<>: 'ShowType n)+      ':$$: ('Text "You have tried to use an invalid Digest size. Please, refer to the documentation.")+      )+#else+    IsGE bitlen n 'False = 'False+#endif++-- | ensure the given `bitlen` is greater or equal to `n`+--+type IsAtLeast (bitlen :: Nat) (n :: Nat) = IsGE bitlen n (n <=? bitlen) ~ 'True++type family Div8 (bitLen :: Nat) where+    Div8 0 = 0+    Div8 1 = 0+    Div8 2 = 0+    Div8 3 = 0+    Div8 4 = 0+    Div8 5 = 0+    Div8 6 = 0+    Div8 7 = 0+    Div8 8 = 1+    Div8 9 = 1+    Div8 10 = 1+    Div8 11 = 1+    Div8 12 = 1+    Div8 13 = 1+    Div8 14 = 1+    Div8 15 = 1+    Div8 16 = 2+    Div8 17 = 2+    Div8 18 = 2+    Div8 19 = 2+    Div8 20 = 2+    Div8 21 = 2+    Div8 22 = 2+    Div8 23 = 2+    Div8 24 = 3+    Div8 25 = 3+    Div8 26 = 3+    Div8 27 = 3+    Div8 28 = 3+    Div8 29 = 3+    Div8 30 = 3+    Div8 31 = 3+    Div8 32 = 4+    Div8 33 = 4+    Div8 34 = 4+    Div8 35 = 4+    Div8 36 = 4+    Div8 37 = 4+    Div8 38 = 4+    Div8 39 = 4+    Div8 40 = 5+    Div8 41 = 5+    Div8 42 = 5+    Div8 43 = 5+    Div8 44 = 5+    Div8 45 = 5+    Div8 46 = 5+    Div8 47 = 5+    Div8 48 = 6+    Div8 49 = 6+    Div8 50 = 6+    Div8 51 = 6+    Div8 52 = 6+    Div8 53 = 6+    Div8 54 = 6+    Div8 55 = 6+    Div8 56 = 7+    Div8 57 = 7+    Div8 58 = 7+    Div8 59 = 7+    Div8 60 = 7+    Div8 61 = 7+    Div8 62 = 7+    Div8 63 = 7+    Div8 64 = 8+    Div8 n  = 8 + Div8 (n - 64)+ type family IsDiv8 (bitLen :: Nat) (n :: Nat) where-    IsDiv8 bitLen 0 = 'True+    IsDiv8 _ 0 = 'True #if MIN_VERSION_base(4,9,0)     IsDiv8 bitLen 1 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")     IsDiv8 bitLen 2 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")@@ -21,15 +131,15 @@     IsDiv8 bitLen 6 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8")     IsDiv8 bitLen 7 = TypeError ('Text "bitLen " ':<>: 'ShowType bitLen ':<>: 'Text " is not divisible by 8") #else-    IsDiv8 bitLen 1 = 'False-    IsDiv8 bitLen 2 = 'False-    IsDiv8 bitLen 3 = 'False-    IsDiv8 bitLen 4 = 'False-    IsDiv8 bitLen 5 = 'False-    IsDiv8 bitLen 6 = 'False-    IsDiv8 bitLen 7 = 'False+    IsDiv8 _ 1 = 'False+    IsDiv8 _ 2 = 'False+    IsDiv8 _ 3 = 'False+    IsDiv8 _ 4 = 'False+    IsDiv8 _ 5 = 'False+    IsDiv8 _ 6 = 'False+    IsDiv8 _ 7 = 'False #endif-    IsDiv8 bitLen n = IsDiv8 n (Mod8 n)+    IsDiv8 _ n = IsDiv8 n (Mod8 n)  type family Mod8 (n :: Nat) where     Mod8 0 = 0@@ -98,4 +208,6 @@     Mod8 63 = 7     Mod8 n = Mod8 (n - 64) +-- | ensure the given `bitlen` is divisible by 8+-- type IsDivisibleBy8 bitLen = IsDiv8 bitLen bitLen ~ 'True
− Crypto/Internal/Proxy.hs
@@ -1,13 +0,0 @@--- |--- Module      : Crypto.Internal.Proxy--- License     : BSD-style--- Maintainer  : Vincent Hanquez <vincent@snarc.org>--- Stability   : experimental--- Portability : Good----module Crypto.Internal.Proxy-    ( Proxy(..)-    ) where---- | A type witness for 'a' as phantom type-data Proxy a = Proxy
Crypto/Internal/WordArray.hs view
@@ -1,5 +1,5 @@ -- |--- Module      : Crypto.Internal.Compat+-- Module      : Crypto.Internal.WordArray -- License     : BSD-style -- Maintainer  : Vincent Hanquez <vincent@snarc.org> -- Stability   : stable@@ -8,7 +8,7 @@ -- Small and self contained array representation -- with limited safety for internal use. ----- the array produced should never be exposed to the user directly+-- The array produced should never be exposed to the user directly. -- {-# LANGUAGE BangPatterns #-} {-# LANGUAGE MagicHash #-}@@ -20,6 +20,8 @@     , MutableArray32     , array8     , array32+    , array32FromAddrBE+    , allocArray32AndFreeze     , mutableArray32     , array64     , arrayRead8@@ -58,20 +60,20 @@  -- | Create an Array of Word32 of specific size from a list of Word32 array32 :: Int -> [Word32] -> Array32-array32 (I# n) l = unsafeDoIO $ IO $ \s ->-    case newAlignedPinnedByteArray# (n *# 4#) 4# s of-        (# s', mbarr #) -> loop 0# s' mbarr l-  where-        loop _ st mb [] = freezeArray mb st-        loop i st mb ((W32# x):xs)-            | booleanPrim (i ==# n) = freezeArray mb st-            | otherwise =-                let !st' = writeWord32Array# mb i x st-                 in loop (i +# 1#) st' mb xs-        freezeArray mb st =-            case unsafeFreezeByteArray# mb st of-                (# st', b #) -> (# st', Array32 b #)+array32 n l = unsafeDoIO (mutableArray32 n l >>= mutableArray32Freeze) {-# NOINLINE array32 #-}++-- | Create an Array of BE Word32 aliasing an Addr+array32FromAddrBE :: Int -> Addr# -> Array32+array32FromAddrBE n a =+    unsafeDoIO (mutableArray32FromAddrBE n a >>= mutableArray32Freeze)+{-# NOINLINE array32FromAddrBE #-}++-- | Create an Array of Word32 using an initializer+allocArray32AndFreeze :: Int -> (MutableArray32 -> IO ()) -> Array32+allocArray32AndFreeze n f =+    unsafeDoIO (mutableArray32 n [] >>= \m -> f m >> mutableArray32Freeze m)+{-# NOINLINE allocArray32AndFreeze #-}  -- | Create an Array of Word64 of specific size from a list of Word64 array64 :: Int -> [Word64] -> Array64
Crypto/KDF/Argon2.hs view
@@ -25,7 +25,7 @@     , hash     ) where -import           Crypto.Internal.ByteArray (ScrubbedBytes, ByteArray, ByteArrayAccess)+import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess) import qualified Crypto.Internal.ByteArray as B import           Crypto.Error import           Control.Monad (when)@@ -36,13 +36,13 @@ -- | Which variant of Argon2 to use. You should choose the variant that is most -- applicable to your intention to hash inputs. data Variant =-      Argon2d  -- ^ Argon2i uses data-independent memory access, which is preferred+      Argon2d  -- ^ Argon2d is faster than Argon2i and uses data-depending memory access,+               -- which makes it suitable for cryptocurrencies and applications with no+               -- threats from side-channel timing attacks.+    | Argon2i  -- ^ Argon2i uses data-independent memory access, which is preferred                -- for password hashing and password-based key derivation. Argon2i                -- is slower as it makes more passes over the memory to protect from                -- tradeoff attacks.-    | Argon2i -- ^ Argon2d is faster and uses data-depending memory access, which-              -- makes it suitable for cryptocurrencies and applications with no-              -- threats from side-channel timing attacks.     | Argon2id -- ^ Argon2id is a hybrid of Argon2i and Argon2d, using a combination                -- of data-depending and data-independent memory accesses, which gives                -- some of Argon2i's resistance to side-channel cache timing attacks@@ -63,7 +63,7 @@ -- max 'FFI.ARGON2_MIN_MEMORY' (8 * 'hashParallelism') <= 'hashMemory' <= 'FFI.ARGON2_MAX_MEMORY' type MemoryCost = Word32 --- \ A parallelism degree, which defines the number of parallel threads.+-- | A parallelism degree, which defines the number of parallel threads. -- -- 'FFI.ARGON2_MIN_LANES' <= 'hashParallelism' <= 'FFI.ARGON2_MAX_LANES' && 'FFI.ARGON_MIN_THREADS' <= 'hashParallelism' <= 'FFI.ARGON2_MAX_THREADS' type Parallelism = Word32@@ -85,8 +85,10 @@ outputMinLength :: Int outputMinLength = 4 +-- specification allows up to 2^32-1 but this is too big for a signed Int+-- on a 32-bit architecture, so we limit tag length to 2^31-1 bytes outputMaxLength :: Int-outputMaxLength = 0xffffffff+outputMaxLength = 0x7fffffff  defaultOptions :: Options defaultOptions =
Crypto/KDF/BCrypt.hs view
@@ -11,7 +11,7 @@ -- >>> validatePassword password bcryptHash -- >>> True -- >>> let otherPassword = B.pack "otherpassword"--- >>> otherHash <- hashPassword 12 otherPasssword :: IO B.ByteString+-- >>> otherHash <- hashPassword 12 otherPassword :: IO B.ByteString -- >>> validatePassword otherPassword otherHash -- >>> True --@@ -27,13 +27,16 @@ -- salt and hash bytes (each separately Base64 encoded. Incrementing the -- cost parameter approximately doubles the time taken to calculate the hash. ----- The different version numbers have evolved because of bugs in the standard--- C implementations. The most up to date version is @2b@ and this--- implementation the @2b@ version prefix, but will also attempt to validate+-- The different version numbers evolved to account for bugs in the standard+-- C implementations. They don't represent different versions of the algorithm+-- itself and in most cases should produce identical results.+-- The most up to date version is @2b@ and this implementation uses the+-- @2b@ version prefix, but will also attempt to validate -- against hashes with versions @2a@ and @2y@. Version @2@ or @2x@ will be -- rejected. No attempt is made to differentiate between the different versions -- when validating a password, but in practice this shouldn't cause any problems--- if passwords are UTF-8 encoded (which they should be).+-- if passwords are UTF-8 encoded (which they should be) and less than 256+-- characters long. -- -- The cost parameter can be between 4 and 31 inclusive, but anything less than -- 10 is probably not strong enough. High values may be prohibitively slow@@ -49,11 +52,16 @@     ) where -import           Control.Monad (unless, when)-import           Crypto.Cipher.Blowfish.Primitive (eksBlowfish, encrypt)-import           Crypto.Random (MonadRandom, getRandomBytes)-import           Data.ByteArray (ByteArrayAccess, ByteArray, Bytes)-import qualified Data.ByteArray as B+import           Control.Monad                    (forM_, unless, when)+import           Crypto.Cipher.Blowfish.Primitive (Context, createKeySchedule,+                                                   encrypt, expandKey,+                                                   expandKeyWithSalt,+                                                   freezeKeySchedule)+import           Crypto.Internal.Compat+import           Crypto.Random                    (MonadRandom, getRandomBytes)+import           Data.ByteArray                   (ByteArray, ByteArrayAccess,+                                                   Bytes)+import qualified Data.ByteArray                   as B import           Data.ByteArray.Encoding import           Data.Char @@ -93,7 +101,7 @@ bcrypt cost salt password = B.concat [header, B.snoc costBytes dollar, b64 salt, b64 hash]   where     hash   = rawHash 'b' realCost salt password-    header = B.pack [dollar, fromIntegral (ord '2'), fromIntegral (ord 'a'), dollar]+    header = B.pack [dollar, fromIntegral (ord '2'), fromIntegral (ord 'b'), dollar]     dollar = fromIntegral (ord '$')     zero   = fromIntegral (ord '0')     costBytes  = B.pack [zero + fromIntegral (realCost `div` 10), zero + fromIntegral (realCost `mod` 10)]@@ -133,7 +141,7 @@     -- Truncate the password if necessary and append a null byte for C compatibility     key = B.snoc (B.take 72 password) 0 -    ctx = eksBlowfish cost salt key+    ctx = expensiveBlowfishContext key salt cost      -- The BCrypt plaintext: "OrpheanBeholderScryDoubt"     orpheanBeholder = B.pack [79,114,112,104,101,97,110,66,101,104,111,108,100,101,114,83,99,114,121,68,111,117,98,116]@@ -156,10 +164,26 @@     costTens  = fromIntegral (B.index bc 4) - zero     costUnits = fromIntegral (B.index bc 5) - zero     version   = chr (fromIntegral (B.index bc 2))-    cost      = costUnits + (if costTens == 0 then 0 else 10^costTens) :: Int+    cost      = costUnits + 10*costTens :: Int      decodeSaltHash saltHash = do         let (s, h) = B.splitAt 22 saltHash         salt <- convertFromBase Base64OpenBSD s         hash <- convertFromBase Base64OpenBSD h         return (salt, hash)++-- | Create a key schedule for the BCrypt "EKS" version.+--+-- Salt must be a 128-bit byte array.+-- Cost must be between 4 and 31 inclusive+-- See <https://www.usenix.org/conference/1999-usenix-annual-technical-conference/future-adaptable-password-scheme>+expensiveBlowfishContext :: (ByteArrayAccess key, ByteArrayAccess salt) => key-> salt -> Int -> Context+expensiveBlowfishContext keyBytes saltBytes cost+  | B.length saltBytes /= 16 = error "bcrypt salt must be 16 bytes"+  | otherwise = unsafeDoIO $ do+        ks <- createKeySchedule+        expandKeyWithSalt ks keyBytes saltBytes+        forM_ [1..2^cost :: Int] $ \_ -> do+            expandKey ks keyBytes+            expandKey ks saltBytes+        freezeKeySchedule ks
+ Crypto/KDF/BCryptPBKDF.hs view
@@ -0,0 +1,187 @@+-- |+-- Module      : Crypto.KDF.BCryptPBKDF+-- License     : BSD-style+-- Stability   : experimental+-- Portability : Good+--+-- Port of the bcrypt_pbkdf key derivation function from OpenBSD+-- as described at <http://man.openbsd.org/bcrypt_pbkdf.3>.+module Crypto.KDF.BCryptPBKDF+    ( Parameters (..)+    , generate+    , hashInternal+    )+where++import           Basement.Block                   (MutableBlock)+import qualified Basement.Block                   as Block+import qualified Basement.Block.Mutable           as Block+import           Basement.Monad                   (PrimState)+import           Basement.Types.OffsetSize        (CountOf (..), Offset (..))+import           Control.Exception                (finally)+import           Control.Monad                    (when)+import qualified Crypto.Cipher.Blowfish.Box       as Blowfish+import qualified Crypto.Cipher.Blowfish.Primitive as Blowfish+import           Crypto.Hash.Algorithms           (SHA512 (..))+import           Crypto.Hash.Types                (Context,+                                                   hashDigestSize,+                                                   hashInternalContextSize,+                                                   hashInternalFinalize,+                                                   hashInternalInit,+                                                   hashInternalUpdate)+import           Crypto.Internal.Compat           (unsafeDoIO)+import           Data.Bits+import qualified Data.ByteArray                   as B+import           Data.Foldable                    (forM_)+import           Data.Memory.PtrMethods           (memCopy, memSet, memXor)+import           Data.Word+import           Foreign.Ptr                      (Ptr, castPtr)+import           Foreign.Storable                 (peekByteOff, pokeByteOff)++data Parameters = Parameters+  { iterCounts   :: Int -- ^ The number of user-defined iterations for the algorithm+                        --   (must be > 0)+  , outputLength :: Int -- ^ The number of bytes to generate out of BCryptPBKDF+                        --   (must be in 1..1024)+  } deriving (Eq, Ord, Show)++-- | Derive a key of specified length using the bcrypt_pbkdf algorithm.+generate :: (B.ByteArray pass, B.ByteArray salt, B.ByteArray output)+       => Parameters+       -> pass+       -> salt+       -> output+generate params pass salt+    | iterCounts params < 1       = error "BCryptPBKDF: iterCounts must be > 0"+    | keyLen < 1 || keyLen > 1024 = error "BCryptPBKDF: outputLength must be in 1..1024"+    | otherwise                   = B.unsafeCreate keyLen deriveKey+  where+    outLen, tmpLen, blkLen, keyLen, passLen, saltLen, ctxLen, hashLen, blocks :: Int+    outLen  = 32+    tmpLen  = 32+    blkLen  = 4+    passLen = B.length pass+    saltLen = B.length salt+    keyLen  = outputLength params+    ctxLen  = hashInternalContextSize SHA512+    hashLen = hashDigestSize SHA512 -- 64+    blocks  = (keyLen + outLen - 1) `div` outLen++    deriveKey :: Ptr Word8 -> IO ()+    deriveKey keyPtr = do+        -- Allocate all necessary memory. The algorihm shall not allocate+        -- any more dynamic memory after this point. Blocks need to be pinned+        -- as pointers to them are passed to the SHA512 implementation.+        ksClean        <- Blowfish.createKeySchedule+        ksDirty        <- Blowfish.createKeySchedule+        ctxMBlock      <- Block.newPinned (CountOf ctxLen  :: CountOf Word8)+        outMBlock      <- Block.newPinned (CountOf outLen  :: CountOf Word8)+        tmpMBlock      <- Block.newPinned (CountOf tmpLen  :: CountOf Word8)+        blkMBlock      <- Block.newPinned (CountOf blkLen  :: CountOf Word8)+        passHashMBlock <- Block.newPinned (CountOf hashLen :: CountOf Word8)+        saltHashMBlock <- Block.newPinned (CountOf hashLen :: CountOf Word8)+        -- Finally erase all memory areas that contain information from+        -- which the derived key could be reconstructed.+        -- As all MutableBlocks are pinned it shall be guaranteed that+        -- no temporary trampoline buffers are allocated.+        finallyErase outMBlock $ finallyErase passHashMBlock $+            B.withByteArray pass                $ \passPtr->+            B.withByteArray salt                $ \saltPtr->+            Block.withMutablePtr ctxMBlock      $ \ctxPtr->+            Block.withMutablePtr outMBlock      $ \outPtr->+            Block.withMutablePtr tmpMBlock      $ \tmpPtr->+            Block.withMutablePtr blkMBlock      $ \blkPtr->+            Block.withMutablePtr passHashMBlock $ \passHashPtr->+            Block.withMutablePtr saltHashMBlock $ \saltHashPtr-> do+                -- Hash the password.+                let shaPtr = castPtr ctxPtr :: Ptr (Context SHA512)+                hashInternalInit     shaPtr+                hashInternalUpdate   shaPtr passPtr (fromIntegral passLen)+                hashInternalFinalize shaPtr (castPtr passHashPtr)+                passHashBlock <- Block.unsafeFreeze passHashMBlock+                forM_ [1..blocks] $ \block-> do+                    -- Poke the increased block counter.+                    Block.unsafeWrite blkMBlock 0 (fromIntegral $ block `shiftR` 24)+                    Block.unsafeWrite blkMBlock 1 (fromIntegral $ block `shiftR` 16)+                    Block.unsafeWrite blkMBlock 2 (fromIntegral $ block `shiftR`  8)+                    Block.unsafeWrite blkMBlock 3 (fromIntegral $ block `shiftR`  0)+                    -- First round (slightly different).+                    hashInternalInit     shaPtr+                    hashInternalUpdate   shaPtr saltPtr (fromIntegral saltLen)+                    hashInternalUpdate   shaPtr blkPtr  (fromIntegral blkLen)+                    hashInternalFinalize shaPtr (castPtr saltHashPtr)+                    Block.unsafeFreeze saltHashMBlock >>= \x-> do+                        Blowfish.copyKeySchedule ksDirty ksClean+                        hashInternalMutable ksDirty passHashBlock x tmpMBlock+                    memCopy outPtr tmpPtr outLen+                    -- Remaining rounds.+                    forM_ [2..iterCounts params] $ const $ do+                        hashInternalInit     shaPtr+                        hashInternalUpdate   shaPtr tmpPtr (fromIntegral tmpLen)+                        hashInternalFinalize shaPtr (castPtr saltHashPtr)+                        Block.unsafeFreeze saltHashMBlock >>= \x-> do+                            Blowfish.copyKeySchedule ksDirty ksClean+                            hashInternalMutable ksDirty passHashBlock x tmpMBlock+                        memXor outPtr outPtr tmpPtr outLen+                    -- Spread the current out buffer evenly over the key buffer.+                    -- After both loops have run every byte of the key buffer+                    -- will have been written to exactly once and every byte+                    -- of the output will have been used.+                    forM_ [0..outLen - 1] $ \outIdx-> do+                        let keyIdx = outIdx * blocks + block - 1+                        when (keyIdx < keyLen) $ do+                            w8 <- peekByteOff outPtr outIdx :: IO Word8+                            pokeByteOff keyPtr keyIdx w8++-- | Internal hash function used by `generate`.+--+-- Normal users should not need this.+hashInternal :: (B.ByteArrayAccess pass, B.ByteArrayAccess salt, B.ByteArray output)+    => pass+    -> salt+    -> output+hashInternal passHash saltHash+    | B.length passHash /= 64 = error "passHash must be 512 bits"+    | B.length saltHash /= 64 = error "saltHash must be 512 bits"+    | otherwise = unsafeDoIO $ do+        ks0 <- Blowfish.createKeySchedule+        outMBlock <- Block.newPinned 32+        hashInternalMutable ks0 passHash saltHash outMBlock+        B.convert `fmap` Block.freeze outMBlock++hashInternalMutable :: (B.ByteArrayAccess pass, B.ByteArrayAccess salt)+    => Blowfish.KeySchedule+    -> pass+    -> salt+    -> MutableBlock Word8 (PrimState IO)+    -> IO ()+hashInternalMutable bfks passHash saltHash outMBlock = do+    Blowfish.expandKeyWithSalt bfks passHash saltHash+    forM_ [0..63 :: Int] $ const $ do+        Blowfish.expandKey bfks saltHash+        Blowfish.expandKey bfks passHash+    -- "OxychromaticBlowfishSwatDynamite" represented as 4 Word64 in big-endian.+    store  0 =<< cipher 64 0x4f78796368726f6d+    store  8 =<< cipher 64 0x61746963426c6f77+    store 16 =<< cipher 64 0x6669736853776174+    store 24 =<< cipher 64 0x44796e616d697465+    where+        store :: Offset Word8 -> Word64 -> IO ()+        store o w64 = do+            Block.unsafeWrite outMBlock (o + 0) (fromIntegral $ w64 `shiftR` 32)+            Block.unsafeWrite outMBlock (o + 1) (fromIntegral $ w64 `shiftR` 40)+            Block.unsafeWrite outMBlock (o + 2) (fromIntegral $ w64 `shiftR` 48)+            Block.unsafeWrite outMBlock (o + 3) (fromIntegral $ w64 `shiftR` 56)+            Block.unsafeWrite outMBlock (o + 4) (fromIntegral $ w64 `shiftR`  0)+            Block.unsafeWrite outMBlock (o + 5) (fromIntegral $ w64 `shiftR`  8)+            Block.unsafeWrite outMBlock (o + 6) (fromIntegral $ w64 `shiftR` 16)+            Block.unsafeWrite outMBlock (o + 7) (fromIntegral $ w64 `shiftR` 24)+        cipher :: Int -> Word64 -> IO Word64+        cipher 0 block = return block+        cipher i block = Blowfish.cipherBlockMutable bfks block >>= cipher (i - 1)++finallyErase :: MutableBlock Word8 (PrimState IO) -> IO () -> IO ()+finallyErase mblock action =+    action `finally` Block.withMutablePtr mblock (\ptr-> memSet ptr 0 len)+    where+        CountOf len = Block.mutableLengthBytes mblock
Crypto/KDF/PBKDF2.hs view
@@ -24,7 +24,7 @@ import           Data.Bits import           Foreign.Marshal.Alloc import           Foreign.Ptr (plusPtr, Ptr)-import           Foreign.C.Types (CUInt(..), CInt(..), CSize(..))+import           Foreign.C.Types (CUInt(..), CSize(..))  import           Crypto.Hash (HashAlgorithm) import qualified Crypto.MAC.HMAC as HMAC
Crypto/MAC/CMAC.hs view
@@ -5,7 +5,7 @@ -- Stability   : experimental -- Portability : unknown ----- provide the CMAC (Cipher based Message Authentification Code) base algorithm.+-- Provide the CMAC (Cipher based Message Authentification Code) base algorithm. -- <http://en.wikipedia.org/wiki/CMAC> -- <http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf> --@@ -94,7 +94,7 @@   cipherIPT :: BlockCipher k => k -> [Word8]-cipherIPT = expandIPT . blockSize   where+cipherIPT = expandIPT . blockSize  -- Data type which represents the smallest irreducibule binary polynomial -- against specified degree.
Crypto/MAC/HMAC.hs view
@@ -5,15 +5,16 @@ -- Stability   : experimental -- Portability : unknown ----- provide the HMAC (Hash based Message Authentification Code) base algorithm.+-- Provide the HMAC (Hash based Message Authentification Code) base algorithm. -- <http://en.wikipedia.org/wiki/HMAC> -- {-# LANGUAGE BangPatterns #-} {-# LANGUAGE GeneralizedNewtypeDeriving #-} module Crypto.MAC.HMAC     ( hmac+    , hmacLazy     , HMAC(..)-    -- * incremental+    -- * Incremental     , Context(..)     , initialize     , update@@ -24,27 +25,35 @@ import           Crypto.Hash hiding (Context) import qualified Crypto.Hash as Hash (Context) import           Crypto.Hash.IO-import           Crypto.Internal.ByteArray (ScrubbedBytes, ByteArray, ByteArrayAccess)+import           Crypto.Internal.ByteArray (ScrubbedBytes, ByteArrayAccess) import qualified Crypto.Internal.ByteArray as B import           Data.Memory.PtrMethods import           Crypto.Internal.Compat-import           Crypto.Internal.Imports+import qualified Data.ByteString.Lazy as L  -- | Represent an HMAC that is a phantom type with the hash used to produce the mac. ----- The Eq instance is constant time.+-- The Eq instance is constant time.  No Show instance is provided, to avoid+-- printing by mistake. newtype HMAC a = HMAC { hmacGetDigest :: Digest a }     deriving (ByteArrayAccess)  instance Eq (HMAC a) where     (HMAC b1) == (HMAC b2) = B.constEq b1 b2 --- | compute a MAC using the supplied hashing function+-- | Compute a MAC using the supplied hashing function hmac :: (ByteArrayAccess key, ByteArrayAccess message, HashAlgorithm a)      => key     -- ^ Secret key      -> message -- ^ Message to MAC      -> HMAC a hmac secret msg = finalize $ updates (initialize secret) [msg]++-- | Compute a MAC using the supplied hashing function, for a lazy input+hmacLazy :: (ByteArrayAccess key, HashAlgorithm a)+     => key     -- ^ Secret key+     -> L.ByteString -- ^ Message to MAC+     -> HMAC a+hmacLazy secret msg = finalize $ updates (initialize secret) (L.toChunks msg)  -- | Represent an ongoing HMAC state, that can be appended with 'update' -- and finalize to an HMAC with 'hmacFinalize'
+ Crypto/MAC/KMAC.hs view
@@ -0,0 +1,144 @@+-- |+-- Module      : Crypto.MAC.KMAC+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : experimental+-- Portability : unknown+--+-- Provide the KMAC (Keccak Message Authentication Code) algorithm, derived from+-- the SHA-3 base algorithm Keccak and defined in NIST SP800-185.+--+{-# LANGUAGE BangPatterns #-}+{-# LANGUAGE GeneralizedNewtypeDeriving #-}+{-# LANGUAGE ScopedTypeVariables #-}+module Crypto.MAC.KMAC+    ( HashSHAKE+    , kmac+    , KMAC(..)+    -- * Incremental+    , Context+    , initialize+    , update+    , updates+    , finalize+    ) where++import qualified Crypto.Hash as H+import           Crypto.Hash.SHAKE (HashSHAKE(..))+import           Crypto.Hash.Types (HashAlgorithm(..), Digest(..))+import qualified Crypto.Hash.Types as H+import           Crypto.Internal.Builder+import           Crypto.Internal.Imports+import           Foreign.Ptr (Ptr)+import           Data.Bits (shiftR)+import           Data.ByteArray (ByteArrayAccess)+import qualified Data.ByteArray as B+++-- cSHAKE++cshakeInit :: forall a name string prefix . (HashSHAKE a, ByteArrayAccess name, ByteArrayAccess string, ByteArrayAccess prefix)+           => name -> string -> prefix -> H.Context a+cshakeInit n s p = H.Context $ B.allocAndFreeze c $ \(ptr :: Ptr (H.Context a)) -> do+    hashInternalInit ptr+    B.withByteArray b $ \d -> hashInternalUpdate ptr d (fromIntegral $ B.length b)+    B.withByteArray p $ \d -> hashInternalUpdate ptr d (fromIntegral $ B.length p)+  where+    c = hashInternalContextSize (undefined :: a)+    w = hashBlockSize (undefined :: a)+    x = encodeString n <> encodeString s+    b = buildAndFreeze (bytepad x w) :: B.Bytes++cshakeUpdate :: (HashSHAKE a, ByteArrayAccess ba)+             => H.Context a -> ba -> H.Context a+cshakeUpdate = H.hashUpdate++cshakeUpdates :: (HashSHAKE a, ByteArrayAccess ba)+              => H.Context a -> [ba] -> H.Context a+cshakeUpdates = H.hashUpdates++cshakeFinalize :: forall a suffix . (HashSHAKE a, ByteArrayAccess suffix)+               => H.Context a -> suffix -> Digest a+cshakeFinalize !c s =+    Digest $ B.allocAndFreeze (hashDigestSize (undefined :: a)) $ \dig -> do+        ((!_) :: B.Bytes) <- B.copy c $ \(ctx :: Ptr (H.Context a)) -> do+            B.withByteArray s $ \d ->+                hashInternalUpdate ctx d (fromIntegral $ B.length s)+            cshakeInternalFinalize ctx dig+        return ()+++-- KMAC++-- | Represent a KMAC that is a phantom type with the hash used to produce the+-- mac.+--+-- The Eq instance is constant time.  No Show instance is provided, to avoid+-- printing by mistake.+newtype KMAC a = KMAC { kmacGetDigest :: Digest a }+    deriving (ByteArrayAccess,NFData)++instance Eq (KMAC a) where+    (KMAC b1) == (KMAC b2) = B.constEq b1 b2++-- | Compute a KMAC using the supplied customization string and key.+kmac :: (HashSHAKE a, ByteArrayAccess string, ByteArrayAccess key, ByteArrayAccess ba)+     => string -> key -> ba -> KMAC a+kmac str key msg = finalize $ updates (initialize str key) [msg]++-- | Represent an ongoing KMAC state, that can be appended with 'update' and+-- finalized to a 'KMAC' with 'finalize'.+newtype Context a = Context (H.Context a)++-- | Initialize a new incremental KMAC context with the supplied customization+-- string and key.+initialize :: forall a string key . (HashSHAKE a, ByteArrayAccess string, ByteArrayAccess key)+           => string -> key -> Context a+initialize str key = Context $ cshakeInit n str p+  where+    n = B.pack [75,77,65,67] :: B.Bytes  -- "KMAC"+    w = hashBlockSize (undefined :: a)+    p = buildAndFreeze (bytepad (encodeString key) w) :: B.ScrubbedBytes++-- | Incrementally update a KMAC context.+update :: (HashSHAKE a, ByteArrayAccess ba) => Context a -> ba -> Context a+update (Context ctx) = Context . cshakeUpdate ctx++-- | Incrementally update a KMAC context with multiple inputs.+updates :: (HashSHAKE a, ByteArrayAccess ba) => Context a -> [ba] -> Context a+updates (Context ctx) = Context . cshakeUpdates ctx++-- | Finalize a KMAC context and return the KMAC.+finalize :: forall a . HashSHAKE a => Context a -> KMAC a+finalize (Context ctx) = KMAC $ cshakeFinalize ctx suffix+  where+    l = cshakeOutputLength (undefined :: a)+    suffix = buildAndFreeze (rightEncode l) :: B.Bytes+++-- Utilities++bytepad :: Builder -> Int -> Builder+bytepad x w = prefix <> x <> zero padLen+  where+    prefix = leftEncode w+    padLen = (w - builderLength prefix - builderLength x) `mod` w++encodeString :: ByteArrayAccess bin => bin -> Builder+encodeString s = leftEncode (8 * B.length s) <> bytes s++leftEncode :: Int -> Builder+leftEncode x = byte len <> digits+  where+    digits = i2osp x+    len    = fromIntegral (builderLength digits)++rightEncode :: Int -> Builder+rightEncode x = digits <> byte len+  where+    digits = i2osp x+    len    = fromIntegral (builderLength digits)++i2osp :: Int -> Builder+i2osp i | i >= 256  = i2osp (shiftR i 8) <> byte (fromIntegral i)+        | otherwise = byte (fromIntegral i)
Crypto/MAC/Poly1305.hs view
@@ -33,6 +33,11 @@ import           Crypto.Error  -- | Poly1305 State+--+-- This type is an instance of 'ByteArrayAccess' for debugging purpose. Internal+-- layout is architecture dependent, may contain uninitialized data fragments,+-- and change in future versions.  The bytearray should not be used as input to+-- cryptographic algorithms. newtype State = State ScrubbedBytes     deriving (ByteArrayAccess) 
Crypto/Number/Basic.hs view
@@ -13,12 +13,15 @@     , log2     , numBits     , numBytes+    , asPowerOf2AndOdd     ) where +import Data.Bits+ import Crypto.Number.Compat --- | sqrti returns two integer (l,b) so that l <= sqrt i <= b--- the implementation is quite naive, use an approximation for the first number+-- | @sqrti@ returns two integers @(l,b)@ so that @l <= sqrt i <= b@.+-- The implementation is quite naive, use an approximation for the first number -- and use a dichotomy algorithm to compute the bound relatively efficiently. sqrti :: Integer -> (Integer, Integer) sqrti i@@ -49,7 +52,7 @@                         else iter (lb+d) ub             sq a = a * a --- | get the extended GCD of two integer using integer divMod+-- | Get the extended GCD of two integer using integer divMod -- -- gcde 'a' 'b' find (x,y,gcd(a,b)) where ax + by = d --@@ -63,7 +66,7 @@         let (q, r) = a' `divMod` b' in         f t (r, sa - (q * sb), ta - (q * tb)) --- | check if a list of integer are all even+-- | Check if a list of integer are all even areEven :: [Integer] -> Bool areEven = and . map even @@ -98,3 +101,16 @@ -- | Compute the number of bytes for an integer numBytes :: Integer -> Int numBytes n = gmpSizeInBytes n `onGmpUnsupported` ((numBits n + 7) `div` 8)++-- | Express an integer as an odd number and a power of 2+asPowerOf2AndOdd :: Integer -> (Int, Integer)+asPowerOf2AndOdd a+    | a == 0       = (0, 0)+    | odd a        = (0, a)+    | a < 0        = let (e, a1) = asPowerOf2AndOdd $ abs a in (e, -a1)+    | isPowerOf2 a = (log2 a, 1)+    | otherwise    = loop a 0+        where      +          isPowerOf2 n = (n /= 0) && ((n .&. (n - 1)) == 0)+          loop n pw = if n `mod` 2 == 0 then loop (n `div` 2) (pw + 1)+                      else (pw, n)
Crypto/Number/Compat.hs view
@@ -22,7 +22,9 @@     , gmpSizeInBytes     , gmpSizeInBits     , gmpExportInteger+    , gmpExportIntegerLE     , gmpImportInteger+    , gmpImportIntegerLE     ) where  #ifndef MIN_VERSION_integer_gmp@@ -70,8 +72,12 @@ -- | Compute the power modulus using extra security to remain constant -- time wise through GMP gmpPowModSecInteger :: Integer -> Integer -> Integer -> GmpSupported Integer-#if MIN_VERSION_integer_gmp(1,0,0)+#if MIN_VERSION_integer_gmp(1,1,0) gmpPowModSecInteger _ _ _ = GmpUnsupported+#elif MIN_VERSION_integer_gmp(1,0,2)+gmpPowModSecInteger b e m = GmpSupported (powModSecInteger b e m)+#elif MIN_VERSION_integer_gmp(1,0,0)+gmpPowModSecInteger _ _ _ = GmpUnsupported #elif MIN_VERSION_integer_gmp(0,5,1) gmpPowModSecInteger b e m = GmpSupported (powModSecInteger b e m) #else@@ -99,7 +105,9 @@  -- | Get the next prime from a specific value through GMP gmpNextPrime :: Integer -> GmpSupported Integer-#if MIN_VERSION_integer_gmp(0,5,1)+#if MIN_VERSION_integer_gmp(1,1,0)+gmpNextPrime _ = GmpUnsupported+#elif MIN_VERSION_integer_gmp(0,5,1) gmpNextPrime n = GmpSupported (nextPrimeInteger n) #else gmpNextPrime _ = GmpUnsupported@@ -107,7 +115,9 @@  -- | Test if a number is prime using Miller Rabin gmpTestPrimeMillerRabin :: Int -> Integer -> GmpSupported Bool-#if MIN_VERSION_integer_gmp(0,5,1)+#if MIN_VERSION_integer_gmp(1,1,0)+gmpTestPrimeMillerRabin _ _ = GmpUnsupported+#elif MIN_VERSION_integer_gmp(0,5,1) gmpTestPrimeMillerRabin (I# tries) !n = GmpSupported $     case testPrimeInteger n tries of         0# -> False@@ -132,7 +142,7 @@ gmpSizeInBits _ = GmpUnsupported #endif --- | Export an integer to a memory+-- | Export an integer to a memory (big-endian) gmpExportInteger :: Integer -> Ptr Word8 -> GmpSupported (IO ()) #if MIN_VERSION_integer_gmp(1,0,0) gmpExportInteger n (Ptr addr) = GmpSupported $ do@@ -146,7 +156,21 @@ gmpExportInteger _ _ = GmpUnsupported #endif --- | Import an integer from a memory+-- | Export an integer to a memory (little-endian)+gmpExportIntegerLE :: Integer -> Ptr Word8 -> GmpSupported (IO ())+#if MIN_VERSION_integer_gmp(1,0,0)+gmpExportIntegerLE n (Ptr addr) = GmpSupported $ do+    _ <- exportIntegerToAddr n addr 0#+    return ()+#elif MIN_VERSION_integer_gmp(0,5,1)+gmpExportIntegerLE n (Ptr addr) = GmpSupported $ IO $ \s ->+    case exportIntegerToAddr n addr 0# s of+        (# s2, _ #) -> (# s2, () #)+#else+gmpExportIntegerLE _ _ = GmpUnsupported+#endif++-- | Import an integer from a memory (big-endian) gmpImportInteger :: Int -> Ptr Word8 -> GmpSupported (IO Integer) #if MIN_VERSION_integer_gmp(1,0,0) gmpImportInteger (I# n) (Ptr addr) = GmpSupported $@@ -156,4 +180,16 @@     importIntegerFromAddr addr (int2Word# n) 1# s #else gmpImportInteger _ _ = GmpUnsupported+#endif++-- | Import an integer from a memory (little-endian)+gmpImportIntegerLE :: Int -> Ptr Word8 -> GmpSupported (IO Integer)+#if MIN_VERSION_integer_gmp(1,0,0)+gmpImportIntegerLE (I# n) (Ptr addr) = GmpSupported $+    importIntegerFromAddr addr (int2Word# n) 0#+#elif MIN_VERSION_integer_gmp(0,5,1)+gmpImportIntegerLE (I# n) (Ptr addr) = GmpSupported $ IO $ \s ->+    importIntegerFromAddr addr (int2Word# n) 0# s+#else+gmpImportIntegerLE _ _ = GmpUnsupported #endif
Crypto/Number/F2m.hs view
@@ -16,14 +16,15 @@     , mulF2m     , squareF2m'     , squareF2m+    , powF2m     , modF2m+    , sqrtF2m     , invF2m     , divF2m     ) where  import Data.Bits (xor, shift, testBit, setBit) import Data.List-import Crypto.Internal.Imports import Crypto.Number.Basic  -- | Binary Polynomial represented by an integer@@ -67,8 +68,8 @@ mulF2m fx n1 n2     |    fx < 0       || n1 < 0-      || n2 < 0 = error "mulF2m: negative number represent no binary binary polynomial"-    | fx == 0   = error "modF2m: cannot multiply modulo zero polynomial"+      || n2 < 0 = error "mulF2m: negative number represent no binary polynomial"+    | fx == 0   = error "mulF2m: cannot multiply modulo zero polynomial"     | otherwise = modF2m fx $ go (if n2 `mod` 2 == 1 then n1 else 0) (log2 n2)       where         go n s | s == 0  = n@@ -97,9 +98,36 @@ squareF2m' :: Integer            -> Integer squareF2m' n-    | n < 0     = error "mulF2m: negative number represent no binary binary polynomial"+    | n < 0     = error "mulF2m: negative number represent no binary polynomial"     | otherwise = foldl' (\acc s -> if testBit n s then setBit acc (2 * s) else acc) 0 [0 .. log2 n] {-# INLINE squareF2m' #-}++-- | Exponentiation in F₂m by computing @a^b mod fx@.+--+-- This implements an exponentiation by squaring based solution. It inherits the+-- same restrictions as 'squareF2m'. Negative exponents are disallowed.+powF2m :: BinaryPolynomial -- ^Modulus+       -> Integer          -- ^a+       -> Integer          -- ^b+       -> Integer+powF2m fx a b+  | b < 0     = error "powF2m: negative exponents disallowed"+  | b == 0    = if fx > 1 then 1 else 0+  | even b    = squareF2m fx x+  | otherwise = mulF2m fx a (squareF2m' x)+  where x = powF2m fx a (b `div` 2)++-- | Square rooot in F₂m.+--+-- We exploit the fact that @a^(2^m) = a@, or in particular, @a^(2^m - 1) = 1@+-- from a classical result by Lagrange. Thus the square root is simply @a^(2^(m+-- - 1))@.+sqrtF2m :: BinaryPolynomial -- ^Modulus+        -> Integer          -- ^a+        -> Integer+sqrtF2m fx a = go (log2 fx - 1) a+  where go 0 x = x+        go n x = go (n - 1) (squareF2m fx x)  -- | Extended GCD algorithm for polynomials. For @a@ and @b@ returns @(g, u, v)@ such that @a * u + b * v == g@. --
Crypto/Number/Generate.hs view
@@ -120,6 +120,4 @@  -- | generate a number between the inclusive bound [low,high]. generateBetween :: MonadRandom m => Integer -> Integer -> m Integer-generateBetween low high-    | low == 1  = generateMax high >>= \r -> if r == 0 then generateBetween low high else return r-    | otherwise = (low +) <$> generateMax (high - low + 1)+generateBetween low high = (low +) <$> generateMax (high - low + 1)
Crypto/Number/ModArithmetic.hs view
@@ -1,5 +1,4 @@ {-# LANGUAGE BangPatterns #-}-{-# LANGUAGE DeriveDataTypeable #-} -- | -- Module      : Crypto.Number.ModArithmetic -- License     : BSD-style@@ -9,26 +8,29 @@  module Crypto.Number.ModArithmetic     (-    -- * exponentiation+    -- * Exponentiation       expSafe     , expFast-    -- * inverse computing+    -- * Inverse computing     , inverse     , inverseCoprimes+    , inverseFermat+    -- * Squares+    , jacobi+    , squareRoot     ) where  import Control.Exception (throw, Exception)-import Data.Typeable import Crypto.Number.Basic import Crypto.Number.Compat  -- | Raised when two numbers are supposed to be coprimes but are not. data CoprimesAssertionError = CoprimesAssertionError-    deriving (Show,Typeable)+    deriving (Show)  instance Exception CoprimesAssertionError --- | Compute the modular exponentiation of base^exponant using+-- | Compute the modular exponentiation of base^exponent using -- algorithms design to avoid side channels and timing measurement -- -- Modulo need to be odd otherwise the normal fast modular exponentiation@@ -38,11 +40,10 @@ -- from expFast, and thus provide the same unstudied and dubious -- timing and side channels claims. ----- with GHC 7.10, the powModSecInteger is missing from integer-gmp--- (which is now integer-gmp2), so is has the same security as old--- ghc version.+-- Before GHC 8.4.2, powModSecInteger is missing from integer-gmp,+-- so expSafe has the same security as expFast. expSafe :: Integer -- ^ base-        -> Integer -- ^ exponant+        -> Integer -- ^ exponent         -> Integer -- ^ modulo         -> Integer -- ^ result expSafe b e m@@ -52,30 +53,30 @@     | otherwise = gmpPowModInteger b e m    `onGmpUnsupported`                   exponentiation b e m --- | Compute the modular exponentiation of base^exponant using+-- | Compute the modular exponentiation of base^exponent using -- the fastest algorithm without any consideration for -- hiding parameters. -- -- Use this function when all the parameters are public,--- otherwise 'expSafe' should be prefered.+-- otherwise 'expSafe' should be preferred. expFast :: Integer -- ^ base-        -> Integer -- ^ exponant+        -> Integer -- ^ exponent         -> Integer -- ^ modulo         -> Integer -- ^ result expFast b e m = gmpPowModInteger b e m `onGmpUnsupported` exponentiation b e m --- | exponentiation computes modular exponentiation as b^e mod m+-- | @exponentiation@ computes modular exponentiation as /b^e mod m/ -- using repetitive squaring. exponentiation :: Integer -> Integer -> Integer -> Integer exponentiation b e m     | b == 1    = b     | e == 0    = 1     | e == 1    = b `mod` m-    | even e    = let p = (exponentiation b (e `div` 2) m) `mod` m+    | even e    = let p = exponentiation b (e `div` 2) m `mod` m                    in (p^(2::Integer)) `mod` m     | otherwise = (b * exponentiation b (e-1) m) `mod` m --- | inverse computes the modular inverse as in g^(-1) mod m+-- | @inverse@ computes the modular inverse as in /g^(-1) mod m/. inverse :: Integer -> Integer -> Maybe Integer inverse g m = gmpInverse g m `onGmpUnsupported` v   where@@ -84,14 +85,133 @@         | otherwise = Just (x `mod` m)     (x,_,d) = gcde g m --- | Compute the modular inverse of 2 coprime numbers.+-- | Compute the modular inverse of two coprime numbers. -- This is equivalent to inverse except that the result -- is known to exists. ----- if the numbers are not defined as coprime, this function--- will raise a CoprimesAssertionError.+-- If the numbers are not defined as coprime, this function+-- will raise a 'CoprimesAssertionError'. inverseCoprimes :: Integer -> Integer -> Integer inverseCoprimes g m =     case inverse g m of         Nothing -> throw CoprimesAssertionError         Just i  -> i++-- | Computes the Jacobi symbol (a/n).+-- 0 ≤ a < n; n ≥ 3 and odd.+--+-- The Legendre and Jacobi symbols are indistinguishable exactly when the+-- lower argument is an odd prime, in which case they have the same value.+--+-- See algorithm 2.149 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+jacobi :: Integer -> Integer -> Maybe Integer+jacobi a n+    | n < 3 || even n  = Nothing+    | a == 0 || a == 1 = Just a+    | n <= a           = jacobi (a `mod` n) n+    | a < 0            =+      let b = if n `mod` 4 == 1 then 1 else -1+       in fmap (*b) (jacobi (-a) n)+    | otherwise        =+      let (e, a1) = asPowerOf2AndOdd a+          nMod8   = n `mod` 8+          nMod4   = n `mod` 4+          a1Mod4  = a1 `mod` 4+          s'      = if even e || nMod8 == 1 || nMod8 == 7 then 1 else -1+          s       = if nMod4 == 3 && a1Mod4 == 3 then -s' else s'+          n1      = n `mod` a1+       in if a1 == 1 then Just s+          else fmap (*s) (jacobi n1 a1)++-- | Modular inverse using Fermat's little theorem.  This works only when+-- the modulus is prime but avoids side channels like in 'expSafe'.+inverseFermat :: Integer -> Integer -> Integer+inverseFermat g p = expSafe g (p - 2) p++-- | Raised when the assumption about the modulus is invalid.+data ModulusAssertionError = ModulusAssertionError+    deriving (Show)++instance Exception ModulusAssertionError++-- | Modular square root of @g@ modulo a prime @p@.+--+-- If the modulus is found not to be prime, the function will raise a+-- 'ModulusAssertionError'.+--+-- This implementation is variable time and should be used with public+-- parameters only.+squareRoot :: Integer -> Integer -> Maybe Integer+squareRoot p+    | p < 2     = throw ModulusAssertionError+    | otherwise =+        case p `divMod` 8 of+           (v, 3) -> method1 (2 * v + 1)+           (v, 7) -> method1 (2 * v + 2)+           (u, 5) -> method2 u+           (_, 1) -> tonelliShanks p+           (0, 2) -> \a -> Just (if even a then 0 else 1)+           _      -> throw ModulusAssertionError++  where+    x `eqMod` y = (x - y) `mod` p == 0++    validate g y | (y * y) `eqMod` g = Just y+                 | otherwise         = Nothing++    -- p == 4u + 3 and u' == u + 1+    method1 u' g =+        let y = expFast g u' p+         in validate g y++    -- p == 8u + 5+    method2 u g =+        let gamma = expFast (2 * g) u p+            g_gamma = g * gamma+            i = (2 * g_gamma * gamma) `mod` p+            y = (g_gamma * (i - 1)) `mod` p+         in validate g y++tonelliShanks :: Integer -> Integer -> Maybe Integer+tonelliShanks p a+    | aa == 0   = Just 0+    | otherwise =+        case expFast aa p2 p of+            b | b == p1   -> Nothing+              | b == 1    -> Just $ go (expFast aa ((s + 1) `div` 2) p)+                                       (expFast aa s p)+                                       (expFast n  s p)+                                       e+              | otherwise -> throw ModulusAssertionError+  where+    aa = a `mod` p+    p1 = p - 1+    p2 = p1 `div` 2+    n  = findN 2++    x `mul` y = (x * y) `mod` p++    pow2m 0 x = x+    pow2m i x = pow2m (i - 1) (x `mul` x)++    (e, s) = asPowerOf2AndOdd p1++    -- find a quadratic non-residue+    findN i+        | expFast i p2 p == p1 = i+        | otherwise            = findN (i + 1)++    -- find m such that b^(2^m) == 1 (mod p)+    findM b i+        | b == 1    = i+        | otherwise = findM (b `mul` b) (i + 1)++    go !x b g !r+        | b == 1    = x+        | otherwise =+            let r' = findM b 0+                z = pow2m (r - r' - 1) g+                x' = x `mul` z+                b' = b `mul` g'+                g' = z `mul` z+             in go x' b' g' r'
+ Crypto/Number/Nat.hs view
@@ -0,0 +1,63 @@+-- |+-- Module      : Crypto.Number.Nat+-- License     : BSD-style+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>+-- Stability   : experimental+-- Portability : Good+--+-- Numbers at type level.+--+-- This module provides extensions to "GHC.TypeLits" and "GHC.TypeNats" useful+-- to work with cryptographic algorithms parameterized with a variable bit+-- length.  Constraints like @'IsDivisibleBy8' n@ ensure that the type-level+-- parameter is applicable to the algorithm.+--+-- Functions are also provided to test whether constraints are satisfied from+-- values known at runtime.  The following example shows how to discharge+-- 'IsDivisibleBy8' in a computation @fn@ requiring this constraint:+--+-- > withDivisibleBy8 :: Integer+-- >                  -> (forall proxy n . (KnownNat n, IsDivisibleBy8 n) => proxy n -> a)+-- >                  -> Maybe a+-- > withDivisibleBy8 len fn = do+-- >     SomeNat p <- someNatVal len+-- >     Refl <- isDivisibleBy8 p+-- >     pure (fn p)+--+-- Function @withDivisibleBy8@ above returns 'Nothing' when the argument @len@+-- is negative or not divisible by 8.+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE TypeOperators #-}+module Crypto.Number.Nat+    ( type IsDivisibleBy8+    , type IsAtMost, type IsAtLeast+    , isDivisibleBy8+    , isAtMost+    , isAtLeast+    ) where++import           Data.Type.Equality+import           GHC.TypeLits+import           Unsafe.Coerce (unsafeCoerce)++import           Crypto.Internal.Nat++-- | get a runtime proof that the constraint @'IsDivisibleBy8' n@ is satified+isDivisibleBy8 :: KnownNat n => proxy n -> Maybe (IsDiv8 n n :~: 'True)+isDivisibleBy8 n+    | mod (natVal n) 8 == 0 = Just (unsafeCoerce Refl)+    | otherwise             = Nothing++-- | get a runtime proof that the constraint @'IsAtMost' value bound@ is+-- satified+isAtMost :: (KnownNat value, KnownNat bound)+         => proxy value -> proxy' bound -> Maybe ((value <=? bound) :~: 'True)+isAtMost x y+    | natVal x <= natVal y  = Just (unsafeCoerce Refl)+    | otherwise             = Nothing++-- | get a runtime proof that the constraint @'IsAtLeast' value bound@ is+-- satified+isAtLeast :: (KnownNat value, KnownNat bound)+          => proxy value -> proxy' bound -> Maybe ((bound <=? value) :~: 'True)+isAtLeast = flip isAtMost
Crypto/Number/Prime.hs view
@@ -19,8 +19,6 @@     , isCoprime     ) where -import Crypto.Internal.Imports- import Crypto.Number.Compat import Crypto.Number.Generate import Crypto.Number.Basic (sqrti, gcde)@@ -31,10 +29,10 @@  import Data.Bits --- | returns if the number is probably prime.--- first a list of small primes are implicitely tested for divisibility,+-- | Returns if the number is probably prime.+-- First a list of small primes are implicitely tested for divisibility, -- then a fermat primality test is used with arbitrary numbers and--- then the Miller Rabin algorithm is used with an accuracy of 30 recursions+-- then the Miller Rabin algorithm is used with an accuracy of 30 recursions. isProbablyPrime :: Integer -> Bool isProbablyPrime !n     | any (\p -> p `divides` n) (filter (< n) firstPrimes) = False@@ -42,14 +40,14 @@     | primalityTestFermat 50 (n `div` 2) n                 = primalityTestMillerRabin 30 n     | otherwise                                            = False --- | generate a prime number of the required bitsize (i.e. in the range---   [2^(b-1)+2^(b-2), 2^b)).+-- | Generate a prime number of the required bitsize (i.e. in the range+-- [2^(b-1)+2^(b-2), 2^b)). -----   May throw a CryptoError_PrimeSizeInvalid if the requested size is less---   than 5 bits, as the smallest prime meeting these conditions is 29.---   This function requires that the two highest bits are set, so that when---   multiplied with another prime to create a key, it is guaranteed to be of---   the proper size.+-- May throw a 'CryptoError_PrimeSizeInvalid' if the requested size is less+-- than 5 bits, as the smallest prime meeting these conditions is 29.+-- This function requires that the two highest bits are set, so that when+-- multiplied with another prime to create a key, it is guaranteed to be of+-- the proper size. generatePrime :: MonadRandom m => Int -> m Integer generatePrime bits = do     if bits < 5 then@@ -61,13 +59,13 @@             return $ prime         else generatePrime bits --- | generate a prime number of the form 2p+1 where p is also prime.+-- | Generate a prime number of the form 2p+1 where p is also prime. -- it is also knowed as a Sophie Germaine prime or safe prime. -- -- The number of safe prime is significantly smaller to the number of prime, -- as such it shouldn't be used if this number is supposed to be kept safe. ----- May throw a CryptoError_PrimeSizeInvalid if the requested size is less than+-- May throw a 'CryptoError_PrimeSizeInvalid' if the requested size is less than -- 6 bits, as the smallest safe prime with the two highest bits set is 59. generateSafePrime :: MonadRandom m => Int -> m Integer generateSafePrime bits = do@@ -81,7 +79,7 @@             return $ val         else generateSafePrime bits --- | find a prime from a starting point where the property hold.+-- | Find a prime from a starting point where the property hold. findPrimeFromWith :: (Integer -> Bool) -> Integer -> Integer findPrimeFromWith prop !n     | even n        = findPrimeFromWith prop (n+1)@@ -93,7 +91,7 @@                     then n                     else findPrimeFromWith prop (n+2) --- | find a prime from a starting point with no specific property.+-- | Find a prime from a starting point with no specific property. findPrimeFrom :: Integer -> Integer findPrimeFrom n =     case gmpNextPrime n of@@ -129,7 +127,7 @@     factorise :: Integer -> Integer -> (Integer, Integer)     factorise !si !vi         | vi `testBit` 0 = (si, vi)-        | otherwise     = factorise (si+1) (vi `shiftR` 1) -- probably faster to not shift v continously, but just once.+        | otherwise     = factorise (si+1) (vi `shiftR` 1) -- probably faster to not shift v continuously, but just once.     expmod = expSafe      -- when iteration reach zero, we have a probable prime@@ -185,7 +183,7 @@ isCoprime :: Integer -> Integer -> Bool isCoprime m n = case gcde m n of (_,_,d) -> d == 1 --- | list of the first primes till 2903..+-- | List of the first primes till 2903. firstPrimes :: [Integer] firstPrimes =     [ 2    , 3    , 5    , 7    , 11   , 13   , 17   , 19   , 23   , 29
Crypto/Number/Serialize.hs view
@@ -5,7 +5,7 @@ -- Stability   : experimental -- Portability : Good ----- fast serialization primitives for integer+-- Fast serialization primitives for integer {-# LANGUAGE BangPatterns #-} module Crypto.Number.Serialize     ( i2osp@@ -19,22 +19,23 @@ import qualified Crypto.Internal.ByteArray as B import qualified Crypto.Number.Serialize.Internal as Internal --- | os2ip converts a byte string into a positive integer+-- | @os2ip@ converts a byte string into a positive integer. os2ip :: B.ByteArrayAccess ba => ba -> Integer os2ip bs = unsafeDoIO $ B.withByteArray bs (\p -> Internal.os2ip p (B.length bs)) --- | i2osp converts a positive integer into a byte string+-- | @i2osp@ converts a positive integer into a byte string. ----- first byte is MSB (most significant byte), last byte is the LSB (least significant byte)+-- The first byte is MSB (most significant byte); the last byte is the LSB (least significant byte) i2osp :: B.ByteArray ba => Integer -> ba i2osp 0 = B.allocAndFreeze 1  (\p -> Internal.i2osp 0 p 1 >> return ()) i2osp m = B.allocAndFreeze sz (\p -> Internal.i2osp m p sz >> return ())   where         !sz = numBytes m --- | just like i2osp, but take an extra parameter for size.--- if the number is too big to fit in @len@ bytes, 'Nothing' is returned+-- | Just like 'i2osp', but takes an extra parameter for size.+-- If the number is too big to fit in @len@ bytes, 'Nothing' is returned -- otherwise the number is padded with 0 to fit the @len@ required.+{-# INLINABLE i2ospOf #-} i2ospOf :: B.ByteArray ba => Int -> Integer -> Maybe ba i2ospOf len m     | len <= 0  = Nothing@@ -44,10 +45,10 @@   where         !sz = numBytes m --- | just like i2ospOf except that it doesn't expect a failure: i.e.--- an integer larger than the number of output bytes requested+-- | Just like 'i2ospOf' except that it doesn't expect a failure: i.e.+-- an integer larger than the number of output bytes requested. ----- for example if you just took a modulo of the number that represent+-- For example if you just took a modulo of the number that represent -- the size (example the RSA modulo n). i2ospOf_ :: B.ByteArray ba => Int -> Integer -> ba i2ospOf_ len = maybe (error "i2ospOf_: integer is larger than expected") id . i2ospOf len
Crypto/Number/Serialize/Internal.hs view
@@ -5,7 +5,7 @@ -- Stability   : experimental -- Portability : Good ----- fast serialization primitives for integer using raw pointers+-- Fast serialization primitives for integer using raw pointers {-# LANGUAGE BangPatterns #-} module Crypto.Number.Serialize.Internal     ( i2osp@@ -21,12 +21,12 @@ import           Foreign.Ptr import           Foreign.Storable --- | fill a pointer with the big endian binary representation of an integer+-- | Fill a pointer with the big endian binary representation of an integer ----- if the room available @ptrSz is less than the number of bytes needed,+-- If the room available @ptrSz@ is less than the number of bytes needed, -- 0 is returned. Likewise if a parameter is invalid, 0 is returned. ----- returns the number of bytes written+-- Returns the number of bytes written i2osp :: Integer -> Ptr Word8 -> Int -> IO Int i2osp m ptr ptrSz     | ptrSz <= 0 = return 0@@ -61,7 +61,7 @@             pokeByteOff p ofs (fromIntegral b :: Word8)             export (ofs-1) i' --- | transform a big endian binary integer representation pointed by a pointer and a size+-- | Transform a big endian binary integer representation pointed by a pointer and a size -- into an integer os2ip :: Ptr Word8 -> Int -> IO Integer os2ip ptr ptrSz@@ -69,7 +69,7 @@     | otherwise  = gmpImportInteger ptrSz ptr `onGmpUnsupported` loop 0 0 ptr   where     loop :: Integer -> Int -> Ptr Word8 -> IO Integer-    loop !acc i p+    loop !acc i !p         | i == ptrSz = return acc         | otherwise  = do             w <- peekByteOff p i :: IO Word8
+ Crypto/Number/Serialize/Internal/LE.hs view
@@ -0,0 +1,75 @@+-- |+-- Module      : Crypto.Number.Serialize.Internal.LE+-- License     : BSD-style+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>+-- Stability   : experimental+-- Portability : Good+--+-- Fast serialization primitives for integer using raw pointers (little endian)+{-# LANGUAGE BangPatterns #-}+module Crypto.Number.Serialize.Internal.LE+    ( i2osp+    , i2ospOf+    , os2ip+    ) where++import           Crypto.Number.Compat+import           Crypto.Number.Basic+import           Data.Bits+import           Data.Memory.PtrMethods+import           Data.Word (Word8)+import           Foreign.Ptr+import           Foreign.Storable++-- | Fill a pointer with the little endian binary representation of an integer+--+-- If the room available @ptrSz@ is less than the number of bytes needed,+-- 0 is returned. Likewise if a parameter is invalid, 0 is returned.+--+-- Returns the number of bytes written+i2osp :: Integer -> Ptr Word8 -> Int -> IO Int+i2osp m ptr ptrSz+    | ptrSz <= 0 = return 0+    | m < 0      = return 0+    | m == 0     = pokeByteOff ptr 0 (0 :: Word8) >> return 1+    | ptrSz < sz = return 0+    | otherwise  = fillPtr ptr sz m >> return sz+  where+    !sz    = numBytes m++-- | Similar to 'i2osp', except it will pad any remaining space with zero.+i2ospOf :: Integer -> Ptr Word8 -> Int -> IO Int+i2ospOf m ptr ptrSz+    | ptrSz <= 0 = return 0+    | m < 0      = return 0+    | ptrSz < sz = return 0+    | otherwise  = do+        memSet ptr 0 ptrSz+        fillPtr ptr sz m+        return ptrSz+  where+    !sz    = numBytes m++fillPtr :: Ptr Word8 -> Int -> Integer -> IO ()+fillPtr p sz m = gmpExportIntegerLE m p `onGmpUnsupported` export 0 m+  where+    export ofs i+        | ofs >= sz = return ()+        | otherwise = do+            let (i', b) = i `divMod` 256+            pokeByteOff p ofs (fromIntegral b :: Word8)+            export (ofs+1) i'++-- | Transform a little endian binary integer representation pointed by a+-- pointer and a size into an integer+os2ip :: Ptr Word8 -> Int -> IO Integer+os2ip ptr ptrSz+    | ptrSz <= 0 = return 0+    | otherwise  = gmpImportIntegerLE ptrSz ptr `onGmpUnsupported` loop 0 (ptrSz-1) ptr+  where+    loop :: Integer -> Int -> Ptr Word8 -> IO Integer+    loop !acc i !p+        | i < 0      = return acc+        | otherwise  = do+            w <- peekByteOff p i :: IO Word8+            loop ((acc `shiftL` 8) .|. fromIntegral w) (i-1) p
+ Crypto/Number/Serialize/LE.hs view
@@ -0,0 +1,54 @@+-- |+-- Module      : Crypto.Number.Serialize.LE+-- License     : BSD-style+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>+-- Stability   : experimental+-- Portability : Good+--+-- Fast serialization primitives for integer (little endian)+{-# LANGUAGE BangPatterns #-}+module Crypto.Number.Serialize.LE+    ( i2osp+    , os2ip+    , i2ospOf+    , i2ospOf_+    ) where++import           Crypto.Number.Basic+import           Crypto.Internal.Compat (unsafeDoIO)+import qualified Crypto.Internal.ByteArray as B+import qualified Crypto.Number.Serialize.Internal.LE as Internal++-- | @os2ip@ converts a byte string into a positive integer.+os2ip :: B.ByteArrayAccess ba => ba -> Integer+os2ip bs = unsafeDoIO $ B.withByteArray bs (\p -> Internal.os2ip p (B.length bs))++-- | @i2osp@ converts a positive integer into a byte string.+--+-- The first byte is LSB (least significant byte); the last byte is the MSB (most significant byte)+i2osp :: B.ByteArray ba => Integer -> ba+i2osp 0 = B.allocAndFreeze 1  (\p -> Internal.i2osp 0 p 1 >> return ())+i2osp m = B.allocAndFreeze sz (\p -> Internal.i2osp m p sz >> return ())+  where+        !sz = numBytes m++-- | Just like 'i2osp', but takes an extra parameter for size.+-- If the number is too big to fit in @len@ bytes, 'Nothing' is returned+-- otherwise the number is padded with 0 to fit the @len@ required.+{-# INLINABLE i2ospOf #-}+i2ospOf :: B.ByteArray ba => Int -> Integer -> Maybe ba+i2ospOf len m+    | len <= 0  = Nothing+    | m < 0     = Nothing+    | sz > len  = Nothing+    | otherwise = Just $ B.unsafeCreate len (\p -> Internal.i2ospOf m p len >> return ())+  where+        !sz = numBytes m++-- | Just like 'i2ospOf' except that it doesn't expect a failure: i.e.+-- an integer larger than the number of output bytes requested.+--+-- For example if you just took a modulo of the number that represent+-- the size (example the RSA modulo n).+i2ospOf_ :: B.ByteArray ba => Int -> Integer -> ba+i2ospOf_ len = maybe (error "i2ospOf_: integer is larger than expected") id . i2ospOf len
Crypto/OTP.hs view
@@ -42,15 +42,14 @@     ) where -import           Data.Bits (shiftL, shiftR, (.&.), (.|.))+import           Data.Bits (shiftL, (.&.), (.|.)) import           Data.ByteArray.Mapping (fromW64BE) import           Data.List (elemIndex) import           Data.Word-import           Foreign.Storable (poke) import           Control.Monad (unless) import           Crypto.Hash (HashAlgorithm, SHA1(..)) import           Crypto.MAC.HMAC-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, Bytes)+import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes) import qualified Crypto.Internal.ByteArray as B  
Crypto/PubKey/Curve25519.hs view
@@ -18,7 +18,7 @@     , dhSecret     , publicKey     , secretKey-    -- * methods+    -- * Methods     , dh     , toPublic     , generateSecretKey@@ -33,9 +33,8 @@ import           Crypto.Error import           Crypto.Internal.Compat import           Crypto.Internal.Imports-import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray, ScrubbedBytes, Bytes, withByteArray)+import           Crypto.Internal.ByteArray (ByteArrayAccess, ScrubbedBytes, Bytes, withByteArray) import qualified Crypto.Internal.ByteArray as B-import           Crypto.Error (CryptoFailable(..)) import           Crypto.Random  -- | A Curve25519 Secret key@@ -92,7 +91,10 @@     | B.length bs == 32 = CryptoPassed $ DhSecret $ B.copyAndFreeze bs (\_ -> return ())     | otherwise         = CryptoFailed CryptoError_SharedSecretSizeInvalid --- | Compute the Diffie Hellman secret from a public key and a secret key+-- | Compute the Diffie Hellman secret from a public key and a secret key.+--+-- This implementation may return an all-zero value as it does not check for+-- the condition. dh :: PublicKey -> SecretKey -> DhSecret dh (PublicKey pub) (SecretKey sec) = DhSecret <$>     B.allocAndFreeze 32        $ \result ->
Crypto/PubKey/Curve448.hs view
@@ -7,8 +7,11 @@ -- -- Curve448 support --+-- Internally uses Decaf point compression to omit the cofactor+-- and implementation by Mike Hamburg.  Externally API and+-- data types are compatible with the encoding specified in RFC 7748.+-- {-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE MagicHash #-} module Crypto.PubKey.Curve448     ( SecretKey     , PublicKey@@ -17,7 +20,7 @@     , dhSecret     , publicKey     , secretKey-    -- * methods+    -- * Methods     , dh     , toPublic     , generateSecretKey@@ -25,7 +28,6 @@  import           Data.Word import           Foreign.Ptr-import           GHC.Ptr  import           Crypto.Error import           Crypto.Random@@ -75,13 +77,16 @@     | B.length bs == x448_bytes = CryptoPassed $ DhSecret $ B.copyAndFreeze bs (\_ -> return ())     | otherwise                 = CryptoFailed CryptoError_SharedSecretSizeInvalid --- | Compute the Diffie Hellman secret from a public key and a secret key+-- | Compute the Diffie Hellman secret from a public key and a secret key.+--+-- This implementation may return an all-zero value as it does not check for+-- the condition. dh :: PublicKey -> SecretKey -> DhSecret dh (PublicKey pub) (SecretKey sec) = DhSecret <$>     B.allocAndFreeze x448_bytes $ \result ->     withByteArray sec           $ \psec   ->     withByteArray pub           $ \ppub   ->-        ccryptonite_ed448 result psec ppub+        decaf_x448 result ppub psec {-# NOINLINE dh #-}  -- | Create a public key from a secret key@@ -89,9 +94,7 @@ toPublic (SecretKey sec) = PublicKey <$>     B.allocAndFreeze x448_bytes     $ \result ->     withByteArray sec               $ \psec   ->-        ccryptonite_ed448 result psec basePoint-  where-        basePoint = Ptr "\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"#+        decaf_x448_derive_public_key result psec {-# NOINLINE toPublic #-}  -- | Generate a secret key.@@ -101,8 +104,13 @@ x448_bytes :: Int x448_bytes = 448 `quot` 8 -foreign import ccall "cryptonite_x448"-    ccryptonite_ed448 :: Ptr Word8 -- ^ public-                      -> Ptr Word8 -- ^ secret-                      -> Ptr Word8 -- ^ basepoint-                      -> IO ()+foreign import ccall "cryptonite_decaf_x448"+    decaf_x448 :: Ptr Word8 -- ^ public+               -> Ptr Word8 -- ^ basepoint+               -> Ptr Word8 -- ^ secret+               -> IO ()++foreign import ccall "cryptonite_decaf_x448_derive_public_key"+    decaf_x448_derive_public_key :: Ptr Word8 -- ^ public+                                 -> Ptr Word8 -- ^ secret+                                 -> IO ()
Crypto/PubKey/DH.hs view
@@ -33,19 +33,22 @@     { params_p :: Integer     , params_g :: Integer     , params_bits :: Int-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data) +instance NFData Params where+    rnf (Params p g bits) = rnf p `seq` rnf g `seq` bits `seq` ()+ -- | Represent Diffie Hellman public number Y. newtype PublicNumber = PublicNumber Integer-    deriving (Show,Read,Eq,Enum,Real,Num,Ord)+    deriving (Show,Read,Eq,Enum,Real,Num,Ord,NFData)  -- | Represent Diffie Hellman private number X. newtype PrivateNumber = PrivateNumber Integer-    deriving (Show,Read,Eq,Enum,Real,Num,Ord)+    deriving (Show,Read,Eq,Enum,Real,Num,Ord,NFData)  -- | Represent Diffie Hellman shared secret. newtype SharedKey = SharedKey ScrubbedBytes-    deriving (Show,Eq,ByteArrayAccess)+    deriving (Show,Eq,ByteArrayAccess,NFData)  -- | generate params from a specific generator (2 or 5 are common values) -- we generate a safe prime (a prime number of the form 2p+1 where p is also prime)
Crypto/PubKey/DSA.hs view
@@ -14,13 +14,13 @@     , PrivateKey(..)     , PublicNumber     , PrivateNumber-    -- * generation+    -- * Generation     , generatePrivate     , calculatePublic-    -- * signature primitive+    -- * Signature primitive     , sign     , signWith-    -- * verification primitive+    -- * Verification primitive     , verify     -- * Key pair     , KeyPair(..)@@ -28,19 +28,18 @@     , toPrivateKey     ) where -import           Crypto.Random.Types-import           Data.Bits (testBit)-import           Data.Data-import           Data.Maybe-import           Crypto.Number.Basic (numBits)-import           Crypto.Number.ModArithmetic (expFast, expSafe, inverse)-import           Crypto.Number.Serialize-import           Crypto.Number.Generate-import           Crypto.Internal.ByteArray (ByteArrayAccess(length), convert, index, dropView, takeView)-import           Crypto.Internal.Imports-import           Crypto.Hash-import           Prelude hiding (length) +import Data.Data+import Data.Maybe++import Crypto.Number.ModArithmetic (expFast, expSafe, inverse)+import Crypto.Number.Generate+import Crypto.Internal.ByteArray (ByteArrayAccess)+import Crypto.Internal.Imports+import Crypto.Hash+import Crypto.PubKey.Internal (dsaTruncHash)+import Crypto.Random.Types+ -- | DSA Public Number, usually embedded in DSA Public Key type PublicNumber = Integer @@ -52,7 +51,7 @@     { params_p :: Integer -- ^ DSA p     , params_g :: Integer -- ^ DSA g     , params_q :: Integer -- ^ DSA q-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  instance NFData Params where     rnf (Params p g q) = p `seq` g `seq` q `seq` ()@@ -61,7 +60,7 @@ data Signature = Signature     { sign_r :: Integer -- ^ DSA r     , sign_s :: Integer -- ^ DSA s-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  instance NFData Signature where     rnf (Signature r s) = r `seq` s `seq` ()@@ -70,7 +69,7 @@ data PublicKey = PublicKey     { public_params :: Params       -- ^ DSA parameters     , public_y      :: PublicNumber -- ^ DSA public Y-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  instance NFData PublicKey where     rnf (PublicKey params y) = y `seq` params `seq` ()@@ -82,14 +81,14 @@ data PrivateKey = PrivateKey     { private_params :: Params        -- ^ DSA parameters     , private_x      :: PrivateNumber -- ^ DSA private X-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  instance NFData PrivateKey where     rnf (PrivateKey params x) = x `seq` params `seq` ()  -- | Represent a DSA key pair data KeyPair = KeyPair Params PublicNumber PrivateNumber-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  instance NFData KeyPair where     rnf (KeyPair params y x) = x `seq` y `seq` params `seq` ()@@ -126,7 +125,7 @@           x              = private_x pk           -- compute r,s           kInv      = fromJust $ inverse k q-          hm        = os2ip $ hashWith hashAlg msg+          hm        = dsaTruncHash hashAlg msg q           r         = expSafe g k p `mod` q           s         = (kInv * (hm + x * r)) `mod` q @@ -148,11 +147,8 @@     | otherwise                            = v == r     where (Params p g q) = public_params pk           y       = public_y pk-          hm      = os2ip . truncateHash $ hashWith hashAlg m-+          hm      = dsaTruncHash hashAlg m q           w       = fromJust $ inverse s q           u1      = (hm*w) `mod` q           u2      = (r*w) `mod` q           v       = ((expFast g u1 p) * (expFast y u2 p)) `mod` p `mod` q-          -- if the hash is larger than the size of q, truncate it; FIXME: deal with the case of a q not evenly divisible by 8-          truncateHash h = if numBits (os2ip h) > numBits q then takeView h (numBits q `div` 8) else dropView h 0
Crypto/PubKey/ECC/ECDSA.hs view
@@ -11,45 +11,46 @@     , toPublicKey     , toPrivateKey     , signWith+    , signDigestWith     , sign+    , signDigest     , verify+    , verifyDigest     ) where  import Control.Monad-import Crypto.Random.Types-import Data.Bits (shiftR)-import Crypto.Internal.ByteArray (ByteArrayAccess) import Data.Data-import Crypto.Number.Basic (numBits)++import Crypto.Hash+import Crypto.Internal.ByteArray (ByteArrayAccess) import Crypto.Number.ModArithmetic (inverse)-import Crypto.Number.Serialize import Crypto.Number.Generate import Crypto.PubKey.ECC.Types import Crypto.PubKey.ECC.Prim-import Crypto.Hash-import Crypto.Hash.Types (hashDigestSize)+import Crypto.PubKey.Internal (dsaTruncHashDigest)+import Crypto.Random.Types  -- | Represent a ECDSA signature namely R and S. data Signature = Signature     { sign_r :: Integer -- ^ ECDSA r     , sign_s :: Integer -- ^ ECDSA s-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  -- | ECDSA Private Key. data PrivateKey = PrivateKey     { private_curve :: Curve     , private_d     :: PrivateNumber-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  -- | ECDSA Public Key. data PublicKey = PublicKey     { public_curve :: Curve     , public_q     :: PublicPoint-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  -- | ECDSA Key Pair. data KeyPair = KeyPair Curve PublicPoint PrivateNumber-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  -- | Public key of a ECDSA Key pair. toPublicKey :: KeyPair -> PublicKey@@ -59,17 +60,16 @@ toPrivateKey :: KeyPair -> PrivateKey toPrivateKey (KeyPair curve _ priv) = PrivateKey curve priv --- | Sign message using the private key and an explicit k number.+-- | Sign digest using the private key and an explicit k number. -- -- /WARNING:/ Vulnerable to timing attacks.-signWith :: (ByteArrayAccess msg, HashAlgorithm hash)-         => Integer    -- ^ k random number-         -> PrivateKey -- ^ private key-         -> hash       -- ^ hash function-         -> msg        -- ^ message to sign-         -> Maybe Signature-signWith k (PrivateKey curve d) hashAlg msg = do-    let z = tHash hashAlg msg n+signDigestWith :: HashAlgorithm hash+               => Integer     -- ^ k random number+               -> PrivateKey  -- ^ private key+               -> Digest hash -- ^ digest to sign+               -> Maybe Signature+signDigestWith k (PrivateKey curve d) digest = do+    let z = dsaTruncHashDigest digest n         CurveCommon _ _ g n _ = common_curve curve     let point = pointMul curve k g     r <- case point of@@ -80,26 +80,44 @@     when (r == 0 || s == 0) Nothing     return $ Signature r s --- | Sign message using the private key.+-- | Sign message using the private key and an explicit k number. -- -- /WARNING:/ Vulnerable to timing attacks.-sign :: (ByteArrayAccess msg, HashAlgorithm hash, MonadRandom m)-     => PrivateKey -> hash -> msg -> m Signature-sign pk hashAlg msg = do+signWith :: (ByteArrayAccess msg, HashAlgorithm hash)+         => Integer    -- ^ k random number+         -> PrivateKey -- ^ private key+         -> hash       -- ^ hash function+         -> msg        -- ^ message to sign+         -> Maybe Signature+signWith k pk hashAlg msg = signDigestWith k pk (hashWith hashAlg msg)++-- | Sign digest using the private key.+--+-- /WARNING:/ Vulnerable to timing attacks.+signDigest :: (HashAlgorithm hash, MonadRandom m)+           => PrivateKey -> Digest hash -> m Signature+signDigest pk digest = do     k <- generateBetween 1 (n - 1)-    case signWith k pk hashAlg msg of-         Nothing  -> sign pk hashAlg msg+    case signDigestWith k pk digest of+         Nothing  -> signDigest pk digest          Just sig -> return sig   where n = ecc_n . common_curve $ private_curve pk --- | Verify a bytestring using the public key.-verify :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> PublicKey -> Signature -> msg -> Bool-verify _       (PublicKey _ PointO) _ _ = False-verify hashAlg pk@(PublicKey curve q) (Signature r s) msg+-- | Sign message using the private key.+--+-- /WARNING:/ Vulnerable to timing attacks.+sign :: (ByteArrayAccess msg, HashAlgorithm hash, MonadRandom m)+     => PrivateKey -> hash -> msg -> m Signature+sign pk hashAlg msg = signDigest pk (hashWith hashAlg msg)++-- | Verify a digest using the public key.+verifyDigest :: HashAlgorithm hash => PublicKey -> Signature -> Digest hash -> Bool+verifyDigest (PublicKey _ PointO) _ _ = False+verifyDigest pk@(PublicKey curve q) (Signature r s) digest     | r < 1 || r >= n || s < 1 || s >= n = False     | otherwise = maybe False (r ==) $ do         w <- inverse s n-        let z  = tHash hashAlg msg n+        let z  = dsaTruncHashDigest digest n             u1 = z * w `mod` n             u2 = r * w `mod` n             x  = pointAddTwoMuls curve u1 g u2 q@@ -110,10 +128,6 @@         g = ecc_g cc         cc = common_curve $ public_curve pk --- | Truncate and hash.-tHash :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> msg -> Integer -> Integer-tHash hashAlg m n-    | d > 0 = shiftR e d-    | otherwise = e-  where e = os2ip $ hashWith hashAlg m-        d = hashDigestSize hashAlg * 8 - numBits n+-- | Verify a bytestring using the public key.+verify :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> PublicKey -> Signature -> msg -> Bool+verify hashAlg pk sig msg = verifyDigest pk sig (hashWith hashAlg msg)
Crypto/PubKey/ECC/P256.hs view
@@ -8,31 +8,37 @@ -- P256 support -- {-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE BangPatterns #-} {-# LANGUAGE EmptyDataDecls #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} module Crypto.PubKey.ECC.P256     ( Scalar     , Point-    -- * point arithmetic+    -- * Point arithmetic     , pointBase     , pointAdd+    , pointNegate     , pointMul     , pointDh     , pointsMulVarTime     , pointIsValid+    , pointIsAtInfinity     , toPoint+    , pointX     , pointToIntegers     , pointFromIntegers     , pointToBinary     , pointFromBinary-    -- * scalar arithmetic+    , unsafePointFromBinary+    -- * Scalar arithmetic     , scalarGenerate     , scalarZero+    , scalarN     , scalarIsZero     , scalarAdd     , scalarSub+    , scalarMul     , scalarInv+    , scalarInvSafe     , scalarCmp     , scalarFromBinary     , scalarToBinary@@ -43,7 +49,6 @@ import           Data.Word import           Foreign.Ptr import           Foreign.C.Types-import           Control.Monad  import           Crypto.Internal.Compat import           Crypto.Internal.Imports@@ -57,11 +62,11 @@  -- | A P256 scalar newtype Scalar = Scalar ScrubbedBytes-    deriving (Show,Eq,ByteArrayAccess)+    deriving (Show,Eq,ByteArrayAccess,NFData)  -- | A P256 point newtype Point = Point Bytes-    deriving (Show,Eq)+    deriving (Show,Eq,NFData)  scalarSize :: Int scalarSize = 32@@ -75,6 +80,9 @@ data P256Y data P256X +order :: Integer+order = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551+ ------------------------------------------------------------------------ -- Point methods ------------------------------------------------------------------------@@ -105,20 +113,27 @@     withPoint a $ \ax ay -> withPoint b $ \bx by ->         ccryptonite_p256e_point_add ax ay bx by dx dy +-- | Negate a point+pointNegate :: Point -> Point+pointNegate a = withNewPoint $ \dx dy ->+    withPoint a $ \ax ay ->+        ccryptonite_p256e_point_negate ax ay dx dy+ -- | Multiply a point by a scalar -- -- warning: variable time pointMul :: Scalar -> Point -> Point pointMul scalar p = withNewPoint $ \dx dy ->-    withScalar scalar $ \n -> withPoint p $ \px py -> withScalarZero $ \nzero ->-        ccryptonite_p256_points_mul_vartime nzero n px py dx dy+    withScalar scalar $ \n -> withPoint p $ \px py ->+        ccryptonite_p256e_point_mul n px py dx dy --- | Similar to 'pointMul', serializing the x coordinate as binary+-- | Similar to 'pointMul', serializing the x coordinate as binary.+-- When scalar is multiple of point order the result is all zero. pointDh :: ByteArray binary => Scalar -> Point -> binary pointDh scalar p =     B.unsafeCreate scalarSize $ \dst -> withTempPoint $ \dx dy -> do-        withScalar scalar $ \n -> withPoint p $ \px py -> withScalarZero $ \nzero ->-            ccryptonite_p256_points_mul_vartime nzero n px py dx dy+        withScalar scalar $ \n -> withPoint p $ \px py ->+            ccryptonite_p256e_point_mul n px py dx dy         ccryptonite_p256_to_bin (castPtr dx) dst  -- | multiply the point @p with @n2 and add a lifted to curve value @n1@@ -137,6 +152,19 @@     r <- ccryptonite_p256_is_valid_point px py     return (r /= 0) +-- | Check if a 'Point' is the point at infinity+pointIsAtInfinity :: Point -> Bool+pointIsAtInfinity (Point b) = constAllZero b++-- | Return the x coordinate as a 'Scalar' if the point is not at infinity+pointX :: Point -> Maybe Scalar+pointX p+    | pointIsAtInfinity p = Nothing+    | otherwise           = Just $+        withNewScalarFreeze $ \d    ->+        withPoint p         $ \px _ ->+            ccryptonite_p256_mod ccryptonite_SECP256r1_n (castPtr px) (castPtr d)+ -- | Convert a point to (x,y) Integers pointToIntegers :: Point -> (Integer, Integer) pointToIntegers p = unsafeDoIO $ withPoint p $ \px py ->@@ -172,10 +200,19 @@     ccryptonite_p256_to_bin (castPtr px) dst     ccryptonite_p256_to_bin (castPtr py) (dst `plusPtr` 32) --- | Convert from binary to a point+-- | Convert from binary to a valid point pointFromBinary :: ByteArrayAccess ba => ba -> CryptoFailable Point-pointFromBinary ba-    | B.length ba /= pointSize = CryptoFailed $ CryptoError_PublicKeySizeInvalid+pointFromBinary ba = unsafePointFromBinary ba >>= validatePoint+  where+    validatePoint :: Point -> CryptoFailable Point+    validatePoint p+        | pointIsValid p = CryptoPassed p+        | otherwise      = CryptoFailed CryptoError_PointCoordinatesInvalid++-- | Convert from binary to a point, possibly invalid+unsafePointFromBinary :: ByteArrayAccess ba => ba -> CryptoFailable Point+unsafePointFromBinary ba+    | B.length ba /= pointSize = CryptoFailed CryptoError_PublicKeySizeInvalid     | otherwise                =         CryptoPassed $ withNewPoint $ \px py -> B.withByteArray ba $ \src -> do             ccryptonite_p256_from_bin src                        (castPtr px)@@ -198,41 +235,40 @@ scalarZero :: Scalar scalarZero = withNewScalarFreeze $ \d -> ccryptonite_p256_init d +-- | The scalar representing the curve order+scalarN :: Scalar+scalarN = throwCryptoError (scalarFromInteger order)+ -- | Check if the scalar is 0 scalarIsZero :: Scalar -> Bool scalarIsZero s = unsafeDoIO $ withScalar s $ \d -> do     result <- ccryptonite_p256_is_zero d     return $ result /= 0 -scalarNeedReducing :: Ptr P256Scalar -> IO Bool-scalarNeedReducing d = do-    c <- ccryptonite_p256_cmp d ccryptonite_SECP256r1_n-    return (c >= 0)- -- | Perform addition between two scalars -- -- > a + b scalarAdd :: Scalar -> Scalar -> Scalar scalarAdd a b =-    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb -> do-        carry <- ccryptonite_p256_add pa pb d-        when (carry /= 0) $ void $ ccryptonite_p256_sub d ccryptonite_SECP256r1_n d-        needReducing <- scalarNeedReducing d-        when needReducing $ do-            ccryptonite_p256_mod ccryptonite_SECP256r1_n d d+    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->+        ccryptonite_p256e_modadd ccryptonite_SECP256r1_n pa pb d  -- | Perform subtraction between two scalars -- -- > a - b scalarSub :: Scalar -> Scalar -> Scalar scalarSub a b =-    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb -> do-        borrow <- ccryptonite_p256_sub pa pb d-        when (borrow /= 0) $ void $ ccryptonite_p256_add d ccryptonite_SECP256r1_n d-        --needReducing <- scalarNeedReducing d-        --when needReducing $ do-        --    ccryptonite_p256_mod ccryptonite_SECP256r1_n d d+    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->+        ccryptonite_p256e_modsub ccryptonite_SECP256r1_n pa pb d +-- | Perform multiplication between two scalars+--+-- > a * b+scalarMul :: Scalar -> Scalar -> Scalar+scalarMul a b =+    withNewScalarFreeze $ \d -> withScalar a $ \pa -> withScalar b $ \pb ->+         ccryptonite_p256_modmul ccryptonite_SECP256r1_n pa 0 pb d+ -- | Give the inverse of the scalar -- -- > 1 / a@@ -243,6 +279,14 @@     withNewScalarFreeze $ \b -> withScalar a $ \pa ->         ccryptonite_p256_modinv_vartime ccryptonite_SECP256r1_n pa b +-- | Give the inverse of the scalar using safe exponentiation+--+-- > 1 / a+scalarInvSafe :: Scalar -> Scalar+scalarInvSafe a =+    withNewScalarFreeze $ \b -> withScalar a $ \pa ->+        ccryptonite_p256e_scalar_invert pa b+ -- | Compare 2 Scalar scalarCmp :: Scalar -> Scalar -> Ordering scalarCmp a b = unsafeDoIO $@@ -253,7 +297,7 @@ -- | convert a scalar from binary scalarFromBinary :: ByteArrayAccess ba => ba -> CryptoFailable Scalar scalarFromBinary ba-    | B.length ba /= scalarSize = CryptoFailed $ CryptoError_SecretKeySizeInvalid+    | B.length ba /= scalarSize = CryptoFailed CryptoError_SecretKeySizeInvalid     | otherwise                 =         CryptoPassed $ withNewScalarFreeze $ \p -> B.withByteArray ba $ \b ->             ccryptonite_p256_from_bin b p@@ -292,20 +336,11 @@ {-# NOINLINE withNewScalarFreeze #-}  withTempPoint :: (Ptr P256X -> Ptr P256Y -> IO a) -> IO a-withTempPoint f = allocTempScrubbed scalarSize (\p -> let px = castPtr p in f px (pxToPy px))--withTempScalar :: (Ptr P256Scalar -> IO a) -> IO a-withTempScalar f = allocTempScrubbed scalarSize (f . castPtr)+withTempPoint f = allocTempScrubbed pointSize (\p -> let px = castPtr p in f px (pxToPy px))  withScalar :: Scalar -> (Ptr P256Scalar -> IO a) -> IO a withScalar (Scalar d) f = B.withByteArray d f -withScalarZero :: (Ptr P256Scalar -> IO a) -> IO a-withScalarZero f =-    withTempScalar $ \d -> do-        ccryptonite_p256_init d-        f d- allocTemp :: Int -> (Ptr Word8 -> IO a) -> IO a allocTemp n f = ignoreSnd <$> B.allocRet n f   where@@ -334,18 +369,20 @@     ccryptonite_p256_is_zero :: Ptr P256Scalar -> IO CInt foreign import ccall "cryptonite_p256_clear"     ccryptonite_p256_clear :: Ptr P256Scalar -> IO ()-foreign import ccall "cryptonite_p256_add"-    ccryptonite_p256_add :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO CInt+foreign import ccall "cryptonite_p256e_modadd"+    ccryptonite_p256e_modadd :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO () foreign import ccall "cryptonite_p256_add_d"     ccryptonite_p256_add_d :: Ptr P256Scalar -> P256Digit -> Ptr P256Scalar -> IO CInt-foreign import ccall "cryptonite_p256_sub"-    ccryptonite_p256_sub :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO CInt+foreign import ccall "cryptonite_p256e_modsub"+    ccryptonite_p256e_modsub :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO () foreign import ccall "cryptonite_p256_cmp"     ccryptonite_p256_cmp :: Ptr P256Scalar -> Ptr P256Scalar -> IO CInt foreign import ccall "cryptonite_p256_mod"     ccryptonite_p256_mod :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO () foreign import ccall "cryptonite_p256_modmul"     ccryptonite_p256_modmul :: Ptr P256Scalar -> Ptr P256Scalar -> P256Digit -> Ptr P256Scalar -> Ptr P256Scalar -> IO ()+foreign import ccall "cryptonite_p256e_scalar_invert"+    ccryptonite_p256e_scalar_invert :: Ptr P256Scalar -> Ptr P256Scalar -> IO () --foreign import ccall "cryptonite_p256_modinv" --    ccryptonite_p256_modinv :: Ptr P256Scalar -> Ptr P256Scalar -> Ptr P256Scalar -> IO () foreign import ccall "cryptonite_p256_modinv_vartime"@@ -359,6 +396,18 @@     ccryptonite_p256e_point_add :: Ptr P256X -> Ptr P256Y                                 -> Ptr P256X -> Ptr P256Y                                 -> Ptr P256X -> Ptr P256Y+                                -> IO ()++foreign import ccall "cryptonite_p256e_point_negate"+    ccryptonite_p256e_point_negate :: Ptr P256X -> Ptr P256Y+                                   -> Ptr P256X -> Ptr P256Y+                                   -> IO ()++-- compute (out_x,out_y) = n * (in_x,in_y)+foreign import ccall "cryptonite_p256e_point_mul"+    ccryptonite_p256e_point_mul :: Ptr P256Scalar -- n+                                -> Ptr P256X -> Ptr P256Y -- in_{x,y}+                                -> Ptr P256X -> Ptr P256Y -- out_{x,y}                                 -> IO ()  -- compute (out_x,out,y) = n1 * G + n2 * (in_x,in_y)
Crypto/PubKey/ECC/Prim.hs view
@@ -4,6 +4,7 @@ module Crypto.PubKey.ECC.Prim     ( scalarGenerate     , pointAdd+    , pointNegate     , pointDouble     , pointBaseMul     , pointMul@@ -30,9 +31,9 @@ -- | Elliptic Curve point negation: -- @pointNegate c p@ returns point @q@ such that @pointAdd c p q == PointO@. pointNegate :: Curve -> Point -> Point-pointNegate _           PointO     = PointO-pointNegate CurveFP{}  (Point x y) = Point x (-y)-pointNegate CurveF2m{} (Point x y) = Point x (x `addF2m` y)+pointNegate _            PointO     = PointO+pointNegate (CurveFP c) (Point x y) = Point x (ecc_p c - y)+pointNegate CurveF2m{}  (Point x y) = Point x (x `addF2m` y)  -- | Elliptic Curve point addition. --
Crypto/PubKey/ECC/Types.hs view
@@ -6,7 +6,7 @@ -- Stability   : Experimental -- Portability : Excellent ----- references:+-- References: --   <https://tools.ietf.org/html/rfc5915> -- module Crypto.PubKey.ECC.Types@@ -21,7 +21,7 @@     , ecc_fx     , ecc_p     , CurveCommon(..)-    -- * recommended curves definition+    -- * Recommended curves definition     , CurveName(..)     , getCurveByName     ) where@@ -33,7 +33,7 @@ -- | Define either a binary curve or a prime curve. data Curve = CurveF2m CurveBinary -- ^ 𝔽(2^m)            | CurveFP  CurvePrime  -- ^ 𝔽p-           deriving (Show,Read,Eq,Data,Typeable)+           deriving (Show,Read,Eq,Data)  -- | ECC Public Point type PublicPoint = Point@@ -44,7 +44,7 @@ -- | Define a point on a curve. data Point = Point Integer Integer            | PointO -- ^ Point at Infinity-           deriving (Show,Read,Eq,Data,Typeable)+           deriving (Show,Read,Eq,Data)  instance NFData Point where     rnf (Point x y) = x `seq` y `seq` ()@@ -53,7 +53,7 @@ -- | Define an elliptic curve in 𝔽(2^m). -- The firt parameter is the Integer representatioin of the irreducible polynomial f(x). data CurveBinary = CurveBinary Integer CurveCommon-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  instance NFData CurveBinary where     rnf (CurveBinary i cc) = i `seq` cc `seq` ()@@ -61,7 +61,7 @@ -- | Define an elliptic curve in 𝔽p. -- The first parameter is the Prime Number. data CurvePrime = CurvePrime Integer CurveCommon-    deriving (Show,Read,Eq,Data,Typeable)+    deriving (Show,Read,Eq,Data)  -- | Parameters in common between binary and prime curves. common_curve :: Curve -> CurveCommon@@ -84,7 +84,7 @@     , ecc_g :: Point   -- ^ base point     , ecc_n :: Integer -- ^ order of G     , ecc_h :: Integer -- ^ cofactor-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  -- | Define names for known recommended curves. data CurveName =@@ -121,7 +121,7 @@     | SEC_t409r1     | SEC_t571k1     | SEC_t571r1-    deriving (Show,Read,Eq,Ord,Enum,Bounded,Data,Typeable)+    deriving (Show,Read,Eq,Ord,Enum,Bounded,Data)  {- curvesOIDs :: [ (CurveName, [Integer]) ]
+ Crypto/PubKey/ECDSA.hs view
@@ -0,0 +1,272 @@+-- |+-- Module      : Crypto.PubKey.ECDSA+-- License     : BSD-style+-- Maintainer  : Vincent Hanquez <vincent@snarc.org>+-- Stability   : experimental+-- Portability : unknown+--+-- Elliptic Curve Digital Signature Algorithm, with the parameterized+-- curve implementations provided by module "Crypto.ECC".+--+-- Public/private key pairs can be generated using+-- 'curveGenerateKeyPair' or decoded from binary.+--+-- /WARNING:/ Only curve P-256 has constant-time implementation.+-- Signature operations with P-384 and P-521 may leak the private key.+--+-- Signature verification should be safe for all curves.+{-# LANGUAGE BangPatterns #-}+{-# LANGUAGE FlexibleContexts #-}+{-# LANGUAGE ScopedTypeVariables #-}+{-# LANGUAGE StandaloneDeriving #-}+{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE UndecidableInstances #-}+module Crypto.PubKey.ECDSA+    ( EllipticCurveECDSA (..)+    -- * Public keys+    , PublicKey+    , encodePublic+    , decodePublic+    , toPublic+    -- * Private keys+    , PrivateKey+    , encodePrivate+    , decodePrivate+    -- * Signatures+    , Signature(..)+    , signatureFromIntegers+    , signatureToIntegers+    -- * Generation and verification+    , signWith+    , signDigestWith+    , sign+    , signDigest+    , verify+    , verifyDigest+    ) where++import           Control.Monad++import           Crypto.ECC+import qualified Crypto.ECC.Simple.Types as Simple+import           Crypto.Error+import           Crypto.Hash+import           Crypto.Hash.Types+import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess)+import           Crypto.Internal.Imports+import           Crypto.Number.ModArithmetic (inverseFermat)+import qualified Crypto.PubKey.ECC.P256 as P256+import           Crypto.Random.Types++import           Data.Bits+import qualified Data.ByteArray as B+import           Data.Data++import           Foreign.Ptr (Ptr)+import           Foreign.Storable (peekByteOff, pokeByteOff)++-- | Represent a ECDSA signature namely R and S.+data Signature curve = Signature+    { sign_r :: Scalar curve -- ^ ECDSA r+    , sign_s :: Scalar curve -- ^ ECDSA s+    }++deriving instance Eq (Scalar curve) => Eq (Signature curve)+deriving instance Show (Scalar curve) => Show (Signature curve)++instance NFData (Scalar curve) => NFData (Signature curve) where+    rnf (Signature r s) = rnf r `seq` rnf s `seq` ()++-- | ECDSA Public Key.+type PublicKey curve = Point curve++-- | ECDSA Private Key.+type PrivateKey curve = Scalar curve++-- | Elliptic curves with ECDSA capabilities.+class EllipticCurveBasepointArith curve => EllipticCurveECDSA curve where+    -- | Is a scalar in the accepted range for ECDSA+    scalarIsValid :: proxy curve -> Scalar curve -> Bool++    -- | Test whether the scalar is zero+    scalarIsZero :: proxy curve -> Scalar curve -> Bool+    scalarIsZero prx s = s == throwCryptoError (scalarFromInteger prx 0)++    -- | Scalar inversion modulo the curve order+    scalarInv :: proxy curve -> Scalar curve -> Maybe (Scalar curve)++    -- | Return the point X coordinate as a scalar+    pointX :: proxy curve -> Point curve -> Maybe (Scalar curve)++instance EllipticCurveECDSA Curve_P256R1 where+    scalarIsValid _ s = not (P256.scalarIsZero s)+                            && P256.scalarCmp s P256.scalarN == LT++    scalarIsZero _ = P256.scalarIsZero++    scalarInv _ s = let inv = P256.scalarInvSafe s+                     in if P256.scalarIsZero inv then Nothing else Just inv++    pointX _  = P256.pointX++instance EllipticCurveECDSA Curve_P384R1 where+    scalarIsValid _ = ecScalarIsValid (Proxy :: Proxy Simple.SEC_p384r1)++    scalarIsZero _ = ecScalarIsZero++    scalarInv _ = ecScalarInv (Proxy :: Proxy Simple.SEC_p384r1)++    pointX _  = ecPointX (Proxy :: Proxy Simple.SEC_p384r1)++instance EllipticCurveECDSA Curve_P521R1 where+    scalarIsValid _ = ecScalarIsValid (Proxy :: Proxy Simple.SEC_p521r1)++    scalarIsZero _ = ecScalarIsZero++    scalarInv _ = ecScalarInv (Proxy :: Proxy Simple.SEC_p521r1)++    pointX _  = ecPointX (Proxy :: Proxy Simple.SEC_p521r1)+++-- | Create a signature from integers (R, S).+signatureFromIntegers :: EllipticCurveECDSA curve+                      => proxy curve -> (Integer, Integer) -> CryptoFailable (Signature curve)+signatureFromIntegers prx (r, s) =+    liftA2 Signature (scalarFromInteger prx r) (scalarFromInteger prx s)++-- | Get integers (R, S) from a signature.+--+-- The values can then be used to encode the signature to binary with+-- ASN.1.+signatureToIntegers :: EllipticCurveECDSA curve+                    => proxy curve -> Signature curve -> (Integer, Integer)+signatureToIntegers prx sig =+    (scalarToInteger prx $ sign_r sig, scalarToInteger prx $ sign_s sig)++-- | Encode a public key into binary form, i.e. the uncompressed encoding+-- referenced from <https://tools.ietf.org/html/rfc5480 RFC 5480> section 2.2.+encodePublic :: (EllipticCurve curve, ByteArray bs)+             => proxy curve -> PublicKey curve -> bs+encodePublic = encodePoint++-- | Try to decode the binary form of a public key.+decodePublic :: (EllipticCurve curve, ByteArray bs)+             => proxy curve -> bs -> CryptoFailable (PublicKey curve)+decodePublic = decodePoint++-- | Encode a private key into binary form, i.e. the @privateKey@ field+-- described in <https://tools.ietf.org/html/rfc5915 RFC 5915>.+encodePrivate :: (EllipticCurveECDSA curve, ByteArray bs)+              => proxy curve -> PrivateKey curve -> bs+encodePrivate = encodeScalar++-- | Try to decode the binary form of a private key.+decodePrivate :: (EllipticCurveECDSA curve, ByteArray bs)+              => proxy curve -> bs -> CryptoFailable (PrivateKey curve)+decodePrivate = decodeScalar++-- | Create a public key from a private key.+toPublic :: EllipticCurveECDSA curve+         => proxy curve -> PrivateKey curve -> PublicKey curve+toPublic = pointBaseSmul++-- | Sign digest using the private key and an explicit k scalar.+signDigestWith :: (EllipticCurveECDSA curve, HashAlgorithm hash)+               => proxy curve -> Scalar curve -> PrivateKey curve -> Digest hash -> Maybe (Signature curve)+signDigestWith prx k d digest = do+    let z = tHashDigest prx digest+        point = pointBaseSmul prx k+    r <- pointX prx point+    kInv <- scalarInv prx k+    let s = scalarMul prx kInv (scalarAdd prx z (scalarMul prx r d))+    when (scalarIsZero prx r || scalarIsZero prx s) Nothing+    return $ Signature r s++-- | Sign message using the private key and an explicit k scalar.+signWith :: (EllipticCurveECDSA curve, ByteArrayAccess msg, HashAlgorithm hash)+         => proxy curve -> Scalar curve -> PrivateKey curve -> hash -> msg -> Maybe (Signature curve)+signWith prx k d hashAlg msg = signDigestWith prx k d (hashWith hashAlg msg)++-- | Sign a digest using hash and private key.+signDigest :: (EllipticCurveECDSA curve, MonadRandom m, HashAlgorithm hash)+           => proxy curve -> PrivateKey curve -> Digest hash -> m (Signature curve)+signDigest prx pk digest = do+    k <- curveGenerateScalar prx+    case signDigestWith prx k pk digest of+        Nothing  -> signDigest prx pk digest+        Just sig -> return sig++-- | Sign a message using hash and private key.+sign :: (EllipticCurveECDSA curve, MonadRandom m, ByteArrayAccess msg, HashAlgorithm hash)+     => proxy curve -> PrivateKey curve -> hash -> msg -> m (Signature curve)+sign prx pk hashAlg msg = signDigest prx pk (hashWith hashAlg msg)++-- | Verify a digest using hash and public key.+verifyDigest :: (EllipticCurveECDSA curve, HashAlgorithm hash)+       => proxy curve -> PublicKey curve -> Signature curve -> Digest hash -> Bool+verifyDigest prx q (Signature r s) digest+    | not (scalarIsValid prx r) = False+    | not (scalarIsValid prx s) = False+    | otherwise = maybe False (r ==) $ do+        w <- scalarInv prx s+        let z  = tHashDigest prx digest+            u1 = scalarMul prx z w+            u2 = scalarMul prx r w+            x  = pointsSmulVarTime prx u1 u2 q+        pointX prx x+    -- Note: precondition q /= PointO is not tested because we assume+    -- point decoding never decodes point at infinity.++-- | Verify a signature using hash and public key.+verify :: (EllipticCurveECDSA curve, ByteArrayAccess msg, HashAlgorithm hash)+       => proxy curve -> hash -> PublicKey curve -> Signature curve -> msg -> Bool+verify prx hashAlg q sig msg = verifyDigest prx q sig (hashWith hashAlg msg)++-- | Truncate a digest based on curve order size.+tHashDigest :: (EllipticCurveECDSA curve, HashAlgorithm hash)+            => proxy curve -> Digest hash -> Scalar curve+tHashDigest prx (Digest digest) = throwCryptoError $ decodeScalar prx encoded+  where m      = curveOrderBits prx+        d      = m - B.length digest * 8+        (n, r) = m `divMod` 8+        n'     = if r > 0 then succ n else n++        encoded+            | d >  0    = B.zero (n' - B.length digest) `B.append` digest+            | d == 0    = digest+            | r == 0    = B.take n digest+            | otherwise = shiftBytes digest++        shiftBytes bs = B.allocAndFreeze n' $ \dst ->+            B.withByteArray bs $ \src -> go dst src 0 0++        go :: Ptr Word8 -> Ptr Word8 -> Word8 -> Int -> IO ()+        go dst src !a i+            | i >= n'   = return ()+            | otherwise = do+                b <- peekByteOff src i+                pokeByteOff dst i (unsafeShiftR b (8 - r) .|. unsafeShiftL a r)+                go dst src b (succ i)+++ecScalarIsValid :: Simple.Curve c => proxy c -> Simple.Scalar c -> Bool+ecScalarIsValid prx (Simple.Scalar s) = s > 0 && s < n+  where n = Simple.curveEccN $ Simple.curveParameters prx++ecScalarIsZero :: forall curve . Simple.Curve curve+               => Simple.Scalar curve -> Bool+ecScalarIsZero (Simple.Scalar a) = a == 0++ecScalarInv :: Simple.Curve c+            => proxy c -> Simple.Scalar c -> Maybe (Simple.Scalar c)+ecScalarInv prx (Simple.Scalar s)+    | i == 0    = Nothing+    | otherwise = Just $ Simple.Scalar i+  where n = Simple.curveEccN $ Simple.curveParameters prx+        i = inverseFermat s n++ecPointX :: Simple.Curve c+         => proxy c -> Simple.Point c -> Maybe (Simple.Scalar c)+ecPointX _   Simple.PointO      = Nothing+ecPointX prx (Simple.Point x _) = Just (Simple.Scalar $ x `mod` n)+  where n = Simple.curveEccN $ Simple.curveParameters prx
Crypto/PubKey/ECIES.hs view
@@ -25,18 +25,18 @@     ) where  import           Crypto.ECC+import           Crypto.Error import           Crypto.Random-import           Crypto.Internal.Proxy  -- | Generate random a new Shared secret and the associated point -- to do a ECIES style encryption deriveEncrypt :: (MonadRandom randomly, EllipticCurveDH curve)               => proxy curve -- ^ representation of the curve               -> Point curve -- ^ the public key of the receiver-              -> randomly (Point curve, SharedSecret)+              -> randomly (CryptoFailable (Point curve, SharedSecret)) deriveEncrypt proxy pub = do     (KeyPair rPoint rScalar) <- curveGenerateKeyPair proxy-    return (rPoint, ecdh proxy rScalar pub)+    return $ (\s -> (rPoint, s)) `fmap` ecdh proxy rScalar pub  -- | Derive the shared secret with the receiver key -- and the R point of the scheme.@@ -44,5 +44,5 @@               => proxy curve  -- ^ representation of the curve               -> Point curve  -- ^ The received R (supposedly, randomly generated on the encrypt side)               -> Scalar curve -- ^ The secret key of the receiver-              -> SharedSecret+              -> CryptoFailable SharedSecret deriveDecrypt proxy point secret = ecdh proxy secret point
Crypto/PubKey/Ed25519.hs view
@@ -7,35 +7,42 @@ -- -- Ed25519 support --+{-# LANGUAGE BangPatterns               #-} {-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE BangPatterns #-} module Crypto.PubKey.Ed25519     ( SecretKey     , PublicKey     , Signature+    -- * Size constants+    , publicKeySize+    , secretKeySize+    , signatureSize     -- * Smart constructors     , signature     , publicKey     , secretKey-    -- * methods+    -- * Methods     , toPublic     , sign     , verify+    , generateSecretKey     ) where  import           Data.Word-import           Foreign.Ptr import           Foreign.C.Types+import           Foreign.Ptr +import           Crypto.Error+import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes,+                                            ScrubbedBytes, withByteArray)+import qualified Crypto.Internal.ByteArray as B import           Crypto.Internal.Compat import           Crypto.Internal.Imports-import           Crypto.Internal.ByteArray (ByteArrayAccess, withByteArray, ScrubbedBytes, Bytes)-import qualified Crypto.Internal.ByteArray as B-import           Crypto.Error+import           Crypto.Random  -- | An Ed25519 Secret key newtype SecretKey = SecretKey ScrubbedBytes-    deriving (Eq,ByteArrayAccess,NFData)+    deriving (Show,Eq,ByteArrayAccess,NFData)  -- | An Ed25519 public key newtype PublicKey = PublicKey Bytes@@ -106,12 +113,19 @@   where     !msgLen = B.length message +-- | Generate a secret key+generateSecretKey :: MonadRandom m => m SecretKey+generateSecretKey = SecretKey <$> getRandomBytes secretKeySize++-- | A public key is 32 bytes publicKeySize :: Int publicKeySize = 32 +-- | A secret key is 32 bytes secretKeySize :: Int secretKeySize = 32 +-- | A signature is 64 bytes signatureSize :: Int signatureSize = 64 
Crypto/PubKey/Ed448.hs view
@@ -1,20 +1,163 @@ -- | -- Module      : Crypto.PubKey.Ed448 -- License     : BSD-style--- Maintainer  : John Galt <jgalt@centromere.net>+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com> -- Stability   : experimental -- Portability : unknown -- -- Ed448 support ----- /Functions and types exported here will be DEPRECATED in a future version./--- For Diffie-Hellman over curve448 please use module "Crypto.PubKey.Curve448"--- instead.+-- Internally uses Decaf point compression to omit the cofactor+-- and implementation by Mike Hamburg.  Externally API and+-- data types are compatible with the encoding specified in RFC 8032. --+{-# LANGUAGE BangPatterns               #-} {-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE MagicHash #-} module Crypto.PubKey.Ed448-    ( module Crypto.PubKey.Curve448+    ( SecretKey+    , PublicKey+    , Signature+    -- * Size constants+    , publicKeySize+    , secretKeySize+    , signatureSize+    -- * Smart constructors+    , signature+    , publicKey+    , secretKey+    -- * Methods+    , toPublic+    , sign+    , verify+    , generateSecretKey     ) where -import Crypto.PubKey.Curve448+import           Data.Word+import           Foreign.C.Types+import           Foreign.Ptr++import           Crypto.Error+import           Crypto.Internal.ByteArray (ByteArrayAccess, Bytes,+                                            ScrubbedBytes, withByteArray)+import qualified Crypto.Internal.ByteArray as B+import           Crypto.Internal.Compat+import           Crypto.Internal.Imports+import           Crypto.Random++-- | An Ed448 Secret key+newtype SecretKey = SecretKey ScrubbedBytes+    deriving (Show,Eq,ByteArrayAccess,NFData)++-- | An Ed448 public key+newtype PublicKey = PublicKey Bytes+    deriving (Show,Eq,ByteArrayAccess,NFData)++-- | An Ed448 signature+newtype Signature = Signature Bytes+    deriving (Show,Eq,ByteArrayAccess,NFData)++-- | Try to build a public key from a bytearray+publicKey :: ByteArrayAccess ba => ba -> CryptoFailable PublicKey+publicKey bs+    | B.length bs == publicKeySize =+        CryptoPassed $ PublicKey $ B.copyAndFreeze bs (\_ -> return ())+    | otherwise =+        CryptoFailed $ CryptoError_PublicKeySizeInvalid++-- | Try to build a secret key from a bytearray+secretKey :: ByteArrayAccess ba => ba -> CryptoFailable SecretKey+secretKey bs+    | B.length bs == secretKeySize = unsafeDoIO $ withByteArray bs initialize+    | otherwise                    = CryptoFailed CryptoError_SecretKeyStructureInvalid+  where+        initialize inp = do+            valid <- isValidPtr inp+            if valid+                then (CryptoPassed . SecretKey) <$> B.copy bs (\_ -> return ())+                else return $ CryptoFailed CryptoError_SecretKeyStructureInvalid+        isValidPtr _ =+            return True+{-# NOINLINE secretKey #-}++-- | Try to build a signature from a bytearray+signature :: ByteArrayAccess ba => ba -> CryptoFailable Signature+signature bs+    | B.length bs == signatureSize =+        CryptoPassed $ Signature $ B.copyAndFreeze bs (\_ -> return ())+    | otherwise =+        CryptoFailed CryptoError_SecretKeyStructureInvalid++-- | Create a public key from a secret key+toPublic :: SecretKey -> PublicKey+toPublic (SecretKey sec) = PublicKey <$>+    B.allocAndFreeze publicKeySize $ \result ->+    withByteArray sec              $ \psec   ->+        decaf_ed448_derive_public_key result psec+{-# NOINLINE toPublic #-}++-- | Sign a message using the key pair+sign :: ByteArrayAccess ba => SecretKey -> PublicKey -> ba -> Signature+sign secret public message =+    Signature $ B.allocAndFreeze signatureSize $ \sig ->+        withByteArray secret  $ \sec ->+        withByteArray public  $ \pub ->+        withByteArray message $ \msg ->+             decaf_ed448_sign sig sec pub msg (fromIntegral msgLen) 0 no_context 0+  where+    !msgLen = B.length message++-- | Verify a message+verify :: ByteArrayAccess ba => PublicKey -> ba -> Signature -> Bool+verify public message signatureVal = unsafeDoIO $+    withByteArray signatureVal $ \sig ->+    withByteArray public       $ \pub ->+    withByteArray message      $ \msg -> do+      r <- decaf_ed448_verify sig pub msg (fromIntegral msgLen) 0 no_context 0+      return (r /= 0)+  where+    !msgLen = B.length message++-- | Generate a secret key+generateSecretKey :: MonadRandom m => m SecretKey+generateSecretKey = SecretKey <$> getRandomBytes secretKeySize++-- | A public key is 57 bytes+publicKeySize :: Int+publicKeySize = 57++-- | A secret key is 57 bytes+secretKeySize :: Int+secretKeySize = 57++-- | A signature is 114 bytes+signatureSize :: Int+signatureSize = 114++no_context :: Ptr Word8+no_context = nullPtr -- not supported yet++foreign import ccall "cryptonite_decaf_ed448_derive_public_key"+    decaf_ed448_derive_public_key :: Ptr PublicKey -- public key+                                  -> Ptr SecretKey -- secret key+                                  -> IO ()++foreign import ccall "cryptonite_decaf_ed448_sign"+    decaf_ed448_sign :: Ptr Signature -- signature+                     -> Ptr SecretKey -- secret+                     -> Ptr PublicKey -- public+                     -> Ptr Word8     -- message+                     -> CSize         -- message len+                     -> Word8         -- prehashed+                     -> Ptr Word8     -- context+                     -> Word8         -- context len+                     -> IO ()++foreign import ccall "cryptonite_decaf_ed448_verify"+    decaf_ed448_verify :: Ptr Signature -- signature+                       -> Ptr PublicKey -- public+                       -> Ptr Word8     -- message+                       -> CSize         -- message len+                       -> Word8         -- prehashed+                       -> Ptr Word8     -- context+                       -> Word8         -- context len+                       -> IO CInt
+ Crypto/PubKey/EdDSA.hs view
@@ -0,0 +1,390 @@+-- |+-- Module      : Crypto.PubKey.EdDSA+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : experimental+-- Portability : unknown+--+-- EdDSA signature generation and verification, implemented in Haskell and+-- parameterized with elliptic curve and hash algorithm.  Only edwards25519 is+-- supported at the moment.+--+-- The module provides \"context\" and \"prehash\" variants defined in+-- <https://tools.ietf.org/html/rfc8032 RFC 8032>.+--+-- This implementation is most useful when wanting to customize the hash+-- algorithm.  See module "Crypto.PubKey.Ed25519" for faster Ed25519 with+-- SHA-512.+--+{-# LANGUAGE DataKinds                  #-}+{-# LANGUAGE FlexibleContexts           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving #-}+{-# LANGUAGE OverloadedStrings          #-}+{-# LANGUAGE RankNTypes                 #-}+{-# LANGUAGE ScopedTypeVariables        #-}+{-# LANGUAGE TypeFamilies               #-}+module Crypto.PubKey.EdDSA+    ( SecretKey+    , PublicKey+    , Signature+    -- * Curves with EdDSA implementation+    , EllipticCurveEdDSA(CurveDigestSize)+    , publicKeySize+    , secretKeySize+    , signatureSize+    -- * Smart constructors+    , signature+    , publicKey+    , secretKey+    -- * Methods+    , toPublic+    , sign+    , signCtx+    , signPh+    , verify+    , verifyCtx+    , verifyPh+    , generateSecretKey+    ) where++import           Data.Bits+import           Data.ByteArray (ByteArray, ByteArrayAccess, Bytes, ScrubbedBytes, View)+import qualified Data.ByteArray as B+import           Data.ByteString (ByteString)+import           Data.Proxy++import           Crypto.ECC+import qualified Crypto.ECC.Edwards25519 as Edwards25519+import           Crypto.Error+import           Crypto.Hash (Digest)+import           Crypto.Hash.IO+import           Crypto.Random++import           GHC.TypeLits (KnownNat, Nat)++import           Crypto.Internal.Builder+import           Crypto.Internal.Compat+import           Crypto.Internal.Imports+import           Crypto.Internal.Nat (integralNatVal)++import           Foreign.Storable+++-- API++-- | An EdDSA Secret key+newtype SecretKey curve = SecretKey ScrubbedBytes+    deriving (Show,Eq,ByteArrayAccess,NFData)++-- | An EdDSA public key+newtype PublicKey curve hash = PublicKey Bytes+    deriving (Show,Eq,ByteArrayAccess,NFData)++-- | An EdDSA signature+newtype Signature curve hash = Signature Bytes+    deriving (Show,Eq,ByteArrayAccess,NFData)++-- | Elliptic curves with an implementation of EdDSA+class ( EllipticCurveBasepointArith curve+      , KnownNat (CurveDigestSize curve)+      ) => EllipticCurveEdDSA curve where++    -- | Size of the digest for this curve (in bytes)+    type CurveDigestSize curve :: Nat++    -- | Size of secret keys for this curve (in bytes)+    secretKeySize :: proxy curve -> Int++    -- hash with specified parameters+    hashWithDom :: (HashAlgorithm hash, ByteArrayAccess ctx, ByteArrayAccess msg)+                => proxy curve -> hash -> Bool -> ctx -> Builder -> msg -> Bytes++    -- conversion between scalar, point and public key+    pointPublic :: proxy curve -> Point curve -> PublicKey curve hash+    publicPoint :: proxy curve -> PublicKey curve hash -> CryptoFailable (Point curve)+    encodeScalarLE :: ByteArray bs => proxy curve -> Scalar curve -> bs+    decodeScalarLE :: ByteArrayAccess bs => proxy curve -> bs -> CryptoFailable (Scalar curve)++    -- how to use bits in a secret key+    scheduleSecret :: ( HashAlgorithm hash+                      , HashDigestSize hash ~ CurveDigestSize curve+                      )+                   => proxy curve+                   -> hash+                   -> SecretKey curve+                   -> (Scalar curve, View Bytes)++-- | Size of public keys for this curve (in bytes)+publicKeySize :: EllipticCurveEdDSA curve => proxy curve -> Int+publicKeySize prx = signatureSize prx `div` 2++-- | Size of signatures for this curve (in bytes)+signatureSize :: forall proxy curve . EllipticCurveEdDSA curve+              => proxy curve -> Int+signatureSize _ = integralNatVal (Proxy :: Proxy (CurveDigestSize curve))+++-- Constructors++-- | Try to build a public key from a bytearray+publicKey :: ( EllipticCurveEdDSA curve+             , HashAlgorithm hash+             , HashDigestSize hash ~ CurveDigestSize curve+             , ByteArrayAccess ba+             )+          => proxy curve -> hash -> ba -> CryptoFailable (PublicKey curve hash)+publicKey prx _ bs+    | B.length bs == publicKeySize prx =+        CryptoPassed (PublicKey $ B.convert bs)+    | otherwise =+        CryptoFailed CryptoError_PublicKeySizeInvalid++-- | Try to build a secret key from a bytearray+secretKey :: (EllipticCurveEdDSA curve, ByteArrayAccess ba)+          => proxy curve -> ba -> CryptoFailable (SecretKey curve)+secretKey prx bs+    | B.length bs == secretKeySize prx =+        CryptoPassed (SecretKey $ B.convert bs)+    | otherwise                        =+        CryptoFailed CryptoError_SecretKeyStructureInvalid++-- | Try to build a signature from a bytearray+signature :: ( EllipticCurveEdDSA curve+             , HashAlgorithm hash+             , HashDigestSize hash ~ CurveDigestSize curve+             , ByteArrayAccess ba+             )+          => proxy curve -> hash -> ba -> CryptoFailable (Signature curve hash)+signature prx _ bs+    | B.length bs == signatureSize prx =+        CryptoPassed (Signature $ B.convert bs)+    | otherwise =+        CryptoFailed CryptoError_SecretKeyStructureInvalid+++-- Conversions++-- | Generate a secret key+generateSecretKey :: (EllipticCurveEdDSA curve, MonadRandom m)+                  => proxy curve -> m (SecretKey curve)+generateSecretKey prx = SecretKey <$> getRandomBytes (secretKeySize prx)++-- | Create a public key from a secret key+toPublic :: ( EllipticCurveEdDSA curve+            , HashAlgorithm hash+            , HashDigestSize hash ~ CurveDigestSize curve+            )+         => proxy curve -> hash -> SecretKey curve -> PublicKey curve hash+toPublic prx alg priv =+    let p = pointBaseSmul prx (secretScalar prx alg priv)+     in pointPublic prx p++secretScalar :: ( EllipticCurveEdDSA curve+                , HashAlgorithm hash+                , HashDigestSize hash ~ CurveDigestSize curve+                )+             => proxy curve -> hash -> SecretKey curve -> Scalar curve+secretScalar prx alg priv = fst (scheduleSecret prx alg priv)+++-- EdDSA signature generation & verification++-- | Sign a message using the key pair+sign :: ( EllipticCurveEdDSA curve+        , HashAlgorithm hash+        , HashDigestSize hash ~ CurveDigestSize curve+        , ByteArrayAccess msg+        )+     => proxy curve -> SecretKey curve -> PublicKey curve hash -> msg -> Signature curve hash+sign prx = signCtx prx emptyCtx++-- | Verify a message+verify :: ( EllipticCurveEdDSA curve+          , HashAlgorithm hash+          , HashDigestSize hash ~ CurveDigestSize curve+          , ByteArrayAccess msg+          )+       => proxy curve -> PublicKey curve hash -> msg -> Signature curve hash -> Bool+verify prx = verifyCtx prx emptyCtx++-- | Sign a message using the key pair under context @ctx@+signCtx :: ( EllipticCurveEdDSA curve+           , HashAlgorithm hash+           , HashDigestSize hash ~ CurveDigestSize curve+           , ByteArrayAccess ctx+           , ByteArrayAccess msg+           )+        => proxy curve -> ctx -> SecretKey curve -> PublicKey curve hash -> msg -> Signature curve hash+signCtx prx = signPhCtx prx False++-- | Verify a message under context @ctx@+verifyCtx :: ( EllipticCurveEdDSA curve+             , HashAlgorithm hash+             , HashDigestSize hash ~ CurveDigestSize curve+             , ByteArrayAccess ctx+             , ByteArrayAccess msg+             )+          => proxy curve -> ctx -> PublicKey curve hash -> msg -> Signature curve hash -> Bool+verifyCtx prx = verifyPhCtx prx False++-- | Sign a prehashed message using the key pair under context @ctx@+signPh :: ( EllipticCurveEdDSA curve+          , HashAlgorithm hash+          , HashDigestSize hash ~ CurveDigestSize curve+          , ByteArrayAccess ctx+          )+       => proxy curve -> ctx -> SecretKey curve -> PublicKey curve hash -> Digest prehash -> Signature curve hash+signPh prx = signPhCtx prx True++-- | Verify a prehashed message under context @ctx@+verifyPh :: ( EllipticCurveEdDSA curve+            , HashAlgorithm hash+            , HashDigestSize hash ~ CurveDigestSize curve+            , ByteArrayAccess ctx+            )+         => proxy curve -> ctx -> PublicKey curve hash -> Digest prehash -> Signature curve hash -> Bool+verifyPh prx = verifyPhCtx prx True++signPhCtx :: forall proxy curve hash ctx msg .+             ( EllipticCurveEdDSA curve+             , HashAlgorithm hash+             , HashDigestSize hash ~ CurveDigestSize curve+             , ByteArrayAccess ctx+             , ByteArrayAccess msg+             )+          => proxy curve -> Bool -> ctx -> SecretKey curve -> PublicKey curve hash -> msg -> Signature curve hash+signPhCtx prx ph ctx priv pub msg =+    let alg  = undefined :: hash+        (s, prefix) = scheduleSecret prx alg priv+        digR = hashWithDom prx alg ph ctx (bytes prefix) msg+        r    = decodeScalarNoErr prx digR+        pR   = pointBaseSmul prx r+        bsR  = encodePoint prx pR+        sK   = getK prx ph ctx pub bsR msg+        sS   = scalarAdd prx r (scalarMul prx sK s)+     in encodeSignature prx (bsR, pR, sS)++verifyPhCtx :: ( EllipticCurveEdDSA curve+               , HashAlgorithm hash+               , HashDigestSize hash ~ CurveDigestSize curve+               , ByteArrayAccess ctx+               , ByteArrayAccess msg+               )+            => proxy curve -> Bool -> ctx -> PublicKey curve hash -> msg -> Signature curve hash -> Bool+verifyPhCtx prx ph ctx pub msg sig =+    case doVerify of+        CryptoPassed verified -> verified+        CryptoFailed _        -> False+  where+    doVerify = do+        (bsR, pR, sS) <- decodeSignature prx sig+        nPub <- pointNegate prx `fmap` publicPoint prx pub+        let sK  = getK prx ph ctx pub bsR msg+            pR' = pointsSmulVarTime prx sS sK nPub+        return (pR == pR')++emptyCtx :: Bytes+emptyCtx = B.empty++getK :: forall proxy curve hash ctx msg .+        ( EllipticCurveEdDSA curve+        , HashAlgorithm hash+        , HashDigestSize hash ~ CurveDigestSize curve+        , ByteArrayAccess ctx+        , ByteArrayAccess msg+        )+     => proxy curve -> Bool -> ctx -> PublicKey curve hash -> Bytes -> msg -> Scalar curve+getK prx ph ctx (PublicKey pub) bsR msg =+    let alg  = undefined :: hash+        digK = hashWithDom prx alg ph ctx (bytes bsR <> bytes pub) msg+     in decodeScalarNoErr prx digK++encodeSignature :: EllipticCurveEdDSA curve+                => proxy curve+                -> (Bytes, Point curve, Scalar curve)+                -> Signature curve hash+encodeSignature prx (bsR, _, sS) = Signature $ buildAndFreeze $+    bytes bsR <> bytes bsS <> zero len0+  where+    bsS  = encodeScalarLE prx sS :: Bytes+    len0 = signatureSize prx - B.length bsR - B.length bsS++decodeSignature :: ( EllipticCurveEdDSA curve+                   , HashDigestSize hash ~ CurveDigestSize curve+                   )+                => proxy curve+                -> Signature curve hash+                -> CryptoFailable (Bytes, Point curve, Scalar curve)+decodeSignature prx (Signature bs) = do+    let (bsR, bsS) = B.splitAt (publicKeySize prx) bs+    pR <- decodePoint prx bsR+    sS <- decodeScalarLE prx bsS+    return (bsR, pR, sS)++-- implementations are supposed to decode any scalar up to the size of the digest+decodeScalarNoErr :: (EllipticCurveEdDSA curve, ByteArrayAccess bs)+                  => proxy curve -> bs -> Scalar curve+decodeScalarNoErr prx = unwrap "decodeScalarNoErr" . decodeScalarLE prx++unwrap :: String -> CryptoFailable a -> a+unwrap name (CryptoFailed _) = error (name ++ ": assumption failed")+unwrap _    (CryptoPassed x) = x+++-- Ed25519 implementation++instance EllipticCurveEdDSA Curve_Edwards25519 where+    type CurveDigestSize Curve_Edwards25519 = 64+    secretKeySize _ = 32++    hashWithDom _ alg ph ctx bss+        | not ph && B.null ctx = digestDomMsg alg bss+        | otherwise            = digestDomMsg alg (dom <> bss)+      where dom = bytes ("SigEd25519 no Ed25519 collisions" :: ByteString) <>+                  byte (if ph then 1 else 0) <>+                  byte (fromIntegral $ B.length ctx) <>+                  bytes ctx++    pointPublic _ = PublicKey . Edwards25519.pointEncode+    publicPoint _ = Edwards25519.pointDecode+    encodeScalarLE _ = Edwards25519.scalarEncode+    decodeScalarLE _ = Edwards25519.scalarDecodeLong++    scheduleSecret prx alg priv =+        (decodeScalarNoErr prx clamped, B.dropView hashed 32)+      where+        hashed  = digest alg $ \update -> update priv++        clamped :: Bytes+        clamped = B.copyAndFreeze (B.takeView hashed 32) $ \p -> do+                      b0  <- peekElemOff p 0  :: IO Word8+                      b31 <- peekElemOff p 31 :: IO Word8+                      pokeElemOff p 31 ((b31 .&. 0x7F) .|. 0x40)+                      pokeElemOff p 0  (b0 .&. 0xF8)+++{-+  Optimize hashing by limiting the number of roundtrips between Haskell and C.+  Hash "update" functions do not use unsafe FFI call, so better concanetate+  small fragments together and call the update function once.++  Using the IO hash interface avoids context buffer copies.++  Data type Digest is not used directly but converted to Bytes early. Any use of+  withByteArray on the unpinned Digest backend would require copy through a+  pinned trampoline.+-}++digestDomMsg :: (HashAlgorithm alg, ByteArrayAccess msg)+             => alg -> Builder -> msg -> Bytes+digestDomMsg alg bss bs = digest alg $ \update ->+    update (buildAndFreeze bss :: Bytes) >> update bs++digest :: HashAlgorithm alg+       => alg+       -> ((forall bs . ByteArrayAccess bs => bs -> IO ()) -> IO ())+       -> Bytes+digest alg fn = B.convert $ unsafeDoIO $ do+    mc <- hashMutableInitWith alg+    fn (hashMutableUpdate mc)+    hashMutableFinalize mc
Crypto/PubKey/ElGamal.hs view
@@ -19,17 +19,17 @@     , EphemeralKey(..)     , SharedKey     , Signature-    -- * generation+    -- * Generation     , generatePrivate     , generatePublic-    -- * encryption and decryption with no scheme+    -- * Encryption and decryption with no scheme     , encryptWith     , encrypt     , decrypt-    -- * signature primitives+    -- * Signature primitives     , signWith     , sign-    -- * verification primitives+    -- * Verification primitives     , verify     ) where 
Crypto/PubKey/Internal.hs view
@@ -8,10 +8,18 @@ module Crypto.PubKey.Internal     ( and'     , (&&!)+    , dsaTruncHash+    , dsaTruncHashDigest     ) where +import Data.Bits (shiftR) import Data.List (foldl') +import Crypto.Hash+import Crypto.Internal.ByteArray (ByteArrayAccess)+import Crypto.Number.Basic (numBits)+import Crypto.Number.Serialize+ -- | This is a strict version of and and' :: [Bool] -> Bool and' l = foldl' (&&!) True l@@ -22,3 +30,18 @@ True  &&! False = False False &&! True  = False False &&! False = False++-- | Truncate and hash for DSA and ECDSA.+dsaTruncHash :: (ByteArrayAccess msg, HashAlgorithm hash) => hash -> msg -> Integer -> Integer+dsaTruncHash hashAlg = dsaTruncHashDigest . hashWith hashAlg++-- | Truncate a digest for DSA and ECDSA.+dsaTruncHashDigest :: HashAlgorithm hash => Digest hash -> Integer -> Integer+dsaTruncHashDigest digest n+    | d > 0 = shiftR e d+    | otherwise = e+  where e = os2ip digest+        d = hashDigestSize (getHashAlg digest) * 8 - numBits n++getHashAlg :: Digest hash -> hash+getHashAlg _ = undefined
Crypto/PubKey/RSA.hs view
@@ -10,13 +10,12 @@     , PublicKey(..)     , PrivateKey(..)     , Blinder(..)-    -- * generation function+    -- * Generation function     , generateWith     , generate     , generateBlinder     ) where -import Crypto.Internal.Imports import Crypto.Random.Types import Crypto.Number.ModArithmetic (inverse, inverseCoprimes) import Crypto.Number.Generate (generateMax)@@ -55,7 +54,7 @@ -- generateWith :: (Integer, Integer) -- ^ chosen distinct primes p and q              -> Int                -- ^ size in bytes-             -> Integer            -- ^ RSA public exponant 'e'+             -> Integer            -- ^ RSA public exponent 'e'              -> Maybe (PublicKey, PrivateKey) generateWith (p,q) size e =     case inverse e phi of@@ -81,7 +80,7 @@ -- | generate a pair of (private, public) key of size in bytes. generate :: MonadRandom m          => Int     -- ^ size in bytes-         -> Integer -- ^ RSA public exponant 'e'+         -> Integer -- ^ RSA public exponent 'e'          -> m (PublicKey, PrivateKey) generate size e = loop   where
Crypto/PubKey/RSA/PKCS15.hs view
@@ -7,19 +7,19 @@ -- module Crypto.PubKey.RSA.PKCS15     (-    -- * padding and unpadding+    -- * Padding and unpadding       pad     , padSignature     , unpad-    -- * private key operations+    -- * Private key operations     , decrypt     , decryptSafer     , sign     , signSafer-    -- * public key operations+    -- * Public key operations     , encrypt     , verify-    -- * hash ASN1 description+    -- * Hash ASN1 description     , HashAlgorithmASN1     ) where @@ -111,8 +111,8 @@ -- | Produce a standard PKCS1.5 padding for signature padSignature :: ByteArray signature => Int -> signature -> Either Error signature padSignature klen signature-    | klen < siglen+1 = Left SignatureTooLong-    | otherwise       = Right (B.pack padding `B.append` signature)+    | klen < siglen + 11 = Left SignatureTooLong+    | otherwise          = Right (B.pack padding `B.append` signature)   where         siglen    = B.length signature         padding   = 0 : 1 : (replicate (klen - siglen - 3) 0xff ++ [0])@@ -137,6 +137,8 @@ -- information from the timing of the operation, the blinder can be set to None. -- -- If unsure always set a blinder or use decryptSafer+--+-- The message is returned un-padded. decrypt :: Maybe Blinder -- ^ optional blinder         -> PrivateKey    -- ^ RSA private key         -> ByteString    -- ^ cipher text@@ -156,7 +158,8 @@  -- | encrypt a bytestring using the public key. ----- the message needs to be smaller than the key size - 11+-- The message needs to be smaller than the key size - 11.+-- The message should not be padded. encrypt :: MonadRandom m => PublicKey -> ByteString -> m (Either Error ByteString) encrypt pk m = do     r <- pad (public_size pk) m
Crypto/PubKey/RSA/PSS.hs view
@@ -11,9 +11,13 @@     , defaultPSSParamsSHA1     -- * Sign and verify functions     , signWithSalt+    , signDigestWithSalt     , sign+    , signDigest     , signSafer+    , signDigestSafer     , verify+    , verifyDigest     ) where  import           Crypto.Random.Types@@ -22,11 +26,13 @@ import           Crypto.PubKey.RSA (generateBlinder) import           Crypto.PubKey.MaskGenFunction import           Crypto.Hash+import           Crypto.Number.Basic (numBits) import           Data.Bits (xor, shiftR, (.&.)) import           Data.Word  import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray)-import qualified Crypto.Internal.ByteArray as B (convert)+import qualified Crypto.Internal.ByteArray as B (convert, eq)+ import           Data.ByteString (ByteString) import qualified Data.ByteString as B @@ -56,30 +62,43 @@ -- | Sign using the PSS parameters and the salt explicitely passed as parameters. -- -- the function ignore SaltLength from the PSS Parameters-signWithSalt :: HashAlgorithm hash-             => ByteString    -- ^ Salt to use-             -> Maybe Blinder -- ^ optional blinder to use-             -> PSSParams hash ByteString ByteString -- ^ PSS Parameters to use-             -> PrivateKey    -- ^ RSA Private Key-             -> ByteString    -- ^ Message to sign-             -> Either Error ByteString-signWithSalt salt blinder params pk m-    | k < hashLen + saltLen + 2 = Left InvalidParameters-    | otherwise                 = Right $ dp blinder pk em-    where mHash    = B.convert $ hashWith (pssHash params) m-          k        = private_size pk-          dbLen    = k - hashLen - 1+signDigestWithSalt :: HashAlgorithm hash+                   => ByteString    -- ^ Salt to use+                   -> Maybe Blinder -- ^ optional blinder to use+                   -> PSSParams hash ByteString ByteString -- ^ PSS Parameters to use+                   -> PrivateKey    -- ^ RSA Private Key+                   -> Digest hash   -- ^ Message digest+                   -> Either Error ByteString+signDigestWithSalt salt blinder params pk digest+    | emLen < hashLen + saltLen + 2 = Left InvalidParameters+    | otherwise                     = Right $ dp blinder pk em+    where k        = private_size pk+          emLen    = if emTruncate pubBits then k - 1 else k+          mHash    = B.convert digest+          dbLen    = emLen - hashLen - 1           saltLen  = B.length salt           hashLen  = hashDigestSize (pssHash params)-          pubBits  = private_size pk * 8 -- to change if public_size is converted in bytes-+          pubBits  = numBits (private_n pk)           m'       = B.concat [B.replicate 8 0,mHash,salt]           h        = B.convert $ hashWith (pssHash params) m'           db       = B.concat [B.replicate (dbLen - saltLen - 1) 0,B.singleton 1,salt]-          dbmask   = (pssMaskGenAlg params) h dbLen+          dbmask   = pssMaskGenAlg params h dbLen           maskedDB = B.pack $ normalizeToKeySize pubBits $ B.zipWith xor db dbmask           em       = B.concat [maskedDB, h, B.singleton (pssTrailerField params)] +-- | Sign using the PSS parameters and the salt explicitely passed as parameters.+--+-- the function ignore SaltLength from the PSS Parameters+signWithSalt :: HashAlgorithm hash+             => ByteString    -- ^ Salt to use+             -> Maybe Blinder -- ^ optional blinder to use+             -> PSSParams hash ByteString ByteString -- ^ PSS Parameters to use+             -> PrivateKey    -- ^ RSA Private Key+             -> ByteString    -- ^ Message to sign+             -> Either Error ByteString+signWithSalt salt blinder params pk m = signDigestWithSalt salt blinder params pk mHash+    where mHash    = hashWith (pssHash params) m+ -- | Sign using the PSS Parameters sign :: (HashAlgorithm hash, MonadRandom m)      => Maybe Blinder   -- ^ optional blinder to use@@ -91,6 +110,17 @@     salt <- getRandomBytes (pssSaltLength params)     return (signWithSalt salt blinder params pk m) +-- | Sign using the PSS Parameters+signDigest :: (HashAlgorithm hash, MonadRandom m)+           => Maybe Blinder   -- ^ optional blinder to use+           -> PSSParams hash ByteString ByteString -- ^ PSS Parameters to use+           -> PrivateKey      -- ^ RSA Private Key+           -> Digest hash     -- ^ Message digest+           -> m (Either Error ByteString)+signDigest blinder params pk digest = do+    salt <- getRandomBytes (pssSaltLength params)+    return (signDigestWithSalt salt blinder params pk digest)+ -- | Sign using the PSS Parameters and an automatically generated blinder. signSafer :: (HashAlgorithm hash, MonadRandom m)           => PSSParams hash ByteString ByteString -- ^ PSS Parameters to use@@ -101,6 +131,16 @@     blinder <- generateBlinder (private_n pk)     sign (Just blinder) params pk m +-- | Sign using the PSS Parameters and an automatically generated blinder.+signDigestSafer :: (HashAlgorithm hash, MonadRandom m)+                => PSSParams hash ByteString ByteString -- ^ PSS Parameters to use+                -> PrivateKey     -- ^ private key+                -> Digest hash    -- ^ message digst+                -> m (Either Error ByteString)+signDigestSafer params pk digest = do+    blinder <- generateBlinder (private_n pk)+    signDigest (Just blinder) params pk digest+ -- | Verify a signature using the PSS Parameters verify :: HashAlgorithm hash        => PSSParams hash ByteString ByteString@@ -110,30 +150,50 @@        -> ByteString -- ^ Message to verify        -> ByteString -- ^ Signature        -> Bool-verify params pk m s-    | public_size pk /= B.length s        = False+verify params pk m = verifyDigest params pk mHash+  where mHash     = hashWith (pssHash params) m++-- | Verify a signature using the PSS Parameters+verifyDigest :: HashAlgorithm hash+             => PSSParams hash ByteString ByteString+                            -- ^ PSS Parameters to use to verify,+                            --   this need to be identical to the parameters when signing+             -> PublicKey   -- ^ RSA Public Key+             -> Digest hash -- ^ Digest to verify+             -> ByteString  -- ^ Signature+             -> Bool+verifyDigest params pk digest s+    | B.length s /= k                     = False+    | B.any (/= 0) pre                    = False     | B.last em /= pssTrailerField params = False-    | not (B.all (== 0) ps0)              = False+    | B.any (/= 0) ps0                    = False     | b1 /= B.singleton 1                 = False-    | otherwise                           = h == B.convert h'+    | otherwise                           = B.eq h h'         where -- parameters               hashLen   = hashDigestSize (pssHash params)-              dbLen     = public_size pk - hashLen - 1-              pubBits   = public_size pk * 8 -- to change if public_size is converted in bytes+              mHash     = B.convert digest+              k         = public_size pk+              emLen     = if emTruncate pubBits then k - 1 else k+              dbLen     = emLen - hashLen - 1+              pubBits   = numBits (public_n pk)               -- unmarshall fields-              em        = ep pk s-              maskedDB  = B.take (B.length em - hashLen - 1) em+              (pre, em) = B.splitAt (k - emLen) (ep pk s) -- drop 0..1 byte+              maskedDB  = B.take dbLen em               h         = B.take hashLen $ B.drop (B.length maskedDB) em-              dbmask    = (pssMaskGenAlg params) h dbLen+              dbmask    = pssMaskGenAlg params h dbLen               db        = B.pack $ normalizeToKeySize pubBits $ B.zipWith xor maskedDB dbmask               (ps0,z)   = B.break (== 1) db               (b1,salt) = B.splitAt 1 z-              mHash     = B.convert $ hashWith (pssHash params) m               m'        = B.concat [B.replicate 8 0,mHash,salt]               h'        = hashWith (pssHash params) m' +-- When the modulus has bit length 1 modulo 8 we drop the first byte.+emTruncate :: Int -> Bool+emTruncate bits = ((bits-1) .&. 0x7) == 0+ normalizeToKeySize :: Int -> [Word8] -> [Word8] normalizeToKeySize _    []     = [] -- very unlikely normalizeToKeySize bits (x:xs) = x .&. mask : xs     where mask = if sh > 0 then 0xff `shiftR` (8-sh) else 0xff-          sh   = ((bits-1) .&. 0x7)+          sh   = (bits-1) .&. 0x7+
Crypto/PubKey/RSA/Prim.hs view
@@ -7,9 +7,9 @@ -- module Crypto.PubKey.RSA.Prim     (-    -- * decrypt primitive+    -- * Decrypt primitive       dp-    -- * encrypt primitive+    -- * Encrypt primitive     , ep     ) where 
Crypto/PubKey/RSA/Types.hs view
@@ -41,8 +41,8 @@ data PublicKey = PublicKey     { public_size :: Int      -- ^ size of key in bytes     , public_n    :: Integer  -- ^ public p*q-    , public_e    :: Integer  -- ^ public exponant e-    } deriving (Show,Read,Eq,Data,Typeable)+    , public_e    :: Integer  -- ^ public exponent e+    } deriving (Show,Read,Eq,Data)  instance NFData PublicKey where     rnf (PublicKey sz n e) = rnf n `seq` rnf e `seq` sz `seq` ()@@ -59,13 +59,13 @@ -- data PrivateKey = PrivateKey     { private_pub  :: PublicKey -- ^ public part of a private key (size, n and e)-    , private_d    :: Integer   -- ^ private exponant d+    , private_d    :: Integer   -- ^ private exponent d     , private_p    :: Integer   -- ^ p prime number     , private_q    :: Integer   -- ^ q prime number     , private_dP   :: Integer   -- ^ d mod (p-1)     , private_dQ   :: Integer   -- ^ d mod (q-1)     , private_qinv :: Integer   -- ^ q^(-1) mod p-    } deriving (Show,Read,Eq,Data,Typeable)+    } deriving (Show,Read,Eq,Data)  instance NFData PrivateKey where     rnf (PrivateKey pub d p q dp dq qinv) =@@ -87,7 +87,7 @@ -- -- note the RSA private key contains already an instance of public key for efficiency newtype KeyPair = KeyPair PrivateKey-    deriving (Show,Read,Eq,Data,Typeable,NFData)+    deriving (Show,Read,Eq,Data,NFData)  -- | Public key of a RSA KeyPair toPublicKey :: KeyPair -> PublicKey
+ Crypto/PubKey/Rabin/Basic.hs view
@@ -0,0 +1,230 @@+-- |+-- Module      : Crypto.PubKey.Rabin.Basic+-- License     : BSD-style+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>+-- Stability   : experimental+-- Portability : unknown+--+-- Rabin cryptosystem for public-key cryptography and digital signature.+--+{-# LANGUAGE DeriveDataTypeable #-}+module Crypto.PubKey.Rabin.Basic+    ( PublicKey(..)+    , PrivateKey(..)+    , Signature(..)+    , generate+    , encrypt+    , encryptWithSeed+    , decrypt+    , sign+    , signWith+    , verify+    ) where++import           Data.ByteString (ByteString)+import qualified Data.ByteString as B+import           Data.Data+import           Data.Either (rights)++import           Crypto.Hash+import           Crypto.Number.Basic (gcde, numBytes)+import           Crypto.Number.ModArithmetic (expSafe, jacobi)+import           Crypto.Number.Serialize (i2osp, i2ospOf_, os2ip)+import           Crypto.PubKey.Rabin.OAEP +import           Crypto.PubKey.Rabin.Types+import           Crypto.Random (MonadRandom, getRandomBytes)++-- | Represent a Rabin public key.+data PublicKey = PublicKey+    { public_size :: Int      -- ^ size of key in bytes+    , public_n    :: Integer  -- ^ public p*q+    } deriving (Show, Read, Eq, Data)++-- | Represent a Rabin private key.+data PrivateKey = PrivateKey+    { private_pub :: PublicKey+    , private_p   :: Integer   -- ^ p prime number+    , private_q   :: Integer   -- ^ q prime number+    , private_a   :: Integer+    , private_b   :: Integer+    } deriving (Show, Read, Eq, Data)++-- | Rabin Signature.+data Signature = Signature (Integer, Integer) deriving (Show, Read, Eq, Data)++-- | Generate a pair of (private, public) key of size in bytes.+-- Primes p and q are both congruent 3 mod 4.+--+-- See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+generate :: MonadRandom m+         => Int+         -> m (PublicKey, PrivateKey)+generate size = do+    (p, q) <- generatePrimes size (\p -> p `mod` 4 == 3) (\q -> q `mod` 4 == 3)+    return $ generateKeys p q+  where +    generateKeys p q =+        let n = p*q+            (a, b, _) = gcde p q +            publicKey = PublicKey { public_size = size+                                    , public_n    = n }+            privateKey = PrivateKey { private_pub = publicKey+                                    , private_p   = p+                                    , private_q   = q+                                    , private_a   = a+                                    , private_b   = b }+            in (publicKey, privateKey)++-- | Encrypt plaintext using public key an a predefined OAEP seed.+--+-- See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+encryptWithSeed :: HashAlgorithm hash+                => ByteString                               -- ^ Seed+                -> OAEPParams hash ByteString ByteString    -- ^ OAEP padding+                -> PublicKey                                -- ^ public key+                -> ByteString                               -- ^ plaintext+                -> Either Error ByteString+encryptWithSeed seed oaep pk m =+    let n  = public_n pk+        k  = numBytes n+     in do+        m' <- pad seed oaep k m+        let m'' = os2ip m'+        return $ i2osp $ expSafe m'' 2 n++-- | Encrypt plaintext using public key.+encrypt :: (HashAlgorithm hash, MonadRandom m)+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters+        -> PublicKey                                -- ^ public key+        -> ByteString                               -- ^ plaintext +        -> m (Either Error ByteString)+encrypt oaep pk m = do+    seed <- getRandomBytes hashLen+    return $ encryptWithSeed seed oaep pk m+  where+    hashLen = hashDigestSize (oaepHash oaep) ++-- | Decrypt ciphertext using private key.+--+-- See algorithm 8.12 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+decrypt :: HashAlgorithm hash+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters+        -> PrivateKey                               -- ^ private key+        -> ByteString                               -- ^ ciphertext+        -> Maybe ByteString+decrypt oaep pk c =+    let p  = private_p pk +        q  = private_q pk     +        a  = private_a pk +        b  = private_b pk+        n  = public_n $ private_pub pk+        k  = numBytes n+        c' = os2ip c+        solutions = rights $ toList $ mapTuple (unpad oaep k . i2ospOf_ k) $ sqroot' c' p q a b n+     in if length solutions /= 1 then Nothing+        else Just $ head solutions+      where toList (w, x, y, z) = w:x:y:z:[]+            mapTuple f (w, x, y, z) = (f w, f x, f y, f z)++-- | Sign message using padding, hash algorithm and private key.+--+-- See <https://en.wikipedia.org/wiki/Rabin_signature_algorithm>.+signWith :: HashAlgorithm hash+         => ByteString    -- ^ padding+         -> PrivateKey    -- ^ private key+         -> hash          -- ^ hash function+         -> ByteString    -- ^ message to sign+         -> Either Error Signature+signWith padding pk hashAlg m = do+    h <- calculateHash padding pk hashAlg m+    signature <- calculateSignature h+    return signature+  where+    calculateSignature h =+        let p = private_p pk+            q = private_q pk     +            a = private_a pk +            b = private_b pk+            n = public_n $ private_pub pk+         in if h >= n then Left MessageTooLong+            else let (r, _, _, _) = sqroot' h p q a b n+                  in Right $ Signature (os2ip padding, r)++-- | Sign message using hash algorithm and private key.+--+-- See <https://en.wikipedia.org/wiki/Rabin_signature_algorithm>.+sign :: (MonadRandom m, HashAlgorithm hash)+     => PrivateKey    -- ^ private key+     -> hash          -- ^ hash function+     -> ByteString    -- ^ message to sign+     -> m (Either Error Signature)+sign pk hashAlg m = do+    padding <- findPadding+    return $ signWith padding pk hashAlg m+  where +    findPadding = do+        padding <- getRandomBytes 8+        case calculateHash padding pk hashAlg m of+            Right _ -> return padding+            _       -> findPadding++-- | Calculate hash of message and padding.+-- If the padding is valid, then the result of the hash operation is returned, otherwise an error.+calculateHash :: HashAlgorithm hash+              => ByteString    -- ^ padding+              -> PrivateKey    -- ^ private key+              -> hash          -- ^ hash function+              -> ByteString    -- ^ message to sign+              -> Either Error Integer+calculateHash padding pk hashAlg m = +    let p = private_p pk+        q = private_q pk+        h = os2ip $ hashWith hashAlg $ B.append padding m+     in case (jacobi (h `mod` p) p, jacobi (h `mod` q) q) of+            (Just 1, Just 1) -> Right h+            _                -> Left InvalidParameters++-- | Verify signature using hash algorithm and public key.+--+-- See <https://en.wikipedia.org/wiki/Rabin_signature_algorithm>.+verify :: HashAlgorithm hash+       => PublicKey     -- ^ private key+       -> hash          -- ^ hash function+       -> ByteString    -- ^ message+       -> Signature     -- ^ signature+       -> Bool+verify pk hashAlg m (Signature (padding, s)) =+    let n  = public_n pk+        p  = i2osp padding+        h  = os2ip $ hashWith hashAlg $ B.append p m +        h' = expSafe s 2 n+     in h' == h++-- | Square roots modulo prime p where p is congruent 3 mod 4+-- Value a must be a quadratic residue modulo p (i.e. jacobi symbol (a/n) = 1).+--+-- See algorithm 3.36 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+sqroot :: Integer+       -> Integer   -- ^ prime p+       -> (Integer, Integer)+sqroot a p =+    let r = expSafe a ((p + 1) `div` 4) p+     in (r, -r)++-- | Square roots modulo n given its prime factors p and q (both congruent 3 mod 4)+-- Value a must be a quadratic residue of both modulo p and modulo q (i.e. jacobi symbols (a/p) = (a/q) = 1).+-- +-- See algorithm 3.44 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+sqroot' :: Integer +        -> Integer  -- ^ prime p+        -> Integer  -- ^ prime q+        -> Integer  -- ^ c such that c*p + d*q = 1+        -> Integer  -- ^ d such that c*p + d*q = 1+        -> Integer  -- ^ n = p*q+        -> (Integer, Integer, Integer, Integer)+sqroot' a p q c d n =+    let (r, _) = sqroot a p+        (s, _) = sqroot a q+        x      = (r*d*q + s*c*p) `mod` n+        y      = (r*d*q - s*c*p) `mod` n+     in (x, (-x) `mod` n, y, (-y) `mod` n)
+ Crypto/PubKey/Rabin/Modified.hs view
@@ -0,0 +1,101 @@+-- |+-- Module      : Crypto.PubKey.Rabin.Modified+-- License     : BSD-style+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>+-- Stability   : experimental+-- Portability : unknown+--+-- Modified-Rabin public-key digital signature algorithm.+-- See algorithm 11.30 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+--+{-# LANGUAGE DeriveDataTypeable #-}+module Crypto.PubKey.Rabin.Modified+    ( PublicKey(..)+    , PrivateKey(..)+    , generate+    , sign+    , verify+    ) where++import           Data.ByteString+import           Data.Data++import           Crypto.Hash+import           Crypto.Number.ModArithmetic (expSafe, jacobi)+import           Crypto.Number.Serialize (os2ip)+import           Crypto.PubKey.Rabin.Types+import           Crypto.Random.Types++-- | Represent a Modified-Rabin public key.+data PublicKey = PublicKey+    { public_size :: Int      -- ^ size of key in bytes+    , public_n    :: Integer  -- ^ public p*q+    } deriving (Show, Read, Eq, Data)++-- | Represent a Modified-Rabin private key.+data PrivateKey = PrivateKey+    { private_pub :: PublicKey+    , private_p   :: Integer   -- ^ p prime number+    , private_q   :: Integer   -- ^ q prime number+    , private_d   :: Integer+    } deriving (Show, Read, Eq, Data)++-- | Generate a pair of (private, public) key of size in bytes.+-- Prime p is congruent 3 mod 8 and prime q is congruent 7 mod 8.+generate :: MonadRandom m+         => Int           +         -> m (PublicKey, PrivateKey)+generate size = do+    (p, q) <- generatePrimes size (\p -> p `mod` 8 == 3) (\q -> q `mod` 8 == 7)+    return $ generateKeys p q+  where +    generateKeys p q =+        let n = p*q   +            d = (n - p - q + 5) `div` 8+            publicKey = PublicKey { public_size = size+                                    , public_n    = n }+            privateKey = PrivateKey { private_pub = publicKey+                                    , private_p   = p+                                    , private_q   = q+                                    , private_d   = d }+            in (publicKey, privateKey)++-- | Sign message using hash algorithm and private key.+sign :: HashAlgorithm hash+     => PrivateKey    -- ^ private key+     -> hash          -- ^ hash function+     -> ByteString    -- ^ message to sign+     -> Either Error Integer+sign pk hashAlg m =+    let d = private_d pk+        n = public_n $ private_pub pk+        h = os2ip $ hashWith hashAlg m+        limit = (n - 6) `div` 16+     in if h > limit then Left MessageTooLong+        else let h' = 16*h + 6+              in case jacobi h' n of+                    Just 1    -> Right $ expSafe h' d n+                    Just (-1) -> Right $ expSafe (h' `div` 2) d n+                    _         -> Left InvalidParameters++-- | Verify signature using hash algorithm and public key.+verify :: HashAlgorithm hash+       => PublicKey     -- ^ public key+       -> hash          -- ^ hash function+       -> ByteString    -- ^ message+       -> Integer       -- ^ signature+       -> Bool+verify pk hashAlg m s =+    let n   = public_n pk+        h   = os2ip $ hashWith hashAlg m+        s'  = expSafe s 2 n+        s'' = case s' `mod` 8 of+            6 -> s'+            3 -> 2*s'+            7 -> n - s'+            2 -> 2*(n - s')+            _ -> 0+     in case s'' `mod` 16 of+            6 -> let h' = (s'' - 6) `div` 16+                  in h' == h +            _ -> False
+ Crypto/PubKey/Rabin/OAEP.hs view
@@ -0,0 +1,100 @@+-- |+-- Module      : Crypto.PubKey.Rabin.OAEP+-- License     : BSD-style+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>+-- Stability   : experimental+-- Portability : unknown+--+-- OAEP padding scheme.+-- See <http://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding>.+--+module Crypto.PubKey.Rabin.OAEP+    ( OAEPParams(..)+    , defaultOAEPParams+    , pad+    , unpad+    ) where+        +import           Data.ByteString (ByteString)+import qualified Data.ByteString as B+import           Data.Bits (xor)++import           Crypto.Hash+import           Crypto.Internal.ByteArray (ByteArrayAccess, ByteArray)+import qualified Crypto.Internal.ByteArray as B (convert)+import           Crypto.PubKey.MaskGenFunction+import           Crypto.PubKey.Internal (and')+import           Crypto.PubKey.Rabin.Types++-- | Parameters for OAEP padding.+data OAEPParams hash seed output = OAEPParams+    { oaepHash       :: hash                            -- ^ hash function to use+    , oaepMaskGenAlg :: MaskGenAlgorithm seed output    -- ^ mask Gen algorithm to use+    , oaepLabel      :: Maybe ByteString                -- ^ optional label prepended to message+    }++-- | Default Params with a specified hash function.+defaultOAEPParams :: (ByteArrayAccess seed, ByteArray output, HashAlgorithm hash)+                  => hash+                  -> OAEPParams hash seed output+defaultOAEPParams hashAlg =+    OAEPParams { oaepHash       = hashAlg+               , oaepMaskGenAlg = mgf1 hashAlg+               , oaepLabel      = Nothing+               }++-- | Pad a message using OAEP.+pad :: HashAlgorithm hash+    => ByteString                               -- ^ Seed+    -> OAEPParams hash ByteString ByteString    -- ^ OAEP params to use+    -> Int                                      -- ^ size of public key in bytes+    -> ByteString                               -- ^ Message pad+    -> Either Error ByteString+pad seed oaep k msg+    | k < 2*hashLen+2          = Left InvalidParameters+    | B.length seed /= hashLen = Left InvalidParameters+    | mLen > k - 2*hashLen-2   = Left MessageTooLong+    | otherwise                = Right em+    where -- parameters+        mLen       = B.length msg+        mgf        = oaepMaskGenAlg oaep+        labelHash  = hashWith (oaepHash oaep) (maybe B.empty id $ oaepLabel oaep)+        hashLen    = hashDigestSize (oaepHash oaep)+        -- put fields+        ps         = B.replicate (k - mLen - 2*hashLen - 2) 0+        db         = B.concat [B.convert labelHash, ps, B.singleton 0x1, msg]+        dbmask     = mgf seed (k - hashLen - 1)+        maskedDB   = B.pack $ B.zipWith xor db dbmask+        seedMask   = mgf maskedDB hashLen+        maskedSeed = B.pack $ B.zipWith xor seed seedMask+        em         = B.concat [B.singleton 0x0, maskedSeed, maskedDB]++-- | Un-pad a OAEP encoded message.+unpad :: HashAlgorithm hash+      => OAEPParams hash ByteString ByteString  -- ^ OAEP params to use+      -> Int                                    -- ^ size of public key in bytes+      -> ByteString                             -- ^ encoded message (not encrypted)+      -> Either Error ByteString+unpad oaep k em+    | paddingSuccess = Right msg+    | otherwise      = Left MessageNotRecognized+    where -- parameters+        mgf        = oaepMaskGenAlg oaep+        labelHash  = B.convert $ hashWith (oaepHash oaep) (maybe B.empty id $ oaepLabel oaep)+        hashLen    = hashDigestSize (oaepHash oaep)+        -- getting em's fields+        (pb, em0)  = B.splitAt 1 em+        (maskedSeed, maskedDB) = B.splitAt hashLen em0+        seedMask   = mgf maskedDB hashLen+        seed       = B.pack $ B.zipWith xor maskedSeed seedMask+        dbmask     = mgf seed (k - hashLen - 1)+        db         = B.pack $ B.zipWith xor maskedDB dbmask+        -- getting db's fields+        (labelHash', db1) = B.splitAt hashLen db+        (_, db2)   = B.break (/= 0) db1+        (ps1, msg) = B.splitAt 1 db2++        paddingSuccess = and' [ labelHash' == labelHash -- no need for constant eq+                              , ps1        == B.replicate 1 0x1+                              , pb         == B.replicate 1 0x0+                              ]
+ Crypto/PubKey/Rabin/RW.hs view
@@ -0,0 +1,166 @@+-- |+-- Module      : Crypto.PubKey.Rabin.RW+-- License     : BSD-style+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>+-- Stability   : experimental+-- Portability : unknown+--+-- Rabin-Williams cryptosystem for public-key encryption and digital signature. +-- See pages 323 - 324 in "Computational Number Theory and Modern Cryptography" by Song Y. Yan.+-- Also inspired by https://github.com/vanilala/vncrypt/blob/master/vncrypt/vnrw_gmp.c.+-- +{-# LANGUAGE DeriveDataTypeable #-}+module Crypto.PubKey.Rabin.RW+    ( PublicKey(..)+    , PrivateKey(..)+    , generate+    , encrypt+    , encryptWithSeed+    , decrypt+    , sign+    , verify+    ) where++import           Data.ByteString+import           Data.Data++import           Crypto.Hash+import           Crypto.Number.Basic (numBytes)+import           Crypto.Number.ModArithmetic (expSafe, jacobi)+import           Crypto.Number.Serialize (i2osp, i2ospOf_, os2ip)+import           Crypto.PubKey.Rabin.OAEP+import           Crypto.PubKey.Rabin.Types+import           Crypto.Random.Types++-- | Represent a Rabin-Williams public key.+data PublicKey = PublicKey+    { public_size :: Int      -- ^ size of key in bytes+    , public_n    :: Integer  -- ^ public p*q+    } deriving (Show, Read, Eq, Data)++-- | Represent a Rabin-Williams private key.+data PrivateKey = PrivateKey+    { private_pub :: PublicKey+    , private_p   :: Integer   -- ^ p prime number+    , private_q   :: Integer   -- ^ q prime number+    , private_d   :: Integer+    } deriving (Show, Read, Eq, Data)++-- | Generate a pair of (private, public) key of size in bytes.+-- Prime p is congruent 3 mod 8 and prime q is congruent 7 mod 8.+generate :: MonadRandom m+         => Int           +         -> m (PublicKey, PrivateKey)+generate size = do+    (p, q) <- generatePrimes size (\p -> p `mod` 8 == 3) (\q -> q `mod` 8 == 7) +    return (generateKeys p q)+  where +    generateKeys p q =+        let n = p*q   +            d = ((p - 1)*(q - 1) `div` 4 + 1) `div` 2+            publicKey = PublicKey { public_size = size+                                    , public_n    = n }+            privateKey = PrivateKey { private_pub = publicKey+                                    , private_p   = p+                                    , private_q   = q+                                    , private_d   = d }+            in (publicKey, privateKey)++-- | Encrypt plaintext using public key an a predefined OAEP seed.+--+-- See algorithm 8.11 in "Handbook of Applied Cryptography" by Alfred J. Menezes et al.+encryptWithSeed :: HashAlgorithm hash+                => ByteString                               -- ^ Seed+                -> OAEPParams hash ByteString ByteString    -- ^ OAEP padding+                -> PublicKey                                -- ^ public key+                -> ByteString                               -- ^ plaintext+                -> Either Error ByteString+encryptWithSeed seed oaep pk m =+    let n = public_n pk+        k = numBytes n+     in do+        m'  <- pad seed oaep k m+        m'' <- ep1 n $ os2ip m'+        return $ i2osp $ ep2 n m''++-- | Encrypt plaintext using public key.+encrypt :: (HashAlgorithm hash, MonadRandom m)+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters+        -> PublicKey                                -- ^ public key+        -> ByteString                               -- ^ plaintext +        -> m (Either Error ByteString)+encrypt oaep pk m = do+    seed <- getRandomBytes hashLen+    return $ encryptWithSeed seed oaep pk m+  where+    hashLen = hashDigestSize (oaepHash oaep)   ++-- | Decrypt ciphertext using private key.+decrypt :: HashAlgorithm hash+        => OAEPParams hash ByteString ByteString    -- ^ OAEP padding parameters+        -> PrivateKey                               -- ^ private key+        -> ByteString                               -- ^ ciphertext+        -> Maybe ByteString+decrypt oaep pk c =+    let d  = private_d pk    +        n  = public_n $ private_pub pk+        k  = numBytes n+        c' = i2ospOf_ k $ dp2 n $ dp1 d n $ os2ip c+     in case unpad oaep k c' of+            Left _  -> Nothing+            Right p -> Just p   ++-- | Sign message using hash algorithm and private key.+sign :: HashAlgorithm hash+     => PrivateKey  -- ^ private key+     -> hash        -- ^ hash function+     -> ByteString  -- ^ message to sign+     -> Either Error Integer+sign pk hashAlg m =+    let d = private_d pk+        n = public_n $ private_pub pk+     in do+        m' <- ep1 n $ os2ip $ hashWith hashAlg m+        return $ dp1 d n m' ++-- | Verify signature using hash algorithm and public key.+verify :: HashAlgorithm hash+       => PublicKey     -- ^ public key+       -> hash          -- ^ hash function+       -> ByteString    -- ^ message+       -> Integer       -- ^ signature+       -> Bool+verify pk hashAlg m s =+    let n  = public_n pk+        h  = os2ip $ hashWith hashAlg m+        h' = dp2 n $ ep2 n s+     in h' == h++-- | Encryption primitive 1+ep1 :: Integer -> Integer -> Either Error Integer+ep1 n m =+    let m'   = 2*m + 1+        m''  = 2*m'+        m''' = 2*m''+     in case jacobi m' n of+            Just (-1) | m'' < n -> Right m''+            Just 1 | m''' < n   -> Right m'''+            _                   -> Left InvalidParameters++-- | Encryption primitive 2+ep2 :: Integer -> Integer -> Integer+ep2 n m = expSafe m 2 n++-- | Decryption primitive 1+dp1 :: Integer -> Integer -> Integer -> Integer+dp1 d n c = expSafe c d n++-- | Decryption primitive 2+dp2 :: Integer -> Integer -> Integer+dp2 n c = let c'  = c `div` 2+              c'' = (n - c) `div` 2+           in case c `mod` 4 of+                0 -> ((c' `div` 2 - 1) `div` 2)+                1 -> ((c'' `div` 2 - 1) `div` 2)+                2 -> ((c' - 1) `div` 2)+                _ -> ((c'' - 1) `div` 2)
+ Crypto/PubKey/Rabin/Types.hs view
@@ -0,0 +1,43 @@+-- |+-- Module      : Crypto.PubKey.Rabin.Types+-- License     : BSD-style+-- Maintainer  : Carlos Rodriguez-Vega <crodveg@yahoo.es>+-- Stability   : experimental+-- Portability : unknown+--+module Crypto.PubKey.Rabin.Types+    ( Error(..)+    , generatePrimes+    ) where++import Crypto.Number.Basic (numBits)+import Crypto.Number.Prime (generatePrime, findPrimeFromWith)+import Crypto.Random.Types++type PrimeCondition = Integer -> Bool++-- | Error possible during encryption, decryption or signing.+data Error = MessageTooLong       -- ^ the message to encrypt is too long+           | MessageNotRecognized -- ^ the message decrypted doesn't have a OAEP structure+           | InvalidParameters    -- ^ some parameters lead to breaking assumptions+           deriving (Show, Eq)++-- | Generate primes p & q+generatePrimes :: MonadRandom m +               => Int                   -- ^ size in bytes          +               -> PrimeCondition        -- ^ condition prime p must satisfy+               -> PrimeCondition        -- ^ condition prime q must satisfy+               -> m (Integer, Integer)  -- ^ chosen distinct primes p and q+generatePrimes size pCond qCond =+    let pBits = (8*(size `div` 2))+        qBits = (8*(size - (size `div` 2)))+     in do+        p <- generatePrime' pBits pCond+        q <- generatePrime' qBits qCond+        return (p, q)+      where+        generatePrime' bits cond = do+            pr' <- generatePrime bits+            let pr = findPrimeFromWith cond pr'+            if numBits pr == bits then return pr+            else generatePrime' bits cond
Crypto/Random.hs view
@@ -16,6 +16,7 @@     , seedNew     , seedFromInteger     , seedToInteger+    , seedFromBinary     -- * Deterministic Random class     , getSystemDRG     , drgNew@@ -29,10 +30,12 @@     , MonadPseudoRandom     ) where +import Crypto.Error import Crypto.Random.Types import Crypto.Random.ChaChaDRG import Crypto.Random.SystemDRG import Data.ByteArray (ByteArray, ByteArrayAccess, ScrubbedBytes)+import qualified Data.ByteArray as B import Crypto.Internal.Imports  import qualified Crypto.Number.Serialize as Serialize@@ -56,6 +59,12 @@ seedFromInteger :: Integer -> Seed seedFromInteger i = Seed $ Serialize.i2ospOf_ seedLength (i `mod` 2^(seedLength * 8)) +-- | Convert a binary to a seed+seedFromBinary :: ByteArrayAccess b => b -> CryptoFailable Seed+seedFromBinary b+    | B.length b /= 40 = CryptoFailed (CryptoError_SeedSizeInvalid)+    | otherwise        = CryptoPassed $ Seed $ B.convert b+ -- | Create a new DRG from system entropy drgNew :: MonadRandom randomly => randomly ChaChaDRG drgNew = drgNewSeed `fmap` seedNew@@ -71,6 +80,13 @@ -- -- It can also be used in other contexts provided the input -- has been properly randomly generated.+--+-- Note that the @Arbitrary@ instance provided by QuickCheck for 'Word64' does+-- not have a uniform distribution.  It is often better to use instead+-- @arbitraryBoundedRandom@.+--+-- System endianness impacts how the tuple is interpreted and therefore changes+-- the resulting DRG. drgNewTest :: (Word64, Word64, Word64, Word64, Word64) -> ChaChaDRG drgNewTest = initializeWords 
Crypto/Random/ChaChaDRG.hs view
@@ -14,7 +14,7 @@  import           Crypto.Random.Types import           Crypto.Internal.Imports-import           Crypto.Internal.ByteArray (ByteArray, ScrubbedBytes)+import           Crypto.Internal.ByteArray (ByteArray, ByteArrayAccess, ScrubbedBytes) import qualified Crypto.Internal.ByteArray as B import           Foreign.Storable (pokeElemOff) @@ -29,7 +29,7 @@  -- | Initialize a new ChaCha context with the number of rounds, -- the key and the nonce associated.-initialize :: ByteArray seed+initialize :: ByteArrayAccess seed            => seed        -- ^ 40 bytes of seed            -> ChaChaDRG   -- ^ the initial ChaCha state initialize seed = ChaChaDRG $ C.initializeSimple seed
Crypto/Random/Entropy/Backend.hs view
@@ -14,6 +14,7 @@     ) where  import Foreign.Ptr+import Data.Proxy import Data.Word (Word8) import Crypto.Random.Entropy.Source #ifdef SUPPORT_RDRAND@@ -30,12 +31,12 @@ supportedBackends =     [ #ifdef SUPPORT_RDRAND-    openBackend (undefined :: RDRand),+    openBackend (Proxy :: Proxy RDRand), #endif #ifdef WINDOWS-    openBackend (undefined :: WinCryptoAPI)+    openBackend (Proxy :: Proxy WinCryptoAPI) #else-    openBackend (undefined :: DevRandom), openBackend (undefined :: DevURandom)+    openBackend (Proxy :: Proxy DevRandom), openBackend (Proxy :: Proxy DevURandom) #endif     ] @@ -43,9 +44,9 @@ data EntropyBackend = forall b . EntropySource b => EntropyBackend b  -- | Open a backend handle-openBackend :: EntropySource b => b -> IO (Maybe EntropyBackend)+openBackend :: EntropySource b => Proxy b -> IO (Maybe EntropyBackend) openBackend b = fmap EntropyBackend `fmap` callOpen b-  where callOpen :: EntropySource b => b -> IO (Maybe b)+  where callOpen :: EntropySource b => Proxy b -> IO (Maybe b)         callOpen _ = entropyOpen  -- | Gather randomness from an open handle
Crypto/Random/Entropy/RDRand.hs view
@@ -21,7 +21,7 @@ foreign import ccall unsafe "cryptonite_get_rand_bytes"   c_get_rand_bytes :: Ptr Word8 -> CInt -> IO CInt --- | fake handle to Intel RDRand entropy cpu instruction+-- | Fake handle to Intel RDRand entropy CPU instruction data RDRand = RDRand  instance EntropySource RDRand where
Crypto/Random/Entropy/Source.hs view
@@ -13,10 +13,10 @@ -- | A handle to an entropy maker, either a system capability -- or a hardware generator. class EntropySource a where-    -- | try to open an handle for this source+    -- | Try to open an handle for this source     entropyOpen   :: IO (Maybe a)-    -- | try to gather a number of entropy bytes into a buffer.-    -- return the number of actual bytes gathered+    -- | Try to gather a number of entropy bytes into a buffer.+    -- Return the number of actual bytes gathered     entropyGather :: a -> Ptr Word8 -> Int -> IO Int     -- | Close an open handle     entropyClose  :: a -> IO ()
Crypto/Random/Entropy/Unix.hs view
@@ -22,10 +22,10 @@ type H = Handle type DeviceName = String --- | Entropy device /dev/random on unix system +-- | Entropy device @/dev/random@ on unix system newtype DevRandom  = DevRandom DeviceName --- | Entropy device /dev/urandom on unix system +-- | Entropy device @/dev/urandom@ on unix system newtype DevURandom = DevURandom DeviceName  instance EntropySource DevRandom where@@ -58,7 +58,7 @@ withDev filepath f = openDev filepath >>= \h ->     case h of         Nothing -> error ("device " ++ filepath ++ " cannot be grabbed")-        Just fd -> f fd >>= \r -> (closeDev fd >> return r)+        Just fd -> f fd `E.finally` closeDev fd  closeDev :: H -> IO () closeDev h = hClose h
Crypto/Random/Entropy/Unsafe.hs view
@@ -16,8 +16,8 @@  -- | Refill the entropy in a buffer ----- call each entropy backend in turn until the buffer has--- been replenish.+-- Call each entropy backend in turn until the buffer has+-- been replenished. -- -- If the buffer cannot be refill after 3 loopings, this will raise -- an User Error exception
Crypto/Random/Entropy/Windows.hs view
@@ -5,7 +5,7 @@ -- Stability   : experimental -- Portability : Good ----- code originally from the entropy package and thus is:+-- Code originally from the entropy package and thus is: --   Copyright (c) Thomas DuBuisson. -- {-# LANGUAGE ForeignFunctionInterface #-}@@ -26,7 +26,7 @@ import Crypto.Random.Entropy.Source  --- | handle to windows crypto API for random generation+-- | Handle to Windows crypto API for random generation data WinCryptoAPI = WinCryptoAPI  instance EntropySource WinCryptoAPI where
Crypto/Random/Probabilistic.hs view
@@ -20,7 +20,7 @@ -- This is useful for probabilistic algorithm like Miller Rabin -- probably prime algorithm, given appropriate choice of the heuristic ----- Generally, it's advise not to use this function.+-- Generally, it's advised not to use this function. probabilistic :: MonadPseudoRandom ChaChaDRG a -> a probabilistic f = fst $ withDRG drg f   where {-# NOINLINE drg #-}
Crypto/Random/SystemDRG.hs view
@@ -14,7 +14,6 @@ import           Crypto.Random.Types import           Crypto.Random.Entropy.Unsafe import           Crypto.Internal.Compat-import           Crypto.Internal.Imports import           Data.ByteArray (ScrubbedBytes, ByteArray) import           Data.Memory.PtrMethods as B (memCopy) import           Data.Maybe (catMaybes)
Crypto/Random/Types.hs view
@@ -15,10 +15,9 @@  import Crypto.Random.Entropy import Crypto.Internal.ByteArray-import Crypto.Internal.Imports  -- | A monad constraint that allows to generate random bytes-class (Functor m, Monad m) => MonadRandom m where+class Monad m => MonadRandom m where     getRandomBytes :: ByteArray byteArray => Int -> m byteArray  -- | A Deterministic Random Generator (DRG) class@@ -47,7 +46,7 @@          in (f a, g3)  instance DRG gen => Monad (MonadPseudoRandom gen) where-    return a    = MonadPseudoRandom $ \g -> (a, g)+    return      = pure     (>>=) m1 m2 = MonadPseudoRandom $ \g1 ->         let (a, g2) = runPseudoRandom m1 g1          in runPseudoRandom (m2 a) g2
+ Crypto/System/CPU.hs view
@@ -0,0 +1,64 @@+-- |+-- Module      : Crypto.System.CPU+-- License     : BSD-style+-- Maintainer  : Olivier Chéron <olivier.cheron@gmail.com>+-- Stability   : experimental+-- Portability : unknown+--+-- Gives information about cryptonite runtime environment.+--+{-# LANGUAGE CPP #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE ForeignFunctionInterface #-}+module Crypto.System.CPU+    ( ProcessorOption (..)+    , processorOptions+    ) where++import Data.Data+import Data.List (findIndices)+#ifdef SUPPORT_RDRAND+import Data.Maybe (isJust)+#endif+import Data.Word (Word8)+import Foreign.Ptr+import Foreign.Storable++import Crypto.Internal.Compat++#ifdef SUPPORT_RDRAND+import Crypto.Random.Entropy.RDRand+import Crypto.Random.Entropy.Source+#endif++-- | CPU options impacting cryptography implementation and library performance.+data ProcessorOption+    = AESNI   -- ^ Support for AES instructions, with flag @support_aesni@+    | PCLMUL  -- ^ Support for CLMUL instructions, with flag @support_pclmuldq@+    | RDRAND  -- ^ Support for RDRAND instruction, with flag @support_rdrand@+    deriving (Show,Eq,Enum,Data)++-- | Options which have been enabled at compile time and are supported by the+-- current CPU.+processorOptions :: [ProcessorOption]+processorOptions = unsafeDoIO $ do+    p <- cryptonite_aes_cpu_init+    options <- traverse (getOption p) aesOptions+    rdrand  <- hasRDRand+    return (decodeOptions options ++ [ RDRAND | rdrand ])+  where+    aesOptions    = [ AESNI .. PCLMUL ]+    getOption p   = peekElemOff p . fromEnum+    decodeOptions = map toEnum . findIndices (> 0)+{-# NOINLINE processorOptions #-}++hasRDRand :: IO Bool+#ifdef SUPPORT_RDRAND+hasRDRand = fmap isJust getRDRand+  where getRDRand = entropyOpen :: IO (Maybe RDRand)+#else+hasRDRand = return False+#endif++foreign import ccall unsafe "cryptonite_aes_cpu_init"+    cryptonite_aes_cpu_init :: IO (Ptr Word8)
Crypto/Tutorial.hs view
@@ -1,34 +1,195 @@-{-# OPTIONS_GHC -fno-warn-unused-imports #-}-{-# LANGUAGE OverloadedStrings #-}+-- | Examples of how to use @cryptonite@.+module Crypto.Tutorial+    ( -- * API design+      -- $api_design -{-| How to use @cryptonite@+      -- * Hash algorithms+      -- $hash_algorithms -> -- | Beware MUST BE 256bits as we use AES256-> import Data.ByteString (ByteString)-> import Crypto.Cipher.AES (AES256)-> import Crypto.Cipher.Types (BlockCipher(..), Cipher(..),nullIV)-> import Crypto.Error (CryptoFailable(..))->-> secretKey :: ByteString-> secretKey = "012-456-89A-CDE-012-456-89A-CDE-"->-> encrypt :: ByteString -> ByteString -> ByteString-> encrypt secret = ctrCombine ctx nullIV->   where->     ctx = cipherInitNoErr (cipherMakeKey (undefined :: AES256) secret)->     cipherInitNoErr :: BlockCipher c => Key c -> c->     cipherInitNoErr (Key k) = case cipherInit k of->       CryptoPassed a -> a->       CryptoFailed e -> error (show e)->     cipherMakeKey :: Cipher cipher => cipher -> ByteString -> Key cipher->     cipherMakeKey _ = Key -- Yeah Lazyness!!!!!!->->-> decrypt :: ByteString -> ByteString -> ByteString-> decrypt = encrypt+      -- * Symmetric block ciphers+      -- $symmetric_block_ciphers -|-}+      -- * Combining primitives+      -- $combining_primitives+    ) where -module Crypto.Tutorial () where+-- $api_design+--+-- APIs in cryptonite are often based on type classes from package+-- <https://hackage.haskell.org/package/memory memory>, notably+-- 'Data.ByteArray.ByteArrayAccess' and 'Data.ByteArray.ByteArray'.+-- Module "Data.ByteArray" provides many primitives that are useful to+-- work with cryptonite types.  For example function 'Data.ByteArray.convert'+-- can transform one 'Data.ByteArray.ByteArrayAccess' concrete type like+-- 'Crypto.Hash.Digest' to a 'Data.ByteString.ByteString'.+--+-- Algorithms and functions needing random bytes are based on type class+-- 'Crypto.Random.Types.MonadRandom'.  Implementation 'IO' uses a system source+-- of entropy.  It is also possible to use a 'Crypto.Random.Types.DRG' with+-- 'Crypto.Random.Types.MonadPseudoRandom'+--+-- Error conditions are returned with data type 'Crypto.Error.CryptoFailable'.+-- Functions in module "Crypto.Error" can convert those values to runtime+-- exceptions, 'Maybe' or 'Either' values. -import Crypto.Cipher.Types+-- $hash_algorithms+--+-- Hashing a complete message:+--+-- > import Crypto.Hash+-- >+-- > import Data.ByteString (ByteString)+-- >+-- > exampleHashWith :: ByteString -> IO ()+-- > exampleHashWith msg = do+-- >     putStrLn $ "  sha1(" ++ show msg ++ ") = " ++ show (hashWith SHA1   msg)+-- >     putStrLn $ "sha256(" ++ show msg ++ ") = " ++ show (hashWith SHA256 msg)+--+-- Hashing incrementally, with intermediate context allocations:+--+-- > {-# LANGUAGE OverloadedStrings #-}+-- >+-- > import Crypto.Hash+-- >+-- > import Data.ByteString (ByteString)+-- >+-- > exampleIncrWithAllocs :: IO ()+-- > exampleIncrWithAllocs = do+-- >     let ctx0 = hashInitWith SHA3_512+-- >         ctx1 = hashUpdate ctx0 ("The "   :: ByteString)+-- >         ctx2 = hashUpdate ctx1 ("quick " :: ByteString)+-- >         ctx3 = hashUpdate ctx2 ("brown " :: ByteString)+-- >         ctx4 = hashUpdate ctx3 ("fox "   :: ByteString)+-- >         ctx5 = hashUpdate ctx4 ("jumps " :: ByteString)+-- >         ctx6 = hashUpdate ctx5 ("over "  :: ByteString)+-- >         ctx7 = hashUpdate ctx6 ("the "   :: ByteString)+-- >         ctx8 = hashUpdate ctx7 ("lazy "  :: ByteString)+-- >         ctx9 = hashUpdate ctx8 ("dog"    :: ByteString)+-- >     print (hashFinalize ctx9)+--+-- Hashing incrementally, updating context in place:+--+-- > {-# LANGUAGE OverloadedStrings #-}+-- >+-- > import Crypto.Hash.Algorithms+-- > import Crypto.Hash.IO+-- >+-- > import Data.ByteString (ByteString)+-- >+-- > exampleIncrInPlace :: IO ()+-- > exampleIncrInPlace = do+-- >     ctx <- hashMutableInitWith SHA3_512+-- >     hashMutableUpdate ctx ("The "   :: ByteString)+-- >     hashMutableUpdate ctx ("quick " :: ByteString)+-- >     hashMutableUpdate ctx ("brown " :: ByteString)+-- >     hashMutableUpdate ctx ("fox "   :: ByteString)+-- >     hashMutableUpdate ctx ("jumps " :: ByteString)+-- >     hashMutableUpdate ctx ("over "  :: ByteString)+-- >     hashMutableUpdate ctx ("the "   :: ByteString)+-- >     hashMutableUpdate ctx ("lazy "  :: ByteString)+-- >     hashMutableUpdate ctx ("dog"    :: ByteString)+-- >     hashMutableFinalize ctx >>= print++-- $symmetric_block_ciphers+--+-- > {-# LANGUAGE OverloadedStrings #-}+-- > {-# LANGUAGE ScopedTypeVariables #-}+-- > {-# LANGUAGE GADTs #-}+-- >+-- > import           Crypto.Cipher.AES (AES256)+-- > import           Crypto.Cipher.Types (BlockCipher(..), Cipher(..), nullIV, KeySizeSpecifier(..), IV, makeIV)+-- > import           Crypto.Error (CryptoFailable(..), CryptoError(..))+-- >+-- > import qualified Crypto.Random.Types as CRT+-- >+-- > import           Data.ByteArray (ByteArray)+-- > import           Data.ByteString (ByteString)+-- >+-- > -- | Not required, but most general implementation+-- > data Key c a where+-- >   Key :: (BlockCipher c, ByteArray a) => a -> Key c a+-- >+-- > -- | Generates a string of bytes (key) of a specific length for a given block cipher+-- > genSecretKey :: forall m c a. (CRT.MonadRandom m, BlockCipher c, ByteArray a) => c -> Int -> m (Key c a)+-- > genSecretKey _ = fmap Key . CRT.getRandomBytes+-- >+-- > -- | Generate a random initialization vector for a given block cipher+-- > genRandomIV :: forall m c. (CRT.MonadRandom m, BlockCipher c) => c -> m (Maybe (IV c))+-- > genRandomIV _ = do+-- >   bytes :: ByteString <- CRT.getRandomBytes $ blockSize (undefined :: c)+-- >   return $ makeIV bytes+-- >+-- > -- | Initialize a block cipher+-- > initCipher :: (BlockCipher c, ByteArray a) => Key c a -> Either CryptoError c+-- > initCipher (Key k) = case cipherInit k of+-- >   CryptoFailed e -> Left e+-- >   CryptoPassed a -> Right a+-- >+-- > encrypt :: (BlockCipher c, ByteArray a) => Key c a -> IV c -> a -> Either CryptoError a+-- > encrypt secretKey initIV msg =+-- >   case initCipher secretKey of+-- >     Left e -> Left e+-- >     Right c -> Right $ ctrCombine c initIV msg+-- >+-- > decrypt :: (BlockCipher c, ByteArray a) => Key c a -> IV c -> a -> Either CryptoError a+-- > decrypt = encrypt+-- >+-- > exampleAES256 :: ByteString -> IO ()+-- > exampleAES256 msg = do+-- >   -- secret key needs 256 bits (32 * 8)+-- >   secretKey <- genSecretKey (undefined :: AES256) 32+-- >   mInitIV <- genRandomIV (undefined :: AES256)+-- >   case mInitIV of+-- >     Nothing -> error "Failed to generate and initialization vector."+-- >     Just initIV -> do+-- >       let encryptedMsg = encrypt secretKey initIV msg+-- >           decryptedMsg = decrypt secretKey initIV =<< encryptedMsg+-- >       case (,) <$> encryptedMsg <*> decryptedMsg of+-- >         Left err -> error $ show err+-- >         Right (eMsg, dMsg) -> do+-- >           putStrLn $ "Original Message: " ++ show msg+-- >           putStrLn $ "Message after encryption: " ++ show eMsg+-- >           putStrLn $ "Message after decryption: " ++ show dMsg++-- $combining_primitives+--+-- This example shows how to use Curve25519, XSalsa and Poly1305 primitives to+-- emulate NaCl's @crypto_box@ construct.+--+-- > import qualified Data.ByteArray as BA+-- > import           Data.ByteString (ByteString)+-- > import qualified Data.ByteString as B+-- >+-- > import qualified Crypto.Cipher.XSalsa as XSalsa+-- > import qualified Crypto.MAC.Poly1305 as Poly1305+-- > import qualified Crypto.PubKey.Curve25519 as X25519+-- >+-- > -- | Build a @crypto_box@ packet encrypting the specified content with a+-- > -- 192-bit nonce, receiver public key and sender private key.+-- > crypto_box content nonce pk sk = BA.convert tag `B.append` c+-- >   where+-- >     zero         = B.replicate 16 0+-- >     shared       = X25519.dh pk sk+-- >     (iv0, iv1)   = B.splitAt 8 nonce+-- >     state0       = XSalsa.initialize 20 shared (zero `B.append` iv0)+-- >     state1       = XSalsa.derive state0 iv1+-- >     (rs, state2) = XSalsa.generate state1 32+-- >     (c, _)       = XSalsa.combine state2 content+-- >     tag          = Poly1305.auth (rs :: ByteString) c+-- >+-- > -- | Try to open a @crypto_box@ packet and recover the content using the+-- > -- 192-bit nonce, sender public key and receiver private key.+-- > crypto_box_open packet nonce pk sk+-- >     | B.length packet < 16 = Nothing+-- >     | BA.constEq tag' tag  = Just content+-- >     | otherwise            = Nothing+-- >   where+-- >     (tag', c)    = B.splitAt 16 packet+-- >     zero         = B.replicate 16 0+-- >     shared       = X25519.dh pk sk+-- >     (iv0, iv1)   = B.splitAt 8 nonce+-- >     state0       = XSalsa.initialize 20 shared (zero `B.append` iv0)+-- >     state1       = XSalsa.derive state0 iv1+-- >     (rs, state2) = XSalsa.generate state1 32+-- >     (content, _) = XSalsa.combine state2 c+-- >     tag          = Poly1305.auth (rs :: ByteString) c
README.md view
@@ -16,13 +16,23 @@  Documentation: [cryptonite on hackage](http://hackage.haskell.org/package/cryptonite) +Stability+---------++Cryptonite APIs are stable, and we only strive to add, not change or remove.+Note that because the API exposed is wide and also expose internals things (for+power users and flexibility), certains APIs can be revised in extreme cases+where we can't just add.+ Versioning ---------- -Development versions are an incremental number prefixed by 0. There is no-API stability between development versions.+Next version of `0.x` is `0.(x+1)`. There's no exceptions, or API related meaning+behind the numbers. -Production versions : TBD+Each versions of stackage (going back 3 stable LTS) has a cryptonite version+that we maintain with security fixes when necessary and are versioned with the+following `0.x.y` scheme.  Coding Style ------------@@ -33,29 +43,7 @@ Support ------- -cryptonite supports the following platforms:--* Windows >= 8-* OSX >= 10.8-* Linux-* BSDs--On the following architectures:--* x86-64-* i386--On the following haskell versions:--* GHC 7.0.x-* GHC 7.4.x-* GHC 7.6.x-* GHC 7.8.x-* GHC 7.10.x--Further platforms and architectures probably work too, but since the-maintainer(s) don't have regular access to them, we can't commit to-further support.+See [Haskell packages guidelines](https://github.com/vincenthz/haskell-pkg-guidelines/blob/master/README.md#support)  Known Building Issues ---------------------@@ -64,6 +52,10 @@ with the lack of autodetection feature builtin in .cabal file, it is left on the user to disable the aesni. See the [Disabling AESNI] section +On CentOS 7 the default C compiler includes intrinsic header files incompatible+with per-function target options.  Solutions are to use GCC >= 4.9 or disable+flag *use_target_attributes* (see flag configuration examples below).+ Disabling AESNI --------------- @@ -84,6 +76,13 @@  For help with cabal flags, see: [stackoverflow : is there a way to define flags for cabal](http://stackoverflow.com/questions/23523869/is-there-any-way-to-define-flags-for-cabal-dependencies) +Enabling PCLMULDQ+-----------------++When the C toolchain supports it, enabling flag *support_pclmuldq* can bring+additional security and performance for AES GCM.  A CPU with the necessary+instruction set will use an alternate implementation selected at runtime.+ Links ----- @@ -100,5 +99,7 @@ * [Scrypt](http://www.tarsnap.com/scrypt.html) * [Curve25519](http://cr.yp.to/ecdh.html) * [Ed25519](http://ed25519.cr.yp.to/papers.html)+* [Ed448-Goldilocks](http://ed448goldilocks.sourceforge.net/)+* [EdDSA-test-vectors](http://www.ietf.org/rfc/rfc8032.txt) * [AFIS](http://clemens.endorphin.org/cryptography) 
+ benchs/Bench.hs view
@@ -0,0 +1,384 @@+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE ExistentialQuantification #-}+{-# LANGUAGE FlexibleContexts #-}+{-# LANGUAGE TypeFamilies #-}+module Main where++import Gauge.Main++import           Crypto.Cipher.AES+import qualified Crypto.Cipher.AESGCMSIV as AESGCMSIV+import           Crypto.Cipher.Blowfish+import           Crypto.Cipher.CAST5+import qualified Crypto.Cipher.ChaChaPoly1305 as CP+import           Crypto.Cipher.DES+import           Crypto.Cipher.Twofish+import           Crypto.Cipher.Types+import           Crypto.ECC+import           Crypto.Error+import           Crypto.Hash+import qualified Crypto.KDF.BCrypt as BCrypt+import qualified Crypto.KDF.PBKDF2 as PBKDF2+import           Crypto.Number.Basic (numBits)+import           Crypto.Number.Generate+import qualified Crypto.PubKey.DH as DH+import qualified Crypto.PubKey.ECC.Types as ECC+import qualified Crypto.PubKey.ECC.Prim as ECC+import qualified Crypto.PubKey.ECDSA as ECDSA+import qualified Crypto.PubKey.Ed25519 as Ed25519+import qualified Crypto.PubKey.EdDSA as EdDSA+import           Crypto.Random++import           Control.DeepSeq (NFData)+import           Data.ByteArray (ByteArray, Bytes)+import qualified Data.ByteString as B++import qualified Crypto.PubKey.ECC.P256 as P256++import Number.F2m++data HashAlg = forall alg . HashAlgorithm alg => HashAlg alg++benchHash =+    [ env oneKB $ \b -> bgroup "1KB" $ map (doHashBench b) hashAlgs+    , env oneMB $ \b -> bgroup "1MB" $ map (doHashBench b) hashAlgs+    ]+  where+    doHashBench b (name, HashAlg alg) = bench name $ nf (hashWith alg) b++    oneKB :: IO Bytes+    oneKB = getRandomBytes 1024++    oneMB :: IO Bytes+    oneMB = getRandomBytes $ 1024 * 1024++    hashAlgs =+        [ ("MD2", HashAlg MD2)+        , ("MD4", HashAlg MD4)+        , ("MD5", HashAlg MD5)+        , ("SHA1", HashAlg SHA1)+        , ("SHA224", HashAlg SHA224)+        , ("SHA256", HashAlg SHA256)+        , ("SHA384", HashAlg SHA384)+        , ("SHA512", HashAlg SHA512)+        , ("SHA512t_224", HashAlg SHA512t_224)+        , ("SHA512t_256", HashAlg SHA512t_256)+        , ("RIPEMD160", HashAlg RIPEMD160)+        , ("Tiger", HashAlg Tiger)+        --, ("Skein256-160", HashAlg Skein256_160)+        , ("Skein256-256", HashAlg Skein256_256)+        --, ("Skein512-160", HashAlg Skein512_160)+        , ("Skein512-384", HashAlg Skein512_384)+        , ("Skein512-512", HashAlg Skein512_512)+        --, ("Skein512-896", HashAlg Skein512_896)+        , ("Whirlpool", HashAlg Whirlpool)+        , ("Keccak-224", HashAlg Keccak_224)+        , ("Keccak-256", HashAlg Keccak_256)+        , ("Keccak-384", HashAlg Keccak_384)+        , ("Keccak-512", HashAlg Keccak_512)+        , ("SHA3-224", HashAlg SHA3_224)+        , ("SHA3-256", HashAlg SHA3_256)+        , ("SHA3-384", HashAlg SHA3_384)+        , ("SHA3-512", HashAlg SHA3_512)+        , ("Blake2b-160", HashAlg Blake2b_160)+        , ("Blake2b-224", HashAlg Blake2b_224)+        , ("Blake2b-256", HashAlg Blake2b_256)+        , ("Blake2b-384", HashAlg Blake2b_384)+        , ("Blake2b-512", HashAlg Blake2b_512)+        , ("Blake2s-160", HashAlg Blake2s_160)+        , ("Blake2s-224", HashAlg Blake2s_224)+        , ("Blake2s-256", HashAlg Blake2s_256)+        ]++benchPBKDF2 =+    [ bgroup "64"+        [ bench "cryptonite-PBKDF2-100-64" $ nf (pbkdf2 64) 100+        , bench "cryptonite-PBKDF2-1000-64" $ nf (pbkdf2 64) 1000+        , bench "cryptonite-PBKDF2-10000-64" $ nf (pbkdf2 64) 10000+        ]+    , bgroup "128"+        [ bench "cryptonite-PBKDF2-100-128" $ nf (pbkdf2 128) 100+        , bench "cryptonite-PBKDF2-1000-128" $ nf (pbkdf2 128) 1000+        , bench "cryptonite-PBKDF2-10000-128" $ nf (pbkdf2 128) 10000+        ]+    ]+  where+        pbkdf2 :: Int -> Int -> B.ByteString+        pbkdf2 n iter = PBKDF2.generate (PBKDF2.prfHMAC SHA512) (params n iter) mypass mysalt++        mypass, mysalt :: B.ByteString+        mypass = "password"+        mysalt = "salt"++        params n iter = PBKDF2.Parameters iter n++benchBCrypt =+    [ bench "cryptonite-BCrypt-4"  $ nf bcrypt 4+    , bench "cryptonite-BCrypt-5"  $ nf bcrypt 5+    , bench "cryptonite-BCrypt-7"  $ nf bcrypt 7+    , bench "cryptonite-BCrypt-11" $ nf bcrypt 11+    ]+  where+        bcrypt :: Int -> B.ByteString+        bcrypt cost = BCrypt.bcrypt cost mysalt mypass++        mypass, mysalt :: B.ByteString+        mypass = "password"+        mysalt = "saltsaltsaltsalt"++benchBlockCipher =+    [ bgroup "ECB" benchECB+    , bgroup "CBC" benchCBC+    ]+  where+        benchECB =+            [ bench "DES-input=1024" $ nf (run (undefined :: DES) cipherInit key8) input1024+            , bench "Blowfish128-input=1024" $ nf (run (undefined :: Blowfish128) cipherInit key16) input1024+            , bench "Twofish128-input=1024" $ nf (run (undefined :: Twofish128) cipherInit key16) input1024+            , bench "CAST5-128-input=1024" $ nf (run (undefined :: CAST5) cipherInit key16) input1024+            , bench "AES128-input=1024" $ nf (run (undefined :: AES128) cipherInit key16) input1024+            , bench "AES256-input=1024" $ nf (run (undefined :: AES256) cipherInit key32) input1024+            ]+          where run :: (ByteArray ba, ByteArray key, BlockCipher c)+                    => c -> (key -> CryptoFailable c) -> key -> ba -> ba+                run _witness initF key input =+                    (ecbEncrypt (throwCryptoError (initF key))) input++        benchCBC =+            [ bench "DES-input=1024" $ nf (run (undefined :: DES) cipherInit key8 iv8) input1024+            , bench "Blowfish128-input=1024" $ nf (run (undefined :: Blowfish128) cipherInit key16 iv8) input1024+            , bench "Twofish128-input=1024" $ nf (run (undefined :: Twofish128) cipherInit key16 iv16) input1024+            , bench "CAST5-128-input=1024" $ nf (run (undefined :: CAST5) cipherInit key16 iv8) input1024+            , bench "AES128-input=1024" $ nf (run (undefined :: AES128) cipherInit key16 iv16) input1024+            , bench "AES256-input=1024" $ nf (run (undefined :: AES256) cipherInit key32 iv16) input1024+            ]+          where run :: (ByteArray ba, ByteArray key, BlockCipher c)+                    => c -> (key -> CryptoFailable c) -> key -> IV c -> ba -> ba+                run _witness initF key iv input =+                    (cbcEncrypt (throwCryptoError (initF key))) iv input++        key8  = B.replicate 8 0+        key16 = B.replicate 16 0+        key32 = B.replicate 32 0+        input1024 = B.replicate 1024 0++        iv8 :: BlockCipher c => IV c+        iv8  = maybe (error "iv size 8") id  $ makeIV key8++        iv16 :: BlockCipher c => IV c+        iv16 = maybe (error "iv size 16") id $ makeIV key16++benchAE =+    [ bench "ChaChaPoly1305" $ nf (cp key32) (input64, input1024)+    , bench "AES-GCM" $ nf (gcm key32) (input64, input1024)+    , bench "AES-CCM" $ nf (ccm key32) (input64, input1024)+    , bench "AES-GCM-SIV" $ nf (gcmsiv key32) (input64, input1024)+    ]+  where cp k (ini, plain) =+            let iniState            = throwCryptoError $ CP.initialize k (throwCryptoError $ CP.nonce12 nonce12)+                afterAAD            = CP.finalizeAAD (CP.appendAAD ini iniState)+                (out, afterEncrypt) = CP.encrypt plain afterAAD+                outtag              = CP.finalize afterEncrypt+             in (outtag, out)++        gcm k (ini, plain) =+            let ctx = throwCryptoError (cipherInit k) :: AES256+                state = throwCryptoError $ aeadInit AEAD_GCM ctx nonce12+             in aeadSimpleEncrypt state ini plain 16++        ccm k (ini, plain) =+            let ctx = throwCryptoError (cipherInit k) :: AES256+                mode = AEAD_CCM 1024 CCM_M16 CCM_L3+                state = throwCryptoError $ aeadInit mode ctx nonce12+             in aeadSimpleEncrypt state ini plain 16++        gcmsiv k (ini, plain) =+            let ctx = throwCryptoError (cipherInit k) :: AES256+                iv = throwCryptoError (AESGCMSIV.nonce nonce12)+             in AESGCMSIV.encrypt ctx iv ini plain++        input64 = B.replicate 64 0+        input1024 = B.replicate 1024 0++        nonce12 :: B.ByteString+        nonce12 = B.replicate 12 0++        key32 = B.replicate 32 0++benchECC =+    [ bench "pointAddTwoMuls-baseline"  $ nf run_b (n1, p1, n2, p2)+    , bench "pointAddTwoMuls-optimized" $ nf run_o (n1, p1, n2, p2)+    , bench "pointAdd-ECC" $ nf run_c (p1, p2)+    , bench "pointMul-ECC" $ nf run_d (n1, p2)+    ]+  where run_b (n, p, k, q) = ECC.pointAdd c (ECC.pointMul c n p)+                                            (ECC.pointMul c k q)++        run_o (n, p, k, q) = ECC.pointAddTwoMuls c n p k q+        run_c (p, q) = ECC.pointAdd c p q+        run_d (n, p) = ECC.pointMul c n p++        c  = ECC.getCurveByName ECC.SEC_p256r1+        p1 = ECC.pointBaseMul c n1+        p2 = ECC.pointBaseMul c n2+        n1 = 0x2ba9daf2363b2819e69b34a39cf496c2458a9b2a21505ea9e7b7cbca42dc7435+        n2 = 0xf054a7f60d10b8c2cf847ee90e9e029f8b0e971b09ca5f55c4d49921a11fadc1++benchP256 =+    [ bench "pointAddTwoMuls-P256"  $ nf run_p (n1, p1, n2, p2)+    , bench "pointAdd-P256"  $ nf run_q (p1, p2)+    , bench "pointMul-P256"  $ nf run_t (n1, p1)+    ]+  where run_p (n, p, k, q) = P256.pointAdd (P256.pointMul n p) (P256.pointMul k q)+        run_q (p, q) = P256.pointAdd p q+        run_t (n, p) = P256.pointMul n p++        xS = 0xde2444bebc8d36e682edd27e0f271508617519b3221a8fa0b77cab3989da97c9+        yS = 0xc093ae7ff36e5380fc01a5aad1e66659702de80f53cec576b6350b243042a256+        xT = 0x55a8b00f8da1d44e62f6b3b25316212e39540dc861c89575bb8cf92e35e0986b+        yT = 0x5421c3209c2d6c704835d82ac4c3dd90f61a8a52598b9e7ab656e9d8c8b24316+        p1 = P256.pointFromIntegers (xS, yS)+        p2 = P256.pointFromIntegers (xT, yT)+        n1 = throwCryptoError $ P256.scalarFromInteger 0x2ba9daf2363b2819e69b34a39cf496c2458a9b2a21505ea9e7b7cbca42dc7435+        n2 = throwCryptoError $ P256.scalarFromInteger 0xf054a7f60d10b8c2cf847ee90e9e029f8b0e971b09ca5f55c4d49921a11fadc1++++benchFFDH = map doFFDHBench primes+  where+    doFFDHBench (e, p) =+        let bits = numBits p+            params = DH.Params { DH.params_p = p, DH.params_g = 2, DH.params_bits = bits }+         in env (generate e params) $ bench (show bits) . nf (run params)++    generate e params = do+        aPriv <- DH.PrivateNumber `fmap` generatePriv e+        bPriv <- DH.PrivateNumber `fmap` generatePriv e+        return (aPriv, DH.calculatePublic params bPriv)++    generatePriv e = generateParams e (Just SetHighest) False++    run params (priv, pub) = DH.getShared params priv pub++    -- RFC 7919: prime p with minimal size of exponent+    primes = [ (225, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B423861285C97FFFFFFFFFFFFFFFF)+             , (275, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF)+             , (325, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB7930E9E4E58857B6AC7D5F42D69F6D187763CF1D5503400487F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832A907600A918130C46DC778F971AD0038092999A333CB8B7A1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6AFFFFFFFFFFFFFFFF)+             , (375, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB7930E9E4E58857B6AC7D5F42D69F6D187763CF1D5503400487F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832A907600A918130C46DC778F971AD0038092999A333CB8B7A1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD9020BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA63BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3ACDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477A52471F7A9A96910B855322EDB6340D8A00EF092350511E30ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538CD72B03746AE77F5E62292C311562A846505DC82DB854338AE49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B045B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF)+             , (400, 0xFFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF97D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD65612433F51F5F066ED0856365553DED1AF3B557135E7F57C935984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE73530ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FBB96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB190B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F619172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD733BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C023861B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91CAEFE130985139270B4130C93BC437944F4FD4452E2D74DD364F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0DABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB7930E9E4E58857B6AC7D5F42D69F6D187763CF1D5503400487F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832A907600A918130C46DC778F971AD0038092999A333CB8B7A1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD9020BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA63BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3ACDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477A52471F7A9A96910B855322EDB6340D8A00EF092350511E30ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538CD72B03746AE77F5E62292C311562A846505DC82DB854338AE49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B045B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C8381E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665CB2C0F1CC01BD70229388839D2AF05E454504AC78B7582822846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA4571EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88CD68C8BB7C5C6424CFFFFFFFFFFFFFFFF)+             ]++data CurveDH = forall c . (EllipticCurveDH c, NFData (Scalar c), NFData (Point c)) => CurveDH c++benchECDH = map doECDHBench curves+  where+    doECDHBench (name, CurveDH c) =+        let proxy = Just c -- using Maybe as Proxy+         in env (generate proxy) $ bench name . nf (run proxy)++    generate proxy = do+        KeyPair _      aScalar <- curveGenerateKeyPair proxy+        KeyPair bPoint _       <- curveGenerateKeyPair proxy+        return (aScalar, bPoint)++    run proxy (s, p) = throwCryptoError (ecdh proxy s p)++    curves = [ ("P256R1", CurveDH Curve_P256R1)+             , ("P384R1", CurveDH Curve_P384R1)+             , ("P521R1", CurveDH Curve_P521R1)+             , ("X25519", CurveDH Curve_X25519)+             , ("X448",   CurveDH Curve_X448)+             ]++data CurveHashECDSA =+    forall curve hashAlg . (ECDSA.EllipticCurveECDSA curve,+                            NFData (Scalar curve),+                            NFData (Point curve),+                            HashAlgorithm hashAlg) => CurveHashECDSA curve hashAlg++benchECDSA = map doECDSABench curveHashes+  where+    doECDSABench (name, CurveHashECDSA c hashAlg) =+        let proxy = Just c -- using Maybe as Proxy+         in bgroup name+                [ env (signGenerate proxy) $ bench "sign" . nfIO . signRun proxy hashAlg+                , env (verifyGenerate proxy hashAlg) $ bench "verify" . nf (verifyRun proxy hashAlg)+                ]++    signGenerate proxy = do+        m <- tenKB+        s <- curveGenerateScalar proxy+        return (s, m)++    signRun proxy hashAlg (priv, msg) = ECDSA.sign proxy priv hashAlg msg++    verifyGenerate proxy hashAlg = do+        m <- tenKB+        KeyPair p s <- curveGenerateKeyPair proxy+        sig <- ECDSA.sign proxy s hashAlg m+        return (p, sig, m)++    verifyRun proxy hashAlg (pub, sig, msg) = ECDSA.verify proxy hashAlg pub sig msg++    tenKB :: IO Bytes+    tenKB = getRandomBytes 10240++    curveHashes = [ ("secp256r1_sha256", CurveHashECDSA Curve_P256R1 SHA256)+                  , ("secp384r1_sha384", CurveHashECDSA Curve_P384R1 SHA384)+                  , ("secp521r1_sha512", CurveHashECDSA Curve_P521R1 SHA512)+                  ]++benchEdDSA =+    [ bgroup "EdDSA-Ed25519" benchGenEd25519+    , bgroup "Ed25519"       benchEd25519+    ]+  where+    benchGen prx alg =+        [ bench "sign"   $ perBatchEnv (genEnv prx alg) (run_gen_sign   prx)+        , bench "verify" $ perBatchEnv (genEnv prx alg) (run_gen_verify prx)+        ]++    benchGenEd25519 = benchGen (Just Curve_Edwards25519) SHA512+    benchEd25519    =+        [ bench "sign"   $ perBatchEnv ed25519Env run_ed25519_sign+        , bench "verify" $ perBatchEnv ed25519Env run_ed25519_verify+        ]++    msg = B.empty -- empty message = worst-case scenario showing API overhead++    genEnv prx alg _ = do+        sec <- EdDSA.generateSecretKey prx+        let pub = EdDSA.toPublic prx alg sec+            sig = EdDSA.sign prx sec pub msg+        return (sec, pub, sig)++    run_gen_sign prx (sec, pub, _) = return (EdDSA.sign prx sec pub msg)++    run_gen_verify prx (_, pub, sig) = return (EdDSA.verify prx pub msg sig)++    ed25519Env _ = do+        sec <- Ed25519.generateSecretKey+        let pub = Ed25519.toPublic sec+            sig = Ed25519.sign sec pub msg+        return (sec, pub, sig)++    run_ed25519_sign (sec, pub, _) = return (Ed25519.sign sec pub msg)++    run_ed25519_verify (_, pub, sig) = return (Ed25519.verify pub msg sig)++main = defaultMain+    [ bgroup "hash" benchHash+    , bgroup "block-cipher" benchBlockCipher+    , bgroup "AE" benchAE+    , bgroup "pbkdf2" benchPBKDF2+    , bgroup "bcrypt" benchBCrypt+    , bgroup "ECC" benchECC+    , bgroup "P256" benchP256+    , bgroup "DH"+          [ bgroup "FFDH" benchFFDH+          , bgroup "ECDH" benchECDH+          ]+    , bgroup "ECDSA" benchECDSA+    , bgroup "EdDSA" benchEdDSA+    , bgroup "F2m" benchF2m+    ]
+ benchs/Number/F2m.hs view
@@ -0,0 +1,53 @@+{-# LANGUAGE PackageImports #-}++module Number.F2m (benchF2m) where++import Gauge.Main+import System.Random++import Crypto.Number.Basic (log2)+import Crypto.Number.F2m++genInteger :: Int -> Int -> Integer+genInteger salt bits+    = head+    . dropWhile ((< bits) . log2)+    . scanl (\a r -> a * 2^(31 :: Int) + abs r) 0+    . randoms+    . mkStdGen+    $ salt + bits++benchMod :: Int -> Benchmark+benchMod bits = bench (show bits) $ nf (modF2m m) a+  where+    m = genInteger 0 bits+    a = genInteger 1 (2 * bits)++benchMul :: Int -> Benchmark+benchMul bits = bench (show bits) $ nf (mulF2m m a) b+  where+    m = genInteger 0 bits+    a = genInteger 1 bits+    b = genInteger 2 bits++benchSquare :: Int -> Benchmark+benchSquare bits = bench (show bits) $ nf (squareF2m m) a+  where+    m = genInteger 0 bits+    a = genInteger 1 bits++benchInv :: Int -> Benchmark+benchInv bits = bench (show bits) $ nf (invF2m m) a+  where+    m = genInteger 0 bits+    a = genInteger 1 bits++bitsList :: [Int]+bitsList = [64, 128, 256, 512, 1024, 2048]++benchF2m =+    [ bgroup    "modF2m" $ map benchMod    bitsList+    , bgroup    "mulF2m" $ map benchMul    bitsList+    , bgroup "squareF2m" $ map benchSquare bitsList+    , bgroup    "invF2m" $ map benchInv    bitsList+    ]
cbits/aes/block128.h view
@@ -32,6 +32,7 @@ #define BLOCK128_H  #include <cryptonite_bitfn.h>+#include <cryptonite_align.h>  typedef union {        uint64_t q[2];@@ -40,40 +41,80 @@        uint8_t  b[16]; } block128; -static inline void block128_copy_bytes(block128 *block, uint8_t *src, uint32_t len)+static inline void block128_copy_bytes(block128 *block, const uint8_t *src, uint32_t len) { 	int i; 	for (i = 0; i < len; i++) block->b[i] = src[i]; } -static inline void block128_copy(block128 *d, const block128 *s)+static inline void block128_copy_aligned(block128 *d, const block128 *s) { 	d->q[0] = s->q[0]; d->q[1] = s->q[1]; } +static inline void block128_copy(block128 *d, const block128 *s)+{+	if (need_alignment(d, 8) || need_alignment(s, 8)) {+		block128_copy_bytes(d, (const uint8_t *) s, 16);+	} else {+		block128_copy_aligned(d, s);+	}+}+ static inline void block128_zero(block128 *d) { 	d->q[0] = 0; d->q[1] = 0; } -static inline void block128_xor(block128 *d, const block128 *s)+static inline void block128_xor_bytes(block128 *block, const uint8_t *src, uint32_t len) {+	int i;+	for (i = 0; i < len; i++) block->b[i] ^= src[i];+}++static inline void block128_xor_aligned(block128 *d, const block128 *s)+{ 	d->q[0] ^= s->q[0]; 	d->q[1] ^= s->q[1]; } -static inline void block128_vxor(block128 *d, const block128 *s1, const block128 *s2)+static inline void block128_xor(block128 *d, const block128 *s) {+	if (need_alignment(d, 8) || need_alignment(s, 8)) {+		block128_xor_bytes(d, (const uint8_t *) s, 16);+	} else {+		block128_xor_aligned(d, s);+	}+}++static inline void block128_vxor_bytes(block128 *block, const uint8_t *src1, const uint8_t *src2, uint32_t len)+{+	int i;+	for (i = 0; i < len; i++) block->b[i] = src1[i] ^ src2[i];+}++static inline void block128_vxor_aligned(block128 *d, const block128 *s1, const block128 *s2)+{ 	d->q[0] = s1->q[0] ^ s2->q[0]; 	d->q[1] = s1->q[1] ^ s2->q[1]; } -static inline void block128_xor_bytes(block128 *block, uint8_t *src, uint32_t len)+static inline void block128_vxor(block128 *d, const block128 *s1, const block128 *s2) {-	int i;-	for (i = 0; i < len; i++) block->b[i] ^= src[i];+	if (need_alignment(d, 8) || need_alignment(s1, 8) || need_alignment(s2, 8)) {+		block128_vxor_bytes(d, (const uint8_t *) s1, (const uint8_t *) s2, 16);+	} else {+		block128_vxor_aligned(d, s1, s2);+	} } +static inline void block128_byte_reverse(block128 *a)+{+	uint64_t s0 = a->q[0], s1 = a->q[1];+	a->q[0] = bitfn_swap64(s1);+	a->q[1] = bitfn_swap64(s0);+}+ static inline void block128_inc_be(block128 *b) { 	uint64_t v = be64_to_cpu(b->q[1]);@@ -82,6 +123,16 @@ 		b->q[1] = 0; 	} else 		b->q[1] = cpu_to_be64(v);+}++static inline void block128_inc32_be(block128 *b)+{+	b->d[3] = cpu_to_be32(be32_to_cpu(b->d[3]) + 1);+}++static inline void block128_inc32_le(block128 *b)+{+	b->d[0] = cpu_to_le32(le32_to_cpu(b->d[0]) + 1); }  #ifdef IMPL_DEBUG
cbits/aes/generic.c view
@@ -324,21 +324,22 @@ static void aes_main(aes_key *key, uint8_t *state) { 	int i = 0;-	uint8_t rk[16];+	uint32_t rk[4];+	uint8_t *rkptr = (uint8_t *) rk; -	create_round_key(key->data, rk);-	add_round_key(state, rk);+	create_round_key(key->data, rkptr);+	add_round_key(state, rkptr);  	for (i = 1; i < key->nbr; i++) {-		create_round_key(key->data + 16 * i, rk);+		create_round_key(key->data + 16 * i, rkptr); 		shift_rows(state); 		mix_columns(state);-		add_round_key(state, rk);+		add_round_key(state, rkptr); 	} -	create_round_key(key->data + 16 * key->nbr, rk);+	create_round_key(key->data + 16 * key->nbr, rkptr); 	shift_rows(state);-	add_round_key(state, rk);+	add_round_key(state, rkptr); }  static void shift_rows_inv(uint8_t *state)@@ -374,21 +375,22 @@ static void aes_main_inv(aes_key *key, uint8_t *state) { 	int i = 0;-	uint8_t rk[16];+	uint32_t rk[4];+	uint8_t *rkptr = (uint8_t *) rk; -	create_round_key(key->data + 16 * key->nbr, rk);-	add_round_key(state, rk);+	create_round_key(key->data + 16 * key->nbr, rkptr);+	add_round_key(state, rkptr);  	for (i = key->nbr - 1; i > 0; i--) {-		create_round_key(key->data + 16 * i, rk);+		create_round_key(key->data + 16 * i, rkptr); 		shift_rows_inv(state);-		add_round_key(state, rk);+		add_round_key(state, rkptr); 		mix_columns_inv(state); 	} -	create_round_key(key->data, rk);+	create_round_key(key->data, rkptr); 	shift_rows_inv(state);-	add_round_key(state, rk);+	add_round_key(state, rkptr); }  /* Set the block values, for the block:@@ -405,26 +407,28 @@  void cryptonite_aes_generic_encrypt_block(aes_block *output, aes_key *key, aes_block *input) {-	uint8_t block[16];-	uint8_t *iptr, *optr;+	uint32_t block[4];+	uint8_t *iptr, *optr, *bptr;  	iptr = (uint8_t *) input; 	optr = (uint8_t *) output;-	swap_block(block, iptr);-	aes_main(key, block);-	swap_block(optr, block);+	bptr = (uint8_t *) block;+	swap_block(bptr, iptr);+	aes_main(key, bptr);+	swap_block(optr, bptr); }  void cryptonite_aes_generic_decrypt_block(aes_block *output, aes_key *key, aes_block *input) {-	uint8_t block[16];-	uint8_t *iptr, *optr;+	uint32_t block[4];+	uint8_t *iptr, *optr, *bptr;  	iptr = (uint8_t *) input; 	optr = (uint8_t *) output;-	swap_block(block, iptr);-	aes_main_inv(key, block);-	swap_block(optr, block);+	bptr = (uint8_t *) block;+	swap_block(bptr, iptr);+	aes_main_inv(key, bptr);+	swap_block(optr, bptr); }  void cryptonite_aes_generic_init(aes_key *key, uint8_t *origkey, uint8_t size)
cbits/aes/gf.c view
@@ -34,39 +34,113 @@ #include <aes/gf.h> #include <aes/x86ni.h> -/* this is a really inefficient way to GF multiply.- * the alternative without hw accel is building small tables- * to speed up the multiplication.- * TODO: optimise with tables+/* inplace GFMUL for xts mode */+void cryptonite_aes_generic_gf_mulx(block128 *a)+{+	const uint64_t gf_mask = cpu_to_le64(0x8000000000000000ULL);+	uint64_t r = ((a->q[1] & gf_mask) ? cpu_to_le64(0x87) : 0);+	a->q[1] = cpu_to_le64((le64_to_cpu(a->q[1]) << 1) | (a->q[0] & gf_mask ? 1 : 0));+	a->q[0] = cpu_to_le64(le64_to_cpu(a->q[0]) << 1) ^ r;+}+++/*+ * GF multiplication with Shoup's method and 4-bit table.+ *+ * We precompute the products of H with all 4-bit polynomials and store them in+ * a 'table_4bit' array.  To avoid unnecessary byte swapping, the 16 blocks are+ * written to the table with qwords already converted to CPU order.  Table+ * indices use the reflected bit ordering, i.e. polynomials X^0, X^1, X^2, X^3+ * map to bit positions 3, 2, 1, 0 respectively.+ *+ * To multiply an arbitrary block with H, the input block is decomposed in 4-bit+ * segments.  We get the final result after 32 table lookups and additions, one+ * for each segment, interleaving multiplication by P(X)=X^4.  */-void cryptonite_gf_mul(block128 *a, block128 *b)++/* convert block128 qwords between BE and CPU order */+static inline void block128_cpu_swap_be(block128 *a, const block128 *b) {-	uint64_t a0, a1, v0, v1;+	a->q[1] = cpu_to_be64(b->q[1]);+	a->q[0] = cpu_to_be64(b->q[0]);+}++/* multiplication by P(X)=X, assuming qwords already in CPU order */+static inline void cpu_gf_mulx(block128 *a, const block128 *b)+{+	uint64_t v0 = b->q[0];+	uint64_t v1 = b->q[1];+	a->q[1] = v1 >> 1 | v0 << 63;+	a->q[0] = v0 >> 1 ^ ((0-(v1 & 1)) & 0xe100000000000000ULL);+}++static const uint64_t r4_0[] =+	{ 0x0000000000000000ULL, 0x1c20000000000000ULL+	, 0x3840000000000000ULL, 0x2460000000000000ULL+	, 0x7080000000000000ULL, 0x6ca0000000000000ULL+	, 0x48c0000000000000ULL, 0x54e0000000000000ULL+	, 0xe100000000000000ULL, 0xfd20000000000000ULL+	, 0xd940000000000000ULL, 0xc560000000000000ULL+	, 0x9180000000000000ULL, 0x8da0000000000000ULL+	, 0xa9c0000000000000ULL, 0xb5e0000000000000ULL+	};++/* multiplication by P(X)=X^4, assuming qwords already in CPU order */+static inline void cpu_gf_mulx4(block128 *a, const block128 *b)+{+	uint64_t v0 = b->q[0];+	uint64_t v1 = b->q[1];+	a->q[1] = v1 >> 4 | v0 << 60;+	a->q[0] = v0 >> 4 ^ r4_0[v1 & 0xf];+}++/* initialize the 4-bit table given H */+void cryptonite_aes_generic_hinit(table_4bit htable, const block128 *h)+{+	block128 v, *p; 	int i, j; -	a0 = a1 = 0;-	v0 = cpu_to_be64(a->q[0]);-	v1 = cpu_to_be64(a->q[1]);+	/* multiplication by 0 is 0 */+	block128_zero(&htable[0]); -	for (i = 0; i < 16; i++)-		for (j = 0x80; j != 0; j >>= 1) {-			uint8_t x = b->b[i] & j;-			a0 ^= x ? v0 : 0;-			a1 ^= x ? v1 : 0;-			x = (uint8_t) v1 & 1;-			v1 = (v1 >> 1) | (v0 << 63);-			v0 = (v0 >> 1) ^ (x ? (0xe1ULL << 56) : 0);+	/* at index 8=2^3 we have H.X^0 = H */+	i = 8;+	block128_cpu_swap_be(&htable[i], h); /* in CPU order */+	p = &htable[i];++	/* for other powers of 2, repeat multiplication by P(X)=X */+	for (i = 4; i > 0; i >>= 1)+	{+		cpu_gf_mulx(&htable[i], p);+		p = &htable[i];+	}++	/* remaining elements are linear combinations */+	for (i = 2; i < 16; i <<= 1) {+		p = &htable[i];+		v = *p;+		for (j = 1; j < i; j++) {+			p[j] = v;+			block128_xor_aligned(&p[j], &htable[j]); 		}-	a->q[0] = cpu_to_be64(a0);-	a->q[1] = cpu_to_be64(a1);+	} } -/* inplace GFMUL for xts mode */-void cryptonite_gf_mulx(block128 *a)+/* multiply a block with H */+void cryptonite_aes_generic_gf_mul(block128 *a, const table_4bit htable) {-	const uint64_t gf_mask = cpu_to_le64(0x8000000000000000ULL);-	uint64_t r = ((a->q[1] & gf_mask) ? cpu_to_le64(0x87) : 0);-	a->q[1] = cpu_to_le64((le64_to_cpu(a->q[1]) << 1) | (a->q[0] & gf_mask ? 1 : 0));-	a->q[0] = cpu_to_le64(le64_to_cpu(a->q[0]) << 1) ^ r;+	block128 b;+	int i;+	block128_zero(&b);+	for (i = 15; i >= 0; i--)+	{+		uint8_t v = a->b[i];+		block128_xor_aligned(&b, &htable[v & 0xf]); /* high bits (reflected) */+		cpu_gf_mulx4(&b, &b);+		block128_xor_aligned(&b, &htable[v >> 4]);  /* low bits (reflected) */+		if (i > 0)+			cpu_gf_mulx4(&b, &b);+		else+			block128_cpu_swap_be(a, &b); /* restore BE order when done */+	} }-
cbits/aes/gf.h view
@@ -32,7 +32,11 @@  #include "aes/block128.h" -void cryptonite_gf_mul(block128 *a, block128 *b);-void cryptonite_gf_mulx(block128 *a);+typedef block128 table_4bit[16];++void cryptonite_aes_generic_gf_mulx(block128 *a);++void cryptonite_aes_generic_hinit(table_4bit htable, const block128 *h);+void cryptonite_aes_generic_gf_mul(block128 *a, const table_4bit htable);  #endif
cbits/aes/x86ni.c view
@@ -35,6 +35,7 @@ #include <string.h> #include <cryptonite_aes.h> #include <cryptonite_cpu.h>+#include <aes/gf.h> #include <aes/x86ni.h> #include <aes/block128.h> @@ -45,6 +46,7 @@ /* old GCC version doesn't cope with the shuffle parameters, that can take 2 values (0xff and 0xaa)  * in our case, passed as argument despite being a immediate 8 bits constant anyway.  * un-factorise aes_128_key_expansion into 2 version that have the shuffle parameter explicitly set */+TARGET_AESNI static __m128i aes_128_key_expansion_ff(__m128i key, __m128i keygened) { 	keygened = _mm_shuffle_epi32(keygened, 0xff);@@ -54,6 +56,7 @@ 	return _mm_xor_si128(key, keygened); } +TARGET_AESNI static __m128i aes_128_key_expansion_aa(__m128i key, __m128i keygened) { 	keygened = _mm_shuffle_epi32(keygened, 0xaa);@@ -63,6 +66,7 @@ 	return _mm_xor_si128(key, keygened); } +TARGET_AESNI void cryptonite_aesni_init(aes_key *key, uint8_t *ikey, uint8_t size) { 	__m128i k[28];@@ -144,6 +148,7 @@ /* TO OPTIMISE: use pcmulqdq... or some faster code.  * this is the lamest way of doing it, but i'm out of time.  * this is basically a copy of gf_mulx in gf.c */+TARGET_AESNI static __m128i gfmulx(__m128i v) { 	uint64_t v_[2] ALIGNMENT(16);@@ -157,38 +162,113 @@ 	return v; } -static void unopt_gf_mul(block128 *a, block128 *b)+TARGET_AESNI+static __m128i gfmul_generic(__m128i tag, const table_4bit htable) {-	uint64_t a0, a1, v0, v1;-	int i, j;+	aes_block _t;+	_mm_store_si128((__m128i *) &_t, tag);+	cryptonite_aes_generic_gf_mul(&_t, htable);+	tag = _mm_load_si128((__m128i *) &_t);+	return tag;+} -	a0 = a1 = 0;-	v0 = cpu_to_be64(a->q[0]);-	v1 = cpu_to_be64(a->q[1]);+#ifdef WITH_PCLMUL -	for (i = 0; i < 16; i++)-		for (j = 0x80; j != 0; j >>= 1) {-			uint8_t x = b->b[i] & j;-			a0 ^= x ? v0 : 0;-			a1 ^= x ? v1 : 0;-			x = (uint8_t) v1 & 1;-			v1 = (v1 >> 1) | (v0 << 63);-			v0 = (v0 >> 1) ^ (x ? (0xe1ULL << 56) : 0);-		}-	a->q[0] = cpu_to_be64(a0);-	a->q[1] = cpu_to_be64(a1);+__m128i (*gfmul_branch_ptr)(__m128i a, const table_4bit t) = gfmul_generic;+#define gfmul(a,t) ((*gfmul_branch_ptr)(a,t))++/* See Intel carry-less-multiplication-instruction-in-gcm-mode-paper.pdf+ *+ * Adapted from figure 5, with additional byte swapping so that interface+ * is simimar to cryptonite_aes_generic_gf_mul.+ */+TARGET_AESNI_PCLMUL+static __m128i gfmul_pclmuldq(__m128i a, const table_4bit htable)+{+	__m128i b, tmp2, tmp3, tmp4, tmp5, tmp6, tmp7, tmp8, tmp9;+	__m128i bswap_mask = _mm_set_epi8(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15);++	a = _mm_shuffle_epi8(a, bswap_mask);+	b = _mm_loadu_si128((__m128i *) htable);++	tmp3 = _mm_clmulepi64_si128(a, b, 0x00);+	tmp4 = _mm_clmulepi64_si128(a, b, 0x10);+	tmp5 = _mm_clmulepi64_si128(a, b, 0x01);+	tmp6 = _mm_clmulepi64_si128(a, b, 0x11);++	tmp4 = _mm_xor_si128(tmp4, tmp5);+	tmp5 = _mm_slli_si128(tmp4, 8);+	tmp4 = _mm_srli_si128(tmp4, 8);+	tmp3 = _mm_xor_si128(tmp3, tmp5);+	tmp6 = _mm_xor_si128(tmp6, tmp4);++	tmp7 = _mm_srli_epi32(tmp3, 31);+	tmp8 = _mm_srli_epi32(tmp6, 31);+	tmp3 = _mm_slli_epi32(tmp3, 1);+	tmp6 = _mm_slli_epi32(tmp6, 1);++	tmp9 = _mm_srli_si128(tmp7, 12);+	tmp8 = _mm_slli_si128(tmp8, 4);+	tmp7 = _mm_slli_si128(tmp7, 4);+	tmp3 = _mm_or_si128(tmp3, tmp7);+	tmp6 = _mm_or_si128(tmp6, tmp8);+	tmp6 = _mm_or_si128(tmp6, tmp9);++	tmp7 = _mm_slli_epi32(tmp3, 31);+	tmp8 = _mm_slli_epi32(tmp3, 30);+	tmp9 = _mm_slli_epi32(tmp3, 25);++	tmp7 = _mm_xor_si128(tmp7, tmp8);+	tmp7 = _mm_xor_si128(tmp7, tmp9);+	tmp8 = _mm_srli_si128(tmp7, 4);+	tmp7 = _mm_slli_si128(tmp7, 12);+	tmp3 = _mm_xor_si128(tmp3, tmp7);++	tmp2 = _mm_srli_epi32(tmp3, 1);+	tmp4 = _mm_srli_epi32(tmp3, 2);+	tmp5 = _mm_srli_epi32(tmp3, 7);+	tmp2 = _mm_xor_si128(tmp2, tmp4);+	tmp2 = _mm_xor_si128(tmp2, tmp5);+	tmp2 = _mm_xor_si128(tmp2, tmp8);+	tmp3 = _mm_xor_si128(tmp3, tmp2);+	tmp6 = _mm_xor_si128(tmp6, tmp3);++	return _mm_shuffle_epi8(tmp6, bswap_mask); } -static __m128i ghash_add(__m128i tag, __m128i h, __m128i m)+void cryptonite_aesni_hinit_pclmul(table_4bit htable, const block128 *h) {-	aes_block _t, _h;-	tag = _mm_xor_si128(tag, m);+	/* When pclmul is active we don't need to fill the table.  Instead we just+	 * store H at index 0.  It is written in reverse order, so function+	 * gfmul_pclmuldq will not byte-swap this value.+	 */+	htable->q[0] = bitfn_swap64(h->q[1]);+	htable->q[1] = bitfn_swap64(h->q[0]);+} -	_mm_store_si128((__m128i *) &_t, tag);-	_mm_store_si128((__m128i *) &_h, h);-	unopt_gf_mul(&_t, &_h);-	tag = _mm_load_si128((__m128i *) &_t);-	return tag;+TARGET_AESNI_PCLMUL+void cryptonite_aesni_gf_mul_pclmul(block128 *a, const table_4bit htable)+{+	__m128i _a, _b;+	_a = _mm_loadu_si128((__m128i *) a);+	_b = gfmul_pclmuldq(_a, htable);+	_mm_storeu_si128((__m128i *) a, _b);+}++void cryptonite_aesni_init_pclmul(void)+{+	gfmul_branch_ptr = gfmul_pclmuldq;+}++#else+#define gfmul(a,t) (gfmul_generic(a,t))+#endif++TARGET_AESNI+static inline __m128i ghash_add(__m128i tag, const table_4bit htable, __m128i m)+{+	tag = _mm_xor_si128(tag, m);+	return gfmul(tag, htable); }  #define PRELOAD_ENC_KEYS128(k) \
cbits/aes/x86ni.h view
@@ -40,7 +40,16 @@ #include <cryptonite_aes.h> #include <aes/block128.h> +#ifdef WITH_TARGET_ATTRIBUTES+#define TARGET_AESNI __attribute__((target("ssse3,aes")))+#define TARGET_AESNI_PCLMUL __attribute__((target("sse4.1,aes,pclmul")))+#else+#define TARGET_AESNI+#define TARGET_AESNI_PCLMUL+#endif+ #ifdef IMPL_DEBUG+TARGET_AESNI static void block128_sse_print(__m128i m) { 	block128 b;@@ -64,6 +73,8 @@ void cryptonite_aesni_decrypt_cbc256(aes_block *out, aes_key *key, aes_block *_iv, aes_block *in, uint32_t blocks); void cryptonite_aesni_encrypt_ctr128(uint8_t *out, aes_key *key, aes_block *_iv, uint8_t *in, uint32_t length); void cryptonite_aesni_encrypt_ctr256(uint8_t *out, aes_key *key, aes_block *_iv, uint8_t *in, uint32_t length);+void cryptonite_aesni_encrypt_c32_128(uint8_t *out, aes_key *key, aes_block *_iv, uint8_t *in, uint32_t length);+void cryptonite_aesni_encrypt_c32_256(uint8_t *out, aes_key *key, aes_block *_iv, uint8_t *in, uint32_t length); void cryptonite_aesni_encrypt_xts128(aes_block *out, aes_key *key1, aes_key *key2,                            aes_block *_tweak, uint32_t spoint, aes_block *in, uint32_t blocks); void cryptonite_aesni_encrypt_xts256(aes_block *out, aes_key *key1, aes_key *key2,@@ -72,7 +83,11 @@ void cryptonite_aesni_gcm_encrypt128(uint8_t *out, aes_gcm *gcm, aes_key *key, uint8_t *in, uint32_t length); void cryptonite_aesni_gcm_encrypt256(uint8_t *out, aes_gcm *gcm, aes_key *key, uint8_t *in, uint32_t length); -void gf_mul_x86ni(block128 *res, block128 *a_, block128 *b_);+#ifdef WITH_PCLMUL+void cryptonite_aesni_init_pclmul(void);+void cryptonite_aesni_hinit_pclmul(table_4bit htable, const block128 *h);+void cryptonite_aesni_gf_mul_pclmul(block128 *a, const table_4bit htable);+#endif  #endif 
cbits/aes/x86ni_impl.c view
@@ -28,6 +28,7 @@  * SUCH DAMAGE.  */ +TARGET_AESNI void SIZED(cryptonite_aesni_encrypt_block)(aes_block *out, aes_key *key, aes_block *in) { 	__m128i *k = (__m128i *) key->data;@@ -37,6 +38,7 @@ 	_mm_storeu_si128((__m128i *) out, m); } +TARGET_AESNI void SIZED(cryptonite_aesni_decrypt_block)(aes_block *out, aes_key *key, aes_block *in) { 	__m128i *k = (__m128i *) key->data;@@ -46,6 +48,7 @@ 	_mm_storeu_si128((__m128i *) out, m); } +TARGET_AESNI void SIZED(cryptonite_aesni_encrypt_ecb)(aes_block *out, aes_key *key, aes_block *in, uint32_t blocks) { 	__m128i *k = (__m128i *) key->data;@@ -58,6 +61,7 @@ 	} } +TARGET_AESNI void SIZED(cryptonite_aesni_decrypt_ecb)(aes_block *out, aes_key *key, aes_block *in, uint32_t blocks) { 	__m128i *k = (__m128i *) key->data;@@ -71,6 +75,7 @@ 	} } +TARGET_AESNI void SIZED(cryptonite_aesni_encrypt_cbc)(aes_block *out, aes_key *key, aes_block *_iv, aes_block *in, uint32_t blocks) { 	__m128i *k = (__m128i *) key->data;@@ -87,6 +92,7 @@ 	} } +TARGET_AESNI void SIZED(cryptonite_aesni_decrypt_cbc)(aes_block *out, aes_key *key, aes_block *_iv, aes_block *in, uint32_t blocks) { 	__m128i *k = (__m128i *) key->data;@@ -106,6 +112,7 @@ 	} } +TARGET_AESNI void SIZED(cryptonite_aesni_encrypt_ctr)(uint8_t *output, aes_key *key, aes_block *_iv, uint8_t *input, uint32_t len) { 	__m128i *k = (__m128i *) key->data;@@ -151,6 +158,49 @@ 	return ; } +TARGET_AESNI+void SIZED(cryptonite_aesni_encrypt_c32_)(uint8_t *output, aes_key *key, aes_block *_iv, uint8_t *input, uint32_t len)+{+	__m128i *k = (__m128i *) key->data;+	__m128i one        = _mm_set_epi32(0,0,0,1);+	uint32_t nb_blocks = len / 16;+	uint32_t part_block_len = len % 16;++	/* get the IV */+	__m128i iv = _mm_loadu_si128((__m128i *) _iv);++	PRELOAD_ENC(k);++	for (; nb_blocks-- > 0; output += 16, input += 16) {+		/* encrypt the iv and and xor it the input block */+		__m128i tmp = iv;+		DO_ENC_BLOCK(tmp);+		__m128i m = _mm_loadu_si128((__m128i *) input);+		m = _mm_xor_si128(m, tmp);++		_mm_storeu_si128((__m128i *) output, m);+		/* iv += 1 */+		iv = _mm_add_epi32(iv, one);+	}++	if (part_block_len != 0) {+		aes_block block;+		memset(&block.b, 0, 16);+		memcpy(&block.b, input, part_block_len);++		__m128i m = _mm_loadu_si128((__m128i *) &block);+		__m128i tmp = iv;++		DO_ENC_BLOCK(tmp);+		m = _mm_xor_si128(m, tmp);+		_mm_storeu_si128((__m128i *) &block.b, m);+		memcpy(output, &block.b, part_block_len);+	}++	return ;+}++TARGET_AESNI void SIZED(cryptonite_aesni_encrypt_xts)(aes_block *out, aes_key *key1, aes_key *key2,                                aes_block *_tweak, uint32_t spoint, aes_block *in, uint32_t blocks) {@@ -181,6 +231,7 @@ 	} while (0); } +TARGET_AESNI void SIZED(cryptonite_aesni_gcm_encrypt)(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length) { 	__m128i *k = (__m128i *) key->data;@@ -191,7 +242,6 @@  	gcm->length_input += length; -	__m128i h  = _mm_loadu_si128((__m128i *) &gcm->h); 	__m128i tag = _mm_loadu_si128((__m128i *) &gcm->tag); 	__m128i iv = _mm_loadu_si128((__m128i *) &gcm->civ); 	iv = _mm_shuffle_epi8(iv, bswap_mask);@@ -200,7 +250,7 @@  	for (; nb_blocks-- > 0; output += 16, input += 16) { 		/* iv += 1 */-		iv = _mm_add_epi64(iv, one);+		iv = _mm_add_epi32(iv, one);  		/* put back iv in big endian, encrypt it, 		 * and xor it to input */@@ -209,7 +259,7 @@ 		__m128i m = _mm_loadu_si128((__m128i *) input); 		m = _mm_xor_si128(m, tmp); -		tag = ghash_add(tag, h, m);+		tag = ghash_add(tag, gcm->htable, m);  		/* store it out */ 		_mm_storeu_si128((__m128i *) output, m);@@ -240,7 +290,7 @@ 		block128_copy_bytes(&block, input, part_block_len);  		/* iv += 1 */-		iv = _mm_add_epi64(iv, one);+		iv = _mm_add_epi32(iv, one);  		/* put back iv in big endian mode, encrypt it and xor it with input */ 		__m128i tmp = _mm_shuffle_epi8(iv, bswap_mask);@@ -250,7 +300,7 @@ 		m = _mm_xor_si128(m, tmp); 		m = _mm_shuffle_epi8(m, mask); -		tag = ghash_add(tag, h, m);+		tag = ghash_add(tag, gcm->htable, m);  		/* make output */ 		_mm_storeu_si128((__m128i *) &block.b, m);
cbits/argon2/core.c view
@@ -4,7 +4,7 @@  * Copyright 2015  * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves  *- * You may use this work under the terms of a Creative Commons CC0 1.0 + * You may use this work under the terms of a Creative Commons CC0 1.0  * License/Waiver or the Apache Public License 2.0, at your option. The terms of  * these licenses can be found at:  *@@ -83,25 +83,25 @@     } while ((void)0, 0)      if (outlen <= BLAKE2B_OUTBYTES) {-        TRY(blake2b_init(&blake_state, outlen));-        TRY(blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes)));-        TRY(blake2b_update(&blake_state, in, inlen));-        TRY(blake2b_final(&blake_state, out, outlen));+        TRY(_cryptonite_blake2b_init(&blake_state, outlen));+        TRY(_cryptonite_blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes)));+        TRY(_cryptonite_blake2b_update(&blake_state, in, inlen));+        TRY(_cryptonite_blake2b_final(&blake_state, out, outlen));     } else {         uint32_t toproduce;         uint8_t out_buffer[BLAKE2B_OUTBYTES];         uint8_t in_buffer[BLAKE2B_OUTBYTES];-        TRY(blake2b_init(&blake_state, BLAKE2B_OUTBYTES));-        TRY(blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes)));-        TRY(blake2b_update(&blake_state, in, inlen));-        TRY(blake2b_final(&blake_state, out_buffer, BLAKE2B_OUTBYTES));+        TRY(_cryptonite_blake2b_init(&blake_state, BLAKE2B_OUTBYTES));+        TRY(_cryptonite_blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes)));+        TRY(_cryptonite_blake2b_update(&blake_state, in, inlen));+        TRY(_cryptonite_blake2b_final(&blake_state, out_buffer, BLAKE2B_OUTBYTES));         memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);         out += BLAKE2B_OUTBYTES / 2;         toproduce = (uint32_t)outlen - BLAKE2B_OUTBYTES / 2;          while (toproduce > BLAKE2B_OUTBYTES) {             memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);-            TRY(blake2b(out_buffer, BLAKE2B_OUTBYTES, in_buffer,+            TRY(_cryptonite_blake2b(out_buffer, BLAKE2B_OUTBYTES, in_buffer,                         BLAKE2B_OUTBYTES, NULL, 0));             memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2);             out += BLAKE2B_OUTBYTES / 2;@@ -109,7 +109,7 @@         }          memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES);-        TRY(blake2b(out_buffer, toproduce, in_buffer, BLAKE2B_OUTBYTES, NULL,+        TRY(_cryptonite_blake2b(out_buffer, toproduce, in_buffer, BLAKE2B_OUTBYTES, NULL,                     0));         memcpy(out, out_buffer, toproduce);     }@@ -149,7 +149,7 @@ }  /***************Memory functions*****************/-static +static int allocate_memory(const argon2_context *context, uint8_t **memory,                     size_t num, size_t size) {     size_t memory_size = num*size;@@ -175,7 +175,7 @@      return ARGON2_OK; }-static +static void free_memory(const argon2_context *context, uint8_t *memory,                  size_t num, size_t size) {     size_t memory_size = num*size;@@ -425,7 +425,7 @@ }  #endif /* ARGON2_NO_THREADS */-static +static int fill_memory_blocks(argon2_instance_t *instance) { 	if (instance == NULL || instance->lanes == 0) { 	    return ARGON2_INCORRECT_PARAMETER;@@ -437,7 +437,7 @@ 			fill_memory_blocks_st(instance) : fill_memory_blocks_mt(instance); #endif }-static +static int validate_inputs(const argon2_context *context) {     if (NULL == context) {         return ARGON2_INCORRECT_PARAMETER;@@ -564,7 +564,7 @@      return ARGON2_OK; }-static +static void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance) {     uint32_t l;     /* Make the first and second block in each lane as G(H0||i||0) or@@ -587,7 +587,7 @@     }     clear_internal_memory(blockhash_bytes, ARGON2_BLOCK_SIZE); }-static +static void initial_hash(uint8_t *blockhash, argon2_context *context,                   argon2_type type) {     blake2b_state BlakeHash;@@ -597,31 +597,31 @@         return;     } -    blake2b_init(&BlakeHash, ARGON2_PREHASH_DIGEST_LENGTH);+    _cryptonite_blake2b_init(&BlakeHash, ARGON2_PREHASH_DIGEST_LENGTH);      store32(&value, context->lanes);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      store32(&value, context->outlen);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      store32(&value, context->m_cost);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      store32(&value, context->t_cost);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      store32(&value, context->version);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      store32(&value, (uint32_t)type);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      store32(&value, context->pwdlen);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      if (context->pwd != NULL) {-        blake2b_update(&BlakeHash, (const uint8_t *)context->pwd,+        _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)context->pwd,                        context->pwdlen);          if (context->flags & ARGON2_FLAG_CLEAR_PASSWORD) {@@ -631,18 +631,18 @@     }      store32(&value, context->saltlen);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      if (context->salt != NULL) {-        blake2b_update(&BlakeHash, (const uint8_t *)context->salt,+        _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)context->salt,                        context->saltlen);     }      store32(&value, context->secretlen);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      if (context->secret != NULL) {-        blake2b_update(&BlakeHash, (const uint8_t *)context->secret,+        _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)context->secret,                        context->secretlen);          if (context->flags & ARGON2_FLAG_CLEAR_SECRET) {@@ -652,16 +652,16 @@     }      store32(&value, context->adlen);-    blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));+    _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value));      if (context->ad != NULL) {-        blake2b_update(&BlakeHash, (const uint8_t *)context->ad,+        _cryptonite_blake2b_update(&BlakeHash, (const uint8_t *)context->ad,                        context->adlen);     } -    blake2b_final(&BlakeHash, blockhash, ARGON2_PREHASH_DIGEST_LENGTH);+    _cryptonite_blake2b_final(&BlakeHash, blockhash, ARGON2_PREHASH_DIGEST_LENGTH); }-static +static int initialize(argon2_instance_t *instance, argon2_context *context) {     uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];     int result = ARGON2_OK;
cbits/blake2/ref/blake2-impl.h view
@@ -72,8 +72,8 @@   return w; #else   const uint8_t *p = ( const uint8_t * )src;-  return (( uint16_t )( p[0] ) <<  0) |-         (( uint16_t )( p[1] ) <<  8) ;+  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |+                      (( uint32_t )( p[1] ) <<  8)); #endif } 
cbits/blake2/ref/blake2.h view
@@ -142,51 +142,51 @@   };    /* Streaming API */-  int blake2s_init( blake2s_state *S, size_t outlen );-  int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2s_init_param( blake2s_state *S, const blake2s_param *P );-  int blake2s_update( blake2s_state *S, const void *in, size_t inlen );-  int blake2s_final( blake2s_state *S, void *out, size_t outlen );+  int _cryptonite_blake2s_init( blake2s_state *S, size_t outlen );+  int _cryptonite_blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2s_init_param( blake2s_state *S, const blake2s_param *P );+  int _cryptonite_blake2s_update( blake2s_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2s_final( blake2s_state *S, void *out, size_t outlen ); -  int blake2b_init( blake2b_state *S, size_t outlen );-  int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2b_init_param( blake2b_state *S, const blake2b_param *P );-  int blake2b_update( blake2b_state *S, const void *in, size_t inlen );-  int blake2b_final( blake2b_state *S, void *out, size_t outlen );+  int _cryptonite_blake2b_init( blake2b_state *S, size_t outlen );+  int _cryptonite_blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2b_init_param( blake2b_state *S, const blake2b_param *P );+  int _cryptonite_blake2b_update( blake2b_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2b_final( blake2b_state *S, void *out, size_t outlen ); -  int blake2sp_init( blake2sp_state *S, size_t outlen );-  int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );-  int blake2sp_final( blake2sp_state *S, void *out, size_t outlen );+  int _cryptonite_blake2sp_init( blake2sp_state *S, size_t outlen );+  int _cryptonite_blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2sp_final( blake2sp_state *S, void *out, size_t outlen ); -  int blake2bp_init( blake2bp_state *S, size_t outlen );-  int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );-  int blake2bp_final( blake2bp_state *S, void *out, size_t outlen );+  int _cryptonite_blake2bp_init( blake2bp_state *S, size_t outlen );+  int _cryptonite_blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2bp_final( blake2bp_state *S, void *out, size_t outlen );    /* Variable output length API */-  int blake2xs_init( blake2xs_state *S, const size_t outlen );-  int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );-  int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );-  int blake2xs_final(blake2xs_state *S, void *out, size_t outlen);+  int _cryptonite_blake2xs_init( blake2xs_state *S, const size_t outlen );+  int _cryptonite_blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2xs_final(blake2xs_state *S, void *out, size_t outlen); -  int blake2xb_init( blake2xb_state *S, const size_t outlen );-  int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );-  int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );-  int blake2xb_final(blake2xb_state *S, void *out, size_t outlen);+  int _cryptonite_blake2xb_init( blake2xb_state *S, const size_t outlen );+  int _cryptonite_blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2xb_final(blake2xb_state *S, void *out, size_t outlen);    /* Simple API */-  int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );-  int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); -  int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );-  int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); -  int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );-  int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );    /* This is simply an alias for blake2b */-  int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );  #if defined(__cplusplus) }
cbits/blake2/ref/blake2b-ref.c view
@@ -78,7 +78,7 @@ }  /* init xors IV with input parameter block */-int blake2b_init_param( blake2b_state *S, const blake2b_param *P )+int _cryptonite_blake2b_init_param( blake2b_state *S, const blake2b_param *P ) {   const uint8_t *p = ( const uint8_t * )( P );   size_t i;@@ -95,7 +95,7 @@   -int blake2b_init( blake2b_state *S, size_t outlen )+int _cryptonite_blake2b_init( blake2b_state *S, size_t outlen ) {   blake2b_param P[1]; @@ -113,11 +113,11 @@   memset( P->reserved, 0, sizeof( P->reserved ) );   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) );-  return blake2b_init_param( S, P );+  return _cryptonite_blake2b_init_param( S, P ); }  -int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ) {   blake2b_param P[1]; @@ -138,13 +138,13 @@   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) ); -  if( blake2b_init_param( S, P ) < 0 ) return -1;+  if( _cryptonite_blake2b_init_param( S, P ) < 0 ) return -1;    {     uint8_t block[BLAKE2B_BLOCKBYTES];     memset( block, 0, BLAKE2B_BLOCKBYTES );     memcpy( block, key, keylen );-    blake2b_update( S, block, BLAKE2B_BLOCKBYTES );+    _cryptonite_blake2b_update( S, block, BLAKE2B_BLOCKBYTES );     secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */   }   return 0;@@ -218,7 +218,7 @@ #undef G #undef ROUND -int blake2b_update( blake2b_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2b_update( blake2b_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   if( inlen > 0 )@@ -245,7 +245,7 @@   return 0; } -int blake2b_final( blake2b_state *S, void *out, size_t outlen )+int _cryptonite_blake2b_final( blake2b_state *S, void *out, size_t outlen ) {   uint8_t buffer[BLAKE2B_OUTBYTES] = {0};   size_t i;@@ -270,7 +270,7 @@ }  /* inlen, at least, should be uint64_t. Others can be size_t. */-int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   blake2b_state S[1]; @@ -287,26 +287,26 @@    if( keylen > 0 )   {-    if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;+    if( _cryptonite_blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;   }   else   {-    if( blake2b_init( S, outlen ) < 0 ) return -1;+    if( _cryptonite_blake2b_init( S, outlen ) < 0 ) return -1;   } -  blake2b_update( S, ( const uint8_t * )in, inlen );-  blake2b_final( S, out, outlen );+  _cryptonite_blake2b_update( S, ( const uint8_t * )in, inlen );+  _cryptonite_blake2b_final( S, out, outlen );   return 0; } -int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {-  return blake2b(out, outlen, in, inlen, key, keylen);+int _cryptonite_blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {+  return _cryptonite_blake2b(out, outlen, in, inlen, key, keylen); }  #if defined(SUPERCOP) int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen ) {-  return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 );+  return _cryptonite_blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 ); } #endif @@ -329,9 +329,9 @@   for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )   {     uint8_t hash[BLAKE2B_OUTBYTES];-    blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );+    _cryptonite_blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES ); -    if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )+    if( 0 != memcmp( hash, _cryptonite_blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )     {       goto fail;     }@@ -346,25 +346,25 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2b_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2b_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2b_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2b_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {         goto fail;       } -      if (0 != memcmp(hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) {+      if (0 != memcmp(hash, _cryptonite_blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) {         goto fail;       }     }
cbits/blake2/ref/blake2bp-ref.c view
@@ -36,7 +36,7 @@ */ static int blake2bp_init_leaf_param( blake2b_state *S, const blake2b_param *P ) {-  int err = blake2b_init_param(S, P);+  int err = _cryptonite_blake2b_init_param(S, P);   S->outlen = P->inner_length;   return err; }@@ -74,11 +74,11 @@   memset( P->reserved, 0, sizeof( P->reserved ) );   memset( P->salt, 0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) );-  return blake2b_init_param( S, P );+  return _cryptonite_blake2b_init_param( S, P ); }  -int blake2bp_init( blake2bp_state *S, size_t outlen )+int _cryptonite_blake2bp_init( blake2bp_state *S, size_t outlen ) {   size_t i; @@ -99,7 +99,7 @@   return 0; } -int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen ) {   size_t i; @@ -125,7 +125,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2b_update( S->S[i], block, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S->S[i], block, BLAKE2B_BLOCKBYTES );      secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */   }@@ -133,7 +133,7 @@ }  -int blake2bp_update( blake2bp_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2bp_update( blake2bp_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   size_t left = S->buflen;@@ -145,7 +145,7 @@     memcpy( S->buf + left, in, fill );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );      in += fill;     inlen -= fill;@@ -168,7 +168,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES )     {-      blake2b_update( S->S[i], in__, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S->S[i], in__, BLAKE2B_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;     }@@ -184,7 +184,7 @@   return 0; } -int blake2bp_final( blake2bp_state *S, void *out, size_t outlen )+int _cryptonite_blake2bp_final( blake2bp_state *S, void *out, size_t outlen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2B_OUTBYTES];   size_t i;@@ -201,19 +201,19 @@        if( left > BLAKE2B_BLOCKBYTES ) left = BLAKE2B_BLOCKBYTES; -      blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, left );+      _cryptonite_blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, left );     } -    blake2b_final( S->S[i], hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_final( S->S[i], hash[i], BLAKE2B_OUTBYTES );   }    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2b_update( S->R, hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_update( S->R, hash[i], BLAKE2B_OUTBYTES ); -  return blake2b_final( S->R, out, S->outlen );+  return _cryptonite_blake2b_final( S->R, out, S->outlen ); } -int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2B_OUTBYTES];   blake2b_state S[PARALLELISM_DEGREE][1];@@ -243,7 +243,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2b_update( S[i], block, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S[i], block, BLAKE2B_BLOCKBYTES );      secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */   }@@ -264,7 +264,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES )     {-      blake2b_update( S[i], in__, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S[i], in__, BLAKE2B_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;     }@@ -273,10 +273,10 @@     {       const size_t left = inlen__ - i * BLAKE2B_BLOCKBYTES;       const size_t len = left <= BLAKE2B_BLOCKBYTES ? left : BLAKE2B_BLOCKBYTES;-      blake2b_update( S[i], in__, len );+      _cryptonite_blake2b_update( S[i], in__, len );     } -    blake2b_final( S[i], hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_final( S[i], hash[i], BLAKE2B_OUTBYTES );   }    if( blake2bp_init_root( FS, outlen, keylen ) < 0 )@@ -285,9 +285,9 @@   FS->last_node = 1; /* Mark as last node */    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2b_update( FS, hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_update( FS, hash[i], BLAKE2B_OUTBYTES ); -  return blake2b_final( FS, out, outlen );;+  return _cryptonite_blake2b_final( FS, out, outlen );; }  #if defined(BLAKE2BP_SELFTEST)@@ -326,21 +326,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2bp_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2bp_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2bp_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2bp_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2bp_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2bp_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2bp_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2bp_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {         goto fail;       } 
cbits/blake2/ref/blake2s-ref.c view
@@ -73,7 +73,7 @@ }  /* init2 xors IV with input parameter block */-int blake2s_init_param( blake2s_state *S, const blake2s_param *P )+int _cryptonite_blake2s_init_param( blake2s_state *S, const blake2s_param *P ) {   const unsigned char *p = ( const unsigned char * )( P );   size_t i;@@ -90,7 +90,7 @@   /* Sequential blake2s initialization */-int blake2s_init( blake2s_state *S, size_t outlen )+int _cryptonite_blake2s_init( blake2s_state *S, size_t outlen ) {   blake2s_param P[1]; @@ -109,10 +109,10 @@   /* memset(P->reserved, 0, sizeof(P->reserved) ); */   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) );-  return blake2s_init_param( S, P );+  return _cryptonite_blake2s_init_param( S, P ); } -int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ) {   blake2s_param P[1]; @@ -133,13 +133,13 @@   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) ); -  if( blake2s_init_param( S, P ) < 0 ) return -1;+  if( _cryptonite_blake2s_init_param( S, P ) < 0 ) return -1;    {     uint8_t block[BLAKE2S_BLOCKBYTES];     memset( block, 0, BLAKE2S_BLOCKBYTES );     memcpy( block, key, keylen );-    blake2s_update( S, block, BLAKE2S_BLOCKBYTES );+    _cryptonite_blake2s_update( S, block, BLAKE2S_BLOCKBYTES );     secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */   }   return 0;@@ -211,7 +211,7 @@ #undef G #undef ROUND -int blake2s_update( blake2s_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2s_update( blake2s_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   if( inlen > 0 )@@ -238,7 +238,7 @@   return 0; } -int blake2s_final( blake2s_state *S, void *out, size_t outlen )+int _cryptonite_blake2s_final( blake2s_state *S, void *out, size_t outlen ) {   uint8_t buffer[BLAKE2S_OUTBYTES] = {0};   size_t i;@@ -262,7 +262,7 @@   return 0; } -int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   blake2s_state S[1]; @@ -279,22 +279,22 @@    if( keylen > 0 )   {-    if( blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;+    if( _cryptonite_blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;   }   else   {-    if( blake2s_init( S, outlen ) < 0 ) return -1;+    if( _cryptonite_blake2s_init( S, outlen ) < 0 ) return -1;   } -  blake2s_update( S, ( const uint8_t * )in, inlen );-  blake2s_final( S, out, outlen );+  _cryptonite_blake2s_update( S, ( const uint8_t * )in, inlen );+  _cryptonite_blake2s_final( S, out, outlen );   return 0; }  #if defined(SUPERCOP) int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen ) {-  return blake2s( out, BLAKE2S_OUTBYTES in, inlen, NULL, 0 );+  return _cryptonite_blake2s( out, BLAKE2S_OUTBYTES, in, inlen, NULL, 0 ); } #endif @@ -317,7 +317,7 @@   for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )   {     uint8_t hash[BLAKE2S_OUTBYTES];-    blake2s( hash, BLAKE2S_OUTBYTES, buf, i, key, BLAKE2S_KEYBYTES );+    _cryptonite_blake2s( hash, BLAKE2S_OUTBYTES, buf, i, key, BLAKE2S_KEYBYTES );      if( 0 != memcmp( hash, blake2s_keyed_kat[i], BLAKE2S_OUTBYTES ) )     {@@ -334,21 +334,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2s_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2s_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2s_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2s_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2s_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2s_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2s_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2s_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {         goto fail;       } 
cbits/blake2/ref/blake2sp-ref.c view
@@ -35,7 +35,7 @@ */ static int blake2sp_init_leaf_param( blake2s_state *S, const blake2s_param *P ) {-  int err = blake2s_init_param(S, P);+  int err = _cryptonite_blake2s_init_param(S, P);   S->outlen = P->inner_length;   return err; }@@ -71,11 +71,11 @@   P->inner_length = BLAKE2S_OUTBYTES;   memset( P->salt, 0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) );-  return blake2s_init_param( S, P );+  return _cryptonite_blake2s_init_param( S, P ); }  -int blake2sp_init( blake2sp_state *S, size_t outlen )+int _cryptonite_blake2sp_init( blake2sp_state *S, size_t outlen ) {   size_t i; @@ -96,7 +96,7 @@   return 0; } -int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen ) {   size_t i; @@ -122,7 +122,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2s_update( S->S[i], block, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S->S[i], block, BLAKE2S_BLOCKBYTES );      secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */   }@@ -130,7 +130,7 @@ }  -int blake2sp_update( blake2sp_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2sp_update( blake2sp_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   size_t left = S->buflen;@@ -142,7 +142,7 @@     memcpy( S->buf + left, in, fill );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );      in += fill;     inlen -= fill;@@ -164,7 +164,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES )     {-      blake2s_update( S->S[i], in__, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S->S[i], in__, BLAKE2S_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;     }@@ -181,7 +181,7 @@ }  -int blake2sp_final( blake2sp_state *S, void *out, size_t outlen )+int _cryptonite_blake2sp_final( blake2sp_state *S, void *out, size_t outlen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2S_OUTBYTES];   size_t i;@@ -198,20 +198,20 @@        if( left > BLAKE2S_BLOCKBYTES ) left = BLAKE2S_BLOCKBYTES; -      blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, left );+      _cryptonite_blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, left );     } -    blake2s_final( S->S[i], hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_final( S->S[i], hash[i], BLAKE2S_OUTBYTES );   }    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2s_update( S->R, hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_update( S->R, hash[i], BLAKE2S_OUTBYTES ); -  return blake2s_final( S->R, out, S->outlen );+  return _cryptonite_blake2s_final( S->R, out, S->outlen ); }  -int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2S_OUTBYTES];   blake2s_state S[PARALLELISM_DEGREE][1];@@ -241,7 +241,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2s_update( S[i], block, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S[i], block, BLAKE2S_BLOCKBYTES );      secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */   }@@ -262,7 +262,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES )     {-      blake2s_update( S[i], in__, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S[i], in__, BLAKE2S_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;     }@@ -271,10 +271,10 @@     {       const size_t left = inlen__ - i * BLAKE2S_BLOCKBYTES;       const size_t len = left <= BLAKE2S_BLOCKBYTES ? left : BLAKE2S_BLOCKBYTES;-      blake2s_update( S[i], in__, len );+      _cryptonite_blake2s_update( S[i], in__, len );     } -    blake2s_final( S[i], hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_final( S[i], hash[i], BLAKE2S_OUTBYTES );   }    if( blake2sp_init_root( FS, outlen, keylen ) < 0 )@@ -283,9 +283,9 @@   FS->last_node = 1;    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2s_update( FS, hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_update( FS, hash[i], BLAKE2S_OUTBYTES ); -  return blake2s_final( FS, out, outlen );+  return _cryptonite_blake2s_final( FS, out, outlen ); }  @@ -309,7 +309,7 @@   for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )   {     uint8_t hash[BLAKE2S_OUTBYTES];-    blake2sp( hash, BLAKE2S_OUTBYTES, buf, i, key, BLAKE2S_KEYBYTES );+    _cryptonite_blake2sp( hash, BLAKE2S_OUTBYTES, buf, i, key, BLAKE2S_KEYBYTES );      if( 0 != memcmp( hash, blake2sp_keyed_kat[i], BLAKE2S_OUTBYTES ) )     {@@ -326,21 +326,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2sp_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2sp_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2sp_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2sp_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2sp_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2sp_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2sp_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2sp_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {         goto fail;       } 
cbits/blake2/sse/blake2-impl.h view
@@ -72,8 +72,8 @@   return w; #else   const uint8_t *p = ( const uint8_t * )src;-  return (( uint16_t )( p[0] ) <<  0) |-         (( uint16_t )( p[1] ) <<  8) ;+  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |+                      (( uint32_t )( p[1] ) <<  8)); #endif } 
cbits/blake2/sse/blake2.h view
@@ -142,51 +142,51 @@   };    /* Streaming API */-  int blake2s_init( blake2s_state *S, size_t outlen );-  int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2s_init_param( blake2s_state *S, const blake2s_param *P );-  int blake2s_update( blake2s_state *S, const void *in, size_t inlen );-  int blake2s_final( blake2s_state *S, void *out, size_t outlen );+  int _cryptonite_blake2s_init( blake2s_state *S, size_t outlen );+  int _cryptonite_blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2s_init_param( blake2s_state *S, const blake2s_param *P );+  int _cryptonite_blake2s_update( blake2s_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2s_final( blake2s_state *S, void *out, size_t outlen ); -  int blake2b_init( blake2b_state *S, size_t outlen );-  int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2b_init_param( blake2b_state *S, const blake2b_param *P );-  int blake2b_update( blake2b_state *S, const void *in, size_t inlen );-  int blake2b_final( blake2b_state *S, void *out, size_t outlen );+  int _cryptonite_blake2b_init( blake2b_state *S, size_t outlen );+  int _cryptonite_blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2b_init_param( blake2b_state *S, const blake2b_param *P );+  int _cryptonite_blake2b_update( blake2b_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2b_final( blake2b_state *S, void *out, size_t outlen ); -  int blake2sp_init( blake2sp_state *S, size_t outlen );-  int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );-  int blake2sp_final( blake2sp_state *S, void *out, size_t outlen );+  int _cryptonite_blake2sp_init( blake2sp_state *S, size_t outlen );+  int _cryptonite_blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2sp_final( blake2sp_state *S, void *out, size_t outlen ); -  int blake2bp_init( blake2bp_state *S, size_t outlen );-  int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );-  int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );-  int blake2bp_final( blake2bp_state *S, void *out, size_t outlen );+  int _cryptonite_blake2bp_init( blake2bp_state *S, size_t outlen );+  int _cryptonite_blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2bp_final( blake2bp_state *S, void *out, size_t outlen );    /* Variable output length API */-  int blake2xs_init( blake2xs_state *S, const size_t outlen );-  int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );-  int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );-  int blake2xs_final(blake2xs_state *S, void *out, size_t outlen);+  int _cryptonite_blake2xs_init( blake2xs_state *S, const size_t outlen );+  int _cryptonite_blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2xs_final(blake2xs_state *S, void *out, size_t outlen); -  int blake2xb_init( blake2xb_state *S, const size_t outlen );-  int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );-  int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );-  int blake2xb_final(blake2xb_state *S, void *out, size_t outlen);+  int _cryptonite_blake2xb_init( blake2xb_state *S, const size_t outlen );+  int _cryptonite_blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );+  int _cryptonite_blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );+  int _cryptonite_blake2xb_final(blake2xb_state *S, void *out, size_t outlen);    /* Simple API */-  int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );-  int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); -  int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );-  int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); -  int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );-  int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );    /* This is simply an alias for blake2b */-  int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );+  int _cryptonite_blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );  #if defined(__cplusplus) }
cbits/blake2/sse/blake2b.c view
@@ -74,7 +74,7 @@ }  /* init xors IV with input parameter block */-int blake2b_init_param( blake2b_state *S, const blake2b_param *P )+int _cryptonite_blake2b_init_param( blake2b_state *S, const blake2b_param *P ) {   size_t i;   /*blake2b_init0( S ); */@@ -92,7 +92,7 @@   /* Some sort of default parameter block initialization, for sequential blake2b */-int blake2b_init( blake2b_state *S, size_t outlen )+int _cryptonite_blake2b_init( blake2b_state *S, size_t outlen ) {   blake2b_param P[1]; @@ -111,10 +111,10 @@   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) ); -  return blake2b_init_param( S, P );+  return _cryptonite_blake2b_init_param( S, P ); } -int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ) {   blake2b_param P[1]; @@ -135,14 +135,14 @@   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) ); -  if( blake2b_init_param( S, P ) < 0 )+  if( _cryptonite_blake2b_init_param( S, P ) < 0 )     return 0;    {     uint8_t block[BLAKE2B_BLOCKBYTES];     memset( block, 0, BLAKE2B_BLOCKBYTES );     memcpy( block, key, keylen );-    blake2b_update( S, block, BLAKE2B_BLOCKBYTES );+    _cryptonite_blake2b_update( S, block, BLAKE2B_BLOCKBYTES );     secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */   }   return 0;@@ -218,7 +218,7 @@ }  -int blake2b_update( blake2b_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2b_update( blake2b_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   if( inlen > 0 )@@ -246,7 +246,7 @@ }  -int blake2b_final( blake2b_state *S, void *out, size_t outlen )+int _cryptonite_blake2b_final( blake2b_state *S, void *out, size_t outlen ) {   if( out == NULL || outlen < S->outlen )     return -1;@@ -264,7 +264,7 @@ }  -int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   blake2b_state S[1]; @@ -281,26 +281,26 @@    if( keylen )   {-    if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;+    if( _cryptonite_blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;   }   else   {-    if( blake2b_init( S, outlen ) < 0 ) return -1;+    if( _cryptonite_blake2b_init( S, outlen ) < 0 ) return -1;   } -  blake2b_update( S, ( const uint8_t * )in, inlen );-  blake2b_final( S, out, outlen );+  _cryptonite_blake2b_update( S, ( const uint8_t * )in, inlen );+  _cryptonite_blake2b_final( S, out, outlen );   return 0; } -int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {-  return blake2b(out, outlen, in, inlen, key, keylen);+int _cryptonite_blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {+  return _cryptonite_blake2b(out, outlen, in, inlen, key, keylen); }  #if defined(SUPERCOP) int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen ) {-  return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 );+  return _cryptonite_blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 ); } #endif @@ -340,21 +340,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2b_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2b_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2b_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2b_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {         goto fail;       } 
cbits/blake2/sse/blake2bp.c view
@@ -36,7 +36,7 @@ */ static int blake2bp_init_leaf_param( blake2b_state *S, const blake2b_param *P ) {-  int err = blake2b_init_param(S, P);+  int err = _cryptonite_blake2b_init_param(S, P);   S->outlen = P->inner_length;   return err; }@@ -74,11 +74,11 @@   memset( P->reserved, 0, sizeof( P->reserved ) );   memset( P->salt, 0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) );-  return blake2b_init_param( S, P );+  return _cryptonite_blake2b_init_param( S, P ); }  -int blake2bp_init( blake2bp_state *S, size_t outlen )+int _cryptonite_blake2bp_init( blake2bp_state *S, size_t outlen ) {   size_t i;   if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1;@@ -98,7 +98,7 @@   return 0; } -int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen ) {   size_t i; @@ -124,7 +124,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2b_update( S->S[i], block, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S->S[i], block, BLAKE2B_BLOCKBYTES );      secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */   }@@ -132,7 +132,7 @@ }  -int blake2bp_update( blake2bp_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2bp_update( blake2bp_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   size_t left = S->buflen;@@ -144,7 +144,7 @@     memcpy( S->buf + left, in, fill );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES );      in += fill;     inlen -= fill;@@ -167,7 +167,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES )     {-      blake2b_update( S->S[i], in__, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S->S[i], in__, BLAKE2B_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;     }@@ -185,7 +185,7 @@   -int blake2bp_final( blake2bp_state *S, void *out, size_t outlen )+int _cryptonite_blake2bp_final( blake2bp_state *S, void *out, size_t outlen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2B_OUTBYTES];   size_t i;@@ -202,19 +202,19 @@        if( left > BLAKE2B_BLOCKBYTES ) left = BLAKE2B_BLOCKBYTES; -      blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, left );+      _cryptonite_blake2b_update( S->S[i], S->buf + i * BLAKE2B_BLOCKBYTES, left );     } -    blake2b_final( S->S[i], hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_final( S->S[i], hash[i], BLAKE2B_OUTBYTES );   }    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2b_update( S->R, hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_update( S->R, hash[i], BLAKE2B_OUTBYTES ); -  return blake2b_final( S->R, out, S->outlen );+  return _cryptonite_blake2b_final( S->R, out, S->outlen ); } -int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2B_OUTBYTES];   blake2b_state S[PARALLELISM_DEGREE][1];@@ -244,7 +244,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2b_update( S[i], block, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S[i], block, BLAKE2B_BLOCKBYTES );      secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */   }@@ -265,7 +265,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES )     {-      blake2b_update( S[i], in__, BLAKE2B_BLOCKBYTES );+      _cryptonite_blake2b_update( S[i], in__, BLAKE2B_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2B_BLOCKBYTES;     }@@ -274,10 +274,10 @@     {       const size_t left = inlen__ - i * BLAKE2B_BLOCKBYTES;       const size_t len = left <= BLAKE2B_BLOCKBYTES ? left : BLAKE2B_BLOCKBYTES;-      blake2b_update( S[i], in__, len );+      _cryptonite_blake2b_update( S[i], in__, len );     } -    blake2b_final( S[i], hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_final( S[i], hash[i], BLAKE2B_OUTBYTES );   }    if( blake2bp_init_root( FS, outlen, keylen ) < 0 )@@ -286,9 +286,9 @@   FS->last_node = 1; /* Mark as last node */    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2b_update( FS, hash[i], BLAKE2B_OUTBYTES );+    _cryptonite_blake2b_update( FS, hash[i], BLAKE2B_OUTBYTES ); -  return blake2b_final( FS, out, outlen );+  return _cryptonite_blake2b_final( FS, out, outlen ); }  @@ -311,7 +311,7 @@   for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )   {     uint8_t hash[BLAKE2B_OUTBYTES];-    blake2bp( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );+    _cryptonite_blake2bp( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );      if( 0 != memcmp( hash, blake2bp_keyed_kat[i], BLAKE2B_OUTBYTES ) )     {@@ -328,21 +328,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2bp_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2bp_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2bp_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2bp_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2bp_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2bp_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2bp_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2bp_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {         goto fail;       } 
cbits/blake2/sse/blake2s.c view
@@ -72,7 +72,7 @@ }  /* init2 xors IV with input parameter block */-int blake2s_init_param( blake2s_state *S, const blake2s_param *P )+int _cryptonite_blake2s_init_param( blake2s_state *S, const blake2s_param *P ) {   size_t i;   /*blake2s_init0( S ); */@@ -90,7 +90,7 @@   /* Some sort of default parameter block initialization, for sequential blake2s */-int blake2s_init( blake2s_state *S, size_t outlen )+int _cryptonite_blake2s_init( blake2s_state *S, size_t outlen ) {   blake2s_param P[1]; @@ -110,11 +110,11 @@   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) ); -  return blake2s_init_param( S, P );+  return _cryptonite_blake2s_init_param( S, P ); }  -int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ) {   blake2s_param P[1]; @@ -136,14 +136,14 @@   memset( P->salt,     0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) ); -  if( blake2s_init_param( S, P ) < 0 )+  if( _cryptonite_blake2s_init_param( S, P ) < 0 )     return -1;    {     uint8_t block[BLAKE2S_BLOCKBYTES];     memset( block, 0, BLAKE2S_BLOCKBYTES );     memcpy( block, key, keylen );-    blake2s_update( S, block, BLAKE2S_BLOCKBYTES );+    _cryptonite_blake2s_update( S, block, BLAKE2S_BLOCKBYTES );     secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */   }   return 0;@@ -206,7 +206,7 @@   STOREU( &S->h[4], _mm_xor_si128( ff1, _mm_xor_si128( row2, row4 ) ) ); } -int blake2s_update( blake2s_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2s_update( blake2s_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   if( inlen > 0 )@@ -233,7 +233,7 @@   return 0; } -int blake2s_final( blake2s_state *S, void *out, size_t outlen )+int _cryptonite_blake2s_final( blake2s_state *S, void *out, size_t outlen ) {   uint8_t buffer[BLAKE2S_OUTBYTES] = {0};   size_t i;@@ -275,15 +275,15 @@    if( keylen > 0 )   {-    if( blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;+    if( _cryptonite_blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;   }   else   {-    if( blake2s_init( S, outlen ) < 0 ) return -1;+    if( _cryptonite_blake2s_init( S, outlen ) < 0 ) return -1;   } -  blake2s_update( S, ( const uint8_t * )in, inlen );-  blake2s_final( S, out, outlen );+  _cryptonite_blake2s_update( S, ( const uint8_t * )in, inlen );+  _cryptonite_blake2s_final( S, out, outlen );   return 0; } @@ -330,21 +330,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2s_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2s_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2s_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2s_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2s_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2s_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2s_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2s_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {         goto fail;       } 
cbits/blake2/sse/blake2sp.c view
@@ -35,7 +35,7 @@ */ static int blake2sp_init_leaf_param( blake2s_state *S, const blake2s_param *P ) {-  int err = blake2s_init_param(S, P);+  int err = _cryptonite_blake2s_init_param(S, P);   S->outlen = P->inner_length;   return err; }@@ -71,11 +71,11 @@   P->inner_length = BLAKE2S_OUTBYTES;   memset( P->salt, 0, sizeof( P->salt ) );   memset( P->personal, 0, sizeof( P->personal ) );-  return blake2s_init_param( S, P );+  return _cryptonite_blake2s_init_param( S, P ); }  -int blake2sp_init( blake2sp_state *S, size_t outlen )+int _cryptonite_blake2sp_init( blake2sp_state *S, size_t outlen ) {   size_t i; @@ -96,7 +96,7 @@   return 0; } -int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen )+int _cryptonite_blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen ) {   size_t i; @@ -122,7 +122,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2s_update( S->S[i], block, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S->S[i], block, BLAKE2S_BLOCKBYTES );      secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */   }@@ -130,7 +130,7 @@ }  -int blake2sp_update( blake2sp_state *S, const void *pin, size_t inlen )+int _cryptonite_blake2sp_update( blake2sp_state *S, const void *pin, size_t inlen ) {   const unsigned char * in = (const unsigned char *)pin;   size_t left = S->buflen;@@ -142,7 +142,7 @@     memcpy( S->buf + left, in, fill );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES );      in += fill;     inlen -= fill;@@ -165,7 +165,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES )     {-      blake2s_update( S->S[i], in__, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S->S[i], in__, BLAKE2S_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;     }@@ -182,7 +182,7 @@ }  -int blake2sp_final( blake2sp_state *S, void *out, size_t outlen )+int _cryptonite_blake2sp_final( blake2sp_state *S, void *out, size_t outlen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2S_OUTBYTES];   size_t i;@@ -199,20 +199,20 @@        if( left > BLAKE2S_BLOCKBYTES ) left = BLAKE2S_BLOCKBYTES; -      blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, left );+      _cryptonite_blake2s_update( S->S[i], S->buf + i * BLAKE2S_BLOCKBYTES, left );     } -    blake2s_final( S->S[i], hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_final( S->S[i], hash[i], BLAKE2S_OUTBYTES );   }    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2s_update( S->R, hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_update( S->R, hash[i], BLAKE2S_OUTBYTES ); -  return blake2s_final( S->R, out, S->outlen );+  return _cryptonite_blake2s_final( S->R, out, S->outlen ); }  -int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )+int _cryptonite_blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {   uint8_t hash[PARALLELISM_DEGREE][BLAKE2S_OUTBYTES];   blake2s_state S[PARALLELISM_DEGREE][1];@@ -242,7 +242,7 @@     memcpy( block, key, keylen );      for( i = 0; i < PARALLELISM_DEGREE; ++i )-      blake2s_update( S[i], block, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S[i], block, BLAKE2S_BLOCKBYTES );      secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */   }@@ -263,7 +263,7 @@      while( inlen__ >= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES )     {-      blake2s_update( S[i], in__, BLAKE2S_BLOCKBYTES );+      _cryptonite_blake2s_update( S[i], in__, BLAKE2S_BLOCKBYTES );       in__ += PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;       inlen__ -= PARALLELISM_DEGREE * BLAKE2S_BLOCKBYTES;     }@@ -272,10 +272,10 @@     {       const size_t left = inlen__ - i * BLAKE2S_BLOCKBYTES;       const size_t len = left <= BLAKE2S_BLOCKBYTES ? left : BLAKE2S_BLOCKBYTES;-      blake2s_update( S[i], in__, len );+      _cryptonite_blake2s_update( S[i], in__, len );     } -    blake2s_final( S[i], hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_final( S[i], hash[i], BLAKE2S_OUTBYTES );   }    if( blake2sp_init_root( FS, outlen, keylen ) < 0 )@@ -284,9 +284,9 @@   FS->last_node = 1;    for( i = 0; i < PARALLELISM_DEGREE; ++i )-    blake2s_update( FS, hash[i], BLAKE2S_OUTBYTES );+    _cryptonite_blake2s_update( FS, hash[i], BLAKE2S_OUTBYTES ); -  return blake2s_final( FS, out, outlen );+  return _cryptonite_blake2s_final( FS, out, outlen ); }  #if defined(BLAKE2SP_SELFTEST)@@ -308,7 +308,7 @@   for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )   {     uint8_t hash[BLAKE2S_OUTBYTES];-    blake2sp( hash, BLAKE2S_OUTBYTES, buf, i, key, BLAKE2S_KEYBYTES );+    _cryptonite_blake2sp( hash, BLAKE2S_OUTBYTES, buf, i, key, BLAKE2S_KEYBYTES );      if( 0 != memcmp( hash, blake2sp_keyed_kat[i], BLAKE2S_OUTBYTES ) )     {@@ -325,21 +325,21 @@       size_t mlen = i;       int err = 0; -      if( (err = blake2sp_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {+      if( (err = _cryptonite_blake2sp_init_key(&S, BLAKE2S_OUTBYTES, key, BLAKE2S_KEYBYTES)) < 0 ) {         goto fail;       }        while (mlen >= step) {-        if ( (err = blake2sp_update(&S, p, step)) < 0 ) {+        if ( (err = _cryptonite_blake2sp_update(&S, p, step)) < 0 ) {           goto fail;         }         mlen -= step;         p += step;       }-      if ( (err = blake2sp_update(&S, p, mlen)) < 0) {+      if ( (err = _cryptonite_blake2sp_update(&S, p, mlen)) < 0) {         goto fail;       }-      if ( (err = blake2sp_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {+      if ( (err = _cryptonite_blake2sp_final(&S, hash, BLAKE2S_OUTBYTES)) < 0) {         goto fail;       } 
cbits/cryptonite_aes.c view
@@ -44,6 +44,7 @@ void cryptonite_aes_generic_encrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks); void cryptonite_aes_generic_decrypt_cbc(aes_block *output, aes_key *key, aes_block *iv, aes_block *input, uint32_t nb_blocks); void cryptonite_aes_generic_encrypt_ctr(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length);+void cryptonite_aes_generic_encrypt_c32(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t length); void cryptonite_aes_generic_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,                              uint32_t spoint, aes_block *input, uint32_t nb_blocks); void cryptonite_aes_generic_decrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,@@ -52,6 +53,8 @@ void cryptonite_aes_generic_gcm_decrypt(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length); void cryptonite_aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length); void cryptonite_aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);+void cryptonite_aes_generic_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);+void cryptonite_aes_generic_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);  enum { 	/* init */@@ -67,6 +70,8 @@ 	DECRYPT_CBC_128, DECRYPT_CBC_192, DECRYPT_CBC_256, 	/* ctr */ 	ENCRYPT_CTR_128, ENCRYPT_CTR_192, ENCRYPT_CTR_256,+	/* ctr with 32-bit wrapping */+	ENCRYPT_C32_128, ENCRYPT_C32_192, ENCRYPT_C32_256, 	/* xts */ 	ENCRYPT_XTS_128, ENCRYPT_XTS_192, ENCRYPT_XTS_256, 	DECRYPT_XTS_128, DECRYPT_XTS_192, DECRYPT_XTS_256,@@ -76,6 +81,11 @@ 	/* ocb */ 	ENCRYPT_OCB_128, ENCRYPT_OCB_192, ENCRYPT_OCB_256, 	DECRYPT_OCB_128, DECRYPT_OCB_192, DECRYPT_OCB_256,+	/* ccm */+	ENCRYPT_CCM_128, ENCRYPT_CCM_192, ENCRYPT_CCM_256,+	DECRYPT_CCM_128, DECRYPT_CCM_192, DECRYPT_CCM_256,+	/* ghash */+	GHASH_HINIT, GHASH_GF_MUL, };  void *cryptonite_aes_branch_table[] = {@@ -108,6 +118,10 @@ 	[ENCRYPT_CTR_128]   = cryptonite_aes_generic_encrypt_ctr, 	[ENCRYPT_CTR_192]   = cryptonite_aes_generic_encrypt_ctr, 	[ENCRYPT_CTR_256]   = cryptonite_aes_generic_encrypt_ctr,+	/* CTR with 32-bit wrapping */+	[ENCRYPT_C32_128]   = cryptonite_aes_generic_encrypt_c32,+	[ENCRYPT_C32_192]   = cryptonite_aes_generic_encrypt_c32,+	[ENCRYPT_C32_256]   = cryptonite_aes_generic_encrypt_c32, 	/* XTS */ 	[ENCRYPT_XTS_128]   = cryptonite_aes_generic_encrypt_xts, 	[ENCRYPT_XTS_192]   = cryptonite_aes_generic_encrypt_xts,@@ -129,6 +143,16 @@ 	[DECRYPT_OCB_128]   = cryptonite_aes_generic_ocb_decrypt, 	[DECRYPT_OCB_192]   = cryptonite_aes_generic_ocb_decrypt, 	[DECRYPT_OCB_256]   = cryptonite_aes_generic_ocb_decrypt,+	/* CCM */+	[ENCRYPT_CCM_128]   = cryptonite_aes_generic_ccm_encrypt,+	[ENCRYPT_CCM_192]   = cryptonite_aes_generic_ccm_encrypt,+	[ENCRYPT_CCM_256]   = cryptonite_aes_generic_ccm_encrypt,+	[DECRYPT_CCM_128]   = cryptonite_aes_generic_ccm_decrypt,+	[DECRYPT_CCM_192]   = cryptonite_aes_generic_ccm_decrypt,+	[DECRYPT_CCM_256]   = cryptonite_aes_generic_ccm_decrypt,+	/* GHASH */+	[GHASH_HINIT]       = cryptonite_aes_generic_hinit,+	[GHASH_GF_MUL]      = cryptonite_aes_generic_gf_mul, };  typedef void (*init_f)(aes_key *, uint8_t *, uint8_t);@@ -138,7 +162,10 @@ typedef void (*xts_f)(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit, uint32_t spoint, aes_block *input, uint32_t nb_blocks); typedef void (*gcm_crypt_f)(uint8_t *output, aes_gcm *gcm, aes_key *key, uint8_t *input, uint32_t length); typedef void (*ocb_crypt_f)(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length);+typedef void (*ccm_crypt_f)(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length); typedef void (*block_f)(aes_block *output, aes_key *key, aes_block *input);+typedef void (*hinit_f)(table_4bit htable, const block128 *h);+typedef void (*gf_mul_f)(block128 *a, const table_4bit htable);  #ifdef WITH_AESNI #define GET_INIT(strength) \@@ -153,6 +180,8 @@ 	((cbc_f) (cryptonite_aes_branch_table[DECRYPT_CBC_128 + strength])) #define GET_CTR_ENCRYPT(strength) \ 	((ctr_f) (cryptonite_aes_branch_table[ENCRYPT_CTR_128 + strength]))+#define GET_C32_ENCRYPT(strength) \+	((ctr_f) (cryptonite_aes_branch_table[ENCRYPT_C32_128 + strength])) #define GET_XTS_ENCRYPT(strength) \ 	((xts_f) (cryptonite_aes_branch_table[ENCRYPT_XTS_128 + strength])) #define GET_XTS_DECRYPT(strength) \@@ -165,10 +194,18 @@ 	((ocb_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_OCB_128 + strength])) #define GET_OCB_DECRYPT(strength) \ 	((ocb_crypt_f) (cryptonite_aes_branch_table[DECRYPT_OCB_128 + strength]))+#define GET_CCM_ENCRYPT(strength) \+	((ccm_crypt_f) (cryptonite_aes_branch_table[ENCRYPT_CCM_128 + strength]))+#define GET_CCM_DECRYPT(strength) \+	((ccm_crypt_f) (cryptonite_aes_branch_table[DECRYPT_CCM_128 + strength])) #define cryptonite_aes_encrypt_block(o,k,i) \ 	(((block_f) (cryptonite_aes_branch_table[ENCRYPT_BLOCK_128 + k->strength]))(o,k,i)) #define cryptonite_aes_decrypt_block(o,k,i) \ 	(((block_f) (cryptonite_aes_branch_table[DECRYPT_BLOCK_128 + k->strength]))(o,k,i))+#define cryptonite_hinit(t,h) \+	(((hinit_f) (cryptonite_aes_branch_table[GHASH_HINIT]))(t,h))+#define cryptonite_gf_mul(a,t) \+	(((gf_mul_f) (cryptonite_aes_branch_table[GHASH_GF_MUL]))(a,t)) #else #define GET_INIT(strenght) cryptonite_aes_generic_init #define GET_ECB_ENCRYPT(strength) cryptonite_aes_generic_encrypt_ecb@@ -176,21 +213,34 @@ #define GET_CBC_ENCRYPT(strength) cryptonite_aes_generic_encrypt_cbc #define GET_CBC_DECRYPT(strength) cryptonite_aes_generic_decrypt_cbc #define GET_CTR_ENCRYPT(strength) cryptonite_aes_generic_encrypt_ctr+#define GET_C32_ENCRYPT(strength) cryptonite_aes_generic_encrypt_c32 #define GET_XTS_ENCRYPT(strength) cryptonite_aes_generic_encrypt_xts #define GET_XTS_DECRYPT(strength) cryptonite_aes_generic_decrypt_xts #define GET_GCM_ENCRYPT(strength) cryptonite_aes_generic_gcm_encrypt #define GET_GCM_DECRYPT(strength) cryptonite_aes_generic_gcm_decrypt #define GET_OCB_ENCRYPT(strength) cryptonite_aes_generic_ocb_encrypt #define GET_OCB_DECRYPT(strength) cryptonite_aes_generic_ocb_decrypt+#define GET_CCM_ENCRYPT(strength) cryptonite_aes_generic_ccm_encrypt+#define GET_CCM_DECRYPT(strength) cryptonite_aes_generic_ccm_decrypt #define cryptonite_aes_encrypt_block(o,k,i) cryptonite_aes_generic_encrypt_block(o,k,i) #define cryptonite_aes_decrypt_block(o,k,i) cryptonite_aes_generic_decrypt_block(o,k,i)+#define cryptonite_hinit(t,h) cryptonite_aes_generic_hinit(t,h)+#define cryptonite_gf_mul(a,t) cryptonite_aes_generic_gf_mul(a,t) #endif +#define CPU_AESNI        0+#define CPU_PCLMUL       1+#define CPU_OPTION_COUNT 2++static uint8_t cryptonite_aes_cpu_options[CPU_OPTION_COUNT] = {};+ #if defined(ARCH_X86) && defined(WITH_AESNI) static void initialize_table_ni(int aesni, int pclmul) { 	if (!aesni) 		return;+	cryptonite_aes_cpu_options[CPU_AESNI] = 1;+ 	cryptonite_aes_branch_table[INIT_128] = cryptonite_aesni_init; 	cryptonite_aes_branch_table[INIT_256] = cryptonite_aesni_init; @@ -211,6 +261,9 @@ 	/* CTR */ 	cryptonite_aes_branch_table[ENCRYPT_CTR_128] = cryptonite_aesni_encrypt_ctr128; 	cryptonite_aes_branch_table[ENCRYPT_CTR_256] = cryptonite_aesni_encrypt_ctr256;+	/* CTR with 32-bit wrapping */+	cryptonite_aes_branch_table[ENCRYPT_C32_128] = cryptonite_aesni_encrypt_c32_128;+	cryptonite_aes_branch_table[ENCRYPT_C32_256] = cryptonite_aesni_encrypt_c32_256; 	/* XTS */ 	cryptonite_aes_branch_table[ENCRYPT_XTS_128] = cryptonite_aesni_encrypt_xts128; 	cryptonite_aes_branch_table[ENCRYPT_XTS_256] = cryptonite_aesni_encrypt_xts256;@@ -222,9 +275,27 @@ 	cryptonite_aes_branch_table[ENCRYPT_OCB_128] = cryptonite_aesni_ocb_encrypt128; 	cryptonite_aes_branch_table[ENCRYPT_OCB_256] = cryptonite_aesni_ocb_encrypt256; 	*/+#ifdef WITH_PCLMUL+	if (!pclmul)+		return;+	cryptonite_aes_cpu_options[CPU_PCLMUL] = 1;++	/* GHASH */+	cryptonite_aes_branch_table[GHASH_HINIT]     = cryptonite_aesni_hinit_pclmul,+	cryptonite_aes_branch_table[GHASH_GF_MUL]    = cryptonite_aesni_gf_mul_pclmul,+	cryptonite_aesni_init_pclmul();+#endif } #endif +uint8_t *cryptonite_aes_cpu_init(void)+{+#if defined(ARCH_X86) && defined(WITH_AESNI)+	cryptonite_aesni_initialize_hw(initialize_table_ni);+#endif+	return cryptonite_aes_cpu_options;+}+ void cryptonite_aes_initkey(aes_key *key, uint8_t *origkey, uint8_t size) { 	switch (size) {@@ -232,9 +303,7 @@ 	case 24: key->nbr = 12; key->strength = 1; break; 	case 32: key->nbr = 14; key->strength = 2; break; 	}-#if defined(ARCH_X86) && defined(WITH_AESNI)-	cryptonite_aesni_initialize_hw(initialize_table_ni);-#endif+	cryptonite_aes_cpu_init(); 	init_f _init = GET_INIT(key->strength); 	_init(key, origkey, size); }@@ -296,6 +365,12 @@ 	e(output, key, iv, input, len); } +void cryptonite_aes_encrypt_c32(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)+{+	ctr_f e = GET_C32_ENCRYPT(key->strength);+	e(output, key, iv, input, len);+}+ void cryptonite_aes_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,                      uint32_t spoint, aes_block *input, uint32_t nb_blocks) {@@ -321,6 +396,18 @@ 	d(output, gcm, key, input, length); } +void cryptonite_aes_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)+{+	ccm_crypt_f e = GET_CCM_ENCRYPT(key->strength);+	e(output, ccm, key, input, length);+}++void cryptonite_aes_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)+{+	ccm_crypt_f d = GET_CCM_DECRYPT(key->strength);+	d(output, ccm, key, input, length);+}+ void cryptonite_aes_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length) { 	ocb_crypt_f e = GET_OCB_ENCRYPT(key->strength);@@ -336,20 +423,22 @@ static void gcm_ghash_add(aes_gcm *gcm, block128 *b) { 	block128_xor(&gcm->tag, b);-	cryptonite_gf_mul(&gcm->tag, &gcm->h);+	cryptonite_gf_mul(&gcm->tag, gcm->htable); }  void cryptonite_aes_gcm_init(aes_gcm *gcm, aes_key *key, uint8_t *iv, uint32_t len) {+	block128 h; 	gcm->length_aad = 0; 	gcm->length_input = 0; -	block128_zero(&gcm->h);+	block128_zero(&h); 	block128_zero(&gcm->tag); 	block128_zero(&gcm->iv);  	/* prepare H : encrypt_K(0^128) */-	cryptonite_aes_encrypt_block(&gcm->h, key, &gcm->h);+	cryptonite_aes_encrypt_block(&h, key, &h);+	cryptonite_hinit(gcm->htable, &h);  	if (len == 12) { 		block128_copy_bytes(&gcm->iv, iv, 12);@@ -359,18 +448,18 @@ 		int i; 		for (; len >= 16; len -= 16, iv += 16) { 			block128_xor(&gcm->iv, (block128 *) iv);-			cryptonite_gf_mul(&gcm->iv, &gcm->h);+			cryptonite_gf_mul(&gcm->iv, gcm->htable); 		} 		if (len > 0) { 			block128_xor_bytes(&gcm->iv, iv, len);-			cryptonite_gf_mul(&gcm->iv, &gcm->h);+			cryptonite_gf_mul(&gcm->iv, gcm->htable); 		} 		for (i = 15; origlen; --i, origlen >>= 8) 			gcm->iv.b[i] ^= (uint8_t) origlen;-		cryptonite_gf_mul(&gcm->iv, &gcm->h);+		cryptonite_gf_mul(&gcm->iv, gcm->htable); 	} -	block128_copy(&gcm->civ, &gcm->iv);+	block128_copy_aligned(&gcm->civ, &gcm->iv); }  void cryptonite_aes_gcm_aad(aes_gcm *gcm, uint8_t *input, uint32_t length)@@ -399,13 +488,147 @@ 	gcm_ghash_add(gcm, &lblock);  	cryptonite_aes_encrypt_block(&lblock, key, &gcm->iv);-	block128_xor(&gcm->tag, &lblock);+	block128_xor_aligned(&gcm->tag, &lblock);  	for (i = 0; i < 16; i++) { 		tag[i] = gcm->tag.b[i]; 	} } +static inline uint8_t ccm_b0_flags(uint32_t has_adata, uint32_t m, uint32_t l)+{+	return 8*m + l + (has_adata? 64: 0);+}++/* depends on input size */+static void ccm_encode_b0(block128* output, aes_ccm* ccm, uint32_t has_adata)+{+	int last = 15;+	uint32_t m = ccm->length_M;+	uint32_t l = ccm->length_L;+	uint32_t msg_len = ccm->length_input;++	block128_zero(output);+	block128_copy_aligned(output, &ccm->nonce);+	output->b[0] = ccm_b0_flags(has_adata, (m-2)/2, l-1);+	while (msg_len > 0) {+		output->b[last--] = msg_len & 0xff;+		msg_len >>= 8;+	}+}++/* encode adata length */+static int ccm_encode_la(block128* output, uint32_t la)+{+	if (la < ( (1 << 16) - (1 << 8)) ) {+		output->b[0] = (la >> 8) & 0xff;+		output->b[1] = la        & 0xff;+		return 2;+	} else {+		output->b[0] = 0xff;+		output->b[1] = 0xfe;+		output->b[2] = (la >> 24) & 0xff;+		output->b[3] = (la >> 16) & 0xff;+		output->b[4] = (la >>  8) & 0xff;+		output->b[5] = la         & 0xff;+		return 6;+	}+}++static void ccm_encode_ctr(block128* out, aes_ccm* ccm, unsigned int cnt)+{+	int last = 15;+	block128_copy_aligned(out, &ccm->nonce);+	out->b[0] = ccm->length_L - 1;++	while (cnt > 0) {+		out->b[last--] = cnt & 0xff;+		cnt >>= 8;+	}+}++static void ccm_cbcmac_add(aes_ccm* ccm, aes_key* key, block128* bi)+{+	block128_xor_aligned(&ccm->xi, bi);+	cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->xi);+}++/* even though it is possible to support message size as large as 2^64, we support up to 2^32 only */+void cryptonite_aes_ccm_init(aes_ccm *ccm, aes_key *key, uint8_t *nonce, uint32_t nonce_len, uint32_t input_size, int m, int l)+{+	memset(ccm, 0, sizeof(aes_ccm));++	if (l < 2 || l > 4) return;+	if (m != 4 && m != 6 && m != 8 && m != 10+		   && m != 12 && m != 14 && m != 16) return;++	if (nonce_len > 15 - l) {+		nonce_len = 15 - l;+	}++	if (l <= 4) {+		if (input_size >= (1ull << (8*l))) return;+	}++	ccm->length_L = l;+	ccm->length_M = m;+	ccm->length_input = input_size;++	memcpy(&ccm->nonce.b[1], nonce, nonce_len);++	ccm_encode_b0(&ccm->b0, ccm, 1); /* assume aad is present */+	cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);+}++/* even though l(a) can be as large as 2^64, we only handle aad up to 2 ^ 32 for practical reasons.+  Also we don't support incremental aad add, because the 1st encoded adata has length information+ */+void cryptonite_aes_ccm_aad(aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)+{+	block128 tmp;++	if (ccm->length_aad != 0) return;++	ccm->length_aad = length;+	int len_len;++	block128_zero(&tmp);+	len_len = ccm_encode_la(&tmp, length);++	if (length < 16 - len_len) {+		memcpy(&tmp.b[len_len], input, length);+		length = 0;+	} else {+		memcpy(&tmp.b[len_len], input, 16 - len_len);+		input += 16 - len_len;+		length -= 16 - len_len;+	}++	ccm_cbcmac_add(ccm, key, &tmp);++	for (; length >= 16; input += 16, length -= 16) {+		block128_copy(&tmp, (block128*)input);+		ccm_cbcmac_add(ccm, key, &tmp);++	}+	if (length > 0) {+		block128_zero(&tmp);+		block128_copy_bytes(&tmp, input, length);+		ccm_cbcmac_add(ccm, key, &tmp);+	}+	block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);+}++void cryptonite_aes_ccm_finish(uint8_t *tag, aes_ccm *ccm, aes_key *key)+{+	block128 iv, s0;++	block128_zero(&iv);+	ccm_encode_ctr(&iv, ccm, 0);+	cryptonite_aes_encrypt_block(&s0, key, &iv);+	block128_vxor((block128*)tag, &ccm->xi, &s0);+}+ static inline void ocb_block_double(block128 *d, block128 *s) { 	unsigned int i;@@ -464,7 +687,7 @@ 	memcpy(stretch, ktop.b, 16);  	memcpy(tmp.b, ktop.b + 1, 8);-	block128_xor(&tmp, &ktop);+	block128_xor_aligned(&tmp, &ktop); 	memcpy(stretch + 16, tmp.b, 8);  	/* initialize the encryption offset from stretch */@@ -490,22 +713,22 @@  	for (i=1; i<= length/16; i++, input=input+16) { 		ocb_get_L_i(&tmp, ocb->li, i);-		block128_xor(&ocb->offset_aad, &tmp);+		block128_xor_aligned(&ocb->offset_aad, &tmp);  		block128_vxor(&tmp, &ocb->offset_aad, (block128 *) input); 		cryptonite_aes_encrypt_block(&tmp, key, &tmp);-		block128_xor(&ocb->sum_aad, &tmp);+		block128_xor_aligned(&ocb->sum_aad, &tmp); 	}  	length = length % 16; /* Bytes in final block */ 	if (length > 0) {-		block128_xor(&ocb->offset_aad, &ocb->lstar);+		block128_xor_aligned(&ocb->offset_aad, &ocb->lstar); 		block128_zero(&tmp); 		block128_copy_bytes(&tmp, input, length); 		tmp.b[length] = 0x80;-		block128_xor(&tmp, &ocb->offset_aad);+		block128_xor_aligned(&tmp, &ocb->offset_aad); 		cryptonite_aes_encrypt_block(&tmp, key, &tmp);-		block128_xor(&ocb->sum_aad, &tmp);+		block128_xor_aligned(&ocb->sum_aad, &tmp); 	} } @@ -513,8 +736,8 @@ { 	block128 tmp; -	block128_vxor(&tmp, &ocb->sum_enc, &ocb->offset_enc);-	block128_xor(&tmp, &ocb->ldollar);+	block128_vxor_aligned(&tmp, &ocb->sum_enc, &ocb->offset_enc);+	block128_xor_aligned(&tmp, &ocb->ldollar); 	cryptonite_aes_encrypt_block((block128 *) tag, key, &tmp); 	block128_xor((block128 *) tag, &ocb->sum_aad); }@@ -585,6 +808,30 @@ 	} } +void cryptonite_aes_generic_encrypt_c32(uint8_t *output, aes_key *key, aes_block *iv, uint8_t *input, uint32_t len)+{+	aes_block block, o;+	uint32_t nb_blocks = len / 16;+	int i;++	/* preload IV in block */+	block128_copy(&block, iv);++	for ( ; nb_blocks-- > 0; block128_inc32_le(&block), output += 16, input += 16) {+		cryptonite_aes_encrypt_block(&o, key, &block);+		block128_vxor((block128 *) output, &o, (block128 *) input);+	}++	if ((len % 16) != 0) {+		cryptonite_aes_encrypt_block(&o, key, &block);+		for (i = 0; i < (len % 16); i++) {+			*output = ((uint8_t *) &o)[i] ^ *input;+			output++;+			input++;+		}+	}+}+ void cryptonite_aes_generic_encrypt_xts(aes_block *output, aes_key *k1, aes_key *k2, aes_block *dataunit,                              uint32_t spoint, aes_block *input, uint32_t nb_blocks) {@@ -596,9 +843,9 @@  	/* TO OPTIMISE: this is really inefficient way to do that */ 	while (spoint-- > 0)-		cryptonite_gf_mulx(&tweak);+		cryptonite_aes_generic_gf_mulx(&tweak); -	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_gf_mulx(&tweak)) {+	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_aes_generic_gf_mulx(&tweak)) { 		block128_vxor(&block, input, &tweak); 		cryptonite_aes_encrypt_block(&block, k1, &block); 		block128_vxor(output, &block, &tweak);@@ -616,9 +863,9 @@  	/* TO OPTIMISE: this is really inefficient way to do that */ 	while (spoint-- > 0)-		cryptonite_gf_mulx(&tweak);+		cryptonite_aes_generic_gf_mulx(&tweak); -	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_gf_mulx(&tweak)) {+	for ( ; nb_blocks-- > 0; input++, output++, cryptonite_aes_generic_gf_mulx(&tweak)) { 		block128_vxor(&block, input, &tweak); 		cryptonite_aes_decrypt_block(&block, k1, &block); 		block128_vxor(output, &block, &tweak);@@ -631,7 +878,7 @@  	gcm->length_input += length; 	for (; length >= 16; input += 16, output += 16, length -= 16) {-		block128_inc_be(&gcm->civ);+		block128_inc32_be(&gcm->civ);  		cryptonite_aes_encrypt_block(&out, key, &gcm->civ); 		block128_xor(&out, (block128 *) input);@@ -642,7 +889,7 @@ 		aes_block tmp; 		int i; -		block128_inc_be(&gcm->civ);+		block128_inc32_be(&gcm->civ); 		/* create e(civ) in out */ 		cryptonite_aes_encrypt_block(&out, key, &gcm->civ); 		/* initialize a tmp as input and xor it to e(civ) */@@ -664,7 +911,7 @@  	gcm->length_input += length; 	for (; length >= 16; input += 16, output += 16, length -= 16) {-		block128_inc_be(&gcm->civ);+		block128_inc32_be(&gcm->civ);  		cryptonite_aes_encrypt_block(&out, key, &gcm->civ); 		gcm_ghash_add(gcm, (block128 *) input);@@ -675,7 +922,7 @@ 		aes_block tmp; 		int i; -		block128_inc_be(&gcm->civ);+		block128_inc32_be(&gcm->civ);  		block128_zero(&tmp); 		block128_copy_bytes(&tmp, input, length);@@ -699,7 +946,7 @@ 	for (i = 1; i <= length/16; i++, input += 16, output += 16) { 		/* Offset_i = Offset_{i-1} xor L_{ntz(i)} */ 		ocb_get_L_i(&tmp, ocb->li, i);-		block128_xor(&ocb->offset_enc, &tmp);+		block128_xor_aligned(&ocb->offset_enc, &tmp);  		block128_vxor(&tmp, &ocb->offset_enc, (block128 *) input); 		if (encrypt) {@@ -716,29 +963,89 @@ 	/* process the last partial block if any */ 	length = length % 16; 	if (length > 0) {-		block128_xor(&ocb->offset_enc, &ocb->lstar);+		block128_xor_aligned(&ocb->offset_enc, &ocb->lstar); 		cryptonite_aes_encrypt_block(&pad, key, &ocb->offset_enc);  		if (encrypt) { 			block128_zero(&tmp); 			block128_copy_bytes(&tmp, input, length); 			tmp.b[length] = 0x80;-			block128_xor(&ocb->sum_enc, &tmp);-			block128_xor(&pad, &tmp);+			block128_xor_aligned(&ocb->sum_enc, &tmp);+			block128_xor_aligned(&pad, &tmp); 			memcpy(output, pad.b, length); 			output += length; 		} else {-			block128_copy(&tmp, &pad);+			block128_copy_aligned(&tmp, &pad); 			block128_copy_bytes(&tmp, input, length);-			block128_xor(&tmp, &pad);+			block128_xor_aligned(&tmp, &pad); 			tmp.b[length] = 0x80; 			memcpy(output, tmp.b, length);-			block128_xor(&ocb->sum_enc, &tmp);+			block128_xor_aligned(&ocb->sum_enc, &tmp); 			input += length; 		} 	} } +void cryptonite_aes_generic_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)+{+	block128 tmp, ctr;++	/* when aad is absent, reset b0 block */+	if (ccm->length_aad == 0) {+		ccm_encode_b0(&ccm->b0, ccm, 0); /* assume aad is present */+		cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);+		block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);+	}++	if (length != ccm->length_input) {+		return;+	}++	ccm_encode_ctr(&ctr, ccm, 1);+	cryptonite_aes_encrypt_ctr(output, key, &ctr, input, length);++	for (;length >= 16; input += 16, length -= 16) {+		block128_copy(&tmp, (block128*)input);+		ccm_cbcmac_add(ccm, key, &tmp);+	}+	if (length > 0) {+		block128_zero(&tmp);+		block128_copy_bytes(&tmp, input, length);+		ccm_cbcmac_add(ccm, key, &tmp);+	}+}++void cryptonite_aes_generic_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length)+{+	block128 tmp, ctr;++	if (length != ccm->length_input) {+		return;+	}++	/* when aad is absent, reset b0 block */+	if (ccm->length_aad == 0) {+		ccm_encode_b0(&ccm->b0, ccm, 0); /* assume aad is present */+		cryptonite_aes_encrypt_block(&ccm->xi, key, &ccm->b0);+		block128_copy_aligned(&ccm->header_cbcmac, &ccm->xi);+	}++	ccm_encode_ctr(&ctr, ccm, 1);+	cryptonite_aes_encrypt_ctr(output, key, &ctr, input, length);+	block128_copy_aligned(&ccm->xi, &ccm->header_cbcmac);+	input = output;++	for (;length >= 16; input += 16, length -= 16) {+		block128_copy(&tmp, (block128*)input);+		ccm_cbcmac_add(ccm, key, &tmp);+	}+	if (length > 0) {+		block128_zero(&tmp);+		block128_copy_bytes(&tmp, input, length);+		ccm_cbcmac_add(ccm, key, &tmp);+	}+}+ void cryptonite_aes_generic_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length) { 	ocb_generic_crypt(output, ocb, key, input, length, 1);@@ -747,4 +1054,56 @@ void cryptonite_aes_generic_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length) { 	ocb_generic_crypt(output, ocb, key, input, length, 0);+}++static inline void gf_mulx_rev(block128 *a, const block128 *h)+{+	uint64_t v1 = cpu_to_le64(h->q[0]);+	uint64_t v0 = cpu_to_le64(h->q[1]);+	a->q[1] = cpu_to_be64(v1 >> 1 | v0 << 63);+	a->q[0] = cpu_to_be64(v0 >> 1 ^ ((0-(v1 & 1)) & 0xe100000000000000ULL));+}++void cryptonite_aes_polyval_init(aes_polyval *ctx, const aes_block *h)+{+	aes_block r;++	/* ByteReverse(S_0) = 0 */+	block128_zero(&ctx->s);++	/* ByteReverse(H) * x */+	gf_mulx_rev(&r, h);+	cryptonite_hinit(ctx->htable, &r);+}++void cryptonite_aes_polyval_update(aes_polyval *ctx, const uint8_t *input, uint32_t length)+{+	aes_block r;+	const uint8_t *p;+	uint32_t sz;++	/* This automatically pads with zeros if input is not a multiple of the+	   block size. */+	for (p = input; length > 0; p += 16, length -= sz)+	{+		sz = length < 16 ? length : 16;++		/* ByteReverse(X_j) */+		block128_zero(&r);+		memcpy(&r, p, sz);+		block128_byte_reverse(&r);++		/* ByteReverse(S_{j-1}) + ByteReverse(X_j) */+		block128_xor_aligned(&ctx->s, &r);++		/* ByteReverse(S_j) */+		cryptonite_gf_mul(&ctx->s, ctx->htable);+	}+}++void cryptonite_aes_polyval_finalize(aes_polyval *ctx, aes_block *dst)+{+	/* S_s */+	block128_copy_aligned(dst, &ctx->s);+	block128_byte_reverse(dst); }
cbits/cryptonite_aes.h view
@@ -45,17 +45,29 @@ 	uint8_t data[16*14*2]; } aes_key; -/* size = 4*16+2*8= 80 */+/* size = 19*16+2*8= 320 */ typedef struct { 	aes_block tag;-	aes_block h;+	aes_block htable[16]; 	aes_block iv; 	aes_block civ; 	uint64_t length_aad; 	uint64_t length_input; } aes_gcm; +/* size = 4*16+4*4= 80 */ typedef struct {+	aes_block xi;+	aes_block header_cbcmac;+	aes_block b0;+	aes_block nonce;+	uint32_t length_aad;+	uint32_t length_input;+	uint32_t length_M;+	uint32_t length_L;+} aes_ccm;++typedef struct { 	block128 offset_aad; 	block128 offset_enc; 	block128 sum_aad;@@ -65,6 +77,12 @@ 	block128 li[4]; } aes_ocb; +/* size = 17*16= 272 */+typedef struct {+	aes_block htable[16];+	aes_block s;+} aes_polyval;+ /* in bytes: either 16,24,32 */ void cryptonite_aes_initkey(aes_key *ctx, uint8_t *key, uint8_t size); @@ -96,5 +114,17 @@ void cryptonite_aes_ocb_encrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length); void cryptonite_aes_ocb_decrypt(uint8_t *output, aes_ocb *ocb, aes_key *key, uint8_t *input, uint32_t length); void cryptonite_aes_ocb_finish(uint8_t *tag, aes_ocb *ocb, aes_key *key);++void cryptonite_aes_ccm_init(aes_ccm *ccm, aes_key *key, uint8_t *nonce, uint32_t len, uint32_t msg_size, int m, int l);+void cryptonite_aes_ccm_aad(aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);+void cryptonite_aes_ccm_encrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);+void cryptonite_aes_ccm_decrypt(uint8_t *output, aes_ccm *ccm, aes_key *key, uint8_t *input, uint32_t length);+void cryptonite_aes_ccm_finish(uint8_t *tag, aes_ccm *ccm, aes_key *key);++uint8_t *cryptonite_aes_cpu_init(void);++void cryptonite_aes_polyval_init(aes_polyval *ctx, const aes_block *h);+void cryptonite_aes_polyval_update(aes_polyval *ctx, const uint8_t *input, uint32_t length);+void cryptonite_aes_polyval_finalize(aes_polyval *ctx, aes_block *dst);  #endif
cbits/cryptonite_align.h view
@@ -44,11 +44,21 @@ 	*((uint32_t *) dst) = cpu_to_le32(v); } +static inline void xor_le32_aligned(uint8_t *dst, const uint32_t v)+{+	*((uint32_t *) dst) ^= cpu_to_le32(v);+}+ static inline void store_be32_aligned(uint8_t *dst, const uint32_t v) { 	*((uint32_t *) dst) = cpu_to_be32(v); } +static inline void xor_be32_aligned(uint8_t *dst, const uint32_t v)+{+	*((uint32_t *) dst) ^= cpu_to_be32(v);+}+ static inline void store_le64_aligned(uint8_t *dst, const uint64_t v) { 	*((uint64_t *) dst) = cpu_to_le64(v);@@ -59,6 +69,11 @@ 	*((uint64_t *) dst) = cpu_to_be64(v); } +static inline void xor_be64_aligned(uint8_t *dst, const uint64_t v)+{+	*((uint64_t *) dst) ^= cpu_to_be64(v);+}+ #ifdef UNALIGNED_ACCESS_OK #define load_le32(a) load_le32_aligned(a) #else@@ -70,20 +85,30 @@  #ifdef UNALIGNED_ACCESS_OK #define store_le32(a, b) store_le32_aligned(a, b)+#define xor_le32(a, b) xor_le32_aligned(a, b) #else static inline void store_le32(uint8_t *dst, const uint32_t v) { 	dst[0] = v; dst[1] = v >> 8; dst[2] = v >> 16; dst[3] = v >> 24; }+static inline void xor_le32(uint8_t *dst, const uint32_t v)+{+	dst[0] ^= v; dst[1] ^= v >> 8; dst[2] ^= v >> 16; dst[3] ^= v >> 24;+} #endif  #ifdef UNALIGNED_ACCESS_OK #define store_be32(a, b) store_be32_aligned(a, b)+#define xor_be32(a, b) xor_be32_aligned(a, b) #else static inline void store_be32(uint8_t *dst, const uint32_t v) { 	dst[3] = v; dst[2] = v >> 8; dst[1] = v >> 16; dst[0] = v >> 24; }+static inline void xor_be32(uint8_t *dst, const uint32_t v)+{+	dst[3] ^= v; dst[2] ^= v >> 8; dst[1] ^= v >> 16; dst[0] ^= v >> 24;+} #endif  #ifdef UNALIGNED_ACCESS_OK@@ -98,11 +123,17 @@  #ifdef UNALIGNED_ACCESS_OK #define store_be64(a, b) store_be64_aligned(a, b)+#define xor_be64(a, b) xor_be64_aligned(a, b) #else static inline void store_be64(uint8_t *dst, const uint64_t v) { 	dst[7] = v      ; dst[6] = v >> 8 ; dst[5] = v >> 16; dst[4] = v >> 24; 	dst[3] = v >> 32; dst[2] = v >> 40; dst[1] = v >> 48; dst[0] = v >> 56;+}+static inline void xor_be64(uint8_t *dst, const uint64_t v)+{+	dst[7] ^= v      ; dst[6] ^= v >> 8 ; dst[5] ^= v >> 16; dst[4] ^= v >> 24;+	dst[3] ^= v >> 32; dst[2] ^= v >> 40; dst[1] ^= v >> 48; dst[0] ^= v >> 56; } #endif 
cbits/cryptonite_blake2b.c view
@@ -2,15 +2,15 @@  void cryptonite_blake2b_init(blake2b_ctx *ctx, uint32_t hashlen) {-	blake2b_init(ctx, hashlen / 8);+	_cryptonite_blake2b_init(ctx, hashlen / 8); }  void cryptonite_blake2b_update(blake2b_ctx *ctx, const uint8_t *data, uint32_t len) {-	blake2b_update(ctx, data, len);+	_cryptonite_blake2b_update(ctx, data, len); }  void cryptonite_blake2b_finalize(blake2b_ctx *ctx, uint32_t hashlen, uint8_t *out) {-	blake2b_final(ctx, out, hashlen / 8);+	_cryptonite_blake2b_final(ctx, out, hashlen / 8); }
cbits/cryptonite_blake2bp.c view
@@ -2,15 +2,15 @@  void cryptonite_blake2bp_init(blake2bp_ctx *ctx, uint32_t hashlen) {-	blake2bp_init(ctx, hashlen / 8);+	_cryptonite_blake2bp_init(ctx, hashlen / 8); }  void cryptonite_blake2bp_update(blake2bp_ctx *ctx, const uint8_t *data, uint32_t len) {-	blake2bp_update(ctx, data, len);+	_cryptonite_blake2bp_update(ctx, data, len); }  void cryptonite_blake2bp_finalize(blake2bp_ctx *ctx, uint32_t hashlen, uint8_t *out) {-	blake2bp_final(ctx, out, hashlen / 8);+	_cryptonite_blake2bp_final(ctx, out, hashlen / 8); }
cbits/cryptonite_blake2s.c view
@@ -2,15 +2,15 @@  void cryptonite_blake2s_init(blake2s_ctx *ctx, uint32_t hashlen) {-	blake2s_init(ctx, hashlen / 8);+	_cryptonite_blake2s_init(ctx, hashlen / 8); }  void cryptonite_blake2s_update(blake2s_ctx *ctx, const uint8_t *data, uint32_t len) {-	blake2s_update(ctx, data, len);+	_cryptonite_blake2s_update(ctx, data, len); }  void cryptonite_blake2s_finalize(blake2s_ctx *ctx, uint32_t hashlen, uint8_t *out) {-	blake2s_final(ctx, out, hashlen / 8);+	_cryptonite_blake2s_final(ctx, out, hashlen / 8); }
cbits/cryptonite_blake2sp.c view
@@ -2,15 +2,15 @@  void cryptonite_blake2sp_init(blake2sp_ctx *ctx, uint32_t hashlen) {-	blake2sp_init(ctx, hashlen / 8);+	_cryptonite_blake2sp_init(ctx, hashlen / 8); }  void cryptonite_blake2sp_update(blake2sp_ctx *ctx, const uint8_t *data, uint32_t len) {-	blake2sp_update(ctx, data, len);+	_cryptonite_blake2sp_update(ctx, data, len); }  void cryptonite_blake2sp_finalize(blake2sp_ctx *ctx, uint32_t hashlen, uint8_t *out) {-	blake2sp_final(ctx, out, hashlen / 8);+	_cryptonite_blake2sp_final(ctx, out, hashlen / 8); }
cbits/cryptonite_chacha.c view
@@ -98,7 +98,6 @@                                  uint32_t ivlen, const uint8_t *iv) { 	const uint8_t *constants = (keylen == 32) ? sigma : tau;-	int i;  	ASSERT_ALIGNMENT(constants, 4); 
+ cbits/cryptonite_hash_prefix.c view
@@ -0,0 +1,90 @@+/*+ * Copyright (C) 2020 Olivier Chéron <olivier.cheron@gmail.com>+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions+ * are met:+ * 1. Redistributions of source code must retain the above copyright+ *    notice, this list of conditions and the following disclaimer.+ * 2. Redistributions in binary form must reproduce the above copyright+ *    notice, this list of conditions and the following disclaimer in the+ *    documentation and/or other materials provided with the distribution.+ *+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */++#include <cryptonite_hash_prefix.h>++void CRYPTONITE_HASHED(finalize_prefix)(struct HASHED_LOWER(ctx) *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out)+{+	uint64_t bits[HASHED(BITS_ELEMS)];+	uint8_t *p = (uint8_t *) &bits;+	uint32_t index, padidx, padlen, pos, out_mask;+	static const uint32_t cut_off = HASHED(BLOCK_SIZE) - sizeof(bits);++	/* Make sure n <= len */+	n += (len - n) & constant_time_lt(len, n);++	/* Initial index, based on current context state */+	index = CRYPTONITE_HASHED(get_index)(ctx);++	/* Final size after n bytes */+	CRYPTONITE_HASHED(incr_sz)(ctx, bits, n);++	/* Padding index and length */+	padidx = CRYPTONITE_HASHED(get_index)(ctx);+	padlen = HASHED(BLOCK_SIZE) + cut_off - padidx;+	padlen -= HASHED(BLOCK_SIZE) & constant_time_lt(padidx, cut_off);++	/* Initialize buffers because we will XOR into them */+	memset(ctx->buf + index, 0, HASHED(BLOCK_SIZE) - index);+	memset(out, 0, HASHED(DIGEST_SIZE));+	pos = 0;++	/* Iterate based on the full buffer length, regardless of n, and include+	 * the maximum overhead with padding and size bytes+	 */+	while (pos < len + HASHED(BLOCK_SIZE) + sizeof(bits)) {+		uint8_t b;++		/* Take as many bytes from the input buffer as possible */+		if (pos < len)+			b = *(data++) & (uint8_t) constant_time_lt(pos, n);+		else+			b = 0;++		/* First padding byte */+		b |= 0x80 & (uint8_t) constant_time_eq(pos, n);++		/* Size bytes are always at the end of a block */+		if (index >= cut_off)+			b |= p[index - cut_off] & (uint8_t) constant_time_ge(pos, n + padlen);++		/* Store this byte into the buffer */+		ctx->buf[index++] ^= b;+		pos++;++		/* Process a full block, at a boundary which is independent from n */+		if (index >= HASHED(BLOCK_SIZE)) {+			index = 0;+			HASHED_LOWER(do_chunk)(ctx, (void *) ctx->buf);+			memset(ctx->buf, 0, HASHED(BLOCK_SIZE));++			/* Try to store the result: this is a no-op except when we reach the+			 * actual size based on n, more iterations may continue after that+			 * when len is really larger+			 */+			out_mask = constant_time_eq(pos, n + padlen + sizeof(bits));+			CRYPTONITE_HASHED(select_digest)(ctx, out, out_mask);+		}+	}+}
+ cbits/cryptonite_hash_prefix.h view
@@ -0,0 +1,65 @@+/*+ * Copyright (C) 2020 Olivier Chéron <olivier.cheron@gmail.com>+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions+ * are met:+ * 1. Redistributions of source code must retain the above copyright+ *	notice, this list of conditions and the following disclaimer.+ * 2. Redistributions in binary form must reproduce the above copyright+ *	notice, this list of conditions and the following disclaimer in the+ *	documentation and/or other materials provided with the distribution.+ *+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */++#ifndef CRYPTONITE_HASH_PREFIX_H+#define CRYPTONITE_HASH_PREFIX_H++#include <stdint.h>++static inline uint32_t constant_time_msb(uint32_t a)+{+	return 0 - (a >> 31);+}++static inline uint32_t constant_time_lt(uint32_t a, uint32_t b)+{+	return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));+}++static inline uint32_t constant_time_ge(uint32_t a, uint32_t b)+{+	return ~constant_time_lt(a, b);+}++static inline uint32_t constant_time_is_zero(uint32_t a)+{+	return constant_time_msb(~a & (a - 1));+}++static inline uint32_t constant_time_eq(uint32_t a, uint32_t b)+{+	return constant_time_is_zero(a ^ b);+}++static inline uint64_t constant_time_msb_64(uint64_t a)+{+	return 0 - (a >> 63);+}++static inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)+{+	return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));+}++#endif
cbits/cryptonite_md4.c view
@@ -25,6 +25,7 @@ #include <string.h> #include <stdio.h> #include "cryptonite_bitfn.h"+#include "cryptonite_align.h" #include "cryptonite_md4.h"  void cryptonite_md4_init(struct md4_ctx *ctx)@@ -130,9 +131,18 @@ 		index = 0; 	} -	/* process as much 64-block as possible */-	for (; len >= 64; len -= 64, data += 64)-		md4_do_chunk(ctx, (uint32_t *) data);+	if (need_alignment(data, 4)) {+		uint32_t tramp[16];+		ASSERT_ALIGNMENT(tramp, 4);+		for (; len >= 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			md4_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 64-block as possible */+		for (; len >= 64; len -= 64, data += 64)+			md4_do_chunk(ctx, (uint32_t *) data);+	}  	/* append data into buf */ 	if (len)@@ -157,5 +167,8 @@ 	cryptonite_md4_update(ctx, (uint8_t *) &bits, sizeof(bits));  	/* output hash */-	le32_to_cpu_array((uint32_t *) out, ctx->h, 4);+	store_le32(out   , ctx->h[0]);+	store_le32(out+ 4, ctx->h[1]);+	store_le32(out+ 8, ctx->h[2]);+	store_le32(out+12, ctx->h[3]); }
cbits/cryptonite_md5.c view
@@ -25,6 +25,7 @@ #include <string.h> #include <stdio.h> #include "cryptonite_bitfn.h"+#include "cryptonite_align.h" #include "cryptonite_md5.h"  void cryptonite_md5_init(struct md5_ctx *ctx)@@ -143,9 +144,18 @@ 		index = 0; 	} -	/* process as much 64-block as possible */-	for (; len >= 64; len -= 64, data += 64)-		md5_do_chunk(ctx, (uint32_t *) data);+	if (need_alignment(data, 4)) {+		uint32_t tramp[16];+		ASSERT_ALIGNMENT(tramp, 4);+		for (; len >= 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			md5_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 64-block as possible */+		for (; len >= 64; len -= 64, data += 64)+			md5_do_chunk(ctx, (uint32_t *) data);+	}  	/* append data into buf */ 	if (len)@@ -157,7 +167,6 @@ 	static uint8_t padding[64] = { 0x80, }; 	uint64_t bits; 	uint32_t index, padlen;-	uint32_t *p = (uint32_t *) out;  	/* add padding and update data with it */ 	bits = cpu_to_le64(ctx->sz << 3);@@ -171,8 +180,35 @@ 	cryptonite_md5_update(ctx, (uint8_t *) &bits, sizeof(bits));  	/* output hash */-	p[0] = cpu_to_le32(ctx->h[0]);-	p[1] = cpu_to_le32(ctx->h[1]);-	p[2] = cpu_to_le32(ctx->h[2]);-	p[3] = cpu_to_le32(ctx->h[3]);+	store_le32(out   , ctx->h[0]);+	store_le32(out+ 4, ctx->h[1]);+	store_le32(out+ 8, ctx->h[2]);+	store_le32(out+12, ctx->h[3]); }++#define HASHED(m) MD5_##m+#define HASHED_LOWER(m) md5_##m+#define CRYPTONITE_HASHED(m) cryptonite_md5_##m+#define MD5_BLOCK_SIZE 64+#define MD5_BITS_ELEMS 1++static inline uint32_t cryptonite_md5_get_index(const struct md5_ctx *ctx)+{+	return (uint32_t) (ctx->sz & 0x3f);+}++static inline void cryptonite_md5_incr_sz(struct md5_ctx *ctx, uint64_t *bits, uint32_t n)+{+	ctx->sz += n;+	*bits = cpu_to_le64(ctx->sz << 3);+}++static inline void cryptonite_md5_select_digest(const struct md5_ctx *ctx, uint8_t *out, uint32_t out_mask)+{+	xor_le32(out   , ctx->h[0] & out_mask);+	xor_le32(out+ 4, ctx->h[1] & out_mask);+	xor_le32(out+ 8, ctx->h[2] & out_mask);+	xor_le32(out+12, ctx->h[3] & out_mask);+}++#include <cryptonite_hash_prefix.c>
cbits/cryptonite_md5.h view
@@ -39,5 +39,6 @@ void cryptonite_md5_init(struct md5_ctx *ctx); void cryptonite_md5_update(struct md5_ctx *ctx, const uint8_t *data, uint32_t len); void cryptonite_md5_finalize(struct md5_ctx *ctx, uint8_t *out);+void cryptonite_md5_finalize_prefix(struct md5_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out);  #endif
cbits/cryptonite_poly1305.c view
@@ -37,11 +37,7 @@ #include <string.h> #include "cryptonite_poly1305.h" #include "cryptonite_bitfn.h"--static inline uint32_t load32(uint8_t *p)-{-	return (le32_to_cpu(*((uint32_t *) p)));-}+#include "cryptonite_align.h"  static void poly1305_do_chunk(poly1305_ctx *ctx, uint8_t *data, int blocks, int final) {@@ -61,11 +57,11 @@ 	s1 = r1 * 5; s2 = r2 * 5; s3 = r3 * 5; s4 = r4 * 5;  	while (blocks--) {-		h0 += (load32(data+ 0)     ) & 0x3ffffff;-		h1 += (load32(data+ 3) >> 2) & 0x3ffffff;-		h2 += (load32(data+ 6) >> 4) & 0x3ffffff;-		h3 += (load32(data+ 9) >> 6) & 0x3ffffff;-		h4 += (load32(data+12) >> 8) | hibit;+		h0 += (load_le32(data+ 0)     ) & 0x3ffffff;+		h1 += (load_le32(data+ 3) >> 2) & 0x3ffffff;+		h2 += (load_le32(data+ 6) >> 4) & 0x3ffffff;+		h3 += (load_le32(data+ 9) >> 6) & 0x3ffffff;+		h4 += (load_le32(data+12) >> 8) | hibit;  		d0 = ((uint64_t)h0 * r0) + ((uint64_t)h1 * s4) + ((uint64_t)h2 * s3) + ((uint64_t)h3 * s2) + ((uint64_t)h4 * s1); 		d1 = ((uint64_t)h0 * r1) + ((uint64_t)h1 * r0) + ((uint64_t)h2 * s4) + ((uint64_t)h3 * s3) + ((uint64_t)h4 * s2);@@ -94,16 +90,16 @@  	memset(ctx, 0, sizeof(poly1305_ctx)); -	ctx->r[0] = (load32(&k[ 0])     ) & 0x3ffffff;-	ctx->r[1] = (load32(&k[ 3]) >> 2) & 0x3ffff03;-	ctx->r[2] = (load32(&k[ 6]) >> 4) & 0x3ffc0ff;-	ctx->r[3] = (load32(&k[ 9]) >> 6) & 0x3f03fff;-	ctx->r[4] = (load32(&k[12]) >> 8) & 0x00fffff;+	ctx->r[0] = (load_le32(&k[ 0])     ) & 0x3ffffff;+	ctx->r[1] = (load_le32(&k[ 3]) >> 2) & 0x3ffff03;+	ctx->r[2] = (load_le32(&k[ 6]) >> 4) & 0x3ffc0ff;+	ctx->r[3] = (load_le32(&k[ 9]) >> 6) & 0x3f03fff;+	ctx->r[4] = (load_le32(&k[12]) >> 8) & 0x00fffff; -	ctx->pad[0] = load32(&k[16]);-	ctx->pad[1] = load32(&k[20]);-	ctx->pad[2] = load32(&k[24]);-	ctx->pad[3] = load32(&k[28]);+	ctx->pad[0] = load_le32(&k[16]);+	ctx->pad[1] = load_le32(&k[20]);+	ctx->pad[2] = load_le32(&k[24]);+	ctx->pad[3] = load_le32(&k[28]);  	ctx->index = 0; }
cbits/cryptonite_rdrand.c view
@@ -91,7 +91,7 @@ } #endif -/* Returns the number of bytes succesfully generated */+/* Returns the number of bytes successfully generated */ int cryptonite_get_rand_bytes(uint8_t *buffer, size_t len) { 	RDRAND_T tmp;
cbits/cryptonite_ripemd.c view
@@ -24,6 +24,7 @@  #include "cryptonite_ripemd.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h" #include <string.h>  void cryptonite_ripemd160_init(struct ripemd160_ctx *ctx)@@ -265,9 +266,20 @@ 		index = 0; 	} -	for (; len >= 64; len -= 64, data += 64)-		ripemd160_do_chunk(ctx, (uint32_t *) data);+	if (need_alignment(data, 4)) {+		uint32_t tramp[16];+		ASSERT_ALIGNMENT(tramp, 4);+		for (; len >= 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			ripemd160_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 64-block as possible */+		for (; len >= 64; len -= 64, data += 64)+			ripemd160_do_chunk(ctx, (uint32_t *) data);+	} +	/* append data into buf */ 	if (len) 		memcpy(ctx->buf + index, data, len); }@@ -277,7 +289,6 @@ 	static uint8_t padding[64] = { 0x80, }; 	uint64_t bits; 	uint32_t index, padlen;-	uint32_t *p = (uint32_t *) out;  	/* add padding and update data with it */ 	bits = cpu_to_le64(ctx->sz << 3);@@ -291,9 +302,9 @@ 	cryptonite_ripemd160_update(ctx, (uint8_t *) &bits, sizeof(bits));  	/* output digest */-	p[0] = cpu_to_le32(ctx->h[0]);-	p[1] = cpu_to_le32(ctx->h[1]);-	p[2] = cpu_to_le32(ctx->h[2]);-	p[3] = cpu_to_le32(ctx->h[3]);-	p[4] = cpu_to_le32(ctx->h[4]);+	store_le32(out   , ctx->h[0]);+	store_le32(out+ 4, ctx->h[1]);+	store_le32(out+ 8, ctx->h[2]);+	store_le32(out+12, ctx->h[3]);+	store_le32(out+16, ctx->h[4]); }
cbits/cryptonite_salsa.c view
@@ -33,6 +33,7 @@ #include <stdio.h> #include "cryptonite_salsa.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h"  static const uint8_t sigma[16] = "expand 32-byte k"; static const uint8_t tau[16] = "expand 16-byte k";@@ -58,11 +59,6 @@ 		QR (x15,x12,x13,x14); \ 	} -static inline uint32_t load32(const uint8_t *p)-{-	return le32_to_cpu(*((uint32_t *) p));-}- static void salsa_core(int rounds, block *out, const cryptonite_salsa_state *in) { 	uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;@@ -124,36 +120,35 @@                                 uint32_t ivlen, const uint8_t *iv) { 	const uint8_t *constants = (keylen == 32) ? sigma : tau;-	int i; -	st->d[0] = load32(constants + 0);-	st->d[5] = load32(constants + 4);-	st->d[10] = load32(constants + 8);-	st->d[15] = load32(constants + 12);+	st->d[0] = load_le32_aligned(constants + 0);+	st->d[5] = load_le32_aligned(constants + 4);+	st->d[10] = load_le32_aligned(constants + 8);+	st->d[15] = load_le32_aligned(constants + 12); -	st->d[1] = load32(key + 0);-	st->d[2] = load32(key + 4);-	st->d[3] = load32(key + 8);-	st->d[4] = load32(key + 12);+	st->d[1] = load_le32(key + 0);+	st->d[2] = load_le32(key + 4);+	st->d[3] = load_le32(key + 8);+	st->d[4] = load_le32(key + 12); 	/* we repeat the key on 128 bits */ 	if (keylen == 32) 		key += 16;-	st->d[11] = load32(key + 0);-	st->d[12] = load32(key + 4);-	st->d[13] = load32(key + 8);-	st->d[14] = load32(key + 12);+	st->d[11] = load_le32(key + 0);+	st->d[12] = load_le32(key + 4);+	st->d[13] = load_le32(key + 8);+	st->d[14] = load_le32(key + 12);  	st->d[9] = 0; 	switch (ivlen) { 	case 8:-		st->d[6] = load32(iv + 0);-		st->d[7] = load32(iv + 4);+		st->d[6] = load_le32(iv + 0);+		st->d[7] = load_le32(iv + 4); 		st->d[8] = 0; 		break; 	case 12:-		st->d[6] = load32(iv + 0);-		st->d[7] = load32(iv + 4);-		st->d[8] = load32(iv + 8);+		st->d[6] = load_le32(iv + 0);+		st->d[7] = load_le32(iv + 4);+		st->d[8] = load_le32(iv + 8); 	default: 		return; 	}
cbits/cryptonite_scrypt.c view
@@ -27,6 +27,7 @@ #include <stdint.h> #include <string.h> #include "cryptonite_bitfn.h"+#include "cryptonite_align.h" #include "cryptonite_salsa.h"  static void blockmix_salsa8(uint32_t *in, uint32_t *out, uint32_t *X, const uint32_t r)@@ -49,16 +50,6 @@ 	return B[(2*r-1) * 16] | (uint64_t)B[(2*r-1) * 16 + 1] << 32; } -static inline uint32_t load32(const uint8_t *p)-{-	return le32_to_cpu(*((uint32_t *) p));-}--static inline void store32(const uint8_t *p, uint32_t val)-{-	*((uint32_t *) p) = cpu_to_le32(val);-}- void cryptonite_scrypt_smix(uint8_t *B, const uint32_t r, const uint64_t N, uint32_t *V, uint32_t *XY) { 	uint32_t *X = XY;@@ -69,7 +60,7 @@ 	const int r32 = 32*r;  	for (k = 0; k < r32; k++)-		X[k] = load32(&B[4 * k]);+		X[k] = load_le32_aligned(&B[4 * k]); 	for (i = 0; i < N; i += 2) { 		array_copy32(&V[i * r32], X, r32); 		blockmix_salsa8(X, Y, Z, r);@@ -86,5 +77,5 @@ 		blockmix_salsa8(Y, X, Z, r); 	} 	for (k = 0; k < r32; k++)-		store32(&B[4*k], X[k]);+		store_le32_aligned(&B[4*k], X[k]); }
cbits/cryptonite_sha1.c view
@@ -25,6 +25,7 @@ #include <string.h> #include "cryptonite_sha1.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h"  void cryptonite_sha1_init(struct sha1_ctx *ctx) {@@ -173,9 +174,18 @@ 		index = 0; 	} -	/* process as much 64-block as possible */-	for (; len >= 64; len -= 64, data += 64)-		sha1_do_chunk(ctx, (uint32_t *) data);+	if (need_alignment(data, 4)) {+		uint32_t tramp[16];+		ASSERT_ALIGNMENT(tramp, 4);+		for (; len >= 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			sha1_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 64-block as possible */+		for (; len >= 64; len -= 64, data += 64)+			sha1_do_chunk(ctx, (uint32_t *) data);+	}  	/* append data into buf */ 	if (len)@@ -187,7 +197,6 @@ 	static uint8_t padding[64] = { 0x80, }; 	uint64_t bits; 	uint32_t index, padlen;-	uint32_t *p = (uint32_t *) out;  	/* add padding and update data with it */ 	bits = cpu_to_be64(ctx->sz << 3);@@ -201,9 +210,37 @@ 	cryptonite_sha1_update(ctx, (uint8_t *) &bits, sizeof(bits));  	/* output hash */-	p[0] = cpu_to_be32(ctx->h[0]);-	p[1] = cpu_to_be32(ctx->h[1]);-	p[2] = cpu_to_be32(ctx->h[2]);-	p[3] = cpu_to_be32(ctx->h[3]);-	p[4] = cpu_to_be32(ctx->h[4]);+	store_be32(out   , ctx->h[0]);+	store_be32(out+ 4, ctx->h[1]);+	store_be32(out+ 8, ctx->h[2]);+	store_be32(out+12, ctx->h[3]);+	store_be32(out+16, ctx->h[4]); }++#define HASHED(m) SHA1_##m+#define HASHED_LOWER(m) sha1_##m+#define CRYPTONITE_HASHED(m) cryptonite_sha1_##m+#define SHA1_BLOCK_SIZE 64+#define SHA1_BITS_ELEMS 1++static inline uint32_t cryptonite_sha1_get_index(const struct sha1_ctx *ctx)+{+	return (uint32_t) (ctx->sz & 0x3f);+}++static inline void cryptonite_sha1_incr_sz(struct sha1_ctx *ctx, uint64_t *bits, uint32_t n)+{+	ctx->sz += n;+	*bits = cpu_to_be64(ctx->sz << 3);+}++static inline void cryptonite_sha1_select_digest(const struct sha1_ctx *ctx, uint8_t *out, uint32_t out_mask)+{+	xor_be32(out   , ctx->h[0] & out_mask);+	xor_be32(out+ 4, ctx->h[1] & out_mask);+	xor_be32(out+ 8, ctx->h[2] & out_mask);+	xor_be32(out+12, ctx->h[3] & out_mask);+	xor_be32(out+16, ctx->h[4] & out_mask);+}++#include <cryptonite_hash_prefix.c>
cbits/cryptonite_sha1.h view
@@ -41,5 +41,6 @@ void cryptonite_sha1_init(struct sha1_ctx *ctx); void cryptonite_sha1_update(struct sha1_ctx *ctx, const uint8_t *data, uint32_t len); void cryptonite_sha1_finalize(struct sha1_ctx *ctx, uint8_t *out);+void cryptonite_sha1_finalize_prefix(struct sha1_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out);  #endif
cbits/cryptonite_sha256.c view
@@ -25,6 +25,7 @@ #include <string.h> #include "cryptonite_sha256.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h"  void cryptonite_sha224_init(struct sha224_ctx *ctx) {@@ -134,9 +135,18 @@ 		index = 0; 	} -	/* process as much 64-block as possible */-	for (; len >= 64; len -= 64, data += 64)-		sha256_do_chunk(ctx, (uint32_t *) data);+	if (need_alignment(data, 4)) {+		uint32_t tramp[16];+		ASSERT_ALIGNMENT(tramp, 4);+		for (; len >= 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			sha256_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 64-block as possible */+		for (; len >= 64; len -= 64, data += 64)+			sha256_do_chunk(ctx, (uint32_t *) data);+	}  	/* append data into buf */ 	if (len)@@ -151,12 +161,19 @@ 	memcpy(out, intermediate, SHA224_DIGEST_SIZE); } +void cryptonite_sha224_finalize_prefix(struct sha224_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out)+{+	uint8_t intermediate[SHA256_DIGEST_SIZE];++	cryptonite_sha256_finalize_prefix(ctx, data, len, n, intermediate);+	memcpy(out, intermediate, SHA224_DIGEST_SIZE);+}+ void cryptonite_sha256_finalize(struct sha256_ctx *ctx, uint8_t *out) { 	static uint8_t padding[64] = { 0x80, }; 	uint64_t bits; 	uint32_t i, index, padlen;-	uint32_t *p = (uint32_t *) out;  	/* cpu -> big endian */ 	bits = cpu_to_be64(ctx->sz << 3);@@ -171,5 +188,31 @@  	/* store to digest */ 	for (i = 0; i < 8; i++)-		p[i] = cpu_to_be32(ctx->h[i]);+		store_be32(out+4*i, ctx->h[i]); }++#define HASHED(m) SHA256_##m+#define HASHED_LOWER(m) sha256_##m+#define CRYPTONITE_HASHED(m) cryptonite_sha256_##m+#define SHA256_BLOCK_SIZE 64+#define SHA256_BITS_ELEMS 1++static inline uint32_t cryptonite_sha256_get_index(const struct sha256_ctx *ctx)+{+	return (uint32_t) (ctx->sz & 0x3f);+}++static inline void cryptonite_sha256_incr_sz(struct sha256_ctx *ctx, uint64_t *bits, uint32_t n)+{+	ctx->sz += n;+	*bits = cpu_to_be64(ctx->sz << 3);+}++static inline void cryptonite_sha256_select_digest(const struct sha256_ctx *ctx, uint8_t *out, uint32_t out_mask)+{+	uint32_t i;+	for (i = 0; i < 8; i++)+		xor_be32(out+4*i, ctx->h[i] & out_mask);+}++#include <cryptonite_hash_prefix.c>
cbits/cryptonite_sha256.h view
@@ -47,9 +47,11 @@ void cryptonite_sha224_init(struct sha224_ctx *ctx); void cryptonite_sha224_update(struct sha224_ctx *ctx, const uint8_t *data, uint32_t len); void cryptonite_sha224_finalize(struct sha224_ctx *ctx, uint8_t *out);+void cryptonite_sha224_finalize_prefix(struct sha224_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out);  void cryptonite_sha256_init(struct sha256_ctx *ctx); void cryptonite_sha256_update(struct sha256_ctx *ctx, const uint8_t *data, uint32_t len); void cryptonite_sha256_finalize(struct sha256_ctx *ctx, uint8_t *out);+void cryptonite_sha256_finalize_prefix(struct sha256_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out);  #endif
cbits/cryptonite_sha3.c view
@@ -99,8 +99,11 @@ }  /*- * Initialize a SHA-3 / SHAKE context: hashlen is the security level (and- * half the capacity) in bits+ * Initialize a SHA-3 / SHAKE / cSHAKE context: hashlen is the security level+ * (and half the capacity) in bits.+ *+ * In case of cSHAKE, the message prefix with encoded N and S must be added with+ * cryptonite_sha3_update.  */ void cryptonite_sha3_init(struct sha3_ctx *ctx, uint32_t hashlen) {@@ -110,7 +113,7 @@ 	ctx->bufsz = bufsz; } -/* Update a SHA-3 / SHAKE context */+/* Update a SHA-3 / SHAKE / cSHAKE context */ void cryptonite_sha3_update(struct sha3_ctx *ctx, const uint8_t *data, uint32_t len) { 	uint32_t to_fill;@@ -135,8 +138,8 @@ 		uint64_t tramp[SHA3_BUF_SIZE_MAX/8]; 		ASSERT_ALIGNMENT(tramp, 8); 		for (; len >= ctx->bufsz; len -= ctx->bufsz, data += ctx->bufsz) {-			memcpy(tramp, data, ctx->bufsz / 8);-			sha3_do_chunk(ctx->state, (uint64_t *) data, ctx->bufsz / 8);+			memcpy(tramp, data, ctx->bufsz);+			sha3_do_chunk(ctx->state, tramp, ctx->bufsz / 8); 		} 	} else { 		/* process as much ctx->bufsz-block */@@ -171,7 +174,7 @@ }  /*- * Extract some bytes from a finalized SHA-3 / SHAKE context.+ * Extract some bytes from a finalized SHA-3 / SHAKE / cSHAKE context.  * May be called multiple times.  */ void cryptonite_sha3_output(struct sha3_ctx *ctx, uint8_t *out, uint32_t len)@@ -224,6 +227,12 @@ void cryptonite_sha3_finalize_shake(struct sha3_ctx *ctx) { 	cryptonite_sha3_finalize_with_pad_byte(ctx, 0x1F);+}++/* Finalize a cSHAKE context. Output is read using cryptonite_sha3_output. */+void cryptonite_sha3_finalize_cshake(struct sha3_ctx *ctx)+{+	cryptonite_sha3_finalize_with_pad_byte(ctx, 0x04); }  void cryptonite_keccak_init(struct sha3_ctx *ctx, uint32_t hashlen)
cbits/cryptonite_sha3.h view
@@ -57,6 +57,7 @@ void cryptonite_sha3_finalize(struct sha3_ctx *ctx, uint32_t hashlen, uint8_t *out);  void cryptonite_sha3_finalize_shake(struct sha3_ctx *ctx);+void cryptonite_sha3_finalize_cshake(struct sha3_ctx *ctx); void cryptonite_sha3_output(struct sha3_ctx *ctx, uint8_t *out, uint32_t len);  void cryptonite_keccak_init(struct sha3_ctx *ctx, uint32_t hashlen);
cbits/cryptonite_sha512.c view
@@ -24,6 +24,7 @@  #include <string.h> #include "cryptonite_bitfn.h"+#include "cryptonite_align.h" #include "cryptonite_sha512.h"  void cryptonite_sha384_init(struct sha512_ctx *ctx)@@ -153,9 +154,18 @@ 		index = 0; 	} -	/* process as much 128-block as possible */-	for (; len >= 128; len -= 128, data += 128)-		sha512_do_chunk(ctx, (uint64_t *) data);+	if (need_alignment(data, 8)) {+		uint64_t tramp[16];+		ASSERT_ALIGNMENT(tramp, 8);+		for (; len >= 128; len -= 128, data += 128) {+			memcpy(tramp, data, 128);+			sha512_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 128-block as possible */+		for (; len >= 128; len -= 128, data += 128)+			sha512_do_chunk(ctx, (uint64_t *) data);+	}  	/* append data into buf */ 	if (len)@@ -170,12 +180,19 @@ 	memcpy(out, intermediate, SHA384_DIGEST_SIZE); } +void cryptonite_sha384_finalize_prefix(struct sha384_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out)+{+	uint8_t intermediate[SHA512_DIGEST_SIZE];++	cryptonite_sha512_finalize_prefix(ctx, data, len, n, intermediate);+	memcpy(out, intermediate, SHA384_DIGEST_SIZE);+}+ void cryptonite_sha512_finalize(struct sha512_ctx *ctx, uint8_t *out) { 	static uint8_t padding[128] = { 0x80, }; 	uint32_t i, index, padlen; 	uint64_t bits[2];-	uint64_t *p = (uint64_t *) out;  	/* cpu -> big endian */ 	bits[0] = cpu_to_be64((ctx->sz[1] << 3 | ctx->sz[0] >> 61));@@ -191,8 +208,40 @@  	/* store to digest */ 	for (i = 0; i < 8; i++)-		p[i] = cpu_to_be64(ctx->h[i]);+		store_be64(out+8*i, ctx->h[i]); }++#define HASHED(m) SHA512_##m+#define HASHED_LOWER(m) sha512_##m+#define CRYPTONITE_HASHED(m) cryptonite_sha512_##m+#define SHA512_BLOCK_SIZE 128+#define SHA512_BITS_ELEMS 2++#include <cryptonite_hash_prefix.h>++static inline uint32_t cryptonite_sha512_get_index(const struct sha512_ctx *ctx)+{+	return (uint32_t) (ctx->sz[0] & 0x7f);+}++static inline void cryptonite_sha512_incr_sz(struct sha512_ctx *ctx, uint64_t *bits, uint32_t n)+{+	ctx->sz[0] += n;+	ctx->sz[1] += 1 & constant_time_lt_64(ctx->sz[0], n);+	bits[0] = cpu_to_be64((ctx->sz[1] << 3 | ctx->sz[0] >> 61));+	bits[1] = cpu_to_be64((ctx->sz[0] << 3));+}++static inline void cryptonite_sha512_select_digest(const struct sha512_ctx *ctx, uint8_t *out, uint32_t out_mask)+{+	uint32_t i;+	uint64_t out_mask_64 = out_mask;+	out_mask_64 |= out_mask_64 << 32;+	for (i = 0; i < 8; i++)+		xor_be64(out+8*i, ctx->h[i] & out_mask_64);+}++#include <cryptonite_hash_prefix.c>  #include <stdio.h> 
cbits/cryptonite_sha512.h view
@@ -46,10 +46,12 @@ void cryptonite_sha384_init(struct sha384_ctx *ctx); void cryptonite_sha384_update(struct sha384_ctx *ctx, const uint8_t *data, uint32_t len); void cryptonite_sha384_finalize(struct sha384_ctx *ctx, uint8_t *out);+void cryptonite_sha384_finalize_prefix(struct sha384_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out);  void cryptonite_sha512_init(struct sha512_ctx *ctx); void cryptonite_sha512_update(struct sha512_ctx *ctx, const uint8_t *data, uint32_t len); void cryptonite_sha512_finalize(struct sha512_ctx *ctx, uint8_t *out);+void cryptonite_sha512_finalize_prefix(struct sha512_ctx *ctx, const uint8_t *data, uint32_t len, uint32_t n, uint8_t *out);  /* only multiples of 8 are supported as valid t values */ void cryptonite_sha512t_init(struct sha512_ctx *ctx, uint32_t hashlen);
cbits/cryptonite_skein256.c view
@@ -26,6 +26,7 @@ #include "cryptonite_skein.h" #include "cryptonite_skein256.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h"  static const uint8_t K256_0[2] = { 14, 16, }; static const uint8_t K256_1[2] = { 52, 57, };@@ -143,9 +144,18 @@ 		ctx->bufindex = 0; 	} -	/* process as much 32-block as possible except the last one in case we finalize */-	for (; len > 32; len -= 32, data += 32)-		skein256_do_chunk(ctx, (uint64_t *) data, 32);+	if (need_alignment(data, 8)) {+		uint64_t tramp[4];+		ASSERT_ALIGNMENT(tramp, 8);+		for (; len > 32; len -= 32, data += 32) {+			memcpy(tramp, data, 32);+			skein256_do_chunk(ctx, tramp, 32);+		}+	} else {+		/* process as much 32-block as possible except the last one in case we finalize */+		for (; len > 32; len -= 32, data += 32)+			skein256_do_chunk(ctx, (uint64_t *) data, 32);+	}  	/* append data into buf */ 	if (len) {@@ -157,7 +167,6 @@ void cryptonite_skein256_finalize(struct skein256_ctx *ctx, uint32_t hashlen, uint8_t *out) { 	uint32_t outsize;-	uint64_t *p = (uint64_t *) out; 	uint64_t x[4]; 	int i, j, n; 
cbits/cryptonite_skein512.c view
@@ -26,6 +26,7 @@ #include "cryptonite_skein.h" #include "cryptonite_skein512.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h"  static const uint8_t K512_0[4] = { 46, 36, 19, 37, }; static const uint8_t K512_1[4] = { 33, 27, 14, 42, };@@ -161,9 +162,18 @@ 		ctx->bufindex = 0; 	} -	/* process as much 64-block as possible except the last one in case we finalize */-	for (; len > 64; len -= 64, data += 64)-		skein512_do_chunk(ctx, (uint64_t *) data, 64);+	if (need_alignment(data, 8)) {+		uint64_t tramp[8];+		ASSERT_ALIGNMENT(tramp, 8);+		for (; len > 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			skein512_do_chunk(ctx, tramp, 64);+		}+	} else {+		/* process as much 64-block as possible except the last one in case we finalize */+		for (; len > 64; len -= 64, data += 64)+			skein512_do_chunk(ctx, (uint64_t *) data, 64);+	}  	/* append data into buf */ 	if (len) {@@ -175,7 +185,6 @@ void cryptonite_skein512_finalize(struct skein512_ctx *ctx, uint32_t hashlen, uint8_t *out) { 	uint32_t outsize;-	uint64_t *p = (uint64_t *) out; 	uint64_t x[8]; 	int i, j, n; 
cbits/cryptonite_tiger.c view
@@ -25,6 +25,7 @@ #include <string.h> #include "cryptonite_tiger.h" #include "cryptonite_bitfn.h"+#include "cryptonite_align.h"  static const uint64_t t1[256] = { 	0x02aab17cf7e90c5eULL,0xac424b03e243a8ecULL,0x72cd5be30dd5fcd3ULL,0x6d019b93f6f97f3aULL,@@ -381,9 +382,18 @@ 		index = 0; 	} -	/* process as much 64-block as possible */-	for (; len >= 64; len -= 64, data += 64)-		tiger_do_chunk(ctx, (uint64_t *) data);+	if (need_alignment(data, 8)) {+		uint64_t tramp[8];+		ASSERT_ALIGNMENT(tramp, 8);+		for (; len >= 64; len -= 64, data += 64) {+			memcpy(tramp, data, 64);+			tiger_do_chunk(ctx, tramp);+		}+	} else {+		/* process as much 64-block as possible */+		for (; len >= 64; len -= 64, data += 64)+			tiger_do_chunk(ctx, (uint64_t *) data);+	}  	/* append data into buf */ 	if (len)@@ -395,7 +405,6 @@ 	static uint8_t padding[64] = { 0x01, }; 	uint64_t bits; 	uint32_t index, padlen;-	uint64_t *p = (uint64_t *) out;  	/* add padding and update data with it */ 	bits = cpu_to_le64(ctx->sz << 3);@@ -409,7 +418,7 @@ 	cryptonite_tiger_update(ctx, (uint8_t *) &bits, sizeof(bits));  	/* output hash */-	p[0] = cpu_to_le64(ctx->h[0]);-	p[1] = cpu_to_le64(ctx->h[1]);-	p[2] = cpu_to_le64(ctx->h[2]);+	store_le64(out   , ctx->h[0]);+	store_le64(out+ 8, ctx->h[1]);+	store_le64(out+16, ctx->h[2]); }
cbits/cryptonite_whirlpool.c view
@@ -777,7 +777,6 @@ 	uint64_t K[8];        /* the round key */ 	uint64_t block[8];    /* mu(buffer) */ 	uint64_t state[8];    /* the cipher state */-	uint64_t L[8]; 	uint8_t *buffer = ctx->buffer;  	/*
cbits/cryptonite_xsalsa.c view
@@ -30,13 +30,9 @@ #include <stdint.h> #include <string.h> #include "cryptonite_xsalsa.h"+#include "cryptonite_align.h" #include "cryptonite_bitfn.h" -static inline uint32_t load32(const uint8_t *p)-{-  return le32_to_cpu(*((uint32_t *) p));-}- /* XSalsa20 algorithm as described in https://cr.yp.to/snuffle/xsalsa-20081128.pdf */ void cryptonite_xsalsa_init(cryptonite_salsa_context *ctx, uint8_t nb_rounds,                             uint32_t keylen, const uint8_t *key,@@ -51,13 +47,27 @@        (x6, x7, x8, x9) is the first 128 bits of a 192-bit nonce   */   cryptonite_salsa_init_core(&ctx->st, keylen, key, 8, iv);-  ctx->st.d[ 8] = load32(iv + 8);-  ctx->st.d[ 9] = load32(iv + 12); +  /* Continue initialization in a separate function that may also+     be called independently */+  cryptonite_xsalsa_derive(ctx, ivlen - 8, iv + 8);+}++void cryptonite_xsalsa_derive(cryptonite_salsa_context *ctx,+                              uint32_t ivlen, const uint8_t *iv)+{+  /* Finish creating initial 512-bit input block:+       (x6, x7, x8, x9) is the first 128 bits of a 192-bit nonce++     Except iv has been shifted by 64 bits so there are now only 128 bits ahead.+  */+  ctx->st.d[ 8] += load_le32(iv + 0);+  ctx->st.d[ 9] += load_le32(iv + 4);+   /* Compute (z0, z1, . . . , z15) = doubleround ^(r/2) (x0, x1, . . . , x15) */   block hSalsa;   memset(&hSalsa, 0, sizeof(block));-  cryptonite_salsa_core_xor(nb_rounds, &hSalsa, &ctx->st);+  cryptonite_salsa_core_xor(ctx->nb_rounds, &hSalsa, &ctx->st);     /* Build a new 512-bit input block (x′0, x′1, . . . , x′15):        (x′0, x′5, x′10, x′15) is the Salsa20 constant@@ -73,8 +83,8 @@   ctx->st.d[12] = hSalsa.d[ 7] - ctx->st.d[ 7];   ctx->st.d[13] = hSalsa.d[ 8] - ctx->st.d[ 8];   ctx->st.d[14] = hSalsa.d[ 9] - ctx->st.d[ 9];-  ctx->st.d[ 6] = load32(iv + 16);-  ctx->st.d[ 7] = load32(iv + 20);+  ctx->st.d[ 6] = load_le32(iv + 8);+  ctx->st.d[ 7] = load_le32(iv + 12);   ctx->st.d[ 8] = 0;   ctx->st.d[ 9] = 0; }
cbits/cryptonite_xsalsa.h view
@@ -33,5 +33,6 @@ #include "cryptonite_salsa.h"  void cryptonite_xsalsa_init(cryptonite_salsa_context *ctx, uint8_t nb_rounds, uint32_t keylen, const uint8_t *key, uint32_t ivlen, const uint8_t *iv);+void cryptonite_xsalsa_derive(cryptonite_salsa_context *ctx, uint32_t ivlen, const uint8_t *iv);  #endif
+ cbits/decaf/ed448goldilocks/decaf.c view
@@ -0,0 +1,1642 @@+/**+ * @file ed448goldilocks/decaf.c+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief Decaf high-level functions.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */+#define _XOPEN_SOURCE 600 /* for posix_memalign */+#include "word.h"+#include "field.h"++#include <decaf.h>+#include <decaf/ed448.h>++/* Template stuff */+#define API_NS(_id) cryptonite_decaf_448_##_id+#define SCALAR_BITS CRYPTONITE_DECAF_448_SCALAR_BITS+#define SCALAR_SER_BYTES CRYPTONITE_DECAF_448_SCALAR_BYTES+#define SCALAR_LIMBS CRYPTONITE_DECAF_448_SCALAR_LIMBS+#define scalar_t API_NS(scalar_t)+#define point_t API_NS(point_t)+#define precomputed_s API_NS(precomputed_s)+#define IMAGINE_TWIST 0+#define COFACTOR 4++/* Comb config: number of combs, n, t, s. */+#define COMBS_N 5+#define COMBS_T 5+#define COMBS_S 18+#define CRYPTONITE_DECAF_WINDOW_BITS 5+#define CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS 5+#define CRYPTONITE_DECAF_WNAF_VAR_TABLE_BITS 3++#define EDDSA_USE_SIGMA_ISOGENY 0++static const int EDWARDS_D = -39081;+static const scalar_t point_scalarmul_adjustment = {{{+    SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)+}}}, precomputed_scalarmul_adjustment = {{{+    SC_LIMB(0xc873d6d54a7bb0cf), SC_LIMB(0xe933d8d723a70aad), SC_LIMB(0xbb124b65129c96fd), SC_LIMB(0x00000008335dc163)+}}};++const uint8_t cryptonite_decaf_x448_base_point[CRYPTONITE_DECAF_X448_PUBLIC_BYTES] = { 0x05 };++#if COFACTOR==8 || EDDSA_USE_SIGMA_ISOGENY+    static const gf SQRT_ONE_MINUS_D = {FIELD_LITERAL(+        /* NONE */+    )};+#endif++/* End of template stuff */++/* Sanity */+#if (COFACTOR == 8) && !IMAGINE_TWIST && !UNSAFE_CURVE_HAS_POINTS_AT_INFINITY+/* FUTURE MAGIC: Curve41417 doesn't have these properties. */+#error "Currently require IMAGINE_TWIST (and thus p=5 mod 8) for cofactor 8"+        /* OK, but why?+         * Two reasons: #1: There are bugs when COFACTOR == && IMAGINE_TWIST+         # #2: +         */+#endif++#if IMAGINE_TWIST && (P_MOD_8 != 5)+    #error "Cannot use IMAGINE_TWIST except for p == 5 mod 8"+#endif++#if (COFACTOR != 8) && (COFACTOR != 4)+    #error "COFACTOR must be 4 or 8"+#endif+ +#if IMAGINE_TWIST+    extern const gf SQRT_MINUS_ONE;+#endif++#define WBITS CRYPTONITE_DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */++extern const point_t API_NS(point_base);++/* Projective Niels coordinates */+typedef struct { gf a, b, c; } niels_s, niels_t[1];+typedef struct { niels_t n; gf z; } VECTOR_ALIGNED pniels_s, pniels_t[1];++/* Precomputed base */+struct precomputed_s { niels_t table [COMBS_N<<(COMBS_T-1)]; };++extern const gf API_NS(precomputed_base_as_fe)[];+const precomputed_s *API_NS(precomputed_base) =+    (const precomputed_s *) &API_NS(precomputed_base_as_fe);++const size_t API_NS(sizeof_precomputed_s) = sizeof(precomputed_s);+const size_t API_NS(alignof_precomputed_s) = sizeof(big_register_t);++/** Inverse. */+static void+cryptonite_gf_invert(gf y, const gf x, int assert_nonzero) {+    gf t1, t2;+    cryptonite_gf_sqr(t1, x); // o^2+    mask_t ret = cryptonite_gf_isr(t2, t1); // +-1/sqrt(o^2) = +-1/o+    (void)ret;+    if (assert_nonzero) assert(ret);+    cryptonite_gf_sqr(t1, t2);+    cryptonite_gf_mul(t2, t1, x); // not direct to y in case of alias.+    cryptonite_gf_copy(y, t2);+}++/** Return high bit of x = low bit of 2x mod p */+static mask_t cryptonite_gf_lobit(const gf x) {+    gf y;+    cryptonite_gf_copy(y,x);+    cryptonite_gf_strong_reduce(y);+    return -(y->limb[0]&1);+}++/** identity = (0,1) */+const point_t API_NS(point_identity) = {{{{{0}}},{{{1}}},{{{1}}},{{{0}}}}};++void API_NS(deisogenize) (+    cryptonite_gf_s *__restrict__ s,+    cryptonite_gf_s *__restrict__ minus_t_over_s,+    const point_t p,+    mask_t toggle_hibit_s,+    mask_t toggle_hibit_t_over_s,+    mask_t toggle_rotation+);++void API_NS(deisogenize) (+    cryptonite_gf_s *__restrict__ s,+    cryptonite_gf_s *__restrict__ minus_t_over_s,+    const point_t p,+    mask_t toggle_hibit_s,+    mask_t toggle_hibit_t_over_s,+    mask_t toggle_rotation+) {+#if COFACTOR == 4 && !IMAGINE_TWIST+    (void) toggle_rotation;+    +    gf b, d;+    cryptonite_gf_s *c = s, *a = minus_t_over_s;+    cryptonite_gf_mulw(a, p->y, 1-EDWARDS_D);+    cryptonite_gf_mul(c, a, p->t);     /* -dYT, with EDWARDS_D = d-1 */+    cryptonite_gf_mul(a, p->x, p->z); +    cryptonite_gf_sub(d, c, a);  /* aXZ-dYT with a=-1 */+    cryptonite_gf_add(a, p->z, p->y); +    cryptonite_gf_sub(b, p->z, p->y); +    cryptonite_gf_mul(c, b, a);+    cryptonite_gf_mulw(b, c, -EDWARDS_D); /* (a-d)(Z+Y)(Z-Y) */+    mask_t ok = cryptonite_gf_isr (a,b); /* r in the paper */+    (void)ok; assert(ok | cryptonite_gf_eq(b,ZERO));+    cryptonite_gf_mulw (b, a, -EDWARDS_D); /* u in the paper */++    cryptonite_gf_mul(c,a,d); /* r(aZX-dYT) */+    cryptonite_gf_mul(a,b,p->z); /* uZ */+    cryptonite_gf_add(a,a,a); /* 2uZ */+    +    mask_t tg = toggle_hibit_t_over_s ^ ~cryptonite_gf_hibit(minus_t_over_s);+    cryptonite_gf_cond_neg(minus_t_over_s, tg); /* t/s <-? -t/s */+    cryptonite_gf_cond_neg(c, tg); /* u <- -u if negative. */+    +    cryptonite_gf_add(d,c,p->y);+    cryptonite_gf_mul(s,b,d);+    cryptonite_gf_cond_neg(s, toggle_hibit_s ^ cryptonite_gf_hibit(s));+#else+    /* More complicated because of rotation */+    /* MAGIC This code is wrong for certain non-Curve25519 curves;+     * check if it's because of Cofactor==8 or IMAGINE_TWIST */+    +    gf c, d;+    cryptonite_gf_s *b = s, *a = minus_t_over_s;++    #if IMAGINE_TWIST+        gf x, t;+        cryptonite_gf_div_qnr(x,p->x);+        cryptonite_gf_div_qnr(t,p->t);+        cryptonite_gf_add ( a, p->z, x );+        cryptonite_gf_sub ( b, p->z, x );+        cryptonite_gf_mul ( c, a, b ); /* "zx" = Z^2 - aX^2 = Z^2 - X^2 */+    #else+        const cryptonite_gf_s *x = p->x, *t = p->t;+        cryptonite_gf_sqr ( a, p->z );+        cryptonite_gf_sqr ( b, p->x );+        cryptonite_gf_add ( c, a, b ); /* "zx" = Z^2 - aX^2 = Z^2 + X^2 */+    #endif+    /* Here: c = "zx" in the SAGE code = Z^2 - aX^2 */+    +    cryptonite_gf_mul ( a, p->z, t ); /* "tz" = T*Z */+    cryptonite_gf_sqr ( b, a );+    cryptonite_gf_mul ( d, b, c ); /* (TZ)^2 * (Z^2-aX^2) */+    mask_t ok = cryptonite_gf_isr(b, d);+    (void)ok; assert(ok | cryptonite_gf_eq(d,ZERO));+    cryptonite_gf_mul ( d, b, a ); /* "osx" = 1 / sqrt(z^2-ax^2) */+    cryptonite_gf_mul ( a, b, c ); +    cryptonite_gf_mul ( b, a, d ); /* 1/tz */++    mask_t rotate;+    #if (COFACTOR == 8)+        gf e;+        cryptonite_gf_sqr(e, p->z);+        cryptonite_gf_mul(a, e, b); /* z^2 / tz = z/t = 1/xy */+        rotate = cryptonite_gf_hibit(a) ^ toggle_rotation;+        /* Curve25519: cond select between zx * 1/tz or sqrt(1-d); y=-x */+        cryptonite_gf_mul ( a, b, c ); +        cryptonite_gf_cond_sel ( a, a, SQRT_ONE_MINUS_D, rotate );+        cryptonite_gf_cond_sel ( e, p->y, x, rotate );+    #else+        const cryptonite_gf_s *e = x;+        (void)toggle_rotation;+        rotate = 0;+    #endif+    +    cryptonite_gf_mul ( c, a, d ); // new "osx"+    cryptonite_gf_mul ( a, c, p->z );+    cryptonite_gf_add ( minus_t_over_s, a, a ); // 2 * "osx" * Z+    cryptonite_gf_mul ( d, b, p->z );+    +    mask_t tg = toggle_hibit_t_over_s ^~ cryptonite_gf_hibit(minus_t_over_s);+    cryptonite_gf_cond_neg ( minus_t_over_s, tg );+    cryptonite_gf_cond_neg ( c, rotate ^ tg );+    cryptonite_gf_add ( d, d, c );+    cryptonite_gf_mul ( s, d, e ); /* here "x" = y unless rotate */+    cryptonite_gf_cond_neg ( s, toggle_hibit_s ^ cryptonite_gf_hibit(s) );+#endif+}++void API_NS(point_encode)( unsigned char ser[SER_BYTES], const point_t p ) {+    gf s, mtos;+    API_NS(deisogenize)(s,mtos,p,0,0,0);+    cryptonite_gf_serialize(ser,s,0);+}++cryptonite_decaf_error_t API_NS(point_decode) (+    point_t p,+    const unsigned char ser[SER_BYTES],+    cryptonite_decaf_bool_t allow_identity+) {+    gf s, a, b, c, d, e, f;+    mask_t succ = cryptonite_gf_deserialize(s, ser, 0);+    mask_t zero = cryptonite_gf_eq(s, ZERO);+    succ &= bool_to_mask(allow_identity) | ~zero;+    cryptonite_gf_sqr ( a, s ); /* s^2 */+#if IMAGINE_TWIST+    cryptonite_gf_sub ( f, ONE, a ); /* f = 1-as^2 = 1-s^2*/+#else+    cryptonite_gf_add ( f, ONE, a ); /* f = 1-as^2 = 1+s^2 */+#endif+    succ &= ~ cryptonite_gf_eq( f, ZERO );+    cryptonite_gf_sqr ( b, f );  /* (1-as^2)^2 = 1 - 2as^2 + a^2 s^4 */+    cryptonite_gf_mulw ( c, a, 4*IMAGINE_TWIST-4*EDWARDS_D ); +    cryptonite_gf_add ( c, c, b ); /* t^2 = 1 + (2a-4d) s^2 + s^4 */+    cryptonite_gf_mul ( d, f, s ); /* s * (1-as^2) for denoms */+    cryptonite_gf_sqr ( e, d );    /* s^2 * (1-as^2)^2 */+    cryptonite_gf_mul ( b, c, e ); /* t^2 * s^2 * (1-as^2)^2 */+    +    succ &= cryptonite_gf_isr(e,b) | cryptonite_gf_eq(b,ZERO); /* e = 1/(t s (1-as^2)) */+    cryptonite_gf_mul ( b, e, d ); /* 1 / t */+    cryptonite_gf_mul ( d, e, c ); /* t / (s(1-as^2)) */+    cryptonite_gf_mul ( e, d, f ); /* t / s */+    mask_t negtos = cryptonite_gf_hibit(e);+    cryptonite_gf_cond_neg(b, negtos);+    cryptonite_gf_cond_neg(d, negtos);++#if IMAGINE_TWIST+    cryptonite_gf_add ( p->z, ONE, a); /* Z = 1+as^2 = 1-s^2 */+#else+    cryptonite_gf_sub ( p->z, ONE, a); /* Z = 1+as^2 = 1-s^2 */+#endif++#if COFACTOR == 8+    cryptonite_gf_mul ( a, p->z, d); /* t(1+s^2) / s(1-s^2) = 2/xy */+    succ &= ~cryptonite_gf_lobit(a); /* = ~cryptonite_gf_hibit(a/2), since cryptonite_gf_hibit(x) = cryptonite_gf_lobit(2x) */+#endif+    +    cryptonite_gf_mul ( a, f, b ); /* y = (1-s^2) / t */+    cryptonite_gf_mul ( p->y, p->z, a ); /* Y = yZ */+#if IMAGINE_TWIST+    cryptonite_gf_add ( b, s, s );+    cryptonite_gf_mul(p->x, b, SQRT_MINUS_ONE); /* Curve25519 */+#else+    cryptonite_gf_add ( p->x, s, s );+#endif+    cryptonite_gf_mul ( p->t, p->x, a ); /* T = 2s (1-as^2)/t */+    +#if UNSAFE_CURVE_HAS_POINTS_AT_INFINITY+    /* This can't happen for any of the supported configurations.+     *+     * If it can happen (because s=1), it's because the curve has points+     * at infinity, which means that there may be critical security bugs+     * elsewhere in the library.  In that case, it's better that you hit+     * the assertion in point_valid, which will happen in the test suite+     * since it tests s=1.+     *+     * This debugging option is to allow testing of IMAGINE_TWIST = 0 on+     * Ed25519, without hitting that assertion.  Don't use it in+     * production.+     */+    succ &= ~cryptonite_gf_eq(p->z,ZERO);+#endif+    +    p->y->limb[0] -= zero;+    assert(API_NS(point_valid)(p) | ~succ);+    +    return cryptonite_decaf_succeed_if(mask_to_bool(succ));+}++#if IMAGINE_TWIST+#define TWISTED_D (-(EDWARDS_D))+#else+#define TWISTED_D ((EDWARDS_D)-1)+#endif++#if TWISTED_D < 0+#define EFF_D (-(TWISTED_D))+#define NEG_D 1+#else+#define EFF_D TWISTED_D+#define NEG_D 0+#endif++void API_NS(point_sub) (+    point_t p,+    const point_t q,+    const point_t r+) {+    gf a, b, c, d;+    cryptonite_gf_sub_nr ( b, q->y, q->x ); /* 3+e */+    cryptonite_gf_sub_nr ( d, r->y, r->x ); /* 3+e */+    cryptonite_gf_add_nr ( c, r->y, r->x ); /* 2+e */+    cryptonite_gf_mul ( a, c, b );+    cryptonite_gf_add_nr ( b, q->y, q->x ); /* 2+e */+    cryptonite_gf_mul ( p->y, d, b );+    cryptonite_gf_mul ( b, r->t, q->t );+    cryptonite_gf_mulw ( p->x, b, 2*EFF_D );+    cryptonite_gf_add_nr ( b, a, p->y );    /* 2+e */+    cryptonite_gf_sub_nr ( c, p->y, a );    /* 3+e */+    cryptonite_gf_mul ( a, q->z, r->z );+    cryptonite_gf_add_nr ( a, a, a );       /* 2+e */+    if (GF_HEADROOM <= 3) cryptonite_gf_weak_reduce(a); /* or 1+e */+#if NEG_D+    cryptonite_gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */+    cryptonite_gf_add_nr ( a, a, p->x );    /* 3+e or 2+e */+#else+    cryptonite_gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */+    cryptonite_gf_sub_nr ( a, a, p->x );    /* 4+e or 3+e */+#endif+    cryptonite_gf_mul ( p->z, a, p->y );+    cryptonite_gf_mul ( p->x, p->y, c );+    cryptonite_gf_mul ( p->y, a, b );+    cryptonite_gf_mul ( p->t, b, c );+}+    +void API_NS(point_add) (+    point_t p,+    const point_t q,+    const point_t r+) {+    gf a, b, c, d;+    cryptonite_gf_sub_nr ( b, q->y, q->x ); /* 3+e */+    cryptonite_gf_sub_nr ( c, r->y, r->x ); /* 3+e */+    cryptonite_gf_add_nr ( d, r->y, r->x ); /* 2+e */+    cryptonite_gf_mul ( a, c, b );+    cryptonite_gf_add_nr ( b, q->y, q->x ); /* 2+e */+    cryptonite_gf_mul ( p->y, d, b );+    cryptonite_gf_mul ( b, r->t, q->t );+    cryptonite_gf_mulw ( p->x, b, 2*EFF_D );+    cryptonite_gf_add_nr ( b, a, p->y );    /* 2+e */+    cryptonite_gf_sub_nr ( c, p->y, a );    /* 3+e */+    cryptonite_gf_mul ( a, q->z, r->z );+    cryptonite_gf_add_nr ( a, a, a );       /* 2+e */+    if (GF_HEADROOM <= 3) cryptonite_gf_weak_reduce(a); /* or 1+e */+#if NEG_D+    cryptonite_gf_add_nr ( p->y, a, p->x ); /* 3+e or 2+e */+    cryptonite_gf_sub_nr ( a, a, p->x );    /* 4+e or 3+e */+#else+    cryptonite_gf_sub_nr ( p->y, a, p->x ); /* 4+e or 3+e */+    cryptonite_gf_add_nr ( a, a, p->x );    /* 3+e or 2+e */+#endif+    cryptonite_gf_mul ( p->z, a, p->y );+    cryptonite_gf_mul ( p->x, p->y, c );+    cryptonite_gf_mul ( p->y, a, b );+    cryptonite_gf_mul ( p->t, b, c );+}++static CRYPTONITE_DECAF_NOINLINE void+point_double_internal (+    point_t p,+    const point_t q,+    int before_double+) {+    gf a, b, c, d;+    cryptonite_gf_sqr ( c, q->x );+    cryptonite_gf_sqr ( a, q->y );+    cryptonite_gf_add_nr ( d, c, a );             /* 2+e */+    cryptonite_gf_add_nr ( p->t, q->y, q->x );    /* 2+e */+    cryptonite_gf_sqr ( b, p->t );+    cryptonite_gf_subx_nr ( b, b, d, 3 );         /* 4+e */+    cryptonite_gf_sub_nr ( p->t, a, c );          /* 3+e */+    cryptonite_gf_sqr ( p->x, q->z );+    cryptonite_gf_add_nr ( p->z, p->x, p->x );    /* 2+e */+    cryptonite_gf_subx_nr ( a, p->z, p->t, 4 );   /* 6+e */+    if (GF_HEADROOM == 5) cryptonite_gf_weak_reduce(a); /* or 1+e */+    cryptonite_gf_mul ( p->x, a, b );+    cryptonite_gf_mul ( p->z, p->t, a );+    cryptonite_gf_mul ( p->y, p->t, d );+    if (!before_double) cryptonite_gf_mul ( p->t, b, d );+}++void API_NS(point_double)(point_t p, const point_t q) {+    point_double_internal(p,q,0);+}++void API_NS(point_negate) (+   point_t nega,+   const point_t a+) {+    cryptonite_gf_sub(nega->x, ZERO, a->x);+    cryptonite_gf_copy(nega->y, a->y);+    cryptonite_gf_copy(nega->z, a->z);+    cryptonite_gf_sub(nega->t, ZERO, a->t);+}++/* Operations on [p]niels */+static CRYPTONITE_DECAF_INLINE void+cond_neg_niels (+    niels_t n,+    mask_t neg+) {+    cryptonite_gf_cond_swap(n->a, n->b, neg);+    cryptonite_gf_cond_neg(n->c, neg);+}++static CRYPTONITE_DECAF_NOINLINE void pt_to_pniels (+    pniels_t b,+    const point_t a+) {+    cryptonite_gf_sub ( b->n->a, a->y, a->x );+    cryptonite_gf_add ( b->n->b, a->x, a->y );+    cryptonite_gf_mulw ( b->n->c, a->t, 2*TWISTED_D );+    cryptonite_gf_add ( b->z, a->z, a->z );+}++static CRYPTONITE_DECAF_NOINLINE void pniels_to_pt (+    point_t e,+    const pniels_t d+) {+    gf eu;+    cryptonite_gf_add ( eu, d->n->b, d->n->a );+    cryptonite_gf_sub ( e->y, d->n->b, d->n->a );+    cryptonite_gf_mul ( e->t, e->y, eu);+    cryptonite_gf_mul ( e->x, d->z, e->y );+    cryptonite_gf_mul ( e->y, d->z, eu );+    cryptonite_gf_sqr ( e->z, d->z );+}++static CRYPTONITE_DECAF_NOINLINE void+niels_to_pt (+    point_t e,+    const niels_t n+) {+    cryptonite_gf_add ( e->y, n->b, n->a );+    cryptonite_gf_sub ( e->x, n->b, n->a );+    cryptonite_gf_mul ( e->t, e->y, e->x );+    cryptonite_gf_copy ( e->z, ONE );+}++static CRYPTONITE_DECAF_NOINLINE void+add_niels_to_pt (+    point_t d,+    const niels_t e,+    int before_double+) {+    gf a, b, c;+    cryptonite_gf_sub_nr ( b, d->y, d->x ); /* 3+e */+    cryptonite_gf_mul ( a, e->a, b );+    cryptonite_gf_add_nr ( b, d->x, d->y ); /* 2+e */+    cryptonite_gf_mul ( d->y, e->b, b );+    cryptonite_gf_mul ( d->x, e->c, d->t );+    cryptonite_gf_add_nr ( c, a, d->y );    /* 2+e */+    cryptonite_gf_sub_nr ( b, d->y, a );    /* 3+e */+    cryptonite_gf_sub_nr ( d->y, d->z, d->x ); /* 3+e */+    cryptonite_gf_add_nr ( a, d->x, d->z ); /* 2+e */+    cryptonite_gf_mul ( d->z, a, d->y );+    cryptonite_gf_mul ( d->x, d->y, b );+    cryptonite_gf_mul ( d->y, a, c );+    if (!before_double) cryptonite_gf_mul ( d->t, b, c );+}++static CRYPTONITE_DECAF_NOINLINE void+sub_niels_from_pt (+    point_t d,+    const niels_t e,+    int before_double+) {+    gf a, b, c;+    cryptonite_gf_sub_nr ( b, d->y, d->x ); /* 3+e */+    cryptonite_gf_mul ( a, e->b, b );+    cryptonite_gf_add_nr ( b, d->x, d->y ); /* 2+e */+    cryptonite_gf_mul ( d->y, e->a, b );+    cryptonite_gf_mul ( d->x, e->c, d->t );+    cryptonite_gf_add_nr ( c, a, d->y );    /* 2+e */+    cryptonite_gf_sub_nr ( b, d->y, a );    /* 3+e */+    cryptonite_gf_add_nr ( d->y, d->z, d->x ); /* 2+e */+    cryptonite_gf_sub_nr ( a, d->z, d->x ); /* 3+e */+    cryptonite_gf_mul ( d->z, a, d->y );+    cryptonite_gf_mul ( d->x, d->y, b );+    cryptonite_gf_mul ( d->y, a, c );+    if (!before_double) cryptonite_gf_mul ( d->t, b, c );+}++static void+add_pniels_to_pt (+    point_t p,+    const pniels_t pn,+    int before_double+) {+    gf L0;+    cryptonite_gf_mul ( L0, p->z, pn->z );+    cryptonite_gf_copy ( p->z, L0 );+    add_niels_to_pt( p, pn->n, before_double );+}++static void+sub_pniels_from_pt (+    point_t p,+    const pniels_t pn,+    int before_double+) {+    gf L0;+    cryptonite_gf_mul ( L0, p->z, pn->z );+    cryptonite_gf_copy ( p->z, L0 );+    sub_niels_from_pt( p, pn->n, before_double );+}++static CRYPTONITE_DECAF_NOINLINE void+prepare_fixed_window(+    pniels_t *multiples,+    const point_t b,+    int ntable+) {+    point_t tmp;+    pniels_t pn;+    int i;+    +    point_double_internal(tmp, b, 0);+    pt_to_pniels(pn, tmp);+    pt_to_pniels(multiples[0], b);+    API_NS(point_copy)(tmp, b);+    for (i=1; i<ntable; i++) {+        add_pniels_to_pt(tmp, pn, 0);+        pt_to_pniels(multiples[i], tmp);+    }+    +    cryptonite_decaf_bzero(pn,sizeof(pn));+    cryptonite_decaf_bzero(tmp,sizeof(tmp));+}++void API_NS(point_scalarmul) (+    point_t a,+    const point_t b,+    const scalar_t scalar+) {+    const int WINDOW = CRYPTONITE_DECAF_WINDOW_BITS,+        WINDOW_MASK = (1<<WINDOW)-1,+        WINDOW_T_MASK = WINDOW_MASK >> 1,+        NTABLE = 1<<(WINDOW-1);+        +    scalar_t scalar1x;+    API_NS(scalar_add)(scalar1x, scalar, point_scalarmul_adjustment);+    API_NS(scalar_halve)(scalar1x,scalar1x);+    +    /* Set up a precomputed table with odd multiples of b. */+    pniels_t pn, multiples[NTABLE];+    point_t tmp;+    prepare_fixed_window(multiples, b, NTABLE);++    /* Initialize. */+    int i,j,first=1;+    i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;++    for (; i>=0; i-=WINDOW) {+        /* Fetch another block of bits */+        word_t bits = scalar1x->limb[i/WBITS] >> (i%WBITS);+        if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {+            bits ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));+        }+        bits &= WINDOW_MASK;+        mask_t inv = (bits>>(WINDOW-1))-1;+        bits ^= inv;+    +        /* Add in from table.  Compute t only on last iteration. */+        constant_time_lookup(pn, multiples, sizeof(pn), NTABLE, bits & WINDOW_T_MASK);+        cond_neg_niels(pn->n, inv);+        if (first) {+            pniels_to_pt(tmp, pn);+            first = 0;+        } else {+           /* Using Hisil et al's lookahead method instead of extensible here+            * for no particular reason.  Double WINDOW times, but only compute t on+            * the last one.+            */+            for (j=0; j<WINDOW-1; j++)+                point_double_internal(tmp, tmp, -1);+            point_double_internal(tmp, tmp, 0);+            add_pniels_to_pt(tmp, pn, i ? -1 : 0);+        }+    }+    +    /* Write out the answer */+    API_NS(point_copy)(a,tmp);+    +    cryptonite_decaf_bzero(scalar1x,sizeof(scalar1x));+    cryptonite_decaf_bzero(pn,sizeof(pn));+    cryptonite_decaf_bzero(multiples,sizeof(multiples));+    cryptonite_decaf_bzero(tmp,sizeof(tmp));+}++void API_NS(point_double_scalarmul) (+    point_t a,+    const point_t b,+    const scalar_t scalarb,+    const point_t c,+    const scalar_t scalarc+) {+    const int WINDOW = CRYPTONITE_DECAF_WINDOW_BITS,+        WINDOW_MASK = (1<<WINDOW)-1,+        WINDOW_T_MASK = WINDOW_MASK >> 1,+        NTABLE = 1<<(WINDOW-1);+        +    scalar_t scalar1x, scalar2x;+    API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment);+    API_NS(scalar_halve)(scalar1x,scalar1x);+    API_NS(scalar_add)(scalar2x, scalarc, point_scalarmul_adjustment);+    API_NS(scalar_halve)(scalar2x,scalar2x);+    +    /* Set up a precomputed table with odd multiples of b. */+    pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];+    point_t tmp;+    prepare_fixed_window(multiples1, b, NTABLE);+    prepare_fixed_window(multiples2, c, NTABLE);++    /* Initialize. */+    int i,j,first=1;+    i = SCALAR_BITS - ((SCALAR_BITS-1) % WINDOW) - 1;++    for (; i>=0; i-=WINDOW) {+        /* Fetch another block of bits */+        word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS),+                     bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS);+        if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {+            bits1 ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));+            bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS));+        }+        bits1 &= WINDOW_MASK;+        bits2 &= WINDOW_MASK;+        mask_t inv1 = (bits1>>(WINDOW-1))-1;+        mask_t inv2 = (bits2>>(WINDOW-1))-1;+        bits1 ^= inv1;+        bits2 ^= inv2;+    +        /* Add in from table.  Compute t only on last iteration. */+        constant_time_lookup(pn, multiples1, sizeof(pn), NTABLE, bits1 & WINDOW_T_MASK);+        cond_neg_niels(pn->n, inv1);+        if (first) {+            pniels_to_pt(tmp, pn);+            first = 0;+        } else {+           /* Using Hisil et al's lookahead method instead of extensible here+            * for no particular reason.  Double WINDOW times, but only compute t on+            * the last one.+            */+            for (j=0; j<WINDOW-1; j++)+                point_double_internal(tmp, tmp, -1);+            point_double_internal(tmp, tmp, 0);+            add_pniels_to_pt(tmp, pn, 0);+        }+        constant_time_lookup(pn, multiples2, sizeof(pn), NTABLE, bits2 & WINDOW_T_MASK);+        cond_neg_niels(pn->n, inv2);+        add_pniels_to_pt(tmp, pn, i?-1:0);+    }+    +    /* Write out the answer */+    API_NS(point_copy)(a,tmp);+    ++    cryptonite_decaf_bzero(scalar1x,sizeof(scalar1x));+    cryptonite_decaf_bzero(scalar2x,sizeof(scalar2x));+    cryptonite_decaf_bzero(pn,sizeof(pn));+    cryptonite_decaf_bzero(multiples1,sizeof(multiples1));+    cryptonite_decaf_bzero(multiples2,sizeof(multiples2));+    cryptonite_decaf_bzero(tmp,sizeof(tmp));+}++void API_NS(point_dual_scalarmul) (+    point_t a1,+    point_t a2,+    const point_t b,+    const scalar_t scalar1,+    const scalar_t scalar2+) {+    const int WINDOW = CRYPTONITE_DECAF_WINDOW_BITS,+        WINDOW_MASK = (1<<WINDOW)-1,+        WINDOW_T_MASK = WINDOW_MASK >> 1,+        NTABLE = 1<<(WINDOW-1);+        +    scalar_t scalar1x, scalar2x;+    API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment);+    API_NS(scalar_halve)(scalar1x,scalar1x);+    API_NS(scalar_add)(scalar2x, scalar2, point_scalarmul_adjustment);+    API_NS(scalar_halve)(scalar2x,scalar2x);+    +    /* Set up a precomputed table with odd multiples of b. */+    point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp;+    pniels_t pn;+    +    API_NS(point_copy)(working, b);++    /* Initialize. */+    int i,j;+    +    for (i=0; i<NTABLE; i++) {+        API_NS(point_copy)(multiples1[i], API_NS(point_identity));+        API_NS(point_copy)(multiples2[i], API_NS(point_identity));+    }++    for (i=0; i<SCALAR_BITS; i+=WINDOW) {   +        if (i) {+            for (j=0; j<WINDOW-1; j++)+                point_double_internal(working, working, -1);+            point_double_internal(working, working, 0);+        }+        +        /* Fetch another block of bits */+        word_t bits1 = scalar1x->limb[i/WBITS] >> (i%WBITS),+               bits2 = scalar2x->limb[i/WBITS] >> (i%WBITS);+        if (i%WBITS >= WBITS-WINDOW && i/WBITS<SCALAR_LIMBS-1) {+            bits1 ^= scalar1x->limb[i/WBITS+1] << (WBITS - (i%WBITS));+            bits2 ^= scalar2x->limb[i/WBITS+1] << (WBITS - (i%WBITS));+        }+        bits1 &= WINDOW_MASK;+        bits2 &= WINDOW_MASK;+        mask_t inv1 = (bits1>>(WINDOW-1))-1;+        mask_t inv2 = (bits2>>(WINDOW-1))-1;+        bits1 ^= inv1;+        bits2 ^= inv2;+        +        pt_to_pniels(pn, working);++        constant_time_lookup(tmp, multiples1, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK);+        cond_neg_niels(pn->n, inv1);+        /* add_pniels_to_pt(multiples1[bits1 & WINDOW_T_MASK], pn, 0); */+        add_pniels_to_pt(tmp, pn, 0);+        constant_time_insert(multiples1, tmp, sizeof(tmp), NTABLE, bits1 & WINDOW_T_MASK);+        +        +        constant_time_lookup(tmp, multiples2, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK);+        cond_neg_niels(pn->n, inv1^inv2);+        /* add_pniels_to_pt(multiples2[bits2 & WINDOW_T_MASK], pn, 0); */+        add_pniels_to_pt(tmp, pn, 0);+        constant_time_insert(multiples2, tmp, sizeof(tmp), NTABLE, bits2 & WINDOW_T_MASK);+    }+    +    if (NTABLE > 1) {+        API_NS(point_copy)(working, multiples1[NTABLE-1]);+        API_NS(point_copy)(tmp    , multiples2[NTABLE-1]);+    +        for (i=NTABLE-1; i>1; i--) {+            API_NS(point_add)(multiples1[i-1], multiples1[i-1], multiples1[i]);+            API_NS(point_add)(multiples2[i-1], multiples2[i-1], multiples2[i]);+            API_NS(point_add)(working, working, multiples1[i-1]);+            API_NS(point_add)(tmp,     tmp,     multiples2[i-1]);+        }+    +        API_NS(point_add)(multiples1[0], multiples1[0], multiples1[1]);+        API_NS(point_add)(multiples2[0], multiples2[0], multiples2[1]);+        point_double_internal(working, working, 0);+        point_double_internal(tmp,         tmp, 0);+        API_NS(point_add)(a1, working, multiples1[0]);+        API_NS(point_add)(a2, tmp,     multiples2[0]);+    } else {+        API_NS(point_copy)(a1, multiples1[0]);+        API_NS(point_copy)(a2, multiples2[0]);+    }++    cryptonite_decaf_bzero(scalar1x,sizeof(scalar1x));+    cryptonite_decaf_bzero(scalar2x,sizeof(scalar2x));+    cryptonite_decaf_bzero(pn,sizeof(pn));+    cryptonite_decaf_bzero(multiples1,sizeof(multiples1));+    cryptonite_decaf_bzero(multiples2,sizeof(multiples2));+    cryptonite_decaf_bzero(tmp,sizeof(tmp));+    cryptonite_decaf_bzero(working,sizeof(working));+}++cryptonite_decaf_bool_t API_NS(point_eq) ( const point_t p, const point_t q ) {+    /* equality mod 2-torsion compares x/y */+    gf a, b;+    cryptonite_gf_mul ( a, p->y, q->x );+    cryptonite_gf_mul ( b, q->y, p->x );+    mask_t succ = cryptonite_gf_eq(a,b);+    +    #if (COFACTOR == 8) && IMAGINE_TWIST+        cryptonite_gf_mul ( a, p->y, q->y );+        cryptonite_gf_mul ( b, q->x, p->x );+        #if !(IMAGINE_TWIST)+            cryptonite_gf_sub ( a, ZERO, a );+        #else+           /* Interesting note: the 4tor would normally be rotation.+            * But because of the *i twist, it's actually+            * (x,y) <-> (iy,ix)+            */+    +           /* No code, just a comment. */+        #endif+        succ |= cryptonite_gf_eq(a,b);+    #endif+    +    return mask_to_bool(succ);+}++cryptonite_decaf_bool_t API_NS(point_valid) (+    const point_t p+) {+    gf a,b,c;+    cryptonite_gf_mul(a,p->x,p->y);+    cryptonite_gf_mul(b,p->z,p->t);+    mask_t out = cryptonite_gf_eq(a,b);+    cryptonite_gf_sqr(a,p->x);+    cryptonite_gf_sqr(b,p->y);+    cryptonite_gf_sub(a,b,a);+    cryptonite_gf_sqr(b,p->t);+    cryptonite_gf_mulw(c,b,TWISTED_D);+    cryptonite_gf_sqr(b,p->z);+    cryptonite_gf_add(b,b,c);+    out &= cryptonite_gf_eq(a,b);+    out &= ~cryptonite_gf_eq(p->z,ZERO);+    return mask_to_bool(out);+}++void API_NS(point_debugging_torque) (+    point_t q,+    const point_t p+) {+#if COFACTOR == 8 && IMAGINE_TWIST+    gf tmp;+    cryptonite_gf_mul(tmp,p->x,SQRT_MINUS_ONE);+    cryptonite_gf_mul(q->x,p->y,SQRT_MINUS_ONE);+    cryptonite_gf_copy(q->y,tmp);+    cryptonite_gf_copy(q->z,p->z);+    cryptonite_gf_sub(q->t,ZERO,p->t);+#else+    cryptonite_gf_sub(q->x,ZERO,p->x);+    cryptonite_gf_sub(q->y,ZERO,p->y);+    cryptonite_gf_copy(q->z,p->z);+    cryptonite_gf_copy(q->t,p->t);+#endif+}++void API_NS(point_debugging_pscale) (+    point_t q,+    const point_t p,+    const uint8_t factor[SER_BYTES]+) {+    gf gfac,tmp;+    /* NB this means you'll never pscale by negative numbers for p521 */+    ignore_result(cryptonite_gf_deserialize(gfac,factor,0));+    cryptonite_gf_cond_sel(gfac,gfac,ONE,cryptonite_gf_eq(gfac,ZERO));+    cryptonite_gf_mul(tmp,p->x,gfac);+    cryptonite_gf_copy(q->x,tmp);+    cryptonite_gf_mul(tmp,p->y,gfac);+    cryptonite_gf_copy(q->y,tmp);+    cryptonite_gf_mul(tmp,p->z,gfac);+    cryptonite_gf_copy(q->z,tmp);+    cryptonite_gf_mul(tmp,p->t,gfac);+    cryptonite_gf_copy(q->t,tmp);+}++static void cryptonite_gf_batch_invert (+    gf *__restrict__ out,+    const gf *in,+    unsigned int n+) {+    gf t1;+    assert(n>1);+  +    cryptonite_gf_copy(out[1], in[0]);+    int i;+    for (i=1; i<(int) (n-1); i++) {+        cryptonite_gf_mul(out[i+1], out[i], in[i]);+    }+    cryptonite_gf_mul(out[0], out[n-1], in[n-1]);++    cryptonite_gf_invert(out[0], out[0], 1);++    for (i=n-1; i>0; i--) {+        cryptonite_gf_mul(t1, out[i], out[0]);+        cryptonite_gf_copy(out[i], t1);+        cryptonite_gf_mul(t1, out[0], in[i]);+        cryptonite_gf_copy(out[0], t1);+    }+}++static void batch_normalize_niels (+    niels_t *table,+    const gf *zs,+    gf *__restrict__ zis,+    int n+) {+    int i;+    gf product;+    cryptonite_gf_batch_invert(zis, zs, n);++    for (i=0; i<n; i++) {+        cryptonite_gf_mul(product, table[i]->a, zis[i]);+        cryptonite_gf_strong_reduce(product);+        cryptonite_gf_copy(table[i]->a, product);+        +        cryptonite_gf_mul(product, table[i]->b, zis[i]);+        cryptonite_gf_strong_reduce(product);+        cryptonite_gf_copy(table[i]->b, product);+        +        cryptonite_gf_mul(product, table[i]->c, zis[i]);+        cryptonite_gf_strong_reduce(product);+        cryptonite_gf_copy(table[i]->c, product);+    }+    +    cryptonite_decaf_bzero(product,sizeof(product));+}++void API_NS(precompute) (+    precomputed_s *table,+    const point_t base+) { +    const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;+    assert(n*t*s >= SCALAR_BITS);+  +    point_t working, start, doubles[t-1];+    API_NS(point_copy)(working, base);+    pniels_t pn_tmp;+  +    gf zs[n<<(t-1)], zis[n<<(t-1)];+  +    unsigned int i,j,k;+    +    /* Compute n tables */+    for (i=0; i<n; i++) {++        /* Doubling phase */+        for (j=0; j<t; j++) {+            if (j) API_NS(point_add)(start, start, working);+            else API_NS(point_copy)(start, working);++            if (j==t-1 && i==n-1) break;++            point_double_internal(working, working,0);+            if (j<t-1) API_NS(point_copy)(doubles[j], working);++            for (k=0; k<s-1; k++)+                point_double_internal(working, working, k<s-2);+        }++        /* Gray-code phase */+        for (j=0;; j++) {+            int gray = j ^ (j>>1);+            int idx = (((i+1)<<(t-1))-1) ^ gray;++            pt_to_pniels(pn_tmp, start);+            memcpy(table->table[idx], pn_tmp->n, sizeof(pn_tmp->n));+            cryptonite_gf_copy(zs[idx], pn_tmp->z);+			+            if (j >= (1u<<(t-1)) - 1) break;+            int delta = (j+1) ^ ((j+1)>>1) ^ gray;++            for (k=0; delta>1; k++)+                delta >>=1;+            +            if (gray & (1<<k)) {+                API_NS(point_add)(start, start, doubles[k]);+            } else {+                API_NS(point_sub)(start, start, doubles[k]);+            }+        }+    }+    +    batch_normalize_niels(table->table,(const gf *)zs,zis,n<<(t-1));+    +    cryptonite_decaf_bzero(zs,sizeof(zs));+    cryptonite_decaf_bzero(zis,sizeof(zis));+    cryptonite_decaf_bzero(pn_tmp,sizeof(pn_tmp));+    cryptonite_decaf_bzero(working,sizeof(working));+    cryptonite_decaf_bzero(start,sizeof(start));+    cryptonite_decaf_bzero(doubles,sizeof(doubles));+}++static CRYPTONITE_DECAF_INLINE void+constant_time_lookup_niels (+    niels_s *__restrict__ ni,+    const niels_t *table,+    int nelts,+    int idx+) {+    constant_time_lookup(ni, table, sizeof(niels_s), nelts, idx);+}++void API_NS(precomputed_scalarmul) (+    point_t out,+    const precomputed_s *table,+    const scalar_t scalar+) {+    int i;+    unsigned j,k;+    const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;+    +    scalar_t scalar1x;+    API_NS(scalar_add)(scalar1x, scalar, precomputed_scalarmul_adjustment);+    API_NS(scalar_halve)(scalar1x,scalar1x);+    +    niels_t ni;+    +    for (i=s-1; i>=0; i--) {+        if (i != (int)s-1) point_double_internal(out,out,0);+        +        for (j=0; j<n; j++) {+            int tab = 0;+         +            for (k=0; k<t; k++) {+                unsigned int bit = i + s*(k + j*t);+                if (bit < SCALAR_BITS) {+                    tab |= (scalar1x->limb[bit/WBITS] >> (bit%WBITS) & 1) << k;+                }+            }+            +            mask_t invert = (tab>>(t-1))-1;+            tab ^= invert;+            tab &= (1<<(t-1)) - 1;++            constant_time_lookup_niels(ni, &table->table[j<<(t-1)], 1<<(t-1), tab);++            cond_neg_niels(ni, invert);+            if ((i!=(int)s-1)||j) {+                add_niels_to_pt(out, ni, j==n-1 && i);+            } else {+                niels_to_pt(out, ni);+            }+        }+    }+    +    cryptonite_decaf_bzero(ni,sizeof(ni));+    cryptonite_decaf_bzero(scalar1x,sizeof(scalar1x));+}++void API_NS(point_cond_sel) (+    point_t out,+    const point_t a,+    const point_t b,+    cryptonite_decaf_bool_t pick_b+) {+    constant_time_select(out,a,b,sizeof(point_t),bool_to_mask(pick_b),0);+}++/* FUTURE: restore Curve25519 Montgomery ladder? */+cryptonite_decaf_error_t API_NS(direct_scalarmul) (+    uint8_t scaled[SER_BYTES],+    const uint8_t base[SER_BYTES],+    const scalar_t scalar,+    cryptonite_decaf_bool_t allow_identity,+    cryptonite_decaf_bool_t short_circuit+) {+    point_t basep;+    cryptonite_decaf_error_t succ = API_NS(point_decode)(basep, base, allow_identity);+    if (short_circuit && succ != CRYPTONITE_DECAF_SUCCESS) return succ;+    API_NS(point_cond_sel)(basep, API_NS(point_base), basep, succ);+    API_NS(point_scalarmul)(basep, basep, scalar);+    API_NS(point_encode)(scaled, basep);+    API_NS(point_destroy)(basep);+    return succ;+}++void API_NS(point_mul_by_cofactor_and_encode_like_eddsa) (+    uint8_t enc[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const point_t p+) {+    +    /* The point is now on the twisted curve.  Move it to untwisted. */+    gf x, y, z, t;+    point_t q;+#if COFACTOR == 8+    API_NS(point_double)(q,p);+#else+    API_NS(point_copy)(q,p);+#endif+    +#if EDDSA_USE_SIGMA_ISOGENY+    {+        /* Use 4-isogeny like ed25519:+         *   2*x*y*sqrt(d/a-1)/(ax^2 + y^2 - 2)+         *   (y^2 - ax^2)/(y^2 + ax^2)+         * with a = -1, d = -EDWARDS_D:+         *   -2xysqrt(EDWARDS_D-1)/(2z^2-y^2+x^2)+         *   (y^2+x^2)/(y^2-x^2)+         */+        gf u;+        cryptonite_gf_sqr ( x, q->x ); // x^2+        cryptonite_gf_sqr ( t, q->y ); // y^2+        cryptonite_gf_add( u, x, t ); // x^2 + y^2+        cryptonite_gf_add( z, q->y, q->x );+        cryptonite_gf_sqr ( y, z);+        cryptonite_gf_sub ( y, u, y ); // -2xy+        cryptonite_gf_sub ( z, t, x ); // y^2 - x^2+        cryptonite_gf_sqr ( x, q->z );+        cryptonite_gf_add ( t, x, x);+        cryptonite_gf_sub ( t, t, z);  // 2z^2 - y^2 + x^2+        cryptonite_gf_mul ( x, y, z ); // 2xy(y^2-x^2)+        cryptonite_gf_mul ( y, u, t ); // (x^2+y^2)(2z^2-y^2+x^2)+        cryptonite_gf_mul ( u, z, t );+        cryptonite_gf_copy( z, u );+        cryptonite_gf_mul ( u, x, SQRT_ONE_MINUS_D );+        cryptonite_gf_copy( x, u );+        cryptonite_decaf_bzero(u,sizeof(u));+    }+#elif IMAGINE_TWIST+    {+        API_NS(point_double)(q,q);+        API_NS(point_double)(q,q);+        cryptonite_gf_mul_qnr(x, q->x);+        cryptonite_gf_copy(y, q->y);+        cryptonite_gf_copy(z, q->z);+    }+#else+    {+        /* 4-isogeny: 2xy/(y^+x^2), (y^2-x^2)/(2z^2-y^2+x^2) */+        gf u;+        cryptonite_gf_sqr ( x, q->x );+        cryptonite_gf_sqr ( t, q->y );+        cryptonite_gf_add( u, x, t );+        cryptonite_gf_add( z, q->y, q->x );+        cryptonite_gf_sqr ( y, z);+        cryptonite_gf_sub ( y, u, y );+        cryptonite_gf_sub ( z, t, x );+        cryptonite_gf_sqr ( x, q->z );+        cryptonite_gf_add ( t, x, x); +        cryptonite_gf_sub ( t, t, z);+        cryptonite_gf_mul ( x, t, y );+        cryptonite_gf_mul ( y, z, u );+        cryptonite_gf_mul ( z, u, t );+        cryptonite_decaf_bzero(u,sizeof(u));+    }+#endif+    /* Affinize */+    cryptonite_gf_invert(z,z,1);+    cryptonite_gf_mul(t,x,z);+    cryptonite_gf_mul(x,y,z);+    +    /* Encode */+    enc[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES-1] = 0;+    cryptonite_gf_serialize(enc, x, 1);+    enc[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES-1] |= 0x80 & cryptonite_gf_lobit(t);++    cryptonite_decaf_bzero(x,sizeof(x));+    cryptonite_decaf_bzero(y,sizeof(y));+    cryptonite_decaf_bzero(z,sizeof(z));+    cryptonite_decaf_bzero(t,sizeof(t));+    API_NS(point_destroy)(q);+}+++cryptonite_decaf_error_t API_NS(point_decode_like_eddsa_and_ignore_cofactor) (+    point_t p,+    const uint8_t enc[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES]+) {+    uint8_t enc2[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES];+    memcpy(enc2,enc,sizeof(enc2));++    mask_t low = ~word_is_zero(enc2[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES-1] & 0x80);+    enc2[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES-1] &= ~0x80;+    +    mask_t succ = cryptonite_gf_deserialize(p->y, enc2, 1);+#if 0 == 0+    succ &= word_is_zero(enc2[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES-1]);+#endif++    cryptonite_gf_sqr(p->x,p->y);+    cryptonite_gf_sub(p->z,ONE,p->x); /* num = 1-y^2 */+    #if EDDSA_USE_SIGMA_ISOGENY+        cryptonite_gf_mulw(p->t,p->z,EDWARDS_D); /* d-dy^2 */+        cryptonite_gf_mulw(p->x,p->z,EDWARDS_D-1); /* num = (1-y^2)(d-1) */+        cryptonite_gf_copy(p->z,p->x);+    #else+        cryptonite_gf_mulw(p->t,p->x,EDWARDS_D); /* dy^2 */+    #endif+    cryptonite_gf_sub(p->t,ONE,p->t); /* denom = 1-dy^2 or 1-d + dy^2 */+    +    cryptonite_gf_mul(p->x,p->z,p->t);+    succ &= cryptonite_gf_isr(p->t,p->x); /* 1/sqrt(num * denom) */+    +    cryptonite_gf_mul(p->x,p->t,p->z); /* sqrt(num / denom) */+    cryptonite_gf_cond_neg(p->x,~cryptonite_gf_lobit(p->x)^low);+    cryptonite_gf_copy(p->z,ONE);+  +    #if EDDSA_USE_SIGMA_ISOGENY+    {+       /* Use 4-isogeny like ed25519:+        *   2*x*y/sqrt(1-d/a)/(ax^2 + y^2 - 2)+        *   (y^2 - ax^2)/(y^2 + ax^2)+        * (MAGIC: above formula may be off by a factor of -a+        * or something somewhere; check it for other a)+        *+        * with a = -1, d = -EDWARDS_D:+        *   -2xy/sqrt(1-EDWARDS_D)/(2z^2-y^2+x^2)+        *   (y^2+x^2)/(y^2-x^2)+        */+        gf a, b, c, d;+        cryptonite_gf_sqr ( c, p->x );+        cryptonite_gf_sqr ( a, p->y );+        cryptonite_gf_add ( d, c, a ); // x^2 + y^2+        cryptonite_gf_add ( p->t, p->y, p->x );+        cryptonite_gf_sqr ( b, p->t );+        cryptonite_gf_sub ( b, b, d ); // 2xy+        cryptonite_gf_sub ( p->t, a, c ); // y^2 - x^2+        cryptonite_gf_sqr ( p->x, p->z );+        cryptonite_gf_add ( p->z, p->x, p->x );+        cryptonite_gf_sub ( a, p->z, p->t ); // 2z^2 - y^2 + x^2+        cryptonite_gf_mul ( c, a, SQRT_ONE_MINUS_D );+        cryptonite_gf_mul ( p->x, b, p->t); // (2xy)(y^2-x^2)+        cryptonite_gf_mul ( p->z, p->t, c ); // (y^2-x^2)sd(2z^2 - y^2 + x^2)+        cryptonite_gf_mul ( p->y, d, c ); // (y^2+x^2)sd(2z^2 - y^2 + x^2)+        cryptonite_gf_mul ( p->t, d, b );+        cryptonite_decaf_bzero(a,sizeof(a));+        cryptonite_decaf_bzero(b,sizeof(b));+        cryptonite_decaf_bzero(c,sizeof(c));+        cryptonite_decaf_bzero(d,sizeof(d));+    } +    #elif IMAGINE_TWIST+    {+        cryptonite_gf_mul(p->t,p->x,SQRT_MINUS_ONE);+        cryptonite_gf_copy(p->x,p->t);+        cryptonite_gf_mul(p->t,p->x,p->y);+    }+    #else+    {+        /* 4-isogeny 2xy/(y^2-ax^2), (y^2+ax^2)/(2-y^2-ax^2) */+        gf a, b, c, d;+        cryptonite_gf_sqr ( c, p->x );+        cryptonite_gf_sqr ( a, p->y );+        cryptonite_gf_add ( d, c, a );+        cryptonite_gf_add ( p->t, p->y, p->x );+        cryptonite_gf_sqr ( b, p->t );+        cryptonite_gf_sub ( b, b, d );+        cryptonite_gf_sub ( p->t, a, c );+        cryptonite_gf_sqr ( p->x, p->z );+        cryptonite_gf_add ( p->z, p->x, p->x );+        cryptonite_gf_sub ( a, p->z, d );+        cryptonite_gf_mul ( p->x, a, b );+        cryptonite_gf_mul ( p->z, p->t, a );+        cryptonite_gf_mul ( p->y, p->t, d );+        cryptonite_gf_mul ( p->t, b, d );+        cryptonite_decaf_bzero(a,sizeof(a));+        cryptonite_decaf_bzero(b,sizeof(b));+        cryptonite_decaf_bzero(c,sizeof(c));+        cryptonite_decaf_bzero(d,sizeof(d));+    }+    #endif+    +    cryptonite_decaf_bzero(enc2,sizeof(enc2));+    assert(API_NS(point_valid)(p) || ~succ);+    return cryptonite_decaf_succeed_if(mask_to_bool(succ));+}++cryptonite_decaf_error_t cryptonite_decaf_x448 (+    uint8_t out[X_PUBLIC_BYTES],+    const uint8_t base[X_PUBLIC_BYTES],+    const uint8_t scalar[X_PRIVATE_BYTES]+) {+    gf x1, x2, z2, x3, z3, t1, t2;+    ignore_result(cryptonite_gf_deserialize(x1,base,1));+    cryptonite_gf_copy(x2,ONE);+    cryptonite_gf_copy(z2,ZERO);+    cryptonite_gf_copy(x3,x1);+    cryptonite_gf_copy(z3,ONE);+    +    int t;+    mask_t swap = 0;+    +    for (t = X_PRIVATE_BITS-1; t>=0; t--) {+        uint8_t sb = scalar[t/8];+        +        /* Scalar conditioning */+        if (t/8==0) sb &= -(uint8_t)COFACTOR;+        else if (t == X_PRIVATE_BITS-1) sb = -1;+        +        mask_t k_t = (sb>>(t%8)) & 1;+        k_t = -k_t; /* set to all 0s or all 1s */+        +        swap ^= k_t;+        cryptonite_gf_cond_swap(x2,x3,swap);+        cryptonite_gf_cond_swap(z2,z3,swap);+        swap = k_t;+        +        cryptonite_gf_add_nr(t1,x2,z2); /* A = x2 + z2 */        /* 2+e */+        cryptonite_gf_sub_nr(t2,x2,z2); /* B = x2 - z2 */        /* 3+e */+        cryptonite_gf_sub_nr(z2,x3,z3); /* D = x3 - z3 */        /* 3+e */+        cryptonite_gf_mul(x2,t1,z2);    /* DA */+        cryptonite_gf_add_nr(z2,z3,x3); /* C = x3 + z3 */        /* 2+e */+        cryptonite_gf_mul(x3,t2,z2);    /* CB */+        cryptonite_gf_sub_nr(z3,x2,x3); /* DA-CB */              /* 3+e */+        cryptonite_gf_sqr(z2,z3);       /* (DA-CB)^2 */+        cryptonite_gf_mul(z3,x1,z2);    /* z3 = x1(DA-CB)^2 */+        cryptonite_gf_add_nr(z2,x2,x3); /* (DA+CB) */            /* 2+e */+        cryptonite_gf_sqr(x3,z2);       /* x3 = (DA+CB)^2 */+        +        cryptonite_gf_sqr(z2,t1);       /* AA = A^2 */+        cryptonite_gf_sqr(t1,t2);       /* BB = B^2 */+        cryptonite_gf_mul(x2,z2,t1);    /* x2 = AA*BB */+        cryptonite_gf_sub_nr(t2,z2,t1); /* E = AA-BB */          /* 3+e */+        +        cryptonite_gf_mulw(t1,t2,-EDWARDS_D); /* E*-d = a24*E */+        cryptonite_gf_add_nr(t1,t1,z2); /* AA + a24*E */         /* 2+e */+        cryptonite_gf_mul(z2,t2,t1); /* z2 = E(AA+a24*E) */+    }+    +    /* Finish */+    cryptonite_gf_cond_swap(x2,x3,swap);+    cryptonite_gf_cond_swap(z2,z3,swap);+    cryptonite_gf_invert(z2,z2,0);+    cryptonite_gf_mul(x1,x2,z2);+    cryptonite_gf_serialize(out,x1,1);+    mask_t nz = ~cryptonite_gf_eq(x1,ZERO);+    +    cryptonite_decaf_bzero(x1,sizeof(x1));+    cryptonite_decaf_bzero(x2,sizeof(x2));+    cryptonite_decaf_bzero(z2,sizeof(z2));+    cryptonite_decaf_bzero(x3,sizeof(x3));+    cryptonite_decaf_bzero(z3,sizeof(z3));+    cryptonite_decaf_bzero(t1,sizeof(t1));+    cryptonite_decaf_bzero(t2,sizeof(t2));+    +    return cryptonite_decaf_succeed_if(mask_to_bool(nz));+}++/* Thanks Johan Pascal */+void cryptonite_decaf_ed448_convert_public_key_to_x448 (+    uint8_t x[CRYPTONITE_DECAF_X448_PUBLIC_BYTES],+    const uint8_t ed[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES]+) {+    gf y;+    {+        uint8_t enc2[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES];+        memcpy(enc2,ed,sizeof(enc2));++        /* retrieve y from the ed compressed point */+        enc2[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES-1] &= ~0x80;+        ignore_result(cryptonite_gf_deserialize(y, enc2, 0));+        cryptonite_decaf_bzero(enc2,sizeof(enc2));+    }+    +    {+        gf n,d;+        +#if EDDSA_USE_SIGMA_ISOGENY+        /* u = (1+y)/(1-y)*/+        cryptonite_gf_add(n, y, ONE); /* n = y+1 */+        cryptonite_gf_sub(d, ONE, y); /* d = 1-y */+        cryptonite_gf_invert(d, d, 0); /* d = 1/(1-y) */+        cryptonite_gf_mul(y, n, d); /* u = (y+1)/(1-y) */+        cryptonite_gf_serialize(x,y,1);+#else /* EDDSA_USE_SIGMA_ISOGENY */+        /* u = y^2 * (1-dy^2) / (1-y^2) */+        cryptonite_gf_sqr(n,y); /* y^2*/+        cryptonite_gf_sub(d,ONE,n); /* 1-y^2*/+        cryptonite_gf_invert(d,d,0); /* 1/(1-y^2)*/+        cryptonite_gf_mul(y,n,d); /* y^2 / (1-y^2) */+        cryptonite_gf_mulw(d,n,EDWARDS_D); /* dy^2*/+        cryptonite_gf_sub(d, ONE, d); /* 1-dy^2*/+        cryptonite_gf_mul(n, y, d); /* y^2 * (1-dy^2) / (1-y^2) */+        cryptonite_gf_serialize(x,n,1);+#endif /* EDDSA_USE_SIGMA_ISOGENY */+        +        cryptonite_decaf_bzero(y,sizeof(y));+        cryptonite_decaf_bzero(n,sizeof(n));+        cryptonite_decaf_bzero(d,sizeof(d));+    }+}++void cryptonite_decaf_x448_generate_key (+    uint8_t out[X_PUBLIC_BYTES],+    const uint8_t scalar[X_PRIVATE_BYTES]+) {+    cryptonite_decaf_x448_derive_public_key(out,scalar);+}++void cryptonite_decaf_x448_derive_public_key (+    uint8_t out[X_PUBLIC_BYTES],+    const uint8_t scalar[X_PRIVATE_BYTES]+) {+    /* Scalar conditioning */+    uint8_t scalar2[X_PRIVATE_BYTES];+    memcpy(scalar2,scalar,sizeof(scalar2));+    scalar2[0] &= -(uint8_t)COFACTOR;+    +    scalar2[X_PRIVATE_BYTES-1] &= ~(-1u<<((X_PRIVATE_BITS+7)%8));+    scalar2[X_PRIVATE_BYTES-1] |= 1<<((X_PRIVATE_BITS+7)%8);+    +    scalar_t the_scalar;+    API_NS(scalar_decode_long)(the_scalar,scalar2,sizeof(scalar2));+    +    /* We're gonna isogenize by 2, so divide by 2.+     *+     * Why by 2, even though it's a 4-isogeny?+     *+     * The isogeny map looks like+     * Montgomery <-2-> Jacobi <-2-> Edwards+     *+     * Since the Jacobi base point is the PREimage of the iso to+     * the Montgomery curve, and we're going+     * Jacobi -> Edwards -> Jacobi -> Montgomery,+     * we pick up only a factor of 2 over Jacobi -> Montgomery. +     */+    API_NS(scalar_halve)(the_scalar,the_scalar);+    point_t p;+    API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),the_scalar);+    +    /* Isogenize to Montgomery curve.+     *+     * Why isn't this just a separate function, eg cryptonite_decaf_encode_like_x448?+     * Basically because in general it does the wrong thing if there is a cofactor+     * component in the input.  In this function though, there isn't a cofactor+     * component in the input.+     */+    cryptonite_gf_invert(p->t,p->x,0); /* 1/x */+    cryptonite_gf_mul(p->z,p->t,p->y); /* y/x */+    cryptonite_gf_sqr(p->y,p->z); /* (y/x)^2 */+#if IMAGINE_TWIST+    cryptonite_gf_sub(p->y,ZERO,p->y);+#endif+    cryptonite_gf_serialize(out,p->y,1);+        +    cryptonite_decaf_bzero(scalar2,sizeof(scalar2));+    API_NS(scalar_destroy)(the_scalar);+    API_NS(point_destroy)(p);+}++/**+ * @cond internal+ * Control for variable-time scalar multiply algorithms.+ */+struct smvt_control {+  int power, addend;+};++static int recode_wnaf (+    struct smvt_control *control, /* [nbits/(table_bits+1) + 3] */+    const scalar_t scalar,+    unsigned int table_bits+) {+    unsigned int table_size = SCALAR_BITS/(table_bits+1) + 3;+    int position = table_size - 1; /* at the end */+    +    /* place the end marker */+    control[position].power = -1;+    control[position].addend = 0;+    position--;++    /* PERF: Could negate scalar if it's large.  But then would need more cases+     * in the actual code that uses it, all for an expected reduction of like 1/5 op.+     * Probably not worth it.+     */+    +    uint64_t current = scalar->limb[0] & 0xFFFF;+    uint32_t mask = (1<<(table_bits+1))-1;++    unsigned int w;+    const unsigned int B_OVER_16 = sizeof(scalar->limb[0]) / 2;+    for (w = 1; w<(SCALAR_BITS-1)/16+3; w++) {+        if (w < (SCALAR_BITS-1)/16+1) {+            /* Refill the 16 high bits of current */+            current += (uint32_t)((scalar->limb[w/B_OVER_16]>>(16*(w%B_OVER_16)))<<16);+        }+        +        while (current & 0xFFFF) {+            assert(position >= 0);+            uint32_t pos = __builtin_ctz((uint32_t)current), odd = (uint32_t)current >> pos;+            int32_t delta = odd & mask;+            if (odd & 1<<(table_bits+1)) delta -= (1<<(table_bits+1));+            current -= delta << pos;+            control[position].power = pos + 16*(w-1);+            control[position].addend = delta;+            position--;+        }+        current >>= 16;+    }+    assert(current==0);+    +    position++;+    unsigned int n = table_size - position;+    unsigned int i;+    for (i=0; i<n; i++) {+        control[i] = control[i+position];+    }+    return n-1;+}++static void+prepare_wnaf_table(+    pniels_t *output,+    const point_t working,+    unsigned int tbits+) {+    point_t tmp;+    int i;+    pt_to_pniels(output[0], working);++    if (tbits == 0) return;++    API_NS(point_double)(tmp,working);+    pniels_t twop;+    pt_to_pniels(twop, tmp);++    add_pniels_to_pt(tmp, output[0],0);+    pt_to_pniels(output[1], tmp);++    for (i=2; i < 1<<tbits; i++) {+        add_pniels_to_pt(tmp, twop,0);+        pt_to_pniels(output[i], tmp);+    }+    +    API_NS(point_destroy)(tmp);+    cryptonite_decaf_bzero(twop,sizeof(twop));+}++extern const gf API_NS(precomputed_wnaf_as_fe)[];+static const niels_t *API_NS(wnaf_base) = (const niels_t *)API_NS(precomputed_wnaf_as_fe);+const size_t API_NS(sizeof_precomputed_wnafs)+    = sizeof(niels_t)<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS;++void API_NS(precompute_wnafs) (+    niels_t out[1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS],+    const point_t base+);++void API_NS(precompute_wnafs) (+    niels_t out[1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS],+    const point_t base+) {+    pniels_t tmp[1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS];+    gf zs[1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS], zis[1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS];+    int i;+    prepare_wnaf_table(tmp,base,CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS);+    for (i=0; i<1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS; i++) {+        memcpy(out[i], tmp[i]->n, sizeof(niels_t));+        cryptonite_gf_copy(zs[i], tmp[i]->z);+    }+    batch_normalize_niels(out, (const gf *)zs, zis, 1<<CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS);+    +    cryptonite_decaf_bzero(tmp,sizeof(tmp));+    cryptonite_decaf_bzero(zs,sizeof(zs));+    cryptonite_decaf_bzero(zis,sizeof(zis));+}++void API_NS(base_double_scalarmul_non_secret) (+    point_t combo,+    const scalar_t scalar1,+    const point_t base2,+    const scalar_t scalar2+) {+    const int table_bits_var = CRYPTONITE_DECAF_WNAF_VAR_TABLE_BITS,+        table_bits_pre = CRYPTONITE_DECAF_WNAF_FIXED_TABLE_BITS;+    struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];+    struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];+    +    int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);+    int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);+  +    pniels_t precmp_var[1<<table_bits_var];+    prepare_wnaf_table(precmp_var, base2, table_bits_var);+  +    int contp=0, contv=0, i = control_var[0].power;++    if (i < 0) {+        API_NS(point_copy)(combo, API_NS(point_identity));+        return;+    } else if (i > control_pre[0].power) {+        pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);+        contv++;+    } else if (i == control_pre[0].power && i >=0 ) {+        pniels_to_pt(combo, precmp_var[control_var[0].addend >> 1]);+        add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1], i);+        contv++; contp++;+    } else {+        i = control_pre[0].power;+        niels_to_pt(combo, API_NS(wnaf_base)[control_pre[0].addend >> 1]);+        contp++;+    }+    +    for (i--; i >= 0; i--) {+        int cv = (i==control_var[contv].power), cp = (i==control_pre[contp].power);+        point_double_internal(combo,combo,i && !(cv||cp));++        if (cv) {+            assert(control_var[contv].addend);++            if (control_var[contv].addend > 0) {+                add_pniels_to_pt(combo, precmp_var[control_var[contv].addend >> 1], i&&!cp);+            } else {+                sub_pniels_from_pt(combo, precmp_var[(-control_var[contv].addend) >> 1], i&&!cp);+            }+            contv++;+        }++        if (cp) {+            assert(control_pre[contp].addend);++            if (control_pre[contp].addend > 0) {+                add_niels_to_pt(combo, API_NS(wnaf_base)[control_pre[contp].addend >> 1], i);+            } else {+                sub_niels_from_pt(combo, API_NS(wnaf_base)[(-control_pre[contp].addend) >> 1], i);+            }+            contp++;+        }+    }+    +    /* This function is non-secret, but whatever this is cheap. */+    cryptonite_decaf_bzero(control_var,sizeof(control_var));+    cryptonite_decaf_bzero(control_pre,sizeof(control_pre));+    cryptonite_decaf_bzero(precmp_var,sizeof(precmp_var));++    assert(contv == ncb_var); (void)ncb_var;+    assert(contp == ncb_pre); (void)ncb_pre;+}++void API_NS(point_destroy) (+    point_t point+) {+    cryptonite_decaf_bzero(point, sizeof(point_t));+}++void API_NS(precomputed_destroy) (+    precomputed_s *pre+) {+    cryptonite_decaf_bzero(pre, API_NS(sizeof_precomputed_s));+}
+ cbits/decaf/ed448goldilocks/decaf_all.c view
@@ -0,0 +1,3 @@+/* Combined to avoid link failure on OpenBSD with --strip-unneeded, see #186 */+#include "decaf.c"+#include "decaf_tables.c"
+ cbits/decaf/ed448goldilocks/decaf_tables.c view
@@ -0,0 +1,354 @@+/** @warning: this file was automatically generated. */+#include "field.h"++#include <decaf.h>++#define API_NS(_id) cryptonite_decaf_448_##_id+const API_NS(point_t) API_NS(point_base) = {{+{FIELD_LITERAL(0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff,0x0000000000000003,0x0000000000000000,0x0000000000000000,0x0000000000000000)},+  {FIELD_LITERAL(0x0081e6d37f752992,0x003078ead1c28721,0x00135cfd2394666c,0x0041149c50506061,0x0031d30e4f5490b3,0x00902014990dc141,0x0052341b04c1e328,0x0014237853c10a1b)},+  {FIELD_LITERAL(0x00fffffffffffffb,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff,0x00fffffffffffffe,0x00ffffffffffffff,0x00ffffffffffffff,0x00ffffffffffffff)},+  {FIELD_LITERAL(0x008f205b70660415,0x00881c60cfd3824f,0x00377a638d08500d,0x008c66d5d4672615,0x00e52fa558e08e13,0x0087770ae1b6983d,0x004388f55a0aa7ff,0x00b4d9a785cf1a91)}+}};+const gf API_NS(precomputed_base_as_fe)[240]+VECTOR_ALIGNED = {+  {FIELD_LITERAL(0x00e614a9f7278dc5,0x002e454ad04c5124,0x00d8f58cee1436f3,0x00c83ed46e4180ec,0x00a41e93274a38fa,0x00c1e7e53257771e,0x0043e0ff03c0392f,0x002c7c6405ce61df)},+  {FIELD_LITERAL(0x0033c4f9dc990b33,0x00c291cb1ceb55c3,0x002ae3f58ade88b2,0x006b1f9f11395474,0x002ded6e4b27ff7c,0x0041012ed4aa10e1,0x003c22d20a36bae7,0x001f584eed472b19)},+  {FIELD_LITERAL(0x00c3514779ee6f60,0x001574c873b20c2b,0x004cd6a46a5a5e65,0x0059a068aeb4204a,0x004c610458bc354d,0x00e94567479d02d2,0x00feaf77ed118e28,0x00f58a8bf115eeb5)},+  {FIELD_LITERAL(0x0046110878fcb20f,0x00df43db21cc6f32,0x00ffdde9f4516644,0x00519917791686b9,0x00b72b441fd34473,0x008d45684cb1c72b,0x0015181370fc17a5,0x00a456d1307f74d3)},+  {FIELD_LITERAL(0x001430f149b607dc,0x00e992ccd16715fc,0x00a62209b0a32a09,0x00b889cedc26b8e4,0x0059bf9a3ac109cf,0x006871bb3b7feac2,0x00f4a4d5fd9a0e6b,0x00b95db460cd69a5)},+  {FIELD_LITERAL(0x0036304418bda702,0x007bc56861561558,0x00f344bc8e30416f,0x00a64537080f59d7,0x00b4c20077d00ace,0x00ee79620b26f8cc,0x00a6a558e0b5403d,0x008f1d2c766f3d19)},+  {FIELD_LITERAL(0x00ef21c0297d3112,0x0073f89bd27c35b1,0x00ec44f9b1ff5e33,0x006bee51d878f1ee,0x001571a4b2aceddb,0x00cd0182d55131d1,0x0026761dbc1844be,0x00f01865af716474)},+  {FIELD_LITERAL(0x0021dfef3f5fe8cc,0x0038c659ed1dbd68,0x0058ded9bcebe283,0x00077bbb094983ee,0x00b7b484e913d70c,0x0063e477a9506397,0x0000b996a6e01629,0x00ab68b41f75cd37)},+  {FIELD_LITERAL(0x00a1fbd946403a4e,0x00be5a4e2d611b05,0x00ea4f210888bc6e,0x0043e9b0e0ae50fe,0x002abc4f6bd86845,0x00c3ed649c67f663,0x00d4eeb391a520e7,0x004b19cf1bfe7584)},+  {FIELD_LITERAL(0x0099a75e6f22999e,0x001f16454c79f659,0x00d776a37fddc812,0x0095fdd63b6b0a78,0x00d232169366e947,0x002ea77dd21e9de7,0x00e8c46e85f97a90,0x00358758651f8cd9)},+  {FIELD_LITERAL(0x002b6f5036a07bdf,0x004f6940af3e2646,0x00866028f8986799,0x00838b26ccb50415,0x0010557417f00b11,0x008a3b6bc447e96b,0x003de3d035e9e0c9,0x00188fca2b6d4011)},+  {FIELD_LITERAL(0x001ca4038635312b,0x0078dc75c1e01c44,0x004340f00b3100a4,0x005e63e36bf6646e,0x008e1efd4b624688,0x00a61c2ffb1525e1,0x0072587505a75b81,0x00a8637140d96e78)},+  {FIELD_LITERAL(0x004a7c41ffac8a41,0x005bf37075b1c20b,0x00c053b570a42408,0x002bb7e278d328e7,0x00b2378b63245100,0x003318bf2a1a368a,0x00f4e3e0bdbe02de,0x0058921e4b1e32f8)},+  {FIELD_LITERAL(0x005e93d6fa1118a0,0x0062b43515d381e2,0x002c42864052e620,0x00af258bae6ccbd3,0x00954247094d654d,0x005db01f5b010810,0x009c8cf25efa8204,0x005f73ced3714ef7)},+  {FIELD_LITERAL(0x0085f89aff2cf49d,0x00f591ee8480f6f0,0x00378ed518114265,0x00f04293e2a09008,0x00c58688db9140ed,0x00e9912696399ff1,0x0055bd1b96367413,0x0023a70cf830f999)},+  {FIELD_LITERAL(0x001c83772944584e,0x00c1ba881e472bcc,0x00af2715a0aef13f,0x00bd0360d25610a6,0x00c42f8b3eebebde,0x00a9e474849788b1,0x00dcd1a1a2efec5c,0x009480d34c2818c0)},+  {FIELD_LITERAL(0x00b4b6e09a565d74,0x0095efcf6175aa48,0x00498defe7ae7810,0x00309b684ed26470,0x007a8873a91d4e44,0x00ea4b3f857eb27a,0x00979b8619d25a9e,0x00721a2770eeb6e9)},+  {FIELD_LITERAL(0x00b422f0f4be195f,0x00e88cfa83bfa2db,0x009fd60666ea4268,0x0095a458f5e801d0,0x00b9eee6882081f6,0x00b27edb37604948,0x00a7f67c4d44d8db,0x00df840ccf290c01)},+  {FIELD_LITERAL(0x00c9fed0d47c9103,0x00ba73ed9294a043,0x005cbbc928e652e1,0x0068419e98ee8215,0x00f63de63786300b,0x009aa9bb6c19f8aa,0x0066c536b573213f,0x00d2b77a5b2f2450)},+  {FIELD_LITERAL(0x00810236c68d5b74,0x00d0a1af1872a011,0x007f23ee29e3801a,0x009a55a678f8dba4,0x0065445dcff9be40,0x00f3978789a9abc5,0x00001f010d23f5e8,0x00ff80042934b0c5)},+  {FIELD_LITERAL(0x00a6749f4b3f9745,0x003ab85f4180e502,0x006a7de9b530ed50,0x0050b5353b0441bf,0x00a093583ac6ede4,0x00c4918ad1406299,0x000f75cf2a353a2b,0x001c6644a0683a56)},+  {FIELD_LITERAL(0x00e8694156c09bfe,0x00f6f3a5bd17ad96,0x0098dbed45edad12,0x00edfe2b84921821,0x0097884330199b67,0x004aab02685b3e9e,0x0068ac0bd2453c30,0x00167c1c1c87d8f5)},+  {FIELD_LITERAL(0x008bba5fbf63f599,0x0059a3c960c7d63f,0x00ce2db75b08b7d9,0x0097e80cb2104171,0x009b68be26a140d0,0x002b9b9954e94c68,0x00023ca8fc411beb,0x00cbc4bcccbada07)},+  {FIELD_LITERAL(0x0053c100e77b678d,0x000f115c400fa96f,0x005928d3de22afa2,0x00e47cd9bdbdbe96,0x00597ecfe84abf19,0x0058bb428e4c7a32,0x00dd582f76ecf584,0x00b1211365eccb79)},+  {FIELD_LITERAL(0x00dbfb9a00a58e68,0x004468189350d82f,0x00b4b12407ee92c6,0x00e27a7908f73455,0x00f071170071b5ae,0x00221a5e6ba229dd,0x001903e3f6a81f83,0x00be36325402775f)},+  {FIELD_LITERAL(0x004d298d6e691756,0x00775644dfce310b,0x00a861887823ea98,0x00cf0b6014fa6e6f,0x005f4e296380826f,0x00bf423392627f90,0x002893bfc8122f6a,0x00440dbc89bea228)},+  {FIELD_LITERAL(0x00acbb4f40a4ab73,0x00d6a82f48fa3366,0x000a7958fc6faac2,0x008a4cdd60a7c33c,0x005e5587dd8b6f1a,0x00e40f63086a88e8,0x0030940cbbcda0ad,0x009a42e3dc35c130)},+  {FIELD_LITERAL(0x00d37716cad825f1,0x00883870cba9552a,0x008ef785f5c762e3,0x006cb253e0469242,0x007b8f17fee9d967,0x00a43de6932b52b6,0x001aca9fe2af783c,0x008967778ff0b680)},+  {FIELD_LITERAL(0x006400c4cdc6c9c3,0x001e8c978691083f,0x00ad74f01f68e0c5,0x00f7feb0372b5f6a,0x002f60d175ade13a,0x0098ec54a221a678,0x00fcfea8a71f244e,0x00dea6660e45ded2)},+  {FIELD_LITERAL(0x002585b4aa8d6752,0x00e62da7615a2089,0x0010c1c741f39b68,0x00569bb1eced9f65,0x00ba6d09e4daa724,0x007d3e20aef281b9,0x00bd7f65aca3ffdc,0x00dea434a50288a8)},+  {FIELD_LITERAL(0x007ba92a2489170f,0x00cd356354d31e9c,0x00a60d47406e5430,0x009c3d5fde8ed877,0x00079eaa50dd08d1,0x0024674d593ffa5f,0x005391be9596c53b,0x00856ca8d50acdd9)},+  {FIELD_LITERAL(0x00d4620aa5e5bdec,0x002303c4b9b5d941,0x003b061f857ebb2a,0x00371f9e856d49fd,0x0071c36c5335051e,0x0040e4346a4d359f,0x00b31dbd959ec40c,0x00d99353a71bf6de)},+  {FIELD_LITERAL(0x0078898adf0f21dd,0x006e09bfedd8604a,0x00efaf0e0f9bb666,0x00b0f685db8852c3,0x0094c86ec566b841,0x00e5c2879ba50dbe,0x00a87cd444cff758,0x00d3e26fd47f23df)},+  {FIELD_LITERAL(0x00b82c07fb1854f8,0x0057f654a06fad9f,0x004c00383250cf92,0x008b91713d291af6,0x002f2521777859b9,0x00533111421f22c8,0x00643da86fab9794,0x00dc7fb0680e3d40)},+  {FIELD_LITERAL(0x00e59ffd40e87788,0x006431e9755a50af,0x00a03ce700fb580a,0x00ad7e70aa3c9b9e,0x0078970a2b4db503,0x00c800451849637a,0x00e7e6a5b49e123f,0x00e1ed15f77bcb4d)},+  {FIELD_LITERAL(0x00bc1d1d1af47f28,0x00ebc5501bbd81f0,0x00aa6b5513547aa4,0x0074ed33551343fe,0x00d2114f6ef7d43b,0x006335b41d518aeb,0x00ebd46919692fb8,0x0052d5d4e3fada95)},+  {FIELD_LITERAL(0x00ebfc9f489799a4,0x00497535b6980688,0x00fef76499e6a51b,0x00018eedde7a18da,0x00f435d9e72b69c7,0x005ab0faa8281675,0x003232d06e290be8,0x005473ec8be0286c)},+  {FIELD_LITERAL(0x00c6eb0d0ebb4874,0x00856a2274119097,0x00380bc7b29e3719,0x00b1ae149f0e424d,0x0009b41855b9de26,0x0098684013d0f53f,0x0082e8554c38a6ff,0x00e76c18c353743a)},+  {FIELD_LITERAL(0x008da1194e1ab61f,0x008edb5f89688805,0x00f4970252f851bd,0x007a46f632b6ad20,0x006d2d1c37e9f90a,0x0060dd09353f665f,0x000a625a80d86657,0x000f93f6fedd0888)},+  {FIELD_LITERAL(0x003b019b31992fb4,0x004f6a2ad1f64c28,0x008a744134e5c571,0x000ca33172f9af3f,0x00d478755a67bb8b,0x009d1f5c48abb223,0x004da4d6f12ee901,0x0084f09541f4140d)},+  {FIELD_LITERAL(0x0031f412f5cacd43,0x00e5afb75dd20e94,0x001ce24b3452740e,0x00176d6dedf30ff1,0x0082e22e564fffca,0x001d56fbe007097f,0x0095b37c851a6918,0x008ec50ef97f8f4c)},+  {FIELD_LITERAL(0x007e2b1c52251f57,0x00cbef37c9380033,0x0037ed652761bceb,0x00f1c2a5dc6dd232,0x0026e1b90d63ce0b,0x00938d732173a6b8,0x00d439aa45da993f,0x00d356b8deaccef7)},+  {FIELD_LITERAL(0x00ed32377f56c67d,0x00c3b6a4de32e4a7,0x00481a36c0dd5d91,0x00bb557d20466ba7,0x00645f6d3200163e,0x005eb4c54df7c48c,0x00fd8e3d08f1e3b4,0x001156353f099147)},+  {FIELD_LITERAL(0x00ae1b4c089b2756,0x00e686d2b916fb5f,0x007ac43ec2437dd8,0x00f7bfdf7e860ed2,0x0097dbcb8b786dc9,0x00ec7a90401c8b2f,0x00425ed017989bdb,0x00444bc9ca6d914d)},+  {FIELD_LITERAL(0x00e5e7b83b53ab7f,0x004e4bed6ca44fc5,0x0008bd7a67c40d4d,0x009dbec74a4a2f0e,0x0077df3f4fc2c73f,0x0046b1af5e73ea8d,0x009f096cb7be8670,0x003ad0a29929141d)},+  {FIELD_LITERAL(0x00991a1222e9b2e1,0x00be7583901d7dc7,0x00fd1d0c8169d3da,0x000fe0a94a68acf9,0x00b77bd05afc78a2,0x00a84f1697f87ebc,0x000097cfdb0c2ecb,0x007d51d70352ed1b)},+  {FIELD_LITERAL(0x0025dc2a60643159,0x001f0d8ff85f95b4,0x00ed74a4bc598a73,0x00f30afe6f0574a9,0x0003788545d4d28c,0x009dc410ad120ac0,0x001950947e69961d,0x001ceb23cb0355b0)},+  {FIELD_LITERAL(0x00ee2202ded9f1bd,0x002fa4fce658976d,0x00e7c15bc9716470,0x004f7ea99d500369,0x004b995a18318376,0x00246c4f8af91911,0x00cc77a07d09dbfe,0x007906f6f1364be6)},+  {FIELD_LITERAL(0x003c97e6384da36e,0x00423d53eac81a09,0x00b70d68f3cdce35,0x00ee7959b354b92c,0x00f4e9718819c8ca,0x009349f12acbffe9,0x005aee7b62cb7da6,0x00d97764154ffc86)},+  {FIELD_LITERAL(0x00d95d1c5fcb435a,0x0016d1ed6b5086f9,0x00792aa0b7e54d71,0x0067b65715f1925d,0x00a219755ec6176b,0x00bc3f026b12c28f,0x00700c897ffeb93e,0x0089b83f6ec50b46)},+  {FIELD_LITERAL(0x00ad9cdb4544b923,0x00d11664c7284061,0x00815ae86b8f910b,0x005414fb2591c3c6,0x0094ba83e2d7ef9e,0x0001dbc16599386c,0x00c8721f0493911b,0x00c1be6b463c346c)},+  {FIELD_LITERAL(0x0079680ce111ed3b,0x001a1ed82806122c,0x000c2e7466d15df3,0x002c407f6f7150fd,0x00c5e7c96b1b0ce3,0x009aa44626863ff9,0x00887b8b5b80be42,0x00b6023cec964825)},+  {FIELD_LITERAL(0x00fed3cd80ca2292,0x0015b043a73ca613,0x000a9fd7bf9be227,0x003b5e03de2db983,0x005af72d46904ef7,0x00c0f1b5c49faa99,0x00dc86fc3bd305e1,0x00c92f08c1cb1797)},+  {FIELD_LITERAL(0x001b571efb768f37,0x009d778487cf5cfd,0x00430e37327ebfd4,0x00a92447e5970a41,0x00eb13127c0edbac,0x00ec61e5aefeaf20,0x00447eebf57d2e5c,0x00f01433e550e558)},+  {FIELD_LITERAL(0x0039dd7ce7fc6860,0x00d64f6425653da1,0x003e037c7f57d0af,0x0063477a06e2bcf2,0x001727dbb7ac67e6,0x0049589f5efafe2e,0x00fc0fef2e813d54,0x008baa5d087fb50d)},+  {FIELD_LITERAL(0x00a7527958238159,0x0013ec9537a84cd6,0x001d7fee7d562525,0x00b9eefa6191d5e5,0x00dbc97db70bcb8a,0x00481affc7a4d395,0x006f73d3e70c31bb,0x00183f324ed96a61)},+  {FIELD_LITERAL(0x00db04a6264ba838,0x00582b1f9fddc1b3,0x003ee72e4aaa027f,0x007d1de938cd0dd5,0x0032d5d66cf76afa,0x00c9c717c95c1ec2,0x00f27aa11764b8d6,0x00713a482b7ef36e)},+  {FIELD_LITERAL(0x00ece96f95f2b66f,0x00ece7952813a27b,0x0026fc36592e489e,0x007157d1a2de0f66,0x00759dc111d86ddf,0x0012881e5780bb0f,0x00c8ccc83ad29496,0x0012b9bd1929eb71)},+  {FIELD_LITERAL(0x001bf51f7d65cdfd,0x00d14cdafa16a97d,0x002c38e60fcd10e7,0x00a27446e393efbd,0x000b5d8946a71fdd,0x0063df2cde128f2f,0x006c8679569b1888,0x0059ffc4925d732d)},+  {FIELD_LITERAL(0x00f05ea5df25a20f,0x00cb6224e5b932ce,0x00d3aed52e2718d9,0x00fb89ee0996ce72,0x006197045a6e1e80,0x00bcdf20057fc6f9,0x0059bf78b6ae5c2c,0x0049cacb87455db0)},+  {FIELD_LITERAL(0x006a15bb20f75c0c,0x0079a144027a5d0c,0x00d19116ce0b4d70,0x0059b83bcb0b268e,0x005f58f63f16c127,0x0079958318ee2c37,0x00defbb063d07f82,0x00f1f0b931d2d446)},+  {FIELD_LITERAL(0x009696510000d333,0x00ec2f788bc04826,0x000e4d02b1f67ba5,0x00659aa8dace08b6,0x00d7a38a3a3ae533,0x008856defa8c746b,0x004d7a4402d3da1a,0x00ea82e06229260f)},+  {FIELD_LITERAL(0x0034a1b3c3ca2bdd,0x0072077a35bca880,0x0005af4e935c1b8e,0x00a5f1a71e8b7737,0x004d3133292cb2e5,0x000fe2a2dca1c916,0x0024d181b41935bb,0x00d9f54880ca0332)},+  {FIELD_LITERAL(0x009ffd90abfeae96,0x00cba3c2b624a516,0x005ef08bcee46c91,0x00e6fde30afb6185,0x00f0b4db4f818ce4,0x006c54f45d2127f5,0x00040125035854c7,0x00372658a3287e13)},+  {FIELD_LITERAL(0x006f6fd9baac61d5,0x002a7710a020a895,0x009de0db7fc03d4d,0x00cdedcb1875f40b,0x00050caf9b6b1e22,0x005e3a6654456ab0,0x00775fdf8c4423d4,0x0028701ea5738b5d)},+  {FIELD_LITERAL(0x0028f8f04e414d54,0x0087037ba56c7694,0x00976b5b4d0ddb59,0x00a4227e6d462421,0x004c77c678b4c560,0x0006c9e74fb485a8,0x00c1c138a02d3981,0x0040a19403d6b6b5)},+  {FIELD_LITERAL(0x0045e8dda9400888,0x002ff12e5fc05db7,0x00a7098d54afe69c,0x00cdbe846a500585,0x00879c1593ca1882,0x003f7a7fea76c8b0,0x002cd73dd0c8e0a1,0x00645d6ce96f51fe)},+  {FIELD_LITERAL(0x00f19224ebba2aa5,0x0074f89d358e694d,0x00eea486597135ad,0x0081579a4555c7e1,0x0010b9b872930a9d,0x00f002e87a30ecc0,0x009b9d66b6de56e2,0x00a3c4f45e8004eb)},+  {FIELD_LITERAL(0x00d4817c1edc2929,0x00c67cb908be637f,0x00bd6dd1aa6bfe9c,0x00a1803a9fe7795c,0x001770d311e2cefb,0x0018054eca0d1c88,0x004fa667b240f212,0x00f631f7f055a447)},+  {FIELD_LITERAL(0x00f89335c2a59286,0x00a0f5c905d55141,0x00b41fb836ee9382,0x00e235d51730ca43,0x00a5cb37b5c0a69a,0x009b966ffe136c45,0x00cb2ea10bf80ed1,0x00fb2b370b40dc35)},+  {FIELD_LITERAL(0x0085e78af7758979,0x00275a4ee1631a3a,0x00d26bc0ed78b683,0x004f8355ea21064f,0x00d618e1a32696e5,0x008d8d7b150e5680,0x00a74cd854b278d2,0x001dd62702203ea0)},+  {FIELD_LITERAL(0x0029782e92b11745,0x008eadf422f96200,0x00217a39f2cdcaa2,0x00782d1ca9aefd0b,0x00321c6e47203654,0x001e72961020101a,0x00b562fa6e6ab16e,0x0005c92274af111a)},+  {FIELD_LITERAL(0x006bc3d53011f470,0x00032d6e692b83e8,0x00059722f497cd0b,0x0009b4e6f0c497cc,0x0058a804b7cce6c0,0x002b71d3302bbd5d,0x00e2f82a36765fce,0x008dded99524c703)},+  {FIELD_LITERAL(0x002e788749a865f7,0x006e4dc3116861ea,0x009f1428c37276e6,0x00e7d2e0fc1e1226,0x003aeebc6b6c45f6,0x0071a8073bf500c9,0x004b22ad986b530c,0x00f439e63c0d79d4)},+  {FIELD_LITERAL(0x00b2fa76ac8b829b,0x008fe6bf01865590,0x0059df538e389f40,0x006acd49eeea748a,0x00ab81280b990cfe,0x00c34a54ac57bfe5,0x003889ce9731cedf,0x0081b71cc1b4654d)},+  {FIELD_LITERAL(0x002f194eaafa46dc,0x008e38f57fe87613,0x00dc8e5ae25f4ab2,0x000a17809575e6bd,0x00d3ec7923ba366a,0x003a7e72e0ad75e3,0x0010024b88436e0a,0x00ed3c5444b64051)},+  {FIELD_LITERAL(0x001b2fc57bf3c738,0x006a3f918993fb80,0x0026f7a14fdec288,0x0075a2cdccef08db,0x00d3ecbc9eecdbf1,0x0048c40f06e5bf7f,0x00d63e423009896b,0x000598bc99c056a8)},+  {FIELD_LITERAL(0x007ce03ecbf50cbd,0x00369ba996b992ca,0x00896d4b33a5f7f0,0x00602b5b8536da60,0x00e1122082ba6d73,0x00c3fbb903ba0d74,0x00d3f8ec55c1daf8,0x006a8f96ca0f0be1)},+  {FIELD_LITERAL(0x001fb73475c45509,0x00d2b2e5ea43345a,0x00cb3c3842077bd1,0x0029f90ad820946e,0x007c11b2380778aa,0x009e54ece62c1704,0x004bc60c41ca01c3,0x004525679a5a0b03)},+  {FIELD_LITERAL(0x00766ae4190ec6d8,0x0065768cabc71380,0x00b902598416cdc2,0x00380021ad38df52,0x008f0b89d6551134,0x004254d4cc62c5a5,0x000d79f4484b9b94,0x00b516732ae3c50e)},+  {FIELD_LITERAL(0x0039b0422412784c,0x00bf9fe2ee8ce055,0x0063ddb8a4906298,0x00db48625178a0ea,0x009e9012c0fd3c4e,0x00ff30c60950d2c4,0x003b9453f5565977,0x0054dc1d7ff25dfb)},+  {FIELD_LITERAL(0x0017085f4a346148,0x00c7cf7a37f62272,0x001776e129bc5c30,0x009955134c9eef2a,0x001ba5bdf1df07be,0x00ec39497103a55c,0x006578354fda6cfb,0x005f02719d4f15ee)},+  {FIELD_LITERAL(0x000b3a37617632b0,0x00597199fe1cfb6c,0x0042a7ccdfeafdd6,0x004cc9f15ebcea17,0x00f436e596a6b4a4,0x00168861142df0d8,0x000753edfec26af5,0x000c495d7e388116)},+  {FIELD_LITERAL(0x00ad46264a269aa2,0x002b13845e4b9e3c,0x0006a20b68b0d7f4,0x00c271a35ee514ae,0x002b67e14a58f4d8,0x00f5065b099a60d6,0x00ba6737b90514bc,0x00b6265e7c5b898f)},+  {FIELD_LITERAL(0x00b60167d9e7d065,0x00e60ba0d07381e8,0x003a4f17b725c2d4,0x006c19fe176b64fa,0x003b57b31af86ccb,0x0021047c286180fd,0x00bdc8fb00c6dbb6,0x00fe4a9f4bab4f3f)},+  {FIELD_LITERAL(0x000a72d23dcb3f1f,0x00a3737f84011727,0x00f870c0fbbf4a47,0x00a7aadd04b5c9ca,0x000c7715c67bd072,0x00015a136afcd74e,0x0080d5caea499634,0x0026b448ec7514b7)},+  {FIELD_LITERAL(0x0077003c5e9eee08,0x006eaa1bdba2f437,0x007ae297ddfa8d2a,0x00aa8531e1aeb2d6,0x00ce283cc626efdc,0x00efe2f51d153115,0x00db954c07c84995,0x002ade92c7e00acf)},+  {FIELD_LITERAL(0x00a6295218dc136a,0x00563b3af0e9c012,0x00d3753b0145db1b,0x004550389c043dc1,0x00ea94ae27401bdf,0x002b0b949f2b7956,0x00c63f780ad8e23c,0x00e591c47d6bab15)},+  {FIELD_LITERAL(0x0057e7ea35f36dae,0x00f47d7ad15de22e,0x00d757ea4b105115,0x008311457d579d7e,0x00b49b75b1edd4eb,0x0081c7ff742fd63a,0x00ddda3187433df6,0x00475727d55f9c66)},+  {FIELD_LITERAL(0x00be93a7d4fa7149,0x00bef825a4d3396a,0x004c32daa951139b,0x003f4be7d981a85e,0x00e866d6ca8642d0,0x00b912bba6f1b2f8,0x00e28ba64c9cf5e1,0x0039504574996955)},+  {FIELD_LITERAL(0x002419222c607674,0x00a7f23af89188b3,0x00ad127284e73d1c,0x008bba582fae1c51,0x00fc6aa7ca9ecab1,0x003df5319eb6c2ba,0x002a05af8a8b199a,0x004bf8354558407c)},+  {FIELD_LITERAL(0x008d6009b26da3f8,0x00898e88ca06b1ca,0x00edb22b2ed7fe62,0x00fbc93516aabe80,0x008b4b470c42ce0d,0x00e0032ba7d0dcbb,0x00d76da3a956ecc8,0x007f20fe74e3852a)},+  {FIELD_LITERAL(0x003182b5cf0f0340,0x002fd3d8d9d60fc2,0x00b73ffe08bff43d,0x00d3dec97fee6a72,0x00675aafc6e16949,0x00d27f499c6f0c86,0x00e0578789f3387a,0x00e52031ab49ec2a)},+  {FIELD_LITERAL(0x006b7a0674f9f8de,0x00a742414e5c7cff,0x0041cbf3c6e13221,0x00e3a64fd207af24,0x0087c05f15fbe8d1,0x004c50936d9e8a33,0x001306ec21042b6d,0x00a4f4137d1141c2)},+  {FIELD_LITERAL(0x001ed4dc71fa2523,0x005d0bff19bf9b5c,0x00c3801cee065a64,0x001ed0b504323fbf,0x0003ab9fdcbbc593,0x00df82070178b8d2,0x00a2bcaa9c251f85,0x00c628a3674bd02e)},+  {FIELD_LITERAL(0x00f619046dea974f,0x004c39fedfde6ee7,0x00d593cb9f22afc5,0x00624e10ee9ab4ab,0x009c1b40f41869fd,0x0098f2cb44da6d46,0x002311d093becf31,0x004d97d1771880ab)},+  {FIELD_LITERAL(0x00ddbe0750dd1add,0x004b3c7b885844b8,0x00363e7ecf12f1ae,0x0062e953e6438f9d,0x0023cc73b076afe9,0x00b09fa083b4da32,0x00c7c3d2456c541d,0x005b591ec6b694d4)},+  {FIELD_LITERAL(0x000d5b4b3da135ab,0x00838f3e5064d81d,0x00d44eb50f6d94ed,0x0008931ab502ac6d,0x00debe01ca3d3586,0x0025c206775f0641,0x005ad4b6ae912763,0x007e2c318ad8f247)},+  {FIELD_LITERAL(0x00d79a91e629d030,0x00ad5b50fc20eb72,0x00edd89a222eb1bd,0x000ddad6fb098ea8,0x00b8be69a49c90c4,0x009bbe2d69ecd346,0x00a1def906a95a48,0x00db8fd6a6d2cca3)},+  {FIELD_LITERAL(0x00c41d1f9c1f1ac1,0x007b2df4e9f19146,0x00b469355fd5ba7a,0x00b5e1965afc852a,0x00388d5f1e2d8217,0x0022079e4c09ae93,0x0014268acd4ef518,0x00c1dd8d9640464c)},+  {FIELD_LITERAL(0x003fe038eb92f894,0x000e6da1b72e8e32,0x003a1411bfcbe0fa,0x00b55d473164a9e4,0x00b9a775ac2df48d,0x0002ddf350659e21,0x00a279a69eb19cb3,0x00f844eab25cba44)},+  {FIELD_LITERAL(0x00c7ad952112f3aa,0x00229739f81c017a,0x0008b9222b75a2a8,0x00bd0d6ad469c483,0x00e344297892a13c,0x00a1cbeb8f435a3d,0x0078e2be1f7a0bec,0x001ac54f670ba8cd)},+  {FIELD_LITERAL(0x00adb2c1566e8b8f,0x0096c68a35771a9a,0x00869933356f334a,0x00ba9c93459f5962,0x009ec73fb6e8ca4b,0x003c3802c27202e1,0x0031f5b733e0c008,0x00f9058c19611fa9)},+  {FIELD_LITERAL(0x004d51124797c831,0x008f5ae3750347ad,0x0070ced94c1a0c8e,0x00f6db2043898e64,0x000d00c9a5750cd0,0x000741ec59bad712,0x003c9d11aab37b7f,0x00a67ba169807714)},+  {FIELD_LITERAL(0x00dc70fe7eb5cbde,0x003cda5bb49331d7,0x00dec9068514f18c,0x00f3537d975b501d,0x00dd02de725b8e4b,0x0062327200072106,0x0034607e7e266644,0x00ebc51a91215cb6)},+  {FIELD_LITERAL(0x00a5187e6ee7341b,0x00e6d52e82d83b6e,0x00df3c41323094a7,0x00b3324f444e9de9,0x00689eb21a35bfe5,0x00f16363becd548d,0x00e187cc98e7f60f,0x00127d9062f0ccab)},+  {FIELD_LITERAL(0x0000623bf87622c5,0x00a1966fdd069496,0x00c315b7b812f9fc,0x00bdf5efcd128b97,0x001d464f532e3e16,0x003cd94f081bfd7e,0x00ed9dae12ce4009,0x002756f5736eee70)},+  {FIELD_LITERAL(0x00b528e4ce3d61bf,0x005a03531ed051d6,0x00bbda4aa68d7f12,0x001810a28e93ccb9,0x00ef4ac525bef536,0x006dcefdd9f9f364,0x006e3d9ed78d6381,0x00774bd6ff0713c4)},+  {FIELD_LITERAL(0x00c13c5aae3ae341,0x009c6c9ed98373e7,0x00098f26864577a8,0x0015b886e9488b45,0x0037692c42aadba5,0x00b83170b8e7791c,0x001670952ece1b44,0x00fd932a39276da2)},+  {FIELD_LITERAL(0x00f1e26e9762d4a8,0x00d9d74082183414,0x00ffec9bd57a0282,0x000919e128fd497a,0x00ab7ae7d00fe5f8,0x0054dc442851ff68,0x00c9ebeb3b861687,0x00507f7cab8b698f)},+  {FIELD_LITERAL(0x007e5cda6410cc67,0x00ab7f000be9ef84,0x0031b09f82de4167,0x00c003f7b4be2064,0x00bc2f44effafd2d,0x0013ca0a8a45cd9e,0x0035e70988cff10c,0x001744f57d827ab7)},+  {FIELD_LITERAL(0x009ae3b93a56c404,0x004a410b7a456699,0x00023a619355e6b2,0x009cdc7297387257,0x0055b94d4ae70d04,0x002cbd607f65b005,0x003208b489697166,0x00ea2aa058867370)},+  {FIELD_LITERAL(0x00df76b3328ada72,0x002e20621604a7c2,0x00f910638a105b09,0x00ef4724d96ef2cd,0x00377d83d6b8a2f7,0x00b4f48805ade324,0x001cd5da8b152018,0x0045af671a20ca7f)},+  {FIELD_LITERAL(0x000d62da6711c0cd,0x004b53ac7a27d523,0x0089cc150fb20e64,0x0055d2c2883154fe,0x00b5dcfd03448874,0x006d80dda2a505cb,0x00b57162afb80dc8,0x007ddb5162431acf)},+  {FIELD_LITERAL(0x00c845923c084294,0x00072419a201bc25,0x0045f408b5f8e669,0x00e9d6a186b74dfe,0x00e19108c68fa075,0x0017b91d874177b7,0x002f0ca2c7912c5a,0x009400aa385a90a2)},+  {FIELD_LITERAL(0x001cf640859b02f8,0x00758d1d5d5ce427,0x00763c784ef4604c,0x005fa81aee205270,0x00ac537bfdfc44cb,0x004b919bd342d670,0x00238508d9bf4b7a,0x00154888795644f3)},+  {FIELD_LITERAL(0x008eeef4feb7de7b,0x003012ffbb0d4107,0x00cb0d6fe30b99d1,0x00c4b51d598067cb,0x003356469016b7ee,0x00addaf85188542f,0x004538bdd8de18c1,0x00999dd4f0c59d4f)},+  {FIELD_LITERAL(0x0026ef1614e160af,0x00c023f9edfc9c76,0x00cff090da5f57ba,0x0076db7a66643ae9,0x0019462f8c646999,0x008fec00b3854b22,0x00d55041692a0a1c,0x0065db894215ca00)},+  {FIELD_LITERAL(0x00f8ac5cf4705b6a,0x00867d82dcb457e3,0x007e13ab2ccc2ce9,0x009ee9a018d3930e,0x008370f8ecb42df8,0x002d9f019add263e,0x003302385b92d196,0x00a15654536e2c0c)},+  {FIELD_LITERAL(0x0056dafc91f5bae3,0x00d5fc6f3c94933e,0x000d8fdf26f76b0b,0x00726f2ad342c280,0x001e2fec8c6d0c46,0x000fe83ea74ae570,0x00353cec2c128243,0x0046657e1c14bd2c)},+  {FIELD_LITERAL(0x008cc9cd236315c0,0x0031d9c5b39fda54,0x00a5713ef37e1171,0x00293d5ae2886325,0x00c4aba3e05015e1,0x0003f35ef78e4fc6,0x0039d6bd3ac1527b,0x0019d7c3afb77106)},+  {FIELD_LITERAL(0x00b54850275fe626,0x0053a3fd1ec71140,0x00e3d2d7dbe096fa,0x00e4ac7b595cce4c,0x0077bad449c0a494,0x00b7c98814afd5b3,0x0057226f58486cf9,0x00b1557154f0cc57)},+  {FIELD_LITERAL(0x0084e9d6ce567a50,0x0052bf5d1f2558ec,0x00920d83bff60ee7,0x00afc160b1d17413,0x008ae58837d3e7d1,0x00fd676c8896dba4,0x00004e170540611a,0x00f7ccb8f91f6541)},+  {FIELD_LITERAL(0x004246bfcecc627a,0x004ba431246c03a4,0x00bd1d101872d497,0x003b73d3f185ee16,0x001feb2e2678c0e3,0x00ff13c5a89dec76,0x00ed06042e771d8f,0x00a4fd2a897a83dd)},+  {FIELD_LITERAL(0x00dbca4e98a7dcd9,0x00ee29cfc78bde99,0x00e4a3b6995f52e9,0x0045d70189ae8096,0x00fd2a8a3b9b0d1b,0x00af1793b107d8e1,0x00dbf92cbe4afa20,0x00da60f798e3681d)},+  {FIELD_LITERAL(0x0065b5c41af29a68,0x0021ce9a03a5ef69,0x00b0c0a91cba4f38,0x0008408de2a54743,0x00bcec1b84f673ae,0x001b382a3f1e5244,0x00d1c1c24c9afae1,0x005b7f3d32956904)},+  {FIELD_LITERAL(0x004ede34af2813f3,0x00d4a8e11c9e8216,0x004796d5041de8a5,0x00c4c6b4d21cc987,0x00e8a433ee07fa1e,0x0055720b5abcc5a1,0x008873ea9c74b080,0x005b3fec1ab65d48)},+  {FIELD_LITERAL(0x00417fa30a7119ed,0x00af257758419751,0x00d358a487b463d4,0x0089703cc720b00d,0x00ce56314ff7f271,0x0064db171ade62c1,0x00640b36d4a22fed,0x00424eb88696d23f)},+  {FIELD_LITERAL(0x00b81ad88248f13a,0x00f5f69399248294,0x004be9b33e8cfea6,0x00b56087c018df01,0x0057e8846bbb6242,0x006a5db00b65a660,0x00963e3a87daf343,0x00badfe6dec2140b)},+  {FIELD_LITERAL(0x001bd59c09e982ea,0x00f72daeb937b289,0x0018b76dca908e0e,0x00edb498512384ad,0x00ce0243b6cc9538,0x00f96ff690cb4e70,0x007c77bf9f673c8d,0x005bf704c088a528)},+  {FIELD_LITERAL(0x0021ce99e09ebda3,0x00fcbd9f91875ad0,0x009bbf6b7b7a0b5f,0x00388886a69b1940,0x00926a56d0f81f12,0x00e12903c3358d46,0x005dfce4e8e1ce9d,0x0044cfa94e2f7e23)},+  {FIELD_LITERAL(0x006c2b9d7234cc41,0x006ad9c2ae2bda7d,0x00b64cdddba701f9,0x00180318c49ac580,0x00c35d14319f4c95,0x003a21dc65cd415b,0x009c474c28e04940,0x00c65114875e57c6)},+  {FIELD_LITERAL(0x00fb22bb5fd3ce50,0x0017b48aada7ae54,0x00fd5c44ad19a536,0x000ccc4e4e55e45c,0x00fd637d45b4c3f5,0x0038914e023c37cf,0x00ac1881d6a8d898,0x00611ed8d3d943a8)},+  {FIELD_LITERAL(0x007dc52da400336c,0x001fded1e15b9457,0x00902e00f5568e3a,0x00219bef40456d2d,0x005684161fb3dbc9,0x004a4e9be49a76ea,0x006e685ae88b78ff,0x0021c42f13042d3c)},+  {FIELD_LITERAL(0x00a91dda62eec2d4,0x00a6b7e64d7b13e9,0x00384086b44c9969,0x008de118af683239,0x0008e416fb85d76c,0x0020945ebda9b120,0x0096a7f485e7b172,0x000fa91c7035f011)},+  {FIELD_LITERAL(0x005e8694077a1535,0x008bef75f71c8f1d,0x000a7c1316423511,0x00906e1d70604320,0x003fc46c1a2ffbd6,0x00d1d5022e68f360,0x002515fba37bbf46,0x00ca16234e023b44)},+  {FIELD_LITERAL(0x009df98566a18c6d,0x00cf3a200968f219,0x0044ba60da6d9086,0x00dbc9c0e344da03,0x000f9401c4466855,0x00d46a57c5b0a8d1,0x00875a635d7ac7c6,0x00ef4a933b7e0ae6)},+  {FIELD_LITERAL(0x00878366a9e0b96f,0x0057a8573ea9e0d8,0x005ef206ddc3f601,0x0046756a9d1c4eab,0x00bccf478bb3c12c,0x001f97ed7f813a3b,0x001b309582460e1c,0x0026a4f760ecd5cb)},+  {FIELD_LITERAL(0x00139078397030bd,0x000e3c447e859a00,0x0064a5b334c82393,0x00b8aabeb7358093,0x00020778bb9ae73b,0x0032ee94c7892a18,0x008215253cb41bda,0x005e2797593517ae)},+  {FIELD_LITERAL(0x002922b39ca33eec,0x0090d12a5f3ab194,0x00ab60c02fb5f8ed,0x00188d292abba1cf,0x00e10edec9698f6e,0x0069a4d9934133c8,0x0024aac40e6d3d06,0x001702c2177661b0)},+  {FIELD_LITERAL(0x007c89a5a07aa2b5,0x00ae492ecae4711d,0x00ee921ab74f0844,0x007842778fc5005f,0x006a4d33cb28022c,0x007b327e4ac0f437,0x007a9d0366acaf12,0x005c6544e6c9ae1c)},+  {FIELD_LITERAL(0x0091868594265aa2,0x00797accae98ca6d,0x0008d8c5f0f8a184,0x00d1f4f1c2b2fe6e,0x0036783dfb48a006,0x008c165120503527,0x0025fd780058ce9b,0x0068beb007be7d27)},+  {FIELD_LITERAL(0x0019e23f0474b114,0x00eb94c2ad3b437e,0x006ddb34683b75ac,0x00391f9209b564c6,0x00083b3bb3bff7aa,0x00eedcd0f6dceefc,0x00b50817f794fe01,0x0036474deaaa75c9)},+  {FIELD_LITERAL(0x002f007755836f3d,0x004d39f2530acc6b,0x006b58d7b2699929,0x004126fdd3185e62,0x003aeaac0f32897c,0x003c0478f4edb66d,0x0072f43ac66a9364,0x0003730da744777a)},+  {FIELD_LITERAL(0x0045fdc16487cda3,0x00b2d8e844cf2ed7,0x00612c50e88c1607,0x00a08aabc66c1672,0x006031fdcbb24d97,0x001b639525744b93,0x004409d62639ab17,0x00a1853d0347ab1d)},+  {FIELD_LITERAL(0x003667bf998406f8,0x0000115c43a12975,0x001e662f3b20e8fd,0x0019ffa534cb24eb,0x00016be0dc8efb45,0x00ff76a8b26243f5,0x00ae20d241a541e3,0x0069bd6af13cd430)},+  {FIELD_LITERAL(0x008a5e5a9140a3de,0x005c18d41653ac12,0x0010321e9d6e8f3d,0x00fbdda016e10aca,0x0077fb6038c20257,0x00b5438b7a81ed77,0x00db1dbcb9a8ce83,0x0026734c2c1aabc3)},+  {FIELD_LITERAL(0x007e32c049b5c477,0x009d2bfdbd9bcfd8,0x00636e93045938c6,0x007fde4af7687298,0x0046a5184fafa5d3,0x0079b1e7f13a359b,0x00875adf1fb927d6,0x00333e21c61bcad2)},+  {FIELD_LITERAL(0x00b4b53eab6bdb19,0x009b22d8b43711d0,0x00d948b9d961785d,0x00cb167b6f279ead,0x00191de3a678e1c9,0x00d9dd9511095c2e,0x00f284324cd43067,0x00ed74fa535151dd)},+  {FIELD_LITERAL(0x00fb7feb08c27472,0x008a97b55f699c77,0x006d41820f923b83,0x006831432f0aa975,0x00a58ffb263b3955,0x004f13449a66db38,0x0026fccd22b6d583,0x00a803eb20eeb6c2)},+  {FIELD_LITERAL(0x007df6cbb926830b,0x00d336058ae37865,0x007af47dac696423,0x0048d3011ec64ac8,0x006b87666e40049f,0x0036a2e0e51303d7,0x00ba319bd79dbc55,0x003e2737ecc94f53)},+  {FIELD_LITERAL(0x0008ed8ea0ad95be,0x0041d324b9709645,0x00e25412257a19b4,0x0058df9f3423d8d2,0x00a9ab20def71304,0x009ae0dbf8ac4a81,0x00c9565977e4392a,0x003c9269444baf55)},+  {FIELD_LITERAL(0x002d69008d9d8d26,0x00092f686d7030a8,0x001f19e95aa28fec,0x002150bab1261538,0x008c5a941210b26c,0x009330209036d1e6,0x0062e11ec8e58de7,0x0011c3d11bb9d27f)},+  {FIELD_LITERAL(0x008132ae5c5d8cd1,0x00121d68324a1d9f,0x00d6be9dafcb8c76,0x00684d9070edf745,0x00519fbc96d7448e,0x00388182fdc1f27e,0x000235baed41f158,0x00bf6cf6f1a1796a)},+  {FIELD_LITERAL(0x00437bce9bccdf9d,0x00e0c8e2f85dc0a3,0x00c91a7073995a19,0x00856ec9fe294559,0x009e4b33394b156e,0x00e245b0dc497e5c,0x006a54e687eeaeff,0x00f1cd1cd00fdb7c)},+  {FIELD_LITERAL(0x00d523b4b2eb7de6,0x00cf7b525f2c56f5,0x00b9217554f0d1b1,0x00bad2cbd5984a02,0x002b4af0fe2b21dd,0x002492603f310486,0x0073e7b3795b9d32,0x001e837c89b2bd25)},+  {FIELD_LITERAL(0x00ce382dc7993d92,0x00021153e938b4c8,0x00096f7567f48f51,0x0058f81ddfe4b0d5,0x00cc379a56b355c7,0x002c760770d3e819,0x00ee22d1d26e5a40,0x00de6d93d5b082d7)},+  {FIELD_LITERAL(0x007b2743b9a1e01a,0x007847ffd42688c4,0x006c7844d610a316,0x00f0cb8b250aa4b0,0x00a19060143b3ae6,0x0014eb10b77cfd80,0x000170905729dd06,0x00063b5b9cd72477)},+  {FIELD_LITERAL(0x00f56e5bd3ad1fa9,0x00e7a09488031815,0x00f7fc3ae69d094a,0x00ddad7a7d45a9c2,0x00bc07fbf167a928,0x007a5d6137e0479f,0x00a0659eeab60a00,0x003e068b1342b4f9)},+  {FIELD_LITERAL(0x00ffc5c89d2b0cba,0x00d363d42e3e6fc3,0x0019a1a0118e2e8a,0x00f7baeff48882e1,0x001bd5af28c6b514,0x0055476ca2253cb2,0x00d8eb1977e2ddf3,0x00b173b1adb228a1)},+  {FIELD_LITERAL(0x005b64c6fd65ec97,0x00c1fdd7f877bc7f,0x000d9cc6c89f841c,0x005c97b7f1aff9ad,0x0075e3c61475d47e,0x001ecb1ba8153011,0x00fe7f1c8d71d40d,0x003fa9757a229832)},+  {FIELD_LITERAL(0x000d346622f528f8,0x001e1f7497a62227,0x00fff70d2f9af433,0x002812c6d079ea3c,0x006898af56b25d7f,0x00c17c44f1349645,0x00207172ea3eb539,0x000608e8bd6a263d)},+  {FIELD_LITERAL(0x002389319450f9ba,0x003677f31aa1250a,0x0092c3db642f38cb,0x00f8b64c0dfc9773,0x00cd49fe3505b795,0x0068105a4090a510,0x00df0ba2072a8bb6,0x00eb396143afd8be)},+  {FIELD_LITERAL(0x00f11cc8e0e70bcb,0x00e5dc689974e7dd,0x0014e409f9ee5870,0x00826e6689acbd63,0x008a6f4e3d895d88,0x00b26a8da41fd4ad,0x000fb7723f83efd7,0x009c749db0a5f6c3)},+  {FIELD_LITERAL(0x005f2b1304db3200,0x0022507ff7459b86,0x000f4c1c92b4f0bb,0x00c8cb42c50e0eb9,0x004781d1038aad80,0x002dcf20aa2254af,0x00d9ecda851a93e2,0x0043f6b92eca6cb2)},+  {FIELD_LITERAL(0x0067f8f0c4fe26c9,0x0079c4a3cc8f67b9,0x0082b1e62f23550d,0x00f2d409caefd7f5,0x0080e67dcdb26e81,0x0087ae993ea1f98a,0x00aa108becf61d03,0x001acf11efb608a3)},+  {FIELD_LITERAL(0x00468711bd994651,0x0033108fa67561bf,0x0089d760192a54b4,0x00adc433de9f1871,0x000467d05f36e050,0x007847e0f0579f7f,0x00a2314ad320052d,0x00b3a93649f0b243)},+  {FIELD_LITERAL(0x007dda014454af26,0x000c49fa1b22df7c,0x005cd4d7e761dc2d,0x002af81a1a14b368,0x00a5e57b1cfd7ddf,0x00f90ab3e3a0f738,0x005cb83734d7bc0f,0x00f608c16abb405a)},+  {FIELD_LITERAL(0x00e828333c297f8b,0x009ef3cf8c3f7e1f,0x00ab45f8fff31cb9,0x00c8b4178cb0b013,0x00d0c50dd3260a3f,0x0097126ac257f5bc,0x0042376cc90c705a,0x001d96fdb4a1071e)},+  {FIELD_LITERAL(0x006c59c9ae744185,0x009fc32f1b4282cd,0x004d6348ca59b1ac,0x00105376881be067,0x00af4096013147dc,0x004abfb5a5cb3124,0x000d2a7f8626c354,0x009c6ed568e07431)},+  {FIELD_LITERAL(0x00abd2bb27611e57,0x00cf99bd1fbbd267,0x006f7ac78d478cc7,0x00dc9d340dd23fbb,0x00d3ddd520099c46,0x009836dbb6a03486,0x00f19de267c36883,0x0020885613349904)},+  {FIELD_LITERAL(0x00832d02369b482c,0x00cba52ff0d93450,0x003fa9c908d554db,0x008d1e357b54122f,0x00abd91c2dc950c6,0x007eff1df4c0ec69,0x003f6aeb13fb2d31,0x00002d6179fc5b2c)},+  {FIELD_LITERAL(0x002809e4bbf1814a,0x00b9e854f9fafb32,0x00d35e67c10f7a67,0x008f1bcb76e748cf,0x004224d9515687d2,0x005ba0b774e620c4,0x00b5e57db5d54119,0x00e15babe5683282)},+  {FIELD_LITERAL(0x00b9361257e36376,0x0049f348e3709d03,0x00dd0a597c455aa7,0x00078ce603320668,0x00635f64ae3195dc,0x00a4ed450b508288,0x0075b9adb5e1cc1d,0x00fca588167741f2)},+  {FIELD_LITERAL(0x00a9e7730a819691,0x00d9cc73c4992b70,0x00e299bde067de5a,0x008c314eb705192a,0x00e7226f17e8a3cc,0x0029dfd956e65a47,0x0053a8e839073b12,0x006f942b2ab1597e)},+  {FIELD_LITERAL(0x00a7efe46a7dbe2f,0x002f66fd55014fe7,0x006a428afa1ff026,0x0056caaa9604ab72,0x0033f3bcd7fac8ae,0x00ccb1aa01c86764,0x00158d1edf13bf40,0x009848ee76fcf3b4)},+  {FIELD_LITERAL(0x00e3c287f132a1c6,0x006b0db804233a01,0x002a387902ad889b,0x00490b258b0f24d5,0x007f0e0745232a02,0x000c95c8c52d1dc4,0x0007fb060bcbc40d,0x002e50bf139dc67d)},+  {FIELD_LITERAL(0x0039343746531ebe,0x00c8509d835d429d,0x00e79eceff6b0018,0x004abfd31e8efce5,0x007bbfaaa1e20210,0x00e3be89c193e179,0x001c420f4c31d585,0x00f414a315bef5ae)},+  {FIELD_LITERAL(0x0082aeace5f1b144,0x00f68b3108cf4dd3,0x00634af01dde3020,0x000beab5df5c2355,0x00e8b790d1b49b0b,0x00e48d15854e36f4,0x0040ab2d95f3db9f,0x002711c4ed9e899a)},+  {FIELD_LITERAL(0x0083d695db66f207,0x002a2f8ada58aa77,0x002271eec16b4818,0x008443a70141f337,0x00d60ae50640352b,0x00816cee1385490c,0x006577b21e989cbc,0x00af2a0d2317b416)},+  {FIELD_LITERAL(0x0098cddc8b39549a,0x006da37e3b05d22c,0x00ce633cfd4eb3cb,0x00fda288ef526acd,0x0025338878c5d30a,0x00f34438c4e5a1b4,0x00584efea7c310f1,0x0041a551f1b660ad)},+  {FIELD_LITERAL(0x005fa020cca2450a,0x00491c29db6416d8,0x0037cefe3f9f9a85,0x003d405230647066,0x0049e835f0fdbe89,0x00feb78ac1a0815c,0x00828e4b32dc9724,0x00db84f2dc8d6fd4)},+  {FIELD_LITERAL(0x002808570429bc85,0x009d78dbec40c8ac,0x0052b4434bc3a7b4,0x00801b6419fe281c,0x008839a68764540a,0x0014ba034f958be4,0x00a31dbb6ec068f7,0x0077bd9bfe8c9cd9)},+  {FIELD_LITERAL(0x00a0b68ec1eb72d2,0x002c03235c0d45a0,0x00553627323fe8c5,0x006186e94b17af94,0x00a9906196e29f14,0x0025b3aee6567733,0x007e0dd840080517,0x0018eb5801a4ba93)},+  {FIELD_LITERAL(0x007bf562ca768d7c,0x006c1f3a174e387c,0x00f024b447fee939,0x007e7af75f01143f,0x003adb70b4eed89d,0x00e43544021ad79a,0x0091f7f7042011f6,0x0093c1a1ee3a0ddc)},+  {FIELD_LITERAL(0x0028018fe84095bf,0x0091c0f9db41f3bd,0x0000445dfaca7dba,0x000603d307e6bdc6,0x00726c4c840ea4b0,0x009220d1c741716a,0x00d4918640a03006,0x0054caa25bda1d21)},+  {FIELD_LITERAL(0x003973d8938971d6,0x002aca26fa80c1f5,0x00108af1faa6b513,0x00daae275d7924e6,0x0053634ced721308,0x00d2355fe0bbd443,0x00357612b2d22095,0x00f9bb9dd4136cf3)},+  {FIELD_LITERAL(0x00938f97e20be973,0x0099141a36aaf306,0x0057b0ca29e545a1,0x0085db571f9fbc13,0x008b333c554b4693,0x0043ab6ef3e241cb,0x0054fb20aa1e5c70,0x00be0ff852760adf)},+  {FIELD_LITERAL(0x00d400ed30a1fc5a,0x00e424e0575e6307,0x0036e3986c07b2c6,0x0007960e4d145650,0x00a643ab823cdc93,0x0026e9ee292c7976,0x001f9d2555d3fdeb,0x0012c3fb833d437d)},+  {FIELD_LITERAL(0x0062dd0fb31be374,0x00fcc96b84c8e727,0x003f64f1375e6ae3,0x0057d9b6dd1af004,0x00d6a167b1103c7b,0x00dd28f3180fb537,0x004ff27ad7167128,0x008934c33461f2ac)},+  {FIELD_LITERAL(0x000050d70c32b31a,0x001939d576d437b3,0x00d709e598bf9fe6,0x00a885b34bd2ee9e,0x00dd4b5c08ab1a50,0x0091bebd50b55639,0x00cf79ff64acdbc6,0x006067a39d826336)},+  {FIELD_LITERAL(0x009a4b8d486fffbc,0x00458102d00ef9b4,0x00f498293b3cfdf0,0x00ed2d7b960b1b92,0x00ce3cd6c68fc137,0x004b60f431eccf99,0x00081efbe9e7e2b8,0x00a36f0ae7981133)},+  {FIELD_LITERAL(0x0006918f5dfce6dc,0x00d4bf1c793c57fb,0x0069a3f649435364,0x00e89a50e5b0cd6e,0x00b9f6a237e973af,0x006d4ed8b104e41d,0x00498946a3924cd2,0x00c136ec5ac9d4f7)},+  {FIELD_LITERAL(0x0051207abd179101,0x00fc2a5c20d9c5da,0x00fb9d5f2701b6df,0x002dd040fdea82b8,0x00f163b0738442ff,0x00d9736bd68855b8,0x00e0d8e93005e61c,0x00df5a40b3988570)},+  {FIELD_LITERAL(0x00ee563d6f53acc9,0x00d465d2b5959acc,0x006575973bba26c8,0x00c9e4d84f81a1a3,0x00c3fbc4e8aa468a,0x0048149930eeaa11,0x008850a6f611000d,0x006709f6788337f9)},+  {FIELD_LITERAL(0x00b373076597455f,0x00e83f1af53ac0f5,0x0041f63c01dc6840,0x0097dea19b0c6f4b,0x007f9d63b4c1572c,0x00e692d492d0f5f0,0x00cbcb392e83b4ad,0x0069c0f39ed9b1a8)},+  {FIELD_LITERAL(0x00ab13af436bf8f4,0x000bcf0a0dac8574,0x00d50c864f705045,0x00c40e611debc842,0x0085010489bd5caa,0x007c5050acec026f,0x00f67d943c8da6d1,0x00de1da0278074c6)},+  {FIELD_LITERAL(0x0079efcffed8f836,0x00604423802b5504,0x0070a6e294aab7dd,0x0020f75be15e7521,0x0062827c19bd5414,0x006738e425c48700,0x00dd37618fde0ffa,0x00bb2d65c01e1c3b)},+  {FIELD_LITERAL(0x00c903ee6d825540,0x00add6c4cf98473e,0x007636efed4227f1,0x00905124ae55e772,0x00e6b38fab12ed53,0x0045e132b863fe55,0x003974662edb366a,0x00b1787052be8208)},+  {FIELD_LITERAL(0x00e748cd7b5c52f2,0x00ea9df883f89cc3,0x0018970df156b6c7,0x00c5a46c2a33a847,0x00cbde395e32aa09,0x0072474ebb423140,0x00fb00053086a23d,0x001dafcfe22d4e1f)},+  {FIELD_LITERAL(0x0059eb4ff288a383,0x00283876be3388ab,0x00bdd22974a2543b,0x0059eef0fe982d74,0x0097a5cf63dad778,0x004bc6002aebc99f,0x00c9a91d6118c690,0x0038364612a527ab)},+  {FIELD_LITERAL(0x00006e34a35d9fbc,0x00eee4e48b2f019a,0x006b344743003a5f,0x00541d514f04a7e3,0x00e81f9ee7647455,0x005e2b916c438f81,0x00116f8137b7eff0,0x009bd3decc7039d1)},+  {FIELD_LITERAL(0x0040f7e7c5b37bf2,0x0064e4dc81181bba,0x00a8767ae2a366b6,0x001496b4f90546f2,0x002a28493f860441,0x0021f59513049a3a,0x00852d369a8b7ee3,0x00dd2e7d8b7d30a9)},+  {FIELD_LITERAL(0x00fa2dd90bcbeef2,0x00507d774710de2a,0x00b585ad10e7e373,0x0041f487e4b4f921,0x00191c9d8212f81d,0x001bc55cbdd8d474,0x0017954bdba8827b,0x0004d6d3a991ca44)},+  {FIELD_LITERAL(0x00e38abece3c82ab,0x005a51f18a2c7a86,0x009dafa2e86d592e,0x00495a62eb688678,0x00b79df74c0eb212,0x0023e8cc78b75982,0x005998cb91075e13,0x00735aa9ba61bc76)},+  {FIELD_LITERAL(0x00334f5303ea1222,0x00dfb3dbeb0a5d3e,0x002940d9592335c1,0x00706a7a63e8938a,0x005a533558bc4caf,0x00558e33192022a9,0x00970d9faf74c133,0x002979fcb63493ca)},+  {FIELD_LITERAL(0x00260857d22419d7,0x005e0387d77651f0,0x008e0025ed2eb499,0x00c830b135804c2a,0x0037f43dbd3a77f6,0x008a4073d2f7379c,0x0072be0ce503ad58,0x00e6869d130c78be)},+  {FIELD_LITERAL(0x00bfc5fa1e4ea21f,0x00c21d7b6bb892e6,0x00cf043f3acf0291,0x00c13f2f849b3c90,0x00d1a97ebef10891,0x0061e130a445e7fe,0x0019513fdedbf22b,0x001d60c813bff841)},+  {FIELD_LITERAL(0x006e9f475cccf2ee,0x00454b9cd506430c,0x00224a4fb79ee479,0x0062e3347ef0b5e2,0x0034fd2a3512232a,0x00b8b3cb0f457046,0x00eb20165daa38ec,0x00128eebc2d9c0f7)},+  {FIELD_LITERAL(0x00e6a9e38030fdec,0x001c23597bc14288,0x0097156a46356df1,0x00642048f0daca6a,0x003970a6e7955fd4,0x00a511e335e3cfc6,0x0054865756c85e31,0x00465f1ab66a6190)},+  {FIELD_LITERAL(0x003e4964fa8a8fc8,0x00f6a1cdbcf41689,0x00943cb18fe7fda7,0x00606dafbf34440a,0x005d37a86399c789,0x00e79a2a69417403,0x00fe34f7e68b8866,0x0011f448ed2df10e)},+  {FIELD_LITERAL(0x00c79e0b6d97dfbd,0x00917c71fd2bc6e8,0x00db7529ccfb63d8,0x00be5be957f17866,0x00a9e11fdc2cdac1,0x007b91a8e1f44443,0x00a3065e4057d80f,0x004825f5b8d5f6d4)},+  {FIELD_LITERAL(0x000e0a81033e033b,0x00aec986ee821eab,0x00d1a4a48379273c,0x00609b79a9e06304,0x00e9618b4fe8f307,0x006ffdfa50b50969,0x009530224887ac0c,0x0020e7b36f0cef97)},+  {FIELD_LITERAL(0x00fd579ffb691713,0x00b76af4f81c412d,0x00f239de96110f82,0x00e965fb437f0306,0x00ca7e9436900921,0x00e487f1325fa24a,0x00633907de476380,0x00721c62ac5b8ea0)},+  {FIELD_LITERAL(0x00b37396c3320791,0x00fc7b67175c5783,0x00c36d2cd73ecc38,0x0080ebcc0b328fc5,0x0043a5b22b35d35d,0x00466c9f1713c9da,0x0026ad346dcaa8da,0x007c684e701183a6)},+  {FIELD_LITERAL(0x003f2ab1abd14b06,0x00b129a8e8e37230,0x0048bc5b083d5c64,0x0002606c12933a98,0x00cf8051ceec1a73,0x00a755a8836c3ce6,0x002dabaa90ca4cb9,0x00b6e5525ddfc0f2)},+  {FIELD_LITERAL(0x00c4a1fb48635413,0x00b5dd54423ad59f,0x009ff5d53fd24a88,0x003c98d267fc06a7,0x002db7cb20013641,0x00bd1d6716e191f2,0x006dbc8b29094241,0x0044bbf233dafa2c)},+  {FIELD_LITERAL(0x00dff3103786ff34,0x000144553b1f20c3,0x0095613baeb930e4,0x00098058275ea5d4,0x007cd1402b046756,0x0074d74e4d58aee3,0x005f93fc343ff69b,0x00873df17296b3b0)},+  {FIELD_LITERAL(0x00aa7c72be0ace19,0x004095d22fc37e4d,0x00a7d85f9e3b7c61,0x00ff21d344c9553c,0x00d105d6268e8b86,0x000616d733758845,0x003ecb4ba7210610,0x006a75e7dddc03b7)},+  {FIELD_LITERAL(0x007860d99db787cf,0x00fda8983018f4a8,0x008c8866bac4743c,0x00ef471f84c82a3f,0x00abea5976d3b8e7,0x00714882896cd015,0x00b49fae584ddac5,0x008e33a1a0b69c81)},+  {FIELD_LITERAL(0x000a9ee23c06881f,0x002c727d3d871945,0x00f47d971512d24a,0x00671e816f9ef31a,0x00883af2cfaad673,0x00601f98583d6c9a,0x00b435f5adc79655,0x00ad87b71c04bff2)},+  {FIELD_LITERAL(0x0084911d36175613,0x00dbaa24427629dd,0x009b6f30b1554fc7,0x0026da093cf7ea9e,0x00eac4cfb8218c7c,0x00c4bde074231490,0x0089e5b5afb62587,0x0067fcb73adfdbcc)},+  {FIELD_LITERAL(0x00eebfd4e2312cc3,0x00474b2564e4fc8c,0x003303ef14b1da9b,0x003c93e0e66beb1d,0x0013619b0566925a,0x008817c24d901bf3,0x00b62bd8898d218b,0x0075a7716f1e88a2)},+  {FIELD_LITERAL(0x007f8a43da97dd5c,0x00058539c800fc7b,0x0040f3cf5a28414a,0x00d68dd0d95283d6,0x004adce9da90146e,0x00befa41c7d4f908,0x007603bc2e3c3060,0x00bdf360ab3545db)},+  {FIELD_LITERAL(0x00f6de725e1976f0,0x00d96f80a02fda8a,0x00b25412a0e629fa,0x00c540e7e78fdb62,0x004ad02fb7336d3a,0x004922ae1bea5a3a,0x0026147d42d4bfeb,0x00d379a5bc4b94bc)},+  {FIELD_LITERAL(0x00c338b915d8fef0,0x00a893292045c39a,0x0028ab4f2eba6887,0x0060743cb519fd61,0x0006213964093ac0,0x007c0b7a43f6266d,0x008e3557c4fa5bda,0x002da976de7b8d9d)},+  {FIELD_LITERAL(0x0070047189452f4c,0x00f7ad12e1ce78d5,0x00af1ba51ec44a8b,0x005f39f63e667cd6,0x00058eac4648425e,0x00d7fdab42bea03b,0x0028576a5688de15,0x00af973209e77c10)},+  {FIELD_LITERAL(0x00b78d6075749232,0x0001dc47a33b2cdc,0x0018c7b2e91b24f1,0x00b5bdc68f9876bd,0x0013f489ccba2b44,0x003b8846066128de,0x003d6252c8884dcf,0x00e3ae84b9908209)},+  {FIELD_LITERAL(0x00aa2261022d883f,0x00ebcca4548010ac,0x002528512e28a437,0x0070ca7676b66082,0x0084bda170f7c6d3,0x00581b4747c9b8bb,0x005c96a01061c7e2,0x00fb7c4a362b5273)},+  {FIELD_LITERAL(0x006366c380f7b574,0x001c7d1f09ff0438,0x003e20a7301f5b22,0x00d3efb1916d28f6,0x0049f4f81060ce83,0x00c69d91ea43ced1,0x002b6f3e5cd269ed,0x005b0fb22ce9ec65)},+  {FIELD_LITERAL(0x003cffdf14aed2fd,0x009f0d77d7c5b2d9,0x004812ec41321d9f,0x008a1448bddf0916,0x008fef86030175df,0x00e3d703200a76c7,0x00d1babb470b2094,0x009f3a43b0e5828c)},+  {FIELD_LITERAL(0x00a94700032a093f,0x0076e96c225216e7,0x00a63a4316e45f91,0x007d8bbb4645d3b2,0x00340a6ff22793eb,0x006f935d4572aeb7,0x00b1fb69f00afa28,0x009e8f3423161ed3)},+  {FIELD_LITERAL(0x00ae307cf069f701,0x005859f222dd618b,0x00212d6c46ec0b0d,0x00a0fe4642afb62d,0x00420d8e4a0a8903,0x00a80ff639bdf7b0,0x0019bee1490b5d8e,0x007439e4b9c27a86)},+  {FIELD_LITERAL(0x00610b6394a312e8,0x005aaa19d96160f5,0x008190e286138c4a,0x006538796a5cd53b,0x00fe28804432a97c,0x007315e011f55112,0x000bd4157d5acb9d,0x00d1b95469350336)},+  {FIELD_LITERAL(0x0060db815bc4786c,0x006fab25beedc434,0x00c610d06084797c,0x000c48f08537bec0,0x0031aba51c5b93da,0x007968fa6e01f347,0x0030070da52840c6,0x00c043c225a4837f)},+  {FIELD_LITERAL(0x0051cfcc5885377a,0x00dce566cb1803ca,0x00430c7643f2c7d4,0x00dce1a1337bdcc0,0x0010d5bd7283c128,0x003b1b547f9b46fe,0x000f245e37e770ab,0x007b72511f022b37)},+  {FIELD_LITERAL(0x00e4302ff9b6116c,0x0092314b81d5f02a,0x000d31425f30702f,0x004946262e04213c,0x007ead9d19b6f9ed,0x001080a31ce8989f,0x001b632f36672a74,0x00a03933d9645a83)},+  {FIELD_LITERAL(0x004a2902926f8d3f,0x00ad79b42637ab75,0x0088f60b90f2d4e8,0x0030f54ef0e398c4,0x00021dc9bf99681e,0x007ebf66fde74ee3,0x004ade654386e9a4,0x00e7485066be4c27)},+  {FIELD_LITERAL(0x008940211aa0d633,0x00addae28136571d,0x00d68fdbba20d673,0x003bc6129bc9e21a,0x000346cf184ebe9a,0x0068774d741ebc7f,0x0019d5e9e6966557,0x0003cbd7f981b651)},+  {FIELD_LITERAL(0x00bba0ed9c67c41f,0x00b30c8e225ba195,0x008bb5762a5cef18,0x00e0df31b06fb7cc,0x0018b912141991d5,0x00f6ed54e093eac2,0x0009e288264dbbb3,0x00feb663299b89ef)}+};+const gf API_NS(precomputed_wnaf_as_fe)[96]+VECTOR_ALIGNED = {+  {FIELD_LITERAL(0x00cfc32590115acd,0x0079f0e2a5c7af1b,0x00dd94605b8d7332,0x0097dd6c75f5f3f3,0x00d9c59e36156de9,0x00edfbfd6cde47d7,0x0095b97c9f67c39a,0x007d7b90f587debc)},+  {FIELD_LITERAL(0x00cfc32590115acd,0x0079f0e2a5c7af1b,0x00dd94605b8d7332,0x0017dd6c75f5f3f3,0x00d9c59e36156de8,0x00edfbfd6cde47d7,0x0095b97c9f67c39a,0x00fd7b90f587debc)},+  {FIELD_LITERAL(0x001071dd4d8ae672,0x004f14ebe5f4f174,0x00e0987625c34c73,0x0092d00712c6f8c1,0x009ef424965e980b,0x00a8e0cf9369764b,0x000aa81907b4d207,0x00d5002c74d37924)},+  {FIELD_LITERAL(0x00f3c4efe62b8b17,0x001e6acc1b6add7b,0x003367ef45836df5,0x000efc2d87a6ba53,0x00405a96933964ca,0x00572c2ae16357c6,0x00a9dc34ba6a7946,0x00151831e32ad161)},+  {FIELD_LITERAL(0x00315f0372d1774a,0x007de9ed2960e79d,0x008b3d7c4c198add,0x00a5e6a45fa57892,0x00f32201aa80115a,0x007fb9386a433a1a,0x00abf6960b291ee6,0x002d8069294ebc2a)},+  {FIELD_LITERAL(0x00fa5e878ae22827,0x00d33c7bb3963bd0,0x0053401a101efac6,0x0063df0bcbce59a5,0x007bca269c8b584b,0x00611a8a9978842c,0x00bb96e8da12b8a8,0x00e17844d01d394d)},+  {FIELD_LITERAL(0x00c107c50e9b4d0d,0x00f6b65a5fada2f2,0x000bb67e79353fae,0x0018853f610ed92d,0x008c51f4d36d6915,0x00e3e9c096dd1c12,0x009d6b9ea6cde415,0x00304864dd66f4c6)},+  {FIELD_LITERAL(0x00f3123b214085fb,0x00d005bafffb8f53,0x00d1606987dfe6ea,0x00e825edf73b018d,0x0082aa733829a933,0x00c857d8d7830d76,0x00ebdb8d2cbbe7e6,0x0063de0e9930722e)},+  {FIELD_LITERAL(0x004ffebce35619ab,0x00d281a1543365c5,0x00ad17eeb3d098b8,0x008653b06bb7806d,0x0040026e64a28b62,0x00d9e06d52ea19df,0x008e7c684856876a,0x003ebbc191443f3b)},+  {FIELD_LITERAL(0x00c0a062813b8884,0x0054d18cc36e636b,0x00e4493fcadba51a,0x005cda5b6577c9cf,0x00cc165615c315cf,0x001bbd5e155f17bb,0x004dee92a4f18e47,0x003e95412929bfb8)},+  {FIELD_LITERAL(0x0015326f3e1f5fb6,0x0076886ca4eb6041,0x00fb34645ee36c23,0x006042a4cb8f7bb2,0x00b43e736403dd2f,0x00a8986566e7c60c,0x0010ea48904bf6d1,0x008b5ae8c5ddafbe)},+  {FIELD_LITERAL(0x003a9f4a12faee9a,0x00e6ba523a29af6b,0x001dde79a8ef06ef,0x0033ed4361647314,0x00b0556ae76eb1c9,0x00e8b892762bd092,0x004709c83705e374,0x0077382d86f79b47)},+  {FIELD_LITERAL(0x006638c5cee4113d,0x005c100c7276ed52,0x00d10562e281768d,0x0008e851e1eb2ed9,0x00d7cc086a7af373,0x00993ed528eb7942,0x0051677625b7df14,0x0029fbbcf6aaa3f7)},+  {FIELD_LITERAL(0x001081503e396419,0x007a2c7aa8870415,0x00d372a4baf3490a,0x00b18821a1e18013,0x00b83fa876c54211,0x00e4bcf47a2ae1e9,0x0069a384ba9bf3c3,0x00b784d44ee9d468)},+  {FIELD_LITERAL(0x00b4e3ad7c2ea1be,0x009962715cf7008a,0x00fbc6fdcc089d5e,0x001e29847c349313,0x00c1145569b3874d,0x0094f50069a1499b,0x004cec2bb8f423c8,0x0077eb0034c34627)},+  {FIELD_LITERAL(0x008f00d279b21a44,0x00a5c81149c8116a,0x00cc8be3da721e9f,0x001935a34e6770b9,0x00e315426d5db99d,0x00cf6a842aff01bf,0x00e3cc9d5016ed3a,0x00ae78776098742d)},+  {FIELD_LITERAL(0x0068db473197248f,0x0089874a12ff90c2,0x00420b4763f5428c,0x00d668b71fb38392,0x0022279b6d3c3687,0x003a5801405cf566,0x00127b8ea4b4fd44,0x00ce6a975208fb79)},+  {FIELD_LITERAL(0x00797ca039d44238,0x0063cae935b6ef5e,0x006a938e072ff87c,0x006a3870309cdca0,0x0003800945fa3ddc,0x0032274c0728b5ad,0x0053a51e9217da91,0x00162b41712b79db)},+  {FIELD_LITERAL(0x000911f06768bdc6,0x00bd27650f82c5b0,0x007b948017bcb94a,0x0095de039572c65e,0x0053743dabe00d25,0x0092b1d5888cd8cd,0x0065c6496b33c0d0,0x007a3f55d5bfb370)},+  {FIELD_LITERAL(0x003f31eebfa20d27,0x00b1c0c84d6c2849,0x00dbefe8d1e53924,0x00472400b407ebc2,0x00c584bf62a91498,0x00c1f095f2010650,0x007e3b1b2c9ba41e,0x003189f894ed89dc)},+  {FIELD_LITERAL(0x004d9eefe5de7ab7,0x003e35169bdbd884,0x0079625f58822d97,0x0043f4f607137c15,0x0029efd80717d455,0x0055b37a66623198,0x00153cecd460c01e,0x000464f30e396a2d)},+  {FIELD_LITERAL(0x0057b28375dc4b6e,0x00771e6557974d80,0x00fa6792bc187316,0x000d7fed0f9f92d7,0x00e821281efdb64b,0x00a12bf7b4dc5064,0x00464f56bfa9bb8d,0x00526fa933114e0b)},+  {FIELD_LITERAL(0x00bcf86d6aaed0f2,0x00b95ff679e8a71f,0x00c11d7bd57f8c87,0x00cb3362ed671b05,0x0068bb14b2ce4c10,0x00505313699af32f,0x005376e4cec89e51,0x00179b292d918f75)},+  {FIELD_LITERAL(0x00246e4ca8018aa1,0x005e55abb4eaca63,0x0050b6ce5fe6aa8b,0x008979edb01ee510,0x002e152c38461080,0x00550a03a7f073ea,0x0018d841eb811e13,0x00c39e3e1ea88479)},+  {FIELD_LITERAL(0x007f1264364f8cc7,0x000315388ba2d9ad,0x007562aa0a0d3396,0x0069318d20cfe53a,0x000acdcd1868b277,0x008e8d738518c6b8,0x006faf89fda8f887,0x00347e30277c4e4d)},+  {FIELD_LITERAL(0x0062c03567cddf30,0x0032ee53437ac23b,0x00e8a6fbf62d80e2,0x002de89967f7d7fd,0x0005fedae4d7c736,0x0022d685f264ae39,0x0028936d3fba7df5,0x00acb4383b936fcc)},+  {FIELD_LITERAL(0x00afee55215c8c25,0x00c57a8713769fcb,0x000df59aca05928e,0x00aead2ce1a57830,0x00d453e3719735cd,0x004f1cdc24b3ec7e,0x000e2a69482a51da,0x00151ba7f6834b1f)},+  {FIELD_LITERAL(0x003eaec329954173,0x00fec61feee76bb2,0x009b544347f7f444,0x004c4f7dfdb8cebd,0x0039d610da25dbfb,0x000f513ccef26480,0x00af4ddd8b8d2732,0x00093756dd2be04b)},+  {FIELD_LITERAL(0x006df537f064f2de,0x0007f0808cbfedb9,0x00792c87b64aa829,0x00fd42b4ce848ad1,0x004d9b9c66c5bd43,0x00df8fbdd58c4ed6,0x00cbe5355fc7f34c,0x00abe6eb22995e4d)},+  {FIELD_LITERAL(0x00ef8a330d9484e0,0x0044944dece8fbcc,0x0016b6e52d9d2586,0x00610b0b72d2c7b3,0x00766d88f8990f61,0x00ea7bc69494eefe,0x0050c07989360110,0x00db9fc3bfd96ee7)},+  {FIELD_LITERAL(0x0069991db096c6b8,0x0008ebceed962ba0,0x00ef0053e2f37ae3,0x009917f3c8c9cb68,0x000e0b52fef39f4e,0x00ea378bf7b8f008,0x009ae2a16388995b,0x007ec77e628ee921)},+  {FIELD_LITERAL(0x0062284cece6ad83,0x00e18536b7278c56,0x0005ab4b910698c5,0x009910472a4fd019,0x008ab4e2c6d75150,0x00fbd9d538d59094,0x0086482b65914fd9,0x00ced958acabfefd)},+  {FIELD_LITERAL(0x00c6cb4ee3a8dac4,0x0010cf7120de0b91,0x001ab166385e9e67,0x007f2a8eca89b19c,0x008ae3d846b943da,0x0022c7631b161ed6,0x005e5d402e327b23,0x00d0518c1aeb64cd)},+  {FIELD_LITERAL(0x000d45c95be55ebb,0x005f3dd26b911e70,0x00755171065eb066,0x00110b2864e644c9,0x00718a31c2d84e02,0x0059a255fc4d65d8,0x0026337c97b14eba,0x0061e127f33d128b)},+  {FIELD_LITERAL(0x006ee9a82004b322,0x003eff4833aac2f9,0x00bb62f8a13b9833,0x008f9deff439b18f,0x00bc30790842de17,0x000bfe23b4868215,0x00addb504d09d19a,0x002e121c04a5bd41)},+  {FIELD_LITERAL(0x004126ac2e668677,0x0046c12e8a5dbed7,0x0078e3a69c049c9a,0x0035d20dffeb5878,0x000a263e2f4cbcdc,0x00090a6bd7e724f5,0x00b33f6e0b6366f9,0x00175e7759f40060)},+  {FIELD_LITERAL(0x0083b4b835838c18,0x00ac69ddefc68cb4,0x00749b220f1ba281,0x004052a50d7a193d,0x007138ee3a4e5e56,0x003099ccfedc8067,0x006e811c0e9aaed9,0x00bead0cc8101227)},+  {FIELD_LITERAL(0x00cd3889dfcd0517,0x001bf78dcd1f43de,0x000898cbb491727a,0x00440c964893d55d,0x0075e0b9391ea8f2,0x00ec9732687fc960,0x008ca65c62f86bcf,0x00fc9b9aed6debcb)},+  {FIELD_LITERAL(0x00f8381236cfa255,0x00f5999b0d8c8fe3,0x000918786a1dff4e,0x00a2fa46132db8c1,0x00eb0a0e8379a878,0x003802d2e990566a,0x00b6c65d27147f1f,0x00ddbb45f6bd3e66)},+  {FIELD_LITERAL(0x000f68a71ee1c67a,0x00e96102429b052c,0x0017776482925329,0x00ca322a71577df6,0x004325b8a79280b5,0x00c322234d786f77,0x00e9258fe7816ab4,0x006aa915d16d5532)},+  {FIELD_LITERAL(0x00cde18980fd9d30,0x00d1a82889350971,0x0040d36b7eb0fbc8,0x003cc6e695329dd0,0x00e24b3318e1d88e,0x00e212a22459111d,0x00879f754eaab372,0x00f9801f5489c9a4)},+  {FIELD_LITERAL(0x007354e942e00768,0x004c7668d3208ac0,0x0015712e1b92023f,0x00b018106b3a760b,0x00d4751647fa130b,0x00da3f7276d78b5a,0x00dc6c71672bb3b3,0x0008a6ecb3540963)},+  {FIELD_LITERAL(0x00e13a624c26a6f1,0x00e161c0e3c0e7d2,0x00ba563c13d354eb,0x00f7e67a8d51498c,0x0088c48bf9742e97,0x00edaca155c6abcb,0x00bb24561c4448b5,0x00d045b2c38b42f1)},+  {FIELD_LITERAL(0x0093d57b9871b4c4,0x0085e6b5532e7970,0x0012fdda50bdb89e,0x0025f590d6c39b47,0x00ef9d53a39585e6,0x00cf0a88a575110b,0x00fd53552894850f,0x00bef47029c5a860)},+  {FIELD_LITERAL(0x00bd40f701996dd3,0x00cce747044b6173,0x0028a6b9ffb55eb3,0x0009fea794bd40e3,0x0038b30e26ed0198,0x005434c968b4cf52,0x00814878df362d47,0x0060ab54842b207a)},+  {FIELD_LITERAL(0x00bd19d97479e8ae,0x00f722fb96aff3e9,0x004ae4a83cc75c02,0x0033bb6827a30094,0x00d0ec294a83cb5a,0x007c9ad150cfeefa,0x0033cbbd6b336c57,0x009f0b2fd7ef1d8f)},+  {FIELD_LITERAL(0x00246036b708c7d9,0x000574c8b9127116,0x00ecd349a550414d,0x003c900c0186da47,0x007c82512cac2d00,0x001399e41f99830b,0x00a414712d16fdfb,0x0028822961a9b698)},+  {FIELD_LITERAL(0x00576abc9c32ae74,0x0052e8eedb433484,0x009a0b95b52551ff,0x00e4e5a4d5691aff,0x00bc01db07dccd79,0x00996692751e0d3c,0x003acf0cd9be9606,0x003f06d2f83095a8)},+  {FIELD_LITERAL(0x0028c4051a1ff7bb,0x0040ba689904a0ad,0x009e4b0a5acec321,0x00bc6d2b3c46aaeb,0x00f2caae4ef88adb,0x00ff6677bf11a28e,0x0092191cbfbb7484,0x00dae55afb78a291)},+  {FIELD_LITERAL(0x00c95aa397ea26bc,0x007372e21066c24c,0x00d1f1e17008ce70,0x00277c5b46d24ff5,0x00d0a187e51cc6f8,0x00e58d524dca3f92,0x000d1a618c916355,0x00e5b4a71cfce6eb)},+  {FIELD_LITERAL(0x00c40cbcbd853cbd,0x00523f5879bd473a,0x00fc476ce8a57ceb,0x009e5cb521a8fc43,0x0015c157448e29cc,0x0041f2065e0e673d,0x00b9227183e9ca04,0x000eadc022da2a1a)},+  {FIELD_LITERAL(0x00d6313aad8c08f2,0x008fbb11d8a39cbf,0x00bf09c856cfea1d,0x00cc7448724a5516,0x00eb6e4d59ecdeb7,0x005eda293019421c,0x00a0853a9e457996,0x00e2a1515c045530)},+  {FIELD_LITERAL(0x009cc09c03622bf9,0x0018ec007f1fb5bc,0x009f39168f0d29de,0x005a83280f20e76e,0x000dbf95aaf9af43,0x004f9bd6f102397b,0x00e154febb2e86e9,0x0032ea079c3d6c54)},+  {FIELD_LITERAL(0x00fab169ca1c41ce,0x00f1bc0ce1d78d41,0x002fa4e361cc67be,0x009053af427e0267,0x0032387ad15144f5,0x00b00ae64f9e66e4,0x006f6617ef82b37a,0x00d8c1db3c95b59e)},+  {FIELD_LITERAL(0x0035175500c7799c,0x00a167c5ca225e38,0x00854efcf271c80b,0x001b76bf0a2fcd01,0x0095c90610cf4ccd,0x0064190fc6a738a8,0x0079dce31456ebff,0x00742f0847dc1855)},+  {FIELD_LITERAL(0x00f8f4bbbe10d3b9,0x00105a4fd7fe5ef6,0x0040f473c119b520,0x0075981f4cbad167,0x00e6e94e0d05858a,0x00287e587009323c,0x00797d31a81a36e6,0x0033eef622def25c)},+  {FIELD_LITERAL(0x003077e1410a5ba5,0x00b14158718390d3,0x006f256df630d95f,0x0021d4d1b388a47b,0x008e29fce3c3ea50,0x002616d810e8828f,0x0076b1173dc76902,0x001c4c4bfe1be552)},+  {FIELD_LITERAL(0x00a2657cac024d24,0x00aa33dfb739670f,0x00093b53769a8de7,0x00adafcb28c0514d,0x00bca8890425c381,0x008f15acedcdc343,0x0085efa2bb2f9604,0x0092437292387955)},+  {FIELD_LITERAL(0x00dfb010d979be8f,0x007e6d963a211f07,0x00404b8ec1368699,0x00d9cc6590cb2087,0x00e0d919b389e23c,0x001001c50cec349f,0x001e848fec709fe4,0x000e91e3326121a1)},+  {FIELD_LITERAL(0x00e8300e632c6b13,0x00010847ef6dda78,0x0019b7c68f200ab7,0x00220c952978bd9b,0x0019e887adc0331c,0x006c5993f36c4db5,0x0002c98eeb248079,0x0089ad282231d922)},+  {FIELD_LITERAL(0x0059811830606614,0x00a8ec4d8a0d0097,0x000e2ac957beaec2,0x007dc4a64fdb8ed1,0x0063b9462f2c7312,0x00324ea6a55d282b,0x007c8a4cbdc26507,0x00f54f4ae9268708)},+  {FIELD_LITERAL(0x0026d312845ed7bc,0x0051563888e17918,0x00b99c696ccab084,0x0059d7244957f3b8,0x00c5f4faf8c8d6ab,0x00bdeeec54ba3f26,0x001aba0f7c9d5485,0x00d731f784b29269)},+  {FIELD_LITERAL(0x00bd7234c3aef4f0,0x00a7a9f815db44b1,0x00c8c940e9fc9785,0x003b81a973b01c38,0x00c32ffd7d7b79f9,0x00bc5b783c46e6c6,0x00b003fb1ef6a5f9,0x005b36765c2b46e7)},+  {FIELD_LITERAL(0x0030b09f9659a719,0x00ac35ad7a6bc959,0x009b466b281c1ee8,0x0034b96465f80acb,0x00304970c66162b7,0x000f2347253e3918,0x000d54980ac74c5a,0x00aaabb0e875468a)},+  {FIELD_LITERAL(0x00578872f1bd6085,0x00b3fd4fa6efa597,0x00e99ac49f625c00,0x002aef842e5ed2d8,0x004b8f706588e353,0x00449c499dfcc096,0x008d0cdddbf18dea,0x00e6bba4a6396ddd)},+  {FIELD_LITERAL(0x0066485d97a2ac73,0x001d0e768483ffe7,0x00c5253731b7251c,0x00f76d892a3af3f3,0x00e8d035f85298e7,0x0034e58d0abf961a,0x00b11bd0eccaba4c,0x0087a079aec9d0e9)},+  {FIELD_LITERAL(0x00d38488bd2e2026,0x00d35414e79dc3fe,0x00faa0a1c1fbbbb9,0x0093df0c4b10ab45,0x0039ffebe1394c9f,0x00cab0bc80e5cd5c,0x00453b9db5cadf06,0x003b7c08cb56f96e)},+  {FIELD_LITERAL(0x00b63453c7af61ee,0x00eadcbafa2bd320,0x0086b04f4a7bf0e3,0x00b69bc8cbbfba5a,0x00ce4926bb1b064e,0x004df8ce753e0a27,0x00ff37bf2580a3a2,0x00ad90c8c5a377eb)},+  {FIELD_LITERAL(0x00ac58c82bdd6e72,0x0008035e278a79da,0x003c9fcc92524fb3,0x000c71c26ea75e47,0x009631c4be717b38,0x00a2e968135e9152,0x00074295ca131ec2,0x00877a203d4a5015)},+  {FIELD_LITERAL(0x00a49896f002be26,0x00ad6b0d720ae906,0x005786d8dbed0346,0x00f6749d6592e372,0x000542c37faf79a4,0x003281a4f5c7863a,0x00eacdc7def0cbdc,0x00ca8353efe160bd)},+  {FIELD_LITERAL(0x003c9e851d9f8893,0x004df23c1696dd28,0x005e587fddb98f95,0x00359afa5adbfdbb,0x00ddb949d26e687c,0x00ebc6efd285564c,0x001750eec619bdd3,0x0037772e4ad0d4fa)},+  {FIELD_LITERAL(0x0076e84babbbb048,0x000a6db83681bbe4,0x0059dff597eaead2,0x00f65bdd79fe2dab,0x00e3fc9faa642c8a,0x008a9cc9dfc634c9,0x00428a4b728b1cd4,0x00e80aea53cb6617)},+  {FIELD_LITERAL(0x002ab17fdf7d2bd3,0x005aa55f23183393,0x009b88469f8c0eb9,0x007d101b314bca6b,0x0056dd4345fd97b9,0x00880e62e548ae7d,0x003d44d8c87b91a6,0x00fb2811386e22cc)},+  {FIELD_LITERAL(0x00eacd58001be3a5,0x0014e1231ca72940,0x0022453384987584,0x0075848f0c37be5c,0x000e6dc40d82c0b2,0x00f4d8ec1270878c,0x00550981d6fb86fd,0x00bb66b58f4c6892)},+  {FIELD_LITERAL(0x00bba772e57e297f,0x004f56f68df71b07,0x00ded9facaf23a81,0x00d78e832d78eedc,0x0004f7c3eff02685,0x00ba5fa931f9c020,0x005a29fb4b2295be,0x00e2543f745b1dc9)},+  {FIELD_LITERAL(0x00712177652580f9,0x00e9ee16e21d1eca,0x0002465ba75b8e46,0x00a9cb7b1fc8ef2e,0x00ce337e6da1cf8e,0x009d3684c507fffa,0x00058cc115d71214,0x0017dba81e144377)},+  {FIELD_LITERAL(0x003b778e67285805,0x00dbb06704ba87b5,0x00ba6ee1ea5ea2fe,0x00e2cdc2c8b3f699,0x006983c6eae69a9c,0x00c6c8c542d0c398,0x00f2d3a9ebcedbdc,0x00be30ddeabbd31c)},+  {FIELD_LITERAL(0x0095f20a016490a6,0x005f2b00b9fbf26d,0x00b583124906cdaf,0x002e2077aa473ca8,0x0018c5b9f7902fa6,0x00b704f5229201a6,0x00e1fc5d70e4b1c2,0x00578e366ccf7289)},+  {FIELD_LITERAL(0x00932127be1d579d,0x00e6729f50f54904,0x00e70f6247f618af,0x00b1953989fe9d9c,0x0015032e9df69633,0x00d3687b35cb6e82,0x00ab0fff86869218,0x0026054a3a68ddfb)},+  {FIELD_LITERAL(0x00cf244d2e899137,0x00a793f52ec7aaa1,0x002e5cb0616e3883,0x009cbf752f176feb,0x0029edce4fa090a3,0x00f6540a960a0275,0x00513985eef0e3bc,0x00ce2e586f6c7228)},+  {FIELD_LITERAL(0x00b42f011dbc757c,0x004a8e19d4f07c42,0x00a6d7828318b7ff,0x0004c9ce49ba3c0f,0x005fe71688087b6a,0x006e1d8f9a3d84ed,0x0089693e7e8e9a1f,0x0073bf4183ba45c5)},+  {FIELD_LITERAL(0x0029e8ce35530d30,0x00d20f389f61fe3a,0x00cf9e8ddf74e1d4,0x004bec01b04d4979,0x007d92c9f6fd5ddd,0x00c072fa91981808,0x009afda4fe8a1676,0x00c96522ee879a14)},+  {FIELD_LITERAL(0x005f0cd9cd83497b,0x00e382f098d97f00,0x0073e37e004eed2e,0x000707fe98b12237,0x0016d92a2b73d561,0x00a42926ab390165,0x00b394db4b1cc8fc,0x002fa14a3f6efa33)},+  {FIELD_LITERAL(0x0055076a513d05ee,0x00f076d43cec14ad,0x00a4e386b252faf4,0x00c0713b79b313eb,0x00507efa72f46f19,0x00141bc1e7c66844,0x005629ef060c19ea,0x0085327113d1772c)},+  {FIELD_LITERAL(0x00ed490108514e35,0x006bed897e6b4958,0x0000f2cae0dc546c,0x008175eb3e5008e4,0x0093e3fe8f3aed42,0x00e9dbc15fd54d1a,0x00844979a4cfc0c1,0x00ea3194d64ea60b)},+  {FIELD_LITERAL(0x00b64d054ec7ed5c,0x007b924cd329fbce,0x00fe8805a8737293,0x00fb82f1d52b43ae,0x004ea745c72e1a76,0x0095ba2552861c0c,0x00f66846c3547784,0x003b815bd05dc23c)},+  {FIELD_LITERAL(0x00669e32fd197ef7,0x001dfca2c5e2f7c9,0x00a2ae0964a1e5e2,0x00b4334b15c91232,0x0096419585110d96,0x009c0b2262172a58,0x009d7c87cf6d35ca,0x008a5ce50d3cabf6)},+  {FIELD_LITERAL(0x00888b9c1cf73530,0x00375346c6afecd2,0x00142240b35b74d3,0x00d952835f86a5f5,0x000665c2658eaf9a,0x00f29f43062b2033,0x00a19a58c5bc85f9,0x00e62ac95724a937)},+  {FIELD_LITERAL(0x003bedc9ae9d1730,0x00fedd7c04cbc775,0x00c19abc4540c61d,0x00115294c57fb687,0x00663fceb174cd8f,0x001671f572b885b0,0x002d14694ed85978,0x00127282078a8e44)},+  {FIELD_LITERAL(0x00e6d2822aa72eca,0x00d832957cdc0058,0x00dc60e5bed23e18,0x00b94b4c418b03a3,0x00df3b85d410a430,0x0055e81b70bc79d4,0x00081d9369cbd1a0,0x00f7fee3acf0c656)},+  {FIELD_LITERAL(0x003baba41b5abffb,0x00661ee09fca8193,0x00e0c6c92e6aea59,0x00886c207bcbe591,0x00aef9e7798e8004,0x00164f599f4d707a,0x00bb1597a76d21f2,0x00fda82d5e025626)},+  {FIELD_LITERAL(0x00552b53a9640f0e,0x005985236f4d88bf,0x00b7aaec965a8ae5,0x00cedada7b5ccf95,0x007b1ea2088f1902,0x0028445e38b4a7fa,0x0057f10ddc50efed,0x007637a3147bc5cb)},+  {FIELD_LITERAL(0x008174fe4db53757,0x00930c4f4a35ecc8,0x000e9f82c1c95a8f,0x00c6480547d66e5e,0x00dce888f9a7bf39,0x006671a5022cb906,0x004823c19b5337a0,0x00455338b7fec529)},+  {FIELD_LITERAL(0x005ac123fdc45964,0x00395057c2221d17,0x003c09c74cf84eb1,0x00b5ca859bbebf9d,0x001b26b274a7d235,0x00e8c63508e96a48,0x00edbce4d51d721e,0x00c49436797d6f83)},+  {FIELD_LITERAL(0x0071595be88a7f40,0x00a05e6ac1c0fc87,0x00a01bf6538b29eb,0x00badcd80b881fb8,0x005bfe7af8049f8b,0x0084918e6ae35537,0x00ed4bd54759316e,0x007f135988d6b548)},+  {FIELD_LITERAL(0x0075656c41e06629,0x0086059d83396637,0x004f304ecb457b37,0x00e3b4887db6be65,0x0020b54c263bb0be,0x0060a69193e561c3,0x00e6863f20dc8ce9,0x00afe16ac56e6478)}+};
+ cbits/decaf/ed448goldilocks/eddsa.c view
@@ -0,0 +1,326 @@+/**+ * @file ed448goldilocks/eddsa.c+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @cond internal+ * @brief EdDSA routines.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */+#include "word.h"+#include <decaf/ed448.h>+#include <decaf/shake.h>+#include <decaf/sha512.h>+#include <string.h>++#define API_NAME "cryptonite_decaf_448"+#define API_NS(_id) cryptonite_decaf_448_##_id++#define hash_ctx_t   cryptonite_decaf_shake256_ctx_t+#define hash_init    cryptonite_decaf_shake256_init+#define hash_update  cryptonite_decaf_shake256_update+#define hash_final   cryptonite_decaf_shake256_final+#define hash_destroy cryptonite_decaf_shake256_destroy+#define hash_hash    cryptonite_decaf_shake256_hash++#define NO_CONTEXT CRYPTONITE_DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS+#define EDDSA_USE_SIGMA_ISOGENY 0+#define COFACTOR 4++#if NO_CONTEXT+const uint8_t CRYPTONITE_NO_CONTEXT_POINTS_HERE = 0;+const uint8_t * const CRYPTONITE_DECAF_ED448_NO_CONTEXT = &CRYPTONITE_NO_CONTEXT_POINTS_HERE;+#endif++/* EDDSA_BASE_POINT_RATIO = 1 or 2+ * Because EdDSA25519 is not on E_d but on the isogenous E_sigma_d,+ * its base point is twice ours.+ */+#define EDDSA_BASE_POINT_RATIO (1+EDDSA_USE_SIGMA_ISOGENY)++static void clamp (+    uint8_t secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES]+) {+    /* Blarg */+    secret_scalar_ser[0] &= -COFACTOR;+    uint8_t hibit = (1<<0)>>1;+    if (hibit == 0) {+        secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES - 1] = 0;+        secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES - 2] |= 0x80;+    } else {+        secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES - 1] &= hibit-1;+        secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES - 1] |= hibit;+    }+}++static void hash_init_with_dom(+    hash_ctx_t hash,+    uint8_t prehashed,+    uint8_t for_prehash,+    const uint8_t *context,+    uint8_t context_len+) {+    hash_init(hash);++#if NO_CONTEXT+    if (context_len == 0 && context == CRYPTONITE_DECAF_ED448_NO_CONTEXT) {+        (void)prehashed;+        (void)for_prehash;+        (void)context;+        (void)context_len;+        return;+    }+#endif+    const char *dom_s = "SigEd448";+    const uint8_t dom[2] = {2+word_is_zero(prehashed)+word_is_zero(for_prehash), context_len};+    hash_update(hash,(const unsigned char *)dom_s, strlen(dom_s));+    hash_update(hash,dom,2);+    hash_update(hash,context,context_len);+}++void cryptonite_decaf_ed448_prehash_init (+    hash_ctx_t hash+) {+    hash_init(hash);+}++/* In this file because it uses the hash */+void cryptonite_decaf_ed448_convert_private_key_to_x448 (+    uint8_t x[CRYPTONITE_DECAF_X448_PRIVATE_BYTES],+    const uint8_t ed[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES]+) {+    /* pass the private key through hash_hash function */+    /* and keep the first CRYPTONITE_DECAF_X448_PRIVATE_BYTES bytes */+    hash_hash(+        x,+        CRYPTONITE_DECAF_X448_PRIVATE_BYTES,+        ed,+        CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES+    );+}+    +void cryptonite_decaf_ed448_derive_public_key (+    uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES]+) {+    /* only this much used for keygen */+    uint8_t secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];+    +    hash_hash(+        secret_scalar_ser,+        sizeof(secret_scalar_ser),+        privkey,+        CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES+    );+    clamp(secret_scalar_ser);+        +    API_NS(scalar_t) secret_scalar;+    API_NS(scalar_decode_long)(secret_scalar, secret_scalar_ser, sizeof(secret_scalar_ser));+    +    /* Since we are going to mul_by_cofactor during encoding, divide by it here.+     * However, the EdDSA base point is not the same as the decaf base point if+     * the sigma isogeny is in use: the EdDSA base point is on Etwist_d/(1-d) and+     * the decaf base point is on Etwist_d, and when converted it effectively+     * picks up a factor of 2 from the isogenies.  So we might start at 2 instead of 1. +     */+    for (unsigned int c = EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {+        API_NS(scalar_halve)(secret_scalar,secret_scalar);+    }+    +    API_NS(point_t) p;+    API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),secret_scalar);+    +    API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(pubkey, p);+        +    /* Cleanup */+    API_NS(scalar_destroy)(secret_scalar);+    API_NS(point_destroy)(p);+    cryptonite_decaf_bzero(secret_scalar_ser, sizeof(secret_scalar_ser));+}++void cryptonite_decaf_ed448_sign (+    uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const uint8_t *message,+    size_t message_len,+    uint8_t prehashed,+    const uint8_t *context,+    uint8_t context_len+) {+    API_NS(scalar_t) secret_scalar;+    hash_ctx_t hash;+    {+        /* Schedule the secret key */+        struct {+            uint8_t secret_scalar_ser[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];+            uint8_t seed[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];+        } __attribute__((packed)) expanded;+        hash_hash(+            (uint8_t *)&expanded,+            sizeof(expanded),+            privkey,+            CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES+        );+        clamp(expanded.secret_scalar_ser);   +        API_NS(scalar_decode_long)(secret_scalar, expanded.secret_scalar_ser, sizeof(expanded.secret_scalar_ser));+    +        /* Hash to create the nonce */+        hash_init_with_dom(hash,prehashed,0,context,context_len);+        hash_update(hash,expanded.seed,sizeof(expanded.seed));+        hash_update(hash,message,message_len);+        cryptonite_decaf_bzero(&expanded, sizeof(expanded));+    }+    +    /* Decode the nonce */+    API_NS(scalar_t) nonce_scalar;+    {+        uint8_t nonce[2*CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];+        hash_final(hash,nonce,sizeof(nonce));+        API_NS(scalar_decode_long)(nonce_scalar, nonce, sizeof(nonce));+        cryptonite_decaf_bzero(nonce, sizeof(nonce));+    }+    +    uint8_t nonce_point[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES] = {0};+    {+        /* Scalarmul to create the nonce-point */+        API_NS(scalar_t) nonce_scalar_2;+        API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar);+        for (unsigned int c = 2*EDDSA_BASE_POINT_RATIO; c < COFACTOR; c <<= 1) {+            API_NS(scalar_halve)(nonce_scalar_2,nonce_scalar_2);+        }+        +        API_NS(point_t) p;+        API_NS(precomputed_scalarmul)(p,API_NS(precomputed_base),nonce_scalar_2);+        API_NS(point_mul_by_cofactor_and_encode_like_eddsa)(nonce_point, p);+        API_NS(point_destroy)(p);+        API_NS(scalar_destroy)(nonce_scalar_2);+    }+    +    API_NS(scalar_t) challenge_scalar;+    {+        /* Compute the challenge */+        hash_init_with_dom(hash,prehashed,0,context,context_len);+        hash_update(hash,nonce_point,sizeof(nonce_point));+        hash_update(hash,pubkey,CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES);+        hash_update(hash,message,message_len);+        uint8_t challenge[2*CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];+        hash_final(hash,challenge,sizeof(challenge));+        hash_destroy(hash);+        API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));+        cryptonite_decaf_bzero(challenge,sizeof(challenge));+    }+    +    API_NS(scalar_mul)(challenge_scalar,challenge_scalar,secret_scalar);+    API_NS(scalar_add)(challenge_scalar,challenge_scalar,nonce_scalar);+    +    cryptonite_decaf_bzero(signature,CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES);+    memcpy(signature,nonce_point,sizeof(nonce_point));+    API_NS(scalar_encode)(&signature[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],challenge_scalar);+    +    API_NS(scalar_destroy)(secret_scalar);+    API_NS(scalar_destroy)(nonce_scalar);+    API_NS(scalar_destroy)(challenge_scalar);+}+++void cryptonite_decaf_ed448_sign_prehash (+    uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const cryptonite_decaf_ed448_prehash_ctx_t hash,+    const uint8_t *context,+    uint8_t context_len+) {+    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */+    {+        cryptonite_decaf_ed448_prehash_ctx_t hash_too;+        memcpy(hash_too,hash,sizeof(hash_too));+        hash_final(hash_too,hash_output,sizeof(hash_output));+        hash_destroy(hash_too);+    }++    cryptonite_decaf_ed448_sign(signature,privkey,pubkey,hash_output,sizeof(hash_output),1,context,context_len);+    cryptonite_decaf_bzero(hash_output,sizeof(hash_output));+}++cryptonite_decaf_error_t cryptonite_decaf_ed448_verify (+    const uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const uint8_t *message,+    size_t message_len,+    uint8_t prehashed,+    const uint8_t *context,+    uint8_t context_len+) { +    API_NS(point_t) pk_point, r_point;+    cryptonite_decaf_error_t error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(pk_point,pubkey);+    if (CRYPTONITE_DECAF_SUCCESS != error) { return error; }+    +    error = API_NS(point_decode_like_eddsa_and_ignore_cofactor)(r_point,signature);+    if (CRYPTONITE_DECAF_SUCCESS != error) { return error; }+    +    API_NS(scalar_t) challenge_scalar;+    {+        /* Compute the challenge */+        hash_ctx_t hash;+        hash_init_with_dom(hash,prehashed,0,context,context_len);+        hash_update(hash,signature,CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES);+        hash_update(hash,pubkey,CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES);+        hash_update(hash,message,message_len);+        uint8_t challenge[2*CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES];+        hash_final(hash,challenge,sizeof(challenge));+        hash_destroy(hash);+        API_NS(scalar_decode_long)(challenge_scalar,challenge,sizeof(challenge));+        cryptonite_decaf_bzero(challenge,sizeof(challenge));+    }+    API_NS(scalar_sub)(challenge_scalar, API_NS(scalar_zero), challenge_scalar);+    +    API_NS(scalar_t) response_scalar;+    API_NS(scalar_decode_long)(+        response_scalar,+        &signature[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+        CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES+    );+#if EDDSA_BASE_POINT_RATIO == 2+    API_NS(scalar_add)(response_scalar,response_scalar,response_scalar);+#endif+    +    +    /* pk_point = -c(x(P)) + (cx + k)G = kG */+    API_NS(base_double_scalarmul_non_secret)(+        pk_point,+        response_scalar,+        pk_point,+        challenge_scalar+    );+    return cryptonite_decaf_succeed_if(API_NS(point_eq(pk_point,r_point)));+}+++cryptonite_decaf_error_t cryptonite_decaf_ed448_verify_prehash (+    const uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const cryptonite_decaf_ed448_prehash_ctx_t hash,+    const uint8_t *context,+    uint8_t context_len+) {+    cryptonite_decaf_error_t ret;+    +    uint8_t hash_output[64]; /* MAGIC but true for all existing schemes */+    {+        cryptonite_decaf_ed448_prehash_ctx_t hash_too;+        memcpy(hash_too,hash,sizeof(hash_too));+        hash_final(hash_too,hash_output,sizeof(hash_output));+        hash_destroy(hash_too);+    }+    +    ret = cryptonite_decaf_ed448_verify(signature,pubkey,hash_output,sizeof(hash_output),1,context,context_len);+    +    return ret;+}
+ cbits/decaf/ed448goldilocks/scalar.c view
@@ -0,0 +1,341 @@+/**+ * @file ed448goldilocks/scalar.c+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief Decaf high-level functions.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */+#include "word.h"+#include "constant_time.h"+#include <decaf.h>++/* Template stuff */+#define API_NS(_id) cryptonite_decaf_448_##_id+#define SCALAR_BITS CRYPTONITE_DECAF_448_SCALAR_BITS+#define SCALAR_SER_BYTES CRYPTONITE_DECAF_448_SCALAR_BYTES+#define SCALAR_LIMBS CRYPTONITE_DECAF_448_SCALAR_LIMBS+#define scalar_t API_NS(scalar_t)++static const cryptonite_decaf_word_t MONTGOMERY_FACTOR = (cryptonite_decaf_word_t)0x3bd440fae918bc5ull;+static const scalar_t sc_p = {{{+    SC_LIMB(0x2378c292ab5844f3), SC_LIMB(0x216cc2728dc58f55), SC_LIMB(0xc44edb49aed63690), SC_LIMB(0xffffffff7cca23e9), SC_LIMB(0xffffffffffffffff), SC_LIMB(0xffffffffffffffff), SC_LIMB(0x3fffffffffffffff)+}}}, sc_r2 = {{{+    SC_LIMB(0xe3539257049b9b60), SC_LIMB(0x7af32c4bc1b195d9), SC_LIMB(0x0d66de2388ea1859), SC_LIMB(0xae17cf725ee4d838), SC_LIMB(0x1a9cc14ba3c47c44), SC_LIMB(0x2052bcb7e4d070af), SC_LIMB(0x3402a939f823b729)+}}};+/* End of template stuff */++#define WBITS CRYPTONITE_DECAF_WORD_BITS /* NB this may be different from ARCH_WORD_BITS */++const scalar_t API_NS(scalar_one) = {{{1}}}, API_NS(scalar_zero) = {{{0}}};++/** {extra,accum} - sub +? p+ * Must have extra <= 1+ */+static CRYPTONITE_DECAF_NOINLINE void sc_subx(+    scalar_t out,+    const cryptonite_decaf_word_t accum[SCALAR_LIMBS],+    const scalar_t sub,+    const scalar_t p,+    cryptonite_decaf_word_t extra+) {+    cryptonite_decaf_dsword_t chain = 0;+    unsigned int i;+    for (i=0; i<SCALAR_LIMBS; i++) {+        chain = (chain + accum[i]) - sub->limb[i];+        out->limb[i] = chain;+        chain >>= WBITS;+    }+    cryptonite_decaf_word_t borrow = chain+extra; /* = 0 or -1 */+    +    chain = 0;+    for (i=0; i<SCALAR_LIMBS; i++) {+        chain = (chain + out->limb[i]) + (p->limb[i] & borrow);+        out->limb[i] = chain;+        chain >>= WBITS;+    }+}++static CRYPTONITE_DECAF_NOINLINE void sc_montmul (+    scalar_t out,+    const scalar_t a,+    const scalar_t b+) {+    unsigned int i,j;+    cryptonite_decaf_word_t accum[SCALAR_LIMBS+1] = {0};+    cryptonite_decaf_word_t hi_carry = 0;+    +    for (i=0; i<SCALAR_LIMBS; i++) {+        cryptonite_decaf_word_t mand = a->limb[i];+        const cryptonite_decaf_word_t *mier = b->limb;+        +        cryptonite_decaf_dword_t chain = 0;+        for (j=0; j<SCALAR_LIMBS; j++) {+            chain += ((cryptonite_decaf_dword_t)mand)*mier[j] + accum[j];+            accum[j] = chain;+            chain >>= WBITS;+        }+        accum[j] = chain;+        +        mand = accum[0] * MONTGOMERY_FACTOR;+        chain = 0;+        mier = sc_p->limb;+        for (j=0; j<SCALAR_LIMBS; j++) {+            chain += (cryptonite_decaf_dword_t)mand*mier[j] + accum[j];+            if (j) accum[j-1] = chain;+            chain >>= WBITS;+        }+        chain += accum[j];+        chain += hi_carry;+        accum[j-1] = chain;+        hi_carry = chain >> WBITS;+    }+    +    sc_subx(out, accum, sc_p, sc_p, hi_carry);+}++void API_NS(scalar_mul) (+    scalar_t out,+    const scalar_t a,+    const scalar_t b+) {+    sc_montmul(out,a,b);+    sc_montmul(out,out,sc_r2);+}++/* PERF: could implement this */+static CRYPTONITE_DECAF_INLINE void sc_montsqr (scalar_t out, const scalar_t a) {+    sc_montmul(out,a,a);+}++cryptonite_decaf_error_t API_NS(scalar_invert) (+    scalar_t out,+    const scalar_t a+) {+    /* Fermat's little theorem, sliding window.+     * Sliding window is fine here because the modulus isn't secret.+     */+    const int SCALAR_WINDOW_BITS = 3;+    scalar_t precmp[1<<SCALAR_WINDOW_BITS];+    const int LAST = (1<<SCALAR_WINDOW_BITS)-1;++    /* Precompute precmp = [a^1,a^3,...] */+    sc_montmul(precmp[0],a,sc_r2);+    if (LAST > 0) sc_montmul(precmp[LAST],precmp[0],precmp[0]);++    int i;+    for (i=1; i<=LAST; i++) {+        sc_montmul(precmp[i],precmp[i-1],precmp[LAST]);+    }+    +    /* Sliding window */+    unsigned residue = 0, trailing = 0, started = 0;+    for (i=SCALAR_BITS-1; i>=-SCALAR_WINDOW_BITS; i--) {+        +        if (started) sc_montsqr(out,out);+        +        cryptonite_decaf_word_t w = (i>=0) ? sc_p->limb[i/WBITS] : 0;+        if (i >= 0 && i<WBITS) {+            assert(w >= 2);+            w-=2;+        }+        +        residue = (residue<<1) | ((w>>(i%WBITS))&1);+        if (residue>>SCALAR_WINDOW_BITS != 0) {+            assert(trailing == 0);+            trailing = residue;+            residue = 0;+        }+        +        if (trailing > 0 && (trailing & ((1<<SCALAR_WINDOW_BITS)-1)) == 0) {+            if (started) {+                sc_montmul(out,out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);+            } else {+                API_NS(scalar_copy)(out,precmp[trailing>>(SCALAR_WINDOW_BITS+1)]);+                started = 1;+            }+            trailing = 0;+        }+        trailing <<= 1;+        +    }+    assert(residue==0);+    assert(trailing==0);+    +    /* Demontgomerize */+    sc_montmul(out,out,API_NS(scalar_one));+    cryptonite_decaf_bzero(precmp, sizeof(precmp));+    return cryptonite_decaf_succeed_if(~API_NS(scalar_eq)(out,API_NS(scalar_zero)));+}++void API_NS(scalar_sub) (+    scalar_t out,+    const scalar_t a,+    const scalar_t b+) {+    sc_subx(out, a->limb, b, sc_p, 0);+}++void API_NS(scalar_add) (+    scalar_t out,+    const scalar_t a,+    const scalar_t b+) {+    cryptonite_decaf_dword_t chain = 0;+    unsigned int i;+    for (i=0; i<SCALAR_LIMBS; i++) {+        chain = (chain + a->limb[i]) + b->limb[i];+        out->limb[i] = chain;+        chain >>= WBITS;+    }+    sc_subx(out, out->limb, sc_p, sc_p, chain);+}++void+API_NS(scalar_set_unsigned) (+    scalar_t out,+    uint64_t w+) {+    memset(out,0,sizeof(scalar_t));+    unsigned int i = 0;+    for (; i<sizeof(uint64_t)/sizeof(cryptonite_decaf_word_t); i++) {+        out->limb[i] = w;+#if CRYPTONITE_DECAF_WORD_BITS < 64+        w >>= 8*sizeof(cryptonite_decaf_word_t);+#endif+    }+}++cryptonite_decaf_bool_t+API_NS(scalar_eq) (+    const scalar_t a,+    const scalar_t b+) {+    cryptonite_decaf_word_t diff = 0;+    unsigned int i;+    for (i=0; i<SCALAR_LIMBS; i++) {+        diff |= a->limb[i] ^ b->limb[i];+    }+    return mask_to_bool(word_is_zero(diff));+}++static CRYPTONITE_DECAF_INLINE void scalar_decode_short (+    scalar_t s,+    const unsigned char *ser,+    unsigned int nbytes+) {+    unsigned int i,j,k=0;+    for (i=0; i<SCALAR_LIMBS; i++) {+        cryptonite_decaf_word_t out = 0;+        for (j=0; j<sizeof(cryptonite_decaf_word_t) && k<nbytes; j++,k++) {+            out |= ((cryptonite_decaf_word_t)ser[k])<<(8*j);+        }+        s->limb[i] = out;+    }+}++cryptonite_decaf_error_t API_NS(scalar_decode)(+    scalar_t s,+    const unsigned char ser[SCALAR_SER_BYTES]+) {+    unsigned int i;+    scalar_decode_short(s, ser, SCALAR_SER_BYTES);+    cryptonite_decaf_dsword_t accum = 0;+    for (i=0; i<SCALAR_LIMBS; i++) {+        accum = (accum + s->limb[i] - sc_p->limb[i]) >> WBITS;+    }+    /* Here accum == 0 or -1 */+    +    API_NS(scalar_mul)(s,s,API_NS(scalar_one)); /* ham-handed reduce */+    +    return cryptonite_decaf_succeed_if(~word_is_zero(accum));+}++void API_NS(scalar_destroy) (+    scalar_t scalar+) {+    cryptonite_decaf_bzero(scalar, sizeof(scalar_t));+}++void API_NS(scalar_decode_long)(+    scalar_t s,+    const unsigned char *ser,+    size_t ser_len+) {+    if (ser_len == 0) {+        API_NS(scalar_copy)(s, API_NS(scalar_zero));+        return;+    }+    +    size_t i;+    scalar_t t1, t2;++    i = ser_len - (ser_len%SCALAR_SER_BYTES);+    if (i==ser_len) i -= SCALAR_SER_BYTES;+    +    scalar_decode_short(t1, &ser[i], ser_len-i);++    if (ser_len == sizeof(scalar_t)) {+        assert(i==0);+        /* ham-handed reduce */+        API_NS(scalar_mul)(s,t1,API_NS(scalar_one));+        API_NS(scalar_destroy)(t1);+        return;+    }++    while (i) {+        i -= SCALAR_SER_BYTES;+        sc_montmul(t1,t1,sc_r2);+        ignore_result( API_NS(scalar_decode)(t2, ser+i) );+        API_NS(scalar_add)(t1, t1, t2);+    }++    API_NS(scalar_copy)(s, t1);+    API_NS(scalar_destroy)(t1);+    API_NS(scalar_destroy)(t2);+}++void API_NS(scalar_encode)(+    unsigned char ser[SCALAR_SER_BYTES],+    const scalar_t s+) {+    unsigned int i,j,k=0;+    for (i=0; i<SCALAR_LIMBS; i++) {+        for (j=0; j<sizeof(cryptonite_decaf_word_t); j++,k++) {+            ser[k] = s->limb[i] >> (8*j);+        }+    }+}++void API_NS(scalar_cond_sel) (+    scalar_t out,+    const scalar_t a,+    const scalar_t b,+    cryptonite_decaf_bool_t pick_b+) {+    constant_time_select(out,a,b,sizeof(scalar_t),bool_to_mask(pick_b),sizeof(out->limb[0]));+}++void API_NS(scalar_halve) (+    scalar_t out,+    const scalar_t a+) {+    cryptonite_decaf_word_t mask = -(a->limb[0] & 1);+    cryptonite_decaf_dword_t chain = 0;+    unsigned int i;+    for (i=0; i<SCALAR_LIMBS; i++) {+        chain = (chain + a->limb[i]) + (sc_p->limb[i] & mask);+        out->limb[i] = chain;+        chain >>= CRYPTONITE_DECAF_WORD_BITS;+    }+    for (i=0; i<SCALAR_LIMBS-1; i++) {+        out->limb[i] = out->limb[i]>>1 | out->limb[i+1]<<(WBITS-1);+    }+    out->limb[i] = out->limb[i]>>1 | chain<<(WBITS-1);+}+
+ cbits/decaf/include/arch_32/arch_intrinsics.h view
@@ -0,0 +1,22 @@+/* Copyright (c) 2016 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#ifndef __ARCH_ARCH_32_ARCH_INTRINSICS_H__+#define __ARCH_ARCH_32_ARCH_INTRINSICS_H__++#define ARCH_WORD_BITS 32++static __inline__ __attribute((always_inline,unused))+uint32_t word_is_zero(uint32_t a) {+    /* let's hope the compiler isn't clever enough to optimize this. */+    return (((uint64_t)a)-1)>>32;+}++static __inline__ __attribute((always_inline,unused))+uint64_t widemul(uint32_t a, uint32_t b) {+    return ((uint64_t)a) * b;+}++#endif /* __ARCH_ARM_32_ARCH_INTRINSICS_H__ */+
+ cbits/decaf/include/arch_ref64/arch_intrinsics.h view
@@ -0,0 +1,22 @@+/* Copyright (c) 2016 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#ifndef __ARCH_REF64_ARCH_INTRINSICS_H__+#define __ARCH_REF64_ARCH_INTRINSICS_H__++#define ARCH_WORD_BITS 64++static __inline__ __attribute((always_inline,unused))+uint64_t word_is_zero(uint64_t a) {+    /* let's hope the compiler isn't clever enough to optimize this. */+    return (((__uint128_t)a)-1)>>64;+}++static __inline__ __attribute((always_inline,unused))+__uint128_t widemul(uint64_t a, uint64_t b) {+    return ((__uint128_t)a) * b; +}++#endif /* ARCH_REF64_ARCH_INTRINSICS_H__ */+
+ cbits/decaf/include/constant_time.h view
@@ -0,0 +1,362 @@+/**+ * @file constant_time.h+ * @copyright+ *   Copyright (c) 2014 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ * @author Mike Hamburg+ *+ * @brief Constant-time routines.+ */++#ifndef __CONSTANT_TIME_H__+#define __CONSTANT_TIME_H__ 1++#include "word.h"+#include <string.h>++/*+ * Constant-time operations on hopefully-compile-time-sized memory+ * regions.  Needed for flexibility / demagication: not all fields+ * have sizes which are multiples of the vector width, necessitating+ * a change from the Ed448 versions.+ *+ * These routines would be much simpler to define at the byte level,+ * but if not vectorized they would be a significant fraction of the+ * runtime.  Eg on NEON-less ARM, constant_time_lookup is like 15% of+ * signing time, vs 6% on Haswell with its fancy AVX2 vectors.+ *+ * If the compiler could do a good job of autovectorizing the code,+ * we could just leave it with the byte definition.  But that's unlikely+ * on most deployed compilers, especially if you consider that pcmpeq[size]+ * is much faster than moving a scalar to the vector unit (which is what+ * a naive autovectorizer will do with constant_time_lookup on Intel).+ *+ * Instead, we're putting our trust in the loop unroller and unswitcher.+ */+++/**+ * Unaligned big (vector?) register.+ */+typedef struct {+    big_register_t unaligned;+} __attribute__((packed)) unaligned_br_t;++/**+ * Unaligned word register, for architectures where that matters.+ */+typedef struct {+    word_t unaligned;+} __attribute__((packed)) unaligned_word_t;++/**+ * @brief Constant-time conditional swap.+ *+ * If doswap, then swap elem_bytes between *a and *b.+ *+ * *a and *b must not alias.  Also, they must be at least as aligned+ * as their sizes, if the CPU cares about that sort of thing.+ */+static __inline__ void+__attribute__((unused,always_inline))+constant_time_cond_swap (+    void *__restrict__ a_,+    void *__restrict__ b_,+    word_t elem_bytes,+    mask_t doswap+) {+    word_t k;+    unsigned char *a = (unsigned char *)a_;+    unsigned char *b = (unsigned char *)b_;+    +    big_register_t br_mask = br_set_to_mask(doswap);+    for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {+        if (elem_bytes % sizeof(big_register_t)) {+            /* unaligned */+            big_register_t xor =+                ((unaligned_br_t*)(&a[k]))->unaligned+              ^ ((unaligned_br_t*)(&b[k]))->unaligned;+            xor &= br_mask;+            ((unaligned_br_t*)(&a[k]))->unaligned ^= xor;+            ((unaligned_br_t*)(&b[k]))->unaligned ^= xor;+        } else {+            /* aligned */+            big_register_t xor =+                *((big_register_t*)(&a[k]))+              ^ *((big_register_t*)(&b[k]));+            xor &= br_mask;+            *((big_register_t*)(&a[k])) ^= xor;+            *((big_register_t*)(&b[k])) ^= xor;+        }+    }++    if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {+        for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {+            if (elem_bytes % sizeof(word_t)) {+                /* unaligned */+                word_t xor =+                    ((unaligned_word_t*)(&a[k]))->unaligned+                  ^ ((unaligned_word_t*)(&b[k]))->unaligned;+                xor &= doswap;+                ((unaligned_word_t*)(&a[k]))->unaligned ^= xor;+                ((unaligned_word_t*)(&b[k]))->unaligned ^= xor;+            } else {+                /* aligned */+                word_t xor =+                    *((word_t*)(&a[k]))+                  ^ *((word_t*)(&b[k]));+                xor &= doswap;+                *((word_t*)(&a[k])) ^= xor;+                *((word_t*)(&b[k])) ^= xor;+            }+        }+    }+    +    if (elem_bytes % sizeof(word_t)) {+        for (; k<elem_bytes; k+=1) {+            unsigned char xor = a[k] ^ b[k];+            xor &= doswap;+            a[k] ^= xor;+            b[k] ^= xor;+        }+    }+}++/**+ * @brief Constant-time equivalent of memcpy(out, table + elem_bytes*idx, elem_bytes);+ *+ * The table must be at least as aligned as elem_bytes.  The output must be word aligned,+ * and if the input size is vector aligned it must also be vector aligned.+ *+ * The table and output must not alias.+ */+static __inline__ void+__attribute__((unused,always_inline))+constant_time_lookup (+    void *__restrict__ out_,+    const void *table_,+    word_t elem_bytes,+    word_t n_table,+    word_t idx+) {+    big_register_t big_one = br_set_to_mask(1), big_i = br_set_to_mask(idx);+    +    /* Can't do pointer arithmetic on void* */+    unsigned char *out = (unsigned char *)out_;+    const unsigned char *table = (const unsigned char *)table_;+    word_t j,k;+    +    memset(out, 0, elem_bytes);+    for (j=0; j<n_table; j++, big_i-=big_one) {        +        big_register_t br_mask = br_is_zero(big_i);+        for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {+            if (elem_bytes % sizeof(big_register_t)) {+                /* unaligned */+                ((unaligned_br_t *)(out+k))->unaligned+			|= br_mask & ((const unaligned_br_t*)(&table[k+j*elem_bytes]))->unaligned;+            } else {+                /* aligned */+                *(big_register_t *)(out+k) |= br_mask & *(const big_register_t*)(&table[k+j*elem_bytes]);+            }+        }++        word_t mask = word_is_zero(idx^j);+        if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {+            for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {+                if (elem_bytes % sizeof(word_t)) {+                    /* input unaligned, output aligned */+                    *(word_t *)(out+k) |= mask & ((const unaligned_word_t*)(&table[k+j*elem_bytes]))->unaligned;+                } else {+                    /* aligned */+                    *(word_t *)(out+k) |= mask & *(const word_t*)(&table[k+j*elem_bytes]);+                }+            }+        }+        +        if (elem_bytes % sizeof(word_t)) {+            for (; k<elem_bytes; k+=1) {+                out[k] |= mask & table[k+j*elem_bytes];+            }+        }+    }+}++/**+ * @brief Constant-time equivalent of memcpy(table + elem_bytes*idx, in, elem_bytes);+ *+ * The table must be at least as aligned as elem_bytes.  The input must be word aligned,+ * and if the output size is vector aligned it must also be vector aligned.+ *+ * The table and input must not alias.+ */+static __inline__ void+__attribute__((unused,always_inline))+constant_time_insert (+    void *__restrict__ table_,+    const void *in_,+    word_t elem_bytes,+    word_t n_table,+    word_t idx+) {+    big_register_t big_one = br_set_to_mask(1), big_i = br_set_to_mask(idx);+    +    /* Can't do pointer arithmetic on void* */+    const unsigned char *in = (const unsigned char *)in_;+    unsigned char *table = (unsigned char *)table_;+    word_t j,k;+    +    for (j=0; j<n_table; j++, big_i-=big_one) {        +        big_register_t br_mask = br_is_zero(big_i);+        for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {+            if (elem_bytes % sizeof(big_register_t)) {+                /* unaligned */+                ((unaligned_br_t*)(&table[k+j*elem_bytes]))->unaligned+                    = ( ((unaligned_br_t*)(&table[k+j*elem_bytes]))->unaligned & ~br_mask )+                    | ( ((const unaligned_br_t *)(in+k))->unaligned & br_mask );+            } else {+                /* aligned */+                *(big_register_t*)(&table[k+j*elem_bytes])+                    = ( *(big_register_t*)(&table[k+j*elem_bytes]) & ~br_mask )+                    | ( *(const big_register_t *)(in+k) & br_mask );+            }+        }++        word_t mask = word_is_zero(idx^j);+        if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {+            for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {+                if (elem_bytes % sizeof(word_t)) {+                    /* output unaligned, input aligned */+                    ((unaligned_word_t*)(&table[k+j*elem_bytes]))->unaligned+                        = ( ((unaligned_word_t*)(&table[k+j*elem_bytes]))->unaligned & ~mask )+                        | ( *(const word_t *)(in+k) & mask );+                } else {+                    /* aligned */+                    *(word_t*)(&table[k+j*elem_bytes])+                        = ( *(word_t*)(&table[k+j*elem_bytes]) & ~mask )+                        | ( *(const word_t *)(in+k) & mask );+                }+            }+        }+        +        if (elem_bytes % sizeof(word_t)) {+            for (; k<elem_bytes; k+=1) {+                table[k+j*elem_bytes]+                    = ( table[k+j*elem_bytes] & ~mask )+                    | ( in[k] & mask );+            }+        }+    }+}++/**+ * @brief Constant-time a = b&mask.+ *+ * The input and output must be at least as aligned as elem_bytes.+ */+static __inline__ void+__attribute__((unused,always_inline))+constant_time_mask (+    void * a_,+    const void *b_,+    word_t elem_bytes,+    mask_t mask+) {+    unsigned char *a = (unsigned char *)a_;+    const unsigned char *b = (const unsigned char *)b_;+    +    word_t k;+    big_register_t br_mask = br_set_to_mask(mask);+    for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {+        if (elem_bytes % sizeof(big_register_t)) {+            /* unaligned */+            ((unaligned_br_t*)(&a[k]))->unaligned = br_mask & ((const unaligned_br_t*)(&b[k]))->unaligned;+        } else {+            /* aligned */+            *(big_register_t *)(a+k) = br_mask & *(const big_register_t*)(&b[k]);+        }+    }++    if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {+        for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {+            if (elem_bytes % sizeof(word_t)) {+                /* unaligned */+                ((unaligned_word_t*)(&a[k]))->unaligned = mask & ((const unaligned_word_t*)(&b[k]))->unaligned;+            } else {+                /* aligned */+                *(word_t *)(a+k) = mask & *(const word_t*)(&b[k]);+            }+        }+    }+    +    if (elem_bytes % sizeof(word_t)) {+        for (; k<elem_bytes; k+=1) {+            a[k] = mask & b[k];+        }+    }+}++/**+ * @brief Constant-time a = mask ? bTrue : bFalse.+ *+ * The input and output must be at least as aligned as alignment_bytes+ * or their size, whichever is smaller.+ *+ * Note that the output is not __restrict__, but if it overlaps either+ * input, it must be equal and not partially overlap.+ */+static __inline__ void+__attribute__((unused,always_inline))+constant_time_select (+    void *a_,+    const void *bFalse_,+    const void *bTrue_,+    word_t elem_bytes,+    mask_t mask,+    size_t alignment_bytes+) {+    unsigned char *a = (unsigned char *)a_;+    const unsigned char *bTrue = (const unsigned char *)bTrue_;+    const unsigned char *bFalse = (const unsigned char *)bFalse_;+    +    alignment_bytes |= elem_bytes;++    word_t k;+    big_register_t br_mask = br_set_to_mask(mask);+    for (k=0; k<=elem_bytes-sizeof(big_register_t); k+=sizeof(big_register_t)) {+        if (alignment_bytes % sizeof(big_register_t)) {+            /* unaligned */+            ((unaligned_br_t*)(&a[k]))->unaligned =+		  ( br_mask & ((const unaligned_br_t*)(&bTrue [k]))->unaligned)+		| (~br_mask & ((const unaligned_br_t*)(&bFalse[k]))->unaligned);+        } else {+            /* aligned */+            *(big_register_t *)(a+k) =+		  ( br_mask & *(const big_register_t*)(&bTrue [k]))+		| (~br_mask & *(const big_register_t*)(&bFalse[k]));+        }+    }++    if (elem_bytes % sizeof(big_register_t) >= sizeof(word_t)) {+        for (; k<=elem_bytes-sizeof(word_t); k+=sizeof(word_t)) {+            if (alignment_bytes % sizeof(word_t)) {+                /* unaligned */+                ((unaligned_word_t*)(&a[k]))->unaligned =+		    ( mask & ((const unaligned_word_t*)(&bTrue [k]))->unaligned)+		  | (~mask & ((const unaligned_word_t*)(&bFalse[k]))->unaligned);+            } else {+                /* aligned */+                *(word_t *)(a+k) =+		    ( mask & *(const word_t*)(&bTrue [k]))+		  | (~mask & *(const word_t*)(&bFalse[k]));+            }+        }+    }+    +    if (elem_bytes % sizeof(word_t)) {+        for (; k<elem_bytes; k+=1) {+            a[k] = ( mask & bTrue[k]) | (~mask & bFalse[k]);+        }+    }+}++#endif /* __CONSTANT_TIME_H__ */
+ cbits/decaf/include/decaf.h view
@@ -0,0 +1,32 @@+/**+ * @file decaf.h+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * Master header for Decaf library.+ *+ * The Decaf library implements cryptographic operations on a elliptic curve+ * groups of prime order p.  It accomplishes this by using a twisted Edwards+ * curve (isogenous to Ed448-Goldilocks or Ed25519) and wiping out the cofactor.+ *+ * The formulas are all complete and have no special cases.  However, some+ * functions can fail.  For example, decoding functions can fail because not+ * every string is the encoding of a valid group element.+ *+ * The formulas contain no data-dependent branches, timing or memory accesses,+ * except for cryptonite_decaf_XXX_base_double_scalarmul_non_secret.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */++#ifndef __CRYPTONITE_DECAF_H__+#define __CRYPTONITE_DECAF_H__ 1++#include <decaf/point_255.h>+#include <decaf/point_448.h>++#endif /* __CRYPTONITE_DECAF_H__ */
+ cbits/decaf/include/decaf/common.h view
@@ -0,0 +1,116 @@+/**+ * @file decaf/common.h+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief Common utility headers for Decaf library.+ */++#ifndef __CRYPTONITE_DECAF_COMMON_H__+#define __CRYPTONITE_DECAF_COMMON_H__ 1++#include <stdint.h>+#include <sys/types.h>++#ifdef __cplusplus+extern "C" {+#endif++/* Goldilocks' build flags default to hidden and stripping executables. */+/** @cond internal */+#if defined(DOXYGEN) && !defined(__attribute__)+#define __attribute__((x))+#endif+#define CRYPTONITE_DECAF_API_VIS __attribute__((visibility("default")))+#define CRYPTONITE_DECAF_NOINLINE  __attribute__((noinline))+#define CRYPTONITE_DECAF_WARN_UNUSED __attribute__((warn_unused_result))+#define CRYPTONITE_DECAF_NONNULL __attribute__((nonnull))+#define CRYPTONITE_DECAF_INLINE inline __attribute__((always_inline,unused))+// Cribbed from libnotmuch+#if defined (__clang_major__) && __clang_major__ >= 3 \+    || defined (__GNUC__) && __GNUC__ >= 5 \+    || defined (__GNUC__) && __GNUC__ == 4 && __GNUC_MINOR__ >= 5+#define CRYPTONITE_DECAF_DEPRECATED(msg) __attribute__ ((deprecated(msg)))+#else+#define CRYPTONITE_DECAF_DEPRECATED(msg) __attribute__ ((deprecated))+#endif+/** @endcond */++/* Internal word types.+ *+ * Somewhat tricky.  This could be decided separately per platform.  However,+ * the structs do need to be all the same size and alignment on a given+ * platform to support dynamic linking, since even if you header was built+ * with eg arch_neon, you might end up linking a library built with arch_arm32.+ */+#ifndef CRYPTONITE_DECAF_WORD_BITS+    #if (defined(__ILP64__) || defined(__amd64__) || defined(__x86_64__) || (((__UINT_FAST32_MAX__)>>30)>>30))+        #define CRYPTONITE_DECAF_WORD_BITS 64 /**< The number of bits in a word */+    #else+        #define CRYPTONITE_DECAF_WORD_BITS 32 /**< The number of bits in a word */+    #endif+#endif+    +#if CRYPTONITE_DECAF_WORD_BITS == 64+typedef uint64_t cryptonite_decaf_word_t;      /**< Word size for internal computations */+typedef int64_t cryptonite_decaf_sword_t;      /**< Signed word size for internal computations */+typedef uint64_t cryptonite_decaf_bool_t;      /**< "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */+typedef __uint128_t cryptonite_decaf_dword_t;  /**< Double-word size for internal computations */+typedef __int128_t cryptonite_decaf_dsword_t;  /**< Signed double-word size for internal computations */+#elif CRYPTONITE_DECAF_WORD_BITS == 32         /**< The number of bits in a word */+typedef uint32_t cryptonite_decaf_word_t;      /**< Word size for internal computations */+typedef int32_t cryptonite_decaf_sword_t;      /**< Signed word size for internal computations */+typedef uint32_t cryptonite_decaf_bool_t;      /**< "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */+typedef uint64_t cryptonite_decaf_dword_t;     /**< Double-word size for internal computations */+typedef int64_t cryptonite_decaf_dsword_t;     /**< Signed double-word size for internal computations */+#else+#error "Only supporting CRYPTONITE_DECAF_WORD_BITS = 32 or 64 for now"+#endif+    +/** CRYPTONITE_DECAF_TRUE = -1 so that CRYPTONITE_DECAF_TRUE & x = x */+static const cryptonite_decaf_bool_t CRYPTONITE_DECAF_TRUE = -(cryptonite_decaf_bool_t)1;++/** CRYPTONITE_DECAF_FALSE = 0 so that CRYPTONITE_DECAF_FALSE & x = 0 */+static const cryptonite_decaf_bool_t CRYPTONITE_DECAF_FALSE = 0;++/** Another boolean type used to indicate success or failure. */+typedef enum {+    CRYPTONITE_DECAF_SUCCESS = -1, /**< The operation succeeded. */+    CRYPTONITE_DECAF_FAILURE = 0   /**< The operation failed. */+} cryptonite_decaf_error_t;+++/** Return success if x is true */+static CRYPTONITE_DECAF_INLINE cryptonite_decaf_error_t+cryptonite_decaf_succeed_if(cryptonite_decaf_bool_t x) {+    return (cryptonite_decaf_error_t)x;+}++/** Return CRYPTONITE_DECAF_TRUE iff x == CRYPTONITE_DECAF_SUCCESS */+static CRYPTONITE_DECAF_INLINE cryptonite_decaf_bool_t+cryptonite_decaf_successful(cryptonite_decaf_error_t e) {+    cryptonite_decaf_dword_t w = ((cryptonite_decaf_word_t)e) ^  ((cryptonite_decaf_word_t)CRYPTONITE_DECAF_SUCCESS);+    return (w-1)>>CRYPTONITE_DECAF_WORD_BITS;+}+    +/** Overwrite data with zeros.  Uses memset_s if available. */+void cryptonite_decaf_bzero (+    void *data,+    size_t size+) CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_API_VIS;++/** Compare two buffers, returning CRYPTONITE_DECAF_TRUE if they are equal. */+cryptonite_decaf_bool_t cryptonite_decaf_memeq (+    const void *data1,+    const void *data2,+    size_t size+) CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_API_VIS;+    +#ifdef __cplusplus+} /* extern "C" */+#endif+    +#endif /* __CRYPTONITE_DECAF_COMMON_H__ */
+ cbits/decaf/include/decaf/ed448.h view
@@ -0,0 +1,227 @@+/**+ * @file decaf/ed448.h+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief A group of prime order p, based on Ed448-Goldilocks.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */++#ifndef __CRYPTONITE_DECAF_ED448_H__+#define __CRYPTONITE_DECAF_ED448_H__ 1++#include <decaf/point_448.h>+#include <decaf/shake.h>+#include <decaf/sha512.h>++#ifdef __cplusplus+extern "C" {+#endif++/** Number of bytes in an EdDSA public key. */+#define CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES 57++/** Number of bytes in an EdDSA private key. */+#define CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES++/** Number of bytes in an EdDSA private key. */+#define CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES (CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES + CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES)++/** Does EdDSA support non-contextual signatures? */+#define CRYPTONITE_DECAF_EDDSA_448_SUPPORTS_CONTEXTLESS_SIGS 0++/** Prehash context renaming macros. */+#define cryptonite_decaf_ed448_prehash_ctx_s   cryptonite_decaf_shake256_ctx_s+#define cryptonite_decaf_ed448_prehash_ctx_t   cryptonite_decaf_shake256_ctx_t+#define cryptonite_decaf_ed448_prehash_update  cryptonite_decaf_shake256_update+#define cryptonite_decaf_ed448_prehash_destroy cryptonite_decaf_shake256_destroy++/**+ * @brief EdDSA key generation.  This function uses a different (non-Decaf)+ * encoding.+ *+ * @param [out] pubkey The public key.+ * @param [in] privkey The private key.+ */    +void cryptonite_decaf_ed448_derive_public_key (+    uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA signing.+ *+ * @param [out] signature The signature.+ * @param [in] privkey The private key.+ * @param [in] pubkey The public key.+ * @param [in] message The message to sign.+ * @param [in] message_len The length of the message.+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to sign.+ * @param [in] context A "context" for this signature of up to 255 bytes.+ * @param [in] context_len Length of the context.+ *+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives+ * you no seat belt.+ */  +void cryptonite_decaf_ed448_sign (+    uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const uint8_t *message,+    size_t message_len,+    uint8_t prehashed,+    const uint8_t *context,+    uint8_t context_len+) CRYPTONITE_DECAF_API_VIS __attribute__((nonnull(1,2,3))) CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA signing with prehash.+ *+ * @param [out] signature The signature.+ * @param [in] privkey The private key.+ * @param [in] pubkey The public key.+ * @param [in] hash The hash of the message.  This object will not be modified by the call.+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.+ * @param [in] context_len Length of the context.+ *+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives+ * you no seat belt.+ */  +void cryptonite_decaf_ed448_sign_prehash (+    uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t privkey[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const cryptonite_decaf_ed448_prehash_ctx_t hash,+    const uint8_t *context,+    uint8_t context_len+) CRYPTONITE_DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) CRYPTONITE_DECAF_NOINLINE;+    +/**+ * @brief Prehash initialization, with contexts if supported.+ *+ * @param [out] hash The hash object to be initialized.+ */+void cryptonite_decaf_ed448_prehash_init (+    cryptonite_decaf_ed448_prehash_ctx_t hash+) CRYPTONITE_DECAF_API_VIS __attribute__((nonnull(1))) CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA signature verification.+ *+ * Uses the standard (i.e. less-strict) verification formula.+ *+ * @param [in] signature The signature.+ * @param [in] pubkey The public key.+ * @param [in] message The message to verify.+ * @param [in] message_len The length of the message.+ * @param [in] prehashed Nonzero if the message is actually the hash of something you want to verify.+ * @param [in] context A "context" for this signature of up to 255 bytes.+ * @param [in] context_len Length of the context.+ *+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives+ * you no seat belt.+ */+cryptonite_decaf_error_t cryptonite_decaf_ed448_verify (+    const uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const uint8_t *message,+    size_t message_len,+    uint8_t prehashed,+    const uint8_t *context,+    uint8_t context_len+) CRYPTONITE_DECAF_API_VIS __attribute__((nonnull(1,2))) CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA signature verification.+ *+ * Uses the standard (i.e. less-strict) verification formula.+ *+ * @param [in] signature The signature.+ * @param [in] pubkey The public key.+ * @param [in] hash The hash of the message.  This object will not be modified by the call.+ * @param [in] context A "context" for this signature of up to 255 bytes.  Must be the same as what was used for the prehash.+ * @param [in] context_len Length of the context.+ *+ * @warning For Ed25519, it is unsafe to use the same key for both prehashed and non-prehashed+ * messages, at least without some very careful protocol-level disambiguation.  For Ed448 it is+ * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives+ * you no seat belt.+ */+cryptonite_decaf_error_t cryptonite_decaf_ed448_verify_prehash (+    const uint8_t signature[CRYPTONITE_DECAF_EDDSA_448_SIGNATURE_BYTES],+    const uint8_t pubkey[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const cryptonite_decaf_ed448_prehash_ctx_t hash,+    const uint8_t *context,+    uint8_t context_len+) CRYPTONITE_DECAF_API_VIS __attribute__((nonnull(1,2))) CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA point encoding.  Used internally, exposed externally.+ * Multiplies the point by the current cofactor first.+ *+ * @param [out] enc The encoded point.+ * @param [in] p The point.+ */       +void cryptonite_decaf_448_point_mul_by_cofactor_and_encode_like_eddsa (+    uint8_t enc[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES],+    const cryptonite_decaf_448_point_t p+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA point decoding.  Remember that while points on the+ * EdDSA curves have cofactor information, Decaf ignores (quotients+ * out) all cofactor information.+ *+ * @param [out] enc The encoded point.+ * @param [in] p The point.+ */       +cryptonite_decaf_error_t cryptonite_decaf_448_point_decode_like_eddsa_and_ignore_cofactor (+    cryptonite_decaf_448_point_t p,+    const uint8_t enc[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA to ECDH public key conversion+ * Deserialize the point to get y on Edwards curve,+ * Convert it to u coordinate on Montgomery curve.+ *+ * @warning This function does not check that the public key being converted+ * is a valid EdDSA public key (FUTURE?)+ *+ * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)+ * @param[in] ed The EdDSA public key(point on Edwards curve)+ */+void cryptonite_decaf_ed448_convert_public_key_to_x448 (+    uint8_t x[CRYPTONITE_DECAF_X448_PUBLIC_BYTES],+    const uint8_t ed[CRYPTONITE_DECAF_EDDSA_448_PUBLIC_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief EdDSA to ECDH private key conversion+ * Using the appropriate hash function, hash the EdDSA private key+ * and keep only the lower bytes to get the ECDH private key+ *+ * @param[out] x The ECDH private key as in RFC7748+ * @param[in] ed The EdDSA private key+ */+void cryptonite_decaf_ed448_convert_private_key_to_x448 (+    uint8_t x[CRYPTONITE_DECAF_X448_PRIVATE_BYTES],+    const uint8_t ed[CRYPTONITE_DECAF_EDDSA_448_PRIVATE_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++#ifdef __cplusplus+} /* extern "C" */+#endif++#endif /* __CRYPTONITE_DECAF_ED448_H__ */
+ cbits/decaf/include/decaf/point_255.h view
@@ -0,0 +1,1 @@+/* Not needed if 448-only */
+ cbits/decaf/include/decaf/point_448.h view
@@ -0,0 +1,724 @@+/**+ * @file decaf/point_448.h+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief A group of prime order p, based on Ed448-Goldilocks.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */++#ifndef __CRYPTONITE_DECAF_POINT_448_H__+#define __CRYPTONITE_DECAF_POINT_448_H__ 1++#include <decaf/common.h>++#ifdef __cplusplus+extern "C" {+#endif++/** @cond internal */+#define CRYPTONITE_DECAF_448_SCALAR_LIMBS ((446-1)/CRYPTONITE_DECAF_WORD_BITS+1)+/** @endcond */++/** The number of bits in a scalar */+#define CRYPTONITE_DECAF_448_SCALAR_BITS 446++/** @cond internal */+#ifndef __CRYPTONITE_DECAF_448_GF_DEFINED__+#define __CRYPTONITE_DECAF_448_GF_DEFINED__ 1+/** @brief Galois field element internal structure */+typedef struct cryptonite_gf_448_s {+    cryptonite_decaf_word_t limb[512/CRYPTONITE_DECAF_WORD_BITS];+} __attribute__((aligned(16))) cryptonite_gf_448_s, cryptonite_gf_448_t[1];+#endif /* __CRYPTONITE_DECAF_448_GF_DEFINED__ */+/** @endcond */++/** Number of bytes in a serialized point. */+#define CRYPTONITE_DECAF_448_SER_BYTES 56++/** Number of bytes in an elligated point.  For now set the same as SER_BYTES+ * but could be different for other curves.+ */+#define CRYPTONITE_DECAF_448_HASH_BYTES 56++/** Number of bytes in a serialized scalar. */+#define CRYPTONITE_DECAF_448_SCALAR_BYTES 56++/** Number of bits in the "which" field of an elligator inverse */+#define CRYPTONITE_DECAF_448_INVERT_ELLIGATOR_WHICH_BITS 3++/** Number of bytes in an x448 public key */+#define CRYPTONITE_DECAF_X448_PUBLIC_BYTES 56++/** Number of bytes in an x448 private key */+#define CRYPTONITE_DECAF_X448_PRIVATE_BYTES 56++/** Twisted Edwards extended homogeneous coordinates */+typedef struct cryptonite_decaf_448_point_s {+    /** @cond internal */+    cryptonite_gf_448_t x,y,z,t;+    /** @endcond */+} cryptonite_decaf_448_point_t[1];++/** Precomputed table based on a point.  Can be trivial implementation. */+struct cryptonite_decaf_448_precomputed_s;++/** Precomputed table based on a point.  Can be trivial implementation. */+typedef struct cryptonite_decaf_448_precomputed_s cryptonite_decaf_448_precomputed_s; ++/** Size and alignment of precomputed point tables. */+extern const size_t cryptonite_decaf_448_sizeof_precomputed_s CRYPTONITE_DECAF_API_VIS, cryptonite_decaf_448_alignof_precomputed_s CRYPTONITE_DECAF_API_VIS;++/** Scalar is stored packed, because we don't need the speed. */+typedef struct cryptonite_decaf_448_scalar_s {+    /** @cond internal */+    cryptonite_decaf_word_t limb[CRYPTONITE_DECAF_448_SCALAR_LIMBS];+    /** @endcond */+} cryptonite_decaf_448_scalar_t[1];++/** A scalar equal to 1. */+extern const cryptonite_decaf_448_scalar_t cryptonite_decaf_448_scalar_one CRYPTONITE_DECAF_API_VIS;++/** A scalar equal to 0. */+extern const cryptonite_decaf_448_scalar_t cryptonite_decaf_448_scalar_zero CRYPTONITE_DECAF_API_VIS;++/** The identity point on the curve. */+extern const cryptonite_decaf_448_point_t cryptonite_decaf_448_point_identity CRYPTONITE_DECAF_API_VIS;++/** An arbitrarily chosen base point on the curve. */+extern const cryptonite_decaf_448_point_t cryptonite_decaf_448_point_base CRYPTONITE_DECAF_API_VIS;++/** Precomputed table for the base point on the curve. */+extern const struct cryptonite_decaf_448_precomputed_s *cryptonite_decaf_448_precomputed_base CRYPTONITE_DECAF_API_VIS;++/**+ * @brief Read a scalar from wire format or from bytes.+ *+ * @param [in] ser Serialized form of a scalar.+ * @param [out] out Deserialized form.+ *+ * @retval CRYPTONITE_DECAF_SUCCESS The scalar was correctly encoded.+ * @retval CRYPTONITE_DECAF_FAILURE The scalar was greater than the modulus,+ * and has been reduced modulo that modulus.+ */+cryptonite_decaf_error_t cryptonite_decaf_448_scalar_decode (+    cryptonite_decaf_448_scalar_t out,+    const unsigned char ser[CRYPTONITE_DECAF_448_SCALAR_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Read a scalar from wire format or from bytes.  Reduces mod+ * scalar prime.+ *+ * @param [in] ser Serialized form of a scalar.+ * @param [in] ser_len Length of serialized form.+ * @param [out] out Deserialized form.+ */+void cryptonite_decaf_448_scalar_decode_long (+    cryptonite_decaf_448_scalar_t out,+    const unsigned char *ser,+    size_t ser_len+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;+    +/**+ * @brief Serialize a scalar to wire format.+ *+ * @param [out] ser Serialized form of a scalar.+ * @param [in] s Deserialized scalar.+ */+void cryptonite_decaf_448_scalar_encode (+    unsigned char ser[CRYPTONITE_DECAF_448_SCALAR_BYTES],+    const cryptonite_decaf_448_scalar_t s+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE CRYPTONITE_DECAF_NOINLINE;+        +/**+ * @brief Add two scalars.  The scalars may use the same memory.+ * @param [in] a One scalar.+ * @param [in] b Another scalar.+ * @param [out] out a+b.+ */+void cryptonite_decaf_448_scalar_add (+    cryptonite_decaf_448_scalar_t out,+    const cryptonite_decaf_448_scalar_t a,+    const cryptonite_decaf_448_scalar_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Compare two scalars.+ * @param [in] a One scalar.+ * @param [in] b Another scalar.+ * @retval CRYPTONITE_DECAF_TRUE The scalars are equal.+ * @retval CRYPTONITE_DECAF_FALSE The scalars are not equal.+ */    +cryptonite_decaf_bool_t cryptonite_decaf_448_scalar_eq (+    const cryptonite_decaf_448_scalar_t a,+    const cryptonite_decaf_448_scalar_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Subtract two scalars.  The scalars may use the same memory.+ * @param [in] a One scalar.+ * @param [in] b Another scalar.+ * @param [out] out a-b.+ */  +void cryptonite_decaf_448_scalar_sub (+    cryptonite_decaf_448_scalar_t out,+    const cryptonite_decaf_448_scalar_t a,+    const cryptonite_decaf_448_scalar_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Multiply two scalars.  The scalars may use the same memory.+ * @param [in] a One scalar.+ * @param [in] b Another scalar.+ * @param [out] out a*b.+ */  +void cryptonite_decaf_448_scalar_mul (+    cryptonite_decaf_448_scalar_t out,+    const cryptonite_decaf_448_scalar_t a,+    const cryptonite_decaf_448_scalar_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;+        +/**+* @brief Halve a scalar.  The scalars may use the same memory.+* @param [in] a A scalar.+* @param [out] out a/2.+*/+void cryptonite_decaf_448_scalar_halve (+   cryptonite_decaf_448_scalar_t out,+   const cryptonite_decaf_448_scalar_t a+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Invert a scalar.  When passed zero, return 0.  The input and output may alias.+ * @param [in] a A scalar.+ * @param [out] out 1/a.+ * @return CRYPTONITE_DECAF_SUCCESS The input is nonzero.+ */  +cryptonite_decaf_error_t cryptonite_decaf_448_scalar_invert (+    cryptonite_decaf_448_scalar_t out,+    const cryptonite_decaf_448_scalar_t a+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Copy a scalar.  The scalars may use the same memory, in which+ * case this function does nothing.+ * @param [in] a A scalar.+ * @param [out] out Will become a copy of a.+ */+static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_448_scalar_copy (+    cryptonite_decaf_448_scalar_t out,+    const cryptonite_decaf_448_scalar_t a+) {+    *out = *a;+}++/**+ * @brief Set a scalar to an unsigned 64-bit integer.+ * @param [in] a An integer.+ * @param [out] out Will become equal to a.+ */  +void cryptonite_decaf_448_scalar_set_unsigned (+    cryptonite_decaf_448_scalar_t out,+    uint64_t a+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL;++/**+ * @brief Encode a point as a sequence of bytes.+ *+ * @param [out] ser The byte representation of the point.+ * @param [in] pt The point to encode.+ */+void cryptonite_decaf_448_point_encode (+    uint8_t ser[CRYPTONITE_DECAF_448_SER_BYTES],+    const cryptonite_decaf_448_point_t pt+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Decode a point from a sequence of bytes.+ *+ * Every point has a unique encoding, so not every+ * sequence of bytes is a valid encoding.  If an invalid+ * encoding is given, the output is undefined.+ *+ * @param [out] pt The decoded point.+ * @param [in] ser The serialized version of the point.+ * @param [in] allow_identity CRYPTONITE_DECAF_TRUE if the identity is a legal input.+ * @retval CRYPTONITE_DECAF_SUCCESS The decoding succeeded.+ * @retval CRYPTONITE_DECAF_FAILURE The decoding didn't succeed, because+ * ser does not represent a point.+ */+cryptonite_decaf_error_t cryptonite_decaf_448_point_decode (+    cryptonite_decaf_448_point_t pt,+    const uint8_t ser[CRYPTONITE_DECAF_448_SER_BYTES],+    cryptonite_decaf_bool_t allow_identity+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Copy a point.  The input and output may alias,+ * in which case this function does nothing.+ *+ * @param [out] a A copy of the point.+ * @param [in] b Any point.+ */+static inline void CRYPTONITE_DECAF_NONNULL cryptonite_decaf_448_point_copy (+    cryptonite_decaf_448_point_t a,+    const cryptonite_decaf_448_point_t b+) {+    *a=*b;+}++/**+ * @brief Test whether two points are equal.  If yes, return+ * CRYPTONITE_DECAF_TRUE, else return CRYPTONITE_DECAF_FALSE.+ *+ * @param [in] a A point.+ * @param [in] b Another point.+ * @retval CRYPTONITE_DECAF_TRUE The points are equal.+ * @retval CRYPTONITE_DECAF_FALSE The points are not equal.+ */+cryptonite_decaf_bool_t cryptonite_decaf_448_point_eq (+    const cryptonite_decaf_448_point_t a,+    const cryptonite_decaf_448_point_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Add two points to produce a third point.  The+ * input points and output point can be pointers to the same+ * memory.+ *+ * @param [out] sum The sum a+b.+ * @param [in] a An addend.+ * @param [in] b An addend.+ */+void cryptonite_decaf_448_point_add (+    cryptonite_decaf_448_point_t sum,+    const cryptonite_decaf_448_point_t a,+    const cryptonite_decaf_448_point_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL;++/**+ * @brief Double a point.  Equivalent to+ * cryptonite_decaf_448_point_add(two_a,a,a), but potentially faster.+ *+ * @param [out] two_a The sum a+a.+ * @param [in] a A point.+ */+void cryptonite_decaf_448_point_double (+    cryptonite_decaf_448_point_t two_a,+    const cryptonite_decaf_448_point_t a+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL;++/**+ * @brief Subtract two points to produce a third point.  The+ * input points and output point can be pointers to the same+ * memory.+ *+ * @param [out] diff The difference a-b.+ * @param [in] a The minuend.+ * @param [in] b The subtrahend.+ */+void cryptonite_decaf_448_point_sub (+    cryptonite_decaf_448_point_t diff,+    const cryptonite_decaf_448_point_t a,+    const cryptonite_decaf_448_point_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL;+    +/**+ * @brief Negate a point to produce another point.  The input+ * and output points can use the same memory.+ *+ * @param [out] nega The negated input point+ * @param [in] a The input point.+ */+void cryptonite_decaf_448_point_negate (+   cryptonite_decaf_448_point_t nega,+   const cryptonite_decaf_448_point_t a+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL;++/**+ * @brief Multiply a base point by a scalar: scaled = scalar*base.+ *+ * @param [out] scaled The scaled point base*scalar+ * @param [in] base The point to be scaled.+ * @param [in] scalar The scalar to multiply by.+ */+void cryptonite_decaf_448_point_scalarmul (+    cryptonite_decaf_448_point_t scaled,+    const cryptonite_decaf_448_point_t base,+    const cryptonite_decaf_448_scalar_t scalar+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Multiply a base point by a scalar: scaled = scalar*base.+ * This function operates directly on serialized forms.+ *+ * @warning This function is experimental.  It may not be supported+ * long-term.+ *+ * @param [out] scaled The scaled point base*scalar+ * @param [in] base The point to be scaled.+ * @param [in] scalar The scalar to multiply by.+ * @param [in] allow_identity Allow the input to be the identity.+ * @param [in] short_circuit Allow a fast return if the input is illegal.+ *+ * @retval CRYPTONITE_DECAF_SUCCESS The scalarmul succeeded.+ * @retval CRYPTONITE_DECAF_FAILURE The scalarmul didn't succeed, because+ * base does not represent a point.+ */+cryptonite_decaf_error_t cryptonite_decaf_448_direct_scalarmul (+    uint8_t scaled[CRYPTONITE_DECAF_448_SER_BYTES],+    const uint8_t base[CRYPTONITE_DECAF_448_SER_BYTES],+    const cryptonite_decaf_448_scalar_t scalar,+    cryptonite_decaf_bool_t allow_identity,+    cryptonite_decaf_bool_t short_circuit+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief RFC 7748 Diffie-Hellman scalarmul.  This function uses a different+ * (non-Decaf) encoding.+ *+ * @param [out] scaled The scaled point base*scalar+ * @param [in] base The point to be scaled.+ * @param [in] scalar The scalar to multiply by.+ *+ * @retval CRYPTONITE_DECAF_SUCCESS The scalarmul succeeded.+ * @retval CRYPTONITE_DECAF_FAILURE The scalarmul didn't succeed, because the base+ * point is in a small subgroup.+ */+cryptonite_decaf_error_t cryptonite_decaf_x448 (+    uint8_t out[CRYPTONITE_DECAF_X448_PUBLIC_BYTES],+    const uint8_t base[CRYPTONITE_DECAF_X448_PUBLIC_BYTES],+    const uint8_t scalar[CRYPTONITE_DECAF_X448_PRIVATE_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NOINLINE;++/** The base point for X448 Diffie-Hellman */+extern const uint8_t cryptonite_decaf_x448_base_point[CRYPTONITE_DECAF_X448_PUBLIC_BYTES] CRYPTONITE_DECAF_API_VIS;++/**+ * @brief RFC 7748 Diffie-Hellman base point scalarmul.  This function uses+ * a different (non-Decaf) encoding.+ *+ * @deprecated Renamed to cryptonite_decaf_x448_derive_public_key.+ * I have no particular timeline for removing this name.+ *+ * @param [out] scaled The scaled point base*scalar+ * @param [in] scalar The scalar to multiply by.+ */+void cryptonite_decaf_x448_generate_key (+    uint8_t out[CRYPTONITE_DECAF_X448_PUBLIC_BYTES],+    const uint8_t scalar[CRYPTONITE_DECAF_X448_PRIVATE_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE CRYPTONITE_DECAF_DEPRECATED("Renamed to cryptonite_decaf_x448_derive_public_key");+    +/**+ * @brief RFC 7748 Diffie-Hellman base point scalarmul.  This function uses+ * a different (non-Decaf) encoding.+ *+ * Does exactly the same thing as cryptonite_decaf_x448_generate_key,+ * but has a better name.+ *+ * @param [out] scaled The scaled point base*scalar+ * @param [in] scalar The scalar to multiply by.+ */+void cryptonite_decaf_x448_derive_public_key (+    uint8_t out[CRYPTONITE_DECAF_X448_PUBLIC_BYTES],+    const uint8_t scalar[CRYPTONITE_DECAF_X448_PRIVATE_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/* FUTURE: uint8_t cryptonite_decaf_448_encode_like_curve448) */++/**+ * @brief Precompute a table for fast scalar multiplication.+ * Some implementations do not include precomputed points; for+ * those implementations, this implementation simply copies the+ * point.+ *+ * @param [out] a A precomputed table of multiples of the point.+ * @param [in] b Any point.+ */+void cryptonite_decaf_448_precompute (+    cryptonite_decaf_448_precomputed_s *a,+    const cryptonite_decaf_448_point_t b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Multiply a precomputed base point by a scalar:+ * scaled = scalar*base.+ * Some implementations do not include precomputed points; for+ * those implementations, this function is the same as+ * cryptonite_decaf_448_point_scalarmul+ *+ * @param [out] scaled The scaled point base*scalar+ * @param [in] base The point to be scaled.+ * @param [in] scalar The scalar to multiply by.+ */+void cryptonite_decaf_448_precomputed_scalarmul (+    cryptonite_decaf_448_point_t scaled,+    const cryptonite_decaf_448_precomputed_s *base,+    const cryptonite_decaf_448_scalar_t scalar+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Multiply two base points by two scalars:+ * scaled = scalar1*base1 + scalar2*base2.+ *+ * Equivalent to two calls to cryptonite_decaf_448_point_scalarmul, but may be+ * faster.+ *+ * @param [out] combo The linear combination scalar1*base1 + scalar2*base2.+ * @param [in] base1 A first point to be scaled.+ * @param [in] scalar1 A first scalar to multiply by.+ * @param [in] base2 A second point to be scaled.+ * @param [in] scalar2 A second scalar to multiply by.+ */+void cryptonite_decaf_448_point_double_scalarmul (+    cryptonite_decaf_448_point_t combo,+    const cryptonite_decaf_448_point_t base1,+    const cryptonite_decaf_448_scalar_t scalar1,+    const cryptonite_decaf_448_point_t base2,+    const cryptonite_decaf_448_scalar_t scalar2+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;+    +/**+ * Multiply one base point by two scalars:+ *+ * a1 = scalar1 * base+ * a2 = scalar2 * base+ *+ * Equivalent to two calls to cryptonite_decaf_448_point_scalarmul, but may be+ * faster.+ *+ * @param [out] a1 The first multiple.  It may be the same as the input point.+ * @param [out] a2 The second multiple.  It may be the same as the input point.+ * @param [in] base1 A point to be scaled.+ * @param [in] scalar1 A first scalar to multiply by.+ * @param [in] scalar2 A second scalar to multiply by.+ */+void cryptonite_decaf_448_point_dual_scalarmul (+    cryptonite_decaf_448_point_t a1,+    cryptonite_decaf_448_point_t a2,+    const cryptonite_decaf_448_point_t base1,+    const cryptonite_decaf_448_scalar_t scalar1,+    const cryptonite_decaf_448_scalar_t scalar2+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Multiply two base points by two scalars:+ * scaled = scalar1*cryptonite_decaf_448_point_base + scalar2*base2.+ *+ * Otherwise equivalent to cryptonite_decaf_448_point_double_scalarmul, but may be+ * faster at the expense of being variable time.+ *+ * @param [out] combo The linear combination scalar1*base + scalar2*base2.+ * @param [in] scalar1 A first scalar to multiply by.+ * @param [in] base2 A second point to be scaled.+ * @param [in] scalar2 A second scalar to multiply by.+ *+ * @warning: This function takes variable time, and may leak the scalars+ * used.  It is designed for signature verification.+ */+void cryptonite_decaf_448_base_double_scalarmul_non_secret (+    cryptonite_decaf_448_point_t combo,+    const cryptonite_decaf_448_scalar_t scalar1,+    const cryptonite_decaf_448_point_t base2,+    const cryptonite_decaf_448_scalar_t scalar2+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Constant-time decision between two points.  If pick_b+ * is zero, out = a; else out = b.+ *+ * @param [out] out The output.  It may be the same as either input.+ * @param [in] a Any point.+ * @param [in] b Any point.+ * @param [in] pick_b If nonzero, choose point b.+ */+void cryptonite_decaf_448_point_cond_sel (+    cryptonite_decaf_448_point_t out,+    const cryptonite_decaf_448_point_t a,+    const cryptonite_decaf_448_point_t b,+    cryptonite_decaf_word_t pick_b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Constant-time decision between two scalars.  If pick_b+ * is zero, out = a; else out = b.+ *+ * @param [out] out The output.  It may be the same as either input.+ * @param [in] a Any scalar.+ * @param [in] b Any scalar.+ * @param [in] pick_b If nonzero, choose scalar b.+ */+void cryptonite_decaf_448_scalar_cond_sel (+    cryptonite_decaf_448_scalar_t out,+    const cryptonite_decaf_448_scalar_t a,+    const cryptonite_decaf_448_scalar_t b,+    cryptonite_decaf_word_t pick_b+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Test that a point is valid, for debugging purposes.+ *+ * @param [in] to_test The point to test.+ * @retval CRYPTONITE_DECAF_TRUE The point is valid.+ * @retval CRYPTONITE_DECAF_FALSE The point is invalid.+ */+cryptonite_decaf_bool_t cryptonite_decaf_448_point_valid (+    const cryptonite_decaf_448_point_t to_test+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_WARN_UNUSED CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Torque a point, for debugging purposes.  The output+ * will be equal to the input.+ *+ * @param [out] q The point to torque.+ * @param [in] p The point to torque.+ */+void cryptonite_decaf_448_point_debugging_torque (+    cryptonite_decaf_448_point_t q,+    const cryptonite_decaf_448_point_t p+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Projectively scale a point, for debugging purposes.+ * The output will be equal to the input, and will be valid+ * even if the factor is zero.+ *+ * @param [out] q The point to scale.+ * @param [in] p The point to scale.+ * @param [in] factor Serialized GF factor to scale.+ */+void cryptonite_decaf_448_point_debugging_pscale (+    cryptonite_decaf_448_point_t q,+    const cryptonite_decaf_448_point_t p,+    const unsigned char factor[CRYPTONITE_DECAF_448_SER_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Almost-Elligator-like hash to curve.+ *+ * Call this function with the output of a hash to make a hash to the curve.+ *+ * This function runs Elligator2 on the cryptonite_decaf_448 Jacobi quartic model.  It then+ * uses the isogeny to put the result in twisted Edwards form.  As a result,+ * it is safe (cannot produce points of order 4), and would be compatible with+ * hypothetical other implementations of Decaf using a Montgomery or untwisted+ * Edwards model.+ *+ * Unlike Elligator, this function may be up to 4:1 on [0,(p-1)/2]:+ *   A factor of 2 due to the isogeny.+ *   A factor of 2 because we quotient out the 2-torsion.+ *+ * This makes it about 8:1 overall, or 16:1 overall on curves with cofactor 8.+ *+ * Negating the input (mod q) results in the same point.  Inverting the input+ * (mod q) results in the negative point.  This is the same as Elligator.+ *+ * This function isn't quite indifferentiable from a random oracle.+ * However, it is suitable for many protocols, including SPEKE and SPAKE2 EE. + * Furthermore, calling it twice with independent seeds and adding the results+ * is indifferentiable from a random oracle.+ *+ * @param [in] hashed_data Output of some hash function.+ * @param [out] pt The data hashed to the curve.+ */+void+cryptonite_decaf_448_point_from_hash_nonuniform (+    cryptonite_decaf_448_point_t pt,+    const unsigned char hashed_data[CRYPTONITE_DECAF_448_HASH_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Indifferentiable hash function encoding to curve.+ *+ * Equivalent to calling cryptonite_decaf_448_point_from_hash_nonuniform twice and adding.+ *+ * @param [in] hashed_data Output of some hash function.+ * @param [out] pt The data hashed to the curve.+ */ +void cryptonite_decaf_448_point_from_hash_uniform (+    cryptonite_decaf_448_point_t pt,+    const unsigned char hashed_data[2*CRYPTONITE_DECAF_448_HASH_BYTES]+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE;++/**+ * @brief Inverse of elligator-like hash to curve.+ *+ * This function writes to the buffer, to make it so that+ * cryptonite_decaf_448_point_from_hash_nonuniform(buffer) = pt if+ * possible.  Since there may be multiple preimages, the+ * "which" parameter chooses between them.  To ensure uniform+ * inverse sampling, this function succeeds or fails+ * independently for different "which" values.+ *+ * @param [out] recovered_hash Encoded data.+ * @param [in] pt The point to encode.+ * @param [in] which A value determining which inverse point+ * to return.+ *+ * @retval CRYPTONITE_DECAF_SUCCESS The inverse succeeded.+ * @retval CRYPTONITE_DECAF_FAILURE The inverse failed.+ */+cryptonite_decaf_error_t+cryptonite_decaf_448_invert_elligator_nonuniform (+    unsigned char recovered_hash[CRYPTONITE_DECAF_448_HASH_BYTES],+    const cryptonite_decaf_448_point_t pt,+    uint32_t which+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE CRYPTONITE_DECAF_WARN_UNUSED;++/**+ * @brief Inverse of elligator-like hash to curve.+ *+ * This function writes to the buffer, to make it so that+ * cryptonite_decaf_448_point_from_hash_uniform(buffer) = pt if+ * possible.  Since there may be multiple preimages, the+ * "which" parameter chooses between them.  To ensure uniform+ * inverse sampling, this function succeeds or fails+ * independently for different "which" values.+ *+ * @param [out] recovered_hash Encoded data.+ * @param [in] pt The point to encode.+ * @param [in] which A value determining which inverse point+ * to return.+ *+ * @retval CRYPTONITE_DECAF_SUCCESS The inverse succeeded.+ * @retval CRYPTONITE_DECAF_FAILURE The inverse failed.+ */+cryptonite_decaf_error_t+cryptonite_decaf_448_invert_elligator_uniform (+    unsigned char recovered_hash[2*CRYPTONITE_DECAF_448_HASH_BYTES],+    const cryptonite_decaf_448_point_t pt,+    uint32_t which+) CRYPTONITE_DECAF_API_VIS CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_NOINLINE CRYPTONITE_DECAF_WARN_UNUSED;++/**+ * @brief Overwrite scalar with zeros.+ */+void cryptonite_decaf_448_scalar_destroy (+    cryptonite_decaf_448_scalar_t scalar+) CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_API_VIS;++/**+ * @brief Overwrite point with zeros.+ */+void cryptonite_decaf_448_point_destroy (+    cryptonite_decaf_448_point_t point+) CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_API_VIS;++/**+ * @brief Overwrite precomputed table with zeros.+ */+void cryptonite_decaf_448_precomputed_destroy (+    cryptonite_decaf_448_precomputed_s *pre+) CRYPTONITE_DECAF_NONNULL CRYPTONITE_DECAF_API_VIS;++#ifdef __cplusplus+} /* extern "C" */+#endif++#endif /* __CRYPTONITE_DECAF_POINT_448_H__ */
+ cbits/decaf/include/decaf/sha512.h view
@@ -0,0 +1,1 @@+/* Not needed if 448-only */
+ cbits/decaf/include/decaf/shake.h view
@@ -0,0 +1,96 @@+/*+ * Copyright (C) 2006-2009 Vincent Hanquez <vincent@snarc.org>+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions+ * are met:+ * 1. Redistributions of source code must retain the above copyright+ *    notice, this list of conditions and the following disclaimer.+ * 2. Redistributions in binary form must reproduce the above copyright+ *    notice, this list of conditions and the following disclaimer in the+ *    documentation and/or other materials provided with the distribution.+ *+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */+#ifndef CRYPTONITE_DECAF_SHAKE_H+#define CRYPTONITE_DECAF_SHAKE_H++#include "cryptonite_sha3.h"++#include <decaf/common.h>++#define CHUNK_SIZE_32 0x80000000++typedef struct sha3_shake256_ctx+{+        struct sha3_ctx    sc[1];+        uint8_t            filler[136];    // 200 - 2*(256/8)+}+cryptonite_decaf_shake256_ctx_t[1];++static inline void cryptonite_decaf_shake256_init(cryptonite_decaf_shake256_ctx_t ctx)+{+        cryptonite_sha3_init(ctx -> sc, 256);+}++static inline void cryptonite_decaf_shake256_update(cryptonite_decaf_shake256_ctx_t ctx, const uint8_t *in, size_t inlen)+{+#if __SIZE_MAX__ > UINT32_MAX+        // split data over 4 GB in 2-GB chunks+        while (inlen > UINT32_MAX) {+                cryptonite_sha3_update(ctx -> sc, in, CHUNK_SIZE_32);+                inlen -= CHUNK_SIZE_32;+                in += CHUNK_SIZE_32;+        }+#endif+        cryptonite_sha3_update(ctx -> sc, in, (uint32_t) inlen);+}++static inline void cryptonite_decaf_shake256_output(cryptonite_decaf_shake256_ctx_t ctx, uint8_t *out, size_t outlen) {+#if __SIZE_MAX__ > UINT32_MAX+        // split data over 4 GB in 2-GB chunks+        while (outlen > UINT32_MAX) {+                cryptonite_sha3_output(ctx -> sc, out, CHUNK_SIZE_32);+                outlen -= CHUNK_SIZE_32;+                out += CHUNK_SIZE_32;+        }+#endif+        cryptonite_sha3_output(ctx -> sc, out, (uint32_t) outlen);+}++static inline void cryptonite_decaf_shake256_final(cryptonite_decaf_shake256_ctx_t ctx, uint8_t *out, size_t outlen)+{+        cryptonite_sha3_finalize_shake(ctx -> sc);+        cryptonite_decaf_shake256_output(ctx, out, outlen);++        cryptonite_decaf_shake256_init(ctx);+}++static inline void cryptonite_decaf_shake256_destroy(cryptonite_decaf_shake256_ctx_t ctx)+{+        cryptonite_decaf_bzero(ctx, sizeof(*ctx));+}++static inline void cryptonite_decaf_shake256_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)+{+        cryptonite_decaf_shake256_ctx_t ctx;++        cryptonite_decaf_shake256_init(ctx);+        cryptonite_decaf_shake256_update(ctx, in, inlen);++        cryptonite_sha3_finalize_shake(ctx -> sc);+        cryptonite_decaf_shake256_output(ctx, out, outlen);++        cryptonite_decaf_shake256_destroy(ctx);+}++#endif
+ cbits/decaf/include/field.h view
@@ -0,0 +1,107 @@+/**+ * @file field.h+ * @brief Generic gf header.+ * @copyright+ *   Copyright (c) 2014 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ * @author Mike Hamburg+ */++#ifndef __GF_H__+#define __GF_H__++#include "constant_time.h"+#include "f_field.h"+#include <string.h>+    +/** Square x, n times. */+static CRYPTONITE_DECAF_INLINE void cryptonite_gf_sqrn (+    cryptonite_gf_s *__restrict__ y,+    const gf x,+    int n+) {+    gf tmp;+    assert(n>0);+    if (n&1) {+        cryptonite_gf_sqr(y,x);+        n--;+    } else {+        cryptonite_gf_sqr(tmp,x);+        cryptonite_gf_sqr(y,tmp);+        n-=2;+    }+    for (; n; n-=2) {+        cryptonite_gf_sqr(tmp,y);+        cryptonite_gf_sqr(y,tmp);+    }+}++#define cryptonite_gf_add_nr cryptonite_gf_add_RAW++/** Subtract mod p.  Bias by 2 and don't reduce  */+static inline void cryptonite_gf_sub_nr ( gf c, const gf a, const gf b ) {+    cryptonite_gf_sub_RAW(c,a,b);+    cryptonite_gf_bias(c, 2);+    if (GF_HEADROOM < 3) cryptonite_gf_weak_reduce(c);+}++/** Subtract mod p. Bias by amt but don't reduce.  */+static inline void cryptonite_gf_subx_nr ( gf c, const gf a, const gf b, int amt ) {+    cryptonite_gf_sub_RAW(c,a,b);+    cryptonite_gf_bias(c, amt);+    if (GF_HEADROOM < amt+1) cryptonite_gf_weak_reduce(c);+}++/** Mul by signed int.  Not constant-time WRT the sign of that int. */+static inline void cryptonite_gf_mulw(gf c, const gf a, int32_t w) {+    if (w>0) {+        cryptonite_gf_mulw_unsigned(c, a, w);+    } else {+        cryptonite_gf_mulw_unsigned(c, a, -w);+        cryptonite_gf_sub(c,ZERO,c);+    }+}++/** Constant time, x = is_z ? z : y */+static inline void cryptonite_gf_cond_sel(gf x, const gf y, const gf z, mask_t is_z) {+    constant_time_select(x,y,z,sizeof(gf),is_z,0);+}++/** Constant time, if (neg) x=-x; */+static inline void cryptonite_gf_cond_neg(gf x, mask_t neg) {+    gf y;+    cryptonite_gf_sub(y,ZERO,x);+    cryptonite_gf_cond_sel(x,x,y,neg);+}++/** Constant time, if (swap) (x,y) = (y,x); */+static inline void+cryptonite_gf_cond_swap(gf x, cryptonite_gf_s *__restrict__ y, mask_t swap) {+    constant_time_cond_swap(x,y,sizeof(cryptonite_gf_s),swap);+}++static CRYPTONITE_DECAF_INLINE void cryptonite_gf_mul_qnr(cryptonite_gf_s *__restrict__ out, const gf x) {+#if P_MOD_8 == 5+    /* r = QNR * r0^2 */+    cryptonite_gf_mul(out,x,SQRT_MINUS_ONE);+#elif P_MOD_8 == 3 || P_MOD_8 == 7+    cryptonite_gf_sub(out,ZERO,x);+#else+    #error "Only supporting p=3,5,7 mod 8"+#endif+}++static CRYPTONITE_DECAF_INLINE void cryptonite_gf_div_qnr(cryptonite_gf_s *__restrict__ out, const gf x) {+#if P_MOD_8 == 5+    /* r = QNR * r0^2 */+    cryptonite_gf_mul(out,x,SQRT_MINUS_ONE);+    cryptonite_gf_sub(out,ZERO,out);+#elif P_MOD_8 == 3 || P_MOD_8 == 7+    cryptonite_gf_sub(out,ZERO,x);+#else+    #error "Only supporting p=3,5,7 mod 8"+#endif+}+++#endif // __GF_H__
+ cbits/decaf/include/portable_endian.h view
@@ -0,0 +1,6 @@+/* portable_endian.h not used */++#if defined(__MINGW32__)+// does not exist on MinGW, but unused anyway+extern int posix_memalign(void **, size_t, size_t);+#endif
+ cbits/decaf/include/word.h view
@@ -0,0 +1,281 @@+/* Copyright (c) 2014 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#ifndef __WORD_H__+#define __WORD_H__++/* for posix_memalign */+#define _XOPEN_SOURCE 600+#define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */+#include <string.h>+#if defined(__sun) && defined(__SVR4)+extern int posix_memalign(void **, size_t, size_t);+#endif++#include <assert.h>+#include <stdint.h>+#include "arch_intrinsics.h"++#include <decaf/common.h>++#ifndef _BSD_SOURCE+#define _BSD_SOURCE 1+#endif++#ifndef _DEFAULT_SOURCE+#define _DEFAULT_SOURCE 1+#endif++#include "portable_endian.h"++#include <stdlib.h>+#include <sys/types.h>+#include <inttypes.h>++#if defined(__ARM_NEON__)+#include <arm_neon.h>+#elif defined(__SSE2__)+    #if !defined(__GNUC__) || __clang__ || __GNUC__ >= 5 || (__GNUC__==4 && __GNUC_MINOR__ >= 4)+        #include <immintrin.h>+    #else+        #include <emmintrin.h>+    #endif+#endif++#if (ARCH_WORD_BITS == 64)+    typedef uint64_t word_t, mask_t;+    typedef __uint128_t dword_t;+    typedef int32_t hsword_t;+    typedef int64_t sword_t;+    typedef __int128_t dsword_t;+#elif (ARCH_WORD_BITS == 32)+    typedef uint32_t word_t, mask_t;+    typedef uint64_t dword_t;+    typedef int16_t hsword_t;+    typedef int32_t sword_t;+    typedef int64_t dsword_t;+#else+    #error "For now, libdecaf only supports 32- and 64-bit architectures."+#endif+    +/* Scalar limbs are keyed off of the API word size instead of the arch word size. */+#if CRYPTONITE_DECAF_WORD_BITS == 64+    #define SC_LIMB(x) (x##ull)+#elif CRYPTONITE_DECAF_WORD_BITS == 32+    #define SC_LIMB(x) ((uint32_t)x##ull),(x##ull>>32)+#else+    #error "For now, libdecaf only supports 32- and 64-bit architectures."+#endif++#ifdef __ARM_NEON__+    typedef uint32x4_t vecmask_t;+#elif __clang__+    typedef uint64_t uint64x2_t __attribute__((ext_vector_type(2)));+    typedef int64_t  int64x2_t __attribute__((ext_vector_type(2)));+    typedef uint64_t uint64x4_t __attribute__((ext_vector_type(4)));+    typedef int64_t  int64x4_t __attribute__((ext_vector_type(4)));+    typedef uint32_t uint32x4_t __attribute__((ext_vector_type(4)));+    typedef int32_t  int32x4_t __attribute__((ext_vector_type(4)));+    typedef uint32_t uint32x2_t __attribute__((ext_vector_type(2)));+    typedef int32_t  int32x2_t __attribute__((ext_vector_type(2)));+    typedef uint32_t uint32x8_t __attribute__((ext_vector_type(8)));+    typedef int32_t  int32x8_t __attribute__((ext_vector_type(8)));+    typedef word_t vecmask_t __attribute__((ext_vector_type(4)));+#else /* GCC, hopefully? */+    typedef uint64_t uint64x2_t __attribute__((vector_size(16)));+    typedef int64_t  int64x2_t __attribute__((vector_size(16)));+    typedef uint64_t uint64x4_t __attribute__((vector_size(32)));+    typedef int64_t  int64x4_t __attribute__((vector_size(32)));+    typedef uint32_t uint32x4_t __attribute__((vector_size(16)));+    typedef int32_t  int32x4_t __attribute__((vector_size(16)));+    typedef uint32_t uint32x2_t __attribute__((vector_size(8)));+    typedef int32_t  int32x2_t __attribute__((vector_size(8)));+    typedef uint32_t uint32x8_t __attribute__((vector_size(32)));+    typedef int32_t  int32x8_t __attribute__((vector_size(32)));+    typedef word_t vecmask_t __attribute__((vector_size(32)));+#endif++#if __AVX2__+    #define VECTOR_ALIGNED __attribute__((aligned(32)))+    typedef uint32x8_t big_register_t;+    typedef uint64x4_t uint64xn_t;+    typedef uint32x8_t uint32xn_t;++    static CRYPTONITE_DECAF_INLINE big_register_t+    br_set_to_mask(mask_t x) {+        uint32_t y = (uint32_t)x;+        big_register_t ret = {y,y,y,y,y,y,y,y};+        return ret;+    }+#elif __SSE2__+    #define VECTOR_ALIGNED __attribute__((aligned(16)))+    typedef uint32x4_t big_register_t;+    typedef uint64x2_t uint64xn_t;+    typedef uint32x4_t uint32xn_t;++    static CRYPTONITE_DECAF_INLINE big_register_t+    br_set_to_mask(mask_t x) {+        uint32_t y = x;+        big_register_t ret = {y,y,y,y};+        return ret;+    }+#elif __ARM_NEON__+    #define VECTOR_ALIGNED __attribute__((aligned(16)))+    typedef uint32x4_t big_register_t;+    typedef uint64x2_t uint64xn_t;+    typedef uint32x4_t uint32xn_t;+    +    static CRYPTONITE_DECAF_INLINE big_register_t+    br_set_to_mask(mask_t x) {+        return vdupq_n_u32(x);+    }+#elif _WIN64 || __amd64__ || __X86_64__ || __aarch64__+    #define VECTOR_ALIGNED __attribute__((aligned(8)))+    typedef uint64_t big_register_t, uint64xn_t;++    typedef uint32_t uint32xn_t;+    static CRYPTONITE_DECAF_INLINE big_register_t+    br_set_to_mask(mask_t x) {+        return (big_register_t)x;+    }+#else+    #define VECTOR_ALIGNED __attribute__((aligned(4)))+    typedef uint64_t uint64xn_t;+    typedef uint32_t uint32xn_t;+    typedef uint32_t big_register_t;++    static CRYPTONITE_DECAF_INLINE big_register_t+    br_set_to_mask(mask_t x) {+        return (big_register_t)x;+    }+#endif++typedef struct {+    uint64xn_t unaligned;+} __attribute__((packed)) unaligned_uint64xn_t;++typedef struct {+    uint32xn_t unaligned;+} __attribute__((packed)) unaligned_uint32xn_t;++#if __AVX2__+    static CRYPTONITE_DECAF_INLINE big_register_t+    br_is_zero(big_register_t x) {+        return (big_register_t)(x == br_set_to_mask(0));+    }+#elif __SSE2__+    static CRYPTONITE_DECAF_INLINE big_register_t+    br_is_zero(big_register_t x) {+        return (big_register_t)_mm_cmpeq_epi32((__m128i)x, _mm_setzero_si128());+        //return (big_register_t)(x == br_set_to_mask(0));+    }+#elif __ARM_NEON__+    static CRYPTONITE_DECAF_INLINE big_register_t+    br_is_zero(big_register_t x) {+        return vceqq_u32(x,x^x);+    }+#else+    #define br_is_zero word_is_zero+#endif++/**+ * Really call memset, in a way that prevents the compiler from optimizing it out.+ * @param p The object to zeroize.+ * @param c The char to set it to (probably zero).+ * @param s The size of the object.+ */+#if defined(__DARWIN_C_LEVEL) || defined(__STDC_LIB_EXT1__)+#define HAS_MEMSET_S+#endif++#if !defined(__STDC_WANT_LIB_EXT1__) || __STDC_WANT_LIB_EXT1__ != 1+#define NEED_MEMSET_S_EXTERN+#endif++#ifdef HAS_MEMSET_S+    #ifdef NEED_MEMSET_S_EXTERN+        extern int memset_s(void *, size_t, int, size_t);+    #endif+    static CRYPTONITE_DECAF_INLINE void+    really_memset(void *p, char c, size_t s) {+        memset_s(p, s, c, s);+    }+#else+    /* PERF: use words? */+    static CRYPTONITE_DECAF_INLINE void+    really_memset(void *p, char c, size_t s) {+        volatile char *pv = (volatile char *)p;+        size_t i;+        for (i=0; i<s; i++) pv[i] = c;+    }+#endif++/**+ * Allocate memory which is sufficiently aligned to be used for the+ * largest vector on the system (for now that's a big_register_t).+ *+ * Man malloc says that it does this, but at least for AVX2 on MacOS X,+ * it's lying.+ *+ * @param size The size of the region to allocate.+ * @return A suitable pointer, which can be free'd with free(),+ * or NULL if no memory can be allocated.+ */+static CRYPTONITE_DECAF_INLINE void *+malloc_vector(size_t size) {+    void *out = NULL;+    +    int ret = posix_memalign(&out, sizeof(big_register_t), size);+    +    if (ret) {+        return NULL;+    } else {+        return out;+    }+}++/* PERF: vectorize vs unroll */+#ifdef __clang__+#if 100*__clang_major__ + __clang_minor__ > 305+#define UNROLL _Pragma("clang loop unroll(full)")+#endif+#endif++#ifndef UNROLL+#define UNROLL+#endif++/* The plan on booleans:+ *+ * The external interface uses cryptonite_decaf_bool_t, but this might be a different+ * size than our particular arch's word_t (and thus mask_t).  Also, the caller+ * isn't guaranteed to pass it as nonzero.  So bool_to_mask converts word sizes+ * and checks nonzero.+ *+ * On the flip side, mask_t is always -1 or 0, but it might be a different size+ * than cryptonite_decaf_bool_t.+ *+ * On the third hand, we have success vs boolean types, but that's handled in+ * common.h: it converts between cryptonite_decaf_bool_t and cryptonite_decaf_error_t.+ */+static CRYPTONITE_DECAF_INLINE cryptonite_decaf_bool_t mask_to_bool (mask_t m) {+    return (cryptonite_decaf_sword_t)(sword_t)m;+}++static CRYPTONITE_DECAF_INLINE mask_t bool_to_mask (cryptonite_decaf_bool_t m) {+    /* On most arches this will be optimized to a simple cast. */+    mask_t ret = 0;+    unsigned int limit = sizeof(cryptonite_decaf_bool_t)/sizeof(mask_t);+    if (limit < 1) limit = 1;+    for (unsigned int i=0; i<limit; i++) {+        ret |= ~ word_is_zero(m >> (i*8*sizeof(word_t)));+    }+    return ret;+}++static CRYPTONITE_DECAF_INLINE void ignore_result ( cryptonite_decaf_bool_t boo ) {+    (void)boo;+}++#endif /* __WORD_H__ */
+ cbits/decaf/p448/arch_32/f_impl.c view
@@ -0,0 +1,101 @@+/* Copyright (c) 2014 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#include "f_field.h"++#if (defined(__OPTIMIZE__) && !defined(__OPTIMIZE_SIZE__) && !I_HATE_UNROLLED_LOOPS) \+     || defined(CRYPTONITE_DECAF_FORCE_UNROLL)+#define REPEAT8(_x) _x _x _x _x _x _x _x _x+#define FOR_LIMB(_i,_start,_end,_x) do { _i=_start; REPEAT8( if (_i<_end) { _x; } _i++;) } while (0)+#else+#define FOR_LIMB(_i,_start,_end,_x) do { for (_i=_start; _i<_end; _i++) _x; } while (0)+#endif++void cryptonite_gf_mul (cryptonite_gf_s *__restrict__ cs, const gf as, const gf bs) { +    const uint32_t *a = as->limb, *b = bs->limb;+    uint32_t *c = cs->limb;++    uint64_t accum0 = 0, accum1 = 0, accum2 = 0;+    uint32_t mask = (1<<28) - 1;  ++    uint32_t aa[8], bb[8];+    +    int i,j;+    for (i=0; i<8; i++) {+        aa[i] = a[i] + a[i+8];+        bb[i] = b[i] + b[i+8];+    }+    +    FOR_LIMB(j,0,8,{+        accum2 = 0;+    +        FOR_LIMB (i,0,j+1,{+            accum2 += widemul(a[j-i],b[i]);+            accum1 += widemul(aa[j-i],bb[i]);+            accum0 += widemul(a[8+j-i], b[8+i]);+        });+        +        accum1 -= accum2;+        accum0 += accum2;+        accum2 = 0;+    +        FOR_LIMB (i,j+1,8,{+            accum0 -= widemul(a[8+j-i], b[i]);+            accum2 += widemul(aa[8+j-i], bb[i]);+            accum1 += widemul(a[16+j-i], b[8+i]);+        });++        accum1 += accum2;+        accum0 += accum2;++        c[j] = ((uint32_t)(accum0)) & mask;+        c[j+8] = ((uint32_t)(accum1)) & mask;++        accum0 >>= 28;+        accum1 >>= 28;+    });+    +    accum0 += accum1;+    accum0 += c[8];+    accum1 += c[0];+    c[8] = ((uint32_t)(accum0)) & mask;+    c[0] = ((uint32_t)(accum1)) & mask;+    +    accum0 >>= 28;+    accum1 >>= 28;+    c[9] += ((uint32_t)(accum0));+    c[1] += ((uint32_t)(accum1));+}++void cryptonite_gf_mulw_unsigned (cryptonite_gf_s *__restrict__ cs, const gf as, uint32_t b) {+    assert(b<1<<28);+    +    const uint32_t *a = as->limb;+    uint32_t *c = cs->limb;++    uint64_t accum0 = 0, accum8 = 0;+    uint32_t mask = (1ull<<28)-1;  ++    int i;+    FOR_LIMB(i,0,8,{+        accum0 += widemul(b, a[i]);+        accum8 += widemul(b, a[i+8]);++        c[i] = accum0 & mask; accum0 >>= 28;+        c[i+8] = accum8 & mask; accum8 >>= 28;+    });++    accum0 += accum8 + c[8];+    c[8] = accum0 & mask;+    c[9] += accum0 >> 28;++    accum8 += c[0];+    c[0] = accum8 & mask;+    c[1] += accum8 >> 28;+}++void cryptonite_gf_sqr (cryptonite_gf_s *__restrict__ cs, const gf as) {+    cryptonite_gf_mul(cs,as,as); /* Performs better with a dedicated square */+}+
+ cbits/decaf/p448/arch_32/f_impl.h view
@@ -0,0 +1,40 @@+/* Copyright (c) 2014-2016 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#define GF_HEADROOM 2+#define LIMB(x) (x##ull)&((1ull<<28)-1), (x##ull)>>28+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) \+    {{LIMB(a),LIMB(b),LIMB(c),LIMB(d),LIMB(e),LIMB(f),LIMB(g),LIMB(h)}}+    +#define LIMB_PLACE_VALUE(i) 28++void cryptonite_gf_add_RAW (gf out, const gf a, const gf b) {+    for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {+        out->limb[i] = a->limb[i] + b->limb[i];+    }+}++void cryptonite_gf_sub_RAW (gf out, const gf a, const gf b) {+    for (unsigned int i=0; i<sizeof(*out)/sizeof(out->limb[0]); i++) {+        out->limb[i] = a->limb[i] - b->limb[i];+    }+}++void cryptonite_gf_bias (gf a, int amt) {    +    uint32_t co1 = ((1ull<<28)-1)*amt, co2 = co1-amt;+    for (unsigned int i=0; i<sizeof(*a)/sizeof(a->limb[0]); i++) {+        a->limb[i] += (i==sizeof(*a)/sizeof(a->limb[0])/2) ? co2 : co1;+    }+}++void cryptonite_gf_weak_reduce (gf a) {+    uint32_t mask = (1ull<<28) - 1;+    uint32_t tmp = a->limb[15] >> 28;+    a->limb[8] += tmp;+    for (unsigned int i=15; i>0; i--) {+        a->limb[i] = (a->limb[i] & mask) + (a->limb[i-1]>>28);+    }+    a->limb[0] = (a->limb[0] & mask) + tmp;+}+
+ cbits/decaf/p448/arch_ref64/f_impl.c view
@@ -0,0 +1,302 @@+/* Copyright (c) 2014 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#include "f_field.h"++void cryptonite_gf_mul (cryptonite_gf_s *__restrict__ cs, const gf as, const gf bs) {+    const uint64_t *a = as->limb, *b = bs->limb;+    uint64_t *c = cs->limb;++    __uint128_t accum0 = 0, accum1 = 0, accum2;+    uint64_t mask = (1ull<<56) - 1;  ++    uint64_t aa[4], bb[4], bbb[4];++    unsigned int i;+    for (i=0; i<4; i++) {+        aa[i]  = a[i] + a[i+4];+        bb[i]  = b[i] + b[i+4];+        bbb[i] = bb[i] + b[i+4];+    }++    int I_HATE_UNROLLED_LOOPS = 0;++    if (I_HATE_UNROLLED_LOOPS) {+        /* The compiler probably won't unroll this,+         * so it's like 80% slower.+         */+        for (i=0; i<4; i++) {+            accum2 = 0;++            unsigned int j;+            for (j=0; j<=i; j++) {+                accum2 += widemul(a[j],   b[i-j]);+                accum1 += widemul(aa[j], bb[i-j]);+                accum0 += widemul(a[j+4], b[i-j+4]);+            }+            for (; j<4; j++) {+                accum2 += widemul(a[j],   b[i-j+8]);+                accum1 += widemul(aa[j], bbb[i-j+4]);+                accum0 += widemul(a[j+4], bb[i-j+4]);+            }++            accum1 -= accum2;+            accum0 += accum2;++            c[i]   = ((uint64_t)(accum0)) & mask;+            c[i+4] = ((uint64_t)(accum1)) & mask;++            accum0 >>= 56;+            accum1 >>= 56;+        }+    } else {+        accum2  = widemul(a[0],  b[0]);+        accum1 += widemul(aa[0], bb[0]);+        accum0 += widemul(a[4],  b[4]);++        accum2 += widemul(a[1],  b[7]);+        accum1 += widemul(aa[1], bbb[3]);+        accum0 += widemul(a[5],  bb[3]);++        accum2 += widemul(a[2],  b[6]);+        accum1 += widemul(aa[2], bbb[2]);+        accum0 += widemul(a[6],  bb[2]);++        accum2 += widemul(a[3],  b[5]);+        accum1 += widemul(aa[3], bbb[1]);+        accum0 += widemul(a[7],  bb[1]);++        accum1 -= accum2;+        accum0 += accum2;++        c[0] = ((uint64_t)(accum0)) & mask;+        c[4] = ((uint64_t)(accum1)) & mask;++        accum0 >>= 56;+        accum1 >>= 56;++        accum2  = widemul(a[0],  b[1]);+        accum1 += widemul(aa[0], bb[1]);+        accum0 += widemul(a[4],  b[5]);++        accum2 += widemul(a[1],  b[0]);+        accum1 += widemul(aa[1], bb[0]);+        accum0 += widemul(a[5],  b[4]);++        accum2 += widemul(a[2],  b[7]);+        accum1 += widemul(aa[2], bbb[3]);+        accum0 += widemul(a[6],  bb[3]);++        accum2 += widemul(a[3],  b[6]);+        accum1 += widemul(aa[3], bbb[2]);+        accum0 += widemul(a[7],  bb[2]);++        accum1 -= accum2;+        accum0 += accum2;++        c[1] = ((uint64_t)(accum0)) & mask;+        c[5] = ((uint64_t)(accum1)) & mask;++        accum0 >>= 56;+        accum1 >>= 56;++        accum2  = widemul(a[0],  b[2]);+        accum1 += widemul(aa[0], bb[2]);+        accum0 += widemul(a[4],  b[6]);++        accum2 += widemul(a[1],  b[1]);+        accum1 += widemul(aa[1], bb[1]);+        accum0 += widemul(a[5],  b[5]);++        accum2 += widemul(a[2],  b[0]);+        accum1 += widemul(aa[2], bb[0]);+        accum0 += widemul(a[6],  b[4]);++        accum2 += widemul(a[3],  b[7]);+        accum1 += widemul(aa[3], bbb[3]);+        accum0 += widemul(a[7],  bb[3]);++        accum1 -= accum2;+        accum0 += accum2;++        c[2] = ((uint64_t)(accum0)) & mask;+        c[6] = ((uint64_t)(accum1)) & mask;++        accum0 >>= 56;+        accum1 >>= 56;++        accum2  = widemul(a[0],  b[3]);+        accum1 += widemul(aa[0], bb[3]);+        accum0 += widemul(a[4],  b[7]);++        accum2 += widemul(a[1],  b[2]);+        accum1 += widemul(aa[1], bb[2]);+        accum0 += widemul(a[5],  b[6]);++        accum2 += widemul(a[2],  b[1]);+        accum1 += widemul(aa[2], bb[1]);+        accum0 += widemul(a[6],  b[5]);++        accum2 += widemul(a[3],  b[0]);+        accum1 += widemul(aa[3], bb[0]);+        accum0 += widemul(a[7],  b[4]);++        accum1 -= accum2;+        accum0 += accum2;++        c[3] = ((uint64_t)(accum0)) & mask;+        c[7] = ((uint64_t)(accum1)) & mask;++        accum0 >>= 56;+        accum1 >>= 56;+    } /* !I_HATE_UNROLLED_LOOPS */++    accum0 += accum1;+    accum0 += c[4];+    accum1 += c[0];+    c[4] = ((uint64_t)(accum0)) & mask;+    c[0] = ((uint64_t)(accum1)) & mask;++    accum0 >>= 56;+    accum1 >>= 56;++    c[5] += ((uint64_t)(accum0));+    c[1] += ((uint64_t)(accum1));+}++void cryptonite_gf_mulw_unsigned (cryptonite_gf_s *__restrict__ cs, const gf as, uint32_t b) {+    const uint64_t *a = as->limb;+    uint64_t *c = cs->limb;++    __uint128_t accum0 = 0, accum4 = 0;+    uint64_t mask = (1ull<<56) - 1;  ++    int i;+    for (i=0; i<4; i++) {+        accum0 += widemul(b, a[i]);+        accum4 += widemul(b, a[i+4]);+        c[i]   = accum0 & mask; accum0 >>= 56;+        c[i+4] = accum4 & mask; accum4 >>= 56;+    }+    +    accum0 += accum4 + c[4];+    c[4] = accum0 & mask;+    c[5] += accum0 >> 56;++    accum4 += c[0];+    c[0] = accum4 & mask;+    c[1] += accum4 >> 56;+}++void cryptonite_gf_sqr (cryptonite_gf_s *__restrict__ cs, const gf as) {+    const uint64_t *a = as->limb;+    uint64_t *c = cs->limb;++    __uint128_t accum0 = 0, accum1 = 0, accum2;+    uint64_t mask = (1ull<<56) - 1;  ++    uint64_t aa[4];++    /* For some reason clang doesn't vectorize this without prompting? */+    unsigned int i;+    for (i=0; i<4; i++) {+        aa[i] = a[i] + a[i+4];+    }++    accum2  = widemul(a[0],a[3]);+    accum0  = widemul(aa[0],aa[3]);+    accum1  = widemul(a[4],a[7]);++    accum2 += widemul(a[1], a[2]);+    accum0 += widemul(aa[1], aa[2]);+    accum1 += widemul(a[5], a[6]);++    accum0 -= accum2;+    accum1 += accum2;++    c[3] = ((uint64_t)(accum1))<<1 & mask;+    c[7] = ((uint64_t)(accum0))<<1 & mask;++    accum0 >>= 55;+    accum1 >>= 55;++    accum0 += widemul(2*aa[1],aa[3]);+    accum1 += widemul(2*a[5], a[7]);+    accum0 += widemul(aa[2], aa[2]);+    accum1 += accum0;++    accum0 -= widemul(2*a[1], a[3]);+    accum1 += widemul(a[6], a[6]);+    +    accum2 = widemul(a[0],a[0]);+    accum1 -= accum2;+    accum0 += accum2;++    accum0 -= widemul(a[2], a[2]);+    accum1 += widemul(aa[0], aa[0]);+    accum0 += widemul(a[4], a[4]);++    c[0] = ((uint64_t)(accum0)) & mask;+    c[4] = ((uint64_t)(accum1)) & mask;++    accum0 >>= 56;+    accum1 >>= 56;++    accum2  = widemul(2*aa[2],aa[3]);+    accum0 -= widemul(2*a[2], a[3]);+    accum1 += widemul(2*a[6], a[7]);++    accum1 += accum2;+    accum0 += accum2;++    accum2  = widemul(2*a[0],a[1]);+    accum1 += widemul(2*aa[0], aa[1]);+    accum0 += widemul(2*a[4], a[5]);++    accum1 -= accum2;+    accum0 += accum2;++    c[1] = ((uint64_t)(accum0)) & mask;+    c[5] = ((uint64_t)(accum1)) & mask;++    accum0 >>= 56;+    accum1 >>= 56;++    accum2  = widemul(aa[3],aa[3]);+    accum0 -= widemul(a[3], a[3]);+    accum1 += widemul(a[7], a[7]);++    accum1 += accum2;+    accum0 += accum2;++    accum2  = widemul(2*a[0],a[2]);+    accum1 += widemul(2*aa[0], aa[2]);+    accum0 += widemul(2*a[4], a[6]);++    accum2 += widemul(a[1], a[1]);+    accum1 += widemul(aa[1], aa[1]);+    accum0 += widemul(a[5], a[5]);++    accum1 -= accum2;+    accum0 += accum2;++    c[2] = ((uint64_t)(accum0)) & mask;+    c[6] = ((uint64_t)(accum1)) & mask;++    accum0 >>= 56;+    accum1 >>= 56;++    accum0 += c[3];+    accum1 += c[7];+    c[3] = ((uint64_t)(accum0)) & mask;+    c[7] = ((uint64_t)(accum1)) & mask;++    /* we could almost stop here, but it wouldn't be stable, so... */++    accum0 >>= 56;+    accum1 >>= 56;+    c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));+    c[0] += ((uint64_t)(accum1));+}+
+ cbits/decaf/p448/arch_ref64/f_impl.h view
@@ -0,0 +1,38 @@+/* Copyright (c) 2014-2016 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++#define GF_HEADROOM 9999 /* Everything is reduced anyway */+#define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{a,b,c,d,e,f,g,h}}+    +#define LIMB_PLACE_VALUE(i) 56++void cryptonite_gf_add_RAW (gf out, const gf a, const gf b) {+    for (unsigned int i=0; i<8; i++) {+        out->limb[i] = a->limb[i] + b->limb[i];+    }+    cryptonite_gf_weak_reduce(out);+}++void cryptonite_gf_sub_RAW (gf out, const gf a, const gf b) {+    uint64_t co1 = ((1ull<<56)-1)*2, co2 = co1-2;+    for (unsigned int i=0; i<8; i++) {+        out->limb[i] = a->limb[i] - b->limb[i] + ((i==4) ? co2 : co1);+    }+    cryptonite_gf_weak_reduce(out);+}++void cryptonite_gf_bias (gf a, int amt) {+    (void) a;+    (void) amt;+}++void cryptonite_gf_weak_reduce (gf a) {+    uint64_t mask = (1ull<<56) - 1;+    uint64_t tmp = a->limb[7] >> 56;+    a->limb[4] += tmp;+    for (unsigned int i=7; i>0; i--) {+        a->limb[i] = (a->limb[i] & mask) + (a->limb[i-1]>>56);+    }+    a->limb[0] = (a->limb[0] & mask) + tmp;+}
+ cbits/decaf/p448/f_arithmetic.c view
@@ -0,0 +1,46 @@+/**+ * @cond internal+ * @file f_arithmetic.c+ * @copyright+ *   Copyright (c) 2014 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ * @author Mike Hamburg+ * @brief Field-specific arithmetic.+ */++#include "field.h"++mask_t cryptonite_gf_isr (+    gf a,+    const gf x+) {+    gf L0, L1, L2;+    cryptonite_gf_sqr  (L1,     x );+    cryptonite_gf_mul  (L2,     x,   L1 );+    cryptonite_gf_sqr  (L1,   L2 );+    cryptonite_gf_mul  (L2,     x,   L1 );+    cryptonite_gf_sqrn (L1,   L2,     3 );+    cryptonite_gf_mul  (L0,   L2,   L1 );+    cryptonite_gf_sqrn (L1,   L0,     3 );+    cryptonite_gf_mul  (L0,   L2,   L1 );+    cryptonite_gf_sqrn (L2,   L0,     9 );+    cryptonite_gf_mul  (L1,   L0,   L2 );+    cryptonite_gf_sqr  (L0,   L1 );+    cryptonite_gf_mul  (L2,     x,   L0 );+    cryptonite_gf_sqrn (L0,   L2,    18 );+    cryptonite_gf_mul  (L2,   L1,   L0 );+    cryptonite_gf_sqrn (L0,   L2,    37 );+    cryptonite_gf_mul  (L1,   L2,   L0 );+    cryptonite_gf_sqrn (L0,   L1,    37 );+    cryptonite_gf_mul  (L1,   L2,   L0 );+    cryptonite_gf_sqrn (L0,   L1,   111 );+    cryptonite_gf_mul  (L2,   L1,   L0 );+    cryptonite_gf_sqr  (L0,   L2 );+    cryptonite_gf_mul  (L1,     x,   L0 );+    cryptonite_gf_sqrn (L0,   L1,   223 );+    cryptonite_gf_mul  (L1,   L2,   L0 );+    cryptonite_gf_sqr  (L2, L1);+    cryptonite_gf_mul  (L0, L2, x);+    cryptonite_gf_copy(a,L1);+    return cryptonite_gf_eq(L0,ONE);+}
+ cbits/decaf/p448/f_field.h view
@@ -0,0 +1,108 @@+/**+ * @file p448/f_field.h+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief Field-specific code for 2^448 - 2^224 - 1.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */++#ifndef __P448_F_FIELD_H__+#define __P448_F_FIELD_H__ 1++#include "constant_time.h"+#include <string.h>+#include <assert.h>++#include "word.h"++#define __CRYPTONITE_DECAF_448_GF_DEFINED__ 1+#define NLIMBS (64/sizeof(word_t))+#define X_SER_BYTES 56+#define SER_BYTES 56+typedef struct cryptonite_gf_448_s {+    word_t limb[NLIMBS];+} __attribute__((aligned(16))) cryptonite_gf_448_s, cryptonite_gf_448_t[1];++#define GF_LIT_LIMB_BITS  56+#define GF_BITS           448+#define ZERO              cryptonite_gf_448_ZERO+#define ONE               cryptonite_gf_448_ONE+#define MODULUS           cryptonite_gf_448_MODULUS+#define gf                cryptonite_gf_448_t+#define cryptonite_gf_s              cryptonite_gf_448_s+#define cryptonite_gf_eq             cryptonite_gf_448_eq+#define cryptonite_gf_hibit          cryptonite_gf_448_hibit+#define cryptonite_gf_copy           cryptonite_gf_448_copy+#define cryptonite_gf_add            cryptonite_gf_448_add+#define cryptonite_gf_sub            cryptonite_gf_448_sub+#define cryptonite_gf_add_RAW        cryptonite_gf_448_add_RAW+#define cryptonite_gf_sub_RAW        cryptonite_gf_448_sub_RAW+#define cryptonite_gf_bias           cryptonite_gf_448_bias+#define cryptonite_gf_weak_reduce    cryptonite_gf_448_weak_reduce+#define cryptonite_gf_strong_reduce  cryptonite_gf_448_strong_reduce+#define cryptonite_gf_mul            cryptonite_gf_448_mul+#define cryptonite_gf_sqr            cryptonite_gf_448_sqr+#define cryptonite_gf_mulw_unsigned  cryptonite_gf_448_mulw_unsigned+#define cryptonite_gf_isr            cryptonite_gf_448_isr+#define cryptonite_gf_serialize      cryptonite_gf_448_serialize+#define cryptonite_gf_deserialize    cryptonite_gf_448_deserialize++/* RFC 7748 support */+#define X_PUBLIC_BYTES  X_SER_BYTES+#define X_PRIVATE_BYTES X_PUBLIC_BYTES+#define X_PRIVATE_BITS  448++#define SQRT_MINUS_ONE    P448_SQRT_MINUS_ONE /* might not be defined */++#define INLINE_UNUSED __inline__ __attribute__((unused,always_inline))++#ifdef __cplusplus+extern "C" {+#endif++/* Defined below in f_impl.h */+static INLINE_UNUSED void cryptonite_gf_copy (gf out, const gf a) { *out = *a; }+static INLINE_UNUSED void cryptonite_gf_add_RAW (gf out, const gf a, const gf b);+static INLINE_UNUSED void cryptonite_gf_sub_RAW (gf out, const gf a, const gf b);+static INLINE_UNUSED void cryptonite_gf_bias (gf inout, int amount);+static INLINE_UNUSED void cryptonite_gf_weak_reduce (gf inout);++void cryptonite_gf_strong_reduce (gf inout);   +void cryptonite_gf_add (gf out, const gf a, const gf b);+void cryptonite_gf_sub (gf out, const gf a, const gf b);+void cryptonite_gf_mul (cryptonite_gf_s *__restrict__ out, const gf a, const gf b);+void cryptonite_gf_mulw_unsigned (cryptonite_gf_s *__restrict__ out, const gf a, uint32_t b);+void cryptonite_gf_sqr (cryptonite_gf_s *__restrict__ out, const gf a);+mask_t cryptonite_gf_isr(gf a, const gf x); /** a^2 x = 1, QNR, or 0 if x=0.  Return true if successful */+mask_t cryptonite_gf_eq (const gf x, const gf y);+mask_t cryptonite_gf_hibit (const gf x);++void cryptonite_gf_serialize (uint8_t *serial, const gf x,int with_highbit);+mask_t cryptonite_gf_deserialize (gf x, const uint8_t serial[SER_BYTES],int with_highbit);+++#ifdef __cplusplus+} /* extern "C" */+#endif++#include "f_impl.h" /* Bring in the inline implementations */++#define P_MOD_8 7+#if P_MOD_8 == 5+    extern const gf SQRT_MINUS_ONE;+#endif++#ifndef LIMBPERM+  #define LIMBPERM(i) (i)+#endif+#define LIMB_MASK(i) (((1ull)<<LIMB_PLACE_VALUE(i))-1)++static const gf ZERO = {{{0}}}, ONE = {{{ [LIMBPERM(0)] = 1 }}};++#endif /* __P448_F_FIELD_H__ */
+ cbits/decaf/p448/f_generic.c view
@@ -0,0 +1,133 @@+/**+ * @file p448/f_generic.c+ * @author Mike Hamburg+ *+ * @copyright+ *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n+ *   Released under the MIT License.  See LICENSE.txt for license information.+ *+ * @brief Generic arithmetic which has to be compiled per field.+ *+ * @warning This file was automatically generated in Python.+ * Please do not edit it.+ */+#include "field.h"++static const gf MODULUS = {FIELD_LITERAL(+    0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff, 0xfffffffffffffe, 0xffffffffffffff, 0xffffffffffffff, 0xffffffffffffff+)};+    +#if P_MOD_8 == 5+    const gf SQRT_MINUS_ONE = {FIELD_LITERAL(+        /* NOPE */+    )};+#endif++/** Serialize to wire format. */+void cryptonite_gf_serialize (uint8_t serial[SER_BYTES], const gf x, int with_hibit) {+    gf red;+    cryptonite_gf_copy(red, x);+    cryptonite_gf_strong_reduce(red);+    if (!with_hibit) { assert(cryptonite_gf_hibit(red) == 0); }+    +    unsigned int j=0, fill=0;+    dword_t buffer = 0;+    UNROLL for (unsigned int i=0; i<(with_hibit ? X_SER_BYTES : SER_BYTES); i++) {+        if (fill < 8 && j < NLIMBS) {+            buffer |= ((dword_t)red->limb[LIMBPERM(j)]) << fill;+            fill += LIMB_PLACE_VALUE(LIMBPERM(j));+            j++;+        }+        serial[i] = buffer;+        fill -= 8;+        buffer >>= 8;+    }+}++/** Return high bit of x = low bit of 2x mod p */+mask_t cryptonite_gf_hibit(const gf x) {+    gf y;+    cryptonite_gf_add(y,x,x);+    cryptonite_gf_strong_reduce(y);+    return -(y->limb[0]&1);+}++/** Deserialize from wire format; return -1 on success and 0 on failure. */+mask_t cryptonite_gf_deserialize (gf x, const uint8_t serial[SER_BYTES], int with_hibit) {+    unsigned int j=0, fill=0;+    dword_t buffer = 0;+    dsword_t scarry = 0;+    UNROLL for (unsigned int i=0; i<NLIMBS; i++) {+        UNROLL while (fill < LIMB_PLACE_VALUE(LIMBPERM(i)) && j < (with_hibit ? X_SER_BYTES : SER_BYTES)) {+            buffer |= ((dword_t)serial[j]) << fill;+            fill += 8;+            j++;+        }+        x->limb[LIMBPERM(i)] = (i<NLIMBS-1) ? buffer & LIMB_MASK(LIMBPERM(i)) : buffer;+        fill -= LIMB_PLACE_VALUE(LIMBPERM(i));+        buffer >>= LIMB_PLACE_VALUE(LIMBPERM(i));+        scarry = (scarry + x->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)]) >> (8*sizeof(word_t));+    }+    mask_t succ = with_hibit ? -(mask_t)1 : ~cryptonite_gf_hibit(x);+    return succ & word_is_zero(buffer) & ~word_is_zero(scarry);+}++/** Reduce to canonical form. */+void cryptonite_gf_strong_reduce (gf a) {+    /* first, clear high */+    cryptonite_gf_weak_reduce(a); /* Determined to have negligible perf impact. */++    /* now the total is less than 2p */++    /* compute total_value - p.  No need to reduce mod p. */+    dsword_t scarry = 0;+    for (unsigned int i=0; i<NLIMBS; i++) {+        scarry = scarry + a->limb[LIMBPERM(i)] - MODULUS->limb[LIMBPERM(i)];+        a->limb[LIMBPERM(i)] = scarry & LIMB_MASK(LIMBPERM(i));+        scarry >>= LIMB_PLACE_VALUE(LIMBPERM(i));+    }++    /* uncommon case: it was >= p, so now scarry = 0 and this = x+     * common case: it was < p, so now scarry = -1 and this = x - p + 2^255+     * so let's add back in p.  will carry back off the top for 2^255.+     */+    assert(word_is_zero(scarry) | word_is_zero(scarry+1));++    word_t scarry_0 = scarry;+    dword_t carry = 0;++    /* add it back */+    for (unsigned int i=0; i<NLIMBS; i++) {+        carry = carry + a->limb[LIMBPERM(i)] + (scarry_0 & MODULUS->limb[LIMBPERM(i)]);+        a->limb[LIMBPERM(i)] = carry & LIMB_MASK(LIMBPERM(i));+        carry >>= LIMB_PLACE_VALUE(LIMBPERM(i));+    }++    assert(word_is_zero(carry + scarry_0));+}++/** Subtract two gf elements d=a-b */+void cryptonite_gf_sub (gf d, const gf a, const gf b) {+    cryptonite_gf_sub_RAW ( d, a, b );+    cryptonite_gf_bias( d, 2 );+    cryptonite_gf_weak_reduce ( d );+}++/** Add two field elements d = a+b */+void cryptonite_gf_add (gf d, const gf a, const gf b) {+    cryptonite_gf_add_RAW ( d, a, b );+    cryptonite_gf_weak_reduce ( d );+}++/** Compare a==b */+mask_t cryptonite_gf_eq(const gf a, const gf b) {+    gf c;+    cryptonite_gf_sub(c,a,b);+    cryptonite_gf_strong_reduce(c);+    mask_t ret=0;+    for (unsigned int i=0; i<NLIMBS; i++) {+        ret |= c->limb[LIMBPERM(i)];+    }++    return word_is_zero(ret);+}
+ cbits/decaf/utils.c view
@@ -0,0 +1,43 @@+/* Copyright (c) 2015 Cryptography Research, Inc.+ * Released under the MIT License.  See LICENSE.txt for license information.+ */++/**+ * @file utils.c+ * @author Mike Hamburg+ * @brief Decaf utility functions.+ */++#include <decaf/common.h>++void cryptonite_decaf_bzero (+    void *s,+    size_t size+) {+#ifdef __STDC_LIB_EXT1__+    memset_s(s, size, 0, size);+#else+    const size_t sw = sizeof(cryptonite_decaf_word_t);+    volatile uint8_t *destroy = (volatile uint8_t *)s;+    for (; size && ((uintptr_t)destroy)%sw; size--, destroy++)+        *destroy = 0;+    for (; size >= sw; size -= sw, destroy += sw)+        *(volatile cryptonite_decaf_word_t *)destroy = 0;+    for (; size; size--, destroy++)+        *destroy = 0;+#endif+}++cryptonite_decaf_bool_t cryptonite_decaf_memeq (+   const void *data1_,+   const void *data2_,+   size_t size+) {+    const unsigned char *data1 = (const unsigned char *)data1_;+    const unsigned char *data2 = (const unsigned char *)data2_;+    unsigned char ret = 0;+    for (; size; size--, data1++, data2++) {+        ret |= *data1 ^ *data2;+    }+    return (((cryptonite_decaf_dword_t)ret) - 1) >> 8;+}
+ cbits/ed25519/ed25519-cryptonite-exts.h view
@@ -0,0 +1,246 @@+/*+    Public domain by Olivier Chéron <olivier.cheron@gmail.com>++    Arithmetic extensions to Ed25519-donna+*/+++/*+    Scalar functions+*/++void+ED25519_FN(ed25519_scalar_encode) (unsigned char out[32], const bignum256modm in) {+    contract256_modm(out, in);+}++void+ED25519_FN(ed25519_scalar_decode_long) (bignum256modm out, const unsigned char *in, size_t len) {+    expand256_modm(out, in, len);+}++int+ED25519_FN(ed25519_scalar_eq) (const bignum256modm a, const bignum256modm b) {+    bignum256modm_element_t e = 0;++    for (int i = 0; i < bignum256modm_limb_size; i++) {+        e |= a[i] ^ b[i];+    }++    return (int) (1 & ((e - 1) >> bignum256modm_bits_per_limb));+}++void+ED25519_FN(ed25519_scalar_add) (bignum256modm r, const bignum256modm x, const bignum256modm y) {+    add256_modm(r, x, y);+}++void+ED25519_FN(ed25519_scalar_mul) (bignum256modm r, const bignum256modm x, const bignum256modm y) {+    mul256_modm(r, x, y);+}+++/*+    Point functions+*/++void+ED25519_FN(ed25519_point_encode) (unsigned char r[32], const ge25519 *p) {+    ge25519_pack(r, p);+}++int+ED25519_FN(ed25519_point_decode_vartime) (ge25519 *r, const unsigned char p[32]) {+    unsigned char p_neg[32];++    // invert parity bit of X coordinate so the point is negated twice+    // (once here, once in ge25519_unpack_negative_vartime)+    for (int i = 0; i < 31; i++) {+        p_neg[i] = p[i];+    }+    p_neg[31] = p[31] ^ 0x80;++    return ge25519_unpack_negative_vartime(r, p_neg);+}++int+ED25519_FN(ed25519_point_eq) (const ge25519 *p, const ge25519 *q) {+    bignum25519 a, b;+    unsigned char contract_a[32], contract_b[32];+    int eq;++    // pX * qZ = qX * pZ+    curve25519_mul(a, p->x, q->z);+    curve25519_contract(contract_a, a);+    curve25519_mul(b, q->x, p->z);+    curve25519_contract(contract_b, b);+    eq = ed25519_verify(contract_a, contract_b, 32);++    // pY * qZ = qY * pZ+    curve25519_mul(a, p->y, q->z);+    curve25519_contract(contract_a, a);+    curve25519_mul(b, q->y, p->z);+    curve25519_contract(contract_b, b);+    eq &= ed25519_verify(contract_a, contract_b, 32);++    return eq;+}++static int+ED25519_FN(ed25519_point_is_identity) (const ge25519 *p) {+    static const unsigned char zero[32] = {0};+    unsigned char check[32];+    bignum25519 d;+    int eq;++    // pX = 0+    curve25519_contract(check, p->x);+    eq = ed25519_verify(check, zero, 32);++    // pY - pZ = 0+    curve25519_sub_reduce(d, p->y, p->z);+    curve25519_contract(check, d);+    eq &= ed25519_verify(check, zero, 32);++    return eq;+}++void+ED25519_FN(ed25519_point_negate) (ge25519 *r, const ge25519 *p) {+    curve25519_neg(r->x, p->x);+    curve25519_copy(r->y, p->y);+    curve25519_copy(r->z, p->z);+    curve25519_neg(r->t, p->t);+}++void+ED25519_FN(ed25519_point_add) (ge25519 *r, const ge25519 *p, const ge25519 *q) {+    ge25519_add(r, p, q);+}++void+ED25519_FN(ed25519_point_double) (ge25519 *r, const ge25519 *p) {+    ge25519_double(r, p);+}++void+ED25519_FN(ed25519_point_mul_by_cofactor) (ge25519 *r, const ge25519 *p) {+    ge25519_double_partial(r, p);+    ge25519_double_partial(r, r);+    ge25519_double(r, r);+}++void+ED25519_FN(ed25519_point_base_scalarmul) (ge25519 *r, const bignum256modm s) {+    ge25519_scalarmult_base_niels(r, ge25519_niels_base_multiples, s);+}++#if defined(ED25519_64BIT)+typedef uint64_t ed25519_move_cond_word;+#else+typedef uint32_t ed25519_move_cond_word;+#endif++/* out = (flag) ? in : out */+DONNA_INLINE static void+ed25519_move_cond_pniels(ge25519_pniels *out, const ge25519_pniels *in, uint32_t flag) {+    const int word_count = sizeof(ge25519_pniels) / sizeof(ed25519_move_cond_word);+    const ed25519_move_cond_word nb = (ed25519_move_cond_word) flag - 1, b = ~nb;++    ed25519_move_cond_word *outw = (ed25519_move_cond_word *) out;+    const ed25519_move_cond_word *inw  = (const ed25519_move_cond_word *) in;++    // ge25519_pniels has 4 coordinates, so word_count is divisible by 4+    for (int i = 0; i < word_count; i += 4) {+        outw[i + 0] = (outw[i + 0] & nb) | (inw[i + 0] & b);+        outw[i + 1] = (outw[i + 1] & nb) | (inw[i + 1] & b);+        outw[i + 2] = (outw[i + 2] & nb) | (inw[i + 2] & b);+        outw[i + 3] = (outw[i + 3] & nb) | (inw[i + 3] & b);+    }+}++static void+ed25519_point_scalarmul_w_choose_pniels(ge25519_pniels *t, const ge25519_pniels table[15], uint32_t pos) {+    // initialize t to identity, i.e. (1, 1, 1, 0)+    memset(t, 0, sizeof(ge25519_pniels));+    t->ysubx[0] = 1;+    t->xaddy[0] = 1;+    t->z[0] = 1;++    // move one entry from table matching requested position,+    // scanning all table to avoid cache-timing attack+    //+    // when pos == 0, no entry matches and this returns+    // identity as expected+    for (uint32_t i = 1; i < 16; i++) {+        uint32_t flag = ((i ^ pos) - 1) >> 31;+        ed25519_move_cond_pniels(t, table + i - 1, flag);+    }+}++void+ED25519_FN(ed25519_point_scalarmul) (ge25519 *r, const ge25519 *p, const bignum256modm s) {+    ge25519_pniels mult[15];+    ge25519_pniels pn;+    ge25519_p1p1 t;+    unsigned char ss[32];++    // transform scalar as little-endian number+    contract256_modm(ss, s);++    // initialize r to identity, i.e. ge25519 (0, 1, 1, 0)+    memset(r, 0, sizeof(ge25519));+    r->y[0] = 1;+    r->z[0] = 1;++    // precompute multiples of P: 1.P, 2.P, ..., 15.P+    ge25519_full_to_pniels(&mult[0], p);+    for (int i = 1; i < 15; i++) {+        ge25519_pnielsadd(&mult[i], p, &mult[i-1]);+    }++    // 4-bit fixed window, still 256 doublings but 64 additions+    for (int i = 31; i >= 0; i--) {+        // higher bits in ss[i]+        ed25519_point_scalarmul_w_choose_pniels(&pn, mult, ss[i] >> 4);+        ge25519_pnielsadd_p1p1(&t, r, &pn, 0);+        ge25519_p1p1_to_partial(r, &t);++        ge25519_double_partial(r, r);+        ge25519_double_partial(r, r);+        ge25519_double_partial(r, r);+        ge25519_double(r, r);++        // lower bits in ss[i]+        ed25519_point_scalarmul_w_choose_pniels(&pn, mult, ss[i] & 0x0F);+        ge25519_pnielsadd_p1p1(&t, r, &pn, 0);+        if (i > 0) {+            ge25519_p1p1_to_partial(r, &t);++            ge25519_double_partial(r, r);+            ge25519_double_partial(r, r);+            ge25519_double_partial(r, r);+            ge25519_double(r, r);+        } else {+            ge25519_p1p1_to_full(r, &t);+        }+    }+}++void+ED25519_FN(ed25519_base_double_scalarmul_vartime) (ge25519 *r, const bignum256modm s1, const ge25519 *p2, const bignum256modm s2) {+    // computes [s1]basepoint + [s2]p2+    ge25519_double_scalarmult_vartime(r, p2, s2, s1);+}++int+ED25519_FN(ed25519_point_has_prime_order) (const ge25519 *p) {+    static const bignum256modm sc_zero = {0};+    ge25519 q;++    // computes Q = m.P, vartime allowed because m is not secret+    ED25519_FN(ed25519_base_double_scalarmul_vartime) (&q, sc_zero, p, modm_m);++    return ED25519_FN(ed25519_point_is_identity) (&q);+}
cbits/ed25519/ed25519-donna-impl-base.h view
@@ -287,7 +287,13 @@ 			ge25519_nielsadd2_p1p1(&t, r, &ge25519_niels_sliding_multiples[abs(slide2[i]) / 2], (unsigned char)slide2[i] >> 7); 		} -		ge25519_p1p1_to_partial(r, &t);+		// diverges from the original source code and resolves bug explained+		// in <https://github.com/floodyberry/ed25519-donna/issues/31>+		if (i == 0) {+			ge25519_p1p1_to_full(r, &t);+		} else {+			ge25519_p1p1_to_partial(r, &t);+		} 	} } 
cbits/ed25519/ed25519.c view
@@ -11,6 +11,7 @@ #include "ed25519.h" #include "ed25519-randombytes.h" #include "ed25519-hash.h"+#include "ed25519-cryptonite-exts.h"  /* 	Generates a (extsk[0..31]) and aExt (extsk[32..63])
− cbits/ed448/x448.c
@@ -1,311 +0,0 @@-/* Copyright (c) 2015 Cryptography Research, Inc.- * Released under the MIT License.  See LICENSE.txt for license information.- */--/**- * @file decaf.c- * @author Mike Hamburg- * @brief Decaf high-level functions.- */--#include <stdint.h>-#include "x448.h"--#ifdef ARCH_X86_64-#define WBITS 64-#else-#define WBITS 32-#endif--#define LBITS (WBITS * 7 / 8)-#define X448_LIMBS (448/LBITS)--#if WBITS == 64-typedef uint64_t decaf_word_t;-typedef int64_t decaf_sword_t;-typedef __uint128_t decaf_dword_t;-typedef __int128_t decaf_sdword_t;-#elif WBITS == 32-typedef uint32_t decaf_word_t;-typedef int32_t decaf_sword_t;-typedef uint64_t decaf_dword_t;-typedef int64_t decaf_sdword_t;-#else-#error "WBITS must be 32 or 64"-#endif--typedef struct { decaf_word_t limb[X448_LIMBS]; } gf_s, gf[1];--static const unsigned char X448_BASE_POINT[X448_BYTES] = {5};--static const gf ZERO = {{{0}}}, ONE = {{{1}}};--#define LMASK ((((decaf_word_t)1)<<LBITS)-1)-#if WBITS == 64-static const gf P = {{{ LMASK, LMASK, LMASK, LMASK, LMASK-1, LMASK, LMASK, LMASK }}};-#else-static const gf P = {{{ LMASK,   LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK,-		      LMASK-1, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK, LMASK }}};-#endif-static const int EDWARDS_D = -39081;--#if (defined(__OPTIMIZE__) && !defined(__OPTIMIZE_SIZE__)) || defined(DECAF_FORCE_UNROLL)-    #if X448_LIMBS==8-    #define FOR_LIMB_U(i,op) { unsigned int i=0; \-       op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; \-    }-    #elif X448_LIMBS==16-    #define FOR_LIMB_U(i,op) { unsigned int i=0; \-       op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; \-       op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; op;i++; \-    }-    #else-    #define FOR_LIMB_U(i,op) { unsigned int i=0; for (i=0; i<X448_LIMBS; i++)  { op; }}-    #endif-#else-#define FOR_LIMB_U(i,op) { unsigned int i=0; for (i=0; i<X448_LIMBS; i++)  { op; }}-#endif--#define FOR_LIMB(i,op) { unsigned int i=0; for (i=0; i<X448_LIMBS; i++)  { op; }}--/** Copy x = y */-static void gf_cpy(gf x, const gf y) {-    FOR_LIMB_U(i, x->limb[i] = y->limb[i]);-}--/** Mostly-unoptimized multiply (PERF), but at least it's unrolled. */-static void-gf_mul (gf c, const gf a, const gf b) {-    gf aa;-    gf_cpy(aa,a);--    decaf_dword_t accum[X448_LIMBS] = {0};-    FOR_LIMB_U(i, {-        FOR_LIMB_U(j,{ accum[(i+j)%X448_LIMBS] += (decaf_dword_t)b->limb[i] * aa->limb[j]; });-        aa->limb[(X448_LIMBS-1-i)^(X448_LIMBS/2)] += aa->limb[X448_LIMBS-1-i];-    });--    accum[X448_LIMBS-1] += accum[X448_LIMBS-2] >> LBITS;-    accum[X448_LIMBS-2] &= LMASK;-    accum[X448_LIMBS/2] += accum[X448_LIMBS-1] >> LBITS;-    FOR_LIMB_U(j,{-        accum[j] += accum[(j-1)%X448_LIMBS] >> LBITS;-        accum[(j-1)%X448_LIMBS] &= LMASK;-    });-    FOR_LIMB_U(j, c->limb[j] = accum[j] );-}--/** No dedicated square (PERF) */-#define gf_sqr(c,a) gf_mul(c,a,a)--/** Inverse square root using addition chain. */-static void-gf_isqrt(gf y, const gf x) {-    int i;-#define STEP(s,m,n) gf_mul(s,m,c); gf_cpy(c,s); for (i=0;i<n;i++) gf_sqr(c,c);-    gf a, b, c;-    gf_sqr ( c,   x );-    STEP(b,x,1);-    STEP(b,x,3);-    STEP(a,b,3);-    STEP(a,b,9);-    STEP(b,a,1);-    STEP(a,x,18);-    STEP(a,b,37);-    STEP(b,a,37);-    STEP(b,a,111);-    STEP(a,b,1);-    STEP(b,x,223);-    gf_mul(y,a,c);-}--static void-gf_inv(gf y, const gf x) {-    gf z,w;-    gf_sqr(z,x); /* x^2 */-    gf_isqrt(w,z); /* +- 1/sqrt(x^2) = +- 1/x */-    gf_sqr(z,w); /* 1/x^2 */-    gf_mul(w,x,z); /* 1/x */-    gf_cpy(y,w);-}--/** Weak reduce mod p. */-static void-gf_reduce(gf x) {-    x->limb[X448_LIMBS/2] += x->limb[X448_LIMBS-1] >> LBITS;-    FOR_LIMB_U(j,{-        x->limb[j] += x->limb[(j-1)%X448_LIMBS] >> LBITS;-        x->limb[(j-1)%X448_LIMBS] &= LMASK;-    });-}--/** Add mod p.  Conservatively always weak-reduce. (PERF) */-static void-gf_add ( gf x, const gf y, const gf z ) {-    FOR_LIMB_U(i, x->limb[i] = y->limb[i] + z->limb[i] );-    gf_reduce(x);-}--/** Subtract mod p.  Conservatively always weak-reduce. (PERF) */-static void-gf_sub ( gf x, const gf y, const gf z ) {-    FOR_LIMB_U(i, x->limb[i] = y->limb[i] - z->limb[i] + 2*P->limb[i] );-    gf_reduce(x);-}--/** Constant time, if (swap) (x,y) = (y,x); */-static void-cond_swap(gf x, gf_s *__restrict__ y, decaf_word_t swap) {-    FOR_LIMB_U(i, {-        decaf_word_t s = (x->limb[i] ^ y->limb[i]) & swap;-        x->limb[i] ^= s;-        y->limb[i] ^= s;-    });-}--/**- * Mul by signed int.  Not constant-time WRT the sign of that int.- * Just uses a full mul (PERF)- */-static inline void-gf_mlw(gf a, const gf b, int w) {-    if (w>0) {-        gf ww = {{{w}}};-        gf_mul(a,b,ww);-    } else {-        gf ww = {{{-w}}};-        gf_mul(a,b,ww);-        gf_sub(a,ZERO,a);-    }-}--/** Canonicalize */-static void gf_canon ( gf a ) {-    gf_reduce(a);--    /* subtract p with borrow */-    decaf_sdword_t carry = 0;-    FOR_LIMB(i, {-        carry = carry + a->limb[i] - P->limb[i];-        a->limb[i] = carry & LMASK;-        carry >>= LBITS;-    });--    decaf_word_t addback = carry;-    carry = 0;--    /* add it back */-    FOR_LIMB(i, {-        carry = carry + a->limb[i] + (P->limb[i] & addback);-        a->limb[i] = carry & LMASK;-        carry >>= LBITS;-    });-}--/* Deserialize */-static decaf_word_t-gf_deser(gf s, const unsigned char ser[X448_BYTES]) {-    unsigned int i, k=0, bits=0;-    decaf_dword_t buf=0;-    for (i=0; i<X448_BYTES; i++) {-        buf |= (decaf_dword_t)ser[i]<<bits;-        for (bits += 8; (bits>=LBITS || i==X448_BYTES-1) && k<X448_LIMBS; bits-=LBITS, buf>>=LBITS) {-            s->limb[k++] = buf & LMASK;-        }-    }--    decaf_sdword_t accum = 0;-    FOR_LIMB(i, accum = (accum + s->limb[i] - P->limb[i]) >> WBITS );-    return accum;-}--/* Serialize */-static void-gf_ser(uint8_t ser[X448_BYTES], gf a) {-    gf_canon(a);-    int k=0, bits=0;-    decaf_dword_t buf=0;-    FOR_LIMB(i, {-        buf |= (decaf_dword_t)a->limb[i]<<bits;-        for (bits += LBITS; (bits>=8 || i==X448_LIMBS-1) && k<X448_BYTES; bits-=8, buf>>=8) {-            ser[k++]=buf;-        }-    });-}--int __attribute__((visibility("default"))) cryptonite_x448 (-    unsigned char out[X448_BYTES],-    const unsigned char scalar[X448_BYTES],-    const unsigned char base[X448_BYTES]-) {-    gf x1, x2, z2, x3, z3, t1, t2;-    gf_deser(x1,base);-    gf_cpy(x2,ONE);-    gf_cpy(z2,ZERO);-    gf_cpy(x3,x1);-    gf_cpy(z3,ONE);--    int t;-    decaf_word_t swap = 0;--    for (t = 448-1; t>=0; t--) {-        uint8_t sb = scalar[t/8];--        /* Scalar conditioning */-        if (t/8==0) sb &= 0xFC;-        else if (t/8 == X448_BYTES-1) sb |= 0x80;--        decaf_word_t k_t = (sb>>(t%8)) & 1;-        k_t = -k_t; /* set to all 0s or all 1s */--        swap ^= k_t;-        cond_swap(x2,x3,swap);-        cond_swap(z2,z3,swap);-        swap = k_t;--        gf_add(t1,x2,z2); /* A = x2 + z2 */-        gf_sub(t2,x2,z2); /* B = x2 - z2 */-        gf_sub(z2,x3,z3); /* D = x3 - z3 */-        gf_mul(x2,t1,z2); /* DA */-        gf_add(z2,z3,x3); /* C = x3 + z3 */-        gf_mul(x3,t2,z2); /* CB */-        gf_sub(z3,x2,x3); /* DA-CB */-        gf_sqr(z2,z3);    /* (DA-CB)^2 */-        gf_mul(z3,x1,z2); /* z3 = x1(DA-CB)^2 */-        gf_add(z2,x2,x3); /* (DA+CB) */-        gf_sqr(x3,z2);    /* x3 = (DA+CB)^2 */--        gf_sqr(z2,t1);    /* AA = A^2 */-        gf_sqr(t1,t2);    /* BB = B^2 */-        gf_mul(x2,z2,t1); /* x2 = AA*BB */-        gf_sub(t2,z2,t1); /* E = AA-BB */--        gf_mlw(t1,t2,-EDWARDS_D); /* E*-d = a24*E */-        gf_add(t1,t1,z2); /* AA + a24*E */-        gf_mul(z2,t2,t1); /* z2 = E(AA+a24*E) */-    }--    /* Finish */-    cond_swap(x2,x3,swap);-    cond_swap(z2,z3,swap);-    gf_inv(z2,z2);-    gf_mul(x1,x2,z2);-    gf_ser(out,x1);--    decaf_sword_t nz = 0;-    for (t=0; t<X448_BYTES; t++) {-        nz |= out[t];-    }-    nz = (nz-1)>>8; /* 0 = succ, -1 = fail */--    /* return value: 0 = succ, -1 = fail */-    return nz;-}--int __attribute__((visibility("default")))-cryptonite_x448_base (-    unsigned char out[X448_BYTES],-    const unsigned char scalar[X448_BYTES]-) {-    return cryptonite_x448(out,scalar,X448_BASE_POINT);-}
− cbits/ed448/x448.h
@@ -1,25 +0,0 @@--#define X448_BYTES (448/8)--/* The base point (5) */-//extern const unsigned char X448_BASE_POINT[X448_BYTES];--/* Returns 0 on success, -1 on failure */-int __attribute__((visibility("default")))-cryptonite_x448 (-    unsigned char out[X448_BYTES],-    const unsigned char scalar[X448_BYTES],-    const unsigned char base[X448_BYTES]-);--/* Returns 0 on success, -1 on failure- *- * Same as x448(out,scalar,X448_BASE_POINT), except that- * an implementation may optimize it.- */-int __attribute__((visibility("default")))-cryptonite_x448_base (-    unsigned char out[X448_BYTES],-    const unsigned char scalar[X448_BYTES]-);-
+ cbits/include32/p256/p256.h view
@@ -0,0 +1,167 @@+/*+ * Copyright 2013 The Android Open Source Project+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions are met:+ *     * Redistributions of source code must retain the above copyright+ *       notice, this list of conditions and the following disclaimer.+ *     * Redistributions in binary form must reproduce the above copyright+ *       notice, this list of conditions and the following disclaimer in the+ *       documentation and/or other materials provided with the distribution.+ *     * Neither the name of Google Inc. nor the names of its contributors may+ *       be used to endorse or promote products derived from this software+ *       without specific prior written permission.+ *+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */++#ifndef SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_+#define SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_++// Collection of routines manipulating 256 bit unsigned integers.+// Just enough to implement ecdsa-p256 and related algorithms.++#include <stdint.h>++#ifdef __cplusplus+extern "C" {+#endif++#define P256_BITSPERDIGIT 32+#define P256_NDIGITS 8+#define P256_NBYTES 32++// n' such as n * n' = -1 mod (2^32)+#define P256_MONTGOMERY_FACTOR 0xEE00BC4F++#define P256_LITERAL(lo,hi) (lo), (hi)++typedef int cryptonite_p256_err;+typedef uint32_t cryptonite_p256_digit;+typedef int32_t cryptonite_p256_sdigit;+typedef uint64_t cryptonite_p256_ddigit;+typedef int64_t cryptonite_p256_sddigit;++// Defining cryptonite_p256_int as struct to leverage struct assigment.+typedef struct {+  cryptonite_p256_digit a[P256_NDIGITS];+} cryptonite_p256_int;++extern const cryptonite_p256_int cryptonite_SECP256r1_n;  // Curve order+extern const cryptonite_p256_int cryptonite_SECP256r1_p;  // Curve prime+extern const cryptonite_p256_int cryptonite_SECP256r1_b;  // Curve param++// Initialize a cryptonite_p256_int to zero.+void cryptonite_p256_init(cryptonite_p256_int* a);++// Clear a cryptonite_p256_int to zero.+void cryptonite_p256_clear(cryptonite_p256_int* a);++// Return bit. Index 0 is least significant.+int cryptonite_p256_get_bit(const cryptonite_p256_int* a, int index);++// b := a % MOD+void cryptonite_p256_mod(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    cryptonite_p256_int* b);++// c := a * (top_b | b) % MOD+void cryptonite_p256_modmul(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    const cryptonite_p256_digit top_b,+    const cryptonite_p256_int* b,+    cryptonite_p256_int* c);++// b := 1 / a % MOD+// MOD best be SECP256r1_n+void cryptonite_p256_modinv(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    cryptonite_p256_int* b);++// b := 1 / a % MOD+// MOD best be SECP256r1_n+// Faster than cryptonite_p256_modinv()+void cryptonite_p256_modinv_vartime(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    cryptonite_p256_int* b);++// b := a << (n % P256_BITSPERDIGIT)+// Returns the bits shifted out of most significant digit.+cryptonite_p256_digit cryptonite_p256_shl(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);++// b := a >> (n % P256_BITSPERDIGIT)+void cryptonite_p256_shr(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);++int cryptonite_p256_is_zero(const cryptonite_p256_int* a);+int cryptonite_p256_is_odd(const cryptonite_p256_int* a);+int cryptonite_p256_is_even(const cryptonite_p256_int* a);++// Returns -1, 0 or 1.+int cryptonite_p256_cmp(const cryptonite_p256_int* a, const cryptonite_p256_int *b);++// c: = a - b+// Returns -1 on borrow.+int cryptonite_p256_sub(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);++// c := a + b+// Returns 1 on carry.+int cryptonite_p256_add(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);++// c := a + (single digit)b+// Returns carry 1 on carry.+int cryptonite_p256_add_d(const cryptonite_p256_int* a, cryptonite_p256_digit b, cryptonite_p256_int* c);++// ec routines.++// {out_x,out_y} := nG+void cryptonite_p256_base_point_mul(const cryptonite_p256_int *n,+                         cryptonite_p256_int *out_x,+                         cryptonite_p256_int *out_y);++// {out_x,out_y} := n{in_x,in_y}+void cryptonite_p256_point_mul(const cryptonite_p256_int *n,+                    const cryptonite_p256_int *in_x,+                    const cryptonite_p256_int *in_y,+                    cryptonite_p256_int *out_x,+                    cryptonite_p256_int *out_y);++// {out_x,out_y} := n1G + n2{in_x,in_y}+void cryptonite_p256_points_mul_vartime(+    const cryptonite_p256_int *n1, const cryptonite_p256_int *n2,+    const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,+    cryptonite_p256_int *out_x, cryptonite_p256_int *out_y);++// Return whether point {x,y} is on curve.+int cryptonite_p256_is_valid_point(const cryptonite_p256_int* x, const cryptonite_p256_int* y);++// Outputs big-endian binary form. No leading zero skips.+void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBYTES]);++// Reads from big-endian binary form,+// thus pre-pad with leading zeros if short.+void cryptonite_p256_from_bin(const uint8_t src[P256_NBYTES], cryptonite_p256_int* dst);++#define P256_DIGITS(x) ((x)->a)+#define P256_DIGIT(x,y) ((x)->a[y])++#define P256_ZERO {{0}}+#define P256_ONE {{1}}++#ifdef __cplusplus+}+#endif++#endif  // SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_
+ cbits/include32/p256/p256_gf.h view
@@ -0,0 +1,779 @@+/*+ * Copyright 2013 The Android Open Source Project+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions are met:+ *     * Redistributions of source code must retain the above copyright+ *       notice, this list of conditions and the following disclaimer.+ *     * Redistributions in binary form must reproduce the above copyright+ *       notice, this list of conditions and the following disclaimer in the+ *       documentation and/or other materials provided with the distribution.+ *     * Neither the name of Google Inc. nor the names of its contributors may+ *       be used to endorse or promote products derived from this software+ *       without specific prior written permission.+ *+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */++// This is an implementation of the P256 finite field. It's written to be+// portable and still constant-time.+//+// WARNING: Implementing these functions in a constant-time manner is far from+//          obvious. Be careful when touching this code.+//+// See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background.++#include <stdint.h>+#include <stdio.h>++#include <string.h>+#include <stdlib.h>++#include "p256/p256.h"++typedef uint8_t u8;+typedef uint32_t u32;+typedef int32_t s32;+typedef uint64_t u64;++/* Our field elements are represented as nine 32-bit limbs.+ *+ * The value of an felem (field element) is:+ *   x[0] + (x[1] * 2**29) + (x[2] * 2**57) + ... + (x[8] * 2**228)+ *+ * That is, each limb is alternately 29 or 28-bits wide in little-endian+ * order.+ *+ * This means that an felem hits 2**257, rather than 2**256 as we would like. A+ * 28, 29, ... pattern would cause us to hit 2**256, but that causes problems+ * when multiplying as terms end up one bit short of a limb which would require+ * much bit-shifting to correct.+ *+ * Finally, the values stored in an felem are in Montgomery form. So the value+ * |y| is stored as (y*R) mod p, where p is the P-256 prime and R is 2**257.+ */+typedef u32 limb;+#define NLIMBS 9+typedef limb felem[NLIMBS];++static const limb kBottom28Bits = 0xfffffff;+static const limb kBottom29Bits = 0x1fffffff;++/* kOne is the number 1 as an felem. It's 2**257 mod p split up into 29 and+ * 28-bit words. */+static const felem kOne = {+    2, 0, 0, 0xffff800,+    0x1fffffff, 0xfffffff, 0x1fbfffff, 0x1ffffff,+    0+};+static const felem kZero = {0};+static const felem kP = {+    0x1fffffff, 0xfffffff, 0x1fffffff, 0x3ff,+    0, 0, 0x200000, 0xf000000,+    0xfffffff+};+static const felem k2P = {+    0x1ffffffe, 0xfffffff, 0x1fffffff, 0x7ff,+    0, 0, 0x400000, 0xe000000,+    0x1fffffff+};+/* kPrecomputed contains precomputed values to aid the calculation of scalar+ * multiples of the base point, G. It's actually two, equal length, tables+ * concatenated.+ *+ * The first table contains (x,y) felem pairs for 16 multiples of the base+ * point, G.+ *+ *   Index  |  Index (binary) | Value+ *       0  |           0000  | 0G (all zeros, omitted)+ *       1  |           0001  | G+ *       2  |           0010  | 2**64G+ *       3  |           0011  | 2**64G + G+ *       4  |           0100  | 2**128G+ *       5  |           0101  | 2**128G + G+ *       6  |           0110  | 2**128G + 2**64G+ *       7  |           0111  | 2**128G + 2**64G + G+ *       8  |           1000  | 2**192G+ *       9  |           1001  | 2**192G + G+ *      10  |           1010  | 2**192G + 2**64G+ *      11  |           1011  | 2**192G + 2**64G + G+ *      12  |           1100  | 2**192G + 2**128G+ *      13  |           1101  | 2**192G + 2**128G + G+ *      14  |           1110  | 2**192G + 2**128G + 2**64G+ *      15  |           1111  | 2**192G + 2**128G + 2**64G + G+ *+ * The second table follows the same style, but the terms are 2**32G,+ * 2**96G, 2**160G, 2**224G.+ *+ * This is ~2KB of data. */+static const limb kPrecomputed[NLIMBS * 2 * 15 * 2] = {+    0x11522878, 0xe730d41, 0xdb60179, 0x4afe2ff, 0x12883add, 0xcaddd88, 0x119e7edc, 0xd4a6eab, 0x3120bee,+    0x1d2aac15, 0xf25357c, 0x19e45cdd, 0x5c721d0, 0x1992c5a5, 0xa237487, 0x154ba21, 0x14b10bb, 0xae3fe3,+    0xd41a576, 0x922fc51, 0x234994f, 0x60b60d3, 0x164586ae, 0xce95f18, 0x1fe49073, 0x3fa36cc, 0x5ebcd2c,+    0xb402f2f, 0x15c70bf, 0x1561925c, 0x5a26704, 0xda91e90, 0xcdc1c7f, 0x1ea12446, 0xe1ade1e, 0xec91f22,+    0x26f7778, 0x566847e, 0xa0bec9e, 0x234f453, 0x1a31f21a, 0xd85e75c, 0x56c7109, 0xa267a00, 0xb57c050,+    0x98fb57, 0xaa837cc, 0x60c0792, 0xcfa5e19, 0x61bab9e, 0x589e39b, 0xa324c5, 0x7d6dee7, 0x2976e4b,+    0x1fc4124a, 0xa8c244b, 0x1ce86762, 0xcd61c7e, 0x1831c8e0, 0x75774e1, 0x1d96a5a9, 0x843a649, 0xc3ab0fa,+    0x6e2e7d5, 0x7673a2a, 0x178b65e8, 0x4003e9b, 0x1a1f11c2, 0x7816ea, 0xf643e11, 0x58c43df, 0xf423fc2,+    0x19633ffa, 0x891f2b2, 0x123c231c, 0x46add8c, 0x54700dd, 0x59e2b17, 0x172db40f, 0x83e277d, 0xb0dd609,+    0xfd1da12, 0x35c6e52, 0x19ede20c, 0xd19e0c0, 0x97d0f40, 0xb015b19, 0x449e3f5, 0xe10c9e, 0x33ab581,+    0x56a67ab, 0x577734d, 0x1dddc062, 0xc57b10d, 0x149b39d, 0x26a9e7b, 0xc35df9f, 0x48764cd, 0x76dbcca,+    0xca4b366, 0xe9303ab, 0x1a7480e7, 0x57e9e81, 0x1e13eb50, 0xf466cf3, 0x6f16b20, 0x4ba3173, 0xc168c33,+    0x15cb5439, 0x6a38e11, 0x73658bd, 0xb29564f, 0x3f6dc5b, 0x53b97e, 0x1322c4c0, 0x65dd7ff, 0x3a1e4f6,+    0x14e614aa, 0x9246317, 0x1bc83aca, 0xad97eed, 0xd38ce4a, 0xf82b006, 0x341f077, 0xa6add89, 0x4894acd,+    0x9f162d5, 0xf8410ef, 0x1b266a56, 0xd7f223, 0x3e0cb92, 0xe39b672, 0x6a2901a, 0x69a8556, 0x7e7c0,+    0x9b7d8d3, 0x309a80, 0x1ad05f7f, 0xc2fb5dd, 0xcbfd41d, 0x9ceb638, 0x1051825c, 0xda0cf5b, 0x812e881,+    0x6f35669, 0x6a56f2c, 0x1df8d184, 0x345820, 0x1477d477, 0x1645db1, 0xbe80c51, 0xc22be3e, 0xe35e65a,+    0x1aeb7aa0, 0xc375315, 0xf67bc99, 0x7fdd7b9, 0x191fc1be, 0x61235d, 0x2c184e9, 0x1c5a839, 0x47a1e26,+    0xb7cb456, 0x93e225d, 0x14f3c6ed, 0xccc1ac9, 0x17fe37f3, 0x4988989, 0x1a90c502, 0x2f32042, 0xa17769b,+    0xafd8c7c, 0x8191c6e, 0x1dcdb237, 0x16200c0, 0x107b32a1, 0x66c08db, 0x10d06a02, 0x3fc93, 0x5620023,+    0x16722b27, 0x68b5c59, 0x270fcfc, 0xfad0ecc, 0xe5de1c2, 0xeab466b, 0x2fc513c, 0x407f75c, 0xbaab133,+    0x9705fe9, 0xb88b8e7, 0x734c993, 0x1e1ff8f, 0x19156970, 0xabd0f00, 0x10469ea7, 0x3293ac0, 0xcdc98aa,+    0x1d843fd, 0xe14bfe8, 0x15be825f, 0x8b5212, 0xeb3fb67, 0x81cbd29, 0xbc62f16, 0x2b6fcc7, 0xf5a4e29,+    0x13560b66, 0xc0b6ac2, 0x51ae690, 0xd41e271, 0xf3e9bd4, 0x1d70aab, 0x1029f72, 0x73e1c35, 0xee70fbc,+    0xad81baf, 0x9ecc49a, 0x86c741e, 0xfe6be30, 0x176752e7, 0x23d416, 0x1f83de85, 0x27de188, 0x66f70b8,+    0x181cd51f, 0x96b6e4c, 0x188f2335, 0xa5df759, 0x17a77eb6, 0xfeb0e73, 0x154ae914, 0x2f3ec51, 0x3826b59,+    0xb91f17d, 0x1c72949, 0x1362bf0a, 0xe23fddf, 0xa5614b0, 0xf7d8f, 0x79061, 0x823d9d2, 0x8213f39,+    0x1128ae0b, 0xd095d05, 0xb85c0c2, 0x1ecb2ef, 0x24ddc84, 0xe35e901, 0x18411a4a, 0xf5ddc3d, 0x3786689,+    0x52260e8, 0x5ae3564, 0x542b10d, 0x8d93a45, 0x19952aa4, 0x996cc41, 0x1051a729, 0x4be3499, 0x52b23aa,+    0x109f307e, 0x6f5b6bb, 0x1f84e1e7, 0x77a0cfa, 0x10c4df3f, 0x25a02ea, 0xb048035, 0xe31de66, 0xc6ecaa3,+    0x28ea335, 0x2886024, 0x1372f020, 0xf55d35, 0x15e4684c, 0xf2a9e17, 0x1a4a7529, 0xcb7beb1, 0xb2a78a1,+    0x1ab21f1f, 0x6361ccf, 0x6c9179d, 0xb135627, 0x1267b974, 0x4408bad, 0x1cbff658, 0xe3d6511, 0xc7d76f,+    0x1cc7a69, 0xe7ee31b, 0x54fab4f, 0x2b914f, 0x1ad27a30, 0xcd3579e, 0xc50124c, 0x50daa90, 0xb13f72,+    0xb06aa75, 0x70f5cc6, 0x1649e5aa, 0x84a5312, 0x329043c, 0x41c4011, 0x13d32411, 0xb04a838, 0xd760d2d,+    0x1713b532, 0xbaa0c03, 0x84022ab, 0x6bcf5c1, 0x2f45379, 0x18ae070, 0x18c9e11e, 0x20bca9a, 0x66f496b,+    0x3eef294, 0x67500d2, 0xd7f613c, 0x2dbbeb, 0xb741038, 0xe04133f, 0x1582968d, 0xbe985f7, 0x1acbc1a,+    0x1a6a939f, 0x33e50f6, 0xd665ed4, 0xb4b7bd6, 0x1e5a3799, 0x6b33847, 0x17fa56ff, 0x65ef930, 0x21dc4a,+    0x2b37659, 0x450fe17, 0xb357b65, 0xdf5efac, 0x15397bef, 0x9d35a7f, 0x112ac15f, 0x624e62e, 0xa90ae2f,+    0x107eecd2, 0x1f69bbe, 0x77d6bce, 0x5741394, 0x13c684fc, 0x950c910, 0x725522b, 0xdc78583, 0x40eeabb,+    0x1fde328a, 0xbd61d96, 0xd28c387, 0x9e77d89, 0x12550c40, 0x759cb7d, 0x367ef34, 0xae2a960, 0x91b8bdc,+    0x93462a9, 0xf469ef, 0xb2e9aef, 0xd2ca771, 0x54e1f42, 0x7aaa49, 0x6316abb, 0x2413c8e, 0x5425bf9,+    0x1bed3e3a, 0xf272274, 0x1f5e7326, 0x6416517, 0xea27072, 0x9cedea7, 0x6e7633, 0x7c91952, 0xd806dce,+    0x8e2a7e1, 0xe421e1a, 0x418c9e1, 0x1dbc890, 0x1b395c36, 0xa1dc175, 0x1dc4ef73, 0x8956f34, 0xe4b5cf2,+    0x1b0d3a18, 0x3194a36, 0x6c2641f, 0xe44124c, 0xa2f4eaa, 0xa8c25ba, 0xf927ed7, 0x627b614, 0x7371cca,+    0xba16694, 0x417bc03, 0x7c0a7e3, 0x9c35c19, 0x1168a205, 0x8b6b00d, 0x10e3edc9, 0x9c19bf2, 0x5882229,+    0x1b2b4162, 0xa5cef1a, 0x1543622b, 0x9bd433e, 0x364e04d, 0x7480792, 0x5c9b5b3, 0xe85ff25, 0x408ef57,+    0x1814cfa4, 0x121b41b, 0xd248a0f, 0x3b05222, 0x39bb16a, 0xc75966d, 0xa038113, 0xa4a1769, 0x11fbc6c,+    0x917e50e, 0xeec3da8, 0x169d6eac, 0x10c1699, 0xa416153, 0xf724912, 0x15cd60b7, 0x4acbad9, 0x5efc5fa,+    0xf150ed7, 0x122b51, 0x1104b40a, 0xcb7f442, 0xfbb28ff, 0x6ac53ca, 0x196142cc, 0x7bf0fa9, 0x957651,+    0x4e0f215, 0xed439f8, 0x3f46bd5, 0x5ace82f, 0x110916b6, 0x6db078, 0xffd7d57, 0xf2ecaac, 0xca86dec,+    0x15d6b2da, 0x965ecc9, 0x1c92b4c2, 0x1f3811, 0x1cb080f5, 0x2d8b804, 0x19d1c12d, 0xf20bd46, 0x1951fa7,+    0xa3656c3, 0x523a425, 0xfcd0692, 0xd44ddc8, 0x131f0f5b, 0xaf80e4a, 0xcd9fc74, 0x99bb618, 0x2db944c,+    0xa673090, 0x1c210e1, 0x178c8d23, 0x1474383, 0x10b8743d, 0x985a55b, 0x2e74779, 0x576138, 0x9587927,+    0x133130fa, 0xbe05516, 0x9f4d619, 0xbb62570, 0x99ec591, 0xd9468fe, 0x1d07782d, 0xfc72e0b, 0x701b298,+    0x1863863b, 0x85954b8, 0x121a0c36, 0x9e7fedf, 0xf64b429, 0x9b9d71e, 0x14e2f5d8, 0xf858d3a, 0x942eea8,+    0xda5b765, 0x6edafff, 0xa9d18cc, 0xc65e4ba, 0x1c747e86, 0xe4ea915, 0x1981d7a1, 0x8395659, 0x52ed4e2,+    0x87d43b7, 0x37ab11b, 0x19d292ce, 0xf8d4692, 0x18c3053f, 0x8863e13, 0x4c146c0, 0x6bdf55a, 0x4e4457d,+    0x16152289, 0xac78ec2, 0x1a59c5a2, 0x2028b97, 0x71c2d01, 0x295851f, 0x404747b, 0x878558d, 0x7d29aa4,+    0x13d8341f, 0x8daefd7, 0x139c972d, 0x6b7ea75, 0xd4a9dde, 0xff163d8, 0x81d55d7, 0xa5bef68, 0xb7b30d8,+    0xbe73d6f, 0xaa88141, 0xd976c81, 0x7e7a9cc, 0x18beb771, 0xd773cbd, 0x13f51951, 0x9d0c177, 0x1c49a78,+};+++/* Field element operations: */++/* NON_ZERO_TO_ALL_ONES returns:+ *   0xffffffff for 0 < x <= 2**31+ *   0 for x == 0 or x > 2**31.+ *+ * x must be a u32 or an equivalent type such as limb. */+#define NON_ZERO_TO_ALL_ONES(x) ((((u32)(x) - 1) >> 31) - 1)++/* felem_reduce_carry adds a multiple of p in order to cancel |carry|,+ * which is a term at 2**257.+ *+ * On entry: carry < 2**3, inout[0,2,...] < 2**29, inout[1,3,...] < 2**28.+ * On exit: inout[0,2,..] < 2**30, inout[1,3,...] < 2**29. */+static void felem_reduce_carry(felem inout, limb carry) {+  const u32 carry_mask = NON_ZERO_TO_ALL_ONES(carry);++  inout[0] += carry << 1;+  inout[3] += 0x10000000 & carry_mask;+  /* carry < 2**3 thus (carry << 11) < 2**14 and we added 2**28 in the+   * previous line therefore this doesn't underflow. */+  inout[3] -= carry << 11;+  inout[4] += (0x20000000 - 1) & carry_mask;+  inout[5] += (0x10000000 - 1) & carry_mask;+  inout[6] += (0x20000000 - 1) & carry_mask;+  inout[6] -= carry << 22;+  /* This may underflow if carry is non-zero but, if so, we'll fix it in the+   * next line. */+  inout[7] -= 1 & carry_mask;+  inout[7] += carry << 25;+}++/* felem_sum sets out = in+in2.+ *+ * On entry, in[i]+in2[i] must not overflow a 32-bit word.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 */+static void felem_sum(felem out, const felem in, const felem in2) {+  limb carry = 0;+  unsigned i;++  for (i = 0;; i++) {+    out[i] = in[i] + in2[i];+    out[i] += carry;+    carry = out[i] >> 29;+    out[i] &= kBottom29Bits;++    i++;+    if (i == NLIMBS)+      break;++    out[i] = in[i] + in2[i];+    out[i] += carry;+    carry = out[i] >> 28;+    out[i] &= kBottom28Bits;+  }++  felem_reduce_carry(out, carry);+}++#define two31m3 (((limb)1) << 31) - (((limb)1) << 3)+#define two30m2 (((limb)1) << 30) - (((limb)1) << 2)+#define two30p13m2 (((limb)1) << 30) + (((limb)1) << 13) - (((limb)1) << 2)+#define two31m2 (((limb)1) << 31) - (((limb)1) << 2)+#define two31p24m2 (((limb)1) << 31) + (((limb)1) << 24) - (((limb)1) << 2)+#define two30m27m2 (((limb)1) << 30) - (((limb)1) << 27) - (((limb)1) << 2)++/* zero31 is 0 mod p. */+static const felem zero31 = { two31m3, two30m2, two31m2, two30p13m2, two31m2, two30m2, two31p24m2, two30m27m2, two31m2 };++/* felem_diff sets out = in-in2.+ *+ * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and+ *           in2[0,2,...] < 2**30, in2[1,3,...] < 2**29.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */+static void felem_diff(felem out, const felem in, const felem in2) {+  limb carry = 0;+  unsigned i;++   for (i = 0;; i++) {+    out[i] = in[i] - in2[i];+    out[i] += zero31[i];+    out[i] += carry;+    carry = out[i] >> 29;+    out[i] &= kBottom29Bits;++    i++;+    if (i == NLIMBS)+      break;++    out[i] = in[i] - in2[i];+    out[i] += zero31[i];+    out[i] += carry;+    carry = out[i] >> 28;+    out[i] &= kBottom28Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_reduce_degree sets out = tmp/R mod p where tmp contains 64-bit words+ * with the same 29,28,... bit positions as an felem.+ *+ * The values in felems are in Montgomery form: x*R mod p where R = 2**257.+ * Since we just multiplied two Montgomery values together, the result is+ * x*y*R*R mod p. We wish to divide by R in order for the result also to be+ * in Montgomery form.+ *+ * On entry: tmp[i] < 2**64+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 */+static void felem_reduce_degree(felem out, u64 tmp[17]) {+   /* The following table may be helpful when reading this code:+    *+    * Limb number:   0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10...+    * Width (bits):  29| 28| 29| 28| 29| 28| 29| 28| 29| 28| 29+    * Start bit:     0 | 29| 57| 86|114|143|171|200|228|257|285+    *   (odd phase): 0 | 28| 57| 85|114|142|171|199|228|256|285 */+  limb tmp2[18], carry, x, xMask;+  unsigned i;++  /* tmp contains 64-bit words with the same 29,28,29-bit positions as an+   * felem. So the top of an element of tmp might overlap with another+   * element two positions down. The following loop eliminates this+   * overlap. */+  tmp2[0] = (limb)(tmp[0] & kBottom29Bits);++  /* In the following we use "(limb) tmp[x]" and "(limb) (tmp[x]>>32)" to try+   * and hint to the compiler that it can do a single-word shift by selecting+   * the right register rather than doing a double-word shift and truncating+   * afterwards. */+  tmp2[1] = ((limb) tmp[0]) >> 29;+  tmp2[1] |= (((limb)(tmp[0] >> 32)) << 3) & kBottom28Bits;+  tmp2[1] += ((limb) tmp[1]) & kBottom28Bits;+  carry = tmp2[1] >> 28;+  tmp2[1] &= kBottom28Bits;++  for (i = 2; i < 17; i++) {+    tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25;+    tmp2[i] += ((limb)(tmp[i - 1])) >> 28;+    tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 4) & kBottom29Bits;+    tmp2[i] += ((limb) tmp[i]) & kBottom29Bits;+    tmp2[i] += carry;+    carry = tmp2[i] >> 29;+    tmp2[i] &= kBottom29Bits;++    i++;+    if (i == 17)+      break;+    tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25;+    tmp2[i] += ((limb)(tmp[i - 1])) >> 29;+    tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 3) & kBottom28Bits;+    tmp2[i] += ((limb) tmp[i]) & kBottom28Bits;+    tmp2[i] += carry;+    carry = tmp2[i] >> 28;+    tmp2[i] &= kBottom28Bits;+  }++  tmp2[17] = ((limb)(tmp[15] >> 32)) >> 25;+  tmp2[17] += ((limb)(tmp[16])) >> 29;+  tmp2[17] += (((limb)(tmp[16] >> 32)) << 3);+  tmp2[17] += carry;++  /* Montgomery elimination of terms.+   *+   * Since R is 2**257, we can divide by R with a bitwise shift if we can+   * ensure that the right-most 257 bits are all zero. We can make that true by+   * adding multiplies of p without affecting the value.+   *+   * So we eliminate limbs from right to left. Since the bottom 29 bits of p+   * are all ones, then by adding tmp2[0]*p to tmp2 we'll make tmp2[0] == 0.+   * We can do that for 8 further limbs and then right shift to eliminate the+   * extra factor of R. */+  for (i = 0;; i += 2) {+    tmp2[i + 1] += tmp2[i] >> 29;+    x = tmp2[i] & kBottom29Bits;+    xMask = NON_ZERO_TO_ALL_ONES(x);+    tmp2[i] = 0;++    /* The bounds calculations for this loop are tricky. Each iteration of+     * the loop eliminates two words by adding values to words to their+     * right.+     *+     * The following table contains the amounts added to each word (as an+     * offset from the value of i at the top of the loop). The amounts are+     * accounted for from the first and second half of the loop separately+     * and are written as, for example, 28 to mean a value <2**28.+     *+     * Word:                   3   4   5   6   7   8   9   10+     * Added in top half:     28  11      29  21  29  28+     *                                        28  29+     *                                            29+     * Added in bottom half:      29  10      28  21  28   28+     *                                            29+     *+     * The value that is currently offset 7 will be offset 5 for the next+     * iteration and then offset 3 for the iteration after that. Therefore+     * the total value added will be the values added at 7, 5 and 3.+     *+     * The following table accumulates these values. The sums at the bottom+     * are written as, for example, 29+28, to mean a value < 2**29+2**28.+     *+     * Word:                   3   4   5   6   7   8   9  10  11  12  13+     *                        28  11  10  29  21  29  28  28  28  28  28+     *                            29  28  11  28  29  28  29  28  29  28+     *                                    29  28  21  21  29  21  29  21+     *                                        10  29  28  21  28  21  28+     *                                        28  29  28  29  28  29  28+     *                                            11  10  29  10  29  10+     *                                            29  28  11  28  11+     *                                                    29      29+     *                        --------------------------------------------+     *                                                30+ 31+ 30+ 31+ 30++     *                                                28+ 29+ 28+ 29+ 21++     *                                                21+ 28+ 21+ 28+ 10+     *                                                10  21+ 10  21++     *                                                    11      11+     *+     * So the greatest amount is added to tmp2[10] and tmp2[12]. If+     * tmp2[10/12] has an initial value of <2**29, then the maximum value+     * will be < 2**31 + 2**30 + 2**28 + 2**21 + 2**11, which is < 2**32,+     * as required. */+    tmp2[i + 3] += (x << 10) & kBottom28Bits;+    tmp2[i + 4] += (x >> 18);++    tmp2[i + 6] += (x << 21) & kBottom29Bits;+    tmp2[i + 7] += x >> 8;++    /* At position 200, which is the starting bit position for word 7, we+     * have a factor of 0xf000000 = 2**28 - 2**24. */+    tmp2[i + 7] += 0x10000000 & xMask;+    /* Word 7 is 28 bits wide, so the 2**28 term exactly hits word 8. */+    tmp2[i + 8] += (x - 1) & xMask;+    tmp2[i + 7] -= (x << 24) & kBottom28Bits;+    tmp2[i + 8] -= x >> 4;++    tmp2[i + 8] += 0x20000000 & xMask;+    tmp2[i + 8] -= x;+    tmp2[i + 8] += (x << 28) & kBottom29Bits;+    tmp2[i + 9] += ((x >> 1) - 1) & xMask;++    if (i+1 == NLIMBS)+      break;+    tmp2[i + 2] += tmp2[i + 1] >> 28;+    x = tmp2[i + 1] & kBottom28Bits;+    xMask = NON_ZERO_TO_ALL_ONES(x);+    tmp2[i + 1] = 0;++    tmp2[i + 4] += (x << 11) & kBottom29Bits;+    tmp2[i + 5] += (x >> 18);++    tmp2[i + 7] += (x << 21) & kBottom28Bits;+    tmp2[i + 8] += x >> 7;++    /* At position 199, which is the starting bit of the 8th word when+     * dealing with a context starting on an odd word, we have a factor of+     * 0x1e000000 = 2**29 - 2**25. Since we have not updated i, the 8th+     * word from i+1 is i+8. */+    tmp2[i + 8] += 0x20000000 & xMask;+    tmp2[i + 9] += (x - 1) & xMask;+    tmp2[i + 8] -= (x << 25) & kBottom29Bits;+    tmp2[i + 9] -= x >> 4;++    tmp2[i + 9] += 0x10000000 & xMask;+    tmp2[i + 9] -= x;+    tmp2[i + 10] += (x - 1) & xMask;+  }++  /* We merge the right shift with a carry chain. The words above 2**257 have+   * widths of 28,29,... which we need to correct when copying them down.  */+  carry = 0;+  for (i = 0; i < 8; i++) {+    /* The maximum value of tmp2[i + 9] occurs on the first iteration and+     * is < 2**30+2**29+2**28. Adding 2**29 (from tmp2[i + 10]) is+     * therefore safe. */+    out[i] = tmp2[i + 9];+    out[i] += carry;+    out[i] += (tmp2[i + 10] << 28) & kBottom29Bits;+    carry = out[i] >> 29;+    out[i] &= kBottom29Bits;++    i++;+    out[i] = tmp2[i + 9] >> 1;+    out[i] += carry;+    carry = out[i] >> 28;+    out[i] &= kBottom28Bits;+  }++  out[8] = tmp2[17];+  out[8] += carry;+  carry = out[8] >> 29;+  out[8] &= kBottom29Bits;++  felem_reduce_carry(out, carry);+}++/* felem_square sets out=in*in.+ *+ * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */+static void felem_square(felem out, const felem in) {+  u64 tmp[17];++  tmp[0] = ((u64) in[0]) * in[0];+  tmp[1] = ((u64) in[0]) * (in[1] << 1);+  tmp[2] = ((u64) in[0]) * (in[2] << 1) ++           ((u64) in[1]) * (in[1] << 1);+  tmp[3] = ((u64) in[0]) * (in[3] << 1) ++           ((u64) in[1]) * (in[2] << 1);+  tmp[4] = ((u64) in[0]) * (in[4] << 1) ++           ((u64) in[1]) * (in[3] << 2) + ((u64) in[2]) * in[2];+  tmp[5] = ((u64) in[0]) * (in[5] << 1) + ((u64) in[1]) *+           (in[4] << 1) + ((u64) in[2]) * (in[3] << 1);+  tmp[6] = ((u64) in[0]) * (in[6] << 1) + ((u64) in[1]) *+           (in[5] << 2) + ((u64) in[2]) * (in[4] << 1) ++           ((u64) in[3]) * (in[3] << 1);+  tmp[7] = ((u64) in[0]) * (in[7] << 1) + ((u64) in[1]) *+           (in[6] << 1) + ((u64) in[2]) * (in[5] << 1) ++           ((u64) in[3]) * (in[4] << 1);+  /* tmp[8] has the greatest value of 2**61 + 2**60 + 2**61 + 2**60 + 2**60,+   * which is < 2**64 as required. */+  tmp[8] = ((u64) in[0]) * (in[8] << 1) + ((u64) in[1]) *+           (in[7] << 2) + ((u64) in[2]) * (in[6] << 1) ++           ((u64) in[3]) * (in[5] << 2) + ((u64) in[4]) * in[4];+  tmp[9] = ((u64) in[1]) * (in[8] << 1) + ((u64) in[2]) *+           (in[7] << 1) + ((u64) in[3]) * (in[6] << 1) ++           ((u64) in[4]) * (in[5] << 1);+  tmp[10] = ((u64) in[2]) * (in[8] << 1) + ((u64) in[3]) *+            (in[7] << 2) + ((u64) in[4]) * (in[6] << 1) ++            ((u64) in[5]) * (in[5] << 1);+  tmp[11] = ((u64) in[3]) * (in[8] << 1) + ((u64) in[4]) *+            (in[7] << 1) + ((u64) in[5]) * (in[6] << 1);+  tmp[12] = ((u64) in[4]) * (in[8] << 1) ++            ((u64) in[5]) * (in[7] << 2) + ((u64) in[6]) * in[6];+  tmp[13] = ((u64) in[5]) * (in[8] << 1) ++            ((u64) in[6]) * (in[7] << 1);+  tmp[14] = ((u64) in[6]) * (in[8] << 1) ++            ((u64) in[7]) * (in[7] << 1);+  tmp[15] = ((u64) in[7]) * (in[8] << 1);+  tmp[16] = ((u64) in[8]) * in[8];++  felem_reduce_degree(out, tmp);+}++/* felem_mul sets out=in*in2.+ *+ * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and+ *           in2[0,2,...] < 2**30, in2[1,3,...] < 2**29.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */+static void felem_mul(felem out, const felem in, const felem in2) {+  u64 tmp[17];++  tmp[0] = ((u64) in[0]) * in2[0];+  tmp[1] = ((u64) in[0]) * (in2[1] << 0) ++           ((u64) in[1]) * (in2[0] << 0);+  tmp[2] = ((u64) in[0]) * (in2[2] << 0) + ((u64) in[1]) *+           (in2[1] << 1) + ((u64) in[2]) * (in2[0] << 0);+  tmp[3] = ((u64) in[0]) * (in2[3] << 0) + ((u64) in[1]) *+           (in2[2] << 0) + ((u64) in[2]) * (in2[1] << 0) ++           ((u64) in[3]) * (in2[0] << 0);+  tmp[4] = ((u64) in[0]) * (in2[4] << 0) + ((u64) in[1]) *+           (in2[3] << 1) + ((u64) in[2]) * (in2[2] << 0) ++           ((u64) in[3]) * (in2[1] << 1) ++           ((u64) in[4]) * (in2[0] << 0);+  tmp[5] = ((u64) in[0]) * (in2[5] << 0) + ((u64) in[1]) *+           (in2[4] << 0) + ((u64) in[2]) * (in2[3] << 0) ++           ((u64) in[3]) * (in2[2] << 0) + ((u64) in[4]) *+           (in2[1] << 0) + ((u64) in[5]) * (in2[0] << 0);+  tmp[6] = ((u64) in[0]) * (in2[6] << 0) + ((u64) in[1]) *+           (in2[5] << 1) + ((u64) in[2]) * (in2[4] << 0) ++           ((u64) in[3]) * (in2[3] << 1) + ((u64) in[4]) *+           (in2[2] << 0) + ((u64) in[5]) * (in2[1] << 1) ++           ((u64) in[6]) * (in2[0] << 0);+  tmp[7] = ((u64) in[0]) * (in2[7] << 0) + ((u64) in[1]) *+           (in2[6] << 0) + ((u64) in[2]) * (in2[5] << 0) ++           ((u64) in[3]) * (in2[4] << 0) + ((u64) in[4]) *+           (in2[3] << 0) + ((u64) in[5]) * (in2[2] << 0) ++           ((u64) in[6]) * (in2[1] << 0) ++           ((u64) in[7]) * (in2[0] << 0);+  /* tmp[8] has the greatest value but doesn't overflow. See logic in+   * felem_square. */+  tmp[8] = ((u64) in[0]) * (in2[8] << 0) + ((u64) in[1]) *+           (in2[7] << 1) + ((u64) in[2]) * (in2[6] << 0) ++           ((u64) in[3]) * (in2[5] << 1) + ((u64) in[4]) *+           (in2[4] << 0) + ((u64) in[5]) * (in2[3] << 1) ++           ((u64) in[6]) * (in2[2] << 0) + ((u64) in[7]) *+           (in2[1] << 1) + ((u64) in[8]) * (in2[0] << 0);+  tmp[9] = ((u64) in[1]) * (in2[8] << 0) + ((u64) in[2]) *+           (in2[7] << 0) + ((u64) in[3]) * (in2[6] << 0) ++           ((u64) in[4]) * (in2[5] << 0) + ((u64) in[5]) *+           (in2[4] << 0) + ((u64) in[6]) * (in2[3] << 0) ++           ((u64) in[7]) * (in2[2] << 0) ++           ((u64) in[8]) * (in2[1] << 0);+  tmp[10] = ((u64) in[2]) * (in2[8] << 0) + ((u64) in[3]) *+            (in2[7] << 1) + ((u64) in[4]) * (in2[6] << 0) ++            ((u64) in[5]) * (in2[5] << 1) + ((u64) in[6]) *+            (in2[4] << 0) + ((u64) in[7]) * (in2[3] << 1) ++            ((u64) in[8]) * (in2[2] << 0);+  tmp[11] = ((u64) in[3]) * (in2[8] << 0) + ((u64) in[4]) *+            (in2[7] << 0) + ((u64) in[5]) * (in2[6] << 0) ++            ((u64) in[6]) * (in2[5] << 0) + ((u64) in[7]) *+            (in2[4] << 0) + ((u64) in[8]) * (in2[3] << 0);+  tmp[12] = ((u64) in[4]) * (in2[8] << 0) + ((u64) in[5]) *+            (in2[7] << 1) + ((u64) in[6]) * (in2[6] << 0) ++            ((u64) in[7]) * (in2[5] << 1) ++            ((u64) in[8]) * (in2[4] << 0);+  tmp[13] = ((u64) in[5]) * (in2[8] << 0) + ((u64) in[6]) *+            (in2[7] << 0) + ((u64) in[7]) * (in2[6] << 0) ++            ((u64) in[8]) * (in2[5] << 0);+  tmp[14] = ((u64) in[6]) * (in2[8] << 0) + ((u64) in[7]) *+            (in2[7] << 1) + ((u64) in[8]) * (in2[6] << 0);+  tmp[15] = ((u64) in[7]) * (in2[8] << 0) ++            ((u64) in[8]) * (in2[7] << 0);+  tmp[16] = ((u64) in[8]) * (in2[8] << 0);++  felem_reduce_degree(out, tmp);+}++static void felem_assign(felem out, const felem in) {+  memcpy(out, in, sizeof(felem));+}++/* felem_scalar_3 sets out=3*out.+ *+ * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */+static void felem_scalar_3(felem out) {+  limb carry = 0;+  unsigned i;++  for (i = 0;; i++) {+    out[i] *= 3;+    out[i] += carry;+    carry = out[i] >> 29;+    out[i] &= kBottom29Bits;++    i++;+    if (i == NLIMBS)+      break;++    out[i] *= 3;+    out[i] += carry;+    carry = out[i] >> 28;+    out[i] &= kBottom28Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_scalar_4 sets out=4*out.+ *+ * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */+static void felem_scalar_4(felem out) {+  limb carry = 0, next_carry;+  unsigned i;++  for (i = 0;; i++) {+    next_carry = out[i] >> 27;+    out[i] <<= 2;+    out[i] &= kBottom29Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 29);+    out[i] &= kBottom29Bits;++    i++;+    if (i == NLIMBS)+      break;++    next_carry = out[i] >> 26;+    out[i] <<= 2;+    out[i] &= kBottom28Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 28);+    out[i] &= kBottom28Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_scalar_8 sets out=8*out.+ *+ * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.+ * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */+static void felem_scalar_8(felem out) {+  limb carry = 0, next_carry;+  unsigned i;++  for (i = 0;; i++) {+    next_carry = out[i] >> 26;+    out[i] <<= 3;+    out[i] &= kBottom29Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 29);+    out[i] &= kBottom29Bits;++    i++;+    if (i == NLIMBS)+      break;++    next_carry = out[i] >> 25;+    out[i] <<= 3;+    out[i] &= kBottom28Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 28);+    out[i] &= kBottom28Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_is_zero_vartime returns 1 iff |in| == 0. It takes a variable amount of+ * time depending on the value of |in|. */+static char felem_is_zero_vartime(const felem in) {+  limb carry;+  int i;+  limb tmp[NLIMBS];++  felem_assign(tmp, in);++  /* First, reduce tmp to a minimal form. */+  do {+    carry = 0;+    for (i = 0;; i++) {+      tmp[i] += carry;+      carry = tmp[i] >> 29;+      tmp[i] &= kBottom29Bits;++      i++;+      if (i == NLIMBS)+        break;++      tmp[i] += carry;+      carry = tmp[i] >> 28;+      tmp[i] &= kBottom28Bits;+    }++    felem_reduce_carry(tmp, carry);+  } while (carry);++  /* tmp < 2**257, so the only possible zero values are 0, p and 2p. */+  return memcmp(tmp, kZero, sizeof(tmp)) == 0 ||+         memcmp(tmp, kP, sizeof(tmp)) == 0 ||+         memcmp(tmp, k2P, sizeof(tmp)) == 0;+}+++/* Montgomery operations: */++#define kRDigits {2, 0, 0, 0xfffffffe, 0xffffffff, 0xffffffff, 0xfffffffd, 1} // 2^257 mod p256.p++#define kRInvDigits {0x80000000, 1, 0xffffffff, 0, 0x80000001, 0xfffffffe, 1, 0x7fffffff}  // 1 / 2^257 mod p256.p++static const cryptonite_p256_int kR = { kRDigits };+static const cryptonite_p256_int kRInv = { kRInvDigits };++/* to_montgomery sets out = R*in. */+static void to_montgomery(felem out, const cryptonite_p256_int* in) {+  cryptonite_p256_int in_shifted;+  int i;++  cryptonite_p256_init(&in_shifted);+  cryptonite_p256_modmul(&cryptonite_SECP256r1_p, in, 0, &kR, &in_shifted);++  for (i = 0; i < NLIMBS; i++) {+    if ((i & 1) == 0) {+      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom29Bits;+      cryptonite_p256_shr(&in_shifted, 29, &in_shifted);+    } else {+      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom28Bits;+      cryptonite_p256_shr(&in_shifted, 28, &in_shifted);+    }+  }++  cryptonite_p256_clear(&in_shifted);+}++/* from_montgomery sets out=in/R. */+static void from_montgomery(cryptonite_p256_int* out, const felem in) {+  cryptonite_p256_int result, tmp;+  int i, top;++  cryptonite_p256_init(&result);+  cryptonite_p256_init(&tmp);++  cryptonite_p256_add_d(&tmp, in[NLIMBS - 1], &result);+  for (i = NLIMBS - 2; i >= 0; i--) {+    if ((i & 1) == 0) {+      top = cryptonite_p256_shl(&result, 29, &tmp);+    } else {+      top = cryptonite_p256_shl(&result, 28, &tmp);+    }+    top |= cryptonite_p256_add_d(&tmp, in[i], &result);+  }++  cryptonite_p256_modmul(&cryptonite_SECP256r1_p, &kRInv, top, &result, out);++  cryptonite_p256_clear(&result);+  cryptonite_p256_clear(&tmp);+}
+ cbits/include64/p256/p256.h view
@@ -0,0 +1,167 @@+/*+ * Copyright 2013 The Android Open Source Project+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions are met:+ *     * Redistributions of source code must retain the above copyright+ *       notice, this list of conditions and the following disclaimer.+ *     * Redistributions in binary form must reproduce the above copyright+ *       notice, this list of conditions and the following disclaimer in the+ *       documentation and/or other materials provided with the distribution.+ *     * Neither the name of Google Inc. nor the names of its contributors may+ *       be used to endorse or promote products derived from this software+ *       without specific prior written permission.+ *+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */++#ifndef SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_+#define SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_++// Collection of routines manipulating 256 bit unsigned integers.+// Just enough to implement ecdsa-p256 and related algorithms.++#include <stdint.h>++#ifdef __cplusplus+extern "C" {+#endif++#define P256_BITSPERDIGIT 64+#define P256_NDIGITS 4+#define P256_NBYTES 32++// n' such as n * n' = -1 mod (2^64)+#define P256_MONTGOMERY_FACTOR 0xCCD1C8AAEE00BC4F++#define P256_LITERAL(lo,hi) (((uint32_t) (lo)) + (((uint64_t) (hi)) << 32))++typedef int cryptonite_p256_err;+typedef uint64_t cryptonite_p256_digit;+typedef int64_t cryptonite_p256_sdigit;+typedef __uint128_t cryptonite_p256_ddigit;+typedef __int128_t cryptonite_p256_sddigit;++// Defining cryptonite_p256_int as struct to leverage struct assigment.+typedef struct {+  cryptonite_p256_digit a[P256_NDIGITS];+} cryptonite_p256_int;++extern const cryptonite_p256_int cryptonite_SECP256r1_n;  // Curve order+extern const cryptonite_p256_int cryptonite_SECP256r1_p;  // Curve prime+extern const cryptonite_p256_int cryptonite_SECP256r1_b;  // Curve param++// Initialize a cryptonite_p256_int to zero.+void cryptonite_p256_init(cryptonite_p256_int* a);++// Clear a cryptonite_p256_int to zero.+void cryptonite_p256_clear(cryptonite_p256_int* a);++// Return bit. Index 0 is least significant.+int cryptonite_p256_get_bit(const cryptonite_p256_int* a, int index);++// b := a % MOD+void cryptonite_p256_mod(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    cryptonite_p256_int* b);++// c := a * (top_b | b) % MOD+void cryptonite_p256_modmul(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    const cryptonite_p256_digit top_b,+    const cryptonite_p256_int* b,+    cryptonite_p256_int* c);++// b := 1 / a % MOD+// MOD best be SECP256r1_n+void cryptonite_p256_modinv(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    cryptonite_p256_int* b);++// b := 1 / a % MOD+// MOD best be SECP256r1_n+// Faster than cryptonite_p256_modinv()+void cryptonite_p256_modinv_vartime(+    const cryptonite_p256_int* MOD,+    const cryptonite_p256_int* a,+    cryptonite_p256_int* b);++// b := a << (n % P256_BITSPERDIGIT)+// Returns the bits shifted out of most significant digit.+cryptonite_p256_digit cryptonite_p256_shl(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);++// b := a >> (n % P256_BITSPERDIGIT)+void cryptonite_p256_shr(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);++int cryptonite_p256_is_zero(const cryptonite_p256_int* a);+int cryptonite_p256_is_odd(const cryptonite_p256_int* a);+int cryptonite_p256_is_even(const cryptonite_p256_int* a);++// Returns -1, 0 or 1.+int cryptonite_p256_cmp(const cryptonite_p256_int* a, const cryptonite_p256_int *b);++// c: = a - b+// Returns -1 on borrow.+int cryptonite_p256_sub(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);++// c := a + b+// Returns 1 on carry.+int cryptonite_p256_add(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);++// c := a + (single digit)b+// Returns carry 1 on carry.+int cryptonite_p256_add_d(const cryptonite_p256_int* a, cryptonite_p256_digit b, cryptonite_p256_int* c);++// ec routines.++// {out_x,out_y} := nG+void cryptonite_p256_base_point_mul(const cryptonite_p256_int *n,+                         cryptonite_p256_int *out_x,+                         cryptonite_p256_int *out_y);++// {out_x,out_y} := n{in_x,in_y}+void cryptonite_p256_point_mul(const cryptonite_p256_int *n,+                    const cryptonite_p256_int *in_x,+                    const cryptonite_p256_int *in_y,+                    cryptonite_p256_int *out_x,+                    cryptonite_p256_int *out_y);++// {out_x,out_y} := n1G + n2{in_x,in_y}+void cryptonite_p256_points_mul_vartime(+    const cryptonite_p256_int *n1, const cryptonite_p256_int *n2,+    const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,+    cryptonite_p256_int *out_x, cryptonite_p256_int *out_y);++// Return whether point {x,y} is on curve.+int cryptonite_p256_is_valid_point(const cryptonite_p256_int* x, const cryptonite_p256_int* y);++// Outputs big-endian binary form. No leading zero skips.+void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBYTES]);++// Reads from big-endian binary form,+// thus pre-pad with leading zeros if short.+void cryptonite_p256_from_bin(const uint8_t src[P256_NBYTES], cryptonite_p256_int* dst);++#define P256_DIGITS(x) ((x)->a)+#define P256_DIGIT(x,y) ((x)->a[y])++#define P256_ZERO {{0}}+#define P256_ONE {{1}}++#ifdef __cplusplus+}+#endif++#endif  // SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_
+ cbits/include64/p256/p256_gf.h view
@@ -0,0 +1,713 @@+/*+ * Copyright 2013 The Android Open Source Project+ *+ * Redistribution and use in source and binary forms, with or without+ * modification, are permitted provided that the following conditions are met:+ *     * Redistributions of source code must retain the above copyright+ *       notice, this list of conditions and the following disclaimer.+ *     * Redistributions in binary form must reproduce the above copyright+ *       notice, this list of conditions and the following disclaimer in the+ *       documentation and/or other materials provided with the distribution.+ *     * Neither the name of Google Inc. nor the names of its contributors may+ *       be used to endorse or promote products derived from this software+ *       without specific prior written permission.+ *+ * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO+ * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.+ */++// This is an implementation of the P256 finite field. It's written to be+// portable and still constant-time.+//+// WARNING: Implementing these functions in a constant-time manner is far from+//          obvious. Be careful when touching this code.+//+// See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background.++#include <stdint.h>+#include <stdio.h>++#include <string.h>+#include <stdlib.h>++#include "p256/p256.h"++typedef uint8_t u8;+typedef uint32_t u32;+typedef uint64_t u64;+typedef int64_t s64;+typedef __uint128_t u128;++/* Our field elements are represented as five 64-bit limbs.+ *+ * The value of an felem (field element) is:+ *   x[0] + (x[1] * 2**51) + (x[2] * 2**103) + ... + (x[4] * 2**206)+ *+ * That is, each limb is alternately 51 or 52-bits wide in little-endian+ * order.+ *+ * This means that an felem hits 2**257, rather than 2**256 as we would like.+ *+ * Finally, the values stored in an felem are in Montgomery form. So the value+ * |y| is stored as (y*R) mod p, where p is the P-256 prime and R is 2**257.+ */+typedef u64 limb;+#define NLIMBS 5+typedef limb felem[NLIMBS];++static const limb kBottom51Bits = 0x7ffffffffffff;+static const limb kBottom52Bits = 0xfffffffffffff;++/* kOne is the number 1 as an felem. It's 2**257 mod p split up into 51 and+ * 52-bit words. */+static const felem kOne = {+    2, 0xfc00000000000, 0x7ffffffffffff, 0xfff7fffffffff, 0x7ffff+};+static const felem kZero = {0};+static const felem kP = {+    0x7ffffffffffff, 0x1fffffffffff, 0, 0x4000000000, 0x3fffffffc0000+};+static const felem k2P = {+    0x7fffffffffffe, 0x3fffffffffff, 0, 0x8000000000, 0x7fffffff80000+};+/* kPrecomputed contains precomputed values to aid the calculation of scalar+ * multiples of the base point, G. It's actually two, equal length, tables+ * concatenated.+ *+ * The first table contains (x,y) felem pairs for 16 multiples of the base+ * point, G.+ *+ *   Index  |  Index (binary) | Value+ *       0  |           0000  | 0G (all zeros, omitted)+ *       1  |           0001  | G+ *       2  |           0010  | 2**64G+ *       3  |           0011  | 2**64G + G+ *       4  |           0100  | 2**128G+ *       5  |           0101  | 2**128G + G+ *       6  |           0110  | 2**128G + 2**64G+ *       7  |           0111  | 2**128G + 2**64G + G+ *       8  |           1000  | 2**192G+ *       9  |           1001  | 2**192G + G+ *      10  |           1010  | 2**192G + 2**64G+ *      11  |           1011  | 2**192G + 2**64G + G+ *      12  |           1100  | 2**192G + 2**128G+ *      13  |           1101  | 2**192G + 2**128G + G+ *      14  |           1110  | 2**192G + 2**128G + 2**64G+ *      15  |           1111  | 2**192G + 2**128G + 2**64G + G+ *+ * The second table follows the same style, but the terms are 2**32G,+ * 2**96G, 2**160G, 2**224G.+ *+ * This is ~2KB of data. */+static const limb kPrecomputed[NLIMBS * 2 * 15 * 2] = {+    0x661a831522878, 0xf17fb6d805e79, 0x5889441d6ea57, 0xae33cfdb995bb, 0xc482fbb529ba,+    0x4a6af9d2aac15, 0x90e867917377c, 0x487cc962d2ae3, 0xec2a97443446e, 0x2b8ff8c52c42,+    0x45f8a2d41a576, 0xb06988d2653e4, 0x718b22c357305, 0x33fc920e79d2b, 0x17af34b0fe8db,+    0x38e17eb402f2f, 0x3382558649705, 0x47f6d48f482d1, 0x7bd42488d9b83, 0x3b247c8b86b78,+    0x4d08fc26f7778, 0x7a29a82fb2795, 0x75cd18f90d11a, 0xad8e213b0bc, 0x2d5f0142899e8,+    0x506f98098fb57, 0x2f0c98301e4aa, 0x39b30dd5cf67d, 0x9c146498ab13c, 0xa5db92df5b7b,+    0x184897fc4124a, 0xe3f73a19d8aa, 0x4e1c18e47066b, 0x27b2d4b52eaee, 0x30eac3ea10e99,+    0x4e74546e2e7d5, 0x1f4dde2d97a1d, 0x6ead0f88e1200, 0x7dec87c220f02, 0x3d08ff096310f,+    0x23e5659633ffa, 0x6ec648f08c722, 0x3172a3806ea35, 0xf6e5b681eb3c5, 0x2c3758260f89d,+    0x38dca4fd1da12, 0xf06067b78830d, 0x3194be87a068c, 0x78893c7eb602b, 0xcead60438432,+    0x6ee69a56a67ab, 0xd886f77701895, 0x67b0a4d9cee2b, 0x3586bbf3e4d53, 0x1db6f32921d93,+    0x260756ca4b366, 0x4f40e9d2039fa, 0x4f3f09f5a82bf, 0xccde2d641e8cd, 0x305a30cd2e8c5,+    0x471c235cb5439, 0xab279cd962f5a, 0x17e1fb6e2dd94, 0xfe64589800a77, 0xe8793d99775f,+    0x48c62f4e614aa, 0xbf76ef20eb2a4, 0x669c672556c, 0x24683e0eff056, 0x12252b369ab76,+    0x821de9f162d5, 0xf911ec99a95be, 0x6721f065c906b, 0x58d452035c736, 0x1f9f01a6a15,+    0x6135009b7d8d3, 0xdaeeeb417dfc0, 0x63865fea0ee17, 0x6e0a304b939d6, 0x204ba2076833d,+    0x4ade586f35669, 0x2c1077e34611a, 0x5b1a3bea3b81a, 0xf97d018a22c8b, 0x38d7996b08af8,+    0x6ea62baeb7aa0, 0xebdcbd9ef2670, 0x35dc8fe0df3fe, 0xe458309d20c24, 0x11e87898716a0,+    0x7c44bab7cb456, 0xd64d3cf1bb64, 0x189bff1bf9e66, 0xb5218a049311, 0x285dda6cbcc81,+    0x3238dcafd8c7c, 0x607736c8de0, 0xdb83d99508b1, 0x4e1a0d404cd81, 0x1588008c00ff2,+    0x16b8b36722b27, 0x876609c3f3f1a, 0x66b72ef0e17d6, 0x705f8a279d568, 0x2eaac4cd01fdd,+    0x1171ce9705fe9, 0xffc79cd3264ee, 0x700c8ab4b80f0, 0x208d3d4f57a1, 0x337262a8ca4eb,+    0x297fd01d843fd, 0xa90956fa097f8, 0x529759fdb3845, 0x1d78c5e2d0397, 0x3d6938a4adbf3,+    0x16d5853560b66, 0xf138946b9a430, 0x2ab79f4dea6a0, 0xd42053ee43ae1, 0x3b9c3ef1cf870,+    0x598934ad81baf, 0x5f1821b1d07a7, 0x416bb3a973ff3, 0x23f07bd0a047a, 0x19bdc2e09f786,+    0x56dc9981cd51f, 0xfbace23c8cd65, 0x673bd3bf5b52e, 0x46a95d229fd61, 0xe09ad64bcfb1,+    0xe5292b91f17d, 0xfeefcd8afc287, 0x58f52b0a58711, 0x4800f20c201ef, 0x2084fce608f67,+    0x12ba0b128ae0b, 0x5977ae17030b4, 0x101126ee420f6, 0xf70823495c6bd, 0xde19a27d7770,+    0x5c6ac852260e8, 0x9d22950ac4356, 0x441cca955246c, 0x660a34e5332d9, 0x14ac8ea92f8d2,+    0x6b6d7709f307e, 0x67d7e13879db, 0x2ea8626f9fbbd, 0x99609006a4b40, 0x31bb2a8f8c779,+    0x10c04828ea335, 0xae9acdcbc080a, 0x617af2342607a, 0xc7494ea53e553, 0x2ca9e2872defa,+    0x6c399fab21f1f, 0xab139b245e758, 0x3ad933dcba589, 0x4797fecb08811, 0x31f5dbf8f594,+    0x7dc6361cc7a69, 0xc8a7953ead3f9, 0x79ed693d18015, 0x418a024999a6a, 0x2c4fdc9436aa,+    0x1eb98cb06aa75, 0x2989592796a9c, 0x11194821e425, 0xe27a648228388, 0x35d834b6c12a0,+    0x541807713b532, 0x7ae0a1008aaee, 0x7017a29bcb5e, 0x6b193c23c315c, 0x19bd25ac82f2a,+    0x6a01a43eef294, 0xddf5b5fd84f19, 0x33f5ba081c016, 0xdeb052d1bc082, 0x6b2f06afa617,+    0x7ca1eda6a939f, 0xbdeb35997b50c, 0x47f2d1bccda5, 0xc2ff4adfed667, 0x87712997be4,+    0x21fc2e2b37659, 0xf7d62cd5ed951, 0x27fa9cbdf7efa, 0xba25582bf3a6b, 0x2a42b8bd89398,+    0x6d377d07eecd2, 0x9ca1df5af387, 0x1109e3427e2ba, 0xce4aa4572a19, 0x103baaef71e16,+    0x2c3b2dfde328a, 0xbec4b4a30e1ef, 0x37d92a86204f3, 0x806cfde68eb39, 0x246e2f72b8aa5,+    0x68d3de93462a9, 0x53b8acba6bbc3, 0x2492a70fa1696, 0x38c62d5760f55, 0x15096fe4904f2,+    0x4e44e9bed3e3a, 0xb28bfd79cc9bc, 0x6a77513839320, 0x480dcec6739db, 0x3601b739f2465,+    0x43c348e2a7e1, 0xe448106327879, 0x175d9cae1b0ed, 0xd3b89dee743b8, 0x392d73ca255bc,+    0x32946db0d3a18, 0x9261b09907cc, 0x5ba517a755722, 0x51f24fdaf5184, 0x1cdc732989ed8,+    0x2f7806ba16694, 0xae0c9f029f8d0, 0xd8b45102ce1, 0xca1c7db9316d6, 0x162088a67066f,+    0x39de35b2b4162, 0xa19f550d88ae9, 0x7921b27026cde, 0x94b936b66e900, 0x1023bd5fa17fc,+    0x436837814cfa4, 0x29113492283c4, 0x66d1cdd8b51d8, 0xa540702278eb2, 0x47ef1b29285d,+    0x587b50917e50e, 0xb4cda75bab3b, 0x112520b0a9886, 0x66b9ac16fee49, 0x17bf17e92b2eb,+    0x2456a2f150ed7, 0xfa214412d0280, 0x3ca7dd947fe5b, 0xa72c28598d58a, 0x255d945efc3e,+    0x2873f04e0f215, 0x74178fd1af57b, 0x788848b5b2d6, 0xb1ffafaae0db6, 0x32a1b7b3cbb2a,+    0x4bd9935d6b2da, 0x9c08f24ad30a5, 0x4e58407a80f, 0x1b3a3825a5b17, 0x6547e9fc82f5,+    0x47484aa3656c3, 0x6ee43f341a494, 0x64a98f87adea2, 0x619b3f8e95f01, 0xb6e513266ed8,+    0x421c2a673090, 0xa1c1de32348c7, 0x55b85c3a1e8a3, 0xe05ce8ef330b4, 0x2561e49c15d84,+    0x40aa2d33130fa, 0x12b827d35866f, 0xfe4cf62c8ddb, 0x2fa0ef05bb28d, 0x1c06ca63f1cb8,+    0x32a971863863b, 0xff6fc86830da1, 0x71e7b25a14cf3, 0xea9c5ebb1373a, 0x250bbaa3e1634,+    0x5b5ffeda5b765, 0xf25d2a746331b, 0x115e3a3f43632, 0x67303af43c9d5, 0x14bb538a0e559,+    0x75623687d43b7, 0xa349674a4b38d, 0x613c61829ffc6, 0x689828d8110c7, 0x139115f5af7d5,+    0xf1d856152289, 0x45cbe967168ab, 0x51f38e1680901, 0x34808e8f652b0, 0x1f4a6a921e156,+    0x35dfaf3d8341f, 0xf53ace725cb63, 0x3d86a54eef35b, 0xa103aabaffe2c, 0x2decc36296fbd,+    0x510282be73d6f, 0xd4e6365db206a, 0x4bdc5f5bb8bf3, 0xde7ea32a3aee7, 0x71269e274305,+};+++/* Field element operations: */++/* NON_ZERO_TO_ALL_ONES returns:+ *   0xffffffffffffffff for 0 < x <= 2**63+ *   0 for x == 0 or x > 2**63.+ *+ * x must be a u64 or an equivalent type such as limb. */+#define NON_ZERO_TO_ALL_ONES(x) ((((u64)(x) - 1) >> 63) - 1)++/* felem_reduce_carry adds a multiple of p in order to cancel |carry|,+ * which is a term at 2**257.+ *+ * On entry: carry < 2**6, inout[0,2,...] < 2**51, inout[1,3,...] < 2**52.+ * On exit: inout[0,2,..] < 2**52, inout[1,3,...] < 2**53. */+static void felem_reduce_carry(felem inout, limb carry) {+  const u64 carry_mask = NON_ZERO_TO_ALL_ONES(carry);++  inout[0] += carry << 1;+  inout[1] += 0x10000000000000 & carry_mask;+  /* carry < 2**6 thus (carry << 46) < 2**52 and we added 2**52 in the+   * previous line therefore this doesn't underflow. */+  inout[1] -= carry << 46;+  inout[2] += (0x8000000000000 - 1) & carry_mask;+  inout[3] += (0x10000000000000 - 1) & carry_mask;+  inout[3] -= carry << 39;+  /* This may underflow if carry is non-zero but, if so, we'll fix it in the+   * next line. */+  inout[4] -= 1 & carry_mask;+  inout[4] += carry << 19;+}++/* felem_sum sets out = in+in2.+ *+ * On entry, in[i]+in2[i] must not overflow a 64-bit word.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53 */+static void felem_sum(felem out, const felem in, const felem in2) {+  limb carry = 0;+  unsigned i;++  for (i = 0;; i++) {+    out[i] = in[i] + in2[i];+    out[i] += carry;+    carry = out[i] >> 51;+    out[i] &= kBottom51Bits;++    i++;+    if (i == NLIMBS)+      break;++    out[i] = in[i] + in2[i];+    out[i] += carry;+    carry = out[i] >> 52;+    out[i] &= kBottom52Bits;+  }++  felem_reduce_carry(out, carry);+}++#define two53m3 (((limb)1) << 53) - (((limb)1) << 3)+#define two54m52p48m2 (((limb)1) << 54) - (((limb)1) << 52) + (((limb)1) << 48) - (((limb)1) << 2)+#define two53m2p0 (((limb)1) << 53) - (((limb)1) << 2) + (((limb)1) << 0)+#define two54m52p41m2 (((limb)1) << 54) - (((limb)1) << 52) + (((limb)1) << 41) - (((limb)1) << 2)+#define two53m21m2p0 (((limb)1) << 53) - (((limb)1) << 21) - (((limb)1) << 2) + (((limb)1) << 0)++/* zero53 is 0 mod p. */+static const felem zero53 = { two53m3, two54m52p48m2, two53m2p0, two54m52p41m2, two53m21m2p0 };++/* felem_diff sets out = in-in2.+ *+ * On entry: in[0,2,...] < 2**52, in[1,3,...] < 2**53 and+ *           in2[0,2,...] < 2**52, in2[1,3,...] < 2**53.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53. */+static void felem_diff(felem out, const felem in, const felem in2) {+  limb carry = 0;+  unsigned i;++   for (i = 0;; i++) {+    out[i] = in[i] - in2[i];+    out[i] += zero53[i];+    out[i] += carry;+    carry = out[i] >> 51;+    out[i] &= kBottom51Bits;++    i++;+    if (i == NLIMBS)+      break;++    out[i] = in[i] - in2[i];+    out[i] += zero53[i];+    out[i] += carry;+    carry = out[i] >> 52;+    out[i] &= kBottom52Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_reduce_degree sets out = tmp/R mod p where tmp contains 64-bit words+ * with the same 51,52,... bit positions as an felem.+ *+ * The values in felems are in Montgomery form: x*R mod p where R = 2**257.+ * Since we just multiplied two Montgomery values together, the result is+ * x*y*R*R mod p. We wish to divide by R in order for the result also to be+ * in Montgomery form.+ *+ * On entry: tmp[i] < 2**128+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53 */+static void felem_reduce_degree(felem out, u128 tmp[9]) {+   /* The following table may be helpful when reading this code:+    *+    * Limb number:   0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10+    * Width (bits):  51| 52| 51| 52| 51| 52| 51| 52| 51| 52| 51+    * Start bit:     0 | 51|103|154|206|257|309|360|412|463|515+    *   (odd phase): 0 | 52|103|155|206|258|309|361|412|464|515 */+  limb tmp2[10], carry, x, xShiftedMask;+  unsigned i;++  /* tmp contains 128-bit words with the same 51,52,51-bit positions as an+   * felem. So the top of an element of tmp might overlap with another+   * element two positions down. The following loop eliminates this+   * overlap. */+  tmp2[0] = (limb)(tmp[0] & kBottom51Bits);++  /* In the following we use "(limb) tmp[x]" and "(limb) (tmp[x]>>64)" to try+   * and hint to the compiler that it can do a single-word shift by selecting+   * the right register rather than doing a double-word shift and truncating+   * afterwards. */+  tmp2[1] = ((limb) tmp[0]) >> 51;+  tmp2[1] |= (((limb)(tmp[0] >> 64)) << 13) & kBottom52Bits;+  tmp2[1] += ((limb) tmp[1]) & kBottom52Bits;+  carry = tmp2[1] >> 52;+  tmp2[1] &= kBottom52Bits;++  for (i = 2; i < 9; i++) {+    tmp2[i] = ((limb)(tmp[i - 2] >> 64)) >> 39;+    tmp2[i] += ((limb)(tmp[i - 1])) >> 52;+    tmp2[i] += (((limb)(tmp[i - 1] >> 64)) << 12) & kBottom51Bits;+    tmp2[i] += ((limb) tmp[i]) & kBottom51Bits;+    tmp2[i] += carry;+    carry = tmp2[i] >> 51;+    tmp2[i] &= kBottom51Bits;++    i++;+    if (i == 9)+      break;+    tmp2[i] = ((limb)(tmp[i - 2] >> 64)) >> 39;+    tmp2[i] += ((limb)(tmp[i - 1])) >> 51;+    tmp2[i] += (((limb)(tmp[i - 1] >> 64)) << 13) & kBottom52Bits;+    tmp2[i] += ((limb) tmp[i]) & kBottom52Bits;+    tmp2[i] += carry;+    carry = tmp2[i] >> 52;+    tmp2[i] &= kBottom52Bits;+  }++  tmp2[9] = ((limb)(tmp[7] >> 64)) >> 39;+  tmp2[9] += ((limb)(tmp[8])) >> 51;+  tmp2[9] += (((limb)(tmp[8] >> 64)) << 13);+  tmp2[9] += carry;++  /* Montgomery elimination of terms.+   *+   * Since R is 2**257, we can divide by R with a bitwise shift if we can+   * ensure that the right-most 257 bits are all zero. We can make that true by+   * adding multiplies of p without affecting the value.+   *+   * So we eliminate limbs from right to left. Since the bottom 51 bits of p+   * are all ones, then by adding tmp2[0]*p to tmp2 we'll make tmp2[0] == 0.+   * We can do that for 8 further limbs and then right shift to eliminate the+   * extra factor of R. */+  for (i = 0;; i += 2) {+    tmp2[i + 1] += tmp2[i] >> 51;+    x = tmp2[i] & kBottom51Bits;+    xShiftedMask = NON_ZERO_TO_ALL_ONES(x >> 1);+    tmp2[i] = 0;++    /* The bounds calculations for this loop are tricky. Each iteration of+     * the loop eliminates two words by adding values to words to their+     * right.+     *+     * The following table contains the amounts added to each word (as an+     * offset from the value of i at the top of the loop). The amounts are+     * accounted for from the first and second half of the loop separately+     * and are written as, for example, 51 to mean a value <2**51.+     *+     * Word:                   1   2   3   4   5   6+     * Added in top half:     52  44  52  37  50+     *                                    51+     *                                    51+     * Added in bottom half:      51  45  51  38  50+     *                                        52+     *                                        52+     *+     * The value that is currently offset 5 will be offset 3 for the next+     * iteration and then offset 1 for the iteration after that. Therefore+     * the total value added will be the values added at 5, 3 and 1.+     *+     * The following table accumulates these values. The sums at the bottom+     * are written as, for example, 53+45, to mean a value < 2**53+2**45.+     *+     * Word:                   1   2   3   4   5   6   7   8   9+     *                        52  44  52  37  50  50  50  50  50+     *                            51  45  51  38  37  38  37+     *                                52  51  52  51  52  51+     *                                    51  52  51  52  51+     *                                    44  52  51  52+     *                                    51  45  44+     *                                        52+     *                        ------------------------------------+     *                                53+ 53+ 54+ 52+ 53+ 52++     *                                45  44+ 50+ 51+ 52+ 50++     *                                    37  45+ 50+ 50+ 37+     *                                        38  44+ 38+     *                                            37+     *+     * So the greatest amount is added to tmp2[5]. If tmp2[5] has an initial+     * value of <2**52, then the maximum value will be < 2**54 + 2**52 + 2**50 ++     * 2**45 + 2**38, which is < 2**64, as required. */+    tmp2[i + 1] += (x << 45) & kBottom52Bits;+    tmp2[i + 2] += x >> 7;++    tmp2[i + 3] += (x << 38) & kBottom52Bits;+    tmp2[i + 4] += x >> 14;++    /* On tmp2[i + 4], when x < 2**1, the subtraction with (x << 18) will not+     * underflow because it is balanced with the (x << 50) term.  On the next+     * word tmp2[i + 5], terms with (x >> 1) and (x >> 33) are both zero and+     * there is no underflow either.+     *+     * When x >= 2**1, we add 2**51 to tmp2[i + 4] to avoid an underflow.+     * Removing 1 from tmp2[i + 5] is safe because (x >> 1) - (x >> 33) is+     * strictly positive.+     */+    tmp2[i + 4] += 0x8000000000000 & xShiftedMask;+    tmp2[i + 5] -= 1 & xShiftedMask;++    tmp2[i + 4] -= (x << 18) & kBottom51Bits;+    tmp2[i + 4] += (x << 50) & kBottom51Bits;+    tmp2[i + 5] += (x >> 1) - (x >> 33);++    if (i+1 == NLIMBS)+      break;+    tmp2[i + 2] += tmp2[i + 1] >> 52;+    x = tmp2[i + 1] & kBottom52Bits;+    xShiftedMask = NON_ZERO_TO_ALL_ONES(x >> 2);+    tmp2[i + 1] = 0;++    tmp2[i + 2] += (x << 44) & kBottom51Bits;+    tmp2[i + 3] += x >> 7;++    tmp2[i + 4] += (x << 37) & kBottom51Bits;+    tmp2[i + 5] += x >> 14;++    /* On tmp2[i + 5], when x < 2**2, the subtraction with (x << 18) will not+     * underflow because it is balanced with the (x << 50) term.  On the next+     * word tmp2[i + 6], terms with (x >> 2) and (x >> 34) are both zero and+     * there is no underflow either.+     *+     * When x >= 2**2, we add 2**52 to tmp2[i + 5] to avoid an underflow.+     * Removing 1 from tmp2[i + 6] is safe because (x >> 2) - (x >> 34) is+     * stricly positive.+     */+    tmp2[i + 5] += 0x10000000000000 & xShiftedMask;+    tmp2[i + 6] -= 1 & xShiftedMask;++    tmp2[i + 5] -= (x << 18) & kBottom52Bits;+    tmp2[i + 5] += (x << 50) & kBottom52Bits;+    tmp2[i + 6] += (x >> 2) - (x >> 34);+  }++  /* We merge the right shift with a carry chain. The words above 2**257 have+   * widths of 52,51,... which we need to correct when copying them down.  */+  carry = 0;+  for (i = 0; i < 4; i++) {+    out[i] = tmp2[i + 5];+    out[i] += carry;+    carry = out[i] >> 51;+    out[i] &= kBottom51Bits;++    i++;+    out[i] = tmp2[i + 5] << 1;+    out[i] += carry;+    carry = out[i] >> 52;+    out[i] &= kBottom52Bits;+  }++  out[4] = tmp2[9];+  out[4] += carry;+  carry = out[4] >> 51;+  out[4] &= kBottom51Bits;++  felem_reduce_carry(out, carry);+}++/* felem_square sets out=in*in.+ *+ * On entry: in[0,2,...] < 2**52, in[1,3,...] < 2**53.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53. */+static void felem_square(felem out, const felem in) {+  u128 tmp[9], x1x1, x3x3;++  x1x1 = ((u128) in[1]) * in[1];+  x3x3 = ((u128) in[3]) * in[3];++  tmp[0] = ((u128) in[0]) * (in[0] << 0);+  tmp[1] = ((u128) in[0]) * (in[1] << 1) + ((x1x1 & 1) << 51);+  tmp[2] = ((u128) in[0]) * (in[2] << 1) + (x1x1 >> 1);+  tmp[3] = ((u128) in[0]) * (in[3] << 1) ++           ((u128) in[1]) * (in[2] << 1);+  tmp[4] = ((u128) in[0]) * (in[4] << 1) ++           ((u128) in[1]) * (in[3] << 0) ++           ((u128) in[2]) * (in[2] << 0);+  tmp[5] = ((u128) in[1]) * (in[4] << 1) ++           ((u128) in[2]) * (in[3] << 1) + ((x3x3 & 1) << 51);+  tmp[6] = ((u128) in[2]) * (in[4] << 1) + (x3x3 >> 1);+  tmp[7] = ((u128) in[3]) * (in[4] << 1);+  tmp[8] = ((u128) in[4]) * (in[4] << 0);++  felem_reduce_degree(out, tmp);+}++/* felem_mul sets out=in*in2.+ *+ * On entry: in[0,2,...] < 2**52, in[1,3,...] < 2**53 and+ *           in2[0,2,...] < 2**52, in2[1,3,...] < 2**53.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53. */+static void felem_mul(felem out, const felem in, const felem in2) {+  u128 tmp[9], x1y1, x1y3, x3y1, x3y3;++  x1y1 = ((u128) in[1]) * in2[1];+  x1y3 = ((u128) in[1]) * in2[3];+  x3y1 = ((u128) in[3]) * in2[1];+  x3y3 = ((u128) in[3]) * in2[3];++  tmp[0] = ((u128) in[0]) * in2[0];+  tmp[1] = ((u128) in[0]) * in2[1] ++           ((u128) in[1]) * in2[0] + ((x1y1 & 1) << 51);+  tmp[2] = ((u128) in[0]) * in2[2] + (x1y1 >> 1) ++           ((u128) in[2]) * in2[0];+  tmp[3] = ((u128) in[0]) * in2[3] ++           ((u128) in[1]) * in2[2] ++           ((u128) in[2]) * in2[1] + ((x1y3 & 1) << 51) ++           ((u128) in[3]) * in2[0] + ((x3y1 & 1) << 51);+  tmp[4] = ((u128) in[0]) * in2[4] + (x1y3 >> 1) ++           ((u128) in[2]) * in2[2] + (x3y1 >> 1) ++           ((u128) in[4]) * in2[0];+  tmp[5] = ((u128) in[1]) * in2[4] ++           ((u128) in[2]) * in2[3] ++           ((u128) in[3]) * in2[2] ++           ((u128) in[4]) * in2[1] + ((x3y3 & 1) << 51);+  tmp[6] = ((u128) in[2]) * in2[4] + (x3y3 >> 1) ++           ((u128) in[4]) * in2[2];+  tmp[7] = ((u128) in[3]) * in2[4] ++           ((u128) in[4]) * in2[3];+  tmp[8] = ((u128) in[4]) * in2[4];++  felem_reduce_degree(out, tmp);+}++static void felem_assign(felem out, const felem in) {+  memcpy(out, in, sizeof(felem));+}++/* felem_scalar_3 sets out=3*out.+ *+ * On entry: out[0,2,...] < 2**52, out[1,3,...] < 2**53.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53. */+static void felem_scalar_3(felem out) {+  limb carry = 0;+  unsigned i;++  for (i = 0;; i++) {+    out[i] *= 3;+    out[i] += carry;+    carry = out[i] >> 51;+    out[i] &= kBottom51Bits;++    i++;+    if (i == NLIMBS)+      break;++    out[i] *= 3;+    out[i] += carry;+    carry = out[i] >> 52;+    out[i] &= kBottom52Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_scalar_4 sets out=4*out.+ *+ * On entry: out[0,2,...] < 2**52, out[1,3,...] < 2**53.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53. */+static void felem_scalar_4(felem out) {+  limb carry = 0, next_carry;+  unsigned i;++  for (i = 0;; i++) {+    next_carry = out[i] >> 49;+    out[i] <<= 2;+    out[i] &= kBottom51Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 51);+    out[i] &= kBottom51Bits;++    i++;+    if (i == NLIMBS)+      break;++    next_carry = out[i] >> 50;+    out[i] <<= 2;+    out[i] &= kBottom52Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 52);+    out[i] &= kBottom52Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_scalar_8 sets out=8*out.+ *+ * On entry: out[0,2,...] < 2**52, out[1,3,...] < 2**53.+ * On exit: out[0,2,...] < 2**52, out[1,3,...] < 2**53. */+static void felem_scalar_8(felem out) {+  limb carry = 0, next_carry;+  unsigned i;++  for (i = 0;; i++) {+    next_carry = out[i] >> 48;+    out[i] <<= 3;+    out[i] &= kBottom51Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 51);+    out[i] &= kBottom51Bits;++    i++;+    if (i == NLIMBS)+      break;++    next_carry = out[i] >> 49;+    out[i] <<= 3;+    out[i] &= kBottom52Bits;+    out[i] += carry;+    carry = next_carry + (out[i] >> 52);+    out[i] &= kBottom52Bits;+  }++  felem_reduce_carry(out, carry);+}++/* felem_is_zero_vartime returns 1 iff |in| == 0. It takes a variable amount of+ * time depending on the value of |in|. */+static char felem_is_zero_vartime(const felem in) {+  limb carry;+  int i;+  limb tmp[NLIMBS];++  felem_assign(tmp, in);++  /* First, reduce tmp to a minimal form. */+  do {+    carry = 0;+    for (i = 0;; i++) {+      tmp[i] += carry;+      carry = tmp[i] >> 51;+      tmp[i] &= kBottom51Bits;++      i++;+      if (i == NLIMBS)+        break;++      tmp[i] += carry;+      carry = tmp[i] >> 52;+      tmp[i] &= kBottom52Bits;+    }++    felem_reduce_carry(tmp, carry);+  } while (carry);++  /* tmp < 2**257, so the only possible zero values are 0, p and 2p. */+  return memcmp(tmp, kZero, sizeof(tmp)) == 0 ||+         memcmp(tmp, kP, sizeof(tmp)) == 0 ||+         memcmp(tmp, k2P, sizeof(tmp)) == 0;+}+++/* Montgomery operations: */++#define kRDigits {2, 0xfffffffe00000000, 0xffffffffffffffff, 0x1fffffffd} // 2^257 mod p256.p++#define kRInvDigits {0x180000000, 0xffffffff, 0xfffffffe80000001, 0x7fffffff00000001}  // 1 / 2^257 mod p256.p++static const cryptonite_p256_int kR = { kRDigits };+static const cryptonite_p256_int kRInv = { kRInvDigits };++/* to_montgomery sets out = R*in. */+static void to_montgomery(felem out, const cryptonite_p256_int* in) {+  cryptonite_p256_int in_shifted;+  int i;++  cryptonite_p256_init(&in_shifted);+  cryptonite_p256_modmul(&cryptonite_SECP256r1_p, in, 0, &kR, &in_shifted);++  for (i = 0; i < NLIMBS; i++) {+    if ((i & 1) == 0) {+      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom51Bits;+      cryptonite_p256_shr(&in_shifted, 51, &in_shifted);+    } else {+      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom52Bits;+      cryptonite_p256_shr(&in_shifted, 52, &in_shifted);+    }+  }++  cryptonite_p256_clear(&in_shifted);+}++/* from_montgomery sets out=in/R. */+static void from_montgomery(cryptonite_p256_int* out, const felem in) {+  cryptonite_p256_int result, tmp;+  int i, top;++  cryptonite_p256_init(&result);+  cryptonite_p256_init(&tmp);++  cryptonite_p256_add_d(&tmp, in[NLIMBS - 1], &result);+  for (i = NLIMBS - 2; i >= 0; i--) {+    if ((i & 1) == 0) {+      top = cryptonite_p256_shl(&result, 51, &tmp);+    } else {+      top = cryptonite_p256_shl(&result, 52, &tmp);+    }+    top += cryptonite_p256_add_d(&tmp, in[i], &result);+  }++  cryptonite_p256_modmul(&cryptonite_SECP256r1_p, &kRInv, top, &result, out);++  cryptonite_p256_clear(&result);+  cryptonite_p256_clear(&tmp);+}
cbits/p256/p256.c view
@@ -25,7 +25,7 @@  */  // This is an implementation of the P256 elliptic curve group. It's written to-// be portable 32-bit, although it's still constant-time.+// be portable and still constant-time. // // WARNING: Implementing these functions in a constant-time manner is far from //          obvious. Be careful when touching this code.@@ -40,14 +40,16 @@ #include "p256/p256.h"  const cryptonite_p256_int cryptonite_SECP256r1_n =  // curve order-  {{0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, -1, -1, 0, -1}};+  {{P256_LITERAL(0xfc632551, 0xf3b9cac2), P256_LITERAL(0xa7179e84, 0xbce6faad),+    P256_LITERAL(-1, -1), P256_LITERAL(0, -1)}};  const cryptonite_p256_int cryptonite_SECP256r1_p =  // curve field size-  {{-1, -1, -1, 0, 0, 0, 1, -1 }};+  {{P256_LITERAL(-1, -1), P256_LITERAL(-1, 0),+    P256_LITERAL(0, 0), P256_LITERAL(1, -1) }};  const cryptonite_p256_int cryptonite_SECP256r1_b =  // curve b-  {{0x27d2604b, 0x3bce3c3e, 0xcc53b0f6, 0x651d06b0,-    0x769886bc, 0xb3ebbd55, 0xaa3a93e7, 0x5ac635d8}};+  {{P256_LITERAL(0x27d2604b, 0x3bce3c3e), P256_LITERAL(0xcc53b0f6, 0x651d06b0),+    P256_LITERAL(0x769886bc, 0xb3ebbd55), P256_LITERAL(0xaa3a93e7, 0x5ac635d8)}};  void cryptonite_p256_init(cryptonite_p256_int* a) {   memset(a, 0, sizeof(*a));@@ -61,9 +63,10 @@ }  int cryptonite_p256_is_zero(const cryptonite_p256_int* a) {-  int i, result = 0;+  cryptonite_p256_digit result = 0;+  int i = 0;   for (i = 0; i < P256_NDIGITS; ++i) result |= P256_DIGIT(a, i);-  return !result;+  return result == 0; }  // top, c[] += a[] * b@@ -167,6 +170,10 @@     // top can be any value at this point.     // Guestimate reducer as top * MOD, since msw of MOD is -1.     top_reducer = mulAdd(MOD, top, 0, reducer);+#if P256_BITSPERDIGIT > 32+    // Correction when msw of MOD has only high 32 bits set+    top_reducer += mulAdd(MOD, top >> 32, 0, reducer);+#endif      // Subtract reducer from top | tmp.     top = subTop(top_reducer, reducer, top, tmp + i);@@ -229,7 +236,7 @@     P256_DIGIT(b, i) = accu;   }   P256_DIGIT(b, i) = (P256_DIGIT(a, i) >> 1) |-      (highbit << (P256_BITSPERDIGIT - 1));+      (((cryptonite_p256_sdigit) highbit) << (P256_BITSPERDIGIT - 1)); }  // Return -1, 0, 1 for a < b, a == b or a > b respectively.@@ -359,30 +366,163 @@ }  void cryptonite_p256_from_bin(const uint8_t src[P256_NBYTES], cryptonite_p256_int* dst) {-  int i;+  int i, n;   const uint8_t* p = &src[0];    for (i = P256_NDIGITS - 1; i >= 0; --i) {-    P256_DIGIT(dst, i) =-        (p[0] << 24) |-        (p[1] << 16) |-        (p[2] << 8) |-        p[3];-    p += 4;+    cryptonite_p256_digit dig = 0;+    n = P256_BITSPERDIGIT;+    while (n > 0) {+      n -= 8;+      dig |= ((cryptonite_p256_digit) *(p++)) << n;+    }+    P256_DIGIT(dst, i) = dig;   } }  void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBYTES]) {-	int i;+	int i, n; 	uint8_t* p = &dst[0];  	for (i = P256_NDIGITS -1; i >= 0; --i) { 		const cryptonite_p256_digit dig = P256_DIGIT(src, i);-		p[0] = dig >> 24;-		p[1] = dig >> 16;-		p[2] = dig >> 8;-		p[3] = dig;-		p += 4;+		n = P256_BITSPERDIGIT;+		while (n > 0) {+			n -= 8;+			*(p++) = dig >> n;+		} 	}+}++/*+  "p256e" functions are not part of the original source+*/++#define MSB_COMPLEMENT(x) (((x) >> (P256_BITSPERDIGIT - 1)) - 1)++// c = a + b mod MOD+void cryptonite_p256e_modadd(const cryptonite_p256_int* MOD, const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {+  assert(c);  /* avoid repeated checks inside inlined cryptonite_p256_add */+  cryptonite_p256_digit top = cryptonite_p256_add(a, b, c);+  top = subM(MOD, top, P256_DIGITS(c), -1);+  top = subM(MOD, top, P256_DIGITS(c), MSB_COMPLEMENT(top));+  addM(MOD, 0, P256_DIGITS(c), top);+}++// c = a - b mod MOD+void cryptonite_p256e_modsub(const cryptonite_p256_int* MOD, const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {+  assert(c); /* avoid repeated checks inside inlined cryptonite_p256_sub */+  cryptonite_p256_digit top = cryptonite_p256_sub(a, b, c);+  top = addM(MOD, top, P256_DIGITS(c), ~MSB_COMPLEMENT(top));+  top = subM(MOD, top, P256_DIGITS(c), MSB_COMPLEMENT(top));+  addM(MOD, 0, P256_DIGITS(c), top);+}++#define NTH_DOUBLE_THEN_ADD(i, a, nth, b, out)   \+    cryptonite_p256e_montmul(a, a, out);         \+    for (i = 1; i < nth; i++)                    \+        cryptonite_p256e_montmul(out, out, out); \+    cryptonite_p256e_montmul(out, b, out);++const cryptonite_p256_int cryptonite_SECP256r1_r2 = // r^2 mod n+  {{P256_LITERAL(0xBE79EEA2, 0x83244C95), P256_LITERAL(0x49BD6FA6, 0x4699799C),+    P256_LITERAL(0x2B6BEC59, 0x2845B239), P256_LITERAL(0xF3D95620, 0x66E12D94)}};++const cryptonite_p256_int cryptonite_SECP256r1_one = {{1}};++// Montgomery multiplication, i.e. c = ab/r mod n with r = 2^256.+// Implementation is adapted from 'sc_montmul' in libdecaf.+static void cryptonite_p256e_montmul(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c) {+  int i, j, borrow;+  cryptonite_p256_digit accum[P256_NDIGITS+1] = {0};+  cryptonite_p256_digit hi_carry = 0;++  for (i=0; i<P256_NDIGITS; i++) {+    cryptonite_p256_digit mand = P256_DIGIT(a, i);+    const cryptonite_p256_digit *mier = P256_DIGITS(b);++    cryptonite_p256_ddigit chain = 0;+    for (j=0; j<P256_NDIGITS; j++) {+      chain += ((cryptonite_p256_ddigit)mand)*mier[j] + accum[j];+      accum[j] = chain;+      chain >>= P256_BITSPERDIGIT;+    }+    accum[j] = chain;++    mand = accum[0] * P256_MONTGOMERY_FACTOR;+    chain = 0;+    mier = P256_DIGITS(&cryptonite_SECP256r1_n);+    for (j=0; j<P256_NDIGITS; j++) {+      chain += (cryptonite_p256_ddigit)mand*mier[j] + accum[j];+      if (j) accum[j-1] = chain;+      chain >>= P256_BITSPERDIGIT;+    }+    chain += accum[j];+    chain += hi_carry;+    accum[j-1] = chain;+    hi_carry = chain >> P256_BITSPERDIGIT;+  }++  memcpy(P256_DIGITS(c), accum, sizeof(*c));+  borrow = cryptonite_p256_sub(c, &cryptonite_SECP256r1_n, c);+  addM(&cryptonite_SECP256r1_n, 0, P256_DIGITS(c), borrow + hi_carry);+}++// b = 1/a mod n, using Fermat's little theorem.+void cryptonite_p256e_scalar_invert(const cryptonite_p256_int* a, cryptonite_p256_int* b) {+  cryptonite_p256_int _1, _10, _11, _101, _111, _1010, _1111;+  cryptonite_p256_int _10101, _101010, _101111, x6, x8, x16, x32;+  int i;++  // Montgomerize+  cryptonite_p256e_montmul(a, &cryptonite_SECP256r1_r2, &_1);++  // P-256 (secp256r1) Scalar Inversion+  // <https://briansmith.org/ecc-inversion-addition-chains-01>+  cryptonite_p256e_montmul(&_1     , &_1     , &_10);+  cryptonite_p256e_montmul(&_10    , &_1     , &_11);+  cryptonite_p256e_montmul(&_10    , &_11    , &_101);+  cryptonite_p256e_montmul(&_10    , &_101   , &_111);+  cryptonite_p256e_montmul(&_101   , &_101   , &_1010);+  cryptonite_p256e_montmul(&_101   , &_1010  , &_1111);+  NTH_DOUBLE_THEN_ADD(i, &_1010,  1   , &_1     , &_10101);+  cryptonite_p256e_montmul(&_10101 , &_10101 , &_101010);+  cryptonite_p256e_montmul(&_101   , &_101010, &_101111);+  cryptonite_p256e_montmul(&_10101 , &_101010, &x6);+  NTH_DOUBLE_THEN_ADD(i, &x6   ,  2   , &_11    , &x8);+  NTH_DOUBLE_THEN_ADD(i, &x8   ,  8   , &x8     , &x16);+  NTH_DOUBLE_THEN_ADD(i, &x16  , 16   , &x16    , &x32);++  NTH_DOUBLE_THEN_ADD(i, &x32  , 32+32, &x32    , b);+  NTH_DOUBLE_THEN_ADD(i, b     ,    32, &x32    , b);+  NTH_DOUBLE_THEN_ADD(i, b     ,     6, &_101111, b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 3, &_111   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 2, &_11    , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 1 + 4, &_1111  , b);+  NTH_DOUBLE_THEN_ADD(i, b     ,     5, &_10101 , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 1 + 3, &_101   , b);+  NTH_DOUBLE_THEN_ADD(i, b     ,     3, &_101   , b);+  NTH_DOUBLE_THEN_ADD(i, b     ,     3, &_101   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 3, &_111   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 3 + 6, &_101111, b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 4, &_1111  , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 1 + 1, &_1     , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 4 + 1, &_1     , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 4, &_1111  , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 3, &_111   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 1 + 3, &_111   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 3, &_111   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 3, &_101   , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 1 + 2, &_11    , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 4 + 6, &_101111, b);+  NTH_DOUBLE_THEN_ADD(i, b     ,     2, &_11    , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 3 + 2, &_11    , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 3 + 2, &_11    , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 1, &_1     , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 5, &_10101 , b);+  NTH_DOUBLE_THEN_ADD(i, b     , 2 + 4, &_1111  , b);++  // Demontgomerize+  cryptonite_p256e_montmul(b, &cryptonite_SECP256r1_one, b); }
− cbits/p256/p256.h
@@ -1,162 +0,0 @@-/*- * Copyright 2013 The Android Open Source Project- *- * Redistribution and use in source and binary forms, with or without- * modification, are permitted provided that the following conditions are met:- *     * Redistributions of source code must retain the above copyright- *       notice, this list of conditions and the following disclaimer.- *     * Redistributions in binary form must reproduce the above copyright- *       notice, this list of conditions and the following disclaimer in the- *       documentation and/or other materials provided with the distribution.- *     * Neither the name of Google Inc. nor the names of its contributors may- *       be used to endorse or promote products derived from this software- *       without specific prior written permission.- *- * THIS SOFTWARE IS PROVIDED BY Google Inc. ``AS IS'' AND ANY EXPRESS OR- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO- * EVENT SHALL Google Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.- */--#ifndef SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_-#define SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_--// Collection of routines manipulating 256 bit unsigned integers.-// Just enough to implement ecdsa-p256 and related algorithms.--#include <stdint.h>--#ifdef __cplusplus-extern "C" {-#endif--#define P256_BITSPERDIGIT 32-#define P256_NDIGITS 8-#define P256_NBYTES 32--typedef int cryptonite_p256_err;-typedef uint32_t cryptonite_p256_digit;-typedef int32_t cryptonite_p256_sdigit;-typedef uint64_t cryptonite_p256_ddigit;-typedef int64_t cryptonite_p256_sddigit;--// Defining cryptonite_p256_int as struct to leverage struct assigment.-typedef struct {-  cryptonite_p256_digit a[P256_NDIGITS];-} cryptonite_p256_int;--extern const cryptonite_p256_int cryptonite_SECP256r1_n;  // Curve order-extern const cryptonite_p256_int cryptonite_SECP256r1_p;  // Curve prime-extern const cryptonite_p256_int cryptonite_SECP256r1_b;  // Curve param--// Initialize a cryptonite_p256_int to zero.-void cryptonite_p256_init(cryptonite_p256_int* a);--// Clear a cryptonite_p256_int to zero.-void cryptonite_p256_clear(cryptonite_p256_int* a);--// Return bit. Index 0 is least significant.-int cryptonite_p256_get_bit(const cryptonite_p256_int* a, int index);--// b := a % MOD-void cryptonite_p256_mod(-    const cryptonite_p256_int* MOD,-    const cryptonite_p256_int* a,-    cryptonite_p256_int* b);--// c := a * (top_b | b) % MOD-void cryptonite_p256_modmul(-    const cryptonite_p256_int* MOD,-    const cryptonite_p256_int* a,-    const cryptonite_p256_digit top_b,-    const cryptonite_p256_int* b,-    cryptonite_p256_int* c);--// b := 1 / a % MOD-// MOD best be SECP256r1_n-void cryptonite_p256_modinv(-    const cryptonite_p256_int* MOD,-    const cryptonite_p256_int* a,-    cryptonite_p256_int* b);--// b := 1 / a % MOD-// MOD best be SECP256r1_n-// Faster than cryptonite_p256_modinv()-void cryptonite_p256_modinv_vartime(-    const cryptonite_p256_int* MOD,-    const cryptonite_p256_int* a,-    cryptonite_p256_int* b);--// b := a << (n % P256_BITSPERDIGIT)-// Returns the bits shifted out of most significant digit.-cryptonite_p256_digit cryptonite_p256_shl(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);--// b := a >> (n % P256_BITSPERDIGIT)-void cryptonite_p256_shr(const cryptonite_p256_int* a, int n, cryptonite_p256_int* b);--int cryptonite_p256_is_zero(const cryptonite_p256_int* a);-int cryptonite_p256_is_odd(const cryptonite_p256_int* a);-int cryptonite_p256_is_even(const cryptonite_p256_int* a);--// Returns -1, 0 or 1.-int cryptonite_p256_cmp(const cryptonite_p256_int* a, const cryptonite_p256_int *b);--// c: = a - b-// Returns -1 on borrow.-int cryptonite_p256_sub(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);--// c := a + b-// Returns 1 on carry.-int cryptonite_p256_add(const cryptonite_p256_int* a, const cryptonite_p256_int* b, cryptonite_p256_int* c);--// c := a + (single digit)b-// Returns carry 1 on carry.-int cryptonite_p256_add_d(const cryptonite_p256_int* a, cryptonite_p256_digit b, cryptonite_p256_int* c);--// ec routines.--// {out_x,out_y} := nG-void cryptonite_p256_base_point_mul(const cryptonite_p256_int *n,-                         cryptonite_p256_int *out_x,-                         cryptonite_p256_int *out_y);--// {out_x,out_y} := n{in_x,in_y}-void cryptonite_p256_point_mul(const cryptonite_p256_int *n,-                    const cryptonite_p256_int *in_x,-                    const cryptonite_p256_int *in_y,-                    cryptonite_p256_int *out_x,-                    cryptonite_p256_int *out_y);--// {out_x,out_y} := n1G + n2{in_x,in_y}-void cryptonite_p256_points_mul_vartime(-    const cryptonite_p256_int *n1, const cryptonite_p256_int *n2,-    const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,-    cryptonite_p256_int *out_x, cryptonite_p256_int *out_y);--// Return whether point {x,y} is on curve.-int cryptonite_p256_is_valid_point(const cryptonite_p256_int* x, const cryptonite_p256_int* y);--// Outputs big-endian binary form. No leading zero skips.-void cryptonite_p256_to_bin(const cryptonite_p256_int* src, uint8_t dst[P256_NBYTES]);--// Reads from big-endian binary form,-// thus pre-pad with leading zeros if short.-void cryptonite_p256_from_bin(const uint8_t src[P256_NBYTES], cryptonite_p256_int* dst);--#define P256_DIGITS(x) ((x)->a)-#define P256_DIGIT(x,y) ((x)->a[y])--#define P256_ZERO {{0}}-#define P256_ONE {{1}}--#ifdef __cplusplus-}-#endif--#endif  // SYSTEM_CORE_INCLUDE_MINCRYPT_LITE_P256_H_
cbits/p256/p256_ec.c view
@@ -25,580 +25,18 @@  */  // This is an implementation of the P256 elliptic curve group. It's written to-// be portable 32-bit, although it's still constant-time.+// be portable and still constant-time. // // WARNING: Implementing these functions in a constant-time manner is far from //          obvious. Be careful when touching this code. // // See http://www.imperialviolet.org/2010/12/04/ecc.html ([1]) for background. -#include <stdint.h>-#include <stdio.h>--#include <string.h>-#include <stdlib.h>--#include "p256/p256.h"--typedef uint8_t u8;-typedef uint32_t u32;-typedef int32_t s32;-typedef uint64_t u64;--/* Our field elements are represented as nine 32-bit limbs.- *- * The value of an felem (field element) is:- *   x[0] + (x[1] * 2**29) + (x[2] * 2**57) + ... + (x[8] * 2**228)- *- * That is, each limb is alternately 29 or 28-bits wide in little-endian- * order.- *- * This means that an felem hits 2**257, rather than 2**256 as we would like. A- * 28, 29, ... pattern would cause us to hit 2**256, but that causes problems- * when multiplying as terms end up one bit short of a limb which would require- * much bit-shifting to correct.- *- * Finally, the values stored in an felem are in Montgomery form. So the value- * |y| is stored as (y*R) mod p, where p is the P-256 prime and R is 2**257.- */-typedef u32 limb;-#define NLIMBS 9-typedef limb felem[NLIMBS];--static const limb kBottom28Bits = 0xfffffff;-static const limb kBottom29Bits = 0x1fffffff;--/* kOne is the number 1 as an felem. It's 2**257 mod p split up into 29 and- * 28-bit words. */-static const felem kOne = {-    2, 0, 0, 0xffff800,-    0x1fffffff, 0xfffffff, 0x1fbfffff, 0x1ffffff,-    0-};-static const felem kZero = {0};-static const felem kP = {-    0x1fffffff, 0xfffffff, 0x1fffffff, 0x3ff,-    0, 0, 0x200000, 0xf000000,-    0xfffffff-};-static const felem k2P = {-    0x1ffffffe, 0xfffffff, 0x1fffffff, 0x7ff,-    0, 0, 0x400000, 0xe000000,-    0x1fffffff-};-/* kPrecomputed contains precomputed values to aid the calculation of scalar- * multiples of the base point, G. It's actually two, equal length, tables- * concatenated.- *- * The first table contains (x,y) felem pairs for 16 multiples of the base- * point, G.- *- *   Index  |  Index (binary) | Value- *       0  |           0000  | 0G (all zeros, omitted)- *       1  |           0001  | G- *       2  |           0010  | 2**64G- *       3  |           0011  | 2**64G + G- *       4  |           0100  | 2**128G- *       5  |           0101  | 2**128G + G- *       6  |           0110  | 2**128G + 2**64G- *       7  |           0111  | 2**128G + 2**64G + G- *       8  |           1000  | 2**192G- *       9  |           1001  | 2**192G + G- *      10  |           1010  | 2**192G + 2**64G- *      11  |           1011  | 2**192G + 2**64G + G- *      12  |           1100  | 2**192G + 2**128G- *      13  |           1101  | 2**192G + 2**128G + G- *      14  |           1110  | 2**192G + 2**128G + 2**64G- *      15  |           1111  | 2**192G + 2**128G + 2**64G + G- *- * The second table follows the same style, but the terms are 2**32G,- * 2**96G, 2**160G, 2**224G.- *- * This is ~2KB of data. */-static const limb kPrecomputed[NLIMBS * 2 * 15 * 2] = {-    0x11522878, 0xe730d41, 0xdb60179, 0x4afe2ff, 0x12883add, 0xcaddd88, 0x119e7edc, 0xd4a6eab, 0x3120bee,-    0x1d2aac15, 0xf25357c, 0x19e45cdd, 0x5c721d0, 0x1992c5a5, 0xa237487, 0x154ba21, 0x14b10bb, 0xae3fe3,-    0xd41a576, 0x922fc51, 0x234994f, 0x60b60d3, 0x164586ae, 0xce95f18, 0x1fe49073, 0x3fa36cc, 0x5ebcd2c,-    0xb402f2f, 0x15c70bf, 0x1561925c, 0x5a26704, 0xda91e90, 0xcdc1c7f, 0x1ea12446, 0xe1ade1e, 0xec91f22,-    0x26f7778, 0x566847e, 0xa0bec9e, 0x234f453, 0x1a31f21a, 0xd85e75c, 0x56c7109, 0xa267a00, 0xb57c050,-    0x98fb57, 0xaa837cc, 0x60c0792, 0xcfa5e19, 0x61bab9e, 0x589e39b, 0xa324c5, 0x7d6dee7, 0x2976e4b,-    0x1fc4124a, 0xa8c244b, 0x1ce86762, 0xcd61c7e, 0x1831c8e0, 0x75774e1, 0x1d96a5a9, 0x843a649, 0xc3ab0fa,-    0x6e2e7d5, 0x7673a2a, 0x178b65e8, 0x4003e9b, 0x1a1f11c2, 0x7816ea, 0xf643e11, 0x58c43df, 0xf423fc2,-    0x19633ffa, 0x891f2b2, 0x123c231c, 0x46add8c, 0x54700dd, 0x59e2b17, 0x172db40f, 0x83e277d, 0xb0dd609,-    0xfd1da12, 0x35c6e52, 0x19ede20c, 0xd19e0c0, 0x97d0f40, 0xb015b19, 0x449e3f5, 0xe10c9e, 0x33ab581,-    0x56a67ab, 0x577734d, 0x1dddc062, 0xc57b10d, 0x149b39d, 0x26a9e7b, 0xc35df9f, 0x48764cd, 0x76dbcca,-    0xca4b366, 0xe9303ab, 0x1a7480e7, 0x57e9e81, 0x1e13eb50, 0xf466cf3, 0x6f16b20, 0x4ba3173, 0xc168c33,-    0x15cb5439, 0x6a38e11, 0x73658bd, 0xb29564f, 0x3f6dc5b, 0x53b97e, 0x1322c4c0, 0x65dd7ff, 0x3a1e4f6,-    0x14e614aa, 0x9246317, 0x1bc83aca, 0xad97eed, 0xd38ce4a, 0xf82b006, 0x341f077, 0xa6add89, 0x4894acd,-    0x9f162d5, 0xf8410ef, 0x1b266a56, 0xd7f223, 0x3e0cb92, 0xe39b672, 0x6a2901a, 0x69a8556, 0x7e7c0,-    0x9b7d8d3, 0x309a80, 0x1ad05f7f, 0xc2fb5dd, 0xcbfd41d, 0x9ceb638, 0x1051825c, 0xda0cf5b, 0x812e881,-    0x6f35669, 0x6a56f2c, 0x1df8d184, 0x345820, 0x1477d477, 0x1645db1, 0xbe80c51, 0xc22be3e, 0xe35e65a,-    0x1aeb7aa0, 0xc375315, 0xf67bc99, 0x7fdd7b9, 0x191fc1be, 0x61235d, 0x2c184e9, 0x1c5a839, 0x47a1e26,-    0xb7cb456, 0x93e225d, 0x14f3c6ed, 0xccc1ac9, 0x17fe37f3, 0x4988989, 0x1a90c502, 0x2f32042, 0xa17769b,-    0xafd8c7c, 0x8191c6e, 0x1dcdb237, 0x16200c0, 0x107b32a1, 0x66c08db, 0x10d06a02, 0x3fc93, 0x5620023,-    0x16722b27, 0x68b5c59, 0x270fcfc, 0xfad0ecc, 0xe5de1c2, 0xeab466b, 0x2fc513c, 0x407f75c, 0xbaab133,-    0x9705fe9, 0xb88b8e7, 0x734c993, 0x1e1ff8f, 0x19156970, 0xabd0f00, 0x10469ea7, 0x3293ac0, 0xcdc98aa,-    0x1d843fd, 0xe14bfe8, 0x15be825f, 0x8b5212, 0xeb3fb67, 0x81cbd29, 0xbc62f16, 0x2b6fcc7, 0xf5a4e29,-    0x13560b66, 0xc0b6ac2, 0x51ae690, 0xd41e271, 0xf3e9bd4, 0x1d70aab, 0x1029f72, 0x73e1c35, 0xee70fbc,-    0xad81baf, 0x9ecc49a, 0x86c741e, 0xfe6be30, 0x176752e7, 0x23d416, 0x1f83de85, 0x27de188, 0x66f70b8,-    0x181cd51f, 0x96b6e4c, 0x188f2335, 0xa5df759, 0x17a77eb6, 0xfeb0e73, 0x154ae914, 0x2f3ec51, 0x3826b59,-    0xb91f17d, 0x1c72949, 0x1362bf0a, 0xe23fddf, 0xa5614b0, 0xf7d8f, 0x79061, 0x823d9d2, 0x8213f39,-    0x1128ae0b, 0xd095d05, 0xb85c0c2, 0x1ecb2ef, 0x24ddc84, 0xe35e901, 0x18411a4a, 0xf5ddc3d, 0x3786689,-    0x52260e8, 0x5ae3564, 0x542b10d, 0x8d93a45, 0x19952aa4, 0x996cc41, 0x1051a729, 0x4be3499, 0x52b23aa,-    0x109f307e, 0x6f5b6bb, 0x1f84e1e7, 0x77a0cfa, 0x10c4df3f, 0x25a02ea, 0xb048035, 0xe31de66, 0xc6ecaa3,-    0x28ea335, 0x2886024, 0x1372f020, 0xf55d35, 0x15e4684c, 0xf2a9e17, 0x1a4a7529, 0xcb7beb1, 0xb2a78a1,-    0x1ab21f1f, 0x6361ccf, 0x6c9179d, 0xb135627, 0x1267b974, 0x4408bad, 0x1cbff658, 0xe3d6511, 0xc7d76f,-    0x1cc7a69, 0xe7ee31b, 0x54fab4f, 0x2b914f, 0x1ad27a30, 0xcd3579e, 0xc50124c, 0x50daa90, 0xb13f72,-    0xb06aa75, 0x70f5cc6, 0x1649e5aa, 0x84a5312, 0x329043c, 0x41c4011, 0x13d32411, 0xb04a838, 0xd760d2d,-    0x1713b532, 0xbaa0c03, 0x84022ab, 0x6bcf5c1, 0x2f45379, 0x18ae070, 0x18c9e11e, 0x20bca9a, 0x66f496b,-    0x3eef294, 0x67500d2, 0xd7f613c, 0x2dbbeb, 0xb741038, 0xe04133f, 0x1582968d, 0xbe985f7, 0x1acbc1a,-    0x1a6a939f, 0x33e50f6, 0xd665ed4, 0xb4b7bd6, 0x1e5a3799, 0x6b33847, 0x17fa56ff, 0x65ef930, 0x21dc4a,-    0x2b37659, 0x450fe17, 0xb357b65, 0xdf5efac, 0x15397bef, 0x9d35a7f, 0x112ac15f, 0x624e62e, 0xa90ae2f,-    0x107eecd2, 0x1f69bbe, 0x77d6bce, 0x5741394, 0x13c684fc, 0x950c910, 0x725522b, 0xdc78583, 0x40eeabb,-    0x1fde328a, 0xbd61d96, 0xd28c387, 0x9e77d89, 0x12550c40, 0x759cb7d, 0x367ef34, 0xae2a960, 0x91b8bdc,-    0x93462a9, 0xf469ef, 0xb2e9aef, 0xd2ca771, 0x54e1f42, 0x7aaa49, 0x6316abb, 0x2413c8e, 0x5425bf9,-    0x1bed3e3a, 0xf272274, 0x1f5e7326, 0x6416517, 0xea27072, 0x9cedea7, 0x6e7633, 0x7c91952, 0xd806dce,-    0x8e2a7e1, 0xe421e1a, 0x418c9e1, 0x1dbc890, 0x1b395c36, 0xa1dc175, 0x1dc4ef73, 0x8956f34, 0xe4b5cf2,-    0x1b0d3a18, 0x3194a36, 0x6c2641f, 0xe44124c, 0xa2f4eaa, 0xa8c25ba, 0xf927ed7, 0x627b614, 0x7371cca,-    0xba16694, 0x417bc03, 0x7c0a7e3, 0x9c35c19, 0x1168a205, 0x8b6b00d, 0x10e3edc9, 0x9c19bf2, 0x5882229,-    0x1b2b4162, 0xa5cef1a, 0x1543622b, 0x9bd433e, 0x364e04d, 0x7480792, 0x5c9b5b3, 0xe85ff25, 0x408ef57,-    0x1814cfa4, 0x121b41b, 0xd248a0f, 0x3b05222, 0x39bb16a, 0xc75966d, 0xa038113, 0xa4a1769, 0x11fbc6c,-    0x917e50e, 0xeec3da8, 0x169d6eac, 0x10c1699, 0xa416153, 0xf724912, 0x15cd60b7, 0x4acbad9, 0x5efc5fa,-    0xf150ed7, 0x122b51, 0x1104b40a, 0xcb7f442, 0xfbb28ff, 0x6ac53ca, 0x196142cc, 0x7bf0fa9, 0x957651,-    0x4e0f215, 0xed439f8, 0x3f46bd5, 0x5ace82f, 0x110916b6, 0x6db078, 0xffd7d57, 0xf2ecaac, 0xca86dec,-    0x15d6b2da, 0x965ecc9, 0x1c92b4c2, 0x1f3811, 0x1cb080f5, 0x2d8b804, 0x19d1c12d, 0xf20bd46, 0x1951fa7,-    0xa3656c3, 0x523a425, 0xfcd0692, 0xd44ddc8, 0x131f0f5b, 0xaf80e4a, 0xcd9fc74, 0x99bb618, 0x2db944c,-    0xa673090, 0x1c210e1, 0x178c8d23, 0x1474383, 0x10b8743d, 0x985a55b, 0x2e74779, 0x576138, 0x9587927,-    0x133130fa, 0xbe05516, 0x9f4d619, 0xbb62570, 0x99ec591, 0xd9468fe, 0x1d07782d, 0xfc72e0b, 0x701b298,-    0x1863863b, 0x85954b8, 0x121a0c36, 0x9e7fedf, 0xf64b429, 0x9b9d71e, 0x14e2f5d8, 0xf858d3a, 0x942eea8,-    0xda5b765, 0x6edafff, 0xa9d18cc, 0xc65e4ba, 0x1c747e86, 0xe4ea915, 0x1981d7a1, 0x8395659, 0x52ed4e2,-    0x87d43b7, 0x37ab11b, 0x19d292ce, 0xf8d4692, 0x18c3053f, 0x8863e13, 0x4c146c0, 0x6bdf55a, 0x4e4457d,-    0x16152289, 0xac78ec2, 0x1a59c5a2, 0x2028b97, 0x71c2d01, 0x295851f, 0x404747b, 0x878558d, 0x7d29aa4,-    0x13d8341f, 0x8daefd7, 0x139c972d, 0x6b7ea75, 0xd4a9dde, 0xff163d8, 0x81d55d7, 0xa5bef68, 0xb7b30d8,-    0xbe73d6f, 0xaa88141, 0xd976c81, 0x7e7a9cc, 0x18beb771, 0xd773cbd, 0x13f51951, 0x9d0c177, 0x1c49a78,-};+#include "p256/p256_gf.h"   /* Field element operations: */ -/* NON_ZERO_TO_ALL_ONES returns:- *   0xffffffff for 0 < x <= 2**31- *   0 for x == 0 or x > 2**31.- *- * x must be a u32 or an equivalent type such as limb. */-#define NON_ZERO_TO_ALL_ONES(x) ((((u32)(x) - 1) >> 31) - 1)--/* felem_reduce_carry adds a multiple of p in order to cancel |carry|,- * which is a term at 2**257.- *- * On entry: carry < 2**3, inout[0,2,...] < 2**29, inout[1,3,...] < 2**28.- * On exit: inout[0,2,..] < 2**30, inout[1,3,...] < 2**29. */-static void felem_reduce_carry(felem inout, limb carry) {-  const u32 carry_mask = NON_ZERO_TO_ALL_ONES(carry);--  inout[0] += carry << 1;-  inout[3] += 0x10000000 & carry_mask;-  /* carry < 2**3 thus (carry << 11) < 2**14 and we added 2**28 in the-   * previous line therefore this doesn't underflow. */-  inout[3] -= carry << 11;-  inout[4] += (0x20000000 - 1) & carry_mask;-  inout[5] += (0x10000000 - 1) & carry_mask;-  inout[6] += (0x20000000 - 1) & carry_mask;-  inout[6] -= carry << 22;-  /* This may underflow if carry is non-zero but, if so, we'll fix it in the-   * next line. */-  inout[7] -= 1 & carry_mask;-  inout[7] += carry << 25;-}--/* felem_sum sets out = in+in2.- *- * On entry, in[i]+in2[i] must not overflow a 32-bit word.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 */-static void felem_sum(felem out, const felem in, const felem in2) {-  limb carry = 0;-  unsigned i;--  for (i = 0;; i++) {-    out[i] = in[i] + in2[i];-    out[i] += carry;-    carry = out[i] >> 29;-    out[i] &= kBottom29Bits;--    i++;-    if (i == NLIMBS)-      break;--    out[i] = in[i] + in2[i];-    out[i] += carry;-    carry = out[i] >> 28;-    out[i] &= kBottom28Bits;-  }--  felem_reduce_carry(out, carry);-}--#define two31m3 (((limb)1) << 31) - (((limb)1) << 3)-#define two30m2 (((limb)1) << 30) - (((limb)1) << 2)-#define two30p13m2 (((limb)1) << 30) + (((limb)1) << 13) - (((limb)1) << 2)-#define two31m2 (((limb)1) << 31) - (((limb)1) << 2)-#define two31p24m2 (((limb)1) << 31) + (((limb)1) << 24) - (((limb)1) << 2)-#define two30m27m2 (((limb)1) << 30) - (((limb)1) << 27) - (((limb)1) << 2)--/* zero31 is 0 mod p. */-static const felem zero31 = { two31m3, two30m2, two31m2, two30p13m2, two31m2, two30m2, two31p24m2, two30m27m2, two31m2 };--/* felem_diff sets out = in-in2.- *- * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and- *           in2[0,2,...] < 2**30, in2[1,3,...] < 2**29.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */-static void felem_diff(felem out, const felem in, const felem in2) {-  limb carry = 0;-  unsigned i;--   for (i = 0;; i++) {-    out[i] = in[i] - in2[i];-    out[i] += zero31[i];-    out[i] += carry;-    carry = out[i] >> 29;-    out[i] &= kBottom29Bits;--    i++;-    if (i == NLIMBS)-      break;--    out[i] = in[i] - in2[i];-    out[i] += zero31[i];-    out[i] += carry;-    carry = out[i] >> 28;-    out[i] &= kBottom28Bits;-  }--  felem_reduce_carry(out, carry);-}--/* felem_reduce_degree sets out = tmp/R mod p where tmp contains 64-bit words- * with the same 29,28,... bit positions as an felem.- *- * The values in felems are in Montgomery form: x*R mod p where R = 2**257.- * Since we just multiplied two Montgomery values together, the result is- * x*y*R*R mod p. We wish to divide by R in order for the result also to be- * in Montgomery form.- *- * On entry: tmp[i] < 2**64- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29 */-static void felem_reduce_degree(felem out, u64 tmp[17]) {-   /* The following table may be helpful when reading this code:-    *-    * Limb number:   0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10...-    * Width (bits):  29| 28| 29| 28| 29| 28| 29| 28| 29| 28| 29-    * Start bit:     0 | 29| 57| 86|114|143|171|200|228|257|285-    *   (odd phase): 0 | 28| 57| 85|114|142|171|199|228|256|285 */-  limb tmp2[18], carry, x, xMask;-  unsigned i;--  /* tmp contains 64-bit words with the same 29,28,29-bit positions as an-   * felem. So the top of an element of tmp might overlap with another-   * element two positions down. The following loop eliminates this-   * overlap. */-  tmp2[0] = (limb)(tmp[0] & kBottom29Bits);--  /* In the following we use "(limb) tmp[x]" and "(limb) (tmp[x]>>32)" to try-   * and hint to the compiler that it can do a single-word shift by selecting-   * the right register rather than doing a double-word shift and truncating-   * afterwards. */-  tmp2[1] = ((limb) tmp[0]) >> 29;-  tmp2[1] |= (((limb)(tmp[0] >> 32)) << 3) & kBottom28Bits;-  tmp2[1] += ((limb) tmp[1]) & kBottom28Bits;-  carry = tmp2[1] >> 28;-  tmp2[1] &= kBottom28Bits;--  for (i = 2; i < 17; i++) {-    tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25;-    tmp2[i] += ((limb)(tmp[i - 1])) >> 28;-    tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 4) & kBottom29Bits;-    tmp2[i] += ((limb) tmp[i]) & kBottom29Bits;-    tmp2[i] += carry;-    carry = tmp2[i] >> 29;-    tmp2[i] &= kBottom29Bits;--    i++;-    if (i == 17)-      break;-    tmp2[i] = ((limb)(tmp[i - 2] >> 32)) >> 25;-    tmp2[i] += ((limb)(tmp[i - 1])) >> 29;-    tmp2[i] += (((limb)(tmp[i - 1] >> 32)) << 3) & kBottom28Bits;-    tmp2[i] += ((limb) tmp[i]) & kBottom28Bits;-    tmp2[i] += carry;-    carry = tmp2[i] >> 28;-    tmp2[i] &= kBottom28Bits;-  }--  tmp2[17] = ((limb)(tmp[15] >> 32)) >> 25;-  tmp2[17] += ((limb)(tmp[16])) >> 29;-  tmp2[17] += (((limb)(tmp[16] >> 32)) << 3);-  tmp2[17] += carry;--  /* Montgomery elimination of terms.-   *-   * Since R is 2**257, we can divide by R with a bitwise shift if we can-   * ensure that the right-most 257 bits are all zero. We can make that true by-   * adding multiplies of p without affecting the value.-   *-   * So we eliminate limbs from right to left. Since the bottom 29 bits of p-   * are all ones, then by adding tmp2[0]*p to tmp2 we'll make tmp2[0] == 0.-   * We can do that for 8 further limbs and then right shift to eliminate the-   * extra factor of R. */-  for (i = 0;; i += 2) {-    tmp2[i + 1] += tmp2[i] >> 29;-    x = tmp2[i] & kBottom29Bits;-    xMask = NON_ZERO_TO_ALL_ONES(x);-    tmp2[i] = 0;--    /* The bounds calculations for this loop are tricky. Each iteration of-     * the loop eliminates two words by adding values to words to their-     * right.-     *-     * The following table contains the amounts added to each word (as an-     * offset from the value of i at the top of the loop). The amounts are-     * accounted for from the first and second half of the loop separately-     * and are written as, for example, 28 to mean a value <2**28.-     *-     * Word:                   3   4   5   6   7   8   9   10-     * Added in top half:     28  11      29  21  29  28-     *                                        28  29-     *                                            29-     * Added in bottom half:      29  10      28  21  28   28-     *                                            29-     *-     * The value that is currently offset 7 will be offset 5 for the next-     * iteration and then offset 3 for the iteration after that. Therefore-     * the total value added will be the values added at 7, 5 and 3.-     *-     * The following table accumulates these values. The sums at the bottom-     * are written as, for example, 29+28, to mean a value < 2**29+2**28.-     *-     * Word:                   3   4   5   6   7   8   9  10  11  12  13-     *                        28  11  10  29  21  29  28  28  28  28  28-     *                            29  28  11  28  29  28  29  28  29  28-     *                                    29  28  21  21  29  21  29  21-     *                                        10  29  28  21  28  21  28-     *                                        28  29  28  29  28  29  28-     *                                            11  10  29  10  29  10-     *                                            29  28  11  28  11-     *                                                    29      29-     *                        ---------------------------------------------     *                                                30+ 31+ 30+ 31+ 30+-     *                                                28+ 29+ 28+ 29+ 21+-     *                                                21+ 28+ 21+ 28+ 10-     *                                                10  21+ 10  21+-     *                                                    11      11-     *-     * So the greatest amount is added to tmp2[10] and tmp2[12]. If-     * tmp2[10/12] has an initial value of <2**29, then the maximum value-     * will be < 2**31 + 2**30 + 2**28 + 2**21 + 2**11, which is < 2**32,-     * as required. */-    tmp2[i + 3] += (x << 10) & kBottom28Bits;-    tmp2[i + 4] += (x >> 18);--    tmp2[i + 6] += (x << 21) & kBottom29Bits;-    tmp2[i + 7] += x >> 8;--    /* At position 200, which is the starting bit position for word 7, we-     * have a factor of 0xf000000 = 2**28 - 2**24. */-    tmp2[i + 7] += 0x10000000 & xMask;-    /* Word 7 is 28 bits wide, so the 2**28 term exactly hits word 8. */-    tmp2[i + 8] += (x - 1) & xMask;-    tmp2[i + 7] -= (x << 24) & kBottom28Bits;-    tmp2[i + 8] -= x >> 4;--    tmp2[i + 8] += 0x20000000 & xMask;-    tmp2[i + 8] -= x;-    tmp2[i + 8] += (x << 28) & kBottom29Bits;-    tmp2[i + 9] += ((x >> 1) - 1) & xMask;--    if (i+1 == NLIMBS)-      break;-    tmp2[i + 2] += tmp2[i + 1] >> 28;-    x = tmp2[i + 1] & kBottom28Bits;-    xMask = NON_ZERO_TO_ALL_ONES(x);-    tmp2[i + 1] = 0;--    tmp2[i + 4] += (x << 11) & kBottom29Bits;-    tmp2[i + 5] += (x >> 18);--    tmp2[i + 7] += (x << 21) & kBottom28Bits;-    tmp2[i + 8] += x >> 7;--    /* At position 199, which is the starting bit of the 8th word when-     * dealing with a context starting on an odd word, we have a factor of-     * 0x1e000000 = 2**29 - 2**25. Since we have not updated i, the 8th-     * word from i+1 is i+8. */-    tmp2[i + 8] += 0x20000000 & xMask;-    tmp2[i + 9] += (x - 1) & xMask;-    tmp2[i + 8] -= (x << 25) & kBottom29Bits;-    tmp2[i + 9] -= x >> 4;--    tmp2[i + 9] += 0x10000000 & xMask;-    tmp2[i + 9] -= x;-    tmp2[i + 10] += (x - 1) & xMask;-  }--  /* We merge the right shift with a carry chain. The words above 2**257 have-   * widths of 28,29,... which we need to correct when copying them down.  */-  carry = 0;-  for (i = 0; i < 8; i++) {-    /* The maximum value of tmp2[i + 9] occurs on the first iteration and-     * is < 2**30+2**29+2**28. Adding 2**29 (from tmp2[i + 10]) is-     * therefore safe. */-    out[i] = tmp2[i + 9];-    out[i] += carry;-    out[i] += (tmp2[i + 10] << 28) & kBottom29Bits;-    carry = out[i] >> 29;-    out[i] &= kBottom29Bits;--    i++;-    out[i] = tmp2[i + 9] >> 1;-    out[i] += carry;-    carry = out[i] >> 28;-    out[i] &= kBottom28Bits;-  }--  out[8] = tmp2[17];-  out[8] += carry;-  carry = out[8] >> 29;-  out[8] &= kBottom29Bits;--  felem_reduce_carry(out, carry);-}--/* felem_square sets out=in*in.- *- * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */-static void felem_square(felem out, const felem in) {-  u64 tmp[17];--  tmp[0] = ((u64) in[0]) * in[0];-  tmp[1] = ((u64) in[0]) * (in[1] << 1);-  tmp[2] = ((u64) in[0]) * (in[2] << 1) +-           ((u64) in[1]) * (in[1] << 1);-  tmp[3] = ((u64) in[0]) * (in[3] << 1) +-           ((u64) in[1]) * (in[2] << 1);-  tmp[4] = ((u64) in[0]) * (in[4] << 1) +-           ((u64) in[1]) * (in[3] << 2) + ((u64) in[2]) * in[2];-  tmp[5] = ((u64) in[0]) * (in[5] << 1) + ((u64) in[1]) *-           (in[4] << 1) + ((u64) in[2]) * (in[3] << 1);-  tmp[6] = ((u64) in[0]) * (in[6] << 1) + ((u64) in[1]) *-           (in[5] << 2) + ((u64) in[2]) * (in[4] << 1) +-           ((u64) in[3]) * (in[3] << 1);-  tmp[7] = ((u64) in[0]) * (in[7] << 1) + ((u64) in[1]) *-           (in[6] << 1) + ((u64) in[2]) * (in[5] << 1) +-           ((u64) in[3]) * (in[4] << 1);-  /* tmp[8] has the greatest value of 2**61 + 2**60 + 2**61 + 2**60 + 2**60,-   * which is < 2**64 as required. */-  tmp[8] = ((u64) in[0]) * (in[8] << 1) + ((u64) in[1]) *-           (in[7] << 2) + ((u64) in[2]) * (in[6] << 1) +-           ((u64) in[3]) * (in[5] << 2) + ((u64) in[4]) * in[4];-  tmp[9] = ((u64) in[1]) * (in[8] << 1) + ((u64) in[2]) *-           (in[7] << 1) + ((u64) in[3]) * (in[6] << 1) +-           ((u64) in[4]) * (in[5] << 1);-  tmp[10] = ((u64) in[2]) * (in[8] << 1) + ((u64) in[3]) *-            (in[7] << 2) + ((u64) in[4]) * (in[6] << 1) +-            ((u64) in[5]) * (in[5] << 1);-  tmp[11] = ((u64) in[3]) * (in[8] << 1) + ((u64) in[4]) *-            (in[7] << 1) + ((u64) in[5]) * (in[6] << 1);-  tmp[12] = ((u64) in[4]) * (in[8] << 1) +-            ((u64) in[5]) * (in[7] << 2) + ((u64) in[6]) * in[6];-  tmp[13] = ((u64) in[5]) * (in[8] << 1) +-            ((u64) in[6]) * (in[7] << 1);-  tmp[14] = ((u64) in[6]) * (in[8] << 1) +-            ((u64) in[7]) * (in[7] << 1);-  tmp[15] = ((u64) in[7]) * (in[8] << 1);-  tmp[16] = ((u64) in[8]) * in[8];--  felem_reduce_degree(out, tmp);-}--/* felem_mul sets out=in*in2.- *- * On entry: in[0,2,...] < 2**30, in[1,3,...] < 2**29 and- *           in2[0,2,...] < 2**30, in2[1,3,...] < 2**29.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */-static void felem_mul(felem out, const felem in, const felem in2) {-  u64 tmp[17];--  tmp[0] = ((u64) in[0]) * in2[0];-  tmp[1] = ((u64) in[0]) * (in2[1] << 0) +-           ((u64) in[1]) * (in2[0] << 0);-  tmp[2] = ((u64) in[0]) * (in2[2] << 0) + ((u64) in[1]) *-           (in2[1] << 1) + ((u64) in[2]) * (in2[0] << 0);-  tmp[3] = ((u64) in[0]) * (in2[3] << 0) + ((u64) in[1]) *-           (in2[2] << 0) + ((u64) in[2]) * (in2[1] << 0) +-           ((u64) in[3]) * (in2[0] << 0);-  tmp[4] = ((u64) in[0]) * (in2[4] << 0) + ((u64) in[1]) *-           (in2[3] << 1) + ((u64) in[2]) * (in2[2] << 0) +-           ((u64) in[3]) * (in2[1] << 1) +-           ((u64) in[4]) * (in2[0] << 0);-  tmp[5] = ((u64) in[0]) * (in2[5] << 0) + ((u64) in[1]) *-           (in2[4] << 0) + ((u64) in[2]) * (in2[3] << 0) +-           ((u64) in[3]) * (in2[2] << 0) + ((u64) in[4]) *-           (in2[1] << 0) + ((u64) in[5]) * (in2[0] << 0);-  tmp[6] = ((u64) in[0]) * (in2[6] << 0) + ((u64) in[1]) *-           (in2[5] << 1) + ((u64) in[2]) * (in2[4] << 0) +-           ((u64) in[3]) * (in2[3] << 1) + ((u64) in[4]) *-           (in2[2] << 0) + ((u64) in[5]) * (in2[1] << 1) +-           ((u64) in[6]) * (in2[0] << 0);-  tmp[7] = ((u64) in[0]) * (in2[7] << 0) + ((u64) in[1]) *-           (in2[6] << 0) + ((u64) in[2]) * (in2[5] << 0) +-           ((u64) in[3]) * (in2[4] << 0) + ((u64) in[4]) *-           (in2[3] << 0) + ((u64) in[5]) * (in2[2] << 0) +-           ((u64) in[6]) * (in2[1] << 0) +-           ((u64) in[7]) * (in2[0] << 0);-  /* tmp[8] has the greatest value but doesn't overflow. See logic in-   * felem_square. */-  tmp[8] = ((u64) in[0]) * (in2[8] << 0) + ((u64) in[1]) *-           (in2[7] << 1) + ((u64) in[2]) * (in2[6] << 0) +-           ((u64) in[3]) * (in2[5] << 1) + ((u64) in[4]) *-           (in2[4] << 0) + ((u64) in[5]) * (in2[3] << 1) +-           ((u64) in[6]) * (in2[2] << 0) + ((u64) in[7]) *-           (in2[1] << 1) + ((u64) in[8]) * (in2[0] << 0);-  tmp[9] = ((u64) in[1]) * (in2[8] << 0) + ((u64) in[2]) *-           (in2[7] << 0) + ((u64) in[3]) * (in2[6] << 0) +-           ((u64) in[4]) * (in2[5] << 0) + ((u64) in[5]) *-           (in2[4] << 0) + ((u64) in[6]) * (in2[3] << 0) +-           ((u64) in[7]) * (in2[2] << 0) +-           ((u64) in[8]) * (in2[1] << 0);-  tmp[10] = ((u64) in[2]) * (in2[8] << 0) + ((u64) in[3]) *-            (in2[7] << 1) + ((u64) in[4]) * (in2[6] << 0) +-            ((u64) in[5]) * (in2[5] << 1) + ((u64) in[6]) *-            (in2[4] << 0) + ((u64) in[7]) * (in2[3] << 1) +-            ((u64) in[8]) * (in2[2] << 0);-  tmp[11] = ((u64) in[3]) * (in2[8] << 0) + ((u64) in[4]) *-            (in2[7] << 0) + ((u64) in[5]) * (in2[6] << 0) +-            ((u64) in[6]) * (in2[5] << 0) + ((u64) in[7]) *-            (in2[4] << 0) + ((u64) in[8]) * (in2[3] << 0);-  tmp[12] = ((u64) in[4]) * (in2[8] << 0) + ((u64) in[5]) *-            (in2[7] << 1) + ((u64) in[6]) * (in2[6] << 0) +-            ((u64) in[7]) * (in2[5] << 1) +-            ((u64) in[8]) * (in2[4] << 0);-  tmp[13] = ((u64) in[5]) * (in2[8] << 0) + ((u64) in[6]) *-            (in2[7] << 0) + ((u64) in[7]) * (in2[6] << 0) +-            ((u64) in[8]) * (in2[5] << 0);-  tmp[14] = ((u64) in[6]) * (in2[8] << 0) + ((u64) in[7]) *-            (in2[7] << 1) + ((u64) in[8]) * (in2[6] << 0);-  tmp[15] = ((u64) in[7]) * (in2[8] << 0) +-            ((u64) in[8]) * (in2[7] << 0);-  tmp[16] = ((u64) in[8]) * (in2[8] << 0);--  felem_reduce_degree(out, tmp);-}--static void felem_assign(felem out, const felem in) {-  memcpy(out, in, sizeof(felem));-}- /* felem_inv calculates |out| = |in|^{-1}  *  * Based on Fermat's Little Theorem:@@ -667,131 +105,7 @@   felem_mul(out, ftmp2, ftmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */ } -/* felem_scalar_3 sets out=3*out.- *- * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */-static void felem_scalar_3(felem out) {-  limb carry = 0;-  unsigned i; -  for (i = 0;; i++) {-    out[i] *= 3;-    out[i] += carry;-    carry = out[i] >> 29;-    out[i] &= kBottom29Bits;--    i++;-    if (i == NLIMBS)-      break;--    out[i] *= 3;-    out[i] += carry;-    carry = out[i] >> 28;-    out[i] &= kBottom28Bits;-  }--  felem_reduce_carry(out, carry);-}--/* felem_scalar_4 sets out=4*out.- *- * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */-static void felem_scalar_4(felem out) {-  limb carry = 0, next_carry;-  unsigned i;--  for (i = 0;; i++) {-    next_carry = out[i] >> 27;-    out[i] <<= 2;-    out[i] &= kBottom29Bits;-    out[i] += carry;-    carry = next_carry + (out[i] >> 29);-    out[i] &= kBottom29Bits;--    i++;-    if (i == NLIMBS)-      break;--    next_carry = out[i] >> 26;-    out[i] <<= 2;-    out[i] &= kBottom28Bits;-    out[i] += carry;-    carry = next_carry + (out[i] >> 28);-    out[i] &= kBottom28Bits;-  }--  felem_reduce_carry(out, carry);-}--/* felem_scalar_8 sets out=8*out.- *- * On entry: out[0,2,...] < 2**30, out[1,3,...] < 2**29.- * On exit: out[0,2,...] < 2**30, out[1,3,...] < 2**29. */-static void felem_scalar_8(felem out) {-  limb carry = 0, next_carry;-  unsigned i;--  for (i = 0;; i++) {-    next_carry = out[i] >> 26;-    out[i] <<= 3;-    out[i] &= kBottom29Bits;-    out[i] += carry;-    carry = next_carry + (out[i] >> 29);-    out[i] &= kBottom29Bits;--    i++;-    if (i == NLIMBS)-      break;--    next_carry = out[i] >> 25;-    out[i] <<= 3;-    out[i] &= kBottom28Bits;-    out[i] += carry;-    carry = next_carry + (out[i] >> 28);-    out[i] &= kBottom28Bits;-  }--  felem_reduce_carry(out, carry);-}--/* felem_is_zero_vartime returns 1 iff |in| == 0. It takes a variable amount of- * time depending on the value of |in|. */-static char felem_is_zero_vartime(const felem in) {-  limb carry;-  int i;-  limb tmp[NLIMBS];--  felem_assign(tmp, in);--  /* First, reduce tmp to a minimal form. */-  do {-    carry = 0;-    for (i = 0;; i++) {-      tmp[i] += carry;-      carry = tmp[i] >> 29;-      tmp[i] &= kBottom29Bits;--      i++;-      if (i == NLIMBS)-        break;--      tmp[i] += carry;-      carry = tmp[i] >> 28;-      tmp[i] &= kBottom28Bits;-    }--    felem_reduce_carry(tmp, carry);-  } while (carry);--  /* tmp < 2**257, so the only possible zero values are 0, p and 2p. */-  return memcmp(tmp, kZero, sizeof(tmp)) == 0 ||-         memcmp(tmp, kP, sizeof(tmp)) == 0 ||-         memcmp(tmp, k2P, sizeof(tmp)) == 0;-}-- /* Group operations:  *  * Elements of the elliptic curve group are represented in Jacobian@@ -971,9 +285,9 @@   felem_diff(y_out, y_out, tmp); } -/* copy_conditional sets out=in if mask = 0xffffffff in constant time.+/* copy_conditional sets out=in if mask = -1 in constant time.  *- * On entry: mask is either 0 or 0xffffffff. */+ * On entry: mask is either 0 or -1. */ static void copy_conditional(felem out, const felem in, limb mask) {   int i; @@ -1168,58 +482,6 @@   } } -#define kRDigits {2, 0, 0, 0xfffffffe, 0xffffffff, 0xffffffff, 0xfffffffd, 1} // 2^257 mod p256.p--#define kRInvDigits {0x80000000, 1, 0xffffffff, 0, 0x80000001, 0xfffffffe, 1, 0x7fffffff}  // 1 / 2^257 mod p256.p--static const cryptonite_p256_int kR = { kRDigits };-static const cryptonite_p256_int kRInv = { kRInvDigits };--/* to_montgomery sets out = R*in. */-static void to_montgomery(felem out, const cryptonite_p256_int* in) {-  cryptonite_p256_int in_shifted;-  int i;--  cryptonite_p256_init(&in_shifted);-  cryptonite_p256_modmul(&cryptonite_SECP256r1_p, in, 0, &kR, &in_shifted);--  for (i = 0; i < NLIMBS; i++) {-    if ((i & 1) == 0) {-      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom29Bits;-      cryptonite_p256_shr(&in_shifted, 29, &in_shifted);-    } else {-      out[i] = P256_DIGIT(&in_shifted, 0) & kBottom28Bits;-      cryptonite_p256_shr(&in_shifted, 28, &in_shifted);-    }-  }--  cryptonite_p256_clear(&in_shifted);-}--/* from_montgomery sets out=in/R. */-static void from_montgomery(cryptonite_p256_int* out, const felem in) {-  cryptonite_p256_int result, tmp;-  int i, top;--  cryptonite_p256_init(&result);-  cryptonite_p256_init(&tmp);--  cryptonite_p256_add_d(&tmp, in[NLIMBS - 1], &result);-  for (i = NLIMBS - 2; i >= 0; i--) {-    if ((i & 1) == 0) {-      top = cryptonite_p256_shl(&result, 29, &tmp);-    } else {-      top = cryptonite_p256_shl(&result, 28, &tmp);-    }-    top |= cryptonite_p256_add_d(&tmp, in[i], &result);-  }--  cryptonite_p256_modmul(&cryptonite_SECP256r1_p, &kRInv, top, &result, out);--  cryptonite_p256_clear(&result);-  cryptonite_p256_clear(&tmp);-}- /* cryptonite_p256_base_point_mul sets {out_x,out_y} = nG, where n is < the  * order of the group. */ void cryptonite_p256_base_point_mul(const cryptonite_p256_int* n, cryptonite_p256_int* out_x, cryptonite_p256_int* out_y) {@@ -1287,19 +549,44 @@     const cryptonite_p256_int *in_x2, const cryptonite_p256_int *in_y2,     cryptonite_p256_int *out_x, cryptonite_p256_int *out_y) {-    felem x1, y1, z1, x2, y2, z2, px1, py1, px2, py2;-    const cryptonite_p256_int one = P256_ONE;+    felem x, y, z, px1, py1, px2, py2;      to_montgomery(px1, in_x1);     to_montgomery(py1, in_y1);     to_montgomery(px2, in_x2);     to_montgomery(py2, in_y2); -    scalar_mult(x1, y1, z1, px1, py1, &one);-    scalar_mult(x2, y2, z2, px2, py2, &one);-    point_add_or_double_vartime(x1, y1, z1, x1, y1, z1, x2, y2, z2);+    point_add_or_double_vartime(x, y, z, px1, py1, kOne, px2, py2, kOne); -    point_to_affine(px1, py1, x1, y1, z1);+    point_to_affine(px1, py1, x, y, z);     from_montgomery(out_x, px1);     from_montgomery(out_y, py1);+}++/* this function is not part of the original source+   negate a point, i.e. (out_x, out_y) = (in_x, -in_y)+ */+void cryptonite_p256e_point_negate(+    const cryptonite_p256_int *in_x, const cryptonite_p256_int *in_y,+    cryptonite_p256_int *out_x, cryptonite_p256_int *out_y)+{+    memcpy(out_x, in_x, P256_NBYTES);+    cryptonite_p256_sub(&cryptonite_SECP256r1_p, in_y, out_y);+}++/* this function is not part of the original source+   cryptonite_p256e_point_mul sets {out_x,out_y} = n*{in_x,in_y}, where+   n is < the order of the group.+ */+void cryptonite_p256e_point_mul(const cryptonite_p256_int* n,+    const cryptonite_p256_int* in_x, const cryptonite_p256_int* in_y,+    cryptonite_p256_int* out_x, cryptonite_p256_int* out_y) {+  felem x, y, z, px, py;++  to_montgomery(px, in_x);+  to_montgomery(py, in_y);+  scalar_mult(x, y, z, px, py, n);+  point_to_affine(px, py, x, y, z);+  from_montgomery(out_x, px);+  from_montgomery(out_y, py); }
cryptonite.cabal view
@@ -1,25 +1,25 @@ Name:                cryptonite-Version:             0.22+version:             0.30 Synopsis:            Cryptography Primitives sink Description:     A repository of cryptographic primitives.     .-    * Symmetric ciphers: AES, DES, 3DES, Blowfish, Camellia, RC4, Salsa, XSalsa, ChaCha.+    * Symmetric ciphers: AES, DES, 3DES, CAST5, Blowfish, Twofish, Camellia, RC4, Salsa, XSalsa, ChaCha.     .     * Hash: SHA1, SHA2, SHA3, SHAKE, MD2, MD4, MD5, Keccak, Skein, Ripemd, Tiger, Whirlpool, Blake2     .-    * MAC: HMAC, Poly1305+    * MAC: HMAC, KMAC, Poly1305     .-    * Asymmetric crypto: DSA, RSA, DH, ECDH, ECDSA, ECC, Curve25519, Curve448, Ed25519+    * Asymmetric crypto: DSA, RSA, DH, ECDH, ECDSA, ECC, Curve25519, Curve448, Ed25519, Ed448     .-    * Key Derivation Function: PBKDF2, Scrypt, HKDF, Argon2+    * Key Derivation Function: PBKDF2, Scrypt, HKDF, Argon2, BCrypt, BCryptPBKDF     .     * Cryptographic Random generation: System Entropy, Deterministic Random Generator     .     * Data related: Anti-Forensic Information Splitter (AFIS)     .     If anything cryptographic related is missing from here, submit-    a pull request to have it added. This package strive to be a+    a pull request to have it added. This package strives to be a     cryptographic kitchen sink that provides cryptography for everyone.     .     Evaluate the security related to your requirements before using.@@ -35,18 +35,29 @@ Build-Type:          Simple Homepage:            https://github.com/haskell-crypto/cryptonite Bug-reports:         https://github.com/haskell-crypto/cryptonite/issues-Cabal-Version:       >=1.18+Cabal-Version:       1.18+tested-with:         GHC==9.2.2, GHC==9.0.2, GHC==8.10.7, GHC==8.8.4 extra-doc-files:     README.md CHANGELOG.md extra-source-files:  cbits/*.h                      cbits/aes/*.h                      cbits/ed25519/*.h-                     cbits/ed448/*.h-                     cbits/p256/*.h+                     cbits/decaf/include/*.h+                     cbits/decaf/include/decaf/*.h+                     cbits/decaf/include/arch_32/*.h+                     cbits/decaf/include/arch_ref64/*.h+                     cbits/decaf/p448/arch_32/*.h+                     cbits/decaf/p448/arch_ref64/*.h+                     cbits/decaf/p448/*.h+                     cbits/decaf/ed448goldilocks/decaf_tables.c+                     cbits/decaf/ed448goldilocks/decaf.c+                     cbits/include32/p256/*.h+                     cbits/include64/p256/*.h                      cbits/blake2/ref/*.h                      cbits/blake2/sse/*.h                      cbits/argon2/*.h                      cbits/argon2/*.c                      cbits/aes/x86ni_impl.c+                     cbits/cryptonite_hash_prefix.c                      tests/*.hs  source-repository head@@ -69,12 +80,7 @@   Manual:            True  Flag support_sse-  Description:       Use SSE optimized version when existing (BLAKE2, ARGON2)-  Default:           False-  Manual:            True--Flag support_blake2_sse-  Description:       Use SSE optimized version of BLAKE2.+  Description:       Use SSE optimized version of (BLAKE2, ARGON2)   Default:           False   Manual:            True @@ -98,9 +104,16 @@   Default:           False   Manual:            True +Flag use_target_attributes+  Description:       use GCC / clang function attributes instead of global target options.+  Default:           True+  Manual:            True+ Library   Exposed-modules:   Crypto.Cipher.AES+                     Crypto.Cipher.AESGCMSIV                      Crypto.Cipher.Blowfish+                     Crypto.Cipher.CAST5                      Crypto.Cipher.Camellia                      Crypto.Cipher.ChaCha                      Crypto.Cipher.ChaChaPoly1305@@ -108,27 +121,35 @@                      Crypto.Cipher.RC4                      Crypto.Cipher.Salsa                      Crypto.Cipher.TripleDES+                     Crypto.Cipher.Twofish                      Crypto.Cipher.Types+                     Crypto.Cipher.Utils                      Crypto.Cipher.XSalsa                      Crypto.ConstructHash.MiyaguchiPreneel                      Crypto.Data.AFIS                      Crypto.Data.Padding                      Crypto.ECC+                     Crypto.ECC.Edwards25519                      Crypto.Error                      Crypto.MAC.CMAC                      Crypto.MAC.Poly1305                      Crypto.MAC.HMAC+                     Crypto.MAC.KMAC                      Crypto.Number.Basic                      Crypto.Number.F2m                      Crypto.Number.Generate                      Crypto.Number.ModArithmetic+                     Crypto.Number.Nat                      Crypto.Number.Prime                      Crypto.Number.Serialize+                     Crypto.Number.Serialize.LE                      Crypto.Number.Serialize.Internal+                     Crypto.Number.Serialize.Internal.LE                      Crypto.KDF.Argon2                      Crypto.KDF.PBKDF2                      Crypto.KDF.Scrypt                      Crypto.KDF.BCrypt+                     Crypto.KDF.BCryptPBKDF                      Crypto.KDF.HKDF                      Crypto.Hash                      Crypto.Hash.IO@@ -145,26 +166,36 @@                      Crypto.PubKey.ECC.ECDSA                      Crypto.PubKey.ECC.P256                      Crypto.PubKey.ECC.Types+                     Crypto.PubKey.ECDSA                      Crypto.PubKey.ECIES                      Crypto.PubKey.Ed25519                      Crypto.PubKey.Ed448+                     Crypto.PubKey.EdDSA                      Crypto.PubKey.RSA                      Crypto.PubKey.RSA.PKCS15                      Crypto.PubKey.RSA.Prim                      Crypto.PubKey.RSA.PSS                      Crypto.PubKey.RSA.OAEP                      Crypto.PubKey.RSA.Types+                     Crypto.PubKey.Rabin.OAEP+                     Crypto.PubKey.Rabin.Basic+                     Crypto.PubKey.Rabin.Modified+                     Crypto.PubKey.Rabin.RW+                     Crypto.PubKey.Rabin.Types                      Crypto.Random                      Crypto.Random.Types                      Crypto.Random.Entropy                      Crypto.Random.EntropyPool                      Crypto.Random.Entropy.Unsafe+                     Crypto.System.CPU                      Crypto.Tutorial   Other-modules:     Crypto.Cipher.AES.Primitive                      Crypto.Cipher.Blowfish.Box                      Crypto.Cipher.Blowfish.Primitive+                     Crypto.Cipher.CAST5.Primitive                      Crypto.Cipher.Camellia.Primitive                      Crypto.Cipher.DES.Primitive+                     Crypto.Cipher.Twofish.Primitive                      Crypto.Cipher.Types.AEAD                      Crypto.Cipher.Types.Base                      Crypto.Cipher.Types.Block@@ -174,6 +205,7 @@                      Crypto.Error.Types                      Crypto.Number.Compat                      Crypto.Hash.Types+                     Crypto.Hash.Blake2                      Crypto.Hash.Blake2s                      Crypto.Hash.Blake2sp                      Crypto.Hash.Blake2b@@ -185,6 +217,7 @@                      Crypto.Hash.SHA512                      Crypto.Hash.SHA512t                      Crypto.Hash.SHA3+                     Crypto.Hash.SHAKE                      Crypto.Hash.Keccak                      Crypto.Hash.MD2                      Crypto.Hash.MD4@@ -203,22 +236,27 @@                      Crypto.PubKey.ElGamal                      Crypto.ECC.Simple.Types                      Crypto.ECC.Simple.Prim-                     Crypto.Internal.Proxy+                     Crypto.Internal.Builder                      Crypto.Internal.ByteArray                      Crypto.Internal.Compat                      Crypto.Internal.CompatPrim                      Crypto.Internal.DeepSeq                      Crypto.Internal.Imports+                     Crypto.Internal.Nat                      Crypto.Internal.Words                      Crypto.Internal.WordArray-  if impl(ghc >= 7.8)-    Other-modules:   Crypto.Hash.SHAKE-                     Crypto.Internal.Nat-  Build-depends:     base >= 4.3 && < 5-                   , bytestring-                   , memory >= 0.12+  if impl(ghc < 8.8)+    Buildable: False+  else+    Build-depends:   base++  Build-depends:     bytestring+                   , memory >= 0.14.18+                   , basement >= 0.0.6                    , ghc-prim-  ghc-options:       -Wall -fwarn-tabs -optc-O3 -fno-warn-unused-imports+  ghc-options:       -Wall -fwarn-tabs -optc-O3+  if os(linux)+    extra-libraries: pthread   default-language:  Haskell2010   cc-options:        -std=gnu99   if flag(old_toolchain_inliner)@@ -228,8 +266,6 @@                    , cbits/cryptonite_xsalsa.c                    , cbits/cryptonite_rc4.c                    , cbits/cryptonite_cpu.c-                   , cbits/ed25519/ed25519.c-                   , cbits/ed448/x448.c                    , cbits/p256/p256.c                    , cbits/p256/p256_ec.c                    , cbits/cryptonite_blake2s.c@@ -251,9 +287,41 @@                    , cbits/cryptonite_whirlpool.c                    , cbits/cryptonite_scrypt.c                    , cbits/cryptonite_pbkdf2.c-  include-dirs:  cbits cbits/ed25519+                   , cbits/ed25519/ed25519.c+  include-dirs:      cbits+                   , cbits/ed25519+                   , cbits/decaf/include+                   , cbits/decaf/p448 -  if arch(x86_64)+  if arch(x86_64) || arch(aarch64)+    include-dirs:      cbits/include64+  else+    include-dirs:      cbits/include32++  if arch(x86_64) || arch(aarch64)+    C-sources:         cbits/decaf/p448/arch_ref64/f_impl.c+                     , cbits/decaf/p448/f_generic.c+                     , cbits/decaf/p448/f_arithmetic.c+                     , cbits/decaf/utils.c+                     , cbits/decaf/ed448goldilocks/scalar.c+                     , cbits/decaf/ed448goldilocks/decaf_all.c+                     , cbits/decaf/ed448goldilocks/eddsa.c++    include-dirs:      cbits/decaf/include/arch_ref64+                     , cbits/decaf/p448/arch_ref64+  else+    C-sources:         cbits/decaf/p448/arch_32/f_impl.c+                     , cbits/decaf/p448/f_generic.c+                     , cbits/decaf/p448/f_arithmetic.c+                     , cbits/decaf/utils.c+                     , cbits/decaf/ed448goldilocks/scalar.c+                     , cbits/decaf/ed448goldilocks/decaf_all.c+                     , cbits/decaf/ed448goldilocks/eddsa.c++    include-dirs:      cbits/decaf/include/arch_32+                     , cbits/decaf/p448/arch_32++  if arch(x86_64) || arch(aarch64)     C-sources: cbits/curve25519/curve25519-donna-c64.c   else     C-sources: cbits/curve25519/curve25519-donna.c@@ -276,9 +344,13 @@     c-sources:      cbits/cryptonite_rdrand.c    if flag(support_aesni) && (os(linux) || os(freebsd) || os(osx)) && (arch(i386) || arch(x86_64))-    CC-options:     -mssse3 -maes -DWITH_AESNI+    CC-options:     -DWITH_AESNI+    if !flag(use_target_attributes)+      CC-options:     -mssse3 -maes     if flag(support_pclmuldq)-       CC-options:  -msse4.1 -mpclmul -DWITH_PCLMUL+      CC-options:   -DWITH_PCLMUL+      if !flag(use_target_attributes)+        CC-options:     -msse4.1 -mpclmul     C-sources:       cbits/aes/x86ni.c                    , cbits/aes/generic.c                    , cbits/aes/gf.c@@ -288,7 +360,7 @@                    , cbits/aes/gf.c                    , cbits/cryptonite_aes.c -  if arch(x86_64) || flag(support_blake2_sse)+  if arch(x86_64) || flag(support_sse)     C-sources:      cbits/blake2/sse/blake2s.c                   , cbits/blake2/sse/blake2sp.c                   , cbits/blake2/sse/blake2b.c@@ -303,6 +375,8 @@    if arch(x86_64) || flag(support_sse)     CPP-options:    -DSUPPORT_SSE+    if arch(i386)+      CC-options:   -msse2    C-sources:      cbits/argon2/argon2.c   include-dirs:   cbits/argon2@@ -323,6 +397,8 @@     Build-depends:   deepseq   if flag(check_alignment)     cc-options:     -DWITH_ASSERT_ALIGNMENT+  if flag(use_target_attributes)+    cc-options:     -DWITH_TARGET_ATTRIBUTES  Test-Suite test-cryptonite   type:              exitcode-stdio-1.0@@ -331,25 +407,35 @@   Other-modules:     BlockCipher                      ChaCha                      BCrypt+                     BCryptPBKDF+                     ECC+                     ECC.Edwards25519+                     ECDSA                      Hash                      Imports                      KAT_AES.KATCBC                      KAT_AES.KATECB                      KAT_AES.KATGCM+                     KAT_AES.KATCCM                      KAT_AES.KATOCB3                      KAT_AES.KATXTS                      KAT_AES+                     KAT_AESGCMSIV                      KAT_AFIS                      KAT_Argon2                      KAT_Blowfish+                     KAT_CAST5                      KAT_Camellia                      KAT_Curve25519                      KAT_Curve448                      KAT_DES                      KAT_Ed25519+                     KAT_Ed448+                     KAT_EdDSA                      KAT_CMAC                      KAT_HKDF                      KAT_HMAC+                     KAT_KMAC                      KAT_MiyaguchiPreneel                      KAT_PBKDF2                      KAT_OTP@@ -359,10 +445,13 @@                      KAT_PubKey.OAEP                      KAT_PubKey.PSS                      KAT_PubKey.P256+                     KAT_PubKey.RSA+                     KAT_PubKey.Rabin                      KAT_PubKey                      KAT_RC4                      KAT_Scrypt                      KAT_TripleDES+                     KAT_Twofish                      ChaChaPoly1305                      Number                      Number.F2m@@ -371,7 +460,7 @@                      Salsa                      Utils                      XSalsa-  Build-Depends:     base >= 3 && < 5+  Build-Depends:     base >= 0 && < 10                    , bytestring                    , memory                    , tasty@@ -379,5 +468,20 @@                    , tasty-hunit                    , tasty-kat                    , cryptonite-  ghc-options:       -Wall -fno-warn-orphans -fno-warn-missing-signatures -fno-warn-unused-imports -rtsopts+  ghc-options:       -Wall -fno-warn-orphans -fno-warn-missing-signatures -rtsopts+  default-language:  Haskell2010++Benchmark bench-cryptonite+  type:              exitcode-stdio-1.0+  hs-source-dirs:    benchs+  Main-is:           Bench.hs+  Other-modules:     Number.F2m+  Build-Depends:     base+                   , bytestring+                   , deepseq+                   , memory+                   , gauge+                   , random+                   , cryptonite+  ghc-options:       -Wall -fno-warn-missing-signatures   default-language:  Haskell2010
tests/BCrypt.hs view
@@ -75,4 +75,8 @@ tests = testGroup "bcrypt"     [ testGroup "KATs" makeKATs     , testCase "Invalid hash length" (assertEqual "" (Left "Invalid hash format") (validatePasswordEither B.empty ("$2a$06$DCq7YPn5Rq63x1Lad4cll.TV4S6ytwfsfvkgY8jIucDrjc8deX1s" :: B.ByteString)))+    , testCase "Hash and validate" (assertBool "Hashed password should validate" (validatePassword somePassword (bcrypt 5 aSalt somePassword :: B.ByteString)))     ]+  where+    somePassword = "some password" :: B.ByteString+    aSalt = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f" :: B.ByteString
+ tests/BCryptPBKDF.hs view
@@ -0,0 +1,75 @@+{-# LANGUAGE OverloadedStrings #-}++module BCryptPBKDF (tests) where++import qualified Data.ByteString        as B++import           Test.Tasty+import           Test.Tasty.HUnit++import           Crypto.KDF.BCryptPBKDF (Parameters (..), generate,+                                         hashInternal)++tests :: TestTree+tests = testGroup "BCryptPBKDF"+    [ testGroup "generate"+        [ testCase "1" generate1+        , testCase "2" generate2+        , testCase "3" generate3+        ]+    , testGroup "hashInternal"+        [ testCase "1" hashInternal1+        ]+    ]+  where+    -- test vector taken from the go implementation by @dchest+    generate1 = expected @=? generate params pass salt+        where+            params   = Parameters 12 32+            pass     = "password" :: B.ByteString+            salt     = "salt"     :: B.ByteString+            expected = B.pack+                [ 0x1a, 0xe4, 0x2c, 0x05, 0xd4, 0x87, 0xbc, 0x02+                , 0xf6, 0x49, 0x21, 0xa4, 0xeb, 0xe4, 0xea, 0x93+                , 0xbc, 0xac, 0xfe, 0x13, 0x5f, 0xda, 0x99, 0x97+                , 0x4c, 0x06, 0xb7, 0xb0, 0x1f, 0xae, 0x14, 0x9a+                ] :: B.ByteString++    -- test vector generated with the go implemenation by @dchest+    generate2 = expected @=? generate params pass salt+        where+            params   = Parameters 7 71+            pass     = "DieWuerdeDesMenschenIstUnantastbar" :: B.ByteString+            salt     = "Tafelsalz"                          :: B.ByteString+            expected = B.pack+                [ 0x17, 0xb4, 0x76, 0xaa, 0xd7, 0x42, 0x33, 0x49+                , 0x5c, 0xe8, 0x79, 0x49, 0x15, 0x74, 0x4c, 0x71+                , 0xf9, 0x99, 0x66, 0x89, 0x7a, 0x60, 0xc3, 0x70+                , 0xb4, 0x3c, 0xa8, 0x83, 0x80, 0x5a, 0x56, 0xde+                , 0x38, 0xbc, 0x51, 0x8c, 0xd4, 0xeb, 0xd1, 0xcf+                , 0x46, 0x0a, 0x68, 0x3d, 0xc8, 0x12, 0xcf, 0xf8+                , 0x43, 0xce, 0x21, 0x9d, 0x98, 0x81, 0x20, 0x26+                , 0x6e, 0x42, 0x0f, 0xaa, 0x75, 0x5d, 0x09, 0x8d+                , 0x45, 0xda, 0xd5, 0x15, 0x6e, 0x65, 0x1d+                ] :: B.ByteString++    -- test vector generated with the go implemenation by @dchest+    generate3 = expected @=? generate params pass salt+        where+            params    = Parameters 5 5+            pass      = "ABC" :: B.ByteString+            salt      = "DEF" :: B.ByteString+            expected  = B.pack+                [ 0xdd, 0x6e, 0xa0, 0x69, 0x29+                ] :: B.ByteString++    hashInternal1 = expected @=? hashInternal passHash saltHash+        where+            passHash = B.pack [ 0  ..  63 ] :: B.ByteString+            saltHash = B.pack [ 64 .. 127 ] :: B.ByteString+            expected = B.pack+                [ 0x87, 0x90, 0x48, 0x70, 0xee, 0xf9, 0xde, 0xdd+                , 0xf8, 0xe7, 0x61, 0x1a, 0x14, 0x01, 0x06, 0xe6+                , 0xaa, 0xf1, 0xa3, 0x63, 0xd9, 0xa2, 0xc5, 0x04+                , 0xdb, 0x35, 0x64, 0x43, 0x72, 0x1e, 0xb5, 0x55+                ] :: B.ByteString
tests/BlockCipher.hs view
@@ -16,8 +16,8 @@ import           Data.Maybe import           Crypto.Error import           Crypto.Cipher.Types-import           Data.ByteArray as B hiding (pack, null)-import qualified Data.ByteString as B+import           Data.ByteArray as B hiding (pack, null, length)+import qualified Data.ByteString as B hiding (all, take, replicate)  ------------------------------------------------------------------------ -- KAT@@ -161,7 +161,7 @@      ++ maybeGroup makeCFBTest "CFB" (kat_CFB kats)      ++ maybeGroup makeCTRTest "CTR" (kat_CTR kats)      -- ++ maybeGroup makeXTSTest "XTS" (kat_XTS kats)-     -- ++ maybeGroup makeAEADTest "AEAD" (kat_AEAD kats)+     ++ maybeGroup makeAEADTest "AEAD" (kat_AEAD kats)     )   where makeECBTest i d =             [ testCase ("E" ++ i) (ecbEncrypt ctx (ecbPlaintext d) @?= ecbCiphertext d)@@ -191,25 +191,24 @@             [ testCase ("E" ++ i) (xtsEncrypt ctx iv 0 (xtsPlaintext d) @?= xtsCiphertext d)             , testCase ("D" ++ i) (xtsDecrypt ctx iv 0 (xtsCiphertext d) @?= xtsPlaintext d)             ]-          where ctx1 = cipherInit (cipherMakeKey cipher $ xtsKey1 d)-                ctx2 = cipherInit (cipherMakeKey cipher $ xtsKey2 d)+          where ctx1 = cipherInitNoErr (cipherMakeKey cipher $ xtsKey1 d)+                ctx2 = cipherInitNoErr (cipherMakeKey cipher $ xtsKey2 d)                 ctx  = (ctx1, ctx2)                 iv   = cipherMakeIV cipher $ xtsIV d+-}         makeAEADTest i d =-            [ testCase ("AE" ++ i) (etag @?= aeadTag d)-            , testCase ("AD" ++ i) (dtag @?= aeadTag d)+            [ testCase ("AE" ++ i) (etag @?= AuthTag (B.convert (aeadTag d)))+            , testCase ("AD" ++ i) (dtag @?= AuthTag (B.convert (aeadTag d)))             , testCase ("E" ++ i)  (ebs @?= aeadCiphertext d)             , testCase ("D" ++ i)  (dbs @?= aeadPlaintext d)             ]-          where ctx  = cipherInit (cipherMakeKey cipher $ aeadKey d)-                aead = maybe (error $ "cipher doesn't support aead mode: " ++ show (aeadMode d)) id-                     $ aeadInit (aeadMode d) ctx (aeadIV d)+          where ctx  = cipherInitNoErr (cipherMakeKey cipher $ aeadKey d)+                aead = aeadInitNoErr (aeadMode d) ctx (aeadIV d)                 aeadHeaded     = aeadAppendHeader aead (aeadHeader d)                 (ebs,aeadEFinal) = aeadEncrypt aeadHeaded (aeadPlaintext d)                 (dbs,aeadDFinal) = aeadDecrypt aeadHeaded (aeadCiphertext d)                 etag = aeadFinalize aeadEFinal (aeadTaglen d)                 dtag = aeadFinalize aeadDFinal (aeadTaglen d)--}          cipherInitNoErr :: BlockCipher c => Key c -> c         cipherInitNoErr (Key k) =@@ -217,6 +216,11 @@                 CryptoPassed a -> a                 CryptoFailed e -> error (show e) +        aeadInitNoErr :: (ByteArrayAccess iv, BlockCipher cipher) => AEADMode -> cipher -> iv -> AEAD cipher+        aeadInitNoErr mode ct iv =+            case aeadInit mode ct iv of+                CryptoPassed a -> a+                CryptoFailed _ -> error $ "cipher doesn't support aead mode: " ++ show mode ------------------------------------------------------------------------ -- Properties ------------------------------------------------------------------------@@ -389,7 +393,7 @@ testBlockCipherAEAD :: BlockCipher a => a -> [TestTree] testBlockCipherAEAD cipher =     [ testProperty "OCB" (aeadProp AEAD_OCB)-    , testProperty "CCM" (aeadProp AEAD_CCM)+    , testProperty "CCM" (aeadProp (AEAD_CCM 0 CCM_M16 CCM_L2))     , testProperty "EAX" (aeadProp AEAD_EAX)     , testProperty "CWC" (aeadProp AEAD_CWC)     , testProperty "GCM" (aeadProp AEAD_GCM)@@ -398,7 +402,7 @@         toTests :: BlockCipher a => a -> (AEADMode -> AEADUnit a -> Bool)         toTests _ = testProperty_AEAD         testProperty_AEAD mode (AEADUnit key testIV (unPlaintext -> aad) (unPlaintext -> plaintext)) = withCtx key $ \ctx ->-            case aeadInit mode ctx testIV of+            case aeadInit mode' ctx iv' of                 CryptoPassed iniAead ->                     let aead           = aeadAppendHeader iniAead aad                         (eText, aeadE) = aeadEncrypt aead plaintext@@ -409,6 +413,10 @@                 CryptoFailed err                     | err == CryptoError_AEADModeNotSupported -> True                     | otherwise                               -> error ("testProperty_AEAD: " ++ show err)+            where (mode', iv') = updateCcmInputSize mode (B.length plaintext) testIV+                  updateCcmInputSize aeadmode k iv = case aeadmode of+                    AEAD_CCM _ m l -> (AEAD_CCM k m l, B.take 13 (iv <> (B.replicate 15 0)))+                    aeadOther      -> (aeadOther, iv)  withCtx :: Cipher c => Key c -> (c -> a) -> a withCtx (Key key) f =@@ -437,11 +445,33 @@         (testBlockCipherBasic cipher ++ testBlockCipherModes cipher ++ testBlockCipherAEAD cipher)     ] +-- | Test IV arithmetic (based on the cipher block size)+testIvArith :: BlockCipher a => a -> [TestTree]+testIvArith cipher =+    [ testCase "nullIV is null" $+          True @=? B.all (== 0) (ivNull cipher)+    , testProperty "ivAdd is linear" $ \a b -> do+          iv <- generateIvFromCipher cipher+          return $ ivAdd iv (a + b) `propertyEq` ivAdd (ivAdd iv a) b+    ]+  where+    ivNull :: BlockCipher a => a -> IV a+    ivNull = const nullIV++    -- uses IV pattern <00 .. 00 FF .. FF> to test carry propagation+    generateIvFromCipher :: BlockCipher a => a -> Gen (IV a)+    generateIvFromCipher c = do+        let n = blockSize c+        i <- choose (0, n)+        let zeros = Prelude.replicate (n - i) 0x00+            ones  = Prelude.replicate i 0xFF+        return $ cipherMakeIV c (B.pack $ zeros ++ ones)+ -- | Return tests for a specific blockcipher and a list of KATs testBlockCipher :: BlockCipher a => KATs -> a -> TestTree testBlockCipher kats cipher = testGroup (cipherName cipher)     (  (if kats == defaultKATs  then [] else [testKATs kats cipher])-    ++ testModes cipher+    ++ testModes cipher ++ testIvArith cipher     )  cipherMakeKey :: Cipher cipher => cipher -> ByteString -> Key cipher
+ tests/ECC.hs view
@@ -0,0 +1,343 @@+{-# LANGUAGE ExistentialQuantification #-}+{-# LANGUAGE FlexibleContexts #-}+{-# LANGUAGE OverloadedStrings #-}+module ECC (tests) where++import           Crypto.Error+import qualified Crypto.ECC as ECC++import           Data.ByteArray.Encoding++import Imports++data Curve = forall curve. (ECC.EllipticCurveDH curve, Show curve, Eq (ECC.Point curve)) => Curve curve++instance Show Curve where+    showsPrec d (Curve curve) = showsPrec d curve++instance Arbitrary Curve where+    arbitrary = elements+        [ Curve ECC.Curve_P256R1+        , Curve ECC.Curve_P384R1+        , Curve ECC.Curve_P521R1+        , Curve ECC.Curve_X25519+        , Curve ECC.Curve_X448+        ]++data CurveArith = forall curve. (ECC.EllipticCurveBasepointArith curve, Show curve) => CurveArith curve++instance Show CurveArith where+    showsPrec d (CurveArith curve) = showsPrec d curve++instance Arbitrary CurveArith where+    arbitrary = elements+        [ CurveArith ECC.Curve_P256R1+        , CurveArith ECC.Curve_P384R1+        , CurveArith ECC.Curve_P521R1+        , CurveArith ECC.Curve_Edwards25519+        ]++data VectorPoint = VectorPoint+    { vpCurve :: Curve+    , vpHex   :: ByteString+    , vpError :: Maybe CryptoError+    }++vectorsPoint =+    [ VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = ""+        , vpError = Just CryptoError_PointSizeInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "00"+        , vpError = Just CryptoError_PointFormatInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "0408edd7b50085a952172228aca391beebe9ba942a0ae9eb15bcc8d50795d1a5505221c7b9b3bb4310f165fc3ac3114339db8170ceae6697e0f9736698b33551b8"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "04216f25b00717d46deef3402628f6abf265bfa12aea515ae8f100ce415e251e72cd5cd8f47f613a0f4e0f4f9410dd9c85c149cffcb320c2d52bf550a397ec92e5"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "0421eba6080610926609bb8d52afd3331ed1b07e0ba4c1441a118b62497d3e85f39a50c865027cdd84298cdf094b7818f2a65ae59f46c971a32ab4ea3c2c93c959"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "0400d7fc4050dfe73475502d5d1fadc105d7725508f48da2cd4729bf191fd6490a0001a16f417a27530e756efeb4a228f02db878072b9f833e99a2821d85fa78fc"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "040000fc4050dfe73475502d5d1fadc105d7725508f48da2cd4729bf191fd6490a0001a16f417a27530e756efeb4a228f02db878072b9f833e99a2821d85fa78fc"+        , vpError = Just CryptoError_PointCoordinatesInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "04d7fc4050dfe73475502d5d1fadc105d7725508f48da2cd4729bf191fd6490a01a16f417a27530e756efeb4a228f02db878072b9f833e99a2821d85fa78fc"+        , vpError = Just CryptoError_PublicKeySizeInvalid -- tests leading zeros+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P256R1+        , vpHex   = "040000d7fc4050dfe73475502d5d1fadc105d7725508f48da2cd4729bf191fd6490a000001a16f417a27530e756efeb4a228f02db878072b9f833e99a2821d85fa78fc"+        , vpError = Just CryptoError_PublicKeySizeInvalid -- tests leading zeros+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = ""+        , vpError = Just CryptoError_PointSizeInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "00"+        , vpError = Just CryptoError_PointFormatInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "0409281a103fb1773445e16eec86adb095e32928ccc9c806bd210c649712813bdb6cab40163a8cb163b578ea8dda5eb32cfb5208ebf0d31a6c590fa92f5a61f32dbc0d518b166ea5a9adf9dd21c1bd09932ca21c6a5725ca89542ac57b6a9eca6f"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "040c7b3fb575c1db7bc61fe7a456cc34a8289f41e167938a56e5ba2787723f3de2c645112705e13ed24f477730173935ca4e0ff468e7e0acf78a9f59dadff8193a0e23789eb3737730c089b27a0f94de7d95b8db4466d017fb21a5710d6ca85775"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "0438e7705220b60460194be63d21c8945be2a211957168fa60f26b2ad4e8f5cd96a7779e7edff4deda9ded63243c2127e273d4444edaaba03b79b6caafc5033432af13776f851c0c7e1080c60d7ee3b61740720ab98461813dab5fb8c31bfa9ed9"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "04000836bf09614bf5b3c0ffe9b0822a2cc109a90b13d4d3510ce14f766e7d90875ec4bc8d6bee11fc1fdf97473a67884c00b1e2685367bdb846c95181b0f35a35cfbee04451122cc55a1e363acaa6c002e71b0b6ff7d0f5dc830a32f0e5086189"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "04000036bf09614bf5b3c0ffe9b0822a2cc109a90b13d4d3510ce14f766e7d90875ec4bc8d6bee11fc1fdf97473a67884c00b1e2685367bdb846c95181b0f35a35cfbee04451122cc55a1e363acaa6c002e71b0b6ff7d0f5dc830a32f0e5086189"+        , vpError = Just CryptoError_PointCoordinatesInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "040836bf09614bf5b3c0ffe9b0822a2cc109a90b13d4d3510ce14f766e7d90875ec4bc8d6bee11fc1fdf97473a67884cb1e2685367bdb846c95181b0f35a35cfbee04451122cc55a1e363acaa6c002e71b0b6ff7d0f5dc830a32f0e5086189"+        , vpError = Nothing -- ignores leading zeros+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P384R1+        , vpHex   = "0400000836bf09614bf5b3c0ffe9b0822a2cc109a90b13d4d3510ce14f766e7d90875ec4bc8d6bee11fc1fdf97473a67884c0000b1e2685367bdb846c95181b0f35a35cfbee04451122cc55a1e363acaa6c002e71b0b6ff7d0f5dc830a32f0e5086189"+        , vpError = Nothing -- ignores leading zeros+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = ""+        , vpError = Just CryptoError_PointSizeInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "00"+        , vpError = Just CryptoError_PointFormatInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "04000ce5c207335134567026063743df82c1b551a009cf616471f0e23fa9767a50cc7f8771ef13a65c49ce7e1cd1ac3ad721dcc3ddd35f98ae5d380a0832f87a9f0ca4012914911d6bea7f3c481d694fb1645be27c7b66b09b28e261f8030b3fb8206f6a95f6ad73db755765b64f592a799234f8f451cb787abe95b1a54991a799ad0d69da"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "04003a5e6c1ce3a6a323757005da17b357db991bd1ad835e6201411f458b5c2edb3c66786b727b7e15fbad7dd74a4b0eb542183b5242e5952061cb85e7229353eb0dc300aac2dbd5232d582481ba7a59a993eb04c4466a1b17ba0015b65c616ce8703e70880969d8d58e633acb29c3ca017eb1b88649387b867466090ce1a57c2b4f8376bb"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "04003e0659fe9498695a3d8c88b8e25fa8133c30ab10eccbe9094344c99924f89fb69d9b3acf03bf438328f9cba55fa28a05be9a7e18780706b3728abfee2592aeb86d0001ea5ff64f2ca7a6453c79f80550e971843e073f4f8fec75bad2e52a4483ebf1f16f43d0de27e1967ea22f9722527652fa74439fdc03a569fba29e2d6f7c012db6"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "040043f91fd92d9ccd6d5584b265a2a775d222f4a41ff98190677d985e0889737cbe631d525835fe04faffcdebeccb783538280f4600ae82347b0470583abd9def306000a2e9bdc34f42b134517fc1e961befea0affd1f9666361a039192082a892dd722931d5865b62b69d7369e74895120e540cb10030cccb6049d809fbcf3f54537b378"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "040000f91fd92d9ccd6d5584b265a2a775d222f4a41ff98190677d985e0889737cbe631d525835fe04faffcdebeccb783538280f4600ae82347b0470583abd9def306000a2e9bdc34f42b134517fc1e961befea0affd1f9666361a039192082a892dd722931d5865b62b69d7369e74895120e540cb10030cccb6049d809fbcf3f54537b378"+        , vpError = Just CryptoError_PointCoordinatesInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "0443f91fd92d9ccd6d5584b265a2a775d222f4a41ff98190677d985e0889737cbe631d525835fe04faffcdebeccb783538280f4600ae82347b0470583abd9def3060a2e9bdc34f42b134517fc1e961befea0affd1f9666361a039192082a892dd722931d5865b62b69d7369e74895120e540cb10030cccb6049d809fbcf3f54537b378"+        , vpError = Nothing -- ignores leading zeros+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_P521R1+        , vpHex   = "04000043f91fd92d9ccd6d5584b265a2a775d222f4a41ff98190677d985e0889737cbe631d525835fe04faffcdebeccb783538280f4600ae82347b0470583abd9def30600000a2e9bdc34f42b134517fc1e961befea0affd1f9666361a039192082a892dd722931d5865b62b69d7369e74895120e540cb10030cccb6049d809fbcf3f54537b378"+        , vpError = Nothing -- ignores leading zeros+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = ""+        , vpError = Just CryptoError_PublicKeySizeInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "22cd98c65fb50db3be0d6d359456c0cd3516952a6e7229ff672893944f703f10"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "23cd98c65fb50db3be0d6d359456c0cd3516952a6e7229ff672893944f703f10"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "0023cd98c65fb50db3be0d6d359456c0cd3516952a6e7229ff672893944f703f10"+        , vpError = Just CryptoError_PublicKeySizeInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X448+        , vpHex   = ""+        , vpError = Just CryptoError_PublicKeySizeInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X448+        , vpHex   = "2b162c2fef165ecbb203e40975ae4424f0f8db25ab582cb96b2e5ffe90a31798b35480b594c99dc32b437e61a74f792d8ecf5fc3e8cfeb75"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X448+        , vpHex   = "2c162c2fef165ecbb203e40975ae4424f0f8db25ab582cb96b2e5ffe90a31798b35480b594c99dc32b437e61a74f792d8ecf5fc3e8cfeb75"+        , vpError = Nothing+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X448+        , vpHex   = "002c162c2fef165ecbb203e40975ae4424f0f8db25ab582cb96b2e5ffe90a31798b35480b594c99dc32b437e61a74f792d8ecf5fc3e8cfeb75"+        , vpError = Just CryptoError_PublicKeySizeInvalid+        }+    ]++vectorsWeakPoint =+    [ VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "0000000000000000000000000000000000000000000000000000000000000000"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "0100000000000000000000000000000000000000000000000000000000000000"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "e0eb7a7c3b41b8ae1656e3faf19fc46ada098deb9c32b1fd866205165f49b800"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "5f9c95bca3508c24b1d0b1559c83ef5b04445cc4581c8e86d8224eddd09f1157"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X25519+        , vpHex   = "eeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X448+        , vpHex   = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    , VectorPoint+        { vpCurve = Curve ECC.Curve_X448+        , vpHex   = "0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"+        , vpError = Just CryptoError_ScalarMultiplicationInvalid+        }+    ]++vpEncodedPoint :: VectorPoint -> ByteString+vpEncodedPoint vector = let Right bs = convertFromBase Base16 (vpHex vector) in bs++cryptoError :: CryptoFailable a -> Maybe CryptoError+cryptoError = onCryptoFailure Just (const Nothing)++doPointDecodeTest i vector =+    case vpCurve vector of+        Curve curve ->+            let prx = Just curve -- using Maybe as Proxy+             in testCase (show i) (vpError vector @=? cryptoError (ECC.decodePoint prx $ vpEncodedPoint vector))++doWeakPointECDHTest i vector =+    case vpCurve vector of+        Curve curve -> testCase (show i) $ do+            let prx = Just curve -- using Maybe as Proxy+                CryptoPassed public = ECC.decodePoint prx $ vpEncodedPoint vector+            keyPair <- ECC.curveGenerateKeyPair prx+            vpError vector @=? cryptoError (ECC.ecdh prx (ECC.keypairGetPrivate keyPair) public)++tests = testGroup "ECC"+    [ testGroup "decodePoint" $ zipWith doPointDecodeTest [katZero..] vectorsPoint+    , testGroup "ECDH weak points" $ zipWith doWeakPointECDHTest [katZero..] vectorsWeakPoint+    , testGroup "property"+        [ testProperty "decodePoint.encodePoint==id" $ \testDRG (Curve curve) ->+            let prx = Just curve -- using Maybe as Proxy+                keyPair = withTestDRG testDRG $ ECC.curveGenerateKeyPair prx+                p1 = ECC.keypairGetPublic keyPair+                bs = ECC.encodePoint prx p1 :: ByteString+                p2 = ECC.decodePoint prx bs+             in CryptoPassed p1 == p2+        , localOption (QuickCheckTests 20) $ testProperty "ECDH commutes" $ \testDRG (Curve curve) ->+            let prx = Just curve -- using Maybe as Proxy+                (alice, bob) = withTestDRG testDRG $+                                   (,) <$> ECC.curveGenerateKeyPair prx+                                       <*> ECC.curveGenerateKeyPair prx+                aliceShared  = ECC.ecdh    prx (ECC.keypairGetPrivate alice) (ECC.keypairGetPublic bob)+                bobShared    = ECC.ecdh    prx (ECC.keypairGetPrivate bob) (ECC.keypairGetPublic alice)+                aliceShared' = ECC.ecdhRaw prx (ECC.keypairGetPrivate alice) (ECC.keypairGetPublic bob)+                bobShared'   = ECC.ecdhRaw prx (ECC.keypairGetPrivate bob) (ECC.keypairGetPublic alice)+             in aliceShared == bobShared && aliceShared == CryptoPassed aliceShared'+                                         && bobShared   == CryptoPassed bobShared'+        , testProperty "decodeScalar.encodeScalar==id" $ \testDRG (CurveArith curve) ->+            let prx = Just curve -- using Maybe as Proxy+                s1 = withTestDRG testDRG $ ECC.curveGenerateScalar prx+                bs = ECC.encodeScalar prx s1 :: ByteString+                s2 = ECC.decodeScalar prx bs+             in CryptoPassed s1 == s2+        , testProperty "scalarFromInteger.scalarToInteger==id" $ \testDRG (CurveArith curve) ->+            let prx = Just curve -- using Maybe as Proxy+                s1 = withTestDRG testDRG $ ECC.curveGenerateScalar prx+                bs = ECC.scalarToInteger prx s1+                s2 = ECC.scalarFromInteger prx bs+             in CryptoPassed s1 == s2+        , localOption (QuickCheckTests 20) $ testProperty "(a + b).P = a.P + b.P" $ \testDRG (CurveArith curve) ->+            let prx = Just curve -- using Maybe as Proxy+                (s, a, b) = withTestDRG testDRG $+                                (,,) <$> ECC.curveGenerateScalar prx+                                     <*> ECC.curveGenerateScalar prx+                                     <*> ECC.curveGenerateScalar prx+                p = ECC.pointBaseSmul prx s+             in ECC.pointSmul prx (ECC.scalarAdd prx a b) p == ECC.pointAdd prx (ECC.pointSmul prx a p) (ECC.pointSmul prx b p)+        , localOption (QuickCheckTests 20) $ testProperty "(a * b).P = a.(b.P)" $ \testDRG (CurveArith curve) ->+            let prx = Just curve -- using Maybe as Proxy+                (s, a, b) = withTestDRG testDRG $+                                (,,) <$> ECC.curveGenerateScalar prx+                                     <*> ECC.curveGenerateScalar prx+                                     <*> ECC.curveGenerateScalar prx+                p = ECC.pointBaseSmul prx s+             in ECC.pointSmul prx (ECC.scalarMul prx a b) p == ECC.pointSmul prx a (ECC.pointSmul prx b p)+        ]+    ]
+ tests/ECC/Edwards25519.hs view
@@ -0,0 +1,147 @@+{-# LANGUAGE OverloadedStrings #-}+module ECC.Edwards25519 ( tests ) where++import           Crypto.Error+import           Crypto.ECC.Edwards25519+import qualified Data.ByteString as B+import           Data.Word (Word8)+import           Imports++instance Arbitrary Scalar where+    arbitrary = fmap (throwCryptoError . scalarDecodeLong)+                     (arbitraryBS 64)++smallScalar :: Word8 -> Scalar+smallScalar = throwCryptoError . scalarDecodeLong . B.singleton++newtype PrimeOrder = PrimeOrder Point+    deriving Show++-- points in the prime-order subgroup+instance Arbitrary PrimeOrder where+    arbitrary = (PrimeOrder . toPoint) `fmap` arbitrary++-- arbitrary curve point, including points with a torsion component+instance Arbitrary Point where+    arbitrary = do a <- arbitrary+                   b <- elements $ map smallScalar [0 .. 7]+                   return (pointsMulVarTime a b torsion8)++-- an 8-torsion point+torsion8 :: Point+torsion8 = throwCryptoError $ pointDecode ("\199\ETBjp=M\216O\186<\vv\r\DLEg\SI* S\250,9\204\198N\199\253w\146\172\ETXz" :: ByteString)++tests = testGroup "ECC.Edwards25519"+    [ testGroup "vectors"+        [ testCase "11*G"         $ p011 @=? toPoint s011+        , testCase "123*G"        $ p123 @=? toPoint s123+        , testCase "134*G"        $ p134 @=? toPoint s134+        , testCase "123*G + 11*G" $ p134 @=? pointAdd p123 p011+        ]+    , testGroup "scalar arithmetic"+        [ testProperty "scalarDecodeLong.scalarEncode==id" $ \s ->+            let bs = scalarEncode s :: ByteString+                ss = scalarDecodeLong bs+             in CryptoPassed s `propertyEq` ss+        , testCase "curve order" $ s0 @=? sN+        , testProperty "addition with zero" $ \s ->+            propertyHold [ eqTest "zero left"  s (scalarAdd s0 s)+                         , eqTest "zero right" s (scalarAdd s s0)+                         ]+        , testProperty "addition associative" $ \sa sb sc ->+            scalarAdd sa (scalarAdd sb sc) === scalarAdd (scalarAdd sa sb) sc+        , testProperty "addition commutative" $ \sa sb ->+            scalarAdd sa sb === scalarAdd sb sa+        , testProperty "multiplication with zero" $ \s ->+            propertyHold [ eqTest "zero left"  s0 (scalarMul s0 s)+                         , eqTest "zero right" s0 (scalarMul s s0)+                         ]+        , testProperty "multiplication with one" $ \s ->+            propertyHold [ eqTest "one left"  s (scalarMul s1 s)+                         , eqTest "one right" s (scalarMul s s1)+                         ]+        , testProperty "multiplication associative" $ \sa sb sc ->+            scalarMul sa (scalarMul sb sc) === scalarMul (scalarMul sa sb) sc+        , testProperty "multiplication commutative" $ \sa sb ->+            scalarMul sa sb === scalarMul sb sa+        , testProperty "multiplication distributive" $ \sa sb sc ->+            propertyHold [ eqTest "distributive left"  ((sa `scalarMul` sb) `scalarAdd` (sa `scalarMul` sc))+                                                       (sa `scalarMul` (sb `scalarAdd` sc))+                         , eqTest "distributive right" ((sb `scalarMul` sa) `scalarAdd` (sc `scalarMul` sa))+                                                       ((sb `scalarAdd` sc) `scalarMul` sa)+                         ]+        ]+    , testGroup "point arithmetic"+        [ testProperty "pointDecode.pointEncode==id" $ \p ->+            let bs = pointEncode p :: ByteString+                p' = pointDecode bs+             in CryptoPassed p `propertyEq` p'+        , testProperty "pointEncode.pointDecode==id" $ \p ->+            let b  = pointEncode p :: ByteString+                p' = pointDecode b+                b' = pointEncode `fmap` p'+             in CryptoPassed b `propertyEq` b'+        , testProperty "addition with identity" $ \p ->+            propertyHold [ eqTest "identity left"  p (pointAdd p0 p)+                         , eqTest "identity right" p (pointAdd p p0)+                         ]+        , testProperty "addition associative" $ \pa pb pc ->+            pointAdd pa (pointAdd pb pc) === pointAdd (pointAdd pa pb) pc+        , testProperty "addition commutative" $ \pa pb ->+            pointAdd pa pb === pointAdd pb pa+        , testProperty "negation" $ \p ->+            p0 `propertyEq` pointAdd p (pointNegate p)+        , testProperty "doubling" $ \p ->+            pointAdd p p `propertyEq` pointDouble p+        , testProperty "multiplication by cofactor" $ \p ->+            pointMul s8 p `propertyEq` pointMulByCofactor p+        , testProperty "prime order" $ \(PrimeOrder p) ->+            True `propertyEq` pointHasPrimeOrder p+        , testCase "8-torsion point" $ do+            assertBool "mul by 4" $ p0 /= pointMul s4 torsion8+            assertBool "mul by 8" $ p0 == pointMul s8 torsion8+        , testProperty "scalarmult with zero" $ \p ->+            p0 `propertyEq` pointMul s0 p+        , testProperty "scalarmult with one" $ \p ->+            p `propertyEq` pointMul s1 p+        , testProperty "scalarmult with two" $ \p ->+            pointDouble p `propertyEq` pointMul s2 p+        , testProperty "scalarmult with curve order - 1" $ \p ->+            pointHasPrimeOrder p === (pointNegate p == pointMul sI p)+        , testProperty "scalarmult commutative" $ \a b ->+            pointMul a (toPoint b) === pointMul b (toPoint a)+        , testProperty "scalarmult distributive" $ \x y (PrimeOrder p) ->+            let pR = pointMul x p `pointAdd` pointMul y p+             in pR `propertyEq` pointMul (x `scalarAdd` y) p+        , testProperty "double scalarmult" $ \n1 n2 p ->+            let pR = pointAdd (toPoint n1) (pointMul n2 p)+             in pR `propertyEq` pointsMulVarTime n1 n2 p+        ]+    ]+  where+    p0 = toPoint s0+    s0 = smallScalar 0+    s1 = smallScalar 1+    s2 = smallScalar 2+    s4 = smallScalar 4+    s8 = smallScalar 8+    sI = throwCryptoError $ scalarDecodeLong ("\236\211\245\\\SUBc\DC2X\214\156\247\162\222\249\222\DC4\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\DLE" :: ByteString)+    sN = throwCryptoError $ scalarDecodeLong ("\237\211\245\\\SUBc\DC2X\214\156\247\162\222\249\222\DC4\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\NUL\DLE" :: ByteString)++    s011 = throwCryptoError $ scalarDecodeLong ("\011" :: ByteString)+    s123 = throwCryptoError $ scalarDecodeLong ("\123" :: ByteString)+    s134 = throwCryptoError $ scalarDecodeLong ("\134" :: ByteString)++    p011 = throwCryptoError $ pointDecode ("\x13\x37\x03\x6a\xc3\x2d\x8f\x30\xd4\x58\x9c\x3c\x1c\x59\x58\x12\xce\x0f\xff\x40\xe3\x7c\x6f\x5a\x97\xab\x21\x3f\x31\x82\x90\xad" :: ByteString)+    p123 = throwCryptoError $ pointDecode ("\xc4\xb8\x00\xc8\x70\x10\xf9\x46\x83\x03\xde\xea\x87\x65\x03\xe8\x86\xbf\xde\x19\x00\xe9\xe8\x46\xfd\x4c\x3c\xd0\x9c\x1c\xbc\x9f" :: ByteString)+    p134 = throwCryptoError $ pointDecode ("\x51\x20\xab\xe0\x3c\xa2\xaf\x66\xc7\x7c\xa3\x20\xf0\xb2\x1f\xb5\x56\xf6\xb6\x5f\xdd\x7e\x32\x64\xc1\x4a\x30\xd9\x7b\xf7\xa7\x6f" :: ByteString)++    -- Using <http://cr.yp.to/python/py>:+    --+    -- >>> import ed25519+    -- >>> encodepoint(scalarmult(B, 11)).encode('hex')+    -- '1337036ac32d8f30d4589c3c1c595812ce0fff40e37c6f5a97ab213f318290ad'+    -- >>> encodepoint(scalarmult(B, 123)).encode('hex')+    -- 'c4b800c87010f9468303deea876503e886bfde1900e9e846fd4c3cd09c1cbc9f'+    -- >>> encodepoint(scalarmult(B, 134)).encode('hex')+    -- '5120abe03ca2af66c77ca320f0b21fb556f6b65fdd7e3264c14a30d97bf7a76f'
+ tests/ECDSA.hs view
@@ -0,0 +1,61 @@+{-# LANGUAGE ExistentialQuantification #-}+{-# LANGUAGE FlexibleContexts #-}+module ECDSA (tests) where++import qualified Crypto.ECC as ECDSA+import qualified Crypto.PubKey.ECC.ECDSA as ECC+import qualified Crypto.PubKey.ECC.Types as ECC+import qualified Crypto.PubKey.ECDSA as ECDSA+import Crypto.Hash.Algorithms+import Crypto.Error+import qualified Data.ByteString as B++import Imports++data Curve = forall curve. (ECDSA.EllipticCurveECDSA curve, Show (ECDSA.Scalar curve)) => Curve curve ECC.Curve ECC.CurveName++instance Show Curve where+    showsPrec d (Curve _ _ name) = showsPrec d name++instance Arbitrary Curve where+    arbitrary = elements+        [ makeCurve ECDSA.Curve_P256R1 ECC.SEC_p256r1+        , makeCurve ECDSA.Curve_P384R1 ECC.SEC_p384r1+        , makeCurve ECDSA.Curve_P521R1 ECC.SEC_p521r1+        ]+      where+        makeCurve c name = Curve c (ECC.getCurveByName name) name++arbitraryScalar curve = choose (1, n - 1)+  where n = ECC.ecc_n (ECC.common_curve curve)++sigECCToECDSA :: ECDSA.EllipticCurveECDSA curve+              => proxy curve -> ECC.Signature -> ECDSA.Signature curve+sigECCToECDSA prx (ECC.Signature r s) =+    ECDSA.Signature (throwCryptoError $ ECDSA.scalarFromInteger prx r)+                    (throwCryptoError $ ECDSA.scalarFromInteger prx s)++tests = localOption (QuickCheckTests 5) $ testGroup "ECDSA"+    [ testProperty "SHA1"   $ propertyECDSA SHA1+    , testProperty "SHA224" $ propertyECDSA SHA224+    , testProperty "SHA256" $ propertyECDSA SHA256+    , testProperty "SHA384" $ propertyECDSA SHA384+    , testProperty "SHA512" $ propertyECDSA SHA512+    ]+  where+    propertyECDSA hashAlg (Curve c curve _) (ArbitraryBS0_2901 msg) = do+        d    <- arbitraryScalar curve+        kECC <- arbitraryScalar curve+        let privECC   = ECC.PrivateKey curve d+            prx       = Just c -- using Maybe as Proxy+            kECDSA    = throwCryptoError $ ECDSA.scalarFromInteger prx kECC+            privECDSA = throwCryptoError $ ECDSA.scalarFromInteger prx d+            pubECDSA  = ECDSA.toPublic prx privECDSA+            Just sigECC   = ECC.signWith kECC privECC hashAlg msg+            Just sigECDSA = ECDSA.signWith prx kECDSA privECDSA hashAlg msg+            sigECDSA' = sigECCToECDSA prx sigECC+            msg' = msg `B.append` B.singleton 42+        return $ propertyHold [ eqTest "signature" sigECDSA sigECDSA'+                              , eqTest "verification" True (ECDSA.verify prx hashAlg pubECDSA sigECDSA' msg)+                              , eqTest "alteration"  False (ECDSA.verify prx hashAlg pubECDSA sigECDSA msg')+                              ]
tests/Hash.hs view
@@ -1,10 +1,6 @@-{-# LANGUAGE CPP #-} {-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE ViewPatterns #-}-#if MIN_VERSION_base(4,7,0) {-# LANGUAGE ExistentialQuantification #-} {-# LANGUAGE DataKinds #-}-#endif module Hash     ( tests     ) where@@ -12,7 +8,9 @@ import Crypto.Hash  import qualified Data.ByteString as B+import           Data.ByteArray (convert) import qualified Data.ByteArray.Encoding as B (convertToBase, Base(..))+import           GHC.TypeLits import Imports  v0,v1,v2 :: ByteString@@ -174,7 +172,6 @@         "69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9",         "606beeec743ccbeff6cbcdf5d5302aa855c256c29b88c8ed331ea1a6bf3c8812",         "94662583a600a12dff357c0a6f1b514a710ef0f587a38e8d2e4d7f67e9c81667" ])-#if MIN_VERSION_base(4,7,0)     , ("SHAKE128_4096", HashAlg (SHAKE128 :: SHAKE128 4096), [         "7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef263cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc873c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2badfd6dfaac359a5efbb7bcc4b59d538df9a04302e10c8bc1cbf1a0b3a5120ea17cda7cfad765f5623474d368ccca8af0007cd9f5e4c849f167a580b14aabdefaee7eef47cb0fca9767be1fda69419dfb927e9df07348b196691abaeb580b32def58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619f90b0cdf8a7b9c264029ac185b70b83f2801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc09631b10958f464d889f31ba010250fda7f1368ec2967fc84ef2ae9aff268e0b1700affc6820b523a3d917135f2dff2ee06bfe72b3124721d4a26c04e53a75e30e73a7a9c4a95d91c55d495e9f51dd0b5e9d83c6d5e8ce803aa62b8d654db53d09b8dcff273cdfeb573fad8bcd45578bec2e770d01efde86e721a3f7c6cce275dabe6e2143f1af18da7efddc4c7b70b5e345db93cc936bea323491ccb38a388f546a9ff00dd4e1300b9b2153d2041d205b443e41b45a653f2a5c4492c1add544512dda2529833462b71a41a45be97290b6f",         "f4202e3c5852f9182a0430fd8144f0a74b95e7417ecae17db0f8cfeed0e3e66eb5585ec6f86021cacf272c798bcf97d368b886b18fec3a571f096086a523717a3732d50db2b0b7998b4117ae66a761ccf1847a1616f4c07d5178d0d965f9feba351420f8bfb6f5ab9a0cb102568eabf3dfa4e22279f8082dce8143eb78235a1a54914ab71abb07f2f3648468370b9fbb071e074f1c030a4030225f40c39480339f3dc71d0f04f71326de1381674cc89e259e219927fae8ea2799a03da862a55afafe670957a2af3318d919d0a3358f3b891236d6a8e8d19999d1076b529968faefbd880d77bb300829dca87e9c8e4c28e0800ff37490a5bd8c36c0b0bdb2701a5d58d03378b9dbd384389e3ef0fd4003b08998fd3f32fe1a0810fc0eccaad94bca8dd83b34559c333f0b16dfc2896ed87b30ba14c81f87cd8b4bb6317db89b0e7e94c0616f9a665fba5b0e6fb3549c9d7b68e66d08a86eb2faec05cc462a771806b93cc38b0a4feb9935c6c8945da6a589891ba5ee99753cfdd38e1abc7147fd74b7c7d1ce0609b6680a2e18888d84949b6e6cf6a2aa4113535aaee079459e3f257b569a9450523c41f5b5ba4b79b3ba5949140a74bb048de0657d04954bdd71dae76f61e2a1f88aecb91cfa5b36c1bf3350a798dc4dcf48628effe3a0c5340c756bd922f78d0e36ef7df12ce78c179cc721ad087e15ea496bf5f60b21b5822d",@@ -183,7 +180,38 @@         "46b9dd2b0ba88d13233b3feb743eeb243fcd52ea62b81b82b50c27646ed5762fd75dc4ddd8c0f200cb05019d67b592f6fc821c49479ab48640292eacb3b7c4be141e96616fb13957692cc7edd0b45ae3dc07223c8e92937bef84bc0eab862853349ec75546f58fb7c2775c38462c5010d846c185c15111e595522a6bcd16cf86f3d122109e3b1fdd943b6aec468a2d621a7c06c6a957c62b54dafc3be87567d677231395f6147293b68ceab7a9e0c58d864e8efde4e1b9a46cbe854713672f5caaae314ed9083dab4b099f8e300f01b8650f1f4b1d8fcf3f3cb53fb8e9eb2ea203bdc970f50ae55428a91f7f53ac266b28419c3778a15fd248d339ede785fb7f5a1aaa96d313eacc890936c173cdcd0fab882c45755feb3aed96d477ff96390bf9a66d1368b208e21f7c10d04a3dbd4e360633e5db4b602601c14cea737db3dcf722632cc77851cbdde2aaf0a33a07b373445df490cc8fc1e4160ff118378f11f0477de055a81a9eda57a4a2cfb0c83929d310912f729ec6cfa36c6ac6a75837143045d791cc85eff5b21932f23861bcf23a52b5da67eaf7baae0f5fb1369db78f3ac45f8c4ac5671d85735cdddb09d2b1e34a1fc066ff4a162cb263d6541274ae2fcc865f618abe27c124cd8b074ccd516301b91875824d09958f341ef274bdab0bae316339894304e35877b0c28a9b1fd166c796b9cc258a064a8f57e27f2a",         "2f671343d9b2e1604dc9dcf0753e5fe15c7c64a0d283cbbf722d411a0e36f6ca1d01d1369a23539cd80f7c054b6e5daf9c962cad5b8ed5bd11998b40d5734442bed798f6e5c915bd8bb07e0188d0a55c1290074f1c287af06352299184492cbdec9acba737ee292e5adaa445547355e72a03a3bac3aac770fe5d6b66600ff15d37d5b4789994ea2aeb097f550aa5e88e4d8ff0ba07b88c1c88573063f5d96df820abc2abd177ab037f351c375e553af917132cf2f563c79a619e1bb76e8e2266b0c5617d695f2c496a25f4073b6840c1833757ebb386f16757a8e16a21e9355e9b248f3b33be672da700266be99b8f8725e8ab06075f0219e655ebc188976364b7db139390d34a6ea67b4b223229183a94cf455ece91fdaf5b9c707fa4b40ec39816c1120c7aaaf47920977be900e6b9ca4b8940e192b927c475bd58e836f512ae3e52924e36ff8e9b1d0251047770a5e465905622b1f159be121ab93819c5e5c6dae299ac73bf1c4ed4a1e2c7fa3caa1039b05e94c9f993d04feb272b6e00bb0276939cf746c42936831fc8f2b4cb0cf94808ae0af405ce4bc67d1e7acfc6fd6590d3de91f795df5aaf57e2cee1845a303d0ea564be3f1299acdce67efe0d62cfc6d6829ff4ecc0a05153c24696c4d34c076453827e796f3062f94f62f4528b7cfc870f0dcd615b7c97b95da4b9be5830e8b3f66cce71e0f622c771994443e2",         "fffcaac0606c0edb7bc0d15f033accb68538159016e5ae8470bf9ebea89fa6c9fcc3e027d94f7f967b7246346bd9f6b8084e45a057b976847c4db03bf383c834054866f6a8282a497368c46e1852fc09e20f22c45607a27c8b2a4798ebefada54f8d3795b9f07606b1cd6e41f90d765480ef5c0d5790659cf1d210adfd412378b92e1dd9bd7fd95a1a66677fc6baa0e3a53c9031c1fb59cbad9f5dc5881a3c8e25c80ecb1abf0971488ada1f533dcbf8d37031335378574b8d3fad61159c9fae28caa543b3072ce308d369be340e78c6edc664cc6dde9b2f0a4ad2e60ce9c8b1e5722b8d5b73d0962b74fb9ed86307a180f53933339f9d56d3b345c2a0e98fcf5de7754f3845f6be30089f0e142ad4602f18abdc750bda7c91c3f32872e66640db46045ab4c276b379f1b834c2cbb1bd8601305649ec6b3bf20618695136dee6541492d1d985ea1fb765fd7a559e810eba30f2f710233ae5a411b94ddcaa01a08f1c31320d111c0714422cd5e987c9a76fc865de34003ab12664081be8017d23d977f2bf4ed9e3ce09ea3d64bb4ae8ebfa9d0721f57841008c297e2f455a0441a2bd618ca379dbd239a21e410defb4001b1e11f87e36bf894c222f76f12ddcc3771bbb17d5c0dfd86d89a3e13e084f6dc1c4762bcd393c1757db7afb1434221569e7ddaaffd6318253ec3df8cf5f826b81896d6474ee06a2e30ccc8c6a96bdd5" ])-#endif+    , ("Blake2b 160", HashAlg (Blake2b :: Blake2b 160), [+        "3345524abf6bbe1809449224b5972c41790b6cf2",+        "3c523ed102ab45a37d54f5610d5a983162fde84f",+        "a3d365b5fba5d36fbb19c03b7fde496058969c5a" ])+    , ("Blake2b 224", HashAlg (Blake2b :: Blake2b 224), [+        "836cc68931c2e4e3e838602eca1902591d216837bafddfe6f0c8cb07",+        "477c3985751dd4d1b8c93827ea5310b33bb02a26463a050dffd3e857",+        "a4a1b6851be66891a3deff406c4d7556879ebf952407450755f90eb6" ])+    , ("Blake2b 256", HashAlg (Blake2b :: Blake2b 256), [+        "0e5751c026e543b2e8ab2eb06099daa1d1e5df47778f7787faab45cdf12fe3a8",+        "01718cec35cd3d796dd00020e0bfecb473ad23457d063b75eff29c0ffa2e58a9",+        "036c13096926b3dfccfe3f233bd1b2f583b818b8b15c01be65af69238e900b2c" ])+    , ("Blake2b 384", HashAlg (Blake2b :: Blake2b 384), [+        "b32811423377f52d7862286ee1a72ee540524380fda1724a6f25d7978c6fd3244a6caf0498812673c5e05ef583825100",+        "b7c81b228b6bd912930e8f0b5387989691c1cee1e65aade4da3b86a3c9f678fc8018f6ed9e2906720c8d2a3aeda9c03d",+        "927a1f297873cbe887a93b2183c4e2eba53966ba92c6db8b87029a1d8c673471d09740676cced79c5016838973f630c3" ])+    , ("Blake2b 512", HashAlg (Blake2b :: Blake2b 512), [+        "786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce",+        "a8add4bdddfd93e4877d2746e62817b116364a1fa7bc148d95090bc7333b3673f82401cf7aa2e4cb1ecd90296e3f14cb5413f8ed77be73045b13914cdcd6a918",+        "af438eea5d8cdb209336a7e85bf58090dc21b49d823f89a7d064c119f127bd361af9c7d109edda0f0e91bdce078d1d86b8e6f25727c98f6d3bb6f50acb2dd376" ])+    , ("Blake2s 160", HashAlg (Blake2s :: Blake2s 160), [+        "354c9c33f735962418bdacb9479873429c34916f",+        "5a604fec9713c369e84b0ed68daed7d7504ef240",+        "759bef6d041bcbd861b8b51baaece6c8fffd0acf" ])+    , ("Blake2s 224", HashAlg (Blake2s :: Blake2s 224), [+        "1fa1291e65248b37b3433475b2a0dd63d54a11ecc4e3e034e7bc1ef4",+        "e4e5cb6c7cae41982b397bf7b7d2d9d1949823ae78435326e8db4912",+        "e220025fd46a9a635c3f7f60bb96a84c01019ac0817f5901e7eeaa2c" ])+    , ("Blake2s 256", HashAlg (Blake2s ::Blake2s 256), [+        "69217a3079908094e11121d042354a7c1f55b6482ca1a51e1b250dfd1ed0eef9",+        "606beeec743ccbeff6cbcdf5d5302aa855c256c29b88c8ed331ea1a6bf3c8812",+        "94662583a600a12dff357c0a6f1b514a710ef0f587a38e8d2e4d7f67e9c81667" ])     ]  runhash :: HashAlg -> ByteString -> ByteString@@ -193,6 +221,24 @@ runhashinc (HashAlg hashAlg) v = B.convertToBase B.Base16 $ hashinc $ v   where hashinc = hashFinalize . foldl hashUpdate (hashInitWith hashAlg) +data HashPrefixAlg = forall alg . HashAlgorithmPrefix alg => HashPrefixAlg alg++expectedPrefix :: [ (String, HashPrefixAlg) ]+expectedPrefix =+    [ ("MD5", HashPrefixAlg MD5)+    , ("SHA1", HashPrefixAlg SHA1)+    , ("SHA224", HashPrefixAlg SHA224)+    , ("SHA256", HashPrefixAlg SHA256)+    , ("SHA384", HashPrefixAlg SHA384)+    , ("SHA512", HashPrefixAlg SHA512)+    ]++runhashpfx :: HashPrefixAlg -> ByteString -> ByteString+runhashpfx (HashPrefixAlg hashAlg) v = B.convertToBase B.Base16 $ hashWith hashAlg v++runhashpfxpfx :: HashPrefixAlg -> ByteString -> Int -> ByteString+runhashpfxpfx (HashPrefixAlg hashAlg) v len = B.convertToBase B.Base16 $ hashPrefixWith hashAlg v len+ makeTestAlg (name, hashAlg, results) =     testGroup name $ concatMap maketest (zip3 is vectors results)   where@@ -208,7 +254,40 @@         runhash hashAlg inp `propertyEq` runhashinc hashAlg (chunkS ckLen inp)     ] +makeTestPrefix (hashName, hashAlg) =+    [ testProperty hashName $ \(ArbitraryBS0_2901 inp) (Int0_2901 len) ->+        runhashpfx hashAlg (B.take len inp) `propertyEq` runhashpfxpfx hashAlg inp len+    ]++makeTestHybrid (hashName, HashPrefixAlg alg) =+    [ testProperty hashName $ \(ArbitraryBS0_2901 start) (ArbitraryBS0_2901 end) -> do+        len <- choose (0, B.length end)+        let ref = hashWith alg (start `B.append` B.take len end)+            hyb = hashFinalizePrefix (hashUpdate (hashInitWith alg) start) end len+        return (ref `propertyEq` hyb)+    ]++-- SHAKE128 truncation example with expected byte at final position+-- <https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/ShakeTruncation.pdf>+shake128TruncationBytes = [0x01, 0x03, 0x07, 0x0f, 0x0f, 0x2f, 0x6f, 0x6f]++makeTestSHAKE128Truncation i byte =+    testCase (show i) $ xof 4088 `B.snoc` byte @=? xof (4088 + i)+  where+    hashEmpty :: KnownNat n => proxy n -> Digest (SHAKE128 n)+    hashEmpty _ = hash B.empty++    xof n = case someNatVal n of+                Nothing          -> error ("invalid Nat: " ++ show n)+                Just (SomeNat p) -> convert (hashEmpty p)+ tests = testGroup "hash"     [ testGroup "KATs" (map makeTestAlg expected)     , testGroup "Chunking" (concatMap makeTestChunk expected)+    , testGroup "Prefix" (concatMap makeTestPrefix expectedPrefix)+    , testGroup "Hybrid" (concatMap makeTestHybrid expectedPrefix)+    , testGroup "Truncating"+        [ testGroup "SHAKE128"+            (zipWith makeTestSHAKE128Truncation [1..] shake128TruncationBytes)+        ]     ]
tests/KAT_AES.hs view
@@ -3,13 +3,16 @@  import Imports import BlockCipher+import Data.Maybe import Crypto.Cipher.Types import qualified Crypto.Cipher.AES as AES+import qualified Data.ByteString as B  import qualified KAT_AES.KATECB as KATECB import qualified KAT_AES.KATCBC as KATCBC import qualified KAT_AES.KATXTS as KATXTS import qualified KAT_AES.KATGCM as KATGCM+import qualified KAT_AES.KATCCM as KATCCM import qualified KAT_AES.KATOCB3 as KATOCB3  {-@@ -37,6 +40,23 @@ toKatGCM = toKatAEAD AEAD_GCM toKatOCB = toKatAEAD AEAD_OCB +toKatCCM (k,iv,h,i,o,m) =+  KAT_AEAD { aeadMode = AEAD_CCM (B.length i) (ccmMVal m) CCM_L2+           , aeadKey  = k+           , aeadIV   = iv+           , aeadHeader = h+           , aeadPlaintext = i+           , aeadCiphertext = ct+           , aeadTaglen = m+           , aeadTag = at+           }+  where ccmMVal x = fromMaybe (error $ "unsupported CCM tag length: " ++ show x) $+                        lookup x [ (4, CCM_M4), (6, CCM_M6), (8, CCM_M8), (10, CCM_M10)+                                 , (12, CCM_M12), (14, CCM_M14), (16, CCM_M16)+                                 ]+        ctWithTag = B.drop (B.length h) o+        (ct, at)  = B.splitAt (B.length ctWithTag - m) ctWithTag+ kats128 = defaultKATs     { kat_ECB  = map toKatECB KATECB.vectors_aes128_enc     , kat_CBC  = map toKatCBC KATCBC.vectors_aes128_enc@@ -48,7 +68,8 @@                  ]     , kat_XTS  = map toKatXTS KATXTS.vectors_aes128_enc     , kat_AEAD = map toKatGCM KATGCM.vectors_aes128_enc ++-                 map toKatOCB KATOCB3.vectors_aes128_enc+                 map toKatOCB KATOCB3.vectors_aes128_enc +++                 map toKatCCM KATCCM.vectors_aes128_enc     }  kats192 = defaultKATs
+ tests/KAT_AES/KATCCM.hs view
@@ -0,0 +1,155 @@+{-# LANGUAGE OverloadedStrings #-}+module KAT_AES.KATCCM where++import qualified Data.ByteString as B++-- (key, iv, header, in, out+atag, taglen)+type KATCCM = (B.ByteString, B.ByteString, B.ByteString, B.ByteString, B.ByteString, Int)++vectors_aes128_enc :: [KATCCM]+vectors_aes128_enc =+  [ ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x03\x02\x01\x00\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x58\x8c\x97\x9a\x61\xc6\x63\xd2\xf0\x66\xd0\xc2\xc0\xf9\x89\x80\x6d\x5f\x6b\x61\xda\xc3\x84\x17\xe8\xd1\x2c\xfd\xf9\x26\xe0"+    , {-  M  = -} 8)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x04\x03\x02\x01\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x72\xc9\x1a\x36\xe1\x35\xf8\xcf\x29\x1c\xa8\x94\x08\x5c\x87\xe3\xcc\x15\xc4\x39\xc9\xe4\x3a\x3b\xa0\x91\xd5\x6e\x10\x40\x09\x16"+    , {-  M  = -} 8)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x05\x04\x03\x02\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x51\xb1\xe5\xf4\x4a\x19\x7d\x1d\xa4\x6b\x0f\x8e\x2d\x28\x2a\xe8\x71\xe8\x38\xbb\x64\xda\x85\x96\x57\x4a\xda\xa7\x6f\xbd\x9f\xb0\xc5"+    , {-  M  = -} 8)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x06\x05\x04\x03\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xa2\x8c\x68\x65\x93\x9a\x9a\x79\xfa\xaa\x5c\x4c\x2a\x9d\x4a\x91\xcd\xac\x8c\x96\xc8\x61\xb9\xc9\xe6\x1e\xf1"+    , {-  M  = -} 8)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x07\x06\x05\x04\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xdc\xf1\xfb\x7b\x5d\x9e\x23\xfb\x9d\x4e\x13\x12\x53\x65\x8a\xd8\x6e\xbd\xca\x3e\x51\xe8\x3f\x07\x7d\x9c\x2d\x93"+    , {-  M  = -} 8)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x08\x07\x06\x05\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x6f\xc1\xb0\x11\xf0\x06\x56\x8b\x51\x71\xa4\x2d\x95\x3d\x46\x9b\x25\x70\xa4\xbd\x87\x40\x5a\x04\x43\xac\x91\xcb\x94"+    , {-  M  = -} 8)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x09\x08\x07\x06\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x01\x35\xd1\xb2\xc9\x5f\x41\xd5\xd1\xd4\xfe\xc1\x85\xd1\x66\xb8\x09\x4e\x99\x9d\xfe\xd9\x6c\x04\x8c\x56\x60\x2c\x97\xac\xbb\x74\x90"+    , {-  M  = -} 10)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x0a\x09\x08\x07\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x7b\x75\x39\x9a\xc0\x83\x1d\xd2\xf0\xbb\xd7\x58\x79\xa2\xfd\x8f\x6c\xae\x6b\x6c\xd9\xb7\xdb\x24\xc1\x7b\x44\x33\xf4\x34\x96\x3f\x34\xb4"+    , {-  M  = -} 10)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x0b\x0a\x09\x08\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07"+    , {- in  = -} "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x82\x53\x1a\x60\xcc\x24\x94\x5a\x4b\x82\x79\x18\x1a\xb5\xc8\x4d\xf2\x1c\xe7\xf9\xb7\x3f\x42\xe1\x97\xea\x9c\x07\xe5\x6b\x5e\xb1\x7e\x5f\x4e"+    , {-  M  = -} 10)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x0c\x0b\x0a\x09\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x07\x34\x25\x94\x15\x77\x85\x15\x2b\x07\x40\x98\x33\x0a\xbb\x14\x1b\x94\x7b\x56\x6a\xa9\x40\x6b\x4d\x99\x99\x88\xdd"+    , {-  M  = -} 10)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x0d\x0c\x0b\x0a\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x67\x6b\xb2\x03\x80\xb0\xe3\x01\xe8\xab\x79\x59\x0a\x39\x6d\xa7\x8b\x83\x49\x34\xf5\x3a\xa2\xe9\x10\x7a\x8b\x6c\x02\x2c"+    , {-  M  = -} 10)+  , ( {- key = -} "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"+    , {- iv  = -} "\x00\x00\x00\x0e\x0d\x0c\x0b\xa0\xa1\xa2\xa3\xa4\xa5"+    , {- hdr = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b"+    , {- in  = -} "\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"+    , {- out = -} "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xc0\xff\xa0\xd6\xf0\x5b\xdb\x67\xf2\x4d\x43\xa4\x33\x8d\x2a\xa4\xbe\xd7\xb2\x0e\x43\xcd\x1a\xa3\x16\x62\xe7\xad\x65\xd6\xdb"+    , {-  M  = -} 10)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x41\x2b\x4e\xa9\xcd\xbe\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x0b\xe1\xa8\x8b\xac\xe0\x18\xb1"+    , {- in  = -} "\x08\xe8\xcf\x97\xd8\x20\xea\x25\x84\x60\xe9\x6a\xd9\xcf\x52\x89\x05\x4d\x89\x5c\xea\xc4\x7c"+    , {- out = -} "\x0b\xe1\xa8\x8b\xac\xe0\x18\xb1\x4c\xb9\x7f\x86\xa2\xa4\x68\x9a\x87\x79\x47\xab\x80\x91\xef\x53\x86\xa6\xff\xbd\xd0\x80\xf8\xe7\x8c\xf7\xcb\x0c\xdd\xd7\xb3"+    , {-  M  = -} 8)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x33\x56\x8e\xf7\xb2\x63\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x63\x01\x8f\x76\xdc\x8a\x1b\xcb"+    , {- in  = -} "\x90\x20\xea\x6f\x91\xbd\xd8\x5a\xfa\x00\x39\xba\x4b\xaf\xf9\xbf\xb7\x9c\x70\x28\x94\x9c\xd0\xec"+    , {- out = -} "\x63\x01\x8f\x76\xdc\x8a\x1b\xcb\x4c\xcb\x1e\x7c\xa9\x81\xbe\xfa\xa0\x72\x6c\x55\xd3\x78\x06\x12\x98\xc8\x5c\x92\x81\x4a\xbc\x33\xc5\x2e\xe8\x1d\x7d\x77\xc0\x8a"+    , {-  M  = -} 8)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x10\x3f\xe4\x13\x36\x71\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\xaa\x6c\xfa\x36\xca\xe8\x6b\x40"+    , {- in  = -} "\xb9\x16\xe0\xea\xcc\x1c\x00\xd7\xdc\xec\x68\xec\x0b\x3b\xbb\x1a\x02\xde\x8a\x2d\x1a\xa3\x46\x13\x2e"+    , {- out = -} "\xaa\x6c\xfa\x36\xca\xe8\x6b\x40\xb1\xd2\x3a\x22\x20\xdd\xc0\xac\x90\x0d\x9a\xa0\x3c\x61\xfc\xf4\xa5\x59\xa4\x41\x77\x67\x08\x97\x08\xa7\x76\x79\x6e\xdb\x72\x35\x06"+    , {-  M  = -} 8)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x76\x4c\x63\xb8\x05\x8e\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\xd0\xd0\x73\x5c\x53\x1e\x1b\xec\xf0\x49\xc2\x44"+    , {- in  = -} "\x12\xda\xac\x56\x30\xef\xa5\x39\x6f\x77\x0c\xe1\xa6\x6b\x21\xf7\xb2\x10\x1c"+    , {- out = -} "\xd0\xd0\x73\x5c\x53\x1e\x1b\xec\xf0\x49\xc2\x44\x14\xd2\x53\xc3\x96\x7b\x70\x60\x9b\x7c\xbb\x7c\x49\x91\x60\x28\x32\x45\x26\x9a\x6f\x49\x97\x5b\xca\xde\xaf"+    , {-  M  = -} 8)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\xf8\xb6\x78\x09\x4e\x3b\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x77\xb6\x0f\x01\x1c\x03\xe1\x52\x58\x99\xbc\xae"+    , {- in  = -} "\xe8\x8b\x6a\x46\xc7\x8d\x63\xe5\x2e\xb8\xc5\x46\xef\xb5\xde\x6f\x75\xe9\xcc\x0d"+    , {- out = -} "\x77\xb6\x0f\x01\x1c\x03\xe1\x52\x58\x99\xbc\xae\x55\x45\xff\x1a\x08\x5e\xe2\xef\xbf\x52\xb2\xe0\x4b\xee\x1e\x23\x36\xc7\x3e\x3f\x76\x2c\x0c\x77\x44\xfe\x7e\x3c"+    , {-  M  = -} 8)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\xd5\x60\x91\x2d\x3f\x70\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\xcd\x90\x44\xd2\xb7\x1f\xdb\x81\x20\xea\x60\xc0"+    , {- in  = -} "\x64\x35\xac\xba\xfb\x11\xa8\x2e\x2f\x07\x1d\x7c\xa4\xa5\xeb\xd9\x3a\x80\x3b\xa8\x7f"+    , {- out = -} "\xcd\x90\x44\xd2\xb7\x1f\xdb\x81\x20\xea\x60\xc0\x00\x97\x69\xec\xab\xdf\x48\x62\x55\x94\xc5\x92\x51\xe6\x03\x57\x22\x67\x5e\x04\xc8\x47\x09\x9e\x5a\xe0\x70\x45\x51"+    , {-  M  = -} 8)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x42\xff\xf8\xf1\x95\x1c\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\xd8\x5b\xc7\xe6\x9f\x94\x4f\xb8"+    , {- in  = -} "\x8a\x19\xb9\x50\xbc\xf7\x1a\x01\x8e\x5e\x67\x01\xc9\x17\x87\x65\x98\x09\xd6\x7d\xbe\xdd\x18"+    , {- out = -} "\xd8\x5b\xc7\xe6\x9f\x94\x4f\xb8\xbc\x21\x8d\xaa\x94\x74\x27\xb6\xdb\x38\x6a\x99\xac\x1a\xef\x23\xad\xe0\xb5\x29\x39\xcb\x6a\x63\x7c\xf9\xbe\xc2\x40\x88\x97\xc6\xba"+    , {-  M  = -} 10)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x92\x0f\x40\xe5\x6c\xdc\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x74\xa0\xeb\xc9\x06\x9f\x5b\x37"+    , {- in  = -} "\x17\x61\x43\x3c\x37\xc5\xa3\x5f\xc1\xf3\x9f\x40\x63\x02\xeb\x90\x7c\x61\x63\xbe\x38\xc9\x84\x37"+    , {- out = -} "\x74\xa0\xeb\xc9\x06\x9f\x5b\x37\x58\x10\xe6\xfd\x25\x87\x40\x22\xe8\x03\x61\xa4\x78\xe3\xe9\xcf\x48\x4a\xb0\x4f\x44\x7e\xff\xf6\xf0\xa4\x77\xcc\x2f\xc9\xbf\x54\x89\x44"+    , {-  M  = -} 10)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x27\xca\x0c\x71\x20\xbc\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x44\xa3\xaa\x3a\xae\x64\x75\xca"+    , {- in  = -} "\xa4\x34\xa8\xe5\x85\x00\xc6\xe4\x15\x30\x53\x88\x62\xd6\x86\xea\x9e\x81\x30\x1b\x5a\xe4\x22\x6b\xfa"+    , {- out = -} "\x44\xa3\xaa\x3a\xae\x64\x75\xca\xf2\xbe\xed\x7b\xc5\x09\x8e\x83\xfe\xb5\xb3\x16\x08\xf8\xe2\x9c\x38\x81\x9a\x89\xc8\xe7\x76\xf1\x54\x4d\x41\x51\xa4\xed\x3a\x8b\x87\xb9\xce"+    , {-  M  = -} 10)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x5b\x8c\xcb\xcd\x9a\xf8\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\xec\x46\xbb\x63\xb0\x25\x20\xc3\x3c\x49\xfd\x70"+    , {- in  = -} "\xb9\x6b\x49\xe2\x1d\x62\x17\x41\x63\x28\x75\xdb\x7f\x6c\x92\x43\xd2\xd7\xc2"+    , {- out = -} "\xec\x46\xbb\x63\xb0\x25\x20\xc3\x3c\x49\xfd\x70\x31\xd7\x50\xa0\x9d\xa3\xed\x7f\xdd\xd4\x9a\x20\x32\xaa\xbf\x17\xec\x8e\xbf\x7d\x22\xc8\x08\x8c\x66\x6b\xe5\xc1\x97"+    , {-  M  = -} 10)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x3e\xbe\x94\x04\x4b\x9a\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x47\xa6\x5a\xc7\x8b\x3d\x59\x42\x27\xe8\x5e\x71"+    , {- in  = -} "\xe2\xfc\xfb\xb8\x80\x44\x2c\x73\x1b\xf9\x51\x67\xc8\xff\xd7\x89\x5e\x33\x70\x76"+    , {- out = -} "\x47\xa6\x5a\xc7\x8b\x3d\x59\x42\x27\xe8\x5e\x71\xe8\x82\xf1\xdb\xd3\x8c\xe3\xed\xa7\xc2\x3f\x04\xdd\x65\x07\x1e\xb4\x13\x42\xac\xdf\x7e\x00\xdc\xce\xc7\xae\x52\x98\x7d"+    , {-  M  = -} 10)+  , ( {- key = -} "\xd7\x82\x8d\x13\xb2\xb0\xbd\xc3\x25\xa7\x62\x36\xdf\x93\xcc\x6b"+    , {- iv  = -} "\x00\x8d\x49\x3b\x30\xae\x8b\x3c\x96\x96\x76\x6c\xfa"+    , {- hdr = -} "\x6e\x37\xa6\xef\x54\x6d\x95\x5d\x34\xab\x60\x59"+    , {- in  = -} "\xab\xf2\x1c\x0b\x02\xfe\xb8\x8f\x85\x6d\xf4\xa3\x73\x81\xbc\xe3\xcc\x12\x85\x17\xd4"+    , {- out = -} "\x6e\x37\xa6\xef\x54\x6d\x95\x5d\x34\xab\x60\x59\xf3\x29\x05\xb8\x8a\x64\x1b\x04\xb9\xc9\xff\xb5\x8c\xc3\x90\x90\x0f\x3d\xa1\x2a\xb1\x6d\xce\x9e\x82\xef\xa1\x6d\xa6\x20\x59"+    , {-  M  = -} 10)+  ]
tests/KAT_AES/KATGCM.hs view
@@ -56,6 +56,14 @@         , {-out = -}"\xe4\x42\xf8\xc4\xc6\x67\x84\x86\x4a\x5a\x6e\xc7\xe0\xca\x68\xac\x16\xbc\x5b\xbf\xf7\xd5\xf3\xfa\xf3\xb2\xcb\xb0\xa2\x14\xa1"         , {-taglen = -}16         , {-tag = -}"\x94\xd1\x47\xc3\xa2\xca\x93\xe9\x66\x93\x1e\x3b\xb3\xbb\x67\x01")+    -- vector 6 tests 32-bit counter wrapping+    ,   ( {-key = -}"\x01\x02\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , {-iv = -}"\xe8\x38\x84\x1d\x75\xae\x33\xb5\x4b\x51\x57\x89\xc9\x5f\xbe\x65"+        , {-aad = -}"\x54\x68\x65\x20\x66\x69\x76\x65\x20\x62\x6f\x78\x69\x6e\x67\x20\x77\x69\x7a\x61\x72\x64\x73\x20\x6a\x75\x6d\x70\x20\x71\x75\x69\x63\x6b\x6c\x79\x2e"+        , {-input = -}"\x54\x68\x65\x20\x71\x75\x69\x63\x6b\x20\x62\x72\x6f\x77\x6e\x20\x66\x6f\x78\x20\x6a\x75\x6d\x70\x73\x20\x6f\x76\x65\x72\x20\x74\x68\x65\x20\x6c\x61\x7a\x79\x20\x64\x6f\x67"+        , {-out = -}"\x82\x31\x9e\x5a\x6a\x7f\x43\xd0\x42\x8c\xf1\x01\xcf\x0c\x75\xf1\x5d\xda\x4f\xa1\x28\x95\xcd\xd7\x7b\xd5\x42\x68\x2f\xcd\x10\x1b\x0c\x75\x05\x54\xf4\x2f\x2b\xf6\x69\x96\x29"+        , {-taglen = -}16+        , {-tag = -}"\x9a\xfa\xf4\xea\xae\x2e\x6f\x40\x00\xf4\x89\x77\xd0\x1e\xd5\x14")     ]  vectors_aes256_enc :: [KATGCM]
+ tests/KAT_AESGCMSIV.hs view
@@ -0,0 +1,494 @@+{-# LANGUAGE FlexibleInstances #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE Rank2Types #-}+{-# LANGUAGE RecordWildCards #-}+module KAT_AESGCMSIV (tests) where++import Imports++import Data.Proxy+import qualified Data.ByteArray as B++import Crypto.Cipher.AES+import Crypto.Cipher.AESGCMSIV+import Crypto.Cipher.Types+import Crypto.Error++data Vector c = Vector+    { vecPlaintext  :: ByteString+    , vecAAD        :: ByteString+    , vecKey        :: ByteString+    , vecNonce      :: ByteString+    , vecTag        :: ByteString+    , vecCiphertext :: ByteString+    }++vecCipher :: Cipher c => Vector c -> c+vecCipher = throwCryptoError . cipherInit . vecKey++vectors128 :: [Vector AES128]+vectors128 =+    [ Vector+        { vecPlaintext  = ""+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xdc\x20\xe2\xd8\x3f\x25\x70\x5b\xb4\x9e\x43\x9e\xca\x56\xde\x25"+        , vecCiphertext = ""+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x57\x87\x82\xff\xf6\x01\x3b\x81\x5b\x28\x7c\x22\x49\x3a\x36\x4c"+        , vecCiphertext = "\xb5\xd8\x39\x33\x0a\xc7\xb7\x86"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xa4\x97\x8d\xb3\x57\x39\x1a\x0b\xc4\xfd\xec\x8b\x0d\x10\x66\x39"+        , vecCiphertext = "\x73\x23\xea\x61\xd0\x59\x32\x26\x00\x47\xd9\x42"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x30\x3a\xaf\x90\xf6\xfe\x21\x19\x9c\x60\x68\x57\x74\x37\xa0\xc4"+        , vecCiphertext = "\x74\x3f\x7c\x80\x77\xab\x25\xf8\x62\x4e\x2e\x94\x85\x79\xcf\x77"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x1a\x8e\x45\xdc\xd4\x57\x8c\x66\x7c\xd8\x68\x47\xbf\x61\x55\xff"+        , vecCiphertext = "\x84\xe0\x7e\x62\xba\x83\xa6\x58\x54\x17\x24\x5d\x7e\xc4\x13\xa9\xfe\x42\x7d\x63\x15\xc0\x9b\x57\xce\x45\xf2\xe3\x93\x6a\x94\x45"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x5e\x6e\x31\x1d\xbf\x39\x5d\x35\xb0\xfe\x39\xc2\x71\x43\x88\xf8"+        , vecCiphertext = "\x3f\xd2\x4c\xe1\xf5\xa6\x7b\x75\xbf\x23\x51\xf1\x81\xa4\x75\xc7\xb8\x00\xa5\xb4\xd3\xdc\xf7\x01\x06\xb1\xee\xa8\x2f\xa1\xd6\x4d\xf4\x2b\xf7\x22\x61\x22\xfa\x92\xe1\x7a\x40\xee\xaa\xc1\x20\x1b"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x8a\x26\x3d\xd3\x17\xaa\x88\xd5\x6b\xdf\x39\x36\xdb\xa7\x5b\xb8"+        , vecCiphertext = "\x24\x33\x66\x8f\x10\x58\x19\x0f\x6d\x43\xe3\x60\xf4\xf3\x5c\xd8\xe4\x75\x12\x7c\xfc\xa7\x02\x8e\xa8\xab\x5c\x20\xf7\xab\x2a\xf0\x25\x16\xa2\xbd\xcb\xc0\x8d\x52\x1b\xe3\x7f\xf2\x8c\x15\x2b\xba\x36\x69\x7f\x25\xb4\xcd\x16\x9c\x65\x90\xd1\xdd\x39\x56\x6d\x3f"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x3b\x0a\x1a\x25\x60\x96\x9c\xdf\x79\x0d\x99\x75\x9a\xbd\x15\x08"+        , vecCiphertext = "\x1e\x6d\xab\xa3\x56\x69\xf4\x27"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x08\x29\x9c\x51\x02\x74\x5a\xaa\x3a\x0c\x46\x9f\xad\x9e\x07\x5a"+        , vecCiphertext = "\x29\x6c\x78\x89\xfd\x99\xf4\x19\x17\xf4\x46\x20"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x8f\x89\x36\xec\x03\x9e\x4e\x4b\xb9\x7e\xbd\x8c\x44\x57\x44\x1f"+        , vecCiphertext = "\xe2\xb0\xc5\xda\x79\xa9\x01\xc1\x74\x5f\x70\x05\x25\xcb\x33\x5b"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xe6\xaf\x6a\x7f\x87\x28\x7d\xa0\x59\xa7\x16\x84\xed\x34\x98\xe1"+        , vecCiphertext = "\x62\x00\x48\xef\x3c\x1e\x73\xe5\x7e\x02\xbb\x85\x62\xc4\x16\xa3\x19\xe7\x3e\x4c\xaa\xc8\xe9\x6a\x1e\xcb\x29\x33\x14\x5a\x1d\x71"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x6a\x8c\xc3\x86\x5f\x76\x89\x7c\x2e\x4b\x24\x5c\xf3\x1c\x51\xf2"+        , vecCiphertext = "\x50\xc8\x30\x3e\xa9\x39\x25\xd6\x40\x90\xd0\x7b\xd1\x09\xdf\xd9\x51\x5a\x5a\x33\x43\x10\x19\xc1\x7d\x93\x46\x59\x99\xa8\xb0\x05\x32\x01\xd7\x23\x12\x0a\x85\x62\xb8\x38\xcd\xff\x25\xbf\x9d\x1e"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xcd\xc4\x6a\xe4\x75\x56\x3d\xe0\x37\x00\x1e\xf8\x4a\xe2\x17\x44"+        , vecCiphertext = "\x2f\x5c\x64\x05\x9d\xb5\x5e\xe0\xfb\x84\x7e\xd5\x13\x00\x37\x46\xac\xa4\xe6\x1c\x71\x1b\x5d\xe2\xe7\xa7\x7f\xfd\x02\xda\x42\xfe\xec\x60\x19\x10\xd3\x46\x7b\xb8\xb3\x6e\xbb\xae\xbc\xe5\xfb\xa3\x0d\x36\xc9\x5f\x48\xa3\xe7\x98\x0f\x0e\x7a\xc2\x99\x33\x2a\x80"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00"+        , vecAAD        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x07\xeb\x1f\x84\xfb\x28\xf8\xcb\x73\xde\x8e\x99\xe2\xf4\x8a\x14"+        , vecCiphertext = "\xa8\xfe\x3e\x87"+        }+    , Vector+        { vecPlaintext  = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00"+        , vecAAD        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x24\xaf\xc9\x80\x5e\x97\x6f\x45\x1e\x6d\x87\xf6\xfe\x10\x65\x14"+        , vecCiphertext = "\x6b\xb0\xfe\xcf\x5d\xed\x9b\x77\xf9\x02\xc7\xd5\xda\x23\x6a\x43\x91\xdd\x02\x97"+        }+    , Vector+        { vecPlaintext  = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00"+        , vecAAD        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xbf\xf9\xb2\xef\x00\xfb\x47\x92\x0c\xc7\x2a\x0c\x0f\x13\xb9\xfd"+        , vecCiphertext = "\x44\xd0\xaa\xf6\xfb\x2f\x1f\x34\xad\xd5\xe8\x06\x4e\x83\xe1\x2a\x2a\xda"+        }+    , Vector+        { vecPlaintext  = ""+        , vecAAD        = ""+        , vecKey        = "\xe6\x60\x21\xd5\xeb\x8e\x4f\x40\x66\xd4\xad\xb9\xc3\x35\x60\xe4"+        , vecNonce      = "\xf4\x6e\x44\xbb\x3d\xa0\x01\x5c\x94\xf7\x08\x87"+        , vecTag        = "\xa4\x19\x4b\x79\x07\x1b\x01\xa8\x7d\x65\xf7\x06\xe3\x94\x95\x78"+        , vecCiphertext = ""+        }+    , Vector+        { vecPlaintext  = "\x7a\x80\x6c"+        , vecAAD        = "\x46\xbb\x91\xc3\xc5"+        , vecKey        = "\x36\x86\x42\x00\xe0\xea\xf5\x28\x4d\x88\x4a\x0e\x77\xd3\x16\x46"+        , vecNonce      = "\xba\xe8\xe3\x7f\xc8\x34\x41\xb1\x60\x34\x56\x6b"+        , vecTag        = "\x71\x1b\xd8\x5b\xc1\xe4\xd3\xe0\xa4\x62\xe0\x74\xee\xa4\x28\xa8"+        , vecCiphertext = "\xaf\x60\xeb"+        }+    , Vector+        { vecPlaintext  = "\xbd\xc6\x6f\x14\x65\x45"+        , vecAAD        = "\xfc\x88\x0c\x94\xa9\x51\x98\x87\x42\x96"+        , vecKey        = "\xae\xdb\x64\xa6\xc5\x90\xbc\x84\xd1\xa5\xe2\x69\xe4\xb4\x78\x01"+        , vecNonce      = "\xaf\xc0\x57\x7e\x34\x69\x9b\x9e\x67\x1f\xdd\x4f"+        , vecTag        = "\xd6\xa9\xc4\x55\x45\xcf\xc1\x1f\x03\xad\x74\x3d\xba\x20\xf9\x66"+        , vecCiphertext = "\xbb\x93\xa3\xe3\x4d\x3c"+        }+    , Vector+        { vecPlaintext  = "\x11\x77\x44\x1f\x19\x54\x95\x86\x0f"+        , vecAAD        = "\x04\x67\x87\xf3\xea\x22\xc1\x27\xaa\xf1\x95\xd1\x89\x47\x28"+        , vecKey        = "\xd5\xcc\x1f\xd1\x61\x32\x0b\x69\x20\xce\x07\x78\x7f\x86\x74\x3b"+        , vecNonce      = "\x27\x5d\x1a\xb3\x2f\x6d\x1f\x04\x34\xd8\x84\x8c"+        , vecTag        = "\x1d\x02\xfd\x0c\xd1\x74\xc8\x4f\xc5\xda\xe2\xf6\x0f\x52\xfd\x2b"+        , vecCiphertext = "\x4f\x37\x28\x1f\x7a\xd1\x29\x49\xd0"+        }+    , Vector+        { vecPlaintext  = "\x9f\x57\x2c\x61\x4b\x47\x45\x91\x44\x74\xe7\xc7"+        , vecAAD        = "\xc9\x88\x2e\x53\x86\xfd\x9f\x92\xec\x48\x9c\x8f\xde\x2b\xe2\xcf\x97\xe7\x4e\x93"+        , vecKey        = "\xb3\xfe\xd1\x47\x3c\x52\x8b\x84\x26\xa5\x82\x99\x59\x29\xa1\x49"+        , vecNonce      = "\x9e\x9a\xd8\x78\x0c\x8d\x63\xd0\xab\x41\x49\xc0"+        , vecTag        = "\xc1\xdc\x2f\x87\x1f\xb7\x56\x1d\xa1\x28\x6e\x65\x5e\x24\xb7\xb0"+        , vecCiphertext = "\xf5\x46\x73\xc5\xdd\xf7\x10\xc7\x45\x64\x1c\x8b"+        }+    , Vector+        { vecPlaintext  = "\x0d\x8c\x84\x51\x17\x80\x82\x35\x5c\x9e\x94\x0f\xea\x2f\x58"+        , vecAAD        = "\x29\x50\xa7\x0d\x5a\x1d\xb2\x31\x6f\xd5\x68\x37\x8d\xa1\x07\xb5\x2b\x0d\xa5\x52\x10\xcc\x1c\x1b\x0a"+        , vecKey        = "\x2d\x4e\xd8\x7d\xa4\x41\x02\x95\x2e\xf9\x4b\x02\xb8\x05\x24\x9b"+        , vecNonce      = "\xac\x80\xe6\xf6\x14\x55\xbf\xac\x83\x08\xa2\xd4"+        , vecTag        = "\x83\xb3\x44\x9b\x9f\x39\x55\x2d\xe9\x9d\xc2\x14\xa1\x19\x0b\x0b"+        , vecCiphertext = "\xc9\xff\x54\x5e\x07\xb8\x8a\x01\x5f\x05\xb2\x74\x54\x0a\xa1"+        }+    , Vector+        { vecPlaintext  = "\x6b\x3d\xb4\xda\x3d\x57\xaa\x94\x84\x2b\x98\x03\xa9\x6e\x07\xfb\x6d\xe7"+        , vecAAD        = "\x18\x60\xf7\x62\xeb\xfb\xd0\x82\x84\xe4\x21\x70\x2d\xe0\xde\x18\xba\xa9\xc9\x59\x62\x91\xb0\x84\x66\xf3\x7d\xe2\x1c\x7f"+        , vecKey        = "\xbd\xe3\xb2\xf2\x04\xd1\xe9\xf8\xb0\x6b\xc4\x7f\x97\x45\xb3\xd1"+        , vecNonce      = "\xae\x06\x55\x6f\xb6\xaa\x78\x90\xbe\xbc\x18\xfe"+        , vecTag        = "\x3e\x37\x70\x94\xf0\x47\x09\xf6\x4d\x7b\x98\x53\x10\xa4\xdb\x84"+        , vecCiphertext = "\x62\x98\xb2\x96\xe2\x4e\x8c\xc3\x5d\xce\x0b\xed\x48\x4b\x7f\x30\xd5\x80"+        }+    , Vector+        { vecPlaintext  = "\xe4\x2a\x3c\x02\xc2\x5b\x64\x86\x9e\x14\x6d\x7b\x23\x39\x87\xbd\xdf\xc2\x40\x87\x1d"+        , vecAAD        = "\x75\x76\xf7\x02\x8e\xc6\xeb\x5e\xa7\xe2\x98\x34\x2a\x94\xd4\xb2\x02\xb3\x70\xef\x97\x68\xec\x65\x61\xc4\xfe\x6b\x7e\x72\x96\xfa\x85\x9c\x21"+        , vecKey        = "\xf9\x01\xcf\xe8\xa6\x96\x15\xa9\x3f\xdf\x7a\x98\xca\xd4\x81\x79"+        , vecNonce      = "\x62\x45\x70\x9f\xb1\x88\x53\xf6\x8d\x83\x36\x40"+        , vecTag        = "\x2d\x15\x50\x6c\x84\xa9\xed\xd6\x5e\x13\xe9\xd2\x4a\x2a\x6e\x70"+        , vecCiphertext = "\x39\x1c\xc3\x28\xd4\x84\xa4\xf4\x64\x06\x18\x1b\xcd\x62\xef\xd9\xb3\xee\x19\x7d\x05"+        }+    ]++vectors256 :: [Vector AES256]+vectors256 =+    [ Vector+        { vecPlaintext  = ""+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x07\xf5\xf4\x16\x9b\xbf\x55\xa8\x40\x0c\xd4\x7e\xa6\xfd\x40\x0f"+        , vecCiphertext = ""+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x84\x31\x22\x13\x0f\x73\x64\xb7\x61\xe0\xb9\x74\x27\xe3\xdf\x28"+        , vecCiphertext = "\xc2\xef\x32\x8e\x5c\x71\xc8\x3b"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x8c\xa5\x0d\xa9\xae\x65\x59\xe4\x8f\xd1\x0f\x6e\x5c\x9c\xa1\x7e"+        , vecCiphertext = "\x9a\xab\x2a\xeb\x3f\xaa\x0a\x34\xae\xa8\xe2\xb1"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xc9\xea\xc6\xfa\x70\x09\x42\x70\x2e\x90\x86\x23\x83\xc6\xc3\x66"+        , vecCiphertext = "\x85\xa0\x1b\x63\x02\x5b\xa1\x9b\x7f\xd3\xdd\xfc\x03\x3b\x3e\x76"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xe8\x19\xe6\x3a\xbc\xd0\x20\xb0\x06\xa9\x76\x39\x76\x32\xeb\x5d"+        , vecCiphertext = "\x4a\x6a\x9d\xb4\xc8\xc6\x54\x92\x01\xb9\xed\xb5\x30\x06\xcb\xa8\x21\xec\x9c\xf8\x50\x94\x8a\x7c\x86\xc6\x8a\xc7\x53\x9d\x02\x7f"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x79\x0b\xc9\x68\x80\xa9\x9b\xa8\x04\xbd\x12\xc0\xe6\xa2\x2c\xc4"+        , vecCiphertext = "\xc0\x0d\x12\x18\x93\xa9\xfa\x60\x3f\x48\xcc\xc1\xca\x3c\x57\xce\x74\x99\x24\x5e\xa0\x04\x6d\xb1\x6c\x53\xc7\xc6\x6f\xe7\x17\xe3\x9c\xf6\xc7\x48\x83\x7b\x61\xf6\xee\x3a\xdc\xee\x17\x53\x4e\xd5"+        }+    , Vector+        { vecPlaintext  = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x11\x28\x64\xc2\x69\xfc\x0d\x9d\x88\xc6\x1f\xa4\x7e\x39\xaa\x08"+        , vecCiphertext = "\xc2\xd5\x16\x0a\x1f\x86\x83\x83\x49\x10\xac\xda\xfc\x41\xfb\xb1\x63\x2d\x4a\x35\x3e\x8b\x90\x5e\xc9\xa5\x49\x9a\xc3\x4f\x96\xc7\xe1\x04\x9e\xb0\x80\x88\x38\x91\xa4\xdb\x8c\xaa\xa1\xf9\x9d\xd0\x04\xd8\x04\x87\x54\x07\x35\x23\x4e\x37\x44\x51\x2c\x6f\x90\xce"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x91\x21\x3f\x26\x7e\x3b\x45\x2f\x02\xd0\x1a\xe3\x3e\x4e\xc8\x54"+        , vecCiphertext = "\x1d\xe2\x29\x67\x23\x7a\x81\x32"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xc1\xa4\xa1\x9a\xe8\x00\x94\x1c\xcd\xc5\x7c\xc8\x41\x3c\x27\x7f"+        , vecCiphertext = "\x16\x3d\x6f\x9c\xc1\xb3\x46\xcd\x45\x3a\x2e\x4c"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xb2\x92\xd2\x8f\xf6\x11\x89\xe8\xe4\x9f\x38\x75\xef\x91\xaf\xf7"+        , vecCiphertext = "\xc9\x15\x45\x82\x3c\xc2\x4f\x17\xdb\xb0\xe9\xe8\x07\xd5\xec\x17"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xae\xa1\xba\xd1\x27\x02\xe1\x96\x56\x04\x37\x4a\xab\x96\xdb\xbc"+        , vecCiphertext = "\x07\xda\xd3\x64\xbf\xc2\xb9\xda\x89\x11\x6d\x7b\xef\x6d\xaa\xaf\x6f\x25\x55\x10\xaa\x65\x4f\x92\x0a\xc8\x1b\x94\xe8\xba\xd3\x65"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x03\x33\x27\x42\xb2\x28\xc6\x47\x17\x36\x16\xcf\xd4\x4c\x54\xeb"+        , vecCiphertext = "\xc6\x7a\x1f\x0f\x56\x7a\x51\x98\xaa\x1f\xcc\x8e\x3f\x21\x31\x43\x36\xf7\xf5\x1c\xa8\xb1\xaf\x61\xfe\xac\x35\xa8\x64\x16\xfa\x47\xfb\xca\x3b\x5f\x74\x9c\xdf\x56\x45\x27\xf2\x31\x4f\x42\xfe\x25"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = "\x01"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x5b\xde\x02\x85\x03\x7c\x5d\xe8\x1e\x5b\x57\x0a\x04\x9b\x62\xa0"+        , vecCiphertext = "\x67\xfd\x45\xe1\x26\xbf\xb9\xa7\x99\x30\xc4\x3a\xad\x2d\x36\x96\x7d\x3f\x0e\x4d\x21\x7c\x1e\x55\x1f\x59\x72\x78\x70\xbe\xef\xc9\x8c\xb9\x33\xa8\xfc\xe9\xde\x88\x7b\x1e\x40\x79\x99\x88\xdb\x1f\xc3\xf9\x18\x80\xed\x40\x5b\x2d\xd2\x98\x31\x88\x58\x46\x7c\x89"+        }+    , Vector+        { vecPlaintext  = "\x02\x00\x00\x00"+        , vecAAD        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\x18\x35\xe5\x17\x74\x1d\xfd\xdc\xcf\xa0\x7f\xa4\x66\x1b\x74\xcf"+        , vecCiphertext = "\x22\xb3\xf4\xcd"+        }+    , Vector+        { vecPlaintext  = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00"+        , vecAAD        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xb8\x79\xad\x97\x6d\x82\x42\xac\xc1\x88\xab\x59\xca\xbf\xe3\x07"+        , vecCiphertext = "\x43\xdd\x01\x63\xcd\xb4\x8f\x9f\xe3\x21\x2b\xf6\x1b\x20\x19\x76\x06\x7f\x34\x2b"+        }+    , Vector+        { vecPlaintext  = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00"+        , vecAAD        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00"+        , vecKey        = "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xcf\xcd\xf5\x04\x21\x12\xaa\x29\x68\x5c\x91\x2f\xc2\x05\x65\x43"+        , vecCiphertext = "\x46\x24\x01\x72\x4b\x5c\xe6\x58\x8d\x5a\x54\xaa\xe5\x37\x55\x13\xa0\x75"+        }+    , Vector+        { vecPlaintext  = ""+        , vecAAD        = ""+        , vecKey        = "\xe6\x60\x21\xd5\xeb\x8e\x4f\x40\x66\xd4\xad\xb9\xc3\x35\x60\xe4\xf4\x6e\x44\xbb\x3d\xa0\x01\x5c\x94\xf7\x08\x87\x36\x86\x42\x00"+        , vecNonce      = "\xe0\xea\xf5\x28\x4d\x88\x4a\x0e\x77\xd3\x16\x46"+        , vecTag        = "\x16\x9f\xbb\x2f\xbf\x38\x9a\x99\x5f\x63\x90\xaf\x22\x22\x8a\x62"+        , vecCiphertext = ""+        }+    , Vector+        { vecPlaintext  = "\x67\x1f\xdd"+        , vecAAD        = "\x4f\xbd\xc6\x6f\x14"+        , vecKey        = "\xba\xe8\xe3\x7f\xc8\x34\x41\xb1\x60\x34\x56\x6b\x7a\x80\x6c\x46\xbb\x91\xc3\xc5\xae\xdb\x64\xa6\xc5\x90\xbc\x84\xd1\xa5\xe2\x69"+        , vecNonce      = "\xe4\xb4\x78\x01\xaf\xc0\x57\x7e\x34\x69\x9b\x9e"+        , vecTag        = "\x93\xda\x9b\xb8\x13\x33\xae\xe0\xc7\x85\xb2\x40\xd3\x19\x71\x9d"+        , vecCiphertext = "\x0e\xac\xcb"+        }+    , Vector+        { vecPlaintext  = "\x19\x54\x95\x86\x0f\x04"+        , vecAAD        = "\x67\x87\xf3\xea\x22\xc1\x27\xaa\xf1\x95"+        , vecKey        = "\x65\x45\xfc\x88\x0c\x94\xa9\x51\x98\x87\x42\x96\xd5\xcc\x1f\xd1\x61\x32\x0b\x69\x20\xce\x07\x78\x7f\x86\x74\x3b\x27\x5d\x1a\xb3"+        , vecNonce      = "\x2f\x6d\x1f\x04\x34\xd8\x84\x8c\x11\x77\x44\x1f"+        , vecTag        = "\x6b\x62\xb8\x4d\xc4\x0c\x84\x63\x6a\x5e\xc1\x20\x20\xec\x8c\x2c"+        , vecCiphertext = "\xa2\x54\xda\xd4\xf3\xf9"+        }+    , Vector+        { vecPlaintext  = "\xc9\x88\x2e\x53\x86\xfd\x9f\x92\xec"+        , vecAAD        = "\x48\x9c\x8f\xde\x2b\xe2\xcf\x97\xe7\x4e\x93\x2d\x4e\xd8\x7d"+        , vecKey        = "\xd1\x89\x47\x28\xb3\xfe\xd1\x47\x3c\x52\x8b\x84\x26\xa5\x82\x99\x59\x29\xa1\x49\x9e\x9a\xd8\x78\x0c\x8d\x63\xd0\xab\x41\x49\xc0"+        , vecNonce      = "\x9f\x57\x2c\x61\x4b\x47\x45\x91\x44\x74\xe7\xc7"+        , vecTag        = "\xc0\xfd\x3d\xc6\x62\x8d\xfe\x55\xeb\xb0\xb9\xfb\x22\x95\xc8\xc2"+        , vecCiphertext = "\x0d\xf9\xe3\x08\x67\x82\x44\xc4\x4b"+        }+    , Vector+        { vecPlaintext  = "\x1d\xb2\x31\x6f\xd5\x68\x37\x8d\xa1\x07\xb5\x2b"+        , vecAAD        = "\x0d\xa5\x52\x10\xcc\x1c\x1b\x0a\xbd\xe3\xb2\xf2\x04\xd1\xe9\xf8\xb0\x6b\xc4\x7f"+        , vecKey        = "\xa4\x41\x02\x95\x2e\xf9\x4b\x02\xb8\x05\x24\x9b\xac\x80\xe6\xf6\x14\x55\xbf\xac\x83\x08\xa2\xd4\x0d\x8c\x84\x51\x17\x80\x82\x35"+        , vecNonce      = "\x5c\x9e\x94\x0f\xea\x2f\x58\x29\x50\xa7\x0d\x5a"+        , vecTag        = "\x40\x40\x99\xc2\x58\x7f\x64\x97\x9f\x21\x82\x67\x06\xd4\x97\xd5"+        , vecCiphertext = "\x8d\xbe\xb9\xf7\x25\x5b\xf5\x76\x9d\xd5\x66\x92"+        }+    , Vector+        { vecPlaintext  = "\x21\x70\x2d\xe0\xde\x18\xba\xa9\xc9\x59\x62\x91\xb0\x84\x66"+        , vecAAD        = "\xf3\x7d\xe2\x1c\x7f\xf9\x01\xcf\xe8\xa6\x96\x15\xa9\x3f\xdf\x7a\x98\xca\xd4\x81\x79\x62\x45\x70\x9f"+        , vecKey        = "\x97\x45\xb3\xd1\xae\x06\x55\x6f\xb6\xaa\x78\x90\xbe\xbc\x18\xfe\x6b\x3d\xb4\xda\x3d\x57\xaa\x94\x84\x2b\x98\x03\xa9\x6e\x07\xfb"+        , vecNonce      = "\x6d\xe7\x18\x60\xf7\x62\xeb\xfb\xd0\x82\x84\xe4"+        , vecTag        = "\xb3\x08\x0d\x28\xf6\xeb\xb5\xd3\x64\x8c\xe9\x7b\xd5\xba\x67\xfd"+        , vecCiphertext = "\x79\x35\x76\xdf\xa5\xc0\xf8\x87\x29\xa7\xed\x3c\x2f\x1b\xff"+        }+    , Vector+        { vecPlaintext  = "\xb2\x02\xb3\x70\xef\x97\x68\xec\x65\x61\xc4\xfe\x6b\x7e\x72\x96\xfa\x85"+        , vecAAD        = "\x9c\x21\x59\x05\x8b\x1f\x0f\xe9\x14\x33\xa5\xbd\xc2\x0e\x21\x4e\xab\x7f\xec\xef\x44\x54\xa1\x0e\xf0\x65\x7d\xf2\x1a\xc7"+        , vecKey        = "\xb1\x88\x53\xf6\x8d\x83\x36\x40\xe4\x2a\x3c\x02\xc2\x5b\x64\x86\x9e\x14\x6d\x7b\x23\x39\x87\xbd\xdf\xc2\x40\x87\x1d\x75\x76\xf7"+        , vecNonce      = "\x02\x8e\xc6\xeb\x5e\xa7\xe2\x98\x34\x2a\x94\xd4"+        , vecTag        = "\x45\x4f\xc2\xa1\x54\xfe\xa9\x1f\x83\x63\xa3\x9f\xec\x7d\x0a\x49"+        , vecCiphertext = "\x85\x7e\x16\xa6\x49\x15\xa7\x87\x63\x76\x87\xdb\x4a\x95\x19\x63\x5c\xdd"+        }+    , Vector+        { vecPlaintext  = "\xce\xd5\x32\xce\x41\x59\xb0\x35\x27\x7d\x4d\xfb\xb7\xdb\x62\x96\x8b\x13\xcd\x4e\xec"+        , vecAAD        = "\x73\x43\x20\xcc\xc9\xd9\xbb\xbb\x19\xcb\x81\xb2\xaf\x4e\xcb\xc3\xe7\x28\x34\x32\x1f\x7a\xa0\xf7\x0b\x72\x82\xb4\xf3\x3d\xf2\x3f\x16\x75\x41"+        , vecKey        = "\x3c\x53\x5d\xe1\x92\xea\xed\x38\x22\xa2\xfb\xbe\x2c\xa9\xdf\xc8\x82\x55\xe1\x4a\x66\x1b\x8a\xa8\x2c\xc5\x42\x36\x09\x3b\xbc\x23"+        , vecNonce      = "\x68\x80\x89\xe5\x55\x40\xdb\x18\x72\x50\x4e\x1c"+        , vecTag        = "\x9d\x6c\x70\x29\x67\x5b\x89\xea\xf4\xba\x1d\xed\x1a\x28\x65\x94"+        , vecCiphertext = "\x62\x66\x60\xc2\x6e\xa6\x61\x2f\xb1\x7a\xd9\x1e\x8e\x76\x76\x39\xed\xd6\xc9\xfa\xee"+        }+    ]++vectorsWrap256 :: [Vector AES256]+vectorsWrap256 =+    [ Vector+        { vecPlaintext  = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\xb9\x23\xdc\x79\x3e\xe6\x49\x7c\x76\xdc\xc0\x3a\x98\xe1\x08"+        , vecAAD        = ""+        , vecKey        = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecCiphertext = "\xf3\xf8\x0f\x2c\xf0\xcb\x2d\xd9\xc5\x98\x4f\xcd\xa9\x08\x45\x6c\xc5\x37\x70\x3b\x5b\xa7\x03\x24\xa6\x79\x3a\x7b\xf2\x18\xd3\xea"+        }+    , Vector+        { vecPlaintext  = "\xeb\x36\x40\x27\x7c\x7f\xfd\x13\x03\xc7\xa5\x42\xd0\x2d\x3e\x4c\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecAAD        = ""+        , vecKey        = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecNonce      = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecTag        = "\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+        , vecCiphertext = "\x18\xce\x4f\x0b\x8c\xb4\xd0\xca\xc6\x5f\xea\x8f\x79\x25\x7b\x20\x88\x8e\x53\xe7\x22\x99\xe5\x6d"+        }+    ]++makeEncryptionTest :: BlockCipher128 aes => Int -> Vector aes -> TestTree+makeEncryptionTest i vec@Vector{..} =+    testCase (show i) $+        (t, vecCiphertext) @=? encrypt (vecCipher vec) n vecAAD vecPlaintext+  where t = AuthTag (B.convert vecTag)+        n = throwCryptoError (nonce vecNonce)++makeDecryptionTest :: BlockCipher128 aes => Int -> Vector aes -> TestTree+makeDecryptionTest i vec@Vector{..} =+    testCase (show i) $+        Just vecPlaintext @=? decrypt (vecCipher vec) n vecAAD vecCiphertext t+  where t = AuthTag (B.convert vecTag)+        n = throwCryptoError (nonce vecNonce)++katTests :: TestName+         -> (forall c . BlockCipher128 c => Int -> Vector c -> TestTree)+         -> TestTree+katTests name makeTest = testGroup name+    [ testGroup "AES128" $ zipWith makeTest [1..] vectors128+    , testGroup "AES256" $ zipWith makeTest [1..] vectors256+    , testGroup "CounterWrap" $ zipWith makeTest [1..] vectorsWrap256+    ]++newtype Key c = Key ByteString+    deriving (Show,Eq)++instance Arbitrary (Key AES128) where+    arbitrary = Key <$> arbitraryBS 16++instance Arbitrary (Key AES256) where+    arbitrary = Key <$> arbitraryBS 32++instance Arbitrary Nonce where+    arbitrary = throwCryptoError . nonce <$> arbitraryBS 12++encDecTest :: BlockCipher128 c+           => Proxy c -> Key c -> Nonce+           -> ArbitraryBS0_2901 -> ArbitraryBS0_2901 -> Property+encDecTest prx (Key key) iv (ArbitraryBS0_2901 aad) (ArbitraryBS0_2901 input) =+    let c = throwCryptoError (cipherInit key) `asProxyTypeOf` prx+        (tag, ciphertext) = encrypt c iv aad input+     in decrypt c iv aad ciphertext tag === Just input++tests :: TestTree+tests = testGroup "AES-GCM-SIV"+    [ testGroup "KATs"+        [ katTests "encrypt" makeEncryptionTest+        , katTests "decrypt" makeDecryptionTest+        ]+    , testGroup "properties"+        [ testProperty "AES128" $ encDecTest (Proxy :: Proxy AES128)+        , testProperty "AES256" $ encDecTest (Proxy :: Proxy AES256)+        ]+    ]
tests/KAT_AFIS.hs view
@@ -23,8 +23,8 @@       )     ] -mergeKATs = map toProp $ zip mergeVec [(0 :: Int)..]-  where toProp ((nbExpands, hashAlg, expected, dat), i) =+mergeKATs = zipWith toProp mergeVec [(0 :: Int)..]+  where toProp (nbExpands, hashAlg, expected, dat) i =             testCase ("merge " ++ show i) (expected @=? AFIS.merge hashAlg nbExpands dat)  data AFISParams = AFISParams B.ByteString Int SHA1 ChaChaDRG
tests/KAT_Argon2.hs view
@@ -28,9 +28,9 @@     ]  kdfTests :: [TestTree]-kdfTests = map toKDFTest $ zip is vectors+kdfTests = zipWith toKDFTest is vectors   where-    toKDFTest (i, v) =+    toKDFTest i v =         testCase (show i)             (CryptoPassed (kdfResult v) @=? Argon2.hash (kdfOptions v) (kdfPass v) (kdfSalt v) (B.length $ kdfResult v)) 
+ tests/KAT_CAST5.hs view
@@ -0,0 +1,15 @@+{-# LANGUAGE OverloadedStrings #-}+module KAT_CAST5 (tests) where++import BlockCipher+import qualified Crypto.Cipher.CAST5 as CAST5++vectors_ecb = -- key plaintext ciphertext+    [ KAT_ECB "\x01\x23\x45\x67\x12\x34\x56\x78\x23\x45\x67\x89\x34\x56\x78\x9A" "\x01\x23\x45\x67\x89\xAB\xCD\xEF" "\x23\x8B\x4F\xE5\x84\x7E\x44\xB2"+    , KAT_ECB "\x01\x23\x45\x67\x12\x34\x56\x78\x23\x45"                         "\x01\x23\x45\x67\x89\xAB\xCD\xEF" "\xEB\x6A\x71\x1A\x2C\x02\x27\x1B"+    , KAT_ECB "\x01\x23\x45\x67\x12"                                             "\x01\x23\x45\x67\x89\xAB\xCD\xEF" "\x7A\xC8\x16\xD1\x6E\x9B\x30\x2E"+    ]++kats = defaultKATs { kat_ECB = vectors_ecb }++tests = testBlockCipher kats (undefined :: CAST5.CAST5)
tests/KAT_Curve25519.hs view
@@ -16,6 +16,8 @@ katTests =     [ testCase "0" (aliceMultBob @=? B.convert (Curve25519.dh alicePublic bobPrivate))     , testCase "1" (aliceMultBob @=? B.convert (Curve25519.dh bobPublic alicePrivate))+    , testCase "2" (alicePublic  @=? Curve25519.toPublic alicePrivate)+    , testCase "3" (bobPublic    @=? Curve25519.toPublic bobPrivate)     ]  tests = testGroup "Curve25519"
tests/KAT_Ed25519.hs view
@@ -1,5 +1,5 @@+{-# LANGUAGE BangPatterns      #-} {-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE BangPatterns #-} module KAT_Ed25519 ( tests ) where  import           Crypto.Error@@ -13,26 +13,60 @@     , vecSig :: ByteString     } deriving (Show,Eq) -vec1 = Vec-    { vecSec = "\x4c\xcd\x08\x9b\x28\xff\x96\xda\x9d\xb6\xc3\x46\xec\x11\x4e\x0f\x5b\x8a\x31\x9f\x35\xab\xa6\x24\xda\x8c\xf6\xed\x4f\xb8\xa6\xfb"-    , vecPub = "\x3d\x40\x17\xc3\xe8\x43\x89\x5a\x92\xb7\x0a\xa7\x4d\x1b\x7e\xbc\x9c\x98\x2c\xcf\x2e\xc4\x96\x8c\xc0\xcd\x55\xf1\x2a\xf4\x66\x0c"-    , vecMsg = "\x72"-    , vecSig = "\x92\xa0\x09\xa9\xf0\xd4\xca\xb8\x72\x0e\x82\x0b\x5f\x64\x25\x40\xa2\xb2\x7b\x54\x16\x50\x3f\x8f\xb3\x76\x22\x23\xeb\xdb\x69\xda\x08\x5a\xc1\xe4\x3e\x15\x99\x6e\x45\x8f\x36\x13\xd0\xf1\x1d\x8c\x38\x7b\x2e\xae\xb4\x30\x2a\xee\xb0\x0d\x29\x16\x12\xbb\x0c\x00"-    }--testVec :: String -> Vec -> [TestTree]-testVec s vec =-    [ testCase (s ++ " gen publickey") (pub @=? Ed25519.toPublic sec)-    , testCase (s ++ " gen signature") (sig @=? Ed25519.sign sec pub (vecMsg vec))+vectors =+    [ Vec+        { vecSec = "\x9d\x61\xb1\x9d\xef\xfd\x5a\x60\xba\x84\x4a\xf4\x92\xec\x2c\xc4\x44\x49\xc5\x69\x7b\x32\x69\x19\x70\x3b\xac\x03\x1c\xae\x7f\x60"+        , vecPub = "\xd7\x5a\x98\x01\x82\xb1\x0a\xb7\xd5\x4b\xfe\xd3\xc9\x64\x07\x3a\x0e\xe1\x72\xf3\xda\xa6\x23\x25\xaf\x02\x1a\x68\xf7\x07\x51\x1a"+        , vecMsg = ""+        , vecSig = "\xe5\x56\x43\x00\xc3\x60\xac\x72\x90\x86\xe2\xcc\x80\x6e\x82\x8a\x84\x87\x7f\x1e\xb8\xe5\xd9\x74\xd8\x73\xe0\x65\x22\x49\x01\x55\x5f\xb8\x82\x15\x90\xa3\x3b\xac\xc6\x1e\x39\x70\x1c\xf9\xb4\x6b\xd2\x5b\xf5\xf0\x59\x5b\xbe\x24\x65\x51\x41\x43\x8e\x7a\x10\x0b"+        }+    , Vec+        { vecSec = "\x4c\xcd\x08\x9b\x28\xff\x96\xda\x9d\xb6\xc3\x46\xec\x11\x4e\x0f\x5b\x8a\x31\x9f\x35\xab\xa6\x24\xda\x8c\xf6\xed\x4f\xb8\xa6\xfb"+        , vecPub = "\x3d\x40\x17\xc3\xe8\x43\x89\x5a\x92\xb7\x0a\xa7\x4d\x1b\x7e\xbc\x9c\x98\x2c\xcf\x2e\xc4\x96\x8c\xc0\xcd\x55\xf1\x2a\xf4\x66\x0c"+        , vecMsg = "\x72"+        , vecSig = "\x92\xa0\x09\xa9\xf0\xd4\xca\xb8\x72\x0e\x82\x0b\x5f\x64\x25\x40\xa2\xb2\x7b\x54\x16\x50\x3f\x8f\xb3\x76\x22\x23\xeb\xdb\x69\xda\x08\x5a\xc1\xe4\x3e\x15\x99\x6e\x45\x8f\x36\x13\xd0\xf1\x1d\x8c\x38\x7b\x2e\xae\xb4\x30\x2a\xee\xb0\x0d\x29\x16\x12\xbb\x0c\x00"+        }+    , Vec+        { vecSec = "\xc5\xaa\x8d\xf4\x3f\x9f\x83\x7b\xed\xb7\x44\x2f\x31\xdc\xb7\xb1\x66\xd3\x85\x35\x07\x6f\x09\x4b\x85\xce\x3a\x2e\x0b\x44\x58\xf7"+        , vecPub = "\xfc\x51\xcd\x8e\x62\x18\xa1\xa3\x8d\xa4\x7e\xd0\x02\x30\xf0\x58\x08\x16\xed\x13\xba\x33\x03\xac\x5d\xeb\x91\x15\x48\x90\x80\x25"+        , vecMsg = "\xaf\x82"+        , vecSig = "\x62\x91\xd6\x57\xde\xec\x24\x02\x48\x27\xe6\x9c\x3a\xbe\x01\xa3\x0c\xe5\x48\xa2\x84\x74\x3a\x44\x5e\x36\x80\xd7\xdb\x5a\xc3\xac\x18\xff\x9b\x53\x8d\x16\xf2\x90\xae\x67\xf7\x60\x98\x4d\xc6\x59\x4a\x7c\x15\xe9\x71\x6e\xd2\x8d\xc0\x27\xbe\xce\xea\x1e\xc4\x0a"+        }+    , Vec+        { vecSec = "\xf5\xe5\x76\x7c\xf1\x53\x31\x95\x17\x63\x0f\x22\x68\x76\xb8\x6c\x81\x60\xcc\x58\x3b\xc0\x13\x74\x4c\x6b\xf2\x55\xf5\xcc\x0e\xe5"+        , vecPub = "\x27\x81\x17\xfc\x14\x4c\x72\x34\x0f\x67\xd0\xf2\x31\x6e\x83\x86\xce\xff\xbf\x2b\x24\x28\xc9\xc5\x1f\xef\x7c\x59\x7f\x1d\x42\x6e"+        , vecMsg = "\x08\xb8\xb2\xb7\x33\x42\x42\x43\x76\x0f\xe4\x26\xa4\xb5\x49\x08\x63\x21\x10\xa6\x6c\x2f\x65\x91\xea\xbd\x33\x45\xe3\xe4\xeb\x98\xfa\x6e\x26\x4b\xf0\x9e\xfe\x12\xee\x50\xf8\xf5\x4e\x9f\x77\xb1\xe3\x55\xf6\xc5\x05\x44\xe2\x3f\xb1\x43\x3d\xdf\x73\xbe\x84\xd8\x79\xde\x7c\x00\x46\xdc\x49\x96\xd9\xe7\x73\xf4\xbc\x9e\xfe\x57\x38\x82\x9a\xdb\x26\xc8\x1b\x37\xc9\x3a\x1b\x27\x0b\x20\x32\x9d\x65\x86\x75\xfc\x6e\xa5\x34\xe0\x81\x0a\x44\x32\x82\x6b\xf5\x8c\x94\x1e\xfb\x65\xd5\x7a\x33\x8b\xbd\x2e\x26\x64\x0f\x89\xff\xbc\x1a\x85\x8e\xfc\xb8\x55\x0e\xe3\xa5\xe1\x99\x8b\xd1\x77\xe9\x3a\x73\x63\xc3\x44\xfe\x6b\x19\x9e\xe5\xd0\x2e\x82\xd5\x22\xc4\xfe\xba\x15\x45\x2f\x80\x28\x8a\x82\x1a\x57\x91\x16\xec\x6d\xad\x2b\x3b\x31\x0d\xa9\x03\x40\x1a\xa6\x21\x00\xab\x5d\x1a\x36\x55\x3e\x06\x20\x3b\x33\x89\x0c\xc9\xb8\x32\xf7\x9e\xf8\x05\x60\xcc\xb9\xa3\x9c\xe7\x67\x96\x7e\xd6\x28\xc6\xad\x57\x3c\xb1\x16\xdb\xef\xef\xd7\x54\x99\xda\x96\xbd\x68\xa8\xa9\x7b\x92\x8a\x8b\xbc\x10\x3b\x66\x21\xfc\xde\x2b\xec\xa1\x23\x1d\x20\x6b\xe6\xcd\x9e\xc7\xaf\xf6\xf6\xc9\x4f\xcd\x72\x04\xed\x34\x55\xc6\x8c\x83\xf4\xa4\x1d\xa4\xaf\x2b\x74\xef\x5c\x53\xf1\xd8\xac\x70\xbd\xcb\x7e\xd1\x85\xce\x81\xbd\x84\x35\x9d\x44\x25\x4d\x95\x62\x9e\x98\x55\xa9\x4a\x7c\x19\x58\xd1\xf8\xad\xa5\xd0\x53\x2e\xd8\xa5\xaa\x3f\xb2\xd1\x7b\xa7\x0e\xb6\x24\x8e\x59\x4e\x1a\x22\x97\xac\xbb\xb3\x9d\x50\x2f\x1a\x8c\x6e\xb6\xf1\xce\x22\xb3\xde\x1a\x1f\x40\xcc\x24\x55\x41\x19\xa8\x31\xa9\xaa\xd6\x07\x9c\xad\x88\x42\x5d\xe6\xbd\xe1\xa9\x18\x7e\xbb\x60\x92\xcf\x67\xbf\x2b\x13\xfd\x65\xf2\x70\x88\xd7\x8b\x7e\x88\x3c\x87\x59\xd2\xc4\xf5\xc6\x5a\xdb\x75\x53\x87\x8a\xd5\x75\xf9\xfa\xd8\x78\xe8\x0a\x0c\x9b\xa6\x3b\xcb\xcc\x27\x32\xe6\x94\x85\xbb\xc9\xc9\x0b\xfb\xd6\x24\x81\xd9\x08\x9b\xec\xcf\x80\xcf\xe2\xdf\x16\xa2\xcf\x65\xbd\x92\xdd\x59\x7b\x07\x07\xe0\x91\x7a\xf4\x8b\xbb\x75\xfe\xd4\x13\xd2\x38\xf5\x55\x5a\x7a\x56\x9d\x80\xc3\x41\x4a\x8d\x08\x59\xdc\x65\xa4\x61\x28\xba\xb2\x7a\xf8\x7a\x71\x31\x4f\x31\x8c\x78\x2b\x23\xeb\xfe\x80\x8b\x82\xb0\xce\x26\x40\x1d\x2e\x22\xf0\x4d\x83\xd1\x25\x5d\xc5\x1a\xdd\xd3\xb7\x5a\x2b\x1a\xe0\x78\x45\x04\xdf\x54\x3a\xf8\x96\x9b\xe3\xea\x70\x82\xff\x7f\xc9\x88\x8c\x14\x4d\xa2\xaf\x58\x42\x9e\xc9\x60\x31\xdb\xca\xd3\xda\xd9\xaf\x0d\xcb\xaa\xaf\x26\x8c\xb8\xfc\xff\xea\xd9\x4f\x3c\x7c\xa4\x95\xe0\x56\xa9\xb4\x7a\xcd\xb7\x51\xfb\x73\xe6\x66\xc6\xc6\x55\xad\xe8\x29\x72\x97\xd0\x7a\xd1\xba\x5e\x43\xf1\xbc\xa3\x23\x01\x65\x13\x39\xe2\x29\x04\xcc\x8c\x42\xf5\x8c\x30\xc0\x4a\xaf\xdb\x03\x8d\xda\x08\x47\xdd\x98\x8d\xcd\xa6\xf3\xbf\xd1\x5c\x4b\x4c\x45\x25\x00\x4a\xa0\x6e\xef\xf8\xca\x61\x78\x3a\xac\xec\x57\xfb\x3d\x1f\x92\xb0\xfe\x2f\xd1\xa8\x5f\x67\x24\x51\x7b\x65\xe6\x14\xad\x68\x08\xd6\xf6\xee\x34\xdf\xf7\x31\x0f\xdc\x82\xae\xbf\xd9\x04\xb0\x1e\x1d\xc5\x4b\x29\x27\x09\x4b\x2d\xb6\x8d\x6f\x90\x3b\x68\x40\x1a\xde\xbf\x5a\x7e\x08\xd7\x8f\xf4\xef\x5d\x63\x65\x3a\x65\x04\x0c\xf9\xbf\xd4\xac\xa7\x98\x4a\x74\xd3\x71\x45\x98\x67\x80\xfc\x0b\x16\xac\x45\x16\x49\xde\x61\x88\xa7\xdb\xdf\x19\x1f\x64\xb5\xfc\x5e\x2a\xb4\x7b\x57\xf7\xf7\x27\x6c\xd4\x19\xc1\x7a\x3c\xa8\xe1\xb9\x39\xae\x49\xe4\x88\xac\xba\x6b\x96\x56\x10\xb5\x48\x01\x09\xc8\xb1\x7b\x80\xe1\xb7\xb7\x50\xdf\xc7\x59\x8d\x5d\x50\x11\xfd\x2d\xcc\x56\x00\xa3\x2e\xf5\xb5\x2a\x1e\xcc\x82\x0e\x30\x8a\xa3\x42\x72\x1a\xac\x09\x43\xbf\x66\x86\xb6\x4b\x25\x79\x37\x65\x04\xcc\xc4\x93\xd9\x7e\x6a\xed\x3f\xb0\xf9\xcd\x71\xa4\x3d\xd4\x97\xf0\x1f\x17\xc0\xe2\xcb\x37\x97\xaa\x2a\x2f\x25\x66\x56\x16\x8e\x6c\x49\x6a\xfc\x5f\xb9\x32\x46\xf6\xb1\x11\x63\x98\xa3\x46\xf1\xa6\x41\xf3\xb0\x41\xe9\x89\xf7\x91\x4f\x90\xcc\x2c\x7f\xff\x35\x78\x76\xe5\x06\xb5\x0d\x33\x4b\xa7\x7c\x22\x5b\xc3\x07\xba\x53\x71\x52\xf3\xf1\x61\x0e\x4e\xaf\xe5\x95\xf6\xd9\xd9\x0d\x11\xfa\xa9\x33\xa1\x5e\xf1\x36\x95\x46\x86\x8a\x7f\x3a\x45\xa9\x67\x68\xd4\x0f\xd9\xd0\x34\x12\xc0\x91\xc6\x31\x5c\xf4\xfd\xe7\xcb\x68\x60\x69\x37\x38\x0d\xb2\xea\xaa\x70\x7b\x4c\x41\x85\xc3\x2e\xdd\xcd\xd3\x06\x70\x5e\x4d\xc1\xff\xc8\x72\xee\xee\x47\x5a\x64\xdf\xac\x86\xab\xa4\x1c\x06\x18\x98\x3f\x87\x41\xc5\xef\x68\xd3\xa1\x01\xe8\xa3\xb8\xca\xc6\x0c\x90\x5c\x15\xfc\x91\x08\x40\xb9\x4c\x00\xa0\xb9\xd0"+        , vecSig = "\x0a\xab\x4c\x90\x05\x01\xb3\xe2\x4d\x7c\xdf\x46\x63\x32\x6a\x3a\x87\xdf\x5e\x48\x43\xb2\xcb\xdb\x67\xcb\xf6\xe4\x60\xfe\xc3\x50\xaa\x53\x71\xb1\x50\x8f\x9f\x45\x28\xec\xea\x23\xc4\x36\xd9\x4b\x5e\x8f\xcd\x4f\x68\x1e\x30\xa6\xac\x00\xa9\x70\x4a\x18\x8a\x03"+        }+    , Vec+        { vecSec = "\x83\x3f\xe6\x24\x09\x23\x7b\x9d\x62\xec\x77\x58\x75\x20\x91\x1e\x9a\x75\x9c\xec\x1d\x19\x75\x5b\x7d\xa9\x01\xb9\x6d\xca\x3d\x42"+        , vecPub = "\xec\x17\x2b\x93\xad\x5e\x56\x3b\xf4\x93\x2c\x70\xe1\x24\x50\x34\xc3\x54\x67\xef\x2e\xfd\x4d\x64\xeb\xf8\x19\x68\x34\x67\xe2\xbf"+        , vecMsg = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"+        , vecSig = "\xdc\x2a\x44\x59\xe7\x36\x96\x33\xa5\x2b\x1b\xf2\x77\x83\x9a\x00\x20\x10\x09\xa3\xef\xbf\x3e\xcb\x69\xbe\xa2\x18\x6c\x26\xb5\x89\x09\x35\x1f\xc9\xac\x90\xb3\xec\xfd\xfb\xc7\xc6\x64\x31\xe0\x30\x3d\xca\x17\x9c\x13\x8a\xc1\x7a\xd9\xbe\xf1\x17\x73\x31\xa7\x04"+        }     ]+++doPublicKeyTest i vec = testCase (show i) (pub @=? Ed25519.toPublic sec)   where+        !pub = throwCryptoError $ Ed25519.publicKey (vecPub vec)+        !sec = throwCryptoError $ Ed25519.secretKey (vecSec vec)++doSignatureTest i vec = testCase (show i) (sig @=? Ed25519.sign sec pub (vecMsg vec))+  where         !sig = throwCryptoError $ Ed25519.signature (vecSig vec)         !pub = throwCryptoError $ Ed25519.publicKey (vecPub vec)         !sec = throwCryptoError $ Ed25519.secretKey (vecSec vec) -katTests :: [TestTree]-katTests = testVec "vec 1" vec1+doVerifyTest i vec = testCase (show i) (True @=? Ed25519.verify pub (vecMsg vec) sig)+  where+        !sig = throwCryptoError $ Ed25519.signature (vecSig vec)+        !pub = throwCryptoError $ Ed25519.publicKey (vecPub vec) + tests = testGroup "Ed25519"-    [ testGroup "KATs" katTests+    [ testCase  "gen secretkey" (Ed25519.generateSecretKey *> pure ())+    , testGroup "gen publickey" $ zipWith doPublicKeyTest [katZero..] vectors+    , testGroup "gen signature" $ zipWith doSignatureTest [katZero..] vectors+    , testGroup "verify sig" $ zipWith doVerifyTest [katZero..] vectors     ]
+ tests/KAT_Ed448.hs view
@@ -0,0 +1,90 @@+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE BangPatterns #-}+module KAT_Ed448 ( tests ) where++import           Crypto.Error+import qualified Crypto.PubKey.Ed448 as Ed448+import           Imports++data Vec = Vec+    { vecSec :: ByteString+    , vecPub :: ByteString+    , vecMsg :: ByteString+    , vecSig :: ByteString+    } deriving (Show,Eq)++vectors =+    [ Vec+        { vecSec = "\x6c\x82\xa5\x62\xcb\x80\x8d\x10\xd6\x32\xbe\x89\xc8\x51\x3e\xbf\x6c\x92\x9f\x34\xdd\xfa\x8c\x9f\x63\xc9\x96\x0e\xf6\xe3\x48\xa3\x52\x8c\x8a\x3f\xcc\x2f\x04\x4e\x39\xa3\xfc\x5b\x94\x49\x2f\x8f\x03\x2e\x75\x49\xa2\x00\x98\xf9\x5b"+        , vecPub = "\x5f\xd7\x44\x9b\x59\xb4\x61\xfd\x2c\xe7\x87\xec\x61\x6a\xd4\x6a\x1d\xa1\x34\x24\x85\xa7\x0e\x1f\x8a\x0e\xa7\x5d\x80\xe9\x67\x78\xed\xf1\x24\x76\x9b\x46\xc7\x06\x1b\xd6\x78\x3d\xf1\xe5\x0f\x6c\xd1\xfa\x1a\xbe\xaf\xe8\x25\x61\x80"+        , vecMsg = ""+        , vecSig = "\x53\x3a\x37\xf6\xbb\xe4\x57\x25\x1f\x02\x3c\x0d\x88\xf9\x76\xae\x2d\xfb\x50\x4a\x84\x3e\x34\xd2\x07\x4f\xd8\x23\xd4\x1a\x59\x1f\x2b\x23\x3f\x03\x4f\x62\x82\x81\xf2\xfd\x7a\x22\xdd\xd4\x7d\x78\x28\xc5\x9b\xd0\xa2\x1b\xfd\x39\x80\xff\x0d\x20\x28\xd4\xb1\x8a\x9d\xf6\x3e\x00\x6c\x5d\x1c\x2d\x34\x5b\x92\x5d\x8d\xc0\x0b\x41\x04\x85\x2d\xb9\x9a\xc5\xc7\xcd\xda\x85\x30\xa1\x13\xa0\xf4\xdb\xb6\x11\x49\xf0\x5a\x73\x63\x26\x8c\x71\xd9\x58\x08\xff\x2e\x65\x26\x00"+        }+    , Vec+        { vecSec = "\xc4\xea\xb0\x5d\x35\x70\x07\xc6\x32\xf3\xdb\xb4\x84\x89\x92\x4d\x55\x2b\x08\xfe\x0c\x35\x3a\x0d\x4a\x1f\x00\xac\xda\x2c\x46\x3a\xfb\xea\x67\xc5\xe8\xd2\x87\x7c\x5e\x3b\xc3\x97\xa6\x59\x94\x9e\xf8\x02\x1e\x95\x4e\x0a\x12\x27\x4e"+        , vecPub = "\x43\xba\x28\xf4\x30\xcd\xff\x45\x6a\xe5\x31\x54\x5f\x7e\xcd\x0a\xc8\x34\xa5\x5d\x93\x58\xc0\x37\x2b\xfa\x0c\x6c\x67\x98\xc0\x86\x6a\xea\x01\xeb\x00\x74\x28\x02\xb8\x43\x8e\xa4\xcb\x82\x16\x9c\x23\x51\x60\x62\x7b\x4c\x3a\x94\x80"+        , vecMsg = "\x03"+        , vecSig = "\x26\xb8\xf9\x17\x27\xbd\x62\x89\x7a\xf1\x5e\x41\xeb\x43\xc3\x77\xef\xb9\xc6\x10\xd4\x8f\x23\x35\xcb\x0b\xd0\x08\x78\x10\xf4\x35\x25\x41\xb1\x43\xc4\xb9\x81\xb7\xe1\x8f\x62\xde\x8c\xcd\xf6\x33\xfc\x1b\xf0\x37\xab\x7c\xd7\x79\x80\x5e\x0d\xbc\xc0\xaa\xe1\xcb\xce\xe1\xaf\xb2\xe0\x27\xdf\x36\xbc\x04\xdc\xec\xbf\x15\x43\x36\xc1\x9f\x0a\xf7\xe0\xa6\x47\x29\x05\xe7\x99\xf1\x95\x3d\x2a\x0f\xf3\x34\x8a\xb2\x1a\xa4\xad\xaf\xd1\xd2\x34\x44\x1c\xf8\x07\xc0\x3a\x00"+        }+    , Vec+        { vecSec = "\xcd\x23\xd2\x4f\x71\x42\x74\xe7\x44\x34\x32\x37\xb9\x32\x90\xf5\x11\xf6\x42\x5f\x98\xe6\x44\x59\xff\x20\x3e\x89\x85\x08\x3f\xfd\xf6\x05\x00\x55\x3a\xbc\x0e\x05\xcd\x02\x18\x4b\xdb\x89\xc4\xcc\xd6\x7e\x18\x79\x51\x26\x7e\xb3\x28"+        , vecPub = "\xdc\xea\x9e\x78\xf3\x5a\x1b\xf3\x49\x9a\x83\x1b\x10\xb8\x6c\x90\xaa\xc0\x1c\xd8\x4b\x67\xa0\x10\x9b\x55\xa3\x6e\x93\x28\xb1\xe3\x65\xfc\xe1\x61\xd7\x1c\xe7\x13\x1a\x54\x3e\xa4\xcb\x5f\x7e\x9f\x1d\x8b\x00\x69\x64\x47\x00\x14\x00"+        , vecMsg = "\x0c\x3e\x54\x40\x74\xec\x63\xb0\x26\x5e\x0c"+        , vecSig = "\x1f\x0a\x88\x88\xce\x25\xe8\xd4\x58\xa2\x11\x30\x87\x9b\x84\x0a\x90\x89\xd9\x99\xaa\xba\x03\x9e\xaf\x3e\x3a\xfa\x09\x0a\x09\xd3\x89\xdb\xa8\x2c\x4f\xf2\xae\x8a\xc5\xcd\xfb\x7c\x55\xe9\x4d\x5d\x96\x1a\x29\xfe\x01\x09\x94\x1e\x00\xb8\xdb\xde\xea\x6d\x3b\x05\x10\x68\xdf\x72\x54\xc0\xcd\xc1\x29\xcb\xe6\x2d\xb2\xdc\x95\x7d\xbb\x47\xb5\x1f\xd3\xf2\x13\xfb\x86\x98\xf0\x64\x77\x42\x50\xa5\x02\x89\x61\xc9\xbf\x8f\xfd\x97\x3f\xe5\xd5\xc2\x06\x49\x2b\x14\x0e\x00"+        }+    , Vec+        { vecSec = "\x25\x8c\xdd\x4a\xda\x32\xed\x9c\x9f\xf5\x4e\x63\x75\x6a\xe5\x82\xfb\x8f\xab\x2a\xc7\x21\xf2\xc8\xe6\x76\xa7\x27\x68\x51\x3d\x93\x9f\x63\xdd\xdb\x55\x60\x91\x33\xf2\x9a\xdf\x86\xec\x99\x29\xdc\xcb\x52\xc1\xc5\xfd\x2f\xf7\xe2\x1b"+        , vecPub = "\x3b\xa1\x6d\xa0\xc6\xf2\xcc\x1f\x30\x18\x77\x40\x75\x6f\x5e\x79\x8d\x6b\xc5\xfc\x01\x5d\x7c\x63\xcc\x95\x10\xee\x3f\xd4\x4a\xdc\x24\xd8\xe9\x68\xb6\xe4\x6e\x6f\x94\xd1\x9b\x94\x53\x61\x72\x6b\xd7\x5e\x14\x9e\xf0\x98\x17\xf5\x80"+        , vecMsg = "\x64\xa6\x5f\x3c\xde\xdc\xdd\x66\x81\x1e\x29\x15"+        , vecSig = "\x7e\xee\xab\x7c\x4e\x50\xfb\x79\x9b\x41\x8e\xe5\xe3\x19\x7f\xf6\xbf\x15\xd4\x3a\x14\xc3\x43\x89\xb5\x9d\xd1\xa7\xb1\xb8\x5b\x4a\xe9\x04\x38\xac\xa6\x34\xbe\xa4\x5e\x3a\x26\x95\xf1\x27\x0f\x07\xfd\xcd\xf7\xc6\x2b\x8e\xfe\xaf\x00\xb4\x5c\x2c\x96\xba\x45\x7e\xb1\xa8\xbf\x07\x5a\x3d\xb2\x8e\x5c\x24\xf6\xb9\x23\xed\x4a\xd7\x47\xc3\xc9\xe0\x3c\x70\x79\xef\xb8\x7c\xb1\x10\xd3\xa9\x98\x61\xe7\x20\x03\xcb\xae\x6d\x6b\x8b\x82\x7e\x4e\x6c\x14\x30\x64\xff\x3c\x00"+        }+    , Vec+        { vecSec = "\x7e\xf4\xe8\x45\x44\x23\x67\x52\xfb\xb5\x6b\x8f\x31\xa2\x3a\x10\xe4\x28\x14\xf5\xf5\x5c\xa0\x37\xcd\xcc\x11\xc6\x4c\x9a\x3b\x29\x49\xc1\xbb\x60\x70\x03\x14\x61\x17\x32\xa6\xc2\xfe\xa9\x8e\xeb\xc0\x26\x6a\x11\xa9\x39\x70\x10\x0e"+        , vecPub = "\xb3\xda\x07\x9b\x0a\xa4\x93\xa5\x77\x20\x29\xf0\x46\x7b\xae\xbe\xe5\xa8\x11\x2d\x9d\x3a\x22\x53\x23\x61\xda\x29\x4f\x7b\xb3\x81\x5c\x5d\xc5\x9e\x17\x6b\x4d\x9f\x38\x1c\xa0\x93\x8e\x13\xc6\xc0\x7b\x17\x4b\xe6\x5d\xfa\x57\x8e\x80"+        , vecMsg = "\x64\xa6\x5f\x3c\xde\xdc\xdd\x66\x81\x1e\x29\x15\xe7"+        , vecSig = "\x6a\x12\x06\x6f\x55\x33\x1b\x6c\x22\xac\xd5\xd5\xbf\xc5\xd7\x12\x28\xfb\xda\x80\xae\x8d\xec\x26\xbd\xd3\x06\x74\x3c\x50\x27\xcb\x48\x90\x81\x0c\x16\x2c\x02\x74\x68\x67\x5e\xcf\x64\x5a\x83\x17\x6c\x0d\x73\x23\xa2\xcc\xde\x2d\x80\xef\xe5\xa1\x26\x8e\x8a\xca\x1d\x6f\xbc\x19\x4d\x3f\x77\xc4\x49\x86\xeb\x4a\xb4\x17\x79\x19\xad\x8b\xec\x33\xeb\x47\xbb\xb5\xfc\x6e\x28\x19\x6f\xd1\xca\xf5\x6b\x4e\x7e\x0b\xa5\x51\x92\x34\xd0\x47\x15\x5a\xc7\x27\xa1\x05\x31\x00"+        }+    , Vec+        { vecSec = "\xd6\x5d\xf3\x41\xad\x13\xe0\x08\x56\x76\x88\xba\xed\xda\x8e\x9d\xcd\xc1\x7d\xc0\x24\x97\x4e\xa5\xb4\x22\x7b\x65\x30\xe3\x39\xbf\xf2\x1f\x99\xe6\x8c\xa6\x96\x8f\x3c\xca\x6d\xfe\x0f\xb9\xf4\xfa\xb4\xfa\x13\x5d\x55\x42\xea\x3f\x01"+        , vecPub = "\xdf\x97\x05\xf5\x8e\xdb\xab\x80\x2c\x7f\x83\x63\xcf\xe5\x56\x0a\xb1\xc6\x13\x2c\x20\xa9\xf1\xdd\x16\x34\x83\xa2\x6f\x8a\xc5\x3a\x39\xd6\x80\x8b\xf4\xa1\xdf\xbd\x26\x1b\x09\x9b\xb0\x3b\x3f\xb5\x09\x06\xcb\x28\xbd\x8a\x08\x1f\x00"+        , vecMsg = "\xbd\x0f\x6a\x37\x47\xcd\x56\x1b\xdd\xdf\x46\x40\xa3\x32\x46\x1a\x4a\x30\xa1\x2a\x43\x4c\xd0\xbf\x40\xd7\x66\xd9\xc6\xd4\x58\xe5\x51\x22\x04\xa3\x0c\x17\xd1\xf5\x0b\x50\x79\x63\x1f\x64\xeb\x31\x12\x18\x2d\xa3\x00\x58\x35\x46\x11\x13\x71\x8d\x1a\x5e\xf9\x44"+        , vecSig = "\x55\x4b\xc2\x48\x08\x60\xb4\x9e\xab\x85\x32\xd2\xa5\x33\xb7\xd5\x78\xef\x47\x3e\xeb\x58\xc9\x8b\xb2\xd0\xe1\xce\x48\x8a\x98\xb1\x8d\xfd\xe9\xb9\xb9\x07\x75\xe6\x7f\x47\xd4\xa1\xc3\x48\x20\x58\xef\xc9\xf4\x0d\x2c\xa0\x33\xa0\x80\x1b\x63\xd4\x5b\x3b\x72\x2e\xf5\x52\xba\xd3\xb4\xcc\xb6\x67\xda\x35\x01\x92\xb6\x1c\x50\x8c\xf7\xb6\xb5\xad\xad\xc2\xc8\xd9\xa4\x46\xef\x00\x3f\xb0\x5c\xba\x5f\x30\xe8\x8e\x36\xec\x27\x03\xb3\x49\xca\x22\x9c\x26\x70\x83\x39\x00"+        }+    , Vec+        { vecSec = "\x2e\xc5\xfe\x3c\x17\x04\x5a\xbd\xb1\x36\xa5\xe6\xa9\x13\xe3\x2a\xb7\x5a\xe6\x8b\x53\xd2\xfc\x14\x9b\x77\xe5\x04\x13\x2d\x37\x56\x9b\x7e\x76\x6b\xa7\x4a\x19\xbd\x61\x62\x34\x3a\x21\xc8\x59\x0a\xa9\xce\xbc\xa9\x01\x4c\x63\x6d\xf5"+        , vecPub = "\x79\x75\x6f\x01\x4d\xcf\xe2\x07\x9f\x5d\xd9\xe7\x18\xbe\x41\x71\xe2\xef\x24\x86\xa0\x8f\x25\x18\x6f\x6b\xff\x43\xa9\x93\x6b\x9b\xfe\x12\x40\x2b\x08\xae\x65\x79\x8a\x3d\x81\xe2\x2e\x9e\xc8\x0e\x76\x90\x86\x2e\xf3\xd4\xed\x3a\x00"+        , vecMsg = "\x15\x77\x75\x32\xb0\xbd\xd0\xd1\x38\x9f\x63\x6c\x5f\x6b\x9b\xa7\x34\xc9\x0a\xf5\x72\x87\x7e\x2d\x27\x2d\xd0\x78\xaa\x1e\x56\x7c\xfa\x80\xe1\x29\x28\xbb\x54\x23\x30\xe8\x40\x9f\x31\x74\x50\x41\x07\xec\xd5\xef\xac\x61\xae\x75\x04\xda\xbe\x2a\x60\x2e\xde\x89\xe5\xcc\xa6\x25\x7a\x7c\x77\xe2\x7a\x70\x2b\x3a\xe3\x9f\xc7\x69\xfc\x54\xf2\x39\x5a\xe6\xa1\x17\x8c\xab\x47\x38\xe5\x43\x07\x2f\xc1\xc1\x77\xfe\x71\xe9\x2e\x25\xbf\x03\xe4\xec\xb7\x2f\x47\xb6\x4d\x04\x65\xaa\xea\x4c\x7f\xad\x37\x25\x36\xc8\xba\x51\x6a\x60\x39\xc3\xc2\xa3\x9f\x0e\x4d\x83\x2b\xe4\x32\xdf\xa9\xa7\x06\xa6\xe5\xc7\xe1\x9f\x39\x79\x64\xca\x42\x58\x00\x2f\x7c\x05\x41\xb5\x90\x31\x6d\xbc\x56\x22\xb6\xb2\xa6\xfe\x7a\x4a\xbf\xfd\x96\x10\x5e\xca\x76\xea\x7b\x98\x81\x6a\xf0\x74\x8c\x10\xdf\x04\x8c\xe0\x12\xd9\x01\x01\x5a\x51\xf1\x89\xf3\x88\x81\x45\xc0\x36\x50\xaa\x23\xce\x89\x4c\x3b\xd8\x89\xe0\x30\xd5\x65\x07\x1c\x59\xf4\x09\xa9\x98\x1b\x51\x87\x8f\xd6\xfc\x11\x06\x24\xdc\xbc\xde\x0b\xf7\xa6\x9c\xcc\xe3\x8f\xab\xdf\x86\xf3\xbe\xf6\x04\x48\x19\xde\x11"+        , vecSig = "\xc6\x50\xdd\xbb\x06\x01\xc1\x9c\xa1\x14\x39\xe1\x64\x0d\xd9\x31\xf4\x3c\x51\x8e\xa5\xbe\xa7\x0d\x3d\xcd\xe5\xf4\x19\x1f\xe5\x3f\x00\xcf\x96\x65\x46\xb7\x2b\xcc\x7d\x58\xbe\x2b\x9b\xad\xef\x28\x74\x39\x54\xe3\xa4\x4a\x23\xf8\x80\xe8\xd4\xf1\xcf\xce\x2d\x7a\x61\x45\x2d\x26\xda\x05\x89\x6f\x0a\x50\xda\x66\xa2\x39\xa8\xa1\x88\xb6\xd8\x25\xb3\x30\x5a\xd7\x7b\x73\xfb\xac\x08\x36\xec\xc6\x09\x87\xfd\x08\x52\x7c\x1a\x8e\x80\xd5\x82\x3e\x65\xca\xfe\x2a\x3d\x00"+        }+    , Vec+        { vecSec = "\x87\x2d\x09\x37\x80\xf5\xd3\x73\x0d\xf7\xc2\x12\x66\x4b\x37\xb8\xa0\xf2\x4f\x56\x81\x0d\xaa\x83\x82\xcd\x4f\xa3\xf7\x76\x34\xec\x44\xdc\x54\xf1\xc2\xed\x9b\xea\x86\xfa\xfb\x76\x32\xd8\xbe\x19\x9e\xa1\x65\xf5\xad\x55\xdd\x9c\xe8"+        , vecPub = "\xa8\x1b\x2e\x8a\x70\xa5\xac\x94\xff\xdb\xcc\x9b\xad\xfc\x3f\xeb\x08\x01\xf2\x58\x57\x8b\xb1\x14\xad\x44\xec\xe1\xec\x0e\x79\x9d\xa0\x8e\xff\xb8\x1c\x5d\x68\x5c\x0c\x56\xf6\x4e\xec\xae\xf8\xcd\xf1\x1c\xc3\x87\x37\x83\x8c\xf4\x00"+        , vecMsg = "\x6d\xdf\x80\x2e\x1a\xae\x49\x86\x93\x5f\x7f\x98\x1b\xa3\xf0\x35\x1d\x62\x73\xc0\xa0\xc2\x2c\x9c\x0e\x83\x39\x16\x8e\x67\x54\x12\xa3\xde\xbf\xaf\x43\x5e\xd6\x51\x55\x80\x07\xdb\x43\x84\xb6\x50\xfc\xc0\x7e\x3b\x58\x6a\x27\xa4\xf7\xa0\x0a\xc8\xa6\xfe\xc2\xcd\x86\xae\x4b\xf1\x57\x0c\x41\xe6\xa4\x0c\x93\x1d\xb2\x7b\x2f\xaa\x15\xa8\xce\xdd\x52\xcf\xf7\x36\x2c\x4e\x6e\x23\xda\xec\x0f\xbc\x3a\x79\xb6\x80\x6e\x31\x6e\xfc\xc7\xb6\x81\x19\xbf\x46\xbc\x76\xa2\x60\x67\xa5\x3f\x29\x6d\xaf\xdb\xdc\x11\xc7\x7f\x77\x77\xe9\x72\x66\x0c\xf4\xb6\xa9\xb3\x69\xa6\x66\x5f\x02\xe0\xcc\x9b\x6e\xdf\xad\x13\x6b\x4f\xab\xe7\x23\xd2\x81\x3d\xb3\x13\x6c\xfd\xe9\xb6\xd0\x44\x32\x2f\xee\x29\x47\x95\x2e\x03\x1b\x73\xab\x5c\x60\x33\x49\xb3\x07\xbd\xc2\x7b\xc6\xcb\x8b\x8b\xbd\x7b\xd3\x23\x21\x9b\x80\x33\xa5\x81\xb5\x9e\xad\xeb\xb0\x9b\x3c\x4f\x3d\x22\x77\xd4\xf0\x34\x36\x24\xac\xc8\x17\x80\x47\x28\xb2\x5a\xb7\x97\x17\x2b\x4c\x5c\x21\xa2\x2f\x9c\x78\x39\xd6\x43\x00\x23\x2e\xb6\x6e\x53\xf3\x1c\x72\x3f\xa3\x7f\xe3\x87\xc7\xd3\xe5\x0b\xdf\x98\x13\xa3\x0e\x5b\xb1\x2c\xf4\xcd\x93\x0c\x40\xcf\xb4\xe1\xfc\x62\x25\x92\xa4\x95\x88\x79\x44\x94\xd5\x6d\x24\xea\x4b\x40\xc8\x9f\xc0\x59\x6c\xc9\xeb\xb9\x61\xc8\xcb\x10\xad\xde\x97\x6a\x5d\x60\x2b\x1c\x3f\x85\xb9\xb9\xa0\x01\xed\x3c\x6a\x4d\x3b\x14\x37\xf5\x20\x96\xcd\x19\x56\xd0\x42\xa5\x97\xd5\x61\xa5\x96\xec\xd3\xd1\x73\x5a\x8d\x57\x0e\xa0\xec\x27\x22\x5a\x2c\x4a\xaf\xf2\x63\x06\xd1\x52\x6c\x1a\xf3\xca\x6d\x9c\xf5\xa2\xc9\x8f\x47\xe1\xc4\x6d\xb9\xa3\x32\x34\xcf\xd4\xd8\x1f\x2c\x98\x53\x8a\x09\xeb\xe7\x69\x98\xd0\xd8\xfd\x25\x99\x7c\x7d\x25\x5c\x6d\x66\xec\xe6\xfa\x56\xf1\x11\x44\x95\x0f\x02\x77\x95\xe6\x53\x00\x8f\x4b\xd7\xca\x2d\xee\x85\xd8\xe9\x0f\x3d\xc3\x15\x13\x0c\xe2\xa0\x03\x75\xa3\x18\xc7\xc3\xd9\x7b\xe2\xc8\xce\x5b\x6d\xb4\x1a\x62\x54\xff\x26\x4f\xa6\x15\x5b\xae\xe3\xb0\x77\x3c\x0f\x49\x7c\x57\x3f\x19\xbb\x4f\x42\x40\x28\x1f\x0b\x1f\x4f\x7b\xe8\x57\xa4\xe5\x9d\x41\x6c\x06\xb4\xc5\x0f\xa0\x9e\x18\x10\xdd\xc6\xb1\x46\x7b\xae\xac\x5a\x36\x68\xd1\x1b\x6e\xca\xa9\x01\x44\x00\x16\xf3\x89\xf8\x0a\xcc\x4d\xb9\x77\x02\x5e\x7f\x59\x24\x38\x8c\x7e\x34\x0a\x73\x2e\x55\x44\x40\xe7\x65\x70\xf8\xdd\x71\xb7\xd6\x40\xb3\x45\x0d\x1f\xd5\xf0\x41\x0a\x18\xf9\xa3\x49\x4f\x70\x7c\x71\x7b\x79\xb4\xbf\x75\xc9\x84\x00\xb0\x96\xb2\x16\x53\xb5\xd2\x17\xcf\x35\x65\xc9\x59\x74\x56\xf7\x07\x03\x49\x7a\x07\x87\x63\x82\x9b\xc0\x1b\xb1\xcb\xc8\xfa\x04\xea\xdc\x9a\x6e\x3f\x66\x99\x58\x7a\x9e\x75\xc9\x4e\x5b\xab\x00\x36\xe0\xb2\xe7\x11\x39\x2c\xff\x00\x47\xd0\xd6\xb0\x5b\xd2\xa5\x88\xbc\x10\x97\x18\x95\x42\x59\xf1\xd8\x66\x78\xa5\x79\xa3\x12\x0f\x19\xcf\xb2\x96\x3f\x17\x7a\xeb\x70\xf2\xd4\x84\x48\x26\x26\x2e\x51\xb8\x02\x71\x27\x20\x68\xef\x5b\x38\x56\xfa\x85\x35\xaa\x2a\x88\xb2\xd4\x1f\x2a\x0e\x2f\xda\x76\x24\xc2\x85\x02\x72\xac\x4a\x2f\x56\x1f\x8f\x2f\x7a\x31\x8b\xfd\x5c\xaf\x96\x96\x14\x9e\x4a\xc8\x24\xad\x34\x60\x53\x8f\xdc\x25\x42\x1b\xee\xc2\xcc\x68\x18\x16\x2d\x06\xbb\xed\x0c\x40\xa3\x87\x19\x23\x49\xdb\x67\xa1\x18\xba\xda\x6c\xd5\xab\x01\x40\xee\x27\x32\x04\xf6\x28\xaa\xd1\xc1\x35\xf7\x70\x27\x9a\x65\x1e\x24\xd8\xc1\x4d\x75\xa6\x05\x9d\x76\xb9\x6a\x6f\xd8\x57\xde\xf5\xe0\xb3\x54\xb2\x7a\xb9\x37\xa5\x81\x5d\x16\xb5\xfa\xe4\x07\xff\x18\x22\x2c\x6d\x1e\xd2\x63\xbe\x68\xc9\x5f\x32\xd9\x08\xbd\x89\x5c\xd7\x62\x07\xae\x72\x64\x87\x56\x7f\x9a\x67\xda\xd7\x9a\xbe\xc3\x16\xf6\x83\xb1\x7f\x2d\x02\xbf\x07\xe0\xac\x8b\x5b\xc6\x16\x2c\xf9\x46\x97\xb3\xc2\x7c\xd1\xfe\xa4\x9b\x27\xf2\x3b\xa2\x90\x18\x71\x96\x25\x06\x52\x0c\x39\x2d\xa8\xb6\xad\x0d\x99\xf7\x01\x3f\xbc\x06\xc2\xc1\x7a\x56\x95\x00\xc8\xa7\x69\x64\x81\xc1\xcd\x33\xe9\xb1\x4e\x40\xb8\x2e\x79\xa5\xf5\xdb\x82\x57\x1b\xa9\x7b\xae\x3a\xd3\xe0\x47\x95\x15\xbb\x0e\x2b\x0f\x3b\xfc\xd1\xfd\x33\x03\x4e\xfc\x62\x45\xed\xdd\x7e\xe2\x08\x6d\xda\xe2\x60\x0d\x8c\xa7\x3e\x21\x4e\x8c\x2b\x0b\xdb\x2b\x04\x7c\x6a\x46\x4a\x56\x2e\xd7\x7b\x73\xd2\xd8\x41\xc4\xb3\x49\x73\x55\x12\x57\x71\x3b\x75\x36\x32\xef\xba\x34\x81\x69\xab\xc9\x0a\x68\xf4\x26\x11\xa4\x01\x26\xd7\xcb\x21\xb5\x86\x95\x56\x81\x86\xf7\xe5\x69\xd2\xff\x0f\x9e\x74\x5d\x04\x87\xdd\x2e\xb9\x97\xca\xfc\x5a\xbf\x9d\xd1\x02\xe6\x2f\xf6\x6c\xba\x87"+        , vecSig = "\xe3\x01\x34\x5a\x41\xa3\x9a\x4d\x72\xff\xf8\xdf\x69\xc9\x80\x75\xa0\xcc\x08\x2b\x80\x2f\xc9\xb2\xb6\xbc\x50\x3f\x92\x6b\x65\xbd\xdf\x7f\x4c\x8f\x1c\xb4\x9f\x63\x96\xaf\xc8\xa7\x0a\xbe\x6d\x8a\xef\x0d\xb4\x78\xd4\xc6\xb2\x97\x00\x76\xc6\xa0\x48\x4f\xe7\x6d\x76\xb3\xa9\x76\x25\xd7\x9f\x1c\xe2\x40\xe7\xc5\x76\x75\x0d\x29\x55\x28\x28\x6f\x71\x9b\x41\x3d\xe9\xad\xa3\xe8\xeb\x78\xed\x57\x36\x03\xce\x30\xd8\xbb\x76\x17\x85\xdc\x30\xdb\xc3\x20\x86\x9e\x1a\x00"+        }+    ]+++doPublicKeyTest i vec = testCase (show i) (pub @=? Ed448.toPublic sec)+  where+        !pub = throwCryptoError $ Ed448.publicKey (vecPub vec)+        !sec = throwCryptoError $ Ed448.secretKey (vecSec vec)++doSignatureTest i vec = testCase (show i) (sig @=? Ed448.sign sec pub (vecMsg vec))+  where+        !sig = throwCryptoError $ Ed448.signature (vecSig vec)+        !pub = throwCryptoError $ Ed448.publicKey (vecPub vec)+        !sec = throwCryptoError $ Ed448.secretKey (vecSec vec)++doVerifyTest i vec = testCase (show i) (True @=? Ed448.verify pub (vecMsg vec) sig)+  where+        !sig = throwCryptoError $ Ed448.signature (vecSig vec)+        !pub = throwCryptoError $ Ed448.publicKey (vecPub vec)+++tests = testGroup "Ed448"+    [ testCase  "gen secretkey" (Ed448.generateSecretKey *> pure ())+    , testGroup "gen publickey" $ zipWith doPublicKeyTest [katZero..] vectors+    , testGroup "gen signature" $ zipWith doSignatureTest [katZero..] vectors+    , testGroup "verify sig" $ zipWith doVerifyTest [katZero..] vectors+    ]
+ tests/KAT_EdDSA.hs view
@@ -0,0 +1,131 @@+{-# LANGUAGE BangPatterns #-}+{-# LANGUAGE ExistentialQuantification #-}+{-# LANGUAGE GADTs #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+module KAT_EdDSA ( tests ) where++import           Crypto.Error+import           Crypto.ECC+import           Crypto.Hash.Algorithms+import           Crypto.Hash.IO+import qualified Crypto.PubKey.EdDSA as EdDSA+import           Imports++data Vec = forall curve hash .+           ( EdDSA.EllipticCurveEdDSA curve+           , HashAlgorithm hash+           , HashDigestSize hash ~ EdDSA.CurveDigestSize curve+           ) => Vec+    { vecPrx :: Maybe curve+    , vecAlg :: hash+    , vecSec :: ByteString+    , vecPub :: ByteString+    , vecMsg :: ByteString+    , vecSig :: ByteString+    }++vectors =+    [ Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = SHA512+        , vecSec = "\x9d\x61\xb1\x9d\xef\xfd\x5a\x60\xba\x84\x4a\xf4\x92\xec\x2c\xc4\x44\x49\xc5\x69\x7b\x32\x69\x19\x70\x3b\xac\x03\x1c\xae\x7f\x60"+        , vecPub = "\xd7\x5a\x98\x01\x82\xb1\x0a\xb7\xd5\x4b\xfe\xd3\xc9\x64\x07\x3a\x0e\xe1\x72\xf3\xda\xa6\x23\x25\xaf\x02\x1a\x68\xf7\x07\x51\x1a"+        , vecMsg = ""+        , vecSig = "\xe5\x56\x43\x00\xc3\x60\xac\x72\x90\x86\xe2\xcc\x80\x6e\x82\x8a\x84\x87\x7f\x1e\xb8\xe5\xd9\x74\xd8\x73\xe0\x65\x22\x49\x01\x55\x5f\xb8\x82\x15\x90\xa3\x3b\xac\xc6\x1e\x39\x70\x1c\xf9\xb4\x6b\xd2\x5b\xf5\xf0\x59\x5b\xbe\x24\x65\x51\x41\x43\x8e\x7a\x10\x0b"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = SHA512+        , vecSec = "\x4c\xcd\x08\x9b\x28\xff\x96\xda\x9d\xb6\xc3\x46\xec\x11\x4e\x0f\x5b\x8a\x31\x9f\x35\xab\xa6\x24\xda\x8c\xf6\xed\x4f\xb8\xa6\xfb"+        , vecPub = "\x3d\x40\x17\xc3\xe8\x43\x89\x5a\x92\xb7\x0a\xa7\x4d\x1b\x7e\xbc\x9c\x98\x2c\xcf\x2e\xc4\x96\x8c\xc0\xcd\x55\xf1\x2a\xf4\x66\x0c"+        , vecMsg = "\x72"+        , vecSig = "\x92\xa0\x09\xa9\xf0\xd4\xca\xb8\x72\x0e\x82\x0b\x5f\x64\x25\x40\xa2\xb2\x7b\x54\x16\x50\x3f\x8f\xb3\x76\x22\x23\xeb\xdb\x69\xda\x08\x5a\xc1\xe4\x3e\x15\x99\x6e\x45\x8f\x36\x13\xd0\xf1\x1d\x8c\x38\x7b\x2e\xae\xb4\x30\x2a\xee\xb0\x0d\x29\x16\x12\xbb\x0c\x00"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = SHA512+        , vecSec = "\xc5\xaa\x8d\xf4\x3f\x9f\x83\x7b\xed\xb7\x44\x2f\x31\xdc\xb7\xb1\x66\xd3\x85\x35\x07\x6f\x09\x4b\x85\xce\x3a\x2e\x0b\x44\x58\xf7"+        , vecPub = "\xfc\x51\xcd\x8e\x62\x18\xa1\xa3\x8d\xa4\x7e\xd0\x02\x30\xf0\x58\x08\x16\xed\x13\xba\x33\x03\xac\x5d\xeb\x91\x15\x48\x90\x80\x25"+        , vecMsg = "\xaf\x82"+        , vecSig = "\x62\x91\xd6\x57\xde\xec\x24\x02\x48\x27\xe6\x9c\x3a\xbe\x01\xa3\x0c\xe5\x48\xa2\x84\x74\x3a\x44\x5e\x36\x80\xd7\xdb\x5a\xc3\xac\x18\xff\x9b\x53\x8d\x16\xf2\x90\xae\x67\xf7\x60\x98\x4d\xc6\x59\x4a\x7c\x15\xe9\x71\x6e\xd2\x8d\xc0\x27\xbe\xce\xea\x1e\xc4\x0a"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = SHA512+        , vecSec = "\xf5\xe5\x76\x7c\xf1\x53\x31\x95\x17\x63\x0f\x22\x68\x76\xb8\x6c\x81\x60\xcc\x58\x3b\xc0\x13\x74\x4c\x6b\xf2\x55\xf5\xcc\x0e\xe5"+        , vecPub = "\x27\x81\x17\xfc\x14\x4c\x72\x34\x0f\x67\xd0\xf2\x31\x6e\x83\x86\xce\xff\xbf\x2b\x24\x28\xc9\xc5\x1f\xef\x7c\x59\x7f\x1d\x42\x6e"+        , vecMsg = "\x08\xb8\xb2\xb7\x33\x42\x42\x43\x76\x0f\xe4\x26\xa4\xb5\x49\x08\x63\x21\x10\xa6\x6c\x2f\x65\x91\xea\xbd\x33\x45\xe3\xe4\xeb\x98\xfa\x6e\x26\x4b\xf0\x9e\xfe\x12\xee\x50\xf8\xf5\x4e\x9f\x77\xb1\xe3\x55\xf6\xc5\x05\x44\xe2\x3f\xb1\x43\x3d\xdf\x73\xbe\x84\xd8\x79\xde\x7c\x00\x46\xdc\x49\x96\xd9\xe7\x73\xf4\xbc\x9e\xfe\x57\x38\x82\x9a\xdb\x26\xc8\x1b\x37\xc9\x3a\x1b\x27\x0b\x20\x32\x9d\x65\x86\x75\xfc\x6e\xa5\x34\xe0\x81\x0a\x44\x32\x82\x6b\xf5\x8c\x94\x1e\xfb\x65\xd5\x7a\x33\x8b\xbd\x2e\x26\x64\x0f\x89\xff\xbc\x1a\x85\x8e\xfc\xb8\x55\x0e\xe3\xa5\xe1\x99\x8b\xd1\x77\xe9\x3a\x73\x63\xc3\x44\xfe\x6b\x19\x9e\xe5\xd0\x2e\x82\xd5\x22\xc4\xfe\xba\x15\x45\x2f\x80\x28\x8a\x82\x1a\x57\x91\x16\xec\x6d\xad\x2b\x3b\x31\x0d\xa9\x03\x40\x1a\xa6\x21\x00\xab\x5d\x1a\x36\x55\x3e\x06\x20\x3b\x33\x89\x0c\xc9\xb8\x32\xf7\x9e\xf8\x05\x60\xcc\xb9\xa3\x9c\xe7\x67\x96\x7e\xd6\x28\xc6\xad\x57\x3c\xb1\x16\xdb\xef\xef\xd7\x54\x99\xda\x96\xbd\x68\xa8\xa9\x7b\x92\x8a\x8b\xbc\x10\x3b\x66\x21\xfc\xde\x2b\xec\xa1\x23\x1d\x20\x6b\xe6\xcd\x9e\xc7\xaf\xf6\xf6\xc9\x4f\xcd\x72\x04\xed\x34\x55\xc6\x8c\x83\xf4\xa4\x1d\xa4\xaf\x2b\x74\xef\x5c\x53\xf1\xd8\xac\x70\xbd\xcb\x7e\xd1\x85\xce\x81\xbd\x84\x35\x9d\x44\x25\x4d\x95\x62\x9e\x98\x55\xa9\x4a\x7c\x19\x58\xd1\xf8\xad\xa5\xd0\x53\x2e\xd8\xa5\xaa\x3f\xb2\xd1\x7b\xa7\x0e\xb6\x24\x8e\x59\x4e\x1a\x22\x97\xac\xbb\xb3\x9d\x50\x2f\x1a\x8c\x6e\xb6\xf1\xce\x22\xb3\xde\x1a\x1f\x40\xcc\x24\x55\x41\x19\xa8\x31\xa9\xaa\xd6\x07\x9c\xad\x88\x42\x5d\xe6\xbd\xe1\xa9\x18\x7e\xbb\x60\x92\xcf\x67\xbf\x2b\x13\xfd\x65\xf2\x70\x88\xd7\x8b\x7e\x88\x3c\x87\x59\xd2\xc4\xf5\xc6\x5a\xdb\x75\x53\x87\x8a\xd5\x75\xf9\xfa\xd8\x78\xe8\x0a\x0c\x9b\xa6\x3b\xcb\xcc\x27\x32\xe6\x94\x85\xbb\xc9\xc9\x0b\xfb\xd6\x24\x81\xd9\x08\x9b\xec\xcf\x80\xcf\xe2\xdf\x16\xa2\xcf\x65\xbd\x92\xdd\x59\x7b\x07\x07\xe0\x91\x7a\xf4\x8b\xbb\x75\xfe\xd4\x13\xd2\x38\xf5\x55\x5a\x7a\x56\x9d\x80\xc3\x41\x4a\x8d\x08\x59\xdc\x65\xa4\x61\x28\xba\xb2\x7a\xf8\x7a\x71\x31\x4f\x31\x8c\x78\x2b\x23\xeb\xfe\x80\x8b\x82\xb0\xce\x26\x40\x1d\x2e\x22\xf0\x4d\x83\xd1\x25\x5d\xc5\x1a\xdd\xd3\xb7\x5a\x2b\x1a\xe0\x78\x45\x04\xdf\x54\x3a\xf8\x96\x9b\xe3\xea\x70\x82\xff\x7f\xc9\x88\x8c\x14\x4d\xa2\xaf\x58\x42\x9e\xc9\x60\x31\xdb\xca\xd3\xda\xd9\xaf\x0d\xcb\xaa\xaf\x26\x8c\xb8\xfc\xff\xea\xd9\x4f\x3c\x7c\xa4\x95\xe0\x56\xa9\xb4\x7a\xcd\xb7\x51\xfb\x73\xe6\x66\xc6\xc6\x55\xad\xe8\x29\x72\x97\xd0\x7a\xd1\xba\x5e\x43\xf1\xbc\xa3\x23\x01\x65\x13\x39\xe2\x29\x04\xcc\x8c\x42\xf5\x8c\x30\xc0\x4a\xaf\xdb\x03\x8d\xda\x08\x47\xdd\x98\x8d\xcd\xa6\xf3\xbf\xd1\x5c\x4b\x4c\x45\x25\x00\x4a\xa0\x6e\xef\xf8\xca\x61\x78\x3a\xac\xec\x57\xfb\x3d\x1f\x92\xb0\xfe\x2f\xd1\xa8\x5f\x67\x24\x51\x7b\x65\xe6\x14\xad\x68\x08\xd6\xf6\xee\x34\xdf\xf7\x31\x0f\xdc\x82\xae\xbf\xd9\x04\xb0\x1e\x1d\xc5\x4b\x29\x27\x09\x4b\x2d\xb6\x8d\x6f\x90\x3b\x68\x40\x1a\xde\xbf\x5a\x7e\x08\xd7\x8f\xf4\xef\x5d\x63\x65\x3a\x65\x04\x0c\xf9\xbf\xd4\xac\xa7\x98\x4a\x74\xd3\x71\x45\x98\x67\x80\xfc\x0b\x16\xac\x45\x16\x49\xde\x61\x88\xa7\xdb\xdf\x19\x1f\x64\xb5\xfc\x5e\x2a\xb4\x7b\x57\xf7\xf7\x27\x6c\xd4\x19\xc1\x7a\x3c\xa8\xe1\xb9\x39\xae\x49\xe4\x88\xac\xba\x6b\x96\x56\x10\xb5\x48\x01\x09\xc8\xb1\x7b\x80\xe1\xb7\xb7\x50\xdf\xc7\x59\x8d\x5d\x50\x11\xfd\x2d\xcc\x56\x00\xa3\x2e\xf5\xb5\x2a\x1e\xcc\x82\x0e\x30\x8a\xa3\x42\x72\x1a\xac\x09\x43\xbf\x66\x86\xb6\x4b\x25\x79\x37\x65\x04\xcc\xc4\x93\xd9\x7e\x6a\xed\x3f\xb0\xf9\xcd\x71\xa4\x3d\xd4\x97\xf0\x1f\x17\xc0\xe2\xcb\x37\x97\xaa\x2a\x2f\x25\x66\x56\x16\x8e\x6c\x49\x6a\xfc\x5f\xb9\x32\x46\xf6\xb1\x11\x63\x98\xa3\x46\xf1\xa6\x41\xf3\xb0\x41\xe9\x89\xf7\x91\x4f\x90\xcc\x2c\x7f\xff\x35\x78\x76\xe5\x06\xb5\x0d\x33\x4b\xa7\x7c\x22\x5b\xc3\x07\xba\x53\x71\x52\xf3\xf1\x61\x0e\x4e\xaf\xe5\x95\xf6\xd9\xd9\x0d\x11\xfa\xa9\x33\xa1\x5e\xf1\x36\x95\x46\x86\x8a\x7f\x3a\x45\xa9\x67\x68\xd4\x0f\xd9\xd0\x34\x12\xc0\x91\xc6\x31\x5c\xf4\xfd\xe7\xcb\x68\x60\x69\x37\x38\x0d\xb2\xea\xaa\x70\x7b\x4c\x41\x85\xc3\x2e\xdd\xcd\xd3\x06\x70\x5e\x4d\xc1\xff\xc8\x72\xee\xee\x47\x5a\x64\xdf\xac\x86\xab\xa4\x1c\x06\x18\x98\x3f\x87\x41\xc5\xef\x68\xd3\xa1\x01\xe8\xa3\xb8\xca\xc6\x0c\x90\x5c\x15\xfc\x91\x08\x40\xb9\x4c\x00\xa0\xb9\xd0"+        , vecSig = "\x0a\xab\x4c\x90\x05\x01\xb3\xe2\x4d\x7c\xdf\x46\x63\x32\x6a\x3a\x87\xdf\x5e\x48\x43\xb2\xcb\xdb\x67\xcb\xf6\xe4\x60\xfe\xc3\x50\xaa\x53\x71\xb1\x50\x8f\x9f\x45\x28\xec\xea\x23\xc4\x36\xd9\x4b\x5e\x8f\xcd\x4f\x68\x1e\x30\xa6\xac\x00\xa9\x70\x4a\x18\x8a\x03"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = SHA512+        , vecSec = "\x83\x3f\xe6\x24\x09\x23\x7b\x9d\x62\xec\x77\x58\x75\x20\x91\x1e\x9a\x75\x9c\xec\x1d\x19\x75\x5b\x7d\xa9\x01\xb9\x6d\xca\x3d\x42"+        , vecPub = "\xec\x17\x2b\x93\xad\x5e\x56\x3b\xf4\x93\x2c\x70\xe1\x24\x50\x34\xc3\x54\x67\xef\x2e\xfd\x4d\x64\xeb\xf8\x19\x68\x34\x67\xe2\xbf"+        , vecMsg = "\xdd\xaf\x35\xa1\x93\x61\x7a\xba\xcc\x41\x73\x49\xae\x20\x41\x31\x12\xe6\xfa\x4e\x89\xa9\x7e\xa2\x0a\x9e\xee\xe6\x4b\x55\xd3\x9a\x21\x92\x99\x2a\x27\x4f\xc1\xa8\x36\xba\x3c\x23\xa3\xfe\xeb\xbd\x45\x4d\x44\x23\x64\x3c\xe8\x0e\x2a\x9a\xc9\x4f\xa5\x4c\xa4\x9f"+        , vecSig = "\xdc\x2a\x44\x59\xe7\x36\x96\x33\xa5\x2b\x1b\xf2\x77\x83\x9a\x00\x20\x10\x09\xa3\xef\xbf\x3e\xcb\x69\xbe\xa2\x18\x6c\x26\xb5\x89\x09\x35\x1f\xc9\xac\x90\xb3\xec\xfd\xfb\xc7\xc6\x64\x31\xe0\x30\x3d\xca\x17\x9c\x13\x8a\xc1\x7a\xd9\xbe\xf1\x17\x73\x31\xa7\x04"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = Blake2b_512+        , vecSec = "\x9d\x61\xb1\x9d\xef\xfd\x5a\x60\xba\x84\x4a\xf4\x92\xec\x2c\xc4\x44\x49\xc5\x69\x7b\x32\x69\x19\x70\x3b\xac\x03\x1c\xae\x7f\x60"+        , vecPub = "\x78\xe6\x5b\xf3\x0f\x89\x3d\x32\xfc\x57\xef\x05\x1c\x34\x1b\xde\xde\x24\x25\x44\xfc\x2a\x21\x12\xf0\xfa\x2c\x7a\xfd\xeb\xc0\x2f"+        , vecMsg = ""+        , vecSig = "\x99\xa5\x23\xbd\x46\x16\xc8\x16\x11\x44\xd6\xa9\x9d\x3c\x32\x40\x0c\xb4\xa3\x26\xf4\xd7\x9e\x30\x73\x40\xf6\xaf\xa1\x17\x50\xa0\x08\x5d\x7d\x84\x62\x6b\xc9\xe4\xb1\x53\xfc\x0e\x39\x6d\x15\xce\x44\xc3\x9b\xae\x45\x33\x80\x4d\xb1\xfe\x5b\x52\xf2\xb1\xb8\x05"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = Blake2b_512+        , vecSec = "\x4c\xcd\x08\x9b\x28\xff\x96\xda\x9d\xb6\xc3\x46\xec\x11\x4e\x0f\x5b\x8a\x31\x9f\x35\xab\xa6\x24\xda\x8c\xf6\xed\x4f\xb8\xa6\xfb"+        , vecPub = "\x5e\x71\x39\x2d\x91\xe6\xa5\x8f\xed\xeb\x08\x50\x36\x4f\x56\xcd\x15\x8a\x60\x44\x75\x57\xd7\x89\x03\x89\xc9\xb3\xd4\x57\x6d\x4d"+        , vecMsg = "\x72"+        , vecSig = "\x6d\xa7\x5e\x15\xb5\x70\x7f\x4d\xe5\xa1\x53\xc4\x8a\x5d\x83\x9f\xb8\x50\x74\xc3\x8a\xeb\x62\x85\x97\x7f\x03\xa1\x39\x77\x59\x7f\x97\x60\x69\xfd\xb9\x03\xf1\x83\x47\x4a\xaa\x5e\xd0\xcf\xe8\x78\xba\x8e\xf8\x68\xc5\xe4\x7c\xa3\xf9\x6c\xcf\xb3\xa8\x9b\x2a\x06"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = Blake2b_512+        , vecSec = "\xc5\xaa\x8d\xf4\x3f\x9f\x83\x7b\xed\xb7\x44\x2f\x31\xdc\xb7\xb1\x66\xd3\x85\x35\x07\x6f\x09\x4b\x85\xce\x3a\x2e\x0b\x44\x58\xf7"+        , vecPub = "\x8d\x53\xca\x70\xf0\xea\xb2\x3b\x91\x78\x34\x57\x85\xfc\xdb\x69\xed\x67\x23\xf8\x14\x8f\x7e\x33\x9e\x88\x65\x37\x00\xb7\x18\xda"+        , vecMsg = "\xaf\x82"+        , vecSig = "\x7c\xc3\xc1\x38\x52\xbd\x12\xab\xf3\xce\x4c\xa8\xca\x28\x36\xcb\xf8\x6d\xa9\x6c\x46\x34\xc5\x0d\xf3\xfb\x80\xdc\x80\x9e\x29\xdb\x0e\x10\x9c\x36\x13\x53\x40\x7c\x12\x36\xa9\x04\xf6\x36\x86\x8a\xa3\x39\x77\xa9\x9d\x3f\x84\x45\x98\xdb\x15\x38\xb4\x29\x52\x03"+        }+    , Vec+        { vecPrx = Just Curve_Edwards25519+        , vecAlg = Blake2b_512+        , vecSec = "\xf5\xe5\x76\x7c\xf1\x53\x31\x95\x17\x63\x0f\x22\x68\x76\xb8\x6c\x81\x60\xcc\x58\x3b\xc0\x13\x74\x4c\x6b\xf2\x55\xf5\xcc\x0e\xe5"+        , vecPub = "\x9e\x3c\xa4\x9b\xb2\xd9\xe3\x6b\x8f\x0c\x94\x4a\x7b\x1c\x29\x26\x45\xda\x87\xce\x6f\xa6\xb4\x28\x86\xe5\xd7\xc8\x68\x33\xa7\x14"+        , vecMsg = "\x08\xb8\xb2\xb7\x33\x42\x42\x43\x76\x0f\xe4\x26\xa4\xb5\x49\x08\x63\x21\x10\xa6\x6c\x2f\x65\x91\xea\xbd\x33\x45\xe3\xe4\xeb\x98\xfa\x6e\x26\x4b\xf0\x9e\xfe\x12\xee\x50\xf8\xf5\x4e\x9f\x77\xb1\xe3\x55\xf6\xc5\x05\x44\xe2\x3f\xb1\x43\x3d\xdf\x73\xbe\x84\xd8\x79\xde\x7c\x00\x46\xdc\x49\x96\xd9\xe7\x73\xf4\xbc\x9e\xfe\x57\x38\x82\x9a\xdb\x26\xc8\x1b\x37\xc9\x3a\x1b\x27\x0b\x20\x32\x9d\x65\x86\x75\xfc\x6e\xa5\x34\xe0\x81\x0a\x44\x32\x82\x6b\xf5\x8c\x94\x1e\xfb\x65\xd5\x7a\x33\x8b\xbd\x2e\x26\x64\x0f\x89\xff\xbc\x1a\x85\x8e\xfc\xb8\x55\x0e\xe3\xa5\xe1\x99\x8b\xd1\x77\xe9\x3a\x73\x63\xc3\x44\xfe\x6b\x19\x9e\xe5\xd0\x2e\x82\xd5\x22\xc4\xfe\xba\x15\x45\x2f\x80\x28\x8a\x82\x1a\x57\x91\x16\xec\x6d\xad\x2b\x3b\x31\x0d\xa9\x03\x40\x1a\xa6\x21\x00\xab\x5d\x1a\x36\x55\x3e\x06\x20\x3b\x33\x89\x0c\xc9\xb8\x32\xf7\x9e\xf8\x05\x60\xcc\xb9\xa3\x9c\xe7\x67\x96\x7e\xd6\x28\xc6\xad\x57\x3c\xb1\x16\xdb\xef\xef\xd7\x54\x99\xda\x96\xbd\x68\xa8\xa9\x7b\x92\x8a\x8b\xbc\x10\x3b\x66\x21\xfc\xde\x2b\xec\xa1\x23\x1d\x20\x6b\xe6\xcd\x9e\xc7\xaf\xf6\xf6\xc9\x4f\xcd\x72\x04\xed\x34\x55\xc6\x8c\x83\xf4\xa4\x1d\xa4\xaf\x2b\x74\xef\x5c\x53\xf1\xd8\xac\x70\xbd\xcb\x7e\xd1\x85\xce\x81\xbd\x84\x35\x9d\x44\x25\x4d\x95\x62\x9e\x98\x55\xa9\x4a\x7c\x19\x58\xd1\xf8\xad\xa5\xd0\x53\x2e\xd8\xa5\xaa\x3f\xb2\xd1\x7b\xa7\x0e\xb6\x24\x8e\x59\x4e\x1a\x22\x97\xac\xbb\xb3\x9d\x50\x2f\x1a\x8c\x6e\xb6\xf1\xce\x22\xb3\xde\x1a\x1f\x40\xcc\x24\x55\x41\x19\xa8\x31\xa9\xaa\xd6\x07\x9c\xad\x88\x42\x5d\xe6\xbd\xe1\xa9\x18\x7e\xbb\x60\x92\xcf\x67\xbf\x2b\x13\xfd\x65\xf2\x70\x88\xd7\x8b\x7e\x88\x3c\x87\x59\xd2\xc4\xf5\xc6\x5a\xdb\x75\x53\x87\x8a\xd5\x75\xf9\xfa\xd8\x78\xe8\x0a\x0c\x9b\xa6\x3b\xcb\xcc\x27\x32\xe6\x94\x85\xbb\xc9\xc9\x0b\xfb\xd6\x24\x81\xd9\x08\x9b\xec\xcf\x80\xcf\xe2\xdf\x16\xa2\xcf\x65\xbd\x92\xdd\x59\x7b\x07\x07\xe0\x91\x7a\xf4\x8b\xbb\x75\xfe\xd4\x13\xd2\x38\xf5\x55\x5a\x7a\x56\x9d\x80\xc3\x41\x4a\x8d\x08\x59\xdc\x65\xa4\x61\x28\xba\xb2\x7a\xf8\x7a\x71\x31\x4f\x31\x8c\x78\x2b\x23\xeb\xfe\x80\x8b\x82\xb0\xce\x26\x40\x1d\x2e\x22\xf0\x4d\x83\xd1\x25\x5d\xc5\x1a\xdd\xd3\xb7\x5a\x2b\x1a\xe0\x78\x45\x04\xdf\x54\x3a\xf8\x96\x9b\xe3\xea\x70\x82\xff\x7f\xc9\x88\x8c\x14\x4d\xa2\xaf\x58\x42\x9e\xc9\x60\x31\xdb\xca\xd3\xda\xd9\xaf\x0d\xcb\xaa\xaf\x26\x8c\xb8\xfc\xff\xea\xd9\x4f\x3c\x7c\xa4\x95\xe0\x56\xa9\xb4\x7a\xcd\xb7\x51\xfb\x73\xe6\x66\xc6\xc6\x55\xad\xe8\x29\x72\x97\xd0\x7a\xd1\xba\x5e\x43\xf1\xbc\xa3\x23\x01\x65\x13\x39\xe2\x29\x04\xcc\x8c\x42\xf5\x8c\x30\xc0\x4a\xaf\xdb\x03\x8d\xda\x08\x47\xdd\x98\x8d\xcd\xa6\xf3\xbf\xd1\x5c\x4b\x4c\x45\x25\x00\x4a\xa0\x6e\xef\xf8\xca\x61\x78\x3a\xac\xec\x57\xfb\x3d\x1f\x92\xb0\xfe\x2f\xd1\xa8\x5f\x67\x24\x51\x7b\x65\xe6\x14\xad\x68\x08\xd6\xf6\xee\x34\xdf\xf7\x31\x0f\xdc\x82\xae\xbf\xd9\x04\xb0\x1e\x1d\xc5\x4b\x29\x27\x09\x4b\x2d\xb6\x8d\x6f\x90\x3b\x68\x40\x1a\xde\xbf\x5a\x7e\x08\xd7\x8f\xf4\xef\x5d\x63\x65\x3a\x65\x04\x0c\xf9\xbf\xd4\xac\xa7\x98\x4a\x74\xd3\x71\x45\x98\x67\x80\xfc\x0b\x16\xac\x45\x16\x49\xde\x61\x88\xa7\xdb\xdf\x19\x1f\x64\xb5\xfc\x5e\x2a\xb4\x7b\x57\xf7\xf7\x27\x6c\xd4\x19\xc1\x7a\x3c\xa8\xe1\xb9\x39\xae\x49\xe4\x88\xac\xba\x6b\x96\x56\x10\xb5\x48\x01\x09\xc8\xb1\x7b\x80\xe1\xb7\xb7\x50\xdf\xc7\x59\x8d\x5d\x50\x11\xfd\x2d\xcc\x56\x00\xa3\x2e\xf5\xb5\x2a\x1e\xcc\x82\x0e\x30\x8a\xa3\x42\x72\x1a\xac\x09\x43\xbf\x66\x86\xb6\x4b\x25\x79\x37\x65\x04\xcc\xc4\x93\xd9\x7e\x6a\xed\x3f\xb0\xf9\xcd\x71\xa4\x3d\xd4\x97\xf0\x1f\x17\xc0\xe2\xcb\x37\x97\xaa\x2a\x2f\x25\x66\x56\x16\x8e\x6c\x49\x6a\xfc\x5f\xb9\x32\x46\xf6\xb1\x11\x63\x98\xa3\x46\xf1\xa6\x41\xf3\xb0\x41\xe9\x89\xf7\x91\x4f\x90\xcc\x2c\x7f\xff\x35\x78\x76\xe5\x06\xb5\x0d\x33\x4b\xa7\x7c\x22\x5b\xc3\x07\xba\x53\x71\x52\xf3\xf1\x61\x0e\x4e\xaf\xe5\x95\xf6\xd9\xd9\x0d\x11\xfa\xa9\x33\xa1\x5e\xf1\x36\x95\x46\x86\x8a\x7f\x3a\x45\xa9\x67\x68\xd4\x0f\xd9\xd0\x34\x12\xc0\x91\xc6\x31\x5c\xf4\xfd\xe7\xcb\x68\x60\x69\x37\x38\x0d\xb2\xea\xaa\x70\x7b\x4c\x41\x85\xc3\x2e\xdd\xcd\xd3\x06\x70\x5e\x4d\xc1\xff\xc8\x72\xee\xee\x47\x5a\x64\xdf\xac\x86\xab\xa4\x1c\x06\x18\x98\x3f\x87\x41\xc5\xef\x68\xd3\xa1\x01\xe8\xa3\xb8\xca\xc6\x0c\x90\x5c\x15\xfc\x91\x08\x40\xb9\x4c\x00\xa0\xb9\xd0"+        , vecSig = "\xd0\x39\x65\xac\x31\x6a\x20\xf5\xa4\x7a\xb2\xd6\x18\x5e\xb3\xf0\xae\xea\x9c\x2e\xb8\xab\xe9\x22\xe9\x6d\x31\x7b\x3b\xd0\xef\x02\xe8\xd4\x7f\xd9\x23\x84\xe2\x86\x15\xeb\x33\x14\xad\xbc\x71\xc4\x67\x59\x96\x09\x9e\x48\x4c\xeb\x16\x28\x47\xc4\x0c\x32\x44\x0e"+        }+    ]+++doPublicKeyTest :: Int -> Vec -> TestTree+doPublicKeyTest i Vec{..} =+    testCase (show i) (pub @=? EdDSA.toPublic vecPrx vecAlg sec)+  where+    !pub = throwCryptoError $ EdDSA.publicKey vecPrx vecAlg vecPub+    !sec = throwCryptoError $ EdDSA.secretKey vecPrx vecSec++doSignatureTest :: Int -> Vec -> TestTree+doSignatureTest i Vec{..} =+    testCase (show i) (sig @=? EdDSA.sign vecPrx sec pub vecMsg)+  where+    !sig = throwCryptoError $ EdDSA.signature vecPrx vecAlg vecSig+    !pub = throwCryptoError $ EdDSA.publicKey vecPrx vecAlg vecPub+    !sec = throwCryptoError $ EdDSA.secretKey vecPrx vecSec++doVerifyTest :: Int -> Vec -> TestTree+doVerifyTest i Vec{..} =+    testCase (show i) (True @=? EdDSA.verify vecPrx pub vecMsg sig)+  where+    !sig = throwCryptoError $ EdDSA.signature vecPrx vecAlg vecSig+    !pub = throwCryptoError $ EdDSA.publicKey vecPrx vecAlg vecPub+++tests = testGroup "EdDSA"+    [ testGroup "gen publickey" $ zipWith doPublicKeyTest [katZero..] vectors+    , testGroup "gen signature" $ zipWith doSignatureTest [katZero..] vectors+    , testGroup "verify sig" $ zipWith doVerifyTest [katZero..] vectors+    ]
tests/KAT_HKDF.hs view
@@ -2,10 +2,7 @@ module KAT_HKDF (tests) where  import qualified Crypto.KDF.HKDF as HKDF-import Crypto.Hash (MD5(..), SHA1(..), SHA256(..)-                   , Keccak_224(..), Keccak_256(..), Keccak_384(..), Keccak_512(..)-                   , SHA3_224(..), SHA3_256(..), SHA3_384(..), SHA3_512(..)-                   , HashAlgorithm, digestFromByteString)+import Crypto.Hash (SHA256(..), HashAlgorithm) import qualified Data.ByteString as B  import Imports
tests/KAT_HMAC.hs view
@@ -132,17 +132,17 @@  macIncrementalTests :: [TestTree] macIncrementalTests =-    [ testProperties MD5-    , testProperties SHA1-    , testProperties SHA256-    , testProperties SHA3_224-    , testProperties SHA3_256-    , testProperties SHA3_384-    , testProperties SHA3_512+    [ testIncrProperties MD5+    , testIncrProperties SHA1+    , testIncrProperties SHA256+    , testIncrProperties SHA3_224+    , testIncrProperties SHA3_256+    , testIncrProperties SHA3_384+    , testIncrProperties SHA3_512     ]   where-        --testProperties :: HashAlgorithm a => a -> [Property]-        testProperties a = testGroup (show a)+        --testIncrProperties :: HashAlgorithm a => a -> [Property]+        testIncrProperties a = testGroup (show a)             [ testProperty "list-one" (prop_inc0 a)             , testProperty "list-multi" (prop_inc1 a)             ]
+ tests/KAT_KMAC.hs view
@@ -0,0 +1,129 @@+{-# LANGUAGE DataKinds #-}+{-# LANGUAGE FlexibleContexts #-}+{-# LANGUAGE FlexibleInstances #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+module KAT_KMAC (tests) where++import           Crypto.Hash (SHAKE128(..), SHAKE256(..),+                              HashAlgorithm, digestFromByteString)+import qualified Crypto.MAC.KMAC as KMAC++import qualified Data.ByteString as B++import Imports++data MACVector hash = MACVector+    { macString :: ByteString+    , macKey    :: ByteString+    , macSecret :: ByteString+    , macResult :: KMAC.KMAC hash+    }++instance Show (KMAC.KMAC a) where+    show (KMAC.KMAC d) = show d++digest :: HashAlgorithm hash => ByteString -> KMAC.KMAC hash+digest = maybe (error "cannot get digest") KMAC.KMAC . digestFromByteString++vectors128 :: [MACVector (SHAKE128 256)]+vectors128 =+    [ MACVector+        { macString = ""+        , macKey    = B.pack [ 0x40 .. 0x5f ]+        , macSecret = B.pack [ 0x00 .. 0x03 ]+        , macResult = digest "\xe5\x78\x0b\x0d\x3e\xa6\xf7\xd3\xa4\x29\xc5\x70\x6a\xa4\x3a\x00\xfa\xdb\xd7\xd4\x96\x28\x83\x9e\x31\x87\x24\x3f\x45\x6e\xe1\x4e"+        }+    , MACVector+        { macString = "My Tagged Application"+        , macKey    = B.pack [ 0x40 .. 0x5f ]+        , macSecret = B.pack [ 0x00 .. 0x03 ]+        , macResult = digest "\x3b\x1f\xba\x96\x3c\xd8\xb0\xb5\x9e\x8c\x1a\x6d\x71\x88\x8b\x71\x43\x65\x1a\xf8\xba\x0a\x70\x70\xc0\x97\x9e\x28\x11\x32\x4a\xa5"+        }+    , MACVector+        { macString = "My Tagged Application"+        , macKey    = B.pack [ 0x40 .. 0x5f ]+        , macSecret = B.pack [ 0x00 .. 0xc7 ]+        , macResult = digest "\x1f\x5b\x4e\x6c\xca\x02\x20\x9e\x0d\xcb\x5c\xa6\x35\xb8\x9a\x15\xe2\x71\xec\xc7\x60\x07\x1d\xfd\x80\x5f\xaa\x38\xf9\x72\x92\x30"+        }+    ]++vectors256 :: [MACVector (SHAKE256 512)]+vectors256 =+    [ MACVector+        { macString = "My Tagged Application"+        , macKey    = B.pack [ 0x40 .. 0x5f ]+        , macSecret = B.pack [ 0x00 .. 0x03 ]+        , macResult = digest "\x20\xc5\x70\xc3\x13\x46\xf7\x03\xc9\xac\x36\xc6\x1c\x03\xcb\x64\xc3\x97\x0d\x0c\xfc\x78\x7e\x9b\x79\x59\x9d\x27\x3a\x68\xd2\xf7\xf6\x9d\x4c\xc3\xde\x9d\x10\x4a\x35\x16\x89\xf2\x7c\xf6\xf5\x95\x1f\x01\x03\xf3\x3f\x4f\x24\x87\x10\x24\xd9\xc2\x77\x73\xa8\xdd"+        }+    , MACVector+        { macString = ""+        , macKey    = B.pack [ 0x40 .. 0x5f ]+        , macSecret = B.pack [ 0x00 .. 0xc7 ]+        , macResult = digest "\x75\x35\x8c\xf3\x9e\x41\x49\x4e\x94\x97\x07\x92\x7c\xee\x0a\xf2\x0a\x3f\xf5\x53\x90\x4c\x86\xb0\x8f\x21\xcc\x41\x4b\xcf\xd6\x91\x58\x9d\x27\xcf\x5e\x15\x36\x9c\xbb\xff\x8b\x9a\x4c\x2e\xb1\x78\x00\x85\x5d\x02\x35\xff\x63\x5d\xa8\x25\x33\xec\x6b\x75\x9b\x69"+        }+    , MACVector+        { macString = "My Tagged Application"+        , macKey    = B.pack [ 0x40 .. 0x5f ]+        , macSecret = B.pack [ 0x00 .. 0xc7 ]+        , macResult = digest "\xb5\x86\x18\xf7\x1f\x92\xe1\xd5\x6c\x1b\x8c\x55\xdd\xd7\xcd\x18\x8b\x97\xb4\xca\x4d\x99\x83\x1e\xb2\x69\x9a\x83\x7d\xa2\xe4\xd9\x70\xfb\xac\xfd\xe5\x00\x33\xae\xa5\x85\xf1\xa2\x70\x85\x10\xc3\x2d\x07\x88\x08\x01\xbd\x18\x28\x98\xfe\x47\x68\x76\xfc\x89\x65"+        }+    ]++macTests :: [TestTree]+macTests =+    [ testGroup "SHAKE128" (concatMap toMACTest $ zip is vectors128)+    , testGroup "SHAKE256" (concatMap toMACTest $ zip is vectors256)+    ]+    where toMACTest (i, MACVector{..}) =+            [ testCase (show i) (macResult @=? KMAC.kmac macString macKey macSecret)+            , testCase ("incr-" ++ show i) (macResult @=?+                        KMAC.finalize (KMAC.update (KMAC.initialize macString macKey) macSecret))+            ]+          is :: [Int]+          is = [1..]++data MacIncremental a = MacIncremental ByteString ByteString ByteString (KMAC.KMAC a)+    deriving (Show,Eq)++instance KMAC.HashSHAKE a => Arbitrary (MacIncremental a) where+    arbitrary = do+        str <- arbitraryBSof 0 49+        key <- arbitraryBSof 1 89+        msg <- arbitraryBSof 1 99+        return $ MacIncremental str key msg (KMAC.kmac str key msg)++data MacIncrementalList a = MacIncrementalList ByteString ByteString [ByteString] (KMAC.KMAC a)+    deriving (Show,Eq)++instance KMAC.HashSHAKE a => Arbitrary (MacIncrementalList a) where+    arbitrary = do+        str  <- arbitraryBSof 0 49+        key  <- arbitraryBSof 1 89+        msgs <- choose (1,20) >>= \n -> replicateM n (arbitraryBSof 1 99)+        return $ MacIncrementalList str key msgs (KMAC.kmac str key (B.concat msgs))++macIncrementalTests :: [TestTree]+macIncrementalTests =+    [ testIncrProperties "SHAKE128_256" (SHAKE128 :: SHAKE128 256)+    , testIncrProperties "SHAKE256_512" (SHAKE256 :: SHAKE256 512)+    ]+  where+        testIncrProperties :: KMAC.HashSHAKE a => TestName -> a -> TestTree+        testIncrProperties name a = testGroup name+            [ testProperty "list-one" (prop_inc0 a)+            , testProperty "list-multi" (prop_inc1 a)+            ]++        prop_inc0 :: KMAC.HashSHAKE a => a -> MacIncremental a -> Bool+        prop_inc0 _ (MacIncremental str secret msg result) =+            result `assertEq` KMAC.finalize (KMAC.update (KMAC.initialize str secret) msg)++        prop_inc1 :: KMAC.HashSHAKE a => a -> MacIncrementalList a -> Bool+        prop_inc1 _ (MacIncrementalList str secret msgs result) =+            result `assertEq` KMAC.finalize (foldl' KMAC.update (KMAC.initialize str secret) msgs)++tests = testGroup "KMAC"+    [ testGroup "KATs" macTests+    , testGroup "properties" macIncrementalTests+    ]
tests/KAT_MiyaguchiPreneel.hs view
@@ -6,7 +6,6 @@  import           Imports -import           Data.Char (digitToInt) import qualified Data.ByteString.Char8 as B8 import qualified Data.ByteArray as B import Data.ByteArray.Encoding (Base (Base16), convertFromBase)
tests/KAT_OTP.hs view
@@ -8,7 +8,6 @@  import Crypto.Hash.Algorithms (SHA1(..), SHA256(..), SHA512(..)) import Crypto.OTP-import Data.ByteString (ByteString) import Imports  -- | Test values from Appendix D of http://tools.ietf.org/html/rfc4226@@ -94,9 +93,9 @@         ]     , testGroup "TOTP"         [ testGroup "KATs"-            [ testGroup "SHA1" (makeKATs (totp totpSHA1Params otpKey . fromIntegral) totpSHA1Expected)-            , testGroup "SHA256" (makeKATs (totp totpSHA256Params totpSHA256Key . fromIntegral) totpSHA256Expected)-            , testGroup "SHA512" (makeKATs (totp totpSHA512Params totpSHA512Key . fromIntegral) totpSHA512Expected)+            [ testGroup "SHA1" (makeKATs (totp totpSHA1Params otpKey) totpSHA1Expected)+            , testGroup "SHA256" (makeKATs (totp totpSHA256Params totpSHA256Key) totpSHA256Expected)+            , testGroup "SHA512" (makeKATs (totp totpSHA512Params totpSHA512Key) totpSHA512Expected)             ]         ]     ]
tests/KAT_PBKDF2.hs view
@@ -67,21 +67,21 @@     , testGroup "KATs-HMAC-SHA512" (katTests (PBKDF2.prfHMAC SHA512) vectors_hmac_sha512)     , testGroup "KATs-HMAC-SHA512 (fast)" (katTestFastPBKDF2_SHA512 vectors_hmac_sha512)     ]-  where katTests prf vects = map (toKatTest prf) $ zip is vects+  where katTests prf = zipWith (toKatTest prf) is -        toKatTest prf (i, ((pass, salt, iter, dkLen), output)) =+        toKatTest prf i ((pass, salt, iter, dkLen), output) =             testCase (show i) (output @=? PBKDF2.generate prf (PBKDF2.Parameters iter dkLen) pass salt) -        katTestFastPBKDF2_SHA1 = map toKatTestFastPBKDF2_SHA1 . zip is-        toKatTestFastPBKDF2_SHA1 (i, ((pass, salt, iter, dkLen), output)) =+        katTestFastPBKDF2_SHA1 = zipWith toKatTestFastPBKDF2_SHA1 is+        toKatTestFastPBKDF2_SHA1 i ((pass, salt, iter, dkLen), output) =             testCase (show i) (output @=? PBKDF2.fastPBKDF2_SHA1 (PBKDF2.Parameters iter dkLen) pass salt) -        katTestFastPBKDF2_SHA256 = map toKatTestFastPBKDF2_SHA256 . zip is-        toKatTestFastPBKDF2_SHA256 (i, ((pass, salt, iter, dkLen), output)) =+        katTestFastPBKDF2_SHA256 = zipWith toKatTestFastPBKDF2_SHA256 is+        toKatTestFastPBKDF2_SHA256 i ((pass, salt, iter, dkLen), output) =             testCase (show i) (output @=? PBKDF2.fastPBKDF2_SHA256 (PBKDF2.Parameters iter dkLen) pass salt) -        katTestFastPBKDF2_SHA512 = map toKatTestFastPBKDF2_SHA512 . zip is-        toKatTestFastPBKDF2_SHA512 (i, ((pass, salt, iter, dkLen), output)) =+        katTestFastPBKDF2_SHA512 = zipWith toKatTestFastPBKDF2_SHA512 is+        toKatTestFastPBKDF2_SHA512 i ((pass, salt, iter, dkLen), output) =             testCase (show i) (output @=? PBKDF2.fastPBKDF2_SHA512 (PBKDF2.Parameters iter dkLen) pass salt)  
tests/KAT_PubKey.hs view
@@ -16,6 +16,8 @@ import KAT_PubKey.DSA import KAT_PubKey.ECC import KAT_PubKey.ECDSA+import KAT_PubKey.RSA+import KAT_PubKey.Rabin import Utils import qualified KAT_PubKey.P256 as P256 @@ -23,7 +25,7 @@                            , dbMask :: ByteString                            } -doMGFTest (i, vmgf) = testCase (show i) (dbMask vmgf @=? actual)+doMGFTest i vmgf = testCase (show i) (dbMask vmgf @=? actual)     where actual = mgf1 SHA1 (seed vmgf) (B.length $ dbMask vmgf)  vectorsMGF =@@ -34,13 +36,15 @@     ]  tests = testGroup "PubKey"-    [ testGroup "MGF1" $ map doMGFTest (zip [katZero..] vectorsMGF)+    [ testGroup "MGF1" $ zipWith doMGFTest [katZero..] vectorsMGF+    , rsaTests     , pssTests     , oaepTests     , dsaTests     , eccTests     , ecdsaTests     , P256.tests+    , rabinTests     ]  --newKats = [ eccKatTests ]
tests/KAT_PubKey/DSA.hs view
@@ -106,7 +106,43 @@         , r = 0x8c2fab489c34672140415d41a65cef1e70192e23         , s = 0x3df86a9e2efe944a1c7ea9c30cac331d00599a0e         , pgq = dsaParams-        } +        }+    , VectorDSA -- 1024-bit example from RFC 6979 with SHA-1+        { msg = "sample"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x7BDB6B0FF756E1BB5D53583EF979082F9AD5BD5B+        , r = 0x2E1A0C2562B2912CAAF89186FB0F42001585DA55+        , s = 0x29EFB6B0AFF2D7A68EB70CA313022253B9A88DF5+        , pgq = rfc6979Params1024+        }+    , VectorDSA -- 1024-bit example from RFC 6979 with SHA-1+        { msg = "test"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x5C842DF4F9E344EE09F056838B42C7A17F4A6433+        , r = 0x42AB2052FD43E123F0607F115052A67DCD9C5C77+        , s = 0x183916B0230D45B9931491D4C6B0BD2FB4AAF088+        , pgq = rfc6979Params1024+        }+    , VectorDSA -- 2048-bit example from RFC 6979 with SHA-1+        { msg = "sample"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x888FA6F7738A41BDC9846466ABDB8174C0338250AE50CE955CA16230F9CBD53E+        , r = 0x3A1B2DBD7489D6ED7E608FD036C83AF396E290DBD602408E8677DAABD6E7445A+        , s = 0xD26FCBA19FA3E3058FFC02CA1596CDBB6E0D20CB37B06054F7E36DED0CDBBCCF+        , pgq = rfc6979Params2048+        }+    , VectorDSA -- 2048-bit example from RFC 6979 with SHA-1+        { msg = "test"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x6EEA486F9D41A037B2C640BC5645694FF8FF4B98D066A25F76BE641CCB24BA4F+        , r = 0xC18270A93CFC6063F57A4DFA86024F700D980E4CF4E2CB65A504397273D98EA0+        , s = 0x414F22E5F31A8B6D33295C7539C1C1BA3A6160D7D68D50AC0D3A5BEAC2884FAA+        , pgq = rfc6979Params2048+        }     ]     where -- (p,g,q)           dsaParams = DSA.Params@@ -115,6 +151,174 @@             , DSA.params_q = 0xf85f0f83ac4df7ea0cdf8f469bfeeaea14156495             } +vectorsSHA224 =+    [ VectorDSA+        { msg = "sample"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x562097C06782D60C3037BA7BE104774344687649+        , r = 0x4BC3B686AEA70145856814A6F1BB53346F02101E+        , s = 0x410697B92295D994D21EDD2F4ADA85566F6F94C1+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "test"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x4598B8EFC1A53BC8AECD58D1ABBB0C0C71E67297+        , r = 0x6868E9964E36C1689F6037F91F28D5F2C30610F2+        , s = 0x49CEC3ACDC83018C5BD2674ECAAD35B8CD22940F+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "sample"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0xBC372967702082E1AA4FCE892209F71AE4AD25A6DFD869334E6F153BD0C4D806+        , r = 0xDC9F4DEADA8D8FF588E98FED0AB690FFCE858DC8C79376450EB6B76C24537E2C+        , s = 0xA65A9C3BC7BABE286B195D5DA68616DA8D47FA0097F36DD19F517327DC848CEC+        , pgq = rfc6979Params2048+        }+    , VectorDSA+        { msg = "test"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x06BD4C05ED74719106223BE33F2D95DA6B3B541DAD7BFBD7AC508213B6DA6670+        , r = 0x272ABA31572F6CC55E30BF616B7A265312018DD325BE031BE0CC82AA17870EA3+        , s = 0xE9CC286A52CCE201586722D36D1E917EB96A4EBDB47932F9576AC645B3A60806+        , pgq = rfc6979Params2048+        }+    ]++vectorsSHA256 =+    [ VectorDSA+        { msg = "sample"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x519BA0546D0C39202A7D34D7DFA5E760B318BCFB+        , r = 0x81F2F5850BE5BC123C43F71A3033E9384611C545+        , s = 0x4CDD914B65EB6C66A8AAAD27299BEE6B035F5E89+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "test"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x5A67592E8128E03A417B0484410FB72C0B630E1A+        , r = 0x22518C127299B0F6FDC9872B282B9E70D0790812+        , s = 0x6837EC18F150D55DE95B5E29BE7AF5D01E4FE160+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "sample"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x8926A27C40484216F052F4427CFD5647338B7B3939BC6573AF4333569D597C52+        , r = 0xEACE8BDBBE353C432A795D9EC556C6D021F7A03F42C36E9BC87E4AC7932CC809+        , s = 0x7081E175455F9247B812B74583E9E94F9EA79BD640DC962533B0680793A38D53+        , pgq = rfc6979Params2048+        }+    , VectorDSA+        { msg = "test"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x1D6CE6DDA1C5D37307839CD03AB0A5CBB18E60D800937D67DFB4479AAC8DEAD7+        , r = 0x8190012A1969F9957D56FCCAAD223186F423398D58EF5B3CEFD5A4146A4476F0+        , s = 0x7452A53F7075D417B4B013B278D1BB8BBD21863F5E7B1CEE679CF2188E1AB19E+        , pgq = rfc6979Params2048+        }+    ]++vectorsSHA384 =+    [ VectorDSA+        { msg = "sample"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x95897CD7BBB944AA932DBC579C1C09EB6FCFC595+        , r = 0x07F2108557EE0E3921BC1774F1CA9B410B4CE65A+        , s = 0x54DF70456C86FAC10FAB47C1949AB83F2C6F7595+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "test"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x220156B761F6CA5E6C9F1B9CF9C24BE25F98CD89+        , r = 0x854CF929B58D73C3CBFDC421E8D5430CD6DB5E66+        , s = 0x91D0E0F53E22F898D158380676A871A157CDA622+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "sample"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0xC345D5AB3DA0A5BCB7EC8F8FB7A7E96069E03B206371EF7D83E39068EC564920+        , r = 0xB2DA945E91858834FD9BF616EBAC151EDBC4B45D27D0DD4A7F6A22739F45C00B+        , s = 0x19048B63D9FD6BCA1D9BAE3664E1BCB97F7276C306130969F63F38FA8319021B+        , pgq = rfc6979Params2048+        }+    , VectorDSA+        { msg = "test"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x206E61F73DBE1B2DC8BE736B22B079E9DACD974DB00EEBBC5B64CAD39CF9F91C+        , r = 0x239E66DDBE8F8C230A3D071D601B6FFBDFB5901F94D444C6AF56F732BEB954BE+        , s = 0x6BD737513D5E72FE85D1C750E0F73921FE299B945AAD1C802F15C26A43D34961+        , pgq = rfc6979Params2048+        }+    ]++vectorsSHA512 =+    [ VectorDSA+        { msg = "sample"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x09ECE7CA27D0F5A4DD4E556C9DF1D21D28104F8B+        , r = 0x16C3491F9B8C3FBBDD5E7A7B667057F0D8EE8E1B+        , s = 0x02C36A127A7B89EDBB72E4FFBC71DABC7D4FC69C+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "test"+        , x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7+        , y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B+        , k = 0x65D2C2EEB175E370F28C75BFCDC028D22C7DBE9C+        , r = 0x8EA47E475BA8AC6F2D821DA3BD212D11A3DEB9A0+        , s = 0x7C670C7AD72B6C050C109E1790008097125433E8+        , pgq = rfc6979Params1024+        }+    , VectorDSA+        { msg = "sample"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0x5A12994431785485B3F5F067221517791B85A597B7A9436995C89ED0374668FC+        , r = 0x2016ED092DC5FB669B8EFB3D1F31A91EECB199879BE0CF78F02BA062CB4C942E+        , s = 0xD0C76F84B5F091E141572A639A4FB8C230807EEA7D55C8A154A224400AFF2351+        , pgq = rfc6979Params2048+        }+    , VectorDSA+        { msg = "test"+        , x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC+        , y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF+        , k = 0xAFF1651E4CD6036D57AA8B2A05CCF1A9D5A40166340ECBBDC55BE10B568AA0AA+        , r = 0x89EC4BB1400ECCFF8E7D9AA515CD1DE7803F2DAFF09693EE7FD1353E90A68307+        , s = 0xC9F0BDABCC0D880BB137A994CC7F3980CE91CC10FAF529FC46565B15CEA854E1+        , pgq = rfc6979Params2048+        }+    ]++rfc6979Params1024 = DSA.Params+    { DSA.params_p = 0x86F5CA03DCFEB225063FF830A0C769B9DD9D6153AD91D7CE27F787C43278B447E6533B86B18BED6E8A48B784A14C252C5BE0DBF60B86D6385BD2F12FB763ED8873ABFD3F5BA2E0A8C0A59082EAC056935E529DAF7C610467899C77ADEDFC846C881870B7B19B2B58F9BE0521A17002E3BDD6B86685EE90B3D9A1B02B782B1779+    , DSA.params_g = 0x07B0F92546150B62514BB771E2A0C0CE387F03BDA6C56B505209FF25FD3C133D89BBCD97E904E09114D9A7DEFDEADFC9078EA544D2E401AEECC40BB9FBBF78FD87995A10A1C27CB7789B594BA7EFB5C4326A9FE59A070E136DB77175464ADCA417BE5DCE2F40D10A46A3A3943F26AB7FD9C0398FF8C76EE0A56826A8A88F1DBD+    , DSA.params_q = 0x996F967F6C8E388D9E28D01E205FBA957A5698B1+    }++rfc6979Params2048 = DSA.Params+    { DSA.params_p = 0x9DB6FB5951B66BB6FE1E140F1D2CE5502374161FD6538DF1648218642F0B5C48C8F7A41AADFA187324B87674FA1822B00F1ECF8136943D7C55757264E5A1A44FFE012E9936E00C1D3E9310B01C7D179805D3058B2A9F4BB6F9716BFE6117C6B5B3CC4D9BE341104AD4A80AD6C94E005F4B993E14F091EB51743BF33050C38DE235567E1B34C3D6A5C0CEAA1A0F368213C3D19843D0B4B09DCB9FC72D39C8DE41F1BF14D4BB4563CA28371621CAD3324B6A2D392145BEBFAC748805236F5CA2FE92B871CD8F9C36D3292B5509CA8CAA77A2ADFC7BFD77DDA6F71125A7456FEA153E433256A2261C6A06ED3693797E7995FAD5AABBCFBE3EDA2741E375404AE25B+    , DSA.params_g = 0x5C7FF6B06F8F143FE8288433493E4769C4D988ACE5BE25A0E24809670716C613D7B0CEE6932F8FAA7C44D2CB24523DA53FBE4F6EC3595892D1AA58C4328A06C46A15662E7EAA703A1DECF8BBB2D05DBE2EB956C142A338661D10461C0D135472085057F3494309FFA73C611F78B32ADBB5740C361C9F35BE90997DB2014E2EF5AA61782F52ABEB8BD6432C4DD097BC5423B285DAFB60DC364E8161F4A2A35ACA3A10B1C4D203CC76A470A33AFDCBDD92959859ABD8B56E1725252D78EAC66E71BA9AE3F1DD2487199874393CD4D832186800654760E1E34C09E4D155179F9EC0DC4473F996BDCE6EED1CABED8B6F116F7AD9CF505DF0F998E34AB27514B0FFE7+    , DSA.params_q = 0xF2C3119374CE76C9356990B465374A17F23F9ED35089BD969F61C6DDE9998C1F+    }+ vectorToPrivate :: VectorDSA -> DSA.PrivateKey vectorToPrivate vector = DSA.PrivateKey     { DSA.private_x      = x vector@@ -127,16 +331,32 @@     , DSA.public_params = pgq vector     } -doSignatureTest (i, vector) = testCase (show i) (expected @=? actual)+doSignatureTest hashAlg i vector = testCase (show i) (expected @=? actual)     where expected = Just $ DSA.Signature (r vector) (s vector)-          actual   = DSA.signWith (k vector) (vectorToPrivate vector) SHA1 (msg vector)+          actual   = DSA.signWith (k vector) (vectorToPrivate vector) hashAlg (msg vector) -doVerifyTest (i, vector) = testCase (show i) (True @=? actual)-    where actual = DSA.verify SHA1 (vectorToPublic vector) (DSA.Signature (r vector) (s vector)) (msg vector)+doVerifyTest hashAlg i vector = testCase (show i) (True @=? actual)+    where actual = DSA.verify hashAlg (vectorToPublic vector) (DSA.Signature (r vector) (s vector)) (msg vector)  dsaTests = testGroup "DSA"     [ testGroup "SHA1"-        [ testGroup "signature" $ map doSignatureTest (zip [katZero..] vectorsSHA1)-        , testGroup "verify" $ map doVerifyTest (zip [katZero..] vectorsSHA1)+        [ testGroup "signature" $ zipWith (doSignatureTest SHA1) [katZero..] vectorsSHA1+        , testGroup "verify" $ zipWith (doVerifyTest SHA1) [katZero..] vectorsSHA1+        ]+    , testGroup "SHA224"+        [ testGroup "signature" $ zipWith (doSignatureTest SHA224) [katZero..] vectorsSHA224+        , testGroup "verify" $ zipWith (doVerifyTest SHA224) [katZero..] vectorsSHA224+        ]+    , testGroup "SHA256"+        [ testGroup "signature" $ zipWith (doSignatureTest SHA256) [katZero..] vectorsSHA256+        , testGroup "verify" $ zipWith (doVerifyTest SHA256) [katZero..] vectorsSHA256+        ]+    , testGroup "SHA384"+        [ testGroup "signature" $ zipWith (doSignatureTest SHA384) [katZero..] vectorsSHA384+        , testGroup "verify" $ zipWith (doVerifyTest SHA384) [katZero..] vectorsSHA384+        ]+    , testGroup "SHA512"+        [ testGroup "signature" $ zipWith (doSignatureTest SHA512) [katZero..] vectorsSHA512+        , testGroup "verify" $ zipWith (doVerifyTest SHA512) [katZero..] vectorsSHA512         ]     ]
tests/KAT_PubKey/ECC.hs view
@@ -136,7 +136,7 @@         }     ] -doPointValidTest (i, vector) = testCase (show i) (valid vector @=? ECC.isPointValid (curve vector) (ECC.Point (x vector) (y vector)))+doPointValidTest i vector = testCase (show i) (valid vector @=? ECC.isPointValid (curve vector) (ECC.Point (x vector) (y vector)))  arbitraryPoint :: ECC.Curve -> Gen ECC.Point arbitraryPoint aCurve =@@ -146,8 +146,8 @@     pointGen = ECC.pointBaseMul aCurve <$> choose (1, n - 1)  eccTests = testGroup "ECC"-    [ testGroup "valid-point" $ map doPointValidTest (zip [katZero..] vectorsPoint)-    , testGroup "property"+    [ testGroup "valid-point" $ zipWith doPointValidTest [katZero..] vectorsPoint+    , localOption (QuickCheckTests 20) $ testGroup "property"         [ testProperty "point-add" $ \aCurve (QAInteger r1) (QAInteger r2) ->             let curveN   = ECC.ecc_n . ECC.common_curve $ aCurve                 curveGen = ECC.ecc_g . ECC.common_curve $ aCurve@@ -155,14 +155,19 @@                 p2       = ECC.pointMul aCurve r2 curveGen                 pR       = ECC.pointMul aCurve ((r1 + r2) `mod` curveN) curveGen              in pR `propertyEq` ECC.pointAdd aCurve p1 p2-        , localOption (QuickCheckTests 20) $-          testProperty "point-mul-mul" $ \aCurve (QAInteger n1) (QAInteger n2) -> do+        , testProperty "point-negate-add" $ \aCurve -> do             p <- arbitraryPoint aCurve+            let o = ECC.pointAdd aCurve p (ECC.pointNegate aCurve p)+            return $ ECC.PointO `propertyEq` o+        , testProperty "point-negate-negate" $ \aCurve -> do+            p <- arbitraryPoint aCurve+            return $ p `propertyEq` ECC.pointNegate aCurve (ECC.pointNegate aCurve p)+        , testProperty "point-mul-mul" $ \aCurve (QAInteger n1) (QAInteger n2) -> do+            p <- arbitraryPoint aCurve             let pRes = ECC.pointMul aCurve (n1 * n2) p             let pDef = ECC.pointMul aCurve n1 (ECC.pointMul aCurve n2 p)             return $ pRes `propertyEq` pDef-        , localOption (QuickCheckTests 20) $-          testProperty "double-scalar-mult" $ \aCurve (QAInteger n1) (QAInteger n2) -> do+        , testProperty "double-scalar-mult" $ \aCurve (QAInteger n1) (QAInteger n2) -> do             p1 <- arbitraryPoint aCurve             p2 <- arbitraryPoint aCurve             let pRes = ECC.pointAddTwoMuls aCurve n1 p1 n2 p2
tests/KAT_PubKey/ECDSA.hs view
@@ -490,32 +490,32 @@ vectorToPublic :: VectorECDSA -> ECDSA.PublicKey vectorToPublic vector = ECDSA.PublicKey (curve vector) (q vector) -doSignatureTest hashAlg (i, vector) = testCase (show i) (expected @=? actual)+doSignatureTest hashAlg i vector = testCase (show i) (expected @=? actual)   where expected = Just $ ECDSA.Signature (r vector) (s vector)         actual   = ECDSA.signWith (k vector) (vectorToPrivate vector) hashAlg (msg vector) -doVerifyTest hashAlg (i, vector) = testCase (show i) (True @=? actual)+doVerifyTest hashAlg i vector = testCase (show i) (True @=? actual)   where actual = ECDSA.verify hashAlg (vectorToPublic vector) (ECDSA.Signature (r vector) (s vector)) (msg vector)  ecdsaTests = testGroup "ECDSA"     [ testGroup "SHA1"-        [ testGroup "signature" $ map (doSignatureTest SHA1) (zip [katZero..] vectorsSHA1)-        , testGroup "verify" $ map (doVerifyTest SHA1) (zip [katZero..] vectorsSHA1)+        [ testGroup "signature" $ zipWith (doSignatureTest SHA1) [katZero..] vectorsSHA1+        , testGroup "verify" $ zipWith (doVerifyTest SHA1) [katZero..] vectorsSHA1         ]     , testGroup "SHA224"-        [ testGroup "signature" $ map (doSignatureTest SHA224) (zip [katZero..] rfc6979_vectorsSHA224)-        , testGroup "verify" $ map (doVerifyTest SHA224) (zip [katZero..] rfc6979_vectorsSHA224)+        [ testGroup "signature" $ zipWith (doSignatureTest SHA224) [katZero..] rfc6979_vectorsSHA224+        , testGroup "verify" $ zipWith (doVerifyTest SHA224) [katZero..] rfc6979_vectorsSHA224         ]     , testGroup "SHA256"-        [ testGroup "signature" $ map (doSignatureTest SHA256) (zip [katZero..] rfc6979_vectorsSHA256)-        , testGroup "verify" $ map (doVerifyTest SHA256) (zip [katZero..] rfc6979_vectorsSHA256)+        [ testGroup "signature" $ zipWith (doSignatureTest SHA256) [katZero..] rfc6979_vectorsSHA256+        , testGroup "verify" $ zipWith (doVerifyTest SHA256) [katZero..] rfc6979_vectorsSHA256         ]     , testGroup "SHA384"-        [ testGroup "signature" $ map (doSignatureTest SHA384) (zip [katZero..] rfc6979_vectorsSHA384)-        , testGroup "verify" $ map (doVerifyTest SHA384) (zip [katZero..] rfc6979_vectorsSHA384)+        [ testGroup "signature" $ zipWith (doSignatureTest SHA384) [katZero..] rfc6979_vectorsSHA384+        , testGroup "verify" $ zipWith (doVerifyTest SHA384) [katZero..] rfc6979_vectorsSHA384         ]     , testGroup "SHA512"-        [ testGroup "signature" $ map (doSignatureTest SHA512) (zip [katZero..] rfc6979_vectorsSHA512)-        , testGroup "verify" $ map (doVerifyTest SHA512) (zip [katZero..] rfc6979_vectorsSHA512)+        [ testGroup "signature" $ zipWith (doSignatureTest SHA512) [katZero..] rfc6979_vectorsSHA512+        , testGroup "verify" $ zipWith (doVerifyTest SHA512) [katZero..] rfc6979_vectorsSHA512         ]     ]
tests/KAT_PubKey/OAEP.hs view
@@ -81,17 +81,17 @@         }     ] -doEncryptionTest key (i, vec) = testCase (show i) (Right (cipherText vec) @=? actual)-    where actual = OAEP.encryptWithSeed (seed vec) (OAEP.defaultOAEPParams SHA1) key (message vec) +doEncryptionTest key i vec = testCase (show i) (Right (cipherText vec) @=? actual)+    where actual = OAEP.encryptWithSeed (seed vec) (OAEP.defaultOAEPParams SHA1) key (message vec) -doDecryptionTest key (i, vec) = testCase (show i) (Right (message vec) @=? actual)+doDecryptionTest key i vec = testCase (show i) (Right (message vec) @=? actual)     where actual = OAEP.decrypt Nothing (OAEP.defaultOAEPParams SHA1) key (cipherText vec)  oaepTests = testGroup "RSA-OAEP"     [ testGroup "internal"-        [ doEncryptionTest (private_pub rsaKeyInt) (0 :: Int, vectorInt)-        , doDecryptionTest rsaKeyInt (0 :: Int, vectorInt)+        [ doEncryptionTest (private_pub rsaKeyInt) (0 :: Int) vectorInt+        , doDecryptionTest rsaKeyInt (0 :: Int) vectorInt         ]-    , testGroup "encryption key 1024 bits" $ map (doEncryptionTest $ private_pub rsaKey1) (zip [katZero..] vectorsKey1)-    , testGroup "decryption key 1024 bits" $ map (doDecryptionTest rsaKey1) (zip [katZero..] vectorsKey1)+    , testGroup "encryption key 1024 bits" $ zipWith (doEncryptionTest $ private_pub rsaKey1) [katZero..] vectorsKey1+    , testGroup "decryption key 1024 bits" $ zipWith (doDecryptionTest rsaKey1) [katZero..] vectorsKey1     ]
tests/KAT_PubKey/P256.hs view
@@ -17,7 +17,19 @@     deriving (Show,Eq,Ord)  instance Arbitrary P256Scalar where-    arbitrary = P256Scalar . getQAInteger <$> arbitrary+    -- Cover the full range up to 2^256-1 except 0 and curveN.  To test edge+    -- cases with arithmetic functions, some values close to 0, curveN and+    -- 2^256 are given higher frequency.+    arbitrary = P256Scalar <$> oneof+        [ choose (1, w)+        , choose (w + 1, curveN - w - 1)+        , choose (curveN - w, curveN - 1)+        , choose (curveN + 1, curveN + w)+        , choose (curveN + w + 1, high - w - 1)+        , choose (high - w, high - 1)+        ]+      where high = 2^(256 :: Int)+            w    = 100  curve  = ECC.getCurveByName ECC.SEC_p256r1 curveN = ECC.ecc_n . ECC.common_curve $ curve@@ -26,23 +38,25 @@ pointP256ToECC :: P256.Point -> ECC.Point pointP256ToECC = uncurry ECC.Point . P256.pointToIntegers +i2ospScalar :: Integer -> Bytes+i2ospScalar i =+    case i2ospOf 32 i of+        Nothing -> error "invalid size of P256 scalar"+        Just b  -> b+ unP256Scalar :: P256Scalar -> P256.Scalar-unP256Scalar (P256Scalar r') =-    let r = if r' == 0 then 0x2901 else (r' `mod` curveN)-        rBytes = i2ospScalar r+unP256Scalar (P256Scalar r) =+    let rBytes = i2ospScalar r      in case P256.scalarFromBinary rBytes of                     CryptoFailed err    -> error ("cannot convert scalar: " ++ show err)                     CryptoPassed scalar -> scalar-  where-    i2ospScalar :: Integer -> Bytes-    i2ospScalar i =-        case i2ospOf 32 i of-            Nothing -> error "invalid size of P256 scalar"-            Just b  -> b  unP256 :: P256Scalar -> Integer-unP256 (P256Scalar r') = if r' == 0 then 0x2901 else (r' `mod` curveN)+unP256 (P256Scalar r) = r +modP256Scalar :: P256Scalar -> P256Scalar+modP256Scalar (P256Scalar r) = P256Scalar (r `mod` curveN)+ p256ScalarToInteger :: P256.Scalar -> Integer p256ScalarToInteger s = os2ip (P256.scalarToBinary s :: Bytes) @@ -55,9 +69,8 @@  tests = testGroup "P256"     [ testGroup "scalar"-        [ testProperty "marshalling" $ \(QAInteger r') ->-            let r = r' `mod` curveN-                rBytes = i2ospScalar r+        [ testProperty "marshalling" $ \(QAInteger r) ->+            let rBytes = i2ospScalar r              in case P256.scalarFromBinary rBytes of                     CryptoFailed err    -> error (show err)                     CryptoPassed scalar -> rBytes `propertyEq` P256.scalarToBinary scalar@@ -66,14 +79,9 @@                 r' = P256.scalarAdd (unP256Scalar r1) (unP256Scalar r2)              in r `propertyEq` p256ScalarToInteger r'         , testProperty "add0" $ \r ->-            let v = unP256 r+            let v = unP256 r `mod` curveN                 v' = P256.scalarAdd (unP256Scalar r) P256.scalarZero              in v `propertyEq` p256ScalarToInteger v'-        , testProperty "add-n-1" $ \r ->-            let nm1 = throwCryptoError $ P256.scalarFromInteger (curveN - 1)-                v   = unP256 r-                v'  = P256.scalarAdd (unP256Scalar r) nm1-             in (((curveN - 1) + v) `mod` curveN) `propertyEq` p256ScalarToInteger v'         , testProperty "sub" $ \r1 r2 ->             let r = (unP256 r1 - unP256 r2) `mod` curveN                 r' = P256.scalarSub (unP256Scalar r1) (unP256Scalar r2)@@ -83,21 +91,38 @@                     [ eqTest "r1-r2" r (p256ScalarToInteger r')                     , eqTest "r2-r1" v (p256ScalarToInteger v')                     ]-        , testProperty "sub-n-1" $ \r ->-            let nm1 = throwCryptoError $ P256.scalarFromInteger (curveN - 1)-                v = unP256 r-                v' = P256.scalarSub (unP256Scalar r) nm1-             in ((v - (curveN - 1)) `mod` curveN) `propertyEq` p256ScalarToInteger v'+        , testProperty "sub0" $ \r ->+            let v = unP256 r `mod` curveN+                v' = P256.scalarSub (unP256Scalar r) P256.scalarZero+             in v `propertyEq` p256ScalarToInteger v'+        , testProperty "mul" $ \r1 r2 ->+            let r = (unP256 r1 * unP256 r2) `mod` curveN+                r' = P256.scalarMul (unP256Scalar r1) (unP256Scalar r2)+             in r `propertyEq` p256ScalarToInteger r'         , testProperty "inv" $ \r' ->             let inv  = inverseCoprimes (unP256 r') curveN                 inv' = P256.scalarInv (unP256Scalar r')-             in if unP256 r' == 0 then True else inv `propertyEq` p256ScalarToInteger inv'+             in unP256 r' /= 0 ==> inv `propertyEq` p256ScalarToInteger inv'+        , testProperty "inv-safe" $ \r' ->+            let inv  = P256.scalarInv (unP256Scalar r')+                inv' = P256.scalarInvSafe (unP256Scalar r')+             in unP256 r' /= 0 ==> inv `propertyEq` inv'+        , testProperty "inv-safe-mul" $ \r' ->+            let inv = P256.scalarInvSafe (unP256Scalar r')+                res = P256.scalarMul (unP256Scalar r') inv+             in unP256 r' /= 0 ==> 1 `propertyEq` p256ScalarToInteger res+        , testProperty "inv-safe-zero" $+            let inv0 = P256.scalarInvSafe P256.scalarZero+                invN = P256.scalarInvSafe P256.scalarN+             in propertyHold [ eqTest "scalarZero" P256.scalarZero inv0+                             , eqTest "scalarN"    P256.scalarZero invN+                             ]         ]     , testGroup "point"         [ testProperty "marshalling" $ \rx ry ->             let p = P256.pointFromIntegers (unP256 rx, unP256 ry)                 b = P256.pointToBinary p :: Bytes-                p' = P256.pointFromBinary b+                p' = P256.unsafePointFromBinary b              in propertyHold [ eqTest "point" (CryptoPassed p) p' ]         , testProperty "marshalling-integer" $ \rx ry ->             let p = P256.pointFromIntegers (unP256 rx, unP256 ry)@@ -111,8 +136,16 @@                 t = P256.pointFromIntegers (xT, yT)                 r = P256.pointFromIntegers (xR, yR)              in r @=? P256.pointAdd s t-        , testProperty "lift-to-curve" $ propertyLiftToCurve-        , testProperty "point-add" $ propertyPointAdd+        , testProperty "lift-to-curve" propertyLiftToCurve+        , testProperty "point-add" propertyPointAdd+        , testProperty "point-negate" propertyPointNegate+        , testProperty "point-mul" propertyPointMul+        , testProperty "infinity" $+            let gN = P256.toPoint P256.scalarN+                g1 = P256.pointBase+             in propertyHold [ eqTest "zero" True  (P256.pointIsAtInfinity gN)+                             , eqTest "base" False (P256.pointIsAtInfinity g1)+                             ]         ]     ]   where@@ -132,12 +165,24 @@             pe2   = ECC.pointMul curve (unP256 r2) curveGen             pR    = P256.toPoint (P256.scalarAdd (unP256Scalar r1) (unP256Scalar r2))             peR   = ECC.pointAdd curve pe1 pe2-         in propertyHold [ eqTest "p256" pR (P256.pointAdd p1 p2)+         in (unP256 r1 + unP256 r2) `mod` curveN /= 0 ==>+            propertyHold [ eqTest "p256" pR (P256.pointAdd p1 p2)                          , eqTest "ecc" peR (pointP256ToECC pR)                          ] -    i2ospScalar :: Integer -> Bytes-    i2ospScalar i =-        case i2ospOf 32 i of-            Nothing -> error "invalid size of P256 scalar"-            Just b  -> b+    propertyPointNegate r =+        let p  = P256.toPoint (unP256Scalar r)+            pe = ECC.pointMul curve (unP256 r) curveGen+            pR = P256.pointNegate p+         in ECC.pointNegate curve pe `propertyEq` pointP256ToECC pR++    propertyPointMul s' r' =+        let s     = modP256Scalar s'+            r     = modP256Scalar r'+            p     = P256.toPoint (unP256Scalar r)+            pe    = ECC.pointMul curve (unP256 r) curveGen+            pR    = P256.toPoint (P256.scalarMul (unP256Scalar s) (unP256Scalar r))+            peR   = ECC.pointMul curve (unP256 s) pe+         in propertyHold [ eqTest "p256" pR (P256.pointMul (unP256Scalar s) p)+                         , eqTest "ecc" peR (pointP256ToECC pR)+                         ]
tests/KAT_PubKey/PSS.hs view
@@ -6,6 +6,9 @@  import Imports +-- Module contains one vector generated by the implementation itself and other+-- vectors from <ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip>+ data VectorPSS = VectorPSS { message :: ByteString                            , salt :: ByteString                            , signature :: ByteString@@ -149,325 +152,197 @@         }     ] -{--# ===================================-# Example 10: A 2048-bit RSA Key Pair-# ===================================--# -------------------------------# Components of the RSA Key Pair-# --------------------------------# RSA modulus n: -a5 dd 86 7a c4 cb 02 f9 0b 94 57 d4 8c 14 a7 70 -ef 99 1c 56 c3 9c 0e c6 5f d1 1a fa 89 37 ce a5 -7b 9b e7 ac 73 b4 5c 00 17 61 5b 82 d6 22 e3 18 -75 3b 60 27 c0 fd 15 7b e1 2f 80 90 fe e2 a7 ad -cd 0e ef 75 9f 88 ba 49 97 c7 a4 2d 58 c9 aa 12 -cb 99 ae 00 1f e5 21 c1 3b b5 43 14 45 a8 d5 ae -4f 5e 4c 7e 94 8a c2 27 d3 60 40 71 f2 0e 57 7e -90 5f be b1 5d fa f0 6d 1d e5 ae 62 53 d6 3a 6a -21 20 b3 1a 5d a5 da bc 95 50 60 0e 20 f2 7d 37 -39 e2 62 79 25 fe a3 cc 50 9f 21 df f0 4e 6e ea -45 49 c5 40 d6 80 9f f9 30 7e ed e9 1f ff 58 73 -3d 83 85 a2 37 d6 d3 70 5a 33 e3 91 90 09 92 07 -0d f7 ad f1 35 7c f7 e3 70 0c e3 66 7d e8 3f 17 -b8 df 17 78 db 38 1d ce 09 cb 4a d0 58 a5 11 00 -1a 73 81 98 ee 27 cf 55 a1 3b 75 45 39 90 65 82 -ec 8b 17 4b d5 8d 5d 1f 3d 76 7c 61 37 21 ae 05 --# RSA public exponent e: -01 00 01 --# RSA private exponent d: -2d 2f f5 67 b3 fe 74 e0 61 91 b7 fd ed 6d e1 12 -29 0c 67 06 92 43 0d 59 69 18 40 47 da 23 4c 96 -93 de ed 16 73 ed 42 95 39 c9 69 d3 72 c0 4d 6b -47 e0 f5 b8 ce e0 84 3e 5c 22 83 5d bd 3b 05 a0 -99 79 84 ae 60 58 b1 1b c4 90 7c bf 67 ed 84 fa -9a e2 52 df b0 d0 cd 49 e6 18 e3 5d fd fe 59 bc -a3 dd d6 6c 33 ce bb c7 7a d4 41 aa 69 5e 13 e3 -24 b5 18 f0 1c 60 f5 a8 5c 99 4a d1 79 f2 a6 b5 -fb e9 34 02 b1 17 67 be 01 bf 07 34 44 d6 ba 1d -d2 bc a5 bd 07 4d 4a 5f ae 35 31 ad 13 03 d8 4b -30 d8 97 31 8c bb ba 04 e0 3c 2e 66 de 6d 91 f8 -2f 96 ea 1d 4b b5 4a 5a ae 10 2d 59 46 57 f5 c9 -78 95 53 51 2b 29 6d ea 29 d8 02 31 96 35 7e 3e -3a 6e 95 8f 39 e3 c2 34 40 38 ea 60 4b 31 ed c6 -f0 f7 ff 6e 71 81 a5 7c 92 82 6a 26 8f 86 76 8e -96 f8 78 56 2f c7 1d 85 d6 9e 44 86 12 f7 04 8f --# Prime p: -cf d5 02 83 fe ee b9 7f 6f 08 d7 3c bc 7b 38 36 -f8 2b bc d4 99 47 9f 5e 6f 76 fd fc b8 b3 8c 4f -71 dc 9e 88 bd 6a 6f 76 37 1a fd 65 d2 af 18 62 -b3 2a fb 34 a9 5f 71 b8 b1 32 04 3f fe be 3a 95 -2b af 75 92 44 81 48 c0 3f 9c 69 b1 d6 8e 4c e5 -cf 32 c8 6b af 46 fe d3 01 ca 1a b4 03 06 9b 32 -f4 56 b9 1f 71 89 8a b0 81 cd 8c 42 52 ef 52 71 -91 5c 97 94 b8 f2 95 85 1d a7 51 0f 99 cb 73 eb --# Prime q: -cc 4e 90 d2 a1 b3 a0 65 d3 b2 d1 f5 a8 fc e3 1b -54 44 75 66 4e ab 56 1d 29 71 b9 9f b7 be f8 44 -e8 ec 1f 36 0b 8c 2a c8 35 96 92 97 1e a6 a3 8f -72 3f cc 21 1f 5d bc b1 77 a0 fd ac 51 64 a1 d4 -ff 7f bb 4e 82 99 86 35 3c b9 83 65 9a 14 8c dd -42 0c 7d 31 ba 38 22 ea 90 a3 2b e4 6c 03 0e 8c -17 e1 fa 0a d3 78 59 e0 6b 0a a6 fa 3b 21 6d 9c -be 6c 0e 22 33 97 69 c0 a6 15 91 3e 5d a7 19 cf --# p's CRT exponent dP: -1c 2d 1f c3 2f 6b c4 00 4f d8 5d fd e0 fb bf 9a -4c 38 f9 c7 c4 e4 1d ea 1a a8 82 34 a2 01 cd 92 -f3 b7 da 52 65 83 a9 8a d8 5b b3 60 fb 98 3b 71 -1e 23 44 9d 56 1d 17 78 d7 a5 15 48 6b cb f4 7b -46 c9 e9 e1 a3 a1 f7 70 00 ef be b0 9a 8a fe 47 -e5 b8 57 cd a9 9c b1 6d 7f ff 9b 71 2e 3b d6 0c -a9 6d 9c 79 73 d6 16 d4 69 34 a9 c0 50 28 1c 00 -43 99 ce ff 1d b7 dd a7 87 66 a8 a9 b9 cb 08 73 --# q's CRT exponent dQ: -cb 3b 3c 04 ca a5 8c 60 be 7d 9b 2d eb b3 e3 96 -43 f4 f5 73 97 be 08 23 6a 1e 9e af aa 70 65 36 -e7 1c 3a cf e0 1c c6 51 f2 3c 9e 05 85 8f ee 13 -bb 6a 8a fc 47 df 4e dc 9a 4b a3 0b ce cb 73 d0 -15 78 52 32 7e e7 89 01 5c 2e 8d ee 7b 9f 05 a0 -f3 1a c9 4e b6 17 31 64 74 0c 5c 95 14 7c d5 f3 -b5 ae 2c b4 a8 37 87 f0 1d 8a b3 1f 27 c2 d0 ee -a2 dd 8a 11 ab 90 6a ba 20 7c 43 c6 ee 12 53 31 --# CRT coefficient qInv: -12 f6 b2 cf 13 74 a7 36 fa d0 56 16 05 0f 96 ab -4b 61 d1 17 7c 7f 9d 52 5a 29 f3 d1 80 e7 76 67 -e9 9d 99 ab f0 52 5d 07 58 66 0f 37 52 65 5b 0f -25 b8 df 84 31 d9 a8 ff 77 c1 6c 12 a0 a5 12 2a -9f 0b f7 cf d5 a2 66 a3 5c 15 9f 99 12 08 b9 03 -16 ff 44 4f 3e 0b 6b d0 e9 3b 8a 7a 24 48 e9 57 -e3 dd a6 cf cf 22 66 b1 06 01 3a c4 68 08 d3 b3 -88 7b 3b 00 34 4b aa c9 53 0b 4c e7 08 fc 32 b6 --# ----------------------------------# RSASSA-PSS Signature Example 10.1-# -----------------------------------# Message to be signed:-88 31 77 e5 12 6b 9b e2 d9 a9 68 03 27 d5 37 0c -6f 26 86 1f 58 20 c4 3d a6 7a 3a d6 09 --# Salt:-04 e2 15 ee 6f f9 34 b9 da 70 d7 73 0c 87 34 ab -fc ec de 89 --# Signature:-82 c2 b1 60 09 3b 8a a3 c0 f7 52 2b 19 f8 73 54 -06 6c 77 84 7a bf 2a 9f ce 54 2d 0e 84 e9 20 c5 -af b4 9f fd fd ac e1 65 60 ee 94 a1 36 96 01 14 -8e ba d7 a0 e1 51 cf 16 33 17 91 a5 72 7d 05 f2 -1e 74 e7 eb 81 14 40 20 69 35 d7 44 76 5a 15 e7 -9f 01 5c b6 6c 53 2c 87 a6 a0 59 61 c8 bf ad 74 -1a 9a 66 57 02 28 94 39 3e 72 23 73 97 96 c0 2a -77 45 5d 0f 55 5b 0e c0 1d df 25 9b 62 07 fd 0f -d5 76 14 ce f1 a5 57 3b aa ff 4e c0 00 69 95 16 -59 b8 5f 24 30 0a 25 16 0c a8 52 2d c6 e6 72 7e -57 d0 19 d7 e6 36 29 b8 fe 5e 89 e2 5c c1 5b eb -3a 64 75 77 55 92 99 28 0b 9b 28 f7 9b 04 09 00 -0b e2 5b bd 96 40 8b a3 b4 3c c4 86 18 4d d1 c8 -e6 25 53 fa 1a f4 04 0f 60 66 3d e7 f5 e4 9c 04 -38 8e 25 7f 1c e8 9c 95 da b4 8a 31 5d 9b 66 b1 -b7 62 82 33 87 6f f2 38 52 30 d0 70 d0 7e 16 66 --# ----------------------------------# RSASSA-PSS Signature Example 10.2-# -----------------------------------# Message to be signed:-dd 67 0a 01 46 58 68 ad c9 3f 26 13 19 57 a5 0c -52 fb 77 7c db aa 30 89 2c 9e 12 36 11 64 ec 13 -97 9d 43 04 81 18 e4 44 5d b8 7b ee 58 dd 98 7b -34 25 d0 20 71 d8 db ae 80 70 8b 03 9d bb 64 db -d1 de 56 57 d9 fe d0 c1 18 a5 41 43 74 2e 0f f3 -c8 7f 74 e4 58 57 64 7a f3 f7 9e b0 a1 4c 9d 75 -ea 9a 1a 04 b7 cf 47 8a 89 7a 70 8f d9 88 f4 8e -80 1e db 0b 70 39 df 8c 23 bb 3c 56 f4 e8 21 ac --# Salt:-8b 2b dd 4b 40 fa f5 45 c7 78 dd f9 bc 1a 49 cb -57 f9 b7 1b --# Signature:-14 ae 35 d9 dd 06 ba 92 f7 f3 b8 97 97 8a ed 7c -d4 bf 5f f0 b5 85 a4 0b d4 6c e1 b4 2c d2 70 30 -53 bb 90 44 d6 4e 81 3d 8f 96 db 2d d7 00 7d 10 -11 8f 6f 8f 84 96 09 7a d7 5e 1f f6 92 34 1b 28 -92 ad 55 a6 33 a1 c5 5e 7f 0a 0a d5 9a 0e 20 3a -5b 82 78 ae c5 4d d8 62 2e 28 31 d8 71 74 f8 ca -ff 43 ee 6c 46 44 53 45 d8 4a 59 65 9b fb 92 ec -d4 c8 18 66 86 95 f3 47 06 f6 68 28 a8 99 59 63 -7f 2b f3 e3 25 1c 24 bd ba 4d 4b 76 49 da 00 22 -21 8b 11 9c 84 e7 9a 65 27 ec 5b 8a 5f 86 1c 15 -99 52 e2 3e c0 5e 1e 71 73 46 fa ef e8 b1 68 68 -25 bd 2b 26 2f b2 53 10 66 c0 de 09 ac de 2e 42 -31 69 07 28 b5 d8 5e 11 5a 2f 6b 92 b7 9c 25 ab -c9 bd 93 99 ff 8b cf 82 5a 52 ea 1f 56 ea 76 dd -26 f4 3b aa fa 18 bf a9 2a 50 4c bd 35 69 9e 26 -d1 dc c5 a2 88 73 85 f3 c6 32 32 f0 6f 32 44 c3 --# ----------------------------------# RSASSA-PSS Signature Example 10.3-# -----------------------------------# Message to be signed:-48 b2 b6 a5 7a 63 c8 4c ea 85 9d 65 c6 68 28 4b -08 d9 6b dc aa be 25 2d b0 e4 a9 6c b1 ba c6 01 -93 41 db 6f be fb 8d 10 6b 0e 90 ed a6 bc c6 c6 -26 2f 37 e7 ea 9c 7e 5d 22 6b d7 df 85 ec 5e 71 -ef ff 2f 54 c5 db 57 7f f7 29 ff 91 b8 42 49 1d -e2 74 1d 0c 63 16 07 df 58 6b 90 5b 23 b9 1a f1 -3d a1 23 04 bf 83 ec a8 a7 3e 87 1f f9 db --# Salt:-4e 96 fc 1b 39 8f 92 b4 46 71 01 0c 0d c3 ef d6 -e2 0c 2d 73 --# Signature:-6e 3e 4d 7b 6b 15 d2 fb 46 01 3b 89 00 aa 5b bb -39 39 cf 2c 09 57 17 98 70 42 02 6e e6 2c 74 c5 -4c ff d5 d7 d5 7e fb bf 95 0a 0f 5c 57 4f a0 9d -3f c1 c9 f5 13 b0 5b 4f f5 0d d8 df 7e df a2 01 -02 85 4c 35 e5 92 18 01 19 a7 0c e5 b0 85 18 2a -a0 2d 9e a2 aa 90 d1 df 03 f2 da ae 88 5b a2 f5 -d0 5a fd ac 97 47 6f 06 b9 3b 5b c9 4a 1a 80 aa -91 16 c4 d6 15 f3 33 b0 98 89 2b 25 ff ac e2 66 -f5 db 5a 5a 3b cc 10 a8 24 ed 55 aa d3 5b 72 78 -34 fb 8c 07 da 28 fc f4 16 a5 d9 b2 22 4f 1f 8b -44 2b 36 f9 1e 45 6f de a2 d7 cf e3 36 72 68 de -03 07 a4 c7 4e 92 41 59 ed 33 39 3d 5e 06 55 53 -1c 77 32 7b 89 82 1b de df 88 01 61 c7 8c d4 19 -6b 54 19 f7 ac c3 f1 3e 5e bf 16 1b 6e 7c 67 24 -71 6c a3 3b 85 c2 e2 56 40 19 2a c2 85 96 51 d5 -0b de 7e b9 76 e5 1c ec 82 8b 98 b6 56 3b 86 bb --# ----------------------------------# RSASSA-PSS Signature Example 10.4-# -----------------------------------# Message to be signed:-0b 87 77 c7 f8 39 ba f0 a6 4b bb db c5 ce 79 75 -5c 57 a2 05 b8 45 c1 74 e2 d2 e9 05 46 a0 89 c4 -e6 ec 8a df fa 23 a7 ea 97 ba e6 b6 5d 78 2b 82 -db 5d 2b 5a 56 d2 2a 29 a0 5e 7c 44 33 e2 b8 2a -62 1a bb a9 0a dd 05 ce 39 3f c4 8a 84 05 42 45 -1a --# Salt:-c7 cd 69 8d 84 b6 51 28 d8 83 5e 3a 8b 1e b0 e0 -1c b5 41 ec --# Signature:-34 04 7f f9 6c 4d c0 dc 90 b2 d4 ff 59 a1 a3 61 -a4 75 4b 25 5d 2e e0 af 7d 8b f8 7c 9b c9 e7 dd -ee de 33 93 4c 63 ca 1c 0e 3d 26 2c b1 45 ef 93 -2a 1f 2c 0a 99 7a a6 a3 4f 8e ae e7 47 7d 82 cc -f0 90 95 a6 b8 ac ad 38 d4 ee c9 fb 7e ab 7a d0 -2d a1 d1 1d 8e 54 c1 82 5e 55 bf 58 c2 a2 32 34 -b9 02 be 12 4f 9e 90 38 a8 f6 8f a4 5d ab 72 f6 -6e 09 45 bf 1d 8b ac c9 04 4c 6f 07 09 8c 9f ce -c5 8a 3a ab 10 0c 80 51 78 15 5f 03 0a 12 4c 45 -0e 5a cb da 47 d0 e4 f1 0b 80 a2 3f 80 3e 77 4d -02 3b 00 15 c2 0b 9f 9b be 7c 91 29 63 38 d5 ec -b4 71 ca fb 03 20 07 b6 7a 60 be 5f 69 50 4a 9f -01 ab b3 cb 46 7b 26 0e 2b ce 86 0b e8 d9 5b f9 -2c 0c 8e 14 96 ed 1e 52 85 93 a4 ab b6 df 46 2d -de 8a 09 68 df fe 46 83 11 68 57 a2 32 f5 eb f6 -c8 5b e2 38 74 5a d0 f3 8f 76 7a 5f db f4 86 fb --# ----------------------------------# RSASSA-PSS Signature Example 10.5-# ---------------------------------+-- ==================================+-- Example 2: A 1025-bit RSA Key Pair+-- ================================== -# Message to be signed:-f1 03 6e 00 8e 71 e9 64 da dc 92 19 ed 30 e1 7f -06 b4 b6 8a 95 5c 16 b3 12 b1 ed df 02 8b 74 97 -6b ed 6b 3f 6a 63 d4 e7 78 59 24 3c 9c cc dc 98 -01 65 23 ab b0 24 83 b3 55 91 c3 3a ad 81 21 3b -b7 c7 bb 1a 47 0a ab c1 0d 44 25 6c 4d 45 59 d9 -16 +rsaKey2 = PrivateKey+    { private_pub = PublicKey+        { public_n = 0x01d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c9+        , public_e = 0x010001+        , public_size = 129+        }+    , private_d = 0x027d147e4673057377fd1ea201565772176a7dc38358d376045685a2e787c23c15576bc16b9f444402d6bfc5d98a3e88ea13ef67c353eca0c0ddba9255bd7b8bb50a644afdfd1dd51695b252d22e7318d1b6687a1c10ff75545f3db0fe602d5f2b7f294e3601eab7b9d1cecd767f64692e3e536ca2846cb0c2dd486a39fa75b1+    , private_p = 0x016601e926a0f8c9e26ecab769ea65a5e7c52cc9e080ef519457c644da6891c5a104d3ea7955929a22e7c68a7af9fcad777c3ccc2b9e3d3650bce404399b7e59d1+    , private_q = 0x014eafa1d4d0184da7e31f877d1281ddda625664869e8379e67ad3b75eae74a580e9827abd6eb7a002cb5411f5266797768fb8e95ae40e3e8a01f35ff89e56c079+    , private_dP = 0xe247cce504939b8f0a36090de200938755e2444b29539a7da7a902f6056835c0db7b52559497cfe2c61a8086d0213c472c78851800b171f6401de2e9c2756f31+    , private_dQ = 0xb12fba757855e586e46f64c38a70c68b3f548d93d787b399999d4c8f0bbd2581c21e19ed0018a6d5d3df86424b3abcad40199d31495b61309f27c1bf55d487c1+    , private_qinv = 0x564b1e1fa003bda91e89090425aac05b91da9ee25061e7628d5f51304a84992fdc33762bd378a59f030a334d532bd0dae8f298ea9ed844636ad5fb8cbdc03cad+    } -# Salt:-ef a8 bf f9 62 12 b2 f4 a3 f3 71 a1 0d 57 41 52 -65 5f 5d fb +vectorsKey2 =+    [+    -- Example 2.1+      VectorPSS+        { message = "\xda\xba\x03\x20\x66\x26\x3f\xae\xdb\x65\x98\x48\x11\x52\x78\xa5\x2c\x44\xfa\xa3\xa7\x6f\x37\x51\x5e\xd3\x36\x32\x10\x72\xc4\x0a\x9d\x9b\x53\xbc\x05\x01\x40\x78\xad\xf5\x20\x87\x51\x46\xaa\xe7\x0f\xf0\x60\x22\x6d\xcb\x7b\x1f\x1f\xc2\x7e\x93\x60"+        , salt = "\x57\xbf\x16\x0b\xcb\x02\xbb\x1d\xc7\x28\x0c\xf0\x45\x85\x30\xb7\xd2\x83\x2f\xf7"+        , signature = "\x01\x4c\x5b\xa5\x33\x83\x28\xcc\xc6\xe7\xa9\x0b\xf1\xc0\xab\x3f\xd6\x06\xff\x47\x96\xd3\xc1\x2e\x4b\x63\x9e\xd9\x13\x6a\x5f\xec\x6c\x16\xd8\x88\x4b\xdd\x99\xcf\xdc\x52\x14\x56\xb0\x74\x2b\x73\x68\x68\xcf\x90\xde\x09\x9a\xdb\x8d\x5f\xfd\x1d\xef\xf3\x9b\xa4\x00\x7a\xb7\x46\xce\xfd\xb2\x2d\x7d\xf0\xe2\x25\xf5\x46\x27\xdc\x65\x46\x61\x31\x72\x1b\x90\xaf\x44\x53\x63\xa8\x35\x8b\x9f\x60\x76\x42\xf7\x8f\xab\x0a\xb0\xf4\x3b\x71\x68\xd6\x4b\xae\x70\xd8\x82\x78\x48\xd8\xef\x1e\x42\x1c\x57\x54\xdd\xf4\x2c\x25\x89\xb5\xb3"+        }+    -- Example 2.2+    , VectorPSS+        { message = "\xe4\xf8\x60\x1a\x8a\x6d\xa1\xbe\x34\x44\x7c\x09\x59\xc0\x58\x57\x0c\x36\x68\xcf\xd5\x1d\xd5\xf9\xcc\xd6\xad\x44\x11\xfe\x82\x13\x48\x6d\x78\xa6\xc4\x9f\x93\xef\xc2\xca\x22\x88\xce\xbc\x2b\x9b\x60\xbd\x04\xb1\xe2\x20\xd8\x6e\x3d\x48\x48\xd7\x09\xd0\x32\xd1\xe8\xc6\xa0\x70\xc6\xaf\x9a\x49\x9f\xcf\x95\x35\x4b\x14\xba\x61\x27\xc7\x39\xde\x1b\xb0\xfd\x16\x43\x1e\x46\x93\x8a\xec\x0c\xf8\xad\x9e\xb7\x2e\x83\x2a\x70\x35\xde\x9b\x78\x07\xbd\xc0\xed\x8b\x68\xeb\x0f\x5a\xc2\x21\x6b\xe4\x0c\xe9\x20\xc0\xdb\x0e\xdd\xd3\x86\x0e\xd7\x88\xef\xac\xca\xca\x50\x2d\x8f\x2b\xd6\xd1\xa7\xc1\xf4\x1f\xf4\x6f\x16\x81\xc8\xf1\xf8\x18\xe9\xc4\xf6\xd9\x1a\x0c\x78\x03\xcc\xc6\x3d\x76\xa6\x54\x4d\x84\x3e\x08\x4e\x36\x3b\x8a\xcc\x55\xaa\x53\x17\x33\xed\xb5\xde\xe5\xb5\x19\x6e\x9f\x03\xe8\xb7\x31\xb3\x77\x64\x28\xd9\xe4\x57\xfe\x3f\xbc\xb3\xdb\x72\x74\x44\x2d\x78\x58\x90\xe9\xcb\x08\x54\xb6\x44\x4d\xac\xe7\x91\xd7\x27\x3d\xe1\x88\x97\x19\x33\x8a\x77\xfe"+        , salt = "\x7f\x6d\xd3\x59\xe6\x04\xe6\x08\x70\xe8\x98\xe4\x7b\x19\xbf\x2e\x5a\x7b\x2a\x90"+        , signature = "\x01\x09\x91\x65\x6c\xca\x18\x2b\x7f\x29\xd2\xdb\xc0\x07\xe7\xae\x0f\xec\x15\x8e\xb6\x75\x9c\xb9\xc4\x5c\x5f\xf8\x7c\x76\x35\xdd\x46\xd1\x50\x88\x2f\x4d\xe1\xe9\xae\x65\xe7\xf7\xd9\x01\x8f\x68\x36\x95\x4a\x47\xc0\xa8\x1a\x8a\x6b\x6f\x83\xf2\x94\x4d\x60\x81\xb1\xaa\x7c\x75\x9b\x25\x4b\x2c\x34\xb6\x91\xda\x67\xcc\x02\x26\xe2\x0b\x2f\x18\xb4\x22\x12\x76\x1d\xcd\x4b\x90\x8a\x62\xb3\x71\xb5\x91\x8c\x57\x42\xaf\x4b\x53\x7e\x29\x69\x17\x67\x4f\xb9\x14\x19\x47\x61\x62\x1c\xc1\x9a\x41\xf6\xfb\x95\x3f\xbc\xbb\x64\x9d\xea"+        }+    -- Example 2.3+    , VectorPSS+        { message = "\x52\xa1\xd9\x6c\x8a\xc3\x9e\x41\xe4\x55\x80\x98\x01\xb9\x27\xa5\xb4\x45\xc1\x0d\x90\x2a\x0d\xcd\x38\x50\xd2\x2a\x66\xd2\xbb\x07\x03\xe6\x7d\x58\x67\x11\x45\x95\xaa\xbf\x5a\x7a\xeb\x5a\x8f\x87\x03\x4b\xbb\x30\xe1\x3c\xfd\x48\x17\xa9\xbe\x76\x23\x00\x23\x60\x6d\x02\x86\xa3\xfa\xf8\xa4\xd2\x2b\x72\x8e\xc5\x18\x07\x9f\x9e\x64\x52\x6e\x3a\x0c\xc7\x94\x1a\xa3\x38\xc4\x37\x99\x7c\x68\x0c\xca\xc6\x7c\x66\xbf\xa1"+        , salt = "\xfc\xa8\x62\x06\x8b\xce\x22\x46\x72\x4b\x70\x8a\x05\x19\xda\x17\xe6\x48\x68\x8c"+        , signature = "\x00\x7f\x00\x30\x01\x8f\x53\xcd\xc7\x1f\x23\xd0\x36\x59\xfd\xe5\x4d\x42\x41\xf7\x58\xa7\x50\xb4\x2f\x18\x5f\x87\x57\x85\x20\xc3\x07\x42\xaf\xd8\x43\x59\xb6\xe6\xe8\xd3\xed\x95\x9d\xc6\xfe\x48\x6b\xed\xc8\xe2\xcf\x00\x1f\x63\xa7\xab\xe1\x62\x56\xa1\xb8\x4d\xf0\xd2\x49\xfc\x05\xd3\x19\x4c\xe5\xf0\x91\x27\x42\xdb\xbf\x80\xdd\x17\x4f\x6c\x51\xf6\xba\xd7\xf1\x6c\xf3\x36\x4e\xba\x09\x5a\x06\x26\x7d\xc3\x79\x38\x03\xac\x75\x26\xae\xbe\x0a\x47\x5d\x38\xb8\xc2\x24\x7a\xb5\x1c\x48\x98\xdf\x70\x47\xdc\x6a\xdf\x52\xc6\xc4"+        }+    -- Example 2.4+    , VectorPSS+        { message = "\xa7\x18\x2c\x83\xac\x18\xbe\x65\x70\xa1\x06\xaa\x9d\x5c\x4e\x3d\xbb\xd4\xaf\xae\xb0\xc6\x0c\x4a\x23\xe1\x96\x9d\x79\xff"+        , salt = "\x80\x70\xef\x2d\xe9\x45\xc0\x23\x87\x68\x4b\xa0\xd3\x30\x96\x73\x22\x35\xd4\x40"+        , signature = "\x00\x9c\xd2\xf4\xed\xbe\x23\xe1\x23\x46\xae\x8c\x76\xdd\x9a\xd3\x23\x0a\x62\x07\x61\x41\xf1\x6c\x15\x2b\xa1\x85\x13\xa4\x8e\xf6\xf0\x10\xe0\xe3\x7f\xd3\xdf\x10\xa1\xec\x62\x9a\x0c\xb5\xa3\xb5\xd2\x89\x30\x07\x29\x8c\x30\x93\x6a\x95\x90\x3b\x6b\xa8\x55\x55\xd9\xec\x36\x73\xa0\x61\x08\xfd\x62\xa2\xfd\xa5\x6d\x1c\xe2\xe8\x5c\x4d\xb6\xb2\x4a\x81\xca\x3b\x49\x6c\x36\xd4\xfd\x06\xeb\x7c\x91\x66\xd8\xe9\x48\x77\xc4\x2b\xea\x62\x2b\x3b\xfe\x92\x51\xfd\xc2\x1d\x8d\x53\x71\xba\xda\xd7\x8a\x48\x82\x14\x79\x63\x35\xb4\x0b"+        }+    -- Example 2.5+    , VectorPSS+        { message = "\x86\xa8\x3d\x4a\x72\xee\x93\x2a\x4f\x56\x30\xaf\x65\x79\xa3\x86\xb7\x8f\xe8\x89\x99\xe0\xab\xd2\xd4\x90\x34\xa4\xbf\xc8\x54\xdd\x94\xf1\x09\x4e\x2e\x8c\xd7\xa1\x79\xd1\x95\x88\xe4\xae\xfc\x1b\x1b\xd2\x5e\x95\xe3\xdd\x46\x1f"+        , salt = "\x17\x63\x9a\x4e\x88\xd7\x22\xc4\xfc\xa2\x4d\x07\x9a\x8b\x29\xc3\x24\x33\xb0\xc9"+        , signature = "\x00\xec\x43\x08\x24\x93\x1e\xbd\x3b\xaa\x43\x03\x4d\xae\x98\xba\x64\x6b\x8c\x36\x01\x3d\x16\x71\xc3\xcf\x1c\xf8\x26\x0c\x37\x4b\x19\xf8\xe1\xcc\x8d\x96\x50\x12\x40\x5e\x7e\x9b\xf7\x37\x86\x12\xdf\xcc\x85\xfc\xe1\x2c\xda\x11\xf9\x50\xbd\x0b\xa8\x87\x67\x40\x43\x6c\x1d\x25\x95\xa6\x4a\x1b\x32\xef\xcf\xb7\x4a\x21\xc8\x73\xb3\xcc\x33\xaa\xf4\xe3\xdc\x39\x53\xde\x67\xf0\x67\x4c\x04\x53\xb4\xfd\x9f\x60\x44\x06\xd4\x41\xb8\x16\x09\x8c\xb1\x06\xfe\x34\x72\xbc\x25\x1f\x81\x5f\x59\xdb\x2e\x43\x78\xa3\xad\xdc\x18\x1e\xcf"+        }+    -- Example 2.6+    , VectorPSS+        { message = "\x04\x9f\x91\x54\xd8\x71\xac\x4a\x7c\x7a\xb4\x53\x25\xba\x75\x45\xa1\xed\x08\xf7\x05\x25\xb2\x66\x7c\xf1"+        , salt = "\x37\x81\x0d\xef\x10\x55\xed\x92\x2b\x06\x3d\xf7\x98\xde\x5d\x0a\xab\xf8\x86\xee"+        , signature = "\x00\x47\x5b\x16\x48\xf8\x14\xa8\xdc\x0a\xbd\xc3\x7b\x55\x27\xf5\x43\xb6\x66\xbb\x6e\x39\xd3\x0e\x5b\x49\xd3\xb8\x76\xdc\xcc\x58\xea\xc1\x4e\x32\xa2\xd5\x5c\x26\x16\x01\x44\x56\xad\x2f\x24\x6f\xc8\xe3\xd5\x60\xda\x3d\xdf\x37\x9a\x1c\x0b\xd2\x00\xf1\x02\x21\xdf\x07\x8c\x21\x9a\x15\x1b\xc8\xd4\xec\x9d\x2f\xc2\x56\x44\x67\x81\x10\x14\xef\x15\xd8\xea\x01\xc2\xeb\xbf\xf8\xc2\xc8\xef\xab\x38\x09\x6e\x55\xfc\xbe\x32\x85\xc7\xaa\x55\x88\x51\x25\x4f\xaf\xfa\x92\xc1\xc7\x2b\x78\x75\x86\x63\xef\x45\x82\x84\x31\x39\xd7\xa6"+        }+    ] -# Signature:-7e 09 35 ea 18 f4 d6 c1 d1 7c e8 2e b2 b3 83 6c -55 b3 84 58 9c e1 9d fe 74 33 63 ac 99 48 d1 f3 -46 b7 bf dd fe 92 ef d7 8a db 21 fa ef c8 9a de -42 b1 0f 37 40 03 fe 12 2e 67 42 9a 1c b8 cb d1 -f8 d9 01 45 64 c4 4d 12 01 16 f4 99 0f 1a 6e 38 -77 4c 19 4b d1 b8 21 32 86 b0 77 b0 49 9d 2e 7b -3f 43 4a b1 22 89 c5 56 68 4d ee d7 81 31 93 4b -b3 dd 65 37 23 6f 7c 6f 3d cb 09 d4 76 be 07 72 -1e 37 e1 ce ed 9b 2f 7b 40 68 87 bd 53 15 73 05 -e1 c8 b4 f8 4d 73 3b c1 e1 86 fe 06 cc 59 b6 ed -b8 f4 bd 7f fe fd f4 f7 ba 9c fb 9d 57 06 89 b5 -a1 a4 10 9a 74 6a 69 08 93 db 37 99 25 5a 0c b9 -21 5d 2d 1c d4 90 59 0e 95 2e 8c 87 86 aa 00 11 -26 52 52 47 0c 04 1d fb c3 ee c7 c3 cb f7 1c 24 -86 9d 11 5c 0c b4 a9 56 f5 6d 53 0b 80 ab 58 9a -cf ef c6 90 75 1d df 36 e8 d3 83 f8 3c ed d2 cc +-- ==================================+-- Example 3: A 1026-bit RSA Key Pair+-- ================================== -# ----------------------------------# RSASSA-PSS Signature Example 10.6-# ---------------------------------+rsaKey3 = PrivateKey+    { private_pub = PublicKey+        { public_n = 0x02f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a443+        , public_e = 0x010001+        , public_size = 129+        }+    , private_d = 0x651451733b56de5ac0a689a4aeb6e6894a69014e076c88dd7a667eab3232bbccd2fc44ba2fa9c31db46f21edd1fdb23c5c128a5da5bab91e7f952b67759c7cff705415ac9fa0907c7ca6178f668fb948d869da4cc3b7356f4008dfd5449d32ee02d9a477eb69fc29266e5d9070512375a50fbbcc27e238ad98425f6ebbf88991+    , private_p = 0x01bd36e18ece4b0fdb2e9c9d548bd1a7d6e2c21c6fdc35074a1d05b1c6c8b3d558ea2639c9a9a421680169317252558bd148ad215aac550e2dcf12a82d0ebfe853+    , private_q = 0x01b1b656ad86d8e19d5dc86292b3a192fdf6e0dd37877bad14822fa00190cab265f90d3f02057b6f54d6ecb14491e5adeacebc48bf0ebd2a2ad26d402e54f61651+    , private_dP = 0x1f2779fd2e3e5e6bae05539518fba0cd0ead1aa4513a7cba18f1cf10e3f68195693d278a0f0ee72f89f9bc760d80e2f9d0261d516501c6ae39f14a476ce2ccf5+    , private_dQ = 0x011a0d36794b04a854aab4b2462d439a5046c91d940b2bc6f75b62956fef35a2a6e63c5309817f307bbff9d59e7e331bd363f6d66849b18346adea169f0ae9aec1+    , private_qinv = 0x0b30f0ecf558752fb3a6ce4ba2b8c675f659eba6c376585a1b39712d038ae3d2b46fcb418ae15d0905da6440e1513a30b9b7d6668fbc5e88e5ab7a175e73ba35+    } -# Message to be signed:-25 f1 08 95 a8 77 16 c1 37 45 0b b9 51 9d fa a1 -f2 07 fa a9 42 ea 88 ab f7 1e 9c 17 98 00 85 b5 -55 ae ba b7 62 64 ae 2a 3a b9 3c 2d 12 98 11 91 -dd ac 6f b5 94 9e b3 6a ee 3c 5d a9 40 f0 07 52 -c9 16 d9 46 08 fa 7d 97 ba 6a 29 15 b6 88 f2 03 -23 d4 e9 d9 68 01 d8 9a 72 ab 58 92 dc 21 17 c0 -74 34 fc f9 72 e0 58 cf 8c 41 ca 4b 4f f5 54 f7 -d5 06 8a d3 15 5f ce d0 f3 12 5b c0 4f 91 93 37 -8a 8f 5c 4c 3b 8c b4 dd 6d 1c c6 9d 30 ec ca 6e -aa 51 e3 6a 05 73 0e 9e 34 2e 85 5b af 09 9d ef -b8 af d7 +vectorsKey3 =+    [+    -- Example 3.1+      VectorPSS+        { message = "\x59\x4b\x37\x33\x3b\xbb\x2c\x84\x52\x4a\x87\xc1\xa0\x1f\x75\xfc\xec\x0e\x32\x56\xf1\x08\xe3\x8d\xca\x36\xd7\x0d\x00\x57"+        , salt = "\xf3\x1a\xd6\xc8\xcf\x89\xdf\x78\xed\x77\xfe\xac\xbc\xc2\xf8\xb0\xa8\xe4\xcf\xaa"+        , signature = "\x00\x88\xb1\x35\xfb\x17\x94\xb6\xb9\x6c\x4a\x3e\x67\x81\x97\xf8\xca\xc5\x2b\x64\xb2\xfe\x90\x7d\x6f\x27\xde\x76\x11\x24\x96\x4a\x99\xa0\x1a\x88\x27\x40\xec\xfa\xed\x6c\x01\xa4\x74\x64\xbb\x05\x18\x23\x13\xc0\x13\x38\xa8\xcd\x09\x72\x14\xcd\x68\xca\x10\x3b\xd5\x7d\x3b\xc9\xe8\x16\x21\x3e\x61\xd7\x84\xf1\x82\x46\x7a\xbf\x8a\x01\xcf\x25\x3e\x99\xa1\x56\xea\xa8\xe3\xe1\xf9\x0e\x3c\x6e\x4e\x3a\xa2\xd8\x3e\xd0\x34\x5b\x89\xfa\xfc\x9c\x26\x07\x7c\x14\xb6\xac\x51\x45\x4f\xa2\x6e\x44\x6e\x3a\x2f\x15\x3b\x2b\x16\x79\x7f"+        }+    -- Example 3.2+    , VectorPSS+        { message = "\x8b\x76\x95\x28\x88\x4a\x0d\x1f\xfd\x09\x0c\xf1\x02\x99\x3e\x79\x6d\xad\xcf\xbd\xdd\x38\xe4\x4f\xf6\x32\x4c\xa4\x51"+        , salt = "\xfc\xf9\xf0\xe1\xf1\x99\xa3\xd1\xd0\xda\x68\x1c\x5b\x86\x06\xfc\x64\x29\x39\xf7"+        , signature = "\x02\xa5\xf0\xa8\x58\xa0\x86\x4a\x4f\x65\x01\x7a\x7d\x69\x45\x4f\x3f\x97\x3a\x29\x99\x83\x9b\x7b\xbc\x48\xbf\x78\x64\x11\x69\x17\x95\x56\xf5\x95\xfa\x41\xf6\xff\x18\xe2\x86\xc2\x78\x30\x79\xbc\x09\x10\xee\x9c\xc3\x4f\x49\xba\x68\x11\x24\xf9\x23\xdf\xa8\x8f\x42\x61\x41\xa3\x68\xa5\xf5\xa9\x30\xc6\x28\xc2\xc3\xc2\x00\xe1\x8a\x76\x44\x72\x1a\x0c\xbe\xc6\xdd\x3f\x62\x79\xbd\xe3\xe8\xf2\xbe\x5e\x2d\x4e\xe5\x6f\x97\xe7\xce\xaf\x33\x05\x4b\xe7\x04\x2b\xd9\x1a\x63\xbb\x09\xf8\x97\xbd\x41\xe8\x11\x97\xde\xe9\x9b\x11\xaf"+        }+    -- Example 3.3+    , VectorPSS+        { message = "\x1a\xbd\xba\x48\x9c\x5a\xda\x2f\x99\x5e\xd1\x6f\x19\xd5\xa9\x4d\x9e\x6e\xc3\x4a\x8d\x84\xf8\x45\x57\xd2\x6e\x5e\xf9\xb0\x2b\x22\x88\x7e\x3f\x9a\x4b\x69\x0a\xd1\x14\x92\x09\xc2\x0c\x61\x43\x1f\x0c\x01\x7c\x36\xc2\x65\x7b\x35\xd7\xb0\x7d\x3f\x5a\xd8\x70\x85\x07\xa9\xc1\xb8\x31\xdf\x83\x5a\x56\xf8\x31\x07\x18\x14\xea\x5d\x3d\x8d\x8f\x6a\xde\x40\xcb\xa3\x8b\x42\xdb\x7a\x2d\x3d\x7a\x29\xc8\xf0\xa7\x9a\x78\x38\xcf\x58\xa9\x75\x7f\xa2\xfe\x4c\x40\xdf\x9b\xaa\x19\x3b\xfc\x6f\x92\xb1\x23\xad\x57\xb0\x7a\xce\x3e\x6a\xc0\x68\xc9\xf1\x06\xaf\xd9\xee\xb0\x3b\x4f\x37\xc2\x5d\xbf\xbc\xfb\x30\x71\xf6\xf9\x77\x17\x66\xd0\x72\xf3\xbb\x07\x0a\xf6\x60\x55\x32\x97\x3a\xe2\x50\x51"+        , salt = "\x98\x6e\x7c\x43\xdb\xb6\x71\xbd\x41\xb9\xa7\xf4\xb6\xaf\xc8\x0e\x80\x5f\x24\x23"+        , signature = "\x02\x44\xbc\xd1\xc8\xc1\x69\x55\x73\x6c\x80\x3b\xe4\x01\x27\x2e\x18\xcb\x99\x08\x11\xb1\x4f\x72\xdb\x96\x41\x24\xd5\xfa\x76\x06\x49\xcb\xb5\x7a\xfb\x87\x55\xdb\xb6\x2b\xf5\x1f\x46\x6c\xf2\x3a\x0a\x16\x07\x57\x6e\x98\x3d\x77\x8f\xce\xff\xa9\x2d\xf7\x54\x8a\xea\x8e\xa4\xec\xad\x2c\x29\xdd\x9f\x95\xbc\x07\xfe\x91\xec\xf8\xbe\xe2\x55\xbf\xe8\x76\x2f\xd7\x69\x0a\xa9\xbf\xa4\xfa\x08\x49\xef\x72\x8c\x2c\x42\xc4\x53\x23\x64\x52\x2d\xf2\xab\x7f\x9f\x8a\x03\xb6\x3f\x7a\x49\x91\x75\x82\x86\x68\xf5\xef\x5a\x29\xe3\x80\x2c"+        }+    -- Example 3.4+    , VectorPSS+        { message = "\x8f\xb4\x31\xf5\xee\x79\x2b\x6c\x2a\xc7\xdb\x53\xcc\x42\x86\x55\xae\xb3\x2d\x03\xf4\xe8\x89\xc5\xc2\x5d\xe6\x83\xc4\x61\xb5\x3a\xcf\x89\xf9\xf8\xd3\xaa\xbd\xf6\xb9\xf0\xc2\xa1\xde\x12\xe1\x5b\x49\xed\xb3\x91\x9a\x65\x2f\xe9\x49\x1c\x25\xa7\xfc\xe1\xf7\x22\xc2\x54\x36\x08\xb6\x9d\xc3\x75\xec"+        , salt = "\xf8\x31\x2d\x9c\x8e\xea\x13\xec\x0a\x4c\x7b\x98\x12\x0c\x87\x50\x90\x87\xc4\x78"+        , signature = "\x01\x96\xf1\x2a\x00\x5b\x98\x12\x9c\x8d\xf1\x3c\x4c\xb1\x6f\x8a\xa8\x87\xd3\xc4\x0d\x96\xdf\x3a\x88\xe7\x53\x2e\xf3\x9c\xd9\x92\xf2\x73\xab\xc3\x70\xbc\x1b\xe6\xf0\x97\xcf\xeb\xbf\x01\x18\xfd\x9e\xf4\xb9\x27\x15\x5f\x3d\xf2\x2b\x90\x4d\x90\x70\x2d\x1f\x7b\xa7\xa5\x2b\xed\x8b\x89\x42\xf4\x12\xcd\x7b\xd6\x76\xc9\xd1\x8e\x17\x03\x91\xdc\xd3\x45\xc0\x6a\x73\x09\x64\xb3\xf3\x0b\xcc\xe0\xbb\x20\xba\x10\x6f\x9a\xb0\xee\xb3\x9c\xf8\xa6\x60\x7f\x75\xc0\x34\x7f\x0a\xf7\x9f\x16\xaf\xa0\x81\xd2\xc9\x2d\x1e\xe6\xf8\x36\xb8"+        }+    -- Example 3.5+    , VectorPSS+        { message = "\xfe\xf4\x16\x1d\xfa\xaf\x9c\x52\x95\x05\x1d\xfc\x1f\xf3\x81\x0c\x8c\x9e\xc2\xe8\x66\xf7\x07\x54\x22\xc8\xec\x42\x16\xa9\xc4\xff\x49\x42\x7d\x48\x3c\xae\x10\xc8\x53\x4a\x41\xb2\xfd\x15\xfe\xe0\x69\x60\xec\x6f\xb3\xf7\xa7\xe9\x4a\x2f\x8a\x2e\x3e\x43\xdc\x4a\x40\x57\x6c\x30\x97\xac\x95\x3b\x1d\xe8\x6f\x0b\x4e\xd3\x6d\x64\x4f\x23\xae\x14\x42\x55\x29\x62\x24\x64\xca\x0c\xbf\x0b\x17\x41\x34\x72\x38\x15\x7f\xab\x59\xe4\xde\x55\x24\x09\x6d\x62\xba\xec\x63\xac\x64"+        , salt = "\x50\x32\x7e\xfe\xc6\x29\x2f\x98\x01\x9f\xc6\x7a\x2a\x66\x38\x56\x3e\x9b\x6e\x2d"+        , signature = "\x02\x1e\xca\x3a\xb4\x89\x22\x64\xec\x22\x41\x1a\x75\x2d\x92\x22\x10\x76\xd4\xe0\x1c\x0e\x6f\x0d\xde\x9a\xfd\x26\xba\x5a\xcf\x6d\x73\x9e\xf9\x87\x54\x5d\x16\x68\x3e\x56\x74\xc9\xe7\x0f\x1d\xe6\x49\xd7\xe6\x1d\x48\xd0\xca\xeb\x4f\xb4\xd8\xb2\x4f\xba\x84\xa6\xe3\x10\x8f\xee\x7d\x07\x05\x97\x32\x66\xac\x52\x4b\x4a\xd2\x80\xf7\xae\x17\xdc\x59\xd9\x6d\x33\x51\x58\x6b\x5a\x3b\xdb\x89\x5d\x1e\x1f\x78\x20\xac\x61\x35\xd8\x75\x34\x80\x99\x83\x82\xba\x32\xb7\x34\x95\x59\x60\x8c\x38\x74\x52\x90\xa8\x5e\xf4\xe9\xf9\xbd\x83"+        }+    -- Example 3.6+    , VectorPSS+        { message = "\xef\xd2\x37\xbb\x09\x8a\x44\x3a\xee\xb2\xbf\x6c\x3f\x8c\x81\xb8\xc0\x1b\x7f\xcb\x3f\xeb"+        , salt = "\xb0\xde\x3f\xc2\x5b\x65\xf5\xaf\x96\xb1\xd5\xcc\x3b\x27\xd0\xc6\x05\x30\x87\xb3"+        , signature = "\x01\x2f\xaf\xec\x86\x2f\x56\xe9\xe9\x2f\x60\xab\x0c\x77\x82\x4f\x42\x99\xa0\xca\x73\x4e\xd2\x6e\x06\x44\xd5\xd2\x22\xc7\xf0\xbd\xe0\x39\x64\xf8\xe7\x0a\x5c\xb6\x5e\xd4\x4e\x44\xd5\x6a\xe0\xed\xf1\xff\x86\xca\x03\x2c\xc5\xdd\x44\x04\xdb\xb7\x6a\xb8\x54\x58\x6c\x44\xee\xd8\x33\x6d\x08\xd4\x57\xce\x6c\x03\x69\x3b\x45\xc0\xf1\xef\xef\x93\x62\x4b\x95\xb8\xec\x16\x9c\x61\x6d\x20\xe5\x53\x8e\xbc\x0b\x67\x37\xa6\xf8\x2b\x4b\xc0\x57\x09\x24\xfc\x6b\x35\x75\x9a\x33\x48\x42\x62\x79\xf8\xb3\xd7\x74\x4e\x2d\x22\x24\x26\xce"+        }+    ] -# Salt:-ad 8b 15 23 70 36 46 22 4b 66 0b 55 08 85 91 7c -a2 d1 df 28 +-- ==================================+-- Example 8: A 1031-bit RSA Key Pair+-- ================================== -# Signature:-6d 3b 5b 87 f6 7e a6 57 af 21 f7 54 41 97 7d 21 -80 f9 1b 2c 5f 69 2d e8 29 55 69 6a 68 67 30 d9 -b9 77 8d 97 07 58 cc b2 60 71 c2 20 9f fb d6 12 -5b e2 e9 6e a8 1b 67 cb 9b 93 08 23 9f da 17 f7 -b2 b6 4e cd a0 96 b6 b9 35 64 0a 5a 1c b4 2a 91 -55 b1 c9 ef 7a 63 3a 02 c5 9f 0d 6e e5 9b 85 2c -43 b3 50 29 e7 3c 94 0f f0 41 0e 8f 11 4e ed 46 -bb d0 fa e1 65 e4 2b e2 52 8a 40 1c 3b 28 fd 81 -8e f3 23 2d ca 9f 4d 2a 0f 51 66 ec 59 c4 23 96 -d6 c1 1d bc 12 15 a5 6f a1 71 69 db 95 75 34 3e -f3 4f 9d e3 2a 49 cd c3 17 49 22 f2 29 c2 3e 18 -e4 5d f9 35 31 19 ec 43 19 ce dc e7 a1 7c 64 08 -8c 1f 6f 52 be 29 63 41 00 b3 91 9d 38 f3 d1 ed -94 e6 89 1e 66 a7 3b 8f b8 49 f5 87 4d f5 94 59 -e2 98 c7 bb ce 2e ee 78 2a 19 5a a6 6f e2 d0 73 -2b 25 e5 95 f5 7d 3e 06 1b 1f c3 e4 06 3b f9 8f +rsaKey8 = PrivateKey+    { private_pub = PublicKey+        { public_n = 0x495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f+        , public_e = 0x010001+        , public_size = 129+        }+    , private_d = 0x6c66ffe98980c38fcdeab5159898836165f4b4b817c4f6a8d486ee4ea9130fe9b9092bd136d184f95f504a607eac565846d2fdd6597a8967c7396ef95a6eeebb4578a643966dca4d8ee3de842de63279c618159c1ab54a89437b6a6120e4930afb52a4ba6ced8a4947ac64b30a3497cbe701c2d6266d517219ad0ec6d347dbe9+    , private_p = 0x08dad7f11363faa623d5d6d5e8a319328d82190d7127d2846c439b0ab72619b0a43a95320e4ec34fc3a9cea876422305bd76c5ba7be9e2f410c8060645a1d29edb+    , private_q = 0x0847e732376fc7900f898ea82eb2b0fc418565fdae62f7d9ec4ce2217b97990dd272db157f99f63c0dcbb9fbacdbd4c4dadb6df67756358ca4174825b48f49706d+    , private_dP = 0x05c2a83c124b3621a2aa57ea2c3efe035eff4560f33ddebb7adab81fce69a0c8c2edc16520dda83d59a23be867963ac65f2cc710bbcfb96ee103deb771d105fd85+    , private_dQ = 0x04cae8aa0d9faa165c87b682ec140b8ed3b50b24594b7a3b2c220b3669bb819f984f55310a1ae7823651d4a02e99447972595139363434e5e30a7e7d241551e1b9+    , private_qinv = 0x07d3e47bf686600b11ac283ce88dbb3f6051e8efd04680e44c171ef531b80b2b7c39fc766320e2cf15d8d99820e96ff30dc69691839c4b40d7b06e45307dc91f3f+    } --}+vectorsKey8 =+    [+    -- Example 8.1+      VectorPSS+        { message = "\x81\x33\x2f\x4b\xe6\x29\x48\x41\x5e\xa1\xd8\x99\x79\x2e\xea\xcf\x6c\x6e\x1d\xb1\xda\x8b\xe1\x3b\x5c\xea\x41\xdb\x2f\xed\x46\x70\x92\xe1\xff\x39\x89\x14\xc7\x14\x25\x97\x75\xf5\x95\xf8\x54\x7f\x73\x56\x92\xa5\x75\xe6\x92\x3a\xf7\x8f\x22\xc6\x99\x7d\xdb\x90\xfb\x6f\x72\xd7\xbb\x0d\xd5\x74\x4a\x31\xde\xcd\x3d\xc3\x68\x58\x49\x83\x6e\xd3\x4a\xec\x59\x63\x04\xad\x11\x84\x3c\x4f\x88\x48\x9f\x20\x97\x35\xf5\xfb\x7f\xda\xf7\xce\xc8\xad\xdc\x58\x18\x16\x8f\x88\x0a\xcb\xf4\x90\xd5\x10\x05\xb7\xa8\xe8\x4e\x43\xe5\x42\x87\x97\x75\x71\xdd\x99\xee\xa4\xb1\x61\xeb\x2d\xf1\xf5\x10\x8f\x12\xa4\x14\x2a\x83\x32\x2e\xdb\x05\xa7\x54\x87\xa3\x43\x5c\x9a\x78\xce\x53\xed\x93\xbc\x55\x08\x57\xd7\xa9\xfb"+        , salt = "\x1d\x65\x49\x1d\x79\xc8\x64\xb3\x73\x00\x9b\xe6\xf6\xf2\x46\x7b\xac\x4c\x78\xfa"+        , signature = "\x02\x62\xac\x25\x4b\xfa\x77\xf3\xc1\xac\xa2\x2c\x51\x79\xf8\xf0\x40\x42\x2b\x3c\x5b\xaf\xd4\x0a\x8f\x21\xcf\x0f\xa5\xa6\x67\xcc\xd5\x99\x3d\x42\xdb\xaf\xb4\x09\xc5\x20\xe2\x5f\xce\x2b\x1e\xe1\xe7\x16\x57\x7f\x1e\xfa\x17\xf3\xda\x28\x05\x2f\x40\xf0\x41\x9b\x23\x10\x6d\x78\x45\xaa\xf0\x11\x25\xb6\x98\xe7\xa4\xdf\xe9\x2d\x39\x67\xbb\x00\xc4\xd0\xd3\x5b\xa3\x55\x2a\xb9\xa8\xb3\xee\xf0\x7c\x7f\xec\xdb\xc5\x42\x4a\xc4\xdb\x1e\x20\xcb\x37\xd0\xb2\x74\x47\x69\x94\x0e\xa9\x07\xe1\x7f\xbb\xca\x67\x3b\x20\x52\x23\x80\xc5"+        }+    -- Example 8.2+    , VectorPSS+        { message = "\xe2\xf9\x6e\xaf\x0e\x05\xe7\xba\x32\x6e\xcc\xa0\xba\x7f\xd2\xf7\xc0\x23\x56\xf3\xce\xde\x9d\x0f\xaa\xbf\x4f\xcc\x8e\x60\xa9\x73\xe5\x59\x5f\xd9\xea\x08"+        , salt = "\x43\x5c\x09\x8a\xa9\x90\x9e\xb2\x37\x7f\x12\x48\xb0\x91\xb6\x89\x87\xff\x18\x38"+        , signature = "\x27\x07\xb9\xad\x51\x15\xc5\x8c\x94\xe9\x32\xe8\xec\x0a\x28\x0f\x56\x33\x9e\x44\xa1\xb5\x8d\x4d\xdc\xff\x2f\x31\x2e\x5f\x34\xdc\xfe\x39\xe8\x9c\x6a\x94\xdc\xee\x86\xdb\xbd\xae\x5b\x79\xba\x4e\x08\x19\xa9\xe7\xbf\xd9\xd9\x82\xe7\xee\x6c\x86\xee\x68\x39\x6e\x8b\x3a\x14\xc9\xc8\xf3\x4b\x17\x8e\xb7\x41\xf9\xd3\xf1\x21\x10\x9b\xf5\xc8\x17\x2f\xad\xa2\xe7\x68\xf9\xea\x14\x33\x03\x2c\x00\x4a\x8a\xa0\x7e\xb9\x90\x00\x0a\x48\xdc\x94\xc8\xba\xc8\xaa\xbe\x2b\x09\xb1\xaa\x46\xc0\xa2\xaa\x0e\x12\xf6\x3f\xbb\xa7\x75\xba\x7e"+        }+    -- Example 8.3+    , VectorPSS+        { message = "\xe3\x5c\x6e\xd9\x8f\x64\xa6\xd5\xa6\x48\xfc\xab\x8a\xdb\x16\x33\x1d\xb3\x2e\x5d\x15\xc7\x4a\x40\xed\xf9\x4c\x3d\xc4\xa4\xde\x79\x2d\x19\x08\x89\xf2\x0f\x1e\x24\xed\x12\x05\x4a\x6b\x28\x79\x8f\xcb\x42\xd1\xc5\x48\x76\x9b\x73\x4c\x96\x37\x31\x42\x09\x2a\xed\x27\x76\x03\xf4\x73\x8d\xf4\xdc\x14\x46\x58\x6d\x0e\xc6\x4d\xa4\xfb\x60\x53\x6d\xb2\xae\x17\xfc\x7e\x3c\x04\xbb\xfb\xbb\xd9\x07\xbf\x11\x7c\x08\x63\x6f\xa1\x6f\x95\xf5\x1a\x62\x16\x93\x4d\x3e\x34\xf8\x50\x30\xf1\x7b\xbb\xc5\xba\x69\x14\x40\x58\xaf\xf0\x81\xe0\xb1\x9c\xf0\x3c\x17\x19\x5c\x5e\x88\x8b\xa5\x8f\x6f\xe0\xa0\x2e\x5c\x3b\xda\x97\x19\xa7"+        , salt = "\xc6\xeb\xbe\x76\xdf\x0c\x4a\xea\x32\xc4\x74\x17\x5b\x2f\x13\x68\x62\xd0\x45\x29"+        , signature = "\x2a\xd2\x05\x09\xd7\x8c\xf2\x6d\x1b\x6c\x40\x61\x46\x08\x6e\x4b\x0c\x91\xa9\x1c\x2b\xd1\x64\xc8\x7b\x96\x6b\x8f\xaa\x42\xaa\x0c\xa4\x46\x02\x23\x23\xba\x4b\x1a\x1b\x89\x70\x6d\x7f\x4c\x3b\xe5\x7d\x7b\x69\x70\x2d\x16\x8a\xb5\x95\x5e\xe2\x90\x35\x6b\x8c\x4a\x29\xed\x46\x7d\x54\x7e\xc2\x3c\xba\xdf\x28\x6c\xcb\x58\x63\xc6\x67\x9d\xa4\x67\xfc\x93\x24\xa1\x51\xc7\xec\x55\xaa\xc6\xdb\x40\x84\xf8\x27\x26\x82\x5c\xfe\x1a\xa4\x21\xbc\x64\x04\x9f\xb4\x2f\x23\x14\x8f\x9c\x25\xb2\xdc\x30\x04\x37\xc3\x8d\x42\x8a\xa7\x5f\x96"+        }+    -- Example 8.4+    , VectorPSS+        { message = "\xdb\xc5\xf7\x50\xa7\xa1\x4b\xe2\xb9\x3e\x83\x8d\x18\xd1\x4a\x86\x95\xe5\x2e\x8a\xdd\x9c\x0a\xc7\x33\xb8\xf5\x6d\x27\x47\xe5\x29\xa0\xcc\xa5\x32\xdd\x49\xb9\x02\xae\xfe\xd5\x14\x44\x7f\x9e\x81\xd1\x61\x95\xc2\x85\x38\x68\xcb\x9b\x30\xf7\xd0\xd4\x95\xc6\x9d\x01\xb5\xc5\xd5\x0b\x27\x04\x5d\xb3\x86\x6c\x23\x24\xa4\x4a\x11\x0b\x17\x17\x74\x6d\xe4\x57\xd1\xc8\xc4\x5c\x3c\xd2\xa9\x29\x70\xc3\xd5\x96\x32\x05\x5d\x4c\x98\xa4\x1d\x6e\x99\xe2\xa3\xdd\xd5\xf7\xf9\x97\x9a\xb3\xcd\x18\xf3\x75\x05\xd2\x51\x41\xde\x2a\x1b\xff\x17\xb3\xa7\xdc\xe9\x41\x9e\xcc\x38\x5c\xf1\x1d\x72\x84\x0f\x19\x95\x3f\xd0\x50\x92\x51\xf6\xca\xfd\xe2\x89\x3d\x0e\x75\xc7\x81\xba\x7a\x50\x12\xca\x40\x1a\x4f\xa9\x9e\x04\xb3\xc3\x24\x9f\x92\x6d\x5a\xfe\x82\xcc\x87\xda\xb2\x2c\x3c\x1b\x10\x5d\xe4\x8e\x34\xac\xe9\xc9\x12\x4e\x59\x59\x7a\xc7\xeb\xf8"+        , salt = "\x02\x1f\xdc\xc6\xeb\xb5\xe1\x9b\x1c\xb1\x6e\x9c\x67\xf2\x76\x81\x65\x7f\xe2\x0a"+        , signature = "\x1e\x24\xe6\xe5\x86\x28\xe5\x17\x50\x44\xa9\xeb\x6d\x83\x7d\x48\xaf\x12\x60\xb0\x52\x0e\x87\x32\x7d\xe7\x89\x7e\xe4\xd5\xb9\xf0\xdf\x0b\xe3\xe0\x9e\xd4\xde\xa8\xc1\x45\x4f\xf3\x42\x3b\xb0\x8e\x17\x93\x24\x5a\x9d\xf8\xbf\x6a\xb3\x96\x8c\x8e\xdd\xc3\xb5\x32\x85\x71\xc7\x7f\x09\x1c\xc5\x78\x57\x69\x12\xdf\xeb\xd1\x64\xb9\xde\x54\x54\xfe\x0b\xe1\xc1\xf6\x38\x5b\x32\x83\x60\xce\x67\xec\x7a\x05\xf6\xe3\x0e\xb4\x5c\x17\xc4\x8a\xc7\x00\x41\xd2\xca\xb6\x7f\x0a\x2a\xe7\xaa\xfd\xcc\x8d\x24\x5e\xa3\x44\x2a\x63\x00\xcc\xc7"+        }+    -- Example 8.5+    , VectorPSS+        { message = "\x04\xdc\x25\x1b\xe7\x2e\x88\xe5\x72\x34\x85\xb6\x38\x3a\x63\x7e\x2f\xef\xe0\x76\x60\xc5\x19\xa5\x60\xb8\xbc\x18\xbd\xed\xb8\x6e\xae\x23\x64\xea\x53\xba\x9d\xca\x6e\xb3\xd2\xe7\xd6\xb8\x06\xaf\x42\xb3\xe8\x7f\x29\x1b\x4a\x88\x81\xd5\xbf\x57\x2c\xc9\xa8\x5e\x19\xc8\x6a\xcb\x28\xf0\x98\xf9\xda\x03\x83\xc5\x66\xd3\xc0\xf5\x8c\xfd\x8f\x39\x5d\xcf\x60\x2e\x5c\xd4\x0e\x8c\x71\x83\xf7\x14\x99\x6e\x22\x97\xef"+        , salt = "\xc5\x58\xd7\x16\x7c\xbb\x45\x08\xad\xa0\x42\x97\x1e\x71\xb1\x37\x7e\xea\x42\x69"+        , signature = "\x33\x34\x1b\xa3\x57\x6a\x13\x0a\x50\xe2\xa5\xcf\x86\x79\x22\x43\x88\xd5\x69\x3f\x5a\xcc\xc2\x35\xac\x95\xad\xd6\x8e\x5e\xb1\xee\xc3\x16\x66\xd0\xca\x7a\x1c\xda\x6f\x70\xa1\xaa\x76\x2c\x05\x75\x2a\x51\x95\x0c\xdb\x8a\xf3\xc5\x37\x9f\x18\xcf\xe6\xb5\xbc\x55\xa4\x64\x82\x26\xa1\x5e\x91\x2e\xf1\x9a\xd7\x7a\xde\xea\x91\x1d\x67\xcf\xef\xd6\x9b\xa4\x3f\xa4\x11\x91\x35\xff\x64\x21\x17\xba\x98\x5a\x7e\x01\x00\x32\x5e\x95\x19\xf1\xca\x6a\x92\x16\xbd\xa0\x55\xb5\x78\x50\x15\x29\x11\x25\xe9\x0d\xcd\x07\xa2\xca\x96\x73\xee"+        }+    -- Example 8.6+    , VectorPSS+        { message = "\x0e\xa3\x7d\xf9\xa6\xfe\xa4\xa8\xb6\x10\x37\x3c\x24\xcf\x39\x0c\x20\xfa\x6e\x21\x35\xc4\x00\xc8\xa3\x4f\x5c\x18\x3a\x7e\x8e\xa4\xc9\xae\x09\x0e\xd3\x17\x59\xf4\x2d\xc7\x77\x19\xcc\xa4\x00\xec\xdc\xc5\x17\xac\xfc\x7a\xc6\x90\x26\x75\xb2\xef\x30\xc5\x09\x66\x5f\x33\x21\x48\x2f\xc6\x9a\x9f\xb5\x70\xd1\x5e\x01\xc8\x45\xd0\xd8\xe5\x0d\x2a\x24\xcb\xf1\xcf\x0e\x71\x49\x75\xa5\xdb\x7b\x18\xd9\xe9\xe9\xcb\x91\xb5\xcb\x16\x86\x90\x60\xed\x18\xb7\xb5\x62\x45\x50\x3f\x0c\xaf\x90\x35\x2b\x8d\xe8\x1c\xb5\xa1\xd9\xc6\x33\x60\x92\xf0\xcd"+        , salt = "\x76\xfd\x4e\x64\xfd\xc9\x8e\xb9\x27\xa0\x40\x3e\x35\xa0\x84\xe7\x6b\xa9\xf9\x2a"+        , signature = "\x1e\xd1\xd8\x48\xfb\x1e\xdb\x44\x12\x9b\xd9\xb3\x54\x79\x5a\xf9\x7a\x06\x9a\x7a\x00\xd0\x15\x10\x48\x59\x3e\x0c\x72\xc3\x51\x7f\xf9\xff\x2a\x41\xd0\xcb\x5a\x0a\xc8\x60\xd7\x36\xa1\x99\x70\x4f\x7c\xb6\xa5\x39\x86\xa8\x8b\xbd\x8a\xbc\xc0\x07\x6a\x2c\xe8\x47\x88\x00\x31\x52\x5d\x44\x9d\xa2\xac\x78\x35\x63\x74\xc5\x36\xe3\x43\xfa\xa7\xcb\xa4\x2a\x5a\xaa\x65\x06\x08\x77\x91\xc0\x6a\x8e\x98\x93\x35\xae\xd1\x9b\xfa\xb2\xd5\xe6\x7e\x27\xfb\x0c\x28\x75\xaf\x89\x6c\x21\xb6\xe8\xe7\x30\x9d\x04\xe4\xf6\x72\x7e\x69\x46\x3e"+        }+    ] -doSignTest key (i, vector) = testCase (show i) (Right (signature vector) @=? actual)+doSignTest key i vector = testCase (show i) (Right (signature vector) @=? actual)     where actual = PSS.signWithSalt (salt vector) Nothing PSS.defaultPSSParamsSHA1 key (message vector) -doVerifyTest key (i, vector) = testCase (show i) (True @=? actual)+doVerifyTest key i vector = testCase (show i) (True @=? actual)     where actual = PSS.verify PSS.defaultPSSParamsSHA1 (private_pub key) (message vector) (signature vector)  pssTests = testGroup "RSA-PSS"     [ testGroup "signature internal"-        [ doSignTest rsaKeyInt (katZero, vectorInt) ]+        [ doSignTest rsaKeyInt katZero vectorInt ]     , testGroup "verify internal"-        [ doVerifyTest rsaKeyInt (katZero, vectorInt) ]-    , testGroup "signature key 1024" $ map (doSignTest rsaKey1) (zip [katZero..] vectorsKey1)-    , testGroup "verify key 1024" $ map (doVerifyTest rsaKey1) (zip [katZero..] vectorsKey1)+        [ doVerifyTest rsaKeyInt katZero vectorInt ]+    , testGroup "signature key 1024" $ zipWith (doSignTest rsaKey1) [katZero..] vectorsKey1+    , testGroup "verify key 1024" $ zipWith (doVerifyTest rsaKey1) [katZero..] vectorsKey1+    , testGroup "signature key 1025" $ zipWith (doSignTest rsaKey2) [katZero..] vectorsKey2+    , testGroup "verify key 1025" $ zipWith (doVerifyTest rsaKey2) [katZero..] vectorsKey2+    , testGroup "signature key 1026" $ zipWith (doSignTest rsaKey3) [katZero..] vectorsKey3+    , testGroup "verify key 1026" $ zipWith (doVerifyTest rsaKey3) [katZero..] vectorsKey3+    , testGroup "signature key 1031" $ zipWith (doSignTest rsaKey8) [katZero..] vectorsKey8+    , testGroup "verify key 1031" $ zipWith (doVerifyTest rsaKey8) [katZero..] vectorsKey8     ]
+ tests/KAT_PubKey/RSA.hs view
@@ -0,0 +1,102 @@+{-# LANGUAGE OverloadedStrings #-}+module KAT_PubKey.RSA (rsaTests) where++import qualified Crypto.PubKey.RSA        as RSA+import qualified Crypto.PubKey.RSA.PKCS15 as RSA+import           Crypto.Hash++import           Imports++import           Data.Either (isRight)++data VectorRSA = VectorRSA+    { size :: Int+    , msg  :: ByteString+    , n    :: Integer+    , e    :: Integer+    , d    :: Integer+    , p    :: Integer+    , q    :: Integer+    , dP   :: Integer+    , dQ   :: Integer+    , qinv :: Integer+    , sig  :: Either RSA.Error ByteString+    }++vectorsSHA1 =+    [ VectorRSA+        { size = 2048 `div` 8+        , msg  = "The quick brown fox jumps over the lazy dog"+        , n    = 0x00c896c245fcca81775346c5f4f958229cab1aee08196dab4ee5959018b856aab93e4486f37a32da1a6804403c88473ecf9f1b9266fc682400d45329b6ec195710c98d9ba728bc09d767e7e9d9b8b102c3b7e7529b87f649a2a5ebe165da21863ec7842de600a834a8be2227bc989145b52f84ba685d45484a3d530745598a5d8a9e7551b3278bf139a770929f776aed5d43559205fe937df93eeb8ff3fb3f2ce22d4b8a5c17aeafd19758ac5e6251df09ef6a2858e8558a7f476dde4efe859ff2fcb97767614563033fd1d2d300196b1abf256f7badb16c17def3804946d1bf9cd51760176b41bbd506b44ff2bfe5bcd5052180da3cfbbc6cd6f662c06a8baed9+        , e    = 0x10001+        , d    = 0x58aa533bae8f310536d95cdd796e5cf655a7f4b9bdcbbd62859743f7b95c0de10e462a44ebaa18c07d640ba4f6344fee648d427ca56bbf2662b45407187be70173a655bc6104257182eb7f720ef2a79f2de6619c804ffca299a7179df6fac4a57179daf4052c550295f0f111ab7ae38e406ff219f9c88b38cdbcaac51bdc4e961361b87e100d168fc08b298626a806b3bfeaa9579f400bbe6e3e6e4ae9b27446e1c5ce8c10c848b9ad7b6ed3a6b3871ad6a1a88af24e581da054845c197e8bae1582858410087c1180c4f0cc61689abfd0f61b8031910f3b3779e11a7fbe823d9a704c63c313f78c994975de834ee9ead5faf6c18b3e4248c51ba307776bf845+        , p    = 0x00f85bfcfe55af59445f21f67ab1d8617d1f84360556eeb660d5c466f29e4d2228f9cc3fde4c594ea97069a19c666b68b6d905b65738ae63de6c11f9181ee9262313e5165591651bb3abec192abbc8c3694550bcffa451a2e2d1976bf3ecbc4480354f8d8646133298156aaa626b8807c5295850f93686400835466b6a5ccec61b+        , q    = 0x00cec28b22b1d37c6c60d25e9747cb1bebd1270f0306db56ed8533f392d6a0cfe6b3dde13789758cf89febac214ba96667e46599f89ca210dced550ca6092a854ff95dff80ea48ff1a83455f4bb93f2ececa782da03b85a789239e8be5264130628724ceab57c8f76e4c7e822bf4fbf334c7d32610bec65047433e0e3b636afe1b+        , dP   = 0x52fe0a50c339514f33ab19be6e67ac4c2f97f2a55e236ef674f8a89e329ffbe64d731f749d76ca7e7c7e0fef3f9a6ce78d260784a600408736fdda8b60e8f0419088612a3ee7d695f7c171b78200d8abf8e9bdfe7f5e785beb45fa610c9eed151abb76c383ef2e5cfbeb24fcb68a426e741e7b108c53d859e5d39e5970a1f839+        , dQ   = 0x39ef91853b47038a6ae707d2642fa9b73e782f60adbf307085eeb4c5e496532b56234a4481a40ac870275da846c74506bf9d28b3dd501c618baf5548013185018fe2a301c0a48bb726297e367dc6129ba7685d8094ad32f0dea64295074f24fbb6dabd7e8daea686a5b09d512be89d91a09cae01eb332eb389480e3cddf2d119+        , qinv = 0x09ce1fa29008ef4b9798e5b8ec213dbdfec4fab4403ebf4b8786ad401ef33bc880c40a990b0826f72415192a206a504b27d2ba45ca555706200ea8e7a9b42d4077e9e6e0d80d4144966c53a36d23d30d987322dcc0013efe8df3b6b5914a2ceefc22cc5de6d569731794e9894f18f11d36a79558dc4c3ae5db1ce9bd05e7bf2e+        , sig  = Right "\x56\x66\x99\x0f\xd4\xea\x2b\xe0\x6d\x46\x3b\x10\x99\x5b\x06\x32\x5e\xec\x29\xfe\xa4\x63\x4d\x54\xf6\x31\x74\x5d\x01\x5a\x67\x09\x2e\xa7\x02\x8a\x48\x00\x3c\x0d\xef\x04\xe7\x52\x46\xe0\xfa\xb1\x42\x26\x89\xe7\xec\x25\x44\x76\xa0\x86\x33\xb0\xbe\x22\x17\x88\x9b\x18\x4d\x3e\xc2\x9b\xd4\x61\x2b\x9e\xde\x08\x56\xf8\xd5\xee\xb8\x38\xf4\x3d\xda\x9a\xbb\x34\x58\x87\x71\x1d\x1a\x7e\xc7\x3d\x46\x39\x01\x79\x29\x8b\xa4\xcd\xce\xd7\xab\xcb\x2e\x94\x5c\xfd\x54\xcc\xef\x80\x31\xfc\x5e\x8f\xc2\x4d\x76\x1e\x4c\xbc\x50\x7a\x9b\x08\xae\x85\xeb\x6a\xe0\x80\xdc\xff\x60\x13\xb0\x31\x94\x14\x9d\x8f\x9f\x48\x38\xcf\x4c\x82\x9d\x3b\x68\xc6\xe4\xe9\x5d\x94\x74\xa2\xac\x1f\xb9\x84\x41\x86\x11\xeb\x2c\x50\x64\xd7\x00\xe0\x85\x21\x5a\xd7\xae\x9b\x4c\x8e\x6a\x92\x97\xac\xcc\xb8\x38\x4f\x41\xb9\x3d\xa9\xfe\x69\x8b\x04\x81\xad\xfb\x0f\x49\x74\xfe\x26\x9c\x86\x0c\xf3\xd1\x8e\xa1\xb5\xaf\xef\x85\x3d\xfe\xd0\x7c\xcf\x18\xe4\x0f\x14\x99\xea\x93\x61\x79\x16\xbf\x38\xac\xa2\xa2\xac\xac\x2d\xae\x21\x85\x71\x94\xda\x5d\xa1\x82\xa8\x76\x82\xe5\x2f"+        }+    , VectorRSA+        { size = 360 `div` 8+        , msg  = "The quick brown fox jumps over the lazy dog"+        , n    = 0x00bc2d7481c83c8be55da4caeaf1a30dbf9a1226ba7443c0a66213180d3eb8e29c3162401b7be067dff8f571a8eb+        , e    = 0x10001+        , d    = 0x726fb62d82c707507a2d5055a6934136270d28ce350c3a36d89066e26fb54f5b33da0bc9a05c2084f2b39be4e1+        , p    = 0x0e3ff89e1f95a461c9f5ee480fd7b13529a225f3ee07fb+        , q    = 0x0d349ebc89329b493c03451ad20155de9775df55c55fd1+        , dP   = 0x00943adef9fb93a561967bab33f198c2c7414e777df997+        , dQ   = 0x078de99ceb5392f7f327dfb97717a27ae2e4606dddaa71+        , qinv = 0x0c54d59eaa029844fb3fe33a180161590b1cb103cc668e+        , sig  = Left RSA.SignatureTooLong+        }+    , VectorRSA+        { size = 368 `div` 8+        , msg  = "The quick brown fox jumps over the lazy dog"+        , n    = 0x009cff2fd20246e390d6860b48a3926e83086d1386f7147e9f195623cf8f18546ceb20d428b77e0748864c8f611cb7+        , e    = 0x10001+        , d    = 0x0097706cbf6624dd448c3a36ce35c27d49762a4948ca33804178d2ff826f8d336aaed622801c8d76d442be371da841+        , p    = 0x00d12519f81441069ab1a86c38e0065e9578a46e655d5a17+        , q    = 0x00c02b485ac3ee241d57b6b282f830d7d5bf6f4de75c1661+        , dP   = 0x00a1af4611444f34f4d88d7504cf23fd711e70382c42ec07+        , dQ   = 0x04226a4219a90bf9dda33e9ff6bb0649c0fea20c723cc1+        , qinv = 0x5dd87bf3c1e295dcc8602859a7cd74f05a2fe91a9d5877+        , sig  = Right "\x51\xe4\xdd\x98\xee\xd5\x06\xef\x7a\xa5\x3c\xaf\x29\x33\xa4\x91\xfa\x8b\xb8\x09\xcf\x3e\xa1\x64\x92\x71\xad\x7b\x3a\x83\xb2\xa0\x77\x94\x4e\x59\xdf\x69\x58\x2e\xc8\x8d\xa0\x70\xfe\x7d"+        }+    ]++vectorToPrivate :: VectorRSA -> RSA.PrivateKey+vectorToPrivate vector = RSA.PrivateKey+    { RSA.private_pub  = vectorToPublic vector+    , RSA.private_d    = d vector+    , RSA.private_p    = p vector+    , RSA.private_q    = q vector+    , RSA.private_dP   = dP vector+    , RSA.private_dQ   = dQ vector+    , RSA.private_qinv = qinv vector+    }++vectorToPublic :: VectorRSA -> RSA.PublicKey+vectorToPublic vector = RSA.PublicKey+    { RSA.public_size = size vector+    , RSA.public_n    = n vector+    , RSA.public_e    = e vector+    }++vectorHasSignature :: VectorRSA -> Bool+vectorHasSignature = isRight . sig++doSignatureTest i vector = testCase (show i) (expected @=? actual)+    where expected = sig vector+          actual   = RSA.sign Nothing (Just SHA1) (vectorToPrivate vector) (msg vector)++doVerifyTest i vector = testCase (show i) (True @=? actual)+    where actual = RSA.verify (Just SHA1) (vectorToPublic vector) (msg vector) bs+          Right bs = sig vector++rsaTests = testGroup "RSA"+    [ testGroup "SHA1"+        [ testGroup "signature" $ zipWith doSignatureTest [katZero..] vectorsSHA1+        , testGroup "verify" $ zipWith doVerifyTest [katZero..] $ filter vectorHasSignature vectorsSHA1+        ]+    ]
+ tests/KAT_PubKey/Rabin.hs view
@@ -0,0 +1,145 @@+{-# LANGUAGE OverloadedStrings #-}+module KAT_PubKey.Rabin (rabinTests) where++import qualified Data.ByteString as B++import           Crypto.Hash+import           Crypto.Number.Serialize (os2ip)+import qualified Crypto.PubKey.Rabin.Basic as BRabin+import qualified Crypto.PubKey.Rabin.Modified as MRabin+import qualified Crypto.PubKey.Rabin.OAEP as OAEP+import qualified Crypto.PubKey.Rabin.RW as RW++import           Imports++basicRabinKey = BRabin.PrivateKey+    { BRabin.private_pub = BRabin.PublicKey+        { BRabin.public_n = 0xc9c4b0df9db989d93df4137fc2de2a9cee2610523f7a450ecbbf252babe98fba2f8e389c3e420c081e18f584c5746ca43f77f6af1fc79161f8bf8fbcb9564779986ecbe656dd16740cb8e399c33ff1dcc679e73c9c98a58c65a8673b7de57290a2d3191cb27e29d627f7ec6e874b1406051ffe9181e4d90d1b487b100ad30685 +        , BRabin.public_size = 128+        }+    , BRabin.private_p = 0xe071f231ab5912285a1f8db199795f5efdea4c32f646a3436eaec091ba853a3092216f26b539bbac1fe2ab2e4fbb20aad272a434a1e909bf6d3028aecae2a7b7+    , BRabin.private_q = 0xe6229470dc7da58bfcd962f1b3ddcf52304efbfb91d31c8ed84dbae2380c1ad2e338a523b4250863a689b3f262f949bd7a9f1a603c36634bb932dd71bf5daba3+    , BRabin.private_a = 0x65956653f711a63b776ce45862d4cd78f1ad7b1f8ed118bb8b5ea5fffd59762da5dc7c5298e236a8e45d5c93477cbc51f214b1cd1a4980eda859c1cb05e55666+    , BRabin.private_b = -0x63126dd9c5d6b5215f62012885570e1306b6a47ec1c46553f3b13ceae869149d14544438dbb976800cd62fbb52266f9a6405bc91f192a462c974bc8a6f832e03+    }++modifiedRabinKey = MRabin.PrivateKey+    { MRabin.private_pub = MRabin.PublicKey+        { MRabin.public_n = 0x9461a6e7c55cb610f20fd9af5d642404a63332a8d7c4fe7aa559cbcaec691e7216eed5d9322cb6a8619c220a0241b44e0d0a7cefda01fb84e59722b4e842ab5e190d214424bbdfed6d523426fc57a28045dfbb6e8159123077c542c0278ee2daf2d8993e286bf709a10a948da6b13008441581a22233f0ad3d5ebc5858ff7be5 +        , MRabin.public_size = 128+        }+    , MRabin.private_p = 0xc401e0ddbe565a8797292389bebb561c35eb019116ba25cc6c865a8d3d7bc599626ddf0bc4f575c22f89144fe99fc3300dd497ec2b7acc0221e729a61756b3f3+    , MRabin.private_q = 0xc1cc0e35f23f5086691a18c755881e3fe6937581948b109f47605b45d055e7b352e19ff729dfb33fbecb1d28b115e590449e5e4e228ab1876d889d3d41d87ec7 +    , MRabin.private_d = 0x128c34dcf8ab96c21e41fb35ebac848094c666551af89fcf54ab39795d8d23ce42dddabb264596d50c33844140483689c1a14f9dfb403f709cb2e4569d08556b9267e6460e84c69beda1defabd0285c4852c288b7ac27b78987bd19da337a6b1c7b123476732d9c0f656cc62a17f70e8fe34516cfa85ce6475bddeae9ffa0926+    }++rwKey = RW.PrivateKey+    { RW.private_pub = RW.PublicKey+        { RW.public_n = 0x992db4c84564c68d4ee2fe0903d938b41e83bcac48dfe8f2219ccee2ccbdefda4cbeea9f1c98a515c5f39a458f5ea11bca97102aaa3d9ac69e000093024e7b968359287cdf57bdacff5df1893df3539c7e358f037d49b5c6ae7110ab8117220c73b6265987039c2c97078fccacdd3f5a560aff5076fdc3958c532db28ab9a855 +        , RW.public_size = 128+        }+    , RW.private_p = 0xc144dd739c45397d61868ca944a9729a7ad34cf90466c8f5c98a88f5ab5e3288bcfd31d4af1d441d23a756a60abd4cf05c3e0b0053eb150166a327ae31e9347b+    , RW.private_q = 0xcae5a381f25a27ae2c359068753118fc384471cd6027e88b8b910306fb940781261089259a3c569546677aebd268704c767a071dbd4f50cb9f15fe448788856f+    , RW.private_d = 0x1325b69908ac98d1a9dc5fc1207b271683d07795891bfd1e443399dc5997bdfb4997dd53e39314a2b8be7348b1ebd4237952e2055547b358d3c000126049cf729ee5d4f0ea170b902e343a8ef0831900b963ba07a3176088ab2ab095db449d0052150d6be7b5402f459f17c759f6f043b06a5da64cb86bb910d340f7fa28fdce+    }++data EncryptionVector = EncryptionVector+    { seed :: ByteString+    , plainText :: ByteString+    , cipherText :: ByteString+    }++data SignatureVector = SignatureVector +    { message :: ByteString+    , padding :: ByteString+    , signature :: Integer+    }++basicRabinEncryptionVectors =+    [ EncryptionVector+        { plainText = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"+        , seed = "\x0c\xc7\x42\xce\x4a\x9b\x7f\x32\xf9\x51\xbc\xb2\x51\xef\xd9\x25\xfe\x4f\xe3\x5f"+        , cipherText = "\xaf\xc7\x03\xe3\x9d\x2f\x81\xc6\x3a\x80\x2a\xd1\x44\x26\x3f\x17\x0c\x0a\xe6\x48\x68\x98\x23\x14\x8f\x95\xd2\xce\xbb\xe7\x3f\x49\x34\x76\x1d\x99\x30\x7b\xeb\x84\xe5\x2a\x10\xd2\x1e\x11\x7e\x65\xe8\x88\x24\xc1\x12\xeb\x19\x0d\x97\xcd\x12\x25\x6b\x1f\x9b\x0c\x40\x40\xa3\x47\x00\xb7\x11\xf8\x50\x08\x51\x79\xe8\x1b\xd1\x77\xe0\x99\xa7\xe1\x5c\x63\xda\x29\xc7\xde\x28\x5d\x60\xed\x8e\xb2\x12\xd4\xfe\xb8\x1a\x5d\x17\x65\x80\x62\x6e\x65\x5c\x37\x07\x1c\xfa\xff\xe6\x21\xa5\x9f\xcd\x6a\x6a\xce\xa6\x96\xb2\xc5\x08\xe6"+        }   +    ]++basicRabinSignatureVectors =+    [ SignatureVector+        { message = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"+        , padding = "\xe9\x87\x17\x15\xa2\xe4\x30\x15"+        , signature = 0xac95807bdd03ca975690151d39d23d75e5db2731c4ba30b83c3f3ea74709e4d4e340d7dab952356a76c9b8705b214e28d59f5bdc7c7fdff4e104569e30359b5c65c2dcd5b94db58505cd8b188267121700beebd7edbee492e374514646471b5c3fa252a2580dc7343f455683815d6d7c590dd3bcaa7df41d8b08197ccb183408+        }   +    ]++modifiedRabinSignatureVectors =+    [ SignatureVector+        { message = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"+        , padding = B.empty -- not used+        , signature = 0x278c7c269119218ab7f501ea53a97ab15a3a5a263c6daed8980abec78291e9729e0e3457731cdea8ec31a7566e93d10fc9b2615fe3e54f4533a5506ac24a3bd286e270324e538066f0ddf503f9b5e0c18e18379659834906ebd99c0d31588c66e70fc653bc8865b9239999cbd35704917d8647d1199286c533233e3e03582dd+        }   +    ]+    +rwEncryptionVectors =+    [ EncryptionVector+        { plainText = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"+        , seed = "\x0c\xc7\x42\xce\x4a\x9b\x7f\x32\xf9\x51\xbc\xb2\x51\xef\xd9\x25\xfe\x4f\xe3\x5f"+        , cipherText = "\x40\xc2\xe3\x36\xac\x46\x72\x8a\xaf\x33\x75\xe1\x27\xd0\x38\x40\xe2\x24\x4e\x20\xa7\x5d\x85\xd3\x74\x81\x21\xfd\xc9\x40\x90\x80\x8c\xed\x2d\xd3\x5b\xc4\xb7\xc9\x7c\x80\xa5\x2f\x63\x86\x34\x4e\x8c\x92\x07\x86\x9e\xda\xfd\xf8\x11\x83\x8a\x5a\x23\xc1\xe6\x77\x37\x5d\xf9\x5c\x60\xd1\x6d\xfd\x0c\x54\xd1\x00\xe9\xab\x97\x6d\x8e\x83\x8b\x6e\x1a\x38\x73\x43\xe2\x24\xc2\xe2\x4e\x74\x3f\xe4\x4d\xdd\x27\xed\xc7\x72\x88\xd3\x0f\x93\xb3\xdb\xa2\xb7\xaf\x6d\xe9\xab\x76\x53\x63\xf9\x62\xd7\x52\x44\x61\x60\x5d\x2e\x9b\xf7"+        }   +    ]++rwSignatureVectors =+    [ SignatureVector+        { message = "\x75\x0c\x40\x47\xf5\x47\xe8\xe4\x14\x11\x85\x65\x23\x29\x8a\xc9\xba\xe2\x45\xef\xaf\x13\x97\xfb\xe5\x6f\x9d\xd5"+        , padding = B.empty -- not used+        , signature = 0x1e57b554a8e83aacd9d4067f9535991e7db47803250cded5cc8af5458a6bb11fea852139e0afe143f9339dd94a518e354e702134d1ae222460127829d92e8bf6441336f5ae7044ec7b6c3ad8b9aeeb1ea02a49798e020cb5b558120bbb51f060eb1608ba68f90cac7edb1051c177d3bdbb99d1ad92e8d75d6f72f1d06f1d25be+        }   +    ]++doBasicRabinEncryptTest key i vector = testCase (show i) (Right (cipherText vector) @=? actual)+    where actual = BRabin.encryptWithSeed (seed vector) (OAEP.defaultOAEPParams SHA1) key (plainText vector)++doBasicRabinDecryptTest key i vector = testCase (show i) (Just (plainText vector) @=? actual)+    where actual = BRabin.decrypt (OAEP.defaultOAEPParams SHA1) key (cipherText vector)++doBasicRabinSignTest key i vector = testCase (show i) (Right (BRabin.Signature ((os2ip $ padding vector), (signature vector))) @=? actual)+    where actual = BRabin.signWith (padding vector) key SHA1 (message vector)++doBasicRabinVerifyTest key i vector = testCase (show i) (True @=? actual)+    where actual = BRabin.verify key SHA1 (message vector) (BRabin.Signature ((os2ip $ padding vector), (signature vector)))++doModifiedRabinSignTest key i vector = testCase (show i) (Right (signature vector) @=? actual)+    where actual = MRabin.sign key SHA1 (message vector)++doModifiedRabinVerifyTest key i vector = testCase (show i) (True @=? actual)+    where actual = MRabin.verify key SHA1 (message vector) (signature vector)++doRwEncryptTest key i vector = testCase (show i) (Right (cipherText vector) @=? actual)+    where actual = RW.encryptWithSeed (seed vector) (OAEP.defaultOAEPParams SHA1) key (plainText vector)++doRwDecryptTest key i vector = testCase (show i) (Just (plainText vector) @=? actual)+    where actual = RW.decrypt (OAEP.defaultOAEPParams SHA1) key (cipherText vector)++doRwSignTest key i vector = testCase (show i) (Right (signature vector) @=? actual)+    where actual = RW.sign key SHA1 (message vector)++doRwVerifyTest key i vector = testCase (show i) (True @=? actual)+    where actual = RW.verify key SHA1 (message vector) (signature vector)++rabinTests = testGroup "Rabin"+    [ testGroup "Basic"+        [ testGroup "encrypt" $ zipWith (doBasicRabinEncryptTest $ BRabin.private_pub basicRabinKey) [katZero..] basicRabinEncryptionVectors+        , testGroup "decrypt" $ zipWith (doBasicRabinDecryptTest basicRabinKey) [katZero..] basicRabinEncryptionVectors+        , testGroup "sign" $ zipWith (doBasicRabinSignTest basicRabinKey) [katZero..] basicRabinSignatureVectors+        , testGroup "verify" $ zipWith (doBasicRabinVerifyTest $ BRabin.private_pub basicRabinKey) [katZero..] basicRabinSignatureVectors+        ]+    , testGroup "Modified"+        [ testGroup "sign" $ zipWith (doModifiedRabinSignTest modifiedRabinKey) [katZero..] modifiedRabinSignatureVectors+        , testGroup "verify" $ zipWith (doModifiedRabinVerifyTest $ MRabin.private_pub modifiedRabinKey) [katZero..] modifiedRabinSignatureVectors+        ]+    , testGroup "RW"+        [ testGroup "encrypt" $ zipWith (doRwEncryptTest $ RW.private_pub rwKey) [katZero..] rwEncryptionVectors+        , testGroup "decrypt" $ zipWith (doRwDecryptTest rwKey) [katZero..] rwEncryptionVectors+        , testGroup "sign" $ zipWith (doRwSignTest rwKey) [katZero..] rwSignatureVectors+        , testGroup "verify" $ zipWith (doRwVerifyTest $ RW.private_pub rwKey) [katZero..] rwSignatureVectors+        ]+    ]
tests/KAT_RC4.hs view
@@ -27,8 +27,8 @@     ]  tests = testGroup "RC4"-    $ map toKatTest $ zip is vectors-  where toKatTest (i, (key, plainText, cipherText)) =+    $ zipWith toKatTest is vectors+  where toKatTest i (key, plainText, cipherText) =             testCase (show i) (cipherText @=? snd (RC4.combine (RC4.initialize key) plainText))         is :: [Int]         is = [1..]
tests/KAT_Scrypt.hs view
@@ -28,6 +28,6 @@     ]  tests = testGroup "Scrypt"-    $ map toCase $ zip [(1::Int)..] vectors-  where toCase (i, ((pass,salt,n,r,p,dklen), output)) =+    $ zipWith toCase [(1::Int)..] vectors+  where toCase i ((pass,salt,n,r,p,dklen), output) =             testCase (show i) (output @=? Scrypt.generate (Scrypt.Parameters n r p dklen) pass salt)
+ tests/KAT_Twofish.hs view
@@ -0,0 +1,45 @@+module KAT_Twofish (tests) where++import Imports+import BlockCipher++import qualified Data.ByteString as B+import Crypto.Cipher.Twofish+++vectors_twofish128 =+    [ KAT_ECB (B.replicate 16 0x00) (B.replicate 16 0x00) (B.pack [0x9F,0x58,0x9F,0x5C,0xF6,0x12,0x2C,0x32,0xB6,0xBF,0xEC,0x2F,0x2A,0xE8,0xC3,0x5A])+    , KAT_ECB (B.pack [0x9F,0x58,0x9F,0x5C,0xF6,0x12,0x2C,0x32,0xB6,0xBF,0xEC,0x2F,0x2A,0xE8,0xC3,0x5A])+              (B.pack [0xD4, 0x91, 0xDB, 0x16, 0xE7, 0xB1, 0xC3, 0x9E, 0x86, 0xCB, 0x08, 0x6B, 0x78, 0x9F, 0x54, 0x19])+              (B.pack [0x01, 0x9F, 0x98, 0x09, 0xDE, 0x17, 0x11, 0x85, 0x8F, 0xAA, 0xC3, 0xA3, 0xBA, 0x20, 0xFB, 0xC3])+    ]++vectors_twofish192 =+    [ KAT_ECB (B.pack [0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,+                       0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77])+              (B.pack [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])+              (B.pack [0xCF, 0xD1, 0xD2, 0xE5, 0xA9, 0xBE, 0x9C, 0xDF, 0x50, 0x1F, 0x13, 0xB8, 0x92, 0xBD, 0x22, 0x48])+    , KAT_ECB (B.pack [0x88, 0xB2, 0xB2, 0x70, 0x6B, 0x10, 0x5E, 0x36, 0xB4, 0x46, 0xBB, 0x6D, 0x73, 0x1A, 0x1E, 0x88,+                       0xEF, 0xA7, 0x1F, 0x78, 0x89, 0x65, 0xBD, 0x44])+              (B.pack [0x39, 0xDA, 0x69, 0xD6, 0xBA, 0x49, 0x97, 0xD5, 0x85, 0xB6, 0xDC, 0x07, 0x3C, 0xA3, 0x41, 0xB2])+              (B.pack [0x18, 0x2B, 0x02, 0xD8, 0x14, 0x97, 0xEA, 0x45, 0xF9, 0xDA, 0xAC, 0xDC, 0x29, 0x19, 0x3A, 0x65])]++vectors_twofish256 =+    [ KAT_ECB (B.pack [0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,+                       0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF])+              (B.pack [0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])+              (B.pack [0x37, 0x52, 0x7B, 0xE0, 0x05, 0x23, 0x34, 0xB8, 0x9F, 0x0C, 0xFC, 0xCA, 0xE8, 0x7C, 0xFA, 0x20])+    , KAT_ECB (B.pack [0xD4, 0x3B, 0xB7, 0x55, 0x6E, 0xA3, 0x2E, 0x46, 0xF2, 0xA2, 0x82, 0xB7, 0xD4, 0x5B, 0x4E, 0x0D,+                       0x57, 0xFF, 0x73, 0x9D, 0x4D, 0xC9, 0x2C, 0x1B, 0xD7, 0xFC, 0x01, 0x70, 0x0C, 0xC8, 0x21, 0x6F])+              (B.pack [0x90, 0xAF, 0xE9, 0x1B, 0xB2, 0x88, 0x54, 0x4F, 0x2C, 0x32, 0xDC, 0x23, 0x9B, 0x26, 0x35, 0xE6])+              (B.pack [0x6C, 0xB4, 0x56, 0x1C, 0x40, 0xBF, 0x0A, 0x97, 0x05, 0x93, 0x1C, 0xB6, 0xD4, 0x08, 0xE7, 0xFA])]++kats128 = defaultKATs { kat_ECB = vectors_twofish128 }+kats192 = defaultKATs { kat_ECB = vectors_twofish192 }+kats256 = defaultKATs { kat_ECB = vectors_twofish256 }++tests = testGroup "Twofish"+            [ testBlockCipher kats128 (undefined :: Twofish128)+            , testBlockCipher kats192 (undefined :: Twofish192)+            , testBlockCipher kats256 (undefined :: Twofish256) ]+
tests/Number.hs view
@@ -4,10 +4,13 @@ import Imports  import Data.ByteArray (Bytes)+import qualified Data.ByteArray as B import Crypto.Number.Basic import Crypto.Number.Generate-import Crypto.Number.Serialize+import qualified Crypto.Number.Serialize    as BE+import qualified Crypto.Number.Serialize.LE as LE import Crypto.Number.Prime+import Crypto.Number.ModArithmetic import Data.Bits  serializationVectors :: [(Int, Integer, ByteString)]@@ -50,11 +53,35 @@             bits = 6 + baseBits             prime = withTestDRG testDRG $ generateSafePrime bits          in bits == numBits prime-    , testProperty "marshalling" $ \qaInt ->-        getQAInteger qaInt == os2ip (i2osp (getQAInteger qaInt) :: Bytes)-    , testGroup "marshalling-kat-to-bytearray" $ map toSerializationKat $ zip [katZero..] serializationVectors-    , testGroup "marshalling-kat-to-integer" $ map toSerializationKatInteger $ zip [katZero..] serializationVectors+    , testProperty "as-power-of-2-and-odd" $ \n ->+        let (e, a1) = asPowerOf2AndOdd n+         in n == (2^e)*a1+    , testProperty "squareRoot" $ \testDRG (Int0_2901 baseBits') -> do+        let baseBits = baseBits' `mod` 500+            bits = 5 + baseBits -- generating lower than 5 bits causes an error ..+            p = withTestDRG testDRG $ generatePrime bits+        g <- choose (1, p - 1)+        let square x = (x * x) `mod` p+            r = square <$> squareRoot p g+        case jacobi g p of+            Just   1  -> return $ Just g `assertEq` r+            Just (-1) -> return $ Nothing `assertEq` r+            _         -> error "invalid jacobi result"+    , testProperty "marshalling-be" $ \qaInt ->+        getQAInteger qaInt == BE.os2ip (BE.i2osp (getQAInteger qaInt) :: Bytes)+    , testProperty "marshalling-le" $ \qaInt ->+        getQAInteger qaInt == LE.os2ip (LE.i2osp (getQAInteger qaInt) :: Bytes)+    , testProperty "be-rev-le" $ \qaInt ->+        getQAInteger qaInt == LE.os2ip (B.reverse (BE.i2osp (getQAInteger qaInt) :: Bytes))+    , testProperty "be-rev-le-40" $ \qaInt ->+        getQAInteger qaInt == LE.os2ip (B.reverse (BE.i2ospOf_ 40 (getQAInteger qaInt) :: Bytes))+    , testProperty "le-rev-be" $ \qaInt ->+        getQAInteger qaInt == BE.os2ip (B.reverse (LE.i2osp (getQAInteger qaInt) :: Bytes))+    , testProperty "le-rev-be-40" $ \qaInt ->+        getQAInteger qaInt == BE.os2ip (B.reverse (LE.i2ospOf_ 40 (getQAInteger qaInt) :: Bytes))+    , testGroup "marshalling-kat-to-bytearray" $ zipWith toSerializationKat [katZero..] serializationVectors+    , testGroup "marshalling-kat-to-integer" $ zipWith toSerializationKatInteger [katZero..] serializationVectors     ]   where-    toSerializationKat (i, (sz, n, ba)) = testCase (show i) (ba @=? i2ospOf_ sz n)-    toSerializationKatInteger (i, (_, n, ba)) = testCase (show i) (n @=? os2ip ba)+    toSerializationKat i (sz, n, ba) = testCase (show i) (ba @=? BE.i2ospOf_ sz n)+    toSerializationKatInteger i (_, n, ba) = testCase (show i) (n @=? BE.os2ip ba)
tests/Number/F2m.hs view
@@ -2,6 +2,7 @@  import Imports hiding ((.&.)) import Data.Bits+import Data.Maybe import Crypto.Number.Basic (log2) import Crypto.Number.F2m @@ -52,8 +53,34 @@ squareTests = testGroup "squareF2m"     [ testProperty "sqr(a) == a * a"         $ \(Positive m) (NonNegative a) -> mulF2m m a a == squareF2m m a+    -- disabled because we require @m@ to be a suitable modulus and there is no+    -- way to guarantee this+    -- , testProperty "sqrt(a) * sqrt(a) = a"+    --     $ \(Positive m) (NonNegative aa) -> let a = sqrtF2m m aa in mulF2m m a a == modF2m m aa+    , testProperty "sqrt(a) * sqrt(a) = a in GF(2^16)"+        $ let m = 65581 :: Integer -- x^16 + x^5 + x^3 + x^2 + 1+              nums = [0 .. 65535 :: Integer]+          in  nums == [let y = sqrtF2m m x in squareF2m m y | x <- nums]     ] +powTests = testGroup "powF2m"+    [ testProperty "2 is square"+        $ \(Positive m) (NonNegative a) -> powF2m m a 2 == squareF2m m a+    , testProperty "1 is identity"+        $ \(Positive m) (NonNegative a) -> powF2m m a 1 == modF2m m a+    , testProperty "0 is annihilator"+        $ \(Positive m) (NonNegative a) -> powF2m m a 0 == modF2m m 1+    , testProperty "(a * b) ^ c == (a ^ c) * (b ^ c)"+        $ \(Positive m) (NonNegative a) (NonNegative b) (NonNegative c)+            -> powF2m m (mulF2m m a b) c == mulF2m m (powF2m m a c) (powF2m m b c)+    , testProperty "a ^ (b + c) == (a ^ b) * (a ^ c)"+        $ \(Positive m) (NonNegative a) (NonNegative b) (NonNegative c)+            -> powF2m m a (b + c) == mulF2m m (powF2m m a b) (powF2m m a c)+    , testProperty "a ^ (b * c) == (a ^ b) ^ c"+        $ \(Positive m) (NonNegative a) (NonNegative b) (NonNegative c)+            -> powF2m m a (b * c) == powF2m m (powF2m m a b) c+    ]+ invTests = testGroup "invF2m"     [ testProperty "1 / a * a == 1"         $ \(Positive m) (NonNegative a)@@ -70,7 +97,7 @@             -> divF2m m a b == (mulF2m m a <$> invF2m m b)     , testProperty "a * b / b == a"         $ \(Positive m) (NonNegative a) (NonNegative b)-            -> invF2m m b == Nothing || divF2m m (mulF2m m a b) b == Just (modF2m m a)+            -> isNothing (invF2m m b) || divF2m m (mulF2m m a b) b == Just (modF2m m a)     ]  tests = testGroup "number.F2m"@@ -78,6 +105,7 @@     , modTests     , mulTests     , squareTests+    , powTests     , invTests     , divTests     ]
tests/Padding.hs view
@@ -3,7 +3,6 @@  import qualified Data.ByteString as B import Imports-import Crypto.Error  import Crypto.Data.Padding @@ -34,6 +33,6 @@                                          ]  tests = testGroup "Padding"-    [ testGroup "Cases" $ map (uncurry testPad) (zip [1..] cases)-    , testGroup "ZeroCases" $ map (uncurry testZeroPad) (zip [1..] zeroCases)+    [ testGroup "Cases" $ zipWith testPad [1..] cases+    , testGroup "ZeroCases" $ zipWith testZeroPad [1..] zeroCases     ]
tests/Salsa.hs view
@@ -37,7 +37,7 @@  tests = testGroup "Salsa"     [ testGroup "KAT" $-        map (\(i,f) -> testCase (show (i :: Int)) f) $ zip [1..] $ map (\(r, k,i,e) -> salsaRunSimple e r k i) vectors+        zipWith (\i (r,k,n,e) -> testCase (show (i :: Int)) $ salsaRunSimple e r k n) [1..] vectors     , testProperty "generate-combine" salsaGenerateCombine     , testProperty "chunking-generate" salsaGenerateChunks     , testProperty "chunking-combine" salsaCombineChunks
tests/Tests.hs view
@@ -3,9 +3,15 @@  import Imports +import Crypto.System.CPU+ import qualified Number import qualified Number.F2m import qualified BCrypt+import qualified BCryptPBKDF+import qualified ECC+import qualified ECC.Edwards25519+import qualified ECDSA import qualified Hash import qualified Poly1305 import qualified Salsa@@ -15,28 +21,37 @@ import qualified KAT_MiyaguchiPreneel import qualified KAT_CMAC import qualified KAT_HMAC+import qualified KAT_KMAC import qualified KAT_HKDF import qualified KAT_Argon2 import qualified KAT_PBKDF2 import qualified KAT_Curve25519 import qualified KAT_Curve448 import qualified KAT_Ed25519+import qualified KAT_Ed448+import qualified KAT_EdDSA import qualified KAT_OTP import qualified KAT_PubKey import qualified KAT_Scrypt -- symmetric cipher -------------------- import qualified KAT_AES+import qualified KAT_AESGCMSIV import qualified KAT_Blowfish+import qualified KAT_CAST5 import qualified KAT_Camellia import qualified KAT_DES import qualified KAT_RC4 import qualified KAT_TripleDES+import qualified KAT_Twofish -- misc -------------------------------- import qualified KAT_AFIS import qualified Padding  tests = testGroup "cryptonite"-    [ Number.tests+    [ testGroup "runtime"+        [ testCaseInfo "CPU" (return $ show processorOptions)+        ]+    , Number.tests     , Number.F2m.tests     , Hash.tests     , Padding.tests@@ -47,25 +62,32 @@         [ Poly1305.tests         , KAT_CMAC.tests         , KAT_HMAC.tests+        , KAT_KMAC.tests         ]     , KAT_Curve25519.tests     , KAT_Curve448.tests     , KAT_Ed25519.tests+    , KAT_Ed448.tests+    , KAT_EdDSA.tests     , KAT_PubKey.tests     , KAT_OTP.tests     , testGroup "KDF"         [ KAT_PBKDF2.tests         , KAT_Scrypt.tests         , BCrypt.tests+        , BCryptPBKDF.tests         , KAT_HKDF.tests         , KAT_Argon2.tests         ]     , testGroup "block-cipher"         [ KAT_AES.tests+        , KAT_AESGCMSIV.tests         , KAT_Blowfish.tests+        , KAT_CAST5.tests         , KAT_Camellia.tests         , KAT_DES.tests         , KAT_TripleDES.tests+        , KAT_Twofish.tests         ]     , testGroup "stream-cipher"         [ KAT_RC4.tests@@ -75,6 +97,9 @@         , XSalsa.tests         ]     , KAT_AFIS.tests+    , ECC.tests+    , ECC.Edwards25519.tests+    , ECDSA.tests     ]  main = defaultMain tests
tests/Utils.hs view
@@ -2,7 +2,6 @@ module Utils where  import Control.Applicative-import Control.Monad (replicateM) import Data.Char import Data.Word import Data.List@@ -20,7 +19,7 @@     deriving (Show,Eq)  instance Arbitrary TestDRG where-    arbitrary = TestDRG `fmap` arbitrary+    arbitrary = TestDRG `fmap` arbitrary  -- distribution not uniform  withTestDRG (TestDRG l) f = fst $ withDRG (drgNewTest l) f @@ -28,13 +27,13 @@     deriving (Show,Eq)  instance Arbitrary ChunkingLen where-    arbitrary = ChunkingLen `fmap` replicateM 16 (choose (0,14))+    arbitrary = ChunkingLen `fmap` vectorOf 16 (choose (0,14))  newtype ChunkingLen0_127 = ChunkingLen0_127 [Int]     deriving (Show,Eq)  instance Arbitrary ChunkingLen0_127 where-    arbitrary = ChunkingLen0_127 `fmap` replicateM 16 (choose (0,127))+    arbitrary = ChunkingLen0_127 `fmap` vectorOf 16 (choose (0,127))   newtype ArbitraryBS0_2901 = ArbitraryBS0_2901 ByteString@@ -63,7 +62,7 @@     arbitrary = oneof         [ QAInteger . fromIntegral <$> (choose (0, 65536) :: Gen Int)  -- small integer         , larger <$> choose (0,4096) <*> choose (0, 65536) -- medium integer-        , QAInteger . os2ip . B.pack <$> (choose (0,32) >>= \n -> replicateM n arbitrary) -- [ 0 .. 2^32 ] sized integer+        , QAInteger . os2ip <$> arbitraryBSof 0 32 -- [ 0 .. 2^32 ] sized integer         ]       where         larger :: Int -> Int -> QAInteger@@ -73,10 +72,10 @@         somePrime = 18446744073709551557  arbitraryBS :: Int -> Gen ByteString-arbitraryBS n = B.pack `fmap` replicateM n arbitrary+arbitraryBS = fmap B.pack . vector  arbitraryBSof :: Int -> Int -> Gen ByteString-arbitraryBSof minSize maxSize = choose (minSize, maxSize) >>= \n -> (B.pack `fmap` replicateM n arbitrary)+arbitraryBSof minSize maxSize = choose (minSize, maxSize) >>= arbitraryBS  chunkS :: ChunkingLen -> ByteString -> [ByteString] chunkS (ChunkingLen originalChunks) = loop originalChunks
tests/XSalsa.hs view
@@ -98,11 +98,31 @@        , "\xB2\xB7\x95\xFE\x6C\x1D\x4C\x83\xC1\x32\x7E\x01\x5A\x67\xD4\x46\x5F\xD8\xE3\x28\x13\x57\x5C\xBA\xB2\x63\xE2\x0E\xF0\x58\x64\xD2\xDC\x17\xE0\xE4\xEB\x81\x43\x6A\xDF\xE9\xF6\x38\xDC\xC1\xC8\xD7\x8F\x6B\x03\x06\xBA\xF9\x38\xE5\xD2\xAB\x0B\x3E\x05\xE7\x35\xCC\x6F\xFF\x2D\x6E\x02\xE3\xD6\x04\x84\xBE\xA7\xC7\xA8\xE1\x3E\x23\x19\x7F\xEA\x7B\x04\xD4\x7D\x48\xF4\xA4\xE5\x94\x41\x74\x53\x94\x92\x80\x0D\x3E\xF5\x1E\x2E\xE5\xE4\xC8\xA0\xBD\xF0\x50\xC2\xDD\x3D\xD7\x4F\xCE\x5E\x7E\x5C\x37\x36\x4F\x75\x47\xA1\x14\x80\xA3\x06\x3B\x9A\x0A\x15\x7B\x15\xB1\x0A\x5A\x95\x4D\xE2\x73\x1C\xED\x05\x5A\xA2\xE2\x76\x7F\x08\x91\xD4\x32\x9C\x42\x6F\x38\x08\xEE\x86\x7B\xED\x0D\xC7\x5B\x59\x22\xB7\xCF\xB8\x95\x70\x0F\xDA\x01\x61\x05\xA4\xC7\xB7\xF0\xBB\x90\xF0\x29\xF6\xBB\xCB\x04\xAC\x36\xAC\x16")      ] +-- Test vector from paper "Cryptography in NaCl"+vectorsCB :: [Vector]+vectorsCB =+    [ ( 20+       , "\x4A\x5D\x9D\x5B\xA4\xCE\x2D\xE1\x72\x8E\x3B\xF4\x80\x35\x0F\x25\xE0\x7E\x21\xC9\x47\xD1\x9E\x33\x76\xF0\x9B\x3C\x1E\x16\x17\x42"+       , "\x69\x69\x6E\xE9\x55\xB6\x2B\x73\xCD\x62\xBD\xA8\x75\xFC\x73\xD6\x82\x19\xE0\x03\x6B\x7A\x0B\x37"+       , "\xBE\x07\x5F\xC5\x3C\x81\xF2\xD5\xCF\x14\x13\x16\xEB\xEB\x0C\x7B\x52\x28\xC5\x2A\x4C\x62\xCB\xD4\x4B\x66\x84\x9B\x64\x24\x4F\xFC\xE5\xEC\xBA\xAF\x33\xBD\x75\x1A\x1A\xC7\x28\xD4\x5E\x6C\x61\x29\x6C\xDC\x3C\x01\x23\x35\x61\xF4\x1D\xB6\x6C\xCE\x31\x4A\xDB\x31\x0E\x3B\xE8\x25\x0C\x46\xF0\x6D\xCE\xEA\x3A\x7F\xA1\x34\x80\x57\xE2\xF6\x55\x6A\xD6\xB1\x31\x8A\x02\x4A\x83\x8F\x21\xAF\x1F\xDE\x04\x89\x77\xEB\x48\xF5\x9F\xFD\x49\x24\xCA\x1C\x60\x90\x2E\x52\xF0\xA0\x89\xBC\x76\x89\x70\x40\xE0\x82\xF9\x37\x76\x38\x48\x64\x5E\x07\x05"+       , "\x8E\x99\x3B\x9F\x48\x68\x12\x73\xC2\x96\x50\xBA\x32\xFC\x76\xCE\x48\x33\x2E\xA7\x16\x4D\x96\xA4\x47\x6F\xB8\xC5\x31\xA1\x18\x6A\xC0\xDF\xC1\x7C\x98\xDC\xE8\x7B\x4D\xA7\xF0\x11\xEC\x48\xC9\x72\x71\xD2\xC2\x0F\x9B\x92\x8F\xE2\x27\x0D\x6F\xB8\x63\xD5\x17\x38\xB4\x8E\xEE\xE3\x14\xA7\xCC\x8A\xB9\x32\x16\x45\x48\xE5\x26\xAE\x90\x22\x43\x68\x51\x7A\xCF\xEA\xBD\x6B\xB3\x73\x2B\xC0\xE9\xDA\x99\x83\x2B\x61\xCA\x01\xB6\xDE\x56\x24\x4A\x9E\x88\xD5\xF9\xB3\x79\x73\xF6\x22\xA4\x3D\x14\xA6\x59\x9B\x1F\x65\x4C\xB4\x5A\x74\xE3\x55\xA5")+    ]+ tests = testGroup "XSalsa"     [ testGroup "KAT" $-        map (\(i,f) -> testCase (show (i :: Int)) f) $ zip [1..] $ map (\(r, k, i, p, e) -> salsaRunSimple r k i p e) vectors+        zipWith (\i (r, k, n, p, e) -> testCase (show (i :: Int)) $ salsaRunSimple r k n p e) [1..] vectors+    , testGroup "crypto_box encryption" $+        zipWith (\i (r, k, n, p, e) -> testCase (show (i :: Int)) $ cryptoBoxEnc r k n p e) [1..] vectorsCB     ]   where       salsaRunSimple rounds key nonce plain expected =           let salsa = XSalsa.initialize rounds key nonce           in fst (XSalsa.combine salsa plain) @?= expected++      cryptoBoxEnc rounds shared nonce plain expected =+          let zero        = B.replicate 16 0+              (iv0, iv1)  = B.splitAt 8 nonce+              salsa0      = XSalsa.initialize rounds shared (zero `B.append` iv0)+              salsa1      = XSalsa.derive salsa0 iv1+              (_, salsa2) = XSalsa.generate salsa1 32 :: (B.ByteString, XSalsa.State)+          in fst (XSalsa.combine salsa2 plain) @?= expected