tech-security archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
AES leaks, cgd ciphers, and vector units in the kernel
[bcc tech-crypto, tech-security; followups to tech-kern]
It's been well-known since 2005[1] that naive AES software, like we
use today in the NetBSD kernel, is vulnerable to cache-timing attacks
(CVE-2005-1797). These attacks have gotten progressively better over
time, and over a decade ago were even applied to Linux dm-crypt disk
encryption[2].
Timing side channel attacks are not theoretical: shared virtual hosts
and JavaScript engines in web browsers provide adversaries with
abundant attack surfaces to trigger disk I/O, prime/probe/flush/reload
caches, and measure high-resolution timings.
We already replaced NIST CTR_DRBG-AES by NIST Hash_DRBG-SHA256 for
/dev/u?random in part because of AES timing side channel attacks.
It's long since overdue for us to address them in cgd(4), and anything
else in the kernel that uses AES.
The attached patch set provides a three-pronged approach to addressing
the problem:
1. Replace the variable-time AES reference implementation we've been
using by constant-time AES software from Thomas Pornin's
high-quality BearSSL libary.
Security impact: This essentially plugs the leak on all NetBSD
platforms for all existing disk setups (and anything else in the
kernel like IPsec) that already use AES as long as they run an
updated kernel.
(In principle a C compiler could compile the BearSSL logic gates
into secret-dependent branches and memory references, and in
principle a machine could implement logic gates in variable time,
but realistically this goes a long way to plugging the leak.)
Performance impact: The cost is that constant-time AES software is
much slower -- cgd AES-CBC encryption throughput is reduced to
about 1/3, and decryption to about 1/2 (very roughly). This is
bad, obviously, but it is mostly addressed by the next two parts.
2. Add support for CPU AES instructions on Intel, AMD, VIA, and
aarch64 CPUs to implement the kernel's synchronous AES API,
including machinery to allow the kernel to use the CPU's vector
unit.
Security impact: This generally plugs the leak (except perhaps in
software CPU emulators like qemu) on all relevant hardware just
by updating the kernel.
Performance impact: This significantly improves performance over
what it was before with variable-time AES software, on CPUs that
have AES instructions we can use -- cgd AES-CBC throughput very
roughly doubles on a VIA laptop I tried, for instance.
So on ~all amd64 and aarch64 CPUs of the last decade (and VIA
CPUs), this patch set improves security _and_ performance.
3. Add an alternative cgd cipher Adiantum[3], which is built out of
AES (used only once per disk sector), Poly1305, NH, and XChaCha12,
and has been deployed by Google for disk encryption on lower-end
ARM systems.
Security impact: Adiantum generally provides better disk
encryption security than AES-CBC or AES-XTS because it encrypts
an entire disk sector at a time, rather than individual cipher
blocks independently like AES-XTS does or suffixes in units of
cipher blocks like AES-CBC does, so two snapshots of a disk
reveal less information with Adiantum than with AES-CBC or
AES-XTS. Of course, Adiantum is a different cipher so you have
to create new cgd volumes if you want to use it.
(The Adiantum implementation uses the same AES logic as the rest
of the kernel for the one invocation per disk sector it needs, so
it will take advantage of constant-time software or hardware
support.)
Performance impact: Adiantum provides much better software
performance than AES-CBC, AES-XTS, or generally anything that
feeds all the data through AES. (The one AES invocation per disk
sector accounts for only a small fraction of Adiantum's time,
<10%.) This should generally provide performance that is at
least as good as the leaky AES software was on machines that
don't have CPU support for AES.
The net effect is:
(a) there is no more variable-time AES software in the kernel at all,
(b) on most machines of the past decade, AES is (a lot) faster, and
(c) there's an alternative to AES-CBC/AES-XTS in cgd for machines
where fixing the security vulnerability made it slower.
Some additional notes:
* Vector unit in the kernel.
All the CPU AES instructions I dealt with (AES-NI, VIA Padlock,
ARMv8.0-AES) require using the CPU's vector unit. The mechanism is
that we disable interrupts and save any user lwp vector unit state
before computing AES, and then zero the vector registers afterward
to prevent any Spectre-class attacks:
- If the kernel is using the vector unit while in a user lwp, we
have to disable preemption because there's nowhere to save the
kernel's vector registers alongside the user's vector registers.
- If we ever want to compute AES in interrupt context we also need
to disable interrputs, but if we decide never to do AES in
interrupt context (which would be reasonable, just not a
proposition I'm committing to at the moment) then disabling
preemption instead of disabling interrupts would be sufficient.
As future work, in kthreads, we don't need to disable preemption at
all since there's no user lwp state so we can save the kernel's
vector registers in the lwp pcb. Also, in kthreads, we can avoid
zeroing the vector registers after every AES subroutine, since user
code can't even run until after switching to another lwp anyway.
I experimented with doing this in cgd -- adding fpu_kthread_enter
and fpu_kthread_leave around cgd_cipher to set a bit MDL_SYSTEM_FPU
in the lwp, and teaching fpu save/restore to allow saving and
restoring to kthreads with MDL_SYSTEM_FPU set -- and cgd throughput
on my VIA laptop improved by about 1.2x on top of the already huge
throughput increase from using the CPU instructions in the first
place.
I'm not settled on how this should manifest in an MI API yet,
though, so the experiment is not included in the patch set other
than to define fpu_kthread_enter/leave for experimentation.
* Other CPUs' AES instructions.
With a little more effort we could:
- adapt the x86 AES-NI logic to 32-bit mode
- add support for Cavium MIPS CPUs
- adopt vectorized MD constant-time software for CPUs with vector
units like Altivec, NEON, VFP, &c., even if they don't have AES
instructions per se
I didn't do any of that because I was going for low-hanging fruit,
but I would be happy to help if you want to adopt other
implementations.
We could also use a similar mechanism for, e.g., synchronous SHA-256
instructions, to make /dev/urandom (which uses NIST Hash_DRBG with
SHA-256) faster on, e.g., aarch64 and Cavium MIPS CPUs. Also not a
high priority for me because SHA-256 does not invite side channel
threats like AES does, but happy to help if you want to work on it.
* Adiantum components.
Adiantum is built out of components that are useful in their own
right for other applications like Wireguard, notably Poly1305 and
ChaCha, so we could fruitfully factor them out into their own
modules and provide vectorized MD implementations of them from (say)
SUPERCOP to further improve performance.
This makes Adiantum more attractive than, e.g., Threefish as I
suggested some years ago, which is a primitive that almost nobody
uses in the real world.
* cgd disk sector sizes and Adiantum.
cgd currently uses the underlying disk's sector size as advertised
by getdisksize (i.e., DIOCGWEDGEINFO or DIOCGPARTINFO). On almost
all disks today that's 512 bytes, even if the disk actually uses
4096-byte sectors and requires r/m/w cycles to do 512-byte writes.
The sector size should really be a parameter to cgd like the name of
the cipher, because it qualitatively changes the cipher that cgd
computes -- and if some chain of adapters causes a disk with
4096-byte sectors to be presented with 512 bytes or vice versa,
you'll see garbage on your disk.
Unlike AES-CBC or AES-XTS (which don't really care what the sector
size is), Adiantum also takes better advantage of larger sectors --
cursory measurements suggest that it's about 1.5x throughput for
4096-byte sectors over 512-byte sectors.
I did not add any mechanism for configuring the sector size, but it
would be good if we taught cgd to do that (and an upgrade path for
storing it in the parameters file).
* Other existing ciphers.
Our 3DES, Blowfish, CAST128, Camellia, and Skipjack software in the
kernel also obviously relies on secret-dependent array indices.
These are not as high a priority because frankly I don't think
anyone should be using these, and I'd rather get rid of them -- or
maybe reduce 3DES and Blowfish to decryption only, to read old cgd
disks -- than spend any other effort on them.
* Performance measurement.
Most of the performance measurement I did -- which was very rough,
enough to convince me that hardware AES as implemented here clearly
wins in practice over even variable-time software AES, and that my
totally untuned first draft of Adiantum is not worse than
variable-time software AES -- was with:
dd if=/dev/zero of=/tmp/disk bs=1m count=512 progress=$((512/80))
vnconfig -cv vnd0 /tmp/disk
cgdconfig -s cgd0 /dev/vnd0 aes-cbc 256 < /dev/zero
# measure decryption throughput
dd if=/dev/rcgd0d of=/dev/null bs=64k progress=$((512*1024/64/80))
# measure encryption throughput
dd if=/dev/zero of=/dev/rcgd0d bs=64k progress=$((512*1024/64/80))
(Substitute `aes-xts 512' or `adiantum 256' in the cgdconfig
incantation for a fair comparison.)
Thoughts? Comments? Objections? Musical numbers by Groucho Marx on
the nature of consensus?
[1] Daniel J. Bernstein, `Cache-timing attacks on AES', 2004-11-11.
https://cr.yp.to/papers.html#cachetiming
[2] Eran Tromer, Dag Arne Osvik, and Adi Shamir, `Efficient cache
attacks on AES, and countermeasures', Journal of Cryptology 23(1),
pp. 37--71, Springer, 2010. DOI: 10.1007/s00145-009-9049-y
http://www.cs.tau.ac.il/~tromer/papers/cache-joc-official.pdf
[3] Paul Crowley and Eric Biggers, `Adiantum: length-preserving
encryption for entry-level processors', IACR Transactions on
Symmetric Cryptology 2018(4), pp. 39--61.
https://doi.org/10.13154/tosc.v2018.i4.39-61
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592424014 0
# Wed Jun 17 20:00:14 2020 +0000
# Branch trunk
# Node ID 4a0394d9dc15ee6e51a1f1d6ec158d6f172bb9e0
# Parent 9d717769d8e9978731b1dc571cacd36aa44c7d3d
# EXP-Topic riastradh-kernelcrypto
Spell `blowfish-cbc' as such, not like `bf-cbc'.
Gotta match the name we actually use for this to work!
diff -r 9d717769d8e9 -r 4a0394d9dc15 sys/dev/cgd.c
--- a/sys/dev/cgd.c Mon Jun 15 01:24:20 2020 +0000
+++ b/sys/dev/cgd.c Wed Jun 17 20:00:14 2020 +0000
@@ -1298,7 +1298,7 @@ cgd_ioctl_set(struct cgd_softc *sc, void
if (encblkno[i].v != CGD_CIPHER_CBC_ENCBLKNO1) {
if (strcmp(sc->sc_cfuncs->cf_name, "aes-cbc") &&
strcmp(sc->sc_cfuncs->cf_name, "3des-cbc") &&
- strcmp(sc->sc_cfuncs->cf_name, "bf-cbc")) {
+ strcmp(sc->sc_cfuncs->cf_name, "blowfish-cbc")) {
log(LOG_WARNING, "cgd: %s only makes sense for cbc,"
" not for %s; ignoring\n",
encblkno[i].n, sc->sc_cfuncs->cf_name);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1591241685 0
# Thu Jun 04 03:34:45 2020 +0000
# Branch trunk
# Node ID 08a86cf7e9ffdc8949751596b2f93934c8f3b692
# Parent 4a0394d9dc15ee6e51a1f1d6ec158d6f172bb9e0
# EXP-Topic riastradh-kernelcrypto
Draft fpu_kthread_enter/leave on x86.
Only fit for kthreads, not user lwps. Preemptible, nestable.
diff -r 4a0394d9dc15 -r 08a86cf7e9ff sys/arch/amd64/include/proc.h
--- a/sys/arch/amd64/include/proc.h Wed Jun 17 20:00:14 2020 +0000
+++ b/sys/arch/amd64/include/proc.h Thu Jun 04 03:34:45 2020 +0000
@@ -55,6 +55,7 @@ struct mdlwp {
#define MDL_COMPAT32 0x0008 /* i386, always return via iret */
#define MDL_IRET 0x0010 /* force return via iret, not sysret */
#define MDL_FPU_IN_CPU 0x0020 /* the FPU state is in the CPU */
+#define MDL_SYSTEM_FPU 0x0040 /* system thread is allowed FPU use */
struct mdproc {
int md_flags;
diff -r 4a0394d9dc15 -r 08a86cf7e9ff sys/arch/i386/include/proc.h
--- a/sys/arch/i386/include/proc.h Wed Jun 17 20:00:14 2020 +0000
+++ b/sys/arch/i386/include/proc.h Thu Jun 04 03:34:45 2020 +0000
@@ -44,6 +44,7 @@ struct pmap;
struct vm_page;
#define MDL_FPU_IN_CPU 0x0020 /* the FPU state is in the CPU */
+#define MDL_SYSTEM_FPU 0x0040 /* system thread is allowed FPU use */
struct mdlwp {
volatile uint64_t md_tsc; /* last TSC reading */
diff -r 4a0394d9dc15 -r 08a86cf7e9ff sys/arch/x86/include/fpu.h
--- a/sys/arch/x86/include/fpu.h Wed Jun 17 20:00:14 2020 +0000
+++ b/sys/arch/x86/include/fpu.h Thu Jun 04 03:34:45 2020 +0000
@@ -33,6 +33,9 @@ void fpu_lwp_abandon(struct lwp *l);
void fpu_kern_enter(void);
void fpu_kern_leave(void);
+int fpu_kthread_enter(void);
+void fpu_kthread_leave(int);
+
void process_write_fpregs_xmm(struct lwp *, const struct fxsave *);
void process_write_fpregs_s87(struct lwp *, const struct save87 *);
diff -r 4a0394d9dc15 -r 08a86cf7e9ff sys/arch/x86/x86/fpu.c
--- a/sys/arch/x86/x86/fpu.c Wed Jun 17 20:00:14 2020 +0000
+++ b/sys/arch/x86/x86/fpu.c Thu Jun 04 03:34:45 2020 +0000
@@ -137,7 +137,8 @@ fpu_lwp_area(struct lwp *l)
struct pcb *pcb = lwp_getpcb(l);
union savefpu *area = &pcb->pcb_savefpu;
- KASSERT((l->l_flag & LW_SYSTEM) == 0);
+ KASSERT((l->l_flag & LW_SYSTEM) == 0 ||
+ (l->l_md.md_flags & MDL_SYSTEM_FPU));
if (l == curlwp) {
fpu_save();
}
@@ -154,7 +155,8 @@ fpu_save_lwp(struct lwp *l)
kpreempt_disable();
if (l->l_md.md_flags & MDL_FPU_IN_CPU) {
- KASSERT((l->l_flag & LW_SYSTEM) == 0);
+ KASSERT((l->l_flag & LW_SYSTEM) == 0 ||
+ (l->l_md.md_flags & MDL_SYSTEM_FPU));
fpu_area_save(area, x86_xsave_features);
l->l_md.md_flags &= ~MDL_FPU_IN_CPU;
}
@@ -343,6 +345,75 @@ fpu_lwp_abandon(struct lwp *l)
/* -------------------------------------------------------------------------- */
+static const union savefpu zero_fpu __aligned(64);
+
+/*
+ * s = fpu_kthread_enter()
+ *
+ * Allow the current kthread to use the FPU without disabling
+ * preemption as fpu_kern_enter/leave do. Must not be used in a
+ * user lwp. When done, call fpu_kthread_leave(s). May be
+ * recursively nested.
+ *
+ * Must not be invoked while in a fpu_kern_enter/leave block.
+ */
+int
+fpu_kthread_enter(void)
+{
+ struct lwp *l = curlwp;
+ int system_fpu = l->l_md.md_flags & MDL_SYSTEM_FPU;
+
+ KASSERTMSG(l->l_flag & LW_SYSTEM,
+ "fpu_kthread_enter is allowed only in kthreads");
+ KASSERTMSG(curcpu()->ci_kfpu_spl == -1,
+ "fpu_kthread_enter is not allowed between fpu_kern_enter/leave");
+
+ if (!system_fpu) {
+ /*
+ * Notify the FPU fault handler to save the FPU state
+ * for us.
+ */
+ l->l_md.md_flags |= MDL_SYSTEM_FPU;
+
+ /* Clear CR0_TS to enable the FPU. */
+ clts();
+ }
+
+ return system_fpu;
+}
+
+/*
+ * fpu_kthread_leave(s)
+ *
+ * Return to the previous state of whether the current kthread can
+ * use the FPU without disabling preemption.
+ */
+void
+fpu_kthread_leave(int system_fpu)
+{
+ struct lwp *l = curlwp;
+
+ KASSERTMSG(l->l_flag & LW_SYSTEM,
+ "fpu_kthread_leave is allowed only in kthreads");
+ KASSERTMSG(l->l_md.md_flags & MDL_SYSTEM_FPU,
+ "fpu_kthread_leave without fpu_kthread_enter");
+
+ if (!system_fpu) {
+ /*
+ * Zero the fpu registers; otherwise we might leak
+ * secrets through Spectre-class attacks to userland,
+ * even if there are no bugs in fpu state management.
+ */
+ fpu_area_restore(&zero_fpu, x86_xsave_features);
+
+ /* Set CR0_TS to disable use of the FPU. */
+ stts();
+
+ /* Stop asking to save our FPU state. */
+ l->l_md.md_flags &= ~MDL_SYSTEM_FPU;
+ }
+}
+
/*
* fpu_kern_enter()
*
@@ -359,6 +430,10 @@ fpu_kern_enter(void)
struct cpu_info *ci;
int s;
+ /* Nothing needed if we're in a kthread with FPU enabled. */
+ if (l->l_md.md_flags & MDL_SYSTEM_FPU)
+ return;
+
s = splhigh();
ci = curcpu();
@@ -392,10 +467,14 @@ fpu_kern_enter(void)
void
fpu_kern_leave(void)
{
- static const union savefpu zero_fpu __aligned(64);
+ struct lwp *l = curlwp;
struct cpu_info *ci = curcpu();
int s;
+ /* Nothing needed if we're in a kthread with FPU enabled. */
+ if (l->l_md.md_flags & MDL_SYSTEM_FPU)
+ return;
+
KASSERT(ci->ci_ilevel == IPL_HIGH);
KASSERT(ci->ci_kfpu_spl != -1);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1591240980 0
# Thu Jun 04 03:23:00 2020 +0000
# Branch trunk
# Node ID e7941432a3cd362134c7e5195b5c9725e332de7f
# Parent 08a86cf7e9ffdc8949751596b2f93934c8f3b692
# EXP-Topic riastradh-kernelcrypto
Draft fpu_kern_enter/leave on aarch64.
diff -r 08a86cf7e9ff -r e7941432a3cd sys/arch/aarch64/aarch64/cpu.c
--- a/sys/arch/aarch64/aarch64/cpu.c Thu Jun 04 03:34:45 2020 +0000
+++ b/sys/arch/aarch64/aarch64/cpu.c Thu Jun 04 03:23:00 2020 +0000
@@ -133,6 +133,8 @@ cpu_attach(device_t dv, cpuid_t id)
ci->ci_dev = dv;
dv->dv_private = ci;
+ ci->ci_kfpu_spl = -1;
+
arm_cpu_do_topology(ci);
cpu_identify(ci->ci_dev, ci);
diff -r 08a86cf7e9ff -r e7941432a3cd sys/arch/aarch64/aarch64/fpu.c
--- a/sys/arch/aarch64/aarch64/fpu.c Thu Jun 04 03:34:45 2020 +0000
+++ b/sys/arch/aarch64/aarch64/fpu.c Thu Jun 04 03:23:00 2020 +0000
@@ -38,6 +38,8 @@
#include <sys/lwp.h>
#include <sys/evcnt.h>
+#include <aarch64/fpu.h>
+#include <aarch64/locore.h>
#include <aarch64/reg.h>
#include <aarch64/pcb.h>
#include <aarch64/armreg.h>
@@ -172,3 +174,68 @@ fpu_state_release(lwp_t *l)
reg_cpacr_el1_write(CPACR_FPEN_NONE);
__asm __volatile ("isb");
}
+
+void
+fpu_kern_enter(void)
+{
+ struct lwp *l = curlwp;
+ struct cpu_info *ci;
+ int s;
+
+ /*
+ * Block all interrupts. We must block preemption since -- if
+ * this is a user thread -- there is nowhere to save the kernel
+ * fpu state, and if we want this to be usable in interrupts,
+ * we can't let interrupts interfere with the fpu state in use
+ * since there's nowhere for them to save it.
+ */
+ s = splhigh();
+ ci = curcpu();
+ KASSERT(ci->ci_kfpu_spl == -1);
+ ci->ci_kfpu_spl = s;
+
+ /*
+ * If we are in a softint and have a pinned lwp, the fpu state
+ * is that of the pinned lwp, so save it there.
+ */
+ if ((l->l_pflag & LP_INTR) && (l->l_switchto != NULL))
+ l = l->l_switchto;
+ if (fpu_used_p(l))
+ fpu_save(l);
+
+ /*
+ * Enable the fpu, and wait until it is enabled before
+ * executing any further instructions.
+ */
+ reg_cpacr_el1_write(CPACR_FPEN_ALL);
+ arm_isb();
+}
+
+void
+fpu_kern_leave(void)
+{
+ static const struct fpreg zero_fpreg;
+ struct cpu_info *ci = curcpu();
+ int s;
+
+ KASSERT(ci->ci_cpl == IPL_HIGH);
+ KASSERT(ci->ci_kfpu_spl != -1);
+
+ /*
+ * Zero the fpu registers; otherwise we might leak secrets
+ * through Spectre-class attacks to userland, even if there are
+ * no bugs in fpu state management.
+ */
+ load_fpregs(&zero_fpreg);
+
+ /*
+ * Disable the fpu so that the kernel can't accidentally use
+ * it again.
+ */
+ reg_cpacr_el1_write(CPACR_FPEN_NONE);
+ arm_isb();
+
+ s = ci->ci_kfpu_spl;
+ ci->ci_kfpu_spl = -1;
+ splx(s);
+}
diff -r 08a86cf7e9ff -r e7941432a3cd sys/arch/aarch64/include/cpu.h
--- a/sys/arch/aarch64/include/cpu.h Thu Jun 04 03:34:45 2020 +0000
+++ b/sys/arch/aarch64/include/cpu.h Thu Jun 04 03:23:00 2020 +0000
@@ -89,6 +89,8 @@ struct cpu_info {
volatile u_int ci_astpending;
volatile u_int ci_intr_depth;
+ int ci_kfpu_spl;
+
/* event counters */
struct evcnt ci_vfp_use;
struct evcnt ci_vfp_reuse;
diff -r 08a86cf7e9ff -r e7941432a3cd sys/arch/aarch64/include/fpu.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/arch/aarch64/include/fpu.h Thu Jun 04 03:23:00 2020 +0000
@@ -0,0 +1,35 @@
+/* $NetBSD$ */
+
+/*
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _AARCH64_FPU_H_
+#define _AARCH64_FPU_H_
+
+void fpu_kern_enter(void);
+void fpu_kern_leave(void);
+
+#endif /* _AARCH64_FPU_H_ */
diff -r 08a86cf7e9ff -r e7941432a3cd sys/arch/aarch64/include/machdep.h
--- a/sys/arch/aarch64/include/machdep.h Thu Jun 04 03:34:45 2020 +0000
+++ b/sys/arch/aarch64/include/machdep.h Thu Jun 04 03:23:00 2020 +0000
@@ -142,8 +142,11 @@ void aarch64_setregs_ptrauth(struct lwp
/* fpu.c */
void fpu_attach(struct cpu_info *);
struct fpreg;
-void load_fpregs(struct fpreg *);
+void load_fpregs(const struct fpreg *);
void save_fpregs(struct fpreg *);
+void fpu_kern_enter(void);
+void fpu_kern_leave(void);
+
#ifdef TRAP_SIGDEBUG
#define do_trapsignal(l, signo, code, addr, trap) \
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592418582 0
# Wed Jun 17 18:29:42 2020 +0000
# Branch trunk
# Node ID 5f0c9efc2bac72063928aca09b8529df4e63e77a
# Parent e7941432a3cd362134c7e5195b5c9725e332de7f
# EXP-Topic riastradh-kernelcrypto
Draft fpu_kthread_enter/leave for aarch64.
diff -r e7941432a3cd -r 5f0c9efc2bac sys/arch/aarch64/aarch64/fpu.c
--- a/sys/arch/aarch64/aarch64/fpu.c Thu Jun 04 03:23:00 2020 +0000
+++ b/sys/arch/aarch64/aarch64/fpu.c Wed Jun 17 18:29:42 2020 +0000
@@ -175,6 +175,59 @@ fpu_state_release(lwp_t *l)
__asm __volatile ("isb");
}
+static const struct fpreg zero_fpreg;
+
+int
+fpu_kthread_enter(void)
+{
+ struct lwp *l = curlwp;
+ int system_fpu = l->l_md.md_flags & MDL_SYSTEM_FPU;
+
+ KASSERTMSG(l->l_flag & LW_SYSTEM,
+ "fpu_kthread_enter is allowed only in kthreads");
+ KASSERTMSG(curcpu()->ci_kfpu_spl == -1,
+ "fpu_kthread_enter is not allowed between fpu_kern_enter/leave");
+
+ if (!system_fpu) {
+ /*
+ * Notify the FPU fault handler to save the FPU state
+ * for us.
+ */
+ l->l_md.md_flags |= MDL_SYSTEM_FPU;
+
+ /* Enable the FPU. */
+ fpu_state_load(l, 0);
+ }
+
+ return system_fpu;
+}
+
+void
+fpu_kthread_leave(int system_fpu)
+{
+ struct lwp *l = curlwp;
+
+ KASSERTMSG(l->l_flag & LW_SYSTEM,
+ "fpu_kthread_leave is allowed only in kthreads");
+ KASSERTMSG(l->l_md.md_flags & MDL_SYSTEM_FPU,
+ "fpu_kthread_leave without fpu_kthread_enter");
+
+ if (!system_fpu) {
+ /*
+ * Zero the fpu registers; otherwise we might leak
+ * secrets through Spectre-class attacks to userland,
+ * even if there are no bugs in fpu state management.
+ */
+ load_fpregs(&zero_fpreg);
+
+ /* Disable the FPU. */
+ fpu_state_release(l);
+
+ /* Stop asking to save our FPU state. */
+ l->l_md.md_flags &= ~MDL_SYSTEM_FPU;
+ }
+}
+
void
fpu_kern_enter(void)
{
@@ -182,6 +235,10 @@ fpu_kern_enter(void)
struct cpu_info *ci;
int s;
+ /* Nothing needed if we're in a kthread with FPU enabled. */
+ if (l->l_md.md_flags & MDL_SYSTEM_FPU)
+ return;
+
/*
* Block all interrupts. We must block preemption since -- if
* this is a user thread -- there is nowhere to save the kernel
@@ -214,10 +271,14 @@ fpu_kern_enter(void)
void
fpu_kern_leave(void)
{
- static const struct fpreg zero_fpreg;
+ struct lwp *l = curlwp;
struct cpu_info *ci = curcpu();
int s;
+ /* Nothing needed if we're in a kthread with FPU enabled. */
+ if (l->l_md.md_flags & MDL_SYSTEM_FPU)
+ return;
+
KASSERT(ci->ci_cpl == IPL_HIGH);
KASSERT(ci->ci_kfpu_spl != -1);
diff -r e7941432a3cd -r 5f0c9efc2bac sys/arch/aarch64/include/fpu.h
--- a/sys/arch/aarch64/include/fpu.h Thu Jun 04 03:23:00 2020 +0000
+++ b/sys/arch/aarch64/include/fpu.h Wed Jun 17 18:29:42 2020 +0000
@@ -29,6 +29,9 @@
#ifndef _AARCH64_FPU_H_
#define _AARCH64_FPU_H_
+int fpu_kthread_enter(void);
+void fpu_kthread_leave(int);
+
void fpu_kern_enter(void);
void fpu_kern_leave(void);
diff -r e7941432a3cd -r 5f0c9efc2bac sys/arch/aarch64/include/proc.h
--- a/sys/arch/aarch64/include/proc.h Thu Jun 04 03:23:00 2020 +0000
+++ b/sys/arch/aarch64/include/proc.h Wed Jun 17 18:29:42 2020 +0000
@@ -43,6 +43,7 @@ struct mdlwp {
struct trapframe *md_utf;
uint64_t md_cpacr;
uint32_t md_flags;
+#define MDL_SYSTEM_FPU __BIT(0)
uint64_t md_ia_kern[2]; /* APIAKey{Lo,Hi}_EL1 used in the kernel */
uint64_t md_ia_user[2]; /* APIAKey{Lo,Hi}_EL1 used in user-process */
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592150319 0
# Sun Jun 14 15:58:39 2020 +0000
# Branch trunk
# Node ID 81a487955535865a6bb603c585be109c3dd1adf5
# Parent 5f0c9efc2bac72063928aca09b8529df4e63e77a
# EXP-Topic riastradh-kernelcrypto
Draft aarch64 zero_fpregs.
Just a series of sad donkeys, with no memory references.
diff -r 5f0c9efc2bac -r 81a487955535 sys/arch/aarch64/aarch64/cpuswitch.S
--- a/sys/arch/aarch64/aarch64/cpuswitch.S Wed Jun 17 18:29:42 2020 +0000
+++ b/sys/arch/aarch64/aarch64/cpuswitch.S Sun Jun 14 15:58:39 2020 +0000
@@ -538,3 +538,43 @@ ENTRY_NP(save_fpregs)
str w9, [x0, #FPREG_FPSR]
ret
END(save_fpregs)
+
+ENTRY_NP(zero_fpregs)
+ eor v0.16b, v0.16b, v0.16b
+ eor v1.16b, v1.16b, v1.16b
+ eor v2.16b, v2.16b, v2.16b
+ eor v3.16b, v3.16b, v3.16b
+ eor v4.16b, v4.16b, v4.16b
+ eor v5.16b, v5.16b, v5.16b
+ eor v6.16b, v6.16b, v6.16b
+ eor v7.16b, v7.16b, v7.16b
+ eor v8.16b, v8.16b, v8.16b
+ eor v9.16b, v9.16b, v9.16b
+ eor v10.16b, v10.16b, v10.16b
+ eor v11.16b, v11.16b, v11.16b
+ eor v12.16b, v12.16b, v12.16b
+ eor v13.16b, v13.16b, v13.16b
+ eor v14.16b, v14.16b, v14.16b
+ eor v15.16b, v15.16b, v15.16b
+ eor v16.16b, v16.16b, v16.16b
+ eor v17.16b, v17.16b, v17.16b
+ eor v18.16b, v18.16b, v18.16b
+ eor v19.16b, v19.16b, v19.16b
+ eor v20.16b, v20.16b, v20.16b
+ eor v21.16b, v21.16b, v21.16b
+ eor v22.16b, v22.16b, v22.16b
+ eor v23.16b, v23.16b, v23.16b
+ eor v24.16b, v24.16b, v24.16b
+ eor v25.16b, v25.16b, v25.16b
+ eor v26.16b, v26.16b, v26.16b
+ eor v27.16b, v27.16b, v27.16b
+ eor v28.16b, v28.16b, v28.16b
+ eor v29.16b, v29.16b, v29.16b
+ eor v30.16b, v30.16b, v30.16b
+ eor v31.16b, v31.16b, v31.16b
+ eor x8, x8, x8
+ eor x9, x9, x9
+ msr fpcr, x8
+ msr fpsr, x9
+ ret
+END(zero_fpregs)
diff -r 5f0c9efc2bac -r 81a487955535 sys/arch/aarch64/include/machdep.h
--- a/sys/arch/aarch64/include/machdep.h Wed Jun 17 18:29:42 2020 +0000
+++ b/sys/arch/aarch64/include/machdep.h Sun Jun 14 15:58:39 2020 +0000
@@ -144,6 +144,7 @@ void fpu_attach(struct cpu_info *);
struct fpreg;
void load_fpregs(const struct fpreg *);
void save_fpregs(struct fpreg *);
+void zero_fpregs(void);
void fpu_kern_enter(void);
void fpu_kern_leave(void);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1591939006 0
# Fri Jun 12 05:16:46 2020 +0000
# Branch trunk
# Node ID 9d6b84c40f6517bb55848159faa9478ef1a23d02
# Parent 81a487955535865a6bb603c585be109c3dd1adf5
# EXP-Topic riastradh-kernelcrypto
Rework AES in kernel to finally address CVE-2005-1797.
1. Rip out old variable-time reference implementation.
2. Replace it by BearSSL's constant-time 32-bit logic.
=> Obtained from commit dda1f8a0c46e15b4a235163470ff700b2f13dcc5.
=> We could conditionally adopt the 64-bit logic too, which would
likely give a modest performance boost on 64-bit platforms
without AES-NI, but that's a bit more trouble.
3. Select the AES implementation at boot-time; allow an MD override.
=> Use self-tests to verify basic correctness at boot.
=> The implementation selection policy is rather rudimentary at
the moment but it is isolated to one place so it's easy to
change later on.
This (a) plugs a host of timing attacks on, e.g., cgd, and (b) paves
the way to take advantage of CPU support for AES -- both things we
should've done a decade ago. Downside: Computing AES takes 2-3x the
CPU time. But that's what hardware support will be coming for.
Rudimentary measurement of performance impact done by:
mount -t tmpfs tmpfs /tmp
dd if=/dev/zero of=/tmp/disk bs=1m count=512
vnconfig -cv vnd0 /tmp/disk
cgdconfig -s cgd0 /dev/vnd0 aes-cbc 256 < /dev/zero
dd if=/dev/rcgd0d of=/dev/null bs=64k
dd if=/dev/zero of=/dev/rcgd0d bs=64k
The AES-CBC encryption performance impact is closer to 3x because it
is inherently sequential; the AES-CBC decryption impact is closer to
2x because the bitsliced AES logic can process two blocks at once.
diff -r 81a487955535 -r 9d6b84c40f65 sys/conf/files
--- a/sys/conf/files Sun Jun 14 15:58:39 2020 +0000
+++ b/sys/conf/files Fri Jun 12 05:16:46 2020 +0000
@@ -200,10 +200,10 @@ defflag opt_machdep.h MACHDEP
# use it.
# Individual crypto transforms
+include "crypto/aes/files.aes"
include "crypto/des/files.des"
include "crypto/blowfish/files.blowfish"
include "crypto/cast128/files.cast128"
-include "crypto/rijndael/files.rijndael"
include "crypto/skipjack/files.skipjack"
include "crypto/camellia/files.camellia"
# General-purpose crypto processing framework.
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes.h Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,101 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _CRYPTO_AES_AES_H
+#define _CRYPTO_AES_AES_H
+
+#include <sys/types.h>
+#include <sys/cdefs.h>
+
+/*
+ * struct aes
+ *
+ * Expanded round keys.
+ */
+struct aes {
+ uint32_t aes_rk[60];
+} __aligned(16);
+
+#define AES_128_NROUNDS 10
+#define AES_192_NROUNDS 12
+#define AES_256_NROUNDS 14
+
+struct aesenc {
+ struct aes aese_aes;
+};
+
+struct aesdec {
+ struct aes aesd_aes;
+};
+
+struct aes_impl {
+ const char *ai_name;
+ int (*ai_probe)(void);
+ void (*ai_setenckey)(struct aesenc *, const uint8_t *, uint32_t);
+ void (*ai_setdeckey)(struct aesdec *, const uint8_t *, uint32_t);
+ void (*ai_enc)(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+ void (*ai_dec)(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+ void (*ai_cbc_enc)(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+ void (*ai_cbc_dec)(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+ void (*ai_xts_enc)(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+ void (*ai_xts_dec)(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+};
+
+int aes_selftest(const struct aes_impl *);
+
+uint32_t aes_setenckey128(struct aesenc *, const uint8_t[static 16]);
+uint32_t aes_setenckey192(struct aesenc *, const uint8_t[static 24]);
+uint32_t aes_setenckey256(struct aesenc *, const uint8_t[static 32]);
+uint32_t aes_setdeckey128(struct aesdec *, const uint8_t[static 16]);
+uint32_t aes_setdeckey192(struct aesdec *, const uint8_t[static 24]);
+uint32_t aes_setdeckey256(struct aesdec *, const uint8_t[static 32]);
+
+void aes_enc(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+void aes_dec(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+
+void aes_cbc_enc(struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aes_cbc_dec(struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+
+void aes_xts_enc(struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aes_xts_dec(struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+
+void aes_md_init(const struct aes_impl *);
+
+#endif /* _CRYPTO_AES_AES_H */
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_bear.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_bear.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,617 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/endian.h>
+#include <sys/systm.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/aes/aes_bear.h>
+
+static void
+aesbear_setkey(uint32_t rk[static 60], const void *key, uint32_t nrounds)
+{
+ size_t key_len;
+
+ switch (nrounds) {
+ case 10:
+ key_len = 16;
+ break;
+ case 12:
+ key_len = 24;
+ break;
+ case 14:
+ key_len = 32;
+ break;
+ default:
+ panic("invalid AES nrounds: %u", nrounds);
+ }
+
+ br_aes_ct_keysched(rk, key, key_len);
+}
+
+static void
+aesbear_setenckey(struct aesenc *enc, const uint8_t *key, uint32_t nrounds)
+{
+
+ aesbear_setkey(enc->aese_aes.aes_rk, key, nrounds);
+}
+
+static void
+aesbear_setdeckey(struct aesdec *dec, const uint8_t *key, uint32_t nrounds)
+{
+
+ /*
+ * BearSSL computes InvMixColumns on the fly -- no need for
+ * distinct decryption round keys.
+ */
+ aesbear_setkey(dec->aesd_aes.aes_rk, key, nrounds);
+}
+
+static void
+aesbear_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+ uint32_t sk_exp[120];
+ uint32_t q[8];
+
+ /* Expand round keys for bitslicing. */
+ br_aes_ct_skey_expand(sk_exp, nrounds, enc->aese_aes.aes_rk);
+
+ /* Load input block interleaved with garbage block. */
+ q[2*0] = le32dec(in + 4*0);
+ q[2*1] = le32dec(in + 4*1);
+ q[2*2] = le32dec(in + 4*2);
+ q[2*3] = le32dec(in + 4*3);
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ /* Transform to bitslice, decrypt, transform from bitslice. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_encrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store output block. */
+ le32enc(out + 4*0, q[2*0]);
+ le32enc(out + 4*1, q[2*1]);
+ le32enc(out + 4*2, q[2*2]);
+ le32enc(out + 4*3, q[2*3]);
+
+ /* Paranoia: Zero temporary buffers. */
+ explicit_memset(sk_exp, 0, sizeof sk_exp);
+ explicit_memset(q, 0, sizeof q);
+}
+
+static void
+aesbear_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+ uint32_t sk_exp[120];
+ uint32_t q[8];
+
+ /* Expand round keys for bitslicing. */
+ br_aes_ct_skey_expand(sk_exp, nrounds, dec->aesd_aes.aes_rk);
+
+ /* Load input block interleaved with garbage. */
+ q[2*0] = le32dec(in + 4*0);
+ q[2*1] = le32dec(in + 4*1);
+ q[2*2] = le32dec(in + 4*2);
+ q[2*3] = le32dec(in + 4*3);
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ /* Transform to bitslice, decrypt, transform from bitslice. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_decrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store output block. */
+ le32enc(out + 4*0, q[2*0]);
+ le32enc(out + 4*1, q[2*1]);
+ le32enc(out + 4*2, q[2*2]);
+ le32enc(out + 4*3, q[2*3]);
+
+ /* Paranoia: Zero temporary buffers. */
+ explicit_memset(sk_exp, 0, sizeof sk_exp);
+ explicit_memset(q, 0, sizeof q);
+}
+
+static void
+aesbear_cbc_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+ uint32_t sk_exp[120];
+ uint32_t q[8];
+ uint32_t cv0, cv1, cv2, cv3;
+
+ KASSERT(nbytes % 16 == 0);
+
+ /* Skip if there's nothing to do. */
+ if (nbytes == 0)
+ return;
+
+ /* Expand round keys for bitslicing. */
+ br_aes_ct_skey_expand(sk_exp, nrounds, enc->aese_aes.aes_rk);
+
+ /* Initialize garbage block. */
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ /* Load IV. */
+ cv0 = le32dec(iv + 4*0);
+ cv1 = le32dec(iv + 4*1);
+ cv2 = le32dec(iv + 4*2);
+ cv3 = le32dec(iv + 4*3);
+
+ for (; nbytes; nbytes -= 16, in += 16, out += 16) {
+ /* Load input block and apply CV. */
+ q[2*0] = cv0 ^ le32dec(in + 4*0);
+ q[2*1] = cv1 ^ le32dec(in + 4*1);
+ q[2*2] = cv2 ^ le32dec(in + 4*2);
+ q[2*3] = cv3 ^ le32dec(in + 4*3);
+
+ /* Transform to bitslice, encrypt, transform from bitslice. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_encrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Remember ciphertext as CV and store output block. */
+ cv0 = q[2*0];
+ cv1 = q[2*1];
+ cv2 = q[2*2];
+ cv3 = q[2*3];
+ le32enc(out + 4*0, cv0);
+ le32enc(out + 4*1, cv1);
+ le32enc(out + 4*2, cv2);
+ le32enc(out + 4*3, cv3);
+ }
+
+ /* Store updated IV. */
+ le32enc(iv + 4*0, cv0);
+ le32enc(iv + 4*1, cv1);
+ le32enc(iv + 4*2, cv2);
+ le32enc(iv + 4*3, cv3);
+
+ /* Paranoia: Zero temporary buffers. */
+ explicit_memset(sk_exp, 0, sizeof sk_exp);
+ explicit_memset(q, 0, sizeof q);
+}
+
+static void
+aesbear_cbc_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+ uint32_t sk_exp[120];
+ uint32_t q[8];
+ uint32_t cv0, cv1, cv2, cv3, iv0, iv1, iv2, iv3;
+
+ KASSERT(nbytes % 16 == 0);
+
+ /* Skip if there's nothing to do. */
+ if (nbytes == 0)
+ return;
+
+ /* Expand round keys for bitslicing. */
+ br_aes_ct_skey_expand(sk_exp, nrounds, dec->aesd_aes.aes_rk);
+
+ /* Load the IV. */
+ iv0 = le32dec(iv + 4*0);
+ iv1 = le32dec(iv + 4*1);
+ iv2 = le32dec(iv + 4*2);
+ iv3 = le32dec(iv + 4*3);
+
+ /* Load the last cipher block. */
+ cv0 = le32dec(in + nbytes - 16 + 4*0);
+ cv1 = le32dec(in + nbytes - 16 + 4*1);
+ cv2 = le32dec(in + nbytes - 16 + 4*2);
+ cv3 = le32dec(in + nbytes - 16 + 4*3);
+
+ /* Store the updated IV. */
+ le32enc(iv + 4*0, cv0);
+ le32enc(iv + 4*1, cv1);
+ le32enc(iv + 4*2, cv2);
+ le32enc(iv + 4*3, cv3);
+
+ /* Handle the last cipher block separately if odd number. */
+ if (nbytes % 32) {
+ KASSERT(nbytes % 32 == 16);
+
+ /* Set up the last cipher block and a garbage block. */
+ q[2*0] = cv0;
+ q[2*1] = cv1;
+ q[2*2] = cv2;
+ q[2*3] = cv3;
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ /* Encrypt. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_decrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* If this was the only cipher block, we're done. */
+ nbytes -= 16;
+ if (nbytes == 0)
+ goto out;
+
+ /*
+ * Otherwise, load up the penultimate cipher block, and
+ * store the output block.
+ */
+ cv0 = le32dec(in + nbytes - 16 + 4*0);
+ cv1 = le32dec(in + nbytes - 16 + 4*1);
+ cv2 = le32dec(in + nbytes - 16 + 4*2);
+ cv3 = le32dec(in + nbytes - 16 + 4*3);
+ le32enc(out + nbytes + 4*0, cv0 ^ q[2*0]);
+ le32enc(out + nbytes + 4*1, cv1 ^ q[2*1]);
+ le32enc(out + nbytes + 4*2, cv2 ^ q[2*2]);
+ le32enc(out + nbytes + 4*3, cv3 ^ q[2*3]);
+ }
+
+ for (;;) {
+ KASSERT(nbytes >= 32);
+
+ /*
+ * 1. Set up upper cipher block from cvN.
+ * 2. Load lower cipher block into cvN and set it up.
+ * 3. Decrypt.
+ */
+ q[2*0 + 1] = cv0;
+ q[2*1 + 1] = cv1;
+ q[2*2 + 1] = cv2;
+ q[2*3 + 1] = cv3;
+ cv0 = q[2*0] = le32dec(in + nbytes - 32 + 4*0);
+ cv1 = q[2*1] = le32dec(in + nbytes - 32 + 4*1);
+ cv2 = q[2*2] = le32dec(in + nbytes - 32 + 4*2);
+ cv3 = q[2*3] = le32dec(in + nbytes - 32 + 4*3);
+
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_decrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store the upper output block. */
+ le32enc(out + nbytes - 16 + 4*0, q[2*0 + 1] ^ cv0);
+ le32enc(out + nbytes - 16 + 4*1, q[2*1 + 1] ^ cv1);
+ le32enc(out + nbytes - 16 + 4*2, q[2*2 + 1] ^ cv2);
+ le32enc(out + nbytes - 16 + 4*3, q[2*3 + 1] ^ cv3);
+
+ /* Stop if we've reached the first output block. */
+ nbytes -= 32;
+ if (nbytes == 0)
+ goto out;
+
+ /*
+ * Load the preceding cipher block, and apply it as the
+ * chaining value to this one.
+ */
+ cv0 = le32dec(in + nbytes - 16 + 4*0);
+ cv1 = le32dec(in + nbytes - 16 + 4*1);
+ cv2 = le32dec(in + nbytes - 16 + 4*2);
+ cv3 = le32dec(in + nbytes - 16 + 4*3);
+ le32enc(out + nbytes + 4*0, q[2*0] ^ cv0);
+ le32enc(out + nbytes + 4*1, q[2*1] ^ cv1);
+ le32enc(out + nbytes + 4*2, q[2*2] ^ cv2);
+ le32enc(out + nbytes + 4*3, q[2*3] ^ cv3);
+ }
+
+out: /* Store the first output block. */
+ le32enc(out + 4*0, q[2*0] ^ iv0);
+ le32enc(out + 4*1, q[2*1] ^ iv1);
+ le32enc(out + 4*2, q[2*2] ^ iv2);
+ le32enc(out + 4*3, q[2*3] ^ iv3);
+
+ /* Paranoia: Zero temporary buffers. */
+ explicit_memset(sk_exp, 0, sizeof sk_exp);
+ explicit_memset(q, 0, sizeof q);
+}
+
+static inline void
+aesbear_xts_update(uint32_t *t0, uint32_t *t1, uint32_t *t2, uint32_t *t3)
+{
+ uint32_t s0, s1, s2, s3;
+
+ s0 = *t0 >> 31;
+ s1 = *t1 >> 31;
+ s2 = *t2 >> 31;
+ s3 = *t3 >> 31;
+ *t0 = (*t0 << 1) ^ (-s3 & 0x87);
+ *t1 = (*t1 << 1) ^ s0;
+ *t2 = (*t2 << 1) ^ s1;
+ *t3 = (*t3 << 1) ^ s2;
+}
+
+static int
+aesbear_xts_update_selftest(void)
+{
+ static const struct {
+ uint32_t in[4], out[4];
+ } cases[] = {
+ { {1}, {2} },
+ { {0x80000000U,0,0,0}, {0,1,0,0} },
+ { {0,0x80000000U,0,0}, {0,0,1,0} },
+ { {0,0,0x80000000U,0}, {0,0,0,1} },
+ { {0,0,0,0x80000000U}, {0x87,0,0,0} },
+ { {0,0x80000000U,0,0x80000000U}, {0x87,0,1,0} },
+ };
+ unsigned i;
+ uint32_t t0, t1, t2, t3;
+
+ for (i = 0; i < sizeof(cases)/sizeof(cases[0]); i++) {
+ t0 = cases[i].in[0];
+ t1 = cases[i].in[1];
+ t2 = cases[i].in[2];
+ t3 = cases[i].in[3];
+ aesbear_xts_update(&t0, &t1, &t2, &t3);
+ if (t0 != cases[i].out[0] ||
+ t1 != cases[i].out[1] ||
+ t2 != cases[i].out[2] ||
+ t3 != cases[i].out[3])
+ return -1;
+ }
+
+ /* Success! */
+ return 0;
+}
+
+static void
+aesbear_xts_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+ uint32_t sk_exp[120];
+ uint32_t q[8];
+ uint32_t t0, t1, t2, t3, u0, u1, u2, u3;
+
+ KASSERT(nbytes % 16 == 0);
+
+ /* Skip if there's nothing to do. */
+ if (nbytes == 0)
+ return;
+
+ /* Expand round keys for bitslicing. */
+ br_aes_ct_skey_expand(sk_exp, nrounds, enc->aese_aes.aes_rk);
+
+ /* Load tweak. */
+ t0 = le32dec(tweak + 4*0);
+ t1 = le32dec(tweak + 4*1);
+ t2 = le32dec(tweak + 4*2);
+ t3 = le32dec(tweak + 4*3);
+
+ /* Handle the first block separately if odd number. */
+ if (nbytes % 32) {
+ KASSERT(nbytes % 32 == 16);
+
+ /* Load up the first block and a garbage block. */
+ q[2*0] = le32dec(in + 4*0) ^ t0;
+ q[2*1] = le32dec(in + 4*1) ^ t1;
+ q[2*2] = le32dec(in + 4*2) ^ t2;
+ q[2*3] = le32dec(in + 4*3) ^ t3;
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ /* Encrypt two blocks. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_encrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store the first cipher block. */
+ le32enc(out + 4*0, q[2*0] ^ t0);
+ le32enc(out + 4*1, q[2*1] ^ t1);
+ le32enc(out + 4*2, q[2*2] ^ t2);
+ le32enc(out + 4*3, q[2*3] ^ t3);
+
+ /* Advance to the next block. */
+ aesbear_xts_update(&t0, &t1, &t2, &t3);
+ if ((nbytes -= 16) == 0)
+ goto out;
+ in += 16;
+ out += 16;
+ }
+
+ do {
+ KASSERT(nbytes >= 32);
+
+ /* Compute the upper tweak. */
+ u0 = t0; u1 = t1; u2 = t2; u3 = t3;
+ aesbear_xts_update(&u0, &u1, &u2, &u3);
+
+ /* Load lower and upper blocks. */
+ q[2*0] = le32dec(in + 4*0) ^ t0;
+ q[2*1] = le32dec(in + 4*1) ^ t1;
+ q[2*2] = le32dec(in + 4*2) ^ t2;
+ q[2*3] = le32dec(in + 4*3) ^ t3;
+ q[2*0 + 1] = le32dec(in + 16 + 4*0) ^ u0;
+ q[2*1 + 1] = le32dec(in + 16 + 4*1) ^ u1;
+ q[2*2 + 1] = le32dec(in + 16 + 4*2) ^ u2;
+ q[2*3 + 1] = le32dec(in + 16 + 4*3) ^ u3;
+
+ /* Encrypt two blocks. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_encrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store lower and upper blocks. */
+ le32enc(out + 4*0, q[2*0] ^ t0);
+ le32enc(out + 4*1, q[2*1] ^ t1);
+ le32enc(out + 4*2, q[2*2] ^ t2);
+ le32enc(out + 4*3, q[2*3] ^ t3);
+ le32enc(out + 16 + 4*0, q[2*0 + 1] ^ u0);
+ le32enc(out + 16 + 4*1, q[2*1 + 1] ^ u1);
+ le32enc(out + 16 + 4*2, q[2*2 + 1] ^ u2);
+ le32enc(out + 16 + 4*3, q[2*3 + 1] ^ u3);
+
+ /* Advance to the next pair of blocks. */
+ t0 = u0; t1 = u1; t2 = u2; t3 = u3;
+ aesbear_xts_update(&t0, &t1, &t2, &t3);
+ in += 32;
+ out += 32;
+ } while (nbytes -= 32, nbytes);
+
+out: /* Store the updated tweak. */
+ le32enc(tweak + 4*0, t0);
+ le32enc(tweak + 4*1, t1);
+ le32enc(tweak + 4*2, t2);
+ le32enc(tweak + 4*3, t3);
+
+ /* Paranoia: Zero temporary buffers. */
+ explicit_memset(sk_exp, 0, sizeof sk_exp);
+ explicit_memset(q, 0, sizeof q);
+}
+
+static void
+aesbear_xts_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+ uint32_t sk_exp[120];
+ uint32_t q[8];
+ uint32_t t0, t1, t2, t3, u0, u1, u2, u3;
+
+ KASSERT(nbytes % 16 == 0);
+
+ /* Skip if there's nothing to do. */
+ if (nbytes == 0)
+ return;
+
+ /* Expand round keys for bitslicing. */
+ br_aes_ct_skey_expand(sk_exp, nrounds, dec->aesd_aes.aes_rk);
+
+ /* Load tweak. */
+ t0 = le32dec(tweak + 4*0);
+ t1 = le32dec(tweak + 4*1);
+ t2 = le32dec(tweak + 4*2);
+ t3 = le32dec(tweak + 4*3);
+
+ /* Handle the first block separately if odd number. */
+ if (nbytes % 32) {
+ KASSERT(nbytes % 32 == 16);
+
+ /* Load up the first block and a garbage block. */
+ q[2*0] = le32dec(in + 4*0) ^ t0;
+ q[2*1] = le32dec(in + 4*1) ^ t1;
+ q[2*2] = le32dec(in + 4*2) ^ t2;
+ q[2*3] = le32dec(in + 4*3) ^ t3;
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ /* Decrypt two blocks. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_decrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store the first cipher block. */
+ le32enc(out + 4*0, q[2*0] ^ t0);
+ le32enc(out + 4*1, q[2*1] ^ t1);
+ le32enc(out + 4*2, q[2*2] ^ t2);
+ le32enc(out + 4*3, q[2*3] ^ t3);
+
+ /* Advance to the next block. */
+ aesbear_xts_update(&t0, &t1, &t2, &t3);
+ if ((nbytes -= 16) == 0)
+ goto out;
+ in += 16;
+ out += 16;
+ }
+
+ do {
+ KASSERT(nbytes >= 32);
+
+ /* Compute the upper tweak. */
+ u0 = t0; u1 = t1; u2 = t2; u3 = t3;
+ aesbear_xts_update(&u0, &u1, &u2, &u3);
+
+ /* Load lower and upper blocks. */
+ q[2*0] = le32dec(in + 4*0) ^ t0;
+ q[2*1] = le32dec(in + 4*1) ^ t1;
+ q[2*2] = le32dec(in + 4*2) ^ t2;
+ q[2*3] = le32dec(in + 4*3) ^ t3;
+ q[2*0 + 1] = le32dec(in + 16 + 4*0) ^ u0;
+ q[2*1 + 1] = le32dec(in + 16 + 4*1) ^ u1;
+ q[2*2 + 1] = le32dec(in + 16 + 4*2) ^ u2;
+ q[2*3 + 1] = le32dec(in + 16 + 4*3) ^ u3;
+
+ /* Encrypt two blocks. */
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_decrypt(nrounds, sk_exp, q);
+ br_aes_ct_ortho(q);
+
+ /* Store lower and upper blocks. */
+ le32enc(out + 4*0, q[2*0] ^ t0);
+ le32enc(out + 4*1, q[2*1] ^ t1);
+ le32enc(out + 4*2, q[2*2] ^ t2);
+ le32enc(out + 4*3, q[2*3] ^ t3);
+ le32enc(out + 16 + 4*0, q[2*0 + 1] ^ u0);
+ le32enc(out + 16 + 4*1, q[2*1 + 1] ^ u1);
+ le32enc(out + 16 + 4*2, q[2*2 + 1] ^ u2);
+ le32enc(out + 16 + 4*3, q[2*3 + 1] ^ u3);
+
+ /* Advance to the next pair of blocks. */
+ t0 = u0; t1 = u1; t2 = u2; t3 = u3;
+ aesbear_xts_update(&t0, &t1, &t2, &t3);
+ in += 32;
+ out += 32;
+ } while (nbytes -= 32, nbytes);
+
+out: /* Store the updated tweak. */
+ le32enc(tweak + 4*0, t0);
+ le32enc(tweak + 4*1, t1);
+ le32enc(tweak + 4*2, t2);
+ le32enc(tweak + 4*3, t3);
+
+ /* Paranoia: Zero temporary buffers. */
+ explicit_memset(sk_exp, 0, sizeof sk_exp);
+ explicit_memset(q, 0, sizeof q);
+}
+
+static int
+aesbear_probe(void)
+{
+
+ if (aesbear_xts_update_selftest())
+ return -1;
+
+ /* XXX test br_aes_ct_bitslice_decrypt */
+ /* XXX test br_aes_ct_bitslice_encrypt */
+ /* XXX test br_aes_ct_keysched */
+ /* XXX test br_aes_ct_ortho */
+ /* XXX test br_aes_ct_skey_expand */
+
+ return 0;
+}
+
+struct aes_impl aes_bear_impl = {
+ .ai_name = "BearSSL aes_ct",
+ .ai_probe = aesbear_probe,
+ .ai_setenckey = aesbear_setenckey,
+ .ai_setdeckey = aesbear_setdeckey,
+ .ai_enc = aesbear_enc,
+ .ai_dec = aesbear_dec,
+ .ai_cbc_enc = aesbear_cbc_enc,
+ .ai_cbc_dec = aesbear_cbc_dec,
+ .ai_xts_enc = aesbear_xts_enc,
+ .ai_xts_dec = aesbear_xts_dec,
+};
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_bear.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_bear.h Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,50 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _CRYPTO_AES_AES_BEAR_H
+#define _CRYPTO_AES_AES_BEAR_H
+
+#include <sys/types.h>
+#include <sys/endian.h>
+
+#include <crypto/aes/aes.h>
+
+#define br_dec32le le32dec
+#define br_enc32le le32enc
+
+void br_aes_ct_bitslice_Sbox(uint32_t *);
+void br_aes_ct_bitslice_invSbox(uint32_t *);
+void br_aes_ct_ortho(uint32_t *);
+u_int br_aes_ct_keysched(uint32_t *, const void *, size_t);
+void br_aes_ct_skey_expand(uint32_t *, unsigned, const uint32_t *);
+void br_aes_ct_bitslice_encrypt(unsigned, const uint32_t *, uint32_t *);
+void br_aes_ct_bitslice_decrypt(unsigned, const uint32_t *, uint32_t *);
+
+extern struct aes_impl aes_bear_impl;
+
+#endif /* _CRYPTO_AES_AES_BEAR_H */
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_ct.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_ct.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,335 @@
+/* $NetBSD$ */
+
+/*
+ * Copyright (c) 2016 Thomas Pornin <pornin%bolet.org@localhost>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+
+#include <crypto/aes/aes_bear.h>
+
+/* see inner.h */
+void
+br_aes_ct_bitslice_Sbox(uint32_t *q)
+{
+ /*
+ * This S-box implementation is a straightforward translation of
+ * the circuit described by Boyar and Peralta in "A new
+ * combinational logic minimization technique with applications
+ * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
+ *
+ * Note that variables x* (input) and s* (output) are numbered
+ * in "reverse" order (x0 is the high bit, x7 is the low bit).
+ */
+
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+ uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
+ uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
+ uint32_t y20, y21;
+ uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
+ uint32_t z10, z11, z12, z13, z14, z15, z16, z17;
+ uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
+ uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
+ uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
+ uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
+ uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
+ uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
+ uint32_t t60, t61, t62, t63, t64, t65, t66, t67;
+ uint32_t s0, s1, s2, s3, s4, s5, s6, s7;
+
+ x0 = q[7];
+ x1 = q[6];
+ x2 = q[5];
+ x3 = q[4];
+ x4 = q[3];
+ x5 = q[2];
+ x6 = q[1];
+ x7 = q[0];
+
+ /*
+ * Top linear transformation.
+ */
+ y14 = x3 ^ x5;
+ y13 = x0 ^ x6;
+ y9 = x0 ^ x3;
+ y8 = x0 ^ x5;
+ t0 = x1 ^ x2;
+ y1 = t0 ^ x7;
+ y4 = y1 ^ x3;
+ y12 = y13 ^ y14;
+ y2 = y1 ^ x0;
+ y5 = y1 ^ x6;
+ y3 = y5 ^ y8;
+ t1 = x4 ^ y12;
+ y15 = t1 ^ x5;
+ y20 = t1 ^ x1;
+ y6 = y15 ^ x7;
+ y10 = y15 ^ t0;
+ y11 = y20 ^ y9;
+ y7 = x7 ^ y11;
+ y17 = y10 ^ y11;
+ y19 = y10 ^ y8;
+ y16 = t0 ^ y11;
+ y21 = y13 ^ y16;
+ y18 = x0 ^ y16;
+
+ /*
+ * Non-linear section.
+ */
+ t2 = y12 & y15;
+ t3 = y3 & y6;
+ t4 = t3 ^ t2;
+ t5 = y4 & x7;
+ t6 = t5 ^ t2;
+ t7 = y13 & y16;
+ t8 = y5 & y1;
+ t9 = t8 ^ t7;
+ t10 = y2 & y7;
+ t11 = t10 ^ t7;
+ t12 = y9 & y11;
+ t13 = y14 & y17;
+ t14 = t13 ^ t12;
+ t15 = y8 & y10;
+ t16 = t15 ^ t12;
+ t17 = t4 ^ t14;
+ t18 = t6 ^ t16;
+ t19 = t9 ^ t14;
+ t20 = t11 ^ t16;
+ t21 = t17 ^ y20;
+ t22 = t18 ^ y19;
+ t23 = t19 ^ y21;
+ t24 = t20 ^ y18;
+
+ t25 = t21 ^ t22;
+ t26 = t21 & t23;
+ t27 = t24 ^ t26;
+ t28 = t25 & t27;
+ t29 = t28 ^ t22;
+ t30 = t23 ^ t24;
+ t31 = t22 ^ t26;
+ t32 = t31 & t30;
+ t33 = t32 ^ t24;
+ t34 = t23 ^ t33;
+ t35 = t27 ^ t33;
+ t36 = t24 & t35;
+ t37 = t36 ^ t34;
+ t38 = t27 ^ t36;
+ t39 = t29 & t38;
+ t40 = t25 ^ t39;
+
+ t41 = t40 ^ t37;
+ t42 = t29 ^ t33;
+ t43 = t29 ^ t40;
+ t44 = t33 ^ t37;
+ t45 = t42 ^ t41;
+ z0 = t44 & y15;
+ z1 = t37 & y6;
+ z2 = t33 & x7;
+ z3 = t43 & y16;
+ z4 = t40 & y1;
+ z5 = t29 & y7;
+ z6 = t42 & y11;
+ z7 = t45 & y17;
+ z8 = t41 & y10;
+ z9 = t44 & y12;
+ z10 = t37 & y3;
+ z11 = t33 & y4;
+ z12 = t43 & y13;
+ z13 = t40 & y5;
+ z14 = t29 & y2;
+ z15 = t42 & y9;
+ z16 = t45 & y14;
+ z17 = t41 & y8;
+
+ /*
+ * Bottom linear transformation.
+ */
+ t46 = z15 ^ z16;
+ t47 = z10 ^ z11;
+ t48 = z5 ^ z13;
+ t49 = z9 ^ z10;
+ t50 = z2 ^ z12;
+ t51 = z2 ^ z5;
+ t52 = z7 ^ z8;
+ t53 = z0 ^ z3;
+ t54 = z6 ^ z7;
+ t55 = z16 ^ z17;
+ t56 = z12 ^ t48;
+ t57 = t50 ^ t53;
+ t58 = z4 ^ t46;
+ t59 = z3 ^ t54;
+ t60 = t46 ^ t57;
+ t61 = z14 ^ t57;
+ t62 = t52 ^ t58;
+ t63 = t49 ^ t58;
+ t64 = z4 ^ t59;
+ t65 = t61 ^ t62;
+ t66 = z1 ^ t63;
+ s0 = t59 ^ t63;
+ s6 = t56 ^ ~t62;
+ s7 = t48 ^ ~t60;
+ t67 = t64 ^ t65;
+ s3 = t53 ^ t66;
+ s4 = t51 ^ t66;
+ s5 = t47 ^ t65;
+ s1 = t64 ^ ~s3;
+ s2 = t55 ^ ~t67;
+
+ q[7] = s0;
+ q[6] = s1;
+ q[5] = s2;
+ q[4] = s3;
+ q[3] = s4;
+ q[2] = s5;
+ q[1] = s6;
+ q[0] = s7;
+}
+
+/* see inner.h */
+void
+br_aes_ct_ortho(uint32_t *q)
+{
+#define SWAPN(cl, ch, s, x, y) do { \
+ uint32_t a, b; \
+ a = (x); \
+ b = (y); \
+ (x) = (a & (uint32_t)cl) | ((b & (uint32_t)cl) << (s)); \
+ (y) = ((a & (uint32_t)ch) >> (s)) | (b & (uint32_t)ch); \
+ } while (0)
+
+#define SWAP2(x, y) SWAPN(0x55555555, 0xAAAAAAAA, 1, x, y)
+#define SWAP4(x, y) SWAPN(0x33333333, 0xCCCCCCCC, 2, x, y)
+#define SWAP8(x, y) SWAPN(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
+
+ SWAP2(q[0], q[1]);
+ SWAP2(q[2], q[3]);
+ SWAP2(q[4], q[5]);
+ SWAP2(q[6], q[7]);
+
+ SWAP4(q[0], q[2]);
+ SWAP4(q[1], q[3]);
+ SWAP4(q[4], q[6]);
+ SWAP4(q[5], q[7]);
+
+ SWAP8(q[0], q[4]);
+ SWAP8(q[1], q[5]);
+ SWAP8(q[2], q[6]);
+ SWAP8(q[3], q[7]);
+}
+
+static const unsigned char Rcon[] = {
+ 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36
+};
+
+static uint32_t
+sub_word(uint32_t x)
+{
+ uint32_t q[8];
+ int i;
+
+ for (i = 0; i < 8; i ++) {
+ q[i] = x;
+ }
+ br_aes_ct_ortho(q);
+ br_aes_ct_bitslice_Sbox(q);
+ br_aes_ct_ortho(q);
+ return q[0];
+}
+
+/* see inner.h */
+unsigned
+br_aes_ct_keysched(uint32_t *comp_skey, const void *key, size_t key_len)
+{
+ unsigned num_rounds;
+ int i, j, k, nk, nkf;
+ uint32_t tmp;
+ uint32_t skey[120];
+
+ switch (key_len) {
+ case 16:
+ num_rounds = 10;
+ break;
+ case 24:
+ num_rounds = 12;
+ break;
+ case 32:
+ num_rounds = 14;
+ break;
+ default:
+ /* abort(); */
+ return 0;
+ }
+ nk = (int)(key_len >> 2);
+ nkf = (int)((num_rounds + 1) << 2);
+ tmp = 0;
+ for (i = 0; i < nk; i ++) {
+ tmp = br_dec32le((const unsigned char *)key + (i << 2));
+ skey[(i << 1) + 0] = tmp;
+ skey[(i << 1) + 1] = tmp;
+ }
+ for (i = nk, j = 0, k = 0; i < nkf; i ++) {
+ if (j == 0) {
+ tmp = (tmp << 24) | (tmp >> 8);
+ tmp = sub_word(tmp) ^ Rcon[k];
+ } else if (nk > 6 && j == 4) {
+ tmp = sub_word(tmp);
+ }
+ tmp ^= skey[(i - nk) << 1];
+ skey[(i << 1) + 0] = tmp;
+ skey[(i << 1) + 1] = tmp;
+ if (++ j == nk) {
+ j = 0;
+ k ++;
+ }
+ }
+ for (i = 0; i < nkf; i += 4) {
+ br_aes_ct_ortho(skey + (i << 1));
+ }
+ for (i = 0, j = 0; i < nkf; i ++, j += 2) {
+ comp_skey[i] = (skey[j + 0] & 0x55555555)
+ | (skey[j + 1] & 0xAAAAAAAA);
+ }
+ return num_rounds;
+}
+
+/* see inner.h */
+void
+br_aes_ct_skey_expand(uint32_t *skey,
+ unsigned num_rounds, const uint32_t *comp_skey)
+{
+ unsigned u, v, n;
+
+ n = (num_rounds + 1) << 2;
+ for (u = 0, v = 0; u < n; u ++, v += 2) {
+ uint32_t x, y;
+
+ x = y = comp_skey[u];
+ x &= 0x55555555;
+ skey[v + 0] = x | (x << 1);
+ y &= 0xAAAAAAAA;
+ skey[v + 1] = y | (y >> 1);
+ }
+}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_ct_dec.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_ct_dec.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,177 @@
+/* $NetBSD$ */
+
+/*
+ * Copyright (c) 2016 Thomas Pornin <pornin%bolet.org@localhost>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+
+#include <crypto/aes/aes_bear.h>
+
+/* see inner.h */
+void
+br_aes_ct_bitslice_invSbox(uint32_t *q)
+{
+ /*
+ * AES S-box is:
+ * S(x) = A(I(x)) ^ 0x63
+ * where I() is inversion in GF(256), and A() is a linear
+ * transform (0 is formally defined to be its own inverse).
+ * Since inversion is an involution, the inverse S-box can be
+ * computed from the S-box as:
+ * iS(x) = B(S(B(x ^ 0x63)) ^ 0x63)
+ * where B() is the inverse of A(). Indeed, for any y in GF(256):
+ * iS(S(y)) = B(A(I(B(A(I(y)) ^ 0x63 ^ 0x63))) ^ 0x63 ^ 0x63) = y
+ *
+ * Note: we reuse the implementation of the forward S-box,
+ * instead of duplicating it here, so that total code size is
+ * lower. By merging the B() transforms into the S-box circuit
+ * we could make faster CBC decryption, but CBC decryption is
+ * already quite faster than CBC encryption because we can
+ * process two blocks in parallel.
+ */
+ uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
+
+ q0 = ~q[0];
+ q1 = ~q[1];
+ q2 = q[2];
+ q3 = q[3];
+ q4 = q[4];
+ q5 = ~q[5];
+ q6 = ~q[6];
+ q7 = q[7];
+ q[7] = q1 ^ q4 ^ q6;
+ q[6] = q0 ^ q3 ^ q5;
+ q[5] = q7 ^ q2 ^ q4;
+ q[4] = q6 ^ q1 ^ q3;
+ q[3] = q5 ^ q0 ^ q2;
+ q[2] = q4 ^ q7 ^ q1;
+ q[1] = q3 ^ q6 ^ q0;
+ q[0] = q2 ^ q5 ^ q7;
+
+ br_aes_ct_bitslice_Sbox(q);
+
+ q0 = ~q[0];
+ q1 = ~q[1];
+ q2 = q[2];
+ q3 = q[3];
+ q4 = q[4];
+ q5 = ~q[5];
+ q6 = ~q[6];
+ q7 = q[7];
+ q[7] = q1 ^ q4 ^ q6;
+ q[6] = q0 ^ q3 ^ q5;
+ q[5] = q7 ^ q2 ^ q4;
+ q[4] = q6 ^ q1 ^ q3;
+ q[3] = q5 ^ q0 ^ q2;
+ q[2] = q4 ^ q7 ^ q1;
+ q[1] = q3 ^ q6 ^ q0;
+ q[0] = q2 ^ q5 ^ q7;
+}
+
+static void
+add_round_key(uint32_t *q, const uint32_t *sk)
+{
+ int i;
+
+ for (i = 0; i < 8; i ++) {
+ q[i] ^= sk[i];
+ }
+}
+
+static void
+inv_shift_rows(uint32_t *q)
+{
+ int i;
+
+ for (i = 0; i < 8; i ++) {
+ uint32_t x;
+
+ x = q[i];
+ q[i] = (x & 0x000000FF)
+ | ((x & 0x00003F00) << 2) | ((x & 0x0000C000) >> 6)
+ | ((x & 0x000F0000) << 4) | ((x & 0x00F00000) >> 4)
+ | ((x & 0x03000000) << 6) | ((x & 0xFC000000) >> 2);
+ }
+}
+
+static inline uint32_t
+rotr16(uint32_t x)
+{
+ return (x << 16) | (x >> 16);
+}
+
+static void
+inv_mix_columns(uint32_t *q)
+{
+ uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
+ uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
+
+ q0 = q[0];
+ q1 = q[1];
+ q2 = q[2];
+ q3 = q[3];
+ q4 = q[4];
+ q5 = q[5];
+ q6 = q[6];
+ q7 = q[7];
+ r0 = (q0 >> 8) | (q0 << 24);
+ r1 = (q1 >> 8) | (q1 << 24);
+ r2 = (q2 >> 8) | (q2 << 24);
+ r3 = (q3 >> 8) | (q3 << 24);
+ r4 = (q4 >> 8) | (q4 << 24);
+ r5 = (q5 >> 8) | (q5 << 24);
+ r6 = (q6 >> 8) | (q6 << 24);
+ r7 = (q7 >> 8) | (q7 << 24);
+
+ q[0] = q5 ^ q6 ^ q7 ^ r0 ^ r5 ^ r7 ^ rotr16(q0 ^ q5 ^ q6 ^ r0 ^ r5);
+ q[1] = q0 ^ q5 ^ r0 ^ r1 ^ r5 ^ r6 ^ r7 ^ rotr16(q1 ^ q5 ^ q7 ^ r1 ^ r5 ^ r6);
+ q[2] = q0 ^ q1 ^ q6 ^ r1 ^ r2 ^ r6 ^ r7 ^ rotr16(q0 ^ q2 ^ q6 ^ r2 ^ r6 ^ r7);
+ q[3] = q0 ^ q1 ^ q2 ^ q5 ^ q6 ^ r0 ^ r2 ^ r3 ^ r5 ^ rotr16(q0 ^ q1 ^ q3 ^ q5 ^ q6 ^ q7 ^ r0 ^ r3 ^ r5 ^ r7);
+ q[4] = q1 ^ q2 ^ q3 ^ q5 ^ r1 ^ r3 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr16(q1 ^ q2 ^ q4 ^ q5 ^ q7 ^ r1 ^ r4 ^ r5 ^ r6);
+ q[5] = q2 ^ q3 ^ q4 ^ q6 ^ r2 ^ r4 ^ r5 ^ r6 ^ r7 ^ rotr16(q2 ^ q3 ^ q5 ^ q6 ^ r2 ^ r5 ^ r6 ^ r7);
+ q[6] = q3 ^ q4 ^ q5 ^ q7 ^ r3 ^ r5 ^ r6 ^ r7 ^ rotr16(q3 ^ q4 ^ q6 ^ q7 ^ r3 ^ r6 ^ r7);
+ q[7] = q4 ^ q5 ^ q6 ^ r4 ^ r6 ^ r7 ^ rotr16(q4 ^ q5 ^ q7 ^ r4 ^ r7);
+}
+
+/* see inner.h */
+void
+br_aes_ct_bitslice_decrypt(unsigned num_rounds,
+ const uint32_t *skey, uint32_t *q)
+{
+ unsigned u;
+
+ add_round_key(q, skey + (num_rounds << 3));
+ for (u = num_rounds - 1; u > 0; u --) {
+ inv_shift_rows(q);
+ br_aes_ct_bitslice_invSbox(q);
+ add_round_key(q, skey + (u << 3));
+ inv_mix_columns(q);
+ }
+ inv_shift_rows(q);
+ br_aes_ct_bitslice_invSbox(q);
+ add_round_key(q, skey);
+}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_ct_enc.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_ct_enc.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,119 @@
+/* $NetBSD$ */
+
+/*
+ * Copyright (c) 2016 Thomas Pornin <pornin%bolet.org@localhost>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+
+#include <crypto/aes/aes_bear.h>
+
+static inline void
+add_round_key(uint32_t *q, const uint32_t *sk)
+{
+ q[0] ^= sk[0];
+ q[1] ^= sk[1];
+ q[2] ^= sk[2];
+ q[3] ^= sk[3];
+ q[4] ^= sk[4];
+ q[5] ^= sk[5];
+ q[6] ^= sk[6];
+ q[7] ^= sk[7];
+}
+
+static inline void
+shift_rows(uint32_t *q)
+{
+ int i;
+
+ for (i = 0; i < 8; i ++) {
+ uint32_t x;
+
+ x = q[i];
+ q[i] = (x & 0x000000FF)
+ | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6)
+ | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4)
+ | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2);
+ }
+}
+
+static inline uint32_t
+rotr16(uint32_t x)
+{
+ return (x << 16) | (x >> 16);
+}
+
+static inline void
+mix_columns(uint32_t *q)
+{
+ uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
+ uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
+
+ q0 = q[0];
+ q1 = q[1];
+ q2 = q[2];
+ q3 = q[3];
+ q4 = q[4];
+ q5 = q[5];
+ q6 = q[6];
+ q7 = q[7];
+ r0 = (q0 >> 8) | (q0 << 24);
+ r1 = (q1 >> 8) | (q1 << 24);
+ r2 = (q2 >> 8) | (q2 << 24);
+ r3 = (q3 >> 8) | (q3 << 24);
+ r4 = (q4 >> 8) | (q4 << 24);
+ r5 = (q5 >> 8) | (q5 << 24);
+ r6 = (q6 >> 8) | (q6 << 24);
+ r7 = (q7 >> 8) | (q7 << 24);
+
+ q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0);
+ q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1);
+ q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2);
+ q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3);
+ q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4);
+ q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5);
+ q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6);
+ q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7);
+}
+
+/* see inner.h */
+void
+br_aes_ct_bitslice_encrypt(unsigned num_rounds,
+ const uint32_t *skey, uint32_t *q)
+{
+ unsigned u;
+
+ add_round_key(q, skey);
+ for (u = 1; u < num_rounds; u ++) {
+ br_aes_ct_bitslice_Sbox(q);
+ shift_rows(q);
+ mix_columns(q);
+ add_round_key(q, skey + (u << 3));
+ }
+ br_aes_ct_bitslice_Sbox(q);
+ shift_rows(q);
+ add_round_key(q, skey + (num_rounds << 3));
+}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_impl.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_impl.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,256 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/once.h>
+#include <sys/systm.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/aes/aes_bear.h> /* default implementation */
+
+static const struct aes_impl *aes_md_impl __read_mostly;
+static const struct aes_impl *aes_impl __read_mostly;
+
+/*
+ * The timing of AES implementation selection is finicky:
+ *
+ * 1. It has to be done _after_ cpu_attach for implementations,
+ * such as AES-NI, that rely on fpu initialization done by
+ * fpu_attach.
+ *
+ * 2. It has to be done _before_ the cgd self-tests or anything
+ * else that might call AES.
+ *
+ * For the moment, doing it in module init works. However, if a
+ * driver-class module depended on the aes module, that would break.
+ */
+
+static int
+aes_select(void)
+{
+
+ KASSERT(aes_impl == NULL);
+
+ if (aes_md_impl) {
+ if (aes_selftest(aes_md_impl))
+ aprint_error("aes: self-test failed: %s\n",
+ aes_md_impl->ai_name);
+ else
+ aes_impl = aes_md_impl;
+ }
+ if (aes_impl == NULL) {
+ if (aes_selftest(&aes_bear_impl))
+ aprint_error("aes: self-test failed: %s\n",
+ aes_bear_impl.ai_name);
+ else
+ aes_impl = &aes_bear_impl;
+ }
+ if (aes_impl == NULL)
+ panic("AES self-tests failed");
+
+ aprint_verbose("aes: %s\n", aes_impl->ai_name);
+ return 0;
+}
+
+MODULE(MODULE_CLASS_MISC, aes, NULL);
+
+static int
+aes_modcmd(modcmd_t cmd, void *opaque)
+{
+
+ switch (cmd) {
+ case MODULE_CMD_INIT:
+ return aes_select();
+ case MODULE_CMD_FINI:
+ return 0;
+ default:
+ return ENOTTY;
+ }
+}
+
+static void
+aes_guarantee_selected(void)
+{
+#if 0
+ static once_t once;
+ int error;
+
+ error = RUN_ONCE(&once, aes_select);
+ KASSERT(error == 0);
+#endif
+}
+
+void
+aes_md_init(const struct aes_impl *impl)
+{
+
+ KASSERT(cold);
+ KASSERTMSG(aes_impl == NULL,
+ "AES implementation `%s' already chosen, can't offer `%s'",
+ aes_impl->ai_name, impl->ai_name);
+ KASSERTMSG(aes_md_impl == NULL,
+ "AES implementation `%s' already offered, can't offer `%s'",
+ aes_md_impl->ai_name, impl->ai_name);
+
+ aes_md_impl = impl;
+}
+
+static void
+aes_setenckey(struct aesenc *enc, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_setenckey(enc, key, nrounds);
+}
+
+uint32_t
+aes_setenckey128(struct aesenc *enc, const uint8_t key[static 16])
+{
+ uint32_t nrounds = AES_128_NROUNDS;
+
+ aes_setenckey(enc, key, nrounds);
+ return nrounds;
+}
+
+uint32_t
+aes_setenckey192(struct aesenc *enc, const uint8_t key[static 24])
+{
+ uint32_t nrounds = AES_192_NROUNDS;
+
+ aes_setenckey(enc, key, nrounds);
+ return nrounds;
+}
+
+uint32_t
+aes_setenckey256(struct aesenc *enc, const uint8_t key[static 32])
+{
+ uint32_t nrounds = AES_256_NROUNDS;
+
+ aes_setenckey(enc, key, nrounds);
+ return nrounds;
+}
+
+static void
+aes_setdeckey(struct aesdec *dec, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_setdeckey(dec, key, nrounds);
+}
+
+uint32_t
+aes_setdeckey128(struct aesdec *dec, const uint8_t key[static 16])
+{
+ uint32_t nrounds = AES_128_NROUNDS;
+
+ aes_setdeckey(dec, key, nrounds);
+ return nrounds;
+}
+
+uint32_t
+aes_setdeckey192(struct aesdec *dec, const uint8_t key[static 24])
+{
+ uint32_t nrounds = AES_192_NROUNDS;
+
+ aes_setdeckey(dec, key, nrounds);
+ return nrounds;
+}
+
+uint32_t
+aes_setdeckey256(struct aesdec *dec, const uint8_t key[static 32])
+{
+ uint32_t nrounds = AES_256_NROUNDS;
+
+ aes_setdeckey(dec, key, nrounds);
+ return nrounds;
+}
+
+void
+aes_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_enc(enc, in, out, nrounds);
+}
+
+void
+aes_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_dec(dec, in, out, nrounds);
+}
+
+void
+aes_cbc_enc(struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_cbc_enc(enc, in, out, nbytes, iv, nrounds);
+}
+
+void
+aes_cbc_dec(struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_cbc_dec(dec, in, out, nbytes, iv, nrounds);
+}
+
+void
+aes_xts_enc(struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_xts_enc(enc, in, out, nbytes, tweak, nrounds);
+}
+
+void
+aes_xts_dec(struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+
+ aes_guarantee_selected();
+ aes_impl->ai_xts_dec(dec, in, out, nbytes, tweak, nrounds);
+}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_rijndael.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_rijndael.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,306 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Legacy `Rijndael' API
+ *
+ * rijndael_set_key
+ * rijndael_encrypt
+ * rijndael_decrypt
+ *
+ * rijndaelKeySetupEnc
+ * rijndaelKeySetupDec
+ * rijndaelEncrypt
+ * rijndaelDecrypt
+ * rijndael_makeKey
+ * rijndael_cipherInit
+ * rijndael_blockEncrypt
+ * rijndael_blockDecrypt
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/systm.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/rijndael/rijndael.h>
+#include <crypto/rijndael/rijndael-alg-fst.h>
+#include <crypto/rijndael/rijndael-api-fst.h>
+
+void
+rijndael_set_key(rijndael_ctx *ctx, const uint8_t *key, int keybits)
+{
+
+ ctx->Nr = rijndaelKeySetupEnc(ctx->ek, key, keybits);
+ rijndaelKeySetupDec(ctx->dk, key, keybits);
+}
+
+void
+rijndael_encrypt(const rijndael_ctx *ctx, const uint8_t *in, uint8_t *out)
+{
+
+ rijndaelEncrypt(ctx->ek, ctx->Nr, in, out);
+}
+
+void
+rijndael_decrypt(const rijndael_ctx *ctx, const u_char *in, uint8_t *out)
+{
+
+ rijndaelDecrypt(ctx->dk, ctx->Nr, in, out);
+}
+
+int
+rijndaelKeySetupEnc(uint32_t *rk, const uint8_t *key, int keybits)
+{
+ struct aesenc enc;
+ unsigned nrounds;
+
+ switch (keybits) {
+ case 128:
+ nrounds = aes_setenckey128(&enc, key);
+ break;
+ case 192:
+ nrounds = aes_setenckey192(&enc, key);
+ break;
+ case 256:
+ nrounds = aes_setenckey256(&enc, key);
+ break;
+ default:
+ panic("invalid AES key bits: %d", keybits);
+ }
+
+ memcpy(rk, enc.aese_aes.aes_rk, 4*(nrounds + 1)*sizeof(rk[0]));
+ explicit_memset(&enc, 0, sizeof enc);
+
+ return nrounds;
+}
+
+int
+rijndaelKeySetupDec(uint32_t *rk, const uint8_t *key, int keybits)
+{
+ struct aesdec dec;
+ unsigned nrounds;
+
+ switch (keybits) {
+ case 128:
+ nrounds = aes_setdeckey128(&dec, key);
+ break;
+ case 192:
+ nrounds = aes_setdeckey192(&dec, key);
+ break;
+ case 256:
+ nrounds = aes_setdeckey256(&dec, key);
+ break;
+ default:
+ panic("invalid AES key bits: %d", keybits);
+ }
+
+ memcpy(rk, dec.aesd_aes.aes_rk, 4*(nrounds + 1)*sizeof(rk[0]));
+ explicit_memset(&dec, 0, sizeof dec);
+
+ return nrounds;
+}
+
+void
+rijndaelEncrypt(const uint32_t *rk, int nrounds, const uint8_t in[16],
+ uint8_t out[16])
+{
+ struct aesenc enc;
+
+ memcpy(enc.aese_aes.aes_rk, rk, 4*(nrounds + 1)*sizeof(rk[0]));
+ aes_enc(&enc, in, out, nrounds);
+ explicit_memset(&enc, 0, sizeof enc);
+}
+
+void
+rijndaelDecrypt(const uint32_t *rk, int nrounds, const uint8_t in[16],
+ uint8_t out[16])
+{
+ struct aesdec dec;
+
+ memcpy(dec.aesd_aes.aes_rk, rk, 4*(nrounds + 1)*sizeof(rk[0]));
+ aes_dec(&dec, in, out, nrounds);
+ explicit_memset(&dec, 0, sizeof dec);
+}
+
+int
+rijndael_makeKey(keyInstance *key, BYTE direction, int keybits,
+ const char *keyp)
+{
+
+ if (key == NULL)
+ return BAD_KEY_INSTANCE;
+
+ memset(key, 0x1a, sizeof(*key));
+
+ switch (direction) {
+ case DIR_ENCRYPT:
+ case DIR_DECRYPT:
+ key->direction = direction;
+ break;
+ default:
+ return BAD_KEY_DIR;
+ }
+
+ switch (keybits) {
+ case 128:
+ case 192:
+ case 256:
+ key->keyLen = keybits;
+ break;
+ default:
+ return BAD_KEY_MAT;
+ }
+
+ if (keyp)
+ memcpy(key->keyMaterial, keyp, keybits/8);
+
+ switch (direction) {
+ case DIR_ENCRYPT:
+ key->Nr = rijndaelKeySetupEnc(key->rk,
+ (const uint8_t *)key->keyMaterial, keybits);
+ break;
+ case DIR_DECRYPT:
+ key->Nr = rijndaelKeySetupDec(key->rk,
+ (const uint8_t *)key->keyMaterial, keybits);
+ break;
+ default:
+ panic("unknown encryption direction %d", direction);
+ }
+ rijndaelKeySetupEnc(key->ek, (const uint8_t *)key->keyMaterial,
+ keybits);
+
+ return 1;
+}
+
+int
+rijndael_cipherInit(cipherInstance *cipher, BYTE mode, const char *iv)
+{
+
+ switch (mode) {
+ case MODE_ECB: /* used only for encrypting one block */
+ case MODE_CBC:
+ case MODE_XTS:
+ cipher->mode = mode;
+ break;
+ case MODE_CFB1: /* unused */
+ default:
+ return BAD_CIPHER_MODE;
+ }
+
+ if (iv)
+ memcpy(cipher->IV, iv, RIJNDAEL_MAX_IV_SIZE);
+ else
+ memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
+
+ return 1;
+}
+
+int
+rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
+ const BYTE *in, int nbits, BYTE *out)
+{
+ struct aesenc enc;
+
+ if (cipher == NULL)
+ return BAD_CIPHER_STATE;
+ if (key == NULL)
+ return BAD_CIPHER_STATE;
+ if (key->direction != DIR_ENCRYPT)
+ return BAD_CIPHER_STATE;
+
+ if (in == NULL || nbits <= 0)
+ return 0;
+
+ memcpy(enc.aese_aes.aes_rk, key->rk,
+ 4*(key->Nr + 1)*sizeof(key->rk[0]));
+ switch (cipher->mode) {
+ case MODE_ECB:
+ KASSERT(nbits == 128);
+ aes_enc(&enc, in, out, key->Nr);
+ break;
+ case MODE_CBC:
+ KASSERT(nbits % 128 == 0);
+ aes_cbc_enc(&enc, in, out, nbits/8, (uint8_t *)cipher->IV,
+ key->Nr);
+ break;
+ case MODE_XTS:
+ KASSERT(nbits % 128 == 0);
+ aes_xts_enc(&enc, in, out, nbits/8, (uint8_t *)cipher->IV,
+ key->Nr);
+ break;
+ default:
+ panic("invalid AES mode: %d", cipher->mode);
+ }
+ explicit_memset(&enc, 0, sizeof enc);
+
+ return nbits;
+}
+
+int
+rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
+ const BYTE *in, int nbits, BYTE *out)
+{
+ struct aesdec dec;
+
+ if (cipher == NULL)
+ return BAD_CIPHER_STATE;
+ if (key == NULL)
+ return BAD_CIPHER_STATE;
+ if (key->direction != DIR_DECRYPT)
+ return BAD_CIPHER_STATE;
+
+ if (in == NULL || nbits <= 0)
+ return 0;
+
+ memcpy(dec.aesd_aes.aes_rk, key->rk,
+ 4*(key->Nr + 1)*sizeof(key->rk[0]));
+ switch (cipher->mode) {
+ case MODE_ECB:
+ KASSERT(nbits == 128);
+ aes_dec(&dec, in, out, key->Nr);
+ break;
+ case MODE_CBC:
+ KASSERT(nbits % 128 == 0);
+ aes_cbc_dec(&dec, in, out, nbits/8, (uint8_t *)cipher->IV,
+ key->Nr);
+ break;
+ case MODE_XTS:
+ KASSERT(nbits % 128 == 0);
+ aes_xts_dec(&dec, in, out, nbits/8, (uint8_t *)cipher->IV,
+ key->Nr);
+ break;
+ default:
+ panic("invalid AES mode: %d", cipher->mode);
+ }
+ explicit_memset(&dec, 0, sizeof dec);
+
+ return nbits;
+}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/aes_selftest.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/aes_selftest.c Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,387 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/systm.h>
+
+#include <lib/libkern/libkern.h>
+
+#include <crypto/aes/aes.h>
+
+static const unsigned aes_keybytes[] __unused = { 16, 24, 32 };
+static const unsigned aes_keybits[] __unused = { 128, 192, 256 };
+static const unsigned aes_nrounds[] = { 10, 12, 14 };
+
+#define aes_selftest_fail(impl, actual, expected, nbytes, fmt, args...) \
+({ \
+ printf("%s "fmt": self-test failed\n", (impl)->ai_name, ##args); \
+ hexdump(printf, "was", (actual), (nbytes)); \
+ hexdump(printf, "expected", (expected), (nbytes)); \
+ -1; \
+})
+
+static int
+aes_selftest_encdec(const struct aes_impl *impl)
+{
+ /*
+ * head -c 16 < /dev/zero | openssl enc -aes-{128,192,256}-ecb
+ * -nopad -K 000102030405060708090a0b0c0d... | hexdump -C
+ */
+ static const uint8_t expected[3][16] = {
+ [0] = {
+ 0xc6,0xa1,0x3b,0x37,0x87,0x8f,0x5b,0x82,
+ 0x6f,0x4f,0x81,0x62,0xa1,0xc8,0xd8,0x79,
+ },
+ [1] = {
+ 0x91,0x62,0x51,0x82,0x1c,0x73,0xa5,0x22,
+ 0xc3,0x96,0xd6,0x27,0x38,0x01,0x96,0x07,
+ },
+ [2] = {
+ 0xf2,0x90,0x00,0xb6,0x2a,0x49,0x9f,0xd0,
+ 0xa9,0xf3,0x9a,0x6a,0xdd,0x2e,0x77,0x80,
+ },
+ };
+ struct aesenc enc;
+ struct aesdec dec;
+ uint8_t key[32];
+ uint8_t in[16];
+ uint8_t outbuf[18] = { [0] = 0x1a, [17] = 0x1a }, *out = outbuf + 1;
+ unsigned i;
+
+ for (i = 0; i < 32; i++)
+ key[i] = i;
+ for (i = 0; i < 16; i++)
+ in[i] = 0;
+
+ for (i = 0; i < 3; i++) {
+ impl->ai_setenckey(&enc, key, aes_nrounds[i]);
+ impl->ai_setdeckey(&dec, key, aes_nrounds[i]);
+ impl->ai_enc(&enc, in, out, aes_nrounds[i]);
+ if (memcmp(out, expected[i], 16))
+ return aes_selftest_fail(impl, out, expected[i], 16,
+ "AES-%u enc", aes_keybits[i]);
+ impl->ai_dec(&dec, out, out, aes_nrounds[i]);
+ if (memcmp(out, in, 16))
+ return aes_selftest_fail(impl, out, in, 16,
+ "AES-%u dec", aes_keybits[i]);
+ }
+
+ if (outbuf[0] != 0x1a)
+ return aes_selftest_fail(impl, outbuf,
+ (const uint8_t[1]){0x1a}, 1,
+ "AES overrun preceding");
+ if (outbuf[17] != 0x1a)
+ return aes_selftest_fail(impl, outbuf + 17,
+ (const uint8_t[1]){0x1a}, 1,
+ "AES overrun folllowing");
+
+ /* Success! */
+ return 0;
+}
+
+static int
+aes_selftest_encdec_cbc(const struct aes_impl *impl)
+{
+ static const uint8_t expected[3][144] = {
+ [0] = {
+ 0xfe,0xf1,0xa8,0xb6,0x25,0xf0,0xc4,0x3a,
+ 0x71,0x08,0xb6,0x23,0xa6,0xfb,0x90,0xca,
+ 0x9e,0x64,0x6d,0x95,0xb5,0xf5,0x41,0x24,
+ 0xd2,0xe6,0x60,0xda,0x6c,0x69,0xc4,0xa0,
+ 0x4d,0xaa,0x94,0xf6,0x66,0x1e,0xaa,0x85,
+ 0x68,0xc5,0x6b,0x2e,0x77,0x7a,0x68,0xff,
+ 0x45,0x15,0x45,0xc5,0x9c,0xbb,0x3a,0x23,
+ 0x08,0x3a,0x06,0xdd,0xc0,0x52,0xd2,0xb7,
+ 0x47,0xaa,0x1c,0xc7,0xb5,0xa9,0x7d,0x04,
+ 0x60,0x67,0x78,0xf6,0xb9,0xba,0x26,0x84,
+ 0x45,0x72,0x44,0xed,0xa3,0xd3,0xa0,0x3f,
+ 0x19,0xee,0x3f,0x94,0x59,0x52,0x4b,0x13,
+ 0xfd,0x81,0xcc,0xf9,0xf2,0x29,0xd7,0xec,
+ 0xde,0x03,0x56,0x01,0x4a,0x19,0x86,0xc0,
+ 0x87,0xce,0xe1,0xcc,0x13,0xf1,0x2e,0xda,
+ 0x3f,0xfe,0xa4,0x64,0xe7,0x48,0xb4,0x7b,
+ 0x73,0x62,0x5a,0x80,0x5e,0x01,0x20,0xa5,
+ 0x0a,0xd7,0x98,0xa7,0xd9,0x8b,0xff,0xc2,
+ },
+ [1] = {
+ 0xa6,0x87,0xf0,0x92,0x68,0xc8,0xd6,0x42,
+ 0xa8,0x83,0x1c,0x92,0x65,0x8c,0xd9,0xfe,
+ 0x0b,0x1a,0xc6,0x96,0x27,0x44,0xd4,0x14,
+ 0xfc,0xe7,0x85,0xb2,0x71,0xc7,0x11,0x39,
+ 0xed,0x36,0xd3,0x5c,0xa7,0xf7,0x3d,0xc9,
+ 0xa2,0x54,0x8b,0xb4,0xfa,0xe8,0x21,0xf9,
+ 0xfd,0x6a,0x42,0x85,0xde,0x66,0xd4,0xc0,
+ 0xa7,0xd3,0x5b,0xe1,0xe6,0xac,0xea,0xf9,
+ 0xa3,0x15,0x68,0xf4,0x66,0x4c,0x23,0x75,
+ 0x58,0xba,0x7f,0xca,0xbf,0x40,0x56,0x79,
+ 0x2f,0xbf,0xdf,0x5f,0x56,0xcb,0xa0,0xe4,
+ 0x22,0x65,0x6a,0x8f,0x4f,0xff,0x11,0x6b,
+ 0x57,0xeb,0x45,0xeb,0x9d,0x7f,0xfe,0x9c,
+ 0x8b,0x30,0xa8,0xb0,0x7e,0x27,0xf8,0xbc,
+ 0x1f,0xf8,0x15,0x34,0x36,0x4f,0x46,0x73,
+ 0x81,0x90,0x4b,0x4b,0x46,0x4d,0x01,0x45,
+ 0xa1,0xc3,0x0b,0xa8,0x5a,0xab,0xc1,0x88,
+ 0x66,0xc8,0x1a,0x94,0x17,0x64,0x6f,0xf4,
+ },
+ [2] = {
+ 0x22,0x4c,0x27,0xf4,0xba,0x37,0x8b,0x27,
+ 0xd3,0xd6,0x88,0x8a,0xdc,0xed,0x64,0x42,
+ 0x19,0x60,0x31,0x09,0xf3,0x72,0xd2,0xc2,
+ 0xd3,0xe3,0xff,0xce,0xc5,0x03,0x9f,0xce,
+ 0x99,0x49,0x8a,0xf2,0xe1,0xba,0xe2,0xa8,
+ 0xd7,0x32,0x07,0x2d,0xb0,0xb3,0xbc,0x67,
+ 0x32,0x9a,0x3e,0x7d,0x16,0x23,0xe7,0x24,
+ 0x84,0xe1,0x15,0x03,0x9c,0xa2,0x7a,0x95,
+ 0x34,0xa8,0x04,0x4e,0x79,0x31,0x50,0x26,
+ 0x76,0xd1,0x10,0xce,0xec,0x13,0xf7,0xfb,
+ 0x94,0x6b,0x76,0x50,0x5f,0xb2,0x3e,0x7c,
+ 0xbe,0x97,0xe7,0x13,0x06,0x9e,0x2d,0xc4,
+ 0x46,0x65,0xa7,0x69,0x37,0x07,0x25,0x37,
+ 0xe5,0x48,0x51,0xa8,0x58,0xe8,0x4d,0x7c,
+ 0xb5,0xbe,0x25,0x13,0xbc,0x11,0xc2,0xde,
+ 0xdb,0x00,0xef,0x1c,0x1d,0xeb,0xe3,0x49,
+ 0x1c,0xc0,0x78,0x29,0x76,0xc0,0xde,0x3a,
+ 0x0e,0x96,0x8f,0xea,0xd7,0x42,0x4e,0xb4,
+ },
+ };
+ struct aesenc enc;
+ struct aesdec dec;
+ uint8_t key[32];
+ uint8_t in[144];
+ uint8_t outbuf[146] = { [0] = 0x1a, [145] = 0x1a }, *out = outbuf + 1;
+ uint8_t iv0[16], iv[16];
+ unsigned i;
+
+ for (i = 0; i < 32; i++)
+ key[i] = i;
+ for (i = 0; i < 16; i++)
+ iv0[i] = 0x20 ^ i;
+ for (i = 0; i < 144; i++)
+ in[i] = 0x80 ^ i;
+
+ for (i = 0; i < 3; i++) {
+ impl->ai_setenckey(&enc, key, aes_nrounds[i]);
+ impl->ai_setdeckey(&dec, key, aes_nrounds[i]);
+
+ /* Try one swell foop. */
+ memcpy(iv, iv0, 16);
+ impl->ai_cbc_enc(&enc, in, out, 144, iv, aes_nrounds[i]);
+ if (memcmp(out, expected[i], 144))
+ return aes_selftest_fail(impl, out, expected[i], 144,
+ "AES-%u-CBC enc", aes_keybits[i]);
+
+ memcpy(iv, iv0, 16);
+ impl->ai_cbc_dec(&dec, out, out, 144, iv, aes_nrounds[i]);
+ if (memcmp(out, in, 144))
+ return aes_selftest_fail(impl, out, in, 144,
+ "AES-%u-CBC dec", aes_keybits[i]);
+
+ /* Try incrementally, with IV update. */
+ memcpy(iv, iv0, 16);
+ impl->ai_cbc_enc(&enc, in, out, 16, iv, aes_nrounds[i]);
+ impl->ai_cbc_enc(&enc, in + 16, out + 16, 128, iv,
+ aes_nrounds[i]);
+ if (memcmp(out, expected[i], 144))
+ return aes_selftest_fail(impl, out, expected[i], 144,
+ "AES-%u-CBC enc incremental", aes_keybits[i]);
+
+ memcpy(iv, iv0, 16);
+ impl->ai_cbc_dec(&dec, out, out, 128, iv, aes_nrounds[i]);
+ impl->ai_cbc_dec(&dec, out + 128, out + 128, 16, iv,
+ aes_nrounds[i]);
+ if (memcmp(out, in, 144))
+ return aes_selftest_fail(impl, out, in, 144,
+ "AES-%u-CBC dec incremental", aes_keybits[i]);
+ }
+
+ if (outbuf[0] != 0x1a)
+ return aes_selftest_fail(impl, outbuf,
+ (const uint8_t[1]){0x1a}, 1,
+ "AES-CBC overrun preceding");
+ if (outbuf[145] != 0x1a)
+ return aes_selftest_fail(impl, outbuf + 145,
+ (const uint8_t[1]){0x1a}, 1,
+ "AES-CBC overrun following");
+
+ /* Success! */
+ return 0;
+}
+
+static int
+aes_selftest_encdec_xts(const struct aes_impl *impl)
+{
+ uint64_t blkno[3] = { 0, 1, 0xff };
+ static const uint8_t expected[3][144] = {
+ [0] = {
+ /* IEEE P1619-D16, XTS-AES-128, Vector 4, truncated */
+ 0x27,0xa7,0x47,0x9b,0xef,0xa1,0xd4,0x76,
+ 0x48,0x9f,0x30,0x8c,0xd4,0xcf,0xa6,0xe2,
+ 0xa9,0x6e,0x4b,0xbe,0x32,0x08,0xff,0x25,
+ 0x28,0x7d,0xd3,0x81,0x96,0x16,0xe8,0x9c,
+ 0xc7,0x8c,0xf7,0xf5,0xe5,0x43,0x44,0x5f,
+ 0x83,0x33,0xd8,0xfa,0x7f,0x56,0x00,0x00,
+ 0x05,0x27,0x9f,0xa5,0xd8,0xb5,0xe4,0xad,
+ 0x40,0xe7,0x36,0xdd,0xb4,0xd3,0x54,0x12,
+ 0x32,0x80,0x63,0xfd,0x2a,0xab,0x53,0xe5,
+ 0xea,0x1e,0x0a,0x9f,0x33,0x25,0x00,0xa5,
+ 0xdf,0x94,0x87,0xd0,0x7a,0x5c,0x92,0xcc,
+ 0x51,0x2c,0x88,0x66,0xc7,0xe8,0x60,0xce,
+ 0x93,0xfd,0xf1,0x66,0xa2,0x49,0x12,0xb4,
+ 0x22,0x97,0x61,0x46,0xae,0x20,0xce,0x84,
+ 0x6b,0xb7,0xdc,0x9b,0xa9,0x4a,0x76,0x7a,
+ 0xae,0xf2,0x0c,0x0d,0x61,0xad,0x02,0x65,
+ 0x5e,0xa9,0x2d,0xc4,0xc4,0xe4,0x1a,0x89,
+ 0x52,0xc6,0x51,0xd3,0x31,0x74,0xbe,0x51,
+ },
+ [1] = {
+ },
+ [2] = {
+ /* IEEE P1619-D16, XTS-AES-256, Vector 10, truncated */
+ 0x1c,0x3b,0x3a,0x10,0x2f,0x77,0x03,0x86,
+ 0xe4,0x83,0x6c,0x99,0xe3,0x70,0xcf,0x9b,
+ 0xea,0x00,0x80,0x3f,0x5e,0x48,0x23,0x57,
+ 0xa4,0xae,0x12,0xd4,0x14,0xa3,0xe6,0x3b,
+ 0x5d,0x31,0xe2,0x76,0xf8,0xfe,0x4a,0x8d,
+ 0x66,0xb3,0x17,0xf9,0xac,0x68,0x3f,0x44,
+ 0x68,0x0a,0x86,0xac,0x35,0xad,0xfc,0x33,
+ 0x45,0xbe,0xfe,0xcb,0x4b,0xb1,0x88,0xfd,
+ 0x57,0x76,0x92,0x6c,0x49,0xa3,0x09,0x5e,
+ 0xb1,0x08,0xfd,0x10,0x98,0xba,0xec,0x70,
+ 0xaa,0xa6,0x69,0x99,0xa7,0x2a,0x82,0xf2,
+ 0x7d,0x84,0x8b,0x21,0xd4,0xa7,0x41,0xb0,
+ 0xc5,0xcd,0x4d,0x5f,0xff,0x9d,0xac,0x89,
+ 0xae,0xba,0x12,0x29,0x61,0xd0,0x3a,0x75,
+ 0x71,0x23,0xe9,0x87,0x0f,0x8a,0xcf,0x10,
+ 0x00,0x02,0x08,0x87,0x89,0x14,0x29,0xca,
+ 0x2a,0x3e,0x7a,0x7d,0x7d,0xf7,0xb1,0x03,
+ 0x55,0x16,0x5c,0x8b,0x9a,0x6d,0x0a,0x7d,
+ },
+ };
+ static const uint8_t key1[32] = {
+ 0x27,0x18,0x28,0x18,0x28,0x45,0x90,0x45,
+ 0x23,0x53,0x60,0x28,0x74,0x71,0x35,0x26,
+ 0x62,0x49,0x77,0x57,0x24,0x70,0x93,0x69,
+ 0x99,0x59,0x57,0x49,0x66,0x96,0x76,0x27,
+ };
+ static const uint8_t key2[32] = {
+ 0x31,0x41,0x59,0x26,0x53,0x58,0x97,0x93,
+ 0x23,0x84,0x62,0x64,0x33,0x83,0x27,0x95,
+ 0x02,0x88,0x41,0x97,0x16,0x93,0x99,0x37,
+ 0x51,0x05,0x82,0x09,0x74,0x94,0x45,0x92,
+ };
+ struct aesenc enc;
+ struct aesdec dec;
+ uint8_t in[144];
+ uint8_t outbuf[146] = { [0] = 0x1a, [145] = 0x1a }, *out = outbuf + 1;
+ uint8_t blkno_buf[16];
+ uint8_t iv0[16], iv[16];
+ unsigned i;
+
+ for (i = 0; i < 144; i++)
+ in[i] = i;
+
+ for (i = 0; i < 3; i++) {
+ if (i == 1) /* XXX missing AES-192 test vector */
+ continue;
+
+ /* Format the data unit sequence number. */
+ memset(blkno_buf, 0, sizeof blkno_buf);
+ le64enc(blkno_buf, blkno[i]);
+
+ /* Generate the tweak. */
+ impl->ai_setenckey(&enc, key2, aes_nrounds[i]);
+ impl->ai_enc(&enc, blkno_buf, iv0, aes_nrounds[i]);
+
+ /* Load the data encryption key. */
+ impl->ai_setenckey(&enc, key1, aes_nrounds[i]);
+ impl->ai_setdeckey(&dec, key1, aes_nrounds[i]);
+
+ /* Try one swell foop. */
+ memcpy(iv, iv0, 16);
+ impl->ai_xts_enc(&enc, in, out, 144, iv, aes_nrounds[i]);
+ if (memcmp(out, expected[i], 144))
+ return aes_selftest_fail(impl, out, expected[i], 144,
+ "AES-%u-XTS enc", aes_keybits[i]);
+
+ memcpy(iv, iv0, 16);
+ impl->ai_xts_dec(&dec, out, out, 144, iv, aes_nrounds[i]);
+ if (memcmp(out, in, 144))
+ return aes_selftest_fail(impl, out, in, 144,
+ "AES-%u-XTS dec", aes_keybits[i]);
+
+ /* Try incrementally, with IV update. */
+ memcpy(iv, iv0, 16);
+ impl->ai_xts_enc(&enc, in, out, 16, iv, aes_nrounds[i]);
+ impl->ai_xts_enc(&enc, in + 16, out + 16, 128, iv,
+ aes_nrounds[i]);
+ if (memcmp(out, expected[i], 144))
+ return aes_selftest_fail(impl, out, expected[i], 144,
+ "AES-%u-XTS enc incremental", aes_keybits[i]);
+
+ memcpy(iv, iv0, 16);
+ impl->ai_xts_dec(&dec, out, out, 128, iv, aes_nrounds[i]);
+ impl->ai_xts_dec(&dec, out + 128, out + 128, 16, iv,
+ aes_nrounds[i]);
+ if (memcmp(out, in, 144))
+ return aes_selftest_fail(impl, out, in, 144,
+ "AES-%u-XTS dec incremental", aes_keybits[i]);
+ }
+
+ if (outbuf[0] != 0x1a)
+ return aes_selftest_fail(impl, outbuf,
+ (const uint8_t[1]){0x1a}, 1,
+ "AES-XTS overrun preceding");
+ if (outbuf[145] != 0x1a)
+ return aes_selftest_fail(impl, outbuf + 145,
+ (const uint8_t[1]){0x1a}, 1,
+ "AES-XTS overrun following");
+
+ /* Success! */
+ return 0;
+}
+
+int
+aes_selftest(const struct aes_impl *impl)
+{
+ int result = 0;
+
+ if (impl->ai_probe())
+ return -1;
+
+ if (aes_selftest_encdec(impl))
+ result = -1;
+ if (aes_selftest_encdec_cbc(impl))
+ result = -1;
+ if (aes_selftest_encdec_xts(impl))
+ result = -1;
+
+ return result;
+}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/aes/files.aes
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/files.aes Fri Jun 12 05:16:46 2020 +0000
@@ -0,0 +1,12 @@
+# $NetBSD$
+
+define aes
+define rijndael: aes # legacy Rijndael API
+
+file crypto/aes/aes_bear.c aes
+file crypto/aes/aes_ct.c aes
+file crypto/aes/aes_ct_dec.c aes
+file crypto/aes/aes_ct_enc.c aes
+file crypto/aes/aes_impl.c aes
+file crypto/aes/aes_rijndael.c rijndael
+file crypto/aes/aes_selftest.c aes
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/rijndael/files.rijndael
--- a/sys/crypto/rijndael/files.rijndael Sun Jun 14 15:58:39 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,7 +0,0 @@
-# $NetBSD: files.rijndael,v 1.7 2020/04/22 09:15:40 rin Exp $
-
-define rijndael
-
-file crypto/rijndael/rijndael-alg-fst.c rijndael
-file crypto/rijndael/rijndael-api-fst.c rijndael
-file crypto/rijndael/rijndael.c rijndael
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/rijndael/rijndael-alg-fst.c
--- a/sys/crypto/rijndael/rijndael-alg-fst.c Sun Jun 14 15:58:39 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1225 +0,0 @@
-/* $NetBSD: rijndael-alg-fst.c,v 1.7 2005/12/11 12:20:52 christos Exp $ */
-/* $KAME: rijndael-alg-fst.c,v 1.10 2003/07/15 10:47:16 itojun Exp $ */
-/**
- * rijndael-alg-fst.c
- *
- * @version 3.0 (December 2000)
- *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen%esat.kuleuven.ac.be@localhost>
- * @author Antoon Bosselaers <antoon.bosselaers%esat.kuleuven.ac.be@localhost>
- * @author Paulo Barreto <paulo.barreto%terra.com.br@localhost>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rijndael-alg-fst.c,v 1.7 2005/12/11 12:20:52 christos Exp $");
-
-#include <sys/types.h>
-#ifdef _KERNEL
-#include <sys/systm.h>
-#else
-#include <string.h>
-#endif
-
-#include <crypto/rijndael/rijndael-alg-fst.h>
-#include <crypto/rijndael/rijndael_local.h>
-
-/*
-Te0[x] = S [x].[02, 01, 01, 03];
-Te1[x] = S [x].[03, 02, 01, 01];
-Te2[x] = S [x].[01, 03, 02, 01];
-Te3[x] = S [x].[01, 01, 03, 02];
-Te4[x] = S [x].[01, 01, 01, 01];
-
-Td0[x] = Si[x].[0e, 09, 0d, 0b];
-Td1[x] = Si[x].[0b, 0e, 09, 0d];
-Td2[x] = Si[x].[0d, 0b, 0e, 09];
-Td3[x] = Si[x].[09, 0d, 0b, 0e];
-Td4[x] = Si[x].[01, 01, 01, 01];
-*/
-
-static const u32 Te0[256] = {
- 0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
- 0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
- 0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
- 0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
- 0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
- 0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
- 0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
- 0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
- 0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
- 0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
- 0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
- 0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
- 0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
- 0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
- 0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
- 0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
- 0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
- 0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
- 0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
- 0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
- 0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
- 0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
- 0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
- 0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
- 0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
- 0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
- 0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
- 0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
- 0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
- 0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
- 0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
- 0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
- 0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
- 0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
- 0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
- 0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
- 0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
- 0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
- 0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
- 0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
- 0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
- 0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
- 0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
- 0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
- 0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
- 0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
- 0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
- 0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
- 0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
- 0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
- 0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
- 0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
- 0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
- 0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
- 0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
- 0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
- 0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
- 0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
- 0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
- 0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
- 0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
- 0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
- 0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
- 0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
-};
-static const u32 Te1[256] = {
- 0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
- 0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
- 0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
- 0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
- 0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
- 0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
- 0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
- 0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
- 0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
- 0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
- 0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
- 0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
- 0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
- 0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
- 0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
- 0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
- 0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
- 0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
- 0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
- 0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
- 0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
- 0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
- 0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
- 0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
- 0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
- 0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
- 0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
- 0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
- 0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
- 0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
- 0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
- 0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
- 0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
- 0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
- 0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
- 0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
- 0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
- 0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
- 0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
- 0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
- 0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
- 0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
- 0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
- 0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
- 0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
- 0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
- 0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
- 0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
- 0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
- 0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
- 0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
- 0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
- 0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
- 0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
- 0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
- 0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
- 0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
- 0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
- 0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
- 0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
- 0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
- 0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
- 0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
- 0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
-};
-static const u32 Te2[256] = {
- 0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
- 0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
- 0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
- 0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
- 0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
- 0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
- 0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
- 0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
- 0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
- 0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
- 0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
- 0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
- 0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
- 0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
- 0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
- 0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
- 0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
- 0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
- 0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
- 0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
- 0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
- 0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
- 0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
- 0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
- 0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
- 0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
- 0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
- 0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
- 0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
- 0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
- 0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
- 0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
- 0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
- 0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
- 0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
- 0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
- 0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
- 0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
- 0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
- 0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
- 0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
- 0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
- 0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
- 0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
- 0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
- 0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
- 0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
- 0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
- 0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
- 0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
- 0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
- 0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
- 0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
- 0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
- 0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
- 0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
- 0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
- 0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
- 0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
- 0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
- 0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
- 0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
- 0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
- 0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
-};
-static const u32 Te3[256] = {
-
- 0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
- 0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
- 0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
- 0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
- 0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
- 0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
- 0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
- 0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
- 0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
- 0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
- 0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
- 0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
- 0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
- 0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
- 0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
- 0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
- 0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
- 0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
- 0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
- 0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
- 0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
- 0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
- 0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
- 0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
- 0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
- 0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
- 0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
- 0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
- 0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
- 0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
- 0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
- 0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
- 0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
- 0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
- 0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
- 0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
- 0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
- 0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
- 0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
- 0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
- 0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
- 0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
- 0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
- 0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
- 0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
- 0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
- 0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
- 0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
- 0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
- 0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
- 0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
- 0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
- 0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
- 0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
- 0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
- 0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
- 0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
- 0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
- 0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
- 0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
- 0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
- 0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
- 0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
- 0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
-};
-static const u32 Te4[256] = {
- 0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
- 0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
- 0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
- 0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
- 0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
- 0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
- 0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
- 0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
- 0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
- 0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
- 0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
- 0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
- 0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
- 0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
- 0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
- 0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
- 0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
- 0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
- 0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
- 0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
- 0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
- 0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
- 0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
- 0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
- 0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
- 0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
- 0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
- 0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
- 0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
- 0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
- 0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
- 0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
- 0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
- 0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
- 0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
- 0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
- 0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
- 0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
- 0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
- 0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
- 0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
- 0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
- 0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
- 0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
- 0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
- 0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
- 0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
- 0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
- 0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
- 0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
- 0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
- 0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
- 0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
- 0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
- 0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
- 0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
- 0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
- 0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
- 0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
- 0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
- 0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
- 0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
- 0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
- 0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
-};
-static const u32 Td0[256] = {
- 0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
- 0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
- 0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
- 0x4fe5d7fcU, 0xc52acbd7U, 0x26354480U, 0xb562a38fU,
- 0xdeb15a49U, 0x25ba1b67U, 0x45ea0e98U, 0x5dfec0e1U,
- 0xc32f7502U, 0x814cf012U, 0x8d4697a3U, 0x6bd3f9c6U,
- 0x038f5fe7U, 0x15929c95U, 0xbf6d7aebU, 0x955259daU,
- 0xd4be832dU, 0x587421d3U, 0x49e06929U, 0x8ec9c844U,
- 0x75c2896aU, 0xf48e7978U, 0x99583e6bU, 0x27b971ddU,
- 0xbee14fb6U, 0xf088ad17U, 0xc920ac66U, 0x7dce3ab4U,
- 0x63df4a18U, 0xe51a3182U, 0x97513360U, 0x62537f45U,
- 0xb16477e0U, 0xbb6bae84U, 0xfe81a01cU, 0xf9082b94U,
- 0x70486858U, 0x8f45fd19U, 0x94de6c87U, 0x527bf8b7U,
- 0xab73d323U, 0x724b02e2U, 0xe31f8f57U, 0x6655ab2aU,
- 0xb2eb2807U, 0x2fb5c203U, 0x86c57b9aU, 0xd33708a5U,
- 0x302887f2U, 0x23bfa5b2U, 0x02036abaU, 0xed16825cU,
- 0x8acf1c2bU, 0xa779b492U, 0xf307f2f0U, 0x4e69e2a1U,
- 0x65daf4cdU, 0x0605bed5U, 0xd134621fU, 0xc4a6fe8aU,
- 0x342e539dU, 0xa2f355a0U, 0x058ae132U, 0xa4f6eb75U,
- 0x0b83ec39U, 0x4060efaaU, 0x5e719f06U, 0xbd6e1051U,
- 0x3e218af9U, 0x96dd063dU, 0xdd3e05aeU, 0x4de6bd46U,
- 0x91548db5U, 0x71c45d05U, 0x0406d46fU, 0x605015ffU,
- 0x1998fb24U, 0xd6bde997U, 0x894043ccU, 0x67d99e77U,
- 0xb0e842bdU, 0x07898b88U, 0xe7195b38U, 0x79c8eedbU,
- 0xa17c0a47U, 0x7c420fe9U, 0xf8841ec9U, 0x00000000U,
- 0x09808683U, 0x322bed48U, 0x1e1170acU, 0x6c5a724eU,
- 0xfd0efffbU, 0x0f853856U, 0x3daed51eU, 0x362d3927U,
- 0x0a0fd964U, 0x685ca621U, 0x9b5b54d1U, 0x24362e3aU,
- 0x0c0a67b1U, 0x9357e70fU, 0xb4ee96d2U, 0x1b9b919eU,
- 0x80c0c54fU, 0x61dc20a2U, 0x5a774b69U, 0x1c121a16U,
- 0xe293ba0aU, 0xc0a02ae5U, 0x3c22e043U, 0x121b171dU,
- 0x0e090d0bU, 0xf28bc7adU, 0x2db6a8b9U, 0x141ea9c8U,
- 0x57f11985U, 0xaf75074cU, 0xee99ddbbU, 0xa37f60fdU,
- 0xf701269fU, 0x5c72f5bcU, 0x44663bc5U, 0x5bfb7e34U,
- 0x8b432976U, 0xcb23c6dcU, 0xb6edfc68U, 0xb8e4f163U,
- 0xd731dccaU, 0x42638510U, 0x13972240U, 0x84c61120U,
- 0x854a247dU, 0xd2bb3df8U, 0xaef93211U, 0xc729a16dU,
- 0x1d9e2f4bU, 0xdcb230f3U, 0x0d8652ecU, 0x77c1e3d0U,
- 0x2bb3166cU, 0xa970b999U, 0x119448faU, 0x47e96422U,
- 0xa8fc8cc4U, 0xa0f03f1aU, 0x567d2cd8U, 0x223390efU,
- 0x87494ec7U, 0xd938d1c1U, 0x8ccaa2feU, 0x98d40b36U,
- 0xa6f581cfU, 0xa57ade28U, 0xdab78e26U, 0x3fadbfa4U,
- 0x2c3a9de4U, 0x5078920dU, 0x6a5fcc9bU, 0x547e4662U,
- 0xf68d13c2U, 0x90d8b8e8U, 0x2e39f75eU, 0x82c3aff5U,
- 0x9f5d80beU, 0x69d0937cU, 0x6fd52da9U, 0xcf2512b3U,
- 0xc8ac993bU, 0x10187da7U, 0xe89c636eU, 0xdb3bbb7bU,
- 0xcd267809U, 0x6e5918f4U, 0xec9ab701U, 0x834f9aa8U,
- 0xe6956e65U, 0xaaffe67eU, 0x21bccf08U, 0xef15e8e6U,
- 0xbae79bd9U, 0x4a6f36ceU, 0xea9f09d4U, 0x29b07cd6U,
- 0x31a4b2afU, 0x2a3f2331U, 0xc6a59430U, 0x35a266c0U,
- 0x744ebc37U, 0xfc82caa6U, 0xe090d0b0U, 0x33a7d815U,
- 0xf104984aU, 0x41ecdaf7U, 0x7fcd500eU, 0x1791f62fU,
- 0x764dd68dU, 0x43efb04dU, 0xccaa4d54U, 0xe49604dfU,
- 0x9ed1b5e3U, 0x4c6a881bU, 0xc12c1fb8U, 0x4665517fU,
- 0x9d5eea04U, 0x018c355dU, 0xfa877473U, 0xfb0b412eU,
- 0xb3671d5aU, 0x92dbd252U, 0xe9105633U, 0x6dd64713U,
- 0x9ad7618cU, 0x37a10c7aU, 0x59f8148eU, 0xeb133c89U,
- 0xcea927eeU, 0xb761c935U, 0xe11ce5edU, 0x7a47b13cU,
- 0x9cd2df59U, 0x55f2733fU, 0x1814ce79U, 0x73c737bfU,
- 0x53f7cdeaU, 0x5ffdaa5bU, 0xdf3d6f14U, 0x7844db86U,
- 0xcaaff381U, 0xb968c43eU, 0x3824342cU, 0xc2a3405fU,
- 0x161dc372U, 0xbce2250cU, 0x283c498bU, 0xff0d9541U,
- 0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
- 0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
-};
-static const u32 Td1[256] = {
- 0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
- 0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
- 0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
- 0xfc4fe5d7U, 0xd7c52acbU, 0x80263544U, 0x8fb562a3U,
- 0x49deb15aU, 0x6725ba1bU, 0x9845ea0eU, 0xe15dfec0U,
- 0x02c32f75U, 0x12814cf0U, 0xa38d4697U, 0xc66bd3f9U,
- 0xe7038f5fU, 0x9515929cU, 0xebbf6d7aU, 0xda955259U,
- 0x2dd4be83U, 0xd3587421U, 0x2949e069U, 0x448ec9c8U,
- 0x6a75c289U, 0x78f48e79U, 0x6b99583eU, 0xdd27b971U,
- 0xb6bee14fU, 0x17f088adU, 0x66c920acU, 0xb47dce3aU,
- 0x1863df4aU, 0x82e51a31U, 0x60975133U, 0x4562537fU,
- 0xe0b16477U, 0x84bb6baeU, 0x1cfe81a0U, 0x94f9082bU,
- 0x58704868U, 0x198f45fdU, 0x8794de6cU, 0xb7527bf8U,
- 0x23ab73d3U, 0xe2724b02U, 0x57e31f8fU, 0x2a6655abU,
- 0x07b2eb28U, 0x032fb5c2U, 0x9a86c57bU, 0xa5d33708U,
- 0xf2302887U, 0xb223bfa5U, 0xba02036aU, 0x5ced1682U,
- 0x2b8acf1cU, 0x92a779b4U, 0xf0f307f2U, 0xa14e69e2U,
- 0xcd65daf4U, 0xd50605beU, 0x1fd13462U, 0x8ac4a6feU,
- 0x9d342e53U, 0xa0a2f355U, 0x32058ae1U, 0x75a4f6ebU,
- 0x390b83ecU, 0xaa4060efU, 0x065e719fU, 0x51bd6e10U,
- 0xf93e218aU, 0x3d96dd06U, 0xaedd3e05U, 0x464de6bdU,
- 0xb591548dU, 0x0571c45dU, 0x6f0406d4U, 0xff605015U,
- 0x241998fbU, 0x97d6bde9U, 0xcc894043U, 0x7767d99eU,
- 0xbdb0e842U, 0x8807898bU, 0x38e7195bU, 0xdb79c8eeU,
- 0x47a17c0aU, 0xe97c420fU, 0xc9f8841eU, 0x00000000U,
- 0x83098086U, 0x48322bedU, 0xac1e1170U, 0x4e6c5a72U,
- 0xfbfd0effU, 0x560f8538U, 0x1e3daed5U, 0x27362d39U,
- 0x640a0fd9U, 0x21685ca6U, 0xd19b5b54U, 0x3a24362eU,
- 0xb10c0a67U, 0x0f9357e7U, 0xd2b4ee96U, 0x9e1b9b91U,
- 0x4f80c0c5U, 0xa261dc20U, 0x695a774bU, 0x161c121aU,
- 0x0ae293baU, 0xe5c0a02aU, 0x433c22e0U, 0x1d121b17U,
- 0x0b0e090dU, 0xadf28bc7U, 0xb92db6a8U, 0xc8141ea9U,
- 0x8557f119U, 0x4caf7507U, 0xbbee99ddU, 0xfda37f60U,
- 0x9ff70126U, 0xbc5c72f5U, 0xc544663bU, 0x345bfb7eU,
- 0x768b4329U, 0xdccb23c6U, 0x68b6edfcU, 0x63b8e4f1U,
- 0xcad731dcU, 0x10426385U, 0x40139722U, 0x2084c611U,
- 0x7d854a24U, 0xf8d2bb3dU, 0x11aef932U, 0x6dc729a1U,
- 0x4b1d9e2fU, 0xf3dcb230U, 0xec0d8652U, 0xd077c1e3U,
- 0x6c2bb316U, 0x99a970b9U, 0xfa119448U, 0x2247e964U,
- 0xc4a8fc8cU, 0x1aa0f03fU, 0xd8567d2cU, 0xef223390U,
- 0xc787494eU, 0xc1d938d1U, 0xfe8ccaa2U, 0x3698d40bU,
- 0xcfa6f581U, 0x28a57adeU, 0x26dab78eU, 0xa43fadbfU,
- 0xe42c3a9dU, 0x0d507892U, 0x9b6a5fccU, 0x62547e46U,
- 0xc2f68d13U, 0xe890d8b8U, 0x5e2e39f7U, 0xf582c3afU,
- 0xbe9f5d80U, 0x7c69d093U, 0xa96fd52dU, 0xb3cf2512U,
- 0x3bc8ac99U, 0xa710187dU, 0x6ee89c63U, 0x7bdb3bbbU,
- 0x09cd2678U, 0xf46e5918U, 0x01ec9ab7U, 0xa8834f9aU,
- 0x65e6956eU, 0x7eaaffe6U, 0x0821bccfU, 0xe6ef15e8U,
- 0xd9bae79bU, 0xce4a6f36U, 0xd4ea9f09U, 0xd629b07cU,
- 0xaf31a4b2U, 0x312a3f23U, 0x30c6a594U, 0xc035a266U,
- 0x37744ebcU, 0xa6fc82caU, 0xb0e090d0U, 0x1533a7d8U,
- 0x4af10498U, 0xf741ecdaU, 0x0e7fcd50U, 0x2f1791f6U,
- 0x8d764dd6U, 0x4d43efb0U, 0x54ccaa4dU, 0xdfe49604U,
- 0xe39ed1b5U, 0x1b4c6a88U, 0xb8c12c1fU, 0x7f466551U,
- 0x049d5eeaU, 0x5d018c35U, 0x73fa8774U, 0x2efb0b41U,
- 0x5ab3671dU, 0x5292dbd2U, 0x33e91056U, 0x136dd647U,
- 0x8c9ad761U, 0x7a37a10cU, 0x8e59f814U, 0x89eb133cU,
- 0xeecea927U, 0x35b761c9U, 0xede11ce5U, 0x3c7a47b1U,
- 0x599cd2dfU, 0x3f55f273U, 0x791814ceU, 0xbf73c737U,
- 0xea53f7cdU, 0x5b5ffdaaU, 0x14df3d6fU, 0x867844dbU,
- 0x81caaff3U, 0x3eb968c4U, 0x2c382434U, 0x5fc2a340U,
- 0x72161dc3U, 0x0cbce225U, 0x8b283c49U, 0x41ff0d95U,
- 0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
- 0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
-};
-static const u32 Td2[256] = {
- 0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
- 0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
- 0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
- 0xd7fc4fe5U, 0xcbd7c52aU, 0x44802635U, 0xa38fb562U,
- 0x5a49deb1U, 0x1b6725baU, 0x0e9845eaU, 0xc0e15dfeU,
- 0x7502c32fU, 0xf012814cU, 0x97a38d46U, 0xf9c66bd3U,
- 0x5fe7038fU, 0x9c951592U, 0x7aebbf6dU, 0x59da9552U,
- 0x832dd4beU, 0x21d35874U, 0x692949e0U, 0xc8448ec9U,
- 0x896a75c2U, 0x7978f48eU, 0x3e6b9958U, 0x71dd27b9U,
- 0x4fb6bee1U, 0xad17f088U, 0xac66c920U, 0x3ab47dceU,
- 0x4a1863dfU, 0x3182e51aU, 0x33609751U, 0x7f456253U,
- 0x77e0b164U, 0xae84bb6bU, 0xa01cfe81U, 0x2b94f908U,
- 0x68587048U, 0xfd198f45U, 0x6c8794deU, 0xf8b7527bU,
- 0xd323ab73U, 0x02e2724bU, 0x8f57e31fU, 0xab2a6655U,
- 0x2807b2ebU, 0xc2032fb5U, 0x7b9a86c5U, 0x08a5d337U,
- 0x87f23028U, 0xa5b223bfU, 0x6aba0203U, 0x825ced16U,
- 0x1c2b8acfU, 0xb492a779U, 0xf2f0f307U, 0xe2a14e69U,
- 0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
- 0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
- 0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
-
- 0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
- 0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
- 0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
- 0x42bdb0e8U, 0x8b880789U, 0x5b38e719U, 0xeedb79c8U,
- 0x0a47a17cU, 0x0fe97c42U, 0x1ec9f884U, 0x00000000U,
- 0x86830980U, 0xed48322bU, 0x70ac1e11U, 0x724e6c5aU,
- 0xfffbfd0eU, 0x38560f85U, 0xd51e3daeU, 0x3927362dU,
- 0xd9640a0fU, 0xa621685cU, 0x54d19b5bU, 0x2e3a2436U,
- 0x67b10c0aU, 0xe70f9357U, 0x96d2b4eeU, 0x919e1b9bU,
- 0xc54f80c0U, 0x20a261dcU, 0x4b695a77U, 0x1a161c12U,
- 0xba0ae293U, 0x2ae5c0a0U, 0xe0433c22U, 0x171d121bU,
- 0x0d0b0e09U, 0xc7adf28bU, 0xa8b92db6U, 0xa9c8141eU,
- 0x198557f1U, 0x074caf75U, 0xddbbee99U, 0x60fda37fU,
- 0x269ff701U, 0xf5bc5c72U, 0x3bc54466U, 0x7e345bfbU,
- 0x29768b43U, 0xc6dccb23U, 0xfc68b6edU, 0xf163b8e4U,
- 0xdccad731U, 0x85104263U, 0x22401397U, 0x112084c6U,
- 0x247d854aU, 0x3df8d2bbU, 0x3211aef9U, 0xa16dc729U,
- 0x2f4b1d9eU, 0x30f3dcb2U, 0x52ec0d86U, 0xe3d077c1U,
- 0x166c2bb3U, 0xb999a970U, 0x48fa1194U, 0x642247e9U,
- 0x8cc4a8fcU, 0x3f1aa0f0U, 0x2cd8567dU, 0x90ef2233U,
- 0x4ec78749U, 0xd1c1d938U, 0xa2fe8ccaU, 0x0b3698d4U,
- 0x81cfa6f5U, 0xde28a57aU, 0x8e26dab7U, 0xbfa43fadU,
- 0x9de42c3aU, 0x920d5078U, 0xcc9b6a5fU, 0x4662547eU,
- 0x13c2f68dU, 0xb8e890d8U, 0xf75e2e39U, 0xaff582c3U,
- 0x80be9f5dU, 0x937c69d0U, 0x2da96fd5U, 0x12b3cf25U,
- 0x993bc8acU, 0x7da71018U, 0x636ee89cU, 0xbb7bdb3bU,
- 0x7809cd26U, 0x18f46e59U, 0xb701ec9aU, 0x9aa8834fU,
- 0x6e65e695U, 0xe67eaaffU, 0xcf0821bcU, 0xe8e6ef15U,
- 0x9bd9bae7U, 0x36ce4a6fU, 0x09d4ea9fU, 0x7cd629b0U,
- 0xb2af31a4U, 0x23312a3fU, 0x9430c6a5U, 0x66c035a2U,
- 0xbc37744eU, 0xcaa6fc82U, 0xd0b0e090U, 0xd81533a7U,
- 0x984af104U, 0xdaf741ecU, 0x500e7fcdU, 0xf62f1791U,
- 0xd68d764dU, 0xb04d43efU, 0x4d54ccaaU, 0x04dfe496U,
- 0xb5e39ed1U, 0x881b4c6aU, 0x1fb8c12cU, 0x517f4665U,
- 0xea049d5eU, 0x355d018cU, 0x7473fa87U, 0x412efb0bU,
- 0x1d5ab367U, 0xd25292dbU, 0x5633e910U, 0x47136dd6U,
- 0x618c9ad7U, 0x0c7a37a1U, 0x148e59f8U, 0x3c89eb13U,
- 0x27eecea9U, 0xc935b761U, 0xe5ede11cU, 0xb13c7a47U,
- 0xdf599cd2U, 0x733f55f2U, 0xce791814U, 0x37bf73c7U,
- 0xcdea53f7U, 0xaa5b5ffdU, 0x6f14df3dU, 0xdb867844U,
- 0xf381caafU, 0xc43eb968U, 0x342c3824U, 0x405fc2a3U,
- 0xc372161dU, 0x250cbce2U, 0x498b283cU, 0x9541ff0dU,
- 0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
- 0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
-};
-static const u32 Td3[256] = {
- 0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
- 0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
- 0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
- 0xe5d7fc4fU, 0x2acbd7c5U, 0x35448026U, 0x62a38fb5U,
- 0xb15a49deU, 0xba1b6725U, 0xea0e9845U, 0xfec0e15dU,
- 0x2f7502c3U, 0x4cf01281U, 0x4697a38dU, 0xd3f9c66bU,
- 0x8f5fe703U, 0x929c9515U, 0x6d7aebbfU, 0x5259da95U,
- 0xbe832dd4U, 0x7421d358U, 0xe0692949U, 0xc9c8448eU,
- 0xc2896a75U, 0x8e7978f4U, 0x583e6b99U, 0xb971dd27U,
- 0xe14fb6beU, 0x88ad17f0U, 0x20ac66c9U, 0xce3ab47dU,
- 0xdf4a1863U, 0x1a3182e5U, 0x51336097U, 0x537f4562U,
- 0x6477e0b1U, 0x6bae84bbU, 0x81a01cfeU, 0x082b94f9U,
- 0x48685870U, 0x45fd198fU, 0xde6c8794U, 0x7bf8b752U,
- 0x73d323abU, 0x4b02e272U, 0x1f8f57e3U, 0x55ab2a66U,
- 0xeb2807b2U, 0xb5c2032fU, 0xc57b9a86U, 0x3708a5d3U,
- 0x2887f230U, 0xbfa5b223U, 0x036aba02U, 0x16825cedU,
- 0xcf1c2b8aU, 0x79b492a7U, 0x07f2f0f3U, 0x69e2a14eU,
- 0xdaf4cd65U, 0x05bed506U, 0x34621fd1U, 0xa6fe8ac4U,
- 0x2e539d34U, 0xf355a0a2U, 0x8ae13205U, 0xf6eb75a4U,
- 0x83ec390bU, 0x60efaa40U, 0x719f065eU, 0x6e1051bdU,
- 0x218af93eU, 0xdd063d96U, 0x3e05aeddU, 0xe6bd464dU,
- 0x548db591U, 0xc45d0571U, 0x06d46f04U, 0x5015ff60U,
- 0x98fb2419U, 0xbde997d6U, 0x4043cc89U, 0xd99e7767U,
- 0xe842bdb0U, 0x898b8807U, 0x195b38e7U, 0xc8eedb79U,
- 0x7c0a47a1U, 0x420fe97cU, 0x841ec9f8U, 0x00000000U,
- 0x80868309U, 0x2bed4832U, 0x1170ac1eU, 0x5a724e6cU,
- 0x0efffbfdU, 0x8538560fU, 0xaed51e3dU, 0x2d392736U,
- 0x0fd9640aU, 0x5ca62168U, 0x5b54d19bU, 0x362e3a24U,
- 0x0a67b10cU, 0x57e70f93U, 0xee96d2b4U, 0x9b919e1bU,
- 0xc0c54f80U, 0xdc20a261U, 0x774b695aU, 0x121a161cU,
- 0x93ba0ae2U, 0xa02ae5c0U, 0x22e0433cU, 0x1b171d12U,
- 0x090d0b0eU, 0x8bc7adf2U, 0xb6a8b92dU, 0x1ea9c814U,
- 0xf1198557U, 0x75074cafU, 0x99ddbbeeU, 0x7f60fda3U,
- 0x01269ff7U, 0x72f5bc5cU, 0x663bc544U, 0xfb7e345bU,
- 0x4329768bU, 0x23c6dccbU, 0xedfc68b6U, 0xe4f163b8U,
- 0x31dccad7U, 0x63851042U, 0x97224013U, 0xc6112084U,
- 0x4a247d85U, 0xbb3df8d2U, 0xf93211aeU, 0x29a16dc7U,
- 0x9e2f4b1dU, 0xb230f3dcU, 0x8652ec0dU, 0xc1e3d077U,
- 0xb3166c2bU, 0x70b999a9U, 0x9448fa11U, 0xe9642247U,
- 0xfc8cc4a8U, 0xf03f1aa0U, 0x7d2cd856U, 0x3390ef22U,
- 0x494ec787U, 0x38d1c1d9U, 0xcaa2fe8cU, 0xd40b3698U,
- 0xf581cfa6U, 0x7ade28a5U, 0xb78e26daU, 0xadbfa43fU,
- 0x3a9de42cU, 0x78920d50U, 0x5fcc9b6aU, 0x7e466254U,
- 0x8d13c2f6U, 0xd8b8e890U, 0x39f75e2eU, 0xc3aff582U,
- 0x5d80be9fU, 0xd0937c69U, 0xd52da96fU, 0x2512b3cfU,
- 0xac993bc8U, 0x187da710U, 0x9c636ee8U, 0x3bbb7bdbU,
- 0x267809cdU, 0x5918f46eU, 0x9ab701ecU, 0x4f9aa883U,
- 0x956e65e6U, 0xffe67eaaU, 0xbccf0821U, 0x15e8e6efU,
- 0xe79bd9baU, 0x6f36ce4aU, 0x9f09d4eaU, 0xb07cd629U,
- 0xa4b2af31U, 0x3f23312aU, 0xa59430c6U, 0xa266c035U,
- 0x4ebc3774U, 0x82caa6fcU, 0x90d0b0e0U, 0xa7d81533U,
- 0x04984af1U, 0xecdaf741U, 0xcd500e7fU, 0x91f62f17U,
- 0x4dd68d76U, 0xefb04d43U, 0xaa4d54ccU, 0x9604dfe4U,
- 0xd1b5e39eU, 0x6a881b4cU, 0x2c1fb8c1U, 0x65517f46U,
- 0x5eea049dU, 0x8c355d01U, 0x877473faU, 0x0b412efbU,
- 0x671d5ab3U, 0xdbd25292U, 0x105633e9U, 0xd647136dU,
- 0xd7618c9aU, 0xa10c7a37U, 0xf8148e59U, 0x133c89ebU,
- 0xa927eeceU, 0x61c935b7U, 0x1ce5ede1U, 0x47b13c7aU,
- 0xd2df599cU, 0xf2733f55U, 0x14ce7918U, 0xc737bf73U,
- 0xf7cdea53U, 0xfdaa5b5fU, 0x3d6f14dfU, 0x44db8678U,
- 0xaff381caU, 0x68c43eb9U, 0x24342c38U, 0xa3405fc2U,
- 0x1dc37216U, 0xe2250cbcU, 0x3c498b28U, 0x0d9541ffU,
- 0xa8017139U, 0x0cb3de08U, 0xb4e49cd8U, 0x56c19064U,
- 0xcb84617bU, 0x32b670d5U, 0x6c5c7448U, 0xb85742d0U,
-};
-static const u32 Td4[256] = {
- 0x52525252U, 0x09090909U, 0x6a6a6a6aU, 0xd5d5d5d5U,
- 0x30303030U, 0x36363636U, 0xa5a5a5a5U, 0x38383838U,
- 0xbfbfbfbfU, 0x40404040U, 0xa3a3a3a3U, 0x9e9e9e9eU,
- 0x81818181U, 0xf3f3f3f3U, 0xd7d7d7d7U, 0xfbfbfbfbU,
- 0x7c7c7c7cU, 0xe3e3e3e3U, 0x39393939U, 0x82828282U,
- 0x9b9b9b9bU, 0x2f2f2f2fU, 0xffffffffU, 0x87878787U,
- 0x34343434U, 0x8e8e8e8eU, 0x43434343U, 0x44444444U,
- 0xc4c4c4c4U, 0xdedededeU, 0xe9e9e9e9U, 0xcbcbcbcbU,
- 0x54545454U, 0x7b7b7b7bU, 0x94949494U, 0x32323232U,
- 0xa6a6a6a6U, 0xc2c2c2c2U, 0x23232323U, 0x3d3d3d3dU,
- 0xeeeeeeeeU, 0x4c4c4c4cU, 0x95959595U, 0x0b0b0b0bU,
- 0x42424242U, 0xfafafafaU, 0xc3c3c3c3U, 0x4e4e4e4eU,
- 0x08080808U, 0x2e2e2e2eU, 0xa1a1a1a1U, 0x66666666U,
- 0x28282828U, 0xd9d9d9d9U, 0x24242424U, 0xb2b2b2b2U,
- 0x76767676U, 0x5b5b5b5bU, 0xa2a2a2a2U, 0x49494949U,
- 0x6d6d6d6dU, 0x8b8b8b8bU, 0xd1d1d1d1U, 0x25252525U,
- 0x72727272U, 0xf8f8f8f8U, 0xf6f6f6f6U, 0x64646464U,
- 0x86868686U, 0x68686868U, 0x98989898U, 0x16161616U,
- 0xd4d4d4d4U, 0xa4a4a4a4U, 0x5c5c5c5cU, 0xccccccccU,
- 0x5d5d5d5dU, 0x65656565U, 0xb6b6b6b6U, 0x92929292U,
- 0x6c6c6c6cU, 0x70707070U, 0x48484848U, 0x50505050U,
- 0xfdfdfdfdU, 0xededededU, 0xb9b9b9b9U, 0xdadadadaU,
- 0x5e5e5e5eU, 0x15151515U, 0x46464646U, 0x57575757U,
- 0xa7a7a7a7U, 0x8d8d8d8dU, 0x9d9d9d9dU, 0x84848484U,
- 0x90909090U, 0xd8d8d8d8U, 0xababababU, 0x00000000U,
- 0x8c8c8c8cU, 0xbcbcbcbcU, 0xd3d3d3d3U, 0x0a0a0a0aU,
- 0xf7f7f7f7U, 0xe4e4e4e4U, 0x58585858U, 0x05050505U,
- 0xb8b8b8b8U, 0xb3b3b3b3U, 0x45454545U, 0x06060606U,
- 0xd0d0d0d0U, 0x2c2c2c2cU, 0x1e1e1e1eU, 0x8f8f8f8fU,
- 0xcacacacaU, 0x3f3f3f3fU, 0x0f0f0f0fU, 0x02020202U,
- 0xc1c1c1c1U, 0xafafafafU, 0xbdbdbdbdU, 0x03030303U,
- 0x01010101U, 0x13131313U, 0x8a8a8a8aU, 0x6b6b6b6bU,
- 0x3a3a3a3aU, 0x91919191U, 0x11111111U, 0x41414141U,
- 0x4f4f4f4fU, 0x67676767U, 0xdcdcdcdcU, 0xeaeaeaeaU,
- 0x97979797U, 0xf2f2f2f2U, 0xcfcfcfcfU, 0xcecececeU,
- 0xf0f0f0f0U, 0xb4b4b4b4U, 0xe6e6e6e6U, 0x73737373U,
- 0x96969696U, 0xacacacacU, 0x74747474U, 0x22222222U,
- 0xe7e7e7e7U, 0xadadadadU, 0x35353535U, 0x85858585U,
- 0xe2e2e2e2U, 0xf9f9f9f9U, 0x37373737U, 0xe8e8e8e8U,
- 0x1c1c1c1cU, 0x75757575U, 0xdfdfdfdfU, 0x6e6e6e6eU,
- 0x47474747U, 0xf1f1f1f1U, 0x1a1a1a1aU, 0x71717171U,
- 0x1d1d1d1dU, 0x29292929U, 0xc5c5c5c5U, 0x89898989U,
- 0x6f6f6f6fU, 0xb7b7b7b7U, 0x62626262U, 0x0e0e0e0eU,
- 0xaaaaaaaaU, 0x18181818U, 0xbebebebeU, 0x1b1b1b1bU,
- 0xfcfcfcfcU, 0x56565656U, 0x3e3e3e3eU, 0x4b4b4b4bU,
- 0xc6c6c6c6U, 0xd2d2d2d2U, 0x79797979U, 0x20202020U,
- 0x9a9a9a9aU, 0xdbdbdbdbU, 0xc0c0c0c0U, 0xfefefefeU,
- 0x78787878U, 0xcdcdcdcdU, 0x5a5a5a5aU, 0xf4f4f4f4U,
- 0x1f1f1f1fU, 0xddddddddU, 0xa8a8a8a8U, 0x33333333U,
- 0x88888888U, 0x07070707U, 0xc7c7c7c7U, 0x31313131U,
- 0xb1b1b1b1U, 0x12121212U, 0x10101010U, 0x59595959U,
- 0x27272727U, 0x80808080U, 0xececececU, 0x5f5f5f5fU,
- 0x60606060U, 0x51515151U, 0x7f7f7f7fU, 0xa9a9a9a9U,
- 0x19191919U, 0xb5b5b5b5U, 0x4a4a4a4aU, 0x0d0d0d0dU,
- 0x2d2d2d2dU, 0xe5e5e5e5U, 0x7a7a7a7aU, 0x9f9f9f9fU,
- 0x93939393U, 0xc9c9c9c9U, 0x9c9c9c9cU, 0xefefefefU,
- 0xa0a0a0a0U, 0xe0e0e0e0U, 0x3b3b3b3bU, 0x4d4d4d4dU,
- 0xaeaeaeaeU, 0x2a2a2a2aU, 0xf5f5f5f5U, 0xb0b0b0b0U,
- 0xc8c8c8c8U, 0xebebebebU, 0xbbbbbbbbU, 0x3c3c3c3cU,
- 0x83838383U, 0x53535353U, 0x99999999U, 0x61616161U,
- 0x17171717U, 0x2b2b2b2bU, 0x04040404U, 0x7e7e7e7eU,
- 0xbabababaU, 0x77777777U, 0xd6d6d6d6U, 0x26262626U,
- 0xe1e1e1e1U, 0x69696969U, 0x14141414U, 0x63636363U,
- 0x55555555U, 0x21212121U, 0x0c0c0c0cU, 0x7d7d7d7dU,
-};
-static const u32 rcon[] = {
- 0x01000000, 0x02000000, 0x04000000, 0x08000000,
- 0x10000000, 0x20000000, 0x40000000, 0x80000000,
- 0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
-};
-
-#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
-
-#ifdef _MSC_VER
-#define GETU32(p) SWAP(*((u32 *)(p)))
-#define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
-#else
-#define GETU32(pt) (((u32)(pt)[0] << 24) ^ ((u32)(pt)[1] << 16) ^ ((u32)(pt)[2] << 8) ^ ((u32)(pt)[3]))
-#define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); }
-#endif
-
-/**
- * Expand the cipher key into the encryption key schedule.
- *
- * @return the number of rounds for the given cipher key size.
- */
-int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
- int i = 0;
- u32 temp;
-
- rk[0] = GETU32(cipherKey );
- rk[1] = GETU32(cipherKey + 4);
- rk[2] = GETU32(cipherKey + 8);
- rk[3] = GETU32(cipherKey + 12);
- if (keyBits == 128) {
- for (;;) {
- temp = rk[3];
- rk[4] = rk[0] ^
- (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
- (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
- (Te4[(temp ) & 0xff] & 0x0000ff00) ^
- (Te4[(temp >> 24) ] & 0x000000ff) ^
- rcon[i];
- rk[5] = rk[1] ^ rk[4];
- rk[6] = rk[2] ^ rk[5];
- rk[7] = rk[3] ^ rk[6];
- if (++i == 10) {
- return 10;
- }
- rk += 4;
- }
- }
- rk[4] = GETU32(cipherKey + 16);
- rk[5] = GETU32(cipherKey + 20);
- if (keyBits == 192) {
- for (;;) {
- temp = rk[ 5];
- rk[ 6] = rk[ 0] ^
- (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
- (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
- (Te4[(temp ) & 0xff] & 0x0000ff00) ^
- (Te4[(temp >> 24) ] & 0x000000ff) ^
- rcon[i];
- rk[ 7] = rk[ 1] ^ rk[ 6];
- rk[ 8] = rk[ 2] ^ rk[ 7];
- rk[ 9] = rk[ 3] ^ rk[ 8];
- if (++i == 8) {
- return 12;
- }
- rk[10] = rk[ 4] ^ rk[ 9];
- rk[11] = rk[ 5] ^ rk[10];
- rk += 6;
- }
- }
- rk[6] = GETU32(cipherKey + 24);
- rk[7] = GETU32(cipherKey + 28);
- if (keyBits == 256) {
- for (;;) {
- temp = rk[ 7];
- rk[ 8] = rk[ 0] ^
- (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
- (Te4[(temp >> 8) & 0xff] & 0x00ff0000) ^
- (Te4[(temp ) & 0xff] & 0x0000ff00) ^
- (Te4[(temp >> 24) ] & 0x000000ff) ^
- rcon[i];
- rk[ 9] = rk[ 1] ^ rk[ 8];
- rk[10] = rk[ 2] ^ rk[ 9];
- rk[11] = rk[ 3] ^ rk[10];
- if (++i == 7) {
- return 14;
- }
- temp = rk[11];
- rk[12] = rk[ 4] ^
- (Te4[(temp >> 24) ] & 0xff000000) ^
- (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
- (Te4[(temp >> 8) & 0xff] & 0x0000ff00) ^
- (Te4[(temp ) & 0xff] & 0x000000ff);
- rk[13] = rk[ 5] ^ rk[12];
- rk[14] = rk[ 6] ^ rk[13];
- rk[15] = rk[ 7] ^ rk[14];
-
- rk += 8;
- }
- }
- return 0;
-}
-
-/**
- * Expand the cipher key into the decryption key schedule.
- *
- * @return the number of rounds for the given cipher key size.
- */
-int rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
- int Nr, i, j;
- u32 temp;
-
- /* expand the cipher key: */
- Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
- /* invert the order of the round keys: */
- for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
- temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp;
- temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
- temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;
- temp = rk[i + 3]; rk[i + 3] = rk[j + 3]; rk[j + 3] = temp;
- }
- /* apply the inverse MixColumn transform to all round keys but the first and the last: */
- for (i = 1; i < Nr; i++) {
- rk += 4;
- rk[0] =
- Td0[Te4[(rk[0] >> 24) ] & 0xff] ^
- Td1[Te4[(rk[0] >> 16) & 0xff] & 0xff] ^
- Td2[Te4[(rk[0] >> 8) & 0xff] & 0xff] ^
- Td3[Te4[(rk[0] ) & 0xff] & 0xff];
- rk[1] =
- Td0[Te4[(rk[1] >> 24) ] & 0xff] ^
- Td1[Te4[(rk[1] >> 16) & 0xff] & 0xff] ^
- Td2[Te4[(rk[1] >> 8) & 0xff] & 0xff] ^
- Td3[Te4[(rk[1] ) & 0xff] & 0xff];
- rk[2] =
- Td0[Te4[(rk[2] >> 24) ] & 0xff] ^
- Td1[Te4[(rk[2] >> 16) & 0xff] & 0xff] ^
- Td2[Te4[(rk[2] >> 8) & 0xff] & 0xff] ^
- Td3[Te4[(rk[2] ) & 0xff] & 0xff];
- rk[3] =
- Td0[Te4[(rk[3] >> 24) ] & 0xff] ^
- Td1[Te4[(rk[3] >> 16) & 0xff] & 0xff] ^
- Td2[Te4[(rk[3] >> 8) & 0xff] & 0xff] ^
- Td3[Te4[(rk[3] ) & 0xff] & 0xff];
- }
- return Nr;
-}
-
-void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]) {
- u32 s0, s1, s2, s3, t0, t1, t2, t3;
-#ifndef FULL_UNROLL
- int r;
-#endif /* ?FULL_UNROLL */
-
- /*
- * map byte array block to cipher state
- * and add initial round key:
- */
- s0 = GETU32(pt ) ^ rk[0];
- s1 = GETU32(pt + 4) ^ rk[1];
- s2 = GETU32(pt + 8) ^ rk[2];
- s3 = GETU32(pt + 12) ^ rk[3];
-#ifdef FULL_UNROLL
- /* round 1: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
- /* round 2: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
- /* round 3: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
- /* round 4: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
- /* round 5: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
- /* round 6: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
- /* round 7: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
- /* round 8: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
- /* round 9: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
- if (Nr > 10) {
- /* round 10: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[41];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[42];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[43];
- /* round 11: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[44];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[45];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[46];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[47];
- if (Nr > 12) {
- /* round 12: */
- s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[48];
- s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[49];
- s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[50];
- s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[51];
- /* round 13: */
- t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[52];
- t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[53];
- t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[54];
- t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[55];
- }
- }
- rk += Nr << 2;
-#else /* !FULL_UNROLL */
- /*
- * Nr - 1 full rounds:
- */
- r = Nr >> 1;
- for (;;) {
- t0 =
- Te0[(s0 >> 24) ] ^
- Te1[(s1 >> 16) & 0xff] ^
- Te2[(s2 >> 8) & 0xff] ^
- Te3[(s3 ) & 0xff] ^
- rk[4];
- t1 =
- Te0[(s1 >> 24) ] ^
- Te1[(s2 >> 16) & 0xff] ^
- Te2[(s3 >> 8) & 0xff] ^
- Te3[(s0 ) & 0xff] ^
- rk[5];
- t2 =
- Te0[(s2 >> 24) ] ^
- Te1[(s3 >> 16) & 0xff] ^
- Te2[(s0 >> 8) & 0xff] ^
- Te3[(s1 ) & 0xff] ^
- rk[6];
- t3 =
- Te0[(s3 >> 24) ] ^
- Te1[(s0 >> 16) & 0xff] ^
- Te2[(s1 >> 8) & 0xff] ^
- Te3[(s2 ) & 0xff] ^
- rk[7];
-
- rk += 8;
- if (--r == 0) {
- break;
- }
-
- s0 =
- Te0[(t0 >> 24) ] ^
- Te1[(t1 >> 16) & 0xff] ^
- Te2[(t2 >> 8) & 0xff] ^
- Te3[(t3 ) & 0xff] ^
- rk[0];
- s1 =
- Te0[(t1 >> 24) ] ^
- Te1[(t2 >> 16) & 0xff] ^
- Te2[(t3 >> 8) & 0xff] ^
- Te3[(t0 ) & 0xff] ^
- rk[1];
- s2 =
- Te0[(t2 >> 24) ] ^
- Te1[(t3 >> 16) & 0xff] ^
- Te2[(t0 >> 8) & 0xff] ^
- Te3[(t1 ) & 0xff] ^
- rk[2];
- s3 =
- Te0[(t3 >> 24) ] ^
- Te1[(t0 >> 16) & 0xff] ^
- Te2[(t1 >> 8) & 0xff] ^
- Te3[(t2 ) & 0xff] ^
- rk[3];
- }
-#endif /* ?FULL_UNROLL */
- /*
- * apply last round and
- * map cipher state to byte array block:
- */
- s0 =
- (Te4[(t0 >> 24) ] & 0xff000000) ^
- (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
- (Te4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
- (Te4[(t3 ) & 0xff] & 0x000000ff) ^
- rk[0];
- PUTU32(ct , s0);
- s1 =
- (Te4[(t1 >> 24) ] & 0xff000000) ^
- (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
- (Te4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
- (Te4[(t0 ) & 0xff] & 0x000000ff) ^
- rk[1];
- PUTU32(ct + 4, s1);
- s2 =
- (Te4[(t2 >> 24) ] & 0xff000000) ^
- (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
- (Te4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
- (Te4[(t1 ) & 0xff] & 0x000000ff) ^
- rk[2];
- PUTU32(ct + 8, s2);
- s3 =
- (Te4[(t3 >> 24) ] & 0xff000000) ^
- (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
- (Te4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
- (Te4[(t2 ) & 0xff] & 0x000000ff) ^
- rk[3];
- PUTU32(ct + 12, s3);
-}
-
-void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]) {
- u32 s0, s1, s2, s3, t0, t1, t2, t3;
-#ifndef FULL_UNROLL
- int r;
-#endif /* ?FULL_UNROLL */
-
- /*
- * map byte array block to cipher state
- * and add initial round key:
- */
- s0 = GETU32(ct ) ^ rk[0];
- s1 = GETU32(ct + 4) ^ rk[1];
- s2 = GETU32(ct + 8) ^ rk[2];
- s3 = GETU32(ct + 12) ^ rk[3];
-#ifdef FULL_UNROLL
- /* round 1: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[ 4];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[ 5];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[ 6];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[ 7];
- /* round 2: */
- s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[ 8];
- s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[ 9];
- s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[10];
- s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[11];
- /* round 3: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[12];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[13];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[14];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[15];
- /* round 4: */
- s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[16];
- s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[17];
- s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[18];
- s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[19];
- /* round 5: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[20];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[21];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[22];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[23];
- /* round 6: */
- s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[24];
- s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[25];
- s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[26];
- s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[27];
- /* round 7: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[28];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[29];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[30];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[31];
- /* round 8: */
- s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[32];
- s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[33];
- s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[34];
- s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[35];
- /* round 9: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[36];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[37];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[38];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[39];
- if (Nr > 10) {
- /* round 10: */
- s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[40];
- s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[41];
- s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[42];
- s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[43];
- /* round 11: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[44];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[45];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[46];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[47];
- if (Nr > 12) {
- /* round 12: */
- s0 = Td0[t0 >> 24] ^ Td1[(t3 >> 16) & 0xff] ^ Td2[(t2 >> 8) & 0xff] ^ Td3[t1 & 0xff] ^ rk[48];
- s1 = Td0[t1 >> 24] ^ Td1[(t0 >> 16) & 0xff] ^ Td2[(t3 >> 8) & 0xff] ^ Td3[t2 & 0xff] ^ rk[49];
- s2 = Td0[t2 >> 24] ^ Td1[(t1 >> 16) & 0xff] ^ Td2[(t0 >> 8) & 0xff] ^ Td3[t3 & 0xff] ^ rk[50];
- s3 = Td0[t3 >> 24] ^ Td1[(t2 >> 16) & 0xff] ^ Td2[(t1 >> 8) & 0xff] ^ Td3[t0 & 0xff] ^ rk[51];
- /* round 13: */
- t0 = Td0[s0 >> 24] ^ Td1[(s3 >> 16) & 0xff] ^ Td2[(s2 >> 8) & 0xff] ^ Td3[s1 & 0xff] ^ rk[52];
- t1 = Td0[s1 >> 24] ^ Td1[(s0 >> 16) & 0xff] ^ Td2[(s3 >> 8) & 0xff] ^ Td3[s2 & 0xff] ^ rk[53];
- t2 = Td0[s2 >> 24] ^ Td1[(s1 >> 16) & 0xff] ^ Td2[(s0 >> 8) & 0xff] ^ Td3[s3 & 0xff] ^ rk[54];
- t3 = Td0[s3 >> 24] ^ Td1[(s2 >> 16) & 0xff] ^ Td2[(s1 >> 8) & 0xff] ^ Td3[s0 & 0xff] ^ rk[55];
- }
- }
- rk += Nr << 2;
-#else /* !FULL_UNROLL */
- /*
- * Nr - 1 full rounds:
- */
- r = Nr >> 1;
- for (;;) {
- t0 =
- Td0[(s0 >> 24) ] ^
- Td1[(s3 >> 16) & 0xff] ^
- Td2[(s2 >> 8) & 0xff] ^
- Td3[(s1 ) & 0xff] ^
- rk[4];
- t1 =
- Td0[(s1 >> 24) ] ^
- Td1[(s0 >> 16) & 0xff] ^
- Td2[(s3 >> 8) & 0xff] ^
- Td3[(s2 ) & 0xff] ^
- rk[5];
- t2 =
- Td0[(s2 >> 24) ] ^
- Td1[(s1 >> 16) & 0xff] ^
- Td2[(s0 >> 8) & 0xff] ^
- Td3[(s3 ) & 0xff] ^
- rk[6];
- t3 =
- Td0[(s3 >> 24) ] ^
- Td1[(s2 >> 16) & 0xff] ^
- Td2[(s1 >> 8) & 0xff] ^
- Td3[(s0 ) & 0xff] ^
- rk[7];
-
- rk += 8;
- if (--r == 0) {
- break;
- }
-
- s0 =
- Td0[(t0 >> 24) ] ^
- Td1[(t3 >> 16) & 0xff] ^
- Td2[(t2 >> 8) & 0xff] ^
- Td3[(t1 ) & 0xff] ^
- rk[0];
- s1 =
- Td0[(t1 >> 24) ] ^
- Td1[(t0 >> 16) & 0xff] ^
- Td2[(t3 >> 8) & 0xff] ^
- Td3[(t2 ) & 0xff] ^
- rk[1];
- s2 =
- Td0[(t2 >> 24) ] ^
- Td1[(t1 >> 16) & 0xff] ^
- Td2[(t0 >> 8) & 0xff] ^
- Td3[(t3 ) & 0xff] ^
- rk[2];
- s3 =
- Td0[(t3 >> 24) ] ^
- Td1[(t2 >> 16) & 0xff] ^
- Td2[(t1 >> 8) & 0xff] ^
- Td3[(t0 ) & 0xff] ^
- rk[3];
- }
-#endif /* ?FULL_UNROLL */
- /*
- * apply last round and
- * map cipher state to byte array block:
- */
- s0 =
- (Td4[(t0 >> 24) ] & 0xff000000) ^
- (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
- (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^
- (Td4[(t1 ) & 0xff] & 0x000000ff) ^
- rk[0];
- PUTU32(pt , s0);
- s1 =
- (Td4[(t1 >> 24) ] & 0xff000000) ^
- (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
- (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^
- (Td4[(t2 ) & 0xff] & 0x000000ff) ^
- rk[1];
- PUTU32(pt + 4, s1);
- s2 =
- (Td4[(t2 >> 24) ] & 0xff000000) ^
- (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
- (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^
- (Td4[(t3 ) & 0xff] & 0x000000ff) ^
- rk[2];
- PUTU32(pt + 8, s2);
- s3 =
- (Td4[(t3 >> 24) ] & 0xff000000) ^
- (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
- (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^
- (Td4[(t0 ) & 0xff] & 0x000000ff) ^
- rk[3];
- PUTU32(pt + 12, s3);
-}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/rijndael/rijndael-api-fst.c
--- a/sys/crypto/rijndael/rijndael-api-fst.c Sun Jun 14 15:58:39 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,430 +0,0 @@
-/* $NetBSD: rijndael-api-fst.c,v 1.25 2016/12/11 00:28:44 alnsn Exp $ */
-
-/**
- * rijndael-api-fst.c
- *
- * @version 2.9 (December 2000)
- *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen%esat.kuleuven.ac.be@localhost>
- * @author Antoon Bosselaers <antoon.bosselaers%esat.kuleuven.ac.be@localhost>
- * @author Paulo Barreto <paulo.barreto%terra.com.br@localhost>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Acknowledgements:
- *
- * We are deeply indebted to the following people for their bug reports,
- * fixes, and improvement suggestions to this implementation. Though we
- * tried to list all contributions, we apologise in advance for any
- * missing reference.
- *
- * Andrew Bales <Andrew.Bales%Honeywell.com@localhost>
- * Markus Friedl <markus.friedl%informatik.uni-erlangen.de@localhost>
- * John Skodon <skodonj%webquill.com@localhost>
- */
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rijndael-api-fst.c,v 1.25 2016/12/11 00:28:44 alnsn Exp $");
-
-#include <sys/param.h>
-#ifdef _KERNEL
-#include <sys/systm.h>
-#else
-#include <stdlib.h>
-#include <string.h>
-#endif
-
-#include <crypto/rijndael/rijndael_local.h>
-#include <crypto/rijndael/rijndael-alg-fst.h>
-#include <crypto/rijndael/rijndael-api-fst.h>
-
-#define XTS_ALPHA 0x87
-
-static void xor16(uint8_t *d, const uint8_t *a, const uint8_t* b)
-{
- for (size_t i = 0; i < 4; i++) {
- *d++ = *a++ ^ *b++;
- *d++ = *a++ ^ *b++;
- *d++ = *a++ ^ *b++;
- *d++ = *a++ ^ *b++;
- }
-}
-
-static void
-xts_exponentiate(uint8_t *iv)
-{
- unsigned int carry = 0;
-
- for (size_t i = 0; i < 16; i++) {
- unsigned int msb = iv[i] >> 7;
-
- iv[i] = (iv[i] << 1) | carry;
- carry = msb;
- }
-
- if (carry != 0)
- iv[0] ^= XTS_ALPHA;
-}
-
-int
-rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen,
- const char *keyMaterial)
-{
- u_int8_t cipherKey[RIJNDAEL_MAXKB];
-
- if (key == NULL) {
- return BAD_KEY_INSTANCE;
- }
-
- if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
- key->direction = direction;
- } else {
- return BAD_KEY_DIR;
- }
-
- if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
- key->keyLen = keyLen;
- } else {
- return BAD_KEY_MAT;
- }
-
- if (keyMaterial != NULL) {
- memcpy(key->keyMaterial, keyMaterial, keyLen/8);
- }
-
- /* initialize key schedule: */
- memcpy(cipherKey, key->keyMaterial, keyLen/8);
- if (direction == DIR_ENCRYPT) {
- key->Nr = rijndaelKeySetupEnc(key->rk, cipherKey, keyLen);
- } else {
- key->Nr = rijndaelKeySetupDec(key->rk, cipherKey, keyLen);
- }
- rijndaelKeySetupEnc(key->ek, cipherKey, keyLen);
- return TRUE;
-}
-
-int
-rijndael_cipherInit(cipherInstance *cipher, BYTE mode, const char *IV)
-{
- if ((mode == MODE_ECB) || (mode == MODE_CBC) ||
- (mode == MODE_XTS) || (mode == MODE_CFB1)) {
- cipher->mode = mode;
- } else {
- return BAD_CIPHER_MODE;
- }
- if (IV != NULL) {
- memcpy(cipher->IV, IV, RIJNDAEL_MAX_IV_SIZE);
- } else {
- memset(cipher->IV, 0, RIJNDAEL_MAX_IV_SIZE);
- }
- return TRUE;
-}
-
-int
-rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
- const BYTE *input, int inputLen, BYTE *outBuffer)
-{
- int i, k, t, numBlocks;
- u_int8_t block[16], *iv;
-
- if (cipher == NULL ||
- key == NULL ||
- key->direction == DIR_DECRYPT) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputLen <= 0) {
- return 0; /* nothing to do */
- }
-
- numBlocks = inputLen/128;
-
- switch (cipher->mode) {
- case MODE_ECB:
- for (i = numBlocks; i > 0; i--) {
- rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CBC:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- xor16(block, input, iv);
- rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
- iv = outBuffer;
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_XTS:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- xor16(block, input, iv);
- rijndaelEncrypt(key->rk, key->Nr, block, block);
- xor16(outBuffer, block, iv);
- xts_exponentiate(iv);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CFB1:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- memcpy(outBuffer, input, 16);
- for (k = 0; k < 128; k++) {
- rijndaelEncrypt(key->ek, key->Nr, iv, block);
- outBuffer[k >> 3] ^=
- (block[0] & 0x80U) >> (k & 7);
- for (t = 0; t < 15; t++) {
- iv[t] = (iv[t] << 1) | (iv[t + 1] >> 7);
- }
- iv[15] = (iv[15] << 1) |
- ((outBuffer[k >> 3] >> (7 - (k & 7))) & 1);
- }
- outBuffer += 16;
- input += 16;
- }
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 128 * numBlocks;
-}
-
-/**
- * Encrypt data partitioned in octets, using RFC 2040-like padding.
- *
- * @param input data to be encrypted (octet sequence)
- * @param inputOctets input length in octets (not bits)
- * @param outBuffer encrypted output data
- *
- * @return length in octets (not bits) of the encrypted output buffer.
- */
-int
-rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
- const BYTE *input, int inputOctets, BYTE *outBuffer)
-{
- int i, numBlocks, padLen;
- u_int8_t block[16], *iv;
-
- if (cipher == NULL ||
- key == NULL ||
- key->direction == DIR_DECRYPT) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputOctets <= 0) {
- return 0; /* nothing to do */
- }
-
- numBlocks = inputOctets / 16;
-
- switch (cipher->mode) {
- case MODE_ECB:
- for (i = numBlocks; i > 0; i--) {
- rijndaelEncrypt(key->rk, key->Nr, input, outBuffer);
- input += 16;
- outBuffer += 16;
- }
- padLen = 16 - (inputOctets - 16*numBlocks);
- memcpy(block, input, 16 - padLen);
- memset(block + 16 - padLen, padLen, padLen);
- rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
- break;
-
- case MODE_CBC:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- xor16(block, input, iv);
- rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
- iv = outBuffer;
- input += 16;
- outBuffer += 16;
- }
- padLen = 16 - (inputOctets - 16*numBlocks);
- for (i = 0; i < 16 - padLen; i++) {
- block[i] = input[i] ^ iv[i];
- }
- for (i = 16 - padLen; i < 16; i++) {
- block[i] = (BYTE)padLen ^ iv[i];
- }
- rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 16 * (numBlocks + 1);
-}
-
-int
-rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
- const BYTE *input, int inputLen, BYTE *outBuffer)
-{
- int i, k, t, numBlocks;
- u_int8_t block[16], *iv;
-
- if (cipher == NULL ||
- key == NULL ||
- (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputLen <= 0) {
- return 0; /* nothing to do */
- }
-
- numBlocks = inputLen/128;
-
- switch (cipher->mode) {
- case MODE_ECB:
- for (i = numBlocks; i > 0; i--) {
- rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CBC:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- rijndaelDecrypt(key->rk, key->Nr, input, block);
- xor16(block, block, iv);
- memcpy(cipher->IV, input, 16);
- memcpy(outBuffer, block, 16);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_XTS:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- xor16(block, input, iv);
- rijndaelDecrypt(key->rk, key->Nr, block, block);
- xor16(outBuffer, block, iv);
- xts_exponentiate(iv);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CFB1:
- iv = (u_int8_t *)cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- memcpy(outBuffer, input, 16);
- for (k = 0; k < 128; k++) {
- rijndaelEncrypt(key->ek, key->Nr, iv, block);
- for (t = 0; t < 15; t++) {
- iv[t] = (iv[t] << 1) | (iv[t + 1] >> 7);
- }
- iv[15] = (iv[15] << 1) |
- ((input[k >> 3] >> (7 - (k & 7))) & 1);
- outBuffer[k >> 3] ^= (block[0] & 0x80U) >>
- (k & 7);
- }
- outBuffer += 16;
- input += 16;
- }
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 128 * numBlocks;
-}
-
-int
-rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
- const BYTE *input, int inputOctets, BYTE *outBuffer)
-{
- int i, numBlocks, padLen;
- u_int8_t block[16], *iv;
-
- if (cipher == NULL ||
- key == NULL ||
- key->direction == DIR_ENCRYPT) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputOctets <= 0) {
- return 0; /* nothing to do */
- }
- if (inputOctets % 16 != 0) {
- return BAD_DATA;
- }
-
- numBlocks = inputOctets/16;
-
- switch (cipher->mode) {
- case MODE_ECB:
- /* all blocks but last */
- for (i = numBlocks - 1; i > 0; i--) {
- rijndaelDecrypt(key->rk, key->Nr, input, outBuffer);
- input += 16;
- outBuffer += 16;
- }
- /* last block */
- rijndaelDecrypt(key->rk, key->Nr, input, block);
- padLen = block[15];
- if (padLen >= 16) {
- return BAD_DATA;
- }
- for (i = 16 - padLen; i < 16; i++) {
- if (block[i] != padLen) {
- return BAD_DATA;
- }
- }
- memcpy(outBuffer, block, 16 - padLen);
- break;
-
- case MODE_CBC:
- iv = (u_int8_t *)cipher->IV;
- /* all blocks but last */
- for (i = numBlocks - 1; i > 0; i--) {
- rijndaelDecrypt(key->rk, key->Nr, input, block);
- xor16(block, block, iv);
- memcpy(cipher->IV, input, 16);
- memcpy(outBuffer, block, 16);
- input += 16;
- outBuffer += 16;
- }
- /* last block */
- rijndaelDecrypt(key->rk, key->Nr, input, block);
- xor16(block, block, iv);
- padLen = block[15];
- if (padLen <= 0 || padLen > 16) {
- return BAD_DATA;
- }
- for (i = 16 - padLen; i < 16; i++) {
- if (block[i] != padLen) {
- return BAD_DATA;
- }
- }
- memcpy(outBuffer, block, 16 - padLen);
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 16 * numBlocks - padLen;
-}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/rijndael/rijndael.c
--- a/sys/crypto/rijndael/rijndael.c Sun Jun 14 15:58:39 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,57 +0,0 @@
-/* $NetBSD: rijndael.c,v 1.8 2005/12/11 12:20:52 christos Exp $ */
-
-/**
- * rijndael-alg-fst.c
- *
- * @version 3.0 (December 2000)
- *
- * Optimised ANSI C code for the Rijndael cipher (now AES)
- *
- * @author Vincent Rijmen <vincent.rijmen%esat.kuleuven.ac.be@localhost>
- * @author Antoon Bosselaers <antoon.bosselaers%esat.kuleuven.ac.be@localhost>
- * @author Paulo Barreto <paulo.barreto%terra.com.br@localhost>
- *
- * This code is hereby placed in the public domain.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
- * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
- * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
- * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rijndael.c,v 1.8 2005/12/11 12:20:52 christos Exp $");
-
-#include <sys/types.h>
-#include <sys/systm.h>
-
-#include <crypto/rijndael/rijndael.h>
-
-void
-rijndael_set_key(rijndael_ctx *ctx, const u_char *key, int bits)
-{
-
- ctx->Nr = rijndaelKeySetupEnc(ctx->ek, key, bits);
- rijndaelKeySetupDec(ctx->dk, key, bits);
-}
-
-void
-rijndael_decrypt(const rijndael_ctx *ctx, const u_char *src, u_char *dst)
-{
-
- rijndaelDecrypt(ctx->dk, ctx->Nr, src, dst);
-}
-
-void
-rijndael_encrypt(const rijndael_ctx *ctx, const u_char *src, u_char *dst)
-{
-
- rijndaelEncrypt(ctx->ek, ctx->Nr, src, dst);
-}
diff -r 81a487955535 -r 9d6b84c40f65 sys/crypto/rijndael/rijndael_local.h
--- a/sys/crypto/rijndael/rijndael_local.h Sun Jun 14 15:58:39 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,7 +0,0 @@
-/* $NetBSD: rijndael_local.h,v 1.6 2005/12/11 12:20:52 christos Exp $ */
-/* $KAME: rijndael_local.h,v 1.4 2003/07/15 10:47:16 itojun Exp $ */
-
-/* the file should not be used from outside */
-typedef u_int8_t u8;
-typedef u_int16_t u16;
-typedef u_int32_t u32;
diff -r 81a487955535 -r 9d6b84c40f65 sys/rump/kern/lib/libcrypto/Makefile
--- a/sys/rump/kern/lib/libcrypto/Makefile Sun Jun 14 15:58:39 2020 +0000
+++ b/sys/rump/kern/lib/libcrypto/Makefile Fri Jun 12 05:16:46 2020 +0000
@@ -1,11 +1,11 @@
# $NetBSD: Makefile,v 1.6 2019/12/05 03:57:55 riastradh Exp $
#
-.PATH: ${.CURDIR}/../../../../crypto/blowfish \
+.PATH: ${.CURDIR}/../../../../crypto/aes \
+ ${.CURDIR}/../../../../crypto/blowfish \
${.CURDIR}/../../../../crypto/camellia \
${.CURDIR}/../../../../crypto/cast128 \
${.CURDIR}/../../../../crypto/des \
- ${.CURDIR}/../../../../crypto/rijndael \
${.CURDIR}/../../../../crypto/skipjack
LIB= rumpkern_crypto
@@ -23,8 +23,14 @@ SRCS+= cast128.c
# DES
SRCS+= des_ecb.c des_setkey.c des_enc.c des_cbc.c des_module.c
-# rijndael
-SRCS+= rijndael-alg-fst.c rijndael-api-fst.c rijndael.c
+# AES
+SRCS+= aes_bear.c
+SRCS+= aes_ct.c
+SRCS+= aes_ct_dec.c
+SRCS+= aes_ct_enc.c
+SRCS+= aes_impl.c
+SRCS+= aes_rijndael.c
+SRCS+= aes_selftest.c
# skipjack
SRCS+= skipjack.c
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592435129 0
# Wed Jun 17 23:05:29 2020 +0000
# Branch trunk
# Node ID fea7aeacc09cf9da68d32a15edf9550ce78a4d45
# Parent 9d6b84c40f6517bb55848159faa9478ef1a23d02
# EXP-Topic riastradh-kernelcrypto
Add x86 AES-NI support.
Limited to amd64 for now. In principle, AES-NI should work in 32-bit
mode, and there may even be some 32-bit-only CPUs that support
AES-NI, but that requires work to adapt the assembly.
diff -r 9d6b84c40f65 -r fea7aeacc09c sys/arch/x86/conf/files.x86
--- a/sys/arch/x86/conf/files.x86 Fri Jun 12 05:16:46 2020 +0000
+++ b/sys/arch/x86/conf/files.x86 Wed Jun 17 23:05:29 2020 +0000
@@ -165,3 +165,6 @@ file arch/x86/pci/pciide_machdep.c pciid
file arch/x86/pci/pci_bus_fixup.c pci_bus_fixup
file arch/x86/pci/pci_addr_fixup.c pci_addr_fixup
+
+# AES-NI
+include "crypto/aes/arch/x86/files.aesni"
diff -r 9d6b84c40f65 -r fea7aeacc09c sys/arch/x86/x86/identcpu.c
--- a/sys/arch/x86/x86/identcpu.c Fri Jun 12 05:16:46 2020 +0000
+++ b/sys/arch/x86/x86/identcpu.c Wed Jun 17 23:05:29 2020 +0000
@@ -39,6 +39,8 @@
#include <sys/device.h>
#include <sys/cpu.h>
+#include <crypto/aes/arch/x86/aes_ni.h>
+
#include <uvm/uvm_extern.h>
#include <machine/specialreg.h>
@@ -995,6 +997,10 @@ cpu_probe(struct cpu_info *ci)
/* Early patch of text segment. */
x86_patch(true);
#endif
+#ifdef __x86_64__ /* not yet implemented on i386 */
+ if (cpu_feature[1] & CPUID2_AES)
+ aes_md_init(&aes_ni_impl);
+#endif
} else {
/*
* If not first. Warn about cpu_feature mismatch for
diff -r 9d6b84c40f65 -r fea7aeacc09c sys/crypto/aes/arch/x86/aes_ni.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/aes_ni.c Wed Jun 17 23:05:29 2020 +0000
@@ -0,0 +1,252 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/systm.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/aes/arch/x86/aes_ni.h>
+
+#include <x86/cpuvar.h>
+#include <x86/fpu.h>
+#include <x86/specialreg.h>
+
+static void
+aesni_setenckey(struct aesenc *enc, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+
+ switch (nrounds) {
+ case 10:
+ aesni_setenckey128(enc, key);
+ break;
+ case 12:
+ aesni_setenckey192(enc, key);
+ break;
+ case 14:
+ aesni_setenckey256(enc, key);
+ break;
+ default:
+ panic("invalid AES rounds: %u", nrounds);
+ }
+}
+
+static void
+aesni_setenckey_impl(struct aesenc *enc, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+
+ fpu_kern_enter();
+ aesni_setenckey(enc, key, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesni_setdeckey_impl(struct aesdec *dec, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+ struct aesenc enc;
+
+ fpu_kern_enter();
+ aesni_setenckey(&enc, key, nrounds);
+ aesni_enctodec(&enc, dec, nrounds);
+ fpu_kern_leave();
+
+ explicit_memset(&enc, 0, sizeof enc);
+}
+
+static void
+aesni_enc_impl(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+
+ fpu_kern_enter();
+ aesni_enc(enc, in, out, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesni_dec_impl(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+
+ fpu_kern_enter();
+ aesni_dec(dec, in, out, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesni_cbc_enc_impl(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+ aesni_cbc_enc(enc, in, out, nbytes, iv, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesni_cbc_dec_impl(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+
+ if (nbytes % 128) {
+ aesni_cbc_dec1(dec, in, out, nbytes % 128, iv, nrounds);
+ in += nbytes % 128;
+ out += nbytes % 128;
+ nbytes -= nbytes % 128;
+ }
+
+ KASSERT(nbytes % 128 == 0);
+ if (nbytes)
+ aesni_cbc_dec8(dec, in, out, nbytes, iv, nrounds);
+
+ fpu_kern_leave();
+}
+
+static void
+aesni_xts_enc_impl(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+
+ if (nbytes % 128) {
+ aesni_xts_enc1(enc, in, out, nbytes % 128, iv, nrounds);
+ in += nbytes % 128;
+ out += nbytes % 128;
+ nbytes -= nbytes % 128;
+ }
+
+ KASSERT(nbytes % 128 == 0);
+ if (nbytes)
+ aesni_xts_enc8(enc, in, out, nbytes, iv, nrounds);
+
+ fpu_kern_leave();
+}
+
+static void
+aesni_xts_dec_impl(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+
+ if (nbytes % 128) {
+ aesni_xts_dec1(dec, in, out, nbytes % 128, iv, nrounds);
+ in += nbytes % 128;
+ out += nbytes % 128;
+ nbytes -= nbytes % 128;
+ }
+
+ KASSERT(nbytes % 128 == 0);
+ if (nbytes)
+ aesni_xts_dec8(dec, in, out, nbytes, iv, nrounds);
+
+ fpu_kern_leave();
+}
+
+static int
+aesni_xts_update_selftest(void)
+{
+ static const struct {
+ uint8_t in[16], out[16];
+ } cases[] = {
+ {{1}, {2}},
+ {{0,0,0,0x80}, {0,0,0,0,1}},
+ {{0,0,0,0,0,0,0,0x80}, {0,0,0,0,0,0,0,0,1}},
+ {{0,0,0,0x80,0,0,0,0x80}, {0,0,0,0,1,0,0,0,1}},
+ {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x80}, {0x87}},
+ {{0,0,0,0,0,0,0,0x80,0,0,0,0,0,0,0,0x80},
+ {0x87,0,0,0,0,0,0,0,1}},
+ {{0,0,0,0x80,0,0,0,0,0,0,0,0,0,0,0,0x80}, {0x87,0,0,0,1}},
+ {{0,0,0,0x80,0,0,0,0x80,0,0,0,0,0,0,0,0x80},
+ {0x87,0,0,0,1,0,0,0,1}},
+ };
+ unsigned i;
+ uint8_t tweak[16];
+
+ for (i = 0; i < sizeof(cases)/sizeof(cases[0]); i++) {
+ aesni_xts_update(cases[i].in, tweak);
+ if (memcmp(tweak, cases[i].out, 16))
+ return -1;
+ }
+
+ /* Success! */
+ return 0;
+}
+
+static int
+aesni_probe(void)
+{
+ int result = 0;
+
+ /* Verify that the CPU supports AES-NI. */
+ if ((cpu_feature[1] & CPUID2_AES) == 0)
+ return -1;
+
+ fpu_kern_enter();
+
+ /* Verify that our XTS tweak update logic works. */
+ if (aesni_xts_update_selftest())
+ result = -1;
+
+ fpu_kern_leave();
+
+ return result;
+}
+
+struct aes_impl aes_ni_impl = {
+ .ai_name = "Intel AES-NI",
+ .ai_probe = aesni_probe,
+ .ai_setenckey = aesni_setenckey_impl,
+ .ai_setdeckey = aesni_setdeckey_impl,
+ .ai_enc = aesni_enc_impl,
+ .ai_dec = aesni_dec_impl,
+ .ai_cbc_enc = aesni_cbc_enc_impl,
+ .ai_cbc_dec = aesni_cbc_dec_impl,
+ .ai_xts_enc = aesni_xts_enc_impl,
+ .ai_xts_dec = aesni_xts_dec_impl,
+};
diff -r 9d6b84c40f65 -r fea7aeacc09c sys/crypto/aes/arch/x86/aes_ni.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/aes_ni.h Wed Jun 17 23:05:29 2020 +0000
@@ -0,0 +1,68 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _CRYPTO_AES_ARCH_X86_AES_NI_H
+#define _CRYPTO_AES_ARCH_X86_AES_NI_H
+
+#include <sys/types.h>
+
+#include <crypto/aes/aes.h>
+
+/* Assembly routines */
+
+void aesni_setenckey128(struct aesenc *, const uint8_t[static 16]);
+void aesni_setenckey192(struct aesenc *, const uint8_t[static 24]);
+void aesni_setenckey256(struct aesenc *, const uint8_t[static 32]);
+
+void aesni_enctodec(const struct aesenc *, struct aesdec *, uint32_t);
+
+void aesni_enc(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+void aesni_dec(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+
+void aesni_cbc_enc(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aesni_cbc_dec1(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, const uint8_t[static 16], uint32_t);
+void aesni_cbc_dec8(const struct aesdec *, const uint8_t[static 128],
+ uint8_t[static 128], size_t, const uint8_t[static 16], uint32_t);
+
+void aesni_xts_enc1(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aesni_xts_enc8(const struct aesenc *, const uint8_t[static 128],
+ uint8_t[static 128], size_t, uint8_t[static 16], uint32_t);
+void aesni_xts_dec1(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aesni_xts_dec8(const struct aesdec *, const uint8_t[static 128],
+ uint8_t[static 128], size_t, uint8_t[static 16], uint32_t);
+void aesni_xts_update(const uint8_t[static 16], uint8_t[static 16]);
+
+extern struct aes_impl aes_ni_impl;
+
+#endif /* _CRYPTO_AES_ARCH_X86_AES_NI_H */
diff -r 9d6b84c40f65 -r fea7aeacc09c sys/crypto/aes/arch/x86/aesnifunc.S
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/aesnifunc.S Wed Jun 17 23:05:29 2020 +0000
@@ -0,0 +1,1097 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <machine/asm.h>
+
+/*
+ * MOVDQA/MOVDQU are Move Double Quadword (Aligned/Unaligned), defined
+ * to operate on integers; MOVAPS/MOVUPS are Move (Aligned/Unaligned)
+ * Packed Single, defined to operate on binary32 floats. They have
+ * exactly the same architectural effects (move a 128-bit quantity from
+ * memory into an xmm register).
+ *
+ * In principle, they might have different microarchitectural effects
+ * so that MOVAPS/MOVUPS might incur a penalty when the register is
+ * later used for integer paths, but in practice they don't. So we use
+ * the one whose instruction encoding is shorter -- MOVAPS/MOVUPS.
+ */
+#define movdqa movaps
+#define movdqu movups
+
+/*
+ * aesni_setenckey128(struct aesenc *enckey@rdi, const uint8_t key[16] @rsi)
+ *
+ * Expand a 16-byte AES-128 key into 10 round keys.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_setenckey128)
+ movdqu (%rsi),%xmm0 /* load master key into %xmm0 */
+ movdqa %xmm0,(%rdi) /* store master key as the first round key */
+ lea 0x10(%rdi),%rdi /* advance %rdi to next round key */
+ aeskeygenassist $0x1,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x2,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x4,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x8,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x10,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x20,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x40,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x80,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x1b,%xmm0,%xmm2
+ call aesni_expand128
+ aeskeygenassist $0x36,%xmm0,%xmm2
+ call aesni_expand128
+ ret
+END(aesni_setenckey128)
+
+/*
+ * aesni_setenckey192(struct aesenc *enckey@rdi, const uint8_t key[24] @rsi)
+ *
+ * Expand a 24-byte AES-192 key into 12 round keys.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_setenckey192)
+ movdqu (%rsi),%xmm0 /* load master key [0:128) into %xmm0 */
+ movq 0x10(%rsi),%xmm1 /* load master key [128:192) into %xmm1 */
+ movdqa %xmm0,(%rdi) /* store master key [0:128) as round key */
+ lea 0x10(%rdi),%rdi /* advance %rdi to next round key */
+ aeskeygenassist $0x1,%xmm1,%xmm2
+ call aesni_expand192a
+ aeskeygenassist $0x2,%xmm0,%xmm2
+ call aesni_expand192b
+ aeskeygenassist $0x4,%xmm1,%xmm2
+ call aesni_expand192a
+ aeskeygenassist $0x8,%xmm0,%xmm2
+ call aesni_expand192b
+ aeskeygenassist $0x10,%xmm1,%xmm2
+ call aesni_expand192a
+ aeskeygenassist $0x20,%xmm0,%xmm2
+ call aesni_expand192b
+ aeskeygenassist $0x40,%xmm1,%xmm2
+ call aesni_expand192a
+ aeskeygenassist $0x80,%xmm0,%xmm2
+ call aesni_expand192b
+ ret
+END(aesni_setenckey192)
+
+/*
+ * aesni_setenckey256(struct aesenc *enckey@rdi, const uint8_t key[32] @rsi)
+ *
+ * Expand a 32-byte AES-256 key into 14 round keys.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_setenckey256)
+ movdqu (%rsi),%xmm0 /* load master key [0:128) into %xmm0 */
+ movdqu 0x10(%rsi),%xmm1 /* load master key [128:256) into %xmm1 */
+ movdqa %xmm0,(%rdi) /* store master key [0:128) as round key */
+ movdqa %xmm1,0x10(%rdi) /* store master key [128:256) as round key */
+ lea 0x20(%rdi),%rdi /* advance %rdi to next round key */
+ aeskeygenassist $0x1,%xmm1,%xmm2
+ call aesni_expand256a
+ aeskeygenassist $0x1,%xmm0,%xmm2
+ call aesni_expand256b
+ aeskeygenassist $0x2,%xmm1,%xmm2
+ call aesni_expand256a
+ aeskeygenassist $0x2,%xmm0,%xmm2
+ call aesni_expand256b
+ aeskeygenassist $0x4,%xmm1,%xmm2
+ call aesni_expand256a
+ aeskeygenassist $0x4,%xmm0,%xmm2
+ call aesni_expand256b
+ aeskeygenassist $0x8,%xmm1,%xmm2
+ call aesni_expand256a
+ aeskeygenassist $0x8,%xmm0,%xmm2
+ call aesni_expand256b
+ aeskeygenassist $0x10,%xmm1,%xmm2
+ call aesni_expand256a
+ aeskeygenassist $0x10,%xmm0,%xmm2
+ call aesni_expand256b
+ aeskeygenassist $0x20,%xmm1,%xmm2
+ call aesni_expand256a
+ aeskeygenassist $0x20,%xmm0,%xmm2
+ call aesni_expand256b
+ aeskeygenassist $0x40,%xmm1,%xmm2
+ call aesni_expand256a
+ ret
+END(aesni_setenckey256)
+
+/*
+ * aesni_expand128(uint128_t *rkp@rdi, uint128_t prk@xmm0,
+ * uint128_t keygenassist@xmm2)
+ *
+ * 1. Compute the AES-128 round key using the previous round key.
+ * 2. Store it at *rkp.
+ * 3. Set %xmm0 to it.
+ * 4. Advance %rdi to point at the next round key.
+ *
+ * Internal ABI. On entry:
+ *
+ * %rdi = rkp, pointer to round key to compute
+ * %xmm0 = (prk[0], prk[1], prk[2], prk[3])
+ * %xmm2 = (xxx, xxx, xxx, t = Rot(SubWord(prk[3])) ^ RCON)
+ *
+ * On exit:
+ *
+ * %rdi = &rkp[1], rkp advanced by one round key
+ * %xmm0 = rk, the round key we just computed
+ * %xmm2 = garbage
+ * %xmm4 = garbage
+ * %xmm5 = garbage
+ * %xmm6 = garbage
+ *
+ * Note: %xmm1 is preserved (as are %xmm3 and %xmm7 through %xmm15,
+ * and all other registers).
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_expand128,@function
+aesni_expand128:
+ /*
+ * %xmm2 := (%xmm2[3], %xmm2[3], %xmm2[3], %xmm2[3]),
+ * i.e., set each word of %xmm2 to t := Rot(SubWord(prk[3])) ^ RCON.
+ */
+ pshufd $0b11111111,%xmm2,%xmm2
+
+ /*
+ * %xmm4 := (0, prk[0], prk[1], prk[2])
+ * %xmm5 := (0, 0, prk[0], prk[1])
+ * %xmm6 := (0, 0, 0, prk[0])
+ */
+ movdqa %xmm0,%xmm4
+ movdqa %xmm0,%xmm5
+ movdqa %xmm0,%xmm6
+ pslldq $4,%xmm4
+ pslldq $8,%xmm5
+ pslldq $12,%xmm6
+
+ /*
+ * %xmm0 := (rk[0] = t ^ prk[0],
+ * rk[1] = t ^ prk[0] ^ prk[1],
+ * rk[2] = t ^ prk[0] ^ prk[1] ^ prk[2],
+ * rk[3] = t ^ prk[0] ^ prk[1] ^ prk[2] ^ prk[3])
+ */
+ pxor %xmm2,%xmm0
+ pxor %xmm4,%xmm0
+ pxor %xmm5,%xmm0
+ pxor %xmm6,%xmm0
+
+ movdqa %xmm0,(%rdi) /* store round key */
+ lea 0x10(%rdi),%rdi /* advance to next round key address */
+ ret
+END(aesni_expand128)
+
+/*
+ * aesni_expand192a(uint128_t *rkp@rdi, uint128_t prk@xmm0,
+ * uint64_t rklo@xmm1, uint128_t keygenassist@xmm2)
+ *
+ * Set even-numbered AES-192 round key.
+ *
+ * Internal ABI. On entry:
+ *
+ * %rdi = rkp, pointer to two round keys to compute
+ * %xmm0 = (prk[0], prk[1], prk[2], prk[3])
+ * %xmm1 = (rklo[0], rklo[1], xxx, xxx)
+ * %xmm2 = (xxx, t = Rot(SubWord(rklo[1])) ^ RCON, xxx, xxx)
+ *
+ * On exit:
+ *
+ * %rdi = &rkp[2], rkp advanced by two round keys
+ * %xmm0 = nrk, second round key we just computed
+ * %xmm1 = rk, first round key we just computed
+ * %xmm2 = garbage
+ * %xmm4 = garbage
+ * %xmm5 = garbage
+ * %xmm6 = garbage
+ * %xmm7 = garbage
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_expand192a,@function
+aesni_expand192a:
+ /*
+ * %xmm2 := (%xmm2[1], %xmm2[1], %xmm2[1], %xmm2[1]),
+ * i.e., set each word of %xmm2 to t := Rot(SubWord(rklo[1])) ^ RCON.
+ */
+ pshufd $0b01010101,%xmm2,%xmm2
+
+ /*
+ * We need to compute:
+ *
+ * rk[0] := rklo[0]
+ * rk[1] := rklo[1]
+ * rk[2] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0]
+ * rk[3] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ prk[1]
+ * nrk[0] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ prk[1] ^ prk[2]
+ * nrk[1] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ ... ^ prk[3]
+ * nrk[2] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ ... ^ prk[3] ^ rklo[0]
+ * nrk[3] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ ... ^ prk[3] ^ rklo[0]
+ * ^ rklo[1]
+ */
+
+ /*
+ * %xmm4 := (prk[0], prk[1], prk[2], prk[3])
+ * %xmm5 := (0, prk[0], prk[1], prk[2])
+ * %xmm6 := (0, 0, prk[0], prk[1])
+ * %xmm7 := (0, 0, 0, prk[0])
+ */
+ movdqa %xmm0,%xmm4
+ movdqa %xmm0,%xmm5
+ movdqa %xmm0,%xmm6
+ movdqa %xmm0,%xmm7
+ pslldq $4,%xmm5
+ pslldq $8,%xmm6
+ pslldq $12,%xmm7
+
+ /* %xmm4 := (rk[2], rk[3], nrk[0], nrk[1]) */
+ pxor %xmm2,%xmm4
+ pxor %xmm5,%xmm4
+ pxor %xmm6,%xmm4
+ pxor %xmm7,%xmm4
+
+ /*
+ * At this point, rk is split across %xmm1 (rk[0],rk[1],...) and
+ * %xmm4 (rk[2],rk[3],...); nrk is in %xmm4 (...,nrk[0],nrk[1]);
+ * and we have yet to compute nrk[2] or nrk[3], which requires
+ * rklo[0] and rklo[1] in %xmm1 (rklo[0], rklo[1], ...). We need
+ * nrk to end up in %xmm0 at the end, so gather rk into %xmm1 and
+ * nrk into %xmm0.
+ */
+
+ /* %xmm0 := (nrk[0], nrk[1], nrk[1], nrk[1]) */
+ pshufd $0b11111110,%xmm4,%xmm0
+
+ /*
+ * %xmm6 := (0, 0, rklo[0], rklo[1])
+ * %xmm7 := (0, 0, 0, rklo[0])
+ */
+ movdqa %xmm1,%xmm6
+ movdqa %xmm1,%xmm7
+
+ pslldq $8,%xmm6
+ pslldq $12,%xmm7
+
+ /*
+ * %xmm0 := (nrk[0],
+ * nrk[1],
+ * nrk[2] = nrk[1] ^ rklo[0],
+ * nrk[3] = nrk[1] ^ rklo[0] ^ rklo[1])
+ */
+ pxor %xmm6,%xmm0
+ pxor %xmm7,%xmm0
+
+ /* %xmm1 := (rk[0], rk[1], rk[2], rk[3]) */
+ shufps $0b01000100,%xmm4,%xmm1
+
+ movdqa %xmm1,(%rdi) /* store round key */
+ movdqa %xmm0,0x10(%rdi) /* store next round key */
+ lea 0x20(%rdi),%rdi /* advance two round keys */
+ ret
+END(aesni_expand192a)
+
+/*
+ * aesni_expand192b(uint128_t *roundkey@rdi, uint128_t prk@xmm0,
+ * uint128_t keygenassist@xmm2)
+ *
+ * Set odd-numbered AES-192 round key.
+ *
+ * Internal ABI. On entry:
+ *
+ * %rdi = rkp, pointer to round key to compute
+ * %xmm0 = (prk[0], prk[1], prk[2], prk[3])
+ * %xmm1 = (xxx, xxx, pprk[2], pprk[3])
+ * %xmm2 = (xxx, xxx, xxx, t = Rot(Sub(prk[3])) ^ RCON)
+ *
+ * On exit:
+ *
+ * %rdi = &rkp[1], rkp advanced by one round key
+ * %xmm0 = rk, the round key we just computed
+ * %xmm1 = (nrk[0], nrk[1], xxx, xxx), half of next round key
+ * %xmm2 = garbage
+ * %xmm4 = garbage
+ * %xmm5 = garbage
+ * %xmm6 = garbage
+ * %xmm7 = garbage
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_expand192b,@function
+aesni_expand192b:
+ /*
+ * %xmm2 := (%xmm2[3], %xmm2[3], %xmm2[3], %xmm2[3]),
+ * i.e., set each word of %xmm2 to t := Rot(Sub(prk[3])) ^ RCON.
+ */
+ pshufd $0b11111111,%xmm2,%xmm2
+
+ /*
+ * We need to compute:
+ *
+ * rk[0] := Rot(Sub(prk[3])) ^ RCON ^ pprk[2]
+ * rk[1] := Rot(Sub(prk[3])) ^ RCON ^ pprk[2] ^ pprk[3]
+ * rk[2] := Rot(Sub(prk[3])) ^ RCON ^ pprk[2] ^ pprk[3] ^ prk[0]
+ * rk[3] := Rot(Sub(prk[3])) ^ RCON ^ pprk[2] ^ pprk[3] ^ prk[0]
+ * ^ prk[1]
+ * nrk[0] := Rot(Sub(prk[3])) ^ RCON ^ pprk[2] ^ pprk[3] ^ prk[0]
+ * ^ prk[1] ^ prk[2]
+ * nrk[1] := Rot(Sub(prk[3])) ^ RCON ^ pprk[2] ^ pprk[3] ^ prk[0]
+ * ^ prk[1] ^ prk[2] ^ prk[3]
+ */
+
+ /* %xmm1 := (pprk[2], pprk[3], prk[0], prk[1]) */
+ shufps $0b01001110,%xmm0,%xmm1
+
+ /*
+ * %xmm5 := (0, pprk[2], pprk[3], prk[0])
+ * %xmm6 := (0, 0, pprk[2], pprk[3])
+ * %xmm7 := (0, 0, 0, pprk[2])
+ */
+ movdqa %xmm1,%xmm5
+ movdqa %xmm1,%xmm6
+ movdqa %xmm1,%xmm7
+ pslldq $4,%xmm5
+ pslldq $8,%xmm6
+ pslldq $12,%xmm7
+
+ /* %xmm1 := (rk[0], rk[1], rk[2], rk[3) */
+ pxor %xmm2,%xmm1
+ pxor %xmm5,%xmm1
+ pxor %xmm6,%xmm1
+ pxor %xmm7,%xmm1
+
+ /* %xmm4 := (prk[2], prk[3], xxx, xxx) */
+ pshufd $0b00001110,%xmm0,%xmm4
+
+ /* %xmm5 := (0, prk[2], xxx, xxx) */
+ movdqa %xmm4,%xmm5
+ pslldq $4,%xmm5
+
+ /* %xmm0 := (rk[0], rk[1], rk[2], rk[3]) */
+ movdqa %xmm1,%xmm0
+
+ /* %xmm1 := (rk[3], rk[3], xxx, xxx) */
+ shufps $0b00001111,%xmm1,%xmm1
+
+ /*
+ * %xmm1 := (nrk[0] = rk[3] ^ prk[2],
+ * nrk[1] = rk[3] ^ prk[2] ^ prk[3],
+ * xxx,
+ * xxx)
+ */
+ pxor %xmm4,%xmm1
+ pxor %xmm5,%xmm1
+
+ movdqa %xmm0,(%rdi) /* store round key */
+ lea 0x10(%rdi),%rdi /* advance to next round key address */
+ ret
+END(aesni_expand192b)
+
+/*
+ * aesni_expand256a(uint128_t *rkp@rdi, uint128_t pprk@xmm0,
+ * uint128_t prk@xmm1, uint128_t keygenassist@xmm2)
+ *
+ * Set even-numbered AES-256 round key.
+ *
+ * Internal ABI. On entry:
+ *
+ * %rdi = rkp, pointer to round key to compute
+ * %xmm0 = (pprk[0], pprk[1], pprk[2], pprk[3])
+ * %xmm1 = (prk[0], prk[1], prk[2], prk[3])
+ * %xmm2 = (xxx, xxx, xxx, t = Rot(SubWord(prk[3])))
+ *
+ * On exit:
+ *
+ * %rdi = &rkp[1], rkp advanced by one round key
+ * %xmm0 = rk, the round key we just computed
+ * %xmm1 = prk, previous round key, preserved from entry
+ * %xmm2 = garbage
+ * %xmm4 = garbage
+ * %xmm5 = garbage
+ * %xmm6 = garbage
+ *
+ * The computation turns out to be the same as for AES-128; the
+ * previous round key does not figure into it, only the
+ * previous-previous round key.
+ */
+ aesni_expand256a = aesni_expand128
+
+/*
+ * aesni_expand256b(uint128_t *rkp@rdi, uint128_t prk@xmm0,
+ * uint128_t pprk@xmm1, uint128_t keygenassist@xmm2)
+ *
+ * Set odd-numbered AES-256 round key.
+ *
+ * Internal ABI. On entry:
+ *
+ * %rdi = rkp, pointer to round key to compute
+ * %xmm0 = (prk[0], prk[1], prk[2], prk[3])
+ * %xmm1 = (pprk[0], pprk[1], pprk[2], pprk[3])
+ * %xmm2 = (xxx, xxx, t = Sub(prk[3]), xxx)
+ *
+ * On exit:
+ *
+ * %rdi = &rkp[1], rkp advanced by one round key
+ * %xmm0 = prk, previous round key, preserved from entry
+ * %xmm1 = rk, the round key we just computed
+ * %xmm2 = garbage
+ * %xmm4 = garbage
+ * %xmm5 = garbage
+ * %xmm6 = garbage
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_expand256b,@function
+aesni_expand256b:
+ /*
+ * %xmm2 := (%xmm2[3], %xmm2[3], %xmm2[3], %xmm2[3]),
+ * i.e., set each word of %xmm2 to t := Sub(prk[3]).
+ */
+ pshufd $0b10101010,%xmm2,%xmm2
+
+ /*
+ * %xmm4 := (0, pprk[0], pprk[1], pprk[2])
+ * %xmm5 := (0, 0, pprk[0], pprk[1])
+ * %xmm6 := (0, 0, 0, pprk[0])
+ */
+ movdqa %xmm1,%xmm4
+ movdqa %xmm1,%xmm5
+ movdqa %xmm1,%xmm6
+ pslldq $4,%xmm4
+ pslldq $8,%xmm5
+ pslldq $12,%xmm6
+
+ /*
+ * %xmm0 := (rk[0] = t ^ pprk[0],
+ * rk[1] = t ^ pprk[0] ^ pprk[1],
+ * rk[2] = t ^ pprk[0] ^ pprk[1] ^ pprk[2],
+ * rk[3] = t ^ pprk[0] ^ pprk[1] ^ pprk[2] ^ pprk[3])
+ */
+ pxor %xmm2,%xmm1
+ pxor %xmm4,%xmm1
+ pxor %xmm5,%xmm1
+ pxor %xmm6,%xmm1
+
+ movdqa %xmm1,(%rdi) /* store round key */
+ lea 0x10(%rdi),%rdi /* advance to next round key address */
+ ret
+END(aesni_expand256b)
+
+/*
+ * aesni_enctodec(const struct aesenc *enckey@rdi, struct aesdec *deckey@rsi,
+ * uint32_t nrounds@rdx)
+ *
+ * Convert AES encryption round keys to AES decryption round keys.
+ * `rounds' must be between 10 and 14.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_enctodec)
+ shl $4,%edx /* rdx := byte offset of last round key */
+ movdqa (%rdi,%rdx),%xmm0 /* load last round key */
+ movdqa %xmm0,(%rsi) /* store last round key verbatim */
+1: sub $0x10,%rdx /* advance to next round key */
+ lea 0x10(%rsi),%rsi
+ jz 2f /* stop if this is the last one */
+ movdqa (%rdi,%rdx),%xmm0 /* load round key */
+ aesimc %xmm0,%xmm0 /* convert encryption to decryption */
+ movdqa %xmm0,(%rsi) /* store round key */
+ jmp 1b
+2: movdqa (%rdi),%xmm0 /* load first round key */
+ movdqa %xmm0,(%rsi) /* store first round key verbatim */
+ ret
+END(aesni_enctodec)
+
+/*
+ * aesni_enc(const struct aesenc *enckey@rdi, const uint8_t in[16] @rsi,
+ * uint8_t out[16] @rdx, uint32_t nrounds@ecx)
+ *
+ * Encrypt a single block.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_enc)
+ movdqu (%rsi),%xmm0
+ call aesni_enc1
+ movdqu %xmm0,(%rdx)
+ ret
+END(aesni_enc)
+
+/*
+ * aesni_dec(const struct aesdec *deckey@rdi, const uint8_t in[16] @rsi,
+ * uint8_t out[16] @rdx, uint32_t nrounds@ecx)
+ *
+ * Decrypt a single block.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_dec)
+ movdqu (%rsi),%xmm0
+ call aesni_dec1
+ movdqu %xmm0,(%rdx)
+ ret
+END(aesni_dec)
+
+/*
+ * aesni_cbc_enc(const struct aesenc *enckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, uint8_t iv[16] @r8,
+ * uint32_t nrounds@r9d)
+ *
+ * Encrypt a contiguous sequence of blocks with AES-CBC.
+ *
+ * nbytes must be an integral multiple of 16.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_cbc_enc)
+ cmp $0,%rcx
+ jz 2f
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu (%r8),%xmm0 /* xmm0 := chaining value */
+1: movdqu (%rsi),%xmm1 /* xmm1 := plaintext block */
+ lea 0x10(%rsi),%rsi
+ pxor %xmm1,%xmm0 /* xmm0 := cv ^ ptxt */
+ mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_enc1 /* xmm0 := ciphertext block */
+ movdqu %xmm0,(%rdx)
+ lea 0x10(%rdx),%rdx
+ sub $0x10,%r10
+ jnz 1b /* repeat if r10 is nonzero */
+ movdqu %xmm0,(%r8) /* store chaining value */
+2: ret
+END(aesni_cbc_enc)
+
+/*
+ * aesni_cbc_dec1(const struct aesdec *deckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, const uint8_t iv[16] @r8,
+ * uint32_t nrounds@r9)
+ *
+ * Decrypt a contiguous sequence of blocks with AES-CBC.
+ *
+ * nbytes must be a positive integral multiple of 16. This routine
+ * is not vectorized; use aesni_cbc_dec8 for >=8 blocks at once.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_cbc_dec1)
+ push %rbp /* create stack frame uint128[1] */
+ mov %rsp,%rbp
+ sub $0x10,%rsp
+ movdqu (%r8),%xmm8 /* xmm8 := iv */
+ movdqa %xmm8,(%rsp) /* save iv */
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu -0x10(%rsi,%r10),%xmm0 /* xmm0 := last ciphertext block */
+ movdqu %xmm0,(%r8) /* update iv */
+1: mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_dec1 /* xmm0 := cv ^ ptxt */
+ sub $0x10,%r10
+ jz 2f /* first block if r10 is now zero */
+ movdqu -0x10(%rsi,%r10),%xmm8 /* xmm8 := chaining value */
+ pxor %xmm8,%xmm0 /* xmm0 := ptxt */
+ movdqu %xmm0,(%rdx,%r10) /* store plaintext block */
+ movdqa %xmm8,%xmm0 /* move cv = ciphertext block */
+ jmp 1b
+2: pxor (%rsp),%xmm0 /* xmm0 := ptxt */
+ movdqu %xmm0,(%rdx) /* store first plaintext block */
+ leave
+ ret
+END(aesni_cbc_dec1)
+
+/*
+ * aesni_cbc_dec8(const struct aesdec *deckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, const uint8_t iv[16] @r8,
+ * uint32_t nrounds@r9)
+ *
+ * Decrypt a contiguous sequence of 8-block units with AES-CBC.
+ *
+ * nbytes must be a positive integral multiple of 128.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_cbc_dec8)
+ push %rbp /* create stack frame uint128[1] */
+ mov %rsp,%rbp
+ sub $0x10,%rsp
+ movdqu (%r8),%xmm8 /* xmm8 := iv */
+ movdqa %xmm8,(%rsp) /* save iv */
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu -0x10(%rsi,%r10),%xmm7 /* xmm7 := ciphertext block[n-1] */
+ movdqu %xmm7,(%r8) /* update iv */
+1: movdqu -0x20(%rsi,%r10),%xmm6 /* xmm6 := ciphertext block[n-2] */
+ movdqu -0x30(%rsi,%r10),%xmm5 /* xmm5 := ciphertext block[n-3] */
+ movdqu -0x40(%rsi,%r10),%xmm4 /* xmm4 := ciphertext block[n-4] */
+ movdqu -0x50(%rsi,%r10),%xmm3 /* xmm3 := ciphertext block[n-5] */
+ movdqu -0x60(%rsi,%r10),%xmm2 /* xmm2 := ciphertext block[n-6] */
+ movdqu -0x70(%rsi,%r10),%xmm1 /* xmm1 := ciphertext block[n-7] */
+ movdqu -0x80(%rsi,%r10),%xmm0 /* xmm0 := ciphertext block[n-8] */
+ movdqa %xmm6,%xmm15 /* xmm[8+i] := cv[i], 0<i<8 */
+ movdqa %xmm5,%xmm14
+ movdqa %xmm4,%xmm13
+ movdqa %xmm3,%xmm12
+ movdqa %xmm2,%xmm11
+ movdqa %xmm1,%xmm10
+ movdqa %xmm0,%xmm9
+ mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_dec8 /* xmm[i] := cv[i] ^ ptxt[i], 0<=i<8 */
+ pxor %xmm15,%xmm7 /* xmm[i] := ptxt[i], 0<i<8 */
+ pxor %xmm14,%xmm6
+ pxor %xmm13,%xmm5
+ pxor %xmm12,%xmm4
+ pxor %xmm11,%xmm3
+ pxor %xmm10,%xmm2
+ pxor %xmm9,%xmm1
+ movdqu %xmm7,-0x10(%rdx,%r10) /* store plaintext blocks */
+ movdqu %xmm6,-0x20(%rdx,%r10)
+ movdqu %xmm5,-0x30(%rdx,%r10)
+ movdqu %xmm4,-0x40(%rdx,%r10)
+ movdqu %xmm3,-0x50(%rdx,%r10)
+ movdqu %xmm2,-0x60(%rdx,%r10)
+ movdqu %xmm1,-0x70(%rdx,%r10)
+ sub $0x80,%r10
+ jz 2f /* first block if r10 is now zero */
+ movdqu -0x10(%rsi,%r10),%xmm7 /* xmm7 := cv[0] */
+ pxor %xmm7,%xmm0 /* xmm0 := ptxt[0] */
+ movdqu %xmm0,(%rdx,%r10) /* store plaintext block */
+ jmp 1b
+2: pxor (%rsp),%xmm0 /* xmm0 := ptxt[0] */
+ movdqu %xmm0,(%rdx) /* store first plaintext block */
+ leave
+ ret
+END(aesni_cbc_dec8)
+
+/*
+ * aesni_xts_enc1(const struct aesenc *enckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, uint8_t tweak[16] @r8,
+ * uint32_t nrounds@r9d)
+ *
+ * Encrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 16. This routine
+ * is not vectorized; use aesni_xts_enc8 for >=8 blocks at once.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_xts_enc1)
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu (%r8),%xmm9 /* xmm9 := tweak */
+1: movdqu (%rsi),%xmm0 /* xmm0 := ptxt */
+ lea 0x10(%rsi),%rsi /* advance rdi to next block */
+ pxor %xmm9,%xmm0 /* xmm0 := ptxt ^ tweak */
+ mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_enc1 /* xmm0 := AES(ptxt ^ tweak) */
+ pxor %xmm9,%xmm0 /* xmm0 := AES(ptxt ^ tweak) ^ tweak */
+ movdqu %xmm0,(%rdx) /* store ciphertext block */
+ lea 0x10(%rdx),%rdx /* advance rsi to next block */
+ call aesni_xts_mulx /* xmm9 *= x; trash xmm0 */
+ sub $0x10,%r10
+ jnz 1b /* repeat if more blocks */
+ movdqu %xmm9,(%r8) /* update tweak */
+ ret
+END(aesni_xts_enc1)
+
+/*
+ * aesni_xts_enc8(const struct aesenc *enckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, uint8_t tweak[16] @r8,
+ * uint32_t nrounds@r9d)
+ *
+ * Encrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 128.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_xts_enc8)
+ push %rbp /* create stack frame uint128[2] */
+ mov %rsp,%rbp
+ sub $0x20,%rsp
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu (%r8),%xmm9 /* xmm9 := tweak[0] */
+1: movdqa %xmm9,(%rsp) /* save tweak[0] */
+ call aesni_xts_mulx /* xmm9 := tweak[1] */
+ movdqa %xmm9,0x10(%rsp) /* save tweak[1] */
+ call aesni_xts_mulx /* xmm9 := tweak[2] */
+ movdqa %xmm9,%xmm10 /* xmm10 := tweak[2] */
+ call aesni_xts_mulx /* xmm9 := tweak[3] */
+ movdqa %xmm9,%xmm11 /* xmm11 := tweak[3] */
+ call aesni_xts_mulx /* xmm9 := tweak[4] */
+ movdqa %xmm9,%xmm12 /* xmm12 := tweak[4] */
+ call aesni_xts_mulx /* xmm9 := tweak[5] */
+ movdqa %xmm9,%xmm13 /* xmm13 := tweak[5] */
+ call aesni_xts_mulx /* xmm9 := tweak[6] */
+ movdqa %xmm9,%xmm14 /* xmm14 := tweak[6] */
+ call aesni_xts_mulx /* xmm9 := tweak[7] */
+ movdqa %xmm9,%xmm15 /* xmm15 := tweak[7] */
+ movdqu (%rsi),%xmm0 /* xmm[i] := ptxt[i] */
+ movdqu 0x10(%rsi),%xmm1
+ movdqu 0x20(%rsi),%xmm2
+ movdqu 0x30(%rsi),%xmm3
+ movdqu 0x40(%rsi),%xmm4
+ movdqu 0x50(%rsi),%xmm5
+ movdqu 0x60(%rsi),%xmm6
+ movdqu 0x70(%rsi),%xmm7
+ lea 0x80(%rsi),%rsi /* advance rsi to next block group */
+ pxor (%rsp),%xmm0 /* xmm[i] := ptxt[i] ^ tweak[i] */
+ pxor 0x10(%rsp),%xmm1
+ pxor %xmm10,%xmm2
+ pxor %xmm11,%xmm3
+ pxor %xmm12,%xmm4
+ pxor %xmm13,%xmm5
+ pxor %xmm14,%xmm6
+ pxor %xmm15,%xmm7
+ mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_enc8 /* xmm[i] := AES(ptxt[i] ^ tweak[i]) */
+ pxor (%rsp),%xmm0 /* xmm[i] := AES(...) ^ tweak[i] */
+ pxor 0x10(%rsp),%xmm1
+ pxor %xmm10,%xmm2
+ pxor %xmm11,%xmm3
+ pxor %xmm12,%xmm4
+ pxor %xmm13,%xmm5
+ pxor %xmm14,%xmm6
+ pxor %xmm15,%xmm7
+ movdqu %xmm0,(%rdx) /* store ciphertext blocks */
+ movdqu %xmm1,0x10(%rdx)
+ movdqu %xmm2,0x20(%rdx)
+ movdqu %xmm3,0x30(%rdx)
+ movdqu %xmm4,0x40(%rdx)
+ movdqu %xmm5,0x50(%rdx)
+ movdqu %xmm6,0x60(%rdx)
+ movdqu %xmm7,0x70(%rdx)
+ lea 0x80(%rdx),%rdx /* advance rdx to next block group */
+ movdqa %xmm15,%xmm9 /* xmm9 := tweak[7] */
+ call aesni_xts_mulx /* xmm9 := tweak[8] */
+ sub $0x80,%r10
+ jnz 1b /* repeat if more block groups */
+ movdqu %xmm9,(%r8) /* update tweak */
+ leave
+ ret
+END(aesni_xts_enc8)
+
+/*
+ * aesni_xts_dec1(const struct aesdec *deckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, uint8_t tweak[16] @r8,
+ * uint32_t nrounds@r9d)
+ *
+ * Decrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 16. This routine
+ * is not vectorized; use aesni_xts_dec8 for >=8 blocks at once.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_xts_dec1)
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu (%r8),%xmm9 /* xmm9 := tweak */
+1: movdqu (%rsi),%xmm0 /* xmm0 := ctxt */
+ lea 0x10(%rsi),%rsi /* advance rdi to next block */
+ pxor %xmm9,%xmm0 /* xmm0 := ctxt ^ tweak */
+ mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_dec1 /* xmm0 := AES(ctxt ^ tweak) */
+ pxor %xmm9,%xmm0 /* xmm0 := AES(ctxt ^ tweak) ^ tweak */
+ movdqu %xmm0,(%rdx) /* store plaintext block */
+ lea 0x10(%rdx),%rdx /* advance rsi to next block */
+ call aesni_xts_mulx /* xmm9 *= x; trash xmm0 */
+ sub $0x10,%r10
+ jnz 1b /* repeat if more blocks */
+ movdqu %xmm9,(%r8) /* update tweak */
+ ret
+END(aesni_xts_dec1)
+
+/*
+ * aesni_xts_dec8(const struct aesdec *deckey@rdi, const uint8_t *in@rsi,
+ * uint8_t *out@rdx, size_t nbytes@rcx, uint8_t tweak[16] @r8,
+ * uint32_t nrounds@r9d)
+ *
+ * Decrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 128.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_xts_dec8)
+ push %rbp /* create stack frame uint128[2] */
+ mov %rsp,%rbp
+ sub $0x20,%rsp
+ mov %rcx,%r10 /* r10 := nbytes */
+ movdqu (%r8),%xmm9 /* xmm9 := tweak[0] */
+1: movdqa %xmm9,(%rsp) /* save tweak[0] */
+ call aesni_xts_mulx /* xmm9 := tweak[1] */
+ movdqa %xmm9,0x10(%rsp) /* save tweak[1] */
+ call aesni_xts_mulx /* xmm9 := tweak[2] */
+ movdqa %xmm9,%xmm10 /* xmm10 := tweak[2] */
+ call aesni_xts_mulx /* xmm9 := tweak[3] */
+ movdqa %xmm9,%xmm11 /* xmm11 := tweak[3] */
+ call aesni_xts_mulx /* xmm9 := tweak[4] */
+ movdqa %xmm9,%xmm12 /* xmm12 := tweak[4] */
+ call aesni_xts_mulx /* xmm9 := tweak[5] */
+ movdqa %xmm9,%xmm13 /* xmm13 := tweak[5] */
+ call aesni_xts_mulx /* xmm9 := tweak[6] */
+ movdqa %xmm9,%xmm14 /* xmm14 := tweak[6] */
+ call aesni_xts_mulx /* xmm9 := tweak[7] */
+ movdqa %xmm9,%xmm15 /* xmm15 := tweak[7] */
+ movdqu (%rsi),%xmm0 /* xmm[i] := ptxt[i] */
+ movdqu 0x10(%rsi),%xmm1
+ movdqu 0x20(%rsi),%xmm2
+ movdqu 0x30(%rsi),%xmm3
+ movdqu 0x40(%rsi),%xmm4
+ movdqu 0x50(%rsi),%xmm5
+ movdqu 0x60(%rsi),%xmm6
+ movdqu 0x70(%rsi),%xmm7
+ lea 0x80(%rsi),%rsi /* advance rsi to next block group */
+ pxor (%rsp),%xmm0 /* xmm[i] := ptxt[i] ^ tweak[i] */
+ pxor 0x10(%rsp),%xmm1
+ pxor %xmm10,%xmm2
+ pxor %xmm11,%xmm3
+ pxor %xmm12,%xmm4
+ pxor %xmm13,%xmm5
+ pxor %xmm14,%xmm6
+ pxor %xmm15,%xmm7
+ mov %r9d,%ecx /* ecx := nrounds */
+ call aesni_dec8 /* xmm[i] := AES(ptxt[i] ^ tweak[i]) */
+ pxor (%rsp),%xmm0 /* xmm[i] := AES(...) ^ tweak[i] */
+ pxor 0x10(%rsp),%xmm1
+ pxor %xmm10,%xmm2
+ pxor %xmm11,%xmm3
+ pxor %xmm12,%xmm4
+ pxor %xmm13,%xmm5
+ pxor %xmm14,%xmm6
+ pxor %xmm15,%xmm7
+ movdqu %xmm0,(%rdx) /* store ciphertext blocks */
+ movdqu %xmm1,0x10(%rdx)
+ movdqu %xmm2,0x20(%rdx)
+ movdqu %xmm3,0x30(%rdx)
+ movdqu %xmm4,0x40(%rdx)
+ movdqu %xmm5,0x50(%rdx)
+ movdqu %xmm6,0x60(%rdx)
+ movdqu %xmm7,0x70(%rdx)
+ lea 0x80(%rdx),%rdx /* advance rdx to next block group */
+ movdqa %xmm15,%xmm9 /* xmm9 := tweak[7] */
+ call aesni_xts_mulx /* xmm9 := tweak[8] */
+ sub $0x80,%r10
+ jnz 1b /* repeat if more block groups */
+ movdqu %xmm9,(%r8) /* update tweak */
+ leave
+ ret
+END(aesni_xts_dec8)
+
+/*
+ * aesni_xts_mulx(tweak@xmm9)
+ *
+ * Multiply xmm9 by x, modulo x^128 + x^7 + x^2 + x + 1, in place.
+ * Uses %xmm0 as temporary.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_xts_mulx,@function
+aesni_xts_mulx:
+ /*
+ * Simultaneously determine
+ * (a) whether the high bit of the low quadword must be
+ * shifted into the low bit of the high quadword, and
+ * (b) whether the high bit of the high quadword must be
+ * carried into x^128 = x^7 + x^2 + x + 1.
+ */
+ pxor %xmm0,%xmm0 /* xmm0 := 0 */
+ pcmpgtq %xmm9,%xmm0 /* xmm0[i] := -1 if 0 > xmm9[i], 0 otherwise */
+ pshufd $0b01001110,%xmm0,%xmm0 /* swap halves of xmm0 */
+ pand xtscarry,%xmm0 /* copy xtscarry according to mask */
+ psllq $1,%xmm9 /* shift */
+ pxor %xmm0,%xmm9 /* incorporate (a) and (b) */
+ ret
+END(aesni_xts_mulx)
+
+ .section .rodata
+ .align 16
+ .type xtscarry,@object
+xtscarry:
+ .byte 0x87,0,0,0, 0,0,0,0, 1,0,0,0, 0,0,0,0
+END(xtscarry)
+
+/*
+ * aesni_xts_update(const uint8_t in[16] @rdi, uint8_t out[16] @rsi)
+ *
+ * Update an AES-XTS tweak.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesni_xts_update)
+ movdqu (%rdi),%xmm9
+ call aesni_xts_mulx
+ movdqu %xmm9,(%rsi)
+ ret
+END(aesni_xts_update)
+
+/*
+ * aesni_enc1(const struct aesenc *enckey@rdi, uint128_t block@xmm0,
+ * uint32_t nrounds@ecx)
+ *
+ * Encrypt a single AES block in %xmm0.
+ *
+ * Internal ABI. Uses %rax and %xmm8 as temporaries. Destroys %ecx.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_enc1,@function
+aesni_enc1:
+ pxor (%rdi),%xmm0 /* xor in first round key */
+ shl $4,%ecx /* ecx := total byte size of round keys */
+ lea 0x10(%rdi,%rcx),%rax /* rax := end of round key array */
+ neg %rcx /* rcx := byte offset of round key from end */
+1: movdqa (%rax,%rcx),%xmm8 /* load round key */
+ add $0x10,%rcx
+ jz 2f /* stop if this is the last one */
+ aesenc %xmm8,%xmm0
+ jmp 1b
+2: aesenclast %xmm8,%xmm0
+ ret
+END(aesni_enc1)
+
+/*
+ * aesni_enc8(const struct aesenc *enckey@rdi, uint128_t block0@xmm0, ...,
+ * block7@xmm7, uint32_t nrounds@ecx)
+ *
+ * Encrypt eight AES blocks in %xmm0 through %xmm7 in parallel.
+ *
+ * Internal ABI. Uses %rax and %xmm8 as temporaries. Destroys %ecx.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_enc8,@function
+aesni_enc8:
+ movdqa (%rdi),%xmm8 /* xor in first round key */
+ pxor %xmm8,%xmm0
+ pxor %xmm8,%xmm1
+ pxor %xmm8,%xmm2
+ pxor %xmm8,%xmm3
+ pxor %xmm8,%xmm4
+ pxor %xmm8,%xmm5
+ pxor %xmm8,%xmm6
+ pxor %xmm8,%xmm7
+ shl $4,%ecx /* ecx := total byte size of round keys */
+ lea 0x10(%rdi,%rcx),%rax /* rax := end of round key array */
+ neg %rcx /* rcx := byte offset of round key from end */
+1: movdqa (%rax,%rcx),%xmm8 /* load round key */
+ add $0x10,%rcx
+ jz 2f /* stop if this is the last one */
+ aesenc %xmm8,%xmm0
+ aesenc %xmm8,%xmm1
+ aesenc %xmm8,%xmm2
+ aesenc %xmm8,%xmm3
+ aesenc %xmm8,%xmm4
+ aesenc %xmm8,%xmm5
+ aesenc %xmm8,%xmm6
+ aesenc %xmm8,%xmm7
+ jmp 1b
+2: aesenclast %xmm8,%xmm0
+ aesenclast %xmm8,%xmm1
+ aesenclast %xmm8,%xmm2
+ aesenclast %xmm8,%xmm3
+ aesenclast %xmm8,%xmm4
+ aesenclast %xmm8,%xmm5
+ aesenclast %xmm8,%xmm6
+ aesenclast %xmm8,%xmm7
+ ret
+END(aesni_enc8)
+
+/*
+ * aesni_dec1(const struct aesdec *deckey@rdi, uint128_t block@xmm0,
+ * uint32_t nrounds@ecx)
+ *
+ * Decrypt a single AES block in %xmm0.
+ *
+ * Internal ABI. Uses %rax and %xmm8 as temporaries. Destroys %ecx.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_dec1,@function
+aesni_dec1:
+ pxor (%rdi),%xmm0 /* xor in first round key */
+ shl $4,%ecx /* ecx := byte offset of round key */
+ lea 0x10(%rdi,%rcx),%rax /* rax := pointer to round key */
+ neg %rcx /* rcx := byte offset of round key from end */
+1: movdqa (%rax,%rcx),%xmm8 /* load round key */
+ add $0x10,%rcx
+ jz 2f /* stop if this is the last one */
+ aesdec %xmm8,%xmm0
+ jmp 1b
+2: aesdeclast %xmm8,%xmm0
+ ret
+END(aesni_dec1)
+
+/*
+ * aesni_dec8(const struct aesdec *deckey@rdi, uint128_t block0@xmm0, ...,
+ * block7@xmm7, uint32_t nrounds@ecx)
+ *
+ * Decrypt eight AES blocks in %xmm0 through %xmm7 in parallel.
+ *
+ * Internal ABI. Uses %xmm8 as temporary. Destroys %rcx.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesni_dec8,@function
+aesni_dec8:
+ movdqa (%rdi),%xmm8 /* xor in first round key */
+ pxor %xmm8,%xmm0
+ pxor %xmm8,%xmm1
+ pxor %xmm8,%xmm2
+ pxor %xmm8,%xmm3
+ pxor %xmm8,%xmm4
+ pxor %xmm8,%xmm5
+ pxor %xmm8,%xmm6
+ pxor %xmm8,%xmm7
+ shl $4,%ecx /* ecx := byte offset of round key */
+ lea 0x10(%rdi,%rcx),%rax /* rax := pointer to round key */
+ neg %rcx /* rcx := byte offset of round key from end */
+1: movdqa (%rax,%rcx),%xmm8 /* load round key */
+ add $0x10,%rcx
+ jz 2f /* stop if this is the last one */
+ aesdec %xmm8,%xmm0
+ aesdec %xmm8,%xmm1
+ aesdec %xmm8,%xmm2
+ aesdec %xmm8,%xmm3
+ aesdec %xmm8,%xmm4
+ aesdec %xmm8,%xmm5
+ aesdec %xmm8,%xmm6
+ aesdec %xmm8,%xmm7
+ jmp 1b
+2: aesdeclast %xmm8,%xmm0
+ aesdeclast %xmm8,%xmm1
+ aesdeclast %xmm8,%xmm2
+ aesdeclast %xmm8,%xmm3
+ aesdeclast %xmm8,%xmm4
+ aesdeclast %xmm8,%xmm5
+ aesdeclast %xmm8,%xmm6
+ aesdeclast %xmm8,%xmm7
+ ret
+END(aesni_dec8)
diff -r 9d6b84c40f65 -r fea7aeacc09c sys/crypto/aes/arch/x86/files.aesni
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/files.aesni Wed Jun 17 23:05:29 2020 +0000
@@ -0,0 +1,6 @@
+# $NetBSD$
+
+ifdef amd64 # amd64-only for now; i386 left as exercise for reader
+file crypto/aes/arch/x86/aes_ni.c aes
+file crypto/aes/arch/x86/aesnifunc.S aes
+endif
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592066612 0
# Sat Jun 13 16:43:32 2020 +0000
# Branch trunk
# Node ID 87d9e1c86afcd441a167bf5f6d485e98d8094594
# Parent fea7aeacc09cf9da68d32a15edf9550ce78a4d45
# EXP-Topic riastradh-kernelcrypto
Implement AES in kernel using ARMv8.0-AES on aarch64.
diff -r fea7aeacc09c -r 87d9e1c86afc sys/arch/aarch64/aarch64/cpu.c
--- a/sys/arch/aarch64/aarch64/cpu.c Wed Jun 17 23:05:29 2020 +0000
+++ b/sys/arch/aarch64/aarch64/cpu.c Sat Jun 13 16:43:32 2020 +0000
@@ -44,6 +44,8 @@
#include <sys/sysctl.h>
#include <sys/systm.h>
+#include <crypto/aes/arch/aarch64/aes_arm.h>
+
#include <aarch64/armreg.h>
#include <aarch64/cpu.h>
#include <aarch64/cpufunc.h>
@@ -70,6 +72,7 @@ static void cpu_init_counter(struct cpu_
static void cpu_setup_id(struct cpu_info *);
static void cpu_setup_sysctl(device_t, struct cpu_info *);
static void cpu_setup_rng(device_t, struct cpu_info *);
+static void cpu_setup_aes(device_t, struct cpu_info *);
#ifdef MULTIPROCESSOR
#define NCPUINFO MAXCPUS
@@ -158,6 +161,7 @@ cpu_attach(device_t dv, cpuid_t id)
cpu_setup_sysctl(dv, ci);
cpu_setup_rng(dv, ci);
+ cpu_setup_aes(dv, ci);
}
struct cpuidtab {
@@ -589,6 +593,26 @@ cpu_setup_rng(device_t dv, struct cpu_in
RND_FLAG_DEFAULT|RND_FLAG_HASCB);
}
+/*
+ * setup the AES implementation
+ */
+static void
+cpu_setup_aes(device_t dv, struct cpu_info *ci)
+{
+ struct aarch64_sysctl_cpu_id *id = &ci->ci_id;
+
+ /* Verify that it is supported. */
+ switch (__SHIFTOUT(id->ac_aa64isar0, ID_AA64ISAR0_EL1_AES)) {
+ case ID_AA64ISAR0_EL1_AES_AES:
+ case ID_AA64ISAR0_EL1_AES_PMUL:
+ break;
+ default:
+ return;
+ }
+
+ aes_md_init(&aes_arm_impl);
+}
+
#ifdef MULTIPROCESSOR
void
cpu_hatch(struct cpu_info *ci)
diff -r fea7aeacc09c -r 87d9e1c86afc sys/arch/aarch64/conf/files.aarch64
--- a/sys/arch/aarch64/conf/files.aarch64 Wed Jun 17 23:05:29 2020 +0000
+++ b/sys/arch/aarch64/conf/files.aarch64 Sat Jun 13 16:43:32 2020 +0000
@@ -138,3 +138,6 @@ file arch/aarch64/aarch64/netbsd32_sysca
# profiling support
file dev/tprof/tprof_armv8.c tprof needs-flag
+
+# AES
+include "crypto/aes/arch/aarch64/files.aesarm"
diff -r fea7aeacc09c -r 87d9e1c86afc sys/crypto/aes/arch/aarch64/aes_arm.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/aarch64/aes_arm.c Sat Jun 13 16:43:32 2020 +0000
@@ -0,0 +1,257 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/proc.h>
+#include <sys/systm.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/aes/arch/aarch64/aes_arm.h>
+
+#include <aarch64/machdep.h>
+
+static void
+aesarm_setenckey(struct aesenc *enc, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+
+ switch (nrounds) {
+ case 10:
+ aesarm_setenckey128(enc, key);
+ break;
+ case 12:
+ aesarm_setenckey192(enc, key);
+ break;
+ case 14:
+ aesarm_setenckey256(enc, key);
+ break;
+ default:
+ panic("invalid AES rounds: %u", nrounds);
+ }
+}
+
+static void
+aesarm_setenckey_impl(struct aesenc *enc, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+
+ fpu_kern_enter();
+ aesarm_setenckey(enc, key, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesarm_setdeckey_impl(struct aesdec *dec, const uint8_t key[static 16],
+ uint32_t nrounds)
+{
+ struct aesenc enc;
+
+ fpu_kern_enter();
+ aesarm_setenckey(&enc, key, nrounds);
+ aesarm_enctodec(&enc, dec, nrounds);
+ fpu_kern_leave();
+
+ explicit_memset(&enc, 0, sizeof enc);
+}
+
+static void
+aesarm_enc_impl(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+
+ fpu_kern_enter();
+ aesarm_enc(enc, in, out, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesarm_dec_impl(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+
+ fpu_kern_enter();
+ aesarm_dec(dec, in, out, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesarm_cbc_enc_impl(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+ aesarm_cbc_enc(enc, in, out, nbytes, iv, nrounds);
+ fpu_kern_leave();
+}
+
+static void
+aesarm_cbc_dec_impl(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+
+ if (nbytes % 128) {
+ aesarm_cbc_dec1(dec, in, out, nbytes % 128, iv, nrounds);
+ in += nbytes % 128;
+ out += nbytes % 128;
+ nbytes -= nbytes % 128;
+ }
+
+ KASSERT(nbytes % 128 == 0);
+ if (nbytes)
+ aesarm_cbc_dec8(dec, in, out, nbytes, iv, nrounds);
+
+ fpu_kern_leave();
+}
+
+static void
+aesarm_xts_enc_impl(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+
+ if (nbytes % 128) {
+ aesarm_xts_enc1(enc, in, out, nbytes % 128, tweak, nrounds);
+ in += nbytes % 128;
+ out += nbytes % 128;
+ nbytes -= nbytes % 128;
+ }
+
+ KASSERT(nbytes % 128 == 0);
+ if (nbytes)
+ aesarm_xts_enc8(enc, in, out, nbytes, tweak, nrounds);
+
+ fpu_kern_leave();
+}
+
+static void
+aesarm_xts_dec_impl(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+
+ KASSERT(nbytes % 16 == 0);
+
+ fpu_kern_enter();
+
+ if (nbytes % 128) {
+ aesarm_xts_dec1(dec, in, out, nbytes % 128, tweak, nrounds);
+ in += nbytes % 128;
+ out += nbytes % 128;
+ nbytes -= nbytes % 128;
+ }
+
+ KASSERT(nbytes % 128 == 0);
+ if (nbytes)
+ aesarm_xts_dec8(dec, in, out, nbytes, tweak, nrounds);
+
+ fpu_kern_leave();
+}
+
+static int
+aesarm_xts_update_selftest(void)
+{
+ static const struct {
+ uint8_t in[16], out[16];
+ } cases[] = {
+ {{1}, {2}},
+ {{0,0,0,0x80}, {0,0,0,0,1}},
+ {{0,0,0,0,0,0,0,0x80}, {0,0,0,0,0,0,0,0,1}},
+ {{0,0,0,0x80,0,0,0,0x80}, {0,0,0,0,1,0,0,0,1}},
+ {{0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x80}, {0x87}},
+ {{0,0,0,0,0,0,0,0x80,0,0,0,0,0,0,0,0x80},
+ {0x87,0,0,0,0,0,0,0,1}},
+ {{0,0,0,0x80,0,0,0,0,0,0,0,0,0,0,0,0x80}, {0x87,0,0,0,1}},
+ {{0,0,0,0x80,0,0,0,0x80,0,0,0,0,0,0,0,0x80},
+ {0x87,0,0,0,1,0,0,0,1}},
+ };
+ unsigned i;
+ uint8_t tweak[16];
+
+ for (i = 0; i < sizeof(cases)/sizeof(cases[0]); i++) {
+ aesarm_xts_update(cases[i].in, tweak);
+ if (memcmp(tweak, cases[i].out, 16))
+ return -1;
+ }
+
+ /* Success! */
+ return 0;
+}
+
+static int
+aesarm_probe(void)
+{
+ struct aarch64_sysctl_cpu_id *id = &curcpu()->ci_id;
+ int result = 0;
+
+ /* Verify that the CPU supports AES. */
+ switch (__SHIFTOUT(id->ac_aa64isar0, ID_AA64ISAR0_EL1_AES)) {
+ case ID_AA64ISAR0_EL1_AES_AES:
+ case ID_AA64ISAR0_EL1_AES_PMUL:
+ break;
+ default:
+ return -1;
+ }
+
+ fpu_kern_enter();
+
+ /* Verify that our XTS tweak update logic works. */
+ if (aesarm_xts_update_selftest())
+ result = -1;
+
+ fpu_kern_leave();
+
+ return result;
+}
+
+struct aes_impl aes_arm_impl = {
+ .ai_name = "AArch64 ARMv8.0-AES",
+ .ai_probe = aesarm_probe,
+ .ai_setenckey = aesarm_setenckey_impl,
+ .ai_setdeckey = aesarm_setdeckey_impl,
+ .ai_enc = aesarm_enc_impl,
+ .ai_dec = aesarm_dec_impl,
+ .ai_cbc_enc = aesarm_cbc_enc_impl,
+ .ai_cbc_dec = aesarm_cbc_dec_impl,
+ .ai_xts_enc = aesarm_xts_enc_impl,
+ .ai_xts_dec = aesarm_xts_dec_impl,
+};
diff -r fea7aeacc09c -r 87d9e1c86afc sys/crypto/aes/arch/aarch64/aes_arm.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/aarch64/aes_arm.h Sat Jun 13 16:43:32 2020 +0000
@@ -0,0 +1,68 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _CRYPTO_AES_AES_ARCH_AARCH64_AES_ARM_H
+#define _CRYPTO_AES_AES_ARCH_AARCH64_AES_ARM_H
+
+#include <sys/types.h>
+
+#include <crypto/aes/aes.h>
+
+/* Assembly routines */
+
+void aesarm_setenckey128(struct aesenc *, const uint8_t[static 16]);
+void aesarm_setenckey192(struct aesenc *, const uint8_t[static 24]);
+void aesarm_setenckey256(struct aesenc *, const uint8_t[static 32]);
+
+void aesarm_enctodec(const struct aesenc *, struct aesdec *, uint32_t);
+
+void aesarm_enc(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+void aesarm_dec(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], uint32_t);
+
+void aesarm_cbc_enc(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aesarm_cbc_dec1(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, const uint8_t[static 16], uint32_t);
+void aesarm_cbc_dec8(const struct aesdec *, const uint8_t[static 128],
+ uint8_t[static 128], size_t, const uint8_t[static 16], uint32_t);
+
+void aesarm_xts_enc1(const struct aesenc *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aesarm_xts_enc8(const struct aesenc *, const uint8_t[static 128],
+ uint8_t[static 128], size_t, const uint8_t[static 16], uint32_t);
+void aesarm_xts_dec1(const struct aesdec *, const uint8_t[static 16],
+ uint8_t[static 16], size_t, uint8_t[static 16], uint32_t);
+void aesarm_xts_dec8(const struct aesdec *, const uint8_t[static 128],
+ uint8_t[static 128], size_t, const uint8_t[static 16], uint32_t);
+void aesarm_xts_update(const uint8_t[static 16], uint8_t[static 16]);
+
+extern struct aes_impl aes_arm_impl;
+
+#endif /* _CRYPTO_AES_AES_ARCH_AARCH64_AES_ARM_H */
diff -r fea7aeacc09c -r 87d9e1c86afc sys/crypto/aes/arch/aarch64/aesarmfunc.S
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/aarch64/aesarmfunc.S Sat Jun 13 16:43:32 2020 +0000
@@ -0,0 +1,1014 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <aarch64/asm.h>
+
+ .arch_extension crypto
+
+/*
+ * uint32_t rcon[10]
+ *
+ * Table mapping n ---> x^n mod (x^8 + x^4 + x^3 + x + 1) in GF(2).
+ * Such elements of GF(8) need only eight bits to be represented,
+ * but we store them in 4-byte units so we can copy one into all
+ * four 4-byte lanes of a vector register with a single LD1R. The
+ * access pattern is fixed, so indices into this table are never
+ * secret.
+ */
+ .section .rodata
+ .align 4
+ .type rcon,@object
+rcon:
+ .long 0x01
+ .long 0x02
+ .long 0x04
+ .long 0x08
+ .long 0x10
+ .long 0x20
+ .long 0x40
+ .long 0x80
+ .long 0x1b
+ .long 0x36
+END(rcon)
+
+/*
+ * uint128_t unshiftrows_rotword_1
+ *
+ * Table for TBL instruction to undo ShiftRows, and then do
+ * RotWord on word 1, and then copy it into all the other words.
+ */
+ .section .rodata
+ .align 16
+ .type unshiftrows_rotword_1,@object
+unshiftrows_rotword_1:
+ .byte 0x01,0x0e,0x0b,0x04
+ .byte 0x01,0x0e,0x0b,0x04
+ .byte 0x01,0x0e,0x0b,0x04
+ .byte 0x01,0x0e,0x0b,0x04
+END(unshiftrows_rotword_1)
+
+/*
+ * uint128_t unshiftrows_3
+ *
+ * Table for TBL instruction to undo ShiftRows, and then copy word
+ * 3 into all the other words.
+ */
+ .section .rodata
+ .align 16
+ .type unshiftrows_3,@object
+unshiftrows_3:
+ .byte 0x0c,0x09,0x06,0x03
+ .byte 0x0c,0x09,0x06,0x03
+ .byte 0x0c,0x09,0x06,0x03
+ .byte 0x0c,0x09,0x06,0x03
+END(unshiftrows_3)
+
+/*
+ * uint128_t unshiftrows_rotword_3
+ *
+ * Table for TBL instruction to undo ShiftRows, and then do
+ * RotWord on word 3, and then copy it into all the other words.
+ */
+ .section .rodata
+ .align 16
+ .type unshiftrows_rotword_3,@object
+unshiftrows_rotword_3:
+ .byte 0x09,0x06,0x03,0x0c
+ .byte 0x09,0x06,0x03,0x0c
+ .byte 0x09,0x06,0x03,0x0c
+ .byte 0x09,0x06,0x03,0x0c
+END(unshiftrows_rotword_3)
+
+/*
+ * aesarm_setenckey128(struct aesenc *enckey@x0, const uint8_t key[16] @x1)
+ *
+ * Expand a 16-byte AES-128 key into 10 round keys.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_setenckey128)
+ ldr q1, [x1] /* q1 := master key */
+
+ adrl x4, unshiftrows_rotword_3
+ eor v0.16b, v0.16b, v0.16b /* q0 := 0 */
+ ldr q8, [x4] /* q8 := unshiftrows_rotword_3 table */
+
+ str q1, [x0], #0x10 /* store master key as first round key */
+ mov x2, #10 /* round count */
+ adrl x3, rcon /* round constant */
+
+1: /*
+ * q0 = 0
+ * v1.4s = (prk[0], prk[1], prk[2], prk[3])
+ * x0 = pointer to round key to compute
+ * x2 = round count
+ * x3 = rcon pointer
+ */
+
+ /* q3 := ShiftRows(SubBytes(q1)) */
+ mov v3.16b, v1.16b
+ aese v3.16b, v0.16b
+
+ /* v3.4s[i] := RotWords(SubBytes(prk[3])) ^ RCON */
+ ld1r {v4.4s}, [x3], #4
+ tbl v3.16b, {v3.16b}, v8.16b
+ eor v3.16b, v3.16b, v4.16b
+
+ /*
+ * v5.4s := (0,prk[0],prk[1],prk[2])
+ * v6.4s := (0,0,prk[0],prk[1])
+ * v7.4s := (0,0,0,prk[0])
+ */
+ ext v5.16b, v0.16b, v1.16b, #12
+ ext v6.16b, v0.16b, v1.16b, #8
+ ext v7.16b, v0.16b, v1.16b, #4
+
+ /* v1.4s := (rk[0], rk[1], rk[2], rk[3]) */
+ eor v1.16b, v1.16b, v3.16b
+ eor v1.16b, v1.16b, v5.16b
+ eor v1.16b, v1.16b, v6.16b
+ eor v1.16b, v1.16b, v7.16b
+
+ subs x2, x2, #1 /* count down rounds */
+ str q1, [x0], #0x10 /* store round key */
+ b.ne 1b
+
+ ret
+END(aesarm_setenckey128)
+
+/*
+ * aesarm_setenckey192(struct aesenc *enckey@x0, const uint8_t key[24] @x1)
+ *
+ * Expand a 24-byte AES-192 key into 12 round keys.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_setenckey192)
+ ldr q1, [x1], #0x10 /* q1 := master key[0:128) */
+ ldr d2, [x1] /* d2 := master key[128:192) */
+
+ adrl x4, unshiftrows_rotword_1
+ adrl x5, unshiftrows_rotword_3
+ eor v0.16b, v0.16b, v0.16b /* q0 := 0 */
+ ldr q8, [x4] /* q8 := unshiftrows_rotword_1 */
+ ldr q9, [x5] /* q9 := unshiftrows_rotword_3 */
+
+ str q1, [x0], #0x10 /* store master key[0:128) as round key */
+ mov x2, #12 /* round count */
+ adrl x3, rcon /* round constant */
+
+1: /*
+ * q0 = 0
+ * v1.4s = (prk[0], prk[1], prk[2], prk[3])
+ * v2.4s = (rklo[0], rklo[1], xxx, xxx)
+ * x0 = pointer to three round keys to compute
+ * x2 = round count
+ * x3 = rcon pointer
+ */
+
+ /* q3 := ShiftRows(SubBytes(q2)) */
+ mov v3.16b, v2.16b
+ aese v3.16b, v0.16b
+
+ /* v3.4s[i] := RotWords(SubBytes(rklo[1])) ^ RCON */
+ ld1r {v4.4s}, [x3], #4
+ tbl v3.16b, {v3.16b}, v8.16b
+ eor v3.16b, v3.16b, v4.16b
+
+ /*
+ * We need to compute:
+ *
+ * rk[0] := rklo[0]
+ * rk[1] := rklo[1]
+ * rk[2] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0]
+ * rk[3] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ prk[1]
+ * nrk[0] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ prk[1] ^ prk[2]
+ * nrk[1] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ ... ^ prk[3]
+ * nrk[2] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ ... ^ prk[3] ^ rklo[0]
+ * nrk[3] := Rot(Sub(rklo[1])) ^ RCON ^ prk[0] ^ ... ^ prk[3] ^ rklo[0]
+ * ^ rklo[1]
+ */
+
+ /*
+ * v5.4s := (0,prk[0],prk[1],prk[2])
+ * v6.4s := (0,0,prk[0],prk[1])
+ * v7.4s := (0,0,0,prk[0])
+ */
+ ext v5.16b, v0.16b, v1.16b, #12
+ ext v6.16b, v0.16b, v1.16b, #8
+ ext v7.16b, v0.16b, v1.16b, #4
+
+ /* v5.4s := (rk[2], rk[3], nrk[0], nrk[1]) */
+ eor v5.16b, v5.16b, v1.16b
+ eor v5.16b, v5.16b, v3.16b
+ eor v5.16b, v5.16b, v6.16b
+ eor v5.16b, v5.16b, v7.16b
+
+ /*
+ * At this point, rk is split across v2.4s = (rk[0],rk[1],...)
+ * and v5.4s = (rk[2],rk[3],...); nrk is in v5.4s =
+ * (...,nrk[0],nrk[1]); and we have yet to compute nrk[2] or
+ * nrk[3], which requires rklo[0] and rklo[1] in v2.4s =
+ * (rklo[0],rklo[1],...).
+ */
+
+ /* v1.4s := (nrk[0], nrk[1], nrk[1], nrk[1]) */
+ dup v1.4s, v5.4s[3]
+ mov v1.4s[0], v5.4s[2]
+
+ /*
+ * v6.4s := (0, 0, rklo[0], rklo[1])
+ * v7.4s := (0, 0, 0, rklo[0])
+ */
+ ext v6.16b, v0.16b, v2.16b, #8
+ ext v7.16b, v0.16b, v2.16b, #4
+
+ /* v3.4s := (nrk[0], nrk[1], nrk[2], nrk[3]) */
+ eor v3.16b, v1.16b, v6.16b
+ eor v3.16b, v3.16b, v7.16b
+
+ /*
+ * Recall v2.4s = (rk[0], rk[1], xxx, xxx)
+ * and v5.4s = (rk[2], rk[3], xxx, xxx). Set
+ * v2.4s := (rk[0], rk[1], rk[2], rk[3])
+ */
+ mov v2.2d[1], v5.2d[0]
+
+ /* store two round keys */
+ stp q2, q3, [x0], #0x20
+
+ /*
+ * Live vector registers at this point:
+ *
+ * q0 = zero
+ * q2 = rk
+ * q3 = nrk
+ * v5.4s = (rk[2], rk[3], nrk[0], nrk[1])
+ * q8 = unshiftrows_rotword_1
+ * q9 = unshiftrows_rotword_3
+ *
+ * We have to compute, in q1:
+ *
+ * nnrk[0] := Rot(Sub(nrk[3])) ^ RCON' ^ rk[2]
+ * nnrk[1] := Rot(Sub(nrk[3])) ^ RCON' ^ rk[2] ^ rk[3]
+ * nnrk[2] := Rot(Sub(nrk[3])) ^ RCON' ^ rk[2] ^ rk[3] ^ nrk[0]
+ * nnrk[3] := Rot(Sub(nrk[3])) ^ RCON' ^ rk[2] ^ rk[3] ^ nrk[0]
+ * ^ nrk[1]
+ *
+ * And, if there's any more afterward, in q2:
+ *
+ * nnnrklo[0] := Rot(Sub(nrk[3])) ^ RCON' ^ rk[2] ^ rk[3] ^ nrk[0]
+ * ^ nrk[1] ^ nrk[2]
+ * nnnrklo[1] := Rot(Sub(nrk[3])) ^ RCON' ^ rk[2] ^ rk[3] ^ nrk[0]
+ * ^ nrk[1] ^ nrk[2] ^ nrk[3]
+ */
+
+ /* q1 := RotWords(SubBytes(q3)) */
+ mov v1.16b, v3.16b
+ aese v1.16b, v0.16b
+
+ /* v1.4s[i] := RotWords(SubBytes(nrk[3])) ^ RCON' */
+ ld1r {v4.4s}, [x3], #4
+ tbl v1.16b, {v1.16b}, v9.16b
+ eor v1.16b, v1.16b, v4.16b
+
+ /*
+ * v5.4s := (rk[2], rk[3], nrk[0], nrk[1]) [already]
+ * v4.4s := (0, rk[2], rk[3], nrk[0])
+ * v6.4s := (0, 0, rk[2], rk[3])
+ * v7.4s := (0, 0, 0, rk[2])
+ */
+ ext v4.16b, v0.16b, v5.16b, #12
+ ext v6.16b, v0.16b, v5.16b, #8
+ ext v7.16b, v0.16b, v5.16b, #4
+
+ /* v1.4s := (nnrk[0], nnrk[1], nnrk[2], nnrk[3]) */
+ eor v1.16b, v1.16b, v5.16b
+ eor v1.16b, v1.16b, v4.16b
+ eor v1.16b, v1.16b, v6.16b
+ eor v1.16b, v1.16b, v7.16b
+
+ subs x2, x2, #3 /* count down three rounds */
+ str q1, [x0], #0x10 /* store third round key */
+ b.eq 2f
+
+ /*
+ * v4.4s := (nrk[2], nrk[3], xxx, xxx)
+ * v5.4s := (0, nrk[2], xxx, xxx)
+ */
+ ext v4.16b, v3.16b, v0.16b, #8
+ ext v5.16b, v0.16b, v4.16b, #12
+
+ /* v2.4s := (nnrk[3], nnrk[3], xxx, xxx) */
+ dup v2.4s, v1.4s[3]
+
+ /*
+ * v2.4s := (nnnrklo[0] = nnrk[3] ^ nrk[2],
+ * nnnrklo[1] = nnrk[3] ^ nrk[2] ^ nrk[3],
+ * xxx, xxx)
+ */
+ eor v2.16b, v2.16b, v4.16b
+ eor v2.16b, v2.16b, v5.16b
+
+ b 1b
+
+2: ret
+END(aesarm_setenckey192)
+
+/*
+ * aesarm_setenckey256(struct aesenc *enckey@x0, const uint8_t key[32] @x1)
+ *
+ * Expand a 32-byte AES-256 key into 14 round keys.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_setenckey256)
+ /* q1 := key[0:128), q2 := key[128:256) */
+ ldp q1, q2, [x1], #0x20
+
+ adrl x4, unshiftrows_rotword_3
+ adrl x5, unshiftrows_3
+ eor v0.16b, v0.16b, v0.16b /* q0 := 0 */
+ ldr q8, [x4] /* q8 := unshiftrows_rotword_3 */
+ ldr q9, [x5] /* q9 := unshiftrows_3 */
+
+ /* store master key as first two round keys */
+ stp q1, q2, [x0], #0x20
+ mov x2, #14 /* round count */
+ adrl x3, rcon /* round constant */
+
+1: /*
+ * q0 = 0
+ * v1.4s = (pprk[0], pprk[1], pprk[2], pprk[3])
+ * v2.4s = (prk[0], prk[1], prk[2], prk[3])
+ * x2 = round count
+ * x3 = rcon pointer
+ */
+
+ /* q3 := ShiftRows(SubBytes(q2)) */
+ mov v3.16b, v2.16b
+ aese v3.16b, v0.16b
+
+ /* v3.4s[i] := RotWords(SubBytes(prk[3])) ^ RCON */
+ ld1r {v4.4s}, [x3], #4
+ tbl v3.16b, {v3.16b}, v8.16b
+ eor v3.16b, v3.16b, v4.16b
+
+ /*
+ * v5.4s := (0,pprk[0],pprk[1],pprk[2])
+ * v6.4s := (0,0,pprk[0],pprk[1])
+ * v7.4s := (0,0,0,pprk[0])
+ */
+ ext v5.16b, v0.16b, v1.16b, #12
+ ext v6.16b, v0.16b, v1.16b, #8
+ ext v7.16b, v0.16b, v1.16b, #4
+
+ /* v1.4s := (rk[0], rk[1], rk[2], rk[3]) */
+ eor v1.16b, v1.16b, v3.16b
+ eor v1.16b, v1.16b, v5.16b
+ eor v1.16b, v1.16b, v6.16b
+ eor v1.16b, v1.16b, v7.16b
+
+ subs x2, x2, #2 /* count down two rounds */
+ b.eq 2f /* stop if this is the last one */
+
+ /* q3 := ShiftRows(SubBytes(q1)) */
+ mov v3.16b, v1.16b
+ aese v3.16b, v0.16b
+
+ /* v3.4s[i] := SubBytes(rk[3]) */
+ tbl v3.16b, {v3.16b}, v9.16b
+
+ /*
+ * v5.4s := (0,prk[0],prk[1],prk[2])
+ * v6.4s := (0,0,prk[0],prk[1])
+ * v7.4s := (0,0,0,prk[0])
+ */
+ ext v5.16b, v0.16b, v2.16b, #12
+ ext v6.16b, v0.16b, v2.16b, #8
+ ext v7.16b, v0.16b, v2.16b, #4
+
+ /* v2.4s := (nrk[0], nrk[1], nrk[2], nrk[3]) */
+ eor v2.16b, v2.16b, v3.16b
+ eor v2.16b, v2.16b, v5.16b
+ eor v2.16b, v2.16b, v6.16b
+ eor v2.16b, v2.16b, v7.16b
+
+ stp q1, q2, [x0], #0x20 /* store two round keys */
+ b 1b
+
+2: str q1, [x0] /* store last round key */
+ ret
+END(aesarm_setenckey256)
+
+/*
+ * aesarm_enctodec(const struct aesenc *enckey@x0, struct aesdec *deckey@x1,
+ * uint32_t nrounds@x2)
+ *
+ * Convert AES encryption round keys to AES decryption round keys.
+ * `rounds' must be between 10 and 14.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_enctodec)
+ ldr q0, [x0, x2, lsl #4] /* load last round key */
+1: str q0, [x1], #0x10 /* store round key */
+ subs x2, x2, #1 /* count down round */
+ ldr q0, [x0, x2, lsl #4] /* load previous round key */
+ b.eq 2f /* stop if this is the last one */
+ aesimc v0.16b, v0.16b /* convert encryption to decryption */
+ b 1b
+2: str q0, [x1] /* store first round key verbatim */
+ ret
+END(aesarm_enctodec)
+
+/*
+ * aesarm_enc(const struct aesenc *enckey@x0, const uint8_t in[16] @x1,
+ * uint8_t out[16] @x2, uint32_t nrounds@x3)
+ *
+ * Encrypt a single block.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_enc)
+ stp fp, lr, [sp, #-16]! /* push stack frame */
+ mov fp, sp
+ ldr q0, [x1] /* q0 := block */
+ bl aesarm_enc1
+ str q0, [x2] /* store block */
+ ldp fp, lr, [sp], #16 /* pop stack frame */
+ ret
+END(aesarm_enc)
+
+/*
+ * aesarm_dec(const struct aesdec *deckey@x0, const uint8_t in[16] @x1,
+ * uint8_t out[16] @x2, uint32_t nrounds@x3)
+ *
+ * Decrypt a single block.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_dec)
+ stp fp, lr, [sp, #-16]! /* push stack frame */
+ mov fp, sp
+ ldr q0, [x1] /* q0 := block */
+ bl aesarm_dec1
+ str q0, [x2] /* store block */
+ ldp fp, lr, [sp], #16 /* pop stack frame */
+ ret
+END(aesarm_dec)
+
+/*
+ * aesarm_cbc_enc(const struct aesenc *enckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, uint8_t iv[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Encrypt a contiguous sequence of blocks with AES-CBC.
+ *
+ * nbytes must be an integral multiple of 16.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_cbc_enc)
+ cbz x3, 2f /* stop if nothing to do */
+ stp fp, lr, [sp, #-16]! /* push stack frame */
+ mov fp, sp
+ mov x9, x0 /* x9 := enckey */
+ mov x10, x3 /* x10 := nbytes */
+ ldr q0, [x4] /* q0 := chaining value */
+1: ldr q1, [x1], #0x10 /* q1 := plaintext block */
+ eor v0.16b, v0.16b, v1.16b /* q0 := cv ^ ptxt */
+ mov x0, x9 /* x0 := enckey */
+ mov x3, x5 /* x3 := nrounds */
+ bl aesarm_enc1 /* q0 := ciphertext block */
+ subs x10, x10, #0x10 /* count down nbytes */
+ str q0, [x2], #0x10 /* store ciphertext block */
+ b.ne 1b /* repeat if x10 is nonzero */
+ str q0, [x4] /* store chaining value */
+ ldp fp, lr, [sp], #16 /* pop stack frame */
+2: ret
+END(aesarm_cbc_enc)
+
+/*
+ * aesarm_cbc_dec1(const struct aesdec *deckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, const uint8_t iv[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Decrypt a contiguous sequence of blocks with AES-CBC.
+ *
+ * nbytes must be a positive integral multiple of 16. This routine
+ * is not vectorized; use aesarm_cbc_dec8 for >=8 blocks at once.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_cbc_dec1)
+ stp fp, lr, [sp, #-32]! /* push stack frame with uint128 */
+ mov fp, sp
+ ldr q8, [x4] /* q8 := iv */
+ str q8, [sp, #16] /* save iv */
+ mov x9, x0 /* x9 := enckey */
+ mov x10, x3 /* x10 := nbytes */
+ add x1, x1, x3 /* x1 := pointer past end of in */
+ add x2, x2, x3 /* x2 := pointer past end of out */
+ ldr q0, [x1, #-0x10]! /* q0 := last ciphertext block */
+ str q0, [x4] /* update iv */
+1: mov x0, x9 /* x0 := enckey */
+ mov x3, x5 /* x3 := nrounds */
+ bl aesarm_dec1 /* q0 := cv ^ ptxt; trash x0/x3 */
+ subs x10, x10, #0x10 /* count down nbytes */
+ b.eq 2f /* stop if this is the first block */
+ ldr q8, [x1, #-0x10]! /* q8 := chaining value */
+ eor v0.16b, v0.16b, v8.16b /* q0 := plaintext block */
+ str q0, [x2, #-0x10]! /* store plaintext block */
+ mov v0.16b, v8.16b /* move cv = ciphertext block */
+ b 1b
+2: ldr q8, [sp, #16] /* q8 := iv */
+ eor v0.16b, v0.16b, v8.16b /* q0 := first plaintext block */
+ str q0, [x2, #-0x10]! /* store first plaintext block */
+ ldp fp, lr, [sp], #32 /* pop stack frame */
+ ret
+END(aesarm_cbc_dec1)
+
+/*
+ * aesarm_cbc_dec8(const struct aesdec *deckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, const uint8_t iv[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Decrypt a contiguous sequence of 8-block units with AES-CBC.
+ *
+ * nbytes must be a positive integral multiple of 128.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_cbc_dec8)
+ stp fp, lr, [sp, #-32]! /* push stack frame with uint128 */
+ mov fp, sp
+ ldr q8, [x4] /* q8 := iv */
+ str q8, [sp, #16] /* save iv */
+ mov x9, x0 /* x9 := enckey */
+ mov x10, x3 /* x10 := nbytes */
+ add x1, x1, x3 /* x1 := pointer past end of in */
+ add x2, x2, x3 /* x2 := pointer past end of out */
+ ldp q6, q7, [x1, #-0x20]! /* q6, q7 := last ciphertext blocks */
+ str q7, [x4] /* update iv */
+1: ldp q4, q5, [x1, #-0x20]!
+ ldp q2, q3, [x1, #-0x20]!
+ ldp q0, q1, [x1, #-0x20]!
+ mov v15.16b, v6.16b /* q[8+i] := cv[i], 0<i<8 */
+ mov v14.16b, v5.16b
+ mov v13.16b, v4.16b
+ mov v12.16b, v3.16b
+ mov v11.16b, v2.16b
+ mov v10.16b, v1.16b
+ mov v9.16b, v0.16b
+ mov x0, x9 /* x0 := enckey */
+ mov x3, x5 /* x3 := nrounds */
+ bl aesarm_dec8 /* q[i] := cv[i] ^ pt[i] */
+ eor v7.16b, v7.16b, v15.16b /* q[i] := pt[i] */
+ eor v6.16b, v6.16b, v14.16b
+ eor v5.16b, v5.16b, v13.16b
+ eor v4.16b, v4.16b, v12.16b
+ eor v3.16b, v3.16b, v11.16b
+ eor v2.16b, v2.16b, v10.16b
+ eor v1.16b, v1.16b, v9.16b
+ subs x10, x10, #0x80 /* count down nbytes */
+ stp q6, q7, [x2, #-0x20]! /* store plaintext blocks */
+ stp q4, q5, [x2, #-0x20]!
+ stp q2, q3, [x2, #-0x20]!
+ b.eq 2f /* stop if this is the first block */
+ ldp q6, q7, [x1, #-0x20]!
+ eor v0.16b, v0.16b, v7.16b /* q0 := pt0 */
+ stp q0, q1, [x2, #-0x20]!
+ b 1b
+2: ldr q8, [sp, #16] /* q8 := iv */
+ eor v0.16b, v0.16b, v8.16b /* q0 := pt0 */
+ stp q0, q1, [x2, #-0x20]! /* store first two plaintext blocks */
+ ldp fp, lr, [sp], #32 /* pop stack frame */
+ ret
+END(aesarm_cbc_dec8)
+
+/*
+ * aesarm_xts_enc1(const struct aesenc *enckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, uint8_t tweak[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Encrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 16. This routine
+ * is not vectorized; use aesarm_xts_enc8 for >=8 blocks at once.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_xts_enc1)
+ stp fp, lr, [sp, #-16]! /* push stack frame */
+ mov fp, sp
+ mov x9, x0 /* x9 := enckey */
+ mov x10, x3 /* x10 := nbytes */
+ ldr q9, [x4] /* q9 := tweak */
+1: ldr q0, [x1], #0x10 /* q0 := ptxt */
+ mov x0, x9 /* x0 := enckey */
+ mov x3, x5 /* x3 := nrounds */
+ eor v0.16b, v0.16b, v9.16b /* q0 := ptxt ^ tweak */
+ bl aesarm_enc1 /* q0 := AES(ptxt ^ tweak) */
+ eor v0.16b, v0.16b, v9.16b /* q0 := AES(ptxt ^ tweak) ^ tweak */
+ str q0, [x2], #0x10 /* store ciphertext block */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ subs x10, x10, #0x10 /* count down nbytes */
+ b.ne 1b /* repeat if more blocks */
+ str q9, [x4] /* update tweak */
+ ldp fp, lr, [sp], #16 /* pop stack frame */
+ ret
+END(aesarm_xts_enc1)
+
+/*
+ * aesarm_xts_enc8(const struct aesenc *enckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, uint8_t tweak[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Encrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 128.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_xts_enc8)
+ stp fp, lr, [sp, #-48]! /* push stack frame uint128[2] */
+ mov fp, sp
+ mov x9, x0 /* x9 := enckey */
+ mov x10, x3 /* x10 := nbytes */
+ ldr q9, [x4] /* q9 := tweak */
+1: str q9, [sp, #16] /* save tweak[0] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ str q9, [sp, #32] /* save tweak[1] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v10.16b, v9.16b /* q10 := tweak[2] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v11.16b, v9.16b /* q11 := tweak[3] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v12.16b, v9.16b /* q11 := tweak[4] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v13.16b, v9.16b /* q11 := tweak[5] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v14.16b, v9.16b /* q11 := tweak[6] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v15.16b, v9.16b /* q11 := tweak[7] */
+ ldp q8, q9, [sp, #16] /* q8 := tweak[0], q9 := tweak[1] */
+ ldp q0, q1, [x1], #0x20 /* q[i] := pt[i] */
+ ldp q2, q3, [x1], #0x20
+ ldp q4, q5, [x1], #0x20
+ ldp q6, q7, [x1], #0x20
+ eor v0.16b, v0.16b, v8.16b /* q[i] := pt[i] ^ tweak[i] */
+ eor v1.16b, v1.16b, v9.16b
+ eor v2.16b, v2.16b, v10.16b
+ eor v3.16b, v3.16b, v11.16b
+ eor v4.16b, v4.16b, v12.16b
+ eor v5.16b, v5.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ eor v7.16b, v7.16b, v15.16b
+ mov x0, x9 /* x0 := enckey */
+ mov x3, x5 /* x3 := nrounds */
+ bl aesarm_enc8 /* encrypt q0,...,q7; trash x0/x3/q8 */
+ ldr q8, [sp, #16] /* reload q8 := tweak[0] */
+ eor v1.16b, v1.16b, v9.16b /* q[i] := AES(...) ^ tweak[i] */
+ eor v2.16b, v2.16b, v10.16b
+ eor v3.16b, v3.16b, v11.16b
+ eor v0.16b, v0.16b, v8.16b
+ eor v4.16b, v4.16b, v12.16b
+ eor v5.16b, v5.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ eor v7.16b, v7.16b, v15.16b
+ stp q0, q1, [x2], #0x20 /* store ciphertext blocks */
+ stp q2, q3, [x2], #0x20 /* store ciphertext blocks */
+ stp q4, q5, [x2], #0x20 /* store ciphertext blocks */
+ stp q6, q7, [x2], #0x20 /* store ciphertext blocks */
+ mov v9.16b, v15.16b /* q9 := q15 = tweak[7] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ subs x10, x10, #0x80 /* count down nbytes */
+ b.ne 1b /* repeat if more block groups */
+ str q9, [x4] /* update tweak */
+ ldp fp, lr, [sp], #48 /* pop stack frame */
+ ret
+END(aesarm_xts_enc8)
+
+/*
+ * aesarm_xts_dec1(const struct aesdec *deckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, uint8_t tweak[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Decrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 16. This routine
+ * is not vectorized; use aesarm_xts_dec8 for >=8 blocks at once.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_xts_dec1)
+ stp fp, lr, [sp, #-16]! /* push stack frame */
+ mov fp, sp
+ mov x9, x0 /* x9 := deckey */
+ mov x10, x3 /* x10 := nbytes */
+ ldr q9, [x4] /* q9 := tweak */
+1: ldr q0, [x1], #0x10 /* q0 := ptxt */
+ mov x0, x9 /* x0 := deckey */
+ mov x3, x5 /* x3 := nrounds */
+ eor v0.16b, v0.16b, v9.16b /* q0 := ptxt ^ tweak */
+ bl aesarm_dec1 /* q0 := AES(ptxt ^ tweak) */
+ eor v0.16b, v0.16b, v9.16b /* q0 := AES(ptxt ^ tweak) ^ tweak */
+ str q0, [x2], #0x10 /* store ciphertext block */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ subs x10, x10, #0x10 /* count down nbytes */
+ b.ne 1b /* repeat if more blocks */
+ str q9, [x4] /* update tweak */
+ ldp fp, lr, [sp], #16 /* pop stack frame */
+ ret
+END(aesarm_xts_dec1)
+
+/*
+ * aesarm_xts_dec8(const struct aesdec *deckey@x0, const uint8_t *in@x1,
+ * uint8_t *out@x2, size_t nbytes@x3, uint8_t tweak[16] @x4,
+ * uint32_t nrounds@x5)
+ *
+ * Decrypt a contiguous sequence of blocks with AES-XTS.
+ *
+ * nbytes must be a positive integral multiple of 128.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_xts_dec8)
+ stp fp, lr, [sp, #-48]! /* push stack frame uint128[2] */
+ mov fp, sp
+ mov x9, x0 /* x9 := deckey */
+ mov x10, x3 /* x10 := nbytes */
+ ldr q9, [x4] /* q9 := tweak */
+1: str q9, [sp, #16] /* save tweak[0] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ str q9, [sp, #32] /* save tweak[1] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v10.16b, v9.16b /* q10 := tweak[2] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v11.16b, v9.16b /* q11 := tweak[3] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v12.16b, v9.16b /* q11 := tweak[4] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v13.16b, v9.16b /* q11 := tweak[5] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v14.16b, v9.16b /* q11 := tweak[6] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ mov v15.16b, v9.16b /* q11 := tweak[7] */
+ ldp q8, q9, [sp, #16] /* q8 := tweak[0], q9 := tweak[1] */
+ ldp q0, q1, [x1], #0x20 /* q[i] := pt[i] */
+ ldp q2, q3, [x1], #0x20
+ ldp q4, q5, [x1], #0x20
+ ldp q6, q7, [x1], #0x20
+ eor v0.16b, v0.16b, v8.16b /* q[i] := pt[i] ^ tweak[i] */
+ eor v1.16b, v1.16b, v9.16b
+ eor v2.16b, v2.16b, v10.16b
+ eor v3.16b, v3.16b, v11.16b
+ eor v4.16b, v4.16b, v12.16b
+ eor v5.16b, v5.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ eor v7.16b, v7.16b, v15.16b
+ mov x0, x9 /* x0 := deckey */
+ mov x3, x5 /* x3 := nrounds */
+ bl aesarm_dec8 /* decrypt q0,...,q7; trash x0/x3/q8 */
+ ldr q8, [sp, #16] /* reload q8 := tweak[0] */
+ eor v1.16b, v1.16b, v9.16b /* q[i] := AES(...) ^ tweak[i] */
+ eor v2.16b, v2.16b, v10.16b
+ eor v3.16b, v3.16b, v11.16b
+ eor v0.16b, v0.16b, v8.16b
+ eor v4.16b, v4.16b, v12.16b
+ eor v5.16b, v5.16b, v13.16b
+ eor v6.16b, v6.16b, v14.16b
+ eor v7.16b, v7.16b, v15.16b
+ stp q0, q1, [x2], #0x20 /* store ciphertext blocks */
+ stp q2, q3, [x2], #0x20 /* store ciphertext blocks */
+ stp q4, q5, [x2], #0x20 /* store ciphertext blocks */
+ stp q6, q7, [x2], #0x20 /* store ciphertext blocks */
+ mov v9.16b, v15.16b /* q9 := q15 = tweak[7] */
+ bl aesarm_xts_mulx /* q9 *= x; trash x0/q0/q1 */
+ subs x10, x10, #0x80 /* count down nbytes */
+ b.ne 1b /* repeat if more block groups */
+ str q9, [x4] /* update tweak */
+ ldp fp, lr, [sp], #48 /* pop stack frame */
+ ret
+END(aesarm_xts_dec8)
+
+/*
+ * aesarm_xts_mulx(tweak@q9)
+ *
+ * Multiply q9 by x, modulo x^128 + x^7 + x^2 + x + 1, in place.
+ * Uses x0 and q0/q1 as temporaries.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesarm_xts_mulx,@function
+aesarm_xts_mulx:
+ /*
+ * Simultaneously determine
+ * (a) whether the high bit of the low half must be
+ * shifted into the low bit of the high half, and
+ * (b) whether the high bit of the high half must be
+ * carried into x^128 = x^7 + x^2 + x + 1.
+ */
+ adrl x0, xtscarry
+ cmlt v1.2d, v9.2d, #0 /* v1.2d[i] := -1 if v9.2d[i] < 0, else 0 */
+ ldr q0, [x0] /* q0 := xtscarry */
+ ext v1.16b, v1.16b, v1.16b, #8 /* swap halves of q1 */
+ shl v9.2d, v9.2d, #1 /* shift */
+ and v0.16b, v0.16b, v1.16b /* copy xtscarry according to mask */
+ eor v9.16b, v9.16b, v0.16b /* incorporate (a) and (b) */
+ ret
+END(aesarm_xts_mulx)
+
+ .section .rodata
+ .align 16
+ .type xtscarry,@object
+xtscarry:
+ .byte 0x87,0,0,0, 0,0,0,0, 1,0,0,0, 0,0,0,0
+END(xtscarry)
+
+/*
+ * aesarm_xts_update(const uint8_t in[16] @x0, uint8_t out[16] @x1)
+ *
+ * Update an AES-XTS tweak.
+ *
+ * Standard ABI calling convention.
+ */
+ENTRY(aesarm_xts_update)
+ stp fp, lr, [sp, #-16]! /* push stack frame */
+ mov fp, sp
+ ldr q9, [x0] /* load tweak */
+ bl aesarm_xts_mulx /* q9 *= x */
+ str q9, [x1] /* store tweak */
+ ldp fp, lr, [sp], #16 /* pop stack frame */
+ ret
+END(aesarm_xts_update)
+
+/*
+ * aesarm_enc1(const struct aesenc *enckey@x0,
+ * uint128_t block@q0, uint32_t nrounds@x3)
+ *
+ * Encrypt a single AES block in q0.
+ *
+ * Internal ABI. Uses q8 as temporary. Destroys x0 and x3.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesarm_enc1,@function
+aesarm_enc1:
+ ldr q8, [x0], #0x10 /* load round key */
+1: subs x3, x3, #1
+ /* q0 := ShiftRows(SubBytes(AddRoundKey_q8(q0))) */
+ aese v0.16b, v8.16b
+ ldr q8, [x0], #0x10 /* load next round key */
+ b.eq 2f
+ /* q0 := MixColumns(q0) */
+ aesmc v0.16b, v0.16b
+ b 1b
+2: eor v0.16b, v0.16b, v8.16b
+ ret
+END(aesarm_enc1)
+
+/*
+ * aesarm_enc8(const struct aesenc *enckey@x0,
+ * uint128_t block0@q0, ..., uint128_t block7@q7,
+ * uint32_t nrounds@x3)
+ *
+ * Encrypt eight AES blocks in q0 through q7 in parallel.
+ *
+ * Internal ABI. Uses q8 as temporary. Destroys x0 and x3.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesarm_enc8,@function
+aesarm_enc8:
+ ldr q8, [x0], #0x10 /* load round key */
+1: subs x3, x3, #1
+ /* q[i] := ShiftRows(SubBytes(AddRoundKey_q8(q[i]))) */
+ aese v0.16b, v8.16b
+ aese v1.16b, v8.16b
+ aese v2.16b, v8.16b
+ aese v3.16b, v8.16b
+ aese v4.16b, v8.16b
+ aese v5.16b, v8.16b
+ aese v6.16b, v8.16b
+ aese v7.16b, v8.16b
+ ldr q8, [x0], #0x10 /* load next round key */
+ b.eq 2f
+ /* q[i] := MixColumns(q[i]) */
+ aesmc v0.16b, v0.16b
+ aesmc v1.16b, v1.16b
+ aesmc v2.16b, v2.16b
+ aesmc v3.16b, v3.16b
+ aesmc v4.16b, v4.16b
+ aesmc v5.16b, v5.16b
+ aesmc v6.16b, v6.16b
+ aesmc v7.16b, v7.16b
+ b 1b
+2: eor v0.16b, v0.16b, v8.16b /* AddRoundKey */
+ eor v1.16b, v1.16b, v8.16b
+ eor v2.16b, v2.16b, v8.16b
+ eor v3.16b, v3.16b, v8.16b
+ eor v4.16b, v4.16b, v8.16b
+ eor v5.16b, v5.16b, v8.16b
+ eor v6.16b, v6.16b, v8.16b
+ eor v7.16b, v7.16b, v8.16b
+ ret
+END(aesarm_enc8)
+
+/*
+ * aesarm_dec1(const struct aesdec *deckey@x0,
+ * uint128_t block@q0, uint32_t nrounds@x3)
+ *
+ * Decrypt a single AES block in q0.
+ *
+ * Internal ABI. Uses q8 as temporary. Destroys x0 and x3.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesarm_dec1,@function
+aesarm_dec1:
+ ldr q8, [x0], #0x10 /* load round key */
+1: subs x3, x3, #1
+ /* q0 := InSubBytes(InShiftRows(AddRoundKey_q8(q0))) */
+ aesd v0.16b, v8.16b
+ ldr q8, [x0], #0x10 /* load next round key */
+ b.eq 2f
+ /* q0 := InMixColumns(q0) */
+ aesimc v0.16b, v0.16b
+ b 1b
+2: eor v0.16b, v0.16b, v8.16b
+ ret
+END(aesarm_dec1)
+
+/*
+ * aesarm_dec8(const struct aesdec *deckey@x0,
+ * uint128_t block0@q0, ..., uint128_t block7@q7,
+ * uint32_t nrounds@x3)
+ *
+ * Decrypt eight AES blocks in q0 through q7 in parallel.
+ *
+ * Internal ABI. Uses q8 as temporary. Destroys x0 and x3.
+ */
+ .text
+ _ALIGN_TEXT
+ .type aesarm_dec8,@function
+aesarm_dec8:
+ ldr q8, [x0], #0x10 /* load round key */
+1: subs x3, x3, #1
+ /* q[i] := InSubBytes(InShiftRows(AddRoundKey_q8(q[i]))) */
+ aesd v0.16b, v8.16b
+ aesd v1.16b, v8.16b
+ aesd v2.16b, v8.16b
+ aesd v3.16b, v8.16b
+ aesd v4.16b, v8.16b
+ aesd v5.16b, v8.16b
+ aesd v6.16b, v8.16b
+ aesd v7.16b, v8.16b
+ ldr q8, [x0], #0x10 /* load next round key */
+ b.eq 2f
+ /* q[i] := InMixColumns(q[i]) */
+ aesimc v0.16b, v0.16b
+ aesimc v1.16b, v1.16b
+ aesimc v2.16b, v2.16b
+ aesimc v3.16b, v3.16b
+ aesimc v4.16b, v4.16b
+ aesimc v5.16b, v5.16b
+ aesimc v6.16b, v6.16b
+ aesimc v7.16b, v7.16b
+ b 1b
+2: eor v0.16b, v0.16b, v8.16b /* AddRoundKey */
+ eor v1.16b, v1.16b, v8.16b
+ eor v2.16b, v2.16b, v8.16b
+ eor v3.16b, v3.16b, v8.16b
+ eor v4.16b, v4.16b, v8.16b
+ eor v5.16b, v5.16b, v8.16b
+ eor v6.16b, v6.16b, v8.16b
+ eor v7.16b, v7.16b, v8.16b
+ ret
+END(aesarm_dec8)
diff -r fea7aeacc09c -r 87d9e1c86afc sys/crypto/aes/arch/aarch64/files.aesarm
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/aarch64/files.aesarm Sat Jun 13 16:43:32 2020 +0000
@@ -0,0 +1,4 @@
+# $NetBSD$
+
+file crypto/aes/arch/aarch64/aes_arm.c aes
+file crypto/aes/arch/aarch64/aesarmfunc.S aes
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592164233 0
# Sun Jun 14 19:50:33 2020 +0000
# Branch trunk
# Node ID 3ded3c0a82b5fec12d521ba1d98285d446d016d9
# Parent 87d9e1c86afcd441a167bf5f6d485e98d8094594
# EXP-Topic riastradh-kernelcrypto
glxsb(4): Remove rijndael dependency.
This doesn't actually seem to depend on it in any way.
XXX Compile-tested only.
diff -r 87d9e1c86afc -r 3ded3c0a82b5 sys/arch/i386/conf/files.i386
--- a/sys/arch/i386/conf/files.i386 Sat Jun 13 16:43:32 2020 +0000
+++ b/sys/arch/i386/conf/files.i386 Sun Jun 14 19:50:33 2020 +0000
@@ -416,7 +416,7 @@ obsolete defparam opt_vesafb.h VESAFB_WI
obsolete defflag opt_vesafb.h VESAFB_PM
# AMD Geode LX Security Block
-device glxsb: opencrypto, rijndael
+device glxsb: opencrypto
attach glxsb at pci
file arch/i386/pci/glxsb.c glxsb
diff -r 87d9e1c86afc -r 3ded3c0a82b5 sys/arch/i386/pci/glxsb.c
--- a/sys/arch/i386/pci/glxsb.c Sat Jun 13 16:43:32 2020 +0000
+++ b/sys/arch/i386/pci/glxsb.c Sun Jun 14 19:50:33 2020 +0000
@@ -44,7 +44,6 @@
#include <dev/pci/pcidevs.h>
#include <opencrypto/cryptodev.h>
-#include <crypto/rijndael/rijndael.h>
#define SB_GLD_MSR_CAP 0x58002000 /* RO - Capabilities */
#define SB_GLD_MSR_CONFIG 0x58002001 /* RW - Master Config */
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592164303 0
# Sun Jun 14 19:51:43 2020 +0000
# Branch trunk
# Node ID 0eb81d1b858c9205fde1d048bd1fa6640ec93928
# Parent 3ded3c0a82b5fec12d521ba1d98285d446d016d9
# EXP-Topic riastradh-kernelcrypto
padlock(4): Convert legacy rijndael API to new aes API.
XXX Compile-tested only.
XXX The byte-order business here seems highly questionable.
diff -r 3ded3c0a82b5 -r 0eb81d1b858c sys/arch/x86/conf/files.x86
--- a/sys/arch/x86/conf/files.x86 Sun Jun 14 19:50:33 2020 +0000
+++ b/sys/arch/x86/conf/files.x86 Sun Jun 14 19:51:43 2020 +0000
@@ -59,7 +59,7 @@ device odcm
attach odcm at cpufeaturebus
file arch/x86/x86/odcm.c odcm
-device padlock: opencrypto, rijndael
+device padlock: opencrypto, aes
attach padlock at cpufeaturebus
file arch/x86/x86/via_padlock.c padlock
diff -r 3ded3c0a82b5 -r 0eb81d1b858c sys/arch/x86/include/via_padlock.h
--- a/sys/arch/x86/include/via_padlock.h Sun Jun 14 19:50:33 2020 +0000
+++ b/sys/arch/x86/include/via_padlock.h Sun Jun 14 19:51:43 2020 +0000
@@ -25,7 +25,8 @@
#include <sys/rndsource.h>
#include <sys/callout.h>
-#include <crypto/rijndael/rijndael.h>
+
+#include <crypto/aes/aes.h>
/* VIA C3 xcrypt-* instruction context control options */
#define C3_CRYPT_CWLO_ROUND_M 0x0000000f
@@ -43,9 +44,8 @@
#define C3_CRYPT_CWLO_KEY256 0x0000080e /* 256bit, 15 rds */
struct via_padlock_session {
- uint32_t ses_ekey[4 * (RIJNDAEL_MAXNR + 1) + 4]; /* 128 bit aligned */
- uint32_t ses_dkey[4 * (RIJNDAEL_MAXNR + 1) + 4]; /* 128 bit aligned */
- uint8_t ses_iv[16]; /* 128 bit aligned */
+ struct aesenc ses_ekey;
+ struct aesdec ses_dkey;
uint32_t ses_cw0;
struct swcr_data *swd;
int ses_klen;
diff -r 3ded3c0a82b5 -r 0eb81d1b858c sys/arch/x86/x86/via_padlock.c
--- a/sys/arch/x86/x86/via_padlock.c Sun Jun 14 19:50:33 2020 +0000
+++ b/sys/arch/x86/x86/via_padlock.c Sun Jun 14 19:51:43 2020 +0000
@@ -37,10 +37,11 @@
#include <machine/cpufunc.h>
#include <machine/cpuvar.h>
+#include <crypto/aes/aes.h>
+
#include <opencrypto/cryptodev.h>
#include <opencrypto/cryptosoft.h>
#include <opencrypto/xform.h>
-#include <crypto/rijndael/rijndael.h>
#include <opencrypto/cryptosoft_xform.c>
@@ -176,12 +177,18 @@ via_padlock_crypto_newsession(void *arg,
case CRYPTO_AES_CBC:
switch (c->cri_klen) {
case 128:
+ aes_setenckey128(&ses->ses_ekey, c->cri_key);
+ aes_setdeckey128(&ses->ses_dkey, c->cri_key);
cw0 = C3_CRYPT_CWLO_KEY128;
break;
case 192:
+ aes_setenckey192(&ses->ses_ekey, c->cri_key);
+ aes_setdeckey192(&ses->ses_dkey, c->cri_key);
cw0 = C3_CRYPT_CWLO_KEY192;
break;
case 256:
+ aes_setenckey256(&ses->ses_ekey, c->cri_key);
+ aes_setdeckey256(&ses->ses_dkey, c->cri_key);
cw0 = C3_CRYPT_CWLO_KEY256;
break;
default:
@@ -194,14 +201,12 @@ via_padlock_crypto_newsession(void *arg,
ses->ses_klen = c->cri_klen;
ses->ses_cw0 = cw0;
- /* Build expanded keys for both directions */
- rijndaelKeySetupEnc(ses->ses_ekey, c->cri_key,
- c->cri_klen);
- rijndaelKeySetupDec(ses->ses_dkey, c->cri_key,
- c->cri_klen);
- for (i = 0; i < 4 * (RIJNDAEL_MAXNR + 1); i++) {
- ses->ses_ekey[i] = ntohl(ses->ses_ekey[i]);
- ses->ses_dkey[i] = ntohl(ses->ses_dkey[i]);
+ /* Convert words to host byte order (???) */
+ for (i = 0; i < 4 * (AES_256_NROUNDS + 1); i++) {
+ ses->ses_ekey.aese_aes.aes_rk[i] =
+ ntohl(ses->ses_ekey.aese_aes.aes_rk[i]);
+ ses->ses_dkey.aesd_aes.aes_rk[i] =
+ ntohl(ses->ses_dkey.aesd_aes.aes_rk[i]);
}
break;
@@ -379,7 +384,7 @@ via_padlock_crypto_encdec(struct cryptop
if (crd->crd_flags & CRD_F_ENCRYPT) {
sc->op_cw[0] = ses->ses_cw0 | C3_CRYPT_CWLO_ENCRYPT;
- key = ses->ses_ekey;
+ key = ses->ses_ekey.aese_aes.aes_rk;
if (crd->crd_flags & CRD_F_IV_EXPLICIT)
memcpy(sc->op_iv, crd->crd_iv, 16);
else
@@ -398,7 +403,7 @@ via_padlock_crypto_encdec(struct cryptop
}
} else {
sc->op_cw[0] = ses->ses_cw0 | C3_CRYPT_CWLO_DECRYPT;
- key = ses->ses_dkey;
+ key = ses->ses_dkey.aesd_aes.aes_rk;
if (crd->crd_flags & CRD_F_IV_EXPLICIT)
memcpy(sc->op_iv, crd->crd_iv, 16);
else {
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592164567 0
# Sun Jun 14 19:56:07 2020 +0000
# Branch trunk
# Node ID f2bfdffcb27b2e0de26513dbac99e057635654bb
# Parent 0eb81d1b858c9205fde1d048bd1fa6640ec93928
# EXP-Topic riastradh-kernelcrypto
cgd(4): Switch from legacy rijndael API to new aes API.
diff -r 0eb81d1b858c -r f2bfdffcb27b sys/conf/files
--- a/sys/conf/files Sun Jun 14 19:51:43 2020 +0000
+++ b/sys/conf/files Sun Jun 14 19:56:07 2020 +0000
@@ -1395,7 +1395,7 @@ file dev/ic/amdccp.c amdccp
defpseudodev vnd: disk
defflag opt_vnd.h VND_COMPRESSION
defpseudo ccd: disk
-defpseudodev cgd: disk, des, blowfish, cast128, rijndael
+defpseudodev cgd: disk, des, blowfish, cast128, aes
defpseudodev md: disk
defpseudodev fss: disk
diff -r 0eb81d1b858c -r f2bfdffcb27b sys/dev/cgd_crypto.c
--- a/sys/dev/cgd_crypto.c Sun Jun 14 19:51:43 2020 +0000
+++ b/sys/dev/cgd_crypto.c Sun Jun 14 19:56:07 2020 +0000
@@ -45,9 +45,9 @@
#include <dev/cgd_crypto.h>
+#include <crypto/aes/aes.h>
#include <crypto/blowfish/blowfish.h>
#include <crypto/des/des.h>
-#include <crypto/rijndael/rijndael-api-fst.h>
/*
* The general framework provides only one generic function.
@@ -114,8 +114,9 @@ cryptfuncs_find(const char *alg)
*/
struct aes_privdata {
- keyInstance ap_enckey;
- keyInstance ap_deckey;
+ struct aesenc ap_enckey;
+ struct aesdec ap_deckey;
+ uint32_t ap_nrounds;
};
static void *
@@ -132,8 +133,23 @@ cgd_cipher_aes_cbc_init(size_t keylen, c
if (*blocksize != 128)
return NULL;
ap = kmem_zalloc(sizeof(*ap), KM_SLEEP);
- rijndael_makeKey(&ap->ap_enckey, DIR_ENCRYPT, keylen, key);
- rijndael_makeKey(&ap->ap_deckey, DIR_DECRYPT, keylen, key);
+ switch (keylen) {
+ case 128:
+ aes_setenckey128(&ap->ap_enckey, key);
+ aes_setdeckey128(&ap->ap_deckey, key);
+ ap->ap_nrounds = AES_128_NROUNDS;
+ break;
+ case 192:
+ aes_setenckey192(&ap->ap_enckey, key);
+ aes_setdeckey192(&ap->ap_deckey, key);
+ ap->ap_nrounds = AES_192_NROUNDS;
+ break;
+ case 256:
+ aes_setenckey256(&ap->ap_enckey, key);
+ aes_setdeckey256(&ap->ap_deckey, key);
+ ap->ap_nrounds = AES_256_NROUNDS;
+ break;
+ }
return ap;
}
@@ -152,25 +168,18 @@ cgd_cipher_aes_cbc(void *privdata, void
{
struct aes_privdata *apd = privdata;
uint8_t iv[CGD_AES_BLOCK_SIZE] = {0};
- cipherInstance cipher;
- int cipher_ok __diagused;
/* Compute the CBC IV as AES_k(blkno). */
- cipher_ok = rijndael_cipherInit(&cipher, MODE_ECB, NULL);
- KASSERT(cipher_ok > 0);
- rijndael_blockEncrypt(&cipher, &apd->ap_enckey, blkno, /*nbits*/128,
- iv);
+ aes_enc(&apd->ap_enckey, blkno, iv, apd->ap_nrounds);
- cipher_ok = rijndael_cipherInit(&cipher, MODE_CBC, iv);
- KASSERT(cipher_ok > 0);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
- rijndael_blockEncrypt(&cipher, &apd->ap_enckey, src,
- /*nbits*/nbytes * 8, dst);
+ aes_cbc_enc(&apd->ap_enckey, src, dst, nbytes, iv,
+ apd->ap_nrounds);
break;
case CGD_CIPHER_DECRYPT:
- rijndael_blockDecrypt(&cipher, &apd->ap_deckey, src,
- /*nbits*/nbytes * 8, dst);
+ aes_cbc_dec(&apd->ap_deckey, src, dst, nbytes, iv,
+ apd->ap_nrounds);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
@@ -182,9 +191,10 @@ cgd_cipher_aes_cbc(void *privdata, void
*/
struct aesxts {
- keyInstance ax_enckey;
- keyInstance ax_deckey;
- keyInstance ax_tweakkey;
+ struct aesenc ax_enckey;
+ struct aesdec ax_deckey;
+ struct aesenc ax_tweakkey;
+ uint32_t ax_nrounds;
};
static void *
@@ -207,9 +217,20 @@ cgd_cipher_aes_xts_init(size_t keylen, c
key = xtskey;
key2 = key + keylen / CHAR_BIT;
- rijndael_makeKey(&ax->ax_enckey, DIR_ENCRYPT, keylen, key);
- rijndael_makeKey(&ax->ax_deckey, DIR_DECRYPT, keylen, key);
- rijndael_makeKey(&ax->ax_tweakkey, DIR_ENCRYPT, keylen, key2);
+ switch (keylen) {
+ case 128:
+ aes_setenckey128(&ax->ax_enckey, key);
+ aes_setdeckey128(&ax->ax_deckey, key);
+ aes_setenckey128(&ax->ax_tweakkey, key2);
+ ax->ax_nrounds = AES_128_NROUNDS;
+ break;
+ case 256:
+ aes_setenckey256(&ax->ax_enckey, key);
+ aes_setdeckey256(&ax->ax_deckey, key);
+ aes_setenckey256(&ax->ax_tweakkey, key2);
+ ax->ax_nrounds = AES_256_NROUNDS;
+ break;
+ }
return ax;
}
@@ -229,25 +250,18 @@ cgd_cipher_aes_xts(void *cookie, void *d
{
struct aesxts *ax = cookie;
uint8_t tweak[CGD_AES_BLOCK_SIZE];
- cipherInstance cipher;
- int cipher_ok __diagused;
/* Compute the initial tweak as AES_k(blkno). */
- cipher_ok = rijndael_cipherInit(&cipher, MODE_ECB, NULL);
- KASSERT(cipher_ok > 0);
- rijndael_blockEncrypt(&cipher, &ax->ax_tweakkey, blkno, /*nbits*/128,
- tweak);
+ aes_enc(&ax->ax_tweakkey, blkno, tweak, ax->ax_nrounds);
- cipher_ok = rijndael_cipherInit(&cipher, MODE_XTS, tweak);
- KASSERT(cipher_ok > 0);
switch (dir) {
case CGD_CIPHER_ENCRYPT:
- rijndael_blockEncrypt(&cipher, &ax->ax_enckey, src,
- /*nbits*/nbytes * 8, dst);
+ aes_xts_enc(&ax->ax_enckey, src, dst, nbytes, tweak,
+ ax->ax_nrounds);
break;
case CGD_CIPHER_DECRYPT:
- rijndael_blockDecrypt(&cipher, &ax->ax_deckey, src,
- /*nbits*/nbytes * 8, dst);
+ aes_xts_dec(&ax->ax_deckey, src, dst, nbytes, tweak,
+ ax->ax_nrounds);
break;
default:
panic("%s: unrecognised direction %d", __func__, dir);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592164643 0
# Sun Jun 14 19:57:23 2020 +0000
# Branch trunk
# Node ID b7131a05bde780d6bbcc795e46ecfde3a45e9bfb
# Parent f2bfdffcb27b2e0de26513dbac99e057635654bb
# EXP-Topic riastradh-kernelcrypto
uvm(9): Switch from legacy rijndael API to new aes API.
diff -r f2bfdffcb27b -r b7131a05bde7 sys/uvm/files.uvm
--- a/sys/uvm/files.uvm Sun Jun 14 19:56:07 2020 +0000
+++ b/sys/uvm/files.uvm Sun Jun 14 19:57:23 2020 +0000
@@ -8,7 +8,7 @@ defflag opt_uvmhist.h UVMHIST_PRINT: KE
defparam opt_uvmhist.h UVMHIST_MAPHIST_SIZE UVMHIST_PDHIST_SIZE
defflag opt_uvm.h USE_TOPDOWN_VM UVMMAP_COUNTERS
defparam opt_uvm.h UVM_RESERVED_PAGES_PER_CPU
-defflag opt_vmswap.h VMSWAP : rijndael
+defflag opt_vmswap.h VMSWAP : aes
defflag opt_readahead.h READAHEAD_STATS
defflag opt_ubc.h UBC_STATS
defparam opt_pagermap.h PAGER_MAP_SIZE
diff -r f2bfdffcb27b -r b7131a05bde7 sys/uvm/uvm_swap.c
--- a/sys/uvm/uvm_swap.c Sun Jun 14 19:56:07 2020 +0000
+++ b/sys/uvm/uvm_swap.c Sun Jun 14 19:57:23 2020 +0000
@@ -65,7 +65,7 @@
#include <miscfs/specfs/specdev.h>
-#include <crypto/rijndael/rijndael-api-fst.h>
+#include <crypto/aes/aes.h>
/*
* uvm_swap.c: manage configuration and i/o to swap space.
@@ -148,8 +148,8 @@ struct swapdev {
int swd_active; /* number of active buffers */
volatile uint32_t *swd_encmap; /* bitmap of encrypted slots */
- keyInstance swd_enckey; /* AES key expanded for enc */
- keyInstance swd_deckey; /* AES key expanded for dec */
+ struct aesenc swd_enckey; /* AES key expanded for enc */
+ struct aesdec swd_deckey; /* AES key expanded for dec */
bool swd_encinit; /* true if keys initialized */
};
@@ -2073,8 +2073,8 @@ uvm_swap_genkey(struct swapdev *sdp)
KASSERT(!sdp->swd_encinit);
cprng_strong(kern_cprng, key, sizeof key, 0);
- rijndael_makeKey(&sdp->swd_enckey, DIR_ENCRYPT, 256, key);
- rijndael_makeKey(&sdp->swd_deckey, DIR_DECRYPT, 256, key);
+ aes_setenckey256(&sdp->swd_enckey, key);
+ aes_setdeckey256(&sdp->swd_deckey, key);
explicit_memset(key, 0, sizeof key);
sdp->swd_encinit = true;
@@ -2089,27 +2089,17 @@ uvm_swap_genkey(struct swapdev *sdp)
static void
uvm_swap_encryptpage(struct swapdev *sdp, void *kva, int slot)
{
- cipherInstance aes;
uint8_t preiv[16] = {0}, iv[16];
- int ok __diagused, nbits __diagused;
/* iv := AES_k(le32enc(slot) || 0^96) */
le32enc(preiv, slot);
- ok = rijndael_cipherInit(&aes, MODE_ECB, NULL);
- KASSERT(ok);
- nbits = rijndael_blockEncrypt(&aes, &sdp->swd_enckey, preiv,
- /*length in bits*/128, iv);
- KASSERT(nbits == 128);
+ aes_enc(&sdp->swd_enckey, (const void *)preiv, iv, AES_256_NROUNDS);
/* *kva := AES-CBC_k(iv, *kva) */
- ok = rijndael_cipherInit(&aes, MODE_CBC, iv);
- KASSERT(ok);
- nbits = rijndael_blockEncrypt(&aes, &sdp->swd_enckey, kva,
- /*length in bits*/PAGE_SIZE*NBBY, kva);
- KASSERT(nbits == PAGE_SIZE*NBBY);
+ aes_cbc_enc(&sdp->swd_enckey, kva, kva, PAGE_SIZE, iv,
+ AES_256_NROUNDS);
explicit_memset(&iv, 0, sizeof iv);
- explicit_memset(&aes, 0, sizeof aes);
}
/*
@@ -2121,28 +2111,17 @@ uvm_swap_encryptpage(struct swapdev *sdp
static void
uvm_swap_decryptpage(struct swapdev *sdp, void *kva, int slot)
{
- cipherInstance aes;
uint8_t preiv[16] = {0}, iv[16];
- int ok __diagused, nbits __diagused;
/* iv := AES_k(le32enc(slot) || 0^96) */
le32enc(preiv, slot);
- ok = rijndael_cipherInit(&aes, MODE_ECB, NULL);
- KASSERT(ok);
- nbits = rijndael_blockEncrypt(&aes, &sdp->swd_enckey, preiv,
- /*length in bits*/128, iv);
- KASSERTMSG(nbits == 128, "nbits=%d expected %d\n", nbits, 128);
+ aes_enc(&sdp->swd_enckey, (const void *)preiv, iv, AES_256_NROUNDS);
/* *kva := AES-CBC^{-1}_k(iv, *kva) */
- ok = rijndael_cipherInit(&aes, MODE_CBC, iv);
- KASSERT(ok);
- nbits = rijndael_blockDecrypt(&aes, &sdp->swd_deckey, kva,
- /*length in bits*/PAGE_SIZE*NBBY, kva);
- KASSERTMSG(nbits == PAGE_SIZE*NBBY,
- "nbits=%d expected %d\n", nbits, PAGE_SIZE*NBBY);
+ aes_cbc_dec(&sdp->swd_deckey, kva, kva, PAGE_SIZE, iv,
+ AES_256_NROUNDS);
explicit_memset(&iv, 0, sizeof iv);
- explicit_memset(&aes, 0, sizeof aes);
}
SYSCTL_SETUP(sysctl_uvmswap_setup, "sysctl uvmswap setup")
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592164753 0
# Sun Jun 14 19:59:13 2020 +0000
# Branch trunk
# Node ID a97bc0abe60d9a77b10f27d63951d60b0be7b987
# Parent b7131a05bde780d6bbcc795e46ecfde3a45e9bfb
# EXP-Topic riastradh-kernelcrypto
opencrypto: Switch from legacy rijndael API to new aes API.
While here, apply various rijndael->aes renames, reduce the size
of aesxcbc_ctx by 480 bytes, and convert some malloc->kmem.
Leave in the symbol enc_xform_rijndael128 for now, though, so this
doesn't break any kernel ABI.
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/aesxcbcmac.c
--- a/sys/opencrypto/aesxcbcmac.c Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/aesxcbcmac.c Sun Jun 14 19:59:13 2020 +0000
@@ -34,7 +34,8 @@
#include <sys/param.h>
#include <sys/systm.h>
-#include <crypto/rijndael/rijndael.h>
+
+#include <crypto/aes/aes.h>
#include <opencrypto/aesxcbcmac.h>
@@ -47,24 +48,31 @@ aes_xcbc_mac_init(void *vctx, const uint
{ 2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2 };
static const uint8_t k3seed[AES_BLOCKSIZE] =
{ 3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3 };
- u_int32_t r_ks[(RIJNDAEL_MAXNR+1)*4];
+ struct aesenc r_ks;
aesxcbc_ctx *ctx;
uint8_t k1[AES_BLOCKSIZE];
ctx = vctx;
memset(ctx, 0, sizeof(*ctx));
- if ((ctx->r_nr = rijndaelKeySetupEnc(r_ks, key, keylen * 8)) == 0)
- return -1;
- rijndaelEncrypt(r_ks, ctx->r_nr, k1seed, k1);
- rijndaelEncrypt(r_ks, ctx->r_nr, k2seed, ctx->k2);
- rijndaelEncrypt(r_ks, ctx->r_nr, k3seed, ctx->k3);
- if (rijndaelKeySetupEnc(ctx->r_k1s, k1, AES_BLOCKSIZE * 8) == 0)
- return -1;
- if (rijndaelKeySetupEnc(ctx->r_k2s, ctx->k2, AES_BLOCKSIZE * 8) == 0)
- return -1;
- if (rijndaelKeySetupEnc(ctx->r_k3s, ctx->k3, AES_BLOCKSIZE * 8) == 0)
- return -1;
+ switch (keylen) {
+ case 16:
+ ctx->r_nr = aes_setenckey128(&r_ks, key);
+ break;
+ case 24:
+ ctx->r_nr = aes_setenckey192(&r_ks, key);
+ break;
+ case 32:
+ ctx->r_nr = aes_setenckey256(&r_ks, key);
+ break;
+ }
+ aes_enc(&r_ks, k1seed, k1, ctx->r_nr);
+ aes_enc(&r_ks, k2seed, ctx->k2, ctx->r_nr);
+ aes_enc(&r_ks, k3seed, ctx->k3, ctx->r_nr);
+ aes_setenckey128(&ctx->r_k1s, k1);
+
+ explicit_memset(&r_ks, 0, sizeof(r_ks));
+ explicit_memset(k1, 0, sizeof(k1));
return 0;
}
@@ -83,7 +91,7 @@ aes_xcbc_mac_loop(void *vctx, const uint
if (ctx->buflen == sizeof(ctx->buf)) {
for (i = 0; i < sizeof(ctx->e); i++)
ctx->buf[i] ^= ctx->e[i];
- rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
+ aes_enc(&ctx->r_k1s, ctx->buf, ctx->e, ctx->r_nr);
ctx->buflen = 0;
}
if (ctx->buflen + len < sizeof(ctx->buf)) {
@@ -96,7 +104,7 @@ aes_xcbc_mac_loop(void *vctx, const uint
sizeof(ctx->buf) - ctx->buflen);
for (i = 0; i < sizeof(ctx->e); i++)
ctx->buf[i] ^= ctx->e[i];
- rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, ctx->e);
+ aes_enc(&ctx->r_k1s, ctx->buf, ctx->e, ctx->r_nr);
addr += sizeof(ctx->buf) - ctx->buflen;
ctx->buflen = 0;
}
@@ -105,7 +113,7 @@ aes_xcbc_mac_loop(void *vctx, const uint
memcpy(buf, addr, AES_BLOCKSIZE);
for (i = 0; i < sizeof(buf); i++)
buf[i] ^= ctx->e[i];
- rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, buf, ctx->e);
+ aes_enc(&ctx->r_k1s, buf, ctx->e, ctx->r_nr);
addr += AES_BLOCKSIZE;
}
if (addr < ep) {
@@ -129,7 +137,7 @@ aes_xcbc_mac_result(uint8_t *addr, void
ctx->buf[i] ^= ctx->e[i];
ctx->buf[i] ^= ctx->k2[i];
}
- rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
+ aes_enc(&ctx->r_k1s, ctx->buf, digest, ctx->r_nr);
} else {
for (i = ctx->buflen; i < sizeof(ctx->buf); i++)
ctx->buf[i] = (i == ctx->buflen) ? 0x80 : 0x00;
@@ -137,7 +145,7 @@ aes_xcbc_mac_result(uint8_t *addr, void
ctx->buf[i] ^= ctx->e[i];
ctx->buf[i] ^= ctx->k3[i];
}
- rijndaelEncrypt(ctx->r_k1s, ctx->r_nr, ctx->buf, digest);
+ aes_enc(&ctx->r_k1s, ctx->buf, digest, ctx->r_nr);
}
memcpy(addr, digest, sizeof(digest));
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/aesxcbcmac.h
--- a/sys/opencrypto/aesxcbcmac.h Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/aesxcbcmac.h Sun Jun 14 19:59:13 2020 +0000
@@ -1,5 +1,8 @@
/* $NetBSD: aesxcbcmac.h,v 1.1 2011/05/24 19:10:09 drochner Exp $ */
+#ifndef _OPENCRYPTO_AESXCBCMAC_H
+#define _OPENCRYPTO_AESXCBCMAC_H
+
#include <sys/types.h>
#define AES_BLOCKSIZE 16
@@ -8,9 +11,7 @@ typedef struct {
u_int8_t e[AES_BLOCKSIZE];
u_int8_t buf[AES_BLOCKSIZE];
size_t buflen;
- u_int32_t r_k1s[(RIJNDAEL_MAXNR+1)*4];
- u_int32_t r_k2s[(RIJNDAEL_MAXNR+1)*4];
- u_int32_t r_k3s[(RIJNDAEL_MAXNR+1)*4];
+ struct aesenc r_k1s;
int r_nr; /* key-length-dependent number of rounds */
u_int8_t k2[AES_BLOCKSIZE];
u_int8_t k3[AES_BLOCKSIZE];
@@ -19,3 +20,5 @@ typedef struct {
int aes_xcbc_mac_init(void *, const u_int8_t *, u_int16_t);
int aes_xcbc_mac_loop(void *, const u_int8_t *, u_int16_t);
void aes_xcbc_mac_result(u_int8_t *, void *);
+
+#endif /* _OPENCRYPTO_AESXCBCMAC_H */
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/cryptosoft.c
--- a/sys/opencrypto/cryptosoft.c Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/cryptosoft.c Sun Jun 14 19:59:13 2020 +0000
@@ -831,8 +831,8 @@ swcr_newsession(void *arg, u_int32_t *si
case CRYPTO_SKIPJACK_CBC:
txf = &swcr_enc_xform_skipjack;
goto enccommon;
- case CRYPTO_RIJNDAEL128_CBC:
- txf = &swcr_enc_xform_rijndael128;
+ case CRYPTO_AES_CBC:
+ txf = &swcr_enc_xform_aes;
goto enccommon;
case CRYPTO_CAMELLIA_CBC:
txf = &swcr_enc_xform_camellia;
@@ -890,15 +890,13 @@ swcr_newsession(void *arg, u_int32_t *si
axf = &swcr_auth_hash_hmac_ripemd_160_96;
goto authcommon; /* leave this for safety */
authcommon:
- (*swd)->sw_ictx = malloc(axf->ctxsize,
- M_CRYPTO_DATA, M_NOWAIT);
+ (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
if ((*swd)->sw_ictx == NULL) {
swcr_freesession(NULL, i);
return ENOBUFS;
}
- (*swd)->sw_octx = malloc(axf->ctxsize,
- M_CRYPTO_DATA, M_NOWAIT);
+ (*swd)->sw_octx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
if ((*swd)->sw_octx == NULL) {
swcr_freesession(NULL, i);
return ENOBUFS;
@@ -936,16 +934,15 @@ swcr_newsession(void *arg, u_int32_t *si
CTASSERT(SHA1_DIGEST_LENGTH >= MD5_DIGEST_LENGTH);
axf = &swcr_auth_hash_key_sha1;
auth2common:
- (*swd)->sw_ictx = malloc(axf->ctxsize,
- M_CRYPTO_DATA, M_NOWAIT);
+ (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
if ((*swd)->sw_ictx == NULL) {
swcr_freesession(NULL, i);
return ENOBUFS;
}
/* Store the key so we can "append" it to the payload */
- (*swd)->sw_octx = malloc(cri->cri_klen / 8, M_CRYPTO_DATA,
- M_NOWAIT);
+ (*swd)->sw_octx = kmem_alloc(cri->cri_klen / 8,
+ KM_NOSLEEP);
if ((*swd)->sw_octx == NULL) {
swcr_freesession(NULL, i);
return ENOBUFS;
@@ -968,8 +965,7 @@ swcr_newsession(void *arg, u_int32_t *si
case CRYPTO_SHA1:
axf = &swcr_auth_hash_sha1;
auth3common:
- (*swd)->sw_ictx = malloc(axf->ctxsize,
- M_CRYPTO_DATA, M_NOWAIT);
+ (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
if ((*swd)->sw_ictx == NULL) {
swcr_freesession(NULL, i);
return ENOBUFS;
@@ -991,8 +987,7 @@ swcr_newsession(void *arg, u_int32_t *si
case CRYPTO_AES_256_GMAC:
axf = &swcr_auth_hash_gmac_aes_256;
auth4common:
- (*swd)->sw_ictx = malloc(axf->ctxsize,
- M_CRYPTO_DATA, M_NOWAIT);
+ (*swd)->sw_ictx = kmem_alloc(axf->ctxsize, KM_NOSLEEP);
if ((*swd)->sw_ictx == NULL) {
swcr_freesession(NULL, i);
return ENOBUFS;
@@ -1057,7 +1052,7 @@ swcr_freesession(void *arg, u_int64_t ti
case CRYPTO_BLF_CBC:
case CRYPTO_CAST_CBC:
case CRYPTO_SKIPJACK_CBC:
- case CRYPTO_RIJNDAEL128_CBC:
+ case CRYPTO_AES_CBC:
case CRYPTO_CAMELLIA_CBC:
case CRYPTO_AES_CTR:
case CRYPTO_AES_GCM_16:
@@ -1083,11 +1078,11 @@ swcr_freesession(void *arg, u_int64_t ti
if (swd->sw_ictx) {
explicit_memset(swd->sw_ictx, 0, axf->ctxsize);
- free(swd->sw_ictx, M_CRYPTO_DATA);
+ kmem_free(swd->sw_ictx, axf->ctxsize);
}
if (swd->sw_octx) {
explicit_memset(swd->sw_octx, 0, axf->ctxsize);
- free(swd->sw_octx, M_CRYPTO_DATA);
+ kmem_free(swd->sw_octx, axf->ctxsize);
}
break;
@@ -1097,11 +1092,11 @@ swcr_freesession(void *arg, u_int64_t ti
if (swd->sw_ictx) {
explicit_memset(swd->sw_ictx, 0, axf->ctxsize);
- free(swd->sw_ictx, M_CRYPTO_DATA);
+ kmem_free(swd->sw_ictx, axf->ctxsize);
}
if (swd->sw_octx) {
explicit_memset(swd->sw_octx, 0, swd->sw_klen);
- free(swd->sw_octx, M_CRYPTO_DATA);
+ kmem_free(swd->sw_octx, axf->ctxsize);
}
break;
@@ -1115,7 +1110,7 @@ swcr_freesession(void *arg, u_int64_t ti
if (swd->sw_ictx) {
explicit_memset(swd->sw_ictx, 0, axf->ctxsize);
- free(swd->sw_ictx, M_CRYPTO_DATA);
+ kmem_free(swd->sw_ictx, axf->ctxsize);
}
break;
@@ -1193,7 +1188,7 @@ swcr_process(void *arg, struct cryptop *
case CRYPTO_BLF_CBC:
case CRYPTO_CAST_CBC:
case CRYPTO_SKIPJACK_CBC:
- case CRYPTO_RIJNDAEL128_CBC:
+ case CRYPTO_AES_CBC:
case CRYPTO_CAMELLIA_CBC:
case CRYPTO_AES_CTR:
if ((crp->crp_etype = swcr_encdec(crd, sw,
@@ -1294,7 +1289,7 @@ swcr_init(void)
REGISTER(CRYPTO_AES_128_GMAC);
REGISTER(CRYPTO_AES_192_GMAC);
REGISTER(CRYPTO_AES_256_GMAC);
- REGISTER(CRYPTO_RIJNDAEL128_CBC);
+ REGISTER(CRYPTO_AES_CBC);
REGISTER(CRYPTO_DEFLATE_COMP);
REGISTER(CRYPTO_DEFLATE_COMP_NOGROW);
REGISTER(CRYPTO_GZIP_COMP);
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/cryptosoft_xform.c
--- a/sys/opencrypto/cryptosoft_xform.c Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/cryptosoft_xform.c Sun Jun 14 19:59:13 2020 +0000
@@ -42,21 +42,22 @@
#include <sys/cdefs.h>
__KERNEL_RCSID(1, "$NetBSD: cryptosoft_xform.c,v 1.28 2019/10/12 00:49:30 christos Exp $");
-#include <crypto/blowfish/blowfish.h>
-#include <crypto/cast128/cast128.h>
-#include <crypto/des/des.h>
-#include <crypto/rijndael/rijndael.h>
-#include <crypto/skipjack/skipjack.h>
-#include <crypto/camellia/camellia.h>
-
-#include <opencrypto/deflate.h>
-
+#include <sys/cprng.h>
+#include <sys/kmem.h>
#include <sys/md5.h>
#include <sys/rmd160.h>
#include <sys/sha1.h>
#include <sys/sha2.h>
-#include <sys/cprng.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/blowfish/blowfish.h>
+#include <crypto/camellia/camellia.h>
+#include <crypto/cast128/cast128.h>
+#include <crypto/des/des.h>
+#include <crypto/skipjack/skipjack.h>
+
#include <opencrypto/aesxcbcmac.h>
+#include <opencrypto/deflate.h>
#include <opencrypto/gmac.h>
struct swcr_auth_hash {
@@ -94,7 +95,7 @@ static int des3_setkey(u_int8_t **, cons
static int blf_setkey(u_int8_t **, const u_int8_t *, int);
static int cast5_setkey(u_int8_t **, const u_int8_t *, int);
static int skipjack_setkey(u_int8_t **, const u_int8_t *, int);
-static int rijndael128_setkey(u_int8_t **, const u_int8_t *, int);
+static int aes_setkey(u_int8_t **, const u_int8_t *, int);
static int cml_setkey(u_int8_t **, const u_int8_t *, int);
static int aes_ctr_setkey(u_int8_t **, const u_int8_t *, int);
static int aes_gmac_setkey(u_int8_t **, const u_int8_t *, int);
@@ -103,14 +104,14 @@ static void des3_encrypt(void *, u_int8_
static void blf_encrypt(void *, u_int8_t *);
static void cast5_encrypt(void *, u_int8_t *);
static void skipjack_encrypt(void *, u_int8_t *);
-static void rijndael128_encrypt(void *, u_int8_t *);
+static void aes_encrypt(void *, u_int8_t *);
static void cml_encrypt(void *, u_int8_t *);
static void des1_decrypt(void *, u_int8_t *);
static void des3_decrypt(void *, u_int8_t *);
static void blf_decrypt(void *, u_int8_t *);
static void cast5_decrypt(void *, u_int8_t *);
static void skipjack_decrypt(void *, u_int8_t *);
-static void rijndael128_decrypt(void *, u_int8_t *);
+static void aes_decrypt(void *, u_int8_t *);
static void cml_decrypt(void *, u_int8_t *);
static void aes_ctr_crypt(void *, u_int8_t *);
static void des1_zerokey(u_int8_t **);
@@ -118,7 +119,7 @@ static void des3_zerokey(u_int8_t **);
static void blf_zerokey(u_int8_t **);
static void cast5_zerokey(u_int8_t **);
static void skipjack_zerokey(u_int8_t **);
-static void rijndael128_zerokey(u_int8_t **);
+static void aes_zerokey(u_int8_t **);
static void cml_zerokey(u_int8_t **);
static void aes_ctr_zerokey(u_int8_t **);
static void aes_gmac_zerokey(u_int8_t **);
@@ -204,12 +205,12 @@ static const struct swcr_enc_xform swcr_
NULL
};
-static const struct swcr_enc_xform swcr_enc_xform_rijndael128 = {
+static const struct swcr_enc_xform swcr_enc_xform_aes = {
&enc_xform_rijndael128,
- rijndael128_encrypt,
- rijndael128_decrypt,
- rijndael128_setkey,
- rijndael128_zerokey,
+ aes_encrypt,
+ aes_decrypt,
+ aes_setkey,
+ aes_zerokey,
NULL
};
@@ -599,38 +600,68 @@ skipjack_zerokey(u_int8_t **sched)
*sched = NULL;
}
+struct aes_ctx {
+ struct aesenc enc;
+ struct aesdec dec;
+ uint32_t nr;
+};
+
static void
-rijndael128_encrypt(void *key, u_int8_t *blk)
+aes_encrypt(void *key, u_int8_t *blk)
{
- rijndael_encrypt((rijndael_ctx *) key, (u_char *) blk, (u_char *) blk);
+ struct aes_ctx *ctx = key;
+
+ aes_enc(&ctx->enc, blk, blk, ctx->nr);
}
static void
-rijndael128_decrypt(void *key, u_int8_t *blk)
+aes_decrypt(void *key, u_int8_t *blk)
{
- rijndael_decrypt((rijndael_ctx *) key, (u_char *) blk,
- (u_char *) blk);
+ struct aes_ctx *ctx = key;
+
+ aes_dec(&ctx->dec, blk, blk, ctx->nr);
}
static int
-rijndael128_setkey(u_int8_t **sched, const u_int8_t *key, int len)
+aes_setkey(u_int8_t **sched, const u_int8_t *key, int len)
{
+ struct aes_ctx *ctx;
if (len != 16 && len != 24 && len != 32)
return EINVAL;
- *sched = malloc(sizeof(rijndael_ctx), M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
- if (*sched == NULL)
+ ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP);
+ if (ctx == NULL)
return ENOMEM;
- rijndael_set_key((rijndael_ctx *) *sched, key, len * 8);
+
+ switch (len) {
+ case 16:
+ aes_setenckey128(&ctx->enc, key);
+ aes_setdeckey128(&ctx->dec, key);
+ ctx->nr = AES_128_NROUNDS;
+ break;
+ case 24:
+ aes_setenckey192(&ctx->enc, key);
+ aes_setdeckey192(&ctx->dec, key);
+ ctx->nr = AES_192_NROUNDS;
+ break;
+ case 32:
+ aes_setenckey256(&ctx->enc, key);
+ aes_setdeckey256(&ctx->dec, key);
+ ctx->nr = AES_256_NROUNDS;
+ break;
+ }
+
+ *sched = (void *)ctx;
return 0;
}
static void
-rijndael128_zerokey(u_int8_t **sched)
+aes_zerokey(u_int8_t **sched)
{
- memset(*sched, 0, sizeof(rijndael_ctx));
- free(*sched, M_CRYPTO_DATA);
+ struct aes_ctx *ctx = (void *)*sched;
+
+ explicit_memset(ctx, 0, sizeof(*ctx));
+ kmem_free(ctx, sizeof(*ctx));
*sched = NULL;
}
@@ -678,7 +709,7 @@ cml_zerokey(u_int8_t **sched)
struct aes_ctr_ctx {
/* need only encryption half */
- u_int32_t ac_ek[4*(RIJNDAEL_MAXNR + 1)];
+ struct aesenc ac_ek;
u_int8_t ac_block[AESCTR_BLOCKSIZE];
int ac_nr;
struct {
@@ -699,10 +730,10 @@ aes_ctr_crypt(void *key, u_int8_t *blk)
i >= AESCTR_NONCESIZE + AESCTR_IVSIZE; i--)
if (++ctx->ac_block[i]) /* continue on overflow */
break;
- rijndaelEncrypt(ctx->ac_ek, ctx->ac_nr, ctx->ac_block, keystream);
+ aes_enc(&ctx->ac_ek, ctx->ac_block, keystream, ctx->ac_nr);
for (i = 0; i < AESCTR_BLOCKSIZE; i++)
blk[i] ^= keystream[i];
- memset(keystream, 0, sizeof(keystream));
+ explicit_memset(keystream, 0, sizeof(keystream));
}
int
@@ -713,13 +744,20 @@ aes_ctr_setkey(u_int8_t **sched, const u
if (len < AESCTR_NONCESIZE)
return EINVAL;
- ctx = malloc(sizeof(struct aes_ctr_ctx), M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
+ ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP);
if (!ctx)
return ENOMEM;
- ctx->ac_nr = rijndaelKeySetupEnc(ctx->ac_ek, (const u_char *)key,
- (len - AESCTR_NONCESIZE) * 8);
- if (!ctx->ac_nr) { /* wrong key len */
+ switch (len) {
+ case 16 + AESCTR_NONCESIZE:
+ ctx->ac_nr = aes_setenckey128(&ctx->ac_ek, key);
+ break;
+ case 24 + AESCTR_NONCESIZE:
+ ctx->ac_nr = aes_setenckey192(&ctx->ac_ek, key);
+ break;
+ case 32 + AESCTR_NONCESIZE:
+ ctx->ac_nr = aes_setenckey256(&ctx->ac_ek, key);
+ break;
+ default:
aes_ctr_zerokey((u_int8_t **)&ctx);
return EINVAL;
}
@@ -733,9 +771,10 @@ aes_ctr_setkey(u_int8_t **sched, const u
void
aes_ctr_zerokey(u_int8_t **sched)
{
+ struct aes_ctr_ctx *ctx = (void *)*sched;
- memset(*sched, 0, sizeof(struct aes_ctr_ctx));
- free(*sched, M_CRYPTO_DATA);
+ explicit_memset(ctx, 0, sizeof(*ctx));
+ kmem_free(ctx, sizeof(*ctx));
*sched = NULL;
}
@@ -783,8 +822,7 @@ aes_gmac_setkey(u_int8_t **sched, const
{
struct aes_gmac_ctx *ctx;
- ctx = malloc(sizeof(struct aes_gmac_ctx), M_CRYPTO_DATA,
- M_NOWAIT|M_ZERO);
+ ctx = kmem_zalloc(sizeof(*ctx), KM_NOSLEEP);
if (!ctx)
return ENOMEM;
@@ -797,8 +835,9 @@ aes_gmac_setkey(u_int8_t **sched, const
void
aes_gmac_zerokey(u_int8_t **sched)
{
+ struct aes_gmac_ctx *ctx = (void *)*sched;
- free(*sched, M_CRYPTO_DATA);
+ kmem_free(ctx, sizeof(*ctx));
*sched = NULL;
}
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/files.opencrypto
--- a/sys/opencrypto/files.opencrypto Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/files.opencrypto Sun Jun 14 19:59:13 2020 +0000
@@ -7,7 +7,7 @@
# that use the opencrypto framework, should list opencrypto as a dependency
# to pull in the framework.
-define opencrypto: rijndael
+define opencrypto: aes
file opencrypto/criov.c opencrypto
file opencrypto/xform.c opencrypto
file opencrypto/crypto.c opencrypto
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/gmac.c
--- a/sys/opencrypto/gmac.c Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/gmac.c Sun Jun 14 19:59:13 2020 +0000
@@ -26,7 +26,8 @@
#include <sys/param.h>
#include <sys/systm.h>
-#include <crypto/rijndael/rijndael.h>
+#include <crypto/aes/aes.h>
+
#include <opencrypto/gmac.h>
void ghash_gfmul(const GMAC_INT *, const GMAC_INT *, GMAC_INT *);
@@ -114,13 +115,25 @@ AES_GMAC_Setkey(AES_GMAC_CTX *ctx, const
{
int i;
- ctx->rounds = rijndaelKeySetupEnc(ctx->K, (const u_char *)key,
- (klen - AESCTR_NONCESIZE) * 8);
+ switch (klen) {
+ case 16 + AESCTR_NONCESIZE:
+ ctx->rounds = aes_setenckey128(&ctx->K, key);
+ break;
+ case 24 + AESCTR_NONCESIZE:
+ ctx->rounds = aes_setenckey192(&ctx->K, key);
+ break;
+ case 32 + AESCTR_NONCESIZE:
+ ctx->rounds = aes_setenckey256(&ctx->K, key);
+ break;
+ default:
+ panic("invalid AES_GMAC_Setkey length in bytes: %u",
+ (unsigned)klen);
+ }
/* copy out salt to the counter block */
memcpy(ctx->J, key + klen - AESCTR_NONCESIZE, AESCTR_NONCESIZE);
/* prepare a hash subkey */
- rijndaelEncrypt(ctx->K, ctx->rounds, (void *)ctx->ghash.H,
- (void *)ctx->ghash.H);
+ aes_enc(&ctx->K, (const void *)ctx->ghash.H, (void *)ctx->ghash.H,
+ ctx->rounds);
#if GMAC_INTLEN == 8
for (i = 0; i < 2; i++)
ctx->ghash.H[i] = be64toh(ctx->ghash.H[i]);
@@ -163,7 +176,7 @@ AES_GMAC_Final(uint8_t digest[GMAC_DIGES
/* do one round of GCTR */
ctx->J[GMAC_BLOCK_LEN - 1] = 1;
- rijndaelEncrypt(ctx->K, ctx->rounds, ctx->J, keystream);
+ aes_enc(&ctx->K, ctx->J, keystream, ctx->rounds);
k = keystream;
d = digest;
#if GMAC_INTLEN == 8
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/gmac.h
--- a/sys/opencrypto/gmac.h Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/gmac.h Sun Jun 14 19:59:13 2020 +0000
@@ -20,7 +20,7 @@
#ifndef _GMAC_H_
#define _GMAC_H_
-#include <crypto/rijndael/rijndael.h>
+#include <crypto/aes/aes.h>
#define GMAC_BLOCK_LEN 16
#define GMAC_DIGEST_LEN 16
@@ -41,7 +41,7 @@ typedef struct _GHASH_CTX {
typedef struct _AES_GMAC_CTX {
GHASH_CTX ghash;
- uint32_t K[4*(RIJNDAEL_MAXNR + 1)];
+ struct aesenc K;
uint8_t J[GMAC_BLOCK_LEN]; /* counter block */
int rounds;
} AES_GMAC_CTX;
diff -r b7131a05bde7 -r a97bc0abe60d sys/opencrypto/xform.c
--- a/sys/opencrypto/xform.c Sun Jun 14 19:57:23 2020 +0000
+++ b/sys/opencrypto/xform.c Sun Jun 14 19:59:13 2020 +0000
@@ -145,8 +145,8 @@ const struct enc_xform enc_xform_skipjac
};
const struct enc_xform enc_xform_rijndael128 = {
- .type = CRYPTO_RIJNDAEL128_CBC,
- .name = "Rijndael-128/AES",
+ .type = CRYPTO_AES_CBC,
+ .name = "AES",
.blocksize = 16,
.ivsize = 16,
.minkey = 16,
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592251492 0
# Mon Jun 15 20:04:52 2020 +0000
# Branch trunk
# Node ID 401917dcba81934295869fc7e7a3c4c7755ff186
# Parent a97bc0abe60d9a77b10f27d63951d60b0be7b987
# EXP-Topic riastradh-kernelcrypto
cgd(4): Print which key size is broken when a self-test fails.
Can be gleaned from the test index but this is a little quicker.
diff -r a97bc0abe60d -r 401917dcba81 sys/dev/cgd.c
--- a/sys/dev/cgd.c Sun Jun 14 19:59:13 2020 +0000
+++ b/sys/dev/cgd.c Mon Jun 15 20:04:52 2020 +0000
@@ -1699,8 +1699,8 @@ cgd_selftest(void)
if (memcmp(buf, selftests[i].ctxt, txtlen) != 0) {
hexdump(printf, "was", buf, txtlen);
hexdump(printf, "exp", selftests[i].ctxt, txtlen);
- panic("cgd %s encryption is broken [%zu]",
- selftests[i].alg, i);
+ panic("cgd %s-%d encryption is broken [%zu]",
+ selftests[i].alg, keylen, i);
}
cgd_cipher(&sc, buf, buf, txtlen, selftests[i].blkno,
@@ -1708,8 +1708,8 @@ cgd_selftest(void)
if (memcmp(buf, selftests[i].ptxt, txtlen) != 0) {
hexdump(printf, "was", buf, txtlen);
hexdump(printf, "exp", selftests[i].ptxt, txtlen);
- panic("cgd %s decryption is broken [%zu]",
- selftests[i].alg, i);
+ panic("cgd %s-%d decryption is broken [%zu]",
+ selftests[i].alg, keylen, i);
}
kmem_free(buf, txtlen);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592251571 0
# Mon Jun 15 20:06:11 2020 +0000
# Branch trunk
# Node ID 375cb5e0f08e74a884c537b40ac52fe31c512837
# Parent 401917dcba81934295869fc7e7a3c4c7755ff186
# EXP-Topic riastradh-kernelcrypto
cgd(4): Align IVs on the stack.
This will make it easier for some hardware crypto support.
diff -r 401917dcba81 -r 375cb5e0f08e sys/dev/cgd.c
--- a/sys/dev/cgd.c Mon Jun 15 20:04:52 2020 +0000
+++ b/sys/dev/cgd.c Mon Jun 15 20:06:11 2020 +0000
@@ -1587,7 +1587,7 @@ cgd_cipher(struct cgd_softc *sc, void *d
cfunc_cipher *cipher = sc->sc_cfuncs->cf_cipher;
size_t blocksize = sc->sc_cdata.cf_blocksize;
size_t todo;
- char blkno_buf[CGD_MAXBLOCKSIZE];
+ char blkno_buf[CGD_MAXBLOCKSIZE] __aligned(CGD_BLOCKALIGN);
DPRINTF_FOLLOW(("cgd_cipher() dir=%d\n", dir));
diff -r 401917dcba81 -r 375cb5e0f08e sys/dev/cgd_crypto.c
--- a/sys/dev/cgd_crypto.c Mon Jun 15 20:04:52 2020 +0000
+++ b/sys/dev/cgd_crypto.c Mon Jun 15 20:06:11 2020 +0000
@@ -167,7 +167,7 @@ cgd_cipher_aes_cbc(void *privdata, void
const void *blkno, int dir)
{
struct aes_privdata *apd = privdata;
- uint8_t iv[CGD_AES_BLOCK_SIZE] = {0};
+ uint8_t iv[CGD_AES_BLOCK_SIZE] __aligned(CGD_AES_BLOCK_SIZE) = {0};
/* Compute the CBC IV as AES_k(blkno). */
aes_enc(&apd->ap_enckey, blkno, iv, apd->ap_nrounds);
diff -r 401917dcba81 -r 375cb5e0f08e sys/dev/cgd_crypto.h
--- a/sys/dev/cgd_crypto.h Mon Jun 15 20:04:52 2020 +0000
+++ b/sys/dev/cgd_crypto.h Mon Jun 15 20:06:11 2020 +0000
@@ -39,6 +39,8 @@
#define CGD_3DES_BLOCK_SIZE 8
#define CGD_BF_BLOCK_SIZE 8
+#define CGD_BLOCKALIGN 16
+
typedef void *(cfunc_init)(size_t, const void *, size_t *);
typedef void (cfunc_destroy)(void *);
typedef void (cfunc_cipher)(void *, void *, const void *, size_t,
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592237969 0
# Mon Jun 15 16:19:29 2020 +0000
# Branch trunk
# Node ID 28973955038a44907a800f3333d8dec03c77c8b2
# Parent 375cb5e0f08e74a884c537b40ac52fe31c512837
# EXP-Topic riastradh-kernelcrypto
Provide the standard AES key schedule.
Different AES implementations prefer different variations on it, but
some of them -- notably VIA -- require the standard key schedule to
be available and don't provide hardware support for computing it
themselves. So adapt BearSSL's logic to generate the standard key
schedule (and decryption keys, with InvMixColumns), rather than the
bitsliced key schedule that BearSSL uses natively.
diff -r 375cb5e0f08e -r 28973955038a sys/crypto/aes/aes_bear.h
--- a/sys/crypto/aes/aes_bear.h Mon Jun 15 20:06:11 2020 +0000
+++ b/sys/crypto/aes/aes_bear.h Mon Jun 15 16:19:29 2020 +0000
@@ -45,6 +45,12 @@ void br_aes_ct_skey_expand(uint32_t *, u
void br_aes_ct_bitslice_encrypt(unsigned, const uint32_t *, uint32_t *);
void br_aes_ct_bitslice_decrypt(unsigned, const uint32_t *, uint32_t *);
+/* NetBSD additions */
+
+void br_aes_ct_inv_mix_columns(uint32_t *);
+u_int br_aes_ct_keysched_stdenc(uint32_t *, const void *, size_t);
+u_int br_aes_ct_keysched_stddec(uint32_t *, const void *, size_t);
+
extern struct aes_impl aes_bear_impl;
#endif /* _CRYPTO_AES_AES_BEAR_H */
diff -r 375cb5e0f08e -r 28973955038a sys/crypto/aes/aes_ct.c
--- a/sys/crypto/aes/aes_ct.c Mon Jun 15 20:06:11 2020 +0000
+++ b/sys/crypto/aes/aes_ct.c Mon Jun 15 16:19:29 2020 +0000
@@ -29,6 +29,8 @@
#include <sys/types.h>
+#include <lib/libkern/libkern.h>
+
#include <crypto/aes/aes_bear.h>
/* see inner.h */
@@ -333,3 +335,92 @@ br_aes_ct_skey_expand(uint32_t *skey,
skey[v + 1] = y | (y >> 1);
}
}
+
+/* NetBSD additions, for computing the standard AES key schedule */
+
+unsigned
+br_aes_ct_keysched_stdenc(uint32_t *skey, const void *key, size_t key_len)
+{
+ unsigned num_rounds;
+ int i, j, k, nk, nkf;
+ uint32_t tmp;
+
+ switch (key_len) {
+ case 16:
+ num_rounds = 10;
+ break;
+ case 24:
+ num_rounds = 12;
+ break;
+ case 32:
+ num_rounds = 14;
+ break;
+ default:
+ /* abort(); */
+ return 0;
+ }
+ nk = (int)(key_len >> 2);
+ nkf = (int)((num_rounds + 1) << 2);
+ tmp = 0;
+ for (i = 0; i < nk; i ++) {
+ tmp = br_dec32le((const unsigned char *)key + (i << 2));
+ skey[i] = tmp;
+ }
+ for (i = nk, j = 0, k = 0; i < nkf; i ++) {
+ if (j == 0) {
+ tmp = (tmp << 24) | (tmp >> 8);
+ tmp = sub_word(tmp) ^ Rcon[k];
+ } else if (nk > 6 && j == 4) {
+ tmp = sub_word(tmp);
+ }
+ tmp ^= skey[i - nk];
+ skey[i] = tmp;
+ if (++ j == nk) {
+ j = 0;
+ k ++;
+ }
+ }
+ return num_rounds;
+}
+
+unsigned
+br_aes_ct_keysched_stddec(uint32_t *skey, const void *key, size_t key_len)
+{
+ uint32_t tkey[60];
+ uint32_t q[8];
+ unsigned num_rounds;
+ unsigned i;
+
+ num_rounds = br_aes_ct_keysched_stdenc(skey, key, key_len);
+ if (num_rounds == 0)
+ return 0;
+
+ tkey[0] = skey[4*num_rounds + 0];
+ tkey[1] = skey[4*num_rounds + 1];
+ tkey[2] = skey[4*num_rounds + 2];
+ tkey[3] = skey[4*num_rounds + 3];
+ for (i = 1; i < num_rounds; i++) {
+ q[2*0] = skey[4*i + 0];
+ q[2*1] = skey[4*i + 1];
+ q[2*2] = skey[4*i + 2];
+ q[2*3] = skey[4*i + 3];
+ q[1] = q[3] = q[5] = q[7] = 0;
+
+ br_aes_ct_ortho(q);
+ br_aes_ct_inv_mix_columns(q);
+ br_aes_ct_ortho(q);
+
+ tkey[4*(num_rounds - i) + 0] = q[2*0];
+ tkey[4*(num_rounds - i) + 1] = q[2*1];
+ tkey[4*(num_rounds - i) + 2] = q[2*2];
+ tkey[4*(num_rounds - i) + 3] = q[2*3];
+ }
+ tkey[4*num_rounds + 0] = skey[0];
+ tkey[4*num_rounds + 1] = skey[1];
+ tkey[4*num_rounds + 2] = skey[2];
+ tkey[4*num_rounds + 3] = skey[3];
+
+ memcpy(skey, tkey, 4*(num_rounds + 1)*sizeof(uint32_t));
+ explicit_memset(tkey, 0, 4*(num_rounds + 1)*sizeof(uint32_t));
+ return num_rounds;
+}
diff -r 375cb5e0f08e -r 28973955038a sys/crypto/aes/aes_ct_dec.c
--- a/sys/crypto/aes/aes_ct_dec.c Mon Jun 15 20:06:11 2020 +0000
+++ b/sys/crypto/aes/aes_ct_dec.c Mon Jun 15 16:19:29 2020 +0000
@@ -175,3 +175,11 @@ br_aes_ct_bitslice_decrypt(unsigned num_
br_aes_ct_bitslice_invSbox(q);
add_round_key(q, skey);
}
+
+/* NetBSD addition, for generating compatible decryption keys */
+void
+br_aes_ct_inv_mix_columns(uint32_t *q)
+{
+
+ inv_mix_columns(q);
+}
diff -r 375cb5e0f08e -r 28973955038a sys/crypto/aes/aes_impl.c
--- a/sys/crypto/aes/aes_impl.c Mon Jun 15 20:06:11 2020 +0000
+++ b/sys/crypto/aes/aes_impl.c Mon Jun 15 16:19:29 2020 +0000
@@ -38,6 +38,8 @@
#include <crypto/aes/aes.h>
#include <crypto/aes/aes_bear.h> /* default implementation */
+static int aes_selftest_stdkeysched(void);
+
static const struct aes_impl *aes_md_impl __read_mostly;
static const struct aes_impl *aes_impl __read_mostly;
@@ -61,6 +63,9 @@ aes_select(void)
KASSERT(aes_impl == NULL);
+ if (aes_selftest_stdkeysched())
+ panic("AES is busted");
+
if (aes_md_impl) {
if (aes_selftest(aes_md_impl))
aprint_error("aes: self-test failed: %s\n",
@@ -254,3 +259,131 @@ aes_xts_dec(struct aesdec *dec, const ui
aes_guarantee_selected();
aes_impl->ai_xts_dec(dec, in, out, nbytes, tweak, nrounds);
}
+
+/*
+ * Known-answer self-tests for the standard key schedule.
+ */
+static int
+aes_selftest_stdkeysched(void)
+{
+ static const uint8_t key[32] = {
+ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+ 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
+ 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
+ 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f,
+ };
+ static const uint32_t rk128enc[] = {
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ 0xfd74aad6, 0xfa72afd2, 0xf178a6da, 0xfe76abd6,
+ 0x0bcf92b6, 0xf1bd3d64, 0x00c59bbe, 0xfeb33068,
+ 0x4e74ffb6, 0xbfc9c2d2, 0xbf0c596c, 0x41bf6904,
+ 0xbcf7f747, 0x033e3595, 0xbc326cf9, 0xfd8d05fd,
+ 0xe8a3aa3c, 0xeb9d9fa9, 0x57aff350, 0xaa22f6ad,
+ 0x7d0f395e, 0x9692a6f7, 0xc13d55a7, 0x6b1fa30a,
+ 0x1a70f914, 0x8ce25fe3, 0x4ddf0a44, 0x26c0a94e,
+ 0x35874347, 0xb9651ca4, 0xf4ba16e0, 0xd27abfae,
+ 0xd1329954, 0x685785f0, 0x9ced9310, 0x4e972cbe,
+ 0x7f1d1113, 0x174a94e3, 0x8ba707f3, 0xc5302b4d,
+ };
+ static const uint32_t rk192enc[] = {
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ 0x13121110, 0x17161514, 0xf9f24658, 0xfef4435c,
+ 0xf5fe4a54, 0xfaf04758, 0xe9e25648, 0xfef4435c,
+ 0xb349f940, 0x4dbdba1c, 0xb843f048, 0x42b3b710,
+ 0xab51e158, 0x55a5a204, 0x41b5ff7e, 0x0c084562,
+ 0xb44bb52a, 0xf6f8023a, 0x5da9e362, 0x080c4166,
+ 0x728501f5, 0x7e8d4497, 0xcac6f1bd, 0x3c3ef387,
+ 0x619710e5, 0x699b5183, 0x9e7c1534, 0xe0f151a3,
+ 0x2a37a01e, 0x16095399, 0x779e437c, 0x1e0512ff,
+ 0x880e7edd, 0x68ff2f7e, 0x42c88f60, 0x54c1dcf9,
+ 0x235f9f85, 0x3d5a8d7a, 0x5229c0c0, 0x3ad6efbe,
+ 0x781e60de, 0x2cdfbc27, 0x0f8023a2, 0x32daaed8,
+ 0x330a97a4, 0x09dc781a, 0x71c218c4, 0x5d1da4e3,
+ };
+ static const uint32_t rk256enc[] = {
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ 0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c,
+ 0x9fc273a5, 0x98c476a1, 0x93ce7fa9, 0x9cc072a5,
+ 0xcda85116, 0xdabe4402, 0xc1a45d1a, 0xdeba4006,
+ 0xf0df87ae, 0x681bf10f, 0xfbd58ea6, 0x6715fc03,
+ 0x48f1e16d, 0x924fa56f, 0x53ebf875, 0x8d51b873,
+ 0x7f8256c6, 0x1799a7c9, 0xec4c296f, 0x8b59d56c,
+ 0x753ae23d, 0xe7754752, 0xb49ebf27, 0x39cf0754,
+ 0x5f90dc0b, 0x48097bc2, 0xa44552ad, 0x2f1c87c1,
+ 0x60a6f545, 0x87d3b217, 0x334d0d30, 0x0a820a64,
+ 0x1cf7cf7c, 0x54feb4be, 0xf0bbe613, 0xdfa761d2,
+ 0xfefa1af0, 0x7929a8e7, 0x4a64a5d7, 0x40e6afb3,
+ 0x71fe4125, 0x2500f59b, 0xd5bb1388, 0x0a1c725a,
+ 0x99665a4e, 0xe04ff2a9, 0xaa2b577e, 0xeacdf8cd,
+ 0xcc79fc24, 0xe97909bf, 0x3cc21a37, 0x36de686d,
+ };
+ static const uint32_t rk128dec[] = {
+ 0x7f1d1113, 0x174a94e3, 0x8ba707f3, 0xc5302b4d,
+ 0xbe29aa13, 0xf6af8f9c, 0x80f570f7, 0x03bff700,
+ 0x63a46213, 0x4886258f, 0x765aff6b, 0x834a87f7,
+ 0x74fc828d, 0x2b22479c, 0x3edcdae4, 0xf510789c,
+ 0x8d09e372, 0x5fdec511, 0x15fe9d78, 0xcbcca278,
+ 0x2710c42e, 0xd2d72663, 0x4a205869, 0xde323f00,
+ 0x04f5a2a8, 0xf5c7e24d, 0x98f77e0a, 0x94126769,
+ 0x91e3c6c7, 0xf13240e5, 0x6d309c47, 0x0ce51963,
+ 0x9902dba0, 0x60d18622, 0x9c02dca2, 0x61d58524,
+ 0xf0df568c, 0xf9d35d82, 0xfcd35a80, 0xfdd75986,
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ };
+ static const uint32_t rk192dec[] = {
+ 0x330a97a4, 0x09dc781a, 0x71c218c4, 0x5d1da4e3,
+ 0x0dbdbed6, 0x49ea09c2, 0x8073b04d, 0xb91b023e,
+ 0xc999b98f, 0x3968b273, 0x9dd8f9c7, 0x728cc685,
+ 0xc16e7df7, 0xef543f42, 0x7f317853, 0x4457b714,
+ 0x90654711, 0x3b66cf47, 0x8dce0e9b, 0xf0f10bfc,
+ 0xb6a8c1dc, 0x7d3f0567, 0x4a195ccc, 0x2e3a42b5,
+ 0xabb0dec6, 0x64231e79, 0xbe5f05a4, 0xab038856,
+ 0xda7c1bdd, 0x155c8df2, 0x1dab498a, 0xcb97c4bb,
+ 0x08f7c478, 0xd63c8d31, 0x01b75596, 0xcf93c0bf,
+ 0x10efdc60, 0xce249529, 0x15efdb62, 0xcf20962f,
+ 0xdbcb4e4b, 0xdacf4d4d, 0xc7d75257, 0xdecb4949,
+ 0x1d181f1a, 0x191c1b1e, 0xd7c74247, 0xdecb4949,
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ };
+ static const uint32_t rk256dec[] = {
+ 0xcc79fc24, 0xe97909bf, 0x3cc21a37, 0x36de686d,
+ 0xffd1f134, 0x2faacebf, 0x5fe2e9fc, 0x6e015825,
+ 0xeb48165e, 0x0a354c38, 0x46b77175, 0x84e680dc,
+ 0x8005a3c8, 0xd07b3f8b, 0x70482743, 0x31e3b1d9,
+ 0x138e70b5, 0xe17d5a66, 0x4c823d4d, 0xc251f1a9,
+ 0xa37bda74, 0x507e9c43, 0xa03318c8, 0x41ab969a,
+ 0x1597a63c, 0xf2f32ad3, 0xadff672b, 0x8ed3cce4,
+ 0xf3c45ff8, 0xf3054637, 0xf04d848b, 0xe1988e52,
+ 0x9a4069de, 0xe7648cef, 0x5f0c4df8, 0x232cabcf,
+ 0x1658d5ae, 0x00c119cf, 0x0348c2bc, 0x11d50ad9,
+ 0xbd68c615, 0x7d24e531, 0xb868c117, 0x7c20e637,
+ 0x0f85d77f, 0x1699cc61, 0x0389db73, 0x129dc865,
+ 0xc940282a, 0xc04c2324, 0xc54c2426, 0xc4482720,
+ 0x1d181f1a, 0x191c1b1e, 0x15101712, 0x11141316,
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ };
+ static const struct {
+ unsigned len;
+ unsigned nr;
+ const uint32_t *enc, *dec;
+ } C[] = {
+ { 16, AES_128_NROUNDS, rk128enc, rk128dec },
+ { 24, AES_192_NROUNDS, rk192enc, rk192dec },
+ { 32, AES_256_NROUNDS, rk256enc, rk256dec },
+ };
+ uint32_t rk[60];
+ unsigned i;
+
+ for (i = 0; i < __arraycount(C); i++) {
+ if (br_aes_ct_keysched_stdenc(rk, key, C[i].len) != C[i].nr)
+ return -1;
+ if (memcmp(rk, C[i].enc, 4*(C[i].nr + 1)))
+ return -1;
+ if (br_aes_ct_keysched_stddec(rk, key, C[i].len) != C[i].nr)
+ return -1;
+ if (memcmp(rk, C[i].dec, 4*(C[i].nr + 1)))
+ return -1;
+ }
+
+ return 0;
+}
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592238453 0
# Mon Jun 15 16:27:33 2020 +0000
# Branch trunk
# Node ID 86fed1861ac3279e6d19505769e4331842fea55c
# Parent 28973955038a44907a800f3333d8dec03c77c8b2
# EXP-Topic riastradh-kernelcrypto
Add AES implementation with VIA ACE.
diff -r 28973955038a -r 86fed1861ac3 sys/arch/x86/conf/files.x86
--- a/sys/arch/x86/conf/files.x86 Mon Jun 15 16:19:29 2020 +0000
+++ b/sys/arch/x86/conf/files.x86 Mon Jun 15 16:27:33 2020 +0000
@@ -168,3 +168,6 @@ file arch/x86/pci/pci_addr_fixup.c pci_a
# AES-NI
include "crypto/aes/arch/x86/files.aesni"
+
+# VIA ACE
+include "crypto/aes/arch/x86/files.aesvia"
diff -r 28973955038a -r 86fed1861ac3 sys/arch/x86/x86/identcpu.c
--- a/sys/arch/x86/x86/identcpu.c Mon Jun 15 16:19:29 2020 +0000
+++ b/sys/arch/x86/x86/identcpu.c Mon Jun 15 16:27:33 2020 +0000
@@ -40,6 +40,7 @@
#include <sys/cpu.h>
#include <crypto/aes/arch/x86/aes_ni.h>
+#include <crypto/aes/arch/x86/aes_via.h>
#include <uvm/uvm_extern.h>
@@ -1000,7 +1001,10 @@ cpu_probe(struct cpu_info *ci)
#ifdef __x86_64__ /* not yet implemented on i386 */
if (cpu_feature[1] & CPUID2_AES)
aes_md_init(&aes_ni_impl);
+ else
#endif
+ if (cpu_feature[4] & CPUID_VIA_HAS_ACE)
+ aes_md_init(&aes_via_impl);
} else {
/*
* If not first. Warn about cpu_feature mismatch for
diff -r 28973955038a -r 86fed1861ac3 sys/crypto/aes/arch/x86/aes_via.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/aes_via.c Mon Jun 15 16:27:33 2020 +0000
@@ -0,0 +1,626 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/evcnt.h>
+#include <sys/systm.h>
+
+#include <crypto/aes/aes.h>
+#include <crypto/aes/aes_bear.h>
+
+#include <x86/cpufunc.h>
+#include <x86/cpuvar.h>
+#include <x86/fpu.h>
+#include <x86/specialreg.h>
+#include <x86/via_padlock.h>
+
+static void
+aesvia_reload_keys(void)
+{
+
+ asm volatile("pushf; popf");
+}
+
+static uint32_t
+aesvia_keylen_cw0(unsigned nrounds)
+{
+
+ /*
+ * Determine the control word bits for the key size / number of
+ * rounds. For AES-128, the hardware can do key expansion on
+ * the fly; for AES-192 and AES-256, software must do it.
+ */
+ switch (nrounds) {
+ case AES_128_NROUNDS:
+ return C3_CRYPT_CWLO_KEY128;
+ case AES_192_NROUNDS:
+ return C3_CRYPT_CWLO_KEY192 | C3_CRYPT_CWLO_KEYGEN_SW;
+ case AES_256_NROUNDS:
+ return C3_CRYPT_CWLO_KEY256 | C3_CRYPT_CWLO_KEYGEN_SW;
+ default:
+ panic("invalid AES nrounds: %u", nrounds);
+ }
+}
+
+static void
+aesvia_setenckey(struct aesenc *enc, const uint8_t *key, uint32_t nrounds)
+{
+ size_t key_len;
+
+ switch (nrounds) {
+ case AES_128_NROUNDS:
+ enc->aese_aes.aes_rk[0] = le32dec(key + 4*0);
+ enc->aese_aes.aes_rk[1] = le32dec(key + 4*1);
+ enc->aese_aes.aes_rk[2] = le32dec(key + 4*2);
+ enc->aese_aes.aes_rk[3] = le32dec(key + 4*3);
+ return;
+ case AES_192_NROUNDS:
+ key_len = 24;
+ break;
+ case AES_256_NROUNDS:
+ key_len = 32;
+ break;
+ default:
+ panic("invalid AES nrounds: %u", nrounds);
+ }
+ br_aes_ct_keysched_stdenc(enc->aese_aes.aes_rk, key, key_len);
+}
+
+static void
+aesvia_setdeckey(struct aesdec *dec, const uint8_t *key, uint32_t nrounds)
+{
+ size_t key_len;
+
+ switch (nrounds) {
+ case AES_128_NROUNDS:
+ dec->aesd_aes.aes_rk[0] = le32dec(key + 4*0);
+ dec->aesd_aes.aes_rk[1] = le32dec(key + 4*1);
+ dec->aesd_aes.aes_rk[2] = le32dec(key + 4*2);
+ dec->aesd_aes.aes_rk[3] = le32dec(key + 4*3);
+ return;
+ case AES_192_NROUNDS:
+ key_len = 24;
+ break;
+ case AES_256_NROUNDS:
+ key_len = 32;
+ break;
+ default:
+ panic("invalid AES nrounds: %u", nrounds);
+ }
+ br_aes_ct_keysched_stddec(dec->aesd_aes.aes_rk, key, key_len);
+}
+
+static inline void
+aesvia_enc1(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t cw0)
+{
+ const uint32_t cw[4] __aligned(16) = {
+ [0] = (cw0
+ | C3_CRYPT_CWLO_ALG_AES
+ | C3_CRYPT_CWLO_ENCRYPT
+ | C3_CRYPT_CWLO_NORMAL),
+ };
+ size_t nblocks = 1;
+
+ KASSERT(((uintptr_t)enc & 0xf) == 0);
+ KASSERT(((uintptr_t)in & 0xf) == 0);
+ KASSERT(((uintptr_t)out & 0xf) == 0);
+
+ asm volatile("rep xcrypt-ecb"
+ : "+c"(nblocks), "+S"(in), "+D"(out)
+ : "b"(enc), "d"(cw)
+ : "memory", "cc");
+}
+
+static inline void
+aesvia_dec1(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t cw0)
+{
+ const uint32_t cw[4] __aligned(16) = {
+ [0] = (cw0
+ | C3_CRYPT_CWLO_ALG_AES
+ | C3_CRYPT_CWLO_DECRYPT
+ | C3_CRYPT_CWLO_NORMAL),
+ };
+ size_t nblocks = 1;
+
+ KASSERT(((uintptr_t)dec & 0xf) == 0);
+ KASSERT(((uintptr_t)in & 0xf) == 0);
+ KASSERT(((uintptr_t)out & 0xf) == 0);
+
+ asm volatile("rep xcrypt-ecb"
+ : "+c"(nblocks), "+S"(in), "+D"(out)
+ : "b"(dec), "d"(cw)
+ : "memory", "cc");
+}
+
+static struct evcnt enc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "enc aligned");
+EVCNT_ATTACH_STATIC(enc_aligned_evcnt);
+static struct evcnt enc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "dec unaligned");
+EVCNT_ATTACH_STATIC(enc_unaligned_evcnt);
+
+static void
+aesvia_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+ const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
+
+ fpu_kern_enter();
+ aesvia_reload_keys();
+ if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0 &&
+ ((uintptr_t)in & 0xff0) != 0xff0) {
+ enc_aligned_evcnt.ev_count++;
+ aesvia_enc1(enc, in, out, cw0);
+ } else {
+ enc_unaligned_evcnt.ev_count++;
+ /*
+ * VIA requires 16-byte/128-bit alignment, and
+ * xcrypt-ecb reads one block past the one we're
+ * working on -- which may go past the end of the page
+ * into unmapped territory. Use a bounce buffer if
+ * either constraint is violated.
+ */
+ uint8_t inbuf[16] __aligned(16);
+ uint8_t outbuf[16] __aligned(16);
+
+ memcpy(inbuf, in, 16);
+ aesvia_enc1(enc, inbuf, outbuf, cw0);
+ memcpy(out, outbuf, 16);
+
+ explicit_memset(inbuf, 0, sizeof inbuf);
+ explicit_memset(outbuf, 0, sizeof outbuf);
+ }
+ fpu_kern_leave();
+}
+
+static struct evcnt dec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "dec aligned");
+EVCNT_ATTACH_STATIC(dec_aligned_evcnt);
+static struct evcnt dec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "dec unaligned");
+EVCNT_ATTACH_STATIC(dec_unaligned_evcnt);
+
+static void
+aesvia_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], uint32_t nrounds)
+{
+ const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
+
+ fpu_kern_enter();
+ aesvia_reload_keys();
+ if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0 &&
+ ((uintptr_t)in & 0xff0) != 0xff0) {
+ dec_aligned_evcnt.ev_count++;
+ aesvia_dec1(dec, in, out, cw0);
+ } else {
+ dec_unaligned_evcnt.ev_count++;
+ /*
+ * VIA requires 16-byte/128-bit alignment, and
+ * xcrypt-ecb reads one block past the one we're
+ * working on -- which may go past the end of the page
+ * into unmapped territory. Use a bounce buffer if
+ * either constraint is violated.
+ */
+ uint8_t inbuf[16] __aligned(16);
+ uint8_t outbuf[16] __aligned(16);
+
+ memcpy(inbuf, in, 16);
+ aesvia_dec1(dec, inbuf, outbuf, cw0);
+ memcpy(out, outbuf, 16);
+
+ explicit_memset(inbuf, 0, sizeof inbuf);
+ explicit_memset(outbuf, 0, sizeof outbuf);
+ }
+ fpu_kern_leave();
+}
+
+static inline void
+aesvia_cbc_enc1(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nblocks, uint8_t **ivp, uint32_t cw0)
+{
+ const uint32_t cw[4] __aligned(16) = {
+ [0] = (cw0
+ | C3_CRYPT_CWLO_ALG_AES
+ | C3_CRYPT_CWLO_ENCRYPT
+ | C3_CRYPT_CWLO_NORMAL),
+ };
+
+ KASSERT(((uintptr_t)enc & 0xf) == 0);
+ KASSERT(((uintptr_t)in & 0xf) == 0);
+ KASSERT(((uintptr_t)out & 0xf) == 0);
+ KASSERT(((uintptr_t)*ivp & 0xf) == 0);
+
+ /*
+ * Register effects:
+ * - Counts nblocks down to zero.
+ * - Advances in by nblocks (units of blocks).
+ * - Advances out by nblocks (units of blocks).
+ * - Updates *ivp to point at the last block of out.
+ */
+ asm volatile("rep xcrypt-cbc"
+ : "+c"(nblocks), "+S"(in), "+D"(out), "+a"(*ivp)
+ : "b"(enc), "d"(cw)
+ : "memory", "cc");
+}
+
+static inline void
+aesvia_cbc_dec1(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nblocks, uint8_t iv[static 16],
+ uint32_t cw0)
+{
+ const uint32_t cw[4] __aligned(16) = {
+ [0] = (cw0
+ | C3_CRYPT_CWLO_ALG_AES
+ | C3_CRYPT_CWLO_DECRYPT
+ | C3_CRYPT_CWLO_NORMAL),
+ };
+
+ KASSERT(((uintptr_t)dec & 0xf) == 0);
+ KASSERT(((uintptr_t)in & 0xf) == 0);
+ KASSERT(((uintptr_t)out & 0xf) == 0);
+ KASSERT(((uintptr_t)iv & 0xf) == 0);
+
+ /*
+ * Register effects:
+ * - Counts nblocks down to zero.
+ * - Advances in by nblocks (units of blocks).
+ * - Advances out by nblocks (units of blocks).
+ * Memory side effects:
+ * - Writes what was the last block of in at the address iv.
+ */
+ asm volatile("rep xcrypt-cbc"
+ : "+c"(nblocks), "+S"(in), "+D"(out)
+ : "a"(iv), "b"(dec), "d"(cw)
+ : "memory", "cc");
+}
+
+static inline void
+xor128(void *x, const void *a, const void *b)
+{
+ uint32_t *x32 = x;
+ const uint32_t *a32 = a;
+ const uint32_t *b32 = b;
+
+ x32[0] = a32[0] ^ b32[0];
+ x32[1] = a32[1] ^ b32[1];
+ x32[2] = a32[2] ^ b32[2];
+ x32[3] = a32[3] ^ b32[3];
+}
+
+static struct evcnt cbcenc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "cbcenc aligned");
+EVCNT_ATTACH_STATIC(cbcenc_aligned_evcnt);
+static struct evcnt cbcenc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "cbcenc unaligned");
+EVCNT_ATTACH_STATIC(cbcenc_unaligned_evcnt);
+
+static void
+aesvia_cbc_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+ const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
+
+ KASSERT(nbytes % 16 == 0);
+ if (nbytes == 0)
+ return;
+
+ fpu_kern_enter();
+ aesvia_reload_keys();
+ if ((((uintptr_t)in | (uintptr_t)out | (uintptr_t)iv) & 0xf) == 0) {
+ cbcenc_aligned_evcnt.ev_count++;
+ uint8_t *ivp = iv;
+ aesvia_cbc_enc1(enc, in, out, nbytes/16, &ivp, cw0);
+ memcpy(iv, ivp, 16);
+ } else {
+ cbcenc_unaligned_evcnt.ev_count++;
+ uint8_t cv[16] __aligned(16);
+ uint8_t tmp[16] __aligned(16);
+
+ memcpy(cv, iv, 16);
+ for (; nbytes; nbytes -= 16, in += 16, out += 16) {
+ memcpy(tmp, in, 16);
+ xor128(tmp, tmp, cv);
+ aesvia_enc1(enc, tmp, cv, cw0);
+ memcpy(out, cv, 16);
+ }
+ memcpy(iv, cv, 16);
+ }
+ fpu_kern_leave();
+}
+
+static struct evcnt cbcdec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "cbcdec aligned");
+EVCNT_ATTACH_STATIC(cbcdec_aligned_evcnt);
+static struct evcnt cbcdec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "cbcdec unaligned");
+EVCNT_ATTACH_STATIC(cbcdec_unaligned_evcnt);
+
+static void
+aesvia_cbc_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t iv[static 16],
+ uint32_t nrounds)
+{
+ const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
+
+ KASSERT(nbytes % 16 == 0);
+ if (nbytes == 0)
+ return;
+
+ fpu_kern_enter();
+ aesvia_reload_keys();
+ if ((((uintptr_t)in | (uintptr_t)out | (uintptr_t)iv) & 0xf) == 0) {
+ cbcdec_aligned_evcnt.ev_count++;
+ aesvia_cbc_dec1(dec, in, out, nbytes/16, iv, cw0);
+ } else {
+ cbcdec_unaligned_evcnt.ev_count++;
+ uint8_t iv0[16] __aligned(16);
+ uint8_t cv[16] __aligned(16);
+ uint8_t tmp[16] __aligned(16);
+
+ memcpy(iv0, iv, 16);
+ memcpy(cv, in + nbytes - 16, 16);
+ memcpy(iv, cv, 16);
+
+ for (;;) {
+ aesvia_dec1(dec, cv, tmp, cw0);
+ if ((nbytes -= 16) == 0)
+ break;
+ memcpy(cv, in + nbytes - 16, 16);
+ xor128(tmp, tmp, cv);
+ memcpy(out + nbytes, tmp, 16);
+ }
+
+ xor128(tmp, tmp, iv0);
+ memcpy(out, tmp, 16);
+ explicit_memset(tmp, 0, sizeof tmp);
+ }
+ fpu_kern_leave();
+}
+
+static inline void
+aesvia_xts_update(uint32_t *t0, uint32_t *t1, uint32_t *t2, uint32_t *t3)
+{
+ uint32_t s0, s1, s2, s3;
+
+ s0 = *t0 >> 31;
+ s1 = *t1 >> 31;
+ s2 = *t2 >> 31;
+ s3 = *t3 >> 31;
+ *t0 = (*t0 << 1) ^ (-s3 & 0x87);
+ *t1 = (*t1 << 1) ^ s0;
+ *t2 = (*t2 << 1) ^ s1;
+ *t3 = (*t3 << 1) ^ s2;
+}
+
+static int
+aesvia_xts_update_selftest(void)
+{
+ static const struct {
+ uint32_t in[4], out[4];
+ } cases[] = {
+ { {1}, {2} },
+ { {0x80000000U,0,0,0}, {0,1,0,0} },
+ { {0,0x80000000U,0,0}, {0,0,1,0} },
+ { {0,0,0x80000000U,0}, {0,0,0,1} },
+ { {0,0,0,0x80000000U}, {0x87,0,0,0} },
+ { {0,0x80000000U,0,0x80000000U}, {0x87,0,1,0} },
+ };
+ unsigned i;
+ uint32_t t0, t1, t2, t3;
+
+ for (i = 0; i < sizeof(cases)/sizeof(cases[0]); i++) {
+ t0 = cases[i].in[0];
+ t1 = cases[i].in[1];
+ t2 = cases[i].in[2];
+ t3 = cases[i].in[3];
+ aesvia_xts_update(&t0, &t1, &t2, &t3);
+ if (t0 != cases[i].out[0] ||
+ t1 != cases[i].out[1] ||
+ t2 != cases[i].out[2] ||
+ t3 != cases[i].out[3])
+ return -1;
+ }
+
+ /* Success! */
+ return 0;
+}
+
+static struct evcnt xtsenc_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "xtsenc aligned");
+EVCNT_ATTACH_STATIC(xtsenc_aligned_evcnt);
+static struct evcnt xtsenc_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "xtsenc unaligned");
+EVCNT_ATTACH_STATIC(xtsenc_unaligned_evcnt);
+
+static void
+aesvia_xts_enc(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+ const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
+ uint32_t t[4];
+
+ KASSERT(nbytes % 16 == 0);
+
+ memcpy(t, tweak, 16);
+
+ fpu_kern_enter();
+ aesvia_reload_keys();
+ if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0) {
+ xtsenc_aligned_evcnt.ev_count++;
+ unsigned lastblock = 0;
+
+ /*
+ * Make sure the last block is not the last block of a
+ * page. (Note that we store the AES input in `out' as
+ * a temporary buffer, rather than reading it directly
+ * from `in', since we have to combine the tweak
+ * first.)
+ */
+ lastblock = 16*(((uintptr_t)(out + nbytes) & 0xfff) == 0);
+ nbytes -= lastblock;
+
+ for (; nbytes; nbytes -= 16, in += 16, out += 16) {
+ xor128(out, in, t);
+ aesvia_enc1(enc, out, out, cw0);
+ xor128(out, out, t);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+
+ /* Handle the last block of a page, if necessary. */
+ if (lastblock) {
+ uint8_t buf[16] __aligned(16);
+ xor128(buf, in, t);
+ aesvia_enc1(enc, buf, out, cw0);
+ explicit_memset(buf, 0, sizeof buf);
+ }
+ } else {
+ xtsenc_unaligned_evcnt.ev_count++;
+ uint8_t buf[16] __aligned(16);
+
+ for (; nbytes; nbytes -= 16, in += 16, out += 16) {
+ memcpy(buf, in, 16);
+ xor128(buf, buf, t);
+ aesvia_enc1(enc, buf, buf, cw0);
+ xor128(buf, buf, t);
+ memcpy(out, buf, 16);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+
+ explicit_memset(buf, 0, sizeof buf);
+ }
+ fpu_kern_leave();
+
+ memcpy(tweak, t, 16);
+ explicit_memset(t, 0, sizeof t);
+}
+
+static struct evcnt xtsdec_aligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "xtsdec aligned");
+EVCNT_ATTACH_STATIC(xtsdec_aligned_evcnt);
+static struct evcnt xtsdec_unaligned_evcnt = EVCNT_INITIALIZER(EVCNT_TYPE_MISC,
+ NULL, "aesvia", "xtsdec unaligned");
+EVCNT_ATTACH_STATIC(xtsdec_unaligned_evcnt);
+
+static void
+aesvia_xts_dec(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nbytes, uint8_t tweak[static 16],
+ uint32_t nrounds)
+{
+ const uint32_t cw0 = aesvia_keylen_cw0(nrounds);
+ uint32_t t[4];
+
+ KASSERT(nbytes % 16 == 0);
+
+ memcpy(t, tweak, 16);
+
+ fpu_kern_enter();
+ aesvia_reload_keys();
+ if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0) {
+ xtsdec_aligned_evcnt.ev_count++;
+ unsigned lastblock = 0;
+
+ /*
+ * Make sure the last block is not the last block of a
+ * page. (Note that we store the AES input in `out' as
+ * a temporary buffer, rather than reading it directly
+ * from `in', since we have to combine the tweak
+ * first.)
+ */
+ lastblock = 16*(((uintptr_t)(out + nbytes) & 0xfff) == 0);
+ nbytes -= lastblock;
+
+ for (; nbytes; nbytes -= 16, in += 16, out += 16) {
+ xor128(out, in, t);
+ aesvia_dec1(dec, out, out, cw0);
+ xor128(out, out, t);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+
+ /* Handle the last block of a page, if necessary. */
+ if (lastblock) {
+ uint8_t buf[16] __aligned(16);
+ xor128(buf, in, t);
+ aesvia_dec1(dec, buf, out, cw0);
+ explicit_memset(buf, 0, sizeof buf);
+ }
+ } else {
+ xtsdec_unaligned_evcnt.ev_count++;
+ uint8_t buf[16] __aligned(16);
+
+ for (; nbytes; nbytes -= 16, in += 16, out += 16) {
+ memcpy(buf, in, 16);
+ xor128(buf, buf, t);
+ aesvia_dec1(dec, buf, buf, cw0);
+ xor128(buf, buf, t);
+ memcpy(out, buf, 16);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+
+ explicit_memset(buf, 0, sizeof buf);
+ }
+ fpu_kern_leave();
+
+ memcpy(tweak, t, 16);
+ explicit_memset(t, 0, sizeof t);
+}
+
+static int
+aesvia_probe(void)
+{
+
+ /* Verify that the CPU advertises VIA ACE support. */
+ if ((cpu_feature[4] & CPUID_VIA_HAS_ACE) == 0)
+ return -1;
+
+ /* Verify that our XTS tweak update logic works. */
+ if (aesvia_xts_update_selftest())
+ return -1;
+
+ /* Success! */
+ return 0;
+}
+
+struct aes_impl aes_via_impl = {
+ .ai_name = "VIA ACE",
+ .ai_probe = aesvia_probe,
+ .ai_setenckey = aesvia_setenckey,
+ .ai_setdeckey = aesvia_setdeckey,
+ .ai_enc = aesvia_enc,
+ .ai_dec = aesvia_dec,
+ .ai_cbc_enc = aesvia_cbc_enc,
+ .ai_cbc_dec = aesvia_cbc_dec,
+ .ai_xts_enc = aesvia_xts_enc,
+ .ai_xts_dec = aesvia_xts_dec,
+};
diff -r 28973955038a -r 86fed1861ac3 sys/crypto/aes/arch/x86/aes_via.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/aes_via.h Mon Jun 15 16:27:33 2020 +0000
@@ -0,0 +1,36 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _CRYPTO_AES_ARCH_X86_AES_VIA_H
+#define _CRYPTO_AES_ARCH_X86_AES_VIA_H
+
+#include <crypto/aes/aes.h>
+
+extern struct aes_impl aes_via_impl;
+
+#endif /* _CRYPTO_AES_ARCH_X86_AES_VIA_H */
diff -r 28973955038a -r 86fed1861ac3 sys/crypto/aes/arch/x86/files.aesvia
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/aes/arch/x86/files.aesvia Mon Jun 15 16:27:33 2020 +0000
@@ -0,0 +1,3 @@
+# $NetBSD$
+
+file crypto/aes/arch/x86/aes_via.c aes
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592258370 0
# Mon Jun 15 21:59:30 2020 +0000
# Branch trunk
# Node ID 1ff6250fd07e4ed180d6b61958c9e7ae3667d4f7
# Parent 86fed1861ac3279e6d19505769e4331842fea55c
# EXP-Topic riastradh-kernelcrypto
uvm: Make sure swap encryption IV is 128-bit-aligned on stack.
Will help hardware-assisted AES.
diff -r 86fed1861ac3 -r 1ff6250fd07e sys/uvm/uvm_swap.c
--- a/sys/uvm/uvm_swap.c Mon Jun 15 16:27:33 2020 +0000
+++ b/sys/uvm/uvm_swap.c Mon Jun 15 21:59:30 2020 +0000
@@ -2089,7 +2089,7 @@ uvm_swap_genkey(struct swapdev *sdp)
static void
uvm_swap_encryptpage(struct swapdev *sdp, void *kva, int slot)
{
- uint8_t preiv[16] = {0}, iv[16];
+ uint8_t preiv[16] __aligned(16) = {0}, iv[16] __aligned(16);
/* iv := AES_k(le32enc(slot) || 0^96) */
le32enc(preiv, slot);
@@ -2111,7 +2111,7 @@ uvm_swap_encryptpage(struct swapdev *sdp
static void
uvm_swap_decryptpage(struct swapdev *sdp, void *kva, int slot)
{
- uint8_t preiv[16] = {0}, iv[16];
+ uint8_t preiv[16] __aligned(16) = {0}, iv[16] __aligned(16);
/* iv := AES_k(le32enc(slot) || 0^96) */
le32enc(preiv, slot);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592261759 0
# Mon Jun 15 22:55:59 2020 +0000
# Branch trunk
# Node ID 36794fee0d0481ed3f3253e8d4ef6b87c96c13b7
# Parent 1ff6250fd07e4ed180d6b61958c9e7ae3667d4f7
# EXP-Topic riastradh-kernelcrypto
Batch AES-XTS computation into eight blocks at a time.
Experimental -- performance improvement is not clearly worth the
complexity.
diff -r 1ff6250fd07e -r 36794fee0d04 sys/crypto/aes/arch/x86/aes_via.c
--- a/sys/crypto/aes/arch/x86/aes_via.c Mon Jun 15 21:59:30 2020 +0000
+++ b/sys/crypto/aes/arch/x86/aes_via.c Mon Jun 15 22:55:59 2020 +0000
@@ -119,8 +119,8 @@ aesvia_setdeckey(struct aesdec *dec, con
}
static inline void
-aesvia_enc1(const struct aesenc *enc, const uint8_t in[static 16],
- uint8_t out[static 16], uint32_t cw0)
+aesvia_encN(const struct aesenc *enc, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nblocks, uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
[0] = (cw0
@@ -128,7 +128,6 @@ aesvia_enc1(const struct aesenc *enc, co
| C3_CRYPT_CWLO_ENCRYPT
| C3_CRYPT_CWLO_NORMAL),
};
- size_t nblocks = 1;
KASSERT(((uintptr_t)enc & 0xf) == 0);
KASSERT(((uintptr_t)in & 0xf) == 0);
@@ -141,8 +140,8 @@ aesvia_enc1(const struct aesenc *enc, co
}
static inline void
-aesvia_dec1(const struct aesdec *dec, const uint8_t in[static 16],
- uint8_t out[static 16], uint32_t cw0)
+aesvia_decN(const struct aesdec *dec, const uint8_t in[static 16],
+ uint8_t out[static 16], size_t nblocks, uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
[0] = (cw0
@@ -150,7 +149,6 @@ aesvia_dec1(const struct aesdec *dec, co
| C3_CRYPT_CWLO_DECRYPT
| C3_CRYPT_CWLO_NORMAL),
};
- size_t nblocks = 1;
KASSERT(((uintptr_t)dec & 0xf) == 0);
KASSERT(((uintptr_t)in & 0xf) == 0);
@@ -180,7 +178,7 @@ aesvia_enc(const struct aesenc *enc, con
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0 &&
((uintptr_t)in & 0xff0) != 0xff0) {
enc_aligned_evcnt.ev_count++;
- aesvia_enc1(enc, in, out, cw0);
+ aesvia_encN(enc, in, out, 1, cw0);
} else {
enc_unaligned_evcnt.ev_count++;
/*
@@ -194,7 +192,7 @@ aesvia_enc(const struct aesenc *enc, con
uint8_t outbuf[16] __aligned(16);
memcpy(inbuf, in, 16);
- aesvia_enc1(enc, inbuf, outbuf, cw0);
+ aesvia_encN(enc, inbuf, outbuf, 1, cw0);
memcpy(out, outbuf, 16);
explicit_memset(inbuf, 0, sizeof inbuf);
@@ -221,7 +219,7 @@ aesvia_dec(const struct aesdec *dec, con
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0 &&
((uintptr_t)in & 0xff0) != 0xff0) {
dec_aligned_evcnt.ev_count++;
- aesvia_dec1(dec, in, out, cw0);
+ aesvia_decN(dec, in, out, 1, cw0);
} else {
dec_unaligned_evcnt.ev_count++;
/*
@@ -235,7 +233,7 @@ aesvia_dec(const struct aesdec *dec, con
uint8_t outbuf[16] __aligned(16);
memcpy(inbuf, in, 16);
- aesvia_dec1(dec, inbuf, outbuf, cw0);
+ aesvia_decN(dec, inbuf, outbuf, 1, cw0);
memcpy(out, outbuf, 16);
explicit_memset(inbuf, 0, sizeof inbuf);
@@ -245,7 +243,7 @@ aesvia_dec(const struct aesdec *dec, con
}
static inline void
-aesvia_cbc_enc1(const struct aesenc *enc, const uint8_t in[static 16],
+aesvia_cbc_encN(const struct aesenc *enc, const uint8_t in[static 16],
uint8_t out[static 16], size_t nblocks, uint8_t **ivp, uint32_t cw0)
{
const uint32_t cw[4] __aligned(16) = {
@@ -274,7 +272,7 @@ aesvia_cbc_enc1(const struct aesenc *enc
}
static inline void
-aesvia_cbc_dec1(const struct aesdec *dec, const uint8_t in[static 16],
+aesvia_cbc_decN(const struct aesdec *dec, const uint8_t in[static 16],
uint8_t out[static 16], size_t nblocks, uint8_t iv[static 16],
uint32_t cw0)
{
@@ -340,7 +338,7 @@ aesvia_cbc_enc(const struct aesenc *enc,
if ((((uintptr_t)in | (uintptr_t)out | (uintptr_t)iv) & 0xf) == 0) {
cbcenc_aligned_evcnt.ev_count++;
uint8_t *ivp = iv;
- aesvia_cbc_enc1(enc, in, out, nbytes/16, &ivp, cw0);
+ aesvia_cbc_encN(enc, in, out, nbytes/16, &ivp, cw0);
memcpy(iv, ivp, 16);
} else {
cbcenc_unaligned_evcnt.ev_count++;
@@ -351,7 +349,7 @@ aesvia_cbc_enc(const struct aesenc *enc,
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
memcpy(tmp, in, 16);
xor128(tmp, tmp, cv);
- aesvia_enc1(enc, tmp, cv, cw0);
+ aesvia_encN(enc, tmp, cv, 1, cw0);
memcpy(out, cv, 16);
}
memcpy(iv, cv, 16);
@@ -381,7 +379,7 @@ aesvia_cbc_dec(const struct aesdec *dec,
aesvia_reload_keys();
if ((((uintptr_t)in | (uintptr_t)out | (uintptr_t)iv) & 0xf) == 0) {
cbcdec_aligned_evcnt.ev_count++;
- aesvia_cbc_dec1(dec, in, out, nbytes/16, iv, cw0);
+ aesvia_cbc_decN(dec, in, out, nbytes/16, iv, cw0);
} else {
cbcdec_unaligned_evcnt.ev_count++;
uint8_t iv0[16] __aligned(16);
@@ -393,7 +391,7 @@ aesvia_cbc_dec(const struct aesdec *dec,
memcpy(iv, cv, 16);
for (;;) {
- aesvia_dec1(dec, cv, tmp, cw0);
+ aesvia_decN(dec, cv, tmp, 1, cw0);
if ((nbytes -= 16) == 0)
break;
memcpy(cv, in + nbytes - 16, 16);
@@ -480,6 +478,7 @@ aesvia_xts_enc(const struct aesenc *enc,
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0) {
xtsenc_aligned_evcnt.ev_count++;
unsigned lastblock = 0;
+ uint32_t buf[8*4] __aligned(16);
/*
* Make sure the last block is not the last block of a
@@ -491,20 +490,43 @@ aesvia_xts_enc(const struct aesenc *enc,
lastblock = 16*(((uintptr_t)(out + nbytes) & 0xfff) == 0);
nbytes -= lastblock;
- for (; nbytes; nbytes -= 16, in += 16, out += 16) {
- xor128(out, in, t);
- aesvia_enc1(enc, out, out, cw0);
- xor128(out, out, t);
- aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ /*
+ * Handle an odd number of initial blocks so we can
+ * process the rest in eight-block (128-byte) chunks.
+ */
+ if (nbytes % 128) {
+ unsigned nbytes128 = nbytes % 128;
+
+ nbytes -= nbytes128;
+ for (; nbytes128; nbytes128 -= 16, in += 16, out += 16)
+ {
+ xor128(out, in, t);
+ aesvia_encN(enc, out, out, 1, cw0);
+ xor128(out, out, t);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+ }
+
+ /* Process eight blocks at a time. */
+ for (; nbytes; nbytes -= 128, in += 128, out += 128) {
+ unsigned i;
+ for (i = 0; i < 8; i++) {
+ memcpy(buf + 4*i, t, 16);
+ xor128(out + 4*i, in + 4*i, t);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+ aesvia_encN(enc, out, out, 8, cw0);
+ for (i = 0; i < 8; i++)
+ xor128(out + 4*i, in + 4*i, buf + 4*i);
}
/* Handle the last block of a page, if necessary. */
if (lastblock) {
- uint8_t buf[16] __aligned(16);
xor128(buf, in, t);
- aesvia_enc1(enc, buf, out, cw0);
- explicit_memset(buf, 0, sizeof buf);
+ aesvia_encN(enc, (const void *)buf, out, 1, cw0);
}
+
+ explicit_memset(buf, 0, sizeof buf);
} else {
xtsenc_unaligned_evcnt.ev_count++;
uint8_t buf[16] __aligned(16);
@@ -512,7 +534,7 @@ aesvia_xts_enc(const struct aesenc *enc,
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
memcpy(buf, in, 16);
xor128(buf, buf, t);
- aesvia_enc1(enc, buf, buf, cw0);
+ aesvia_encN(enc, buf, buf, 1, cw0);
xor128(buf, buf, t);
memcpy(out, buf, 16);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
@@ -550,6 +572,7 @@ aesvia_xts_dec(const struct aesdec *dec,
if ((((uintptr_t)in | (uintptr_t)out) & 0xf) == 0) {
xtsdec_aligned_evcnt.ev_count++;
unsigned lastblock = 0;
+ uint32_t buf[8*4] __aligned(16);
/*
* Make sure the last block is not the last block of a
@@ -561,20 +584,43 @@ aesvia_xts_dec(const struct aesdec *dec,
lastblock = 16*(((uintptr_t)(out + nbytes) & 0xfff) == 0);
nbytes -= lastblock;
- for (; nbytes; nbytes -= 16, in += 16, out += 16) {
- xor128(out, in, t);
- aesvia_dec1(dec, out, out, cw0);
- xor128(out, out, t);
- aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ /*
+ * Handle an odd number of initial blocks so we can
+ * process the rest in eight-block (128-byte) chunks.
+ */
+ if (nbytes % 128) {
+ unsigned nbytes128 = nbytes % 128;
+
+ nbytes -= nbytes128;
+ for (; nbytes128; nbytes128 -= 16, in += 16, out += 16)
+ {
+ xor128(out, in, t);
+ aesvia_decN(dec, out, out, 1, cw0);
+ xor128(out, out, t);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+ }
+
+ /* Process eight blocks at a time. */
+ for (; nbytes; nbytes -= 128, in += 128, out += 128) {
+ unsigned i;
+ for (i = 0; i < 8; i++) {
+ memcpy(buf + 4*i, t, 16);
+ xor128(out + 4*i, in + 4*i, t);
+ aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
+ }
+ aesvia_decN(dec, out, out, 8, cw0);
+ for (i = 0; i < 8; i++)
+ xor128(out + 4*i, in + 4*i, buf + 4*i);
}
/* Handle the last block of a page, if necessary. */
if (lastblock) {
- uint8_t buf[16] __aligned(16);
xor128(buf, in, t);
- aesvia_dec1(dec, buf, out, cw0);
- explicit_memset(buf, 0, sizeof buf);
+ aesvia_decN(dec, (const void *)buf, out, 1, cw0);
}
+
+ explicit_memset(buf, 0, sizeof buf);
} else {
xtsdec_unaligned_evcnt.ev_count++;
uint8_t buf[16] __aligned(16);
@@ -582,7 +628,7 @@ aesvia_xts_dec(const struct aesdec *dec,
for (; nbytes; nbytes -= 16, in += 16, out += 16) {
memcpy(buf, in, 16);
xor128(buf, buf, t);
- aesvia_dec1(dec, buf, buf, cw0);
+ aesvia_decN(dec, buf, buf, 1, cw0);
xor128(buf, buf, t);
memcpy(out, buf, 16);
aesvia_xts_update(&t[0], &t[1], &t[2], &t[3]);
# HG changeset patch
# User Taylor R Campbell <riastradh%NetBSD.org@localhost>
# Date 1592362063 0
# Wed Jun 17 02:47:43 2020 +0000
# Branch trunk
# Node ID 9fde04e138c10fd0fca4362c7d93fd3ef4b325ad
# Parent 36794fee0d0481ed3f3253e8d4ef6b87c96c13b7
# EXP-Topic riastradh-kernelcrypto
New cgd cipher adiantum.
Adiantum is a wide-block cipher, built out of AES, XChaCha12,
Poly1305, and NH, defined in
Paul Crowley and Eric Biggers, `Adiantum: length-preserving
encryption for entry-level processors', IACR Transactions on
Symmetric Cryptology 2018(4), pp. 39--61.
Adiantum provides better security than a narrow-block cipher with CBC
or XTS, because every bit of each sector affects every other bit,
whereas with CBC each block of plaintext only affects the following
blocks of ciphertext in the disk sector, and with XTS each block of
plaintext only affects its own block of ciphertext and nothing else.
Adiantum generally provides much better performance than
constant-time AES-CBC or AES-XTS software do without hardware
support, and performance comparable to or better than the
variable-time (i.e., leaky) AES-CBC and AES-XTS software we had
before. (Note: Adiantum also uses AES as a subroutine, but only once
per disk sector. It takes only a small fraction of the time spent by
Adiantum, so there's relatively little performance impact to using
constant-time AES software over using variable-time AES software for
it.)
Adiantum naturally scales to essentially arbitrary disk sector sizes;
sizes >=1024-bytes take the most advantage of Adiantum's design for
performance, so 4096-byte sectors would be a natural choice if we
taught cgd to change the disk sector size. (However, it's a
different cipher for each disk sector size, so it _must_ be a cgd
parameter.)
The paper presents a similar construction HPolyC. The salient
difference is that HPolyC uses Poly1305 directly, whereas Adiantum
uses Poly1395(NH(...)). NH is annoying because it requires a
1072-byte key, which means the test vectors are ginormous, and
changing keys is costly; HPolyC avoids these shortcomings by using
Poly1305 directly, but HPolyC is measurably slower, costing about
1.5x what Adiantum costs on 4096-byte sectors.
For the purposes of cgd, we will reuse each key for many messages,
and there will be very few keys in total (one per cgd volume) so --
except for the annoying verbosity of test vectors -- the tradeoff
weighs in the favour of Adiantum, especially if we teach cgd to do
>>512-byte sectors.
For now, everything that Adiantum needs beyond what's already in the
kernel is gathered into a single file, including NH, Poly1305, and
XChaCha12. We can split those out -- and reuse them, and provide MD
tuned implementations, and so on -- as needed; this is just a first
pass to get Adiantum implemented for experimentation.
diff -r 36794fee0d04 -r 9fde04e138c1 sys/conf/files
--- a/sys/conf/files Mon Jun 15 22:55:59 2020 +0000
+++ b/sys/conf/files Wed Jun 17 02:47:43 2020 +0000
@@ -200,6 +200,7 @@ defflag opt_machdep.h MACHDEP
# use it.
# Individual crypto transforms
+include "crypto/adiantum/files.adiantum"
include "crypto/aes/files.aes"
include "crypto/des/files.des"
include "crypto/blowfish/files.blowfish"
@@ -1395,7 +1396,7 @@ file dev/ic/amdccp.c amdccp
defpseudodev vnd: disk
defflag opt_vnd.h VND_COMPRESSION
defpseudo ccd: disk
-defpseudodev cgd: disk, des, blowfish, cast128, aes
+defpseudodev cgd: disk, des, blowfish, cast128, aes, adiantum
defpseudodev md: disk
defpseudodev fss: disk
diff -r 36794fee0d04 -r 9fde04e138c1 sys/crypto/adiantum/adiantum.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/adiantum/adiantum.c Wed Jun 17 02:47:43 2020 +0000
@@ -0,0 +1,2316 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * The Adiantum wide-block cipher, from
+ *
+ * Paul Crowley and Eric Biggers, `Adiantum: length-preserving
+ * encryption for entry-level processors', IACR Transactions on
+ * Symmetric Cryptology 2018(4), pp. 39--61.
+ *
+ * https://doi.org/10.13154/tosc.v2018.i4.39-61
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+#include <sys/endian.h>
+
+#ifdef _KERNEL
+
+#include <sys/module.h>
+#include <sys/systm.h>
+
+#include <lib/libkern/libkern.h>
+
+#include <crypto/adiantum/adiantum.h>
+#include <crypto/aes/aes.h>
+
+#else /* !defined(_KERNEL) */
+
+#include <sys/cdefs.h>
+
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/aes.h>
+
+struct aesenc {
+ AES_KEY enckey;
+};
+
+struct aesdec {
+ AES_KEY deckey;
+};
+
+#define AES_256_NROUNDS 14
+#define aes_setenckey256(E, K) AES_set_encrypt_key((K), 256, &(E)->enckey)
+#define aes_setdeckey256(D, K) AES_set_decrypt_key((K), 256, &(D)->deckey)
+#define aes_enc(E, P, C, NR) AES_encrypt(P, C, &(E)->enckey)
+#define aes_dec(D, C, P, NR) AES_decrypt(C, P, &(D)->deckey)
+
+#include "adiantum.h"
+
+#define CTASSERT __CTASSERT
+#define KASSERT assert
+#define MIN(x,y) ((x) < (y) ? (x) : (y))
+
+static void
+hexdump(int (*prf)(const char *, ...) __printflike(1,2), const char *prefix,
+ const void *buf, size_t len)
+{
+ const uint8_t *p = buf;
+ size_t i;
+
+ (*prf)("%s (%zu bytes)\n", prefix, len);
+ for (i = 0; i < len; i++) {
+ if (i % 16 == 8)
+ (*prf)(" ");
+ else
+ (*prf)(" ");
+ (*prf)("%02hhx", p[i]);
+ if ((i + 1) % 16 == 0)
+ (*prf)("\n");
+ }
+ if (i % 16)
+ (*prf)("\n");
+}
+
+#endif /* _KERNEL */
+
+/* Arithmetic modulo 2^128, represented by 16-digit strings in radix 2^8. */
+
+/* s := a + b (mod 2^128) */
+static inline void
+add128(uint8_t s[restrict static 16],
+ const uint8_t a[static 16], const uint8_t b[static 16])
+{
+ unsigned i, c;
+
+ c = 0;
+ for (i = 0; i < 16; i++) {
+ c = a[i] + b[i] + c;
+ s[i] = c & 0xff;
+ c >>= 8;
+ }
+}
+
+/* s := a - b (mod 2^128) */
+static inline void
+sub128(uint8_t d[restrict static 16],
+ const uint8_t a[static 16], const uint8_t b[static 16])
+{
+ unsigned i, c;
+
+ c = 0;
+ for (i = 0; i < 16; i++) {
+ c = a[i] - b[i] - c;
+ d[i] = c & 0xff;
+ c = 1 & (c >> 8);
+ }
+}
+
+static int
+addsub128_selftest(void)
+{
+ static const uint8_t zero[16] = {
+ 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ };
+ static const uint8_t one[16] = {
+ 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ };
+ static const uint8_t negativeone[16] = {
+ 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,
+ 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,
+ };
+ static const uint8_t a[16] = {
+ 0x03,0x80,0x00,0x00, 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ };
+ static const uint8_t b[16] = {
+ 0x01,0x82,0x00,0x00, 0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ };
+ static const uint8_t c[16] = {
+ 0x02,0xfe,0xff,0xff, 0xff,0xff,0xff,0xff,
+ 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,
+ };
+ uint8_t r[16];
+ int result = 0;
+
+ sub128(r, zero, one);
+ if (memcmp(r, negativeone, 16)) {
+ hexdump(printf, "sub128 1", r, sizeof r);
+ result = -1;
+ }
+
+ sub128(r, a, b);
+ if (memcmp(r, c, 16)) {
+ hexdump(printf, "sub128 2", r, sizeof r);
+ result = -1;
+ }
+
+ return result;
+}
+
+/* Poly1305 */
+
+struct poly1305 {
+ uint32_t r[5]; /* evaluation point */
+ uint32_t h[5]; /* value */
+};
+
+static void
+poly1305_init(struct poly1305 *P, const uint8_t key[static 16])
+{
+
+ /* clamp */
+ P->r[0] = (le32dec(key + 0) >> 0) & 0x03ffffff;
+ P->r[1] = (le32dec(key + 3) >> 2) & 0x03ffff03;
+ P->r[2] = (le32dec(key + 6) >> 4) & 0x03ffc0ff;
+ P->r[3] = (le32dec(key + 9) >> 6) & 0x03f03fff;
+ P->r[4] = (le32dec(key + 12) >> 8) & 0x000fffff;
+
+ /* initialize polynomial evaluation */
+ P->h[0] = P->h[1] = P->h[2] = P->h[3] = P->h[4] = 0;
+}
+
+static void
+poly1305_update_internal(struct poly1305 *P, const uint8_t m[static 16],
+ uint32_t pad)
+{
+ uint32_t r0 = P->r[0];
+ uint32_t r1 = P->r[1];
+ uint32_t r2 = P->r[2];
+ uint32_t r3 = P->r[3];
+ uint32_t r4 = P->r[4];
+ uint32_t h0 = P->h[0];
+ uint32_t h1 = P->h[1];
+ uint32_t h2 = P->h[2];
+ uint32_t h3 = P->h[3];
+ uint32_t h4 = P->h[4];
+ uint64_t k0, k1, k2, k3, k4; /* 64-bit extension of h */
+ uint64_t p0, p1, p2, p3, p4; /* columns of product */
+ uint32_t c; /* carry */
+
+ /* h' := h + m */
+ h0 += (le32dec(m + 0) >> 0) & 0x03ffffff;
+ h1 += (le32dec(m + 3) >> 2) & 0x03ffffff;
+ h2 += (le32dec(m + 6) >> 4) & 0x03ffffff;
+ h3 += (le32dec(m + 9) >> 6);
+ h4 += (le32dec(m + 12) >> 8) | (pad << 24);
+
+ /* extend to 64 bits */
+ k0 = h0;
+ k1 = h1;
+ k2 = h2;
+ k3 = h3;
+ k4 = h4;
+
+ /* p := h' * r = (h + m)*r mod 2^130 - 5 */
+ p0 = r0*k0 + 5*r4*k1 + 5*r3*k2 + 5*r2*k3 + 5*r1*k4;
+ p1 = r1*k0 + r0*k1 + 5*r4*k2 + 5*r3*k3 + 5*r2*k4;
+ p2 = r2*k0 + r1*k1 + r0*k2 + 5*r4*k3 + 5*r3*k4;
+ p3 = r3*k0 + r2*k1 + r1*k2 + r0*k3 + 5*r4*k4;
+ p4 = r4*k0 + r3*k1 + r2*k2 + r1*k3 + r0*k4;
+
+ /* propagate carries */
+ p0 += 0; c = p0 >> 26; h0 = p0 & 0x03ffffff;
+ p1 += c; c = p1 >> 26; h1 = p1 & 0x03ffffff;
+ p2 += c; c = p2 >> 26; h2 = p2 & 0x03ffffff;
+ p3 += c; c = p3 >> 26; h3 = p3 & 0x03ffffff;
+ p4 += c; c = p4 >> 26; h4 = p4 & 0x03ffffff;
+
+ /* reduce 2^130 = 5 */
+ h0 += c*5; c = h0 >> 26; h0 &= 0x03ffffff;
+ h1 += c;
+
+ /* update hash values */
+ P->h[0] = h0;
+ P->h[1] = h1;
+ P->h[2] = h2;
+ P->h[3] = h3;
+ P->h[4] = h4;
+}
+
+static void
+poly1305_update_block(struct poly1305 *P, const uint8_t m[static 16])
+{
+
+ poly1305_update_internal(P, m, 1);
+}
+
+static void
+poly1305_update_last(struct poly1305 *P, const uint8_t *m, size_t mlen)
+{
+ uint8_t buf[16];
+ unsigned i;
+
+ if (mlen == 16) {
+ poly1305_update_internal(P, m, 1);
+ return;
+ }
+
+ for (i = 0; i < mlen; i++)
+ buf[i] = m[i];
+ buf[i++] = 1;
+ for (; i < 16; i++)
+ buf[i] = 0;
+ poly1305_update_internal(P, buf, 0);
+}
+
+static void
+poly1305_final(uint8_t *h, struct poly1305 *P)
+{
+ uint32_t h0 = P->h[0];
+ uint32_t h1 = P->h[1];
+ uint32_t h2 = P->h[2];
+ uint32_t h3 = P->h[3];
+ uint32_t h4 = P->h[4];
+ uint32_t s0, s1, s2, s3, s4; /* h - (2^130 - 5) */
+ uint32_t m; /* mask */
+ uint32_t c;
+
+ /* propagate carries */
+ h1 += 0; c = h1 >> 26; h1 &= 0x03ffffff;
+ h2 += c; c = h2 >> 26; h2 &= 0x03ffffff;
+ h3 += c; c = h3 >> 26; h3 &= 0x03ffffff;
+ h4 += c; c = h4 >> 26; h4 &= 0x03ffffff;
+
+ /* reduce 2^130 = 5 */
+ h0 += c*5; c = h0 >> 26; h0 &= 0x03ffffff;
+ h1 += c;
+
+ /* s := h - (2^130 - 5) */
+ c = 5;
+ s0 = h0 + c; c = s0 >> 26; s0 &= 0x03ffffff;
+ s1 = h1 + c; c = s1 >> 26; s1 &= 0x03ffffff;
+ s2 = h2 + c; c = s2 >> 26; s2 &= 0x03ffffff;
+ s3 = h3 + c; c = s3 >> 26; s3 &= 0x03ffffff;
+ s4 = h4 + c;
+ s4 -= 0x04000000;
+
+ /* m := -1 if h < 2^130 - 5 else 0 */
+ m = -(s4 >> 31);
+
+ /* conditional subtract */
+ h0 = (m & h0) | (~m & s0);
+ h1 = (m & h1) | (~m & s1);
+ h2 = (m & h2) | (~m & s2);
+ h3 = (m & h3) | (~m & s3);
+ h4 = (m & h4) | (~m & s4);
+
+ /* reduce modulo 2^128 */
+ le32enc(h + 0, ((h1 << 26) | (h0 >> 0)) & 0xffffffff);
+ le32enc(h + 4, ((h2 << 20) | (h1 >> 6)) & 0xffffffff);
+ le32enc(h + 8, ((h3 << 14) | (h2 >> 12)) & 0xffffffff);
+ le32enc(h + 12, ((h4 << 8) | (h3 >> 18)) & 0xffffffff);
+}
+
+static void
+poly1305(uint8_t h[static 16], const uint8_t *m, size_t mlen,
+ const uint8_t k[static 16])
+{
+ struct poly1305 P;
+
+ poly1305_init(&P, k);
+ for (; mlen > 16; mlen -= 16, m += 16)
+ poly1305_update_block(&P, m);
+ poly1305_update_last(&P, m, mlen);
+ poly1305_final(h, &P);
+}
+
+static int
+poly1305_selftest(void)
+{
+ /* https://tools.ietf.org/html/rfc7539#section-2.5.2 */
+ static const uint8_t r[16] = {
+ 0x85,0xd6,0xbe,0x78, 0x57,0x55,0x6d,0x33,
+ 0x7f,0x44,0x52,0xfe, 0x42,0xd5,0x06,0xa8,
+ };
+ static const uint8_t s[16] = {
+ 0x01,0x03,0x80,0x8a, 0xfb,0x0d,0xb2,0xfd,
+ 0x4a,0xbf,0xf6,0xaf, 0x41,0x49,0xf5,0x1b,
+ };
+ static const uint8_t m[] = {
+ 0x43,0x72,0x79,0x70, 0x74,0x6f,0x67,0x72,
+ 0x61,0x70,0x68,0x69, 0x63,0x20,0x46,0x6f,
+ 0x72,0x75,0x6d,0x20, 0x52,0x65,0x73,0x65,
+ 0x61,0x72,0x63,0x68, 0x20,0x47,0x72,0x6f,
+ 0x75,0x70,
+ };
+ static const uint8_t expected[16] = {
+ 0xa8,0x06,0x1d,0xc1, 0x30,0x51,0x36,0xc6,
+ 0xc2,0x2b,0x8b,0xaf, 0x0c,0x01,0x27,0xa9,
+ };
+ uint8_t h[16], t[16];
+ int result = 0;
+
+ poly1305(h, m, sizeof m, r);
+ add128(t, h, s);
+ if (memcmp(t, expected, 16)) {
+ hexdump(printf, "poly1305 h", h, sizeof h);
+ hexdump(printf, "poly1305 t", t, sizeof t);
+ result = -1;
+ }
+
+ return result;
+}
+
+/* NHPoly1305 */
+
+static void
+nh(uint8_t h[32], const uint8_t *m, size_t mlen,
+ const uint32_t k[268 /* u/w + 2s(r - 1) */])
+{
+ const unsigned w = 32; /* word size */
+ const unsigned s = 2; /* stride */
+ const unsigned r = 4; /* rounds */
+ const unsigned u = 8192; /* unit count (bits per msg unit) */
+ uint64_t h0 = 0, h1 = 0, h2 = 0, h3 = 0;
+ unsigned i;
+
+ CTASSERT(r*w/8 == 16);
+
+ KASSERT(mlen <= u/8);
+ KASSERT(mlen % 16 == 0);
+
+ for (i = 0; i < mlen/16; i++) {
+ uint32_t m0 = le32dec(m + 16*i + 4*0);
+ uint32_t m1 = le32dec(m + 16*i + 4*1);
+ uint32_t m2 = le32dec(m + 16*i + 4*2);
+ uint32_t m3 = le32dec(m + 16*i + 4*3);
+
+ uint32_t k00 = k[4*i + 4*0 + 0];
+ uint32_t k01 = k[4*i + 4*0 + 1];
+ uint32_t k02 = k[4*i + 4*0 + 2];
+ uint32_t k03 = k[4*i + 4*0 + 3];
+ uint32_t k10 = k[4*i + 4*1 + 0];
+ uint32_t k11 = k[4*i + 4*1 + 1];
+ uint32_t k12 = k[4*i + 4*1 + 2];
+ uint32_t k13 = k[4*i + 4*1 + 3];
+ uint32_t k20 = k[4*i + 4*2 + 0];
+ uint32_t k21 = k[4*i + 4*2 + 1];
+ uint32_t k22 = k[4*i + 4*2 + 2];
+ uint32_t k23 = k[4*i + 4*2 + 3];
+ uint32_t k30 = k[4*i + 4*3 + 0];
+ uint32_t k31 = k[4*i + 4*3 + 1];
+ uint32_t k32 = k[4*i + 4*3 + 2];
+ uint32_t k33 = k[4*i + 4*3 + 3];
+
+ CTASSERT(s == 2);
+ h0 += (uint64_t)(m0 + k00) * (m2 + k02);
+ h1 += (uint64_t)(m0 + k10) * (m2 + k12);
+ h2 += (uint64_t)(m0 + k20) * (m2 + k22);
+ h3 += (uint64_t)(m0 + k30) * (m2 + k32);
+ h0 += (uint64_t)(m1 + k01) * (m3 + k03);
+ h1 += (uint64_t)(m1 + k11) * (m3 + k13);
+ h2 += (uint64_t)(m1 + k21) * (m3 + k23);
+ h3 += (uint64_t)(m1 + k31) * (m3 + k33);
+ }
+
+ le64enc(h + 8*0, h0);
+ le64enc(h + 8*1, h1);
+ le64enc(h + 8*2, h2);
+ le64enc(h + 8*3, h3);
+}
+
+static void
+nhpoly1305(uint8_t h[restrict static 16], const uint8_t *m, size_t mlen,
+ const uint8_t pk[static 16],
+ const uint32_t nhk[static 268 /* u/w + 2s(r - 1) */])
+{
+ struct poly1305 P;
+ uint8_t h0[32];
+
+ /*
+ * In principle NHPoly1305 is defined on uneven message
+ * lengths, but that's a pain in the patootie.
+ */
+ KASSERT(mlen % 16 == 0);
+
+ poly1305_init(&P, pk);
+ for (; mlen; m += MIN(mlen, 1024), mlen -= MIN(mlen, 1024)) {
+ nh(h0, m, MIN(mlen, 1024), nhk);
+ poly1305_update_block(&P, h0 + 16*0);
+ poly1305_update_block(&P, h0 + 16*1);
+ }
+ poly1305_final(h, &P);
+}
+
+/* https://github.com/google/adiantum/blob/68971e9c6684121b2203b4b05a22768b84051b58/test_vectors/ours/NH/NH.json */
+static int
+nh_selftest(void)
+{
+ static const struct {
+ uint8_t k[1072];
+ unsigned mlen;
+ uint8_t m[1024];
+ uint8_t h[32];
+ } C[] = {
+ [0] = { /* 16-byte message */
+ .k = {
+ 0x22,0x5b,0x80,0xc8, 0x18,0x05,0x37,0x09,
+ 0x76,0x14,0x4b,0x67, 0xc4,0x50,0x7f,0x2b,
+ 0x2c,0xff,0x56,0xc5, 0xd5,0x66,0x45,0x68,
+ 0x35,0xe6,0xd2,0x9a, 0xe5,0xd0,0xc1,0xfb,
+ 0xac,0x59,0x81,0x1a, 0x60,0xb0,0x3d,0x81,
+ 0x4b,0xa3,0x5b,0xa9, 0xcc,0xb3,0xfe,0x2d,
+ 0xc2,0x4d,0xd9,0x26, 0xad,0x36,0xcf,0x8c,
+ 0x05,0x11,0x3b,0x8a, 0x99,0x15,0x81,0xc8,
+ 0x23,0xf5,0x5a,0x94, 0x10,0x2f,0x92,0x80,
+ 0x38,0xc5,0xb2,0x63, 0x80,0xd5,0xdc,0xa3,
+ 0x6c,0x2f,0xaa,0x03, 0x96,0x4a,0x75,0x33,
+ 0x4c,0xa8,0x60,0x05, 0x96,0xbf,0xe5,0x7a,
+ 0xc8,0x4f,0x5c,0x22, 0xf9,0x92,0x74,0x4a,
+ 0x75,0x5f,0xa2,0x2a, 0x8d,0x3f,0xe2,0x43,
+ 0xfd,0xd9,0x04,0x8c, 0x8e,0xea,0x84,0xcc,
+ 0x4d,0x3f,0x94,0x96, 0xed,0x1a,0x51,0xbb,
+ 0x2f,0xc4,0x63,0x28, 0x31,0x0b,0xda,0x92,
+ 0x1e,0x4d,0xe2,0x1d, 0x82,0xb5,0x65,0xb4,
+ 0x75,0x69,0xd7,0x6f, 0x29,0xe4,0xbe,0x7e,
+ 0xcc,0xbd,0x95,0xbd, 0x7a,0x62,0xea,0xfa,
+ 0x33,0x34,0x80,0x58, 0xbf,0xfa,0x00,0x7e,
+ 0xa7,0xb4,0xc9,0x32, 0x7c,0xc7,0x8f,0x8a,
+ 0x28,0x27,0xdd,0xeb, 0xb9,0x1c,0x01,0xad,
+ 0xec,0xf4,0x30,0x5e, 0xce,0x3b,0xaa,0x22,
+ 0x60,0xbd,0x84,0xd9, 0x9e,0xaf,0xe8,0x4c,
+ 0x44,0xb6,0x84,0x2d, 0x5c,0xe6,0x26,0xee,
+ 0x8a,0xa2,0x0d,0xe3, 0x97,0xed,0xf5,0x47,
+ 0xdb,0x50,0x72,0x4a, 0x5e,0x9a,0x8d,0x10,
+ 0xc2,0x25,0xdd,0x5b, 0xd0,0x39,0xc4,0x5b,
+ 0x2a,0x79,0x81,0xb7, 0x5c,0xda,0xed,0x77,
+ 0x17,0x53,0xb5,0x8b, 0x1e,0x5f,0xf3,0x48,
+ 0x30,0xac,0x97,0x7d, 0x29,0xe3,0xc9,0x18,
+ 0xe1,0x2b,0x31,0xa0, 0x08,0xe9,0x15,0x59,
+ 0x29,0xdb,0x84,0x2a, 0x33,0x98,0x8a,0xd4,
+ 0xc3,0xfc,0xf7,0xca, 0x65,0x02,0x4d,0x9f,
+ 0xe2,0xb1,0x5e,0xa6, 0x6a,0x01,0xf9,0xcf,
+ 0x7e,0xa6,0x09,0xd9, 0x16,0x90,0x14,0x5f,
+ 0x3a,0xf8,0xd8,0x34, 0x38,0xd6,0x1f,0x89,
+ 0x0c,0x81,0xc2,0x68, 0xc4,0x65,0x78,0xf3,
+ 0xfe,0x27,0x48,0x70, 0x38,0x43,0x48,0x5a,
+ 0xc1,0x24,0xc5,0x6f, 0x65,0x63,0x1b,0xb0,
+ 0x5b,0xb4,0x07,0x1e, 0x69,0x08,0x8f,0xfc,
+ 0x93,0x29,0x04,0x16, 0x6a,0x8b,0xb3,0x3d,
+ 0x0f,0xba,0x5f,0x46, 0xff,0xfe,0x77,0xa1,
+ 0xb9,0xdc,0x29,0x66, 0x9a,0xd1,0x08,0xdd,
+ 0x32,0xe3,0x21,0x7b, 0xcc,0x2e,0x5c,0xf7,
+ 0x79,0x68,0xd4,0xc1, 0x8b,0x3c,0x5d,0x0e,
+ 0xd4,0x26,0xa6,0x19, 0x92,0x45,0xf7,0x19,
+ 0x0e,0xa2,0x17,0xd8, 0x1c,0x7f,0x8d,0xd6,
+ 0x68,0x37,0x6c,0xbf, 0xb1,0x8a,0x5e,0x36,
+ 0x4b,0xc0,0xca,0x21, 0x02,0x24,0x69,0x9b,
+ 0x2b,0x19,0x0a,0x1b, 0xe3,0x17,0x30,0x57,
+ 0xf6,0xfc,0xd6,0x66, 0x36,0x30,0xc2,0x11,
+ 0x08,0x8d,0xc5,0x84, 0x67,0xa0,0x89,0xc3,
+ 0x74,0x48,0x15,0xca, 0x6e,0x0c,0x6d,0x78,
+ 0x66,0x15,0x73,0x85, 0xf9,0x8b,0xba,0xb2,
+ 0x09,0xda,0x79,0xe6, 0x00,0x08,0x2a,0xda,
+ 0x6b,0xd7,0xd1,0xa7, 0x8b,0x5f,0x11,0x87,
+ 0x96,0x1b,0x23,0xb0, 0x6c,0x55,0xb6,0x86,
+ 0xfb,0xff,0xe3,0x69, 0xac,0x43,0xcd,0x8f,
+ 0x8a,0xe7,0x1c,0x3c, 0xa0,0x6a,0xd5,0x63,
+ 0x80,0x66,0xd8,0x7f, 0xb5,0xb8,0x96,0xd4,
+ 0xe2,0x20,0x40,0x53, 0x6d,0x0d,0x8b,0x6d,
+ 0xd5,0x5d,0x51,0xfb, 0x4d,0x80,0x82,0x01,
+ 0x14,0x97,0x96,0x9b, 0x13,0xb8,0x1d,0x76,
+ 0x7a,0xa1,0xca,0x19, 0x90,0xec,0x7b,0xe0,
+ 0x8e,0xa8,0xb4,0xf2, 0x33,0x67,0x0e,0x10,
+ 0xb1,0xa2,0x82,0xea, 0x81,0x82,0xa2,0xc6,
+ 0x78,0x51,0xa6,0xd3, 0x25,0xe4,0x9c,0xf2,
+ 0x6b,0xa8,0xec,0xfb, 0xd4,0x1d,0x5b,0xa4,
+ 0x79,0x66,0x62,0xb8, 0x2b,0x6f,0x9e,0x0f,
+ 0xcc,0xcb,0x9e,0x92, 0x6f,0x06,0xdb,0xf0,
+ 0x97,0xce,0x3f,0x90, 0xa2,0x1f,0xbe,0x3b,
+ 0x7b,0x10,0xf0,0x23, 0x30,0x0c,0xc5,0x0c,
+ 0x6c,0x78,0xfc,0xa8, 0x71,0x62,0xcf,0x98,
+ 0xa2,0xb1,0x44,0xb5, 0xc6,0x3b,0x5c,0x63,
+ 0x83,0x1d,0x35,0xf2, 0xc7,0x42,0x67,0x5d,
+ 0xc1,0x26,0x36,0xc8, 0x6e,0x1d,0xf6,0xd5,
+ 0x52,0x35,0xa4,0x9e, 0xce,0x4c,0x3b,0x92,
+ 0x20,0x86,0xb7,0x89, 0x63,0x73,0x1a,0x8b,
+ 0xa6,0x35,0xfe,0xb9, 0xdf,0x5e,0x0e,0x53,
+ 0x0b,0xf2,0xb3,0x4d, 0x34,0x1d,0x66,0x33,
+ 0x1f,0x08,0xf5,0xf5, 0x0a,0xab,0x76,0x19,
+ 0xde,0x82,0x2f,0xcf, 0x11,0xa6,0xcb,0xb3,
+ 0x17,0xec,0x8d,0xaf, 0xcb,0xf0,0x92,0x1e,
+ 0xb8,0xa3,0x04,0x0a, 0xac,0x2c,0xae,0xc5,
+ 0x0b,0xc4,0x4e,0xef, 0x0a,0xe2,0xda,0xe9,
+ 0xd7,0x75,0x2d,0x95, 0xc7,0x1b,0xf3,0x0b,
+ 0x43,0x19,0x16,0xd7, 0xc6,0x90,0x2d,0x6b,
+ 0xe1,0xb2,0xce,0xbe, 0xd0,0x7d,0x15,0x99,
+ 0x24,0x37,0xbc,0xb6, 0x8c,0x89,0x7a,0x8c,
+ 0xcb,0xa7,0xf7,0x0b, 0x5f,0xd4,0x96,0x8d,
+ 0xf5,0x80,0xa3,0xce, 0xf5,0x9e,0xed,0x60,
+ 0x00,0x92,0xa5,0x67, 0xc9,0x21,0x79,0x0b,
+ 0xfb,0xe2,0x57,0x0e, 0xdf,0xb6,0x16,0x90,
+ 0xd3,0x75,0xf6,0xb0, 0xa3,0x4e,0x43,0x9a,
+ 0xb7,0xf4,0x73,0xd8, 0x34,0x46,0xc6,0xbe,
+ 0x80,0xec,0x4a,0xc0, 0x7f,0x9e,0xb6,0xb0,
+ 0x58,0xc2,0xae,0xa1, 0xf3,0x60,0x04,0x62,
+ 0x11,0xea,0x0f,0x90, 0xa9,0xea,0x6f,0x0c,
+ 0x4c,0xcf,0xe8,0xd0, 0xea,0xbf,0xdb,0xf2,
+ 0x53,0x0c,0x09,0x4d, 0xd4,0xed,0xf3,0x22,
+ 0x10,0x99,0xc6,0x4f, 0xcf,0xcf,0x96,0xc9,
+ 0xd9,0x6b,0x08,0x3b, 0xf0,0x62,0x2d,0xac,
+ 0x55,0x38,0xd5,0x5c, 0x57,0xad,0x51,0xc3,
+ 0xf5,0xd2,0x37,0x45, 0xb3,0x3f,0x6d,0xaf,
+ 0x10,0x62,0x57,0xb9, 0x58,0x40,0xb3,0x3c,
+ 0x6a,0x98,0x97,0x1a, 0x9c,0xeb,0x66,0xf1,
+ 0xa5,0x93,0x0b,0xe7, 0x8b,0x29,0x0f,0xff,
+ 0x2c,0xd0,0x90,0xf2, 0x67,0xa0,0x69,0xcd,
+ 0xd3,0x59,0xad,0xad, 0xf1,0x1f,0xd7,0xad,
+ 0x24,0x74,0x29,0xcd, 0x06,0xd5,0x42,0x90,
+ 0xf9,0x96,0x4a,0xd9, 0xa0,0x37,0xe4,0x64,
+ 0x8e,0x13,0x2a,0x2a, 0xe7,0xc2,0x1e,0xf6,
+ 0xb2,0xd3,0xdc,0x9f, 0x33,0x32,0x0c,0x50,
+ 0x88,0x37,0x8b,0x9b, 0xfe,0x6f,0xfd,0x05,
+ 0x96,0x26,0x6c,0x96, 0x73,0x73,0xe1,0x09,
+ 0x28,0xf3,0x7f,0xa6, 0x59,0xc5,0x2e,0xf4,
+ 0xd3,0xd5,0xda,0x6b, 0xca,0x42,0x05,0xe5,
+ 0xed,0x13,0xe2,0x4e, 0xcd,0xd5,0xd0,0xfb,
+ 0x6e,0xf7,0x8a,0x3e, 0x91,0x9d,0x6b,0xc5,
+ 0x33,0x05,0x07,0x86, 0xb2,0x26,0x41,0x6e,
+ 0xf8,0x38,0x38,0x7a, 0xf0,0x6c,0x27,0x5a,
+ 0x01,0xd8,0x03,0xe5, 0x91,0x33,0xaa,0x20,
+ 0xcd,0xa7,0x4f,0x18, 0xa0,0x91,0x28,0x74,
+ 0xc0,0x58,0x27,0x0f, 0x9b,0xa8,0x85,0xb0,
+ 0xe0,0xfd,0x5b,0xdb, 0x5b,0xb8,0x86,0x79,
+ 0x94,0x6d,0xde,0x26, 0x64,0x2d,0x6c,0xb9,
+ 0xba,0xc7,0xf0,0xd7, 0xaa,0x68,0x68,0xd0,
+ 0x40,0x71,0xdb,0x94, 0x54,0x62,0xa5,0x7f,
+ 0x98,0xea,0xe3,0x4c, 0xe4,0x44,0x9a,0x03,
+ 0xf9,0x1c,0x20,0x36, 0xeb,0x0d,0xa4,0x41,
+ 0x24,0x06,0xcb,0x94, 0x86,0x35,0x22,0x62,
+ 0x80,0x19,0x16,0xba, 0x2c,0x10,0x38,0x96,
+ },
+ .mlen = 16,
+ .m = {
+ 0xd3,0x82,0xe7,0x04, 0x35,0xcc,0xf7,0xa4,
+ 0xf9,0xb2,0xc5,0xed, 0x5a,0xd9,0x58,0xeb,
+ },
+ .h = {
+ 0x41,0xd9,0xad,0x54, 0x5a,0x0d,0xcc,0x53,
+ 0x48,0xf6,0x4c,0x75, 0x43,0x5d,0xdd,0x77,
+ 0xda,0xca,0x7d,0xec, 0x91,0x3b,0x53,0x16,
+ 0x5c,0x4b,0x58,0xdc, 0x70,0x0a,0x7b,0x37,
+ },
+ },
+ [1] = { /* 1008-byte message */
+ .k = {
+ 0xd9,0x94,0x65,0xda, 0xc2,0x60,0xdd,0xa9,
+ 0x39,0xe5,0x37,0x11, 0xf6,0x74,0xa5,0x95,
+ 0x36,0x07,0x24,0x99, 0x64,0x6b,0xda,0xe2,
+ 0xd5,0xd1,0xd2,0xd9, 0x25,0xd5,0xcc,0x48,
+ 0xf8,0xa5,0x9e,0xff, 0x84,0x5a,0xd1,0x6f,
+ 0xb7,0x6a,0x4d,0xd2, 0xc8,0x13,0x3d,0xde,
+ 0x17,0xed,0x64,0xf1, 0x2b,0xcc,0xdd,0x65,
+ 0x11,0x16,0xf2,0xaf, 0x34,0xd2,0xc5,0x31,
+ 0xaa,0x69,0x33,0x0a, 0x0b,0xc1,0xb4,0x6d,
+ 0xaa,0xcd,0x43,0xc4, 0x0b,0xef,0xf9,0x7d,
+ 0x97,0x3c,0xa7,0x22, 0xda,0xa6,0x6a,0xf0,
+ 0xad,0xe3,0x6f,0xde, 0xfb,0x33,0xf3,0xd8,
+ 0x96,0x5f,0xca,0xda, 0x18,0x63,0x03,0xd0,
+ 0x8f,0xb6,0xc4,0x62, 0x9d,0x50,0x6c,0x8f,
+ 0x85,0xdd,0x6d,0x52, 0x2d,0x45,0x01,0x36,
+ 0x57,0x9f,0x51,0xf0, 0x70,0xe0,0xb2,0x99,
+ 0x3a,0x11,0x68,0xbd, 0xe5,0xfa,0x7c,0x59,
+ 0x12,0x5a,0xbc,0xd9, 0xd6,0x9a,0x09,0xe6,
+ 0xa2,0x80,0x1f,0xd6, 0x47,0x20,0x82,0x4e,
+ 0xac,0xb5,0x6d,0xde, 0x5b,0xff,0x9c,0xd4,
+ 0x2a,0xae,0x27,0x7c, 0x0f,0x5a,0x5d,0x35,
+ 0x2d,0xff,0x07,0xf9, 0x79,0x6a,0xf9,0x3e,
+ 0xd9,0x22,0x62,0x30, 0x40,0xce,0xe1,0xf4,
+ 0x46,0x0a,0x24,0xca, 0x7a,0x3e,0xa1,0x92,
+ 0x1a,0x29,0xa0,0xbf, 0x23,0x95,0x99,0x31,
+ 0xe3,0x51,0x25,0x3d, 0xaf,0x1e,0xfc,0xb3,
+ 0x65,0xa2,0x10,0x37, 0xe6,0xa7,0x20,0xa0,
+ 0xe3,0x6a,0xd4,0x81, 0x2c,0x8d,0xa0,0x87,
+ 0xec,0xae,0x9f,0x44, 0x10,0xda,0x2e,0x17,
+ 0xba,0xb2,0xa5,0x5c, 0x89,0xc6,0xfa,0x70,
+ 0x7e,0xc2,0xe3,0xb6, 0xa0,0x98,0x9c,0xb8,
+ 0x14,0x33,0x27,0x3a, 0x6e,0x4d,0x94,0x72,
+ 0x4b,0xc8,0xac,0x24, 0x2f,0x85,0xd9,0xa4,
+ 0xda,0x22,0x95,0xc5, 0xb3,0xfc,0xbe,0xd2,
+ 0x96,0x57,0x91,0xf9, 0xfd,0x18,0x9c,0x56,
+ 0x70,0x15,0x5f,0xe7, 0x40,0x45,0x28,0xb3,
+ 0x2b,0x56,0x44,0xca, 0x6a,0x2b,0x0e,0x25,
+ 0x66,0x3e,0x32,0x04, 0xe2,0xb7,0x91,0xc8,
+ 0xd2,0x02,0x79,0x0f, 0x7e,0xa9,0xb3,0x86,
+ 0xb2,0x76,0x74,0x18, 0x57,0x16,0x63,0x06,
+ 0x6e,0x16,0xfa,0xef, 0x52,0x3c,0x5e,0x0d,
+ 0x33,0x55,0xd2,0x8d, 0x57,0x4d,0xfe,0x54,
+ 0x65,0x7a,0x54,0x52, 0xf0,0x7b,0x2c,0xf8,
+ 0xd5,0x43,0xba,0x92, 0xa5,0x2e,0xbe,0x1a,
+ 0xce,0x25,0x4f,0x34, 0x31,0xe7,0xa3,0xff,
+ 0x90,0xf6,0xbc,0x0c, 0xbc,0x98,0xdf,0x4a,
+ 0xc3,0xeb,0xb6,0x27, 0x68,0xa9,0xb5,0x33,
+ 0xbc,0x13,0xe8,0x13, 0x7c,0x6b,0xec,0x31,
+ 0xd9,0x79,0x2a,0xa7, 0xe4,0x02,0x4f,0x02,
+ 0xd4,0x5c,0x57,0x4f, 0xa4,0xbc,0xa3,0xe1,
+ 0x7e,0x36,0x8a,0xde, 0x11,0x55,0xec,0xb3,
+ 0x8b,0x65,0x06,0x02, 0x9a,0x68,0x06,0x64,
+ 0x63,0xc7,0x9a,0x67, 0xdc,0x70,0xbf,0xb5,
+ 0xf8,0x49,0x2a,0xe1, 0x59,0x4c,0xe4,0x1e,
+ 0xb5,0x56,0xa5,0xad, 0x24,0x82,0x8c,0xd0,
+ 0x66,0xe4,0x72,0x79, 0x02,0x5d,0x0d,0xf9,
+ 0x19,0x44,0xe3,0x86, 0x1a,0xda,0xda,0xf0,
+ 0x2d,0x47,0xc0,0x07, 0x47,0x0b,0xf8,0x06,
+ 0xf6,0x45,0x8a,0x7f, 0xb9,0xf9,0x33,0x2e,
+ 0xc2,0xf1,0xf1,0x81, 0x41,0x99,0xcd,0xf6,
+ 0xb1,0x71,0x1b,0xfa, 0x21,0x53,0x7c,0xa1,
+ 0xeb,0x2a,0x38,0x5b, 0x9b,0xfe,0x96,0xa5,
+ 0xe3,0x78,0x77,0x47, 0x98,0x0f,0x7d,0xef,
+ 0xf6,0x05,0x37,0x88, 0x79,0x0c,0x21,0x8d,
+ 0x87,0x1f,0xae,0xce, 0x83,0xaf,0xa3,0xd6,
+ 0x6e,0xc5,0x3c,0x47, 0xc6,0xd6,0x4a,0xdc,
+ 0x7c,0xcc,0xdc,0x11, 0x7c,0x7d,0x0f,0x03,
+ 0xc1,0x80,0x75,0x2a, 0x64,0x76,0xf0,0x08,
+ 0x0c,0x11,0x4b,0xe4, 0x05,0x41,0x78,0x0f,
+ 0x86,0xa0,0xd6,0x61, 0xb0,0xfb,0x15,0x3d,
+ 0x3c,0xc3,0xd5,0x1b, 0x72,0x0e,0x79,0x53,
+ 0x07,0xd2,0x2c,0x6e, 0x83,0xbd,0x72,0x88,
+ 0x41,0x07,0x4b,0xd2, 0xe9,0xcc,0x2a,0x9d,
+ 0x5b,0x82,0x0d,0x02, 0x29,0x6e,0xf3,0xbc,
+ 0x34,0x31,0x62,0x8d, 0x83,0xc1,0x7e,0x94,
+ 0x21,0xd5,0xfd,0xa6, 0x6a,0x2b,0xe8,0x86,
+ 0x05,0x48,0x97,0x41, 0xad,0xca,0xef,0x79,
+ 0x5e,0xd8,0x51,0xc4, 0xae,0xf7,0xfa,0xac,
+ 0x3d,0x74,0x2e,0xf4, 0x41,0x3b,0x19,0xc2,
+ 0x04,0xf3,0x40,0xfe, 0x77,0x7c,0x6a,0x4c,
+ 0x8e,0x24,0x84,0xe0, 0x70,0xe4,0xb2,0x19,
+ 0x6c,0x0c,0x85,0x9e, 0xe1,0xad,0xa4,0x73,
+ 0x90,0xdd,0xbf,0x7d, 0x1b,0x6f,0x8b,0x4d,
+ 0x3b,0xec,0xd7,0xb0, 0xd9,0x90,0xf1,0xf5,
+ 0xb9,0x32,0xe3,0x79, 0x15,0x08,0x3e,0x71,
+ 0xed,0x91,0xc4,0x5c, 0x18,0xe8,0x16,0x52,
+ 0xae,0x9d,0xf3,0x09, 0xac,0x57,0x11,0xf8,
+ 0x16,0x55,0xd0,0x28, 0x60,0xc1,0x7e,0x6d,
+ 0x87,0xc1,0x7a,0xe8, 0x5d,0xc5,0x12,0x68,
+ 0x6d,0x63,0x39,0x27, 0x49,0xb8,0x0c,0x78,
+ 0x92,0xea,0x6f,0x52, 0xeb,0x43,0xc2,0x0b,
+ 0xd8,0x28,0x77,0xe5, 0x43,0x5f,0xb8,0xa6,
+ 0x32,0xb7,0xaa,0x01, 0x1e,0xa6,0xde,0xe4,
+ 0x9b,0x0f,0xb6,0x49, 0xcc,0x6f,0x2c,0x04,
+ 0x41,0xcb,0xd8,0x80, 0xd1,0x15,0x5e,0x57,
+ 0x1e,0x4a,0x77,0xbf, 0xc4,0xcb,0x09,0x7c,
+ 0x6e,0x81,0xb8,0x64, 0x51,0x6a,0xf2,0x71,
+ 0x06,0xf6,0x00,0xac, 0x79,0x2c,0x83,0x7a,
+ 0x6c,0xa4,0x85,0x89, 0x69,0x06,0x26,0x72,
+ 0xe1,0x00,0x66,0xc0, 0xc5,0x8e,0xc8,0x51,
+ 0x6e,0x25,0xdd,0xc9, 0x54,0x98,0x45,0x64,
+ 0xaa,0x51,0x18,0x1b, 0xe4,0xbe,0x1b,0xee,
+ 0x13,0xd6,0x34,0x50, 0x4c,0xcf,0x3c,0x31,
+ 0x9b,0xd2,0x6f,0x07, 0x79,0xf4,0x63,0x3f,
+ 0x09,0x01,0x64,0xf1, 0xc1,0xf1,0xae,0xa9,
+ 0x0c,0x60,0xc9,0x62, 0x84,0xf6,0xe8,0x15,
+ 0x55,0xdf,0xdd,0x71, 0x95,0xa9,0x0f,0x65,
+ 0x97,0x40,0x79,0x86, 0x95,0xd9,0x57,0x23,
+ 0x2f,0x61,0x51,0xb5, 0x16,0x18,0x62,0xd2,
+ 0x1a,0xd9,0x8b,0x88, 0x84,0xa9,0x9b,0x47,
+ 0xd7,0x22,0x68,0xe9, 0x9c,0x69,0x68,0x74,
+ 0x13,0x95,0xd3,0x99, 0x33,0xdb,0x30,0x96,
+ 0xbf,0x01,0xc6,0x68, 0xbd,0x19,0x32,0xc1,
+ 0xf8,0xa9,0x7f,0x2b, 0xc5,0x69,0x2f,0xa2,
+ 0xce,0x5a,0x46,0x43, 0x8d,0x36,0x9c,0xfa,
+ 0x5c,0x7f,0x03,0xe0, 0x80,0xaa,0xc7,0x9e,
+ 0x3b,0xa3,0x27,0x6b, 0x2e,0xc6,0x59,0x0a,
+ 0xf6,0x36,0x37,0xa6, 0xc0,0xd1,0xa1,0xa1,
+ 0x7e,0xc1,0xf8,0x5b, 0x0f,0x9b,0xdd,0x6d,
+ 0x9f,0x54,0x16,0x6b, 0x6e,0x53,0xfd,0xe8,
+ 0x72,0xd0,0x3e,0x46, 0xce,0xaf,0x94,0x36,
+ 0x85,0xa8,0xae,0x4c, 0x8d,0xb5,0xc2,0x1b,
+ 0x5d,0x29,0x46,0x40, 0x87,0x50,0x59,0xdd,
+ 0x04,0xbe,0xba,0x8f, 0x0b,0x9b,0xd2,0x50,
+ 0x67,0x19,0x83,0x80, 0x87,0x5c,0x58,0x86,
+ 0x20,0x39,0xbf,0xdf, 0xd2,0xc8,0xbb,0xe8,
+ 0xc8,0xd8,0xe8,0x8d, 0xcc,0x97,0xe0,0xc9,
+ 0x6c,0x2f,0x47,0xb6, 0x75,0x8f,0x0d,0x37,
+ 0x5a,0x83,0xb0,0xce, 0x59,0xc2,0x0b,0x84,
+ 0xa2,0x54,0xe5,0x38, 0x59,0x29,0x0f,0xa8,
+ 0x26,0x2d,0x11,0xa9, 0x89,0x0e,0x0b,0x75,
+ 0xe0,0xbc,0xf0,0xf8, 0x92,0x1f,0x29,0x71,
+ 0x91,0xc4,0x63,0xcc, 0xf8,0x52,0xb5,0xd4,
+ 0xb8,0x94,0x6a,0x30, 0x90,0xf7,0x44,0xbe,
+ },
+ .mlen = 1008,
+ .m = {
+ 0x05,0xe3,0x6f,0x44, 0xa4,0x40,0x35,0xf6,
+ 0xeb,0x86,0xa9,0x6d, 0xed,0x16,0xdb,0xb6,
+ 0x5b,0x59,0xda,0x30, 0x54,0x6c,0x59,0x35,
+ 0x42,0x59,0x56,0x45, 0x9a,0x85,0x20,0x73,
+ 0xcf,0x21,0xf5,0x98, 0x58,0x07,0x0e,0x7f,
+ 0x44,0x1f,0xf1,0x53, 0x92,0xc7,0x81,0x53,
+ 0x5e,0x97,0x8a,0x23, 0x1d,0xe8,0xad,0xca,
+ 0x19,0x55,0x96,0x9d, 0x9b,0xfd,0x0a,0x0a,
+ 0xad,0xa8,0x0f,0x76, 0xe2,0x6a,0x8f,0x33,
+ 0x36,0xbf,0xcb,0x7a, 0xfd,0x61,0xc6,0xfb,
+ 0x75,0xea,0xd4,0x09, 0x5e,0x70,0xfb,0x32,
+ 0x54,0xe3,0x47,0x48, 0xd4,0x8c,0xa9,0x7c,
+ 0x72,0xdb,0xdb,0xf7, 0x09,0x6d,0x58,0xa6,
+ 0x42,0xb5,0x74,0x8c, 0x98,0x66,0x83,0x7a,
+ 0x6d,0xeb,0x91,0xfb, 0x22,0x1c,0x78,0x3d,
+ 0x22,0xa6,0xf8,0xb0, 0xd1,0x9f,0xc8,0x69,
+ 0x8a,0xba,0xd3,0x78, 0x21,0xb0,0x7b,0x9f,
+ 0xb8,0xed,0xe0,0x65, 0xff,0xa0,0x8b,0x4c,
+ 0x17,0x9e,0xf7,0x3e, 0xa2,0x5f,0x82,0x77,
+ 0xce,0x2a,0xda,0x41, 0x76,0x07,0x68,0xa4,
+ 0xa1,0xbb,0xe0,0x1d, 0x7b,0xab,0x9c,0x03,
+ 0x90,0x2c,0xd2,0x93, 0x46,0x43,0x3a,0x44,
+ 0x29,0xe8,0xb5,0x7a, 0x23,0xbb,0xe9,0xaf,
+ 0x2b,0x17,0x88,0x8f, 0x7a,0x81,0x7a,0x25,
+ 0x3b,0xc7,0x1e,0x6e, 0xde,0x3e,0x54,0xbc,
+ 0xc6,0xff,0x07,0xdc, 0xe6,0x29,0x02,0x4c,
+ 0x95,0x57,0x0e,0x44, 0xc4,0x9c,0xc7,0x45,
+ 0x01,0xd7,0x17,0xfd, 0x0f,0x1a,0x83,0x74,
+ 0xa0,0xd5,0xb3,0x1a, 0xc0,0x97,0xdc,0xc3,
+ 0x0f,0x3d,0x5d,0x8c, 0x02,0x58,0xc6,0x4d,
+ 0x43,0x10,0xae,0xc9, 0x94,0xe2,0x9b,0xcd,
+ 0xf9,0xcc,0xfe,0xbd, 0x9c,0x69,0xd0,0xec,
+ 0xf8,0x67,0xde,0x98, 0xe5,0x50,0x5e,0x93,
+ 0x6a,0x5b,0x31,0x2a, 0x62,0xee,0x03,0xbe,
+ 0x76,0x9c,0x1d,0x13, 0x16,0x13,0xcf,0x63,
+ 0x30,0x18,0x7d,0x1e, 0x55,0x94,0xf5,0x29,
+ 0xb4,0x91,0xb4,0x76, 0x1c,0x31,0x9e,0xe5,
+ 0x1b,0x0a,0xee,0x89, 0xb4,0xd9,0x45,0x19,
+ 0xd7,0x47,0x2c,0x01, 0x20,0xe6,0x1d,0x7c,
+ 0xb3,0x5e,0x1b,0x2a, 0x8c,0x3d,0x4d,0x1a,
+ 0x6b,0x35,0x84,0x41, 0x6a,0xe4,0x32,0x8f,
+ 0x9a,0x0d,0xbf,0x90, 0xff,0xcf,0x4c,0xfb,
+ 0x9b,0x07,0x81,0x94, 0xcf,0x8e,0x1a,0x8a,
+ 0xfc,0xbd,0x91,0xfe, 0xc3,0xe1,0x18,0xc7,
+ 0x1f,0x0d,0x8e,0x1c, 0x2e,0xfc,0x02,0xe8,
+ 0x39,0xbf,0x05,0x90, 0x58,0x94,0xee,0xe7,
+ 0x15,0x31,0x5d,0x9f, 0x68,0x36,0x64,0x32,
+ 0x25,0x49,0xdd,0x3e, 0xc8,0xb6,0x83,0x5e,
+ 0x09,0x90,0xcd,0x48, 0xaf,0x9e,0xfe,0xd6,
+ 0x79,0x8e,0x69,0x4b, 0x94,0xd5,0xf4,0x84,
+ 0x7b,0xce,0xea,0x2f, 0x9b,0x79,0x7a,0x7c,
+ 0x22,0x28,0x4d,0xa1, 0x38,0x1a,0x66,0x24,
+ 0x79,0xa3,0xfa,0xfa, 0x8d,0x98,0x7c,0x54,
+ 0x71,0x54,0xef,0x37, 0xa6,0xf1,0x97,0x54,
+ 0xad,0xe7,0x67,0xa0, 0xf3,0x33,0xcf,0x4f,
+ 0x4e,0xa3,0x47,0xee, 0x31,0xd3,0x98,0xf9,
+ 0x7f,0x9f,0x44,0x18, 0x2f,0x13,0x1b,0x44,
+ 0x57,0xcd,0x15,0x5b, 0xde,0x8f,0x1a,0x3c,
+ 0xb5,0x1e,0xa7,0x2d, 0x4d,0xbe,0x85,0x08,
+ 0x78,0xeb,0xe2,0x35, 0x3a,0xbe,0x55,0x6b,
+ 0xc3,0xe1,0x0f,0x77, 0x43,0x41,0x11,0x5a,
+ 0x61,0xc9,0x3b,0xbc, 0xad,0x88,0x9e,0xba,
+ 0xc6,0xd2,0xdc,0x87, 0xd9,0x54,0xcc,0x86,
+ 0x46,0xe6,0xa5,0x29, 0x2c,0x08,0x49,0x53,
+ 0x2c,0xe3,0x0e,0x60, 0xc5,0x48,0xca,0x62,
+ 0x3f,0xf6,0x93,0xc1, 0xba,0x8d,0x36,0x49,
+ 0xe7,0x0f,0x9c,0x49, 0x7d,0xee,0x2a,0x22,
+ 0xc3,0xe5,0x11,0x21, 0xfa,0xc7,0xeb,0x79,
+ 0xcc,0x4d,0x75,0x4e, 0x66,0x33,0xf5,0x09,
+ 0xa3,0xb9,0x60,0xa5, 0xd6,0xbd,0x38,0x75,
+ 0x0c,0x2f,0x5f,0x1f, 0xea,0xa5,0x9d,0x45,
+ 0x3c,0xe4,0x41,0xb8, 0xf6,0x4e,0x15,0x87,
+ 0x0b,0x7f,0x42,0x4e, 0x51,0x3d,0xc4,0x9a,
+ 0xb2,0xca,0x37,0x16, 0x0f,0xed,0x9e,0x0b,
+ 0x93,0x86,0x12,0x93, 0x36,0x5e,0x39,0xc4,
+ 0xf0,0xf4,0x48,0xdb, 0xeb,0x18,0x5e,0x50,
+ 0x71,0x30,0x83,0xe5, 0x0f,0xb1,0x73,0xa7,
+ 0xc6,0xf0,0xca,0x29, 0x0e,0xc4,0x07,0x5b,
+ 0x8b,0x09,0x68,0x68, 0x10,0x32,0x92,0x62,
+ 0x6a,0x6c,0x56,0x8b, 0x01,0x46,0x9a,0x20,
+ 0x89,0xe0,0x93,0x85, 0x8c,0x53,0x87,0xf6,
+ 0x02,0xd3,0x8d,0x72, 0x31,0x35,0xa1,0x34,
+ 0x63,0x70,0x61,0x80, 0x06,0xf1,0x54,0xb3,
+ 0x5d,0xdf,0xad,0x9c, 0x7e,0x3a,0xc2,0x8f,
+ 0x76,0x8b,0x4c,0x74, 0x2c,0x8c,0x6f,0x0a,
+ 0x60,0x13,0xa8,0xce, 0x4c,0x49,0x70,0x90,
+ 0x59,0x57,0xf5,0x7b, 0x03,0x94,0x37,0x87,
+ 0xfa,0xfe,0xeb,0xe7, 0x2d,0x01,0x45,0x69,
+ 0xb4,0x10,0x80,0x6d, 0x13,0x26,0xe3,0x9b,
+ 0x49,0x2a,0x0b,0xb1, 0x36,0xf9,0x62,0x63,
+ 0x33,0x2a,0xee,0x51, 0x5e,0x35,0xa4,0x2e,
+ 0x34,0xa1,0x77,0xac, 0x27,0x99,0x03,0xc6,
+ 0xe2,0x83,0x11,0x72, 0x77,0x30,0x8b,0xb7,
+ 0xde,0x1a,0xa1,0x4b, 0xa9,0x9c,0x07,0x02,
+ 0xf2,0xdc,0x06,0x45, 0xf2,0xab,0x31,0x46,
+ 0x50,0x25,0x34,0x54, 0xa8,0x06,0x88,0x6c,
+ 0xfc,0x88,0xb5,0xae, 0x30,0xbd,0xe1,0xe7,
+ 0xfe,0x51,0x46,0x05, 0x9a,0x29,0xd9,0x93,
+ 0x99,0x60,0x69,0x4a, 0x5c,0xb2,0x29,0x6b,
+ 0xa1,0xbb,0x9d,0xe4, 0x9b,0x7d,0x4a,0xe5,
+ 0x37,0xcb,0x16,0x6f, 0x44,0x93,0xe4,0x71,
+ 0x34,0x7b,0x54,0xec, 0x5b,0x2b,0xe0,0xf7,
+ 0x32,0xed,0x77,0xa6, 0xb3,0x7c,0x8d,0x1a,
+ 0xc0,0x57,0xbe,0x2b, 0x6d,0x7f,0xd7,0x35,
+ 0xe6,0x93,0xed,0x90, 0x26,0xfe,0x41,0xf3,
+ 0x58,0x55,0x03,0xb7, 0xb2,0x94,0xe2,0x0c,
+ 0x34,0xc3,0x06,0xc6, 0x9e,0x4b,0x17,0xc7,
+ 0xb9,0x58,0x23,0x58, 0xd3,0x73,0x18,0x5e,
+ 0xcf,0x28,0xac,0x90, 0xa0,0xba,0x35,0x90,
+ 0x96,0xb3,0xc7,0x6c, 0xe1,0x07,0xdf,0x5d,
+ 0xaa,0x2c,0xa6,0x6b, 0x82,0x2d,0x71,0x66,
+ 0xb7,0x76,0x37,0xdb, 0x39,0x7f,0x22,0x8f,
+ 0x38,0x70,0xd4,0xeb, 0xf8,0xf0,0x73,0xed,
+ 0xb6,0x67,0x75,0xaf, 0xd7,0x5d,0x01,0x01,
+ 0xc4,0xd6,0x7c,0xbc, 0xc3,0xe6,0xad,0x9a,
+ 0x9c,0x6a,0x43,0x9b, 0xfb,0x34,0x55,0x47,
+ 0xcd,0xeb,0x4e,0x2c, 0x29,0x6f,0xb0,0xeb,
+ 0xb5,0x08,0xdb,0x6b, 0x40,0x26,0x51,0x54,
+ 0x5a,0x97,0x64,0x74, 0x95,0xe6,0xae,0x8a,
+ 0x4c,0xe9,0x44,0x47, 0x85,0xd6,0xcf,0xe0,
+ 0x11,0x65,0x45,0xb3, 0xe1,0xfc,0x6a,0x01,
+ 0x38,0x40,0x8a,0x71, 0xc5,0xd6,0x64,0xa8,
+ 0x36,0x95,0x44,0x9c, 0x10,0x41,0xa3,0x71,
+ 0xb4,0x70,0x02,0xdf, 0xf9,0xad,0x2b,0xec,
+ 0x75,0xf7,0x09,0x6c, 0x5d,0x2a,0xd0,0x0b,
+ 0x2e,0xb3,0xf0,0xd3, 0xce,0xdb,0x26,0x80,
+ },
+ .h = {
+ 0x2d,0xb3,0x7e,0x73, 0xde,0x6a,0x9e,0xa9,
+ 0x54,0x9a,0x0f,0xb3, 0x0b,0xcc,0xc9,0xde,
+ 0x7a,0x4e,0x4a,0x71, 0x07,0x33,0xee,0x06,
+ 0x5c,0x9a,0xa1,0x30, 0x5e,0x39,0x4e,0x10,
+ },
+ },
+ [2] = { /* 1024-byte message */
+ .k = {
+ 0x4c,0xe4,0x3c,0x6e, 0xa0,0xe3,0x0e,0x64,
+ 0x35,0x44,0x3e,0x0b, 0x4d,0x29,0xbe,0x04,
+ 0xa7,0xaa,0x88,0xe0, 0xe0,0x07,0x7d,0xa8,
+ 0x2b,0x87,0x7d,0x08, 0xa6,0x59,0xd0,0xa5,
+ 0x03,0xae,0x9b,0xee, 0xd4,0x11,0x39,0x7d,
+ 0x9e,0x1d,0x89,0xe3, 0xc6,0x92,0x36,0x07,
+ 0xa4,0x43,0xad,0x2f, 0xd5,0x71,0x84,0x2d,
+ 0xc0,0x37,0xed,0x62, 0x4e,0x2b,0x8c,0xd5,
+ 0x1d,0xf7,0x00,0xbb, 0x3d,0x5e,0xcc,0xc5,
+ 0x6d,0xdd,0x17,0xf2, 0x89,0x25,0x30,0x16,
+ 0x04,0xd7,0x1f,0x84, 0x7d,0x61,0xa0,0x7a,
+ 0x49,0x88,0x44,0x46, 0xc6,0x05,0xd1,0xc9,
+ 0xa0,0x2a,0x86,0xdd, 0xd3,0x80,0x40,0xa4,
+ 0x28,0xb3,0xa4,0x3b, 0x71,0x0a,0x7f,0x2d,
+ 0x3b,0xcd,0xe6,0xac, 0x59,0xda,0x43,0x56,
+ 0x6e,0x9a,0x3f,0x1e, 0x82,0xcf,0xb3,0xa0,
+ 0xa1,0x46,0xcf,0x2e, 0x32,0x05,0xcd,0x68,
+ 0xbb,0x51,0x71,0x8a, 0x16,0x75,0xbe,0x49,
+ 0x7e,0xb3,0x63,0x30, 0x95,0x34,0xe6,0x85,
+ 0x7e,0x9a,0xdd,0xe6, 0x43,0xd6,0x59,0xf8,
+ 0x6a,0xb8,0x8f,0x5f, 0x5d,0xd9,0x55,0x41,
+ 0x12,0xf9,0x98,0xc6, 0x93,0x7c,0x3f,0x46,
+ 0xab,0x7c,0x8b,0x28, 0xde,0x9a,0xb1,0xf0,
+ 0x6c,0x43,0x2a,0xb3, 0x70,0xc5,0x9d,0xc0,
+ 0x26,0xcf,0xad,0x9c, 0x87,0x9b,0x3f,0x7c,
+ 0x24,0xac,0xe7,0xd4, 0xe8,0x14,0xe3,0x3e,
+ 0xf6,0x8a,0x97,0x87, 0x63,0x2c,0x88,0xdc,
+ 0xc5,0x23,0x68,0x6e, 0x94,0xe1,0x09,0xc4,
+ 0x44,0xda,0x8f,0xa7, 0x9f,0xc4,0x52,0xa4,
+ 0x18,0x1d,0x3c,0x08, 0xca,0x0a,0x3e,0xb4,
+ 0xbf,0xbe,0xc6,0x47, 0xe2,0x89,0x2b,0x07,
+ 0x71,0xd9,0xc8,0x6a, 0x06,0xd5,0xd0,0x47,
+ 0x4e,0x07,0x4f,0x6b, 0xdb,0xdf,0x3d,0xf0,
+ 0x7c,0x5f,0x49,0x70, 0x17,0x4f,0x9f,0x33,
+ 0x7e,0x4b,0x72,0x3b, 0x8c,0x68,0x22,0xf9,
+ 0xd2,0xad,0xe4,0xe4, 0xb2,0x61,0x9d,0xb8,
+ 0xc2,0x5c,0xf0,0x3b, 0x08,0xb2,0x75,0x30,
+ 0x3a,0xd0,0x7d,0xf9, 0xb2,0x00,0x40,0x56,
+ 0x79,0xe2,0x0d,0x31, 0x72,0xe2,0xc2,0xd1,
+ 0x2e,0x27,0xe7,0xc8, 0x96,0x1a,0xc6,0x7e,
+ 0xb8,0xc1,0x93,0xfb, 0x1d,0xbc,0xed,0x97,
+ 0x2f,0x2f,0xea,0xa1, 0x40,0x49,0xf6,0x1d,
+ 0xab,0x54,0x46,0x2e, 0x73,0xf2,0x74,0xf1,
+ 0x6d,0x5c,0xe6,0xa0, 0xd4,0x73,0x1c,0xbc,
+ 0x07,0x81,0xf5,0x94, 0xe6,0x18,0xdc,0x42,
+ 0x68,0xb9,0xeb,0xfb, 0xa3,0x76,0x8c,0x83,
+ 0x98,0xe9,0x96,0xa6, 0xa6,0x5e,0x0e,0xd1,
+ 0xfc,0xb7,0x8e,0x8b, 0x9e,0xa4,0x00,0x76,
+ 0x0e,0x35,0x92,0x5e, 0x05,0xa1,0x92,0xc4,
+ 0x0c,0xd1,0xec,0x8c, 0x04,0x8e,0x65,0x56,
+ 0x43,0xae,0x16,0x18, 0x2e,0x3e,0xfe,0x47,
+ 0x92,0xe1,0x76,0x1b, 0xb6,0xcc,0x0b,0x82,
+ 0xe1,0x8c,0x7b,0x43, 0xe4,0x90,0xed,0x28,
+ 0x0b,0xe6,0x05,0xea, 0x4a,0xc0,0xf1,0x12,
+ 0x54,0x09,0x93,0xda, 0xfc,0xf4,0x86,0xff,
+ 0x4c,0xaa,0x7d,0xbe, 0xd0,0x4a,0xa6,0x9d,
+ 0x6b,0x27,0x8f,0xb1, 0xb5,0x3a,0x9b,0xce,
+ 0xe2,0x5c,0x29,0x35, 0xd6,0xe7,0xf3,0xa4,
+ 0x5e,0x70,0xf6,0xc6, 0xde,0x63,0x86,0xf7,
+ 0xc9,0xab,0x42,0xb9, 0xe7,0x5d,0x1c,0x68,
+ 0x73,0xa3,0xed,0xb0, 0xa0,0xb6,0x18,0x15,
+ 0xe6,0x57,0x4c,0x21, 0xf7,0xf3,0xc6,0x32,
+ 0x4d,0x07,0x4a,0x14, 0xde,0xb2,0xc7,0xca,
+ 0xf0,0x78,0xc4,0x85, 0xe3,0xdc,0xfb,0x35,
+ 0x7c,0x6b,0xc0,0xb8, 0xcd,0x7a,0x22,0xfc,
+ 0xe4,0xe8,0xe2,0x98, 0x6c,0x8e,0xdf,0x37,
+ 0x8e,0x0f,0x25,0x23, 0xdd,0xea,0x40,0x6f,
+ 0xb3,0x07,0x7e,0x7a, 0x6b,0xa1,0xa1,0xcf,
+ 0x24,0xd9,0xad,0x72, 0x7a,0x45,0x49,0xca,
+ 0xfe,0xc7,0x2e,0x6d, 0xaa,0xc1,0x08,0x2c,
+ 0xe6,0xde,0xde,0x73, 0x01,0x9c,0xdc,0x65,
+ 0x3a,0xdf,0xc6,0x15, 0x37,0x62,0x0b,0x2c,
+ 0x9a,0x36,0xed,0x37, 0xd9,0xfc,0xa9,0xb3,
+ 0x32,0xc3,0xde,0x26, 0xe7,0xf0,0x3f,0x02,
+ 0xed,0x35,0x74,0xea, 0xdd,0x32,0xe9,0x96,
+ 0x75,0x66,0xb8,0xf0, 0x75,0x98,0x8f,0x3a,
+ 0xd0,0xc2,0xa1,0x98, 0x5f,0xf9,0x32,0x31,
+ 0x00,0x18,0x7d,0xc5, 0x9d,0x15,0x5b,0xdc,
+ 0x13,0x37,0x69,0xfc, 0x95,0x7a,0x62,0x0e,
+ 0x8a,0x86,0xed,0x18, 0x78,0x3c,0x49,0xf4,
+ 0x18,0x73,0xcd,0x2e, 0x7b,0xa3,0x40,0xd7,
+ 0x01,0xf6,0xc7,0x2a, 0xc5,0xce,0x13,0x09,
+ 0xb1,0xe5,0x25,0x17, 0xdf,0x9d,0x7e,0x0b,
+ 0x50,0x46,0x62,0x78, 0xb5,0x25,0xb2,0xd9,
+ 0x65,0xfa,0x5b,0xf7, 0xfe,0xc6,0xe0,0x7b,
+ 0x7b,0x4e,0x14,0x2e, 0x0d,0x3a,0xd0,0xe0,
+ 0xa0,0xd2,0xeb,0x4d, 0x87,0x11,0x42,0x28,
+ 0x02,0x7e,0xa8,0x56, 0x5b,0x53,0xbd,0x76,
+ 0x47,0x8f,0x5f,0x8b, 0xc7,0xd9,0x72,0xf7,
+ 0x11,0xbb,0x94,0xdb, 0x0d,0x07,0xb7,0x0a,
+ 0xcc,0x41,0x00,0xcd, 0xd0,0x50,0x25,0x31,
+ 0xc9,0x47,0x6b,0xdd, 0x3f,0x70,0x24,0x3e,
+ 0xde,0x02,0x62,0x6c, 0xb4,0x44,0x92,0x8e,
+ 0x98,0x9c,0x0e,0x30, 0x2f,0x80,0xb9,0x5e,
+ 0x75,0x90,0xa6,0x02, 0xf0,0xed,0xb0,0x8b,
+ 0x44,0xa3,0x59,0x2d, 0xc3,0x08,0xe5,0xd9,
+ 0x89,0x6a,0x71,0x44, 0x04,0xc4,0xb2,0x61,
+ 0x5b,0xf5,0x46,0x44, 0xdc,0x36,0x2e,0xfd,
+ 0x41,0xf5,0xa1,0x3a, 0xb3,0x93,0x74,0x7d,
+ 0x54,0x5e,0x64,0xdc, 0xbc,0xd7,0x07,0x48,
+ 0x3e,0x73,0x81,0x22, 0x9c,0x5a,0xf6,0xde,
+ 0x94,0x42,0xe1,0x6c, 0x92,0xe7,0x6d,0xa0,
+ 0x5e,0xc3,0xd6,0xe9, 0x84,0xd9,0xba,0x57,
+ 0xef,0x85,0x6a,0x9b, 0xe6,0x9a,0x2b,0xf8,
+ 0x8d,0xfe,0x9d,0xad, 0x70,0x26,0x05,0x14,
+ 0x45,0x07,0xcb,0x72, 0xd4,0x8b,0x14,0x44,
+ 0x74,0x40,0x9c,0x29, 0x8b,0xba,0x40,0x09,
+ 0x52,0xfc,0xc5,0x40, 0xb1,0x25,0x69,0xaa,
+ 0x8f,0x12,0xc4,0xc6, 0x2b,0x3f,0x73,0x9d,
+ 0xff,0x52,0xd4,0xac, 0x77,0x43,0xdc,0xd2,
+ 0x06,0x9a,0x1b,0xfc, 0x0c,0x8f,0x6b,0x59,
+ 0xa5,0xd4,0xde,0x06, 0x16,0x34,0xef,0x75,
+ 0x22,0x54,0x9c,0x53, 0x38,0x0b,0x57,0xc7,
+ 0xaa,0x78,0x2d,0x3a, 0x9b,0xdd,0xed,0xb5,
+ 0x0b,0xb0,0x08,0x5f, 0x57,0xdb,0xfc,0xbe,
+ 0x44,0xfd,0x71,0x5f, 0x71,0x14,0xd5,0x14,
+ 0x70,0xb6,0xee,0xd0, 0xf3,0x37,0x6f,0x57,
+ 0x55,0x3c,0x7c,0x23, 0x6f,0xbe,0x83,0x5c,
+ 0xb5,0x64,0xfd,0x6d, 0x7c,0xe4,0x05,0x2b,
+ 0xdb,0xc4,0xf5,0xa0, 0xd3,0xa6,0x15,0x48,
+ 0xc2,0x50,0xf8,0xf7, 0xc2,0xab,0xb5,0x6a,
+ 0x0d,0x1a,0xb5,0x30, 0x33,0xf8,0x12,0x2d,
+ 0xfb,0xa6,0x2e,0xe5, 0xbe,0x40,0xba,0x48,
+ 0xef,0x05,0xc8,0x37, 0x3a,0x36,0xad,0x99,
+ 0x77,0x87,0x84,0xac, 0xd8,0xcb,0x7a,0x88,
+ 0x3e,0x2d,0x8b,0xbe, 0x9a,0x35,0x88,0x26,
+ 0xe9,0x20,0xd4,0x66, 0x80,0x8b,0xf8,0x54,
+ 0xba,0xcd,0xa8,0x47, 0x35,0x1b,0xc4,0x09,
+ 0x6d,0xff,0x0e,0x60, 0x7c,0xf3,0x68,0xbf,
+ 0xe3,0xe9,0x73,0x07, 0x84,0xf0,0x08,0x45,
+ 0x97,0x65,0x94,0xd1, 0x35,0x4e,0x67,0x0c,
+ 0xe3,0xb7,0x61,0x7b, 0x09,0x22,0xed,0x18,
+ 0xee,0x0b,0x54,0xc0, 0xab,0x8b,0xaa,0x71,
+ 0x4c,0x40,0xbf,0xf7, 0xe0,0x7e,0x08,0xaa,
+ },
+ .mlen = 1024,
+ .m = {
+ 0x1d,0xea,0xe5,0x2b, 0x4c,0x22,0x4d,0xf3,
+ 0x15,0x53,0xcb,0x41, 0xf5,0xcf,0x0b,0x7b,
+ 0xc9,0x80,0xc0,0x95, 0xd2,0x7b,0x08,0x4b,
+ 0x3d,0xcd,0xd8,0x3b, 0x2f,0x18,0xd4,0x70,
+ 0x38,0xb2,0xa7,0x2f, 0x7f,0xba,0xd8,0xed,
+ 0xbc,0x8f,0xac,0xe4, 0xe2,0x11,0x2d,0x6d,
+ 0xe6,0xa4,0x36,0x90, 0xc2,0x7f,0xdf,0xe3,
+ 0xdc,0x50,0xdb,0x6c, 0x56,0xcf,0x7d,0xd6,
+ 0xd0,0xcb,0xd6,0x9b, 0x01,0xbb,0xef,0x1c,
+ 0x0a,0x6c,0x92,0x23, 0xeb,0x77,0xf9,0xd1,
+ 0x25,0xdc,0x94,0x30, 0x30,0xa4,0x96,0x3e,
+ 0xdf,0x52,0x4c,0xe7, 0xdf,0x27,0x9f,0x73,
+ 0x78,0x0c,0x8c,0x7f, 0x9d,0xae,0x79,0x5d,
+ 0x91,0x5e,0x4b,0x02, 0xa9,0x31,0x9c,0xff,
+ 0x46,0x73,0xec,0x0d, 0x5a,0xb8,0xeb,0x48,
+ 0x19,0x9c,0x44,0xe0, 0xc8,0x81,0x96,0x4c,
+ 0x47,0x0c,0xe7,0x1d, 0x2a,0x9c,0xd5,0xe0,
+ 0xe7,0xd6,0xa0,0x88, 0xf0,0xf6,0xda,0xa7,
+ 0x6a,0xdd,0xfd,0x4f, 0x00,0x6e,0x25,0x7d,
+ 0xb9,0x81,0x19,0x2f, 0x4e,0xcc,0x8d,0x6e,
+ 0xa6,0x92,0xcf,0xd8, 0x6e,0x78,0x0a,0xf6,
+ 0x8a,0x43,0xeb,0x60, 0x0c,0x8b,0x93,0x50,
+ 0x88,0xd1,0x67,0x05, 0x0c,0xdc,0x43,0x85,
+ 0x50,0x91,0x63,0xa4, 0x32,0x14,0x66,0x84,
+ 0xdb,0x04,0x9f,0x77, 0x95,0x60,0x19,0xc6,
+ 0x98,0x60,0x62,0xe4, 0xc6,0xee,0x70,0x76,
+ 0xb0,0x59,0x80,0x59, 0x46,0xae,0x99,0x26,
+ 0x62,0x4a,0xf0,0x45, 0x8f,0xf0,0x70,0x5b,
+ 0x52,0xfc,0xee,0x4d, 0x30,0x47,0xc8,0xae,
+ 0xe2,0xbc,0x2c,0x73, 0x78,0x67,0xf1,0x00,
+ 0xb4,0xda,0x01,0xad, 0x3b,0xc4,0x5c,0x6c,
+ 0x65,0xca,0x84,0x22, 0x95,0x32,0x95,0x20,
+ 0x4d,0xdc,0x96,0x2e, 0x61,0xe4,0xc8,0xec,
+ 0x2d,0xbf,0xc1,0x5d, 0x70,0xf9,0x75,0xf2,
+ 0xad,0x0a,0xc9,0xd7, 0x0a,0x81,0x3c,0xa1,
+ 0x13,0xec,0x63,0xd4, 0xd0,0x67,0xf4,0xcc,
+ 0x6e,0xb8,0x52,0x08, 0x46,0xc9,0x2a,0x92,
+ 0x59,0xd9,0x14,0x17, 0xde,0x2f,0xc7,0x36,
+ 0xd5,0xd5,0xfc,0x8a, 0x63,0xd5,0x5f,0xe3,
+ 0xdd,0x55,0x00,0x8e, 0x5e,0xc9,0xed,0x04,
+ 0x1d,0xeb,0xae,0xc5, 0xd0,0xf9,0x73,0x28,
+ 0xf3,0x81,0xd5,0xb4, 0x60,0xb2,0x42,0x81,
+ 0x68,0xf3,0xb9,0x73, 0x07,0x2e,0x34,0x8e,
+ 0x47,0x12,0xae,0x7c, 0xa8,0xc2,0xce,0xad,
+ 0x0f,0x6e,0x44,0xa5, 0x35,0x5e,0x61,0x6b,
+ 0xfc,0x67,0x9c,0x82, 0xa1,0xd2,0xff,0xfe,
+ 0x60,0x7c,0x40,0x02, 0x24,0x9e,0x8b,0x90,
+ 0xa0,0x89,0xd9,0x83, 0x04,0xd8,0xef,0x9c,
+ 0x96,0x28,0x77,0x3e, 0xe3,0xb0,0xf8,0x3d,
+ 0xfb,0x91,0x8f,0x6f, 0x83,0x58,0x1e,0x4b,
+ 0x64,0xc7,0xf6,0xe0, 0x85,0x03,0xe3,0xf9,
+ 0x6b,0xc9,0x9e,0x9d, 0x57,0x25,0xe4,0x69,
+ 0x08,0x59,0x28,0x4a, 0x52,0x9c,0x49,0x19,
+ 0x24,0x49,0xba,0xb1, 0x82,0xd4,0xcf,0xd0,
+ 0x1e,0x1d,0xc2,0x02, 0x42,0x4e,0xdf,0xf7,
+ 0x2b,0x3d,0x99,0xf6, 0x99,0xa4,0x3a,0xe1,
+ 0x9d,0x68,0xc8,0x08, 0xec,0xec,0x1c,0xa8,
+ 0x41,0x4a,0x27,0x84, 0xe9,0x0d,0x95,0x54,
+ 0x1a,0xca,0x5f,0x5d, 0x5a,0x96,0xb9,0x5b,
+ 0x6e,0xbc,0x39,0x7f, 0x7a,0x20,0xc5,0xb2,
+ 0x60,0x0c,0xa3,0x78, 0xc3,0x2b,0x87,0xcc,
+ 0xea,0xb0,0x4d,0x27, 0xfb,0x6c,0x58,0x51,
+ 0xce,0x90,0xca,0xd6, 0x86,0x91,0x4d,0x2c,
+ 0x8c,0x82,0xf0,0xc9, 0x9a,0x0a,0x73,0xb3,
+ 0xcb,0xa9,0xd4,0x26, 0x4d,0x74,0xbe,0x0e,
+ 0x4a,0x6e,0x10,0xeb, 0x4e,0xba,0x4e,0xba,
+ 0x0d,0x26,0x69,0x87, 0x5e,0x08,0x2b,0x43,
+ 0xbe,0x97,0x4e,0x2a, 0x63,0xbc,0x52,0xb7,
+ 0xda,0x23,0x23,0x11, 0xfa,0xcf,0x89,0xac,
+ 0x90,0x5f,0x60,0x7a, 0x50,0xb7,0xbe,0x79,
+ 0x0b,0x2c,0xf0,0x27, 0xf0,0xfb,0xaf,0x64,
+ 0xc8,0x57,0x7c,0xeb, 0x1c,0xf7,0x36,0xec,
+ 0x09,0x97,0x66,0x31, 0x54,0xe4,0x00,0xcf,
+ 0x68,0x24,0x77,0x1a, 0xbc,0x27,0x3a,0xad,
+ 0x8a,0x01,0x7e,0x45, 0xe7,0xe4,0xa4,0xeb,
+ 0x38,0x62,0x9d,0x90, 0xea,0x00,0x9c,0x03,
+ 0x5e,0xb2,0x7d,0xd8, 0x2f,0xe9,0xc9,0x3c,
+ 0x1a,0x5c,0x21,0x1a, 0x59,0x45,0x62,0x47,
+ 0x93,0x1b,0xdc,0xd8, 0x3e,0x07,0x8b,0x75,
+ 0xd0,0x6d,0xcc,0x8d, 0xec,0x79,0xa8,0x9a,
+ 0x51,0xa5,0x50,0x18, 0xae,0x44,0x93,0x75,
+ 0xc1,0xc8,0x1e,0x10, 0x59,0x1e,0x0b,0xb3,
+ 0x06,0x30,0xa8,0x66, 0x8d,0x8e,0xd6,0x4d,
+ 0x0d,0x8a,0xb4,0x28, 0xdc,0xfb,0x5d,0x59,
+ 0xe0,0x92,0x77,0x38, 0xfa,0xad,0x46,0x46,
+ 0x25,0x15,0x4c,0xca, 0x09,0x2b,0x31,0xe9,
+ 0x36,0xe8,0xc2,0x67, 0x34,0x4d,0x5e,0xa0,
+ 0x8f,0x9a,0xe8,0x7f, 0xf2,0x2a,0x92,0x78,
+ 0xde,0x09,0x75,0xe7, 0xe5,0x50,0x0a,0x2e,
+ 0x88,0x63,0xc0,0x8f, 0xa8,0x73,0x0f,0xe5,
+ 0x1e,0x9d,0xdb,0xce, 0x53,0xe0,0x42,0x94,
+ 0x7b,0x5c,0xa1,0x5e, 0x1e,0x8f,0x0a,0x6e,
+ 0x8b,0x1a,0xad,0x93, 0x70,0x86,0xf1,0x69,
+ 0x70,0x93,0x24,0xe3, 0x83,0x2f,0xa8,0x04,
+ 0xba,0x27,0x0a,0x2e, 0x03,0xeb,0x69,0xd9,
+ 0x56,0x0e,0xc4,0x10, 0x55,0x31,0x2c,0x3f,
+ 0xd1,0xb2,0x94,0x0f, 0x28,0x15,0x3c,0x02,
+ 0x15,0x5e,0xec,0x26, 0x9c,0xc3,0xfc,0xa7,
+ 0x5c,0xb0,0xfa,0xc0, 0x02,0xf9,0x01,0x3f,
+ 0x01,0x73,0x24,0x22, 0x50,0x28,0x2a,0xca,
+ 0xb1,0xf2,0x03,0x00, 0x2f,0xc6,0x6f,0x28,
+ 0x4f,0x4b,0x4f,0x1a, 0x9a,0xb8,0x16,0x93,
+ 0x31,0x60,0x7c,0x3d, 0x35,0xc8,0xd6,0x90,
+ 0xde,0x8c,0x89,0x39, 0xbd,0x21,0x11,0x05,
+ 0xe8,0xc4,0x04,0x3b, 0x65,0xa5,0x15,0xcf,
+ 0xcf,0x15,0x14,0xf6, 0xe7,0x2e,0x3c,0x47,
+ 0x59,0x0b,0xaa,0xc0, 0xd4,0xab,0x04,0x14,
+ 0x9c,0xd7,0xe2,0x43, 0xc7,0x87,0x09,0x03,
+ 0x27,0xd2,0x0a,0xff, 0x8d,0xd5,0x80,0x34,
+ 0x93,0xa2,0x2c,0xb1, 0x4e,0x16,0x2d,0x82,
+ 0x51,0x5c,0x3c,0xe5, 0x75,0x51,0x7b,0xb4,
+ 0xd8,0x1e,0x59,0x98, 0x0f,0x75,0xed,0x02,
+ 0x1c,0x13,0xf6,0x02, 0xda,0xf9,0x47,0xf7,
+ 0x45,0x25,0x0f,0x58, 0x22,0x5d,0xef,0xf0,
+ 0x1b,0xdb,0xae,0xaf, 0xbe,0xc6,0xe1,0xcd,
+ 0x70,0x46,0x6e,0x03, 0x9a,0x20,0x77,0x00,
+ 0x3c,0x32,0xb5,0x8f, 0x04,0xb6,0x6f,0xa2,
+ 0x31,0xc9,0x7c,0xf9, 0x84,0x67,0x87,0xfb,
+ 0x7b,0x13,0xb0,0x4d, 0x35,0xfd,0x37,0x5b,
+ 0xf4,0x25,0xf0,0x02, 0x74,0xa0,0x69,0xd4,
+ 0x53,0x61,0x4b,0x54, 0x68,0x94,0x0e,0x08,
+ 0x25,0x82,0x90,0xfc, 0x25,0xb6,0x63,0xe2,
+ 0x07,0x9f,0x42,0xf1, 0xbb,0x33,0xea,0xab,
+ 0x92,0x54,0x2b,0x9f, 0x88,0xc0,0x31,0x2b,
+ 0xfd,0x36,0x50,0x80, 0xfc,0x1a,0xff,0xab,
+ 0xe8,0xc4,0x7f,0xb6, 0x98,0xb9,0x2e,0x17,
+ 0xca,0x28,0x3d,0xdf, 0x0f,0x07,0x43,0x20,
+ 0xf0,0x07,0xea,0xe5, 0xcd,0x4e,0x81,0x34,
+ },
+ .h = {
+ 0x9d,0x22,0x88,0xfd, 0x41,0x43,0x88,0x45,
+ 0x34,0xfe,0x85,0xc4, 0xb9,0xff,0xe1,0x55,
+ 0x40,0x1d,0x25,0x37, 0xd1,0xf8,0xfc,0x2b,
+ 0x3a,0xf5,0x3b,0x69, 0xbf,0xa6,0x9d,0xed,
+ },
+ },
+ };
+ static uint32_t k[268];
+ uint8_t h[32];
+ unsigned i, j;
+ int result = 0;
+
+ for (i = 0; i < __arraycount(C); i++) {
+ for (j = 0; j < 268; j++)
+ k[j] = le32dec(C[i].k + 4*j);
+ nh(h, C[i].m, C[i].mlen, k);
+ if (memcmp(h, C[i].h, 32)) {
+ char prefix[10];
+ snprintf(prefix, sizeof prefix, "nh %u", i);
+ hexdump(printf, prefix, h, 32);
+ result = -1;
+ }
+ }
+
+ return result;
+}
+
+/* https://github.com/google/adiantum/blob/a5ad5134ab11b10a3ee982c52385953fac88fedc/test_vectors/ours/NHPoly1305/NHPoly1305.json */
+static int
+nhpoly1305_selftest(void)
+{
+ static const struct {
+ uint8_t k[1088];
+ unsigned mlen;
+ uint8_t m[1024];
+ uint8_t h[16];
+ } C[] = {
+ [0] = { /* 0-byte message */
+ .k = {
+ /* Poly1305 key */
+ 0xd2,0x5d,0x4c,0xdd, 0x8d,0x2b,0x7f,0x7a,
+ 0xd9,0xbe,0x71,0xec, 0xd1,0x83,0x52,0xe3,
+
+ /* NH key */
+ 0xe1,0xad,0xd7,0x5c, 0x0a,0x75,0x9d,0xec,
+ 0x1d,0x13,0x7e,0x5d, 0x71,0x07,0xc9,0xe4,
+ 0x57,0x2d,0x44,0x68, 0xcf,0xd8,0xd6,0xc5,
+ 0x39,0x69,0x7d,0x32, 0x75,0x51,0x4f,0x7e,
+ 0xb2,0x4c,0xc6,0x90, 0x51,0x6e,0xd9,0xd6,
+ 0xa5,0x8b,0x2d,0xf1, 0x94,0xf9,0xf7,0x5e,
+ 0x2c,0x84,0x7b,0x41, 0x0f,0x88,0x50,0x89,
+ 0x30,0xd9,0xa1,0x38, 0x46,0x6c,0xc0,0x4f,
+ 0xe8,0xdf,0xdc,0x66, 0xab,0x24,0x43,0x41,
+ 0x91,0x55,0x29,0x65, 0x86,0x28,0x5e,0x45,
+ 0xd5,0x2d,0xb7,0x80, 0x08,0x9a,0xc3,0xd4,
+ 0x9a,0x77,0x0a,0xd4, 0xef,0x3e,0xe6,0x3f,
+ 0x6f,0x2f,0x9b,0x3a, 0x7d,0x12,0x1e,0x80,
+ 0x6c,0x44,0xa2,0x25, 0xe1,0xf6,0x60,0xe9,
+ 0x0d,0xaf,0xc5,0x3c, 0xa5,0x79,0xae,0x64,
+ 0xbc,0xa0,0x39,0xa3, 0x4d,0x10,0xe5,0x4d,
+ 0xd5,0xe7,0x89,0x7a, 0x13,0xee,0x06,0x78,
+ 0xdc,0xa4,0xdc,0x14, 0x27,0xe6,0x49,0x38,
+ 0xd0,0xe0,0x45,0x25, 0x36,0xc5,0xf4,0x79,
+ 0x2e,0x9a,0x98,0x04, 0xe4,0x2b,0x46,0x52,
+ 0x7c,0x33,0xca,0xe2, 0x56,0x51,0x50,0xe2,
+ 0xa5,0x9a,0xae,0x18, 0x6a,0x13,0xf8,0xd2,
+ 0x21,0x31,0x66,0x02, 0xe2,0xda,0x8d,0x7e,
+ 0x41,0x19,0xb2,0x61, 0xee,0x48,0x8f,0xf1,
+ 0x65,0x24,0x2e,0x1e, 0x68,0xce,0x05,0xd9,
+ 0x2a,0xcf,0xa5,0x3a, 0x57,0xdd,0x35,0x91,
+ 0x93,0x01,0xca,0x95, 0xfc,0x2b,0x36,0x04,
+ 0xe6,0x96,0x97,0x28, 0xf6,0x31,0xfe,0xa3,
+ 0x9d,0xf6,0x6a,0x1e, 0x80,0x8d,0xdc,0xec,
+ 0xaf,0x66,0x11,0x13, 0x02,0x88,0xd5,0x27,
+ 0x33,0xb4,0x1a,0xcd, 0xa3,0xf6,0xde,0x31,
+ 0x8e,0xc0,0x0e,0x6c, 0xd8,0x5a,0x97,0x5e,
+ 0xdd,0xfd,0x60,0x69, 0x38,0x46,0x3f,0x90,
+ 0x5e,0x97,0xd3,0x32, 0x76,0xc7,0x82,0x49,
+ 0xfe,0xba,0x06,0x5f, 0x2f,0xa2,0xfd,0xff,
+ 0x80,0x05,0x40,0xe4, 0x33,0x03,0xfb,0x10,
+ 0xc0,0xde,0x65,0x8c, 0xc9,0x8d,0x3a,0x9d,
+ 0xb5,0x7b,0x36,0x4b, 0xb5,0x0c,0xcf,0x00,
+ 0x9c,0x87,0xe4,0x49, 0xad,0x90,0xda,0x4a,
+ 0xdd,0xbd,0xff,0xe2, 0x32,0x57,0xd6,0x78,
+ 0x36,0x39,0x6c,0xd3, 0x5b,0x9b,0x88,0x59,
+ 0x2d,0xf0,0x46,0xe4, 0x13,0x0e,0x2b,0x35,
+ 0x0d,0x0f,0x73,0x8a, 0x4f,0x26,0x84,0x75,
+ 0x88,0x3c,0xc5,0x58, 0x66,0x18,0x1a,0xb4,
+ 0x64,0x51,0x34,0x27, 0x1b,0xa4,0x11,0xc9,
+ 0x6d,0x91,0x8a,0xfa, 0x32,0x60,0x9d,0xd7,
+ 0x87,0xe5,0xaa,0x43, 0x72,0xf8,0xda,0xd1,
+ 0x48,0x44,0x13,0x61, 0xdc,0x8c,0x76,0x17,
+ 0x0c,0x85,0x4e,0xf3, 0xdd,0xa2,0x42,0xd2,
+ 0x74,0xc1,0x30,0x1b, 0xeb,0x35,0x31,0x29,
+ 0x5b,0xd7,0x4c,0x94, 0x46,0x35,0xa1,0x23,
+ 0x50,0xf2,0xa2,0x8e, 0x7e,0x4f,0x23,0x4f,
+ 0x51,0xff,0xe2,0xc9, 0xa3,0x7d,0x56,0x8b,
+ 0x41,0xf2,0xd0,0xc5, 0x57,0x7e,0x59,0xac,
+ 0xbb,0x65,0xf3,0xfe, 0xf7,0x17,0xef,0x63,
+ 0x7c,0x6f,0x23,0xdd, 0x22,0x8e,0xed,0x84,
+ 0x0e,0x3b,0x09,0xb3, 0xf3,0xf4,0x8f,0xcd,
+ 0x37,0xa8,0xe1,0xa7, 0x30,0xdb,0xb1,0xa2,
+ 0x9c,0xa2,0xdf,0x34, 0x17,0x3e,0x68,0x44,
+ 0xd0,0xde,0x03,0x50, 0xd1,0x48,0x6b,0x20,
+ 0xe2,0x63,0x45,0xa5, 0xea,0x87,0xc2,0x42,
+ 0x95,0x03,0x49,0x05, 0xed,0xe0,0x90,0x29,
+ 0x1a,0xb8,0xcf,0x9b, 0x43,0xcf,0x29,0x7a,
+ 0x63,0x17,0x41,0x9f, 0xe0,0xc9,0x10,0xfd,
+ 0x2c,0x56,0x8c,0x08, 0x55,0xb4,0xa9,0x27,
+ 0x0f,0x23,0xb1,0x05, 0x6a,0x12,0x46,0xc7,
+ 0xe1,0xfe,0x28,0x93, 0x93,0xd7,0x2f,0xdc,
+ 0x98,0x30,0xdb,0x75, 0x8a,0xbe,0x97,0x7a,
+ 0x02,0xfb,0x8c,0xba, 0xbe,0x25,0x09,0xbe,
+ 0xce,0xcb,0xa2,0xef, 0x79,0x4d,0x0e,0x9d,
+ 0x1b,0x9d,0xb6,0x39, 0x34,0x38,0xfa,0x07,
+ 0xec,0xe8,0xfc,0x32, 0x85,0x1d,0xf7,0x85,
+ 0x63,0xc3,0x3c,0xc0, 0x02,0x75,0xd7,0x3f,
+ 0xb2,0x68,0x60,0x66, 0x65,0x81,0xc6,0xb1,
+ 0x42,0x65,0x4b,0x4b, 0x28,0xd7,0xc7,0xaa,
+ 0x9b,0xd2,0xdc,0x1b, 0x01,0xe0,0x26,0x39,
+ 0x01,0xc1,0x52,0x14, 0xd1,0x3f,0xb7,0xe6,
+ 0x61,0x41,0xc7,0x93, 0xd2,0xa2,0x67,0xc6,
+ 0xf7,0x11,0xb5,0xf5, 0xea,0xdd,0x19,0xfb,
+ 0x4d,0x21,0x12,0xd6, 0x7d,0xf1,0x10,0xb0,
+ 0x89,0x07,0xc7,0x5a, 0x52,0x73,0x70,0x2f,
+ 0x32,0xef,0x65,0x2b, 0x12,0xb2,0xf0,0xf5,
+ 0x20,0xe0,0x90,0x59, 0x7e,0x64,0xf1,0x4c,
+ 0x41,0xb3,0xa5,0x91, 0x08,0xe6,0x5e,0x5f,
+ 0x05,0x56,0x76,0xb4, 0xb0,0xcd,0x70,0x53,
+ 0x10,0x48,0x9c,0xff, 0xc2,0x69,0x55,0x24,
+ 0x87,0xef,0x84,0xea, 0xfb,0xa7,0xbf,0xa0,
+ 0x91,0x04,0xad,0x4f, 0x8b,0x57,0x54,0x4b,
+ 0xb6,0xe9,0xd1,0xac, 0x37,0x2f,0x1d,0x2e,
+ 0xab,0xa5,0xa4,0xe8, 0xff,0xfb,0xd9,0x39,
+ 0x2f,0xb7,0xac,0xd1, 0xfe,0x0b,0x9a,0x80,
+ 0x0f,0xb6,0xf4,0x36, 0x39,0x90,0x51,0xe3,
+ 0x0a,0x2f,0xb6,0x45, 0x76,0x89,0xcd,0x61,
+ 0xfe,0x48,0x5f,0x75, 0x1d,0x13,0x00,0x62,
+ 0x80,0x24,0x47,0xe7, 0xbc,0x37,0xd7,0xe3,
+ 0x15,0xe8,0x68,0x22, 0xaf,0x80,0x6f,0x4b,
+ 0xa8,0x9f,0x01,0x10, 0x48,0x14,0xc3,0x02,
+ 0x52,0xd2,0xc7,0x75, 0x9b,0x52,0x6d,0x30,
+ 0xac,0x13,0x85,0xc8, 0xf7,0xa3,0x58,0x4b,
+ 0x49,0xf7,0x1c,0x45, 0x55,0x8c,0x39,0x9a,
+ 0x99,0x6d,0x97,0x27, 0x27,0xe6,0xab,0xdd,
+ 0x2c,0x42,0x1b,0x35, 0xdd,0x9d,0x73,0xbb,
+ 0x6c,0xf3,0x64,0xf1, 0xfb,0xb9,0xf7,0xe6,
+ 0x4a,0x3c,0xc0,0x92, 0xc0,0x2e,0xb7,0x1a,
+ 0xbe,0xab,0xb3,0x5a, 0xe5,0xea,0xb1,0x48,
+ 0x58,0x13,0x53,0x90, 0xfd,0xc3,0x8e,0x54,
+ 0xf9,0x18,0x16,0x73, 0xe8,0xcb,0x6d,0x39,
+ 0x0e,0xd7,0xe0,0xfe, 0xb6,0x9f,0x43,0x97,
+ 0xe8,0xd0,0x85,0x56, 0x83,0x3e,0x98,0x68,
+ 0x7f,0xbd,0x95,0xa8, 0x9a,0x61,0x21,0x8f,
+ 0x06,0x98,0x34,0xa6, 0xc8,0xd6,0x1d,0xf3,
+ 0x3d,0x43,0xa4,0x9a, 0x8c,0xe5,0xd3,0x5a,
+ 0x32,0xa2,0x04,0x22, 0xa4,0x19,0x1a,0x46,
+ 0x42,0x7e,0x4d,0xe5, 0xe0,0xe6,0x0e,0xca,
+ 0xd5,0x58,0x9d,0x2c, 0xaf,0xda,0x33,0x5c,
+ 0xb0,0x79,0x9e,0xc9, 0xfc,0xca,0xf0,0x2f,
+ 0xa8,0xb2,0x77,0xeb, 0x7a,0xa2,0xdd,0x37,
+ 0x35,0x83,0x07,0xd6, 0x02,0x1a,0xb6,0x6c,
+ 0x24,0xe2,0x59,0x08, 0x0e,0xfd,0x3e,0x46,
+ 0xec,0x40,0x93,0xf4, 0x00,0x26,0x4f,0x2a,
+ 0xff,0x47,0x2f,0xeb, 0x02,0x92,0x26,0x5b,
+ 0x53,0x17,0xc2,0x8d, 0x2a,0xc7,0xa3,0x1b,
+ 0xcd,0xbc,0xa7,0xe8, 0xd1,0x76,0xe3,0x80,
+ 0x21,0xca,0x5d,0x3b, 0xe4,0x9c,0x8f,0xa9,
+ 0x5b,0x7f,0x29,0x7f, 0x7c,0xd8,0xed,0x6d,
+ 0x8c,0xb2,0x86,0x85, 0xe7,0x77,0xf2,0x85,
+ 0xab,0x38,0xa9,0x9d, 0xc1,0x4e,0xc5,0x64,
+ 0x33,0x73,0x8b,0x59, 0x03,0xad,0x05,0xdf,
+ 0x25,0x98,0x31,0xde, 0xef,0x13,0xf1,0x9b,
+ 0x3c,0x91,0x9d,0x7b, 0xb1,0xfa,0xe6,0xbf,
+ 0x5b,0xed,0xa5,0x55, 0xe6,0xea,0x6c,0x74,
+ 0xf4,0xb9,0xe4,0x45, 0x64,0x72,0x81,0xc2,
+ 0x4c,0x28,0xd4,0xcd, 0xac,0xe2,0xde,0xf9,
+ 0xeb,0x5c,0xeb,0x61, 0x60,0x5a,0xe5,0x28,
+ },
+ .mlen = 0,
+ .h = {0},
+ },
+ [1] = { /* 16-byte message */
+ .k = {
+ /* Poly1305 key */
+ 0x29,0x21,0x43,0xcb, 0xcb,0x13,0x07,0xde,
+ 0xbf,0x48,0xdf,0x8a, 0x7f,0xa2,0x84,0xde,
+
+ /* NH key */
+ 0x72,0x23,0x9d,0xf5, 0xf0,0x07,0xf2,0x4c,
+ 0x20,0x3a,0x93,0xb9, 0xcd,0x5d,0xfe,0xcb,
+ 0x99,0x2c,0x2b,0x58, 0xc6,0x50,0x5f,0x94,
+ 0x56,0xc3,0x7c,0x0d, 0x02,0x3f,0xb8,0x5e,
+ 0x7b,0xc0,0x6c,0x51, 0x34,0x76,0xc0,0x0e,
+ 0xc6,0x22,0xc8,0x9e, 0x92,0xa0,0x21,0xc9,
+ 0x85,0x5c,0x7c,0xf8, 0xe2,0x64,0x47,0xc9,
+ 0xe4,0xa2,0x57,0x93, 0xf8,0xa2,0x69,0xcd,
+ 0x62,0x98,0x99,0xf4, 0xd7,0x7b,0x14,0xb1,
+ 0xd8,0x05,0xff,0x04, 0x15,0xc9,0xe1,0x6e,
+ 0x9b,0xe6,0x50,0x6b, 0x0b,0x3f,0x22,0x1f,
+ 0x08,0xde,0x0c,0x5b, 0x08,0x7e,0xc6,0x2f,
+ 0x6c,0xed,0xd6,0xb2, 0x15,0xa4,0xb3,0xf9,
+ 0xa7,0x46,0x38,0x2a, 0xea,0x69,0xa5,0xde,
+ 0x02,0xc3,0x96,0x89, 0x4d,0x55,0x3b,0xed,
+ 0x3d,0x3a,0x85,0x77, 0xbf,0x97,0x45,0x5c,
+ 0x9e,0x02,0x69,0xe2, 0x1b,0x68,0xbe,0x96,
+ 0xfb,0x64,0x6f,0x0f, 0xf6,0x06,0x40,0x67,
+ 0xfa,0x04,0xe3,0x55, 0xfa,0xbe,0xa4,0x60,
+ 0xef,0x21,0x66,0x97, 0xe6,0x9d,0x5c,0x1f,
+ 0x62,0x37,0xaa,0x31, 0xde,0xe4,0x9c,0x28,
+ 0x95,0xe0,0x22,0x86, 0xf4,0x4d,0xf3,0x07,
+ 0xfd,0x5f,0x3a,0x54, 0x2c,0x51,0x80,0x71,
+ 0xba,0x78,0x69,0x5b, 0x65,0xab,0x1f,0x81,
+ 0xed,0x3b,0xff,0x34, 0xa3,0xfb,0xbc,0x73,
+ 0x66,0x7d,0x13,0x7f, 0xdf,0x6e,0xe2,0xe2,
+ 0xeb,0x4f,0x6c,0xda, 0x7d,0x33,0x57,0xd0,
+ 0xd3,0x7c,0x95,0x4f, 0x33,0x58,0x21,0xc7,
+ 0xc0,0xe5,0x6f,0x42, 0x26,0xc6,0x1f,0x5e,
+ 0x85,0x1b,0x98,0x9a, 0xa2,0x1e,0x55,0x77,
+ 0x23,0xdf,0x81,0x5e, 0x79,0x55,0x05,0xfc,
+ 0xfb,0xda,0xee,0xba, 0x5a,0xba,0xf7,0x77,
+ 0x7f,0x0e,0xd3,0xe1, 0x37,0xfe,0x8d,0x2b,
+ 0xd5,0x3f,0xfb,0xd0, 0xc0,0x3c,0x0b,0x3f,
+ 0xcf,0x3c,0x14,0xcf, 0xfb,0x46,0x72,0x4c,
+ 0x1f,0x39,0xe2,0xda, 0x03,0x71,0x6d,0x23,
+ 0xef,0x93,0xcd,0x39, 0xd9,0x37,0x80,0x4d,
+ 0x65,0x61,0xd1,0x2c, 0x03,0xa9,0x47,0x72,
+ 0x4d,0x1e,0x0e,0x16, 0x33,0x0f,0x21,0x17,
+ 0xec,0x92,0xea,0x6f, 0x37,0x22,0xa4,0xd8,
+ 0x03,0x33,0x9e,0xd8, 0x03,0x69,0x9a,0xe8,
+ 0xb2,0x57,0xaf,0x78, 0x99,0x05,0x12,0xab,
+ 0x48,0x90,0x80,0xf0, 0x12,0x9b,0x20,0x64,
+ 0x7a,0x1d,0x47,0x5f, 0xba,0x3c,0xf9,0xc3,
+ 0x0a,0x0d,0x8d,0xa1, 0xf9,0x1b,0x82,0x13,
+ 0x3e,0x0d,0xec,0x0a, 0x83,0xc0,0x65,0xe1,
+ 0xe9,0x95,0xff,0x97, 0xd6,0xf2,0xe4,0xd5,
+ 0x86,0xc0,0x1f,0x29, 0x27,0x63,0xd7,0xde,
+ 0xb7,0x0a,0x07,0x99, 0x04,0x2d,0xa3,0x89,
+ 0xa2,0x43,0xcf,0xf3, 0xe1,0x43,0xac,0x4a,
+ 0x06,0x97,0xd0,0x05, 0x4f,0x87,0xfa,0xf9,
+ 0x9b,0xbf,0x52,0x70, 0xbd,0xbc,0x6c,0xf3,
+ 0x03,0x13,0x60,0x41, 0x28,0x09,0xec,0xcc,
+ 0xb1,0x1a,0xec,0xd6, 0xfb,0x6f,0x2a,0x89,
+ 0x5d,0x0b,0x53,0x9c, 0x59,0xc1,0x84,0x21,
+ 0x33,0x51,0x47,0x19, 0x31,0x9c,0xd4,0x0a,
+ 0x4d,0x04,0xec,0x50, 0x90,0x61,0xbd,0xbc,
+ 0x7e,0xc8,0xd9,0x6c, 0x98,0x1d,0x45,0x41,
+ 0x17,0x5e,0x97,0x1c, 0xc5,0xa8,0xe8,0xea,
+ 0x46,0x58,0x53,0xf7, 0x17,0xd5,0xad,0x11,
+ 0xc8,0x54,0xf5,0x7a, 0x33,0x90,0xf5,0x19,
+ 0xba,0x36,0xb4,0xfc, 0x52,0xa5,0x72,0x3d,
+ 0x14,0xbb,0x55,0xa7, 0xe9,0xe3,0x12,0xf7,
+ 0x1c,0x30,0xa2,0x82, 0x03,0xbf,0x53,0x91,
+ 0x2e,0x60,0x41,0x9f, 0x5b,0x69,0x39,0xf6,
+ 0x4d,0xc8,0xf8,0x46, 0x7a,0x7f,0xa4,0x98,
+ 0x36,0xff,0x06,0xcb, 0xca,0xe7,0x33,0xf2,
+ 0xc0,0x4a,0xf4,0x3c, 0x14,0x44,0x5f,0x6b,
+ 0x75,0xef,0x02,0x36, 0x75,0x08,0x14,0xfd,
+ 0x10,0x8e,0xa5,0x58, 0xd0,0x30,0x46,0x49,
+ 0xaf,0x3a,0xf8,0x40, 0x3d,0x35,0xdb,0x84,
+ 0x11,0x2e,0x97,0x6a, 0xb7,0x87,0x7f,0xad,
+ 0xf1,0xfa,0xa5,0x63, 0x60,0xd8,0x5e,0xbf,
+ 0x41,0x78,0x49,0xcf, 0x77,0xbb,0x56,0xbb,
+ 0x7d,0x01,0x67,0x05, 0x22,0xc8,0x8f,0x41,
+ 0xba,0x81,0xd2,0xca, 0x2c,0x38,0xac,0x76,
+ 0x06,0xc1,0x1a,0xc2, 0xce,0xac,0x90,0x67,
+ 0x57,0x3e,0x20,0x12, 0x5b,0xd9,0x97,0x58,
+ 0x65,0x05,0xb7,0x04, 0x61,0x7e,0xd8,0x3a,
+ 0xbf,0x55,0x3b,0x13, 0xe9,0x34,0x5a,0x37,
+ 0x36,0xcb,0x94,0x45, 0xc5,0x32,0xb3,0xa0,
+ 0x0c,0x3e,0x49,0xc5, 0xd3,0xed,0xa7,0xf0,
+ 0x1c,0x69,0xcc,0xea, 0xcc,0x83,0xc9,0x16,
+ 0x95,0x72,0x4b,0xf4, 0x89,0xd5,0xb9,0x10,
+ 0xf6,0x2d,0x60,0x15, 0xea,0x3c,0x06,0x66,
+ 0x9f,0x82,0xad,0x17, 0xce,0xd2,0xa4,0x48,
+ 0x7c,0x65,0xd9,0xf8, 0x02,0x4d,0x9b,0x4c,
+ 0x89,0x06,0x3a,0x34, 0x85,0x48,0x89,0x86,
+ 0xf9,0x24,0xa9,0x54, 0x72,0xdb,0x44,0x95,
+ 0xc7,0x44,0x1c,0x19, 0x11,0x4c,0x04,0xdc,
+ 0x13,0xb9,0x67,0xc8, 0xc3,0x3a,0x6a,0x50,
+ 0xfa,0xd1,0xfb,0xe1, 0x88,0xb6,0xf1,0xa3,
+ 0xc5,0x3b,0xdc,0x38, 0x45,0x16,0x26,0x02,
+ 0x3b,0xb8,0x8f,0x8b, 0x58,0x7d,0x23,0x04,
+ 0x50,0x6b,0x81,0x9f, 0xae,0x66,0xac,0x6f,
+ 0xcf,0x2a,0x9d,0xf1, 0xfd,0x1d,0x57,0x07,
+ 0xbe,0x58,0xeb,0x77, 0x0c,0xe3,0xc2,0x19,
+ 0x14,0x74,0x1b,0x51, 0x1c,0x4f,0x41,0xf3,
+ 0x32,0x89,0xb3,0xe7, 0xde,0x62,0xf6,0x5f,
+ 0xc7,0x6a,0x4a,0x2a, 0x5b,0x0f,0x5f,0x87,
+ 0x9c,0x08,0xb9,0x02, 0x88,0xc8,0x29,0xb7,
+ 0x94,0x52,0xfa,0x52, 0xfe,0xaa,0x50,0x10,
+ 0xba,0x48,0x75,0x5e, 0x11,0x1b,0xe6,0x39,
+ 0xd7,0x82,0x2c,0x87, 0xf1,0x1e,0xa4,0x38,
+ 0x72,0x3e,0x51,0xe7, 0xd8,0x3e,0x5b,0x7b,
+ 0x31,0x16,0x89,0xba, 0xd6,0xad,0x18,0x5e,
+ 0xba,0xf8,0x12,0xb3, 0xf4,0x6c,0x47,0x30,
+ 0xc0,0x38,0x58,0xb3, 0x10,0x8d,0x58,0x5d,
+ 0xb4,0xfb,0x19,0x7e, 0x41,0xc3,0x66,0xb8,
+ 0xd6,0x72,0x84,0xe1, 0x1a,0xc2,0x71,0x4c,
+ 0x0d,0x4a,0x21,0x7a, 0xab,0xa2,0xc0,0x36,
+ 0x15,0xc5,0xe9,0x46, 0xd7,0x29,0x17,0x76,
+ 0x5e,0x47,0x36,0x7f, 0x72,0x05,0xa7,0xcc,
+ 0x36,0x63,0xf9,0x47, 0x7d,0xe6,0x07,0x3c,
+ 0x8b,0x79,0x1d,0x96, 0x61,0x8d,0x90,0x65,
+ 0x7c,0xf5,0xeb,0x4e, 0x6e,0x09,0x59,0x6d,
+ 0x62,0x50,0x1b,0x0f, 0xe0,0xdc,0x78,0xf2,
+ 0x5b,0x83,0x1a,0xa1, 0x11,0x75,0xfd,0x18,
+ 0xd7,0xe2,0x8d,0x65, 0x14,0x21,0xce,0xbe,
+ 0xb5,0x87,0xe3,0x0a, 0xda,0x24,0x0a,0x64,
+ 0xa9,0x9f,0x03,0x8d, 0x46,0x5d,0x24,0x1a,
+ 0x8a,0x0c,0x42,0x01, 0xca,0xb1,0x5f,0x7c,
+ 0xa5,0xac,0x32,0x4a, 0xb8,0x07,0x91,0x18,
+ 0x6f,0xb0,0x71,0x3c, 0xc9,0xb1,0xa8,0xf8,
+ 0x5f,0x69,0xa5,0xa1, 0xca,0x9e,0x7a,0xaa,
+ 0xac,0xe9,0xc7,0x47, 0x41,0x75,0x25,0xc3,
+ 0x73,0xe2,0x0b,0xdd, 0x6d,0x52,0x71,0xbe,
+ 0xc5,0xdc,0xb4,0xe7, 0x01,0x26,0x53,0x77,
+ 0x86,0x90,0x85,0x68, 0x6b,0x7b,0x03,0x53,
+ 0xda,0x52,0x52,0x51, 0x68,0xc8,0xf3,0xec,
+ 0x6c,0xd5,0x03,0x7a, 0xa3,0x0e,0xb4,0x02,
+ 0x5f,0x1a,0xab,0xee, 0xca,0x67,0x29,0x7b,
+ 0xbd,0x96,0x59,0xb3, 0x8b,0x32,0x7a,0x92,
+ 0x9f,0xd8,0x25,0x2b, 0xdf,0xc0,0x4c,0xda,
+ },
+ .mlen = 16,
+ .m = {
+ 0xbc,0xda,0x81,0xa8, 0x78,0x79,0x1c,0xbf,
+ 0x77,0x53,0xba,0x4c, 0x30,0x5b,0xb8,0x33,
+ },
+ .h = {
+ 0x04,0xbf,0x7f,0x6a, 0xce,0x72,0xea,0x6a,
+ 0x79,0xdb,0xb0,0xc9, 0x60,0xf6,0x12,0xcc,
+ },
+ },
+ [2] = { /* 1024-byte message */
+ .k = {
+ 0x65,0x4d,0xe3,0xf8, 0xd2,0x4c,0xac,0x28,
+ 0x68,0xf5,0xb3,0x81, 0x71,0x4b,0xa1,0xfa,
+ 0x04,0x0e,0xd3,0x81, 0x36,0xbe,0x0c,0x81,
+ 0x5e,0xaf,0xbc,0x3a, 0xa4,0xc0,0x8e,0x8b,
+ 0x55,0x63,0xd3,0x52, 0x97,0x88,0xd6,0x19,
+ 0xbc,0x96,0xdf,0x49, 0xff,0x04,0x63,0xf5,
+ 0x0c,0x11,0x13,0xaa, 0x9e,0x1f,0x5a,0xf7,
+ 0xdd,0xbd,0x37,0x80, 0xc3,0xd0,0xbe,0xa7,
+ 0x05,0xc8,0x3c,0x98, 0x1e,0x05,0x3c,0x84,
+ 0x39,0x61,0xc4,0xed, 0xed,0x71,0x1b,0xc4,
+ 0x74,0x45,0x2c,0xa1, 0x56,0x70,0x97,0xfd,
+ 0x44,0x18,0x07,0x7d, 0xca,0x60,0x1f,0x73,
+ 0x3b,0x6d,0x21,0xcb, 0x61,0x87,0x70,0x25,
+ 0x46,0x21,0xf1,0x1f, 0x21,0x91,0x31,0x2d,
+ 0x5d,0xcc,0xb7,0xd1, 0x84,0x3e,0x3d,0xdb,
+ 0x03,0x53,0x2a,0x82, 0xa6,0x9a,0x95,0xbc,
+ 0x1a,0x1e,0x0a,0x5e, 0x07,0x43,0xab,0x43,
+ 0xaf,0x92,0x82,0x06, 0x91,0x04,0x09,0xf4,
+ 0x17,0x0a,0x9a,0x2c, 0x54,0xdb,0xb8,0xf4,
+ 0xd0,0xf0,0x10,0x66, 0x24,0x8d,0xcd,0xda,
+ 0xfe,0x0e,0x45,0x9d, 0x6f,0xc4,0x4e,0xf4,
+ 0x96,0xaf,0x13,0xdc, 0xa9,0xd4,0x8c,0xc4,
+ 0xc8,0x57,0x39,0x3c, 0xc2,0xd3,0x0a,0x76,
+ 0x4a,0x1f,0x75,0x83, 0x44,0xc7,0xd1,0x39,
+ 0xd8,0xb5,0x41,0xba, 0x73,0x87,0xfa,0x96,
+ 0xc7,0x18,0x53,0xfb, 0x9b,0xda,0xa0,0x97,
+ 0x1d,0xee,0x60,0x85, 0x9e,0x14,0xc3,0xce,
+ 0xc4,0x05,0x29,0x3b, 0x95,0x30,0xa3,0xd1,
+ 0x9f,0x82,0x6a,0x04, 0xf5,0xa7,0x75,0x57,
+ 0x82,0x04,0xfe,0x71, 0x51,0x71,0xb1,0x49,
+ 0x50,0xf8,0xe0,0x96, 0xf1,0xfa,0xa8,0x88,
+ 0x3f,0xa0,0x86,0x20, 0xd4,0x60,0x79,0x59,
+ 0x17,0x2d,0xd1,0x09, 0xf4,0xec,0x05,0x57,
+ 0xcf,0x62,0x7e,0x0e, 0x7e,0x60,0x78,0xe6,
+ 0x08,0x60,0x29,0xd8, 0xd5,0x08,0x1a,0x24,
+ 0xc4,0x6c,0x24,0xe7, 0x92,0x08,0x3d,0x8a,
+ 0x98,0x7a,0xcf,0x99, 0x0a,0x65,0x0e,0xdc,
+ 0x8c,0x8a,0xbe,0x92, 0x82,0x91,0xcc,0x62,
+ 0x30,0xb6,0xf4,0x3f, 0xc6,0x8a,0x7f,0x12,
+ 0x4a,0x8a,0x49,0xfa, 0x3f,0x5c,0xd4,0x5a,
+ 0xa6,0x82,0xa3,0xe6, 0xaa,0x34,0x76,0xb2,
+ 0xab,0x0a,0x30,0xef, 0x6c,0x77,0x58,0x3f,
+ 0x05,0x6b,0xcc,0x5c, 0xae,0xdc,0xd7,0xb9,
+ 0x51,0x7e,0x8d,0x32, 0x5b,0x24,0x25,0xbe,
+ 0x2b,0x24,0x01,0xcf, 0x80,0xda,0x16,0xd8,
+ 0x90,0x72,0x2c,0xad, 0x34,0x8d,0x0c,0x74,
+ 0x02,0xcb,0xfd,0xcf, 0x6e,0xef,0x97,0xb5,
+ 0x4c,0xf2,0x68,0xca, 0xde,0x43,0x9e,0x8a,
+ 0xc5,0x5f,0x31,0x7f, 0x14,0x71,0x38,0xec,
+ 0xbd,0x98,0xe5,0x71, 0xc4,0xb5,0xdb,0xef,
+ 0x59,0xd2,0xca,0xc0, 0xc1,0x86,0x75,0x01,
+ 0xd4,0x15,0x0d,0x6f, 0xa4,0xf7,0x7b,0x37,
+ 0x47,0xda,0x18,0x93, 0x63,0xda,0xbe,0x9e,
+ 0x07,0xfb,0xb2,0x83, 0xd5,0xc4,0x34,0x55,
+ 0xee,0x73,0xa1,0x42, 0x96,0xf9,0x66,0x41,
+ 0xa4,0xcc,0xd2,0x93, 0x6e,0xe1,0x0a,0xbb,
+ 0xd2,0xdd,0x18,0x23, 0xe6,0x6b,0x98,0x0b,
+ 0x8a,0x83,0x59,0x2c, 0xc3,0xa6,0x59,0x5b,
+ 0x01,0x22,0x59,0xf7, 0xdc,0xb0,0x87,0x7e,
+ 0xdb,0x7d,0xf4,0x71, 0x41,0xab,0xbd,0xee,
+ 0x79,0xbe,0x3c,0x01, 0x76,0x0b,0x2d,0x0a,
+ 0x42,0xc9,0x77,0x8c, 0xbb,0x54,0x95,0x60,
+ 0x43,0x2e,0xe0,0x17, 0x52,0xbd,0x90,0xc9,
+ 0xc2,0x2c,0xdd,0x90, 0x24,0x22,0x76,0x40,
+ 0x5c,0xb9,0x41,0xc9, 0xa1,0xd5,0xbd,0xe3,
+ 0x44,0xe0,0xa4,0xab, 0xcc,0xb8,0xe2,0x32,
+ 0x02,0x15,0x04,0x1f, 0x8c,0xec,0x5d,0x14,
+ 0xac,0x18,0xaa,0xef, 0x6e,0x33,0x19,0x6e,
+ 0xde,0xfe,0x19,0xdb, 0xeb,0x61,0xca,0x18,
+ 0xad,0xd8,0x3d,0xbf, 0x09,0x11,0xc7,0xa5,
+ 0x86,0x0b,0x0f,0xe5, 0x3e,0xde,0xe8,0xd9,
+ 0x0a,0x69,0x9e,0x4c, 0x20,0xff,0xf9,0xc5,
+ 0xfa,0xf8,0xf3,0x7f, 0xa5,0x01,0x4b,0x5e,
+ 0x0f,0xf0,0x3b,0x68, 0xf0,0x46,0x8c,0x2a,
+ 0x7a,0xc1,0x8f,0xa0, 0xfe,0x6a,0x5b,0x44,
+ 0x70,0x5c,0xcc,0x92, 0x2c,0x6f,0x0f,0xbd,
+ 0x25,0x3e,0xb7,0x8e, 0x73,0x58,0xda,0xc9,
+ 0xa5,0xaa,0x9e,0xf3, 0x9b,0xfd,0x37,0x3e,
+ 0xe2,0x88,0xa4,0x7b, 0xc8,0x5c,0xa8,0x93,
+ 0x0e,0xe7,0x9a,0x9c, 0x2e,0x95,0x18,0x9f,
+ 0xc8,0x45,0x0c,0x88, 0x9e,0x53,0x4f,0x3a,
+ 0x76,0xc1,0x35,0xfa, 0x17,0xd8,0xac,0xa0,
+ 0x0c,0x2d,0x47,0x2e, 0x4f,0x69,0x9b,0xf7,
+ 0xd0,0xb6,0x96,0x0c, 0x19,0xb3,0x08,0x01,
+ 0x65,0x7a,0x1f,0xc7, 0x31,0x86,0xdb,0xc8,
+ 0xc1,0x99,0x8f,0xf8, 0x08,0x4a,0x9d,0x23,
+ 0x22,0xa8,0xcf,0x27, 0x01,0x01,0x88,0x93,
+ 0x9c,0x86,0x45,0xbd, 0xe0,0x51,0xca,0x52,
+ 0x84,0xba,0xfe,0x03, 0xf7,0xda,0xc5,0xce,
+ 0x3e,0x77,0x75,0x86, 0xaf,0x84,0xc8,0x05,
+ 0x44,0x01,0x0f,0x02, 0xf3,0x58,0xb0,0x06,
+ 0x5a,0xd7,0x12,0x30, 0x8d,0xdf,0x1f,0x1f,
+ 0x0a,0xe6,0xd2,0xea, 0xf6,0x3a,0x7a,0x99,
+ 0x63,0xe8,0xd2,0xc1, 0x4a,0x45,0x8b,0x40,
+ 0x4d,0x0a,0xa9,0x76, 0x92,0xb3,0xda,0x87,
+ 0x36,0x33,0xf0,0x78, 0xc3,0x2f,0x5f,0x02,
+ 0x1a,0x6a,0x2c,0x32, 0xcd,0x76,0xbf,0xbd,
+ 0x5a,0x26,0x20,0x28, 0x8c,0x8c,0xbc,0x52,
+ 0x3d,0x0a,0xc9,0xcb, 0xab,0xa4,0x21,0xb0,
+ 0x54,0x40,0x81,0x44, 0xc7,0xd6,0x1c,0x11,
+ 0x44,0xc6,0x02,0x92, 0x14,0x5a,0xbf,0x1a,
+ 0x09,0x8a,0x18,0xad, 0xcd,0x64,0x3d,0x53,
+ 0x4a,0xb6,0xa5,0x1b, 0x57,0x0e,0xef,0xe0,
+ 0x8c,0x44,0x5f,0x7d, 0xbd,0x6c,0xfd,0x60,
+ 0xae,0x02,0x24,0xb6, 0x99,0xdd,0x8c,0xaf,
+ 0x59,0x39,0x75,0x3c, 0xd1,0x54,0x7b,0x86,
+ 0xcc,0x99,0xd9,0x28, 0x0c,0xb0,0x94,0x62,
+ 0xf9,0x51,0xd1,0x19, 0x96,0x2d,0x66,0xf5,
+ 0x55,0xcf,0x9e,0x59, 0xe2,0x6b,0x2c,0x08,
+ 0xc0,0x54,0x48,0x24, 0x45,0xc3,0x8c,0x73,
+ 0xea,0x27,0x6e,0x66, 0x7d,0x1d,0x0e,0x6e,
+ 0x13,0xe8,0x56,0x65, 0x3a,0xb0,0x81,0x5c,
+ 0xf0,0xe8,0xd8,0x00, 0x6b,0xcd,0x8f,0xad,
+ 0xdd,0x53,0xf3,0xa4, 0x6c,0x43,0xd6,0x31,
+ 0xaf,0xd2,0x76,0x1e, 0x91,0x12,0xdb,0x3c,
+ 0x8c,0xc2,0x81,0xf0, 0x49,0xdb,0xe2,0x6b,
+ 0x76,0x62,0x0a,0x04, 0xe4,0xaa,0x8a,0x7c,
+ 0x08,0x0b,0x5d,0xd0, 0xee,0x1d,0xfb,0xc4,
+ 0x02,0x75,0x42,0xd6, 0xba,0xa7,0x22,0xa8,
+ 0x47,0x29,0xb7,0x85, 0x6d,0x93,0x3a,0xdb,
+ 0x00,0x53,0x0b,0xa2, 0xeb,0xf8,0xfe,0x01,
+ 0x6f,0x8a,0x31,0xd6, 0x17,0x05,0x6f,0x67,
+ 0x88,0x95,0x32,0xfe, 0x4f,0xa6,0x4b,0xf8,
+ 0x03,0xe4,0xcd,0x9a, 0x18,0xe8,0x4e,0x2d,
+ 0xf7,0x97,0x9a,0x0c, 0x7d,0x9f,0x7e,0x44,
+ 0x69,0x51,0xe0,0x32, 0x6b,0x62,0x86,0x8f,
+ 0xa6,0x8e,0x0b,0x21, 0x96,0xe5,0xaf,0x77,
+ 0xc0,0x83,0xdf,0xa5, 0x0e,0xd0,0xa1,0x04,
+ 0xaf,0xc1,0x10,0xcb, 0x5a,0x40,0xe4,0xe3,
+ 0x38,0x7e,0x07,0xe8, 0x4d,0xfa,0xed,0xc5,
+ 0xf0,0x37,0xdf,0xbb, 0x8a,0xcf,0x3d,0xdc,
+ 0x61,0xd2,0xc6,0x2b, 0xff,0x07,0xc9,0x2f,
+ 0x0c,0x2d,0x5c,0x07, 0xa8,0x35,0x6a,0xfc,
+ 0xae,0x09,0x03,0x45, 0x74,0x51,0x4d,0xc4,
+ 0xb8,0x23,0x87,0x4a, 0x99,0x27,0x20,0x87,
+ 0x62,0x44,0x0a,0x4a, 0xce,0x78,0x47,0x22,
+ },
+ .mlen = 1024,
+ .m = {
+ 0x8e,0xb0,0x4c,0xde, 0x9c,0x4a,0x04,0x5a,
+ 0xf6,0xa9,0x7f,0x45, 0x25,0xa5,0x7b,0x3a,
+ 0xbc,0x4d,0x73,0x39, 0x81,0xb5,0xbd,0x3d,
+ 0x21,0x6f,0xd7,0x37, 0x50,0x3c,0x7b,0x28,
+ 0xd1,0x03,0x3a,0x17, 0xed,0x7b,0x7c,0x2a,
+ 0x16,0xbc,0xdf,0x19, 0x89,0x52,0x71,0x31,
+ 0xb6,0xc0,0xfd,0xb5, 0xd3,0xba,0x96,0x99,
+ 0xb6,0x34,0x0b,0xd0, 0x99,0x93,0xfc,0x1a,
+ 0x01,0x3c,0x85,0xc6, 0x9b,0x78,0x5c,0x8b,
+ 0xfe,0xae,0xd2,0xbf, 0xb2,0x6f,0xf9,0xed,
+ 0xc8,0x25,0x17,0xfe, 0x10,0x3b,0x7d,0xda,
+ 0xf4,0x8d,0x35,0x4b, 0x7c,0x7b,0x82,0xe7,
+ 0xc2,0xb3,0xee,0x60, 0x4a,0x03,0x86,0xc9,
+ 0x4e,0xb5,0xc4,0xbe, 0xd2,0xbd,0x66,0xf1,
+ 0x13,0xf1,0x09,0xab, 0x5d,0xca,0x63,0x1f,
+ 0xfc,0xfb,0x57,0x2a, 0xfc,0xca,0x66,0xd8,
+ 0x77,0x84,0x38,0x23, 0x1d,0xac,0xd3,0xb3,
+ 0x7a,0xad,0x4c,0x70, 0xfa,0x9c,0xc9,0x61,
+ 0xa6,0x1b,0xba,0x33, 0x4b,0x4e,0x33,0xec,
+ 0xa0,0xa1,0x64,0x39, 0x40,0x05,0x1c,0xc2,
+ 0x3f,0x49,0x9d,0xae, 0xf2,0xc5,0xf2,0xc5,
+ 0xfe,0xe8,0xf4,0xc2, 0xf9,0x96,0x2d,0x28,
+ 0x92,0x30,0x44,0xbc, 0xd2,0x7f,0xe1,0x6e,
+ 0x62,0x02,0x8f,0x3d, 0x1c,0x80,0xda,0x0e,
+ 0x6a,0x90,0x7e,0x75, 0xff,0xec,0x3e,0xc4,
+ 0xcd,0x16,0x34,0x3b, 0x05,0x6d,0x4d,0x20,
+ 0x1c,0x7b,0xf5,0x57, 0x4f,0xfa,0x3d,0xac,
+ 0xd0,0x13,0x55,0xe8, 0xb3,0xe1,0x1b,0x78,
+ 0x30,0xe6,0x9f,0x84, 0xd4,0x69,0xd1,0x08,
+ 0x12,0x77,0xa7,0x4a, 0xbd,0xc0,0xf2,0xd2,
+ 0x78,0xdd,0xa3,0x81, 0x12,0xcb,0x6c,0x14,
+ 0x90,0x61,0xe2,0x84, 0xc6,0x2b,0x16,0xcc,
+ 0x40,0x99,0x50,0x88, 0x01,0x09,0x64,0x4f,
+ 0x0a,0x80,0xbe,0x61, 0xae,0x46,0xc9,0x0a,
+ 0x5d,0xe0,0xfb,0x72, 0x7a,0x1a,0xdd,0x61,
+ 0x63,0x20,0x05,0xa0, 0x4a,0xf0,0x60,0x69,
+ 0x7f,0x92,0xbc,0xbf, 0x4e,0x39,0x4d,0xdd,
+ 0x74,0xd1,0xb7,0xc0, 0x5a,0x34,0xb7,0xae,
+ 0x76,0x65,0x2e,0xbc, 0x36,0xb9,0x04,0x95,
+ 0x42,0xe9,0x6f,0xca, 0x78,0xb3,0x72,0x07,
+ 0xa3,0xba,0x02,0x94, 0x67,0x4c,0xb1,0xd7,
+ 0xe9,0x30,0x0d,0xf0, 0x3b,0xb8,0x10,0x6d,
+ 0xea,0x2b,0x21,0xbf, 0x74,0x59,0x82,0x97,
+ 0x85,0xaa,0xf1,0xd7, 0x54,0x39,0xeb,0x05,
+ 0xbd,0xf3,0x40,0xa0, 0x97,0xe6,0x74,0xfe,
+ 0xb4,0x82,0x5b,0xb1, 0x36,0xcb,0xe8,0x0d,
+ 0xce,0x14,0xd9,0xdf, 0xf1,0x94,0x22,0xcd,
+ 0xd6,0x00,0xba,0x04, 0x4c,0x05,0x0c,0xc0,
+ 0xd1,0x5a,0xeb,0x52, 0xd5,0xa8,0x8e,0xc8,
+ 0x97,0xa1,0xaa,0xc1, 0xea,0xc1,0xbe,0x7c,
+ 0x36,0xb3,0x36,0xa0, 0xc6,0x76,0x66,0xc5,
+ 0xe2,0xaf,0xd6,0x5c, 0xe2,0xdb,0x2c,0xb3,
+ 0x6c,0xb9,0x99,0x7f, 0xff,0x9f,0x03,0x24,
+ 0xe1,0x51,0x44,0x66, 0xd8,0x0c,0x5d,0x7f,
+ 0x5c,0x85,0x22,0x2a, 0xcf,0x6d,0x79,0x28,
+ 0xab,0x98,0x01,0x72, 0xfe,0x80,0x87,0x5f,
+ 0x46,0xba,0xef,0x81, 0x24,0xee,0xbf,0xb0,
+ 0x24,0x74,0xa3,0x65, 0x97,0x12,0xc4,0xaf,
+ 0x8b,0xa0,0x39,0xda, 0x8a,0x7e,0x74,0x6e,
+ 0x1b,0x42,0xb4,0x44, 0x37,0xfc,0x59,0xfd,
+ 0x86,0xed,0xfb,0x8c, 0x66,0x33,0xda,0x63,
+ 0x75,0xeb,0xe1,0xa4, 0x85,0x4f,0x50,0x8f,
+ 0x83,0x66,0x0d,0xd3, 0x37,0xfa,0xe6,0x9c,
+ 0x4f,0x30,0x87,0x35, 0x18,0xe3,0x0b,0xb7,
+ 0x6e,0x64,0x54,0xcd, 0x70,0xb3,0xde,0x54,
+ 0xb7,0x1d,0xe6,0x4c, 0x4d,0x55,0x12,0x12,
+ 0xaf,0x5f,0x7f,0x5e, 0xee,0x9d,0xe8,0x8e,
+ 0x32,0x9d,0x4e,0x75, 0xeb,0xc6,0xdd,0xaa,
+ 0x48,0x82,0xa4,0x3f, 0x3c,0xd7,0xd3,0xa8,
+ 0x63,0x9e,0x64,0xfe, 0xe3,0x97,0x00,0x62,
+ 0xe5,0x40,0x5d,0xc3, 0xad,0x72,0xe1,0x28,
+ 0x18,0x50,0xb7,0x75, 0xef,0xcd,0x23,0xbf,
+ 0x3f,0xc0,0x51,0x36, 0xf8,0x41,0xc3,0x08,
+ 0xcb,0xf1,0x8d,0x38, 0x34,0xbd,0x48,0x45,
+ 0x75,0xed,0xbc,0x65, 0x7b,0xb5,0x0c,0x9b,
+ 0xd7,0x67,0x7d,0x27, 0xb4,0xc4,0x80,0xd7,
+ 0xa9,0xb9,0xc7,0x4a, 0x97,0xaa,0xda,0xc8,
+ 0x3c,0x74,0xcf,0x36, 0x8f,0xe4,0x41,0xe3,
+ 0xd4,0xd3,0x26,0xa7, 0xf3,0x23,0x9d,0x8f,
+ 0x6c,0x20,0x05,0x32, 0x3e,0xe0,0xc3,0xc8,
+ 0x56,0x3f,0xa7,0x09, 0xb7,0xfb,0xc7,0xf7,
+ 0xbe,0x2a,0xdd,0x0f, 0x06,0x7b,0x0d,0xdd,
+ 0xb0,0xb4,0x86,0x17, 0xfd,0xb9,0x04,0xe5,
+ 0xc0,0x64,0x5d,0xad, 0x2a,0x36,0x38,0xdb,
+ 0x24,0xaf,0x5b,0xff, 0xca,0xf9,0x41,0xe8,
+ 0xf9,0x2f,0x1e,0x5e, 0xf9,0xf5,0xd5,0xf2,
+ 0xb2,0x88,0xca,0xc9, 0xa1,0x31,0xe2,0xe8,
+ 0x10,0x95,0x65,0xbf, 0xf1,0x11,0x61,0x7a,
+ 0x30,0x1a,0x54,0x90, 0xea,0xd2,0x30,0xf6,
+ 0xa5,0xad,0x60,0xf9, 0x4d,0x84,0x21,0x1b,
+ 0xe4,0x42,0x22,0xc8, 0x12,0x4b,0xb0,0x58,
+ 0x3e,0x9c,0x2d,0x32, 0x95,0x0a,0x8e,0xb0,
+ 0x0a,0x7e,0x77,0x2f, 0xe8,0x97,0x31,0x6a,
+ 0xf5,0x59,0xb4,0x26, 0xe6,0x37,0x12,0xc9,
+ 0xcb,0xa0,0x58,0x33, 0x6f,0xd5,0x55,0x55,
+ 0x3c,0xa1,0x33,0xb1, 0x0b,0x7e,0x2e,0xb4,
+ 0x43,0x2a,0x84,0x39, 0xf0,0x9c,0xf4,0x69,
+ 0x4f,0x1e,0x79,0xa6, 0x15,0x1b,0x87,0xbb,
+ 0xdb,0x9b,0xe0,0xf1, 0x0b,0xba,0xe3,0x6e,
+ 0xcc,0x2f,0x49,0x19, 0x22,0x29,0xfc,0x71,
+ 0xbb,0x77,0x38,0x18, 0x61,0xaf,0x85,0x76,
+ 0xeb,0xd1,0x09,0xcc, 0x86,0x04,0x20,0x9a,
+ 0x66,0x53,0x2f,0x44, 0x8b,0xc6,0xa3,0xd2,
+ 0x5f,0xc7,0x79,0x82, 0x66,0xa8,0x6e,0x75,
+ 0x7d,0x94,0xd1,0x86, 0x75,0x0f,0xa5,0x4f,
+ 0x3c,0x7a,0x33,0xce, 0xd1,0x6e,0x9d,0x7b,
+ 0x1f,0x91,0x37,0xb8, 0x37,0x80,0xfb,0xe0,
+ 0x52,0x26,0xd0,0x9a, 0xd4,0x48,0x02,0x41,
+ 0x05,0xe3,0x5a,0x94, 0xf1,0x65,0x61,0x19,
+ 0xb8,0x88,0x4e,0x2b, 0xea,0xba,0x8b,0x58,
+ 0x8b,0x42,0x01,0x00, 0xa8,0xfe,0x00,0x5c,
+ 0xfe,0x1c,0xee,0x31, 0x15,0x69,0xfa,0xb3,
+ 0x9b,0x5f,0x22,0x8e, 0x0d,0x2c,0xe3,0xa5,
+ 0x21,0xb9,0x99,0x8a, 0x8e,0x94,0x5a,0xef,
+ 0x13,0x3e,0x99,0x96, 0x79,0x6e,0xd5,0x42,
+ 0x36,0x03,0xa9,0xe2, 0xca,0x65,0x4e,0x8a,
+ 0x8a,0x30,0xd2,0x7d, 0x74,0xe7,0xf0,0xaa,
+ 0x23,0x26,0xdd,0xcb, 0x82,0x39,0xfc,0x9d,
+ 0x51,0x76,0x21,0x80, 0xa2,0xbe,0x93,0x03,
+ 0x47,0xb0,0xc1,0xb6, 0xdc,0x63,0xfd,0x9f,
+ 0xca,0x9d,0xa5,0xca, 0x27,0x85,0xe2,0xd8,
+ 0x15,0x5b,0x7e,0x14, 0x7a,0xc4,0x89,0xcc,
+ 0x74,0x14,0x4b,0x46, 0xd2,0xce,0xac,0x39,
+ 0x6b,0x6a,0x5a,0xa4, 0x0e,0xe3,0x7b,0x15,
+ 0x94,0x4b,0x0f,0x74, 0xcb,0x0c,0x7f,0xa9,
+ 0xbe,0x09,0x39,0xa3, 0xdd,0x56,0x5c,0xc7,
+ 0x99,0x56,0x65,0x39, 0xf4,0x0b,0x7d,0x87,
+ 0xec,0xaa,0xe3,0x4d, 0x22,0x65,0x39,0x4e,
+ },
+ .h = {
+ 0x64,0x3a,0xbc,0xc3, 0x3f,0x74,0x40,0x51,
+ 0x6e,0x56,0x01,0x1a, 0x51,0xec,0x36,0xde,
+ },
+ },
+ };
+ const uint8_t *pk;
+ const uint8_t *nhk;
+ static uint32_t nhk32[268];
+ uint8_t h[16];
+ unsigned i, j;
+ int result = 0;
+
+ for (i = 0; i < __arraycount(C); i++) {
+ pk = C[i].k;
+ nhk = C[i].k + 16;
+ for (j = 0; j < 268; j++)
+ nhk32[j] = le32dec(nhk + 4*j);
+ nhpoly1305(h, C[i].m, C[i].mlen, pk, nhk32);
+ if (memcmp(h, C[i].h, 16)) {
+ char prefix[16];
+ snprintf(prefix, sizeof prefix, "nhpoly1305 %u", i);
+ hexdump(printf, prefix, h, 32);
+ result = -1;
+ }
+ }
+
+ return result;
+}
+
+/* ChaCha core */
+
+static uint32_t
+rol32(uint32_t u, unsigned c)
+{
+
+ return (u << c) | (u >> (32 - c));
+}
+
+#define CHACHA_QUARTERROUND(a, b, c, d) do { \
+ (a) += (b); (d) ^= (a); (d) = rol32((d), 16); \
+ (c) += (d); (b) ^= (c); (b) = rol32((b), 12); \
+ (a) += (b); (d) ^= (a); (d) = rol32((d), 8); \
+ (c) += (d); (b) ^= (c); (b) = rol32((b), 7); \
+} while (/*CONSTCOND*/0)
+
+const uint8_t chacha_const32[16] = "expand 32-byte k";
+
+static void
+chacha_core(uint8_t out[restrict static 64], const uint8_t in[static 16],
+ const uint8_t k[static 32], const uint8_t c[static 16], unsigned nr)
+{
+ uint32_t x0,x1,x2,x3,x4,x5,x6,x7,x8,x9,x10,x11,x12,x13,x14,x15;
+ uint32_t y0,y1,y2,y3,y4,y5,y6,y7,y8,y9,y10,y11,y12,y13,y14,y15;
+ int i;
+
+ x0 = y0 = le32dec(c + 0);
+ x1 = y1 = le32dec(c + 4);
+ x2 = y2 = le32dec(c + 8);
+ x3 = y3 = le32dec(c + 12);
+ x4 = y4 = le32dec(k + 0);
+ x5 = y5 = le32dec(k + 4);
+ x6 = y6 = le32dec(k + 8);
+ x7 = y7 = le32dec(k + 12);
+ x8 = y8 = le32dec(k + 16);
+ x9 = y9 = le32dec(k + 20);
+ x10 = y10 = le32dec(k + 24);
+ x11 = y11 = le32dec(k + 28);
+ x12 = y12 = le32dec(in + 0);
+ x13 = y13 = le32dec(in + 4);
+ x14 = y14 = le32dec(in + 8);
+ x15 = y15 = le32dec(in + 12);
+
+ for (i = nr; i > 0; i -= 2) {
+ CHACHA_QUARTERROUND( y0, y4, y8,y12);
+ CHACHA_QUARTERROUND( y1, y5, y9,y13);
+ CHACHA_QUARTERROUND( y2, y6,y10,y14);
+ CHACHA_QUARTERROUND( y3, y7,y11,y15);
+ CHACHA_QUARTERROUND( y0, y5,y10,y15);
+ CHACHA_QUARTERROUND( y1, y6,y11,y12);
+ CHACHA_QUARTERROUND( y2, y7, y8,y13);
+ CHACHA_QUARTERROUND( y3, y4, y9,y14);
+ }
+
+ le32enc(out + 0, x0 + y0);
+ le32enc(out + 4, x1 + y1);
+ le32enc(out + 8, x2 + y2);
+ le32enc(out + 12, x3 + y3);
+ le32enc(out + 16, x4 + y4);
+ le32enc(out + 20, x5 + y5);
+ le32enc(out + 24, x6 + y6);
+ le32enc(out + 28, x7 + y7);
+ le32enc(out + 32, x8 + y8);
+ le32enc(out + 36, x9 + y9);
+ le32enc(out + 40, x10 + y10);
+ le32enc(out + 44, x11 + y11);
+ le32enc(out + 48, x12 + y12);
+ le32enc(out + 52, x13 + y13);
+ le32enc(out + 56, x14 + y14);
+ le32enc(out + 60, x15 + y15);
+}
+
+/* https://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-00 */
+static int
+chacha_core_selftest(void)
+{
+ /* TC1, 32-byte key, rounds=12, keystream block 1 */
+ static const uint8_t zero[32];
+ static const uint8_t expected0[64] = {
+ 0x9b,0xf4,0x9a,0x6a, 0x07,0x55,0xf9,0x53,
+ 0x81,0x1f,0xce,0x12, 0x5f,0x26,0x83,0xd5,
+ 0x04,0x29,0xc3,0xbb, 0x49,0xe0,0x74,0x14,
+ 0x7e,0x00,0x89,0xa5, 0x2e,0xae,0x15,0x5f,
+ 0x05,0x64,0xf8,0x79, 0xd2,0x7a,0xe3,0xc0,
+ 0x2c,0xe8,0x28,0x34, 0xac,0xfa,0x8c,0x79,
+ 0x3a,0x62,0x9f,0x2c, 0xa0,0xde,0x69,0x19,
+ 0x61,0x0b,0xe8,0x2f, 0x41,0x13,0x26,0xbe,
+ };
+ /* TC7, 32-byte key, rounds=12, keystream block 2 */
+ static const uint8_t k1[32] = {
+ 0x00,0x11,0x22,0x33, 0x44,0x55,0x66,0x77,
+ 0x88,0x99,0xaa,0xbb, 0xcc,0xdd,0xee,0xff,
+ 0xff,0xee,0xdd,0xcc, 0xbb,0xaa,0x99,0x88,
+ 0x77,0x66,0x55,0x44, 0x33,0x22,0x11,0x00,
+ };
+ static const uint8_t in1[16] = {
+ 0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
+ 0x0f,0x1e,0x2d,0x3c, 0x4b,0x59,0x68,0x77,
+ };
+ static const uint8_t expected1[64] = {
+ 0xcd,0x9a,0x2a,0xa9, 0xea,0x93,0xc2,0x67,
+ 0x5e,0x82,0x88,0x14, 0x08,0xde,0x85,0x2c,
+ 0x62,0xfa,0x74,0x6a, 0x30,0xe5,0x2b,0x45,
+ 0xa2,0x69,0x62,0xcf, 0x43,0x51,0xe3,0x04,
+ 0xd3,0x13,0x20,0xbb, 0xd6,0xaa,0x6c,0xc8,
+ 0xf3,0x26,0x37,0xf9, 0x59,0x34,0xe4,0xc1,
+ 0x45,0xef,0xd5,0x62, 0x31,0xef,0x31,0x61,
+ 0x03,0x28,0x36,0xf4, 0x96,0x71,0x83,0x3e,
+ };
+ uint8_t out[64];
+ int result = 0;
+
+ chacha_core(out, zero, zero, chacha_const32, 12);
+ if (memcmp(out, expected0, 64)) {
+ hexdump(printf, "chacha core 1", out, sizeof out);
+ result = -1;
+ }
+
+ chacha_core(out, in1, k1, chacha_const32, 12);
+ if (memcmp(out, expected1, 64)) {
+ hexdump(printf, "chacha core 2", out, sizeof out);
+ result = -1;
+ }
+
+ return result;
+}
+
+/* HChaCha */
+
+static void
+hchacha(uint8_t out[restrict static 32], const uint8_t in[static 16],
+ const uint8_t k[static 32], const uint8_t c[static 16], unsigned nr)
+{
+ uint8_t t[64];
+
+ chacha_core(t, in, k, c, nr);
+ le32enc(out + 0, le32dec(t + 0) - le32dec(c + 0));
+ le32enc(out + 4, le32dec(t + 4) - le32dec(c + 4));
+ le32enc(out + 8, le32dec(t + 8) - le32dec(c + 8));
+ le32enc(out + 12, le32dec(t + 12) - le32dec(c + 12));
+ le32enc(out + 16, le32dec(t + 48) - le32dec(in + 0));
+ le32enc(out + 20, le32dec(t + 52) - le32dec(in + 4));
+ le32enc(out + 24, le32dec(t + 56) - le32dec(in + 8));
+ le32enc(out + 28, le32dec(t + 60) - le32dec(in + 12));
+}
+
+static int
+hchacha_selftest(void)
+{
+ /* https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-03, §2.2.1 */
+ static const uint8_t k[32] = {
+ 0x00,0x01,0x02,0x03, 0x04,0x05,0x06,0x07,
+ 0x08,0x09,0x0a,0x0b, 0x0c,0x0d,0x0e,0x0f,
+ 0x10,0x11,0x12,0x13, 0x14,0x15,0x16,0x17,
+ 0x18,0x19,0x1a,0x1b, 0x1c,0x1d,0x1e,0x1f,
+ };
+ static const uint8_t in[16] = {
+ 0x00,0x00,0x00,0x09, 0x00,0x00,0x00,0x4a,
+ 0x00,0x00,0x00,0x00, 0x31,0x41,0x59,0x27,
+ };
+ static const uint8_t expected[32] = {
+ 0x82,0x41,0x3b,0x42, 0x27,0xb2,0x7b,0xfe,
+ 0xd3,0x0e,0x42,0x50, 0x8a,0x87,0x7d,0x73,
+ 0xa0,0xf9,0xe4,0xd5, 0x8a,0x74,0xa8,0x53,
+ 0xc1,0x2e,0xc4,0x13, 0x26,0xd3,0xec,0xdc,
+ };
+ uint8_t out[32];
+ int result = 0;
+
+ hchacha(out, in, k, chacha_const32, 20);
+ if (memcmp(out, expected, 32)) {
+ hexdump(printf, "hchacha", out, sizeof out);
+ result = -1;
+ }
+
+ return result;
+}
+
+/* XChaCha */
+
+static void
+xchacha_xor(uint8_t *c, const uint8_t *p, size_t nbytes,
+ const uint8_t nonce[static 24], const uint8_t k[static 32], unsigned nr)
+{
+ uint8_t h[32];
+ uint8_t in[16];
+ uint8_t block[64];
+ unsigned i;
+
+ hchacha(h, nonce, k, chacha_const32, nr);
+ memset(in, 0, 8);
+ memcpy(in + 8, nonce + 16, 8);
+
+ for (; nbytes; nbytes -= i, c += i, p += i) {
+ chacha_core(block, in, h, chacha_const32, nr);
+ for (i = 0; i < MIN(nbytes, 64); i++)
+ c[i] = p[i] ^ block[i];
+ le32enc(in, 1 + le32dec(in));
+ }
+}
+
+static int
+xchacha_selftest(void)
+{
+ /* https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-03, A.2.2 */
+ static const uint8_t k[32] = {
+ 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87,
+ 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f,
+ 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97,
+ 0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f,
+ };
+ static const uint8_t nonce[24] = {
+ 0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47,
+ 0x48,0x49,0x4a,0x4b, 0x4c,0x4d,0x4e,0x4f,
+ 0x50,0x51,0x52,0x53, 0x54,0x55,0x56,0x58,
+ };
+ static const uint8_t p[128] = {
+ 0x54,0x68,0x65,0x20, 0x64,0x68,0x6f,0x6c,
+ 0x65,0x20,0x28,0x70, 0x72,0x6f,0x6e,0x6f,
+ 0x75,0x6e,0x63,0x65, 0x64,0x20,0x22,0x64,
+ 0x6f,0x6c,0x65,0x22, 0x29,0x20,0x69,0x73,
+ 0x20,0x61,0x6c,0x73, 0x6f,0x20,0x6b,0x6e,
+ 0x6f,0x77,0x6e,0x20, 0x61,0x73,0x20,0x74,
+ 0x68,0x65,0x20,0x41, 0x73,0x69,0x61,0x74,
+ 0x69,0x63,0x20,0x77, 0x69,0x6c,0x64,0x20,
+ 0x64,0x6f,0x67,0x2c, 0x20,0x72,0x65,0x64,
+ 0x20,0x64,0x6f,0x67, 0x2c,0x20,0x61,0x6e,
+ 0x64,0x20,0x77,0x68, 0x69,0x73,0x74,0x6c,
+ 0x69,0x6e,0x67,0x20, 0x64,0x6f,0x67,0x2e,
+ 0x20,0x49,0x74,0x20, 0x69,0x73,0x20,0x61,
+ 0x62,0x6f,0x75,0x74, 0x20,0x74,0x68,0x65,
+ 0x20,0x73,0x69,0x7a, 0x65,0x20,0x6f,0x66,
+ 0x20,0x61,0x20,0x47, 0x65,0x72,0x6d,0x61,
+ };
+ static const uint8_t expected[128] = {
+ 0x45,0x59,0xab,0xba, 0x4e,0x48,0xc1,0x61,
+ 0x02,0xe8,0xbb,0x2c, 0x05,0xe6,0x94,0x7f,
+ 0x50,0xa7,0x86,0xde, 0x16,0x2f,0x9b,0x0b,
+ 0x7e,0x59,0x2a,0x9b, 0x53,0xd0,0xd4,0xe9,
+ 0x8d,0x8d,0x64,0x10, 0xd5,0x40,0xa1,0xa6,
+ 0x37,0x5b,0x26,0xd8, 0x0d,0xac,0xe4,0xfa,
+ 0xb5,0x23,0x84,0xc7, 0x31,0xac,0xbf,0x16,
+ 0xa5,0x92,0x3c,0x0c, 0x48,0xd3,0x57,0x5d,
+ 0x4d,0x0d,0x2c,0x67, 0x3b,0x66,0x6f,0xaa,
+ 0x73,0x10,0x61,0x27, 0x77,0x01,0x09,0x3a,
+ 0x6b,0xf7,0xa1,0x58, 0xa8,0x86,0x42,0x92,
+ 0xa4,0x1c,0x48,0xe3, 0xa9,0xb4,0xc0,0xda,
+ 0xec,0xe0,0xf8,0xd9, 0x8d,0x0d,0x7e,0x05,
+ 0xb3,0x7a,0x30,0x7b, 0xbb,0x66,0x33,0x31,
+ 0x64,0xec,0x9e,0x1b, 0x24,0xea,0x0d,0x6c,
+ 0x3f,0xfd,0xdc,0xec, 0x4f,0x68,0xe7,0x44,
+ };
+ uint8_t c[128];
+ int result = 0;
+
+ xchacha_xor(c, p, 128, nonce, k, 20);
+ if (memcmp(c, expected, 128)) {
+ hexdump(printf, "xchacha", c, sizeof c);
+ result = -1;
+ }
+
+ return result;
+}
+
+void
+adiantum_init(struct adiantum *A, const uint8_t key[static 32])
+{
+ uint8_t nonce[24] = {1};
+ unsigned i;
+
+ memcpy(A->ks, key, 32);
+
+ /* Relies on ordering of struct members. */
+ memset(A->kk, 0, 32 + 16 + 16 + 1072);
+ xchacha_xor(A->kk, A->kk, 32 + 16 + 16 + 1072, nonce, A->ks, 12);
+
+ /* Put the NH key words into host byte order. */
+ for (i = 0; i < __arraycount(A->kn); i++)
+ A->kn[i] = le32toh(A->kn[i]);
+
+ /* Expand the AES key. */
+ aes_setenckey256(&A->kk_enc, A->kk);
+ aes_setdeckey256(&A->kk_dec, A->kk);
+}
+
+static void
+adiantum_hash(uint8_t h[static 16], const void *l, size_t llen,
+ const void *t, size_t tlen,
+ const uint8_t kt[static 16],
+ const uint8_t kl[static 16],
+ const uint32_t kn[static 268])
+{
+ const uint8_t *t8 = t;
+ struct poly1305 P;
+ uint8_t llenbuf[16];
+ uint8_t ht[16];
+ uint8_t hl[16];
+
+ KASSERT(llen % 16 == 0);
+
+ memset(llenbuf, 0, sizeof llenbuf);
+ le64enc(llenbuf, 8*llen);
+
+ /* Compute H_T := Poly1305_{K_T}(le128(|l|) || tweak). */
+ poly1305_init(&P, kt);
+ if (tlen == 0) {
+ poly1305_update_last(&P, llenbuf, 16);
+ } else {
+ poly1305_update_block(&P, llenbuf);
+ for (; tlen > 16; t8 += 16, tlen -= 16)
+ poly1305_update_block(&P, t8);
+ poly1305_update_last(&P, t8, tlen);
+ }
+ poly1305_final(ht, &P);
+
+ /* Compute H_L := Poly1305_{K_L}(NH(pad_128(l))). */
+ nhpoly1305(hl, l, llen, kl, kn);
+
+ /* Compute H := H_T + H_L (mod 2^128). */
+ add128(h, ht, hl);
+}
+
+void
+adiantum_enc(void *c, const void *p, size_t len, const void *t, size_t tlen,
+ const struct adiantum *A)
+{
+ size_t Rlen = 16;
+ size_t Llen = len - Rlen;
+ uint8_t *c8 = c;
+ uint8_t *cL = c8;
+ uint8_t *cR = c8 + Llen;
+ const uint8_t *p8 = p;
+ const uint8_t *pL = p8;
+ const uint8_t *pR = p8 + Llen;
+ uint8_t h[16];
+ uint8_t buf[16] __aligned(16);
+ uint8_t nonce[24];
+
+ KASSERT(len % 16 == 0);
+
+ aes_enc(&A->kk_enc, p, buf, AES_256_NROUNDS);
+
+ adiantum_hash(h, pL, Llen, t, tlen, A->kt, A->kl, A->kn);
+ add128(buf, pR, h); /* buf := P_M */
+ aes_enc(&A->kk_enc, buf, buf, AES_256_NROUNDS); /* buf := C_M */
+
+ memcpy(nonce, buf, 16);
+ le64enc(nonce + 16, 1);
+ xchacha_xor(cL, pL, Llen, nonce, A->ks, 12);
+
+ adiantum_hash(h, cL, Llen, t, tlen, A->kt, A->kl, A->kn);
+ sub128(cR, buf, h);
+
+ explicit_memset(h, 0, sizeof h);
+ explicit_memset(buf, 0, sizeof buf);
+}
+
+void
+adiantum_dec(void *p, const void *c, size_t len, const void *t, size_t tlen,
+ const struct adiantum *A)
+{
+ size_t Rlen = 16;
+ size_t Llen = len - Rlen;
+ const uint8_t *c8 = c;
+ const uint8_t *cL = c8;
+ const uint8_t *cR = c8 + Llen;
+ uint8_t *p8 = p;
+ uint8_t *pL = p8;
+ uint8_t *pR = p8 + Llen;
+ uint8_t h[16];
+ uint8_t buf[16] __aligned(16);
+ uint8_t nonce[24];
+
+ KASSERT(len % 16 == 0);
+
+ adiantum_hash(h, cL, Llen, t, tlen, A->kt, A->kl, A->kn);
+ add128(buf, cR, h); /* buf := P_M */
+
+ memcpy(nonce, buf, 16);
+ le64enc(nonce + 16, 1);
+ xchacha_xor(pL, cL, Llen, nonce, A->ks, 12);
+
+ aes_dec(&A->kk_dec, buf, buf, AES_256_NROUNDS); /* buf := P_M */
+ adiantum_hash(h, pL, Llen, t, tlen, A->kt, A->kl, A->kn);
+ sub128(pR, buf, h);
+
+ explicit_memset(h, 0, sizeof h);
+ explicit_memset(buf, 0, sizeof buf);
+}
+
+#ifdef _KERNEL
+
+MODULE(MODULE_CLASS_MISC, adiantum, "aes");
+
+static int
+adiantum_modcmd(modcmd_t cmd, void *opaque)
+{
+
+ switch (cmd) {
+ case MODULE_CMD_INIT: {
+ int result = 0;
+ result |= addsub128_selftest();
+ result |= poly1305_selftest();
+ result |= nh_selftest();
+ result |= nhpoly1305_selftest();
+ result |= chacha_core_selftest();
+ result |= hchacha_selftest();
+ result |= xchacha_selftest();
+ result |= adiantum_selftest();
+ if (result)
+ panic("adiantum self-tests failed");
+ return 0;
+ }
+ case MODULE_CMD_FINI:
+ return 0;
+ default:
+ return ENOTTY;
+ }
+}
+
+#else /* !defined(_KERNEL) */
+
+#include <err.h>
+#include <stdio.h>
+#include <unistd.h>
+
+static int
+read_block(int fd, void *buf, size_t len)
+{
+ char *p = buf;
+ size_t n = len;
+ ssize_t nread;
+
+ for (;;) {
+ if ((nread = read(fd, p, n)) == -1)
+ err(1, "read");
+ if (nread == 0) {
+ if (n < len)
+ errx(1, "partial block");
+ return -1; /* eof */
+ }
+ if ((size_t)nread >= n)
+ break;
+ p += (size_t)nread;
+ n -= (size_t)nread;
+ }
+
+ return 0;
+}
+
+static void
+write_block(int fd, const void *buf, size_t len)
+{
+ const char *p = buf;
+ size_t n = len;
+ ssize_t nwrit;
+
+ for (;;) {
+ if ((nwrit = write(fd, p, n)) == -1)
+ err(1, "write");
+ if ((size_t)nwrit >= n)
+ break;
+ p += (size_t)nwrit;
+ n -= (size_t)nwrit;
+ }
+}
+
+#define SECSIZE 512
+
+static void
+process(void)
+{
+ static const uint8_t k[32] = {0};
+ static uint8_t buf[65536];
+ static struct adiantum C;
+ uint8_t blkno[8] = {0};
+ unsigned i;
+
+ adiantum_init(&C, k);
+ while (read_block(STDIN_FILENO, buf, sizeof buf) == 0) {
+ for (i = 0; i < sizeof buf; i += SECSIZE) {
+ adiantum_enc(buf + i, buf + i, SECSIZE, blkno, 8, &C);
+ le64enc(blkno, 1 + le32dec(blkno));
+ }
+ write_block(STDOUT_FILENO, buf, sizeof buf);
+ if (le64dec(blkno) == 1024*1024*1024/SECSIZE)
+ return;
+ }
+}
+
+int
+main(void)
+{
+ int result = 0;
+
+ result |= addsub128_selftest();
+ result |= poly1305_selftest();
+ result |= nh_selftest();
+ result |= nhpoly1305_selftest();
+ result |= chacha_core_selftest();
+ result |= hchacha_selftest();
+ result |= xchacha_selftest();
+ result |= adiantum_selftest();
+ if (result)
+ return result;
+
+ process();
+ return 0;
+}
+
+#endif /* _KERNEL */
diff -r 36794fee0d04 -r 9fde04e138c1 sys/crypto/adiantum/adiantum_selftest.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/adiantum/adiantum_selftest.c Wed Jun 17 02:47:43 2020 +0000
@@ -0,0 +1,1835 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2020 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(1, "$NetBSD$");
+
+#include <sys/types.h>
+
+#ifdef _KERNEL
+
+#include <sys/systm.h>
+
+#include <lib/libkern/libkern.h>
+
+#else
+
+#include <string.h>
+#include <stdio.h>
+
+#include <openssl/aes.h>
+
+struct aesenc {
+ AES_KEY enckey;
+};
+
+struct aesdec {
+ AES_KEY deckey;
+};
+
+static void
+hexdump(int (*prf)(const char *, ...) __printflike(1,2), const char *prefix,
+ const void *buf, size_t len)
+{
+ const uint8_t *p = buf;
+ size_t i;
+
+ (*prf)("%s (%zu bytes)\n", prefix, len);
+ for (i = 0; i < len; i++) {
+ if (i % 16 == 8)
+ (*prf)(" ");
+ else
+ (*prf)(" ");
+ (*prf)("%02hhx", p[i]);
+ if ((i + 1) % 16 == 0)
+ (*prf)("\n");
+ }
+ if (i % 16)
+ (*prf)("\n");
+}
+
+#endif
+
+#include "adiantum.h"
+
+/* https://github.com/google/adiantum/blob/aab35db7bfb6e05d5ad0b41b5088a9f5a840bde3/test_vectors/ours/Adiantum/Adiantum_XChaCha12_32_AES256.json */
+
+int
+adiantum_selftest(void)
+{
+ static const struct {
+ uint8_t k[32];
+ unsigned tlen;
+ uint8_t t[64];
+ unsigned len;
+ uint8_t p[4096];
+ uint8_t c[4096];
+ } C[] = {
+ [0] = {
+ .k = {
+ 0x7f,0xc7,0x15,0x2a, 0xe1,0xf5,0xfd,0xa4,
+ 0x17,0x67,0x69,0xae, 0xc9,0x2b,0xba,0x82,
+ 0xa3,0x14,0xe7,0xcf, 0xad,0xfd,0x85,0x40,
+ 0xda,0x7b,0x7d,0x24, 0xbd,0xf1,0x7d,0x07,
+ },
+ .tlen = 0,
+ .len = 16,
+ .p = {
+ 0x9b,0xe3,0x82,0xc6, 0x5a,0xc1,0x9f,0xad,
+ 0x46,0x59,0xb8,0x0b, 0xac,0xc8,0x57,0xa0,
+ },
+ .c = {
+ 0x82,0x0a,0xe4,0x44, 0x77,0xdd,0x9a,0x18,
+ 0x6f,0x80,0x28,0x8b, 0x25,0x07,0x0e,0x85,
+ },
+ },
+ [1] = {
+ .k = {
+ 0x26,0x6a,0xf9,0x4a, 0x21,0x49,0x6b,0x4e,
+ 0x3e,0xff,0x43,0x46, 0x9c,0xc1,0xfa,0x72,
+ 0x0e,0x77,0x9a,0xd5, 0x37,0x47,0x00,0x38,
+ 0xb3,0x6f,0x58,0x6c, 0xde,0xc0,0xa6,0x74,
+ },
+ .tlen = 0,
+ .len = 128,
+ .p = {
+ 0xdd,0x07,0xfe,0x61, 0x97,0x0c,0x31,0x48,
+ 0x09,0xbf,0xdb,0x9b, 0x4b,0x7d,0x9c,0x80,
+ 0xe6,0x11,0xe5,0x76, 0x5b,0xcc,0x76,0xdf,
+ 0x34,0xd5,0x23,0xcd, 0xe1,0xdc,0x4e,0x4f,
+ 0x65,0x20,0x58,0x8e, 0xe8,0x2c,0xc2,0x64,
+ 0x32,0x83,0x7a,0xbf, 0xe1,0xca,0x0b,0x4b,
+ 0xc6,0xec,0x0d,0xc5, 0x4a,0xb6,0x9b,0xa5,
+ 0xc4,0x01,0x54,0xf5, 0xb5,0xfa,0x8f,0x58,
+ 0x45,0x72,0x28,0xd8, 0x55,0x21,0xa2,0x5c,
+ 0x7d,0xc8,0x0c,0x3c, 0x3c,0x99,0xc4,0x1a,
+ 0xc2,0xe7,0x1c,0x0c, 0x14,0x72,0x1d,0xf8,
+ 0x45,0xb7,0x9c,0x97, 0x07,0x04,0x9b,0x91,
+ 0x5e,0x95,0xef,0x5f, 0xe6,0xad,0xbd,0xbb,
+ 0xe7,0xd1,0x22,0xc3, 0x98,0x44,0x89,0x05,
+ 0xe8,0x63,0x0d,0x44, 0xcb,0x36,0xd5,0x43,
+ 0xcc,0x05,0x7c,0x31, 0xd3,0xbc,0x17,0x7f,
+ },
+ .c = {
+ 0xba,0xd3,0xbf,0xbf, 0xb2,0x4e,0x1a,0xfd,
+ 0x59,0xbe,0x9d,0x40, 0xe0,0x27,0x94,0xdd,
+ 0x5c,0x08,0x1c,0xa5, 0xd0,0x25,0x87,0xca,
+ 0x15,0x6a,0x35,0xe9, 0x8a,0x05,0x67,0x53,
+ 0x04,0x4d,0xdf,0x35, 0x07,0x19,0x25,0xa0,
+ 0x44,0x1a,0x5b,0xd6, 0x8b,0x0f,0xd3,0x36,
+ 0x8a,0x60,0x8c,0x6b, 0x53,0xdb,0x69,0xb0,
+ 0x37,0x69,0xb5,0x1b, 0x1f,0xf5,0xd5,0xab,
+ 0x47,0x3a,0x45,0xb2, 0x37,0x6c,0xc3,0xc1,
+ 0x1f,0xdb,0x74,0x6b, 0x1f,0x3b,0x2c,0x1a,
+ 0xee,0xff,0xe9,0x28, 0xfe,0xa3,0x49,0x96,
+ 0x7a,0xb3,0x68,0x4e, 0xb1,0xc4,0x85,0xdc,
+ 0x18,0x87,0xfd,0xbf, 0x84,0x39,0xb2,0x20,
+ 0x29,0x46,0x8a,0x3e, 0xa9,0xf9,0xcc,0x56,
+ 0x6b,0x2f,0x43,0x4a, 0x1b,0x48,0x6b,0xd6,
+ 0x03,0x1d,0x66,0xa1, 0x49,0xba,0xe9,0xf5,
+ },
+ },
+ [2] = {
+ .k = {
+ 0x7c,0xab,0xc4,0x63, 0xc0,0x40,0x5e,0xad,
+ 0x8f,0x02,0x5a,0xa9, 0xba,0x68,0x58,0xe3,
+ 0xb6,0xbb,0x03,0xc9, 0xe6,0x1e,0xe7,0xc3,
+ 0xd7,0x2c,0xf7,0x7a, 0xf7,0x2c,0xd1,0x07,
+ },
+ .tlen = 0,
+ .len = 512,
+ .p = {
+ 0x4f,0xc9,0x8f,0xa7, 0x81,0x81,0x3a,0xb7,
+ 0x3c,0x55,0x8f,0x8f, 0x18,0xc4,0x7a,0xd2,
+ 0x13,0x70,0x94,0x0f, 0x46,0xb2,0x0f,0x53,
+ 0xde,0xdf,0x06,0xf8, 0x60,0x34,0xad,0x39,
+ 0xe9,0x47,0x23,0x31, 0x94,0xf3,0x59,0x88,
+ 0x96,0x14,0x52,0x3b, 0x88,0xb7,0x55,0xe9,
+ 0x4a,0xbc,0x41,0xea, 0x24,0x03,0x35,0x78,
+ 0xb7,0x4b,0x9f,0x8b, 0xe4,0x36,0x77,0x0a,
+ 0x70,0x19,0x90,0x9b, 0xb1,0x70,0x27,0x23,
+ 0x31,0xd9,0xe5,0x26, 0x36,0x71,0x06,0xc7,
+ 0xd3,0xb1,0xb8,0x52, 0x6a,0xe1,0x95,0x86,
+ 0x76,0xc3,0x02,0x2c, 0xd2,0xe7,0xc2,0x1c,
+ 0x6f,0xcb,0x61,0x56, 0xfc,0x5e,0xf2,0x57,
+ 0x90,0x46,0xfb,0x6a, 0xc1,0x5e,0x56,0x5b,
+ 0x18,0x8d,0x0e,0x4f, 0x4e,0x14,0x4c,0x6d,
+ 0x97,0xf9,0x73,0xed, 0xc5,0x41,0x94,0x24,
+ 0xaa,0x35,0x2f,0x01, 0xef,0x8f,0xb2,0xfd,
+ 0xc2,0xc7,0x8b,0x9c, 0x9b,0x10,0x89,0xec,
+ 0x64,0xbb,0x54,0xa5, 0x01,0xdc,0x51,0x57,
+ 0xc8,0x5a,0x03,0xcb, 0x91,0x73,0xb2,0x08,
+ 0xc3,0xcc,0x3c,0x1b, 0xae,0x3e,0x0f,0xf3,
+ 0x93,0xb9,0xc3,0x27, 0xd7,0x88,0x66,0xa2,
+ 0x40,0xf9,0xfd,0x02, 0x61,0xe1,0x2b,0x5d,
+ 0xc9,0xe8,0xd6,0xac, 0xf0,0xd0,0xe3,0x79,
+ 0x94,0xff,0x50,0x09, 0x4e,0x68,0xe8,0x5e,
+ 0x3f,0x58,0xc8,0xb8, 0x0f,0xd7,0xc2,0x2d,
+ 0x91,0x3e,0x47,0x10, 0x50,0x98,0xa6,0xf9,
+ 0x37,0xd6,0x90,0xed, 0xb7,0x5e,0x3a,0xd0,
+ 0xd7,0x50,0xc4,0x69, 0xe6,0x29,0xb8,0x9a,
+ 0xc1,0x5c,0x2b,0x34, 0x6d,0x44,0x58,0xd6,
+ 0xd4,0x7e,0xe2,0x42, 0x67,0x45,0xe5,0x64,
+ 0x48,0xac,0x00,0xe9, 0xb6,0xd0,0xc3,0xc5,
+ 0x5d,0x9e,0x95,0x4e, 0x10,0x18,0x29,0x86,
+ 0xaa,0x37,0xa3,0x3c, 0xe1,0xd6,0x5d,0x6d,
+ 0x4a,0xca,0xc3,0xe2, 0x25,0xb7,0x49,0x4a,
+ 0x36,0x67,0xc0,0xe1, 0x02,0x45,0xcc,0xd4,
+ 0x11,0x37,0x11,0x8e, 0x54,0xf5,0xea,0x80,
+ 0x04,0x72,0x06,0x36, 0x8f,0xf9,0x1e,0xed,
+ 0x91,0x14,0x9d,0x42, 0x59,0xc1,0x87,0xb8,
+ 0xf1,0xce,0xb2,0x17, 0x42,0xa1,0x2f,0x96,
+ 0xa3,0x50,0xe9,0x01, 0x24,0x9e,0xe5,0xbb,
+ 0x97,0x83,0x31,0x12, 0xa8,0x7c,0xca,0x7b,
+ 0x90,0x33,0xad,0x1c, 0x99,0x81,0x1a,0xb8,
+ 0xa1,0xe0,0xf1,0x5a, 0xbc,0x08,0xde,0xab,
+ 0x69,0x0a,0x89,0xa0, 0x9f,0x02,0x5e,0x3a,
+ 0xf3,0xba,0xb9,0x6e, 0x34,0xdf,0x15,0x13,
+ 0x64,0x51,0xa9,0x55, 0x67,0xa3,0xba,0x6b,
+ 0x35,0xb0,0x8a,0x05, 0xf5,0x79,0x84,0x97,
+ 0x92,0x8e,0x11,0xeb, 0xef,0xec,0x65,0xb5,
+ 0xe6,0x42,0xfb,0x06, 0x33,0x93,0x6b,0xff,
+ 0xc2,0x49,0x15,0x71, 0xb0,0xca,0x62,0xd1,
+ 0x81,0x40,0xd2,0xab, 0x0b,0x7d,0x7e,0x1a,
+ 0xe9,0xec,0xfc,0xde, 0xdb,0xd5,0xa7,0x56,
+ 0x83,0x25,0x0e,0x5e, 0xac,0x0c,0x42,0x26,
+ 0x00,0x59,0x55,0x17, 0x8b,0x5a,0x03,0x7b,
+ 0x85,0xe9,0xc1,0xa3, 0xe4,0xeb,0xd3,0xde,
+ 0xd8,0x81,0xf5,0x31, 0x2c,0xda,0x21,0xbc,
+ 0xb5,0xd9,0x7a,0xd0, 0x1e,0x2a,0x6b,0xcf,
+ 0xad,0x06,0x3c,0xf2, 0xf7,0x5c,0x3a,0xf1,
+ 0xa7,0x0f,0x5f,0x53, 0xe9,0x3f,0x3c,0xf1,
+ 0xb7,0x47,0x53,0x16, 0x19,0xd9,0xef,0xf0,
+ 0xcb,0x16,0xe4,0xc9, 0xa3,0x8f,0xd6,0x3f,
+ 0xf8,0xb2,0x22,0x65, 0xf9,0xa1,0xa3,0x03,
+ 0xe4,0x06,0x75,0x69, 0xf5,0x32,0x48,0x80,
+ },
+ .c = {
+ 0x66,0x3f,0xf7,0x7a, 0x20,0xa4,0x35,0xd6,
+ 0x0e,0xe8,0x17,0x32, 0x84,0xae,0xee,0x18,
+ 0x0f,0x64,0x83,0x66, 0xa4,0xf4,0x24,0x53,
+ 0xe6,0x58,0x2e,0xd5, 0x61,0x58,0xdd,0x5f,
+ 0x1d,0xb9,0xba,0x34, 0xd0,0xd3,0x64,0xde,
+ 0x99,0x47,0x92,0x3a, 0x26,0x90,0xbb,0x98,
+ 0xb0,0xbd,0xf4,0x5e, 0x26,0x57,0xe0,0xe1,
+ 0x09,0x27,0xc1,0xc4, 0x86,0x2b,0x4b,0x48,
+ 0xbb,0xcd,0xec,0x2f, 0xd1,0x54,0xe9,0x21,
+ 0xa0,0x40,0x76,0x01, 0x2d,0xb1,0xe7,0x75,
+ 0xa1,0xd7,0x04,0x23, 0x9d,0xd3,0x0f,0x3b,
+ 0x7e,0xb8,0xd0,0x37, 0xe4,0xd9,0x48,0xaa,
+ 0xe1,0x4d,0x0f,0xf6, 0xae,0x29,0x20,0xae,
+ 0xda,0x35,0x18,0x97, 0x2c,0xc2,0xa9,0xdd,
+ 0x6e,0x50,0x73,0x52, 0x0a,0x8a,0x2a,0xd2,
+ 0x2a,0xf4,0x12,0xe9, 0x7d,0x88,0x37,0xae,
+ 0x12,0x81,0x92,0x96, 0xbe,0xea,0x15,0xa4,
+ 0x3c,0x53,0xad,0x1f, 0x75,0x54,0x24,0x81,
+ 0xaa,0x1b,0x92,0x84, 0x7c,0xb2,0xd7,0x10,
+ 0x5e,0xb6,0xab,0x83, 0x25,0xf7,0x03,0x2b,
+ 0xd9,0x53,0x4d,0xf9, 0x41,0x21,0xef,0xef,
+ 0x40,0x3a,0x2d,0x54, 0xa9,0xf0,0x72,0xff,
+ 0x03,0x59,0x2e,0x91, 0x07,0xff,0xe2,0x86,
+ 0x33,0x59,0x98,0xdf, 0xa4,0x7d,0x9e,0x52,
+ 0x95,0xd9,0x77,0x4b, 0xdf,0x93,0xc8,0x2d,
+ 0xbc,0x81,0x2b,0x77, 0x89,0xae,0x52,0xdc,
+ 0xfc,0xb7,0x22,0xf0, 0x1a,0x9d,0xc1,0x28,
+ 0x70,0xe2,0x15,0xe4, 0x77,0x11,0x49,0x09,
+ 0x89,0xf4,0x06,0x00, 0x64,0x78,0xb6,0x3f,
+ 0x63,0x36,0xfd,0x9f, 0x35,0x33,0x85,0x52,
+ 0x18,0x26,0xc1,0x0d, 0xf7,0xab,0x5a,0x06,
+ 0x9c,0x3a,0xab,0x5f, 0x81,0x36,0x39,0xe3,
+ 0xe6,0xf7,0x33,0xb0, 0xec,0xe6,0x8d,0x05,
+ 0xbd,0xc7,0xbd,0x20, 0x5f,0x74,0xdf,0x98,
+ 0x3a,0xa9,0xde,0xae, 0x89,0xee,0xcc,0x60,
+ 0x8b,0x23,0xed,0x0f, 0x55,0x4d,0x56,0xd2,
+ 0x69,0xa5,0xf8,0xff, 0x94,0x62,0x99,0xc6,
+ 0xd4,0x02,0x0b,0xcf, 0xe4,0x86,0x23,0x5e,
+ 0xed,0x12,0x12,0x2e, 0x0a,0x0f,0xda,0x12,
+ 0x0a,0x68,0x56,0xea, 0x16,0x92,0xa5,0xdb,
+ 0xf5,0x9d,0x0e,0xe6, 0x39,0x5d,0x76,0x50,
+ 0x41,0x85,0xb4,0xcc, 0xb3,0x9e,0x84,0x46,
+ 0xd3,0x93,0xcf,0xa1, 0xee,0x5b,0x51,0x94,
+ 0x05,0x46,0x16,0xbb, 0xd1,0xae,0x94,0xe4,
+ 0x1c,0x3d,0xeb,0xf4, 0x09,0x00,0xf7,0x86,
+ 0x57,0x60,0x49,0x94, 0xf5,0xa7,0x7e,0x4b,
+ 0x32,0x4a,0x6a,0xae, 0x2c,0x5f,0x30,0x2d,
+ 0x7c,0xa1,0x71,0x5e, 0x63,0x7a,0x70,0x56,
+ 0x1f,0xaf,0x3e,0xf3, 0x46,0xb5,0x68,0x61,
+ 0xe2,0xd4,0x16,0x6b, 0xaf,0x94,0x07,0xa9,
+ 0x5d,0x7a,0xee,0x4c, 0xad,0x85,0xcc,0x3e,
+ 0x99,0xf3,0xfa,0x21, 0xab,0x9d,0x12,0xdf,
+ 0x33,0x32,0x23,0x68, 0x96,0x8f,0x8f,0x78,
+ 0xb3,0x63,0xa0,0x83, 0x16,0x06,0x64,0xbd,
+ 0xea,0x1f,0x69,0x73, 0x9c,0x54,0xe1,0x60,
+ 0xe8,0x98,0xc9,0x94, 0xe9,0xdf,0x0c,0xee,
+ 0xf4,0x38,0x1e,0x9f, 0x26,0xda,0x3f,0x4c,
+ 0xfd,0x6d,0xf5,0xee, 0x75,0x91,0x7c,0x4f,
+ 0x4d,0xc2,0xe8,0x1a, 0x7b,0x1b,0xa9,0x52,
+ 0x1e,0x24,0x22,0x5a, 0x73,0xa5,0x10,0xa2,
+ 0x37,0x39,0x1e,0xd2, 0xf7,0xe0,0xab,0x77,
+ 0xb7,0x93,0x5d,0x30, 0xd2,0x5a,0x33,0xf4,
+ 0x63,0x98,0xe8,0x6d, 0x3f,0x34,0x4a,0xb9,
+ 0x44,0x57,0x39,0xe7, 0xa9,0xdd,0xac,0x91,
+ },
+ },
+ [3] = {
+ .k = {
+ 0xac,0x95,0xec,0x00, 0xa5,0x57,0x8e,0x99,
+ 0x14,0x54,0x95,0x60, 0xdc,0xae,0x56,0x66,
+ 0x03,0x22,0xa1,0x55, 0xbf,0xa5,0x2b,0x1c,
+ 0x02,0xc9,0x0c,0x2f, 0xa1,0x5d,0x1b,0x84,
+ },
+ .tlen = 0,
+ .len = 1536,
+ .p = {
+ 0xd2,0x80,0x06,0x95, 0xcd,0xe1,0x71,0x2c,
+ 0xcf,0x89,0xa6,0xc7, 0x8b,0xa7,0xe3,0xcb,
+ 0x66,0x3e,0x6b,0x58, 0x2a,0x20,0xd1,0xc4,
+ 0x07,0xd6,0x3b,0x03, 0xdc,0x26,0xda,0x1b,
+ 0xe0,0x51,0xd5,0x1c, 0x4c,0xed,0xd0,0xf5,
+ 0xe2,0x7f,0x89,0xe8, 0x3d,0x41,0x1a,0xa0,
+ 0xb1,0xed,0x61,0xa8, 0xc7,0x0a,0xe8,0x69,
+ 0x4d,0xb8,0x18,0x81, 0x6c,0x76,0x67,0x83,
+ 0x8a,0x47,0xa2,0x4b, 0xfb,0xfd,0x6f,0x65,
+ 0x88,0xa8,0xf6,0x6d, 0x9f,0x71,0x6e,0x33,
+ 0x4f,0x82,0xee,0x8f, 0x38,0x5c,0xe4,0x9b,
+ 0x45,0x29,0xca,0xda, 0x9b,0x5d,0x65,0x06,
+ 0xab,0xf5,0x86,0x28, 0x8c,0x3e,0x20,0x38,
+ 0x1a,0x4c,0xb2,0xd9, 0x1f,0xc0,0x10,0x59,
+ 0x6b,0x2c,0xb5,0x41, 0x41,0xc5,0xd9,0xb7,
+ 0x4f,0xc3,0x36,0x08, 0xd4,0xdc,0xff,0x57,
+ 0xd7,0x97,0x77,0x45, 0xc4,0x28,0x93,0x2c,
+ 0xbe,0xdc,0xae,0x1d, 0x18,0xc8,0xfa,0x9a,
+ 0xd4,0x41,0x2e,0x5a, 0x26,0x03,0xae,0x7a,
+ 0xb2,0x6a,0xc0,0x0c, 0xb6,0x3e,0xf0,0x73,
+ 0x36,0xed,0xea,0xc1, 0xae,0x9d,0xc9,0xa1,
+ 0x85,0x4c,0x57,0x14, 0xb0,0xf3,0xf8,0x4e,
+ 0x91,0x99,0x06,0x65, 0x17,0x66,0xc2,0x9a,
+ 0x7a,0x4f,0x39,0x77, 0x32,0x44,0xc8,0x3f,
+ 0xe2,0x3c,0xc2,0x31, 0x0b,0x40,0x84,0xee,
+ 0xa1,0xeb,0xc6,0xc2, 0xb4,0x48,0xe6,0x09,
+ 0xc5,0xf5,0x3d,0x96, 0x90,0xa2,0x1d,0xf2,
+ 0x89,0x26,0x9f,0x10, 0x49,0x30,0x0f,0xe1,
+ 0x5e,0xca,0x1c,0x3f, 0x82,0xda,0xcb,0x8d,
+ 0x91,0x6d,0x08,0x96, 0x9e,0x57,0x88,0x16,
+ 0xee,0xa7,0x9e,0xe8, 0x1b,0xc1,0x63,0xb0,
+ 0x57,0xfa,0xfd,0x56, 0x49,0xec,0x51,0x1d,
+ 0x34,0x2e,0xc6,0xda, 0xc0,0x1d,0x02,0x3e,
+ 0x52,0xaf,0x44,0x24, 0xc6,0x80,0x12,0x64,
+ 0xbe,0x44,0xa8,0x46, 0xb5,0x8d,0x80,0xfd,
+ 0x95,0x4a,0xeb,0x3d, 0x4f,0x85,0x1f,0x1c,
+ 0xa4,0x3f,0x5c,0x0c, 0x71,0xed,0x96,0x41,
+ 0xde,0xb0,0xbd,0x08, 0xf3,0x4d,0x37,0xd2,
+ 0xb1,0x4f,0x71,0x04, 0xf1,0x14,0x66,0x4a,
+ 0x59,0x73,0xdc,0x98, 0x5b,0x61,0x56,0xfd,
+ 0x50,0xe5,0x76,0xd9, 0x6a,0x9f,0x30,0x82,
+ 0x6f,0xdf,0x6e,0x7b, 0x91,0xc2,0x5e,0x4f,
+ 0x74,0x92,0x92,0xb8, 0x24,0xd3,0x30,0x21,
+ 0x5d,0x4b,0xb1,0x01, 0xf7,0x62,0x27,0x94,
+ 0xb3,0x88,0x86,0x75, 0xe8,0xab,0xe8,0x42,
+ 0x50,0x15,0xb7,0xde, 0xc0,0xc4,0x8d,0x4e,
+ 0x08,0x17,0xcb,0xf9, 0x4a,0x2e,0xe3,0x69,
+ 0xbd,0xe7,0xdb,0xd1, 0xf1,0xfa,0x47,0xed,
+ 0x78,0xa9,0x26,0xf0, 0xd1,0xbb,0x02,0xa1,
+ 0x07,0x5c,0x1f,0xe8, 0x2f,0x52,0xd8,0x95,
+ 0xd7,0xa9,0x2b,0x79, 0x77,0xf4,0xee,0xee,
+ 0xbc,0x1f,0xaa,0x46, 0xe7,0x66,0x75,0xb1,
+ 0x43,0x01,0x35,0xac, 0xc6,0x85,0xad,0x44,
+ 0x23,0x59,0x50,0x0b, 0x39,0x47,0x51,0x54,
+ 0x68,0x92,0x89,0x00, 0x08,0xa3,0xaa,0x24,
+ 0x03,0x3f,0xf6,0xab, 0x19,0x42,0xff,0x0c,
+ 0xc5,0xa3,0x96,0xcb, 0xd9,0x6d,0xa0,0xcc,
+ 0x24,0x9e,0x71,0xb1, 0x87,0x95,0x7a,0x2e,
+ 0x31,0x5e,0x17,0x26, 0x5a,0x1b,0xa1,0x33,
+ 0x10,0x3f,0xd7,0xce, 0xa0,0xd9,0xbc,0xd8,
+ 0x72,0xbe,0x75,0xc4, 0x78,0x3b,0x67,0xf5,
+ 0xc3,0x82,0x2d,0x21, 0x49,0x74,0x2e,0xd5,
+ 0x63,0xaa,0xa2,0x54, 0xc5,0xe2,0x98,0x82,
+ 0x39,0xd9,0xda,0x14, 0x3c,0x75,0x18,0xc8,
+ 0x75,0x6a,0xa1,0x7d, 0xfa,0x72,0x0f,0x9b,
+ 0x5a,0xb3,0x7c,0x15, 0xc2,0xa5,0x6d,0x98,
+ 0x02,0x6c,0xa2,0x26, 0xaa,0xc0,0x69,0xc5,
+ 0xa7,0xa2,0xca,0xf5, 0xf3,0x8c,0x80,0x4e,
+ 0x7e,0x47,0xc9,0x87, 0x47,0x36,0xd6,0xc6,
+ 0xe8,0x49,0xb5,0x97, 0xa8,0xdc,0x4a,0x55,
+ 0x6f,0x02,0x79,0x83, 0xe4,0x7c,0x4c,0x69,
+ 0xa6,0x4d,0x4f,0x8a, 0x48,0x18,0x00,0xf9,
+ 0xad,0xd1,0xb2,0xca, 0xc4,0x50,0x47,0x21,
+ 0x4e,0xa7,0xce,0x6e, 0xdf,0xbd,0x2a,0x4d,
+ 0xca,0x13,0x33,0xde, 0xa2,0x30,0xe1,0x03,
+ 0xcd,0x2c,0x74,0xd3, 0x30,0x0d,0x61,0xe6,
+ 0x9d,0xf3,0x09,0xc5, 0x27,0x99,0x0e,0x23,
+ 0xbc,0x21,0xdb,0xdb, 0xeb,0x77,0xea,0xd4,
+ 0x4b,0xbf,0x9b,0x49, 0x30,0xd4,0xc2,0xe7,
+ 0x5e,0x85,0xe8,0xb6, 0xa5,0xe3,0x4e,0x64,
+ 0xf0,0x45,0x95,0x04, 0x9a,0xed,0xaa,0x4d,
+ 0xbd,0x5e,0x03,0x9f, 0xd4,0x2b,0xae,0x14,
+ 0x1a,0x3d,0x49,0x92, 0xd6,0x6f,0x64,0xc7,
+ 0xca,0x18,0x32,0x16, 0xf6,0x07,0x00,0x22,
+ 0xfd,0xe1,0x45,0xe6, 0x19,0x24,0x5b,0x6e,
+ 0xd3,0x67,0xf2,0x60, 0x36,0xf5,0x22,0xeb,
+ 0x5f,0x42,0xba,0x70, 0x38,0xfc,0x98,0x96,
+ 0x58,0x72,0xbf,0x13, 0x60,0xcc,0x32,0x45,
+ 0x8d,0x00,0x44,0x60, 0xaf,0x7a,0x19,0xd6,
+ 0xc0,0x14,0x33,0x96, 0xf3,0x33,0xc3,0xa8,
+ 0x34,0x77,0x69,0x0c, 0x50,0xe5,0xfc,0x1b,
+ 0x42,0x39,0x96,0x24, 0x3a,0x3a,0x47,0x0e,
+ 0x27,0x66,0xa8,0x18, 0x50,0xdf,0x6d,0xa7,
+ 0xad,0x4f,0xe5,0x88, 0x79,0xea,0x30,0xe2,
+ 0xcd,0x27,0x05,0x36, 0x0c,0x3c,0x97,0x12,
+ 0x69,0xa6,0xc0,0xa2, 0xa7,0x58,0x82,0x20,
+ 0x68,0xfc,0xd0,0x81, 0x49,0xc0,0xcf,0xba,
+ 0x90,0xe1,0x03,0xce, 0x70,0xd6,0x94,0x1a,
+ 0xc0,0x22,0x3b,0xdc, 0x7f,0x63,0x6b,0xc4,
+ 0x91,0xc2,0x21,0xdc, 0x84,0x42,0x80,0x04,
+ 0x6f,0x14,0xc3,0x2c, 0x79,0x49,0x3c,0xb1,
+ 0x5f,0xc7,0x69,0x4a, 0x4f,0xf5,0xd5,0x4b,
+ 0x7c,0xe7,0x83,0x79, 0x30,0xff,0x74,0xe0,
+ 0xf7,0xd3,0x6c,0x95, 0xef,0x77,0xe8,0x7b,
+ 0x1f,0x54,0xad,0xc7, 0x4b,0xe8,0x5a,0x37,
+ 0xd7,0xe9,0xfe,0xcb, 0x11,0x7b,0x54,0xb8,
+ 0xd2,0xc7,0x80,0x1d, 0x80,0x17,0xdd,0x21,
+ 0xa6,0xed,0x20,0x2c, 0x8a,0xa1,0x0b,0x3a,
+ 0x08,0xde,0x34,0xe4, 0xa0,0xff,0x68,0xfa,
+ 0x4a,0x01,0xcc,0x4f, 0x57,0x5f,0x84,0x95,
+ 0x88,0xe2,0x7f,0xb7, 0x5d,0x35,0x36,0xe2,
+ 0xa1,0xca,0xc0,0x9b, 0x4a,0xb0,0x6f,0x35,
+ 0xef,0x08,0xd7,0x5a, 0xec,0x4f,0x97,0x20,
+ 0x92,0x2a,0x63,0x1d, 0x15,0x07,0x73,0x1f,
+ 0x97,0xcf,0x28,0x41, 0x65,0x0d,0x41,0xee,
+ 0xca,0xd8,0x90,0x65, 0xaa,0x3d,0x04,0x7f,
+ 0x35,0x4b,0x9e,0xe9, 0x96,0xa9,0x61,0xcb,
+ 0x43,0xc9,0xfa,0x1d, 0xc8,0x85,0x40,0x64,
+ 0x88,0x89,0xea,0xb5, 0xf7,0xe5,0xe4,0xfe,
+ 0xaf,0x8e,0x52,0xf9, 0x7e,0x7d,0x83,0x92,
+ 0x90,0x51,0x4c,0xf0, 0x49,0x52,0x5e,0x56,
+ 0xc9,0xb7,0x4c,0xca, 0x57,0x01,0x3d,0x28,
+ 0xe2,0x7d,0xaa,0x96, 0xd7,0xad,0xad,0xd9,
+ 0xd5,0x1a,0xd5,0xc2, 0xd0,0x5a,0xd3,0x7a,
+ 0x9a,0x91,0xa0,0xb8, 0x6f,0x28,0xff,0xa0,
+ 0x1c,0x1d,0xf1,0x5e, 0x45,0x53,0x3f,0x85,
+ 0x1b,0xc2,0x76,0x51, 0xbf,0x25,0x02,0xf7,
+ 0x10,0xde,0xb7,0x1a, 0x04,0x6c,0x9a,0xeb,
+ 0xb9,0x4b,0x67,0xfb, 0xa1,0x5b,0xa8,0x02,
+ 0x01,0x1f,0x38,0xa9, 0x9d,0x96,0x50,0x07,
+ 0xef,0xa7,0xc3,0xb4, 0x0f,0xcd,0x1b,0x9f,
+ 0xd2,0x08,0x87,0xca, 0xd5,0x65,0x1a,0x5e,
+ 0x1a,0xff,0x97,0xb0, 0x4b,0x43,0x67,0x51,
+ 0x22,0xfd,0x49,0xcd, 0x54,0x2f,0xf8,0x9b,
+ 0xed,0x46,0x7e,0x00, 0x5b,0x67,0x06,0xeb,
+ 0xb7,0x4d,0x1c,0x72, 0x74,0xdd,0xbd,0xb1,
+ 0x71,0x0a,0x28,0xc7, 0x7b,0xa8,0x12,0xac,
+ 0x58,0x53,0xa4,0xfb, 0x41,0x74,0xb4,0x52,
+ 0x95,0x99,0xf6,0x38, 0x53,0xff,0x2d,0x26,
+ 0xef,0x12,0x91,0xc6, 0x52,0xe1,0xa9,0x50,
+ 0xfa,0x8e,0x2e,0x82, 0x8b,0x4f,0xb7,0xad,
+ 0xe1,0x74,0x0d,0xbf, 0x73,0x04,0xdf,0x3f,
+ 0xf6,0xf8,0x09,0x9d, 0xdf,0x18,0x07,0x13,
+ 0xe6,0x60,0xf0,0x6a, 0x98,0x22,0x15,0xdf,
+ 0x0c,0x72,0x6a,0x9d, 0x6e,0x67,0x76,0x61,
+ 0xda,0xbe,0x10,0xd6, 0xf0,0x5f,0x06,0x74,
+ 0x76,0xce,0x63,0xee, 0x91,0x39,0x24,0xa9,
+ 0xcf,0xc7,0xca,0xd5, 0xb4,0xff,0x30,0x6e,
+ 0x05,0x32,0x0c,0x9d, 0xeb,0xfb,0xc6,0x3e,
+ 0xe4,0xc6,0x20,0xc5, 0x3e,0x1d,0x5c,0xd6,
+ 0x05,0xbe,0xb8,0xc3, 0x44,0xe3,0xc9,0xc1,
+ 0x38,0xaa,0xc5,0xc8, 0xe3,0x11,0x8d,0xde,
+ 0xdc,0x48,0x8e,0xe9, 0x38,0xe5,0x80,0xec,
+ 0x82,0x17,0xf2,0xcf, 0x26,0x55,0xf7,0xdc,
+ 0x78,0x7f,0xfb,0xc1, 0xb4,0x6c,0x80,0xcc,
+ 0xf8,0x5a,0xbc,0x8f, 0x9d,0x62,0xfe,0x35,
+ 0x17,0x7c,0x10,0xb7, 0x4a,0x0f,0x81,0x43,
+ 0x11,0xbd,0x33,0x47, 0x9c,0x61,0x02,0xec,
+ 0xab,0xde,0xb2,0x3f, 0x73,0x48,0xfb,0x5c,
+ 0x84,0x4a,0xeb,0xab, 0x58,0x07,0x18,0xdc,
+ 0x57,0x85,0xb8,0xe7, 0xff,0x9c,0xc2,0xc8,
+ 0xb3,0xef,0x5b,0x50, 0x16,0xb1,0x38,0x6e,
+ 0xa7,0xd7,0x9c,0xb1, 0x29,0x6b,0x74,0x9c,
+ 0x50,0xcc,0x90,0xee, 0x86,0x2a,0x7c,0x07,
+ 0xd4,0xcb,0xc2,0x24, 0x53,0xb0,0x3f,0x4f,
+ 0x9b,0xc4,0x62,0x73, 0x85,0x3d,0x1e,0x54,
+ 0x86,0xda,0x1e,0x5e, 0x70,0x73,0x6a,0x2a,
+ 0x29,0x75,0xb7,0x18, 0x1a,0x72,0x81,0x64,
+ 0x58,0xa0,0xb3,0x70, 0x61,0x9f,0x22,0x37,
+ 0xac,0xdc,0xe8,0xaf, 0xe2,0x74,0xe4,0xa7,
+ 0xed,0x92,0x5c,0x47, 0xff,0xc3,0xaf,0x9e,
+ 0x59,0xe1,0x09,0x22, 0x72,0x18,0x96,0x35,
+ 0x23,0x91,0x00,0xa3, 0x7d,0x95,0x25,0x95,
+ 0xd5,0xad,0xf8,0x6e, 0xcc,0x14,0x31,0xb2,
+ 0x52,0x20,0x2a,0x41, 0xf1,0xaf,0x9a,0xaf,
+ 0xdd,0xbd,0x04,0x5a, 0xcd,0x1a,0x86,0xb1,
+ 0x45,0x1b,0x6f,0x7a, 0x02,0x45,0x05,0xef,
+ 0x74,0xdf,0xe8,0x72, 0x1c,0x82,0x57,0xea,
+ 0x2a,0x24,0x1b,0x46, 0x3f,0x66,0x89,0x9f,
+ 0x00,0xb9,0xec,0xf7, 0x59,0x6d,0xeb,0xac,
+ 0xca,0x82,0x14,0x79, 0xbf,0x7f,0xd5,0x18,
+ 0x26,0x6b,0xee,0x34, 0x44,0xee,0x6d,0x8a,
+ 0x82,0x8f,0x4f,0xa3, 0x1a,0xc3,0x9b,0x2e,
+ 0x57,0x83,0xb8,0x7d, 0xa0,0x21,0xc6,0x66,
+ 0x96,0x7d,0x30,0x81, 0x29,0xc7,0x05,0x46,
+ 0x99,0xd4,0x35,0x7b, 0x40,0xe8,0x87,0x60,
+ 0x13,0xa5,0xa6,0xb9, 0x24,0x59,0xca,0xa8,
+ 0xcd,0x62,0xeb,0xc5, 0x22,0xff,0x49,0x64,
+ 0x03,0x2d,0x42,0x01, 0xa2,0x09,0x4a,0x45,
+ 0x41,0x34,0x88,0x44, 0xf4,0xe1,0xa3,0x48,
+ 0xcf,0x2d,0xee,0xee, 0xbf,0x83,0x1a,0x42,
+ 0x8d,0xa4,0x15,0x3d, 0xfc,0x92,0x67,0x91,
+ },
+ .c = {
+ 0x5c,0xb9,0xab,0x7c, 0xe4,0x0b,0xbe,0xa5,
+ 0x17,0x18,0xdf,0xd7, 0x17,0x13,0x98,0xbd,
+ 0xcb,0x1c,0xa3,0x39, 0x9c,0xbc,0x19,0x1f,
+ 0xca,0xcb,0x50,0x89, 0x1d,0x69,0xc3,0xcb,
+ 0xd1,0x76,0x70,0x6b, 0x7c,0x62,0x49,0xe8,
+ 0xb1,0xa8,0xb7,0x58, 0x87,0xf6,0x79,0xf7,
+ 0xf2,0xc1,0xd8,0xb2, 0x1d,0xd2,0x1a,0xf5,
+ 0xa0,0x41,0xda,0x17, 0x3f,0xaa,0xdb,0xf6,
+ 0xa9,0xf2,0x49,0x1c, 0x6f,0x20,0xf3,0xae,
+ 0x4a,0x5e,0x55,0xdd, 0xa6,0x9e,0xc4,0x03,
+ 0x07,0x22,0xc0,0xbe, 0x5e,0x58,0xdd,0xf0,
+ 0x7e,0xfe,0xcf,0x2c, 0x96,0x33,0x32,0xbd,
+ 0xe8,0xdf,0x84,0x71, 0x45,0x35,0x40,0x48,
+ 0xcf,0x10,0x45,0x47, 0x97,0x4c,0x20,0x6b,
+ 0x3a,0xdd,0x73,0xd0, 0xce,0x0c,0x4c,0xf1,
+ 0x78,0xcd,0x93,0xd2, 0x21,0x70,0xeb,0x2f,
+ 0x23,0x99,0x64,0xbb, 0x97,0x28,0xe9,0xde,
+ 0xef,0x9c,0xf2,0x7f, 0x4b,0x4d,0x2c,0x66,
+ 0x7b,0x6e,0x70,0xf7, 0x25,0x68,0xea,0x93,
+ 0x3a,0x27,0xbd,0x04, 0x8b,0xcd,0xd9,0xed,
+ 0x1a,0x9d,0xca,0x8f, 0x15,0x2d,0xa1,0x25,
+ 0xb8,0x66,0x1b,0x3d, 0xd4,0xd4,0x9b,0xab,
+ 0x3a,0xa8,0xe8,0x88, 0xc6,0xd2,0x5a,0x28,
+ 0x51,0x4d,0x11,0xb6, 0x4a,0x2b,0x6d,0xe4,
+ 0xc9,0xc1,0x20,0x6f, 0xba,0x23,0x72,0xc9,
+ 0x6d,0x44,0xf0,0xaa, 0x06,0x8c,0x9b,0xbb,
+ 0x4b,0xd2,0xa0,0x94, 0x5f,0x0b,0xc8,0xa3,
+ 0x4c,0xe9,0xe2,0x8a, 0xe5,0xf9,0xe3,0x2c,
+ 0xc7,0x87,0x75,0xc1, 0xc9,0x62,0xb5,0xb4,
+ 0x04,0x86,0x6a,0x31, 0x54,0x0e,0x31,0xf7,
+ 0xad,0xea,0xbb,0xa6, 0x8e,0x6c,0xac,0x24,
+ 0x52,0x2c,0x9d,0x1f, 0xde,0x70,0xfd,0xc4,
+ 0x93,0x8b,0x75,0x6c, 0xef,0xa7,0x89,0xaf,
+ 0x2c,0x4c,0xf6,0x38, 0xdd,0x79,0xfa,0x70,
+ 0x54,0x1e,0x92,0xd4, 0xb4,0x04,0x69,0x8e,
+ 0x6b,0x9e,0x12,0xfe, 0x15,0x15,0xf7,0x99,
+ 0xb6,0x2f,0xfc,0xfa, 0x66,0xe9,0x40,0xb5,
+ 0xd3,0x10,0xbb,0x42, 0xf9,0x68,0x64,0xd4,
+ 0x2a,0xcd,0x43,0x75, 0xb0,0x9c,0x61,0x34,
+ 0xc1,0xc4,0x42,0xf3, 0xf1,0xa7,0x65,0xf4,
+ 0xcb,0x42,0xe9,0xc2, 0x5a,0x05,0xdf,0x98,
+ 0xa3,0xba,0xf7,0xe0, 0x15,0xa1,0xdf,0xf7,
+ 0xce,0xd5,0xf0,0x62, 0x89,0xe1,0x44,0x3a,
+ 0x4f,0x6f,0x75,0x3e, 0xfc,0x19,0xe3,0x5f,
+ 0x36,0x48,0xc1,0x95, 0x08,0x22,0x09,0xf9,
+ 0x07,0x74,0x1c,0xa4, 0x1b,0x7e,0xa8,0x82,
+ 0xca,0x0b,0xd9,0x1e, 0xe3,0x5b,0x1c,0xb5,
+ 0x57,0x13,0x7d,0xbd, 0xbd,0x16,0x88,0xd4,
+ 0xb1,0x8e,0xdb,0x6f, 0x2f,0x7b,0x55,0x72,
+ 0x79,0xc9,0x49,0x7b, 0xf7,0x86,0xa9,0x3d,
+ 0x2d,0x11,0x33,0x7d, 0x82,0x38,0xc7,0xb5,
+ 0x7c,0x6b,0x0b,0x28, 0x42,0x50,0x47,0x69,
+ 0xd8,0x48,0xc6,0x85, 0x0b,0x1b,0xca,0x08,
+ 0x85,0x36,0x6d,0x97, 0xe9,0x3e,0xeb,0xe2,
+ 0x28,0x6a,0x17,0x61, 0x7d,0xcb,0xb6,0xb3,
+ 0x23,0x44,0x76,0xd3, 0x57,0x39,0x9b,0x1d,
+ 0x69,0x30,0xd8,0x3f, 0x21,0xe8,0x68,0x94,
+ 0x82,0x85,0x97,0xb1, 0x1f,0x0c,0x99,0x6e,
+ 0x6e,0x44,0xa6,0x82, 0xd0,0xa2,0xe6,0xfe,
+ 0xff,0x08,0x41,0x49, 0x54,0x18,0x51,0x88,
+ 0x23,0xd5,0x14,0xbd, 0xfe,0xea,0x5d,0x15,
+ 0xd4,0x0b,0x2d,0x92, 0x94,0x8d,0xd4,0xe5,
+ 0xaf,0x60,0x88,0x2b, 0x67,0xae,0xbb,0xa8,
+ 0xec,0xae,0x9b,0x35, 0xa2,0xd7,0xe8,0xb6,
+ 0xe5,0xaa,0x12,0xd5, 0xef,0x05,0x5a,0x64,
+ 0xe0,0xff,0x79,0x16, 0xb6,0xa3,0xdb,0x1e,
+ 0xee,0xe8,0xb7,0xd6, 0x71,0xbd,0x76,0xbf,
+ 0x66,0x2a,0x9c,0xec, 0xbe,0x8c,0xb5,0x8e,
+ 0x8e,0xc0,0x89,0x07, 0x5d,0x22,0xd8,0xe0,
+ 0x27,0xcf,0x58,0x8a, 0x8c,0x4d,0xc7,0xa4,
+ 0x45,0xfc,0xe5,0xa4, 0x32,0x7c,0xbf,0x86,
+ 0xf0,0x82,0x96,0x05, 0x1e,0x86,0x03,0x0f,
+ 0x1f,0x0d,0xf2,0xfc, 0x28,0x62,0x90,0x53,
+ 0xfe,0xd4,0x28,0x52, 0x4f,0xa6,0xbc,0x4d,
+ 0xba,0x5d,0x04,0xc0, 0x83,0x61,0xf6,0x41,
+ 0xc8,0x58,0x40,0x49, 0x1d,0x27,0xd5,0x9f,
+ 0x93,0x4f,0xb5,0x7a, 0xea,0x7b,0x86,0x31,
+ 0x2b,0xe5,0x92,0x51, 0x3e,0x7a,0xbe,0xdb,
+ 0x04,0xae,0x21,0x71, 0x5a,0x70,0xf9,0x9b,
+ 0xa8,0xb6,0xdb,0xcd, 0x21,0x56,0x75,0x2e,
+ 0x98,0x38,0x78,0x4d, 0x51,0x4a,0xa6,0x03,
+ 0x8a,0x84,0xb2,0xf9, 0x6b,0x98,0x6d,0xf3,
+ 0x12,0xaa,0xd4,0xea, 0xb3,0x7c,0xb0,0xd9,
+ 0x5e,0x1c,0xb0,0x69, 0x48,0x67,0x13,0x26,
+ 0xf0,0x25,0x04,0x93, 0x6d,0xc6,0x6c,0xb2,
+ 0xcd,0x7c,0x36,0x62, 0x6d,0x38,0x44,0xe9,
+ 0x6b,0xe2,0x7f,0xc1, 0x40,0xdb,0x55,0xe1,
+ 0xa6,0x71,0x94,0x0a, 0x13,0x5f,0x9e,0x66,
+ 0x3b,0xb3,0x11,0x90, 0xbb,0x68,0xd4,0x11,
+ 0xf2,0xb7,0x61,0xbd, 0xac,0x4a,0x56,0xf4,
+ 0x9e,0xe2,0xd0,0x1e, 0xb4,0xa1,0xb8,0x4e,
+ 0xbb,0xc2,0x73,0x63, 0x04,0x99,0x97,0x9f,
+ 0x76,0x18,0x82,0x11, 0x7e,0xe1,0xcc,0x58,
+ 0xb7,0xb5,0x37,0x78, 0x60,0x19,0x6c,0x2b,
+ 0x6e,0x65,0x15,0x10, 0x3c,0x93,0xf0,0xc5,
+ 0x3d,0x9e,0xeb,0x77, 0x72,0x25,0x95,0xf0,
+ 0x27,0xe8,0xbd,0x81, 0x9c,0x22,0x38,0xa7,
+ 0x8d,0xe9,0x94,0xf2, 0x27,0x8d,0x3a,0x34,
+ 0x36,0xba,0x26,0xa0, 0xd7,0x3e,0xd8,0xbe,
+ 0x60,0xd1,0x53,0x58, 0x56,0xe6,0xf3,0xa1,
+ 0x0d,0x62,0x5e,0x44, 0xd3,0x7c,0xc9,0x25,
+ 0x87,0xc8,0x1a,0x57, 0x7f,0xfa,0x79,0x4a,
+ 0x15,0xf6,0x3e,0x2e, 0xd0,0x6b,0x83,0x9b,
+ 0xe6,0xfe,0x6c,0xd3, 0x8e,0x40,0x4a,0x12,
+ 0x57,0x41,0xc9,0x5a, 0x42,0x91,0x0b,0x28,
+ 0x56,0x38,0xfc,0x45, 0x4b,0x26,0xbf,0x3a,
+ 0xa3,0x46,0x75,0x73, 0xde,0x7e,0x18,0x7c,
+ 0x82,0x92,0x73,0xe6, 0xb5,0xd2,0x1f,0x1c,
+ 0xdd,0xb3,0xd5,0x71, 0x9f,0xd2,0xa5,0xf4,
+ 0xf1,0xcb,0xfe,0xfb, 0xd3,0xb6,0x32,0xbd,
+ 0x8e,0x0d,0x73,0x0a, 0xb6,0xb1,0xfd,0x31,
+ 0xa5,0xa4,0x7a,0xb1, 0xa1,0xbb,0xf0,0x0b,
+ 0x97,0x21,0x27,0xe1, 0xbb,0x6a,0x2a,0x5b,
+ 0x95,0xda,0x01,0xd3, 0x06,0x8e,0x53,0xd8,
+ 0x23,0xa3,0xa9,0x82, 0x8a,0xa2,0x8f,0xdb,
+ 0x87,0x37,0x41,0x41, 0x2b,0x36,0xf3,0xb3,
+ 0xa6,0x32,0x5f,0x3e, 0xbf,0x70,0x3a,0x13,
+ 0xba,0x11,0xa1,0x4e, 0x11,0xa8,0xc0,0xb7,
+ 0xb2,0x1b,0xab,0xc8, 0xcb,0x38,0x35,0x2e,
+ 0x76,0xa7,0x0b,0x5a, 0x6c,0x53,0x83,0x60,
+ 0x4f,0xee,0x91,0xe8, 0xca,0x1e,0x7f,0x76,
+ 0x2b,0x4c,0xe7,0xd4, 0xcb,0xf8,0xeb,0x94,
+ 0x76,0x17,0x68,0x23, 0x95,0x93,0x7f,0x60,
+ 0x80,0x7a,0x85,0x70, 0x95,0x56,0xb9,0x76,
+ 0x76,0xb6,0x8f,0xe2, 0x93,0x60,0xfc,0x70,
+ 0x57,0x4a,0x27,0xc0, 0xfb,0x49,0x2f,0xac,
+ 0xde,0x87,0x2f,0x1a, 0x80,0xca,0x68,0x5e,
+ 0xc6,0x18,0x4e,0x3a, 0x4b,0x36,0xdc,0x24,
+ 0x78,0x7e,0xb0,0x58, 0x85,0x4d,0xa9,0xbc,
+ 0x0d,0x87,0xdd,0x02, 0xa6,0x0d,0x46,0xae,
+ 0xf7,0x2f,0x8e,0xeb, 0xf4,0x29,0xe0,0xbc,
+ 0x9a,0x34,0x30,0xc3, 0x29,0xea,0x2c,0xb3,
+ 0xb4,0xa2,0x9c,0x45, 0x6e,0xcb,0xa4,0x9d,
+ 0x22,0xe6,0x71,0xe0, 0xcb,0x9f,0x05,0xef,
+ 0x2f,0xf7,0x12,0xfd, 0x5d,0x48,0x6c,0x9e,
+ 0x8b,0xaa,0x90,0xb6, 0xa8,0x78,0xeb,0xde,
+ 0xeb,0x4c,0xce,0x7b, 0x62,0x60,0x69,0xc0,
+ 0x54,0xc3,0x13,0x76, 0xdc,0x7e,0xd1,0xc3,
+ 0x8e,0x24,0x58,0x43, 0x3c,0xbc,0xa0,0x75,
+ 0xf2,0x7c,0x2d,0x1e, 0x94,0xec,0x40,0x15,
+ 0xe1,0x78,0xac,0x4a, 0x93,0xef,0x87,0xec,
+ 0x99,0x94,0xcb,0x65, 0xde,0xcb,0x38,0xd7,
+ 0x89,0x90,0xa2,0x68, 0xcf,0xfd,0x98,0xf8,
+ 0x1f,0x06,0xd5,0x6c, 0x53,0x1d,0xd3,0xa7,
+ 0x06,0x0b,0xa9,0x92, 0xbb,0x6e,0x6f,0xaa,
+ 0x5a,0x54,0x71,0xb7, 0x90,0x00,0x06,0x6b,
+ 0xf9,0x34,0xba,0x41, 0x73,0x58,0x98,0xfc,
+ 0xca,0x98,0xbd,0xd3, 0x7d,0xa4,0x49,0xcc,
+ 0xa8,0x19,0xc1,0x40, 0x75,0x81,0x02,0x33,
+ 0xac,0x90,0xcd,0x58, 0xeb,0x1b,0xb4,0x4e,
+ 0xe0,0x8a,0xa9,0x0f, 0x15,0x8e,0x51,0x85,
+ 0x06,0x09,0x92,0x40, 0xe3,0x75,0x60,0x64,
+ 0xcf,0x9b,0x88,0xc7, 0xb0,0xab,0x37,0x5d,
+ 0x43,0x21,0x18,0x09, 0xff,0xec,0xa0,0xb3,
+ 0x47,0x09,0x22,0x4c, 0x55,0xc2,0x2d,0x2b,
+ 0xce,0xb9,0x3a,0xcc, 0xd7,0x0c,0xb2,0x9a,
+ 0xff,0x2a,0x73,0xac, 0x7a,0xf2,0x11,0x73,
+ 0x94,0xd9,0xbe,0x31, 0x9f,0xae,0x62,0xab,
+ 0x03,0xac,0x5f,0xe2, 0x99,0x90,0xfb,0xa5,
+ 0x74,0xc0,0xfa,0xb9, 0x3c,0x96,0x7c,0x36,
+ 0x25,0xab,0xff,0x2f, 0x24,0x65,0x73,0x21,
+ 0xc3,0x21,0x73,0xc9, 0x23,0x06,0x22,0x6c,
+ 0xb2,0x22,0x26,0x1d, 0x88,0x6f,0xd3,0x5f,
+ 0x6f,0x4d,0xf0,0x6d, 0x13,0x70,0x7d,0x67,
+ 0xe8,0x5c,0x3b,0x35, 0x27,0x8a,0x8c,0x65,
+ 0xae,0x50,0x78,0xe1, 0x26,0x07,0xf8,0x18,
+ 0xfc,0xea,0xa3,0x58, 0x73,0x2b,0xca,0x92,
+ 0x10,0xdc,0xb5,0x39, 0xd5,0x2d,0x21,0xfe,
+ 0x79,0xac,0x7d,0xe8, 0x0c,0xe9,0x6d,0x3e,
+ 0xb4,0x8a,0x23,0x65, 0x08,0xbc,0x57,0x51,
+ 0xe1,0xf8,0x8d,0x5b, 0xe4,0xfe,0x14,0x60,
+ 0x02,0xe7,0xd1,0xc2, 0xd2,0x2c,0x3f,0x4d,
+ 0x08,0xd1,0xd0,0xe7, 0x3b,0xcb,0x85,0x84,
+ 0x32,0xd6,0xb9,0xfb, 0xf7,0x45,0xa1,0xaf,
+ 0x9c,0xa3,0x8d,0x37, 0xde,0x03,0x6b,0xf4,
+ 0xae,0x58,0x03,0x26, 0x58,0x4f,0x73,0x49,
+ 0xc8,0x7f,0xa3,0xdd, 0x51,0xf2,0xec,0x34,
+ 0x8f,0xd5,0xe0,0xc2, 0xe5,0x33,0xf7,0x31,
+ 0x33,0xe7,0x98,0x5f, 0x26,0x14,0x4f,0xbb,
+ 0x88,0x1f,0xb3,0x92, 0x4e,0x97,0x2d,0xee,
+ 0x08,0x5f,0x9c,0x14, 0x5f,0xaf,0x6c,0x10,
+ 0xf9,0x47,0x41,0x81, 0xe9,0x99,0x49,0x52,
+ 0x86,0x29,0x55,0xba, 0x2e,0xb6,0x62,0x24,
+ 0x58,0xf7,0x4d,0x99, 0xce,0x75,0xa8,0x45,
+ 0x66,0x27,0x48,0x3f, 0x78,0xe3,0x48,0x7c,
+ 0xd7,0x1a,0x6c,0x89, 0x9d,0xb2,0x6a,0x23,
+ 0x9d,0xd7,0xed,0x82, 0x31,0x94,0x40,0x66,
+ 0xc8,0x28,0x52,0x23, 0xe7,0x61,0xde,0x71,
+ 0x69,0xf2,0x53,0x43, 0x30,0xce,0x6a,0x1a,
+ 0xfe,0x1e,0xeb,0xc2, 0x9f,0x61,0x81,0x94,
+ 0x18,0xed,0x58,0xbb, 0x01,0x13,0x92,0xb3,
+ 0xa6,0x90,0x7f,0xb5, 0xf4,0xbd,0xff,0xae,
+ },
+ },
+ [4] = {
+ .k = {
+ 0x7f,0x56,0x7d,0x15, 0x77,0xe6,0x83,0xac,
+ 0xd3,0xc5,0xb7,0x39, 0x9e,0x9f,0xf9,0x17,
+ 0xc7,0xff,0x50,0xb0, 0x33,0xee,0x8f,0xd7,
+ 0x3a,0xab,0x0b,0xfe, 0x6d,0xd1,0x41,0x8a,
+ },
+ .tlen = 0,
+ .len = 4096,
+ .p = {
+ 0x95,0x96,0x98,0xef, 0x73,0x92,0xb5,0x20,
+ 0xec,0xfc,0x4d,0x91, 0x54,0xbf,0x8d,0x9d,
+ 0x54,0xbc,0x4f,0x0f, 0x94,0xfc,0x94,0xcf,
+ 0x07,0xf6,0xef,0xbb, 0xed,0x3f,0xd3,0x60,
+ 0xba,0x85,0x1d,0x04, 0x08,0x54,0x92,0x08,
+ 0x06,0x52,0x7f,0x33, 0xfd,0xf3,0xdf,0x2a,
+ 0x17,0x2d,0xda,0x73, 0x03,0x56,0x21,0xa9,
+ 0xa3,0xab,0xf7,0x24, 0x17,0x39,0x7e,0x0f,
+ 0x00,0xdd,0xac,0x55, 0xb0,0x8b,0x2d,0x72,
+ 0x3b,0x9a,0x36,0x5a, 0xd9,0x0a,0x8e,0x0f,
+ 0xe2,0x1d,0xe8,0x85, 0xc3,0xc1,0x17,0x11,
+ 0xa7,0x2c,0x87,0x77, 0x9d,0x6c,0x3a,0xa6,
+ 0x90,0x59,0x10,0x24, 0xb0,0x92,0xe1,0xb6,
+ 0xa9,0x89,0x7c,0x95, 0x0a,0xf2,0xb2,0xa3,
+ 0x4a,0x40,0x88,0x35, 0x71,0x4e,0xa5,0xc9,
+ 0xde,0xba,0xd7,0x62, 0x56,0x46,0x40,0x1e,
+ 0xda,0x80,0xaf,0x28, 0x5d,0x40,0x36,0xf6,
+ 0x09,0x06,0x29,0x6e, 0xaa,0xca,0xe3,0x9e,
+ 0x9a,0x4f,0x4c,0x7e, 0x71,0x81,0x6f,0x9e,
+ 0x50,0x05,0x91,0x58, 0x13,0x6c,0x75,0x6a,
+ 0xd3,0x0e,0x7e,0xaf, 0xe1,0xbc,0xd9,0x38,
+ 0x18,0x47,0x73,0x3a, 0xf3,0x78,0x6f,0xcc,
+ 0x3e,0xea,0x52,0x82, 0xb9,0x0a,0xc5,0xfe,
+ 0x77,0xd6,0x25,0x56, 0x2f,0xec,0x04,0x59,
+ 0xda,0xd0,0xc9,0x22, 0xb1,0x01,0x60,0x7c,
+ 0x48,0x1a,0x31,0x3e, 0xcd,0x3d,0xc4,0x87,
+ 0xe4,0x83,0xc2,0x06, 0x91,0xf7,0x02,0x86,
+ 0xd2,0x9b,0xfd,0x26, 0x5b,0x9b,0x32,0xd1,
+ 0x5c,0xfd,0xb4,0xa8, 0x58,0x3f,0xd8,0x10,
+ 0x8a,0x56,0xee,0x04, 0xd0,0xbc,0xaa,0xa7,
+ 0x62,0xfd,0x9a,0x52, 0xec,0xb6,0x80,0x52,
+ 0x39,0x9e,0x07,0xc8, 0xb4,0x50,0xba,0x5a,
+ 0xb4,0x9a,0x27,0xdb, 0x93,0xb6,0x98,0xfe,
+ 0x52,0x08,0xa9,0x45, 0xeb,0x03,0x28,0x89,
+ 0x26,0x3c,0x9e,0x97, 0x0f,0x0d,0x0b,0x67,
+ 0xb0,0x00,0x01,0x71, 0x4b,0xa0,0x57,0x62,
+ 0xfe,0xb2,0x6d,0xbb, 0xe6,0xe4,0xdf,0xe9,
+ 0xbf,0xe6,0x21,0x58, 0xd7,0xf6,0x97,0x69,
+ 0xce,0xad,0xd8,0xfa, 0xce,0xe6,0x80,0xa5,
+ 0x60,0x10,0x2a,0x13, 0xb2,0x0b,0xbb,0x88,
+ 0xfb,0x64,0x66,0x00, 0x72,0x8c,0x4e,0x21,
+ 0x47,0x33,0x00,0x1f, 0x85,0xa6,0x3a,0xd3,
+ 0xe2,0x6c,0xc7,0x42, 0xb6,0x7b,0xc0,0x56,
+ 0x75,0xe2,0x61,0x72, 0x15,0xd1,0x88,0x08,
+ 0x3f,0x4d,0xfd,0xe2, 0x68,0x64,0xe5,0x7a,
+ 0x23,0x9b,0x3f,0x6c, 0xc3,0xd6,0x51,0x08,
+ 0x24,0x33,0x24,0x47, 0x7e,0xea,0x23,0xdc,
+ 0x07,0x41,0x66,0xa2, 0xa4,0xeb,0x23,0xa1,
+ 0x37,0x31,0xc0,0x7a, 0xe6,0xa4,0x63,0x05,
+ 0x20,0x44,0xe2,0x70, 0xd3,0x3e,0xee,0xd8,
+ 0x24,0x34,0x5d,0x80, 0xde,0xc2,0x34,0x66,
+ 0x5a,0x2b,0x6a,0x20, 0x4c,0x99,0x0d,0xbc,
+ 0x37,0x59,0xc5,0x8b, 0x70,0x4d,0xb4,0x0e,
+ 0x51,0xec,0x59,0xf6, 0x4f,0x08,0x1e,0x54,
+ 0x3d,0x45,0x31,0x99, 0x4d,0x5e,0x29,0x5f,
+ 0x12,0x57,0x46,0x09, 0x33,0xb9,0xf2,0x66,
+ 0xb4,0xc2,0xfa,0x63, 0xbe,0x42,0x6c,0x21,
+ 0x68,0x33,0x40,0xc6, 0xbd,0xd8,0x8a,0x55,
+ 0xd7,0x90,0x27,0x25, 0x7d,0x1e,0xed,0x02,
+ 0x50,0xd8,0xb1,0xac, 0xfa,0xd9,0xd4,0xcb,
+ 0x1c,0xc9,0x43,0x60, 0x44,0xab,0xd8,0x97,
+ 0x04,0xac,0xef,0x72, 0xa3,0x88,0xdc,0xb0,
+ 0xb0,0xb6,0xc6,0xd4, 0xd0,0x38,0xaf,0xc7,
+ 0xcd,0x8d,0x2a,0xa4, 0x13,0x53,0xd9,0xfd,
+ 0x2d,0x0b,0x91,0xb4, 0x3c,0x3a,0x72,0x11,
+ 0x6c,0x8b,0x96,0xa3, 0xc6,0x0b,0xd6,0x9a,
+ 0xa2,0xb9,0xae,0x76, 0xad,0xfd,0x01,0x90,
+ 0xab,0x93,0x9c,0x4b, 0xde,0x7e,0xf2,0x82,
+ 0x96,0xb9,0x98,0x55, 0xe2,0x68,0xe0,0xd8,
+ 0x61,0xb8,0x91,0x9a, 0xaf,0x92,0xd7,0xe5,
+ 0xeb,0x88,0xc5,0xb0, 0xcb,0x75,0x55,0xa9,
+ 0x94,0x7c,0x9c,0x11, 0x14,0x81,0x1a,0x09,
+ 0x61,0xd8,0x22,0x44, 0x13,0xba,0xe8,0x06,
+ 0x78,0xfd,0xd5,0x82, 0x73,0x19,0x9a,0xd1,
+ 0x5d,0x16,0xf5,0xd8, 0x86,0x7e,0xe3,0xcd,
+ 0xdc,0xe8,0x6a,0x18, 0x05,0xba,0x10,0xe4,
+ 0x06,0xc7,0xb2,0xf3, 0xb2,0x3e,0x1c,0x74,
+ 0x86,0xdd,0xad,0x8c, 0x82,0xf0,0x73,0x15,
+ 0x34,0xac,0x1d,0x95, 0x5e,0xba,0x2a,0xba,
+ 0xf8,0xac,0xbd,0xd7, 0x28,0x74,0x28,0xc7,
+ 0x29,0xa0,0x00,0x11, 0xda,0x31,0x7c,0xab,
+ 0x66,0x4d,0xb2,0x5e, 0xae,0x71,0xc5,0x31,
+ 0xcc,0x2b,0x9f,0x36, 0x2e,0xe6,0x97,0xa4,
+ 0xe1,0xb8,0x4b,0xc9, 0x00,0x87,0x7b,0x54,
+ 0xaa,0xeb,0xff,0x1a, 0x15,0xe8,0x3e,0x11,
+ 0xf7,0x25,0x3a,0xce, 0x94,0x23,0x27,0x44,
+ 0x77,0x80,0x6e,0xdd, 0x3f,0x8e,0x5a,0x92,
+ 0xae,0xee,0xb9,0x00, 0x79,0xc3,0x1d,0xab,
+ 0x17,0xb8,0x2b,0xff, 0x0d,0x64,0x29,0xb7,
+ 0x61,0x4d,0xd0,0x8d, 0x3d,0x36,0x3d,0x13,
+ 0xed,0x12,0xe8,0x08, 0xdd,0x4b,0x37,0xf7,
+ 0x2b,0xe7,0xeb,0x92, 0x78,0x98,0xc2,0xd6,
+ 0x13,0x15,0x94,0xff, 0xef,0xdc,0xda,0x27,
+ 0x7b,0xf9,0x58,0x5b, 0x90,0xf3,0xcd,0x1b,
+ 0x38,0x8a,0x00,0x38, 0x9b,0x95,0xcb,0x18,
+ 0x1f,0x97,0xd2,0x1f, 0x60,0x9d,0x6c,0xac,
+ 0xb8,0x72,0x08,0xd9, 0xc1,0xf4,0x98,0x72,
+ 0xf9,0x44,0xf2,0x2b, 0xe1,0x6e,0x76,0x15,
+ 0x63,0xfc,0x57,0x12, 0x23,0x4a,0xff,0xd3,
+ 0x1f,0x0d,0x0c,0xb9, 0x14,0xf9,0x98,0x52,
+ 0xce,0x90,0x34,0x8c, 0xd4,0x54,0x14,0x9e,
+ 0xf7,0x2c,0xba,0x5f, 0x80,0xb0,0x02,0x68,
+ 0x4f,0xca,0xb0,0xda, 0x44,0x11,0xb4,0xbd,
+ 0x12,0x14,0x80,0x6b, 0xc1,0xce,0xa7,0xfe,
+ 0x0e,0x16,0x69,0x19, 0x3c,0xe7,0xb6,0xfe,
+ 0x5a,0x59,0x02,0xf6, 0x78,0x3e,0xa4,0x65,
+ 0x57,0xa1,0xf2,0x65, 0xad,0x64,0xfc,0xba,
+ 0xd8,0x47,0xc8,0x8d, 0x11,0xf9,0x6a,0x25,
+ 0x22,0xa7,0x7f,0xa9, 0x43,0xe4,0x07,0x6b,
+ 0x49,0x26,0x42,0xe4, 0x03,0x1f,0x56,0xcd,
+ 0xf1,0x49,0xf8,0x0d, 0xea,0x1d,0x4f,0x77,
+ 0x5c,0x3c,0xcd,0x6d, 0x58,0xa8,0x92,0x6d,
+ 0x50,0x4a,0x81,0x6e, 0x09,0x2a,0x15,0x9e,
+ 0x3b,0x56,0xd3,0xb4, 0xef,0xe6,0x12,0xaf,
+ 0x60,0x3b,0x73,0xe7, 0xd8,0x2e,0xab,0x13,
+ 0xfb,0x7e,0xea,0xb1, 0x7b,0x54,0xc5,0x26,
+ 0x41,0x93,0x31,0xda, 0xb5,0x7a,0xe3,0x46,
+ 0x7a,0x8a,0xb0,0x81, 0xab,0xd5,0x90,0x85,
+ 0x4b,0xef,0x30,0x11, 0xb8,0x00,0x19,0x39,
+ 0xd3,0x11,0x54,0x53, 0x48,0x7a,0x7e,0xc5,
+ 0x4e,0x52,0xe5,0x4c, 0xeb,0xa2,0x9f,0x7a,
+ 0xdc,0xb5,0xc8,0x4e, 0x3b,0x5c,0x92,0x0f,
+ 0x19,0xcb,0x0a,0x9d, 0xda,0x01,0xfc,0x17,
+ 0x62,0xc3,0x46,0x63, 0x8b,0x4e,0x85,0x92,
+ 0x75,0x01,0x00,0xb3, 0x74,0xa8,0x23,0xd1,
+ 0xd2,0x91,0x53,0x0f, 0xd0,0xe9,0xed,0x90,
+ 0xde,0x9c,0x8c,0xb7, 0xf1,0x6a,0xd6,0x49,
+ 0x3c,0x22,0x2b,0xd7, 0x73,0x76,0x38,0x79,
+ 0xb5,0x88,0x1e,0xee, 0xdf,0xed,0x9f,0xfd,
+ 0x1a,0x0e,0xe7,0xd5, 0xc6,0xc9,0xfb,0x03,
+ 0xcc,0x84,0xb5,0xd2, 0x49,0xca,0x49,0x0a,
+ 0x1b,0x7c,0x78,0xe4, 0xd1,0x2e,0x7c,0x14,
+ 0x80,0x38,0x9d,0xba, 0x64,0x13,0xd3,0xf8,
+ 0x8e,0x05,0x4a,0xd6, 0x0d,0x73,0x09,0x1e,
+ 0xf1,0x75,0x63,0x59, 0xed,0xfc,0xbe,0x83,
+ 0x56,0x91,0x22,0x84, 0xd2,0x1e,0xf2,0x61,
+ 0x12,0x3d,0x50,0x6c, 0x9f,0xea,0x6b,0xcd,
+ 0x8c,0xac,0x28,0x0d, 0xad,0xf4,0xfd,0x77,
+ 0x45,0x68,0x17,0xb6, 0x03,0x13,0x54,0x7a,
+ 0xc0,0x8e,0x6b,0x56, 0x8a,0xd2,0xc6,0x1b,
+ 0xb3,0x3e,0x4f,0x68, 0x91,0x2e,0x2d,0x35,
+ 0x2a,0x32,0x27,0x86, 0x67,0x36,0x73,0xb8,
+ 0xfc,0x08,0xb8,0xf8, 0x1f,0x67,0x0b,0x32,
+ 0x89,0x00,0xfb,0x2d, 0xbe,0x74,0xae,0x41,
+ 0x3a,0xd3,0xed,0xf1, 0x67,0xee,0xe5,0x26,
+ 0xd4,0x59,0xdc,0x3b, 0x6b,0xf7,0x33,0x67,
+ 0xed,0xef,0xb0,0x5d, 0x5e,0x43,0x34,0xa2,
+ 0x3d,0x55,0x16,0x99, 0x4b,0x90,0x49,0x40,
+ 0x82,0x35,0x0d,0x82, 0xa6,0x16,0xd2,0x41,
+ 0xc8,0x65,0xd4,0xe7, 0x1a,0xdb,0xad,0xe6,
+ 0x48,0x5e,0xeb,0x94, 0xa6,0x9f,0x97,0x1e,
+ 0xd4,0x38,0x5d,0xff, 0x6e,0x17,0x0c,0xd0,
+ 0xb3,0xd5,0xb4,0x06, 0xd7,0xcb,0x8e,0xa3,
+ 0x27,0x75,0x24,0xb5, 0x14,0xe9,0x55,0x94,
+ 0x51,0x14,0xaf,0x15, 0x02,0xd3,0x9c,0x5f,
+ 0x43,0xfe,0x97,0xf4, 0x0b,0x4e,0x4d,0x89,
+ 0x15,0x33,0x4a,0x04, 0x10,0xf3,0xeb,0x13,
+ 0x71,0x86,0xb4,0x8a, 0x2c,0x75,0x04,0x47,
+ 0xb9,0x60,0xe9,0x2a, 0x5a,0xe8,0x7e,0x8b,
+ 0x91,0xa7,0x01,0x49, 0xcf,0xfc,0x48,0x83,
+ 0xa7,0x42,0xc8,0x2f, 0x80,0x92,0x04,0x64,
+ 0x03,0xf7,0x9f,0x1d, 0xc2,0x82,0x0b,0x14,
+ 0x65,0x4d,0x04,0x09, 0x13,0x5f,0xb8,0x66,
+ 0x19,0x14,0x7a,0x09, 0xa7,0xf8,0x73,0x2d,
+ 0x4d,0x90,0x86,0x14, 0x25,0xd6,0xd6,0xf5,
+ 0x82,0x9c,0x32,0xab, 0x5c,0x37,0x12,0x28,
+ 0xd1,0xfe,0xfa,0x0d, 0x90,0x8d,0x28,0x20,
+ 0xb1,0x1e,0xbe,0x30, 0x80,0xd7,0xb1,0x63,
+ 0xd9,0x23,0x83,0x0b, 0x9d,0xf5,0x0e,0x9c,
+ 0xa2,0x88,0x5f,0x2c, 0xf2,0xa6,0x9d,0x23,
+ 0x45,0x1c,0x9b,0x7a, 0xd2,0x60,0xa6,0x0f,
+ 0x44,0xba,0x91,0x3d, 0xc6,0xf7,0xef,0x2f,
+ 0x5c,0xa8,0x5e,0x2b, 0x50,0xd3,0xd1,0x85,
+ 0xfd,0xed,0x52,0x48, 0xe2,0xd9,0xd2,0x12,
+ 0x4e,0x03,0xc9,0x3d, 0x8f,0x8d,0x1f,0x8e,
+ 0x6b,0xd8,0xe3,0x32, 0xa7,0x5b,0x39,0x57,
+ 0x91,0x08,0x52,0x09, 0xa4,0x7a,0x40,0xc6,
+ 0xcf,0xcf,0x68,0xba, 0xb1,0x97,0xf8,0x38,
+ 0x94,0x1d,0x18,0x69, 0x80,0x6a,0x11,0x15,
+ 0xc2,0xfb,0x2d,0x6c, 0xd1,0xd4,0x88,0x50,
+ 0xbb,0xca,0x8c,0x56, 0x36,0xb6,0xc4,0x41,
+ 0x97,0xe6,0xb0,0x5c, 0x7f,0x51,0x00,0x6f,
+ 0x17,0xe5,0xde,0x27, 0xf7,0xb4,0x85,0x3b,
+ 0xc5,0xa1,0x60,0x1c, 0xba,0x21,0xd6,0xed,
+ 0xd5,0x08,0x62,0x80, 0xb4,0x85,0x52,0x15,
+ 0x5c,0x94,0x19,0x3a, 0x10,0x92,0xa4,0x06,
+ 0xf1,0x86,0x02,0xce, 0x94,0xd3,0xd5,0x33,
+ 0xe7,0x59,0x47,0x72, 0x12,0xf4,0x8b,0x06,
+ 0x29,0xa3,0xb0,0x39, 0x78,0x8f,0x46,0x56,
+ 0x4a,0x42,0x4f,0x89, 0x1b,0x3f,0x09,0x12,
+ 0xc4,0x24,0x0b,0x22, 0xf0,0x27,0x04,0x4d,
+ 0x39,0xd8,0x59,0xc8, 0x7c,0x59,0x18,0x0a,
+ 0x36,0xa8,0x3c,0xba, 0x42,0xe2,0xf7,0x7a,
+ 0x23,0x90,0x73,0xff, 0xd6,0xa3,0xb2,0xcf,
+ 0x60,0xc6,0x62,0x76, 0x61,0xa3,0xcd,0x53,
+ 0x94,0x37,0x3c,0x24, 0x4b,0xc1,0xc5,0x3b,
+ 0x26,0xf8,0x67,0x1d, 0xca,0xdd,0x08,0xcb,
+ 0xdb,0x00,0x96,0x34, 0xd0,0x5d,0xef,0x4e,
+ 0x64,0x18,0xb1,0xdc, 0x46,0x13,0xc1,0x8c,
+ 0x87,0xbf,0xa3,0xfe, 0xd7,0x49,0x7e,0xb3,
+ 0x94,0xe4,0x38,0x70, 0x2a,0xde,0xaf,0x73,
+ 0x46,0xda,0xff,0xec, 0xfc,0x18,0xe2,0x02,
+ 0x64,0x5f,0x9b,0xd2, 0xdf,0x8b,0xa8,0xd0,
+ 0x4c,0xd7,0x5c,0xc7, 0x80,0x59,0x4d,0x66,
+ 0x68,0xd3,0x4a,0x51, 0xc3,0x68,0xe2,0x0a,
+ 0x17,0x31,0x4b,0xd7, 0x23,0x28,0x25,0x26,
+ 0x4a,0xef,0x02,0xd7, 0x3a,0x53,0xdb,0x09,
+ 0x19,0x85,0x68,0xab, 0xa9,0x8c,0xff,0x7e,
+ 0x30,0xfb,0x42,0x08, 0xa1,0x5a,0xd1,0xc9,
+ 0x3f,0xc9,0x00,0xfb, 0xd4,0x3e,0xb0,0x1c,
+ 0x99,0xba,0xdc,0xb4, 0x69,0xe7,0xe1,0xb0,
+ 0x67,0x53,0x46,0xa6, 0xc6,0x34,0x5c,0x94,
+ 0xfa,0xd3,0x9b,0x48, 0x92,0xa1,0xd3,0xe5,
+ 0xa7,0xea,0xe1,0x86, 0x5e,0x90,0x26,0x2d,
+ 0x4b,0x85,0xe1,0x68, 0xee,0xc2,0xf1,0x25,
+ 0xb7,0xff,0x01,0x96, 0x61,0x54,0xba,0xf3,
+ 0x09,0x62,0x7f,0xa3, 0x92,0x6b,0xe7,0x00,
+ 0xfc,0xd4,0x04,0xfd, 0x2d,0x42,0x7e,0x56,
+ 0x91,0x33,0x6e,0xf8, 0x08,0x94,0xff,0xce,
+ 0x03,0x7e,0x4d,0x0a, 0x91,0x41,0x4f,0xaa,
+ 0xdd,0xd1,0x8c,0x34, 0x99,0x46,0xb5,0xfb,
+ 0x0e,0x09,0x26,0xcc, 0x6d,0x35,0x58,0x0a,
+ 0xc6,0xc0,0x89,0xa0, 0xbd,0xb6,0x89,0xd1,
+ 0x51,0x64,0x85,0x96, 0x4d,0x6a,0x16,0x26,
+ 0x30,0xb7,0xb3,0xe4, 0x80,0x46,0xaa,0x37,
+ 0x4c,0x9b,0x2b,0xa3, 0x76,0x5e,0x8b,0x52,
+ 0x13,0x42,0xe5,0xe3, 0xa8,0xe9,0xaf,0x83,
+ 0x60,0xc0,0xb0,0xf8, 0x3d,0x82,0x0a,0x21,
+ 0x60,0xd2,0x3f,0x1c, 0xb4,0xb5,0x53,0x31,
+ 0x2e,0x16,0xfd,0xf3, 0xc3,0x46,0xfa,0xcc,
+ 0x45,0x1f,0xd1,0xac, 0x22,0xe2,0x41,0xb5,
+ 0x21,0xf3,0xdd,0x1f, 0x81,0xbf,0x03,0xaf,
+ 0xd6,0x31,0xc1,0x6a, 0x2e,0xff,0xc1,0x2d,
+ 0x44,0x53,0xd0,0xb5, 0xa2,0x7c,0x5f,0xf4,
+ 0x47,0xf7,0x4d,0x1e, 0x77,0xe2,0x29,0xcc,
+ 0xd2,0x46,0x85,0xfa, 0xdb,0x7f,0x46,0xf5,
+ 0xc9,0x60,0x4a,0x2c, 0xb7,0xf2,0xa2,0x2c,
+ 0x9d,0x76,0xcd,0x82, 0x67,0xae,0xbb,0xe0,
+ 0x92,0x56,0x48,0xcb, 0xe5,0xf5,0x3c,0x2c,
+ 0xe0,0xe8,0x6a,0x6a, 0x5a,0x0a,0x20,0x7c,
+ 0xa6,0x9d,0x8e,0x84, 0xfa,0xfe,0x61,0x13,
+ 0x54,0x79,0xe0,0x83, 0xd2,0x15,0xe0,0x33,
+ 0xe4,0xf9,0xad,0xb8, 0x1e,0x75,0x35,0xd3,
+ 0xee,0x7e,0x4a,0x63, 0x2f,0xeb,0xf1,0xe6,
+ 0x22,0xac,0x77,0x74, 0xa1,0xc0,0xa0,0x21,
+ 0x66,0x59,0x7c,0x48, 0x7f,0xaa,0x05,0xe8,
+ 0x51,0xd9,0xc7,0xed, 0xb9,0xea,0x7a,0xdd,
+ 0x23,0x53,0xea,0x8f, 0xef,0xaa,0xe6,0x9e,
+ 0x19,0x21,0x84,0x27, 0xc5,0x78,0x2e,0x8c,
+ 0x52,0x40,0x15,0x1c, 0x2b,0x91,0xb3,0x4c,
+ 0xe8,0xfa,0xd3,0x64, 0x0f,0xf9,0xf4,0xb8,
+ 0x59,0x4d,0x6b,0x2d, 0x44,0x6c,0x8d,0xb2,
+ 0xdb,0x73,0x29,0x66, 0xb1,0xc2,0x28,0xfc,
+ 0x85,0xba,0x60,0x5e, 0x27,0x8f,0xfb,0xb3,
+ 0xc9,0x20,0x43,0xb1, 0x3e,0x18,0x97,0x42,
+ 0x63,0x2d,0x0c,0x97, 0xf2,0xcc,0xcd,0x90,
+ 0x46,0x5f,0x1a,0x85, 0xca,0x44,0x2a,0x1a,
+ 0x52,0xf7,0xbb,0x4e, 0xd1,0xab,0xd5,0xa3,
+ 0x58,0x6b,0xb6,0x5a, 0x88,0x1c,0x9d,0x3b,
+ 0xe2,0x46,0xe4,0x3b, 0x33,0x64,0x6c,0xfd,
+ 0xeb,0x36,0x8e,0x32, 0x1f,0x71,0xbd,0x95,
+ 0xb6,0xfd,0x1a,0xcb, 0xfb,0x4a,0x88,0x27,
+ 0xd6,0x28,0x7b,0x5e, 0xa3,0x8a,0x0c,0x36,
+ 0xa8,0x5d,0x2f,0x28, 0xa9,0xad,0xb2,0x88,
+ 0x9e,0x62,0x9d,0x4a, 0x07,0x74,0x00,0x04,
+ 0x0c,0xc1,0x6a,0x09, 0xe1,0x0b,0xfa,0xf3,
+ 0xd1,0x41,0xdd,0x94, 0x52,0x06,0xb8,0x9e,
+ 0xba,0x81,0xe0,0x52, 0xdf,0x52,0x5d,0x74,
+ 0x40,0x59,0x36,0x05, 0xf2,0x30,0xc4,0x84,
+ 0x85,0xdc,0xb8,0xba, 0xd9,0xf4,0x5f,0x11,
+ 0x83,0xce,0x25,0x57, 0x97,0xf5,0x0f,0xb5,
+ 0x0b,0xd6,0x6d,0x1c, 0xfb,0xf2,0x30,0xda,
+ 0xc2,0x05,0xa8,0xe1, 0xc2,0x57,0x0a,0x05,
+ 0x2d,0x4c,0x8b,0xb7, 0x5a,0xc0,0x8a,0xba,
+ 0xa9,0x85,0x7c,0xf0, 0xb8,0xce,0x72,0x79,
+ 0xf5,0x27,0x99,0xd7, 0xed,0xcf,0x85,0xfa,
+ 0x92,0x15,0xf1,0x47, 0x02,0x24,0x39,0x07,
+ 0x89,0xb6,0xdd,0x4a, 0xb8,0xbc,0xd5,0x9d,
+ 0x4c,0x03,0x8b,0x1d, 0x45,0x58,0x1c,0x86,
+ 0x46,0x71,0x0a,0x0d, 0x7c,0x5b,0xf9,0xdc,
+ 0x60,0xb5,0xb0,0x00, 0x70,0x47,0x83,0xa6,
+ 0x8e,0x79,0xba,0x1d, 0x21,0x20,0xc0,0x24,
+ 0x56,0x35,0x6a,0x49, 0xb6,0xa3,0x58,0x87,
+ 0x16,0xae,0xd9,0x77, 0x62,0xa0,0x61,0xce,
+ 0x3d,0xe6,0x77,0x9e, 0x83,0xec,0xc2,0x04,
+ 0x8c,0xba,0x62,0xac, 0x32,0xda,0xf0,0x89,
+ 0x7b,0x2b,0xb0,0xa3, 0x3a,0x5f,0x8b,0x0d,
+ 0xbd,0xe9,0x14,0xcd, 0x5b,0x7a,0xde,0xd5,
+ 0x0d,0xc3,0x4b,0x38, 0x92,0x31,0x97,0xd8,
+ 0xae,0x89,0x17,0x2c, 0xc9,0x54,0x96,0x66,
+ 0xd0,0x9f,0x60,0x7a, 0x7d,0x63,0x67,0xfc,
+ 0xb6,0x02,0xce,0xcc, 0x97,0x36,0x9c,0x3c,
+ 0x1e,0x69,0x3e,0xdb, 0x54,0x84,0x0a,0x77,
+ 0x6d,0x0b,0x6e,0x10, 0x9f,0xfb,0x2a,0xb1,
+ 0x49,0x31,0x71,0xf2, 0xd1,0x1e,0xea,0x87,
+ 0xb9,0xd6,0x4a,0x4c, 0x57,0x17,0xbc,0x8b,
+ 0x38,0x66,0x2d,0x5f, 0x25,0xca,0x6d,0x10,
+ 0xc6,0x2e,0xd7,0x2c, 0x89,0xf1,0x4c,0x1d,
+ 0xc9,0x9c,0x02,0x23, 0xc6,0x1f,0xd6,0xc3,
+ 0xb8,0xc7,0x85,0x29, 0x75,0x40,0x1e,0x04,
+ 0x6e,0xc7,0xb4,0x60, 0xfc,0xea,0x30,0x8b,
+ 0x4d,0x9d,0xb7,0x5d, 0x91,0xfb,0x8e,0xb8,
+ 0xc2,0x54,0xdf,0xdb, 0x79,0x58,0x32,0xda,
+ 0xd0,0xa1,0xd6,0xd6, 0xc4,0xc8,0xa4,0x16,
+ 0x95,0xbb,0xe5,0x58, 0xd2,0xb6,0x83,0x76,
+ 0x1d,0xd7,0x45,0xbc, 0xb8,0x14,0x79,0x3b,
+ 0x4e,0x1a,0x0b,0x5c, 0xfc,0xa5,0xa0,0xc3,
+ 0xf1,0x64,0x74,0xb0, 0x0d,0x82,0x90,0x62,
+ 0x87,0x02,0x0f,0x71, 0xc7,0xab,0x7d,0x2b,
+ 0x70,0xf1,0x9b,0x9e, 0xe7,0x6b,0x99,0x18,
+ 0x6c,0x54,0x17,0x0b, 0xf5,0x44,0x58,0x54,
+ 0x44,0x9b,0x54,0x30, 0x5e,0xaf,0xa6,0xfa,
+ 0x42,0x37,0xe8,0x67, 0xbf,0xf7,0x6c,0x1e,
+ 0x73,0xd8,0xc7,0x5c, 0xfa,0x51,0xd5,0x1f,
+ 0xab,0xfc,0x91,0x03, 0xc1,0xc1,0x22,0x58,
+ 0xc7,0xe8,0x60,0xae, 0xb6,0x58,0x44,0xad,
+ 0x1e,0x07,0x5d,0x3c, 0x90,0x33,0x43,0xe0,
+ 0x67,0x44,0x9f,0x8c, 0xf3,0xef,0xce,0x3a,
+ 0x22,0x2b,0x1b,0x97, 0x83,0x6f,0x9f,0xd3,
+ 0x46,0xc3,0xa1,0xdf, 0xde,0x60,0xf0,0x32,
+ 0x2e,0xcf,0xed,0x72, 0x27,0x0d,0xa7,0xd0,
+ 0x91,0x6a,0xf0,0x6d, 0x41,0xfa,0x77,0x2e,
+ 0xd8,0x43,0xce,0xe2, 0xf5,0x7a,0x9e,0x04,
+ 0x30,0x4c,0xe7,0x08, 0xf3,0x2e,0x13,0x05,
+ 0x5e,0xfa,0x16,0x2c, 0x6c,0x53,0x02,0xb5,
+ 0x2f,0x2c,0x7d,0x86, 0x61,0x0e,0x5f,0x96,
+ 0xe1,0x1c,0x37,0x87, 0xf0,0x84,0xe4,0x1d,
+ 0x53,0x4d,0xb1,0x13, 0xe2,0xcb,0x71,0x6e,
+ 0x86,0x7b,0xad,0x97, 0x3e,0x16,0xb3,0xb4,
+ 0x0f,0x32,0x01,0x69, 0x31,0x1f,0x49,0x99,
+ 0x7a,0x46,0xd9,0x9b, 0x5f,0x17,0x3d,0xcb,
+ 0xe4,0xfd,0xbc,0xbb, 0xe3,0xec,0x8c,0x54,
+ 0xc4,0x14,0x44,0x89, 0xa3,0x65,0x25,0xc0,
+ 0x06,0x9b,0x7d,0x9b, 0x7f,0x15,0x8f,0x84,
+ 0xe1,0x08,0x0d,0x2c, 0x0a,0x91,0x9a,0x85,
+ 0x4e,0xa1,0x50,0xee, 0x72,0x70,0xf4,0xd2,
+ 0x1c,0x67,0x20,0x1f, 0xe6,0xb2,0x9d,0x95,
+ 0x85,0x7e,0xf2,0x9d, 0xf0,0x73,0x10,0xe7,
+ 0xfc,0x62,0x9d,0xea, 0x8d,0x63,0xdc,0x70,
+ 0xe0,0x2b,0x30,0x01, 0x7c,0xcd,0x24,0x22,
+ 0x03,0xf9,0x8b,0xe4, 0x77,0xef,0x2c,0xdc,
+ 0xa5,0xfb,0x29,0x66, 0x50,0x1c,0xd7,0x4e,
+ 0x8f,0x0f,0xbf,0x61, 0x0c,0xea,0xc0,0xe6,
+ 0xc6,0xc3,0xa1,0xae, 0xf3,0xea,0x4c,0xfb,
+ 0x21,0x96,0xd1,0x38, 0x64,0xe0,0xdd,0xa8,
+ 0xa4,0xd0,0x33,0x82, 0xf0,0xdd,0x91,0x6e,
+ 0x88,0x27,0xe1,0x0d, 0x8b,0xfb,0xc6,0x36,
+ 0xc5,0x9a,0x9d,0xbc, 0x32,0x8f,0x8a,0x3a,
+ 0xfb,0xd0,0x88,0x1e, 0xe5,0xb8,0x68,0x35,
+ 0x4b,0x22,0x72,0x55, 0x9e,0x77,0x39,0x1d,
+ 0x64,0x81,0x6e,0xfd, 0xe3,0x29,0xb8,0xa5,
+ 0x3e,0xc8,0x4c,0x6f, 0x41,0xc2,0xbd,0xb6,
+ 0x15,0xd1,0xd5,0xe9, 0x77,0x97,0xb6,0x54,
+ 0x9e,0x60,0xdd,0xf3, 0x48,0xdb,0x65,0x04,
+ 0x54,0xa2,0x93,0x12, 0xf0,0x66,0x6c,0xae,
+ 0xa2,0x2c,0xb9,0xeb, 0xf0,0x7c,0x9c,0xae,
+ 0x8e,0x49,0xf5,0x0f, 0xfc,0x4b,0x2a,0xdb,
+ 0xaf,0xff,0x96,0x0d, 0xa6,0x05,0xe9,0x37,
+ 0x81,0x43,0x41,0xb2, 0x69,0x88,0xd5,0x2c,
+ 0xa2,0xa9,0x9b,0xf2, 0xf1,0x77,0x68,0x05,
+ 0x84,0x0f,0x6a,0xee, 0xd0,0xb5,0x65,0x4b,
+ 0x35,0x18,0xeb,0x34, 0xba,0x09,0x4f,0xc3,
+ 0x5a,0xac,0x44,0x5b, 0x03,0xf5,0xf5,0x1d,
+ 0x10,0x04,0xfd,0xb5, 0xc4,0x26,0x84,0x13,
+ 0x8a,0xde,0x8d,0xbb, 0x51,0xd0,0x6f,0x58,
+ 0xc1,0xe5,0x9e,0x12, 0xe6,0xba,0x13,0x73,
+ 0x27,0x3e,0x3f,0xf0, 0x4f,0x0f,0x64,0x6c,
+ 0x0e,0x36,0xe9,0xcc, 0x38,0x93,0x9b,0xda,
+ 0xf9,0xfd,0xc2,0xe9, 0x44,0x7a,0x93,0xa6,
+ 0x73,0xf6,0x2a,0xc0, 0x21,0x42,0xbc,0x58,
+ 0x9e,0xe3,0x0c,0x6f, 0xa1,0xd0,0xdd,0x67,
+ 0x14,0x3d,0x49,0xf1, 0x5b,0xc3,0xc3,0xa4,
+ 0x52,0xa3,0xe7,0x0f, 0xb4,0x26,0xf4,0x62,
+ 0x73,0xf5,0x9f,0x75, 0x5b,0x6e,0x38,0xc8,
+ 0x4a,0xcc,0xf6,0xfa, 0xcf,0xfb,0x28,0x02,
+ 0x8a,0xdb,0x6b,0x63, 0x52,0x17,0x94,0x87,
+ 0x71,0xa2,0xf5,0x5a, 0x1d,0x94,0xe3,0xcd,
+ 0x28,0x70,0x96,0xd5, 0xb1,0xaf,0xec,0xd6,
+ 0xea,0xf4,0xfc,0xe9, 0x10,0x66,0xd9,0x8a,
+ 0x1e,0x03,0x03,0xf1, 0x54,0x2d,0xc5,0x8c,
+ 0x85,0x71,0xed,0xa7, 0xa4,0x1e,0x5a,0xff,
+ 0xab,0xb8,0x07,0xb3, 0x0b,0x84,0x00,0x0a,
+ 0x7f,0xa5,0x38,0x20, 0x66,0x33,0x84,0x2f,
+ 0xec,0x16,0x94,0x78, 0xa8,0x42,0x98,0x55,
+ 0xa3,0xe5,0xd3,0x62, 0x2a,0xfc,0xed,0xec,
+ 0x7a,0x96,0x41,0x35, 0xc0,0xd2,0xe6,0x53,
+ 0xf8,0x0f,0x59,0x94, 0x0a,0xa0,0x50,0xef,
+ 0x0d,0x9f,0x04,0x1c, 0x5f,0x48,0xfe,0x33,
+ 0x20,0xca,0x8d,0x09, 0xdd,0x0b,0xf8,0x59,
+ 0xd3,0x63,0x8a,0xa4, 0xf5,0x73,0x6b,0x3e,
+ 0x7e,0x0f,0xff,0xdb, 0x96,0x62,0x4d,0x3a,
+ 0xdb,0x8d,0x8c,0x9b, 0x8c,0xb3,0xa1,0xff,
+ 0x16,0xb9,0x2c,0x8c, 0xf6,0xbb,0x0d,0x9e,
+ 0x6f,0xff,0x24,0x6f, 0x59,0xee,0x02,0xe6,
+ 0x57,0x38,0xbd,0x5f, 0xbd,0xd4,0xe5,0x74,
+ 0x14,0xea,0x85,0xbb, 0x0c,0xfe,0xad,0xad,
+ 0x98,0x82,0x8a,0x81, 0x0b,0x37,0xdc,0x7d,
+ 0xda,0x13,0x74,0x8a, 0xa5,0xaf,0x74,0x82,
+ 0x95,0x35,0x1f,0x0b, 0x03,0x88,0x17,0xf3,
+ 0x67,0x11,0x40,0xd1, 0x9d,0x48,0xec,0x9b,
+ 0xc8,0xb2,0xcc,0xb4, 0x93,0xd2,0x0b,0x0a,
+ 0xd6,0x6f,0x34,0x32, 0xd1,0x9a,0x0d,0x89,
+ 0x93,0x1f,0x96,0x5a, 0x7a,0x57,0x06,0x02,
+ 0x1d,0xbf,0x57,0x3c, 0x9e,0xca,0x5d,0x68,
+ 0xe8,0x4e,0xea,0x4f, 0x0b,0x11,0xf0,0x35,
+ 0x73,0x5a,0x77,0x24, 0x29,0xc3,0x60,0x51,
+ 0xf0,0x15,0x93,0x45, 0x6b,0xb1,0x70,0xe0,
+ 0xda,0xf7,0xf4,0x0a, 0x70,0xd1,0x73,0x3f,
+ 0x9c,0x9d,0x07,0x19, 0xad,0xb2,0x28,0xae,
+ 0xf2,0xe2,0xb6,0xf4, 0xbc,0x71,0x63,0x00,
+ 0xde,0xe3,0xdc,0xb1, 0xa3,0xd5,0x4c,0x34,
+ 0xf8,0x6b,0x68,0x4c, 0x73,0x84,0xab,0xd4,
+ 0x89,0xae,0x07,0x1a, 0x0d,0x3d,0x8e,0xaa,
+ 0x6c,0xa2,0x54,0xb3, 0xd9,0x46,0x81,0x87,
+ 0xe2,0xdc,0x49,0xb1, 0x14,0x5c,0xcc,0x72,
+ 0x56,0xf0,0x0f,0xa9, 0x3d,0x31,0x2f,0x08,
+ 0xbc,0x15,0xb7,0xd3, 0x0d,0x4f,0xd1,0xc9,
+ 0x4e,0xde,0x1c,0x03, 0xd1,0xae,0xaf,0x14,
+ 0x62,0xbc,0x1f,0x33, 0x5c,0x00,0xeb,0xf4,
+ 0x8e,0xf6,0x3e,0x13, 0x6a,0x64,0x42,0x07,
+ 0x60,0x71,0x35,0xf1, 0xd0,0xff,0x8d,0x1f,
+ 0x88,0xc0,0x1c,0x3c, 0x6c,0x1c,0x54,0x71,
+ 0x6b,0x65,0x4a,0xe2, 0xe3,0x5f,0x77,0x56,
+ 0x1c,0x8d,0x2a,0x8d, 0xef,0x92,0x4a,0xa9,
+ 0xf6,0xcf,0xa5,0x67, 0x89,0x8e,0x5a,0xd9,
+ 0x60,0xaa,0x94,0x14, 0x55,0x66,0x8a,0xb0,
+ 0x18,0x4f,0x9e,0x8e, 0xf4,0xdb,0xc1,0x88,
+ 0x9b,0xf0,0x84,0x33, 0x2f,0xcd,0x2c,0xeb,
+ 0x65,0xe6,0x5d,0xde, 0x30,0x97,0xad,0xe6,
+ 0xbc,0xcb,0x83,0x93, 0xf3,0xfd,0x65,0xdc,
+ 0x07,0x27,0xf9,0x0f, 0x4a,0x56,0x5c,0xf7,
+ 0xff,0xa3,0xd1,0xad, 0xd4,0xd1,0x38,0x13,
+ 0x71,0xc9,0x42,0x0f, 0x0d,0x35,0x12,0x32,
+ 0xd2,0x2d,0x2b,0x96, 0xe4,0x01,0xdc,0x55,
+ 0xd8,0x71,0x2c,0x0c, 0xc4,0x55,0x3f,0x16,
+ 0xe8,0xaa,0xe7,0xe8, 0x45,0xfa,0x23,0x23,
+ 0x5e,0x21,0x02,0xab, 0xc8,0x6b,0x88,0x5e,
+ 0xdc,0x90,0x13,0xb5, 0xe7,0x47,0xfa,0x12,
+ 0xd5,0xa7,0x0a,0x06, 0xd2,0x7c,0x62,0x80,
+ 0xb7,0x8e,0x4f,0x77, 0x88,0xb7,0xa2,0x12,
+ 0xdb,0x19,0x1f,0xd8, 0x00,0x82,0xf5,0xf2,
+ 0x59,0x34,0xec,0x91, 0xa8,0xc1,0xd7,0x6e,
+ 0x76,0x10,0xf3,0x15, 0xa6,0x86,0xfa,0xfd,
+ 0x45,0x2f,0x86,0x18, 0x16,0x83,0x16,0x8c,
+ 0x6e,0x99,0x7e,0x43, 0x3f,0x0a,0xba,0x32,
+ 0x94,0x5b,0x15,0x32, 0x66,0xc2,0x3a,0xdc,
+ 0xf3,0xd3,0x1d,0xd1, 0x5d,0x6f,0x5f,0x9a,
+ 0x7f,0xa2,0x90,0xf1, 0xa1,0xd0,0x17,0x33,
+ 0xdf,0x9a,0x2e,0xa2, 0xdc,0x89,0xe6,0xb0,
+ 0xda,0x23,0x2b,0xf6, 0xe9,0x1f,0x82,0x3c,
+ 0x07,0x90,0xab,0x3a, 0xb9,0x87,0xb0,0x02,
+ 0xcc,0xb9,0xe7,0x2e, 0xe7,0xc6,0xee,0xfa,
+ 0xe2,0x16,0xc8,0xc3, 0xd0,0x40,0x15,0xc5,
+ 0xa7,0xc8,0x20,0x42, 0xb7,0x09,0xf8,0x66,
+ 0xeb,0x0e,0x4b,0xd7, 0x91,0x74,0xa3,0x8b,
+ 0x17,0x2a,0x0c,0xee, 0x7f,0xc1,0xea,0x63,
+ 0xc6,0x3c,0x1e,0xea, 0x8b,0xa2,0xd1,0x2e,
+ 0xf3,0xa6,0x0f,0x36, 0xff,0xdd,0x81,0x06,
+ 0xe3,0x63,0xfc,0x0c, 0x38,0xb0,0x23,0xfb,
+ 0x83,0x66,0x81,0x73, 0x5c,0x0b,0x9c,0xd4,
+ 0x23,0xdc,0x7f,0x5c, 0x00,0x8c,0xa6,0xa7,
+ 0x52,0xd4,0xc1,0x00, 0xea,0x99,0x6b,0x59,
+ 0x19,0x8e,0x34,0x32, 0x24,0xea,0x0c,0x61,
+ 0x95,0x9d,0xdb,0xf0, 0x63,0xcc,0xa9,0xfd,
+ 0x1b,0xeb,0xd7,0xbc, 0x0c,0xa4,0x74,0x24,
+ 0xfd,0xfa,0x32,0x58, 0xe3,0x74,0x1c,0x8f,
+ 0x76,0xa6,0x53,0x0d, 0xea,0xde,0x50,0x92,
+ 0xbd,0x3f,0x3d,0x56, 0x8f,0x48,0x4e,0xb7,
+ 0x8c,0x5e,0x83,0x2c, 0xf7,0xec,0x04,0x2c,
+ 0x35,0xdf,0xa9,0x72, 0xc0,0x77,0xf5,0x44,
+ 0xe5,0xa7,0x56,0x3e, 0xa4,0x8d,0xb8,0x6e,
+ 0x31,0x86,0x15,0x1d, 0xc4,0x66,0x86,0x75,
+ 0xf8,0x1a,0xea,0x2f, 0x3a,0xb7,0xbf,0x97,
+ 0xe9,0x11,0x53,0x64, 0xa8,0x71,0xc6,0x78,
+ 0x8a,0x70,0xb5,0x18, 0xd7,0x9c,0xe3,0x44,
+ 0x1a,0x7c,0x6b,0x1b, 0x41,0xe1,0x1c,0x0d,
+ 0x98,0x43,0x67,0x28, 0xb8,0x14,0xb4,0x48,
+ 0x01,0x85,0x79,0x20, 0x94,0x36,0x25,0x3a,
+ 0x5c,0x48,0xd2,0x2e, 0x91,0x91,0xfd,0x85,
+ 0x38,0xc1,0xc5,0xa5, 0x4d,0x52,0x1f,0xb4,
+ 0xe7,0x44,0x7a,0xff, 0xb1,0x65,0xdf,0x53,
+ 0x86,0x2a,0xff,0x25, 0x2b,0xeb,0x3e,0xdc,
+ 0x3d,0xec,0x72,0xae, 0xa9,0xd1,0xdf,0xe9,
+ 0x4a,0x3e,0xe8,0xf1, 0x74,0xe0,0xee,0xd6,
+ 0x0b,0xba,0x9b,0x14, 0x9b,0x0c,0x4a,0xf9,
+ 0x55,0xee,0x7e,0x82, 0xa4,0xb5,0xa5,0xb7,
+ 0x2f,0x75,0x48,0x51, 0x60,0xcc,0x41,0x8e,
+ 0x65,0xe3,0xb7,0x29, 0xe0,0x32,0xe7,0x1b,
+ 0x2f,0xa0,0x80,0xce, 0x73,0x28,0x6c,0xf4,
+ 0xd0,0xc7,0x05,0x69, 0xbd,0x3e,0x2e,0x77,
+ 0x1a,0x7f,0x9a,0x98, 0x60,0x31,0xdb,0x47,
+ 0xc2,0xa2,0x12,0xcb, 0x8c,0x35,0xff,0x58,
+ 0xe3,0x07,0x22,0xe4, 0x2f,0x26,0x87,0x30,
+ 0x16,0xea,0x64,0x4f, 0x44,0x64,0x3d,0xe4,
+ 0x7b,0x41,0x06,0xca, 0xee,0x02,0xcf,0xf3,
+ 0x26,0x4c,0xfe,0x9c, 0xf6,0x64,0x96,0xd4,
+ 0xd9,0x7e,0x04,0x47, 0x1d,0xdb,0xc7,0x8c,
+ 0xae,0xd7,0x9d,0xea, 0xe3,0x3a,0xee,0x24,
+ 0xa9,0x2d,0x65,0xba, 0xd5,0x9f,0x38,0x81,
+ 0x61,0x42,0x15,0xdf, 0xcc,0x29,0xd9,0xf7,
+ 0xd4,0x30,0xb9,0xc9, 0x86,0x76,0xdc,0xee,
+ 0xa5,0x27,0xa6,0x27, 0xa3,0xbb,0x8f,0x3b,
+ 0xaa,0xca,0x01,0x52, 0x37,0x12,0xc0,0x55,
+ 0x39,0x4a,0xb2,0xce, 0x85,0x73,0xf2,0x10,
+ 0x9c,0x7f,0xa6,0x34, 0x7f,0x0f,0x69,0x63,
+ 0x03,0xc4,0xde,0xe2, 0x7b,0x10,0xbf,0x91,
+ 0x3e,0x7e,0xad,0xb7, 0xa8,0x85,0xc7,0x99,
+ 0xae,0x8e,0x7c,0x2e, 0x02,0x25,0x5b,0xd5,
+ 0xf4,0x46,0xd1,0x49, 0x48,0xa0,0x12,0x6a,
+ 0x6a,0x01,0x23,0xb9, 0x7e,0x67,0x8b,0x48,
+ 0xac,0xf7,0x88,0x88, 0xeb,0xd9,0x39,0x3a,
+ 0xc8,0xa0,0x06,0xd9, 0x0b,0x80,0xc4,0x84,
+ },
+ .c = {
+ 0x10,0x46,0xb6,0xc8, 0xaa,0x83,0x67,0x7b,
+ 0xc5,0x9a,0x9a,0x0d, 0xe2,0xec,0x6f,0x9a,
+ 0x3e,0x74,0xa7,0xfa, 0x43,0x93,0x9d,0xc5,
+ 0x23,0x27,0xad,0x99, 0x74,0xb4,0xc0,0xe4,
+ 0xd7,0x70,0x5c,0x95, 0x58,0xe3,0x8f,0x72,
+ 0xe3,0x03,0x3d,0xc2, 0xd9,0x69,0x37,0x3e,
+ 0x8e,0x2a,0x0c,0x2b, 0x75,0x59,0x05,0x18,
+ 0x4a,0x50,0x67,0xd4, 0xf5,0x4b,0xb0,0x59,
+ 0x08,0xaf,0xbc,0x6f, 0xb1,0x95,0xa1,0x32,
+ 0xe7,0x77,0x1a,0xfd, 0xaf,0xe8,0x4d,0x32,
+ 0x87,0x9c,0x87,0x90, 0x5e,0xe8,0x08,0xc3,
+ 0xb4,0x0c,0x80,0x9a, 0x9e,0x23,0xeb,0x5a,
+ 0x5c,0x18,0x4a,0x7c, 0xd0,0x4a,0x91,0x57,
+ 0x7e,0x6c,0x53,0xde, 0x98,0xc0,0x09,0x80,
+ 0x8d,0x41,0x0b,0xbc, 0x56,0x5e,0x69,0x61,
+ 0xd3,0x56,0x48,0x43, 0x19,0x49,0x49,0xaf,
+ 0xcf,0xad,0x98,0x3e, 0x88,0x4b,0x44,0x69,
+ 0x73,0xd2,0xcb,0xdf, 0x30,0xdb,0x76,0x1d,
+ 0xfb,0x4b,0xc5,0x66, 0x22,0x34,0x6f,0x07,
+ 0x0b,0xcd,0x1c,0xed, 0x88,0xd9,0x0d,0x30,
+ 0xe9,0x96,0xcb,0xf5, 0xde,0x57,0x5f,0x0b,
+ 0x12,0x11,0xcf,0x52, 0xf5,0x0d,0xf8,0x29,
+ 0x39,0x87,0xb2,0xa5, 0x7f,0x7a,0x2b,0x9d,
+ 0x66,0x11,0x32,0xf4, 0xd4,0x37,0x16,0x75,
+ 0xe3,0x0b,0x55,0x98, 0x44,0x6f,0xc7,0x5c,
+ 0xd4,0x89,0xf8,0xb3, 0xee,0xe4,0x5e,0x45,
+ 0x34,0xc2,0xc0,0xef, 0xdd,0x4d,0xbb,0xb4,
+ 0x0a,0x7b,0xda,0xe3, 0x6e,0x41,0xe1,0xb4,
+ 0x73,0xf8,0x9b,0x65, 0x1c,0x5f,0xdf,0x9c,
+ 0xd7,0x71,0x91,0x72, 0x6f,0x9e,0x8f,0x96,
+ 0x5d,0x45,0x11,0xd1, 0xb9,0x99,0x63,0x50,
+ 0xda,0x36,0xe9,0x75, 0x21,0x9a,0xce,0xc5,
+ 0x1a,0x8a,0x12,0x81, 0x8b,0xeb,0x51,0x7c,
+ 0x00,0x5f,0x58,0x5a, 0x3e,0x65,0x10,0x9e,
+ 0xe3,0x9e,0xf0,0x6b, 0xfe,0x49,0x50,0x2a,
+ 0x2a,0x3b,0xa5,0x42, 0x1b,0x15,0x2b,0x5b,
+ 0x88,0xb8,0xfb,0x6f, 0x0c,0x5d,0x16,0x76,
+ 0x48,0x77,0x4d,0x22, 0xb9,0xf0,0x0a,0x3f,
+ 0xa6,0xdd,0xc8,0x32, 0xcc,0x98,0x76,0x41,
+ 0x84,0x36,0x24,0x6d, 0x88,0x62,0x65,0x40,
+ 0xa4,0x55,0xdc,0x39, 0x74,0xed,0x0f,0x50,
+ 0x08,0xcf,0x69,0x5f, 0x1d,0x31,0xd6,0xb4,
+ 0x39,0x94,0x5b,0x18, 0x88,0x0f,0xcb,0x56,
+ 0xfb,0xf7,0x19,0xe0, 0x80,0xe0,0x4f,0x67,
+ 0x9c,0xab,0x35,0x78, 0xc9,0xca,0x95,0xfa,
+ 0x31,0xf0,0x5f,0xa6, 0xf9,0x71,0xbd,0x7f,
+ 0xb1,0xe2,0x42,0x67, 0x9d,0xfb,0x7f,0xde,
+ 0x41,0xa6,0x7f,0xc7, 0x7f,0x75,0xd8,0x8d,
+ 0x43,0xce,0xe6,0xeb, 0x74,0xee,0x4e,0x35,
+ 0xbc,0x7b,0x7c,0xfc, 0x8b,0x4f,0x1f,0xa2,
+ 0x5e,0x34,0x3b,0x5f, 0xd0,0x05,0x9d,0x4f,
+ 0xfe,0x47,0x59,0xa3, 0xf6,0xb7,0x27,0xb0,
+ 0xa1,0xec,0x1d,0x09, 0x86,0x70,0x48,0x00,
+ 0x03,0x0a,0x15,0x98, 0x2e,0x6d,0x48,0x2a,
+ 0x81,0xa2,0xde,0x11, 0xe4,0xde,0x8b,0xb0,
+ 0x06,0x28,0x03,0x82, 0xe4,0x6e,0x40,0xfb,
+ 0x3c,0x35,0x2d,0x1b, 0x62,0x56,0x87,0xd4,
+ 0xd6,0x06,0x36,0xce, 0x70,0x26,0x2f,0x21,
+ 0xf5,0x47,0x3f,0xf8, 0x57,0x17,0xa9,0x15,
+ 0x30,0xfd,0x1f,0xa6, 0x7a,0x24,0x1c,0xf8,
+ 0x33,0xf3,0xef,0xe1, 0x6c,0xb5,0x0b,0x04,
+ 0x21,0x5d,0xb5,0xff, 0x4f,0xdb,0xd1,0x3d,
+ 0x8f,0x01,0x56,0x7f, 0x0b,0xa4,0xf1,0xf9,
+ 0xdd,0xa3,0x38,0xcb, 0xa9,0xd3,0xdd,0xe3,
+ 0x29,0x5b,0x2b,0x22, 0xd7,0xe8,0x4f,0x02,
+ 0xb1,0x73,0x83,0x80, 0xda,0xd0,0x8e,0x11,
+ 0x9f,0x4d,0xd4,0x0a, 0x86,0x45,0x11,0xa1,
+ 0x9e,0x2e,0xa9,0x59, 0x6d,0x95,0x49,0xc5,
+ 0xc9,0xcd,0x7c,0x71, 0x81,0xac,0x6b,0xb8,
+ 0x1b,0x94,0xe8,0xe3, 0xb2,0xb7,0x8a,0x9b,
+ 0xda,0x5b,0xb7,0xc6, 0x00,0xcb,0x40,0x47,
+ 0x0c,0x38,0x75,0xb8, 0xba,0x6f,0x2b,0x9d,
+ 0x01,0xf3,0xf2,0xc8, 0xf7,0xde,0xcf,0xfb,
+ 0x82,0xa8,0x8f,0x10, 0x75,0x0e,0x27,0xc5,
+ 0x4b,0x9f,0xfe,0x1d, 0x60,0x84,0x69,0x96,
+ 0xac,0xb1,0xd3,0xdd, 0x07,0x4c,0x50,0x94,
+ 0xb1,0x17,0x53,0x23, 0x98,0xbf,0x22,0xf9,
+ 0x2c,0xb0,0x3f,0x62, 0x16,0xa7,0x8f,0xea,
+ 0x43,0x25,0xfb,0x21, 0x18,0xec,0x1a,0xf6,
+ 0x5e,0x64,0xbd,0x3d, 0xcf,0x27,0xf5,0x02,
+ 0xf2,0xaf,0x1b,0x2d, 0x2c,0xcb,0xaa,0x6d,
+ 0x7d,0xa0,0xae,0x31, 0x05,0x51,0x80,0x7f,
+ 0x99,0xcf,0xbd,0x0f, 0x12,0x5a,0xda,0x4a,
+ 0x56,0x22,0xd4,0x22, 0x95,0x2c,0x46,0x5a,
+ 0xb3,0x5a,0x5e,0xd4, 0x27,0x7f,0x06,0xbd,
+ 0x3c,0xf6,0xf2,0x0f, 0x9d,0xbb,0x0c,0x14,
+ 0x8c,0xb1,0x72,0xf2, 0xb0,0xaf,0xda,0xf7,
+ 0x05,0x33,0x78,0x9c, 0x79,0xe9,0xe0,0xc5,
+ 0x8c,0x4b,0x23,0x65, 0xd1,0x70,0x81,0x3d,
+ 0x74,0xfa,0xb6,0xff, 0xf2,0x65,0x21,0x3f,
+ 0xe4,0xc2,0x9e,0x9d, 0x49,0x0e,0xad,0xaf,
+ 0xc2,0x21,0x18,0xa8, 0x19,0xa8,0x69,0x32,
+ 0xcb,0x8e,0xc2,0x9d, 0xf5,0xbd,0x50,0x60,
+ 0x72,0xa2,0xa6,0xad, 0xe6,0x6b,0xd2,0x01,
+ 0x52,0xf9,0xac,0x18, 0xfa,0xe8,0x8d,0x4a,
+ 0x98,0x25,0xd3,0xa8, 0x0e,0x97,0x2d,0xa3,
+ 0xf6,0xf1,0x34,0x7c, 0xf0,0x15,0x06,0x05,
+ 0x31,0xdf,0xc7,0x86, 0x54,0xfb,0x62,0xe2,
+ 0xd5,0x3b,0x72,0xd2, 0x70,0x7c,0x3c,0x62,
+ 0x2f,0xbd,0x47,0x0d, 0x20,0x97,0xf5,0x1f,
+ 0xa1,0xe8,0x4c,0x3e, 0x13,0xec,0xb3,0xcc,
+ 0xc9,0x15,0x01,0x23, 0xe5,0x1f,0x3b,0x2e,
+ 0xc5,0xdd,0x71,0xe3, 0xfa,0x6a,0x44,0x07,
+ 0x25,0x64,0xa5,0xa5, 0x16,0x64,0x14,0xb8,
+ 0x86,0xb1,0xae,0x6f, 0xc5,0xdb,0x6b,0xfa,
+ 0x0f,0x8f,0xc5,0x89, 0x57,0x52,0xeb,0xb3,
+ 0xca,0x4e,0x23,0xac, 0xbd,0xad,0xf5,0x77,
+ 0x58,0x72,0x18,0x2c, 0xb8,0x37,0x0b,0xfd,
+ 0xfd,0x04,0x49,0x4a, 0x7b,0x11,0x82,0x1b,
+ 0xc4,0x5f,0x54,0x46, 0x97,0xe9,0xac,0x64,
+ 0xa7,0x13,0x04,0x56, 0x5a,0x3b,0x17,0x2c,
+ 0x08,0xff,0xa4,0xe2, 0xe4,0x43,0x05,0xfa,
+ 0x94,0x3a,0xbc,0x24, 0xec,0xa8,0x89,0x02,
+ 0xd0,0xbc,0xcf,0x4a, 0xef,0x0f,0x90,0x50,
+ 0xfb,0x6a,0x25,0x4f, 0xdb,0x67,0x5b,0xd8,
+ 0xa1,0x1e,0x95,0x4d, 0xe5,0xd6,0xf3,0x22,
+ 0x2e,0x6f,0x01,0x50, 0xd8,0x2f,0x91,0x47,
+ 0x82,0x0e,0xae,0x18, 0xbf,0x3a,0xc9,0x5a,
+ 0x71,0xcf,0x5e,0xbf, 0x9e,0xec,0x1d,0x11,
+ 0x96,0x33,0x32,0x5e, 0x5e,0xee,0xc8,0xee,
+ 0x52,0x03,0xbc,0x8d, 0x97,0xd2,0x55,0xc5,
+ 0xaf,0x52,0xb0,0x55, 0x8f,0xb8,0x9b,0x83,
+ 0x60,0x9f,0x60,0x92, 0x47,0x1d,0xf2,0x6e,
+ 0xd1,0x93,0xfe,0xc2, 0x77,0x8c,0xb6,0x49,
+ 0x5e,0x3e,0xdb,0xb9, 0x7a,0x58,0x4d,0x18,
+ 0x66,0xc8,0xc2,0x67, 0xf8,0x37,0x7d,0x06,
+ 0x50,0xcc,0x42,0xab, 0x08,0x27,0x8e,0x81,
+ 0x6f,0xb3,0x03,0xbd, 0x41,0x11,0xeb,0x13,
+ 0xf1,0xaf,0xee,0x56, 0xae,0xb3,0x36,0x41,
+ 0xb8,0xc9,0x0a,0x96, 0x88,0x1d,0x98,0x25,
+ 0xc6,0x45,0xeb,0x76, 0x07,0xc1,0xfe,0xae,
+ 0xbc,0x26,0x1f,0xc4, 0x5f,0x70,0x0c,0xae,
+ 0x70,0x00,0xcf,0xc6, 0x77,0x5c,0x9c,0x24,
+ 0x8b,0x4b,0x83,0x32, 0x09,0xb7,0xb1,0x43,
+ 0x4a,0x01,0x42,0x04, 0x4d,0xca,0x5f,0x4e,
+ 0x9b,0x2b,0xa9,0xcb, 0x99,0x0b,0x0e,0x57,
+ 0x09,0xd6,0xe2,0xa0, 0xc1,0x12,0x79,0xf2,
+ 0x6f,0xe1,0x6c,0x7f, 0x0a,0x1a,0xec,0xc1,
+ 0x82,0x4a,0xf8,0x98, 0x22,0xc9,0x81,0x81,
+ 0x5d,0xf8,0x7d,0x9d, 0x86,0x97,0xdd,0x9e,
+ 0x8a,0xb5,0xce,0x6c, 0xfb,0x06,0xc3,0x8a,
+ 0x0d,0x53,0xda,0x12, 0x0c,0x4b,0x6f,0xa0,
+ 0x3f,0x8d,0xc3,0x07, 0x27,0x10,0xaf,0xc5,
+ 0x27,0xfe,0x64,0x17, 0x18,0xa5,0x3a,0xfe,
+ 0x9b,0x91,0xae,0xd0, 0x2d,0x34,0x34,0x9e,
+ 0x9f,0x31,0x5d,0x3e, 0x4c,0x26,0x1e,0xcb,
+ 0x62,0x05,0xd2,0x83, 0x8d,0x71,0xb8,0x57,
+ 0xef,0x3a,0x94,0xb3, 0x3a,0x67,0x1b,0x21,
+ 0x33,0x1f,0x7f,0x10, 0xd8,0xd7,0x89,0x1b,
+ 0x4f,0x51,0x74,0x97, 0x4a,0x0e,0x74,0x59,
+ 0x74,0x66,0xef,0xdd, 0x26,0xb6,0xa1,0x53,
+ 0xd4,0x2f,0xd7,0x76, 0x51,0x27,0xcc,0xe4,
+ 0x94,0xe3,0xed,0x26, 0x13,0x4e,0xe8,0x2c,
+ 0x11,0x6e,0xb3,0x63, 0x51,0x36,0x9c,0x91,
+ 0x2d,0x66,0x2c,0x3e, 0x0a,0xf7,0xa4,0x97,
+ 0x70,0x6d,0x04,0xaa, 0x89,0xe8,0x2c,0x5e,
+ 0xdd,0x01,0x46,0xfc, 0x99,0xce,0xe6,0x32,
+ 0x8a,0x85,0xe6,0x07, 0x1e,0x71,0x5d,0x29,
+ 0x07,0x16,0x0e,0xf9, 0xd4,0xdf,0x54,0xb4,
+ 0x7b,0x7b,0x3f,0xe0, 0xeb,0x73,0xe0,0xe1,
+ 0x92,0x51,0x50,0x74, 0xb5,0x6e,0x08,0x7e,
+ 0x57,0x70,0xb2,0x1b, 0x9c,0xf2,0xa2,0x6b,
+ 0x52,0xa3,0x35,0xf7, 0x22,0x40,0xa6,0x11,
+ 0x30,0xd3,0x5b,0x4b, 0x78,0xc9,0xd7,0x84,
+ 0x9a,0x88,0x9a,0x44, 0xb4,0x88,0xfe,0x8c,
+ 0x3f,0x10,0xab,0xc7, 0xc9,0xb6,0x59,0x9a,
+ 0xf3,0xe6,0xe6,0x4d, 0xea,0x3e,0xe0,0xeb,
+ 0x9e,0xb4,0x41,0xf6, 0xcb,0xfc,0x04,0x73,
+ 0x7d,0xc8,0x00,0xc6, 0xf2,0x10,0x00,0xcf,
+ 0x59,0xed,0x05,0x2a, 0x6a,0xde,0x7a,0xdf,
+ 0x7d,0xa9,0x25,0xc8, 0x6e,0x08,0x60,0xf9,
+ 0xd8,0x23,0x9b,0x20, 0xe5,0x93,0x9c,0x90,
+ 0x3d,0xe0,0xd0,0x33, 0x2d,0xce,0x86,0x93,
+ 0xdc,0xb3,0x9c,0x40, 0x33,0x9a,0xf0,0x71,
+ 0x47,0x0e,0xc4,0xb9, 0x58,0xc4,0x36,0xf1,
+ 0x4c,0x82,0xcf,0x91, 0x9f,0x16,0xce,0x43,
+ 0x58,0x72,0x54,0x51, 0x0d,0x8e,0x1e,0x3d,
+ 0x5e,0x67,0x7e,0x96, 0x6e,0x12,0xb8,0xee,
+ 0x1f,0x8b,0x15,0x3b, 0x49,0x95,0x2f,0xd9,
+ 0xec,0x63,0x56,0xec, 0x4e,0x88,0x37,0x2f,
+ 0xa7,0xd5,0xe5,0x4a, 0x97,0x1f,0x6f,0xa0,
+ 0x40,0x68,0x69,0xee, 0x6a,0xc6,0xbe,0x83,
+ 0xba,0x69,0xb8,0x08, 0x0a,0x5c,0x2f,0xd2,
+ 0x3e,0x3b,0x73,0x40, 0x9c,0x62,0xcc,0xe1,
+ 0x99,0x44,0xa2,0xaa, 0xb8,0xe9,0x48,0xf4,
+ 0x79,0x07,0xe8,0xe8, 0x16,0x99,0x84,0x7b,
+ 0x3d,0x53,0xb2,0x5d, 0x2d,0xa4,0xb0,0x12,
+ 0xb9,0xa9,0x0d,0x77, 0x98,0xa1,0x98,0x90,
+ 0x4e,0xe2,0x14,0xd4, 0x15,0x35,0xd0,0x85,
+ 0xbf,0xa1,0x0f,0x54, 0x05,0xa0,0x90,0x2a,
+ 0x74,0xe3,0xd3,0x1b, 0x5e,0x16,0x07,0xcf,
+ 0x36,0xbd,0xea,0x9b, 0x2d,0x35,0x47,0xea,
+ 0xea,0xb7,0xd1,0xda, 0x66,0x47,0x42,0x47,
+ 0x4e,0x76,0xe5,0x90, 0x0c,0x82,0x15,0x3f,
+ 0x17,0x1b,0xa6,0x04, 0xb6,0x58,0x67,0x42,
+ 0xfb,0x19,0x2a,0xc2, 0xd7,0x6a,0x48,0x36,
+ 0x87,0x53,0x90,0x95, 0x53,0xb7,0xf1,0xbe,
+ 0x0d,0x9f,0xa3,0x74, 0x5f,0x3d,0x89,0xef,
+ 0x29,0x07,0xe1,0xc1, 0x13,0xe0,0xc7,0xf6,
+ 0x53,0xc2,0xe5,0x7e, 0x96,0xdf,0x1f,0x12,
+ 0x98,0xd6,0x7b,0x2d, 0xdb,0x3e,0x01,0x03,
+ 0x05,0xbe,0x66,0x29, 0x42,0xeb,0x5d,0xab,
+ 0xa8,0x13,0x78,0x7f, 0x1e,0x0e,0xfd,0x7f,
+ 0xf1,0xd2,0x59,0xb2, 0x46,0x13,0x1c,0xb8,
+ 0x42,0x4f,0x87,0xb3, 0x26,0x0b,0xed,0x26,
+ 0xb2,0xd5,0x27,0xfc, 0xf1,0xec,0x32,0x66,
+ 0xe1,0x2d,0x27,0x2a, 0xe2,0x80,0xf2,0x72,
+ 0x90,0x3c,0x54,0xfa, 0xaa,0xe6,0x31,0xb0,
+ 0xb7,0xdd,0x97,0x0d, 0x22,0xb5,0x16,0x46,
+ 0x66,0x6d,0x02,0x13, 0x9a,0x7c,0x52,0xfc,
+ 0xf8,0x73,0x0c,0x81, 0xac,0xa3,0x8f,0x40,
+ 0x50,0x2e,0x80,0x3b, 0xb6,0xdf,0x88,0xbb,
+ 0xb5,0xa8,0x13,0xfa, 0xd2,0xd6,0xb8,0x07,
+ 0x47,0x7b,0xa0,0x09, 0x9f,0xc3,0x42,0xab,
+ 0xb8,0xd6,0xca,0xfa, 0x41,0xdc,0x9a,0xb5,
+ 0x96,0xf4,0xfa,0xfd, 0x09,0xca,0x8e,0x47,
+ 0x1d,0x8f,0x8d,0x54, 0x3f,0xbf,0xfd,0x22,
+ 0x30,0x25,0xbd,0xea, 0xb3,0xf6,0x90,0x68,
+ 0x6e,0x2b,0x78,0x8e, 0xc4,0x58,0x1c,0xbd,
+ 0x6b,0x36,0xdc,0x9d, 0x9f,0x27,0xce,0xf6,
+ 0x4f,0x1b,0xeb,0x41, 0x2c,0x07,0xa1,0x1f,
+ 0xaa,0xc3,0x65,0xe0, 0x78,0x85,0x80,0x22,
+ 0x00,0x94,0x1a,0x9f, 0x34,0x2b,0x2b,0x51,
+ 0x94,0x93,0x23,0x20, 0x48,0x2e,0x16,0xd6,
+ 0xdf,0x09,0xa2,0xfa, 0xb8,0x9b,0xf0,0x64,
+ 0x18,0x36,0x78,0xbc, 0xb8,0x5b,0x87,0x90,
+ 0xba,0xd2,0x2e,0x30, 0xe6,0xc5,0xe0,0x0c,
+ 0x81,0x32,0x69,0x9a, 0x8a,0x5a,0x3d,0x6f,
+ 0x06,0xe1,0x3f,0xa9, 0xf2,0x0e,0x21,0xfe,
+ 0x9e,0x63,0x31,0xa9, 0xc3,0x3e,0xb4,0xcd,
+ 0xcb,0x60,0xd9,0x45, 0xc6,0x5f,0xc5,0xca,
+ 0x9e,0xd8,0x40,0x72, 0x39,0x04,0x59,0x2d,
+ 0x4c,0xac,0xdf,0xea, 0x4a,0x78,0xa9,0xd5,
+ 0x87,0xb1,0xd6,0x59, 0x77,0x58,0x4d,0xa7,
+ 0xd3,0x9b,0xfc,0xe3, 0xdd,0x8d,0xf5,0x57,
+ 0x06,0xb3,0x96,0xf1, 0xbe,0xd9,0x07,0x54,
+ 0x36,0xa4,0x8b,0xaa, 0x0b,0xcb,0xd3,0x80,
+ 0x13,0xa6,0x53,0x8e, 0xcc,0x23,0x15,0x02,
+ 0x1e,0x1b,0x2f,0x0a, 0x02,0x5b,0xca,0x50,
+ 0x11,0x28,0x27,0x0e, 0xbe,0xfe,0x76,0x60,
+ 0x1b,0x78,0x58,0x9b, 0xe6,0x0a,0x0a,0xef,
+ 0xa3,0xa5,0x33,0x0d, 0x5b,0x65,0xe1,0x03,
+ 0x38,0xdd,0xf8,0x22, 0x92,0xcd,0x50,0x87,
+ 0x02,0xbc,0x91,0x16, 0xfd,0x05,0x9c,0xcd,
+ 0x72,0xae,0x4c,0xd7, 0xef,0xb3,0x57,0x1a,
+ 0x3f,0x79,0x23,0xfd, 0xf0,0xc3,0xfb,0x68,
+ 0xb4,0xc9,0x93,0x22, 0x33,0xd3,0x01,0x74,
+ 0xe3,0x00,0x31,0xcf, 0x0f,0x23,0xc5,0xf7,
+ 0x09,0x95,0x5a,0xa0, 0x56,0xf9,0xb0,0x20,
+ 0xb1,0xcc,0x8d,0x88, 0xd6,0x27,0x97,0x8d,
+ 0x0e,0xa3,0x3d,0x33, 0x94,0x04,0x44,0x93,
+ 0x67,0x10,0xb6,0xa0, 0x0c,0x2a,0x28,0xd4,
+ 0x1b,0x41,0x86,0xe7, 0x29,0x2c,0x68,0x2a,
+ 0x94,0xf3,0x4f,0x20, 0xa1,0xb4,0x6c,0x9d,
+ 0x85,0x6b,0xa0,0x31, 0xa2,0xbd,0x74,0xf0,
+ 0x0b,0xe5,0x2f,0xb7, 0x8a,0x33,0xd9,0x1f,
+ 0xf2,0xb5,0xad,0x85, 0xc3,0xad,0x47,0x2f,
+ 0x27,0x2a,0xc9,0x32, 0xd8,0xd9,0x05,0xc2,
+ 0x9d,0xbf,0x21,0x88, 0x02,0x05,0x12,0x6e,
+ 0x0f,0xb6,0x64,0x43, 0xa8,0xc3,0x87,0xea,
+ 0xb0,0x81,0x5b,0x51, 0x51,0xf1,0x83,0x7d,
+ 0x94,0x46,0x7f,0x0a, 0x9a,0xef,0xcc,0x68,
+ 0x73,0xef,0x9d,0x3c, 0x0e,0xfc,0x37,0x91,
+ 0xca,0x36,0x2d,0x1d, 0x72,0x7e,0x39,0x9e,
+ 0xad,0xd3,0x55,0x1b, 0x10,0x1e,0xff,0x00,
+ 0xc1,0x45,0x80,0xe7, 0xb4,0xcc,0xc8,0xb0,
+ 0x62,0xbd,0xf9,0xa5, 0x8f,0x05,0xaa,0x3b,
+ 0x86,0x73,0x14,0xf9, 0xee,0x95,0xd0,0xfd,
+ 0x95,0x30,0x68,0x22, 0xc9,0x70,0x66,0x1d,
+ 0x91,0x3f,0xc0,0x19, 0x93,0x07,0x19,0x2d,
+ 0x3c,0x21,0x6b,0xc1, 0x2a,0xeb,0xaa,0xf2,
+ 0xa4,0x45,0x35,0xff, 0x8f,0x24,0x46,0x2c,
+ 0xc8,0x75,0x58,0x68, 0x0f,0x3b,0x87,0x11,
+ 0xcb,0x9f,0xf7,0x28, 0xbd,0x66,0x91,0x01,
+ 0xeb,0x70,0x8e,0x8d, 0xe6,0x01,0xc8,0x48,
+ 0x94,0xfe,0x4e,0xa8, 0xeb,0x90,0xbf,0xd1,
+ 0xcd,0x89,0xc2,0x98, 0x34,0x92,0xf9,0x08,
+ 0xb9,0xbc,0xd4,0x34, 0x1a,0x59,0xcc,0x80,
+ 0x9a,0xe6,0xbc,0xbb, 0x23,0x12,0x9c,0xa4,
+ 0x5b,0x79,0xc6,0x8a, 0xc0,0x03,0x2b,0x16,
+ 0xe5,0x1c,0x0f,0x02, 0x37,0x4f,0x3e,0xc2,
+ 0xf3,0x4d,0x7c,0xcb, 0xde,0x9b,0x66,0x52,
+ 0xf3,0xdd,0x86,0x42, 0x4a,0x81,0x5b,0x96,
+ 0x83,0x2a,0xb1,0x48, 0x31,0x42,0x16,0x16,
+ 0xf8,0x97,0xa3,0x52, 0xeb,0xb6,0xbe,0x99,
+ 0xe1,0xbc,0xa1,0x3a, 0xdd,0xea,0x00,0xfa,
+ 0x11,0x2f,0x0b,0xf8, 0xc7,0xcc,0xba,0x1a,
+ 0xf3,0x36,0x20,0x3f, 0x59,0xea,0xf1,0xc8,
+ 0x08,0xd0,0x6d,0x8e, 0x91,0x1e,0x90,0x91,
+ 0x7b,0x80,0xdc,0xcb, 0x5c,0x94,0x74,0x26,
+ 0xd3,0x5d,0x1a,0x2d, 0xad,0xcf,0xef,0xfa,
+ 0xe9,0xa0,0x17,0xb7, 0x2b,0x7c,0x37,0x83,
+ 0x31,0x78,0x1a,0xcf, 0x04,0xa0,0xe7,0x83,
+ 0x66,0x12,0x4f,0x9d, 0x31,0x6b,0x4d,0xc5,
+ 0x31,0x1b,0x3a,0xd9, 0x79,0x76,0x49,0xc3,
+ 0x19,0xf0,0x3f,0xb5, 0xbc,0x7d,0xa4,0xa7,
+ 0x24,0x44,0x75,0xbb, 0x6d,0x65,0x59,0xf8,
+ 0xe0,0xb9,0xd7,0x29, 0x79,0xce,0x14,0x32,
+ 0xd2,0x3e,0xb8,0x22, 0x4a,0x0a,0x2a,0x6c,
+ 0xb2,0xbd,0xa5,0xd4, 0xc4,0xc5,0x68,0xb3,
+ 0x63,0xe7,0x46,0x05, 0x3a,0x18,0xa5,0xad,
+ 0xcc,0x61,0xc3,0xec, 0x3d,0x42,0xb0,0xa7,
+ 0x23,0x72,0x1e,0x14, 0xd8,0x7e,0x68,0x60,
+ 0xec,0xe9,0x1d,0x5b, 0x1f,0x86,0xda,0x5e,
+ 0x34,0x74,0x00,0xd3, 0x98,0x98,0x7e,0xbd,
+ 0x6a,0x8b,0xd3,0x6f, 0x31,0xf1,0x62,0xb3,
+ 0xa3,0x86,0x95,0x02, 0x76,0x7d,0x58,0xbc,
+ 0xf8,0xb1,0x52,0xc3, 0x0b,0xd5,0x6b,0x74,
+ 0xa5,0x84,0xef,0xf2, 0x31,0xc1,0xe4,0x83,
+ 0x42,0x12,0xb5,0xe7, 0x61,0xdd,0xba,0x43,
+ 0x39,0xf2,0x44,0x0a, 0xb4,0x62,0x06,0x32,
+ 0x5b,0x33,0x67,0x2e, 0x7a,0x93,0x85,0x1a,
+ 0x07,0x36,0x9f,0xab, 0xf7,0x2a,0x6e,0x3d,
+ 0x3e,0xe3,0x59,0x1b, 0xf8,0xd3,0xe8,0x5f,
+ 0xe5,0x24,0xb3,0x59, 0x80,0xd5,0x11,0x14,
+ 0x98,0x3a,0xb4,0x7d, 0x8f,0x37,0x18,0xb2,
+ 0xa7,0x25,0xf4,0x31, 0x74,0x61,0x3a,0x42,
+ 0x62,0x77,0x37,0x3d, 0x72,0x1b,0x67,0x87,
+ 0xb3,0x59,0x4b,0x08, 0x07,0xdb,0x0b,0x57,
+ 0xfd,0x61,0x99,0x28, 0x3b,0xe5,0x7a,0xb4,
+ 0x6c,0x06,0x95,0x65, 0x2c,0x1c,0x41,0x71,
+ 0x21,0xd7,0x94,0x51, 0x1c,0x8d,0xe6,0x38,
+ 0xc5,0x95,0x7f,0x30, 0xd5,0xc5,0xcc,0xd2,
+ 0x03,0x7f,0x69,0x2e, 0xae,0xc7,0x28,0x2e,
+ 0xc6,0xa9,0x28,0x4b, 0x77,0xc3,0xcf,0xa3,
+ 0xc3,0xd3,0x2d,0x43, 0x47,0x87,0xde,0x38,
+ 0xeb,0x3a,0xb6,0xf9, 0xe7,0x3c,0xb6,0x92,
+ 0x19,0x42,0xf8,0xc2, 0x87,0x50,0xed,0xe6,
+ 0x3d,0x2b,0xb5,0xf8, 0x89,0x14,0x42,0xf7,
+ 0x2c,0x7a,0xbe,0xdc, 0x2f,0x5d,0x49,0x83,
+ 0xf5,0x60,0xe0,0xcf, 0xbc,0x23,0x13,0x4f,
+ 0xb3,0x16,0xd7,0x9a, 0xca,0x16,0x8b,0xa5,
+ 0x08,0x80,0xcf,0x21, 0xbb,0xd8,0x32,0x5e,
+ 0x07,0x8a,0xb3,0x48, 0xba,0x99,0xd4,0xd7,
+ 0x6a,0xae,0x4b,0x9b, 0xb4,0xd7,0x2f,0x87,
+ 0xb0,0x0a,0xd1,0x1b, 0xf1,0x8b,0xf6,0x21,
+ 0x81,0x8e,0xc4,0x79, 0x9a,0x5c,0x75,0xbe,
+ 0x87,0x99,0xe5,0x11, 0xf9,0x9a,0xe1,0xf9,
+ 0x76,0xa2,0x92,0xc6, 0xc0,0xd8,0x05,0xc9,
+ 0x7d,0x8c,0x27,0xc2, 0x7f,0xf4,0xe9,0x4f,
+ 0xb7,0xbc,0xa3,0x3e, 0x66,0x3b,0xaf,0xed,
+ 0x7a,0xd9,0x78,0x20, 0x6b,0xd5,0xe1,0xfe,
+ 0xd5,0x06,0x65,0x11, 0x49,0xac,0x22,0x38,
+ 0x02,0x80,0xec,0x91, 0x11,0x18,0x1a,0x61,
+ 0x3c,0x59,0x4e,0x7a, 0xd8,0xca,0xda,0xd4,
+ 0x27,0xbd,0xf4,0x00, 0x9c,0x1b,0xde,0xf3,
+ 0x6c,0x1f,0x20,0x9a, 0x30,0xc9,0x9b,0x3c,
+ 0xe5,0x55,0xb7,0xb3, 0xc8,0x52,0x9c,0x05,
+ 0xad,0xe8,0x13,0x9e, 0x31,0xc2,0x2c,0xd4,
+ 0x3f,0x18,0x00,0xc4, 0xcf,0x08,0x05,0x7b,
+ 0x5e,0x2a,0x8e,0x11, 0x61,0x03,0xc8,0x39,
+ 0x2b,0x54,0x1a,0xd9, 0x08,0x04,0xc6,0xe9,
+ 0xda,0x69,0xb3,0x0c, 0x83,0x44,0xcd,0xe8,
+ 0x50,0x04,0x72,0xa2, 0xb4,0x10,0x17,0x39,
+ 0x68,0x32,0xdb,0xab, 0xe3,0xee,0x57,0x1b,
+ 0x05,0x45,0x1f,0x5a, 0xdc,0xdc,0x56,0x81,
+ 0x98,0x20,0xfe,0x69, 0x0a,0xa4,0xd6,0x9d,
+ 0x25,0xdd,0x7e,0xd0, 0x2b,0x33,0x41,0x75,
+ 0xf6,0x59,0xa8,0xa3, 0x3c,0xdd,0xd9,0x6b,
+ 0xa8,0xcd,0x1d,0x1f, 0xc5,0x78,0x5b,0x93,
+ 0xdf,0x10,0x71,0xeb, 0xcc,0xbd,0x35,0x4c,
+ 0x07,0x21,0x5f,0xb7, 0x47,0x21,0x6d,0x55,
+ 0x8b,0x72,0x0e,0x4a, 0x2c,0x17,0xfc,0x75,
+ 0x21,0xdd,0x76,0xfd, 0x34,0xfc,0x0f,0x1b,
+ 0xa6,0x77,0x53,0xf9, 0xdb,0x09,0x07,0x58,
+ 0xb0,0x18,0x32,0x03, 0x98,0x79,0xdf,0x55,
+ 0xd3,0x95,0xba,0xa9, 0xb6,0x9f,0xad,0xc4,
+ 0x9d,0xba,0x76,0x36, 0x47,0xb1,0xde,0x78,
+ 0x18,0xa0,0x2f,0x16, 0x41,0xeb,0x4a,0x96,
+ 0x82,0xc4,0xa4,0xde, 0x4b,0xdf,0xee,0xc7,
+ 0x33,0xdf,0xb7,0xde, 0xd3,0xa7,0x0f,0xc7,
+ 0x23,0x61,0x6b,0xd9, 0x15,0xc8,0x09,0xf7,
+ 0xe7,0xf9,0x44,0xba, 0x14,0xdc,0x94,0x5e,
+ 0xd9,0xcc,0x74,0xb2, 0x3d,0xef,0x78,0x15,
+ 0xb5,0xb9,0x56,0xd5, 0xfb,0x47,0x49,0x3a,
+ 0xbc,0x53,0x71,0x8b, 0x72,0x8b,0xb2,0xe3,
+ 0x58,0xbf,0xea,0x47, 0x7a,0x76,0x03,0x48,
+ 0xdd,0x8c,0x30,0x99, 0x81,0x2c,0x5f,0xf6,
+ 0xd3,0x9b,0x8e,0x77, 0x1c,0xb7,0xbd,0x1e,
+ 0xd4,0x28,0x05,0xf7, 0xff,0xdf,0xd6,0xb9,
+ 0x83,0x99,0xbc,0x94, 0xb7,0x41,0x93,0xc4,
+ 0x66,0xff,0x29,0x4d, 0x5c,0xba,0x79,0xd9,
+ 0x6e,0x79,0x47,0x45, 0xd6,0x2d,0xcd,0x79,
+ 0xa1,0xfa,0x49,0xee, 0x8e,0x7f,0x2b,0x08,
+ 0x3f,0x60,0x56,0xcf, 0xcb,0xe8,0x0d,0x55,
+ 0xee,0xa5,0xaf,0x04, 0xde,0x01,0xde,0xce,
+ 0xb6,0x9c,0x68,0x4e, 0xb0,0x88,0xcd,0x89,
+ 0x83,0x6b,0x01,0xb5, 0x78,0xac,0x85,0x3c,
+ 0x2c,0xcf,0x39,0xb6, 0xc8,0x5f,0x0e,0xac,
+ 0x02,0x08,0x56,0xbe, 0xd1,0x8d,0x7d,0x55,
+ 0x69,0x0c,0x33,0x33, 0xff,0x1a,0xd6,0x0b,
+ 0xcf,0x57,0x18,0x01, 0x56,0x5f,0x9c,0x6f,
+ 0xe2,0x24,0xda,0xc3, 0x9f,0x81,0xc3,0x27,
+ 0x46,0x7a,0xb4,0xae, 0xec,0xa4,0x0e,0x41,
+ 0x8b,0xb7,0x16,0xe3, 0x9b,0x2e,0x32,0x75,
+ 0xd9,0x86,0xa2,0x13, 0x68,0x4e,0xbc,0x43,
+ 0xa2,0x78,0x64,0x1a, 0x7c,0xac,0x13,0x70,
+ 0x1c,0x23,0x15,0x5b, 0xda,0x99,0xa5,0x24,
+ 0x3d,0xcf,0x29,0xf7, 0xbc,0x1d,0x10,0xe8,
+ 0x95,0x1a,0x11,0xec, 0xfc,0xfb,0x20,0x1f,
+ 0x09,0x1b,0xe3,0x3d, 0xae,0x82,0x70,0xd7,
+ 0x9e,0xf3,0x18,0x97, 0x89,0xfa,0x42,0x67,
+ 0x70,0x9c,0xc8,0xbe, 0x62,0x98,0xf1,0x82,
+ 0xfc,0x2b,0xf0,0x40, 0xaa,0xdc,0x27,0xf9,
+ 0x21,0x5a,0xc1,0x25, 0x8b,0xef,0xd5,0x48,
+ 0x6c,0x68,0xae,0xbc, 0xcd,0xa9,0x3c,0x1e,
+ 0xe9,0xcf,0xe2,0xd1, 0xc0,0x98,0xa9,0x62,
+ 0x5d,0x1f,0x57,0x7a, 0xca,0x8a,0x0f,0xfb,
+ 0xe3,0xc9,0x7e,0x98, 0x44,0x84,0x67,0x12,
+ 0x60,0x60,0xe5,0xc7, 0xcc,0x72,0x90,0x64,
+ 0x67,0x30,0x6a,0xd8, 0xa1,0x11,0xd5,0x7e,
+ 0x5e,0x0c,0x74,0xa2, 0x6f,0x0a,0xff,0x41,
+ 0xd3,0x9a,0x30,0x56, 0xd4,0xec,0x9a,0x5f,
+ 0x22,0x71,0x6b,0x4e, 0xe6,0xe0,0x19,0x69,
+ 0x56,0x4a,0xba,0x9d, 0x50,0x8a,0x73,0x6a,
+ 0xf1,0x59,0x48,0xd6, 0xcd,0xfa,0xaa,0x0c,
+ 0xbb,0x7c,0xa4,0xbc, 0xf5,0x32,0x95,0x55,
+ 0x1c,0xe9,0x9a,0x60, 0x43,0x10,0xbd,0x27,
+ 0x88,0x2f,0x05,0xcf, 0xce,0x21,0x25,0x3a,
+ 0x07,0xab,0x37,0xfd, 0xf6,0x2f,0xd6,0x51,
+ 0xbe,0xe6,0xcc,0x58, 0x3a,0xab,0x60,0x23,
+ 0x45,0xa0,0xe5,0x79, 0xe5,0xaa,0xed,0xa4,
+ 0x28,0xd0,0x4d,0x37, 0x9c,0x6a,0xd7,0xc2,
+ 0x39,0x22,0xb9,0x3e, 0x0d,0xb8,0x94,0x65,
+ 0x48,0x4d,0x4c,0x02, 0x31,0x7e,0x9c,0xc9,
+ 0xb7,0xd6,0x23,0x1a, 0x94,0x5a,0x13,0x55,
+ 0x78,0x7a,0x29,0x4a, 0xa2,0xfd,0x37,0x24,
+ 0xd8,0xd0,0x9e,0x47, 0x24,0xab,0x26,0x34,
+ 0x28,0xb5,0x2d,0x82, 0x9a,0x4d,0xdd,0x17,
+ 0x68,0xe0,0x07,0x5d, 0xb9,0x2d,0xff,0xa9,
+ 0x0c,0x11,0x59,0x75, 0xda,0x98,0xe9,0xd5,
+ 0xfa,0xb5,0x18,0x16, 0x28,0x17,0x7c,0xad,
+ 0xab,0xee,0x65,0x10, 0x13,0x0d,0x26,0xfa,
+ 0x7f,0xac,0x06,0x43, 0x4d,0x5d,0x3a,0xf4,
+ 0x77,0xe7,0x03,0x17, 0x39,0x9f,0xbe,0x52,
+ 0x9b,0x68,0x2b,0x7f, 0xd3,0xa2,0x7e,0x5c,
+ 0x78,0x22,0xc5,0xe3, 0x17,0x73,0xc6,0x9e,
+ 0x68,0x17,0x74,0x50, 0xf4,0xc5,0xa8,0xc3,
+ 0x66,0xe1,0x05,0xed, 0xdd,0xdb,0xd3,0x11,
+ 0x16,0xad,0x05,0x3a, 0x38,0x55,0x1c,0xf0,
+ 0x93,0x0b,0x22,0x83, 0xc8,0x34,0xc5,0x43,
+ 0x4d,0x65,0x57,0xf3, 0x03,0x56,0x21,0xa9,
+ 0xbd,0x04,0x41,0x49, 0x62,0xfd,0xcc,0xc2,
+ 0x75,0x59,0x09,0xb9, 0x28,0x38,0xcf,0xfb,
+ 0x54,0x64,0x51,0xc2, 0x3e,0xad,0x35,0x3e,
+ 0x31,0x87,0x6e,0xfe, 0xf0,0x41,0xef,0x1d,
+ 0xb8,0x46,0xbe,0x85, 0xb9,0xff,0xa3,0xdb,
+ 0x87,0xf9,0x65,0x95, 0x60,0x53,0x7c,0x9d,
+ 0x26,0x83,0xfc,0xa7, 0xad,0x5a,0xcb,0x8d,
+ 0x81,0xec,0x28,0xeb, 0xdd,0x96,0x25,0x31,
+ 0x24,0x3f,0x59,0x28, 0x60,0x0b,0xc0,0x59,
+ 0xea,0x36,0x15,0xad, 0x70,0xd8,0x70,0xff,
+ 0x9b,0x15,0x76,0xc5, 0x84,0xe6,0x81,0x75,
+ 0x1a,0x1e,0xc9,0xec, 0x33,0xbe,0x10,0xd4,
+ 0x6f,0x10,0x1b,0xa2, 0xdb,0xc6,0x1b,0x0a,
+ 0xfb,0xe9,0x3f,0x4d, 0x04,0x4e,0x33,0x87,
+ 0xb3,0x21,0xad,0x41, 0xbe,0xce,0x26,0x0c,
+ 0x0c,0x84,0x0f,0x9a, 0xb9,0xa7,0xa2,0x36,
+ 0x70,0x49,0xce,0x25, 0x0f,0x69,0x4a,0x4a,
+ 0x3d,0xf5,0xa0,0x9e, 0xad,0x69,0x2d,0x79,
+ 0xdb,0x8b,0x85,0xf6, 0xb8,0x55,0xcd,0xf1,
+ 0xbb,0x04,0x35,0xad, 0xa8,0xb6,0x0d,0x3f,
+ 0x23,0xec,0x39,0xd7, 0xef,0x02,0x95,0x42,
+ 0x11,0xc9,0x70,0xc6, 0xa4,0x65,0x37,0x4d,
+ 0x9f,0x51,0x99,0xd6, 0x9e,0xb1,0x18,0xcf,
+ 0x31,0x81,0xde,0x95, 0x0a,0x8c,0x0c,0x80,
+ 0xdc,0xf7,0x19,0x5d, 0xdc,0x3e,0xee,0x0c,
+ 0x17,0xaf,0xc4,0x9c, 0xbf,0x65,0xf2,0xe1,
+ 0xc9,0xdb,0xc0,0x2a, 0xd0,0xbd,0xa1,0x7f,
+ 0x4b,0x9c,0x5b,0xe6, 0x91,0x98,0xa6,0xdb,
+ 0x72,0xef,0x14,0x38, 0x24,0x77,0x1e,0x71,
+ 0x74,0x63,0x0c,0xd9, 0x16,0x90,0x23,0x4a,
+ 0xe6,0xa4,0xc1,0x53, 0x8b,0xb4,0x7e,0x90,
+ 0x1b,0x68,0x32,0x48, 0x93,0xd8,0x72,0x43,
+ 0x8e,0x32,0x09,0x1e, 0x48,0xfc,0x3a,0xc6,
+ 0x15,0xb9,0x79,0x57, 0x02,0x61,0xc6,0x4b,
+ 0x56,0x1e,0x68,0x4e, 0x65,0x26,0xe5,0x1c,
+ 0xb1,0xd1,0x86,0x1d, 0xea,0x93,0x5a,0x88,
+ 0x4c,0x3b,0x10,0xd1, 0xf7,0x5a,0x4c,0xa3,
+ 0xe7,0x59,0xf5,0x04, 0x7d,0xd7,0xe3,0x2e,
+ 0x2c,0x3e,0x14,0x14, 0x83,0xed,0x3d,0x0b,
+ 0xa4,0xab,0x65,0xcf, 0x39,0xee,0xbe,0x0c,
+ 0x5e,0x4b,0x62,0x5e, 0xb4,0xd2,0x16,0xc7,
+ 0xe0,0x71,0x2b,0x92, 0x1e,0x21,0x45,0x02,
+ 0xfd,0xa1,0xda,0x0b, 0xbe,0xa6,0xe5,0x7f,
+ 0x31,0x8b,0x5a,0xcb, 0x8f,0xb8,0x0c,0xfb,
+ 0x7f,0x2d,0x7e,0xa2, 0x14,0xfd,0xe0,0xbb,
+ 0xa4,0x1b,0xce,0x81, 0x6f,0x25,0xbd,0x72,
+ 0x44,0x00,0x13,0x18, 0x75,0x04,0xf3,0x06,
+ 0xdc,0xf1,0x5b,0xa0, 0xb1,0x5a,0x9a,0xd8,
+ 0x4f,0xe7,0x94,0xe1, 0x65,0xe5,0xb2,0xd1,
+ 0x47,0x6d,0xd8,0x81, 0x22,0x96,0x09,0xd8,
+ 0x5e,0x12,0x73,0x62, 0xd6,0x2c,0xcb,0x45,
+ 0x71,0xa9,0xc1,0x21, 0x16,0x6f,0xf0,0xaa,
+ 0xce,0x19,0x1f,0x68, 0xee,0x17,0x07,0x94,
+ 0x4f,0x93,0x9a,0x12, 0xf7,0x91,0xe1,0xc6,
+ 0x9c,0x29,0xe5,0x06, 0x7a,0x40,0xf5,0xf6,
+ 0x51,0xc8,0x32,0x94, 0x52,0xd9,0x6b,0x9b,
+ 0x3e,0xb5,0xcf,0x1a, 0xf1,0x6c,0x7b,0x0a,
+ 0x16,0x47,0xee,0xa6, 0x46,0x0f,0xed,0xe0,
+ 0x1b,0x3f,0x39,0xfa, 0x4c,0x69,0xeb,0xfb,
+ 0xd0,0x36,0x3b,0x3a, 0x04,0x94,0xa4,0x2f,
+ 0x51,0xe1,0x1a,0x47, 0xc9,0xdb,0xf6,0x09,
+ 0xab,0x35,0x46,0x2c, 0x2f,0xb7,0x19,0xed,
+ 0x55,0x7e,0xa3,0x2c, 0xec,0xff,0x39,0xba,
+ 0x0f,0xfb,0x4f,0x8b, 0xfc,0x36,0x4e,0x5e,
+ 0xa1,0xe8,0x49,0x15, 0x65,0xd2,0xfb,0x11,
+ 0x4b,0x10,0xe6,0x07, 0x82,0x3a,0x5d,0x3f,
+ 0xeb,0xc0,0x0b,0x76, 0x66,0xb5,0xed,0x65,
+ 0xb3,0x9d,0x06,0x13, 0x3b,0x18,0x70,0x7a,
+ 0xbd,0xf7,0xd8,0x20, 0x81,0xc7,0x76,0x2e,
+ 0x21,0x6f,0xdb,0x8e, 0xba,0x83,0x42,0xb1,
+ },
+ },
+ [5] = {
+ .k = {
+ 0x79,0xce,0xb0,0x8e, 0xf8,0x7a,0x67,0xc6,
+ 0x48,0x2c,0x2a,0xc0, 0xa5,0x45,0x06,0x49,
+ 0xc8,0x90,0xb8,0xe9, 0xc6,0xb6,0xb3,0x50,
+ 0xbd,0x9e,0x46,0x56, 0x26,0xf2,0xb0,0x3b,
+ },
+ .tlen = 17,
+ .t = {
+ 0xe6,0x93,0xbe,0x89, 0xf5,0xee,0x40,0xde,
+ 0xf2,0x9c,0xb5,0xec, 0x6a,0x37,0x23,0x46,
+ 0x0e,
+ },
+ .len = 16,
+ .p = {
+ 0x5d,0x83,0x98,0x37, 0xc6,0x33,0x9e,0x7e,
+ 0x59,0xad,0xd2,0x5b, 0x8a,0x3a,0x9d,0x03,
+ },
+ .c = {
+ 0x96,0x23,0x2f,0x7d, 0x52,0xfc,0x98,0x63,
+ 0x98,0xa5,0x8b,0xdf, 0xca,0xbc,0x85,0x2f,
+ },
+ },
+ [6] = {
+ .k = {
+ 0x9f,0xd3,0x36,0xb1, 0x85,0x07,0xdf,0x19,
+ 0x01,0xea,0xf9,0x52, 0x68,0xbf,0xce,0xe7,
+ 0xd0,0x49,0xf3,0xba, 0x58,0xfb,0x87,0x18,
+ 0x9f,0xca,0x24,0xca, 0x61,0xa3,0xf0,0xda,
+ },
+ .tlen = 17,
+ .t = {
+ 0xea,0xc6,0x72,0x5e, 0x66,0xd4,0xc7,0xbd,
+ 0xa1,0x6e,0xab,0x09, 0xb5,0x58,0x39,0xae,
+ 0x40,
+ },
+ .len = 128,
+ .p = {
+ 0xc7,0xd6,0x73,0x65, 0xcb,0xf3,0xf5,0x3e,
+ 0xb9,0xa7,0xbf,0xb1, 0x54,0xcb,0xac,0x01,
+ 0xee,0xb5,0x94,0x17, 0x40,0x92,0xfd,0xad,
+ 0x8f,0xdb,0x27,0x22, 0x3d,0xb1,0x0b,0xf7,
+ 0xa7,0x46,0x70,0xd0, 0x31,0xdb,0xf9,0xdb,
+ 0xb9,0xb9,0x40,0x4a, 0x0a,0xba,0x77,0x6f,
+ 0x35,0x36,0x9e,0xeb, 0x68,0xe2,0x9e,0xd7,
+ 0xef,0xc2,0x5e,0x21, 0x0d,0xb3,0xb0,0x87,
+ 0xd6,0x43,0x35,0x6e, 0x22,0xa0,0xb7,0xec,
+ 0x26,0xe0,0x7d,0x48, 0xf5,0x5d,0x58,0xd3,
+ 0x29,0xb7,0x1f,0x7e, 0xe9,0x5a,0x02,0xa4,
+ 0xb1,0xde,0x10,0x9f, 0xe1,0xa8,0x5e,0x05,
+ 0xb6,0xa2,0x59,0xca, 0x3e,0xbc,0xd1,0x94,
+ 0x09,0x4e,0x1b,0x37, 0x29,0x9c,0x15,0xef,
+ 0x8c,0x72,0x53,0xbe, 0x6f,0x25,0x2c,0x68,
+ 0x88,0x08,0x0c,0x00, 0x80,0x7a,0x85,0x64,
+ },
+ .c = {
+ 0x49,0x36,0x97,0xd2, 0xde,0xa4,0xde,0x92,
+ 0x7d,0x30,0x08,0xc3, 0xd9,0x47,0xd4,0xcb,
+ 0x5b,0x41,0x27,0x2c, 0x06,0xb8,0x2b,0xef,
+ 0x7b,0x57,0x59,0xb7, 0x5b,0x81,0x38,0xb4,
+ 0xd1,0x81,0xb3,0xe8, 0xac,0xf0,0xa0,0x06,
+ 0xcb,0x74,0x31,0x01, 0xe1,0x3d,0xcf,0x6d,
+ 0x57,0xd1,0x65,0xcd, 0xe7,0x33,0x6c,0x03,
+ 0x54,0xf0,0x2c,0x41, 0xb8,0x75,0x07,0x1d,
+ 0x70,0xf0,0x9c,0xbd, 0x8f,0x6b,0xdb,0x76,
+ 0x86,0x5b,0xe0,0xfd, 0xad,0x61,0x7a,0x4c,
+ 0xd6,0xf1,0x85,0x0b, 0xfd,0x0b,0x3a,0x5f,
+ 0xcf,0xfc,0xb0,0x0b, 0x2b,0xc7,0x31,0x07,
+ 0x9d,0x75,0x82,0xd9, 0x14,0xd4,0x33,0xd3,
+ 0xff,0x20,0xf7,0x14, 0xcf,0xe4,0xda,0xca,
+ 0x11,0xcc,0x57,0x8f, 0x51,0x52,0x9d,0x90,
+ 0x01,0xc8,0x4e,0x1f, 0x2a,0x89,0xe2,0x52,
+ },
+ },
+ };
+ static struct adiantum A;
+ static uint8_t buf[4096];
+ unsigned i;
+ int result = 0;
+
+ for (i = 0; i < __arraycount(C); i++) {
+ adiantum_init(&A, C[i].k);
+ adiantum_enc(buf, C[i].p, C[i].len, C[i].t, C[i].tlen, &A);
+ if (memcmp(buf, C[i].c, C[i].len)) {
+ char prefix[16];
+ snprintf(prefix, sizeof prefix, "adiantum enc %u", i);
+ hexdump(printf, prefix, buf, C[i].len);
+ result = -1;
+ }
+ memset(buf, 0, sizeof buf); /* paranoia */
+ adiantum_dec(buf, C[i].c, C[i].len, C[i].t, C[i].tlen, &A);
+ if (memcmp(buf, C[i].p, C[i].len)) {
+ char prefix[16];
+ snprintf(prefix, sizeof prefix, "adiantum dec %u", i);
+ hexdump(printf, prefix, buf, C[i].len);
+ result = -1;
+ }
+ }
+
+ return result;
+}
diff -r 36794fee0d04 -r 9fde04e138c1 sys/crypto/adiantum/files.adiantum
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/adiantum/files.adiantum Wed Jun 17 02:47:43 2020 +0000
@@ -0,0 +1,6 @@
+# $NetBSD$
+
+define adiantum
+
+file crypto/adiantum/adiantum.c adiantum
+file crypto/adiantum/adiantum_selftest.c adiantum
diff -r 36794fee0d04 -r 9fde04e138c1 sys/dev/cgd_crypto.c
--- a/sys/dev/cgd_crypto.c Mon Jun 15 22:55:59 2020 +0000
+++ b/sys/dev/cgd_crypto.c Wed Jun 17 02:47:43 2020 +0000
@@ -45,6 +45,7 @@
#include <dev/cgd_crypto.h>
+#include <crypto/adiantum/adiantum.h>
#include <crypto/aes/aes.h>
#include <crypto/blowfish/blowfish.h>
#include <crypto/des/des.h>
@@ -72,6 +73,10 @@ static cfunc_init cgd_cipher_bf_init;
static cfunc_destroy cgd_cipher_bf_destroy;
static cfunc_cipher cgd_cipher_bf_cbc;
+static cfunc_init cgd_cipher_adiantum_init;
+static cfunc_destroy cgd_cipher_adiantum_destroy;
+static cfunc_cipher cgd_cipher_adiantum_crypt;
+
static const struct cryptfuncs cf[] = {
{
.cf_name = "aes-xts",
@@ -97,6 +102,12 @@ static const struct cryptfuncs cf[] = {
.cf_destroy = cgd_cipher_bf_destroy,
.cf_cipher = cgd_cipher_bf_cbc,
},
+ {
+ .cf_name = "adiantum",
+ .cf_init = cgd_cipher_adiantum_init,
+ .cf_destroy = cgd_cipher_adiantum_destroy,
+ .cf_cipher = cgd_cipher_adiantum_crypt,
+ },
};
const struct cryptfuncs *
cryptfuncs_find(const char *alg)
@@ -409,3 +420,61 @@ cgd_cipher_bf_cbc(void *privdata, void *
panic("%s: unrecognised direction %d", __func__, dir);
}
}
+
+/*
+ * Adiantum
+ */
+
+static void *
+cgd_cipher_adiantum_init(size_t keylen, const void *key, size_t *blocksize)
+{
+ struct adiantum *A;
+
+ if (!blocksize)
+ return NULL;
+ if (keylen != 256)
+ return NULL;
+ if (*blocksize == (size_t)-1)
+ *blocksize = 128;
+ if (*blocksize != 128)
+ return NULL;
+
+ A = kmem_zalloc(sizeof(*A), KM_SLEEP);
+ adiantum_init(A, key);
+
+ return A;
+}
+
+static void
+cgd_cipher_adiantum_destroy(void *cookie)
+{
+ struct adiantum *A = cookie;
+
+ explicit_memset(A, 0, sizeof(*A));
+ kmem_free(A, sizeof(*A));
+}
+
+static void
+cgd_cipher_adiantum_crypt(void *cookie, void *dst, const void *src,
+ size_t nbytes, const void *blkno, int dir)
+{
+ /*
+ * Treat the block number as a 128-bit block. This is more
+ * than twice as big as the largest number of reasonable
+ * blocks, but it doesn't hurt (it would be rounded up to a
+ * 128-bit input anyway).
+ */
+ const unsigned tweaklen = 16;
+ struct adiantum *A = cookie;
+
+ switch (dir) {
+ case CGD_CIPHER_ENCRYPT:
+ adiantum_enc(dst, src, nbytes, blkno, tweaklen, A);
+ break;
+ case CGD_CIPHER_DECRYPT:
+ adiantum_dec(dst, src, nbytes, blkno, tweaklen, A);
+ break;
+ default:
+ panic("%s: unrecognised direction %d", __func__, dir);
+ }
+}
diff -r 36794fee0d04 -r 9fde04e138c1 sys/rump/kern/lib/libcrypto/Makefile
--- a/sys/rump/kern/lib/libcrypto/Makefile Mon Jun 15 22:55:59 2020 +0000
+++ b/sys/rump/kern/lib/libcrypto/Makefile Wed Jun 17 02:47:43 2020 +0000
@@ -1,7 +1,8 @@
# $NetBSD: Makefile,v 1.6 2019/12/05 03:57:55 riastradh Exp $
#
-.PATH: ${.CURDIR}/../../../../crypto/aes \
+.PATH: ${.CURDIR}/../../../../crypto/adiantum \
+ ${.CURDIR}/../../../../crypto/aes \
${.CURDIR}/../../../../crypto/blowfish \
${.CURDIR}/../../../../crypto/camellia \
${.CURDIR}/../../../../crypto/cast128 \
@@ -11,6 +12,10 @@
LIB= rumpkern_crypto
COMMENT=Cryptographic routines
+# Adiantum
+SRCS+= adiantum.c
+SRCS+= adiantum_selftest.c
+
# blowfish
SRCS+= bf_ecb.c bf_enc.c bf_cbc.c bf_skey.c bf_module.c
Home |
Main Index |
Thread Index |
Old Index