Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.4 commit in: /
Date: Mon, 01 Mar 2021 23:49:07
Message-Id: 1614642527.9bc980ab3b6206a214be03992f91f995efee3e0b.mpagano@gentoo
1 commit: 9bc980ab3b6206a214be03992f91f995efee3e0b
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Mon Mar 1 23:48:47 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Mon Mar 1 23:48:47 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=9bc980ab
7
8 Remove old wireguard patch
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 2400_wireguard-backport-v1.0.20201112.patch | 45504 --------------------------
13 1 file changed, 45504 deletions(-)
14
15 diff --git a/2400_wireguard-backport-v1.0.20201112.patch b/2400_wireguard-backport-v1.0.20201112.patch
16 deleted file mode 100644
17 index b63d7f5..0000000
18 --- a/2400_wireguard-backport-v1.0.20201112.patch
19 +++ /dev/null
20 @@ -1,45504 +0,0 @@
21 ---- b/crypto/Kconfig
22 -+++ b/crypto/Kconfig
23 -@@ -136,8 +136,6 @@
24 - Userspace configuration for cryptographic instantiations such as
25 - cbc(aes).
26 -
27 --if CRYPTO_MANAGER2
28 --
29 - config CRYPTO_MANAGER_DISABLE_TESTS
30 - bool "Disable run-time self tests"
31 - default y
32 -@@ -147,7 +145,7 @@
33 -
34 - config CRYPTO_MANAGER_EXTRA_TESTS
35 - bool "Enable extra run-time crypto self tests"
36 -- depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
37 -+ depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
38 - help
39 - Enable extra run-time self tests of registered crypto algorithms,
40 - including randomized fuzz tests.
41 -@@ -155,8 +153,6 @@
42 - This is intended for developer use only, as these tests take much
43 - longer to run than the normal self tests.
44 -
45 --endif # if CRYPTO_MANAGER2
46 --
47 - config CRYPTO_GF128MUL
48 - tristate
49 -
50 -@@ -264,6 +260,17 @@
51 - standard algorithms (called GOST algorithms). Only signature verification
52 - is implemented.
53 -
54 -+config CRYPTO_CURVE25519
55 -+ tristate "Curve25519 algorithm"
56 -+ select CRYPTO_KPP
57 -+ select CRYPTO_LIB_CURVE25519_GENERIC
58 -+
59 -+config CRYPTO_CURVE25519_X86
60 -+ tristate "x86_64 accelerated Curve25519 scalar multiplication library"
61 -+ depends on X86 && 64BIT
62 -+ select CRYPTO_LIB_CURVE25519_GENERIC
63 -+ select CRYPTO_ARCH_HAVE_LIB_CURVE25519
64 -+
65 - comment "Authenticated Encryption with Associated Data"
66 -
67 - config CRYPTO_CCM
68 -@@ -446,7 +453,7 @@
69 - config CRYPTO_NHPOLY1305
70 - tristate
71 - select CRYPTO_HASH
72 -- select CRYPTO_POLY1305
73 -+ select CRYPTO_LIB_POLY1305_GENERIC
74 -
75 - config CRYPTO_NHPOLY1305_SSE2
76 - tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
77 -@@ -467,7 +474,7 @@
78 - config CRYPTO_ADIANTUM
79 - tristate "Adiantum support"
80 - select CRYPTO_CHACHA20
81 -- select CRYPTO_POLY1305
82 -+ select CRYPTO_LIB_POLY1305_GENERIC
83 - select CRYPTO_NHPOLY1305
84 - select CRYPTO_MANAGER
85 - help
86 -@@ -639,6 +646,30 @@
87 - xxHash non-cryptographic hash algorithm. Extremely fast, working at
88 - speeds close to RAM limits.
89 -
90 -+config CRYPTO_BLAKE2S
91 -+ tristate "BLAKE2s digest algorithm"
92 -+ select CRYPTO_LIB_BLAKE2S_GENERIC
93 -+ select CRYPTO_HASH
94 -+ help
95 -+ Implementation of cryptographic hash function BLAKE2s
96 -+ optimized for 8-32bit platforms and can produce digests of any size
97 -+ between 1 to 32. The keyed hash is also implemented.
98 -+
99 -+ This module provides the following algorithms:
100 -+
101 -+ - blake2s-128
102 -+ - blake2s-160
103 -+ - blake2s-224
104 -+ - blake2s-256
105 -+
106 -+ See https://blake2.net for further information.
107 -+
108 -+config CRYPTO_BLAKE2S_X86
109 -+ tristate "BLAKE2s digest algorithm (x86 accelerated version)"
110 -+ depends on X86 && 64BIT
111 -+ select CRYPTO_LIB_BLAKE2S_GENERIC
112 -+ select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
113 -+
114 - config CRYPTO_CRCT10DIF
115 - tristate "CRCT10DIF algorithm"
116 - select CRYPTO_HASH
117 -@@ -686,6 +717,7 @@
118 - config CRYPTO_POLY1305
119 - tristate "Poly1305 authenticator algorithm"
120 - select CRYPTO_HASH
121 -+ select CRYPTO_LIB_POLY1305_GENERIC
122 - help
123 - Poly1305 authenticator algorithm, RFC7539.
124 -
125 -@@ -696,7 +728,8 @@
126 - config CRYPTO_POLY1305_X86_64
127 - tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
128 - depends on X86 && 64BIT
129 -- select CRYPTO_POLY1305
130 -+ select CRYPTO_LIB_POLY1305_GENERIC
131 -+ select CRYPTO_ARCH_HAVE_LIB_POLY1305
132 - help
133 - Poly1305 authenticator algorithm, RFC7539.
134 -
135 -@@ -705,6 +738,11 @@
136 - in IETF protocols. This is the x86_64 assembler implementation using SIMD
137 - instructions.
138 -
139 -+config CRYPTO_POLY1305_MIPS
140 -+ tristate "Poly1305 authenticator algorithm (MIPS optimized)"
141 -+ depends on CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
142 -+ select CRYPTO_ARCH_HAVE_LIB_POLY1305
143 -+
144 - config CRYPTO_MD4
145 - tristate "MD4 digest algorithm"
146 - select CRYPTO_HASH
147 -@@ -878,9 +916,6 @@
148 - SHA-1 secure hash standard (DFIPS 180-4) implemented
149 - using powerpc SPE SIMD instruction set.
150 -
151 --config CRYPTO_LIB_SHA256
152 -- tristate
153 --
154 - config CRYPTO_SHA256
155 - tristate "SHA224 and SHA256 digest algorithm"
156 - select CRYPTO_HASH
157 -@@ -1019,9 +1054,6 @@
158 -
159 - comment "Ciphers"
160 -
161 --config CRYPTO_LIB_AES
162 -- tristate
163 --
164 - config CRYPTO_AES
165 - tristate "AES cipher algorithms"
166 - select CRYPTO_ALGAPI
167 -@@ -1150,9 +1182,6 @@
168 - <https://www.cosic.esat.kuleuven.be/nessie/reports/>
169 - <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
170 -
171 --config CRYPTO_LIB_ARC4
172 -- tristate
173 --
174 - config CRYPTO_ARC4
175 - tristate "ARC4 cipher algorithm"
176 - select CRYPTO_BLKCIPHER
177 -@@ -1339,9 +1368,6 @@
178 - This module provides the Cast6 cipher algorithm that processes
179 - eight blocks parallel using the AVX instruction set.
180 -
181 --config CRYPTO_LIB_DES
182 -- tristate
183 --
184 - config CRYPTO_DES
185 - tristate "DES and Triple DES EDE cipher algorithms"
186 - select CRYPTO_ALGAPI
187 -@@ -1405,6 +1431,7 @@
188 -
189 - config CRYPTO_CHACHA20
190 - tristate "ChaCha stream cipher algorithms"
191 -+ select CRYPTO_LIB_CHACHA_GENERIC
192 - select CRYPTO_BLKCIPHER
193 - help
194 - The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
195 -@@ -1428,11 +1455,18 @@
196 - tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
197 - depends on X86 && 64BIT
198 - select CRYPTO_BLKCIPHER
199 -- select CRYPTO_CHACHA20
200 -+ select CRYPTO_LIB_CHACHA_GENERIC
201 -+ select CRYPTO_ARCH_HAVE_LIB_CHACHA
202 - help
203 - SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
204 - XChaCha20, and XChaCha12 stream ciphers.
205 -
206 -+config CRYPTO_CHACHA_MIPS
207 -+ tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
208 -+ depends on CPU_MIPS32_R2
209 -+ select CRYPTO_BLKCIPHER
210 -+ select CRYPTO_ARCH_HAVE_LIB_CHACHA
211 -+
212 - config CRYPTO_SEED
213 - tristate "SEED cipher algorithm"
214 - select CRYPTO_ALGAPI
215 -@@ -1845,6 +1879,7 @@
216 - config CRYPTO_HASH_INFO
217 - bool
218 -
219 -+source "lib/crypto/Kconfig"
220 - source "drivers/crypto/Kconfig"
221 - source "crypto/asymmetric_keys/Kconfig"
222 - source "certs/Kconfig"
223 ---- b/lib/crypto/Kconfig
224 -+++ b/lib/crypto/Kconfig
225 -@@ -0,0 +1,130 @@
226 -+# SPDX-License-Identifier: GPL-2.0
227 -+
228 -+comment "Crypto library routines"
229 -+
230 -+config CRYPTO_LIB_AES
231 -+ tristate
232 -+
233 -+config CRYPTO_LIB_ARC4
234 -+ tristate
235 -+
236 -+config CRYPTO_ARCH_HAVE_LIB_BLAKE2S
237 -+ tristate
238 -+ help
239 -+ Declares whether the architecture provides an arch-specific
240 -+ accelerated implementation of the Blake2s library interface,
241 -+ either builtin or as a module.
242 -+
243 -+config CRYPTO_LIB_BLAKE2S_GENERIC
244 -+ tristate
245 -+ help
246 -+ This symbol can be depended upon by arch implementations of the
247 -+ Blake2s library interface that require the generic code as a
248 -+ fallback, e.g., for SIMD implementations. If no arch specific
249 -+ implementation is enabled, this implementation serves the users
250 -+ of CRYPTO_LIB_BLAKE2S.
251 -+
252 -+config CRYPTO_LIB_BLAKE2S
253 -+ tristate "BLAKE2s hash function library"
254 -+ depends on CRYPTO_ARCH_HAVE_LIB_BLAKE2S || !CRYPTO_ARCH_HAVE_LIB_BLAKE2S
255 -+ select CRYPTO_LIB_BLAKE2S_GENERIC if CRYPTO_ARCH_HAVE_LIB_BLAKE2S=n
256 -+ help
257 -+ Enable the Blake2s library interface. This interface may be fulfilled
258 -+ by either the generic implementation or an arch-specific one, if one
259 -+ is available and enabled.
260 -+
261 -+config CRYPTO_ARCH_HAVE_LIB_CHACHA
262 -+ tristate
263 -+ help
264 -+ Declares whether the architecture provides an arch-specific
265 -+ accelerated implementation of the ChaCha library interface,
266 -+ either builtin or as a module.
267 -+
268 -+config CRYPTO_LIB_CHACHA_GENERIC
269 -+ tristate
270 -+ select CRYPTO_ALGAPI
271 -+ help
272 -+ This symbol can be depended upon by arch implementations of the
273 -+ ChaCha library interface that require the generic code as a
274 -+ fallback, e.g., for SIMD implementations. If no arch specific
275 -+ implementation is enabled, this implementation serves the users
276 -+ of CRYPTO_LIB_CHACHA.
277 -+
278 -+config CRYPTO_LIB_CHACHA
279 -+ tristate "ChaCha library interface"
280 -+ depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
281 -+ select CRYPTO_LIB_CHACHA_GENERIC if CRYPTO_ARCH_HAVE_LIB_CHACHA=n
282 -+ help
283 -+ Enable the ChaCha library interface. This interface may be fulfilled
284 -+ by either the generic implementation or an arch-specific one, if one
285 -+ is available and enabled.
286 -+
287 -+config CRYPTO_ARCH_HAVE_LIB_CURVE25519
288 -+ tristate
289 -+ help
290 -+ Declares whether the architecture provides an arch-specific
291 -+ accelerated implementation of the Curve25519 library interface,
292 -+ either builtin or as a module.
293 -+
294 -+config CRYPTO_LIB_CURVE25519_GENERIC
295 -+ tristate
296 -+ help
297 -+ This symbol can be depended upon by arch implementations of the
298 -+ Curve25519 library interface that require the generic code as a
299 -+ fallback, e.g., for SIMD implementations. If no arch specific
300 -+ implementation is enabled, this implementation serves the users
301 -+ of CRYPTO_LIB_CURVE25519.
302 -+
303 -+config CRYPTO_LIB_CURVE25519
304 -+ tristate "Curve25519 scalar multiplication library"
305 -+ depends on CRYPTO_ARCH_HAVE_LIB_CURVE25519 || !CRYPTO_ARCH_HAVE_LIB_CURVE25519
306 -+ select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519=n
307 -+ help
308 -+ Enable the Curve25519 library interface. This interface may be
309 -+ fulfilled by either the generic implementation or an arch-specific
310 -+ one, if one is available and enabled.
311 -+
312 -+config CRYPTO_LIB_DES
313 -+ tristate
314 -+
315 -+config CRYPTO_LIB_POLY1305_RSIZE
316 -+ int
317 -+ default 2 if MIPS
318 -+ default 11 if X86_64
319 -+ default 9 if ARM || ARM64
320 -+ default 1
321 -+
322 -+config CRYPTO_ARCH_HAVE_LIB_POLY1305
323 -+ tristate
324 -+ help
325 -+ Declares whether the architecture provides an arch-specific
326 -+ accelerated implementation of the Poly1305 library interface,
327 -+ either builtin or as a module.
328 -+
329 -+config CRYPTO_LIB_POLY1305_GENERIC
330 -+ tristate
331 -+ help
332 -+ This symbol can be depended upon by arch implementations of the
333 -+ Poly1305 library interface that require the generic code as a
334 -+ fallback, e.g., for SIMD implementations. If no arch specific
335 -+ implementation is enabled, this implementation serves the users
336 -+ of CRYPTO_LIB_POLY1305.
337 -+
338 -+config CRYPTO_LIB_POLY1305
339 -+ tristate "Poly1305 library interface"
340 -+ depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
341 -+ select CRYPTO_LIB_POLY1305_GENERIC if CRYPTO_ARCH_HAVE_LIB_POLY1305=n
342 -+ help
343 -+ Enable the Poly1305 library interface. This interface may be fulfilled
344 -+ by either the generic implementation or an arch-specific one, if one
345 -+ is available and enabled.
346 -+
347 -+config CRYPTO_LIB_CHACHA20POLY1305
348 -+ tristate "ChaCha20-Poly1305 AEAD support (8-byte nonce library version)"
349 -+ depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
350 -+ depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
351 -+ select CRYPTO_LIB_CHACHA
352 -+ select CRYPTO_LIB_POLY1305
353 -+
354 -+config CRYPTO_LIB_SHA256
355 -+ tristate
356 ---- b/lib/crypto/Makefile
357 -+++ b/lib/crypto/Makefile
358 -@@ -3,11 +3,43 @@
359 --obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o
360 --libaes-y := aes.o
361 -+# chacha is used by the /dev/random driver which is always builtin
362 -+obj-y += chacha.o
363 -+obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o
364 -
365 --obj-$(CONFIG_CRYPTO_LIB_ARC4) += libarc4.o
366 --libarc4-y := arc4.o
367 -+obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o
368 -+libaes-y := aes.o
369 -
370 --obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o
371 --libdes-y := des.o
372 -+obj-$(CONFIG_CRYPTO_LIB_ARC4) += libarc4.o
373 -+libarc4-y := arc4.o
374 -
375 --obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
376 --libsha256-y := sha256.o
377 -+obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC) += libblake2s-generic.o
378 -+libblake2s-generic-y += blake2s-generic.o
379 -+
380 -+obj-$(CONFIG_CRYPTO_LIB_BLAKE2S) += libblake2s.o
381 -+libblake2s-y += blake2s.o
382 -+
383 -+obj-$(CONFIG_CRYPTO_LIB_CHACHA20POLY1305) += libchacha20poly1305.o
384 -+libchacha20poly1305-y += chacha20poly1305.o
385 -+
386 -+obj-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += libcurve25519-generic.o
387 -+libcurve25519-generic-y := curve25519-fiat32.o
388 -+libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o
389 -+libcurve25519-generic-y += curve25519-generic.o
390 -+
391 -+obj-$(CONFIG_CRYPTO_LIB_CURVE25519) += libcurve25519.o
392 -+libcurve25519-y += curve25519.o
393 -+
394 -+obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o
395 -+libdes-y := des.o
396 -+
397 -+obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += libpoly1305.o
398 -+libpoly1305-y := poly1305-donna32.o
399 -+libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o
400 -+libpoly1305-y += poly1305.o
401 -+
402 -+obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
403 -+libsha256-y := sha256.o
404 -+
405 -+ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)
406 -+libblake2s-y += blake2s-selftest.o
407 -+libchacha20poly1305-y += chacha20poly1305-selftest.o
408 -+libcurve25519-y += curve25519-selftest.o
409 -+endif
410 ---- b/arch/arm/crypto/chacha-neon-glue.c
411 -+++ /dev/null
412 -@@ -1,202 +0,0 @@
413 --/*
414 -- * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
415 -- * including ChaCha20 (RFC7539)
416 -- *
417 -- * Copyright (C) 2016 Linaro, Ltd. <ard.biesheuvel@××××××.org>
418 -- *
419 -- * This program is free software; you can redistribute it and/or modify
420 -- * it under the terms of the GNU General Public License version 2 as
421 -- * published by the Free Software Foundation.
422 -- *
423 -- * Based on:
424 -- * ChaCha20 256-bit cipher algorithm, RFC7539, SIMD glue code
425 -- *
426 -- * Copyright (C) 2015 Martin Willi
427 -- *
428 -- * This program is free software; you can redistribute it and/or modify
429 -- * it under the terms of the GNU General Public License as published by
430 -- * the Free Software Foundation; either version 2 of the License, or
431 -- * (at your option) any later version.
432 -- */
433 --
434 --#include <crypto/algapi.h>
435 --#include <crypto/chacha.h>
436 --#include <crypto/internal/simd.h>
437 --#include <crypto/internal/skcipher.h>
438 --#include <linux/kernel.h>
439 --#include <linux/module.h>
440 --
441 --#include <asm/hwcap.h>
442 --#include <asm/neon.h>
443 --#include <asm/simd.h>
444 --
445 --asmlinkage void chacha_block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
446 -- int nrounds);
447 --asmlinkage void chacha_4block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
448 -- int nrounds);
449 --asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
450 --
451 --static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
452 -- unsigned int bytes, int nrounds)
453 --{
454 -- u8 buf[CHACHA_BLOCK_SIZE];
455 --
456 -- while (bytes >= CHACHA_BLOCK_SIZE * 4) {
457 -- chacha_4block_xor_neon(state, dst, src, nrounds);
458 -- bytes -= CHACHA_BLOCK_SIZE * 4;
459 -- src += CHACHA_BLOCK_SIZE * 4;
460 -- dst += CHACHA_BLOCK_SIZE * 4;
461 -- state[12] += 4;
462 -- }
463 -- while (bytes >= CHACHA_BLOCK_SIZE) {
464 -- chacha_block_xor_neon(state, dst, src, nrounds);
465 -- bytes -= CHACHA_BLOCK_SIZE;
466 -- src += CHACHA_BLOCK_SIZE;
467 -- dst += CHACHA_BLOCK_SIZE;
468 -- state[12]++;
469 -- }
470 -- if (bytes) {
471 -- memcpy(buf, src, bytes);
472 -- chacha_block_xor_neon(state, buf, buf, nrounds);
473 -- memcpy(dst, buf, bytes);
474 -- }
475 --}
476 --
477 --static int chacha_neon_stream_xor(struct skcipher_request *req,
478 -- const struct chacha_ctx *ctx, const u8 *iv)
479 --{
480 -- struct skcipher_walk walk;
481 -- u32 state[16];
482 -- int err;
483 --
484 -- err = skcipher_walk_virt(&walk, req, false);
485 --
486 -- crypto_chacha_init(state, ctx, iv);
487 --
488 -- while (walk.nbytes > 0) {
489 -- unsigned int nbytes = walk.nbytes;
490 --
491 -- if (nbytes < walk.total)
492 -- nbytes = round_down(nbytes, walk.stride);
493 --
494 -- kernel_neon_begin();
495 -- chacha_doneon(state, walk.dst.virt.addr, walk.src.virt.addr,
496 -- nbytes, ctx->nrounds);
497 -- kernel_neon_end();
498 -- err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
499 -- }
500 --
501 -- return err;
502 --}
503 --
504 --static int chacha_neon(struct skcipher_request *req)
505 --{
506 -- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
507 -- struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
508 --
509 -- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
510 -- return crypto_chacha_crypt(req);
511 --
512 -- return chacha_neon_stream_xor(req, ctx, req->iv);
513 --}
514 --
515 --static int xchacha_neon(struct skcipher_request *req)
516 --{
517 -- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
518 -- struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
519 -- struct chacha_ctx subctx;
520 -- u32 state[16];
521 -- u8 real_iv[16];
522 --
523 -- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
524 -- return crypto_xchacha_crypt(req);
525 --
526 -- crypto_chacha_init(state, ctx, req->iv);
527 --
528 -- kernel_neon_begin();
529 -- hchacha_block_neon(state, subctx.key, ctx->nrounds);
530 -- kernel_neon_end();
531 -- subctx.nrounds = ctx->nrounds;
532 --
533 -- memcpy(&real_iv[0], req->iv + 24, 8);
534 -- memcpy(&real_iv[8], req->iv + 16, 8);
535 -- return chacha_neon_stream_xor(req, &subctx, real_iv);
536 --}
537 --
538 --static struct skcipher_alg algs[] = {
539 -- {
540 -- .base.cra_name = "chacha20",
541 -- .base.cra_driver_name = "chacha20-neon",
542 -- .base.cra_priority = 300,
543 -- .base.cra_blocksize = 1,
544 -- .base.cra_ctxsize = sizeof(struct chacha_ctx),
545 -- .base.cra_module = THIS_MODULE,
546 --
547 -- .min_keysize = CHACHA_KEY_SIZE,
548 -- .max_keysize = CHACHA_KEY_SIZE,
549 -- .ivsize = CHACHA_IV_SIZE,
550 -- .chunksize = CHACHA_BLOCK_SIZE,
551 -- .walksize = 4 * CHACHA_BLOCK_SIZE,
552 -- .setkey = crypto_chacha20_setkey,
553 -- .encrypt = chacha_neon,
554 -- .decrypt = chacha_neon,
555 -- }, {
556 -- .base.cra_name = "xchacha20",
557 -- .base.cra_driver_name = "xchacha20-neon",
558 -- .base.cra_priority = 300,
559 -- .base.cra_blocksize = 1,
560 -- .base.cra_ctxsize = sizeof(struct chacha_ctx),
561 -- .base.cra_module = THIS_MODULE,
562 --
563 -- .min_keysize = CHACHA_KEY_SIZE,
564 -- .max_keysize = CHACHA_KEY_SIZE,
565 -- .ivsize = XCHACHA_IV_SIZE,
566 -- .chunksize = CHACHA_BLOCK_SIZE,
567 -- .walksize = 4 * CHACHA_BLOCK_SIZE,
568 -- .setkey = crypto_chacha20_setkey,
569 -- .encrypt = xchacha_neon,
570 -- .decrypt = xchacha_neon,
571 -- }, {
572 -- .base.cra_name = "xchacha12",
573 -- .base.cra_driver_name = "xchacha12-neon",
574 -- .base.cra_priority = 300,
575 -- .base.cra_blocksize = 1,
576 -- .base.cra_ctxsize = sizeof(struct chacha_ctx),
577 -- .base.cra_module = THIS_MODULE,
578 --
579 -- .min_keysize = CHACHA_KEY_SIZE,
580 -- .max_keysize = CHACHA_KEY_SIZE,
581 -- .ivsize = XCHACHA_IV_SIZE,
582 -- .chunksize = CHACHA_BLOCK_SIZE,
583 -- .walksize = 4 * CHACHA_BLOCK_SIZE,
584 -- .setkey = crypto_chacha12_setkey,
585 -- .encrypt = xchacha_neon,
586 -- .decrypt = xchacha_neon,
587 -- }
588 --};
589 --
590 --static int __init chacha_simd_mod_init(void)
591 --{
592 -- if (!(elf_hwcap & HWCAP_NEON))
593 -- return -ENODEV;
594 --
595 -- return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
596 --}
597 --
598 --static void __exit chacha_simd_mod_fini(void)
599 --{
600 -- crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
601 --}
602 --
603 --module_init(chacha_simd_mod_init);
604 --module_exit(chacha_simd_mod_fini);
605 --
606 --MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (NEON accelerated)");
607 --MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@××××××.org>");
608 --MODULE_LICENSE("GPL v2");
609 --MODULE_ALIAS_CRYPTO("chacha20");
610 --MODULE_ALIAS_CRYPTO("chacha20-neon");
611 --MODULE_ALIAS_CRYPTO("xchacha20");
612 --MODULE_ALIAS_CRYPTO("xchacha20-neon");
613 --MODULE_ALIAS_CRYPTO("xchacha12");
614 --MODULE_ALIAS_CRYPTO("xchacha12-neon");
615 ---- b/arch/arm64/crypto/chacha-neon-glue.c
616 -+++ b/arch/arm64/crypto/chacha-neon-glue.c
617 -@@ -1,5 +1,5 @@
618 - /*
619 -- * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
620 -+ * ARM NEON and scalar accelerated ChaCha and XChaCha stream ciphers,
621 - * including ChaCha20 (RFC7539)
622 - *
623 - * Copyright (C) 2016 - 2017 Linaro, Ltd. <ard.biesheuvel@××××××.org>
624 -@@ -20,9 +20,10 @@
625 - */
626 -
627 - #include <crypto/algapi.h>
628 --#include <crypto/chacha.h>
629 -+#include <crypto/internal/chacha.h>
630 - #include <crypto/internal/simd.h>
631 - #include <crypto/internal/skcipher.h>
632 -+#include <linux/jump_label.h>
633 - #include <linux/kernel.h>
634 - #include <linux/module.h>
635 -
636 -@@ -36,6 +37,8 @@
637 - int nrounds, int bytes);
638 - asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
639 -
640 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
641 -+
642 - static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
643 - int bytes, int nrounds)
644 - {
645 -@@ -52,12 +55,51 @@
646 - break;
647 - }
648 - chacha_4block_xor_neon(state, dst, src, nrounds, l);
649 -- bytes -= CHACHA_BLOCK_SIZE * 5;
650 -- src += CHACHA_BLOCK_SIZE * 5;
651 -- dst += CHACHA_BLOCK_SIZE * 5;
652 -- state[12] += 5;
653 -+ bytes -= l;
654 -+ src += l;
655 -+ dst += l;
656 -+ state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
657 -+ }
658 -+}
659 -+
660 -+void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
661 -+{
662 -+ if (!static_branch_likely(&have_neon) || !crypto_simd_usable()) {
663 -+ hchacha_block_generic(state, stream, nrounds);
664 -+ } else {
665 -+ kernel_neon_begin();
666 -+ hchacha_block_neon(state, stream, nrounds);
667 -+ kernel_neon_end();
668 - }
669 - }
670 -+EXPORT_SYMBOL(hchacha_block_arch);
671 -+
672 -+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
673 -+{
674 -+ chacha_init_generic(state, key, iv);
675 -+}
676 -+EXPORT_SYMBOL(chacha_init_arch);
677 -+
678 -+void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
679 -+ int nrounds)
680 -+{
681 -+ if (!static_branch_likely(&have_neon) || bytes <= CHACHA_BLOCK_SIZE ||
682 -+ !crypto_simd_usable())
683 -+ return chacha_crypt_generic(state, dst, src, bytes, nrounds);
684 -+
685 -+ do {
686 -+ unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
687 -+
688 -+ kernel_neon_begin();
689 -+ chacha_doneon(state, dst, src, todo, nrounds);
690 -+ kernel_neon_end();
691 -+
692 -+ bytes -= todo;
693 -+ src += todo;
694 -+ dst += todo;
695 -+ } while (bytes);
696 -+}
697 -+EXPORT_SYMBOL(chacha_crypt_arch);
698 -
699 - static int chacha_neon_stream_xor(struct skcipher_request *req,
700 - const struct chacha_ctx *ctx, const u8 *iv)
701 -@@ -68,7 +110,7 @@
702 -
703 - err = skcipher_walk_virt(&walk, req, false);
704 -
705 -- crypto_chacha_init(state, ctx, iv);
706 -+ chacha_init_generic(state, ctx->key, iv);
707 -
708 - while (walk.nbytes > 0) {
709 - unsigned int nbytes = walk.nbytes;
710 -@@ -76,10 +118,17 @@
711 - if (nbytes < walk.total)
712 - nbytes = rounddown(nbytes, walk.stride);
713 -
714 -- kernel_neon_begin();
715 -- chacha_doneon(state, walk.dst.virt.addr, walk.src.virt.addr,
716 -- nbytes, ctx->nrounds);
717 -- kernel_neon_end();
718 -+ if (!static_branch_likely(&have_neon) ||
719 -+ !crypto_simd_usable()) {
720 -+ chacha_crypt_generic(state, walk.dst.virt.addr,
721 -+ walk.src.virt.addr, nbytes,
722 -+ ctx->nrounds);
723 -+ } else {
724 -+ kernel_neon_begin();
725 -+ chacha_doneon(state, walk.dst.virt.addr,
726 -+ walk.src.virt.addr, nbytes, ctx->nrounds);
727 -+ kernel_neon_end();
728 -+ }
729 - err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
730 - }
731 -
732 -@@ -91,9 +140,6 @@
733 - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
734 - struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
735 -
736 -- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
737 -- return crypto_chacha_crypt(req);
738 --
739 - return chacha_neon_stream_xor(req, ctx, req->iv);
740 - }
741 -
742 -@@ -105,14 +151,8 @@
743 - u32 state[16];
744 - u8 real_iv[16];
745 -
746 -- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
747 -- return crypto_xchacha_crypt(req);
748 --
749 -- crypto_chacha_init(state, ctx, req->iv);
750 --
751 -- kernel_neon_begin();
752 -- hchacha_block_neon(state, subctx.key, ctx->nrounds);
753 -- kernel_neon_end();
754 -+ chacha_init_generic(state, ctx->key, req->iv);
755 -+ hchacha_block_arch(state, subctx.key, ctx->nrounds);
756 - subctx.nrounds = ctx->nrounds;
757 -
758 - memcpy(&real_iv[0], req->iv + 24, 8);
759 -@@ -134,7 +174,7 @@
760 - .ivsize = CHACHA_IV_SIZE,
761 - .chunksize = CHACHA_BLOCK_SIZE,
762 - .walksize = 5 * CHACHA_BLOCK_SIZE,
763 -- .setkey = crypto_chacha20_setkey,
764 -+ .setkey = chacha20_setkey,
765 - .encrypt = chacha_neon,
766 - .decrypt = chacha_neon,
767 - }, {
768 -@@ -150,7 +190,7 @@
769 - .ivsize = XCHACHA_IV_SIZE,
770 - .chunksize = CHACHA_BLOCK_SIZE,
771 - .walksize = 5 * CHACHA_BLOCK_SIZE,
772 -- .setkey = crypto_chacha20_setkey,
773 -+ .setkey = chacha20_setkey,
774 - .encrypt = xchacha_neon,
775 - .decrypt = xchacha_neon,
776 - }, {
777 -@@ -166,7 +206,7 @@
778 - .ivsize = XCHACHA_IV_SIZE,
779 - .chunksize = CHACHA_BLOCK_SIZE,
780 - .walksize = 5 * CHACHA_BLOCK_SIZE,
781 -- .setkey = crypto_chacha12_setkey,
782 -+ .setkey = chacha12_setkey,
783 - .encrypt = xchacha_neon,
784 - .decrypt = xchacha_neon,
785 - }
786 -@@ -175,14 +215,18 @@
787 - static int __init chacha_simd_mod_init(void)
788 - {
789 - if (!cpu_have_named_feature(ASIMD))
790 -- return -ENODEV;
791 -+ return 0;
792 -+
793 -+ static_branch_enable(&have_neon);
794 -
795 -- return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
796 -+ return IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) ?
797 -+ crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;
798 - }
799 -
800 - static void __exit chacha_simd_mod_fini(void)
801 - {
802 -- crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
803 -+ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) && cpu_have_named_feature(ASIMD))
804 -+ crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
805 - }
806 -
807 - module_init(chacha_simd_mod_init);
808 ---- b/arch/x86/crypto/chacha_glue.c
809 -+++ b/arch/x86/crypto/chacha_glue.c
810 -@@ -7,38 +7,36 @@
811 - */
812 -
813 - #include <crypto/algapi.h>
814 --#include <crypto/chacha.h>
815 -+#include <crypto/internal/chacha.h>
816 - #include <crypto/internal/simd.h>
817 - #include <crypto/internal/skcipher.h>
818 - #include <linux/kernel.h>
819 - #include <linux/module.h>
820 - #include <asm/simd.h>
821 -
822 --#define CHACHA_STATE_ALIGN 16
823 --
824 - asmlinkage void chacha_block_xor_ssse3(u32 *state, u8 *dst, const u8 *src,
825 - unsigned int len, int nrounds);
826 - asmlinkage void chacha_4block_xor_ssse3(u32 *state, u8 *dst, const u8 *src,
827 - unsigned int len, int nrounds);
828 - asmlinkage void hchacha_block_ssse3(const u32 *state, u32 *out, int nrounds);
829 --#ifdef CONFIG_AS_AVX2
830 -+
831 - asmlinkage void chacha_2block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
832 - unsigned int len, int nrounds);
833 - asmlinkage void chacha_4block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
834 - unsigned int len, int nrounds);
835 - asmlinkage void chacha_8block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
836 - unsigned int len, int nrounds);
837 --static bool chacha_use_avx2;
838 --#ifdef CONFIG_AS_AVX512
839 -+
840 - asmlinkage void chacha_2block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
841 - unsigned int len, int nrounds);
842 - asmlinkage void chacha_4block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
843 - unsigned int len, int nrounds);
844 - asmlinkage void chacha_8block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
845 - unsigned int len, int nrounds);
846 --static bool chacha_use_avx512vl;
847 --#endif
848 --#endif
849 -+
850 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_simd);
851 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx2);
852 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx512vl);
853 -
854 - static unsigned int chacha_advance(unsigned int len, unsigned int maxblocks)
855 - {
856 -@@ -49,9 +47,8 @@
857 - static void chacha_dosimd(u32 *state, u8 *dst, const u8 *src,
858 - unsigned int bytes, int nrounds)
859 - {
860 --#ifdef CONFIG_AS_AVX2
861 --#ifdef CONFIG_AS_AVX512
862 -- if (chacha_use_avx512vl) {
863 -+ if (IS_ENABLED(CONFIG_AS_AVX512) &&
864 -+ static_branch_likely(&chacha_use_avx512vl)) {
865 - while (bytes >= CHACHA_BLOCK_SIZE * 8) {
866 - chacha_8block_xor_avx512vl(state, dst, src, bytes,
867 - nrounds);
868 -@@ -79,8 +76,9 @@
869 - return;
870 - }
871 - }
872 --#endif
873 -- if (chacha_use_avx2) {
874 -+
875 -+ if (IS_ENABLED(CONFIG_AS_AVX2) &&
876 -+ static_branch_likely(&chacha_use_avx2)) {
877 - while (bytes >= CHACHA_BLOCK_SIZE * 8) {
878 - chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
879 - bytes -= CHACHA_BLOCK_SIZE * 8;
880 -@@ -104,7 +102,7 @@
881 - return;
882 - }
883 - }
884 --#endif
885 -+
886 - while (bytes >= CHACHA_BLOCK_SIZE * 4) {
887 - chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
888 - bytes -= CHACHA_BLOCK_SIZE * 4;
889 -@@ -123,37 +121,75 @@
890 - }
891 - }
892 -
893 --static int chacha_simd_stream_xor(struct skcipher_walk *walk,
894 -- const struct chacha_ctx *ctx, const u8 *iv)
895 -+void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
896 - {
897 -- u32 *state, state_buf[16 + 2] __aligned(8);
898 -- int next_yield = 4096; /* bytes until next FPU yield */
899 -- int err = 0;
900 -+ if (!static_branch_likely(&chacha_use_simd) || !crypto_simd_usable()) {
901 -+ hchacha_block_generic(state, stream, nrounds);
902 -+ } else {
903 -+ kernel_fpu_begin();
904 -+ hchacha_block_ssse3(state, stream, nrounds);
905 -+ kernel_fpu_end();
906 -+ }
907 -+}
908 -+EXPORT_SYMBOL(hchacha_block_arch);
909 -
910 -- BUILD_BUG_ON(CHACHA_STATE_ALIGN != 16);
911 -- state = PTR_ALIGN(state_buf + 0, CHACHA_STATE_ALIGN);
912 -+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
913 -+{
914 -+ chacha_init_generic(state, key, iv);
915 -+}
916 -+EXPORT_SYMBOL(chacha_init_arch);
917 -
918 -- crypto_chacha_init(state, ctx, iv);
919 -+void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
920 -+ int nrounds)
921 -+{
922 -+ if (!static_branch_likely(&chacha_use_simd) || !crypto_simd_usable() ||
923 -+ bytes <= CHACHA_BLOCK_SIZE)
924 -+ return chacha_crypt_generic(state, dst, src, bytes, nrounds);
925 -+
926 -+ do {
927 -+ unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
928 -+
929 -+ kernel_fpu_begin();
930 -+ chacha_dosimd(state, dst, src, todo, nrounds);
931 -+ kernel_fpu_end();
932 -+
933 -+ bytes -= todo;
934 -+ src += todo;
935 -+ dst += todo;
936 -+ } while (bytes);
937 -+}
938 -+EXPORT_SYMBOL(chacha_crypt_arch);
939 -
940 -- while (walk->nbytes > 0) {
941 -- unsigned int nbytes = walk->nbytes;
942 -+static int chacha_simd_stream_xor(struct skcipher_request *req,
943 -+ const struct chacha_ctx *ctx, const u8 *iv)
944 -+{
945 -+ u32 state[CHACHA_STATE_WORDS] __aligned(8);
946 -+ struct skcipher_walk walk;
947 -+ int err;
948 -
949 -- if (nbytes < walk->total) {
950 -- nbytes = round_down(nbytes, walk->stride);
951 -- next_yield -= nbytes;
952 -- }
953 -+ err = skcipher_walk_virt(&walk, req, false);
954 -
955 -- chacha_dosimd(state, walk->dst.virt.addr, walk->src.virt.addr,
956 -- nbytes, ctx->nrounds);
957 -+ chacha_init_generic(state, ctx->key, iv);
958 -
959 -- if (next_yield <= 0) {
960 -- /* temporarily allow preemption */
961 -- kernel_fpu_end();
962 -+ while (walk.nbytes > 0) {
963 -+ unsigned int nbytes = walk.nbytes;
964 -+
965 -+ if (nbytes < walk.total)
966 -+ nbytes = round_down(nbytes, walk.stride);
967 -+
968 -+ if (!static_branch_likely(&chacha_use_simd) ||
969 -+ !crypto_simd_usable()) {
970 -+ chacha_crypt_generic(state, walk.dst.virt.addr,
971 -+ walk.src.virt.addr, nbytes,
972 -+ ctx->nrounds);
973 -+ } else {
974 - kernel_fpu_begin();
975 -- next_yield = 4096;
976 -+ chacha_dosimd(state, walk.dst.virt.addr,
977 -+ walk.src.virt.addr, nbytes,
978 -+ ctx->nrounds);
979 -+ kernel_fpu_end();
980 - }
981 --
982 -- err = skcipher_walk_done(walk, walk->nbytes - nbytes);
983 -+ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
984 - }
985 -
986 - return err;
987 -@@ -163,55 +199,32 @@
988 - {
989 - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
990 - struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
991 -- struct skcipher_walk walk;
992 -- int err;
993 -
994 -- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
995 -- return crypto_chacha_crypt(req);
996 --
997 -- err = skcipher_walk_virt(&walk, req, true);
998 -- if (err)
999 -- return err;
1000 --
1001 -- kernel_fpu_begin();
1002 -- err = chacha_simd_stream_xor(&walk, ctx, req->iv);
1003 -- kernel_fpu_end();
1004 -- return err;
1005 -+ return chacha_simd_stream_xor(req, ctx, req->iv);
1006 - }
1007 -
1008 - static int xchacha_simd(struct skcipher_request *req)
1009 - {
1010 - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1011 - struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1012 -- struct skcipher_walk walk;
1013 -+ u32 state[CHACHA_STATE_WORDS] __aligned(8);
1014 - struct chacha_ctx subctx;
1015 -- u32 *state, state_buf[16 + 2] __aligned(8);
1016 - u8 real_iv[16];
1017 -- int err;
1018 -
1019 -- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
1020 -- return crypto_xchacha_crypt(req);
1021 -+ chacha_init_generic(state, ctx->key, req->iv);
1022 -
1023 -- err = skcipher_walk_virt(&walk, req, true);
1024 -- if (err)
1025 -- return err;
1026 --
1027 -- BUILD_BUG_ON(CHACHA_STATE_ALIGN != 16);
1028 -- state = PTR_ALIGN(state_buf + 0, CHACHA_STATE_ALIGN);
1029 -- crypto_chacha_init(state, ctx, req->iv);
1030 --
1031 -- kernel_fpu_begin();
1032 --
1033 -- hchacha_block_ssse3(state, subctx.key, ctx->nrounds);
1034 -+ if (req->cryptlen > CHACHA_BLOCK_SIZE && crypto_simd_usable()) {
1035 -+ kernel_fpu_begin();
1036 -+ hchacha_block_ssse3(state, subctx.key, ctx->nrounds);
1037 -+ kernel_fpu_end();
1038 -+ } else {
1039 -+ hchacha_block_generic(state, subctx.key, ctx->nrounds);
1040 -+ }
1041 - subctx.nrounds = ctx->nrounds;
1042 -
1043 - memcpy(&real_iv[0], req->iv + 24, 8);
1044 - memcpy(&real_iv[8], req->iv + 16, 8);
1045 -- err = chacha_simd_stream_xor(&walk, &subctx, real_iv);
1046 --
1047 -- kernel_fpu_end();
1048 --
1049 -- return err;
1050 -+ return chacha_simd_stream_xor(req, &subctx, real_iv);
1051 - }
1052 -
1053 - static struct skcipher_alg algs[] = {
1054 -@@ -227,7 +240,7 @@
1055 - .max_keysize = CHACHA_KEY_SIZE,
1056 - .ivsize = CHACHA_IV_SIZE,
1057 - .chunksize = CHACHA_BLOCK_SIZE,
1058 -- .setkey = crypto_chacha20_setkey,
1059 -+ .setkey = chacha20_setkey,
1060 - .encrypt = chacha_simd,
1061 - .decrypt = chacha_simd,
1062 - }, {
1063 -@@ -242,7 +255,7 @@
1064 - .max_keysize = CHACHA_KEY_SIZE,
1065 - .ivsize = XCHACHA_IV_SIZE,
1066 - .chunksize = CHACHA_BLOCK_SIZE,
1067 -- .setkey = crypto_chacha20_setkey,
1068 -+ .setkey = chacha20_setkey,
1069 - .encrypt = xchacha_simd,
1070 - .decrypt = xchacha_simd,
1071 - }, {
1072 -@@ -257,7 +270,7 @@
1073 - .max_keysize = CHACHA_KEY_SIZE,
1074 - .ivsize = XCHACHA_IV_SIZE,
1075 - .chunksize = CHACHA_BLOCK_SIZE,
1076 -- .setkey = crypto_chacha12_setkey,
1077 -+ .setkey = chacha12_setkey,
1078 - .encrypt = xchacha_simd,
1079 - .decrypt = xchacha_simd,
1080 - },
1081 -@@ -266,24 +279,29 @@
1082 - static int __init chacha_simd_mod_init(void)
1083 - {
1084 - if (!boot_cpu_has(X86_FEATURE_SSSE3))
1085 -- return -ENODEV;
1086 -+ return 0;
1087 -
1088 --#ifdef CONFIG_AS_AVX2
1089 -- chacha_use_avx2 = boot_cpu_has(X86_FEATURE_AVX) &&
1090 -- boot_cpu_has(X86_FEATURE_AVX2) &&
1091 -- cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL);
1092 --#ifdef CONFIG_AS_AVX512
1093 -- chacha_use_avx512vl = chacha_use_avx2 &&
1094 -- boot_cpu_has(X86_FEATURE_AVX512VL) &&
1095 -- boot_cpu_has(X86_FEATURE_AVX512BW); /* kmovq */
1096 --#endif
1097 --#endif
1098 -- return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
1099 -+ static_branch_enable(&chacha_use_simd);
1100 -+
1101 -+ if (IS_ENABLED(CONFIG_AS_AVX2) &&
1102 -+ boot_cpu_has(X86_FEATURE_AVX) &&
1103 -+ boot_cpu_has(X86_FEATURE_AVX2) &&
1104 -+ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) {
1105 -+ static_branch_enable(&chacha_use_avx2);
1106 -+
1107 -+ if (IS_ENABLED(CONFIG_AS_AVX512) &&
1108 -+ boot_cpu_has(X86_FEATURE_AVX512VL) &&
1109 -+ boot_cpu_has(X86_FEATURE_AVX512BW)) /* kmovq */
1110 -+ static_branch_enable(&chacha_use_avx512vl);
1111 -+ }
1112 -+ return IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) ?
1113 -+ crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;
1114 - }
1115 -
1116 - static void __exit chacha_simd_mod_fini(void)
1117 - {
1118 -- crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
1119 -+ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) && boot_cpu_has(X86_FEATURE_SSSE3))
1120 -+ crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
1121 - }
1122 -
1123 - module_init(chacha_simd_mod_init);
1124 ---- b/crypto/chacha_generic.c
1125 -+++ b/crypto/chacha_generic.c
1126 -@@ -8,29 +8,10 @@
1127 -
1128 - #include <asm/unaligned.h>
1129 - #include <crypto/algapi.h>
1130 --#include <crypto/chacha.h>
1131 -+#include <crypto/internal/chacha.h>
1132 - #include <crypto/internal/skcipher.h>
1133 - #include <linux/module.h>
1134 -
1135 --static void chacha_docrypt(u32 *state, u8 *dst, const u8 *src,
1136 -- unsigned int bytes, int nrounds)
1137 --{
1138 -- /* aligned to potentially speed up crypto_xor() */
1139 -- u8 stream[CHACHA_BLOCK_SIZE] __aligned(sizeof(long));
1140 --
1141 -- while (bytes >= CHACHA_BLOCK_SIZE) {
1142 -- chacha_block(state, stream, nrounds);
1143 -- crypto_xor_cpy(dst, src, stream, CHACHA_BLOCK_SIZE);
1144 -- bytes -= CHACHA_BLOCK_SIZE;
1145 -- dst += CHACHA_BLOCK_SIZE;
1146 -- src += CHACHA_BLOCK_SIZE;
1147 -- }
1148 -- if (bytes) {
1149 -- chacha_block(state, stream, nrounds);
1150 -- crypto_xor_cpy(dst, src, stream, bytes);
1151 -- }
1152 --}
1153 --
1154 - static int chacha_stream_xor(struct skcipher_request *req,
1155 - const struct chacha_ctx *ctx, const u8 *iv)
1156 - {
1157 -@@ -40,7 +21,7 @@
1158 -
1159 - err = skcipher_walk_virt(&walk, req, false);
1160 -
1161 -- crypto_chacha_init(state, ctx, iv);
1162 -+ chacha_init_generic(state, ctx->key, iv);
1163 -
1164 - while (walk.nbytes > 0) {
1165 - unsigned int nbytes = walk.nbytes;
1166 -@@ -48,75 +29,23 @@
1167 - if (nbytes < walk.total)
1168 - nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE);
1169 -
1170 -- chacha_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
1171 -- nbytes, ctx->nrounds);
1172 -+ chacha_crypt_generic(state, walk.dst.virt.addr,
1173 -+ walk.src.virt.addr, nbytes, ctx->nrounds);
1174 - err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
1175 - }
1176 -
1177 - return err;
1178 - }
1179 -
1180 --void crypto_chacha_init(u32 *state, const struct chacha_ctx *ctx, const u8 *iv)
1181 --{
1182 -- state[0] = 0x61707865; /* "expa" */
1183 -- state[1] = 0x3320646e; /* "nd 3" */
1184 -- state[2] = 0x79622d32; /* "2-by" */
1185 -- state[3] = 0x6b206574; /* "te k" */
1186 -- state[4] = ctx->key[0];
1187 -- state[5] = ctx->key[1];
1188 -- state[6] = ctx->key[2];
1189 -- state[7] = ctx->key[3];
1190 -- state[8] = ctx->key[4];
1191 -- state[9] = ctx->key[5];
1192 -- state[10] = ctx->key[6];
1193 -- state[11] = ctx->key[7];
1194 -- state[12] = get_unaligned_le32(iv + 0);
1195 -- state[13] = get_unaligned_le32(iv + 4);
1196 -- state[14] = get_unaligned_le32(iv + 8);
1197 -- state[15] = get_unaligned_le32(iv + 12);
1198 --}
1199 --EXPORT_SYMBOL_GPL(crypto_chacha_init);
1200 --
1201 --static int chacha_setkey(struct crypto_skcipher *tfm, const u8 *key,
1202 -- unsigned int keysize, int nrounds)
1203 --{
1204 -- struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1205 -- int i;
1206 --
1207 -- if (keysize != CHACHA_KEY_SIZE)
1208 -- return -EINVAL;
1209 --
1210 -- for (i = 0; i < ARRAY_SIZE(ctx->key); i++)
1211 -- ctx->key[i] = get_unaligned_le32(key + i * sizeof(u32));
1212 --
1213 -- ctx->nrounds = nrounds;
1214 -- return 0;
1215 --}
1216 --
1217 --int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
1218 -- unsigned int keysize)
1219 --{
1220 -- return chacha_setkey(tfm, key, keysize, 20);
1221 --}
1222 --EXPORT_SYMBOL_GPL(crypto_chacha20_setkey);
1223 --
1224 --int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
1225 -- unsigned int keysize)
1226 --{
1227 -- return chacha_setkey(tfm, key, keysize, 12);
1228 --}
1229 --EXPORT_SYMBOL_GPL(crypto_chacha12_setkey);
1230 --
1231 --int crypto_chacha_crypt(struct skcipher_request *req)
1232 -+static int crypto_chacha_crypt(struct skcipher_request *req)
1233 - {
1234 - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1235 - struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1236 -
1237 - return chacha_stream_xor(req, ctx, req->iv);
1238 - }
1239 --EXPORT_SYMBOL_GPL(crypto_chacha_crypt);
1240 -
1241 --int crypto_xchacha_crypt(struct skcipher_request *req)
1242 -+static int crypto_xchacha_crypt(struct skcipher_request *req)
1243 - {
1244 - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1245 - struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1246 -@@ -125,8 +54,8 @@
1247 - u8 real_iv[16];
1248 -
1249 - /* Compute the subkey given the original key and first 128 nonce bits */
1250 -- crypto_chacha_init(state, ctx, req->iv);
1251 -- hchacha_block(state, subctx.key, ctx->nrounds);
1252 -+ chacha_init_generic(state, ctx->key, req->iv);
1253 -+ hchacha_block_generic(state, subctx.key, ctx->nrounds);
1254 - subctx.nrounds = ctx->nrounds;
1255 -
1256 - /* Build the real IV */
1257 -@@ -136,7 +65,6 @@
1258 - /* Generate the stream and XOR it with the data */
1259 - return chacha_stream_xor(req, &subctx, real_iv);
1260 - }
1261 --EXPORT_SYMBOL_GPL(crypto_xchacha_crypt);
1262 -
1263 - static struct skcipher_alg algs[] = {
1264 - {
1265 -@@ -151,7 +79,7 @@
1266 - .max_keysize = CHACHA_KEY_SIZE,
1267 - .ivsize = CHACHA_IV_SIZE,
1268 - .chunksize = CHACHA_BLOCK_SIZE,
1269 -- .setkey = crypto_chacha20_setkey,
1270 -+ .setkey = chacha20_setkey,
1271 - .encrypt = crypto_chacha_crypt,
1272 - .decrypt = crypto_chacha_crypt,
1273 - }, {
1274 -@@ -166,7 +94,7 @@
1275 - .max_keysize = CHACHA_KEY_SIZE,
1276 - .ivsize = XCHACHA_IV_SIZE,
1277 - .chunksize = CHACHA_BLOCK_SIZE,
1278 -- .setkey = crypto_chacha20_setkey,
1279 -+ .setkey = chacha20_setkey,
1280 - .encrypt = crypto_xchacha_crypt,
1281 - .decrypt = crypto_xchacha_crypt,
1282 - }, {
1283 -@@ -181,7 +109,7 @@
1284 - .max_keysize = CHACHA_KEY_SIZE,
1285 - .ivsize = XCHACHA_IV_SIZE,
1286 - .chunksize = CHACHA_BLOCK_SIZE,
1287 -- .setkey = crypto_chacha12_setkey,
1288 -+ .setkey = chacha12_setkey,
1289 - .encrypt = crypto_xchacha_crypt,
1290 - .decrypt = crypto_xchacha_crypt,
1291 - }
1292 ---- b/include/crypto/chacha.h
1293 -+++ b/include/crypto/chacha.h
1294 -@@ -15,9 +15,8 @@
1295 - #ifndef _CRYPTO_CHACHA_H
1296 - #define _CRYPTO_CHACHA_H
1297 -
1298 --#include <crypto/skcipher.h>
1299 -+#include <asm/unaligned.h>
1300 - #include <linux/types.h>
1301 --#include <linux/crypto.h>
1302 -
1303 - /* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
1304 - #define CHACHA_IV_SIZE 16
1305 -@@ -27,28 +26,74 @@
1306 - #define CHACHAPOLY_IV_SIZE 12
1307 -
1308 -+#define CHACHA_STATE_WORDS (CHACHA_BLOCK_SIZE / sizeof(u32))
1309 -+
1310 - /* 192-bit nonce, then 64-bit stream position */
1311 - #define XCHACHA_IV_SIZE 32
1312 -
1313 --struct chacha_ctx {
1314 -- u32 key[8];
1315 -- int nrounds;
1316 --};
1317 --
1318 --void chacha_block(u32 *state, u8 *stream, int nrounds);
1319 -+void chacha_block_generic(u32 *state, u8 *stream, int nrounds);
1320 - static inline void chacha20_block(u32 *state, u8 *stream)
1321 - {
1322 -- chacha_block(state, stream, 20);
1323 -+ chacha_block_generic(state, stream, 20);
1324 -+}
1325 -+
1326 -+void hchacha_block_arch(const u32 *state, u32 *out, int nrounds);
1327 -+void hchacha_block_generic(const u32 *state, u32 *out, int nrounds);
1328 -+
1329 -+static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
1330 -+{
1331 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
1332 -+ hchacha_block_arch(state, out, nrounds);
1333 -+ else
1334 -+ hchacha_block_generic(state, out, nrounds);
1335 -+}
1336 -+
1337 -+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
1338 -+static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
1339 -+{
1340 -+ state[0] = 0x61707865; /* "expa" */
1341 -+ state[1] = 0x3320646e; /* "nd 3" */
1342 -+ state[2] = 0x79622d32; /* "2-by" */
1343 -+ state[3] = 0x6b206574; /* "te k" */
1344 -+ state[4] = key[0];
1345 -+ state[5] = key[1];
1346 -+ state[6] = key[2];
1347 -+ state[7] = key[3];
1348 -+ state[8] = key[4];
1349 -+ state[9] = key[5];
1350 -+ state[10] = key[6];
1351 -+ state[11] = key[7];
1352 -+ state[12] = get_unaligned_le32(iv + 0);
1353 -+ state[13] = get_unaligned_le32(iv + 4);
1354 -+ state[14] = get_unaligned_le32(iv + 8);
1355 -+ state[15] = get_unaligned_le32(iv + 12);
1356 -+}
1357 -+
1358 -+static inline void chacha_init(u32 *state, const u32 *key, const u8 *iv)
1359 -+{
1360 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
1361 -+ chacha_init_arch(state, key, iv);
1362 -+ else
1363 -+ chacha_init_generic(state, key, iv);
1364 - }
1365 --void hchacha_block(const u32 *in, u32 *out, int nrounds);
1366 -
1367 --void crypto_chacha_init(u32 *state, const struct chacha_ctx *ctx, const u8 *iv);
1368 -+void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
1369 -+ unsigned int bytes, int nrounds);
1370 -+void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
1371 -+ unsigned int bytes, int nrounds);
1372 -
1373 --int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
1374 -- unsigned int keysize);
1375 --int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
1376 -- unsigned int keysize);
1377 -+static inline void chacha_crypt(u32 *state, u8 *dst, const u8 *src,
1378 -+ unsigned int bytes, int nrounds)
1379 -+{
1380 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
1381 -+ chacha_crypt_arch(state, dst, src, bytes, nrounds);
1382 -+ else
1383 -+ chacha_crypt_generic(state, dst, src, bytes, nrounds);
1384 -+}
1385 -
1386 --int crypto_chacha_crypt(struct skcipher_request *req);
1387 --int crypto_xchacha_crypt(struct skcipher_request *req);
1388 -+static inline void chacha20_crypt(u32 *state, u8 *dst, const u8 *src,
1389 -+ unsigned int bytes)
1390 -+{
1391 -+ chacha_crypt(state, dst, src, bytes, 20);
1392 -+}
1393 -
1394 - #endif /* _CRYPTO_CHACHA_H */
1395 ---- b/include/crypto/internal/chacha.h
1396 -+++ b/include/crypto/internal/chacha.h
1397 -@@ -0,0 +1,43 @@
1398 -+/* SPDX-License-Identifier: GPL-2.0 */
1399 -+
1400 -+#ifndef _CRYPTO_INTERNAL_CHACHA_H
1401 -+#define _CRYPTO_INTERNAL_CHACHA_H
1402 -+
1403 -+#include <crypto/chacha.h>
1404 -+#include <crypto/internal/skcipher.h>
1405 -+#include <linux/crypto.h>
1406 -+
1407 -+struct chacha_ctx {
1408 -+ u32 key[8];
1409 -+ int nrounds;
1410 -+};
1411 -+
1412 -+static inline int chacha_setkey(struct crypto_skcipher *tfm, const u8 *key,
1413 -+ unsigned int keysize, int nrounds)
1414 -+{
1415 -+ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1416 -+ int i;
1417 -+
1418 -+ if (keysize != CHACHA_KEY_SIZE)
1419 -+ return -EINVAL;
1420 -+
1421 -+ for (i = 0; i < ARRAY_SIZE(ctx->key); i++)
1422 -+ ctx->key[i] = get_unaligned_le32(key + i * sizeof(u32));
1423 -+
1424 -+ ctx->nrounds = nrounds;
1425 -+ return 0;
1426 -+}
1427 -+
1428 -+static inline int chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
1429 -+ unsigned int keysize)
1430 -+{
1431 -+ return chacha_setkey(tfm, key, keysize, 20);
1432 -+}
1433 -+
1434 -+static inline int chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
1435 -+ unsigned int keysize)
1436 -+{
1437 -+ return chacha_setkey(tfm, key, keysize, 12);
1438 -+}
1439 -+
1440 -+#endif /* _CRYPTO_CHACHA_H */
1441 ---- a/lib/Makefile
1442 -+++ b/lib/Makefile
1443 -@@ -26,8 +26,7 @@ endif
1444 -
1445 - lib-y := ctype.o string.o vsprintf.o cmdline.o \
1446 - rbtree.o radix-tree.o timerqueue.o xarray.o \
1447 -- idr.o extable.o \
1448 -- sha1.o chacha.o irq_regs.o argv_split.o \
1449 -+ idr.o extable.o sha1.o irq_regs.o argv_split.o \
1450 - flex_proportions.o ratelimit.o show_mem.o \
1451 - is_single_threaded.o plist.o decompress.o kobject_uevent.o \
1452 - earlycpio.o seq_buf.o siphash.o dec_and_lock.o \
1453 ---- a/lib/chacha.c
1454 -+++ /dev/null
1455 -@@ -1,113 +0,0 @@
1456 --// SPDX-License-Identifier: GPL-2.0-or-later
1457 --/*
1458 -- * The "hash function" used as the core of the ChaCha stream cipher (RFC7539)
1459 -- *
1460 -- * Copyright (C) 2015 Martin Willi
1461 -- */
1462 --
1463 --#include <linux/kernel.h>
1464 --#include <linux/export.h>
1465 --#include <linux/bitops.h>
1466 --#include <linux/cryptohash.h>
1467 --#include <asm/unaligned.h>
1468 --#include <crypto/chacha.h>
1469 --
1470 --static void chacha_permute(u32 *x, int nrounds)
1471 --{
1472 -- int i;
1473 --
1474 -- /* whitelist the allowed round counts */
1475 -- WARN_ON_ONCE(nrounds != 20 && nrounds != 12);
1476 --
1477 -- for (i = 0; i < nrounds; i += 2) {
1478 -- x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 16);
1479 -- x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 16);
1480 -- x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 16);
1481 -- x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 16);
1482 --
1483 -- x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 12);
1484 -- x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 12);
1485 -- x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 12);
1486 -- x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 12);
1487 --
1488 -- x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 8);
1489 -- x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 8);
1490 -- x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 8);
1491 -- x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 8);
1492 --
1493 -- x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 7);
1494 -- x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 7);
1495 -- x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 7);
1496 -- x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 7);
1497 --
1498 -- x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 16);
1499 -- x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 16);
1500 -- x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 16);
1501 -- x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 16);
1502 --
1503 -- x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 12);
1504 -- x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 12);
1505 -- x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 12);
1506 -- x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 12);
1507 --
1508 -- x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 8);
1509 -- x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 8);
1510 -- x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 8);
1511 -- x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 8);
1512 --
1513 -- x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 7);
1514 -- x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 7);
1515 -- x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 7);
1516 -- x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 7);
1517 -- }
1518 --}
1519 --
1520 --/**
1521 -- * chacha_block - generate one keystream block and increment block counter
1522 -- * @state: input state matrix (16 32-bit words)
1523 -- * @stream: output keystream block (64 bytes)
1524 -- * @nrounds: number of rounds (20 or 12; 20 is recommended)
1525 -- *
1526 -- * This is the ChaCha core, a function from 64-byte strings to 64-byte strings.
1527 -- * The caller has already converted the endianness of the input. This function
1528 -- * also handles incrementing the block counter in the input matrix.
1529 -- */
1530 --void chacha_block(u32 *state, u8 *stream, int nrounds)
1531 --{
1532 -- u32 x[16];
1533 -- int i;
1534 --
1535 -- memcpy(x, state, 64);
1536 --
1537 -- chacha_permute(x, nrounds);
1538 --
1539 -- for (i = 0; i < ARRAY_SIZE(x); i++)
1540 -- put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]);
1541 --
1542 -- state[12]++;
1543 --}
1544 --EXPORT_SYMBOL(chacha_block);
1545 --
1546 --/**
1547 -- * hchacha_block - abbreviated ChaCha core, for XChaCha
1548 -- * @in: input state matrix (16 32-bit words)
1549 -- * @out: output (8 32-bit words)
1550 -- * @nrounds: number of rounds (20 or 12; 20 is recommended)
1551 -- *
1552 -- * HChaCha is the ChaCha equivalent of HSalsa and is an intermediate step
1553 -- * towards XChaCha (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha
1554 -- * skips the final addition of the initial state, and outputs only certain words
1555 -- * of the state. It should not be used for streaming directly.
1556 -- */
1557 --void hchacha_block(const u32 *in, u32 *out, int nrounds)
1558 --{
1559 -- u32 x[16];
1560 --
1561 -- memcpy(x, in, 64);
1562 --
1563 -- chacha_permute(x, nrounds);
1564 --
1565 -- memcpy(&out[0], &x[0], 16);
1566 -- memcpy(&out[4], &x[12], 16);
1567 --}
1568 --EXPORT_SYMBOL(hchacha_block);
1569 ---- /dev/null
1570 -+++ b/lib/crypto/chacha.c
1571 -@@ -0,0 +1,115 @@
1572 -+// SPDX-License-Identifier: GPL-2.0-or-later
1573 -+/*
1574 -+ * The "hash function" used as the core of the ChaCha stream cipher (RFC7539)
1575 -+ *
1576 -+ * Copyright (C) 2015 Martin Willi
1577 -+ */
1578 -+
1579 -+#include <linux/bug.h>
1580 -+#include <linux/kernel.h>
1581 -+#include <linux/export.h>
1582 -+#include <linux/bitops.h>
1583 -+#include <linux/string.h>
1584 -+#include <linux/cryptohash.h>
1585 -+#include <asm/unaligned.h>
1586 -+#include <crypto/chacha.h>
1587 -+
1588 -+static void chacha_permute(u32 *x, int nrounds)
1589 -+{
1590 -+ int i;
1591 -+
1592 -+ /* whitelist the allowed round counts */
1593 -+ WARN_ON_ONCE(nrounds != 20 && nrounds != 12);
1594 -+
1595 -+ for (i = 0; i < nrounds; i += 2) {
1596 -+ x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 16);
1597 -+ x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 16);
1598 -+ x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 16);
1599 -+ x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 16);
1600 -+
1601 -+ x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 12);
1602 -+ x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 12);
1603 -+ x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 12);
1604 -+ x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 12);
1605 -+
1606 -+ x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 8);
1607 -+ x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 8);
1608 -+ x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 8);
1609 -+ x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 8);
1610 -+
1611 -+ x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 7);
1612 -+ x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 7);
1613 -+ x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 7);
1614 -+ x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 7);
1615 -+
1616 -+ x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 16);
1617 -+ x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 16);
1618 -+ x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 16);
1619 -+ x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 16);
1620 -+
1621 -+ x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 12);
1622 -+ x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 12);
1623 -+ x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 12);
1624 -+ x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 12);
1625 -+
1626 -+ x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 8);
1627 -+ x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 8);
1628 -+ x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 8);
1629 -+ x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 8);
1630 -+
1631 -+ x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 7);
1632 -+ x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 7);
1633 -+ x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 7);
1634 -+ x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 7);
1635 -+ }
1636 -+}
1637 -+
1638 -+/**
1639 -+ * chacha_block - generate one keystream block and increment block counter
1640 -+ * @state: input state matrix (16 32-bit words)
1641 -+ * @stream: output keystream block (64 bytes)
1642 -+ * @nrounds: number of rounds (20 or 12; 20 is recommended)
1643 -+ *
1644 -+ * This is the ChaCha core, a function from 64-byte strings to 64-byte strings.
1645 -+ * The caller has already converted the endianness of the input. This function
1646 -+ * also handles incrementing the block counter in the input matrix.
1647 -+ */
1648 -+void chacha_block_generic(u32 *state, u8 *stream, int nrounds)
1649 -+{
1650 -+ u32 x[16];
1651 -+ int i;
1652 -+
1653 -+ memcpy(x, state, 64);
1654 -+
1655 -+ chacha_permute(x, nrounds);
1656 -+
1657 -+ for (i = 0; i < ARRAY_SIZE(x); i++)
1658 -+ put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]);
1659 -+
1660 -+ state[12]++;
1661 -+}
1662 -+EXPORT_SYMBOL(chacha_block_generic);
1663 -+
1664 -+/**
1665 -+ * hchacha_block_generic - abbreviated ChaCha core, for XChaCha
1666 -+ * @state: input state matrix (16 32-bit words)
1667 -+ * @out: output (8 32-bit words)
1668 -+ * @nrounds: number of rounds (20 or 12; 20 is recommended)
1669 -+ *
1670 -+ * HChaCha is the ChaCha equivalent of HSalsa and is an intermediate step
1671 -+ * towards XChaCha (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha
1672 -+ * skips the final addition of the initial state, and outputs only certain words
1673 -+ * of the state. It should not be used for streaming directly.
1674 -+ */
1675 -+void hchacha_block_generic(const u32 *state, u32 *stream, int nrounds)
1676 -+{
1677 -+ u32 x[16];
1678 -+
1679 -+ memcpy(x, state, 64);
1680 -+
1681 -+ chacha_permute(x, nrounds);
1682 -+
1683 -+ memcpy(&stream[0], &x[0], 16);
1684 -+ memcpy(&stream[4], &x[12], 16);
1685 -+}
1686 -+EXPORT_SYMBOL(hchacha_block_generic);
1687 ---- /dev/null
1688 -+++ b/lib/crypto/libchacha.c
1689 -@@ -0,0 +1,35 @@
1690 -+// SPDX-License-Identifier: GPL-2.0-or-later
1691 -+/*
1692 -+ * The ChaCha stream cipher (RFC7539)
1693 -+ *
1694 -+ * Copyright (C) 2015 Martin Willi
1695 -+ */
1696 -+
1697 -+#include <linux/kernel.h>
1698 -+#include <linux/export.h>
1699 -+#include <linux/module.h>
1700 -+
1701 -+#include <crypto/algapi.h> // for crypto_xor_cpy
1702 -+#include <crypto/chacha.h>
1703 -+
1704 -+void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
1705 -+ unsigned int bytes, int nrounds)
1706 -+{
1707 -+ /* aligned to potentially speed up crypto_xor() */
1708 -+ u8 stream[CHACHA_BLOCK_SIZE] __aligned(sizeof(long));
1709 -+
1710 -+ while (bytes >= CHACHA_BLOCK_SIZE) {
1711 -+ chacha_block_generic(state, stream, nrounds);
1712 -+ crypto_xor_cpy(dst, src, stream, CHACHA_BLOCK_SIZE);
1713 -+ bytes -= CHACHA_BLOCK_SIZE;
1714 -+ dst += CHACHA_BLOCK_SIZE;
1715 -+ src += CHACHA_BLOCK_SIZE;
1716 -+ }
1717 -+ if (bytes) {
1718 -+ chacha_block_generic(state, stream, nrounds);
1719 -+ crypto_xor_cpy(dst, src, stream, bytes);
1720 -+ }
1721 -+}
1722 -+EXPORT_SYMBOL(chacha_crypt_generic);
1723 -+
1724 -+MODULE_LICENSE("GPL");
1725 ---- b/arch/arm64/crypto/Kconfig
1726 -+++ b/arch/arm64/crypto/Kconfig
1727 -@@ -103,7 +103,14 @@
1728 - tristate "ChaCha20, XChaCha20, and XChaCha12 stream ciphers using NEON instructions"
1729 - depends on KERNEL_MODE_NEON
1730 - select CRYPTO_BLKCIPHER
1731 -- select CRYPTO_CHACHA20
1732 -+ select CRYPTO_LIB_CHACHA_GENERIC
1733 -+ select CRYPTO_ARCH_HAVE_LIB_CHACHA
1734 -+
1735 -+config CRYPTO_POLY1305_NEON
1736 -+ tristate "Poly1305 hash function using scalar or NEON instructions"
1737 -+ depends on KERNEL_MODE_NEON
1738 -+ select CRYPTO_HASH
1739 -+ select CRYPTO_ARCH_HAVE_LIB_POLY1305
1740 -
1741 - config CRYPTO_NHPOLY1305_NEON
1742 - tristate "NHPoly1305 hash function using NEON instructions (for Adiantum)"
1743 ---- b/arch/arm/crypto/chacha-scalar-core.S
1744 -+++ b/arch/arm/crypto/chacha-scalar-core.S
1745 -@@ -0,0 +1,460 @@
1746 -+/* SPDX-License-Identifier: GPL-2.0 */
1747 -+/*
1748 -+ * Copyright (C) 2018 Google, Inc.
1749 -+ */
1750 -+
1751 -+#include <linux/linkage.h>
1752 -+#include <asm/assembler.h>
1753 -+
1754 -+/*
1755 -+ * Design notes:
1756 -+ *
1757 -+ * 16 registers would be needed to hold the state matrix, but only 14 are
1758 -+ * available because 'sp' and 'pc' cannot be used. So we spill the elements
1759 -+ * (x8, x9) to the stack and swap them out with (x10, x11). This adds one
1760 -+ * 'ldrd' and one 'strd' instruction per round.
1761 -+ *
1762 -+ * All rotates are performed using the implicit rotate operand accepted by the
1763 -+ * 'add' and 'eor' instructions. This is faster than using explicit rotate
1764 -+ * instructions. To make this work, we allow the values in the second and last
1765 -+ * rows of the ChaCha state matrix (rows 'b' and 'd') to temporarily have the
1766 -+ * wrong rotation amount. The rotation amount is then fixed up just in time
1767 -+ * when the values are used. 'brot' is the number of bits the values in row 'b'
1768 -+ * need to be rotated right to arrive at the correct values, and 'drot'
1769 -+ * similarly for row 'd'. (brot, drot) start out as (0, 0) but we make it such
1770 -+ * that they end up as (25, 24) after every round.
1771 -+ */
1772 -+
1773 -+ // ChaCha state registers
1774 -+ X0 .req r0
1775 -+ X1 .req r1
1776 -+ X2 .req r2
1777 -+ X3 .req r3
1778 -+ X4 .req r4
1779 -+ X5 .req r5
1780 -+ X6 .req r6
1781 -+ X7 .req r7
1782 -+ X8_X10 .req r8 // shared by x8 and x10
1783 -+ X9_X11 .req r9 // shared by x9 and x11
1784 -+ X12 .req r10
1785 -+ X13 .req r11
1786 -+ X14 .req r12
1787 -+ X15 .req r14
1788 -+
1789 -+.macro __rev out, in, t0, t1, t2
1790 -+.if __LINUX_ARM_ARCH__ >= 6
1791 -+ rev \out, \in
1792 -+.else
1793 -+ lsl \t0, \in, #24
1794 -+ and \t1, \in, #0xff00
1795 -+ and \t2, \in, #0xff0000
1796 -+ orr \out, \t0, \in, lsr #24
1797 -+ orr \out, \out, \t1, lsl #8
1798 -+ orr \out, \out, \t2, lsr #8
1799 -+.endif
1800 -+.endm
1801 -+
1802 -+.macro _le32_bswap x, t0, t1, t2
1803 -+#ifdef __ARMEB__
1804 -+ __rev \x, \x, \t0, \t1, \t2
1805 -+#endif
1806 -+.endm
1807 -+
1808 -+.macro _le32_bswap_4x a, b, c, d, t0, t1, t2
1809 -+ _le32_bswap \a, \t0, \t1, \t2
1810 -+ _le32_bswap \b, \t0, \t1, \t2
1811 -+ _le32_bswap \c, \t0, \t1, \t2
1812 -+ _le32_bswap \d, \t0, \t1, \t2
1813 -+.endm
1814 -+
1815 -+.macro __ldrd a, b, src, offset
1816 -+#if __LINUX_ARM_ARCH__ >= 6
1817 -+ ldrd \a, \b, [\src, #\offset]
1818 -+#else
1819 -+ ldr \a, [\src, #\offset]
1820 -+ ldr \b, [\src, #\offset + 4]
1821 -+#endif
1822 -+.endm
1823 -+
1824 -+.macro __strd a, b, dst, offset
1825 -+#if __LINUX_ARM_ARCH__ >= 6
1826 -+ strd \a, \b, [\dst, #\offset]
1827 -+#else
1828 -+ str \a, [\dst, #\offset]
1829 -+ str \b, [\dst, #\offset + 4]
1830 -+#endif
1831 -+.endm
1832 -+
1833 -+.macro _halfround a1, b1, c1, d1, a2, b2, c2, d2
1834 -+
1835 -+ // a += b; d ^= a; d = rol(d, 16);
1836 -+ add \a1, \a1, \b1, ror #brot
1837 -+ add \a2, \a2, \b2, ror #brot
1838 -+ eor \d1, \a1, \d1, ror #drot
1839 -+ eor \d2, \a2, \d2, ror #drot
1840 -+ // drot == 32 - 16 == 16
1841 -+
1842 -+ // c += d; b ^= c; b = rol(b, 12);
1843 -+ add \c1, \c1, \d1, ror #16
1844 -+ add \c2, \c2, \d2, ror #16
1845 -+ eor \b1, \c1, \b1, ror #brot
1846 -+ eor \b2, \c2, \b2, ror #brot
1847 -+ // brot == 32 - 12 == 20
1848 -+
1849 -+ // a += b; d ^= a; d = rol(d, 8);
1850 -+ add \a1, \a1, \b1, ror #20
1851 -+ add \a2, \a2, \b2, ror #20
1852 -+ eor \d1, \a1, \d1, ror #16
1853 -+ eor \d2, \a2, \d2, ror #16
1854 -+ // drot == 32 - 8 == 24
1855 -+
1856 -+ // c += d; b ^= c; b = rol(b, 7);
1857 -+ add \c1, \c1, \d1, ror #24
1858 -+ add \c2, \c2, \d2, ror #24
1859 -+ eor \b1, \c1, \b1, ror #20
1860 -+ eor \b2, \c2, \b2, ror #20
1861 -+ // brot == 32 - 7 == 25
1862 -+.endm
1863 -+
1864 -+.macro _doubleround
1865 -+
1866 -+ // column round
1867 -+
1868 -+ // quarterrounds: (x0, x4, x8, x12) and (x1, x5, x9, x13)
1869 -+ _halfround X0, X4, X8_X10, X12, X1, X5, X9_X11, X13
1870 -+
1871 -+ // save (x8, x9); restore (x10, x11)
1872 -+ __strd X8_X10, X9_X11, sp, 0
1873 -+ __ldrd X8_X10, X9_X11, sp, 8
1874 -+
1875 -+ // quarterrounds: (x2, x6, x10, x14) and (x3, x7, x11, x15)
1876 -+ _halfround X2, X6, X8_X10, X14, X3, X7, X9_X11, X15
1877 -+
1878 -+ .set brot, 25
1879 -+ .set drot, 24
1880 -+
1881 -+ // diagonal round
1882 -+
1883 -+ // quarterrounds: (x0, x5, x10, x15) and (x1, x6, x11, x12)
1884 -+ _halfround X0, X5, X8_X10, X15, X1, X6, X9_X11, X12
1885 -+
1886 -+ // save (x10, x11); restore (x8, x9)
1887 -+ __strd X8_X10, X9_X11, sp, 8
1888 -+ __ldrd X8_X10, X9_X11, sp, 0
1889 -+
1890 -+ // quarterrounds: (x2, x7, x8, x13) and (x3, x4, x9, x14)
1891 -+ _halfround X2, X7, X8_X10, X13, X3, X4, X9_X11, X14
1892 -+.endm
1893 -+
1894 -+.macro _chacha_permute nrounds
1895 -+ .set brot, 0
1896 -+ .set drot, 0
1897 -+ .rept \nrounds / 2
1898 -+ _doubleround
1899 -+ .endr
1900 -+.endm
1901 -+
1902 -+.macro _chacha nrounds
1903 -+
1904 -+.Lnext_block\@:
1905 -+ // Stack: unused0-unused1 x10-x11 x0-x15 OUT IN LEN
1906 -+ // Registers contain x0-x9,x12-x15.
1907 -+
1908 -+ // Do the core ChaCha permutation to update x0-x15.
1909 -+ _chacha_permute \nrounds
1910 -+
1911 -+ add sp, #8
1912 -+ // Stack: x10-x11 orig_x0-orig_x15 OUT IN LEN
1913 -+ // Registers contain x0-x9,x12-x15.
1914 -+ // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
1915 -+
1916 -+ // Free up some registers (r8-r12,r14) by pushing (x8-x9,x12-x15).
1917 -+ push {X8_X10, X9_X11, X12, X13, X14, X15}
1918 -+
1919 -+ // Load (OUT, IN, LEN).
1920 -+ ldr r14, [sp, #96]
1921 -+ ldr r12, [sp, #100]
1922 -+ ldr r11, [sp, #104]
1923 -+
1924 -+ orr r10, r14, r12
1925 -+
1926 -+ // Use slow path if fewer than 64 bytes remain.
1927 -+ cmp r11, #64
1928 -+ blt .Lxor_slowpath\@
1929 -+
1930 -+ // Use slow path if IN and/or OUT isn't 4-byte aligned. Needed even on
1931 -+ // ARMv6+, since ldmia and stmia (used below) still require alignment.
1932 -+ tst r10, #3
1933 -+ bne .Lxor_slowpath\@
1934 -+
1935 -+ // Fast path: XOR 64 bytes of aligned data.
1936 -+
1937 -+ // Stack: x8-x9 x12-x15 x10-x11 orig_x0-orig_x15 OUT IN LEN
1938 -+ // Registers: r0-r7 are x0-x7; r8-r11 are free; r12 is IN; r14 is OUT.
1939 -+ // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
1940 -+
1941 -+ // x0-x3
1942 -+ __ldrd r8, r9, sp, 32
1943 -+ __ldrd r10, r11, sp, 40
1944 -+ add X0, X0, r8
1945 -+ add X1, X1, r9
1946 -+ add X2, X2, r10
1947 -+ add X3, X3, r11
1948 -+ _le32_bswap_4x X0, X1, X2, X3, r8, r9, r10
1949 -+ ldmia r12!, {r8-r11}
1950 -+ eor X0, X0, r8
1951 -+ eor X1, X1, r9
1952 -+ eor X2, X2, r10
1953 -+ eor X3, X3, r11
1954 -+ stmia r14!, {X0-X3}
1955 -+
1956 -+ // x4-x7
1957 -+ __ldrd r8, r9, sp, 48
1958 -+ __ldrd r10, r11, sp, 56
1959 -+ add X4, r8, X4, ror #brot
1960 -+ add X5, r9, X5, ror #brot
1961 -+ ldmia r12!, {X0-X3}
1962 -+ add X6, r10, X6, ror #brot
1963 -+ add X7, r11, X7, ror #brot
1964 -+ _le32_bswap_4x X4, X5, X6, X7, r8, r9, r10
1965 -+ eor X4, X4, X0
1966 -+ eor X5, X5, X1
1967 -+ eor X6, X6, X2
1968 -+ eor X7, X7, X3
1969 -+ stmia r14!, {X4-X7}
1970 -+
1971 -+ // x8-x15
1972 -+ pop {r0-r7} // (x8-x9,x12-x15,x10-x11)
1973 -+ __ldrd r8, r9, sp, 32
1974 -+ __ldrd r10, r11, sp, 40
1975 -+ add r0, r0, r8 // x8
1976 -+ add r1, r1, r9 // x9
1977 -+ add r6, r6, r10 // x10
1978 -+ add r7, r7, r11 // x11
1979 -+ _le32_bswap_4x r0, r1, r6, r7, r8, r9, r10
1980 -+ ldmia r12!, {r8-r11}
1981 -+ eor r0, r0, r8 // x8
1982 -+ eor r1, r1, r9 // x9
1983 -+ eor r6, r6, r10 // x10
1984 -+ eor r7, r7, r11 // x11
1985 -+ stmia r14!, {r0,r1,r6,r7}
1986 -+ ldmia r12!, {r0,r1,r6,r7}
1987 -+ __ldrd r8, r9, sp, 48
1988 -+ __ldrd r10, r11, sp, 56
1989 -+ add r2, r8, r2, ror #drot // x12
1990 -+ add r3, r9, r3, ror #drot // x13
1991 -+ add r4, r10, r4, ror #drot // x14
1992 -+ add r5, r11, r5, ror #drot // x15
1993 -+ _le32_bswap_4x r2, r3, r4, r5, r9, r10, r11
1994 -+ ldr r9, [sp, #72] // load LEN
1995 -+ eor r2, r2, r0 // x12
1996 -+ eor r3, r3, r1 // x13
1997 -+ eor r4, r4, r6 // x14
1998 -+ eor r5, r5, r7 // x15
1999 -+ subs r9, #64 // decrement and check LEN
2000 -+ stmia r14!, {r2-r5}
2001 -+
2002 -+ beq .Ldone\@
2003 -+
2004 -+.Lprepare_for_next_block\@:
2005 -+
2006 -+ // Stack: x0-x15 OUT IN LEN
2007 -+
2008 -+ // Increment block counter (x12)
2009 -+ add r8, #1
2010 -+
2011 -+ // Store updated (OUT, IN, LEN)
2012 -+ str r14, [sp, #64]
2013 -+ str r12, [sp, #68]
2014 -+ str r9, [sp, #72]
2015 -+
2016 -+ mov r14, sp
2017 -+
2018 -+ // Store updated block counter (x12)
2019 -+ str r8, [sp, #48]
2020 -+
2021 -+ sub sp, #16
2022 -+
2023 -+ // Reload state and do next block
2024 -+ ldmia r14!, {r0-r11} // load x0-x11
2025 -+ __strd r10, r11, sp, 8 // store x10-x11 before state
2026 -+ ldmia r14, {r10-r12,r14} // load x12-x15
2027 -+ b .Lnext_block\@
2028 -+
2029 -+.Lxor_slowpath\@:
2030 -+ // Slow path: < 64 bytes remaining, or unaligned input or output buffer.
2031 -+ // We handle it by storing the 64 bytes of keystream to the stack, then
2032 -+ // XOR-ing the needed portion with the data.
2033 -+
2034 -+ // Allocate keystream buffer
2035 -+ sub sp, #64
2036 -+ mov r14, sp
2037 -+
2038 -+ // Stack: ks0-ks15 x8-x9 x12-x15 x10-x11 orig_x0-orig_x15 OUT IN LEN
2039 -+ // Registers: r0-r7 are x0-x7; r8-r11 are free; r12 is IN; r14 is &ks0.
2040 -+ // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
2041 -+
2042 -+ // Save keystream for x0-x3
2043 -+ __ldrd r8, r9, sp, 96
2044 -+ __ldrd r10, r11, sp, 104
2045 -+ add X0, X0, r8
2046 -+ add X1, X1, r9
2047 -+ add X2, X2, r10
2048 -+ add X3, X3, r11
2049 -+ _le32_bswap_4x X0, X1, X2, X3, r8, r9, r10
2050 -+ stmia r14!, {X0-X3}
2051 -+
2052 -+ // Save keystream for x4-x7
2053 -+ __ldrd r8, r9, sp, 112
2054 -+ __ldrd r10, r11, sp, 120
2055 -+ add X4, r8, X4, ror #brot
2056 -+ add X5, r9, X5, ror #brot
2057 -+ add X6, r10, X6, ror #brot
2058 -+ add X7, r11, X7, ror #brot
2059 -+ _le32_bswap_4x X4, X5, X6, X7, r8, r9, r10
2060 -+ add r8, sp, #64
2061 -+ stmia r14!, {X4-X7}
2062 -+
2063 -+ // Save keystream for x8-x15
2064 -+ ldm r8, {r0-r7} // (x8-x9,x12-x15,x10-x11)
2065 -+ __ldrd r8, r9, sp, 128
2066 -+ __ldrd r10, r11, sp, 136
2067 -+ add r0, r0, r8 // x8
2068 -+ add r1, r1, r9 // x9
2069 -+ add r6, r6, r10 // x10
2070 -+ add r7, r7, r11 // x11
2071 -+ _le32_bswap_4x r0, r1, r6, r7, r8, r9, r10
2072 -+ stmia r14!, {r0,r1,r6,r7}
2073 -+ __ldrd r8, r9, sp, 144
2074 -+ __ldrd r10, r11, sp, 152
2075 -+ add r2, r8, r2, ror #drot // x12
2076 -+ add r3, r9, r3, ror #drot // x13
2077 -+ add r4, r10, r4, ror #drot // x14
2078 -+ add r5, r11, r5, ror #drot // x15
2079 -+ _le32_bswap_4x r2, r3, r4, r5, r9, r10, r11
2080 -+ stmia r14, {r2-r5}
2081 -+
2082 -+ // Stack: ks0-ks15 unused0-unused7 x0-x15 OUT IN LEN
2083 -+ // Registers: r8 is block counter, r12 is IN.
2084 -+
2085 -+ ldr r9, [sp, #168] // LEN
2086 -+ ldr r14, [sp, #160] // OUT
2087 -+ cmp r9, #64
2088 -+ mov r0, sp
2089 -+ movle r1, r9
2090 -+ movgt r1, #64
2091 -+ // r1 is number of bytes to XOR, in range [1, 64]
2092 -+
2093 -+.if __LINUX_ARM_ARCH__ < 6
2094 -+ orr r2, r12, r14
2095 -+ tst r2, #3 // IN or OUT misaligned?
2096 -+ bne .Lxor_next_byte\@
2097 -+.endif
2098 -+
2099 -+ // XOR a word at a time
2100 -+.rept 16
2101 -+ subs r1, #4
2102 -+ blt .Lxor_words_done\@
2103 -+ ldr r2, [r12], #4
2104 -+ ldr r3, [r0], #4
2105 -+ eor r2, r2, r3
2106 -+ str r2, [r14], #4
2107 -+.endr
2108 -+ b .Lxor_slowpath_done\@
2109 -+.Lxor_words_done\@:
2110 -+ ands r1, r1, #3
2111 -+ beq .Lxor_slowpath_done\@
2112 -+
2113 -+ // XOR a byte at a time
2114 -+.Lxor_next_byte\@:
2115 -+ ldrb r2, [r12], #1
2116 -+ ldrb r3, [r0], #1
2117 -+ eor r2, r2, r3
2118 -+ strb r2, [r14], #1
2119 -+ subs r1, #1
2120 -+ bne .Lxor_next_byte\@
2121 -+
2122 -+.Lxor_slowpath_done\@:
2123 -+ subs r9, #64
2124 -+ add sp, #96
2125 -+ bgt .Lprepare_for_next_block\@
2126 -+
2127 -+.Ldone\@:
2128 -+.endm // _chacha
2129 -+
2130 -+/*
2131 -+ * void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
2132 -+ * const u32 *state, int nrounds);
2133 -+ */
2134 -+ENTRY(chacha_doarm)
2135 -+ cmp r2, #0 // len == 0?
2136 -+ reteq lr
2137 -+
2138 -+ ldr ip, [sp]
2139 -+ cmp ip, #12
2140 -+
2141 -+ push {r0-r2,r4-r11,lr}
2142 -+
2143 -+ // Push state x0-x15 onto stack.
2144 -+ // Also store an extra copy of x10-x11 just before the state.
2145 -+
2146 -+ add X12, r3, #48
2147 -+ ldm X12, {X12,X13,X14,X15}
2148 -+ push {X12,X13,X14,X15}
2149 -+ sub sp, sp, #64
2150 -+
2151 -+ __ldrd X8_X10, X9_X11, r3, 40
2152 -+ __strd X8_X10, X9_X11, sp, 8
2153 -+ __strd X8_X10, X9_X11, sp, 56
2154 -+ ldm r3, {X0-X9_X11}
2155 -+ __strd X0, X1, sp, 16
2156 -+ __strd X2, X3, sp, 24
2157 -+ __strd X4, X5, sp, 32
2158 -+ __strd X6, X7, sp, 40
2159 -+ __strd X8_X10, X9_X11, sp, 48
2160 -+
2161 -+ beq 1f
2162 -+ _chacha 20
2163 -+
2164 -+0: add sp, #76
2165 -+ pop {r4-r11, pc}
2166 -+
2167 -+1: _chacha 12
2168 -+ b 0b
2169 -+ENDPROC(chacha_doarm)
2170 -+
2171 -+/*
2172 -+ * void hchacha_block_arm(const u32 state[16], u32 out[8], int nrounds);
2173 -+ */
2174 -+ENTRY(hchacha_block_arm)
2175 -+ push {r1,r4-r11,lr}
2176 -+
2177 -+ cmp r2, #12 // ChaCha12 ?
2178 -+
2179 -+ mov r14, r0
2180 -+ ldmia r14!, {r0-r11} // load x0-x11
2181 -+ push {r10-r11} // store x10-x11 to stack
2182 -+ ldm r14, {r10-r12,r14} // load x12-x15
2183 -+ sub sp, #8
2184 -+
2185 -+ beq 1f
2186 -+ _chacha_permute 20
2187 -+
2188 -+ // Skip over (unused0-unused1, x10-x11)
2189 -+0: add sp, #16
2190 -+
2191 -+ // Fix up rotations of x12-x15
2192 -+ ror X12, X12, #drot
2193 -+ ror X13, X13, #drot
2194 -+ pop {r4} // load 'out'
2195 -+ ror X14, X14, #drot
2196 -+ ror X15, X15, #drot
2197 -+
2198 -+ // Store (x0-x3,x12-x15) to 'out'
2199 -+ stm r4, {X0,X1,X2,X3,X12,X13,X14,X15}
2200 -+
2201 -+ pop {r4-r11,pc}
2202 -+
2203 -+1: _chacha_permute 12
2204 -+ b 0b
2205 -+ENDPROC(hchacha_block_arm)
2206 ---- b/arch/arm/crypto/Kconfig
2207 -+++ b/arch/arm/crypto/Kconfig
2208 -@@ -129,12 +129,22 @@
2209 - config CRYPTO_CHACHA20_NEON
2210 -- tristate "NEON accelerated ChaCha stream cipher algorithms"
2211 -- depends on KERNEL_MODE_NEON
2212 -+ tristate "NEON and scalar accelerated ChaCha stream cipher algorithms"
2213 - select CRYPTO_BLKCIPHER
2214 -- select CRYPTO_CHACHA20
2215 -+ select CRYPTO_ARCH_HAVE_LIB_CHACHA
2216 -+
2217 -+config CRYPTO_POLY1305_ARM
2218 -+ tristate "Accelerated scalar and SIMD Poly1305 hash implementations"
2219 -+ select CRYPTO_HASH
2220 -+ select CRYPTO_ARCH_HAVE_LIB_POLY1305
2221 -
2222 - config CRYPTO_NHPOLY1305_NEON
2223 - tristate "NEON accelerated NHPoly1305 hash function (for Adiantum)"
2224 - depends on KERNEL_MODE_NEON
2225 - select CRYPTO_NHPOLY1305
2226 -
2227 -+config CRYPTO_CURVE25519_NEON
2228 -+ tristate "NEON accelerated Curve25519 scalar multiplication library"
2229 -+ depends on KERNEL_MODE_NEON
2230 -+ select CRYPTO_LIB_CURVE25519_GENERIC
2231 -+ select CRYPTO_ARCH_HAVE_LIB_CURVE25519
2232 -+
2233 - endif
2234 ---- b/arch/arm/crypto/Makefile
2235 -+++ b/arch/arm/crypto/Makefile
2236 -@@ -10,7 +10,9 @@
2237 - obj-$(CONFIG_CRYPTO_SHA256_ARM) += sha256-arm.o
2238 - obj-$(CONFIG_CRYPTO_SHA512_ARM) += sha512-arm.o
2239 - obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
2240 -+obj-$(CONFIG_CRYPTO_POLY1305_ARM) += poly1305-arm.o
2241 - obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
2242 -+obj-$(CONFIG_CRYPTO_CURVE25519_NEON) += curve25519-neon.o
2243 -
2244 - ce-obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o
2245 - ce-obj-$(CONFIG_CRYPTO_SHA1_ARM_CE) += sha1-arm-ce.o
2246 -@@ -53,13 +55,19 @@
2247 - ghash-arm-ce-y := ghash-ce-core.o ghash-ce-glue.o
2248 - crct10dif-arm-ce-y := crct10dif-ce-core.o crct10dif-ce-glue.o
2249 - crc32-arm-ce-y:= crc32-ce-core.o crc32-ce-glue.o
2250 --chacha-neon-y := chacha-neon-core.o chacha-neon-glue.o
2251 -+chacha-neon-y := chacha-scalar-core.o chacha-glue.o
2252 -+chacha-neon-$(CONFIG_KERNEL_MODE_NEON) += chacha-neon-core.o
2253 -+poly1305-arm-y := poly1305-core.o poly1305-glue.o
2254 - nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
2255 -+curve25519-neon-y := curve25519-core.o curve25519-glue.o
2256 -
2257 - ifdef REGENERATE_ARM_CRYPTO
2258 - quiet_cmd_perl = PERL $@
2259 - cmd_perl = $(PERL) $(<) > $(@)
2260 -
2261 -+$(src)/poly1305-core.S_shipped: $(src)/poly1305-armv4.pl
2262 -+ $(call cmd,perl)
2263 -+
2264 - $(src)/sha256-core.S_shipped: $(src)/sha256-armv4.pl
2265 - $(call cmd,perl)
2266 -
2267 -@@ -70 +78,6 @@
2268 --clean-files += sha256-core.S sha512-core.S
2269 -+clean-files += poly1305-core.S sha256-core.S sha512-core.S
2270 -+
2271 -+# massage the perlasm code a bit so we only get the NEON routine if we need it
2272 -+poly1305-aflags-$(CONFIG_CPU_V7) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=5
2273 -+poly1305-aflags-$(CONFIG_KERNEL_MODE_NEON) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=7
2274 -+AFLAGS_poly1305-core.o += $(poly1305-aflags-y)
2275 ---- b/arch/arm/crypto/chacha-glue.c
2276 -+++ b/arch/arm/crypto/chacha-glue.c
2277 -@@ -0,0 +1,357 @@
2278 -+// SPDX-License-Identifier: GPL-2.0
2279 -+/*
2280 -+ * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
2281 -+ * including ChaCha20 (RFC7539)
2282 -+ *
2283 -+ * Copyright (C) 2016-2019 Linaro, Ltd. <ard.biesheuvel@××××××.org>
2284 -+ * Copyright (C) 2015 Martin Willi
2285 -+ */
2286 -+
2287 -+#include <crypto/algapi.h>
2288 -+#include <crypto/internal/chacha.h>
2289 -+#include <crypto/internal/simd.h>
2290 -+#include <crypto/internal/skcipher.h>
2291 -+#include <linux/jump_label.h>
2292 -+#include <linux/kernel.h>
2293 -+#include <linux/module.h>
2294 -+
2295 -+#include <asm/cputype.h>
2296 -+#include <asm/hwcap.h>
2297 -+#include <asm/neon.h>
2298 -+#include <asm/simd.h>
2299 -+
2300 -+asmlinkage void chacha_block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
2301 -+ int nrounds);
2302 -+asmlinkage void chacha_4block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
2303 -+ int nrounds, unsigned int nbytes);
2304 -+asmlinkage void hchacha_block_arm(const u32 *state, u32 *out, int nrounds);
2305 -+asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
2306 -+
2307 -+asmlinkage void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
2308 -+ const u32 *state, int nrounds);
2309 -+
2310 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_neon);
2311 -+
2312 -+static inline bool neon_usable(void)
2313 -+{
2314 -+ return static_branch_likely(&use_neon) && crypto_simd_usable();
2315 -+}
2316 -+
2317 -+static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
2318 -+ unsigned int bytes, int nrounds)
2319 -+{
2320 -+ u8 buf[CHACHA_BLOCK_SIZE];
2321 -+
2322 -+ while (bytes > CHACHA_BLOCK_SIZE) {
2323 -+ unsigned int l = min(bytes, CHACHA_BLOCK_SIZE * 4U);
2324 -+
2325 -+ chacha_4block_xor_neon(state, dst, src, nrounds, l);
2326 -+ bytes -= l;
2327 -+ src += l;
2328 -+ dst += l;
2329 -+ state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
2330 -+ }
2331 -+ if (bytes) {
2332 -+ const u8 *s = src;
2333 -+ u8 *d = dst;
2334 -+
2335 -+ if (bytes != CHACHA_BLOCK_SIZE)
2336 -+ s = d = memcpy(buf, src, bytes);
2337 -+ chacha_block_xor_neon(state, d, s, nrounds);
2338 -+ if (d != dst)
2339 -+ memcpy(dst, buf, bytes);
2340 -+ }
2341 -+}
2342 -+
2343 -+void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
2344 -+{
2345 -+ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable()) {
2346 -+ hchacha_block_arm(state, stream, nrounds);
2347 -+ } else {
2348 -+ kernel_neon_begin();
2349 -+ hchacha_block_neon(state, stream, nrounds);
2350 -+ kernel_neon_end();
2351 -+ }
2352 -+}
2353 -+EXPORT_SYMBOL(hchacha_block_arch);
2354 -+
2355 -+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
2356 -+{
2357 -+ chacha_init_generic(state, key, iv);
2358 -+}
2359 -+EXPORT_SYMBOL(chacha_init_arch);
2360 -+
2361 -+void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
2362 -+ int nrounds)
2363 -+{
2364 -+ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable() ||
2365 -+ bytes <= CHACHA_BLOCK_SIZE) {
2366 -+ chacha_doarm(dst, src, bytes, state, nrounds);
2367 -+ state[12] += DIV_ROUND_UP(bytes, CHACHA_BLOCK_SIZE);
2368 -+ return;
2369 -+ }
2370 -+
2371 -+ do {
2372 -+ unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
2373 -+
2374 -+ kernel_neon_begin();
2375 -+ chacha_doneon(state, dst, src, todo, nrounds);
2376 -+ kernel_neon_end();
2377 -+
2378 -+ bytes -= todo;
2379 -+ src += todo;
2380 -+ dst += todo;
2381 -+ } while (bytes);
2382 -+}
2383 -+EXPORT_SYMBOL(chacha_crypt_arch);
2384 -+
2385 -+static int chacha_stream_xor(struct skcipher_request *req,
2386 -+ const struct chacha_ctx *ctx, const u8 *iv,
2387 -+ bool neon)
2388 -+{
2389 -+ struct skcipher_walk walk;
2390 -+ u32 state[16];
2391 -+ int err;
2392 -+
2393 -+ err = skcipher_walk_virt(&walk, req, false);
2394 -+
2395 -+ chacha_init_generic(state, ctx->key, iv);
2396 -+
2397 -+ while (walk.nbytes > 0) {
2398 -+ unsigned int nbytes = walk.nbytes;
2399 -+
2400 -+ if (nbytes < walk.total)
2401 -+ nbytes = round_down(nbytes, walk.stride);
2402 -+
2403 -+ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon) {
2404 -+ chacha_doarm(walk.dst.virt.addr, walk.src.virt.addr,
2405 -+ nbytes, state, ctx->nrounds);
2406 -+ state[12] += DIV_ROUND_UP(nbytes, CHACHA_BLOCK_SIZE);
2407 -+ } else {
2408 -+ kernel_neon_begin();
2409 -+ chacha_doneon(state, walk.dst.virt.addr,
2410 -+ walk.src.virt.addr, nbytes, ctx->nrounds);
2411 -+ kernel_neon_end();
2412 -+ }
2413 -+ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
2414 -+ }
2415 -+
2416 -+ return err;
2417 -+}
2418 -+
2419 -+static int do_chacha(struct skcipher_request *req, bool neon)
2420 -+{
2421 -+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2422 -+ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
2423 -+
2424 -+ return chacha_stream_xor(req, ctx, req->iv, neon);
2425 -+}
2426 -+
2427 -+static int chacha_arm(struct skcipher_request *req)
2428 -+{
2429 -+ return do_chacha(req, false);
2430 -+}
2431 -+
2432 -+static int chacha_neon(struct skcipher_request *req)
2433 -+{
2434 -+ return do_chacha(req, neon_usable());
2435 -+}
2436 -+
2437 -+static int do_xchacha(struct skcipher_request *req, bool neon)
2438 -+{
2439 -+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2440 -+ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
2441 -+ struct chacha_ctx subctx;
2442 -+ u32 state[16];
2443 -+ u8 real_iv[16];
2444 -+
2445 -+ chacha_init_generic(state, ctx->key, req->iv);
2446 -+
2447 -+ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon) {
2448 -+ hchacha_block_arm(state, subctx.key, ctx->nrounds);
2449 -+ } else {
2450 -+ kernel_neon_begin();
2451 -+ hchacha_block_neon(state, subctx.key, ctx->nrounds);
2452 -+ kernel_neon_end();
2453 -+ }
2454 -+ subctx.nrounds = ctx->nrounds;
2455 -+
2456 -+ memcpy(&real_iv[0], req->iv + 24, 8);
2457 -+ memcpy(&real_iv[8], req->iv + 16, 8);
2458 -+ return chacha_stream_xor(req, &subctx, real_iv, neon);
2459 -+}
2460 -+
2461 -+static int xchacha_arm(struct skcipher_request *req)
2462 -+{
2463 -+ return do_xchacha(req, false);
2464 -+}
2465 -+
2466 -+static int xchacha_neon(struct skcipher_request *req)
2467 -+{
2468 -+ return do_xchacha(req, neon_usable());
2469 -+}
2470 -+
2471 -+static struct skcipher_alg arm_algs[] = {
2472 -+ {
2473 -+ .base.cra_name = "chacha20",
2474 -+ .base.cra_driver_name = "chacha20-arm",
2475 -+ .base.cra_priority = 200,
2476 -+ .base.cra_blocksize = 1,
2477 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2478 -+ .base.cra_module = THIS_MODULE,
2479 -+
2480 -+ .min_keysize = CHACHA_KEY_SIZE,
2481 -+ .max_keysize = CHACHA_KEY_SIZE,
2482 -+ .ivsize = CHACHA_IV_SIZE,
2483 -+ .chunksize = CHACHA_BLOCK_SIZE,
2484 -+ .setkey = chacha20_setkey,
2485 -+ .encrypt = chacha_arm,
2486 -+ .decrypt = chacha_arm,
2487 -+ }, {
2488 -+ .base.cra_name = "xchacha20",
2489 -+ .base.cra_driver_name = "xchacha20-arm",
2490 -+ .base.cra_priority = 200,
2491 -+ .base.cra_blocksize = 1,
2492 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2493 -+ .base.cra_module = THIS_MODULE,
2494 -+
2495 -+ .min_keysize = CHACHA_KEY_SIZE,
2496 -+ .max_keysize = CHACHA_KEY_SIZE,
2497 -+ .ivsize = XCHACHA_IV_SIZE,
2498 -+ .chunksize = CHACHA_BLOCK_SIZE,
2499 -+ .setkey = chacha20_setkey,
2500 -+ .encrypt = xchacha_arm,
2501 -+ .decrypt = xchacha_arm,
2502 -+ }, {
2503 -+ .base.cra_name = "xchacha12",
2504 -+ .base.cra_driver_name = "xchacha12-arm",
2505 -+ .base.cra_priority = 200,
2506 -+ .base.cra_blocksize = 1,
2507 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2508 -+ .base.cra_module = THIS_MODULE,
2509 -+
2510 -+ .min_keysize = CHACHA_KEY_SIZE,
2511 -+ .max_keysize = CHACHA_KEY_SIZE,
2512 -+ .ivsize = XCHACHA_IV_SIZE,
2513 -+ .chunksize = CHACHA_BLOCK_SIZE,
2514 -+ .setkey = chacha12_setkey,
2515 -+ .encrypt = xchacha_arm,
2516 -+ .decrypt = xchacha_arm,
2517 -+ },
2518 -+};
2519 -+
2520 -+static struct skcipher_alg neon_algs[] = {
2521 -+ {
2522 -+ .base.cra_name = "chacha20",
2523 -+ .base.cra_driver_name = "chacha20-neon",
2524 -+ .base.cra_priority = 300,
2525 -+ .base.cra_blocksize = 1,
2526 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2527 -+ .base.cra_module = THIS_MODULE,
2528 -+
2529 -+ .min_keysize = CHACHA_KEY_SIZE,
2530 -+ .max_keysize = CHACHA_KEY_SIZE,
2531 -+ .ivsize = CHACHA_IV_SIZE,
2532 -+ .chunksize = CHACHA_BLOCK_SIZE,
2533 -+ .walksize = 4 * CHACHA_BLOCK_SIZE,
2534 -+ .setkey = chacha20_setkey,
2535 -+ .encrypt = chacha_neon,
2536 -+ .decrypt = chacha_neon,
2537 -+ }, {
2538 -+ .base.cra_name = "xchacha20",
2539 -+ .base.cra_driver_name = "xchacha20-neon",
2540 -+ .base.cra_priority = 300,
2541 -+ .base.cra_blocksize = 1,
2542 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2543 -+ .base.cra_module = THIS_MODULE,
2544 -+
2545 -+ .min_keysize = CHACHA_KEY_SIZE,
2546 -+ .max_keysize = CHACHA_KEY_SIZE,
2547 -+ .ivsize = XCHACHA_IV_SIZE,
2548 -+ .chunksize = CHACHA_BLOCK_SIZE,
2549 -+ .walksize = 4 * CHACHA_BLOCK_SIZE,
2550 -+ .setkey = chacha20_setkey,
2551 -+ .encrypt = xchacha_neon,
2552 -+ .decrypt = xchacha_neon,
2553 -+ }, {
2554 -+ .base.cra_name = "xchacha12",
2555 -+ .base.cra_driver_name = "xchacha12-neon",
2556 -+ .base.cra_priority = 300,
2557 -+ .base.cra_blocksize = 1,
2558 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2559 -+ .base.cra_module = THIS_MODULE,
2560 -+
2561 -+ .min_keysize = CHACHA_KEY_SIZE,
2562 -+ .max_keysize = CHACHA_KEY_SIZE,
2563 -+ .ivsize = XCHACHA_IV_SIZE,
2564 -+ .chunksize = CHACHA_BLOCK_SIZE,
2565 -+ .walksize = 4 * CHACHA_BLOCK_SIZE,
2566 -+ .setkey = chacha12_setkey,
2567 -+ .encrypt = xchacha_neon,
2568 -+ .decrypt = xchacha_neon,
2569 -+ }
2570 -+};
2571 -+
2572 -+static int __init chacha_simd_mod_init(void)
2573 -+{
2574 -+ int err = 0;
2575 -+
2576 -+ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER)) {
2577 -+ err = crypto_register_skciphers(arm_algs, ARRAY_SIZE(arm_algs));
2578 -+ if (err)
2579 -+ return err;
2580 -+ }
2581 -+
2582 -+ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && (elf_hwcap & HWCAP_NEON)) {
2583 -+ int i;
2584 -+
2585 -+ switch (read_cpuid_part()) {
2586 -+ case ARM_CPU_PART_CORTEX_A7:
2587 -+ case ARM_CPU_PART_CORTEX_A5:
2588 -+ /*
2589 -+ * The Cortex-A7 and Cortex-A5 do not perform well with
2590 -+ * the NEON implementation but do incredibly with the
2591 -+ * scalar one and use less power.
2592 -+ */
2593 -+ for (i = 0; i < ARRAY_SIZE(neon_algs); i++)
2594 -+ neon_algs[i].base.cra_priority = 0;
2595 -+ break;
2596 -+ default:
2597 -+ static_branch_enable(&use_neon);
2598 -+ }
2599 -+
2600 -+ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER)) {
2601 -+ err = crypto_register_skciphers(neon_algs, ARRAY_SIZE(neon_algs));
2602 -+ if (err)
2603 -+ crypto_unregister_skciphers(arm_algs, ARRAY_SIZE(arm_algs));
2604 -+ }
2605 -+ }
2606 -+ return err;
2607 -+}
2608 -+
2609 -+static void __exit chacha_simd_mod_fini(void)
2610 -+{
2611 -+ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER)) {
2612 -+ crypto_unregister_skciphers(arm_algs, ARRAY_SIZE(arm_algs));
2613 -+ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && (elf_hwcap & HWCAP_NEON))
2614 -+ crypto_unregister_skciphers(neon_algs, ARRAY_SIZE(neon_algs));
2615 -+ }
2616 -+}
2617 -+
2618 -+module_init(chacha_simd_mod_init);
2619 -+module_exit(chacha_simd_mod_fini);
2620 -+
2621 -+MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (scalar and NEON accelerated)");
2622 -+MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@××××××.org>");
2623 -+MODULE_LICENSE("GPL v2");
2624 -+MODULE_ALIAS_CRYPTO("chacha20");
2625 -+MODULE_ALIAS_CRYPTO("chacha20-arm");
2626 -+MODULE_ALIAS_CRYPTO("xchacha20");
2627 -+MODULE_ALIAS_CRYPTO("xchacha20-arm");
2628 -+MODULE_ALIAS_CRYPTO("xchacha12");
2629 -+MODULE_ALIAS_CRYPTO("xchacha12-arm");
2630 -+#ifdef CONFIG_KERNEL_MODE_NEON
2631 -+MODULE_ALIAS_CRYPTO("chacha20-neon");
2632 -+MODULE_ALIAS_CRYPTO("xchacha20-neon");
2633 -+MODULE_ALIAS_CRYPTO("xchacha12-neon");
2634 -+#endif
2635 ---- b/arch/mips/crypto/chacha-core.S
2636 -+++ b/arch/mips/crypto/chacha-core.S
2637 -@@ -0,0 +1,497 @@
2638 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
2639 -+/*
2640 -+ * Copyright (C) 2016-2018 René van Dorst <opensource@××××××.com>. All Rights Reserved.
2641 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
2642 -+ */
2643 -+
2644 -+#define MASK_U32 0x3c
2645 -+#define CHACHA20_BLOCK_SIZE 64
2646 -+#define STACK_SIZE 32
2647 -+
2648 -+#define X0 $t0
2649 -+#define X1 $t1
2650 -+#define X2 $t2
2651 -+#define X3 $t3
2652 -+#define X4 $t4
2653 -+#define X5 $t5
2654 -+#define X6 $t6
2655 -+#define X7 $t7
2656 -+#define X8 $t8
2657 -+#define X9 $t9
2658 -+#define X10 $v1
2659 -+#define X11 $s6
2660 -+#define X12 $s5
2661 -+#define X13 $s4
2662 -+#define X14 $s3
2663 -+#define X15 $s2
2664 -+/* Use regs which are overwritten on exit for Tx so we don't leak clear data. */
2665 -+#define T0 $s1
2666 -+#define T1 $s0
2667 -+#define T(n) T ## n
2668 -+#define X(n) X ## n
2669 -+
2670 -+/* Input arguments */
2671 -+#define STATE $a0
2672 -+#define OUT $a1
2673 -+#define IN $a2
2674 -+#define BYTES $a3
2675 -+
2676 -+/* Output argument */
2677 -+/* NONCE[0] is kept in a register and not in memory.
2678 -+ * We don't want to touch original value in memory.
2679 -+ * Must be incremented every loop iteration.
2680 -+ */
2681 -+#define NONCE_0 $v0
2682 -+
2683 -+/* SAVED_X and SAVED_CA are set in the jump table.
2684 -+ * Use regs which are overwritten on exit else we don't leak clear data.
2685 -+ * They are used to handling the last bytes which are not multiple of 4.
2686 -+ */
2687 -+#define SAVED_X X15
2688 -+#define SAVED_CA $s7
2689 -+
2690 -+#define IS_UNALIGNED $s7
2691 -+
2692 -+#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
2693 -+#define MSB 0
2694 -+#define LSB 3
2695 -+#define ROTx rotl
2696 -+#define ROTR(n) rotr n, 24
2697 -+#define CPU_TO_LE32(n) \
2698 -+ wsbh n; \
2699 -+ rotr n, 16;
2700 -+#else
2701 -+#define MSB 3
2702 -+#define LSB 0
2703 -+#define ROTx rotr
2704 -+#define CPU_TO_LE32(n)
2705 -+#define ROTR(n)
2706 -+#endif
2707 -+
2708 -+#define FOR_EACH_WORD(x) \
2709 -+ x( 0); \
2710 -+ x( 1); \
2711 -+ x( 2); \
2712 -+ x( 3); \
2713 -+ x( 4); \
2714 -+ x( 5); \
2715 -+ x( 6); \
2716 -+ x( 7); \
2717 -+ x( 8); \
2718 -+ x( 9); \
2719 -+ x(10); \
2720 -+ x(11); \
2721 -+ x(12); \
2722 -+ x(13); \
2723 -+ x(14); \
2724 -+ x(15);
2725 -+
2726 -+#define FOR_EACH_WORD_REV(x) \
2727 -+ x(15); \
2728 -+ x(14); \
2729 -+ x(13); \
2730 -+ x(12); \
2731 -+ x(11); \
2732 -+ x(10); \
2733 -+ x( 9); \
2734 -+ x( 8); \
2735 -+ x( 7); \
2736 -+ x( 6); \
2737 -+ x( 5); \
2738 -+ x( 4); \
2739 -+ x( 3); \
2740 -+ x( 2); \
2741 -+ x( 1); \
2742 -+ x( 0);
2743 -+
2744 -+#define PLUS_ONE_0 1
2745 -+#define PLUS_ONE_1 2
2746 -+#define PLUS_ONE_2 3
2747 -+#define PLUS_ONE_3 4
2748 -+#define PLUS_ONE_4 5
2749 -+#define PLUS_ONE_5 6
2750 -+#define PLUS_ONE_6 7
2751 -+#define PLUS_ONE_7 8
2752 -+#define PLUS_ONE_8 9
2753 -+#define PLUS_ONE_9 10
2754 -+#define PLUS_ONE_10 11
2755 -+#define PLUS_ONE_11 12
2756 -+#define PLUS_ONE_12 13
2757 -+#define PLUS_ONE_13 14
2758 -+#define PLUS_ONE_14 15
2759 -+#define PLUS_ONE_15 16
2760 -+#define PLUS_ONE(x) PLUS_ONE_ ## x
2761 -+#define _CONCAT3(a,b,c) a ## b ## c
2762 -+#define CONCAT3(a,b,c) _CONCAT3(a,b,c)
2763 -+
2764 -+#define STORE_UNALIGNED(x) \
2765 -+CONCAT3(.Lchacha_mips_xor_unaligned_, PLUS_ONE(x), _b: ;) \
2766 -+ .if (x != 12); \
2767 -+ lw T0, (x*4)(STATE); \
2768 -+ .endif; \
2769 -+ lwl T1, (x*4)+MSB ## (IN); \
2770 -+ lwr T1, (x*4)+LSB ## (IN); \
2771 -+ .if (x == 12); \
2772 -+ addu X ## x, NONCE_0; \
2773 -+ .else; \
2774 -+ addu X ## x, T0; \
2775 -+ .endif; \
2776 -+ CPU_TO_LE32(X ## x); \
2777 -+ xor X ## x, T1; \
2778 -+ swl X ## x, (x*4)+MSB ## (OUT); \
2779 -+ swr X ## x, (x*4)+LSB ## (OUT);
2780 -+
2781 -+#define STORE_ALIGNED(x) \
2782 -+CONCAT3(.Lchacha_mips_xor_aligned_, PLUS_ONE(x), _b: ;) \
2783 -+ .if (x != 12); \
2784 -+ lw T0, (x*4)(STATE); \
2785 -+ .endif; \
2786 -+ lw T1, (x*4) ## (IN); \
2787 -+ .if (x == 12); \
2788 -+ addu X ## x, NONCE_0; \
2789 -+ .else; \
2790 -+ addu X ## x, T0; \
2791 -+ .endif; \
2792 -+ CPU_TO_LE32(X ## x); \
2793 -+ xor X ## x, T1; \
2794 -+ sw X ## x, (x*4) ## (OUT);
2795 -+
2796 -+/* Jump table macro.
2797 -+ * Used for setup and handling the last bytes, which are not multiple of 4.
2798 -+ * X15 is free to store Xn
2799 -+ * Every jumptable entry must be equal in size.
2800 -+ */
2801 -+#define JMPTBL_ALIGNED(x) \
2802 -+.Lchacha_mips_jmptbl_aligned_ ## x: ; \
2803 -+ .set noreorder; \
2804 -+ b .Lchacha_mips_xor_aligned_ ## x ## _b; \
2805 -+ .if (x == 12); \
2806 -+ addu SAVED_X, X ## x, NONCE_0; \
2807 -+ .else; \
2808 -+ addu SAVED_X, X ## x, SAVED_CA; \
2809 -+ .endif; \
2810 -+ .set reorder
2811 -+
2812 -+#define JMPTBL_UNALIGNED(x) \
2813 -+.Lchacha_mips_jmptbl_unaligned_ ## x: ; \
2814 -+ .set noreorder; \
2815 -+ b .Lchacha_mips_xor_unaligned_ ## x ## _b; \
2816 -+ .if (x == 12); \
2817 -+ addu SAVED_X, X ## x, NONCE_0; \
2818 -+ .else; \
2819 -+ addu SAVED_X, X ## x, SAVED_CA; \
2820 -+ .endif; \
2821 -+ .set reorder
2822 -+
2823 -+#define AXR(A, B, C, D, K, L, M, N, V, W, Y, Z, S) \
2824 -+ addu X(A), X(K); \
2825 -+ addu X(B), X(L); \
2826 -+ addu X(C), X(M); \
2827 -+ addu X(D), X(N); \
2828 -+ xor X(V), X(A); \
2829 -+ xor X(W), X(B); \
2830 -+ xor X(Y), X(C); \
2831 -+ xor X(Z), X(D); \
2832 -+ rotl X(V), S; \
2833 -+ rotl X(W), S; \
2834 -+ rotl X(Y), S; \
2835 -+ rotl X(Z), S;
2836 -+
2837 -+.text
2838 -+.set reorder
2839 -+.set noat
2840 -+.globl chacha_crypt_arch
2841 -+.ent chacha_crypt_arch
2842 -+chacha_crypt_arch:
2843 -+ .frame $sp, STACK_SIZE, $ra
2844 -+
2845 -+ /* Load number of rounds */
2846 -+ lw $at, 16($sp)
2847 -+
2848 -+ addiu $sp, -STACK_SIZE
2849 -+
2850 -+ /* Return bytes = 0. */
2851 -+ beqz BYTES, .Lchacha_mips_end
2852 -+
2853 -+ lw NONCE_0, 48(STATE)
2854 -+
2855 -+ /* Save s0-s7 */
2856 -+ sw $s0, 0($sp)
2857 -+ sw $s1, 4($sp)
2858 -+ sw $s2, 8($sp)
2859 -+ sw $s3, 12($sp)
2860 -+ sw $s4, 16($sp)
2861 -+ sw $s5, 20($sp)
2862 -+ sw $s6, 24($sp)
2863 -+ sw $s7, 28($sp)
2864 -+
2865 -+ /* Test IN or OUT is unaligned.
2866 -+ * IS_UNALIGNED = ( IN | OUT ) & 0x00000003
2867 -+ */
2868 -+ or IS_UNALIGNED, IN, OUT
2869 -+ andi IS_UNALIGNED, 0x3
2870 -+
2871 -+ b .Lchacha_rounds_start
2872 -+
2873 -+.align 4
2874 -+.Loop_chacha_rounds:
2875 -+ addiu IN, CHACHA20_BLOCK_SIZE
2876 -+ addiu OUT, CHACHA20_BLOCK_SIZE
2877 -+ addiu NONCE_0, 1
2878 -+
2879 -+.Lchacha_rounds_start:
2880 -+ lw X0, 0(STATE)
2881 -+ lw X1, 4(STATE)
2882 -+ lw X2, 8(STATE)
2883 -+ lw X3, 12(STATE)
2884 -+
2885 -+ lw X4, 16(STATE)
2886 -+ lw X5, 20(STATE)
2887 -+ lw X6, 24(STATE)
2888 -+ lw X7, 28(STATE)
2889 -+ lw X8, 32(STATE)
2890 -+ lw X9, 36(STATE)
2891 -+ lw X10, 40(STATE)
2892 -+ lw X11, 44(STATE)
2893 -+
2894 -+ move X12, NONCE_0
2895 -+ lw X13, 52(STATE)
2896 -+ lw X14, 56(STATE)
2897 -+ lw X15, 60(STATE)
2898 -+
2899 -+.Loop_chacha_xor_rounds:
2900 -+ addiu $at, -2
2901 -+ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 16);
2902 -+ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 12);
2903 -+ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 8);
2904 -+ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 7);
2905 -+ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 16);
2906 -+ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 12);
2907 -+ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 8);
2908 -+ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 7);
2909 -+ bnez $at, .Loop_chacha_xor_rounds
2910 -+
2911 -+ addiu BYTES, -(CHACHA20_BLOCK_SIZE)
2912 -+
2913 -+ /* Is data src/dst unaligned? Jump */
2914 -+ bnez IS_UNALIGNED, .Loop_chacha_unaligned
2915 -+
2916 -+ /* Set number rounds here to fill delayslot. */
2917 -+ lw $at, (STACK_SIZE+16)($sp)
2918 -+
2919 -+ /* BYTES < 0, it has no full block. */
2920 -+ bltz BYTES, .Lchacha_mips_no_full_block_aligned
2921 -+
2922 -+ FOR_EACH_WORD_REV(STORE_ALIGNED)
2923 -+
2924 -+ /* BYTES > 0? Loop again. */
2925 -+ bgtz BYTES, .Loop_chacha_rounds
2926 -+
2927 -+ /* Place this here to fill delay slot */
2928 -+ addiu NONCE_0, 1
2929 -+
2930 -+ /* BYTES < 0? Handle last bytes */
2931 -+ bltz BYTES, .Lchacha_mips_xor_bytes
2932 -+
2933 -+.Lchacha_mips_xor_done:
2934 -+ /* Restore used registers */
2935 -+ lw $s0, 0($sp)
2936 -+ lw $s1, 4($sp)
2937 -+ lw $s2, 8($sp)
2938 -+ lw $s3, 12($sp)
2939 -+ lw $s4, 16($sp)
2940 -+ lw $s5, 20($sp)
2941 -+ lw $s6, 24($sp)
2942 -+ lw $s7, 28($sp)
2943 -+
2944 -+ /* Write NONCE_0 back to right location in state */
2945 -+ sw NONCE_0, 48(STATE)
2946 -+
2947 -+.Lchacha_mips_end:
2948 -+ addiu $sp, STACK_SIZE
2949 -+ jr $ra
2950 -+
2951 -+.Lchacha_mips_no_full_block_aligned:
2952 -+ /* Restore the offset on BYTES */
2953 -+ addiu BYTES, CHACHA20_BLOCK_SIZE
2954 -+
2955 -+ /* Get number of full WORDS */
2956 -+ andi $at, BYTES, MASK_U32
2957 -+
2958 -+ /* Load upper half of jump table addr */
2959 -+ lui T0, %hi(.Lchacha_mips_jmptbl_aligned_0)
2960 -+
2961 -+ /* Calculate lower half jump table offset */
2962 -+ ins T0, $at, 1, 6
2963 -+
2964 -+ /* Add offset to STATE */
2965 -+ addu T1, STATE, $at
2966 -+
2967 -+ /* Add lower half jump table addr */
2968 -+ addiu T0, %lo(.Lchacha_mips_jmptbl_aligned_0)
2969 -+
2970 -+ /* Read value from STATE */
2971 -+ lw SAVED_CA, 0(T1)
2972 -+
2973 -+ /* Store remaining bytecounter as negative value */
2974 -+ subu BYTES, $at, BYTES
2975 -+
2976 -+ jr T0
2977 -+
2978 -+ /* Jump table */
2979 -+ FOR_EACH_WORD(JMPTBL_ALIGNED)
2980 -+
2981 -+
2982 -+.Loop_chacha_unaligned:
2983 -+ /* Set number rounds here to fill delayslot. */
2984 -+ lw $at, (STACK_SIZE+16)($sp)
2985 -+
2986 -+ /* BYTES > 0, it has no full block. */
2987 -+ bltz BYTES, .Lchacha_mips_no_full_block_unaligned
2988 -+
2989 -+ FOR_EACH_WORD_REV(STORE_UNALIGNED)
2990 -+
2991 -+ /* BYTES > 0? Loop again. */
2992 -+ bgtz BYTES, .Loop_chacha_rounds
2993 -+
2994 -+ /* Write NONCE_0 back to right location in state */
2995 -+ sw NONCE_0, 48(STATE)
2996 -+
2997 -+ .set noreorder
2998 -+ /* Fall through to byte handling */
2999 -+ bgez BYTES, .Lchacha_mips_xor_done
3000 -+.Lchacha_mips_xor_unaligned_0_b:
3001 -+.Lchacha_mips_xor_aligned_0_b:
3002 -+ /* Place this here to fill delay slot */
3003 -+ addiu NONCE_0, 1
3004 -+ .set reorder
3005 -+
3006 -+.Lchacha_mips_xor_bytes:
3007 -+ addu IN, $at
3008 -+ addu OUT, $at
3009 -+ /* First byte */
3010 -+ lbu T1, 0(IN)
3011 -+ addiu $at, BYTES, 1
3012 -+ CPU_TO_LE32(SAVED_X)
3013 -+ ROTR(SAVED_X)
3014 -+ xor T1, SAVED_X
3015 -+ sb T1, 0(OUT)
3016 -+ beqz $at, .Lchacha_mips_xor_done
3017 -+ /* Second byte */
3018 -+ lbu T1, 1(IN)
3019 -+ addiu $at, BYTES, 2
3020 -+ ROTx SAVED_X, 8
3021 -+ xor T1, SAVED_X
3022 -+ sb T1, 1(OUT)
3023 -+ beqz $at, .Lchacha_mips_xor_done
3024 -+ /* Third byte */
3025 -+ lbu T1, 2(IN)
3026 -+ ROTx SAVED_X, 8
3027 -+ xor T1, SAVED_X
3028 -+ sb T1, 2(OUT)
3029 -+ b .Lchacha_mips_xor_done
3030 -+
3031 -+.Lchacha_mips_no_full_block_unaligned:
3032 -+ /* Restore the offset on BYTES */
3033 -+ addiu BYTES, CHACHA20_BLOCK_SIZE
3034 -+
3035 -+ /* Get number of full WORDS */
3036 -+ andi $at, BYTES, MASK_U32
3037 -+
3038 -+ /* Load upper half of jump table addr */
3039 -+ lui T0, %hi(.Lchacha_mips_jmptbl_unaligned_0)
3040 -+
3041 -+ /* Calculate lower half jump table offset */
3042 -+ ins T0, $at, 1, 6
3043 -+
3044 -+ /* Add offset to STATE */
3045 -+ addu T1, STATE, $at
3046 -+
3047 -+ /* Add lower half jump table addr */
3048 -+ addiu T0, %lo(.Lchacha_mips_jmptbl_unaligned_0)
3049 -+
3050 -+ /* Read value from STATE */
3051 -+ lw SAVED_CA, 0(T1)
3052 -+
3053 -+ /* Store remaining bytecounter as negative value */
3054 -+ subu BYTES, $at, BYTES
3055 -+
3056 -+ jr T0
3057 -+
3058 -+ /* Jump table */
3059 -+ FOR_EACH_WORD(JMPTBL_UNALIGNED)
3060 -+.end chacha_crypt_arch
3061 -+.set at
3062 -+
3063 -+/* Input arguments
3064 -+ * STATE $a0
3065 -+ * OUT $a1
3066 -+ * NROUND $a2
3067 -+ */
3068 -+
3069 -+#undef X12
3070 -+#undef X13
3071 -+#undef X14
3072 -+#undef X15
3073 -+
3074 -+#define X12 $a3
3075 -+#define X13 $at
3076 -+#define X14 $v0
3077 -+#define X15 STATE
3078 -+
3079 -+.set noat
3080 -+.globl hchacha_block_arch
3081 -+.ent hchacha_block_arch
3082 -+hchacha_block_arch:
3083 -+ .frame $sp, STACK_SIZE, $ra
3084 -+
3085 -+ addiu $sp, -STACK_SIZE
3086 -+
3087 -+ /* Save X11(s6) */
3088 -+ sw X11, 0($sp)
3089 -+
3090 -+ lw X0, 0(STATE)
3091 -+ lw X1, 4(STATE)
3092 -+ lw X2, 8(STATE)
3093 -+ lw X3, 12(STATE)
3094 -+ lw X4, 16(STATE)
3095 -+ lw X5, 20(STATE)
3096 -+ lw X6, 24(STATE)
3097 -+ lw X7, 28(STATE)
3098 -+ lw X8, 32(STATE)
3099 -+ lw X9, 36(STATE)
3100 -+ lw X10, 40(STATE)
3101 -+ lw X11, 44(STATE)
3102 -+ lw X12, 48(STATE)
3103 -+ lw X13, 52(STATE)
3104 -+ lw X14, 56(STATE)
3105 -+ lw X15, 60(STATE)
3106 -+
3107 -+.Loop_hchacha_xor_rounds:
3108 -+ addiu $a2, -2
3109 -+ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 16);
3110 -+ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 12);
3111 -+ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 8);
3112 -+ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 7);
3113 -+ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 16);
3114 -+ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 12);
3115 -+ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 8);
3116 -+ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 7);
3117 -+ bnez $a2, .Loop_hchacha_xor_rounds
3118 -+
3119 -+ /* Restore used register */
3120 -+ lw X11, 0($sp)
3121 -+
3122 -+ sw X0, 0(OUT)
3123 -+ sw X1, 4(OUT)
3124 -+ sw X2, 8(OUT)
3125 -+ sw X3, 12(OUT)
3126 -+ sw X12, 16(OUT)
3127 -+ sw X13, 20(OUT)
3128 -+ sw X14, 24(OUT)
3129 -+ sw X15, 28(OUT)
3130 -+
3131 -+ addiu $sp, STACK_SIZE
3132 -+ jr $ra
3133 -+.end hchacha_block_arch
3134 -+.set at
3135 ---- a/arch/mips/Makefile
3136 -+++ b/arch/mips/Makefile
3137 -@@ -334,7 +334,7 @@ libs-$(CONFIG_MIPS_FP_SUPPORT) += arch/mips/math-emu/
3138 - # See arch/mips/Kbuild for content of core part of the kernel
3139 - core-y += arch/mips/
3140 -
3141 --drivers-$(CONFIG_MIPS_CRC_SUPPORT) += arch/mips/crypto/
3142 -+drivers-y += arch/mips/crypto/
3143 - drivers-$(CONFIG_OPROFILE) += arch/mips/oprofile/
3144 -
3145 - # suspend and hibernation support
3146 ---- b/arch/mips/crypto/Makefile
3147 -+++ b/arch/mips/crypto/Makefile
3148 -@@ -6,0 +7,18 @@
3149 -+
3150 -+obj-$(CONFIG_CRYPTO_CHACHA_MIPS) += chacha-mips.o
3151 -+chacha-mips-y := chacha-core.o chacha-glue.o
3152 -+AFLAGS_chacha-core.o += -O2 # needed to fill branch delay slots
3153 -+
3154 -+obj-$(CONFIG_CRYPTO_POLY1305_MIPS) += poly1305-mips.o
3155 -+poly1305-mips-y := poly1305-core.o poly1305-glue.o
3156 -+
3157 -+perlasm-flavour-$(CONFIG_CPU_MIPS32) := o32
3158 -+perlasm-flavour-$(CONFIG_CPU_MIPS64) := 64
3159 -+
3160 -+quiet_cmd_perlasm = PERLASM $@
3161 -+ cmd_perlasm = $(PERL) $(<) $(perlasm-flavour-y) $(@)
3162 -+
3163 -+$(obj)/poly1305-core.S: $(src)/poly1305-mips.pl FORCE
3164 -+ $(call if_changed,perlasm)
3165 -+
3166 -+targets += poly1305-core.S
3167 ---- b/arch/mips/crypto/chacha-glue.c
3168 -+++ b/arch/mips/crypto/chacha-glue.c
3169 -@@ -0,0 +1,152 @@
3170 -+// SPDX-License-Identifier: GPL-2.0
3171 -+/*
3172 -+ * MIPS accelerated ChaCha and XChaCha stream ciphers,
3173 -+ * including ChaCha20 (RFC7539)
3174 -+ *
3175 -+ * Copyright (C) 2019 Linaro, Ltd. <ard.biesheuvel@××××××.org>
3176 -+ */
3177 -+
3178 -+#include <asm/byteorder.h>
3179 -+#include <crypto/algapi.h>
3180 -+#include <crypto/internal/chacha.h>
3181 -+#include <crypto/internal/skcipher.h>
3182 -+#include <linux/kernel.h>
3183 -+#include <linux/module.h>
3184 -+
3185 -+asmlinkage void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
3186 -+ unsigned int bytes, int nrounds);
3187 -+EXPORT_SYMBOL(chacha_crypt_arch);
3188 -+
3189 -+asmlinkage void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds);
3190 -+EXPORT_SYMBOL(hchacha_block_arch);
3191 -+
3192 -+void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
3193 -+{
3194 -+ chacha_init_generic(state, key, iv);
3195 -+}
3196 -+EXPORT_SYMBOL(chacha_init_arch);
3197 -+
3198 -+static int chacha_mips_stream_xor(struct skcipher_request *req,
3199 -+ const struct chacha_ctx *ctx, const u8 *iv)
3200 -+{
3201 -+ struct skcipher_walk walk;
3202 -+ u32 state[16];
3203 -+ int err;
3204 -+
3205 -+ err = skcipher_walk_virt(&walk, req, false);
3206 -+
3207 -+ chacha_init_generic(state, ctx->key, iv);
3208 -+
3209 -+ while (walk.nbytes > 0) {
3210 -+ unsigned int nbytes = walk.nbytes;
3211 -+
3212 -+ if (nbytes < walk.total)
3213 -+ nbytes = round_down(nbytes, walk.stride);
3214 -+
3215 -+ chacha_crypt(state, walk.dst.virt.addr, walk.src.virt.addr,
3216 -+ nbytes, ctx->nrounds);
3217 -+ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
3218 -+ }
3219 -+
3220 -+ return err;
3221 -+}
3222 -+
3223 -+static int chacha_mips(struct skcipher_request *req)
3224 -+{
3225 -+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3226 -+ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
3227 -+
3228 -+ return chacha_mips_stream_xor(req, ctx, req->iv);
3229 -+}
3230 -+
3231 -+static int xchacha_mips(struct skcipher_request *req)
3232 -+{
3233 -+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3234 -+ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
3235 -+ struct chacha_ctx subctx;
3236 -+ u32 state[16];
3237 -+ u8 real_iv[16];
3238 -+
3239 -+ chacha_init_generic(state, ctx->key, req->iv);
3240 -+
3241 -+ hchacha_block(state, subctx.key, ctx->nrounds);
3242 -+ subctx.nrounds = ctx->nrounds;
3243 -+
3244 -+ memcpy(&real_iv[0], req->iv + 24, 8);
3245 -+ memcpy(&real_iv[8], req->iv + 16, 8);
3246 -+ return chacha_mips_stream_xor(req, &subctx, real_iv);
3247 -+}
3248 -+
3249 -+static struct skcipher_alg algs[] = {
3250 -+ {
3251 -+ .base.cra_name = "chacha20",
3252 -+ .base.cra_driver_name = "chacha20-mips",
3253 -+ .base.cra_priority = 200,
3254 -+ .base.cra_blocksize = 1,
3255 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
3256 -+ .base.cra_module = THIS_MODULE,
3257 -+
3258 -+ .min_keysize = CHACHA_KEY_SIZE,
3259 -+ .max_keysize = CHACHA_KEY_SIZE,
3260 -+ .ivsize = CHACHA_IV_SIZE,
3261 -+ .chunksize = CHACHA_BLOCK_SIZE,
3262 -+ .setkey = chacha20_setkey,
3263 -+ .encrypt = chacha_mips,
3264 -+ .decrypt = chacha_mips,
3265 -+ }, {
3266 -+ .base.cra_name = "xchacha20",
3267 -+ .base.cra_driver_name = "xchacha20-mips",
3268 -+ .base.cra_priority = 200,
3269 -+ .base.cra_blocksize = 1,
3270 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
3271 -+ .base.cra_module = THIS_MODULE,
3272 -+
3273 -+ .min_keysize = CHACHA_KEY_SIZE,
3274 -+ .max_keysize = CHACHA_KEY_SIZE,
3275 -+ .ivsize = XCHACHA_IV_SIZE,
3276 -+ .chunksize = CHACHA_BLOCK_SIZE,
3277 -+ .setkey = chacha20_setkey,
3278 -+ .encrypt = xchacha_mips,
3279 -+ .decrypt = xchacha_mips,
3280 -+ }, {
3281 -+ .base.cra_name = "xchacha12",
3282 -+ .base.cra_driver_name = "xchacha12-mips",
3283 -+ .base.cra_priority = 200,
3284 -+ .base.cra_blocksize = 1,
3285 -+ .base.cra_ctxsize = sizeof(struct chacha_ctx),
3286 -+ .base.cra_module = THIS_MODULE,
3287 -+
3288 -+ .min_keysize = CHACHA_KEY_SIZE,
3289 -+ .max_keysize = CHACHA_KEY_SIZE,
3290 -+ .ivsize = XCHACHA_IV_SIZE,
3291 -+ .chunksize = CHACHA_BLOCK_SIZE,
3292 -+ .setkey = chacha12_setkey,
3293 -+ .encrypt = xchacha_mips,
3294 -+ .decrypt = xchacha_mips,
3295 -+ }
3296 -+};
3297 -+
3298 -+static int __init chacha_simd_mod_init(void)
3299 -+{
3300 -+ return IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) ?
3301 -+ crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;
3302 -+}
3303 -+
3304 -+static void __exit chacha_simd_mod_fini(void)
3305 -+{
3306 -+ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER))
3307 -+ crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
3308 -+}
3309 -+
3310 -+module_init(chacha_simd_mod_init);
3311 -+module_exit(chacha_simd_mod_fini);
3312 -+
3313 -+MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (MIPS accelerated)");
3314 -+MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@××××××.org>");
3315 -+MODULE_LICENSE("GPL v2");
3316 -+MODULE_ALIAS_CRYPTO("chacha20");
3317 -+MODULE_ALIAS_CRYPTO("chacha20-mips");
3318 -+MODULE_ALIAS_CRYPTO("xchacha20");
3319 -+MODULE_ALIAS_CRYPTO("xchacha20-mips");
3320 -+MODULE_ALIAS_CRYPTO("xchacha12");
3321 -+MODULE_ALIAS_CRYPTO("xchacha12-mips");
3322 ---- b/arch/x86/crypto/poly1305_glue.c
3323 -+++ b/arch/x86/crypto/poly1305_glue.c
3324 -@@ -1,131 +1,173 @@
3325 --// SPDX-License-Identifier: GPL-2.0-or-later
3326 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
3327 - /*
3328 -- * Poly1305 authenticator algorithm, RFC7539, SIMD glue code
3329 -- *
3330 -- * Copyright (C) 2015 Martin Willi
3331 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
3332 - */
3333 -
3334 - #include <crypto/algapi.h>
3335 - #include <crypto/internal/hash.h>
3336 -+#include <crypto/internal/poly1305.h>
3337 - #include <crypto/internal/simd.h>
3338 --#include <crypto/poly1305.h>
3339 - #include <linux/crypto.h>
3340 -+#include <linux/jump_label.h>
3341 - #include <linux/kernel.h>
3342 - #include <linux/module.h>
3343 -+#include <asm/intel-family.h>
3344 - #include <asm/simd.h>
3345 -
3346 --struct poly1305_simd_desc_ctx {
3347 -- struct poly1305_desc_ctx base;
3348 -- /* derived key u set? */
3349 -- bool uset;
3350 --#ifdef CONFIG_AS_AVX2
3351 -- /* derived keys r^3, r^4 set? */
3352 -- bool wset;
3353 --#endif
3354 -- /* derived Poly1305 key r^2 */
3355 -- u32 u[5];
3356 -- /* ... silently appended r^3 and r^4 when using AVX2 */
3357 -+asmlinkage void poly1305_init_x86_64(void *ctx,
3358 -+ const u8 key[POLY1305_KEY_SIZE]);
3359 -+asmlinkage void poly1305_blocks_x86_64(void *ctx, const u8 *inp,
3360 -+ const size_t len, const u32 padbit);
3361 -+asmlinkage void poly1305_emit_x86_64(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
3362 -+ const u32 nonce[4]);
3363 -+asmlinkage void poly1305_emit_avx(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
3364 -+ const u32 nonce[4]);
3365 -+asmlinkage void poly1305_blocks_avx(void *ctx, const u8 *inp, const size_t len,
3366 -+ const u32 padbit);
3367 -+asmlinkage void poly1305_blocks_avx2(void *ctx, const u8 *inp, const size_t len,
3368 -+ const u32 padbit);
3369 -+asmlinkage void poly1305_blocks_avx512(void *ctx, const u8 *inp,
3370 -+ const size_t len, const u32 padbit);
3371 -+
3372 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx);
3373 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2);
3374 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512);
3375 -+
3376 -+struct poly1305_arch_internal {
3377 -+ union {
3378 -+ struct {
3379 -+ u32 h[5];
3380 -+ u32 is_base2_26;
3381 -+ };
3382 -+ u64 hs[3];
3383 -+ };
3384 -+ u64 r[2];
3385 -+ u64 pad;
3386 -+ struct { u32 r2, r1, r4, r3; } rn[9];
3387 - };
3388 -
3389 --asmlinkage void poly1305_block_sse2(u32 *h, const u8 *src,
3390 -- const u32 *r, unsigned int blocks);
3391 --asmlinkage void poly1305_2block_sse2(u32 *h, const u8 *src, const u32 *r,
3392 -- unsigned int blocks, const u32 *u);
3393 --#ifdef CONFIG_AS_AVX2
3394 --asmlinkage void poly1305_4block_avx2(u32 *h, const u8 *src, const u32 *r,
3395 -- unsigned int blocks, const u32 *u);
3396 --static bool poly1305_use_avx2;
3397 --#endif
3398 --
3399 --static int poly1305_simd_init(struct shash_desc *desc)
3400 -+/* The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit
3401 -+ * the unfortunate situation of using AVX and then having to go back to scalar
3402 -+ * -- because the user is silly and has called the update function from two
3403 -+ * separate contexts -- then we need to convert back to the original base before
3404 -+ * proceeding. It is possible to reason that the initial reduction below is
3405 -+ * sufficient given the implementation invariants. However, for an avoidance of
3406 -+ * doubt and because this is not performance critical, we do the full reduction
3407 -+ * anyway. Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py
3408 -+ */
3409 -+static void convert_to_base2_64(void *ctx)
3410 - {
3411 -- struct poly1305_simd_desc_ctx *sctx = shash_desc_ctx(desc);
3412 -+ struct poly1305_arch_internal *state = ctx;
3413 -+ u32 cy;
3414 -+
3415 -+ if (!state->is_base2_26)
3416 -+ return;
3417 -
3418 -- sctx->uset = false;
3419 --#ifdef CONFIG_AS_AVX2
3420 -- sctx->wset = false;
3421 --#endif
3422 -+ cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy;
3423 -+ cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy;
3424 -+ cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy;
3425 -+ cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy;
3426 -+ state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0];
3427 -+ state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12);
3428 -+ state->hs[2] = state->h[4] >> 24;
3429 -+#define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
3430 -+ cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL);
3431 -+ state->hs[2] &= 3;
3432 -+ state->hs[0] += cy;
3433 -+ state->hs[1] += (cy = ULT(state->hs[0], cy));
3434 -+ state->hs[2] += ULT(state->hs[1], cy);
3435 -+#undef ULT
3436 -+ state->is_base2_26 = 0;
3437 -+}
3438 -
3439 -- return crypto_poly1305_init(desc);
3440 -+static void poly1305_simd_init(void *ctx, const u8 key[POLY1305_KEY_SIZE])
3441 -+{
3442 -+ poly1305_init_x86_64(ctx, key);
3443 - }
3444 -
3445 --static void poly1305_simd_mult(u32 *a, const u32 *b)
3446 -+static void poly1305_simd_blocks(void *ctx, const u8 *inp, size_t len,
3447 -+ const u32 padbit)
3448 - {
3449 -- u8 m[POLY1305_BLOCK_SIZE];
3450 -+ struct poly1305_arch_internal *state = ctx;
3451 -
3452 -- memset(m, 0, sizeof(m));
3453 -- /* The poly1305 block function adds a hi-bit to the accumulator which
3454 -- * we don't need for key multiplication; compensate for it. */
3455 -- a[4] -= 1 << 24;
3456 -- poly1305_block_sse2(a, m, b, 1);
3457 -+ /* SIMD disables preemption, so relax after processing each page. */
3458 -+ BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE ||
3459 -+ SZ_4K % POLY1305_BLOCK_SIZE);
3460 -+
3461 -+ if (!IS_ENABLED(CONFIG_AS_AVX) || !static_branch_likely(&poly1305_use_avx) ||
3462 -+ (len < (POLY1305_BLOCK_SIZE * 18) && !state->is_base2_26) ||
3463 -+ !crypto_simd_usable()) {
3464 -+ convert_to_base2_64(ctx);
3465 -+ poly1305_blocks_x86_64(ctx, inp, len, padbit);
3466 -+ return;
3467 -+ }
3468 -+
3469 -+ do {
3470 -+ const size_t bytes = min_t(size_t, len, SZ_4K);
3471 -+
3472 -+ kernel_fpu_begin();
3473 -+ if (IS_ENABLED(CONFIG_AS_AVX512) && static_branch_likely(&poly1305_use_avx512))
3474 -+ poly1305_blocks_avx512(ctx, inp, bytes, padbit);
3475 -+ else if (IS_ENABLED(CONFIG_AS_AVX2) && static_branch_likely(&poly1305_use_avx2))
3476 -+ poly1305_blocks_avx2(ctx, inp, bytes, padbit);
3477 -+ else
3478 -+ poly1305_blocks_avx(ctx, inp, bytes, padbit);
3479 -+ kernel_fpu_end();
3480 -+
3481 -+ len -= bytes;
3482 -+ inp += bytes;
3483 -+ } while (len);
3484 - }
3485 -
3486 --static unsigned int poly1305_simd_blocks(struct poly1305_desc_ctx *dctx,
3487 -- const u8 *src, unsigned int srclen)
3488 -+static void poly1305_simd_emit(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
3489 -+ const u32 nonce[4])
3490 - {
3491 -- struct poly1305_simd_desc_ctx *sctx;
3492 -- unsigned int blocks, datalen;
3493 -+ if (!IS_ENABLED(CONFIG_AS_AVX) || !static_branch_likely(&poly1305_use_avx))
3494 -+ poly1305_emit_x86_64(ctx, mac, nonce);
3495 -+ else
3496 -+ poly1305_emit_avx(ctx, mac, nonce);
3497 -+}
3498 -
3499 -- BUILD_BUG_ON(offsetof(struct poly1305_simd_desc_ctx, base));
3500 -- sctx = container_of(dctx, struct poly1305_simd_desc_ctx, base);
3501 -+void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
3502 -+{
3503 -+ poly1305_simd_init(&dctx->h, key);
3504 -+ dctx->s[0] = get_unaligned_le32(&key[16]);
3505 -+ dctx->s[1] = get_unaligned_le32(&key[20]);
3506 -+ dctx->s[2] = get_unaligned_le32(&key[24]);
3507 -+ dctx->s[3] = get_unaligned_le32(&key[28]);
3508 -+ dctx->buflen = 0;
3509 -+ dctx->sset = true;
3510 -+}
3511 -+EXPORT_SYMBOL(poly1305_init_arch);
3512 -
3513 -+static unsigned int crypto_poly1305_setdctxkey(struct poly1305_desc_ctx *dctx,
3514 -+ const u8 *inp, unsigned int len)
3515 -+{
3516 -+ unsigned int acc = 0;
3517 - if (unlikely(!dctx->sset)) {
3518 -- datalen = crypto_poly1305_setdesckey(dctx, src, srclen);
3519 -- src += srclen - datalen;
3520 -- srclen = datalen;
3521 -- }
3522 --
3523 --#ifdef CONFIG_AS_AVX2
3524 -- if (poly1305_use_avx2 && srclen >= POLY1305_BLOCK_SIZE * 4) {
3525 -- if (unlikely(!sctx->wset)) {
3526 -- if (!sctx->uset) {
3527 -- memcpy(sctx->u, dctx->r.r, sizeof(sctx->u));
3528 -- poly1305_simd_mult(sctx->u, dctx->r.r);
3529 -- sctx->uset = true;
3530 -- }
3531 -- memcpy(sctx->u + 5, sctx->u, sizeof(sctx->u));
3532 -- poly1305_simd_mult(sctx->u + 5, dctx->r.r);
3533 -- memcpy(sctx->u + 10, sctx->u + 5, sizeof(sctx->u));
3534 -- poly1305_simd_mult(sctx->u + 10, dctx->r.r);
3535 -- sctx->wset = true;
3536 -+ if (!dctx->rset && len >= POLY1305_BLOCK_SIZE) {
3537 -+ poly1305_simd_init(&dctx->h, inp);
3538 -+ inp += POLY1305_BLOCK_SIZE;
3539 -+ len -= POLY1305_BLOCK_SIZE;
3540 -+ acc += POLY1305_BLOCK_SIZE;
3541 -+ dctx->rset = 1;
3542 - }
3543 -- blocks = srclen / (POLY1305_BLOCK_SIZE * 4);
3544 -- poly1305_4block_avx2(dctx->h.h, src, dctx->r.r, blocks,
3545 -- sctx->u);
3546 -- src += POLY1305_BLOCK_SIZE * 4 * blocks;
3547 -- srclen -= POLY1305_BLOCK_SIZE * 4 * blocks;
3548 -- }
3549 --#endif
3550 -- if (likely(srclen >= POLY1305_BLOCK_SIZE * 2)) {
3551 -- if (unlikely(!sctx->uset)) {
3552 -- memcpy(sctx->u, dctx->r.r, sizeof(sctx->u));
3553 -- poly1305_simd_mult(sctx->u, dctx->r.r);
3554 -- sctx->uset = true;
3555 -+ if (len >= POLY1305_BLOCK_SIZE) {
3556 -+ dctx->s[0] = get_unaligned_le32(&inp[0]);
3557 -+ dctx->s[1] = get_unaligned_le32(&inp[4]);
3558 -+ dctx->s[2] = get_unaligned_le32(&inp[8]);
3559 -+ dctx->s[3] = get_unaligned_le32(&inp[12]);
3560 -+ acc += POLY1305_BLOCK_SIZE;
3561 -+ dctx->sset = true;
3562 - }
3563 -- blocks = srclen / (POLY1305_BLOCK_SIZE * 2);
3564 -- poly1305_2block_sse2(dctx->h.h, src, dctx->r.r, blocks,
3565 -- sctx->u);
3566 -- src += POLY1305_BLOCK_SIZE * 2 * blocks;
3567 -- srclen -= POLY1305_BLOCK_SIZE * 2 * blocks;
3568 -- }
3569 -- if (srclen >= POLY1305_BLOCK_SIZE) {
3570 -- poly1305_block_sse2(dctx->h.h, src, dctx->r.r, 1);
3571 -- srclen -= POLY1305_BLOCK_SIZE;
3572 - }
3573 -- return srclen;
3574 -+ return acc;
3575 - }
3576 -
3577 --static int poly1305_simd_update(struct shash_desc *desc,
3578 -- const u8 *src, unsigned int srclen)
3579 -+void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
3580 -+ unsigned int srclen)
3581 - {
3582 -- struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3583 -- unsigned int bytes;
3584 --
3585 -- /* kernel_fpu_begin/end is costly, use fallback for small updates */
3586 -- if (srclen <= 288 || !crypto_simd_usable())
3587 -- return crypto_poly1305_update(desc, src, srclen);
3588 --
3589 -- kernel_fpu_begin();
3590 -+ unsigned int bytes, used;
3591 -
3592 - if (unlikely(dctx->buflen)) {
3593 - bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
3594 -@@ -135,34 +177,76 @@
3595 - dctx->buflen += bytes;
3596 -
3597 - if (dctx->buflen == POLY1305_BLOCK_SIZE) {
3598 -- poly1305_simd_blocks(dctx, dctx->buf,
3599 -- POLY1305_BLOCK_SIZE);
3600 -+ if (likely(!crypto_poly1305_setdctxkey(dctx, dctx->buf, POLY1305_BLOCK_SIZE)))
3601 -+ poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
3602 - dctx->buflen = 0;
3603 - }
3604 - }
3605 -
3606 - if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
3607 -- bytes = poly1305_simd_blocks(dctx, src, srclen);
3608 -- src += srclen - bytes;
3609 -- srclen = bytes;
3610 -+ bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
3611 -+ srclen -= bytes;
3612 -+ used = crypto_poly1305_setdctxkey(dctx, src, bytes);
3613 -+ if (likely(bytes - used))
3614 -+ poly1305_simd_blocks(&dctx->h, src + used, bytes - used, 1);
3615 -+ src += bytes;
3616 - }
3617 -
3618 -- kernel_fpu_end();
3619 --
3620 - if (unlikely(srclen)) {
3621 - dctx->buflen = srclen;
3622 - memcpy(dctx->buf, src, srclen);
3623 - }
3624 -+}
3625 -+EXPORT_SYMBOL(poly1305_update_arch);
3626 -
3627 -+void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
3628 -+{
3629 -+ if (unlikely(dctx->buflen)) {
3630 -+ dctx->buf[dctx->buflen++] = 1;
3631 -+ memset(dctx->buf + dctx->buflen, 0,
3632 -+ POLY1305_BLOCK_SIZE - dctx->buflen);
3633 -+ poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
3634 -+ }
3635 -+
3636 -+ poly1305_simd_emit(&dctx->h, dst, dctx->s);
3637 -+ *dctx = (struct poly1305_desc_ctx){};
3638 -+}
3639 -+EXPORT_SYMBOL(poly1305_final_arch);
3640 -+
3641 -+static int crypto_poly1305_init(struct shash_desc *desc)
3642 -+{
3643 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3644 -+
3645 -+ *dctx = (struct poly1305_desc_ctx){};
3646 -+ return 0;
3647 -+}
3648 -+
3649 -+static int crypto_poly1305_update(struct shash_desc *desc,
3650 -+ const u8 *src, unsigned int srclen)
3651 -+{
3652 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3653 -+
3654 -+ poly1305_update_arch(dctx, src, srclen);
3655 -+ return 0;
3656 -+}
3657 -+
3658 -+static int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
3659 -+{
3660 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3661 -+
3662 -+ if (unlikely(!dctx->sset))
3663 -+ return -ENOKEY;
3664 -+
3665 -+ poly1305_final_arch(dctx, dst);
3666 - return 0;
3667 - }
3668 -
3669 - static struct shash_alg alg = {
3670 - .digestsize = POLY1305_DIGEST_SIZE,
3671 -- .init = poly1305_simd_init,
3672 -- .update = poly1305_simd_update,
3673 -+ .init = crypto_poly1305_init,
3674 -+ .update = crypto_poly1305_update,
3675 - .final = crypto_poly1305_final,
3676 -- .descsize = sizeof(struct poly1305_simd_desc_ctx),
3677 -+ .descsize = sizeof(struct poly1305_desc_ctx),
3678 - .base = {
3679 - .cra_name = "poly1305",
3680 - .cra_driver_name = "poly1305-simd",
3681 -@@ -174,30 +258,33 @@
3682 -
3683 - static int __init poly1305_simd_mod_init(void)
3684 - {
3685 -- if (!boot_cpu_has(X86_FEATURE_XMM2))
3686 -- return -ENODEV;
3687 --
3688 --#ifdef CONFIG_AS_AVX2
3689 -- poly1305_use_avx2 = boot_cpu_has(X86_FEATURE_AVX) &&
3690 -- boot_cpu_has(X86_FEATURE_AVX2) &&
3691 -- cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL);
3692 -- alg.descsize = sizeof(struct poly1305_simd_desc_ctx);
3693 -- if (poly1305_use_avx2)
3694 -- alg.descsize += 10 * sizeof(u32);
3695 --#endif
3696 -- return crypto_register_shash(&alg);
3697 -+ if (IS_ENABLED(CONFIG_AS_AVX) && boot_cpu_has(X86_FEATURE_AVX) &&
3698 -+ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
3699 -+ static_branch_enable(&poly1305_use_avx);
3700 -+ if (IS_ENABLED(CONFIG_AS_AVX2) && boot_cpu_has(X86_FEATURE_AVX) &&
3701 -+ boot_cpu_has(X86_FEATURE_AVX2) &&
3702 -+ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
3703 -+ static_branch_enable(&poly1305_use_avx2);
3704 -+ if (IS_ENABLED(CONFIG_AS_AVX512) && boot_cpu_has(X86_FEATURE_AVX) &&
3705 -+ boot_cpu_has(X86_FEATURE_AVX2) && boot_cpu_has(X86_FEATURE_AVX512F) &&
3706 -+ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM | XFEATURE_MASK_AVX512, NULL) &&
3707 -+ /* Skylake downclocks unacceptably much when using zmm, but later generations are fast. */
3708 -+ boot_cpu_data.x86_model != INTEL_FAM6_SKYLAKE_X)
3709 -+ static_branch_enable(&poly1305_use_avx512);
3710 -+ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ? crypto_register_shash(&alg) : 0;
3711 - }
3712 -
3713 - static void __exit poly1305_simd_mod_exit(void)
3714 - {
3715 -- crypto_unregister_shash(&alg);
3716 -+ if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
3717 -+ crypto_unregister_shash(&alg);
3718 - }
3719 -
3720 - module_init(poly1305_simd_mod_init);
3721 - module_exit(poly1305_simd_mod_exit);
3722 -
3723 - MODULE_LICENSE("GPL");
3724 --MODULE_AUTHOR("Martin Willi <martin@××××××××××.org>");
3725 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
3726 - MODULE_DESCRIPTION("Poly1305 authenticator");
3727 - MODULE_ALIAS_CRYPTO("poly1305");
3728 - MODULE_ALIAS_CRYPTO("poly1305-simd");
3729 ---- b/crypto/adiantum.c
3730 -+++ b/crypto/adiantum.c
3731 -@@ -33,6 +33,7 @@
3732 - #include <crypto/b128ops.h>
3733 - #include <crypto/chacha.h>
3734 - #include <crypto/internal/hash.h>
3735 -+#include <crypto/internal/poly1305.h>
3736 - #include <crypto/internal/skcipher.h>
3737 - #include <crypto/nhpoly1305.h>
3738 - #include <crypto/scatterwalk.h>
3739 -@@ -71,7 +72,7 @@
3740 - struct crypto_skcipher *streamcipher;
3741 - struct crypto_cipher *blockcipher;
3742 - struct crypto_shash *hash;
3743 -- struct poly1305_key header_hash_key;
3744 -+ struct poly1305_core_key header_hash_key;
3745 - };
3746 -
3747 - struct adiantum_request_ctx {
3748 -@@ -242,13 +243,13 @@
3749 -
3750 - BUILD_BUG_ON(sizeof(header) % POLY1305_BLOCK_SIZE != 0);
3751 - poly1305_core_blocks(&state, &tctx->header_hash_key,
3752 -- &header, sizeof(header) / POLY1305_BLOCK_SIZE);
3753 -+ &header, sizeof(header) / POLY1305_BLOCK_SIZE, 1);
3754 -
3755 - BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE != 0);
3756 - poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv,
3757 -- TWEAK_SIZE / POLY1305_BLOCK_SIZE);
3758 -+ TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1);
3759 -
3760 -- poly1305_core_emit(&state, &rctx->header_hash);
3761 -+ poly1305_core_emit(&state, NULL, &rctx->header_hash);
3762 - }
3763 -
3764 - /* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */
3765 ---- b/crypto/nhpoly1305.c
3766 -+++ b/crypto/nhpoly1305.c
3767 -@@ -33,6 +33,7 @@
3768 - #include <asm/unaligned.h>
3769 - #include <crypto/algapi.h>
3770 - #include <crypto/internal/hash.h>
3771 -+#include <crypto/internal/poly1305.h>
3772 - #include <crypto/nhpoly1305.h>
3773 - #include <linux/crypto.h>
3774 - #include <linux/kernel.h>
3775 -@@ -78,7 +79,7 @@
3776 - BUILD_BUG_ON(NH_HASH_BYTES % POLY1305_BLOCK_SIZE != 0);
3777 -
3778 - poly1305_core_blocks(&state->poly_state, &key->poly_key, state->nh_hash,
3779 -- NH_HASH_BYTES / POLY1305_BLOCK_SIZE);
3780 -+ NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1);
3781 - }
3782 -
3783 - /*
3784 -@@ -209,7 +210,7 @@
3785 - if (state->nh_remaining)
3786 - process_nh_hash_value(state, key);
3787 -
3788 -- poly1305_core_emit(&state->poly_state, dst);
3789 -+ poly1305_core_emit(&state->poly_state, NULL, dst);
3790 - return 0;
3791 - }
3792 - EXPORT_SYMBOL(crypto_nhpoly1305_final_helper);
3793 ---- b/crypto/poly1305_generic.c
3794 -+++ b/crypto/poly1305_generic.c
3795 -@@ -13,65 +13,33 @@
3796 -
3797 - #include <crypto/algapi.h>
3798 - #include <crypto/internal/hash.h>
3799 --#include <crypto/poly1305.h>
3800 -+#include <crypto/internal/poly1305.h>
3801 - #include <linux/crypto.h>
3802 - #include <linux/kernel.h>
3803 - #include <linux/module.h>
3804 - #include <asm/unaligned.h>
3805 -
3806 --static inline u64 mlt(u64 a, u64 b)
3807 --{
3808 -- return a * b;
3809 --}
3810 --
3811 --static inline u32 sr(u64 v, u_char n)
3812 --{
3813 -- return v >> n;
3814 --}
3815 --
3816 --static inline u32 and(u32 v, u32 mask)
3817 --{
3818 -- return v & mask;
3819 --}
3820 --
3821 --int crypto_poly1305_init(struct shash_desc *desc)
3822 -+static int crypto_poly1305_init(struct shash_desc *desc)
3823 - {
3824 - struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3825 -
3826 - poly1305_core_init(&dctx->h);
3827 - dctx->buflen = 0;
3828 -- dctx->rset = false;
3829 -+ dctx->rset = 0;
3830 - dctx->sset = false;
3831 -
3832 - return 0;
3833 - }
3834 --EXPORT_SYMBOL_GPL(crypto_poly1305_init);
3835 --
3836 --void poly1305_core_setkey(struct poly1305_key *key, const u8 *raw_key)
3837 --{
3838 -- /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
3839 -- key->r[0] = (get_unaligned_le32(raw_key + 0) >> 0) & 0x3ffffff;
3840 -- key->r[1] = (get_unaligned_le32(raw_key + 3) >> 2) & 0x3ffff03;
3841 -- key->r[2] = (get_unaligned_le32(raw_key + 6) >> 4) & 0x3ffc0ff;
3842 -- key->r[3] = (get_unaligned_le32(raw_key + 9) >> 6) & 0x3f03fff;
3843 -- key->r[4] = (get_unaligned_le32(raw_key + 12) >> 8) & 0x00fffff;
3844 --}
3845 --EXPORT_SYMBOL_GPL(poly1305_core_setkey);
3846 -
3847 --/*
3848 -- * Poly1305 requires a unique key for each tag, which implies that we can't set
3849 -- * it on the tfm that gets accessed by multiple users simultaneously. Instead we
3850 -- * expect the key as the first 32 bytes in the update() call.
3851 -- */
3852 --unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
3853 -- const u8 *src, unsigned int srclen)
3854 -+static unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
3855 -+ const u8 *src, unsigned int srclen)
3856 - {
3857 - if (!dctx->sset) {
3858 - if (!dctx->rset && srclen >= POLY1305_BLOCK_SIZE) {
3859 -- poly1305_core_setkey(&dctx->r, src);
3860 -+ poly1305_core_setkey(&dctx->core_r, src);
3861 - src += POLY1305_BLOCK_SIZE;
3862 - srclen -= POLY1305_BLOCK_SIZE;
3863 -- dctx->rset = true;
3864 -+ dctx->rset = 2;
3865 - }
3866 - if (srclen >= POLY1305_BLOCK_SIZE) {
3867 - dctx->s[0] = get_unaligned_le32(src + 0);
3868 -@@ -85,86 +53,9 @@
3869 - }
3870 - return srclen;
3871 - }
3872 --EXPORT_SYMBOL_GPL(crypto_poly1305_setdesckey);
3873 -
3874 --static void poly1305_blocks_internal(struct poly1305_state *state,
3875 -- const struct poly1305_key *key,
3876 -- const void *src, unsigned int nblocks,
3877 -- u32 hibit)
3878 --{
3879 -- u32 r0, r1, r2, r3, r4;
3880 -- u32 s1, s2, s3, s4;
3881 -- u32 h0, h1, h2, h3, h4;
3882 -- u64 d0, d1, d2, d3, d4;
3883 --
3884 -- if (!nblocks)
3885 -- return;
3886 --
3887 -- r0 = key->r[0];
3888 -- r1 = key->r[1];
3889 -- r2 = key->r[2];
3890 -- r3 = key->r[3];
3891 -- r4 = key->r[4];
3892 --
3893 -- s1 = r1 * 5;
3894 -- s2 = r2 * 5;
3895 -- s3 = r3 * 5;
3896 -- s4 = r4 * 5;
3897 --
3898 -- h0 = state->h[0];
3899 -- h1 = state->h[1];
3900 -- h2 = state->h[2];
3901 -- h3 = state->h[3];
3902 -- h4 = state->h[4];
3903 --
3904 -- do {
3905 -- /* h += m[i] */
3906 -- h0 += (get_unaligned_le32(src + 0) >> 0) & 0x3ffffff;
3907 -- h1 += (get_unaligned_le32(src + 3) >> 2) & 0x3ffffff;
3908 -- h2 += (get_unaligned_le32(src + 6) >> 4) & 0x3ffffff;
3909 -- h3 += (get_unaligned_le32(src + 9) >> 6) & 0x3ffffff;
3910 -- h4 += (get_unaligned_le32(src + 12) >> 8) | hibit;
3911 --
3912 -- /* h *= r */
3913 -- d0 = mlt(h0, r0) + mlt(h1, s4) + mlt(h2, s3) +
3914 -- mlt(h3, s2) + mlt(h4, s1);
3915 -- d1 = mlt(h0, r1) + mlt(h1, r0) + mlt(h2, s4) +
3916 -- mlt(h3, s3) + mlt(h4, s2);
3917 -- d2 = mlt(h0, r2) + mlt(h1, r1) + mlt(h2, r0) +
3918 -- mlt(h3, s4) + mlt(h4, s3);
3919 -- d3 = mlt(h0, r3) + mlt(h1, r2) + mlt(h2, r1) +
3920 -- mlt(h3, r0) + mlt(h4, s4);
3921 -- d4 = mlt(h0, r4) + mlt(h1, r3) + mlt(h2, r2) +
3922 -- mlt(h3, r1) + mlt(h4, r0);
3923 --
3924 -- /* (partial) h %= p */
3925 -- d1 += sr(d0, 26); h0 = and(d0, 0x3ffffff);
3926 -- d2 += sr(d1, 26); h1 = and(d1, 0x3ffffff);
3927 -- d3 += sr(d2, 26); h2 = and(d2, 0x3ffffff);
3928 -- d4 += sr(d3, 26); h3 = and(d3, 0x3ffffff);
3929 -- h0 += sr(d4, 26) * 5; h4 = and(d4, 0x3ffffff);
3930 -- h1 += h0 >> 26; h0 = h0 & 0x3ffffff;
3931 --
3932 -- src += POLY1305_BLOCK_SIZE;
3933 -- } while (--nblocks);
3934 --
3935 -- state->h[0] = h0;
3936 -- state->h[1] = h1;
3937 -- state->h[2] = h2;
3938 -- state->h[3] = h3;
3939 -- state->h[4] = h4;
3940 --}
3941 --
3942 --void poly1305_core_blocks(struct poly1305_state *state,
3943 -- const struct poly1305_key *key,
3944 -- const void *src, unsigned int nblocks)
3945 --{
3946 -- poly1305_blocks_internal(state, key, src, nblocks, 1 << 24);
3947 --}
3948 --EXPORT_SYMBOL_GPL(poly1305_core_blocks);
3949 --
3950 --static void poly1305_blocks(struct poly1305_desc_ctx *dctx,
3951 -- const u8 *src, unsigned int srclen, u32 hibit)
3952 -+static void poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
3953 -+ unsigned int srclen)
3954 - {
3955 - unsigned int datalen;
3956 -
3957 -@@ -174,12 +65,12 @@
3958 - srclen = datalen;
3959 - }
3960 -
3961 -- poly1305_blocks_internal(&dctx->h, &dctx->r,
3962 -- src, srclen / POLY1305_BLOCK_SIZE, hibit);
3963 -+ poly1305_core_blocks(&dctx->h, &dctx->core_r, src,
3964 -+ srclen / POLY1305_BLOCK_SIZE, 1);
3965 - }
3966 -
3967 --int crypto_poly1305_update(struct shash_desc *desc,
3968 -- const u8 *src, unsigned int srclen)
3969 -+static int crypto_poly1305_update(struct shash_desc *desc,
3970 -+ const u8 *src, unsigned int srclen)
3971 - {
3972 - struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3973 - unsigned int bytes;
3974 -@@ -193,13 +84,13 @@
3975 -
3976 - if (dctx->buflen == POLY1305_BLOCK_SIZE) {
3977 - poly1305_blocks(dctx, dctx->buf,
3978 -- POLY1305_BLOCK_SIZE, 1 << 24);
3979 -+ POLY1305_BLOCK_SIZE);
3980 - dctx->buflen = 0;
3981 - }
3982 - }
3983 -
3984 - if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
3985 -- poly1305_blocks(dctx, src, srclen, 1 << 24);
3986 -+ poly1305_blocks(dctx, src, srclen);
3987 - src += srclen - (srclen % POLY1305_BLOCK_SIZE);
3988 - srclen %= POLY1305_BLOCK_SIZE;
3989 - }
3990 -@@ -211,87 +102,17 @@
3991 -
3992 - return 0;
3993 - }
3994 --EXPORT_SYMBOL_GPL(crypto_poly1305_update);
3995 --
3996 --void poly1305_core_emit(const struct poly1305_state *state, void *dst)
3997 --{
3998 -- u32 h0, h1, h2, h3, h4;
3999 -- u32 g0, g1, g2, g3, g4;
4000 -- u32 mask;
4001 --
4002 -- /* fully carry h */
4003 -- h0 = state->h[0];
4004 -- h1 = state->h[1];
4005 -- h2 = state->h[2];
4006 -- h3 = state->h[3];
4007 -- h4 = state->h[4];
4008 --
4009 -- h2 += (h1 >> 26); h1 = h1 & 0x3ffffff;
4010 -- h3 += (h2 >> 26); h2 = h2 & 0x3ffffff;
4011 -- h4 += (h3 >> 26); h3 = h3 & 0x3ffffff;
4012 -- h0 += (h4 >> 26) * 5; h4 = h4 & 0x3ffffff;
4013 -- h1 += (h0 >> 26); h0 = h0 & 0x3ffffff;
4014 --
4015 -- /* compute h + -p */
4016 -- g0 = h0 + 5;
4017 -- g1 = h1 + (g0 >> 26); g0 &= 0x3ffffff;
4018 -- g2 = h2 + (g1 >> 26); g1 &= 0x3ffffff;
4019 -- g3 = h3 + (g2 >> 26); g2 &= 0x3ffffff;
4020 -- g4 = h4 + (g3 >> 26) - (1 << 26); g3 &= 0x3ffffff;
4021 --
4022 -- /* select h if h < p, or h + -p if h >= p */
4023 -- mask = (g4 >> ((sizeof(u32) * 8) - 1)) - 1;
4024 -- g0 &= mask;
4025 -- g1 &= mask;
4026 -- g2 &= mask;
4027 -- g3 &= mask;
4028 -- g4 &= mask;
4029 -- mask = ~mask;
4030 -- h0 = (h0 & mask) | g0;
4031 -- h1 = (h1 & mask) | g1;
4032 -- h2 = (h2 & mask) | g2;
4033 -- h3 = (h3 & mask) | g3;
4034 -- h4 = (h4 & mask) | g4;
4035 --
4036 -- /* h = h % (2^128) */
4037 -- put_unaligned_le32((h0 >> 0) | (h1 << 26), dst + 0);
4038 -- put_unaligned_le32((h1 >> 6) | (h2 << 20), dst + 4);
4039 -- put_unaligned_le32((h2 >> 12) | (h3 << 14), dst + 8);
4040 -- put_unaligned_le32((h3 >> 18) | (h4 << 8), dst + 12);
4041 --}
4042 --EXPORT_SYMBOL_GPL(poly1305_core_emit);
4043 -
4044 --int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
4045 -+static int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
4046 - {
4047 - struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
4048 -- __le32 digest[4];
4049 -- u64 f = 0;
4050 -
4051 - if (unlikely(!dctx->sset))
4052 - return -ENOKEY;
4053 -
4054 -- if (unlikely(dctx->buflen)) {
4055 -- dctx->buf[dctx->buflen++] = 1;
4056 -- memset(dctx->buf + dctx->buflen, 0,
4057 -- POLY1305_BLOCK_SIZE - dctx->buflen);
4058 -- poly1305_blocks(dctx, dctx->buf, POLY1305_BLOCK_SIZE, 0);
4059 -- }
4060 --
4061 -- poly1305_core_emit(&dctx->h, digest);
4062 --
4063 -- /* mac = (h + s) % (2^128) */
4064 -- f = (f >> 32) + le32_to_cpu(digest[0]) + dctx->s[0];
4065 -- put_unaligned_le32(f, dst + 0);
4066 -- f = (f >> 32) + le32_to_cpu(digest[1]) + dctx->s[1];
4067 -- put_unaligned_le32(f, dst + 4);
4068 -- f = (f >> 32) + le32_to_cpu(digest[2]) + dctx->s[2];
4069 -- put_unaligned_le32(f, dst + 8);
4070 -- f = (f >> 32) + le32_to_cpu(digest[3]) + dctx->s[3];
4071 -- put_unaligned_le32(f, dst + 12);
4072 --
4073 -+ poly1305_final_generic(dctx, dst);
4074 - return 0;
4075 - }
4076 --EXPORT_SYMBOL_GPL(crypto_poly1305_final);
4077 -
4078 - static struct shash_alg poly1305_alg = {
4079 - .digestsize = POLY1305_DIGEST_SIZE,
4080 ---- b/include/crypto/internal/poly1305.h
4081 -+++ b/include/crypto/internal/poly1305.h
4082 -@@ -0,0 +1,33 @@
4083 -+/* SPDX-License-Identifier: GPL-2.0 */
4084 -+/*
4085 -+ * Common values for the Poly1305 algorithm
4086 -+ */
4087 -+
4088 -+#ifndef _CRYPTO_INTERNAL_POLY1305_H
4089 -+#define _CRYPTO_INTERNAL_POLY1305_H
4090 -+
4091 -+#include <asm/unaligned.h>
4092 -+#include <linux/types.h>
4093 -+#include <crypto/poly1305.h>
4094 -+
4095 -+/*
4096 -+ * Poly1305 core functions. These only accept whole blocks; the caller must
4097 -+ * handle any needed block buffering and padding. 'hibit' must be 1 for any
4098 -+ * full blocks, or 0 for the final block if it had to be padded. If 'nonce' is
4099 -+ * non-NULL, then it's added at the end to compute the Poly1305 MAC. Otherwise,
4100 -+ * only the ε-almost-∆-universal hash function (not the full MAC) is computed.
4101 -+ */
4102 -+
4103 -+void poly1305_core_setkey(struct poly1305_core_key *key, const u8 *raw_key);
4104 -+static inline void poly1305_core_init(struct poly1305_state *state)
4105 -+{
4106 -+ *state = (struct poly1305_state){};
4107 -+}
4108 -+
4109 -+void poly1305_core_blocks(struct poly1305_state *state,
4110 -+ const struct poly1305_core_key *key, const void *src,
4111 -+ unsigned int nblocks, u32 hibit);
4112 -+void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
4113 -+ void *dst);
4114 -+
4115 -+#endif
4116 ---- b/include/crypto/poly1305.h
4117 -+++ b/include/crypto/poly1305.h
4118 -@@ -14,51 +14,84 @@
4119 - #define POLY1305_DIGEST_SIZE 16
4120 -
4121 -+/* The poly1305_key and poly1305_state types are mostly opaque and
4122 -+ * implementation-defined. Limbs might be in base 2^64 or base 2^26, or
4123 -+ * different yet. The union type provided keeps these 64-bit aligned for the
4124 -+ * case in which this is implemented using 64x64 multiplies.
4125 -+ */
4126 -+
4127 - struct poly1305_key {
4128 -- u32 r[5]; /* key, base 2^26 */
4129 -+ union {
4130 -+ u32 r[5];
4131 -+ u64 r64[3];
4132 -+ };
4133 -+};
4134 -+
4135 -+struct poly1305_core_key {
4136 -+ struct poly1305_key key;
4137 -+ struct poly1305_key precomputed_s;
4138 - };
4139 -
4140 - struct poly1305_state {
4141 -- u32 h[5]; /* accumulator, base 2^26 */
4142 -+ union {
4143 -+ u32 h[5];
4144 -+ u64 h64[3];
4145 -+ };
4146 - };
4147 -
4148 - struct poly1305_desc_ctx {
4149 -- /* key */
4150 -- struct poly1305_key r;
4151 -- /* finalize key */
4152 -- u32 s[4];
4153 -- /* accumulator */
4154 -- struct poly1305_state h;
4155 - /* partial buffer */
4156 - u8 buf[POLY1305_BLOCK_SIZE];
4157 - /* bytes used in partial buffer */
4158 - unsigned int buflen;
4159 -- /* r key has been set */
4160 -- bool rset;
4161 -- /* s key has been set */
4162 -+ /* how many keys have been set in r[] */
4163 -+ unsigned short rset;
4164 -+ /* whether s[] has been set */
4165 - bool sset;
4166 -+ /* finalize key */
4167 -+ u32 s[4];
4168 -+ /* accumulator */
4169 -+ struct poly1305_state h;
4170 -+ /* key */
4171 -+ union {
4172 -+ struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
4173 -+ struct poly1305_core_key core_r;
4174 -+ };
4175 - };
4176 -
4177 --/*
4178 -- * Poly1305 core functions. These implement the ε-almost-∆-universal hash
4179 -- * function underlying the Poly1305 MAC, i.e. they don't add an encrypted nonce
4180 -- * ("s key") at the end. They also only support block-aligned inputs.
4181 -- */
4182 --void poly1305_core_setkey(struct poly1305_key *key, const u8 *raw_key);
4183 --static inline void poly1305_core_init(struct poly1305_state *state)
4184 -+void poly1305_init_arch(struct poly1305_desc_ctx *desc, const u8 *key);
4185 -+void poly1305_init_generic(struct poly1305_desc_ctx *desc, const u8 *key);
4186 -+
4187 -+static inline void poly1305_init(struct poly1305_desc_ctx *desc, const u8 *key)
4188 -+{
4189 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
4190 -+ poly1305_init_arch(desc, key);
4191 -+ else
4192 -+ poly1305_init_generic(desc, key);
4193 -+}
4194 -+
4195 -+void poly1305_update_arch(struct poly1305_desc_ctx *desc, const u8 *src,
4196 -+ unsigned int nbytes);
4197 -+void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
4198 -+ unsigned int nbytes);
4199 -+
4200 -+static inline void poly1305_update(struct poly1305_desc_ctx *desc,
4201 -+ const u8 *src, unsigned int nbytes)
4202 -+{
4203 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
4204 -+ poly1305_update_arch(desc, src, nbytes);
4205 -+ else
4206 -+ poly1305_update_generic(desc, src, nbytes);
4207 -+}
4208 -+
4209 -+void poly1305_final_arch(struct poly1305_desc_ctx *desc, u8 *digest);
4210 -+void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *digest);
4211 -+
4212 -+static inline void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest)
4213 - {
4214 -- memset(state->h, 0, sizeof(state->h));
4215 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
4216 -+ poly1305_final_arch(desc, digest);
4217 -+ else
4218 -+ poly1305_final_generic(desc, digest);
4219 - }
4220 --void poly1305_core_blocks(struct poly1305_state *state,
4221 -- const struct poly1305_key *key,
4222 -- const void *src, unsigned int nblocks);
4223 --void poly1305_core_emit(const struct poly1305_state *state, void *dst);
4224 --
4225 --/* Crypto API helper functions for the Poly1305 MAC */
4226 --int crypto_poly1305_init(struct shash_desc *desc);
4227 --unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
4228 -- const u8 *src, unsigned int srclen);
4229 --int crypto_poly1305_update(struct shash_desc *desc,
4230 -- const u8 *src, unsigned int srclen);
4231 --int crypto_poly1305_final(struct shash_desc *desc, u8 *dst);
4232 -
4233 - #endif
4234 ---- b/lib/crypto/poly1305.c
4235 -+++ b/lib/crypto/poly1305.c
4236 -@@ -0,0 +1,77 @@
4237 -+// SPDX-License-Identifier: GPL-2.0-or-later
4238 -+/*
4239 -+ * Poly1305 authenticator algorithm, RFC7539
4240 -+ *
4241 -+ * Copyright (C) 2015 Martin Willi
4242 -+ *
4243 -+ * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
4244 -+ */
4245 -+
4246 -+#include <crypto/internal/poly1305.h>
4247 -+#include <linux/kernel.h>
4248 -+#include <linux/module.h>
4249 -+#include <asm/unaligned.h>
4250 -+
4251 -+void poly1305_init_generic(struct poly1305_desc_ctx *desc, const u8 *key)
4252 -+{
4253 -+ poly1305_core_setkey(&desc->core_r, key);
4254 -+ desc->s[0] = get_unaligned_le32(key + 16);
4255 -+ desc->s[1] = get_unaligned_le32(key + 20);
4256 -+ desc->s[2] = get_unaligned_le32(key + 24);
4257 -+ desc->s[3] = get_unaligned_le32(key + 28);
4258 -+ poly1305_core_init(&desc->h);
4259 -+ desc->buflen = 0;
4260 -+ desc->sset = true;
4261 -+ desc->rset = 2;
4262 -+}
4263 -+EXPORT_SYMBOL_GPL(poly1305_init_generic);
4264 -+
4265 -+void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
4266 -+ unsigned int nbytes)
4267 -+{
4268 -+ unsigned int bytes;
4269 -+
4270 -+ if (unlikely(desc->buflen)) {
4271 -+ bytes = min(nbytes, POLY1305_BLOCK_SIZE - desc->buflen);
4272 -+ memcpy(desc->buf + desc->buflen, src, bytes);
4273 -+ src += bytes;
4274 -+ nbytes -= bytes;
4275 -+ desc->buflen += bytes;
4276 -+
4277 -+ if (desc->buflen == POLY1305_BLOCK_SIZE) {
4278 -+ poly1305_core_blocks(&desc->h, &desc->core_r, desc->buf,
4279 -+ 1, 1);
4280 -+ desc->buflen = 0;
4281 -+ }
4282 -+ }
4283 -+
4284 -+ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
4285 -+ poly1305_core_blocks(&desc->h, &desc->core_r, src,
4286 -+ nbytes / POLY1305_BLOCK_SIZE, 1);
4287 -+ src += nbytes - (nbytes % POLY1305_BLOCK_SIZE);
4288 -+ nbytes %= POLY1305_BLOCK_SIZE;
4289 -+ }
4290 -+
4291 -+ if (unlikely(nbytes)) {
4292 -+ desc->buflen = nbytes;
4293 -+ memcpy(desc->buf, src, nbytes);
4294 -+ }
4295 -+}
4296 -+EXPORT_SYMBOL_GPL(poly1305_update_generic);
4297 -+
4298 -+void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *dst)
4299 -+{
4300 -+ if (unlikely(desc->buflen)) {
4301 -+ desc->buf[desc->buflen++] = 1;
4302 -+ memset(desc->buf + desc->buflen, 0,
4303 -+ POLY1305_BLOCK_SIZE - desc->buflen);
4304 -+ poly1305_core_blocks(&desc->h, &desc->core_r, desc->buf, 1, 0);
4305 -+ }
4306 -+
4307 -+ poly1305_core_emit(&desc->h, desc->s, dst);
4308 -+ *desc = (struct poly1305_desc_ctx){};
4309 -+}
4310 -+EXPORT_SYMBOL_GPL(poly1305_final_generic);
4311 -+
4312 -+MODULE_LICENSE("GPL");
4313 -+MODULE_AUTHOR("Martin Willi <martin@××××××××××.org>");
4314 ---- a/arch/arm64/crypto/Makefile
4315 -+++ b/arch/arm64/crypto/Makefile
4316 -@@ -50,6 +50,10 @@ sha512-arm64-y := sha512-glue.o sha512-core.o
4317 - obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
4318 - chacha-neon-y := chacha-neon-core.o chacha-neon-glue.o
4319 -
4320 -+obj-$(CONFIG_CRYPTO_POLY1305_NEON) += poly1305-neon.o
4321 -+poly1305-neon-y := poly1305-core.o poly1305-glue.o
4322 -+AFLAGS_poly1305-core.o += -Dpoly1305_init=poly1305_init_arm64
4323 -+
4324 - obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
4325 - nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
4326 -
4327 -@@ -68,11 +72,15 @@ ifdef REGENERATE_ARM64_CRYPTO
4328 - quiet_cmd_perlasm = PERLASM $@
4329 - cmd_perlasm = $(PERL) $(<) void $(@)
4330 -
4331 -+$(src)/poly1305-core.S_shipped: $(src)/poly1305-armv8.pl
4332 -+ $(call cmd,perlasm)
4333 -+
4334 - $(src)/sha256-core.S_shipped: $(src)/sha512-armv8.pl
4335 - $(call cmd,perlasm)
4336 -
4337 - $(src)/sha512-core.S_shipped: $(src)/sha512-armv8.pl
4338 - $(call cmd,perlasm)
4339 -+
4340 - endif
4341 -
4342 --clean-files += sha256-core.S sha512-core.S
4343 -+clean-files += poly1305-core.S sha256-core.S sha512-core.S
4344 ---- /dev/null
4345 -+++ b/arch/arm64/crypto/poly1305-armv8.pl
4346 -@@ -0,0 +1,913 @@
4347 -+#!/usr/bin/env perl
4348 -+# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
4349 -+#
4350 -+# ====================================================================
4351 -+# Written by Andy Polyakov, @dot-asm, initially for the OpenSSL
4352 -+# project.
4353 -+# ====================================================================
4354 -+#
4355 -+# This module implements Poly1305 hash for ARMv8.
4356 -+#
4357 -+# June 2015
4358 -+#
4359 -+# Numbers are cycles per processed byte with poly1305_blocks alone.
4360 -+#
4361 -+# IALU/gcc-4.9 NEON
4362 -+#
4363 -+# Apple A7 1.86/+5% 0.72
4364 -+# Cortex-A53 2.69/+58% 1.47
4365 -+# Cortex-A57 2.70/+7% 1.14
4366 -+# Denver 1.64/+50% 1.18(*)
4367 -+# X-Gene 2.13/+68% 2.27
4368 -+# Mongoose 1.77/+75% 1.12
4369 -+# Kryo 2.70/+55% 1.13
4370 -+# ThunderX2 1.17/+95% 1.36
4371 -+#
4372 -+# (*) estimate based on resources availability is less than 1.0,
4373 -+# i.e. measured result is worse than expected, presumably binary
4374 -+# translator is not almighty;
4375 -+
4376 -+$flavour=shift;
4377 -+$output=shift;
4378 -+
4379 -+if ($flavour && $flavour ne "void") {
4380 -+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
4381 -+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
4382 -+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
4383 -+ die "can't locate arm-xlate.pl";
4384 -+
4385 -+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
4386 -+} else {
4387 -+ open STDOUT,">$output";
4388 -+}
4389 -+
4390 -+my ($ctx,$inp,$len,$padbit) = map("x$_",(0..3));
4391 -+my ($mac,$nonce)=($inp,$len);
4392 -+
4393 -+my ($h0,$h1,$h2,$r0,$r1,$s1,$t0,$t1,$d0,$d1,$d2) = map("x$_",(4..14));
4394 -+
4395 -+$code.=<<___;
4396 -+#ifndef __KERNEL__
4397 -+# include "arm_arch.h"
4398 -+.extern OPENSSL_armcap_P
4399 -+#endif
4400 -+
4401 -+.text
4402 -+
4403 -+// forward "declarations" are required for Apple
4404 -+.globl poly1305_blocks
4405 -+.globl poly1305_emit
4406 -+
4407 -+.globl poly1305_init
4408 -+.type poly1305_init,%function
4409 -+.align 5
4410 -+poly1305_init:
4411 -+ cmp $inp,xzr
4412 -+ stp xzr,xzr,[$ctx] // zero hash value
4413 -+ stp xzr,xzr,[$ctx,#16] // [along with is_base2_26]
4414 -+
4415 -+ csel x0,xzr,x0,eq
4416 -+ b.eq .Lno_key
4417 -+
4418 -+#ifndef __KERNEL__
4419 -+ adrp x17,OPENSSL_armcap_P
4420 -+ ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
4421 -+#endif
4422 -+
4423 -+ ldp $r0,$r1,[$inp] // load key
4424 -+ mov $s1,#0xfffffffc0fffffff
4425 -+ movk $s1,#0x0fff,lsl#48
4426 -+#ifdef __AARCH64EB__
4427 -+ rev $r0,$r0 // flip bytes
4428 -+ rev $r1,$r1
4429 -+#endif
4430 -+ and $r0,$r0,$s1 // &=0ffffffc0fffffff
4431 -+ and $s1,$s1,#-4
4432 -+ and $r1,$r1,$s1 // &=0ffffffc0ffffffc
4433 -+ mov w#$s1,#-1
4434 -+ stp $r0,$r1,[$ctx,#32] // save key value
4435 -+ str w#$s1,[$ctx,#48] // impossible key power value
4436 -+
4437 -+#ifndef __KERNEL__
4438 -+ tst w17,#ARMV7_NEON
4439 -+
4440 -+ adr $d0,.Lpoly1305_blocks
4441 -+ adr $r0,.Lpoly1305_blocks_neon
4442 -+ adr $d1,.Lpoly1305_emit
4443 -+
4444 -+ csel $d0,$d0,$r0,eq
4445 -+
4446 -+# ifdef __ILP32__
4447 -+ stp w#$d0,w#$d1,[$len]
4448 -+# else
4449 -+ stp $d0,$d1,[$len]
4450 -+# endif
4451 -+#endif
4452 -+ mov x0,#1
4453 -+.Lno_key:
4454 -+ ret
4455 -+.size poly1305_init,.-poly1305_init
4456 -+
4457 -+.type poly1305_blocks,%function
4458 -+.align 5
4459 -+poly1305_blocks:
4460 -+.Lpoly1305_blocks:
4461 -+ ands $len,$len,#-16
4462 -+ b.eq .Lno_data
4463 -+
4464 -+ ldp $h0,$h1,[$ctx] // load hash value
4465 -+ ldp $h2,x17,[$ctx,#16] // [along with is_base2_26]
4466 -+ ldp $r0,$r1,[$ctx,#32] // load key value
4467 -+
4468 -+#ifdef __AARCH64EB__
4469 -+ lsr $d0,$h0,#32
4470 -+ mov w#$d1,w#$h0
4471 -+ lsr $d2,$h1,#32
4472 -+ mov w15,w#$h1
4473 -+ lsr x16,$h2,#32
4474 -+#else
4475 -+ mov w#$d0,w#$h0
4476 -+ lsr $d1,$h0,#32
4477 -+ mov w#$d2,w#$h1
4478 -+ lsr x15,$h1,#32
4479 -+ mov w16,w#$h2
4480 -+#endif
4481 -+
4482 -+ add $d0,$d0,$d1,lsl#26 // base 2^26 -> base 2^64
4483 -+ lsr $d1,$d2,#12
4484 -+ adds $d0,$d0,$d2,lsl#52
4485 -+ add $d1,$d1,x15,lsl#14
4486 -+ adc $d1,$d1,xzr
4487 -+ lsr $d2,x16,#24
4488 -+ adds $d1,$d1,x16,lsl#40
4489 -+ adc $d2,$d2,xzr
4490 -+
4491 -+ cmp x17,#0 // is_base2_26?
4492 -+ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4493 -+ csel $h0,$h0,$d0,eq // choose between radixes
4494 -+ csel $h1,$h1,$d1,eq
4495 -+ csel $h2,$h2,$d2,eq
4496 -+
4497 -+.Loop:
4498 -+ ldp $t0,$t1,[$inp],#16 // load input
4499 -+ sub $len,$len,#16
4500 -+#ifdef __AARCH64EB__
4501 -+ rev $t0,$t0
4502 -+ rev $t1,$t1
4503 -+#endif
4504 -+ adds $h0,$h0,$t0 // accumulate input
4505 -+ adcs $h1,$h1,$t1
4506 -+
4507 -+ mul $d0,$h0,$r0 // h0*r0
4508 -+ adc $h2,$h2,$padbit
4509 -+ umulh $d1,$h0,$r0
4510 -+
4511 -+ mul $t0,$h1,$s1 // h1*5*r1
4512 -+ umulh $t1,$h1,$s1
4513 -+
4514 -+ adds $d0,$d0,$t0
4515 -+ mul $t0,$h0,$r1 // h0*r1
4516 -+ adc $d1,$d1,$t1
4517 -+ umulh $d2,$h0,$r1
4518 -+
4519 -+ adds $d1,$d1,$t0
4520 -+ mul $t0,$h1,$r0 // h1*r0
4521 -+ adc $d2,$d2,xzr
4522 -+ umulh $t1,$h1,$r0
4523 -+
4524 -+ adds $d1,$d1,$t0
4525 -+ mul $t0,$h2,$s1 // h2*5*r1
4526 -+ adc $d2,$d2,$t1
4527 -+ mul $t1,$h2,$r0 // h2*r0
4528 -+
4529 -+ adds $d1,$d1,$t0
4530 -+ adc $d2,$d2,$t1
4531 -+
4532 -+ and $t0,$d2,#-4 // final reduction
4533 -+ and $h2,$d2,#3
4534 -+ add $t0,$t0,$d2,lsr#2
4535 -+ adds $h0,$d0,$t0
4536 -+ adcs $h1,$d1,xzr
4537 -+ adc $h2,$h2,xzr
4538 -+
4539 -+ cbnz $len,.Loop
4540 -+
4541 -+ stp $h0,$h1,[$ctx] // store hash value
4542 -+ stp $h2,xzr,[$ctx,#16] // [and clear is_base2_26]
4543 -+
4544 -+.Lno_data:
4545 -+ ret
4546 -+.size poly1305_blocks,.-poly1305_blocks
4547 -+
4548 -+.type poly1305_emit,%function
4549 -+.align 5
4550 -+poly1305_emit:
4551 -+.Lpoly1305_emit:
4552 -+ ldp $h0,$h1,[$ctx] // load hash base 2^64
4553 -+ ldp $h2,$r0,[$ctx,#16] // [along with is_base2_26]
4554 -+ ldp $t0,$t1,[$nonce] // load nonce
4555 -+
4556 -+#ifdef __AARCH64EB__
4557 -+ lsr $d0,$h0,#32
4558 -+ mov w#$d1,w#$h0
4559 -+ lsr $d2,$h1,#32
4560 -+ mov w15,w#$h1
4561 -+ lsr x16,$h2,#32
4562 -+#else
4563 -+ mov w#$d0,w#$h0
4564 -+ lsr $d1,$h0,#32
4565 -+ mov w#$d2,w#$h1
4566 -+ lsr x15,$h1,#32
4567 -+ mov w16,w#$h2
4568 -+#endif
4569 -+
4570 -+ add $d0,$d0,$d1,lsl#26 // base 2^26 -> base 2^64
4571 -+ lsr $d1,$d2,#12
4572 -+ adds $d0,$d0,$d2,lsl#52
4573 -+ add $d1,$d1,x15,lsl#14
4574 -+ adc $d1,$d1,xzr
4575 -+ lsr $d2,x16,#24
4576 -+ adds $d1,$d1,x16,lsl#40
4577 -+ adc $d2,$d2,xzr
4578 -+
4579 -+ cmp $r0,#0 // is_base2_26?
4580 -+ csel $h0,$h0,$d0,eq // choose between radixes
4581 -+ csel $h1,$h1,$d1,eq
4582 -+ csel $h2,$h2,$d2,eq
4583 -+
4584 -+ adds $d0,$h0,#5 // compare to modulus
4585 -+ adcs $d1,$h1,xzr
4586 -+ adc $d2,$h2,xzr
4587 -+
4588 -+ tst $d2,#-4 // see if it's carried/borrowed
4589 -+
4590 -+ csel $h0,$h0,$d0,eq
4591 -+ csel $h1,$h1,$d1,eq
4592 -+
4593 -+#ifdef __AARCH64EB__
4594 -+ ror $t0,$t0,#32 // flip nonce words
4595 -+ ror $t1,$t1,#32
4596 -+#endif
4597 -+ adds $h0,$h0,$t0 // accumulate nonce
4598 -+ adc $h1,$h1,$t1
4599 -+#ifdef __AARCH64EB__
4600 -+ rev $h0,$h0 // flip output bytes
4601 -+ rev $h1,$h1
4602 -+#endif
4603 -+ stp $h0,$h1,[$mac] // write result
4604 -+
4605 -+ ret
4606 -+.size poly1305_emit,.-poly1305_emit
4607 -+___
4608 -+my ($R0,$R1,$S1,$R2,$S2,$R3,$S3,$R4,$S4) = map("v$_.4s",(0..8));
4609 -+my ($IN01_0,$IN01_1,$IN01_2,$IN01_3,$IN01_4) = map("v$_.2s",(9..13));
4610 -+my ($IN23_0,$IN23_1,$IN23_2,$IN23_3,$IN23_4) = map("v$_.2s",(14..18));
4611 -+my ($ACC0,$ACC1,$ACC2,$ACC3,$ACC4) = map("v$_.2d",(19..23));
4612 -+my ($H0,$H1,$H2,$H3,$H4) = map("v$_.2s",(24..28));
4613 -+my ($T0,$T1,$MASK) = map("v$_",(29..31));
4614 -+
4615 -+my ($in2,$zeros)=("x16","x17");
4616 -+my $is_base2_26 = $zeros; # borrow
4617 -+
4618 -+$code.=<<___;
4619 -+.type poly1305_mult,%function
4620 -+.align 5
4621 -+poly1305_mult:
4622 -+ mul $d0,$h0,$r0 // h0*r0
4623 -+ umulh $d1,$h0,$r0
4624 -+
4625 -+ mul $t0,$h1,$s1 // h1*5*r1
4626 -+ umulh $t1,$h1,$s1
4627 -+
4628 -+ adds $d0,$d0,$t0
4629 -+ mul $t0,$h0,$r1 // h0*r1
4630 -+ adc $d1,$d1,$t1
4631 -+ umulh $d2,$h0,$r1
4632 -+
4633 -+ adds $d1,$d1,$t0
4634 -+ mul $t0,$h1,$r0 // h1*r0
4635 -+ adc $d2,$d2,xzr
4636 -+ umulh $t1,$h1,$r0
4637 -+
4638 -+ adds $d1,$d1,$t0
4639 -+ mul $t0,$h2,$s1 // h2*5*r1
4640 -+ adc $d2,$d2,$t1
4641 -+ mul $t1,$h2,$r0 // h2*r0
4642 -+
4643 -+ adds $d1,$d1,$t0
4644 -+ adc $d2,$d2,$t1
4645 -+
4646 -+ and $t0,$d2,#-4 // final reduction
4647 -+ and $h2,$d2,#3
4648 -+ add $t0,$t0,$d2,lsr#2
4649 -+ adds $h0,$d0,$t0
4650 -+ adcs $h1,$d1,xzr
4651 -+ adc $h2,$h2,xzr
4652 -+
4653 -+ ret
4654 -+.size poly1305_mult,.-poly1305_mult
4655 -+
4656 -+.type poly1305_splat,%function
4657 -+.align 4
4658 -+poly1305_splat:
4659 -+ and x12,$h0,#0x03ffffff // base 2^64 -> base 2^26
4660 -+ ubfx x13,$h0,#26,#26
4661 -+ extr x14,$h1,$h0,#52
4662 -+ and x14,x14,#0x03ffffff
4663 -+ ubfx x15,$h1,#14,#26
4664 -+ extr x16,$h2,$h1,#40
4665 -+
4666 -+ str w12,[$ctx,#16*0] // r0
4667 -+ add w12,w13,w13,lsl#2 // r1*5
4668 -+ str w13,[$ctx,#16*1] // r1
4669 -+ add w13,w14,w14,lsl#2 // r2*5
4670 -+ str w12,[$ctx,#16*2] // s1
4671 -+ str w14,[$ctx,#16*3] // r2
4672 -+ add w14,w15,w15,lsl#2 // r3*5
4673 -+ str w13,[$ctx,#16*4] // s2
4674 -+ str w15,[$ctx,#16*5] // r3
4675 -+ add w15,w16,w16,lsl#2 // r4*5
4676 -+ str w14,[$ctx,#16*6] // s3
4677 -+ str w16,[$ctx,#16*7] // r4
4678 -+ str w15,[$ctx,#16*8] // s4
4679 -+
4680 -+ ret
4681 -+.size poly1305_splat,.-poly1305_splat
4682 -+
4683 -+#ifdef __KERNEL__
4684 -+.globl poly1305_blocks_neon
4685 -+#endif
4686 -+.type poly1305_blocks_neon,%function
4687 -+.align 5
4688 -+poly1305_blocks_neon:
4689 -+.Lpoly1305_blocks_neon:
4690 -+ ldr $is_base2_26,[$ctx,#24]
4691 -+ cmp $len,#128
4692 -+ b.lo .Lpoly1305_blocks
4693 -+
4694 -+ .inst 0xd503233f // paciasp
4695 -+ stp x29,x30,[sp,#-80]!
4696 -+ add x29,sp,#0
4697 -+
4698 -+ stp d8,d9,[sp,#16] // meet ABI requirements
4699 -+ stp d10,d11,[sp,#32]
4700 -+ stp d12,d13,[sp,#48]
4701 -+ stp d14,d15,[sp,#64]
4702 -+
4703 -+ cbz $is_base2_26,.Lbase2_64_neon
4704 -+
4705 -+ ldp w10,w11,[$ctx] // load hash value base 2^26
4706 -+ ldp w12,w13,[$ctx,#8]
4707 -+ ldr w14,[$ctx,#16]
4708 -+
4709 -+ tst $len,#31
4710 -+ b.eq .Leven_neon
4711 -+
4712 -+ ldp $r0,$r1,[$ctx,#32] // load key value
4713 -+
4714 -+ add $h0,x10,x11,lsl#26 // base 2^26 -> base 2^64
4715 -+ lsr $h1,x12,#12
4716 -+ adds $h0,$h0,x12,lsl#52
4717 -+ add $h1,$h1,x13,lsl#14
4718 -+ adc $h1,$h1,xzr
4719 -+ lsr $h2,x14,#24
4720 -+ adds $h1,$h1,x14,lsl#40
4721 -+ adc $d2,$h2,xzr // can be partially reduced...
4722 -+
4723 -+ ldp $d0,$d1,[$inp],#16 // load input
4724 -+ sub $len,$len,#16
4725 -+ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4726 -+
4727 -+#ifdef __AARCH64EB__
4728 -+ rev $d0,$d0
4729 -+ rev $d1,$d1
4730 -+#endif
4731 -+ adds $h0,$h0,$d0 // accumulate input
4732 -+ adcs $h1,$h1,$d1
4733 -+ adc $h2,$h2,$padbit
4734 -+
4735 -+ bl poly1305_mult
4736 -+
4737 -+ and x10,$h0,#0x03ffffff // base 2^64 -> base 2^26
4738 -+ ubfx x11,$h0,#26,#26
4739 -+ extr x12,$h1,$h0,#52
4740 -+ and x12,x12,#0x03ffffff
4741 -+ ubfx x13,$h1,#14,#26
4742 -+ extr x14,$h2,$h1,#40
4743 -+
4744 -+ b .Leven_neon
4745 -+
4746 -+.align 4
4747 -+.Lbase2_64_neon:
4748 -+ ldp $r0,$r1,[$ctx,#32] // load key value
4749 -+
4750 -+ ldp $h0,$h1,[$ctx] // load hash value base 2^64
4751 -+ ldr $h2,[$ctx,#16]
4752 -+
4753 -+ tst $len,#31
4754 -+ b.eq .Linit_neon
4755 -+
4756 -+ ldp $d0,$d1,[$inp],#16 // load input
4757 -+ sub $len,$len,#16
4758 -+ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4759 -+#ifdef __AARCH64EB__
4760 -+ rev $d0,$d0
4761 -+ rev $d1,$d1
4762 -+#endif
4763 -+ adds $h0,$h0,$d0 // accumulate input
4764 -+ adcs $h1,$h1,$d1
4765 -+ adc $h2,$h2,$padbit
4766 -+
4767 -+ bl poly1305_mult
4768 -+
4769 -+.Linit_neon:
4770 -+ ldr w17,[$ctx,#48] // first table element
4771 -+ and x10,$h0,#0x03ffffff // base 2^64 -> base 2^26
4772 -+ ubfx x11,$h0,#26,#26
4773 -+ extr x12,$h1,$h0,#52
4774 -+ and x12,x12,#0x03ffffff
4775 -+ ubfx x13,$h1,#14,#26
4776 -+ extr x14,$h2,$h1,#40
4777 -+
4778 -+ cmp w17,#-1 // is value impossible?
4779 -+ b.ne .Leven_neon
4780 -+
4781 -+ fmov ${H0},x10
4782 -+ fmov ${H1},x11
4783 -+ fmov ${H2},x12
4784 -+ fmov ${H3},x13
4785 -+ fmov ${H4},x14
4786 -+
4787 -+ ////////////////////////////////// initialize r^n table
4788 -+ mov $h0,$r0 // r^1
4789 -+ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4790 -+ mov $h1,$r1
4791 -+ mov $h2,xzr
4792 -+ add $ctx,$ctx,#48+12
4793 -+ bl poly1305_splat
4794 -+
4795 -+ bl poly1305_mult // r^2
4796 -+ sub $ctx,$ctx,#4
4797 -+ bl poly1305_splat
4798 -+
4799 -+ bl poly1305_mult // r^3
4800 -+ sub $ctx,$ctx,#4
4801 -+ bl poly1305_splat
4802 -+
4803 -+ bl poly1305_mult // r^4
4804 -+ sub $ctx,$ctx,#4
4805 -+ bl poly1305_splat
4806 -+ sub $ctx,$ctx,#48 // restore original $ctx
4807 -+ b .Ldo_neon
4808 -+
4809 -+.align 4
4810 -+.Leven_neon:
4811 -+ fmov ${H0},x10
4812 -+ fmov ${H1},x11
4813 -+ fmov ${H2},x12
4814 -+ fmov ${H3},x13
4815 -+ fmov ${H4},x14
4816 -+
4817 -+.Ldo_neon:
4818 -+ ldp x8,x12,[$inp,#32] // inp[2:3]
4819 -+ subs $len,$len,#64
4820 -+ ldp x9,x13,[$inp,#48]
4821 -+ add $in2,$inp,#96
4822 -+ adr $zeros,.Lzeros
4823 -+
4824 -+ lsl $padbit,$padbit,#24
4825 -+ add x15,$ctx,#48
4826 -+
4827 -+#ifdef __AARCH64EB__
4828 -+ rev x8,x8
4829 -+ rev x12,x12
4830 -+ rev x9,x9
4831 -+ rev x13,x13
4832 -+#endif
4833 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
4834 -+ and x5,x9,#0x03ffffff
4835 -+ ubfx x6,x8,#26,#26
4836 -+ ubfx x7,x9,#26,#26
4837 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
4838 -+ extr x8,x12,x8,#52
4839 -+ extr x9,x13,x9,#52
4840 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
4841 -+ fmov $IN23_0,x4
4842 -+ and x8,x8,#0x03ffffff
4843 -+ and x9,x9,#0x03ffffff
4844 -+ ubfx x10,x12,#14,#26
4845 -+ ubfx x11,x13,#14,#26
4846 -+ add x12,$padbit,x12,lsr#40
4847 -+ add x13,$padbit,x13,lsr#40
4848 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
4849 -+ fmov $IN23_1,x6
4850 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
4851 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
4852 -+ fmov $IN23_2,x8
4853 -+ fmov $IN23_3,x10
4854 -+ fmov $IN23_4,x12
4855 -+
4856 -+ ldp x8,x12,[$inp],#16 // inp[0:1]
4857 -+ ldp x9,x13,[$inp],#48
4858 -+
4859 -+ ld1 {$R0,$R1,$S1,$R2},[x15],#64
4860 -+ ld1 {$S2,$R3,$S3,$R4},[x15],#64
4861 -+ ld1 {$S4},[x15]
4862 -+
4863 -+#ifdef __AARCH64EB__
4864 -+ rev x8,x8
4865 -+ rev x12,x12
4866 -+ rev x9,x9
4867 -+ rev x13,x13
4868 -+#endif
4869 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
4870 -+ and x5,x9,#0x03ffffff
4871 -+ ubfx x6,x8,#26,#26
4872 -+ ubfx x7,x9,#26,#26
4873 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
4874 -+ extr x8,x12,x8,#52
4875 -+ extr x9,x13,x9,#52
4876 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
4877 -+ fmov $IN01_0,x4
4878 -+ and x8,x8,#0x03ffffff
4879 -+ and x9,x9,#0x03ffffff
4880 -+ ubfx x10,x12,#14,#26
4881 -+ ubfx x11,x13,#14,#26
4882 -+ add x12,$padbit,x12,lsr#40
4883 -+ add x13,$padbit,x13,lsr#40
4884 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
4885 -+ fmov $IN01_1,x6
4886 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
4887 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
4888 -+ movi $MASK.2d,#-1
4889 -+ fmov $IN01_2,x8
4890 -+ fmov $IN01_3,x10
4891 -+ fmov $IN01_4,x12
4892 -+ ushr $MASK.2d,$MASK.2d,#38
4893 -+
4894 -+ b.ls .Lskip_loop
4895 -+
4896 -+.align 4
4897 -+.Loop_neon:
4898 -+ ////////////////////////////////////////////////////////////////
4899 -+ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
4900 -+ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
4901 -+ // \___________________/
4902 -+ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
4903 -+ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
4904 -+ // \___________________/ \____________________/
4905 -+ //
4906 -+ // Note that we start with inp[2:3]*r^2. This is because it
4907 -+ // doesn't depend on reduction in previous iteration.
4908 -+ ////////////////////////////////////////////////////////////////
4909 -+ // d4 = h0*r4 + h1*r3 + h2*r2 + h3*r1 + h4*r0
4910 -+ // d3 = h0*r3 + h1*r2 + h2*r1 + h3*r0 + h4*5*r4
4911 -+ // d2 = h0*r2 + h1*r1 + h2*r0 + h3*5*r4 + h4*5*r3
4912 -+ // d1 = h0*r1 + h1*r0 + h2*5*r4 + h3*5*r3 + h4*5*r2
4913 -+ // d0 = h0*r0 + h1*5*r4 + h2*5*r3 + h3*5*r2 + h4*5*r1
4914 -+
4915 -+ subs $len,$len,#64
4916 -+ umull $ACC4,$IN23_0,${R4}[2]
4917 -+ csel $in2,$zeros,$in2,lo
4918 -+ umull $ACC3,$IN23_0,${R3}[2]
4919 -+ umull $ACC2,$IN23_0,${R2}[2]
4920 -+ ldp x8,x12,[$in2],#16 // inp[2:3] (or zero)
4921 -+ umull $ACC1,$IN23_0,${R1}[2]
4922 -+ ldp x9,x13,[$in2],#48
4923 -+ umull $ACC0,$IN23_0,${R0}[2]
4924 -+#ifdef __AARCH64EB__
4925 -+ rev x8,x8
4926 -+ rev x12,x12
4927 -+ rev x9,x9
4928 -+ rev x13,x13
4929 -+#endif
4930 -+
4931 -+ umlal $ACC4,$IN23_1,${R3}[2]
4932 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
4933 -+ umlal $ACC3,$IN23_1,${R2}[2]
4934 -+ and x5,x9,#0x03ffffff
4935 -+ umlal $ACC2,$IN23_1,${R1}[2]
4936 -+ ubfx x6,x8,#26,#26
4937 -+ umlal $ACC1,$IN23_1,${R0}[2]
4938 -+ ubfx x7,x9,#26,#26
4939 -+ umlal $ACC0,$IN23_1,${S4}[2]
4940 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
4941 -+
4942 -+ umlal $ACC4,$IN23_2,${R2}[2]
4943 -+ extr x8,x12,x8,#52
4944 -+ umlal $ACC3,$IN23_2,${R1}[2]
4945 -+ extr x9,x13,x9,#52
4946 -+ umlal $ACC2,$IN23_2,${R0}[2]
4947 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
4948 -+ umlal $ACC1,$IN23_2,${S4}[2]
4949 -+ fmov $IN23_0,x4
4950 -+ umlal $ACC0,$IN23_2,${S3}[2]
4951 -+ and x8,x8,#0x03ffffff
4952 -+
4953 -+ umlal $ACC4,$IN23_3,${R1}[2]
4954 -+ and x9,x9,#0x03ffffff
4955 -+ umlal $ACC3,$IN23_3,${R0}[2]
4956 -+ ubfx x10,x12,#14,#26
4957 -+ umlal $ACC2,$IN23_3,${S4}[2]
4958 -+ ubfx x11,x13,#14,#26
4959 -+ umlal $ACC1,$IN23_3,${S3}[2]
4960 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
4961 -+ umlal $ACC0,$IN23_3,${S2}[2]
4962 -+ fmov $IN23_1,x6
4963 -+
4964 -+ add $IN01_2,$IN01_2,$H2
4965 -+ add x12,$padbit,x12,lsr#40
4966 -+ umlal $ACC4,$IN23_4,${R0}[2]
4967 -+ add x13,$padbit,x13,lsr#40
4968 -+ umlal $ACC3,$IN23_4,${S4}[2]
4969 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
4970 -+ umlal $ACC2,$IN23_4,${S3}[2]
4971 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
4972 -+ umlal $ACC1,$IN23_4,${S2}[2]
4973 -+ fmov $IN23_2,x8
4974 -+ umlal $ACC0,$IN23_4,${S1}[2]
4975 -+ fmov $IN23_3,x10
4976 -+
4977 -+ ////////////////////////////////////////////////////////////////
4978 -+ // (hash+inp[0:1])*r^4 and accumulate
4979 -+
4980 -+ add $IN01_0,$IN01_0,$H0
4981 -+ fmov $IN23_4,x12
4982 -+ umlal $ACC3,$IN01_2,${R1}[0]
4983 -+ ldp x8,x12,[$inp],#16 // inp[0:1]
4984 -+ umlal $ACC0,$IN01_2,${S3}[0]
4985 -+ ldp x9,x13,[$inp],#48
4986 -+ umlal $ACC4,$IN01_2,${R2}[0]
4987 -+ umlal $ACC1,$IN01_2,${S4}[0]
4988 -+ umlal $ACC2,$IN01_2,${R0}[0]
4989 -+#ifdef __AARCH64EB__
4990 -+ rev x8,x8
4991 -+ rev x12,x12
4992 -+ rev x9,x9
4993 -+ rev x13,x13
4994 -+#endif
4995 -+
4996 -+ add $IN01_1,$IN01_1,$H1
4997 -+ umlal $ACC3,$IN01_0,${R3}[0]
4998 -+ umlal $ACC4,$IN01_0,${R4}[0]
4999 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5000 -+ umlal $ACC2,$IN01_0,${R2}[0]
5001 -+ and x5,x9,#0x03ffffff
5002 -+ umlal $ACC0,$IN01_0,${R0}[0]
5003 -+ ubfx x6,x8,#26,#26
5004 -+ umlal $ACC1,$IN01_0,${R1}[0]
5005 -+ ubfx x7,x9,#26,#26
5006 -+
5007 -+ add $IN01_3,$IN01_3,$H3
5008 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5009 -+ umlal $ACC3,$IN01_1,${R2}[0]
5010 -+ extr x8,x12,x8,#52
5011 -+ umlal $ACC4,$IN01_1,${R3}[0]
5012 -+ extr x9,x13,x9,#52
5013 -+ umlal $ACC0,$IN01_1,${S4}[0]
5014 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5015 -+ umlal $ACC2,$IN01_1,${R1}[0]
5016 -+ fmov $IN01_0,x4
5017 -+ umlal $ACC1,$IN01_1,${R0}[0]
5018 -+ and x8,x8,#0x03ffffff
5019 -+
5020 -+ add $IN01_4,$IN01_4,$H4
5021 -+ and x9,x9,#0x03ffffff
5022 -+ umlal $ACC3,$IN01_3,${R0}[0]
5023 -+ ubfx x10,x12,#14,#26
5024 -+ umlal $ACC0,$IN01_3,${S2}[0]
5025 -+ ubfx x11,x13,#14,#26
5026 -+ umlal $ACC4,$IN01_3,${R1}[0]
5027 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5028 -+ umlal $ACC1,$IN01_3,${S3}[0]
5029 -+ fmov $IN01_1,x6
5030 -+ umlal $ACC2,$IN01_3,${S4}[0]
5031 -+ add x12,$padbit,x12,lsr#40
5032 -+
5033 -+ umlal $ACC3,$IN01_4,${S4}[0]
5034 -+ add x13,$padbit,x13,lsr#40
5035 -+ umlal $ACC0,$IN01_4,${S1}[0]
5036 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5037 -+ umlal $ACC4,$IN01_4,${R0}[0]
5038 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5039 -+ umlal $ACC1,$IN01_4,${S2}[0]
5040 -+ fmov $IN01_2,x8
5041 -+ umlal $ACC2,$IN01_4,${S3}[0]
5042 -+ fmov $IN01_3,x10
5043 -+ fmov $IN01_4,x12
5044 -+
5045 -+ /////////////////////////////////////////////////////////////////
5046 -+ // lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
5047 -+ // and P. Schwabe
5048 -+ //
5049 -+ // [see discussion in poly1305-armv4 module]
5050 -+
5051 -+ ushr $T0.2d,$ACC3,#26
5052 -+ xtn $H3,$ACC3
5053 -+ ushr $T1.2d,$ACC0,#26
5054 -+ and $ACC0,$ACC0,$MASK.2d
5055 -+ add $ACC4,$ACC4,$T0.2d // h3 -> h4
5056 -+ bic $H3,#0xfc,lsl#24 // &=0x03ffffff
5057 -+ add $ACC1,$ACC1,$T1.2d // h0 -> h1
5058 -+
5059 -+ ushr $T0.2d,$ACC4,#26
5060 -+ xtn $H4,$ACC4
5061 -+ ushr $T1.2d,$ACC1,#26
5062 -+ xtn $H1,$ACC1
5063 -+ bic $H4,#0xfc,lsl#24
5064 -+ add $ACC2,$ACC2,$T1.2d // h1 -> h2
5065 -+
5066 -+ add $ACC0,$ACC0,$T0.2d
5067 -+ shl $T0.2d,$T0.2d,#2
5068 -+ shrn $T1.2s,$ACC2,#26
5069 -+ xtn $H2,$ACC2
5070 -+ add $ACC0,$ACC0,$T0.2d // h4 -> h0
5071 -+ bic $H1,#0xfc,lsl#24
5072 -+ add $H3,$H3,$T1.2s // h2 -> h3
5073 -+ bic $H2,#0xfc,lsl#24
5074 -+
5075 -+ shrn $T0.2s,$ACC0,#26
5076 -+ xtn $H0,$ACC0
5077 -+ ushr $T1.2s,$H3,#26
5078 -+ bic $H3,#0xfc,lsl#24
5079 -+ bic $H0,#0xfc,lsl#24
5080 -+ add $H1,$H1,$T0.2s // h0 -> h1
5081 -+ add $H4,$H4,$T1.2s // h3 -> h4
5082 -+
5083 -+ b.hi .Loop_neon
5084 -+
5085 -+.Lskip_loop:
5086 -+ dup $IN23_2,${IN23_2}[0]
5087 -+ add $IN01_2,$IN01_2,$H2
5088 -+
5089 -+ ////////////////////////////////////////////////////////////////
5090 -+ // multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
5091 -+
5092 -+ adds $len,$len,#32
5093 -+ b.ne .Long_tail
5094 -+
5095 -+ dup $IN23_2,${IN01_2}[0]
5096 -+ add $IN23_0,$IN01_0,$H0
5097 -+ add $IN23_3,$IN01_3,$H3
5098 -+ add $IN23_1,$IN01_1,$H1
5099 -+ add $IN23_4,$IN01_4,$H4
5100 -+
5101 -+.Long_tail:
5102 -+ dup $IN23_0,${IN23_0}[0]
5103 -+ umull2 $ACC0,$IN23_2,${S3}
5104 -+ umull2 $ACC3,$IN23_2,${R1}
5105 -+ umull2 $ACC4,$IN23_2,${R2}
5106 -+ umull2 $ACC2,$IN23_2,${R0}
5107 -+ umull2 $ACC1,$IN23_2,${S4}
5108 -+
5109 -+ dup $IN23_1,${IN23_1}[0]
5110 -+ umlal2 $ACC0,$IN23_0,${R0}
5111 -+ umlal2 $ACC2,$IN23_0,${R2}
5112 -+ umlal2 $ACC3,$IN23_0,${R3}
5113 -+ umlal2 $ACC4,$IN23_0,${R4}
5114 -+ umlal2 $ACC1,$IN23_0,${R1}
5115 -+
5116 -+ dup $IN23_3,${IN23_3}[0]
5117 -+ umlal2 $ACC0,$IN23_1,${S4}
5118 -+ umlal2 $ACC3,$IN23_1,${R2}
5119 -+ umlal2 $ACC2,$IN23_1,${R1}
5120 -+ umlal2 $ACC4,$IN23_1,${R3}
5121 -+ umlal2 $ACC1,$IN23_1,${R0}
5122 -+
5123 -+ dup $IN23_4,${IN23_4}[0]
5124 -+ umlal2 $ACC3,$IN23_3,${R0}
5125 -+ umlal2 $ACC4,$IN23_3,${R1}
5126 -+ umlal2 $ACC0,$IN23_3,${S2}
5127 -+ umlal2 $ACC1,$IN23_3,${S3}
5128 -+ umlal2 $ACC2,$IN23_3,${S4}
5129 -+
5130 -+ umlal2 $ACC3,$IN23_4,${S4}
5131 -+ umlal2 $ACC0,$IN23_4,${S1}
5132 -+ umlal2 $ACC4,$IN23_4,${R0}
5133 -+ umlal2 $ACC1,$IN23_4,${S2}
5134 -+ umlal2 $ACC2,$IN23_4,${S3}
5135 -+
5136 -+ b.eq .Lshort_tail
5137 -+
5138 -+ ////////////////////////////////////////////////////////////////
5139 -+ // (hash+inp[0:1])*r^4:r^3 and accumulate
5140 -+
5141 -+ add $IN01_0,$IN01_0,$H0
5142 -+ umlal $ACC3,$IN01_2,${R1}
5143 -+ umlal $ACC0,$IN01_2,${S3}
5144 -+ umlal $ACC4,$IN01_2,${R2}
5145 -+ umlal $ACC1,$IN01_2,${S4}
5146 -+ umlal $ACC2,$IN01_2,${R0}
5147 -+
5148 -+ add $IN01_1,$IN01_1,$H1
5149 -+ umlal $ACC3,$IN01_0,${R3}
5150 -+ umlal $ACC0,$IN01_0,${R0}
5151 -+ umlal $ACC4,$IN01_0,${R4}
5152 -+ umlal $ACC1,$IN01_0,${R1}
5153 -+ umlal $ACC2,$IN01_0,${R2}
5154 -+
5155 -+ add $IN01_3,$IN01_3,$H3
5156 -+ umlal $ACC3,$IN01_1,${R2}
5157 -+ umlal $ACC0,$IN01_1,${S4}
5158 -+ umlal $ACC4,$IN01_1,${R3}
5159 -+ umlal $ACC1,$IN01_1,${R0}
5160 -+ umlal $ACC2,$IN01_1,${R1}
5161 -+
5162 -+ add $IN01_4,$IN01_4,$H4
5163 -+ umlal $ACC3,$IN01_3,${R0}
5164 -+ umlal $ACC0,$IN01_3,${S2}
5165 -+ umlal $ACC4,$IN01_3,${R1}
5166 -+ umlal $ACC1,$IN01_3,${S3}
5167 -+ umlal $ACC2,$IN01_3,${S4}
5168 -+
5169 -+ umlal $ACC3,$IN01_4,${S4}
5170 -+ umlal $ACC0,$IN01_4,${S1}
5171 -+ umlal $ACC4,$IN01_4,${R0}
5172 -+ umlal $ACC1,$IN01_4,${S2}
5173 -+ umlal $ACC2,$IN01_4,${S3}
5174 -+
5175 -+.Lshort_tail:
5176 -+ ////////////////////////////////////////////////////////////////
5177 -+ // horizontal add
5178 -+
5179 -+ addp $ACC3,$ACC3,$ACC3
5180 -+ ldp d8,d9,[sp,#16] // meet ABI requirements
5181 -+ addp $ACC0,$ACC0,$ACC0
5182 -+ ldp d10,d11,[sp,#32]
5183 -+ addp $ACC4,$ACC4,$ACC4
5184 -+ ldp d12,d13,[sp,#48]
5185 -+ addp $ACC1,$ACC1,$ACC1
5186 -+ ldp d14,d15,[sp,#64]
5187 -+ addp $ACC2,$ACC2,$ACC2
5188 -+ ldr x30,[sp,#8]
5189 -+ .inst 0xd50323bf // autiasp
5190 -+
5191 -+ ////////////////////////////////////////////////////////////////
5192 -+ // lazy reduction, but without narrowing
5193 -+
5194 -+ ushr $T0.2d,$ACC3,#26
5195 -+ and $ACC3,$ACC3,$MASK.2d
5196 -+ ushr $T1.2d,$ACC0,#26
5197 -+ and $ACC0,$ACC0,$MASK.2d
5198 -+
5199 -+ add $ACC4,$ACC4,$T0.2d // h3 -> h4
5200 -+ add $ACC1,$ACC1,$T1.2d // h0 -> h1
5201 -+
5202 -+ ushr $T0.2d,$ACC4,#26
5203 -+ and $ACC4,$ACC4,$MASK.2d
5204 -+ ushr $T1.2d,$ACC1,#26
5205 -+ and $ACC1,$ACC1,$MASK.2d
5206 -+ add $ACC2,$ACC2,$T1.2d // h1 -> h2
5207 -+
5208 -+ add $ACC0,$ACC0,$T0.2d
5209 -+ shl $T0.2d,$T0.2d,#2
5210 -+ ushr $T1.2d,$ACC2,#26
5211 -+ and $ACC2,$ACC2,$MASK.2d
5212 -+ add $ACC0,$ACC0,$T0.2d // h4 -> h0
5213 -+ add $ACC3,$ACC3,$T1.2d // h2 -> h3
5214 -+
5215 -+ ushr $T0.2d,$ACC0,#26
5216 -+ and $ACC0,$ACC0,$MASK.2d
5217 -+ ushr $T1.2d,$ACC3,#26
5218 -+ and $ACC3,$ACC3,$MASK.2d
5219 -+ add $ACC1,$ACC1,$T0.2d // h0 -> h1
5220 -+ add $ACC4,$ACC4,$T1.2d // h3 -> h4
5221 -+
5222 -+ ////////////////////////////////////////////////////////////////
5223 -+ // write the result, can be partially reduced
5224 -+
5225 -+ st4 {$ACC0,$ACC1,$ACC2,$ACC3}[0],[$ctx],#16
5226 -+ mov x4,#1
5227 -+ st1 {$ACC4}[0],[$ctx]
5228 -+ str x4,[$ctx,#8] // set is_base2_26
5229 -+
5230 -+ ldr x29,[sp],#80
5231 -+ ret
5232 -+.size poly1305_blocks_neon,.-poly1305_blocks_neon
5233 -+
5234 -+.align 5
5235 -+.Lzeros:
5236 -+.long 0,0,0,0,0,0,0,0
5237 -+.asciz "Poly1305 for ARMv8, CRYPTOGAMS by \@dot-asm"
5238 -+.align 2
5239 -+#if !defined(__KERNEL__) && !defined(_WIN64)
5240 -+.comm OPENSSL_armcap_P,4,4
5241 -+.hidden OPENSSL_armcap_P
5242 -+#endif
5243 -+___
5244 -+
5245 -+foreach (split("\n",$code)) {
5246 -+ s/\b(shrn\s+v[0-9]+)\.[24]d/$1.2s/ or
5247 -+ s/\b(fmov\s+)v([0-9]+)[^,]*,\s*x([0-9]+)/$1d$2,x$3/ or
5248 -+ (m/\bdup\b/ and (s/\.[24]s/.2d/g or 1)) or
5249 -+ (m/\b(eor|and)/ and (s/\.[248][sdh]/.16b/g or 1)) or
5250 -+ (m/\bum(ul|la)l\b/ and (s/\.4s/.2s/g or 1)) or
5251 -+ (m/\bum(ul|la)l2\b/ and (s/\.2s/.4s/g or 1)) or
5252 -+ (m/\bst[1-4]\s+{[^}]+}\[/ and (s/\.[24]d/.s/g or 1));
5253 -+
5254 -+ s/\.[124]([sd])\[/.$1\[/;
5255 -+ s/w#x([0-9]+)/w$1/g;
5256 -+
5257 -+ print $_,"\n";
5258 -+}
5259 -+close STDOUT;
5260 ---- /dev/null
5261 -+++ b/arch/arm64/crypto/poly1305-core.S_shipped
5262 -@@ -0,0 +1,835 @@
5263 -+#ifndef __KERNEL__
5264 -+# include "arm_arch.h"
5265 -+.extern OPENSSL_armcap_P
5266 -+#endif
5267 -+
5268 -+.text
5269 -+
5270 -+// forward "declarations" are required for Apple
5271 -+.globl poly1305_blocks
5272 -+.globl poly1305_emit
5273 -+
5274 -+.globl poly1305_init
5275 -+.type poly1305_init,%function
5276 -+.align 5
5277 -+poly1305_init:
5278 -+ cmp x1,xzr
5279 -+ stp xzr,xzr,[x0] // zero hash value
5280 -+ stp xzr,xzr,[x0,#16] // [along with is_base2_26]
5281 -+
5282 -+ csel x0,xzr,x0,eq
5283 -+ b.eq .Lno_key
5284 -+
5285 -+#ifndef __KERNEL__
5286 -+ adrp x17,OPENSSL_armcap_P
5287 -+ ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
5288 -+#endif
5289 -+
5290 -+ ldp x7,x8,[x1] // load key
5291 -+ mov x9,#0xfffffffc0fffffff
5292 -+ movk x9,#0x0fff,lsl#48
5293 -+#ifdef __AARCH64EB__
5294 -+ rev x7,x7 // flip bytes
5295 -+ rev x8,x8
5296 -+#endif
5297 -+ and x7,x7,x9 // &=0ffffffc0fffffff
5298 -+ and x9,x9,#-4
5299 -+ and x8,x8,x9 // &=0ffffffc0ffffffc
5300 -+ mov w9,#-1
5301 -+ stp x7,x8,[x0,#32] // save key value
5302 -+ str w9,[x0,#48] // impossible key power value
5303 -+
5304 -+#ifndef __KERNEL__
5305 -+ tst w17,#ARMV7_NEON
5306 -+
5307 -+ adr x12,.Lpoly1305_blocks
5308 -+ adr x7,.Lpoly1305_blocks_neon
5309 -+ adr x13,.Lpoly1305_emit
5310 -+
5311 -+ csel x12,x12,x7,eq
5312 -+
5313 -+# ifdef __ILP32__
5314 -+ stp w12,w13,[x2]
5315 -+# else
5316 -+ stp x12,x13,[x2]
5317 -+# endif
5318 -+#endif
5319 -+ mov x0,#1
5320 -+.Lno_key:
5321 -+ ret
5322 -+.size poly1305_init,.-poly1305_init
5323 -+
5324 -+.type poly1305_blocks,%function
5325 -+.align 5
5326 -+poly1305_blocks:
5327 -+.Lpoly1305_blocks:
5328 -+ ands x2,x2,#-16
5329 -+ b.eq .Lno_data
5330 -+
5331 -+ ldp x4,x5,[x0] // load hash value
5332 -+ ldp x6,x17,[x0,#16] // [along with is_base2_26]
5333 -+ ldp x7,x8,[x0,#32] // load key value
5334 -+
5335 -+#ifdef __AARCH64EB__
5336 -+ lsr x12,x4,#32
5337 -+ mov w13,w4
5338 -+ lsr x14,x5,#32
5339 -+ mov w15,w5
5340 -+ lsr x16,x6,#32
5341 -+#else
5342 -+ mov w12,w4
5343 -+ lsr x13,x4,#32
5344 -+ mov w14,w5
5345 -+ lsr x15,x5,#32
5346 -+ mov w16,w6
5347 -+#endif
5348 -+
5349 -+ add x12,x12,x13,lsl#26 // base 2^26 -> base 2^64
5350 -+ lsr x13,x14,#12
5351 -+ adds x12,x12,x14,lsl#52
5352 -+ add x13,x13,x15,lsl#14
5353 -+ adc x13,x13,xzr
5354 -+ lsr x14,x16,#24
5355 -+ adds x13,x13,x16,lsl#40
5356 -+ adc x14,x14,xzr
5357 -+
5358 -+ cmp x17,#0 // is_base2_26?
5359 -+ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5360 -+ csel x4,x4,x12,eq // choose between radixes
5361 -+ csel x5,x5,x13,eq
5362 -+ csel x6,x6,x14,eq
5363 -+
5364 -+.Loop:
5365 -+ ldp x10,x11,[x1],#16 // load input
5366 -+ sub x2,x2,#16
5367 -+#ifdef __AARCH64EB__
5368 -+ rev x10,x10
5369 -+ rev x11,x11
5370 -+#endif
5371 -+ adds x4,x4,x10 // accumulate input
5372 -+ adcs x5,x5,x11
5373 -+
5374 -+ mul x12,x4,x7 // h0*r0
5375 -+ adc x6,x6,x3
5376 -+ umulh x13,x4,x7
5377 -+
5378 -+ mul x10,x5,x9 // h1*5*r1
5379 -+ umulh x11,x5,x9
5380 -+
5381 -+ adds x12,x12,x10
5382 -+ mul x10,x4,x8 // h0*r1
5383 -+ adc x13,x13,x11
5384 -+ umulh x14,x4,x8
5385 -+
5386 -+ adds x13,x13,x10
5387 -+ mul x10,x5,x7 // h1*r0
5388 -+ adc x14,x14,xzr
5389 -+ umulh x11,x5,x7
5390 -+
5391 -+ adds x13,x13,x10
5392 -+ mul x10,x6,x9 // h2*5*r1
5393 -+ adc x14,x14,x11
5394 -+ mul x11,x6,x7 // h2*r0
5395 -+
5396 -+ adds x13,x13,x10
5397 -+ adc x14,x14,x11
5398 -+
5399 -+ and x10,x14,#-4 // final reduction
5400 -+ and x6,x14,#3
5401 -+ add x10,x10,x14,lsr#2
5402 -+ adds x4,x12,x10
5403 -+ adcs x5,x13,xzr
5404 -+ adc x6,x6,xzr
5405 -+
5406 -+ cbnz x2,.Loop
5407 -+
5408 -+ stp x4,x5,[x0] // store hash value
5409 -+ stp x6,xzr,[x0,#16] // [and clear is_base2_26]
5410 -+
5411 -+.Lno_data:
5412 -+ ret
5413 -+.size poly1305_blocks,.-poly1305_blocks
5414 -+
5415 -+.type poly1305_emit,%function
5416 -+.align 5
5417 -+poly1305_emit:
5418 -+.Lpoly1305_emit:
5419 -+ ldp x4,x5,[x0] // load hash base 2^64
5420 -+ ldp x6,x7,[x0,#16] // [along with is_base2_26]
5421 -+ ldp x10,x11,[x2] // load nonce
5422 -+
5423 -+#ifdef __AARCH64EB__
5424 -+ lsr x12,x4,#32
5425 -+ mov w13,w4
5426 -+ lsr x14,x5,#32
5427 -+ mov w15,w5
5428 -+ lsr x16,x6,#32
5429 -+#else
5430 -+ mov w12,w4
5431 -+ lsr x13,x4,#32
5432 -+ mov w14,w5
5433 -+ lsr x15,x5,#32
5434 -+ mov w16,w6
5435 -+#endif
5436 -+
5437 -+ add x12,x12,x13,lsl#26 // base 2^26 -> base 2^64
5438 -+ lsr x13,x14,#12
5439 -+ adds x12,x12,x14,lsl#52
5440 -+ add x13,x13,x15,lsl#14
5441 -+ adc x13,x13,xzr
5442 -+ lsr x14,x16,#24
5443 -+ adds x13,x13,x16,lsl#40
5444 -+ adc x14,x14,xzr
5445 -+
5446 -+ cmp x7,#0 // is_base2_26?
5447 -+ csel x4,x4,x12,eq // choose between radixes
5448 -+ csel x5,x5,x13,eq
5449 -+ csel x6,x6,x14,eq
5450 -+
5451 -+ adds x12,x4,#5 // compare to modulus
5452 -+ adcs x13,x5,xzr
5453 -+ adc x14,x6,xzr
5454 -+
5455 -+ tst x14,#-4 // see if it's carried/borrowed
5456 -+
5457 -+ csel x4,x4,x12,eq
5458 -+ csel x5,x5,x13,eq
5459 -+
5460 -+#ifdef __AARCH64EB__
5461 -+ ror x10,x10,#32 // flip nonce words
5462 -+ ror x11,x11,#32
5463 -+#endif
5464 -+ adds x4,x4,x10 // accumulate nonce
5465 -+ adc x5,x5,x11
5466 -+#ifdef __AARCH64EB__
5467 -+ rev x4,x4 // flip output bytes
5468 -+ rev x5,x5
5469 -+#endif
5470 -+ stp x4,x5,[x1] // write result
5471 -+
5472 -+ ret
5473 -+.size poly1305_emit,.-poly1305_emit
5474 -+.type poly1305_mult,%function
5475 -+.align 5
5476 -+poly1305_mult:
5477 -+ mul x12,x4,x7 // h0*r0
5478 -+ umulh x13,x4,x7
5479 -+
5480 -+ mul x10,x5,x9 // h1*5*r1
5481 -+ umulh x11,x5,x9
5482 -+
5483 -+ adds x12,x12,x10
5484 -+ mul x10,x4,x8 // h0*r1
5485 -+ adc x13,x13,x11
5486 -+ umulh x14,x4,x8
5487 -+
5488 -+ adds x13,x13,x10
5489 -+ mul x10,x5,x7 // h1*r0
5490 -+ adc x14,x14,xzr
5491 -+ umulh x11,x5,x7
5492 -+
5493 -+ adds x13,x13,x10
5494 -+ mul x10,x6,x9 // h2*5*r1
5495 -+ adc x14,x14,x11
5496 -+ mul x11,x6,x7 // h2*r0
5497 -+
5498 -+ adds x13,x13,x10
5499 -+ adc x14,x14,x11
5500 -+
5501 -+ and x10,x14,#-4 // final reduction
5502 -+ and x6,x14,#3
5503 -+ add x10,x10,x14,lsr#2
5504 -+ adds x4,x12,x10
5505 -+ adcs x5,x13,xzr
5506 -+ adc x6,x6,xzr
5507 -+
5508 -+ ret
5509 -+.size poly1305_mult,.-poly1305_mult
5510 -+
5511 -+.type poly1305_splat,%function
5512 -+.align 4
5513 -+poly1305_splat:
5514 -+ and x12,x4,#0x03ffffff // base 2^64 -> base 2^26
5515 -+ ubfx x13,x4,#26,#26
5516 -+ extr x14,x5,x4,#52
5517 -+ and x14,x14,#0x03ffffff
5518 -+ ubfx x15,x5,#14,#26
5519 -+ extr x16,x6,x5,#40
5520 -+
5521 -+ str w12,[x0,#16*0] // r0
5522 -+ add w12,w13,w13,lsl#2 // r1*5
5523 -+ str w13,[x0,#16*1] // r1
5524 -+ add w13,w14,w14,lsl#2 // r2*5
5525 -+ str w12,[x0,#16*2] // s1
5526 -+ str w14,[x0,#16*3] // r2
5527 -+ add w14,w15,w15,lsl#2 // r3*5
5528 -+ str w13,[x0,#16*4] // s2
5529 -+ str w15,[x0,#16*5] // r3
5530 -+ add w15,w16,w16,lsl#2 // r4*5
5531 -+ str w14,[x0,#16*6] // s3
5532 -+ str w16,[x0,#16*7] // r4
5533 -+ str w15,[x0,#16*8] // s4
5534 -+
5535 -+ ret
5536 -+.size poly1305_splat,.-poly1305_splat
5537 -+
5538 -+#ifdef __KERNEL__
5539 -+.globl poly1305_blocks_neon
5540 -+#endif
5541 -+.type poly1305_blocks_neon,%function
5542 -+.align 5
5543 -+poly1305_blocks_neon:
5544 -+.Lpoly1305_blocks_neon:
5545 -+ ldr x17,[x0,#24]
5546 -+ cmp x2,#128
5547 -+ b.lo .Lpoly1305_blocks
5548 -+
5549 -+ .inst 0xd503233f // paciasp
5550 -+ stp x29,x30,[sp,#-80]!
5551 -+ add x29,sp,#0
5552 -+
5553 -+ stp d8,d9,[sp,#16] // meet ABI requirements
5554 -+ stp d10,d11,[sp,#32]
5555 -+ stp d12,d13,[sp,#48]
5556 -+ stp d14,d15,[sp,#64]
5557 -+
5558 -+ cbz x17,.Lbase2_64_neon
5559 -+
5560 -+ ldp w10,w11,[x0] // load hash value base 2^26
5561 -+ ldp w12,w13,[x0,#8]
5562 -+ ldr w14,[x0,#16]
5563 -+
5564 -+ tst x2,#31
5565 -+ b.eq .Leven_neon
5566 -+
5567 -+ ldp x7,x8,[x0,#32] // load key value
5568 -+
5569 -+ add x4,x10,x11,lsl#26 // base 2^26 -> base 2^64
5570 -+ lsr x5,x12,#12
5571 -+ adds x4,x4,x12,lsl#52
5572 -+ add x5,x5,x13,lsl#14
5573 -+ adc x5,x5,xzr
5574 -+ lsr x6,x14,#24
5575 -+ adds x5,x5,x14,lsl#40
5576 -+ adc x14,x6,xzr // can be partially reduced...
5577 -+
5578 -+ ldp x12,x13,[x1],#16 // load input
5579 -+ sub x2,x2,#16
5580 -+ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5581 -+
5582 -+#ifdef __AARCH64EB__
5583 -+ rev x12,x12
5584 -+ rev x13,x13
5585 -+#endif
5586 -+ adds x4,x4,x12 // accumulate input
5587 -+ adcs x5,x5,x13
5588 -+ adc x6,x6,x3
5589 -+
5590 -+ bl poly1305_mult
5591 -+
5592 -+ and x10,x4,#0x03ffffff // base 2^64 -> base 2^26
5593 -+ ubfx x11,x4,#26,#26
5594 -+ extr x12,x5,x4,#52
5595 -+ and x12,x12,#0x03ffffff
5596 -+ ubfx x13,x5,#14,#26
5597 -+ extr x14,x6,x5,#40
5598 -+
5599 -+ b .Leven_neon
5600 -+
5601 -+.align 4
5602 -+.Lbase2_64_neon:
5603 -+ ldp x7,x8,[x0,#32] // load key value
5604 -+
5605 -+ ldp x4,x5,[x0] // load hash value base 2^64
5606 -+ ldr x6,[x0,#16]
5607 -+
5608 -+ tst x2,#31
5609 -+ b.eq .Linit_neon
5610 -+
5611 -+ ldp x12,x13,[x1],#16 // load input
5612 -+ sub x2,x2,#16
5613 -+ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5614 -+#ifdef __AARCH64EB__
5615 -+ rev x12,x12
5616 -+ rev x13,x13
5617 -+#endif
5618 -+ adds x4,x4,x12 // accumulate input
5619 -+ adcs x5,x5,x13
5620 -+ adc x6,x6,x3
5621 -+
5622 -+ bl poly1305_mult
5623 -+
5624 -+.Linit_neon:
5625 -+ ldr w17,[x0,#48] // first table element
5626 -+ and x10,x4,#0x03ffffff // base 2^64 -> base 2^26
5627 -+ ubfx x11,x4,#26,#26
5628 -+ extr x12,x5,x4,#52
5629 -+ and x12,x12,#0x03ffffff
5630 -+ ubfx x13,x5,#14,#26
5631 -+ extr x14,x6,x5,#40
5632 -+
5633 -+ cmp w17,#-1 // is value impossible?
5634 -+ b.ne .Leven_neon
5635 -+
5636 -+ fmov d24,x10
5637 -+ fmov d25,x11
5638 -+ fmov d26,x12
5639 -+ fmov d27,x13
5640 -+ fmov d28,x14
5641 -+
5642 -+ ////////////////////////////////// initialize r^n table
5643 -+ mov x4,x7 // r^1
5644 -+ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5645 -+ mov x5,x8
5646 -+ mov x6,xzr
5647 -+ add x0,x0,#48+12
5648 -+ bl poly1305_splat
5649 -+
5650 -+ bl poly1305_mult // r^2
5651 -+ sub x0,x0,#4
5652 -+ bl poly1305_splat
5653 -+
5654 -+ bl poly1305_mult // r^3
5655 -+ sub x0,x0,#4
5656 -+ bl poly1305_splat
5657 -+
5658 -+ bl poly1305_mult // r^4
5659 -+ sub x0,x0,#4
5660 -+ bl poly1305_splat
5661 -+ sub x0,x0,#48 // restore original x0
5662 -+ b .Ldo_neon
5663 -+
5664 -+.align 4
5665 -+.Leven_neon:
5666 -+ fmov d24,x10
5667 -+ fmov d25,x11
5668 -+ fmov d26,x12
5669 -+ fmov d27,x13
5670 -+ fmov d28,x14
5671 -+
5672 -+.Ldo_neon:
5673 -+ ldp x8,x12,[x1,#32] // inp[2:3]
5674 -+ subs x2,x2,#64
5675 -+ ldp x9,x13,[x1,#48]
5676 -+ add x16,x1,#96
5677 -+ adr x17,.Lzeros
5678 -+
5679 -+ lsl x3,x3,#24
5680 -+ add x15,x0,#48
5681 -+
5682 -+#ifdef __AARCH64EB__
5683 -+ rev x8,x8
5684 -+ rev x12,x12
5685 -+ rev x9,x9
5686 -+ rev x13,x13
5687 -+#endif
5688 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5689 -+ and x5,x9,#0x03ffffff
5690 -+ ubfx x6,x8,#26,#26
5691 -+ ubfx x7,x9,#26,#26
5692 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5693 -+ extr x8,x12,x8,#52
5694 -+ extr x9,x13,x9,#52
5695 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5696 -+ fmov d14,x4
5697 -+ and x8,x8,#0x03ffffff
5698 -+ and x9,x9,#0x03ffffff
5699 -+ ubfx x10,x12,#14,#26
5700 -+ ubfx x11,x13,#14,#26
5701 -+ add x12,x3,x12,lsr#40
5702 -+ add x13,x3,x13,lsr#40
5703 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5704 -+ fmov d15,x6
5705 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5706 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5707 -+ fmov d16,x8
5708 -+ fmov d17,x10
5709 -+ fmov d18,x12
5710 -+
5711 -+ ldp x8,x12,[x1],#16 // inp[0:1]
5712 -+ ldp x9,x13,[x1],#48
5713 -+
5714 -+ ld1 {v0.4s,v1.4s,v2.4s,v3.4s},[x15],#64
5715 -+ ld1 {v4.4s,v5.4s,v6.4s,v7.4s},[x15],#64
5716 -+ ld1 {v8.4s},[x15]
5717 -+
5718 -+#ifdef __AARCH64EB__
5719 -+ rev x8,x8
5720 -+ rev x12,x12
5721 -+ rev x9,x9
5722 -+ rev x13,x13
5723 -+#endif
5724 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5725 -+ and x5,x9,#0x03ffffff
5726 -+ ubfx x6,x8,#26,#26
5727 -+ ubfx x7,x9,#26,#26
5728 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5729 -+ extr x8,x12,x8,#52
5730 -+ extr x9,x13,x9,#52
5731 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5732 -+ fmov d9,x4
5733 -+ and x8,x8,#0x03ffffff
5734 -+ and x9,x9,#0x03ffffff
5735 -+ ubfx x10,x12,#14,#26
5736 -+ ubfx x11,x13,#14,#26
5737 -+ add x12,x3,x12,lsr#40
5738 -+ add x13,x3,x13,lsr#40
5739 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5740 -+ fmov d10,x6
5741 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5742 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5743 -+ movi v31.2d,#-1
5744 -+ fmov d11,x8
5745 -+ fmov d12,x10
5746 -+ fmov d13,x12
5747 -+ ushr v31.2d,v31.2d,#38
5748 -+
5749 -+ b.ls .Lskip_loop
5750 -+
5751 -+.align 4
5752 -+.Loop_neon:
5753 -+ ////////////////////////////////////////////////////////////////
5754 -+ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
5755 -+ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
5756 -+ // ___________________/
5757 -+ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
5758 -+ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
5759 -+ // ___________________/ ____________________/
5760 -+ //
5761 -+ // Note that we start with inp[2:3]*r^2. This is because it
5762 -+ // doesn't depend on reduction in previous iteration.
5763 -+ ////////////////////////////////////////////////////////////////
5764 -+ // d4 = h0*r4 + h1*r3 + h2*r2 + h3*r1 + h4*r0
5765 -+ // d3 = h0*r3 + h1*r2 + h2*r1 + h3*r0 + h4*5*r4
5766 -+ // d2 = h0*r2 + h1*r1 + h2*r0 + h3*5*r4 + h4*5*r3
5767 -+ // d1 = h0*r1 + h1*r0 + h2*5*r4 + h3*5*r3 + h4*5*r2
5768 -+ // d0 = h0*r0 + h1*5*r4 + h2*5*r3 + h3*5*r2 + h4*5*r1
5769 -+
5770 -+ subs x2,x2,#64
5771 -+ umull v23.2d,v14.2s,v7.s[2]
5772 -+ csel x16,x17,x16,lo
5773 -+ umull v22.2d,v14.2s,v5.s[2]
5774 -+ umull v21.2d,v14.2s,v3.s[2]
5775 -+ ldp x8,x12,[x16],#16 // inp[2:3] (or zero)
5776 -+ umull v20.2d,v14.2s,v1.s[2]
5777 -+ ldp x9,x13,[x16],#48
5778 -+ umull v19.2d,v14.2s,v0.s[2]
5779 -+#ifdef __AARCH64EB__
5780 -+ rev x8,x8
5781 -+ rev x12,x12
5782 -+ rev x9,x9
5783 -+ rev x13,x13
5784 -+#endif
5785 -+
5786 -+ umlal v23.2d,v15.2s,v5.s[2]
5787 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5788 -+ umlal v22.2d,v15.2s,v3.s[2]
5789 -+ and x5,x9,#0x03ffffff
5790 -+ umlal v21.2d,v15.2s,v1.s[2]
5791 -+ ubfx x6,x8,#26,#26
5792 -+ umlal v20.2d,v15.2s,v0.s[2]
5793 -+ ubfx x7,x9,#26,#26
5794 -+ umlal v19.2d,v15.2s,v8.s[2]
5795 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5796 -+
5797 -+ umlal v23.2d,v16.2s,v3.s[2]
5798 -+ extr x8,x12,x8,#52
5799 -+ umlal v22.2d,v16.2s,v1.s[2]
5800 -+ extr x9,x13,x9,#52
5801 -+ umlal v21.2d,v16.2s,v0.s[2]
5802 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5803 -+ umlal v20.2d,v16.2s,v8.s[2]
5804 -+ fmov d14,x4
5805 -+ umlal v19.2d,v16.2s,v6.s[2]
5806 -+ and x8,x8,#0x03ffffff
5807 -+
5808 -+ umlal v23.2d,v17.2s,v1.s[2]
5809 -+ and x9,x9,#0x03ffffff
5810 -+ umlal v22.2d,v17.2s,v0.s[2]
5811 -+ ubfx x10,x12,#14,#26
5812 -+ umlal v21.2d,v17.2s,v8.s[2]
5813 -+ ubfx x11,x13,#14,#26
5814 -+ umlal v20.2d,v17.2s,v6.s[2]
5815 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5816 -+ umlal v19.2d,v17.2s,v4.s[2]
5817 -+ fmov d15,x6
5818 -+
5819 -+ add v11.2s,v11.2s,v26.2s
5820 -+ add x12,x3,x12,lsr#40
5821 -+ umlal v23.2d,v18.2s,v0.s[2]
5822 -+ add x13,x3,x13,lsr#40
5823 -+ umlal v22.2d,v18.2s,v8.s[2]
5824 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5825 -+ umlal v21.2d,v18.2s,v6.s[2]
5826 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5827 -+ umlal v20.2d,v18.2s,v4.s[2]
5828 -+ fmov d16,x8
5829 -+ umlal v19.2d,v18.2s,v2.s[2]
5830 -+ fmov d17,x10
5831 -+
5832 -+ ////////////////////////////////////////////////////////////////
5833 -+ // (hash+inp[0:1])*r^4 and accumulate
5834 -+
5835 -+ add v9.2s,v9.2s,v24.2s
5836 -+ fmov d18,x12
5837 -+ umlal v22.2d,v11.2s,v1.s[0]
5838 -+ ldp x8,x12,[x1],#16 // inp[0:1]
5839 -+ umlal v19.2d,v11.2s,v6.s[0]
5840 -+ ldp x9,x13,[x1],#48
5841 -+ umlal v23.2d,v11.2s,v3.s[0]
5842 -+ umlal v20.2d,v11.2s,v8.s[0]
5843 -+ umlal v21.2d,v11.2s,v0.s[0]
5844 -+#ifdef __AARCH64EB__
5845 -+ rev x8,x8
5846 -+ rev x12,x12
5847 -+ rev x9,x9
5848 -+ rev x13,x13
5849 -+#endif
5850 -+
5851 -+ add v10.2s,v10.2s,v25.2s
5852 -+ umlal v22.2d,v9.2s,v5.s[0]
5853 -+ umlal v23.2d,v9.2s,v7.s[0]
5854 -+ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5855 -+ umlal v21.2d,v9.2s,v3.s[0]
5856 -+ and x5,x9,#0x03ffffff
5857 -+ umlal v19.2d,v9.2s,v0.s[0]
5858 -+ ubfx x6,x8,#26,#26
5859 -+ umlal v20.2d,v9.2s,v1.s[0]
5860 -+ ubfx x7,x9,#26,#26
5861 -+
5862 -+ add v12.2s,v12.2s,v27.2s
5863 -+ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5864 -+ umlal v22.2d,v10.2s,v3.s[0]
5865 -+ extr x8,x12,x8,#52
5866 -+ umlal v23.2d,v10.2s,v5.s[0]
5867 -+ extr x9,x13,x9,#52
5868 -+ umlal v19.2d,v10.2s,v8.s[0]
5869 -+ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5870 -+ umlal v21.2d,v10.2s,v1.s[0]
5871 -+ fmov d9,x4
5872 -+ umlal v20.2d,v10.2s,v0.s[0]
5873 -+ and x8,x8,#0x03ffffff
5874 -+
5875 -+ add v13.2s,v13.2s,v28.2s
5876 -+ and x9,x9,#0x03ffffff
5877 -+ umlal v22.2d,v12.2s,v0.s[0]
5878 -+ ubfx x10,x12,#14,#26
5879 -+ umlal v19.2d,v12.2s,v4.s[0]
5880 -+ ubfx x11,x13,#14,#26
5881 -+ umlal v23.2d,v12.2s,v1.s[0]
5882 -+ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5883 -+ umlal v20.2d,v12.2s,v6.s[0]
5884 -+ fmov d10,x6
5885 -+ umlal v21.2d,v12.2s,v8.s[0]
5886 -+ add x12,x3,x12,lsr#40
5887 -+
5888 -+ umlal v22.2d,v13.2s,v8.s[0]
5889 -+ add x13,x3,x13,lsr#40
5890 -+ umlal v19.2d,v13.2s,v2.s[0]
5891 -+ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5892 -+ umlal v23.2d,v13.2s,v0.s[0]
5893 -+ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5894 -+ umlal v20.2d,v13.2s,v4.s[0]
5895 -+ fmov d11,x8
5896 -+ umlal v21.2d,v13.2s,v6.s[0]
5897 -+ fmov d12,x10
5898 -+ fmov d13,x12
5899 -+
5900 -+ /////////////////////////////////////////////////////////////////
5901 -+ // lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
5902 -+ // and P. Schwabe
5903 -+ //
5904 -+ // [see discussion in poly1305-armv4 module]
5905 -+
5906 -+ ushr v29.2d,v22.2d,#26
5907 -+ xtn v27.2s,v22.2d
5908 -+ ushr v30.2d,v19.2d,#26
5909 -+ and v19.16b,v19.16b,v31.16b
5910 -+ add v23.2d,v23.2d,v29.2d // h3 -> h4
5911 -+ bic v27.2s,#0xfc,lsl#24 // &=0x03ffffff
5912 -+ add v20.2d,v20.2d,v30.2d // h0 -> h1
5913 -+
5914 -+ ushr v29.2d,v23.2d,#26
5915 -+ xtn v28.2s,v23.2d
5916 -+ ushr v30.2d,v20.2d,#26
5917 -+ xtn v25.2s,v20.2d
5918 -+ bic v28.2s,#0xfc,lsl#24
5919 -+ add v21.2d,v21.2d,v30.2d // h1 -> h2
5920 -+
5921 -+ add v19.2d,v19.2d,v29.2d
5922 -+ shl v29.2d,v29.2d,#2
5923 -+ shrn v30.2s,v21.2d,#26
5924 -+ xtn v26.2s,v21.2d
5925 -+ add v19.2d,v19.2d,v29.2d // h4 -> h0
5926 -+ bic v25.2s,#0xfc,lsl#24
5927 -+ add v27.2s,v27.2s,v30.2s // h2 -> h3
5928 -+ bic v26.2s,#0xfc,lsl#24
5929 -+
5930 -+ shrn v29.2s,v19.2d,#26
5931 -+ xtn v24.2s,v19.2d
5932 -+ ushr v30.2s,v27.2s,#26
5933 -+ bic v27.2s,#0xfc,lsl#24
5934 -+ bic v24.2s,#0xfc,lsl#24
5935 -+ add v25.2s,v25.2s,v29.2s // h0 -> h1
5936 -+ add v28.2s,v28.2s,v30.2s // h3 -> h4
5937 -+
5938 -+ b.hi .Loop_neon
5939 -+
5940 -+.Lskip_loop:
5941 -+ dup v16.2d,v16.d[0]
5942 -+ add v11.2s,v11.2s,v26.2s
5943 -+
5944 -+ ////////////////////////////////////////////////////////////////
5945 -+ // multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
5946 -+
5947 -+ adds x2,x2,#32
5948 -+ b.ne .Long_tail
5949 -+
5950 -+ dup v16.2d,v11.d[0]
5951 -+ add v14.2s,v9.2s,v24.2s
5952 -+ add v17.2s,v12.2s,v27.2s
5953 -+ add v15.2s,v10.2s,v25.2s
5954 -+ add v18.2s,v13.2s,v28.2s
5955 -+
5956 -+.Long_tail:
5957 -+ dup v14.2d,v14.d[0]
5958 -+ umull2 v19.2d,v16.4s,v6.4s
5959 -+ umull2 v22.2d,v16.4s,v1.4s
5960 -+ umull2 v23.2d,v16.4s,v3.4s
5961 -+ umull2 v21.2d,v16.4s,v0.4s
5962 -+ umull2 v20.2d,v16.4s,v8.4s
5963 -+
5964 -+ dup v15.2d,v15.d[0]
5965 -+ umlal2 v19.2d,v14.4s,v0.4s
5966 -+ umlal2 v21.2d,v14.4s,v3.4s
5967 -+ umlal2 v22.2d,v14.4s,v5.4s
5968 -+ umlal2 v23.2d,v14.4s,v7.4s
5969 -+ umlal2 v20.2d,v14.4s,v1.4s
5970 -+
5971 -+ dup v17.2d,v17.d[0]
5972 -+ umlal2 v19.2d,v15.4s,v8.4s
5973 -+ umlal2 v22.2d,v15.4s,v3.4s
5974 -+ umlal2 v21.2d,v15.4s,v1.4s
5975 -+ umlal2 v23.2d,v15.4s,v5.4s
5976 -+ umlal2 v20.2d,v15.4s,v0.4s
5977 -+
5978 -+ dup v18.2d,v18.d[0]
5979 -+ umlal2 v22.2d,v17.4s,v0.4s
5980 -+ umlal2 v23.2d,v17.4s,v1.4s
5981 -+ umlal2 v19.2d,v17.4s,v4.4s
5982 -+ umlal2 v20.2d,v17.4s,v6.4s
5983 -+ umlal2 v21.2d,v17.4s,v8.4s
5984 -+
5985 -+ umlal2 v22.2d,v18.4s,v8.4s
5986 -+ umlal2 v19.2d,v18.4s,v2.4s
5987 -+ umlal2 v23.2d,v18.4s,v0.4s
5988 -+ umlal2 v20.2d,v18.4s,v4.4s
5989 -+ umlal2 v21.2d,v18.4s,v6.4s
5990 -+
5991 -+ b.eq .Lshort_tail
5992 -+
5993 -+ ////////////////////////////////////////////////////////////////
5994 -+ // (hash+inp[0:1])*r^4:r^3 and accumulate
5995 -+
5996 -+ add v9.2s,v9.2s,v24.2s
5997 -+ umlal v22.2d,v11.2s,v1.2s
5998 -+ umlal v19.2d,v11.2s,v6.2s
5999 -+ umlal v23.2d,v11.2s,v3.2s
6000 -+ umlal v20.2d,v11.2s,v8.2s
6001 -+ umlal v21.2d,v11.2s,v0.2s
6002 -+
6003 -+ add v10.2s,v10.2s,v25.2s
6004 -+ umlal v22.2d,v9.2s,v5.2s
6005 -+ umlal v19.2d,v9.2s,v0.2s
6006 -+ umlal v23.2d,v9.2s,v7.2s
6007 -+ umlal v20.2d,v9.2s,v1.2s
6008 -+ umlal v21.2d,v9.2s,v3.2s
6009 -+
6010 -+ add v12.2s,v12.2s,v27.2s
6011 -+ umlal v22.2d,v10.2s,v3.2s
6012 -+ umlal v19.2d,v10.2s,v8.2s
6013 -+ umlal v23.2d,v10.2s,v5.2s
6014 -+ umlal v20.2d,v10.2s,v0.2s
6015 -+ umlal v21.2d,v10.2s,v1.2s
6016 -+
6017 -+ add v13.2s,v13.2s,v28.2s
6018 -+ umlal v22.2d,v12.2s,v0.2s
6019 -+ umlal v19.2d,v12.2s,v4.2s
6020 -+ umlal v23.2d,v12.2s,v1.2s
6021 -+ umlal v20.2d,v12.2s,v6.2s
6022 -+ umlal v21.2d,v12.2s,v8.2s
6023 -+
6024 -+ umlal v22.2d,v13.2s,v8.2s
6025 -+ umlal v19.2d,v13.2s,v2.2s
6026 -+ umlal v23.2d,v13.2s,v0.2s
6027 -+ umlal v20.2d,v13.2s,v4.2s
6028 -+ umlal v21.2d,v13.2s,v6.2s
6029 -+
6030 -+.Lshort_tail:
6031 -+ ////////////////////////////////////////////////////////////////
6032 -+ // horizontal add
6033 -+
6034 -+ addp v22.2d,v22.2d,v22.2d
6035 -+ ldp d8,d9,[sp,#16] // meet ABI requirements
6036 -+ addp v19.2d,v19.2d,v19.2d
6037 -+ ldp d10,d11,[sp,#32]
6038 -+ addp v23.2d,v23.2d,v23.2d
6039 -+ ldp d12,d13,[sp,#48]
6040 -+ addp v20.2d,v20.2d,v20.2d
6041 -+ ldp d14,d15,[sp,#64]
6042 -+ addp v21.2d,v21.2d,v21.2d
6043 -+ ldr x30,[sp,#8]
6044 -+ .inst 0xd50323bf // autiasp
6045 -+
6046 -+ ////////////////////////////////////////////////////////////////
6047 -+ // lazy reduction, but without narrowing
6048 -+
6049 -+ ushr v29.2d,v22.2d,#26
6050 -+ and v22.16b,v22.16b,v31.16b
6051 -+ ushr v30.2d,v19.2d,#26
6052 -+ and v19.16b,v19.16b,v31.16b
6053 -+
6054 -+ add v23.2d,v23.2d,v29.2d // h3 -> h4
6055 -+ add v20.2d,v20.2d,v30.2d // h0 -> h1
6056 -+
6057 -+ ushr v29.2d,v23.2d,#26
6058 -+ and v23.16b,v23.16b,v31.16b
6059 -+ ushr v30.2d,v20.2d,#26
6060 -+ and v20.16b,v20.16b,v31.16b
6061 -+ add v21.2d,v21.2d,v30.2d // h1 -> h2
6062 -+
6063 -+ add v19.2d,v19.2d,v29.2d
6064 -+ shl v29.2d,v29.2d,#2
6065 -+ ushr v30.2d,v21.2d,#26
6066 -+ and v21.16b,v21.16b,v31.16b
6067 -+ add v19.2d,v19.2d,v29.2d // h4 -> h0
6068 -+ add v22.2d,v22.2d,v30.2d // h2 -> h3
6069 -+
6070 -+ ushr v29.2d,v19.2d,#26
6071 -+ and v19.16b,v19.16b,v31.16b
6072 -+ ushr v30.2d,v22.2d,#26
6073 -+ and v22.16b,v22.16b,v31.16b
6074 -+ add v20.2d,v20.2d,v29.2d // h0 -> h1
6075 -+ add v23.2d,v23.2d,v30.2d // h3 -> h4
6076 -+
6077 -+ ////////////////////////////////////////////////////////////////
6078 -+ // write the result, can be partially reduced
6079 -+
6080 -+ st4 {v19.s,v20.s,v21.s,v22.s}[0],[x0],#16
6081 -+ mov x4,#1
6082 -+ st1 {v23.s}[0],[x0]
6083 -+ str x4,[x0,#8] // set is_base2_26
6084 -+
6085 -+ ldr x29,[sp],#80
6086 -+ ret
6087 -+.size poly1305_blocks_neon,.-poly1305_blocks_neon
6088 -+
6089 -+.align 5
6090 -+.Lzeros:
6091 -+.long 0,0,0,0,0,0,0,0
6092 -+.asciz "Poly1305 for ARMv8, CRYPTOGAMS by @dot-asm"
6093 -+.align 2
6094 -+#if !defined(__KERNEL__) && !defined(_WIN64)
6095 -+.comm OPENSSL_armcap_P,4,4
6096 -+.hidden OPENSSL_armcap_P
6097 -+#endif
6098 ---- b/arch/arm64/crypto/poly1305-glue.c
6099 -+++ b/arch/arm64/crypto/poly1305-glue.c
6100 -@@ -0,0 +1,231 @@
6101 -+// SPDX-License-Identifier: GPL-2.0
6102 -+/*
6103 -+ * OpenSSL/Cryptogams accelerated Poly1305 transform for arm64
6104 -+ *
6105 -+ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@××××××.org>
6106 -+ */
6107 -+
6108 -+#include <asm/hwcap.h>
6109 -+#include <asm/neon.h>
6110 -+#include <asm/simd.h>
6111 -+#include <asm/unaligned.h>
6112 -+#include <crypto/algapi.h>
6113 -+#include <crypto/internal/hash.h>
6114 -+#include <crypto/internal/poly1305.h>
6115 -+#include <crypto/internal/simd.h>
6116 -+#include <linux/cpufeature.h>
6117 -+#include <linux/crypto.h>
6118 -+#include <linux/jump_label.h>
6119 -+#include <linux/module.h>
6120 -+
6121 -+asmlinkage void poly1305_init_arm64(void *state, const u8 *key);
6122 -+asmlinkage void poly1305_blocks(void *state, const u8 *src, u32 len, u32 hibit);
6123 -+asmlinkage void poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit);
6124 -+asmlinkage void poly1305_emit(void *state, u8 *digest, const u32 *nonce);
6125 -+
6126 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
6127 -+
6128 -+void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
6129 -+{
6130 -+ poly1305_init_arm64(&dctx->h, key);
6131 -+ dctx->s[0] = get_unaligned_le32(key + 16);
6132 -+ dctx->s[1] = get_unaligned_le32(key + 20);
6133 -+ dctx->s[2] = get_unaligned_le32(key + 24);
6134 -+ dctx->s[3] = get_unaligned_le32(key + 28);
6135 -+ dctx->buflen = 0;
6136 -+}
6137 -+EXPORT_SYMBOL(poly1305_init_arch);
6138 -+
6139 -+static int neon_poly1305_init(struct shash_desc *desc)
6140 -+{
6141 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
6142 -+
6143 -+ dctx->buflen = 0;
6144 -+ dctx->rset = 0;
6145 -+ dctx->sset = false;
6146 -+
6147 -+ return 0;
6148 -+}
6149 -+
6150 -+static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
6151 -+ u32 len, u32 hibit, bool do_neon)
6152 -+{
6153 -+ if (unlikely(!dctx->sset)) {
6154 -+ if (!dctx->rset) {
6155 -+ poly1305_init_arch(dctx, src);
6156 -+ src += POLY1305_BLOCK_SIZE;
6157 -+ len -= POLY1305_BLOCK_SIZE;
6158 -+ dctx->rset = 1;
6159 -+ }
6160 -+ if (len >= POLY1305_BLOCK_SIZE) {
6161 -+ dctx->s[0] = get_unaligned_le32(src + 0);
6162 -+ dctx->s[1] = get_unaligned_le32(src + 4);
6163 -+ dctx->s[2] = get_unaligned_le32(src + 8);
6164 -+ dctx->s[3] = get_unaligned_le32(src + 12);
6165 -+ src += POLY1305_BLOCK_SIZE;
6166 -+ len -= POLY1305_BLOCK_SIZE;
6167 -+ dctx->sset = true;
6168 -+ }
6169 -+ if (len < POLY1305_BLOCK_SIZE)
6170 -+ return;
6171 -+ }
6172 -+
6173 -+ len &= ~(POLY1305_BLOCK_SIZE - 1);
6174 -+
6175 -+ if (static_branch_likely(&have_neon) && likely(do_neon))
6176 -+ poly1305_blocks_neon(&dctx->h, src, len, hibit);
6177 -+ else
6178 -+ poly1305_blocks(&dctx->h, src, len, hibit);
6179 -+}
6180 -+
6181 -+static void neon_poly1305_do_update(struct poly1305_desc_ctx *dctx,
6182 -+ const u8 *src, u32 len, bool do_neon)
6183 -+{
6184 -+ if (unlikely(dctx->buflen)) {
6185 -+ u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
6186 -+
6187 -+ memcpy(dctx->buf + dctx->buflen, src, bytes);
6188 -+ src += bytes;
6189 -+ len -= bytes;
6190 -+ dctx->buflen += bytes;
6191 -+
6192 -+ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
6193 -+ neon_poly1305_blocks(dctx, dctx->buf,
6194 -+ POLY1305_BLOCK_SIZE, 1, false);
6195 -+ dctx->buflen = 0;
6196 -+ }
6197 -+ }
6198 -+
6199 -+ if (likely(len >= POLY1305_BLOCK_SIZE)) {
6200 -+ neon_poly1305_blocks(dctx, src, len, 1, do_neon);
6201 -+ src += round_down(len, POLY1305_BLOCK_SIZE);
6202 -+ len %= POLY1305_BLOCK_SIZE;
6203 -+ }
6204 -+
6205 -+ if (unlikely(len)) {
6206 -+ dctx->buflen = len;
6207 -+ memcpy(dctx->buf, src, len);
6208 -+ }
6209 -+}
6210 -+
6211 -+static int neon_poly1305_update(struct shash_desc *desc,
6212 -+ const u8 *src, unsigned int srclen)
6213 -+{
6214 -+ bool do_neon = crypto_simd_usable() && srclen > 128;
6215 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
6216 -+
6217 -+ if (static_branch_likely(&have_neon) && do_neon)
6218 -+ kernel_neon_begin();
6219 -+ neon_poly1305_do_update(dctx, src, srclen, do_neon);
6220 -+ if (static_branch_likely(&have_neon) && do_neon)
6221 -+ kernel_neon_end();
6222 -+ return 0;
6223 -+}
6224 -+
6225 -+void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
6226 -+ unsigned int nbytes)
6227 -+{
6228 -+ if (unlikely(dctx->buflen)) {
6229 -+ u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
6230 -+
6231 -+ memcpy(dctx->buf + dctx->buflen, src, bytes);
6232 -+ src += bytes;
6233 -+ nbytes -= bytes;
6234 -+ dctx->buflen += bytes;
6235 -+
6236 -+ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
6237 -+ poly1305_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
6238 -+ dctx->buflen = 0;
6239 -+ }
6240 -+ }
6241 -+
6242 -+ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
6243 -+ unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
6244 -+
6245 -+ if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
6246 -+ do {
6247 -+ unsigned int todo = min_t(unsigned int, len, SZ_4K);
6248 -+
6249 -+ kernel_neon_begin();
6250 -+ poly1305_blocks_neon(&dctx->h, src, todo, 1);
6251 -+ kernel_neon_end();
6252 -+
6253 -+ len -= todo;
6254 -+ src += todo;
6255 -+ } while (len);
6256 -+ } else {
6257 -+ poly1305_blocks(&dctx->h, src, len, 1);
6258 -+ src += len;
6259 -+ }
6260 -+ nbytes %= POLY1305_BLOCK_SIZE;
6261 -+ }
6262 -+
6263 -+ if (unlikely(nbytes)) {
6264 -+ dctx->buflen = nbytes;
6265 -+ memcpy(dctx->buf, src, nbytes);
6266 -+ }
6267 -+}
6268 -+EXPORT_SYMBOL(poly1305_update_arch);
6269 -+
6270 -+void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
6271 -+{
6272 -+ if (unlikely(dctx->buflen)) {
6273 -+ dctx->buf[dctx->buflen++] = 1;
6274 -+ memset(dctx->buf + dctx->buflen, 0,
6275 -+ POLY1305_BLOCK_SIZE - dctx->buflen);
6276 -+ poly1305_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
6277 -+ }
6278 -+
6279 -+ poly1305_emit(&dctx->h, dst, dctx->s);
6280 -+ *dctx = (struct poly1305_desc_ctx){};
6281 -+}
6282 -+EXPORT_SYMBOL(poly1305_final_arch);
6283 -+
6284 -+static int neon_poly1305_final(struct shash_desc *desc, u8 *dst)
6285 -+{
6286 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
6287 -+
6288 -+ if (unlikely(!dctx->sset))
6289 -+ return -ENOKEY;
6290 -+
6291 -+ poly1305_final_arch(dctx, dst);
6292 -+ return 0;
6293 -+}
6294 -+
6295 -+static struct shash_alg neon_poly1305_alg = {
6296 -+ .init = neon_poly1305_init,
6297 -+ .update = neon_poly1305_update,
6298 -+ .final = neon_poly1305_final,
6299 -+ .digestsize = POLY1305_DIGEST_SIZE,
6300 -+ .descsize = sizeof(struct poly1305_desc_ctx),
6301 -+
6302 -+ .base.cra_name = "poly1305",
6303 -+ .base.cra_driver_name = "poly1305-neon",
6304 -+ .base.cra_priority = 200,
6305 -+ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
6306 -+ .base.cra_module = THIS_MODULE,
6307 -+};
6308 -+
6309 -+static int __init neon_poly1305_mod_init(void)
6310 -+{
6311 -+ if (!cpu_have_named_feature(ASIMD))
6312 -+ return 0;
6313 -+
6314 -+ static_branch_enable(&have_neon);
6315 -+
6316 -+ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
6317 -+ crypto_register_shash(&neon_poly1305_alg) : 0;
6318 -+}
6319 -+
6320 -+static void __exit neon_poly1305_mod_exit(void)
6321 -+{
6322 -+ if (IS_REACHABLE(CONFIG_CRYPTO_HASH) && cpu_have_named_feature(ASIMD))
6323 -+ crypto_unregister_shash(&neon_poly1305_alg);
6324 -+}
6325 -+
6326 -+module_init(neon_poly1305_mod_init);
6327 -+module_exit(neon_poly1305_mod_exit);
6328 -+
6329 -+MODULE_LICENSE("GPL v2");
6330 -+MODULE_ALIAS_CRYPTO("poly1305");
6331 -+MODULE_ALIAS_CRYPTO("poly1305-neon");
6332 ---- /dev/null
6333 -+++ b/arch/arm/crypto/poly1305-armv4.pl
6334 -@@ -0,0 +1,1236 @@
6335 -+#!/usr/bin/env perl
6336 -+# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
6337 -+#
6338 -+# ====================================================================
6339 -+# Written by Andy Polyakov, @dot-asm, initially for the OpenSSL
6340 -+# project.
6341 -+# ====================================================================
6342 -+#
6343 -+# IALU(*)/gcc-4.4 NEON
6344 -+#
6345 -+# ARM11xx(ARMv6) 7.78/+100% -
6346 -+# Cortex-A5 6.35/+130% 3.00
6347 -+# Cortex-A8 6.25/+115% 2.36
6348 -+# Cortex-A9 5.10/+95% 2.55
6349 -+# Cortex-A15 3.85/+85% 1.25(**)
6350 -+# Snapdragon S4 5.70/+100% 1.48(**)
6351 -+#
6352 -+# (*) this is for -march=armv6, i.e. with bunch of ldrb loading data;
6353 -+# (**) these are trade-off results, they can be improved by ~8% but at
6354 -+# the cost of 15/12% regression on Cortex-A5/A7, it's even possible
6355 -+# to improve Cortex-A9 result, but then A5/A7 loose more than 20%;
6356 -+
6357 -+$flavour = shift;
6358 -+if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
6359 -+else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
6360 -+
6361 -+if ($flavour && $flavour ne "void") {
6362 -+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
6363 -+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
6364 -+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
6365 -+ die "can't locate arm-xlate.pl";
6366 -+
6367 -+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
6368 -+} else {
6369 -+ open STDOUT,">$output";
6370 -+}
6371 -+
6372 -+($ctx,$inp,$len,$padbit)=map("r$_",(0..3));
6373 -+
6374 -+$code.=<<___;
6375 -+#ifndef __KERNEL__
6376 -+# include "arm_arch.h"
6377 -+#else
6378 -+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
6379 -+# define __ARM_MAX_ARCH__ __LINUX_ARM_ARCH__
6380 -+# define poly1305_init poly1305_init_arm
6381 -+# define poly1305_blocks poly1305_blocks_arm
6382 -+# define poly1305_emit poly1305_emit_arm
6383 -+.globl poly1305_blocks_neon
6384 -+#endif
6385 -+
6386 -+#if defined(__thumb2__)
6387 -+.syntax unified
6388 -+.thumb
6389 -+#else
6390 -+.code 32
6391 -+#endif
6392 -+
6393 -+.text
6394 -+
6395 -+.globl poly1305_emit
6396 -+.globl poly1305_blocks
6397 -+.globl poly1305_init
6398 -+.type poly1305_init,%function
6399 -+.align 5
6400 -+poly1305_init:
6401 -+.Lpoly1305_init:
6402 -+ stmdb sp!,{r4-r11}
6403 -+
6404 -+ eor r3,r3,r3
6405 -+ cmp $inp,#0
6406 -+ str r3,[$ctx,#0] @ zero hash value
6407 -+ str r3,[$ctx,#4]
6408 -+ str r3,[$ctx,#8]
6409 -+ str r3,[$ctx,#12]
6410 -+ str r3,[$ctx,#16]
6411 -+ str r3,[$ctx,#36] @ clear is_base2_26
6412 -+ add $ctx,$ctx,#20
6413 -+
6414 -+#ifdef __thumb2__
6415 -+ it eq
6416 -+#endif
6417 -+ moveq r0,#0
6418 -+ beq .Lno_key
6419 -+
6420 -+#if __ARM_MAX_ARCH__>=7
6421 -+ mov r3,#-1
6422 -+ str r3,[$ctx,#28] @ impossible key power value
6423 -+# ifndef __KERNEL__
6424 -+ adr r11,.Lpoly1305_init
6425 -+ ldr r12,.LOPENSSL_armcap
6426 -+# endif
6427 -+#endif
6428 -+ ldrb r4,[$inp,#0]
6429 -+ mov r10,#0x0fffffff
6430 -+ ldrb r5,[$inp,#1]
6431 -+ and r3,r10,#-4 @ 0x0ffffffc
6432 -+ ldrb r6,[$inp,#2]
6433 -+ ldrb r7,[$inp,#3]
6434 -+ orr r4,r4,r5,lsl#8
6435 -+ ldrb r5,[$inp,#4]
6436 -+ orr r4,r4,r6,lsl#16
6437 -+ ldrb r6,[$inp,#5]
6438 -+ orr r4,r4,r7,lsl#24
6439 -+ ldrb r7,[$inp,#6]
6440 -+ and r4,r4,r10
6441 -+
6442 -+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
6443 -+# if !defined(_WIN32)
6444 -+ ldr r12,[r11,r12] @ OPENSSL_armcap_P
6445 -+# endif
6446 -+# if defined(__APPLE__) || defined(_WIN32)
6447 -+ ldr r12,[r12]
6448 -+# endif
6449 -+#endif
6450 -+ ldrb r8,[$inp,#7]
6451 -+ orr r5,r5,r6,lsl#8
6452 -+ ldrb r6,[$inp,#8]
6453 -+ orr r5,r5,r7,lsl#16
6454 -+ ldrb r7,[$inp,#9]
6455 -+ orr r5,r5,r8,lsl#24
6456 -+ ldrb r8,[$inp,#10]
6457 -+ and r5,r5,r3
6458 -+
6459 -+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
6460 -+ tst r12,#ARMV7_NEON @ check for NEON
6461 -+# ifdef __thumb2__
6462 -+ adr r9,.Lpoly1305_blocks_neon
6463 -+ adr r11,.Lpoly1305_blocks
6464 -+ it ne
6465 -+ movne r11,r9
6466 -+ adr r12,.Lpoly1305_emit
6467 -+ orr r11,r11,#1 @ thumb-ify addresses
6468 -+ orr r12,r12,#1
6469 -+# else
6470 -+ add r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init)
6471 -+ ite eq
6472 -+ addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init)
6473 -+ addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init)
6474 -+# endif
6475 -+#endif
6476 -+ ldrb r9,[$inp,#11]
6477 -+ orr r6,r6,r7,lsl#8
6478 -+ ldrb r7,[$inp,#12]
6479 -+ orr r6,r6,r8,lsl#16
6480 -+ ldrb r8,[$inp,#13]
6481 -+ orr r6,r6,r9,lsl#24
6482 -+ ldrb r9,[$inp,#14]
6483 -+ and r6,r6,r3
6484 -+
6485 -+ ldrb r10,[$inp,#15]
6486 -+ orr r7,r7,r8,lsl#8
6487 -+ str r4,[$ctx,#0]
6488 -+ orr r7,r7,r9,lsl#16
6489 -+ str r5,[$ctx,#4]
6490 -+ orr r7,r7,r10,lsl#24
6491 -+ str r6,[$ctx,#8]
6492 -+ and r7,r7,r3
6493 -+ str r7,[$ctx,#12]
6494 -+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
6495 -+ stmia r2,{r11,r12} @ fill functions table
6496 -+ mov r0,#1
6497 -+#else
6498 -+ mov r0,#0
6499 -+#endif
6500 -+.Lno_key:
6501 -+ ldmia sp!,{r4-r11}
6502 -+#if __ARM_ARCH__>=5
6503 -+ ret @ bx lr
6504 -+#else
6505 -+ tst lr,#1
6506 -+ moveq pc,lr @ be binary compatible with V4, yet
6507 -+ bx lr @ interoperable with Thumb ISA:-)
6508 -+#endif
6509 -+.size poly1305_init,.-poly1305_init
6510 -+___
6511 -+{
6512 -+my ($h0,$h1,$h2,$h3,$h4,$r0,$r1,$r2,$r3)=map("r$_",(4..12));
6513 -+my ($s1,$s2,$s3)=($r1,$r2,$r3);
6514 -+
6515 -+$code.=<<___;
6516 -+.type poly1305_blocks,%function
6517 -+.align 5
6518 -+poly1305_blocks:
6519 -+.Lpoly1305_blocks:
6520 -+ stmdb sp!,{r3-r11,lr}
6521 -+
6522 -+ ands $len,$len,#-16
6523 -+ beq .Lno_data
6524 -+
6525 -+ add $len,$len,$inp @ end pointer
6526 -+ sub sp,sp,#32
6527 -+
6528 -+#if __ARM_ARCH__<7
6529 -+ ldmia $ctx,{$h0-$r3} @ load context
6530 -+ add $ctx,$ctx,#20
6531 -+ str $len,[sp,#16] @ offload stuff
6532 -+ str $ctx,[sp,#12]
6533 -+#else
6534 -+ ldr lr,[$ctx,#36] @ is_base2_26
6535 -+ ldmia $ctx!,{$h0-$h4} @ load hash value
6536 -+ str $len,[sp,#16] @ offload stuff
6537 -+ str $ctx,[sp,#12]
6538 -+
6539 -+ adds $r0,$h0,$h1,lsl#26 @ base 2^26 -> base 2^32
6540 -+ mov $r1,$h1,lsr#6
6541 -+ adcs $r1,$r1,$h2,lsl#20
6542 -+ mov $r2,$h2,lsr#12
6543 -+ adcs $r2,$r2,$h3,lsl#14
6544 -+ mov $r3,$h3,lsr#18
6545 -+ adcs $r3,$r3,$h4,lsl#8
6546 -+ mov $len,#0
6547 -+ teq lr,#0
6548 -+ str $len,[$ctx,#16] @ clear is_base2_26
6549 -+ adc $len,$len,$h4,lsr#24
6550 -+
6551 -+ itttt ne
6552 -+ movne $h0,$r0 @ choose between radixes
6553 -+ movne $h1,$r1
6554 -+ movne $h2,$r2
6555 -+ movne $h3,$r3
6556 -+ ldmia $ctx,{$r0-$r3} @ load key
6557 -+ it ne
6558 -+ movne $h4,$len
6559 -+#endif
6560 -+
6561 -+ mov lr,$inp
6562 -+ cmp $padbit,#0
6563 -+ str $r1,[sp,#20]
6564 -+ str $r2,[sp,#24]
6565 -+ str $r3,[sp,#28]
6566 -+ b .Loop
6567 -+
6568 -+.align 4
6569 -+.Loop:
6570 -+#if __ARM_ARCH__<7
6571 -+ ldrb r0,[lr],#16 @ load input
6572 -+# ifdef __thumb2__
6573 -+ it hi
6574 -+# endif
6575 -+ addhi $h4,$h4,#1 @ 1<<128
6576 -+ ldrb r1,[lr,#-15]
6577 -+ ldrb r2,[lr,#-14]
6578 -+ ldrb r3,[lr,#-13]
6579 -+ orr r1,r0,r1,lsl#8
6580 -+ ldrb r0,[lr,#-12]
6581 -+ orr r2,r1,r2,lsl#16
6582 -+ ldrb r1,[lr,#-11]
6583 -+ orr r3,r2,r3,lsl#24
6584 -+ ldrb r2,[lr,#-10]
6585 -+ adds $h0,$h0,r3 @ accumulate input
6586 -+
6587 -+ ldrb r3,[lr,#-9]
6588 -+ orr r1,r0,r1,lsl#8
6589 -+ ldrb r0,[lr,#-8]
6590 -+ orr r2,r1,r2,lsl#16
6591 -+ ldrb r1,[lr,#-7]
6592 -+ orr r3,r2,r3,lsl#24
6593 -+ ldrb r2,[lr,#-6]
6594 -+ adcs $h1,$h1,r3
6595 -+
6596 -+ ldrb r3,[lr,#-5]
6597 -+ orr r1,r0,r1,lsl#8
6598 -+ ldrb r0,[lr,#-4]
6599 -+ orr r2,r1,r2,lsl#16
6600 -+ ldrb r1,[lr,#-3]
6601 -+ orr r3,r2,r3,lsl#24
6602 -+ ldrb r2,[lr,#-2]
6603 -+ adcs $h2,$h2,r3
6604 -+
6605 -+ ldrb r3,[lr,#-1]
6606 -+ orr r1,r0,r1,lsl#8
6607 -+ str lr,[sp,#8] @ offload input pointer
6608 -+ orr r2,r1,r2,lsl#16
6609 -+ add $s1,$r1,$r1,lsr#2
6610 -+ orr r3,r2,r3,lsl#24
6611 -+#else
6612 -+ ldr r0,[lr],#16 @ load input
6613 -+ it hi
6614 -+ addhi $h4,$h4,#1 @ padbit
6615 -+ ldr r1,[lr,#-12]
6616 -+ ldr r2,[lr,#-8]
6617 -+ ldr r3,[lr,#-4]
6618 -+# ifdef __ARMEB__
6619 -+ rev r0,r0
6620 -+ rev r1,r1
6621 -+ rev r2,r2
6622 -+ rev r3,r3
6623 -+# endif
6624 -+ adds $h0,$h0,r0 @ accumulate input
6625 -+ str lr,[sp,#8] @ offload input pointer
6626 -+ adcs $h1,$h1,r1
6627 -+ add $s1,$r1,$r1,lsr#2
6628 -+ adcs $h2,$h2,r2
6629 -+#endif
6630 -+ add $s2,$r2,$r2,lsr#2
6631 -+ adcs $h3,$h3,r3
6632 -+ add $s3,$r3,$r3,lsr#2
6633 -+
6634 -+ umull r2,r3,$h1,$r0
6635 -+ adc $h4,$h4,#0
6636 -+ umull r0,r1,$h0,$r0
6637 -+ umlal r2,r3,$h4,$s1
6638 -+ umlal r0,r1,$h3,$s1
6639 -+ ldr $r1,[sp,#20] @ reload $r1
6640 -+ umlal r2,r3,$h2,$s3
6641 -+ umlal r0,r1,$h1,$s3
6642 -+ umlal r2,r3,$h3,$s2
6643 -+ umlal r0,r1,$h2,$s2
6644 -+ umlal r2,r3,$h0,$r1
6645 -+ str r0,[sp,#0] @ future $h0
6646 -+ mul r0,$s2,$h4
6647 -+ ldr $r2,[sp,#24] @ reload $r2
6648 -+ adds r2,r2,r1 @ d1+=d0>>32
6649 -+ eor r1,r1,r1
6650 -+ adc lr,r3,#0 @ future $h2
6651 -+ str r2,[sp,#4] @ future $h1
6652 -+
6653 -+ mul r2,$s3,$h4
6654 -+ eor r3,r3,r3
6655 -+ umlal r0,r1,$h3,$s3
6656 -+ ldr $r3,[sp,#28] @ reload $r3
6657 -+ umlal r2,r3,$h3,$r0
6658 -+ umlal r0,r1,$h2,$r0
6659 -+ umlal r2,r3,$h2,$r1
6660 -+ umlal r0,r1,$h1,$r1
6661 -+ umlal r2,r3,$h1,$r2
6662 -+ umlal r0,r1,$h0,$r2
6663 -+ umlal r2,r3,$h0,$r3
6664 -+ ldr $h0,[sp,#0]
6665 -+ mul $h4,$r0,$h4
6666 -+ ldr $h1,[sp,#4]
6667 -+
6668 -+ adds $h2,lr,r0 @ d2+=d1>>32
6669 -+ ldr lr,[sp,#8] @ reload input pointer
6670 -+ adc r1,r1,#0
6671 -+ adds $h3,r2,r1 @ d3+=d2>>32
6672 -+ ldr r0,[sp,#16] @ reload end pointer
6673 -+ adc r3,r3,#0
6674 -+ add $h4,$h4,r3 @ h4+=d3>>32
6675 -+
6676 -+ and r1,$h4,#-4
6677 -+ and $h4,$h4,#3
6678 -+ add r1,r1,r1,lsr#2 @ *=5
6679 -+ adds $h0,$h0,r1
6680 -+ adcs $h1,$h1,#0
6681 -+ adcs $h2,$h2,#0
6682 -+ adcs $h3,$h3,#0
6683 -+ adc $h4,$h4,#0
6684 -+
6685 -+ cmp r0,lr @ done yet?
6686 -+ bhi .Loop
6687 -+
6688 -+ ldr $ctx,[sp,#12]
6689 -+ add sp,sp,#32
6690 -+ stmdb $ctx,{$h0-$h4} @ store the result
6691 -+
6692 -+.Lno_data:
6693 -+#if __ARM_ARCH__>=5
6694 -+ ldmia sp!,{r3-r11,pc}
6695 -+#else
6696 -+ ldmia sp!,{r3-r11,lr}
6697 -+ tst lr,#1
6698 -+ moveq pc,lr @ be binary compatible with V4, yet
6699 -+ bx lr @ interoperable with Thumb ISA:-)
6700 -+#endif
6701 -+.size poly1305_blocks,.-poly1305_blocks
6702 -+___
6703 -+}
6704 -+{
6705 -+my ($ctx,$mac,$nonce)=map("r$_",(0..2));
6706 -+my ($h0,$h1,$h2,$h3,$h4,$g0,$g1,$g2,$g3)=map("r$_",(3..11));
6707 -+my $g4=$ctx;
6708 -+
6709 -+$code.=<<___;
6710 -+.type poly1305_emit,%function
6711 -+.align 5
6712 -+poly1305_emit:
6713 -+.Lpoly1305_emit:
6714 -+ stmdb sp!,{r4-r11}
6715 -+
6716 -+ ldmia $ctx,{$h0-$h4}
6717 -+
6718 -+#if __ARM_ARCH__>=7
6719 -+ ldr ip,[$ctx,#36] @ is_base2_26
6720 -+
6721 -+ adds $g0,$h0,$h1,lsl#26 @ base 2^26 -> base 2^32
6722 -+ mov $g1,$h1,lsr#6
6723 -+ adcs $g1,$g1,$h2,lsl#20
6724 -+ mov $g2,$h2,lsr#12
6725 -+ adcs $g2,$g2,$h3,lsl#14
6726 -+ mov $g3,$h3,lsr#18
6727 -+ adcs $g3,$g3,$h4,lsl#8
6728 -+ mov $g4,#0
6729 -+ adc $g4,$g4,$h4,lsr#24
6730 -+
6731 -+ tst ip,ip
6732 -+ itttt ne
6733 -+ movne $h0,$g0
6734 -+ movne $h1,$g1
6735 -+ movne $h2,$g2
6736 -+ movne $h3,$g3
6737 -+ it ne
6738 -+ movne $h4,$g4
6739 -+#endif
6740 -+
6741 -+ adds $g0,$h0,#5 @ compare to modulus
6742 -+ adcs $g1,$h1,#0
6743 -+ adcs $g2,$h2,#0
6744 -+ adcs $g3,$h3,#0
6745 -+ adc $g4,$h4,#0
6746 -+ tst $g4,#4 @ did it carry/borrow?
6747 -+
6748 -+#ifdef __thumb2__
6749 -+ it ne
6750 -+#endif
6751 -+ movne $h0,$g0
6752 -+ ldr $g0,[$nonce,#0]
6753 -+#ifdef __thumb2__
6754 -+ it ne
6755 -+#endif
6756 -+ movne $h1,$g1
6757 -+ ldr $g1,[$nonce,#4]
6758 -+#ifdef __thumb2__
6759 -+ it ne
6760 -+#endif
6761 -+ movne $h2,$g2
6762 -+ ldr $g2,[$nonce,#8]
6763 -+#ifdef __thumb2__
6764 -+ it ne
6765 -+#endif
6766 -+ movne $h3,$g3
6767 -+ ldr $g3,[$nonce,#12]
6768 -+
6769 -+ adds $h0,$h0,$g0
6770 -+ adcs $h1,$h1,$g1
6771 -+ adcs $h2,$h2,$g2
6772 -+ adc $h3,$h3,$g3
6773 -+
6774 -+#if __ARM_ARCH__>=7
6775 -+# ifdef __ARMEB__
6776 -+ rev $h0,$h0
6777 -+ rev $h1,$h1
6778 -+ rev $h2,$h2
6779 -+ rev $h3,$h3
6780 -+# endif
6781 -+ str $h0,[$mac,#0]
6782 -+ str $h1,[$mac,#4]
6783 -+ str $h2,[$mac,#8]
6784 -+ str $h3,[$mac,#12]
6785 -+#else
6786 -+ strb $h0,[$mac,#0]
6787 -+ mov $h0,$h0,lsr#8
6788 -+ strb $h1,[$mac,#4]
6789 -+ mov $h1,$h1,lsr#8
6790 -+ strb $h2,[$mac,#8]
6791 -+ mov $h2,$h2,lsr#8
6792 -+ strb $h3,[$mac,#12]
6793 -+ mov $h3,$h3,lsr#8
6794 -+
6795 -+ strb $h0,[$mac,#1]
6796 -+ mov $h0,$h0,lsr#8
6797 -+ strb $h1,[$mac,#5]
6798 -+ mov $h1,$h1,lsr#8
6799 -+ strb $h2,[$mac,#9]
6800 -+ mov $h2,$h2,lsr#8
6801 -+ strb $h3,[$mac,#13]
6802 -+ mov $h3,$h3,lsr#8
6803 -+
6804 -+ strb $h0,[$mac,#2]
6805 -+ mov $h0,$h0,lsr#8
6806 -+ strb $h1,[$mac,#6]
6807 -+ mov $h1,$h1,lsr#8
6808 -+ strb $h2,[$mac,#10]
6809 -+ mov $h2,$h2,lsr#8
6810 -+ strb $h3,[$mac,#14]
6811 -+ mov $h3,$h3,lsr#8
6812 -+
6813 -+ strb $h0,[$mac,#3]
6814 -+ strb $h1,[$mac,#7]
6815 -+ strb $h2,[$mac,#11]
6816 -+ strb $h3,[$mac,#15]
6817 -+#endif
6818 -+ ldmia sp!,{r4-r11}
6819 -+#if __ARM_ARCH__>=5
6820 -+ ret @ bx lr
6821 -+#else
6822 -+ tst lr,#1
6823 -+ moveq pc,lr @ be binary compatible with V4, yet
6824 -+ bx lr @ interoperable with Thumb ISA:-)
6825 -+#endif
6826 -+.size poly1305_emit,.-poly1305_emit
6827 -+___
6828 -+{
6829 -+my ($R0,$R1,$S1,$R2,$S2,$R3,$S3,$R4,$S4) = map("d$_",(0..9));
6830 -+my ($D0,$D1,$D2,$D3,$D4, $H0,$H1,$H2,$H3,$H4) = map("q$_",(5..14));
6831 -+my ($T0,$T1,$MASK) = map("q$_",(15,4,0));
6832 -+
6833 -+my ($in2,$zeros,$tbl0,$tbl1) = map("r$_",(4..7));
6834 -+
6835 -+$code.=<<___;
6836 -+#if __ARM_MAX_ARCH__>=7
6837 -+.fpu neon
6838 -+
6839 -+.type poly1305_init_neon,%function
6840 -+.align 5
6841 -+poly1305_init_neon:
6842 -+.Lpoly1305_init_neon:
6843 -+ ldr r3,[$ctx,#48] @ first table element
6844 -+ cmp r3,#-1 @ is value impossible?
6845 -+ bne .Lno_init_neon
6846 -+
6847 -+ ldr r4,[$ctx,#20] @ load key base 2^32
6848 -+ ldr r5,[$ctx,#24]
6849 -+ ldr r6,[$ctx,#28]
6850 -+ ldr r7,[$ctx,#32]
6851 -+
6852 -+ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
6853 -+ mov r3,r4,lsr#26
6854 -+ mov r4,r5,lsr#20
6855 -+ orr r3,r3,r5,lsl#6
6856 -+ mov r5,r6,lsr#14
6857 -+ orr r4,r4,r6,lsl#12
6858 -+ mov r6,r7,lsr#8
6859 -+ orr r5,r5,r7,lsl#18
6860 -+ and r3,r3,#0x03ffffff
6861 -+ and r4,r4,#0x03ffffff
6862 -+ and r5,r5,#0x03ffffff
6863 -+
6864 -+ vdup.32 $R0,r2 @ r^1 in both lanes
6865 -+ add r2,r3,r3,lsl#2 @ *5
6866 -+ vdup.32 $R1,r3
6867 -+ add r3,r4,r4,lsl#2
6868 -+ vdup.32 $S1,r2
6869 -+ vdup.32 $R2,r4
6870 -+ add r4,r5,r5,lsl#2
6871 -+ vdup.32 $S2,r3
6872 -+ vdup.32 $R3,r5
6873 -+ add r5,r6,r6,lsl#2
6874 -+ vdup.32 $S3,r4
6875 -+ vdup.32 $R4,r6
6876 -+ vdup.32 $S4,r5
6877 -+
6878 -+ mov $zeros,#2 @ counter
6879 -+
6880 -+.Lsquare_neon:
6881 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
6882 -+ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
6883 -+ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
6884 -+ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
6885 -+ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
6886 -+ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
6887 -+
6888 -+ vmull.u32 $D0,$R0,${R0}[1]
6889 -+ vmull.u32 $D1,$R1,${R0}[1]
6890 -+ vmull.u32 $D2,$R2,${R0}[1]
6891 -+ vmull.u32 $D3,$R3,${R0}[1]
6892 -+ vmull.u32 $D4,$R4,${R0}[1]
6893 -+
6894 -+ vmlal.u32 $D0,$R4,${S1}[1]
6895 -+ vmlal.u32 $D1,$R0,${R1}[1]
6896 -+ vmlal.u32 $D2,$R1,${R1}[1]
6897 -+ vmlal.u32 $D3,$R2,${R1}[1]
6898 -+ vmlal.u32 $D4,$R3,${R1}[1]
6899 -+
6900 -+ vmlal.u32 $D0,$R3,${S2}[1]
6901 -+ vmlal.u32 $D1,$R4,${S2}[1]
6902 -+ vmlal.u32 $D3,$R1,${R2}[1]
6903 -+ vmlal.u32 $D2,$R0,${R2}[1]
6904 -+ vmlal.u32 $D4,$R2,${R2}[1]
6905 -+
6906 -+ vmlal.u32 $D0,$R2,${S3}[1]
6907 -+ vmlal.u32 $D3,$R0,${R3}[1]
6908 -+ vmlal.u32 $D1,$R3,${S3}[1]
6909 -+ vmlal.u32 $D2,$R4,${S3}[1]
6910 -+ vmlal.u32 $D4,$R1,${R3}[1]
6911 -+
6912 -+ vmlal.u32 $D3,$R4,${S4}[1]
6913 -+ vmlal.u32 $D0,$R1,${S4}[1]
6914 -+ vmlal.u32 $D1,$R2,${S4}[1]
6915 -+ vmlal.u32 $D2,$R3,${S4}[1]
6916 -+ vmlal.u32 $D4,$R0,${R4}[1]
6917 -+
6918 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
6919 -+ @ lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
6920 -+ @ and P. Schwabe
6921 -+ @
6922 -+ @ H0>>+H1>>+H2>>+H3>>+H4
6923 -+ @ H3>>+H4>>*5+H0>>+H1
6924 -+ @
6925 -+ @ Trivia.
6926 -+ @
6927 -+ @ Result of multiplication of n-bit number by m-bit number is
6928 -+ @ n+m bits wide. However! Even though 2^n is a n+1-bit number,
6929 -+ @ m-bit number multiplied by 2^n is still n+m bits wide.
6930 -+ @
6931 -+ @ Sum of two n-bit numbers is n+1 bits wide, sum of three - n+2,
6932 -+ @ and so is sum of four. Sum of 2^m n-m-bit numbers and n-bit
6933 -+ @ one is n+1 bits wide.
6934 -+ @
6935 -+ @ >>+ denotes Hnext += Hn>>26, Hn &= 0x3ffffff. This means that
6936 -+ @ H0, H2, H3 are guaranteed to be 26 bits wide, while H1 and H4
6937 -+ @ can be 27. However! In cases when their width exceeds 26 bits
6938 -+ @ they are limited by 2^26+2^6. This in turn means that *sum*
6939 -+ @ of the products with these values can still be viewed as sum
6940 -+ @ of 52-bit numbers as long as the amount of addends is not a
6941 -+ @ power of 2. For example,
6942 -+ @
6943 -+ @ H4 = H4*R0 + H3*R1 + H2*R2 + H1*R3 + H0 * R4,
6944 -+ @
6945 -+ @ which can't be larger than 5 * (2^26 + 2^6) * (2^26 + 2^6), or
6946 -+ @ 5 * (2^52 + 2*2^32 + 2^12), which in turn is smaller than
6947 -+ @ 8 * (2^52) or 2^55. However, the value is then multiplied by
6948 -+ @ by 5, so we should be looking at 5 * 5 * (2^52 + 2^33 + 2^12),
6949 -+ @ which is less than 32 * (2^52) or 2^57. And when processing
6950 -+ @ data we are looking at triple as many addends...
6951 -+ @
6952 -+ @ In key setup procedure pre-reduced H0 is limited by 5*4+1 and
6953 -+ @ 5*H4 - by 5*5 52-bit addends, or 57 bits. But when hashing the
6954 -+ @ input H0 is limited by (5*4+1)*3 addends, or 58 bits, while
6955 -+ @ 5*H4 by 5*5*3, or 59[!] bits. How is this relevant? vmlal.u32
6956 -+ @ instruction accepts 2x32-bit input and writes 2x64-bit result.
6957 -+ @ This means that result of reduction have to be compressed upon
6958 -+ @ loop wrap-around. This can be done in the process of reduction
6959 -+ @ to minimize amount of instructions [as well as amount of
6960 -+ @ 128-bit instructions, which benefits low-end processors], but
6961 -+ @ one has to watch for H2 (which is narrower than H0) and 5*H4
6962 -+ @ not being wider than 58 bits, so that result of right shift
6963 -+ @ by 26 bits fits in 32 bits. This is also useful on x86,
6964 -+ @ because it allows to use paddd in place for paddq, which
6965 -+ @ benefits Atom, where paddq is ridiculously slow.
6966 -+
6967 -+ vshr.u64 $T0,$D3,#26
6968 -+ vmovn.i64 $D3#lo,$D3
6969 -+ vshr.u64 $T1,$D0,#26
6970 -+ vmovn.i64 $D0#lo,$D0
6971 -+ vadd.i64 $D4,$D4,$T0 @ h3 -> h4
6972 -+ vbic.i32 $D3#lo,#0xfc000000 @ &=0x03ffffff
6973 -+ vadd.i64 $D1,$D1,$T1 @ h0 -> h1
6974 -+ vbic.i32 $D0#lo,#0xfc000000
6975 -+
6976 -+ vshrn.u64 $T0#lo,$D4,#26
6977 -+ vmovn.i64 $D4#lo,$D4
6978 -+ vshr.u64 $T1,$D1,#26
6979 -+ vmovn.i64 $D1#lo,$D1
6980 -+ vadd.i64 $D2,$D2,$T1 @ h1 -> h2
6981 -+ vbic.i32 $D4#lo,#0xfc000000
6982 -+ vbic.i32 $D1#lo,#0xfc000000
6983 -+
6984 -+ vadd.i32 $D0#lo,$D0#lo,$T0#lo
6985 -+ vshl.u32 $T0#lo,$T0#lo,#2
6986 -+ vshrn.u64 $T1#lo,$D2,#26
6987 -+ vmovn.i64 $D2#lo,$D2
6988 -+ vadd.i32 $D0#lo,$D0#lo,$T0#lo @ h4 -> h0
6989 -+ vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
6990 -+ vbic.i32 $D2#lo,#0xfc000000
6991 -+
6992 -+ vshr.u32 $T0#lo,$D0#lo,#26
6993 -+ vbic.i32 $D0#lo,#0xfc000000
6994 -+ vshr.u32 $T1#lo,$D3#lo,#26
6995 -+ vbic.i32 $D3#lo,#0xfc000000
6996 -+ vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
6997 -+ vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
6998 -+
6999 -+ subs $zeros,$zeros,#1
7000 -+ beq .Lsquare_break_neon
7001 -+
7002 -+ add $tbl0,$ctx,#(48+0*9*4)
7003 -+ add $tbl1,$ctx,#(48+1*9*4)
7004 -+
7005 -+ vtrn.32 $R0,$D0#lo @ r^2:r^1
7006 -+ vtrn.32 $R2,$D2#lo
7007 -+ vtrn.32 $R3,$D3#lo
7008 -+ vtrn.32 $R1,$D1#lo
7009 -+ vtrn.32 $R4,$D4#lo
7010 -+
7011 -+ vshl.u32 $S2,$R2,#2 @ *5
7012 -+ vshl.u32 $S3,$R3,#2
7013 -+ vshl.u32 $S1,$R1,#2
7014 -+ vshl.u32 $S4,$R4,#2
7015 -+ vadd.i32 $S2,$S2,$R2
7016 -+ vadd.i32 $S1,$S1,$R1
7017 -+ vadd.i32 $S3,$S3,$R3
7018 -+ vadd.i32 $S4,$S4,$R4
7019 -+
7020 -+ vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
7021 -+ vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
7022 -+ vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7023 -+ vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7024 -+ vst1.32 {${S4}[0]},[$tbl0,:32]
7025 -+ vst1.32 {${S4}[1]},[$tbl1,:32]
7026 -+
7027 -+ b .Lsquare_neon
7028 -+
7029 -+.align 4
7030 -+.Lsquare_break_neon:
7031 -+ add $tbl0,$ctx,#(48+2*4*9)
7032 -+ add $tbl1,$ctx,#(48+3*4*9)
7033 -+
7034 -+ vmov $R0,$D0#lo @ r^4:r^3
7035 -+ vshl.u32 $S1,$D1#lo,#2 @ *5
7036 -+ vmov $R1,$D1#lo
7037 -+ vshl.u32 $S2,$D2#lo,#2
7038 -+ vmov $R2,$D2#lo
7039 -+ vshl.u32 $S3,$D3#lo,#2
7040 -+ vmov $R3,$D3#lo
7041 -+ vshl.u32 $S4,$D4#lo,#2
7042 -+ vmov $R4,$D4#lo
7043 -+ vadd.i32 $S1,$S1,$D1#lo
7044 -+ vadd.i32 $S2,$S2,$D2#lo
7045 -+ vadd.i32 $S3,$S3,$D3#lo
7046 -+ vadd.i32 $S4,$S4,$D4#lo
7047 -+
7048 -+ vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
7049 -+ vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
7050 -+ vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7051 -+ vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7052 -+ vst1.32 {${S4}[0]},[$tbl0]
7053 -+ vst1.32 {${S4}[1]},[$tbl1]
7054 -+
7055 -+.Lno_init_neon:
7056 -+ ret @ bx lr
7057 -+.size poly1305_init_neon,.-poly1305_init_neon
7058 -+
7059 -+.type poly1305_blocks_neon,%function
7060 -+.align 5
7061 -+poly1305_blocks_neon:
7062 -+.Lpoly1305_blocks_neon:
7063 -+ ldr ip,[$ctx,#36] @ is_base2_26
7064 -+
7065 -+ cmp $len,#64
7066 -+ blo .Lpoly1305_blocks
7067 -+
7068 -+ stmdb sp!,{r4-r7}
7069 -+ vstmdb sp!,{d8-d15} @ ABI specification says so
7070 -+
7071 -+ tst ip,ip @ is_base2_26?
7072 -+ bne .Lbase2_26_neon
7073 -+
7074 -+ stmdb sp!,{r1-r3,lr}
7075 -+ bl .Lpoly1305_init_neon
7076 -+
7077 -+ ldr r4,[$ctx,#0] @ load hash value base 2^32
7078 -+ ldr r5,[$ctx,#4]
7079 -+ ldr r6,[$ctx,#8]
7080 -+ ldr r7,[$ctx,#12]
7081 -+ ldr ip,[$ctx,#16]
7082 -+
7083 -+ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
7084 -+ mov r3,r4,lsr#26
7085 -+ veor $D0#lo,$D0#lo,$D0#lo
7086 -+ mov r4,r5,lsr#20
7087 -+ orr r3,r3,r5,lsl#6
7088 -+ veor $D1#lo,$D1#lo,$D1#lo
7089 -+ mov r5,r6,lsr#14
7090 -+ orr r4,r4,r6,lsl#12
7091 -+ veor $D2#lo,$D2#lo,$D2#lo
7092 -+ mov r6,r7,lsr#8
7093 -+ orr r5,r5,r7,lsl#18
7094 -+ veor $D3#lo,$D3#lo,$D3#lo
7095 -+ and r3,r3,#0x03ffffff
7096 -+ orr r6,r6,ip,lsl#24
7097 -+ veor $D4#lo,$D4#lo,$D4#lo
7098 -+ and r4,r4,#0x03ffffff
7099 -+ mov r1,#1
7100 -+ and r5,r5,#0x03ffffff
7101 -+ str r1,[$ctx,#36] @ set is_base2_26
7102 -+
7103 -+ vmov.32 $D0#lo[0],r2
7104 -+ vmov.32 $D1#lo[0],r3
7105 -+ vmov.32 $D2#lo[0],r4
7106 -+ vmov.32 $D3#lo[0],r5
7107 -+ vmov.32 $D4#lo[0],r6
7108 -+ adr $zeros,.Lzeros
7109 -+
7110 -+ ldmia sp!,{r1-r3,lr}
7111 -+ b .Lhash_loaded
7112 -+
7113 -+.align 4
7114 -+.Lbase2_26_neon:
7115 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7116 -+ @ load hash value
7117 -+
7118 -+ veor $D0#lo,$D0#lo,$D0#lo
7119 -+ veor $D1#lo,$D1#lo,$D1#lo
7120 -+ veor $D2#lo,$D2#lo,$D2#lo
7121 -+ veor $D3#lo,$D3#lo,$D3#lo
7122 -+ veor $D4#lo,$D4#lo,$D4#lo
7123 -+ vld4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
7124 -+ adr $zeros,.Lzeros
7125 -+ vld1.32 {$D4#lo[0]},[$ctx]
7126 -+ sub $ctx,$ctx,#16 @ rewind
7127 -+
7128 -+.Lhash_loaded:
7129 -+ add $in2,$inp,#32
7130 -+ mov $padbit,$padbit,lsl#24
7131 -+ tst $len,#31
7132 -+ beq .Leven
7133 -+
7134 -+ vld4.32 {$H0#lo[0],$H1#lo[0],$H2#lo[0],$H3#lo[0]},[$inp]!
7135 -+ vmov.32 $H4#lo[0],$padbit
7136 -+ sub $len,$len,#16
7137 -+ add $in2,$inp,#32
7138 -+
7139 -+# ifdef __ARMEB__
7140 -+ vrev32.8 $H0,$H0
7141 -+ vrev32.8 $H3,$H3
7142 -+ vrev32.8 $H1,$H1
7143 -+ vrev32.8 $H2,$H2
7144 -+# endif
7145 -+ vsri.u32 $H4#lo,$H3#lo,#8 @ base 2^32 -> base 2^26
7146 -+ vshl.u32 $H3#lo,$H3#lo,#18
7147 -+
7148 -+ vsri.u32 $H3#lo,$H2#lo,#14
7149 -+ vshl.u32 $H2#lo,$H2#lo,#12
7150 -+ vadd.i32 $H4#hi,$H4#lo,$D4#lo @ add hash value and move to #hi
7151 -+
7152 -+ vbic.i32 $H3#lo,#0xfc000000
7153 -+ vsri.u32 $H2#lo,$H1#lo,#20
7154 -+ vshl.u32 $H1#lo,$H1#lo,#6
7155 -+
7156 -+ vbic.i32 $H2#lo,#0xfc000000
7157 -+ vsri.u32 $H1#lo,$H0#lo,#26
7158 -+ vadd.i32 $H3#hi,$H3#lo,$D3#lo
7159 -+
7160 -+ vbic.i32 $H0#lo,#0xfc000000
7161 -+ vbic.i32 $H1#lo,#0xfc000000
7162 -+ vadd.i32 $H2#hi,$H2#lo,$D2#lo
7163 -+
7164 -+ vadd.i32 $H0#hi,$H0#lo,$D0#lo
7165 -+ vadd.i32 $H1#hi,$H1#lo,$D1#lo
7166 -+
7167 -+ mov $tbl1,$zeros
7168 -+ add $tbl0,$ctx,#48
7169 -+
7170 -+ cmp $len,$len
7171 -+ b .Long_tail
7172 -+
7173 -+.align 4
7174 -+.Leven:
7175 -+ subs $len,$len,#64
7176 -+ it lo
7177 -+ movlo $in2,$zeros
7178 -+
7179 -+ vmov.i32 $H4,#1<<24 @ padbit, yes, always
7180 -+ vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
7181 -+ add $inp,$inp,#64
7182 -+ vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
7183 -+ add $in2,$in2,#64
7184 -+ itt hi
7185 -+ addhi $tbl1,$ctx,#(48+1*9*4)
7186 -+ addhi $tbl0,$ctx,#(48+3*9*4)
7187 -+
7188 -+# ifdef __ARMEB__
7189 -+ vrev32.8 $H0,$H0
7190 -+ vrev32.8 $H3,$H3
7191 -+ vrev32.8 $H1,$H1
7192 -+ vrev32.8 $H2,$H2
7193 -+# endif
7194 -+ vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
7195 -+ vshl.u32 $H3,$H3,#18
7196 -+
7197 -+ vsri.u32 $H3,$H2,#14
7198 -+ vshl.u32 $H2,$H2,#12
7199 -+
7200 -+ vbic.i32 $H3,#0xfc000000
7201 -+ vsri.u32 $H2,$H1,#20
7202 -+ vshl.u32 $H1,$H1,#6
7203 -+
7204 -+ vbic.i32 $H2,#0xfc000000
7205 -+ vsri.u32 $H1,$H0,#26
7206 -+
7207 -+ vbic.i32 $H0,#0xfc000000
7208 -+ vbic.i32 $H1,#0xfc000000
7209 -+
7210 -+ bls .Lskip_loop
7211 -+
7212 -+ vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^2
7213 -+ vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
7214 -+ vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7215 -+ vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7216 -+ b .Loop_neon
7217 -+
7218 -+.align 5
7219 -+.Loop_neon:
7220 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7221 -+ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
7222 -+ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
7223 -+ @ \___________________/
7224 -+ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
7225 -+ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
7226 -+ @ \___________________/ \____________________/
7227 -+ @
7228 -+ @ Note that we start with inp[2:3]*r^2. This is because it
7229 -+ @ doesn't depend on reduction in previous iteration.
7230 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7231 -+ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
7232 -+ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
7233 -+ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
7234 -+ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
7235 -+ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
7236 -+
7237 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7238 -+ @ inp[2:3]*r^2
7239 -+
7240 -+ vadd.i32 $H2#lo,$H2#lo,$D2#lo @ accumulate inp[0:1]
7241 -+ vmull.u32 $D2,$H2#hi,${R0}[1]
7242 -+ vadd.i32 $H0#lo,$H0#lo,$D0#lo
7243 -+ vmull.u32 $D0,$H0#hi,${R0}[1]
7244 -+ vadd.i32 $H3#lo,$H3#lo,$D3#lo
7245 -+ vmull.u32 $D3,$H3#hi,${R0}[1]
7246 -+ vmlal.u32 $D2,$H1#hi,${R1}[1]
7247 -+ vadd.i32 $H1#lo,$H1#lo,$D1#lo
7248 -+ vmull.u32 $D1,$H1#hi,${R0}[1]
7249 -+
7250 -+ vadd.i32 $H4#lo,$H4#lo,$D4#lo
7251 -+ vmull.u32 $D4,$H4#hi,${R0}[1]
7252 -+ subs $len,$len,#64
7253 -+ vmlal.u32 $D0,$H4#hi,${S1}[1]
7254 -+ it lo
7255 -+ movlo $in2,$zeros
7256 -+ vmlal.u32 $D3,$H2#hi,${R1}[1]
7257 -+ vld1.32 ${S4}[1],[$tbl1,:32]
7258 -+ vmlal.u32 $D1,$H0#hi,${R1}[1]
7259 -+ vmlal.u32 $D4,$H3#hi,${R1}[1]
7260 -+
7261 -+ vmlal.u32 $D0,$H3#hi,${S2}[1]
7262 -+ vmlal.u32 $D3,$H1#hi,${R2}[1]
7263 -+ vmlal.u32 $D4,$H2#hi,${R2}[1]
7264 -+ vmlal.u32 $D1,$H4#hi,${S2}[1]
7265 -+ vmlal.u32 $D2,$H0#hi,${R2}[1]
7266 -+
7267 -+ vmlal.u32 $D3,$H0#hi,${R3}[1]
7268 -+ vmlal.u32 $D0,$H2#hi,${S3}[1]
7269 -+ vmlal.u32 $D4,$H1#hi,${R3}[1]
7270 -+ vmlal.u32 $D1,$H3#hi,${S3}[1]
7271 -+ vmlal.u32 $D2,$H4#hi,${S3}[1]
7272 -+
7273 -+ vmlal.u32 $D3,$H4#hi,${S4}[1]
7274 -+ vmlal.u32 $D0,$H1#hi,${S4}[1]
7275 -+ vmlal.u32 $D4,$H0#hi,${R4}[1]
7276 -+ vmlal.u32 $D1,$H2#hi,${S4}[1]
7277 -+ vmlal.u32 $D2,$H3#hi,${S4}[1]
7278 -+
7279 -+ vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
7280 -+ add $in2,$in2,#64
7281 -+
7282 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7283 -+ @ (hash+inp[0:1])*r^4 and accumulate
7284 -+
7285 -+ vmlal.u32 $D3,$H3#lo,${R0}[0]
7286 -+ vmlal.u32 $D0,$H0#lo,${R0}[0]
7287 -+ vmlal.u32 $D4,$H4#lo,${R0}[0]
7288 -+ vmlal.u32 $D1,$H1#lo,${R0}[0]
7289 -+ vmlal.u32 $D2,$H2#lo,${R0}[0]
7290 -+ vld1.32 ${S4}[0],[$tbl0,:32]
7291 -+
7292 -+ vmlal.u32 $D3,$H2#lo,${R1}[0]
7293 -+ vmlal.u32 $D0,$H4#lo,${S1}[0]
7294 -+ vmlal.u32 $D4,$H3#lo,${R1}[0]
7295 -+ vmlal.u32 $D1,$H0#lo,${R1}[0]
7296 -+ vmlal.u32 $D2,$H1#lo,${R1}[0]
7297 -+
7298 -+ vmlal.u32 $D3,$H1#lo,${R2}[0]
7299 -+ vmlal.u32 $D0,$H3#lo,${S2}[0]
7300 -+ vmlal.u32 $D4,$H2#lo,${R2}[0]
7301 -+ vmlal.u32 $D1,$H4#lo,${S2}[0]
7302 -+ vmlal.u32 $D2,$H0#lo,${R2}[0]
7303 -+
7304 -+ vmlal.u32 $D3,$H0#lo,${R3}[0]
7305 -+ vmlal.u32 $D0,$H2#lo,${S3}[0]
7306 -+ vmlal.u32 $D4,$H1#lo,${R3}[0]
7307 -+ vmlal.u32 $D1,$H3#lo,${S3}[0]
7308 -+ vmlal.u32 $D3,$H4#lo,${S4}[0]
7309 -+
7310 -+ vmlal.u32 $D2,$H4#lo,${S3}[0]
7311 -+ vmlal.u32 $D0,$H1#lo,${S4}[0]
7312 -+ vmlal.u32 $D4,$H0#lo,${R4}[0]
7313 -+ vmov.i32 $H4,#1<<24 @ padbit, yes, always
7314 -+ vmlal.u32 $D1,$H2#lo,${S4}[0]
7315 -+ vmlal.u32 $D2,$H3#lo,${S4}[0]
7316 -+
7317 -+ vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
7318 -+ add $inp,$inp,#64
7319 -+# ifdef __ARMEB__
7320 -+ vrev32.8 $H0,$H0
7321 -+ vrev32.8 $H1,$H1
7322 -+ vrev32.8 $H2,$H2
7323 -+ vrev32.8 $H3,$H3
7324 -+# endif
7325 -+
7326 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7327 -+ @ lazy reduction interleaved with base 2^32 -> base 2^26 of
7328 -+ @ inp[0:3] previously loaded to $H0-$H3 and smashed to $H0-$H4.
7329 -+
7330 -+ vshr.u64 $T0,$D3,#26
7331 -+ vmovn.i64 $D3#lo,$D3
7332 -+ vshr.u64 $T1,$D0,#26
7333 -+ vmovn.i64 $D0#lo,$D0
7334 -+ vadd.i64 $D4,$D4,$T0 @ h3 -> h4
7335 -+ vbic.i32 $D3#lo,#0xfc000000
7336 -+ vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
7337 -+ vadd.i64 $D1,$D1,$T1 @ h0 -> h1
7338 -+ vshl.u32 $H3,$H3,#18
7339 -+ vbic.i32 $D0#lo,#0xfc000000
7340 -+
7341 -+ vshrn.u64 $T0#lo,$D4,#26
7342 -+ vmovn.i64 $D4#lo,$D4
7343 -+ vshr.u64 $T1,$D1,#26
7344 -+ vmovn.i64 $D1#lo,$D1
7345 -+ vadd.i64 $D2,$D2,$T1 @ h1 -> h2
7346 -+ vsri.u32 $H3,$H2,#14
7347 -+ vbic.i32 $D4#lo,#0xfc000000
7348 -+ vshl.u32 $H2,$H2,#12
7349 -+ vbic.i32 $D1#lo,#0xfc000000
7350 -+
7351 -+ vadd.i32 $D0#lo,$D0#lo,$T0#lo
7352 -+ vshl.u32 $T0#lo,$T0#lo,#2
7353 -+ vbic.i32 $H3,#0xfc000000
7354 -+ vshrn.u64 $T1#lo,$D2,#26
7355 -+ vmovn.i64 $D2#lo,$D2
7356 -+ vaddl.u32 $D0,$D0#lo,$T0#lo @ h4 -> h0 [widen for a sec]
7357 -+ vsri.u32 $H2,$H1,#20
7358 -+ vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
7359 -+ vshl.u32 $H1,$H1,#6
7360 -+ vbic.i32 $D2#lo,#0xfc000000
7361 -+ vbic.i32 $H2,#0xfc000000
7362 -+
7363 -+ vshrn.u64 $T0#lo,$D0,#26 @ re-narrow
7364 -+ vmovn.i64 $D0#lo,$D0
7365 -+ vsri.u32 $H1,$H0,#26
7366 -+ vbic.i32 $H0,#0xfc000000
7367 -+ vshr.u32 $T1#lo,$D3#lo,#26
7368 -+ vbic.i32 $D3#lo,#0xfc000000
7369 -+ vbic.i32 $D0#lo,#0xfc000000
7370 -+ vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
7371 -+ vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
7372 -+ vbic.i32 $H1,#0xfc000000
7373 -+
7374 -+ bhi .Loop_neon
7375 -+
7376 -+.Lskip_loop:
7377 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7378 -+ @ multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
7379 -+
7380 -+ add $tbl1,$ctx,#(48+0*9*4)
7381 -+ add $tbl0,$ctx,#(48+1*9*4)
7382 -+ adds $len,$len,#32
7383 -+ it ne
7384 -+ movne $len,#0
7385 -+ bne .Long_tail
7386 -+
7387 -+ vadd.i32 $H2#hi,$H2#lo,$D2#lo @ add hash value and move to #hi
7388 -+ vadd.i32 $H0#hi,$H0#lo,$D0#lo
7389 -+ vadd.i32 $H3#hi,$H3#lo,$D3#lo
7390 -+ vadd.i32 $H1#hi,$H1#lo,$D1#lo
7391 -+ vadd.i32 $H4#hi,$H4#lo,$D4#lo
7392 -+
7393 -+.Long_tail:
7394 -+ vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^1
7395 -+ vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^2
7396 -+
7397 -+ vadd.i32 $H2#lo,$H2#lo,$D2#lo @ can be redundant
7398 -+ vmull.u32 $D2,$H2#hi,$R0
7399 -+ vadd.i32 $H0#lo,$H0#lo,$D0#lo
7400 -+ vmull.u32 $D0,$H0#hi,$R0
7401 -+ vadd.i32 $H3#lo,$H3#lo,$D3#lo
7402 -+ vmull.u32 $D3,$H3#hi,$R0
7403 -+ vadd.i32 $H1#lo,$H1#lo,$D1#lo
7404 -+ vmull.u32 $D1,$H1#hi,$R0
7405 -+ vadd.i32 $H4#lo,$H4#lo,$D4#lo
7406 -+ vmull.u32 $D4,$H4#hi,$R0
7407 -+
7408 -+ vmlal.u32 $D0,$H4#hi,$S1
7409 -+ vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7410 -+ vmlal.u32 $D3,$H2#hi,$R1
7411 -+ vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7412 -+ vmlal.u32 $D1,$H0#hi,$R1
7413 -+ vmlal.u32 $D4,$H3#hi,$R1
7414 -+ vmlal.u32 $D2,$H1#hi,$R1
7415 -+
7416 -+ vmlal.u32 $D3,$H1#hi,$R2
7417 -+ vld1.32 ${S4}[1],[$tbl1,:32]
7418 -+ vmlal.u32 $D0,$H3#hi,$S2
7419 -+ vld1.32 ${S4}[0],[$tbl0,:32]
7420 -+ vmlal.u32 $D4,$H2#hi,$R2
7421 -+ vmlal.u32 $D1,$H4#hi,$S2
7422 -+ vmlal.u32 $D2,$H0#hi,$R2
7423 -+
7424 -+ vmlal.u32 $D3,$H0#hi,$R3
7425 -+ it ne
7426 -+ addne $tbl1,$ctx,#(48+2*9*4)
7427 -+ vmlal.u32 $D0,$H2#hi,$S3
7428 -+ it ne
7429 -+ addne $tbl0,$ctx,#(48+3*9*4)
7430 -+ vmlal.u32 $D4,$H1#hi,$R3
7431 -+ vmlal.u32 $D1,$H3#hi,$S3
7432 -+ vmlal.u32 $D2,$H4#hi,$S3
7433 -+
7434 -+ vmlal.u32 $D3,$H4#hi,$S4
7435 -+ vorn $MASK,$MASK,$MASK @ all-ones, can be redundant
7436 -+ vmlal.u32 $D0,$H1#hi,$S4
7437 -+ vshr.u64 $MASK,$MASK,#38
7438 -+ vmlal.u32 $D4,$H0#hi,$R4
7439 -+ vmlal.u32 $D1,$H2#hi,$S4
7440 -+ vmlal.u32 $D2,$H3#hi,$S4
7441 -+
7442 -+ beq .Lshort_tail
7443 -+
7444 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7445 -+ @ (hash+inp[0:1])*r^4:r^3 and accumulate
7446 -+
7447 -+ vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^3
7448 -+ vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
7449 -+
7450 -+ vmlal.u32 $D2,$H2#lo,$R0
7451 -+ vmlal.u32 $D0,$H0#lo,$R0
7452 -+ vmlal.u32 $D3,$H3#lo,$R0
7453 -+ vmlal.u32 $D1,$H1#lo,$R0
7454 -+ vmlal.u32 $D4,$H4#lo,$R0
7455 -+
7456 -+ vmlal.u32 $D0,$H4#lo,$S1
7457 -+ vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7458 -+ vmlal.u32 $D3,$H2#lo,$R1
7459 -+ vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7460 -+ vmlal.u32 $D1,$H0#lo,$R1
7461 -+ vmlal.u32 $D4,$H3#lo,$R1
7462 -+ vmlal.u32 $D2,$H1#lo,$R1
7463 -+
7464 -+ vmlal.u32 $D3,$H1#lo,$R2
7465 -+ vld1.32 ${S4}[1],[$tbl1,:32]
7466 -+ vmlal.u32 $D0,$H3#lo,$S2
7467 -+ vld1.32 ${S4}[0],[$tbl0,:32]
7468 -+ vmlal.u32 $D4,$H2#lo,$R2
7469 -+ vmlal.u32 $D1,$H4#lo,$S2
7470 -+ vmlal.u32 $D2,$H0#lo,$R2
7471 -+
7472 -+ vmlal.u32 $D3,$H0#lo,$R3
7473 -+ vmlal.u32 $D0,$H2#lo,$S3
7474 -+ vmlal.u32 $D4,$H1#lo,$R3
7475 -+ vmlal.u32 $D1,$H3#lo,$S3
7476 -+ vmlal.u32 $D2,$H4#lo,$S3
7477 -+
7478 -+ vmlal.u32 $D3,$H4#lo,$S4
7479 -+ vorn $MASK,$MASK,$MASK @ all-ones
7480 -+ vmlal.u32 $D0,$H1#lo,$S4
7481 -+ vshr.u64 $MASK,$MASK,#38
7482 -+ vmlal.u32 $D4,$H0#lo,$R4
7483 -+ vmlal.u32 $D1,$H2#lo,$S4
7484 -+ vmlal.u32 $D2,$H3#lo,$S4
7485 -+
7486 -+.Lshort_tail:
7487 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7488 -+ @ horizontal addition
7489 -+
7490 -+ vadd.i64 $D3#lo,$D3#lo,$D3#hi
7491 -+ vadd.i64 $D0#lo,$D0#lo,$D0#hi
7492 -+ vadd.i64 $D4#lo,$D4#lo,$D4#hi
7493 -+ vadd.i64 $D1#lo,$D1#lo,$D1#hi
7494 -+ vadd.i64 $D2#lo,$D2#lo,$D2#hi
7495 -+
7496 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7497 -+ @ lazy reduction, but without narrowing
7498 -+
7499 -+ vshr.u64 $T0,$D3,#26
7500 -+ vand.i64 $D3,$D3,$MASK
7501 -+ vshr.u64 $T1,$D0,#26
7502 -+ vand.i64 $D0,$D0,$MASK
7503 -+ vadd.i64 $D4,$D4,$T0 @ h3 -> h4
7504 -+ vadd.i64 $D1,$D1,$T1 @ h0 -> h1
7505 -+
7506 -+ vshr.u64 $T0,$D4,#26
7507 -+ vand.i64 $D4,$D4,$MASK
7508 -+ vshr.u64 $T1,$D1,#26
7509 -+ vand.i64 $D1,$D1,$MASK
7510 -+ vadd.i64 $D2,$D2,$T1 @ h1 -> h2
7511 -+
7512 -+ vadd.i64 $D0,$D0,$T0
7513 -+ vshl.u64 $T0,$T0,#2
7514 -+ vshr.u64 $T1,$D2,#26
7515 -+ vand.i64 $D2,$D2,$MASK
7516 -+ vadd.i64 $D0,$D0,$T0 @ h4 -> h0
7517 -+ vadd.i64 $D3,$D3,$T1 @ h2 -> h3
7518 -+
7519 -+ vshr.u64 $T0,$D0,#26
7520 -+ vand.i64 $D0,$D0,$MASK
7521 -+ vshr.u64 $T1,$D3,#26
7522 -+ vand.i64 $D3,$D3,$MASK
7523 -+ vadd.i64 $D1,$D1,$T0 @ h0 -> h1
7524 -+ vadd.i64 $D4,$D4,$T1 @ h3 -> h4
7525 -+
7526 -+ cmp $len,#0
7527 -+ bne .Leven
7528 -+
7529 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7530 -+ @ store hash value
7531 -+
7532 -+ vst4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
7533 -+ vst1.32 {$D4#lo[0]},[$ctx]
7534 -+
7535 -+ vldmia sp!,{d8-d15} @ epilogue
7536 -+ ldmia sp!,{r4-r7}
7537 -+ ret @ bx lr
7538 -+.size poly1305_blocks_neon,.-poly1305_blocks_neon
7539 -+
7540 -+.align 5
7541 -+.Lzeros:
7542 -+.long 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
7543 -+#ifndef __KERNEL__
7544 -+.LOPENSSL_armcap:
7545 -+# ifdef _WIN32
7546 -+.word OPENSSL_armcap_P
7547 -+# else
7548 -+.word OPENSSL_armcap_P-.Lpoly1305_init
7549 -+# endif
7550 -+.comm OPENSSL_armcap_P,4,4
7551 -+.hidden OPENSSL_armcap_P
7552 -+#endif
7553 -+#endif
7554 -+___
7555 -+} }
7556 -+$code.=<<___;
7557 -+.asciz "Poly1305 for ARMv4/NEON, CRYPTOGAMS by \@dot-asm"
7558 -+.align 2
7559 -+___
7560 -+
7561 -+foreach (split("\n",$code)) {
7562 -+ s/\`([^\`]*)\`/eval $1/geo;
7563 -+
7564 -+ s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
7565 -+ s/\bret\b/bx lr/go or
7566 -+ s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
7567 -+
7568 -+ print $_,"\n";
7569 -+}
7570 -+close STDOUT; # enforce flush
7571 ---- /dev/null
7572 -+++ b/arch/arm/crypto/poly1305-core.S_shipped
7573 -@@ -0,0 +1,1158 @@
7574 -+#ifndef __KERNEL__
7575 -+# include "arm_arch.h"
7576 -+#else
7577 -+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
7578 -+# define __ARM_MAX_ARCH__ __LINUX_ARM_ARCH__
7579 -+# define poly1305_init poly1305_init_arm
7580 -+# define poly1305_blocks poly1305_blocks_arm
7581 -+# define poly1305_emit poly1305_emit_arm
7582 -+.globl poly1305_blocks_neon
7583 -+#endif
7584 -+
7585 -+#if defined(__thumb2__)
7586 -+.syntax unified
7587 -+.thumb
7588 -+#else
7589 -+.code 32
7590 -+#endif
7591 -+
7592 -+.text
7593 -+
7594 -+.globl poly1305_emit
7595 -+.globl poly1305_blocks
7596 -+.globl poly1305_init
7597 -+.type poly1305_init,%function
7598 -+.align 5
7599 -+poly1305_init:
7600 -+.Lpoly1305_init:
7601 -+ stmdb sp!,{r4-r11}
7602 -+
7603 -+ eor r3,r3,r3
7604 -+ cmp r1,#0
7605 -+ str r3,[r0,#0] @ zero hash value
7606 -+ str r3,[r0,#4]
7607 -+ str r3,[r0,#8]
7608 -+ str r3,[r0,#12]
7609 -+ str r3,[r0,#16]
7610 -+ str r3,[r0,#36] @ clear is_base2_26
7611 -+ add r0,r0,#20
7612 -+
7613 -+#ifdef __thumb2__
7614 -+ it eq
7615 -+#endif
7616 -+ moveq r0,#0
7617 -+ beq .Lno_key
7618 -+
7619 -+#if __ARM_MAX_ARCH__>=7
7620 -+ mov r3,#-1
7621 -+ str r3,[r0,#28] @ impossible key power value
7622 -+# ifndef __KERNEL__
7623 -+ adr r11,.Lpoly1305_init
7624 -+ ldr r12,.LOPENSSL_armcap
7625 -+# endif
7626 -+#endif
7627 -+ ldrb r4,[r1,#0]
7628 -+ mov r10,#0x0fffffff
7629 -+ ldrb r5,[r1,#1]
7630 -+ and r3,r10,#-4 @ 0x0ffffffc
7631 -+ ldrb r6,[r1,#2]
7632 -+ ldrb r7,[r1,#3]
7633 -+ orr r4,r4,r5,lsl#8
7634 -+ ldrb r5,[r1,#4]
7635 -+ orr r4,r4,r6,lsl#16
7636 -+ ldrb r6,[r1,#5]
7637 -+ orr r4,r4,r7,lsl#24
7638 -+ ldrb r7,[r1,#6]
7639 -+ and r4,r4,r10
7640 -+
7641 -+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
7642 -+# if !defined(_WIN32)
7643 -+ ldr r12,[r11,r12] @ OPENSSL_armcap_P
7644 -+# endif
7645 -+# if defined(__APPLE__) || defined(_WIN32)
7646 -+ ldr r12,[r12]
7647 -+# endif
7648 -+#endif
7649 -+ ldrb r8,[r1,#7]
7650 -+ orr r5,r5,r6,lsl#8
7651 -+ ldrb r6,[r1,#8]
7652 -+ orr r5,r5,r7,lsl#16
7653 -+ ldrb r7,[r1,#9]
7654 -+ orr r5,r5,r8,lsl#24
7655 -+ ldrb r8,[r1,#10]
7656 -+ and r5,r5,r3
7657 -+
7658 -+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
7659 -+ tst r12,#ARMV7_NEON @ check for NEON
7660 -+# ifdef __thumb2__
7661 -+ adr r9,.Lpoly1305_blocks_neon
7662 -+ adr r11,.Lpoly1305_blocks
7663 -+ it ne
7664 -+ movne r11,r9
7665 -+ adr r12,.Lpoly1305_emit
7666 -+ orr r11,r11,#1 @ thumb-ify addresses
7667 -+ orr r12,r12,#1
7668 -+# else
7669 -+ add r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init)
7670 -+ ite eq
7671 -+ addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init)
7672 -+ addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init)
7673 -+# endif
7674 -+#endif
7675 -+ ldrb r9,[r1,#11]
7676 -+ orr r6,r6,r7,lsl#8
7677 -+ ldrb r7,[r1,#12]
7678 -+ orr r6,r6,r8,lsl#16
7679 -+ ldrb r8,[r1,#13]
7680 -+ orr r6,r6,r9,lsl#24
7681 -+ ldrb r9,[r1,#14]
7682 -+ and r6,r6,r3
7683 -+
7684 -+ ldrb r10,[r1,#15]
7685 -+ orr r7,r7,r8,lsl#8
7686 -+ str r4,[r0,#0]
7687 -+ orr r7,r7,r9,lsl#16
7688 -+ str r5,[r0,#4]
7689 -+ orr r7,r7,r10,lsl#24
7690 -+ str r6,[r0,#8]
7691 -+ and r7,r7,r3
7692 -+ str r7,[r0,#12]
7693 -+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
7694 -+ stmia r2,{r11,r12} @ fill functions table
7695 -+ mov r0,#1
7696 -+#else
7697 -+ mov r0,#0
7698 -+#endif
7699 -+.Lno_key:
7700 -+ ldmia sp!,{r4-r11}
7701 -+#if __ARM_ARCH__>=5
7702 -+ bx lr @ bx lr
7703 -+#else
7704 -+ tst lr,#1
7705 -+ moveq pc,lr @ be binary compatible with V4, yet
7706 -+ .word 0xe12fff1e @ interoperable with Thumb ISA:-)
7707 -+#endif
7708 -+.size poly1305_init,.-poly1305_init
7709 -+.type poly1305_blocks,%function
7710 -+.align 5
7711 -+poly1305_blocks:
7712 -+.Lpoly1305_blocks:
7713 -+ stmdb sp!,{r3-r11,lr}
7714 -+
7715 -+ ands r2,r2,#-16
7716 -+ beq .Lno_data
7717 -+
7718 -+ add r2,r2,r1 @ end pointer
7719 -+ sub sp,sp,#32
7720 -+
7721 -+#if __ARM_ARCH__<7
7722 -+ ldmia r0,{r4-r12} @ load context
7723 -+ add r0,r0,#20
7724 -+ str r2,[sp,#16] @ offload stuff
7725 -+ str r0,[sp,#12]
7726 -+#else
7727 -+ ldr lr,[r0,#36] @ is_base2_26
7728 -+ ldmia r0!,{r4-r8} @ load hash value
7729 -+ str r2,[sp,#16] @ offload stuff
7730 -+ str r0,[sp,#12]
7731 -+
7732 -+ adds r9,r4,r5,lsl#26 @ base 2^26 -> base 2^32
7733 -+ mov r10,r5,lsr#6
7734 -+ adcs r10,r10,r6,lsl#20
7735 -+ mov r11,r6,lsr#12
7736 -+ adcs r11,r11,r7,lsl#14
7737 -+ mov r12,r7,lsr#18
7738 -+ adcs r12,r12,r8,lsl#8
7739 -+ mov r2,#0
7740 -+ teq lr,#0
7741 -+ str r2,[r0,#16] @ clear is_base2_26
7742 -+ adc r2,r2,r8,lsr#24
7743 -+
7744 -+ itttt ne
7745 -+ movne r4,r9 @ choose between radixes
7746 -+ movne r5,r10
7747 -+ movne r6,r11
7748 -+ movne r7,r12
7749 -+ ldmia r0,{r9-r12} @ load key
7750 -+ it ne
7751 -+ movne r8,r2
7752 -+#endif
7753 -+
7754 -+ mov lr,r1
7755 -+ cmp r3,#0
7756 -+ str r10,[sp,#20]
7757 -+ str r11,[sp,#24]
7758 -+ str r12,[sp,#28]
7759 -+ b .Loop
7760 -+
7761 -+.align 4
7762 -+.Loop:
7763 -+#if __ARM_ARCH__<7
7764 -+ ldrb r0,[lr],#16 @ load input
7765 -+# ifdef __thumb2__
7766 -+ it hi
7767 -+# endif
7768 -+ addhi r8,r8,#1 @ 1<<128
7769 -+ ldrb r1,[lr,#-15]
7770 -+ ldrb r2,[lr,#-14]
7771 -+ ldrb r3,[lr,#-13]
7772 -+ orr r1,r0,r1,lsl#8
7773 -+ ldrb r0,[lr,#-12]
7774 -+ orr r2,r1,r2,lsl#16
7775 -+ ldrb r1,[lr,#-11]
7776 -+ orr r3,r2,r3,lsl#24
7777 -+ ldrb r2,[lr,#-10]
7778 -+ adds r4,r4,r3 @ accumulate input
7779 -+
7780 -+ ldrb r3,[lr,#-9]
7781 -+ orr r1,r0,r1,lsl#8
7782 -+ ldrb r0,[lr,#-8]
7783 -+ orr r2,r1,r2,lsl#16
7784 -+ ldrb r1,[lr,#-7]
7785 -+ orr r3,r2,r3,lsl#24
7786 -+ ldrb r2,[lr,#-6]
7787 -+ adcs r5,r5,r3
7788 -+
7789 -+ ldrb r3,[lr,#-5]
7790 -+ orr r1,r0,r1,lsl#8
7791 -+ ldrb r0,[lr,#-4]
7792 -+ orr r2,r1,r2,lsl#16
7793 -+ ldrb r1,[lr,#-3]
7794 -+ orr r3,r2,r3,lsl#24
7795 -+ ldrb r2,[lr,#-2]
7796 -+ adcs r6,r6,r3
7797 -+
7798 -+ ldrb r3,[lr,#-1]
7799 -+ orr r1,r0,r1,lsl#8
7800 -+ str lr,[sp,#8] @ offload input pointer
7801 -+ orr r2,r1,r2,lsl#16
7802 -+ add r10,r10,r10,lsr#2
7803 -+ orr r3,r2,r3,lsl#24
7804 -+#else
7805 -+ ldr r0,[lr],#16 @ load input
7806 -+ it hi
7807 -+ addhi r8,r8,#1 @ padbit
7808 -+ ldr r1,[lr,#-12]
7809 -+ ldr r2,[lr,#-8]
7810 -+ ldr r3,[lr,#-4]
7811 -+# ifdef __ARMEB__
7812 -+ rev r0,r0
7813 -+ rev r1,r1
7814 -+ rev r2,r2
7815 -+ rev r3,r3
7816 -+# endif
7817 -+ adds r4,r4,r0 @ accumulate input
7818 -+ str lr,[sp,#8] @ offload input pointer
7819 -+ adcs r5,r5,r1
7820 -+ add r10,r10,r10,lsr#2
7821 -+ adcs r6,r6,r2
7822 -+#endif
7823 -+ add r11,r11,r11,lsr#2
7824 -+ adcs r7,r7,r3
7825 -+ add r12,r12,r12,lsr#2
7826 -+
7827 -+ umull r2,r3,r5,r9
7828 -+ adc r8,r8,#0
7829 -+ umull r0,r1,r4,r9
7830 -+ umlal r2,r3,r8,r10
7831 -+ umlal r0,r1,r7,r10
7832 -+ ldr r10,[sp,#20] @ reload r10
7833 -+ umlal r2,r3,r6,r12
7834 -+ umlal r0,r1,r5,r12
7835 -+ umlal r2,r3,r7,r11
7836 -+ umlal r0,r1,r6,r11
7837 -+ umlal r2,r3,r4,r10
7838 -+ str r0,[sp,#0] @ future r4
7839 -+ mul r0,r11,r8
7840 -+ ldr r11,[sp,#24] @ reload r11
7841 -+ adds r2,r2,r1 @ d1+=d0>>32
7842 -+ eor r1,r1,r1
7843 -+ adc lr,r3,#0 @ future r6
7844 -+ str r2,[sp,#4] @ future r5
7845 -+
7846 -+ mul r2,r12,r8
7847 -+ eor r3,r3,r3
7848 -+ umlal r0,r1,r7,r12
7849 -+ ldr r12,[sp,#28] @ reload r12
7850 -+ umlal r2,r3,r7,r9
7851 -+ umlal r0,r1,r6,r9
7852 -+ umlal r2,r3,r6,r10
7853 -+ umlal r0,r1,r5,r10
7854 -+ umlal r2,r3,r5,r11
7855 -+ umlal r0,r1,r4,r11
7856 -+ umlal r2,r3,r4,r12
7857 -+ ldr r4,[sp,#0]
7858 -+ mul r8,r9,r8
7859 -+ ldr r5,[sp,#4]
7860 -+
7861 -+ adds r6,lr,r0 @ d2+=d1>>32
7862 -+ ldr lr,[sp,#8] @ reload input pointer
7863 -+ adc r1,r1,#0
7864 -+ adds r7,r2,r1 @ d3+=d2>>32
7865 -+ ldr r0,[sp,#16] @ reload end pointer
7866 -+ adc r3,r3,#0
7867 -+ add r8,r8,r3 @ h4+=d3>>32
7868 -+
7869 -+ and r1,r8,#-4
7870 -+ and r8,r8,#3
7871 -+ add r1,r1,r1,lsr#2 @ *=5
7872 -+ adds r4,r4,r1
7873 -+ adcs r5,r5,#0
7874 -+ adcs r6,r6,#0
7875 -+ adcs r7,r7,#0
7876 -+ adc r8,r8,#0
7877 -+
7878 -+ cmp r0,lr @ done yet?
7879 -+ bhi .Loop
7880 -+
7881 -+ ldr r0,[sp,#12]
7882 -+ add sp,sp,#32
7883 -+ stmdb r0,{r4-r8} @ store the result
7884 -+
7885 -+.Lno_data:
7886 -+#if __ARM_ARCH__>=5
7887 -+ ldmia sp!,{r3-r11,pc}
7888 -+#else
7889 -+ ldmia sp!,{r3-r11,lr}
7890 -+ tst lr,#1
7891 -+ moveq pc,lr @ be binary compatible with V4, yet
7892 -+ .word 0xe12fff1e @ interoperable with Thumb ISA:-)
7893 -+#endif
7894 -+.size poly1305_blocks,.-poly1305_blocks
7895 -+.type poly1305_emit,%function
7896 -+.align 5
7897 -+poly1305_emit:
7898 -+.Lpoly1305_emit:
7899 -+ stmdb sp!,{r4-r11}
7900 -+
7901 -+ ldmia r0,{r3-r7}
7902 -+
7903 -+#if __ARM_ARCH__>=7
7904 -+ ldr ip,[r0,#36] @ is_base2_26
7905 -+
7906 -+ adds r8,r3,r4,lsl#26 @ base 2^26 -> base 2^32
7907 -+ mov r9,r4,lsr#6
7908 -+ adcs r9,r9,r5,lsl#20
7909 -+ mov r10,r5,lsr#12
7910 -+ adcs r10,r10,r6,lsl#14
7911 -+ mov r11,r6,lsr#18
7912 -+ adcs r11,r11,r7,lsl#8
7913 -+ mov r0,#0
7914 -+ adc r0,r0,r7,lsr#24
7915 -+
7916 -+ tst ip,ip
7917 -+ itttt ne
7918 -+ movne r3,r8
7919 -+ movne r4,r9
7920 -+ movne r5,r10
7921 -+ movne r6,r11
7922 -+ it ne
7923 -+ movne r7,r0
7924 -+#endif
7925 -+
7926 -+ adds r8,r3,#5 @ compare to modulus
7927 -+ adcs r9,r4,#0
7928 -+ adcs r10,r5,#0
7929 -+ adcs r11,r6,#0
7930 -+ adc r0,r7,#0
7931 -+ tst r0,#4 @ did it carry/borrow?
7932 -+
7933 -+#ifdef __thumb2__
7934 -+ it ne
7935 -+#endif
7936 -+ movne r3,r8
7937 -+ ldr r8,[r2,#0]
7938 -+#ifdef __thumb2__
7939 -+ it ne
7940 -+#endif
7941 -+ movne r4,r9
7942 -+ ldr r9,[r2,#4]
7943 -+#ifdef __thumb2__
7944 -+ it ne
7945 -+#endif
7946 -+ movne r5,r10
7947 -+ ldr r10,[r2,#8]
7948 -+#ifdef __thumb2__
7949 -+ it ne
7950 -+#endif
7951 -+ movne r6,r11
7952 -+ ldr r11,[r2,#12]
7953 -+
7954 -+ adds r3,r3,r8
7955 -+ adcs r4,r4,r9
7956 -+ adcs r5,r5,r10
7957 -+ adc r6,r6,r11
7958 -+
7959 -+#if __ARM_ARCH__>=7
7960 -+# ifdef __ARMEB__
7961 -+ rev r3,r3
7962 -+ rev r4,r4
7963 -+ rev r5,r5
7964 -+ rev r6,r6
7965 -+# endif
7966 -+ str r3,[r1,#0]
7967 -+ str r4,[r1,#4]
7968 -+ str r5,[r1,#8]
7969 -+ str r6,[r1,#12]
7970 -+#else
7971 -+ strb r3,[r1,#0]
7972 -+ mov r3,r3,lsr#8
7973 -+ strb r4,[r1,#4]
7974 -+ mov r4,r4,lsr#8
7975 -+ strb r5,[r1,#8]
7976 -+ mov r5,r5,lsr#8
7977 -+ strb r6,[r1,#12]
7978 -+ mov r6,r6,lsr#8
7979 -+
7980 -+ strb r3,[r1,#1]
7981 -+ mov r3,r3,lsr#8
7982 -+ strb r4,[r1,#5]
7983 -+ mov r4,r4,lsr#8
7984 -+ strb r5,[r1,#9]
7985 -+ mov r5,r5,lsr#8
7986 -+ strb r6,[r1,#13]
7987 -+ mov r6,r6,lsr#8
7988 -+
7989 -+ strb r3,[r1,#2]
7990 -+ mov r3,r3,lsr#8
7991 -+ strb r4,[r1,#6]
7992 -+ mov r4,r4,lsr#8
7993 -+ strb r5,[r1,#10]
7994 -+ mov r5,r5,lsr#8
7995 -+ strb r6,[r1,#14]
7996 -+ mov r6,r6,lsr#8
7997 -+
7998 -+ strb r3,[r1,#3]
7999 -+ strb r4,[r1,#7]
8000 -+ strb r5,[r1,#11]
8001 -+ strb r6,[r1,#15]
8002 -+#endif
8003 -+ ldmia sp!,{r4-r11}
8004 -+#if __ARM_ARCH__>=5
8005 -+ bx lr @ bx lr
8006 -+#else
8007 -+ tst lr,#1
8008 -+ moveq pc,lr @ be binary compatible with V4, yet
8009 -+ .word 0xe12fff1e @ interoperable with Thumb ISA:-)
8010 -+#endif
8011 -+.size poly1305_emit,.-poly1305_emit
8012 -+#if __ARM_MAX_ARCH__>=7
8013 -+.fpu neon
8014 -+
8015 -+.type poly1305_init_neon,%function
8016 -+.align 5
8017 -+poly1305_init_neon:
8018 -+.Lpoly1305_init_neon:
8019 -+ ldr r3,[r0,#48] @ first table element
8020 -+ cmp r3,#-1 @ is value impossible?
8021 -+ bne .Lno_init_neon
8022 -+
8023 -+ ldr r4,[r0,#20] @ load key base 2^32
8024 -+ ldr r5,[r0,#24]
8025 -+ ldr r6,[r0,#28]
8026 -+ ldr r7,[r0,#32]
8027 -+
8028 -+ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
8029 -+ mov r3,r4,lsr#26
8030 -+ mov r4,r5,lsr#20
8031 -+ orr r3,r3,r5,lsl#6
8032 -+ mov r5,r6,lsr#14
8033 -+ orr r4,r4,r6,lsl#12
8034 -+ mov r6,r7,lsr#8
8035 -+ orr r5,r5,r7,lsl#18
8036 -+ and r3,r3,#0x03ffffff
8037 -+ and r4,r4,#0x03ffffff
8038 -+ and r5,r5,#0x03ffffff
8039 -+
8040 -+ vdup.32 d0,r2 @ r^1 in both lanes
8041 -+ add r2,r3,r3,lsl#2 @ *5
8042 -+ vdup.32 d1,r3
8043 -+ add r3,r4,r4,lsl#2
8044 -+ vdup.32 d2,r2
8045 -+ vdup.32 d3,r4
8046 -+ add r4,r5,r5,lsl#2
8047 -+ vdup.32 d4,r3
8048 -+ vdup.32 d5,r5
8049 -+ add r5,r6,r6,lsl#2
8050 -+ vdup.32 d6,r4
8051 -+ vdup.32 d7,r6
8052 -+ vdup.32 d8,r5
8053 -+
8054 -+ mov r5,#2 @ counter
8055 -+
8056 -+.Lsquare_neon:
8057 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8058 -+ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
8059 -+ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
8060 -+ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
8061 -+ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
8062 -+ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
8063 -+
8064 -+ vmull.u32 q5,d0,d0[1]
8065 -+ vmull.u32 q6,d1,d0[1]
8066 -+ vmull.u32 q7,d3,d0[1]
8067 -+ vmull.u32 q8,d5,d0[1]
8068 -+ vmull.u32 q9,d7,d0[1]
8069 -+
8070 -+ vmlal.u32 q5,d7,d2[1]
8071 -+ vmlal.u32 q6,d0,d1[1]
8072 -+ vmlal.u32 q7,d1,d1[1]
8073 -+ vmlal.u32 q8,d3,d1[1]
8074 -+ vmlal.u32 q9,d5,d1[1]
8075 -+
8076 -+ vmlal.u32 q5,d5,d4[1]
8077 -+ vmlal.u32 q6,d7,d4[1]
8078 -+ vmlal.u32 q8,d1,d3[1]
8079 -+ vmlal.u32 q7,d0,d3[1]
8080 -+ vmlal.u32 q9,d3,d3[1]
8081 -+
8082 -+ vmlal.u32 q5,d3,d6[1]
8083 -+ vmlal.u32 q8,d0,d5[1]
8084 -+ vmlal.u32 q6,d5,d6[1]
8085 -+ vmlal.u32 q7,d7,d6[1]
8086 -+ vmlal.u32 q9,d1,d5[1]
8087 -+
8088 -+ vmlal.u32 q8,d7,d8[1]
8089 -+ vmlal.u32 q5,d1,d8[1]
8090 -+ vmlal.u32 q6,d3,d8[1]
8091 -+ vmlal.u32 q7,d5,d8[1]
8092 -+ vmlal.u32 q9,d0,d7[1]
8093 -+
8094 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8095 -+ @ lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
8096 -+ @ and P. Schwabe
8097 -+ @
8098 -+ @ H0>>+H1>>+H2>>+H3>>+H4
8099 -+ @ H3>>+H4>>*5+H0>>+H1
8100 -+ @
8101 -+ @ Trivia.
8102 -+ @
8103 -+ @ Result of multiplication of n-bit number by m-bit number is
8104 -+ @ n+m bits wide. However! Even though 2^n is a n+1-bit number,
8105 -+ @ m-bit number multiplied by 2^n is still n+m bits wide.
8106 -+ @
8107 -+ @ Sum of two n-bit numbers is n+1 bits wide, sum of three - n+2,
8108 -+ @ and so is sum of four. Sum of 2^m n-m-bit numbers and n-bit
8109 -+ @ one is n+1 bits wide.
8110 -+ @
8111 -+ @ >>+ denotes Hnext += Hn>>26, Hn &= 0x3ffffff. This means that
8112 -+ @ H0, H2, H3 are guaranteed to be 26 bits wide, while H1 and H4
8113 -+ @ can be 27. However! In cases when their width exceeds 26 bits
8114 -+ @ they are limited by 2^26+2^6. This in turn means that *sum*
8115 -+ @ of the products with these values can still be viewed as sum
8116 -+ @ of 52-bit numbers as long as the amount of addends is not a
8117 -+ @ power of 2. For example,
8118 -+ @
8119 -+ @ H4 = H4*R0 + H3*R1 + H2*R2 + H1*R3 + H0 * R4,
8120 -+ @
8121 -+ @ which can't be larger than 5 * (2^26 + 2^6) * (2^26 + 2^6), or
8122 -+ @ 5 * (2^52 + 2*2^32 + 2^12), which in turn is smaller than
8123 -+ @ 8 * (2^52) or 2^55. However, the value is then multiplied by
8124 -+ @ by 5, so we should be looking at 5 * 5 * (2^52 + 2^33 + 2^12),
8125 -+ @ which is less than 32 * (2^52) or 2^57. And when processing
8126 -+ @ data we are looking at triple as many addends...
8127 -+ @
8128 -+ @ In key setup procedure pre-reduced H0 is limited by 5*4+1 and
8129 -+ @ 5*H4 - by 5*5 52-bit addends, or 57 bits. But when hashing the
8130 -+ @ input H0 is limited by (5*4+1)*3 addends, or 58 bits, while
8131 -+ @ 5*H4 by 5*5*3, or 59[!] bits. How is this relevant? vmlal.u32
8132 -+ @ instruction accepts 2x32-bit input and writes 2x64-bit result.
8133 -+ @ This means that result of reduction have to be compressed upon
8134 -+ @ loop wrap-around. This can be done in the process of reduction
8135 -+ @ to minimize amount of instructions [as well as amount of
8136 -+ @ 128-bit instructions, which benefits low-end processors], but
8137 -+ @ one has to watch for H2 (which is narrower than H0) and 5*H4
8138 -+ @ not being wider than 58 bits, so that result of right shift
8139 -+ @ by 26 bits fits in 32 bits. This is also useful on x86,
8140 -+ @ because it allows to use paddd in place for paddq, which
8141 -+ @ benefits Atom, where paddq is ridiculously slow.
8142 -+
8143 -+ vshr.u64 q15,q8,#26
8144 -+ vmovn.i64 d16,q8
8145 -+ vshr.u64 q4,q5,#26
8146 -+ vmovn.i64 d10,q5
8147 -+ vadd.i64 q9,q9,q15 @ h3 -> h4
8148 -+ vbic.i32 d16,#0xfc000000 @ &=0x03ffffff
8149 -+ vadd.i64 q6,q6,q4 @ h0 -> h1
8150 -+ vbic.i32 d10,#0xfc000000
8151 -+
8152 -+ vshrn.u64 d30,q9,#26
8153 -+ vmovn.i64 d18,q9
8154 -+ vshr.u64 q4,q6,#26
8155 -+ vmovn.i64 d12,q6
8156 -+ vadd.i64 q7,q7,q4 @ h1 -> h2
8157 -+ vbic.i32 d18,#0xfc000000
8158 -+ vbic.i32 d12,#0xfc000000
8159 -+
8160 -+ vadd.i32 d10,d10,d30
8161 -+ vshl.u32 d30,d30,#2
8162 -+ vshrn.u64 d8,q7,#26
8163 -+ vmovn.i64 d14,q7
8164 -+ vadd.i32 d10,d10,d30 @ h4 -> h0
8165 -+ vadd.i32 d16,d16,d8 @ h2 -> h3
8166 -+ vbic.i32 d14,#0xfc000000
8167 -+
8168 -+ vshr.u32 d30,d10,#26
8169 -+ vbic.i32 d10,#0xfc000000
8170 -+ vshr.u32 d8,d16,#26
8171 -+ vbic.i32 d16,#0xfc000000
8172 -+ vadd.i32 d12,d12,d30 @ h0 -> h1
8173 -+ vadd.i32 d18,d18,d8 @ h3 -> h4
8174 -+
8175 -+ subs r5,r5,#1
8176 -+ beq .Lsquare_break_neon
8177 -+
8178 -+ add r6,r0,#(48+0*9*4)
8179 -+ add r7,r0,#(48+1*9*4)
8180 -+
8181 -+ vtrn.32 d0,d10 @ r^2:r^1
8182 -+ vtrn.32 d3,d14
8183 -+ vtrn.32 d5,d16
8184 -+ vtrn.32 d1,d12
8185 -+ vtrn.32 d7,d18
8186 -+
8187 -+ vshl.u32 d4,d3,#2 @ *5
8188 -+ vshl.u32 d6,d5,#2
8189 -+ vshl.u32 d2,d1,#2
8190 -+ vshl.u32 d8,d7,#2
8191 -+ vadd.i32 d4,d4,d3
8192 -+ vadd.i32 d2,d2,d1
8193 -+ vadd.i32 d6,d6,d5
8194 -+ vadd.i32 d8,d8,d7
8195 -+
8196 -+ vst4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]!
8197 -+ vst4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]!
8198 -+ vst4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8199 -+ vst4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8200 -+ vst1.32 {d8[0]},[r6,:32]
8201 -+ vst1.32 {d8[1]},[r7,:32]
8202 -+
8203 -+ b .Lsquare_neon
8204 -+
8205 -+.align 4
8206 -+.Lsquare_break_neon:
8207 -+ add r6,r0,#(48+2*4*9)
8208 -+ add r7,r0,#(48+3*4*9)
8209 -+
8210 -+ vmov d0,d10 @ r^4:r^3
8211 -+ vshl.u32 d2,d12,#2 @ *5
8212 -+ vmov d1,d12
8213 -+ vshl.u32 d4,d14,#2
8214 -+ vmov d3,d14
8215 -+ vshl.u32 d6,d16,#2
8216 -+ vmov d5,d16
8217 -+ vshl.u32 d8,d18,#2
8218 -+ vmov d7,d18
8219 -+ vadd.i32 d2,d2,d12
8220 -+ vadd.i32 d4,d4,d14
8221 -+ vadd.i32 d6,d6,d16
8222 -+ vadd.i32 d8,d8,d18
8223 -+
8224 -+ vst4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]!
8225 -+ vst4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]!
8226 -+ vst4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8227 -+ vst4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8228 -+ vst1.32 {d8[0]},[r6]
8229 -+ vst1.32 {d8[1]},[r7]
8230 -+
8231 -+.Lno_init_neon:
8232 -+ bx lr @ bx lr
8233 -+.size poly1305_init_neon,.-poly1305_init_neon
8234 -+
8235 -+.type poly1305_blocks_neon,%function
8236 -+.align 5
8237 -+poly1305_blocks_neon:
8238 -+.Lpoly1305_blocks_neon:
8239 -+ ldr ip,[r0,#36] @ is_base2_26
8240 -+
8241 -+ cmp r2,#64
8242 -+ blo .Lpoly1305_blocks
8243 -+
8244 -+ stmdb sp!,{r4-r7}
8245 -+ vstmdb sp!,{d8-d15} @ ABI specification says so
8246 -+
8247 -+ tst ip,ip @ is_base2_26?
8248 -+ bne .Lbase2_26_neon
8249 -+
8250 -+ stmdb sp!,{r1-r3,lr}
8251 -+ bl .Lpoly1305_init_neon
8252 -+
8253 -+ ldr r4,[r0,#0] @ load hash value base 2^32
8254 -+ ldr r5,[r0,#4]
8255 -+ ldr r6,[r0,#8]
8256 -+ ldr r7,[r0,#12]
8257 -+ ldr ip,[r0,#16]
8258 -+
8259 -+ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
8260 -+ mov r3,r4,lsr#26
8261 -+ veor d10,d10,d10
8262 -+ mov r4,r5,lsr#20
8263 -+ orr r3,r3,r5,lsl#6
8264 -+ veor d12,d12,d12
8265 -+ mov r5,r6,lsr#14
8266 -+ orr r4,r4,r6,lsl#12
8267 -+ veor d14,d14,d14
8268 -+ mov r6,r7,lsr#8
8269 -+ orr r5,r5,r7,lsl#18
8270 -+ veor d16,d16,d16
8271 -+ and r3,r3,#0x03ffffff
8272 -+ orr r6,r6,ip,lsl#24
8273 -+ veor d18,d18,d18
8274 -+ and r4,r4,#0x03ffffff
8275 -+ mov r1,#1
8276 -+ and r5,r5,#0x03ffffff
8277 -+ str r1,[r0,#36] @ set is_base2_26
8278 -+
8279 -+ vmov.32 d10[0],r2
8280 -+ vmov.32 d12[0],r3
8281 -+ vmov.32 d14[0],r4
8282 -+ vmov.32 d16[0],r5
8283 -+ vmov.32 d18[0],r6
8284 -+ adr r5,.Lzeros
8285 -+
8286 -+ ldmia sp!,{r1-r3,lr}
8287 -+ b .Lhash_loaded
8288 -+
8289 -+.align 4
8290 -+.Lbase2_26_neon:
8291 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8292 -+ @ load hash value
8293 -+
8294 -+ veor d10,d10,d10
8295 -+ veor d12,d12,d12
8296 -+ veor d14,d14,d14
8297 -+ veor d16,d16,d16
8298 -+ veor d18,d18,d18
8299 -+ vld4.32 {d10[0],d12[0],d14[0],d16[0]},[r0]!
8300 -+ adr r5,.Lzeros
8301 -+ vld1.32 {d18[0]},[r0]
8302 -+ sub r0,r0,#16 @ rewind
8303 -+
8304 -+.Lhash_loaded:
8305 -+ add r4,r1,#32
8306 -+ mov r3,r3,lsl#24
8307 -+ tst r2,#31
8308 -+ beq .Leven
8309 -+
8310 -+ vld4.32 {d20[0],d22[0],d24[0],d26[0]},[r1]!
8311 -+ vmov.32 d28[0],r3
8312 -+ sub r2,r2,#16
8313 -+ add r4,r1,#32
8314 -+
8315 -+# ifdef __ARMEB__
8316 -+ vrev32.8 q10,q10
8317 -+ vrev32.8 q13,q13
8318 -+ vrev32.8 q11,q11
8319 -+ vrev32.8 q12,q12
8320 -+# endif
8321 -+ vsri.u32 d28,d26,#8 @ base 2^32 -> base 2^26
8322 -+ vshl.u32 d26,d26,#18
8323 -+
8324 -+ vsri.u32 d26,d24,#14
8325 -+ vshl.u32 d24,d24,#12
8326 -+ vadd.i32 d29,d28,d18 @ add hash value and move to #hi
8327 -+
8328 -+ vbic.i32 d26,#0xfc000000
8329 -+ vsri.u32 d24,d22,#20
8330 -+ vshl.u32 d22,d22,#6
8331 -+
8332 -+ vbic.i32 d24,#0xfc000000
8333 -+ vsri.u32 d22,d20,#26
8334 -+ vadd.i32 d27,d26,d16
8335 -+
8336 -+ vbic.i32 d20,#0xfc000000
8337 -+ vbic.i32 d22,#0xfc000000
8338 -+ vadd.i32 d25,d24,d14
8339 -+
8340 -+ vadd.i32 d21,d20,d10
8341 -+ vadd.i32 d23,d22,d12
8342 -+
8343 -+ mov r7,r5
8344 -+ add r6,r0,#48
8345 -+
8346 -+ cmp r2,r2
8347 -+ b .Long_tail
8348 -+
8349 -+.align 4
8350 -+.Leven:
8351 -+ subs r2,r2,#64
8352 -+ it lo
8353 -+ movlo r4,r5
8354 -+
8355 -+ vmov.i32 q14,#1<<24 @ padbit, yes, always
8356 -+ vld4.32 {d20,d22,d24,d26},[r1] @ inp[0:1]
8357 -+ add r1,r1,#64
8358 -+ vld4.32 {d21,d23,d25,d27},[r4] @ inp[2:3] (or 0)
8359 -+ add r4,r4,#64
8360 -+ itt hi
8361 -+ addhi r7,r0,#(48+1*9*4)
8362 -+ addhi r6,r0,#(48+3*9*4)
8363 -+
8364 -+# ifdef __ARMEB__
8365 -+ vrev32.8 q10,q10
8366 -+ vrev32.8 q13,q13
8367 -+ vrev32.8 q11,q11
8368 -+ vrev32.8 q12,q12
8369 -+# endif
8370 -+ vsri.u32 q14,q13,#8 @ base 2^32 -> base 2^26
8371 -+ vshl.u32 q13,q13,#18
8372 -+
8373 -+ vsri.u32 q13,q12,#14
8374 -+ vshl.u32 q12,q12,#12
8375 -+
8376 -+ vbic.i32 q13,#0xfc000000
8377 -+ vsri.u32 q12,q11,#20
8378 -+ vshl.u32 q11,q11,#6
8379 -+
8380 -+ vbic.i32 q12,#0xfc000000
8381 -+ vsri.u32 q11,q10,#26
8382 -+
8383 -+ vbic.i32 q10,#0xfc000000
8384 -+ vbic.i32 q11,#0xfc000000
8385 -+
8386 -+ bls .Lskip_loop
8387 -+
8388 -+ vld4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]! @ load r^2
8389 -+ vld4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]! @ load r^4
8390 -+ vld4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8391 -+ vld4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8392 -+ b .Loop_neon
8393 -+
8394 -+.align 5
8395 -+.Loop_neon:
8396 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8397 -+ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
8398 -+ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
8399 -+ @ ___________________/
8400 -+ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
8401 -+ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
8402 -+ @ ___________________/ ____________________/
8403 -+ @
8404 -+ @ Note that we start with inp[2:3]*r^2. This is because it
8405 -+ @ doesn't depend on reduction in previous iteration.
8406 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8407 -+ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
8408 -+ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
8409 -+ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
8410 -+ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
8411 -+ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
8412 -+
8413 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8414 -+ @ inp[2:3]*r^2
8415 -+
8416 -+ vadd.i32 d24,d24,d14 @ accumulate inp[0:1]
8417 -+ vmull.u32 q7,d25,d0[1]
8418 -+ vadd.i32 d20,d20,d10
8419 -+ vmull.u32 q5,d21,d0[1]
8420 -+ vadd.i32 d26,d26,d16
8421 -+ vmull.u32 q8,d27,d0[1]
8422 -+ vmlal.u32 q7,d23,d1[1]
8423 -+ vadd.i32 d22,d22,d12
8424 -+ vmull.u32 q6,d23,d0[1]
8425 -+
8426 -+ vadd.i32 d28,d28,d18
8427 -+ vmull.u32 q9,d29,d0[1]
8428 -+ subs r2,r2,#64
8429 -+ vmlal.u32 q5,d29,d2[1]
8430 -+ it lo
8431 -+ movlo r4,r5
8432 -+ vmlal.u32 q8,d25,d1[1]
8433 -+ vld1.32 d8[1],[r7,:32]
8434 -+ vmlal.u32 q6,d21,d1[1]
8435 -+ vmlal.u32 q9,d27,d1[1]
8436 -+
8437 -+ vmlal.u32 q5,d27,d4[1]
8438 -+ vmlal.u32 q8,d23,d3[1]
8439 -+ vmlal.u32 q9,d25,d3[1]
8440 -+ vmlal.u32 q6,d29,d4[1]
8441 -+ vmlal.u32 q7,d21,d3[1]
8442 -+
8443 -+ vmlal.u32 q8,d21,d5[1]
8444 -+ vmlal.u32 q5,d25,d6[1]
8445 -+ vmlal.u32 q9,d23,d5[1]
8446 -+ vmlal.u32 q6,d27,d6[1]
8447 -+ vmlal.u32 q7,d29,d6[1]
8448 -+
8449 -+ vmlal.u32 q8,d29,d8[1]
8450 -+ vmlal.u32 q5,d23,d8[1]
8451 -+ vmlal.u32 q9,d21,d7[1]
8452 -+ vmlal.u32 q6,d25,d8[1]
8453 -+ vmlal.u32 q7,d27,d8[1]
8454 -+
8455 -+ vld4.32 {d21,d23,d25,d27},[r4] @ inp[2:3] (or 0)
8456 -+ add r4,r4,#64
8457 -+
8458 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8459 -+ @ (hash+inp[0:1])*r^4 and accumulate
8460 -+
8461 -+ vmlal.u32 q8,d26,d0[0]
8462 -+ vmlal.u32 q5,d20,d0[0]
8463 -+ vmlal.u32 q9,d28,d0[0]
8464 -+ vmlal.u32 q6,d22,d0[0]
8465 -+ vmlal.u32 q7,d24,d0[0]
8466 -+ vld1.32 d8[0],[r6,:32]
8467 -+
8468 -+ vmlal.u32 q8,d24,d1[0]
8469 -+ vmlal.u32 q5,d28,d2[0]
8470 -+ vmlal.u32 q9,d26,d1[0]
8471 -+ vmlal.u32 q6,d20,d1[0]
8472 -+ vmlal.u32 q7,d22,d1[0]
8473 -+
8474 -+ vmlal.u32 q8,d22,d3[0]
8475 -+ vmlal.u32 q5,d26,d4[0]
8476 -+ vmlal.u32 q9,d24,d3[0]
8477 -+ vmlal.u32 q6,d28,d4[0]
8478 -+ vmlal.u32 q7,d20,d3[0]
8479 -+
8480 -+ vmlal.u32 q8,d20,d5[0]
8481 -+ vmlal.u32 q5,d24,d6[0]
8482 -+ vmlal.u32 q9,d22,d5[0]
8483 -+ vmlal.u32 q6,d26,d6[0]
8484 -+ vmlal.u32 q8,d28,d8[0]
8485 -+
8486 -+ vmlal.u32 q7,d28,d6[0]
8487 -+ vmlal.u32 q5,d22,d8[0]
8488 -+ vmlal.u32 q9,d20,d7[0]
8489 -+ vmov.i32 q14,#1<<24 @ padbit, yes, always
8490 -+ vmlal.u32 q6,d24,d8[0]
8491 -+ vmlal.u32 q7,d26,d8[0]
8492 -+
8493 -+ vld4.32 {d20,d22,d24,d26},[r1] @ inp[0:1]
8494 -+ add r1,r1,#64
8495 -+# ifdef __ARMEB__
8496 -+ vrev32.8 q10,q10
8497 -+ vrev32.8 q11,q11
8498 -+ vrev32.8 q12,q12
8499 -+ vrev32.8 q13,q13
8500 -+# endif
8501 -+
8502 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8503 -+ @ lazy reduction interleaved with base 2^32 -> base 2^26 of
8504 -+ @ inp[0:3] previously loaded to q10-q13 and smashed to q10-q14.
8505 -+
8506 -+ vshr.u64 q15,q8,#26
8507 -+ vmovn.i64 d16,q8
8508 -+ vshr.u64 q4,q5,#26
8509 -+ vmovn.i64 d10,q5
8510 -+ vadd.i64 q9,q9,q15 @ h3 -> h4
8511 -+ vbic.i32 d16,#0xfc000000
8512 -+ vsri.u32 q14,q13,#8 @ base 2^32 -> base 2^26
8513 -+ vadd.i64 q6,q6,q4 @ h0 -> h1
8514 -+ vshl.u32 q13,q13,#18
8515 -+ vbic.i32 d10,#0xfc000000
8516 -+
8517 -+ vshrn.u64 d30,q9,#26
8518 -+ vmovn.i64 d18,q9
8519 -+ vshr.u64 q4,q6,#26
8520 -+ vmovn.i64 d12,q6
8521 -+ vadd.i64 q7,q7,q4 @ h1 -> h2
8522 -+ vsri.u32 q13,q12,#14
8523 -+ vbic.i32 d18,#0xfc000000
8524 -+ vshl.u32 q12,q12,#12
8525 -+ vbic.i32 d12,#0xfc000000
8526 -+
8527 -+ vadd.i32 d10,d10,d30
8528 -+ vshl.u32 d30,d30,#2
8529 -+ vbic.i32 q13,#0xfc000000
8530 -+ vshrn.u64 d8,q7,#26
8531 -+ vmovn.i64 d14,q7
8532 -+ vaddl.u32 q5,d10,d30 @ h4 -> h0 [widen for a sec]
8533 -+ vsri.u32 q12,q11,#20
8534 -+ vadd.i32 d16,d16,d8 @ h2 -> h3
8535 -+ vshl.u32 q11,q11,#6
8536 -+ vbic.i32 d14,#0xfc000000
8537 -+ vbic.i32 q12,#0xfc000000
8538 -+
8539 -+ vshrn.u64 d30,q5,#26 @ re-narrow
8540 -+ vmovn.i64 d10,q5
8541 -+ vsri.u32 q11,q10,#26
8542 -+ vbic.i32 q10,#0xfc000000
8543 -+ vshr.u32 d8,d16,#26
8544 -+ vbic.i32 d16,#0xfc000000
8545 -+ vbic.i32 d10,#0xfc000000
8546 -+ vadd.i32 d12,d12,d30 @ h0 -> h1
8547 -+ vadd.i32 d18,d18,d8 @ h3 -> h4
8548 -+ vbic.i32 q11,#0xfc000000
8549 -+
8550 -+ bhi .Loop_neon
8551 -+
8552 -+.Lskip_loop:
8553 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8554 -+ @ multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
8555 -+
8556 -+ add r7,r0,#(48+0*9*4)
8557 -+ add r6,r0,#(48+1*9*4)
8558 -+ adds r2,r2,#32
8559 -+ it ne
8560 -+ movne r2,#0
8561 -+ bne .Long_tail
8562 -+
8563 -+ vadd.i32 d25,d24,d14 @ add hash value and move to #hi
8564 -+ vadd.i32 d21,d20,d10
8565 -+ vadd.i32 d27,d26,d16
8566 -+ vadd.i32 d23,d22,d12
8567 -+ vadd.i32 d29,d28,d18
8568 -+
8569 -+.Long_tail:
8570 -+ vld4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]! @ load r^1
8571 -+ vld4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]! @ load r^2
8572 -+
8573 -+ vadd.i32 d24,d24,d14 @ can be redundant
8574 -+ vmull.u32 q7,d25,d0
8575 -+ vadd.i32 d20,d20,d10
8576 -+ vmull.u32 q5,d21,d0
8577 -+ vadd.i32 d26,d26,d16
8578 -+ vmull.u32 q8,d27,d0
8579 -+ vadd.i32 d22,d22,d12
8580 -+ vmull.u32 q6,d23,d0
8581 -+ vadd.i32 d28,d28,d18
8582 -+ vmull.u32 q9,d29,d0
8583 -+
8584 -+ vmlal.u32 q5,d29,d2
8585 -+ vld4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8586 -+ vmlal.u32 q8,d25,d1
8587 -+ vld4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8588 -+ vmlal.u32 q6,d21,d1
8589 -+ vmlal.u32 q9,d27,d1
8590 -+ vmlal.u32 q7,d23,d1
8591 -+
8592 -+ vmlal.u32 q8,d23,d3
8593 -+ vld1.32 d8[1],[r7,:32]
8594 -+ vmlal.u32 q5,d27,d4
8595 -+ vld1.32 d8[0],[r6,:32]
8596 -+ vmlal.u32 q9,d25,d3
8597 -+ vmlal.u32 q6,d29,d4
8598 -+ vmlal.u32 q7,d21,d3
8599 -+
8600 -+ vmlal.u32 q8,d21,d5
8601 -+ it ne
8602 -+ addne r7,r0,#(48+2*9*4)
8603 -+ vmlal.u32 q5,d25,d6
8604 -+ it ne
8605 -+ addne r6,r0,#(48+3*9*4)
8606 -+ vmlal.u32 q9,d23,d5
8607 -+ vmlal.u32 q6,d27,d6
8608 -+ vmlal.u32 q7,d29,d6
8609 -+
8610 -+ vmlal.u32 q8,d29,d8
8611 -+ vorn q0,q0,q0 @ all-ones, can be redundant
8612 -+ vmlal.u32 q5,d23,d8
8613 -+ vshr.u64 q0,q0,#38
8614 -+ vmlal.u32 q9,d21,d7
8615 -+ vmlal.u32 q6,d25,d8
8616 -+ vmlal.u32 q7,d27,d8
8617 -+
8618 -+ beq .Lshort_tail
8619 -+
8620 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8621 -+ @ (hash+inp[0:1])*r^4:r^3 and accumulate
8622 -+
8623 -+ vld4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]! @ load r^3
8624 -+ vld4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]! @ load r^4
8625 -+
8626 -+ vmlal.u32 q7,d24,d0
8627 -+ vmlal.u32 q5,d20,d0
8628 -+ vmlal.u32 q8,d26,d0
8629 -+ vmlal.u32 q6,d22,d0
8630 -+ vmlal.u32 q9,d28,d0
8631 -+
8632 -+ vmlal.u32 q5,d28,d2
8633 -+ vld4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8634 -+ vmlal.u32 q8,d24,d1
8635 -+ vld4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8636 -+ vmlal.u32 q6,d20,d1
8637 -+ vmlal.u32 q9,d26,d1
8638 -+ vmlal.u32 q7,d22,d1
8639 -+
8640 -+ vmlal.u32 q8,d22,d3
8641 -+ vld1.32 d8[1],[r7,:32]
8642 -+ vmlal.u32 q5,d26,d4
8643 -+ vld1.32 d8[0],[r6,:32]
8644 -+ vmlal.u32 q9,d24,d3
8645 -+ vmlal.u32 q6,d28,d4
8646 -+ vmlal.u32 q7,d20,d3
8647 -+
8648 -+ vmlal.u32 q8,d20,d5
8649 -+ vmlal.u32 q5,d24,d6
8650 -+ vmlal.u32 q9,d22,d5
8651 -+ vmlal.u32 q6,d26,d6
8652 -+ vmlal.u32 q7,d28,d6
8653 -+
8654 -+ vmlal.u32 q8,d28,d8
8655 -+ vorn q0,q0,q0 @ all-ones
8656 -+ vmlal.u32 q5,d22,d8
8657 -+ vshr.u64 q0,q0,#38
8658 -+ vmlal.u32 q9,d20,d7
8659 -+ vmlal.u32 q6,d24,d8
8660 -+ vmlal.u32 q7,d26,d8
8661 -+
8662 -+.Lshort_tail:
8663 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8664 -+ @ horizontal addition
8665 -+
8666 -+ vadd.i64 d16,d16,d17
8667 -+ vadd.i64 d10,d10,d11
8668 -+ vadd.i64 d18,d18,d19
8669 -+ vadd.i64 d12,d12,d13
8670 -+ vadd.i64 d14,d14,d15
8671 -+
8672 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8673 -+ @ lazy reduction, but without narrowing
8674 -+
8675 -+ vshr.u64 q15,q8,#26
8676 -+ vand.i64 q8,q8,q0
8677 -+ vshr.u64 q4,q5,#26
8678 -+ vand.i64 q5,q5,q0
8679 -+ vadd.i64 q9,q9,q15 @ h3 -> h4
8680 -+ vadd.i64 q6,q6,q4 @ h0 -> h1
8681 -+
8682 -+ vshr.u64 q15,q9,#26
8683 -+ vand.i64 q9,q9,q0
8684 -+ vshr.u64 q4,q6,#26
8685 -+ vand.i64 q6,q6,q0
8686 -+ vadd.i64 q7,q7,q4 @ h1 -> h2
8687 -+
8688 -+ vadd.i64 q5,q5,q15
8689 -+ vshl.u64 q15,q15,#2
8690 -+ vshr.u64 q4,q7,#26
8691 -+ vand.i64 q7,q7,q0
8692 -+ vadd.i64 q5,q5,q15 @ h4 -> h0
8693 -+ vadd.i64 q8,q8,q4 @ h2 -> h3
8694 -+
8695 -+ vshr.u64 q15,q5,#26
8696 -+ vand.i64 q5,q5,q0
8697 -+ vshr.u64 q4,q8,#26
8698 -+ vand.i64 q8,q8,q0
8699 -+ vadd.i64 q6,q6,q15 @ h0 -> h1
8700 -+ vadd.i64 q9,q9,q4 @ h3 -> h4
8701 -+
8702 -+ cmp r2,#0
8703 -+ bne .Leven
8704 -+
8705 -+ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8706 -+ @ store hash value
8707 -+
8708 -+ vst4.32 {d10[0],d12[0],d14[0],d16[0]},[r0]!
8709 -+ vst1.32 {d18[0]},[r0]
8710 -+
8711 -+ vldmia sp!,{d8-d15} @ epilogue
8712 -+ ldmia sp!,{r4-r7}
8713 -+ bx lr @ bx lr
8714 -+.size poly1305_blocks_neon,.-poly1305_blocks_neon
8715 -+
8716 -+.align 5
8717 -+.Lzeros:
8718 -+.long 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
8719 -+#ifndef __KERNEL__
8720 -+.LOPENSSL_armcap:
8721 -+# ifdef _WIN32
8722 -+.word OPENSSL_armcap_P
8723 -+# else
8724 -+.word OPENSSL_armcap_P-.Lpoly1305_init
8725 -+# endif
8726 -+.comm OPENSSL_armcap_P,4,4
8727 -+.hidden OPENSSL_armcap_P
8728 -+#endif
8729 -+#endif
8730 -+.asciz "Poly1305 for ARMv4/NEON, CRYPTOGAMS by @dot-asm"
8731 -+.align 2
8732 ---- b/arch/arm/crypto/poly1305-glue.c
8733 -+++ b/arch/arm/crypto/poly1305-glue.c
8734 -@@ -0,0 +1,273 @@
8735 -+// SPDX-License-Identifier: GPL-2.0
8736 -+/*
8737 -+ * OpenSSL/Cryptogams accelerated Poly1305 transform for ARM
8738 -+ *
8739 -+ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@××××××.org>
8740 -+ */
8741 -+
8742 -+#include <asm/hwcap.h>
8743 -+#include <asm/neon.h>
8744 -+#include <asm/simd.h>
8745 -+#include <asm/unaligned.h>
8746 -+#include <crypto/algapi.h>
8747 -+#include <crypto/internal/hash.h>
8748 -+#include <crypto/internal/poly1305.h>
8749 -+#include <crypto/internal/simd.h>
8750 -+#include <linux/cpufeature.h>
8751 -+#include <linux/crypto.h>
8752 -+#include <linux/jump_label.h>
8753 -+#include <linux/module.h>
8754 -+
8755 -+void poly1305_init_arm(void *state, const u8 *key);
8756 -+void poly1305_blocks_arm(void *state, const u8 *src, u32 len, u32 hibit);
8757 -+void poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit);
8758 -+void poly1305_emit_arm(void *state, u8 *digest, const u32 *nonce);
8759 -+
8760 -+void __weak poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit)
8761 -+{
8762 -+}
8763 -+
8764 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
8765 -+
8766 -+void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
8767 -+{
8768 -+ poly1305_init_arm(&dctx->h, key);
8769 -+ dctx->s[0] = get_unaligned_le32(key + 16);
8770 -+ dctx->s[1] = get_unaligned_le32(key + 20);
8771 -+ dctx->s[2] = get_unaligned_le32(key + 24);
8772 -+ dctx->s[3] = get_unaligned_le32(key + 28);
8773 -+ dctx->buflen = 0;
8774 -+}
8775 -+EXPORT_SYMBOL(poly1305_init_arch);
8776 -+
8777 -+static int arm_poly1305_init(struct shash_desc *desc)
8778 -+{
8779 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8780 -+
8781 -+ dctx->buflen = 0;
8782 -+ dctx->rset = 0;
8783 -+ dctx->sset = false;
8784 -+
8785 -+ return 0;
8786 -+}
8787 -+
8788 -+static void arm_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
8789 -+ u32 len, u32 hibit, bool do_neon)
8790 -+{
8791 -+ if (unlikely(!dctx->sset)) {
8792 -+ if (!dctx->rset) {
8793 -+ poly1305_init_arm(&dctx->h, src);
8794 -+ src += POLY1305_BLOCK_SIZE;
8795 -+ len -= POLY1305_BLOCK_SIZE;
8796 -+ dctx->rset = 1;
8797 -+ }
8798 -+ if (len >= POLY1305_BLOCK_SIZE) {
8799 -+ dctx->s[0] = get_unaligned_le32(src + 0);
8800 -+ dctx->s[1] = get_unaligned_le32(src + 4);
8801 -+ dctx->s[2] = get_unaligned_le32(src + 8);
8802 -+ dctx->s[3] = get_unaligned_le32(src + 12);
8803 -+ src += POLY1305_BLOCK_SIZE;
8804 -+ len -= POLY1305_BLOCK_SIZE;
8805 -+ dctx->sset = true;
8806 -+ }
8807 -+ if (len < POLY1305_BLOCK_SIZE)
8808 -+ return;
8809 -+ }
8810 -+
8811 -+ len &= ~(POLY1305_BLOCK_SIZE - 1);
8812 -+
8813 -+ if (static_branch_likely(&have_neon) && likely(do_neon))
8814 -+ poly1305_blocks_neon(&dctx->h, src, len, hibit);
8815 -+ else
8816 -+ poly1305_blocks_arm(&dctx->h, src, len, hibit);
8817 -+}
8818 -+
8819 -+static void arm_poly1305_do_update(struct poly1305_desc_ctx *dctx,
8820 -+ const u8 *src, u32 len, bool do_neon)
8821 -+{
8822 -+ if (unlikely(dctx->buflen)) {
8823 -+ u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
8824 -+
8825 -+ memcpy(dctx->buf + dctx->buflen, src, bytes);
8826 -+ src += bytes;
8827 -+ len -= bytes;
8828 -+ dctx->buflen += bytes;
8829 -+
8830 -+ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
8831 -+ arm_poly1305_blocks(dctx, dctx->buf,
8832 -+ POLY1305_BLOCK_SIZE, 1, false);
8833 -+ dctx->buflen = 0;
8834 -+ }
8835 -+ }
8836 -+
8837 -+ if (likely(len >= POLY1305_BLOCK_SIZE)) {
8838 -+ arm_poly1305_blocks(dctx, src, len, 1, do_neon);
8839 -+ src += round_down(len, POLY1305_BLOCK_SIZE);
8840 -+ len %= POLY1305_BLOCK_SIZE;
8841 -+ }
8842 -+
8843 -+ if (unlikely(len)) {
8844 -+ dctx->buflen = len;
8845 -+ memcpy(dctx->buf, src, len);
8846 -+ }
8847 -+}
8848 -+
8849 -+static int arm_poly1305_update(struct shash_desc *desc,
8850 -+ const u8 *src, unsigned int srclen)
8851 -+{
8852 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8853 -+
8854 -+ arm_poly1305_do_update(dctx, src, srclen, false);
8855 -+ return 0;
8856 -+}
8857 -+
8858 -+static int __maybe_unused arm_poly1305_update_neon(struct shash_desc *desc,
8859 -+ const u8 *src,
8860 -+ unsigned int srclen)
8861 -+{
8862 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8863 -+ bool do_neon = crypto_simd_usable() && srclen > 128;
8864 -+
8865 -+ if (static_branch_likely(&have_neon) && do_neon)
8866 -+ kernel_neon_begin();
8867 -+ arm_poly1305_do_update(dctx, src, srclen, do_neon);
8868 -+ if (static_branch_likely(&have_neon) && do_neon)
8869 -+ kernel_neon_end();
8870 -+ return 0;
8871 -+}
8872 -+
8873 -+void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
8874 -+ unsigned int nbytes)
8875 -+{
8876 -+ bool do_neon = IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
8877 -+ crypto_simd_usable();
8878 -+
8879 -+ if (unlikely(dctx->buflen)) {
8880 -+ u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
8881 -+
8882 -+ memcpy(dctx->buf + dctx->buflen, src, bytes);
8883 -+ src += bytes;
8884 -+ nbytes -= bytes;
8885 -+ dctx->buflen += bytes;
8886 -+
8887 -+ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
8888 -+ poly1305_blocks_arm(&dctx->h, dctx->buf,
8889 -+ POLY1305_BLOCK_SIZE, 1);
8890 -+ dctx->buflen = 0;
8891 -+ }
8892 -+ }
8893 -+
8894 -+ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
8895 -+ unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
8896 -+
8897 -+ if (static_branch_likely(&have_neon) && do_neon) {
8898 -+ do {
8899 -+ unsigned int todo = min_t(unsigned int, len, SZ_4K);
8900 -+
8901 -+ kernel_neon_begin();
8902 -+ poly1305_blocks_neon(&dctx->h, src, todo, 1);
8903 -+ kernel_neon_end();
8904 -+
8905 -+ len -= todo;
8906 -+ src += todo;
8907 -+ } while (len);
8908 -+ } else {
8909 -+ poly1305_blocks_arm(&dctx->h, src, len, 1);
8910 -+ src += len;
8911 -+ }
8912 -+ nbytes %= POLY1305_BLOCK_SIZE;
8913 -+ }
8914 -+
8915 -+ if (unlikely(nbytes)) {
8916 -+ dctx->buflen = nbytes;
8917 -+ memcpy(dctx->buf, src, nbytes);
8918 -+ }
8919 -+}
8920 -+EXPORT_SYMBOL(poly1305_update_arch);
8921 -+
8922 -+void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
8923 -+{
8924 -+ if (unlikely(dctx->buflen)) {
8925 -+ dctx->buf[dctx->buflen++] = 1;
8926 -+ memset(dctx->buf + dctx->buflen, 0,
8927 -+ POLY1305_BLOCK_SIZE - dctx->buflen);
8928 -+ poly1305_blocks_arm(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
8929 -+ }
8930 -+
8931 -+ poly1305_emit_arm(&dctx->h, dst, dctx->s);
8932 -+ *dctx = (struct poly1305_desc_ctx){};
8933 -+}
8934 -+EXPORT_SYMBOL(poly1305_final_arch);
8935 -+
8936 -+static int arm_poly1305_final(struct shash_desc *desc, u8 *dst)
8937 -+{
8938 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8939 -+
8940 -+ if (unlikely(!dctx->sset))
8941 -+ return -ENOKEY;
8942 -+
8943 -+ poly1305_final_arch(dctx, dst);
8944 -+ return 0;
8945 -+}
8946 -+
8947 -+static struct shash_alg arm_poly1305_algs[] = {{
8948 -+ .init = arm_poly1305_init,
8949 -+ .update = arm_poly1305_update,
8950 -+ .final = arm_poly1305_final,
8951 -+ .digestsize = POLY1305_DIGEST_SIZE,
8952 -+ .descsize = sizeof(struct poly1305_desc_ctx),
8953 -+
8954 -+ .base.cra_name = "poly1305",
8955 -+ .base.cra_driver_name = "poly1305-arm",
8956 -+ .base.cra_priority = 150,
8957 -+ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
8958 -+ .base.cra_module = THIS_MODULE,
8959 -+#ifdef CONFIG_KERNEL_MODE_NEON
8960 -+}, {
8961 -+ .init = arm_poly1305_init,
8962 -+ .update = arm_poly1305_update_neon,
8963 -+ .final = arm_poly1305_final,
8964 -+ .digestsize = POLY1305_DIGEST_SIZE,
8965 -+ .descsize = sizeof(struct poly1305_desc_ctx),
8966 -+
8967 -+ .base.cra_name = "poly1305",
8968 -+ .base.cra_driver_name = "poly1305-neon",
8969 -+ .base.cra_priority = 200,
8970 -+ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
8971 -+ .base.cra_module = THIS_MODULE,
8972 -+#endif
8973 -+}};
8974 -+
8975 -+static int __init arm_poly1305_mod_init(void)
8976 -+{
8977 -+ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
8978 -+ (elf_hwcap & HWCAP_NEON))
8979 -+ static_branch_enable(&have_neon);
8980 -+ else if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
8981 -+ /* register only the first entry */
8982 -+ return crypto_register_shash(&arm_poly1305_algs[0]);
8983 -+
8984 -+ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
8985 -+ crypto_register_shashes(arm_poly1305_algs,
8986 -+ ARRAY_SIZE(arm_poly1305_algs)) : 0;
8987 -+}
8988 -+
8989 -+static void __exit arm_poly1305_mod_exit(void)
8990 -+{
8991 -+ if (!IS_REACHABLE(CONFIG_CRYPTO_HASH))
8992 -+ return;
8993 -+ if (!static_branch_likely(&have_neon)) {
8994 -+ crypto_unregister_shash(&arm_poly1305_algs[0]);
8995 -+ return;
8996 -+ }
8997 -+ crypto_unregister_shashes(arm_poly1305_algs,
8998 -+ ARRAY_SIZE(arm_poly1305_algs));
8999 -+}
9000 -+
9001 -+module_init(arm_poly1305_mod_init);
9002 -+module_exit(arm_poly1305_mod_exit);
9003 -+
9004 -+MODULE_LICENSE("GPL v2");
9005 -+MODULE_ALIAS_CRYPTO("poly1305");
9006 -+MODULE_ALIAS_CRYPTO("poly1305-arm");
9007 -+MODULE_ALIAS_CRYPTO("poly1305-neon");
9008 ---- b/arch/mips/crypto/poly1305-glue.c
9009 -+++ b/arch/mips/crypto/poly1305-glue.c
9010 -@@ -0,0 +1,191 @@
9011 -+// SPDX-License-Identifier: GPL-2.0
9012 -+/*
9013 -+ * OpenSSL/Cryptogams accelerated Poly1305 transform for MIPS
9014 -+ *
9015 -+ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@××××××.org>
9016 -+ */
9017 -+
9018 -+#include <asm/unaligned.h>
9019 -+#include <crypto/algapi.h>
9020 -+#include <crypto/internal/hash.h>
9021 -+#include <crypto/internal/poly1305.h>
9022 -+#include <linux/cpufeature.h>
9023 -+#include <linux/crypto.h>
9024 -+#include <linux/module.h>
9025 -+
9026 -+asmlinkage void poly1305_init_mips(void *state, const u8 *key);
9027 -+asmlinkage void poly1305_blocks_mips(void *state, const u8 *src, u32 len, u32 hibit);
9028 -+asmlinkage void poly1305_emit_mips(void *state, u8 *digest, const u32 *nonce);
9029 -+
9030 -+void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
9031 -+{
9032 -+ poly1305_init_mips(&dctx->h, key);
9033 -+ dctx->s[0] = get_unaligned_le32(key + 16);
9034 -+ dctx->s[1] = get_unaligned_le32(key + 20);
9035 -+ dctx->s[2] = get_unaligned_le32(key + 24);
9036 -+ dctx->s[3] = get_unaligned_le32(key + 28);
9037 -+ dctx->buflen = 0;
9038 -+}
9039 -+EXPORT_SYMBOL(poly1305_init_arch);
9040 -+
9041 -+static int mips_poly1305_init(struct shash_desc *desc)
9042 -+{
9043 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
9044 -+
9045 -+ dctx->buflen = 0;
9046 -+ dctx->rset = 0;
9047 -+ dctx->sset = false;
9048 -+
9049 -+ return 0;
9050 -+}
9051 -+
9052 -+static void mips_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
9053 -+ u32 len, u32 hibit)
9054 -+{
9055 -+ if (unlikely(!dctx->sset)) {
9056 -+ if (!dctx->rset) {
9057 -+ poly1305_init_mips(&dctx->h, src);
9058 -+ src += POLY1305_BLOCK_SIZE;
9059 -+ len -= POLY1305_BLOCK_SIZE;
9060 -+ dctx->rset = 1;
9061 -+ }
9062 -+ if (len >= POLY1305_BLOCK_SIZE) {
9063 -+ dctx->s[0] = get_unaligned_le32(src + 0);
9064 -+ dctx->s[1] = get_unaligned_le32(src + 4);
9065 -+ dctx->s[2] = get_unaligned_le32(src + 8);
9066 -+ dctx->s[3] = get_unaligned_le32(src + 12);
9067 -+ src += POLY1305_BLOCK_SIZE;
9068 -+ len -= POLY1305_BLOCK_SIZE;
9069 -+ dctx->sset = true;
9070 -+ }
9071 -+ if (len < POLY1305_BLOCK_SIZE)
9072 -+ return;
9073 -+ }
9074 -+
9075 -+ len &= ~(POLY1305_BLOCK_SIZE - 1);
9076 -+
9077 -+ poly1305_blocks_mips(&dctx->h, src, len, hibit);
9078 -+}
9079 -+
9080 -+static int mips_poly1305_update(struct shash_desc *desc, const u8 *src,
9081 -+ unsigned int len)
9082 -+{
9083 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
9084 -+
9085 -+ if (unlikely(dctx->buflen)) {
9086 -+ u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
9087 -+
9088 -+ memcpy(dctx->buf + dctx->buflen, src, bytes);
9089 -+ src += bytes;
9090 -+ len -= bytes;
9091 -+ dctx->buflen += bytes;
9092 -+
9093 -+ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
9094 -+ mips_poly1305_blocks(dctx, dctx->buf, POLY1305_BLOCK_SIZE, 1);
9095 -+ dctx->buflen = 0;
9096 -+ }
9097 -+ }
9098 -+
9099 -+ if (likely(len >= POLY1305_BLOCK_SIZE)) {
9100 -+ mips_poly1305_blocks(dctx, src, len, 1);
9101 -+ src += round_down(len, POLY1305_BLOCK_SIZE);
9102 -+ len %= POLY1305_BLOCK_SIZE;
9103 -+ }
9104 -+
9105 -+ if (unlikely(len)) {
9106 -+ dctx->buflen = len;
9107 -+ memcpy(dctx->buf, src, len);
9108 -+ }
9109 -+ return 0;
9110 -+}
9111 -+
9112 -+void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
9113 -+ unsigned int nbytes)
9114 -+{
9115 -+ if (unlikely(dctx->buflen)) {
9116 -+ u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
9117 -+
9118 -+ memcpy(dctx->buf + dctx->buflen, src, bytes);
9119 -+ src += bytes;
9120 -+ nbytes -= bytes;
9121 -+ dctx->buflen += bytes;
9122 -+
9123 -+ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
9124 -+ poly1305_blocks_mips(&dctx->h, dctx->buf,
9125 -+ POLY1305_BLOCK_SIZE, 1);
9126 -+ dctx->buflen = 0;
9127 -+ }
9128 -+ }
9129 -+
9130 -+ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
9131 -+ unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
9132 -+
9133 -+ poly1305_blocks_mips(&dctx->h, src, len, 1);
9134 -+ src += len;
9135 -+ nbytes %= POLY1305_BLOCK_SIZE;
9136 -+ }
9137 -+
9138 -+ if (unlikely(nbytes)) {
9139 -+ dctx->buflen = nbytes;
9140 -+ memcpy(dctx->buf, src, nbytes);
9141 -+ }
9142 -+}
9143 -+EXPORT_SYMBOL(poly1305_update_arch);
9144 -+
9145 -+void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
9146 -+{
9147 -+ if (unlikely(dctx->buflen)) {
9148 -+ dctx->buf[dctx->buflen++] = 1;
9149 -+ memset(dctx->buf + dctx->buflen, 0,
9150 -+ POLY1305_BLOCK_SIZE - dctx->buflen);
9151 -+ poly1305_blocks_mips(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
9152 -+ }
9153 -+
9154 -+ poly1305_emit_mips(&dctx->h, dst, dctx->s);
9155 -+ *dctx = (struct poly1305_desc_ctx){};
9156 -+}
9157 -+EXPORT_SYMBOL(poly1305_final_arch);
9158 -+
9159 -+static int mips_poly1305_final(struct shash_desc *desc, u8 *dst)
9160 -+{
9161 -+ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
9162 -+
9163 -+ if (unlikely(!dctx->sset))
9164 -+ return -ENOKEY;
9165 -+
9166 -+ poly1305_final_arch(dctx, dst);
9167 -+ return 0;
9168 -+}
9169 -+
9170 -+static struct shash_alg mips_poly1305_alg = {
9171 -+ .init = mips_poly1305_init,
9172 -+ .update = mips_poly1305_update,
9173 -+ .final = mips_poly1305_final,
9174 -+ .digestsize = POLY1305_DIGEST_SIZE,
9175 -+ .descsize = sizeof(struct poly1305_desc_ctx),
9176 -+
9177 -+ .base.cra_name = "poly1305",
9178 -+ .base.cra_driver_name = "poly1305-mips",
9179 -+ .base.cra_priority = 200,
9180 -+ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
9181 -+ .base.cra_module = THIS_MODULE,
9182 -+};
9183 -+
9184 -+static int __init mips_poly1305_mod_init(void)
9185 -+{
9186 -+ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
9187 -+ crypto_register_shash(&mips_poly1305_alg) : 0;
9188 -+}
9189 -+
9190 -+static void __exit mips_poly1305_mod_exit(void)
9191 -+{
9192 -+ if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
9193 -+ crypto_unregister_shash(&mips_poly1305_alg);
9194 -+}
9195 -+
9196 -+module_init(mips_poly1305_mod_init);
9197 -+module_exit(mips_poly1305_mod_exit);
9198 -+
9199 -+MODULE_LICENSE("GPL v2");
9200 -+MODULE_ALIAS_CRYPTO("poly1305");
9201 -+MODULE_ALIAS_CRYPTO("poly1305-mips");
9202 ---- /dev/null
9203 -+++ b/arch/mips/crypto/poly1305-mips.pl
9204 -@@ -0,0 +1,1273 @@
9205 -+#!/usr/bin/env perl
9206 -+# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
9207 -+#
9208 -+# ====================================================================
9209 -+# Written by Andy Polyakov, @dot-asm, originally for the OpenSSL
9210 -+# project.
9211 -+# ====================================================================
9212 -+
9213 -+# Poly1305 hash for MIPS.
9214 -+#
9215 -+# May 2016
9216 -+#
9217 -+# Numbers are cycles per processed byte with poly1305_blocks alone.
9218 -+#
9219 -+# IALU/gcc
9220 -+# R1x000 ~5.5/+130% (big-endian)
9221 -+# Octeon II 2.50/+70% (little-endian)
9222 -+#
9223 -+# March 2019
9224 -+#
9225 -+# Add 32-bit code path.
9226 -+#
9227 -+# October 2019
9228 -+#
9229 -+# Modulo-scheduling reduction allows to omit dependency chain at the
9230 -+# end of inner loop and improve performance. Also optimize MIPS32R2
9231 -+# code path for MIPS 1004K core. Per René von Dorst's suggestions.
9232 -+#
9233 -+# IALU/gcc
9234 -+# R1x000 ~9.8/? (big-endian)
9235 -+# Octeon II 3.65/+140% (little-endian)
9236 -+# MT7621/1004K 4.75/? (little-endian)
9237 -+#
9238 -+######################################################################
9239 -+# There is a number of MIPS ABI in use, O32 and N32/64 are most
9240 -+# widely used. Then there is a new contender: NUBI. It appears that if
9241 -+# one picks the latter, it's possible to arrange code in ABI neutral
9242 -+# manner. Therefore let's stick to NUBI register layout:
9243 -+#
9244 -+($zero,$at,$t0,$t1,$t2)=map("\$$_",(0..2,24,25));
9245 -+($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11));
9246 -+($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s9,$s10,$s11)=map("\$$_",(12..23));
9247 -+($gp,$tp,$sp,$fp,$ra)=map("\$$_",(3,28..31));
9248 -+#
9249 -+# The return value is placed in $a0. Following coding rules facilitate
9250 -+# interoperability:
9251 -+#
9252 -+# - never ever touch $tp, "thread pointer", former $gp [o32 can be
9253 -+# excluded from the rule, because it's specified volatile];
9254 -+# - copy return value to $t0, former $v0 [or to $a0 if you're adapting
9255 -+# old code];
9256 -+# - on O32 populate $a4-$a7 with 'lw $aN,4*N($sp)' if necessary;
9257 -+#
9258 -+# For reference here is register layout for N32/64 MIPS ABIs:
9259 -+#
9260 -+# ($zero,$at,$v0,$v1)=map("\$$_",(0..3));
9261 -+# ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11));
9262 -+# ($t0,$t1,$t2,$t3,$t8,$t9)=map("\$$_",(12..15,24,25));
9263 -+# ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$$_",(16..23));
9264 -+# ($gp,$sp,$fp,$ra)=map("\$$_",(28..31));
9265 -+#
9266 -+# <appro@×××××××.org>
9267 -+#
9268 -+######################################################################
9269 -+
9270 -+$flavour = shift || "64"; # supported flavours are o32,n32,64,nubi32,nubi64
9271 -+
9272 -+$v0 = ($flavour =~ /nubi/i) ? $a0 : $t0;
9273 -+
9274 -+if ($flavour =~ /64|n32/i) {{{
9275 -+######################################################################
9276 -+# 64-bit code path
9277 -+#
9278 -+
9279 -+my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
9280 -+my ($in0,$in1,$tmp0,$tmp1,$tmp2,$tmp3,$tmp4) = ($a4,$a5,$a6,$a7,$at,$t0,$t1);
9281 -+
9282 -+$code.=<<___;
9283 -+#if (defined(_MIPS_ARCH_MIPS64R3) || defined(_MIPS_ARCH_MIPS64R5) || \\
9284 -+ defined(_MIPS_ARCH_MIPS64R6)) \\
9285 -+ && !defined(_MIPS_ARCH_MIPS64R2)
9286 -+# define _MIPS_ARCH_MIPS64R2
9287 -+#endif
9288 -+
9289 -+#if defined(_MIPS_ARCH_MIPS64R6)
9290 -+# define dmultu(rs,rt)
9291 -+# define mflo(rd,rs,rt) dmulu rd,rs,rt
9292 -+# define mfhi(rd,rs,rt) dmuhu rd,rs,rt
9293 -+#else
9294 -+# define dmultu(rs,rt) dmultu rs,rt
9295 -+# define mflo(rd,rs,rt) mflo rd
9296 -+# define mfhi(rd,rs,rt) mfhi rd
9297 -+#endif
9298 -+
9299 -+#ifdef __KERNEL__
9300 -+# define poly1305_init poly1305_init_mips
9301 -+# define poly1305_blocks poly1305_blocks_mips
9302 -+# define poly1305_emit poly1305_emit_mips
9303 -+#endif
9304 -+
9305 -+#if defined(__MIPSEB__) && !defined(MIPSEB)
9306 -+# define MIPSEB
9307 -+#endif
9308 -+
9309 -+#ifdef MIPSEB
9310 -+# define MSB 0
9311 -+# define LSB 7
9312 -+#else
9313 -+# define MSB 7
9314 -+# define LSB 0
9315 -+#endif
9316 -+
9317 -+.text
9318 -+.set noat
9319 -+.set noreorder
9320 -+
9321 -+.align 5
9322 -+.globl poly1305_init
9323 -+.ent poly1305_init
9324 -+poly1305_init:
9325 -+ .frame $sp,0,$ra
9326 -+ .set reorder
9327 -+
9328 -+ sd $zero,0($ctx)
9329 -+ sd $zero,8($ctx)
9330 -+ sd $zero,16($ctx)
9331 -+
9332 -+ beqz $inp,.Lno_key
9333 -+
9334 -+#if defined(_MIPS_ARCH_MIPS64R6)
9335 -+ andi $tmp0,$inp,7 # $inp % 8
9336 -+ dsubu $inp,$inp,$tmp0 # align $inp
9337 -+ sll $tmp0,$tmp0,3 # byte to bit offset
9338 -+ ld $in0,0($inp)
9339 -+ ld $in1,8($inp)
9340 -+ beqz $tmp0,.Laligned_key
9341 -+ ld $tmp2,16($inp)
9342 -+
9343 -+ subu $tmp1,$zero,$tmp0
9344 -+# ifdef MIPSEB
9345 -+ dsllv $in0,$in0,$tmp0
9346 -+ dsrlv $tmp3,$in1,$tmp1
9347 -+ dsllv $in1,$in1,$tmp0
9348 -+ dsrlv $tmp2,$tmp2,$tmp1
9349 -+# else
9350 -+ dsrlv $in0,$in0,$tmp0
9351 -+ dsllv $tmp3,$in1,$tmp1
9352 -+ dsrlv $in1,$in1,$tmp0
9353 -+ dsllv $tmp2,$tmp2,$tmp1
9354 -+# endif
9355 -+ or $in0,$in0,$tmp3
9356 -+ or $in1,$in1,$tmp2
9357 -+.Laligned_key:
9358 -+#else
9359 -+ ldl $in0,0+MSB($inp)
9360 -+ ldl $in1,8+MSB($inp)
9361 -+ ldr $in0,0+LSB($inp)
9362 -+ ldr $in1,8+LSB($inp)
9363 -+#endif
9364 -+#ifdef MIPSEB
9365 -+# if defined(_MIPS_ARCH_MIPS64R2)
9366 -+ dsbh $in0,$in0 # byte swap
9367 -+ dsbh $in1,$in1
9368 -+ dshd $in0,$in0
9369 -+ dshd $in1,$in1
9370 -+# else
9371 -+ ori $tmp0,$zero,0xFF
9372 -+ dsll $tmp2,$tmp0,32
9373 -+ or $tmp0,$tmp2 # 0x000000FF000000FF
9374 -+
9375 -+ and $tmp1,$in0,$tmp0 # byte swap
9376 -+ and $tmp3,$in1,$tmp0
9377 -+ dsrl $tmp2,$in0,24
9378 -+ dsrl $tmp4,$in1,24
9379 -+ dsll $tmp1,24
9380 -+ dsll $tmp3,24
9381 -+ and $tmp2,$tmp0
9382 -+ and $tmp4,$tmp0
9383 -+ dsll $tmp0,8 # 0x0000FF000000FF00
9384 -+ or $tmp1,$tmp2
9385 -+ or $tmp3,$tmp4
9386 -+ and $tmp2,$in0,$tmp0
9387 -+ and $tmp4,$in1,$tmp0
9388 -+ dsrl $in0,8
9389 -+ dsrl $in1,8
9390 -+ dsll $tmp2,8
9391 -+ dsll $tmp4,8
9392 -+ and $in0,$tmp0
9393 -+ and $in1,$tmp0
9394 -+ or $tmp1,$tmp2
9395 -+ or $tmp3,$tmp4
9396 -+ or $in0,$tmp1
9397 -+ or $in1,$tmp3
9398 -+ dsrl $tmp1,$in0,32
9399 -+ dsrl $tmp3,$in1,32
9400 -+ dsll $in0,32
9401 -+ dsll $in1,32
9402 -+ or $in0,$tmp1
9403 -+ or $in1,$tmp3
9404 -+# endif
9405 -+#endif
9406 -+ li $tmp0,1
9407 -+ dsll $tmp0,32 # 0x0000000100000000
9408 -+ daddiu $tmp0,-63 # 0x00000000ffffffc1
9409 -+ dsll $tmp0,28 # 0x0ffffffc10000000
9410 -+ daddiu $tmp0,-1 # 0x0ffffffc0fffffff
9411 -+
9412 -+ and $in0,$tmp0
9413 -+ daddiu $tmp0,-3 # 0x0ffffffc0ffffffc
9414 -+ and $in1,$tmp0
9415 -+
9416 -+ sd $in0,24($ctx)
9417 -+ dsrl $tmp0,$in1,2
9418 -+ sd $in1,32($ctx)
9419 -+ daddu $tmp0,$in1 # s1 = r1 + (r1 >> 2)
9420 -+ sd $tmp0,40($ctx)
9421 -+
9422 -+.Lno_key:
9423 -+ li $v0,0 # return 0
9424 -+ jr $ra
9425 -+.end poly1305_init
9426 -+___
9427 -+{
9428 -+my $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0x0003f000" : "0x00030000";
9429 -+
9430 -+my ($h0,$h1,$h2,$r0,$r1,$rs1,$d0,$d1,$d2) =
9431 -+ ($s0,$s1,$s2,$s3,$s4,$s5,$in0,$in1,$t2);
9432 -+my ($shr,$shl) = ($s6,$s7); # used on R6
9433 -+
9434 -+$code.=<<___;
9435 -+.align 5
9436 -+.globl poly1305_blocks
9437 -+.ent poly1305_blocks
9438 -+poly1305_blocks:
9439 -+ .set noreorder
9440 -+ dsrl $len,4 # number of complete blocks
9441 -+ bnez $len,poly1305_blocks_internal
9442 -+ nop
9443 -+ jr $ra
9444 -+ nop
9445 -+.end poly1305_blocks
9446 -+
9447 -+.align 5
9448 -+.ent poly1305_blocks_internal
9449 -+poly1305_blocks_internal:
9450 -+ .set noreorder
9451 -+#if defined(_MIPS_ARCH_MIPS64R6)
9452 -+ .frame $sp,8*8,$ra
9453 -+ .mask $SAVED_REGS_MASK|0x000c0000,-8
9454 -+ dsubu $sp,8*8
9455 -+ sd $s7,56($sp)
9456 -+ sd $s6,48($sp)
9457 -+#else
9458 -+ .frame $sp,6*8,$ra
9459 -+ .mask $SAVED_REGS_MASK,-8
9460 -+ dsubu $sp,6*8
9461 -+#endif
9462 -+ sd $s5,40($sp)
9463 -+ sd $s4,32($sp)
9464 -+___
9465 -+$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
9466 -+ sd $s3,24($sp)
9467 -+ sd $s2,16($sp)
9468 -+ sd $s1,8($sp)
9469 -+ sd $s0,0($sp)
9470 -+___
9471 -+$code.=<<___;
9472 -+ .set reorder
9473 -+
9474 -+#if defined(_MIPS_ARCH_MIPS64R6)
9475 -+ andi $shr,$inp,7
9476 -+ dsubu $inp,$inp,$shr # align $inp
9477 -+ sll $shr,$shr,3 # byte to bit offset
9478 -+ subu $shl,$zero,$shr
9479 -+#endif
9480 -+
9481 -+ ld $h0,0($ctx) # load hash value
9482 -+ ld $h1,8($ctx)
9483 -+ ld $h2,16($ctx)
9484 -+
9485 -+ ld $r0,24($ctx) # load key
9486 -+ ld $r1,32($ctx)
9487 -+ ld $rs1,40($ctx)
9488 -+
9489 -+ dsll $len,4
9490 -+ daddu $len,$inp # end of buffer
9491 -+ b .Loop
9492 -+
9493 -+.align 4
9494 -+.Loop:
9495 -+#if defined(_MIPS_ARCH_MIPS64R6)
9496 -+ ld $in0,0($inp) # load input
9497 -+ ld $in1,8($inp)
9498 -+ beqz $shr,.Laligned_inp
9499 -+
9500 -+ ld $tmp2,16($inp)
9501 -+# ifdef MIPSEB
9502 -+ dsllv $in0,$in0,$shr
9503 -+ dsrlv $tmp3,$in1,$shl
9504 -+ dsllv $in1,$in1,$shr
9505 -+ dsrlv $tmp2,$tmp2,$shl
9506 -+# else
9507 -+ dsrlv $in0,$in0,$shr
9508 -+ dsllv $tmp3,$in1,$shl
9509 -+ dsrlv $in1,$in1,$shr
9510 -+ dsllv $tmp2,$tmp2,$shl
9511 -+# endif
9512 -+ or $in0,$in0,$tmp3
9513 -+ or $in1,$in1,$tmp2
9514 -+.Laligned_inp:
9515 -+#else
9516 -+ ldl $in0,0+MSB($inp) # load input
9517 -+ ldl $in1,8+MSB($inp)
9518 -+ ldr $in0,0+LSB($inp)
9519 -+ ldr $in1,8+LSB($inp)
9520 -+#endif
9521 -+ daddiu $inp,16
9522 -+#ifdef MIPSEB
9523 -+# if defined(_MIPS_ARCH_MIPS64R2)
9524 -+ dsbh $in0,$in0 # byte swap
9525 -+ dsbh $in1,$in1
9526 -+ dshd $in0,$in0
9527 -+ dshd $in1,$in1
9528 -+# else
9529 -+ ori $tmp0,$zero,0xFF
9530 -+ dsll $tmp2,$tmp0,32
9531 -+ or $tmp0,$tmp2 # 0x000000FF000000FF
9532 -+
9533 -+ and $tmp1,$in0,$tmp0 # byte swap
9534 -+ and $tmp3,$in1,$tmp0
9535 -+ dsrl $tmp2,$in0,24
9536 -+ dsrl $tmp4,$in1,24
9537 -+ dsll $tmp1,24
9538 -+ dsll $tmp3,24
9539 -+ and $tmp2,$tmp0
9540 -+ and $tmp4,$tmp0
9541 -+ dsll $tmp0,8 # 0x0000FF000000FF00
9542 -+ or $tmp1,$tmp2
9543 -+ or $tmp3,$tmp4
9544 -+ and $tmp2,$in0,$tmp0
9545 -+ and $tmp4,$in1,$tmp0
9546 -+ dsrl $in0,8
9547 -+ dsrl $in1,8
9548 -+ dsll $tmp2,8
9549 -+ dsll $tmp4,8
9550 -+ and $in0,$tmp0
9551 -+ and $in1,$tmp0
9552 -+ or $tmp1,$tmp2
9553 -+ or $tmp3,$tmp4
9554 -+ or $in0,$tmp1
9555 -+ or $in1,$tmp3
9556 -+ dsrl $tmp1,$in0,32
9557 -+ dsrl $tmp3,$in1,32
9558 -+ dsll $in0,32
9559 -+ dsll $in1,32
9560 -+ or $in0,$tmp1
9561 -+ or $in1,$tmp3
9562 -+# endif
9563 -+#endif
9564 -+ dsrl $tmp1,$h2,2 # modulo-scheduled reduction
9565 -+ andi $h2,$h2,3
9566 -+ dsll $tmp0,$tmp1,2
9567 -+
9568 -+ daddu $d0,$h0,$in0 # accumulate input
9569 -+ daddu $tmp1,$tmp0
9570 -+ sltu $tmp0,$d0,$h0
9571 -+ daddu $d0,$d0,$tmp1 # ... and residue
9572 -+ sltu $tmp1,$d0,$tmp1
9573 -+ daddu $d1,$h1,$in1
9574 -+ daddu $tmp0,$tmp1
9575 -+ sltu $tmp1,$d1,$h1
9576 -+ daddu $d1,$tmp0
9577 -+
9578 -+ dmultu ($r0,$d0) # h0*r0
9579 -+ daddu $d2,$h2,$padbit
9580 -+ sltu $tmp0,$d1,$tmp0
9581 -+ mflo ($h0,$r0,$d0)
9582 -+ mfhi ($h1,$r0,$d0)
9583 -+
9584 -+ dmultu ($rs1,$d1) # h1*5*r1
9585 -+ daddu $d2,$tmp1
9586 -+ daddu $d2,$tmp0
9587 -+ mflo ($tmp0,$rs1,$d1)
9588 -+ mfhi ($tmp1,$rs1,$d1)
9589 -+
9590 -+ dmultu ($r1,$d0) # h0*r1
9591 -+ mflo ($tmp2,$r1,$d0)
9592 -+ mfhi ($h2,$r1,$d0)
9593 -+ daddu $h0,$tmp0
9594 -+ daddu $h1,$tmp1
9595 -+ sltu $tmp0,$h0,$tmp0
9596 -+
9597 -+ dmultu ($r0,$d1) # h1*r0
9598 -+ daddu $h1,$tmp0
9599 -+ daddu $h1,$tmp2
9600 -+ mflo ($tmp0,$r0,$d1)
9601 -+ mfhi ($tmp1,$r0,$d1)
9602 -+
9603 -+ dmultu ($rs1,$d2) # h2*5*r1
9604 -+ sltu $tmp2,$h1,$tmp2
9605 -+ daddu $h2,$tmp2
9606 -+ mflo ($tmp2,$rs1,$d2)
9607 -+
9608 -+ dmultu ($r0,$d2) # h2*r0
9609 -+ daddu $h1,$tmp0
9610 -+ daddu $h2,$tmp1
9611 -+ mflo ($tmp3,$r0,$d2)
9612 -+ sltu $tmp0,$h1,$tmp0
9613 -+ daddu $h2,$tmp0
9614 -+
9615 -+ daddu $h1,$tmp2
9616 -+ sltu $tmp2,$h1,$tmp2
9617 -+ daddu $h2,$tmp2
9618 -+ daddu $h2,$tmp3
9619 -+
9620 -+ bne $inp,$len,.Loop
9621 -+
9622 -+ sd $h0,0($ctx) # store hash value
9623 -+ sd $h1,8($ctx)
9624 -+ sd $h2,16($ctx)
9625 -+
9626 -+ .set noreorder
9627 -+#if defined(_MIPS_ARCH_MIPS64R6)
9628 -+ ld $s7,56($sp)
9629 -+ ld $s6,48($sp)
9630 -+#endif
9631 -+ ld $s5,40($sp) # epilogue
9632 -+ ld $s4,32($sp)
9633 -+___
9634 -+$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi epilogue
9635 -+ ld $s3,24($sp)
9636 -+ ld $s2,16($sp)
9637 -+ ld $s1,8($sp)
9638 -+ ld $s0,0($sp)
9639 -+___
9640 -+$code.=<<___;
9641 -+ jr $ra
9642 -+#if defined(_MIPS_ARCH_MIPS64R6)
9643 -+ daddu $sp,8*8
9644 -+#else
9645 -+ daddu $sp,6*8
9646 -+#endif
9647 -+.end poly1305_blocks_internal
9648 -+___
9649 -+}
9650 -+{
9651 -+my ($ctx,$mac,$nonce) = ($a0,$a1,$a2);
9652 -+
9653 -+$code.=<<___;
9654 -+.align 5
9655 -+.globl poly1305_emit
9656 -+.ent poly1305_emit
9657 -+poly1305_emit:
9658 -+ .frame $sp,0,$ra
9659 -+ .set reorder
9660 -+
9661 -+ ld $tmp2,16($ctx)
9662 -+ ld $tmp0,0($ctx)
9663 -+ ld $tmp1,8($ctx)
9664 -+
9665 -+ li $in0,-4 # final reduction
9666 -+ dsrl $in1,$tmp2,2
9667 -+ and $in0,$tmp2
9668 -+ andi $tmp2,$tmp2,3
9669 -+ daddu $in0,$in1
9670 -+
9671 -+ daddu $tmp0,$tmp0,$in0
9672 -+ sltu $in1,$tmp0,$in0
9673 -+ daddiu $in0,$tmp0,5 # compare to modulus
9674 -+ daddu $tmp1,$tmp1,$in1
9675 -+ sltiu $tmp3,$in0,5
9676 -+ sltu $tmp4,$tmp1,$in1
9677 -+ daddu $in1,$tmp1,$tmp3
9678 -+ daddu $tmp2,$tmp2,$tmp4
9679 -+ sltu $tmp3,$in1,$tmp3
9680 -+ daddu $tmp2,$tmp2,$tmp3
9681 -+
9682 -+ dsrl $tmp2,2 # see if it carried/borrowed
9683 -+ dsubu $tmp2,$zero,$tmp2
9684 -+
9685 -+ xor $in0,$tmp0
9686 -+ xor $in1,$tmp1
9687 -+ and $in0,$tmp2
9688 -+ and $in1,$tmp2
9689 -+ xor $in0,$tmp0
9690 -+ xor $in1,$tmp1
9691 -+
9692 -+ lwu $tmp0,0($nonce) # load nonce
9693 -+ lwu $tmp1,4($nonce)
9694 -+ lwu $tmp2,8($nonce)
9695 -+ lwu $tmp3,12($nonce)
9696 -+ dsll $tmp1,32
9697 -+ dsll $tmp3,32
9698 -+ or $tmp0,$tmp1
9699 -+ or $tmp2,$tmp3
9700 -+
9701 -+ daddu $in0,$tmp0 # accumulate nonce
9702 -+ daddu $in1,$tmp2
9703 -+ sltu $tmp0,$in0,$tmp0
9704 -+ daddu $in1,$tmp0
9705 -+
9706 -+ dsrl $tmp0,$in0,8 # write mac value
9707 -+ dsrl $tmp1,$in0,16
9708 -+ dsrl $tmp2,$in0,24
9709 -+ sb $in0,0($mac)
9710 -+ dsrl $tmp3,$in0,32
9711 -+ sb $tmp0,1($mac)
9712 -+ dsrl $tmp0,$in0,40
9713 -+ sb $tmp1,2($mac)
9714 -+ dsrl $tmp1,$in0,48
9715 -+ sb $tmp2,3($mac)
9716 -+ dsrl $tmp2,$in0,56
9717 -+ sb $tmp3,4($mac)
9718 -+ dsrl $tmp3,$in1,8
9719 -+ sb $tmp0,5($mac)
9720 -+ dsrl $tmp0,$in1,16
9721 -+ sb $tmp1,6($mac)
9722 -+ dsrl $tmp1,$in1,24
9723 -+ sb $tmp2,7($mac)
9724 -+
9725 -+ sb $in1,8($mac)
9726 -+ dsrl $tmp2,$in1,32
9727 -+ sb $tmp3,9($mac)
9728 -+ dsrl $tmp3,$in1,40
9729 -+ sb $tmp0,10($mac)
9730 -+ dsrl $tmp0,$in1,48
9731 -+ sb $tmp1,11($mac)
9732 -+ dsrl $tmp1,$in1,56
9733 -+ sb $tmp2,12($mac)
9734 -+ sb $tmp3,13($mac)
9735 -+ sb $tmp0,14($mac)
9736 -+ sb $tmp1,15($mac)
9737 -+
9738 -+ jr $ra
9739 -+.end poly1305_emit
9740 -+.rdata
9741 -+.asciiz "Poly1305 for MIPS64, CRYPTOGAMS by \@dot-asm"
9742 -+.align 2
9743 -+___
9744 -+}
9745 -+}}} else {{{
9746 -+######################################################################
9747 -+# 32-bit code path
9748 -+#
9749 -+
9750 -+my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
9751 -+my ($in0,$in1,$in2,$in3,$tmp0,$tmp1,$tmp2,$tmp3) =
9752 -+ ($a4,$a5,$a6,$a7,$at,$t0,$t1,$t2);
9753 -+
9754 -+$code.=<<___;
9755 -+#if (defined(_MIPS_ARCH_MIPS32R3) || defined(_MIPS_ARCH_MIPS32R5) || \\
9756 -+ defined(_MIPS_ARCH_MIPS32R6)) \\
9757 -+ && !defined(_MIPS_ARCH_MIPS32R2)
9758 -+# define _MIPS_ARCH_MIPS32R2
9759 -+#endif
9760 -+
9761 -+#if defined(_MIPS_ARCH_MIPS32R6)
9762 -+# define multu(rs,rt)
9763 -+# define mflo(rd,rs,rt) mulu rd,rs,rt
9764 -+# define mfhi(rd,rs,rt) muhu rd,rs,rt
9765 -+#else
9766 -+# define multu(rs,rt) multu rs,rt
9767 -+# define mflo(rd,rs,rt) mflo rd
9768 -+# define mfhi(rd,rs,rt) mfhi rd
9769 -+#endif
9770 -+
9771 -+#ifdef __KERNEL__
9772 -+# define poly1305_init poly1305_init_mips
9773 -+# define poly1305_blocks poly1305_blocks_mips
9774 -+# define poly1305_emit poly1305_emit_mips
9775 -+#endif
9776 -+
9777 -+#if defined(__MIPSEB__) && !defined(MIPSEB)
9778 -+# define MIPSEB
9779 -+#endif
9780 -+
9781 -+#ifdef MIPSEB
9782 -+# define MSB 0
9783 -+# define LSB 3
9784 -+#else
9785 -+# define MSB 3
9786 -+# define LSB 0
9787 -+#endif
9788 -+
9789 -+.text
9790 -+.set noat
9791 -+.set noreorder
9792 -+
9793 -+.align 5
9794 -+.globl poly1305_init
9795 -+.ent poly1305_init
9796 -+poly1305_init:
9797 -+ .frame $sp,0,$ra
9798 -+ .set reorder
9799 -+
9800 -+ sw $zero,0($ctx)
9801 -+ sw $zero,4($ctx)
9802 -+ sw $zero,8($ctx)
9803 -+ sw $zero,12($ctx)
9804 -+ sw $zero,16($ctx)
9805 -+
9806 -+ beqz $inp,.Lno_key
9807 -+
9808 -+#if defined(_MIPS_ARCH_MIPS32R6)
9809 -+ andi $tmp0,$inp,3 # $inp % 4
9810 -+ subu $inp,$inp,$tmp0 # align $inp
9811 -+ sll $tmp0,$tmp0,3 # byte to bit offset
9812 -+ lw $in0,0($inp)
9813 -+ lw $in1,4($inp)
9814 -+ lw $in2,8($inp)
9815 -+ lw $in3,12($inp)
9816 -+ beqz $tmp0,.Laligned_key
9817 -+
9818 -+ lw $tmp2,16($inp)
9819 -+ subu $tmp1,$zero,$tmp0
9820 -+# ifdef MIPSEB
9821 -+ sllv $in0,$in0,$tmp0
9822 -+ srlv $tmp3,$in1,$tmp1
9823 -+ sllv $in1,$in1,$tmp0
9824 -+ or $in0,$in0,$tmp3
9825 -+ srlv $tmp3,$in2,$tmp1
9826 -+ sllv $in2,$in2,$tmp0
9827 -+ or $in1,$in1,$tmp3
9828 -+ srlv $tmp3,$in3,$tmp1
9829 -+ sllv $in3,$in3,$tmp0
9830 -+ or $in2,$in2,$tmp3
9831 -+ srlv $tmp2,$tmp2,$tmp1
9832 -+ or $in3,$in3,$tmp2
9833 -+# else
9834 -+ srlv $in0,$in0,$tmp0
9835 -+ sllv $tmp3,$in1,$tmp1
9836 -+ srlv $in1,$in1,$tmp0
9837 -+ or $in0,$in0,$tmp3
9838 -+ sllv $tmp3,$in2,$tmp1
9839 -+ srlv $in2,$in2,$tmp0
9840 -+ or $in1,$in1,$tmp3
9841 -+ sllv $tmp3,$in3,$tmp1
9842 -+ srlv $in3,$in3,$tmp0
9843 -+ or $in2,$in2,$tmp3
9844 -+ sllv $tmp2,$tmp2,$tmp1
9845 -+ or $in3,$in3,$tmp2
9846 -+# endif
9847 -+.Laligned_key:
9848 -+#else
9849 -+ lwl $in0,0+MSB($inp)
9850 -+ lwl $in1,4+MSB($inp)
9851 -+ lwl $in2,8+MSB($inp)
9852 -+ lwl $in3,12+MSB($inp)
9853 -+ lwr $in0,0+LSB($inp)
9854 -+ lwr $in1,4+LSB($inp)
9855 -+ lwr $in2,8+LSB($inp)
9856 -+ lwr $in3,12+LSB($inp)
9857 -+#endif
9858 -+#ifdef MIPSEB
9859 -+# if defined(_MIPS_ARCH_MIPS32R2)
9860 -+ wsbh $in0,$in0 # byte swap
9861 -+ wsbh $in1,$in1
9862 -+ wsbh $in2,$in2
9863 -+ wsbh $in3,$in3
9864 -+ rotr $in0,$in0,16
9865 -+ rotr $in1,$in1,16
9866 -+ rotr $in2,$in2,16
9867 -+ rotr $in3,$in3,16
9868 -+# else
9869 -+ srl $tmp0,$in0,24 # byte swap
9870 -+ srl $tmp1,$in0,8
9871 -+ andi $tmp2,$in0,0xFF00
9872 -+ sll $in0,$in0,24
9873 -+ andi $tmp1,0xFF00
9874 -+ sll $tmp2,$tmp2,8
9875 -+ or $in0,$tmp0
9876 -+ srl $tmp0,$in1,24
9877 -+ or $tmp1,$tmp2
9878 -+ srl $tmp2,$in1,8
9879 -+ or $in0,$tmp1
9880 -+ andi $tmp1,$in1,0xFF00
9881 -+ sll $in1,$in1,24
9882 -+ andi $tmp2,0xFF00
9883 -+ sll $tmp1,$tmp1,8
9884 -+ or $in1,$tmp0
9885 -+ srl $tmp0,$in2,24
9886 -+ or $tmp2,$tmp1
9887 -+ srl $tmp1,$in2,8
9888 -+ or $in1,$tmp2
9889 -+ andi $tmp2,$in2,0xFF00
9890 -+ sll $in2,$in2,24
9891 -+ andi $tmp1,0xFF00
9892 -+ sll $tmp2,$tmp2,8
9893 -+ or $in2,$tmp0
9894 -+ srl $tmp0,$in3,24
9895 -+ or $tmp1,$tmp2
9896 -+ srl $tmp2,$in3,8
9897 -+ or $in2,$tmp1
9898 -+ andi $tmp1,$in3,0xFF00
9899 -+ sll $in3,$in3,24
9900 -+ andi $tmp2,0xFF00
9901 -+ sll $tmp1,$tmp1,8
9902 -+ or $in3,$tmp0
9903 -+ or $tmp2,$tmp1
9904 -+ or $in3,$tmp2
9905 -+# endif
9906 -+#endif
9907 -+ lui $tmp0,0x0fff
9908 -+ ori $tmp0,0xffff # 0x0fffffff
9909 -+ and $in0,$in0,$tmp0
9910 -+ subu $tmp0,3 # 0x0ffffffc
9911 -+ and $in1,$in1,$tmp0
9912 -+ and $in2,$in2,$tmp0
9913 -+ and $in3,$in3,$tmp0
9914 -+
9915 -+ sw $in0,20($ctx)
9916 -+ sw $in1,24($ctx)
9917 -+ sw $in2,28($ctx)
9918 -+ sw $in3,32($ctx)
9919 -+
9920 -+ srl $tmp1,$in1,2
9921 -+ srl $tmp2,$in2,2
9922 -+ srl $tmp3,$in3,2
9923 -+ addu $in1,$in1,$tmp1 # s1 = r1 + (r1 >> 2)
9924 -+ addu $in2,$in2,$tmp2
9925 -+ addu $in3,$in3,$tmp3
9926 -+ sw $in1,36($ctx)
9927 -+ sw $in2,40($ctx)
9928 -+ sw $in3,44($ctx)
9929 -+.Lno_key:
9930 -+ li $v0,0
9931 -+ jr $ra
9932 -+.end poly1305_init
9933 -+___
9934 -+{
9935 -+my $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0x00fff000" : "0x00ff0000";
9936 -+
9937 -+my ($h0,$h1,$h2,$h3,$h4, $r0,$r1,$r2,$r3, $rs1,$rs2,$rs3) =
9938 -+ ($s0,$s1,$s2,$s3,$s4, $s5,$s6,$s7,$s8, $s9,$s10,$s11);
9939 -+my ($d0,$d1,$d2,$d3) =
9940 -+ ($a4,$a5,$a6,$a7);
9941 -+my $shr = $t2; # used on R6
9942 -+my $one = $t2; # used on R2
9943 -+
9944 -+$code.=<<___;
9945 -+.globl poly1305_blocks
9946 -+.align 5
9947 -+.ent poly1305_blocks
9948 -+poly1305_blocks:
9949 -+ .frame $sp,16*4,$ra
9950 -+ .mask $SAVED_REGS_MASK,-4
9951 -+ .set noreorder
9952 -+ subu $sp, $sp,4*12
9953 -+ sw $s11,4*11($sp)
9954 -+ sw $s10,4*10($sp)
9955 -+ sw $s9, 4*9($sp)
9956 -+ sw $s8, 4*8($sp)
9957 -+ sw $s7, 4*7($sp)
9958 -+ sw $s6, 4*6($sp)
9959 -+ sw $s5, 4*5($sp)
9960 -+ sw $s4, 4*4($sp)
9961 -+___
9962 -+$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
9963 -+ sw $s3, 4*3($sp)
9964 -+ sw $s2, 4*2($sp)
9965 -+ sw $s1, 4*1($sp)
9966 -+ sw $s0, 4*0($sp)
9967 -+___
9968 -+$code.=<<___;
9969 -+ .set reorder
9970 -+
9971 -+ srl $len,4 # number of complete blocks
9972 -+ li $one,1
9973 -+ beqz $len,.Labort
9974 -+
9975 -+#if defined(_MIPS_ARCH_MIPS32R6)
9976 -+ andi $shr,$inp,3
9977 -+ subu $inp,$inp,$shr # align $inp
9978 -+ sll $shr,$shr,3 # byte to bit offset
9979 -+#endif
9980 -+
9981 -+ lw $h0,0($ctx) # load hash value
9982 -+ lw $h1,4($ctx)
9983 -+ lw $h2,8($ctx)
9984 -+ lw $h3,12($ctx)
9985 -+ lw $h4,16($ctx)
9986 -+
9987 -+ lw $r0,20($ctx) # load key
9988 -+ lw $r1,24($ctx)
9989 -+ lw $r2,28($ctx)
9990 -+ lw $r3,32($ctx)
9991 -+ lw $rs1,36($ctx)
9992 -+ lw $rs2,40($ctx)
9993 -+ lw $rs3,44($ctx)
9994 -+
9995 -+ sll $len,4
9996 -+ addu $len,$len,$inp # end of buffer
9997 -+ b .Loop
9998 -+
9999 -+.align 4
10000 -+.Loop:
10001 -+#if defined(_MIPS_ARCH_MIPS32R6)
10002 -+ lw $d0,0($inp) # load input
10003 -+ lw $d1,4($inp)
10004 -+ lw $d2,8($inp)
10005 -+ lw $d3,12($inp)
10006 -+ beqz $shr,.Laligned_inp
10007 -+
10008 -+ lw $t0,16($inp)
10009 -+ subu $t1,$zero,$shr
10010 -+# ifdef MIPSEB
10011 -+ sllv $d0,$d0,$shr
10012 -+ srlv $at,$d1,$t1
10013 -+ sllv $d1,$d1,$shr
10014 -+ or $d0,$d0,$at
10015 -+ srlv $at,$d2,$t1
10016 -+ sllv $d2,$d2,$shr
10017 -+ or $d1,$d1,$at
10018 -+ srlv $at,$d3,$t1
10019 -+ sllv $d3,$d3,$shr
10020 -+ or $d2,$d2,$at
10021 -+ srlv $t0,$t0,$t1
10022 -+ or $d3,$d3,$t0
10023 -+# else
10024 -+ srlv $d0,$d0,$shr
10025 -+ sllv $at,$d1,$t1
10026 -+ srlv $d1,$d1,$shr
10027 -+ or $d0,$d0,$at
10028 -+ sllv $at,$d2,$t1
10029 -+ srlv $d2,$d2,$shr
10030 -+ or $d1,$d1,$at
10031 -+ sllv $at,$d3,$t1
10032 -+ srlv $d3,$d3,$shr
10033 -+ or $d2,$d2,$at
10034 -+ sllv $t0,$t0,$t1
10035 -+ or $d3,$d3,$t0
10036 -+# endif
10037 -+.Laligned_inp:
10038 -+#else
10039 -+ lwl $d0,0+MSB($inp) # load input
10040 -+ lwl $d1,4+MSB($inp)
10041 -+ lwl $d2,8+MSB($inp)
10042 -+ lwl $d3,12+MSB($inp)
10043 -+ lwr $d0,0+LSB($inp)
10044 -+ lwr $d1,4+LSB($inp)
10045 -+ lwr $d2,8+LSB($inp)
10046 -+ lwr $d3,12+LSB($inp)
10047 -+#endif
10048 -+#ifdef MIPSEB
10049 -+# if defined(_MIPS_ARCH_MIPS32R2)
10050 -+ wsbh $d0,$d0 # byte swap
10051 -+ wsbh $d1,$d1
10052 -+ wsbh $d2,$d2
10053 -+ wsbh $d3,$d3
10054 -+ rotr $d0,$d0,16
10055 -+ rotr $d1,$d1,16
10056 -+ rotr $d2,$d2,16
10057 -+ rotr $d3,$d3,16
10058 -+# else
10059 -+ srl $at,$d0,24 # byte swap
10060 -+ srl $t0,$d0,8
10061 -+ andi $t1,$d0,0xFF00
10062 -+ sll $d0,$d0,24
10063 -+ andi $t0,0xFF00
10064 -+ sll $t1,$t1,8
10065 -+ or $d0,$at
10066 -+ srl $at,$d1,24
10067 -+ or $t0,$t1
10068 -+ srl $t1,$d1,8
10069 -+ or $d0,$t0
10070 -+ andi $t0,$d1,0xFF00
10071 -+ sll $d1,$d1,24
10072 -+ andi $t1,0xFF00
10073 -+ sll $t0,$t0,8
10074 -+ or $d1,$at
10075 -+ srl $at,$d2,24
10076 -+ or $t1,$t0
10077 -+ srl $t0,$d2,8
10078 -+ or $d1,$t1
10079 -+ andi $t1,$d2,0xFF00
10080 -+ sll $d2,$d2,24
10081 -+ andi $t0,0xFF00
10082 -+ sll $t1,$t1,8
10083 -+ or $d2,$at
10084 -+ srl $at,$d3,24
10085 -+ or $t0,$t1
10086 -+ srl $t1,$d3,8
10087 -+ or $d2,$t0
10088 -+ andi $t0,$d3,0xFF00
10089 -+ sll $d3,$d3,24
10090 -+ andi $t1,0xFF00
10091 -+ sll $t0,$t0,8
10092 -+ or $d3,$at
10093 -+ or $t1,$t0
10094 -+ or $d3,$t1
10095 -+# endif
10096 -+#endif
10097 -+ srl $t0,$h4,2 # modulo-scheduled reduction
10098 -+ andi $h4,$h4,3
10099 -+ sll $at,$t0,2
10100 -+
10101 -+ addu $d0,$d0,$h0 # accumulate input
10102 -+ addu $t0,$t0,$at
10103 -+ sltu $h0,$d0,$h0
10104 -+ addu $d0,$d0,$t0 # ... and residue
10105 -+ sltu $at,$d0,$t0
10106 -+
10107 -+ addu $d1,$d1,$h1
10108 -+ addu $h0,$h0,$at # carry
10109 -+ sltu $h1,$d1,$h1
10110 -+ addu $d1,$d1,$h0
10111 -+ sltu $h0,$d1,$h0
10112 -+
10113 -+ addu $d2,$d2,$h2
10114 -+ addu $h1,$h1,$h0 # carry
10115 -+ sltu $h2,$d2,$h2
10116 -+ addu $d2,$d2,$h1
10117 -+ sltu $h1,$d2,$h1
10118 -+
10119 -+ addu $d3,$d3,$h3
10120 -+ addu $h2,$h2,$h1 # carry
10121 -+ sltu $h3,$d3,$h3
10122 -+ addu $d3,$d3,$h2
10123 -+
10124 -+#if defined(_MIPS_ARCH_MIPS32R2) && !defined(_MIPS_ARCH_MIPS32R6)
10125 -+ multu $r0,$d0 # d0*r0
10126 -+ sltu $h2,$d3,$h2
10127 -+ maddu $rs3,$d1 # d1*s3
10128 -+ addu $h3,$h3,$h2 # carry
10129 -+ maddu $rs2,$d2 # d2*s2
10130 -+ addu $h4,$h4,$padbit
10131 -+ maddu $rs1,$d3 # d3*s1
10132 -+ addu $h4,$h4,$h3
10133 -+ mfhi $at
10134 -+ mflo $h0
10135 -+
10136 -+ multu $r1,$d0 # d0*r1
10137 -+ maddu $r0,$d1 # d1*r0
10138 -+ maddu $rs3,$d2 # d2*s3
10139 -+ maddu $rs2,$d3 # d3*s2
10140 -+ maddu $rs1,$h4 # h4*s1
10141 -+ maddu $at,$one # hi*1
10142 -+ mfhi $at
10143 -+ mflo $h1
10144 -+
10145 -+ multu $r2,$d0 # d0*r2
10146 -+ maddu $r1,$d1 # d1*r1
10147 -+ maddu $r0,$d2 # d2*r0
10148 -+ maddu $rs3,$d3 # d3*s3
10149 -+ maddu $rs2,$h4 # h4*s2
10150 -+ maddu $at,$one # hi*1
10151 -+ mfhi $at
10152 -+ mflo $h2
10153 -+
10154 -+ mul $t0,$r0,$h4 # h4*r0
10155 -+
10156 -+ multu $r3,$d0 # d0*r3
10157 -+ maddu $r2,$d1 # d1*r2
10158 -+ maddu $r1,$d2 # d2*r1
10159 -+ maddu $r0,$d3 # d3*r0
10160 -+ maddu $rs3,$h4 # h4*s3
10161 -+ maddu $at,$one # hi*1
10162 -+ mfhi $at
10163 -+ mflo $h3
10164 -+
10165 -+ addiu $inp,$inp,16
10166 -+
10167 -+ addu $h4,$t0,$at
10168 -+#else
10169 -+ multu ($r0,$d0) # d0*r0
10170 -+ mflo ($h0,$r0,$d0)
10171 -+ mfhi ($h1,$r0,$d0)
10172 -+
10173 -+ sltu $h2,$d3,$h2
10174 -+ addu $h3,$h3,$h2 # carry
10175 -+
10176 -+ multu ($rs3,$d1) # d1*s3
10177 -+ mflo ($at,$rs3,$d1)
10178 -+ mfhi ($t0,$rs3,$d1)
10179 -+
10180 -+ addu $h4,$h4,$padbit
10181 -+ addiu $inp,$inp,16
10182 -+ addu $h4,$h4,$h3
10183 -+
10184 -+ multu ($rs2,$d2) # d2*s2
10185 -+ mflo ($a3,$rs2,$d2)
10186 -+ mfhi ($t1,$rs2,$d2)
10187 -+ addu $h0,$h0,$at
10188 -+ addu $h1,$h1,$t0
10189 -+ multu ($rs1,$d3) # d3*s1
10190 -+ sltu $at,$h0,$at
10191 -+ addu $h1,$h1,$at
10192 -+
10193 -+ mflo ($at,$rs1,$d3)
10194 -+ mfhi ($t0,$rs1,$d3)
10195 -+ addu $h0,$h0,$a3
10196 -+ addu $h1,$h1,$t1
10197 -+ multu ($r1,$d0) # d0*r1
10198 -+ sltu $a3,$h0,$a3
10199 -+ addu $h1,$h1,$a3
10200 -+
10201 -+
10202 -+ mflo ($a3,$r1,$d0)
10203 -+ mfhi ($h2,$r1,$d0)
10204 -+ addu $h0,$h0,$at
10205 -+ addu $h1,$h1,$t0
10206 -+ multu ($r0,$d1) # d1*r0
10207 -+ sltu $at,$h0,$at
10208 -+ addu $h1,$h1,$at
10209 -+
10210 -+ mflo ($at,$r0,$d1)
10211 -+ mfhi ($t0,$r0,$d1)
10212 -+ addu $h1,$h1,$a3
10213 -+ sltu $a3,$h1,$a3
10214 -+ multu ($rs3,$d2) # d2*s3
10215 -+ addu $h2,$h2,$a3
10216 -+
10217 -+ mflo ($a3,$rs3,$d2)
10218 -+ mfhi ($t1,$rs3,$d2)
10219 -+ addu $h1,$h1,$at
10220 -+ addu $h2,$h2,$t0
10221 -+ multu ($rs2,$d3) # d3*s2
10222 -+ sltu $at,$h1,$at
10223 -+ addu $h2,$h2,$at
10224 -+
10225 -+ mflo ($at,$rs2,$d3)
10226 -+ mfhi ($t0,$rs2,$d3)
10227 -+ addu $h1,$h1,$a3
10228 -+ addu $h2,$h2,$t1
10229 -+ multu ($rs1,$h4) # h4*s1
10230 -+ sltu $a3,$h1,$a3
10231 -+ addu $h2,$h2,$a3
10232 -+
10233 -+ mflo ($a3,$rs1,$h4)
10234 -+ addu $h1,$h1,$at
10235 -+ addu $h2,$h2,$t0
10236 -+ multu ($r2,$d0) # d0*r2
10237 -+ sltu $at,$h1,$at
10238 -+ addu $h2,$h2,$at
10239 -+
10240 -+
10241 -+ mflo ($at,$r2,$d0)
10242 -+ mfhi ($h3,$r2,$d0)
10243 -+ addu $h1,$h1,$a3
10244 -+ sltu $a3,$h1,$a3
10245 -+ multu ($r1,$d1) # d1*r1
10246 -+ addu $h2,$h2,$a3
10247 -+
10248 -+ mflo ($a3,$r1,$d1)
10249 -+ mfhi ($t1,$r1,$d1)
10250 -+ addu $h2,$h2,$at
10251 -+ sltu $at,$h2,$at
10252 -+ multu ($r0,$d2) # d2*r0
10253 -+ addu $h3,$h3,$at
10254 -+
10255 -+ mflo ($at,$r0,$d2)
10256 -+ mfhi ($t0,$r0,$d2)
10257 -+ addu $h2,$h2,$a3
10258 -+ addu $h3,$h3,$t1
10259 -+ multu ($rs3,$d3) # d3*s3
10260 -+ sltu $a3,$h2,$a3
10261 -+ addu $h3,$h3,$a3
10262 -+
10263 -+ mflo ($a3,$rs3,$d3)
10264 -+ mfhi ($t1,$rs3,$d3)
10265 -+ addu $h2,$h2,$at
10266 -+ addu $h3,$h3,$t0
10267 -+ multu ($rs2,$h4) # h4*s2
10268 -+ sltu $at,$h2,$at
10269 -+ addu $h3,$h3,$at
10270 -+
10271 -+ mflo ($at,$rs2,$h4)
10272 -+ addu $h2,$h2,$a3
10273 -+ addu $h3,$h3,$t1
10274 -+ multu ($r3,$d0) # d0*r3
10275 -+ sltu $a3,$h2,$a3
10276 -+ addu $h3,$h3,$a3
10277 -+
10278 -+
10279 -+ mflo ($a3,$r3,$d0)
10280 -+ mfhi ($t1,$r3,$d0)
10281 -+ addu $h2,$h2,$at
10282 -+ sltu $at,$h2,$at
10283 -+ multu ($r2,$d1) # d1*r2
10284 -+ addu $h3,$h3,$at
10285 -+
10286 -+ mflo ($at,$r2,$d1)
10287 -+ mfhi ($t0,$r2,$d1)
10288 -+ addu $h3,$h3,$a3
10289 -+ sltu $a3,$h3,$a3
10290 -+ multu ($r0,$d3) # d3*r0
10291 -+ addu $t1,$t1,$a3
10292 -+
10293 -+ mflo ($a3,$r0,$d3)
10294 -+ mfhi ($d3,$r0,$d3)
10295 -+ addu $h3,$h3,$at
10296 -+ addu $t1,$t1,$t0
10297 -+ multu ($r1,$d2) # d2*r1
10298 -+ sltu $at,$h3,$at
10299 -+ addu $t1,$t1,$at
10300 -+
10301 -+ mflo ($at,$r1,$d2)
10302 -+ mfhi ($t0,$r1,$d2)
10303 -+ addu $h3,$h3,$a3
10304 -+ addu $t1,$t1,$d3
10305 -+ multu ($rs3,$h4) # h4*s3
10306 -+ sltu $a3,$h3,$a3
10307 -+ addu $t1,$t1,$a3
10308 -+
10309 -+ mflo ($a3,$rs3,$h4)
10310 -+ addu $h3,$h3,$at
10311 -+ addu $t1,$t1,$t0
10312 -+ multu ($r0,$h4) # h4*r0
10313 -+ sltu $at,$h3,$at
10314 -+ addu $t1,$t1,$at
10315 -+
10316 -+
10317 -+ mflo ($h4,$r0,$h4)
10318 -+ addu $h3,$h3,$a3
10319 -+ sltu $a3,$h3,$a3
10320 -+ addu $t1,$t1,$a3
10321 -+ addu $h4,$h4,$t1
10322 -+
10323 -+ li $padbit,1 # if we loop, padbit is 1
10324 -+#endif
10325 -+ bne $inp,$len,.Loop
10326 -+
10327 -+ sw $h0,0($ctx) # store hash value
10328 -+ sw $h1,4($ctx)
10329 -+ sw $h2,8($ctx)
10330 -+ sw $h3,12($ctx)
10331 -+ sw $h4,16($ctx)
10332 -+
10333 -+ .set noreorder
10334 -+.Labort:
10335 -+ lw $s11,4*11($sp)
10336 -+ lw $s10,4*10($sp)
10337 -+ lw $s9, 4*9($sp)
10338 -+ lw $s8, 4*8($sp)
10339 -+ lw $s7, 4*7($sp)
10340 -+ lw $s6, 4*6($sp)
10341 -+ lw $s5, 4*5($sp)
10342 -+ lw $s4, 4*4($sp)
10343 -+___
10344 -+$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
10345 -+ lw $s3, 4*3($sp)
10346 -+ lw $s2, 4*2($sp)
10347 -+ lw $s1, 4*1($sp)
10348 -+ lw $s0, 4*0($sp)
10349 -+___
10350 -+$code.=<<___;
10351 -+ jr $ra
10352 -+ addu $sp,$sp,4*12
10353 -+.end poly1305_blocks
10354 -+___
10355 -+}
10356 -+{
10357 -+my ($ctx,$mac,$nonce,$tmp4) = ($a0,$a1,$a2,$a3);
10358 -+
10359 -+$code.=<<___;
10360 -+.align 5
10361 -+.globl poly1305_emit
10362 -+.ent poly1305_emit
10363 -+poly1305_emit:
10364 -+ .frame $sp,0,$ra
10365 -+ .set reorder
10366 -+
10367 -+ lw $tmp4,16($ctx)
10368 -+ lw $tmp0,0($ctx)
10369 -+ lw $tmp1,4($ctx)
10370 -+ lw $tmp2,8($ctx)
10371 -+ lw $tmp3,12($ctx)
10372 -+
10373 -+ li $in0,-4 # final reduction
10374 -+ srl $ctx,$tmp4,2
10375 -+ and $in0,$in0,$tmp4
10376 -+ andi $tmp4,$tmp4,3
10377 -+ addu $ctx,$ctx,$in0
10378 -+
10379 -+ addu $tmp0,$tmp0,$ctx
10380 -+ sltu $ctx,$tmp0,$ctx
10381 -+ addiu $in0,$tmp0,5 # compare to modulus
10382 -+ addu $tmp1,$tmp1,$ctx
10383 -+ sltiu $in1,$in0,5
10384 -+ sltu $ctx,$tmp1,$ctx
10385 -+ addu $in1,$in1,$tmp1
10386 -+ addu $tmp2,$tmp2,$ctx
10387 -+ sltu $in2,$in1,$tmp1
10388 -+ sltu $ctx,$tmp2,$ctx
10389 -+ addu $in2,$in2,$tmp2
10390 -+ addu $tmp3,$tmp3,$ctx
10391 -+ sltu $in3,$in2,$tmp2
10392 -+ sltu $ctx,$tmp3,$ctx
10393 -+ addu $in3,$in3,$tmp3
10394 -+ addu $tmp4,$tmp4,$ctx
10395 -+ sltu $ctx,$in3,$tmp3
10396 -+ addu $ctx,$tmp4
10397 -+
10398 -+ srl $ctx,2 # see if it carried/borrowed
10399 -+ subu $ctx,$zero,$ctx
10400 -+
10401 -+ xor $in0,$tmp0
10402 -+ xor $in1,$tmp1
10403 -+ xor $in2,$tmp2
10404 -+ xor $in3,$tmp3
10405 -+ and $in0,$ctx
10406 -+ and $in1,$ctx
10407 -+ and $in2,$ctx
10408 -+ and $in3,$ctx
10409 -+ xor $in0,$tmp0
10410 -+ xor $in1,$tmp1
10411 -+ xor $in2,$tmp2
10412 -+ xor $in3,$tmp3
10413 -+
10414 -+ lw $tmp0,0($nonce) # load nonce
10415 -+ lw $tmp1,4($nonce)
10416 -+ lw $tmp2,8($nonce)
10417 -+ lw $tmp3,12($nonce)
10418 -+
10419 -+ addu $in0,$tmp0 # accumulate nonce
10420 -+ sltu $ctx,$in0,$tmp0
10421 -+
10422 -+ addu $in1,$tmp1
10423 -+ sltu $tmp1,$in1,$tmp1
10424 -+ addu $in1,$ctx
10425 -+ sltu $ctx,$in1,$ctx
10426 -+ addu $ctx,$tmp1
10427 -+
10428 -+ addu $in2,$tmp2
10429 -+ sltu $tmp2,$in2,$tmp2
10430 -+ addu $in2,$ctx
10431 -+ sltu $ctx,$in2,$ctx
10432 -+ addu $ctx,$tmp2
10433 -+
10434 -+ addu $in3,$tmp3
10435 -+ addu $in3,$ctx
10436 -+
10437 -+ srl $tmp0,$in0,8 # write mac value
10438 -+ srl $tmp1,$in0,16
10439 -+ srl $tmp2,$in0,24
10440 -+ sb $in0, 0($mac)
10441 -+ sb $tmp0,1($mac)
10442 -+ srl $tmp0,$in1,8
10443 -+ sb $tmp1,2($mac)
10444 -+ srl $tmp1,$in1,16
10445 -+ sb $tmp2,3($mac)
10446 -+ srl $tmp2,$in1,24
10447 -+ sb $in1, 4($mac)
10448 -+ sb $tmp0,5($mac)
10449 -+ srl $tmp0,$in2,8
10450 -+ sb $tmp1,6($mac)
10451 -+ srl $tmp1,$in2,16
10452 -+ sb $tmp2,7($mac)
10453 -+ srl $tmp2,$in2,24
10454 -+ sb $in2, 8($mac)
10455 -+ sb $tmp0,9($mac)
10456 -+ srl $tmp0,$in3,8
10457 -+ sb $tmp1,10($mac)
10458 -+ srl $tmp1,$in3,16
10459 -+ sb $tmp2,11($mac)
10460 -+ srl $tmp2,$in3,24
10461 -+ sb $in3, 12($mac)
10462 -+ sb $tmp0,13($mac)
10463 -+ sb $tmp1,14($mac)
10464 -+ sb $tmp2,15($mac)
10465 -+
10466 -+ jr $ra
10467 -+.end poly1305_emit
10468 -+.rdata
10469 -+.asciiz "Poly1305 for MIPS32, CRYPTOGAMS by \@dot-asm"
10470 -+.align 2
10471 -+___
10472 -+}
10473 -+}}}
10474 -+
10475 -+$output=pop and open STDOUT,">$output";
10476 -+print $code;
10477 -+close STDOUT;
10478 ---- /dev/null
10479 -+++ b/include/crypto/blake2s.h
10480 -@@ -0,0 +1,106 @@
10481 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
10482 -+/*
10483 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
10484 -+ */
10485 -+
10486 -+#ifndef BLAKE2S_H
10487 -+#define BLAKE2S_H
10488 -+
10489 -+#include <linux/types.h>
10490 -+#include <linux/kernel.h>
10491 -+#include <linux/string.h>
10492 -+
10493 -+#include <asm/bug.h>
10494 -+
10495 -+enum blake2s_lengths {
10496 -+ BLAKE2S_BLOCK_SIZE = 64,
10497 -+ BLAKE2S_HASH_SIZE = 32,
10498 -+ BLAKE2S_KEY_SIZE = 32,
10499 -+
10500 -+ BLAKE2S_128_HASH_SIZE = 16,
10501 -+ BLAKE2S_160_HASH_SIZE = 20,
10502 -+ BLAKE2S_224_HASH_SIZE = 28,
10503 -+ BLAKE2S_256_HASH_SIZE = 32,
10504 -+};
10505 -+
10506 -+struct blake2s_state {
10507 -+ u32 h[8];
10508 -+ u32 t[2];
10509 -+ u32 f[2];
10510 -+ u8 buf[BLAKE2S_BLOCK_SIZE];
10511 -+ unsigned int buflen;
10512 -+ unsigned int outlen;
10513 -+};
10514 -+
10515 -+enum blake2s_iv {
10516 -+ BLAKE2S_IV0 = 0x6A09E667UL,
10517 -+ BLAKE2S_IV1 = 0xBB67AE85UL,
10518 -+ BLAKE2S_IV2 = 0x3C6EF372UL,
10519 -+ BLAKE2S_IV3 = 0xA54FF53AUL,
10520 -+ BLAKE2S_IV4 = 0x510E527FUL,
10521 -+ BLAKE2S_IV5 = 0x9B05688CUL,
10522 -+ BLAKE2S_IV6 = 0x1F83D9ABUL,
10523 -+ BLAKE2S_IV7 = 0x5BE0CD19UL,
10524 -+};
10525 -+
10526 -+void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen);
10527 -+void blake2s_final(struct blake2s_state *state, u8 *out);
10528 -+
10529 -+static inline void blake2s_init_param(struct blake2s_state *state,
10530 -+ const u32 param)
10531 -+{
10532 -+ *state = (struct blake2s_state){{
10533 -+ BLAKE2S_IV0 ^ param,
10534 -+ BLAKE2S_IV1,
10535 -+ BLAKE2S_IV2,
10536 -+ BLAKE2S_IV3,
10537 -+ BLAKE2S_IV4,
10538 -+ BLAKE2S_IV5,
10539 -+ BLAKE2S_IV6,
10540 -+ BLAKE2S_IV7,
10541 -+ }};
10542 -+}
10543 -+
10544 -+static inline void blake2s_init(struct blake2s_state *state,
10545 -+ const size_t outlen)
10546 -+{
10547 -+ blake2s_init_param(state, 0x01010000 | outlen);
10548 -+ state->outlen = outlen;
10549 -+}
10550 -+
10551 -+static inline void blake2s_init_key(struct blake2s_state *state,
10552 -+ const size_t outlen, const void *key,
10553 -+ const size_t keylen)
10554 -+{
10555 -+ WARN_ON(IS_ENABLED(DEBUG) && (!outlen || outlen > BLAKE2S_HASH_SIZE ||
10556 -+ !key || !keylen || keylen > BLAKE2S_KEY_SIZE));
10557 -+
10558 -+ blake2s_init_param(state, 0x01010000 | keylen << 8 | outlen);
10559 -+ memcpy(state->buf, key, keylen);
10560 -+ state->buflen = BLAKE2S_BLOCK_SIZE;
10561 -+ state->outlen = outlen;
10562 -+}
10563 -+
10564 -+static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
10565 -+ const size_t outlen, const size_t inlen,
10566 -+ const size_t keylen)
10567 -+{
10568 -+ struct blake2s_state state;
10569 -+
10570 -+ WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen ||
10571 -+ outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE ||
10572 -+ (!key && keylen)));
10573 -+
10574 -+ if (keylen)
10575 -+ blake2s_init_key(&state, outlen, key, keylen);
10576 -+ else
10577 -+ blake2s_init(&state, outlen);
10578 -+
10579 -+ blake2s_update(&state, in, inlen);
10580 -+ blake2s_final(&state, out);
10581 -+}
10582 -+
10583 -+void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
10584 -+ const size_t keylen);
10585 -+
10586 -+#endif /* BLAKE2S_H */
10587 ---- b/include/crypto/internal/blake2s.h
10588 -+++ b/include/crypto/internal/blake2s.h
10589 -@@ -0,0 +1,24 @@
10590 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
10591 -+
10592 -+#ifndef BLAKE2S_INTERNAL_H
10593 -+#define BLAKE2S_INTERNAL_H
10594 -+
10595 -+#include <crypto/blake2s.h>
10596 -+
10597 -+struct blake2s_tfm_ctx {
10598 -+ u8 key[BLAKE2S_KEY_SIZE];
10599 -+ unsigned int keylen;
10600 -+};
10601 -+
10602 -+void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
10603 -+ size_t nblocks, const u32 inc);
10604 -+
10605 -+void blake2s_compress_arch(struct blake2s_state *state,const u8 *block,
10606 -+ size_t nblocks, const u32 inc);
10607 -+
10608 -+static inline void blake2s_set_lastblock(struct blake2s_state *state)
10609 -+{
10610 -+ state->f[0] = -1;
10611 -+}
10612 -+
10613 -+#endif /* BLAKE2S_INTERNAL_H */
10614 ---- /dev/null
10615 -+++ b/lib/crypto/blake2s-generic.c
10616 -@@ -0,0 +1,111 @@
10617 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
10618 -+/*
10619 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
10620 -+ *
10621 -+ * This is an implementation of the BLAKE2s hash and PRF functions.
10622 -+ *
10623 -+ * Information: https://blake2.net/
10624 -+ *
10625 -+ */
10626 -+
10627 -+#include <crypto/internal/blake2s.h>
10628 -+#include <linux/types.h>
10629 -+#include <linux/string.h>
10630 -+#include <linux/kernel.h>
10631 -+#include <linux/module.h>
10632 -+#include <linux/init.h>
10633 -+#include <linux/bug.h>
10634 -+#include <asm/unaligned.h>
10635 -+
10636 -+static const u8 blake2s_sigma[10][16] = {
10637 -+ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
10638 -+ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
10639 -+ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
10640 -+ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
10641 -+ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
10642 -+ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
10643 -+ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
10644 -+ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
10645 -+ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
10646 -+ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
10647 -+};
10648 -+
10649 -+static inline void blake2s_increment_counter(struct blake2s_state *state,
10650 -+ const u32 inc)
10651 -+{
10652 -+ state->t[0] += inc;
10653 -+ state->t[1] += (state->t[0] < inc);
10654 -+}
10655 -+
10656 -+void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
10657 -+ size_t nblocks, const u32 inc)
10658 -+{
10659 -+ u32 m[16];
10660 -+ u32 v[16];
10661 -+ int i;
10662 -+
10663 -+ WARN_ON(IS_ENABLED(DEBUG) &&
10664 -+ (nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
10665 -+
10666 -+ while (nblocks > 0) {
10667 -+ blake2s_increment_counter(state, inc);
10668 -+ memcpy(m, block, BLAKE2S_BLOCK_SIZE);
10669 -+ le32_to_cpu_array(m, ARRAY_SIZE(m));
10670 -+ memcpy(v, state->h, 32);
10671 -+ v[ 8] = BLAKE2S_IV0;
10672 -+ v[ 9] = BLAKE2S_IV1;
10673 -+ v[10] = BLAKE2S_IV2;
10674 -+ v[11] = BLAKE2S_IV3;
10675 -+ v[12] = BLAKE2S_IV4 ^ state->t[0];
10676 -+ v[13] = BLAKE2S_IV5 ^ state->t[1];
10677 -+ v[14] = BLAKE2S_IV6 ^ state->f[0];
10678 -+ v[15] = BLAKE2S_IV7 ^ state->f[1];
10679 -+
10680 -+#define G(r, i, a, b, c, d) do { \
10681 -+ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
10682 -+ d = ror32(d ^ a, 16); \
10683 -+ c += d; \
10684 -+ b = ror32(b ^ c, 12); \
10685 -+ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
10686 -+ d = ror32(d ^ a, 8); \
10687 -+ c += d; \
10688 -+ b = ror32(b ^ c, 7); \
10689 -+} while (0)
10690 -+
10691 -+#define ROUND(r) do { \
10692 -+ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
10693 -+ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
10694 -+ G(r, 2, v[2], v[ 6], v[10], v[14]); \
10695 -+ G(r, 3, v[3], v[ 7], v[11], v[15]); \
10696 -+ G(r, 4, v[0], v[ 5], v[10], v[15]); \
10697 -+ G(r, 5, v[1], v[ 6], v[11], v[12]); \
10698 -+ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
10699 -+ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
10700 -+} while (0)
10701 -+ ROUND(0);
10702 -+ ROUND(1);
10703 -+ ROUND(2);
10704 -+ ROUND(3);
10705 -+ ROUND(4);
10706 -+ ROUND(5);
10707 -+ ROUND(6);
10708 -+ ROUND(7);
10709 -+ ROUND(8);
10710 -+ ROUND(9);
10711 -+
10712 -+#undef G
10713 -+#undef ROUND
10714 -+
10715 -+ for (i = 0; i < 8; ++i)
10716 -+ state->h[i] ^= v[i] ^ v[i + 8];
10717 -+
10718 -+ block += BLAKE2S_BLOCK_SIZE;
10719 -+ --nblocks;
10720 -+ }
10721 -+}
10722 -+
10723 -+EXPORT_SYMBOL(blake2s_compress_generic);
10724 -+
10725 -+MODULE_LICENSE("GPL v2");
10726 -+MODULE_DESCRIPTION("BLAKE2s hash function");
10727 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
10728 ---- /dev/null
10729 -+++ b/lib/crypto/blake2s-selftest.c
10730 -@@ -0,0 +1,622 @@
10731 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
10732 -+/*
10733 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
10734 -+ */
10735 -+
10736 -+#include <crypto/blake2s.h>
10737 -+#include <linux/string.h>
10738 -+
10739 -+/*
10740 -+ * blake2s_testvecs[] generated with the program below (using libb2-dev and
10741 -+ * libssl-dev [OpenSSL])
10742 -+ *
10743 -+ * #include <blake2.h>
10744 -+ * #include <stdint.h>
10745 -+ * #include <stdio.h>
10746 -+ *
10747 -+ * #include <openssl/evp.h>
10748 -+ * #include <openssl/hmac.h>
10749 -+ *
10750 -+ * #define BLAKE2S_TESTVEC_COUNT 256
10751 -+ *
10752 -+ * static void print_vec(const uint8_t vec[], int len)
10753 -+ * {
10754 -+ * int i;
10755 -+ *
10756 -+ * printf(" { ");
10757 -+ * for (i = 0; i < len; i++) {
10758 -+ * if (i && (i % 12) == 0)
10759 -+ * printf("\n ");
10760 -+ * printf("0x%02x, ", vec[i]);
10761 -+ * }
10762 -+ * printf("},\n");
10763 -+ * }
10764 -+ *
10765 -+ * int main(void)
10766 -+ * {
10767 -+ * uint8_t key[BLAKE2S_KEYBYTES];
10768 -+ * uint8_t buf[BLAKE2S_TESTVEC_COUNT];
10769 -+ * uint8_t hash[BLAKE2S_OUTBYTES];
10770 -+ * int i, j;
10771 -+ *
10772 -+ * key[0] = key[1] = 1;
10773 -+ * for (i = 2; i < BLAKE2S_KEYBYTES; ++i)
10774 -+ * key[i] = key[i - 2] + key[i - 1];
10775 -+ *
10776 -+ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i)
10777 -+ * buf[i] = (uint8_t)i;
10778 -+ *
10779 -+ * printf("static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
10780 -+ *
10781 -+ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) {
10782 -+ * int outlen = 1 + i % BLAKE2S_OUTBYTES;
10783 -+ * int keylen = (13 * i) % (BLAKE2S_KEYBYTES + 1);
10784 -+ *
10785 -+ * blake2s(hash, buf, key + BLAKE2S_KEYBYTES - keylen, outlen, i,
10786 -+ * keylen);
10787 -+ * print_vec(hash, outlen);
10788 -+ * }
10789 -+ * printf("};\n\n");
10790 -+ *
10791 -+ * printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
10792 -+ *
10793 -+ * HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
10794 -+ * print_vec(hash, BLAKE2S_OUTBYTES);
10795 -+ *
10796 -+ * HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
10797 -+ * print_vec(hash, BLAKE2S_OUTBYTES);
10798 -+ *
10799 -+ * printf("};\n");
10800 -+ *
10801 -+ * return 0;
10802 -+ *}
10803 -+ */
10804 -+static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
10805 -+ { 0xa1, },
10806 -+ { 0x7c, 0x89, },
10807 -+ { 0x74, 0x0e, 0xd4, },
10808 -+ { 0x47, 0x0c, 0x21, 0x15, },
10809 -+ { 0x18, 0xd6, 0x9c, 0xa6, 0xc4, },
10810 -+ { 0x13, 0x5d, 0x16, 0x63, 0x2e, 0xf9, },
10811 -+ { 0x2c, 0xb5, 0x04, 0xb7, 0x99, 0xe2, 0x73, },
10812 -+ { 0x9a, 0x0f, 0xd2, 0x39, 0xd6, 0x68, 0x1b, 0x92, },
10813 -+ { 0xc8, 0xde, 0x7a, 0xea, 0x2f, 0xf4, 0xd2, 0xe3, 0x2b, },
10814 -+ { 0x5b, 0xf9, 0x43, 0x52, 0x0c, 0x12, 0xba, 0xb5, 0x93, 0x9f, },
10815 -+ { 0xc6, 0x2c, 0x4e, 0x80, 0xfc, 0x32, 0x5b, 0x33, 0xb8, 0xb8, 0x0a, },
10816 -+ { 0xa7, 0x5c, 0xfd, 0x3a, 0xcc, 0xbf, 0x90, 0xca, 0xb7, 0x97, 0xde, 0xd8, },
10817 -+ { 0x66, 0xca, 0x3c, 0xc4, 0x19, 0xef, 0x92, 0x66, 0x3f, 0x21, 0x8f, 0xda,
10818 -+ 0xb7, },
10819 -+ { 0xba, 0xe5, 0xbb, 0x30, 0x25, 0x94, 0x6d, 0xc3, 0x89, 0x09, 0xc4, 0x25,
10820 -+ 0x52, 0x3e, },
10821 -+ { 0xa2, 0xef, 0x0e, 0x52, 0x0b, 0x5f, 0xa2, 0x01, 0x6d, 0x0a, 0x25, 0xbc,
10822 -+ 0x57, 0xe2, 0x27, },
10823 -+ { 0x4f, 0xe0, 0xf9, 0x52, 0x12, 0xda, 0x84, 0xb7, 0xab, 0xae, 0xb0, 0xa6,
10824 -+ 0x47, 0x2a, 0xc7, 0xf5, },
10825 -+ { 0x56, 0xe7, 0xa8, 0x1c, 0x4c, 0xca, 0xed, 0x90, 0x31, 0xec, 0x87, 0x43,
10826 -+ 0xe7, 0x72, 0x08, 0xec, 0xbe, },
10827 -+ { 0x7e, 0xdf, 0x80, 0x1c, 0x93, 0x33, 0xfd, 0x53, 0x44, 0xba, 0xfd, 0x96,
10828 -+ 0xe1, 0xbb, 0xb5, 0x65, 0xa5, 0x00, },
10829 -+ { 0xec, 0x6b, 0xed, 0xf7, 0x7b, 0x62, 0x1d, 0x7d, 0xf4, 0x82, 0xf3, 0x1e,
10830 -+ 0x18, 0xff, 0x2b, 0xc4, 0x06, 0x20, 0x2a, },
10831 -+ { 0x74, 0x98, 0xd7, 0x68, 0x63, 0xed, 0x87, 0xe4, 0x5d, 0x8d, 0x9e, 0x1d,
10832 -+ 0xfd, 0x2a, 0xbb, 0x86, 0xac, 0xe9, 0x2a, 0x89, },
10833 -+ { 0x89, 0xc3, 0x88, 0xce, 0x2b, 0x33, 0x1e, 0x10, 0xd1, 0x37, 0x20, 0x86,
10834 -+ 0x28, 0x43, 0x70, 0xd9, 0xfb, 0x96, 0xd9, 0xb5, 0xd3, },
10835 -+ { 0xcb, 0x56, 0x74, 0x41, 0x8d, 0x80, 0x01, 0x9a, 0x6b, 0x38, 0xe1, 0x41,
10836 -+ 0xad, 0x9c, 0x62, 0x74, 0xce, 0x35, 0xd5, 0x6c, 0x89, 0x6e, },
10837 -+ { 0x79, 0xaf, 0x94, 0x59, 0x99, 0x26, 0xe1, 0xc9, 0x34, 0xfe, 0x7c, 0x22,
10838 -+ 0xf7, 0x43, 0xd7, 0x65, 0xd4, 0x48, 0x18, 0xac, 0x3d, 0xfd, 0x93, },
10839 -+ { 0x85, 0x0d, 0xff, 0xb8, 0x3e, 0x87, 0x41, 0xb0, 0x95, 0xd3, 0x3d, 0x00,
10840 -+ 0x47, 0x55, 0x9e, 0xd2, 0x69, 0xea, 0xbf, 0xe9, 0x7a, 0x2d, 0x61, 0x45, },
10841 -+ { 0x03, 0xe0, 0x85, 0xec, 0x54, 0xb5, 0x16, 0x53, 0xa8, 0xc4, 0x71, 0xe9,
10842 -+ 0x6a, 0xe7, 0xcb, 0xc4, 0x15, 0x02, 0xfc, 0x34, 0xa4, 0xa4, 0x28, 0x13,
10843 -+ 0xd1, },
10844 -+ { 0xe3, 0x34, 0x4b, 0xe1, 0xd0, 0x4b, 0x55, 0x61, 0x8f, 0xc0, 0x24, 0x05,
10845 -+ 0xe6, 0xe0, 0x3d, 0x70, 0x24, 0x4d, 0xda, 0xb8, 0x91, 0x05, 0x29, 0x07,
10846 -+ 0x01, 0x3e, },
10847 -+ { 0x61, 0xff, 0x01, 0x72, 0xb1, 0x4d, 0xf6, 0xfe, 0xd1, 0xd1, 0x08, 0x74,
10848 -+ 0xe6, 0x91, 0x44, 0xeb, 0x61, 0xda, 0x40, 0xaf, 0xfc, 0x8c, 0x91, 0x6b,
10849 -+ 0xec, 0x13, 0xed, },
10850 -+ { 0xd4, 0x40, 0xd2, 0xa0, 0x7f, 0xc1, 0x58, 0x0c, 0x85, 0xa0, 0x86, 0xc7,
10851 -+ 0x86, 0xb9, 0x61, 0xc9, 0xea, 0x19, 0x86, 0x1f, 0xab, 0x07, 0xce, 0x37,
10852 -+ 0x72, 0x67, 0x09, 0xfc, },
10853 -+ { 0x9e, 0xf8, 0x18, 0x67, 0x93, 0x10, 0x9b, 0x39, 0x75, 0xe8, 0x8b, 0x38,
10854 -+ 0x82, 0x7d, 0xb8, 0xb7, 0xa5, 0xaf, 0xe6, 0x6a, 0x22, 0x5e, 0x1f, 0x9c,
10855 -+ 0x95, 0x29, 0x19, 0xf2, 0x4b, },
10856 -+ { 0xc8, 0x62, 0x25, 0xf5, 0x98, 0xc9, 0xea, 0xe5, 0x29, 0x3a, 0xd3, 0x22,
10857 -+ 0xeb, 0xeb, 0x07, 0x7c, 0x15, 0x07, 0xee, 0x15, 0x61, 0xbb, 0x05, 0x30,
10858 -+ 0x99, 0x7f, 0x11, 0xf6, 0x0a, 0x1d, },
10859 -+ { 0x68, 0x70, 0xf7, 0x90, 0xa1, 0x8b, 0x1f, 0x0f, 0xbb, 0xce, 0xd2, 0x0e,
10860 -+ 0x33, 0x1f, 0x7f, 0xa9, 0x78, 0xa8, 0xa6, 0x81, 0x66, 0xab, 0x8d, 0xcd,
10861 -+ 0x58, 0x55, 0x3a, 0x0b, 0x7a, 0xdb, 0xb5, },
10862 -+ { 0xdd, 0x35, 0xd2, 0xb4, 0xf6, 0xc7, 0xea, 0xab, 0x64, 0x24, 0x4e, 0xfe,
10863 -+ 0xe5, 0x3d, 0x4e, 0x95, 0x8b, 0x6d, 0x6c, 0xbc, 0xb0, 0xf8, 0x88, 0x61,
10864 -+ 0x09, 0xb7, 0x78, 0xa3, 0x31, 0xfe, 0xd9, 0x2f, },
10865 -+ { 0x0a, },
10866 -+ { 0x6e, 0xd4, },
10867 -+ { 0x64, 0xe9, 0xd1, },
10868 -+ { 0x30, 0xdd, 0x71, 0xef, },
10869 -+ { 0x11, 0xb5, 0x0c, 0x87, 0xc9, },
10870 -+ { 0x06, 0x1c, 0x6d, 0x04, 0x82, 0xd0, },
10871 -+ { 0x5c, 0x42, 0x0b, 0xee, 0xc5, 0x9c, 0xb2, },
10872 -+ { 0xe8, 0x29, 0xd6, 0xb4, 0x5d, 0xf7, 0x2b, 0x93, },
10873 -+ { 0x18, 0xca, 0x27, 0x72, 0x43, 0x39, 0x16, 0xbc, 0x6a, },
10874 -+ { 0x39, 0x8f, 0xfd, 0x64, 0xf5, 0x57, 0x23, 0xb0, 0x45, 0xf8, },
10875 -+ { 0xbb, 0x3a, 0x78, 0x6b, 0x02, 0x1d, 0x0b, 0x16, 0xe3, 0xb2, 0x9a, },
10876 -+ { 0xb8, 0xb4, 0x0b, 0xe5, 0xd4, 0x1d, 0x0d, 0x85, 0x49, 0x91, 0x35, 0xfa, },
10877 -+ { 0x6d, 0x48, 0x2a, 0x0c, 0x42, 0x08, 0xbd, 0xa9, 0x78, 0x6f, 0x18, 0xaf,
10878 -+ 0xe2, },
10879 -+ { 0x10, 0x45, 0xd4, 0x58, 0x88, 0xec, 0x4e, 0x1e, 0xf6, 0x14, 0x92, 0x64,
10880 -+ 0x7e, 0xb0, },
10881 -+ { 0x8b, 0x0b, 0x95, 0xee, 0x92, 0xc6, 0x3b, 0x91, 0xf1, 0x1e, 0xeb, 0x51,
10882 -+ 0x98, 0x0a, 0x8d, },
10883 -+ { 0xa3, 0x50, 0x4d, 0xa5, 0x1d, 0x03, 0x68, 0xe9, 0x57, 0x78, 0xd6, 0x04,
10884 -+ 0xf1, 0xc3, 0x94, 0xd8, },
10885 -+ { 0xb8, 0x66, 0x6e, 0xdd, 0x46, 0x15, 0xae, 0x3d, 0x83, 0x7e, 0xcf, 0xe7,
10886 -+ 0x2c, 0xe8, 0x8f, 0xc7, 0x34, },
10887 -+ { 0x2e, 0xc0, 0x1f, 0x29, 0xea, 0xf6, 0xb9, 0xe2, 0xc2, 0x93, 0xeb, 0x41,
10888 -+ 0x0d, 0xf0, 0x0a, 0x13, 0x0e, 0xa2, },
10889 -+ { 0x71, 0xb8, 0x33, 0xa9, 0x1b, 0xac, 0xf1, 0xb5, 0x42, 0x8f, 0x5e, 0x81,
10890 -+ 0x34, 0x43, 0xb7, 0xa4, 0x18, 0x5c, 0x47, },
10891 -+ { 0xda, 0x45, 0xb8, 0x2e, 0x82, 0x1e, 0xc0, 0x59, 0x77, 0x9d, 0xfa, 0xb4,
10892 -+ 0x1c, 0x5e, 0xa0, 0x2b, 0x33, 0x96, 0x5a, 0x58, },
10893 -+ { 0xe3, 0x09, 0x05, 0xa9, 0xeb, 0x48, 0x13, 0xad, 0x71, 0x88, 0x81, 0x9a,
10894 -+ 0x3e, 0x2c, 0xe1, 0x23, 0x99, 0x13, 0x35, 0x9f, 0xb5, },
10895 -+ { 0xb7, 0x86, 0x2d, 0x16, 0xe1, 0x04, 0x00, 0x47, 0x47, 0x61, 0x31, 0xfb,
10896 -+ 0x14, 0xac, 0xd8, 0xe9, 0xe3, 0x49, 0xbd, 0xf7, 0x9c, 0x3f, },
10897 -+ { 0x7f, 0xd9, 0x95, 0xa8, 0xa7, 0xa0, 0xcc, 0xba, 0xef, 0xb1, 0x0a, 0xa9,
10898 -+ 0x21, 0x62, 0x08, 0x0f, 0x1b, 0xff, 0x7b, 0x9d, 0xae, 0xb2, 0x95, },
10899 -+ { 0x85, 0x99, 0xea, 0x33, 0xe0, 0x56, 0xff, 0x13, 0xc6, 0x61, 0x8c, 0xf9,
10900 -+ 0x57, 0x05, 0x03, 0x11, 0xf9, 0xfb, 0x3a, 0xf7, 0xce, 0xbb, 0x52, 0x30, },
10901 -+ { 0xb2, 0x72, 0x9c, 0xf8, 0x77, 0x4e, 0x8f, 0x6b, 0x01, 0x6c, 0xff, 0x4e,
10902 -+ 0x4f, 0x02, 0xd2, 0xbc, 0xeb, 0x51, 0x28, 0x99, 0x50, 0xab, 0xc4, 0x42,
10903 -+ 0xe3, },
10904 -+ { 0x8b, 0x0a, 0xb5, 0x90, 0x8f, 0xf5, 0x7b, 0xdd, 0xba, 0x47, 0x37, 0xc9,
10905 -+ 0x2a, 0xd5, 0x4b, 0x25, 0x08, 0x8b, 0x02, 0x17, 0xa7, 0x9e, 0x6b, 0x6e,
10906 -+ 0xe3, 0x90, },
10907 -+ { 0x90, 0xdd, 0xf7, 0x75, 0xa7, 0xa3, 0x99, 0x5e, 0x5b, 0x7d, 0x75, 0xc3,
10908 -+ 0x39, 0x6b, 0xa0, 0xe2, 0x44, 0x53, 0xb1, 0x9e, 0xc8, 0xf1, 0x77, 0x10,
10909 -+ 0x58, 0x06, 0x9a, },
10910 -+ { 0x99, 0x52, 0xf0, 0x49, 0xa8, 0x8c, 0xec, 0xa6, 0x97, 0x32, 0x13, 0xb5,
10911 -+ 0xf7, 0xa3, 0x8e, 0xfb, 0x4b, 0x59, 0x31, 0x3d, 0x01, 0x59, 0x98, 0x5d,
10912 -+ 0x53, 0x03, 0x1a, 0x39, },
10913 -+ { 0x9f, 0xe0, 0xc2, 0xe5, 0x5d, 0x93, 0xd6, 0x9b, 0x47, 0x8f, 0x9b, 0xe0,
10914 -+ 0x26, 0x35, 0x84, 0x20, 0x1d, 0xc5, 0x53, 0x10, 0x0f, 0x22, 0xb9, 0xb5,
10915 -+ 0xd4, 0x36, 0xb1, 0xac, 0x73, },
10916 -+ { 0x30, 0x32, 0x20, 0x3b, 0x10, 0x28, 0xec, 0x1f, 0x4f, 0x9b, 0x47, 0x59,
10917 -+ 0xeb, 0x7b, 0xee, 0x45, 0xfb, 0x0c, 0x49, 0xd8, 0x3d, 0x69, 0xbd, 0x90,
10918 -+ 0x2c, 0xf0, 0x9e, 0x8d, 0xbf, 0xd5, },
10919 -+ { 0x2a, 0x37, 0x73, 0x7f, 0xf9, 0x96, 0x19, 0xaa, 0x25, 0xd8, 0x13, 0x28,
10920 -+ 0x01, 0x29, 0x89, 0xdf, 0x6e, 0x0c, 0x9b, 0x43, 0x44, 0x51, 0xe9, 0x75,
10921 -+ 0x26, 0x0c, 0xb7, 0x87, 0x66, 0x0b, 0x5f, },
10922 -+ { 0x23, 0xdf, 0x96, 0x68, 0x91, 0x86, 0xd0, 0x93, 0x55, 0x33, 0x24, 0xf6,
10923 -+ 0xba, 0x08, 0x75, 0x5b, 0x59, 0x11, 0x69, 0xb8, 0xb9, 0xe5, 0x2c, 0x77,
10924 -+ 0x02, 0xf6, 0x47, 0xee, 0x81, 0xdd, 0xb9, 0x06, },
10925 -+ { 0x9d, },
10926 -+ { 0x9d, 0x7d, },
10927 -+ { 0xfd, 0xc3, 0xda, },
10928 -+ { 0xe8, 0x82, 0xcd, 0x21, },
10929 -+ { 0xc3, 0x1d, 0x42, 0x4c, 0x74, },
10930 -+ { 0xe9, 0xda, 0xf1, 0xa2, 0xe5, 0x7c, },
10931 -+ { 0x52, 0xb8, 0x6f, 0x81, 0x5c, 0x3a, 0x4c, },
10932 -+ { 0x5b, 0x39, 0x26, 0xfc, 0x92, 0x5e, 0xe0, 0x49, },
10933 -+ { 0x59, 0xe4, 0x7c, 0x93, 0x1c, 0xf9, 0x28, 0x93, 0xde, },
10934 -+ { 0xde, 0xdf, 0xb2, 0x43, 0x61, 0x0b, 0x86, 0x16, 0x4c, 0x2e, },
10935 -+ { 0x14, 0x8f, 0x75, 0x51, 0xaf, 0xb9, 0xee, 0x51, 0x5a, 0xae, 0x23, },
10936 -+ { 0x43, 0x5f, 0x50, 0xd5, 0x70, 0xb0, 0x5b, 0x87, 0xf5, 0xd9, 0xb3, 0x6d, },
10937 -+ { 0x66, 0x0a, 0x64, 0x93, 0x79, 0x71, 0x94, 0x40, 0xb7, 0x68, 0x2d, 0xd3,
10938 -+ 0x63, },
10939 -+ { 0x15, 0x00, 0xc4, 0x0c, 0x7d, 0x1b, 0x10, 0xa9, 0x73, 0x1b, 0x90, 0x6f,
10940 -+ 0xe6, 0xa9, },
10941 -+ { 0x34, 0x75, 0xf3, 0x86, 0x8f, 0x56, 0xcf, 0x2a, 0x0a, 0xf2, 0x62, 0x0a,
10942 -+ 0xf6, 0x0e, 0x20, },
10943 -+ { 0xb1, 0xde, 0xc9, 0xf5, 0xdb, 0xf3, 0x2f, 0x4c, 0xd6, 0x41, 0x7d, 0x39,
10944 -+ 0x18, 0x3e, 0xc7, 0xc3, },
10945 -+ { 0xc5, 0x89, 0xb2, 0xf8, 0xb8, 0xc0, 0xa3, 0xb9, 0x3b, 0x10, 0x6d, 0x7c,
10946 -+ 0x92, 0xfc, 0x7f, 0x34, 0x41, },
10947 -+ { 0xc4, 0xd8, 0xef, 0xba, 0xef, 0xd2, 0xaa, 0xc5, 0x6c, 0x8e, 0x3e, 0xbb,
10948 -+ 0x12, 0xfc, 0x0f, 0x72, 0xbf, 0x0f, },
10949 -+ { 0xdd, 0x91, 0xd1, 0x15, 0x9e, 0x7d, 0xf8, 0xc1, 0xb9, 0x14, 0x63, 0x96,
10950 -+ 0xb5, 0xcb, 0x83, 0x1d, 0x35, 0x1c, 0xec, },
10951 -+ { 0xa9, 0xf8, 0x52, 0xc9, 0x67, 0x76, 0x2b, 0xad, 0xfb, 0xd8, 0x3a, 0xa6,
10952 -+ 0x74, 0x02, 0xae, 0xb8, 0x25, 0x2c, 0x63, 0x49, },
10953 -+ { 0x77, 0x1f, 0x66, 0x70, 0xfd, 0x50, 0x29, 0xaa, 0xeb, 0xdc, 0xee, 0xba,
10954 -+ 0x75, 0x98, 0xdc, 0x93, 0x12, 0x3f, 0xdc, 0x7c, 0x38, },
10955 -+ { 0xe2, 0xe1, 0x89, 0x5c, 0x37, 0x38, 0x6a, 0xa3, 0x40, 0xac, 0x3f, 0xb0,
10956 -+ 0xca, 0xfc, 0xa7, 0xf3, 0xea, 0xf9, 0x0f, 0x5d, 0x8e, 0x39, },
10957 -+ { 0x0f, 0x67, 0xc8, 0x38, 0x01, 0xb1, 0xb7, 0xb8, 0xa2, 0xe7, 0x0a, 0x6d,
10958 -+ 0xd2, 0x63, 0x69, 0x9e, 0xcc, 0xf0, 0xf2, 0xbe, 0x9b, 0x98, 0xdd, },
10959 -+ { 0x13, 0xe1, 0x36, 0x30, 0xfe, 0xc6, 0x01, 0x8a, 0xa1, 0x63, 0x96, 0x59,
10960 -+ 0xc2, 0xa9, 0x68, 0x3f, 0x58, 0xd4, 0x19, 0x0c, 0x40, 0xf3, 0xde, 0x02, },
10961 -+ { 0xa3, 0x9e, 0xce, 0xda, 0x42, 0xee, 0x8c, 0x6c, 0x5a, 0x7d, 0xdc, 0x89,
10962 -+ 0x02, 0x77, 0xdd, 0xe7, 0x95, 0xbb, 0xff, 0x0d, 0xa4, 0xb5, 0x38, 0x1e,
10963 -+ 0xaf, },
10964 -+ { 0x9a, 0xf6, 0xb5, 0x9a, 0x4f, 0xa9, 0x4f, 0x2c, 0x35, 0x3c, 0x24, 0xdc,
10965 -+ 0x97, 0x6f, 0xd9, 0xa1, 0x7d, 0x1a, 0x85, 0x0b, 0xf5, 0xda, 0x2e, 0xe7,
10966 -+ 0xb1, 0x1d, },
10967 -+ { 0x84, 0x1e, 0x8e, 0x3d, 0x45, 0xa5, 0xf2, 0x27, 0xf3, 0x31, 0xfe, 0xb9,
10968 -+ 0xfb, 0xc5, 0x45, 0x99, 0x99, 0xdd, 0x93, 0x43, 0x02, 0xee, 0x58, 0xaf,
10969 -+ 0xee, 0x6a, 0xbe, },
10970 -+ { 0x07, 0x2f, 0xc0, 0xa2, 0x04, 0xc4, 0xab, 0x7c, 0x26, 0xbb, 0xa8, 0xd8,
10971 -+ 0xe3, 0x1c, 0x75, 0x15, 0x64, 0x5d, 0x02, 0x6a, 0xf0, 0x86, 0xe9, 0xcd,
10972 -+ 0x5c, 0xef, 0xa3, 0x25, },
10973 -+ { 0x2f, 0x3b, 0x1f, 0xb5, 0x91, 0x8f, 0x86, 0xe0, 0xdc, 0x31, 0x48, 0xb6,
10974 -+ 0xa1, 0x8c, 0xfd, 0x75, 0xbb, 0x7d, 0x3d, 0xc1, 0xf0, 0x10, 0x9a, 0xd8,
10975 -+ 0x4b, 0x0e, 0xe3, 0x94, 0x9f, },
10976 -+ { 0x29, 0xbb, 0x8f, 0x6c, 0xd1, 0xf2, 0xb6, 0xaf, 0xe5, 0xe3, 0x2d, 0xdc,
10977 -+ 0x6f, 0xa4, 0x53, 0x88, 0xd8, 0xcf, 0x4d, 0x45, 0x42, 0x62, 0xdb, 0xdf,
10978 -+ 0xf8, 0x45, 0xc2, 0x13, 0xec, 0x35, },
10979 -+ { 0x06, 0x3c, 0xe3, 0x2c, 0x15, 0xc6, 0x43, 0x03, 0x81, 0xfb, 0x08, 0x76,
10980 -+ 0x33, 0xcb, 0x02, 0xc1, 0xba, 0x33, 0xe5, 0xe0, 0xd1, 0x92, 0xa8, 0x46,
10981 -+ 0x28, 0x3f, 0x3e, 0x9d, 0x2c, 0x44, 0x54, },
10982 -+ { 0xea, 0xbb, 0x96, 0xf8, 0xd1, 0x8b, 0x04, 0x11, 0x40, 0x78, 0x42, 0x02,
10983 -+ 0x19, 0xd1, 0xbc, 0x65, 0x92, 0xd3, 0xc3, 0xd6, 0xd9, 0x19, 0xe7, 0xc3,
10984 -+ 0x40, 0x97, 0xbd, 0xd4, 0xed, 0xfa, 0x5e, 0x28, },
10985 -+ { 0x02, },
10986 -+ { 0x52, 0xa8, },
10987 -+ { 0x38, 0x25, 0x0d, },
10988 -+ { 0xe3, 0x04, 0xd4, 0x92, },
10989 -+ { 0x97, 0xdb, 0xf7, 0x81, 0xca, },
10990 -+ { 0x8a, 0x56, 0x9d, 0x62, 0x56, 0xcc, },
10991 -+ { 0xa1, 0x8e, 0x3c, 0x72, 0x8f, 0x63, 0x03, },
10992 -+ { 0xf7, 0xf3, 0x39, 0x09, 0x0a, 0xa1, 0xbb, 0x23, },
10993 -+ { 0x6b, 0x03, 0xc0, 0xe9, 0xd9, 0x83, 0x05, 0x22, 0x01, },
10994 -+ { 0x1b, 0x4b, 0xf5, 0xd6, 0x4f, 0x05, 0x75, 0x91, 0x4c, 0x7f, },
10995 -+ { 0x4c, 0x8c, 0x25, 0x20, 0x21, 0xcb, 0xc2, 0x4b, 0x3a, 0x5b, 0x8d, },
10996 -+ { 0x56, 0xe2, 0x77, 0xa0, 0xb6, 0x9f, 0x81, 0xec, 0x83, 0x75, 0xc4, 0xf9, },
10997 -+ { 0x71, 0x70, 0x0f, 0xad, 0x4d, 0x35, 0x81, 0x9d, 0x88, 0x69, 0xf9, 0xaa,
10998 -+ 0xd3, },
10999 -+ { 0x50, 0x6e, 0x86, 0x6e, 0x43, 0xc0, 0xc2, 0x44, 0xc2, 0xe2, 0xa0, 0x1c,
11000 -+ 0xb7, 0x9a, },
11001 -+ { 0xe4, 0x7e, 0x72, 0xc6, 0x12, 0x8e, 0x7c, 0xfc, 0xbd, 0xe2, 0x08, 0x31,
11002 -+ 0x3d, 0x47, 0x3d, },
11003 -+ { 0x08, 0x97, 0x5b, 0x80, 0xae, 0xc4, 0x1d, 0x50, 0x77, 0xdf, 0x1f, 0xd0,
11004 -+ 0x24, 0xf0, 0x17, 0xc0, },
11005 -+ { 0x01, 0xb6, 0x29, 0xf4, 0xaf, 0x78, 0x5f, 0xb6, 0x91, 0xdd, 0x76, 0x76,
11006 -+ 0xd2, 0xfd, 0x0c, 0x47, 0x40, },
11007 -+ { 0xa1, 0xd8, 0x09, 0x97, 0x7a, 0xa6, 0xc8, 0x94, 0xf6, 0x91, 0x7b, 0xae,
11008 -+ 0x2b, 0x9f, 0x0d, 0x83, 0x48, 0xf7, },
11009 -+ { 0x12, 0xd5, 0x53, 0x7d, 0x9a, 0xb0, 0xbe, 0xd9, 0xed, 0xe9, 0x9e, 0xee,
11010 -+ 0x61, 0x5b, 0x42, 0xf2, 0xc0, 0x73, 0xc0, },
11011 -+ { 0xd5, 0x77, 0xd6, 0x5c, 0x6e, 0xa5, 0x69, 0x2b, 0x3b, 0x8c, 0xd6, 0x7d,
11012 -+ 0x1d, 0xbe, 0x2c, 0xa1, 0x02, 0x21, 0xcd, 0x29, },
11013 -+ { 0xa4, 0x98, 0x80, 0xca, 0x22, 0xcf, 0x6a, 0xab, 0x5e, 0x40, 0x0d, 0x61,
11014 -+ 0x08, 0x21, 0xef, 0xc0, 0x6c, 0x52, 0xb4, 0xb0, 0x53, },
11015 -+ { 0xbf, 0xaf, 0x8f, 0x3b, 0x7a, 0x97, 0x33, 0xe5, 0xca, 0x07, 0x37, 0xfd,
11016 -+ 0x15, 0xdf, 0xce, 0x26, 0x2a, 0xb1, 0xa7, 0x0b, 0xb3, 0xac, },
11017 -+ { 0x16, 0x22, 0xe1, 0xbc, 0x99, 0x4e, 0x01, 0xf0, 0xfa, 0xff, 0x8f, 0xa5,
11018 -+ 0x0c, 0x61, 0xb0, 0xad, 0xcc, 0xb1, 0xe1, 0x21, 0x46, 0xfa, 0x2e, },
11019 -+ { 0x11, 0x5b, 0x0b, 0x2b, 0xe6, 0x14, 0xc1, 0xd5, 0x4d, 0x71, 0x5e, 0x17,
11020 -+ 0xea, 0x23, 0xdd, 0x6c, 0xbd, 0x1d, 0xbe, 0x12, 0x1b, 0xee, 0x4c, 0x1a, },
11021 -+ { 0x40, 0x88, 0x22, 0xf3, 0x20, 0x6c, 0xed, 0xe1, 0x36, 0x34, 0x62, 0x2c,
11022 -+ 0x98, 0x83, 0x52, 0xe2, 0x25, 0xee, 0xe9, 0xf5, 0xe1, 0x17, 0xf0, 0x5c,
11023 -+ 0xae, },
11024 -+ { 0xc3, 0x76, 0x37, 0xde, 0x95, 0x8c, 0xca, 0x2b, 0x0c, 0x23, 0xe7, 0xb5,
11025 -+ 0x38, 0x70, 0x61, 0xcc, 0xff, 0xd3, 0x95, 0x7b, 0xf3, 0xff, 0x1f, 0x9d,
11026 -+ 0x59, 0x00, },
11027 -+ { 0x0c, 0x19, 0x52, 0x05, 0x22, 0x53, 0xcb, 0x48, 0xd7, 0x10, 0x0e, 0x7e,
11028 -+ 0x14, 0x69, 0xb5, 0xa2, 0x92, 0x43, 0xa3, 0x9e, 0x4b, 0x8f, 0x51, 0x2c,
11029 -+ 0x5a, 0x2c, 0x3b, },
11030 -+ { 0xe1, 0x9d, 0x70, 0x70, 0x28, 0xec, 0x86, 0x40, 0x55, 0x33, 0x56, 0xda,
11031 -+ 0x88, 0xca, 0xee, 0xc8, 0x6a, 0x20, 0xb1, 0xe5, 0x3d, 0x57, 0xf8, 0x3c,
11032 -+ 0x10, 0x07, 0x2a, 0xc4, },
11033 -+ { 0x0b, 0xae, 0xf1, 0xc4, 0x79, 0xee, 0x1b, 0x3d, 0x27, 0x35, 0x8d, 0x14,
11034 -+ 0xd6, 0xae, 0x4e, 0x3c, 0xe9, 0x53, 0x50, 0xb5, 0xcc, 0x0c, 0xf7, 0xdf,
11035 -+ 0xee, 0xa1, 0x74, 0xd6, 0x71, },
11036 -+ { 0xe6, 0xa4, 0xf4, 0x99, 0x98, 0xb9, 0x80, 0xea, 0x96, 0x7f, 0x4f, 0x33,
11037 -+ 0xcf, 0x74, 0x25, 0x6f, 0x17, 0x6c, 0xbf, 0xf5, 0x5c, 0x38, 0xd0, 0xff,
11038 -+ 0x96, 0xcb, 0x13, 0xf9, 0xdf, 0xfd, },
11039 -+ { 0xbe, 0x92, 0xeb, 0xba, 0x44, 0x2c, 0x24, 0x74, 0xd4, 0x03, 0x27, 0x3c,
11040 -+ 0x5d, 0x5b, 0x03, 0x30, 0x87, 0x63, 0x69, 0xe0, 0xb8, 0x94, 0xf4, 0x44,
11041 -+ 0x7e, 0xad, 0xcd, 0x20, 0x12, 0x16, 0x79, },
11042 -+ { 0x30, 0xf1, 0xc4, 0x8e, 0x05, 0x90, 0x2a, 0x97, 0x63, 0x94, 0x46, 0xff,
11043 -+ 0xce, 0xd8, 0x67, 0xa7, 0xac, 0x33, 0x8c, 0x95, 0xb7, 0xcd, 0xa3, 0x23,
11044 -+ 0x98, 0x9d, 0x76, 0x6c, 0x9d, 0xa8, 0xd6, 0x8a, },
11045 -+ { 0xbe, },
11046 -+ { 0x17, 0x6c, },
11047 -+ { 0x1a, 0x42, 0x4f, },
11048 -+ { 0xba, 0xaf, 0xb7, 0x65, },
11049 -+ { 0xc2, 0x63, 0x43, 0x6a, 0xea, },
11050 -+ { 0xe4, 0x4d, 0xad, 0xf2, 0x0b, 0x02, },
11051 -+ { 0x04, 0xc7, 0xc4, 0x7f, 0xa9, 0x2b, 0xce, },
11052 -+ { 0x66, 0xf6, 0x67, 0xcb, 0x03, 0x53, 0xc8, 0xf1, },
11053 -+ { 0x56, 0xa3, 0x60, 0x78, 0xc9, 0x5f, 0x70, 0x1b, 0x5e, },
11054 -+ { 0x99, 0xff, 0x81, 0x7c, 0x13, 0x3c, 0x29, 0x79, 0x4b, 0x65, },
11055 -+ { 0x51, 0x10, 0x50, 0x93, 0x01, 0x93, 0xb7, 0x01, 0xc9, 0x18, 0xb7, },
11056 -+ { 0x8e, 0x3c, 0x42, 0x1e, 0x5e, 0x7d, 0xc1, 0x50, 0x70, 0x1f, 0x00, 0x98, },
11057 -+ { 0x5f, 0xd9, 0x9b, 0xc8, 0xd7, 0xb2, 0x72, 0x62, 0x1a, 0x1e, 0xba, 0x92,
11058 -+ 0xe9, },
11059 -+ { 0x70, 0x2b, 0xba, 0xfe, 0xad, 0x5d, 0x96, 0x3f, 0x27, 0xc2, 0x41, 0x6d,
11060 -+ 0xc4, 0xb3, },
11061 -+ { 0xae, 0xe0, 0xd5, 0xd4, 0xc7, 0xae, 0x15, 0x5e, 0xdc, 0xdd, 0x33, 0x60,
11062 -+ 0xd7, 0xd3, 0x5e, },
11063 -+ { 0x79, 0x8e, 0xbc, 0x9e, 0x20, 0xb9, 0x19, 0x4b, 0x63, 0x80, 0xf3, 0x16,
11064 -+ 0xaf, 0x39, 0xbd, 0x92, },
11065 -+ { 0xc2, 0x0e, 0x85, 0xa0, 0x0b, 0x9a, 0xb0, 0xec, 0xde, 0x38, 0xd3, 0x10,
11066 -+ 0xd9, 0xa7, 0x66, 0x27, 0xcf, },
11067 -+ { 0x0e, 0x3b, 0x75, 0x80, 0x67, 0x14, 0x0c, 0x02, 0x90, 0xd6, 0xb3, 0x02,
11068 -+ 0x81, 0xf6, 0xa6, 0x87, 0xce, 0x58, },
11069 -+ { 0x79, 0xb5, 0xe9, 0x5d, 0x52, 0x4d, 0xf7, 0x59, 0xf4, 0x2e, 0x27, 0xdd,
11070 -+ 0xb3, 0xed, 0x57, 0x5b, 0x82, 0xea, 0x6f, },
11071 -+ { 0xa2, 0x97, 0xf5, 0x80, 0x02, 0x3d, 0xde, 0xa3, 0xf9, 0xf6, 0xab, 0xe3,
11072 -+ 0x57, 0x63, 0x7b, 0x9b, 0x10, 0x42, 0x6f, 0xf2, },
11073 -+ { 0x12, 0x7a, 0xfc, 0xb7, 0x67, 0x06, 0x0c, 0x78, 0x1a, 0xfe, 0x88, 0x4f,
11074 -+ 0xc6, 0xac, 0x52, 0x96, 0x64, 0x28, 0x97, 0x84, 0x06, },
11075 -+ { 0xc5, 0x04, 0x44, 0x6b, 0xb2, 0xa5, 0xa4, 0x66, 0xe1, 0x76, 0xa2, 0x51,
11076 -+ 0xf9, 0x59, 0x69, 0x97, 0x56, 0x0b, 0xbf, 0x50, 0xb3, 0x34, },
11077 -+ { 0x21, 0x32, 0x6b, 0x42, 0xb5, 0xed, 0x71, 0x8d, 0xf7, 0x5a, 0x35, 0xe3,
11078 -+ 0x90, 0xe2, 0xee, 0xaa, 0x89, 0xf6, 0xc9, 0x9c, 0x4d, 0x73, 0xf4, },
11079 -+ { 0x4c, 0xa6, 0x09, 0xf4, 0x48, 0xe7, 0x46, 0xbc, 0x49, 0xfc, 0xe5, 0xda,
11080 -+ 0xd1, 0x87, 0x13, 0x17, 0x4c, 0x59, 0x71, 0x26, 0x5b, 0x2c, 0x42, 0xb7, },
11081 -+ { 0x13, 0x63, 0xf3, 0x40, 0x02, 0xe5, 0xa3, 0x3a, 0x5e, 0x8e, 0xf8, 0xb6,
11082 -+ 0x8a, 0x49, 0x60, 0x76, 0x34, 0x72, 0x94, 0x73, 0xf6, 0xd9, 0x21, 0x6a,
11083 -+ 0x26, },
11084 -+ { 0xdf, 0x75, 0x16, 0x10, 0x1b, 0x5e, 0x81, 0xc3, 0xc8, 0xde, 0x34, 0x24,
11085 -+ 0xb0, 0x98, 0xeb, 0x1b, 0x8f, 0xa1, 0x9b, 0x05, 0xee, 0xa5, 0xe9, 0x35,
11086 -+ 0xf4, 0x1d, },
11087 -+ { 0xcd, 0x21, 0x93, 0x6e, 0x5b, 0xa0, 0x26, 0x2b, 0x21, 0x0e, 0xa0, 0xb9,
11088 -+ 0x1c, 0xb5, 0xbb, 0xb8, 0xf8, 0x1e, 0xff, 0x5c, 0xa8, 0xf9, 0x39, 0x46,
11089 -+ 0x4e, 0x29, 0x26, },
11090 -+ { 0x73, 0x7f, 0x0e, 0x3b, 0x0b, 0x5c, 0xf9, 0x60, 0xaa, 0x88, 0xa1, 0x09,
11091 -+ 0xb1, 0x5d, 0x38, 0x7b, 0x86, 0x8f, 0x13, 0x7a, 0x8d, 0x72, 0x7a, 0x98,
11092 -+ 0x1a, 0x5b, 0xff, 0xc9, },
11093 -+ { 0xd3, 0x3c, 0x61, 0x71, 0x44, 0x7e, 0x31, 0x74, 0x98, 0x9d, 0x9a, 0xd2,
11094 -+ 0x27, 0xf3, 0x46, 0x43, 0x42, 0x51, 0xd0, 0x5f, 0xe9, 0x1c, 0x5c, 0x69,
11095 -+ 0xbf, 0xf6, 0xbe, 0x3c, 0x40, },
11096 -+ { 0x31, 0x99, 0x31, 0x9f, 0xaa, 0x43, 0x2e, 0x77, 0x3e, 0x74, 0x26, 0x31,
11097 -+ 0x5e, 0x61, 0xf1, 0x87, 0xe2, 0xeb, 0x9b, 0xcd, 0xd0, 0x3a, 0xee, 0x20,
11098 -+ 0x7e, 0x10, 0x0a, 0x0b, 0x7e, 0xfa, },
11099 -+ { 0xa4, 0x27, 0x80, 0x67, 0x81, 0x2a, 0xa7, 0x62, 0xf7, 0x6e, 0xda, 0xd4,
11100 -+ 0x5c, 0x39, 0x74, 0xad, 0x7e, 0xbe, 0xad, 0xa5, 0x84, 0x7f, 0xa9, 0x30,
11101 -+ 0x5d, 0xdb, 0xe2, 0x05, 0x43, 0xf7, 0x1b, },
11102 -+ { 0x0b, 0x37, 0xd8, 0x02, 0xe1, 0x83, 0xd6, 0x80, 0xf2, 0x35, 0xc2, 0xb0,
11103 -+ 0x37, 0xef, 0xef, 0x5e, 0x43, 0x93, 0xf0, 0x49, 0x45, 0x0a, 0xef, 0xb5,
11104 -+ 0x76, 0x70, 0x12, 0x44, 0xc4, 0xdb, 0xf5, 0x7a, },
11105 -+ { 0x1f, },
11106 -+ { 0x82, 0x60, },
11107 -+ { 0xcc, 0xe3, 0x08, },
11108 -+ { 0x56, 0x17, 0xe4, 0x59, },
11109 -+ { 0xe2, 0xd7, 0x9e, 0xc4, 0x4c, },
11110 -+ { 0xb2, 0xad, 0xd3, 0x78, 0x58, 0x5a, },
11111 -+ { 0xce, 0x43, 0xb4, 0x02, 0x96, 0xab, 0x3c, },
11112 -+ { 0xe6, 0x05, 0x1a, 0x73, 0x22, 0x32, 0xbb, 0x77, },
11113 -+ { 0x23, 0xe7, 0xda, 0xfe, 0x2c, 0xef, 0x8c, 0x22, 0xec, },
11114 -+ { 0xe9, 0x8e, 0x55, 0x38, 0xd1, 0xd7, 0x35, 0x23, 0x98, 0xc7, },
11115 -+ { 0xb5, 0x81, 0x1a, 0xe5, 0xb5, 0xa5, 0xd9, 0x4d, 0xca, 0x41, 0xe7, },
11116 -+ { 0x41, 0x16, 0x16, 0x95, 0x8d, 0x9e, 0x0c, 0xea, 0x8c, 0x71, 0x9a, 0xc1, },
11117 -+ { 0x7c, 0x33, 0xc0, 0xa4, 0x00, 0x62, 0xea, 0x60, 0x67, 0xe4, 0x20, 0xbc,
11118 -+ 0x5b, },
11119 -+ { 0xdb, 0xb1, 0xdc, 0xfd, 0x08, 0xc0, 0xde, 0x82, 0xd1, 0xde, 0x38, 0xc0,
11120 -+ 0x90, 0x48, },
11121 -+ { 0x37, 0x18, 0x2e, 0x0d, 0x61, 0xaa, 0x61, 0xd7, 0x86, 0x20, 0x16, 0x60,
11122 -+ 0x04, 0xd9, 0xd5, },
11123 -+ { 0xb0, 0xcf, 0x2c, 0x4c, 0x5e, 0x5b, 0x4f, 0x2a, 0x23, 0x25, 0x58, 0x47,
11124 -+ 0xe5, 0x31, 0x06, 0x70, },
11125 -+ { 0x91, 0xa0, 0xa3, 0x86, 0x4e, 0xe0, 0x72, 0x38, 0x06, 0x67, 0x59, 0x5c,
11126 -+ 0x70, 0x25, 0xdb, 0x33, 0x27, },
11127 -+ { 0x44, 0x58, 0x66, 0xb8, 0x58, 0xc7, 0x13, 0xed, 0x4c, 0xc0, 0xf4, 0x9a,
11128 -+ 0x1e, 0x67, 0x75, 0x33, 0xb6, 0xb8, },
11129 -+ { 0x7f, 0x98, 0x4a, 0x8e, 0x50, 0xa2, 0x5c, 0xcd, 0x59, 0xde, 0x72, 0xb3,
11130 -+ 0x9d, 0xc3, 0x09, 0x8a, 0xab, 0x56, 0xf1, },
11131 -+ { 0x80, 0x96, 0x49, 0x1a, 0x59, 0xa2, 0xc5, 0xd5, 0xa7, 0x20, 0x8a, 0xb7,
11132 -+ 0x27, 0x62, 0x84, 0x43, 0xc6, 0xe1, 0x1b, 0x5d, },
11133 -+ { 0x6b, 0xb7, 0x2b, 0x26, 0x62, 0x14, 0x70, 0x19, 0x3d, 0x4d, 0xac, 0xac,
11134 -+ 0x63, 0x58, 0x5e, 0x94, 0xb5, 0xb7, 0xe8, 0xe8, 0xa2, },
11135 -+ { 0x20, 0xa8, 0xc0, 0xfd, 0x63, 0x3d, 0x6e, 0x98, 0xcf, 0x0c, 0x49, 0x98,
11136 -+ 0xe4, 0x5a, 0xfe, 0x8c, 0xaa, 0x70, 0x82, 0x1c, 0x7b, 0x74, },
11137 -+ { 0xc8, 0xe8, 0xdd, 0xdf, 0x69, 0x30, 0x01, 0xc2, 0x0f, 0x7e, 0x2f, 0x11,
11138 -+ 0xcc, 0x3e, 0x17, 0xa5, 0x69, 0x40, 0x3f, 0x0e, 0x79, 0x7f, 0xcf, },
11139 -+ { 0xdb, 0x61, 0xc0, 0xe2, 0x2e, 0x49, 0x07, 0x31, 0x1d, 0x91, 0x42, 0x8a,
11140 -+ 0xfc, 0x5e, 0xd3, 0xf8, 0x56, 0x1f, 0x2b, 0x73, 0xfd, 0x9f, 0xb2, 0x8e, },
11141 -+ { 0x0c, 0x89, 0x55, 0x0c, 0x1f, 0x59, 0x2c, 0x9d, 0x1b, 0x29, 0x1d, 0x41,
11142 -+ 0x1d, 0xe6, 0x47, 0x8f, 0x8c, 0x2b, 0xea, 0x8f, 0xf0, 0xff, 0x21, 0x70,
11143 -+ 0x88, },
11144 -+ { 0x12, 0x18, 0x95, 0xa6, 0x59, 0xb1, 0x31, 0x24, 0x45, 0x67, 0x55, 0xa4,
11145 -+ 0x1a, 0x2d, 0x48, 0x67, 0x1b, 0x43, 0x88, 0x2d, 0x8e, 0xa0, 0x70, 0xb3,
11146 -+ 0xc6, 0xbb, },
11147 -+ { 0xe7, 0xb1, 0x1d, 0xb2, 0x76, 0x4d, 0x68, 0x68, 0x68, 0x23, 0x02, 0x55,
11148 -+ 0x3a, 0xe2, 0xe5, 0xd5, 0x4b, 0x43, 0xf9, 0x34, 0x77, 0x5c, 0xa1, 0xf5,
11149 -+ 0x55, 0xfd, 0x4f, },
11150 -+ { 0x8c, 0x87, 0x5a, 0x08, 0x3a, 0x73, 0xad, 0x61, 0xe1, 0xe7, 0x99, 0x7e,
11151 -+ 0xf0, 0x5d, 0xe9, 0x5d, 0x16, 0x43, 0x80, 0x2f, 0xd0, 0x66, 0x34, 0xe2,
11152 -+ 0x42, 0x64, 0x3b, 0x1a, },
11153 -+ { 0x39, 0xc1, 0x99, 0xcf, 0x22, 0xbf, 0x16, 0x8f, 0x9f, 0x80, 0x7f, 0x95,
11154 -+ 0x0a, 0x05, 0x67, 0x27, 0xe7, 0x15, 0xdf, 0x9d, 0xb2, 0xfe, 0x1c, 0xb5,
11155 -+ 0x1d, 0x60, 0x8f, 0x8a, 0x1d, },
11156 -+ { 0x9b, 0x6e, 0x08, 0x09, 0x06, 0x73, 0xab, 0x68, 0x02, 0x62, 0x1a, 0xe4,
11157 -+ 0xd4, 0xdf, 0xc7, 0x02, 0x4c, 0x6a, 0x5f, 0xfd, 0x23, 0xac, 0xae, 0x6d,
11158 -+ 0x43, 0xa4, 0x7a, 0x50, 0x60, 0x3c, },
11159 -+ { 0x1d, 0xb4, 0xc6, 0xe1, 0xb1, 0x4b, 0xe3, 0xf2, 0xe2, 0x1a, 0x73, 0x1b,
11160 -+ 0xa0, 0x92, 0xa7, 0xf5, 0xff, 0x8f, 0x8b, 0x5d, 0xdf, 0xa8, 0x04, 0xb3,
11161 -+ 0xb0, 0xf7, 0xcc, 0x12, 0xfa, 0x35, 0x46, },
11162 -+ { 0x49, 0x45, 0x97, 0x11, 0x0f, 0x1c, 0x60, 0x8e, 0xe8, 0x47, 0x30, 0xcf,
11163 -+ 0x60, 0xa8, 0x71, 0xc5, 0x1b, 0xe9, 0x39, 0x4d, 0x49, 0xb6, 0x12, 0x1f,
11164 -+ 0x24, 0xab, 0x37, 0xff, 0x83, 0xc2, 0xe1, 0x3a, },
11165 -+ { 0x60, },
11166 -+ { 0x24, 0x26, },
11167 -+ { 0x47, 0xeb, 0xc9, },
11168 -+ { 0x4a, 0xd0, 0xbc, 0xf0, },
11169 -+ { 0x8e, 0x2b, 0xc9, 0x85, 0x3c, },
11170 -+ { 0xa2, 0x07, 0x15, 0xb8, 0x12, 0x74, },
11171 -+ { 0x0f, 0xdb, 0x5b, 0x33, 0x69, 0xfe, 0x4b, },
11172 -+ { 0xa2, 0x86, 0x54, 0xf4, 0xfd, 0xb2, 0xd4, 0xe6, },
11173 -+ { 0xbb, 0x84, 0x78, 0x49, 0x27, 0x8e, 0x61, 0xda, 0x60, },
11174 -+ { 0x04, 0xc3, 0xcd, 0xaa, 0x8f, 0xa7, 0x03, 0xc9, 0xf9, 0xb6, },
11175 -+ { 0xf8, 0x27, 0x1d, 0x61, 0xdc, 0x21, 0x42, 0xdd, 0xad, 0x92, 0x40, },
11176 -+ { 0x12, 0x87, 0xdf, 0xc2, 0x41, 0x45, 0x5a, 0x36, 0x48, 0x5b, 0x51, 0x2b, },
11177 -+ { 0xbb, 0x37, 0x5d, 0x1f, 0xf1, 0x68, 0x7a, 0xc4, 0xa5, 0xd2, 0xa4, 0x91,
11178 -+ 0x8d, },
11179 -+ { 0x5b, 0x27, 0xd1, 0x04, 0x54, 0x52, 0x9f, 0xa3, 0x47, 0x86, 0x33, 0x33,
11180 -+ 0xbf, 0xa0, },
11181 -+ { 0xcf, 0x04, 0xea, 0xf8, 0x03, 0x2a, 0x43, 0xff, 0xa6, 0x68, 0x21, 0x4c,
11182 -+ 0xd5, 0x4b, 0xed, },
11183 -+ { 0xaf, 0xb8, 0xbc, 0x63, 0x0f, 0x18, 0x4d, 0xe2, 0x7a, 0xdd, 0x46, 0x44,
11184 -+ 0xc8, 0x24, 0x0a, 0xb7, },
11185 -+ { 0x3e, 0xdc, 0x36, 0xe4, 0x89, 0xb1, 0xfa, 0xc6, 0x40, 0x93, 0x2e, 0x75,
11186 -+ 0xb2, 0x15, 0xd1, 0xb1, 0x10, },
11187 -+ { 0x6c, 0xd8, 0x20, 0x3b, 0x82, 0x79, 0xf9, 0xc8, 0xbc, 0x9d, 0xe0, 0x35,
11188 -+ 0xbe, 0x1b, 0x49, 0x1a, 0xbc, 0x3a, },
11189 -+ { 0x78, 0x65, 0x2c, 0xbe, 0x35, 0x67, 0xdc, 0x78, 0xd4, 0x41, 0xf6, 0xc9,
11190 -+ 0xde, 0xde, 0x1f, 0x18, 0x13, 0x31, 0x11, },
11191 -+ { 0x8a, 0x7f, 0xb1, 0x33, 0x8f, 0x0c, 0x3c, 0x0a, 0x06, 0x61, 0xf0, 0x47,
11192 -+ 0x29, 0x1b, 0x29, 0xbc, 0x1c, 0x47, 0xef, 0x7a, },
11193 -+ { 0x65, 0x91, 0xf1, 0xe6, 0xb3, 0x96, 0xd3, 0x8c, 0xc2, 0x4a, 0x59, 0x35,
11194 -+ 0x72, 0x8e, 0x0b, 0x9a, 0x87, 0xca, 0x34, 0x7b, 0x63, },
11195 -+ { 0x5f, 0x08, 0x87, 0x80, 0x56, 0x25, 0x89, 0x77, 0x61, 0x8c, 0x64, 0xa1,
11196 -+ 0x59, 0x6d, 0x59, 0x62, 0xe8, 0x4a, 0xc8, 0x58, 0x99, 0xd1, },
11197 -+ { 0x23, 0x87, 0x1d, 0xed, 0x6f, 0xf2, 0x91, 0x90, 0xe2, 0xfe, 0x43, 0x21,
11198 -+ 0xaf, 0x97, 0xc6, 0xbc, 0xd7, 0x15, 0xc7, 0x2d, 0x08, 0x77, 0x91, },
11199 -+ { 0x90, 0x47, 0x9a, 0x9e, 0x3a, 0xdf, 0xf3, 0xc9, 0x4c, 0x1e, 0xa7, 0xd4,
11200 -+ 0x6a, 0x32, 0x90, 0xfe, 0xb7, 0xb6, 0x7b, 0xfa, 0x96, 0x61, 0xfb, 0xa4, },
11201 -+ { 0xb1, 0x67, 0x60, 0x45, 0xb0, 0x96, 0xc5, 0x15, 0x9f, 0x4d, 0x26, 0xd7,
11202 -+ 0x9d, 0xf1, 0xf5, 0x6d, 0x21, 0x00, 0x94, 0x31, 0x64, 0x94, 0xd3, 0xa7,
11203 -+ 0xd3, },
11204 -+ { 0x02, 0x3e, 0xaf, 0xf3, 0x79, 0x73, 0xa5, 0xf5, 0xcc, 0x7a, 0x7f, 0xfb,
11205 -+ 0x79, 0x2b, 0x85, 0x8c, 0x88, 0x72, 0x06, 0xbe, 0xfe, 0xaf, 0xc1, 0x16,
11206 -+ 0xa6, 0xd6, },
11207 -+ { 0x2a, 0xb0, 0x1a, 0xe5, 0xaa, 0x6e, 0xb3, 0xae, 0x53, 0x85, 0x33, 0x80,
11208 -+ 0x75, 0xae, 0x30, 0xe6, 0xb8, 0x72, 0x42, 0xf6, 0x25, 0x4f, 0x38, 0x88,
11209 -+ 0x55, 0xd1, 0xa9, },
11210 -+ { 0x90, 0xd8, 0x0c, 0xc0, 0x93, 0x4b, 0x4f, 0x9e, 0x65, 0x6c, 0xa1, 0x54,
11211 -+ 0xa6, 0xf6, 0x6e, 0xca, 0xd2, 0xbb, 0x7e, 0x6a, 0x1c, 0xd3, 0xce, 0x46,
11212 -+ 0xef, 0xb0, 0x00, 0x8d, },
11213 -+ { 0xed, 0x9c, 0x49, 0xcd, 0xc2, 0xde, 0x38, 0x0e, 0xe9, 0x98, 0x6c, 0xc8,
11214 -+ 0x90, 0x9e, 0x3c, 0xd4, 0xd3, 0xeb, 0x88, 0x32, 0xc7, 0x28, 0xe3, 0x94,
11215 -+ 0x1c, 0x9f, 0x8b, 0xf3, 0xcb, },
11216 -+ { 0xac, 0xe7, 0x92, 0x16, 0xb4, 0x14, 0xa0, 0xe4, 0x04, 0x79, 0xa2, 0xf4,
11217 -+ 0x31, 0xe6, 0x0c, 0x26, 0xdc, 0xbf, 0x2f, 0x69, 0x1b, 0x55, 0x94, 0x67,
11218 -+ 0xda, 0x0c, 0xd7, 0x32, 0x1f, 0xef, },
11219 -+ { 0x68, 0x63, 0x85, 0x57, 0x95, 0x9e, 0x42, 0x27, 0x41, 0x43, 0x42, 0x02,
11220 -+ 0xa5, 0x78, 0xa7, 0xc6, 0x43, 0xc1, 0x6a, 0xba, 0x70, 0x80, 0xcd, 0x04,
11221 -+ 0xb6, 0x78, 0x76, 0x29, 0xf3, 0xe8, 0xa0, },
11222 -+ { 0xe6, 0xac, 0x8d, 0x9d, 0xf0, 0xc0, 0xf7, 0xf7, 0xe3, 0x3e, 0x4e, 0x28,
11223 -+ 0x0f, 0x59, 0xb2, 0x67, 0x9e, 0x84, 0x34, 0x42, 0x96, 0x30, 0x2b, 0xca,
11224 -+ 0x49, 0xb6, 0xc5, 0x9a, 0x84, 0x59, 0xa7, 0x81, },
11225 -+ { 0x7e, },
11226 -+ { 0x1e, 0x21, },
11227 -+ { 0x26, 0xd3, 0xdd, },
11228 -+ { 0x2c, 0xd4, 0xb3, 0x3d, },
11229 -+ { 0x86, 0x7b, 0x76, 0x3c, 0xf0, },
11230 -+ { 0x12, 0xc3, 0x70, 0x1d, 0x55, 0x18, },
11231 -+ { 0x96, 0xc2, 0xbd, 0x61, 0x55, 0xf4, 0x24, },
11232 -+ { 0x20, 0x51, 0xf7, 0x86, 0x58, 0x8f, 0x07, 0x2a, },
11233 -+ { 0x93, 0x15, 0xa8, 0x1d, 0xda, 0x97, 0xee, 0x0e, 0x6c, },
11234 -+ { 0x39, 0x93, 0xdf, 0xd5, 0x0e, 0xca, 0xdc, 0x7a, 0x92, 0xce, },
11235 -+ { 0x60, 0xd5, 0xfd, 0xf5, 0x1b, 0x26, 0x82, 0x26, 0x73, 0x02, 0xbc, },
11236 -+ { 0x98, 0xf2, 0x34, 0xe1, 0xf5, 0xfb, 0x00, 0xac, 0x10, 0x4a, 0x38, 0x9f, },
11237 -+ { 0xda, 0x3a, 0x92, 0x8a, 0xd0, 0xcd, 0x12, 0xcd, 0x15, 0xbb, 0xab, 0x77,
11238 -+ 0x66, },
11239 -+ { 0xa2, 0x92, 0x1a, 0xe5, 0xca, 0x0c, 0x30, 0x75, 0xeb, 0xaf, 0x00, 0x31,
11240 -+ 0x55, 0x66, },
11241 -+ { 0x06, 0xea, 0xfd, 0x3e, 0x86, 0x38, 0x62, 0x4e, 0xa9, 0x12, 0xa4, 0x12,
11242 -+ 0x43, 0xbf, 0xa1, },
11243 -+ { 0xe4, 0x71, 0x7b, 0x94, 0xdb, 0xa0, 0xd2, 0xff, 0x9b, 0xeb, 0xad, 0x8e,
11244 -+ 0x95, 0x8a, 0xc5, 0xed, },
11245 -+ { 0x25, 0x5a, 0x77, 0x71, 0x41, 0x0e, 0x7a, 0xe9, 0xed, 0x0c, 0x10, 0xef,
11246 -+ 0xf6, 0x2b, 0x3a, 0xba, 0x60, },
11247 -+ { 0xee, 0xe2, 0xa3, 0x67, 0x64, 0x1d, 0xc6, 0x04, 0xc4, 0xe1, 0x68, 0xd2,
11248 -+ 0x6e, 0xd2, 0x91, 0x75, 0x53, 0x07, },
11249 -+ { 0xe0, 0xf6, 0x4d, 0x8f, 0x68, 0xfc, 0x06, 0x7e, 0x18, 0x79, 0x7f, 0x2b,
11250 -+ 0x6d, 0xef, 0x46, 0x7f, 0xab, 0xb2, 0xad, },
11251 -+ { 0x3d, 0x35, 0x88, 0x9f, 0x2e, 0xcf, 0x96, 0x45, 0x07, 0x60, 0x71, 0x94,
11252 -+ 0x00, 0x8d, 0xbf, 0xf4, 0xef, 0x46, 0x2e, 0x3c, },
11253 -+ { 0x43, 0xcf, 0x98, 0xf7, 0x2d, 0xf4, 0x17, 0xe7, 0x8c, 0x05, 0x2d, 0x9b,
11254 -+ 0x24, 0xfb, 0x4d, 0xea, 0x4a, 0xec, 0x01, 0x25, 0x29, },
11255 -+ { 0x8e, 0x73, 0x9a, 0x78, 0x11, 0xfe, 0x48, 0xa0, 0x3b, 0x1a, 0x26, 0xdf,
11256 -+ 0x25, 0xe9, 0x59, 0x1c, 0x70, 0x07, 0x9f, 0xdc, 0xa0, 0xa6, },
11257 -+ { 0xe8, 0x47, 0x71, 0xc7, 0x3e, 0xdf, 0xb5, 0x13, 0xb9, 0x85, 0x13, 0xa8,
11258 -+ 0x54, 0x47, 0x6e, 0x59, 0x96, 0x09, 0x13, 0x5f, 0x82, 0x16, 0x0b, },
11259 -+ { 0xfb, 0xc0, 0x8c, 0x03, 0x21, 0xb3, 0xc4, 0xb5, 0x43, 0x32, 0x6c, 0xea,
11260 -+ 0x7f, 0xa8, 0x43, 0x91, 0xe8, 0x4e, 0x3f, 0xbf, 0x45, 0x58, 0x6a, 0xa3, },
11261 -+ { 0x55, 0xf8, 0xf3, 0x00, 0x76, 0x09, 0xef, 0x69, 0x5d, 0xd2, 0x8a, 0xf2,
11262 -+ 0x65, 0xc3, 0xcb, 0x9b, 0x43, 0xfd, 0xb1, 0x7e, 0x7f, 0xa1, 0x94, 0xb0,
11263 -+ 0xd7, },
11264 -+ { 0xaa, 0x13, 0xc1, 0x51, 0x40, 0x6d, 0x8d, 0x4c, 0x0a, 0x95, 0x64, 0x7b,
11265 -+ 0xd1, 0x96, 0xb6, 0x56, 0xb4, 0x5b, 0xcf, 0xd6, 0xd9, 0x15, 0x97, 0xdd,
11266 -+ 0xb6, 0xef, },
11267 -+ { 0xaf, 0xb7, 0x36, 0xb0, 0x04, 0xdb, 0xd7, 0x9c, 0x9a, 0x44, 0xc4, 0xf6,
11268 -+ 0x1f, 0x12, 0x21, 0x2d, 0x59, 0x30, 0x54, 0xab, 0x27, 0x61, 0xa3, 0x57,
11269 -+ 0xef, 0xf8, 0x53, },
11270 -+ { 0x97, 0x34, 0x45, 0x3e, 0xce, 0x7c, 0x35, 0xa2, 0xda, 0x9f, 0x4b, 0x46,
11271 -+ 0x6c, 0x11, 0x67, 0xff, 0x2f, 0x76, 0x58, 0x15, 0x71, 0xfa, 0x44, 0x89,
11272 -+ 0x89, 0xfd, 0xf7, 0x99, },
11273 -+ { 0x1f, 0xb1, 0x62, 0xeb, 0x83, 0xc5, 0x9c, 0x89, 0xf9, 0x2c, 0xd2, 0x03,
11274 -+ 0x61, 0xbc, 0xbb, 0xa5, 0x74, 0x0e, 0x9b, 0x7e, 0x82, 0x3e, 0x70, 0x0a,
11275 -+ 0xa9, 0x8f, 0x2b, 0x59, 0xfb, },
11276 -+ { 0xf8, 0xca, 0x5e, 0x3a, 0x4f, 0x9e, 0x10, 0x69, 0x10, 0xd5, 0x4c, 0xeb,
11277 -+ 0x1a, 0x0f, 0x3c, 0x6a, 0x98, 0xf5, 0xb0, 0x97, 0x5b, 0x37, 0x2f, 0x0d,
11278 -+ 0xbd, 0x42, 0x4b, 0x69, 0xa1, 0x82, },
11279 -+ { 0x12, 0x8c, 0x6d, 0x52, 0x08, 0xef, 0x74, 0xb2, 0xe6, 0xaa, 0xd3, 0xb0,
11280 -+ 0x26, 0xb0, 0xd9, 0x94, 0xb6, 0x11, 0x45, 0x0e, 0x36, 0x71, 0x14, 0x2d,
11281 -+ 0x41, 0x8c, 0x21, 0x53, 0x31, 0xe9, 0x68, },
11282 -+ { 0xee, 0xea, 0x0d, 0x89, 0x47, 0x7e, 0x72, 0xd1, 0xd8, 0xce, 0x58, 0x4c,
11283 -+ 0x94, 0x1f, 0x0d, 0x51, 0x08, 0xa3, 0xb6, 0x3d, 0xe7, 0x82, 0x46, 0x92,
11284 -+ 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
11285 -+};
11286 -+
11287 -+static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
11288 -+ { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
11289 -+ 0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
11290 -+ 0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
11291 -+ { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
11292 -+ 0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
11293 -+ 0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
11294 -+};
11295 -+
11296 -+bool __init blake2s_selftest(void)
11297 -+{
11298 -+ u8 key[BLAKE2S_KEY_SIZE];
11299 -+ u8 buf[ARRAY_SIZE(blake2s_testvecs)];
11300 -+ u8 hash[BLAKE2S_HASH_SIZE];
11301 -+ struct blake2s_state state;
11302 -+ bool success = true;
11303 -+ int i, l;
11304 -+
11305 -+ key[0] = key[1] = 1;
11306 -+ for (i = 2; i < sizeof(key); ++i)
11307 -+ key[i] = key[i - 2] + key[i - 1];
11308 -+
11309 -+ for (i = 0; i < sizeof(buf); ++i)
11310 -+ buf[i] = (u8)i;
11311 -+
11312 -+ for (i = l = 0; i < ARRAY_SIZE(blake2s_testvecs); l = (l + 37) % ++i) {
11313 -+ int outlen = 1 + i % BLAKE2S_HASH_SIZE;
11314 -+ int keylen = (13 * i) % (BLAKE2S_KEY_SIZE + 1);
11315 -+
11316 -+ blake2s(hash, buf, key + BLAKE2S_KEY_SIZE - keylen, outlen, i,
11317 -+ keylen);
11318 -+ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
11319 -+ pr_err("blake2s self-test %d: FAIL\n", i + 1);
11320 -+ success = false;
11321 -+ }
11322 -+
11323 -+ if (!keylen)
11324 -+ blake2s_init(&state, outlen);
11325 -+ else
11326 -+ blake2s_init_key(&state, outlen,
11327 -+ key + BLAKE2S_KEY_SIZE - keylen,
11328 -+ keylen);
11329 -+
11330 -+ blake2s_update(&state, buf, l);
11331 -+ blake2s_update(&state, buf + l, i - l);
11332 -+ blake2s_final(&state, hash);
11333 -+ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
11334 -+ pr_err("blake2s init/update/final self-test %d: FAIL\n",
11335 -+ i + 1);
11336 -+ success = false;
11337 -+ }
11338 -+ }
11339 -+
11340 -+ if (success) {
11341 -+ blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
11342 -+ success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
11343 -+
11344 -+ blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
11345 -+ success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
11346 -+
11347 -+ if (!success)
11348 -+ pr_err("blake2s256_hmac self-test: FAIL\n");
11349 -+ }
11350 -+
11351 -+ return success;
11352 -+}
11353 ---- /dev/null
11354 -+++ b/lib/crypto/blake2s.c
11355 -@@ -0,0 +1,126 @@
11356 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
11357 -+/*
11358 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
11359 -+ *
11360 -+ * This is an implementation of the BLAKE2s hash and PRF functions.
11361 -+ *
11362 -+ * Information: https://blake2.net/
11363 -+ *
11364 -+ */
11365 -+
11366 -+#include <crypto/internal/blake2s.h>
11367 -+#include <linux/types.h>
11368 -+#include <linux/string.h>
11369 -+#include <linux/kernel.h>
11370 -+#include <linux/module.h>
11371 -+#include <linux/init.h>
11372 -+#include <linux/bug.h>
11373 -+#include <asm/unaligned.h>
11374 -+
11375 -+bool blake2s_selftest(void);
11376 -+
11377 -+void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
11378 -+{
11379 -+ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
11380 -+
11381 -+ if (unlikely(!inlen))
11382 -+ return;
11383 -+ if (inlen > fill) {
11384 -+ memcpy(state->buf + state->buflen, in, fill);
11385 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
11386 -+ blake2s_compress_arch(state, state->buf, 1,
11387 -+ BLAKE2S_BLOCK_SIZE);
11388 -+ else
11389 -+ blake2s_compress_generic(state, state->buf, 1,
11390 -+ BLAKE2S_BLOCK_SIZE);
11391 -+ state->buflen = 0;
11392 -+ in += fill;
11393 -+ inlen -= fill;
11394 -+ }
11395 -+ if (inlen > BLAKE2S_BLOCK_SIZE) {
11396 -+ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
11397 -+ /* Hash one less (full) block than strictly possible */
11398 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
11399 -+ blake2s_compress_arch(state, in, nblocks - 1,
11400 -+ BLAKE2S_BLOCK_SIZE);
11401 -+ else
11402 -+ blake2s_compress_generic(state, in, nblocks - 1,
11403 -+ BLAKE2S_BLOCK_SIZE);
11404 -+ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
11405 -+ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
11406 -+ }
11407 -+ memcpy(state->buf + state->buflen, in, inlen);
11408 -+ state->buflen += inlen;
11409 -+}
11410 -+EXPORT_SYMBOL(blake2s_update);
11411 -+
11412 -+void blake2s_final(struct blake2s_state *state, u8 *out)
11413 -+{
11414 -+ WARN_ON(IS_ENABLED(DEBUG) && !out);
11415 -+ blake2s_set_lastblock(state);
11416 -+ memset(state->buf + state->buflen, 0,
11417 -+ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
11418 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
11419 -+ blake2s_compress_arch(state, state->buf, 1, state->buflen);
11420 -+ else
11421 -+ blake2s_compress_generic(state, state->buf, 1, state->buflen);
11422 -+ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
11423 -+ memcpy(out, state->h, state->outlen);
11424 -+ memzero_explicit(state, sizeof(*state));
11425 -+}
11426 -+EXPORT_SYMBOL(blake2s_final);
11427 -+
11428 -+void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
11429 -+ const size_t keylen)
11430 -+{
11431 -+ struct blake2s_state state;
11432 -+ u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
11433 -+ u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
11434 -+ int i;
11435 -+
11436 -+ if (keylen > BLAKE2S_BLOCK_SIZE) {
11437 -+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
11438 -+ blake2s_update(&state, key, keylen);
11439 -+ blake2s_final(&state, x_key);
11440 -+ } else
11441 -+ memcpy(x_key, key, keylen);
11442 -+
11443 -+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
11444 -+ x_key[i] ^= 0x36;
11445 -+
11446 -+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
11447 -+ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
11448 -+ blake2s_update(&state, in, inlen);
11449 -+ blake2s_final(&state, i_hash);
11450 -+
11451 -+ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
11452 -+ x_key[i] ^= 0x5c ^ 0x36;
11453 -+
11454 -+ blake2s_init(&state, BLAKE2S_HASH_SIZE);
11455 -+ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
11456 -+ blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
11457 -+ blake2s_final(&state, i_hash);
11458 -+
11459 -+ memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
11460 -+ memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
11461 -+ memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
11462 -+}
11463 -+EXPORT_SYMBOL(blake2s256_hmac);
11464 -+
11465 -+static int __init mod_init(void)
11466 -+{
11467 -+ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
11468 -+ WARN_ON(!blake2s_selftest()))
11469 -+ return -ENODEV;
11470 -+ return 0;
11471 -+}
11472 -+
11473 -+static void __exit mod_exit(void)
11474 -+{
11475 -+}
11476 -+
11477 -+module_init(mod_init);
11478 -+module_exit(mod_exit);
11479 -+MODULE_LICENSE("GPL v2");
11480 -+MODULE_DESCRIPTION("BLAKE2s hash function");
11481 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
11482 ---- b/crypto/testmgr.c
11483 -+++ b/crypto/testmgr.c
11484 -@@ -4036,4 +4036,28 @@
11485 - .fips_allowed = 1,
11486 - }, {
11487 -+ .alg = "blake2s-128",
11488 -+ .test = alg_test_hash,
11489 -+ .suite = {
11490 -+ .hash = __VECS(blakes2s_128_tv_template)
11491 -+ }
11492 -+ }, {
11493 -+ .alg = "blake2s-160",
11494 -+ .test = alg_test_hash,
11495 -+ .suite = {
11496 -+ .hash = __VECS(blakes2s_160_tv_template)
11497 -+ }
11498 -+ }, {
11499 -+ .alg = "blake2s-224",
11500 -+ .test = alg_test_hash,
11501 -+ .suite = {
11502 -+ .hash = __VECS(blakes2s_224_tv_template)
11503 -+ }
11504 -+ }, {
11505 -+ .alg = "blake2s-256",
11506 -+ .test = alg_test_hash,
11507 -+ .suite = {
11508 -+ .hash = __VECS(blakes2s_256_tv_template)
11509 -+ }
11510 -+ }, {
11511 - .alg = "cbc(aes)",
11512 - .test = alg_test_skcipher,
11513 -@@ -4273,4 +4297,10 @@
11514 - .fips_allowed = 1,
11515 - }, {
11516 -+ .alg = "curve25519",
11517 -+ .test = alg_test_kpp,
11518 -+ .suite = {
11519 -+ .kpp = __VECS(curve25519_tv_template)
11520 -+ }
11521 -+ }, {
11522 - .alg = "deflate",
11523 - .test = alg_test_comp,
11524 ---- b/crypto/testmgr.h
11525 -+++ b/crypto/testmgr.h
11526 -@@ -1030,6 +1030,1231 @@
11527 - }
11528 - };
11529 -
11530 -+static const struct kpp_testvec curve25519_tv_template[] = {
11531 -+{
11532 -+ .secret = (u8[32]){ 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d,
11533 -+ 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45,
11534 -+ 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a,
11535 -+ 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a },
11536 -+ .b_public = (u8[32]){ 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4,
11537 -+ 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37,
11538 -+ 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d,
11539 -+ 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f },
11540 -+ .expected_ss = (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
11541 -+ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
11542 -+ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
11543 -+ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
11544 -+ .secret_size = 32,
11545 -+ .b_public_size = 32,
11546 -+ .expected_ss_size = 32,
11547 -+
11548 -+},
11549 -+{
11550 -+ .secret = (u8[32]){ 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b,
11551 -+ 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6,
11552 -+ 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd,
11553 -+ 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb },
11554 -+ .b_public = (u8[32]){ 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
11555 -+ 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
11556 -+ 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
11557 -+ 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a },
11558 -+ .expected_ss = (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
11559 -+ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
11560 -+ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
11561 -+ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
11562 -+ .secret_size = 32,
11563 -+ .b_public_size = 32,
11564 -+ .expected_ss_size = 32,
11565 -+
11566 -+},
11567 -+{
11568 -+ .secret = (u8[32]){ 1 },
11569 -+ .b_public = (u8[32]){ 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11570 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11571 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11572 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11573 -+ .expected_ss = (u8[32]){ 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64,
11574 -+ 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d,
11575 -+ 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98,
11576 -+ 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f },
11577 -+ .secret_size = 32,
11578 -+ .b_public_size = 32,
11579 -+ .expected_ss_size = 32,
11580 -+
11581 -+},
11582 -+{
11583 -+ .secret = (u8[32]){ 1 },
11584 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11585 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11586 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11587 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
11588 -+ .expected_ss = (u8[32]){ 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f,
11589 -+ 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d,
11590 -+ 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3,
11591 -+ 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 },
11592 -+ .secret_size = 32,
11593 -+ .b_public_size = 32,
11594 -+ .expected_ss_size = 32,
11595 -+
11596 -+},
11597 -+{
11598 -+ .secret = (u8[32]){ 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
11599 -+ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
11600 -+ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
11601 -+ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 },
11602 -+ .b_public = (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
11603 -+ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
11604 -+ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
11605 -+ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
11606 -+ .expected_ss = (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
11607 -+ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
11608 -+ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
11609 -+ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
11610 -+ .secret_size = 32,
11611 -+ .b_public_size = 32,
11612 -+ .expected_ss_size = 32,
11613 -+
11614 -+},
11615 -+{
11616 -+ .secret = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff,
11617 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11618 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11619 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
11620 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11621 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11622 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11623 -+ 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f },
11624 -+ .expected_ss = (u8[32]){ 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2,
11625 -+ 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57,
11626 -+ 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05,
11627 -+ 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 },
11628 -+ .secret_size = 32,
11629 -+ .b_public_size = 32,
11630 -+ .expected_ss_size = 32,
11631 -+
11632 -+},
11633 -+{
11634 -+ .secret = (u8[32]){ 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11635 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11636 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11637 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11638 -+ .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11639 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11640 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11641 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 },
11642 -+ .expected_ss = (u8[32]){ 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d,
11643 -+ 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12,
11644 -+ 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99,
11645 -+ 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c },
11646 -+ .secret_size = 32,
11647 -+ .b_public_size = 32,
11648 -+ .expected_ss_size = 32,
11649 -+
11650 -+},
11651 -+/* wycheproof - normal case */
11652 -+{
11653 -+ .secret = (u8[32]){ 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda,
11654 -+ 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66,
11655 -+ 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3,
11656 -+ 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba },
11657 -+ .b_public = (u8[32]){ 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5,
11658 -+ 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9,
11659 -+ 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e,
11660 -+ 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a },
11661 -+ .expected_ss = (u8[32]){ 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5,
11662 -+ 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38,
11663 -+ 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e,
11664 -+ 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 },
11665 -+ .secret_size = 32,
11666 -+ .b_public_size = 32,
11667 -+ .expected_ss_size = 32,
11668 -+
11669 -+},
11670 -+/* wycheproof - public key on twist */
11671 -+{
11672 -+ .secret = (u8[32]){ 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4,
11673 -+ 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5,
11674 -+ 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49,
11675 -+ 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 },
11676 -+ .b_public = (u8[32]){ 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5,
11677 -+ 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8,
11678 -+ 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3,
11679 -+ 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 },
11680 -+ .expected_ss = (u8[32]){ 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff,
11681 -+ 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d,
11682 -+ 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe,
11683 -+ 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 },
11684 -+ .secret_size = 32,
11685 -+ .b_public_size = 32,
11686 -+ .expected_ss_size = 32,
11687 -+
11688 -+},
11689 -+/* wycheproof - public key on twist */
11690 -+{
11691 -+ .secret = (u8[32]){ 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9,
11692 -+ 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39,
11693 -+ 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5,
11694 -+ 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 },
11695 -+ .b_public = (u8[32]){ 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f,
11696 -+ 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b,
11697 -+ 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c,
11698 -+ 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 },
11699 -+ .expected_ss = (u8[32]){ 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53,
11700 -+ 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57,
11701 -+ 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0,
11702 -+ 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b },
11703 -+ .secret_size = 32,
11704 -+ .b_public_size = 32,
11705 -+ .expected_ss_size = 32,
11706 -+
11707 -+},
11708 -+/* wycheproof - public key on twist */
11709 -+{
11710 -+ .secret = (u8[32]){ 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc,
11711 -+ 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d,
11712 -+ 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67,
11713 -+ 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c },
11714 -+ .b_public = (u8[32]){ 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97,
11715 -+ 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f,
11716 -+ 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45,
11717 -+ 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a },
11718 -+ .expected_ss = (u8[32]){ 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93,
11719 -+ 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2,
11720 -+ 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44,
11721 -+ 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a },
11722 -+ .secret_size = 32,
11723 -+ .b_public_size = 32,
11724 -+ .expected_ss_size = 32,
11725 -+
11726 -+},
11727 -+/* wycheproof - public key on twist */
11728 -+{
11729 -+ .secret = (u8[32]){ 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1,
11730 -+ 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95,
11731 -+ 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99,
11732 -+ 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d },
11733 -+ .b_public = (u8[32]){ 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27,
11734 -+ 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07,
11735 -+ 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae,
11736 -+ 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c },
11737 -+ .expected_ss = (u8[32]){ 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73,
11738 -+ 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2,
11739 -+ 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f,
11740 -+ 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 },
11741 -+ .secret_size = 32,
11742 -+ .b_public_size = 32,
11743 -+ .expected_ss_size = 32,
11744 -+
11745 -+},
11746 -+/* wycheproof - public key on twist */
11747 -+{
11748 -+ .secret = (u8[32]){ 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9,
11749 -+ 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd,
11750 -+ 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b,
11751 -+ 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 },
11752 -+ .b_public = (u8[32]){ 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5,
11753 -+ 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52,
11754 -+ 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8,
11755 -+ 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 },
11756 -+ .expected_ss = (u8[32]){ 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86,
11757 -+ 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4,
11758 -+ 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6,
11759 -+ 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 },
11760 -+ .secret_size = 32,
11761 -+ .b_public_size = 32,
11762 -+ .expected_ss_size = 32,
11763 -+
11764 -+},
11765 -+/* wycheproof - edge case on twist */
11766 -+{
11767 -+ .secret = (u8[32]){ 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04,
11768 -+ 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77,
11769 -+ 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90,
11770 -+ 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 },
11771 -+ .b_public = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11772 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11773 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11774 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11775 -+ .expected_ss = (u8[32]){ 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97,
11776 -+ 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9,
11777 -+ 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7,
11778 -+ 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 },
11779 -+ .secret_size = 32,
11780 -+ .b_public_size = 32,
11781 -+ .expected_ss_size = 32,
11782 -+
11783 -+},
11784 -+/* wycheproof - edge case on twist */
11785 -+{
11786 -+ .secret = (u8[32]){ 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36,
11787 -+ 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd,
11788 -+ 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c,
11789 -+ 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 },
11790 -+ .b_public = (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11791 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11792 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11793 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11794 -+ .expected_ss = (u8[32]){ 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e,
11795 -+ 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b,
11796 -+ 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e,
11797 -+ 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 },
11798 -+ .secret_size = 32,
11799 -+ .b_public_size = 32,
11800 -+ .expected_ss_size = 32,
11801 -+
11802 -+},
11803 -+/* wycheproof - edge case on twist */
11804 -+{
11805 -+ .secret = (u8[32]){ 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed,
11806 -+ 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e,
11807 -+ 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd,
11808 -+ 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 },
11809 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff,
11810 -+ 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff,
11811 -+ 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00,
11812 -+ 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 },
11813 -+ .expected_ss = (u8[32]){ 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f,
11814 -+ 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1,
11815 -+ 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10,
11816 -+ 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b },
11817 -+ .secret_size = 32,
11818 -+ .b_public_size = 32,
11819 -+ .expected_ss_size = 32,
11820 -+
11821 -+},
11822 -+/* wycheproof - edge case on twist */
11823 -+{
11824 -+ .secret = (u8[32]){ 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3,
11825 -+ 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d,
11826 -+ 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00,
11827 -+ 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 },
11828 -+ .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00,
11829 -+ 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00,
11830 -+ 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff,
11831 -+ 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f },
11832 -+ .expected_ss = (u8[32]){ 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8,
11833 -+ 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4,
11834 -+ 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70,
11835 -+ 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b },
11836 -+ .secret_size = 32,
11837 -+ .b_public_size = 32,
11838 -+ .expected_ss_size = 32,
11839 -+
11840 -+},
11841 -+/* wycheproof - edge case on twist */
11842 -+{
11843 -+ .secret = (u8[32]){ 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3,
11844 -+ 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a,
11845 -+ 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e,
11846 -+ 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 },
11847 -+ .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
11848 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
11849 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
11850 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f },
11851 -+ .expected_ss = (u8[32]){ 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57,
11852 -+ 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c,
11853 -+ 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59,
11854 -+ 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 },
11855 -+ .secret_size = 32,
11856 -+ .b_public_size = 32,
11857 -+ .expected_ss_size = 32,
11858 -+
11859 -+},
11860 -+/* wycheproof - edge case on twist */
11861 -+{
11862 -+ .secret = (u8[32]){ 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f,
11863 -+ 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42,
11864 -+ 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9,
11865 -+ 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 },
11866 -+ .b_public = (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11867 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11868 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11869 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
11870 -+ .expected_ss = (u8[32]){ 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c,
11871 -+ 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5,
11872 -+ 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65,
11873 -+ 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 },
11874 -+ .secret_size = 32,
11875 -+ .b_public_size = 32,
11876 -+ .expected_ss_size = 32,
11877 -+
11878 -+},
11879 -+/* wycheproof - edge case for public key */
11880 -+{
11881 -+ .secret = (u8[32]){ 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6,
11882 -+ 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4,
11883 -+ 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8,
11884 -+ 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe },
11885 -+ .b_public = (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11886 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11887 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11888 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11889 -+ .expected_ss = (u8[32]){ 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7,
11890 -+ 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca,
11891 -+ 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f,
11892 -+ 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 },
11893 -+ .secret_size = 32,
11894 -+ .b_public_size = 32,
11895 -+ .expected_ss_size = 32,
11896 -+
11897 -+},
11898 -+/* wycheproof - edge case for public key */
11899 -+{
11900 -+ .secret = (u8[32]){ 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa,
11901 -+ 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3,
11902 -+ 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52,
11903 -+ 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 },
11904 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
11905 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
11906 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
11907 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 },
11908 -+ .expected_ss = (u8[32]){ 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3,
11909 -+ 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e,
11910 -+ 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75,
11911 -+ 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f },
11912 -+ .secret_size = 32,
11913 -+ .b_public_size = 32,
11914 -+ .expected_ss_size = 32,
11915 -+
11916 -+},
11917 -+/* wycheproof - edge case for public key */
11918 -+{
11919 -+ .secret = (u8[32]){ 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26,
11920 -+ 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea,
11921 -+ 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00,
11922 -+ 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 },
11923 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11924 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11925 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11926 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
11927 -+ .expected_ss = (u8[32]){ 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8,
11928 -+ 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32,
11929 -+ 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87,
11930 -+ 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d },
11931 -+ .secret_size = 32,
11932 -+ .b_public_size = 32,
11933 -+ .expected_ss_size = 32,
11934 -+
11935 -+},
11936 -+/* wycheproof - edge case for public key */
11937 -+{
11938 -+ .secret = (u8[32]){ 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c,
11939 -+ 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6,
11940 -+ 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb,
11941 -+ 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 },
11942 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff,
11943 -+ 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff,
11944 -+ 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff,
11945 -+ 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f },
11946 -+ .expected_ss = (u8[32]){ 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85,
11947 -+ 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f,
11948 -+ 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0,
11949 -+ 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d },
11950 -+ .secret_size = 32,
11951 -+ .b_public_size = 32,
11952 -+ .expected_ss_size = 32,
11953 -+
11954 -+},
11955 -+/* wycheproof - edge case for public key */
11956 -+{
11957 -+ .secret = (u8[32]){ 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38,
11958 -+ 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b,
11959 -+ 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c,
11960 -+ 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb },
11961 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11962 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11963 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11964 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
11965 -+ .expected_ss = (u8[32]){ 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b,
11966 -+ 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81,
11967 -+ 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3,
11968 -+ 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d },
11969 -+ .secret_size = 32,
11970 -+ .b_public_size = 32,
11971 -+ .expected_ss_size = 32,
11972 -+
11973 -+},
11974 -+/* wycheproof - edge case for public key */
11975 -+{
11976 -+ .secret = (u8[32]){ 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d,
11977 -+ 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42,
11978 -+ 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98,
11979 -+ 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 },
11980 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
11981 -+ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
11982 -+ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
11983 -+ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f },
11984 -+ .expected_ss = (u8[32]){ 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c,
11985 -+ 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9,
11986 -+ 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89,
11987 -+ 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 },
11988 -+ .secret_size = 32,
11989 -+ .b_public_size = 32,
11990 -+ .expected_ss_size = 32,
11991 -+
11992 -+},
11993 -+/* wycheproof - edge case for public key */
11994 -+{
11995 -+ .secret = (u8[32]){ 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29,
11996 -+ 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6,
11997 -+ 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c,
11998 -+ 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f },
11999 -+ .b_public = (u8[32]){ 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12000 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12001 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12002 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12003 -+ .expected_ss = (u8[32]){ 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75,
12004 -+ 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89,
12005 -+ 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c,
12006 -+ 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f },
12007 -+ .secret_size = 32,
12008 -+ .b_public_size = 32,
12009 -+ .expected_ss_size = 32,
12010 -+
12011 -+},
12012 -+/* wycheproof - public key >= p */
12013 -+{
12014 -+ .secret = (u8[32]){ 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc,
12015 -+ 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1,
12016 -+ 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d,
12017 -+ 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae },
12018 -+ .b_public = (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12019 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12020 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12021 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12022 -+ .expected_ss = (u8[32]){ 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09,
12023 -+ 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde,
12024 -+ 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1,
12025 -+ 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b },
12026 -+ .secret_size = 32,
12027 -+ .b_public_size = 32,
12028 -+ .expected_ss_size = 32,
12029 -+
12030 -+},
12031 -+/* wycheproof - public key >= p */
12032 -+{
12033 -+ .secret = (u8[32]){ 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81,
12034 -+ 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a,
12035 -+ 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99,
12036 -+ 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d },
12037 -+ .b_public = (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12038 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12039 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12040 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12041 -+ .expected_ss = (u8[32]){ 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17,
12042 -+ 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35,
12043 -+ 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55,
12044 -+ 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c },
12045 -+ .secret_size = 32,
12046 -+ .b_public_size = 32,
12047 -+ .expected_ss_size = 32,
12048 -+
12049 -+},
12050 -+/* wycheproof - public key >= p */
12051 -+{
12052 -+ .secret = (u8[32]){ 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11,
12053 -+ 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b,
12054 -+ 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9,
12055 -+ 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 },
12056 -+ .b_public = (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12057 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12058 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12059 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12060 -+ .expected_ss = (u8[32]){ 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53,
12061 -+ 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e,
12062 -+ 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6,
12063 -+ 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 },
12064 -+ .secret_size = 32,
12065 -+ .b_public_size = 32,
12066 -+ .expected_ss_size = 32,
12067 -+
12068 -+},
12069 -+/* wycheproof - public key >= p */
12070 -+{
12071 -+ .secret = (u8[32]){ 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78,
12072 -+ 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2,
12073 -+ 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd,
12074 -+ 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 },
12075 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12076 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12077 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12078 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12079 -+ .expected_ss = (u8[32]){ 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb,
12080 -+ 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40,
12081 -+ 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2,
12082 -+ 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d },
12083 -+ .secret_size = 32,
12084 -+ .b_public_size = 32,
12085 -+ .expected_ss_size = 32,
12086 -+
12087 -+},
12088 -+/* wycheproof - public key >= p */
12089 -+{
12090 -+ .secret = (u8[32]){ 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9,
12091 -+ 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60,
12092 -+ 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13,
12093 -+ 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 },
12094 -+ .b_public = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12095 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12096 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12097 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
12098 -+ .expected_ss = (u8[32]){ 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c,
12099 -+ 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3,
12100 -+ 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65,
12101 -+ 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c },
12102 -+ .secret_size = 32,
12103 -+ .b_public_size = 32,
12104 -+ .expected_ss_size = 32,
12105 -+
12106 -+},
12107 -+/* wycheproof - public key >= p */
12108 -+{
12109 -+ .secret = (u8[32]){ 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a,
12110 -+ 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7,
12111 -+ 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11,
12112 -+ 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e },
12113 -+ .b_public = (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12114 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12115 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12116 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
12117 -+ .expected_ss = (u8[32]){ 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82,
12118 -+ 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4,
12119 -+ 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c,
12120 -+ 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 },
12121 -+ .secret_size = 32,
12122 -+ .b_public_size = 32,
12123 -+ .expected_ss_size = 32,
12124 -+
12125 -+},
12126 -+/* wycheproof - public key >= p */
12127 -+{
12128 -+ .secret = (u8[32]){ 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e,
12129 -+ 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a,
12130 -+ 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d,
12131 -+ 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f },
12132 -+ .b_public = (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12133 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12134 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12135 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
12136 -+ .expected_ss = (u8[32]){ 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2,
12137 -+ 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60,
12138 -+ 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25,
12139 -+ 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 },
12140 -+ .secret_size = 32,
12141 -+ .b_public_size = 32,
12142 -+ .expected_ss_size = 32,
12143 -+
12144 -+},
12145 -+/* wycheproof - public key >= p */
12146 -+{
12147 -+ .secret = (u8[32]){ 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb,
12148 -+ 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97,
12149 -+ 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c,
12150 -+ 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 },
12151 -+ .b_public = (u8[32]){ 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12152 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12153 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12154 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12155 -+ .expected_ss = (u8[32]){ 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23,
12156 -+ 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8,
12157 -+ 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69,
12158 -+ 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f },
12159 -+ .secret_size = 32,
12160 -+ .b_public_size = 32,
12161 -+ .expected_ss_size = 32,
12162 -+
12163 -+},
12164 -+/* wycheproof - public key >= p */
12165 -+{
12166 -+ .secret = (u8[32]){ 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a,
12167 -+ 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23,
12168 -+ 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b,
12169 -+ 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 },
12170 -+ .b_public = (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12171 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12172 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12173 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12174 -+ .expected_ss = (u8[32]){ 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b,
12175 -+ 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44,
12176 -+ 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37,
12177 -+ 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 },
12178 -+ .secret_size = 32,
12179 -+ .b_public_size = 32,
12180 -+ .expected_ss_size = 32,
12181 -+
12182 -+},
12183 -+/* wycheproof - public key >= p */
12184 -+{
12185 -+ .secret = (u8[32]){ 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80,
12186 -+ 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d,
12187 -+ 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b,
12188 -+ 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 },
12189 -+ .b_public = (u8[32]){ 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12190 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12191 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12192 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12193 -+ .expected_ss = (u8[32]){ 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63,
12194 -+ 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae,
12195 -+ 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f,
12196 -+ 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 },
12197 -+ .secret_size = 32,
12198 -+ .b_public_size = 32,
12199 -+ .expected_ss_size = 32,
12200 -+
12201 -+},
12202 -+/* wycheproof - public key >= p */
12203 -+{
12204 -+ .secret = (u8[32]){ 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0,
12205 -+ 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd,
12206 -+ 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49,
12207 -+ 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 },
12208 -+ .b_public = (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12209 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12210 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12211 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12212 -+ .expected_ss = (u8[32]){ 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41,
12213 -+ 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0,
12214 -+ 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf,
12215 -+ 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e },
12216 -+ .secret_size = 32,
12217 -+ .b_public_size = 32,
12218 -+ .expected_ss_size = 32,
12219 -+
12220 -+},
12221 -+/* wycheproof - public key >= p */
12222 -+{
12223 -+ .secret = (u8[32]){ 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9,
12224 -+ 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa,
12225 -+ 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5,
12226 -+ 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e },
12227 -+ .b_public = (u8[32]){ 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12228 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12229 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12230 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12231 -+ .expected_ss = (u8[32]){ 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47,
12232 -+ 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3,
12233 -+ 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b,
12234 -+ 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 },
12235 -+ .secret_size = 32,
12236 -+ .b_public_size = 32,
12237 -+ .expected_ss_size = 32,
12238 -+
12239 -+},
12240 -+/* wycheproof - public key >= p */
12241 -+{
12242 -+ .secret = (u8[32]){ 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8,
12243 -+ 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98,
12244 -+ 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0,
12245 -+ 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 },
12246 -+ .b_public = (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12247 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12248 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12249 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12250 -+ .expected_ss = (u8[32]){ 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0,
12251 -+ 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1,
12252 -+ 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a,
12253 -+ 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 },
12254 -+ .secret_size = 32,
12255 -+ .b_public_size = 32,
12256 -+ .expected_ss_size = 32,
12257 -+
12258 -+},
12259 -+/* wycheproof - public key >= p */
12260 -+{
12261 -+ .secret = (u8[32]){ 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02,
12262 -+ 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4,
12263 -+ 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68,
12264 -+ 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d },
12265 -+ .b_public = (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12266 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12267 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12268 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12269 -+ .expected_ss = (u8[32]){ 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f,
12270 -+ 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2,
12271 -+ 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95,
12272 -+ 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 },
12273 -+ .secret_size = 32,
12274 -+ .b_public_size = 32,
12275 -+ .expected_ss_size = 32,
12276 -+
12277 -+},
12278 -+/* wycheproof - public key >= p */
12279 -+{
12280 -+ .secret = (u8[32]){ 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7,
12281 -+ 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06,
12282 -+ 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9,
12283 -+ 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 },
12284 -+ .b_public = (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12285 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12286 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12287 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12288 -+ .expected_ss = (u8[32]){ 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5,
12289 -+ 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0,
12290 -+ 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80,
12291 -+ 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 },
12292 -+ .secret_size = 32,
12293 -+ .b_public_size = 32,
12294 -+ .expected_ss_size = 32,
12295 -+
12296 -+},
12297 -+/* wycheproof - public key >= p */
12298 -+{
12299 -+ .secret = (u8[32]){ 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd,
12300 -+ 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4,
12301 -+ 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04,
12302 -+ 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 },
12303 -+ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12304 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12305 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12306 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12307 -+ .expected_ss = (u8[32]){ 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0,
12308 -+ 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac,
12309 -+ 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48,
12310 -+ 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 },
12311 -+ .secret_size = 32,
12312 -+ .b_public_size = 32,
12313 -+ .expected_ss_size = 32,
12314 -+
12315 -+},
12316 -+/* wycheproof - RFC 7748 */
12317 -+{
12318 -+ .secret = (u8[32]){ 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
12319 -+ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
12320 -+ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
12321 -+ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 },
12322 -+ .b_public = (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
12323 -+ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
12324 -+ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
12325 -+ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
12326 -+ .expected_ss = (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
12327 -+ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
12328 -+ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
12329 -+ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
12330 -+ .secret_size = 32,
12331 -+ .b_public_size = 32,
12332 -+ .expected_ss_size = 32,
12333 -+
12334 -+},
12335 -+/* wycheproof - RFC 7748 */
12336 -+{
12337 -+ .secret = (u8[32]){ 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c,
12338 -+ 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5,
12339 -+ 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4,
12340 -+ 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d },
12341 -+ .b_public = (u8[32]){ 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3,
12342 -+ 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c,
12343 -+ 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e,
12344 -+ 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 },
12345 -+ .expected_ss = (u8[32]){ 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d,
12346 -+ 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8,
12347 -+ 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52,
12348 -+ 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 },
12349 -+ .secret_size = 32,
12350 -+ .b_public_size = 32,
12351 -+ .expected_ss_size = 32,
12352 -+
12353 -+},
12354 -+/* wycheproof - edge case for shared secret */
12355 -+{
12356 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12357 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12358 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12359 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12360 -+ .b_public = (u8[32]){ 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde,
12361 -+ 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8,
12362 -+ 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4,
12363 -+ 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 },
12364 -+ .expected_ss = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12365 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12366 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12367 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
12368 -+ .secret_size = 32,
12369 -+ .b_public_size = 32,
12370 -+ .expected_ss_size = 32,
12371 -+
12372 -+},
12373 -+/* wycheproof - edge case for shared secret */
12374 -+{
12375 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12376 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12377 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12378 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12379 -+ .b_public = (u8[32]){ 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d,
12380 -+ 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64,
12381 -+ 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd,
12382 -+ 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 },
12383 -+ .expected_ss = (u8[32]){ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12384 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12385 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12386 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
12387 -+ .secret_size = 32,
12388 -+ .b_public_size = 32,
12389 -+ .expected_ss_size = 32,
12390 -+
12391 -+},
12392 -+/* wycheproof - edge case for shared secret */
12393 -+{
12394 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12395 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12396 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12397 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12398 -+ .b_public = (u8[32]){ 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8,
12399 -+ 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf,
12400 -+ 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94,
12401 -+ 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d },
12402 -+ .expected_ss = (u8[32]){ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12403 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12404 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12405 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
12406 -+ .secret_size = 32,
12407 -+ .b_public_size = 32,
12408 -+ .expected_ss_size = 32,
12409 -+
12410 -+},
12411 -+/* wycheproof - edge case for shared secret */
12412 -+{
12413 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12414 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12415 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12416 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12417 -+ .b_public = (u8[32]){ 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84,
12418 -+ 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62,
12419 -+ 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e,
12420 -+ 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 },
12421 -+ .expected_ss = (u8[32]){ 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12422 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12423 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12424 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12425 -+ .secret_size = 32,
12426 -+ .b_public_size = 32,
12427 -+ .expected_ss_size = 32,
12428 -+
12429 -+},
12430 -+/* wycheproof - edge case for shared secret */
12431 -+{
12432 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12433 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12434 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12435 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12436 -+ .b_public = (u8[32]){ 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8,
12437 -+ 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58,
12438 -+ 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02,
12439 -+ 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 },
12440 -+ .expected_ss = (u8[32]){ 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12441 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12442 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12443 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12444 -+ .secret_size = 32,
12445 -+ .b_public_size = 32,
12446 -+ .expected_ss_size = 32,
12447 -+
12448 -+},
12449 -+/* wycheproof - edge case for shared secret */
12450 -+{
12451 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12452 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12453 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12454 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12455 -+ .b_public = (u8[32]){ 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9,
12456 -+ 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a,
12457 -+ 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44,
12458 -+ 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b },
12459 -+ .expected_ss = (u8[32]){ 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12460 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12461 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12462 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12463 -+ .secret_size = 32,
12464 -+ .b_public_size = 32,
12465 -+ .expected_ss_size = 32,
12466 -+
12467 -+},
12468 -+/* wycheproof - edge case for shared secret */
12469 -+{
12470 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12471 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12472 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12473 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12474 -+ .b_public = (u8[32]){ 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd,
12475 -+ 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22,
12476 -+ 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56,
12477 -+ 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b },
12478 -+ .expected_ss = (u8[32]){ 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12479 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12480 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12481 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12482 -+ .secret_size = 32,
12483 -+ .b_public_size = 32,
12484 -+ .expected_ss_size = 32,
12485 -+
12486 -+},
12487 -+/* wycheproof - edge case for shared secret */
12488 -+{
12489 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12490 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12491 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12492 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12493 -+ .b_public = (u8[32]){ 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53,
12494 -+ 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f,
12495 -+ 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18,
12496 -+ 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f },
12497 -+ .expected_ss = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12498 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12499 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12500 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
12501 -+ .secret_size = 32,
12502 -+ .b_public_size = 32,
12503 -+ .expected_ss_size = 32,
12504 -+
12505 -+},
12506 -+/* wycheproof - edge case for shared secret */
12507 -+{
12508 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12509 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12510 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12511 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12512 -+ .b_public = (u8[32]){ 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55,
12513 -+ 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b,
12514 -+ 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79,
12515 -+ 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f },
12516 -+ .expected_ss = (u8[32]){ 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12517 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12518 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12519 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12520 -+ .secret_size = 32,
12521 -+ .b_public_size = 32,
12522 -+ .expected_ss_size = 32,
12523 -+
12524 -+},
12525 -+/* wycheproof - edge case for shared secret */
12526 -+{
12527 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12528 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12529 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12530 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12531 -+ .b_public = (u8[32]){ 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39,
12532 -+ 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c,
12533 -+ 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb,
12534 -+ 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e },
12535 -+ .expected_ss = (u8[32]){ 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12536 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12537 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12538 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12539 -+ .secret_size = 32,
12540 -+ .b_public_size = 32,
12541 -+ .expected_ss_size = 32,
12542 -+
12543 -+},
12544 -+/* wycheproof - edge case for shared secret */
12545 -+{
12546 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12547 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12548 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12549 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12550 -+ .b_public = (u8[32]){ 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04,
12551 -+ 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10,
12552 -+ 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58,
12553 -+ 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c },
12554 -+ .expected_ss = (u8[32]){ 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12555 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12556 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12557 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12558 -+ .secret_size = 32,
12559 -+ .b_public_size = 32,
12560 -+ .expected_ss_size = 32,
12561 -+
12562 -+},
12563 -+/* wycheproof - edge case for shared secret */
12564 -+{
12565 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12566 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12567 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12568 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12569 -+ .b_public = (u8[32]){ 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3,
12570 -+ 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c,
12571 -+ 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88,
12572 -+ 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 },
12573 -+ .expected_ss = (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12574 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12575 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12576 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12577 -+ .secret_size = 32,
12578 -+ .b_public_size = 32,
12579 -+ .expected_ss_size = 32,
12580 -+
12581 -+},
12582 -+/* wycheproof - edge case for shared secret */
12583 -+{
12584 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12585 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12586 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12587 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12588 -+ .b_public = (u8[32]){ 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a,
12589 -+ 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49,
12590 -+ 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a,
12591 -+ 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f },
12592 -+ .expected_ss = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12593 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12594 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12595 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
12596 -+ .secret_size = 32,
12597 -+ .b_public_size = 32,
12598 -+ .expected_ss_size = 32,
12599 -+
12600 -+},
12601 -+/* wycheproof - edge case for shared secret */
12602 -+{
12603 -+ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12604 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12605 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12606 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12607 -+ .b_public = (u8[32]){ 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca,
12608 -+ 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c,
12609 -+ 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb,
12610 -+ 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 },
12611 -+ .expected_ss = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12612 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12613 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12614 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 },
12615 -+ .secret_size = 32,
12616 -+ .b_public_size = 32,
12617 -+ .expected_ss_size = 32,
12618 -+
12619 -+},
12620 -+/* wycheproof - checking for overflow */
12621 -+{
12622 -+ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12623 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12624 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12625 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12626 -+ .b_public = (u8[32]){ 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58,
12627 -+ 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7,
12628 -+ 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01,
12629 -+ 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d },
12630 -+ .expected_ss = (u8[32]){ 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d,
12631 -+ 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27,
12632 -+ 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b,
12633 -+ 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 },
12634 -+ .secret_size = 32,
12635 -+ .b_public_size = 32,
12636 -+ .expected_ss_size = 32,
12637 -+
12638 -+},
12639 -+/* wycheproof - checking for overflow */
12640 -+{
12641 -+ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12642 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12643 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12644 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12645 -+ .b_public = (u8[32]){ 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26,
12646 -+ 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2,
12647 -+ 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44,
12648 -+ 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e },
12649 -+ .expected_ss = (u8[32]){ 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6,
12650 -+ 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d,
12651 -+ 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e,
12652 -+ 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 },
12653 -+ .secret_size = 32,
12654 -+ .b_public_size = 32,
12655 -+ .expected_ss_size = 32,
12656 -+
12657 -+},
12658 -+/* wycheproof - checking for overflow */
12659 -+{
12660 -+ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12661 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12662 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12663 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12664 -+ .b_public = (u8[32]){ 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61,
12665 -+ 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67,
12666 -+ 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e,
12667 -+ 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c },
12668 -+ .expected_ss = (u8[32]){ 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65,
12669 -+ 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce,
12670 -+ 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0,
12671 -+ 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 },
12672 -+ .secret_size = 32,
12673 -+ .b_public_size = 32,
12674 -+ .expected_ss_size = 32,
12675 -+
12676 -+},
12677 -+/* wycheproof - checking for overflow */
12678 -+{
12679 -+ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12680 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12681 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12682 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12683 -+ .b_public = (u8[32]){ 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee,
12684 -+ 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d,
12685 -+ 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14,
12686 -+ 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 },
12687 -+ .expected_ss = (u8[32]){ 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e,
12688 -+ 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc,
12689 -+ 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5,
12690 -+ 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b },
12691 -+ .secret_size = 32,
12692 -+ .b_public_size = 32,
12693 -+ .expected_ss_size = 32,
12694 -+
12695 -+},
12696 -+/* wycheproof - checking for overflow */
12697 -+{
12698 -+ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12699 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12700 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12701 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12702 -+ .b_public = (u8[32]){ 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4,
12703 -+ 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5,
12704 -+ 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c,
12705 -+ 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 },
12706 -+ .expected_ss = (u8[32]){ 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b,
12707 -+ 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93,
12708 -+ 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f,
12709 -+ 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 },
12710 -+ .secret_size = 32,
12711 -+ .b_public_size = 32,
12712 -+ .expected_ss_size = 32,
12713 -+
12714 -+},
12715 -+/* wycheproof - private key == -1 (mod order) */
12716 -+{
12717 -+ .secret = (u8[32]){ 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8,
12718 -+ 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68,
12719 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12720 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 },
12721 -+ .b_public = (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
12722 -+ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
12723 -+ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
12724 -+ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
12725 -+ .expected_ss = (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
12726 -+ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
12727 -+ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
12728 -+ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
12729 -+ .secret_size = 32,
12730 -+ .b_public_size = 32,
12731 -+ .expected_ss_size = 32,
12732 -+
12733 -+},
12734 -+/* wycheproof - private key == 1 (mod order) on twist */
12735 -+{
12736 -+ .secret = (u8[32]){ 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef,
12737 -+ 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82,
12738 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12739 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f },
12740 -+ .b_public = (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
12741 -+ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
12742 -+ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
12743 -+ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
12744 -+ .expected_ss = (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
12745 -+ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
12746 -+ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
12747 -+ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
12748 -+ .secret_size = 32,
12749 -+ .b_public_size = 32,
12750 -+ .expected_ss_size = 32,
12751 -+
12752 -+}
12753 -+};
12754 -+
12755 - static const struct kpp_testvec ecdh_tv_template[] = {
12756 - {
12757 - #ifndef CONFIG_CRYPTO_FIPS
12758 -@@ -31569,2 +32794,253 @@
12759 -
12760 -+static const char blake2_ordered_sequence[] =
12761 -+ "\x00\x01\x02\x03\x04\x05\x06\x07"
12762 -+ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
12763 -+ "\x10\x11\x12\x13\x14\x15\x16\x17"
12764 -+ "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
12765 -+ "\x20\x21\x22\x23\x24\x25\x26\x27"
12766 -+ "\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
12767 -+ "\x30\x31\x32\x33\x34\x35\x36\x37"
12768 -+ "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
12769 -+ "\x40\x41\x42\x43\x44\x45\x46\x47"
12770 -+ "\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
12771 -+ "\x50\x51\x52\x53\x54\x55\x56\x57"
12772 -+ "\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
12773 -+ "\x60\x61\x62\x63\x64\x65\x66\x67"
12774 -+ "\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
12775 -+ "\x70\x71\x72\x73\x74\x75\x76\x77"
12776 -+ "\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
12777 -+ "\x80\x81\x82\x83\x84\x85\x86\x87"
12778 -+ "\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
12779 -+ "\x90\x91\x92\x93\x94\x95\x96\x97"
12780 -+ "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
12781 -+ "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
12782 -+ "\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
12783 -+ "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7"
12784 -+ "\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
12785 -+ "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"
12786 -+ "\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
12787 -+ "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7"
12788 -+ "\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
12789 -+ "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
12790 -+ "\xe8\xe9\xea\xeb\xec\xed\xee\xef"
12791 -+ "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
12792 -+ "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff";
12793 -+
12794 -+static const struct hash_testvec blakes2s_128_tv_template[] = {{
12795 -+ .digest = (u8[]){ 0x64, 0x55, 0x0d, 0x6f, 0xfe, 0x2c, 0x0a, 0x01,
12796 -+ 0xa1, 0x4a, 0xba, 0x1e, 0xad, 0xe0, 0x20, 0x0c, },
12797 -+}, {
12798 -+ .plaintext = blake2_ordered_sequence,
12799 -+ .psize = 64,
12800 -+ .digest = (u8[]){ 0xdc, 0x66, 0xca, 0x8f, 0x03, 0x86, 0x58, 0x01,
12801 -+ 0xb0, 0xff, 0xe0, 0x6e, 0xd8, 0xa1, 0xa9, 0x0e, },
12802 -+}, {
12803 -+ .ksize = 16,
12804 -+ .key = blake2_ordered_sequence,
12805 -+ .plaintext = blake2_ordered_sequence,
12806 -+ .psize = 1,
12807 -+ .digest = (u8[]){ 0x88, 0x1e, 0x42, 0xe7, 0xbb, 0x35, 0x80, 0x82,
12808 -+ 0x63, 0x7c, 0x0a, 0x0f, 0xd7, 0xec, 0x6c, 0x2f, },
12809 -+}, {
12810 -+ .ksize = 32,
12811 -+ .key = blake2_ordered_sequence,
12812 -+ .plaintext = blake2_ordered_sequence,
12813 -+ .psize = 7,
12814 -+ .digest = (u8[]){ 0xcf, 0x9e, 0x07, 0x2a, 0xd5, 0x22, 0xf2, 0xcd,
12815 -+ 0xa2, 0xd8, 0x25, 0x21, 0x80, 0x86, 0x73, 0x1c, },
12816 -+}, {
12817 -+ .ksize = 1,
12818 -+ .key = "B",
12819 -+ .plaintext = blake2_ordered_sequence,
12820 -+ .psize = 15,
12821 -+ .digest = (u8[]){ 0xf6, 0x33, 0x5a, 0x2c, 0x22, 0xa0, 0x64, 0xb2,
12822 -+ 0xb6, 0x3f, 0xeb, 0xbc, 0xd1, 0xc3, 0xe5, 0xb2, },
12823 -+}, {
12824 -+ .ksize = 16,
12825 -+ .key = blake2_ordered_sequence,
12826 -+ .plaintext = blake2_ordered_sequence,
12827 -+ .psize = 247,
12828 -+ .digest = (u8[]){ 0x72, 0x66, 0x49, 0x60, 0xf9, 0x4a, 0xea, 0xbe,
12829 -+ 0x1f, 0xf4, 0x60, 0xce, 0xb7, 0x81, 0xcb, 0x09, },
12830 -+}, {
12831 -+ .ksize = 32,
12832 -+ .key = blake2_ordered_sequence,
12833 -+ .plaintext = blake2_ordered_sequence,
12834 -+ .psize = 256,
12835 -+ .digest = (u8[]){ 0xd5, 0xa4, 0x0e, 0xc3, 0x16, 0xc7, 0x51, 0xa6,
12836 -+ 0x3c, 0xd0, 0xd9, 0x11, 0x57, 0xfa, 0x1e, 0xbb, },
12837 -+}};
12838 -+
12839 -+static const struct hash_testvec blakes2s_160_tv_template[] = {{
12840 -+ .plaintext = blake2_ordered_sequence,
12841 -+ .psize = 7,
12842 -+ .digest = (u8[]){ 0xb4, 0xf2, 0x03, 0x49, 0x37, 0xed, 0xb1, 0x3e,
12843 -+ 0x5b, 0x2a, 0xca, 0x64, 0x82, 0x74, 0xf6, 0x62,
12844 -+ 0xe3, 0xf2, 0x84, 0xff, },
12845 -+}, {
12846 -+ .plaintext = blake2_ordered_sequence,
12847 -+ .psize = 256,
12848 -+ .digest = (u8[]){ 0xaa, 0x56, 0x9b, 0xdc, 0x98, 0x17, 0x75, 0xf2,
12849 -+ 0xb3, 0x68, 0x83, 0xb7, 0x9b, 0x8d, 0x48, 0xb1,
12850 -+ 0x9b, 0x2d, 0x35, 0x05, },
12851 -+}, {
12852 -+ .ksize = 1,
12853 -+ .key = "B",
12854 -+ .digest = (u8[]){ 0x50, 0x16, 0xe7, 0x0c, 0x01, 0xd0, 0xd3, 0xc3,
12855 -+ 0xf4, 0x3e, 0xb1, 0x6e, 0x97, 0xa9, 0x4e, 0xd1,
12856 -+ 0x79, 0x65, 0x32, 0x93, },
12857 -+}, {
12858 -+ .ksize = 32,
12859 -+ .key = blake2_ordered_sequence,
12860 -+ .plaintext = blake2_ordered_sequence,
12861 -+ .psize = 1,
12862 -+ .digest = (u8[]){ 0x1c, 0x2b, 0xcd, 0x9a, 0x68, 0xca, 0x8c, 0x71,
12863 -+ 0x90, 0x29, 0x6c, 0x54, 0xfa, 0x56, 0x4a, 0xef,
12864 -+ 0xa2, 0x3a, 0x56, 0x9c, },
12865 -+}, {
12866 -+ .ksize = 16,
12867 -+ .key = blake2_ordered_sequence,
12868 -+ .plaintext = blake2_ordered_sequence,
12869 -+ .psize = 15,
12870 -+ .digest = (u8[]){ 0x36, 0xc3, 0x5f, 0x9a, 0xdc, 0x7e, 0xbf, 0x19,
12871 -+ 0x68, 0xaa, 0xca, 0xd8, 0x81, 0xbf, 0x09, 0x34,
12872 -+ 0x83, 0x39, 0x0f, 0x30, },
12873 -+}, {
12874 -+ .ksize = 1,
12875 -+ .key = "B",
12876 -+ .plaintext = blake2_ordered_sequence,
12877 -+ .psize = 64,
12878 -+ .digest = (u8[]){ 0x86, 0x80, 0x78, 0xa4, 0x14, 0xec, 0x03, 0xe5,
12879 -+ 0xb6, 0x9a, 0x52, 0x0e, 0x42, 0xee, 0x39, 0x9d,
12880 -+ 0xac, 0xa6, 0x81, 0x63, },
12881 -+}, {
12882 -+ .ksize = 32,
12883 -+ .key = blake2_ordered_sequence,
12884 -+ .plaintext = blake2_ordered_sequence,
12885 -+ .psize = 247,
12886 -+ .digest = (u8[]){ 0x2d, 0xd8, 0xd2, 0x53, 0x66, 0xfa, 0xa9, 0x01,
12887 -+ 0x1c, 0x9c, 0xaf, 0xa3, 0xe2, 0x9d, 0x9b, 0x10,
12888 -+ 0x0a, 0xf6, 0x73, 0xe8, },
12889 -+}};
12890 -+
12891 -+static const struct hash_testvec blakes2s_224_tv_template[] = {{
12892 -+ .plaintext = blake2_ordered_sequence,
12893 -+ .psize = 1,
12894 -+ .digest = (u8[]){ 0x61, 0xb9, 0x4e, 0xc9, 0x46, 0x22, 0xa3, 0x91,
12895 -+ 0xd2, 0xae, 0x42, 0xe6, 0x45, 0x6c, 0x90, 0x12,
12896 -+ 0xd5, 0x80, 0x07, 0x97, 0xb8, 0x86, 0x5a, 0xfc,
12897 -+ 0x48, 0x21, 0x97, 0xbb, },
12898 -+}, {
12899 -+ .plaintext = blake2_ordered_sequence,
12900 -+ .psize = 247,
12901 -+ .digest = (u8[]){ 0x9e, 0xda, 0xc7, 0x20, 0x2c, 0xd8, 0x48, 0x2e,
12902 -+ 0x31, 0x94, 0xab, 0x46, 0x6d, 0x94, 0xd8, 0xb4,
12903 -+ 0x69, 0xcd, 0xae, 0x19, 0x6d, 0x9e, 0x41, 0xcc,
12904 -+ 0x2b, 0xa4, 0xd5, 0xf6, },
12905 -+}, {
12906 -+ .ksize = 16,
12907 -+ .key = blake2_ordered_sequence,
12908 -+ .digest = (u8[]){ 0x32, 0xc0, 0xac, 0xf4, 0x3b, 0xd3, 0x07, 0x9f,
12909 -+ 0xbe, 0xfb, 0xfa, 0x4d, 0x6b, 0x4e, 0x56, 0xb3,
12910 -+ 0xaa, 0xd3, 0x27, 0xf6, 0x14, 0xbf, 0xb9, 0x32,
12911 -+ 0xa7, 0x19, 0xfc, 0xb8, },
12912 -+}, {
12913 -+ .ksize = 1,
12914 -+ .key = "B",
12915 -+ .plaintext = blake2_ordered_sequence,
12916 -+ .psize = 7,
12917 -+ .digest = (u8[]){ 0x73, 0xad, 0x5e, 0x6d, 0xb9, 0x02, 0x8e, 0x76,
12918 -+ 0xf2, 0x66, 0x42, 0x4b, 0x4c, 0xfa, 0x1f, 0xe6,
12919 -+ 0x2e, 0x56, 0x40, 0xe5, 0xa2, 0xb0, 0x3c, 0xe8,
12920 -+ 0x7b, 0x45, 0xfe, 0x05, },
12921 -+}, {
12922 -+ .ksize = 32,
12923 -+ .key = blake2_ordered_sequence,
12924 -+ .plaintext = blake2_ordered_sequence,
12925 -+ .psize = 15,
12926 -+ .digest = (u8[]){ 0x16, 0x60, 0xfb, 0x92, 0x54, 0xb3, 0x6e, 0x36,
12927 -+ 0x81, 0xf4, 0x16, 0x41, 0xc3, 0x3d, 0xd3, 0x43,
12928 -+ 0x84, 0xed, 0x10, 0x6f, 0x65, 0x80, 0x7a, 0x3e,
12929 -+ 0x25, 0xab, 0xc5, 0x02, },
12930 -+}, {
12931 -+ .ksize = 16,
12932 -+ .key = blake2_ordered_sequence,
12933 -+ .plaintext = blake2_ordered_sequence,
12934 -+ .psize = 64,
12935 -+ .digest = (u8[]){ 0xca, 0xaa, 0x39, 0x67, 0x9c, 0xf7, 0x6b, 0xc7,
12936 -+ 0xb6, 0x82, 0xca, 0x0e, 0x65, 0x36, 0x5b, 0x7c,
12937 -+ 0x24, 0x00, 0xfa, 0x5f, 0xda, 0x06, 0x91, 0x93,
12938 -+ 0x6a, 0x31, 0x83, 0xb5, },
12939 -+}, {
12940 -+ .ksize = 1,
12941 -+ .key = "B",
12942 -+ .plaintext = blake2_ordered_sequence,
12943 -+ .psize = 256,
12944 -+ .digest = (u8[]){ 0x90, 0x02, 0x26, 0xb5, 0x06, 0x9c, 0x36, 0x86,
12945 -+ 0x94, 0x91, 0x90, 0x1e, 0x7d, 0x2a, 0x71, 0xb2,
12946 -+ 0x48, 0xb5, 0xe8, 0x16, 0xfd, 0x64, 0x33, 0x45,
12947 -+ 0xb3, 0xd7, 0xec, 0xcc, },
12948 -+}};
12949 -+
12950 -+static const struct hash_testvec blakes2s_256_tv_template[] = {{
12951 -+ .plaintext = blake2_ordered_sequence,
12952 -+ .psize = 15,
12953 -+ .digest = (u8[]){ 0xd9, 0x7c, 0x82, 0x8d, 0x81, 0x82, 0xa7, 0x21,
12954 -+ 0x80, 0xa0, 0x6a, 0x78, 0x26, 0x83, 0x30, 0x67,
12955 -+ 0x3f, 0x7c, 0x4e, 0x06, 0x35, 0x94, 0x7c, 0x04,
12956 -+ 0xc0, 0x23, 0x23, 0xfd, 0x45, 0xc0, 0xa5, 0x2d, },
12957 -+}, {
12958 -+ .ksize = 32,
12959 -+ .key = blake2_ordered_sequence,
12960 -+ .digest = (u8[]){ 0x48, 0xa8, 0x99, 0x7d, 0xa4, 0x07, 0x87, 0x6b,
12961 -+ 0x3d, 0x79, 0xc0, 0xd9, 0x23, 0x25, 0xad, 0x3b,
12962 -+ 0x89, 0xcb, 0xb7, 0x54, 0xd8, 0x6a, 0xb7, 0x1a,
12963 -+ 0xee, 0x04, 0x7a, 0xd3, 0x45, 0xfd, 0x2c, 0x49, },
12964 -+}, {
12965 -+ .ksize = 1,
12966 -+ .key = "B",
12967 -+ .plaintext = blake2_ordered_sequence,
12968 -+ .psize = 1,
12969 -+ .digest = (u8[]){ 0x22, 0x27, 0xae, 0xaa, 0x6e, 0x81, 0x56, 0x03,
12970 -+ 0xa7, 0xe3, 0xa1, 0x18, 0xa5, 0x9a, 0x2c, 0x18,
12971 -+ 0xf4, 0x63, 0xbc, 0x16, 0x70, 0xf1, 0xe7, 0x4b,
12972 -+ 0x00, 0x6d, 0x66, 0x16, 0xae, 0x9e, 0x74, 0x4e, },
12973 -+}, {
12974 -+ .ksize = 16,
12975 -+ .key = blake2_ordered_sequence,
12976 -+ .plaintext = blake2_ordered_sequence,
12977 -+ .psize = 7,
12978 -+ .digest = (u8[]){ 0x58, 0x5d, 0xa8, 0x60, 0x1c, 0xa4, 0xd8, 0x03,
12979 -+ 0x86, 0x86, 0x84, 0x64, 0xd7, 0xa0, 0x8e, 0x15,
12980 -+ 0x2f, 0x05, 0xa2, 0x1b, 0xbc, 0xef, 0x7a, 0x34,
12981 -+ 0xb3, 0xc5, 0xbc, 0x4b, 0xf0, 0x32, 0xeb, 0x12, },
12982 -+}, {
12983 -+ .ksize = 32,
12984 -+ .key = blake2_ordered_sequence,
12985 -+ .plaintext = blake2_ordered_sequence,
12986 -+ .psize = 64,
12987 -+ .digest = (u8[]){ 0x89, 0x75, 0xb0, 0x57, 0x7f, 0xd3, 0x55, 0x66,
12988 -+ 0xd7, 0x50, 0xb3, 0x62, 0xb0, 0x89, 0x7a, 0x26,
12989 -+ 0xc3, 0x99, 0x13, 0x6d, 0xf0, 0x7b, 0xab, 0xab,
12990 -+ 0xbd, 0xe6, 0x20, 0x3f, 0xf2, 0x95, 0x4e, 0xd4, },
12991 -+}, {
12992 -+ .ksize = 1,
12993 -+ .key = "B",
12994 -+ .plaintext = blake2_ordered_sequence,
12995 -+ .psize = 247,
12996 -+ .digest = (u8[]){ 0x2e, 0x74, 0x1c, 0x1d, 0x03, 0xf4, 0x9d, 0x84,
12997 -+ 0x6f, 0xfc, 0x86, 0x32, 0x92, 0x49, 0x7e, 0x66,
12998 -+ 0xd7, 0xc3, 0x10, 0x88, 0xfe, 0x28, 0xb3, 0xe0,
12999 -+ 0xbf, 0x50, 0x75, 0xad, 0x8e, 0xa4, 0xe6, 0xb2, },
13000 -+}, {
13001 -+ .ksize = 16,
13002 -+ .key = blake2_ordered_sequence,
13003 -+ .plaintext = blake2_ordered_sequence,
13004 -+ .psize = 256,
13005 -+ .digest = (u8[]){ 0xb9, 0xd2, 0x81, 0x0e, 0x3a, 0xb1, 0x62, 0x9b,
13006 -+ 0xad, 0x44, 0x05, 0xf4, 0x92, 0x2e, 0x99, 0xc1,
13007 -+ 0x4a, 0x47, 0xbb, 0x5b, 0x6f, 0xb2, 0x96, 0xed,
13008 -+ 0xd5, 0x06, 0xb5, 0x3a, 0x7c, 0x7a, 0x65, 0x1d, },
13009 -+}};
13010 -+
13011 - #endif /* _CRYPTO_TESTMGR_H */
13012 ---- b/crypto/Makefile
13013 -+++ b/crypto/Makefile
13014 -@@ -74,6 +74,7 @@
13015 - obj-$(CONFIG_CRYPTO_WP512) += wp512.o
13016 - CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
13017 - obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o
13018 -+obj-$(CONFIG_CRYPTO_BLAKE2S) += blake2s_generic.o
13019 - obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o
13020 - obj-$(CONFIG_CRYPTO_ECB) += ecb.o
13021 - obj-$(CONFIG_CRYPTO_CBC) += cbc.o
13022 -@@ -166,6 +167,7 @@
13023 - obj-$(CONFIG_CRYPTO_OFB) += ofb.o
13024 - obj-$(CONFIG_CRYPTO_ECC) += ecc.o
13025 - obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
13026 -+obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o
13027 -
13028 - ecdh_generic-y += ecdh.o
13029 - ecdh_generic-y += ecdh_helper.o
13030 ---- /dev/null
13031 -+++ b/crypto/blake2s_generic.c
13032 -@@ -0,0 +1,171 @@
13033 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
13034 -+/*
13035 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13036 -+ */
13037 -+
13038 -+#include <crypto/internal/blake2s.h>
13039 -+#include <crypto/internal/simd.h>
13040 -+#include <crypto/internal/hash.h>
13041 -+
13042 -+#include <linux/types.h>
13043 -+#include <linux/jump_label.h>
13044 -+#include <linux/kernel.h>
13045 -+#include <linux/module.h>
13046 -+
13047 -+static int crypto_blake2s_setkey(struct crypto_shash *tfm, const u8 *key,
13048 -+ unsigned int keylen)
13049 -+{
13050 -+ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(tfm);
13051 -+
13052 -+ if (keylen == 0 || keylen > BLAKE2S_KEY_SIZE) {
13053 -+ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
13054 -+ return -EINVAL;
13055 -+ }
13056 -+
13057 -+ memcpy(tctx->key, key, keylen);
13058 -+ tctx->keylen = keylen;
13059 -+
13060 -+ return 0;
13061 -+}
13062 -+
13063 -+static int crypto_blake2s_init(struct shash_desc *desc)
13064 -+{
13065 -+ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
13066 -+ struct blake2s_state *state = shash_desc_ctx(desc);
13067 -+ const int outlen = crypto_shash_digestsize(desc->tfm);
13068 -+
13069 -+ if (tctx->keylen)
13070 -+ blake2s_init_key(state, outlen, tctx->key, tctx->keylen);
13071 -+ else
13072 -+ blake2s_init(state, outlen);
13073 -+
13074 -+ return 0;
13075 -+}
13076 -+
13077 -+static int crypto_blake2s_update(struct shash_desc *desc, const u8 *in,
13078 -+ unsigned int inlen)
13079 -+{
13080 -+ struct blake2s_state *state = shash_desc_ctx(desc);
13081 -+ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
13082 -+
13083 -+ if (unlikely(!inlen))
13084 -+ return 0;
13085 -+ if (inlen > fill) {
13086 -+ memcpy(state->buf + state->buflen, in, fill);
13087 -+ blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
13088 -+ state->buflen = 0;
13089 -+ in += fill;
13090 -+ inlen -= fill;
13091 -+ }
13092 -+ if (inlen > BLAKE2S_BLOCK_SIZE) {
13093 -+ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
13094 -+ /* Hash one less (full) block than strictly possible */
13095 -+ blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
13096 -+ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13097 -+ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13098 -+ }
13099 -+ memcpy(state->buf + state->buflen, in, inlen);
13100 -+ state->buflen += inlen;
13101 -+
13102 -+ return 0;
13103 -+}
13104 -+
13105 -+static int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
13106 -+{
13107 -+ struct blake2s_state *state = shash_desc_ctx(desc);
13108 -+
13109 -+ blake2s_set_lastblock(state);
13110 -+ memset(state->buf + state->buflen, 0,
13111 -+ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
13112 -+ blake2s_compress_generic(state, state->buf, 1, state->buflen);
13113 -+ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
13114 -+ memcpy(out, state->h, state->outlen);
13115 -+ memzero_explicit(state, sizeof(*state));
13116 -+
13117 -+ return 0;
13118 -+}
13119 -+
13120 -+static struct shash_alg blake2s_algs[] = {{
13121 -+ .base.cra_name = "blake2s-128",
13122 -+ .base.cra_driver_name = "blake2s-128-generic",
13123 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13124 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13125 -+ .base.cra_priority = 200,
13126 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13127 -+ .base.cra_module = THIS_MODULE,
13128 -+
13129 -+ .digestsize = BLAKE2S_128_HASH_SIZE,
13130 -+ .setkey = crypto_blake2s_setkey,
13131 -+ .init = crypto_blake2s_init,
13132 -+ .update = crypto_blake2s_update,
13133 -+ .final = crypto_blake2s_final,
13134 -+ .descsize = sizeof(struct blake2s_state),
13135 -+}, {
13136 -+ .base.cra_name = "blake2s-160",
13137 -+ .base.cra_driver_name = "blake2s-160-generic",
13138 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13139 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13140 -+ .base.cra_priority = 200,
13141 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13142 -+ .base.cra_module = THIS_MODULE,
13143 -+
13144 -+ .digestsize = BLAKE2S_160_HASH_SIZE,
13145 -+ .setkey = crypto_blake2s_setkey,
13146 -+ .init = crypto_blake2s_init,
13147 -+ .update = crypto_blake2s_update,
13148 -+ .final = crypto_blake2s_final,
13149 -+ .descsize = sizeof(struct blake2s_state),
13150 -+}, {
13151 -+ .base.cra_name = "blake2s-224",
13152 -+ .base.cra_driver_name = "blake2s-224-generic",
13153 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13154 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13155 -+ .base.cra_priority = 200,
13156 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13157 -+ .base.cra_module = THIS_MODULE,
13158 -+
13159 -+ .digestsize = BLAKE2S_224_HASH_SIZE,
13160 -+ .setkey = crypto_blake2s_setkey,
13161 -+ .init = crypto_blake2s_init,
13162 -+ .update = crypto_blake2s_update,
13163 -+ .final = crypto_blake2s_final,
13164 -+ .descsize = sizeof(struct blake2s_state),
13165 -+}, {
13166 -+ .base.cra_name = "blake2s-256",
13167 -+ .base.cra_driver_name = "blake2s-256-generic",
13168 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13169 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13170 -+ .base.cra_priority = 200,
13171 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13172 -+ .base.cra_module = THIS_MODULE,
13173 -+
13174 -+ .digestsize = BLAKE2S_256_HASH_SIZE,
13175 -+ .setkey = crypto_blake2s_setkey,
13176 -+ .init = crypto_blake2s_init,
13177 -+ .update = crypto_blake2s_update,
13178 -+ .final = crypto_blake2s_final,
13179 -+ .descsize = sizeof(struct blake2s_state),
13180 -+}};
13181 -+
13182 -+static int __init blake2s_mod_init(void)
13183 -+{
13184 -+ return crypto_register_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
13185 -+}
13186 -+
13187 -+static void __exit blake2s_mod_exit(void)
13188 -+{
13189 -+ crypto_unregister_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
13190 -+}
13191 -+
13192 -+subsys_initcall(blake2s_mod_init);
13193 -+module_exit(blake2s_mod_exit);
13194 -+
13195 -+MODULE_ALIAS_CRYPTO("blake2s-128");
13196 -+MODULE_ALIAS_CRYPTO("blake2s-128-generic");
13197 -+MODULE_ALIAS_CRYPTO("blake2s-160");
13198 -+MODULE_ALIAS_CRYPTO("blake2s-160-generic");
13199 -+MODULE_ALIAS_CRYPTO("blake2s-224");
13200 -+MODULE_ALIAS_CRYPTO("blake2s-224-generic");
13201 -+MODULE_ALIAS_CRYPTO("blake2s-256");
13202 -+MODULE_ALIAS_CRYPTO("blake2s-256-generic");
13203 -+MODULE_LICENSE("GPL v2");
13204 ---- b/arch/x86/crypto/Makefile
13205 -+++ b/arch/x86/crypto/Makefile
13206 -@@ -11,6 +11,7 @@
13207 - avx512_supported :=$(call as-instr,vpmovm2b %k1$(comma)%zmm5,yes,no)
13208 - sha1_ni_supported :=$(call as-instr,sha1msg1 %xmm0$(comma)%xmm1,yes,no)
13209 - sha256_ni_supported :=$(call as-instr,sha256msg1 %xmm0$(comma)%xmm1,yes,no)
13210 -+adx_supported := $(call as-instr,adox %r10$(comma)%r10,yes,no)
13211 -
13212 - obj-$(CONFIG_CRYPTO_GLUE_HELPER_X86) += glue_helper.o
13213 -
13214 -@@ -41,4 +42,9 @@
13215 - obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o
13216 -
13217 -+# These modules require the assembler to support ADX.
13218 -+ifeq ($(adx_supported),yes)
13219 -+ obj-$(CONFIG_CRYPTO_CURVE25519_X86) += curve25519-x86_64.o
13220 -+endif
13221 -+
13222 - # These modules require assembler to support AVX.
13223 - ifeq ($(avx_supported),yes)
13224 -@@ -48,6 +54,7 @@
13225 - obj-$(CONFIG_CRYPTO_CAST6_AVX_X86_64) += cast6-avx-x86_64.o
13226 - obj-$(CONFIG_CRYPTO_TWOFISH_AVX_X86_64) += twofish-avx-x86_64.o
13227 - obj-$(CONFIG_CRYPTO_SERPENT_AVX_X86_64) += serpent-avx-x86_64.o
13228 -+ obj-$(CONFIG_CRYPTO_BLAKE2S_X86) += blake2s-x86_64.o
13229 - endif
13230 -
13231 - # These modules require assembler to support AVX2.
13232 -@@ -70,6 +77,11 @@
13233 - aegis128-aesni-y := aegis128-aesni-asm.o aegis128-aesni-glue.o
13234 -
13235 - nhpoly1305-sse2-y := nh-sse2-x86_64.o nhpoly1305-sse2-glue.o
13236 -+blake2s-x86_64-y := blake2s-core.o blake2s-glue.o
13237 -+poly1305-x86_64-y := poly1305-x86_64-cryptogams.o poly1305_glue.o
13238 -+ifneq ($(CONFIG_CRYPTO_POLY1305_X86_64),)
13239 -+targets += poly1305-x86_64-cryptogams.S
13240 -+endif
13241 -
13242 - ifeq ($(avx_supported),yes)
13243 - camellia-aesni-avx-x86_64-y := camellia-aesni-avx-asm_64.o \
13244 -@@ -98,10 +110,8 @@
13245 - aesni-intel-$(CONFIG_64BIT) += aesni-intel_avx-x86_64.o aes_ctrby8_avx-x86_64.o
13246 - ghash-clmulni-intel-y := ghash-clmulni-intel_asm.o ghash-clmulni-intel_glue.o
13247 - sha1-ssse3-y := sha1_ssse3_asm.o sha1_ssse3_glue.o
13248 --poly1305-x86_64-y := poly1305-sse2-x86_64.o poly1305_glue.o
13249 - ifeq ($(avx2_supported),yes)
13250 - sha1-ssse3-y += sha1_avx2_x86_64_asm.o
13251 --poly1305-x86_64-y += poly1305-avx2-x86_64.o
13252 - endif
13253 - ifeq ($(sha1_ni_supported),yes)
13254 - sha1-ssse3-y += sha1_ni_asm.o
13255 -@@ -117,0 +128,5 @@
13256 -+
13257 -+quiet_cmd_perlasm = PERLASM $@
13258 -+ cmd_perlasm = $(PERL) $< > $@
13259 -+$(obj)/%.S: $(src)/%.pl FORCE
13260 -+ $(call if_changed,perlasm)
13261 ---- /dev/null
13262 -+++ b/arch/x86/crypto/blake2s-core.S
13263 -@@ -0,0 +1,258 @@
13264 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
13265 -+/*
13266 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13267 -+ * Copyright (C) 2017-2019 Samuel Neves <sneves@××××××.pt>. All Rights Reserved.
13268 -+ */
13269 -+
13270 -+#include <linux/linkage.h>
13271 -+
13272 -+.section .rodata.cst32.BLAKE2S_IV, "aM", @progbits, 32
13273 -+.align 32
13274 -+IV: .octa 0xA54FF53A3C6EF372BB67AE856A09E667
13275 -+ .octa 0x5BE0CD191F83D9AB9B05688C510E527F
13276 -+.section .rodata.cst16.ROT16, "aM", @progbits, 16
13277 -+.align 16
13278 -+ROT16: .octa 0x0D0C0F0E09080B0A0504070601000302
13279 -+.section .rodata.cst16.ROR328, "aM", @progbits, 16
13280 -+.align 16
13281 -+ROR328: .octa 0x0C0F0E0D080B0A090407060500030201
13282 -+.section .rodata.cst64.BLAKE2S_SIGMA, "aM", @progbits, 160
13283 -+.align 64
13284 -+SIGMA:
13285 -+.byte 0, 2, 4, 6, 1, 3, 5, 7, 14, 8, 10, 12, 15, 9, 11, 13
13286 -+.byte 14, 4, 9, 13, 10, 8, 15, 6, 5, 1, 0, 11, 3, 12, 2, 7
13287 -+.byte 11, 12, 5, 15, 8, 0, 2, 13, 9, 10, 3, 7, 4, 14, 6, 1
13288 -+.byte 7, 3, 13, 11, 9, 1, 12, 14, 15, 2, 5, 4, 8, 6, 10, 0
13289 -+.byte 9, 5, 2, 10, 0, 7, 4, 15, 3, 14, 11, 6, 13, 1, 12, 8
13290 -+.byte 2, 6, 0, 8, 12, 10, 11, 3, 1, 4, 7, 15, 9, 13, 5, 14
13291 -+.byte 12, 1, 14, 4, 5, 15, 13, 10, 8, 0, 6, 9, 11, 7, 3, 2
13292 -+.byte 13, 7, 12, 3, 11, 14, 1, 9, 2, 5, 15, 8, 10, 0, 4, 6
13293 -+.byte 6, 14, 11, 0, 15, 9, 3, 8, 10, 12, 13, 1, 5, 2, 7, 4
13294 -+.byte 10, 8, 7, 1, 2, 4, 6, 5, 13, 15, 9, 3, 0, 11, 14, 12
13295 -+#ifdef CONFIG_AS_AVX512
13296 -+.section .rodata.cst64.BLAKE2S_SIGMA2, "aM", @progbits, 640
13297 -+.align 64
13298 -+SIGMA2:
13299 -+.long 0, 2, 4, 6, 1, 3, 5, 7, 14, 8, 10, 12, 15, 9, 11, 13
13300 -+.long 8, 2, 13, 15, 10, 9, 12, 3, 6, 4, 0, 14, 5, 11, 1, 7
13301 -+.long 11, 13, 8, 6, 5, 10, 14, 3, 2, 4, 12, 15, 1, 0, 7, 9
13302 -+.long 11, 10, 7, 0, 8, 15, 1, 13, 3, 6, 2, 12, 4, 14, 9, 5
13303 -+.long 4, 10, 9, 14, 15, 0, 11, 8, 1, 7, 3, 13, 2, 5, 6, 12
13304 -+.long 2, 11, 4, 15, 14, 3, 10, 8, 13, 6, 5, 7, 0, 12, 1, 9
13305 -+.long 4, 8, 15, 9, 14, 11, 13, 5, 3, 2, 1, 12, 6, 10, 7, 0
13306 -+.long 6, 13, 0, 14, 12, 2, 1, 11, 15, 4, 5, 8, 7, 9, 3, 10
13307 -+.long 15, 5, 4, 13, 10, 7, 3, 11, 12, 2, 0, 6, 9, 8, 1, 14
13308 -+.long 8, 7, 14, 11, 13, 15, 0, 12, 10, 4, 5, 6, 3, 2, 1, 9
13309 -+#endif /* CONFIG_AS_AVX512 */
13310 -+
13311 -+.text
13312 -+#ifdef CONFIG_AS_SSSE3
13313 -+ENTRY(blake2s_compress_ssse3)
13314 -+ testq %rdx,%rdx
13315 -+ je .Lendofloop
13316 -+ movdqu (%rdi),%xmm0
13317 -+ movdqu 0x10(%rdi),%xmm1
13318 -+ movdqa ROT16(%rip),%xmm12
13319 -+ movdqa ROR328(%rip),%xmm13
13320 -+ movdqu 0x20(%rdi),%xmm14
13321 -+ movq %rcx,%xmm15
13322 -+ leaq SIGMA+0xa0(%rip),%r8
13323 -+ jmp .Lbeginofloop
13324 -+ .align 32
13325 -+.Lbeginofloop:
13326 -+ movdqa %xmm0,%xmm10
13327 -+ movdqa %xmm1,%xmm11
13328 -+ paddq %xmm15,%xmm14
13329 -+ movdqa IV(%rip),%xmm2
13330 -+ movdqa %xmm14,%xmm3
13331 -+ pxor IV+0x10(%rip),%xmm3
13332 -+ leaq SIGMA(%rip),%rcx
13333 -+.Lroundloop:
13334 -+ movzbl (%rcx),%eax
13335 -+ movd (%rsi,%rax,4),%xmm4
13336 -+ movzbl 0x1(%rcx),%eax
13337 -+ movd (%rsi,%rax,4),%xmm5
13338 -+ movzbl 0x2(%rcx),%eax
13339 -+ movd (%rsi,%rax,4),%xmm6
13340 -+ movzbl 0x3(%rcx),%eax
13341 -+ movd (%rsi,%rax,4),%xmm7
13342 -+ punpckldq %xmm5,%xmm4
13343 -+ punpckldq %xmm7,%xmm6
13344 -+ punpcklqdq %xmm6,%xmm4
13345 -+ paddd %xmm4,%xmm0
13346 -+ paddd %xmm1,%xmm0
13347 -+ pxor %xmm0,%xmm3
13348 -+ pshufb %xmm12,%xmm3
13349 -+ paddd %xmm3,%xmm2
13350 -+ pxor %xmm2,%xmm1
13351 -+ movdqa %xmm1,%xmm8
13352 -+ psrld $0xc,%xmm1
13353 -+ pslld $0x14,%xmm8
13354 -+ por %xmm8,%xmm1
13355 -+ movzbl 0x4(%rcx),%eax
13356 -+ movd (%rsi,%rax,4),%xmm5
13357 -+ movzbl 0x5(%rcx),%eax
13358 -+ movd (%rsi,%rax,4),%xmm6
13359 -+ movzbl 0x6(%rcx),%eax
13360 -+ movd (%rsi,%rax,4),%xmm7
13361 -+ movzbl 0x7(%rcx),%eax
13362 -+ movd (%rsi,%rax,4),%xmm4
13363 -+ punpckldq %xmm6,%xmm5
13364 -+ punpckldq %xmm4,%xmm7
13365 -+ punpcklqdq %xmm7,%xmm5
13366 -+ paddd %xmm5,%xmm0
13367 -+ paddd %xmm1,%xmm0
13368 -+ pxor %xmm0,%xmm3
13369 -+ pshufb %xmm13,%xmm3
13370 -+ paddd %xmm3,%xmm2
13371 -+ pxor %xmm2,%xmm1
13372 -+ movdqa %xmm1,%xmm8
13373 -+ psrld $0x7,%xmm1
13374 -+ pslld $0x19,%xmm8
13375 -+ por %xmm8,%xmm1
13376 -+ pshufd $0x93,%xmm0,%xmm0
13377 -+ pshufd $0x4e,%xmm3,%xmm3
13378 -+ pshufd $0x39,%xmm2,%xmm2
13379 -+ movzbl 0x8(%rcx),%eax
13380 -+ movd (%rsi,%rax,4),%xmm6
13381 -+ movzbl 0x9(%rcx),%eax
13382 -+ movd (%rsi,%rax,4),%xmm7
13383 -+ movzbl 0xa(%rcx),%eax
13384 -+ movd (%rsi,%rax,4),%xmm4
13385 -+ movzbl 0xb(%rcx),%eax
13386 -+ movd (%rsi,%rax,4),%xmm5
13387 -+ punpckldq %xmm7,%xmm6
13388 -+ punpckldq %xmm5,%xmm4
13389 -+ punpcklqdq %xmm4,%xmm6
13390 -+ paddd %xmm6,%xmm0
13391 -+ paddd %xmm1,%xmm0
13392 -+ pxor %xmm0,%xmm3
13393 -+ pshufb %xmm12,%xmm3
13394 -+ paddd %xmm3,%xmm2
13395 -+ pxor %xmm2,%xmm1
13396 -+ movdqa %xmm1,%xmm8
13397 -+ psrld $0xc,%xmm1
13398 -+ pslld $0x14,%xmm8
13399 -+ por %xmm8,%xmm1
13400 -+ movzbl 0xc(%rcx),%eax
13401 -+ movd (%rsi,%rax,4),%xmm7
13402 -+ movzbl 0xd(%rcx),%eax
13403 -+ movd (%rsi,%rax,4),%xmm4
13404 -+ movzbl 0xe(%rcx),%eax
13405 -+ movd (%rsi,%rax,4),%xmm5
13406 -+ movzbl 0xf(%rcx),%eax
13407 -+ movd (%rsi,%rax,4),%xmm6
13408 -+ punpckldq %xmm4,%xmm7
13409 -+ punpckldq %xmm6,%xmm5
13410 -+ punpcklqdq %xmm5,%xmm7
13411 -+ paddd %xmm7,%xmm0
13412 -+ paddd %xmm1,%xmm0
13413 -+ pxor %xmm0,%xmm3
13414 -+ pshufb %xmm13,%xmm3
13415 -+ paddd %xmm3,%xmm2
13416 -+ pxor %xmm2,%xmm1
13417 -+ movdqa %xmm1,%xmm8
13418 -+ psrld $0x7,%xmm1
13419 -+ pslld $0x19,%xmm8
13420 -+ por %xmm8,%xmm1
13421 -+ pshufd $0x39,%xmm0,%xmm0
13422 -+ pshufd $0x4e,%xmm3,%xmm3
13423 -+ pshufd $0x93,%xmm2,%xmm2
13424 -+ addq $0x10,%rcx
13425 -+ cmpq %r8,%rcx
13426 -+ jnz .Lroundloop
13427 -+ pxor %xmm2,%xmm0
13428 -+ pxor %xmm3,%xmm1
13429 -+ pxor %xmm10,%xmm0
13430 -+ pxor %xmm11,%xmm1
13431 -+ addq $0x40,%rsi
13432 -+ decq %rdx
13433 -+ jnz .Lbeginofloop
13434 -+ movdqu %xmm0,(%rdi)
13435 -+ movdqu %xmm1,0x10(%rdi)
13436 -+ movdqu %xmm14,0x20(%rdi)
13437 -+.Lendofloop:
13438 -+ ret
13439 -+ENDPROC(blake2s_compress_ssse3)
13440 -+#endif /* CONFIG_AS_SSSE3 */
13441 -+
13442 -+#ifdef CONFIG_AS_AVX512
13443 -+ENTRY(blake2s_compress_avx512)
13444 -+ vmovdqu (%rdi),%xmm0
13445 -+ vmovdqu 0x10(%rdi),%xmm1
13446 -+ vmovdqu 0x20(%rdi),%xmm4
13447 -+ vmovq %rcx,%xmm5
13448 -+ vmovdqa IV(%rip),%xmm14
13449 -+ vmovdqa IV+16(%rip),%xmm15
13450 -+ jmp .Lblake2s_compress_avx512_mainloop
13451 -+.align 32
13452 -+.Lblake2s_compress_avx512_mainloop:
13453 -+ vmovdqa %xmm0,%xmm10
13454 -+ vmovdqa %xmm1,%xmm11
13455 -+ vpaddq %xmm5,%xmm4,%xmm4
13456 -+ vmovdqa %xmm14,%xmm2
13457 -+ vpxor %xmm15,%xmm4,%xmm3
13458 -+ vmovdqu (%rsi),%ymm6
13459 -+ vmovdqu 0x20(%rsi),%ymm7
13460 -+ addq $0x40,%rsi
13461 -+ leaq SIGMA2(%rip),%rax
13462 -+ movb $0xa,%cl
13463 -+.Lblake2s_compress_avx512_roundloop:
13464 -+ addq $0x40,%rax
13465 -+ vmovdqa -0x40(%rax),%ymm8
13466 -+ vmovdqa -0x20(%rax),%ymm9
13467 -+ vpermi2d %ymm7,%ymm6,%ymm8
13468 -+ vpermi2d %ymm7,%ymm6,%ymm9
13469 -+ vmovdqa %ymm8,%ymm6
13470 -+ vmovdqa %ymm9,%ymm7
13471 -+ vpaddd %xmm8,%xmm0,%xmm0
13472 -+ vpaddd %xmm1,%xmm0,%xmm0
13473 -+ vpxor %xmm0,%xmm3,%xmm3
13474 -+ vprord $0x10,%xmm3,%xmm3
13475 -+ vpaddd %xmm3,%xmm2,%xmm2
13476 -+ vpxor %xmm2,%xmm1,%xmm1
13477 -+ vprord $0xc,%xmm1,%xmm1
13478 -+ vextracti128 $0x1,%ymm8,%xmm8
13479 -+ vpaddd %xmm8,%xmm0,%xmm0
13480 -+ vpaddd %xmm1,%xmm0,%xmm0
13481 -+ vpxor %xmm0,%xmm3,%xmm3
13482 -+ vprord $0x8,%xmm3,%xmm3
13483 -+ vpaddd %xmm3,%xmm2,%xmm2
13484 -+ vpxor %xmm2,%xmm1,%xmm1
13485 -+ vprord $0x7,%xmm1,%xmm1
13486 -+ vpshufd $0x93,%xmm0,%xmm0
13487 -+ vpshufd $0x4e,%xmm3,%xmm3
13488 -+ vpshufd $0x39,%xmm2,%xmm2
13489 -+ vpaddd %xmm9,%xmm0,%xmm0
13490 -+ vpaddd %xmm1,%xmm0,%xmm0
13491 -+ vpxor %xmm0,%xmm3,%xmm3
13492 -+ vprord $0x10,%xmm3,%xmm3
13493 -+ vpaddd %xmm3,%xmm2,%xmm2
13494 -+ vpxor %xmm2,%xmm1,%xmm1
13495 -+ vprord $0xc,%xmm1,%xmm1
13496 -+ vextracti128 $0x1,%ymm9,%xmm9
13497 -+ vpaddd %xmm9,%xmm0,%xmm0
13498 -+ vpaddd %xmm1,%xmm0,%xmm0
13499 -+ vpxor %xmm0,%xmm3,%xmm3
13500 -+ vprord $0x8,%xmm3,%xmm3
13501 -+ vpaddd %xmm3,%xmm2,%xmm2
13502 -+ vpxor %xmm2,%xmm1,%xmm1
13503 -+ vprord $0x7,%xmm1,%xmm1
13504 -+ vpshufd $0x39,%xmm0,%xmm0
13505 -+ vpshufd $0x4e,%xmm3,%xmm3
13506 -+ vpshufd $0x93,%xmm2,%xmm2
13507 -+ decb %cl
13508 -+ jne .Lblake2s_compress_avx512_roundloop
13509 -+ vpxor %xmm10,%xmm0,%xmm0
13510 -+ vpxor %xmm11,%xmm1,%xmm1
13511 -+ vpxor %xmm2,%xmm0,%xmm0
13512 -+ vpxor %xmm3,%xmm1,%xmm1
13513 -+ decq %rdx
13514 -+ jne .Lblake2s_compress_avx512_mainloop
13515 -+ vmovdqu %xmm0,(%rdi)
13516 -+ vmovdqu %xmm1,0x10(%rdi)
13517 -+ vmovdqu %xmm4,0x20(%rdi)
13518 -+ vzeroupper
13519 -+ retq
13520 -+ENDPROC(blake2s_compress_avx512)
13521 -+#endif /* CONFIG_AS_AVX512 */
13522 ---- b/arch/x86/crypto/blake2s-glue.c
13523 -+++ b/arch/x86/crypto/blake2s-glue.c
13524 -@@ -0,0 +1,233 @@
13525 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
13526 -+/*
13527 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13528 -+ */
13529 -+
13530 -+#include <crypto/internal/blake2s.h>
13531 -+#include <crypto/internal/simd.h>
13532 -+#include <crypto/internal/hash.h>
13533 -+
13534 -+#include <linux/types.h>
13535 -+#include <linux/jump_label.h>
13536 -+#include <linux/kernel.h>
13537 -+#include <linux/module.h>
13538 -+
13539 -+#include <asm/cpufeature.h>
13540 -+#include <asm/fpu/api.h>
13541 -+#include <asm/processor.h>
13542 -+#include <asm/simd.h>
13543 -+
13544 -+asmlinkage void blake2s_compress_ssse3(struct blake2s_state *state,
13545 -+ const u8 *block, const size_t nblocks,
13546 -+ const u32 inc);
13547 -+asmlinkage void blake2s_compress_avx512(struct blake2s_state *state,
13548 -+ const u8 *block, const size_t nblocks,
13549 -+ const u32 inc);
13550 -+
13551 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_ssse3);
13552 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_avx512);
13553 -+
13554 -+void blake2s_compress_arch(struct blake2s_state *state,
13555 -+ const u8 *block, size_t nblocks,
13556 -+ const u32 inc)
13557 -+{
13558 -+ /* SIMD disables preemption, so relax after processing each page. */
13559 -+ BUILD_BUG_ON(SZ_4K / BLAKE2S_BLOCK_SIZE < 8);
13560 -+
13561 -+ if (!static_branch_likely(&blake2s_use_ssse3) || !crypto_simd_usable()) {
13562 -+ blake2s_compress_generic(state, block, nblocks, inc);
13563 -+ return;
13564 -+ }
13565 -+
13566 -+ do {
13567 -+ const size_t blocks = min_t(size_t, nblocks,
13568 -+ SZ_4K / BLAKE2S_BLOCK_SIZE);
13569 -+
13570 -+ kernel_fpu_begin();
13571 -+ if (IS_ENABLED(CONFIG_AS_AVX512) &&
13572 -+ static_branch_likely(&blake2s_use_avx512))
13573 -+ blake2s_compress_avx512(state, block, blocks, inc);
13574 -+ else
13575 -+ blake2s_compress_ssse3(state, block, blocks, inc);
13576 -+ kernel_fpu_end();
13577 -+
13578 -+ nblocks -= blocks;
13579 -+ block += blocks * BLAKE2S_BLOCK_SIZE;
13580 -+ } while (nblocks);
13581 -+}
13582 -+EXPORT_SYMBOL(blake2s_compress_arch);
13583 -+
13584 -+static int crypto_blake2s_setkey(struct crypto_shash *tfm, const u8 *key,
13585 -+ unsigned int keylen)
13586 -+{
13587 -+ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(tfm);
13588 -+
13589 -+ if (keylen == 0 || keylen > BLAKE2S_KEY_SIZE) {
13590 -+ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
13591 -+ return -EINVAL;
13592 -+ }
13593 -+
13594 -+ memcpy(tctx->key, key, keylen);
13595 -+ tctx->keylen = keylen;
13596 -+
13597 -+ return 0;
13598 -+}
13599 -+
13600 -+static int crypto_blake2s_init(struct shash_desc *desc)
13601 -+{
13602 -+ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
13603 -+ struct blake2s_state *state = shash_desc_ctx(desc);
13604 -+ const int outlen = crypto_shash_digestsize(desc->tfm);
13605 -+
13606 -+ if (tctx->keylen)
13607 -+ blake2s_init_key(state, outlen, tctx->key, tctx->keylen);
13608 -+ else
13609 -+ blake2s_init(state, outlen);
13610 -+
13611 -+ return 0;
13612 -+}
13613 -+
13614 -+static int crypto_blake2s_update(struct shash_desc *desc, const u8 *in,
13615 -+ unsigned int inlen)
13616 -+{
13617 -+ struct blake2s_state *state = shash_desc_ctx(desc);
13618 -+ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
13619 -+
13620 -+ if (unlikely(!inlen))
13621 -+ return 0;
13622 -+ if (inlen > fill) {
13623 -+ memcpy(state->buf + state->buflen, in, fill);
13624 -+ blake2s_compress_arch(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
13625 -+ state->buflen = 0;
13626 -+ in += fill;
13627 -+ inlen -= fill;
13628 -+ }
13629 -+ if (inlen > BLAKE2S_BLOCK_SIZE) {
13630 -+ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
13631 -+ /* Hash one less (full) block than strictly possible */
13632 -+ blake2s_compress_arch(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
13633 -+ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13634 -+ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13635 -+ }
13636 -+ memcpy(state->buf + state->buflen, in, inlen);
13637 -+ state->buflen += inlen;
13638 -+
13639 -+ return 0;
13640 -+}
13641 -+
13642 -+static int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
13643 -+{
13644 -+ struct blake2s_state *state = shash_desc_ctx(desc);
13645 -+
13646 -+ blake2s_set_lastblock(state);
13647 -+ memset(state->buf + state->buflen, 0,
13648 -+ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
13649 -+ blake2s_compress_arch(state, state->buf, 1, state->buflen);
13650 -+ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
13651 -+ memcpy(out, state->h, state->outlen);
13652 -+ memzero_explicit(state, sizeof(*state));
13653 -+
13654 -+ return 0;
13655 -+}
13656 -+
13657 -+static struct shash_alg blake2s_algs[] = {{
13658 -+ .base.cra_name = "blake2s-128",
13659 -+ .base.cra_driver_name = "blake2s-128-x86",
13660 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13661 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13662 -+ .base.cra_priority = 200,
13663 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13664 -+ .base.cra_module = THIS_MODULE,
13665 -+
13666 -+ .digestsize = BLAKE2S_128_HASH_SIZE,
13667 -+ .setkey = crypto_blake2s_setkey,
13668 -+ .init = crypto_blake2s_init,
13669 -+ .update = crypto_blake2s_update,
13670 -+ .final = crypto_blake2s_final,
13671 -+ .descsize = sizeof(struct blake2s_state),
13672 -+}, {
13673 -+ .base.cra_name = "blake2s-160",
13674 -+ .base.cra_driver_name = "blake2s-160-x86",
13675 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13676 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13677 -+ .base.cra_priority = 200,
13678 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13679 -+ .base.cra_module = THIS_MODULE,
13680 -+
13681 -+ .digestsize = BLAKE2S_160_HASH_SIZE,
13682 -+ .setkey = crypto_blake2s_setkey,
13683 -+ .init = crypto_blake2s_init,
13684 -+ .update = crypto_blake2s_update,
13685 -+ .final = crypto_blake2s_final,
13686 -+ .descsize = sizeof(struct blake2s_state),
13687 -+}, {
13688 -+ .base.cra_name = "blake2s-224",
13689 -+ .base.cra_driver_name = "blake2s-224-x86",
13690 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13691 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13692 -+ .base.cra_priority = 200,
13693 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13694 -+ .base.cra_module = THIS_MODULE,
13695 -+
13696 -+ .digestsize = BLAKE2S_224_HASH_SIZE,
13697 -+ .setkey = crypto_blake2s_setkey,
13698 -+ .init = crypto_blake2s_init,
13699 -+ .update = crypto_blake2s_update,
13700 -+ .final = crypto_blake2s_final,
13701 -+ .descsize = sizeof(struct blake2s_state),
13702 -+}, {
13703 -+ .base.cra_name = "blake2s-256",
13704 -+ .base.cra_driver_name = "blake2s-256-x86",
13705 -+ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13706 -+ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13707 -+ .base.cra_priority = 200,
13708 -+ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13709 -+ .base.cra_module = THIS_MODULE,
13710 -+
13711 -+ .digestsize = BLAKE2S_256_HASH_SIZE,
13712 -+ .setkey = crypto_blake2s_setkey,
13713 -+ .init = crypto_blake2s_init,
13714 -+ .update = crypto_blake2s_update,
13715 -+ .final = crypto_blake2s_final,
13716 -+ .descsize = sizeof(struct blake2s_state),
13717 -+}};
13718 -+
13719 -+static int __init blake2s_mod_init(void)
13720 -+{
13721 -+ if (!boot_cpu_has(X86_FEATURE_SSSE3))
13722 -+ return 0;
13723 -+
13724 -+ static_branch_enable(&blake2s_use_ssse3);
13725 -+
13726 -+ if (IS_ENABLED(CONFIG_AS_AVX512) &&
13727 -+ boot_cpu_has(X86_FEATURE_AVX) &&
13728 -+ boot_cpu_has(X86_FEATURE_AVX2) &&
13729 -+ boot_cpu_has(X86_FEATURE_AVX512F) &&
13730 -+ boot_cpu_has(X86_FEATURE_AVX512VL) &&
13731 -+ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM |
13732 -+ XFEATURE_MASK_AVX512, NULL))
13733 -+ static_branch_enable(&blake2s_use_avx512);
13734 -+
13735 -+ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
13736 -+ crypto_register_shashes(blake2s_algs,
13737 -+ ARRAY_SIZE(blake2s_algs)) : 0;
13738 -+}
13739 -+
13740 -+static void __exit blake2s_mod_exit(void)
13741 -+{
13742 -+ if (IS_REACHABLE(CONFIG_CRYPTO_HASH) && boot_cpu_has(X86_FEATURE_SSSE3))
13743 -+ crypto_unregister_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
13744 -+}
13745 -+
13746 -+module_init(blake2s_mod_init);
13747 -+module_exit(blake2s_mod_exit);
13748 -+
13749 -+MODULE_ALIAS_CRYPTO("blake2s-128");
13750 -+MODULE_ALIAS_CRYPTO("blake2s-128-x86");
13751 -+MODULE_ALIAS_CRYPTO("blake2s-160");
13752 -+MODULE_ALIAS_CRYPTO("blake2s-160-x86");
13753 -+MODULE_ALIAS_CRYPTO("blake2s-224");
13754 -+MODULE_ALIAS_CRYPTO("blake2s-224-x86");
13755 -+MODULE_ALIAS_CRYPTO("blake2s-256");
13756 -+MODULE_ALIAS_CRYPTO("blake2s-256-x86");
13757 -+MODULE_LICENSE("GPL v2");
13758 ---- b/include/crypto/curve25519.h
13759 -+++ b/include/crypto/curve25519.h
13760 -@@ -0,0 +1,73 @@
13761 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
13762 -+/*
13763 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13764 -+ */
13765 -+
13766 -+#ifndef CURVE25519_H
13767 -+#define CURVE25519_H
13768 -+
13769 -+#include <crypto/algapi.h> // For crypto_memneq.
13770 -+#include <linux/types.h>
13771 -+#include <linux/random.h>
13772 -+
13773 -+enum curve25519_lengths {
13774 -+ CURVE25519_KEY_SIZE = 32
13775 -+};
13776 -+
13777 -+extern const u8 curve25519_null_point[];
13778 -+extern const u8 curve25519_base_point[];
13779 -+
13780 -+void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
13781 -+ const u8 scalar[CURVE25519_KEY_SIZE],
13782 -+ const u8 point[CURVE25519_KEY_SIZE]);
13783 -+
13784 -+void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
13785 -+ const u8 scalar[CURVE25519_KEY_SIZE],
13786 -+ const u8 point[CURVE25519_KEY_SIZE]);
13787 -+
13788 -+void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
13789 -+ const u8 secret[CURVE25519_KEY_SIZE]);
13790 -+
13791 -+static inline
13792 -+bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE],
13793 -+ const u8 secret[CURVE25519_KEY_SIZE],
13794 -+ const u8 basepoint[CURVE25519_KEY_SIZE])
13795 -+{
13796 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519) &&
13797 -+ (!IS_ENABLED(CONFIG_CRYPTO_CURVE25519_X86) || IS_ENABLED(CONFIG_AS_ADX)))
13798 -+ curve25519_arch(mypublic, secret, basepoint);
13799 -+ else
13800 -+ curve25519_generic(mypublic, secret, basepoint);
13801 -+ return crypto_memneq(mypublic, curve25519_null_point,
13802 -+ CURVE25519_KEY_SIZE);
13803 -+}
13804 -+
13805 -+static inline bool
13806 -+__must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE],
13807 -+ const u8 secret[CURVE25519_KEY_SIZE])
13808 -+{
13809 -+ if (unlikely(!crypto_memneq(secret, curve25519_null_point,
13810 -+ CURVE25519_KEY_SIZE)))
13811 -+ return false;
13812 -+
13813 -+ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519) &&
13814 -+ (!IS_ENABLED(CONFIG_CRYPTO_CURVE25519_X86) || IS_ENABLED(CONFIG_AS_ADX)))
13815 -+ curve25519_base_arch(pub, secret);
13816 -+ else
13817 -+ curve25519_generic(pub, secret, curve25519_base_point);
13818 -+ return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE);
13819 -+}
13820 -+
13821 -+static inline void curve25519_clamp_secret(u8 secret[CURVE25519_KEY_SIZE])
13822 -+{
13823 -+ secret[0] &= 248;
13824 -+ secret[31] = (secret[31] & 127) | 64;
13825 -+}
13826 -+
13827 -+static inline void curve25519_generate_secret(u8 secret[CURVE25519_KEY_SIZE])
13828 -+{
13829 -+ get_random_bytes_wait(secret, CURVE25519_KEY_SIZE);
13830 -+ curve25519_clamp_secret(secret);
13831 -+}
13832 -+
13833 -+#endif /* CURVE25519_H */
13834 ---- b/lib/crypto/curve25519-fiat32.c
13835 -+++ b/lib/crypto/curve25519-fiat32.c
13836 -@@ -0,0 +1,864 @@
13837 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
13838 -+/*
13839 -+ * Copyright (C) 2015-2016 The fiat-crypto Authors.
13840 -+ * Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13841 -+ *
13842 -+ * This is a machine-generated formally verified implementation of Curve25519
13843 -+ * ECDH from: <https://github.com/mit-plv/fiat-crypto>. Though originally
13844 -+ * machine generated, it has been tweaked to be suitable for use in the kernel.
13845 -+ * It is optimized for 32-bit machines and machines that cannot work efficiently
13846 -+ * with 128-bit integer types.
13847 -+ */
13848 -+
13849 -+#include <asm/unaligned.h>
13850 -+#include <crypto/curve25519.h>
13851 -+#include <linux/string.h>
13852 -+
13853 -+/* fe means field element. Here the field is \Z/(2^255-19). An element t,
13854 -+ * entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
13855 -+ * t[3]+2^102 t[4]+...+2^230 t[9].
13856 -+ * fe limbs are bounded by 1.125*2^26,1.125*2^25,1.125*2^26,1.125*2^25,etc.
13857 -+ * Multiplication and carrying produce fe from fe_loose.
13858 -+ */
13859 -+typedef struct fe { u32 v[10]; } fe;
13860 -+
13861 -+/* fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc
13862 -+ * Addition and subtraction produce fe_loose from (fe, fe).
13863 -+ */
13864 -+typedef struct fe_loose { u32 v[10]; } fe_loose;
13865 -+
13866 -+static __always_inline void fe_frombytes_impl(u32 h[10], const u8 *s)
13867 -+{
13868 -+ /* Ignores top bit of s. */
13869 -+ u32 a0 = get_unaligned_le32(s);
13870 -+ u32 a1 = get_unaligned_le32(s+4);
13871 -+ u32 a2 = get_unaligned_le32(s+8);
13872 -+ u32 a3 = get_unaligned_le32(s+12);
13873 -+ u32 a4 = get_unaligned_le32(s+16);
13874 -+ u32 a5 = get_unaligned_le32(s+20);
13875 -+ u32 a6 = get_unaligned_le32(s+24);
13876 -+ u32 a7 = get_unaligned_le32(s+28);
13877 -+ h[0] = a0&((1<<26)-1); /* 26 used, 32-26 left. 26 */
13878 -+ h[1] = (a0>>26) | ((a1&((1<<19)-1))<< 6); /* (32-26) + 19 = 6+19 = 25 */
13879 -+ h[2] = (a1>>19) | ((a2&((1<<13)-1))<<13); /* (32-19) + 13 = 13+13 = 26 */
13880 -+ h[3] = (a2>>13) | ((a3&((1<< 6)-1))<<19); /* (32-13) + 6 = 19+ 6 = 25 */
13881 -+ h[4] = (a3>> 6); /* (32- 6) = 26 */
13882 -+ h[5] = a4&((1<<25)-1); /* 25 */
13883 -+ h[6] = (a4>>25) | ((a5&((1<<19)-1))<< 7); /* (32-25) + 19 = 7+19 = 26 */
13884 -+ h[7] = (a5>>19) | ((a6&((1<<12)-1))<<13); /* (32-19) + 12 = 13+12 = 25 */
13885 -+ h[8] = (a6>>12) | ((a7&((1<< 6)-1))<<20); /* (32-12) + 6 = 20+ 6 = 26 */
13886 -+ h[9] = (a7>> 6)&((1<<25)-1); /* 25 */
13887 -+}
13888 -+
13889 -+static __always_inline void fe_frombytes(fe *h, const u8 *s)
13890 -+{
13891 -+ fe_frombytes_impl(h->v, s);
13892 -+}
13893 -+
13894 -+static __always_inline u8 /*bool*/
13895 -+addcarryx_u25(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13896 -+{
13897 -+ /* This function extracts 25 bits of result and 1 bit of carry
13898 -+ * (26 total), so a 32-bit intermediate is sufficient.
13899 -+ */
13900 -+ u32 x = a + b + c;
13901 -+ *low = x & ((1 << 25) - 1);
13902 -+ return (x >> 25) & 1;
13903 -+}
13904 -+
13905 -+static __always_inline u8 /*bool*/
13906 -+addcarryx_u26(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13907 -+{
13908 -+ /* This function extracts 26 bits of result and 1 bit of carry
13909 -+ * (27 total), so a 32-bit intermediate is sufficient.
13910 -+ */
13911 -+ u32 x = a + b + c;
13912 -+ *low = x & ((1 << 26) - 1);
13913 -+ return (x >> 26) & 1;
13914 -+}
13915 -+
13916 -+static __always_inline u8 /*bool*/
13917 -+subborrow_u25(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13918 -+{
13919 -+ /* This function extracts 25 bits of result and 1 bit of borrow
13920 -+ * (26 total), so a 32-bit intermediate is sufficient.
13921 -+ */
13922 -+ u32 x = a - b - c;
13923 -+ *low = x & ((1 << 25) - 1);
13924 -+ return x >> 31;
13925 -+}
13926 -+
13927 -+static __always_inline u8 /*bool*/
13928 -+subborrow_u26(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13929 -+{
13930 -+ /* This function extracts 26 bits of result and 1 bit of borrow
13931 -+ *(27 total), so a 32-bit intermediate is sufficient.
13932 -+ */
13933 -+ u32 x = a - b - c;
13934 -+ *low = x & ((1 << 26) - 1);
13935 -+ return x >> 31;
13936 -+}
13937 -+
13938 -+static __always_inline u32 cmovznz32(u32 t, u32 z, u32 nz)
13939 -+{
13940 -+ t = -!!t; /* all set if nonzero, 0 if 0 */
13941 -+ return (t&nz) | ((~t)&z);
13942 -+}
13943 -+
13944 -+static __always_inline void fe_freeze(u32 out[10], const u32 in1[10])
13945 -+{
13946 -+ { const u32 x17 = in1[9];
13947 -+ { const u32 x18 = in1[8];
13948 -+ { const u32 x16 = in1[7];
13949 -+ { const u32 x14 = in1[6];
13950 -+ { const u32 x12 = in1[5];
13951 -+ { const u32 x10 = in1[4];
13952 -+ { const u32 x8 = in1[3];
13953 -+ { const u32 x6 = in1[2];
13954 -+ { const u32 x4 = in1[1];
13955 -+ { const u32 x2 = in1[0];
13956 -+ { u32 x20; u8/*bool*/ x21 = subborrow_u26(0x0, x2, 0x3ffffed, &x20);
13957 -+ { u32 x23; u8/*bool*/ x24 = subborrow_u25(x21, x4, 0x1ffffff, &x23);
13958 -+ { u32 x26; u8/*bool*/ x27 = subborrow_u26(x24, x6, 0x3ffffff, &x26);
13959 -+ { u32 x29; u8/*bool*/ x30 = subborrow_u25(x27, x8, 0x1ffffff, &x29);
13960 -+ { u32 x32; u8/*bool*/ x33 = subborrow_u26(x30, x10, 0x3ffffff, &x32);
13961 -+ { u32 x35; u8/*bool*/ x36 = subborrow_u25(x33, x12, 0x1ffffff, &x35);
13962 -+ { u32 x38; u8/*bool*/ x39 = subborrow_u26(x36, x14, 0x3ffffff, &x38);
13963 -+ { u32 x41; u8/*bool*/ x42 = subborrow_u25(x39, x16, 0x1ffffff, &x41);
13964 -+ { u32 x44; u8/*bool*/ x45 = subborrow_u26(x42, x18, 0x3ffffff, &x44);
13965 -+ { u32 x47; u8/*bool*/ x48 = subborrow_u25(x45, x17, 0x1ffffff, &x47);
13966 -+ { u32 x49 = cmovznz32(x48, 0x0, 0xffffffff);
13967 -+ { u32 x50 = (x49 & 0x3ffffed);
13968 -+ { u32 x52; u8/*bool*/ x53 = addcarryx_u26(0x0, x20, x50, &x52);
13969 -+ { u32 x54 = (x49 & 0x1ffffff);
13970 -+ { u32 x56; u8/*bool*/ x57 = addcarryx_u25(x53, x23, x54, &x56);
13971 -+ { u32 x58 = (x49 & 0x3ffffff);
13972 -+ { u32 x60; u8/*bool*/ x61 = addcarryx_u26(x57, x26, x58, &x60);
13973 -+ { u32 x62 = (x49 & 0x1ffffff);
13974 -+ { u32 x64; u8/*bool*/ x65 = addcarryx_u25(x61, x29, x62, &x64);
13975 -+ { u32 x66 = (x49 & 0x3ffffff);
13976 -+ { u32 x68; u8/*bool*/ x69 = addcarryx_u26(x65, x32, x66, &x68);
13977 -+ { u32 x70 = (x49 & 0x1ffffff);
13978 -+ { u32 x72; u8/*bool*/ x73 = addcarryx_u25(x69, x35, x70, &x72);
13979 -+ { u32 x74 = (x49 & 0x3ffffff);
13980 -+ { u32 x76; u8/*bool*/ x77 = addcarryx_u26(x73, x38, x74, &x76);
13981 -+ { u32 x78 = (x49 & 0x1ffffff);
13982 -+ { u32 x80; u8/*bool*/ x81 = addcarryx_u25(x77, x41, x78, &x80);
13983 -+ { u32 x82 = (x49 & 0x3ffffff);
13984 -+ { u32 x84; u8/*bool*/ x85 = addcarryx_u26(x81, x44, x82, &x84);
13985 -+ { u32 x86 = (x49 & 0x1ffffff);
13986 -+ { u32 x88; addcarryx_u25(x85, x47, x86, &x88);
13987 -+ out[0] = x52;
13988 -+ out[1] = x56;
13989 -+ out[2] = x60;
13990 -+ out[3] = x64;
13991 -+ out[4] = x68;
13992 -+ out[5] = x72;
13993 -+ out[6] = x76;
13994 -+ out[7] = x80;
13995 -+ out[8] = x84;
13996 -+ out[9] = x88;
13997 -+ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
13998 -+}
13999 -+
14000 -+static __always_inline void fe_tobytes(u8 s[32], const fe *f)
14001 -+{
14002 -+ u32 h[10];
14003 -+ fe_freeze(h, f->v);
14004 -+ s[0] = h[0] >> 0;
14005 -+ s[1] = h[0] >> 8;
14006 -+ s[2] = h[0] >> 16;
14007 -+ s[3] = (h[0] >> 24) | (h[1] << 2);
14008 -+ s[4] = h[1] >> 6;
14009 -+ s[5] = h[1] >> 14;
14010 -+ s[6] = (h[1] >> 22) | (h[2] << 3);
14011 -+ s[7] = h[2] >> 5;
14012 -+ s[8] = h[2] >> 13;
14013 -+ s[9] = (h[2] >> 21) | (h[3] << 5);
14014 -+ s[10] = h[3] >> 3;
14015 -+ s[11] = h[3] >> 11;
14016 -+ s[12] = (h[3] >> 19) | (h[4] << 6);
14017 -+ s[13] = h[4] >> 2;
14018 -+ s[14] = h[4] >> 10;
14019 -+ s[15] = h[4] >> 18;
14020 -+ s[16] = h[5] >> 0;
14021 -+ s[17] = h[5] >> 8;
14022 -+ s[18] = h[5] >> 16;
14023 -+ s[19] = (h[5] >> 24) | (h[6] << 1);
14024 -+ s[20] = h[6] >> 7;
14025 -+ s[21] = h[6] >> 15;
14026 -+ s[22] = (h[6] >> 23) | (h[7] << 3);
14027 -+ s[23] = h[7] >> 5;
14028 -+ s[24] = h[7] >> 13;
14029 -+ s[25] = (h[7] >> 21) | (h[8] << 4);
14030 -+ s[26] = h[8] >> 4;
14031 -+ s[27] = h[8] >> 12;
14032 -+ s[28] = (h[8] >> 20) | (h[9] << 6);
14033 -+ s[29] = h[9] >> 2;
14034 -+ s[30] = h[9] >> 10;
14035 -+ s[31] = h[9] >> 18;
14036 -+}
14037 -+
14038 -+/* h = f */
14039 -+static __always_inline void fe_copy(fe *h, const fe *f)
14040 -+{
14041 -+ memmove(h, f, sizeof(u32) * 10);
14042 -+}
14043 -+
14044 -+static __always_inline void fe_copy_lt(fe_loose *h, const fe *f)
14045 -+{
14046 -+ memmove(h, f, sizeof(u32) * 10);
14047 -+}
14048 -+
14049 -+/* h = 0 */
14050 -+static __always_inline void fe_0(fe *h)
14051 -+{
14052 -+ memset(h, 0, sizeof(u32) * 10);
14053 -+}
14054 -+
14055 -+/* h = 1 */
14056 -+static __always_inline void fe_1(fe *h)
14057 -+{
14058 -+ memset(h, 0, sizeof(u32) * 10);
14059 -+ h->v[0] = 1;
14060 -+}
14061 -+
14062 -+static noinline void fe_add_impl(u32 out[10], const u32 in1[10], const u32 in2[10])
14063 -+{
14064 -+ { const u32 x20 = in1[9];
14065 -+ { const u32 x21 = in1[8];
14066 -+ { const u32 x19 = in1[7];
14067 -+ { const u32 x17 = in1[6];
14068 -+ { const u32 x15 = in1[5];
14069 -+ { const u32 x13 = in1[4];
14070 -+ { const u32 x11 = in1[3];
14071 -+ { const u32 x9 = in1[2];
14072 -+ { const u32 x7 = in1[1];
14073 -+ { const u32 x5 = in1[0];
14074 -+ { const u32 x38 = in2[9];
14075 -+ { const u32 x39 = in2[8];
14076 -+ { const u32 x37 = in2[7];
14077 -+ { const u32 x35 = in2[6];
14078 -+ { const u32 x33 = in2[5];
14079 -+ { const u32 x31 = in2[4];
14080 -+ { const u32 x29 = in2[3];
14081 -+ { const u32 x27 = in2[2];
14082 -+ { const u32 x25 = in2[1];
14083 -+ { const u32 x23 = in2[0];
14084 -+ out[0] = (x5 + x23);
14085 -+ out[1] = (x7 + x25);
14086 -+ out[2] = (x9 + x27);
14087 -+ out[3] = (x11 + x29);
14088 -+ out[4] = (x13 + x31);
14089 -+ out[5] = (x15 + x33);
14090 -+ out[6] = (x17 + x35);
14091 -+ out[7] = (x19 + x37);
14092 -+ out[8] = (x21 + x39);
14093 -+ out[9] = (x20 + x38);
14094 -+ }}}}}}}}}}}}}}}}}}}}
14095 -+}
14096 -+
14097 -+/* h = f + g
14098 -+ * Can overlap h with f or g.
14099 -+ */
14100 -+static __always_inline void fe_add(fe_loose *h, const fe *f, const fe *g)
14101 -+{
14102 -+ fe_add_impl(h->v, f->v, g->v);
14103 -+}
14104 -+
14105 -+static noinline void fe_sub_impl(u32 out[10], const u32 in1[10], const u32 in2[10])
14106 -+{
14107 -+ { const u32 x20 = in1[9];
14108 -+ { const u32 x21 = in1[8];
14109 -+ { const u32 x19 = in1[7];
14110 -+ { const u32 x17 = in1[6];
14111 -+ { const u32 x15 = in1[5];
14112 -+ { const u32 x13 = in1[4];
14113 -+ { const u32 x11 = in1[3];
14114 -+ { const u32 x9 = in1[2];
14115 -+ { const u32 x7 = in1[1];
14116 -+ { const u32 x5 = in1[0];
14117 -+ { const u32 x38 = in2[9];
14118 -+ { const u32 x39 = in2[8];
14119 -+ { const u32 x37 = in2[7];
14120 -+ { const u32 x35 = in2[6];
14121 -+ { const u32 x33 = in2[5];
14122 -+ { const u32 x31 = in2[4];
14123 -+ { const u32 x29 = in2[3];
14124 -+ { const u32 x27 = in2[2];
14125 -+ { const u32 x25 = in2[1];
14126 -+ { const u32 x23 = in2[0];
14127 -+ out[0] = ((0x7ffffda + x5) - x23);
14128 -+ out[1] = ((0x3fffffe + x7) - x25);
14129 -+ out[2] = ((0x7fffffe + x9) - x27);
14130 -+ out[3] = ((0x3fffffe + x11) - x29);
14131 -+ out[4] = ((0x7fffffe + x13) - x31);
14132 -+ out[5] = ((0x3fffffe + x15) - x33);
14133 -+ out[6] = ((0x7fffffe + x17) - x35);
14134 -+ out[7] = ((0x3fffffe + x19) - x37);
14135 -+ out[8] = ((0x7fffffe + x21) - x39);
14136 -+ out[9] = ((0x3fffffe + x20) - x38);
14137 -+ }}}}}}}}}}}}}}}}}}}}
14138 -+}
14139 -+
14140 -+/* h = f - g
14141 -+ * Can overlap h with f or g.
14142 -+ */
14143 -+static __always_inline void fe_sub(fe_loose *h, const fe *f, const fe *g)
14144 -+{
14145 -+ fe_sub_impl(h->v, f->v, g->v);
14146 -+}
14147 -+
14148 -+static noinline void fe_mul_impl(u32 out[10], const u32 in1[10], const u32 in2[10])
14149 -+{
14150 -+ { const u32 x20 = in1[9];
14151 -+ { const u32 x21 = in1[8];
14152 -+ { const u32 x19 = in1[7];
14153 -+ { const u32 x17 = in1[6];
14154 -+ { const u32 x15 = in1[5];
14155 -+ { const u32 x13 = in1[4];
14156 -+ { const u32 x11 = in1[3];
14157 -+ { const u32 x9 = in1[2];
14158 -+ { const u32 x7 = in1[1];
14159 -+ { const u32 x5 = in1[0];
14160 -+ { const u32 x38 = in2[9];
14161 -+ { const u32 x39 = in2[8];
14162 -+ { const u32 x37 = in2[7];
14163 -+ { const u32 x35 = in2[6];
14164 -+ { const u32 x33 = in2[5];
14165 -+ { const u32 x31 = in2[4];
14166 -+ { const u32 x29 = in2[3];
14167 -+ { const u32 x27 = in2[2];
14168 -+ { const u32 x25 = in2[1];
14169 -+ { const u32 x23 = in2[0];
14170 -+ { u64 x40 = ((u64)x23 * x5);
14171 -+ { u64 x41 = (((u64)x23 * x7) + ((u64)x25 * x5));
14172 -+ { u64 x42 = ((((u64)(0x2 * x25) * x7) + ((u64)x23 * x9)) + ((u64)x27 * x5));
14173 -+ { u64 x43 = (((((u64)x25 * x9) + ((u64)x27 * x7)) + ((u64)x23 * x11)) + ((u64)x29 * x5));
14174 -+ { u64 x44 = (((((u64)x27 * x9) + (0x2 * (((u64)x25 * x11) + ((u64)x29 * x7)))) + ((u64)x23 * x13)) + ((u64)x31 * x5));
14175 -+ { u64 x45 = (((((((u64)x27 * x11) + ((u64)x29 * x9)) + ((u64)x25 * x13)) + ((u64)x31 * x7)) + ((u64)x23 * x15)) + ((u64)x33 * x5));
14176 -+ { u64 x46 = (((((0x2 * ((((u64)x29 * x11) + ((u64)x25 * x15)) + ((u64)x33 * x7))) + ((u64)x27 * x13)) + ((u64)x31 * x9)) + ((u64)x23 * x17)) + ((u64)x35 * x5));
14177 -+ { u64 x47 = (((((((((u64)x29 * x13) + ((u64)x31 * x11)) + ((u64)x27 * x15)) + ((u64)x33 * x9)) + ((u64)x25 * x17)) + ((u64)x35 * x7)) + ((u64)x23 * x19)) + ((u64)x37 * x5));
14178 -+ { u64 x48 = (((((((u64)x31 * x13) + (0x2 * (((((u64)x29 * x15) + ((u64)x33 * x11)) + ((u64)x25 * x19)) + ((u64)x37 * x7)))) + ((u64)x27 * x17)) + ((u64)x35 * x9)) + ((u64)x23 * x21)) + ((u64)x39 * x5));
14179 -+ { u64 x49 = (((((((((((u64)x31 * x15) + ((u64)x33 * x13)) + ((u64)x29 * x17)) + ((u64)x35 * x11)) + ((u64)x27 * x19)) + ((u64)x37 * x9)) + ((u64)x25 * x21)) + ((u64)x39 * x7)) + ((u64)x23 * x20)) + ((u64)x38 * x5));
14180 -+ { u64 x50 = (((((0x2 * ((((((u64)x33 * x15) + ((u64)x29 * x19)) + ((u64)x37 * x11)) + ((u64)x25 * x20)) + ((u64)x38 * x7))) + ((u64)x31 * x17)) + ((u64)x35 * x13)) + ((u64)x27 * x21)) + ((u64)x39 * x9));
14181 -+ { u64 x51 = (((((((((u64)x33 * x17) + ((u64)x35 * x15)) + ((u64)x31 * x19)) + ((u64)x37 * x13)) + ((u64)x29 * x21)) + ((u64)x39 * x11)) + ((u64)x27 * x20)) + ((u64)x38 * x9));
14182 -+ { u64 x52 = (((((u64)x35 * x17) + (0x2 * (((((u64)x33 * x19) + ((u64)x37 * x15)) + ((u64)x29 * x20)) + ((u64)x38 * x11)))) + ((u64)x31 * x21)) + ((u64)x39 * x13));
14183 -+ { u64 x53 = (((((((u64)x35 * x19) + ((u64)x37 * x17)) + ((u64)x33 * x21)) + ((u64)x39 * x15)) + ((u64)x31 * x20)) + ((u64)x38 * x13));
14184 -+ { u64 x54 = (((0x2 * ((((u64)x37 * x19) + ((u64)x33 * x20)) + ((u64)x38 * x15))) + ((u64)x35 * x21)) + ((u64)x39 * x17));
14185 -+ { u64 x55 = (((((u64)x37 * x21) + ((u64)x39 * x19)) + ((u64)x35 * x20)) + ((u64)x38 * x17));
14186 -+ { u64 x56 = (((u64)x39 * x21) + (0x2 * (((u64)x37 * x20) + ((u64)x38 * x19))));
14187 -+ { u64 x57 = (((u64)x39 * x20) + ((u64)x38 * x21));
14188 -+ { u64 x58 = ((u64)(0x2 * x38) * x20);
14189 -+ { u64 x59 = (x48 + (x58 << 0x4));
14190 -+ { u64 x60 = (x59 + (x58 << 0x1));
14191 -+ { u64 x61 = (x60 + x58);
14192 -+ { u64 x62 = (x47 + (x57 << 0x4));
14193 -+ { u64 x63 = (x62 + (x57 << 0x1));
14194 -+ { u64 x64 = (x63 + x57);
14195 -+ { u64 x65 = (x46 + (x56 << 0x4));
14196 -+ { u64 x66 = (x65 + (x56 << 0x1));
14197 -+ { u64 x67 = (x66 + x56);
14198 -+ { u64 x68 = (x45 + (x55 << 0x4));
14199 -+ { u64 x69 = (x68 + (x55 << 0x1));
14200 -+ { u64 x70 = (x69 + x55);
14201 -+ { u64 x71 = (x44 + (x54 << 0x4));
14202 -+ { u64 x72 = (x71 + (x54 << 0x1));
14203 -+ { u64 x73 = (x72 + x54);
14204 -+ { u64 x74 = (x43 + (x53 << 0x4));
14205 -+ { u64 x75 = (x74 + (x53 << 0x1));
14206 -+ { u64 x76 = (x75 + x53);
14207 -+ { u64 x77 = (x42 + (x52 << 0x4));
14208 -+ { u64 x78 = (x77 + (x52 << 0x1));
14209 -+ { u64 x79 = (x78 + x52);
14210 -+ { u64 x80 = (x41 + (x51 << 0x4));
14211 -+ { u64 x81 = (x80 + (x51 << 0x1));
14212 -+ { u64 x82 = (x81 + x51);
14213 -+ { u64 x83 = (x40 + (x50 << 0x4));
14214 -+ { u64 x84 = (x83 + (x50 << 0x1));
14215 -+ { u64 x85 = (x84 + x50);
14216 -+ { u64 x86 = (x85 >> 0x1a);
14217 -+ { u32 x87 = ((u32)x85 & 0x3ffffff);
14218 -+ { u64 x88 = (x86 + x82);
14219 -+ { u64 x89 = (x88 >> 0x19);
14220 -+ { u32 x90 = ((u32)x88 & 0x1ffffff);
14221 -+ { u64 x91 = (x89 + x79);
14222 -+ { u64 x92 = (x91 >> 0x1a);
14223 -+ { u32 x93 = ((u32)x91 & 0x3ffffff);
14224 -+ { u64 x94 = (x92 + x76);
14225 -+ { u64 x95 = (x94 >> 0x19);
14226 -+ { u32 x96 = ((u32)x94 & 0x1ffffff);
14227 -+ { u64 x97 = (x95 + x73);
14228 -+ { u64 x98 = (x97 >> 0x1a);
14229 -+ { u32 x99 = ((u32)x97 & 0x3ffffff);
14230 -+ { u64 x100 = (x98 + x70);
14231 -+ { u64 x101 = (x100 >> 0x19);
14232 -+ { u32 x102 = ((u32)x100 & 0x1ffffff);
14233 -+ { u64 x103 = (x101 + x67);
14234 -+ { u64 x104 = (x103 >> 0x1a);
14235 -+ { u32 x105 = ((u32)x103 & 0x3ffffff);
14236 -+ { u64 x106 = (x104 + x64);
14237 -+ { u64 x107 = (x106 >> 0x19);
14238 -+ { u32 x108 = ((u32)x106 & 0x1ffffff);
14239 -+ { u64 x109 = (x107 + x61);
14240 -+ { u64 x110 = (x109 >> 0x1a);
14241 -+ { u32 x111 = ((u32)x109 & 0x3ffffff);
14242 -+ { u64 x112 = (x110 + x49);
14243 -+ { u64 x113 = (x112 >> 0x19);
14244 -+ { u32 x114 = ((u32)x112 & 0x1ffffff);
14245 -+ { u64 x115 = (x87 + (0x13 * x113));
14246 -+ { u32 x116 = (u32) (x115 >> 0x1a);
14247 -+ { u32 x117 = ((u32)x115 & 0x3ffffff);
14248 -+ { u32 x118 = (x116 + x90);
14249 -+ { u32 x119 = (x118 >> 0x19);
14250 -+ { u32 x120 = (x118 & 0x1ffffff);
14251 -+ out[0] = x117;
14252 -+ out[1] = x120;
14253 -+ out[2] = (x119 + x93);
14254 -+ out[3] = x96;
14255 -+ out[4] = x99;
14256 -+ out[5] = x102;
14257 -+ out[6] = x105;
14258 -+ out[7] = x108;
14259 -+ out[8] = x111;
14260 -+ out[9] = x114;
14261 -+ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14262 -+}
14263 -+
14264 -+static __always_inline void fe_mul_ttt(fe *h, const fe *f, const fe *g)
14265 -+{
14266 -+ fe_mul_impl(h->v, f->v, g->v);
14267 -+}
14268 -+
14269 -+static __always_inline void fe_mul_tlt(fe *h, const fe_loose *f, const fe *g)
14270 -+{
14271 -+ fe_mul_impl(h->v, f->v, g->v);
14272 -+}
14273 -+
14274 -+static __always_inline void
14275 -+fe_mul_tll(fe *h, const fe_loose *f, const fe_loose *g)
14276 -+{
14277 -+ fe_mul_impl(h->v, f->v, g->v);
14278 -+}
14279 -+
14280 -+static noinline void fe_sqr_impl(u32 out[10], const u32 in1[10])
14281 -+{
14282 -+ { const u32 x17 = in1[9];
14283 -+ { const u32 x18 = in1[8];
14284 -+ { const u32 x16 = in1[7];
14285 -+ { const u32 x14 = in1[6];
14286 -+ { const u32 x12 = in1[5];
14287 -+ { const u32 x10 = in1[4];
14288 -+ { const u32 x8 = in1[3];
14289 -+ { const u32 x6 = in1[2];
14290 -+ { const u32 x4 = in1[1];
14291 -+ { const u32 x2 = in1[0];
14292 -+ { u64 x19 = ((u64)x2 * x2);
14293 -+ { u64 x20 = ((u64)(0x2 * x2) * x4);
14294 -+ { u64 x21 = (0x2 * (((u64)x4 * x4) + ((u64)x2 * x6)));
14295 -+ { u64 x22 = (0x2 * (((u64)x4 * x6) + ((u64)x2 * x8)));
14296 -+ { u64 x23 = ((((u64)x6 * x6) + ((u64)(0x4 * x4) * x8)) + ((u64)(0x2 * x2) * x10));
14297 -+ { u64 x24 = (0x2 * ((((u64)x6 * x8) + ((u64)x4 * x10)) + ((u64)x2 * x12)));
14298 -+ { u64 x25 = (0x2 * (((((u64)x8 * x8) + ((u64)x6 * x10)) + ((u64)x2 * x14)) + ((u64)(0x2 * x4) * x12)));
14299 -+ { u64 x26 = (0x2 * (((((u64)x8 * x10) + ((u64)x6 * x12)) + ((u64)x4 * x14)) + ((u64)x2 * x16)));
14300 -+ { u64 x27 = (((u64)x10 * x10) + (0x2 * ((((u64)x6 * x14) + ((u64)x2 * x18)) + (0x2 * (((u64)x4 * x16) + ((u64)x8 * x12))))));
14301 -+ { u64 x28 = (0x2 * ((((((u64)x10 * x12) + ((u64)x8 * x14)) + ((u64)x6 * x16)) + ((u64)x4 * x18)) + ((u64)x2 * x17)));
14302 -+ { u64 x29 = (0x2 * (((((u64)x12 * x12) + ((u64)x10 * x14)) + ((u64)x6 * x18)) + (0x2 * (((u64)x8 * x16) + ((u64)x4 * x17)))));
14303 -+ { u64 x30 = (0x2 * (((((u64)x12 * x14) + ((u64)x10 * x16)) + ((u64)x8 * x18)) + ((u64)x6 * x17)));
14304 -+ { u64 x31 = (((u64)x14 * x14) + (0x2 * (((u64)x10 * x18) + (0x2 * (((u64)x12 * x16) + ((u64)x8 * x17))))));
14305 -+ { u64 x32 = (0x2 * ((((u64)x14 * x16) + ((u64)x12 * x18)) + ((u64)x10 * x17)));
14306 -+ { u64 x33 = (0x2 * ((((u64)x16 * x16) + ((u64)x14 * x18)) + ((u64)(0x2 * x12) * x17)));
14307 -+ { u64 x34 = (0x2 * (((u64)x16 * x18) + ((u64)x14 * x17)));
14308 -+ { u64 x35 = (((u64)x18 * x18) + ((u64)(0x4 * x16) * x17));
14309 -+ { u64 x36 = ((u64)(0x2 * x18) * x17);
14310 -+ { u64 x37 = ((u64)(0x2 * x17) * x17);
14311 -+ { u64 x38 = (x27 + (x37 << 0x4));
14312 -+ { u64 x39 = (x38 + (x37 << 0x1));
14313 -+ { u64 x40 = (x39 + x37);
14314 -+ { u64 x41 = (x26 + (x36 << 0x4));
14315 -+ { u64 x42 = (x41 + (x36 << 0x1));
14316 -+ { u64 x43 = (x42 + x36);
14317 -+ { u64 x44 = (x25 + (x35 << 0x4));
14318 -+ { u64 x45 = (x44 + (x35 << 0x1));
14319 -+ { u64 x46 = (x45 + x35);
14320 -+ { u64 x47 = (x24 + (x34 << 0x4));
14321 -+ { u64 x48 = (x47 + (x34 << 0x1));
14322 -+ { u64 x49 = (x48 + x34);
14323 -+ { u64 x50 = (x23 + (x33 << 0x4));
14324 -+ { u64 x51 = (x50 + (x33 << 0x1));
14325 -+ { u64 x52 = (x51 + x33);
14326 -+ { u64 x53 = (x22 + (x32 << 0x4));
14327 -+ { u64 x54 = (x53 + (x32 << 0x1));
14328 -+ { u64 x55 = (x54 + x32);
14329 -+ { u64 x56 = (x21 + (x31 << 0x4));
14330 -+ { u64 x57 = (x56 + (x31 << 0x1));
14331 -+ { u64 x58 = (x57 + x31);
14332 -+ { u64 x59 = (x20 + (x30 << 0x4));
14333 -+ { u64 x60 = (x59 + (x30 << 0x1));
14334 -+ { u64 x61 = (x60 + x30);
14335 -+ { u64 x62 = (x19 + (x29 << 0x4));
14336 -+ { u64 x63 = (x62 + (x29 << 0x1));
14337 -+ { u64 x64 = (x63 + x29);
14338 -+ { u64 x65 = (x64 >> 0x1a);
14339 -+ { u32 x66 = ((u32)x64 & 0x3ffffff);
14340 -+ { u64 x67 = (x65 + x61);
14341 -+ { u64 x68 = (x67 >> 0x19);
14342 -+ { u32 x69 = ((u32)x67 & 0x1ffffff);
14343 -+ { u64 x70 = (x68 + x58);
14344 -+ { u64 x71 = (x70 >> 0x1a);
14345 -+ { u32 x72 = ((u32)x70 & 0x3ffffff);
14346 -+ { u64 x73 = (x71 + x55);
14347 -+ { u64 x74 = (x73 >> 0x19);
14348 -+ { u32 x75 = ((u32)x73 & 0x1ffffff);
14349 -+ { u64 x76 = (x74 + x52);
14350 -+ { u64 x77 = (x76 >> 0x1a);
14351 -+ { u32 x78 = ((u32)x76 & 0x3ffffff);
14352 -+ { u64 x79 = (x77 + x49);
14353 -+ { u64 x80 = (x79 >> 0x19);
14354 -+ { u32 x81 = ((u32)x79 & 0x1ffffff);
14355 -+ { u64 x82 = (x80 + x46);
14356 -+ { u64 x83 = (x82 >> 0x1a);
14357 -+ { u32 x84 = ((u32)x82 & 0x3ffffff);
14358 -+ { u64 x85 = (x83 + x43);
14359 -+ { u64 x86 = (x85 >> 0x19);
14360 -+ { u32 x87 = ((u32)x85 & 0x1ffffff);
14361 -+ { u64 x88 = (x86 + x40);
14362 -+ { u64 x89 = (x88 >> 0x1a);
14363 -+ { u32 x90 = ((u32)x88 & 0x3ffffff);
14364 -+ { u64 x91 = (x89 + x28);
14365 -+ { u64 x92 = (x91 >> 0x19);
14366 -+ { u32 x93 = ((u32)x91 & 0x1ffffff);
14367 -+ { u64 x94 = (x66 + (0x13 * x92));
14368 -+ { u32 x95 = (u32) (x94 >> 0x1a);
14369 -+ { u32 x96 = ((u32)x94 & 0x3ffffff);
14370 -+ { u32 x97 = (x95 + x69);
14371 -+ { u32 x98 = (x97 >> 0x19);
14372 -+ { u32 x99 = (x97 & 0x1ffffff);
14373 -+ out[0] = x96;
14374 -+ out[1] = x99;
14375 -+ out[2] = (x98 + x72);
14376 -+ out[3] = x75;
14377 -+ out[4] = x78;
14378 -+ out[5] = x81;
14379 -+ out[6] = x84;
14380 -+ out[7] = x87;
14381 -+ out[8] = x90;
14382 -+ out[9] = x93;
14383 -+ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14384 -+}
14385 -+
14386 -+static __always_inline void fe_sq_tl(fe *h, const fe_loose *f)
14387 -+{
14388 -+ fe_sqr_impl(h->v, f->v);
14389 -+}
14390 -+
14391 -+static __always_inline void fe_sq_tt(fe *h, const fe *f)
14392 -+{
14393 -+ fe_sqr_impl(h->v, f->v);
14394 -+}
14395 -+
14396 -+static __always_inline void fe_loose_invert(fe *out, const fe_loose *z)
14397 -+{
14398 -+ fe t0;
14399 -+ fe t1;
14400 -+ fe t2;
14401 -+ fe t3;
14402 -+ int i;
14403 -+
14404 -+ fe_sq_tl(&t0, z);
14405 -+ fe_sq_tt(&t1, &t0);
14406 -+ for (i = 1; i < 2; ++i)
14407 -+ fe_sq_tt(&t1, &t1);
14408 -+ fe_mul_tlt(&t1, z, &t1);
14409 -+ fe_mul_ttt(&t0, &t0, &t1);
14410 -+ fe_sq_tt(&t2, &t0);
14411 -+ fe_mul_ttt(&t1, &t1, &t2);
14412 -+ fe_sq_tt(&t2, &t1);
14413 -+ for (i = 1; i < 5; ++i)
14414 -+ fe_sq_tt(&t2, &t2);
14415 -+ fe_mul_ttt(&t1, &t2, &t1);
14416 -+ fe_sq_tt(&t2, &t1);
14417 -+ for (i = 1; i < 10; ++i)
14418 -+ fe_sq_tt(&t2, &t2);
14419 -+ fe_mul_ttt(&t2, &t2, &t1);
14420 -+ fe_sq_tt(&t3, &t2);
14421 -+ for (i = 1; i < 20; ++i)
14422 -+ fe_sq_tt(&t3, &t3);
14423 -+ fe_mul_ttt(&t2, &t3, &t2);
14424 -+ fe_sq_tt(&t2, &t2);
14425 -+ for (i = 1; i < 10; ++i)
14426 -+ fe_sq_tt(&t2, &t2);
14427 -+ fe_mul_ttt(&t1, &t2, &t1);
14428 -+ fe_sq_tt(&t2, &t1);
14429 -+ for (i = 1; i < 50; ++i)
14430 -+ fe_sq_tt(&t2, &t2);
14431 -+ fe_mul_ttt(&t2, &t2, &t1);
14432 -+ fe_sq_tt(&t3, &t2);
14433 -+ for (i = 1; i < 100; ++i)
14434 -+ fe_sq_tt(&t3, &t3);
14435 -+ fe_mul_ttt(&t2, &t3, &t2);
14436 -+ fe_sq_tt(&t2, &t2);
14437 -+ for (i = 1; i < 50; ++i)
14438 -+ fe_sq_tt(&t2, &t2);
14439 -+ fe_mul_ttt(&t1, &t2, &t1);
14440 -+ fe_sq_tt(&t1, &t1);
14441 -+ for (i = 1; i < 5; ++i)
14442 -+ fe_sq_tt(&t1, &t1);
14443 -+ fe_mul_ttt(out, &t1, &t0);
14444 -+}
14445 -+
14446 -+static __always_inline void fe_invert(fe *out, const fe *z)
14447 -+{
14448 -+ fe_loose l;
14449 -+ fe_copy_lt(&l, z);
14450 -+ fe_loose_invert(out, &l);
14451 -+}
14452 -+
14453 -+/* Replace (f,g) with (g,f) if b == 1;
14454 -+ * replace (f,g) with (f,g) if b == 0.
14455 -+ *
14456 -+ * Preconditions: b in {0,1}
14457 -+ */
14458 -+static noinline void fe_cswap(fe *f, fe *g, unsigned int b)
14459 -+{
14460 -+ unsigned i;
14461 -+ b = 0 - b;
14462 -+ for (i = 0; i < 10; i++) {
14463 -+ u32 x = f->v[i] ^ g->v[i];
14464 -+ x &= b;
14465 -+ f->v[i] ^= x;
14466 -+ g->v[i] ^= x;
14467 -+ }
14468 -+}
14469 -+
14470 -+/* NOTE: based on fiat-crypto fe_mul, edited for in2=121666, 0, 0.*/
14471 -+static __always_inline void fe_mul_121666_impl(u32 out[10], const u32 in1[10])
14472 -+{
14473 -+ { const u32 x20 = in1[9];
14474 -+ { const u32 x21 = in1[8];
14475 -+ { const u32 x19 = in1[7];
14476 -+ { const u32 x17 = in1[6];
14477 -+ { const u32 x15 = in1[5];
14478 -+ { const u32 x13 = in1[4];
14479 -+ { const u32 x11 = in1[3];
14480 -+ { const u32 x9 = in1[2];
14481 -+ { const u32 x7 = in1[1];
14482 -+ { const u32 x5 = in1[0];
14483 -+ { const u32 x38 = 0;
14484 -+ { const u32 x39 = 0;
14485 -+ { const u32 x37 = 0;
14486 -+ { const u32 x35 = 0;
14487 -+ { const u32 x33 = 0;
14488 -+ { const u32 x31 = 0;
14489 -+ { const u32 x29 = 0;
14490 -+ { const u32 x27 = 0;
14491 -+ { const u32 x25 = 0;
14492 -+ { const u32 x23 = 121666;
14493 -+ { u64 x40 = ((u64)x23 * x5);
14494 -+ { u64 x41 = (((u64)x23 * x7) + ((u64)x25 * x5));
14495 -+ { u64 x42 = ((((u64)(0x2 * x25) * x7) + ((u64)x23 * x9)) + ((u64)x27 * x5));
14496 -+ { u64 x43 = (((((u64)x25 * x9) + ((u64)x27 * x7)) + ((u64)x23 * x11)) + ((u64)x29 * x5));
14497 -+ { u64 x44 = (((((u64)x27 * x9) + (0x2 * (((u64)x25 * x11) + ((u64)x29 * x7)))) + ((u64)x23 * x13)) + ((u64)x31 * x5));
14498 -+ { u64 x45 = (((((((u64)x27 * x11) + ((u64)x29 * x9)) + ((u64)x25 * x13)) + ((u64)x31 * x7)) + ((u64)x23 * x15)) + ((u64)x33 * x5));
14499 -+ { u64 x46 = (((((0x2 * ((((u64)x29 * x11) + ((u64)x25 * x15)) + ((u64)x33 * x7))) + ((u64)x27 * x13)) + ((u64)x31 * x9)) + ((u64)x23 * x17)) + ((u64)x35 * x5));
14500 -+ { u64 x47 = (((((((((u64)x29 * x13) + ((u64)x31 * x11)) + ((u64)x27 * x15)) + ((u64)x33 * x9)) + ((u64)x25 * x17)) + ((u64)x35 * x7)) + ((u64)x23 * x19)) + ((u64)x37 * x5));
14501 -+ { u64 x48 = (((((((u64)x31 * x13) + (0x2 * (((((u64)x29 * x15) + ((u64)x33 * x11)) + ((u64)x25 * x19)) + ((u64)x37 * x7)))) + ((u64)x27 * x17)) + ((u64)x35 * x9)) + ((u64)x23 * x21)) + ((u64)x39 * x5));
14502 -+ { u64 x49 = (((((((((((u64)x31 * x15) + ((u64)x33 * x13)) + ((u64)x29 * x17)) + ((u64)x35 * x11)) + ((u64)x27 * x19)) + ((u64)x37 * x9)) + ((u64)x25 * x21)) + ((u64)x39 * x7)) + ((u64)x23 * x20)) + ((u64)x38 * x5));
14503 -+ { u64 x50 = (((((0x2 * ((((((u64)x33 * x15) + ((u64)x29 * x19)) + ((u64)x37 * x11)) + ((u64)x25 * x20)) + ((u64)x38 * x7))) + ((u64)x31 * x17)) + ((u64)x35 * x13)) + ((u64)x27 * x21)) + ((u64)x39 * x9));
14504 -+ { u64 x51 = (((((((((u64)x33 * x17) + ((u64)x35 * x15)) + ((u64)x31 * x19)) + ((u64)x37 * x13)) + ((u64)x29 * x21)) + ((u64)x39 * x11)) + ((u64)x27 * x20)) + ((u64)x38 * x9));
14505 -+ { u64 x52 = (((((u64)x35 * x17) + (0x2 * (((((u64)x33 * x19) + ((u64)x37 * x15)) + ((u64)x29 * x20)) + ((u64)x38 * x11)))) + ((u64)x31 * x21)) + ((u64)x39 * x13));
14506 -+ { u64 x53 = (((((((u64)x35 * x19) + ((u64)x37 * x17)) + ((u64)x33 * x21)) + ((u64)x39 * x15)) + ((u64)x31 * x20)) + ((u64)x38 * x13));
14507 -+ { u64 x54 = (((0x2 * ((((u64)x37 * x19) + ((u64)x33 * x20)) + ((u64)x38 * x15))) + ((u64)x35 * x21)) + ((u64)x39 * x17));
14508 -+ { u64 x55 = (((((u64)x37 * x21) + ((u64)x39 * x19)) + ((u64)x35 * x20)) + ((u64)x38 * x17));
14509 -+ { u64 x56 = (((u64)x39 * x21) + (0x2 * (((u64)x37 * x20) + ((u64)x38 * x19))));
14510 -+ { u64 x57 = (((u64)x39 * x20) + ((u64)x38 * x21));
14511 -+ { u64 x58 = ((u64)(0x2 * x38) * x20);
14512 -+ { u64 x59 = (x48 + (x58 << 0x4));
14513 -+ { u64 x60 = (x59 + (x58 << 0x1));
14514 -+ { u64 x61 = (x60 + x58);
14515 -+ { u64 x62 = (x47 + (x57 << 0x4));
14516 -+ { u64 x63 = (x62 + (x57 << 0x1));
14517 -+ { u64 x64 = (x63 + x57);
14518 -+ { u64 x65 = (x46 + (x56 << 0x4));
14519 -+ { u64 x66 = (x65 + (x56 << 0x1));
14520 -+ { u64 x67 = (x66 + x56);
14521 -+ { u64 x68 = (x45 + (x55 << 0x4));
14522 -+ { u64 x69 = (x68 + (x55 << 0x1));
14523 -+ { u64 x70 = (x69 + x55);
14524 -+ { u64 x71 = (x44 + (x54 << 0x4));
14525 -+ { u64 x72 = (x71 + (x54 << 0x1));
14526 -+ { u64 x73 = (x72 + x54);
14527 -+ { u64 x74 = (x43 + (x53 << 0x4));
14528 -+ { u64 x75 = (x74 + (x53 << 0x1));
14529 -+ { u64 x76 = (x75 + x53);
14530 -+ { u64 x77 = (x42 + (x52 << 0x4));
14531 -+ { u64 x78 = (x77 + (x52 << 0x1));
14532 -+ { u64 x79 = (x78 + x52);
14533 -+ { u64 x80 = (x41 + (x51 << 0x4));
14534 -+ { u64 x81 = (x80 + (x51 << 0x1));
14535 -+ { u64 x82 = (x81 + x51);
14536 -+ { u64 x83 = (x40 + (x50 << 0x4));
14537 -+ { u64 x84 = (x83 + (x50 << 0x1));
14538 -+ { u64 x85 = (x84 + x50);
14539 -+ { u64 x86 = (x85 >> 0x1a);
14540 -+ { u32 x87 = ((u32)x85 & 0x3ffffff);
14541 -+ { u64 x88 = (x86 + x82);
14542 -+ { u64 x89 = (x88 >> 0x19);
14543 -+ { u32 x90 = ((u32)x88 & 0x1ffffff);
14544 -+ { u64 x91 = (x89 + x79);
14545 -+ { u64 x92 = (x91 >> 0x1a);
14546 -+ { u32 x93 = ((u32)x91 & 0x3ffffff);
14547 -+ { u64 x94 = (x92 + x76);
14548 -+ { u64 x95 = (x94 >> 0x19);
14549 -+ { u32 x96 = ((u32)x94 & 0x1ffffff);
14550 -+ { u64 x97 = (x95 + x73);
14551 -+ { u64 x98 = (x97 >> 0x1a);
14552 -+ { u32 x99 = ((u32)x97 & 0x3ffffff);
14553 -+ { u64 x100 = (x98 + x70);
14554 -+ { u64 x101 = (x100 >> 0x19);
14555 -+ { u32 x102 = ((u32)x100 & 0x1ffffff);
14556 -+ { u64 x103 = (x101 + x67);
14557 -+ { u64 x104 = (x103 >> 0x1a);
14558 -+ { u32 x105 = ((u32)x103 & 0x3ffffff);
14559 -+ { u64 x106 = (x104 + x64);
14560 -+ { u64 x107 = (x106 >> 0x19);
14561 -+ { u32 x108 = ((u32)x106 & 0x1ffffff);
14562 -+ { u64 x109 = (x107 + x61);
14563 -+ { u64 x110 = (x109 >> 0x1a);
14564 -+ { u32 x111 = ((u32)x109 & 0x3ffffff);
14565 -+ { u64 x112 = (x110 + x49);
14566 -+ { u64 x113 = (x112 >> 0x19);
14567 -+ { u32 x114 = ((u32)x112 & 0x1ffffff);
14568 -+ { u64 x115 = (x87 + (0x13 * x113));
14569 -+ { u32 x116 = (u32) (x115 >> 0x1a);
14570 -+ { u32 x117 = ((u32)x115 & 0x3ffffff);
14571 -+ { u32 x118 = (x116 + x90);
14572 -+ { u32 x119 = (x118 >> 0x19);
14573 -+ { u32 x120 = (x118 & 0x1ffffff);
14574 -+ out[0] = x117;
14575 -+ out[1] = x120;
14576 -+ out[2] = (x119 + x93);
14577 -+ out[3] = x96;
14578 -+ out[4] = x99;
14579 -+ out[5] = x102;
14580 -+ out[6] = x105;
14581 -+ out[7] = x108;
14582 -+ out[8] = x111;
14583 -+ out[9] = x114;
14584 -+ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14585 -+}
14586 -+
14587 -+static __always_inline void fe_mul121666(fe *h, const fe_loose *f)
14588 -+{
14589 -+ fe_mul_121666_impl(h->v, f->v);
14590 -+}
14591 -+
14592 -+void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
14593 -+ const u8 scalar[CURVE25519_KEY_SIZE],
14594 -+ const u8 point[CURVE25519_KEY_SIZE])
14595 -+{
14596 -+ fe x1, x2, z2, x3, z3;
14597 -+ fe_loose x2l, z2l, x3l;
14598 -+ unsigned swap = 0;
14599 -+ int pos;
14600 -+ u8 e[32];
14601 -+
14602 -+ memcpy(e, scalar, 32);
14603 -+ curve25519_clamp_secret(e);
14604 -+
14605 -+ /* The following implementation was transcribed to Coq and proven to
14606 -+ * correspond to unary scalar multiplication in affine coordinates given
14607 -+ * that x1 != 0 is the x coordinate of some point on the curve. It was
14608 -+ * also checked in Coq that doing a ladderstep with x1 = x3 = 0 gives
14609 -+ * z2' = z3' = 0, and z2 = z3 = 0 gives z2' = z3' = 0. The statement was
14610 -+ * quantified over the underlying field, so it applies to Curve25519
14611 -+ * itself and the quadratic twist of Curve25519. It was not proven in
14612 -+ * Coq that prime-field arithmetic correctly simulates extension-field
14613 -+ * arithmetic on prime-field values. The decoding of the byte array
14614 -+ * representation of e was not considered.
14615 -+ *
14616 -+ * Specification of Montgomery curves in affine coordinates:
14617 -+ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Spec/MontgomeryCurve.v#L27>
14618 -+ *
14619 -+ * Proof that these form a group that is isomorphic to a Weierstrass
14620 -+ * curve:
14621 -+ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/AffineProofs.v#L35>
14622 -+ *
14623 -+ * Coq transcription and correctness proof of the loop
14624 -+ * (where scalarbits=255):
14625 -+ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZ.v#L118>
14626 -+ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L278>
14627 -+ * preconditions: 0 <= e < 2^255 (not necessarily e < order),
14628 -+ * fe_invert(0) = 0
14629 -+ */
14630 -+ fe_frombytes(&x1, point);
14631 -+ fe_1(&x2);
14632 -+ fe_0(&z2);
14633 -+ fe_copy(&x3, &x1);
14634 -+ fe_1(&z3);
14635 -+
14636 -+ for (pos = 254; pos >= 0; --pos) {
14637 -+ fe tmp0, tmp1;
14638 -+ fe_loose tmp0l, tmp1l;
14639 -+ /* loop invariant as of right before the test, for the case
14640 -+ * where x1 != 0:
14641 -+ * pos >= -1; if z2 = 0 then x2 is nonzero; if z3 = 0 then x3
14642 -+ * is nonzero
14643 -+ * let r := e >> (pos+1) in the following equalities of
14644 -+ * projective points:
14645 -+ * to_xz (r*P) === if swap then (x3, z3) else (x2, z2)
14646 -+ * to_xz ((r+1)*P) === if swap then (x2, z2) else (x3, z3)
14647 -+ * x1 is the nonzero x coordinate of the nonzero
14648 -+ * point (r*P-(r+1)*P)
14649 -+ */
14650 -+ unsigned b = 1 & (e[pos / 8] >> (pos & 7));
14651 -+ swap ^= b;
14652 -+ fe_cswap(&x2, &x3, swap);
14653 -+ fe_cswap(&z2, &z3, swap);
14654 -+ swap = b;
14655 -+ /* Coq transcription of ladderstep formula (called from
14656 -+ * transcribed loop):
14657 -+ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZ.v#L89>
14658 -+ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L131>
14659 -+ * x1 != 0 <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L217>
14660 -+ * x1 = 0 <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L147>
14661 -+ */
14662 -+ fe_sub(&tmp0l, &x3, &z3);
14663 -+ fe_sub(&tmp1l, &x2, &z2);
14664 -+ fe_add(&x2l, &x2, &z2);
14665 -+ fe_add(&z2l, &x3, &z3);
14666 -+ fe_mul_tll(&z3, &tmp0l, &x2l);
14667 -+ fe_mul_tll(&z2, &z2l, &tmp1l);
14668 -+ fe_sq_tl(&tmp0, &tmp1l);
14669 -+ fe_sq_tl(&tmp1, &x2l);
14670 -+ fe_add(&x3l, &z3, &z2);
14671 -+ fe_sub(&z2l, &z3, &z2);
14672 -+ fe_mul_ttt(&x2, &tmp1, &tmp0);
14673 -+ fe_sub(&tmp1l, &tmp1, &tmp0);
14674 -+ fe_sq_tl(&z2, &z2l);
14675 -+ fe_mul121666(&z3, &tmp1l);
14676 -+ fe_sq_tl(&x3, &x3l);
14677 -+ fe_add(&tmp0l, &tmp0, &z3);
14678 -+ fe_mul_ttt(&z3, &x1, &z2);
14679 -+ fe_mul_tll(&z2, &tmp1l, &tmp0l);
14680 -+ }
14681 -+ /* here pos=-1, so r=e, so to_xz (e*P) === if swap then (x3, z3)
14682 -+ * else (x2, z2)
14683 -+ */
14684 -+ fe_cswap(&x2, &x3, swap);
14685 -+ fe_cswap(&z2, &z3, swap);
14686 -+
14687 -+ fe_invert(&z2, &z2);
14688 -+ fe_mul_ttt(&x2, &x2, &z2);
14689 -+ fe_tobytes(out, &x2);
14690 -+
14691 -+ memzero_explicit(&x1, sizeof(x1));
14692 -+ memzero_explicit(&x2, sizeof(x2));
14693 -+ memzero_explicit(&z2, sizeof(z2));
14694 -+ memzero_explicit(&x3, sizeof(x3));
14695 -+ memzero_explicit(&z3, sizeof(z3));
14696 -+ memzero_explicit(&x2l, sizeof(x2l));
14697 -+ memzero_explicit(&z2l, sizeof(z2l));
14698 -+ memzero_explicit(&x3l, sizeof(x3l));
14699 -+ memzero_explicit(&e, sizeof(e));
14700 -+}
14701 ---- /dev/null
14702 -+++ b/lib/crypto/curve25519-hacl64.c
14703 -@@ -0,0 +1,788 @@
14704 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
14705 -+/*
14706 -+ * Copyright (C) 2016-2017 INRIA and Microsoft Corporation.
14707 -+ * Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
14708 -+ *
14709 -+ * This is a machine-generated formally verified implementation of Curve25519
14710 -+ * ECDH from: <https://github.com/mitls/hacl-star>. Though originally machine
14711 -+ * generated, it has been tweaked to be suitable for use in the kernel. It is
14712 -+ * optimized for 64-bit machines that can efficiently work with 128-bit
14713 -+ * integer types.
14714 -+ */
14715 -+
14716 -+#include <asm/unaligned.h>
14717 -+#include <crypto/curve25519.h>
14718 -+#include <linux/string.h>
14719 -+
14720 -+typedef __uint128_t u128;
14721 -+
14722 -+static __always_inline u64 u64_eq_mask(u64 a, u64 b)
14723 -+{
14724 -+ u64 x = a ^ b;
14725 -+ u64 minus_x = ~x + (u64)1U;
14726 -+ u64 x_or_minus_x = x | minus_x;
14727 -+ u64 xnx = x_or_minus_x >> (u32)63U;
14728 -+ u64 c = xnx - (u64)1U;
14729 -+ return c;
14730 -+}
14731 -+
14732 -+static __always_inline u64 u64_gte_mask(u64 a, u64 b)
14733 -+{
14734 -+ u64 x = a;
14735 -+ u64 y = b;
14736 -+ u64 x_xor_y = x ^ y;
14737 -+ u64 x_sub_y = x - y;
14738 -+ u64 x_sub_y_xor_y = x_sub_y ^ y;
14739 -+ u64 q = x_xor_y | x_sub_y_xor_y;
14740 -+ u64 x_xor_q = x ^ q;
14741 -+ u64 x_xor_q_ = x_xor_q >> (u32)63U;
14742 -+ u64 c = x_xor_q_ - (u64)1U;
14743 -+ return c;
14744 -+}
14745 -+
14746 -+static __always_inline void modulo_carry_top(u64 *b)
14747 -+{
14748 -+ u64 b4 = b[4];
14749 -+ u64 b0 = b[0];
14750 -+ u64 b4_ = b4 & 0x7ffffffffffffLLU;
14751 -+ u64 b0_ = b0 + 19 * (b4 >> 51);
14752 -+ b[4] = b4_;
14753 -+ b[0] = b0_;
14754 -+}
14755 -+
14756 -+static __always_inline void fproduct_copy_from_wide_(u64 *output, u128 *input)
14757 -+{
14758 -+ {
14759 -+ u128 xi = input[0];
14760 -+ output[0] = ((u64)(xi));
14761 -+ }
14762 -+ {
14763 -+ u128 xi = input[1];
14764 -+ output[1] = ((u64)(xi));
14765 -+ }
14766 -+ {
14767 -+ u128 xi = input[2];
14768 -+ output[2] = ((u64)(xi));
14769 -+ }
14770 -+ {
14771 -+ u128 xi = input[3];
14772 -+ output[3] = ((u64)(xi));
14773 -+ }
14774 -+ {
14775 -+ u128 xi = input[4];
14776 -+ output[4] = ((u64)(xi));
14777 -+ }
14778 -+}
14779 -+
14780 -+static __always_inline void
14781 -+fproduct_sum_scalar_multiplication_(u128 *output, u64 *input, u64 s)
14782 -+{
14783 -+ output[0] += (u128)input[0] * s;
14784 -+ output[1] += (u128)input[1] * s;
14785 -+ output[2] += (u128)input[2] * s;
14786 -+ output[3] += (u128)input[3] * s;
14787 -+ output[4] += (u128)input[4] * s;
14788 -+}
14789 -+
14790 -+static __always_inline void fproduct_carry_wide_(u128 *tmp)
14791 -+{
14792 -+ {
14793 -+ u32 ctr = 0;
14794 -+ u128 tctr = tmp[ctr];
14795 -+ u128 tctrp1 = tmp[ctr + 1];
14796 -+ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14797 -+ u128 c = ((tctr) >> (51));
14798 -+ tmp[ctr] = ((u128)(r0));
14799 -+ tmp[ctr + 1] = ((tctrp1) + (c));
14800 -+ }
14801 -+ {
14802 -+ u32 ctr = 1;
14803 -+ u128 tctr = tmp[ctr];
14804 -+ u128 tctrp1 = tmp[ctr + 1];
14805 -+ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14806 -+ u128 c = ((tctr) >> (51));
14807 -+ tmp[ctr] = ((u128)(r0));
14808 -+ tmp[ctr + 1] = ((tctrp1) + (c));
14809 -+ }
14810 -+
14811 -+ {
14812 -+ u32 ctr = 2;
14813 -+ u128 tctr = tmp[ctr];
14814 -+ u128 tctrp1 = tmp[ctr + 1];
14815 -+ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14816 -+ u128 c = ((tctr) >> (51));
14817 -+ tmp[ctr] = ((u128)(r0));
14818 -+ tmp[ctr + 1] = ((tctrp1) + (c));
14819 -+ }
14820 -+ {
14821 -+ u32 ctr = 3;
14822 -+ u128 tctr = tmp[ctr];
14823 -+ u128 tctrp1 = tmp[ctr + 1];
14824 -+ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14825 -+ u128 c = ((tctr) >> (51));
14826 -+ tmp[ctr] = ((u128)(r0));
14827 -+ tmp[ctr + 1] = ((tctrp1) + (c));
14828 -+ }
14829 -+}
14830 -+
14831 -+static __always_inline void fmul_shift_reduce(u64 *output)
14832 -+{
14833 -+ u64 tmp = output[4];
14834 -+ u64 b0;
14835 -+ {
14836 -+ u32 ctr = 5 - 0 - 1;
14837 -+ u64 z = output[ctr - 1];
14838 -+ output[ctr] = z;
14839 -+ }
14840 -+ {
14841 -+ u32 ctr = 5 - 1 - 1;
14842 -+ u64 z = output[ctr - 1];
14843 -+ output[ctr] = z;
14844 -+ }
14845 -+ {
14846 -+ u32 ctr = 5 - 2 - 1;
14847 -+ u64 z = output[ctr - 1];
14848 -+ output[ctr] = z;
14849 -+ }
14850 -+ {
14851 -+ u32 ctr = 5 - 3 - 1;
14852 -+ u64 z = output[ctr - 1];
14853 -+ output[ctr] = z;
14854 -+ }
14855 -+ output[0] = tmp;
14856 -+ b0 = output[0];
14857 -+ output[0] = 19 * b0;
14858 -+}
14859 -+
14860 -+static __always_inline void fmul_mul_shift_reduce_(u128 *output, u64 *input,
14861 -+ u64 *input21)
14862 -+{
14863 -+ u32 i;
14864 -+ u64 input2i;
14865 -+ {
14866 -+ u64 input2i = input21[0];
14867 -+ fproduct_sum_scalar_multiplication_(output, input, input2i);
14868 -+ fmul_shift_reduce(input);
14869 -+ }
14870 -+ {
14871 -+ u64 input2i = input21[1];
14872 -+ fproduct_sum_scalar_multiplication_(output, input, input2i);
14873 -+ fmul_shift_reduce(input);
14874 -+ }
14875 -+ {
14876 -+ u64 input2i = input21[2];
14877 -+ fproduct_sum_scalar_multiplication_(output, input, input2i);
14878 -+ fmul_shift_reduce(input);
14879 -+ }
14880 -+ {
14881 -+ u64 input2i = input21[3];
14882 -+ fproduct_sum_scalar_multiplication_(output, input, input2i);
14883 -+ fmul_shift_reduce(input);
14884 -+ }
14885 -+ i = 4;
14886 -+ input2i = input21[i];
14887 -+ fproduct_sum_scalar_multiplication_(output, input, input2i);
14888 -+}
14889 -+
14890 -+static __always_inline void fmul_fmul(u64 *output, u64 *input, u64 *input21)
14891 -+{
14892 -+ u64 tmp[5] = { input[0], input[1], input[2], input[3], input[4] };
14893 -+ {
14894 -+ u128 b4;
14895 -+ u128 b0;
14896 -+ u128 b4_;
14897 -+ u128 b0_;
14898 -+ u64 i0;
14899 -+ u64 i1;
14900 -+ u64 i0_;
14901 -+ u64 i1_;
14902 -+ u128 t[5] = { 0 };
14903 -+ fmul_mul_shift_reduce_(t, tmp, input21);
14904 -+ fproduct_carry_wide_(t);
14905 -+ b4 = t[4];
14906 -+ b0 = t[0];
14907 -+ b4_ = ((b4) & (((u128)(0x7ffffffffffffLLU))));
14908 -+ b0_ = ((b0) + (((u128)(19) * (((u64)(((b4) >> (51))))))));
14909 -+ t[4] = b4_;
14910 -+ t[0] = b0_;
14911 -+ fproduct_copy_from_wide_(output, t);
14912 -+ i0 = output[0];
14913 -+ i1 = output[1];
14914 -+ i0_ = i0 & 0x7ffffffffffffLLU;
14915 -+ i1_ = i1 + (i0 >> 51);
14916 -+ output[0] = i0_;
14917 -+ output[1] = i1_;
14918 -+ }
14919 -+}
14920 -+
14921 -+static __always_inline void fsquare_fsquare__(u128 *tmp, u64 *output)
14922 -+{
14923 -+ u64 r0 = output[0];
14924 -+ u64 r1 = output[1];
14925 -+ u64 r2 = output[2];
14926 -+ u64 r3 = output[3];
14927 -+ u64 r4 = output[4];
14928 -+ u64 d0 = r0 * 2;
14929 -+ u64 d1 = r1 * 2;
14930 -+ u64 d2 = r2 * 2 * 19;
14931 -+ u64 d419 = r4 * 19;
14932 -+ u64 d4 = d419 * 2;
14933 -+ u128 s0 = ((((((u128)(r0) * (r0))) + (((u128)(d4) * (r1))))) +
14934 -+ (((u128)(d2) * (r3))));
14935 -+ u128 s1 = ((((((u128)(d0) * (r1))) + (((u128)(d4) * (r2))))) +
14936 -+ (((u128)(r3 * 19) * (r3))));
14937 -+ u128 s2 = ((((((u128)(d0) * (r2))) + (((u128)(r1) * (r1))))) +
14938 -+ (((u128)(d4) * (r3))));
14939 -+ u128 s3 = ((((((u128)(d0) * (r3))) + (((u128)(d1) * (r2))))) +
14940 -+ (((u128)(r4) * (d419))));
14941 -+ u128 s4 = ((((((u128)(d0) * (r4))) + (((u128)(d1) * (r3))))) +
14942 -+ (((u128)(r2) * (r2))));
14943 -+ tmp[0] = s0;
14944 -+ tmp[1] = s1;
14945 -+ tmp[2] = s2;
14946 -+ tmp[3] = s3;
14947 -+ tmp[4] = s4;
14948 -+}
14949 -+
14950 -+static __always_inline void fsquare_fsquare_(u128 *tmp, u64 *output)
14951 -+{
14952 -+ u128 b4;
14953 -+ u128 b0;
14954 -+ u128 b4_;
14955 -+ u128 b0_;
14956 -+ u64 i0;
14957 -+ u64 i1;
14958 -+ u64 i0_;
14959 -+ u64 i1_;
14960 -+ fsquare_fsquare__(tmp, output);
14961 -+ fproduct_carry_wide_(tmp);
14962 -+ b4 = tmp[4];
14963 -+ b0 = tmp[0];
14964 -+ b4_ = ((b4) & (((u128)(0x7ffffffffffffLLU))));
14965 -+ b0_ = ((b0) + (((u128)(19) * (((u64)(((b4) >> (51))))))));
14966 -+ tmp[4] = b4_;
14967 -+ tmp[0] = b0_;
14968 -+ fproduct_copy_from_wide_(output, tmp);
14969 -+ i0 = output[0];
14970 -+ i1 = output[1];
14971 -+ i0_ = i0 & 0x7ffffffffffffLLU;
14972 -+ i1_ = i1 + (i0 >> 51);
14973 -+ output[0] = i0_;
14974 -+ output[1] = i1_;
14975 -+}
14976 -+
14977 -+static __always_inline void fsquare_fsquare_times_(u64 *output, u128 *tmp,
14978 -+ u32 count1)
14979 -+{
14980 -+ u32 i;
14981 -+ fsquare_fsquare_(tmp, output);
14982 -+ for (i = 1; i < count1; ++i)
14983 -+ fsquare_fsquare_(tmp, output);
14984 -+}
14985 -+
14986 -+static __always_inline void fsquare_fsquare_times(u64 *output, u64 *input,
14987 -+ u32 count1)
14988 -+{
14989 -+ u128 t[5];
14990 -+ memcpy(output, input, 5 * sizeof(*input));
14991 -+ fsquare_fsquare_times_(output, t, count1);
14992 -+}
14993 -+
14994 -+static __always_inline void fsquare_fsquare_times_inplace(u64 *output,
14995 -+ u32 count1)
14996 -+{
14997 -+ u128 t[5];
14998 -+ fsquare_fsquare_times_(output, t, count1);
14999 -+}
15000 -+
15001 -+static __always_inline void crecip_crecip(u64 *out, u64 *z)
15002 -+{
15003 -+ u64 buf[20] = { 0 };
15004 -+ u64 *a0 = buf;
15005 -+ u64 *t00 = buf + 5;
15006 -+ u64 *b0 = buf + 10;
15007 -+ u64 *t01;
15008 -+ u64 *b1;
15009 -+ u64 *c0;
15010 -+ u64 *a;
15011 -+ u64 *t0;
15012 -+ u64 *b;
15013 -+ u64 *c;
15014 -+ fsquare_fsquare_times(a0, z, 1);
15015 -+ fsquare_fsquare_times(t00, a0, 2);
15016 -+ fmul_fmul(b0, t00, z);
15017 -+ fmul_fmul(a0, b0, a0);
15018 -+ fsquare_fsquare_times(t00, a0, 1);
15019 -+ fmul_fmul(b0, t00, b0);
15020 -+ fsquare_fsquare_times(t00, b0, 5);
15021 -+ t01 = buf + 5;
15022 -+ b1 = buf + 10;
15023 -+ c0 = buf + 15;
15024 -+ fmul_fmul(b1, t01, b1);
15025 -+ fsquare_fsquare_times(t01, b1, 10);
15026 -+ fmul_fmul(c0, t01, b1);
15027 -+ fsquare_fsquare_times(t01, c0, 20);
15028 -+ fmul_fmul(t01, t01, c0);
15029 -+ fsquare_fsquare_times_inplace(t01, 10);
15030 -+ fmul_fmul(b1, t01, b1);
15031 -+ fsquare_fsquare_times(t01, b1, 50);
15032 -+ a = buf;
15033 -+ t0 = buf + 5;
15034 -+ b = buf + 10;
15035 -+ c = buf + 15;
15036 -+ fmul_fmul(c, t0, b);
15037 -+ fsquare_fsquare_times(t0, c, 100);
15038 -+ fmul_fmul(t0, t0, c);
15039 -+ fsquare_fsquare_times_inplace(t0, 50);
15040 -+ fmul_fmul(t0, t0, b);
15041 -+ fsquare_fsquare_times_inplace(t0, 5);
15042 -+ fmul_fmul(out, t0, a);
15043 -+}
15044 -+
15045 -+static __always_inline void fsum(u64 *a, u64 *b)
15046 -+{
15047 -+ a[0] += b[0];
15048 -+ a[1] += b[1];
15049 -+ a[2] += b[2];
15050 -+ a[3] += b[3];
15051 -+ a[4] += b[4];
15052 -+}
15053 -+
15054 -+static __always_inline void fdifference(u64 *a, u64 *b)
15055 -+{
15056 -+ u64 tmp[5] = { 0 };
15057 -+ u64 b0;
15058 -+ u64 b1;
15059 -+ u64 b2;
15060 -+ u64 b3;
15061 -+ u64 b4;
15062 -+ memcpy(tmp, b, 5 * sizeof(*b));
15063 -+ b0 = tmp[0];
15064 -+ b1 = tmp[1];
15065 -+ b2 = tmp[2];
15066 -+ b3 = tmp[3];
15067 -+ b4 = tmp[4];
15068 -+ tmp[0] = b0 + 0x3fffffffffff68LLU;
15069 -+ tmp[1] = b1 + 0x3ffffffffffff8LLU;
15070 -+ tmp[2] = b2 + 0x3ffffffffffff8LLU;
15071 -+ tmp[3] = b3 + 0x3ffffffffffff8LLU;
15072 -+ tmp[4] = b4 + 0x3ffffffffffff8LLU;
15073 -+ {
15074 -+ u64 xi = a[0];
15075 -+ u64 yi = tmp[0];
15076 -+ a[0] = yi - xi;
15077 -+ }
15078 -+ {
15079 -+ u64 xi = a[1];
15080 -+ u64 yi = tmp[1];
15081 -+ a[1] = yi - xi;
15082 -+ }
15083 -+ {
15084 -+ u64 xi = a[2];
15085 -+ u64 yi = tmp[2];
15086 -+ a[2] = yi - xi;
15087 -+ }
15088 -+ {
15089 -+ u64 xi = a[3];
15090 -+ u64 yi = tmp[3];
15091 -+ a[3] = yi - xi;
15092 -+ }
15093 -+ {
15094 -+ u64 xi = a[4];
15095 -+ u64 yi = tmp[4];
15096 -+ a[4] = yi - xi;
15097 -+ }
15098 -+}
15099 -+
15100 -+static __always_inline void fscalar(u64 *output, u64 *b, u64 s)
15101 -+{
15102 -+ u128 tmp[5];
15103 -+ u128 b4;
15104 -+ u128 b0;
15105 -+ u128 b4_;
15106 -+ u128 b0_;
15107 -+ {
15108 -+ u64 xi = b[0];
15109 -+ tmp[0] = ((u128)(xi) * (s));
15110 -+ }
15111 -+ {
15112 -+ u64 xi = b[1];
15113 -+ tmp[1] = ((u128)(xi) * (s));
15114 -+ }
15115 -+ {
15116 -+ u64 xi = b[2];
15117 -+ tmp[2] = ((u128)(xi) * (s));
15118 -+ }
15119 -+ {
15120 -+ u64 xi = b[3];
15121 -+ tmp[3] = ((u128)(xi) * (s));
15122 -+ }
15123 -+ {
15124 -+ u64 xi = b[4];
15125 -+ tmp[4] = ((u128)(xi) * (s));
15126 -+ }
15127 -+ fproduct_carry_wide_(tmp);
15128 -+ b4 = tmp[4];
15129 -+ b0 = tmp[0];
15130 -+ b4_ = ((b4) & (((u128)(0x7ffffffffffffLLU))));
15131 -+ b0_ = ((b0) + (((u128)(19) * (((u64)(((b4) >> (51))))))));
15132 -+ tmp[4] = b4_;
15133 -+ tmp[0] = b0_;
15134 -+ fproduct_copy_from_wide_(output, tmp);
15135 -+}
15136 -+
15137 -+static __always_inline void fmul(u64 *output, u64 *a, u64 *b)
15138 -+{
15139 -+ fmul_fmul(output, a, b);
15140 -+}
15141 -+
15142 -+static __always_inline void crecip(u64 *output, u64 *input)
15143 -+{
15144 -+ crecip_crecip(output, input);
15145 -+}
15146 -+
15147 -+static __always_inline void point_swap_conditional_step(u64 *a, u64 *b,
15148 -+ u64 swap1, u32 ctr)
15149 -+{
15150 -+ u32 i = ctr - 1;
15151 -+ u64 ai = a[i];
15152 -+ u64 bi = b[i];
15153 -+ u64 x = swap1 & (ai ^ bi);
15154 -+ u64 ai1 = ai ^ x;
15155 -+ u64 bi1 = bi ^ x;
15156 -+ a[i] = ai1;
15157 -+ b[i] = bi1;
15158 -+}
15159 -+
15160 -+static __always_inline void point_swap_conditional5(u64 *a, u64 *b, u64 swap1)
15161 -+{
15162 -+ point_swap_conditional_step(a, b, swap1, 5);
15163 -+ point_swap_conditional_step(a, b, swap1, 4);
15164 -+ point_swap_conditional_step(a, b, swap1, 3);
15165 -+ point_swap_conditional_step(a, b, swap1, 2);
15166 -+ point_swap_conditional_step(a, b, swap1, 1);
15167 -+}
15168 -+
15169 -+static __always_inline void point_swap_conditional(u64 *a, u64 *b, u64 iswap)
15170 -+{
15171 -+ u64 swap1 = 0 - iswap;
15172 -+ point_swap_conditional5(a, b, swap1);
15173 -+ point_swap_conditional5(a + 5, b + 5, swap1);
15174 -+}
15175 -+
15176 -+static __always_inline void point_copy(u64 *output, u64 *input)
15177 -+{
15178 -+ memcpy(output, input, 5 * sizeof(*input));
15179 -+ memcpy(output + 5, input + 5, 5 * sizeof(*input));
15180 -+}
15181 -+
15182 -+static __always_inline void addanddouble_fmonty(u64 *pp, u64 *ppq, u64 *p,
15183 -+ u64 *pq, u64 *qmqp)
15184 -+{
15185 -+ u64 *qx = qmqp;
15186 -+ u64 *x2 = pp;
15187 -+ u64 *z2 = pp + 5;
15188 -+ u64 *x3 = ppq;
15189 -+ u64 *z3 = ppq + 5;
15190 -+ u64 *x = p;
15191 -+ u64 *z = p + 5;
15192 -+ u64 *xprime = pq;
15193 -+ u64 *zprime = pq + 5;
15194 -+ u64 buf[40] = { 0 };
15195 -+ u64 *origx = buf;
15196 -+ u64 *origxprime0 = buf + 5;
15197 -+ u64 *xxprime0;
15198 -+ u64 *zzprime0;
15199 -+ u64 *origxprime;
15200 -+ xxprime0 = buf + 25;
15201 -+ zzprime0 = buf + 30;
15202 -+ memcpy(origx, x, 5 * sizeof(*x));
15203 -+ fsum(x, z);
15204 -+ fdifference(z, origx);
15205 -+ memcpy(origxprime0, xprime, 5 * sizeof(*xprime));
15206 -+ fsum(xprime, zprime);
15207 -+ fdifference(zprime, origxprime0);
15208 -+ fmul(xxprime0, xprime, z);
15209 -+ fmul(zzprime0, x, zprime);
15210 -+ origxprime = buf + 5;
15211 -+ {
15212 -+ u64 *xx0;
15213 -+ u64 *zz0;
15214 -+ u64 *xxprime;
15215 -+ u64 *zzprime;
15216 -+ u64 *zzzprime;
15217 -+ xx0 = buf + 15;
15218 -+ zz0 = buf + 20;
15219 -+ xxprime = buf + 25;
15220 -+ zzprime = buf + 30;
15221 -+ zzzprime = buf + 35;
15222 -+ memcpy(origxprime, xxprime, 5 * sizeof(*xxprime));
15223 -+ fsum(xxprime, zzprime);
15224 -+ fdifference(zzprime, origxprime);
15225 -+ fsquare_fsquare_times(x3, xxprime, 1);
15226 -+ fsquare_fsquare_times(zzzprime, zzprime, 1);
15227 -+ fmul(z3, zzzprime, qx);
15228 -+ fsquare_fsquare_times(xx0, x, 1);
15229 -+ fsquare_fsquare_times(zz0, z, 1);
15230 -+ {
15231 -+ u64 *zzz;
15232 -+ u64 *xx;
15233 -+ u64 *zz;
15234 -+ u64 scalar;
15235 -+ zzz = buf + 10;
15236 -+ xx = buf + 15;
15237 -+ zz = buf + 20;
15238 -+ fmul(x2, xx, zz);
15239 -+ fdifference(zz, xx);
15240 -+ scalar = 121665;
15241 -+ fscalar(zzz, zz, scalar);
15242 -+ fsum(zzz, xx);
15243 -+ fmul(z2, zzz, zz);
15244 -+ }
15245 -+ }
15246 -+}
15247 -+
15248 -+static __always_inline void
15249 -+ladder_smallloop_cmult_small_loop_step(u64 *nq, u64 *nqpq, u64 *nq2, u64 *nqpq2,
15250 -+ u64 *q, u8 byt)
15251 -+{
15252 -+ u64 bit0 = (u64)(byt >> 7);
15253 -+ u64 bit;
15254 -+ point_swap_conditional(nq, nqpq, bit0);
15255 -+ addanddouble_fmonty(nq2, nqpq2, nq, nqpq, q);
15256 -+ bit = (u64)(byt >> 7);
15257 -+ point_swap_conditional(nq2, nqpq2, bit);
15258 -+}
15259 -+
15260 -+static __always_inline void
15261 -+ladder_smallloop_cmult_small_loop_double_step(u64 *nq, u64 *nqpq, u64 *nq2,
15262 -+ u64 *nqpq2, u64 *q, u8 byt)
15263 -+{
15264 -+ u8 byt1;
15265 -+ ladder_smallloop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
15266 -+ byt1 = byt << 1;
15267 -+ ladder_smallloop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
15268 -+}
15269 -+
15270 -+static __always_inline void
15271 -+ladder_smallloop_cmult_small_loop(u64 *nq, u64 *nqpq, u64 *nq2, u64 *nqpq2,
15272 -+ u64 *q, u8 byt, u32 i)
15273 -+{
15274 -+ while (i--) {
15275 -+ ladder_smallloop_cmult_small_loop_double_step(nq, nqpq, nq2,
15276 -+ nqpq2, q, byt);
15277 -+ byt <<= 2;
15278 -+ }
15279 -+}
15280 -+
15281 -+static __always_inline void ladder_bigloop_cmult_big_loop(u8 *n1, u64 *nq,
15282 -+ u64 *nqpq, u64 *nq2,
15283 -+ u64 *nqpq2, u64 *q,
15284 -+ u32 i)
15285 -+{
15286 -+ while (i--) {
15287 -+ u8 byte = n1[i];
15288 -+ ladder_smallloop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q,
15289 -+ byte, 4);
15290 -+ }
15291 -+}
15292 -+
15293 -+static void ladder_cmult(u64 *result, u8 *n1, u64 *q)
15294 -+{
15295 -+ u64 point_buf[40] = { 0 };
15296 -+ u64 *nq = point_buf;
15297 -+ u64 *nqpq = point_buf + 10;
15298 -+ u64 *nq2 = point_buf + 20;
15299 -+ u64 *nqpq2 = point_buf + 30;
15300 -+ point_copy(nqpq, q);
15301 -+ nq[0] = 1;
15302 -+ ladder_bigloop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, 32);
15303 -+ point_copy(result, nq);
15304 -+}
15305 -+
15306 -+static __always_inline void format_fexpand(u64 *output, const u8 *input)
15307 -+{
15308 -+ const u8 *x00 = input + 6;
15309 -+ const u8 *x01 = input + 12;
15310 -+ const u8 *x02 = input + 19;
15311 -+ const u8 *x0 = input + 24;
15312 -+ u64 i0, i1, i2, i3, i4, output0, output1, output2, output3, output4;
15313 -+ i0 = get_unaligned_le64(input);
15314 -+ i1 = get_unaligned_le64(x00);
15315 -+ i2 = get_unaligned_le64(x01);
15316 -+ i3 = get_unaligned_le64(x02);
15317 -+ i4 = get_unaligned_le64(x0);
15318 -+ output0 = i0 & 0x7ffffffffffffLLU;
15319 -+ output1 = i1 >> 3 & 0x7ffffffffffffLLU;
15320 -+ output2 = i2 >> 6 & 0x7ffffffffffffLLU;
15321 -+ output3 = i3 >> 1 & 0x7ffffffffffffLLU;
15322 -+ output4 = i4 >> 12 & 0x7ffffffffffffLLU;
15323 -+ output[0] = output0;
15324 -+ output[1] = output1;
15325 -+ output[2] = output2;
15326 -+ output[3] = output3;
15327 -+ output[4] = output4;
15328 -+}
15329 -+
15330 -+static __always_inline void format_fcontract_first_carry_pass(u64 *input)
15331 -+{
15332 -+ u64 t0 = input[0];
15333 -+ u64 t1 = input[1];
15334 -+ u64 t2 = input[2];
15335 -+ u64 t3 = input[3];
15336 -+ u64 t4 = input[4];
15337 -+ u64 t1_ = t1 + (t0 >> 51);
15338 -+ u64 t0_ = t0 & 0x7ffffffffffffLLU;
15339 -+ u64 t2_ = t2 + (t1_ >> 51);
15340 -+ u64 t1__ = t1_ & 0x7ffffffffffffLLU;
15341 -+ u64 t3_ = t3 + (t2_ >> 51);
15342 -+ u64 t2__ = t2_ & 0x7ffffffffffffLLU;
15343 -+ u64 t4_ = t4 + (t3_ >> 51);
15344 -+ u64 t3__ = t3_ & 0x7ffffffffffffLLU;
15345 -+ input[0] = t0_;
15346 -+ input[1] = t1__;
15347 -+ input[2] = t2__;
15348 -+ input[3] = t3__;
15349 -+ input[4] = t4_;
15350 -+}
15351 -+
15352 -+static __always_inline void format_fcontract_first_carry_full(u64 *input)
15353 -+{
15354 -+ format_fcontract_first_carry_pass(input);
15355 -+ modulo_carry_top(input);
15356 -+}
15357 -+
15358 -+static __always_inline void format_fcontract_second_carry_pass(u64 *input)
15359 -+{
15360 -+ u64 t0 = input[0];
15361 -+ u64 t1 = input[1];
15362 -+ u64 t2 = input[2];
15363 -+ u64 t3 = input[3];
15364 -+ u64 t4 = input[4];
15365 -+ u64 t1_ = t1 + (t0 >> 51);
15366 -+ u64 t0_ = t0 & 0x7ffffffffffffLLU;
15367 -+ u64 t2_ = t2 + (t1_ >> 51);
15368 -+ u64 t1__ = t1_ & 0x7ffffffffffffLLU;
15369 -+ u64 t3_ = t3 + (t2_ >> 51);
15370 -+ u64 t2__ = t2_ & 0x7ffffffffffffLLU;
15371 -+ u64 t4_ = t4 + (t3_ >> 51);
15372 -+ u64 t3__ = t3_ & 0x7ffffffffffffLLU;
15373 -+ input[0] = t0_;
15374 -+ input[1] = t1__;
15375 -+ input[2] = t2__;
15376 -+ input[3] = t3__;
15377 -+ input[4] = t4_;
15378 -+}
15379 -+
15380 -+static __always_inline void format_fcontract_second_carry_full(u64 *input)
15381 -+{
15382 -+ u64 i0;
15383 -+ u64 i1;
15384 -+ u64 i0_;
15385 -+ u64 i1_;
15386 -+ format_fcontract_second_carry_pass(input);
15387 -+ modulo_carry_top(input);
15388 -+ i0 = input[0];
15389 -+ i1 = input[1];
15390 -+ i0_ = i0 & 0x7ffffffffffffLLU;
15391 -+ i1_ = i1 + (i0 >> 51);
15392 -+ input[0] = i0_;
15393 -+ input[1] = i1_;
15394 -+}
15395 -+
15396 -+static __always_inline void format_fcontract_trim(u64 *input)
15397 -+{
15398 -+ u64 a0 = input[0];
15399 -+ u64 a1 = input[1];
15400 -+ u64 a2 = input[2];
15401 -+ u64 a3 = input[3];
15402 -+ u64 a4 = input[4];
15403 -+ u64 mask0 = u64_gte_mask(a0, 0x7ffffffffffedLLU);
15404 -+ u64 mask1 = u64_eq_mask(a1, 0x7ffffffffffffLLU);
15405 -+ u64 mask2 = u64_eq_mask(a2, 0x7ffffffffffffLLU);
15406 -+ u64 mask3 = u64_eq_mask(a3, 0x7ffffffffffffLLU);
15407 -+ u64 mask4 = u64_eq_mask(a4, 0x7ffffffffffffLLU);
15408 -+ u64 mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
15409 -+ u64 a0_ = a0 - (0x7ffffffffffedLLU & mask);
15410 -+ u64 a1_ = a1 - (0x7ffffffffffffLLU & mask);
15411 -+ u64 a2_ = a2 - (0x7ffffffffffffLLU & mask);
15412 -+ u64 a3_ = a3 - (0x7ffffffffffffLLU & mask);
15413 -+ u64 a4_ = a4 - (0x7ffffffffffffLLU & mask);
15414 -+ input[0] = a0_;
15415 -+ input[1] = a1_;
15416 -+ input[2] = a2_;
15417 -+ input[3] = a3_;
15418 -+ input[4] = a4_;
15419 -+}
15420 -+
15421 -+static __always_inline void format_fcontract_store(u8 *output, u64 *input)
15422 -+{
15423 -+ u64 t0 = input[0];
15424 -+ u64 t1 = input[1];
15425 -+ u64 t2 = input[2];
15426 -+ u64 t3 = input[3];
15427 -+ u64 t4 = input[4];
15428 -+ u64 o0 = t1 << 51 | t0;
15429 -+ u64 o1 = t2 << 38 | t1 >> 13;
15430 -+ u64 o2 = t3 << 25 | t2 >> 26;
15431 -+ u64 o3 = t4 << 12 | t3 >> 39;
15432 -+ u8 *b0 = output;
15433 -+ u8 *b1 = output + 8;
15434 -+ u8 *b2 = output + 16;
15435 -+ u8 *b3 = output + 24;
15436 -+ put_unaligned_le64(o0, b0);
15437 -+ put_unaligned_le64(o1, b1);
15438 -+ put_unaligned_le64(o2, b2);
15439 -+ put_unaligned_le64(o3, b3);
15440 -+}
15441 -+
15442 -+static __always_inline void format_fcontract(u8 *output, u64 *input)
15443 -+{
15444 -+ format_fcontract_first_carry_full(input);
15445 -+ format_fcontract_second_carry_full(input);
15446 -+ format_fcontract_trim(input);
15447 -+ format_fcontract_store(output, input);
15448 -+}
15449 -+
15450 -+static __always_inline void format_scalar_of_point(u8 *scalar, u64 *point)
15451 -+{
15452 -+ u64 *x = point;
15453 -+ u64 *z = point + 5;
15454 -+ u64 buf[10] __aligned(32) = { 0 };
15455 -+ u64 *zmone = buf;
15456 -+ u64 *sc = buf + 5;
15457 -+ crecip(zmone, z);
15458 -+ fmul(sc, x, zmone);
15459 -+ format_fcontract(scalar, sc);
15460 -+}
15461 -+
15462 -+void curve25519_generic(u8 mypublic[CURVE25519_KEY_SIZE],
15463 -+ const u8 secret[CURVE25519_KEY_SIZE],
15464 -+ const u8 basepoint[CURVE25519_KEY_SIZE])
15465 -+{
15466 -+ u64 buf0[10] __aligned(32) = { 0 };
15467 -+ u64 *x0 = buf0;
15468 -+ u64 *z = buf0 + 5;
15469 -+ u64 *q;
15470 -+ format_fexpand(x0, basepoint);
15471 -+ z[0] = 1;
15472 -+ q = buf0;
15473 -+ {
15474 -+ u8 e[32] __aligned(32) = { 0 };
15475 -+ u8 *scalar;
15476 -+ memcpy(e, secret, 32);
15477 -+ curve25519_clamp_secret(e);
15478 -+ scalar = e;
15479 -+ {
15480 -+ u64 buf[15] = { 0 };
15481 -+ u64 *nq = buf;
15482 -+ u64 *x = nq;
15483 -+ x[0] = 1;
15484 -+ ladder_cmult(nq, scalar, q);
15485 -+ format_scalar_of_point(mypublic, nq);
15486 -+ memzero_explicit(buf, sizeof(buf));
15487 -+ }
15488 -+ memzero_explicit(e, sizeof(e));
15489 -+ }
15490 -+ memzero_explicit(buf0, sizeof(buf0));
15491 -+}
15492 ---- b/lib/crypto/curve25519.c
15493 -+++ b/lib/crypto/curve25519.c
15494 -@@ -0,0 +1,35 @@
15495 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
15496 -+/*
15497 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
15498 -+ *
15499 -+ * This is an implementation of the Curve25519 ECDH algorithm, using either
15500 -+ * a 32-bit implementation or a 64-bit implementation with 128-bit integers,
15501 -+ * depending on what is supported by the target compiler.
15502 -+ *
15503 -+ * Information: https://cr.yp.to/ecdh.html
15504 -+ */
15505 -+
15506 -+#include <crypto/curve25519.h>
15507 -+#include <linux/module.h>
15508 -+#include <linux/init.h>
15509 -+
15510 -+bool curve25519_selftest(void);
15511 -+
15512 -+static int __init mod_init(void)
15513 -+{
15514 -+ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
15515 -+ WARN_ON(!curve25519_selftest()))
15516 -+ return -ENODEV;
15517 -+ return 0;
15518 -+}
15519 -+
15520 -+static void __exit mod_exit(void)
15521 -+{
15522 -+}
15523 -+
15524 -+module_init(mod_init);
15525 -+module_exit(mod_exit);
15526 -+
15527 -+MODULE_LICENSE("GPL v2");
15528 -+MODULE_DESCRIPTION("Curve25519 scalar multiplication");
15529 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
15530 ---- /dev/null
15531 -+++ b/crypto/curve25519-generic.c
15532 -@@ -0,0 +1,90 @@
15533 -+// SPDX-License-Identifier: GPL-2.0-or-later
15534 -+
15535 -+#include <crypto/curve25519.h>
15536 -+#include <crypto/internal/kpp.h>
15537 -+#include <crypto/kpp.h>
15538 -+#include <linux/module.h>
15539 -+#include <linux/scatterlist.h>
15540 -+
15541 -+static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
15542 -+ unsigned int len)
15543 -+{
15544 -+ u8 *secret = kpp_tfm_ctx(tfm);
15545 -+
15546 -+ if (!len)
15547 -+ curve25519_generate_secret(secret);
15548 -+ else if (len == CURVE25519_KEY_SIZE &&
15549 -+ crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
15550 -+ memcpy(secret, buf, CURVE25519_KEY_SIZE);
15551 -+ else
15552 -+ return -EINVAL;
15553 -+ return 0;
15554 -+}
15555 -+
15556 -+static int curve25519_compute_value(struct kpp_request *req)
15557 -+{
15558 -+ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
15559 -+ const u8 *secret = kpp_tfm_ctx(tfm);
15560 -+ u8 public_key[CURVE25519_KEY_SIZE];
15561 -+ u8 buf[CURVE25519_KEY_SIZE];
15562 -+ int copied, nbytes;
15563 -+ u8 const *bp;
15564 -+
15565 -+ if (req->src) {
15566 -+ copied = sg_copy_to_buffer(req->src,
15567 -+ sg_nents_for_len(req->src,
15568 -+ CURVE25519_KEY_SIZE),
15569 -+ public_key, CURVE25519_KEY_SIZE);
15570 -+ if (copied != CURVE25519_KEY_SIZE)
15571 -+ return -EINVAL;
15572 -+ bp = public_key;
15573 -+ } else {
15574 -+ bp = curve25519_base_point;
15575 -+ }
15576 -+
15577 -+ curve25519_generic(buf, secret, bp);
15578 -+
15579 -+ /* might want less than we've got */
15580 -+ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
15581 -+ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
15582 -+ nbytes),
15583 -+ buf, nbytes);
15584 -+ if (copied != nbytes)
15585 -+ return -EINVAL;
15586 -+ return 0;
15587 -+}
15588 -+
15589 -+static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
15590 -+{
15591 -+ return CURVE25519_KEY_SIZE;
15592 -+}
15593 -+
15594 -+static struct kpp_alg curve25519_alg = {
15595 -+ .base.cra_name = "curve25519",
15596 -+ .base.cra_driver_name = "curve25519-generic",
15597 -+ .base.cra_priority = 100,
15598 -+ .base.cra_module = THIS_MODULE,
15599 -+ .base.cra_ctxsize = CURVE25519_KEY_SIZE,
15600 -+
15601 -+ .set_secret = curve25519_set_secret,
15602 -+ .generate_public_key = curve25519_compute_value,
15603 -+ .compute_shared_secret = curve25519_compute_value,
15604 -+ .max_size = curve25519_max_size,
15605 -+};
15606 -+
15607 -+static int curve25519_init(void)
15608 -+{
15609 -+ return crypto_register_kpp(&curve25519_alg);
15610 -+}
15611 -+
15612 -+static void curve25519_exit(void)
15613 -+{
15614 -+ crypto_unregister_kpp(&curve25519_alg);
15615 -+}
15616 -+
15617 -+subsys_initcall(curve25519_init);
15618 -+module_exit(curve25519_exit);
15619 -+
15620 -+MODULE_ALIAS_CRYPTO("curve25519");
15621 -+MODULE_ALIAS_CRYPTO("curve25519-generic");
15622 -+MODULE_LICENSE("GPL");
15623 ---- b/arch/x86/crypto/curve25519-x86_64.c
15624 -+++ b/arch/x86/crypto/curve25519-x86_64.c
15625 -@@ -0,0 +1,1512 @@
15626 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
15627 -+/*
15628 -+ * Copyright (C) 2020 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
15629 -+ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
15630 -+ */
15631 -+
15632 -+#include <crypto/curve25519.h>
15633 -+#include <crypto/internal/kpp.h>
15634 -+
15635 -+#include <linux/types.h>
15636 -+#include <linux/jump_label.h>
15637 -+#include <linux/kernel.h>
15638 -+#include <linux/module.h>
15639 -+
15640 -+#include <asm/cpufeature.h>
15641 -+#include <asm/processor.h>
15642 -+
15643 -+static __always_inline u64 eq_mask(u64 a, u64 b)
15644 -+{
15645 -+ u64 x = a ^ b;
15646 -+ u64 minus_x = ~x + (u64)1U;
15647 -+ u64 x_or_minus_x = x | minus_x;
15648 -+ u64 xnx = x_or_minus_x >> (u32)63U;
15649 -+ return xnx - (u64)1U;
15650 -+}
15651 -+
15652 -+static __always_inline u64 gte_mask(u64 a, u64 b)
15653 -+{
15654 -+ u64 x = a;
15655 -+ u64 y = b;
15656 -+ u64 x_xor_y = x ^ y;
15657 -+ u64 x_sub_y = x - y;
15658 -+ u64 x_sub_y_xor_y = x_sub_y ^ y;
15659 -+ u64 q = x_xor_y | x_sub_y_xor_y;
15660 -+ u64 x_xor_q = x ^ q;
15661 -+ u64 x_xor_q_ = x_xor_q >> (u32)63U;
15662 -+ return x_xor_q_ - (u64)1U;
15663 -+}
15664 -+
15665 -+/* Computes the addition of four-element f1 with value in f2
15666 -+ * and returns the carry (if any) */
15667 -+static inline u64 add_scalar(u64 *out, const u64 *f1, u64 f2)
15668 -+{
15669 -+ u64 carry_r;
15670 -+
15671 -+ asm volatile(
15672 -+ /* Clear registers to propagate the carry bit */
15673 -+ " xor %%r8d, %%r8d;"
15674 -+ " xor %%r9d, %%r9d;"
15675 -+ " xor %%r10d, %%r10d;"
15676 -+ " xor %%r11d, %%r11d;"
15677 -+ " xor %k1, %k1;"
15678 -+
15679 -+ /* Begin addition chain */
15680 -+ " addq 0(%3), %0;"
15681 -+ " movq %0, 0(%2);"
15682 -+ " adcxq 8(%3), %%r8;"
15683 -+ " movq %%r8, 8(%2);"
15684 -+ " adcxq 16(%3), %%r9;"
15685 -+ " movq %%r9, 16(%2);"
15686 -+ " adcxq 24(%3), %%r10;"
15687 -+ " movq %%r10, 24(%2);"
15688 -+
15689 -+ /* Return the carry bit in a register */
15690 -+ " adcx %%r11, %1;"
15691 -+ : "+&r" (f2), "=&r" (carry_r)
15692 -+ : "r" (out), "r" (f1)
15693 -+ : "%r8", "%r9", "%r10", "%r11", "memory", "cc"
15694 -+ );
15695 -+
15696 -+ return carry_r;
15697 -+}
15698 -+
15699 -+/* Computes the field addition of two field elements */
15700 -+static inline void fadd(u64 *out, const u64 *f1, const u64 *f2)
15701 -+{
15702 -+ asm volatile(
15703 -+ /* Compute the raw addition of f1 + f2 */
15704 -+ " movq 0(%0), %%r8;"
15705 -+ " addq 0(%2), %%r8;"
15706 -+ " movq 8(%0), %%r9;"
15707 -+ " adcxq 8(%2), %%r9;"
15708 -+ " movq 16(%0), %%r10;"
15709 -+ " adcxq 16(%2), %%r10;"
15710 -+ " movq 24(%0), %%r11;"
15711 -+ " adcxq 24(%2), %%r11;"
15712 -+
15713 -+ /* Wrap the result back into the field */
15714 -+
15715 -+ /* Step 1: Compute carry*38 */
15716 -+ " mov $0, %%rax;"
15717 -+ " mov $38, %0;"
15718 -+ " cmovc %0, %%rax;"
15719 -+
15720 -+ /* Step 2: Add carry*38 to the original sum */
15721 -+ " xor %%ecx, %%ecx;"
15722 -+ " add %%rax, %%r8;"
15723 -+ " adcx %%rcx, %%r9;"
15724 -+ " movq %%r9, 8(%1);"
15725 -+ " adcx %%rcx, %%r10;"
15726 -+ " movq %%r10, 16(%1);"
15727 -+ " adcx %%rcx, %%r11;"
15728 -+ " movq %%r11, 24(%1);"
15729 -+
15730 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15731 -+ " mov $0, %%rax;"
15732 -+ " cmovc %0, %%rax;"
15733 -+ " add %%rax, %%r8;"
15734 -+ " movq %%r8, 0(%1);"
15735 -+ : "+&r" (f2)
15736 -+ : "r" (out), "r" (f1)
15737 -+ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"
15738 -+ );
15739 -+}
15740 -+
15741 -+/* Computes the field substraction of two field elements */
15742 -+static inline void fsub(u64 *out, const u64 *f1, const u64 *f2)
15743 -+{
15744 -+ asm volatile(
15745 -+ /* Compute the raw substraction of f1-f2 */
15746 -+ " movq 0(%1), %%r8;"
15747 -+ " subq 0(%2), %%r8;"
15748 -+ " movq 8(%1), %%r9;"
15749 -+ " sbbq 8(%2), %%r9;"
15750 -+ " movq 16(%1), %%r10;"
15751 -+ " sbbq 16(%2), %%r10;"
15752 -+ " movq 24(%1), %%r11;"
15753 -+ " sbbq 24(%2), %%r11;"
15754 -+
15755 -+ /* Wrap the result back into the field */
15756 -+
15757 -+ /* Step 1: Compute carry*38 */
15758 -+ " mov $0, %%rax;"
15759 -+ " mov $38, %%rcx;"
15760 -+ " cmovc %%rcx, %%rax;"
15761 -+
15762 -+ /* Step 2: Substract carry*38 from the original difference */
15763 -+ " sub %%rax, %%r8;"
15764 -+ " sbb $0, %%r9;"
15765 -+ " sbb $0, %%r10;"
15766 -+ " sbb $0, %%r11;"
15767 -+
15768 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15769 -+ " mov $0, %%rax;"
15770 -+ " cmovc %%rcx, %%rax;"
15771 -+ " sub %%rax, %%r8;"
15772 -+
15773 -+ /* Store the result */
15774 -+ " movq %%r8, 0(%0);"
15775 -+ " movq %%r9, 8(%0);"
15776 -+ " movq %%r10, 16(%0);"
15777 -+ " movq %%r11, 24(%0);"
15778 -+ :
15779 -+ : "r" (out), "r" (f1), "r" (f2)
15780 -+ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"
15781 -+ );
15782 -+}
15783 -+
15784 -+/* Computes a field multiplication: out <- f1 * f2
15785 -+ * Uses the 8-element buffer tmp for intermediate results */
15786 -+static inline void fmul(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp)
15787 -+{
15788 -+ asm volatile(
15789 -+ /* Compute the raw multiplication: tmp <- src1 * src2 */
15790 -+
15791 -+ /* Compute src1[0] * src2 */
15792 -+ " movq 0(%1), %%rdx;"
15793 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%0);"
15794 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%0);"
15795 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;"
15796 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
15797 -+ " adox %%rdx, %%rax;"
15798 -+ /* Compute src1[1] * src2 */
15799 -+ " movq 8(%1), %%rdx;"
15800 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%0), %%r8;" " movq %%r8, 8(%0);"
15801 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%0);"
15802 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15803 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15804 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15805 -+ /* Compute src1[2] * src2 */
15806 -+ " movq 16(%1), %%rdx;"
15807 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%0), %%r8;" " movq %%r8, 16(%0);"
15808 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%0);"
15809 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15810 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15811 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15812 -+ /* Compute src1[3] * src2 */
15813 -+ " movq 24(%1), %%rdx;"
15814 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%0), %%r8;" " movq %%r8, 24(%0);"
15815 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%0);"
15816 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%0);" " mov $0, %%r8;"
15817 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%0);" " mov $0, %%rax;"
15818 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%0);"
15819 -+ /* Line up pointers */
15820 -+ " mov %0, %1;"
15821 -+ " mov %2, %0;"
15822 -+
15823 -+ /* Wrap the result back into the field */
15824 -+
15825 -+ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
15826 -+ " mov $38, %%rdx;"
15827 -+ " mulxq 32(%1), %%r8, %%r13;"
15828 -+ " xor %k3, %k3;"
15829 -+ " adoxq 0(%1), %%r8;"
15830 -+ " mulxq 40(%1), %%r9, %%rbx;"
15831 -+ " adcx %%r13, %%r9;"
15832 -+ " adoxq 8(%1), %%r9;"
15833 -+ " mulxq 48(%1), %%r10, %%r13;"
15834 -+ " adcx %%rbx, %%r10;"
15835 -+ " adoxq 16(%1), %%r10;"
15836 -+ " mulxq 56(%1), %%r11, %%rax;"
15837 -+ " adcx %%r13, %%r11;"
15838 -+ " adoxq 24(%1), %%r11;"
15839 -+ " adcx %3, %%rax;"
15840 -+ " adox %3, %%rax;"
15841 -+ " imul %%rdx, %%rax;"
15842 -+
15843 -+ /* Step 2: Fold the carry back into dst */
15844 -+ " add %%rax, %%r8;"
15845 -+ " adcx %3, %%r9;"
15846 -+ " movq %%r9, 8(%0);"
15847 -+ " adcx %3, %%r10;"
15848 -+ " movq %%r10, 16(%0);"
15849 -+ " adcx %3, %%r11;"
15850 -+ " movq %%r11, 24(%0);"
15851 -+
15852 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15853 -+ " mov $0, %%rax;"
15854 -+ " cmovc %%rdx, %%rax;"
15855 -+ " add %%rax, %%r8;"
15856 -+ " movq %%r8, 0(%0);"
15857 -+ : "+&r" (tmp), "+&r" (f1), "+&r" (out), "+&r" (f2)
15858 -+ :
15859 -+ : "%rax", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "memory", "cc"
15860 -+ );
15861 -+}
15862 -+
15863 -+/* Computes two field multiplications:
15864 -+ * out[0] <- f1[0] * f2[0]
15865 -+ * out[1] <- f1[1] * f2[1]
15866 -+ * Uses the 16-element buffer tmp for intermediate results. */
15867 -+static inline void fmul2(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp)
15868 -+{
15869 -+ asm volatile(
15870 -+ /* Compute the raw multiplication tmp[0] <- f1[0] * f2[0] */
15871 -+
15872 -+ /* Compute src1[0] * src2 */
15873 -+ " movq 0(%1), %%rdx;"
15874 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%0);"
15875 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%0);"
15876 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;"
15877 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
15878 -+ " adox %%rdx, %%rax;"
15879 -+ /* Compute src1[1] * src2 */
15880 -+ " movq 8(%1), %%rdx;"
15881 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%0), %%r8;" " movq %%r8, 8(%0);"
15882 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%0);"
15883 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15884 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15885 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15886 -+ /* Compute src1[2] * src2 */
15887 -+ " movq 16(%1), %%rdx;"
15888 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%0), %%r8;" " movq %%r8, 16(%0);"
15889 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%0);"
15890 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15891 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15892 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15893 -+ /* Compute src1[3] * src2 */
15894 -+ " movq 24(%1), %%rdx;"
15895 -+ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%0), %%r8;" " movq %%r8, 24(%0);"
15896 -+ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%0);"
15897 -+ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%0);" " mov $0, %%r8;"
15898 -+ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%0);" " mov $0, %%rax;"
15899 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%0);"
15900 -+
15901 -+ /* Compute the raw multiplication tmp[1] <- f1[1] * f2[1] */
15902 -+
15903 -+ /* Compute src1[0] * src2 */
15904 -+ " movq 32(%1), %%rdx;"
15905 -+ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 64(%0);"
15906 -+ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 72(%0);"
15907 -+ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;"
15908 -+ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
15909 -+ " adox %%rdx, %%rax;"
15910 -+ /* Compute src1[1] * src2 */
15911 -+ " movq 40(%1), %%rdx;"
15912 -+ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 72(%0), %%r8;" " movq %%r8, 72(%0);"
15913 -+ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 80(%0);"
15914 -+ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15915 -+ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15916 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15917 -+ /* Compute src1[2] * src2 */
15918 -+ " movq 48(%1), %%rdx;"
15919 -+ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 80(%0), %%r8;" " movq %%r8, 80(%0);"
15920 -+ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 88(%0);"
15921 -+ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15922 -+ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15923 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15924 -+ /* Compute src1[3] * src2 */
15925 -+ " movq 56(%1), %%rdx;"
15926 -+ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 88(%0), %%r8;" " movq %%r8, 88(%0);"
15927 -+ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 96(%0);"
15928 -+ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 104(%0);" " mov $0, %%r8;"
15929 -+ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 112(%0);" " mov $0, %%rax;"
15930 -+ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 120(%0);"
15931 -+ /* Line up pointers */
15932 -+ " mov %0, %1;"
15933 -+ " mov %2, %0;"
15934 -+
15935 -+ /* Wrap the results back into the field */
15936 -+
15937 -+ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
15938 -+ " mov $38, %%rdx;"
15939 -+ " mulxq 32(%1), %%r8, %%r13;"
15940 -+ " xor %k3, %k3;"
15941 -+ " adoxq 0(%1), %%r8;"
15942 -+ " mulxq 40(%1), %%r9, %%rbx;"
15943 -+ " adcx %%r13, %%r9;"
15944 -+ " adoxq 8(%1), %%r9;"
15945 -+ " mulxq 48(%1), %%r10, %%r13;"
15946 -+ " adcx %%rbx, %%r10;"
15947 -+ " adoxq 16(%1), %%r10;"
15948 -+ " mulxq 56(%1), %%r11, %%rax;"
15949 -+ " adcx %%r13, %%r11;"
15950 -+ " adoxq 24(%1), %%r11;"
15951 -+ " adcx %3, %%rax;"
15952 -+ " adox %3, %%rax;"
15953 -+ " imul %%rdx, %%rax;"
15954 -+
15955 -+ /* Step 2: Fold the carry back into dst */
15956 -+ " add %%rax, %%r8;"
15957 -+ " adcx %3, %%r9;"
15958 -+ " movq %%r9, 8(%0);"
15959 -+ " adcx %3, %%r10;"
15960 -+ " movq %%r10, 16(%0);"
15961 -+ " adcx %3, %%r11;"
15962 -+ " movq %%r11, 24(%0);"
15963 -+
15964 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15965 -+ " mov $0, %%rax;"
15966 -+ " cmovc %%rdx, %%rax;"
15967 -+ " add %%rax, %%r8;"
15968 -+ " movq %%r8, 0(%0);"
15969 -+
15970 -+ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
15971 -+ " mov $38, %%rdx;"
15972 -+ " mulxq 96(%1), %%r8, %%r13;"
15973 -+ " xor %k3, %k3;"
15974 -+ " adoxq 64(%1), %%r8;"
15975 -+ " mulxq 104(%1), %%r9, %%rbx;"
15976 -+ " adcx %%r13, %%r9;"
15977 -+ " adoxq 72(%1), %%r9;"
15978 -+ " mulxq 112(%1), %%r10, %%r13;"
15979 -+ " adcx %%rbx, %%r10;"
15980 -+ " adoxq 80(%1), %%r10;"
15981 -+ " mulxq 120(%1), %%r11, %%rax;"
15982 -+ " adcx %%r13, %%r11;"
15983 -+ " adoxq 88(%1), %%r11;"
15984 -+ " adcx %3, %%rax;"
15985 -+ " adox %3, %%rax;"
15986 -+ " imul %%rdx, %%rax;"
15987 -+
15988 -+ /* Step 2: Fold the carry back into dst */
15989 -+ " add %%rax, %%r8;"
15990 -+ " adcx %3, %%r9;"
15991 -+ " movq %%r9, 40(%0);"
15992 -+ " adcx %3, %%r10;"
15993 -+ " movq %%r10, 48(%0);"
15994 -+ " adcx %3, %%r11;"
15995 -+ " movq %%r11, 56(%0);"
15996 -+
15997 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15998 -+ " mov $0, %%rax;"
15999 -+ " cmovc %%rdx, %%rax;"
16000 -+ " add %%rax, %%r8;"
16001 -+ " movq %%r8, 32(%0);"
16002 -+ : "+&r" (tmp), "+&r" (f1), "+&r" (out), "+&r" (f2)
16003 -+ :
16004 -+ : "%rax", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "memory", "cc"
16005 -+ );
16006 -+}
16007 -+
16008 -+/* Computes the field multiplication of four-element f1 with value in f2 */
16009 -+static inline void fmul_scalar(u64 *out, const u64 *f1, u64 f2)
16010 -+{
16011 -+ register u64 f2_r asm("rdx") = f2;
16012 -+
16013 -+ asm volatile(
16014 -+ /* Compute the raw multiplication of f1*f2 */
16015 -+ " mulxq 0(%2), %%r8, %%rcx;" /* f1[0]*f2 */
16016 -+ " mulxq 8(%2), %%r9, %%rbx;" /* f1[1]*f2 */
16017 -+ " add %%rcx, %%r9;"
16018 -+ " mov $0, %%rcx;"
16019 -+ " mulxq 16(%2), %%r10, %%r13;" /* f1[2]*f2 */
16020 -+ " adcx %%rbx, %%r10;"
16021 -+ " mulxq 24(%2), %%r11, %%rax;" /* f1[3]*f2 */
16022 -+ " adcx %%r13, %%r11;"
16023 -+ " adcx %%rcx, %%rax;"
16024 -+
16025 -+ /* Wrap the result back into the field */
16026 -+
16027 -+ /* Step 1: Compute carry*38 */
16028 -+ " mov $38, %%rdx;"
16029 -+ " imul %%rdx, %%rax;"
16030 -+
16031 -+ /* Step 2: Fold the carry back into dst */
16032 -+ " add %%rax, %%r8;"
16033 -+ " adcx %%rcx, %%r9;"
16034 -+ " movq %%r9, 8(%1);"
16035 -+ " adcx %%rcx, %%r10;"
16036 -+ " movq %%r10, 16(%1);"
16037 -+ " adcx %%rcx, %%r11;"
16038 -+ " movq %%r11, 24(%1);"
16039 -+
16040 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16041 -+ " mov $0, %%rax;"
16042 -+ " cmovc %%rdx, %%rax;"
16043 -+ " add %%rax, %%r8;"
16044 -+ " movq %%r8, 0(%1);"
16045 -+ : "+&r" (f2_r)
16046 -+ : "r" (out), "r" (f1)
16047 -+ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "memory", "cc"
16048 -+ );
16049 -+}
16050 -+
16051 -+/* Computes p1 <- bit ? p2 : p1 in constant time */
16052 -+static inline void cswap2(u64 bit, const u64 *p1, const u64 *p2)
16053 -+{
16054 -+ asm volatile(
16055 -+ /* Invert the polarity of bit to match cmov expectations */
16056 -+ " add $18446744073709551615, %0;"
16057 -+
16058 -+ /* cswap p1[0], p2[0] */
16059 -+ " movq 0(%1), %%r8;"
16060 -+ " movq 0(%2), %%r9;"
16061 -+ " mov %%r8, %%r10;"
16062 -+ " cmovc %%r9, %%r8;"
16063 -+ " cmovc %%r10, %%r9;"
16064 -+ " movq %%r8, 0(%1);"
16065 -+ " movq %%r9, 0(%2);"
16066 -+
16067 -+ /* cswap p1[1], p2[1] */
16068 -+ " movq 8(%1), %%r8;"
16069 -+ " movq 8(%2), %%r9;"
16070 -+ " mov %%r8, %%r10;"
16071 -+ " cmovc %%r9, %%r8;"
16072 -+ " cmovc %%r10, %%r9;"
16073 -+ " movq %%r8, 8(%1);"
16074 -+ " movq %%r9, 8(%2);"
16075 -+
16076 -+ /* cswap p1[2], p2[2] */
16077 -+ " movq 16(%1), %%r8;"
16078 -+ " movq 16(%2), %%r9;"
16079 -+ " mov %%r8, %%r10;"
16080 -+ " cmovc %%r9, %%r8;"
16081 -+ " cmovc %%r10, %%r9;"
16082 -+ " movq %%r8, 16(%1);"
16083 -+ " movq %%r9, 16(%2);"
16084 -+
16085 -+ /* cswap p1[3], p2[3] */
16086 -+ " movq 24(%1), %%r8;"
16087 -+ " movq 24(%2), %%r9;"
16088 -+ " mov %%r8, %%r10;"
16089 -+ " cmovc %%r9, %%r8;"
16090 -+ " cmovc %%r10, %%r9;"
16091 -+ " movq %%r8, 24(%1);"
16092 -+ " movq %%r9, 24(%2);"
16093 -+
16094 -+ /* cswap p1[4], p2[4] */
16095 -+ " movq 32(%1), %%r8;"
16096 -+ " movq 32(%2), %%r9;"
16097 -+ " mov %%r8, %%r10;"
16098 -+ " cmovc %%r9, %%r8;"
16099 -+ " cmovc %%r10, %%r9;"
16100 -+ " movq %%r8, 32(%1);"
16101 -+ " movq %%r9, 32(%2);"
16102 -+
16103 -+ /* cswap p1[5], p2[5] */
16104 -+ " movq 40(%1), %%r8;"
16105 -+ " movq 40(%2), %%r9;"
16106 -+ " mov %%r8, %%r10;"
16107 -+ " cmovc %%r9, %%r8;"
16108 -+ " cmovc %%r10, %%r9;"
16109 -+ " movq %%r8, 40(%1);"
16110 -+ " movq %%r9, 40(%2);"
16111 -+
16112 -+ /* cswap p1[6], p2[6] */
16113 -+ " movq 48(%1), %%r8;"
16114 -+ " movq 48(%2), %%r9;"
16115 -+ " mov %%r8, %%r10;"
16116 -+ " cmovc %%r9, %%r8;"
16117 -+ " cmovc %%r10, %%r9;"
16118 -+ " movq %%r8, 48(%1);"
16119 -+ " movq %%r9, 48(%2);"
16120 -+
16121 -+ /* cswap p1[7], p2[7] */
16122 -+ " movq 56(%1), %%r8;"
16123 -+ " movq 56(%2), %%r9;"
16124 -+ " mov %%r8, %%r10;"
16125 -+ " cmovc %%r9, %%r8;"
16126 -+ " cmovc %%r10, %%r9;"
16127 -+ " movq %%r8, 56(%1);"
16128 -+ " movq %%r9, 56(%2);"
16129 -+ : "+&r" (bit)
16130 -+ : "r" (p1), "r" (p2)
16131 -+ : "%r8", "%r9", "%r10", "memory", "cc"
16132 -+ );
16133 -+}
16134 -+
16135 -+/* Computes the square of a field element: out <- f * f
16136 -+ * Uses the 8-element buffer tmp for intermediate results */
16137 -+static inline void fsqr(u64 *out, const u64 *f, u64 *tmp)
16138 -+{
16139 -+ asm volatile(
16140 -+ /* Compute the raw multiplication: tmp <- f * f */
16141 -+
16142 -+ /* Step 1: Compute all partial products */
16143 -+ " movq 0(%1), %%rdx;" /* f[0] */
16144 -+ " mulxq 8(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" /* f[1]*f[0] */
16145 -+ " mulxq 16(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" /* f[2]*f[0] */
16146 -+ " mulxq 24(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" /* f[3]*f[0] */
16147 -+ " movq 24(%1), %%rdx;" /* f[3] */
16148 -+ " mulxq 8(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" /* f[1]*f[3] */
16149 -+ " mulxq 16(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" /* f[2]*f[3] */
16150 -+ " movq 8(%1), %%rdx;" " adcx %%r15, %%r13;" /* f1 */
16151 -+ " mulxq 16(%1), %%rax, %%rcx;" " mov $0, %%r14;" /* f[2]*f[1] */
16152 -+
16153 -+ /* Step 2: Compute two parallel carry chains */
16154 -+ " xor %%r15d, %%r15d;"
16155 -+ " adox %%rax, %%r10;"
16156 -+ " adcx %%r8, %%r8;"
16157 -+ " adox %%rcx, %%r11;"
16158 -+ " adcx %%r9, %%r9;"
16159 -+ " adox %%r15, %%rbx;"
16160 -+ " adcx %%r10, %%r10;"
16161 -+ " adox %%r15, %%r13;"
16162 -+ " adcx %%r11, %%r11;"
16163 -+ " adox %%r15, %%r14;"
16164 -+ " adcx %%rbx, %%rbx;"
16165 -+ " adcx %%r13, %%r13;"
16166 -+ " adcx %%r14, %%r14;"
16167 -+
16168 -+ /* Step 3: Compute intermediate squares */
16169 -+ " movq 0(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */
16170 -+ " movq %%rax, 0(%0);"
16171 -+ " add %%rcx, %%r8;" " movq %%r8, 8(%0);"
16172 -+ " movq 8(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */
16173 -+ " adcx %%rax, %%r9;" " movq %%r9, 16(%0);"
16174 -+ " adcx %%rcx, %%r10;" " movq %%r10, 24(%0);"
16175 -+ " movq 16(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */
16176 -+ " adcx %%rax, %%r11;" " movq %%r11, 32(%0);"
16177 -+ " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%0);"
16178 -+ " movq 24(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */
16179 -+ " adcx %%rax, %%r13;" " movq %%r13, 48(%0);"
16180 -+ " adcx %%rcx, %%r14;" " movq %%r14, 56(%0);"
16181 -+
16182 -+ /* Line up pointers */
16183 -+ " mov %0, %1;"
16184 -+ " mov %2, %0;"
16185 -+
16186 -+ /* Wrap the result back into the field */
16187 -+
16188 -+ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
16189 -+ " mov $38, %%rdx;"
16190 -+ " mulxq 32(%1), %%r8, %%r13;"
16191 -+ " xor %%ecx, %%ecx;"
16192 -+ " adoxq 0(%1), %%r8;"
16193 -+ " mulxq 40(%1), %%r9, %%rbx;"
16194 -+ " adcx %%r13, %%r9;"
16195 -+ " adoxq 8(%1), %%r9;"
16196 -+ " mulxq 48(%1), %%r10, %%r13;"
16197 -+ " adcx %%rbx, %%r10;"
16198 -+ " adoxq 16(%1), %%r10;"
16199 -+ " mulxq 56(%1), %%r11, %%rax;"
16200 -+ " adcx %%r13, %%r11;"
16201 -+ " adoxq 24(%1), %%r11;"
16202 -+ " adcx %%rcx, %%rax;"
16203 -+ " adox %%rcx, %%rax;"
16204 -+ " imul %%rdx, %%rax;"
16205 -+
16206 -+ /* Step 2: Fold the carry back into dst */
16207 -+ " add %%rax, %%r8;"
16208 -+ " adcx %%rcx, %%r9;"
16209 -+ " movq %%r9, 8(%0);"
16210 -+ " adcx %%rcx, %%r10;"
16211 -+ " movq %%r10, 16(%0);"
16212 -+ " adcx %%rcx, %%r11;"
16213 -+ " movq %%r11, 24(%0);"
16214 -+
16215 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16216 -+ " mov $0, %%rax;"
16217 -+ " cmovc %%rdx, %%rax;"
16218 -+ " add %%rax, %%r8;"
16219 -+ " movq %%r8, 0(%0);"
16220 -+ : "+&r" (tmp), "+&r" (f), "+&r" (out)
16221 -+ :
16222 -+ : "%rax", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "%r15", "memory", "cc"
16223 -+ );
16224 -+}
16225 -+
16226 -+/* Computes two field squarings:
16227 -+ * out[0] <- f[0] * f[0]
16228 -+ * out[1] <- f[1] * f[1]
16229 -+ * Uses the 16-element buffer tmp for intermediate results */
16230 -+static inline void fsqr2(u64 *out, const u64 *f, u64 *tmp)
16231 -+{
16232 -+ asm volatile(
16233 -+ /* Step 1: Compute all partial products */
16234 -+ " movq 0(%1), %%rdx;" /* f[0] */
16235 -+ " mulxq 8(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" /* f[1]*f[0] */
16236 -+ " mulxq 16(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" /* f[2]*f[0] */
16237 -+ " mulxq 24(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" /* f[3]*f[0] */
16238 -+ " movq 24(%1), %%rdx;" /* f[3] */
16239 -+ " mulxq 8(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" /* f[1]*f[3] */
16240 -+ " mulxq 16(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" /* f[2]*f[3] */
16241 -+ " movq 8(%1), %%rdx;" " adcx %%r15, %%r13;" /* f1 */
16242 -+ " mulxq 16(%1), %%rax, %%rcx;" " mov $0, %%r14;" /* f[2]*f[1] */
16243 -+
16244 -+ /* Step 2: Compute two parallel carry chains */
16245 -+ " xor %%r15d, %%r15d;"
16246 -+ " adox %%rax, %%r10;"
16247 -+ " adcx %%r8, %%r8;"
16248 -+ " adox %%rcx, %%r11;"
16249 -+ " adcx %%r9, %%r9;"
16250 -+ " adox %%r15, %%rbx;"
16251 -+ " adcx %%r10, %%r10;"
16252 -+ " adox %%r15, %%r13;"
16253 -+ " adcx %%r11, %%r11;"
16254 -+ " adox %%r15, %%r14;"
16255 -+ " adcx %%rbx, %%rbx;"
16256 -+ " adcx %%r13, %%r13;"
16257 -+ " adcx %%r14, %%r14;"
16258 -+
16259 -+ /* Step 3: Compute intermediate squares */
16260 -+ " movq 0(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */
16261 -+ " movq %%rax, 0(%0);"
16262 -+ " add %%rcx, %%r8;" " movq %%r8, 8(%0);"
16263 -+ " movq 8(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */
16264 -+ " adcx %%rax, %%r9;" " movq %%r9, 16(%0);"
16265 -+ " adcx %%rcx, %%r10;" " movq %%r10, 24(%0);"
16266 -+ " movq 16(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */
16267 -+ " adcx %%rax, %%r11;" " movq %%r11, 32(%0);"
16268 -+ " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%0);"
16269 -+ " movq 24(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */
16270 -+ " adcx %%rax, %%r13;" " movq %%r13, 48(%0);"
16271 -+ " adcx %%rcx, %%r14;" " movq %%r14, 56(%0);"
16272 -+
16273 -+ /* Step 1: Compute all partial products */
16274 -+ " movq 32(%1), %%rdx;" /* f[0] */
16275 -+ " mulxq 40(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" /* f[1]*f[0] */
16276 -+ " mulxq 48(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" /* f[2]*f[0] */
16277 -+ " mulxq 56(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" /* f[3]*f[0] */
16278 -+ " movq 56(%1), %%rdx;" /* f[3] */
16279 -+ " mulxq 40(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" /* f[1]*f[3] */
16280 -+ " mulxq 48(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" /* f[2]*f[3] */
16281 -+ " movq 40(%1), %%rdx;" " adcx %%r15, %%r13;" /* f1 */
16282 -+ " mulxq 48(%1), %%rax, %%rcx;" " mov $0, %%r14;" /* f[2]*f[1] */
16283 -+
16284 -+ /* Step 2: Compute two parallel carry chains */
16285 -+ " xor %%r15d, %%r15d;"
16286 -+ " adox %%rax, %%r10;"
16287 -+ " adcx %%r8, %%r8;"
16288 -+ " adox %%rcx, %%r11;"
16289 -+ " adcx %%r9, %%r9;"
16290 -+ " adox %%r15, %%rbx;"
16291 -+ " adcx %%r10, %%r10;"
16292 -+ " adox %%r15, %%r13;"
16293 -+ " adcx %%r11, %%r11;"
16294 -+ " adox %%r15, %%r14;"
16295 -+ " adcx %%rbx, %%rbx;"
16296 -+ " adcx %%r13, %%r13;"
16297 -+ " adcx %%r14, %%r14;"
16298 -+
16299 -+ /* Step 3: Compute intermediate squares */
16300 -+ " movq 32(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */
16301 -+ " movq %%rax, 64(%0);"
16302 -+ " add %%rcx, %%r8;" " movq %%r8, 72(%0);"
16303 -+ " movq 40(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */
16304 -+ " adcx %%rax, %%r9;" " movq %%r9, 80(%0);"
16305 -+ " adcx %%rcx, %%r10;" " movq %%r10, 88(%0);"
16306 -+ " movq 48(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */
16307 -+ " adcx %%rax, %%r11;" " movq %%r11, 96(%0);"
16308 -+ " adcx %%rcx, %%rbx;" " movq %%rbx, 104(%0);"
16309 -+ " movq 56(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */
16310 -+ " adcx %%rax, %%r13;" " movq %%r13, 112(%0);"
16311 -+ " adcx %%rcx, %%r14;" " movq %%r14, 120(%0);"
16312 -+
16313 -+ /* Line up pointers */
16314 -+ " mov %0, %1;"
16315 -+ " mov %2, %0;"
16316 -+
16317 -+ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
16318 -+ " mov $38, %%rdx;"
16319 -+ " mulxq 32(%1), %%r8, %%r13;"
16320 -+ " xor %%ecx, %%ecx;"
16321 -+ " adoxq 0(%1), %%r8;"
16322 -+ " mulxq 40(%1), %%r9, %%rbx;"
16323 -+ " adcx %%r13, %%r9;"
16324 -+ " adoxq 8(%1), %%r9;"
16325 -+ " mulxq 48(%1), %%r10, %%r13;"
16326 -+ " adcx %%rbx, %%r10;"
16327 -+ " adoxq 16(%1), %%r10;"
16328 -+ " mulxq 56(%1), %%r11, %%rax;"
16329 -+ " adcx %%r13, %%r11;"
16330 -+ " adoxq 24(%1), %%r11;"
16331 -+ " adcx %%rcx, %%rax;"
16332 -+ " adox %%rcx, %%rax;"
16333 -+ " imul %%rdx, %%rax;"
16334 -+
16335 -+ /* Step 2: Fold the carry back into dst */
16336 -+ " add %%rax, %%r8;"
16337 -+ " adcx %%rcx, %%r9;"
16338 -+ " movq %%r9, 8(%0);"
16339 -+ " adcx %%rcx, %%r10;"
16340 -+ " movq %%r10, 16(%0);"
16341 -+ " adcx %%rcx, %%r11;"
16342 -+ " movq %%r11, 24(%0);"
16343 -+
16344 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16345 -+ " mov $0, %%rax;"
16346 -+ " cmovc %%rdx, %%rax;"
16347 -+ " add %%rax, %%r8;"
16348 -+ " movq %%r8, 0(%0);"
16349 -+
16350 -+ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
16351 -+ " mov $38, %%rdx;"
16352 -+ " mulxq 96(%1), %%r8, %%r13;"
16353 -+ " xor %%ecx, %%ecx;"
16354 -+ " adoxq 64(%1), %%r8;"
16355 -+ " mulxq 104(%1), %%r9, %%rbx;"
16356 -+ " adcx %%r13, %%r9;"
16357 -+ " adoxq 72(%1), %%r9;"
16358 -+ " mulxq 112(%1), %%r10, %%r13;"
16359 -+ " adcx %%rbx, %%r10;"
16360 -+ " adoxq 80(%1), %%r10;"
16361 -+ " mulxq 120(%1), %%r11, %%rax;"
16362 -+ " adcx %%r13, %%r11;"
16363 -+ " adoxq 88(%1), %%r11;"
16364 -+ " adcx %%rcx, %%rax;"
16365 -+ " adox %%rcx, %%rax;"
16366 -+ " imul %%rdx, %%rax;"
16367 -+
16368 -+ /* Step 2: Fold the carry back into dst */
16369 -+ " add %%rax, %%r8;"
16370 -+ " adcx %%rcx, %%r9;"
16371 -+ " movq %%r9, 40(%0);"
16372 -+ " adcx %%rcx, %%r10;"
16373 -+ " movq %%r10, 48(%0);"
16374 -+ " adcx %%rcx, %%r11;"
16375 -+ " movq %%r11, 56(%0);"
16376 -+
16377 -+ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16378 -+ " mov $0, %%rax;"
16379 -+ " cmovc %%rdx, %%rax;"
16380 -+ " add %%rax, %%r8;"
16381 -+ " movq %%r8, 32(%0);"
16382 -+ : "+&r" (tmp), "+&r" (f), "+&r" (out)
16383 -+ :
16384 -+ : "%rax", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "%r15", "memory", "cc"
16385 -+ );
16386 -+}
16387 -+
16388 -+static void point_add_and_double(u64 *q, u64 *p01_tmp1, u64 *tmp2)
16389 -+{
16390 -+ u64 *nq = p01_tmp1;
16391 -+ u64 *nq_p1 = p01_tmp1 + (u32)8U;
16392 -+ u64 *tmp1 = p01_tmp1 + (u32)16U;
16393 -+ u64 *x1 = q;
16394 -+ u64 *x2 = nq;
16395 -+ u64 *z2 = nq + (u32)4U;
16396 -+ u64 *z3 = nq_p1 + (u32)4U;
16397 -+ u64 *a = tmp1;
16398 -+ u64 *b = tmp1 + (u32)4U;
16399 -+ u64 *ab = tmp1;
16400 -+ u64 *dc = tmp1 + (u32)8U;
16401 -+ u64 *x3;
16402 -+ u64 *z31;
16403 -+ u64 *d0;
16404 -+ u64 *c0;
16405 -+ u64 *a1;
16406 -+ u64 *b1;
16407 -+ u64 *d;
16408 -+ u64 *c;
16409 -+ u64 *ab1;
16410 -+ u64 *dc1;
16411 -+ fadd(a, x2, z2);
16412 -+ fsub(b, x2, z2);
16413 -+ x3 = nq_p1;
16414 -+ z31 = nq_p1 + (u32)4U;
16415 -+ d0 = dc;
16416 -+ c0 = dc + (u32)4U;
16417 -+ fadd(c0, x3, z31);
16418 -+ fsub(d0, x3, z31);
16419 -+ fmul2(dc, dc, ab, tmp2);
16420 -+ fadd(x3, d0, c0);
16421 -+ fsub(z31, d0, c0);
16422 -+ a1 = tmp1;
16423 -+ b1 = tmp1 + (u32)4U;
16424 -+ d = tmp1 + (u32)8U;
16425 -+ c = tmp1 + (u32)12U;
16426 -+ ab1 = tmp1;
16427 -+ dc1 = tmp1 + (u32)8U;
16428 -+ fsqr2(dc1, ab1, tmp2);
16429 -+ fsqr2(nq_p1, nq_p1, tmp2);
16430 -+ a1[0U] = c[0U];
16431 -+ a1[1U] = c[1U];
16432 -+ a1[2U] = c[2U];
16433 -+ a1[3U] = c[3U];
16434 -+ fsub(c, d, c);
16435 -+ fmul_scalar(b1, c, (u64)121665U);
16436 -+ fadd(b1, b1, d);
16437 -+ fmul2(nq, dc1, ab1, tmp2);
16438 -+ fmul(z3, z3, x1, tmp2);
16439 -+}
16440 -+
16441 -+static void point_double(u64 *nq, u64 *tmp1, u64 *tmp2)
16442 -+{
16443 -+ u64 *x2 = nq;
16444 -+ u64 *z2 = nq + (u32)4U;
16445 -+ u64 *a = tmp1;
16446 -+ u64 *b = tmp1 + (u32)4U;
16447 -+ u64 *d = tmp1 + (u32)8U;
16448 -+ u64 *c = tmp1 + (u32)12U;
16449 -+ u64 *ab = tmp1;
16450 -+ u64 *dc = tmp1 + (u32)8U;
16451 -+ fadd(a, x2, z2);
16452 -+ fsub(b, x2, z2);
16453 -+ fsqr2(dc, ab, tmp2);
16454 -+ a[0U] = c[0U];
16455 -+ a[1U] = c[1U];
16456 -+ a[2U] = c[2U];
16457 -+ a[3U] = c[3U];
16458 -+ fsub(c, d, c);
16459 -+ fmul_scalar(b, c, (u64)121665U);
16460 -+ fadd(b, b, d);
16461 -+ fmul2(nq, dc, ab, tmp2);
16462 -+}
16463 -+
16464 -+static void montgomery_ladder(u64 *out, const u8 *key, u64 *init1)
16465 -+{
16466 -+ u64 tmp2[16U] = { 0U };
16467 -+ u64 p01_tmp1_swap[33U] = { 0U };
16468 -+ u64 *p0 = p01_tmp1_swap;
16469 -+ u64 *p01 = p01_tmp1_swap;
16470 -+ u64 *p03 = p01;
16471 -+ u64 *p11 = p01 + (u32)8U;
16472 -+ u64 *x0;
16473 -+ u64 *z0;
16474 -+ u64 *p01_tmp1;
16475 -+ u64 *p01_tmp11;
16476 -+ u64 *nq10;
16477 -+ u64 *nq_p11;
16478 -+ u64 *swap1;
16479 -+ u64 sw0;
16480 -+ u64 *nq1;
16481 -+ u64 *tmp1;
16482 -+ memcpy(p11, init1, (u32)8U * sizeof(init1[0U]));
16483 -+ x0 = p03;
16484 -+ z0 = p03 + (u32)4U;
16485 -+ x0[0U] = (u64)1U;
16486 -+ x0[1U] = (u64)0U;
16487 -+ x0[2U] = (u64)0U;
16488 -+ x0[3U] = (u64)0U;
16489 -+ z0[0U] = (u64)0U;
16490 -+ z0[1U] = (u64)0U;
16491 -+ z0[2U] = (u64)0U;
16492 -+ z0[3U] = (u64)0U;
16493 -+ p01_tmp1 = p01_tmp1_swap;
16494 -+ p01_tmp11 = p01_tmp1_swap;
16495 -+ nq10 = p01_tmp1_swap;
16496 -+ nq_p11 = p01_tmp1_swap + (u32)8U;
16497 -+ swap1 = p01_tmp1_swap + (u32)32U;
16498 -+ cswap2((u64)1U, nq10, nq_p11);
16499 -+ point_add_and_double(init1, p01_tmp11, tmp2);
16500 -+ swap1[0U] = (u64)1U;
16501 -+ {
16502 -+ u32 i;
16503 -+ for (i = (u32)0U; i < (u32)251U; i = i + (u32)1U) {
16504 -+ u64 *p01_tmp12 = p01_tmp1_swap;
16505 -+ u64 *swap2 = p01_tmp1_swap + (u32)32U;
16506 -+ u64 *nq2 = p01_tmp12;
16507 -+ u64 *nq_p12 = p01_tmp12 + (u32)8U;
16508 -+ u64 bit = (u64)(key[((u32)253U - i) / (u32)8U] >> ((u32)253U - i) % (u32)8U & (u8)1U);
16509 -+ u64 sw = swap2[0U] ^ bit;
16510 -+ cswap2(sw, nq2, nq_p12);
16511 -+ point_add_and_double(init1, p01_tmp12, tmp2);
16512 -+ swap2[0U] = bit;
16513 -+ }
16514 -+ }
16515 -+ sw0 = swap1[0U];
16516 -+ cswap2(sw0, nq10, nq_p11);
16517 -+ nq1 = p01_tmp1;
16518 -+ tmp1 = p01_tmp1 + (u32)16U;
16519 -+ point_double(nq1, tmp1, tmp2);
16520 -+ point_double(nq1, tmp1, tmp2);
16521 -+ point_double(nq1, tmp1, tmp2);
16522 -+ memcpy(out, p0, (u32)8U * sizeof(p0[0U]));
16523 -+
16524 -+ memzero_explicit(tmp2, sizeof(tmp2));
16525 -+ memzero_explicit(p01_tmp1_swap, sizeof(p01_tmp1_swap));
16526 -+}
16527 -+
16528 -+static void fsquare_times(u64 *o, const u64 *inp, u64 *tmp, u32 n1)
16529 -+{
16530 -+ u32 i;
16531 -+ fsqr(o, inp, tmp);
16532 -+ for (i = (u32)0U; i < n1 - (u32)1U; i = i + (u32)1U)
16533 -+ fsqr(o, o, tmp);
16534 -+}
16535 -+
16536 -+static void finv(u64 *o, const u64 *i, u64 *tmp)
16537 -+{
16538 -+ u64 t1[16U] = { 0U };
16539 -+ u64 *a0 = t1;
16540 -+ u64 *b = t1 + (u32)4U;
16541 -+ u64 *c = t1 + (u32)8U;
16542 -+ u64 *t00 = t1 + (u32)12U;
16543 -+ u64 *tmp1 = tmp;
16544 -+ u64 *a;
16545 -+ u64 *t0;
16546 -+ fsquare_times(a0, i, tmp1, (u32)1U);
16547 -+ fsquare_times(t00, a0, tmp1, (u32)2U);
16548 -+ fmul(b, t00, i, tmp);
16549 -+ fmul(a0, b, a0, tmp);
16550 -+ fsquare_times(t00, a0, tmp1, (u32)1U);
16551 -+ fmul(b, t00, b, tmp);
16552 -+ fsquare_times(t00, b, tmp1, (u32)5U);
16553 -+ fmul(b, t00, b, tmp);
16554 -+ fsquare_times(t00, b, tmp1, (u32)10U);
16555 -+ fmul(c, t00, b, tmp);
16556 -+ fsquare_times(t00, c, tmp1, (u32)20U);
16557 -+ fmul(t00, t00, c, tmp);
16558 -+ fsquare_times(t00, t00, tmp1, (u32)10U);
16559 -+ fmul(b, t00, b, tmp);
16560 -+ fsquare_times(t00, b, tmp1, (u32)50U);
16561 -+ fmul(c, t00, b, tmp);
16562 -+ fsquare_times(t00, c, tmp1, (u32)100U);
16563 -+ fmul(t00, t00, c, tmp);
16564 -+ fsquare_times(t00, t00, tmp1, (u32)50U);
16565 -+ fmul(t00, t00, b, tmp);
16566 -+ fsquare_times(t00, t00, tmp1, (u32)5U);
16567 -+ a = t1;
16568 -+ t0 = t1 + (u32)12U;
16569 -+ fmul(o, t0, a, tmp);
16570 -+}
16571 -+
16572 -+static void store_felem(u64 *b, u64 *f)
16573 -+{
16574 -+ u64 f30 = f[3U];
16575 -+ u64 top_bit0 = f30 >> (u32)63U;
16576 -+ u64 f31;
16577 -+ u64 top_bit;
16578 -+ u64 f0;
16579 -+ u64 f1;
16580 -+ u64 f2;
16581 -+ u64 f3;
16582 -+ u64 m0;
16583 -+ u64 m1;
16584 -+ u64 m2;
16585 -+ u64 m3;
16586 -+ u64 mask;
16587 -+ u64 f0_;
16588 -+ u64 f1_;
16589 -+ u64 f2_;
16590 -+ u64 f3_;
16591 -+ u64 o0;
16592 -+ u64 o1;
16593 -+ u64 o2;
16594 -+ u64 o3;
16595 -+ f[3U] = f30 & (u64)0x7fffffffffffffffU;
16596 -+ add_scalar(f, f, (u64)19U * top_bit0);
16597 -+ f31 = f[3U];
16598 -+ top_bit = f31 >> (u32)63U;
16599 -+ f[3U] = f31 & (u64)0x7fffffffffffffffU;
16600 -+ add_scalar(f, f, (u64)19U * top_bit);
16601 -+ f0 = f[0U];
16602 -+ f1 = f[1U];
16603 -+ f2 = f[2U];
16604 -+ f3 = f[3U];
16605 -+ m0 = gte_mask(f0, (u64)0xffffffffffffffedU);
16606 -+ m1 = eq_mask(f1, (u64)0xffffffffffffffffU);
16607 -+ m2 = eq_mask(f2, (u64)0xffffffffffffffffU);
16608 -+ m3 = eq_mask(f3, (u64)0x7fffffffffffffffU);
16609 -+ mask = ((m0 & m1) & m2) & m3;
16610 -+ f0_ = f0 - (mask & (u64)0xffffffffffffffedU);
16611 -+ f1_ = f1 - (mask & (u64)0xffffffffffffffffU);
16612 -+ f2_ = f2 - (mask & (u64)0xffffffffffffffffU);
16613 -+ f3_ = f3 - (mask & (u64)0x7fffffffffffffffU);
16614 -+ o0 = f0_;
16615 -+ o1 = f1_;
16616 -+ o2 = f2_;
16617 -+ o3 = f3_;
16618 -+ b[0U] = o0;
16619 -+ b[1U] = o1;
16620 -+ b[2U] = o2;
16621 -+ b[3U] = o3;
16622 -+}
16623 -+
16624 -+static void encode_point(u8 *o, const u64 *i)
16625 -+{
16626 -+ const u64 *x = i;
16627 -+ const u64 *z = i + (u32)4U;
16628 -+ u64 tmp[4U] = { 0U };
16629 -+ u64 tmp_w[16U] = { 0U };
16630 -+ finv(tmp, z, tmp_w);
16631 -+ fmul(tmp, tmp, x, tmp_w);
16632 -+ store_felem((u64 *)o, tmp);
16633 -+}
16634 -+
16635 -+static void curve25519_ever64(u8 *out, const u8 *priv, const u8 *pub)
16636 -+{
16637 -+ u64 init1[8U] = { 0U };
16638 -+ u64 tmp[4U] = { 0U };
16639 -+ u64 tmp3;
16640 -+ u64 *x;
16641 -+ u64 *z;
16642 -+ {
16643 -+ u32 i;
16644 -+ for (i = (u32)0U; i < (u32)4U; i = i + (u32)1U) {
16645 -+ u64 *os = tmp;
16646 -+ const u8 *bj = pub + i * (u32)8U;
16647 -+ u64 u = *(u64 *)bj;
16648 -+ u64 r = u;
16649 -+ u64 x0 = r;
16650 -+ os[i] = x0;
16651 -+ }
16652 -+ }
16653 -+ tmp3 = tmp[3U];
16654 -+ tmp[3U] = tmp3 & (u64)0x7fffffffffffffffU;
16655 -+ x = init1;
16656 -+ z = init1 + (u32)4U;
16657 -+ z[0U] = (u64)1U;
16658 -+ z[1U] = (u64)0U;
16659 -+ z[2U] = (u64)0U;
16660 -+ z[3U] = (u64)0U;
16661 -+ x[0U] = tmp[0U];
16662 -+ x[1U] = tmp[1U];
16663 -+ x[2U] = tmp[2U];
16664 -+ x[3U] = tmp[3U];
16665 -+ montgomery_ladder(init1, priv, init1);
16666 -+ encode_point(out, init1);
16667 -+}
16668 -+
16669 -+/* The below constants were generated using this sage script:
16670 -+ *
16671 -+ * #!/usr/bin/env sage
16672 -+ * import sys
16673 -+ * from sage.all import *
16674 -+ * def limbs(n):
16675 -+ * n = int(n)
16676 -+ * l = ((n >> 0) % 2^64, (n >> 64) % 2^64, (n >> 128) % 2^64, (n >> 192) % 2^64)
16677 -+ * return "0x%016xULL, 0x%016xULL, 0x%016xULL, 0x%016xULL" % l
16678 -+ * ec = EllipticCurve(GF(2^255 - 19), [0, 486662, 0, 1, 0])
16679 -+ * p_minus_s = (ec.lift_x(9) - ec.lift_x(1))[0]
16680 -+ * print("static const u64 p_minus_s[] = { %s };\n" % limbs(p_minus_s))
16681 -+ * print("static const u64 table_ladder[] = {")
16682 -+ * p = ec.lift_x(9)
16683 -+ * for i in range(252):
16684 -+ * l = (p[0] + p[2]) / (p[0] - p[2])
16685 -+ * print(("\t%s" + ("," if i != 251 else "")) % limbs(l))
16686 -+ * p = p * 2
16687 -+ * print("};")
16688 -+ *
16689 -+ */
16690 -+
16691 -+static const u64 p_minus_s[] = { 0x816b1e0137d48290ULL, 0x440f6a51eb4d1207ULL, 0x52385f46dca2b71dULL, 0x215132111d8354cbULL };
16692 -+
16693 -+static const u64 table_ladder[] = {
16694 -+ 0xfffffffffffffff3ULL, 0xffffffffffffffffULL, 0xffffffffffffffffULL, 0x5fffffffffffffffULL,
16695 -+ 0x6b8220f416aafe96ULL, 0x82ebeb2b4f566a34ULL, 0xd5a9a5b075a5950fULL, 0x5142b2cf4b2488f4ULL,
16696 -+ 0x6aaebc750069680cULL, 0x89cf7820a0f99c41ULL, 0x2a58d9183b56d0f4ULL, 0x4b5aca80e36011a4ULL,
16697 -+ 0x329132348c29745dULL, 0xf4a2e616e1642fd7ULL, 0x1e45bb03ff67bc34ULL, 0x306912d0f42a9b4aULL,
16698 -+ 0xff886507e6af7154ULL, 0x04f50e13dfeec82fULL, 0xaa512fe82abab5ceULL, 0x174e251a68d5f222ULL,
16699 -+ 0xcf96700d82028898ULL, 0x1743e3370a2c02c5ULL, 0x379eec98b4e86eaaULL, 0x0c59888a51e0482eULL,
16700 -+ 0xfbcbf1d699b5d189ULL, 0xacaef0d58e9fdc84ULL, 0xc1c20d06231f7614ULL, 0x2938218da274f972ULL,
16701 -+ 0xf6af49beff1d7f18ULL, 0xcc541c22387ac9c2ULL, 0x96fcc9ef4015c56bULL, 0x69c1627c690913a9ULL,
16702 -+ 0x7a86fd2f4733db0eULL, 0xfdb8c4f29e087de9ULL, 0x095e4b1a8ea2a229ULL, 0x1ad7a7c829b37a79ULL,
16703 -+ 0x342d89cad17ea0c0ULL, 0x67bedda6cced2051ULL, 0x19ca31bf2bb42f74ULL, 0x3df7b4c84980acbbULL,
16704 -+ 0xa8c6444dc80ad883ULL, 0xb91e440366e3ab85ULL, 0xc215cda00164f6d8ULL, 0x3d867c6ef247e668ULL,
16705 -+ 0xc7dd582bcc3e658cULL, 0xfd2c4748ee0e5528ULL, 0xa0fd9b95cc9f4f71ULL, 0x7529d871b0675ddfULL,
16706 -+ 0xb8f568b42d3cbd78ULL, 0x1233011b91f3da82ULL, 0x2dce6ccd4a7c3b62ULL, 0x75e7fc8e9e498603ULL,
16707 -+ 0x2f4f13f1fcd0b6ecULL, 0xf1a8ca1f29ff7a45ULL, 0xc249c1a72981e29bULL, 0x6ebe0dbb8c83b56aULL,
16708 -+ 0x7114fa8d170bb222ULL, 0x65a2dcd5bf93935fULL, 0xbdc41f68b59c979aULL, 0x2f0eef79a2ce9289ULL,
16709 -+ 0x42ecbf0c083c37ceULL, 0x2930bc09ec496322ULL, 0xf294b0c19cfeac0dULL, 0x3780aa4bedfabb80ULL,
16710 -+ 0x56c17d3e7cead929ULL, 0xe7cb4beb2e5722c5ULL, 0x0ce931732dbfe15aULL, 0x41b883c7621052f8ULL,
16711 -+ 0xdbf75ca0c3d25350ULL, 0x2936be086eb1e351ULL, 0xc936e03cb4a9b212ULL, 0x1d45bf82322225aaULL,
16712 -+ 0xe81ab1036a024cc5ULL, 0xe212201c304c9a72ULL, 0xc5d73fba6832b1fcULL, 0x20ffdb5a4d839581ULL,
16713 -+ 0xa283d367be5d0fadULL, 0x6c2b25ca8b164475ULL, 0x9d4935467caaf22eULL, 0x5166408eee85ff49ULL,
16714 -+ 0x3c67baa2fab4e361ULL, 0xb3e433c67ef35cefULL, 0x5259729241159b1cULL, 0x6a621892d5b0ab33ULL,
16715 -+ 0x20b74a387555cdcbULL, 0x532aa10e1208923fULL, 0xeaa17b7762281dd1ULL, 0x61ab3443f05c44bfULL,
16716 -+ 0x257a6c422324def8ULL, 0x131c6c1017e3cf7fULL, 0x23758739f630a257ULL, 0x295a407a01a78580ULL,
16717 -+ 0xf8c443246d5da8d9ULL, 0x19d775450c52fa5dULL, 0x2afcfc92731bf83dULL, 0x7d10c8e81b2b4700ULL,
16718 -+ 0xc8e0271f70baa20bULL, 0x993748867ca63957ULL, 0x5412efb3cb7ed4bbULL, 0x3196d36173e62975ULL,
16719 -+ 0xde5bcad141c7dffcULL, 0x47cc8cd2b395c848ULL, 0xa34cd942e11af3cbULL, 0x0256dbf2d04ecec2ULL,
16720 -+ 0x875ab7e94b0e667fULL, 0xcad4dd83c0850d10ULL, 0x47f12e8f4e72c79fULL, 0x5f1a87bb8c85b19bULL,
16721 -+ 0x7ae9d0b6437f51b8ULL, 0x12c7ce5518879065ULL, 0x2ade09fe5cf77aeeULL, 0x23a05a2f7d2c5627ULL,
16722 -+ 0x5908e128f17c169aULL, 0xf77498dd8ad0852dULL, 0x74b4c4ceab102f64ULL, 0x183abadd10139845ULL,
16723 -+ 0xb165ba8daa92aaacULL, 0xd5c5ef9599386705ULL, 0xbe2f8f0cf8fc40d1ULL, 0x2701e635ee204514ULL,
16724 -+ 0x629fa80020156514ULL, 0xf223868764a8c1ceULL, 0x5b894fff0b3f060eULL, 0x60d9944cf708a3faULL,
16725 -+ 0xaeea001a1c7a201fULL, 0xebf16a633ee2ce63ULL, 0x6f7709594c7a07e1ULL, 0x79b958150d0208cbULL,
16726 -+ 0x24b55e5301d410e7ULL, 0xe3a34edff3fdc84dULL, 0xd88768e4904032d8ULL, 0x131384427b3aaeecULL,
16727 -+ 0x8405e51286234f14ULL, 0x14dc4739adb4c529ULL, 0xb8a2b5b250634ffdULL, 0x2fe2a94ad8a7ff93ULL,
16728 -+ 0xec5c57efe843faddULL, 0x2843ce40f0bb9918ULL, 0xa4b561d6cf3d6305ULL, 0x743629bde8fb777eULL,
16729 -+ 0x343edd46bbaf738fULL, 0xed981828b101a651ULL, 0xa401760b882c797aULL, 0x1fc223e28dc88730ULL,
16730 -+ 0x48604e91fc0fba0eULL, 0xb637f78f052c6fa4ULL, 0x91ccac3d09e9239cULL, 0x23f7eed4437a687cULL,
16731 -+ 0x5173b1118d9bd800ULL, 0x29d641b63189d4a7ULL, 0xfdbf177988bbc586ULL, 0x2959894fcad81df5ULL,
16732 -+ 0xaebc8ef3b4bbc899ULL, 0x4148995ab26992b9ULL, 0x24e20b0134f92cfbULL, 0x40d158894a05dee8ULL,
16733 -+ 0x46b00b1185af76f6ULL, 0x26bac77873187a79ULL, 0x3dc0bf95ab8fff5fULL, 0x2a608bd8945524d7ULL,
16734 -+ 0x26449588bd446302ULL, 0x7c4bc21c0388439cULL, 0x8e98a4f383bd11b2ULL, 0x26218d7bc9d876b9ULL,
16735 -+ 0xe3081542997c178aULL, 0x3c2d29a86fb6606fULL, 0x5c217736fa279374ULL, 0x7dde05734afeb1faULL,
16736 -+ 0x3bf10e3906d42babULL, 0xe4f7803e1980649cULL, 0xe6053bf89595bf7aULL, 0x394faf38da245530ULL,
16737 -+ 0x7a8efb58896928f4ULL, 0xfbc778e9cc6a113cULL, 0x72670ce330af596fULL, 0x48f222a81d3d6cf7ULL,
16738 -+ 0xf01fce410d72caa7ULL, 0x5a20ecc7213b5595ULL, 0x7bc21165c1fa1483ULL, 0x07f89ae31da8a741ULL,
16739 -+ 0x05d2c2b4c6830ff9ULL, 0xd43e330fc6316293ULL, 0xa5a5590a96d3a904ULL, 0x705edb91a65333b6ULL,
16740 -+ 0x048ee15e0bb9a5f7ULL, 0x3240cfca9e0aaf5dULL, 0x8f4b71ceedc4a40bULL, 0x621c0da3de544a6dULL,
16741 -+ 0x92872836a08c4091ULL, 0xce8375b010c91445ULL, 0x8a72eb524f276394ULL, 0x2667fcfa7ec83635ULL,
16742 -+ 0x7f4c173345e8752aULL, 0x061b47feee7079a5ULL, 0x25dd9afa9f86ff34ULL, 0x3780cef5425dc89cULL,
16743 -+ 0x1a46035a513bb4e9ULL, 0x3e1ef379ac575adaULL, 0xc78c5f1c5fa24b50ULL, 0x321a967634fd9f22ULL,
16744 -+ 0x946707b8826e27faULL, 0x3dca84d64c506fd0ULL, 0xc189218075e91436ULL, 0x6d9284169b3b8484ULL,
16745 -+ 0x3a67e840383f2ddfULL, 0x33eec9a30c4f9b75ULL, 0x3ec7c86fa783ef47ULL, 0x26ec449fbac9fbc4ULL,
16746 -+ 0x5c0f38cba09b9e7dULL, 0x81168cc762a3478cULL, 0x3e23b0d306fc121cULL, 0x5a238aa0a5efdcddULL,
16747 -+ 0x1ba26121c4ea43ffULL, 0x36f8c77f7c8832b5ULL, 0x88fbea0b0adcf99aULL, 0x5ca9938ec25bebf9ULL,
16748 -+ 0xd5436a5e51fccda0ULL, 0x1dbc4797c2cd893bULL, 0x19346a65d3224a08ULL, 0x0f5034e49b9af466ULL,
16749 -+ 0xf23c3967a1e0b96eULL, 0xe58b08fa867a4d88ULL, 0xfb2fabc6a7341679ULL, 0x2a75381eb6026946ULL,
16750 -+ 0xc80a3be4c19420acULL, 0x66b1f6c681f2b6dcULL, 0x7cf7036761e93388ULL, 0x25abbbd8a660a4c4ULL,
16751 -+ 0x91ea12ba14fd5198ULL, 0x684950fc4a3cffa9ULL, 0xf826842130f5ad28ULL, 0x3ea988f75301a441ULL,
16752 -+ 0xc978109a695f8c6fULL, 0x1746eb4a0530c3f3ULL, 0x444d6d77b4459995ULL, 0x75952b8c054e5cc7ULL,
16753 -+ 0xa3703f7915f4d6aaULL, 0x66c346202f2647d8ULL, 0xd01469df811d644bULL, 0x77fea47d81a5d71fULL,
16754 -+ 0xc5e9529ef57ca381ULL, 0x6eeeb4b9ce2f881aULL, 0xb6e91a28e8009bd6ULL, 0x4b80be3e9afc3fecULL,
16755 -+ 0x7e3773c526aed2c5ULL, 0x1b4afcb453c9a49dULL, 0xa920bdd7baffb24dULL, 0x7c54699f122d400eULL,
16756 -+ 0xef46c8e14fa94bc8ULL, 0xe0b074ce2952ed5eULL, 0xbea450e1dbd885d5ULL, 0x61b68649320f712cULL,
16757 -+ 0x8a485f7309ccbdd1ULL, 0xbd06320d7d4d1a2dULL, 0x25232973322dbef4ULL, 0x445dc4758c17f770ULL,
16758 -+ 0xdb0434177cc8933cULL, 0xed6fe82175ea059fULL, 0x1efebefdc053db34ULL, 0x4adbe867c65daf99ULL,
16759 -+ 0x3acd71a2a90609dfULL, 0xe5e991856dd04050ULL, 0x1ec69b688157c23cULL, 0x697427f6885cfe4dULL,
16760 -+ 0xd7be7b9b65e1a851ULL, 0xa03d28d522c536ddULL, 0x28399d658fd2b645ULL, 0x49e5b7e17c2641e1ULL,
16761 -+ 0x6f8c3a98700457a4ULL, 0x5078f0a25ebb6778ULL, 0xd13c3ccbc382960fULL, 0x2e003258a7df84b1ULL,
16762 -+ 0x8ad1f39be6296a1cULL, 0xc1eeaa652a5fbfb2ULL, 0x33ee0673fd26f3cbULL, 0x59256173a69d2cccULL,
16763 -+ 0x41ea07aa4e18fc41ULL, 0xd9fc19527c87a51eULL, 0xbdaacb805831ca6fULL, 0x445b652dc916694fULL,
16764 -+ 0xce92a3a7f2172315ULL, 0x1edc282de11b9964ULL, 0xa1823aafe04c314aULL, 0x790a2d94437cf586ULL,
16765 -+ 0x71c447fb93f6e009ULL, 0x8922a56722845276ULL, 0xbf70903b204f5169ULL, 0x2f7a89891ba319feULL,
16766 -+ 0x02a08eb577e2140cULL, 0xed9a4ed4427bdcf4ULL, 0x5253ec44e4323cd1ULL, 0x3e88363c14e9355bULL,
16767 -+ 0xaa66c14277110b8cULL, 0x1ae0391610a23390ULL, 0x2030bd12c93fc2a2ULL, 0x3ee141579555c7abULL,
16768 -+ 0x9214de3a6d6e7d41ULL, 0x3ccdd88607f17efeULL, 0x674f1288f8e11217ULL, 0x5682250f329f93d0ULL,
16769 -+ 0x6cf00b136d2e396eULL, 0x6e4cf86f1014debfULL, 0x5930b1b5bfcc4e83ULL, 0x047069b48aba16b6ULL,
16770 -+ 0x0d4ce4ab69b20793ULL, 0xb24db91a97d0fb9eULL, 0xcdfa50f54e00d01dULL, 0x221b1085368bddb5ULL,
16771 -+ 0xe7e59468b1e3d8d2ULL, 0x53c56563bd122f93ULL, 0xeee8a903e0663f09ULL, 0x61efa662cbbe3d42ULL,
16772 -+ 0x2cf8ddddde6eab2aULL, 0x9bf80ad51435f231ULL, 0x5deadacec9f04973ULL, 0x29275b5d41d29b27ULL,
16773 -+ 0xcfde0f0895ebf14fULL, 0xb9aab96b054905a7ULL, 0xcae80dd9a1c420fdULL, 0x0a63bf2f1673bbc7ULL,
16774 -+ 0x092f6e11958fbc8cULL, 0x672a81e804822fadULL, 0xcac8351560d52517ULL, 0x6f3f7722c8f192f8ULL,
16775 -+ 0xf8ba90ccc2e894b7ULL, 0x2c7557a438ff9f0dULL, 0x894d1d855ae52359ULL, 0x68e122157b743d69ULL,
16776 -+ 0xd87e5570cfb919f3ULL, 0x3f2cdecd95798db9ULL, 0x2121154710c0a2ceULL, 0x3c66a115246dc5b2ULL,
16777 -+ 0xcbedc562294ecb72ULL, 0xba7143c36a280b16ULL, 0x9610c2efd4078b67ULL, 0x6144735d946a4b1eULL,
16778 -+ 0x536f111ed75b3350ULL, 0x0211db8c2041d81bULL, 0xf93cb1000e10413cULL, 0x149dfd3c039e8876ULL,
16779 -+ 0xd479dde46b63155bULL, 0xb66e15e93c837976ULL, 0xdafde43b1f13e038ULL, 0x5fafda1a2e4b0b35ULL,
16780 -+ 0x3600bbdf17197581ULL, 0x3972050bbe3cd2c2ULL, 0x5938906dbdd5be86ULL, 0x34fce5e43f9b860fULL,
16781 -+ 0x75a8a4cd42d14d02ULL, 0x828dabc53441df65ULL, 0x33dcabedd2e131d3ULL, 0x3ebad76fb814d25fULL,
16782 -+ 0xd4906f566f70e10fULL, 0x5d12f7aa51690f5aULL, 0x45adb16e76cefcf2ULL, 0x01f768aead232999ULL,
16783 -+ 0x2b6cc77b6248febdULL, 0x3cd30628ec3aaffdULL, 0xce1c0b80d4ef486aULL, 0x4c3bff2ea6f66c23ULL,
16784 -+ 0x3f2ec4094aeaeb5fULL, 0x61b19b286e372ca7ULL, 0x5eefa966de2a701dULL, 0x23b20565de55e3efULL,
16785 -+ 0xe301ca5279d58557ULL, 0x07b2d4ce27c2874fULL, 0xa532cd8a9dcf1d67ULL, 0x2a52fee23f2bff56ULL,
16786 -+ 0x8624efb37cd8663dULL, 0xbbc7ac20ffbd7594ULL, 0x57b85e9c82d37445ULL, 0x7b3052cb86a6ec66ULL,
16787 -+ 0x3482f0ad2525e91eULL, 0x2cb68043d28edca0ULL, 0xaf4f6d052e1b003aULL, 0x185f8c2529781b0aULL,
16788 -+ 0xaa41de5bd80ce0d6ULL, 0x9407b2416853e9d6ULL, 0x563ec36e357f4c3aULL, 0x4cc4b8dd0e297bceULL,
16789 -+ 0xa2fc1a52ffb8730eULL, 0x1811f16e67058e37ULL, 0x10f9a366cddf4ee1ULL, 0x72f4a0c4a0b9f099ULL,
16790 -+ 0x8c16c06f663f4ea7ULL, 0x693b3af74e970fbaULL, 0x2102e7f1d69ec345ULL, 0x0ba53cbc968a8089ULL,
16791 -+ 0xca3d9dc7fea15537ULL, 0x4c6824bb51536493ULL, 0xb9886314844006b1ULL, 0x40d2a72ab454cc60ULL,
16792 -+ 0x5936a1b712570975ULL, 0x91b9d648debda657ULL, 0x3344094bb64330eaULL, 0x006ba10d12ee51d0ULL,
16793 -+ 0x19228468f5de5d58ULL, 0x0eb12f4c38cc05b0ULL, 0xa1039f9dd5601990ULL, 0x4502d4ce4fff0e0bULL,
16794 -+ 0xeb2054106837c189ULL, 0xd0f6544c6dd3b93cULL, 0x40727064c416d74fULL, 0x6e15c6114b502ef0ULL,
16795 -+ 0x4df2a398cfb1a76bULL, 0x11256c7419f2f6b1ULL, 0x4a497962066e6043ULL, 0x705b3aab41355b44ULL,
16796 -+ 0x365ef536d797b1d8ULL, 0x00076bd622ddf0dbULL, 0x3bbf33b0e0575a88ULL, 0x3777aa05c8e4ca4dULL,
16797 -+ 0x392745c85578db5fULL, 0x6fda4149dbae5ae2ULL, 0xb1f0b00b8adc9867ULL, 0x09963437d36f1da3ULL,
16798 -+ 0x7e824e90a5dc3853ULL, 0xccb5f6641f135cbdULL, 0x6736d86c87ce8fccULL, 0x625f3ce26604249fULL,
16799 -+ 0xaf8ac8059502f63fULL, 0x0c05e70a2e351469ULL, 0x35292e9c764b6305ULL, 0x1a394360c7e23ac3ULL,
16800 -+ 0xd5c6d53251183264ULL, 0x62065abd43c2b74fULL, 0xb5fbf5d03b973f9bULL, 0x13a3da3661206e5eULL,
16801 -+ 0xc6bd5837725d94e5ULL, 0x18e30912205016c5ULL, 0x2088ce1570033c68ULL, 0x7fba1f495c837987ULL,
16802 -+ 0x5a8c7423f2f9079dULL, 0x1735157b34023fc5ULL, 0xe4f9b49ad2fab351ULL, 0x6691ff72c878e33cULL,
16803 -+ 0x122c2adedc5eff3eULL, 0xf8dd4bf1d8956cf4ULL, 0xeb86205d9e9e5bdaULL, 0x049b92b9d975c743ULL,
16804 -+ 0xa5379730b0f6c05aULL, 0x72a0ffacc6f3a553ULL, 0xb0032c34b20dcd6dULL, 0x470e9dbc88d5164aULL,
16805 -+ 0xb19cf10ca237c047ULL, 0xb65466711f6c81a2ULL, 0xb3321bd16dd80b43ULL, 0x48c14f600c5fbe8eULL,
16806 -+ 0x66451c264aa6c803ULL, 0xb66e3904a4fa7da6ULL, 0xd45f19b0b3128395ULL, 0x31602627c3c9bc10ULL,
16807 -+ 0x3120dc4832e4e10dULL, 0xeb20c46756c717f7ULL, 0x00f52e3f67280294ULL, 0x566d4fc14730c509ULL,
16808 -+ 0x7e3a5d40fd837206ULL, 0xc1e926dc7159547aULL, 0x216730fba68d6095ULL, 0x22e8c3843f69cea7ULL,
16809 -+ 0x33d074e8930e4b2bULL, 0xb6e4350e84d15816ULL, 0x5534c26ad6ba2365ULL, 0x7773c12f89f1f3f3ULL,
16810 -+ 0x8cba404da57962aaULL, 0x5b9897a81999ce56ULL, 0x508e862f121692fcULL, 0x3a81907fa093c291ULL,
16811 -+ 0x0dded0ff4725a510ULL, 0x10d8cc10673fc503ULL, 0x5b9d151c9f1f4e89ULL, 0x32a5c1d5cb09a44cULL,
16812 -+ 0x1e0aa442b90541fbULL, 0x5f85eb7cc1b485dbULL, 0xbee595ce8a9df2e5ULL, 0x25e496c722422236ULL,
16813 -+ 0x5edf3c46cd0fe5b9ULL, 0x34e75a7ed2a43388ULL, 0xe488de11d761e352ULL, 0x0e878a01a085545cULL,
16814 -+ 0xba493c77e021bb04ULL, 0x2b4d1843c7df899aULL, 0x9ea37a487ae80d67ULL, 0x67a9958011e41794ULL,
16815 -+ 0x4b58051a6697b065ULL, 0x47e33f7d8d6ba6d4ULL, 0xbb4da8d483ca46c1ULL, 0x68becaa181c2db0dULL,
16816 -+ 0x8d8980e90b989aa5ULL, 0xf95eb14a2c93c99bULL, 0x51c6c7c4796e73a2ULL, 0x6e228363b5efb569ULL,
16817 -+ 0xc6bbc0b02dd624c8ULL, 0x777eb47dec8170eeULL, 0x3cde15a004cfafa9ULL, 0x1dc6bc087160bf9bULL,
16818 -+ 0x2e07e043eec34002ULL, 0x18e9fc677a68dc7fULL, 0xd8da03188bd15b9aULL, 0x48fbc3bb00568253ULL,
16819 -+ 0x57547d4cfb654ce1ULL, 0xd3565b82a058e2adULL, 0xf63eaf0bbf154478ULL, 0x47531ef114dfbb18ULL,
16820 -+ 0xe1ec630a4278c587ULL, 0x5507d546ca8e83f3ULL, 0x85e135c63adc0c2bULL, 0x0aa7efa85682844eULL,
16821 -+ 0x72691ba8b3e1f615ULL, 0x32b4e9701fbe3ffaULL, 0x97b6d92e39bb7868ULL, 0x2cfe53dea02e39e8ULL,
16822 -+ 0x687392cd85cd52b0ULL, 0x27ff66c910e29831ULL, 0x97134556a9832d06ULL, 0x269bb0360a84f8a0ULL,
16823 -+ 0x706e55457643f85cULL, 0x3734a48c9b597d1bULL, 0x7aee91e8c6efa472ULL, 0x5cd6abc198a9d9e0ULL,
16824 -+ 0x0e04de06cb3ce41aULL, 0xd8c6eb893402e138ULL, 0x904659bb686e3772ULL, 0x7215c371746ba8c8ULL,
16825 -+ 0xfd12a97eeae4a2d9ULL, 0x9514b7516394f2c5ULL, 0x266fd5809208f294ULL, 0x5c847085619a26b9ULL,
16826 -+ 0x52985410fed694eaULL, 0x3c905b934a2ed254ULL, 0x10bb47692d3be467ULL, 0x063b3d2d69e5e9e1ULL,
16827 -+ 0x472726eedda57debULL, 0xefb6c4ae10f41891ULL, 0x2b1641917b307614ULL, 0x117c554fc4f45b7cULL,
16828 -+ 0xc07cf3118f9d8812ULL, 0x01dbd82050017939ULL, 0xd7e803f4171b2827ULL, 0x1015e87487d225eaULL,
16829 -+ 0xc58de3fed23acc4dULL, 0x50db91c294a7be2dULL, 0x0b94d43d1c9cf457ULL, 0x6b1640fa6e37524aULL,
16830 -+ 0x692f346c5fda0d09ULL, 0x200b1c59fa4d3151ULL, 0xb8c46f760777a296ULL, 0x4b38395f3ffdfbcfULL,
16831 -+ 0x18d25e00be54d671ULL, 0x60d50582bec8aba6ULL, 0x87ad8f263b78b982ULL, 0x50fdf64e9cda0432ULL,
16832 -+ 0x90f567aac578dcf0ULL, 0xef1e9b0ef2a3133bULL, 0x0eebba9242d9de71ULL, 0x15473c9bf03101c7ULL,
16833 -+ 0x7c77e8ae56b78095ULL, 0xb678e7666e6f078eULL, 0x2da0b9615348ba1fULL, 0x7cf931c1ff733f0bULL,
16834 -+ 0x26b357f50a0a366cULL, 0xe9708cf42b87d732ULL, 0xc13aeea5f91cb2c0ULL, 0x35d90c991143bb4cULL,
16835 -+ 0x47c1c404a9a0d9dcULL, 0x659e58451972d251ULL, 0x3875a8c473b38c31ULL, 0x1fbd9ed379561f24ULL,
16836 -+ 0x11fabc6fd41ec28dULL, 0x7ef8dfe3cd2a2dcaULL, 0x72e73b5d8c404595ULL, 0x6135fa4954b72f27ULL,
16837 -+ 0xccfc32a2de24b69cULL, 0x3f55698c1f095d88ULL, 0xbe3350ed5ac3f929ULL, 0x5e9bf806ca477eebULL,
16838 -+ 0xe9ce8fb63c309f68ULL, 0x5376f63565e1f9f4ULL, 0xd1afcfb35a6393f1ULL, 0x6632a1ede5623506ULL,
16839 -+ 0x0b7d6c390c2ded4cULL, 0x56cb3281df04cb1fULL, 0x66305a1249ecc3c7ULL, 0x5d588b60a38ca72aULL,
16840 -+ 0xa6ecbf78e8e5f42dULL, 0x86eeb44b3c8a3eecULL, 0xec219c48fbd21604ULL, 0x1aaf1af517c36731ULL,
16841 -+ 0xc306a2836769bde7ULL, 0x208280622b1e2adbULL, 0x8027f51ffbff94a6ULL, 0x76cfa1ce1124f26bULL,
16842 -+ 0x18eb00562422abb6ULL, 0xf377c4d58f8c29c3ULL, 0x4dbbc207f531561aULL, 0x0253b7f082128a27ULL,
16843 -+ 0x3d1f091cb62c17e0ULL, 0x4860e1abd64628a9ULL, 0x52d17436309d4253ULL, 0x356f97e13efae576ULL,
16844 -+ 0xd351e11aa150535bULL, 0x3e6b45bb1dd878ccULL, 0x0c776128bed92c98ULL, 0x1d34ae93032885b8ULL,
16845 -+ 0x4ba0488ca85ba4c3ULL, 0x985348c33c9ce6ceULL, 0x66124c6f97bda770ULL, 0x0f81a0290654124aULL,
16846 -+ 0x9ed09ca6569b86fdULL, 0x811009fd18af9a2dULL, 0xff08d03f93d8c20aULL, 0x52a148199faef26bULL,
16847 -+ 0x3e03f9dc2d8d1b73ULL, 0x4205801873961a70ULL, 0xc0d987f041a35970ULL, 0x07aa1f15a1c0d549ULL,
16848 -+ 0xdfd46ce08cd27224ULL, 0x6d0a024f934e4239ULL, 0x808a7a6399897b59ULL, 0x0a4556e9e13d95a2ULL,
16849 -+ 0xd21a991fe9c13045ULL, 0x9b0e8548fe7751b8ULL, 0x5da643cb4bf30035ULL, 0x77db28d63940f721ULL,
16850 -+ 0xfc5eeb614adc9011ULL, 0x5229419ae8c411ebULL, 0x9ec3e7787d1dcf74ULL, 0x340d053e216e4cb5ULL,
16851 -+ 0xcac7af39b48df2b4ULL, 0xc0faec2871a10a94ULL, 0x140a69245ca575edULL, 0x0cf1c37134273a4cULL,
16852 -+ 0xc8ee306ac224b8a5ULL, 0x57eaee7ccb4930b0ULL, 0xa1e806bdaacbe74fULL, 0x7d9a62742eeb657dULL,
16853 -+ 0x9eb6b6ef546c4830ULL, 0x885cca1fddb36e2eULL, 0xe6b9f383ef0d7105ULL, 0x58654fef9d2e0412ULL,
16854 -+ 0xa905c4ffbe0e8e26ULL, 0x942de5df9b31816eULL, 0x497d723f802e88e1ULL, 0x30684dea602f408dULL,
16855 -+ 0x21e5a278a3e6cb34ULL, 0xaefb6e6f5b151dc4ULL, 0xb30b8e049d77ca15ULL, 0x28c3c9cf53b98981ULL,
16856 -+ 0x287fb721556cdd2aULL, 0x0d317ca897022274ULL, 0x7468c7423a543258ULL, 0x4a7f11464eb5642fULL,
16857 -+ 0xa237a4774d193aa6ULL, 0xd865986ea92129a1ULL, 0x24c515ecf87c1a88ULL, 0x604003575f39f5ebULL,
16858 -+ 0x47b9f189570a9b27ULL, 0x2b98cede465e4b78ULL, 0x026df551dbb85c20ULL, 0x74fcd91047e21901ULL,
16859 -+ 0x13e2a90a23c1bfa3ULL, 0x0cb0074e478519f6ULL, 0x5ff1cbbe3af6cf44ULL, 0x67fe5438be812dbeULL,
16860 -+ 0xd13cf64fa40f05b0ULL, 0x054dfb2f32283787ULL, 0x4173915b7f0d2aeaULL, 0x482f144f1f610d4eULL,
16861 -+ 0xf6210201b47f8234ULL, 0x5d0ae1929e70b990ULL, 0xdcd7f455b049567cULL, 0x7e93d0f1f0916f01ULL,
16862 -+ 0xdd79cbf18a7db4faULL, 0xbe8391bf6f74c62fULL, 0x027145d14b8291bdULL, 0x585a73ea2cbf1705ULL,
16863 -+ 0x485ca03e928a0db2ULL, 0x10fc01a5742857e7ULL, 0x2f482edbd6d551a7ULL, 0x0f0433b5048fdb8aULL,
16864 -+ 0x60da2e8dd7dc6247ULL, 0x88b4c9d38cd4819aULL, 0x13033ac001f66697ULL, 0x273b24fe3b367d75ULL,
16865 -+ 0xc6e8f66a31b3b9d4ULL, 0x281514a494df49d5ULL, 0xd1726fdfc8b23da7ULL, 0x4b3ae7d103dee548ULL,
16866 -+ 0xc6256e19ce4b9d7eULL, 0xff5c5cf186e3c61cULL, 0xacc63ca34b8ec145ULL, 0x74621888fee66574ULL,
16867 -+ 0x956f409645290a1eULL, 0xef0bf8e3263a962eULL, 0xed6a50eb5ec2647bULL, 0x0694283a9dca7502ULL,
16868 -+ 0x769b963643a2dcd1ULL, 0x42b7c8ea09fc5353ULL, 0x4f002aee13397eabULL, 0x63005e2c19b7d63aULL,
16869 -+ 0xca6736da63023beaULL, 0x966c7f6db12a99b7ULL, 0xace09390c537c5e1ULL, 0x0b696063a1aa89eeULL,
16870 -+ 0xebb03e97288c56e5ULL, 0x432a9f9f938c8be8ULL, 0xa6a5a93d5b717f71ULL, 0x1a5fb4c3e18f9d97ULL,
16871 -+ 0x1c94e7ad1c60cdceULL, 0xee202a43fc02c4a0ULL, 0x8dafe4d867c46a20ULL, 0x0a10263c8ac27b58ULL,
16872 -+ 0xd0dea9dfe4432a4aULL, 0x856af87bbe9277c5ULL, 0xce8472acc212c71aULL, 0x6f151b6d9bbb1e91ULL,
16873 -+ 0x26776c527ceed56aULL, 0x7d211cb7fbf8faecULL, 0x37ae66a6fd4609ccULL, 0x1f81b702d2770c42ULL,
16874 -+ 0x2fb0b057eac58392ULL, 0xe1dd89fe29744e9dULL, 0xc964f8eb17beb4f8ULL, 0x29571073c9a2d41eULL,
16875 -+ 0xa948a18981c0e254ULL, 0x2df6369b65b22830ULL, 0xa33eb2d75fcfd3c6ULL, 0x078cd6ec4199a01fULL,
16876 -+ 0x4a584a41ad900d2fULL, 0x32142b78e2c74c52ULL, 0x68c4e8338431c978ULL, 0x7f69ea9008689fc2ULL,
16877 -+ 0x52f2c81e46a38265ULL, 0xfd78072d04a832fdULL, 0x8cd7d5fa25359e94ULL, 0x4de71b7454cc29d2ULL,
16878 -+ 0x42eb60ad1eda6ac9ULL, 0x0aad37dfdbc09c3aULL, 0x81004b71e33cc191ULL, 0x44e6be345122803cULL,
16879 -+ 0x03fe8388ba1920dbULL, 0xf5d57c32150db008ULL, 0x49c8c4281af60c29ULL, 0x21edb518de701aeeULL,
16880 -+ 0x7fb63e418f06dc99ULL, 0xa4460d99c166d7b8ULL, 0x24dd5248ce520a83ULL, 0x5ec3ad712b928358ULL,
16881 -+ 0x15022a5fbd17930fULL, 0xa4f64a77d82570e3ULL, 0x12bc8d6915783712ULL, 0x498194c0fc620abbULL,
16882 -+ 0x38a2d9d255686c82ULL, 0x785c6bd9193e21f0ULL, 0xe4d5c81ab24a5484ULL, 0x56307860b2e20989ULL,
16883 -+ 0x429d55f78b4d74c4ULL, 0x22f1834643350131ULL, 0x1e60c24598c71fffULL, 0x59f2f014979983efULL,
16884 -+ 0x46a47d56eb494a44ULL, 0x3e22a854d636a18eULL, 0xb346e15274491c3bULL, 0x2ceafd4e5390cde7ULL,
16885 -+ 0xba8a8538be0d6675ULL, 0x4b9074bb50818e23ULL, 0xcbdab89085d304c3ULL, 0x61a24fe0e56192c4ULL,
16886 -+ 0xcb7615e6db525bcbULL, 0xdd7d8c35a567e4caULL, 0xe6b4153acafcdd69ULL, 0x2d668e097f3c9766ULL,
16887 -+ 0xa57e7e265ce55ef0ULL, 0x5d9f4e527cd4b967ULL, 0xfbc83606492fd1e5ULL, 0x090d52beb7c3f7aeULL,
16888 -+ 0x09b9515a1e7b4d7cULL, 0x1f266a2599da44c0ULL, 0xa1c49548e2c55504ULL, 0x7ef04287126f15ccULL,
16889 -+ 0xfed1659dbd30ef15ULL, 0x8b4ab9eec4e0277bULL, 0x884d6236a5df3291ULL, 0x1fd96ea6bf5cf788ULL,
16890 -+ 0x42a161981f190d9aULL, 0x61d849507e6052c1ULL, 0x9fe113bf285a2cd5ULL, 0x7c22d676dbad85d8ULL,
16891 -+ 0x82e770ed2bfbd27dULL, 0x4c05b2ece996f5a5ULL, 0xcd40a9c2b0900150ULL, 0x5895319213d9bf64ULL,
16892 -+ 0xe7cc5d703fea2e08ULL, 0xb50c491258e2188cULL, 0xcce30baa48205bf0ULL, 0x537c659ccfa32d62ULL,
16893 -+ 0x37b6623a98cfc088ULL, 0xfe9bed1fa4d6aca4ULL, 0x04d29b8e56a8d1b0ULL, 0x725f71c40b519575ULL,
16894 -+ 0x28c7f89cd0339ce6ULL, 0x8367b14469ddc18bULL, 0x883ada83a6a1652cULL, 0x585f1974034d6c17ULL,
16895 -+ 0x89cfb266f1b19188ULL, 0xe63b4863e7c35217ULL, 0xd88c9da6b4c0526aULL, 0x3e035c9df0954635ULL,
16896 -+ 0xdd9d5412fb45de9dULL, 0xdd684532e4cff40dULL, 0x4b5c999b151d671cULL, 0x2d8c2cc811e7f690ULL,
16897 -+ 0x7f54be1d90055d40ULL, 0xa464c5df464aaf40ULL, 0x33979624f0e917beULL, 0x2c018dc527356b30ULL,
16898 -+ 0xa5415024e330b3d4ULL, 0x73ff3d96691652d3ULL, 0x94ec42c4ef9b59f1ULL, 0x0747201618d08e5aULL,
16899 -+ 0x4d6ca48aca411c53ULL, 0x66415f2fcfa66119ULL, 0x9c4dd40051e227ffULL, 0x59810bc09a02f7ebULL,
16900 -+ 0x2a7eb171b3dc101dULL, 0x441c5ab99ffef68eULL, 0x32025c9b93b359eaULL, 0x5e8ce0a71e9d112fULL,
16901 -+ 0xbfcccb92429503fdULL, 0xd271ba752f095d55ULL, 0x345ead5e972d091eULL, 0x18c8df11a83103baULL,
16902 -+ 0x90cd949a9aed0f4cULL, 0xc5d1f4cb6660e37eULL, 0xb8cac52d56c52e0bULL, 0x6e42e400c5808e0dULL,
16903 -+ 0xa3b46966eeaefd23ULL, 0x0c4f1f0be39ecdcaULL, 0x189dc8c9d683a51dULL, 0x51f27f054c09351bULL,
16904 -+ 0x4c487ccd2a320682ULL, 0x587ea95bb3df1c96ULL, 0xc8ccf79e555cb8e8ULL, 0x547dc829a206d73dULL,
16905 -+ 0xb822a6cd80c39b06ULL, 0xe96d54732000d4c6ULL, 0x28535b6f91463b4dULL, 0x228f4660e2486e1dULL,
16906 -+ 0x98799538de8d3abfULL, 0x8cd8330045ebca6eULL, 0x79952a008221e738ULL, 0x4322e1a7535cd2bbULL,
16907 -+ 0xb114c11819d1801cULL, 0x2016e4d84f3f5ec7ULL, 0xdd0e2df409260f4cULL, 0x5ec362c0ae5f7266ULL,
16908 -+ 0xc0462b18b8b2b4eeULL, 0x7cc8d950274d1afbULL, 0xf25f7105436b02d2ULL, 0x43bbf8dcbff9ccd3ULL,
16909 -+ 0xb6ad1767a039e9dfULL, 0xb0714da8f69d3583ULL, 0x5e55fa18b42931f5ULL, 0x4ed5558f33c60961ULL,
16910 -+ 0x1fe37901c647a5ddULL, 0x593ddf1f8081d357ULL, 0x0249a4fd813fd7a6ULL, 0x69acca274e9caf61ULL,
16911 -+ 0x047ba3ea330721c9ULL, 0x83423fc20e7e1ea0ULL, 0x1df4c0af01314a60ULL, 0x09a62dab89289527ULL,
16912 -+ 0xa5b325a49cc6cb00ULL, 0xe94b5dc654b56cb6ULL, 0x3be28779adc994a0ULL, 0x4296e8f8ba3a4aadULL,
16913 -+ 0x328689761e451eabULL, 0x2e4d598bff59594aULL, 0x49b96853d7a7084aULL, 0x4980a319601420a8ULL,
16914 -+ 0x9565b9e12f552c42ULL, 0x8a5318db7100fe96ULL, 0x05c90b4d43add0d7ULL, 0x538b4cd66a5d4edaULL,
16915 -+ 0xf4e94fc3e89f039fULL, 0x592c9af26f618045ULL, 0x08a36eb5fd4b9550ULL, 0x25fffaf6c2ed1419ULL,
16916 -+ 0x34434459cc79d354ULL, 0xeeecbfb4b1d5476bULL, 0xddeb34a061615d99ULL, 0x5129cecceb64b773ULL,
16917 -+ 0xee43215894993520ULL, 0x772f9c7cf14c0b3bULL, 0xd2e2fce306bedad5ULL, 0x715f42b546f06a97ULL,
16918 -+ 0x434ecdceda5b5f1aULL, 0x0da17115a49741a9ULL, 0x680bd77c73edad2eULL, 0x487c02354edd9041ULL,
16919 -+ 0xb8efeff3a70ed9c4ULL, 0x56a32aa3e857e302ULL, 0xdf3a68bd48a2a5a0ULL, 0x07f650b73176c444ULL,
16920 -+ 0xe38b9b1626e0ccb1ULL, 0x79e053c18b09fb36ULL, 0x56d90319c9f94964ULL, 0x1ca941e7ac9ff5c4ULL,
16921 -+ 0x49c4df29162fa0bbULL, 0x8488cf3282b33305ULL, 0x95dfda14cabb437dULL, 0x3391f78264d5ad86ULL,
16922 -+ 0x729ae06ae2b5095dULL, 0xd58a58d73259a946ULL, 0xe9834262d13921edULL, 0x27fedafaa54bb592ULL,
16923 -+ 0xa99dc5b829ad48bbULL, 0x5f025742499ee260ULL, 0x802c8ecd5d7513fdULL, 0x78ceb3ef3f6dd938ULL,
16924 -+ 0xc342f44f8a135d94ULL, 0x7b9edb44828cdda3ULL, 0x9436d11a0537cfe7ULL, 0x5064b164ec1ab4c8ULL,
16925 -+ 0x7020eccfd37eb2fcULL, 0x1f31ea3ed90d25fcULL, 0x1b930d7bdfa1bb34ULL, 0x5344467a48113044ULL,
16926 -+ 0x70073170f25e6dfbULL, 0xe385dc1a50114cc8ULL, 0x2348698ac8fc4f00ULL, 0x2a77a55284dd40d8ULL,
16927 -+ 0xfe06afe0c98c6ce4ULL, 0xc235df96dddfd6e4ULL, 0x1428d01e33bf1ed3ULL, 0x785768ec9300bdafULL,
16928 -+ 0x9702e57a91deb63bULL, 0x61bdb8bfe5ce8b80ULL, 0x645b426f3d1d58acULL, 0x4804a82227a557bcULL,
16929 -+ 0x8e57048ab44d2601ULL, 0x68d6501a4b3a6935ULL, 0xc39c9ec3f9e1c293ULL, 0x4172f257d4de63e2ULL,
16930 -+ 0xd368b450330c6401ULL, 0x040d3017418f2391ULL, 0x2c34bb6090b7d90dULL, 0x16f649228fdfd51fULL,
16931 -+ 0xbea6818e2b928ef5ULL, 0xe28ccf91cdc11e72ULL, 0x594aaa68e77a36cdULL, 0x313034806c7ffd0fULL,
16932 -+ 0x8a9d27ac2249bd65ULL, 0x19a3b464018e9512ULL, 0xc26ccff352b37ec7ULL, 0x056f68341d797b21ULL,
16933 -+ 0x5e79d6757efd2327ULL, 0xfabdbcb6553afe15ULL, 0xd3e7222c6eaf5a60ULL, 0x7046c76d4dae743bULL,
16934 -+ 0x660be872b18d4a55ULL, 0x19992518574e1496ULL, 0xc103053a302bdcbbULL, 0x3ed8e9800b218e8eULL,
16935 -+ 0x7b0b9239fa75e03eULL, 0xefe9fb684633c083ULL, 0x98a35fbe391a7793ULL, 0x6065510fe2d0fe34ULL,
16936 -+ 0x55cb668548abad0cULL, 0xb4584548da87e527ULL, 0x2c43ecea0107c1ddULL, 0x526028809372de35ULL,
16937 -+ 0x3415c56af9213b1fULL, 0x5bee1a4d017e98dbULL, 0x13f6b105b5cf709bULL, 0x5ff20e3482b29ab6ULL,
16938 -+ 0x0aa29c75cc2e6c90ULL, 0xfc7d73ca3a70e206ULL, 0x899fc38fc4b5c515ULL, 0x250386b124ffc207ULL,
16939 -+ 0x54ea28d5ae3d2b56ULL, 0x9913149dd6de60ceULL, 0x16694fc58f06d6c1ULL, 0x46b23975eb018fc7ULL,
16940 -+ 0x470a6a0fb4b7b4e2ULL, 0x5d92475a8f7253deULL, 0xabeee5b52fbd3adbULL, 0x7fa20801a0806968ULL,
16941 -+ 0x76f3faf19f7714d2ULL, 0xb3e840c12f4660c3ULL, 0x0fb4cd8df212744eULL, 0x4b065a251d3a2dd2ULL,
16942 -+ 0x5cebde383d77cd4aULL, 0x6adf39df882c9cb1ULL, 0xa2dd242eb09af759ULL, 0x3147c0e50e5f6422ULL,
16943 -+ 0x164ca5101d1350dbULL, 0xf8d13479c33fc962ULL, 0xe640ce4d13e5da08ULL, 0x4bdee0c45061f8baULL,
16944 -+ 0xd7c46dc1a4edb1c9ULL, 0x5514d7b6437fd98aULL, 0x58942f6bb2a1c00bULL, 0x2dffb2ab1d70710eULL,
16945 -+ 0xccdfcf2fc18b6d68ULL, 0xa8ebcba8b7806167ULL, 0x980697f95e2937e3ULL, 0x02fbba1cd0126e8cULL
16946 -+};
16947 -+
16948 -+static void curve25519_ever64_base(u8 *out, const u8 *priv)
16949 -+{
16950 -+ u64 swap = 1;
16951 -+ int i, j, k;
16952 -+ u64 tmp[16 + 32 + 4];
16953 -+ u64 *x1 = &tmp[0];
16954 -+ u64 *z1 = &tmp[4];
16955 -+ u64 *x2 = &tmp[8];
16956 -+ u64 *z2 = &tmp[12];
16957 -+ u64 *xz1 = &tmp[0];
16958 -+ u64 *xz2 = &tmp[8];
16959 -+ u64 *a = &tmp[0 + 16];
16960 -+ u64 *b = &tmp[4 + 16];
16961 -+ u64 *c = &tmp[8 + 16];
16962 -+ u64 *ab = &tmp[0 + 16];
16963 -+ u64 *abcd = &tmp[0 + 16];
16964 -+ u64 *ef = &tmp[16 + 16];
16965 -+ u64 *efgh = &tmp[16 + 16];
16966 -+ u64 *key = &tmp[0 + 16 + 32];
16967 -+
16968 -+ memcpy(key, priv, 32);
16969 -+ ((u8 *)key)[0] &= 248;
16970 -+ ((u8 *)key)[31] = (((u8 *)key)[31] & 127) | 64;
16971 -+
16972 -+ x1[0] = 1, x1[1] = x1[2] = x1[3] = 0;
16973 -+ z1[0] = 1, z1[1] = z1[2] = z1[3] = 0;
16974 -+ z2[0] = 1, z2[1] = z2[2] = z2[3] = 0;
16975 -+ memcpy(x2, p_minus_s, sizeof(p_minus_s));
16976 -+
16977 -+ j = 3;
16978 -+ for (i = 0; i < 4; ++i) {
16979 -+ while (j < (const int[]){ 64, 64, 64, 63 }[i]) {
16980 -+ u64 bit = (key[i] >> j) & 1;
16981 -+ k = (64 * i + j - 3);
16982 -+ swap = swap ^ bit;
16983 -+ cswap2(swap, xz1, xz2);
16984 -+ swap = bit;
16985 -+ fsub(b, x1, z1);
16986 -+ fadd(a, x1, z1);
16987 -+ fmul(c, &table_ladder[4 * k], b, ef);
16988 -+ fsub(b, a, c);
16989 -+ fadd(a, a, c);
16990 -+ fsqr2(ab, ab, efgh);
16991 -+ fmul2(xz1, xz2, ab, efgh);
16992 -+ ++j;
16993 -+ }
16994 -+ j = 0;
16995 -+ }
16996 -+
16997 -+ point_double(xz1, abcd, efgh);
16998 -+ point_double(xz1, abcd, efgh);
16999 -+ point_double(xz1, abcd, efgh);
17000 -+ encode_point(out, xz1);
17001 -+
17002 -+ memzero_explicit(tmp, sizeof(tmp));
17003 -+}
17004 -+
17005 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(curve25519_use_bmi2_adx);
17006 -+
17007 -+void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE],
17008 -+ const u8 secret[CURVE25519_KEY_SIZE],
17009 -+ const u8 basepoint[CURVE25519_KEY_SIZE])
17010 -+{
17011 -+ if (static_branch_likely(&curve25519_use_bmi2_adx))
17012 -+ curve25519_ever64(mypublic, secret, basepoint);
17013 -+ else
17014 -+ curve25519_generic(mypublic, secret, basepoint);
17015 -+}
17016 -+EXPORT_SYMBOL(curve25519_arch);
17017 -+
17018 -+void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
17019 -+ const u8 secret[CURVE25519_KEY_SIZE])
17020 -+{
17021 -+ if (static_branch_likely(&curve25519_use_bmi2_adx))
17022 -+ curve25519_ever64_base(pub, secret);
17023 -+ else
17024 -+ curve25519_generic(pub, secret, curve25519_base_point);
17025 -+}
17026 -+EXPORT_SYMBOL(curve25519_base_arch);
17027 -+
17028 -+static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
17029 -+ unsigned int len)
17030 -+{
17031 -+ u8 *secret = kpp_tfm_ctx(tfm);
17032 -+
17033 -+ if (!len)
17034 -+ curve25519_generate_secret(secret);
17035 -+ else if (len == CURVE25519_KEY_SIZE &&
17036 -+ crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
17037 -+ memcpy(secret, buf, CURVE25519_KEY_SIZE);
17038 -+ else
17039 -+ return -EINVAL;
17040 -+ return 0;
17041 -+}
17042 -+
17043 -+static int curve25519_generate_public_key(struct kpp_request *req)
17044 -+{
17045 -+ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
17046 -+ const u8 *secret = kpp_tfm_ctx(tfm);
17047 -+ u8 buf[CURVE25519_KEY_SIZE];
17048 -+ int copied, nbytes;
17049 -+
17050 -+ if (req->src)
17051 -+ return -EINVAL;
17052 -+
17053 -+ curve25519_base_arch(buf, secret);
17054 -+
17055 -+ /* might want less than we've got */
17056 -+ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
17057 -+ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
17058 -+ nbytes),
17059 -+ buf, nbytes);
17060 -+ if (copied != nbytes)
17061 -+ return -EINVAL;
17062 -+ return 0;
17063 -+}
17064 -+
17065 -+static int curve25519_compute_shared_secret(struct kpp_request *req)
17066 -+{
17067 -+ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
17068 -+ const u8 *secret = kpp_tfm_ctx(tfm);
17069 -+ u8 public_key[CURVE25519_KEY_SIZE];
17070 -+ u8 buf[CURVE25519_KEY_SIZE];
17071 -+ int copied, nbytes;
17072 -+
17073 -+ if (!req->src)
17074 -+ return -EINVAL;
17075 -+
17076 -+ copied = sg_copy_to_buffer(req->src,
17077 -+ sg_nents_for_len(req->src,
17078 -+ CURVE25519_KEY_SIZE),
17079 -+ public_key, CURVE25519_KEY_SIZE);
17080 -+ if (copied != CURVE25519_KEY_SIZE)
17081 -+ return -EINVAL;
17082 -+
17083 -+ curve25519_arch(buf, secret, public_key);
17084 -+
17085 -+ /* might want less than we've got */
17086 -+ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
17087 -+ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
17088 -+ nbytes),
17089 -+ buf, nbytes);
17090 -+ if (copied != nbytes)
17091 -+ return -EINVAL;
17092 -+ return 0;
17093 -+}
17094 -+
17095 -+static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
17096 -+{
17097 -+ return CURVE25519_KEY_SIZE;
17098 -+}
17099 -+
17100 -+static struct kpp_alg curve25519_alg = {
17101 -+ .base.cra_name = "curve25519",
17102 -+ .base.cra_driver_name = "curve25519-x86",
17103 -+ .base.cra_priority = 200,
17104 -+ .base.cra_module = THIS_MODULE,
17105 -+ .base.cra_ctxsize = CURVE25519_KEY_SIZE,
17106 -+
17107 -+ .set_secret = curve25519_set_secret,
17108 -+ .generate_public_key = curve25519_generate_public_key,
17109 -+ .compute_shared_secret = curve25519_compute_shared_secret,
17110 -+ .max_size = curve25519_max_size,
17111 -+};
17112 -+
17113 -+
17114 -+static int __init curve25519_mod_init(void)
17115 -+{
17116 -+ if (boot_cpu_has(X86_FEATURE_BMI2) && boot_cpu_has(X86_FEATURE_ADX))
17117 -+ static_branch_enable(&curve25519_use_bmi2_adx);
17118 -+ else
17119 -+ return 0;
17120 -+ return IS_REACHABLE(CONFIG_CRYPTO_KPP) ?
17121 -+ crypto_register_kpp(&curve25519_alg) : 0;
17122 -+}
17123 -+
17124 -+static void __exit curve25519_mod_exit(void)
17125 -+{
17126 -+ if (IS_REACHABLE(CONFIG_CRYPTO_KPP) &&
17127 -+ (boot_cpu_has(X86_FEATURE_BMI2) || boot_cpu_has(X86_FEATURE_ADX)))
17128 -+ crypto_unregister_kpp(&curve25519_alg);
17129 -+}
17130 -+
17131 -+module_init(curve25519_mod_init);
17132 -+module_exit(curve25519_mod_exit);
17133 -+
17134 -+MODULE_ALIAS_CRYPTO("curve25519");
17135 -+MODULE_ALIAS_CRYPTO("curve25519-x86");
17136 -+MODULE_LICENSE("GPL v2");
17137 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
17138 ---- b/arch/arm/crypto/curve25519-core.S
17139 -+++ b/arch/arm/crypto/curve25519-core.S
17140 -@@ -0,0 +1,2062 @@
17141 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
17142 -+/*
17143 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
17144 -+ *
17145 -+ * Based on public domain code from Daniel J. Bernstein and Peter Schwabe. This
17146 -+ * began from SUPERCOP's curve25519/neon2/scalarmult.s, but has subsequently been
17147 -+ * manually reworked for use in kernel space.
17148 -+ */
17149 -+
17150 -+#include <linux/linkage.h>
17151 -+
17152 -+.text
17153 -+.fpu neon
17154 -+.arch armv7-a
17155 -+.align 4
17156 -+
17157 -+ENTRY(curve25519_neon)
17158 -+ push {r4-r11, lr}
17159 -+ mov ip, sp
17160 -+ sub r3, sp, #704
17161 -+ and r3, r3, #0xfffffff0
17162 -+ mov sp, r3
17163 -+ movw r4, #0
17164 -+ movw r5, #254
17165 -+ vmov.i32 q0, #1
17166 -+ vshr.u64 q1, q0, #7
17167 -+ vshr.u64 q0, q0, #8
17168 -+ vmov.i32 d4, #19
17169 -+ vmov.i32 d5, #38
17170 -+ add r6, sp, #480
17171 -+ vst1.8 {d2-d3}, [r6, : 128]!
17172 -+ vst1.8 {d0-d1}, [r6, : 128]!
17173 -+ vst1.8 {d4-d5}, [r6, : 128]
17174 -+ add r6, r3, #0
17175 -+ vmov.i32 q2, #0
17176 -+ vst1.8 {d4-d5}, [r6, : 128]!
17177 -+ vst1.8 {d4-d5}, [r6, : 128]!
17178 -+ vst1.8 d4, [r6, : 64]
17179 -+ add r6, r3, #0
17180 -+ movw r7, #960
17181 -+ sub r7, r7, #2
17182 -+ neg r7, r7
17183 -+ sub r7, r7, r7, LSL #7
17184 -+ str r7, [r6]
17185 -+ add r6, sp, #672
17186 -+ vld1.8 {d4-d5}, [r1]!
17187 -+ vld1.8 {d6-d7}, [r1]
17188 -+ vst1.8 {d4-d5}, [r6, : 128]!
17189 -+ vst1.8 {d6-d7}, [r6, : 128]
17190 -+ sub r1, r6, #16
17191 -+ ldrb r6, [r1]
17192 -+ and r6, r6, #248
17193 -+ strb r6, [r1]
17194 -+ ldrb r6, [r1, #31]
17195 -+ and r6, r6, #127
17196 -+ orr r6, r6, #64
17197 -+ strb r6, [r1, #31]
17198 -+ vmov.i64 q2, #0xffffffff
17199 -+ vshr.u64 q3, q2, #7
17200 -+ vshr.u64 q2, q2, #6
17201 -+ vld1.8 {d8}, [r2]
17202 -+ vld1.8 {d10}, [r2]
17203 -+ add r2, r2, #6
17204 -+ vld1.8 {d12}, [r2]
17205 -+ vld1.8 {d14}, [r2]
17206 -+ add r2, r2, #6
17207 -+ vld1.8 {d16}, [r2]
17208 -+ add r2, r2, #4
17209 -+ vld1.8 {d18}, [r2]
17210 -+ vld1.8 {d20}, [r2]
17211 -+ add r2, r2, #6
17212 -+ vld1.8 {d22}, [r2]
17213 -+ add r2, r2, #2
17214 -+ vld1.8 {d24}, [r2]
17215 -+ vld1.8 {d26}, [r2]
17216 -+ vshr.u64 q5, q5, #26
17217 -+ vshr.u64 q6, q6, #3
17218 -+ vshr.u64 q7, q7, #29
17219 -+ vshr.u64 q8, q8, #6
17220 -+ vshr.u64 q10, q10, #25
17221 -+ vshr.u64 q11, q11, #3
17222 -+ vshr.u64 q12, q12, #12
17223 -+ vshr.u64 q13, q13, #38
17224 -+ vand q4, q4, q2
17225 -+ vand q6, q6, q2
17226 -+ vand q8, q8, q2
17227 -+ vand q10, q10, q2
17228 -+ vand q2, q12, q2
17229 -+ vand q5, q5, q3
17230 -+ vand q7, q7, q3
17231 -+ vand q9, q9, q3
17232 -+ vand q11, q11, q3
17233 -+ vand q3, q13, q3
17234 -+ add r2, r3, #48
17235 -+ vadd.i64 q12, q4, q1
17236 -+ vadd.i64 q13, q10, q1
17237 -+ vshr.s64 q12, q12, #26
17238 -+ vshr.s64 q13, q13, #26
17239 -+ vadd.i64 q5, q5, q12
17240 -+ vshl.i64 q12, q12, #26
17241 -+ vadd.i64 q14, q5, q0
17242 -+ vadd.i64 q11, q11, q13
17243 -+ vshl.i64 q13, q13, #26
17244 -+ vadd.i64 q15, q11, q0
17245 -+ vsub.i64 q4, q4, q12
17246 -+ vshr.s64 q12, q14, #25
17247 -+ vsub.i64 q10, q10, q13
17248 -+ vshr.s64 q13, q15, #25
17249 -+ vadd.i64 q6, q6, q12
17250 -+ vshl.i64 q12, q12, #25
17251 -+ vadd.i64 q14, q6, q1
17252 -+ vadd.i64 q2, q2, q13
17253 -+ vsub.i64 q5, q5, q12
17254 -+ vshr.s64 q12, q14, #26
17255 -+ vshl.i64 q13, q13, #25
17256 -+ vadd.i64 q14, q2, q1
17257 -+ vadd.i64 q7, q7, q12
17258 -+ vshl.i64 q12, q12, #26
17259 -+ vadd.i64 q15, q7, q0
17260 -+ vsub.i64 q11, q11, q13
17261 -+ vshr.s64 q13, q14, #26
17262 -+ vsub.i64 q6, q6, q12
17263 -+ vshr.s64 q12, q15, #25
17264 -+ vadd.i64 q3, q3, q13
17265 -+ vshl.i64 q13, q13, #26
17266 -+ vadd.i64 q14, q3, q0
17267 -+ vadd.i64 q8, q8, q12
17268 -+ vshl.i64 q12, q12, #25
17269 -+ vadd.i64 q15, q8, q1
17270 -+ add r2, r2, #8
17271 -+ vsub.i64 q2, q2, q13
17272 -+ vshr.s64 q13, q14, #25
17273 -+ vsub.i64 q7, q7, q12
17274 -+ vshr.s64 q12, q15, #26
17275 -+ vadd.i64 q14, q13, q13
17276 -+ vadd.i64 q9, q9, q12
17277 -+ vtrn.32 d12, d14
17278 -+ vshl.i64 q12, q12, #26
17279 -+ vtrn.32 d13, d15
17280 -+ vadd.i64 q0, q9, q0
17281 -+ vadd.i64 q4, q4, q14
17282 -+ vst1.8 d12, [r2, : 64]!
17283 -+ vshl.i64 q6, q13, #4
17284 -+ vsub.i64 q7, q8, q12
17285 -+ vshr.s64 q0, q0, #25
17286 -+ vadd.i64 q4, q4, q6
17287 -+ vadd.i64 q6, q10, q0
17288 -+ vshl.i64 q0, q0, #25
17289 -+ vadd.i64 q8, q6, q1
17290 -+ vadd.i64 q4, q4, q13
17291 -+ vshl.i64 q10, q13, #25
17292 -+ vadd.i64 q1, q4, q1
17293 -+ vsub.i64 q0, q9, q0
17294 -+ vshr.s64 q8, q8, #26
17295 -+ vsub.i64 q3, q3, q10
17296 -+ vtrn.32 d14, d0
17297 -+ vshr.s64 q1, q1, #26
17298 -+ vtrn.32 d15, d1
17299 -+ vadd.i64 q0, q11, q8
17300 -+ vst1.8 d14, [r2, : 64]
17301 -+ vshl.i64 q7, q8, #26
17302 -+ vadd.i64 q5, q5, q1
17303 -+ vtrn.32 d4, d6
17304 -+ vshl.i64 q1, q1, #26
17305 -+ vtrn.32 d5, d7
17306 -+ vsub.i64 q3, q6, q7
17307 -+ add r2, r2, #16
17308 -+ vsub.i64 q1, q4, q1
17309 -+ vst1.8 d4, [r2, : 64]
17310 -+ vtrn.32 d6, d0
17311 -+ vtrn.32 d7, d1
17312 -+ sub r2, r2, #8
17313 -+ vtrn.32 d2, d10
17314 -+ vtrn.32 d3, d11
17315 -+ vst1.8 d6, [r2, : 64]
17316 -+ sub r2, r2, #24
17317 -+ vst1.8 d2, [r2, : 64]
17318 -+ add r2, r3, #96
17319 -+ vmov.i32 q0, #0
17320 -+ vmov.i64 d2, #0xff
17321 -+ vmov.i64 d3, #0
17322 -+ vshr.u32 q1, q1, #7
17323 -+ vst1.8 {d2-d3}, [r2, : 128]!
17324 -+ vst1.8 {d0-d1}, [r2, : 128]!
17325 -+ vst1.8 d0, [r2, : 64]
17326 -+ add r2, r3, #144
17327 -+ vmov.i32 q0, #0
17328 -+ vst1.8 {d0-d1}, [r2, : 128]!
17329 -+ vst1.8 {d0-d1}, [r2, : 128]!
17330 -+ vst1.8 d0, [r2, : 64]
17331 -+ add r2, r3, #240
17332 -+ vmov.i32 q0, #0
17333 -+ vmov.i64 d2, #0xff
17334 -+ vmov.i64 d3, #0
17335 -+ vshr.u32 q1, q1, #7
17336 -+ vst1.8 {d2-d3}, [r2, : 128]!
17337 -+ vst1.8 {d0-d1}, [r2, : 128]!
17338 -+ vst1.8 d0, [r2, : 64]
17339 -+ add r2, r3, #48
17340 -+ add r6, r3, #192
17341 -+ vld1.8 {d0-d1}, [r2, : 128]!
17342 -+ vld1.8 {d2-d3}, [r2, : 128]!
17343 -+ vld1.8 {d4}, [r2, : 64]
17344 -+ vst1.8 {d0-d1}, [r6, : 128]!
17345 -+ vst1.8 {d2-d3}, [r6, : 128]!
17346 -+ vst1.8 d4, [r6, : 64]
17347 -+.Lmainloop:
17348 -+ mov r2, r5, LSR #3
17349 -+ and r6, r5, #7
17350 -+ ldrb r2, [r1, r2]
17351 -+ mov r2, r2, LSR r6
17352 -+ and r2, r2, #1
17353 -+ str r5, [sp, #456]
17354 -+ eor r4, r4, r2
17355 -+ str r2, [sp, #460]
17356 -+ neg r2, r4
17357 -+ add r4, r3, #96
17358 -+ add r5, r3, #192
17359 -+ add r6, r3, #144
17360 -+ vld1.8 {d8-d9}, [r4, : 128]!
17361 -+ add r7, r3, #240
17362 -+ vld1.8 {d10-d11}, [r5, : 128]!
17363 -+ veor q6, q4, q5
17364 -+ vld1.8 {d14-d15}, [r6, : 128]!
17365 -+ vdup.i32 q8, r2
17366 -+ vld1.8 {d18-d19}, [r7, : 128]!
17367 -+ veor q10, q7, q9
17368 -+ vld1.8 {d22-d23}, [r4, : 128]!
17369 -+ vand q6, q6, q8
17370 -+ vld1.8 {d24-d25}, [r5, : 128]!
17371 -+ vand q10, q10, q8
17372 -+ vld1.8 {d26-d27}, [r6, : 128]!
17373 -+ veor q4, q4, q6
17374 -+ vld1.8 {d28-d29}, [r7, : 128]!
17375 -+ veor q5, q5, q6
17376 -+ vld1.8 {d0}, [r4, : 64]
17377 -+ veor q6, q7, q10
17378 -+ vld1.8 {d2}, [r5, : 64]
17379 -+ veor q7, q9, q10
17380 -+ vld1.8 {d4}, [r6, : 64]
17381 -+ veor q9, q11, q12
17382 -+ vld1.8 {d6}, [r7, : 64]
17383 -+ veor q10, q0, q1
17384 -+ sub r2, r4, #32
17385 -+ vand q9, q9, q8
17386 -+ sub r4, r5, #32
17387 -+ vand q10, q10, q8
17388 -+ sub r5, r6, #32
17389 -+ veor q11, q11, q9
17390 -+ sub r6, r7, #32
17391 -+ veor q0, q0, q10
17392 -+ veor q9, q12, q9
17393 -+ veor q1, q1, q10
17394 -+ veor q10, q13, q14
17395 -+ veor q12, q2, q3
17396 -+ vand q10, q10, q8
17397 -+ vand q8, q12, q8
17398 -+ veor q12, q13, q10
17399 -+ veor q2, q2, q8
17400 -+ veor q10, q14, q10
17401 -+ veor q3, q3, q8
17402 -+ vadd.i32 q8, q4, q6
17403 -+ vsub.i32 q4, q4, q6
17404 -+ vst1.8 {d16-d17}, [r2, : 128]!
17405 -+ vadd.i32 q6, q11, q12
17406 -+ vst1.8 {d8-d9}, [r5, : 128]!
17407 -+ vsub.i32 q4, q11, q12
17408 -+ vst1.8 {d12-d13}, [r2, : 128]!
17409 -+ vadd.i32 q6, q0, q2
17410 -+ vst1.8 {d8-d9}, [r5, : 128]!
17411 -+ vsub.i32 q0, q0, q2
17412 -+ vst1.8 d12, [r2, : 64]
17413 -+ vadd.i32 q2, q5, q7
17414 -+ vst1.8 d0, [r5, : 64]
17415 -+ vsub.i32 q0, q5, q7
17416 -+ vst1.8 {d4-d5}, [r4, : 128]!
17417 -+ vadd.i32 q2, q9, q10
17418 -+ vst1.8 {d0-d1}, [r6, : 128]!
17419 -+ vsub.i32 q0, q9, q10
17420 -+ vst1.8 {d4-d5}, [r4, : 128]!
17421 -+ vadd.i32 q2, q1, q3
17422 -+ vst1.8 {d0-d1}, [r6, : 128]!
17423 -+ vsub.i32 q0, q1, q3
17424 -+ vst1.8 d4, [r4, : 64]
17425 -+ vst1.8 d0, [r6, : 64]
17426 -+ add r2, sp, #512
17427 -+ add r4, r3, #96
17428 -+ add r5, r3, #144
17429 -+ vld1.8 {d0-d1}, [r2, : 128]
17430 -+ vld1.8 {d2-d3}, [r4, : 128]!
17431 -+ vld1.8 {d4-d5}, [r5, : 128]!
17432 -+ vzip.i32 q1, q2
17433 -+ vld1.8 {d6-d7}, [r4, : 128]!
17434 -+ vld1.8 {d8-d9}, [r5, : 128]!
17435 -+ vshl.i32 q5, q1, #1
17436 -+ vzip.i32 q3, q4
17437 -+ vshl.i32 q6, q2, #1
17438 -+ vld1.8 {d14}, [r4, : 64]
17439 -+ vshl.i32 q8, q3, #1
17440 -+ vld1.8 {d15}, [r5, : 64]
17441 -+ vshl.i32 q9, q4, #1
17442 -+ vmul.i32 d21, d7, d1
17443 -+ vtrn.32 d14, d15
17444 -+ vmul.i32 q11, q4, q0
17445 -+ vmul.i32 q0, q7, q0
17446 -+ vmull.s32 q12, d2, d2
17447 -+ vmlal.s32 q12, d11, d1
17448 -+ vmlal.s32 q12, d12, d0
17449 -+ vmlal.s32 q12, d13, d23
17450 -+ vmlal.s32 q12, d16, d22
17451 -+ vmlal.s32 q12, d7, d21
17452 -+ vmull.s32 q10, d2, d11
17453 -+ vmlal.s32 q10, d4, d1
17454 -+ vmlal.s32 q10, d13, d0
17455 -+ vmlal.s32 q10, d6, d23
17456 -+ vmlal.s32 q10, d17, d22
17457 -+ vmull.s32 q13, d10, d4
17458 -+ vmlal.s32 q13, d11, d3
17459 -+ vmlal.s32 q13, d13, d1
17460 -+ vmlal.s32 q13, d16, d0
17461 -+ vmlal.s32 q13, d17, d23
17462 -+ vmlal.s32 q13, d8, d22
17463 -+ vmull.s32 q1, d10, d5
17464 -+ vmlal.s32 q1, d11, d4
17465 -+ vmlal.s32 q1, d6, d1
17466 -+ vmlal.s32 q1, d17, d0
17467 -+ vmlal.s32 q1, d8, d23
17468 -+ vmull.s32 q14, d10, d6
17469 -+ vmlal.s32 q14, d11, d13
17470 -+ vmlal.s32 q14, d4, d4
17471 -+ vmlal.s32 q14, d17, d1
17472 -+ vmlal.s32 q14, d18, d0
17473 -+ vmlal.s32 q14, d9, d23
17474 -+ vmull.s32 q11, d10, d7
17475 -+ vmlal.s32 q11, d11, d6
17476 -+ vmlal.s32 q11, d12, d5
17477 -+ vmlal.s32 q11, d8, d1
17478 -+ vmlal.s32 q11, d19, d0
17479 -+ vmull.s32 q15, d10, d8
17480 -+ vmlal.s32 q15, d11, d17
17481 -+ vmlal.s32 q15, d12, d6
17482 -+ vmlal.s32 q15, d13, d5
17483 -+ vmlal.s32 q15, d19, d1
17484 -+ vmlal.s32 q15, d14, d0
17485 -+ vmull.s32 q2, d10, d9
17486 -+ vmlal.s32 q2, d11, d8
17487 -+ vmlal.s32 q2, d12, d7
17488 -+ vmlal.s32 q2, d13, d6
17489 -+ vmlal.s32 q2, d14, d1
17490 -+ vmull.s32 q0, d15, d1
17491 -+ vmlal.s32 q0, d10, d14
17492 -+ vmlal.s32 q0, d11, d19
17493 -+ vmlal.s32 q0, d12, d8
17494 -+ vmlal.s32 q0, d13, d17
17495 -+ vmlal.s32 q0, d6, d6
17496 -+ add r2, sp, #480
17497 -+ vld1.8 {d18-d19}, [r2, : 128]!
17498 -+ vmull.s32 q3, d16, d7
17499 -+ vmlal.s32 q3, d10, d15
17500 -+ vmlal.s32 q3, d11, d14
17501 -+ vmlal.s32 q3, d12, d9
17502 -+ vmlal.s32 q3, d13, d8
17503 -+ vld1.8 {d8-d9}, [r2, : 128]
17504 -+ vadd.i64 q5, q12, q9
17505 -+ vadd.i64 q6, q15, q9
17506 -+ vshr.s64 q5, q5, #26
17507 -+ vshr.s64 q6, q6, #26
17508 -+ vadd.i64 q7, q10, q5
17509 -+ vshl.i64 q5, q5, #26
17510 -+ vadd.i64 q8, q7, q4
17511 -+ vadd.i64 q2, q2, q6
17512 -+ vshl.i64 q6, q6, #26
17513 -+ vadd.i64 q10, q2, q4
17514 -+ vsub.i64 q5, q12, q5
17515 -+ vshr.s64 q8, q8, #25
17516 -+ vsub.i64 q6, q15, q6
17517 -+ vshr.s64 q10, q10, #25
17518 -+ vadd.i64 q12, q13, q8
17519 -+ vshl.i64 q8, q8, #25
17520 -+ vadd.i64 q13, q12, q9
17521 -+ vadd.i64 q0, q0, q10
17522 -+ vsub.i64 q7, q7, q8
17523 -+ vshr.s64 q8, q13, #26
17524 -+ vshl.i64 q10, q10, #25
17525 -+ vadd.i64 q13, q0, q9
17526 -+ vadd.i64 q1, q1, q8
17527 -+ vshl.i64 q8, q8, #26
17528 -+ vadd.i64 q15, q1, q4
17529 -+ vsub.i64 q2, q2, q10
17530 -+ vshr.s64 q10, q13, #26
17531 -+ vsub.i64 q8, q12, q8
17532 -+ vshr.s64 q12, q15, #25
17533 -+ vadd.i64 q3, q3, q10
17534 -+ vshl.i64 q10, q10, #26
17535 -+ vadd.i64 q13, q3, q4
17536 -+ vadd.i64 q14, q14, q12
17537 -+ add r2, r3, #288
17538 -+ vshl.i64 q12, q12, #25
17539 -+ add r4, r3, #336
17540 -+ vadd.i64 q15, q14, q9
17541 -+ add r2, r2, #8
17542 -+ vsub.i64 q0, q0, q10
17543 -+ add r4, r4, #8
17544 -+ vshr.s64 q10, q13, #25
17545 -+ vsub.i64 q1, q1, q12
17546 -+ vshr.s64 q12, q15, #26
17547 -+ vadd.i64 q13, q10, q10
17548 -+ vadd.i64 q11, q11, q12
17549 -+ vtrn.32 d16, d2
17550 -+ vshl.i64 q12, q12, #26
17551 -+ vtrn.32 d17, d3
17552 -+ vadd.i64 q1, q11, q4
17553 -+ vadd.i64 q4, q5, q13
17554 -+ vst1.8 d16, [r2, : 64]!
17555 -+ vshl.i64 q5, q10, #4
17556 -+ vst1.8 d17, [r4, : 64]!
17557 -+ vsub.i64 q8, q14, q12
17558 -+ vshr.s64 q1, q1, #25
17559 -+ vadd.i64 q4, q4, q5
17560 -+ vadd.i64 q5, q6, q1
17561 -+ vshl.i64 q1, q1, #25
17562 -+ vadd.i64 q6, q5, q9
17563 -+ vadd.i64 q4, q4, q10
17564 -+ vshl.i64 q10, q10, #25
17565 -+ vadd.i64 q9, q4, q9
17566 -+ vsub.i64 q1, q11, q1
17567 -+ vshr.s64 q6, q6, #26
17568 -+ vsub.i64 q3, q3, q10
17569 -+ vtrn.32 d16, d2
17570 -+ vshr.s64 q9, q9, #26
17571 -+ vtrn.32 d17, d3
17572 -+ vadd.i64 q1, q2, q6
17573 -+ vst1.8 d16, [r2, : 64]
17574 -+ vshl.i64 q2, q6, #26
17575 -+ vst1.8 d17, [r4, : 64]
17576 -+ vadd.i64 q6, q7, q9
17577 -+ vtrn.32 d0, d6
17578 -+ vshl.i64 q7, q9, #26
17579 -+ vtrn.32 d1, d7
17580 -+ vsub.i64 q2, q5, q2
17581 -+ add r2, r2, #16
17582 -+ vsub.i64 q3, q4, q7
17583 -+ vst1.8 d0, [r2, : 64]
17584 -+ add r4, r4, #16
17585 -+ vst1.8 d1, [r4, : 64]
17586 -+ vtrn.32 d4, d2
17587 -+ vtrn.32 d5, d3
17588 -+ sub r2, r2, #8
17589 -+ sub r4, r4, #8
17590 -+ vtrn.32 d6, d12
17591 -+ vtrn.32 d7, d13
17592 -+ vst1.8 d4, [r2, : 64]
17593 -+ vst1.8 d5, [r4, : 64]
17594 -+ sub r2, r2, #24
17595 -+ sub r4, r4, #24
17596 -+ vst1.8 d6, [r2, : 64]
17597 -+ vst1.8 d7, [r4, : 64]
17598 -+ add r2, r3, #240
17599 -+ add r4, r3, #96
17600 -+ vld1.8 {d0-d1}, [r4, : 128]!
17601 -+ vld1.8 {d2-d3}, [r4, : 128]!
17602 -+ vld1.8 {d4}, [r4, : 64]
17603 -+ add r4, r3, #144
17604 -+ vld1.8 {d6-d7}, [r4, : 128]!
17605 -+ vtrn.32 q0, q3
17606 -+ vld1.8 {d8-d9}, [r4, : 128]!
17607 -+ vshl.i32 q5, q0, #4
17608 -+ vtrn.32 q1, q4
17609 -+ vshl.i32 q6, q3, #4
17610 -+ vadd.i32 q5, q5, q0
17611 -+ vadd.i32 q6, q6, q3
17612 -+ vshl.i32 q7, q1, #4
17613 -+ vld1.8 {d5}, [r4, : 64]
17614 -+ vshl.i32 q8, q4, #4
17615 -+ vtrn.32 d4, d5
17616 -+ vadd.i32 q7, q7, q1
17617 -+ vadd.i32 q8, q8, q4
17618 -+ vld1.8 {d18-d19}, [r2, : 128]!
17619 -+ vshl.i32 q10, q2, #4
17620 -+ vld1.8 {d22-d23}, [r2, : 128]!
17621 -+ vadd.i32 q10, q10, q2
17622 -+ vld1.8 {d24}, [r2, : 64]
17623 -+ vadd.i32 q5, q5, q0
17624 -+ add r2, r3, #192
17625 -+ vld1.8 {d26-d27}, [r2, : 128]!
17626 -+ vadd.i32 q6, q6, q3
17627 -+ vld1.8 {d28-d29}, [r2, : 128]!
17628 -+ vadd.i32 q8, q8, q4
17629 -+ vld1.8 {d25}, [r2, : 64]
17630 -+ vadd.i32 q10, q10, q2
17631 -+ vtrn.32 q9, q13
17632 -+ vadd.i32 q7, q7, q1
17633 -+ vadd.i32 q5, q5, q0
17634 -+ vtrn.32 q11, q14
17635 -+ vadd.i32 q6, q6, q3
17636 -+ add r2, sp, #528
17637 -+ vadd.i32 q10, q10, q2
17638 -+ vtrn.32 d24, d25
17639 -+ vst1.8 {d12-d13}, [r2, : 128]!
17640 -+ vshl.i32 q6, q13, #1
17641 -+ vst1.8 {d20-d21}, [r2, : 128]!
17642 -+ vshl.i32 q10, q14, #1
17643 -+ vst1.8 {d12-d13}, [r2, : 128]!
17644 -+ vshl.i32 q15, q12, #1
17645 -+ vadd.i32 q8, q8, q4
17646 -+ vext.32 d10, d31, d30, #0
17647 -+ vadd.i32 q7, q7, q1
17648 -+ vst1.8 {d16-d17}, [r2, : 128]!
17649 -+ vmull.s32 q8, d18, d5
17650 -+ vmlal.s32 q8, d26, d4
17651 -+ vmlal.s32 q8, d19, d9
17652 -+ vmlal.s32 q8, d27, d3
17653 -+ vmlal.s32 q8, d22, d8
17654 -+ vmlal.s32 q8, d28, d2
17655 -+ vmlal.s32 q8, d23, d7
17656 -+ vmlal.s32 q8, d29, d1
17657 -+ vmlal.s32 q8, d24, d6
17658 -+ vmlal.s32 q8, d25, d0
17659 -+ vst1.8 {d14-d15}, [r2, : 128]!
17660 -+ vmull.s32 q2, d18, d4
17661 -+ vmlal.s32 q2, d12, d9
17662 -+ vmlal.s32 q2, d13, d8
17663 -+ vmlal.s32 q2, d19, d3
17664 -+ vmlal.s32 q2, d22, d2
17665 -+ vmlal.s32 q2, d23, d1
17666 -+ vmlal.s32 q2, d24, d0
17667 -+ vst1.8 {d20-d21}, [r2, : 128]!
17668 -+ vmull.s32 q7, d18, d9
17669 -+ vmlal.s32 q7, d26, d3
17670 -+ vmlal.s32 q7, d19, d8
17671 -+ vmlal.s32 q7, d27, d2
17672 -+ vmlal.s32 q7, d22, d7
17673 -+ vmlal.s32 q7, d28, d1
17674 -+ vmlal.s32 q7, d23, d6
17675 -+ vmlal.s32 q7, d29, d0
17676 -+ vst1.8 {d10-d11}, [r2, : 128]!
17677 -+ vmull.s32 q5, d18, d3
17678 -+ vmlal.s32 q5, d19, d2
17679 -+ vmlal.s32 q5, d22, d1
17680 -+ vmlal.s32 q5, d23, d0
17681 -+ vmlal.s32 q5, d12, d8
17682 -+ vst1.8 {d16-d17}, [r2, : 128]
17683 -+ vmull.s32 q4, d18, d8
17684 -+ vmlal.s32 q4, d26, d2
17685 -+ vmlal.s32 q4, d19, d7
17686 -+ vmlal.s32 q4, d27, d1
17687 -+ vmlal.s32 q4, d22, d6
17688 -+ vmlal.s32 q4, d28, d0
17689 -+ vmull.s32 q8, d18, d7
17690 -+ vmlal.s32 q8, d26, d1
17691 -+ vmlal.s32 q8, d19, d6
17692 -+ vmlal.s32 q8, d27, d0
17693 -+ add r2, sp, #544
17694 -+ vld1.8 {d20-d21}, [r2, : 128]
17695 -+ vmlal.s32 q7, d24, d21
17696 -+ vmlal.s32 q7, d25, d20
17697 -+ vmlal.s32 q4, d23, d21
17698 -+ vmlal.s32 q4, d29, d20
17699 -+ vmlal.s32 q8, d22, d21
17700 -+ vmlal.s32 q8, d28, d20
17701 -+ vmlal.s32 q5, d24, d20
17702 -+ vst1.8 {d14-d15}, [r2, : 128]
17703 -+ vmull.s32 q7, d18, d6
17704 -+ vmlal.s32 q7, d26, d0
17705 -+ add r2, sp, #624
17706 -+ vld1.8 {d30-d31}, [r2, : 128]
17707 -+ vmlal.s32 q2, d30, d21
17708 -+ vmlal.s32 q7, d19, d21
17709 -+ vmlal.s32 q7, d27, d20
17710 -+ add r2, sp, #592
17711 -+ vld1.8 {d26-d27}, [r2, : 128]
17712 -+ vmlal.s32 q4, d25, d27
17713 -+ vmlal.s32 q8, d29, d27
17714 -+ vmlal.s32 q8, d25, d26
17715 -+ vmlal.s32 q7, d28, d27
17716 -+ vmlal.s32 q7, d29, d26
17717 -+ add r2, sp, #576
17718 -+ vld1.8 {d28-d29}, [r2, : 128]
17719 -+ vmlal.s32 q4, d24, d29
17720 -+ vmlal.s32 q8, d23, d29
17721 -+ vmlal.s32 q8, d24, d28
17722 -+ vmlal.s32 q7, d22, d29
17723 -+ vmlal.s32 q7, d23, d28
17724 -+ vst1.8 {d8-d9}, [r2, : 128]
17725 -+ add r2, sp, #528
17726 -+ vld1.8 {d8-d9}, [r2, : 128]
17727 -+ vmlal.s32 q7, d24, d9
17728 -+ vmlal.s32 q7, d25, d31
17729 -+ vmull.s32 q1, d18, d2
17730 -+ vmlal.s32 q1, d19, d1
17731 -+ vmlal.s32 q1, d22, d0
17732 -+ vmlal.s32 q1, d24, d27
17733 -+ vmlal.s32 q1, d23, d20
17734 -+ vmlal.s32 q1, d12, d7
17735 -+ vmlal.s32 q1, d13, d6
17736 -+ vmull.s32 q6, d18, d1
17737 -+ vmlal.s32 q6, d19, d0
17738 -+ vmlal.s32 q6, d23, d27
17739 -+ vmlal.s32 q6, d22, d20
17740 -+ vmlal.s32 q6, d24, d26
17741 -+ vmull.s32 q0, d18, d0
17742 -+ vmlal.s32 q0, d22, d27
17743 -+ vmlal.s32 q0, d23, d26
17744 -+ vmlal.s32 q0, d24, d31
17745 -+ vmlal.s32 q0, d19, d20
17746 -+ add r2, sp, #608
17747 -+ vld1.8 {d18-d19}, [r2, : 128]
17748 -+ vmlal.s32 q2, d18, d7
17749 -+ vmlal.s32 q5, d18, d6
17750 -+ vmlal.s32 q1, d18, d21
17751 -+ vmlal.s32 q0, d18, d28
17752 -+ vmlal.s32 q6, d18, d29
17753 -+ vmlal.s32 q2, d19, d6
17754 -+ vmlal.s32 q5, d19, d21
17755 -+ vmlal.s32 q1, d19, d29
17756 -+ vmlal.s32 q0, d19, d9
17757 -+ vmlal.s32 q6, d19, d28
17758 -+ add r2, sp, #560
17759 -+ vld1.8 {d18-d19}, [r2, : 128]
17760 -+ add r2, sp, #480
17761 -+ vld1.8 {d22-d23}, [r2, : 128]
17762 -+ vmlal.s32 q5, d19, d7
17763 -+ vmlal.s32 q0, d18, d21
17764 -+ vmlal.s32 q0, d19, d29
17765 -+ vmlal.s32 q6, d18, d6
17766 -+ add r2, sp, #496
17767 -+ vld1.8 {d6-d7}, [r2, : 128]
17768 -+ vmlal.s32 q6, d19, d21
17769 -+ add r2, sp, #544
17770 -+ vld1.8 {d18-d19}, [r2, : 128]
17771 -+ vmlal.s32 q0, d30, d8
17772 -+ add r2, sp, #640
17773 -+ vld1.8 {d20-d21}, [r2, : 128]
17774 -+ vmlal.s32 q5, d30, d29
17775 -+ add r2, sp, #576
17776 -+ vld1.8 {d24-d25}, [r2, : 128]
17777 -+ vmlal.s32 q1, d30, d28
17778 -+ vadd.i64 q13, q0, q11
17779 -+ vadd.i64 q14, q5, q11
17780 -+ vmlal.s32 q6, d30, d9
17781 -+ vshr.s64 q4, q13, #26
17782 -+ vshr.s64 q13, q14, #26
17783 -+ vadd.i64 q7, q7, q4
17784 -+ vshl.i64 q4, q4, #26
17785 -+ vadd.i64 q14, q7, q3
17786 -+ vadd.i64 q9, q9, q13
17787 -+ vshl.i64 q13, q13, #26
17788 -+ vadd.i64 q15, q9, q3
17789 -+ vsub.i64 q0, q0, q4
17790 -+ vshr.s64 q4, q14, #25
17791 -+ vsub.i64 q5, q5, q13
17792 -+ vshr.s64 q13, q15, #25
17793 -+ vadd.i64 q6, q6, q4
17794 -+ vshl.i64 q4, q4, #25
17795 -+ vadd.i64 q14, q6, q11
17796 -+ vadd.i64 q2, q2, q13
17797 -+ vsub.i64 q4, q7, q4
17798 -+ vshr.s64 q7, q14, #26
17799 -+ vshl.i64 q13, q13, #25
17800 -+ vadd.i64 q14, q2, q11
17801 -+ vadd.i64 q8, q8, q7
17802 -+ vshl.i64 q7, q7, #26
17803 -+ vadd.i64 q15, q8, q3
17804 -+ vsub.i64 q9, q9, q13
17805 -+ vshr.s64 q13, q14, #26
17806 -+ vsub.i64 q6, q6, q7
17807 -+ vshr.s64 q7, q15, #25
17808 -+ vadd.i64 q10, q10, q13
17809 -+ vshl.i64 q13, q13, #26
17810 -+ vadd.i64 q14, q10, q3
17811 -+ vadd.i64 q1, q1, q7
17812 -+ add r2, r3, #144
17813 -+ vshl.i64 q7, q7, #25
17814 -+ add r4, r3, #96
17815 -+ vadd.i64 q15, q1, q11
17816 -+ add r2, r2, #8
17817 -+ vsub.i64 q2, q2, q13
17818 -+ add r4, r4, #8
17819 -+ vshr.s64 q13, q14, #25
17820 -+ vsub.i64 q7, q8, q7
17821 -+ vshr.s64 q8, q15, #26
17822 -+ vadd.i64 q14, q13, q13
17823 -+ vadd.i64 q12, q12, q8
17824 -+ vtrn.32 d12, d14
17825 -+ vshl.i64 q8, q8, #26
17826 -+ vtrn.32 d13, d15
17827 -+ vadd.i64 q3, q12, q3
17828 -+ vadd.i64 q0, q0, q14
17829 -+ vst1.8 d12, [r2, : 64]!
17830 -+ vshl.i64 q7, q13, #4
17831 -+ vst1.8 d13, [r4, : 64]!
17832 -+ vsub.i64 q1, q1, q8
17833 -+ vshr.s64 q3, q3, #25
17834 -+ vadd.i64 q0, q0, q7
17835 -+ vadd.i64 q5, q5, q3
17836 -+ vshl.i64 q3, q3, #25
17837 -+ vadd.i64 q6, q5, q11
17838 -+ vadd.i64 q0, q0, q13
17839 -+ vshl.i64 q7, q13, #25
17840 -+ vadd.i64 q8, q0, q11
17841 -+ vsub.i64 q3, q12, q3
17842 -+ vshr.s64 q6, q6, #26
17843 -+ vsub.i64 q7, q10, q7
17844 -+ vtrn.32 d2, d6
17845 -+ vshr.s64 q8, q8, #26
17846 -+ vtrn.32 d3, d7
17847 -+ vadd.i64 q3, q9, q6
17848 -+ vst1.8 d2, [r2, : 64]
17849 -+ vshl.i64 q6, q6, #26
17850 -+ vst1.8 d3, [r4, : 64]
17851 -+ vadd.i64 q1, q4, q8
17852 -+ vtrn.32 d4, d14
17853 -+ vshl.i64 q4, q8, #26
17854 -+ vtrn.32 d5, d15
17855 -+ vsub.i64 q5, q5, q6
17856 -+ add r2, r2, #16
17857 -+ vsub.i64 q0, q0, q4
17858 -+ vst1.8 d4, [r2, : 64]
17859 -+ add r4, r4, #16
17860 -+ vst1.8 d5, [r4, : 64]
17861 -+ vtrn.32 d10, d6
17862 -+ vtrn.32 d11, d7
17863 -+ sub r2, r2, #8
17864 -+ sub r4, r4, #8
17865 -+ vtrn.32 d0, d2
17866 -+ vtrn.32 d1, d3
17867 -+ vst1.8 d10, [r2, : 64]
17868 -+ vst1.8 d11, [r4, : 64]
17869 -+ sub r2, r2, #24
17870 -+ sub r4, r4, #24
17871 -+ vst1.8 d0, [r2, : 64]
17872 -+ vst1.8 d1, [r4, : 64]
17873 -+ add r2, r3, #288
17874 -+ add r4, r3, #336
17875 -+ vld1.8 {d0-d1}, [r2, : 128]!
17876 -+ vld1.8 {d2-d3}, [r4, : 128]!
17877 -+ vsub.i32 q0, q0, q1
17878 -+ vld1.8 {d2-d3}, [r2, : 128]!
17879 -+ vld1.8 {d4-d5}, [r4, : 128]!
17880 -+ vsub.i32 q1, q1, q2
17881 -+ add r5, r3, #240
17882 -+ vld1.8 {d4}, [r2, : 64]
17883 -+ vld1.8 {d6}, [r4, : 64]
17884 -+ vsub.i32 q2, q2, q3
17885 -+ vst1.8 {d0-d1}, [r5, : 128]!
17886 -+ vst1.8 {d2-d3}, [r5, : 128]!
17887 -+ vst1.8 d4, [r5, : 64]
17888 -+ add r2, r3, #144
17889 -+ add r4, r3, #96
17890 -+ add r5, r3, #144
17891 -+ add r6, r3, #192
17892 -+ vld1.8 {d0-d1}, [r2, : 128]!
17893 -+ vld1.8 {d2-d3}, [r4, : 128]!
17894 -+ vsub.i32 q2, q0, q1
17895 -+ vadd.i32 q0, q0, q1
17896 -+ vld1.8 {d2-d3}, [r2, : 128]!
17897 -+ vld1.8 {d6-d7}, [r4, : 128]!
17898 -+ vsub.i32 q4, q1, q3
17899 -+ vadd.i32 q1, q1, q3
17900 -+ vld1.8 {d6}, [r2, : 64]
17901 -+ vld1.8 {d10}, [r4, : 64]
17902 -+ vsub.i32 q6, q3, q5
17903 -+ vadd.i32 q3, q3, q5
17904 -+ vst1.8 {d4-d5}, [r5, : 128]!
17905 -+ vst1.8 {d0-d1}, [r6, : 128]!
17906 -+ vst1.8 {d8-d9}, [r5, : 128]!
17907 -+ vst1.8 {d2-d3}, [r6, : 128]!
17908 -+ vst1.8 d12, [r5, : 64]
17909 -+ vst1.8 d6, [r6, : 64]
17910 -+ add r2, r3, #0
17911 -+ add r4, r3, #240
17912 -+ vld1.8 {d0-d1}, [r4, : 128]!
17913 -+ vld1.8 {d2-d3}, [r4, : 128]!
17914 -+ vld1.8 {d4}, [r4, : 64]
17915 -+ add r4, r3, #336
17916 -+ vld1.8 {d6-d7}, [r4, : 128]!
17917 -+ vtrn.32 q0, q3
17918 -+ vld1.8 {d8-d9}, [r4, : 128]!
17919 -+ vshl.i32 q5, q0, #4
17920 -+ vtrn.32 q1, q4
17921 -+ vshl.i32 q6, q3, #4
17922 -+ vadd.i32 q5, q5, q0
17923 -+ vadd.i32 q6, q6, q3
17924 -+ vshl.i32 q7, q1, #4
17925 -+ vld1.8 {d5}, [r4, : 64]
17926 -+ vshl.i32 q8, q4, #4
17927 -+ vtrn.32 d4, d5
17928 -+ vadd.i32 q7, q7, q1
17929 -+ vadd.i32 q8, q8, q4
17930 -+ vld1.8 {d18-d19}, [r2, : 128]!
17931 -+ vshl.i32 q10, q2, #4
17932 -+ vld1.8 {d22-d23}, [r2, : 128]!
17933 -+ vadd.i32 q10, q10, q2
17934 -+ vld1.8 {d24}, [r2, : 64]
17935 -+ vadd.i32 q5, q5, q0
17936 -+ add r2, r3, #288
17937 -+ vld1.8 {d26-d27}, [r2, : 128]!
17938 -+ vadd.i32 q6, q6, q3
17939 -+ vld1.8 {d28-d29}, [r2, : 128]!
17940 -+ vadd.i32 q8, q8, q4
17941 -+ vld1.8 {d25}, [r2, : 64]
17942 -+ vadd.i32 q10, q10, q2
17943 -+ vtrn.32 q9, q13
17944 -+ vadd.i32 q7, q7, q1
17945 -+ vadd.i32 q5, q5, q0
17946 -+ vtrn.32 q11, q14
17947 -+ vadd.i32 q6, q6, q3
17948 -+ add r2, sp, #528
17949 -+ vadd.i32 q10, q10, q2
17950 -+ vtrn.32 d24, d25
17951 -+ vst1.8 {d12-d13}, [r2, : 128]!
17952 -+ vshl.i32 q6, q13, #1
17953 -+ vst1.8 {d20-d21}, [r2, : 128]!
17954 -+ vshl.i32 q10, q14, #1
17955 -+ vst1.8 {d12-d13}, [r2, : 128]!
17956 -+ vshl.i32 q15, q12, #1
17957 -+ vadd.i32 q8, q8, q4
17958 -+ vext.32 d10, d31, d30, #0
17959 -+ vadd.i32 q7, q7, q1
17960 -+ vst1.8 {d16-d17}, [r2, : 128]!
17961 -+ vmull.s32 q8, d18, d5
17962 -+ vmlal.s32 q8, d26, d4
17963 -+ vmlal.s32 q8, d19, d9
17964 -+ vmlal.s32 q8, d27, d3
17965 -+ vmlal.s32 q8, d22, d8
17966 -+ vmlal.s32 q8, d28, d2
17967 -+ vmlal.s32 q8, d23, d7
17968 -+ vmlal.s32 q8, d29, d1
17969 -+ vmlal.s32 q8, d24, d6
17970 -+ vmlal.s32 q8, d25, d0
17971 -+ vst1.8 {d14-d15}, [r2, : 128]!
17972 -+ vmull.s32 q2, d18, d4
17973 -+ vmlal.s32 q2, d12, d9
17974 -+ vmlal.s32 q2, d13, d8
17975 -+ vmlal.s32 q2, d19, d3
17976 -+ vmlal.s32 q2, d22, d2
17977 -+ vmlal.s32 q2, d23, d1
17978 -+ vmlal.s32 q2, d24, d0
17979 -+ vst1.8 {d20-d21}, [r2, : 128]!
17980 -+ vmull.s32 q7, d18, d9
17981 -+ vmlal.s32 q7, d26, d3
17982 -+ vmlal.s32 q7, d19, d8
17983 -+ vmlal.s32 q7, d27, d2
17984 -+ vmlal.s32 q7, d22, d7
17985 -+ vmlal.s32 q7, d28, d1
17986 -+ vmlal.s32 q7, d23, d6
17987 -+ vmlal.s32 q7, d29, d0
17988 -+ vst1.8 {d10-d11}, [r2, : 128]!
17989 -+ vmull.s32 q5, d18, d3
17990 -+ vmlal.s32 q5, d19, d2
17991 -+ vmlal.s32 q5, d22, d1
17992 -+ vmlal.s32 q5, d23, d0
17993 -+ vmlal.s32 q5, d12, d8
17994 -+ vst1.8 {d16-d17}, [r2, : 128]!
17995 -+ vmull.s32 q4, d18, d8
17996 -+ vmlal.s32 q4, d26, d2
17997 -+ vmlal.s32 q4, d19, d7
17998 -+ vmlal.s32 q4, d27, d1
17999 -+ vmlal.s32 q4, d22, d6
18000 -+ vmlal.s32 q4, d28, d0
18001 -+ vmull.s32 q8, d18, d7
18002 -+ vmlal.s32 q8, d26, d1
18003 -+ vmlal.s32 q8, d19, d6
18004 -+ vmlal.s32 q8, d27, d0
18005 -+ add r2, sp, #544
18006 -+ vld1.8 {d20-d21}, [r2, : 128]
18007 -+ vmlal.s32 q7, d24, d21
18008 -+ vmlal.s32 q7, d25, d20
18009 -+ vmlal.s32 q4, d23, d21
18010 -+ vmlal.s32 q4, d29, d20
18011 -+ vmlal.s32 q8, d22, d21
18012 -+ vmlal.s32 q8, d28, d20
18013 -+ vmlal.s32 q5, d24, d20
18014 -+ vst1.8 {d14-d15}, [r2, : 128]
18015 -+ vmull.s32 q7, d18, d6
18016 -+ vmlal.s32 q7, d26, d0
18017 -+ add r2, sp, #624
18018 -+ vld1.8 {d30-d31}, [r2, : 128]
18019 -+ vmlal.s32 q2, d30, d21
18020 -+ vmlal.s32 q7, d19, d21
18021 -+ vmlal.s32 q7, d27, d20
18022 -+ add r2, sp, #592
18023 -+ vld1.8 {d26-d27}, [r2, : 128]
18024 -+ vmlal.s32 q4, d25, d27
18025 -+ vmlal.s32 q8, d29, d27
18026 -+ vmlal.s32 q8, d25, d26
18027 -+ vmlal.s32 q7, d28, d27
18028 -+ vmlal.s32 q7, d29, d26
18029 -+ add r2, sp, #576
18030 -+ vld1.8 {d28-d29}, [r2, : 128]
18031 -+ vmlal.s32 q4, d24, d29
18032 -+ vmlal.s32 q8, d23, d29
18033 -+ vmlal.s32 q8, d24, d28
18034 -+ vmlal.s32 q7, d22, d29
18035 -+ vmlal.s32 q7, d23, d28
18036 -+ vst1.8 {d8-d9}, [r2, : 128]
18037 -+ add r2, sp, #528
18038 -+ vld1.8 {d8-d9}, [r2, : 128]
18039 -+ vmlal.s32 q7, d24, d9
18040 -+ vmlal.s32 q7, d25, d31
18041 -+ vmull.s32 q1, d18, d2
18042 -+ vmlal.s32 q1, d19, d1
18043 -+ vmlal.s32 q1, d22, d0
18044 -+ vmlal.s32 q1, d24, d27
18045 -+ vmlal.s32 q1, d23, d20
18046 -+ vmlal.s32 q1, d12, d7
18047 -+ vmlal.s32 q1, d13, d6
18048 -+ vmull.s32 q6, d18, d1
18049 -+ vmlal.s32 q6, d19, d0
18050 -+ vmlal.s32 q6, d23, d27
18051 -+ vmlal.s32 q6, d22, d20
18052 -+ vmlal.s32 q6, d24, d26
18053 -+ vmull.s32 q0, d18, d0
18054 -+ vmlal.s32 q0, d22, d27
18055 -+ vmlal.s32 q0, d23, d26
18056 -+ vmlal.s32 q0, d24, d31
18057 -+ vmlal.s32 q0, d19, d20
18058 -+ add r2, sp, #608
18059 -+ vld1.8 {d18-d19}, [r2, : 128]
18060 -+ vmlal.s32 q2, d18, d7
18061 -+ vmlal.s32 q5, d18, d6
18062 -+ vmlal.s32 q1, d18, d21
18063 -+ vmlal.s32 q0, d18, d28
18064 -+ vmlal.s32 q6, d18, d29
18065 -+ vmlal.s32 q2, d19, d6
18066 -+ vmlal.s32 q5, d19, d21
18067 -+ vmlal.s32 q1, d19, d29
18068 -+ vmlal.s32 q0, d19, d9
18069 -+ vmlal.s32 q6, d19, d28
18070 -+ add r2, sp, #560
18071 -+ vld1.8 {d18-d19}, [r2, : 128]
18072 -+ add r2, sp, #480
18073 -+ vld1.8 {d22-d23}, [r2, : 128]
18074 -+ vmlal.s32 q5, d19, d7
18075 -+ vmlal.s32 q0, d18, d21
18076 -+ vmlal.s32 q0, d19, d29
18077 -+ vmlal.s32 q6, d18, d6
18078 -+ add r2, sp, #496
18079 -+ vld1.8 {d6-d7}, [r2, : 128]
18080 -+ vmlal.s32 q6, d19, d21
18081 -+ add r2, sp, #544
18082 -+ vld1.8 {d18-d19}, [r2, : 128]
18083 -+ vmlal.s32 q0, d30, d8
18084 -+ add r2, sp, #640
18085 -+ vld1.8 {d20-d21}, [r2, : 128]
18086 -+ vmlal.s32 q5, d30, d29
18087 -+ add r2, sp, #576
18088 -+ vld1.8 {d24-d25}, [r2, : 128]
18089 -+ vmlal.s32 q1, d30, d28
18090 -+ vadd.i64 q13, q0, q11
18091 -+ vadd.i64 q14, q5, q11
18092 -+ vmlal.s32 q6, d30, d9
18093 -+ vshr.s64 q4, q13, #26
18094 -+ vshr.s64 q13, q14, #26
18095 -+ vadd.i64 q7, q7, q4
18096 -+ vshl.i64 q4, q4, #26
18097 -+ vadd.i64 q14, q7, q3
18098 -+ vadd.i64 q9, q9, q13
18099 -+ vshl.i64 q13, q13, #26
18100 -+ vadd.i64 q15, q9, q3
18101 -+ vsub.i64 q0, q0, q4
18102 -+ vshr.s64 q4, q14, #25
18103 -+ vsub.i64 q5, q5, q13
18104 -+ vshr.s64 q13, q15, #25
18105 -+ vadd.i64 q6, q6, q4
18106 -+ vshl.i64 q4, q4, #25
18107 -+ vadd.i64 q14, q6, q11
18108 -+ vadd.i64 q2, q2, q13
18109 -+ vsub.i64 q4, q7, q4
18110 -+ vshr.s64 q7, q14, #26
18111 -+ vshl.i64 q13, q13, #25
18112 -+ vadd.i64 q14, q2, q11
18113 -+ vadd.i64 q8, q8, q7
18114 -+ vshl.i64 q7, q7, #26
18115 -+ vadd.i64 q15, q8, q3
18116 -+ vsub.i64 q9, q9, q13
18117 -+ vshr.s64 q13, q14, #26
18118 -+ vsub.i64 q6, q6, q7
18119 -+ vshr.s64 q7, q15, #25
18120 -+ vadd.i64 q10, q10, q13
18121 -+ vshl.i64 q13, q13, #26
18122 -+ vadd.i64 q14, q10, q3
18123 -+ vadd.i64 q1, q1, q7
18124 -+ add r2, r3, #288
18125 -+ vshl.i64 q7, q7, #25
18126 -+ add r4, r3, #96
18127 -+ vadd.i64 q15, q1, q11
18128 -+ add r2, r2, #8
18129 -+ vsub.i64 q2, q2, q13
18130 -+ add r4, r4, #8
18131 -+ vshr.s64 q13, q14, #25
18132 -+ vsub.i64 q7, q8, q7
18133 -+ vshr.s64 q8, q15, #26
18134 -+ vadd.i64 q14, q13, q13
18135 -+ vadd.i64 q12, q12, q8
18136 -+ vtrn.32 d12, d14
18137 -+ vshl.i64 q8, q8, #26
18138 -+ vtrn.32 d13, d15
18139 -+ vadd.i64 q3, q12, q3
18140 -+ vadd.i64 q0, q0, q14
18141 -+ vst1.8 d12, [r2, : 64]!
18142 -+ vshl.i64 q7, q13, #4
18143 -+ vst1.8 d13, [r4, : 64]!
18144 -+ vsub.i64 q1, q1, q8
18145 -+ vshr.s64 q3, q3, #25
18146 -+ vadd.i64 q0, q0, q7
18147 -+ vadd.i64 q5, q5, q3
18148 -+ vshl.i64 q3, q3, #25
18149 -+ vadd.i64 q6, q5, q11
18150 -+ vadd.i64 q0, q0, q13
18151 -+ vshl.i64 q7, q13, #25
18152 -+ vadd.i64 q8, q0, q11
18153 -+ vsub.i64 q3, q12, q3
18154 -+ vshr.s64 q6, q6, #26
18155 -+ vsub.i64 q7, q10, q7
18156 -+ vtrn.32 d2, d6
18157 -+ vshr.s64 q8, q8, #26
18158 -+ vtrn.32 d3, d7
18159 -+ vadd.i64 q3, q9, q6
18160 -+ vst1.8 d2, [r2, : 64]
18161 -+ vshl.i64 q6, q6, #26
18162 -+ vst1.8 d3, [r4, : 64]
18163 -+ vadd.i64 q1, q4, q8
18164 -+ vtrn.32 d4, d14
18165 -+ vshl.i64 q4, q8, #26
18166 -+ vtrn.32 d5, d15
18167 -+ vsub.i64 q5, q5, q6
18168 -+ add r2, r2, #16
18169 -+ vsub.i64 q0, q0, q4
18170 -+ vst1.8 d4, [r2, : 64]
18171 -+ add r4, r4, #16
18172 -+ vst1.8 d5, [r4, : 64]
18173 -+ vtrn.32 d10, d6
18174 -+ vtrn.32 d11, d7
18175 -+ sub r2, r2, #8
18176 -+ sub r4, r4, #8
18177 -+ vtrn.32 d0, d2
18178 -+ vtrn.32 d1, d3
18179 -+ vst1.8 d10, [r2, : 64]
18180 -+ vst1.8 d11, [r4, : 64]
18181 -+ sub r2, r2, #24
18182 -+ sub r4, r4, #24
18183 -+ vst1.8 d0, [r2, : 64]
18184 -+ vst1.8 d1, [r4, : 64]
18185 -+ add r2, sp, #512
18186 -+ add r4, r3, #144
18187 -+ add r5, r3, #192
18188 -+ vld1.8 {d0-d1}, [r2, : 128]
18189 -+ vld1.8 {d2-d3}, [r4, : 128]!
18190 -+ vld1.8 {d4-d5}, [r5, : 128]!
18191 -+ vzip.i32 q1, q2
18192 -+ vld1.8 {d6-d7}, [r4, : 128]!
18193 -+ vld1.8 {d8-d9}, [r5, : 128]!
18194 -+ vshl.i32 q5, q1, #1
18195 -+ vzip.i32 q3, q4
18196 -+ vshl.i32 q6, q2, #1
18197 -+ vld1.8 {d14}, [r4, : 64]
18198 -+ vshl.i32 q8, q3, #1
18199 -+ vld1.8 {d15}, [r5, : 64]
18200 -+ vshl.i32 q9, q4, #1
18201 -+ vmul.i32 d21, d7, d1
18202 -+ vtrn.32 d14, d15
18203 -+ vmul.i32 q11, q4, q0
18204 -+ vmul.i32 q0, q7, q0
18205 -+ vmull.s32 q12, d2, d2
18206 -+ vmlal.s32 q12, d11, d1
18207 -+ vmlal.s32 q12, d12, d0
18208 -+ vmlal.s32 q12, d13, d23
18209 -+ vmlal.s32 q12, d16, d22
18210 -+ vmlal.s32 q12, d7, d21
18211 -+ vmull.s32 q10, d2, d11
18212 -+ vmlal.s32 q10, d4, d1
18213 -+ vmlal.s32 q10, d13, d0
18214 -+ vmlal.s32 q10, d6, d23
18215 -+ vmlal.s32 q10, d17, d22
18216 -+ vmull.s32 q13, d10, d4
18217 -+ vmlal.s32 q13, d11, d3
18218 -+ vmlal.s32 q13, d13, d1
18219 -+ vmlal.s32 q13, d16, d0
18220 -+ vmlal.s32 q13, d17, d23
18221 -+ vmlal.s32 q13, d8, d22
18222 -+ vmull.s32 q1, d10, d5
18223 -+ vmlal.s32 q1, d11, d4
18224 -+ vmlal.s32 q1, d6, d1
18225 -+ vmlal.s32 q1, d17, d0
18226 -+ vmlal.s32 q1, d8, d23
18227 -+ vmull.s32 q14, d10, d6
18228 -+ vmlal.s32 q14, d11, d13
18229 -+ vmlal.s32 q14, d4, d4
18230 -+ vmlal.s32 q14, d17, d1
18231 -+ vmlal.s32 q14, d18, d0
18232 -+ vmlal.s32 q14, d9, d23
18233 -+ vmull.s32 q11, d10, d7
18234 -+ vmlal.s32 q11, d11, d6
18235 -+ vmlal.s32 q11, d12, d5
18236 -+ vmlal.s32 q11, d8, d1
18237 -+ vmlal.s32 q11, d19, d0
18238 -+ vmull.s32 q15, d10, d8
18239 -+ vmlal.s32 q15, d11, d17
18240 -+ vmlal.s32 q15, d12, d6
18241 -+ vmlal.s32 q15, d13, d5
18242 -+ vmlal.s32 q15, d19, d1
18243 -+ vmlal.s32 q15, d14, d0
18244 -+ vmull.s32 q2, d10, d9
18245 -+ vmlal.s32 q2, d11, d8
18246 -+ vmlal.s32 q2, d12, d7
18247 -+ vmlal.s32 q2, d13, d6
18248 -+ vmlal.s32 q2, d14, d1
18249 -+ vmull.s32 q0, d15, d1
18250 -+ vmlal.s32 q0, d10, d14
18251 -+ vmlal.s32 q0, d11, d19
18252 -+ vmlal.s32 q0, d12, d8
18253 -+ vmlal.s32 q0, d13, d17
18254 -+ vmlal.s32 q0, d6, d6
18255 -+ add r2, sp, #480
18256 -+ vld1.8 {d18-d19}, [r2, : 128]!
18257 -+ vmull.s32 q3, d16, d7
18258 -+ vmlal.s32 q3, d10, d15
18259 -+ vmlal.s32 q3, d11, d14
18260 -+ vmlal.s32 q3, d12, d9
18261 -+ vmlal.s32 q3, d13, d8
18262 -+ vld1.8 {d8-d9}, [r2, : 128]
18263 -+ vadd.i64 q5, q12, q9
18264 -+ vadd.i64 q6, q15, q9
18265 -+ vshr.s64 q5, q5, #26
18266 -+ vshr.s64 q6, q6, #26
18267 -+ vadd.i64 q7, q10, q5
18268 -+ vshl.i64 q5, q5, #26
18269 -+ vadd.i64 q8, q7, q4
18270 -+ vadd.i64 q2, q2, q6
18271 -+ vshl.i64 q6, q6, #26
18272 -+ vadd.i64 q10, q2, q4
18273 -+ vsub.i64 q5, q12, q5
18274 -+ vshr.s64 q8, q8, #25
18275 -+ vsub.i64 q6, q15, q6
18276 -+ vshr.s64 q10, q10, #25
18277 -+ vadd.i64 q12, q13, q8
18278 -+ vshl.i64 q8, q8, #25
18279 -+ vadd.i64 q13, q12, q9
18280 -+ vadd.i64 q0, q0, q10
18281 -+ vsub.i64 q7, q7, q8
18282 -+ vshr.s64 q8, q13, #26
18283 -+ vshl.i64 q10, q10, #25
18284 -+ vadd.i64 q13, q0, q9
18285 -+ vadd.i64 q1, q1, q8
18286 -+ vshl.i64 q8, q8, #26
18287 -+ vadd.i64 q15, q1, q4
18288 -+ vsub.i64 q2, q2, q10
18289 -+ vshr.s64 q10, q13, #26
18290 -+ vsub.i64 q8, q12, q8
18291 -+ vshr.s64 q12, q15, #25
18292 -+ vadd.i64 q3, q3, q10
18293 -+ vshl.i64 q10, q10, #26
18294 -+ vadd.i64 q13, q3, q4
18295 -+ vadd.i64 q14, q14, q12
18296 -+ add r2, r3, #144
18297 -+ vshl.i64 q12, q12, #25
18298 -+ add r4, r3, #192
18299 -+ vadd.i64 q15, q14, q9
18300 -+ add r2, r2, #8
18301 -+ vsub.i64 q0, q0, q10
18302 -+ add r4, r4, #8
18303 -+ vshr.s64 q10, q13, #25
18304 -+ vsub.i64 q1, q1, q12
18305 -+ vshr.s64 q12, q15, #26
18306 -+ vadd.i64 q13, q10, q10
18307 -+ vadd.i64 q11, q11, q12
18308 -+ vtrn.32 d16, d2
18309 -+ vshl.i64 q12, q12, #26
18310 -+ vtrn.32 d17, d3
18311 -+ vadd.i64 q1, q11, q4
18312 -+ vadd.i64 q4, q5, q13
18313 -+ vst1.8 d16, [r2, : 64]!
18314 -+ vshl.i64 q5, q10, #4
18315 -+ vst1.8 d17, [r4, : 64]!
18316 -+ vsub.i64 q8, q14, q12
18317 -+ vshr.s64 q1, q1, #25
18318 -+ vadd.i64 q4, q4, q5
18319 -+ vadd.i64 q5, q6, q1
18320 -+ vshl.i64 q1, q1, #25
18321 -+ vadd.i64 q6, q5, q9
18322 -+ vadd.i64 q4, q4, q10
18323 -+ vshl.i64 q10, q10, #25
18324 -+ vadd.i64 q9, q4, q9
18325 -+ vsub.i64 q1, q11, q1
18326 -+ vshr.s64 q6, q6, #26
18327 -+ vsub.i64 q3, q3, q10
18328 -+ vtrn.32 d16, d2
18329 -+ vshr.s64 q9, q9, #26
18330 -+ vtrn.32 d17, d3
18331 -+ vadd.i64 q1, q2, q6
18332 -+ vst1.8 d16, [r2, : 64]
18333 -+ vshl.i64 q2, q6, #26
18334 -+ vst1.8 d17, [r4, : 64]
18335 -+ vadd.i64 q6, q7, q9
18336 -+ vtrn.32 d0, d6
18337 -+ vshl.i64 q7, q9, #26
18338 -+ vtrn.32 d1, d7
18339 -+ vsub.i64 q2, q5, q2
18340 -+ add r2, r2, #16
18341 -+ vsub.i64 q3, q4, q7
18342 -+ vst1.8 d0, [r2, : 64]
18343 -+ add r4, r4, #16
18344 -+ vst1.8 d1, [r4, : 64]
18345 -+ vtrn.32 d4, d2
18346 -+ vtrn.32 d5, d3
18347 -+ sub r2, r2, #8
18348 -+ sub r4, r4, #8
18349 -+ vtrn.32 d6, d12
18350 -+ vtrn.32 d7, d13
18351 -+ vst1.8 d4, [r2, : 64]
18352 -+ vst1.8 d5, [r4, : 64]
18353 -+ sub r2, r2, #24
18354 -+ sub r4, r4, #24
18355 -+ vst1.8 d6, [r2, : 64]
18356 -+ vst1.8 d7, [r4, : 64]
18357 -+ add r2, r3, #336
18358 -+ add r4, r3, #288
18359 -+ vld1.8 {d0-d1}, [r2, : 128]!
18360 -+ vld1.8 {d2-d3}, [r4, : 128]!
18361 -+ vadd.i32 q0, q0, q1
18362 -+ vld1.8 {d2-d3}, [r2, : 128]!
18363 -+ vld1.8 {d4-d5}, [r4, : 128]!
18364 -+ vadd.i32 q1, q1, q2
18365 -+ add r5, r3, #288
18366 -+ vld1.8 {d4}, [r2, : 64]
18367 -+ vld1.8 {d6}, [r4, : 64]
18368 -+ vadd.i32 q2, q2, q3
18369 -+ vst1.8 {d0-d1}, [r5, : 128]!
18370 -+ vst1.8 {d2-d3}, [r5, : 128]!
18371 -+ vst1.8 d4, [r5, : 64]
18372 -+ add r2, r3, #48
18373 -+ add r4, r3, #144
18374 -+ vld1.8 {d0-d1}, [r4, : 128]!
18375 -+ vld1.8 {d2-d3}, [r4, : 128]!
18376 -+ vld1.8 {d4}, [r4, : 64]
18377 -+ add r4, r3, #288
18378 -+ vld1.8 {d6-d7}, [r4, : 128]!
18379 -+ vtrn.32 q0, q3
18380 -+ vld1.8 {d8-d9}, [r4, : 128]!
18381 -+ vshl.i32 q5, q0, #4
18382 -+ vtrn.32 q1, q4
18383 -+ vshl.i32 q6, q3, #4
18384 -+ vadd.i32 q5, q5, q0
18385 -+ vadd.i32 q6, q6, q3
18386 -+ vshl.i32 q7, q1, #4
18387 -+ vld1.8 {d5}, [r4, : 64]
18388 -+ vshl.i32 q8, q4, #4
18389 -+ vtrn.32 d4, d5
18390 -+ vadd.i32 q7, q7, q1
18391 -+ vadd.i32 q8, q8, q4
18392 -+ vld1.8 {d18-d19}, [r2, : 128]!
18393 -+ vshl.i32 q10, q2, #4
18394 -+ vld1.8 {d22-d23}, [r2, : 128]!
18395 -+ vadd.i32 q10, q10, q2
18396 -+ vld1.8 {d24}, [r2, : 64]
18397 -+ vadd.i32 q5, q5, q0
18398 -+ add r2, r3, #240
18399 -+ vld1.8 {d26-d27}, [r2, : 128]!
18400 -+ vadd.i32 q6, q6, q3
18401 -+ vld1.8 {d28-d29}, [r2, : 128]!
18402 -+ vadd.i32 q8, q8, q4
18403 -+ vld1.8 {d25}, [r2, : 64]
18404 -+ vadd.i32 q10, q10, q2
18405 -+ vtrn.32 q9, q13
18406 -+ vadd.i32 q7, q7, q1
18407 -+ vadd.i32 q5, q5, q0
18408 -+ vtrn.32 q11, q14
18409 -+ vadd.i32 q6, q6, q3
18410 -+ add r2, sp, #528
18411 -+ vadd.i32 q10, q10, q2
18412 -+ vtrn.32 d24, d25
18413 -+ vst1.8 {d12-d13}, [r2, : 128]!
18414 -+ vshl.i32 q6, q13, #1
18415 -+ vst1.8 {d20-d21}, [r2, : 128]!
18416 -+ vshl.i32 q10, q14, #1
18417 -+ vst1.8 {d12-d13}, [r2, : 128]!
18418 -+ vshl.i32 q15, q12, #1
18419 -+ vadd.i32 q8, q8, q4
18420 -+ vext.32 d10, d31, d30, #0
18421 -+ vadd.i32 q7, q7, q1
18422 -+ vst1.8 {d16-d17}, [r2, : 128]!
18423 -+ vmull.s32 q8, d18, d5
18424 -+ vmlal.s32 q8, d26, d4
18425 -+ vmlal.s32 q8, d19, d9
18426 -+ vmlal.s32 q8, d27, d3
18427 -+ vmlal.s32 q8, d22, d8
18428 -+ vmlal.s32 q8, d28, d2
18429 -+ vmlal.s32 q8, d23, d7
18430 -+ vmlal.s32 q8, d29, d1
18431 -+ vmlal.s32 q8, d24, d6
18432 -+ vmlal.s32 q8, d25, d0
18433 -+ vst1.8 {d14-d15}, [r2, : 128]!
18434 -+ vmull.s32 q2, d18, d4
18435 -+ vmlal.s32 q2, d12, d9
18436 -+ vmlal.s32 q2, d13, d8
18437 -+ vmlal.s32 q2, d19, d3
18438 -+ vmlal.s32 q2, d22, d2
18439 -+ vmlal.s32 q2, d23, d1
18440 -+ vmlal.s32 q2, d24, d0
18441 -+ vst1.8 {d20-d21}, [r2, : 128]!
18442 -+ vmull.s32 q7, d18, d9
18443 -+ vmlal.s32 q7, d26, d3
18444 -+ vmlal.s32 q7, d19, d8
18445 -+ vmlal.s32 q7, d27, d2
18446 -+ vmlal.s32 q7, d22, d7
18447 -+ vmlal.s32 q7, d28, d1
18448 -+ vmlal.s32 q7, d23, d6
18449 -+ vmlal.s32 q7, d29, d0
18450 -+ vst1.8 {d10-d11}, [r2, : 128]!
18451 -+ vmull.s32 q5, d18, d3
18452 -+ vmlal.s32 q5, d19, d2
18453 -+ vmlal.s32 q5, d22, d1
18454 -+ vmlal.s32 q5, d23, d0
18455 -+ vmlal.s32 q5, d12, d8
18456 -+ vst1.8 {d16-d17}, [r2, : 128]!
18457 -+ vmull.s32 q4, d18, d8
18458 -+ vmlal.s32 q4, d26, d2
18459 -+ vmlal.s32 q4, d19, d7
18460 -+ vmlal.s32 q4, d27, d1
18461 -+ vmlal.s32 q4, d22, d6
18462 -+ vmlal.s32 q4, d28, d0
18463 -+ vmull.s32 q8, d18, d7
18464 -+ vmlal.s32 q8, d26, d1
18465 -+ vmlal.s32 q8, d19, d6
18466 -+ vmlal.s32 q8, d27, d0
18467 -+ add r2, sp, #544
18468 -+ vld1.8 {d20-d21}, [r2, : 128]
18469 -+ vmlal.s32 q7, d24, d21
18470 -+ vmlal.s32 q7, d25, d20
18471 -+ vmlal.s32 q4, d23, d21
18472 -+ vmlal.s32 q4, d29, d20
18473 -+ vmlal.s32 q8, d22, d21
18474 -+ vmlal.s32 q8, d28, d20
18475 -+ vmlal.s32 q5, d24, d20
18476 -+ vst1.8 {d14-d15}, [r2, : 128]
18477 -+ vmull.s32 q7, d18, d6
18478 -+ vmlal.s32 q7, d26, d0
18479 -+ add r2, sp, #624
18480 -+ vld1.8 {d30-d31}, [r2, : 128]
18481 -+ vmlal.s32 q2, d30, d21
18482 -+ vmlal.s32 q7, d19, d21
18483 -+ vmlal.s32 q7, d27, d20
18484 -+ add r2, sp, #592
18485 -+ vld1.8 {d26-d27}, [r2, : 128]
18486 -+ vmlal.s32 q4, d25, d27
18487 -+ vmlal.s32 q8, d29, d27
18488 -+ vmlal.s32 q8, d25, d26
18489 -+ vmlal.s32 q7, d28, d27
18490 -+ vmlal.s32 q7, d29, d26
18491 -+ add r2, sp, #576
18492 -+ vld1.8 {d28-d29}, [r2, : 128]
18493 -+ vmlal.s32 q4, d24, d29
18494 -+ vmlal.s32 q8, d23, d29
18495 -+ vmlal.s32 q8, d24, d28
18496 -+ vmlal.s32 q7, d22, d29
18497 -+ vmlal.s32 q7, d23, d28
18498 -+ vst1.8 {d8-d9}, [r2, : 128]
18499 -+ add r2, sp, #528
18500 -+ vld1.8 {d8-d9}, [r2, : 128]
18501 -+ vmlal.s32 q7, d24, d9
18502 -+ vmlal.s32 q7, d25, d31
18503 -+ vmull.s32 q1, d18, d2
18504 -+ vmlal.s32 q1, d19, d1
18505 -+ vmlal.s32 q1, d22, d0
18506 -+ vmlal.s32 q1, d24, d27
18507 -+ vmlal.s32 q1, d23, d20
18508 -+ vmlal.s32 q1, d12, d7
18509 -+ vmlal.s32 q1, d13, d6
18510 -+ vmull.s32 q6, d18, d1
18511 -+ vmlal.s32 q6, d19, d0
18512 -+ vmlal.s32 q6, d23, d27
18513 -+ vmlal.s32 q6, d22, d20
18514 -+ vmlal.s32 q6, d24, d26
18515 -+ vmull.s32 q0, d18, d0
18516 -+ vmlal.s32 q0, d22, d27
18517 -+ vmlal.s32 q0, d23, d26
18518 -+ vmlal.s32 q0, d24, d31
18519 -+ vmlal.s32 q0, d19, d20
18520 -+ add r2, sp, #608
18521 -+ vld1.8 {d18-d19}, [r2, : 128]
18522 -+ vmlal.s32 q2, d18, d7
18523 -+ vmlal.s32 q5, d18, d6
18524 -+ vmlal.s32 q1, d18, d21
18525 -+ vmlal.s32 q0, d18, d28
18526 -+ vmlal.s32 q6, d18, d29
18527 -+ vmlal.s32 q2, d19, d6
18528 -+ vmlal.s32 q5, d19, d21
18529 -+ vmlal.s32 q1, d19, d29
18530 -+ vmlal.s32 q0, d19, d9
18531 -+ vmlal.s32 q6, d19, d28
18532 -+ add r2, sp, #560
18533 -+ vld1.8 {d18-d19}, [r2, : 128]
18534 -+ add r2, sp, #480
18535 -+ vld1.8 {d22-d23}, [r2, : 128]
18536 -+ vmlal.s32 q5, d19, d7
18537 -+ vmlal.s32 q0, d18, d21
18538 -+ vmlal.s32 q0, d19, d29
18539 -+ vmlal.s32 q6, d18, d6
18540 -+ add r2, sp, #496
18541 -+ vld1.8 {d6-d7}, [r2, : 128]
18542 -+ vmlal.s32 q6, d19, d21
18543 -+ add r2, sp, #544
18544 -+ vld1.8 {d18-d19}, [r2, : 128]
18545 -+ vmlal.s32 q0, d30, d8
18546 -+ add r2, sp, #640
18547 -+ vld1.8 {d20-d21}, [r2, : 128]
18548 -+ vmlal.s32 q5, d30, d29
18549 -+ add r2, sp, #576
18550 -+ vld1.8 {d24-d25}, [r2, : 128]
18551 -+ vmlal.s32 q1, d30, d28
18552 -+ vadd.i64 q13, q0, q11
18553 -+ vadd.i64 q14, q5, q11
18554 -+ vmlal.s32 q6, d30, d9
18555 -+ vshr.s64 q4, q13, #26
18556 -+ vshr.s64 q13, q14, #26
18557 -+ vadd.i64 q7, q7, q4
18558 -+ vshl.i64 q4, q4, #26
18559 -+ vadd.i64 q14, q7, q3
18560 -+ vadd.i64 q9, q9, q13
18561 -+ vshl.i64 q13, q13, #26
18562 -+ vadd.i64 q15, q9, q3
18563 -+ vsub.i64 q0, q0, q4
18564 -+ vshr.s64 q4, q14, #25
18565 -+ vsub.i64 q5, q5, q13
18566 -+ vshr.s64 q13, q15, #25
18567 -+ vadd.i64 q6, q6, q4
18568 -+ vshl.i64 q4, q4, #25
18569 -+ vadd.i64 q14, q6, q11
18570 -+ vadd.i64 q2, q2, q13
18571 -+ vsub.i64 q4, q7, q4
18572 -+ vshr.s64 q7, q14, #26
18573 -+ vshl.i64 q13, q13, #25
18574 -+ vadd.i64 q14, q2, q11
18575 -+ vadd.i64 q8, q8, q7
18576 -+ vshl.i64 q7, q7, #26
18577 -+ vadd.i64 q15, q8, q3
18578 -+ vsub.i64 q9, q9, q13
18579 -+ vshr.s64 q13, q14, #26
18580 -+ vsub.i64 q6, q6, q7
18581 -+ vshr.s64 q7, q15, #25
18582 -+ vadd.i64 q10, q10, q13
18583 -+ vshl.i64 q13, q13, #26
18584 -+ vadd.i64 q14, q10, q3
18585 -+ vadd.i64 q1, q1, q7
18586 -+ add r2, r3, #240
18587 -+ vshl.i64 q7, q7, #25
18588 -+ add r4, r3, #144
18589 -+ vadd.i64 q15, q1, q11
18590 -+ add r2, r2, #8
18591 -+ vsub.i64 q2, q2, q13
18592 -+ add r4, r4, #8
18593 -+ vshr.s64 q13, q14, #25
18594 -+ vsub.i64 q7, q8, q7
18595 -+ vshr.s64 q8, q15, #26
18596 -+ vadd.i64 q14, q13, q13
18597 -+ vadd.i64 q12, q12, q8
18598 -+ vtrn.32 d12, d14
18599 -+ vshl.i64 q8, q8, #26
18600 -+ vtrn.32 d13, d15
18601 -+ vadd.i64 q3, q12, q3
18602 -+ vadd.i64 q0, q0, q14
18603 -+ vst1.8 d12, [r2, : 64]!
18604 -+ vshl.i64 q7, q13, #4
18605 -+ vst1.8 d13, [r4, : 64]!
18606 -+ vsub.i64 q1, q1, q8
18607 -+ vshr.s64 q3, q3, #25
18608 -+ vadd.i64 q0, q0, q7
18609 -+ vadd.i64 q5, q5, q3
18610 -+ vshl.i64 q3, q3, #25
18611 -+ vadd.i64 q6, q5, q11
18612 -+ vadd.i64 q0, q0, q13
18613 -+ vshl.i64 q7, q13, #25
18614 -+ vadd.i64 q8, q0, q11
18615 -+ vsub.i64 q3, q12, q3
18616 -+ vshr.s64 q6, q6, #26
18617 -+ vsub.i64 q7, q10, q7
18618 -+ vtrn.32 d2, d6
18619 -+ vshr.s64 q8, q8, #26
18620 -+ vtrn.32 d3, d7
18621 -+ vadd.i64 q3, q9, q6
18622 -+ vst1.8 d2, [r2, : 64]
18623 -+ vshl.i64 q6, q6, #26
18624 -+ vst1.8 d3, [r4, : 64]
18625 -+ vadd.i64 q1, q4, q8
18626 -+ vtrn.32 d4, d14
18627 -+ vshl.i64 q4, q8, #26
18628 -+ vtrn.32 d5, d15
18629 -+ vsub.i64 q5, q5, q6
18630 -+ add r2, r2, #16
18631 -+ vsub.i64 q0, q0, q4
18632 -+ vst1.8 d4, [r2, : 64]
18633 -+ add r4, r4, #16
18634 -+ vst1.8 d5, [r4, : 64]
18635 -+ vtrn.32 d10, d6
18636 -+ vtrn.32 d11, d7
18637 -+ sub r2, r2, #8
18638 -+ sub r4, r4, #8
18639 -+ vtrn.32 d0, d2
18640 -+ vtrn.32 d1, d3
18641 -+ vst1.8 d10, [r2, : 64]
18642 -+ vst1.8 d11, [r4, : 64]
18643 -+ sub r2, r2, #24
18644 -+ sub r4, r4, #24
18645 -+ vst1.8 d0, [r2, : 64]
18646 -+ vst1.8 d1, [r4, : 64]
18647 -+ ldr r2, [sp, #456]
18648 -+ ldr r4, [sp, #460]
18649 -+ subs r5, r2, #1
18650 -+ bge .Lmainloop
18651 -+ add r1, r3, #144
18652 -+ add r2, r3, #336
18653 -+ vld1.8 {d0-d1}, [r1, : 128]!
18654 -+ vld1.8 {d2-d3}, [r1, : 128]!
18655 -+ vld1.8 {d4}, [r1, : 64]
18656 -+ vst1.8 {d0-d1}, [r2, : 128]!
18657 -+ vst1.8 {d2-d3}, [r2, : 128]!
18658 -+ vst1.8 d4, [r2, : 64]
18659 -+ movw r1, #0
18660 -+.Linvertloop:
18661 -+ add r2, r3, #144
18662 -+ movw r4, #0
18663 -+ movw r5, #2
18664 -+ cmp r1, #1
18665 -+ moveq r5, #1
18666 -+ addeq r2, r3, #336
18667 -+ addeq r4, r3, #48
18668 -+ cmp r1, #2
18669 -+ moveq r5, #1
18670 -+ addeq r2, r3, #48
18671 -+ cmp r1, #3
18672 -+ moveq r5, #5
18673 -+ addeq r4, r3, #336
18674 -+ cmp r1, #4
18675 -+ moveq r5, #10
18676 -+ cmp r1, #5
18677 -+ moveq r5, #20
18678 -+ cmp r1, #6
18679 -+ moveq r5, #10
18680 -+ addeq r2, r3, #336
18681 -+ addeq r4, r3, #336
18682 -+ cmp r1, #7
18683 -+ moveq r5, #50
18684 -+ cmp r1, #8
18685 -+ moveq r5, #100
18686 -+ cmp r1, #9
18687 -+ moveq r5, #50
18688 -+ addeq r2, r3, #336
18689 -+ cmp r1, #10
18690 -+ moveq r5, #5
18691 -+ addeq r2, r3, #48
18692 -+ cmp r1, #11
18693 -+ moveq r5, #0
18694 -+ addeq r2, r3, #96
18695 -+ add r6, r3, #144
18696 -+ add r7, r3, #288
18697 -+ vld1.8 {d0-d1}, [r6, : 128]!
18698 -+ vld1.8 {d2-d3}, [r6, : 128]!
18699 -+ vld1.8 {d4}, [r6, : 64]
18700 -+ vst1.8 {d0-d1}, [r7, : 128]!
18701 -+ vst1.8 {d2-d3}, [r7, : 128]!
18702 -+ vst1.8 d4, [r7, : 64]
18703 -+ cmp r5, #0
18704 -+ beq .Lskipsquaringloop
18705 -+.Lsquaringloop:
18706 -+ add r6, r3, #288
18707 -+ add r7, r3, #288
18708 -+ add r8, r3, #288
18709 -+ vmov.i32 q0, #19
18710 -+ vmov.i32 q1, #0
18711 -+ vmov.i32 q2, #1
18712 -+ vzip.i32 q1, q2
18713 -+ vld1.8 {d4-d5}, [r7, : 128]!
18714 -+ vld1.8 {d6-d7}, [r7, : 128]!
18715 -+ vld1.8 {d9}, [r7, : 64]
18716 -+ vld1.8 {d10-d11}, [r6, : 128]!
18717 -+ add r7, sp, #384
18718 -+ vld1.8 {d12-d13}, [r6, : 128]!
18719 -+ vmul.i32 q7, q2, q0
18720 -+ vld1.8 {d8}, [r6, : 64]
18721 -+ vext.32 d17, d11, d10, #1
18722 -+ vmul.i32 q9, q3, q0
18723 -+ vext.32 d16, d10, d8, #1
18724 -+ vshl.u32 q10, q5, q1
18725 -+ vext.32 d22, d14, d4, #1
18726 -+ vext.32 d24, d18, d6, #1
18727 -+ vshl.u32 q13, q6, q1
18728 -+ vshl.u32 d28, d8, d2
18729 -+ vrev64.i32 d22, d22
18730 -+ vmul.i32 d1, d9, d1
18731 -+ vrev64.i32 d24, d24
18732 -+ vext.32 d29, d8, d13, #1
18733 -+ vext.32 d0, d1, d9, #1
18734 -+ vrev64.i32 d0, d0
18735 -+ vext.32 d2, d9, d1, #1
18736 -+ vext.32 d23, d15, d5, #1
18737 -+ vmull.s32 q4, d20, d4
18738 -+ vrev64.i32 d23, d23
18739 -+ vmlal.s32 q4, d21, d1
18740 -+ vrev64.i32 d2, d2
18741 -+ vmlal.s32 q4, d26, d19
18742 -+ vext.32 d3, d5, d15, #1
18743 -+ vmlal.s32 q4, d27, d18
18744 -+ vrev64.i32 d3, d3
18745 -+ vmlal.s32 q4, d28, d15
18746 -+ vext.32 d14, d12, d11, #1
18747 -+ vmull.s32 q5, d16, d23
18748 -+ vext.32 d15, d13, d12, #1
18749 -+ vmlal.s32 q5, d17, d4
18750 -+ vst1.8 d8, [r7, : 64]!
18751 -+ vmlal.s32 q5, d14, d1
18752 -+ vext.32 d12, d9, d8, #0
18753 -+ vmlal.s32 q5, d15, d19
18754 -+ vmov.i64 d13, #0
18755 -+ vmlal.s32 q5, d29, d18
18756 -+ vext.32 d25, d19, d7, #1
18757 -+ vmlal.s32 q6, d20, d5
18758 -+ vrev64.i32 d25, d25
18759 -+ vmlal.s32 q6, d21, d4
18760 -+ vst1.8 d11, [r7, : 64]!
18761 -+ vmlal.s32 q6, d26, d1
18762 -+ vext.32 d9, d10, d10, #0
18763 -+ vmlal.s32 q6, d27, d19
18764 -+ vmov.i64 d8, #0
18765 -+ vmlal.s32 q6, d28, d18
18766 -+ vmlal.s32 q4, d16, d24
18767 -+ vmlal.s32 q4, d17, d5
18768 -+ vmlal.s32 q4, d14, d4
18769 -+ vst1.8 d12, [r7, : 64]!
18770 -+ vmlal.s32 q4, d15, d1
18771 -+ vext.32 d10, d13, d12, #0
18772 -+ vmlal.s32 q4, d29, d19
18773 -+ vmov.i64 d11, #0
18774 -+ vmlal.s32 q5, d20, d6
18775 -+ vmlal.s32 q5, d21, d5
18776 -+ vmlal.s32 q5, d26, d4
18777 -+ vext.32 d13, d8, d8, #0
18778 -+ vmlal.s32 q5, d27, d1
18779 -+ vmov.i64 d12, #0
18780 -+ vmlal.s32 q5, d28, d19
18781 -+ vst1.8 d9, [r7, : 64]!
18782 -+ vmlal.s32 q6, d16, d25
18783 -+ vmlal.s32 q6, d17, d6
18784 -+ vst1.8 d10, [r7, : 64]
18785 -+ vmlal.s32 q6, d14, d5
18786 -+ vext.32 d8, d11, d10, #0
18787 -+ vmlal.s32 q6, d15, d4
18788 -+ vmov.i64 d9, #0
18789 -+ vmlal.s32 q6, d29, d1
18790 -+ vmlal.s32 q4, d20, d7
18791 -+ vmlal.s32 q4, d21, d6
18792 -+ vmlal.s32 q4, d26, d5
18793 -+ vext.32 d11, d12, d12, #0
18794 -+ vmlal.s32 q4, d27, d4
18795 -+ vmov.i64 d10, #0
18796 -+ vmlal.s32 q4, d28, d1
18797 -+ vmlal.s32 q5, d16, d0
18798 -+ sub r6, r7, #32
18799 -+ vmlal.s32 q5, d17, d7
18800 -+ vmlal.s32 q5, d14, d6
18801 -+ vext.32 d30, d9, d8, #0
18802 -+ vmlal.s32 q5, d15, d5
18803 -+ vld1.8 {d31}, [r6, : 64]!
18804 -+ vmlal.s32 q5, d29, d4
18805 -+ vmlal.s32 q15, d20, d0
18806 -+ vext.32 d0, d6, d18, #1
18807 -+ vmlal.s32 q15, d21, d25
18808 -+ vrev64.i32 d0, d0
18809 -+ vmlal.s32 q15, d26, d24
18810 -+ vext.32 d1, d7, d19, #1
18811 -+ vext.32 d7, d10, d10, #0
18812 -+ vmlal.s32 q15, d27, d23
18813 -+ vrev64.i32 d1, d1
18814 -+ vld1.8 {d6}, [r6, : 64]
18815 -+ vmlal.s32 q15, d28, d22
18816 -+ vmlal.s32 q3, d16, d4
18817 -+ add r6, r6, #24
18818 -+ vmlal.s32 q3, d17, d2
18819 -+ vext.32 d4, d31, d30, #0
18820 -+ vmov d17, d11
18821 -+ vmlal.s32 q3, d14, d1
18822 -+ vext.32 d11, d13, d13, #0
18823 -+ vext.32 d13, d30, d30, #0
18824 -+ vmlal.s32 q3, d15, d0
18825 -+ vext.32 d1, d8, d8, #0
18826 -+ vmlal.s32 q3, d29, d3
18827 -+ vld1.8 {d5}, [r6, : 64]
18828 -+ sub r6, r6, #16
18829 -+ vext.32 d10, d6, d6, #0
18830 -+ vmov.i32 q1, #0xffffffff
18831 -+ vshl.i64 q4, q1, #25
18832 -+ add r7, sp, #480
18833 -+ vld1.8 {d14-d15}, [r7, : 128]
18834 -+ vadd.i64 q9, q2, q7
18835 -+ vshl.i64 q1, q1, #26
18836 -+ vshr.s64 q10, q9, #26
18837 -+ vld1.8 {d0}, [r6, : 64]!
18838 -+ vadd.i64 q5, q5, q10
18839 -+ vand q9, q9, q1
18840 -+ vld1.8 {d16}, [r6, : 64]!
18841 -+ add r6, sp, #496
18842 -+ vld1.8 {d20-d21}, [r6, : 128]
18843 -+ vadd.i64 q11, q5, q10
18844 -+ vsub.i64 q2, q2, q9
18845 -+ vshr.s64 q9, q11, #25
18846 -+ vext.32 d12, d5, d4, #0
18847 -+ vand q11, q11, q4
18848 -+ vadd.i64 q0, q0, q9
18849 -+ vmov d19, d7
18850 -+ vadd.i64 q3, q0, q7
18851 -+ vsub.i64 q5, q5, q11
18852 -+ vshr.s64 q11, q3, #26
18853 -+ vext.32 d18, d11, d10, #0
18854 -+ vand q3, q3, q1
18855 -+ vadd.i64 q8, q8, q11
18856 -+ vadd.i64 q11, q8, q10
18857 -+ vsub.i64 q0, q0, q3
18858 -+ vshr.s64 q3, q11, #25
18859 -+ vand q11, q11, q4
18860 -+ vadd.i64 q3, q6, q3
18861 -+ vadd.i64 q6, q3, q7
18862 -+ vsub.i64 q8, q8, q11
18863 -+ vshr.s64 q11, q6, #26
18864 -+ vand q6, q6, q1
18865 -+ vadd.i64 q9, q9, q11
18866 -+ vadd.i64 d25, d19, d21
18867 -+ vsub.i64 q3, q3, q6
18868 -+ vshr.s64 d23, d25, #25
18869 -+ vand q4, q12, q4
18870 -+ vadd.i64 d21, d23, d23
18871 -+ vshl.i64 d25, d23, #4
18872 -+ vadd.i64 d21, d21, d23
18873 -+ vadd.i64 d25, d25, d21
18874 -+ vadd.i64 d4, d4, d25
18875 -+ vzip.i32 q0, q8
18876 -+ vadd.i64 d12, d4, d14
18877 -+ add r6, r8, #8
18878 -+ vst1.8 d0, [r6, : 64]
18879 -+ vsub.i64 d19, d19, d9
18880 -+ add r6, r6, #16
18881 -+ vst1.8 d16, [r6, : 64]
18882 -+ vshr.s64 d22, d12, #26
18883 -+ vand q0, q6, q1
18884 -+ vadd.i64 d10, d10, d22
18885 -+ vzip.i32 q3, q9
18886 -+ vsub.i64 d4, d4, d0
18887 -+ sub r6, r6, #8
18888 -+ vst1.8 d6, [r6, : 64]
18889 -+ add r6, r6, #16
18890 -+ vst1.8 d18, [r6, : 64]
18891 -+ vzip.i32 q2, q5
18892 -+ sub r6, r6, #32
18893 -+ vst1.8 d4, [r6, : 64]
18894 -+ subs r5, r5, #1
18895 -+ bhi .Lsquaringloop
18896 -+.Lskipsquaringloop:
18897 -+ mov r2, r2
18898 -+ add r5, r3, #288
18899 -+ add r6, r3, #144
18900 -+ vmov.i32 q0, #19
18901 -+ vmov.i32 q1, #0
18902 -+ vmov.i32 q2, #1
18903 -+ vzip.i32 q1, q2
18904 -+ vld1.8 {d4-d5}, [r5, : 128]!
18905 -+ vld1.8 {d6-d7}, [r5, : 128]!
18906 -+ vld1.8 {d9}, [r5, : 64]
18907 -+ vld1.8 {d10-d11}, [r2, : 128]!
18908 -+ add r5, sp, #384
18909 -+ vld1.8 {d12-d13}, [r2, : 128]!
18910 -+ vmul.i32 q7, q2, q0
18911 -+ vld1.8 {d8}, [r2, : 64]
18912 -+ vext.32 d17, d11, d10, #1
18913 -+ vmul.i32 q9, q3, q0
18914 -+ vext.32 d16, d10, d8, #1
18915 -+ vshl.u32 q10, q5, q1
18916 -+ vext.32 d22, d14, d4, #1
18917 -+ vext.32 d24, d18, d6, #1
18918 -+ vshl.u32 q13, q6, q1
18919 -+ vshl.u32 d28, d8, d2
18920 -+ vrev64.i32 d22, d22
18921 -+ vmul.i32 d1, d9, d1
18922 -+ vrev64.i32 d24, d24
18923 -+ vext.32 d29, d8, d13, #1
18924 -+ vext.32 d0, d1, d9, #1
18925 -+ vrev64.i32 d0, d0
18926 -+ vext.32 d2, d9, d1, #1
18927 -+ vext.32 d23, d15, d5, #1
18928 -+ vmull.s32 q4, d20, d4
18929 -+ vrev64.i32 d23, d23
18930 -+ vmlal.s32 q4, d21, d1
18931 -+ vrev64.i32 d2, d2
18932 -+ vmlal.s32 q4, d26, d19
18933 -+ vext.32 d3, d5, d15, #1
18934 -+ vmlal.s32 q4, d27, d18
18935 -+ vrev64.i32 d3, d3
18936 -+ vmlal.s32 q4, d28, d15
18937 -+ vext.32 d14, d12, d11, #1
18938 -+ vmull.s32 q5, d16, d23
18939 -+ vext.32 d15, d13, d12, #1
18940 -+ vmlal.s32 q5, d17, d4
18941 -+ vst1.8 d8, [r5, : 64]!
18942 -+ vmlal.s32 q5, d14, d1
18943 -+ vext.32 d12, d9, d8, #0
18944 -+ vmlal.s32 q5, d15, d19
18945 -+ vmov.i64 d13, #0
18946 -+ vmlal.s32 q5, d29, d18
18947 -+ vext.32 d25, d19, d7, #1
18948 -+ vmlal.s32 q6, d20, d5
18949 -+ vrev64.i32 d25, d25
18950 -+ vmlal.s32 q6, d21, d4
18951 -+ vst1.8 d11, [r5, : 64]!
18952 -+ vmlal.s32 q6, d26, d1
18953 -+ vext.32 d9, d10, d10, #0
18954 -+ vmlal.s32 q6, d27, d19
18955 -+ vmov.i64 d8, #0
18956 -+ vmlal.s32 q6, d28, d18
18957 -+ vmlal.s32 q4, d16, d24
18958 -+ vmlal.s32 q4, d17, d5
18959 -+ vmlal.s32 q4, d14, d4
18960 -+ vst1.8 d12, [r5, : 64]!
18961 -+ vmlal.s32 q4, d15, d1
18962 -+ vext.32 d10, d13, d12, #0
18963 -+ vmlal.s32 q4, d29, d19
18964 -+ vmov.i64 d11, #0
18965 -+ vmlal.s32 q5, d20, d6
18966 -+ vmlal.s32 q5, d21, d5
18967 -+ vmlal.s32 q5, d26, d4
18968 -+ vext.32 d13, d8, d8, #0
18969 -+ vmlal.s32 q5, d27, d1
18970 -+ vmov.i64 d12, #0
18971 -+ vmlal.s32 q5, d28, d19
18972 -+ vst1.8 d9, [r5, : 64]!
18973 -+ vmlal.s32 q6, d16, d25
18974 -+ vmlal.s32 q6, d17, d6
18975 -+ vst1.8 d10, [r5, : 64]
18976 -+ vmlal.s32 q6, d14, d5
18977 -+ vext.32 d8, d11, d10, #0
18978 -+ vmlal.s32 q6, d15, d4
18979 -+ vmov.i64 d9, #0
18980 -+ vmlal.s32 q6, d29, d1
18981 -+ vmlal.s32 q4, d20, d7
18982 -+ vmlal.s32 q4, d21, d6
18983 -+ vmlal.s32 q4, d26, d5
18984 -+ vext.32 d11, d12, d12, #0
18985 -+ vmlal.s32 q4, d27, d4
18986 -+ vmov.i64 d10, #0
18987 -+ vmlal.s32 q4, d28, d1
18988 -+ vmlal.s32 q5, d16, d0
18989 -+ sub r2, r5, #32
18990 -+ vmlal.s32 q5, d17, d7
18991 -+ vmlal.s32 q5, d14, d6
18992 -+ vext.32 d30, d9, d8, #0
18993 -+ vmlal.s32 q5, d15, d5
18994 -+ vld1.8 {d31}, [r2, : 64]!
18995 -+ vmlal.s32 q5, d29, d4
18996 -+ vmlal.s32 q15, d20, d0
18997 -+ vext.32 d0, d6, d18, #1
18998 -+ vmlal.s32 q15, d21, d25
18999 -+ vrev64.i32 d0, d0
19000 -+ vmlal.s32 q15, d26, d24
19001 -+ vext.32 d1, d7, d19, #1
19002 -+ vext.32 d7, d10, d10, #0
19003 -+ vmlal.s32 q15, d27, d23
19004 -+ vrev64.i32 d1, d1
19005 -+ vld1.8 {d6}, [r2, : 64]
19006 -+ vmlal.s32 q15, d28, d22
19007 -+ vmlal.s32 q3, d16, d4
19008 -+ add r2, r2, #24
19009 -+ vmlal.s32 q3, d17, d2
19010 -+ vext.32 d4, d31, d30, #0
19011 -+ vmov d17, d11
19012 -+ vmlal.s32 q3, d14, d1
19013 -+ vext.32 d11, d13, d13, #0
19014 -+ vext.32 d13, d30, d30, #0
19015 -+ vmlal.s32 q3, d15, d0
19016 -+ vext.32 d1, d8, d8, #0
19017 -+ vmlal.s32 q3, d29, d3
19018 -+ vld1.8 {d5}, [r2, : 64]
19019 -+ sub r2, r2, #16
19020 -+ vext.32 d10, d6, d6, #0
19021 -+ vmov.i32 q1, #0xffffffff
19022 -+ vshl.i64 q4, q1, #25
19023 -+ add r5, sp, #480
19024 -+ vld1.8 {d14-d15}, [r5, : 128]
19025 -+ vadd.i64 q9, q2, q7
19026 -+ vshl.i64 q1, q1, #26
19027 -+ vshr.s64 q10, q9, #26
19028 -+ vld1.8 {d0}, [r2, : 64]!
19029 -+ vadd.i64 q5, q5, q10
19030 -+ vand q9, q9, q1
19031 -+ vld1.8 {d16}, [r2, : 64]!
19032 -+ add r2, sp, #496
19033 -+ vld1.8 {d20-d21}, [r2, : 128]
19034 -+ vadd.i64 q11, q5, q10
19035 -+ vsub.i64 q2, q2, q9
19036 -+ vshr.s64 q9, q11, #25
19037 -+ vext.32 d12, d5, d4, #0
19038 -+ vand q11, q11, q4
19039 -+ vadd.i64 q0, q0, q9
19040 -+ vmov d19, d7
19041 -+ vadd.i64 q3, q0, q7
19042 -+ vsub.i64 q5, q5, q11
19043 -+ vshr.s64 q11, q3, #26
19044 -+ vext.32 d18, d11, d10, #0
19045 -+ vand q3, q3, q1
19046 -+ vadd.i64 q8, q8, q11
19047 -+ vadd.i64 q11, q8, q10
19048 -+ vsub.i64 q0, q0, q3
19049 -+ vshr.s64 q3, q11, #25
19050 -+ vand q11, q11, q4
19051 -+ vadd.i64 q3, q6, q3
19052 -+ vadd.i64 q6, q3, q7
19053 -+ vsub.i64 q8, q8, q11
19054 -+ vshr.s64 q11, q6, #26
19055 -+ vand q6, q6, q1
19056 -+ vadd.i64 q9, q9, q11
19057 -+ vadd.i64 d25, d19, d21
19058 -+ vsub.i64 q3, q3, q6
19059 -+ vshr.s64 d23, d25, #25
19060 -+ vand q4, q12, q4
19061 -+ vadd.i64 d21, d23, d23
19062 -+ vshl.i64 d25, d23, #4
19063 -+ vadd.i64 d21, d21, d23
19064 -+ vadd.i64 d25, d25, d21
19065 -+ vadd.i64 d4, d4, d25
19066 -+ vzip.i32 q0, q8
19067 -+ vadd.i64 d12, d4, d14
19068 -+ add r2, r6, #8
19069 -+ vst1.8 d0, [r2, : 64]
19070 -+ vsub.i64 d19, d19, d9
19071 -+ add r2, r2, #16
19072 -+ vst1.8 d16, [r2, : 64]
19073 -+ vshr.s64 d22, d12, #26
19074 -+ vand q0, q6, q1
19075 -+ vadd.i64 d10, d10, d22
19076 -+ vzip.i32 q3, q9
19077 -+ vsub.i64 d4, d4, d0
19078 -+ sub r2, r2, #8
19079 -+ vst1.8 d6, [r2, : 64]
19080 -+ add r2, r2, #16
19081 -+ vst1.8 d18, [r2, : 64]
19082 -+ vzip.i32 q2, q5
19083 -+ sub r2, r2, #32
19084 -+ vst1.8 d4, [r2, : 64]
19085 -+ cmp r4, #0
19086 -+ beq .Lskippostcopy
19087 -+ add r2, r3, #144
19088 -+ mov r4, r4
19089 -+ vld1.8 {d0-d1}, [r2, : 128]!
19090 -+ vld1.8 {d2-d3}, [r2, : 128]!
19091 -+ vld1.8 {d4}, [r2, : 64]
19092 -+ vst1.8 {d0-d1}, [r4, : 128]!
19093 -+ vst1.8 {d2-d3}, [r4, : 128]!
19094 -+ vst1.8 d4, [r4, : 64]
19095 -+.Lskippostcopy:
19096 -+ cmp r1, #1
19097 -+ bne .Lskipfinalcopy
19098 -+ add r2, r3, #288
19099 -+ add r4, r3, #144
19100 -+ vld1.8 {d0-d1}, [r2, : 128]!
19101 -+ vld1.8 {d2-d3}, [r2, : 128]!
19102 -+ vld1.8 {d4}, [r2, : 64]
19103 -+ vst1.8 {d0-d1}, [r4, : 128]!
19104 -+ vst1.8 {d2-d3}, [r4, : 128]!
19105 -+ vst1.8 d4, [r4, : 64]
19106 -+.Lskipfinalcopy:
19107 -+ add r1, r1, #1
19108 -+ cmp r1, #12
19109 -+ blo .Linvertloop
19110 -+ add r1, r3, #144
19111 -+ ldr r2, [r1], #4
19112 -+ ldr r3, [r1], #4
19113 -+ ldr r4, [r1], #4
19114 -+ ldr r5, [r1], #4
19115 -+ ldr r6, [r1], #4
19116 -+ ldr r7, [r1], #4
19117 -+ ldr r8, [r1], #4
19118 -+ ldr r9, [r1], #4
19119 -+ ldr r10, [r1], #4
19120 -+ ldr r1, [r1]
19121 -+ add r11, r1, r1, LSL #4
19122 -+ add r11, r11, r1, LSL #1
19123 -+ add r11, r11, #16777216
19124 -+ mov r11, r11, ASR #25
19125 -+ add r11, r11, r2
19126 -+ mov r11, r11, ASR #26
19127 -+ add r11, r11, r3
19128 -+ mov r11, r11, ASR #25
19129 -+ add r11, r11, r4
19130 -+ mov r11, r11, ASR #26
19131 -+ add r11, r11, r5
19132 -+ mov r11, r11, ASR #25
19133 -+ add r11, r11, r6
19134 -+ mov r11, r11, ASR #26
19135 -+ add r11, r11, r7
19136 -+ mov r11, r11, ASR #25
19137 -+ add r11, r11, r8
19138 -+ mov r11, r11, ASR #26
19139 -+ add r11, r11, r9
19140 -+ mov r11, r11, ASR #25
19141 -+ add r11, r11, r10
19142 -+ mov r11, r11, ASR #26
19143 -+ add r11, r11, r1
19144 -+ mov r11, r11, ASR #25
19145 -+ add r2, r2, r11
19146 -+ add r2, r2, r11, LSL #1
19147 -+ add r2, r2, r11, LSL #4
19148 -+ mov r11, r2, ASR #26
19149 -+ add r3, r3, r11
19150 -+ sub r2, r2, r11, LSL #26
19151 -+ mov r11, r3, ASR #25
19152 -+ add r4, r4, r11
19153 -+ sub r3, r3, r11, LSL #25
19154 -+ mov r11, r4, ASR #26
19155 -+ add r5, r5, r11
19156 -+ sub r4, r4, r11, LSL #26
19157 -+ mov r11, r5, ASR #25
19158 -+ add r6, r6, r11
19159 -+ sub r5, r5, r11, LSL #25
19160 -+ mov r11, r6, ASR #26
19161 -+ add r7, r7, r11
19162 -+ sub r6, r6, r11, LSL #26
19163 -+ mov r11, r7, ASR #25
19164 -+ add r8, r8, r11
19165 -+ sub r7, r7, r11, LSL #25
19166 -+ mov r11, r8, ASR #26
19167 -+ add r9, r9, r11
19168 -+ sub r8, r8, r11, LSL #26
19169 -+ mov r11, r9, ASR #25
19170 -+ add r10, r10, r11
19171 -+ sub r9, r9, r11, LSL #25
19172 -+ mov r11, r10, ASR #26
19173 -+ add r1, r1, r11
19174 -+ sub r10, r10, r11, LSL #26
19175 -+ mov r11, r1, ASR #25
19176 -+ sub r1, r1, r11, LSL #25
19177 -+ add r2, r2, r3, LSL #26
19178 -+ mov r3, r3, LSR #6
19179 -+ add r3, r3, r4, LSL #19
19180 -+ mov r4, r4, LSR #13
19181 -+ add r4, r4, r5, LSL #13
19182 -+ mov r5, r5, LSR #19
19183 -+ add r5, r5, r6, LSL #6
19184 -+ add r6, r7, r8, LSL #25
19185 -+ mov r7, r8, LSR #7
19186 -+ add r7, r7, r9, LSL #19
19187 -+ mov r8, r9, LSR #13
19188 -+ add r8, r8, r10, LSL #12
19189 -+ mov r9, r10, LSR #20
19190 -+ add r1, r9, r1, LSL #6
19191 -+ str r2, [r0]
19192 -+ str r3, [r0, #4]
19193 -+ str r4, [r0, #8]
19194 -+ str r5, [r0, #12]
19195 -+ str r6, [r0, #16]
19196 -+ str r7, [r0, #20]
19197 -+ str r8, [r0, #24]
19198 -+ str r1, [r0, #28]
19199 -+ movw r0, #0
19200 -+ mov sp, ip
19201 -+ pop {r4-r11, pc}
19202 -+ENDPROC(curve25519_neon)
19203 ---- b/arch/arm/crypto/curve25519-glue.c
19204 -+++ b/arch/arm/crypto/curve25519-glue.c
19205 -@@ -0,0 +1,136 @@
19206 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
19207 -+/*
19208 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
19209 -+ *
19210 -+ * Based on public domain code from Daniel J. Bernstein and Peter Schwabe. This
19211 -+ * began from SUPERCOP's curve25519/neon2/scalarmult.s, but has subsequently been
19212 -+ * manually reworked for use in kernel space.
19213 -+ */
19214 -+
19215 -+#include <asm/hwcap.h>
19216 -+#include <asm/neon.h>
19217 -+#include <asm/simd.h>
19218 -+#include <crypto/internal/kpp.h>
19219 -+#include <crypto/internal/simd.h>
19220 -+#include <linux/types.h>
19221 -+#include <linux/module.h>
19222 -+#include <linux/init.h>
19223 -+#include <linux/jump_label.h>
19224 -+#include <linux/scatterlist.h>
19225 -+#include <crypto/curve25519.h>
19226 -+
19227 -+asmlinkage void curve25519_neon(u8 mypublic[CURVE25519_KEY_SIZE],
19228 -+ const u8 secret[CURVE25519_KEY_SIZE],
19229 -+ const u8 basepoint[CURVE25519_KEY_SIZE]);
19230 -+
19231 -+static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
19232 -+
19233 -+void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
19234 -+ const u8 scalar[CURVE25519_KEY_SIZE],
19235 -+ const u8 point[CURVE25519_KEY_SIZE])
19236 -+{
19237 -+ if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
19238 -+ kernel_neon_begin();
19239 -+ curve25519_neon(out, scalar, point);
19240 -+ kernel_neon_end();
19241 -+ } else {
19242 -+ curve25519_generic(out, scalar, point);
19243 -+ }
19244 -+}
19245 -+EXPORT_SYMBOL(curve25519_arch);
19246 -+
19247 -+void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
19248 -+ const u8 secret[CURVE25519_KEY_SIZE])
19249 -+{
19250 -+ return curve25519_arch(pub, secret, curve25519_base_point);
19251 -+}
19252 -+EXPORT_SYMBOL(curve25519_base_arch);
19253 -+
19254 -+static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
19255 -+ unsigned int len)
19256 -+{
19257 -+ u8 *secret = kpp_tfm_ctx(tfm);
19258 -+
19259 -+ if (!len)
19260 -+ curve25519_generate_secret(secret);
19261 -+ else if (len == CURVE25519_KEY_SIZE &&
19262 -+ crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
19263 -+ memcpy(secret, buf, CURVE25519_KEY_SIZE);
19264 -+ else
19265 -+ return -EINVAL;
19266 -+ return 0;
19267 -+}
19268 -+
19269 -+static int curve25519_compute_value(struct kpp_request *req)
19270 -+{
19271 -+ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
19272 -+ const u8 *secret = kpp_tfm_ctx(tfm);
19273 -+ u8 public_key[CURVE25519_KEY_SIZE];
19274 -+ u8 buf[CURVE25519_KEY_SIZE];
19275 -+ int copied, nbytes;
19276 -+ u8 const *bp;
19277 -+
19278 -+ if (req->src) {
19279 -+ copied = sg_copy_to_buffer(req->src,
19280 -+ sg_nents_for_len(req->src,
19281 -+ CURVE25519_KEY_SIZE),
19282 -+ public_key, CURVE25519_KEY_SIZE);
19283 -+ if (copied != CURVE25519_KEY_SIZE)
19284 -+ return -EINVAL;
19285 -+ bp = public_key;
19286 -+ } else {
19287 -+ bp = curve25519_base_point;
19288 -+ }
19289 -+
19290 -+ curve25519_arch(buf, secret, bp);
19291 -+
19292 -+ /* might want less than we've got */
19293 -+ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
19294 -+ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
19295 -+ nbytes),
19296 -+ buf, nbytes);
19297 -+ if (copied != nbytes)
19298 -+ return -EINVAL;
19299 -+ return 0;
19300 -+}
19301 -+
19302 -+static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
19303 -+{
19304 -+ return CURVE25519_KEY_SIZE;
19305 -+}
19306 -+
19307 -+static struct kpp_alg curve25519_alg = {
19308 -+ .base.cra_name = "curve25519",
19309 -+ .base.cra_driver_name = "curve25519-neon",
19310 -+ .base.cra_priority = 200,
19311 -+ .base.cra_module = THIS_MODULE,
19312 -+ .base.cra_ctxsize = CURVE25519_KEY_SIZE,
19313 -+
19314 -+ .set_secret = curve25519_set_secret,
19315 -+ .generate_public_key = curve25519_compute_value,
19316 -+ .compute_shared_secret = curve25519_compute_value,
19317 -+ .max_size = curve25519_max_size,
19318 -+};
19319 -+
19320 -+static int __init mod_init(void)
19321 -+{
19322 -+ if (elf_hwcap & HWCAP_NEON) {
19323 -+ static_branch_enable(&have_neon);
19324 -+ return IS_REACHABLE(CONFIG_CRYPTO_KPP) ?
19325 -+ crypto_register_kpp(&curve25519_alg) : 0;
19326 -+ }
19327 -+ return 0;
19328 -+}
19329 -+
19330 -+static void __exit mod_exit(void)
19331 -+{
19332 -+ if (IS_REACHABLE(CONFIG_CRYPTO_KPP) && elf_hwcap & HWCAP_NEON)
19333 -+ crypto_unregister_kpp(&curve25519_alg);
19334 -+}
19335 -+
19336 -+module_init(mod_init);
19337 -+module_exit(mod_exit);
19338 -+
19339 -+MODULE_ALIAS_CRYPTO("curve25519");
19340 -+MODULE_ALIAS_CRYPTO("curve25519-neon");
19341 -+MODULE_LICENSE("GPL v2");
19342 ---- b/include/crypto/chacha20poly1305.h
19343 -+++ b/include/crypto/chacha20poly1305.h
19344 -@@ -0,0 +1,50 @@
19345 -+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
19346 -+/*
19347 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
19348 -+ */
19349 -+
19350 -+#ifndef __CHACHA20POLY1305_H
19351 -+#define __CHACHA20POLY1305_H
19352 -+
19353 -+#include <linux/types.h>
19354 -+#include <linux/scatterlist.h>
19355 -+
19356 -+enum chacha20poly1305_lengths {
19357 -+ XCHACHA20POLY1305_NONCE_SIZE = 24,
19358 -+ CHACHA20POLY1305_KEY_SIZE = 32,
19359 -+ CHACHA20POLY1305_AUTHTAG_SIZE = 16
19360 -+};
19361 -+
19362 -+void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
19363 -+ const u8 *ad, const size_t ad_len,
19364 -+ const u64 nonce,
19365 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19366 -+
19367 -+bool __must_check
19368 -+chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
19369 -+ const u8 *ad, const size_t ad_len, const u64 nonce,
19370 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19371 -+
19372 -+void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
19373 -+ const u8 *ad, const size_t ad_len,
19374 -+ const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
19375 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19376 -+
19377 -+bool __must_check xchacha20poly1305_decrypt(
19378 -+ u8 *dst, const u8 *src, const size_t src_len, const u8 *ad,
19379 -+ const size_t ad_len, const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
19380 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19381 -+
19382 -+bool chacha20poly1305_encrypt_sg_inplace(struct scatterlist *src, size_t src_len,
19383 -+ const u8 *ad, const size_t ad_len,
19384 -+ const u64 nonce,
19385 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19386 -+
19387 -+bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, size_t src_len,
19388 -+ const u8 *ad, const size_t ad_len,
19389 -+ const u64 nonce,
19390 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19391 -+
19392 -+bool chacha20poly1305_selftest(void);
19393 -+
19394 -+#endif /* __CHACHA20POLY1305_H */
19395 ---- b/lib/crypto/chacha20poly1305-selftest.c
19396 -+++ b/lib/crypto/chacha20poly1305-selftest.c
19397 -@@ -0,0 +1,9082 @@
19398 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
19399 -+/*
19400 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
19401 -+ */
19402 -+
19403 -+#include <crypto/chacha20poly1305.h>
19404 -+#include <crypto/chacha.h>
19405 -+#include <crypto/poly1305.h>
19406 -+
19407 -+#include <asm/unaligned.h>
19408 -+#include <linux/bug.h>
19409 -+#include <linux/init.h>
19410 -+#include <linux/mm.h>
19411 -+#include <linux/kernel.h>
19412 -+#include <linux/slab.h>
19413 -+
19414 -+struct chacha20poly1305_testvec {
19415 -+ const u8 *input, *output, *assoc, *nonce, *key;
19416 -+ size_t ilen, alen, nlen;
19417 -+ bool failure;
19418 -+};
19419 -+
19420 -+/* The first of these are the ChaCha20-Poly1305 AEAD test vectors from RFC7539
19421 -+ * 2.8.2. After they are generated by reference implementations. And the final
19422 -+ * marked ones are taken from wycheproof, but we only do these for the encrypt
19423 -+ * side, because mostly we're stressing the primitives rather than the actual
19424 -+ * chapoly construction.
19425 -+ */
19426 -+
19427 -+static const u8 enc_input001[] __initconst = {
19428 -+ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
19429 -+ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
19430 -+ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
19431 -+ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
19432 -+ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
19433 -+ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
19434 -+ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
19435 -+ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
19436 -+ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
19437 -+ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
19438 -+ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
19439 -+ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
19440 -+ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
19441 -+ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
19442 -+ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
19443 -+ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
19444 -+ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
19445 -+ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
19446 -+ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
19447 -+ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
19448 -+ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
19449 -+ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
19450 -+ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
19451 -+ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
19452 -+ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
19453 -+ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
19454 -+ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
19455 -+ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
19456 -+ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
19457 -+ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
19458 -+ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
19459 -+ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
19460 -+ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
19461 -+ 0x9d
19462 -+};
19463 -+static const u8 enc_output001[] __initconst = {
19464 -+ 0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4,
19465 -+ 0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd,
19466 -+ 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
19467 -+ 0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2,
19468 -+ 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee,
19469 -+ 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
19470 -+ 0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00,
19471 -+ 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf,
19472 -+ 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
19473 -+ 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81,
19474 -+ 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd,
19475 -+ 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
19476 -+ 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
19477 -+ 0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38,
19478 -+ 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
19479 -+ 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4,
19480 -+ 0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46,
19481 -+ 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
19482 -+ 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e,
19483 -+ 0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e,
19484 -+ 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
19485 -+ 0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a,
19486 -+ 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea,
19487 -+ 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
19488 -+ 0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99,
19489 -+ 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
19490 -+ 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
19491 -+ 0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10,
19492 -+ 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94,
19493 -+ 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
19494 -+ 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf,
19495 -+ 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29,
19496 -+ 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
19497 -+ 0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb,
19498 -+ 0x22, 0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f,
19499 -+ 0x38
19500 -+};
19501 -+static const u8 enc_assoc001[] __initconst = {
19502 -+ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
19503 -+ 0x00, 0x00, 0x4e, 0x91
19504 -+};
19505 -+static const u8 enc_nonce001[] __initconst = {
19506 -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
19507 -+};
19508 -+static const u8 enc_key001[] __initconst = {
19509 -+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
19510 -+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
19511 -+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
19512 -+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
19513 -+};
19514 -+
19515 -+static const u8 enc_input002[] __initconst = { };
19516 -+static const u8 enc_output002[] __initconst = {
19517 -+ 0xea, 0xe0, 0x1e, 0x9e, 0x2c, 0x91, 0xaa, 0xe1,
19518 -+ 0xdb, 0x5d, 0x99, 0x3f, 0x8a, 0xf7, 0x69, 0x92
19519 -+};
19520 -+static const u8 enc_assoc002[] __initconst = { };
19521 -+static const u8 enc_nonce002[] __initconst = {
19522 -+ 0xca, 0xbf, 0x33, 0x71, 0x32, 0x45, 0x77, 0x8e
19523 -+};
19524 -+static const u8 enc_key002[] __initconst = {
19525 -+ 0x4c, 0xf5, 0x96, 0x83, 0x38, 0xe6, 0xae, 0x7f,
19526 -+ 0x2d, 0x29, 0x25, 0x76, 0xd5, 0x75, 0x27, 0x86,
19527 -+ 0x91, 0x9a, 0x27, 0x7a, 0xfb, 0x46, 0xc5, 0xef,
19528 -+ 0x94, 0x81, 0x79, 0x57, 0x14, 0x59, 0x40, 0x68
19529 -+};
19530 -+
19531 -+static const u8 enc_input003[] __initconst = { };
19532 -+static const u8 enc_output003[] __initconst = {
19533 -+ 0xdd, 0x6b, 0x3b, 0x82, 0xce, 0x5a, 0xbd, 0xd6,
19534 -+ 0xa9, 0x35, 0x83, 0xd8, 0x8c, 0x3d, 0x85, 0x77
19535 -+};
19536 -+static const u8 enc_assoc003[] __initconst = {
19537 -+ 0x33, 0x10, 0x41, 0x12, 0x1f, 0xf3, 0xd2, 0x6b
19538 -+};
19539 -+static const u8 enc_nonce003[] __initconst = {
19540 -+ 0x3d, 0x86, 0xb5, 0x6b, 0xc8, 0xa3, 0x1f, 0x1d
19541 -+};
19542 -+static const u8 enc_key003[] __initconst = {
19543 -+ 0x2d, 0xb0, 0x5d, 0x40, 0xc8, 0xed, 0x44, 0x88,
19544 -+ 0x34, 0xd1, 0x13, 0xaf, 0x57, 0xa1, 0xeb, 0x3a,
19545 -+ 0x2a, 0x80, 0x51, 0x36, 0xec, 0x5b, 0xbc, 0x08,
19546 -+ 0x93, 0x84, 0x21, 0xb5, 0x13, 0x88, 0x3c, 0x0d
19547 -+};
19548 -+
19549 -+static const u8 enc_input004[] __initconst = {
19550 -+ 0xa4
19551 -+};
19552 -+static const u8 enc_output004[] __initconst = {
19553 -+ 0xb7, 0x1b, 0xb0, 0x73, 0x59, 0xb0, 0x84, 0xb2,
19554 -+ 0x6d, 0x8e, 0xab, 0x94, 0x31, 0xa1, 0xae, 0xac,
19555 -+ 0x89
19556 -+};
19557 -+static const u8 enc_assoc004[] __initconst = {
19558 -+ 0x6a, 0xe2, 0xad, 0x3f, 0x88, 0x39, 0x5a, 0x40
19559 -+};
19560 -+static const u8 enc_nonce004[] __initconst = {
19561 -+ 0xd2, 0x32, 0x1f, 0x29, 0x28, 0xc6, 0xc4, 0xc4
19562 -+};
19563 -+static const u8 enc_key004[] __initconst = {
19564 -+ 0x4b, 0x28, 0x4b, 0xa3, 0x7b, 0xbe, 0xe9, 0xf8,
19565 -+ 0x31, 0x80, 0x82, 0xd7, 0xd8, 0xe8, 0xb5, 0xa1,
19566 -+ 0xe2, 0x18, 0x18, 0x8a, 0x9c, 0xfa, 0xa3, 0x3d,
19567 -+ 0x25, 0x71, 0x3e, 0x40, 0xbc, 0x54, 0x7a, 0x3e
19568 -+};
19569 -+
19570 -+static const u8 enc_input005[] __initconst = {
19571 -+ 0x2d
19572 -+};
19573 -+static const u8 enc_output005[] __initconst = {
19574 -+ 0xbf, 0xe1, 0x5b, 0x0b, 0xdb, 0x6b, 0xf5, 0x5e,
19575 -+ 0x6c, 0x5d, 0x84, 0x44, 0x39, 0x81, 0xc1, 0x9c,
19576 -+ 0xac
19577 -+};
19578 -+static const u8 enc_assoc005[] __initconst = { };
19579 -+static const u8 enc_nonce005[] __initconst = {
19580 -+ 0x20, 0x1c, 0xaa, 0x5f, 0x9c, 0xbf, 0x92, 0x30
19581 -+};
19582 -+static const u8 enc_key005[] __initconst = {
19583 -+ 0x66, 0xca, 0x9c, 0x23, 0x2a, 0x4b, 0x4b, 0x31,
19584 -+ 0x0e, 0x92, 0x89, 0x8b, 0xf4, 0x93, 0xc7, 0x87,
19585 -+ 0x98, 0xa3, 0xd8, 0x39, 0xf8, 0xf4, 0xa7, 0x01,
19586 -+ 0xc0, 0x2e, 0x0a, 0xa6, 0x7e, 0x5a, 0x78, 0x87
19587 -+};
19588 -+
19589 -+static const u8 enc_input006[] __initconst = {
19590 -+ 0x33, 0x2f, 0x94, 0xc1, 0xa4, 0xef, 0xcc, 0x2a,
19591 -+ 0x5b, 0xa6, 0xe5, 0x8f, 0x1d, 0x40, 0xf0, 0x92,
19592 -+ 0x3c, 0xd9, 0x24, 0x11, 0xa9, 0x71, 0xf9, 0x37,
19593 -+ 0x14, 0x99, 0xfa, 0xbe, 0xe6, 0x80, 0xde, 0x50,
19594 -+ 0xc9, 0x96, 0xd4, 0xb0, 0xec, 0x9e, 0x17, 0xec,
19595 -+ 0xd2, 0x5e, 0x72, 0x99, 0xfc, 0x0a, 0xe1, 0xcb,
19596 -+ 0x48, 0xd2, 0x85, 0xdd, 0x2f, 0x90, 0xe0, 0x66,
19597 -+ 0x3b, 0xe6, 0x20, 0x74, 0xbe, 0x23, 0x8f, 0xcb,
19598 -+ 0xb4, 0xe4, 0xda, 0x48, 0x40, 0xa6, 0xd1, 0x1b,
19599 -+ 0xc7, 0x42, 0xce, 0x2f, 0x0c, 0xa6, 0x85, 0x6e,
19600 -+ 0x87, 0x37, 0x03, 0xb1, 0x7c, 0x25, 0x96, 0xa3,
19601 -+ 0x05, 0xd8, 0xb0, 0xf4, 0xed, 0xea, 0xc2, 0xf0,
19602 -+ 0x31, 0x98, 0x6c, 0xd1, 0x14, 0x25, 0xc0, 0xcb,
19603 -+ 0x01, 0x74, 0xd0, 0x82, 0xf4, 0x36, 0xf5, 0x41,
19604 -+ 0xd5, 0xdc, 0xca, 0xc5, 0xbb, 0x98, 0xfe, 0xfc,
19605 -+ 0x69, 0x21, 0x70, 0xd8, 0xa4, 0x4b, 0xc8, 0xde,
19606 -+ 0x8f
19607 -+};
19608 -+static const u8 enc_output006[] __initconst = {
19609 -+ 0x8b, 0x06, 0xd3, 0x31, 0xb0, 0x93, 0x45, 0xb1,
19610 -+ 0x75, 0x6e, 0x26, 0xf9, 0x67, 0xbc, 0x90, 0x15,
19611 -+ 0x81, 0x2c, 0xb5, 0xf0, 0xc6, 0x2b, 0xc7, 0x8c,
19612 -+ 0x56, 0xd1, 0xbf, 0x69, 0x6c, 0x07, 0xa0, 0xda,
19613 -+ 0x65, 0x27, 0xc9, 0x90, 0x3d, 0xef, 0x4b, 0x11,
19614 -+ 0x0f, 0x19, 0x07, 0xfd, 0x29, 0x92, 0xd9, 0xc8,
19615 -+ 0xf7, 0x99, 0x2e, 0x4a, 0xd0, 0xb8, 0x2c, 0xdc,
19616 -+ 0x93, 0xf5, 0x9e, 0x33, 0x78, 0xd1, 0x37, 0xc3,
19617 -+ 0x66, 0xd7, 0x5e, 0xbc, 0x44, 0xbf, 0x53, 0xa5,
19618 -+ 0xbc, 0xc4, 0xcb, 0x7b, 0x3a, 0x8e, 0x7f, 0x02,
19619 -+ 0xbd, 0xbb, 0xe7, 0xca, 0xa6, 0x6c, 0x6b, 0x93,
19620 -+ 0x21, 0x93, 0x10, 0x61, 0xe7, 0x69, 0xd0, 0x78,
19621 -+ 0xf3, 0x07, 0x5a, 0x1a, 0x8f, 0x73, 0xaa, 0xb1,
19622 -+ 0x4e, 0xd3, 0xda, 0x4f, 0xf3, 0x32, 0xe1, 0x66,
19623 -+ 0x3e, 0x6c, 0xc6, 0x13, 0xba, 0x06, 0x5b, 0xfc,
19624 -+ 0x6a, 0xe5, 0x6f, 0x60, 0xfb, 0x07, 0x40, 0xb0,
19625 -+ 0x8c, 0x9d, 0x84, 0x43, 0x6b, 0xc1, 0xf7, 0x8d,
19626 -+ 0x8d, 0x31, 0xf7, 0x7a, 0x39, 0x4d, 0x8f, 0x9a,
19627 -+ 0xeb
19628 -+};
19629 -+static const u8 enc_assoc006[] __initconst = {
19630 -+ 0x70, 0xd3, 0x33, 0xf3, 0x8b, 0x18, 0x0b
19631 -+};
19632 -+static const u8 enc_nonce006[] __initconst = {
19633 -+ 0xdf, 0x51, 0x84, 0x82, 0x42, 0x0c, 0x75, 0x9c
19634 -+};
19635 -+static const u8 enc_key006[] __initconst = {
19636 -+ 0x68, 0x7b, 0x8d, 0x8e, 0xe3, 0xc4, 0xdd, 0xae,
19637 -+ 0xdf, 0x72, 0x7f, 0x53, 0x72, 0x25, 0x1e, 0x78,
19638 -+ 0x91, 0xcb, 0x69, 0x76, 0x1f, 0x49, 0x93, 0xf9,
19639 -+ 0x6f, 0x21, 0xcc, 0x39, 0x9c, 0xad, 0xb1, 0x01
19640 -+};
19641 -+
19642 -+static const u8 enc_input007[] __initconst = {
19643 -+ 0x9b, 0x18, 0xdb, 0xdd, 0x9a, 0x0f, 0x3e, 0xa5,
19644 -+ 0x15, 0x17, 0xde, 0xdf, 0x08, 0x9d, 0x65, 0x0a,
19645 -+ 0x67, 0x30, 0x12, 0xe2, 0x34, 0x77, 0x4b, 0xc1,
19646 -+ 0xd9, 0xc6, 0x1f, 0xab, 0xc6, 0x18, 0x50, 0x17,
19647 -+ 0xa7, 0x9d, 0x3c, 0xa6, 0xc5, 0x35, 0x8c, 0x1c,
19648 -+ 0xc0, 0xa1, 0x7c, 0x9f, 0x03, 0x89, 0xca, 0xe1,
19649 -+ 0xe6, 0xe9, 0xd4, 0xd3, 0x88, 0xdb, 0xb4, 0x51,
19650 -+ 0x9d, 0xec, 0xb4, 0xfc, 0x52, 0xee, 0x6d, 0xf1,
19651 -+ 0x75, 0x42, 0xc6, 0xfd, 0xbd, 0x7a, 0x8e, 0x86,
19652 -+ 0xfc, 0x44, 0xb3, 0x4f, 0xf3, 0xea, 0x67, 0x5a,
19653 -+ 0x41, 0x13, 0xba, 0xb0, 0xdc, 0xe1, 0xd3, 0x2a,
19654 -+ 0x7c, 0x22, 0xb3, 0xca, 0xac, 0x6a, 0x37, 0x98,
19655 -+ 0x3e, 0x1d, 0x40, 0x97, 0xf7, 0x9b, 0x1d, 0x36,
19656 -+ 0x6b, 0xb3, 0x28, 0xbd, 0x60, 0x82, 0x47, 0x34,
19657 -+ 0xaa, 0x2f, 0x7d, 0xe9, 0xa8, 0x70, 0x81, 0x57,
19658 -+ 0xd4, 0xb9, 0x77, 0x0a, 0x9d, 0x29, 0xa7, 0x84,
19659 -+ 0x52, 0x4f, 0xc2, 0x4a, 0x40, 0x3b, 0x3c, 0xd4,
19660 -+ 0xc9, 0x2a, 0xdb, 0x4a, 0x53, 0xc4, 0xbe, 0x80,
19661 -+ 0xe9, 0x51, 0x7f, 0x8f, 0xc7, 0xa2, 0xce, 0x82,
19662 -+ 0x5c, 0x91, 0x1e, 0x74, 0xd9, 0xd0, 0xbd, 0xd5,
19663 -+ 0xf3, 0xfd, 0xda, 0x4d, 0x25, 0xb4, 0xbb, 0x2d,
19664 -+ 0xac, 0x2f, 0x3d, 0x71, 0x85, 0x7b, 0xcf, 0x3c,
19665 -+ 0x7b, 0x3e, 0x0e, 0x22, 0x78, 0x0c, 0x29, 0xbf,
19666 -+ 0xe4, 0xf4, 0x57, 0xb3, 0xcb, 0x49, 0xa0, 0xfc,
19667 -+ 0x1e, 0x05, 0x4e, 0x16, 0xbc, 0xd5, 0xa8, 0xa3,
19668 -+ 0xee, 0x05, 0x35, 0xc6, 0x7c, 0xab, 0x60, 0x14,
19669 -+ 0x55, 0x1a, 0x8e, 0xc5, 0x88, 0x5d, 0xd5, 0x81,
19670 -+ 0xc2, 0x81, 0xa5, 0xc4, 0x60, 0xdb, 0xaf, 0x77,
19671 -+ 0x91, 0xe1, 0xce, 0xa2, 0x7e, 0x7f, 0x42, 0xe3,
19672 -+ 0xb0, 0x13, 0x1c, 0x1f, 0x25, 0x60, 0x21, 0xe2,
19673 -+ 0x40, 0x5f, 0x99, 0xb7, 0x73, 0xec, 0x9b, 0x2b,
19674 -+ 0xf0, 0x65, 0x11, 0xc8, 0xd0, 0x0a, 0x9f, 0xd3
19675 -+};
19676 -+static const u8 enc_output007[] __initconst = {
19677 -+ 0x85, 0x04, 0xc2, 0xed, 0x8d, 0xfd, 0x97, 0x5c,
19678 -+ 0xd2, 0xb7, 0xe2, 0xc1, 0x6b, 0xa3, 0xba, 0xf8,
19679 -+ 0xc9, 0x50, 0xc3, 0xc6, 0xa5, 0xe3, 0xa4, 0x7c,
19680 -+ 0xc3, 0x23, 0x49, 0x5e, 0xa9, 0xb9, 0x32, 0xeb,
19681 -+ 0x8a, 0x7c, 0xca, 0xe5, 0xec, 0xfb, 0x7c, 0xc0,
19682 -+ 0xcb, 0x7d, 0xdc, 0x2c, 0x9d, 0x92, 0x55, 0x21,
19683 -+ 0x0a, 0xc8, 0x43, 0x63, 0x59, 0x0a, 0x31, 0x70,
19684 -+ 0x82, 0x67, 0x41, 0x03, 0xf8, 0xdf, 0xf2, 0xac,
19685 -+ 0xa7, 0x02, 0xd4, 0xd5, 0x8a, 0x2d, 0xc8, 0x99,
19686 -+ 0x19, 0x66, 0xd0, 0xf6, 0x88, 0x2c, 0x77, 0xd9,
19687 -+ 0xd4, 0x0d, 0x6c, 0xbd, 0x98, 0xde, 0xe7, 0x7f,
19688 -+ 0xad, 0x7e, 0x8a, 0xfb, 0xe9, 0x4b, 0xe5, 0xf7,
19689 -+ 0xe5, 0x50, 0xa0, 0x90, 0x3f, 0xd6, 0x22, 0x53,
19690 -+ 0xe3, 0xfe, 0x1b, 0xcc, 0x79, 0x3b, 0xec, 0x12,
19691 -+ 0x47, 0x52, 0xa7, 0xd6, 0x04, 0xe3, 0x52, 0xe6,
19692 -+ 0x93, 0x90, 0x91, 0x32, 0x73, 0x79, 0xb8, 0xd0,
19693 -+ 0x31, 0xde, 0x1f, 0x9f, 0x2f, 0x05, 0x38, 0x54,
19694 -+ 0x2f, 0x35, 0x04, 0x39, 0xe0, 0xa7, 0xba, 0xc6,
19695 -+ 0x52, 0xf6, 0x37, 0x65, 0x4c, 0x07, 0xa9, 0x7e,
19696 -+ 0xb3, 0x21, 0x6f, 0x74, 0x8c, 0xc9, 0xde, 0xdb,
19697 -+ 0x65, 0x1b, 0x9b, 0xaa, 0x60, 0xb1, 0x03, 0x30,
19698 -+ 0x6b, 0xb2, 0x03, 0xc4, 0x1c, 0x04, 0xf8, 0x0f,
19699 -+ 0x64, 0xaf, 0x46, 0xe4, 0x65, 0x99, 0x49, 0xe2,
19700 -+ 0xea, 0xce, 0x78, 0x00, 0xd8, 0x8b, 0xd5, 0x2e,
19701 -+ 0xcf, 0xfc, 0x40, 0x49, 0xe8, 0x58, 0xdc, 0x34,
19702 -+ 0x9c, 0x8c, 0x61, 0xbf, 0x0a, 0x8e, 0xec, 0x39,
19703 -+ 0xa9, 0x30, 0x05, 0x5a, 0xd2, 0x56, 0x01, 0xc7,
19704 -+ 0xda, 0x8f, 0x4e, 0xbb, 0x43, 0xa3, 0x3a, 0xf9,
19705 -+ 0x15, 0x2a, 0xd0, 0xa0, 0x7a, 0x87, 0x34, 0x82,
19706 -+ 0xfe, 0x8a, 0xd1, 0x2d, 0x5e, 0xc7, 0xbf, 0x04,
19707 -+ 0x53, 0x5f, 0x3b, 0x36, 0xd4, 0x25, 0x5c, 0x34,
19708 -+ 0x7a, 0x8d, 0xd5, 0x05, 0xce, 0x72, 0xca, 0xef,
19709 -+ 0x7a, 0x4b, 0xbc, 0xb0, 0x10, 0x5c, 0x96, 0x42,
19710 -+ 0x3a, 0x00, 0x98, 0xcd, 0x15, 0xe8, 0xb7, 0x53
19711 -+};
19712 -+static const u8 enc_assoc007[] __initconst = { };
19713 -+static const u8 enc_nonce007[] __initconst = {
19714 -+ 0xde, 0x7b, 0xef, 0xc3, 0x65, 0x1b, 0x68, 0xb0
19715 -+};
19716 -+static const u8 enc_key007[] __initconst = {
19717 -+ 0x8d, 0xb8, 0x91, 0x48, 0xf0, 0xe7, 0x0a, 0xbd,
19718 -+ 0xf9, 0x3f, 0xcd, 0xd9, 0xa0, 0x1e, 0x42, 0x4c,
19719 -+ 0xe7, 0xde, 0x25, 0x3d, 0xa3, 0xd7, 0x05, 0x80,
19720 -+ 0x8d, 0xf2, 0x82, 0xac, 0x44, 0x16, 0x51, 0x01
19721 -+};
19722 -+
19723 -+static const u8 enc_input008[] __initconst = {
19724 -+ 0xc3, 0x09, 0x94, 0x62, 0xe6, 0x46, 0x2e, 0x10,
19725 -+ 0xbe, 0x00, 0xe4, 0xfc, 0xf3, 0x40, 0xa3, 0xe2,
19726 -+ 0x0f, 0xc2, 0x8b, 0x28, 0xdc, 0xba, 0xb4, 0x3c,
19727 -+ 0xe4, 0x21, 0x58, 0x61, 0xcd, 0x8b, 0xcd, 0xfb,
19728 -+ 0xac, 0x94, 0xa1, 0x45, 0xf5, 0x1c, 0xe1, 0x12,
19729 -+ 0xe0, 0x3b, 0x67, 0x21, 0x54, 0x5e, 0x8c, 0xaa,
19730 -+ 0xcf, 0xdb, 0xb4, 0x51, 0xd4, 0x13, 0xda, 0xe6,
19731 -+ 0x83, 0x89, 0xb6, 0x92, 0xe9, 0x21, 0x76, 0xa4,
19732 -+ 0x93, 0x7d, 0x0e, 0xfd, 0x96, 0x36, 0x03, 0x91,
19733 -+ 0x43, 0x5c, 0x92, 0x49, 0x62, 0x61, 0x7b, 0xeb,
19734 -+ 0x43, 0x89, 0xb8, 0x12, 0x20, 0x43, 0xd4, 0x47,
19735 -+ 0x06, 0x84, 0xee, 0x47, 0xe9, 0x8a, 0x73, 0x15,
19736 -+ 0x0f, 0x72, 0xcf, 0xed, 0xce, 0x96, 0xb2, 0x7f,
19737 -+ 0x21, 0x45, 0x76, 0xeb, 0x26, 0x28, 0x83, 0x6a,
19738 -+ 0xad, 0xaa, 0xa6, 0x81, 0xd8, 0x55, 0xb1, 0xa3,
19739 -+ 0x85, 0xb3, 0x0c, 0xdf, 0xf1, 0x69, 0x2d, 0x97,
19740 -+ 0x05, 0x2a, 0xbc, 0x7c, 0x7b, 0x25, 0xf8, 0x80,
19741 -+ 0x9d, 0x39, 0x25, 0xf3, 0x62, 0xf0, 0x66, 0x5e,
19742 -+ 0xf4, 0xa0, 0xcf, 0xd8, 0xfd, 0x4f, 0xb1, 0x1f,
19743 -+ 0x60, 0x3a, 0x08, 0x47, 0xaf, 0xe1, 0xf6, 0x10,
19744 -+ 0x77, 0x09, 0xa7, 0x27, 0x8f, 0x9a, 0x97, 0x5a,
19745 -+ 0x26, 0xfa, 0xfe, 0x41, 0x32, 0x83, 0x10, 0xe0,
19746 -+ 0x1d, 0xbf, 0x64, 0x0d, 0xf4, 0x1c, 0x32, 0x35,
19747 -+ 0xe5, 0x1b, 0x36, 0xef, 0xd4, 0x4a, 0x93, 0x4d,
19748 -+ 0x00, 0x7c, 0xec, 0x02, 0x07, 0x8b, 0x5d, 0x7d,
19749 -+ 0x1b, 0x0e, 0xd1, 0xa6, 0xa5, 0x5d, 0x7d, 0x57,
19750 -+ 0x88, 0xa8, 0xcc, 0x81, 0xb4, 0x86, 0x4e, 0xb4,
19751 -+ 0x40, 0xe9, 0x1d, 0xc3, 0xb1, 0x24, 0x3e, 0x7f,
19752 -+ 0xcc, 0x8a, 0x24, 0x9b, 0xdf, 0x6d, 0xf0, 0x39,
19753 -+ 0x69, 0x3e, 0x4c, 0xc0, 0x96, 0xe4, 0x13, 0xda,
19754 -+ 0x90, 0xda, 0xf4, 0x95, 0x66, 0x8b, 0x17, 0x17,
19755 -+ 0xfe, 0x39, 0x43, 0x25, 0xaa, 0xda, 0xa0, 0x43,
19756 -+ 0x3c, 0xb1, 0x41, 0x02, 0xa3, 0xf0, 0xa7, 0x19,
19757 -+ 0x59, 0xbc, 0x1d, 0x7d, 0x6c, 0x6d, 0x91, 0x09,
19758 -+ 0x5c, 0xb7, 0x5b, 0x01, 0xd1, 0x6f, 0x17, 0x21,
19759 -+ 0x97, 0xbf, 0x89, 0x71, 0xa5, 0xb0, 0x6e, 0x07,
19760 -+ 0x45, 0xfd, 0x9d, 0xea, 0x07, 0xf6, 0x7a, 0x9f,
19761 -+ 0x10, 0x18, 0x22, 0x30, 0x73, 0xac, 0xd4, 0x6b,
19762 -+ 0x72, 0x44, 0xed, 0xd9, 0x19, 0x9b, 0x2d, 0x4a,
19763 -+ 0x41, 0xdd, 0xd1, 0x85, 0x5e, 0x37, 0x19, 0xed,
19764 -+ 0xd2, 0x15, 0x8f, 0x5e, 0x91, 0xdb, 0x33, 0xf2,
19765 -+ 0xe4, 0xdb, 0xff, 0x98, 0xfb, 0xa3, 0xb5, 0xca,
19766 -+ 0x21, 0x69, 0x08, 0xe7, 0x8a, 0xdf, 0x90, 0xff,
19767 -+ 0x3e, 0xe9, 0x20, 0x86, 0x3c, 0xe9, 0xfc, 0x0b,
19768 -+ 0xfe, 0x5c, 0x61, 0xaa, 0x13, 0x92, 0x7f, 0x7b,
19769 -+ 0xec, 0xe0, 0x6d, 0xa8, 0x23, 0x22, 0xf6, 0x6b,
19770 -+ 0x77, 0xc4, 0xfe, 0x40, 0x07, 0x3b, 0xb6, 0xf6,
19771 -+ 0x8e, 0x5f, 0xd4, 0xb9, 0xb7, 0x0f, 0x21, 0x04,
19772 -+ 0xef, 0x83, 0x63, 0x91, 0x69, 0x40, 0xa3, 0x48,
19773 -+ 0x5c, 0xd2, 0x60, 0xf9, 0x4f, 0x6c, 0x47, 0x8b,
19774 -+ 0x3b, 0xb1, 0x9f, 0x8e, 0xee, 0x16, 0x8a, 0x13,
19775 -+ 0xfc, 0x46, 0x17, 0xc3, 0xc3, 0x32, 0x56, 0xf8,
19776 -+ 0x3c, 0x85, 0x3a, 0xb6, 0x3e, 0xaa, 0x89, 0x4f,
19777 -+ 0xb3, 0xdf, 0x38, 0xfd, 0xf1, 0xe4, 0x3a, 0xc0,
19778 -+ 0xe6, 0x58, 0xb5, 0x8f, 0xc5, 0x29, 0xa2, 0x92,
19779 -+ 0x4a, 0xb6, 0xa0, 0x34, 0x7f, 0xab, 0xb5, 0x8a,
19780 -+ 0x90, 0xa1, 0xdb, 0x4d, 0xca, 0xb6, 0x2c, 0x41,
19781 -+ 0x3c, 0xf7, 0x2b, 0x21, 0xc3, 0xfd, 0xf4, 0x17,
19782 -+ 0x5c, 0xb5, 0x33, 0x17, 0x68, 0x2b, 0x08, 0x30,
19783 -+ 0xf3, 0xf7, 0x30, 0x3c, 0x96, 0xe6, 0x6a, 0x20,
19784 -+ 0x97, 0xe7, 0x4d, 0x10, 0x5f, 0x47, 0x5f, 0x49,
19785 -+ 0x96, 0x09, 0xf0, 0x27, 0x91, 0xc8, 0xf8, 0x5a,
19786 -+ 0x2e, 0x79, 0xb5, 0xe2, 0xb8, 0xe8, 0xb9, 0x7b,
19787 -+ 0xd5, 0x10, 0xcb, 0xff, 0x5d, 0x14, 0x73, 0xf3
19788 -+};
19789 -+static const u8 enc_output008[] __initconst = {
19790 -+ 0x14, 0xf6, 0x41, 0x37, 0xa6, 0xd4, 0x27, 0xcd,
19791 -+ 0xdb, 0x06, 0x3e, 0x9a, 0x4e, 0xab, 0xd5, 0xb1,
19792 -+ 0x1e, 0x6b, 0xd2, 0xbc, 0x11, 0xf4, 0x28, 0x93,
19793 -+ 0x63, 0x54, 0xef, 0xbb, 0x5e, 0x1d, 0x3a, 0x1d,
19794 -+ 0x37, 0x3c, 0x0a, 0x6c, 0x1e, 0xc2, 0xd1, 0x2c,
19795 -+ 0xb5, 0xa3, 0xb5, 0x7b, 0xb8, 0x8f, 0x25, 0xa6,
19796 -+ 0x1b, 0x61, 0x1c, 0xec, 0x28, 0x58, 0x26, 0xa4,
19797 -+ 0xa8, 0x33, 0x28, 0x25, 0x5c, 0x45, 0x05, 0xe5,
19798 -+ 0x6c, 0x99, 0xe5, 0x45, 0xc4, 0xa2, 0x03, 0x84,
19799 -+ 0x03, 0x73, 0x1e, 0x8c, 0x49, 0xac, 0x20, 0xdd,
19800 -+ 0x8d, 0xb3, 0xc4, 0xf5, 0xe7, 0x4f, 0xf1, 0xed,
19801 -+ 0xa1, 0x98, 0xde, 0xa4, 0x96, 0xdd, 0x2f, 0xab,
19802 -+ 0xab, 0x97, 0xcf, 0x3e, 0xd2, 0x9e, 0xb8, 0x13,
19803 -+ 0x07, 0x28, 0x29, 0x19, 0xaf, 0xfd, 0xf2, 0x49,
19804 -+ 0x43, 0xea, 0x49, 0x26, 0x91, 0xc1, 0x07, 0xd6,
19805 -+ 0xbb, 0x81, 0x75, 0x35, 0x0d, 0x24, 0x7f, 0xc8,
19806 -+ 0xda, 0xd4, 0xb7, 0xeb, 0xe8, 0x5c, 0x09, 0xa2,
19807 -+ 0x2f, 0xdc, 0x28, 0x7d, 0x3a, 0x03, 0xfa, 0x94,
19808 -+ 0xb5, 0x1d, 0x17, 0x99, 0x36, 0xc3, 0x1c, 0x18,
19809 -+ 0x34, 0xe3, 0x9f, 0xf5, 0x55, 0x7c, 0xb0, 0x60,
19810 -+ 0x9d, 0xff, 0xac, 0xd4, 0x61, 0xf2, 0xad, 0xf8,
19811 -+ 0xce, 0xc7, 0xbe, 0x5c, 0xd2, 0x95, 0xa8, 0x4b,
19812 -+ 0x77, 0x13, 0x19, 0x59, 0x26, 0xc9, 0xb7, 0x8f,
19813 -+ 0x6a, 0xcb, 0x2d, 0x37, 0x91, 0xea, 0x92, 0x9c,
19814 -+ 0x94, 0x5b, 0xda, 0x0b, 0xce, 0xfe, 0x30, 0x20,
19815 -+ 0xf8, 0x51, 0xad, 0xf2, 0xbe, 0xe7, 0xc7, 0xff,
19816 -+ 0xb3, 0x33, 0x91, 0x6a, 0xc9, 0x1a, 0x41, 0xc9,
19817 -+ 0x0f, 0xf3, 0x10, 0x0e, 0xfd, 0x53, 0xff, 0x6c,
19818 -+ 0x16, 0x52, 0xd9, 0xf3, 0xf7, 0x98, 0x2e, 0xc9,
19819 -+ 0x07, 0x31, 0x2c, 0x0c, 0x72, 0xd7, 0xc5, 0xc6,
19820 -+ 0x08, 0x2a, 0x7b, 0xda, 0xbd, 0x7e, 0x02, 0xea,
19821 -+ 0x1a, 0xbb, 0xf2, 0x04, 0x27, 0x61, 0x28, 0x8e,
19822 -+ 0xf5, 0x04, 0x03, 0x1f, 0x4c, 0x07, 0x55, 0x82,
19823 -+ 0xec, 0x1e, 0xd7, 0x8b, 0x2f, 0x65, 0x56, 0xd1,
19824 -+ 0xd9, 0x1e, 0x3c, 0xe9, 0x1f, 0x5e, 0x98, 0x70,
19825 -+ 0x38, 0x4a, 0x8c, 0x49, 0xc5, 0x43, 0xa0, 0xa1,
19826 -+ 0x8b, 0x74, 0x9d, 0x4c, 0x62, 0x0d, 0x10, 0x0c,
19827 -+ 0xf4, 0x6c, 0x8f, 0xe0, 0xaa, 0x9a, 0x8d, 0xb7,
19828 -+ 0xe0, 0xbe, 0x4c, 0x87, 0xf1, 0x98, 0x2f, 0xcc,
19829 -+ 0xed, 0xc0, 0x52, 0x29, 0xdc, 0x83, 0xf8, 0xfc,
19830 -+ 0x2c, 0x0e, 0xa8, 0x51, 0x4d, 0x80, 0x0d, 0xa3,
19831 -+ 0xfe, 0xd8, 0x37, 0xe7, 0x41, 0x24, 0xfc, 0xfb,
19832 -+ 0x75, 0xe3, 0x71, 0x7b, 0x57, 0x45, 0xf5, 0x97,
19833 -+ 0x73, 0x65, 0x63, 0x14, 0x74, 0xb8, 0x82, 0x9f,
19834 -+ 0xf8, 0x60, 0x2f, 0x8a, 0xf2, 0x4e, 0xf1, 0x39,
19835 -+ 0xda, 0x33, 0x91, 0xf8, 0x36, 0xe0, 0x8d, 0x3f,
19836 -+ 0x1f, 0x3b, 0x56, 0xdc, 0xa0, 0x8f, 0x3c, 0x9d,
19837 -+ 0x71, 0x52, 0xa7, 0xb8, 0xc0, 0xa5, 0xc6, 0xa2,
19838 -+ 0x73, 0xda, 0xf4, 0x4b, 0x74, 0x5b, 0x00, 0x3d,
19839 -+ 0x99, 0xd7, 0x96, 0xba, 0xe6, 0xe1, 0xa6, 0x96,
19840 -+ 0x38, 0xad, 0xb3, 0xc0, 0xd2, 0xba, 0x91, 0x6b,
19841 -+ 0xf9, 0x19, 0xdd, 0x3b, 0xbe, 0xbe, 0x9c, 0x20,
19842 -+ 0x50, 0xba, 0xa1, 0xd0, 0xce, 0x11, 0xbd, 0x95,
19843 -+ 0xd8, 0xd1, 0xdd, 0x33, 0x85, 0x74, 0xdc, 0xdb,
19844 -+ 0x66, 0x76, 0x44, 0xdc, 0x03, 0x74, 0x48, 0x35,
19845 -+ 0x98, 0xb1, 0x18, 0x47, 0x94, 0x7d, 0xff, 0x62,
19846 -+ 0xe4, 0x58, 0x78, 0xab, 0xed, 0x95, 0x36, 0xd9,
19847 -+ 0x84, 0x91, 0x82, 0x64, 0x41, 0xbb, 0x58, 0xe6,
19848 -+ 0x1c, 0x20, 0x6d, 0x15, 0x6b, 0x13, 0x96, 0xe8,
19849 -+ 0x35, 0x7f, 0xdc, 0x40, 0x2c, 0xe9, 0xbc, 0x8a,
19850 -+ 0x4f, 0x92, 0xec, 0x06, 0x2d, 0x50, 0xdf, 0x93,
19851 -+ 0x5d, 0x65, 0x5a, 0xa8, 0xfc, 0x20, 0x50, 0x14,
19852 -+ 0xa9, 0x8a, 0x7e, 0x1d, 0x08, 0x1f, 0xe2, 0x99,
19853 -+ 0xd0, 0xbe, 0xfb, 0x3a, 0x21, 0x9d, 0xad, 0x86,
19854 -+ 0x54, 0xfd, 0x0d, 0x98, 0x1c, 0x5a, 0x6f, 0x1f,
19855 -+ 0x9a, 0x40, 0xcd, 0xa2, 0xff, 0x6a, 0xf1, 0x54
19856 -+};
19857 -+static const u8 enc_assoc008[] __initconst = { };
19858 -+static const u8 enc_nonce008[] __initconst = {
19859 -+ 0x0e, 0x0d, 0x57, 0xbb, 0x7b, 0x40, 0x54, 0x02
19860 -+};
19861 -+static const u8 enc_key008[] __initconst = {
19862 -+ 0xf2, 0xaa, 0x4f, 0x99, 0xfd, 0x3e, 0xa8, 0x53,
19863 -+ 0xc1, 0x44, 0xe9, 0x81, 0x18, 0xdc, 0xf5, 0xf0,
19864 -+ 0x3e, 0x44, 0x15, 0x59, 0xe0, 0xc5, 0x44, 0x86,
19865 -+ 0xc3, 0x91, 0xa8, 0x75, 0xc0, 0x12, 0x46, 0xba
19866 -+};
19867 -+
19868 -+static const u8 enc_input009[] __initconst = {
19869 -+ 0xe6, 0xc3, 0xdb, 0x63, 0x55, 0x15, 0xe3, 0x5b,
19870 -+ 0xb7, 0x4b, 0x27, 0x8b, 0x5a, 0xdd, 0xc2, 0xe8,
19871 -+ 0x3a, 0x6b, 0xd7, 0x81, 0x96, 0x35, 0x97, 0xca,
19872 -+ 0xd7, 0x68, 0xe8, 0xef, 0xce, 0xab, 0xda, 0x09,
19873 -+ 0x6e, 0xd6, 0x8e, 0xcb, 0x55, 0xb5, 0xe1, 0xe5,
19874 -+ 0x57, 0xfd, 0xc4, 0xe3, 0xe0, 0x18, 0x4f, 0x85,
19875 -+ 0xf5, 0x3f, 0x7e, 0x4b, 0x88, 0xc9, 0x52, 0x44,
19876 -+ 0x0f, 0xea, 0xaf, 0x1f, 0x71, 0x48, 0x9f, 0x97,
19877 -+ 0x6d, 0xb9, 0x6f, 0x00, 0xa6, 0xde, 0x2b, 0x77,
19878 -+ 0x8b, 0x15, 0xad, 0x10, 0xa0, 0x2b, 0x7b, 0x41,
19879 -+ 0x90, 0x03, 0x2d, 0x69, 0xae, 0xcc, 0x77, 0x7c,
19880 -+ 0xa5, 0x9d, 0x29, 0x22, 0xc2, 0xea, 0xb4, 0x00,
19881 -+ 0x1a, 0xd2, 0x7a, 0x98, 0x8a, 0xf9, 0xf7, 0x82,
19882 -+ 0xb0, 0xab, 0xd8, 0xa6, 0x94, 0x8d, 0x58, 0x2f,
19883 -+ 0x01, 0x9e, 0x00, 0x20, 0xfc, 0x49, 0xdc, 0x0e,
19884 -+ 0x03, 0xe8, 0x45, 0x10, 0xd6, 0xa8, 0xda, 0x55,
19885 -+ 0x10, 0x9a, 0xdf, 0x67, 0x22, 0x8b, 0x43, 0xab,
19886 -+ 0x00, 0xbb, 0x02, 0xc8, 0xdd, 0x7b, 0x97, 0x17,
19887 -+ 0xd7, 0x1d, 0x9e, 0x02, 0x5e, 0x48, 0xde, 0x8e,
19888 -+ 0xcf, 0x99, 0x07, 0x95, 0x92, 0x3c, 0x5f, 0x9f,
19889 -+ 0xc5, 0x8a, 0xc0, 0x23, 0xaa, 0xd5, 0x8c, 0x82,
19890 -+ 0x6e, 0x16, 0x92, 0xb1, 0x12, 0x17, 0x07, 0xc3,
19891 -+ 0xfb, 0x36, 0xf5, 0x6c, 0x35, 0xd6, 0x06, 0x1f,
19892 -+ 0x9f, 0xa7, 0x94, 0xa2, 0x38, 0x63, 0x9c, 0xb0,
19893 -+ 0x71, 0xb3, 0xa5, 0xd2, 0xd8, 0xba, 0x9f, 0x08,
19894 -+ 0x01, 0xb3, 0xff, 0x04, 0x97, 0x73, 0x45, 0x1b,
19895 -+ 0xd5, 0xa9, 0x9c, 0x80, 0xaf, 0x04, 0x9a, 0x85,
19896 -+ 0xdb, 0x32, 0x5b, 0x5d, 0x1a, 0xc1, 0x36, 0x28,
19897 -+ 0x10, 0x79, 0xf1, 0x3c, 0xbf, 0x1a, 0x41, 0x5c,
19898 -+ 0x4e, 0xdf, 0xb2, 0x7c, 0x79, 0x3b, 0x7a, 0x62,
19899 -+ 0x3d, 0x4b, 0xc9, 0x9b, 0x2a, 0x2e, 0x7c, 0xa2,
19900 -+ 0xb1, 0x11, 0x98, 0xa7, 0x34, 0x1a, 0x00, 0xf3,
19901 -+ 0xd1, 0xbc, 0x18, 0x22, 0xba, 0x02, 0x56, 0x62,
19902 -+ 0x31, 0x10, 0x11, 0x6d, 0xe0, 0x54, 0x9d, 0x40,
19903 -+ 0x1f, 0x26, 0x80, 0x41, 0xca, 0x3f, 0x68, 0x0f,
19904 -+ 0x32, 0x1d, 0x0a, 0x8e, 0x79, 0xd8, 0xa4, 0x1b,
19905 -+ 0x29, 0x1c, 0x90, 0x8e, 0xc5, 0xe3, 0xb4, 0x91,
19906 -+ 0x37, 0x9a, 0x97, 0x86, 0x99, 0xd5, 0x09, 0xc5,
19907 -+ 0xbb, 0xa3, 0x3f, 0x21, 0x29, 0x82, 0x14, 0x5c,
19908 -+ 0xab, 0x25, 0xfb, 0xf2, 0x4f, 0x58, 0x26, 0xd4,
19909 -+ 0x83, 0xaa, 0x66, 0x89, 0x67, 0x7e, 0xc0, 0x49,
19910 -+ 0xe1, 0x11, 0x10, 0x7f, 0x7a, 0xda, 0x29, 0x04,
19911 -+ 0xff, 0xf0, 0xcb, 0x09, 0x7c, 0x9d, 0xfa, 0x03,
19912 -+ 0x6f, 0x81, 0x09, 0x31, 0x60, 0xfb, 0x08, 0xfa,
19913 -+ 0x74, 0xd3, 0x64, 0x44, 0x7c, 0x55, 0x85, 0xec,
19914 -+ 0x9c, 0x6e, 0x25, 0xb7, 0x6c, 0xc5, 0x37, 0xb6,
19915 -+ 0x83, 0x87, 0x72, 0x95, 0x8b, 0x9d, 0xe1, 0x69,
19916 -+ 0x5c, 0x31, 0x95, 0x42, 0xa6, 0x2c, 0xd1, 0x36,
19917 -+ 0x47, 0x1f, 0xec, 0x54, 0xab, 0xa2, 0x1c, 0xd8,
19918 -+ 0x00, 0xcc, 0xbc, 0x0d, 0x65, 0xe2, 0x67, 0xbf,
19919 -+ 0xbc, 0xea, 0xee, 0x9e, 0xe4, 0x36, 0x95, 0xbe,
19920 -+ 0x73, 0xd9, 0xa6, 0xd9, 0x0f, 0xa0, 0xcc, 0x82,
19921 -+ 0x76, 0x26, 0xad, 0x5b, 0x58, 0x6c, 0x4e, 0xab,
19922 -+ 0x29, 0x64, 0xd3, 0xd9, 0xa9, 0x08, 0x8c, 0x1d,
19923 -+ 0xa1, 0x4f, 0x80, 0xd8, 0x3f, 0x94, 0xfb, 0xd3,
19924 -+ 0x7b, 0xfc, 0xd1, 0x2b, 0xc3, 0x21, 0xeb, 0xe5,
19925 -+ 0x1c, 0x84, 0x23, 0x7f, 0x4b, 0xfa, 0xdb, 0x34,
19926 -+ 0x18, 0xa2, 0xc2, 0xe5, 0x13, 0xfe, 0x6c, 0x49,
19927 -+ 0x81, 0xd2, 0x73, 0xe7, 0xe2, 0xd7, 0xe4, 0x4f,
19928 -+ 0x4b, 0x08, 0x6e, 0xb1, 0x12, 0x22, 0x10, 0x9d,
19929 -+ 0xac, 0x51, 0x1e, 0x17, 0xd9, 0x8a, 0x0b, 0x42,
19930 -+ 0x88, 0x16, 0x81, 0x37, 0x7c, 0x6a, 0xf7, 0xef,
19931 -+ 0x2d, 0xe3, 0xd9, 0xf8, 0x5f, 0xe0, 0x53, 0x27,
19932 -+ 0x74, 0xb9, 0xe2, 0xd6, 0x1c, 0x80, 0x2c, 0x52,
19933 -+ 0x65
19934 -+};
19935 -+static const u8 enc_output009[] __initconst = {
19936 -+ 0xfd, 0x81, 0x8d, 0xd0, 0x3d, 0xb4, 0xd5, 0xdf,
19937 -+ 0xd3, 0x42, 0x47, 0x5a, 0x6d, 0x19, 0x27, 0x66,
19938 -+ 0x4b, 0x2e, 0x0c, 0x27, 0x9c, 0x96, 0x4c, 0x72,
19939 -+ 0x02, 0xa3, 0x65, 0xc3, 0xb3, 0x6f, 0x2e, 0xbd,
19940 -+ 0x63, 0x8a, 0x4a, 0x5d, 0x29, 0xa2, 0xd0, 0x28,
19941 -+ 0x48, 0xc5, 0x3d, 0x98, 0xa3, 0xbc, 0xe0, 0xbe,
19942 -+ 0x3b, 0x3f, 0xe6, 0x8a, 0xa4, 0x7f, 0x53, 0x06,
19943 -+ 0xfa, 0x7f, 0x27, 0x76, 0x72, 0x31, 0xa1, 0xf5,
19944 -+ 0xd6, 0x0c, 0x52, 0x47, 0xba, 0xcd, 0x4f, 0xd7,
19945 -+ 0xeb, 0x05, 0x48, 0x0d, 0x7c, 0x35, 0x4a, 0x09,
19946 -+ 0xc9, 0x76, 0x71, 0x02, 0xa3, 0xfb, 0xb7, 0x1a,
19947 -+ 0x65, 0xb7, 0xed, 0x98, 0xc6, 0x30, 0x8a, 0x00,
19948 -+ 0xae, 0xa1, 0x31, 0xe5, 0xb5, 0x9e, 0x6d, 0x62,
19949 -+ 0xda, 0xda, 0x07, 0x0f, 0x38, 0x38, 0xd3, 0xcb,
19950 -+ 0xc1, 0xb0, 0xad, 0xec, 0x72, 0xec, 0xb1, 0xa2,
19951 -+ 0x7b, 0x59, 0xf3, 0x3d, 0x2b, 0xef, 0xcd, 0x28,
19952 -+ 0x5b, 0x83, 0xcc, 0x18, 0x91, 0x88, 0xb0, 0x2e,
19953 -+ 0xf9, 0x29, 0x31, 0x18, 0xf9, 0x4e, 0xe9, 0x0a,
19954 -+ 0x91, 0x92, 0x9f, 0xae, 0x2d, 0xad, 0xf4, 0xe6,
19955 -+ 0x1a, 0xe2, 0xa4, 0xee, 0x47, 0x15, 0xbf, 0x83,
19956 -+ 0x6e, 0xd7, 0x72, 0x12, 0x3b, 0x2d, 0x24, 0xe9,
19957 -+ 0xb2, 0x55, 0xcb, 0x3c, 0x10, 0xf0, 0x24, 0x8a,
19958 -+ 0x4a, 0x02, 0xea, 0x90, 0x25, 0xf0, 0xb4, 0x79,
19959 -+ 0x3a, 0xef, 0x6e, 0xf5, 0x52, 0xdf, 0xb0, 0x0a,
19960 -+ 0xcd, 0x24, 0x1c, 0xd3, 0x2e, 0x22, 0x74, 0xea,
19961 -+ 0x21, 0x6f, 0xe9, 0xbd, 0xc8, 0x3e, 0x36, 0x5b,
19962 -+ 0x19, 0xf1, 0xca, 0x99, 0x0a, 0xb4, 0xa7, 0x52,
19963 -+ 0x1a, 0x4e, 0xf2, 0xad, 0x8d, 0x56, 0x85, 0xbb,
19964 -+ 0x64, 0x89, 0xba, 0x26, 0xf9, 0xc7, 0xe1, 0x89,
19965 -+ 0x19, 0x22, 0x77, 0xc3, 0xa8, 0xfc, 0xff, 0xad,
19966 -+ 0xfe, 0xb9, 0x48, 0xae, 0x12, 0x30, 0x9f, 0x19,
19967 -+ 0xfb, 0x1b, 0xef, 0x14, 0x87, 0x8a, 0x78, 0x71,
19968 -+ 0xf3, 0xf4, 0xb7, 0x00, 0x9c, 0x1d, 0xb5, 0x3d,
19969 -+ 0x49, 0x00, 0x0c, 0x06, 0xd4, 0x50, 0xf9, 0x54,
19970 -+ 0x45, 0xb2, 0x5b, 0x43, 0xdb, 0x6d, 0xcf, 0x1a,
19971 -+ 0xe9, 0x7a, 0x7a, 0xcf, 0xfc, 0x8a, 0x4e, 0x4d,
19972 -+ 0x0b, 0x07, 0x63, 0x28, 0xd8, 0xe7, 0x08, 0x95,
19973 -+ 0xdf, 0xa6, 0x72, 0x93, 0x2e, 0xbb, 0xa0, 0x42,
19974 -+ 0x89, 0x16, 0xf1, 0xd9, 0x0c, 0xf9, 0xa1, 0x16,
19975 -+ 0xfd, 0xd9, 0x03, 0xb4, 0x3b, 0x8a, 0xf5, 0xf6,
19976 -+ 0xe7, 0x6b, 0x2e, 0x8e, 0x4c, 0x3d, 0xe2, 0xaf,
19977 -+ 0x08, 0x45, 0x03, 0xff, 0x09, 0xb6, 0xeb, 0x2d,
19978 -+ 0xc6, 0x1b, 0x88, 0x94, 0xac, 0x3e, 0xf1, 0x9f,
19979 -+ 0x0e, 0x0e, 0x2b, 0xd5, 0x00, 0x4d, 0x3f, 0x3b,
19980 -+ 0x53, 0xae, 0xaf, 0x1c, 0x33, 0x5f, 0x55, 0x6e,
19981 -+ 0x8d, 0xaf, 0x05, 0x7a, 0x10, 0x34, 0xc9, 0xf4,
19982 -+ 0x66, 0xcb, 0x62, 0x12, 0xa6, 0xee, 0xe8, 0x1c,
19983 -+ 0x5d, 0x12, 0x86, 0xdb, 0x6f, 0x1c, 0x33, 0xc4,
19984 -+ 0x1c, 0xda, 0x82, 0x2d, 0x3b, 0x59, 0xfe, 0xb1,
19985 -+ 0xa4, 0x59, 0x41, 0x86, 0xd0, 0xef, 0xae, 0xfb,
19986 -+ 0xda, 0x6d, 0x11, 0xb8, 0xca, 0xe9, 0x6e, 0xff,
19987 -+ 0xf7, 0xa9, 0xd9, 0x70, 0x30, 0xfc, 0x53, 0xe2,
19988 -+ 0xd7, 0xa2, 0x4e, 0xc7, 0x91, 0xd9, 0x07, 0x06,
19989 -+ 0xaa, 0xdd, 0xb0, 0x59, 0x28, 0x1d, 0x00, 0x66,
19990 -+ 0xc5, 0x54, 0xc2, 0xfc, 0x06, 0xda, 0x05, 0x90,
19991 -+ 0x52, 0x1d, 0x37, 0x66, 0xee, 0xf0, 0xb2, 0x55,
19992 -+ 0x8a, 0x5d, 0xd2, 0x38, 0x86, 0x94, 0x9b, 0xfc,
19993 -+ 0x10, 0x4c, 0xa1, 0xb9, 0x64, 0x3e, 0x44, 0xb8,
19994 -+ 0x5f, 0xb0, 0x0c, 0xec, 0xe0, 0xc9, 0xe5, 0x62,
19995 -+ 0x75, 0x3f, 0x09, 0xd5, 0xf5, 0xd9, 0x26, 0xba,
19996 -+ 0x9e, 0xd2, 0xf4, 0xb9, 0x48, 0x0a, 0xbc, 0xa2,
19997 -+ 0xd6, 0x7c, 0x36, 0x11, 0x7d, 0x26, 0x81, 0x89,
19998 -+ 0xcf, 0xa4, 0xad, 0x73, 0x0e, 0xee, 0xcc, 0x06,
19999 -+ 0xa9, 0xdb, 0xb1, 0xfd, 0xfb, 0x09, 0x7f, 0x90,
20000 -+ 0x42, 0x37, 0x2f, 0xe1, 0x9c, 0x0f, 0x6f, 0xcf,
20001 -+ 0x43, 0xb5, 0xd9, 0x90, 0xe1, 0x85, 0xf5, 0xa8,
20002 -+ 0xae
20003 -+};
20004 -+static const u8 enc_assoc009[] __initconst = {
20005 -+ 0x5a, 0x27, 0xff, 0xeb, 0xdf, 0x84, 0xb2, 0x9e,
20006 -+ 0xef
20007 -+};
20008 -+static const u8 enc_nonce009[] __initconst = {
20009 -+ 0xef, 0x2d, 0x63, 0xee, 0x6b, 0x80, 0x8b, 0x78
20010 -+};
20011 -+static const u8 enc_key009[] __initconst = {
20012 -+ 0xea, 0xbc, 0x56, 0x99, 0xe3, 0x50, 0xff, 0xc5,
20013 -+ 0xcc, 0x1a, 0xd7, 0xc1, 0x57, 0x72, 0xea, 0x86,
20014 -+ 0x5b, 0x89, 0x88, 0x61, 0x3d, 0x2f, 0x9b, 0xb2,
20015 -+ 0xe7, 0x9c, 0xec, 0x74, 0x6e, 0x3e, 0xf4, 0x3b
20016 -+};
20017 -+
20018 -+static const u8 enc_input010[] __initconst = {
20019 -+ 0x42, 0x93, 0xe4, 0xeb, 0x97, 0xb0, 0x57, 0xbf,
20020 -+ 0x1a, 0x8b, 0x1f, 0xe4, 0x5f, 0x36, 0x20, 0x3c,
20021 -+ 0xef, 0x0a, 0xa9, 0x48, 0x5f, 0x5f, 0x37, 0x22,
20022 -+ 0x3a, 0xde, 0xe3, 0xae, 0xbe, 0xad, 0x07, 0xcc,
20023 -+ 0xb1, 0xf6, 0xf5, 0xf9, 0x56, 0xdd, 0xe7, 0x16,
20024 -+ 0x1e, 0x7f, 0xdf, 0x7a, 0x9e, 0x75, 0xb7, 0xc7,
20025 -+ 0xbe, 0xbe, 0x8a, 0x36, 0x04, 0xc0, 0x10, 0xf4,
20026 -+ 0x95, 0x20, 0x03, 0xec, 0xdc, 0x05, 0xa1, 0x7d,
20027 -+ 0xc4, 0xa9, 0x2c, 0x82, 0xd0, 0xbc, 0x8b, 0xc5,
20028 -+ 0xc7, 0x45, 0x50, 0xf6, 0xa2, 0x1a, 0xb5, 0x46,
20029 -+ 0x3b, 0x73, 0x02, 0xa6, 0x83, 0x4b, 0x73, 0x82,
20030 -+ 0x58, 0x5e, 0x3b, 0x65, 0x2f, 0x0e, 0xfd, 0x2b,
20031 -+ 0x59, 0x16, 0xce, 0xa1, 0x60, 0x9c, 0xe8, 0x3a,
20032 -+ 0x99, 0xed, 0x8d, 0x5a, 0xcf, 0xf6, 0x83, 0xaf,
20033 -+ 0xba, 0xd7, 0x73, 0x73, 0x40, 0x97, 0x3d, 0xca,
20034 -+ 0xef, 0x07, 0x57, 0xe6, 0xd9, 0x70, 0x0e, 0x95,
20035 -+ 0xae, 0xa6, 0x8d, 0x04, 0xcc, 0xee, 0xf7, 0x09,
20036 -+ 0x31, 0x77, 0x12, 0xa3, 0x23, 0x97, 0x62, 0xb3,
20037 -+ 0x7b, 0x32, 0xfb, 0x80, 0x14, 0x48, 0x81, 0xc3,
20038 -+ 0xe5, 0xea, 0x91, 0x39, 0x52, 0x81, 0xa2, 0x4f,
20039 -+ 0xe4, 0xb3, 0x09, 0xff, 0xde, 0x5e, 0xe9, 0x58,
20040 -+ 0x84, 0x6e, 0xf9, 0x3d, 0xdf, 0x25, 0xea, 0xad,
20041 -+ 0xae, 0xe6, 0x9a, 0xd1, 0x89, 0x55, 0xd3, 0xde,
20042 -+ 0x6c, 0x52, 0xdb, 0x70, 0xfe, 0x37, 0xce, 0x44,
20043 -+ 0x0a, 0xa8, 0x25, 0x5f, 0x92, 0xc1, 0x33, 0x4a,
20044 -+ 0x4f, 0x9b, 0x62, 0x35, 0xff, 0xce, 0xc0, 0xa9,
20045 -+ 0x60, 0xce, 0x52, 0x00, 0x97, 0x51, 0x35, 0x26,
20046 -+ 0x2e, 0xb9, 0x36, 0xa9, 0x87, 0x6e, 0x1e, 0xcc,
20047 -+ 0x91, 0x78, 0x53, 0x98, 0x86, 0x5b, 0x9c, 0x74,
20048 -+ 0x7d, 0x88, 0x33, 0xe1, 0xdf, 0x37, 0x69, 0x2b,
20049 -+ 0xbb, 0xf1, 0x4d, 0xf4, 0xd1, 0xf1, 0x39, 0x93,
20050 -+ 0x17, 0x51, 0x19, 0xe3, 0x19, 0x1e, 0x76, 0x37,
20051 -+ 0x25, 0xfb, 0x09, 0x27, 0x6a, 0xab, 0x67, 0x6f,
20052 -+ 0x14, 0x12, 0x64, 0xe7, 0xc4, 0x07, 0xdf, 0x4d,
20053 -+ 0x17, 0xbb, 0x6d, 0xe0, 0xe9, 0xb9, 0xab, 0xca,
20054 -+ 0x10, 0x68, 0xaf, 0x7e, 0xb7, 0x33, 0x54, 0x73,
20055 -+ 0x07, 0x6e, 0xf7, 0x81, 0x97, 0x9c, 0x05, 0x6f,
20056 -+ 0x84, 0x5f, 0xd2, 0x42, 0xfb, 0x38, 0xcf, 0xd1,
20057 -+ 0x2f, 0x14, 0x30, 0x88, 0x98, 0x4d, 0x5a, 0xa9,
20058 -+ 0x76, 0xd5, 0x4f, 0x3e, 0x70, 0x6c, 0x85, 0x76,
20059 -+ 0xd7, 0x01, 0xa0, 0x1a, 0xc8, 0x4e, 0xaa, 0xac,
20060 -+ 0x78, 0xfe, 0x46, 0xde, 0x6a, 0x05, 0x46, 0xa7,
20061 -+ 0x43, 0x0c, 0xb9, 0xde, 0xb9, 0x68, 0xfb, 0xce,
20062 -+ 0x42, 0x99, 0x07, 0x4d, 0x0b, 0x3b, 0x5a, 0x30,
20063 -+ 0x35, 0xa8, 0xf9, 0x3a, 0x73, 0xef, 0x0f, 0xdb,
20064 -+ 0x1e, 0x16, 0x42, 0xc4, 0xba, 0xae, 0x58, 0xaa,
20065 -+ 0xf8, 0xe5, 0x75, 0x2f, 0x1b, 0x15, 0x5c, 0xfd,
20066 -+ 0x0a, 0x97, 0xd0, 0xe4, 0x37, 0x83, 0x61, 0x5f,
20067 -+ 0x43, 0xa6, 0xc7, 0x3f, 0x38, 0x59, 0xe6, 0xeb,
20068 -+ 0xa3, 0x90, 0xc3, 0xaa, 0xaa, 0x5a, 0xd3, 0x34,
20069 -+ 0xd4, 0x17, 0xc8, 0x65, 0x3e, 0x57, 0xbc, 0x5e,
20070 -+ 0xdd, 0x9e, 0xb7, 0xf0, 0x2e, 0x5b, 0xb2, 0x1f,
20071 -+ 0x8a, 0x08, 0x0d, 0x45, 0x91, 0x0b, 0x29, 0x53,
20072 -+ 0x4f, 0x4c, 0x5a, 0x73, 0x56, 0xfe, 0xaf, 0x41,
20073 -+ 0x01, 0x39, 0x0a, 0x24, 0x3c, 0x7e, 0xbe, 0x4e,
20074 -+ 0x53, 0xf3, 0xeb, 0x06, 0x66, 0x51, 0x28, 0x1d,
20075 -+ 0xbd, 0x41, 0x0a, 0x01, 0xab, 0x16, 0x47, 0x27,
20076 -+ 0x47, 0x47, 0xf7, 0xcb, 0x46, 0x0a, 0x70, 0x9e,
20077 -+ 0x01, 0x9c, 0x09, 0xe1, 0x2a, 0x00, 0x1a, 0xd8,
20078 -+ 0xd4, 0x79, 0x9d, 0x80, 0x15, 0x8e, 0x53, 0x2a,
20079 -+ 0x65, 0x83, 0x78, 0x3e, 0x03, 0x00, 0x07, 0x12,
20080 -+ 0x1f, 0x33, 0x3e, 0x7b, 0x13, 0x37, 0xf1, 0xc3,
20081 -+ 0xef, 0xb7, 0xc1, 0x20, 0x3c, 0x3e, 0x67, 0x66,
20082 -+ 0x5d, 0x88, 0xa7, 0x7d, 0x33, 0x50, 0x77, 0xb0,
20083 -+ 0x28, 0x8e, 0xe7, 0x2c, 0x2e, 0x7a, 0xf4, 0x3c,
20084 -+ 0x8d, 0x74, 0x83, 0xaf, 0x8e, 0x87, 0x0f, 0xe4,
20085 -+ 0x50, 0xff, 0x84, 0x5c, 0x47, 0x0c, 0x6a, 0x49,
20086 -+ 0xbf, 0x42, 0x86, 0x77, 0x15, 0x48, 0xa5, 0x90,
20087 -+ 0x5d, 0x93, 0xd6, 0x2a, 0x11, 0xd5, 0xd5, 0x11,
20088 -+ 0xaa, 0xce, 0xe7, 0x6f, 0xa5, 0xb0, 0x09, 0x2c,
20089 -+ 0x8d, 0xd3, 0x92, 0xf0, 0x5a, 0x2a, 0xda, 0x5b,
20090 -+ 0x1e, 0xd5, 0x9a, 0xc4, 0xc4, 0xf3, 0x49, 0x74,
20091 -+ 0x41, 0xca, 0xe8, 0xc1, 0xf8, 0x44, 0xd6, 0x3c,
20092 -+ 0xae, 0x6c, 0x1d, 0x9a, 0x30, 0x04, 0x4d, 0x27,
20093 -+ 0x0e, 0xb1, 0x5f, 0x59, 0xa2, 0x24, 0xe8, 0xe1,
20094 -+ 0x98, 0xc5, 0x6a, 0x4c, 0xfe, 0x41, 0xd2, 0x27,
20095 -+ 0x42, 0x52, 0xe1, 0xe9, 0x7d, 0x62, 0xe4, 0x88,
20096 -+ 0x0f, 0xad, 0xb2, 0x70, 0xcb, 0x9d, 0x4c, 0x27,
20097 -+ 0x2e, 0x76, 0x1e, 0x1a, 0x63, 0x65, 0xf5, 0x3b,
20098 -+ 0xf8, 0x57, 0x69, 0xeb, 0x5b, 0x38, 0x26, 0x39,
20099 -+ 0x33, 0x25, 0x45, 0x3e, 0x91, 0xb8, 0xd8, 0xc7,
20100 -+ 0xd5, 0x42, 0xc0, 0x22, 0x31, 0x74, 0xf4, 0xbc,
20101 -+ 0x0c, 0x23, 0xf1, 0xca, 0xc1, 0x8d, 0xd7, 0xbe,
20102 -+ 0xc9, 0x62, 0xe4, 0x08, 0x1a, 0xcf, 0x36, 0xd5,
20103 -+ 0xfe, 0x55, 0x21, 0x59, 0x91, 0x87, 0x87, 0xdf,
20104 -+ 0x06, 0xdb, 0xdf, 0x96, 0x45, 0x58, 0xda, 0x05,
20105 -+ 0xcd, 0x50, 0x4d, 0xd2, 0x7d, 0x05, 0x18, 0x73,
20106 -+ 0x6a, 0x8d, 0x11, 0x85, 0xa6, 0x88, 0xe8, 0xda,
20107 -+ 0xe6, 0x30, 0x33, 0xa4, 0x89, 0x31, 0x75, 0xbe,
20108 -+ 0x69, 0x43, 0x84, 0x43, 0x50, 0x87, 0xdd, 0x71,
20109 -+ 0x36, 0x83, 0xc3, 0x78, 0x74, 0x24, 0x0a, 0xed,
20110 -+ 0x7b, 0xdb, 0xa4, 0x24, 0x0b, 0xb9, 0x7e, 0x5d,
20111 -+ 0xff, 0xde, 0xb1, 0xef, 0x61, 0x5a, 0x45, 0x33,
20112 -+ 0xf6, 0x17, 0x07, 0x08, 0x98, 0x83, 0x92, 0x0f,
20113 -+ 0x23, 0x6d, 0xe6, 0xaa, 0x17, 0x54, 0xad, 0x6a,
20114 -+ 0xc8, 0xdb, 0x26, 0xbe, 0xb8, 0xb6, 0x08, 0xfa,
20115 -+ 0x68, 0xf1, 0xd7, 0x79, 0x6f, 0x18, 0xb4, 0x9e,
20116 -+ 0x2d, 0x3f, 0x1b, 0x64, 0xaf, 0x8d, 0x06, 0x0e,
20117 -+ 0x49, 0x28, 0xe0, 0x5d, 0x45, 0x68, 0x13, 0x87,
20118 -+ 0xfa, 0xde, 0x40, 0x7b, 0xd2, 0xc3, 0x94, 0xd5,
20119 -+ 0xe1, 0xd9, 0xc2, 0xaf, 0x55, 0x89, 0xeb, 0xb4,
20120 -+ 0x12, 0x59, 0xa8, 0xd4, 0xc5, 0x29, 0x66, 0x38,
20121 -+ 0xe6, 0xac, 0x22, 0x22, 0xd9, 0x64, 0x9b, 0x34,
20122 -+ 0x0a, 0x32, 0x9f, 0xc2, 0xbf, 0x17, 0x6c, 0x3f,
20123 -+ 0x71, 0x7a, 0x38, 0x6b, 0x98, 0xfb, 0x49, 0x36,
20124 -+ 0x89, 0xc9, 0xe2, 0xd6, 0xc7, 0x5d, 0xd0, 0x69,
20125 -+ 0x5f, 0x23, 0x35, 0xc9, 0x30, 0xe2, 0xfd, 0x44,
20126 -+ 0x58, 0x39, 0xd7, 0x97, 0xfb, 0x5c, 0x00, 0xd5,
20127 -+ 0x4f, 0x7a, 0x1a, 0x95, 0x8b, 0x62, 0x4b, 0xce,
20128 -+ 0xe5, 0x91, 0x21, 0x7b, 0x30, 0x00, 0xd6, 0xdd,
20129 -+ 0x6d, 0x02, 0x86, 0x49, 0x0f, 0x3c, 0x1a, 0x27,
20130 -+ 0x3c, 0xd3, 0x0e, 0x71, 0xf2, 0xff, 0xf5, 0x2f,
20131 -+ 0x87, 0xac, 0x67, 0x59, 0x81, 0xa3, 0xf7, 0xf8,
20132 -+ 0xd6, 0x11, 0x0c, 0x84, 0xa9, 0x03, 0xee, 0x2a,
20133 -+ 0xc4, 0xf3, 0x22, 0xab, 0x7c, 0xe2, 0x25, 0xf5,
20134 -+ 0x67, 0xa3, 0xe4, 0x11, 0xe0, 0x59, 0xb3, 0xca,
20135 -+ 0x87, 0xa0, 0xae, 0xc9, 0xa6, 0x62, 0x1b, 0x6e,
20136 -+ 0x4d, 0x02, 0x6b, 0x07, 0x9d, 0xfd, 0xd0, 0x92,
20137 -+ 0x06, 0xe1, 0xb2, 0x9a, 0x4a, 0x1f, 0x1f, 0x13,
20138 -+ 0x49, 0x99, 0x97, 0x08, 0xde, 0x7f, 0x98, 0xaf,
20139 -+ 0x51, 0x98, 0xee, 0x2c, 0xcb, 0xf0, 0x0b, 0xc6,
20140 -+ 0xb6, 0xb7, 0x2d, 0x9a, 0xb1, 0xac, 0xa6, 0xe3,
20141 -+ 0x15, 0x77, 0x9d, 0x6b, 0x1a, 0xe4, 0xfc, 0x8b,
20142 -+ 0xf2, 0x17, 0x59, 0x08, 0x04, 0x58, 0x81, 0x9d,
20143 -+ 0x1b, 0x1b, 0x69, 0x55, 0xc2, 0xb4, 0x3c, 0x1f,
20144 -+ 0x50, 0xf1, 0x7f, 0x77, 0x90, 0x4c, 0x66, 0x40,
20145 -+ 0x5a, 0xc0, 0x33, 0x1f, 0xcb, 0x05, 0x6d, 0x5c,
20146 -+ 0x06, 0x87, 0x52, 0xa2, 0x8f, 0x26, 0xd5, 0x4f
20147 -+};
20148 -+static const u8 enc_output010[] __initconst = {
20149 -+ 0xe5, 0x26, 0xa4, 0x3d, 0xbd, 0x33, 0xd0, 0x4b,
20150 -+ 0x6f, 0x05, 0xa7, 0x6e, 0x12, 0x7a, 0xd2, 0x74,
20151 -+ 0xa6, 0xdd, 0xbd, 0x95, 0xeb, 0xf9, 0xa4, 0xf1,
20152 -+ 0x59, 0x93, 0x91, 0x70, 0xd9, 0xfe, 0x9a, 0xcd,
20153 -+ 0x53, 0x1f, 0x3a, 0xab, 0xa6, 0x7c, 0x9f, 0xa6,
20154 -+ 0x9e, 0xbd, 0x99, 0xd9, 0xb5, 0x97, 0x44, 0xd5,
20155 -+ 0x14, 0x48, 0x4d, 0x9d, 0xc0, 0xd0, 0x05, 0x96,
20156 -+ 0xeb, 0x4c, 0x78, 0x55, 0x09, 0x08, 0x01, 0x02,
20157 -+ 0x30, 0x90, 0x7b, 0x96, 0x7a, 0x7b, 0x5f, 0x30,
20158 -+ 0x41, 0x24, 0xce, 0x68, 0x61, 0x49, 0x86, 0x57,
20159 -+ 0x82, 0xdd, 0x53, 0x1c, 0x51, 0x28, 0x2b, 0x53,
20160 -+ 0x6e, 0x2d, 0xc2, 0x20, 0x4c, 0xdd, 0x8f, 0x65,
20161 -+ 0x10, 0x20, 0x50, 0xdd, 0x9d, 0x50, 0xe5, 0x71,
20162 -+ 0x40, 0x53, 0x69, 0xfc, 0x77, 0x48, 0x11, 0xb9,
20163 -+ 0xde, 0xa4, 0x8d, 0x58, 0xe4, 0xa6, 0x1a, 0x18,
20164 -+ 0x47, 0x81, 0x7e, 0xfc, 0xdd, 0xf6, 0xef, 0xce,
20165 -+ 0x2f, 0x43, 0x68, 0xd6, 0x06, 0xe2, 0x74, 0x6a,
20166 -+ 0xad, 0x90, 0xf5, 0x37, 0xf3, 0x3d, 0x82, 0x69,
20167 -+ 0x40, 0xe9, 0x6b, 0xa7, 0x3d, 0xa8, 0x1e, 0xd2,
20168 -+ 0x02, 0x7c, 0xb7, 0x9b, 0xe4, 0xda, 0x8f, 0x95,
20169 -+ 0x06, 0xc5, 0xdf, 0x73, 0xa3, 0x20, 0x9a, 0x49,
20170 -+ 0xde, 0x9c, 0xbc, 0xee, 0x14, 0x3f, 0x81, 0x5e,
20171 -+ 0xf8, 0x3b, 0x59, 0x3c, 0xe1, 0x68, 0x12, 0x5a,
20172 -+ 0x3a, 0x76, 0x3a, 0x3f, 0xf7, 0x87, 0x33, 0x0a,
20173 -+ 0x01, 0xb8, 0xd4, 0xed, 0xb6, 0xbe, 0x94, 0x5e,
20174 -+ 0x70, 0x40, 0x56, 0x67, 0x1f, 0x50, 0x44, 0x19,
20175 -+ 0xce, 0x82, 0x70, 0x10, 0x87, 0x13, 0x20, 0x0b,
20176 -+ 0x4c, 0x5a, 0xb6, 0xf6, 0xa7, 0xae, 0x81, 0x75,
20177 -+ 0x01, 0x81, 0xe6, 0x4b, 0x57, 0x7c, 0xdd, 0x6d,
20178 -+ 0xf8, 0x1c, 0x29, 0x32, 0xf7, 0xda, 0x3c, 0x2d,
20179 -+ 0xf8, 0x9b, 0x25, 0x6e, 0x00, 0xb4, 0xf7, 0x2f,
20180 -+ 0xf7, 0x04, 0xf7, 0xa1, 0x56, 0xac, 0x4f, 0x1a,
20181 -+ 0x64, 0xb8, 0x47, 0x55, 0x18, 0x7b, 0x07, 0x4d,
20182 -+ 0xbd, 0x47, 0x24, 0x80, 0x5d, 0xa2, 0x70, 0xc5,
20183 -+ 0xdd, 0x8e, 0x82, 0xd4, 0xeb, 0xec, 0xb2, 0x0c,
20184 -+ 0x39, 0xd2, 0x97, 0xc1, 0xcb, 0xeb, 0xf4, 0x77,
20185 -+ 0x59, 0xb4, 0x87, 0xef, 0xcb, 0x43, 0x2d, 0x46,
20186 -+ 0x54, 0xd1, 0xa7, 0xd7, 0x15, 0x99, 0x0a, 0x43,
20187 -+ 0xa1, 0xe0, 0x99, 0x33, 0x71, 0xc1, 0xed, 0xfe,
20188 -+ 0x72, 0x46, 0x33, 0x8e, 0x91, 0x08, 0x9f, 0xc8,
20189 -+ 0x2e, 0xca, 0xfa, 0xdc, 0x59, 0xd5, 0xc3, 0x76,
20190 -+ 0x84, 0x9f, 0xa3, 0x37, 0x68, 0xc3, 0xf0, 0x47,
20191 -+ 0x2c, 0x68, 0xdb, 0x5e, 0xc3, 0x49, 0x4c, 0xe8,
20192 -+ 0x92, 0x85, 0xe2, 0x23, 0xd3, 0x3f, 0xad, 0x32,
20193 -+ 0xe5, 0x2b, 0x82, 0xd7, 0x8f, 0x99, 0x0a, 0x59,
20194 -+ 0x5c, 0x45, 0xd9, 0xb4, 0x51, 0x52, 0xc2, 0xae,
20195 -+ 0xbf, 0x80, 0xcf, 0xc9, 0xc9, 0x51, 0x24, 0x2a,
20196 -+ 0x3b, 0x3a, 0x4d, 0xae, 0xeb, 0xbd, 0x22, 0xc3,
20197 -+ 0x0e, 0x0f, 0x59, 0x25, 0x92, 0x17, 0xe9, 0x74,
20198 -+ 0xc7, 0x8b, 0x70, 0x70, 0x36, 0x55, 0x95, 0x75,
20199 -+ 0x4b, 0xad, 0x61, 0x2b, 0x09, 0xbc, 0x82, 0xf2,
20200 -+ 0x6e, 0x94, 0x43, 0xae, 0xc3, 0xd5, 0xcd, 0x8e,
20201 -+ 0xfe, 0x5b, 0x9a, 0x88, 0x43, 0x01, 0x75, 0xb2,
20202 -+ 0x23, 0x09, 0xf7, 0x89, 0x83, 0xe7, 0xfa, 0xf9,
20203 -+ 0xb4, 0x9b, 0xf8, 0xef, 0xbd, 0x1c, 0x92, 0xc1,
20204 -+ 0xda, 0x7e, 0xfe, 0x05, 0xba, 0x5a, 0xcd, 0x07,
20205 -+ 0x6a, 0x78, 0x9e, 0x5d, 0xfb, 0x11, 0x2f, 0x79,
20206 -+ 0x38, 0xb6, 0xc2, 0x5b, 0x6b, 0x51, 0xb4, 0x71,
20207 -+ 0xdd, 0xf7, 0x2a, 0xe4, 0xf4, 0x72, 0x76, 0xad,
20208 -+ 0xc2, 0xdd, 0x64, 0x5d, 0x79, 0xb6, 0xf5, 0x7a,
20209 -+ 0x77, 0x20, 0x05, 0x3d, 0x30, 0x06, 0xd4, 0x4c,
20210 -+ 0x0a, 0x2c, 0x98, 0x5a, 0xb9, 0xd4, 0x98, 0xa9,
20211 -+ 0x3f, 0xc6, 0x12, 0xea, 0x3b, 0x4b, 0xc5, 0x79,
20212 -+ 0x64, 0x63, 0x6b, 0x09, 0x54, 0x3b, 0x14, 0x27,
20213 -+ 0xba, 0x99, 0x80, 0xc8, 0x72, 0xa8, 0x12, 0x90,
20214 -+ 0x29, 0xba, 0x40, 0x54, 0x97, 0x2b, 0x7b, 0xfe,
20215 -+ 0xeb, 0xcd, 0x01, 0x05, 0x44, 0x72, 0xdb, 0x99,
20216 -+ 0xe4, 0x61, 0xc9, 0x69, 0xd6, 0xb9, 0x28, 0xd1,
20217 -+ 0x05, 0x3e, 0xf9, 0x0b, 0x49, 0x0a, 0x49, 0xe9,
20218 -+ 0x8d, 0x0e, 0xa7, 0x4a, 0x0f, 0xaf, 0x32, 0xd0,
20219 -+ 0xe0, 0xb2, 0x3a, 0x55, 0x58, 0xfe, 0x5c, 0x28,
20220 -+ 0x70, 0x51, 0x23, 0xb0, 0x7b, 0x6a, 0x5f, 0x1e,
20221 -+ 0xb8, 0x17, 0xd7, 0x94, 0x15, 0x8f, 0xee, 0x20,
20222 -+ 0xc7, 0x42, 0x25, 0x3e, 0x9a, 0x14, 0xd7, 0x60,
20223 -+ 0x72, 0x39, 0x47, 0x48, 0xa9, 0xfe, 0xdd, 0x47,
20224 -+ 0x0a, 0xb1, 0xe6, 0x60, 0x28, 0x8c, 0x11, 0x68,
20225 -+ 0xe1, 0xff, 0xd7, 0xce, 0xc8, 0xbe, 0xb3, 0xfe,
20226 -+ 0x27, 0x30, 0x09, 0x70, 0xd7, 0xfa, 0x02, 0x33,
20227 -+ 0x3a, 0x61, 0x2e, 0xc7, 0xff, 0xa4, 0x2a, 0xa8,
20228 -+ 0x6e, 0xb4, 0x79, 0x35, 0x6d, 0x4c, 0x1e, 0x38,
20229 -+ 0xf8, 0xee, 0xd4, 0x84, 0x4e, 0x6e, 0x28, 0xa7,
20230 -+ 0xce, 0xc8, 0xc1, 0xcf, 0x80, 0x05, 0xf3, 0x04,
20231 -+ 0xef, 0xc8, 0x18, 0x28, 0x2e, 0x8d, 0x5e, 0x0c,
20232 -+ 0xdf, 0xb8, 0x5f, 0x96, 0xe8, 0xc6, 0x9c, 0x2f,
20233 -+ 0xe5, 0xa6, 0x44, 0xd7, 0xe7, 0x99, 0x44, 0x0c,
20234 -+ 0xec, 0xd7, 0x05, 0x60, 0x97, 0xbb, 0x74, 0x77,
20235 -+ 0x58, 0xd5, 0xbb, 0x48, 0xde, 0x5a, 0xb2, 0x54,
20236 -+ 0x7f, 0x0e, 0x46, 0x70, 0x6a, 0x6f, 0x78, 0xa5,
20237 -+ 0x08, 0x89, 0x05, 0x4e, 0x7e, 0xa0, 0x69, 0xb4,
20238 -+ 0x40, 0x60, 0x55, 0x77, 0x75, 0x9b, 0x19, 0xf2,
20239 -+ 0xd5, 0x13, 0x80, 0x77, 0xf9, 0x4b, 0x3f, 0x1e,
20240 -+ 0xee, 0xe6, 0x76, 0x84, 0x7b, 0x8c, 0xe5, 0x27,
20241 -+ 0xa8, 0x0a, 0x91, 0x01, 0x68, 0x71, 0x8a, 0x3f,
20242 -+ 0x06, 0xab, 0xf6, 0xa9, 0xa5, 0xe6, 0x72, 0x92,
20243 -+ 0xe4, 0x67, 0xe2, 0xa2, 0x46, 0x35, 0x84, 0x55,
20244 -+ 0x7d, 0xca, 0xa8, 0x85, 0xd0, 0xf1, 0x3f, 0xbe,
20245 -+ 0xd7, 0x34, 0x64, 0xfc, 0xae, 0xe3, 0xe4, 0x04,
20246 -+ 0x9f, 0x66, 0x02, 0xb9, 0x88, 0x10, 0xd9, 0xc4,
20247 -+ 0x4c, 0x31, 0x43, 0x7a, 0x93, 0xe2, 0x9b, 0x56,
20248 -+ 0x43, 0x84, 0xdc, 0xdc, 0xde, 0x1d, 0xa4, 0x02,
20249 -+ 0x0e, 0xc2, 0xef, 0xc3, 0xf8, 0x78, 0xd1, 0xb2,
20250 -+ 0x6b, 0x63, 0x18, 0xc9, 0xa9, 0xe5, 0x72, 0xd8,
20251 -+ 0xf3, 0xb9, 0xd1, 0x8a, 0xc7, 0x1a, 0x02, 0x27,
20252 -+ 0x20, 0x77, 0x10, 0xe5, 0xc8, 0xd4, 0x4a, 0x47,
20253 -+ 0xe5, 0xdf, 0x5f, 0x01, 0xaa, 0xb0, 0xd4, 0x10,
20254 -+ 0xbb, 0x69, 0xe3, 0x36, 0xc8, 0xe1, 0x3d, 0x43,
20255 -+ 0xfb, 0x86, 0xcd, 0xcc, 0xbf, 0xf4, 0x88, 0xe0,
20256 -+ 0x20, 0xca, 0xb7, 0x1b, 0xf1, 0x2f, 0x5c, 0xee,
20257 -+ 0xd4, 0xd3, 0xa3, 0xcc, 0xa4, 0x1e, 0x1c, 0x47,
20258 -+ 0xfb, 0xbf, 0xfc, 0xa2, 0x41, 0x55, 0x9d, 0xf6,
20259 -+ 0x5a, 0x5e, 0x65, 0x32, 0x34, 0x7b, 0x52, 0x8d,
20260 -+ 0xd5, 0xd0, 0x20, 0x60, 0x03, 0xab, 0x3f, 0x8c,
20261 -+ 0xd4, 0x21, 0xea, 0x2a, 0xd9, 0xc4, 0xd0, 0xd3,
20262 -+ 0x65, 0xd8, 0x7a, 0x13, 0x28, 0x62, 0x32, 0x4b,
20263 -+ 0x2c, 0x87, 0x93, 0xa8, 0xb4, 0x52, 0x45, 0x09,
20264 -+ 0x44, 0xec, 0xec, 0xc3, 0x17, 0xdb, 0x9a, 0x4d,
20265 -+ 0x5c, 0xa9, 0x11, 0xd4, 0x7d, 0xaf, 0x9e, 0xf1,
20266 -+ 0x2d, 0xb2, 0x66, 0xc5, 0x1d, 0xed, 0xb7, 0xcd,
20267 -+ 0x0b, 0x25, 0x5e, 0x30, 0x47, 0x3f, 0x40, 0xf4,
20268 -+ 0xa1, 0xa0, 0x00, 0x94, 0x10, 0xc5, 0x6a, 0x63,
20269 -+ 0x1a, 0xd5, 0x88, 0x92, 0x8e, 0x82, 0x39, 0x87,
20270 -+ 0x3c, 0x78, 0x65, 0x58, 0x42, 0x75, 0x5b, 0xdd,
20271 -+ 0x77, 0x3e, 0x09, 0x4e, 0x76, 0x5b, 0xe6, 0x0e,
20272 -+ 0x4d, 0x38, 0xb2, 0xc0, 0xb8, 0x95, 0x01, 0x7a,
20273 -+ 0x10, 0xe0, 0xfb, 0x07, 0xf2, 0xab, 0x2d, 0x8c,
20274 -+ 0x32, 0xed, 0x2b, 0xc0, 0x46, 0xc2, 0xf5, 0x38,
20275 -+ 0x83, 0xf0, 0x17, 0xec, 0xc1, 0x20, 0x6a, 0x9a,
20276 -+ 0x0b, 0x00, 0xa0, 0x98, 0x22, 0x50, 0x23, 0xd5,
20277 -+ 0x80, 0x6b, 0xf6, 0x1f, 0xc3, 0xcc, 0x97, 0xc9,
20278 -+ 0x24, 0x9f, 0xf3, 0xaf, 0x43, 0x14, 0xd5, 0xa0
20279 -+};
20280 -+static const u8 enc_assoc010[] __initconst = {
20281 -+ 0xd2, 0xa1, 0x70, 0xdb, 0x7a, 0xf8, 0xfa, 0x27,
20282 -+ 0xba, 0x73, 0x0f, 0xbf, 0x3d, 0x1e, 0x82, 0xb2
20283 -+};
20284 -+static const u8 enc_nonce010[] __initconst = {
20285 -+ 0xdb, 0x92, 0x0f, 0x7f, 0x17, 0x54, 0x0c, 0x30
20286 -+};
20287 -+static const u8 enc_key010[] __initconst = {
20288 -+ 0x47, 0x11, 0xeb, 0x86, 0x2b, 0x2c, 0xab, 0x44,
20289 -+ 0x34, 0xda, 0x7f, 0x57, 0x03, 0x39, 0x0c, 0xaf,
20290 -+ 0x2c, 0x14, 0xfd, 0x65, 0x23, 0xe9, 0x8e, 0x74,
20291 -+ 0xd5, 0x08, 0x68, 0x08, 0xe7, 0xb4, 0x72, 0xd7
20292 -+};
20293 -+
20294 -+static const u8 enc_input011[] __initconst = {
20295 -+ 0x7a, 0x57, 0xf2, 0xc7, 0x06, 0x3f, 0x50, 0x7b,
20296 -+ 0x36, 0x1a, 0x66, 0x5c, 0xb9, 0x0e, 0x5e, 0x3b,
20297 -+ 0x45, 0x60, 0xbe, 0x9a, 0x31, 0x9f, 0xff, 0x5d,
20298 -+ 0x66, 0x34, 0xb4, 0xdc, 0xfb, 0x9d, 0x8e, 0xee,
20299 -+ 0x6a, 0x33, 0xa4, 0x07, 0x3c, 0xf9, 0x4c, 0x30,
20300 -+ 0xa1, 0x24, 0x52, 0xf9, 0x50, 0x46, 0x88, 0x20,
20301 -+ 0x02, 0x32, 0x3a, 0x0e, 0x99, 0x63, 0xaf, 0x1f,
20302 -+ 0x15, 0x28, 0x2a, 0x05, 0xff, 0x57, 0x59, 0x5e,
20303 -+ 0x18, 0xa1, 0x1f, 0xd0, 0x92, 0x5c, 0x88, 0x66,
20304 -+ 0x1b, 0x00, 0x64, 0xa5, 0x93, 0x8d, 0x06, 0x46,
20305 -+ 0xb0, 0x64, 0x8b, 0x8b, 0xef, 0x99, 0x05, 0x35,
20306 -+ 0x85, 0xb3, 0xf3, 0x33, 0xbb, 0xec, 0x66, 0xb6,
20307 -+ 0x3d, 0x57, 0x42, 0xe3, 0xb4, 0xc6, 0xaa, 0xb0,
20308 -+ 0x41, 0x2a, 0xb9, 0x59, 0xa9, 0xf6, 0x3e, 0x15,
20309 -+ 0x26, 0x12, 0x03, 0x21, 0x4c, 0x74, 0x43, 0x13,
20310 -+ 0x2a, 0x03, 0x27, 0x09, 0xb4, 0xfb, 0xe7, 0xb7,
20311 -+ 0x40, 0xff, 0x5e, 0xce, 0x48, 0x9a, 0x60, 0xe3,
20312 -+ 0x8b, 0x80, 0x8c, 0x38, 0x2d, 0xcb, 0x93, 0x37,
20313 -+ 0x74, 0x05, 0x52, 0x6f, 0x73, 0x3e, 0xc3, 0xbc,
20314 -+ 0xca, 0x72, 0x0a, 0xeb, 0xf1, 0x3b, 0xa0, 0x95,
20315 -+ 0xdc, 0x8a, 0xc4, 0xa9, 0xdc, 0xca, 0x44, 0xd8,
20316 -+ 0x08, 0x63, 0x6a, 0x36, 0xd3, 0x3c, 0xb8, 0xac,
20317 -+ 0x46, 0x7d, 0xfd, 0xaa, 0xeb, 0x3e, 0x0f, 0x45,
20318 -+ 0x8f, 0x49, 0xda, 0x2b, 0xf2, 0x12, 0xbd, 0xaf,
20319 -+ 0x67, 0x8a, 0x63, 0x48, 0x4b, 0x55, 0x5f, 0x6d,
20320 -+ 0x8c, 0xb9, 0x76, 0x34, 0x84, 0xae, 0xc2, 0xfc,
20321 -+ 0x52, 0x64, 0x82, 0xf7, 0xb0, 0x06, 0xf0, 0x45,
20322 -+ 0x73, 0x12, 0x50, 0x30, 0x72, 0xea, 0x78, 0x9a,
20323 -+ 0xa8, 0xaf, 0xb5, 0xe3, 0xbb, 0x77, 0x52, 0xec,
20324 -+ 0x59, 0x84, 0xbf, 0x6b, 0x8f, 0xce, 0x86, 0x5e,
20325 -+ 0x1f, 0x23, 0xe9, 0xfb, 0x08, 0x86, 0xf7, 0x10,
20326 -+ 0xb9, 0xf2, 0x44, 0x96, 0x44, 0x63, 0xa9, 0xa8,
20327 -+ 0x78, 0x00, 0x23, 0xd6, 0xc7, 0xe7, 0x6e, 0x66,
20328 -+ 0x4f, 0xcc, 0xee, 0x15, 0xb3, 0xbd, 0x1d, 0xa0,
20329 -+ 0xe5, 0x9c, 0x1b, 0x24, 0x2c, 0x4d, 0x3c, 0x62,
20330 -+ 0x35, 0x9c, 0x88, 0x59, 0x09, 0xdd, 0x82, 0x1b,
20331 -+ 0xcf, 0x0a, 0x83, 0x6b, 0x3f, 0xae, 0x03, 0xc4,
20332 -+ 0xb4, 0xdd, 0x7e, 0x5b, 0x28, 0x76, 0x25, 0x96,
20333 -+ 0xd9, 0xc9, 0x9d, 0x5f, 0x86, 0xfa, 0xf6, 0xd7,
20334 -+ 0xd2, 0xe6, 0x76, 0x1d, 0x0f, 0xa1, 0xdc, 0x74,
20335 -+ 0x05, 0x1b, 0x1d, 0xe0, 0xcd, 0x16, 0xb0, 0xa8,
20336 -+ 0x8a, 0x34, 0x7b, 0x15, 0x11, 0x77, 0xe5, 0x7b,
20337 -+ 0x7e, 0x20, 0xf7, 0xda, 0x38, 0xda, 0xce, 0x70,
20338 -+ 0xe9, 0xf5, 0x6c, 0xd9, 0xbe, 0x0c, 0x4c, 0x95,
20339 -+ 0x4c, 0xc2, 0x9b, 0x34, 0x55, 0x55, 0xe1, 0xf3,
20340 -+ 0x46, 0x8e, 0x48, 0x74, 0x14, 0x4f, 0x9d, 0xc9,
20341 -+ 0xf5, 0xe8, 0x1a, 0xf0, 0x11, 0x4a, 0xc1, 0x8d,
20342 -+ 0xe0, 0x93, 0xa0, 0xbe, 0x09, 0x1c, 0x2b, 0x4e,
20343 -+ 0x0f, 0xb2, 0x87, 0x8b, 0x84, 0xfe, 0x92, 0x32,
20344 -+ 0x14, 0xd7, 0x93, 0xdf, 0xe7, 0x44, 0xbc, 0xc5,
20345 -+ 0xae, 0x53, 0x69, 0xd8, 0xb3, 0x79, 0x37, 0x80,
20346 -+ 0xe3, 0x17, 0x5c, 0xec, 0x53, 0x00, 0x9a, 0xe3,
20347 -+ 0x8e, 0xdc, 0x38, 0xb8, 0x66, 0xf0, 0xd3, 0xad,
20348 -+ 0x1d, 0x02, 0x96, 0x86, 0x3e, 0x9d, 0x3b, 0x5d,
20349 -+ 0xa5, 0x7f, 0x21, 0x10, 0xf1, 0x1f, 0x13, 0x20,
20350 -+ 0xf9, 0x57, 0x87, 0x20, 0xf5, 0x5f, 0xf1, 0x17,
20351 -+ 0x48, 0x0a, 0x51, 0x5a, 0xcd, 0x19, 0x03, 0xa6,
20352 -+ 0x5a, 0xd1, 0x12, 0x97, 0xe9, 0x48, 0xe2, 0x1d,
20353 -+ 0x83, 0x75, 0x50, 0xd9, 0x75, 0x7d, 0x6a, 0x82,
20354 -+ 0xa1, 0xf9, 0x4e, 0x54, 0x87, 0x89, 0xc9, 0x0c,
20355 -+ 0xb7, 0x5b, 0x6a, 0x91, 0xc1, 0x9c, 0xb2, 0xa9,
20356 -+ 0xdc, 0x9a, 0xa4, 0x49, 0x0a, 0x6d, 0x0d, 0xbb,
20357 -+ 0xde, 0x86, 0x44, 0xdd, 0x5d, 0x89, 0x2b, 0x96,
20358 -+ 0x0f, 0x23, 0x95, 0xad, 0xcc, 0xa2, 0xb3, 0xb9,
20359 -+ 0x7e, 0x74, 0x38, 0xba, 0x9f, 0x73, 0xae, 0x5f,
20360 -+ 0xf8, 0x68, 0xa2, 0xe0, 0xa9, 0xce, 0xbd, 0x40,
20361 -+ 0xd4, 0x4c, 0x6b, 0xd2, 0x56, 0x62, 0xb0, 0xcc,
20362 -+ 0x63, 0x7e, 0x5b, 0xd3, 0xae, 0xd1, 0x75, 0xce,
20363 -+ 0xbb, 0xb4, 0x5b, 0xa8, 0xf8, 0xb4, 0xac, 0x71,
20364 -+ 0x75, 0xaa, 0xc9, 0x9f, 0xbb, 0x6c, 0xad, 0x0f,
20365 -+ 0x55, 0x5d, 0xe8, 0x85, 0x7d, 0xf9, 0x21, 0x35,
20366 -+ 0xea, 0x92, 0x85, 0x2b, 0x00, 0xec, 0x84, 0x90,
20367 -+ 0x0a, 0x63, 0x96, 0xe4, 0x6b, 0xa9, 0x77, 0xb8,
20368 -+ 0x91, 0xf8, 0x46, 0x15, 0x72, 0x63, 0x70, 0x01,
20369 -+ 0x40, 0xa3, 0xa5, 0x76, 0x62, 0x2b, 0xbf, 0xf1,
20370 -+ 0xe5, 0x8d, 0x9f, 0xa3, 0xfa, 0x9b, 0x03, 0xbe,
20371 -+ 0xfe, 0x65, 0x6f, 0xa2, 0x29, 0x0d, 0x54, 0xb4,
20372 -+ 0x71, 0xce, 0xa9, 0xd6, 0x3d, 0x88, 0xf9, 0xaf,
20373 -+ 0x6b, 0xa8, 0x9e, 0xf4, 0x16, 0x96, 0x36, 0xb9,
20374 -+ 0x00, 0xdc, 0x10, 0xab, 0xb5, 0x08, 0x31, 0x1f,
20375 -+ 0x00, 0xb1, 0x3c, 0xd9, 0x38, 0x3e, 0xc6, 0x04,
20376 -+ 0xa7, 0x4e, 0xe8, 0xae, 0xed, 0x98, 0xc2, 0xf7,
20377 -+ 0xb9, 0x00, 0x5f, 0x8c, 0x60, 0xd1, 0xe5, 0x15,
20378 -+ 0xf7, 0xae, 0x1e, 0x84, 0x88, 0xd1, 0xf6, 0xbc,
20379 -+ 0x3a, 0x89, 0x35, 0x22, 0x83, 0x7c, 0xca, 0xf0,
20380 -+ 0x33, 0x82, 0x4c, 0x79, 0x3c, 0xfd, 0xb1, 0xae,
20381 -+ 0x52, 0x62, 0x55, 0xd2, 0x41, 0x60, 0xc6, 0xbb,
20382 -+ 0xfa, 0x0e, 0x59, 0xd6, 0xa8, 0xfe, 0x5d, 0xed,
20383 -+ 0x47, 0x3d, 0xe0, 0xea, 0x1f, 0x6e, 0x43, 0x51,
20384 -+ 0xec, 0x10, 0x52, 0x56, 0x77, 0x42, 0x6b, 0x52,
20385 -+ 0x87, 0xd8, 0xec, 0xe0, 0xaa, 0x76, 0xa5, 0x84,
20386 -+ 0x2a, 0x22, 0x24, 0xfd, 0x92, 0x40, 0x88, 0xd5,
20387 -+ 0x85, 0x1c, 0x1f, 0x6b, 0x47, 0xa0, 0xc4, 0xe4,
20388 -+ 0xef, 0xf4, 0xea, 0xd7, 0x59, 0xac, 0x2a, 0x9e,
20389 -+ 0x8c, 0xfa, 0x1f, 0x42, 0x08, 0xfe, 0x4f, 0x74,
20390 -+ 0xa0, 0x26, 0xf5, 0xb3, 0x84, 0xf6, 0x58, 0x5f,
20391 -+ 0x26, 0x66, 0x3e, 0xd7, 0xe4, 0x22, 0x91, 0x13,
20392 -+ 0xc8, 0xac, 0x25, 0x96, 0x23, 0xd8, 0x09, 0xea,
20393 -+ 0x45, 0x75, 0x23, 0xb8, 0x5f, 0xc2, 0x90, 0x8b,
20394 -+ 0x09, 0xc4, 0xfc, 0x47, 0x6c, 0x6d, 0x0a, 0xef,
20395 -+ 0x69, 0xa4, 0x38, 0x19, 0xcf, 0x7d, 0xf9, 0x09,
20396 -+ 0x73, 0x9b, 0x60, 0x5a, 0xf7, 0x37, 0xb5, 0xfe,
20397 -+ 0x9f, 0xe3, 0x2b, 0x4c, 0x0d, 0x6e, 0x19, 0xf1,
20398 -+ 0xd6, 0xc0, 0x70, 0xf3, 0x9d, 0x22, 0x3c, 0xf9,
20399 -+ 0x49, 0xce, 0x30, 0x8e, 0x44, 0xb5, 0x76, 0x15,
20400 -+ 0x8f, 0x52, 0xfd, 0xa5, 0x04, 0xb8, 0x55, 0x6a,
20401 -+ 0x36, 0x59, 0x7c, 0xc4, 0x48, 0xb8, 0xd7, 0xab,
20402 -+ 0x05, 0x66, 0xe9, 0x5e, 0x21, 0x6f, 0x6b, 0x36,
20403 -+ 0x29, 0xbb, 0xe9, 0xe3, 0xa2, 0x9a, 0xa8, 0xcd,
20404 -+ 0x55, 0x25, 0x11, 0xba, 0x5a, 0x58, 0xa0, 0xde,
20405 -+ 0xae, 0x19, 0x2a, 0x48, 0x5a, 0xff, 0x36, 0xcd,
20406 -+ 0x6d, 0x16, 0x7a, 0x73, 0x38, 0x46, 0xe5, 0x47,
20407 -+ 0x59, 0xc8, 0xa2, 0xf6, 0xe2, 0x6c, 0x83, 0xc5,
20408 -+ 0x36, 0x2c, 0x83, 0x7d, 0xb4, 0x01, 0x05, 0x69,
20409 -+ 0xe7, 0xaf, 0x5c, 0xc4, 0x64, 0x82, 0x12, 0x21,
20410 -+ 0xef, 0xf7, 0xd1, 0x7d, 0xb8, 0x8d, 0x8c, 0x98,
20411 -+ 0x7c, 0x5f, 0x7d, 0x92, 0x88, 0xb9, 0x94, 0x07,
20412 -+ 0x9c, 0xd8, 0xe9, 0x9c, 0x17, 0x38, 0xe3, 0x57,
20413 -+ 0x6c, 0xe0, 0xdc, 0xa5, 0x92, 0x42, 0xb3, 0xbd,
20414 -+ 0x50, 0xa2, 0x7e, 0xb5, 0xb1, 0x52, 0x72, 0x03,
20415 -+ 0x97, 0xd8, 0xaa, 0x9a, 0x1e, 0x75, 0x41, 0x11,
20416 -+ 0xa3, 0x4f, 0xcc, 0xd4, 0xe3, 0x73, 0xad, 0x96,
20417 -+ 0xdc, 0x47, 0x41, 0x9f, 0xb0, 0xbe, 0x79, 0x91,
20418 -+ 0xf5, 0xb6, 0x18, 0xfe, 0xc2, 0x83, 0x18, 0x7d,
20419 -+ 0x73, 0xd9, 0x4f, 0x83, 0x84, 0x03, 0xb3, 0xf0,
20420 -+ 0x77, 0x66, 0x3d, 0x83, 0x63, 0x2e, 0x2c, 0xf9,
20421 -+ 0xdd, 0xa6, 0x1f, 0x89, 0x82, 0xb8, 0x23, 0x42,
20422 -+ 0xeb, 0xe2, 0xca, 0x70, 0x82, 0x61, 0x41, 0x0a,
20423 -+ 0x6d, 0x5f, 0x75, 0xc5, 0xe2, 0xc4, 0x91, 0x18,
20424 -+ 0x44, 0x22, 0xfa, 0x34, 0x10, 0xf5, 0x20, 0xdc,
20425 -+ 0xb7, 0xdd, 0x2a, 0x20, 0x77, 0xf5, 0xf9, 0xce,
20426 -+ 0xdb, 0xa0, 0x0a, 0x52, 0x2a, 0x4e, 0xdd, 0xcc,
20427 -+ 0x97, 0xdf, 0x05, 0xe4, 0x5e, 0xb7, 0xaa, 0xf0,
20428 -+ 0xe2, 0x80, 0xff, 0xba, 0x1a, 0x0f, 0xac, 0xdf,
20429 -+ 0x02, 0x32, 0xe6, 0xf7, 0xc7, 0x17, 0x13, 0xb7,
20430 -+ 0xfc, 0x98, 0x48, 0x8c, 0x0d, 0x82, 0xc9, 0x80,
20431 -+ 0x7a, 0xe2, 0x0a, 0xc5, 0xb4, 0xde, 0x7c, 0x3c,
20432 -+ 0x79, 0x81, 0x0e, 0x28, 0x65, 0x79, 0x67, 0x82,
20433 -+ 0x69, 0x44, 0x66, 0x09, 0xf7, 0x16, 0x1a, 0xf9,
20434 -+ 0x7d, 0x80, 0xa1, 0x79, 0x14, 0xa9, 0xc8, 0x20,
20435 -+ 0xfb, 0xa2, 0x46, 0xbe, 0x08, 0x35, 0x17, 0x58,
20436 -+ 0xc1, 0x1a, 0xda, 0x2a, 0x6b, 0x2e, 0x1e, 0xe6,
20437 -+ 0x27, 0x55, 0x7b, 0x19, 0xe2, 0xfb, 0x64, 0xfc,
20438 -+ 0x5e, 0x15, 0x54, 0x3c, 0xe7, 0xc2, 0x11, 0x50,
20439 -+ 0x30, 0xb8, 0x72, 0x03, 0x0b, 0x1a, 0x9f, 0x86,
20440 -+ 0x27, 0x11, 0x5c, 0x06, 0x2b, 0xbd, 0x75, 0x1a,
20441 -+ 0x0a, 0xda, 0x01, 0xfa, 0x5c, 0x4a, 0xc1, 0x80,
20442 -+ 0x3a, 0x6e, 0x30, 0xc8, 0x2c, 0xeb, 0x56, 0xec,
20443 -+ 0x89, 0xfa, 0x35, 0x7b, 0xb2, 0xf0, 0x97, 0x08,
20444 -+ 0x86, 0x53, 0xbe, 0xbd, 0x40, 0x41, 0x38, 0x1c,
20445 -+ 0xb4, 0x8b, 0x79, 0x2e, 0x18, 0x96, 0x94, 0xde,
20446 -+ 0xe8, 0xca, 0xe5, 0x9f, 0x92, 0x9f, 0x15, 0x5d,
20447 -+ 0x56, 0x60, 0x5c, 0x09, 0xf9, 0x16, 0xf4, 0x17,
20448 -+ 0x0f, 0xf6, 0x4c, 0xda, 0xe6, 0x67, 0x89, 0x9f,
20449 -+ 0xca, 0x6c, 0xe7, 0x9b, 0x04, 0x62, 0x0e, 0x26,
20450 -+ 0xa6, 0x52, 0xbd, 0x29, 0xff, 0xc7, 0xa4, 0x96,
20451 -+ 0xe6, 0x6a, 0x02, 0xa5, 0x2e, 0x7b, 0xfe, 0x97,
20452 -+ 0x68, 0x3e, 0x2e, 0x5f, 0x3b, 0x0f, 0x36, 0xd6,
20453 -+ 0x98, 0x19, 0x59, 0x48, 0xd2, 0xc6, 0xe1, 0x55,
20454 -+ 0x1a, 0x6e, 0xd6, 0xed, 0x2c, 0xba, 0xc3, 0x9e,
20455 -+ 0x64, 0xc9, 0x95, 0x86, 0x35, 0x5e, 0x3e, 0x88,
20456 -+ 0x69, 0x99, 0x4b, 0xee, 0xbe, 0x9a, 0x99, 0xb5,
20457 -+ 0x6e, 0x58, 0xae, 0xdd, 0x22, 0xdb, 0xdd, 0x6b,
20458 -+ 0xfc, 0xaf, 0x90, 0xa3, 0x3d, 0xa4, 0xc1, 0x15,
20459 -+ 0x92, 0x18, 0x8d, 0xd2, 0x4b, 0x7b, 0x06, 0xd1,
20460 -+ 0x37, 0xb5, 0xe2, 0x7c, 0x2c, 0xf0, 0x25, 0xe4,
20461 -+ 0x94, 0x2a, 0xbd, 0xe3, 0x82, 0x70, 0x78, 0xa3,
20462 -+ 0x82, 0x10, 0x5a, 0x90, 0xd7, 0xa4, 0xfa, 0xaf,
20463 -+ 0x1a, 0x88, 0x59, 0xdc, 0x74, 0x12, 0xb4, 0x8e,
20464 -+ 0xd7, 0x19, 0x46, 0xf4, 0x84, 0x69, 0x9f, 0xbb,
20465 -+ 0x70, 0xa8, 0x4c, 0x52, 0x81, 0xa9, 0xff, 0x76,
20466 -+ 0x1c, 0xae, 0xd8, 0x11, 0x3d, 0x7f, 0x7d, 0xc5,
20467 -+ 0x12, 0x59, 0x28, 0x18, 0xc2, 0xa2, 0xb7, 0x1c,
20468 -+ 0x88, 0xf8, 0xd6, 0x1b, 0xa6, 0x7d, 0x9e, 0xde,
20469 -+ 0x29, 0xf8, 0xed, 0xff, 0xeb, 0x92, 0x24, 0x4f,
20470 -+ 0x05, 0xaa, 0xd9, 0x49, 0xba, 0x87, 0x59, 0x51,
20471 -+ 0xc9, 0x20, 0x5c, 0x9b, 0x74, 0xcf, 0x03, 0xd9,
20472 -+ 0x2d, 0x34, 0xc7, 0x5b, 0xa5, 0x40, 0xb2, 0x99,
20473 -+ 0xf5, 0xcb, 0xb4, 0xf6, 0xb7, 0x72, 0x4a, 0xd6,
20474 -+ 0xbd, 0xb0, 0xf3, 0x93, 0xe0, 0x1b, 0xa8, 0x04,
20475 -+ 0x1e, 0x35, 0xd4, 0x80, 0x20, 0xf4, 0x9c, 0x31,
20476 -+ 0x6b, 0x45, 0xb9, 0x15, 0xb0, 0x5e, 0xdd, 0x0a,
20477 -+ 0x33, 0x9c, 0x83, 0xcd, 0x58, 0x89, 0x50, 0x56,
20478 -+ 0xbb, 0x81, 0x00, 0x91, 0x32, 0xf3, 0x1b, 0x3e,
20479 -+ 0xcf, 0x45, 0xe1, 0xf9, 0xe1, 0x2c, 0x26, 0x78,
20480 -+ 0x93, 0x9a, 0x60, 0x46, 0xc9, 0xb5, 0x5e, 0x6a,
20481 -+ 0x28, 0x92, 0x87, 0x3f, 0x63, 0x7b, 0xdb, 0xf7,
20482 -+ 0xd0, 0x13, 0x9d, 0x32, 0x40, 0x5e, 0xcf, 0xfb,
20483 -+ 0x79, 0x68, 0x47, 0x4c, 0xfd, 0x01, 0x17, 0xe6,
20484 -+ 0x97, 0x93, 0x78, 0xbb, 0xa6, 0x27, 0xa3, 0xe8,
20485 -+ 0x1a, 0xe8, 0x94, 0x55, 0x7d, 0x08, 0xe5, 0xdc,
20486 -+ 0x66, 0xa3, 0x69, 0xc8, 0xca, 0xc5, 0xa1, 0x84,
20487 -+ 0x55, 0xde, 0x08, 0x91, 0x16, 0x3a, 0x0c, 0x86,
20488 -+ 0xab, 0x27, 0x2b, 0x64, 0x34, 0x02, 0x6c, 0x76,
20489 -+ 0x8b, 0xc6, 0xaf, 0xcc, 0xe1, 0xd6, 0x8c, 0x2a,
20490 -+ 0x18, 0x3d, 0xa6, 0x1b, 0x37, 0x75, 0x45, 0x73,
20491 -+ 0xc2, 0x75, 0xd7, 0x53, 0x78, 0x3a, 0xd6, 0xe8,
20492 -+ 0x29, 0xd2, 0x4a, 0xa8, 0x1e, 0x82, 0xf6, 0xb6,
20493 -+ 0x81, 0xde, 0x21, 0xed, 0x2b, 0x56, 0xbb, 0xf2,
20494 -+ 0xd0, 0x57, 0xc1, 0x7c, 0xd2, 0x6a, 0xd2, 0x56,
20495 -+ 0xf5, 0x13, 0x5f, 0x1c, 0x6a, 0x0b, 0x74, 0xfb,
20496 -+ 0xe9, 0xfe, 0x9e, 0xea, 0x95, 0xb2, 0x46, 0xab,
20497 -+ 0x0a, 0xfc, 0xfd, 0xf3, 0xbb, 0x04, 0x2b, 0x76,
20498 -+ 0x1b, 0xa4, 0x74, 0xb0, 0xc1, 0x78, 0xc3, 0x69,
20499 -+ 0xe2, 0xb0, 0x01, 0xe1, 0xde, 0x32, 0x4c, 0x8d,
20500 -+ 0x1a, 0xb3, 0x38, 0x08, 0xd5, 0xfc, 0x1f, 0xdc,
20501 -+ 0x0e, 0x2c, 0x9c, 0xb1, 0xa1, 0x63, 0x17, 0x22,
20502 -+ 0xf5, 0x6c, 0x93, 0x70, 0x74, 0x00, 0xf8, 0x39,
20503 -+ 0x01, 0x94, 0xd1, 0x32, 0x23, 0x56, 0x5d, 0xa6,
20504 -+ 0x02, 0x76, 0x76, 0x93, 0xce, 0x2f, 0x19, 0xe9,
20505 -+ 0x17, 0x52, 0xae, 0x6e, 0x2c, 0x6d, 0x61, 0x7f,
20506 -+ 0x3b, 0xaa, 0xe0, 0x52, 0x85, 0xc5, 0x65, 0xc1,
20507 -+ 0xbb, 0x8e, 0x5b, 0x21, 0xd5, 0xc9, 0x78, 0x83,
20508 -+ 0x07, 0x97, 0x4c, 0x62, 0x61, 0x41, 0xd4, 0xfc,
20509 -+ 0xc9, 0x39, 0xe3, 0x9b, 0xd0, 0xcc, 0x75, 0xc4,
20510 -+ 0x97, 0xe6, 0xdd, 0x2a, 0x5f, 0xa6, 0xe8, 0x59,
20511 -+ 0x6c, 0x98, 0xb9, 0x02, 0xe2, 0xa2, 0xd6, 0x68,
20512 -+ 0xee, 0x3b, 0x1d, 0xe3, 0x4d, 0x5b, 0x30, 0xef,
20513 -+ 0x03, 0xf2, 0xeb, 0x18, 0x57, 0x36, 0xe8, 0xa1,
20514 -+ 0xf4, 0x47, 0xfb, 0xcb, 0x8f, 0xcb, 0xc8, 0xf3,
20515 -+ 0x4f, 0x74, 0x9d, 0x9d, 0xb1, 0x8d, 0x14, 0x44,
20516 -+ 0xd9, 0x19, 0xb4, 0x54, 0x4f, 0x75, 0x19, 0x09,
20517 -+ 0xa0, 0x75, 0xbc, 0x3b, 0x82, 0xc6, 0x3f, 0xb8,
20518 -+ 0x83, 0x19, 0x6e, 0xd6, 0x37, 0xfe, 0x6e, 0x8a,
20519 -+ 0x4e, 0xe0, 0x4a, 0xab, 0x7b, 0xc8, 0xb4, 0x1d,
20520 -+ 0xf4, 0xed, 0x27, 0x03, 0x65, 0xa2, 0xa1, 0xae,
20521 -+ 0x11, 0xe7, 0x98, 0x78, 0x48, 0x91, 0xd2, 0xd2,
20522 -+ 0xd4, 0x23, 0x78, 0x50, 0xb1, 0x5b, 0x85, 0x10,
20523 -+ 0x8d, 0xca, 0x5f, 0x0f, 0x71, 0xae, 0x72, 0x9a,
20524 -+ 0xf6, 0x25, 0x19, 0x60, 0x06, 0xf7, 0x10, 0x34,
20525 -+ 0x18, 0x0d, 0xc9, 0x9f, 0x7b, 0x0c, 0x9b, 0x8f,
20526 -+ 0x91, 0x1b, 0x9f, 0xcd, 0x10, 0xee, 0x75, 0xf9,
20527 -+ 0x97, 0x66, 0xfc, 0x4d, 0x33, 0x6e, 0x28, 0x2b,
20528 -+ 0x92, 0x85, 0x4f, 0xab, 0x43, 0x8d, 0x8f, 0x7d,
20529 -+ 0x86, 0xa7, 0xc7, 0xd8, 0xd3, 0x0b, 0x8b, 0x57,
20530 -+ 0xb6, 0x1d, 0x95, 0x0d, 0xe9, 0xbc, 0xd9, 0x03,
20531 -+ 0xd9, 0x10, 0x19, 0xc3, 0x46, 0x63, 0x55, 0x87,
20532 -+ 0x61, 0x79, 0x6c, 0x95, 0x0e, 0x9c, 0xdd, 0xca,
20533 -+ 0xc3, 0xf3, 0x64, 0xf0, 0x7d, 0x76, 0xb7, 0x53,
20534 -+ 0x67, 0x2b, 0x1e, 0x44, 0x56, 0x81, 0xea, 0x8f,
20535 -+ 0x5c, 0x42, 0x16, 0xb8, 0x28, 0xeb, 0x1b, 0x61,
20536 -+ 0x10, 0x1e, 0xbf, 0xec, 0xa8
20537 -+};
20538 -+static const u8 enc_output011[] __initconst = {
20539 -+ 0x6a, 0xfc, 0x4b, 0x25, 0xdf, 0xc0, 0xe4, 0xe8,
20540 -+ 0x17, 0x4d, 0x4c, 0xc9, 0x7e, 0xde, 0x3a, 0xcc,
20541 -+ 0x3c, 0xba, 0x6a, 0x77, 0x47, 0xdb, 0xe3, 0x74,
20542 -+ 0x7a, 0x4d, 0x5f, 0x8d, 0x37, 0x55, 0x80, 0x73,
20543 -+ 0x90, 0x66, 0x5d, 0x3a, 0x7d, 0x5d, 0x86, 0x5e,
20544 -+ 0x8d, 0xfd, 0x83, 0xff, 0x4e, 0x74, 0x6f, 0xf9,
20545 -+ 0xe6, 0x70, 0x17, 0x70, 0x3e, 0x96, 0xa7, 0x7e,
20546 -+ 0xcb, 0xab, 0x8f, 0x58, 0x24, 0x9b, 0x01, 0xfd,
20547 -+ 0xcb, 0xe6, 0x4d, 0x9b, 0xf0, 0x88, 0x94, 0x57,
20548 -+ 0x66, 0xef, 0x72, 0x4c, 0x42, 0x6e, 0x16, 0x19,
20549 -+ 0x15, 0xea, 0x70, 0x5b, 0xac, 0x13, 0xdb, 0x9f,
20550 -+ 0x18, 0xe2, 0x3c, 0x26, 0x97, 0xbc, 0xdc, 0x45,
20551 -+ 0x8c, 0x6c, 0x24, 0x69, 0x9c, 0xf7, 0x65, 0x1e,
20552 -+ 0x18, 0x59, 0x31, 0x7c, 0xe4, 0x73, 0xbc, 0x39,
20553 -+ 0x62, 0xc6, 0x5c, 0x9f, 0xbf, 0xfa, 0x90, 0x03,
20554 -+ 0xc9, 0x72, 0x26, 0xb6, 0x1b, 0xc2, 0xb7, 0x3f,
20555 -+ 0xf2, 0x13, 0x77, 0xf2, 0x8d, 0xb9, 0x47, 0xd0,
20556 -+ 0x53, 0xdd, 0xc8, 0x91, 0x83, 0x8b, 0xb1, 0xce,
20557 -+ 0xa3, 0xfe, 0xcd, 0xd9, 0xdd, 0x92, 0x7b, 0xdb,
20558 -+ 0xb8, 0xfb, 0xc9, 0x2d, 0x01, 0x59, 0x39, 0x52,
20559 -+ 0xad, 0x1b, 0xec, 0xcf, 0xd7, 0x70, 0x13, 0x21,
20560 -+ 0xf5, 0x47, 0xaa, 0x18, 0x21, 0x5c, 0xc9, 0x9a,
20561 -+ 0xd2, 0x6b, 0x05, 0x9c, 0x01, 0xa1, 0xda, 0x35,
20562 -+ 0x5d, 0xb3, 0x70, 0xe6, 0xa9, 0x80, 0x8b, 0x91,
20563 -+ 0xb7, 0xb3, 0x5f, 0x24, 0x9a, 0xb7, 0xd1, 0x6b,
20564 -+ 0xa1, 0x1c, 0x50, 0xba, 0x49, 0xe0, 0xee, 0x2e,
20565 -+ 0x75, 0xac, 0x69, 0xc0, 0xeb, 0x03, 0xdd, 0x19,
20566 -+ 0xe5, 0xf6, 0x06, 0xdd, 0xc3, 0xd7, 0x2b, 0x07,
20567 -+ 0x07, 0x30, 0xa7, 0x19, 0x0c, 0xbf, 0xe6, 0x18,
20568 -+ 0xcc, 0xb1, 0x01, 0x11, 0x85, 0x77, 0x1d, 0x96,
20569 -+ 0xa7, 0xa3, 0x00, 0x84, 0x02, 0xa2, 0x83, 0x68,
20570 -+ 0xda, 0x17, 0x27, 0xc8, 0x7f, 0x23, 0xb7, 0xf4,
20571 -+ 0x13, 0x85, 0xcf, 0xdd, 0x7a, 0x7d, 0x24, 0x57,
20572 -+ 0xfe, 0x05, 0x93, 0xf5, 0x74, 0xce, 0xed, 0x0c,
20573 -+ 0x20, 0x98, 0x8d, 0x92, 0x30, 0xa1, 0x29, 0x23,
20574 -+ 0x1a, 0xa0, 0x4f, 0x69, 0x56, 0x4c, 0xe1, 0xc8,
20575 -+ 0xce, 0xf6, 0x9a, 0x0c, 0xa4, 0xfa, 0x04, 0xf6,
20576 -+ 0x62, 0x95, 0xf2, 0xfa, 0xc7, 0x40, 0x68, 0x40,
20577 -+ 0x8f, 0x41, 0xda, 0xb4, 0x26, 0x6f, 0x70, 0xab,
20578 -+ 0x40, 0x61, 0xa4, 0x0e, 0x75, 0xfb, 0x86, 0xeb,
20579 -+ 0x9d, 0x9a, 0x1f, 0xec, 0x76, 0x99, 0xe7, 0xea,
20580 -+ 0xaa, 0x1e, 0x2d, 0xb5, 0xd4, 0xa6, 0x1a, 0xb8,
20581 -+ 0x61, 0x0a, 0x1d, 0x16, 0x5b, 0x98, 0xc2, 0x31,
20582 -+ 0x40, 0xe7, 0x23, 0x1d, 0x66, 0x99, 0xc8, 0xc0,
20583 -+ 0xd7, 0xce, 0xf3, 0x57, 0x40, 0x04, 0x3f, 0xfc,
20584 -+ 0xea, 0xb3, 0xfc, 0xd2, 0xd3, 0x99, 0xa4, 0x94,
20585 -+ 0x69, 0xa0, 0xef, 0xd1, 0x85, 0xb3, 0xa6, 0xb1,
20586 -+ 0x28, 0xbf, 0x94, 0x67, 0x22, 0xc3, 0x36, 0x46,
20587 -+ 0xf8, 0xd2, 0x0f, 0x5f, 0xf4, 0x59, 0x80, 0xe6,
20588 -+ 0x2d, 0x43, 0x08, 0x7d, 0x19, 0x09, 0x97, 0xa7,
20589 -+ 0x4c, 0x3d, 0x8d, 0xba, 0x65, 0x62, 0xa3, 0x71,
20590 -+ 0x33, 0x29, 0x62, 0xdb, 0xc1, 0x33, 0x34, 0x1a,
20591 -+ 0x63, 0x33, 0x16, 0xb6, 0x64, 0x7e, 0xab, 0x33,
20592 -+ 0xf0, 0xe6, 0x26, 0x68, 0xba, 0x1d, 0x2e, 0x38,
20593 -+ 0x08, 0xe6, 0x02, 0xd3, 0x25, 0x2c, 0x47, 0x23,
20594 -+ 0x58, 0x34, 0x0f, 0x9d, 0x63, 0x4f, 0x63, 0xbb,
20595 -+ 0x7f, 0x3b, 0x34, 0x38, 0xa7, 0xb5, 0x8d, 0x65,
20596 -+ 0xd9, 0x9f, 0x79, 0x55, 0x3e, 0x4d, 0xe7, 0x73,
20597 -+ 0xd8, 0xf6, 0x98, 0x97, 0x84, 0x60, 0x9c, 0xc8,
20598 -+ 0xa9, 0x3c, 0xf6, 0xdc, 0x12, 0x5c, 0xe1, 0xbb,
20599 -+ 0x0b, 0x8b, 0x98, 0x9c, 0x9d, 0x26, 0x7c, 0x4a,
20600 -+ 0xe6, 0x46, 0x36, 0x58, 0x21, 0x4a, 0xee, 0xca,
20601 -+ 0xd7, 0x3b, 0xc2, 0x6c, 0x49, 0x2f, 0xe5, 0xd5,
20602 -+ 0x03, 0x59, 0x84, 0x53, 0xcb, 0xfe, 0x92, 0x71,
20603 -+ 0x2e, 0x7c, 0x21, 0xcc, 0x99, 0x85, 0x7f, 0xb8,
20604 -+ 0x74, 0x90, 0x13, 0x42, 0x3f, 0xe0, 0x6b, 0x1d,
20605 -+ 0xf2, 0x4d, 0x54, 0xd4, 0xfc, 0x3a, 0x05, 0xe6,
20606 -+ 0x74, 0xaf, 0xa6, 0xa0, 0x2a, 0x20, 0x23, 0x5d,
20607 -+ 0x34, 0x5c, 0xd9, 0x3e, 0x4e, 0xfa, 0x93, 0xe7,
20608 -+ 0xaa, 0xe9, 0x6f, 0x08, 0x43, 0x67, 0x41, 0xc5,
20609 -+ 0xad, 0xfb, 0x31, 0x95, 0x82, 0x73, 0x32, 0xd8,
20610 -+ 0xa6, 0xa3, 0xed, 0x0e, 0x2d, 0xf6, 0x5f, 0xfd,
20611 -+ 0x80, 0xa6, 0x7a, 0xe0, 0xdf, 0x78, 0x15, 0x29,
20612 -+ 0x74, 0x33, 0xd0, 0x9e, 0x83, 0x86, 0x72, 0x22,
20613 -+ 0x57, 0x29, 0xb9, 0x9e, 0x5d, 0xd3, 0x1a, 0xb5,
20614 -+ 0x96, 0x72, 0x41, 0x3d, 0xf1, 0x64, 0x43, 0x67,
20615 -+ 0xee, 0xaa, 0x5c, 0xd3, 0x9a, 0x96, 0x13, 0x11,
20616 -+ 0x5d, 0xf3, 0x0c, 0x87, 0x82, 0x1e, 0x41, 0x9e,
20617 -+ 0xd0, 0x27, 0xd7, 0x54, 0x3b, 0x67, 0x73, 0x09,
20618 -+ 0x91, 0xe9, 0xd5, 0x36, 0xa7, 0xb5, 0x55, 0xe4,
20619 -+ 0xf3, 0x21, 0x51, 0x49, 0x22, 0x07, 0x55, 0x4f,
20620 -+ 0x44, 0x4b, 0xd2, 0x15, 0x93, 0x17, 0x2a, 0xfa,
20621 -+ 0x4d, 0x4a, 0x57, 0xdb, 0x4c, 0xa6, 0xeb, 0xec,
20622 -+ 0x53, 0x25, 0x6c, 0x21, 0xed, 0x00, 0x4c, 0x3b,
20623 -+ 0xca, 0x14, 0x57, 0xa9, 0xd6, 0x6a, 0xcd, 0x8d,
20624 -+ 0x5e, 0x74, 0xac, 0x72, 0xc1, 0x97, 0xe5, 0x1b,
20625 -+ 0x45, 0x4e, 0xda, 0xfc, 0xcc, 0x40, 0xe8, 0x48,
20626 -+ 0x88, 0x0b, 0xa3, 0xe3, 0x8d, 0x83, 0x42, 0xc3,
20627 -+ 0x23, 0xfd, 0x68, 0xb5, 0x8e, 0xf1, 0x9d, 0x63,
20628 -+ 0x77, 0xe9, 0xa3, 0x8e, 0x8c, 0x26, 0x6b, 0xbd,
20629 -+ 0x72, 0x73, 0x35, 0x0c, 0x03, 0xf8, 0x43, 0x78,
20630 -+ 0x52, 0x71, 0x15, 0x1f, 0x71, 0x5d, 0x6e, 0xed,
20631 -+ 0xb9, 0xcc, 0x86, 0x30, 0xdb, 0x2b, 0xd3, 0x82,
20632 -+ 0x88, 0x23, 0x71, 0x90, 0x53, 0x5c, 0xa9, 0x2f,
20633 -+ 0x76, 0x01, 0xb7, 0x9a, 0xfe, 0x43, 0x55, 0xa3,
20634 -+ 0x04, 0x9b, 0x0e, 0xe4, 0x59, 0xdf, 0xc9, 0xe9,
20635 -+ 0xb1, 0xea, 0x29, 0x28, 0x3c, 0x5c, 0xae, 0x72,
20636 -+ 0x84, 0xb6, 0xc6, 0xeb, 0x0c, 0x27, 0x07, 0x74,
20637 -+ 0x90, 0x0d, 0x31, 0xb0, 0x00, 0x77, 0xe9, 0x40,
20638 -+ 0x70, 0x6f, 0x68, 0xa7, 0xfd, 0x06, 0xec, 0x4b,
20639 -+ 0xc0, 0xb7, 0xac, 0xbc, 0x33, 0xb7, 0x6d, 0x0a,
20640 -+ 0xbd, 0x12, 0x1b, 0x59, 0xcb, 0xdd, 0x32, 0xf5,
20641 -+ 0x1d, 0x94, 0x57, 0x76, 0x9e, 0x0c, 0x18, 0x98,
20642 -+ 0x71, 0xd7, 0x2a, 0xdb, 0x0b, 0x7b, 0xa7, 0x71,
20643 -+ 0xb7, 0x67, 0x81, 0x23, 0x96, 0xae, 0xb9, 0x7e,
20644 -+ 0x32, 0x43, 0x92, 0x8a, 0x19, 0xa0, 0xc4, 0xd4,
20645 -+ 0x3b, 0x57, 0xf9, 0x4a, 0x2c, 0xfb, 0x51, 0x46,
20646 -+ 0xbb, 0xcb, 0x5d, 0xb3, 0xef, 0x13, 0x93, 0x6e,
20647 -+ 0x68, 0x42, 0x54, 0x57, 0xd3, 0x6a, 0x3a, 0x8f,
20648 -+ 0x9d, 0x66, 0xbf, 0xbd, 0x36, 0x23, 0xf5, 0x93,
20649 -+ 0x83, 0x7b, 0x9c, 0xc0, 0xdd, 0xc5, 0x49, 0xc0,
20650 -+ 0x64, 0xed, 0x07, 0x12, 0xb3, 0xe6, 0xe4, 0xe5,
20651 -+ 0x38, 0x95, 0x23, 0xb1, 0xa0, 0x3b, 0x1a, 0x61,
20652 -+ 0xda, 0x17, 0xac, 0xc3, 0x58, 0xdd, 0x74, 0x64,
20653 -+ 0x22, 0x11, 0xe8, 0x32, 0x1d, 0x16, 0x93, 0x85,
20654 -+ 0x99, 0xa5, 0x9c, 0x34, 0x55, 0xb1, 0xe9, 0x20,
20655 -+ 0x72, 0xc9, 0x28, 0x7b, 0x79, 0x00, 0xa1, 0xa6,
20656 -+ 0xa3, 0x27, 0x40, 0x18, 0x8a, 0x54, 0xe0, 0xcc,
20657 -+ 0xe8, 0x4e, 0x8e, 0x43, 0x96, 0xe7, 0x3f, 0xc8,
20658 -+ 0xe9, 0xb2, 0xf9, 0xc9, 0xda, 0x04, 0x71, 0x50,
20659 -+ 0x47, 0xe4, 0xaa, 0xce, 0xa2, 0x30, 0xc8, 0xe4,
20660 -+ 0xac, 0xc7, 0x0d, 0x06, 0x2e, 0xe6, 0xe8, 0x80,
20661 -+ 0x36, 0x29, 0x9e, 0x01, 0xb8, 0xc3, 0xf0, 0xa0,
20662 -+ 0x5d, 0x7a, 0xca, 0x4d, 0xa0, 0x57, 0xbd, 0x2a,
20663 -+ 0x45, 0xa7, 0x7f, 0x9c, 0x93, 0x07, 0x8f, 0x35,
20664 -+ 0x67, 0x92, 0xe3, 0xe9, 0x7f, 0xa8, 0x61, 0x43,
20665 -+ 0x9e, 0x25, 0x4f, 0x33, 0x76, 0x13, 0x6e, 0x12,
20666 -+ 0xb9, 0xdd, 0xa4, 0x7c, 0x08, 0x9f, 0x7c, 0xe7,
20667 -+ 0x0a, 0x8d, 0x84, 0x06, 0xa4, 0x33, 0x17, 0x34,
20668 -+ 0x5e, 0x10, 0x7c, 0xc0, 0xa8, 0x3d, 0x1f, 0x42,
20669 -+ 0x20, 0x51, 0x65, 0x5d, 0x09, 0xc3, 0xaa, 0xc0,
20670 -+ 0xc8, 0x0d, 0xf0, 0x79, 0xbc, 0x20, 0x1b, 0x95,
20671 -+ 0xe7, 0x06, 0x7d, 0x47, 0x20, 0x03, 0x1a, 0x74,
20672 -+ 0xdd, 0xe2, 0xd4, 0xae, 0x38, 0x71, 0x9b, 0xf5,
20673 -+ 0x80, 0xec, 0x08, 0x4e, 0x56, 0xba, 0x76, 0x12,
20674 -+ 0x1a, 0xdf, 0x48, 0xf3, 0xae, 0xb3, 0xe6, 0xe6,
20675 -+ 0xbe, 0xc0, 0x91, 0x2e, 0x01, 0xb3, 0x01, 0x86,
20676 -+ 0xa2, 0xb9, 0x52, 0xd1, 0x21, 0xae, 0xd4, 0x97,
20677 -+ 0x1d, 0xef, 0x41, 0x12, 0x95, 0x3d, 0x48, 0x45,
20678 -+ 0x1c, 0x56, 0x32, 0x8f, 0xb8, 0x43, 0xbb, 0x19,
20679 -+ 0xf3, 0xca, 0xe9, 0xeb, 0x6d, 0x84, 0xbe, 0x86,
20680 -+ 0x06, 0xe2, 0x36, 0xb2, 0x62, 0x9d, 0xd3, 0x4c,
20681 -+ 0x48, 0x18, 0x54, 0x13, 0x4e, 0xcf, 0xfd, 0xba,
20682 -+ 0x84, 0xb9, 0x30, 0x53, 0xcf, 0xfb, 0xb9, 0x29,
20683 -+ 0x8f, 0xdc, 0x9f, 0xef, 0x60, 0x0b, 0x64, 0xf6,
20684 -+ 0x8b, 0xee, 0xa6, 0x91, 0xc2, 0x41, 0x6c, 0xf6,
20685 -+ 0xfa, 0x79, 0x67, 0x4b, 0xc1, 0x3f, 0xaf, 0x09,
20686 -+ 0x81, 0xd4, 0x5d, 0xcb, 0x09, 0xdf, 0x36, 0x31,
20687 -+ 0xc0, 0x14, 0x3c, 0x7c, 0x0e, 0x65, 0x95, 0x99,
20688 -+ 0x6d, 0xa3, 0xf4, 0xd7, 0x38, 0xee, 0x1a, 0x2b,
20689 -+ 0x37, 0xe2, 0xa4, 0x3b, 0x4b, 0xd0, 0x65, 0xca,
20690 -+ 0xf8, 0xc3, 0xe8, 0x15, 0x20, 0xef, 0xf2, 0x00,
20691 -+ 0xfd, 0x01, 0x09, 0xc5, 0xc8, 0x17, 0x04, 0x93,
20692 -+ 0xd0, 0x93, 0x03, 0x55, 0xc5, 0xfe, 0x32, 0xa3,
20693 -+ 0x3e, 0x28, 0x2d, 0x3b, 0x93, 0x8a, 0xcc, 0x07,
20694 -+ 0x72, 0x80, 0x8b, 0x74, 0x16, 0x24, 0xbb, 0xda,
20695 -+ 0x94, 0x39, 0x30, 0x8f, 0xb1, 0xcd, 0x4a, 0x90,
20696 -+ 0x92, 0x7c, 0x14, 0x8f, 0x95, 0x4e, 0xac, 0x9b,
20697 -+ 0xd8, 0x8f, 0x1a, 0x87, 0xa4, 0x32, 0x27, 0x8a,
20698 -+ 0xba, 0xf7, 0x41, 0xcf, 0x84, 0x37, 0x19, 0xe6,
20699 -+ 0x06, 0xf5, 0x0e, 0xcf, 0x36, 0xf5, 0x9e, 0x6c,
20700 -+ 0xde, 0xbc, 0xff, 0x64, 0x7e, 0x4e, 0x59, 0x57,
20701 -+ 0x48, 0xfe, 0x14, 0xf7, 0x9c, 0x93, 0x5d, 0x15,
20702 -+ 0xad, 0xcc, 0x11, 0xb1, 0x17, 0x18, 0xb2, 0x7e,
20703 -+ 0xcc, 0xab, 0xe9, 0xce, 0x7d, 0x77, 0x5b, 0x51,
20704 -+ 0x1b, 0x1e, 0x20, 0xa8, 0x32, 0x06, 0x0e, 0x75,
20705 -+ 0x93, 0xac, 0xdb, 0x35, 0x37, 0x1f, 0xe9, 0x19,
20706 -+ 0x1d, 0xb4, 0x71, 0x97, 0xd6, 0x4e, 0x2c, 0x08,
20707 -+ 0xa5, 0x13, 0xf9, 0x0e, 0x7e, 0x78, 0x6e, 0x14,
20708 -+ 0xe0, 0xa9, 0xb9, 0x96, 0x4c, 0x80, 0x82, 0xba,
20709 -+ 0x17, 0xb3, 0x9d, 0x69, 0xb0, 0x84, 0x46, 0xff,
20710 -+ 0xf9, 0x52, 0x79, 0x94, 0x58, 0x3a, 0x62, 0x90,
20711 -+ 0x15, 0x35, 0x71, 0x10, 0x37, 0xed, 0xa1, 0x8e,
20712 -+ 0x53, 0x6e, 0xf4, 0x26, 0x57, 0x93, 0x15, 0x93,
20713 -+ 0xf6, 0x81, 0x2c, 0x5a, 0x10, 0xda, 0x92, 0xad,
20714 -+ 0x2f, 0xdb, 0x28, 0x31, 0x2d, 0x55, 0x04, 0xd2,
20715 -+ 0x06, 0x28, 0x8c, 0x1e, 0xdc, 0xea, 0x54, 0xac,
20716 -+ 0xff, 0xb7, 0x6c, 0x30, 0x15, 0xd4, 0xb4, 0x0d,
20717 -+ 0x00, 0x93, 0x57, 0xdd, 0xd2, 0x07, 0x07, 0x06,
20718 -+ 0xd9, 0x43, 0x9b, 0xcd, 0x3a, 0xf4, 0x7d, 0x4c,
20719 -+ 0x36, 0x5d, 0x23, 0xa2, 0xcc, 0x57, 0x40, 0x91,
20720 -+ 0xe9, 0x2c, 0x2f, 0x2c, 0xd5, 0x30, 0x9b, 0x17,
20721 -+ 0xb0, 0xc9, 0xf7, 0xa7, 0x2f, 0xd1, 0x93, 0x20,
20722 -+ 0x6b, 0xc6, 0xc1, 0xe4, 0x6f, 0xcb, 0xd1, 0xe7,
20723 -+ 0x09, 0x0f, 0x9e, 0xdc, 0xaa, 0x9f, 0x2f, 0xdf,
20724 -+ 0x56, 0x9f, 0xd4, 0x33, 0x04, 0xaf, 0xd3, 0x6c,
20725 -+ 0x58, 0x61, 0xf0, 0x30, 0xec, 0xf2, 0x7f, 0xf2,
20726 -+ 0x9c, 0xdf, 0x39, 0xbb, 0x6f, 0xa2, 0x8c, 0x7e,
20727 -+ 0xc4, 0x22, 0x51, 0x71, 0xc0, 0x4d, 0x14, 0x1a,
20728 -+ 0xc4, 0xcd, 0x04, 0xd9, 0x87, 0x08, 0x50, 0x05,
20729 -+ 0xcc, 0xaf, 0xf6, 0xf0, 0x8f, 0x92, 0x54, 0x58,
20730 -+ 0xc2, 0xc7, 0x09, 0x7a, 0x59, 0x02, 0x05, 0xe8,
20731 -+ 0xb0, 0x86, 0xd9, 0xbf, 0x7b, 0x35, 0x51, 0x4d,
20732 -+ 0xaf, 0x08, 0x97, 0x2c, 0x65, 0xda, 0x2a, 0x71,
20733 -+ 0x3a, 0xa8, 0x51, 0xcc, 0xf2, 0x73, 0x27, 0xc3,
20734 -+ 0xfd, 0x62, 0xcf, 0xe3, 0xb2, 0xca, 0xcb, 0xbe,
20735 -+ 0x1a, 0x0a, 0xa1, 0x34, 0x7b, 0x77, 0xc4, 0x62,
20736 -+ 0x68, 0x78, 0x5f, 0x94, 0x07, 0x04, 0x65, 0x16,
20737 -+ 0x4b, 0x61, 0xcb, 0xff, 0x75, 0x26, 0x50, 0x66,
20738 -+ 0x1f, 0x6e, 0x93, 0xf8, 0xc5, 0x51, 0xeb, 0xa4,
20739 -+ 0x4a, 0x48, 0x68, 0x6b, 0xe2, 0x5e, 0x44, 0xb2,
20740 -+ 0x50, 0x2c, 0x6c, 0xae, 0x79, 0x4e, 0x66, 0x35,
20741 -+ 0x81, 0x50, 0xac, 0xbc, 0x3f, 0xb1, 0x0c, 0xf3,
20742 -+ 0x05, 0x3c, 0x4a, 0xa3, 0x6c, 0x2a, 0x79, 0xb4,
20743 -+ 0xb7, 0xab, 0xca, 0xc7, 0x9b, 0x8e, 0xcd, 0x5f,
20744 -+ 0x11, 0x03, 0xcb, 0x30, 0xa3, 0xab, 0xda, 0xfe,
20745 -+ 0x64, 0xb9, 0xbb, 0xd8, 0x5e, 0x3a, 0x1a, 0x56,
20746 -+ 0xe5, 0x05, 0x48, 0x90, 0x1e, 0x61, 0x69, 0x1b,
20747 -+ 0x22, 0xe6, 0x1a, 0x3c, 0x75, 0xad, 0x1f, 0x37,
20748 -+ 0x28, 0xdc, 0xe4, 0x6d, 0xbd, 0x42, 0xdc, 0xd3,
20749 -+ 0xc8, 0xb6, 0x1c, 0x48, 0xfe, 0x94, 0x77, 0x7f,
20750 -+ 0xbd, 0x62, 0xac, 0xa3, 0x47, 0x27, 0xcf, 0x5f,
20751 -+ 0xd9, 0xdb, 0xaf, 0xec, 0xf7, 0x5e, 0xc1, 0xb0,
20752 -+ 0x9d, 0x01, 0x26, 0x99, 0x7e, 0x8f, 0x03, 0x70,
20753 -+ 0xb5, 0x42, 0xbe, 0x67, 0x28, 0x1b, 0x7c, 0xbd,
20754 -+ 0x61, 0x21, 0x97, 0xcc, 0x5c, 0xe1, 0x97, 0x8f,
20755 -+ 0x8d, 0xde, 0x2b, 0xaa, 0xa7, 0x71, 0x1d, 0x1e,
20756 -+ 0x02, 0x73, 0x70, 0x58, 0x32, 0x5b, 0x1d, 0x67,
20757 -+ 0x3d, 0xe0, 0x74, 0x4f, 0x03, 0xf2, 0x70, 0x51,
20758 -+ 0x79, 0xf1, 0x61, 0x70, 0x15, 0x74, 0x9d, 0x23,
20759 -+ 0x89, 0xde, 0xac, 0xfd, 0xde, 0xd0, 0x1f, 0xc3,
20760 -+ 0x87, 0x44, 0x35, 0x4b, 0xe5, 0xb0, 0x60, 0xc5,
20761 -+ 0x22, 0xe4, 0x9e, 0xca, 0xeb, 0xd5, 0x3a, 0x09,
20762 -+ 0x45, 0xa4, 0xdb, 0xfa, 0x3f, 0xeb, 0x1b, 0xc7,
20763 -+ 0xc8, 0x14, 0x99, 0x51, 0x92, 0x10, 0xed, 0xed,
20764 -+ 0x28, 0xe0, 0xa1, 0xf8, 0x26, 0xcf, 0xcd, 0xcb,
20765 -+ 0x63, 0xa1, 0x3b, 0xe3, 0xdf, 0x7e, 0xfe, 0xa6,
20766 -+ 0xf0, 0x81, 0x9a, 0xbf, 0x55, 0xde, 0x54, 0xd5,
20767 -+ 0x56, 0x60, 0x98, 0x10, 0x68, 0xf4, 0x38, 0x96,
20768 -+ 0x8e, 0x6f, 0x1d, 0x44, 0x7f, 0xd6, 0x2f, 0xfe,
20769 -+ 0x55, 0xfb, 0x0c, 0x7e, 0x67, 0xe2, 0x61, 0x44,
20770 -+ 0xed, 0xf2, 0x35, 0x30, 0x5d, 0xe9, 0xc7, 0xd6,
20771 -+ 0x6d, 0xe0, 0xa0, 0xed, 0xf3, 0xfc, 0xd8, 0x3e,
20772 -+ 0x0a, 0x7b, 0xcd, 0xaf, 0x65, 0x68, 0x18, 0xc0,
20773 -+ 0xec, 0x04, 0x1c, 0x74, 0x6d, 0xe2, 0x6e, 0x79,
20774 -+ 0xd4, 0x11, 0x2b, 0x62, 0xd5, 0x27, 0xad, 0x4f,
20775 -+ 0x01, 0x59, 0x73, 0xcc, 0x6a, 0x53, 0xfb, 0x2d,
20776 -+ 0xd5, 0x4e, 0x99, 0x21, 0x65, 0x4d, 0xf5, 0x82,
20777 -+ 0xf7, 0xd8, 0x42, 0xce, 0x6f, 0x3d, 0x36, 0x47,
20778 -+ 0xf1, 0x05, 0x16, 0xe8, 0x1b, 0x6a, 0x8f, 0x93,
20779 -+ 0xf2, 0x8f, 0x37, 0x40, 0x12, 0x28, 0xa3, 0xe6,
20780 -+ 0xb9, 0x17, 0x4a, 0x1f, 0xb1, 0xd1, 0x66, 0x69,
20781 -+ 0x86, 0xc4, 0xfc, 0x97, 0xae, 0x3f, 0x8f, 0x1e,
20782 -+ 0x2b, 0xdf, 0xcd, 0xf9, 0x3c
20783 -+};
20784 -+static const u8 enc_assoc011[] __initconst = {
20785 -+ 0xd6, 0x31, 0xda, 0x5d, 0x42, 0x5e, 0xd7
20786 -+};
20787 -+static const u8 enc_nonce011[] __initconst = {
20788 -+ 0xfd, 0x87, 0xd4, 0xd8, 0x62, 0xfd, 0xec, 0xaa
20789 -+};
20790 -+static const u8 enc_key011[] __initconst = {
20791 -+ 0x35, 0x4e, 0xb5, 0x70, 0x50, 0x42, 0x8a, 0x85,
20792 -+ 0xf2, 0xfb, 0xed, 0x7b, 0xd0, 0x9e, 0x97, 0xca,
20793 -+ 0xfa, 0x98, 0x66, 0x63, 0xee, 0x37, 0xcc, 0x52,
20794 -+ 0xfe, 0xd1, 0xdf, 0x95, 0x15, 0x34, 0x29, 0x38
20795 -+};
20796 -+
20797 -+static const u8 enc_input012[] __initconst = {
20798 -+ 0x74, 0xa6, 0x3e, 0xe4, 0xb1, 0xcb, 0xaf, 0xb0,
20799 -+ 0x40, 0xe5, 0x0f, 0x9e, 0xf1, 0xf2, 0x89, 0xb5,
20800 -+ 0x42, 0x34, 0x8a, 0xa1, 0x03, 0xb7, 0xe9, 0x57,
20801 -+ 0x46, 0xbe, 0x20, 0xe4, 0x6e, 0xb0, 0xeb, 0xff,
20802 -+ 0xea, 0x07, 0x7e, 0xef, 0xe2, 0x55, 0x9f, 0xe5,
20803 -+ 0x78, 0x3a, 0xb7, 0x83, 0xc2, 0x18, 0x40, 0x7b,
20804 -+ 0xeb, 0xcd, 0x81, 0xfb, 0x90, 0x12, 0x9e, 0x46,
20805 -+ 0xa9, 0xd6, 0x4a, 0xba, 0xb0, 0x62, 0xdb, 0x6b,
20806 -+ 0x99, 0xc4, 0xdb, 0x54, 0x4b, 0xb8, 0xa5, 0x71,
20807 -+ 0xcb, 0xcd, 0x63, 0x32, 0x55, 0xfb, 0x31, 0xf0,
20808 -+ 0x38, 0xf5, 0xbe, 0x78, 0xe4, 0x45, 0xce, 0x1b,
20809 -+ 0x6a, 0x5b, 0x0e, 0xf4, 0x16, 0xe4, 0xb1, 0x3d,
20810 -+ 0xf6, 0x63, 0x7b, 0xa7, 0x0c, 0xde, 0x6f, 0x8f,
20811 -+ 0x74, 0xdf, 0xe0, 0x1e, 0x9d, 0xce, 0x8f, 0x24,
20812 -+ 0xef, 0x23, 0x35, 0x33, 0x7b, 0x83, 0x34, 0x23,
20813 -+ 0x58, 0x74, 0x14, 0x77, 0x1f, 0xc2, 0x4f, 0x4e,
20814 -+ 0xc6, 0x89, 0xf9, 0x52, 0x09, 0x37, 0x64, 0x14,
20815 -+ 0xc4, 0x01, 0x6b, 0x9d, 0x77, 0xe8, 0x90, 0x5d,
20816 -+ 0xa8, 0x4a, 0x2a, 0xef, 0x5c, 0x7f, 0xeb, 0xbb,
20817 -+ 0xb2, 0xc6, 0x93, 0x99, 0x66, 0xdc, 0x7f, 0xd4,
20818 -+ 0x9e, 0x2a, 0xca, 0x8d, 0xdb, 0xe7, 0x20, 0xcf,
20819 -+ 0xe4, 0x73, 0xae, 0x49, 0x7d, 0x64, 0x0f, 0x0e,
20820 -+ 0x28, 0x46, 0xa9, 0xa8, 0x32, 0xe4, 0x0e, 0xf6,
20821 -+ 0x51, 0x53, 0xb8, 0x3c, 0xb1, 0xff, 0xa3, 0x33,
20822 -+ 0x41, 0x75, 0xff, 0xf1, 0x6f, 0xf1, 0xfb, 0xbb,
20823 -+ 0x83, 0x7f, 0x06, 0x9b, 0xe7, 0x1b, 0x0a, 0xe0,
20824 -+ 0x5c, 0x33, 0x60, 0x5b, 0xdb, 0x5b, 0xed, 0xfe,
20825 -+ 0xa5, 0x16, 0x19, 0x72, 0xa3, 0x64, 0x23, 0x00,
20826 -+ 0x02, 0xc7, 0xf3, 0x6a, 0x81, 0x3e, 0x44, 0x1d,
20827 -+ 0x79, 0x15, 0x5f, 0x9a, 0xde, 0xe2, 0xfd, 0x1b,
20828 -+ 0x73, 0xc1, 0xbc, 0x23, 0xba, 0x31, 0xd2, 0x50,
20829 -+ 0xd5, 0xad, 0x7f, 0x74, 0xa7, 0xc9, 0xf8, 0x3e,
20830 -+ 0x2b, 0x26, 0x10, 0xf6, 0x03, 0x36, 0x74, 0xe4,
20831 -+ 0x0e, 0x6a, 0x72, 0xb7, 0x73, 0x0a, 0x42, 0x28,
20832 -+ 0xc2, 0xad, 0x5e, 0x03, 0xbe, 0xb8, 0x0b, 0xa8,
20833 -+ 0x5b, 0xd4, 0xb8, 0xba, 0x52, 0x89, 0xb1, 0x9b,
20834 -+ 0xc1, 0xc3, 0x65, 0x87, 0xed, 0xa5, 0xf4, 0x86,
20835 -+ 0xfd, 0x41, 0x80, 0x91, 0x27, 0x59, 0x53, 0x67,
20836 -+ 0x15, 0x78, 0x54, 0x8b, 0x2d, 0x3d, 0xc7, 0xff,
20837 -+ 0x02, 0x92, 0x07, 0x5f, 0x7a, 0x4b, 0x60, 0x59,
20838 -+ 0x3c, 0x6f, 0x5c, 0xd8, 0xec, 0x95, 0xd2, 0xfe,
20839 -+ 0xa0, 0x3b, 0xd8, 0x3f, 0xd1, 0x69, 0xa6, 0xd6,
20840 -+ 0x41, 0xb2, 0xf4, 0x4d, 0x12, 0xf4, 0x58, 0x3e,
20841 -+ 0x66, 0x64, 0x80, 0x31, 0x9b, 0xa8, 0x4c, 0x8b,
20842 -+ 0x07, 0xb2, 0xec, 0x66, 0x94, 0x66, 0x47, 0x50,
20843 -+ 0x50, 0x5f, 0x18, 0x0b, 0x0e, 0xd6, 0xc0, 0x39,
20844 -+ 0x21, 0x13, 0x9e, 0x33, 0xbc, 0x79, 0x36, 0x02,
20845 -+ 0x96, 0x70, 0xf0, 0x48, 0x67, 0x2f, 0x26, 0xe9,
20846 -+ 0x6d, 0x10, 0xbb, 0xd6, 0x3f, 0xd1, 0x64, 0x7a,
20847 -+ 0x2e, 0xbe, 0x0c, 0x61, 0xf0, 0x75, 0x42, 0x38,
20848 -+ 0x23, 0xb1, 0x9e, 0x9f, 0x7c, 0x67, 0x66, 0xd9,
20849 -+ 0x58, 0x9a, 0xf1, 0xbb, 0x41, 0x2a, 0x8d, 0x65,
20850 -+ 0x84, 0x94, 0xfc, 0xdc, 0x6a, 0x50, 0x64, 0xdb,
20851 -+ 0x56, 0x33, 0x76, 0x00, 0x10, 0xed, 0xbe, 0xd2,
20852 -+ 0x12, 0xf6, 0xf6, 0x1b, 0xa2, 0x16, 0xde, 0xae,
20853 -+ 0x31, 0x95, 0xdd, 0xb1, 0x08, 0x7e, 0x4e, 0xee,
20854 -+ 0xe7, 0xf9, 0xa5, 0xfb, 0x5b, 0x61, 0x43, 0x00,
20855 -+ 0x40, 0xf6, 0x7e, 0x02, 0x04, 0x32, 0x4e, 0x0c,
20856 -+ 0xe2, 0x66, 0x0d, 0xd7, 0x07, 0x98, 0x0e, 0xf8,
20857 -+ 0x72, 0x34, 0x6d, 0x95, 0x86, 0xd7, 0xcb, 0x31,
20858 -+ 0x54, 0x47, 0xd0, 0x38, 0x29, 0x9c, 0x5a, 0x68,
20859 -+ 0xd4, 0x87, 0x76, 0xc9, 0xe7, 0x7e, 0xe3, 0xf4,
20860 -+ 0x81, 0x6d, 0x18, 0xcb, 0xc9, 0x05, 0xaf, 0xa0,
20861 -+ 0xfb, 0x66, 0xf7, 0xf1, 0x1c, 0xc6, 0x14, 0x11,
20862 -+ 0x4f, 0x2b, 0x79, 0x42, 0x8b, 0xbc, 0xac, 0xe7,
20863 -+ 0x6c, 0xfe, 0x0f, 0x58, 0xe7, 0x7c, 0x78, 0x39,
20864 -+ 0x30, 0xb0, 0x66, 0x2c, 0x9b, 0x6d, 0x3a, 0xe1,
20865 -+ 0xcf, 0xc9, 0xa4, 0x0e, 0x6d, 0x6d, 0x8a, 0xa1,
20866 -+ 0x3a, 0xe7, 0x28, 0xd4, 0x78, 0x4c, 0xa6, 0xa2,
20867 -+ 0x2a, 0xa6, 0x03, 0x30, 0xd7, 0xa8, 0x25, 0x66,
20868 -+ 0x87, 0x2f, 0x69, 0x5c, 0x4e, 0xdd, 0xa5, 0x49,
20869 -+ 0x5d, 0x37, 0x4a, 0x59, 0xc4, 0xaf, 0x1f, 0xa2,
20870 -+ 0xe4, 0xf8, 0xa6, 0x12, 0x97, 0xd5, 0x79, 0xf5,
20871 -+ 0xe2, 0x4a, 0x2b, 0x5f, 0x61, 0xe4, 0x9e, 0xe3,
20872 -+ 0xee, 0xb8, 0xa7, 0x5b, 0x2f, 0xf4, 0x9e, 0x6c,
20873 -+ 0xfb, 0xd1, 0xc6, 0x56, 0x77, 0xba, 0x75, 0xaa,
20874 -+ 0x3d, 0x1a, 0xa8, 0x0b, 0xb3, 0x68, 0x24, 0x00,
20875 -+ 0x10, 0x7f, 0xfd, 0xd7, 0xa1, 0x8d, 0x83, 0x54,
20876 -+ 0x4f, 0x1f, 0xd8, 0x2a, 0xbe, 0x8a, 0x0c, 0x87,
20877 -+ 0xab, 0xa2, 0xde, 0xc3, 0x39, 0xbf, 0x09, 0x03,
20878 -+ 0xa5, 0xf3, 0x05, 0x28, 0xe1, 0xe1, 0xee, 0x39,
20879 -+ 0x70, 0x9c, 0xd8, 0x81, 0x12, 0x1e, 0x02, 0x40,
20880 -+ 0xd2, 0x6e, 0xf0, 0xeb, 0x1b, 0x3d, 0x22, 0xc6,
20881 -+ 0xe5, 0xe3, 0xb4, 0x5a, 0x98, 0xbb, 0xf0, 0x22,
20882 -+ 0x28, 0x8d, 0xe5, 0xd3, 0x16, 0x48, 0x24, 0xa5,
20883 -+ 0xe6, 0x66, 0x0c, 0xf9, 0x08, 0xf9, 0x7e, 0x1e,
20884 -+ 0xe1, 0x28, 0x26, 0x22, 0xc7, 0xc7, 0x0a, 0x32,
20885 -+ 0x47, 0xfa, 0xa3, 0xbe, 0x3c, 0xc4, 0xc5, 0x53,
20886 -+ 0x0a, 0xd5, 0x94, 0x4a, 0xd7, 0x93, 0xd8, 0x42,
20887 -+ 0x99, 0xb9, 0x0a, 0xdb, 0x56, 0xf7, 0xb9, 0x1c,
20888 -+ 0x53, 0x4f, 0xfa, 0xd3, 0x74, 0xad, 0xd9, 0x68,
20889 -+ 0xf1, 0x1b, 0xdf, 0x61, 0xc6, 0x5e, 0xa8, 0x48,
20890 -+ 0xfc, 0xd4, 0x4a, 0x4c, 0x3c, 0x32, 0xf7, 0x1c,
20891 -+ 0x96, 0x21, 0x9b, 0xf9, 0xa3, 0xcc, 0x5a, 0xce,
20892 -+ 0xd5, 0xd7, 0x08, 0x24, 0xf6, 0x1c, 0xfd, 0xdd,
20893 -+ 0x38, 0xc2, 0x32, 0xe9, 0xb8, 0xe7, 0xb6, 0xfa,
20894 -+ 0x9d, 0x45, 0x13, 0x2c, 0x83, 0xfd, 0x4a, 0x69,
20895 -+ 0x82, 0xcd, 0xdc, 0xb3, 0x76, 0x0c, 0x9e, 0xd8,
20896 -+ 0xf4, 0x1b, 0x45, 0x15, 0xb4, 0x97, 0xe7, 0x58,
20897 -+ 0x34, 0xe2, 0x03, 0x29, 0x5a, 0xbf, 0xb6, 0xe0,
20898 -+ 0x5d, 0x13, 0xd9, 0x2b, 0xb4, 0x80, 0xb2, 0x45,
20899 -+ 0x81, 0x6a, 0x2e, 0x6c, 0x89, 0x7d, 0xee, 0xbb,
20900 -+ 0x52, 0xdd, 0x1f, 0x18, 0xe7, 0x13, 0x6b, 0x33,
20901 -+ 0x0e, 0xea, 0x36, 0x92, 0x77, 0x7b, 0x6d, 0x9c,
20902 -+ 0x5a, 0x5f, 0x45, 0x7b, 0x7b, 0x35, 0x62, 0x23,
20903 -+ 0xd1, 0xbf, 0x0f, 0xd0, 0x08, 0x1b, 0x2b, 0x80,
20904 -+ 0x6b, 0x7e, 0xf1, 0x21, 0x47, 0xb0, 0x57, 0xd1,
20905 -+ 0x98, 0x72, 0x90, 0x34, 0x1c, 0x20, 0x04, 0xff,
20906 -+ 0x3d, 0x5c, 0xee, 0x0e, 0x57, 0x5f, 0x6f, 0x24,
20907 -+ 0x4e, 0x3c, 0xea, 0xfc, 0xa5, 0xa9, 0x83, 0xc9,
20908 -+ 0x61, 0xb4, 0x51, 0x24, 0xf8, 0x27, 0x5e, 0x46,
20909 -+ 0x8c, 0xb1, 0x53, 0x02, 0x96, 0x35, 0xba, 0xb8,
20910 -+ 0x4c, 0x71, 0xd3, 0x15, 0x59, 0x35, 0x22, 0x20,
20911 -+ 0xad, 0x03, 0x9f, 0x66, 0x44, 0x3b, 0x9c, 0x35,
20912 -+ 0x37, 0x1f, 0x9b, 0xbb, 0xf3, 0xdb, 0x35, 0x63,
20913 -+ 0x30, 0x64, 0xaa, 0xa2, 0x06, 0xa8, 0x5d, 0xbb,
20914 -+ 0xe1, 0x9f, 0x70, 0xec, 0x82, 0x11, 0x06, 0x36,
20915 -+ 0xec, 0x8b, 0x69, 0x66, 0x24, 0x44, 0xc9, 0x4a,
20916 -+ 0x57, 0xbb, 0x9b, 0x78, 0x13, 0xce, 0x9c, 0x0c,
20917 -+ 0xba, 0x92, 0x93, 0x63, 0xb8, 0xe2, 0x95, 0x0f,
20918 -+ 0x0f, 0x16, 0x39, 0x52, 0xfd, 0x3a, 0x6d, 0x02,
20919 -+ 0x4b, 0xdf, 0x13, 0xd3, 0x2a, 0x22, 0xb4, 0x03,
20920 -+ 0x7c, 0x54, 0x49, 0x96, 0x68, 0x54, 0x10, 0xfa,
20921 -+ 0xef, 0xaa, 0x6c, 0xe8, 0x22, 0xdc, 0x71, 0x16,
20922 -+ 0x13, 0x1a, 0xf6, 0x28, 0xe5, 0x6d, 0x77, 0x3d,
20923 -+ 0xcd, 0x30, 0x63, 0xb1, 0x70, 0x52, 0xa1, 0xc5,
20924 -+ 0x94, 0x5f, 0xcf, 0xe8, 0xb8, 0x26, 0x98, 0xf7,
20925 -+ 0x06, 0xa0, 0x0a, 0x70, 0xfa, 0x03, 0x80, 0xac,
20926 -+ 0xc1, 0xec, 0xd6, 0x4c, 0x54, 0xd7, 0xfe, 0x47,
20927 -+ 0xb6, 0x88, 0x4a, 0xf7, 0x71, 0x24, 0xee, 0xf3,
20928 -+ 0xd2, 0xc2, 0x4a, 0x7f, 0xfe, 0x61, 0xc7, 0x35,
20929 -+ 0xc9, 0x37, 0x67, 0xcb, 0x24, 0x35, 0xda, 0x7e,
20930 -+ 0xca, 0x5f, 0xf3, 0x8d, 0xd4, 0x13, 0x8e, 0xd6,
20931 -+ 0xcb, 0x4d, 0x53, 0x8f, 0x53, 0x1f, 0xc0, 0x74,
20932 -+ 0xf7, 0x53, 0xb9, 0x5e, 0x23, 0x37, 0xba, 0x6e,
20933 -+ 0xe3, 0x9d, 0x07, 0x55, 0x25, 0x7b, 0xe6, 0x2a,
20934 -+ 0x64, 0xd1, 0x32, 0xdd, 0x54, 0x1b, 0x4b, 0xc0,
20935 -+ 0xe1, 0xd7, 0x69, 0x58, 0xf8, 0x93, 0x29, 0xc4,
20936 -+ 0xdd, 0x23, 0x2f, 0xa5, 0xfc, 0x9d, 0x7e, 0xf8,
20937 -+ 0xd4, 0x90, 0xcd, 0x82, 0x55, 0xdc, 0x16, 0x16,
20938 -+ 0x9f, 0x07, 0x52, 0x9b, 0x9d, 0x25, 0xed, 0x32,
20939 -+ 0xc5, 0x7b, 0xdf, 0xf6, 0x83, 0x46, 0x3d, 0x65,
20940 -+ 0xb7, 0xef, 0x87, 0x7a, 0x12, 0x69, 0x8f, 0x06,
20941 -+ 0x7c, 0x51, 0x15, 0x4a, 0x08, 0xe8, 0xac, 0x9a,
20942 -+ 0x0c, 0x24, 0xa7, 0x27, 0xd8, 0x46, 0x2f, 0xe7,
20943 -+ 0x01, 0x0e, 0x1c, 0xc6, 0x91, 0xb0, 0x6e, 0x85,
20944 -+ 0x65, 0xf0, 0x29, 0x0d, 0x2e, 0x6b, 0x3b, 0xfb,
20945 -+ 0x4b, 0xdf, 0xe4, 0x80, 0x93, 0x03, 0x66, 0x46,
20946 -+ 0x3e, 0x8a, 0x6e, 0xf3, 0x5e, 0x4d, 0x62, 0x0e,
20947 -+ 0x49, 0x05, 0xaf, 0xd4, 0xf8, 0x21, 0x20, 0x61,
20948 -+ 0x1d, 0x39, 0x17, 0xf4, 0x61, 0x47, 0x95, 0xfb,
20949 -+ 0x15, 0x2e, 0xb3, 0x4f, 0xd0, 0x5d, 0xf5, 0x7d,
20950 -+ 0x40, 0xda, 0x90, 0x3c, 0x6b, 0xcb, 0x17, 0x00,
20951 -+ 0x13, 0x3b, 0x64, 0x34, 0x1b, 0xf0, 0xf2, 0xe5,
20952 -+ 0x3b, 0xb2, 0xc7, 0xd3, 0x5f, 0x3a, 0x44, 0xa6,
20953 -+ 0x9b, 0xb7, 0x78, 0x0e, 0x42, 0x5d, 0x4c, 0xc1,
20954 -+ 0xe9, 0xd2, 0xcb, 0xb7, 0x78, 0xd1, 0xfe, 0x9a,
20955 -+ 0xb5, 0x07, 0xe9, 0xe0, 0xbe, 0xe2, 0x8a, 0xa7,
20956 -+ 0x01, 0x83, 0x00, 0x8c, 0x5c, 0x08, 0xe6, 0x63,
20957 -+ 0x12, 0x92, 0xb7, 0xb7, 0xa6, 0x19, 0x7d, 0x38,
20958 -+ 0x13, 0x38, 0x92, 0x87, 0x24, 0xf9, 0x48, 0xb3,
20959 -+ 0x5e, 0x87, 0x6a, 0x40, 0x39, 0x5c, 0x3f, 0xed,
20960 -+ 0x8f, 0xee, 0xdb, 0x15, 0x82, 0x06, 0xda, 0x49,
20961 -+ 0x21, 0x2b, 0xb5, 0xbf, 0x32, 0x7c, 0x9f, 0x42,
20962 -+ 0x28, 0x63, 0xcf, 0xaf, 0x1e, 0xf8, 0xc6, 0xa0,
20963 -+ 0xd1, 0x02, 0x43, 0x57, 0x62, 0xec, 0x9b, 0x0f,
20964 -+ 0x01, 0x9e, 0x71, 0xd8, 0x87, 0x9d, 0x01, 0xc1,
20965 -+ 0x58, 0x77, 0xd9, 0xaf, 0xb1, 0x10, 0x7e, 0xdd,
20966 -+ 0xa6, 0x50, 0x96, 0xe5, 0xf0, 0x72, 0x00, 0x6d,
20967 -+ 0x4b, 0xf8, 0x2a, 0x8f, 0x19, 0xf3, 0x22, 0x88,
20968 -+ 0x11, 0x4a, 0x8b, 0x7c, 0xfd, 0xb7, 0xed, 0xe1,
20969 -+ 0xf6, 0x40, 0x39, 0xe0, 0xe9, 0xf6, 0x3d, 0x25,
20970 -+ 0xe6, 0x74, 0x3c, 0x58, 0x57, 0x7f, 0xe1, 0x22,
20971 -+ 0x96, 0x47, 0x31, 0x91, 0xba, 0x70, 0x85, 0x28,
20972 -+ 0x6b, 0x9f, 0x6e, 0x25, 0xac, 0x23, 0x66, 0x2f,
20973 -+ 0x29, 0x88, 0x28, 0xce, 0x8c, 0x5c, 0x88, 0x53,
20974 -+ 0xd1, 0x3b, 0xcc, 0x6a, 0x51, 0xb2, 0xe1, 0x28,
20975 -+ 0x3f, 0x91, 0xb4, 0x0d, 0x00, 0x3a, 0xe3, 0xf8,
20976 -+ 0xc3, 0x8f, 0xd7, 0x96, 0x62, 0x0e, 0x2e, 0xfc,
20977 -+ 0xc8, 0x6c, 0x77, 0xa6, 0x1d, 0x22, 0xc1, 0xb8,
20978 -+ 0xe6, 0x61, 0xd7, 0x67, 0x36, 0x13, 0x7b, 0xbb,
20979 -+ 0x9b, 0x59, 0x09, 0xa6, 0xdf, 0xf7, 0x6b, 0xa3,
20980 -+ 0x40, 0x1a, 0xf5, 0x4f, 0xb4, 0xda, 0xd3, 0xf3,
20981 -+ 0x81, 0x93, 0xc6, 0x18, 0xd9, 0x26, 0xee, 0xac,
20982 -+ 0xf0, 0xaa, 0xdf, 0xc5, 0x9c, 0xca, 0xc2, 0xa2,
20983 -+ 0xcc, 0x7b, 0x5c, 0x24, 0xb0, 0xbc, 0xd0, 0x6a,
20984 -+ 0x4d, 0x89, 0x09, 0xb8, 0x07, 0xfe, 0x87, 0xad,
20985 -+ 0x0a, 0xea, 0xb8, 0x42, 0xf9, 0x5e, 0xb3, 0x3e,
20986 -+ 0x36, 0x4c, 0xaf, 0x75, 0x9e, 0x1c, 0xeb, 0xbd,
20987 -+ 0xbc, 0xbb, 0x80, 0x40, 0xa7, 0x3a, 0x30, 0xbf,
20988 -+ 0xa8, 0x44, 0xf4, 0xeb, 0x38, 0xad, 0x29, 0xba,
20989 -+ 0x23, 0xed, 0x41, 0x0c, 0xea, 0xd2, 0xbb, 0x41,
20990 -+ 0x18, 0xd6, 0xb9, 0xba, 0x65, 0x2b, 0xa3, 0x91,
20991 -+ 0x6d, 0x1f, 0xa9, 0xf4, 0xd1, 0x25, 0x8d, 0x4d,
20992 -+ 0x38, 0xff, 0x64, 0xa0, 0xec, 0xde, 0xa6, 0xb6,
20993 -+ 0x79, 0xab, 0x8e, 0x33, 0x6c, 0x47, 0xde, 0xaf,
20994 -+ 0x94, 0xa4, 0xa5, 0x86, 0x77, 0x55, 0x09, 0x92,
20995 -+ 0x81, 0x31, 0x76, 0xc7, 0x34, 0x22, 0x89, 0x8e,
20996 -+ 0x3d, 0x26, 0x26, 0xd7, 0xfc, 0x1e, 0x16, 0x72,
20997 -+ 0x13, 0x33, 0x63, 0xd5, 0x22, 0xbe, 0xb8, 0x04,
20998 -+ 0x34, 0x84, 0x41, 0xbb, 0x80, 0xd0, 0x9f, 0x46,
20999 -+ 0x48, 0x07, 0xa7, 0xfc, 0x2b, 0x3a, 0x75, 0x55,
21000 -+ 0x8c, 0xc7, 0x6a, 0xbd, 0x7e, 0x46, 0x08, 0x84,
21001 -+ 0x0f, 0xd5, 0x74, 0xc0, 0x82, 0x8e, 0xaa, 0x61,
21002 -+ 0x05, 0x01, 0xb2, 0x47, 0x6e, 0x20, 0x6a, 0x2d,
21003 -+ 0x58, 0x70, 0x48, 0x32, 0xa7, 0x37, 0xd2, 0xb8,
21004 -+ 0x82, 0x1a, 0x51, 0xb9, 0x61, 0xdd, 0xfd, 0x9d,
21005 -+ 0x6b, 0x0e, 0x18, 0x97, 0xf8, 0x45, 0x5f, 0x87,
21006 -+ 0x10, 0xcf, 0x34, 0x72, 0x45, 0x26, 0x49, 0x70,
21007 -+ 0xe7, 0xa3, 0x78, 0xe0, 0x52, 0x89, 0x84, 0x94,
21008 -+ 0x83, 0x82, 0xc2, 0x69, 0x8f, 0xe3, 0xe1, 0x3f,
21009 -+ 0x60, 0x74, 0x88, 0xc4, 0xf7, 0x75, 0x2c, 0xfb,
21010 -+ 0xbd, 0xb6, 0xc4, 0x7e, 0x10, 0x0a, 0x6c, 0x90,
21011 -+ 0x04, 0x9e, 0xc3, 0x3f, 0x59, 0x7c, 0xce, 0x31,
21012 -+ 0x18, 0x60, 0x57, 0x73, 0x46, 0x94, 0x7d, 0x06,
21013 -+ 0xa0, 0x6d, 0x44, 0xec, 0xa2, 0x0a, 0x9e, 0x05,
21014 -+ 0x15, 0xef, 0xca, 0x5c, 0xbf, 0x00, 0xeb, 0xf7,
21015 -+ 0x3d, 0x32, 0xd4, 0xa5, 0xef, 0x49, 0x89, 0x5e,
21016 -+ 0x46, 0xb0, 0xa6, 0x63, 0x5b, 0x8a, 0x73, 0xae,
21017 -+ 0x6f, 0xd5, 0x9d, 0xf8, 0x4f, 0x40, 0xb5, 0xb2,
21018 -+ 0x6e, 0xd3, 0xb6, 0x01, 0xa9, 0x26, 0xa2, 0x21,
21019 -+ 0xcf, 0x33, 0x7a, 0x3a, 0xa4, 0x23, 0x13, 0xb0,
21020 -+ 0x69, 0x6a, 0xee, 0xce, 0xd8, 0x9d, 0x01, 0x1d,
21021 -+ 0x50, 0xc1, 0x30, 0x6c, 0xb1, 0xcd, 0xa0, 0xf0,
21022 -+ 0xf0, 0xa2, 0x64, 0x6f, 0xbb, 0xbf, 0x5e, 0xe6,
21023 -+ 0xab, 0x87, 0xb4, 0x0f, 0x4f, 0x15, 0xaf, 0xb5,
21024 -+ 0x25, 0xa1, 0xb2, 0xd0, 0x80, 0x2c, 0xfb, 0xf9,
21025 -+ 0xfe, 0xd2, 0x33, 0xbb, 0x76, 0xfe, 0x7c, 0xa8,
21026 -+ 0x66, 0xf7, 0xe7, 0x85, 0x9f, 0x1f, 0x85, 0x57,
21027 -+ 0x88, 0xe1, 0xe9, 0x63, 0xe4, 0xd8, 0x1c, 0xa1,
21028 -+ 0xfb, 0xda, 0x44, 0x05, 0x2e, 0x1d, 0x3a, 0x1c,
21029 -+ 0xff, 0xc8, 0x3b, 0xc0, 0xfe, 0xda, 0x22, 0x0b,
21030 -+ 0x43, 0xd6, 0x88, 0x39, 0x4c, 0x4a, 0xa6, 0x69,
21031 -+ 0x18, 0x93, 0x42, 0x4e, 0xb5, 0xcc, 0x66, 0x0d,
21032 -+ 0x09, 0xf8, 0x1e, 0x7c, 0xd3, 0x3c, 0x99, 0x0d,
21033 -+ 0x50, 0x1d, 0x62, 0xe9, 0x57, 0x06, 0xbf, 0x19,
21034 -+ 0x88, 0xdd, 0xad, 0x7b, 0x4f, 0xf9, 0xc7, 0x82,
21035 -+ 0x6d, 0x8d, 0xc8, 0xc4, 0xc5, 0x78, 0x17, 0x20,
21036 -+ 0x15, 0xc5, 0x52, 0x41, 0xcf, 0x5b, 0xd6, 0x7f,
21037 -+ 0x94, 0x02, 0x41, 0xe0, 0x40, 0x22, 0x03, 0x5e,
21038 -+ 0xd1, 0x53, 0xd4, 0x86, 0xd3, 0x2c, 0x9f, 0x0f,
21039 -+ 0x96, 0xe3, 0x6b, 0x9a, 0x76, 0x32, 0x06, 0x47,
21040 -+ 0x4b, 0x11, 0xb3, 0xdd, 0x03, 0x65, 0xbd, 0x9b,
21041 -+ 0x01, 0xda, 0x9c, 0xb9, 0x7e, 0x3f, 0x6a, 0xc4,
21042 -+ 0x7b, 0xea, 0xd4, 0x3c, 0xb9, 0xfb, 0x5c, 0x6b,
21043 -+ 0x64, 0x33, 0x52, 0xba, 0x64, 0x78, 0x8f, 0xa4,
21044 -+ 0xaf, 0x7a, 0x61, 0x8d, 0xbc, 0xc5, 0x73, 0xe9,
21045 -+ 0x6b, 0x58, 0x97, 0x4b, 0xbf, 0x63, 0x22, 0xd3,
21046 -+ 0x37, 0x02, 0x54, 0xc5, 0xb9, 0x16, 0x4a, 0xf0,
21047 -+ 0x19, 0xd8, 0x94, 0x57, 0xb8, 0x8a, 0xb3, 0x16,
21048 -+ 0x3b, 0xd0, 0x84, 0x8e, 0x67, 0xa6, 0xa3, 0x7d,
21049 -+ 0x78, 0xec, 0x00
21050 -+};
21051 -+static const u8 enc_output012[] __initconst = {
21052 -+ 0x52, 0x34, 0xb3, 0x65, 0x3b, 0xb7, 0xe5, 0xd3,
21053 -+ 0xab, 0x49, 0x17, 0x60, 0xd2, 0x52, 0x56, 0xdf,
21054 -+ 0xdf, 0x34, 0x56, 0x82, 0xe2, 0xbe, 0xe5, 0xe1,
21055 -+ 0x28, 0xd1, 0x4e, 0x5f, 0x4f, 0x01, 0x7d, 0x3f,
21056 -+ 0x99, 0x6b, 0x30, 0x6e, 0x1a, 0x7c, 0x4c, 0x8e,
21057 -+ 0x62, 0x81, 0xae, 0x86, 0x3f, 0x6b, 0xd0, 0xb5,
21058 -+ 0xa9, 0xcf, 0x50, 0xf1, 0x02, 0x12, 0xa0, 0x0b,
21059 -+ 0x24, 0xe9, 0xe6, 0x72, 0x89, 0x2c, 0x52, 0x1b,
21060 -+ 0x34, 0x38, 0xf8, 0x75, 0x5f, 0xa0, 0x74, 0xe2,
21061 -+ 0x99, 0xdd, 0xa6, 0x4b, 0x14, 0x50, 0x4e, 0xf1,
21062 -+ 0xbe, 0xd6, 0x9e, 0xdb, 0xb2, 0x24, 0x27, 0x74,
21063 -+ 0x12, 0x4a, 0x78, 0x78, 0x17, 0xa5, 0x58, 0x8e,
21064 -+ 0x2f, 0xf9, 0xf4, 0x8d, 0xee, 0x03, 0x88, 0xae,
21065 -+ 0xb8, 0x29, 0xa1, 0x2f, 0x4b, 0xee, 0x92, 0xbd,
21066 -+ 0x87, 0xb3, 0xce, 0x34, 0x21, 0x57, 0x46, 0x04,
21067 -+ 0x49, 0x0c, 0x80, 0xf2, 0x01, 0x13, 0xa1, 0x55,
21068 -+ 0xb3, 0xff, 0x44, 0x30, 0x3c, 0x1c, 0xd0, 0xef,
21069 -+ 0xbc, 0x18, 0x74, 0x26, 0xad, 0x41, 0x5b, 0x5b,
21070 -+ 0x3e, 0x9a, 0x7a, 0x46, 0x4f, 0x16, 0xd6, 0x74,
21071 -+ 0x5a, 0xb7, 0x3a, 0x28, 0x31, 0xd8, 0xae, 0x26,
21072 -+ 0xac, 0x50, 0x53, 0x86, 0xf2, 0x56, 0xd7, 0x3f,
21073 -+ 0x29, 0xbc, 0x45, 0x68, 0x8e, 0xcb, 0x98, 0x64,
21074 -+ 0xdd, 0xc9, 0xba, 0xb8, 0x4b, 0x7b, 0x82, 0xdd,
21075 -+ 0x14, 0xa7, 0xcb, 0x71, 0x72, 0x00, 0x5c, 0xad,
21076 -+ 0x7b, 0x6a, 0x89, 0xa4, 0x3d, 0xbf, 0xb5, 0x4b,
21077 -+ 0x3e, 0x7c, 0x5a, 0xcf, 0xb8, 0xa1, 0xc5, 0x6e,
21078 -+ 0xc8, 0xb6, 0x31, 0x57, 0x7b, 0xdf, 0xa5, 0x7e,
21079 -+ 0xb1, 0xd6, 0x42, 0x2a, 0x31, 0x36, 0xd1, 0xd0,
21080 -+ 0x3f, 0x7a, 0xe5, 0x94, 0xd6, 0x36, 0xa0, 0x6f,
21081 -+ 0xb7, 0x40, 0x7d, 0x37, 0xc6, 0x55, 0x7c, 0x50,
21082 -+ 0x40, 0x6d, 0x29, 0x89, 0xe3, 0x5a, 0xae, 0x97,
21083 -+ 0xe7, 0x44, 0x49, 0x6e, 0xbd, 0x81, 0x3d, 0x03,
21084 -+ 0x93, 0x06, 0x12, 0x06, 0xe2, 0x41, 0x12, 0x4a,
21085 -+ 0xf1, 0x6a, 0xa4, 0x58, 0xa2, 0xfb, 0xd2, 0x15,
21086 -+ 0xba, 0xc9, 0x79, 0xc9, 0xce, 0x5e, 0x13, 0xbb,
21087 -+ 0xf1, 0x09, 0x04, 0xcc, 0xfd, 0xe8, 0x51, 0x34,
21088 -+ 0x6a, 0xe8, 0x61, 0x88, 0xda, 0xed, 0x01, 0x47,
21089 -+ 0x84, 0xf5, 0x73, 0x25, 0xf9, 0x1c, 0x42, 0x86,
21090 -+ 0x07, 0xf3, 0x5b, 0x1a, 0x01, 0xb3, 0xeb, 0x24,
21091 -+ 0x32, 0x8d, 0xf6, 0xed, 0x7c, 0x4b, 0xeb, 0x3c,
21092 -+ 0x36, 0x42, 0x28, 0xdf, 0xdf, 0xb6, 0xbe, 0xd9,
21093 -+ 0x8c, 0x52, 0xd3, 0x2b, 0x08, 0x90, 0x8c, 0xe7,
21094 -+ 0x98, 0x31, 0xe2, 0x32, 0x8e, 0xfc, 0x11, 0x48,
21095 -+ 0x00, 0xa8, 0x6a, 0x42, 0x4a, 0x02, 0xc6, 0x4b,
21096 -+ 0x09, 0xf1, 0xe3, 0x49, 0xf3, 0x45, 0x1f, 0x0e,
21097 -+ 0xbc, 0x56, 0xe2, 0xe4, 0xdf, 0xfb, 0xeb, 0x61,
21098 -+ 0xfa, 0x24, 0xc1, 0x63, 0x75, 0xbb, 0x47, 0x75,
21099 -+ 0xaf, 0xe1, 0x53, 0x16, 0x96, 0x21, 0x85, 0x26,
21100 -+ 0x11, 0xb3, 0x76, 0xe3, 0x23, 0xa1, 0x6b, 0x74,
21101 -+ 0x37, 0xd0, 0xde, 0x06, 0x90, 0x71, 0x5d, 0x43,
21102 -+ 0x88, 0x9b, 0x00, 0x54, 0xa6, 0x75, 0x2f, 0xa1,
21103 -+ 0xc2, 0x0b, 0x73, 0x20, 0x1d, 0xb6, 0x21, 0x79,
21104 -+ 0x57, 0x3f, 0xfa, 0x09, 0xbe, 0x8a, 0x33, 0xc3,
21105 -+ 0x52, 0xf0, 0x1d, 0x82, 0x31, 0xd1, 0x55, 0xb5,
21106 -+ 0x6c, 0x99, 0x25, 0xcf, 0x5c, 0x32, 0xce, 0xe9,
21107 -+ 0x0d, 0xfa, 0x69, 0x2c, 0xd5, 0x0d, 0xc5, 0x6d,
21108 -+ 0x86, 0xd0, 0x0c, 0x3b, 0x06, 0x50, 0x79, 0xe8,
21109 -+ 0xc3, 0xae, 0x04, 0xe6, 0xcd, 0x51, 0xe4, 0x26,
21110 -+ 0x9b, 0x4f, 0x7e, 0xa6, 0x0f, 0xab, 0xd8, 0xe5,
21111 -+ 0xde, 0xa9, 0x00, 0x95, 0xbe, 0xa3, 0x9d, 0x5d,
21112 -+ 0xb2, 0x09, 0x70, 0x18, 0x1c, 0xf0, 0xac, 0x29,
21113 -+ 0x23, 0x02, 0x29, 0x28, 0xd2, 0x74, 0x35, 0x57,
21114 -+ 0x62, 0x0f, 0x24, 0xea, 0x5e, 0x33, 0xc2, 0x92,
21115 -+ 0xf3, 0x78, 0x4d, 0x30, 0x1e, 0xa1, 0x99, 0xa9,
21116 -+ 0x82, 0xb0, 0x42, 0x31, 0x8d, 0xad, 0x8a, 0xbc,
21117 -+ 0xfc, 0xd4, 0x57, 0x47, 0x3e, 0xb4, 0x50, 0xdd,
21118 -+ 0x6e, 0x2c, 0x80, 0x4d, 0x22, 0xf1, 0xfb, 0x57,
21119 -+ 0xc4, 0xdd, 0x17, 0xe1, 0x8a, 0x36, 0x4a, 0xb3,
21120 -+ 0x37, 0xca, 0xc9, 0x4e, 0xab, 0xd5, 0x69, 0xc4,
21121 -+ 0xf4, 0xbc, 0x0b, 0x3b, 0x44, 0x4b, 0x29, 0x9c,
21122 -+ 0xee, 0xd4, 0x35, 0x22, 0x21, 0xb0, 0x1f, 0x27,
21123 -+ 0x64, 0xa8, 0x51, 0x1b, 0xf0, 0x9f, 0x19, 0x5c,
21124 -+ 0xfb, 0x5a, 0x64, 0x74, 0x70, 0x45, 0x09, 0xf5,
21125 -+ 0x64, 0xfe, 0x1a, 0x2d, 0xc9, 0x14, 0x04, 0x14,
21126 -+ 0xcf, 0xd5, 0x7d, 0x60, 0xaf, 0x94, 0x39, 0x94,
21127 -+ 0xe2, 0x7d, 0x79, 0x82, 0xd0, 0x65, 0x3b, 0x6b,
21128 -+ 0x9c, 0x19, 0x84, 0xb4, 0x6d, 0xb3, 0x0c, 0x99,
21129 -+ 0xc0, 0x56, 0xa8, 0xbd, 0x73, 0xce, 0x05, 0x84,
21130 -+ 0x3e, 0x30, 0xaa, 0xc4, 0x9b, 0x1b, 0x04, 0x2a,
21131 -+ 0x9f, 0xd7, 0x43, 0x2b, 0x23, 0xdf, 0xbf, 0xaa,
21132 -+ 0xd5, 0xc2, 0x43, 0x2d, 0x70, 0xab, 0xdc, 0x75,
21133 -+ 0xad, 0xac, 0xf7, 0xc0, 0xbe, 0x67, 0xb2, 0x74,
21134 -+ 0xed, 0x67, 0x10, 0x4a, 0x92, 0x60, 0xc1, 0x40,
21135 -+ 0x50, 0x19, 0x8a, 0x8a, 0x8c, 0x09, 0x0e, 0x72,
21136 -+ 0xe1, 0x73, 0x5e, 0xe8, 0x41, 0x85, 0x63, 0x9f,
21137 -+ 0x3f, 0xd7, 0x7d, 0xc4, 0xfb, 0x22, 0x5d, 0x92,
21138 -+ 0x6c, 0xb3, 0x1e, 0xe2, 0x50, 0x2f, 0x82, 0xa8,
21139 -+ 0x28, 0xc0, 0xb5, 0xd7, 0x5f, 0x68, 0x0d, 0x2c,
21140 -+ 0x2d, 0xaf, 0x7e, 0xfa, 0x2e, 0x08, 0x0f, 0x1f,
21141 -+ 0x70, 0x9f, 0xe9, 0x19, 0x72, 0x55, 0xf8, 0xfb,
21142 -+ 0x51, 0xd2, 0x33, 0x5d, 0xa0, 0xd3, 0x2b, 0x0a,
21143 -+ 0x6c, 0xbc, 0x4e, 0xcf, 0x36, 0x4d, 0xdc, 0x3b,
21144 -+ 0xe9, 0x3e, 0x81, 0x7c, 0x61, 0xdb, 0x20, 0x2d,
21145 -+ 0x3a, 0xc3, 0xb3, 0x0c, 0x1e, 0x00, 0xb9, 0x7c,
21146 -+ 0xf5, 0xca, 0x10, 0x5f, 0x3a, 0x71, 0xb3, 0xe4,
21147 -+ 0x20, 0xdb, 0x0c, 0x2a, 0x98, 0x63, 0x45, 0x00,
21148 -+ 0x58, 0xf6, 0x68, 0xe4, 0x0b, 0xda, 0x13, 0x3b,
21149 -+ 0x60, 0x5c, 0x76, 0xdb, 0xb9, 0x97, 0x71, 0xe4,
21150 -+ 0xd9, 0xb7, 0xdb, 0xbd, 0x68, 0xc7, 0x84, 0x84,
21151 -+ 0xaa, 0x7c, 0x68, 0x62, 0x5e, 0x16, 0xfc, 0xba,
21152 -+ 0x72, 0xaa, 0x9a, 0xa9, 0xeb, 0x7c, 0x75, 0x47,
21153 -+ 0x97, 0x7e, 0xad, 0xe2, 0xd9, 0x91, 0xe8, 0xe4,
21154 -+ 0xa5, 0x31, 0xd7, 0x01, 0x8e, 0xa2, 0x11, 0x88,
21155 -+ 0x95, 0xb9, 0xf2, 0x9b, 0xd3, 0x7f, 0x1b, 0x81,
21156 -+ 0x22, 0xf7, 0x98, 0x60, 0x0a, 0x64, 0xa6, 0xc1,
21157 -+ 0xf6, 0x49, 0xc7, 0xe3, 0x07, 0x4d, 0x94, 0x7a,
21158 -+ 0xcf, 0x6e, 0x68, 0x0c, 0x1b, 0x3f, 0x6e, 0x2e,
21159 -+ 0xee, 0x92, 0xfa, 0x52, 0xb3, 0x59, 0xf8, 0xf1,
21160 -+ 0x8f, 0x6a, 0x66, 0xa3, 0x82, 0x76, 0x4a, 0x07,
21161 -+ 0x1a, 0xc7, 0xdd, 0xf5, 0xda, 0x9c, 0x3c, 0x24,
21162 -+ 0xbf, 0xfd, 0x42, 0xa1, 0x10, 0x64, 0x6a, 0x0f,
21163 -+ 0x89, 0xee, 0x36, 0xa5, 0xce, 0x99, 0x48, 0x6a,
21164 -+ 0xf0, 0x9f, 0x9e, 0x69, 0xa4, 0x40, 0x20, 0xe9,
21165 -+ 0x16, 0x15, 0xf7, 0xdb, 0x75, 0x02, 0xcb, 0xe9,
21166 -+ 0x73, 0x8b, 0x3b, 0x49, 0x2f, 0xf0, 0xaf, 0x51,
21167 -+ 0x06, 0x5c, 0xdf, 0x27, 0x27, 0x49, 0x6a, 0xd1,
21168 -+ 0xcc, 0xc7, 0xb5, 0x63, 0xb5, 0xfc, 0xb8, 0x5c,
21169 -+ 0x87, 0x7f, 0x84, 0xb4, 0xcc, 0x14, 0xa9, 0x53,
21170 -+ 0xda, 0xa4, 0x56, 0xf8, 0xb6, 0x1b, 0xcc, 0x40,
21171 -+ 0x27, 0x52, 0x06, 0x5a, 0x13, 0x81, 0xd7, 0x3a,
21172 -+ 0xd4, 0x3b, 0xfb, 0x49, 0x65, 0x31, 0x33, 0xb2,
21173 -+ 0xfa, 0xcd, 0xad, 0x58, 0x4e, 0x2b, 0xae, 0xd2,
21174 -+ 0x20, 0xfb, 0x1a, 0x48, 0xb4, 0x3f, 0x9a, 0xd8,
21175 -+ 0x7a, 0x35, 0x4a, 0xc8, 0xee, 0x88, 0x5e, 0x07,
21176 -+ 0x66, 0x54, 0xb9, 0xec, 0x9f, 0xa3, 0xe3, 0xb9,
21177 -+ 0x37, 0xaa, 0x49, 0x76, 0x31, 0xda, 0x74, 0x2d,
21178 -+ 0x3c, 0xa4, 0x65, 0x10, 0x32, 0x38, 0xf0, 0xde,
21179 -+ 0xd3, 0x99, 0x17, 0xaa, 0x71, 0xaa, 0x8f, 0x0f,
21180 -+ 0x8c, 0xaf, 0xa2, 0xf8, 0x5d, 0x64, 0xba, 0x1d,
21181 -+ 0xa3, 0xef, 0x96, 0x73, 0xe8, 0xa1, 0x02, 0x8d,
21182 -+ 0x0c, 0x6d, 0xb8, 0x06, 0x90, 0xb8, 0x08, 0x56,
21183 -+ 0x2c, 0xa7, 0x06, 0xc9, 0xc2, 0x38, 0xdb, 0x7c,
21184 -+ 0x63, 0xb1, 0x57, 0x8e, 0xea, 0x7c, 0x79, 0xf3,
21185 -+ 0x49, 0x1d, 0xfe, 0x9f, 0xf3, 0x6e, 0xb1, 0x1d,
21186 -+ 0xba, 0x19, 0x80, 0x1a, 0x0a, 0xd3, 0xb0, 0x26,
21187 -+ 0x21, 0x40, 0xb1, 0x7c, 0xf9, 0x4d, 0x8d, 0x10,
21188 -+ 0xc1, 0x7e, 0xf4, 0xf6, 0x3c, 0xa8, 0xfd, 0x7c,
21189 -+ 0xa3, 0x92, 0xb2, 0x0f, 0xaa, 0xcc, 0xa6, 0x11,
21190 -+ 0xfe, 0x04, 0xe3, 0xd1, 0x7a, 0x32, 0x89, 0xdf,
21191 -+ 0x0d, 0xc4, 0x8f, 0x79, 0x6b, 0xca, 0x16, 0x7c,
21192 -+ 0x6e, 0xf9, 0xad, 0x0f, 0xf6, 0xfe, 0x27, 0xdb,
21193 -+ 0xc4, 0x13, 0x70, 0xf1, 0x62, 0x1a, 0x4f, 0x79,
21194 -+ 0x40, 0xc9, 0x9b, 0x8b, 0x21, 0xea, 0x84, 0xfa,
21195 -+ 0xf5, 0xf1, 0x89, 0xce, 0xb7, 0x55, 0x0a, 0x80,
21196 -+ 0x39, 0x2f, 0x55, 0x36, 0x16, 0x9c, 0x7b, 0x08,
21197 -+ 0xbd, 0x87, 0x0d, 0xa5, 0x32, 0xf1, 0x52, 0x7c,
21198 -+ 0xe8, 0x55, 0x60, 0x5b, 0xd7, 0x69, 0xe4, 0xfc,
21199 -+ 0xfa, 0x12, 0x85, 0x96, 0xea, 0x50, 0x28, 0xab,
21200 -+ 0x8a, 0xf7, 0xbb, 0x0e, 0x53, 0x74, 0xca, 0xa6,
21201 -+ 0x27, 0x09, 0xc2, 0xb5, 0xde, 0x18, 0x14, 0xd9,
21202 -+ 0xea, 0xe5, 0x29, 0x1c, 0x40, 0x56, 0xcf, 0xd7,
21203 -+ 0xae, 0x05, 0x3f, 0x65, 0xaf, 0x05, 0x73, 0xe2,
21204 -+ 0x35, 0x96, 0x27, 0x07, 0x14, 0xc0, 0xad, 0x33,
21205 -+ 0xf1, 0xdc, 0x44, 0x7a, 0x89, 0x17, 0x77, 0xd2,
21206 -+ 0x9c, 0x58, 0x60, 0xf0, 0x3f, 0x7b, 0x2d, 0x2e,
21207 -+ 0x57, 0x95, 0x54, 0x87, 0xed, 0xf2, 0xc7, 0x4c,
21208 -+ 0xf0, 0xae, 0x56, 0x29, 0x19, 0x7d, 0x66, 0x4b,
21209 -+ 0x9b, 0x83, 0x84, 0x42, 0x3b, 0x01, 0x25, 0x66,
21210 -+ 0x8e, 0x02, 0xde, 0xb9, 0x83, 0x54, 0x19, 0xf6,
21211 -+ 0x9f, 0x79, 0x0d, 0x67, 0xc5, 0x1d, 0x7a, 0x44,
21212 -+ 0x02, 0x98, 0xa7, 0x16, 0x1c, 0x29, 0x0d, 0x74,
21213 -+ 0xff, 0x85, 0x40, 0x06, 0xef, 0x2c, 0xa9, 0xc6,
21214 -+ 0xf5, 0x53, 0x07, 0x06, 0xae, 0xe4, 0xfa, 0x5f,
21215 -+ 0xd8, 0x39, 0x4d, 0xf1, 0x9b, 0x6b, 0xd9, 0x24,
21216 -+ 0x84, 0xfe, 0x03, 0x4c, 0xb2, 0x3f, 0xdf, 0xa1,
21217 -+ 0x05, 0x9e, 0x50, 0x14, 0x5a, 0xd9, 0x1a, 0xa2,
21218 -+ 0xa7, 0xfa, 0xfa, 0x17, 0xf7, 0x78, 0xd6, 0xb5,
21219 -+ 0x92, 0x61, 0x91, 0xac, 0x36, 0xfa, 0x56, 0x0d,
21220 -+ 0x38, 0x32, 0x18, 0x85, 0x08, 0x58, 0x37, 0xf0,
21221 -+ 0x4b, 0xdb, 0x59, 0xe7, 0xa4, 0x34, 0xc0, 0x1b,
21222 -+ 0x01, 0xaf, 0x2d, 0xde, 0xa1, 0xaa, 0x5d, 0xd3,
21223 -+ 0xec, 0xe1, 0xd4, 0xf7, 0xe6, 0x54, 0x68, 0xf0,
21224 -+ 0x51, 0x97, 0xa7, 0x89, 0xea, 0x24, 0xad, 0xd3,
21225 -+ 0x6e, 0x47, 0x93, 0x8b, 0x4b, 0xb4, 0xf7, 0x1c,
21226 -+ 0x42, 0x06, 0x67, 0xe8, 0x99, 0xf6, 0xf5, 0x7b,
21227 -+ 0x85, 0xb5, 0x65, 0xb5, 0xb5, 0xd2, 0x37, 0xf5,
21228 -+ 0xf3, 0x02, 0xa6, 0x4d, 0x11, 0xa7, 0xdc, 0x51,
21229 -+ 0x09, 0x7f, 0xa0, 0xd8, 0x88, 0x1c, 0x13, 0x71,
21230 -+ 0xae, 0x9c, 0xb7, 0x7b, 0x34, 0xd6, 0x4e, 0x68,
21231 -+ 0x26, 0x83, 0x51, 0xaf, 0x1d, 0xee, 0x8b, 0xbb,
21232 -+ 0x69, 0x43, 0x2b, 0x9e, 0x8a, 0xbc, 0x02, 0x0e,
21233 -+ 0xa0, 0x1b, 0xe0, 0xa8, 0x5f, 0x6f, 0xaf, 0x1b,
21234 -+ 0x8f, 0xe7, 0x64, 0x71, 0x74, 0x11, 0x7e, 0xa8,
21235 -+ 0xd8, 0xf9, 0x97, 0x06, 0xc3, 0xb6, 0xfb, 0xfb,
21236 -+ 0xb7, 0x3d, 0x35, 0x9d, 0x3b, 0x52, 0xed, 0x54,
21237 -+ 0xca, 0xf4, 0x81, 0x01, 0x2d, 0x1b, 0xc3, 0xa7,
21238 -+ 0x00, 0x3d, 0x1a, 0x39, 0x54, 0xe1, 0xf6, 0xff,
21239 -+ 0xed, 0x6f, 0x0b, 0x5a, 0x68, 0xda, 0x58, 0xdd,
21240 -+ 0xa9, 0xcf, 0x5c, 0x4a, 0xe5, 0x09, 0x4e, 0xde,
21241 -+ 0x9d, 0xbc, 0x3e, 0xee, 0x5a, 0x00, 0x3b, 0x2c,
21242 -+ 0x87, 0x10, 0x65, 0x60, 0xdd, 0xd7, 0x56, 0xd1,
21243 -+ 0x4c, 0x64, 0x45, 0xe4, 0x21, 0xec, 0x78, 0xf8,
21244 -+ 0x25, 0x7a, 0x3e, 0x16, 0x5d, 0x09, 0x53, 0x14,
21245 -+ 0xbe, 0x4f, 0xae, 0x87, 0xd8, 0xd1, 0xaa, 0x3c,
21246 -+ 0xf6, 0x3e, 0xa4, 0x70, 0x8c, 0x5e, 0x70, 0xa4,
21247 -+ 0xb3, 0x6b, 0x66, 0x73, 0xd3, 0xbf, 0x31, 0x06,
21248 -+ 0x19, 0x62, 0x93, 0x15, 0xf2, 0x86, 0xe4, 0x52,
21249 -+ 0x7e, 0x53, 0x4c, 0x12, 0x38, 0xcc, 0x34, 0x7d,
21250 -+ 0x57, 0xf6, 0x42, 0x93, 0x8a, 0xc4, 0xee, 0x5c,
21251 -+ 0x8a, 0xe1, 0x52, 0x8f, 0x56, 0x64, 0xf6, 0xa6,
21252 -+ 0xd1, 0x91, 0x57, 0x70, 0xcd, 0x11, 0x76, 0xf5,
21253 -+ 0x59, 0x60, 0x60, 0x3c, 0xc1, 0xc3, 0x0b, 0x7f,
21254 -+ 0x58, 0x1a, 0x50, 0x91, 0xf1, 0x68, 0x8f, 0x6e,
21255 -+ 0x74, 0x74, 0xa8, 0x51, 0x0b, 0xf7, 0x7a, 0x98,
21256 -+ 0x37, 0xf2, 0x0a, 0x0e, 0xa4, 0x97, 0x04, 0xb8,
21257 -+ 0x9b, 0xfd, 0xa0, 0xea, 0xf7, 0x0d, 0xe1, 0xdb,
21258 -+ 0x03, 0xf0, 0x31, 0x29, 0xf8, 0xdd, 0x6b, 0x8b,
21259 -+ 0x5d, 0xd8, 0x59, 0xa9, 0x29, 0xcf, 0x9a, 0x79,
21260 -+ 0x89, 0x19, 0x63, 0x46, 0x09, 0x79, 0x6a, 0x11,
21261 -+ 0xda, 0x63, 0x68, 0x48, 0x77, 0x23, 0xfb, 0x7d,
21262 -+ 0x3a, 0x43, 0xcb, 0x02, 0x3b, 0x7a, 0x6d, 0x10,
21263 -+ 0x2a, 0x9e, 0xac, 0xf1, 0xd4, 0x19, 0xf8, 0x23,
21264 -+ 0x64, 0x1d, 0x2c, 0x5f, 0xf2, 0xb0, 0x5c, 0x23,
21265 -+ 0x27, 0xf7, 0x27, 0x30, 0x16, 0x37, 0xb1, 0x90,
21266 -+ 0xab, 0x38, 0xfb, 0x55, 0xcd, 0x78, 0x58, 0xd4,
21267 -+ 0x7d, 0x43, 0xf6, 0x45, 0x5e, 0x55, 0x8d, 0xb1,
21268 -+ 0x02, 0x65, 0x58, 0xb4, 0x13, 0x4b, 0x36, 0xf7,
21269 -+ 0xcc, 0xfe, 0x3d, 0x0b, 0x82, 0xe2, 0x12, 0x11,
21270 -+ 0xbb, 0xe6, 0xb8, 0x3a, 0x48, 0x71, 0xc7, 0x50,
21271 -+ 0x06, 0x16, 0x3a, 0xe6, 0x7c, 0x05, 0xc7, 0xc8,
21272 -+ 0x4d, 0x2f, 0x08, 0x6a, 0x17, 0x9a, 0x95, 0x97,
21273 -+ 0x50, 0x68, 0xdc, 0x28, 0x18, 0xc4, 0x61, 0x38,
21274 -+ 0xb9, 0xe0, 0x3e, 0x78, 0xdb, 0x29, 0xe0, 0x9f,
21275 -+ 0x52, 0xdd, 0xf8, 0x4f, 0x91, 0xc1, 0xd0, 0x33,
21276 -+ 0xa1, 0x7a, 0x8e, 0x30, 0x13, 0x82, 0x07, 0x9f,
21277 -+ 0xd3, 0x31, 0x0f, 0x23, 0xbe, 0x32, 0x5a, 0x75,
21278 -+ 0xcf, 0x96, 0xb2, 0xec, 0xb5, 0x32, 0xac, 0x21,
21279 -+ 0xd1, 0x82, 0x33, 0xd3, 0x15, 0x74, 0xbd, 0x90,
21280 -+ 0xf1, 0x2c, 0xe6, 0x5f, 0x8d, 0xe3, 0x02, 0xe8,
21281 -+ 0xe9, 0xc4, 0xca, 0x96, 0xeb, 0x0e, 0xbc, 0x91,
21282 -+ 0xf4, 0xb9, 0xea, 0xd9, 0x1b, 0x75, 0xbd, 0xe1,
21283 -+ 0xac, 0x2a, 0x05, 0x37, 0x52, 0x9b, 0x1b, 0x3f,
21284 -+ 0x5a, 0xdc, 0x21, 0xc3, 0x98, 0xbb, 0xaf, 0xa3,
21285 -+ 0xf2, 0x00, 0xbf, 0x0d, 0x30, 0x89, 0x05, 0xcc,
21286 -+ 0xa5, 0x76, 0xf5, 0x06, 0xf0, 0xc6, 0x54, 0x8a,
21287 -+ 0x5d, 0xd4, 0x1e, 0xc1, 0xf2, 0xce, 0xb0, 0x62,
21288 -+ 0xc8, 0xfc, 0x59, 0x42, 0x9a, 0x90, 0x60, 0x55,
21289 -+ 0xfe, 0x88, 0xa5, 0x8b, 0xb8, 0x33, 0x0c, 0x23,
21290 -+ 0x24, 0x0d, 0x15, 0x70, 0x37, 0x1e, 0x3d, 0xf6,
21291 -+ 0xd2, 0xea, 0x92, 0x10, 0xb2, 0xc4, 0x51, 0xac,
21292 -+ 0xf2, 0xac, 0xf3, 0x6b, 0x6c, 0xaa, 0xcf, 0x12,
21293 -+ 0xc5, 0x6c, 0x90, 0x50, 0xb5, 0x0c, 0xfc, 0x1a,
21294 -+ 0x15, 0x52, 0xe9, 0x26, 0xc6, 0x52, 0xa4, 0xe7,
21295 -+ 0x81, 0x69, 0xe1, 0xe7, 0x9e, 0x30, 0x01, 0xec,
21296 -+ 0x84, 0x89, 0xb2, 0x0d, 0x66, 0xdd, 0xce, 0x28,
21297 -+ 0x5c, 0xec, 0x98, 0x46, 0x68, 0x21, 0x9f, 0x88,
21298 -+ 0x3f, 0x1f, 0x42, 0x77, 0xce, 0xd0, 0x61, 0xd4,
21299 -+ 0x20, 0xa7, 0xff, 0x53, 0xad, 0x37, 0xd0, 0x17,
21300 -+ 0x35, 0xc9, 0xfc, 0xba, 0x0a, 0x78, 0x3f, 0xf2,
21301 -+ 0xcc, 0x86, 0x89, 0xe8, 0x4b, 0x3c, 0x48, 0x33,
21302 -+ 0x09, 0x7f, 0xc6, 0xc0, 0xdd, 0xb8, 0xfd, 0x7a,
21303 -+ 0x66, 0x66, 0x65, 0xeb, 0x47, 0xa7, 0x04, 0x28,
21304 -+ 0xa3, 0x19, 0x8e, 0xa9, 0xb1, 0x13, 0x67, 0x62,
21305 -+ 0x70, 0xcf, 0xd6
21306 -+};
21307 -+static const u8 enc_assoc012[] __initconst = {
21308 -+ 0xb1, 0x69, 0x83, 0x87, 0x30, 0xaa, 0x5d, 0xb8,
21309 -+ 0x77, 0xe8, 0x21, 0xff, 0x06, 0x59, 0x35, 0xce,
21310 -+ 0x75, 0xfe, 0x38, 0xef, 0xb8, 0x91, 0x43, 0x8c,
21311 -+ 0xcf, 0x70, 0xdd, 0x0a, 0x68, 0xbf, 0xd4, 0xbc,
21312 -+ 0x16, 0x76, 0x99, 0x36, 0x1e, 0x58, 0x79, 0x5e,
21313 -+ 0xd4, 0x29, 0xf7, 0x33, 0x93, 0x48, 0xdb, 0x5f,
21314 -+ 0x01, 0xae, 0x9c, 0xb6, 0xe4, 0x88, 0x6d, 0x2b,
21315 -+ 0x76, 0x75, 0xe0, 0xf3, 0x74, 0xe2, 0xc9
21316 -+};
21317 -+static const u8 enc_nonce012[] __initconst = {
21318 -+ 0x05, 0xa3, 0x93, 0xed, 0x30, 0xc5, 0xa2, 0x06
21319 -+};
21320 -+static const u8 enc_key012[] __initconst = {
21321 -+ 0xb3, 0x35, 0x50, 0x03, 0x54, 0x2e, 0x40, 0x5e,
21322 -+ 0x8f, 0x59, 0x8e, 0xc5, 0x90, 0xd5, 0x27, 0x2d,
21323 -+ 0xba, 0x29, 0x2e, 0xcb, 0x1b, 0x70, 0x44, 0x1e,
21324 -+ 0x65, 0x91, 0x6e, 0x2a, 0x79, 0x22, 0xda, 0x64
21325 -+};
21326 -+
21327 -+/* wycheproof - rfc7539 */
21328 -+static const u8 enc_input013[] __initconst = {
21329 -+ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
21330 -+ 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
21331 -+ 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
21332 -+ 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
21333 -+ 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
21334 -+ 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
21335 -+ 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
21336 -+ 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
21337 -+ 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
21338 -+ 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
21339 -+ 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
21340 -+ 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
21341 -+ 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
21342 -+ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
21343 -+ 0x74, 0x2e
21344 -+};
21345 -+static const u8 enc_output013[] __initconst = {
21346 -+ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
21347 -+ 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
21348 -+ 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
21349 -+ 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
21350 -+ 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
21351 -+ 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
21352 -+ 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
21353 -+ 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
21354 -+ 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
21355 -+ 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
21356 -+ 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
21357 -+ 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
21358 -+ 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
21359 -+ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
21360 -+ 0x61, 0x16, 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09,
21361 -+ 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60,
21362 -+ 0x06, 0x91
21363 -+};
21364 -+static const u8 enc_assoc013[] __initconst = {
21365 -+ 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
21366 -+ 0xc4, 0xc5, 0xc6, 0xc7
21367 -+};
21368 -+static const u8 enc_nonce013[] __initconst = {
21369 -+ 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43,
21370 -+ 0x44, 0x45, 0x46, 0x47
21371 -+};
21372 -+static const u8 enc_key013[] __initconst = {
21373 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
21374 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
21375 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
21376 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
21377 -+};
21378 -+
21379 -+/* wycheproof - misc */
21380 -+static const u8 enc_input014[] __initconst = { };
21381 -+static const u8 enc_output014[] __initconst = {
21382 -+ 0x76, 0xac, 0xb3, 0x42, 0xcf, 0x31, 0x66, 0xa5,
21383 -+ 0xb6, 0x3c, 0x0c, 0x0e, 0xa1, 0x38, 0x3c, 0x8d
21384 -+};
21385 -+static const u8 enc_assoc014[] __initconst = { };
21386 -+static const u8 enc_nonce014[] __initconst = {
21387 -+ 0x4d, 0xa5, 0xbf, 0x8d, 0xfd, 0x58, 0x52, 0xc1,
21388 -+ 0xea, 0x12, 0x37, 0x9d
21389 -+};
21390 -+static const u8 enc_key014[] __initconst = {
21391 -+ 0x80, 0xba, 0x31, 0x92, 0xc8, 0x03, 0xce, 0x96,
21392 -+ 0x5e, 0xa3, 0x71, 0xd5, 0xff, 0x07, 0x3c, 0xf0,
21393 -+ 0xf4, 0x3b, 0x6a, 0x2a, 0xb5, 0x76, 0xb2, 0x08,
21394 -+ 0x42, 0x6e, 0x11, 0x40, 0x9c, 0x09, 0xb9, 0xb0
21395 -+};
21396 -+
21397 -+/* wycheproof - misc */
21398 -+static const u8 enc_input015[] __initconst = { };
21399 -+static const u8 enc_output015[] __initconst = {
21400 -+ 0x90, 0x6f, 0xa6, 0x28, 0x4b, 0x52, 0xf8, 0x7b,
21401 -+ 0x73, 0x59, 0xcb, 0xaa, 0x75, 0x63, 0xc7, 0x09
21402 -+};
21403 -+static const u8 enc_assoc015[] __initconst = {
21404 -+ 0xbd, 0x50, 0x67, 0x64, 0xf2, 0xd2, 0xc4, 0x10
21405 -+};
21406 -+static const u8 enc_nonce015[] __initconst = {
21407 -+ 0xa9, 0x2e, 0xf0, 0xac, 0x99, 0x1d, 0xd5, 0x16,
21408 -+ 0xa3, 0xc6, 0xf6, 0x89
21409 -+};
21410 -+static const u8 enc_key015[] __initconst = {
21411 -+ 0x7a, 0x4c, 0xd7, 0x59, 0x17, 0x2e, 0x02, 0xeb,
21412 -+ 0x20, 0x4d, 0xb2, 0xc3, 0xf5, 0xc7, 0x46, 0x22,
21413 -+ 0x7d, 0xf5, 0x84, 0xfc, 0x13, 0x45, 0x19, 0x63,
21414 -+ 0x91, 0xdb, 0xb9, 0x57, 0x7a, 0x25, 0x07, 0x42
21415 -+};
21416 -+
21417 -+/* wycheproof - misc */
21418 -+static const u8 enc_input016[] __initconst = {
21419 -+ 0x2a
21420 -+};
21421 -+static const u8 enc_output016[] __initconst = {
21422 -+ 0x3a, 0xca, 0xc2, 0x7d, 0xec, 0x09, 0x68, 0x80,
21423 -+ 0x1e, 0x9f, 0x6e, 0xde, 0xd6, 0x9d, 0x80, 0x75,
21424 -+ 0x22
21425 -+};
21426 -+static const u8 enc_assoc016[] __initconst = { };
21427 -+static const u8 enc_nonce016[] __initconst = {
21428 -+ 0x99, 0xe2, 0x3e, 0xc4, 0x89, 0x85, 0xbc, 0xcd,
21429 -+ 0xee, 0xab, 0x60, 0xf1
21430 -+};
21431 -+static const u8 enc_key016[] __initconst = {
21432 -+ 0xcc, 0x56, 0xb6, 0x80, 0x55, 0x2e, 0xb7, 0x50,
21433 -+ 0x08, 0xf5, 0x48, 0x4b, 0x4c, 0xb8, 0x03, 0xfa,
21434 -+ 0x50, 0x63, 0xeb, 0xd6, 0xea, 0xb9, 0x1f, 0x6a,
21435 -+ 0xb6, 0xae, 0xf4, 0x91, 0x6a, 0x76, 0x62, 0x73
21436 -+};
21437 -+
21438 -+/* wycheproof - misc */
21439 -+static const u8 enc_input017[] __initconst = {
21440 -+ 0x51
21441 -+};
21442 -+static const u8 enc_output017[] __initconst = {
21443 -+ 0xc4, 0x16, 0x83, 0x10, 0xca, 0x45, 0xb1, 0xf7,
21444 -+ 0xc6, 0x6c, 0xad, 0x4e, 0x99, 0xe4, 0x3f, 0x72,
21445 -+ 0xb9
21446 -+};
21447 -+static const u8 enc_assoc017[] __initconst = {
21448 -+ 0x91, 0xca, 0x6c, 0x59, 0x2c, 0xbc, 0xca, 0x53
21449 -+};
21450 -+static const u8 enc_nonce017[] __initconst = {
21451 -+ 0xab, 0x0d, 0xca, 0x71, 0x6e, 0xe0, 0x51, 0xd2,
21452 -+ 0x78, 0x2f, 0x44, 0x03
21453 -+};
21454 -+static const u8 enc_key017[] __initconst = {
21455 -+ 0x46, 0xf0, 0x25, 0x49, 0x65, 0xf7, 0x69, 0xd5,
21456 -+ 0x2b, 0xdb, 0x4a, 0x70, 0xb4, 0x43, 0x19, 0x9f,
21457 -+ 0x8e, 0xf2, 0x07, 0x52, 0x0d, 0x12, 0x20, 0xc5,
21458 -+ 0x5e, 0x4b, 0x70, 0xf0, 0xfd, 0xa6, 0x20, 0xee
21459 -+};
21460 -+
21461 -+/* wycheproof - misc */
21462 -+static const u8 enc_input018[] __initconst = {
21463 -+ 0x5c, 0x60
21464 -+};
21465 -+static const u8 enc_output018[] __initconst = {
21466 -+ 0x4d, 0x13, 0x91, 0xe8, 0xb6, 0x1e, 0xfb, 0x39,
21467 -+ 0xc1, 0x22, 0x19, 0x54, 0x53, 0x07, 0x7b, 0x22,
21468 -+ 0xe5, 0xe2
21469 -+};
21470 -+static const u8 enc_assoc018[] __initconst = { };
21471 -+static const u8 enc_nonce018[] __initconst = {
21472 -+ 0x46, 0x1a, 0xf1, 0x22, 0xe9, 0xf2, 0xe0, 0x34,
21473 -+ 0x7e, 0x03, 0xf2, 0xdb
21474 -+};
21475 -+static const u8 enc_key018[] __initconst = {
21476 -+ 0x2f, 0x7f, 0x7e, 0x4f, 0x59, 0x2b, 0xb3, 0x89,
21477 -+ 0x19, 0x49, 0x89, 0x74, 0x35, 0x07, 0xbf, 0x3e,
21478 -+ 0xe9, 0xcb, 0xde, 0x17, 0x86, 0xb6, 0x69, 0x5f,
21479 -+ 0xe6, 0xc0, 0x25, 0xfd, 0x9b, 0xa4, 0xc1, 0x00
21480 -+};
21481 -+
21482 -+/* wycheproof - misc */
21483 -+static const u8 enc_input019[] __initconst = {
21484 -+ 0xdd, 0xf2
21485 -+};
21486 -+static const u8 enc_output019[] __initconst = {
21487 -+ 0xb6, 0x0d, 0xea, 0xd0, 0xfd, 0x46, 0x97, 0xec,
21488 -+ 0x2e, 0x55, 0x58, 0x23, 0x77, 0x19, 0xd0, 0x24,
21489 -+ 0x37, 0xa2
21490 -+};
21491 -+static const u8 enc_assoc019[] __initconst = {
21492 -+ 0x88, 0x36, 0x4f, 0xc8, 0x06, 0x05, 0x18, 0xbf
21493 -+};
21494 -+static const u8 enc_nonce019[] __initconst = {
21495 -+ 0x61, 0x54, 0x6b, 0xa5, 0xf1, 0x72, 0x05, 0x90,
21496 -+ 0xb6, 0x04, 0x0a, 0xc6
21497 -+};
21498 -+static const u8 enc_key019[] __initconst = {
21499 -+ 0xc8, 0x83, 0x3d, 0xce, 0x5e, 0xa9, 0xf2, 0x48,
21500 -+ 0xaa, 0x20, 0x30, 0xea, 0xcf, 0xe7, 0x2b, 0xff,
21501 -+ 0xe6, 0x9a, 0x62, 0x0c, 0xaf, 0x79, 0x33, 0x44,
21502 -+ 0xe5, 0x71, 0x8f, 0xe0, 0xd7, 0xab, 0x1a, 0x58
21503 -+};
21504 -+
21505 -+/* wycheproof - misc */
21506 -+static const u8 enc_input020[] __initconst = {
21507 -+ 0xab, 0x85, 0xe9, 0xc1, 0x57, 0x17, 0x31
21508 -+};
21509 -+static const u8 enc_output020[] __initconst = {
21510 -+ 0x5d, 0xfe, 0x34, 0x40, 0xdb, 0xb3, 0xc3, 0xed,
21511 -+ 0x7a, 0x43, 0x4e, 0x26, 0x02, 0xd3, 0x94, 0x28,
21512 -+ 0x1e, 0x0a, 0xfa, 0x9f, 0xb7, 0xaa, 0x42
21513 -+};
21514 -+static const u8 enc_assoc020[] __initconst = { };
21515 -+static const u8 enc_nonce020[] __initconst = {
21516 -+ 0x3c, 0x4e, 0x65, 0x4d, 0x66, 0x3f, 0xa4, 0x59,
21517 -+ 0x6d, 0xc5, 0x5b, 0xb7
21518 -+};
21519 -+static const u8 enc_key020[] __initconst = {
21520 -+ 0x55, 0x56, 0x81, 0x58, 0xd3, 0xa6, 0x48, 0x3f,
21521 -+ 0x1f, 0x70, 0x21, 0xea, 0xb6, 0x9b, 0x70, 0x3f,
21522 -+ 0x61, 0x42, 0x51, 0xca, 0xdc, 0x1a, 0xf5, 0xd3,
21523 -+ 0x4a, 0x37, 0x4f, 0xdb, 0xfc, 0x5a, 0xda, 0xc7
21524 -+};
21525 -+
21526 -+/* wycheproof - misc */
21527 -+static const u8 enc_input021[] __initconst = {
21528 -+ 0x4e, 0xe5, 0xcd, 0xa2, 0x0d, 0x42, 0x90
21529 -+};
21530 -+static const u8 enc_output021[] __initconst = {
21531 -+ 0x4b, 0xd4, 0x72, 0x12, 0x94, 0x1c, 0xe3, 0x18,
21532 -+ 0x5f, 0x14, 0x08, 0xee, 0x7f, 0xbf, 0x18, 0xf5,
21533 -+ 0xab, 0xad, 0x6e, 0x22, 0x53, 0xa1, 0xba
21534 -+};
21535 -+static const u8 enc_assoc021[] __initconst = {
21536 -+ 0x84, 0xe4, 0x6b, 0xe8, 0xc0, 0x91, 0x90, 0x53
21537 -+};
21538 -+static const u8 enc_nonce021[] __initconst = {
21539 -+ 0x58, 0x38, 0x93, 0x75, 0xc6, 0x9e, 0xe3, 0x98,
21540 -+ 0xde, 0x94, 0x83, 0x96
21541 -+};
21542 -+static const u8 enc_key021[] __initconst = {
21543 -+ 0xe3, 0xc0, 0x9e, 0x7f, 0xab, 0x1a, 0xef, 0xb5,
21544 -+ 0x16, 0xda, 0x6a, 0x33, 0x02, 0x2a, 0x1d, 0xd4,
21545 -+ 0xeb, 0x27, 0x2c, 0x80, 0xd5, 0x40, 0xc5, 0xda,
21546 -+ 0x52, 0xa7, 0x30, 0xf3, 0x4d, 0x84, 0x0d, 0x7f
21547 -+};
21548 -+
21549 -+/* wycheproof - misc */
21550 -+static const u8 enc_input022[] __initconst = {
21551 -+ 0xbe, 0x33, 0x08, 0xf7, 0x2a, 0x2c, 0x6a, 0xed
21552 -+};
21553 -+static const u8 enc_output022[] __initconst = {
21554 -+ 0x8e, 0x94, 0x39, 0xa5, 0x6e, 0xee, 0xc8, 0x17,
21555 -+ 0xfb, 0xe8, 0xa6, 0xed, 0x8f, 0xab, 0xb1, 0x93,
21556 -+ 0x75, 0x39, 0xdd, 0x6c, 0x00, 0xe9, 0x00, 0x21
21557 -+};
21558 -+static const u8 enc_assoc022[] __initconst = { };
21559 -+static const u8 enc_nonce022[] __initconst = {
21560 -+ 0x4f, 0x07, 0xaf, 0xed, 0xfd, 0xc3, 0xb6, 0xc2,
21561 -+ 0x36, 0x18, 0x23, 0xd3
21562 -+};
21563 -+static const u8 enc_key022[] __initconst = {
21564 -+ 0x51, 0xe4, 0xbf, 0x2b, 0xad, 0x92, 0xb7, 0xaf,
21565 -+ 0xf1, 0xa4, 0xbc, 0x05, 0x55, 0x0b, 0xa8, 0x1d,
21566 -+ 0xf4, 0xb9, 0x6f, 0xab, 0xf4, 0x1c, 0x12, 0xc7,
21567 -+ 0xb0, 0x0e, 0x60, 0xe4, 0x8d, 0xb7, 0xe1, 0x52
21568 -+};
21569 -+
21570 -+/* wycheproof - misc */
21571 -+static const u8 enc_input023[] __initconst = {
21572 -+ 0xa4, 0xc9, 0xc2, 0x80, 0x1b, 0x71, 0xf7, 0xdf
21573 -+};
21574 -+static const u8 enc_output023[] __initconst = {
21575 -+ 0xb9, 0xb9, 0x10, 0x43, 0x3a, 0xf0, 0x52, 0xb0,
21576 -+ 0x45, 0x30, 0xf5, 0x1a, 0xee, 0xe0, 0x24, 0xe0,
21577 -+ 0xa4, 0x45, 0xa6, 0x32, 0x8f, 0xa6, 0x7a, 0x18
21578 -+};
21579 -+static const u8 enc_assoc023[] __initconst = {
21580 -+ 0x66, 0xc0, 0xae, 0x70, 0x07, 0x6c, 0xb1, 0x4d
21581 -+};
21582 -+static const u8 enc_nonce023[] __initconst = {
21583 -+ 0xb4, 0xea, 0x66, 0x6e, 0xe1, 0x19, 0x56, 0x33,
21584 -+ 0x66, 0x48, 0x4a, 0x78
21585 -+};
21586 -+static const u8 enc_key023[] __initconst = {
21587 -+ 0x11, 0x31, 0xc1, 0x41, 0x85, 0x77, 0xa0, 0x54,
21588 -+ 0xde, 0x7a, 0x4a, 0xc5, 0x51, 0x95, 0x0f, 0x1a,
21589 -+ 0x05, 0x3f, 0x9a, 0xe4, 0x6e, 0x5b, 0x75, 0xfe,
21590 -+ 0x4a, 0xbd, 0x56, 0x08, 0xd7, 0xcd, 0xda, 0xdd
21591 -+};
21592 -+
21593 -+/* wycheproof - misc */
21594 -+static const u8 enc_input024[] __initconst = {
21595 -+ 0x42, 0xba, 0xae, 0x59, 0x78, 0xfe, 0xaf, 0x5c,
21596 -+ 0x36, 0x8d, 0x14, 0xe0
21597 -+};
21598 -+static const u8 enc_output024[] __initconst = {
21599 -+ 0xff, 0x7d, 0xc2, 0x03, 0xb2, 0x6c, 0x46, 0x7a,
21600 -+ 0x6b, 0x50, 0xdb, 0x33, 0x57, 0x8c, 0x0f, 0x27,
21601 -+ 0x58, 0xc2, 0xe1, 0x4e, 0x36, 0xd4, 0xfc, 0x10,
21602 -+ 0x6d, 0xcb, 0x29, 0xb4
21603 -+};
21604 -+static const u8 enc_assoc024[] __initconst = { };
21605 -+static const u8 enc_nonce024[] __initconst = {
21606 -+ 0x9a, 0x59, 0xfc, 0xe2, 0x6d, 0xf0, 0x00, 0x5e,
21607 -+ 0x07, 0x53, 0x86, 0x56
21608 -+};
21609 -+static const u8 enc_key024[] __initconst = {
21610 -+ 0x99, 0xb6, 0x2b, 0xd5, 0xaf, 0xbe, 0x3f, 0xb0,
21611 -+ 0x15, 0xbd, 0xe9, 0x3f, 0x0a, 0xbf, 0x48, 0x39,
21612 -+ 0x57, 0xa1, 0xc3, 0xeb, 0x3c, 0xa5, 0x9c, 0xb5,
21613 -+ 0x0b, 0x39, 0xf7, 0xf8, 0xa9, 0xcc, 0x51, 0xbe
21614 -+};
21615 -+
21616 -+/* wycheproof - misc */
21617 -+static const u8 enc_input025[] __initconst = {
21618 -+ 0xfd, 0xc8, 0x5b, 0x94, 0xa4, 0xb2, 0xa6, 0xb7,
21619 -+ 0x59, 0xb1, 0xa0, 0xda
21620 -+};
21621 -+static const u8 enc_output025[] __initconst = {
21622 -+ 0x9f, 0x88, 0x16, 0xde, 0x09, 0x94, 0xe9, 0x38,
21623 -+ 0xd9, 0xe5, 0x3f, 0x95, 0xd0, 0x86, 0xfc, 0x6c,
21624 -+ 0x9d, 0x8f, 0xa9, 0x15, 0xfd, 0x84, 0x23, 0xa7,
21625 -+ 0xcf, 0x05, 0x07, 0x2f
21626 -+};
21627 -+static const u8 enc_assoc025[] __initconst = {
21628 -+ 0xa5, 0x06, 0xe1, 0xa5, 0xc6, 0x90, 0x93, 0xf9
21629 -+};
21630 -+static const u8 enc_nonce025[] __initconst = {
21631 -+ 0x58, 0xdb, 0xd4, 0xad, 0x2c, 0x4a, 0xd3, 0x5d,
21632 -+ 0xd9, 0x06, 0xe9, 0xce
21633 -+};
21634 -+static const u8 enc_key025[] __initconst = {
21635 -+ 0x85, 0xf3, 0x5b, 0x62, 0x82, 0xcf, 0xf4, 0x40,
21636 -+ 0xbc, 0x10, 0x20, 0xc8, 0x13, 0x6f, 0xf2, 0x70,
21637 -+ 0x31, 0x11, 0x0f, 0xa6, 0x3e, 0xc1, 0x6f, 0x1e,
21638 -+ 0x82, 0x51, 0x18, 0xb0, 0x06, 0xb9, 0x12, 0x57
21639 -+};
21640 -+
21641 -+/* wycheproof - misc */
21642 -+static const u8 enc_input026[] __initconst = {
21643 -+ 0x51, 0xf8, 0xc1, 0xf7, 0x31, 0xea, 0x14, 0xac,
21644 -+ 0xdb, 0x21, 0x0a, 0x6d, 0x97, 0x3e, 0x07
21645 -+};
21646 -+static const u8 enc_output026[] __initconst = {
21647 -+ 0x0b, 0x29, 0x63, 0x8e, 0x1f, 0xbd, 0xd6, 0xdf,
21648 -+ 0x53, 0x97, 0x0b, 0xe2, 0x21, 0x00, 0x42, 0x2a,
21649 -+ 0x91, 0x34, 0x08, 0x7d, 0x67, 0xa4, 0x6e, 0x79,
21650 -+ 0x17, 0x8d, 0x0a, 0x93, 0xf5, 0xe1, 0xd2
21651 -+};
21652 -+static const u8 enc_assoc026[] __initconst = { };
21653 -+static const u8 enc_nonce026[] __initconst = {
21654 -+ 0x68, 0xab, 0x7f, 0xdb, 0xf6, 0x19, 0x01, 0xda,
21655 -+ 0xd4, 0x61, 0xd2, 0x3c
21656 -+};
21657 -+static const u8 enc_key026[] __initconst = {
21658 -+ 0x67, 0x11, 0x96, 0x27, 0xbd, 0x98, 0x8e, 0xda,
21659 -+ 0x90, 0x62, 0x19, 0xe0, 0x8c, 0x0d, 0x0d, 0x77,
21660 -+ 0x9a, 0x07, 0xd2, 0x08, 0xce, 0x8a, 0x4f, 0xe0,
21661 -+ 0x70, 0x9a, 0xf7, 0x55, 0xee, 0xec, 0x6d, 0xcb
21662 -+};
21663 -+
21664 -+/* wycheproof - misc */
21665 -+static const u8 enc_input027[] __initconst = {
21666 -+ 0x97, 0x46, 0x9d, 0xa6, 0x67, 0xd6, 0x11, 0x0f,
21667 -+ 0x9c, 0xbd, 0xa1, 0xd1, 0xa2, 0x06, 0x73
21668 -+};
21669 -+static const u8 enc_output027[] __initconst = {
21670 -+ 0x32, 0xdb, 0x66, 0xc4, 0xa3, 0x81, 0x9d, 0x81,
21671 -+ 0x55, 0x74, 0x55, 0xe5, 0x98, 0x0f, 0xed, 0xfe,
21672 -+ 0xae, 0x30, 0xde, 0xc9, 0x4e, 0x6a, 0xd3, 0xa9,
21673 -+ 0xee, 0xa0, 0x6a, 0x0d, 0x70, 0x39, 0x17
21674 -+};
21675 -+static const u8 enc_assoc027[] __initconst = {
21676 -+ 0x64, 0x53, 0xa5, 0x33, 0x84, 0x63, 0x22, 0x12
21677 -+};
21678 -+static const u8 enc_nonce027[] __initconst = {
21679 -+ 0xd9, 0x5b, 0x32, 0x43, 0xaf, 0xae, 0xf7, 0x14,
21680 -+ 0xc5, 0x03, 0x5b, 0x6a
21681 -+};
21682 -+static const u8 enc_key027[] __initconst = {
21683 -+ 0xe6, 0xf1, 0x11, 0x8d, 0x41, 0xe4, 0xb4, 0x3f,
21684 -+ 0xb5, 0x82, 0x21, 0xb7, 0xed, 0x79, 0x67, 0x38,
21685 -+ 0x34, 0xe0, 0xd8, 0xac, 0x5c, 0x4f, 0xa6, 0x0b,
21686 -+ 0xbc, 0x8b, 0xc4, 0x89, 0x3a, 0x58, 0x89, 0x4d
21687 -+};
21688 -+
21689 -+/* wycheproof - misc */
21690 -+static const u8 enc_input028[] __initconst = {
21691 -+ 0x54, 0x9b, 0x36, 0x5a, 0xf9, 0x13, 0xf3, 0xb0,
21692 -+ 0x81, 0x13, 0x1c, 0xcb, 0x6b, 0x82, 0x55, 0x88
21693 -+};
21694 -+static const u8 enc_output028[] __initconst = {
21695 -+ 0xe9, 0x11, 0x0e, 0x9f, 0x56, 0xab, 0x3c, 0xa4,
21696 -+ 0x83, 0x50, 0x0c, 0xea, 0xba, 0xb6, 0x7a, 0x13,
21697 -+ 0x83, 0x6c, 0xca, 0xbf, 0x15, 0xa6, 0xa2, 0x2a,
21698 -+ 0x51, 0xc1, 0x07, 0x1c, 0xfa, 0x68, 0xfa, 0x0c
21699 -+};
21700 -+static const u8 enc_assoc028[] __initconst = { };
21701 -+static const u8 enc_nonce028[] __initconst = {
21702 -+ 0x2f, 0xcb, 0x1b, 0x38, 0xa9, 0x9e, 0x71, 0xb8,
21703 -+ 0x47, 0x40, 0xad, 0x9b
21704 -+};
21705 -+static const u8 enc_key028[] __initconst = {
21706 -+ 0x59, 0xd4, 0xea, 0xfb, 0x4d, 0xe0, 0xcf, 0xc7,
21707 -+ 0xd3, 0xdb, 0x99, 0xa8, 0xf5, 0x4b, 0x15, 0xd7,
21708 -+ 0xb3, 0x9f, 0x0a, 0xcc, 0x8d, 0xa6, 0x97, 0x63,
21709 -+ 0xb0, 0x19, 0xc1, 0x69, 0x9f, 0x87, 0x67, 0x4a
21710 -+};
21711 -+
21712 -+/* wycheproof - misc */
21713 -+static const u8 enc_input029[] __initconst = {
21714 -+ 0x55, 0xa4, 0x65, 0x64, 0x4f, 0x5b, 0x65, 0x09,
21715 -+ 0x28, 0xcb, 0xee, 0x7c, 0x06, 0x32, 0x14, 0xd6
21716 -+};
21717 -+static const u8 enc_output029[] __initconst = {
21718 -+ 0xe4, 0xb1, 0x13, 0xcb, 0x77, 0x59, 0x45, 0xf3,
21719 -+ 0xd3, 0xa8, 0xae, 0x9e, 0xc1, 0x41, 0xc0, 0x0c,
21720 -+ 0x7c, 0x43, 0xf1, 0x6c, 0xe0, 0x96, 0xd0, 0xdc,
21721 -+ 0x27, 0xc9, 0x58, 0x49, 0xdc, 0x38, 0x3b, 0x7d
21722 -+};
21723 -+static const u8 enc_assoc029[] __initconst = {
21724 -+ 0x03, 0x45, 0x85, 0x62, 0x1a, 0xf8, 0xd7, 0xff
21725 -+};
21726 -+static const u8 enc_nonce029[] __initconst = {
21727 -+ 0x11, 0x8a, 0x69, 0x64, 0xc2, 0xd3, 0xe3, 0x80,
21728 -+ 0x07, 0x1f, 0x52, 0x66
21729 -+};
21730 -+static const u8 enc_key029[] __initconst = {
21731 -+ 0xb9, 0x07, 0xa4, 0x50, 0x75, 0x51, 0x3f, 0xe8,
21732 -+ 0xa8, 0x01, 0x9e, 0xde, 0xe3, 0xf2, 0x59, 0x14,
21733 -+ 0x87, 0xb2, 0xa0, 0x30, 0xb0, 0x3c, 0x6e, 0x1d,
21734 -+ 0x77, 0x1c, 0x86, 0x25, 0x71, 0xd2, 0xea, 0x1e
21735 -+};
21736 -+
21737 -+/* wycheproof - misc */
21738 -+static const u8 enc_input030[] __initconst = {
21739 -+ 0x3f, 0xf1, 0x51, 0x4b, 0x1c, 0x50, 0x39, 0x15,
21740 -+ 0x91, 0x8f, 0x0c, 0x0c, 0x31, 0x09, 0x4a, 0x6e,
21741 -+ 0x1f
21742 -+};
21743 -+static const u8 enc_output030[] __initconst = {
21744 -+ 0x02, 0xcc, 0x3a, 0xcb, 0x5e, 0xe1, 0xfc, 0xdd,
21745 -+ 0x12, 0xa0, 0x3b, 0xb8, 0x57, 0x97, 0x64, 0x74,
21746 -+ 0xd3, 0xd8, 0x3b, 0x74, 0x63, 0xa2, 0xc3, 0x80,
21747 -+ 0x0f, 0xe9, 0x58, 0xc2, 0x8e, 0xaa, 0x29, 0x08,
21748 -+ 0x13
21749 -+};
21750 -+static const u8 enc_assoc030[] __initconst = { };
21751 -+static const u8 enc_nonce030[] __initconst = {
21752 -+ 0x45, 0xaa, 0xa3, 0xe5, 0xd1, 0x6d, 0x2d, 0x42,
21753 -+ 0xdc, 0x03, 0x44, 0x5d
21754 -+};
21755 -+static const u8 enc_key030[] __initconst = {
21756 -+ 0x3b, 0x24, 0x58, 0xd8, 0x17, 0x6e, 0x16, 0x21,
21757 -+ 0xc0, 0xcc, 0x24, 0xc0, 0xc0, 0xe2, 0x4c, 0x1e,
21758 -+ 0x80, 0xd7, 0x2f, 0x7e, 0xe9, 0x14, 0x9a, 0x4b,
21759 -+ 0x16, 0x61, 0x76, 0x62, 0x96, 0x16, 0xd0, 0x11
21760 -+};
21761 -+
21762 -+/* wycheproof - misc */
21763 -+static const u8 enc_input031[] __initconst = {
21764 -+ 0x63, 0x85, 0x8c, 0xa3, 0xe2, 0xce, 0x69, 0x88,
21765 -+ 0x7b, 0x57, 0x8a, 0x3c, 0x16, 0x7b, 0x42, 0x1c,
21766 -+ 0x9c
21767 -+};
21768 -+static const u8 enc_output031[] __initconst = {
21769 -+ 0x35, 0x76, 0x64, 0x88, 0xd2, 0xbc, 0x7c, 0x2b,
21770 -+ 0x8d, 0x17, 0xcb, 0xbb, 0x9a, 0xbf, 0xad, 0x9e,
21771 -+ 0x6d, 0x1f, 0x39, 0x1e, 0x65, 0x7b, 0x27, 0x38,
21772 -+ 0xdd, 0xa0, 0x84, 0x48, 0xcb, 0xa2, 0x81, 0x1c,
21773 -+ 0xeb
21774 -+};
21775 -+static const u8 enc_assoc031[] __initconst = {
21776 -+ 0x9a, 0xaf, 0x29, 0x9e, 0xee, 0xa7, 0x8f, 0x79
21777 -+};
21778 -+static const u8 enc_nonce031[] __initconst = {
21779 -+ 0xf0, 0x38, 0x4f, 0xb8, 0x76, 0x12, 0x14, 0x10,
21780 -+ 0x63, 0x3d, 0x99, 0x3d
21781 -+};
21782 -+static const u8 enc_key031[] __initconst = {
21783 -+ 0xf6, 0x0c, 0x6a, 0x1b, 0x62, 0x57, 0x25, 0xf7,
21784 -+ 0x6c, 0x70, 0x37, 0xb4, 0x8f, 0xe3, 0x57, 0x7f,
21785 -+ 0xa7, 0xf7, 0xb8, 0x7b, 0x1b, 0xd5, 0xa9, 0x82,
21786 -+ 0x17, 0x6d, 0x18, 0x23, 0x06, 0xff, 0xb8, 0x70
21787 -+};
21788 -+
21789 -+/* wycheproof - misc */
21790 -+static const u8 enc_input032[] __initconst = {
21791 -+ 0x10, 0xf1, 0xec, 0xf9, 0xc6, 0x05, 0x84, 0x66,
21792 -+ 0x5d, 0x9a, 0xe5, 0xef, 0xe2, 0x79, 0xe7, 0xf7,
21793 -+ 0x37, 0x7e, 0xea, 0x69, 0x16, 0xd2, 0xb1, 0x11
21794 -+};
21795 -+static const u8 enc_output032[] __initconst = {
21796 -+ 0x42, 0xf2, 0x6c, 0x56, 0xcb, 0x4b, 0xe2, 0x1d,
21797 -+ 0x9d, 0x8d, 0x0c, 0x80, 0xfc, 0x99, 0xdd, 0xe0,
21798 -+ 0x0d, 0x75, 0xf3, 0x80, 0x74, 0xbf, 0xe7, 0x64,
21799 -+ 0x54, 0xaa, 0x7e, 0x13, 0xd4, 0x8f, 0xff, 0x7d,
21800 -+ 0x75, 0x57, 0x03, 0x94, 0x57, 0x04, 0x0a, 0x3a
21801 -+};
21802 -+static const u8 enc_assoc032[] __initconst = { };
21803 -+static const u8 enc_nonce032[] __initconst = {
21804 -+ 0xe6, 0xb1, 0xad, 0xf2, 0xfd, 0x58, 0xa8, 0x76,
21805 -+ 0x2c, 0x65, 0xf3, 0x1b
21806 -+};
21807 -+static const u8 enc_key032[] __initconst = {
21808 -+ 0x02, 0x12, 0xa8, 0xde, 0x50, 0x07, 0xed, 0x87,
21809 -+ 0xb3, 0x3f, 0x1a, 0x70, 0x90, 0xb6, 0x11, 0x4f,
21810 -+ 0x9e, 0x08, 0xce, 0xfd, 0x96, 0x07, 0xf2, 0xc2,
21811 -+ 0x76, 0xbd, 0xcf, 0xdb, 0xc5, 0xce, 0x9c, 0xd7
21812 -+};
21813 -+
21814 -+/* wycheproof - misc */
21815 -+static const u8 enc_input033[] __initconst = {
21816 -+ 0x92, 0x22, 0xf9, 0x01, 0x8e, 0x54, 0xfd, 0x6d,
21817 -+ 0xe1, 0x20, 0x08, 0x06, 0xa9, 0xee, 0x8e, 0x4c,
21818 -+ 0xc9, 0x04, 0xd2, 0x9f, 0x25, 0xcb, 0xa1, 0x93
21819 -+};
21820 -+static const u8 enc_output033[] __initconst = {
21821 -+ 0x12, 0x30, 0x32, 0x43, 0x7b, 0x4b, 0xfd, 0x69,
21822 -+ 0x20, 0xe8, 0xf7, 0xe7, 0xe0, 0x08, 0x7a, 0xe4,
21823 -+ 0x88, 0x9e, 0xbe, 0x7a, 0x0a, 0xd0, 0xe9, 0x00,
21824 -+ 0x3c, 0xf6, 0x8f, 0x17, 0x95, 0x50, 0xda, 0x63,
21825 -+ 0xd3, 0xb9, 0x6c, 0x2d, 0x55, 0x41, 0x18, 0x65
21826 -+};
21827 -+static const u8 enc_assoc033[] __initconst = {
21828 -+ 0x3e, 0x8b, 0xc5, 0xad, 0xe1, 0x82, 0xff, 0x08
21829 -+};
21830 -+static const u8 enc_nonce033[] __initconst = {
21831 -+ 0x6b, 0x28, 0x2e, 0xbe, 0xcc, 0x54, 0x1b, 0xcd,
21832 -+ 0x78, 0x34, 0xed, 0x55
21833 -+};
21834 -+static const u8 enc_key033[] __initconst = {
21835 -+ 0xc5, 0xbc, 0x09, 0x56, 0x56, 0x46, 0xe7, 0xed,
21836 -+ 0xda, 0x95, 0x4f, 0x1f, 0x73, 0x92, 0x23, 0xda,
21837 -+ 0xda, 0x20, 0xb9, 0x5c, 0x44, 0xab, 0x03, 0x3d,
21838 -+ 0x0f, 0xae, 0x4b, 0x02, 0x83, 0xd1, 0x8b, 0xe3
21839 -+};
21840 -+
21841 -+/* wycheproof - misc */
21842 -+static const u8 enc_input034[] __initconst = {
21843 -+ 0xb0, 0x53, 0x99, 0x92, 0x86, 0xa2, 0x82, 0x4f,
21844 -+ 0x42, 0xcc, 0x8c, 0x20, 0x3a, 0xb2, 0x4e, 0x2c,
21845 -+ 0x97, 0xa6, 0x85, 0xad, 0xcc, 0x2a, 0xd3, 0x26,
21846 -+ 0x62, 0x55, 0x8e, 0x55, 0xa5, 0xc7, 0x29
21847 -+};
21848 -+static const u8 enc_output034[] __initconst = {
21849 -+ 0x45, 0xc7, 0xd6, 0xb5, 0x3a, 0xca, 0xd4, 0xab,
21850 -+ 0xb6, 0x88, 0x76, 0xa6, 0xe9, 0x6a, 0x48, 0xfb,
21851 -+ 0x59, 0x52, 0x4d, 0x2c, 0x92, 0xc9, 0xd8, 0xa1,
21852 -+ 0x89, 0xc9, 0xfd, 0x2d, 0xb9, 0x17, 0x46, 0x56,
21853 -+ 0x6d, 0x3c, 0xa1, 0x0e, 0x31, 0x1b, 0x69, 0x5f,
21854 -+ 0x3e, 0xae, 0x15, 0x51, 0x65, 0x24, 0x93
21855 -+};
21856 -+static const u8 enc_assoc034[] __initconst = { };
21857 -+static const u8 enc_nonce034[] __initconst = {
21858 -+ 0x04, 0xa9, 0xbe, 0x03, 0x50, 0x8a, 0x5f, 0x31,
21859 -+ 0x37, 0x1a, 0x6f, 0xd2
21860 -+};
21861 -+static const u8 enc_key034[] __initconst = {
21862 -+ 0x2e, 0xb5, 0x1c, 0x46, 0x9a, 0xa8, 0xeb, 0x9e,
21863 -+ 0x6c, 0x54, 0xa8, 0x34, 0x9b, 0xae, 0x50, 0xa2,
21864 -+ 0x0f, 0x0e, 0x38, 0x27, 0x11, 0xbb, 0xa1, 0x15,
21865 -+ 0x2c, 0x42, 0x4f, 0x03, 0xb6, 0x67, 0x1d, 0x71
21866 -+};
21867 -+
21868 -+/* wycheproof - misc */
21869 -+static const u8 enc_input035[] __initconst = {
21870 -+ 0xf4, 0x52, 0x06, 0xab, 0xc2, 0x55, 0x52, 0xb2,
21871 -+ 0xab, 0xc9, 0xab, 0x7f, 0xa2, 0x43, 0x03, 0x5f,
21872 -+ 0xed, 0xaa, 0xdd, 0xc3, 0xb2, 0x29, 0x39, 0x56,
21873 -+ 0xf1, 0xea, 0x6e, 0x71, 0x56, 0xe7, 0xeb
21874 -+};
21875 -+static const u8 enc_output035[] __initconst = {
21876 -+ 0x46, 0xa8, 0x0c, 0x41, 0x87, 0x02, 0x47, 0x20,
21877 -+ 0x08, 0x46, 0x27, 0x58, 0x00, 0x80, 0xdd, 0xe5,
21878 -+ 0xa3, 0xf4, 0xa1, 0x10, 0x93, 0xa7, 0x07, 0x6e,
21879 -+ 0xd6, 0xf3, 0xd3, 0x26, 0xbc, 0x7b, 0x70, 0x53,
21880 -+ 0x4d, 0x4a, 0xa2, 0x83, 0x5a, 0x52, 0xe7, 0x2d,
21881 -+ 0x14, 0xdf, 0x0e, 0x4f, 0x47, 0xf2, 0x5f
21882 -+};
21883 -+static const u8 enc_assoc035[] __initconst = {
21884 -+ 0x37, 0x46, 0x18, 0xa0, 0x6e, 0xa9, 0x8a, 0x48
21885 -+};
21886 -+static const u8 enc_nonce035[] __initconst = {
21887 -+ 0x47, 0x0a, 0x33, 0x9e, 0xcb, 0x32, 0x19, 0xb8,
21888 -+ 0xb8, 0x1a, 0x1f, 0x8b
21889 -+};
21890 -+static const u8 enc_key035[] __initconst = {
21891 -+ 0x7f, 0x5b, 0x74, 0xc0, 0x7e, 0xd1, 0xb4, 0x0f,
21892 -+ 0xd1, 0x43, 0x58, 0xfe, 0x2f, 0xf2, 0xa7, 0x40,
21893 -+ 0xc1, 0x16, 0xc7, 0x70, 0x65, 0x10, 0xe6, 0xa4,
21894 -+ 0x37, 0xf1, 0x9e, 0xa4, 0x99, 0x11, 0xce, 0xc4
21895 -+};
21896 -+
21897 -+/* wycheproof - misc */
21898 -+static const u8 enc_input036[] __initconst = {
21899 -+ 0xb9, 0xc5, 0x54, 0xcb, 0xc3, 0x6a, 0xc1, 0x8a,
21900 -+ 0xe8, 0x97, 0xdf, 0x7b, 0xee, 0xca, 0xc1, 0xdb,
21901 -+ 0xeb, 0x4e, 0xaf, 0xa1, 0x56, 0xbb, 0x60, 0xce,
21902 -+ 0x2e, 0x5d, 0x48, 0xf0, 0x57, 0x15, 0xe6, 0x78
21903 -+};
21904 -+static const u8 enc_output036[] __initconst = {
21905 -+ 0xea, 0x29, 0xaf, 0xa4, 0x9d, 0x36, 0xe8, 0x76,
21906 -+ 0x0f, 0x5f, 0xe1, 0x97, 0x23, 0xb9, 0x81, 0x1e,
21907 -+ 0xd5, 0xd5, 0x19, 0x93, 0x4a, 0x44, 0x0f, 0x50,
21908 -+ 0x81, 0xac, 0x43, 0x0b, 0x95, 0x3b, 0x0e, 0x21,
21909 -+ 0x22, 0x25, 0x41, 0xaf, 0x46, 0xb8, 0x65, 0x33,
21910 -+ 0xc6, 0xb6, 0x8d, 0x2f, 0xf1, 0x08, 0xa7, 0xea
21911 -+};
21912 -+static const u8 enc_assoc036[] __initconst = { };
21913 -+static const u8 enc_nonce036[] __initconst = {
21914 -+ 0x72, 0xcf, 0xd9, 0x0e, 0xf3, 0x02, 0x6c, 0xa2,
21915 -+ 0x2b, 0x7e, 0x6e, 0x6a
21916 -+};
21917 -+static const u8 enc_key036[] __initconst = {
21918 -+ 0xe1, 0x73, 0x1d, 0x58, 0x54, 0xe1, 0xb7, 0x0c,
21919 -+ 0xb3, 0xff, 0xe8, 0xb7, 0x86, 0xa2, 0xb3, 0xeb,
21920 -+ 0xf0, 0x99, 0x43, 0x70, 0x95, 0x47, 0x57, 0xb9,
21921 -+ 0xdc, 0x8c, 0x7b, 0xc5, 0x35, 0x46, 0x34, 0xa3
21922 -+};
21923 -+
21924 -+/* wycheproof - misc */
21925 -+static const u8 enc_input037[] __initconst = {
21926 -+ 0x6b, 0x26, 0x04, 0x99, 0x6c, 0xd3, 0x0c, 0x14,
21927 -+ 0xa1, 0x3a, 0x52, 0x57, 0xed, 0x6c, 0xff, 0xd3,
21928 -+ 0xbc, 0x5e, 0x29, 0xd6, 0xb9, 0x7e, 0xb1, 0x79,
21929 -+ 0x9e, 0xb3, 0x35, 0xe2, 0x81, 0xea, 0x45, 0x1e
21930 -+};
21931 -+static const u8 enc_output037[] __initconst = {
21932 -+ 0x6d, 0xad, 0x63, 0x78, 0x97, 0x54, 0x4d, 0x8b,
21933 -+ 0xf6, 0xbe, 0x95, 0x07, 0xed, 0x4d, 0x1b, 0xb2,
21934 -+ 0xe9, 0x54, 0xbc, 0x42, 0x7e, 0x5d, 0xe7, 0x29,
21935 -+ 0xda, 0xf5, 0x07, 0x62, 0x84, 0x6f, 0xf2, 0xf4,
21936 -+ 0x7b, 0x99, 0x7d, 0x93, 0xc9, 0x82, 0x18, 0x9d,
21937 -+ 0x70, 0x95, 0xdc, 0x79, 0x4c, 0x74, 0x62, 0x32
21938 -+};
21939 -+static const u8 enc_assoc037[] __initconst = {
21940 -+ 0x23, 0x33, 0xe5, 0xce, 0x0f, 0x93, 0xb0, 0x59
21941 -+};
21942 -+static const u8 enc_nonce037[] __initconst = {
21943 -+ 0x26, 0x28, 0x80, 0xd4, 0x75, 0xf3, 0xda, 0xc5,
21944 -+ 0x34, 0x0d, 0xd1, 0xb8
21945 -+};
21946 -+static const u8 enc_key037[] __initconst = {
21947 -+ 0x27, 0xd8, 0x60, 0x63, 0x1b, 0x04, 0x85, 0xa4,
21948 -+ 0x10, 0x70, 0x2f, 0xea, 0x61, 0xbc, 0x87, 0x3f,
21949 -+ 0x34, 0x42, 0x26, 0x0c, 0xad, 0xed, 0x4a, 0xbd,
21950 -+ 0xe2, 0x5b, 0x78, 0x6a, 0x2d, 0x97, 0xf1, 0x45
21951 -+};
21952 -+
21953 -+/* wycheproof - misc */
21954 -+static const u8 enc_input038[] __initconst = {
21955 -+ 0x97, 0x3d, 0x0c, 0x75, 0x38, 0x26, 0xba, 0xe4,
21956 -+ 0x66, 0xcf, 0x9a, 0xbb, 0x34, 0x93, 0x15, 0x2e,
21957 -+ 0x9d, 0xe7, 0x81, 0x9e, 0x2b, 0xd0, 0xc7, 0x11,
21958 -+ 0x71, 0x34, 0x6b, 0x4d, 0x2c, 0xeb, 0xf8, 0x04,
21959 -+ 0x1a, 0xa3, 0xce, 0xdc, 0x0d, 0xfd, 0x7b, 0x46,
21960 -+ 0x7e, 0x26, 0x22, 0x8b, 0xc8, 0x6c, 0x9a
21961 -+};
21962 -+static const u8 enc_output038[] __initconst = {
21963 -+ 0xfb, 0xa7, 0x8a, 0xe4, 0xf9, 0xd8, 0x08, 0xa6,
21964 -+ 0x2e, 0x3d, 0xa4, 0x0b, 0xe2, 0xcb, 0x77, 0x00,
21965 -+ 0xc3, 0x61, 0x3d, 0x9e, 0xb2, 0xc5, 0x29, 0xc6,
21966 -+ 0x52, 0xe7, 0x6a, 0x43, 0x2c, 0x65, 0x8d, 0x27,
21967 -+ 0x09, 0x5f, 0x0e, 0xb8, 0xf9, 0x40, 0xc3, 0x24,
21968 -+ 0x98, 0x1e, 0xa9, 0x35, 0xe5, 0x07, 0xf9, 0x8f,
21969 -+ 0x04, 0x69, 0x56, 0xdb, 0x3a, 0x51, 0x29, 0x08,
21970 -+ 0xbd, 0x7a, 0xfc, 0x8f, 0x2a, 0xb0, 0xa9
21971 -+};
21972 -+static const u8 enc_assoc038[] __initconst = { };
21973 -+static const u8 enc_nonce038[] __initconst = {
21974 -+ 0xe7, 0x4a, 0x51, 0x5e, 0x7e, 0x21, 0x02, 0xb9,
21975 -+ 0x0b, 0xef, 0x55, 0xd2
21976 -+};
21977 -+static const u8 enc_key038[] __initconst = {
21978 -+ 0xcf, 0x0d, 0x40, 0xa4, 0x64, 0x4e, 0x5f, 0x51,
21979 -+ 0x81, 0x51, 0x65, 0xd5, 0x30, 0x1b, 0x22, 0x63,
21980 -+ 0x1f, 0x45, 0x44, 0xc4, 0x9a, 0x18, 0x78, 0xe3,
21981 -+ 0xa0, 0xa5, 0xe8, 0xe1, 0xaa, 0xe0, 0xf2, 0x64
21982 -+};
21983 -+
21984 -+/* wycheproof - misc */
21985 -+static const u8 enc_input039[] __initconst = {
21986 -+ 0xa9, 0x89, 0x95, 0x50, 0x4d, 0xf1, 0x6f, 0x74,
21987 -+ 0x8b, 0xfb, 0x77, 0x85, 0xff, 0x91, 0xee, 0xb3,
21988 -+ 0xb6, 0x60, 0xea, 0x9e, 0xd3, 0x45, 0x0c, 0x3d,
21989 -+ 0x5e, 0x7b, 0x0e, 0x79, 0xef, 0x65, 0x36, 0x59,
21990 -+ 0xa9, 0x97, 0x8d, 0x75, 0x54, 0x2e, 0xf9, 0x1c,
21991 -+ 0x45, 0x67, 0x62, 0x21, 0x56, 0x40, 0xb9
21992 -+};
21993 -+static const u8 enc_output039[] __initconst = {
21994 -+ 0xa1, 0xff, 0xed, 0x80, 0x76, 0x18, 0x29, 0xec,
21995 -+ 0xce, 0x24, 0x2e, 0x0e, 0x88, 0xb1, 0x38, 0x04,
21996 -+ 0x90, 0x16, 0xbc, 0xa0, 0x18, 0xda, 0x2b, 0x6e,
21997 -+ 0x19, 0x98, 0x6b, 0x3e, 0x31, 0x8c, 0xae, 0x8d,
21998 -+ 0x80, 0x61, 0x98, 0xfb, 0x4c, 0x52, 0x7c, 0xc3,
21999 -+ 0x93, 0x50, 0xeb, 0xdd, 0xea, 0xc5, 0x73, 0xc4,
22000 -+ 0xcb, 0xf0, 0xbe, 0xfd, 0xa0, 0xb7, 0x02, 0x42,
22001 -+ 0xc6, 0x40, 0xd7, 0xcd, 0x02, 0xd7, 0xa3
22002 -+};
22003 -+static const u8 enc_assoc039[] __initconst = {
22004 -+ 0xb3, 0xe4, 0x06, 0x46, 0x83, 0xb0, 0x2d, 0x84
22005 -+};
22006 -+static const u8 enc_nonce039[] __initconst = {
22007 -+ 0xd4, 0xd8, 0x07, 0x34, 0x16, 0x83, 0x82, 0x5b,
22008 -+ 0x31, 0xcd, 0x4d, 0x95
22009 -+};
22010 -+static const u8 enc_key039[] __initconst = {
22011 -+ 0x6c, 0xbf, 0xd7, 0x1c, 0x64, 0x5d, 0x18, 0x4c,
22012 -+ 0xf5, 0xd2, 0x3c, 0x40, 0x2b, 0xdb, 0x0d, 0x25,
22013 -+ 0xec, 0x54, 0x89, 0x8c, 0x8a, 0x02, 0x73, 0xd4,
22014 -+ 0x2e, 0xb5, 0xbe, 0x10, 0x9f, 0xdc, 0xb2, 0xac
22015 -+};
22016 -+
22017 -+/* wycheproof - misc */
22018 -+static const u8 enc_input040[] __initconst = {
22019 -+ 0xd0, 0x96, 0x80, 0x31, 0x81, 0xbe, 0xef, 0x9e,
22020 -+ 0x00, 0x8f, 0xf8, 0x5d, 0x5d, 0xdc, 0x38, 0xdd,
22021 -+ 0xac, 0xf0, 0xf0, 0x9e, 0xe5, 0xf7, 0xe0, 0x7f,
22022 -+ 0x1e, 0x40, 0x79, 0xcb, 0x64, 0xd0, 0xdc, 0x8f,
22023 -+ 0x5e, 0x67, 0x11, 0xcd, 0x49, 0x21, 0xa7, 0x88,
22024 -+ 0x7d, 0xe7, 0x6e, 0x26, 0x78, 0xfd, 0xc6, 0x76,
22025 -+ 0x18, 0xf1, 0x18, 0x55, 0x86, 0xbf, 0xea, 0x9d,
22026 -+ 0x4c, 0x68, 0x5d, 0x50, 0xe4, 0xbb, 0x9a, 0x82
22027 -+};
22028 -+static const u8 enc_output040[] __initconst = {
22029 -+ 0x9a, 0x4e, 0xf2, 0x2b, 0x18, 0x16, 0x77, 0xb5,
22030 -+ 0x75, 0x5c, 0x08, 0xf7, 0x47, 0xc0, 0xf8, 0xd8,
22031 -+ 0xe8, 0xd4, 0xc1, 0x8a, 0x9c, 0xc2, 0x40, 0x5c,
22032 -+ 0x12, 0xbb, 0x51, 0xbb, 0x18, 0x72, 0xc8, 0xe8,
22033 -+ 0xb8, 0x77, 0x67, 0x8b, 0xec, 0x44, 0x2c, 0xfc,
22034 -+ 0xbb, 0x0f, 0xf4, 0x64, 0xa6, 0x4b, 0x74, 0x33,
22035 -+ 0x2c, 0xf0, 0x72, 0x89, 0x8c, 0x7e, 0x0e, 0xdd,
22036 -+ 0xf6, 0x23, 0x2e, 0xa6, 0xe2, 0x7e, 0xfe, 0x50,
22037 -+ 0x9f, 0xf3, 0x42, 0x7a, 0x0f, 0x32, 0xfa, 0x56,
22038 -+ 0x6d, 0x9c, 0xa0, 0xa7, 0x8a, 0xef, 0xc0, 0x13
22039 -+};
22040 -+static const u8 enc_assoc040[] __initconst = { };
22041 -+static const u8 enc_nonce040[] __initconst = {
22042 -+ 0xd6, 0x10, 0x40, 0xa3, 0x13, 0xed, 0x49, 0x28,
22043 -+ 0x23, 0xcc, 0x06, 0x5b
22044 -+};
22045 -+static const u8 enc_key040[] __initconst = {
22046 -+ 0x5b, 0x1d, 0x10, 0x35, 0xc0, 0xb1, 0x7e, 0xe0,
22047 -+ 0xb0, 0x44, 0x47, 0x67, 0xf8, 0x0a, 0x25, 0xb8,
22048 -+ 0xc1, 0xb7, 0x41, 0xf4, 0xb5, 0x0a, 0x4d, 0x30,
22049 -+ 0x52, 0x22, 0x6b, 0xaa, 0x1c, 0x6f, 0xb7, 0x01
22050 -+};
22051 -+
22052 -+/* wycheproof - misc */
22053 -+static const u8 enc_input041[] __initconst = {
22054 -+ 0x94, 0xee, 0x16, 0x6d, 0x6d, 0x6e, 0xcf, 0x88,
22055 -+ 0x32, 0x43, 0x71, 0x36, 0xb4, 0xae, 0x80, 0x5d,
22056 -+ 0x42, 0x88, 0x64, 0x35, 0x95, 0x86, 0xd9, 0x19,
22057 -+ 0x3a, 0x25, 0x01, 0x62, 0x93, 0xed, 0xba, 0x44,
22058 -+ 0x3c, 0x58, 0xe0, 0x7e, 0x7b, 0x71, 0x95, 0xec,
22059 -+ 0x5b, 0xd8, 0x45, 0x82, 0xa9, 0xd5, 0x6c, 0x8d,
22060 -+ 0x4a, 0x10, 0x8c, 0x7d, 0x7c, 0xe3, 0x4e, 0x6c,
22061 -+ 0x6f, 0x8e, 0xa1, 0xbe, 0xc0, 0x56, 0x73, 0x17
22062 -+};
22063 -+static const u8 enc_output041[] __initconst = {
22064 -+ 0x5f, 0xbb, 0xde, 0xcc, 0x34, 0xbe, 0x20, 0x16,
22065 -+ 0x14, 0xf6, 0x36, 0x03, 0x1e, 0xeb, 0x42, 0xf1,
22066 -+ 0xca, 0xce, 0x3c, 0x79, 0xa1, 0x2c, 0xff, 0xd8,
22067 -+ 0x71, 0xee, 0x8e, 0x73, 0x82, 0x0c, 0x82, 0x97,
22068 -+ 0x49, 0xf1, 0xab, 0xb4, 0x29, 0x43, 0x67, 0x84,
22069 -+ 0x9f, 0xb6, 0xc2, 0xaa, 0x56, 0xbd, 0xa8, 0xa3,
22070 -+ 0x07, 0x8f, 0x72, 0x3d, 0x7c, 0x1c, 0x85, 0x20,
22071 -+ 0x24, 0xb0, 0x17, 0xb5, 0x89, 0x73, 0xfb, 0x1e,
22072 -+ 0x09, 0x26, 0x3d, 0xa7, 0xb4, 0xcb, 0x92, 0x14,
22073 -+ 0x52, 0xf9, 0x7d, 0xca, 0x40, 0xf5, 0x80, 0xec
22074 -+};
22075 -+static const u8 enc_assoc041[] __initconst = {
22076 -+ 0x71, 0x93, 0xf6, 0x23, 0x66, 0x33, 0x21, 0xa2
22077 -+};
22078 -+static const u8 enc_nonce041[] __initconst = {
22079 -+ 0xd3, 0x1c, 0x21, 0xab, 0xa1, 0x75, 0xb7, 0x0d,
22080 -+ 0xe4, 0xeb, 0xb1, 0x9c
22081 -+};
22082 -+static const u8 enc_key041[] __initconst = {
22083 -+ 0x97, 0xd6, 0x35, 0xc4, 0xf4, 0x75, 0x74, 0xd9,
22084 -+ 0x99, 0x8a, 0x90, 0x87, 0x5d, 0xa1, 0xd3, 0xa2,
22085 -+ 0x84, 0xb7, 0x55, 0xb2, 0xd3, 0x92, 0x97, 0xa5,
22086 -+ 0x72, 0x52, 0x35, 0x19, 0x0e, 0x10, 0xa9, 0x7e
22087 -+};
22088 -+
22089 -+/* wycheproof - misc */
22090 -+static const u8 enc_input042[] __initconst = {
22091 -+ 0xb4, 0x29, 0xeb, 0x80, 0xfb, 0x8f, 0xe8, 0xba,
22092 -+ 0xed, 0xa0, 0xc8, 0x5b, 0x9c, 0x33, 0x34, 0x58,
22093 -+ 0xe7, 0xc2, 0x99, 0x2e, 0x55, 0x84, 0x75, 0x06,
22094 -+ 0x9d, 0x12, 0xd4, 0x5c, 0x22, 0x21, 0x75, 0x64,
22095 -+ 0x12, 0x15, 0x88, 0x03, 0x22, 0x97, 0xef, 0xf5,
22096 -+ 0x67, 0x83, 0x74, 0x2a, 0x5f, 0xc2, 0x2d, 0x74,
22097 -+ 0x10, 0xff, 0xb2, 0x9d, 0x66, 0x09, 0x86, 0x61,
22098 -+ 0xd7, 0x6f, 0x12, 0x6c, 0x3c, 0x27, 0x68, 0x9e,
22099 -+ 0x43, 0xb3, 0x72, 0x67, 0xca, 0xc5, 0xa3, 0xa6,
22100 -+ 0xd3, 0xab, 0x49, 0xe3, 0x91, 0xda, 0x29, 0xcd,
22101 -+ 0x30, 0x54, 0xa5, 0x69, 0x2e, 0x28, 0x07, 0xe4,
22102 -+ 0xc3, 0xea, 0x46, 0xc8, 0x76, 0x1d, 0x50, 0xf5,
22103 -+ 0x92
22104 -+};
22105 -+static const u8 enc_output042[] __initconst = {
22106 -+ 0xd0, 0x10, 0x2f, 0x6c, 0x25, 0x8b, 0xf4, 0x97,
22107 -+ 0x42, 0xce, 0xc3, 0x4c, 0xf2, 0xd0, 0xfe, 0xdf,
22108 -+ 0x23, 0xd1, 0x05, 0xfb, 0x4c, 0x84, 0xcf, 0x98,
22109 -+ 0x51, 0x5e, 0x1b, 0xc9, 0xa6, 0x4f, 0x8a, 0xd5,
22110 -+ 0xbe, 0x8f, 0x07, 0x21, 0xbd, 0xe5, 0x06, 0x45,
22111 -+ 0xd0, 0x00, 0x83, 0xc3, 0xa2, 0x63, 0xa3, 0x10,
22112 -+ 0x53, 0xb7, 0x60, 0x24, 0x5f, 0x52, 0xae, 0x28,
22113 -+ 0x66, 0xa5, 0xec, 0x83, 0xb1, 0x9f, 0x61, 0xbe,
22114 -+ 0x1d, 0x30, 0xd5, 0xc5, 0xd9, 0xfe, 0xcc, 0x4c,
22115 -+ 0xbb, 0xe0, 0x8f, 0xd3, 0x85, 0x81, 0x3a, 0x2a,
22116 -+ 0xa3, 0x9a, 0x00, 0xff, 0x9c, 0x10, 0xf7, 0xf2,
22117 -+ 0x37, 0x02, 0xad, 0xd1, 0xe4, 0xb2, 0xff, 0xa3,
22118 -+ 0x1c, 0x41, 0x86, 0x5f, 0xc7, 0x1d, 0xe1, 0x2b,
22119 -+ 0x19, 0x61, 0x21, 0x27, 0xce, 0x49, 0x99, 0x3b,
22120 -+ 0xb0
22121 -+};
22122 -+static const u8 enc_assoc042[] __initconst = { };
22123 -+static const u8 enc_nonce042[] __initconst = {
22124 -+ 0x17, 0xc8, 0x6a, 0x8a, 0xbb, 0xb7, 0xe0, 0x03,
22125 -+ 0xac, 0xde, 0x27, 0x99
22126 -+};
22127 -+static const u8 enc_key042[] __initconst = {
22128 -+ 0xfe, 0x6e, 0x55, 0xbd, 0xae, 0xd1, 0xf7, 0x28,
22129 -+ 0x4c, 0xa5, 0xfc, 0x0f, 0x8c, 0x5f, 0x2b, 0x8d,
22130 -+ 0xf5, 0x6d, 0xc0, 0xf4, 0x9e, 0x8c, 0xa6, 0x6a,
22131 -+ 0x41, 0x99, 0x5e, 0x78, 0x33, 0x51, 0xf9, 0x01
22132 -+};
22133 -+
22134 -+/* wycheproof - misc */
22135 -+static const u8 enc_input043[] __initconst = {
22136 -+ 0xce, 0xb5, 0x34, 0xce, 0x50, 0xdc, 0x23, 0xff,
22137 -+ 0x63, 0x8a, 0xce, 0x3e, 0xf6, 0x3a, 0xb2, 0xcc,
22138 -+ 0x29, 0x73, 0xee, 0xad, 0xa8, 0x07, 0x85, 0xfc,
22139 -+ 0x16, 0x5d, 0x06, 0xc2, 0xf5, 0x10, 0x0f, 0xf5,
22140 -+ 0xe8, 0xab, 0x28, 0x82, 0xc4, 0x75, 0xaf, 0xcd,
22141 -+ 0x05, 0xcc, 0xd4, 0x9f, 0x2e, 0x7d, 0x8f, 0x55,
22142 -+ 0xef, 0x3a, 0x72, 0xe3, 0xdc, 0x51, 0xd6, 0x85,
22143 -+ 0x2b, 0x8e, 0x6b, 0x9e, 0x7a, 0xec, 0xe5, 0x7b,
22144 -+ 0xe6, 0x55, 0x6b, 0x0b, 0x6d, 0x94, 0x13, 0xe3,
22145 -+ 0x3f, 0xc5, 0xfc, 0x24, 0xa9, 0xa2, 0x05, 0xad,
22146 -+ 0x59, 0x57, 0x4b, 0xb3, 0x9d, 0x94, 0x4a, 0x92,
22147 -+ 0xdc, 0x47, 0x97, 0x0d, 0x84, 0xa6, 0xad, 0x31,
22148 -+ 0x76
22149 -+};
22150 -+static const u8 enc_output043[] __initconst = {
22151 -+ 0x75, 0x45, 0x39, 0x1b, 0x51, 0xde, 0x01, 0xd5,
22152 -+ 0xc5, 0x3d, 0xfa, 0xca, 0x77, 0x79, 0x09, 0x06,
22153 -+ 0x3e, 0x58, 0xed, 0xee, 0x4b, 0xb1, 0x22, 0x7e,
22154 -+ 0x71, 0x10, 0xac, 0x4d, 0x26, 0x20, 0xc2, 0xae,
22155 -+ 0xc2, 0xf8, 0x48, 0xf5, 0x6d, 0xee, 0xb0, 0x37,
22156 -+ 0xa8, 0xdc, 0xed, 0x75, 0xaf, 0xa8, 0xa6, 0xc8,
22157 -+ 0x90, 0xe2, 0xde, 0xe4, 0x2f, 0x95, 0x0b, 0xb3,
22158 -+ 0x3d, 0x9e, 0x24, 0x24, 0xd0, 0x8a, 0x50, 0x5d,
22159 -+ 0x89, 0x95, 0x63, 0x97, 0x3e, 0xd3, 0x88, 0x70,
22160 -+ 0xf3, 0xde, 0x6e, 0xe2, 0xad, 0xc7, 0xfe, 0x07,
22161 -+ 0x2c, 0x36, 0x6c, 0x14, 0xe2, 0xcf, 0x7c, 0xa6,
22162 -+ 0x2f, 0xb3, 0xd3, 0x6b, 0xee, 0x11, 0x68, 0x54,
22163 -+ 0x61, 0xb7, 0x0d, 0x44, 0xef, 0x8c, 0x66, 0xc5,
22164 -+ 0xc7, 0xbb, 0xf1, 0x0d, 0xca, 0xdd, 0x7f, 0xac,
22165 -+ 0xf6
22166 -+};
22167 -+static const u8 enc_assoc043[] __initconst = {
22168 -+ 0xa1, 0x1c, 0x40, 0xb6, 0x03, 0x76, 0x73, 0x30
22169 -+};
22170 -+static const u8 enc_nonce043[] __initconst = {
22171 -+ 0x46, 0x36, 0x2f, 0x45, 0xd6, 0x37, 0x9e, 0x63,
22172 -+ 0xe5, 0x22, 0x94, 0x60
22173 -+};
22174 -+static const u8 enc_key043[] __initconst = {
22175 -+ 0xaa, 0xbc, 0x06, 0x34, 0x74, 0xe6, 0x5c, 0x4c,
22176 -+ 0x3e, 0x9b, 0xdc, 0x48, 0x0d, 0xea, 0x97, 0xb4,
22177 -+ 0x51, 0x10, 0xc8, 0x61, 0x88, 0x46, 0xff, 0x6b,
22178 -+ 0x15, 0xbd, 0xd2, 0xa4, 0xa5, 0x68, 0x2c, 0x4e
22179 -+};
22180 -+
22181 -+/* wycheproof - misc */
22182 -+static const u8 enc_input044[] __initconst = {
22183 -+ 0xe5, 0xcc, 0xaa, 0x44, 0x1b, 0xc8, 0x14, 0x68,
22184 -+ 0x8f, 0x8f, 0x6e, 0x8f, 0x28, 0xb5, 0x00, 0xb2
22185 -+};
22186 -+static const u8 enc_output044[] __initconst = {
22187 -+ 0x7e, 0x72, 0xf5, 0xa1, 0x85, 0xaf, 0x16, 0xa6,
22188 -+ 0x11, 0x92, 0x1b, 0x43, 0x8f, 0x74, 0x9f, 0x0b,
22189 -+ 0x12, 0x42, 0xc6, 0x70, 0x73, 0x23, 0x34, 0x02,
22190 -+ 0x9a, 0xdf, 0xe1, 0xc5, 0x00, 0x16, 0x51, 0xe4
22191 -+};
22192 -+static const u8 enc_assoc044[] __initconst = {
22193 -+ 0x02
22194 -+};
22195 -+static const u8 enc_nonce044[] __initconst = {
22196 -+ 0x87, 0x34, 0x5f, 0x10, 0x55, 0xfd, 0x9e, 0x21,
22197 -+ 0x02, 0xd5, 0x06, 0x56
22198 -+};
22199 -+static const u8 enc_key044[] __initconst = {
22200 -+ 0x7d, 0x00, 0xb4, 0x80, 0x95, 0xad, 0xfa, 0x32,
22201 -+ 0x72, 0x05, 0x06, 0x07, 0xb2, 0x64, 0x18, 0x50,
22202 -+ 0x02, 0xba, 0x99, 0x95, 0x7c, 0x49, 0x8b, 0xe0,
22203 -+ 0x22, 0x77, 0x0f, 0x2c, 0xe2, 0xf3, 0x14, 0x3c
22204 -+};
22205 -+
22206 -+/* wycheproof - misc */
22207 -+static const u8 enc_input045[] __initconst = {
22208 -+ 0x02, 0xcd, 0xe1, 0x68, 0xfb, 0xa3, 0xf5, 0x44,
22209 -+ 0xbb, 0xd0, 0x33, 0x2f, 0x7a, 0xde, 0xad, 0xa8
22210 -+};
22211 -+static const u8 enc_output045[] __initconst = {
22212 -+ 0x85, 0xf2, 0x9a, 0x71, 0x95, 0x57, 0xcd, 0xd1,
22213 -+ 0x4d, 0x1f, 0x8f, 0xff, 0xab, 0x6d, 0x9e, 0x60,
22214 -+ 0x73, 0x2c, 0xa3, 0x2b, 0xec, 0xd5, 0x15, 0xa1,
22215 -+ 0xed, 0x35, 0x3f, 0x54, 0x2e, 0x99, 0x98, 0x58
22216 -+};
22217 -+static const u8 enc_assoc045[] __initconst = {
22218 -+ 0xb6, 0x48
22219 -+};
22220 -+static const u8 enc_nonce045[] __initconst = {
22221 -+ 0x87, 0xa3, 0x16, 0x3e, 0xc0, 0x59, 0x8a, 0xd9,
22222 -+ 0x5b, 0x3a, 0xa7, 0x13
22223 -+};
22224 -+static const u8 enc_key045[] __initconst = {
22225 -+ 0x64, 0x32, 0x71, 0x7f, 0x1d, 0xb8, 0x5e, 0x41,
22226 -+ 0xac, 0x78, 0x36, 0xbc, 0xe2, 0x51, 0x85, 0xa0,
22227 -+ 0x80, 0xd5, 0x76, 0x2b, 0x9e, 0x2b, 0x18, 0x44,
22228 -+ 0x4b, 0x6e, 0xc7, 0x2c, 0x3b, 0xd8, 0xe4, 0xdc
22229 -+};
22230 -+
22231 -+/* wycheproof - misc */
22232 -+static const u8 enc_input046[] __initconst = {
22233 -+ 0x16, 0xdd, 0xd2, 0x3f, 0xf5, 0x3f, 0x3d, 0x23,
22234 -+ 0xc0, 0x63, 0x34, 0x48, 0x70, 0x40, 0xeb, 0x47
22235 -+};
22236 -+static const u8 enc_output046[] __initconst = {
22237 -+ 0xc1, 0xb2, 0x95, 0x93, 0x6d, 0x56, 0xfa, 0xda,
22238 -+ 0xc0, 0x3e, 0x5f, 0x74, 0x2b, 0xff, 0x73, 0xa1,
22239 -+ 0x39, 0xc4, 0x57, 0xdb, 0xab, 0x66, 0x38, 0x2b,
22240 -+ 0xab, 0xb3, 0xb5, 0x58, 0x00, 0xcd, 0xa5, 0xb8
22241 -+};
22242 -+static const u8 enc_assoc046[] __initconst = {
22243 -+ 0xbd, 0x4c, 0xd0, 0x2f, 0xc7, 0x50, 0x2b, 0xbd,
22244 -+ 0xbd, 0xf6, 0xc9, 0xa3, 0xcb, 0xe8, 0xf0
22245 -+};
22246 -+static const u8 enc_nonce046[] __initconst = {
22247 -+ 0x6f, 0x57, 0x3a, 0xa8, 0x6b, 0xaa, 0x49, 0x2b,
22248 -+ 0xa4, 0x65, 0x96, 0xdf
22249 -+};
22250 -+static const u8 enc_key046[] __initconst = {
22251 -+ 0x8e, 0x34, 0xcf, 0x73, 0xd2, 0x45, 0xa1, 0x08,
22252 -+ 0x2a, 0x92, 0x0b, 0x86, 0x36, 0x4e, 0xb8, 0x96,
22253 -+ 0xc4, 0x94, 0x64, 0x67, 0xbc, 0xb3, 0xd5, 0x89,
22254 -+ 0x29, 0xfc, 0xb3, 0x66, 0x90, 0xe6, 0x39, 0x4f
22255 -+};
22256 -+
22257 -+/* wycheproof - misc */
22258 -+static const u8 enc_input047[] __initconst = {
22259 -+ 0x62, 0x3b, 0x78, 0x50, 0xc3, 0x21, 0xe2, 0xcf,
22260 -+ 0x0c, 0x6f, 0xbc, 0xc8, 0xdf, 0xd1, 0xaf, 0xf2
22261 -+};
22262 -+static const u8 enc_output047[] __initconst = {
22263 -+ 0xc8, 0x4c, 0x9b, 0xb7, 0xc6, 0x1c, 0x1b, 0xcb,
22264 -+ 0x17, 0x77, 0x2a, 0x1c, 0x50, 0x0c, 0x50, 0x95,
22265 -+ 0xdb, 0xad, 0xf7, 0xa5, 0x13, 0x8c, 0xa0, 0x34,
22266 -+ 0x59, 0xa2, 0xcd, 0x65, 0x83, 0x1e, 0x09, 0x2f
22267 -+};
22268 -+static const u8 enc_assoc047[] __initconst = {
22269 -+ 0x89, 0xcc, 0xe9, 0xfb, 0x47, 0x44, 0x1d, 0x07,
22270 -+ 0xe0, 0x24, 0x5a, 0x66, 0xfe, 0x8b, 0x77, 0x8b
22271 -+};
22272 -+static const u8 enc_nonce047[] __initconst = {
22273 -+ 0x1a, 0x65, 0x18, 0xf0, 0x2e, 0xde, 0x1d, 0xa6,
22274 -+ 0x80, 0x92, 0x66, 0xd9
22275 -+};
22276 -+static const u8 enc_key047[] __initconst = {
22277 -+ 0xcb, 0x55, 0x75, 0xf5, 0xc7, 0xc4, 0x5c, 0x91,
22278 -+ 0xcf, 0x32, 0x0b, 0x13, 0x9f, 0xb5, 0x94, 0x23,
22279 -+ 0x75, 0x60, 0xd0, 0xa3, 0xe6, 0xf8, 0x65, 0xa6,
22280 -+ 0x7d, 0x4f, 0x63, 0x3f, 0x2c, 0x08, 0xf0, 0x16
22281 -+};
22282 -+
22283 -+/* wycheproof - misc */
22284 -+static const u8 enc_input048[] __initconst = {
22285 -+ 0x87, 0xb3, 0xa4, 0xd7, 0xb2, 0x6d, 0x8d, 0x32,
22286 -+ 0x03, 0xa0, 0xde, 0x1d, 0x64, 0xef, 0x82, 0xe3
22287 -+};
22288 -+static const u8 enc_output048[] __initconst = {
22289 -+ 0x94, 0xbc, 0x80, 0x62, 0x1e, 0xd1, 0xe7, 0x1b,
22290 -+ 0x1f, 0xd2, 0xb5, 0xc3, 0xa1, 0x5e, 0x35, 0x68,
22291 -+ 0x33, 0x35, 0x11, 0x86, 0x17, 0x96, 0x97, 0x84,
22292 -+ 0x01, 0x59, 0x8b, 0x96, 0x37, 0x22, 0xf5, 0xb3
22293 -+};
22294 -+static const u8 enc_assoc048[] __initconst = {
22295 -+ 0xd1, 0x9f, 0x2d, 0x98, 0x90, 0x95, 0xf7, 0xab,
22296 -+ 0x03, 0xa5, 0xfd, 0xe8, 0x44, 0x16, 0xe0, 0x0c,
22297 -+ 0x0e
22298 -+};
22299 -+static const u8 enc_nonce048[] __initconst = {
22300 -+ 0x56, 0x4d, 0xee, 0x49, 0xab, 0x00, 0xd2, 0x40,
22301 -+ 0xfc, 0x10, 0x68, 0xc3
22302 -+};
22303 -+static const u8 enc_key048[] __initconst = {
22304 -+ 0xa5, 0x56, 0x9e, 0x72, 0x9a, 0x69, 0xb2, 0x4b,
22305 -+ 0xa6, 0xe0, 0xff, 0x15, 0xc4, 0x62, 0x78, 0x97,
22306 -+ 0x43, 0x68, 0x24, 0xc9, 0x41, 0xe9, 0xd0, 0x0b,
22307 -+ 0x2e, 0x93, 0xfd, 0xdc, 0x4b, 0xa7, 0x76, 0x57
22308 -+};
22309 -+
22310 -+/* wycheproof - misc */
22311 -+static const u8 enc_input049[] __initconst = {
22312 -+ 0xe6, 0x01, 0xb3, 0x85, 0x57, 0x79, 0x7d, 0xa2,
22313 -+ 0xf8, 0xa4, 0x10, 0x6a, 0x08, 0x9d, 0x1d, 0xa6
22314 -+};
22315 -+static const u8 enc_output049[] __initconst = {
22316 -+ 0x29, 0x9b, 0x5d, 0x3f, 0x3d, 0x03, 0xc0, 0x87,
22317 -+ 0x20, 0x9a, 0x16, 0xe2, 0x85, 0x14, 0x31, 0x11,
22318 -+ 0x4b, 0x45, 0x4e, 0xd1, 0x98, 0xde, 0x11, 0x7e,
22319 -+ 0x83, 0xec, 0x49, 0xfa, 0x8d, 0x85, 0x08, 0xd6
22320 -+};
22321 -+static const u8 enc_assoc049[] __initconst = {
22322 -+ 0x5e, 0x64, 0x70, 0xfa, 0xcd, 0x99, 0xc1, 0xd8,
22323 -+ 0x1e, 0x37, 0xcd, 0x44, 0x01, 0x5f, 0xe1, 0x94,
22324 -+ 0x80, 0xa2, 0xa4, 0xd3, 0x35, 0x2a, 0x4f, 0xf5,
22325 -+ 0x60, 0xc0, 0x64, 0x0f, 0xdb, 0xda
22326 -+};
22327 -+static const u8 enc_nonce049[] __initconst = {
22328 -+ 0xdf, 0x87, 0x13, 0xe8, 0x7e, 0xc3, 0xdb, 0xcf,
22329 -+ 0xad, 0x14, 0xd5, 0x3e
22330 -+};
22331 -+static const u8 enc_key049[] __initconst = {
22332 -+ 0x56, 0x20, 0x74, 0x65, 0xb4, 0xe4, 0x8e, 0x6d,
22333 -+ 0x04, 0x63, 0x0f, 0x4a, 0x42, 0xf3, 0x5c, 0xfc,
22334 -+ 0x16, 0x3a, 0xb2, 0x89, 0xc2, 0x2a, 0x2b, 0x47,
22335 -+ 0x84, 0xf6, 0xf9, 0x29, 0x03, 0x30, 0xbe, 0xe0
22336 -+};
22337 -+
22338 -+/* wycheproof - misc */
22339 -+static const u8 enc_input050[] __initconst = {
22340 -+ 0xdc, 0x9e, 0x9e, 0xaf, 0x11, 0xe3, 0x14, 0x18,
22341 -+ 0x2d, 0xf6, 0xa4, 0xeb, 0xa1, 0x7a, 0xec, 0x9c
22342 -+};
22343 -+static const u8 enc_output050[] __initconst = {
22344 -+ 0x60, 0x5b, 0xbf, 0x90, 0xae, 0xb9, 0x74, 0xf6,
22345 -+ 0x60, 0x2b, 0xc7, 0x78, 0x05, 0x6f, 0x0d, 0xca,
22346 -+ 0x38, 0xea, 0x23, 0xd9, 0x90, 0x54, 0xb4, 0x6b,
22347 -+ 0x42, 0xff, 0xe0, 0x04, 0x12, 0x9d, 0x22, 0x04
22348 -+};
22349 -+static const u8 enc_assoc050[] __initconst = {
22350 -+ 0xba, 0x44, 0x6f, 0x6f, 0x9a, 0x0c, 0xed, 0x22,
22351 -+ 0x45, 0x0f, 0xeb, 0x10, 0x73, 0x7d, 0x90, 0x07,
22352 -+ 0xfd, 0x69, 0xab, 0xc1, 0x9b, 0x1d, 0x4d, 0x90,
22353 -+ 0x49, 0xa5, 0x55, 0x1e, 0x86, 0xec, 0x2b, 0x37
22354 -+};
22355 -+static const u8 enc_nonce050[] __initconst = {
22356 -+ 0x8d, 0xf4, 0xb1, 0x5a, 0x88, 0x8c, 0x33, 0x28,
22357 -+ 0x6a, 0x7b, 0x76, 0x51
22358 -+};
22359 -+static const u8 enc_key050[] __initconst = {
22360 -+ 0x39, 0x37, 0x98, 0x6a, 0xf8, 0x6d, 0xaf, 0xc1,
22361 -+ 0xba, 0x0c, 0x46, 0x72, 0xd8, 0xab, 0xc4, 0x6c,
22362 -+ 0x20, 0x70, 0x62, 0x68, 0x2d, 0x9c, 0x26, 0x4a,
22363 -+ 0xb0, 0x6d, 0x6c, 0x58, 0x07, 0x20, 0x51, 0x30
22364 -+};
22365 -+
22366 -+/* wycheproof - misc */
22367 -+static const u8 enc_input051[] __initconst = {
22368 -+ 0x81, 0xce, 0x84, 0xed, 0xe9, 0xb3, 0x58, 0x59,
22369 -+ 0xcc, 0x8c, 0x49, 0xa8, 0xf6, 0xbe, 0x7d, 0xc6
22370 -+};
22371 -+static const u8 enc_output051[] __initconst = {
22372 -+ 0x7b, 0x7c, 0xe0, 0xd8, 0x24, 0x80, 0x9a, 0x70,
22373 -+ 0xde, 0x32, 0x56, 0x2c, 0xcf, 0x2c, 0x2b, 0xbd,
22374 -+ 0x15, 0xd4, 0x4a, 0x00, 0xce, 0x0d, 0x19, 0xb4,
22375 -+ 0x23, 0x1f, 0x92, 0x1e, 0x22, 0xbc, 0x0a, 0x43
22376 -+};
22377 -+static const u8 enc_assoc051[] __initconst = {
22378 -+ 0xd4, 0x1a, 0x82, 0x8d, 0x5e, 0x71, 0x82, 0x92,
22379 -+ 0x47, 0x02, 0x19, 0x05, 0x40, 0x2e, 0xa2, 0x57,
22380 -+ 0xdc, 0xcb, 0xc3, 0xb8, 0x0f, 0xcd, 0x56, 0x75,
22381 -+ 0x05, 0x6b, 0x68, 0xbb, 0x59, 0xe6, 0x2e, 0x88,
22382 -+ 0x73
22383 -+};
22384 -+static const u8 enc_nonce051[] __initconst = {
22385 -+ 0xbe, 0x40, 0xe5, 0xf1, 0xa1, 0x18, 0x17, 0xa0,
22386 -+ 0xa8, 0xfa, 0x89, 0x49
22387 -+};
22388 -+static const u8 enc_key051[] __initconst = {
22389 -+ 0x36, 0x37, 0x2a, 0xbc, 0xdb, 0x78, 0xe0, 0x27,
22390 -+ 0x96, 0x46, 0xac, 0x3d, 0x17, 0x6b, 0x96, 0x74,
22391 -+ 0xe9, 0x15, 0x4e, 0xec, 0xf0, 0xd5, 0x46, 0x9c,
22392 -+ 0x65, 0x1e, 0xc7, 0xe1, 0x6b, 0x4c, 0x11, 0x99
22393 -+};
22394 -+
22395 -+/* wycheproof - misc */
22396 -+static const u8 enc_input052[] __initconst = {
22397 -+ 0xa6, 0x67, 0x47, 0xc8, 0x9e, 0x85, 0x7a, 0xf3,
22398 -+ 0xa1, 0x8e, 0x2c, 0x79, 0x50, 0x00, 0x87, 0xed
22399 -+};
22400 -+static const u8 enc_output052[] __initconst = {
22401 -+ 0xca, 0x82, 0xbf, 0xf3, 0xe2, 0xf3, 0x10, 0xcc,
22402 -+ 0xc9, 0x76, 0x67, 0x2c, 0x44, 0x15, 0xe6, 0x9b,
22403 -+ 0x57, 0x63, 0x8c, 0x62, 0xa5, 0xd8, 0x5d, 0xed,
22404 -+ 0x77, 0x4f, 0x91, 0x3c, 0x81, 0x3e, 0xa0, 0x32
22405 -+};
22406 -+static const u8 enc_assoc052[] __initconst = {
22407 -+ 0x3f, 0x2d, 0xd4, 0x9b, 0xbf, 0x09, 0xd6, 0x9a,
22408 -+ 0x78, 0xa3, 0xd8, 0x0e, 0xa2, 0x56, 0x66, 0x14,
22409 -+ 0xfc, 0x37, 0x94, 0x74, 0x19, 0x6c, 0x1a, 0xae,
22410 -+ 0x84, 0x58, 0x3d, 0xa7, 0x3d, 0x7f, 0xf8, 0x5c,
22411 -+ 0x6f, 0x42, 0xca, 0x42, 0x05, 0x6a, 0x97, 0x92,
22412 -+ 0xcc, 0x1b, 0x9f, 0xb3, 0xc7, 0xd2, 0x61
22413 -+};
22414 -+static const u8 enc_nonce052[] __initconst = {
22415 -+ 0x84, 0xc8, 0x7d, 0xae, 0x4e, 0xee, 0x27, 0x73,
22416 -+ 0x0e, 0xc3, 0x5d, 0x12
22417 -+};
22418 -+static const u8 enc_key052[] __initconst = {
22419 -+ 0x9f, 0x14, 0x79, 0xed, 0x09, 0x7d, 0x7f, 0xe5,
22420 -+ 0x29, 0xc1, 0x1f, 0x2f, 0x5a, 0xdd, 0x9a, 0xaf,
22421 -+ 0xf4, 0xa1, 0xca, 0x0b, 0x68, 0x99, 0x7a, 0x2c,
22422 -+ 0xb7, 0xf7, 0x97, 0x49, 0xbd, 0x90, 0xaa, 0xf4
22423 -+};
22424 -+
22425 -+/* wycheproof - misc */
22426 -+static const u8 enc_input053[] __initconst = {
22427 -+ 0x25, 0x6d, 0x40, 0x88, 0x80, 0x94, 0x17, 0x83,
22428 -+ 0x55, 0xd3, 0x04, 0x84, 0x64, 0x43, 0xfe, 0xe8,
22429 -+ 0xdf, 0x99, 0x47, 0x03, 0x03, 0xfb, 0x3b, 0x7b,
22430 -+ 0x80, 0xe0, 0x30, 0xbe, 0xeb, 0xd3, 0x29, 0xbe
22431 -+};
22432 -+static const u8 enc_output053[] __initconst = {
22433 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22434 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22435 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22436 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22437 -+ 0xe6, 0xd3, 0xd7, 0x32, 0x4a, 0x1c, 0xbb, 0xa7,
22438 -+ 0x77, 0xbb, 0xb0, 0xec, 0xdd, 0xa3, 0x78, 0x07
22439 -+};
22440 -+static const u8 enc_assoc053[] __initconst = {
22441 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22442 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
22443 -+};
22444 -+static const u8 enc_nonce053[] __initconst = {
22445 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22446 -+};
22447 -+static const u8 enc_key053[] __initconst = {
22448 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22449 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22450 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22451 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22452 -+};
22453 -+
22454 -+/* wycheproof - misc */
22455 -+static const u8 enc_input054[] __initconst = {
22456 -+ 0x25, 0x6d, 0x40, 0x88, 0x80, 0x94, 0x17, 0x83,
22457 -+ 0x55, 0xd3, 0x04, 0x84, 0x64, 0x43, 0xfe, 0xe8,
22458 -+ 0xdf, 0x99, 0x47, 0x03, 0x03, 0xfb, 0x3b, 0x7b,
22459 -+ 0x80, 0xe0, 0x30, 0xbe, 0xeb, 0xd3, 0x29, 0xbe,
22460 -+ 0xe3, 0xbc, 0xdb, 0x5b, 0x1e, 0xde, 0xfc, 0xfe,
22461 -+ 0x8b, 0xcd, 0xa1, 0xb6, 0xa1, 0x5c, 0x8c, 0x2b,
22462 -+ 0x08, 0x69, 0xff, 0xd2, 0xec, 0x5e, 0x26, 0xe5,
22463 -+ 0x53, 0xb7, 0xb2, 0x27, 0xfe, 0x87, 0xfd, 0xbd
22464 -+};
22465 -+static const u8 enc_output054[] __initconst = {
22466 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22467 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22468 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22469 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22470 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22471 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22472 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22473 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22474 -+ 0x06, 0x2d, 0xe6, 0x79, 0x5f, 0x27, 0x4f, 0xd2,
22475 -+ 0xa3, 0x05, 0xd7, 0x69, 0x80, 0xbc, 0x9c, 0xce
22476 -+};
22477 -+static const u8 enc_assoc054[] __initconst = {
22478 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22479 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
22480 -+};
22481 -+static const u8 enc_nonce054[] __initconst = {
22482 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22483 -+};
22484 -+static const u8 enc_key054[] __initconst = {
22485 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22486 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22487 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22488 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22489 -+};
22490 -+
22491 -+/* wycheproof - misc */
22492 -+static const u8 enc_input055[] __initconst = {
22493 -+ 0x25, 0x6d, 0x40, 0x88, 0x80, 0x94, 0x17, 0x83,
22494 -+ 0x55, 0xd3, 0x04, 0x84, 0x64, 0x43, 0xfe, 0xe8,
22495 -+ 0xdf, 0x99, 0x47, 0x03, 0x03, 0xfb, 0x3b, 0x7b,
22496 -+ 0x80, 0xe0, 0x30, 0xbe, 0xeb, 0xd3, 0x29, 0xbe,
22497 -+ 0xe3, 0xbc, 0xdb, 0x5b, 0x1e, 0xde, 0xfc, 0xfe,
22498 -+ 0x8b, 0xcd, 0xa1, 0xb6, 0xa1, 0x5c, 0x8c, 0x2b,
22499 -+ 0x08, 0x69, 0xff, 0xd2, 0xec, 0x5e, 0x26, 0xe5,
22500 -+ 0x53, 0xb7, 0xb2, 0x27, 0xfe, 0x87, 0xfd, 0xbd,
22501 -+ 0x7a, 0xda, 0x44, 0x42, 0x42, 0x69, 0xbf, 0xfa,
22502 -+ 0x55, 0x27, 0xf2, 0x70, 0xac, 0xf6, 0x85, 0x02,
22503 -+ 0xb7, 0x4c, 0x5a, 0xe2, 0xe6, 0x0c, 0x05, 0x80,
22504 -+ 0x98, 0x1a, 0x49, 0x38, 0x45, 0x93, 0x92, 0xc4,
22505 -+ 0x9b, 0xb2, 0xf2, 0x84, 0xb6, 0x46, 0xef, 0xc7,
22506 -+ 0xf3, 0xf0, 0xb1, 0x36, 0x1d, 0xc3, 0x48, 0xed,
22507 -+ 0x77, 0xd3, 0x0b, 0xc5, 0x76, 0x92, 0xed, 0x38,
22508 -+ 0xfb, 0xac, 0x01, 0x88, 0x38, 0x04, 0x88, 0xc7
22509 -+};
22510 -+static const u8 enc_output055[] __initconst = {
22511 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22512 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22513 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22514 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22515 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22516 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22517 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22518 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22519 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22520 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22521 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22522 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22523 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22524 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22525 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22526 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22527 -+ 0xd8, 0xb4, 0x79, 0x02, 0xba, 0xae, 0xaf, 0xb3,
22528 -+ 0x42, 0x03, 0x05, 0x15, 0x29, 0xaf, 0x28, 0x2e
22529 -+};
22530 -+static const u8 enc_assoc055[] __initconst = {
22531 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22532 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
22533 -+};
22534 -+static const u8 enc_nonce055[] __initconst = {
22535 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22536 -+};
22537 -+static const u8 enc_key055[] __initconst = {
22538 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22539 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22540 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22541 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22542 -+};
22543 -+
22544 -+/* wycheproof - misc */
22545 -+static const u8 enc_input056[] __initconst = {
22546 -+ 0xda, 0x92, 0xbf, 0x77, 0x7f, 0x6b, 0xe8, 0x7c,
22547 -+ 0xaa, 0x2c, 0xfb, 0x7b, 0x9b, 0xbc, 0x01, 0x17,
22548 -+ 0x20, 0x66, 0xb8, 0xfc, 0xfc, 0x04, 0xc4, 0x84,
22549 -+ 0x7f, 0x1f, 0xcf, 0x41, 0x14, 0x2c, 0xd6, 0x41
22550 -+};
22551 -+static const u8 enc_output056[] __initconst = {
22552 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22553 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22554 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22555 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22556 -+ 0xb3, 0x89, 0x1c, 0x84, 0x9c, 0xb5, 0x2c, 0x27,
22557 -+ 0x74, 0x7e, 0xdf, 0xcf, 0x31, 0x21, 0x3b, 0xb6
22558 -+};
22559 -+static const u8 enc_assoc056[] __initconst = {
22560 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22561 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
22562 -+};
22563 -+static const u8 enc_nonce056[] __initconst = {
22564 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22565 -+};
22566 -+static const u8 enc_key056[] __initconst = {
22567 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22568 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22569 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22570 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22571 -+};
22572 -+
22573 -+/* wycheproof - misc */
22574 -+static const u8 enc_input057[] __initconst = {
22575 -+ 0xda, 0x92, 0xbf, 0x77, 0x7f, 0x6b, 0xe8, 0x7c,
22576 -+ 0xaa, 0x2c, 0xfb, 0x7b, 0x9b, 0xbc, 0x01, 0x17,
22577 -+ 0x20, 0x66, 0xb8, 0xfc, 0xfc, 0x04, 0xc4, 0x84,
22578 -+ 0x7f, 0x1f, 0xcf, 0x41, 0x14, 0x2c, 0xd6, 0x41,
22579 -+ 0x1c, 0x43, 0x24, 0xa4, 0xe1, 0x21, 0x03, 0x01,
22580 -+ 0x74, 0x32, 0x5e, 0x49, 0x5e, 0xa3, 0x73, 0xd4,
22581 -+ 0xf7, 0x96, 0x00, 0x2d, 0x13, 0xa1, 0xd9, 0x1a,
22582 -+ 0xac, 0x48, 0x4d, 0xd8, 0x01, 0x78, 0x02, 0x42
22583 -+};
22584 -+static const u8 enc_output057[] __initconst = {
22585 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22586 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22587 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22588 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22589 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22590 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22591 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22592 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22593 -+ 0xf0, 0xc1, 0x2d, 0x26, 0xef, 0x03, 0x02, 0x9b,
22594 -+ 0x62, 0xc0, 0x08, 0xda, 0x27, 0xc5, 0xdc, 0x68
22595 -+};
22596 -+static const u8 enc_assoc057[] __initconst = {
22597 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22598 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
22599 -+};
22600 -+static const u8 enc_nonce057[] __initconst = {
22601 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22602 -+};
22603 -+static const u8 enc_key057[] __initconst = {
22604 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22605 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22606 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22607 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22608 -+};
22609 -+
22610 -+/* wycheproof - misc */
22611 -+static const u8 enc_input058[] __initconst = {
22612 -+ 0xda, 0x92, 0xbf, 0x77, 0x7f, 0x6b, 0xe8, 0x7c,
22613 -+ 0xaa, 0x2c, 0xfb, 0x7b, 0x9b, 0xbc, 0x01, 0x17,
22614 -+ 0x20, 0x66, 0xb8, 0xfc, 0xfc, 0x04, 0xc4, 0x84,
22615 -+ 0x7f, 0x1f, 0xcf, 0x41, 0x14, 0x2c, 0xd6, 0x41,
22616 -+ 0x1c, 0x43, 0x24, 0xa4, 0xe1, 0x21, 0x03, 0x01,
22617 -+ 0x74, 0x32, 0x5e, 0x49, 0x5e, 0xa3, 0x73, 0xd4,
22618 -+ 0xf7, 0x96, 0x00, 0x2d, 0x13, 0xa1, 0xd9, 0x1a,
22619 -+ 0xac, 0x48, 0x4d, 0xd8, 0x01, 0x78, 0x02, 0x42,
22620 -+ 0x85, 0x25, 0xbb, 0xbd, 0xbd, 0x96, 0x40, 0x05,
22621 -+ 0xaa, 0xd8, 0x0d, 0x8f, 0x53, 0x09, 0x7a, 0xfd,
22622 -+ 0x48, 0xb3, 0xa5, 0x1d, 0x19, 0xf3, 0xfa, 0x7f,
22623 -+ 0x67, 0xe5, 0xb6, 0xc7, 0xba, 0x6c, 0x6d, 0x3b,
22624 -+ 0x64, 0x4d, 0x0d, 0x7b, 0x49, 0xb9, 0x10, 0x38,
22625 -+ 0x0c, 0x0f, 0x4e, 0xc9, 0xe2, 0x3c, 0xb7, 0x12,
22626 -+ 0x88, 0x2c, 0xf4, 0x3a, 0x89, 0x6d, 0x12, 0xc7,
22627 -+ 0x04, 0x53, 0xfe, 0x77, 0xc7, 0xfb, 0x77, 0x38
22628 -+};
22629 -+static const u8 enc_output058[] __initconst = {
22630 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22631 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22632 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22633 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22634 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22635 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22636 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22637 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22638 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22639 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22640 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22641 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22642 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22643 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22644 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22645 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22646 -+ 0xee, 0x65, 0x78, 0x30, 0x01, 0xc2, 0x56, 0x91,
22647 -+ 0xfa, 0x28, 0xd0, 0xf5, 0xf1, 0xc1, 0xd7, 0x62
22648 -+};
22649 -+static const u8 enc_assoc058[] __initconst = {
22650 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22651 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
22652 -+};
22653 -+static const u8 enc_nonce058[] __initconst = {
22654 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22655 -+};
22656 -+static const u8 enc_key058[] __initconst = {
22657 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22658 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22659 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22660 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22661 -+};
22662 -+
22663 -+/* wycheproof - misc */
22664 -+static const u8 enc_input059[] __initconst = {
22665 -+ 0x25, 0x6d, 0x40, 0x08, 0x80, 0x94, 0x17, 0x03,
22666 -+ 0x55, 0xd3, 0x04, 0x04, 0x64, 0x43, 0xfe, 0x68,
22667 -+ 0xdf, 0x99, 0x47, 0x83, 0x03, 0xfb, 0x3b, 0xfb,
22668 -+ 0x80, 0xe0, 0x30, 0x3e, 0xeb, 0xd3, 0x29, 0x3e
22669 -+};
22670 -+static const u8 enc_output059[] __initconst = {
22671 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22672 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22673 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22674 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22675 -+ 0x79, 0xba, 0x7a, 0x29, 0xf5, 0xa7, 0xbb, 0x75,
22676 -+ 0x79, 0x7a, 0xf8, 0x7a, 0x61, 0x01, 0x29, 0xa4
22677 -+};
22678 -+static const u8 enc_assoc059[] __initconst = {
22679 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22680 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
22681 -+};
22682 -+static const u8 enc_nonce059[] __initconst = {
22683 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22684 -+};
22685 -+static const u8 enc_key059[] __initconst = {
22686 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22687 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22688 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22689 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22690 -+};
22691 -+
22692 -+/* wycheproof - misc */
22693 -+static const u8 enc_input060[] __initconst = {
22694 -+ 0x25, 0x6d, 0x40, 0x08, 0x80, 0x94, 0x17, 0x03,
22695 -+ 0x55, 0xd3, 0x04, 0x04, 0x64, 0x43, 0xfe, 0x68,
22696 -+ 0xdf, 0x99, 0x47, 0x83, 0x03, 0xfb, 0x3b, 0xfb,
22697 -+ 0x80, 0xe0, 0x30, 0x3e, 0xeb, 0xd3, 0x29, 0x3e,
22698 -+ 0xe3, 0xbc, 0xdb, 0xdb, 0x1e, 0xde, 0xfc, 0x7e,
22699 -+ 0x8b, 0xcd, 0xa1, 0x36, 0xa1, 0x5c, 0x8c, 0xab,
22700 -+ 0x08, 0x69, 0xff, 0x52, 0xec, 0x5e, 0x26, 0x65,
22701 -+ 0x53, 0xb7, 0xb2, 0xa7, 0xfe, 0x87, 0xfd, 0x3d
22702 -+};
22703 -+static const u8 enc_output060[] __initconst = {
22704 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22705 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22706 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22707 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22708 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22709 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22710 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22711 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22712 -+ 0x36, 0xb1, 0x74, 0x38, 0x19, 0xe1, 0xb9, 0xba,
22713 -+ 0x15, 0x51, 0xe8, 0xed, 0x92, 0x2a, 0x95, 0x9a
22714 -+};
22715 -+static const u8 enc_assoc060[] __initconst = {
22716 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22717 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
22718 -+};
22719 -+static const u8 enc_nonce060[] __initconst = {
22720 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22721 -+};
22722 -+static const u8 enc_key060[] __initconst = {
22723 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22724 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22725 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22726 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22727 -+};
22728 -+
22729 -+/* wycheproof - misc */
22730 -+static const u8 enc_input061[] __initconst = {
22731 -+ 0x25, 0x6d, 0x40, 0x08, 0x80, 0x94, 0x17, 0x03,
22732 -+ 0x55, 0xd3, 0x04, 0x04, 0x64, 0x43, 0xfe, 0x68,
22733 -+ 0xdf, 0x99, 0x47, 0x83, 0x03, 0xfb, 0x3b, 0xfb,
22734 -+ 0x80, 0xe0, 0x30, 0x3e, 0xeb, 0xd3, 0x29, 0x3e,
22735 -+ 0xe3, 0xbc, 0xdb, 0xdb, 0x1e, 0xde, 0xfc, 0x7e,
22736 -+ 0x8b, 0xcd, 0xa1, 0x36, 0xa1, 0x5c, 0x8c, 0xab,
22737 -+ 0x08, 0x69, 0xff, 0x52, 0xec, 0x5e, 0x26, 0x65,
22738 -+ 0x53, 0xb7, 0xb2, 0xa7, 0xfe, 0x87, 0xfd, 0x3d,
22739 -+ 0x7a, 0xda, 0x44, 0xc2, 0x42, 0x69, 0xbf, 0x7a,
22740 -+ 0x55, 0x27, 0xf2, 0xf0, 0xac, 0xf6, 0x85, 0x82,
22741 -+ 0xb7, 0x4c, 0x5a, 0x62, 0xe6, 0x0c, 0x05, 0x00,
22742 -+ 0x98, 0x1a, 0x49, 0xb8, 0x45, 0x93, 0x92, 0x44,
22743 -+ 0x9b, 0xb2, 0xf2, 0x04, 0xb6, 0x46, 0xef, 0x47,
22744 -+ 0xf3, 0xf0, 0xb1, 0xb6, 0x1d, 0xc3, 0x48, 0x6d,
22745 -+ 0x77, 0xd3, 0x0b, 0x45, 0x76, 0x92, 0xed, 0xb8,
22746 -+ 0xfb, 0xac, 0x01, 0x08, 0x38, 0x04, 0x88, 0x47
22747 -+};
22748 -+static const u8 enc_output061[] __initconst = {
22749 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22750 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22751 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22752 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22753 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22754 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22755 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22756 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22757 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22758 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22759 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22760 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22761 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22762 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22763 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22764 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22765 -+ 0xfe, 0xac, 0x49, 0x55, 0x55, 0x4e, 0x80, 0x6f,
22766 -+ 0x3a, 0x19, 0x02, 0xe2, 0x44, 0x32, 0xc0, 0x8a
22767 -+};
22768 -+static const u8 enc_assoc061[] __initconst = {
22769 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22770 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
22771 -+};
22772 -+static const u8 enc_nonce061[] __initconst = {
22773 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22774 -+};
22775 -+static const u8 enc_key061[] __initconst = {
22776 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22777 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22778 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22779 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22780 -+};
22781 -+
22782 -+/* wycheproof - misc */
22783 -+static const u8 enc_input062[] __initconst = {
22784 -+ 0xda, 0x92, 0xbf, 0xf7, 0x7f, 0x6b, 0xe8, 0xfc,
22785 -+ 0xaa, 0x2c, 0xfb, 0xfb, 0x9b, 0xbc, 0x01, 0x97,
22786 -+ 0x20, 0x66, 0xb8, 0x7c, 0xfc, 0x04, 0xc4, 0x04,
22787 -+ 0x7f, 0x1f, 0xcf, 0xc1, 0x14, 0x2c, 0xd6, 0xc1
22788 -+};
22789 -+static const u8 enc_output062[] __initconst = {
22790 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22791 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22792 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22793 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22794 -+ 0x20, 0xa3, 0x79, 0x8d, 0xf1, 0x29, 0x2c, 0x59,
22795 -+ 0x72, 0xbf, 0x97, 0x41, 0xae, 0xc3, 0x8a, 0x19
22796 -+};
22797 -+static const u8 enc_assoc062[] __initconst = {
22798 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22799 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
22800 -+};
22801 -+static const u8 enc_nonce062[] __initconst = {
22802 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22803 -+};
22804 -+static const u8 enc_key062[] __initconst = {
22805 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22806 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22807 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22808 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22809 -+};
22810 -+
22811 -+/* wycheproof - misc */
22812 -+static const u8 enc_input063[] __initconst = {
22813 -+ 0xda, 0x92, 0xbf, 0xf7, 0x7f, 0x6b, 0xe8, 0xfc,
22814 -+ 0xaa, 0x2c, 0xfb, 0xfb, 0x9b, 0xbc, 0x01, 0x97,
22815 -+ 0x20, 0x66, 0xb8, 0x7c, 0xfc, 0x04, 0xc4, 0x04,
22816 -+ 0x7f, 0x1f, 0xcf, 0xc1, 0x14, 0x2c, 0xd6, 0xc1,
22817 -+ 0x1c, 0x43, 0x24, 0x24, 0xe1, 0x21, 0x03, 0x81,
22818 -+ 0x74, 0x32, 0x5e, 0xc9, 0x5e, 0xa3, 0x73, 0x54,
22819 -+ 0xf7, 0x96, 0x00, 0xad, 0x13, 0xa1, 0xd9, 0x9a,
22820 -+ 0xac, 0x48, 0x4d, 0x58, 0x01, 0x78, 0x02, 0xc2
22821 -+};
22822 -+static const u8 enc_output063[] __initconst = {
22823 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22824 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22825 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22826 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22827 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22828 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22829 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22830 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22831 -+ 0xc0, 0x3d, 0x9f, 0x67, 0x35, 0x4a, 0x97, 0xb2,
22832 -+ 0xf0, 0x74, 0xf7, 0x55, 0x15, 0x57, 0xe4, 0x9c
22833 -+};
22834 -+static const u8 enc_assoc063[] __initconst = {
22835 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22836 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
22837 -+};
22838 -+static const u8 enc_nonce063[] __initconst = {
22839 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22840 -+};
22841 -+static const u8 enc_key063[] __initconst = {
22842 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22843 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22844 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22845 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22846 -+};
22847 -+
22848 -+/* wycheproof - misc */
22849 -+static const u8 enc_input064[] __initconst = {
22850 -+ 0xda, 0x92, 0xbf, 0xf7, 0x7f, 0x6b, 0xe8, 0xfc,
22851 -+ 0xaa, 0x2c, 0xfb, 0xfb, 0x9b, 0xbc, 0x01, 0x97,
22852 -+ 0x20, 0x66, 0xb8, 0x7c, 0xfc, 0x04, 0xc4, 0x04,
22853 -+ 0x7f, 0x1f, 0xcf, 0xc1, 0x14, 0x2c, 0xd6, 0xc1,
22854 -+ 0x1c, 0x43, 0x24, 0x24, 0xe1, 0x21, 0x03, 0x81,
22855 -+ 0x74, 0x32, 0x5e, 0xc9, 0x5e, 0xa3, 0x73, 0x54,
22856 -+ 0xf7, 0x96, 0x00, 0xad, 0x13, 0xa1, 0xd9, 0x9a,
22857 -+ 0xac, 0x48, 0x4d, 0x58, 0x01, 0x78, 0x02, 0xc2,
22858 -+ 0x85, 0x25, 0xbb, 0x3d, 0xbd, 0x96, 0x40, 0x85,
22859 -+ 0xaa, 0xd8, 0x0d, 0x0f, 0x53, 0x09, 0x7a, 0x7d,
22860 -+ 0x48, 0xb3, 0xa5, 0x9d, 0x19, 0xf3, 0xfa, 0xff,
22861 -+ 0x67, 0xe5, 0xb6, 0x47, 0xba, 0x6c, 0x6d, 0xbb,
22862 -+ 0x64, 0x4d, 0x0d, 0xfb, 0x49, 0xb9, 0x10, 0xb8,
22863 -+ 0x0c, 0x0f, 0x4e, 0x49, 0xe2, 0x3c, 0xb7, 0x92,
22864 -+ 0x88, 0x2c, 0xf4, 0xba, 0x89, 0x6d, 0x12, 0x47,
22865 -+ 0x04, 0x53, 0xfe, 0xf7, 0xc7, 0xfb, 0x77, 0xb8
22866 -+};
22867 -+static const u8 enc_output064[] __initconst = {
22868 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22869 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22870 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22871 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22872 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22873 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22874 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22875 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22876 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22877 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22878 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22879 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22880 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22881 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22882 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22883 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22884 -+ 0xc8, 0x6d, 0xa8, 0xdd, 0x65, 0x22, 0x86, 0xd5,
22885 -+ 0x02, 0x13, 0xd3, 0x28, 0xd6, 0x3e, 0x40, 0x06
22886 -+};
22887 -+static const u8 enc_assoc064[] __initconst = {
22888 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22889 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
22890 -+};
22891 -+static const u8 enc_nonce064[] __initconst = {
22892 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22893 -+};
22894 -+static const u8 enc_key064[] __initconst = {
22895 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22896 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22897 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22898 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22899 -+};
22900 -+
22901 -+/* wycheproof - misc */
22902 -+static const u8 enc_input065[] __initconst = {
22903 -+ 0x5a, 0x92, 0xbf, 0x77, 0xff, 0x6b, 0xe8, 0x7c,
22904 -+ 0x2a, 0x2c, 0xfb, 0x7b, 0x1b, 0xbc, 0x01, 0x17,
22905 -+ 0xa0, 0x66, 0xb8, 0xfc, 0x7c, 0x04, 0xc4, 0x84,
22906 -+ 0xff, 0x1f, 0xcf, 0x41, 0x94, 0x2c, 0xd6, 0x41
22907 -+};
22908 -+static const u8 enc_output065[] __initconst = {
22909 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22910 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22911 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22912 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22913 -+ 0xbe, 0xde, 0x90, 0x83, 0xce, 0xb3, 0x6d, 0xdf,
22914 -+ 0xe5, 0xfa, 0x81, 0x1f, 0x95, 0x47, 0x1c, 0x67
22915 -+};
22916 -+static const u8 enc_assoc065[] __initconst = {
22917 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22918 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff
22919 -+};
22920 -+static const u8 enc_nonce065[] __initconst = {
22921 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22922 -+};
22923 -+static const u8 enc_key065[] __initconst = {
22924 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22925 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22926 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22927 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22928 -+};
22929 -+
22930 -+/* wycheproof - misc */
22931 -+static const u8 enc_input066[] __initconst = {
22932 -+ 0x5a, 0x92, 0xbf, 0x77, 0xff, 0x6b, 0xe8, 0x7c,
22933 -+ 0x2a, 0x2c, 0xfb, 0x7b, 0x1b, 0xbc, 0x01, 0x17,
22934 -+ 0xa0, 0x66, 0xb8, 0xfc, 0x7c, 0x04, 0xc4, 0x84,
22935 -+ 0xff, 0x1f, 0xcf, 0x41, 0x94, 0x2c, 0xd6, 0x41,
22936 -+ 0x9c, 0x43, 0x24, 0xa4, 0x61, 0x21, 0x03, 0x01,
22937 -+ 0xf4, 0x32, 0x5e, 0x49, 0xde, 0xa3, 0x73, 0xd4,
22938 -+ 0x77, 0x96, 0x00, 0x2d, 0x93, 0xa1, 0xd9, 0x1a,
22939 -+ 0x2c, 0x48, 0x4d, 0xd8, 0x81, 0x78, 0x02, 0x42
22940 -+};
22941 -+static const u8 enc_output066[] __initconst = {
22942 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22943 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22944 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22945 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22946 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22947 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22948 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22949 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22950 -+ 0x30, 0x08, 0x74, 0xbb, 0x06, 0x92, 0xb6, 0x89,
22951 -+ 0xde, 0xad, 0x9a, 0xe1, 0x5b, 0x06, 0x73, 0x90
22952 -+};
22953 -+static const u8 enc_assoc066[] __initconst = {
22954 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22955 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff
22956 -+};
22957 -+static const u8 enc_nonce066[] __initconst = {
22958 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22959 -+};
22960 -+static const u8 enc_key066[] __initconst = {
22961 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22962 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22963 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22964 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22965 -+};
22966 -+
22967 -+/* wycheproof - misc */
22968 -+static const u8 enc_input067[] __initconst = {
22969 -+ 0x5a, 0x92, 0xbf, 0x77, 0xff, 0x6b, 0xe8, 0x7c,
22970 -+ 0x2a, 0x2c, 0xfb, 0x7b, 0x1b, 0xbc, 0x01, 0x17,
22971 -+ 0xa0, 0x66, 0xb8, 0xfc, 0x7c, 0x04, 0xc4, 0x84,
22972 -+ 0xff, 0x1f, 0xcf, 0x41, 0x94, 0x2c, 0xd6, 0x41,
22973 -+ 0x9c, 0x43, 0x24, 0xa4, 0x61, 0x21, 0x03, 0x01,
22974 -+ 0xf4, 0x32, 0x5e, 0x49, 0xde, 0xa3, 0x73, 0xd4,
22975 -+ 0x77, 0x96, 0x00, 0x2d, 0x93, 0xa1, 0xd9, 0x1a,
22976 -+ 0x2c, 0x48, 0x4d, 0xd8, 0x81, 0x78, 0x02, 0x42,
22977 -+ 0x05, 0x25, 0xbb, 0xbd, 0x3d, 0x96, 0x40, 0x05,
22978 -+ 0x2a, 0xd8, 0x0d, 0x8f, 0xd3, 0x09, 0x7a, 0xfd,
22979 -+ 0xc8, 0xb3, 0xa5, 0x1d, 0x99, 0xf3, 0xfa, 0x7f,
22980 -+ 0xe7, 0xe5, 0xb6, 0xc7, 0x3a, 0x6c, 0x6d, 0x3b,
22981 -+ 0xe4, 0x4d, 0x0d, 0x7b, 0xc9, 0xb9, 0x10, 0x38,
22982 -+ 0x8c, 0x0f, 0x4e, 0xc9, 0x62, 0x3c, 0xb7, 0x12,
22983 -+ 0x08, 0x2c, 0xf4, 0x3a, 0x09, 0x6d, 0x12, 0xc7,
22984 -+ 0x84, 0x53, 0xfe, 0x77, 0x47, 0xfb, 0x77, 0x38
22985 -+};
22986 -+static const u8 enc_output067[] __initconst = {
22987 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22988 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22989 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22990 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22991 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22992 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22993 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22994 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22995 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22996 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22997 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22998 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22999 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23000 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23001 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23002 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23003 -+ 0x99, 0xca, 0xd8, 0x5f, 0x45, 0xca, 0x40, 0x94,
23004 -+ 0x2d, 0x0d, 0x4d, 0x5e, 0x95, 0x0a, 0xde, 0x22
23005 -+};
23006 -+static const u8 enc_assoc067[] __initconst = {
23007 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23008 -+ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff
23009 -+};
23010 -+static const u8 enc_nonce067[] __initconst = {
23011 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23012 -+};
23013 -+static const u8 enc_key067[] __initconst = {
23014 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23015 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23016 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23017 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23018 -+};
23019 -+
23020 -+/* wycheproof - misc */
23021 -+static const u8 enc_input068[] __initconst = {
23022 -+ 0x25, 0x6d, 0x40, 0x88, 0x7f, 0x6b, 0xe8, 0x7c,
23023 -+ 0x55, 0xd3, 0x04, 0x84, 0x9b, 0xbc, 0x01, 0x17,
23024 -+ 0xdf, 0x99, 0x47, 0x03, 0xfc, 0x04, 0xc4, 0x84,
23025 -+ 0x80, 0xe0, 0x30, 0xbe, 0x14, 0x2c, 0xd6, 0x41
23026 -+};
23027 -+static const u8 enc_output068[] __initconst = {
23028 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23029 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23030 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23031 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23032 -+ 0x8b, 0xbe, 0x14, 0x52, 0x72, 0xe7, 0xc2, 0xd9,
23033 -+ 0xa1, 0x89, 0x1a, 0x3a, 0xb0, 0x98, 0x3d, 0x9d
23034 -+};
23035 -+static const u8 enc_assoc068[] __initconst = {
23036 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23037 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
23038 -+};
23039 -+static const u8 enc_nonce068[] __initconst = {
23040 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23041 -+};
23042 -+static const u8 enc_key068[] __initconst = {
23043 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23044 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23045 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23046 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23047 -+};
23048 -+
23049 -+/* wycheproof - misc */
23050 -+static const u8 enc_input069[] __initconst = {
23051 -+ 0x25, 0x6d, 0x40, 0x88, 0x7f, 0x6b, 0xe8, 0x7c,
23052 -+ 0x55, 0xd3, 0x04, 0x84, 0x9b, 0xbc, 0x01, 0x17,
23053 -+ 0xdf, 0x99, 0x47, 0x03, 0xfc, 0x04, 0xc4, 0x84,
23054 -+ 0x80, 0xe0, 0x30, 0xbe, 0x14, 0x2c, 0xd6, 0x41,
23055 -+ 0xe3, 0xbc, 0xdb, 0x5b, 0xe1, 0x21, 0x03, 0x01,
23056 -+ 0x8b, 0xcd, 0xa1, 0xb6, 0x5e, 0xa3, 0x73, 0xd4,
23057 -+ 0x08, 0x69, 0xff, 0xd2, 0x13, 0xa1, 0xd9, 0x1a,
23058 -+ 0x53, 0xb7, 0xb2, 0x27, 0x01, 0x78, 0x02, 0x42
23059 -+};
23060 -+static const u8 enc_output069[] __initconst = {
23061 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23062 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23063 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23064 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23065 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23066 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23067 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23068 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23069 -+ 0x3b, 0x41, 0x86, 0x19, 0x13, 0xa8, 0xf6, 0xde,
23070 -+ 0x7f, 0x61, 0xe2, 0x25, 0x63, 0x1b, 0xc3, 0x82
23071 -+};
23072 -+static const u8 enc_assoc069[] __initconst = {
23073 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23074 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
23075 -+};
23076 -+static const u8 enc_nonce069[] __initconst = {
23077 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23078 -+};
23079 -+static const u8 enc_key069[] __initconst = {
23080 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23081 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23082 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23083 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23084 -+};
23085 -+
23086 -+/* wycheproof - misc */
23087 -+static const u8 enc_input070[] __initconst = {
23088 -+ 0x25, 0x6d, 0x40, 0x88, 0x7f, 0x6b, 0xe8, 0x7c,
23089 -+ 0x55, 0xd3, 0x04, 0x84, 0x9b, 0xbc, 0x01, 0x17,
23090 -+ 0xdf, 0x99, 0x47, 0x03, 0xfc, 0x04, 0xc4, 0x84,
23091 -+ 0x80, 0xe0, 0x30, 0xbe, 0x14, 0x2c, 0xd6, 0x41,
23092 -+ 0xe3, 0xbc, 0xdb, 0x5b, 0xe1, 0x21, 0x03, 0x01,
23093 -+ 0x8b, 0xcd, 0xa1, 0xb6, 0x5e, 0xa3, 0x73, 0xd4,
23094 -+ 0x08, 0x69, 0xff, 0xd2, 0x13, 0xa1, 0xd9, 0x1a,
23095 -+ 0x53, 0xb7, 0xb2, 0x27, 0x01, 0x78, 0x02, 0x42,
23096 -+ 0x7a, 0xda, 0x44, 0x42, 0xbd, 0x96, 0x40, 0x05,
23097 -+ 0x55, 0x27, 0xf2, 0x70, 0x53, 0x09, 0x7a, 0xfd,
23098 -+ 0xb7, 0x4c, 0x5a, 0xe2, 0x19, 0xf3, 0xfa, 0x7f,
23099 -+ 0x98, 0x1a, 0x49, 0x38, 0xba, 0x6c, 0x6d, 0x3b,
23100 -+ 0x9b, 0xb2, 0xf2, 0x84, 0x49, 0xb9, 0x10, 0x38,
23101 -+ 0xf3, 0xf0, 0xb1, 0x36, 0xe2, 0x3c, 0xb7, 0x12,
23102 -+ 0x77, 0xd3, 0x0b, 0xc5, 0x89, 0x6d, 0x12, 0xc7,
23103 -+ 0xfb, 0xac, 0x01, 0x88, 0xc7, 0xfb, 0x77, 0x38
23104 -+};
23105 -+static const u8 enc_output070[] __initconst = {
23106 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23107 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23108 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23109 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23110 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23111 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23112 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23113 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23114 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23115 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23116 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23117 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23118 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23119 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23120 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23121 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23122 -+ 0x84, 0x28, 0xbc, 0xf0, 0x23, 0xec, 0x6b, 0xf3,
23123 -+ 0x1f, 0xd9, 0xef, 0xb2, 0x03, 0xff, 0x08, 0x71
23124 -+};
23125 -+static const u8 enc_assoc070[] __initconst = {
23126 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23127 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
23128 -+};
23129 -+static const u8 enc_nonce070[] __initconst = {
23130 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23131 -+};
23132 -+static const u8 enc_key070[] __initconst = {
23133 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23134 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23135 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23136 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23137 -+};
23138 -+
23139 -+/* wycheproof - misc */
23140 -+static const u8 enc_input071[] __initconst = {
23141 -+ 0xda, 0x92, 0xbf, 0x77, 0x80, 0x94, 0x17, 0x83,
23142 -+ 0xaa, 0x2c, 0xfb, 0x7b, 0x64, 0x43, 0xfe, 0xe8,
23143 -+ 0x20, 0x66, 0xb8, 0xfc, 0x03, 0xfb, 0x3b, 0x7b,
23144 -+ 0x7f, 0x1f, 0xcf, 0x41, 0xeb, 0xd3, 0x29, 0xbe
23145 -+};
23146 -+static const u8 enc_output071[] __initconst = {
23147 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23148 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23149 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23150 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23151 -+ 0x13, 0x9f, 0xdf, 0x64, 0x74, 0xea, 0x24, 0xf5,
23152 -+ 0x49, 0xb0, 0x75, 0x82, 0x5f, 0x2c, 0x76, 0x20
23153 -+};
23154 -+static const u8 enc_assoc071[] __initconst = {
23155 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23156 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
23157 -+};
23158 -+static const u8 enc_nonce071[] __initconst = {
23159 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23160 -+};
23161 -+static const u8 enc_key071[] __initconst = {
23162 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23163 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23164 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23165 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23166 -+};
23167 -+
23168 -+/* wycheproof - misc */
23169 -+static const u8 enc_input072[] __initconst = {
23170 -+ 0xda, 0x92, 0xbf, 0x77, 0x80, 0x94, 0x17, 0x83,
23171 -+ 0xaa, 0x2c, 0xfb, 0x7b, 0x64, 0x43, 0xfe, 0xe8,
23172 -+ 0x20, 0x66, 0xb8, 0xfc, 0x03, 0xfb, 0x3b, 0x7b,
23173 -+ 0x7f, 0x1f, 0xcf, 0x41, 0xeb, 0xd3, 0x29, 0xbe,
23174 -+ 0x1c, 0x43, 0x24, 0xa4, 0x1e, 0xde, 0xfc, 0xfe,
23175 -+ 0x74, 0x32, 0x5e, 0x49, 0xa1, 0x5c, 0x8c, 0x2b,
23176 -+ 0xf7, 0x96, 0x00, 0x2d, 0xec, 0x5e, 0x26, 0xe5,
23177 -+ 0xac, 0x48, 0x4d, 0xd8, 0xfe, 0x87, 0xfd, 0xbd
23178 -+};
23179 -+static const u8 enc_output072[] __initconst = {
23180 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23181 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23182 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23183 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23184 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23185 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23186 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23187 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23188 -+ 0xbb, 0xad, 0x8d, 0x86, 0x3b, 0x83, 0x5a, 0x8e,
23189 -+ 0x86, 0x64, 0xfd, 0x1d, 0x45, 0x66, 0xb6, 0xb4
23190 -+};
23191 -+static const u8 enc_assoc072[] __initconst = {
23192 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23193 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
23194 -+};
23195 -+static const u8 enc_nonce072[] __initconst = {
23196 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23197 -+};
23198 -+static const u8 enc_key072[] __initconst = {
23199 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23200 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23201 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23202 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23203 -+};
23204 -+
23205 -+/* wycheproof - misc */
23206 -+static const u8 enc_input073[] __initconst = {
23207 -+ 0xda, 0x92, 0xbf, 0x77, 0x80, 0x94, 0x17, 0x83,
23208 -+ 0xaa, 0x2c, 0xfb, 0x7b, 0x64, 0x43, 0xfe, 0xe8,
23209 -+ 0x20, 0x66, 0xb8, 0xfc, 0x03, 0xfb, 0x3b, 0x7b,
23210 -+ 0x7f, 0x1f, 0xcf, 0x41, 0xeb, 0xd3, 0x29, 0xbe,
23211 -+ 0x1c, 0x43, 0x24, 0xa4, 0x1e, 0xde, 0xfc, 0xfe,
23212 -+ 0x74, 0x32, 0x5e, 0x49, 0xa1, 0x5c, 0x8c, 0x2b,
23213 -+ 0xf7, 0x96, 0x00, 0x2d, 0xec, 0x5e, 0x26, 0xe5,
23214 -+ 0xac, 0x48, 0x4d, 0xd8, 0xfe, 0x87, 0xfd, 0xbd,
23215 -+ 0x85, 0x25, 0xbb, 0xbd, 0x42, 0x69, 0xbf, 0xfa,
23216 -+ 0xaa, 0xd8, 0x0d, 0x8f, 0xac, 0xf6, 0x85, 0x02,
23217 -+ 0x48, 0xb3, 0xa5, 0x1d, 0xe6, 0x0c, 0x05, 0x80,
23218 -+ 0x67, 0xe5, 0xb6, 0xc7, 0x45, 0x93, 0x92, 0xc4,
23219 -+ 0x64, 0x4d, 0x0d, 0x7b, 0xb6, 0x46, 0xef, 0xc7,
23220 -+ 0x0c, 0x0f, 0x4e, 0xc9, 0x1d, 0xc3, 0x48, 0xed,
23221 -+ 0x88, 0x2c, 0xf4, 0x3a, 0x76, 0x92, 0xed, 0x38,
23222 -+ 0x04, 0x53, 0xfe, 0x77, 0x38, 0x04, 0x88, 0xc7
23223 -+};
23224 -+static const u8 enc_output073[] __initconst = {
23225 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23226 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23227 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23228 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23229 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23230 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23231 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23232 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23233 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23234 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23235 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23236 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23237 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23238 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23239 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23240 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23241 -+ 0x42, 0xf2, 0x35, 0x42, 0x97, 0x84, 0x9a, 0x51,
23242 -+ 0x1d, 0x53, 0xe5, 0x57, 0x17, 0x72, 0xf7, 0x1f
23243 -+};
23244 -+static const u8 enc_assoc073[] __initconst = {
23245 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23246 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
23247 -+};
23248 -+static const u8 enc_nonce073[] __initconst = {
23249 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23250 -+};
23251 -+static const u8 enc_key073[] __initconst = {
23252 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23253 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23254 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23255 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23256 -+};
23257 -+
23258 -+/* wycheproof - checking for int overflows */
23259 -+static const u8 enc_input074[] __initconst = {
23260 -+ 0xd4, 0x50, 0x0b, 0xf0, 0x09, 0x49, 0x35, 0x51,
23261 -+ 0xc3, 0x80, 0xad, 0xf5, 0x2c, 0x57, 0x3a, 0x69,
23262 -+ 0xdf, 0x7e, 0x8b, 0x76, 0x24, 0x63, 0x33, 0x0f,
23263 -+ 0xac, 0xc1, 0x6a, 0x57, 0x26, 0xbe, 0x71, 0x90,
23264 -+ 0xc6, 0x3c, 0x5a, 0x1c, 0x92, 0x65, 0x84, 0xa0,
23265 -+ 0x96, 0x75, 0x68, 0x28, 0xdc, 0xdc, 0x64, 0xac,
23266 -+ 0xdf, 0x96, 0x3d, 0x93, 0x1b, 0xf1, 0xda, 0xe2,
23267 -+ 0x38, 0xf3, 0xf1, 0x57, 0x22, 0x4a, 0xc4, 0xb5,
23268 -+ 0x42, 0xd7, 0x85, 0xb0, 0xdd, 0x84, 0xdb, 0x6b,
23269 -+ 0xe3, 0xbc, 0x5a, 0x36, 0x63, 0xe8, 0x41, 0x49,
23270 -+ 0xff, 0xbe, 0xd0, 0x9e, 0x54, 0xf7, 0x8f, 0x16,
23271 -+ 0xa8, 0x22, 0x3b, 0x24, 0xcb, 0x01, 0x9f, 0x58,
23272 -+ 0xb2, 0x1b, 0x0e, 0x55, 0x1e, 0x7a, 0xa0, 0x73,
23273 -+ 0x27, 0x62, 0x95, 0x51, 0x37, 0x6c, 0xcb, 0xc3,
23274 -+ 0x93, 0x76, 0x71, 0xa0, 0x62, 0x9b, 0xd9, 0x5c,
23275 -+ 0x99, 0x15, 0xc7, 0x85, 0x55, 0x77, 0x1e, 0x7a
23276 -+};
23277 -+static const u8 enc_output074[] __initconst = {
23278 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23279 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23280 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23281 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23282 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23283 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23284 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23285 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23286 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23287 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23288 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23289 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23290 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23291 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23292 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23293 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23294 -+ 0x0b, 0x30, 0x0d, 0x8d, 0xa5, 0x6c, 0x21, 0x85,
23295 -+ 0x75, 0x52, 0x79, 0x55, 0x3c, 0x4c, 0x82, 0xca
23296 -+};
23297 -+static const u8 enc_assoc074[] __initconst = {
23298 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23299 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23300 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23301 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23302 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23303 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23304 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23305 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23306 -+};
23307 -+static const u8 enc_nonce074[] __initconst = {
23308 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23309 -+ 0x00, 0x02, 0x50, 0x6e
23310 -+};
23311 -+static const u8 enc_key074[] __initconst = {
23312 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23313 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23314 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23315 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23316 -+};
23317 -+
23318 -+/* wycheproof - checking for int overflows */
23319 -+static const u8 enc_input075[] __initconst = {
23320 -+ 0x7d, 0xe8, 0x7f, 0x67, 0x29, 0x94, 0x52, 0x75,
23321 -+ 0xd0, 0x65, 0x5d, 0xa4, 0xc7, 0xfd, 0xe4, 0x56,
23322 -+ 0x9e, 0x16, 0xf1, 0x11, 0xb5, 0xeb, 0x26, 0xc2,
23323 -+ 0x2d, 0x85, 0x9e, 0x3f, 0xf8, 0x22, 0xec, 0xed,
23324 -+ 0x3a, 0x6d, 0xd9, 0xa6, 0x0f, 0x22, 0x95, 0x7f,
23325 -+ 0x7b, 0x7c, 0x85, 0x7e, 0x88, 0x22, 0xeb, 0x9f,
23326 -+ 0xe0, 0xb8, 0xd7, 0x02, 0x21, 0x41, 0xf2, 0xd0,
23327 -+ 0xb4, 0x8f, 0x4b, 0x56, 0x12, 0xd3, 0x22, 0xa8,
23328 -+ 0x8d, 0xd0, 0xfe, 0x0b, 0x4d, 0x91, 0x79, 0x32,
23329 -+ 0x4f, 0x7c, 0x6c, 0x9e, 0x99, 0x0e, 0xfb, 0xd8,
23330 -+ 0x0e, 0x5e, 0xd6, 0x77, 0x58, 0x26, 0x49, 0x8b,
23331 -+ 0x1e, 0xfe, 0x0f, 0x71, 0xa0, 0xf3, 0xec, 0x5b,
23332 -+ 0x29, 0xcb, 0x28, 0xc2, 0x54, 0x0a, 0x7d, 0xcd,
23333 -+ 0x51, 0xb7, 0xda, 0xae, 0xe0, 0xff, 0x4a, 0x7f,
23334 -+ 0x3a, 0xc1, 0xee, 0x54, 0xc2, 0x9e, 0xe4, 0xc1,
23335 -+ 0x70, 0xde, 0x40, 0x8f, 0x66, 0x69, 0x21, 0x94
23336 -+};
23337 -+static const u8 enc_output075[] __initconst = {
23338 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23339 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23340 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23341 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23342 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23343 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23344 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23345 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23346 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23347 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23348 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23349 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23350 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23351 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23352 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23353 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23354 -+ 0xc5, 0x78, 0xe2, 0xaa, 0x44, 0xd3, 0x09, 0xb7,
23355 -+ 0xb6, 0xa5, 0x19, 0x3b, 0xdc, 0x61, 0x18, 0xf5
23356 -+};
23357 -+static const u8 enc_assoc075[] __initconst = {
23358 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23359 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23360 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23361 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23362 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23363 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23364 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23365 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23366 -+};
23367 -+static const u8 enc_nonce075[] __initconst = {
23368 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23369 -+ 0x00, 0x03, 0x18, 0xa5
23370 -+};
23371 -+static const u8 enc_key075[] __initconst = {
23372 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23373 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23374 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23375 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23376 -+};
23377 -+
23378 -+/* wycheproof - checking for int overflows */
23379 -+static const u8 enc_input076[] __initconst = {
23380 -+ 0x1b, 0x99, 0x6f, 0x9a, 0x3c, 0xcc, 0x67, 0x85,
23381 -+ 0xde, 0x22, 0xff, 0x5b, 0x8a, 0xdd, 0x95, 0x02,
23382 -+ 0xce, 0x03, 0xa0, 0xfa, 0xf5, 0x99, 0x2a, 0x09,
23383 -+ 0x52, 0x2c, 0xdd, 0x12, 0x06, 0xd2, 0x20, 0xb8,
23384 -+ 0xf8, 0xbd, 0x07, 0xd1, 0xf1, 0xf5, 0xa1, 0xbd,
23385 -+ 0x9a, 0x71, 0xd1, 0x1c, 0x7f, 0x57, 0x9b, 0x85,
23386 -+ 0x58, 0x18, 0xc0, 0x8d, 0x4d, 0xe0, 0x36, 0x39,
23387 -+ 0x31, 0x83, 0xb7, 0xf5, 0x90, 0xb3, 0x35, 0xae,
23388 -+ 0xd8, 0xde, 0x5b, 0x57, 0xb1, 0x3c, 0x5f, 0xed,
23389 -+ 0xe2, 0x44, 0x1c, 0x3e, 0x18, 0x4a, 0xa9, 0xd4,
23390 -+ 0x6e, 0x61, 0x59, 0x85, 0x06, 0xb3, 0xe1, 0x1c,
23391 -+ 0x43, 0xc6, 0x2c, 0xbc, 0xac, 0xec, 0xed, 0x33,
23392 -+ 0x19, 0x08, 0x75, 0xb0, 0x12, 0x21, 0x8b, 0x19,
23393 -+ 0x30, 0xfb, 0x7c, 0x38, 0xec, 0x45, 0xac, 0x11,
23394 -+ 0xc3, 0x53, 0xd0, 0xcf, 0x93, 0x8d, 0xcc, 0xb9,
23395 -+ 0xef, 0xad, 0x8f, 0xed, 0xbe, 0x46, 0xda, 0xa5
23396 -+};
23397 -+static const u8 enc_output076[] __initconst = {
23398 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23399 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23400 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23401 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23402 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23403 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23404 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23405 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23406 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23407 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23408 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23409 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23410 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23411 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23412 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23413 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23414 -+ 0x4b, 0x0b, 0xda, 0x8a, 0xd0, 0x43, 0x83, 0x0d,
23415 -+ 0x83, 0x19, 0xab, 0x82, 0xc5, 0x0c, 0x76, 0x63
23416 -+};
23417 -+static const u8 enc_assoc076[] __initconst = {
23418 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23419 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23420 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23421 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23422 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23423 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23424 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23425 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23426 -+};
23427 -+static const u8 enc_nonce076[] __initconst = {
23428 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0xb4, 0xf0
23429 -+};
23430 -+static const u8 enc_key076[] __initconst = {
23431 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23432 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23433 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23434 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23435 -+};
23436 -+
23437 -+/* wycheproof - checking for int overflows */
23438 -+static const u8 enc_input077[] __initconst = {
23439 -+ 0x86, 0xcb, 0xac, 0xae, 0x4d, 0x3f, 0x74, 0xae,
23440 -+ 0x01, 0x21, 0x3e, 0x05, 0x51, 0xcc, 0x15, 0x16,
23441 -+ 0x0e, 0xa1, 0xbe, 0x84, 0x08, 0xe3, 0xd5, 0xd7,
23442 -+ 0x4f, 0x01, 0x46, 0x49, 0x95, 0xa6, 0x9e, 0x61,
23443 -+ 0x76, 0xcb, 0x9e, 0x02, 0xb2, 0x24, 0x7e, 0xd2,
23444 -+ 0x99, 0x89, 0x2f, 0x91, 0x82, 0xa4, 0x5c, 0xaf,
23445 -+ 0x4c, 0x69, 0x40, 0x56, 0x11, 0x76, 0x6e, 0xdf,
23446 -+ 0xaf, 0xdc, 0x28, 0x55, 0x19, 0xea, 0x30, 0x48,
23447 -+ 0x0c, 0x44, 0xf0, 0x5e, 0x78, 0x1e, 0xac, 0xf8,
23448 -+ 0xfc, 0xec, 0xc7, 0x09, 0x0a, 0xbb, 0x28, 0xfa,
23449 -+ 0x5f, 0xd5, 0x85, 0xac, 0x8c, 0xda, 0x7e, 0x87,
23450 -+ 0x72, 0xe5, 0x94, 0xe4, 0xce, 0x6c, 0x88, 0x32,
23451 -+ 0x81, 0x93, 0x2e, 0x0f, 0x89, 0xf8, 0x77, 0xa1,
23452 -+ 0xf0, 0x4d, 0x9c, 0x32, 0xb0, 0x6c, 0xf9, 0x0b,
23453 -+ 0x0e, 0x76, 0x2b, 0x43, 0x0c, 0x4d, 0x51, 0x7c,
23454 -+ 0x97, 0x10, 0x70, 0x68, 0xf4, 0x98, 0xef, 0x7f
23455 -+};
23456 -+static const u8 enc_output077[] __initconst = {
23457 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23458 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23459 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23460 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23461 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23462 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23463 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23464 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23465 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23466 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23467 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23468 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23469 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23470 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23471 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23472 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23473 -+ 0x4b, 0xc9, 0x8f, 0x72, 0xc4, 0x94, 0xc2, 0xa4,
23474 -+ 0x3c, 0x2b, 0x15, 0xa1, 0x04, 0x3f, 0x1c, 0xfa
23475 -+};
23476 -+static const u8 enc_assoc077[] __initconst = {
23477 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23478 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23479 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23480 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23481 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23482 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23483 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23484 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23485 -+};
23486 -+static const u8 enc_nonce077[] __initconst = {
23487 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xfb, 0x66
23488 -+};
23489 -+static const u8 enc_key077[] __initconst = {
23490 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23491 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23492 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23493 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23494 -+};
23495 -+
23496 -+/* wycheproof - checking for int overflows */
23497 -+static const u8 enc_input078[] __initconst = {
23498 -+ 0xfa, 0xb1, 0xcd, 0xdf, 0x4f, 0xe1, 0x98, 0xef,
23499 -+ 0x63, 0xad, 0xd8, 0x81, 0xd6, 0xea, 0xd6, 0xc5,
23500 -+ 0x76, 0x37, 0xbb, 0xe9, 0x20, 0x18, 0xca, 0x7c,
23501 -+ 0x0b, 0x96, 0xfb, 0xa0, 0x87, 0x1e, 0x93, 0x2d,
23502 -+ 0xb1, 0xfb, 0xf9, 0x07, 0x61, 0xbe, 0x25, 0xdf,
23503 -+ 0x8d, 0xfa, 0xf9, 0x31, 0xce, 0x57, 0x57, 0xe6,
23504 -+ 0x17, 0xb3, 0xd7, 0xa9, 0xf0, 0xbf, 0x0f, 0xfe,
23505 -+ 0x5d, 0x59, 0x1a, 0x33, 0xc1, 0x43, 0xb8, 0xf5,
23506 -+ 0x3f, 0xd0, 0xb5, 0xa1, 0x96, 0x09, 0xfd, 0x62,
23507 -+ 0xe5, 0xc2, 0x51, 0xa4, 0x28, 0x1a, 0x20, 0x0c,
23508 -+ 0xfd, 0xc3, 0x4f, 0x28, 0x17, 0x10, 0x40, 0x6f,
23509 -+ 0x4e, 0x37, 0x62, 0x54, 0x46, 0xff, 0x6e, 0xf2,
23510 -+ 0x24, 0x91, 0x3d, 0xeb, 0x0d, 0x89, 0xaf, 0x33,
23511 -+ 0x71, 0x28, 0xe3, 0xd1, 0x55, 0xd1, 0x6d, 0x3e,
23512 -+ 0xc3, 0x24, 0x60, 0x41, 0x43, 0x21, 0x43, 0xe9,
23513 -+ 0xab, 0x3a, 0x6d, 0x2c, 0xcc, 0x2f, 0x4d, 0x62
23514 -+};
23515 -+static const u8 enc_output078[] __initconst = {
23516 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23517 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23518 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23519 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23520 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23521 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23522 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23523 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23524 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23525 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23526 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23527 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23528 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23529 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23530 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23531 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23532 -+ 0xf7, 0xe9, 0xe1, 0x51, 0xb0, 0x25, 0x33, 0xc7,
23533 -+ 0x46, 0x58, 0xbf, 0xc7, 0x73, 0x7c, 0x68, 0x0d
23534 -+};
23535 -+static const u8 enc_assoc078[] __initconst = {
23536 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23537 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23538 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23539 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23540 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23541 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23542 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23543 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23544 -+};
23545 -+static const u8 enc_nonce078[] __initconst = {
23546 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xbb, 0x90
23547 -+};
23548 -+static const u8 enc_key078[] __initconst = {
23549 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23550 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23551 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23552 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23553 -+};
23554 -+
23555 -+/* wycheproof - checking for int overflows */
23556 -+static const u8 enc_input079[] __initconst = {
23557 -+ 0x22, 0x72, 0x02, 0xbe, 0x7f, 0x35, 0x15, 0xe9,
23558 -+ 0xd1, 0xc0, 0x2e, 0xea, 0x2f, 0x19, 0x50, 0xb6,
23559 -+ 0x48, 0x1b, 0x04, 0x8a, 0x4c, 0x91, 0x50, 0x6c,
23560 -+ 0xb4, 0x0d, 0x50, 0x4e, 0x6c, 0x94, 0x9f, 0x82,
23561 -+ 0xd1, 0x97, 0xc2, 0x5a, 0xd1, 0x7d, 0xc7, 0x21,
23562 -+ 0x65, 0x11, 0x25, 0x78, 0x2a, 0xc7, 0xa7, 0x12,
23563 -+ 0x47, 0xfe, 0xae, 0xf3, 0x2f, 0x1f, 0x25, 0x0c,
23564 -+ 0xe4, 0xbb, 0x8f, 0x79, 0xac, 0xaa, 0x17, 0x9d,
23565 -+ 0x45, 0xa7, 0xb0, 0x54, 0x5f, 0x09, 0x24, 0x32,
23566 -+ 0x5e, 0xfa, 0x87, 0xd5, 0xe4, 0x41, 0xd2, 0x84,
23567 -+ 0x78, 0xc6, 0x1f, 0x22, 0x23, 0xee, 0x67, 0xc3,
23568 -+ 0xb4, 0x1f, 0x43, 0x94, 0x53, 0x5e, 0x2a, 0x24,
23569 -+ 0x36, 0x9a, 0x2e, 0x16, 0x61, 0x3c, 0x45, 0x94,
23570 -+ 0x90, 0xc1, 0x4f, 0xb1, 0xd7, 0x55, 0xfe, 0x53,
23571 -+ 0xfb, 0xe1, 0xee, 0x45, 0xb1, 0xb2, 0x1f, 0x71,
23572 -+ 0x62, 0xe2, 0xfc, 0xaa, 0x74, 0x2a, 0xbe, 0xfd
23573 -+};
23574 -+static const u8 enc_output079[] __initconst = {
23575 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23576 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23577 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23578 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23579 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23580 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23581 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23582 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23583 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23584 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23585 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23586 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23587 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23588 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23589 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23590 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23591 -+ 0x79, 0x5b, 0xcf, 0xf6, 0x47, 0xc5, 0x53, 0xc2,
23592 -+ 0xe4, 0xeb, 0x6e, 0x0e, 0xaf, 0xd9, 0xe0, 0x4e
23593 -+};
23594 -+static const u8 enc_assoc079[] __initconst = {
23595 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23596 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23597 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23598 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23599 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23600 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23601 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23602 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23603 -+};
23604 -+static const u8 enc_nonce079[] __initconst = {
23605 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x48, 0x4a
23606 -+};
23607 -+static const u8 enc_key079[] __initconst = {
23608 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23609 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23610 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23611 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23612 -+};
23613 -+
23614 -+/* wycheproof - checking for int overflows */
23615 -+static const u8 enc_input080[] __initconst = {
23616 -+ 0xfa, 0xe5, 0x83, 0x45, 0xc1, 0x6c, 0xb0, 0xf5,
23617 -+ 0xcc, 0x53, 0x7f, 0x2b, 0x1b, 0x34, 0x69, 0xc9,
23618 -+ 0x69, 0x46, 0x3b, 0x3e, 0xa7, 0x1b, 0xcf, 0x6b,
23619 -+ 0x98, 0xd6, 0x69, 0xa8, 0xe6, 0x0e, 0x04, 0xfc,
23620 -+ 0x08, 0xd5, 0xfd, 0x06, 0x9c, 0x36, 0x26, 0x38,
23621 -+ 0xe3, 0x40, 0x0e, 0xf4, 0xcb, 0x24, 0x2e, 0x27,
23622 -+ 0xe2, 0x24, 0x5e, 0x68, 0xcb, 0x9e, 0xc5, 0x83,
23623 -+ 0xda, 0x53, 0x40, 0xb1, 0x2e, 0xdf, 0x42, 0x3b,
23624 -+ 0x73, 0x26, 0xad, 0x20, 0xfe, 0xeb, 0x57, 0xda,
23625 -+ 0xca, 0x2e, 0x04, 0x67, 0xa3, 0x28, 0x99, 0xb4,
23626 -+ 0x2d, 0xf8, 0xe5, 0x6d, 0x84, 0xe0, 0x06, 0xbc,
23627 -+ 0x8a, 0x7a, 0xcc, 0x73, 0x1e, 0x7c, 0x1f, 0x6b,
23628 -+ 0xec, 0xb5, 0x71, 0x9f, 0x70, 0x77, 0xf0, 0xd4,
23629 -+ 0xf4, 0xc6, 0x1a, 0xb1, 0x1e, 0xba, 0xc1, 0x00,
23630 -+ 0x18, 0x01, 0xce, 0x33, 0xc4, 0xe4, 0xa7, 0x7d,
23631 -+ 0x83, 0x1d, 0x3c, 0xe3, 0x4e, 0x84, 0x10, 0xe1
23632 -+};
23633 -+static const u8 enc_output080[] __initconst = {
23634 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23635 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23636 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23637 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23638 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23639 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23640 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23641 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23642 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23643 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23644 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23645 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23646 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23647 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23648 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23649 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23650 -+ 0x19, 0x46, 0xd6, 0x53, 0x96, 0x0f, 0x94, 0x7a,
23651 -+ 0x74, 0xd3, 0xe8, 0x09, 0x3c, 0xf4, 0x85, 0x02
23652 -+};
23653 -+static const u8 enc_assoc080[] __initconst = {
23654 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23655 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23656 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23657 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23658 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23659 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23660 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23661 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23662 -+};
23663 -+static const u8 enc_nonce080[] __initconst = {
23664 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x93, 0x2f, 0x40
23665 -+};
23666 -+static const u8 enc_key080[] __initconst = {
23667 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23668 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23669 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23670 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23671 -+};
23672 -+
23673 -+/* wycheproof - checking for int overflows */
23674 -+static const u8 enc_input081[] __initconst = {
23675 -+ 0xeb, 0xb2, 0x16, 0xdd, 0xd7, 0xca, 0x70, 0x92,
23676 -+ 0x15, 0xf5, 0x03, 0xdf, 0x9c, 0xe6, 0x3c, 0x5c,
23677 -+ 0xd2, 0x19, 0x4e, 0x7d, 0x90, 0x99, 0xe8, 0xa9,
23678 -+ 0x0b, 0x2a, 0xfa, 0xad, 0x5e, 0xba, 0x35, 0x06,
23679 -+ 0x99, 0x25, 0xa6, 0x03, 0xfd, 0xbc, 0x34, 0x1a,
23680 -+ 0xae, 0xd4, 0x15, 0x05, 0xb1, 0x09, 0x41, 0xfa,
23681 -+ 0x38, 0x56, 0xa7, 0xe2, 0x47, 0xb1, 0x04, 0x07,
23682 -+ 0x09, 0x74, 0x6c, 0xfc, 0x20, 0x96, 0xca, 0xa6,
23683 -+ 0x31, 0xb2, 0xff, 0xf4, 0x1c, 0x25, 0x05, 0x06,
23684 -+ 0xd8, 0x89, 0xc1, 0xc9, 0x06, 0x71, 0xad, 0xe8,
23685 -+ 0x53, 0xee, 0x63, 0x94, 0xc1, 0x91, 0x92, 0xa5,
23686 -+ 0xcf, 0x37, 0x10, 0xd1, 0x07, 0x30, 0x99, 0xe5,
23687 -+ 0xbc, 0x94, 0x65, 0x82, 0xfc, 0x0f, 0xab, 0x9f,
23688 -+ 0x54, 0x3c, 0x71, 0x6a, 0xe2, 0x48, 0x6a, 0x86,
23689 -+ 0x83, 0xfd, 0xca, 0x39, 0xd2, 0xe1, 0x4f, 0x23,
23690 -+ 0xd0, 0x0a, 0x58, 0x26, 0x64, 0xf4, 0xec, 0xb1
23691 -+};
23692 -+static const u8 enc_output081[] __initconst = {
23693 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23694 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23695 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23696 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23697 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23698 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23699 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23700 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23701 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23702 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23703 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23704 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23705 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23706 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23707 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23708 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23709 -+ 0x36, 0xc3, 0x00, 0x29, 0x85, 0xdd, 0x21, 0xba,
23710 -+ 0xf8, 0x95, 0xd6, 0x33, 0x57, 0x3f, 0x12, 0xc0
23711 -+};
23712 -+static const u8 enc_assoc081[] __initconst = {
23713 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23714 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23715 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23716 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23717 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23718 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23719 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23720 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23721 -+};
23722 -+static const u8 enc_nonce081[] __initconst = {
23723 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0xe2, 0x93, 0x35
23724 -+};
23725 -+static const u8 enc_key081[] __initconst = {
23726 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23727 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23728 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23729 -+ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23730 -+};
23731 -+
23732 -+/* wycheproof - checking for int overflows */
23733 -+static const u8 enc_input082[] __initconst = {
23734 -+ 0x40, 0x8a, 0xe6, 0xef, 0x1c, 0x7e, 0xf0, 0xfb,
23735 -+ 0x2c, 0x2d, 0x61, 0x08, 0x16, 0xfc, 0x78, 0x49,
23736 -+ 0xef, 0xa5, 0x8f, 0x78, 0x27, 0x3f, 0x5f, 0x16,
23737 -+ 0x6e, 0xa6, 0x5f, 0x81, 0xb5, 0x75, 0x74, 0x7d,
23738 -+ 0x03, 0x5b, 0x30, 0x40, 0xfe, 0xde, 0x1e, 0xb9,
23739 -+ 0x45, 0x97, 0x88, 0x66, 0x97, 0x88, 0x40, 0x8e,
23740 -+ 0x00, 0x41, 0x3b, 0x3e, 0x37, 0x6d, 0x15, 0x2d,
23741 -+ 0x20, 0x4a, 0xa2, 0xb7, 0xa8, 0x35, 0x58, 0xfc,
23742 -+ 0xd4, 0x8a, 0x0e, 0xf7, 0xa2, 0x6b, 0x1c, 0xd6,
23743 -+ 0xd3, 0x5d, 0x23, 0xb3, 0xf5, 0xdf, 0xe0, 0xca,
23744 -+ 0x77, 0xa4, 0xce, 0x32, 0xb9, 0x4a, 0xbf, 0x83,
23745 -+ 0xda, 0x2a, 0xef, 0xca, 0xf0, 0x68, 0x38, 0x08,
23746 -+ 0x79, 0xe8, 0x9f, 0xb0, 0xa3, 0x82, 0x95, 0x95,
23747 -+ 0xcf, 0x44, 0xc3, 0x85, 0x2a, 0xe2, 0xcc, 0x66,
23748 -+ 0x2b, 0x68, 0x9f, 0x93, 0x55, 0xd9, 0xc1, 0x83,
23749 -+ 0x80, 0x1f, 0x6a, 0xcc, 0x31, 0x3f, 0x89, 0x07
23750 -+};
23751 -+static const u8 enc_output082[] __initconst = {
23752 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23753 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23754 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23755 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23756 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23757 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23758 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23759 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23760 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23761 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23762 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23763 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23764 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23765 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23766 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23767 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23768 -+ 0x65, 0x14, 0x51, 0x8e, 0x0a, 0x26, 0x41, 0x42,
23769 -+ 0xe0, 0xb7, 0x35, 0x1f, 0x96, 0x7f, 0xc2, 0xae
23770 -+};
23771 -+static const u8 enc_assoc082[] __initconst = {
23772 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23773 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23774 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23775 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23776 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23777 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23778 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23779 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23780 -+};
23781 -+static const u8 enc_nonce082[] __initconst = {
23782 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xf7, 0xd5
23783 -+};
23784 -+static const u8 enc_key082[] __initconst = {
23785 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23786 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23787 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23788 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23789 -+};
23790 -+
23791 -+/* wycheproof - checking for int overflows */
23792 -+static const u8 enc_input083[] __initconst = {
23793 -+ 0x0a, 0x0a, 0x24, 0x49, 0x9b, 0xca, 0xde, 0x58,
23794 -+ 0xcf, 0x15, 0x76, 0xc3, 0x12, 0xac, 0xa9, 0x84,
23795 -+ 0x71, 0x8c, 0xb4, 0xcc, 0x7e, 0x01, 0x53, 0xf5,
23796 -+ 0xa9, 0x01, 0x58, 0x10, 0x85, 0x96, 0x44, 0xdf,
23797 -+ 0xc0, 0x21, 0x17, 0x4e, 0x0b, 0x06, 0x0a, 0x39,
23798 -+ 0x74, 0x48, 0xde, 0x8b, 0x48, 0x4a, 0x86, 0x03,
23799 -+ 0xbe, 0x68, 0x0a, 0x69, 0x34, 0xc0, 0x90, 0x6f,
23800 -+ 0x30, 0xdd, 0x17, 0xea, 0xe2, 0xd4, 0xc5, 0xfa,
23801 -+ 0xa7, 0x77, 0xf8, 0xca, 0x53, 0x37, 0x0e, 0x08,
23802 -+ 0x33, 0x1b, 0x88, 0xc3, 0x42, 0xba, 0xc9, 0x59,
23803 -+ 0x78, 0x7b, 0xbb, 0x33, 0x93, 0x0e, 0x3b, 0x56,
23804 -+ 0xbe, 0x86, 0xda, 0x7f, 0x2a, 0x6e, 0xb1, 0xf9,
23805 -+ 0x40, 0x89, 0xd1, 0xd1, 0x81, 0x07, 0x4d, 0x43,
23806 -+ 0x02, 0xf8, 0xe0, 0x55, 0x2d, 0x0d, 0xe1, 0xfa,
23807 -+ 0xb3, 0x06, 0xa2, 0x1b, 0x42, 0xd4, 0xc3, 0xba,
23808 -+ 0x6e, 0x6f, 0x0c, 0xbc, 0xc8, 0x1e, 0x87, 0x7a
23809 -+};
23810 -+static const u8 enc_output083[] __initconst = {
23811 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23812 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23813 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23814 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23815 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23816 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23817 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23818 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23819 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23820 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23821 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23822 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23823 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23824 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23825 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23826 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23827 -+ 0x4c, 0x19, 0x4d, 0xa6, 0xa9, 0x9f, 0xd6, 0x5b,
23828 -+ 0x40, 0xe9, 0xca, 0xd7, 0x98, 0xf4, 0x4b, 0x19
23829 -+};
23830 -+static const u8 enc_assoc083[] __initconst = {
23831 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23832 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23833 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23834 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23835 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23836 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23837 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23838 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23839 -+};
23840 -+static const u8 enc_nonce083[] __initconst = {
23841 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0xfc, 0xe4
23842 -+};
23843 -+static const u8 enc_key083[] __initconst = {
23844 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23845 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23846 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23847 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23848 -+};
23849 -+
23850 -+/* wycheproof - checking for int overflows */
23851 -+static const u8 enc_input084[] __initconst = {
23852 -+ 0x4a, 0x0a, 0xaf, 0xf8, 0x49, 0x47, 0x29, 0x18,
23853 -+ 0x86, 0x91, 0x70, 0x13, 0x40, 0xf3, 0xce, 0x2b,
23854 -+ 0x8a, 0x78, 0xee, 0xd3, 0xa0, 0xf0, 0x65, 0x99,
23855 -+ 0x4b, 0x72, 0x48, 0x4e, 0x79, 0x91, 0xd2, 0x5c,
23856 -+ 0x29, 0xaa, 0x07, 0x5e, 0xb1, 0xfc, 0x16, 0xde,
23857 -+ 0x93, 0xfe, 0x06, 0x90, 0x58, 0x11, 0x2a, 0xb2,
23858 -+ 0x84, 0xa3, 0xed, 0x18, 0x78, 0x03, 0x26, 0xd1,
23859 -+ 0x25, 0x8a, 0x47, 0x22, 0x2f, 0xa6, 0x33, 0xd8,
23860 -+ 0xb2, 0x9f, 0x3b, 0xd9, 0x15, 0x0b, 0x23, 0x9b,
23861 -+ 0x15, 0x46, 0xc2, 0xbb, 0x9b, 0x9f, 0x41, 0x0f,
23862 -+ 0xeb, 0xea, 0xd3, 0x96, 0x00, 0x0e, 0xe4, 0x77,
23863 -+ 0x70, 0x15, 0x32, 0xc3, 0xd0, 0xf5, 0xfb, 0xf8,
23864 -+ 0x95, 0xd2, 0x80, 0x19, 0x6d, 0x2f, 0x73, 0x7c,
23865 -+ 0x5e, 0x9f, 0xec, 0x50, 0xd9, 0x2b, 0xb0, 0xdf,
23866 -+ 0x5d, 0x7e, 0x51, 0x3b, 0xe5, 0xb8, 0xea, 0x97,
23867 -+ 0x13, 0x10, 0xd5, 0xbf, 0x16, 0xba, 0x7a, 0xee
23868 -+};
23869 -+static const u8 enc_output084[] __initconst = {
23870 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23871 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23872 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23873 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23874 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23875 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23876 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23877 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23878 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23879 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23880 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23881 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23882 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23883 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23884 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23885 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23886 -+ 0xc8, 0xae, 0x77, 0x88, 0xcd, 0x28, 0x74, 0xab,
23887 -+ 0xc1, 0x38, 0x54, 0x1e, 0x11, 0xfd, 0x05, 0x87
23888 -+};
23889 -+static const u8 enc_assoc084[] __initconst = {
23890 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23891 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23892 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23893 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23894 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23895 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23896 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23897 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23898 -+};
23899 -+static const u8 enc_nonce084[] __initconst = {
23900 -+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x84, 0x86, 0xa8
23901 -+};
23902 -+static const u8 enc_key084[] __initconst = {
23903 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23904 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23905 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23906 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23907 -+};
23908 -+
23909 -+/* wycheproof - checking for int overflows */
23910 -+static const u8 enc_input085[] __initconst = {
23911 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
23912 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
23913 -+ 0x78, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
23914 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
23915 -+ 0x9f, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
23916 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
23917 -+ 0x9c, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
23918 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
23919 -+ 0x47, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
23920 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
23921 -+ 0xd4, 0xd2, 0x06, 0x61, 0x6f, 0x92, 0x93, 0xf6,
23922 -+ 0x5b, 0x45, 0xdb, 0xbc, 0x74, 0xe7, 0xc2, 0xed,
23923 -+ 0xfb, 0xcb, 0xbf, 0x1c, 0xfb, 0x67, 0x9b, 0xb7,
23924 -+ 0x39, 0xa5, 0x86, 0x2d, 0xe2, 0xbc, 0xb9, 0x37,
23925 -+ 0xf7, 0x4d, 0x5b, 0xf8, 0x67, 0x1c, 0x5a, 0x8a,
23926 -+ 0x50, 0x92, 0xf6, 0x1d, 0x54, 0xc9, 0xaa, 0x5b
23927 -+};
23928 -+static const u8 enc_output085[] __initconst = {
23929 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23930 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23931 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23932 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23933 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23934 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23935 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23936 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23937 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23938 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23939 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23940 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23941 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23942 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23943 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23944 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23945 -+ 0x93, 0x3a, 0x51, 0x63, 0xc7, 0xf6, 0x23, 0x68,
23946 -+ 0x32, 0x7b, 0x3f, 0xbc, 0x10, 0x36, 0xc9, 0x43
23947 -+};
23948 -+static const u8 enc_assoc085[] __initconst = {
23949 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23950 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23951 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23952 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23953 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23954 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23955 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23956 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23957 -+};
23958 -+static const u8 enc_nonce085[] __initconst = {
23959 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
23960 -+};
23961 -+static const u8 enc_key085[] __initconst = {
23962 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23963 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23964 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23965 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23966 -+};
23967 -+
23968 -+/* wycheproof - special case tag */
23969 -+static const u8 enc_input086[] __initconst = {
23970 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
23971 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
23972 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
23973 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
23974 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
23975 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
23976 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
23977 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
23978 -+};
23979 -+static const u8 enc_output086[] __initconst = {
23980 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23981 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23982 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23983 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23984 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23985 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23986 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23987 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23988 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
23989 -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
23990 -+};
23991 -+static const u8 enc_assoc086[] __initconst = {
23992 -+ 0x85, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23993 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23994 -+ 0xa6, 0x90, 0x2f, 0xcb, 0xc8, 0x83, 0xbb, 0xc1,
23995 -+ 0x80, 0xb2, 0x56, 0xae, 0x34, 0xad, 0x7f, 0x00
23996 -+};
23997 -+static const u8 enc_nonce086[] __initconst = {
23998 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
23999 -+ 0x08, 0x09, 0x0a, 0x0b
24000 -+};
24001 -+static const u8 enc_key086[] __initconst = {
24002 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24003 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24004 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24005 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24006 -+};
24007 -+
24008 -+/* wycheproof - special case tag */
24009 -+static const u8 enc_input087[] __initconst = {
24010 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24011 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24012 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24013 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24014 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24015 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24016 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24017 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24018 -+};
24019 -+static const u8 enc_output087[] __initconst = {
24020 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24021 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24022 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24023 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24024 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24025 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24026 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24027 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24028 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
24029 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
24030 -+};
24031 -+static const u8 enc_assoc087[] __initconst = {
24032 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24033 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24034 -+ 0x24, 0x7e, 0x50, 0x64, 0x2a, 0x1c, 0x0a, 0x2f,
24035 -+ 0x8f, 0x77, 0x21, 0x96, 0x09, 0xdb, 0xa9, 0x58
24036 -+};
24037 -+static const u8 enc_nonce087[] __initconst = {
24038 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24039 -+ 0x08, 0x09, 0x0a, 0x0b
24040 -+};
24041 -+static const u8 enc_key087[] __initconst = {
24042 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24043 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24044 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24045 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24046 -+};
24047 -+
24048 -+/* wycheproof - special case tag */
24049 -+static const u8 enc_input088[] __initconst = {
24050 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24051 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24052 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24053 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24054 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24055 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24056 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24057 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24058 -+};
24059 -+static const u8 enc_output088[] __initconst = {
24060 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24061 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24062 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24063 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24064 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24065 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24066 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24067 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24068 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24069 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
24070 -+};
24071 -+static const u8 enc_assoc088[] __initconst = {
24072 -+ 0x7c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24073 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24074 -+ 0xd9, 0xe7, 0x2c, 0x06, 0x4a, 0xc8, 0x96, 0x1f,
24075 -+ 0x3f, 0xa5, 0x85, 0xe0, 0xe2, 0xab, 0xd6, 0x00
24076 -+};
24077 -+static const u8 enc_nonce088[] __initconst = {
24078 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24079 -+ 0x08, 0x09, 0x0a, 0x0b
24080 -+};
24081 -+static const u8 enc_key088[] __initconst = {
24082 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24083 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24084 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24085 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24086 -+};
24087 -+
24088 -+/* wycheproof - special case tag */
24089 -+static const u8 enc_input089[] __initconst = {
24090 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24091 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24092 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24093 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24094 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24095 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24096 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24097 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24098 -+};
24099 -+static const u8 enc_output089[] __initconst = {
24100 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24101 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24102 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24103 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24104 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24105 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24106 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24107 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24108 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
24109 -+ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
24110 -+};
24111 -+static const u8 enc_assoc089[] __initconst = {
24112 -+ 0x65, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24113 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24114 -+ 0x95, 0xaf, 0x0f, 0x4d, 0x0b, 0x68, 0x6e, 0xae,
24115 -+ 0xcc, 0xca, 0x43, 0x07, 0xd5, 0x96, 0xf5, 0x02
24116 -+};
24117 -+static const u8 enc_nonce089[] __initconst = {
24118 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24119 -+ 0x08, 0x09, 0x0a, 0x0b
24120 -+};
24121 -+static const u8 enc_key089[] __initconst = {
24122 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24123 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24124 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24125 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24126 -+};
24127 -+
24128 -+/* wycheproof - special case tag */
24129 -+static const u8 enc_input090[] __initconst = {
24130 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24131 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24132 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24133 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24134 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24135 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24136 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24137 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24138 -+};
24139 -+static const u8 enc_output090[] __initconst = {
24140 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24141 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24142 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24143 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24144 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24145 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24146 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24147 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24148 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
24149 -+ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
24150 -+};
24151 -+static const u8 enc_assoc090[] __initconst = {
24152 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24153 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24154 -+ 0x85, 0x40, 0xb4, 0x64, 0x35, 0x77, 0x07, 0xbe,
24155 -+ 0x3a, 0x39, 0xd5, 0x5c, 0x34, 0xf8, 0xbc, 0xb3
24156 -+};
24157 -+static const u8 enc_nonce090[] __initconst = {
24158 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24159 -+ 0x08, 0x09, 0x0a, 0x0b
24160 -+};
24161 -+static const u8 enc_key090[] __initconst = {
24162 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24163 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24164 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24165 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24166 -+};
24167 -+
24168 -+/* wycheproof - special case tag */
24169 -+static const u8 enc_input091[] __initconst = {
24170 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24171 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24172 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24173 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24174 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24175 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24176 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24177 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24178 -+};
24179 -+static const u8 enc_output091[] __initconst = {
24180 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24181 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24182 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24183 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24184 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24185 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24186 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24187 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24188 -+ 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
24189 -+ 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
24190 -+};
24191 -+static const u8 enc_assoc091[] __initconst = {
24192 -+ 0x4f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24193 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24194 -+ 0x66, 0x23, 0xd9, 0x90, 0xb8, 0x98, 0xd8, 0x30,
24195 -+ 0xd2, 0x12, 0xaf, 0x23, 0x83, 0x33, 0x07, 0x01
24196 -+};
24197 -+static const u8 enc_nonce091[] __initconst = {
24198 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24199 -+ 0x08, 0x09, 0x0a, 0x0b
24200 -+};
24201 -+static const u8 enc_key091[] __initconst = {
24202 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24203 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24204 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24205 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24206 -+};
24207 -+
24208 -+/* wycheproof - special case tag */
24209 -+static const u8 enc_input092[] __initconst = {
24210 -+ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24211 -+ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24212 -+ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24213 -+ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24214 -+ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24215 -+ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24216 -+ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24217 -+ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24218 -+};
24219 -+static const u8 enc_output092[] __initconst = {
24220 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24221 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24222 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24223 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24224 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24225 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24226 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24227 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24228 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
24229 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
24230 -+};
24231 -+static const u8 enc_assoc092[] __initconst = {
24232 -+ 0x83, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24233 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24234 -+ 0x5f, 0x16, 0xd0, 0x9f, 0x17, 0x78, 0x72, 0x11,
24235 -+ 0xb7, 0xd4, 0x84, 0xe0, 0x24, 0xf8, 0x97, 0x01
24236 -+};
24237 -+static const u8 enc_nonce092[] __initconst = {
24238 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24239 -+ 0x08, 0x09, 0x0a, 0x0b
24240 -+};
24241 -+static const u8 enc_key092[] __initconst = {
24242 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24243 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24244 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24245 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24246 -+};
24247 -+
24248 -+/* wycheproof - edge case intermediate sums in poly1305 */
24249 -+static const u8 enc_input093[] __initconst = {
24250 -+ 0x00, 0x52, 0x35, 0xd2, 0xa9, 0x19, 0xf2, 0x8d,
24251 -+ 0x3d, 0xb7, 0x66, 0x4a, 0x34, 0xae, 0x6b, 0x44,
24252 -+ 0x4d, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24253 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24254 -+ 0x5b, 0x8b, 0x94, 0x50, 0x9e, 0x2b, 0x74, 0xa3,
24255 -+ 0x6d, 0x34, 0x6e, 0x33, 0xd5, 0x72, 0x65, 0x9b,
24256 -+ 0xa9, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24257 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24258 -+ 0x83, 0xdc, 0xe9, 0xf3, 0x07, 0x3e, 0xfa, 0xdb,
24259 -+ 0x7d, 0x23, 0xb8, 0x7a, 0xce, 0x35, 0x16, 0x8c
24260 -+};
24261 -+static const u8 enc_output093[] __initconst = {
24262 -+ 0x00, 0x39, 0xe2, 0xfd, 0x2f, 0xd3, 0x12, 0x14,
24263 -+ 0x9e, 0x98, 0x98, 0x80, 0x88, 0x48, 0x13, 0xe7,
24264 -+ 0xca, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24265 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24266 -+ 0x3b, 0x0e, 0x86, 0x9a, 0xaa, 0x8e, 0xa4, 0x96,
24267 -+ 0x32, 0xff, 0xff, 0x37, 0xb9, 0xe8, 0xce, 0x00,
24268 -+ 0xca, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24269 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24270 -+ 0x3b, 0x0e, 0x86, 0x9a, 0xaa, 0x8e, 0xa4, 0x96,
24271 -+ 0x32, 0xff, 0xff, 0x37, 0xb9, 0xe8, 0xce, 0x00,
24272 -+ 0xa5, 0x19, 0xac, 0x1a, 0x35, 0xb4, 0xa5, 0x77,
24273 -+ 0x87, 0x51, 0x0a, 0xf7, 0x8d, 0x8d, 0x20, 0x0a
24274 -+};
24275 -+static const u8 enc_assoc093[] __initconst = {
24276 -+ 0xff, 0xff, 0xff, 0xff
24277 -+};
24278 -+static const u8 enc_nonce093[] __initconst = {
24279 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24280 -+};
24281 -+static const u8 enc_key093[] __initconst = {
24282 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24283 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24284 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24285 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24286 -+};
24287 -+
24288 -+/* wycheproof - edge case intermediate sums in poly1305 */
24289 -+static const u8 enc_input094[] __initconst = {
24290 -+ 0xd3, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24291 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24292 -+ 0xe5, 0xda, 0x78, 0x76, 0x6f, 0xa1, 0x92, 0x90,
24293 -+ 0xc0, 0x31, 0xf7, 0x52, 0x08, 0x50, 0x67, 0x45,
24294 -+ 0xae, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24295 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24296 -+ 0x49, 0x6d, 0xde, 0xb0, 0x55, 0x09, 0xc6, 0xef,
24297 -+ 0xff, 0xab, 0x75, 0xeb, 0x2d, 0xf4, 0xab, 0x09,
24298 -+ 0x76, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24299 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24300 -+ 0x01, 0x49, 0xef, 0x50, 0x4b, 0x71, 0xb1, 0x20,
24301 -+ 0xca, 0x4f, 0xf3, 0x95, 0x19, 0xc2, 0xc2, 0x10
24302 -+};
24303 -+static const u8 enc_output094[] __initconst = {
24304 -+ 0xd3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24305 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24306 -+ 0x62, 0x18, 0xb2, 0x7f, 0x83, 0xb8, 0xb4, 0x66,
24307 -+ 0x02, 0xf6, 0xe1, 0xd8, 0x34, 0x20, 0x7b, 0x02,
24308 -+ 0xce, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24309 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24310 -+ 0x2a, 0x64, 0x16, 0xce, 0xdb, 0x1c, 0xdd, 0x29,
24311 -+ 0x6e, 0xf5, 0xd7, 0xd6, 0x92, 0xda, 0xff, 0x02,
24312 -+ 0xce, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24313 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24314 -+ 0x2a, 0x64, 0x16, 0xce, 0xdb, 0x1c, 0xdd, 0x29,
24315 -+ 0x6e, 0xf5, 0xd7, 0xd6, 0x92, 0xda, 0xff, 0x02,
24316 -+ 0x30, 0x2f, 0xe8, 0x2a, 0xb0, 0xa0, 0x9a, 0xf6,
24317 -+ 0x44, 0x00, 0xd0, 0x15, 0xae, 0x83, 0xd9, 0xcc
24318 -+};
24319 -+static const u8 enc_assoc094[] __initconst = {
24320 -+ 0xff, 0xff, 0xff, 0xff
24321 -+};
24322 -+static const u8 enc_nonce094[] __initconst = {
24323 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24324 -+};
24325 -+static const u8 enc_key094[] __initconst = {
24326 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24327 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24328 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24329 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24330 -+};
24331 -+
24332 -+/* wycheproof - edge case intermediate sums in poly1305 */
24333 -+static const u8 enc_input095[] __initconst = {
24334 -+ 0xe9, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24335 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24336 -+ 0x6d, 0xf1, 0x39, 0x4e, 0xdc, 0x53, 0x9b, 0x5b,
24337 -+ 0x3a, 0x09, 0x57, 0xbe, 0x0f, 0xb8, 0x59, 0x46,
24338 -+ 0x80, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24339 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24340 -+ 0xd1, 0x76, 0x9f, 0xe8, 0x06, 0xbb, 0xfe, 0xb6,
24341 -+ 0xf5, 0x90, 0x95, 0x0f, 0x2e, 0xac, 0x9e, 0x0a,
24342 -+ 0x58, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24343 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24344 -+ 0x99, 0x52, 0xae, 0x08, 0x18, 0xc3, 0x89, 0x79,
24345 -+ 0xc0, 0x74, 0x13, 0x71, 0x1a, 0x9a, 0xf7, 0x13
24346 -+};
24347 -+static const u8 enc_output095[] __initconst = {
24348 -+ 0xe9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24349 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24350 -+ 0xea, 0x33, 0xf3, 0x47, 0x30, 0x4a, 0xbd, 0xad,
24351 -+ 0xf8, 0xce, 0x41, 0x34, 0x33, 0xc8, 0x45, 0x01,
24352 -+ 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24353 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24354 -+ 0xb2, 0x7f, 0x57, 0x96, 0x88, 0xae, 0xe5, 0x70,
24355 -+ 0x64, 0xce, 0x37, 0x32, 0x91, 0x82, 0xca, 0x01,
24356 -+ 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24357 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24358 -+ 0xb2, 0x7f, 0x57, 0x96, 0x88, 0xae, 0xe5, 0x70,
24359 -+ 0x64, 0xce, 0x37, 0x32, 0x91, 0x82, 0xca, 0x01,
24360 -+ 0x98, 0xa7, 0xe8, 0x36, 0xe0, 0xee, 0x4d, 0x02,
24361 -+ 0x35, 0x00, 0xd0, 0x55, 0x7e, 0xc2, 0xcb, 0xe0
24362 -+};
24363 -+static const u8 enc_assoc095[] __initconst = {
24364 -+ 0xff, 0xff, 0xff, 0xff
24365 -+};
24366 -+static const u8 enc_nonce095[] __initconst = {
24367 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24368 -+};
24369 -+static const u8 enc_key095[] __initconst = {
24370 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24371 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24372 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24373 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24374 -+};
24375 -+
24376 -+/* wycheproof - edge case intermediate sums in poly1305 */
24377 -+static const u8 enc_input096[] __initconst = {
24378 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24379 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24380 -+ 0x64, 0xf9, 0x0f, 0x5b, 0x26, 0x92, 0xb8, 0x60,
24381 -+ 0xd4, 0x59, 0x6f, 0xf4, 0xb3, 0x40, 0x2c, 0x5c,
24382 -+ 0x00, 0xb9, 0xbb, 0x53, 0x70, 0x7a, 0xa6, 0x67,
24383 -+ 0xd3, 0x56, 0xfe, 0x50, 0xc7, 0x19, 0x96, 0x94,
24384 -+ 0x03, 0x35, 0x61, 0xe7, 0xca, 0xca, 0x6d, 0x94,
24385 -+ 0x1d, 0xc3, 0xcd, 0x69, 0x14, 0xad, 0x69, 0x04
24386 -+};
24387 -+static const u8 enc_output096[] __initconst = {
24388 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24389 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24390 -+ 0xe3, 0x3b, 0xc5, 0x52, 0xca, 0x8b, 0x9e, 0x96,
24391 -+ 0x16, 0x9e, 0x79, 0x7e, 0x8f, 0x30, 0x30, 0x1b,
24392 -+ 0x60, 0x3c, 0xa9, 0x99, 0x44, 0xdf, 0x76, 0x52,
24393 -+ 0x8c, 0x9d, 0x6f, 0x54, 0xab, 0x83, 0x3d, 0x0f,
24394 -+ 0x60, 0x3c, 0xa9, 0x99, 0x44, 0xdf, 0x76, 0x52,
24395 -+ 0x8c, 0x9d, 0x6f, 0x54, 0xab, 0x83, 0x3d, 0x0f,
24396 -+ 0x6a, 0xb8, 0xdc, 0xe2, 0xc5, 0x9d, 0xa4, 0x73,
24397 -+ 0x71, 0x30, 0xb0, 0x25, 0x2f, 0x68, 0xa8, 0xd8
24398 -+};
24399 -+static const u8 enc_assoc096[] __initconst = {
24400 -+ 0xff, 0xff, 0xff, 0xff
24401 -+};
24402 -+static const u8 enc_nonce096[] __initconst = {
24403 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24404 -+};
24405 -+static const u8 enc_key096[] __initconst = {
24406 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24407 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24408 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24409 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24410 -+};
24411 -+
24412 -+/* wycheproof - edge case intermediate sums in poly1305 */
24413 -+static const u8 enc_input097[] __initconst = {
24414 -+ 0x68, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24415 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24416 -+ 0xb0, 0x8f, 0x25, 0x67, 0x5b, 0x9b, 0xcb, 0xf6,
24417 -+ 0xe3, 0x84, 0x07, 0xde, 0x2e, 0xc7, 0x5a, 0x47,
24418 -+ 0x9f, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24419 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24420 -+ 0x2d, 0x2a, 0xf7, 0xcd, 0x6b, 0x08, 0x05, 0x01,
24421 -+ 0xd3, 0x1b, 0xa5, 0x4f, 0xb2, 0xeb, 0x75, 0x96,
24422 -+ 0x47, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24423 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24424 -+ 0x65, 0x0e, 0xc6, 0x2d, 0x75, 0x70, 0x72, 0xce,
24425 -+ 0xe6, 0xff, 0x23, 0x31, 0x86, 0xdd, 0x1c, 0x8f
24426 -+};
24427 -+static const u8 enc_output097[] __initconst = {
24428 -+ 0x68, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24429 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24430 -+ 0x37, 0x4d, 0xef, 0x6e, 0xb7, 0x82, 0xed, 0x00,
24431 -+ 0x21, 0x43, 0x11, 0x54, 0x12, 0xb7, 0x46, 0x00,
24432 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24433 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24434 -+ 0x4e, 0x23, 0x3f, 0xb3, 0xe5, 0x1d, 0x1e, 0xc7,
24435 -+ 0x42, 0x45, 0x07, 0x72, 0x0d, 0xc5, 0x21, 0x9d,
24436 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24437 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24438 -+ 0x4e, 0x23, 0x3f, 0xb3, 0xe5, 0x1d, 0x1e, 0xc7,
24439 -+ 0x42, 0x45, 0x07, 0x72, 0x0d, 0xc5, 0x21, 0x9d,
24440 -+ 0x04, 0x4d, 0xea, 0x60, 0x88, 0x80, 0x41, 0x2b,
24441 -+ 0xfd, 0xff, 0xcf, 0x35, 0x57, 0x9e, 0x9b, 0x26
24442 -+};
24443 -+static const u8 enc_assoc097[] __initconst = {
24444 -+ 0xff, 0xff, 0xff, 0xff
24445 -+};
24446 -+static const u8 enc_nonce097[] __initconst = {
24447 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24448 -+};
24449 -+static const u8 enc_key097[] __initconst = {
24450 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24451 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24452 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24453 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24454 -+};
24455 -+
24456 -+/* wycheproof - edge case intermediate sums in poly1305 */
24457 -+static const u8 enc_input098[] __initconst = {
24458 -+ 0x6d, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24459 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24460 -+ 0xa1, 0x61, 0xb5, 0xab, 0x04, 0x09, 0x00, 0x62,
24461 -+ 0x9e, 0xfe, 0xff, 0x78, 0xd7, 0xd8, 0x6b, 0x45,
24462 -+ 0x9f, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24463 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24464 -+ 0xc6, 0xf8, 0x07, 0x8c, 0xc8, 0xef, 0x12, 0xa0,
24465 -+ 0xff, 0x65, 0x7d, 0x6d, 0x08, 0xdb, 0x10, 0xb8,
24466 -+ 0x47, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24467 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24468 -+ 0x8e, 0xdc, 0x36, 0x6c, 0xd6, 0x97, 0x65, 0x6f,
24469 -+ 0xca, 0x81, 0xfb, 0x13, 0x3c, 0xed, 0x79, 0xa1
24470 -+};
24471 -+static const u8 enc_output098[] __initconst = {
24472 -+ 0x6d, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24473 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24474 -+ 0x26, 0xa3, 0x7f, 0xa2, 0xe8, 0x10, 0x26, 0x94,
24475 -+ 0x5c, 0x39, 0xe9, 0xf2, 0xeb, 0xa8, 0x77, 0x02,
24476 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24477 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24478 -+ 0xa5, 0xf1, 0xcf, 0xf2, 0x46, 0xfa, 0x09, 0x66,
24479 -+ 0x6e, 0x3b, 0xdf, 0x50, 0xb7, 0xf5, 0x44, 0xb3,
24480 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24481 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24482 -+ 0xa5, 0xf1, 0xcf, 0xf2, 0x46, 0xfa, 0x09, 0x66,
24483 -+ 0x6e, 0x3b, 0xdf, 0x50, 0xb7, 0xf5, 0x44, 0xb3,
24484 -+ 0x1e, 0x6b, 0xea, 0x63, 0x14, 0x54, 0x2e, 0x2e,
24485 -+ 0xf9, 0xff, 0xcf, 0x45, 0x0b, 0x2e, 0x98, 0x2b
24486 -+};
24487 -+static const u8 enc_assoc098[] __initconst = {
24488 -+ 0xff, 0xff, 0xff, 0xff
24489 -+};
24490 -+static const u8 enc_nonce098[] __initconst = {
24491 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24492 -+};
24493 -+static const u8 enc_key098[] __initconst = {
24494 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24495 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24496 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24497 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24498 -+};
24499 -+
24500 -+/* wycheproof - edge case intermediate sums in poly1305 */
24501 -+static const u8 enc_input099[] __initconst = {
24502 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24503 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24504 -+ 0xfc, 0x01, 0xb8, 0x91, 0xe5, 0xf0, 0xf9, 0x12,
24505 -+ 0x8d, 0x7d, 0x1c, 0x57, 0x91, 0x92, 0xb6, 0x98,
24506 -+ 0x63, 0x41, 0x44, 0x15, 0xb6, 0x99, 0x68, 0x95,
24507 -+ 0x9a, 0x72, 0x91, 0xb7, 0xa5, 0xaf, 0x13, 0x48,
24508 -+ 0x60, 0xcd, 0x9e, 0xa1, 0x0c, 0x29, 0xa3, 0x66,
24509 -+ 0x54, 0xe7, 0xa2, 0x8e, 0x76, 0x1b, 0xec, 0xd8
24510 -+};
24511 -+static const u8 enc_output099[] __initconst = {
24512 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24513 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24514 -+ 0x7b, 0xc3, 0x72, 0x98, 0x09, 0xe9, 0xdf, 0xe4,
24515 -+ 0x4f, 0xba, 0x0a, 0xdd, 0xad, 0xe2, 0xaa, 0xdf,
24516 -+ 0x03, 0xc4, 0x56, 0xdf, 0x82, 0x3c, 0xb8, 0xa0,
24517 -+ 0xc5, 0xb9, 0x00, 0xb3, 0xc9, 0x35, 0xb8, 0xd3,
24518 -+ 0x03, 0xc4, 0x56, 0xdf, 0x82, 0x3c, 0xb8, 0xa0,
24519 -+ 0xc5, 0xb9, 0x00, 0xb3, 0xc9, 0x35, 0xb8, 0xd3,
24520 -+ 0xed, 0x20, 0x17, 0xc8, 0xdb, 0xa4, 0x77, 0x56,
24521 -+ 0x29, 0x04, 0x9d, 0x78, 0x6e, 0x3b, 0xce, 0xb1
24522 -+};
24523 -+static const u8 enc_assoc099[] __initconst = {
24524 -+ 0xff, 0xff, 0xff, 0xff
24525 -+};
24526 -+static const u8 enc_nonce099[] __initconst = {
24527 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24528 -+};
24529 -+static const u8 enc_key099[] __initconst = {
24530 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24531 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24532 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24533 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24534 -+};
24535 -+
24536 -+/* wycheproof - edge case intermediate sums in poly1305 */
24537 -+static const u8 enc_input100[] __initconst = {
24538 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24539 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24540 -+ 0x6b, 0x6d, 0xc9, 0xd2, 0x1a, 0x81, 0x9e, 0x70,
24541 -+ 0xb5, 0x77, 0xf4, 0x41, 0x37, 0xd3, 0xd6, 0xbd,
24542 -+ 0x13, 0x35, 0xf5, 0xeb, 0x44, 0x49, 0x40, 0x77,
24543 -+ 0xb2, 0x64, 0x49, 0xa5, 0x4b, 0x6c, 0x7c, 0x75,
24544 -+ 0x10, 0xb9, 0x2f, 0x5f, 0xfe, 0xf9, 0x8b, 0x84,
24545 -+ 0x7c, 0xf1, 0x7a, 0x9c, 0x98, 0xd8, 0x83, 0xe5
24546 -+};
24547 -+static const u8 enc_output100[] __initconst = {
24548 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24549 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24550 -+ 0xec, 0xaf, 0x03, 0xdb, 0xf6, 0x98, 0xb8, 0x86,
24551 -+ 0x77, 0xb0, 0xe2, 0xcb, 0x0b, 0xa3, 0xca, 0xfa,
24552 -+ 0x73, 0xb0, 0xe7, 0x21, 0x70, 0xec, 0x90, 0x42,
24553 -+ 0xed, 0xaf, 0xd8, 0xa1, 0x27, 0xf6, 0xd7, 0xee,
24554 -+ 0x73, 0xb0, 0xe7, 0x21, 0x70, 0xec, 0x90, 0x42,
24555 -+ 0xed, 0xaf, 0xd8, 0xa1, 0x27, 0xf6, 0xd7, 0xee,
24556 -+ 0x07, 0x3f, 0x17, 0xcb, 0x67, 0x78, 0x64, 0x59,
24557 -+ 0x25, 0x04, 0x9d, 0x88, 0x22, 0xcb, 0xca, 0xb6
24558 -+};
24559 -+static const u8 enc_assoc100[] __initconst = {
24560 -+ 0xff, 0xff, 0xff, 0xff
24561 -+};
24562 -+static const u8 enc_nonce100[] __initconst = {
24563 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24564 -+};
24565 -+static const u8 enc_key100[] __initconst = {
24566 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24567 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24568 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24569 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24570 -+};
24571 -+
24572 -+/* wycheproof - edge case intermediate sums in poly1305 */
24573 -+static const u8 enc_input101[] __initconst = {
24574 -+ 0xff, 0xcb, 0x2b, 0x11, 0x06, 0xf8, 0x23, 0x4c,
24575 -+ 0x5e, 0x99, 0xd4, 0xdb, 0x4c, 0x70, 0x48, 0xde,
24576 -+ 0x32, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24577 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24578 -+ 0x16, 0xe9, 0x88, 0x4a, 0x11, 0x4f, 0x0e, 0x92,
24579 -+ 0x66, 0xce, 0xa3, 0x88, 0x5f, 0xe3, 0x6b, 0x9f,
24580 -+ 0xd6, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24581 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24582 -+ 0xce, 0xbe, 0xf5, 0xe9, 0x88, 0x5a, 0x80, 0xea,
24583 -+ 0x76, 0xd9, 0x75, 0xc1, 0x44, 0xa4, 0x18, 0x88
24584 -+};
24585 -+static const u8 enc_output101[] __initconst = {
24586 -+ 0xff, 0xa0, 0xfc, 0x3e, 0x80, 0x32, 0xc3, 0xd5,
24587 -+ 0xfd, 0xb6, 0x2a, 0x11, 0xf0, 0x96, 0x30, 0x7d,
24588 -+ 0xb5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24589 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24590 -+ 0x76, 0x6c, 0x9a, 0x80, 0x25, 0xea, 0xde, 0xa7,
24591 -+ 0x39, 0x05, 0x32, 0x8c, 0x33, 0x79, 0xc0, 0x04,
24592 -+ 0xb5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24593 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24594 -+ 0x76, 0x6c, 0x9a, 0x80, 0x25, 0xea, 0xde, 0xa7,
24595 -+ 0x39, 0x05, 0x32, 0x8c, 0x33, 0x79, 0xc0, 0x04,
24596 -+ 0x8b, 0x9b, 0xb4, 0xb4, 0x86, 0x12, 0x89, 0x65,
24597 -+ 0x8c, 0x69, 0x6a, 0x83, 0x40, 0x15, 0x04, 0x05
24598 -+};
24599 -+static const u8 enc_assoc101[] __initconst = {
24600 -+ 0xff, 0xff, 0xff, 0xff
24601 -+};
24602 -+static const u8 enc_nonce101[] __initconst = {
24603 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24604 -+};
24605 -+static const u8 enc_key101[] __initconst = {
24606 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24607 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24608 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24609 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24610 -+};
24611 -+
24612 -+/* wycheproof - edge case intermediate sums in poly1305 */
24613 -+static const u8 enc_input102[] __initconst = {
24614 -+ 0x6f, 0x9e, 0x70, 0xed, 0x3b, 0x8b, 0xac, 0xa0,
24615 -+ 0x26, 0xe4, 0x6a, 0x5a, 0x09, 0x43, 0x15, 0x8d,
24616 -+ 0x21, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24617 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24618 -+ 0x0c, 0x61, 0x2c, 0x5e, 0x8d, 0x89, 0xa8, 0x73,
24619 -+ 0xdb, 0xca, 0xad, 0x5b, 0x73, 0x46, 0x42, 0x9b,
24620 -+ 0xc5, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24621 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24622 -+ 0xd4, 0x36, 0x51, 0xfd, 0x14, 0x9c, 0x26, 0x0b,
24623 -+ 0xcb, 0xdd, 0x7b, 0x12, 0x68, 0x01, 0x31, 0x8c
24624 -+};
24625 -+static const u8 enc_output102[] __initconst = {
24626 -+ 0x6f, 0xf5, 0xa7, 0xc2, 0xbd, 0x41, 0x4c, 0x39,
24627 -+ 0x85, 0xcb, 0x94, 0x90, 0xb5, 0xa5, 0x6d, 0x2e,
24628 -+ 0xa6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24629 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24630 -+ 0x6c, 0xe4, 0x3e, 0x94, 0xb9, 0x2c, 0x78, 0x46,
24631 -+ 0x84, 0x01, 0x3c, 0x5f, 0x1f, 0xdc, 0xe9, 0x00,
24632 -+ 0xa6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24633 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24634 -+ 0x6c, 0xe4, 0x3e, 0x94, 0xb9, 0x2c, 0x78, 0x46,
24635 -+ 0x84, 0x01, 0x3c, 0x5f, 0x1f, 0xdc, 0xe9, 0x00,
24636 -+ 0x8b, 0x3b, 0xbd, 0x51, 0x64, 0x44, 0x59, 0x56,
24637 -+ 0x8d, 0x81, 0xca, 0x1f, 0xa7, 0x2c, 0xe4, 0x04
24638 -+};
24639 -+static const u8 enc_assoc102[] __initconst = {
24640 -+ 0xff, 0xff, 0xff, 0xff
24641 -+};
24642 -+static const u8 enc_nonce102[] __initconst = {
24643 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24644 -+};
24645 -+static const u8 enc_key102[] __initconst = {
24646 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24647 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24648 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24649 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24650 -+};
24651 -+
24652 -+/* wycheproof - edge case intermediate sums in poly1305 */
24653 -+static const u8 enc_input103[] __initconst = {
24654 -+ 0x41, 0x2b, 0x08, 0x0a, 0x3e, 0x19, 0xc1, 0x0d,
24655 -+ 0x44, 0xa1, 0xaf, 0x1e, 0xab, 0xde, 0xb4, 0xce,
24656 -+ 0x35, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24657 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24658 -+ 0x6b, 0x83, 0x94, 0x33, 0x09, 0x21, 0x48, 0x6c,
24659 -+ 0xa1, 0x1d, 0x29, 0x1c, 0x3e, 0x97, 0xee, 0x9a,
24660 -+ 0xd1, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24661 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24662 -+ 0xb3, 0xd4, 0xe9, 0x90, 0x90, 0x34, 0xc6, 0x14,
24663 -+ 0xb1, 0x0a, 0xff, 0x55, 0x25, 0xd0, 0x9d, 0x8d
24664 -+};
24665 -+static const u8 enc_output103[] __initconst = {
24666 -+ 0x41, 0x40, 0xdf, 0x25, 0xb8, 0xd3, 0x21, 0x94,
24667 -+ 0xe7, 0x8e, 0x51, 0xd4, 0x17, 0x38, 0xcc, 0x6d,
24668 -+ 0xb2, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24669 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24670 -+ 0x0b, 0x06, 0x86, 0xf9, 0x3d, 0x84, 0x98, 0x59,
24671 -+ 0xfe, 0xd6, 0xb8, 0x18, 0x52, 0x0d, 0x45, 0x01,
24672 -+ 0xb2, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24673 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24674 -+ 0x0b, 0x06, 0x86, 0xf9, 0x3d, 0x84, 0x98, 0x59,
24675 -+ 0xfe, 0xd6, 0xb8, 0x18, 0x52, 0x0d, 0x45, 0x01,
24676 -+ 0x86, 0xfb, 0xab, 0x2b, 0x4a, 0x94, 0xf4, 0x7a,
24677 -+ 0xa5, 0x6f, 0x0a, 0xea, 0x65, 0xd1, 0x10, 0x08
24678 -+};
24679 -+static const u8 enc_assoc103[] __initconst = {
24680 -+ 0xff, 0xff, 0xff, 0xff
24681 -+};
24682 -+static const u8 enc_nonce103[] __initconst = {
24683 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24684 -+};
24685 -+static const u8 enc_key103[] __initconst = {
24686 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24687 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24688 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24689 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24690 -+};
24691 -+
24692 -+/* wycheproof - edge case intermediate sums in poly1305 */
24693 -+static const u8 enc_input104[] __initconst = {
24694 -+ 0xb2, 0x47, 0xa7, 0x47, 0x23, 0x49, 0x1a, 0xac,
24695 -+ 0xac, 0xaa, 0xd7, 0x09, 0xc9, 0x1e, 0x93, 0x2b,
24696 -+ 0x31, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24697 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24698 -+ 0x9a, 0xde, 0x04, 0xe7, 0x5b, 0xb7, 0x01, 0xd9,
24699 -+ 0x66, 0x06, 0x01, 0xb3, 0x47, 0x65, 0xde, 0x98,
24700 -+ 0xd5, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24701 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24702 -+ 0x42, 0x89, 0x79, 0x44, 0xc2, 0xa2, 0x8f, 0xa1,
24703 -+ 0x76, 0x11, 0xd7, 0xfa, 0x5c, 0x22, 0xad, 0x8f
24704 -+};
24705 -+static const u8 enc_output104[] __initconst = {
24706 -+ 0xb2, 0x2c, 0x70, 0x68, 0xa5, 0x83, 0xfa, 0x35,
24707 -+ 0x0f, 0x85, 0x29, 0xc3, 0x75, 0xf8, 0xeb, 0x88,
24708 -+ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24709 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24710 -+ 0xfa, 0x5b, 0x16, 0x2d, 0x6f, 0x12, 0xd1, 0xec,
24711 -+ 0x39, 0xcd, 0x90, 0xb7, 0x2b, 0xff, 0x75, 0x03,
24712 -+ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24713 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24714 -+ 0xfa, 0x5b, 0x16, 0x2d, 0x6f, 0x12, 0xd1, 0xec,
24715 -+ 0x39, 0xcd, 0x90, 0xb7, 0x2b, 0xff, 0x75, 0x03,
24716 -+ 0xa0, 0x19, 0xac, 0x2e, 0xd6, 0x67, 0xe1, 0x7d,
24717 -+ 0xa1, 0x6f, 0x0a, 0xfa, 0x19, 0x61, 0x0d, 0x0d
24718 -+};
24719 -+static const u8 enc_assoc104[] __initconst = {
24720 -+ 0xff, 0xff, 0xff, 0xff
24721 -+};
24722 -+static const u8 enc_nonce104[] __initconst = {
24723 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24724 -+};
24725 -+static const u8 enc_key104[] __initconst = {
24726 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24727 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24728 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24729 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24730 -+};
24731 -+
24732 -+/* wycheproof - edge case intermediate sums in poly1305 */
24733 -+static const u8 enc_input105[] __initconst = {
24734 -+ 0x74, 0x0f, 0x9e, 0x49, 0xf6, 0x10, 0xef, 0xa5,
24735 -+ 0x85, 0xb6, 0x59, 0xca, 0x6e, 0xd8, 0xb4, 0x99,
24736 -+ 0x2d, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24737 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24738 -+ 0x41, 0x2d, 0x96, 0xaf, 0xbe, 0x80, 0xec, 0x3e,
24739 -+ 0x79, 0xd4, 0x51, 0xb0, 0x0a, 0x2d, 0xb2, 0x9a,
24740 -+ 0xc9, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24741 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24742 -+ 0x99, 0x7a, 0xeb, 0x0c, 0x27, 0x95, 0x62, 0x46,
24743 -+ 0x69, 0xc3, 0x87, 0xf9, 0x11, 0x6a, 0xc1, 0x8d
24744 -+};
24745 -+static const u8 enc_output105[] __initconst = {
24746 -+ 0x74, 0x64, 0x49, 0x66, 0x70, 0xda, 0x0f, 0x3c,
24747 -+ 0x26, 0x99, 0xa7, 0x00, 0xd2, 0x3e, 0xcc, 0x3a,
24748 -+ 0xaa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24749 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24750 -+ 0x21, 0xa8, 0x84, 0x65, 0x8a, 0x25, 0x3c, 0x0b,
24751 -+ 0x26, 0x1f, 0xc0, 0xb4, 0x66, 0xb7, 0x19, 0x01,
24752 -+ 0xaa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24753 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24754 -+ 0x21, 0xa8, 0x84, 0x65, 0x8a, 0x25, 0x3c, 0x0b,
24755 -+ 0x26, 0x1f, 0xc0, 0xb4, 0x66, 0xb7, 0x19, 0x01,
24756 -+ 0x73, 0x6e, 0x18, 0x18, 0x16, 0x96, 0xa5, 0x88,
24757 -+ 0x9c, 0x31, 0x59, 0xfa, 0xab, 0xab, 0x20, 0xfd
24758 -+};
24759 -+static const u8 enc_assoc105[] __initconst = {
24760 -+ 0xff, 0xff, 0xff, 0xff
24761 -+};
24762 -+static const u8 enc_nonce105[] __initconst = {
24763 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24764 -+};
24765 -+static const u8 enc_key105[] __initconst = {
24766 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24767 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24768 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24769 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24770 -+};
24771 -+
24772 -+/* wycheproof - edge case intermediate sums in poly1305 */
24773 -+static const u8 enc_input106[] __initconst = {
24774 -+ 0xad, 0xba, 0x5d, 0x10, 0x5b, 0xc8, 0xaa, 0x06,
24775 -+ 0x2c, 0x23, 0x36, 0xcb, 0x88, 0x9d, 0xdb, 0xd5,
24776 -+ 0x37, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24777 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24778 -+ 0x17, 0x7c, 0x5f, 0xfe, 0x28, 0x75, 0xf4, 0x68,
24779 -+ 0xf6, 0xc2, 0x96, 0x57, 0x48, 0xf3, 0x59, 0x9a,
24780 -+ 0xd3, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24781 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24782 -+ 0xcf, 0x2b, 0x22, 0x5d, 0xb1, 0x60, 0x7a, 0x10,
24783 -+ 0xe6, 0xd5, 0x40, 0x1e, 0x53, 0xb4, 0x2a, 0x8d
24784 -+};
24785 -+static const u8 enc_output106[] __initconst = {
24786 -+ 0xad, 0xd1, 0x8a, 0x3f, 0xdd, 0x02, 0x4a, 0x9f,
24787 -+ 0x8f, 0x0c, 0xc8, 0x01, 0x34, 0x7b, 0xa3, 0x76,
24788 -+ 0xb0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24789 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24790 -+ 0x77, 0xf9, 0x4d, 0x34, 0x1c, 0xd0, 0x24, 0x5d,
24791 -+ 0xa9, 0x09, 0x07, 0x53, 0x24, 0x69, 0xf2, 0x01,
24792 -+ 0xb0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24793 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24794 -+ 0x77, 0xf9, 0x4d, 0x34, 0x1c, 0xd0, 0x24, 0x5d,
24795 -+ 0xa9, 0x09, 0x07, 0x53, 0x24, 0x69, 0xf2, 0x01,
24796 -+ 0xba, 0xd5, 0x8f, 0x10, 0xa9, 0x1e, 0x6a, 0x88,
24797 -+ 0x9a, 0xba, 0x32, 0xfd, 0x17, 0xd8, 0x33, 0x1a
24798 -+};
24799 -+static const u8 enc_assoc106[] __initconst = {
24800 -+ 0xff, 0xff, 0xff, 0xff
24801 -+};
24802 -+static const u8 enc_nonce106[] __initconst = {
24803 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24804 -+};
24805 -+static const u8 enc_key106[] __initconst = {
24806 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24807 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24808 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24809 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24810 -+};
24811 -+
24812 -+/* wycheproof - edge case intermediate sums in poly1305 */
24813 -+static const u8 enc_input107[] __initconst = {
24814 -+ 0xfe, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24815 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24816 -+ 0xc0, 0x01, 0xed, 0xc5, 0xda, 0x44, 0x2e, 0x71,
24817 -+ 0x9b, 0xce, 0x9a, 0xbe, 0x27, 0x3a, 0xf1, 0x44,
24818 -+ 0xb4, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24819 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24820 -+ 0x48, 0x02, 0x5f, 0x41, 0xfa, 0x4e, 0x33, 0x6c,
24821 -+ 0x78, 0x69, 0x57, 0xa2, 0xa7, 0xc4, 0x93, 0x0a,
24822 -+ 0x6c, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24823 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24824 -+ 0x00, 0x26, 0x6e, 0xa1, 0xe4, 0x36, 0x44, 0xa3,
24825 -+ 0x4d, 0x8d, 0xd1, 0xdc, 0x93, 0xf2, 0xfa, 0x13
24826 -+};
24827 -+static const u8 enc_output107[] __initconst = {
24828 -+ 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24829 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24830 -+ 0x47, 0xc3, 0x27, 0xcc, 0x36, 0x5d, 0x08, 0x87,
24831 -+ 0x59, 0x09, 0x8c, 0x34, 0x1b, 0x4a, 0xed, 0x03,
24832 -+ 0xd4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24833 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24834 -+ 0x2b, 0x0b, 0x97, 0x3f, 0x74, 0x5b, 0x28, 0xaa,
24835 -+ 0xe9, 0x37, 0xf5, 0x9f, 0x18, 0xea, 0xc7, 0x01,
24836 -+ 0xd4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24837 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24838 -+ 0x2b, 0x0b, 0x97, 0x3f, 0x74, 0x5b, 0x28, 0xaa,
24839 -+ 0xe9, 0x37, 0xf5, 0x9f, 0x18, 0xea, 0xc7, 0x01,
24840 -+ 0xd6, 0x8c, 0xe1, 0x74, 0x07, 0x9a, 0xdd, 0x02,
24841 -+ 0x8d, 0xd0, 0x5c, 0xf8, 0x14, 0x63, 0x04, 0x88
24842 -+};
24843 -+static const u8 enc_assoc107[] __initconst = {
24844 -+ 0xff, 0xff, 0xff, 0xff
24845 -+};
24846 -+static const u8 enc_nonce107[] __initconst = {
24847 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24848 -+};
24849 -+static const u8 enc_key107[] __initconst = {
24850 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24851 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24852 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24853 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24854 -+};
24855 -+
24856 -+/* wycheproof - edge case intermediate sums in poly1305 */
24857 -+static const u8 enc_input108[] __initconst = {
24858 -+ 0xb5, 0x13, 0xb0, 0x6a, 0xb9, 0xac, 0x14, 0x43,
24859 -+ 0x5a, 0xcb, 0x8a, 0xa3, 0xa3, 0x7a, 0xfd, 0xb6,
24860 -+ 0x54, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24861 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24862 -+ 0x61, 0x95, 0x01, 0x93, 0xb1, 0xbf, 0x03, 0x11,
24863 -+ 0xff, 0x11, 0x79, 0x89, 0xae, 0xd9, 0xa9, 0x99,
24864 -+ 0xb0, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24865 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24866 -+ 0xb9, 0xc2, 0x7c, 0x30, 0x28, 0xaa, 0x8d, 0x69,
24867 -+ 0xef, 0x06, 0xaf, 0xc0, 0xb5, 0x9e, 0xda, 0x8e
24868 -+};
24869 -+static const u8 enc_output108[] __initconst = {
24870 -+ 0xb5, 0x78, 0x67, 0x45, 0x3f, 0x66, 0xf4, 0xda,
24871 -+ 0xf9, 0xe4, 0x74, 0x69, 0x1f, 0x9c, 0x85, 0x15,
24872 -+ 0xd3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24873 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24874 -+ 0x01, 0x10, 0x13, 0x59, 0x85, 0x1a, 0xd3, 0x24,
24875 -+ 0xa0, 0xda, 0xe8, 0x8d, 0xc2, 0x43, 0x02, 0x02,
24876 -+ 0xd3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24877 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24878 -+ 0x01, 0x10, 0x13, 0x59, 0x85, 0x1a, 0xd3, 0x24,
24879 -+ 0xa0, 0xda, 0xe8, 0x8d, 0xc2, 0x43, 0x02, 0x02,
24880 -+ 0xaa, 0x48, 0xa3, 0x88, 0x7d, 0x4b, 0x05, 0x96,
24881 -+ 0x99, 0xc2, 0xfd, 0xf9, 0xc6, 0x78, 0x7e, 0x0a
24882 -+};
24883 -+static const u8 enc_assoc108[] __initconst = {
24884 -+ 0xff, 0xff, 0xff, 0xff
24885 -+};
24886 -+static const u8 enc_nonce108[] __initconst = {
24887 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24888 -+};
24889 -+static const u8 enc_key108[] __initconst = {
24890 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24891 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24892 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24893 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24894 -+};
24895 -+
24896 -+/* wycheproof - edge case intermediate sums in poly1305 */
24897 -+static const u8 enc_input109[] __initconst = {
24898 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24899 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24900 -+ 0xd4, 0xf1, 0x09, 0xe8, 0x14, 0xce, 0xa8, 0x5a,
24901 -+ 0x08, 0xc0, 0x11, 0xd8, 0x50, 0xdd, 0x1d, 0xcb,
24902 -+ 0xcf, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24903 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24904 -+ 0x53, 0x40, 0xb8, 0x5a, 0x9a, 0xa0, 0x82, 0x96,
24905 -+ 0xb7, 0x7a, 0x5f, 0xc3, 0x96, 0x1f, 0x66, 0x0f,
24906 -+ 0x17, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24907 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24908 -+ 0x1b, 0x64, 0x89, 0xba, 0x84, 0xd8, 0xf5, 0x59,
24909 -+ 0x82, 0x9e, 0xd9, 0xbd, 0xa2, 0x29, 0x0f, 0x16
24910 -+};
24911 -+static const u8 enc_output109[] __initconst = {
24912 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24913 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24914 -+ 0x53, 0x33, 0xc3, 0xe1, 0xf8, 0xd7, 0x8e, 0xac,
24915 -+ 0xca, 0x07, 0x07, 0x52, 0x6c, 0xad, 0x01, 0x8c,
24916 -+ 0xaf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24917 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24918 -+ 0x30, 0x49, 0x70, 0x24, 0x14, 0xb5, 0x99, 0x50,
24919 -+ 0x26, 0x24, 0xfd, 0xfe, 0x29, 0x31, 0x32, 0x04,
24920 -+ 0xaf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24921 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24922 -+ 0x30, 0x49, 0x70, 0x24, 0x14, 0xb5, 0x99, 0x50,
24923 -+ 0x26, 0x24, 0xfd, 0xfe, 0x29, 0x31, 0x32, 0x04,
24924 -+ 0xb9, 0x36, 0xa8, 0x17, 0xf2, 0x21, 0x1a, 0xf1,
24925 -+ 0x29, 0xe2, 0xcf, 0x16, 0x0f, 0xd4, 0x2b, 0xcb
24926 -+};
24927 -+static const u8 enc_assoc109[] __initconst = {
24928 -+ 0xff, 0xff, 0xff, 0xff
24929 -+};
24930 -+static const u8 enc_nonce109[] __initconst = {
24931 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24932 -+};
24933 -+static const u8 enc_key109[] __initconst = {
24934 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24935 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24936 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24937 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24938 -+};
24939 -+
24940 -+/* wycheproof - edge case intermediate sums in poly1305 */
24941 -+static const u8 enc_input110[] __initconst = {
24942 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24943 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24944 -+ 0xdf, 0x4c, 0x62, 0x03, 0x2d, 0x41, 0x19, 0xb5,
24945 -+ 0x88, 0x47, 0x7e, 0x99, 0x92, 0x5a, 0x56, 0xd9,
24946 -+ 0xd6, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24947 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24948 -+ 0xfa, 0x84, 0xf0, 0x64, 0x55, 0x36, 0x42, 0x1b,
24949 -+ 0x2b, 0xb9, 0x24, 0x6e, 0xc2, 0x19, 0xed, 0x0b,
24950 -+ 0x0e, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24951 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24952 -+ 0xb2, 0xa0, 0xc1, 0x84, 0x4b, 0x4e, 0x35, 0xd4,
24953 -+ 0x1e, 0x5d, 0xa2, 0x10, 0xf6, 0x2f, 0x84, 0x12
24954 -+};
24955 -+static const u8 enc_output110[] __initconst = {
24956 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24957 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24958 -+ 0x58, 0x8e, 0xa8, 0x0a, 0xc1, 0x58, 0x3f, 0x43,
24959 -+ 0x4a, 0x80, 0x68, 0x13, 0xae, 0x2a, 0x4a, 0x9e,
24960 -+ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24961 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24962 -+ 0x99, 0x8d, 0x38, 0x1a, 0xdb, 0x23, 0x59, 0xdd,
24963 -+ 0xba, 0xe7, 0x86, 0x53, 0x7d, 0x37, 0xb9, 0x00,
24964 -+ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24965 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24966 -+ 0x99, 0x8d, 0x38, 0x1a, 0xdb, 0x23, 0x59, 0xdd,
24967 -+ 0xba, 0xe7, 0x86, 0x53, 0x7d, 0x37, 0xb9, 0x00,
24968 -+ 0x9f, 0x7a, 0xc4, 0x35, 0x1f, 0x6b, 0x91, 0xe6,
24969 -+ 0x30, 0x97, 0xa7, 0x13, 0x11, 0x5d, 0x05, 0xbe
24970 -+};
24971 -+static const u8 enc_assoc110[] __initconst = {
24972 -+ 0xff, 0xff, 0xff, 0xff
24973 -+};
24974 -+static const u8 enc_nonce110[] __initconst = {
24975 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24976 -+};
24977 -+static const u8 enc_key110[] __initconst = {
24978 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24979 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24980 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24981 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24982 -+};
24983 -+
24984 -+/* wycheproof - edge case intermediate sums in poly1305 */
24985 -+static const u8 enc_input111[] __initconst = {
24986 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24987 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24988 -+ 0x13, 0xf8, 0x0a, 0x00, 0x6d, 0xc1, 0xbb, 0xda,
24989 -+ 0xd6, 0x39, 0xa9, 0x2f, 0xc7, 0xec, 0xa6, 0x55,
24990 -+ 0xf7, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24991 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24992 -+ 0x63, 0x48, 0xb8, 0xfd, 0x29, 0xbf, 0x96, 0xd5,
24993 -+ 0x63, 0xa5, 0x17, 0xe2, 0x7d, 0x7b, 0xfc, 0x0f,
24994 -+ 0x2f, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24995 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24996 -+ 0x2b, 0x6c, 0x89, 0x1d, 0x37, 0xc7, 0xe1, 0x1a,
24997 -+ 0x56, 0x41, 0x91, 0x9c, 0x49, 0x4d, 0x95, 0x16
24998 -+};
24999 -+static const u8 enc_output111[] __initconst = {
25000 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25001 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25002 -+ 0x94, 0x3a, 0xc0, 0x09, 0x81, 0xd8, 0x9d, 0x2c,
25003 -+ 0x14, 0xfe, 0xbf, 0xa5, 0xfb, 0x9c, 0xba, 0x12,
25004 -+ 0x97, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25005 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25006 -+ 0x00, 0x41, 0x70, 0x83, 0xa7, 0xaa, 0x8d, 0x13,
25007 -+ 0xf2, 0xfb, 0xb5, 0xdf, 0xc2, 0x55, 0xa8, 0x04,
25008 -+ 0x97, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25009 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25010 -+ 0x00, 0x41, 0x70, 0x83, 0xa7, 0xaa, 0x8d, 0x13,
25011 -+ 0xf2, 0xfb, 0xb5, 0xdf, 0xc2, 0x55, 0xa8, 0x04,
25012 -+ 0x9a, 0x18, 0xa8, 0x28, 0x07, 0x02, 0x69, 0xf4,
25013 -+ 0x47, 0x00, 0xd0, 0x09, 0xe7, 0x17, 0x1c, 0xc9
25014 -+};
25015 -+static const u8 enc_assoc111[] __initconst = {
25016 -+ 0xff, 0xff, 0xff, 0xff
25017 -+};
25018 -+static const u8 enc_nonce111[] __initconst = {
25019 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25020 -+};
25021 -+static const u8 enc_key111[] __initconst = {
25022 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25023 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25024 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25025 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25026 -+};
25027 -+
25028 -+/* wycheproof - edge case intermediate sums in poly1305 */
25029 -+static const u8 enc_input112[] __initconst = {
25030 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25031 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25032 -+ 0x82, 0xe5, 0x9b, 0x45, 0x82, 0x91, 0x50, 0x38,
25033 -+ 0xf9, 0x33, 0x81, 0x1e, 0x65, 0x2d, 0xc6, 0x6a,
25034 -+ 0xfc, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25035 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25036 -+ 0xb6, 0x71, 0xc8, 0xca, 0xc2, 0x70, 0xc2, 0x65,
25037 -+ 0xa0, 0xac, 0x2f, 0x53, 0x57, 0x99, 0x88, 0x0a,
25038 -+ 0x24, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25039 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25040 -+ 0xfe, 0x55, 0xf9, 0x2a, 0xdc, 0x08, 0xb5, 0xaa,
25041 -+ 0x95, 0x48, 0xa9, 0x2d, 0x63, 0xaf, 0xe1, 0x13
25042 -+};
25043 -+static const u8 enc_output112[] __initconst = {
25044 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25045 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25046 -+ 0x05, 0x27, 0x51, 0x4c, 0x6e, 0x88, 0x76, 0xce,
25047 -+ 0x3b, 0xf4, 0x97, 0x94, 0x59, 0x5d, 0xda, 0x2d,
25048 -+ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25049 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25050 -+ 0xd5, 0x78, 0x00, 0xb4, 0x4c, 0x65, 0xd9, 0xa3,
25051 -+ 0x31, 0xf2, 0x8d, 0x6e, 0xe8, 0xb7, 0xdc, 0x01,
25052 -+ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25053 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25054 -+ 0xd5, 0x78, 0x00, 0xb4, 0x4c, 0x65, 0xd9, 0xa3,
25055 -+ 0x31, 0xf2, 0x8d, 0x6e, 0xe8, 0xb7, 0xdc, 0x01,
25056 -+ 0xb4, 0x36, 0xa8, 0x2b, 0x93, 0xd5, 0x55, 0xf7,
25057 -+ 0x43, 0x00, 0xd0, 0x19, 0x9b, 0xa7, 0x18, 0xce
25058 -+};
25059 -+static const u8 enc_assoc112[] __initconst = {
25060 -+ 0xff, 0xff, 0xff, 0xff
25061 -+};
25062 -+static const u8 enc_nonce112[] __initconst = {
25063 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25064 -+};
25065 -+static const u8 enc_key112[] __initconst = {
25066 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25067 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25068 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25069 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25070 -+};
25071 -+
25072 -+/* wycheproof - edge case intermediate sums in poly1305 */
25073 -+static const u8 enc_input113[] __initconst = {
25074 -+ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25075 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25076 -+ 0xf1, 0xd1, 0x28, 0x87, 0xb7, 0x21, 0x69, 0x86,
25077 -+ 0xa1, 0x2d, 0x79, 0x09, 0x8b, 0x6d, 0xe6, 0x0f,
25078 -+ 0xc0, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25079 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25080 -+ 0xa7, 0xc7, 0x58, 0x99, 0xf3, 0xe6, 0x0a, 0xf1,
25081 -+ 0xfc, 0xb6, 0xc7, 0x30, 0x7d, 0x87, 0x59, 0x0f,
25082 -+ 0x18, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25083 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25084 -+ 0xef, 0xe3, 0x69, 0x79, 0xed, 0x9e, 0x7d, 0x3e,
25085 -+ 0xc9, 0x52, 0x41, 0x4e, 0x49, 0xb1, 0x30, 0x16
25086 -+};
25087 -+static const u8 enc_output113[] __initconst = {
25088 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25089 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25090 -+ 0x76, 0x13, 0xe2, 0x8e, 0x5b, 0x38, 0x4f, 0x70,
25091 -+ 0x63, 0xea, 0x6f, 0x83, 0xb7, 0x1d, 0xfa, 0x48,
25092 -+ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25093 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25094 -+ 0xc4, 0xce, 0x90, 0xe7, 0x7d, 0xf3, 0x11, 0x37,
25095 -+ 0x6d, 0xe8, 0x65, 0x0d, 0xc2, 0xa9, 0x0d, 0x04,
25096 -+ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25097 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25098 -+ 0xc4, 0xce, 0x90, 0xe7, 0x7d, 0xf3, 0x11, 0x37,
25099 -+ 0x6d, 0xe8, 0x65, 0x0d, 0xc2, 0xa9, 0x0d, 0x04,
25100 -+ 0xce, 0x54, 0xa8, 0x2e, 0x1f, 0xa9, 0x42, 0xfa,
25101 -+ 0x3f, 0x00, 0xd0, 0x29, 0x4f, 0x37, 0x15, 0xd3
25102 -+};
25103 -+static const u8 enc_assoc113[] __initconst = {
25104 -+ 0xff, 0xff, 0xff, 0xff
25105 -+};
25106 -+static const u8 enc_nonce113[] __initconst = {
25107 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25108 -+};
25109 -+static const u8 enc_key113[] __initconst = {
25110 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25111 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25112 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25113 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25114 -+};
25115 -+
25116 -+/* wycheproof - edge case intermediate sums in poly1305 */
25117 -+static const u8 enc_input114[] __initconst = {
25118 -+ 0xcb, 0xf1, 0xda, 0x9e, 0x0b, 0xa9, 0x37, 0x73,
25119 -+ 0x74, 0xe6, 0x9e, 0x1c, 0x0e, 0x60, 0x0c, 0xfc,
25120 -+ 0x34, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
25121 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
25122 -+ 0xbe, 0x3f, 0xa6, 0x6b, 0x6c, 0xe7, 0x80, 0x8a,
25123 -+ 0xa3, 0xe4, 0x59, 0x49, 0xf9, 0x44, 0x64, 0x9f,
25124 -+ 0xd0, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
25125 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
25126 -+ 0x66, 0x68, 0xdb, 0xc8, 0xf5, 0xf2, 0x0e, 0xf2,
25127 -+ 0xb3, 0xf3, 0x8f, 0x00, 0xe2, 0x03, 0x17, 0x88
25128 -+};
25129 -+static const u8 enc_output114[] __initconst = {
25130 -+ 0xcb, 0x9a, 0x0d, 0xb1, 0x8d, 0x63, 0xd7, 0xea,
25131 -+ 0xd7, 0xc9, 0x60, 0xd6, 0xb2, 0x86, 0x74, 0x5f,
25132 -+ 0xb3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25133 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25134 -+ 0xde, 0xba, 0xb4, 0xa1, 0x58, 0x42, 0x50, 0xbf,
25135 -+ 0xfc, 0x2f, 0xc8, 0x4d, 0x95, 0xde, 0xcf, 0x04,
25136 -+ 0xb3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25137 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25138 -+ 0xde, 0xba, 0xb4, 0xa1, 0x58, 0x42, 0x50, 0xbf,
25139 -+ 0xfc, 0x2f, 0xc8, 0x4d, 0x95, 0xde, 0xcf, 0x04,
25140 -+ 0x23, 0x83, 0xab, 0x0b, 0x79, 0x92, 0x05, 0x69,
25141 -+ 0x9b, 0x51, 0x0a, 0xa7, 0x09, 0xbf, 0x31, 0xf1
25142 -+};
25143 -+static const u8 enc_assoc114[] __initconst = {
25144 -+ 0xff, 0xff, 0xff, 0xff
25145 -+};
25146 -+static const u8 enc_nonce114[] __initconst = {
25147 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25148 -+};
25149 -+static const u8 enc_key114[] __initconst = {
25150 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25151 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25152 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25153 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25154 -+};
25155 -+
25156 -+/* wycheproof - edge case intermediate sums in poly1305 */
25157 -+static const u8 enc_input115[] __initconst = {
25158 -+ 0x8f, 0x27, 0x86, 0x94, 0xc4, 0xe9, 0xda, 0xeb,
25159 -+ 0xd5, 0x8d, 0x3e, 0x5b, 0x96, 0x6e, 0x8b, 0x68,
25160 -+ 0x42, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
25161 -+ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
25162 -+ 0x06, 0x53, 0xe7, 0xa3, 0x31, 0x71, 0x88, 0x33,
25163 -+ 0xac, 0xc3, 0xb9, 0xad, 0xff, 0x1c, 0x31, 0x98,
25164 -+ 0xa6, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
25165 -+ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
25166 -+ 0xde, 0x04, 0x9a, 0x00, 0xa8, 0x64, 0x06, 0x4b,
25167 -+ 0xbc, 0xd4, 0x6f, 0xe4, 0xe4, 0x5b, 0x42, 0x8f
25168 -+};
25169 -+static const u8 enc_output115[] __initconst = {
25170 -+ 0x8f, 0x4c, 0x51, 0xbb, 0x42, 0x23, 0x3a, 0x72,
25171 -+ 0x76, 0xa2, 0xc0, 0x91, 0x2a, 0x88, 0xf3, 0xcb,
25172 -+ 0xc5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25173 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25174 -+ 0x66, 0xd6, 0xf5, 0x69, 0x05, 0xd4, 0x58, 0x06,
25175 -+ 0xf3, 0x08, 0x28, 0xa9, 0x93, 0x86, 0x9a, 0x03,
25176 -+ 0xc5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25177 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25178 -+ 0x66, 0xd6, 0xf5, 0x69, 0x05, 0xd4, 0x58, 0x06,
25179 -+ 0xf3, 0x08, 0x28, 0xa9, 0x93, 0x86, 0x9a, 0x03,
25180 -+ 0x8b, 0xfb, 0xab, 0x17, 0xa9, 0xe0, 0xb8, 0x74,
25181 -+ 0x8b, 0x51, 0x0a, 0xe7, 0xd9, 0xfd, 0x23, 0x05
25182 -+};
25183 -+static const u8 enc_assoc115[] __initconst = {
25184 -+ 0xff, 0xff, 0xff, 0xff
25185 -+};
25186 -+static const u8 enc_nonce115[] __initconst = {
25187 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25188 -+};
25189 -+static const u8 enc_key115[] __initconst = {
25190 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25191 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25192 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25193 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25194 -+};
25195 -+
25196 -+/* wycheproof - edge case intermediate sums in poly1305 */
25197 -+static const u8 enc_input116[] __initconst = {
25198 -+ 0xd5, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25199 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25200 -+ 0x9a, 0x22, 0xd7, 0x0a, 0x48, 0xe2, 0x4f, 0xdd,
25201 -+ 0xcd, 0xd4, 0x41, 0x9d, 0xe6, 0x4c, 0x8f, 0x44,
25202 -+ 0xfc, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25203 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25204 -+ 0x77, 0xb5, 0xc9, 0x07, 0xd9, 0xc9, 0xe1, 0xea,
25205 -+ 0x51, 0x85, 0x1a, 0x20, 0x4a, 0xad, 0x9f, 0x0a,
25206 -+ 0x24, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25207 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25208 -+ 0x3f, 0x91, 0xf8, 0xe7, 0xc7, 0xb1, 0x96, 0x25,
25209 -+ 0x64, 0x61, 0x9c, 0x5e, 0x7e, 0x9b, 0xf6, 0x13
25210 -+};
25211 -+static const u8 enc_output116[] __initconst = {
25212 -+ 0xd5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25213 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25214 -+ 0x1d, 0xe0, 0x1d, 0x03, 0xa4, 0xfb, 0x69, 0x2b,
25215 -+ 0x0f, 0x13, 0x57, 0x17, 0xda, 0x3c, 0x93, 0x03,
25216 -+ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25217 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25218 -+ 0x14, 0xbc, 0x01, 0x79, 0x57, 0xdc, 0xfa, 0x2c,
25219 -+ 0xc0, 0xdb, 0xb8, 0x1d, 0xf5, 0x83, 0xcb, 0x01,
25220 -+ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25221 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25222 -+ 0x14, 0xbc, 0x01, 0x79, 0x57, 0xdc, 0xfa, 0x2c,
25223 -+ 0xc0, 0xdb, 0xb8, 0x1d, 0xf5, 0x83, 0xcb, 0x01,
25224 -+ 0x49, 0xbc, 0x6e, 0x9f, 0xc5, 0x1c, 0x4d, 0x50,
25225 -+ 0x30, 0x36, 0x64, 0x4d, 0x84, 0x27, 0x73, 0xd2
25226 -+};
25227 -+static const u8 enc_assoc116[] __initconst = {
25228 -+ 0xff, 0xff, 0xff, 0xff
25229 -+};
25230 -+static const u8 enc_nonce116[] __initconst = {
25231 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25232 -+};
25233 -+static const u8 enc_key116[] __initconst = {
25234 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25235 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25236 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25237 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25238 -+};
25239 -+
25240 -+/* wycheproof - edge case intermediate sums in poly1305 */
25241 -+static const u8 enc_input117[] __initconst = {
25242 -+ 0xdb, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25243 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25244 -+ 0x75, 0xd5, 0x64, 0x3a, 0xa5, 0xaf, 0x93, 0x4d,
25245 -+ 0x8c, 0xce, 0x39, 0x2c, 0xc3, 0xee, 0xdb, 0x47,
25246 -+ 0xc0, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25247 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25248 -+ 0x60, 0x1b, 0x5a, 0xd2, 0x06, 0x7f, 0x28, 0x06,
25249 -+ 0x6a, 0x8f, 0x32, 0x81, 0x71, 0x5b, 0xa8, 0x08,
25250 -+ 0x18, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25251 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25252 -+ 0x28, 0x3f, 0x6b, 0x32, 0x18, 0x07, 0x5f, 0xc9,
25253 -+ 0x5f, 0x6b, 0xb4, 0xff, 0x45, 0x6d, 0xc1, 0x11
25254 -+};
25255 -+static const u8 enc_output117[] __initconst = {
25256 -+ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25257 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25258 -+ 0xf2, 0x17, 0xae, 0x33, 0x49, 0xb6, 0xb5, 0xbb,
25259 -+ 0x4e, 0x09, 0x2f, 0xa6, 0xff, 0x9e, 0xc7, 0x00,
25260 -+ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25261 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25262 -+ 0x03, 0x12, 0x92, 0xac, 0x88, 0x6a, 0x33, 0xc0,
25263 -+ 0xfb, 0xd1, 0x90, 0xbc, 0xce, 0x75, 0xfc, 0x03,
25264 -+ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25265 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25266 -+ 0x03, 0x12, 0x92, 0xac, 0x88, 0x6a, 0x33, 0xc0,
25267 -+ 0xfb, 0xd1, 0x90, 0xbc, 0xce, 0x75, 0xfc, 0x03,
25268 -+ 0x63, 0xda, 0x6e, 0xa2, 0x51, 0xf0, 0x39, 0x53,
25269 -+ 0x2c, 0x36, 0x64, 0x5d, 0x38, 0xb7, 0x6f, 0xd7
25270 -+};
25271 -+static const u8 enc_assoc117[] __initconst = {
25272 -+ 0xff, 0xff, 0xff, 0xff
25273 -+};
25274 -+static const u8 enc_nonce117[] __initconst = {
25275 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25276 -+};
25277 -+static const u8 enc_key117[] __initconst = {
25278 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25279 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25280 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25281 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25282 -+};
25283 -+
25284 -+/* wycheproof - edge case intermediate sums in poly1305 */
25285 -+static const u8 enc_input118[] __initconst = {
25286 -+ 0x93, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25287 -+ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25288 -+ 0x62, 0x48, 0x39, 0x60, 0x42, 0x16, 0xe4, 0x03,
25289 -+ 0xeb, 0xcc, 0x6a, 0xf5, 0x59, 0xec, 0x8b, 0x43,
25290 -+ 0x97, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25291 -+ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25292 -+ 0xd8, 0xc8, 0xc3, 0xfa, 0x1a, 0x9e, 0x47, 0x4a,
25293 -+ 0xbe, 0x52, 0xd0, 0x2c, 0x81, 0x87, 0xe9, 0x0f,
25294 -+ 0x4f, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25295 -+ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25296 -+ 0x90, 0xec, 0xf2, 0x1a, 0x04, 0xe6, 0x30, 0x85,
25297 -+ 0x8b, 0xb6, 0x56, 0x52, 0xb5, 0xb1, 0x80, 0x16
25298 -+};
25299 -+static const u8 enc_output118[] __initconst = {
25300 -+ 0x93, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25301 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25302 -+ 0xe5, 0x8a, 0xf3, 0x69, 0xae, 0x0f, 0xc2, 0xf5,
25303 -+ 0x29, 0x0b, 0x7c, 0x7f, 0x65, 0x9c, 0x97, 0x04,
25304 -+ 0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25305 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25306 -+ 0xbb, 0xc1, 0x0b, 0x84, 0x94, 0x8b, 0x5c, 0x8c,
25307 -+ 0x2f, 0x0c, 0x72, 0x11, 0x3e, 0xa9, 0xbd, 0x04,
25308 -+ 0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25309 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25310 -+ 0xbb, 0xc1, 0x0b, 0x84, 0x94, 0x8b, 0x5c, 0x8c,
25311 -+ 0x2f, 0x0c, 0x72, 0x11, 0x3e, 0xa9, 0xbd, 0x04,
25312 -+ 0x73, 0xeb, 0x27, 0x24, 0xb5, 0xc4, 0x05, 0xf0,
25313 -+ 0x4d, 0x00, 0xd0, 0xf1, 0x58, 0x40, 0xa1, 0xc1
25314 -+};
25315 -+static const u8 enc_assoc118[] __initconst = {
25316 -+ 0xff, 0xff, 0xff, 0xff
25317 -+};
25318 -+static const u8 enc_nonce118[] __initconst = {
25319 -+ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25320 -+};
25321 -+static const u8 enc_key118[] __initconst = {
25322 -+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25323 -+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25324 -+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25325 -+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25326 -+};
25327 -+
25328 -+static const struct chacha20poly1305_testvec
25329 -+chacha20poly1305_enc_vectors[] __initconst = {
25330 -+ { enc_input001, enc_output001, enc_assoc001, enc_nonce001, enc_key001,
25331 -+ sizeof(enc_input001), sizeof(enc_assoc001), sizeof(enc_nonce001) },
25332 -+ { enc_input002, enc_output002, enc_assoc002, enc_nonce002, enc_key002,
25333 -+ sizeof(enc_input002), sizeof(enc_assoc002), sizeof(enc_nonce002) },
25334 -+ { enc_input003, enc_output003, enc_assoc003, enc_nonce003, enc_key003,
25335 -+ sizeof(enc_input003), sizeof(enc_assoc003), sizeof(enc_nonce003) },
25336 -+ { enc_input004, enc_output004, enc_assoc004, enc_nonce004, enc_key004,
25337 -+ sizeof(enc_input004), sizeof(enc_assoc004), sizeof(enc_nonce004) },
25338 -+ { enc_input005, enc_output005, enc_assoc005, enc_nonce005, enc_key005,
25339 -+ sizeof(enc_input005), sizeof(enc_assoc005), sizeof(enc_nonce005) },
25340 -+ { enc_input006, enc_output006, enc_assoc006, enc_nonce006, enc_key006,
25341 -+ sizeof(enc_input006), sizeof(enc_assoc006), sizeof(enc_nonce006) },
25342 -+ { enc_input007, enc_output007, enc_assoc007, enc_nonce007, enc_key007,
25343 -+ sizeof(enc_input007), sizeof(enc_assoc007), sizeof(enc_nonce007) },
25344 -+ { enc_input008, enc_output008, enc_assoc008, enc_nonce008, enc_key008,
25345 -+ sizeof(enc_input008), sizeof(enc_assoc008), sizeof(enc_nonce008) },
25346 -+ { enc_input009, enc_output009, enc_assoc009, enc_nonce009, enc_key009,
25347 -+ sizeof(enc_input009), sizeof(enc_assoc009), sizeof(enc_nonce009) },
25348 -+ { enc_input010, enc_output010, enc_assoc010, enc_nonce010, enc_key010,
25349 -+ sizeof(enc_input010), sizeof(enc_assoc010), sizeof(enc_nonce010) },
25350 -+ { enc_input011, enc_output011, enc_assoc011, enc_nonce011, enc_key011,
25351 -+ sizeof(enc_input011), sizeof(enc_assoc011), sizeof(enc_nonce011) },
25352 -+ { enc_input012, enc_output012, enc_assoc012, enc_nonce012, enc_key012,
25353 -+ sizeof(enc_input012), sizeof(enc_assoc012), sizeof(enc_nonce012) },
25354 -+ { enc_input013, enc_output013, enc_assoc013, enc_nonce013, enc_key013,
25355 -+ sizeof(enc_input013), sizeof(enc_assoc013), sizeof(enc_nonce013) },
25356 -+ { enc_input014, enc_output014, enc_assoc014, enc_nonce014, enc_key014,
25357 -+ sizeof(enc_input014), sizeof(enc_assoc014), sizeof(enc_nonce014) },
25358 -+ { enc_input015, enc_output015, enc_assoc015, enc_nonce015, enc_key015,
25359 -+ sizeof(enc_input015), sizeof(enc_assoc015), sizeof(enc_nonce015) },
25360 -+ { enc_input016, enc_output016, enc_assoc016, enc_nonce016, enc_key016,
25361 -+ sizeof(enc_input016), sizeof(enc_assoc016), sizeof(enc_nonce016) },
25362 -+ { enc_input017, enc_output017, enc_assoc017, enc_nonce017, enc_key017,
25363 -+ sizeof(enc_input017), sizeof(enc_assoc017), sizeof(enc_nonce017) },
25364 -+ { enc_input018, enc_output018, enc_assoc018, enc_nonce018, enc_key018,
25365 -+ sizeof(enc_input018), sizeof(enc_assoc018), sizeof(enc_nonce018) },
25366 -+ { enc_input019, enc_output019, enc_assoc019, enc_nonce019, enc_key019,
25367 -+ sizeof(enc_input019), sizeof(enc_assoc019), sizeof(enc_nonce019) },
25368 -+ { enc_input020, enc_output020, enc_assoc020, enc_nonce020, enc_key020,
25369 -+ sizeof(enc_input020), sizeof(enc_assoc020), sizeof(enc_nonce020) },
25370 -+ { enc_input021, enc_output021, enc_assoc021, enc_nonce021, enc_key021,
25371 -+ sizeof(enc_input021), sizeof(enc_assoc021), sizeof(enc_nonce021) },
25372 -+ { enc_input022, enc_output022, enc_assoc022, enc_nonce022, enc_key022,
25373 -+ sizeof(enc_input022), sizeof(enc_assoc022), sizeof(enc_nonce022) },
25374 -+ { enc_input023, enc_output023, enc_assoc023, enc_nonce023, enc_key023,
25375 -+ sizeof(enc_input023), sizeof(enc_assoc023), sizeof(enc_nonce023) },
25376 -+ { enc_input024, enc_output024, enc_assoc024, enc_nonce024, enc_key024,
25377 -+ sizeof(enc_input024), sizeof(enc_assoc024), sizeof(enc_nonce024) },
25378 -+ { enc_input025, enc_output025, enc_assoc025, enc_nonce025, enc_key025,
25379 -+ sizeof(enc_input025), sizeof(enc_assoc025), sizeof(enc_nonce025) },
25380 -+ { enc_input026, enc_output026, enc_assoc026, enc_nonce026, enc_key026,
25381 -+ sizeof(enc_input026), sizeof(enc_assoc026), sizeof(enc_nonce026) },
25382 -+ { enc_input027, enc_output027, enc_assoc027, enc_nonce027, enc_key027,
25383 -+ sizeof(enc_input027), sizeof(enc_assoc027), sizeof(enc_nonce027) },
25384 -+ { enc_input028, enc_output028, enc_assoc028, enc_nonce028, enc_key028,
25385 -+ sizeof(enc_input028), sizeof(enc_assoc028), sizeof(enc_nonce028) },
25386 -+ { enc_input029, enc_output029, enc_assoc029, enc_nonce029, enc_key029,
25387 -+ sizeof(enc_input029), sizeof(enc_assoc029), sizeof(enc_nonce029) },
25388 -+ { enc_input030, enc_output030, enc_assoc030, enc_nonce030, enc_key030,
25389 -+ sizeof(enc_input030), sizeof(enc_assoc030), sizeof(enc_nonce030) },
25390 -+ { enc_input031, enc_output031, enc_assoc031, enc_nonce031, enc_key031,
25391 -+ sizeof(enc_input031), sizeof(enc_assoc031), sizeof(enc_nonce031) },
25392 -+ { enc_input032, enc_output032, enc_assoc032, enc_nonce032, enc_key032,
25393 -+ sizeof(enc_input032), sizeof(enc_assoc032), sizeof(enc_nonce032) },
25394 -+ { enc_input033, enc_output033, enc_assoc033, enc_nonce033, enc_key033,
25395 -+ sizeof(enc_input033), sizeof(enc_assoc033), sizeof(enc_nonce033) },
25396 -+ { enc_input034, enc_output034, enc_assoc034, enc_nonce034, enc_key034,
25397 -+ sizeof(enc_input034), sizeof(enc_assoc034), sizeof(enc_nonce034) },
25398 -+ { enc_input035, enc_output035, enc_assoc035, enc_nonce035, enc_key035,
25399 -+ sizeof(enc_input035), sizeof(enc_assoc035), sizeof(enc_nonce035) },
25400 -+ { enc_input036, enc_output036, enc_assoc036, enc_nonce036, enc_key036,
25401 -+ sizeof(enc_input036), sizeof(enc_assoc036), sizeof(enc_nonce036) },
25402 -+ { enc_input037, enc_output037, enc_assoc037, enc_nonce037, enc_key037,
25403 -+ sizeof(enc_input037), sizeof(enc_assoc037), sizeof(enc_nonce037) },
25404 -+ { enc_input038, enc_output038, enc_assoc038, enc_nonce038, enc_key038,
25405 -+ sizeof(enc_input038), sizeof(enc_assoc038), sizeof(enc_nonce038) },
25406 -+ { enc_input039, enc_output039, enc_assoc039, enc_nonce039, enc_key039,
25407 -+ sizeof(enc_input039), sizeof(enc_assoc039), sizeof(enc_nonce039) },
25408 -+ { enc_input040, enc_output040, enc_assoc040, enc_nonce040, enc_key040,
25409 -+ sizeof(enc_input040), sizeof(enc_assoc040), sizeof(enc_nonce040) },
25410 -+ { enc_input041, enc_output041, enc_assoc041, enc_nonce041, enc_key041,
25411 -+ sizeof(enc_input041), sizeof(enc_assoc041), sizeof(enc_nonce041) },
25412 -+ { enc_input042, enc_output042, enc_assoc042, enc_nonce042, enc_key042,
25413 -+ sizeof(enc_input042), sizeof(enc_assoc042), sizeof(enc_nonce042) },
25414 -+ { enc_input043, enc_output043, enc_assoc043, enc_nonce043, enc_key043,
25415 -+ sizeof(enc_input043), sizeof(enc_assoc043), sizeof(enc_nonce043) },
25416 -+ { enc_input044, enc_output044, enc_assoc044, enc_nonce044, enc_key044,
25417 -+ sizeof(enc_input044), sizeof(enc_assoc044), sizeof(enc_nonce044) },
25418 -+ { enc_input045, enc_output045, enc_assoc045, enc_nonce045, enc_key045,
25419 -+ sizeof(enc_input045), sizeof(enc_assoc045), sizeof(enc_nonce045) },
25420 -+ { enc_input046, enc_output046, enc_assoc046, enc_nonce046, enc_key046,
25421 -+ sizeof(enc_input046), sizeof(enc_assoc046), sizeof(enc_nonce046) },
25422 -+ { enc_input047, enc_output047, enc_assoc047, enc_nonce047, enc_key047,
25423 -+ sizeof(enc_input047), sizeof(enc_assoc047), sizeof(enc_nonce047) },
25424 -+ { enc_input048, enc_output048, enc_assoc048, enc_nonce048, enc_key048,
25425 -+ sizeof(enc_input048), sizeof(enc_assoc048), sizeof(enc_nonce048) },
25426 -+ { enc_input049, enc_output049, enc_assoc049, enc_nonce049, enc_key049,
25427 -+ sizeof(enc_input049), sizeof(enc_assoc049), sizeof(enc_nonce049) },
25428 -+ { enc_input050, enc_output050, enc_assoc050, enc_nonce050, enc_key050,
25429 -+ sizeof(enc_input050), sizeof(enc_assoc050), sizeof(enc_nonce050) },
25430 -+ { enc_input051, enc_output051, enc_assoc051, enc_nonce051, enc_key051,
25431 -+ sizeof(enc_input051), sizeof(enc_assoc051), sizeof(enc_nonce051) },
25432 -+ { enc_input052, enc_output052, enc_assoc052, enc_nonce052, enc_key052,
25433 -+ sizeof(enc_input052), sizeof(enc_assoc052), sizeof(enc_nonce052) },
25434 -+ { enc_input053, enc_output053, enc_assoc053, enc_nonce053, enc_key053,
25435 -+ sizeof(enc_input053), sizeof(enc_assoc053), sizeof(enc_nonce053) },
25436 -+ { enc_input054, enc_output054, enc_assoc054, enc_nonce054, enc_key054,
25437 -+ sizeof(enc_input054), sizeof(enc_assoc054), sizeof(enc_nonce054) },
25438 -+ { enc_input055, enc_output055, enc_assoc055, enc_nonce055, enc_key055,
25439 -+ sizeof(enc_input055), sizeof(enc_assoc055), sizeof(enc_nonce055) },
25440 -+ { enc_input056, enc_output056, enc_assoc056, enc_nonce056, enc_key056,
25441 -+ sizeof(enc_input056), sizeof(enc_assoc056), sizeof(enc_nonce056) },
25442 -+ { enc_input057, enc_output057, enc_assoc057, enc_nonce057, enc_key057,
25443 -+ sizeof(enc_input057), sizeof(enc_assoc057), sizeof(enc_nonce057) },
25444 -+ { enc_input058, enc_output058, enc_assoc058, enc_nonce058, enc_key058,
25445 -+ sizeof(enc_input058), sizeof(enc_assoc058), sizeof(enc_nonce058) },
25446 -+ { enc_input059, enc_output059, enc_assoc059, enc_nonce059, enc_key059,
25447 -+ sizeof(enc_input059), sizeof(enc_assoc059), sizeof(enc_nonce059) },
25448 -+ { enc_input060, enc_output060, enc_assoc060, enc_nonce060, enc_key060,
25449 -+ sizeof(enc_input060), sizeof(enc_assoc060), sizeof(enc_nonce060) },
25450 -+ { enc_input061, enc_output061, enc_assoc061, enc_nonce061, enc_key061,
25451 -+ sizeof(enc_input061), sizeof(enc_assoc061), sizeof(enc_nonce061) },
25452 -+ { enc_input062, enc_output062, enc_assoc062, enc_nonce062, enc_key062,
25453 -+ sizeof(enc_input062), sizeof(enc_assoc062), sizeof(enc_nonce062) },
25454 -+ { enc_input063, enc_output063, enc_assoc063, enc_nonce063, enc_key063,
25455 -+ sizeof(enc_input063), sizeof(enc_assoc063), sizeof(enc_nonce063) },
25456 -+ { enc_input064, enc_output064, enc_assoc064, enc_nonce064, enc_key064,
25457 -+ sizeof(enc_input064), sizeof(enc_assoc064), sizeof(enc_nonce064) },
25458 -+ { enc_input065, enc_output065, enc_assoc065, enc_nonce065, enc_key065,
25459 -+ sizeof(enc_input065), sizeof(enc_assoc065), sizeof(enc_nonce065) },
25460 -+ { enc_input066, enc_output066, enc_assoc066, enc_nonce066, enc_key066,
25461 -+ sizeof(enc_input066), sizeof(enc_assoc066), sizeof(enc_nonce066) },
25462 -+ { enc_input067, enc_output067, enc_assoc067, enc_nonce067, enc_key067,
25463 -+ sizeof(enc_input067), sizeof(enc_assoc067), sizeof(enc_nonce067) },
25464 -+ { enc_input068, enc_output068, enc_assoc068, enc_nonce068, enc_key068,
25465 -+ sizeof(enc_input068), sizeof(enc_assoc068), sizeof(enc_nonce068) },
25466 -+ { enc_input069, enc_output069, enc_assoc069, enc_nonce069, enc_key069,
25467 -+ sizeof(enc_input069), sizeof(enc_assoc069), sizeof(enc_nonce069) },
25468 -+ { enc_input070, enc_output070, enc_assoc070, enc_nonce070, enc_key070,
25469 -+ sizeof(enc_input070), sizeof(enc_assoc070), sizeof(enc_nonce070) },
25470 -+ { enc_input071, enc_output071, enc_assoc071, enc_nonce071, enc_key071,
25471 -+ sizeof(enc_input071), sizeof(enc_assoc071), sizeof(enc_nonce071) },
25472 -+ { enc_input072, enc_output072, enc_assoc072, enc_nonce072, enc_key072,
25473 -+ sizeof(enc_input072), sizeof(enc_assoc072), sizeof(enc_nonce072) },
25474 -+ { enc_input073, enc_output073, enc_assoc073, enc_nonce073, enc_key073,
25475 -+ sizeof(enc_input073), sizeof(enc_assoc073), sizeof(enc_nonce073) },
25476 -+ { enc_input074, enc_output074, enc_assoc074, enc_nonce074, enc_key074,
25477 -+ sizeof(enc_input074), sizeof(enc_assoc074), sizeof(enc_nonce074) },
25478 -+ { enc_input075, enc_output075, enc_assoc075, enc_nonce075, enc_key075,
25479 -+ sizeof(enc_input075), sizeof(enc_assoc075), sizeof(enc_nonce075) },
25480 -+ { enc_input076, enc_output076, enc_assoc076, enc_nonce076, enc_key076,
25481 -+ sizeof(enc_input076), sizeof(enc_assoc076), sizeof(enc_nonce076) },
25482 -+ { enc_input077, enc_output077, enc_assoc077, enc_nonce077, enc_key077,
25483 -+ sizeof(enc_input077), sizeof(enc_assoc077), sizeof(enc_nonce077) },
25484 -+ { enc_input078, enc_output078, enc_assoc078, enc_nonce078, enc_key078,
25485 -+ sizeof(enc_input078), sizeof(enc_assoc078), sizeof(enc_nonce078) },
25486 -+ { enc_input079, enc_output079, enc_assoc079, enc_nonce079, enc_key079,
25487 -+ sizeof(enc_input079), sizeof(enc_assoc079), sizeof(enc_nonce079) },
25488 -+ { enc_input080, enc_output080, enc_assoc080, enc_nonce080, enc_key080,
25489 -+ sizeof(enc_input080), sizeof(enc_assoc080), sizeof(enc_nonce080) },
25490 -+ { enc_input081, enc_output081, enc_assoc081, enc_nonce081, enc_key081,
25491 -+ sizeof(enc_input081), sizeof(enc_assoc081), sizeof(enc_nonce081) },
25492 -+ { enc_input082, enc_output082, enc_assoc082, enc_nonce082, enc_key082,
25493 -+ sizeof(enc_input082), sizeof(enc_assoc082), sizeof(enc_nonce082) },
25494 -+ { enc_input083, enc_output083, enc_assoc083, enc_nonce083, enc_key083,
25495 -+ sizeof(enc_input083), sizeof(enc_assoc083), sizeof(enc_nonce083) },
25496 -+ { enc_input084, enc_output084, enc_assoc084, enc_nonce084, enc_key084,
25497 -+ sizeof(enc_input084), sizeof(enc_assoc084), sizeof(enc_nonce084) },
25498 -+ { enc_input085, enc_output085, enc_assoc085, enc_nonce085, enc_key085,
25499 -+ sizeof(enc_input085), sizeof(enc_assoc085), sizeof(enc_nonce085) },
25500 -+ { enc_input086, enc_output086, enc_assoc086, enc_nonce086, enc_key086,
25501 -+ sizeof(enc_input086), sizeof(enc_assoc086), sizeof(enc_nonce086) },
25502 -+ { enc_input087, enc_output087, enc_assoc087, enc_nonce087, enc_key087,
25503 -+ sizeof(enc_input087), sizeof(enc_assoc087), sizeof(enc_nonce087) },
25504 -+ { enc_input088, enc_output088, enc_assoc088, enc_nonce088, enc_key088,
25505 -+ sizeof(enc_input088), sizeof(enc_assoc088), sizeof(enc_nonce088) },
25506 -+ { enc_input089, enc_output089, enc_assoc089, enc_nonce089, enc_key089,
25507 -+ sizeof(enc_input089), sizeof(enc_assoc089), sizeof(enc_nonce089) },
25508 -+ { enc_input090, enc_output090, enc_assoc090, enc_nonce090, enc_key090,
25509 -+ sizeof(enc_input090), sizeof(enc_assoc090), sizeof(enc_nonce090) },
25510 -+ { enc_input091, enc_output091, enc_assoc091, enc_nonce091, enc_key091,
25511 -+ sizeof(enc_input091), sizeof(enc_assoc091), sizeof(enc_nonce091) },
25512 -+ { enc_input092, enc_output092, enc_assoc092, enc_nonce092, enc_key092,
25513 -+ sizeof(enc_input092), sizeof(enc_assoc092), sizeof(enc_nonce092) },
25514 -+ { enc_input093, enc_output093, enc_assoc093, enc_nonce093, enc_key093,
25515 -+ sizeof(enc_input093), sizeof(enc_assoc093), sizeof(enc_nonce093) },
25516 -+ { enc_input094, enc_output094, enc_assoc094, enc_nonce094, enc_key094,
25517 -+ sizeof(enc_input094), sizeof(enc_assoc094), sizeof(enc_nonce094) },
25518 -+ { enc_input095, enc_output095, enc_assoc095, enc_nonce095, enc_key095,
25519 -+ sizeof(enc_input095), sizeof(enc_assoc095), sizeof(enc_nonce095) },
25520 -+ { enc_input096, enc_output096, enc_assoc096, enc_nonce096, enc_key096,
25521 -+ sizeof(enc_input096), sizeof(enc_assoc096), sizeof(enc_nonce096) },
25522 -+ { enc_input097, enc_output097, enc_assoc097, enc_nonce097, enc_key097,
25523 -+ sizeof(enc_input097), sizeof(enc_assoc097), sizeof(enc_nonce097) },
25524 -+ { enc_input098, enc_output098, enc_assoc098, enc_nonce098, enc_key098,
25525 -+ sizeof(enc_input098), sizeof(enc_assoc098), sizeof(enc_nonce098) },
25526 -+ { enc_input099, enc_output099, enc_assoc099, enc_nonce099, enc_key099,
25527 -+ sizeof(enc_input099), sizeof(enc_assoc099), sizeof(enc_nonce099) },
25528 -+ { enc_input100, enc_output100, enc_assoc100, enc_nonce100, enc_key100,
25529 -+ sizeof(enc_input100), sizeof(enc_assoc100), sizeof(enc_nonce100) },
25530 -+ { enc_input101, enc_output101, enc_assoc101, enc_nonce101, enc_key101,
25531 -+ sizeof(enc_input101), sizeof(enc_assoc101), sizeof(enc_nonce101) },
25532 -+ { enc_input102, enc_output102, enc_assoc102, enc_nonce102, enc_key102,
25533 -+ sizeof(enc_input102), sizeof(enc_assoc102), sizeof(enc_nonce102) },
25534 -+ { enc_input103, enc_output103, enc_assoc103, enc_nonce103, enc_key103,
25535 -+ sizeof(enc_input103), sizeof(enc_assoc103), sizeof(enc_nonce103) },
25536 -+ { enc_input104, enc_output104, enc_assoc104, enc_nonce104, enc_key104,
25537 -+ sizeof(enc_input104), sizeof(enc_assoc104), sizeof(enc_nonce104) },
25538 -+ { enc_input105, enc_output105, enc_assoc105, enc_nonce105, enc_key105,
25539 -+ sizeof(enc_input105), sizeof(enc_assoc105), sizeof(enc_nonce105) },
25540 -+ { enc_input106, enc_output106, enc_assoc106, enc_nonce106, enc_key106,
25541 -+ sizeof(enc_input106), sizeof(enc_assoc106), sizeof(enc_nonce106) },
25542 -+ { enc_input107, enc_output107, enc_assoc107, enc_nonce107, enc_key107,
25543 -+ sizeof(enc_input107), sizeof(enc_assoc107), sizeof(enc_nonce107) },
25544 -+ { enc_input108, enc_output108, enc_assoc108, enc_nonce108, enc_key108,
25545 -+ sizeof(enc_input108), sizeof(enc_assoc108), sizeof(enc_nonce108) },
25546 -+ { enc_input109, enc_output109, enc_assoc109, enc_nonce109, enc_key109,
25547 -+ sizeof(enc_input109), sizeof(enc_assoc109), sizeof(enc_nonce109) },
25548 -+ { enc_input110, enc_output110, enc_assoc110, enc_nonce110, enc_key110,
25549 -+ sizeof(enc_input110), sizeof(enc_assoc110), sizeof(enc_nonce110) },
25550 -+ { enc_input111, enc_output111, enc_assoc111, enc_nonce111, enc_key111,
25551 -+ sizeof(enc_input111), sizeof(enc_assoc111), sizeof(enc_nonce111) },
25552 -+ { enc_input112, enc_output112, enc_assoc112, enc_nonce112, enc_key112,
25553 -+ sizeof(enc_input112), sizeof(enc_assoc112), sizeof(enc_nonce112) },
25554 -+ { enc_input113, enc_output113, enc_assoc113, enc_nonce113, enc_key113,
25555 -+ sizeof(enc_input113), sizeof(enc_assoc113), sizeof(enc_nonce113) },
25556 -+ { enc_input114, enc_output114, enc_assoc114, enc_nonce114, enc_key114,
25557 -+ sizeof(enc_input114), sizeof(enc_assoc114), sizeof(enc_nonce114) },
25558 -+ { enc_input115, enc_output115, enc_assoc115, enc_nonce115, enc_key115,
25559 -+ sizeof(enc_input115), sizeof(enc_assoc115), sizeof(enc_nonce115) },
25560 -+ { enc_input116, enc_output116, enc_assoc116, enc_nonce116, enc_key116,
25561 -+ sizeof(enc_input116), sizeof(enc_assoc116), sizeof(enc_nonce116) },
25562 -+ { enc_input117, enc_output117, enc_assoc117, enc_nonce117, enc_key117,
25563 -+ sizeof(enc_input117), sizeof(enc_assoc117), sizeof(enc_nonce117) },
25564 -+ { enc_input118, enc_output118, enc_assoc118, enc_nonce118, enc_key118,
25565 -+ sizeof(enc_input118), sizeof(enc_assoc118), sizeof(enc_nonce118) }
25566 -+};
25567 -+
25568 -+static const u8 dec_input001[] __initconst = {
25569 -+ 0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4,
25570 -+ 0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd,
25571 -+ 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
25572 -+ 0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2,
25573 -+ 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee,
25574 -+ 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
25575 -+ 0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00,
25576 -+ 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf,
25577 -+ 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
25578 -+ 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81,
25579 -+ 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd,
25580 -+ 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
25581 -+ 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
25582 -+ 0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38,
25583 -+ 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
25584 -+ 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4,
25585 -+ 0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46,
25586 -+ 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
25587 -+ 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e,
25588 -+ 0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e,
25589 -+ 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
25590 -+ 0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a,
25591 -+ 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea,
25592 -+ 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
25593 -+ 0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99,
25594 -+ 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
25595 -+ 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
25596 -+ 0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10,
25597 -+ 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94,
25598 -+ 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
25599 -+ 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf,
25600 -+ 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29,
25601 -+ 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
25602 -+ 0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb,
25603 -+ 0x22, 0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f,
25604 -+ 0x38
25605 -+};
25606 -+static const u8 dec_output001[] __initconst = {
25607 -+ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
25608 -+ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
25609 -+ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
25610 -+ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
25611 -+ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
25612 -+ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
25613 -+ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
25614 -+ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
25615 -+ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
25616 -+ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
25617 -+ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
25618 -+ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
25619 -+ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
25620 -+ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
25621 -+ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
25622 -+ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
25623 -+ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
25624 -+ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
25625 -+ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
25626 -+ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
25627 -+ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
25628 -+ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
25629 -+ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
25630 -+ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
25631 -+ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
25632 -+ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
25633 -+ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
25634 -+ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
25635 -+ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
25636 -+ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
25637 -+ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
25638 -+ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
25639 -+ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
25640 -+ 0x9d
25641 -+};
25642 -+static const u8 dec_assoc001[] __initconst = {
25643 -+ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
25644 -+ 0x00, 0x00, 0x4e, 0x91
25645 -+};
25646 -+static const u8 dec_nonce001[] __initconst = {
25647 -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
25648 -+};
25649 -+static const u8 dec_key001[] __initconst = {
25650 -+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
25651 -+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
25652 -+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
25653 -+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
25654 -+};
25655 -+
25656 -+static const u8 dec_input002[] __initconst = {
25657 -+ 0xea, 0xe0, 0x1e, 0x9e, 0x2c, 0x91, 0xaa, 0xe1,
25658 -+ 0xdb, 0x5d, 0x99, 0x3f, 0x8a, 0xf7, 0x69, 0x92
25659 -+};
25660 -+static const u8 dec_output002[] __initconst = { };
25661 -+static const u8 dec_assoc002[] __initconst = { };
25662 -+static const u8 dec_nonce002[] __initconst = {
25663 -+ 0xca, 0xbf, 0x33, 0x71, 0x32, 0x45, 0x77, 0x8e
25664 -+};
25665 -+static const u8 dec_key002[] __initconst = {
25666 -+ 0x4c, 0xf5, 0x96, 0x83, 0x38, 0xe6, 0xae, 0x7f,
25667 -+ 0x2d, 0x29, 0x25, 0x76, 0xd5, 0x75, 0x27, 0x86,
25668 -+ 0x91, 0x9a, 0x27, 0x7a, 0xfb, 0x46, 0xc5, 0xef,
25669 -+ 0x94, 0x81, 0x79, 0x57, 0x14, 0x59, 0x40, 0x68
25670 -+};
25671 -+
25672 -+static const u8 dec_input003[] __initconst = {
25673 -+ 0xdd, 0x6b, 0x3b, 0x82, 0xce, 0x5a, 0xbd, 0xd6,
25674 -+ 0xa9, 0x35, 0x83, 0xd8, 0x8c, 0x3d, 0x85, 0x77
25675 -+};
25676 -+static const u8 dec_output003[] __initconst = { };
25677 -+static const u8 dec_assoc003[] __initconst = {
25678 -+ 0x33, 0x10, 0x41, 0x12, 0x1f, 0xf3, 0xd2, 0x6b
25679 -+};
25680 -+static const u8 dec_nonce003[] __initconst = {
25681 -+ 0x3d, 0x86, 0xb5, 0x6b, 0xc8, 0xa3, 0x1f, 0x1d
25682 -+};
25683 -+static const u8 dec_key003[] __initconst = {
25684 -+ 0x2d, 0xb0, 0x5d, 0x40, 0xc8, 0xed, 0x44, 0x88,
25685 -+ 0x34, 0xd1, 0x13, 0xaf, 0x57, 0xa1, 0xeb, 0x3a,
25686 -+ 0x2a, 0x80, 0x51, 0x36, 0xec, 0x5b, 0xbc, 0x08,
25687 -+ 0x93, 0x84, 0x21, 0xb5, 0x13, 0x88, 0x3c, 0x0d
25688 -+};
25689 -+
25690 -+static const u8 dec_input004[] __initconst = {
25691 -+ 0xb7, 0x1b, 0xb0, 0x73, 0x59, 0xb0, 0x84, 0xb2,
25692 -+ 0x6d, 0x8e, 0xab, 0x94, 0x31, 0xa1, 0xae, 0xac,
25693 -+ 0x89
25694 -+};
25695 -+static const u8 dec_output004[] __initconst = {
25696 -+ 0xa4
25697 -+};
25698 -+static const u8 dec_assoc004[] __initconst = {
25699 -+ 0x6a, 0xe2, 0xad, 0x3f, 0x88, 0x39, 0x5a, 0x40
25700 -+};
25701 -+static const u8 dec_nonce004[] __initconst = {
25702 -+ 0xd2, 0x32, 0x1f, 0x29, 0x28, 0xc6, 0xc4, 0xc4
25703 -+};
25704 -+static const u8 dec_key004[] __initconst = {
25705 -+ 0x4b, 0x28, 0x4b, 0xa3, 0x7b, 0xbe, 0xe9, 0xf8,
25706 -+ 0x31, 0x80, 0x82, 0xd7, 0xd8, 0xe8, 0xb5, 0xa1,
25707 -+ 0xe2, 0x18, 0x18, 0x8a, 0x9c, 0xfa, 0xa3, 0x3d,
25708 -+ 0x25, 0x71, 0x3e, 0x40, 0xbc, 0x54, 0x7a, 0x3e
25709 -+};
25710 -+
25711 -+static const u8 dec_input005[] __initconst = {
25712 -+ 0xbf, 0xe1, 0x5b, 0x0b, 0xdb, 0x6b, 0xf5, 0x5e,
25713 -+ 0x6c, 0x5d, 0x84, 0x44, 0x39, 0x81, 0xc1, 0x9c,
25714 -+ 0xac
25715 -+};
25716 -+static const u8 dec_output005[] __initconst = {
25717 -+ 0x2d
25718 -+};
25719 -+static const u8 dec_assoc005[] __initconst = { };
25720 -+static const u8 dec_nonce005[] __initconst = {
25721 -+ 0x20, 0x1c, 0xaa, 0x5f, 0x9c, 0xbf, 0x92, 0x30
25722 -+};
25723 -+static const u8 dec_key005[] __initconst = {
25724 -+ 0x66, 0xca, 0x9c, 0x23, 0x2a, 0x4b, 0x4b, 0x31,
25725 -+ 0x0e, 0x92, 0x89, 0x8b, 0xf4, 0x93, 0xc7, 0x87,
25726 -+ 0x98, 0xa3, 0xd8, 0x39, 0xf8, 0xf4, 0xa7, 0x01,
25727 -+ 0xc0, 0x2e, 0x0a, 0xa6, 0x7e, 0x5a, 0x78, 0x87
25728 -+};
25729 -+
25730 -+static const u8 dec_input006[] __initconst = {
25731 -+ 0x8b, 0x06, 0xd3, 0x31, 0xb0, 0x93, 0x45, 0xb1,
25732 -+ 0x75, 0x6e, 0x26, 0xf9, 0x67, 0xbc, 0x90, 0x15,
25733 -+ 0x81, 0x2c, 0xb5, 0xf0, 0xc6, 0x2b, 0xc7, 0x8c,
25734 -+ 0x56, 0xd1, 0xbf, 0x69, 0x6c, 0x07, 0xa0, 0xda,
25735 -+ 0x65, 0x27, 0xc9, 0x90, 0x3d, 0xef, 0x4b, 0x11,
25736 -+ 0x0f, 0x19, 0x07, 0xfd, 0x29, 0x92, 0xd9, 0xc8,
25737 -+ 0xf7, 0x99, 0x2e, 0x4a, 0xd0, 0xb8, 0x2c, 0xdc,
25738 -+ 0x93, 0xf5, 0x9e, 0x33, 0x78, 0xd1, 0x37, 0xc3,
25739 -+ 0x66, 0xd7, 0x5e, 0xbc, 0x44, 0xbf, 0x53, 0xa5,
25740 -+ 0xbc, 0xc4, 0xcb, 0x7b, 0x3a, 0x8e, 0x7f, 0x02,
25741 -+ 0xbd, 0xbb, 0xe7, 0xca, 0xa6, 0x6c, 0x6b, 0x93,
25742 -+ 0x21, 0x93, 0x10, 0x61, 0xe7, 0x69, 0xd0, 0x78,
25743 -+ 0xf3, 0x07, 0x5a, 0x1a, 0x8f, 0x73, 0xaa, 0xb1,
25744 -+ 0x4e, 0xd3, 0xda, 0x4f, 0xf3, 0x32, 0xe1, 0x66,
25745 -+ 0x3e, 0x6c, 0xc6, 0x13, 0xba, 0x06, 0x5b, 0xfc,
25746 -+ 0x6a, 0xe5, 0x6f, 0x60, 0xfb, 0x07, 0x40, 0xb0,
25747 -+ 0x8c, 0x9d, 0x84, 0x43, 0x6b, 0xc1, 0xf7, 0x8d,
25748 -+ 0x8d, 0x31, 0xf7, 0x7a, 0x39, 0x4d, 0x8f, 0x9a,
25749 -+ 0xeb
25750 -+};
25751 -+static const u8 dec_output006[] __initconst = {
25752 -+ 0x33, 0x2f, 0x94, 0xc1, 0xa4, 0xef, 0xcc, 0x2a,
25753 -+ 0x5b, 0xa6, 0xe5, 0x8f, 0x1d, 0x40, 0xf0, 0x92,
25754 -+ 0x3c, 0xd9, 0x24, 0x11, 0xa9, 0x71, 0xf9, 0x37,
25755 -+ 0x14, 0x99, 0xfa, 0xbe, 0xe6, 0x80, 0xde, 0x50,
25756 -+ 0xc9, 0x96, 0xd4, 0xb0, 0xec, 0x9e, 0x17, 0xec,
25757 -+ 0xd2, 0x5e, 0x72, 0x99, 0xfc, 0x0a, 0xe1, 0xcb,
25758 -+ 0x48, 0xd2, 0x85, 0xdd, 0x2f, 0x90, 0xe0, 0x66,
25759 -+ 0x3b, 0xe6, 0x20, 0x74, 0xbe, 0x23, 0x8f, 0xcb,
25760 -+ 0xb4, 0xe4, 0xda, 0x48, 0x40, 0xa6, 0xd1, 0x1b,
25761 -+ 0xc7, 0x42, 0xce, 0x2f, 0x0c, 0xa6, 0x85, 0x6e,
25762 -+ 0x87, 0x37, 0x03, 0xb1, 0x7c, 0x25, 0x96, 0xa3,
25763 -+ 0x05, 0xd8, 0xb0, 0xf4, 0xed, 0xea, 0xc2, 0xf0,
25764 -+ 0x31, 0x98, 0x6c, 0xd1, 0x14, 0x25, 0xc0, 0xcb,
25765 -+ 0x01, 0x74, 0xd0, 0x82, 0xf4, 0x36, 0xf5, 0x41,
25766 -+ 0xd5, 0xdc, 0xca, 0xc5, 0xbb, 0x98, 0xfe, 0xfc,
25767 -+ 0x69, 0x21, 0x70, 0xd8, 0xa4, 0x4b, 0xc8, 0xde,
25768 -+ 0x8f
25769 -+};
25770 -+static const u8 dec_assoc006[] __initconst = {
25771 -+ 0x70, 0xd3, 0x33, 0xf3, 0x8b, 0x18, 0x0b
25772 -+};
25773 -+static const u8 dec_nonce006[] __initconst = {
25774 -+ 0xdf, 0x51, 0x84, 0x82, 0x42, 0x0c, 0x75, 0x9c
25775 -+};
25776 -+static const u8 dec_key006[] __initconst = {
25777 -+ 0x68, 0x7b, 0x8d, 0x8e, 0xe3, 0xc4, 0xdd, 0xae,
25778 -+ 0xdf, 0x72, 0x7f, 0x53, 0x72, 0x25, 0x1e, 0x78,
25779 -+ 0x91, 0xcb, 0x69, 0x76, 0x1f, 0x49, 0x93, 0xf9,
25780 -+ 0x6f, 0x21, 0xcc, 0x39, 0x9c, 0xad, 0xb1, 0x01
25781 -+};
25782 -+
25783 -+static const u8 dec_input007[] __initconst = {
25784 -+ 0x85, 0x04, 0xc2, 0xed, 0x8d, 0xfd, 0x97, 0x5c,
25785 -+ 0xd2, 0xb7, 0xe2, 0xc1, 0x6b, 0xa3, 0xba, 0xf8,
25786 -+ 0xc9, 0x50, 0xc3, 0xc6, 0xa5, 0xe3, 0xa4, 0x7c,
25787 -+ 0xc3, 0x23, 0x49, 0x5e, 0xa9, 0xb9, 0x32, 0xeb,
25788 -+ 0x8a, 0x7c, 0xca, 0xe5, 0xec, 0xfb, 0x7c, 0xc0,
25789 -+ 0xcb, 0x7d, 0xdc, 0x2c, 0x9d, 0x92, 0x55, 0x21,
25790 -+ 0x0a, 0xc8, 0x43, 0x63, 0x59, 0x0a, 0x31, 0x70,
25791 -+ 0x82, 0x67, 0x41, 0x03, 0xf8, 0xdf, 0xf2, 0xac,
25792 -+ 0xa7, 0x02, 0xd4, 0xd5, 0x8a, 0x2d, 0xc8, 0x99,
25793 -+ 0x19, 0x66, 0xd0, 0xf6, 0x88, 0x2c, 0x77, 0xd9,
25794 -+ 0xd4, 0x0d, 0x6c, 0xbd, 0x98, 0xde, 0xe7, 0x7f,
25795 -+ 0xad, 0x7e, 0x8a, 0xfb, 0xe9, 0x4b, 0xe5, 0xf7,
25796 -+ 0xe5, 0x50, 0xa0, 0x90, 0x3f, 0xd6, 0x22, 0x53,
25797 -+ 0xe3, 0xfe, 0x1b, 0xcc, 0x79, 0x3b, 0xec, 0x12,
25798 -+ 0x47, 0x52, 0xa7, 0xd6, 0x04, 0xe3, 0x52, 0xe6,
25799 -+ 0x93, 0x90, 0x91, 0x32, 0x73, 0x79, 0xb8, 0xd0,
25800 -+ 0x31, 0xde, 0x1f, 0x9f, 0x2f, 0x05, 0x38, 0x54,
25801 -+ 0x2f, 0x35, 0x04, 0x39, 0xe0, 0xa7, 0xba, 0xc6,
25802 -+ 0x52, 0xf6, 0x37, 0x65, 0x4c, 0x07, 0xa9, 0x7e,
25803 -+ 0xb3, 0x21, 0x6f, 0x74, 0x8c, 0xc9, 0xde, 0xdb,
25804 -+ 0x65, 0x1b, 0x9b, 0xaa, 0x60, 0xb1, 0x03, 0x30,
25805 -+ 0x6b, 0xb2, 0x03, 0xc4, 0x1c, 0x04, 0xf8, 0x0f,
25806 -+ 0x64, 0xaf, 0x46, 0xe4, 0x65, 0x99, 0x49, 0xe2,
25807 -+ 0xea, 0xce, 0x78, 0x00, 0xd8, 0x8b, 0xd5, 0x2e,
25808 -+ 0xcf, 0xfc, 0x40, 0x49, 0xe8, 0x58, 0xdc, 0x34,
25809 -+ 0x9c, 0x8c, 0x61, 0xbf, 0x0a, 0x8e, 0xec, 0x39,
25810 -+ 0xa9, 0x30, 0x05, 0x5a, 0xd2, 0x56, 0x01, 0xc7,
25811 -+ 0xda, 0x8f, 0x4e, 0xbb, 0x43, 0xa3, 0x3a, 0xf9,
25812 -+ 0x15, 0x2a, 0xd0, 0xa0, 0x7a, 0x87, 0x34, 0x82,
25813 -+ 0xfe, 0x8a, 0xd1, 0x2d, 0x5e, 0xc7, 0xbf, 0x04,
25814 -+ 0x53, 0x5f, 0x3b, 0x36, 0xd4, 0x25, 0x5c, 0x34,
25815 -+ 0x7a, 0x8d, 0xd5, 0x05, 0xce, 0x72, 0xca, 0xef,
25816 -+ 0x7a, 0x4b, 0xbc, 0xb0, 0x10, 0x5c, 0x96, 0x42,
25817 -+ 0x3a, 0x00, 0x98, 0xcd, 0x15, 0xe8, 0xb7, 0x53
25818 -+};
25819 -+static const u8 dec_output007[] __initconst = {
25820 -+ 0x9b, 0x18, 0xdb, 0xdd, 0x9a, 0x0f, 0x3e, 0xa5,
25821 -+ 0x15, 0x17, 0xde, 0xdf, 0x08, 0x9d, 0x65, 0x0a,
25822 -+ 0x67, 0x30, 0x12, 0xe2, 0x34, 0x77, 0x4b, 0xc1,
25823 -+ 0xd9, 0xc6, 0x1f, 0xab, 0xc6, 0x18, 0x50, 0x17,
25824 -+ 0xa7, 0x9d, 0x3c, 0xa6, 0xc5, 0x35, 0x8c, 0x1c,
25825 -+ 0xc0, 0xa1, 0x7c, 0x9f, 0x03, 0x89, 0xca, 0xe1,
25826 -+ 0xe6, 0xe9, 0xd4, 0xd3, 0x88, 0xdb, 0xb4, 0x51,
25827 -+ 0x9d, 0xec, 0xb4, 0xfc, 0x52, 0xee, 0x6d, 0xf1,
25828 -+ 0x75, 0x42, 0xc6, 0xfd, 0xbd, 0x7a, 0x8e, 0x86,
25829 -+ 0xfc, 0x44, 0xb3, 0x4f, 0xf3, 0xea, 0x67, 0x5a,
25830 -+ 0x41, 0x13, 0xba, 0xb0, 0xdc, 0xe1, 0xd3, 0x2a,
25831 -+ 0x7c, 0x22, 0xb3, 0xca, 0xac, 0x6a, 0x37, 0x98,
25832 -+ 0x3e, 0x1d, 0x40, 0x97, 0xf7, 0x9b, 0x1d, 0x36,
25833 -+ 0x6b, 0xb3, 0x28, 0xbd, 0x60, 0x82, 0x47, 0x34,
25834 -+ 0xaa, 0x2f, 0x7d, 0xe9, 0xa8, 0x70, 0x81, 0x57,
25835 -+ 0xd4, 0xb9, 0x77, 0x0a, 0x9d, 0x29, 0xa7, 0x84,
25836 -+ 0x52, 0x4f, 0xc2, 0x4a, 0x40, 0x3b, 0x3c, 0xd4,
25837 -+ 0xc9, 0x2a, 0xdb, 0x4a, 0x53, 0xc4, 0xbe, 0x80,
25838 -+ 0xe9, 0x51, 0x7f, 0x8f, 0xc7, 0xa2, 0xce, 0x82,
25839 -+ 0x5c, 0x91, 0x1e, 0x74, 0xd9, 0xd0, 0xbd, 0xd5,
25840 -+ 0xf3, 0xfd, 0xda, 0x4d, 0x25, 0xb4, 0xbb, 0x2d,
25841 -+ 0xac, 0x2f, 0x3d, 0x71, 0x85, 0x7b, 0xcf, 0x3c,
25842 -+ 0x7b, 0x3e, 0x0e, 0x22, 0x78, 0x0c, 0x29, 0xbf,
25843 -+ 0xe4, 0xf4, 0x57, 0xb3, 0xcb, 0x49, 0xa0, 0xfc,
25844 -+ 0x1e, 0x05, 0x4e, 0x16, 0xbc, 0xd5, 0xa8, 0xa3,
25845 -+ 0xee, 0x05, 0x35, 0xc6, 0x7c, 0xab, 0x60, 0x14,
25846 -+ 0x55, 0x1a, 0x8e, 0xc5, 0x88, 0x5d, 0xd5, 0x81,
25847 -+ 0xc2, 0x81, 0xa5, 0xc4, 0x60, 0xdb, 0xaf, 0x77,
25848 -+ 0x91, 0xe1, 0xce, 0xa2, 0x7e, 0x7f, 0x42, 0xe3,
25849 -+ 0xb0, 0x13, 0x1c, 0x1f, 0x25, 0x60, 0x21, 0xe2,
25850 -+ 0x40, 0x5f, 0x99, 0xb7, 0x73, 0xec, 0x9b, 0x2b,
25851 -+ 0xf0, 0x65, 0x11, 0xc8, 0xd0, 0x0a, 0x9f, 0xd3
25852 -+};
25853 -+static const u8 dec_assoc007[] __initconst = { };
25854 -+static const u8 dec_nonce007[] __initconst = {
25855 -+ 0xde, 0x7b, 0xef, 0xc3, 0x65, 0x1b, 0x68, 0xb0
25856 -+};
25857 -+static const u8 dec_key007[] __initconst = {
25858 -+ 0x8d, 0xb8, 0x91, 0x48, 0xf0, 0xe7, 0x0a, 0xbd,
25859 -+ 0xf9, 0x3f, 0xcd, 0xd9, 0xa0, 0x1e, 0x42, 0x4c,
25860 -+ 0xe7, 0xde, 0x25, 0x3d, 0xa3, 0xd7, 0x05, 0x80,
25861 -+ 0x8d, 0xf2, 0x82, 0xac, 0x44, 0x16, 0x51, 0x01
25862 -+};
25863 -+
25864 -+static const u8 dec_input008[] __initconst = {
25865 -+ 0x14, 0xf6, 0x41, 0x37, 0xa6, 0xd4, 0x27, 0xcd,
25866 -+ 0xdb, 0x06, 0x3e, 0x9a, 0x4e, 0xab, 0xd5, 0xb1,
25867 -+ 0x1e, 0x6b, 0xd2, 0xbc, 0x11, 0xf4, 0x28, 0x93,
25868 -+ 0x63, 0x54, 0xef, 0xbb, 0x5e, 0x1d, 0x3a, 0x1d,
25869 -+ 0x37, 0x3c, 0x0a, 0x6c, 0x1e, 0xc2, 0xd1, 0x2c,
25870 -+ 0xb5, 0xa3, 0xb5, 0x7b, 0xb8, 0x8f, 0x25, 0xa6,
25871 -+ 0x1b, 0x61, 0x1c, 0xec, 0x28, 0x58, 0x26, 0xa4,
25872 -+ 0xa8, 0x33, 0x28, 0x25, 0x5c, 0x45, 0x05, 0xe5,
25873 -+ 0x6c, 0x99, 0xe5, 0x45, 0xc4, 0xa2, 0x03, 0x84,
25874 -+ 0x03, 0x73, 0x1e, 0x8c, 0x49, 0xac, 0x20, 0xdd,
25875 -+ 0x8d, 0xb3, 0xc4, 0xf5, 0xe7, 0x4f, 0xf1, 0xed,
25876 -+ 0xa1, 0x98, 0xde, 0xa4, 0x96, 0xdd, 0x2f, 0xab,
25877 -+ 0xab, 0x97, 0xcf, 0x3e, 0xd2, 0x9e, 0xb8, 0x13,
25878 -+ 0x07, 0x28, 0x29, 0x19, 0xaf, 0xfd, 0xf2, 0x49,
25879 -+ 0x43, 0xea, 0x49, 0x26, 0x91, 0xc1, 0x07, 0xd6,
25880 -+ 0xbb, 0x81, 0x75, 0x35, 0x0d, 0x24, 0x7f, 0xc8,
25881 -+ 0xda, 0xd4, 0xb7, 0xeb, 0xe8, 0x5c, 0x09, 0xa2,
25882 -+ 0x2f, 0xdc, 0x28, 0x7d, 0x3a, 0x03, 0xfa, 0x94,
25883 -+ 0xb5, 0x1d, 0x17, 0x99, 0x36, 0xc3, 0x1c, 0x18,
25884 -+ 0x34, 0xe3, 0x9f, 0xf5, 0x55, 0x7c, 0xb0, 0x60,
25885 -+ 0x9d, 0xff, 0xac, 0xd4, 0x61, 0xf2, 0xad, 0xf8,
25886 -+ 0xce, 0xc7, 0xbe, 0x5c, 0xd2, 0x95, 0xa8, 0x4b,
25887 -+ 0x77, 0x13, 0x19, 0x59, 0x26, 0xc9, 0xb7, 0x8f,
25888 -+ 0x6a, 0xcb, 0x2d, 0x37, 0x91, 0xea, 0x92, 0x9c,
25889 -+ 0x94, 0x5b, 0xda, 0x0b, 0xce, 0xfe, 0x30, 0x20,
25890 -+ 0xf8, 0x51, 0xad, 0xf2, 0xbe, 0xe7, 0xc7, 0xff,
25891 -+ 0xb3, 0x33, 0x91, 0x6a, 0xc9, 0x1a, 0x41, 0xc9,
25892 -+ 0x0f, 0xf3, 0x10, 0x0e, 0xfd, 0x53, 0xff, 0x6c,
25893 -+ 0x16, 0x52, 0xd9, 0xf3, 0xf7, 0x98, 0x2e, 0xc9,
25894 -+ 0x07, 0x31, 0x2c, 0x0c, 0x72, 0xd7, 0xc5, 0xc6,
25895 -+ 0x08, 0x2a, 0x7b, 0xda, 0xbd, 0x7e, 0x02, 0xea,
25896 -+ 0x1a, 0xbb, 0xf2, 0x04, 0x27, 0x61, 0x28, 0x8e,
25897 -+ 0xf5, 0x04, 0x03, 0x1f, 0x4c, 0x07, 0x55, 0x82,
25898 -+ 0xec, 0x1e, 0xd7, 0x8b, 0x2f, 0x65, 0x56, 0xd1,
25899 -+ 0xd9, 0x1e, 0x3c, 0xe9, 0x1f, 0x5e, 0x98, 0x70,
25900 -+ 0x38, 0x4a, 0x8c, 0x49, 0xc5, 0x43, 0xa0, 0xa1,
25901 -+ 0x8b, 0x74, 0x9d, 0x4c, 0x62, 0x0d, 0x10, 0x0c,
25902 -+ 0xf4, 0x6c, 0x8f, 0xe0, 0xaa, 0x9a, 0x8d, 0xb7,
25903 -+ 0xe0, 0xbe, 0x4c, 0x87, 0xf1, 0x98, 0x2f, 0xcc,
25904 -+ 0xed, 0xc0, 0x52, 0x29, 0xdc, 0x83, 0xf8, 0xfc,
25905 -+ 0x2c, 0x0e, 0xa8, 0x51, 0x4d, 0x80, 0x0d, 0xa3,
25906 -+ 0xfe, 0xd8, 0x37, 0xe7, 0x41, 0x24, 0xfc, 0xfb,
25907 -+ 0x75, 0xe3, 0x71, 0x7b, 0x57, 0x45, 0xf5, 0x97,
25908 -+ 0x73, 0x65, 0x63, 0x14, 0x74, 0xb8, 0x82, 0x9f,
25909 -+ 0xf8, 0x60, 0x2f, 0x8a, 0xf2, 0x4e, 0xf1, 0x39,
25910 -+ 0xda, 0x33, 0x91, 0xf8, 0x36, 0xe0, 0x8d, 0x3f,
25911 -+ 0x1f, 0x3b, 0x56, 0xdc, 0xa0, 0x8f, 0x3c, 0x9d,
25912 -+ 0x71, 0x52, 0xa7, 0xb8, 0xc0, 0xa5, 0xc6, 0xa2,
25913 -+ 0x73, 0xda, 0xf4, 0x4b, 0x74, 0x5b, 0x00, 0x3d,
25914 -+ 0x99, 0xd7, 0x96, 0xba, 0xe6, 0xe1, 0xa6, 0x96,
25915 -+ 0x38, 0xad, 0xb3, 0xc0, 0xd2, 0xba, 0x91, 0x6b,
25916 -+ 0xf9, 0x19, 0xdd, 0x3b, 0xbe, 0xbe, 0x9c, 0x20,
25917 -+ 0x50, 0xba, 0xa1, 0xd0, 0xce, 0x11, 0xbd, 0x95,
25918 -+ 0xd8, 0xd1, 0xdd, 0x33, 0x85, 0x74, 0xdc, 0xdb,
25919 -+ 0x66, 0x76, 0x44, 0xdc, 0x03, 0x74, 0x48, 0x35,
25920 -+ 0x98, 0xb1, 0x18, 0x47, 0x94, 0x7d, 0xff, 0x62,
25921 -+ 0xe4, 0x58, 0x78, 0xab, 0xed, 0x95, 0x36, 0xd9,
25922 -+ 0x84, 0x91, 0x82, 0x64, 0x41, 0xbb, 0x58, 0xe6,
25923 -+ 0x1c, 0x20, 0x6d, 0x15, 0x6b, 0x13, 0x96, 0xe8,
25924 -+ 0x35, 0x7f, 0xdc, 0x40, 0x2c, 0xe9, 0xbc, 0x8a,
25925 -+ 0x4f, 0x92, 0xec, 0x06, 0x2d, 0x50, 0xdf, 0x93,
25926 -+ 0x5d, 0x65, 0x5a, 0xa8, 0xfc, 0x20, 0x50, 0x14,
25927 -+ 0xa9, 0x8a, 0x7e, 0x1d, 0x08, 0x1f, 0xe2, 0x99,
25928 -+ 0xd0, 0xbe, 0xfb, 0x3a, 0x21, 0x9d, 0xad, 0x86,
25929 -+ 0x54, 0xfd, 0x0d, 0x98, 0x1c, 0x5a, 0x6f, 0x1f,
25930 -+ 0x9a, 0x40, 0xcd, 0xa2, 0xff, 0x6a, 0xf1, 0x54
25931 -+};
25932 -+static const u8 dec_output008[] __initconst = {
25933 -+ 0xc3, 0x09, 0x94, 0x62, 0xe6, 0x46, 0x2e, 0x10,
25934 -+ 0xbe, 0x00, 0xe4, 0xfc, 0xf3, 0x40, 0xa3, 0xe2,
25935 -+ 0x0f, 0xc2, 0x8b, 0x28, 0xdc, 0xba, 0xb4, 0x3c,
25936 -+ 0xe4, 0x21, 0x58, 0x61, 0xcd, 0x8b, 0xcd, 0xfb,
25937 -+ 0xac, 0x94, 0xa1, 0x45, 0xf5, 0x1c, 0xe1, 0x12,
25938 -+ 0xe0, 0x3b, 0x67, 0x21, 0x54, 0x5e, 0x8c, 0xaa,
25939 -+ 0xcf, 0xdb, 0xb4, 0x51, 0xd4, 0x13, 0xda, 0xe6,
25940 -+ 0x83, 0x89, 0xb6, 0x92, 0xe9, 0x21, 0x76, 0xa4,
25941 -+ 0x93, 0x7d, 0x0e, 0xfd, 0x96, 0x36, 0x03, 0x91,
25942 -+ 0x43, 0x5c, 0x92, 0x49, 0x62, 0x61, 0x7b, 0xeb,
25943 -+ 0x43, 0x89, 0xb8, 0x12, 0x20, 0x43, 0xd4, 0x47,
25944 -+ 0x06, 0x84, 0xee, 0x47, 0xe9, 0x8a, 0x73, 0x15,
25945 -+ 0x0f, 0x72, 0xcf, 0xed, 0xce, 0x96, 0xb2, 0x7f,
25946 -+ 0x21, 0x45, 0x76, 0xeb, 0x26, 0x28, 0x83, 0x6a,
25947 -+ 0xad, 0xaa, 0xa6, 0x81, 0xd8, 0x55, 0xb1, 0xa3,
25948 -+ 0x85, 0xb3, 0x0c, 0xdf, 0xf1, 0x69, 0x2d, 0x97,
25949 -+ 0x05, 0x2a, 0xbc, 0x7c, 0x7b, 0x25, 0xf8, 0x80,
25950 -+ 0x9d, 0x39, 0x25, 0xf3, 0x62, 0xf0, 0x66, 0x5e,
25951 -+ 0xf4, 0xa0, 0xcf, 0xd8, 0xfd, 0x4f, 0xb1, 0x1f,
25952 -+ 0x60, 0x3a, 0x08, 0x47, 0xaf, 0xe1, 0xf6, 0x10,
25953 -+ 0x77, 0x09, 0xa7, 0x27, 0x8f, 0x9a, 0x97, 0x5a,
25954 -+ 0x26, 0xfa, 0xfe, 0x41, 0x32, 0x83, 0x10, 0xe0,
25955 -+ 0x1d, 0xbf, 0x64, 0x0d, 0xf4, 0x1c, 0x32, 0x35,
25956 -+ 0xe5, 0x1b, 0x36, 0xef, 0xd4, 0x4a, 0x93, 0x4d,
25957 -+ 0x00, 0x7c, 0xec, 0x02, 0x07, 0x8b, 0x5d, 0x7d,
25958 -+ 0x1b, 0x0e, 0xd1, 0xa6, 0xa5, 0x5d, 0x7d, 0x57,
25959 -+ 0x88, 0xa8, 0xcc, 0x81, 0xb4, 0x86, 0x4e, 0xb4,
25960 -+ 0x40, 0xe9, 0x1d, 0xc3, 0xb1, 0x24, 0x3e, 0x7f,
25961 -+ 0xcc, 0x8a, 0x24, 0x9b, 0xdf, 0x6d, 0xf0, 0x39,
25962 -+ 0x69, 0x3e, 0x4c, 0xc0, 0x96, 0xe4, 0x13, 0xda,
25963 -+ 0x90, 0xda, 0xf4, 0x95, 0x66, 0x8b, 0x17, 0x17,
25964 -+ 0xfe, 0x39, 0x43, 0x25, 0xaa, 0xda, 0xa0, 0x43,
25965 -+ 0x3c, 0xb1, 0x41, 0x02, 0xa3, 0xf0, 0xa7, 0x19,
25966 -+ 0x59, 0xbc, 0x1d, 0x7d, 0x6c, 0x6d, 0x91, 0x09,
25967 -+ 0x5c, 0xb7, 0x5b, 0x01, 0xd1, 0x6f, 0x17, 0x21,
25968 -+ 0x97, 0xbf, 0x89, 0x71, 0xa5, 0xb0, 0x6e, 0x07,
25969 -+ 0x45, 0xfd, 0x9d, 0xea, 0x07, 0xf6, 0x7a, 0x9f,
25970 -+ 0x10, 0x18, 0x22, 0x30, 0x73, 0xac, 0xd4, 0x6b,
25971 -+ 0x72, 0x44, 0xed, 0xd9, 0x19, 0x9b, 0x2d, 0x4a,
25972 -+ 0x41, 0xdd, 0xd1, 0x85, 0x5e, 0x37, 0x19, 0xed,
25973 -+ 0xd2, 0x15, 0x8f, 0x5e, 0x91, 0xdb, 0x33, 0xf2,
25974 -+ 0xe4, 0xdb, 0xff, 0x98, 0xfb, 0xa3, 0xb5, 0xca,
25975 -+ 0x21, 0x69, 0x08, 0xe7, 0x8a, 0xdf, 0x90, 0xff,
25976 -+ 0x3e, 0xe9, 0x20, 0x86, 0x3c, 0xe9, 0xfc, 0x0b,
25977 -+ 0xfe, 0x5c, 0x61, 0xaa, 0x13, 0x92, 0x7f, 0x7b,
25978 -+ 0xec, 0xe0, 0x6d, 0xa8, 0x23, 0x22, 0xf6, 0x6b,
25979 -+ 0x77, 0xc4, 0xfe, 0x40, 0x07, 0x3b, 0xb6, 0xf6,
25980 -+ 0x8e, 0x5f, 0xd4, 0xb9, 0xb7, 0x0f, 0x21, 0x04,
25981 -+ 0xef, 0x83, 0x63, 0x91, 0x69, 0x40, 0xa3, 0x48,
25982 -+ 0x5c, 0xd2, 0x60, 0xf9, 0x4f, 0x6c, 0x47, 0x8b,
25983 -+ 0x3b, 0xb1, 0x9f, 0x8e, 0xee, 0x16, 0x8a, 0x13,
25984 -+ 0xfc, 0x46, 0x17, 0xc3, 0xc3, 0x32, 0x56, 0xf8,
25985 -+ 0x3c, 0x85, 0x3a, 0xb6, 0x3e, 0xaa, 0x89, 0x4f,
25986 -+ 0xb3, 0xdf, 0x38, 0xfd, 0xf1, 0xe4, 0x3a, 0xc0,
25987 -+ 0xe6, 0x58, 0xb5, 0x8f, 0xc5, 0x29, 0xa2, 0x92,
25988 -+ 0x4a, 0xb6, 0xa0, 0x34, 0x7f, 0xab, 0xb5, 0x8a,
25989 -+ 0x90, 0xa1, 0xdb, 0x4d, 0xca, 0xb6, 0x2c, 0x41,
25990 -+ 0x3c, 0xf7, 0x2b, 0x21, 0xc3, 0xfd, 0xf4, 0x17,
25991 -+ 0x5c, 0xb5, 0x33, 0x17, 0x68, 0x2b, 0x08, 0x30,
25992 -+ 0xf3, 0xf7, 0x30, 0x3c, 0x96, 0xe6, 0x6a, 0x20,
25993 -+ 0x97, 0xe7, 0x4d, 0x10, 0x5f, 0x47, 0x5f, 0x49,
25994 -+ 0x96, 0x09, 0xf0, 0x27, 0x91, 0xc8, 0xf8, 0x5a,
25995 -+ 0x2e, 0x79, 0xb5, 0xe2, 0xb8, 0xe8, 0xb9, 0x7b,
25996 -+ 0xd5, 0x10, 0xcb, 0xff, 0x5d, 0x14, 0x73, 0xf3
25997 -+};
25998 -+static const u8 dec_assoc008[] __initconst = { };
25999 -+static const u8 dec_nonce008[] __initconst = {
26000 -+ 0x0e, 0x0d, 0x57, 0xbb, 0x7b, 0x40, 0x54, 0x02
26001 -+};
26002 -+static const u8 dec_key008[] __initconst = {
26003 -+ 0xf2, 0xaa, 0x4f, 0x99, 0xfd, 0x3e, 0xa8, 0x53,
26004 -+ 0xc1, 0x44, 0xe9, 0x81, 0x18, 0xdc, 0xf5, 0xf0,
26005 -+ 0x3e, 0x44, 0x15, 0x59, 0xe0, 0xc5, 0x44, 0x86,
26006 -+ 0xc3, 0x91, 0xa8, 0x75, 0xc0, 0x12, 0x46, 0xba
26007 -+};
26008 -+
26009 -+static const u8 dec_input009[] __initconst = {
26010 -+ 0xfd, 0x81, 0x8d, 0xd0, 0x3d, 0xb4, 0xd5, 0xdf,
26011 -+ 0xd3, 0x42, 0x47, 0x5a, 0x6d, 0x19, 0x27, 0x66,
26012 -+ 0x4b, 0x2e, 0x0c, 0x27, 0x9c, 0x96, 0x4c, 0x72,
26013 -+ 0x02, 0xa3, 0x65, 0xc3, 0xb3, 0x6f, 0x2e, 0xbd,
26014 -+ 0x63, 0x8a, 0x4a, 0x5d, 0x29, 0xa2, 0xd0, 0x28,
26015 -+ 0x48, 0xc5, 0x3d, 0x98, 0xa3, 0xbc, 0xe0, 0xbe,
26016 -+ 0x3b, 0x3f, 0xe6, 0x8a, 0xa4, 0x7f, 0x53, 0x06,
26017 -+ 0xfa, 0x7f, 0x27, 0x76, 0x72, 0x31, 0xa1, 0xf5,
26018 -+ 0xd6, 0x0c, 0x52, 0x47, 0xba, 0xcd, 0x4f, 0xd7,
26019 -+ 0xeb, 0x05, 0x48, 0x0d, 0x7c, 0x35, 0x4a, 0x09,
26020 -+ 0xc9, 0x76, 0x71, 0x02, 0xa3, 0xfb, 0xb7, 0x1a,
26021 -+ 0x65, 0xb7, 0xed, 0x98, 0xc6, 0x30, 0x8a, 0x00,
26022 -+ 0xae, 0xa1, 0x31, 0xe5, 0xb5, 0x9e, 0x6d, 0x62,
26023 -+ 0xda, 0xda, 0x07, 0x0f, 0x38, 0x38, 0xd3, 0xcb,
26024 -+ 0xc1, 0xb0, 0xad, 0xec, 0x72, 0xec, 0xb1, 0xa2,
26025 -+ 0x7b, 0x59, 0xf3, 0x3d, 0x2b, 0xef, 0xcd, 0x28,
26026 -+ 0x5b, 0x83, 0xcc, 0x18, 0x91, 0x88, 0xb0, 0x2e,
26027 -+ 0xf9, 0x29, 0x31, 0x18, 0xf9, 0x4e, 0xe9, 0x0a,
26028 -+ 0x91, 0x92, 0x9f, 0xae, 0x2d, 0xad, 0xf4, 0xe6,
26029 -+ 0x1a, 0xe2, 0xa4, 0xee, 0x47, 0x15, 0xbf, 0x83,
26030 -+ 0x6e, 0xd7, 0x72, 0x12, 0x3b, 0x2d, 0x24, 0xe9,
26031 -+ 0xb2, 0x55, 0xcb, 0x3c, 0x10, 0xf0, 0x24, 0x8a,
26032 -+ 0x4a, 0x02, 0xea, 0x90, 0x25, 0xf0, 0xb4, 0x79,
26033 -+ 0x3a, 0xef, 0x6e, 0xf5, 0x52, 0xdf, 0xb0, 0x0a,
26034 -+ 0xcd, 0x24, 0x1c, 0xd3, 0x2e, 0x22, 0x74, 0xea,
26035 -+ 0x21, 0x6f, 0xe9, 0xbd, 0xc8, 0x3e, 0x36, 0x5b,
26036 -+ 0x19, 0xf1, 0xca, 0x99, 0x0a, 0xb4, 0xa7, 0x52,
26037 -+ 0x1a, 0x4e, 0xf2, 0xad, 0x8d, 0x56, 0x85, 0xbb,
26038 -+ 0x64, 0x89, 0xba, 0x26, 0xf9, 0xc7, 0xe1, 0x89,
26039 -+ 0x19, 0x22, 0x77, 0xc3, 0xa8, 0xfc, 0xff, 0xad,
26040 -+ 0xfe, 0xb9, 0x48, 0xae, 0x12, 0x30, 0x9f, 0x19,
26041 -+ 0xfb, 0x1b, 0xef, 0x14, 0x87, 0x8a, 0x78, 0x71,
26042 -+ 0xf3, 0xf4, 0xb7, 0x00, 0x9c, 0x1d, 0xb5, 0x3d,
26043 -+ 0x49, 0x00, 0x0c, 0x06, 0xd4, 0x50, 0xf9, 0x54,
26044 -+ 0x45, 0xb2, 0x5b, 0x43, 0xdb, 0x6d, 0xcf, 0x1a,
26045 -+ 0xe9, 0x7a, 0x7a, 0xcf, 0xfc, 0x8a, 0x4e, 0x4d,
26046 -+ 0x0b, 0x07, 0x63, 0x28, 0xd8, 0xe7, 0x08, 0x95,
26047 -+ 0xdf, 0xa6, 0x72, 0x93, 0x2e, 0xbb, 0xa0, 0x42,
26048 -+ 0x89, 0x16, 0xf1, 0xd9, 0x0c, 0xf9, 0xa1, 0x16,
26049 -+ 0xfd, 0xd9, 0x03, 0xb4, 0x3b, 0x8a, 0xf5, 0xf6,
26050 -+ 0xe7, 0x6b, 0x2e, 0x8e, 0x4c, 0x3d, 0xe2, 0xaf,
26051 -+ 0x08, 0x45, 0x03, 0xff, 0x09, 0xb6, 0xeb, 0x2d,
26052 -+ 0xc6, 0x1b, 0x88, 0x94, 0xac, 0x3e, 0xf1, 0x9f,
26053 -+ 0x0e, 0x0e, 0x2b, 0xd5, 0x00, 0x4d, 0x3f, 0x3b,
26054 -+ 0x53, 0xae, 0xaf, 0x1c, 0x33, 0x5f, 0x55, 0x6e,
26055 -+ 0x8d, 0xaf, 0x05, 0x7a, 0x10, 0x34, 0xc9, 0xf4,
26056 -+ 0x66, 0xcb, 0x62, 0x12, 0xa6, 0xee, 0xe8, 0x1c,
26057 -+ 0x5d, 0x12, 0x86, 0xdb, 0x6f, 0x1c, 0x33, 0xc4,
26058 -+ 0x1c, 0xda, 0x82, 0x2d, 0x3b, 0x59, 0xfe, 0xb1,
26059 -+ 0xa4, 0x59, 0x41, 0x86, 0xd0, 0xef, 0xae, 0xfb,
26060 -+ 0xda, 0x6d, 0x11, 0xb8, 0xca, 0xe9, 0x6e, 0xff,
26061 -+ 0xf7, 0xa9, 0xd9, 0x70, 0x30, 0xfc, 0x53, 0xe2,
26062 -+ 0xd7, 0xa2, 0x4e, 0xc7, 0x91, 0xd9, 0x07, 0x06,
26063 -+ 0xaa, 0xdd, 0xb0, 0x59, 0x28, 0x1d, 0x00, 0x66,
26064 -+ 0xc5, 0x54, 0xc2, 0xfc, 0x06, 0xda, 0x05, 0x90,
26065 -+ 0x52, 0x1d, 0x37, 0x66, 0xee, 0xf0, 0xb2, 0x55,
26066 -+ 0x8a, 0x5d, 0xd2, 0x38, 0x86, 0x94, 0x9b, 0xfc,
26067 -+ 0x10, 0x4c, 0xa1, 0xb9, 0x64, 0x3e, 0x44, 0xb8,
26068 -+ 0x5f, 0xb0, 0x0c, 0xec, 0xe0, 0xc9, 0xe5, 0x62,
26069 -+ 0x75, 0x3f, 0x09, 0xd5, 0xf5, 0xd9, 0x26, 0xba,
26070 -+ 0x9e, 0xd2, 0xf4, 0xb9, 0x48, 0x0a, 0xbc, 0xa2,
26071 -+ 0xd6, 0x7c, 0x36, 0x11, 0x7d, 0x26, 0x81, 0x89,
26072 -+ 0xcf, 0xa4, 0xad, 0x73, 0x0e, 0xee, 0xcc, 0x06,
26073 -+ 0xa9, 0xdb, 0xb1, 0xfd, 0xfb, 0x09, 0x7f, 0x90,
26074 -+ 0x42, 0x37, 0x2f, 0xe1, 0x9c, 0x0f, 0x6f, 0xcf,
26075 -+ 0x43, 0xb5, 0xd9, 0x90, 0xe1, 0x85, 0xf5, 0xa8,
26076 -+ 0xae
26077 -+};
26078 -+static const u8 dec_output009[] __initconst = {
26079 -+ 0xe6, 0xc3, 0xdb, 0x63, 0x55, 0x15, 0xe3, 0x5b,
26080 -+ 0xb7, 0x4b, 0x27, 0x8b, 0x5a, 0xdd, 0xc2, 0xe8,
26081 -+ 0x3a, 0x6b, 0xd7, 0x81, 0x96, 0x35, 0x97, 0xca,
26082 -+ 0xd7, 0x68, 0xe8, 0xef, 0xce, 0xab, 0xda, 0x09,
26083 -+ 0x6e, 0xd6, 0x8e, 0xcb, 0x55, 0xb5, 0xe1, 0xe5,
26084 -+ 0x57, 0xfd, 0xc4, 0xe3, 0xe0, 0x18, 0x4f, 0x85,
26085 -+ 0xf5, 0x3f, 0x7e, 0x4b, 0x88, 0xc9, 0x52, 0x44,
26086 -+ 0x0f, 0xea, 0xaf, 0x1f, 0x71, 0x48, 0x9f, 0x97,
26087 -+ 0x6d, 0xb9, 0x6f, 0x00, 0xa6, 0xde, 0x2b, 0x77,
26088 -+ 0x8b, 0x15, 0xad, 0x10, 0xa0, 0x2b, 0x7b, 0x41,
26089 -+ 0x90, 0x03, 0x2d, 0x69, 0xae, 0xcc, 0x77, 0x7c,
26090 -+ 0xa5, 0x9d, 0x29, 0x22, 0xc2, 0xea, 0xb4, 0x00,
26091 -+ 0x1a, 0xd2, 0x7a, 0x98, 0x8a, 0xf9, 0xf7, 0x82,
26092 -+ 0xb0, 0xab, 0xd8, 0xa6, 0x94, 0x8d, 0x58, 0x2f,
26093 -+ 0x01, 0x9e, 0x00, 0x20, 0xfc, 0x49, 0xdc, 0x0e,
26094 -+ 0x03, 0xe8, 0x45, 0x10, 0xd6, 0xa8, 0xda, 0x55,
26095 -+ 0x10, 0x9a, 0xdf, 0x67, 0x22, 0x8b, 0x43, 0xab,
26096 -+ 0x00, 0xbb, 0x02, 0xc8, 0xdd, 0x7b, 0x97, 0x17,
26097 -+ 0xd7, 0x1d, 0x9e, 0x02, 0x5e, 0x48, 0xde, 0x8e,
26098 -+ 0xcf, 0x99, 0x07, 0x95, 0x92, 0x3c, 0x5f, 0x9f,
26099 -+ 0xc5, 0x8a, 0xc0, 0x23, 0xaa, 0xd5, 0x8c, 0x82,
26100 -+ 0x6e, 0x16, 0x92, 0xb1, 0x12, 0x17, 0x07, 0xc3,
26101 -+ 0xfb, 0x36, 0xf5, 0x6c, 0x35, 0xd6, 0x06, 0x1f,
26102 -+ 0x9f, 0xa7, 0x94, 0xa2, 0x38, 0x63, 0x9c, 0xb0,
26103 -+ 0x71, 0xb3, 0xa5, 0xd2, 0xd8, 0xba, 0x9f, 0x08,
26104 -+ 0x01, 0xb3, 0xff, 0x04, 0x97, 0x73, 0x45, 0x1b,
26105 -+ 0xd5, 0xa9, 0x9c, 0x80, 0xaf, 0x04, 0x9a, 0x85,
26106 -+ 0xdb, 0x32, 0x5b, 0x5d, 0x1a, 0xc1, 0x36, 0x28,
26107 -+ 0x10, 0x79, 0xf1, 0x3c, 0xbf, 0x1a, 0x41, 0x5c,
26108 -+ 0x4e, 0xdf, 0xb2, 0x7c, 0x79, 0x3b, 0x7a, 0x62,
26109 -+ 0x3d, 0x4b, 0xc9, 0x9b, 0x2a, 0x2e, 0x7c, 0xa2,
26110 -+ 0xb1, 0x11, 0x98, 0xa7, 0x34, 0x1a, 0x00, 0xf3,
26111 -+ 0xd1, 0xbc, 0x18, 0x22, 0xba, 0x02, 0x56, 0x62,
26112 -+ 0x31, 0x10, 0x11, 0x6d, 0xe0, 0x54, 0x9d, 0x40,
26113 -+ 0x1f, 0x26, 0x80, 0x41, 0xca, 0x3f, 0x68, 0x0f,
26114 -+ 0x32, 0x1d, 0x0a, 0x8e, 0x79, 0xd8, 0xa4, 0x1b,
26115 -+ 0x29, 0x1c, 0x90, 0x8e, 0xc5, 0xe3, 0xb4, 0x91,
26116 -+ 0x37, 0x9a, 0x97, 0x86, 0x99, 0xd5, 0x09, 0xc5,
26117 -+ 0xbb, 0xa3, 0x3f, 0x21, 0x29, 0x82, 0x14, 0x5c,
26118 -+ 0xab, 0x25, 0xfb, 0xf2, 0x4f, 0x58, 0x26, 0xd4,
26119 -+ 0x83, 0xaa, 0x66, 0x89, 0x67, 0x7e, 0xc0, 0x49,
26120 -+ 0xe1, 0x11, 0x10, 0x7f, 0x7a, 0xda, 0x29, 0x04,
26121 -+ 0xff, 0xf0, 0xcb, 0x09, 0x7c, 0x9d, 0xfa, 0x03,
26122 -+ 0x6f, 0x81, 0x09, 0x31, 0x60, 0xfb, 0x08, 0xfa,
26123 -+ 0x74, 0xd3, 0x64, 0x44, 0x7c, 0x55, 0x85, 0xec,
26124 -+ 0x9c, 0x6e, 0x25, 0xb7, 0x6c, 0xc5, 0x37, 0xb6,
26125 -+ 0x83, 0x87, 0x72, 0x95, 0x8b, 0x9d, 0xe1, 0x69,
26126 -+ 0x5c, 0x31, 0x95, 0x42, 0xa6, 0x2c, 0xd1, 0x36,
26127 -+ 0x47, 0x1f, 0xec, 0x54, 0xab, 0xa2, 0x1c, 0xd8,
26128 -+ 0x00, 0xcc, 0xbc, 0x0d, 0x65, 0xe2, 0x67, 0xbf,
26129 -+ 0xbc, 0xea, 0xee, 0x9e, 0xe4, 0x36, 0x95, 0xbe,
26130 -+ 0x73, 0xd9, 0xa6, 0xd9, 0x0f, 0xa0, 0xcc, 0x82,
26131 -+ 0x76, 0x26, 0xad, 0x5b, 0x58, 0x6c, 0x4e, 0xab,
26132 -+ 0x29, 0x64, 0xd3, 0xd9, 0xa9, 0x08, 0x8c, 0x1d,
26133 -+ 0xa1, 0x4f, 0x80, 0xd8, 0x3f, 0x94, 0xfb, 0xd3,
26134 -+ 0x7b, 0xfc, 0xd1, 0x2b, 0xc3, 0x21, 0xeb, 0xe5,
26135 -+ 0x1c, 0x84, 0x23, 0x7f, 0x4b, 0xfa, 0xdb, 0x34,
26136 -+ 0x18, 0xa2, 0xc2, 0xe5, 0x13, 0xfe, 0x6c, 0x49,
26137 -+ 0x81, 0xd2, 0x73, 0xe7, 0xe2, 0xd7, 0xe4, 0x4f,
26138 -+ 0x4b, 0x08, 0x6e, 0xb1, 0x12, 0x22, 0x10, 0x9d,
26139 -+ 0xac, 0x51, 0x1e, 0x17, 0xd9, 0x8a, 0x0b, 0x42,
26140 -+ 0x88, 0x16, 0x81, 0x37, 0x7c, 0x6a, 0xf7, 0xef,
26141 -+ 0x2d, 0xe3, 0xd9, 0xf8, 0x5f, 0xe0, 0x53, 0x27,
26142 -+ 0x74, 0xb9, 0xe2, 0xd6, 0x1c, 0x80, 0x2c, 0x52,
26143 -+ 0x65
26144 -+};
26145 -+static const u8 dec_assoc009[] __initconst = {
26146 -+ 0x5a, 0x27, 0xff, 0xeb, 0xdf, 0x84, 0xb2, 0x9e,
26147 -+ 0xef
26148 -+};
26149 -+static const u8 dec_nonce009[] __initconst = {
26150 -+ 0xef, 0x2d, 0x63, 0xee, 0x6b, 0x80, 0x8b, 0x78
26151 -+};
26152 -+static const u8 dec_key009[] __initconst = {
26153 -+ 0xea, 0xbc, 0x56, 0x99, 0xe3, 0x50, 0xff, 0xc5,
26154 -+ 0xcc, 0x1a, 0xd7, 0xc1, 0x57, 0x72, 0xea, 0x86,
26155 -+ 0x5b, 0x89, 0x88, 0x61, 0x3d, 0x2f, 0x9b, 0xb2,
26156 -+ 0xe7, 0x9c, 0xec, 0x74, 0x6e, 0x3e, 0xf4, 0x3b
26157 -+};
26158 -+
26159 -+static const u8 dec_input010[] __initconst = {
26160 -+ 0xe5, 0x26, 0xa4, 0x3d, 0xbd, 0x33, 0xd0, 0x4b,
26161 -+ 0x6f, 0x05, 0xa7, 0x6e, 0x12, 0x7a, 0xd2, 0x74,
26162 -+ 0xa6, 0xdd, 0xbd, 0x95, 0xeb, 0xf9, 0xa4, 0xf1,
26163 -+ 0x59, 0x93, 0x91, 0x70, 0xd9, 0xfe, 0x9a, 0xcd,
26164 -+ 0x53, 0x1f, 0x3a, 0xab, 0xa6, 0x7c, 0x9f, 0xa6,
26165 -+ 0x9e, 0xbd, 0x99, 0xd9, 0xb5, 0x97, 0x44, 0xd5,
26166 -+ 0x14, 0x48, 0x4d, 0x9d, 0xc0, 0xd0, 0x05, 0x96,
26167 -+ 0xeb, 0x4c, 0x78, 0x55, 0x09, 0x08, 0x01, 0x02,
26168 -+ 0x30, 0x90, 0x7b, 0x96, 0x7a, 0x7b, 0x5f, 0x30,
26169 -+ 0x41, 0x24, 0xce, 0x68, 0x61, 0x49, 0x86, 0x57,
26170 -+ 0x82, 0xdd, 0x53, 0x1c, 0x51, 0x28, 0x2b, 0x53,
26171 -+ 0x6e, 0x2d, 0xc2, 0x20, 0x4c, 0xdd, 0x8f, 0x65,
26172 -+ 0x10, 0x20, 0x50, 0xdd, 0x9d, 0x50, 0xe5, 0x71,
26173 -+ 0x40, 0x53, 0x69, 0xfc, 0x77, 0x48, 0x11, 0xb9,
26174 -+ 0xde, 0xa4, 0x8d, 0x58, 0xe4, 0xa6, 0x1a, 0x18,
26175 -+ 0x47, 0x81, 0x7e, 0xfc, 0xdd, 0xf6, 0xef, 0xce,
26176 -+ 0x2f, 0x43, 0x68, 0xd6, 0x06, 0xe2, 0x74, 0x6a,
26177 -+ 0xad, 0x90, 0xf5, 0x37, 0xf3, 0x3d, 0x82, 0x69,
26178 -+ 0x40, 0xe9, 0x6b, 0xa7, 0x3d, 0xa8, 0x1e, 0xd2,
26179 -+ 0x02, 0x7c, 0xb7, 0x9b, 0xe4, 0xda, 0x8f, 0x95,
26180 -+ 0x06, 0xc5, 0xdf, 0x73, 0xa3, 0x20, 0x9a, 0x49,
26181 -+ 0xde, 0x9c, 0xbc, 0xee, 0x14, 0x3f, 0x81, 0x5e,
26182 -+ 0xf8, 0x3b, 0x59, 0x3c, 0xe1, 0x68, 0x12, 0x5a,
26183 -+ 0x3a, 0x76, 0x3a, 0x3f, 0xf7, 0x87, 0x33, 0x0a,
26184 -+ 0x01, 0xb8, 0xd4, 0xed, 0xb6, 0xbe, 0x94, 0x5e,
26185 -+ 0x70, 0x40, 0x56, 0x67, 0x1f, 0x50, 0x44, 0x19,
26186 -+ 0xce, 0x82, 0x70, 0x10, 0x87, 0x13, 0x20, 0x0b,
26187 -+ 0x4c, 0x5a, 0xb6, 0xf6, 0xa7, 0xae, 0x81, 0x75,
26188 -+ 0x01, 0x81, 0xe6, 0x4b, 0x57, 0x7c, 0xdd, 0x6d,
26189 -+ 0xf8, 0x1c, 0x29, 0x32, 0xf7, 0xda, 0x3c, 0x2d,
26190 -+ 0xf8, 0x9b, 0x25, 0x6e, 0x00, 0xb4, 0xf7, 0x2f,
26191 -+ 0xf7, 0x04, 0xf7, 0xa1, 0x56, 0xac, 0x4f, 0x1a,
26192 -+ 0x64, 0xb8, 0x47, 0x55, 0x18, 0x7b, 0x07, 0x4d,
26193 -+ 0xbd, 0x47, 0x24, 0x80, 0x5d, 0xa2, 0x70, 0xc5,
26194 -+ 0xdd, 0x8e, 0x82, 0xd4, 0xeb, 0xec, 0xb2, 0x0c,
26195 -+ 0x39, 0xd2, 0x97, 0xc1, 0xcb, 0xeb, 0xf4, 0x77,
26196 -+ 0x59, 0xb4, 0x87, 0xef, 0xcb, 0x43, 0x2d, 0x46,
26197 -+ 0x54, 0xd1, 0xa7, 0xd7, 0x15, 0x99, 0x0a, 0x43,
26198 -+ 0xa1, 0xe0, 0x99, 0x33, 0x71, 0xc1, 0xed, 0xfe,
26199 -+ 0x72, 0x46, 0x33, 0x8e, 0x91, 0x08, 0x9f, 0xc8,
26200 -+ 0x2e, 0xca, 0xfa, 0xdc, 0x59, 0xd5, 0xc3, 0x76,
26201 -+ 0x84, 0x9f, 0xa3, 0x37, 0x68, 0xc3, 0xf0, 0x47,
26202 -+ 0x2c, 0x68, 0xdb, 0x5e, 0xc3, 0x49, 0x4c, 0xe8,
26203 -+ 0x92, 0x85, 0xe2, 0x23, 0xd3, 0x3f, 0xad, 0x32,
26204 -+ 0xe5, 0x2b, 0x82, 0xd7, 0x8f, 0x99, 0x0a, 0x59,
26205 -+ 0x5c, 0x45, 0xd9, 0xb4, 0x51, 0x52, 0xc2, 0xae,
26206 -+ 0xbf, 0x80, 0xcf, 0xc9, 0xc9, 0x51, 0x24, 0x2a,
26207 -+ 0x3b, 0x3a, 0x4d, 0xae, 0xeb, 0xbd, 0x22, 0xc3,
26208 -+ 0x0e, 0x0f, 0x59, 0x25, 0x92, 0x17, 0xe9, 0x74,
26209 -+ 0xc7, 0x8b, 0x70, 0x70, 0x36, 0x55, 0x95, 0x75,
26210 -+ 0x4b, 0xad, 0x61, 0x2b, 0x09, 0xbc, 0x82, 0xf2,
26211 -+ 0x6e, 0x94, 0x43, 0xae, 0xc3, 0xd5, 0xcd, 0x8e,
26212 -+ 0xfe, 0x5b, 0x9a, 0x88, 0x43, 0x01, 0x75, 0xb2,
26213 -+ 0x23, 0x09, 0xf7, 0x89, 0x83, 0xe7, 0xfa, 0xf9,
26214 -+ 0xb4, 0x9b, 0xf8, 0xef, 0xbd, 0x1c, 0x92, 0xc1,
26215 -+ 0xda, 0x7e, 0xfe, 0x05, 0xba, 0x5a, 0xcd, 0x07,
26216 -+ 0x6a, 0x78, 0x9e, 0x5d, 0xfb, 0x11, 0x2f, 0x79,
26217 -+ 0x38, 0xb6, 0xc2, 0x5b, 0x6b, 0x51, 0xb4, 0x71,
26218 -+ 0xdd, 0xf7, 0x2a, 0xe4, 0xf4, 0x72, 0x76, 0xad,
26219 -+ 0xc2, 0xdd, 0x64, 0x5d, 0x79, 0xb6, 0xf5, 0x7a,
26220 -+ 0x77, 0x20, 0x05, 0x3d, 0x30, 0x06, 0xd4, 0x4c,
26221 -+ 0x0a, 0x2c, 0x98, 0x5a, 0xb9, 0xd4, 0x98, 0xa9,
26222 -+ 0x3f, 0xc6, 0x12, 0xea, 0x3b, 0x4b, 0xc5, 0x79,
26223 -+ 0x64, 0x63, 0x6b, 0x09, 0x54, 0x3b, 0x14, 0x27,
26224 -+ 0xba, 0x99, 0x80, 0xc8, 0x72, 0xa8, 0x12, 0x90,
26225 -+ 0x29, 0xba, 0x40, 0x54, 0x97, 0x2b, 0x7b, 0xfe,
26226 -+ 0xeb, 0xcd, 0x01, 0x05, 0x44, 0x72, 0xdb, 0x99,
26227 -+ 0xe4, 0x61, 0xc9, 0x69, 0xd6, 0xb9, 0x28, 0xd1,
26228 -+ 0x05, 0x3e, 0xf9, 0x0b, 0x49, 0x0a, 0x49, 0xe9,
26229 -+ 0x8d, 0x0e, 0xa7, 0x4a, 0x0f, 0xaf, 0x32, 0xd0,
26230 -+ 0xe0, 0xb2, 0x3a, 0x55, 0x58, 0xfe, 0x5c, 0x28,
26231 -+ 0x70, 0x51, 0x23, 0xb0, 0x7b, 0x6a, 0x5f, 0x1e,
26232 -+ 0xb8, 0x17, 0xd7, 0x94, 0x15, 0x8f, 0xee, 0x20,
26233 -+ 0xc7, 0x42, 0x25, 0x3e, 0x9a, 0x14, 0xd7, 0x60,
26234 -+ 0x72, 0x39, 0x47, 0x48, 0xa9, 0xfe, 0xdd, 0x47,
26235 -+ 0x0a, 0xb1, 0xe6, 0x60, 0x28, 0x8c, 0x11, 0x68,
26236 -+ 0xe1, 0xff, 0xd7, 0xce, 0xc8, 0xbe, 0xb3, 0xfe,
26237 -+ 0x27, 0x30, 0x09, 0x70, 0xd7, 0xfa, 0x02, 0x33,
26238 -+ 0x3a, 0x61, 0x2e, 0xc7, 0xff, 0xa4, 0x2a, 0xa8,
26239 -+ 0x6e, 0xb4, 0x79, 0x35, 0x6d, 0x4c, 0x1e, 0x38,
26240 -+ 0xf8, 0xee, 0xd4, 0x84, 0x4e, 0x6e, 0x28, 0xa7,
26241 -+ 0xce, 0xc8, 0xc1, 0xcf, 0x80, 0x05, 0xf3, 0x04,
26242 -+ 0xef, 0xc8, 0x18, 0x28, 0x2e, 0x8d, 0x5e, 0x0c,
26243 -+ 0xdf, 0xb8, 0x5f, 0x96, 0xe8, 0xc6, 0x9c, 0x2f,
26244 -+ 0xe5, 0xa6, 0x44, 0xd7, 0xe7, 0x99, 0x44, 0x0c,
26245 -+ 0xec, 0xd7, 0x05, 0x60, 0x97, 0xbb, 0x74, 0x77,
26246 -+ 0x58, 0xd5, 0xbb, 0x48, 0xde, 0x5a, 0xb2, 0x54,
26247 -+ 0x7f, 0x0e, 0x46, 0x70, 0x6a, 0x6f, 0x78, 0xa5,
26248 -+ 0x08, 0x89, 0x05, 0x4e, 0x7e, 0xa0, 0x69, 0xb4,
26249 -+ 0x40, 0x60, 0x55, 0x77, 0x75, 0x9b, 0x19, 0xf2,
26250 -+ 0xd5, 0x13, 0x80, 0x77, 0xf9, 0x4b, 0x3f, 0x1e,
26251 -+ 0xee, 0xe6, 0x76, 0x84, 0x7b, 0x8c, 0xe5, 0x27,
26252 -+ 0xa8, 0x0a, 0x91, 0x01, 0x68, 0x71, 0x8a, 0x3f,
26253 -+ 0x06, 0xab, 0xf6, 0xa9, 0xa5, 0xe6, 0x72, 0x92,
26254 -+ 0xe4, 0x67, 0xe2, 0xa2, 0x46, 0x35, 0x84, 0x55,
26255 -+ 0x7d, 0xca, 0xa8, 0x85, 0xd0, 0xf1, 0x3f, 0xbe,
26256 -+ 0xd7, 0x34, 0x64, 0xfc, 0xae, 0xe3, 0xe4, 0x04,
26257 -+ 0x9f, 0x66, 0x02, 0xb9, 0x88, 0x10, 0xd9, 0xc4,
26258 -+ 0x4c, 0x31, 0x43, 0x7a, 0x93, 0xe2, 0x9b, 0x56,
26259 -+ 0x43, 0x84, 0xdc, 0xdc, 0xde, 0x1d, 0xa4, 0x02,
26260 -+ 0x0e, 0xc2, 0xef, 0xc3, 0xf8, 0x78, 0xd1, 0xb2,
26261 -+ 0x6b, 0x63, 0x18, 0xc9, 0xa9, 0xe5, 0x72, 0xd8,
26262 -+ 0xf3, 0xb9, 0xd1, 0x8a, 0xc7, 0x1a, 0x02, 0x27,
26263 -+ 0x20, 0x77, 0x10, 0xe5, 0xc8, 0xd4, 0x4a, 0x47,
26264 -+ 0xe5, 0xdf, 0x5f, 0x01, 0xaa, 0xb0, 0xd4, 0x10,
26265 -+ 0xbb, 0x69, 0xe3, 0x36, 0xc8, 0xe1, 0x3d, 0x43,
26266 -+ 0xfb, 0x86, 0xcd, 0xcc, 0xbf, 0xf4, 0x88, 0xe0,
26267 -+ 0x20, 0xca, 0xb7, 0x1b, 0xf1, 0x2f, 0x5c, 0xee,
26268 -+ 0xd4, 0xd3, 0xa3, 0xcc, 0xa4, 0x1e, 0x1c, 0x47,
26269 -+ 0xfb, 0xbf, 0xfc, 0xa2, 0x41, 0x55, 0x9d, 0xf6,
26270 -+ 0x5a, 0x5e, 0x65, 0x32, 0x34, 0x7b, 0x52, 0x8d,
26271 -+ 0xd5, 0xd0, 0x20, 0x60, 0x03, 0xab, 0x3f, 0x8c,
26272 -+ 0xd4, 0x21, 0xea, 0x2a, 0xd9, 0xc4, 0xd0, 0xd3,
26273 -+ 0x65, 0xd8, 0x7a, 0x13, 0x28, 0x62, 0x32, 0x4b,
26274 -+ 0x2c, 0x87, 0x93, 0xa8, 0xb4, 0x52, 0x45, 0x09,
26275 -+ 0x44, 0xec, 0xec, 0xc3, 0x17, 0xdb, 0x9a, 0x4d,
26276 -+ 0x5c, 0xa9, 0x11, 0xd4, 0x7d, 0xaf, 0x9e, 0xf1,
26277 -+ 0x2d, 0xb2, 0x66, 0xc5, 0x1d, 0xed, 0xb7, 0xcd,
26278 -+ 0x0b, 0x25, 0x5e, 0x30, 0x47, 0x3f, 0x40, 0xf4,
26279 -+ 0xa1, 0xa0, 0x00, 0x94, 0x10, 0xc5, 0x6a, 0x63,
26280 -+ 0x1a, 0xd5, 0x88, 0x92, 0x8e, 0x82, 0x39, 0x87,
26281 -+ 0x3c, 0x78, 0x65, 0x58, 0x42, 0x75, 0x5b, 0xdd,
26282 -+ 0x77, 0x3e, 0x09, 0x4e, 0x76, 0x5b, 0xe6, 0x0e,
26283 -+ 0x4d, 0x38, 0xb2, 0xc0, 0xb8, 0x95, 0x01, 0x7a,
26284 -+ 0x10, 0xe0, 0xfb, 0x07, 0xf2, 0xab, 0x2d, 0x8c,
26285 -+ 0x32, 0xed, 0x2b, 0xc0, 0x46, 0xc2, 0xf5, 0x38,
26286 -+ 0x83, 0xf0, 0x17, 0xec, 0xc1, 0x20, 0x6a, 0x9a,
26287 -+ 0x0b, 0x00, 0xa0, 0x98, 0x22, 0x50, 0x23, 0xd5,
26288 -+ 0x80, 0x6b, 0xf6, 0x1f, 0xc3, 0xcc, 0x97, 0xc9,
26289 -+ 0x24, 0x9f, 0xf3, 0xaf, 0x43, 0x14, 0xd5, 0xa0
26290 -+};
26291 -+static const u8 dec_output010[] __initconst = {
26292 -+ 0x42, 0x93, 0xe4, 0xeb, 0x97, 0xb0, 0x57, 0xbf,
26293 -+ 0x1a, 0x8b, 0x1f, 0xe4, 0x5f, 0x36, 0x20, 0x3c,
26294 -+ 0xef, 0x0a, 0xa9, 0x48, 0x5f, 0x5f, 0x37, 0x22,
26295 -+ 0x3a, 0xde, 0xe3, 0xae, 0xbe, 0xad, 0x07, 0xcc,
26296 -+ 0xb1, 0xf6, 0xf5, 0xf9, 0x56, 0xdd, 0xe7, 0x16,
26297 -+ 0x1e, 0x7f, 0xdf, 0x7a, 0x9e, 0x75, 0xb7, 0xc7,
26298 -+ 0xbe, 0xbe, 0x8a, 0x36, 0x04, 0xc0, 0x10, 0xf4,
26299 -+ 0x95, 0x20, 0x03, 0xec, 0xdc, 0x05, 0xa1, 0x7d,
26300 -+ 0xc4, 0xa9, 0x2c, 0x82, 0xd0, 0xbc, 0x8b, 0xc5,
26301 -+ 0xc7, 0x45, 0x50, 0xf6, 0xa2, 0x1a, 0xb5, 0x46,
26302 -+ 0x3b, 0x73, 0x02, 0xa6, 0x83, 0x4b, 0x73, 0x82,
26303 -+ 0x58, 0x5e, 0x3b, 0x65, 0x2f, 0x0e, 0xfd, 0x2b,
26304 -+ 0x59, 0x16, 0xce, 0xa1, 0x60, 0x9c, 0xe8, 0x3a,
26305 -+ 0x99, 0xed, 0x8d, 0x5a, 0xcf, 0xf6, 0x83, 0xaf,
26306 -+ 0xba, 0xd7, 0x73, 0x73, 0x40, 0x97, 0x3d, 0xca,
26307 -+ 0xef, 0x07, 0x57, 0xe6, 0xd9, 0x70, 0x0e, 0x95,
26308 -+ 0xae, 0xa6, 0x8d, 0x04, 0xcc, 0xee, 0xf7, 0x09,
26309 -+ 0x31, 0x77, 0x12, 0xa3, 0x23, 0x97, 0x62, 0xb3,
26310 -+ 0x7b, 0x32, 0xfb, 0x80, 0x14, 0x48, 0x81, 0xc3,
26311 -+ 0xe5, 0xea, 0x91, 0x39, 0x52, 0x81, 0xa2, 0x4f,
26312 -+ 0xe4, 0xb3, 0x09, 0xff, 0xde, 0x5e, 0xe9, 0x58,
26313 -+ 0x84, 0x6e, 0xf9, 0x3d, 0xdf, 0x25, 0xea, 0xad,
26314 -+ 0xae, 0xe6, 0x9a, 0xd1, 0x89, 0x55, 0xd3, 0xde,
26315 -+ 0x6c, 0x52, 0xdb, 0x70, 0xfe, 0x37, 0xce, 0x44,
26316 -+ 0x0a, 0xa8, 0x25, 0x5f, 0x92, 0xc1, 0x33, 0x4a,
26317 -+ 0x4f, 0x9b, 0x62, 0x35, 0xff, 0xce, 0xc0, 0xa9,
26318 -+ 0x60, 0xce, 0x52, 0x00, 0x97, 0x51, 0x35, 0x26,
26319 -+ 0x2e, 0xb9, 0x36, 0xa9, 0x87, 0x6e, 0x1e, 0xcc,
26320 -+ 0x91, 0x78, 0x53, 0x98, 0x86, 0x5b, 0x9c, 0x74,
26321 -+ 0x7d, 0x88, 0x33, 0xe1, 0xdf, 0x37, 0x69, 0x2b,
26322 -+ 0xbb, 0xf1, 0x4d, 0xf4, 0xd1, 0xf1, 0x39, 0x93,
26323 -+ 0x17, 0x51, 0x19, 0xe3, 0x19, 0x1e, 0x76, 0x37,
26324 -+ 0x25, 0xfb, 0x09, 0x27, 0x6a, 0xab, 0x67, 0x6f,
26325 -+ 0x14, 0x12, 0x64, 0xe7, 0xc4, 0x07, 0xdf, 0x4d,
26326 -+ 0x17, 0xbb, 0x6d, 0xe0, 0xe9, 0xb9, 0xab, 0xca,
26327 -+ 0x10, 0x68, 0xaf, 0x7e, 0xb7, 0x33, 0x54, 0x73,
26328 -+ 0x07, 0x6e, 0xf7, 0x81, 0x97, 0x9c, 0x05, 0x6f,
26329 -+ 0x84, 0x5f, 0xd2, 0x42, 0xfb, 0x38, 0xcf, 0xd1,
26330 -+ 0x2f, 0x14, 0x30, 0x88, 0x98, 0x4d, 0x5a, 0xa9,
26331 -+ 0x76, 0xd5, 0x4f, 0x3e, 0x70, 0x6c, 0x85, 0x76,
26332 -+ 0xd7, 0x01, 0xa0, 0x1a, 0xc8, 0x4e, 0xaa, 0xac,
26333 -+ 0x78, 0xfe, 0x46, 0xde, 0x6a, 0x05, 0x46, 0xa7,
26334 -+ 0x43, 0x0c, 0xb9, 0xde, 0xb9, 0x68, 0xfb, 0xce,
26335 -+ 0x42, 0x99, 0x07, 0x4d, 0x0b, 0x3b, 0x5a, 0x30,
26336 -+ 0x35, 0xa8, 0xf9, 0x3a, 0x73, 0xef, 0x0f, 0xdb,
26337 -+ 0x1e, 0x16, 0x42, 0xc4, 0xba, 0xae, 0x58, 0xaa,
26338 -+ 0xf8, 0xe5, 0x75, 0x2f, 0x1b, 0x15, 0x5c, 0xfd,
26339 -+ 0x0a, 0x97, 0xd0, 0xe4, 0x37, 0x83, 0x61, 0x5f,
26340 -+ 0x43, 0xa6, 0xc7, 0x3f, 0x38, 0x59, 0xe6, 0xeb,
26341 -+ 0xa3, 0x90, 0xc3, 0xaa, 0xaa, 0x5a, 0xd3, 0x34,
26342 -+ 0xd4, 0x17, 0xc8, 0x65, 0x3e, 0x57, 0xbc, 0x5e,
26343 -+ 0xdd, 0x9e, 0xb7, 0xf0, 0x2e, 0x5b, 0xb2, 0x1f,
26344 -+ 0x8a, 0x08, 0x0d, 0x45, 0x91, 0x0b, 0x29, 0x53,
26345 -+ 0x4f, 0x4c, 0x5a, 0x73, 0x56, 0xfe, 0xaf, 0x41,
26346 -+ 0x01, 0x39, 0x0a, 0x24, 0x3c, 0x7e, 0xbe, 0x4e,
26347 -+ 0x53, 0xf3, 0xeb, 0x06, 0x66, 0x51, 0x28, 0x1d,
26348 -+ 0xbd, 0x41, 0x0a, 0x01, 0xab, 0x16, 0x47, 0x27,
26349 -+ 0x47, 0x47, 0xf7, 0xcb, 0x46, 0x0a, 0x70, 0x9e,
26350 -+ 0x01, 0x9c, 0x09, 0xe1, 0x2a, 0x00, 0x1a, 0xd8,
26351 -+ 0xd4, 0x79, 0x9d, 0x80, 0x15, 0x8e, 0x53, 0x2a,
26352 -+ 0x65, 0x83, 0x78, 0x3e, 0x03, 0x00, 0x07, 0x12,
26353 -+ 0x1f, 0x33, 0x3e, 0x7b, 0x13, 0x37, 0xf1, 0xc3,
26354 -+ 0xef, 0xb7, 0xc1, 0x20, 0x3c, 0x3e, 0x67, 0x66,
26355 -+ 0x5d, 0x88, 0xa7, 0x7d, 0x33, 0x50, 0x77, 0xb0,
26356 -+ 0x28, 0x8e, 0xe7, 0x2c, 0x2e, 0x7a, 0xf4, 0x3c,
26357 -+ 0x8d, 0x74, 0x83, 0xaf, 0x8e, 0x87, 0x0f, 0xe4,
26358 -+ 0x50, 0xff, 0x84, 0x5c, 0x47, 0x0c, 0x6a, 0x49,
26359 -+ 0xbf, 0x42, 0x86, 0x77, 0x15, 0x48, 0xa5, 0x90,
26360 -+ 0x5d, 0x93, 0xd6, 0x2a, 0x11, 0xd5, 0xd5, 0x11,
26361 -+ 0xaa, 0xce, 0xe7, 0x6f, 0xa5, 0xb0, 0x09, 0x2c,
26362 -+ 0x8d, 0xd3, 0x92, 0xf0, 0x5a, 0x2a, 0xda, 0x5b,
26363 -+ 0x1e, 0xd5, 0x9a, 0xc4, 0xc4, 0xf3, 0x49, 0x74,
26364 -+ 0x41, 0xca, 0xe8, 0xc1, 0xf8, 0x44, 0xd6, 0x3c,
26365 -+ 0xae, 0x6c, 0x1d, 0x9a, 0x30, 0x04, 0x4d, 0x27,
26366 -+ 0x0e, 0xb1, 0x5f, 0x59, 0xa2, 0x24, 0xe8, 0xe1,
26367 -+ 0x98, 0xc5, 0x6a, 0x4c, 0xfe, 0x41, 0xd2, 0x27,
26368 -+ 0x42, 0x52, 0xe1, 0xe9, 0x7d, 0x62, 0xe4, 0x88,
26369 -+ 0x0f, 0xad, 0xb2, 0x70, 0xcb, 0x9d, 0x4c, 0x27,
26370 -+ 0x2e, 0x76, 0x1e, 0x1a, 0x63, 0x65, 0xf5, 0x3b,
26371 -+ 0xf8, 0x57, 0x69, 0xeb, 0x5b, 0x38, 0x26, 0x39,
26372 -+ 0x33, 0x25, 0x45, 0x3e, 0x91, 0xb8, 0xd8, 0xc7,
26373 -+ 0xd5, 0x42, 0xc0, 0x22, 0x31, 0x74, 0xf4, 0xbc,
26374 -+ 0x0c, 0x23, 0xf1, 0xca, 0xc1, 0x8d, 0xd7, 0xbe,
26375 -+ 0xc9, 0x62, 0xe4, 0x08, 0x1a, 0xcf, 0x36, 0xd5,
26376 -+ 0xfe, 0x55, 0x21, 0x59, 0x91, 0x87, 0x87, 0xdf,
26377 -+ 0x06, 0xdb, 0xdf, 0x96, 0x45, 0x58, 0xda, 0x05,
26378 -+ 0xcd, 0x50, 0x4d, 0xd2, 0x7d, 0x05, 0x18, 0x73,
26379 -+ 0x6a, 0x8d, 0x11, 0x85, 0xa6, 0x88, 0xe8, 0xda,
26380 -+ 0xe6, 0x30, 0x33, 0xa4, 0x89, 0x31, 0x75, 0xbe,
26381 -+ 0x69, 0x43, 0x84, 0x43, 0x50, 0x87, 0xdd, 0x71,
26382 -+ 0x36, 0x83, 0xc3, 0x78, 0x74, 0x24, 0x0a, 0xed,
26383 -+ 0x7b, 0xdb, 0xa4, 0x24, 0x0b, 0xb9, 0x7e, 0x5d,
26384 -+ 0xff, 0xde, 0xb1, 0xef, 0x61, 0x5a, 0x45, 0x33,
26385 -+ 0xf6, 0x17, 0x07, 0x08, 0x98, 0x83, 0x92, 0x0f,
26386 -+ 0x23, 0x6d, 0xe6, 0xaa, 0x17, 0x54, 0xad, 0x6a,
26387 -+ 0xc8, 0xdb, 0x26, 0xbe, 0xb8, 0xb6, 0x08, 0xfa,
26388 -+ 0x68, 0xf1, 0xd7, 0x79, 0x6f, 0x18, 0xb4, 0x9e,
26389 -+ 0x2d, 0x3f, 0x1b, 0x64, 0xaf, 0x8d, 0x06, 0x0e,
26390 -+ 0x49, 0x28, 0xe0, 0x5d, 0x45, 0x68, 0x13, 0x87,
26391 -+ 0xfa, 0xde, 0x40, 0x7b, 0xd2, 0xc3, 0x94, 0xd5,
26392 -+ 0xe1, 0xd9, 0xc2, 0xaf, 0x55, 0x89, 0xeb, 0xb4,
26393 -+ 0x12, 0x59, 0xa8, 0xd4, 0xc5, 0x29, 0x66, 0x38,
26394 -+ 0xe6, 0xac, 0x22, 0x22, 0xd9, 0x64, 0x9b, 0x34,
26395 -+ 0x0a, 0x32, 0x9f, 0xc2, 0xbf, 0x17, 0x6c, 0x3f,
26396 -+ 0x71, 0x7a, 0x38, 0x6b, 0x98, 0xfb, 0x49, 0x36,
26397 -+ 0x89, 0xc9, 0xe2, 0xd6, 0xc7, 0x5d, 0xd0, 0x69,
26398 -+ 0x5f, 0x23, 0x35, 0xc9, 0x30, 0xe2, 0xfd, 0x44,
26399 -+ 0x58, 0x39, 0xd7, 0x97, 0xfb, 0x5c, 0x00, 0xd5,
26400 -+ 0x4f, 0x7a, 0x1a, 0x95, 0x8b, 0x62, 0x4b, 0xce,
26401 -+ 0xe5, 0x91, 0x21, 0x7b, 0x30, 0x00, 0xd6, 0xdd,
26402 -+ 0x6d, 0x02, 0x86, 0x49, 0x0f, 0x3c, 0x1a, 0x27,
26403 -+ 0x3c, 0xd3, 0x0e, 0x71, 0xf2, 0xff, 0xf5, 0x2f,
26404 -+ 0x87, 0xac, 0x67, 0x59, 0x81, 0xa3, 0xf7, 0xf8,
26405 -+ 0xd6, 0x11, 0x0c, 0x84, 0xa9, 0x03, 0xee, 0x2a,
26406 -+ 0xc4, 0xf3, 0x22, 0xab, 0x7c, 0xe2, 0x25, 0xf5,
26407 -+ 0x67, 0xa3, 0xe4, 0x11, 0xe0, 0x59, 0xb3, 0xca,
26408 -+ 0x87, 0xa0, 0xae, 0xc9, 0xa6, 0x62, 0x1b, 0x6e,
26409 -+ 0x4d, 0x02, 0x6b, 0x07, 0x9d, 0xfd, 0xd0, 0x92,
26410 -+ 0x06, 0xe1, 0xb2, 0x9a, 0x4a, 0x1f, 0x1f, 0x13,
26411 -+ 0x49, 0x99, 0x97, 0x08, 0xde, 0x7f, 0x98, 0xaf,
26412 -+ 0x51, 0x98, 0xee, 0x2c, 0xcb, 0xf0, 0x0b, 0xc6,
26413 -+ 0xb6, 0xb7, 0x2d, 0x9a, 0xb1, 0xac, 0xa6, 0xe3,
26414 -+ 0x15, 0x77, 0x9d, 0x6b, 0x1a, 0xe4, 0xfc, 0x8b,
26415 -+ 0xf2, 0x17, 0x59, 0x08, 0x04, 0x58, 0x81, 0x9d,
26416 -+ 0x1b, 0x1b, 0x69, 0x55, 0xc2, 0xb4, 0x3c, 0x1f,
26417 -+ 0x50, 0xf1, 0x7f, 0x77, 0x90, 0x4c, 0x66, 0x40,
26418 -+ 0x5a, 0xc0, 0x33, 0x1f, 0xcb, 0x05, 0x6d, 0x5c,
26419 -+ 0x06, 0x87, 0x52, 0xa2, 0x8f, 0x26, 0xd5, 0x4f
26420 -+};
26421 -+static const u8 dec_assoc010[] __initconst = {
26422 -+ 0xd2, 0xa1, 0x70, 0xdb, 0x7a, 0xf8, 0xfa, 0x27,
26423 -+ 0xba, 0x73, 0x0f, 0xbf, 0x3d, 0x1e, 0x82, 0xb2
26424 -+};
26425 -+static const u8 dec_nonce010[] __initconst = {
26426 -+ 0xdb, 0x92, 0x0f, 0x7f, 0x17, 0x54, 0x0c, 0x30
26427 -+};
26428 -+static const u8 dec_key010[] __initconst = {
26429 -+ 0x47, 0x11, 0xeb, 0x86, 0x2b, 0x2c, 0xab, 0x44,
26430 -+ 0x34, 0xda, 0x7f, 0x57, 0x03, 0x39, 0x0c, 0xaf,
26431 -+ 0x2c, 0x14, 0xfd, 0x65, 0x23, 0xe9, 0x8e, 0x74,
26432 -+ 0xd5, 0x08, 0x68, 0x08, 0xe7, 0xb4, 0x72, 0xd7
26433 -+};
26434 -+
26435 -+static const u8 dec_input011[] __initconst = {
26436 -+ 0x6a, 0xfc, 0x4b, 0x25, 0xdf, 0xc0, 0xe4, 0xe8,
26437 -+ 0x17, 0x4d, 0x4c, 0xc9, 0x7e, 0xde, 0x3a, 0xcc,
26438 -+ 0x3c, 0xba, 0x6a, 0x77, 0x47, 0xdb, 0xe3, 0x74,
26439 -+ 0x7a, 0x4d, 0x5f, 0x8d, 0x37, 0x55, 0x80, 0x73,
26440 -+ 0x90, 0x66, 0x5d, 0x3a, 0x7d, 0x5d, 0x86, 0x5e,
26441 -+ 0x8d, 0xfd, 0x83, 0xff, 0x4e, 0x74, 0x6f, 0xf9,
26442 -+ 0xe6, 0x70, 0x17, 0x70, 0x3e, 0x96, 0xa7, 0x7e,
26443 -+ 0xcb, 0xab, 0x8f, 0x58, 0x24, 0x9b, 0x01, 0xfd,
26444 -+ 0xcb, 0xe6, 0x4d, 0x9b, 0xf0, 0x88, 0x94, 0x57,
26445 -+ 0x66, 0xef, 0x72, 0x4c, 0x42, 0x6e, 0x16, 0x19,
26446 -+ 0x15, 0xea, 0x70, 0x5b, 0xac, 0x13, 0xdb, 0x9f,
26447 -+ 0x18, 0xe2, 0x3c, 0x26, 0x97, 0xbc, 0xdc, 0x45,
26448 -+ 0x8c, 0x6c, 0x24, 0x69, 0x9c, 0xf7, 0x65, 0x1e,
26449 -+ 0x18, 0x59, 0x31, 0x7c, 0xe4, 0x73, 0xbc, 0x39,
26450 -+ 0x62, 0xc6, 0x5c, 0x9f, 0xbf, 0xfa, 0x90, 0x03,
26451 -+ 0xc9, 0x72, 0x26, 0xb6, 0x1b, 0xc2, 0xb7, 0x3f,
26452 -+ 0xf2, 0x13, 0x77, 0xf2, 0x8d, 0xb9, 0x47, 0xd0,
26453 -+ 0x53, 0xdd, 0xc8, 0x91, 0x83, 0x8b, 0xb1, 0xce,
26454 -+ 0xa3, 0xfe, 0xcd, 0xd9, 0xdd, 0x92, 0x7b, 0xdb,
26455 -+ 0xb8, 0xfb, 0xc9, 0x2d, 0x01, 0x59, 0x39, 0x52,
26456 -+ 0xad, 0x1b, 0xec, 0xcf, 0xd7, 0x70, 0x13, 0x21,
26457 -+ 0xf5, 0x47, 0xaa, 0x18, 0x21, 0x5c, 0xc9, 0x9a,
26458 -+ 0xd2, 0x6b, 0x05, 0x9c, 0x01, 0xa1, 0xda, 0x35,
26459 -+ 0x5d, 0xb3, 0x70, 0xe6, 0xa9, 0x80, 0x8b, 0x91,
26460 -+ 0xb7, 0xb3, 0x5f, 0x24, 0x9a, 0xb7, 0xd1, 0x6b,
26461 -+ 0xa1, 0x1c, 0x50, 0xba, 0x49, 0xe0, 0xee, 0x2e,
26462 -+ 0x75, 0xac, 0x69, 0xc0, 0xeb, 0x03, 0xdd, 0x19,
26463 -+ 0xe5, 0xf6, 0x06, 0xdd, 0xc3, 0xd7, 0x2b, 0x07,
26464 -+ 0x07, 0x30, 0xa7, 0x19, 0x0c, 0xbf, 0xe6, 0x18,
26465 -+ 0xcc, 0xb1, 0x01, 0x11, 0x85, 0x77, 0x1d, 0x96,
26466 -+ 0xa7, 0xa3, 0x00, 0x84, 0x02, 0xa2, 0x83, 0x68,
26467 -+ 0xda, 0x17, 0x27, 0xc8, 0x7f, 0x23, 0xb7, 0xf4,
26468 -+ 0x13, 0x85, 0xcf, 0xdd, 0x7a, 0x7d, 0x24, 0x57,
26469 -+ 0xfe, 0x05, 0x93, 0xf5, 0x74, 0xce, 0xed, 0x0c,
26470 -+ 0x20, 0x98, 0x8d, 0x92, 0x30, 0xa1, 0x29, 0x23,
26471 -+ 0x1a, 0xa0, 0x4f, 0x69, 0x56, 0x4c, 0xe1, 0xc8,
26472 -+ 0xce, 0xf6, 0x9a, 0x0c, 0xa4, 0xfa, 0x04, 0xf6,
26473 -+ 0x62, 0x95, 0xf2, 0xfa, 0xc7, 0x40, 0x68, 0x40,
26474 -+ 0x8f, 0x41, 0xda, 0xb4, 0x26, 0x6f, 0x70, 0xab,
26475 -+ 0x40, 0x61, 0xa4, 0x0e, 0x75, 0xfb, 0x86, 0xeb,
26476 -+ 0x9d, 0x9a, 0x1f, 0xec, 0x76, 0x99, 0xe7, 0xea,
26477 -+ 0xaa, 0x1e, 0x2d, 0xb5, 0xd4, 0xa6, 0x1a, 0xb8,
26478 -+ 0x61, 0x0a, 0x1d, 0x16, 0x5b, 0x98, 0xc2, 0x31,
26479 -+ 0x40, 0xe7, 0x23, 0x1d, 0x66, 0x99, 0xc8, 0xc0,
26480 -+ 0xd7, 0xce, 0xf3, 0x57, 0x40, 0x04, 0x3f, 0xfc,
26481 -+ 0xea, 0xb3, 0xfc, 0xd2, 0xd3, 0x99, 0xa4, 0x94,
26482 -+ 0x69, 0xa0, 0xef, 0xd1, 0x85, 0xb3, 0xa6, 0xb1,
26483 -+ 0x28, 0xbf, 0x94, 0x67, 0x22, 0xc3, 0x36, 0x46,
26484 -+ 0xf8, 0xd2, 0x0f, 0x5f, 0xf4, 0x59, 0x80, 0xe6,
26485 -+ 0x2d, 0x43, 0x08, 0x7d, 0x19, 0x09, 0x97, 0xa7,
26486 -+ 0x4c, 0x3d, 0x8d, 0xba, 0x65, 0x62, 0xa3, 0x71,
26487 -+ 0x33, 0x29, 0x62, 0xdb, 0xc1, 0x33, 0x34, 0x1a,
26488 -+ 0x63, 0x33, 0x16, 0xb6, 0x64, 0x7e, 0xab, 0x33,
26489 -+ 0xf0, 0xe6, 0x26, 0x68, 0xba, 0x1d, 0x2e, 0x38,
26490 -+ 0x08, 0xe6, 0x02, 0xd3, 0x25, 0x2c, 0x47, 0x23,
26491 -+ 0x58, 0x34, 0x0f, 0x9d, 0x63, 0x4f, 0x63, 0xbb,
26492 -+ 0x7f, 0x3b, 0x34, 0x38, 0xa7, 0xb5, 0x8d, 0x65,
26493 -+ 0xd9, 0x9f, 0x79, 0x55, 0x3e, 0x4d, 0xe7, 0x73,
26494 -+ 0xd8, 0xf6, 0x98, 0x97, 0x84, 0x60, 0x9c, 0xc8,
26495 -+ 0xa9, 0x3c, 0xf6, 0xdc, 0x12, 0x5c, 0xe1, 0xbb,
26496 -+ 0x0b, 0x8b, 0x98, 0x9c, 0x9d, 0x26, 0x7c, 0x4a,
26497 -+ 0xe6, 0x46, 0x36, 0x58, 0x21, 0x4a, 0xee, 0xca,
26498 -+ 0xd7, 0x3b, 0xc2, 0x6c, 0x49, 0x2f, 0xe5, 0xd5,
26499 -+ 0x03, 0x59, 0x84, 0x53, 0xcb, 0xfe, 0x92, 0x71,
26500 -+ 0x2e, 0x7c, 0x21, 0xcc, 0x99, 0x85, 0x7f, 0xb8,
26501 -+ 0x74, 0x90, 0x13, 0x42, 0x3f, 0xe0, 0x6b, 0x1d,
26502 -+ 0xf2, 0x4d, 0x54, 0xd4, 0xfc, 0x3a, 0x05, 0xe6,
26503 -+ 0x74, 0xaf, 0xa6, 0xa0, 0x2a, 0x20, 0x23, 0x5d,
26504 -+ 0x34, 0x5c, 0xd9, 0x3e, 0x4e, 0xfa, 0x93, 0xe7,
26505 -+ 0xaa, 0xe9, 0x6f, 0x08, 0x43, 0x67, 0x41, 0xc5,
26506 -+ 0xad, 0xfb, 0x31, 0x95, 0x82, 0x73, 0x32, 0xd8,
26507 -+ 0xa6, 0xa3, 0xed, 0x0e, 0x2d, 0xf6, 0x5f, 0xfd,
26508 -+ 0x80, 0xa6, 0x7a, 0xe0, 0xdf, 0x78, 0x15, 0x29,
26509 -+ 0x74, 0x33, 0xd0, 0x9e, 0x83, 0x86, 0x72, 0x22,
26510 -+ 0x57, 0x29, 0xb9, 0x9e, 0x5d, 0xd3, 0x1a, 0xb5,
26511 -+ 0x96, 0x72, 0x41, 0x3d, 0xf1, 0x64, 0x43, 0x67,
26512 -+ 0xee, 0xaa, 0x5c, 0xd3, 0x9a, 0x96, 0x13, 0x11,
26513 -+ 0x5d, 0xf3, 0x0c, 0x87, 0x82, 0x1e, 0x41, 0x9e,
26514 -+ 0xd0, 0x27, 0xd7, 0x54, 0x3b, 0x67, 0x73, 0x09,
26515 -+ 0x91, 0xe9, 0xd5, 0x36, 0xa7, 0xb5, 0x55, 0xe4,
26516 -+ 0xf3, 0x21, 0x51, 0x49, 0x22, 0x07, 0x55, 0x4f,
26517 -+ 0x44, 0x4b, 0xd2, 0x15, 0x93, 0x17, 0x2a, 0xfa,
26518 -+ 0x4d, 0x4a, 0x57, 0xdb, 0x4c, 0xa6, 0xeb, 0xec,
26519 -+ 0x53, 0x25, 0x6c, 0x21, 0xed, 0x00, 0x4c, 0x3b,
26520 -+ 0xca, 0x14, 0x57, 0xa9, 0xd6, 0x6a, 0xcd, 0x8d,
26521 -+ 0x5e, 0x74, 0xac, 0x72, 0xc1, 0x97, 0xe5, 0x1b,
26522 -+ 0x45, 0x4e, 0xda, 0xfc, 0xcc, 0x40, 0xe8, 0x48,
26523 -+ 0x88, 0x0b, 0xa3, 0xe3, 0x8d, 0x83, 0x42, 0xc3,
26524 -+ 0x23, 0xfd, 0x68, 0xb5, 0x8e, 0xf1, 0x9d, 0x63,
26525 -+ 0x77, 0xe9, 0xa3, 0x8e, 0x8c, 0x26, 0x6b, 0xbd,
26526 -+ 0x72, 0x73, 0x35, 0x0c, 0x03, 0xf8, 0x43, 0x78,
26527 -+ 0x52, 0x71, 0x15, 0x1f, 0x71, 0x5d, 0x6e, 0xed,
26528 -+ 0xb9, 0xcc, 0x86, 0x30, 0xdb, 0x2b, 0xd3, 0x82,
26529 -+ 0x88, 0x23, 0x71, 0x90, 0x53, 0x5c, 0xa9, 0x2f,
26530 -+ 0x76, 0x01, 0xb7, 0x9a, 0xfe, 0x43, 0x55, 0xa3,
26531 -+ 0x04, 0x9b, 0x0e, 0xe4, 0x59, 0xdf, 0xc9, 0xe9,
26532 -+ 0xb1, 0xea, 0x29, 0x28, 0x3c, 0x5c, 0xae, 0x72,
26533 -+ 0x84, 0xb6, 0xc6, 0xeb, 0x0c, 0x27, 0x07, 0x74,
26534 -+ 0x90, 0x0d, 0x31, 0xb0, 0x00, 0x77, 0xe9, 0x40,
26535 -+ 0x70, 0x6f, 0x68, 0xa7, 0xfd, 0x06, 0xec, 0x4b,
26536 -+ 0xc0, 0xb7, 0xac, 0xbc, 0x33, 0xb7, 0x6d, 0x0a,
26537 -+ 0xbd, 0x12, 0x1b, 0x59, 0xcb, 0xdd, 0x32, 0xf5,
26538 -+ 0x1d, 0x94, 0x57, 0x76, 0x9e, 0x0c, 0x18, 0x98,
26539 -+ 0x71, 0xd7, 0x2a, 0xdb, 0x0b, 0x7b, 0xa7, 0x71,
26540 -+ 0xb7, 0x67, 0x81, 0x23, 0x96, 0xae, 0xb9, 0x7e,
26541 -+ 0x32, 0x43, 0x92, 0x8a, 0x19, 0xa0, 0xc4, 0xd4,
26542 -+ 0x3b, 0x57, 0xf9, 0x4a, 0x2c, 0xfb, 0x51, 0x46,
26543 -+ 0xbb, 0xcb, 0x5d, 0xb3, 0xef, 0x13, 0x93, 0x6e,
26544 -+ 0x68, 0x42, 0x54, 0x57, 0xd3, 0x6a, 0x3a, 0x8f,
26545 -+ 0x9d, 0x66, 0xbf, 0xbd, 0x36, 0x23, 0xf5, 0x93,
26546 -+ 0x83, 0x7b, 0x9c, 0xc0, 0xdd, 0xc5, 0x49, 0xc0,
26547 -+ 0x64, 0xed, 0x07, 0x12, 0xb3, 0xe6, 0xe4, 0xe5,
26548 -+ 0x38, 0x95, 0x23, 0xb1, 0xa0, 0x3b, 0x1a, 0x61,
26549 -+ 0xda, 0x17, 0xac, 0xc3, 0x58, 0xdd, 0x74, 0x64,
26550 -+ 0x22, 0x11, 0xe8, 0x32, 0x1d, 0x16, 0x93, 0x85,
26551 -+ 0x99, 0xa5, 0x9c, 0x34, 0x55, 0xb1, 0xe9, 0x20,
26552 -+ 0x72, 0xc9, 0x28, 0x7b, 0x79, 0x00, 0xa1, 0xa6,
26553 -+ 0xa3, 0x27, 0x40, 0x18, 0x8a, 0x54, 0xe0, 0xcc,
26554 -+ 0xe8, 0x4e, 0x8e, 0x43, 0x96, 0xe7, 0x3f, 0xc8,
26555 -+ 0xe9, 0xb2, 0xf9, 0xc9, 0xda, 0x04, 0x71, 0x50,
26556 -+ 0x47, 0xe4, 0xaa, 0xce, 0xa2, 0x30, 0xc8, 0xe4,
26557 -+ 0xac, 0xc7, 0x0d, 0x06, 0x2e, 0xe6, 0xe8, 0x80,
26558 -+ 0x36, 0x29, 0x9e, 0x01, 0xb8, 0xc3, 0xf0, 0xa0,
26559 -+ 0x5d, 0x7a, 0xca, 0x4d, 0xa0, 0x57, 0xbd, 0x2a,
26560 -+ 0x45, 0xa7, 0x7f, 0x9c, 0x93, 0x07, 0x8f, 0x35,
26561 -+ 0x67, 0x92, 0xe3, 0xe9, 0x7f, 0xa8, 0x61, 0x43,
26562 -+ 0x9e, 0x25, 0x4f, 0x33, 0x76, 0x13, 0x6e, 0x12,
26563 -+ 0xb9, 0xdd, 0xa4, 0x7c, 0x08, 0x9f, 0x7c, 0xe7,
26564 -+ 0x0a, 0x8d, 0x84, 0x06, 0xa4, 0x33, 0x17, 0x34,
26565 -+ 0x5e, 0x10, 0x7c, 0xc0, 0xa8, 0x3d, 0x1f, 0x42,
26566 -+ 0x20, 0x51, 0x65, 0x5d, 0x09, 0xc3, 0xaa, 0xc0,
26567 -+ 0xc8, 0x0d, 0xf0, 0x79, 0xbc, 0x20, 0x1b, 0x95,
26568 -+ 0xe7, 0x06, 0x7d, 0x47, 0x20, 0x03, 0x1a, 0x74,
26569 -+ 0xdd, 0xe2, 0xd4, 0xae, 0x38, 0x71, 0x9b, 0xf5,
26570 -+ 0x80, 0xec, 0x08, 0x4e, 0x56, 0xba, 0x76, 0x12,
26571 -+ 0x1a, 0xdf, 0x48, 0xf3, 0xae, 0xb3, 0xe6, 0xe6,
26572 -+ 0xbe, 0xc0, 0x91, 0x2e, 0x01, 0xb3, 0x01, 0x86,
26573 -+ 0xa2, 0xb9, 0x52, 0xd1, 0x21, 0xae, 0xd4, 0x97,
26574 -+ 0x1d, 0xef, 0x41, 0x12, 0x95, 0x3d, 0x48, 0x45,
26575 -+ 0x1c, 0x56, 0x32, 0x8f, 0xb8, 0x43, 0xbb, 0x19,
26576 -+ 0xf3, 0xca, 0xe9, 0xeb, 0x6d, 0x84, 0xbe, 0x86,
26577 -+ 0x06, 0xe2, 0x36, 0xb2, 0x62, 0x9d, 0xd3, 0x4c,
26578 -+ 0x48, 0x18, 0x54, 0x13, 0x4e, 0xcf, 0xfd, 0xba,
26579 -+ 0x84, 0xb9, 0x30, 0x53, 0xcf, 0xfb, 0xb9, 0x29,
26580 -+ 0x8f, 0xdc, 0x9f, 0xef, 0x60, 0x0b, 0x64, 0xf6,
26581 -+ 0x8b, 0xee, 0xa6, 0x91, 0xc2, 0x41, 0x6c, 0xf6,
26582 -+ 0xfa, 0x79, 0x67, 0x4b, 0xc1, 0x3f, 0xaf, 0x09,
26583 -+ 0x81, 0xd4, 0x5d, 0xcb, 0x09, 0xdf, 0x36, 0x31,
26584 -+ 0xc0, 0x14, 0x3c, 0x7c, 0x0e, 0x65, 0x95, 0x99,
26585 -+ 0x6d, 0xa3, 0xf4, 0xd7, 0x38, 0xee, 0x1a, 0x2b,
26586 -+ 0x37, 0xe2, 0xa4, 0x3b, 0x4b, 0xd0, 0x65, 0xca,
26587 -+ 0xf8, 0xc3, 0xe8, 0x15, 0x20, 0xef, 0xf2, 0x00,
26588 -+ 0xfd, 0x01, 0x09, 0xc5, 0xc8, 0x17, 0x04, 0x93,
26589 -+ 0xd0, 0x93, 0x03, 0x55, 0xc5, 0xfe, 0x32, 0xa3,
26590 -+ 0x3e, 0x28, 0x2d, 0x3b, 0x93, 0x8a, 0xcc, 0x07,
26591 -+ 0x72, 0x80, 0x8b, 0x74, 0x16, 0x24, 0xbb, 0xda,
26592 -+ 0x94, 0x39, 0x30, 0x8f, 0xb1, 0xcd, 0x4a, 0x90,
26593 -+ 0x92, 0x7c, 0x14, 0x8f, 0x95, 0x4e, 0xac, 0x9b,
26594 -+ 0xd8, 0x8f, 0x1a, 0x87, 0xa4, 0x32, 0x27, 0x8a,
26595 -+ 0xba, 0xf7, 0x41, 0xcf, 0x84, 0x37, 0x19, 0xe6,
26596 -+ 0x06, 0xf5, 0x0e, 0xcf, 0x36, 0xf5, 0x9e, 0x6c,
26597 -+ 0xde, 0xbc, 0xff, 0x64, 0x7e, 0x4e, 0x59, 0x57,
26598 -+ 0x48, 0xfe, 0x14, 0xf7, 0x9c, 0x93, 0x5d, 0x15,
26599 -+ 0xad, 0xcc, 0x11, 0xb1, 0x17, 0x18, 0xb2, 0x7e,
26600 -+ 0xcc, 0xab, 0xe9, 0xce, 0x7d, 0x77, 0x5b, 0x51,
26601 -+ 0x1b, 0x1e, 0x20, 0xa8, 0x32, 0x06, 0x0e, 0x75,
26602 -+ 0x93, 0xac, 0xdb, 0x35, 0x37, 0x1f, 0xe9, 0x19,
26603 -+ 0x1d, 0xb4, 0x71, 0x97, 0xd6, 0x4e, 0x2c, 0x08,
26604 -+ 0xa5, 0x13, 0xf9, 0x0e, 0x7e, 0x78, 0x6e, 0x14,
26605 -+ 0xe0, 0xa9, 0xb9, 0x96, 0x4c, 0x80, 0x82, 0xba,
26606 -+ 0x17, 0xb3, 0x9d, 0x69, 0xb0, 0x84, 0x46, 0xff,
26607 -+ 0xf9, 0x52, 0x79, 0x94, 0x58, 0x3a, 0x62, 0x90,
26608 -+ 0x15, 0x35, 0x71, 0x10, 0x37, 0xed, 0xa1, 0x8e,
26609 -+ 0x53, 0x6e, 0xf4, 0x26, 0x57, 0x93, 0x15, 0x93,
26610 -+ 0xf6, 0x81, 0x2c, 0x5a, 0x10, 0xda, 0x92, 0xad,
26611 -+ 0x2f, 0xdb, 0x28, 0x31, 0x2d, 0x55, 0x04, 0xd2,
26612 -+ 0x06, 0x28, 0x8c, 0x1e, 0xdc, 0xea, 0x54, 0xac,
26613 -+ 0xff, 0xb7, 0x6c, 0x30, 0x15, 0xd4, 0xb4, 0x0d,
26614 -+ 0x00, 0x93, 0x57, 0xdd, 0xd2, 0x07, 0x07, 0x06,
26615 -+ 0xd9, 0x43, 0x9b, 0xcd, 0x3a, 0xf4, 0x7d, 0x4c,
26616 -+ 0x36, 0x5d, 0x23, 0xa2, 0xcc, 0x57, 0x40, 0x91,
26617 -+ 0xe9, 0x2c, 0x2f, 0x2c, 0xd5, 0x30, 0x9b, 0x17,
26618 -+ 0xb0, 0xc9, 0xf7, 0xa7, 0x2f, 0xd1, 0x93, 0x20,
26619 -+ 0x6b, 0xc6, 0xc1, 0xe4, 0x6f, 0xcb, 0xd1, 0xe7,
26620 -+ 0x09, 0x0f, 0x9e, 0xdc, 0xaa, 0x9f, 0x2f, 0xdf,
26621 -+ 0x56, 0x9f, 0xd4, 0x33, 0x04, 0xaf, 0xd3, 0x6c,
26622 -+ 0x58, 0x61, 0xf0, 0x30, 0xec, 0xf2, 0x7f, 0xf2,
26623 -+ 0x9c, 0xdf, 0x39, 0xbb, 0x6f, 0xa2, 0x8c, 0x7e,
26624 -+ 0xc4, 0x22, 0x51, 0x71, 0xc0, 0x4d, 0x14, 0x1a,
26625 -+ 0xc4, 0xcd, 0x04, 0xd9, 0x87, 0x08, 0x50, 0x05,
26626 -+ 0xcc, 0xaf, 0xf6, 0xf0, 0x8f, 0x92, 0x54, 0x58,
26627 -+ 0xc2, 0xc7, 0x09, 0x7a, 0x59, 0x02, 0x05, 0xe8,
26628 -+ 0xb0, 0x86, 0xd9, 0xbf, 0x7b, 0x35, 0x51, 0x4d,
26629 -+ 0xaf, 0x08, 0x97, 0x2c, 0x65, 0xda, 0x2a, 0x71,
26630 -+ 0x3a, 0xa8, 0x51, 0xcc, 0xf2, 0x73, 0x27, 0xc3,
26631 -+ 0xfd, 0x62, 0xcf, 0xe3, 0xb2, 0xca, 0xcb, 0xbe,
26632 -+ 0x1a, 0x0a, 0xa1, 0x34, 0x7b, 0x77, 0xc4, 0x62,
26633 -+ 0x68, 0x78, 0x5f, 0x94, 0x07, 0x04, 0x65, 0x16,
26634 -+ 0x4b, 0x61, 0xcb, 0xff, 0x75, 0x26, 0x50, 0x66,
26635 -+ 0x1f, 0x6e, 0x93, 0xf8, 0xc5, 0x51, 0xeb, 0xa4,
26636 -+ 0x4a, 0x48, 0x68, 0x6b, 0xe2, 0x5e, 0x44, 0xb2,
26637 -+ 0x50, 0x2c, 0x6c, 0xae, 0x79, 0x4e, 0x66, 0x35,
26638 -+ 0x81, 0x50, 0xac, 0xbc, 0x3f, 0xb1, 0x0c, 0xf3,
26639 -+ 0x05, 0x3c, 0x4a, 0xa3, 0x6c, 0x2a, 0x79, 0xb4,
26640 -+ 0xb7, 0xab, 0xca, 0xc7, 0x9b, 0x8e, 0xcd, 0x5f,
26641 -+ 0x11, 0x03, 0xcb, 0x30, 0xa3, 0xab, 0xda, 0xfe,
26642 -+ 0x64, 0xb9, 0xbb, 0xd8, 0x5e, 0x3a, 0x1a, 0x56,
26643 -+ 0xe5, 0x05, 0x48, 0x90, 0x1e, 0x61, 0x69, 0x1b,
26644 -+ 0x22, 0xe6, 0x1a, 0x3c, 0x75, 0xad, 0x1f, 0x37,
26645 -+ 0x28, 0xdc, 0xe4, 0x6d, 0xbd, 0x42, 0xdc, 0xd3,
26646 -+ 0xc8, 0xb6, 0x1c, 0x48, 0xfe, 0x94, 0x77, 0x7f,
26647 -+ 0xbd, 0x62, 0xac, 0xa3, 0x47, 0x27, 0xcf, 0x5f,
26648 -+ 0xd9, 0xdb, 0xaf, 0xec, 0xf7, 0x5e, 0xc1, 0xb0,
26649 -+ 0x9d, 0x01, 0x26, 0x99, 0x7e, 0x8f, 0x03, 0x70,
26650 -+ 0xb5, 0x42, 0xbe, 0x67, 0x28, 0x1b, 0x7c, 0xbd,
26651 -+ 0x61, 0x21, 0x97, 0xcc, 0x5c, 0xe1, 0x97, 0x8f,
26652 -+ 0x8d, 0xde, 0x2b, 0xaa, 0xa7, 0x71, 0x1d, 0x1e,
26653 -+ 0x02, 0x73, 0x70, 0x58, 0x32, 0x5b, 0x1d, 0x67,
26654 -+ 0x3d, 0xe0, 0x74, 0x4f, 0x03, 0xf2, 0x70, 0x51,
26655 -+ 0x79, 0xf1, 0x61, 0x70, 0x15, 0x74, 0x9d, 0x23,
26656 -+ 0x89, 0xde, 0xac, 0xfd, 0xde, 0xd0, 0x1f, 0xc3,
26657 -+ 0x87, 0x44, 0x35, 0x4b, 0xe5, 0xb0, 0x60, 0xc5,
26658 -+ 0x22, 0xe4, 0x9e, 0xca, 0xeb, 0xd5, 0x3a, 0x09,
26659 -+ 0x45, 0xa4, 0xdb, 0xfa, 0x3f, 0xeb, 0x1b, 0xc7,
26660 -+ 0xc8, 0x14, 0x99, 0x51, 0x92, 0x10, 0xed, 0xed,
26661 -+ 0x28, 0xe0, 0xa1, 0xf8, 0x26, 0xcf, 0xcd, 0xcb,
26662 -+ 0x63, 0xa1, 0x3b, 0xe3, 0xdf, 0x7e, 0xfe, 0xa6,
26663 -+ 0xf0, 0x81, 0x9a, 0xbf, 0x55, 0xde, 0x54, 0xd5,
26664 -+ 0x56, 0x60, 0x98, 0x10, 0x68, 0xf4, 0x38, 0x96,
26665 -+ 0x8e, 0x6f, 0x1d, 0x44, 0x7f, 0xd6, 0x2f, 0xfe,
26666 -+ 0x55, 0xfb, 0x0c, 0x7e, 0x67, 0xe2, 0x61, 0x44,
26667 -+ 0xed, 0xf2, 0x35, 0x30, 0x5d, 0xe9, 0xc7, 0xd6,
26668 -+ 0x6d, 0xe0, 0xa0, 0xed, 0xf3, 0xfc, 0xd8, 0x3e,
26669 -+ 0x0a, 0x7b, 0xcd, 0xaf, 0x65, 0x68, 0x18, 0xc0,
26670 -+ 0xec, 0x04, 0x1c, 0x74, 0x6d, 0xe2, 0x6e, 0x79,
26671 -+ 0xd4, 0x11, 0x2b, 0x62, 0xd5, 0x27, 0xad, 0x4f,
26672 -+ 0x01, 0x59, 0x73, 0xcc, 0x6a, 0x53, 0xfb, 0x2d,
26673 -+ 0xd5, 0x4e, 0x99, 0x21, 0x65, 0x4d, 0xf5, 0x82,
26674 -+ 0xf7, 0xd8, 0x42, 0xce, 0x6f, 0x3d, 0x36, 0x47,
26675 -+ 0xf1, 0x05, 0x16, 0xe8, 0x1b, 0x6a, 0x8f, 0x93,
26676 -+ 0xf2, 0x8f, 0x37, 0x40, 0x12, 0x28, 0xa3, 0xe6,
26677 -+ 0xb9, 0x17, 0x4a, 0x1f, 0xb1, 0xd1, 0x66, 0x69,
26678 -+ 0x86, 0xc4, 0xfc, 0x97, 0xae, 0x3f, 0x8f, 0x1e,
26679 -+ 0x2b, 0xdf, 0xcd, 0xf9, 0x3c
26680 -+};
26681 -+static const u8 dec_output011[] __initconst = {
26682 -+ 0x7a, 0x57, 0xf2, 0xc7, 0x06, 0x3f, 0x50, 0x7b,
26683 -+ 0x36, 0x1a, 0x66, 0x5c, 0xb9, 0x0e, 0x5e, 0x3b,
26684 -+ 0x45, 0x60, 0xbe, 0x9a, 0x31, 0x9f, 0xff, 0x5d,
26685 -+ 0x66, 0x34, 0xb4, 0xdc, 0xfb, 0x9d, 0x8e, 0xee,
26686 -+ 0x6a, 0x33, 0xa4, 0x07, 0x3c, 0xf9, 0x4c, 0x30,
26687 -+ 0xa1, 0x24, 0x52, 0xf9, 0x50, 0x46, 0x88, 0x20,
26688 -+ 0x02, 0x32, 0x3a, 0x0e, 0x99, 0x63, 0xaf, 0x1f,
26689 -+ 0x15, 0x28, 0x2a, 0x05, 0xff, 0x57, 0x59, 0x5e,
26690 -+ 0x18, 0xa1, 0x1f, 0xd0, 0x92, 0x5c, 0x88, 0x66,
26691 -+ 0x1b, 0x00, 0x64, 0xa5, 0x93, 0x8d, 0x06, 0x46,
26692 -+ 0xb0, 0x64, 0x8b, 0x8b, 0xef, 0x99, 0x05, 0x35,
26693 -+ 0x85, 0xb3, 0xf3, 0x33, 0xbb, 0xec, 0x66, 0xb6,
26694 -+ 0x3d, 0x57, 0x42, 0xe3, 0xb4, 0xc6, 0xaa, 0xb0,
26695 -+ 0x41, 0x2a, 0xb9, 0x59, 0xa9, 0xf6, 0x3e, 0x15,
26696 -+ 0x26, 0x12, 0x03, 0x21, 0x4c, 0x74, 0x43, 0x13,
26697 -+ 0x2a, 0x03, 0x27, 0x09, 0xb4, 0xfb, 0xe7, 0xb7,
26698 -+ 0x40, 0xff, 0x5e, 0xce, 0x48, 0x9a, 0x60, 0xe3,
26699 -+ 0x8b, 0x80, 0x8c, 0x38, 0x2d, 0xcb, 0x93, 0x37,
26700 -+ 0x74, 0x05, 0x52, 0x6f, 0x73, 0x3e, 0xc3, 0xbc,
26701 -+ 0xca, 0x72, 0x0a, 0xeb, 0xf1, 0x3b, 0xa0, 0x95,
26702 -+ 0xdc, 0x8a, 0xc4, 0xa9, 0xdc, 0xca, 0x44, 0xd8,
26703 -+ 0x08, 0x63, 0x6a, 0x36, 0xd3, 0x3c, 0xb8, 0xac,
26704 -+ 0x46, 0x7d, 0xfd, 0xaa, 0xeb, 0x3e, 0x0f, 0x45,
26705 -+ 0x8f, 0x49, 0xda, 0x2b, 0xf2, 0x12, 0xbd, 0xaf,
26706 -+ 0x67, 0x8a, 0x63, 0x48, 0x4b, 0x55, 0x5f, 0x6d,
26707 -+ 0x8c, 0xb9, 0x76, 0x34, 0x84, 0xae, 0xc2, 0xfc,
26708 -+ 0x52, 0x64, 0x82, 0xf7, 0xb0, 0x06, 0xf0, 0x45,
26709 -+ 0x73, 0x12, 0x50, 0x30, 0x72, 0xea, 0x78, 0x9a,
26710 -+ 0xa8, 0xaf, 0xb5, 0xe3, 0xbb, 0x77, 0x52, 0xec,
26711 -+ 0x59, 0x84, 0xbf, 0x6b, 0x8f, 0xce, 0x86, 0x5e,
26712 -+ 0x1f, 0x23, 0xe9, 0xfb, 0x08, 0x86, 0xf7, 0x10,
26713 -+ 0xb9, 0xf2, 0x44, 0x96, 0x44, 0x63, 0xa9, 0xa8,
26714 -+ 0x78, 0x00, 0x23, 0xd6, 0xc7, 0xe7, 0x6e, 0x66,
26715 -+ 0x4f, 0xcc, 0xee, 0x15, 0xb3, 0xbd, 0x1d, 0xa0,
26716 -+ 0xe5, 0x9c, 0x1b, 0x24, 0x2c, 0x4d, 0x3c, 0x62,
26717 -+ 0x35, 0x9c, 0x88, 0x59, 0x09, 0xdd, 0x82, 0x1b,
26718 -+ 0xcf, 0x0a, 0x83, 0x6b, 0x3f, 0xae, 0x03, 0xc4,
26719 -+ 0xb4, 0xdd, 0x7e, 0x5b, 0x28, 0x76, 0x25, 0x96,
26720 -+ 0xd9, 0xc9, 0x9d, 0x5f, 0x86, 0xfa, 0xf6, 0xd7,
26721 -+ 0xd2, 0xe6, 0x76, 0x1d, 0x0f, 0xa1, 0xdc, 0x74,
26722 -+ 0x05, 0x1b, 0x1d, 0xe0, 0xcd, 0x16, 0xb0, 0xa8,
26723 -+ 0x8a, 0x34, 0x7b, 0x15, 0x11, 0x77, 0xe5, 0x7b,
26724 -+ 0x7e, 0x20, 0xf7, 0xda, 0x38, 0xda, 0xce, 0x70,
26725 -+ 0xe9, 0xf5, 0x6c, 0xd9, 0xbe, 0x0c, 0x4c, 0x95,
26726 -+ 0x4c, 0xc2, 0x9b, 0x34, 0x55, 0x55, 0xe1, 0xf3,
26727 -+ 0x46, 0x8e, 0x48, 0x74, 0x14, 0x4f, 0x9d, 0xc9,
26728 -+ 0xf5, 0xe8, 0x1a, 0xf0, 0x11, 0x4a, 0xc1, 0x8d,
26729 -+ 0xe0, 0x93, 0xa0, 0xbe, 0x09, 0x1c, 0x2b, 0x4e,
26730 -+ 0x0f, 0xb2, 0x87, 0x8b, 0x84, 0xfe, 0x92, 0x32,
26731 -+ 0x14, 0xd7, 0x93, 0xdf, 0xe7, 0x44, 0xbc, 0xc5,
26732 -+ 0xae, 0x53, 0x69, 0xd8, 0xb3, 0x79, 0x37, 0x80,
26733 -+ 0xe3, 0x17, 0x5c, 0xec, 0x53, 0x00, 0x9a, 0xe3,
26734 -+ 0x8e, 0xdc, 0x38, 0xb8, 0x66, 0xf0, 0xd3, 0xad,
26735 -+ 0x1d, 0x02, 0x96, 0x86, 0x3e, 0x9d, 0x3b, 0x5d,
26736 -+ 0xa5, 0x7f, 0x21, 0x10, 0xf1, 0x1f, 0x13, 0x20,
26737 -+ 0xf9, 0x57, 0x87, 0x20, 0xf5, 0x5f, 0xf1, 0x17,
26738 -+ 0x48, 0x0a, 0x51, 0x5a, 0xcd, 0x19, 0x03, 0xa6,
26739 -+ 0x5a, 0xd1, 0x12, 0x97, 0xe9, 0x48, 0xe2, 0x1d,
26740 -+ 0x83, 0x75, 0x50, 0xd9, 0x75, 0x7d, 0x6a, 0x82,
26741 -+ 0xa1, 0xf9, 0x4e, 0x54, 0x87, 0x89, 0xc9, 0x0c,
26742 -+ 0xb7, 0x5b, 0x6a, 0x91, 0xc1, 0x9c, 0xb2, 0xa9,
26743 -+ 0xdc, 0x9a, 0xa4, 0x49, 0x0a, 0x6d, 0x0d, 0xbb,
26744 -+ 0xde, 0x86, 0x44, 0xdd, 0x5d, 0x89, 0x2b, 0x96,
26745 -+ 0x0f, 0x23, 0x95, 0xad, 0xcc, 0xa2, 0xb3, 0xb9,
26746 -+ 0x7e, 0x74, 0x38, 0xba, 0x9f, 0x73, 0xae, 0x5f,
26747 -+ 0xf8, 0x68, 0xa2, 0xe0, 0xa9, 0xce, 0xbd, 0x40,
26748 -+ 0xd4, 0x4c, 0x6b, 0xd2, 0x56, 0x62, 0xb0, 0xcc,
26749 -+ 0x63, 0x7e, 0x5b, 0xd3, 0xae, 0xd1, 0x75, 0xce,
26750 -+ 0xbb, 0xb4, 0x5b, 0xa8, 0xf8, 0xb4, 0xac, 0x71,
26751 -+ 0x75, 0xaa, 0xc9, 0x9f, 0xbb, 0x6c, 0xad, 0x0f,
26752 -+ 0x55, 0x5d, 0xe8, 0x85, 0x7d, 0xf9, 0x21, 0x35,
26753 -+ 0xea, 0x92, 0x85, 0x2b, 0x00, 0xec, 0x84, 0x90,
26754 -+ 0x0a, 0x63, 0x96, 0xe4, 0x6b, 0xa9, 0x77, 0xb8,
26755 -+ 0x91, 0xf8, 0x46, 0x15, 0x72, 0x63, 0x70, 0x01,
26756 -+ 0x40, 0xa3, 0xa5, 0x76, 0x62, 0x2b, 0xbf, 0xf1,
26757 -+ 0xe5, 0x8d, 0x9f, 0xa3, 0xfa, 0x9b, 0x03, 0xbe,
26758 -+ 0xfe, 0x65, 0x6f, 0xa2, 0x29, 0x0d, 0x54, 0xb4,
26759 -+ 0x71, 0xce, 0xa9, 0xd6, 0x3d, 0x88, 0xf9, 0xaf,
26760 -+ 0x6b, 0xa8, 0x9e, 0xf4, 0x16, 0x96, 0x36, 0xb9,
26761 -+ 0x00, 0xdc, 0x10, 0xab, 0xb5, 0x08, 0x31, 0x1f,
26762 -+ 0x00, 0xb1, 0x3c, 0xd9, 0x38, 0x3e, 0xc6, 0x04,
26763 -+ 0xa7, 0x4e, 0xe8, 0xae, 0xed, 0x98, 0xc2, 0xf7,
26764 -+ 0xb9, 0x00, 0x5f, 0x8c, 0x60, 0xd1, 0xe5, 0x15,
26765 -+ 0xf7, 0xae, 0x1e, 0x84, 0x88, 0xd1, 0xf6, 0xbc,
26766 -+ 0x3a, 0x89, 0x35, 0x22, 0x83, 0x7c, 0xca, 0xf0,
26767 -+ 0x33, 0x82, 0x4c, 0x79, 0x3c, 0xfd, 0xb1, 0xae,
26768 -+ 0x52, 0x62, 0x55, 0xd2, 0x41, 0x60, 0xc6, 0xbb,
26769 -+ 0xfa, 0x0e, 0x59, 0xd6, 0xa8, 0xfe, 0x5d, 0xed,
26770 -+ 0x47, 0x3d, 0xe0, 0xea, 0x1f, 0x6e, 0x43, 0x51,
26771 -+ 0xec, 0x10, 0x52, 0x56, 0x77, 0x42, 0x6b, 0x52,
26772 -+ 0x87, 0xd8, 0xec, 0xe0, 0xaa, 0x76, 0xa5, 0x84,
26773 -+ 0x2a, 0x22, 0x24, 0xfd, 0x92, 0x40, 0x88, 0xd5,
26774 -+ 0x85, 0x1c, 0x1f, 0x6b, 0x47, 0xa0, 0xc4, 0xe4,
26775 -+ 0xef, 0xf4, 0xea, 0xd7, 0x59, 0xac, 0x2a, 0x9e,
26776 -+ 0x8c, 0xfa, 0x1f, 0x42, 0x08, 0xfe, 0x4f, 0x74,
26777 -+ 0xa0, 0x26, 0xf5, 0xb3, 0x84, 0xf6, 0x58, 0x5f,
26778 -+ 0x26, 0x66, 0x3e, 0xd7, 0xe4, 0x22, 0x91, 0x13,
26779 -+ 0xc8, 0xac, 0x25, 0x96, 0x23, 0xd8, 0x09, 0xea,
26780 -+ 0x45, 0x75, 0x23, 0xb8, 0x5f, 0xc2, 0x90, 0x8b,
26781 -+ 0x09, 0xc4, 0xfc, 0x47, 0x6c, 0x6d, 0x0a, 0xef,
26782 -+ 0x69, 0xa4, 0x38, 0x19, 0xcf, 0x7d, 0xf9, 0x09,
26783 -+ 0x73, 0x9b, 0x60, 0x5a, 0xf7, 0x37, 0xb5, 0xfe,
26784 -+ 0x9f, 0xe3, 0x2b, 0x4c, 0x0d, 0x6e, 0x19, 0xf1,
26785 -+ 0xd6, 0xc0, 0x70, 0xf3, 0x9d, 0x22, 0x3c, 0xf9,
26786 -+ 0x49, 0xce, 0x30, 0x8e, 0x44, 0xb5, 0x76, 0x15,
26787 -+ 0x8f, 0x52, 0xfd, 0xa5, 0x04, 0xb8, 0x55, 0x6a,
26788 -+ 0x36, 0x59, 0x7c, 0xc4, 0x48, 0xb8, 0xd7, 0xab,
26789 -+ 0x05, 0x66, 0xe9, 0x5e, 0x21, 0x6f, 0x6b, 0x36,
26790 -+ 0x29, 0xbb, 0xe9, 0xe3, 0xa2, 0x9a, 0xa8, 0xcd,
26791 -+ 0x55, 0x25, 0x11, 0xba, 0x5a, 0x58, 0xa0, 0xde,
26792 -+ 0xae, 0x19, 0x2a, 0x48, 0x5a, 0xff, 0x36, 0xcd,
26793 -+ 0x6d, 0x16, 0x7a, 0x73, 0x38, 0x46, 0xe5, 0x47,
26794 -+ 0x59, 0xc8, 0xa2, 0xf6, 0xe2, 0x6c, 0x83, 0xc5,
26795 -+ 0x36, 0x2c, 0x83, 0x7d, 0xb4, 0x01, 0x05, 0x69,
26796 -+ 0xe7, 0xaf, 0x5c, 0xc4, 0x64, 0x82, 0x12, 0x21,
26797 -+ 0xef, 0xf7, 0xd1, 0x7d, 0xb8, 0x8d, 0x8c, 0x98,
26798 -+ 0x7c, 0x5f, 0x7d, 0x92, 0x88, 0xb9, 0x94, 0x07,
26799 -+ 0x9c, 0xd8, 0xe9, 0x9c, 0x17, 0x38, 0xe3, 0x57,
26800 -+ 0x6c, 0xe0, 0xdc, 0xa5, 0x92, 0x42, 0xb3, 0xbd,
26801 -+ 0x50, 0xa2, 0x7e, 0xb5, 0xb1, 0x52, 0x72, 0x03,
26802 -+ 0x97, 0xd8, 0xaa, 0x9a, 0x1e, 0x75, 0x41, 0x11,
26803 -+ 0xa3, 0x4f, 0xcc, 0xd4, 0xe3, 0x73, 0xad, 0x96,
26804 -+ 0xdc, 0x47, 0x41, 0x9f, 0xb0, 0xbe, 0x79, 0x91,
26805 -+ 0xf5, 0xb6, 0x18, 0xfe, 0xc2, 0x83, 0x18, 0x7d,
26806 -+ 0x73, 0xd9, 0x4f, 0x83, 0x84, 0x03, 0xb3, 0xf0,
26807 -+ 0x77, 0x66, 0x3d, 0x83, 0x63, 0x2e, 0x2c, 0xf9,
26808 -+ 0xdd, 0xa6, 0x1f, 0x89, 0x82, 0xb8, 0x23, 0x42,
26809 -+ 0xeb, 0xe2, 0xca, 0x70, 0x82, 0x61, 0x41, 0x0a,
26810 -+ 0x6d, 0x5f, 0x75, 0xc5, 0xe2, 0xc4, 0x91, 0x18,
26811 -+ 0x44, 0x22, 0xfa, 0x34, 0x10, 0xf5, 0x20, 0xdc,
26812 -+ 0xb7, 0xdd, 0x2a, 0x20, 0x77, 0xf5, 0xf9, 0xce,
26813 -+ 0xdb, 0xa0, 0x0a, 0x52, 0x2a, 0x4e, 0xdd, 0xcc,
26814 -+ 0x97, 0xdf, 0x05, 0xe4, 0x5e, 0xb7, 0xaa, 0xf0,
26815 -+ 0xe2, 0x80, 0xff, 0xba, 0x1a, 0x0f, 0xac, 0xdf,
26816 -+ 0x02, 0x32, 0xe6, 0xf7, 0xc7, 0x17, 0x13, 0xb7,
26817 -+ 0xfc, 0x98, 0x48, 0x8c, 0x0d, 0x82, 0xc9, 0x80,
26818 -+ 0x7a, 0xe2, 0x0a, 0xc5, 0xb4, 0xde, 0x7c, 0x3c,
26819 -+ 0x79, 0x81, 0x0e, 0x28, 0x65, 0x79, 0x67, 0x82,
26820 -+ 0x69, 0x44, 0x66, 0x09, 0xf7, 0x16, 0x1a, 0xf9,
26821 -+ 0x7d, 0x80, 0xa1, 0x79, 0x14, 0xa9, 0xc8, 0x20,
26822 -+ 0xfb, 0xa2, 0x46, 0xbe, 0x08, 0x35, 0x17, 0x58,
26823 -+ 0xc1, 0x1a, 0xda, 0x2a, 0x6b, 0x2e, 0x1e, 0xe6,
26824 -+ 0x27, 0x55, 0x7b, 0x19, 0xe2, 0xfb, 0x64, 0xfc,
26825 -+ 0x5e, 0x15, 0x54, 0x3c, 0xe7, 0xc2, 0x11, 0x50,
26826 -+ 0x30, 0xb8, 0x72, 0x03, 0x0b, 0x1a, 0x9f, 0x86,
26827 -+ 0x27, 0x11, 0x5c, 0x06, 0x2b, 0xbd, 0x75, 0x1a,
26828 -+ 0x0a, 0xda, 0x01, 0xfa, 0x5c, 0x4a, 0xc1, 0x80,
26829 -+ 0x3a, 0x6e, 0x30, 0xc8, 0x2c, 0xeb, 0x56, 0xec,
26830 -+ 0x89, 0xfa, 0x35, 0x7b, 0xb2, 0xf0, 0x97, 0x08,
26831 -+ 0x86, 0x53, 0xbe, 0xbd, 0x40, 0x41, 0x38, 0x1c,
26832 -+ 0xb4, 0x8b, 0x79, 0x2e, 0x18, 0x96, 0x94, 0xde,
26833 -+ 0xe8, 0xca, 0xe5, 0x9f, 0x92, 0x9f, 0x15, 0x5d,
26834 -+ 0x56, 0x60, 0x5c, 0x09, 0xf9, 0x16, 0xf4, 0x17,
26835 -+ 0x0f, 0xf6, 0x4c, 0xda, 0xe6, 0x67, 0x89, 0x9f,
26836 -+ 0xca, 0x6c, 0xe7, 0x9b, 0x04, 0x62, 0x0e, 0x26,
26837 -+ 0xa6, 0x52, 0xbd, 0x29, 0xff, 0xc7, 0xa4, 0x96,
26838 -+ 0xe6, 0x6a, 0x02, 0xa5, 0x2e, 0x7b, 0xfe, 0x97,
26839 -+ 0x68, 0x3e, 0x2e, 0x5f, 0x3b, 0x0f, 0x36, 0xd6,
26840 -+ 0x98, 0x19, 0x59, 0x48, 0xd2, 0xc6, 0xe1, 0x55,
26841 -+ 0x1a, 0x6e, 0xd6, 0xed, 0x2c, 0xba, 0xc3, 0x9e,
26842 -+ 0x64, 0xc9, 0x95, 0x86, 0x35, 0x5e, 0x3e, 0x88,
26843 -+ 0x69, 0x99, 0x4b, 0xee, 0xbe, 0x9a, 0x99, 0xb5,
26844 -+ 0x6e, 0x58, 0xae, 0xdd, 0x22, 0xdb, 0xdd, 0x6b,
26845 -+ 0xfc, 0xaf, 0x90, 0xa3, 0x3d, 0xa4, 0xc1, 0x15,
26846 -+ 0x92, 0x18, 0x8d, 0xd2, 0x4b, 0x7b, 0x06, 0xd1,
26847 -+ 0x37, 0xb5, 0xe2, 0x7c, 0x2c, 0xf0, 0x25, 0xe4,
26848 -+ 0x94, 0x2a, 0xbd, 0xe3, 0x82, 0x70, 0x78, 0xa3,
26849 -+ 0x82, 0x10, 0x5a, 0x90, 0xd7, 0xa4, 0xfa, 0xaf,
26850 -+ 0x1a, 0x88, 0x59, 0xdc, 0x74, 0x12, 0xb4, 0x8e,
26851 -+ 0xd7, 0x19, 0x46, 0xf4, 0x84, 0x69, 0x9f, 0xbb,
26852 -+ 0x70, 0xa8, 0x4c, 0x52, 0x81, 0xa9, 0xff, 0x76,
26853 -+ 0x1c, 0xae, 0xd8, 0x11, 0x3d, 0x7f, 0x7d, 0xc5,
26854 -+ 0x12, 0x59, 0x28, 0x18, 0xc2, 0xa2, 0xb7, 0x1c,
26855 -+ 0x88, 0xf8, 0xd6, 0x1b, 0xa6, 0x7d, 0x9e, 0xde,
26856 -+ 0x29, 0xf8, 0xed, 0xff, 0xeb, 0x92, 0x24, 0x4f,
26857 -+ 0x05, 0xaa, 0xd9, 0x49, 0xba, 0x87, 0x59, 0x51,
26858 -+ 0xc9, 0x20, 0x5c, 0x9b, 0x74, 0xcf, 0x03, 0xd9,
26859 -+ 0x2d, 0x34, 0xc7, 0x5b, 0xa5, 0x40, 0xb2, 0x99,
26860 -+ 0xf5, 0xcb, 0xb4, 0xf6, 0xb7, 0x72, 0x4a, 0xd6,
26861 -+ 0xbd, 0xb0, 0xf3, 0x93, 0xe0, 0x1b, 0xa8, 0x04,
26862 -+ 0x1e, 0x35, 0xd4, 0x80, 0x20, 0xf4, 0x9c, 0x31,
26863 -+ 0x6b, 0x45, 0xb9, 0x15, 0xb0, 0x5e, 0xdd, 0x0a,
26864 -+ 0x33, 0x9c, 0x83, 0xcd, 0x58, 0x89, 0x50, 0x56,
26865 -+ 0xbb, 0x81, 0x00, 0x91, 0x32, 0xf3, 0x1b, 0x3e,
26866 -+ 0xcf, 0x45, 0xe1, 0xf9, 0xe1, 0x2c, 0x26, 0x78,
26867 -+ 0x93, 0x9a, 0x60, 0x46, 0xc9, 0xb5, 0x5e, 0x6a,
26868 -+ 0x28, 0x92, 0x87, 0x3f, 0x63, 0x7b, 0xdb, 0xf7,
26869 -+ 0xd0, 0x13, 0x9d, 0x32, 0x40, 0x5e, 0xcf, 0xfb,
26870 -+ 0x79, 0x68, 0x47, 0x4c, 0xfd, 0x01, 0x17, 0xe6,
26871 -+ 0x97, 0x93, 0x78, 0xbb, 0xa6, 0x27, 0xa3, 0xe8,
26872 -+ 0x1a, 0xe8, 0x94, 0x55, 0x7d, 0x08, 0xe5, 0xdc,
26873 -+ 0x66, 0xa3, 0x69, 0xc8, 0xca, 0xc5, 0xa1, 0x84,
26874 -+ 0x55, 0xde, 0x08, 0x91, 0x16, 0x3a, 0x0c, 0x86,
26875 -+ 0xab, 0x27, 0x2b, 0x64, 0x34, 0x02, 0x6c, 0x76,
26876 -+ 0x8b, 0xc6, 0xaf, 0xcc, 0xe1, 0xd6, 0x8c, 0x2a,
26877 -+ 0x18, 0x3d, 0xa6, 0x1b, 0x37, 0x75, 0x45, 0x73,
26878 -+ 0xc2, 0x75, 0xd7, 0x53, 0x78, 0x3a, 0xd6, 0xe8,
26879 -+ 0x29, 0xd2, 0x4a, 0xa8, 0x1e, 0x82, 0xf6, 0xb6,
26880 -+ 0x81, 0xde, 0x21, 0xed, 0x2b, 0x56, 0xbb, 0xf2,
26881 -+ 0xd0, 0x57, 0xc1, 0x7c, 0xd2, 0x6a, 0xd2, 0x56,
26882 -+ 0xf5, 0x13, 0x5f, 0x1c, 0x6a, 0x0b, 0x74, 0xfb,
26883 -+ 0xe9, 0xfe, 0x9e, 0xea, 0x95, 0xb2, 0x46, 0xab,
26884 -+ 0x0a, 0xfc, 0xfd, 0xf3, 0xbb, 0x04, 0x2b, 0x76,
26885 -+ 0x1b, 0xa4, 0x74, 0xb0, 0xc1, 0x78, 0xc3, 0x69,
26886 -+ 0xe2, 0xb0, 0x01, 0xe1, 0xde, 0x32, 0x4c, 0x8d,
26887 -+ 0x1a, 0xb3, 0x38, 0x08, 0xd5, 0xfc, 0x1f, 0xdc,
26888 -+ 0x0e, 0x2c, 0x9c, 0xb1, 0xa1, 0x63, 0x17, 0x22,
26889 -+ 0xf5, 0x6c, 0x93, 0x70, 0x74, 0x00, 0xf8, 0x39,
26890 -+ 0x01, 0x94, 0xd1, 0x32, 0x23, 0x56, 0x5d, 0xa6,
26891 -+ 0x02, 0x76, 0x76, 0x93, 0xce, 0x2f, 0x19, 0xe9,
26892 -+ 0x17, 0x52, 0xae, 0x6e, 0x2c, 0x6d, 0x61, 0x7f,
26893 -+ 0x3b, 0xaa, 0xe0, 0x52, 0x85, 0xc5, 0x65, 0xc1,
26894 -+ 0xbb, 0x8e, 0x5b, 0x21, 0xd5, 0xc9, 0x78, 0x83,
26895 -+ 0x07, 0x97, 0x4c, 0x62, 0x61, 0x41, 0xd4, 0xfc,
26896 -+ 0xc9, 0x39, 0xe3, 0x9b, 0xd0, 0xcc, 0x75, 0xc4,
26897 -+ 0x97, 0xe6, 0xdd, 0x2a, 0x5f, 0xa6, 0xe8, 0x59,
26898 -+ 0x6c, 0x98, 0xb9, 0x02, 0xe2, 0xa2, 0xd6, 0x68,
26899 -+ 0xee, 0x3b, 0x1d, 0xe3, 0x4d, 0x5b, 0x30, 0xef,
26900 -+ 0x03, 0xf2, 0xeb, 0x18, 0x57, 0x36, 0xe8, 0xa1,
26901 -+ 0xf4, 0x47, 0xfb, 0xcb, 0x8f, 0xcb, 0xc8, 0xf3,
26902 -+ 0x4f, 0x74, 0x9d, 0x9d, 0xb1, 0x8d, 0x14, 0x44,
26903 -+ 0xd9, 0x19, 0xb4, 0x54, 0x4f, 0x75, 0x19, 0x09,
26904 -+ 0xa0, 0x75, 0xbc, 0x3b, 0x82, 0xc6, 0x3f, 0xb8,
26905 -+ 0x83, 0x19, 0x6e, 0xd6, 0x37, 0xfe, 0x6e, 0x8a,
26906 -+ 0x4e, 0xe0, 0x4a, 0xab, 0x7b, 0xc8, 0xb4, 0x1d,
26907 -+ 0xf4, 0xed, 0x27, 0x03, 0x65, 0xa2, 0xa1, 0xae,
26908 -+ 0x11, 0xe7, 0x98, 0x78, 0x48, 0x91, 0xd2, 0xd2,
26909 -+ 0xd4, 0x23, 0x78, 0x50, 0xb1, 0x5b, 0x85, 0x10,
26910 -+ 0x8d, 0xca, 0x5f, 0x0f, 0x71, 0xae, 0x72, 0x9a,
26911 -+ 0xf6, 0x25, 0x19, 0x60, 0x06, 0xf7, 0x10, 0x34,
26912 -+ 0x18, 0x0d, 0xc9, 0x9f, 0x7b, 0x0c, 0x9b, 0x8f,
26913 -+ 0x91, 0x1b, 0x9f, 0xcd, 0x10, 0xee, 0x75, 0xf9,
26914 -+ 0x97, 0x66, 0xfc, 0x4d, 0x33, 0x6e, 0x28, 0x2b,
26915 -+ 0x92, 0x85, 0x4f, 0xab, 0x43, 0x8d, 0x8f, 0x7d,
26916 -+ 0x86, 0xa7, 0xc7, 0xd8, 0xd3, 0x0b, 0x8b, 0x57,
26917 -+ 0xb6, 0x1d, 0x95, 0x0d, 0xe9, 0xbc, 0xd9, 0x03,
26918 -+ 0xd9, 0x10, 0x19, 0xc3, 0x46, 0x63, 0x55, 0x87,
26919 -+ 0x61, 0x79, 0x6c, 0x95, 0x0e, 0x9c, 0xdd, 0xca,
26920 -+ 0xc3, 0xf3, 0x64, 0xf0, 0x7d, 0x76, 0xb7, 0x53,
26921 -+ 0x67, 0x2b, 0x1e, 0x44, 0x56, 0x81, 0xea, 0x8f,
26922 -+ 0x5c, 0x42, 0x16, 0xb8, 0x28, 0xeb, 0x1b, 0x61,
26923 -+ 0x10, 0x1e, 0xbf, 0xec, 0xa8
26924 -+};
26925 -+static const u8 dec_assoc011[] __initconst = {
26926 -+ 0xd6, 0x31, 0xda, 0x5d, 0x42, 0x5e, 0xd7
26927 -+};
26928 -+static const u8 dec_nonce011[] __initconst = {
26929 -+ 0xfd, 0x87, 0xd4, 0xd8, 0x62, 0xfd, 0xec, 0xaa
26930 -+};
26931 -+static const u8 dec_key011[] __initconst = {
26932 -+ 0x35, 0x4e, 0xb5, 0x70, 0x50, 0x42, 0x8a, 0x85,
26933 -+ 0xf2, 0xfb, 0xed, 0x7b, 0xd0, 0x9e, 0x97, 0xca,
26934 -+ 0xfa, 0x98, 0x66, 0x63, 0xee, 0x37, 0xcc, 0x52,
26935 -+ 0xfe, 0xd1, 0xdf, 0x95, 0x15, 0x34, 0x29, 0x38
26936 -+};
26937 -+
26938 -+static const u8 dec_input012[] __initconst = {
26939 -+ 0x52, 0x34, 0xb3, 0x65, 0x3b, 0xb7, 0xe5, 0xd3,
26940 -+ 0xab, 0x49, 0x17, 0x60, 0xd2, 0x52, 0x56, 0xdf,
26941 -+ 0xdf, 0x34, 0x56, 0x82, 0xe2, 0xbe, 0xe5, 0xe1,
26942 -+ 0x28, 0xd1, 0x4e, 0x5f, 0x4f, 0x01, 0x7d, 0x3f,
26943 -+ 0x99, 0x6b, 0x30, 0x6e, 0x1a, 0x7c, 0x4c, 0x8e,
26944 -+ 0x62, 0x81, 0xae, 0x86, 0x3f, 0x6b, 0xd0, 0xb5,
26945 -+ 0xa9, 0xcf, 0x50, 0xf1, 0x02, 0x12, 0xa0, 0x0b,
26946 -+ 0x24, 0xe9, 0xe6, 0x72, 0x89, 0x2c, 0x52, 0x1b,
26947 -+ 0x34, 0x38, 0xf8, 0x75, 0x5f, 0xa0, 0x74, 0xe2,
26948 -+ 0x99, 0xdd, 0xa6, 0x4b, 0x14, 0x50, 0x4e, 0xf1,
26949 -+ 0xbe, 0xd6, 0x9e, 0xdb, 0xb2, 0x24, 0x27, 0x74,
26950 -+ 0x12, 0x4a, 0x78, 0x78, 0x17, 0xa5, 0x58, 0x8e,
26951 -+ 0x2f, 0xf9, 0xf4, 0x8d, 0xee, 0x03, 0x88, 0xae,
26952 -+ 0xb8, 0x29, 0xa1, 0x2f, 0x4b, 0xee, 0x92, 0xbd,
26953 -+ 0x87, 0xb3, 0xce, 0x34, 0x21, 0x57, 0x46, 0x04,
26954 -+ 0x49, 0x0c, 0x80, 0xf2, 0x01, 0x13, 0xa1, 0x55,
26955 -+ 0xb3, 0xff, 0x44, 0x30, 0x3c, 0x1c, 0xd0, 0xef,
26956 -+ 0xbc, 0x18, 0x74, 0x26, 0xad, 0x41, 0x5b, 0x5b,
26957 -+ 0x3e, 0x9a, 0x7a, 0x46, 0x4f, 0x16, 0xd6, 0x74,
26958 -+ 0x5a, 0xb7, 0x3a, 0x28, 0x31, 0xd8, 0xae, 0x26,
26959 -+ 0xac, 0x50, 0x53, 0x86, 0xf2, 0x56, 0xd7, 0x3f,
26960 -+ 0x29, 0xbc, 0x45, 0x68, 0x8e, 0xcb, 0x98, 0x64,
26961 -+ 0xdd, 0xc9, 0xba, 0xb8, 0x4b, 0x7b, 0x82, 0xdd,
26962 -+ 0x14, 0xa7, 0xcb, 0x71, 0x72, 0x00, 0x5c, 0xad,
26963 -+ 0x7b, 0x6a, 0x89, 0xa4, 0x3d, 0xbf, 0xb5, 0x4b,
26964 -+ 0x3e, 0x7c, 0x5a, 0xcf, 0xb8, 0xa1, 0xc5, 0x6e,
26965 -+ 0xc8, 0xb6, 0x31, 0x57, 0x7b, 0xdf, 0xa5, 0x7e,
26966 -+ 0xb1, 0xd6, 0x42, 0x2a, 0x31, 0x36, 0xd1, 0xd0,
26967 -+ 0x3f, 0x7a, 0xe5, 0x94, 0xd6, 0x36, 0xa0, 0x6f,
26968 -+ 0xb7, 0x40, 0x7d, 0x37, 0xc6, 0x55, 0x7c, 0x50,
26969 -+ 0x40, 0x6d, 0x29, 0x89, 0xe3, 0x5a, 0xae, 0x97,
26970 -+ 0xe7, 0x44, 0x49, 0x6e, 0xbd, 0x81, 0x3d, 0x03,
26971 -+ 0x93, 0x06, 0x12, 0x06, 0xe2, 0x41, 0x12, 0x4a,
26972 -+ 0xf1, 0x6a, 0xa4, 0x58, 0xa2, 0xfb, 0xd2, 0x15,
26973 -+ 0xba, 0xc9, 0x79, 0xc9, 0xce, 0x5e, 0x13, 0xbb,
26974 -+ 0xf1, 0x09, 0x04, 0xcc, 0xfd, 0xe8, 0x51, 0x34,
26975 -+ 0x6a, 0xe8, 0x61, 0x88, 0xda, 0xed, 0x01, 0x47,
26976 -+ 0x84, 0xf5, 0x73, 0x25, 0xf9, 0x1c, 0x42, 0x86,
26977 -+ 0x07, 0xf3, 0x5b, 0x1a, 0x01, 0xb3, 0xeb, 0x24,
26978 -+ 0x32, 0x8d, 0xf6, 0xed, 0x7c, 0x4b, 0xeb, 0x3c,
26979 -+ 0x36, 0x42, 0x28, 0xdf, 0xdf, 0xb6, 0xbe, 0xd9,
26980 -+ 0x8c, 0x52, 0xd3, 0x2b, 0x08, 0x90, 0x8c, 0xe7,
26981 -+ 0x98, 0x31, 0xe2, 0x32, 0x8e, 0xfc, 0x11, 0x48,
26982 -+ 0x00, 0xa8, 0x6a, 0x42, 0x4a, 0x02, 0xc6, 0x4b,
26983 -+ 0x09, 0xf1, 0xe3, 0x49, 0xf3, 0x45, 0x1f, 0x0e,
26984 -+ 0xbc, 0x56, 0xe2, 0xe4, 0xdf, 0xfb, 0xeb, 0x61,
26985 -+ 0xfa, 0x24, 0xc1, 0x63, 0x75, 0xbb, 0x47, 0x75,
26986 -+ 0xaf, 0xe1, 0x53, 0x16, 0x96, 0x21, 0x85, 0x26,
26987 -+ 0x11, 0xb3, 0x76, 0xe3, 0x23, 0xa1, 0x6b, 0x74,
26988 -+ 0x37, 0xd0, 0xde, 0x06, 0x90, 0x71, 0x5d, 0x43,
26989 -+ 0x88, 0x9b, 0x00, 0x54, 0xa6, 0x75, 0x2f, 0xa1,
26990 -+ 0xc2, 0x0b, 0x73, 0x20, 0x1d, 0xb6, 0x21, 0x79,
26991 -+ 0x57, 0x3f, 0xfa, 0x09, 0xbe, 0x8a, 0x33, 0xc3,
26992 -+ 0x52, 0xf0, 0x1d, 0x82, 0x31, 0xd1, 0x55, 0xb5,
26993 -+ 0x6c, 0x99, 0x25, 0xcf, 0x5c, 0x32, 0xce, 0xe9,
26994 -+ 0x0d, 0xfa, 0x69, 0x2c, 0xd5, 0x0d, 0xc5, 0x6d,
26995 -+ 0x86, 0xd0, 0x0c, 0x3b, 0x06, 0x50, 0x79, 0xe8,
26996 -+ 0xc3, 0xae, 0x04, 0xe6, 0xcd, 0x51, 0xe4, 0x26,
26997 -+ 0x9b, 0x4f, 0x7e, 0xa6, 0x0f, 0xab, 0xd8, 0xe5,
26998 -+ 0xde, 0xa9, 0x00, 0x95, 0xbe, 0xa3, 0x9d, 0x5d,
26999 -+ 0xb2, 0x09, 0x70, 0x18, 0x1c, 0xf0, 0xac, 0x29,
27000 -+ 0x23, 0x02, 0x29, 0x28, 0xd2, 0x74, 0x35, 0x57,
27001 -+ 0x62, 0x0f, 0x24, 0xea, 0x5e, 0x33, 0xc2, 0x92,
27002 -+ 0xf3, 0x78, 0x4d, 0x30, 0x1e, 0xa1, 0x99, 0xa9,
27003 -+ 0x82, 0xb0, 0x42, 0x31, 0x8d, 0xad, 0x8a, 0xbc,
27004 -+ 0xfc, 0xd4, 0x57, 0x47, 0x3e, 0xb4, 0x50, 0xdd,
27005 -+ 0x6e, 0x2c, 0x80, 0x4d, 0x22, 0xf1, 0xfb, 0x57,
27006 -+ 0xc4, 0xdd, 0x17, 0xe1, 0x8a, 0x36, 0x4a, 0xb3,
27007 -+ 0x37, 0xca, 0xc9, 0x4e, 0xab, 0xd5, 0x69, 0xc4,
27008 -+ 0xf4, 0xbc, 0x0b, 0x3b, 0x44, 0x4b, 0x29, 0x9c,
27009 -+ 0xee, 0xd4, 0x35, 0x22, 0x21, 0xb0, 0x1f, 0x27,
27010 -+ 0x64, 0xa8, 0x51, 0x1b, 0xf0, 0x9f, 0x19, 0x5c,
27011 -+ 0xfb, 0x5a, 0x64, 0x74, 0x70, 0x45, 0x09, 0xf5,
27012 -+ 0x64, 0xfe, 0x1a, 0x2d, 0xc9, 0x14, 0x04, 0x14,
27013 -+ 0xcf, 0xd5, 0x7d, 0x60, 0xaf, 0x94, 0x39, 0x94,
27014 -+ 0xe2, 0x7d, 0x79, 0x82, 0xd0, 0x65, 0x3b, 0x6b,
27015 -+ 0x9c, 0x19, 0x84, 0xb4, 0x6d, 0xb3, 0x0c, 0x99,
27016 -+ 0xc0, 0x56, 0xa8, 0xbd, 0x73, 0xce, 0x05, 0x84,
27017 -+ 0x3e, 0x30, 0xaa, 0xc4, 0x9b, 0x1b, 0x04, 0x2a,
27018 -+ 0x9f, 0xd7, 0x43, 0x2b, 0x23, 0xdf, 0xbf, 0xaa,
27019 -+ 0xd5, 0xc2, 0x43, 0x2d, 0x70, 0xab, 0xdc, 0x75,
27020 -+ 0xad, 0xac, 0xf7, 0xc0, 0xbe, 0x67, 0xb2, 0x74,
27021 -+ 0xed, 0x67, 0x10, 0x4a, 0x92, 0x60, 0xc1, 0x40,
27022 -+ 0x50, 0x19, 0x8a, 0x8a, 0x8c, 0x09, 0x0e, 0x72,
27023 -+ 0xe1, 0x73, 0x5e, 0xe8, 0x41, 0x85, 0x63, 0x9f,
27024 -+ 0x3f, 0xd7, 0x7d, 0xc4, 0xfb, 0x22, 0x5d, 0x92,
27025 -+ 0x6c, 0xb3, 0x1e, 0xe2, 0x50, 0x2f, 0x82, 0xa8,
27026 -+ 0x28, 0xc0, 0xb5, 0xd7, 0x5f, 0x68, 0x0d, 0x2c,
27027 -+ 0x2d, 0xaf, 0x7e, 0xfa, 0x2e, 0x08, 0x0f, 0x1f,
27028 -+ 0x70, 0x9f, 0xe9, 0x19, 0x72, 0x55, 0xf8, 0xfb,
27029 -+ 0x51, 0xd2, 0x33, 0x5d, 0xa0, 0xd3, 0x2b, 0x0a,
27030 -+ 0x6c, 0xbc, 0x4e, 0xcf, 0x36, 0x4d, 0xdc, 0x3b,
27031 -+ 0xe9, 0x3e, 0x81, 0x7c, 0x61, 0xdb, 0x20, 0x2d,
27032 -+ 0x3a, 0xc3, 0xb3, 0x0c, 0x1e, 0x00, 0xb9, 0x7c,
27033 -+ 0xf5, 0xca, 0x10, 0x5f, 0x3a, 0x71, 0xb3, 0xe4,
27034 -+ 0x20, 0xdb, 0x0c, 0x2a, 0x98, 0x63, 0x45, 0x00,
27035 -+ 0x58, 0xf6, 0x68, 0xe4, 0x0b, 0xda, 0x13, 0x3b,
27036 -+ 0x60, 0x5c, 0x76, 0xdb, 0xb9, 0x97, 0x71, 0xe4,
27037 -+ 0xd9, 0xb7, 0xdb, 0xbd, 0x68, 0xc7, 0x84, 0x84,
27038 -+ 0xaa, 0x7c, 0x68, 0x62, 0x5e, 0x16, 0xfc, 0xba,
27039 -+ 0x72, 0xaa, 0x9a, 0xa9, 0xeb, 0x7c, 0x75, 0x47,
27040 -+ 0x97, 0x7e, 0xad, 0xe2, 0xd9, 0x91, 0xe8, 0xe4,
27041 -+ 0xa5, 0x31, 0xd7, 0x01, 0x8e, 0xa2, 0x11, 0x88,
27042 -+ 0x95, 0xb9, 0xf2, 0x9b, 0xd3, 0x7f, 0x1b, 0x81,
27043 -+ 0x22, 0xf7, 0x98, 0x60, 0x0a, 0x64, 0xa6, 0xc1,
27044 -+ 0xf6, 0x49, 0xc7, 0xe3, 0x07, 0x4d, 0x94, 0x7a,
27045 -+ 0xcf, 0x6e, 0x68, 0x0c, 0x1b, 0x3f, 0x6e, 0x2e,
27046 -+ 0xee, 0x92, 0xfa, 0x52, 0xb3, 0x59, 0xf8, 0xf1,
27047 -+ 0x8f, 0x6a, 0x66, 0xa3, 0x82, 0x76, 0x4a, 0x07,
27048 -+ 0x1a, 0xc7, 0xdd, 0xf5, 0xda, 0x9c, 0x3c, 0x24,
27049 -+ 0xbf, 0xfd, 0x42, 0xa1, 0x10, 0x64, 0x6a, 0x0f,
27050 -+ 0x89, 0xee, 0x36, 0xa5, 0xce, 0x99, 0x48, 0x6a,
27051 -+ 0xf0, 0x9f, 0x9e, 0x69, 0xa4, 0x40, 0x20, 0xe9,
27052 -+ 0x16, 0x15, 0xf7, 0xdb, 0x75, 0x02, 0xcb, 0xe9,
27053 -+ 0x73, 0x8b, 0x3b, 0x49, 0x2f, 0xf0, 0xaf, 0x51,
27054 -+ 0x06, 0x5c, 0xdf, 0x27, 0x27, 0x49, 0x6a, 0xd1,
27055 -+ 0xcc, 0xc7, 0xb5, 0x63, 0xb5, 0xfc, 0xb8, 0x5c,
27056 -+ 0x87, 0x7f, 0x84, 0xb4, 0xcc, 0x14, 0xa9, 0x53,
27057 -+ 0xda, 0xa4, 0x56, 0xf8, 0xb6, 0x1b, 0xcc, 0x40,
27058 -+ 0x27, 0x52, 0x06, 0x5a, 0x13, 0x81, 0xd7, 0x3a,
27059 -+ 0xd4, 0x3b, 0xfb, 0x49, 0x65, 0x31, 0x33, 0xb2,
27060 -+ 0xfa, 0xcd, 0xad, 0x58, 0x4e, 0x2b, 0xae, 0xd2,
27061 -+ 0x20, 0xfb, 0x1a, 0x48, 0xb4, 0x3f, 0x9a, 0xd8,
27062 -+ 0x7a, 0x35, 0x4a, 0xc8, 0xee, 0x88, 0x5e, 0x07,
27063 -+ 0x66, 0x54, 0xb9, 0xec, 0x9f, 0xa3, 0xe3, 0xb9,
27064 -+ 0x37, 0xaa, 0x49, 0x76, 0x31, 0xda, 0x74, 0x2d,
27065 -+ 0x3c, 0xa4, 0x65, 0x10, 0x32, 0x38, 0xf0, 0xde,
27066 -+ 0xd3, 0x99, 0x17, 0xaa, 0x71, 0xaa, 0x8f, 0x0f,
27067 -+ 0x8c, 0xaf, 0xa2, 0xf8, 0x5d, 0x64, 0xba, 0x1d,
27068 -+ 0xa3, 0xef, 0x96, 0x73, 0xe8, 0xa1, 0x02, 0x8d,
27069 -+ 0x0c, 0x6d, 0xb8, 0x06, 0x90, 0xb8, 0x08, 0x56,
27070 -+ 0x2c, 0xa7, 0x06, 0xc9, 0xc2, 0x38, 0xdb, 0x7c,
27071 -+ 0x63, 0xb1, 0x57, 0x8e, 0xea, 0x7c, 0x79, 0xf3,
27072 -+ 0x49, 0x1d, 0xfe, 0x9f, 0xf3, 0x6e, 0xb1, 0x1d,
27073 -+ 0xba, 0x19, 0x80, 0x1a, 0x0a, 0xd3, 0xb0, 0x26,
27074 -+ 0x21, 0x40, 0xb1, 0x7c, 0xf9, 0x4d, 0x8d, 0x10,
27075 -+ 0xc1, 0x7e, 0xf4, 0xf6, 0x3c, 0xa8, 0xfd, 0x7c,
27076 -+ 0xa3, 0x92, 0xb2, 0x0f, 0xaa, 0xcc, 0xa6, 0x11,
27077 -+ 0xfe, 0x04, 0xe3, 0xd1, 0x7a, 0x32, 0x89, 0xdf,
27078 -+ 0x0d, 0xc4, 0x8f, 0x79, 0x6b, 0xca, 0x16, 0x7c,
27079 -+ 0x6e, 0xf9, 0xad, 0x0f, 0xf6, 0xfe, 0x27, 0xdb,
27080 -+ 0xc4, 0x13, 0x70, 0xf1, 0x62, 0x1a, 0x4f, 0x79,
27081 -+ 0x40, 0xc9, 0x9b, 0x8b, 0x21, 0xea, 0x84, 0xfa,
27082 -+ 0xf5, 0xf1, 0x89, 0xce, 0xb7, 0x55, 0x0a, 0x80,
27083 -+ 0x39, 0x2f, 0x55, 0x36, 0x16, 0x9c, 0x7b, 0x08,
27084 -+ 0xbd, 0x87, 0x0d, 0xa5, 0x32, 0xf1, 0x52, 0x7c,
27085 -+ 0xe8, 0x55, 0x60, 0x5b, 0xd7, 0x69, 0xe4, 0xfc,
27086 -+ 0xfa, 0x12, 0x85, 0x96, 0xea, 0x50, 0x28, 0xab,
27087 -+ 0x8a, 0xf7, 0xbb, 0x0e, 0x53, 0x74, 0xca, 0xa6,
27088 -+ 0x27, 0x09, 0xc2, 0xb5, 0xde, 0x18, 0x14, 0xd9,
27089 -+ 0xea, 0xe5, 0x29, 0x1c, 0x40, 0x56, 0xcf, 0xd7,
27090 -+ 0xae, 0x05, 0x3f, 0x65, 0xaf, 0x05, 0x73, 0xe2,
27091 -+ 0x35, 0x96, 0x27, 0x07, 0x14, 0xc0, 0xad, 0x33,
27092 -+ 0xf1, 0xdc, 0x44, 0x7a, 0x89, 0x17, 0x77, 0xd2,
27093 -+ 0x9c, 0x58, 0x60, 0xf0, 0x3f, 0x7b, 0x2d, 0x2e,
27094 -+ 0x57, 0x95, 0x54, 0x87, 0xed, 0xf2, 0xc7, 0x4c,
27095 -+ 0xf0, 0xae, 0x56, 0x29, 0x19, 0x7d, 0x66, 0x4b,
27096 -+ 0x9b, 0x83, 0x84, 0x42, 0x3b, 0x01, 0x25, 0x66,
27097 -+ 0x8e, 0x02, 0xde, 0xb9, 0x83, 0x54, 0x19, 0xf6,
27098 -+ 0x9f, 0x79, 0x0d, 0x67, 0xc5, 0x1d, 0x7a, 0x44,
27099 -+ 0x02, 0x98, 0xa7, 0x16, 0x1c, 0x29, 0x0d, 0x74,
27100 -+ 0xff, 0x85, 0x40, 0x06, 0xef, 0x2c, 0xa9, 0xc6,
27101 -+ 0xf5, 0x53, 0x07, 0x06, 0xae, 0xe4, 0xfa, 0x5f,
27102 -+ 0xd8, 0x39, 0x4d, 0xf1, 0x9b, 0x6b, 0xd9, 0x24,
27103 -+ 0x84, 0xfe, 0x03, 0x4c, 0xb2, 0x3f, 0xdf, 0xa1,
27104 -+ 0x05, 0x9e, 0x50, 0x14, 0x5a, 0xd9, 0x1a, 0xa2,
27105 -+ 0xa7, 0xfa, 0xfa, 0x17, 0xf7, 0x78, 0xd6, 0xb5,
27106 -+ 0x92, 0x61, 0x91, 0xac, 0x36, 0xfa, 0x56, 0x0d,
27107 -+ 0x38, 0x32, 0x18, 0x85, 0x08, 0x58, 0x37, 0xf0,
27108 -+ 0x4b, 0xdb, 0x59, 0xe7, 0xa4, 0x34, 0xc0, 0x1b,
27109 -+ 0x01, 0xaf, 0x2d, 0xde, 0xa1, 0xaa, 0x5d, 0xd3,
27110 -+ 0xec, 0xe1, 0xd4, 0xf7, 0xe6, 0x54, 0x68, 0xf0,
27111 -+ 0x51, 0x97, 0xa7, 0x89, 0xea, 0x24, 0xad, 0xd3,
27112 -+ 0x6e, 0x47, 0x93, 0x8b, 0x4b, 0xb4, 0xf7, 0x1c,
27113 -+ 0x42, 0x06, 0x67, 0xe8, 0x99, 0xf6, 0xf5, 0x7b,
27114 -+ 0x85, 0xb5, 0x65, 0xb5, 0xb5, 0xd2, 0x37, 0xf5,
27115 -+ 0xf3, 0x02, 0xa6, 0x4d, 0x11, 0xa7, 0xdc, 0x51,
27116 -+ 0x09, 0x7f, 0xa0, 0xd8, 0x88, 0x1c, 0x13, 0x71,
27117 -+ 0xae, 0x9c, 0xb7, 0x7b, 0x34, 0xd6, 0x4e, 0x68,
27118 -+ 0x26, 0x83, 0x51, 0xaf, 0x1d, 0xee, 0x8b, 0xbb,
27119 -+ 0x69, 0x43, 0x2b, 0x9e, 0x8a, 0xbc, 0x02, 0x0e,
27120 -+ 0xa0, 0x1b, 0xe0, 0xa8, 0x5f, 0x6f, 0xaf, 0x1b,
27121 -+ 0x8f, 0xe7, 0x64, 0x71, 0x74, 0x11, 0x7e, 0xa8,
27122 -+ 0xd8, 0xf9, 0x97, 0x06, 0xc3, 0xb6, 0xfb, 0xfb,
27123 -+ 0xb7, 0x3d, 0x35, 0x9d, 0x3b, 0x52, 0xed, 0x54,
27124 -+ 0xca, 0xf4, 0x81, 0x01, 0x2d, 0x1b, 0xc3, 0xa7,
27125 -+ 0x00, 0x3d, 0x1a, 0x39, 0x54, 0xe1, 0xf6, 0xff,
27126 -+ 0xed, 0x6f, 0x0b, 0x5a, 0x68, 0xda, 0x58, 0xdd,
27127 -+ 0xa9, 0xcf, 0x5c, 0x4a, 0xe5, 0x09, 0x4e, 0xde,
27128 -+ 0x9d, 0xbc, 0x3e, 0xee, 0x5a, 0x00, 0x3b, 0x2c,
27129 -+ 0x87, 0x10, 0x65, 0x60, 0xdd, 0xd7, 0x56, 0xd1,
27130 -+ 0x4c, 0x64, 0x45, 0xe4, 0x21, 0xec, 0x78, 0xf8,
27131 -+ 0x25, 0x7a, 0x3e, 0x16, 0x5d, 0x09, 0x53, 0x14,
27132 -+ 0xbe, 0x4f, 0xae, 0x87, 0xd8, 0xd1, 0xaa, 0x3c,
27133 -+ 0xf6, 0x3e, 0xa4, 0x70, 0x8c, 0x5e, 0x70, 0xa4,
27134 -+ 0xb3, 0x6b, 0x66, 0x73, 0xd3, 0xbf, 0x31, 0x06,
27135 -+ 0x19, 0x62, 0x93, 0x15, 0xf2, 0x86, 0xe4, 0x52,
27136 -+ 0x7e, 0x53, 0x4c, 0x12, 0x38, 0xcc, 0x34, 0x7d,
27137 -+ 0x57, 0xf6, 0x42, 0x93, 0x8a, 0xc4, 0xee, 0x5c,
27138 -+ 0x8a, 0xe1, 0x52, 0x8f, 0x56, 0x64, 0xf6, 0xa6,
27139 -+ 0xd1, 0x91, 0x57, 0x70, 0xcd, 0x11, 0x76, 0xf5,
27140 -+ 0x59, 0x60, 0x60, 0x3c, 0xc1, 0xc3, 0x0b, 0x7f,
27141 -+ 0x58, 0x1a, 0x50, 0x91, 0xf1, 0x68, 0x8f, 0x6e,
27142 -+ 0x74, 0x74, 0xa8, 0x51, 0x0b, 0xf7, 0x7a, 0x98,
27143 -+ 0x37, 0xf2, 0x0a, 0x0e, 0xa4, 0x97, 0x04, 0xb8,
27144 -+ 0x9b, 0xfd, 0xa0, 0xea, 0xf7, 0x0d, 0xe1, 0xdb,
27145 -+ 0x03, 0xf0, 0x31, 0x29, 0xf8, 0xdd, 0x6b, 0x8b,
27146 -+ 0x5d, 0xd8, 0x59, 0xa9, 0x29, 0xcf, 0x9a, 0x79,
27147 -+ 0x89, 0x19, 0x63, 0x46, 0x09, 0x79, 0x6a, 0x11,
27148 -+ 0xda, 0x63, 0x68, 0x48, 0x77, 0x23, 0xfb, 0x7d,
27149 -+ 0x3a, 0x43, 0xcb, 0x02, 0x3b, 0x7a, 0x6d, 0x10,
27150 -+ 0x2a, 0x9e, 0xac, 0xf1, 0xd4, 0x19, 0xf8, 0x23,
27151 -+ 0x64, 0x1d, 0x2c, 0x5f, 0xf2, 0xb0, 0x5c, 0x23,
27152 -+ 0x27, 0xf7, 0x27, 0x30, 0x16, 0x37, 0xb1, 0x90,
27153 -+ 0xab, 0x38, 0xfb, 0x55, 0xcd, 0x78, 0x58, 0xd4,
27154 -+ 0x7d, 0x43, 0xf6, 0x45, 0x5e, 0x55, 0x8d, 0xb1,
27155 -+ 0x02, 0x65, 0x58, 0xb4, 0x13, 0x4b, 0x36, 0xf7,
27156 -+ 0xcc, 0xfe, 0x3d, 0x0b, 0x82, 0xe2, 0x12, 0x11,
27157 -+ 0xbb, 0xe6, 0xb8, 0x3a, 0x48, 0x71, 0xc7, 0x50,
27158 -+ 0x06, 0x16, 0x3a, 0xe6, 0x7c, 0x05, 0xc7, 0xc8,
27159 -+ 0x4d, 0x2f, 0x08, 0x6a, 0x17, 0x9a, 0x95, 0x97,
27160 -+ 0x50, 0x68, 0xdc, 0x28, 0x18, 0xc4, 0x61, 0x38,
27161 -+ 0xb9, 0xe0, 0x3e, 0x78, 0xdb, 0x29, 0xe0, 0x9f,
27162 -+ 0x52, 0xdd, 0xf8, 0x4f, 0x91, 0xc1, 0xd0, 0x33,
27163 -+ 0xa1, 0x7a, 0x8e, 0x30, 0x13, 0x82, 0x07, 0x9f,
27164 -+ 0xd3, 0x31, 0x0f, 0x23, 0xbe, 0x32, 0x5a, 0x75,
27165 -+ 0xcf, 0x96, 0xb2, 0xec, 0xb5, 0x32, 0xac, 0x21,
27166 -+ 0xd1, 0x82, 0x33, 0xd3, 0x15, 0x74, 0xbd, 0x90,
27167 -+ 0xf1, 0x2c, 0xe6, 0x5f, 0x8d, 0xe3, 0x02, 0xe8,
27168 -+ 0xe9, 0xc4, 0xca, 0x96, 0xeb, 0x0e, 0xbc, 0x91,
27169 -+ 0xf4, 0xb9, 0xea, 0xd9, 0x1b, 0x75, 0xbd, 0xe1,
27170 -+ 0xac, 0x2a, 0x05, 0x37, 0x52, 0x9b, 0x1b, 0x3f,
27171 -+ 0x5a, 0xdc, 0x21, 0xc3, 0x98, 0xbb, 0xaf, 0xa3,
27172 -+ 0xf2, 0x00, 0xbf, 0x0d, 0x30, 0x89, 0x05, 0xcc,
27173 -+ 0xa5, 0x76, 0xf5, 0x06, 0xf0, 0xc6, 0x54, 0x8a,
27174 -+ 0x5d, 0xd4, 0x1e, 0xc1, 0xf2, 0xce, 0xb0, 0x62,
27175 -+ 0xc8, 0xfc, 0x59, 0x42, 0x9a, 0x90, 0x60, 0x55,
27176 -+ 0xfe, 0x88, 0xa5, 0x8b, 0xb8, 0x33, 0x0c, 0x23,
27177 -+ 0x24, 0x0d, 0x15, 0x70, 0x37, 0x1e, 0x3d, 0xf6,
27178 -+ 0xd2, 0xea, 0x92, 0x10, 0xb2, 0xc4, 0x51, 0xac,
27179 -+ 0xf2, 0xac, 0xf3, 0x6b, 0x6c, 0xaa, 0xcf, 0x12,
27180 -+ 0xc5, 0x6c, 0x90, 0x50, 0xb5, 0x0c, 0xfc, 0x1a,
27181 -+ 0x15, 0x52, 0xe9, 0x26, 0xc6, 0x52, 0xa4, 0xe7,
27182 -+ 0x81, 0x69, 0xe1, 0xe7, 0x9e, 0x30, 0x01, 0xec,
27183 -+ 0x84, 0x89, 0xb2, 0x0d, 0x66, 0xdd, 0xce, 0x28,
27184 -+ 0x5c, 0xec, 0x98, 0x46, 0x68, 0x21, 0x9f, 0x88,
27185 -+ 0x3f, 0x1f, 0x42, 0x77, 0xce, 0xd0, 0x61, 0xd4,
27186 -+ 0x20, 0xa7, 0xff, 0x53, 0xad, 0x37, 0xd0, 0x17,
27187 -+ 0x35, 0xc9, 0xfc, 0xba, 0x0a, 0x78, 0x3f, 0xf2,
27188 -+ 0xcc, 0x86, 0x89, 0xe8, 0x4b, 0x3c, 0x48, 0x33,
27189 -+ 0x09, 0x7f, 0xc6, 0xc0, 0xdd, 0xb8, 0xfd, 0x7a,
27190 -+ 0x66, 0x66, 0x65, 0xeb, 0x47, 0xa7, 0x04, 0x28,
27191 -+ 0xa3, 0x19, 0x8e, 0xa9, 0xb1, 0x13, 0x67, 0x62,
27192 -+ 0x70, 0xcf, 0xd6
27193 -+};
27194 -+static const u8 dec_output012[] __initconst = {
27195 -+ 0x74, 0xa6, 0x3e, 0xe4, 0xb1, 0xcb, 0xaf, 0xb0,
27196 -+ 0x40, 0xe5, 0x0f, 0x9e, 0xf1, 0xf2, 0x89, 0xb5,
27197 -+ 0x42, 0x34, 0x8a, 0xa1, 0x03, 0xb7, 0xe9, 0x57,
27198 -+ 0x46, 0xbe, 0x20, 0xe4, 0x6e, 0xb0, 0xeb, 0xff,
27199 -+ 0xea, 0x07, 0x7e, 0xef, 0xe2, 0x55, 0x9f, 0xe5,
27200 -+ 0x78, 0x3a, 0xb7, 0x83, 0xc2, 0x18, 0x40, 0x7b,
27201 -+ 0xeb, 0xcd, 0x81, 0xfb, 0x90, 0x12, 0x9e, 0x46,
27202 -+ 0xa9, 0xd6, 0x4a, 0xba, 0xb0, 0x62, 0xdb, 0x6b,
27203 -+ 0x99, 0xc4, 0xdb, 0x54, 0x4b, 0xb8, 0xa5, 0x71,
27204 -+ 0xcb, 0xcd, 0x63, 0x32, 0x55, 0xfb, 0x31, 0xf0,
27205 -+ 0x38, 0xf5, 0xbe, 0x78, 0xe4, 0x45, 0xce, 0x1b,
27206 -+ 0x6a, 0x5b, 0x0e, 0xf4, 0x16, 0xe4, 0xb1, 0x3d,
27207 -+ 0xf6, 0x63, 0x7b, 0xa7, 0x0c, 0xde, 0x6f, 0x8f,
27208 -+ 0x74, 0xdf, 0xe0, 0x1e, 0x9d, 0xce, 0x8f, 0x24,
27209 -+ 0xef, 0x23, 0x35, 0x33, 0x7b, 0x83, 0x34, 0x23,
27210 -+ 0x58, 0x74, 0x14, 0x77, 0x1f, 0xc2, 0x4f, 0x4e,
27211 -+ 0xc6, 0x89, 0xf9, 0x52, 0x09, 0x37, 0x64, 0x14,
27212 -+ 0xc4, 0x01, 0x6b, 0x9d, 0x77, 0xe8, 0x90, 0x5d,
27213 -+ 0xa8, 0x4a, 0x2a, 0xef, 0x5c, 0x7f, 0xeb, 0xbb,
27214 -+ 0xb2, 0xc6, 0x93, 0x99, 0x66, 0xdc, 0x7f, 0xd4,
27215 -+ 0x9e, 0x2a, 0xca, 0x8d, 0xdb, 0xe7, 0x20, 0xcf,
27216 -+ 0xe4, 0x73, 0xae, 0x49, 0x7d, 0x64, 0x0f, 0x0e,
27217 -+ 0x28, 0x46, 0xa9, 0xa8, 0x32, 0xe4, 0x0e, 0xf6,
27218 -+ 0x51, 0x53, 0xb8, 0x3c, 0xb1, 0xff, 0xa3, 0x33,
27219 -+ 0x41, 0x75, 0xff, 0xf1, 0x6f, 0xf1, 0xfb, 0xbb,
27220 -+ 0x83, 0x7f, 0x06, 0x9b, 0xe7, 0x1b, 0x0a, 0xe0,
27221 -+ 0x5c, 0x33, 0x60, 0x5b, 0xdb, 0x5b, 0xed, 0xfe,
27222 -+ 0xa5, 0x16, 0x19, 0x72, 0xa3, 0x64, 0x23, 0x00,
27223 -+ 0x02, 0xc7, 0xf3, 0x6a, 0x81, 0x3e, 0x44, 0x1d,
27224 -+ 0x79, 0x15, 0x5f, 0x9a, 0xde, 0xe2, 0xfd, 0x1b,
27225 -+ 0x73, 0xc1, 0xbc, 0x23, 0xba, 0x31, 0xd2, 0x50,
27226 -+ 0xd5, 0xad, 0x7f, 0x74, 0xa7, 0xc9, 0xf8, 0x3e,
27227 -+ 0x2b, 0x26, 0x10, 0xf6, 0x03, 0x36, 0x74, 0xe4,
27228 -+ 0x0e, 0x6a, 0x72, 0xb7, 0x73, 0x0a, 0x42, 0x28,
27229 -+ 0xc2, 0xad, 0x5e, 0x03, 0xbe, 0xb8, 0x0b, 0xa8,
27230 -+ 0x5b, 0xd4, 0xb8, 0xba, 0x52, 0x89, 0xb1, 0x9b,
27231 -+ 0xc1, 0xc3, 0x65, 0x87, 0xed, 0xa5, 0xf4, 0x86,
27232 -+ 0xfd, 0x41, 0x80, 0x91, 0x27, 0x59, 0x53, 0x67,
27233 -+ 0x15, 0x78, 0x54, 0x8b, 0x2d, 0x3d, 0xc7, 0xff,
27234 -+ 0x02, 0x92, 0x07, 0x5f, 0x7a, 0x4b, 0x60, 0x59,
27235 -+ 0x3c, 0x6f, 0x5c, 0xd8, 0xec, 0x95, 0xd2, 0xfe,
27236 -+ 0xa0, 0x3b, 0xd8, 0x3f, 0xd1, 0x69, 0xa6, 0xd6,
27237 -+ 0x41, 0xb2, 0xf4, 0x4d, 0x12, 0xf4, 0x58, 0x3e,
27238 -+ 0x66, 0x64, 0x80, 0x31, 0x9b, 0xa8, 0x4c, 0x8b,
27239 -+ 0x07, 0xb2, 0xec, 0x66, 0x94, 0x66, 0x47, 0x50,
27240 -+ 0x50, 0x5f, 0x18, 0x0b, 0x0e, 0xd6, 0xc0, 0x39,
27241 -+ 0x21, 0x13, 0x9e, 0x33, 0xbc, 0x79, 0x36, 0x02,
27242 -+ 0x96, 0x70, 0xf0, 0x48, 0x67, 0x2f, 0x26, 0xe9,
27243 -+ 0x6d, 0x10, 0xbb, 0xd6, 0x3f, 0xd1, 0x64, 0x7a,
27244 -+ 0x2e, 0xbe, 0x0c, 0x61, 0xf0, 0x75, 0x42, 0x38,
27245 -+ 0x23, 0xb1, 0x9e, 0x9f, 0x7c, 0x67, 0x66, 0xd9,
27246 -+ 0x58, 0x9a, 0xf1, 0xbb, 0x41, 0x2a, 0x8d, 0x65,
27247 -+ 0x84, 0x94, 0xfc, 0xdc, 0x6a, 0x50, 0x64, 0xdb,
27248 -+ 0x56, 0x33, 0x76, 0x00, 0x10, 0xed, 0xbe, 0xd2,
27249 -+ 0x12, 0xf6, 0xf6, 0x1b, 0xa2, 0x16, 0xde, 0xae,
27250 -+ 0x31, 0x95, 0xdd, 0xb1, 0x08, 0x7e, 0x4e, 0xee,
27251 -+ 0xe7, 0xf9, 0xa5, 0xfb, 0x5b, 0x61, 0x43, 0x00,
27252 -+ 0x40, 0xf6, 0x7e, 0x02, 0x04, 0x32, 0x4e, 0x0c,
27253 -+ 0xe2, 0x66, 0x0d, 0xd7, 0x07, 0x98, 0x0e, 0xf8,
27254 -+ 0x72, 0x34, 0x6d, 0x95, 0x86, 0xd7, 0xcb, 0x31,
27255 -+ 0x54, 0x47, 0xd0, 0x38, 0x29, 0x9c, 0x5a, 0x68,
27256 -+ 0xd4, 0x87, 0x76, 0xc9, 0xe7, 0x7e, 0xe3, 0xf4,
27257 -+ 0x81, 0x6d, 0x18, 0xcb, 0xc9, 0x05, 0xaf, 0xa0,
27258 -+ 0xfb, 0x66, 0xf7, 0xf1, 0x1c, 0xc6, 0x14, 0x11,
27259 -+ 0x4f, 0x2b, 0x79, 0x42, 0x8b, 0xbc, 0xac, 0xe7,
27260 -+ 0x6c, 0xfe, 0x0f, 0x58, 0xe7, 0x7c, 0x78, 0x39,
27261 -+ 0x30, 0xb0, 0x66, 0x2c, 0x9b, 0x6d, 0x3a, 0xe1,
27262 -+ 0xcf, 0xc9, 0xa4, 0x0e, 0x6d, 0x6d, 0x8a, 0xa1,
27263 -+ 0x3a, 0xe7, 0x28, 0xd4, 0x78, 0x4c, 0xa6, 0xa2,
27264 -+ 0x2a, 0xa6, 0x03, 0x30, 0xd7, 0xa8, 0x25, 0x66,
27265 -+ 0x87, 0x2f, 0x69, 0x5c, 0x4e, 0xdd, 0xa5, 0x49,
27266 -+ 0x5d, 0x37, 0x4a, 0x59, 0xc4, 0xaf, 0x1f, 0xa2,
27267 -+ 0xe4, 0xf8, 0xa6, 0x12, 0x97, 0xd5, 0x79, 0xf5,
27268 -+ 0xe2, 0x4a, 0x2b, 0x5f, 0x61, 0xe4, 0x9e, 0xe3,
27269 -+ 0xee, 0xb8, 0xa7, 0x5b, 0x2f, 0xf4, 0x9e, 0x6c,
27270 -+ 0xfb, 0xd1, 0xc6, 0x56, 0x77, 0xba, 0x75, 0xaa,
27271 -+ 0x3d, 0x1a, 0xa8, 0x0b, 0xb3, 0x68, 0x24, 0x00,
27272 -+ 0x10, 0x7f, 0xfd, 0xd7, 0xa1, 0x8d, 0x83, 0x54,
27273 -+ 0x4f, 0x1f, 0xd8, 0x2a, 0xbe, 0x8a, 0x0c, 0x87,
27274 -+ 0xab, 0xa2, 0xde, 0xc3, 0x39, 0xbf, 0x09, 0x03,
27275 -+ 0xa5, 0xf3, 0x05, 0x28, 0xe1, 0xe1, 0xee, 0x39,
27276 -+ 0x70, 0x9c, 0xd8, 0x81, 0x12, 0x1e, 0x02, 0x40,
27277 -+ 0xd2, 0x6e, 0xf0, 0xeb, 0x1b, 0x3d, 0x22, 0xc6,
27278 -+ 0xe5, 0xe3, 0xb4, 0x5a, 0x98, 0xbb, 0xf0, 0x22,
27279 -+ 0x28, 0x8d, 0xe5, 0xd3, 0x16, 0x48, 0x24, 0xa5,
27280 -+ 0xe6, 0x66, 0x0c, 0xf9, 0x08, 0xf9, 0x7e, 0x1e,
27281 -+ 0xe1, 0x28, 0x26, 0x22, 0xc7, 0xc7, 0x0a, 0x32,
27282 -+ 0x47, 0xfa, 0xa3, 0xbe, 0x3c, 0xc4, 0xc5, 0x53,
27283 -+ 0x0a, 0xd5, 0x94, 0x4a, 0xd7, 0x93, 0xd8, 0x42,
27284 -+ 0x99, 0xb9, 0x0a, 0xdb, 0x56, 0xf7, 0xb9, 0x1c,
27285 -+ 0x53, 0x4f, 0xfa, 0xd3, 0x74, 0xad, 0xd9, 0x68,
27286 -+ 0xf1, 0x1b, 0xdf, 0x61, 0xc6, 0x5e, 0xa8, 0x48,
27287 -+ 0xfc, 0xd4, 0x4a, 0x4c, 0x3c, 0x32, 0xf7, 0x1c,
27288 -+ 0x96, 0x21, 0x9b, 0xf9, 0xa3, 0xcc, 0x5a, 0xce,
27289 -+ 0xd5, 0xd7, 0x08, 0x24, 0xf6, 0x1c, 0xfd, 0xdd,
27290 -+ 0x38, 0xc2, 0x32, 0xe9, 0xb8, 0xe7, 0xb6, 0xfa,
27291 -+ 0x9d, 0x45, 0x13, 0x2c, 0x83, 0xfd, 0x4a, 0x69,
27292 -+ 0x82, 0xcd, 0xdc, 0xb3, 0x76, 0x0c, 0x9e, 0xd8,
27293 -+ 0xf4, 0x1b, 0x45, 0x15, 0xb4, 0x97, 0xe7, 0x58,
27294 -+ 0x34, 0xe2, 0x03, 0x29, 0x5a, 0xbf, 0xb6, 0xe0,
27295 -+ 0x5d, 0x13, 0xd9, 0x2b, 0xb4, 0x80, 0xb2, 0x45,
27296 -+ 0x81, 0x6a, 0x2e, 0x6c, 0x89, 0x7d, 0xee, 0xbb,
27297 -+ 0x52, 0xdd, 0x1f, 0x18, 0xe7, 0x13, 0x6b, 0x33,
27298 -+ 0x0e, 0xea, 0x36, 0x92, 0x77, 0x7b, 0x6d, 0x9c,
27299 -+ 0x5a, 0x5f, 0x45, 0x7b, 0x7b, 0x35, 0x62, 0x23,
27300 -+ 0xd1, 0xbf, 0x0f, 0xd0, 0x08, 0x1b, 0x2b, 0x80,
27301 -+ 0x6b, 0x7e, 0xf1, 0x21, 0x47, 0xb0, 0x57, 0xd1,
27302 -+ 0x98, 0x72, 0x90, 0x34, 0x1c, 0x20, 0x04, 0xff,
27303 -+ 0x3d, 0x5c, 0xee, 0x0e, 0x57, 0x5f, 0x6f, 0x24,
27304 -+ 0x4e, 0x3c, 0xea, 0xfc, 0xa5, 0xa9, 0x83, 0xc9,
27305 -+ 0x61, 0xb4, 0x51, 0x24, 0xf8, 0x27, 0x5e, 0x46,
27306 -+ 0x8c, 0xb1, 0x53, 0x02, 0x96, 0x35, 0xba, 0xb8,
27307 -+ 0x4c, 0x71, 0xd3, 0x15, 0x59, 0x35, 0x22, 0x20,
27308 -+ 0xad, 0x03, 0x9f, 0x66, 0x44, 0x3b, 0x9c, 0x35,
27309 -+ 0x37, 0x1f, 0x9b, 0xbb, 0xf3, 0xdb, 0x35, 0x63,
27310 -+ 0x30, 0x64, 0xaa, 0xa2, 0x06, 0xa8, 0x5d, 0xbb,
27311 -+ 0xe1, 0x9f, 0x70, 0xec, 0x82, 0x11, 0x06, 0x36,
27312 -+ 0xec, 0x8b, 0x69, 0x66, 0x24, 0x44, 0xc9, 0x4a,
27313 -+ 0x57, 0xbb, 0x9b, 0x78, 0x13, 0xce, 0x9c, 0x0c,
27314 -+ 0xba, 0x92, 0x93, 0x63, 0xb8, 0xe2, 0x95, 0x0f,
27315 -+ 0x0f, 0x16, 0x39, 0x52, 0xfd, 0x3a, 0x6d, 0x02,
27316 -+ 0x4b, 0xdf, 0x13, 0xd3, 0x2a, 0x22, 0xb4, 0x03,
27317 -+ 0x7c, 0x54, 0x49, 0x96, 0x68, 0x54, 0x10, 0xfa,
27318 -+ 0xef, 0xaa, 0x6c, 0xe8, 0x22, 0xdc, 0x71, 0x16,
27319 -+ 0x13, 0x1a, 0xf6, 0x28, 0xe5, 0x6d, 0x77, 0x3d,
27320 -+ 0xcd, 0x30, 0x63, 0xb1, 0x70, 0x52, 0xa1, 0xc5,
27321 -+ 0x94, 0x5f, 0xcf, 0xe8, 0xb8, 0x26, 0x98, 0xf7,
27322 -+ 0x06, 0xa0, 0x0a, 0x70, 0xfa, 0x03, 0x80, 0xac,
27323 -+ 0xc1, 0xec, 0xd6, 0x4c, 0x54, 0xd7, 0xfe, 0x47,
27324 -+ 0xb6, 0x88, 0x4a, 0xf7, 0x71, 0x24, 0xee, 0xf3,
27325 -+ 0xd2, 0xc2, 0x4a, 0x7f, 0xfe, 0x61, 0xc7, 0x35,
27326 -+ 0xc9, 0x37, 0x67, 0xcb, 0x24, 0x35, 0xda, 0x7e,
27327 -+ 0xca, 0x5f, 0xf3, 0x8d, 0xd4, 0x13, 0x8e, 0xd6,
27328 -+ 0xcb, 0x4d, 0x53, 0x8f, 0x53, 0x1f, 0xc0, 0x74,
27329 -+ 0xf7, 0x53, 0xb9, 0x5e, 0x23, 0x37, 0xba, 0x6e,
27330 -+ 0xe3, 0x9d, 0x07, 0x55, 0x25, 0x7b, 0xe6, 0x2a,
27331 -+ 0x64, 0xd1, 0x32, 0xdd, 0x54, 0x1b, 0x4b, 0xc0,
27332 -+ 0xe1, 0xd7, 0x69, 0x58, 0xf8, 0x93, 0x29, 0xc4,
27333 -+ 0xdd, 0x23, 0x2f, 0xa5, 0xfc, 0x9d, 0x7e, 0xf8,
27334 -+ 0xd4, 0x90, 0xcd, 0x82, 0x55, 0xdc, 0x16, 0x16,
27335 -+ 0x9f, 0x07, 0x52, 0x9b, 0x9d, 0x25, 0xed, 0x32,
27336 -+ 0xc5, 0x7b, 0xdf, 0xf6, 0x83, 0x46, 0x3d, 0x65,
27337 -+ 0xb7, 0xef, 0x87, 0x7a, 0x12, 0x69, 0x8f, 0x06,
27338 -+ 0x7c, 0x51, 0x15, 0x4a, 0x08, 0xe8, 0xac, 0x9a,
27339 -+ 0x0c, 0x24, 0xa7, 0x27, 0xd8, 0x46, 0x2f, 0xe7,
27340 -+ 0x01, 0x0e, 0x1c, 0xc6, 0x91, 0xb0, 0x6e, 0x85,
27341 -+ 0x65, 0xf0, 0x29, 0x0d, 0x2e, 0x6b, 0x3b, 0xfb,
27342 -+ 0x4b, 0xdf, 0xe4, 0x80, 0x93, 0x03, 0x66, 0x46,
27343 -+ 0x3e, 0x8a, 0x6e, 0xf3, 0x5e, 0x4d, 0x62, 0x0e,
27344 -+ 0x49, 0x05, 0xaf, 0xd4, 0xf8, 0x21, 0x20, 0x61,
27345 -+ 0x1d, 0x39, 0x17, 0xf4, 0x61, 0x47, 0x95, 0xfb,
27346 -+ 0x15, 0x2e, 0xb3, 0x4f, 0xd0, 0x5d, 0xf5, 0x7d,
27347 -+ 0x40, 0xda, 0x90, 0x3c, 0x6b, 0xcb, 0x17, 0x00,
27348 -+ 0x13, 0x3b, 0x64, 0x34, 0x1b, 0xf0, 0xf2, 0xe5,
27349 -+ 0x3b, 0xb2, 0xc7, 0xd3, 0x5f, 0x3a, 0x44, 0xa6,
27350 -+ 0x9b, 0xb7, 0x78, 0x0e, 0x42, 0x5d, 0x4c, 0xc1,
27351 -+ 0xe9, 0xd2, 0xcb, 0xb7, 0x78, 0xd1, 0xfe, 0x9a,
27352 -+ 0xb5, 0x07, 0xe9, 0xe0, 0xbe, 0xe2, 0x8a, 0xa7,
27353 -+ 0x01, 0x83, 0x00, 0x8c, 0x5c, 0x08, 0xe6, 0x63,
27354 -+ 0x12, 0x92, 0xb7, 0xb7, 0xa6, 0x19, 0x7d, 0x38,
27355 -+ 0x13, 0x38, 0x92, 0x87, 0x24, 0xf9, 0x48, 0xb3,
27356 -+ 0x5e, 0x87, 0x6a, 0x40, 0x39, 0x5c, 0x3f, 0xed,
27357 -+ 0x8f, 0xee, 0xdb, 0x15, 0x82, 0x06, 0xda, 0x49,
27358 -+ 0x21, 0x2b, 0xb5, 0xbf, 0x32, 0x7c, 0x9f, 0x42,
27359 -+ 0x28, 0x63, 0xcf, 0xaf, 0x1e, 0xf8, 0xc6, 0xa0,
27360 -+ 0xd1, 0x02, 0x43, 0x57, 0x62, 0xec, 0x9b, 0x0f,
27361 -+ 0x01, 0x9e, 0x71, 0xd8, 0x87, 0x9d, 0x01, 0xc1,
27362 -+ 0x58, 0x77, 0xd9, 0xaf, 0xb1, 0x10, 0x7e, 0xdd,
27363 -+ 0xa6, 0x50, 0x96, 0xe5, 0xf0, 0x72, 0x00, 0x6d,
27364 -+ 0x4b, 0xf8, 0x2a, 0x8f, 0x19, 0xf3, 0x22, 0x88,
27365 -+ 0x11, 0x4a, 0x8b, 0x7c, 0xfd, 0xb7, 0xed, 0xe1,
27366 -+ 0xf6, 0x40, 0x39, 0xe0, 0xe9, 0xf6, 0x3d, 0x25,
27367 -+ 0xe6, 0x74, 0x3c, 0x58, 0x57, 0x7f, 0xe1, 0x22,
27368 -+ 0x96, 0x47, 0x31, 0x91, 0xba, 0x70, 0x85, 0x28,
27369 -+ 0x6b, 0x9f, 0x6e, 0x25, 0xac, 0x23, 0x66, 0x2f,
27370 -+ 0x29, 0x88, 0x28, 0xce, 0x8c, 0x5c, 0x88, 0x53,
27371 -+ 0xd1, 0x3b, 0xcc, 0x6a, 0x51, 0xb2, 0xe1, 0x28,
27372 -+ 0x3f, 0x91, 0xb4, 0x0d, 0x00, 0x3a, 0xe3, 0xf8,
27373 -+ 0xc3, 0x8f, 0xd7, 0x96, 0x62, 0x0e, 0x2e, 0xfc,
27374 -+ 0xc8, 0x6c, 0x77, 0xa6, 0x1d, 0x22, 0xc1, 0xb8,
27375 -+ 0xe6, 0x61, 0xd7, 0x67, 0x36, 0x13, 0x7b, 0xbb,
27376 -+ 0x9b, 0x59, 0x09, 0xa6, 0xdf, 0xf7, 0x6b, 0xa3,
27377 -+ 0x40, 0x1a, 0xf5, 0x4f, 0xb4, 0xda, 0xd3, 0xf3,
27378 -+ 0x81, 0x93, 0xc6, 0x18, 0xd9, 0x26, 0xee, 0xac,
27379 -+ 0xf0, 0xaa, 0xdf, 0xc5, 0x9c, 0xca, 0xc2, 0xa2,
27380 -+ 0xcc, 0x7b, 0x5c, 0x24, 0xb0, 0xbc, 0xd0, 0x6a,
27381 -+ 0x4d, 0x89, 0x09, 0xb8, 0x07, 0xfe, 0x87, 0xad,
27382 -+ 0x0a, 0xea, 0xb8, 0x42, 0xf9, 0x5e, 0xb3, 0x3e,
27383 -+ 0x36, 0x4c, 0xaf, 0x75, 0x9e, 0x1c, 0xeb, 0xbd,
27384 -+ 0xbc, 0xbb, 0x80, 0x40, 0xa7, 0x3a, 0x30, 0xbf,
27385 -+ 0xa8, 0x44, 0xf4, 0xeb, 0x38, 0xad, 0x29, 0xba,
27386 -+ 0x23, 0xed, 0x41, 0x0c, 0xea, 0xd2, 0xbb, 0x41,
27387 -+ 0x18, 0xd6, 0xb9, 0xba, 0x65, 0x2b, 0xa3, 0x91,
27388 -+ 0x6d, 0x1f, 0xa9, 0xf4, 0xd1, 0x25, 0x8d, 0x4d,
27389 -+ 0x38, 0xff, 0x64, 0xa0, 0xec, 0xde, 0xa6, 0xb6,
27390 -+ 0x79, 0xab, 0x8e, 0x33, 0x6c, 0x47, 0xde, 0xaf,
27391 -+ 0x94, 0xa4, 0xa5, 0x86, 0x77, 0x55, 0x09, 0x92,
27392 -+ 0x81, 0x31, 0x76, 0xc7, 0x34, 0x22, 0x89, 0x8e,
27393 -+ 0x3d, 0x26, 0x26, 0xd7, 0xfc, 0x1e, 0x16, 0x72,
27394 -+ 0x13, 0x33, 0x63, 0xd5, 0x22, 0xbe, 0xb8, 0x04,
27395 -+ 0x34, 0x84, 0x41, 0xbb, 0x80, 0xd0, 0x9f, 0x46,
27396 -+ 0x48, 0x07, 0xa7, 0xfc, 0x2b, 0x3a, 0x75, 0x55,
27397 -+ 0x8c, 0xc7, 0x6a, 0xbd, 0x7e, 0x46, 0x08, 0x84,
27398 -+ 0x0f, 0xd5, 0x74, 0xc0, 0x82, 0x8e, 0xaa, 0x61,
27399 -+ 0x05, 0x01, 0xb2, 0x47, 0x6e, 0x20, 0x6a, 0x2d,
27400 -+ 0x58, 0x70, 0x48, 0x32, 0xa7, 0x37, 0xd2, 0xb8,
27401 -+ 0x82, 0x1a, 0x51, 0xb9, 0x61, 0xdd, 0xfd, 0x9d,
27402 -+ 0x6b, 0x0e, 0x18, 0x97, 0xf8, 0x45, 0x5f, 0x87,
27403 -+ 0x10, 0xcf, 0x34, 0x72, 0x45, 0x26, 0x49, 0x70,
27404 -+ 0xe7, 0xa3, 0x78, 0xe0, 0x52, 0x89, 0x84, 0x94,
27405 -+ 0x83, 0x82, 0xc2, 0x69, 0x8f, 0xe3, 0xe1, 0x3f,
27406 -+ 0x60, 0x74, 0x88, 0xc4, 0xf7, 0x75, 0x2c, 0xfb,
27407 -+ 0xbd, 0xb6, 0xc4, 0x7e, 0x10, 0x0a, 0x6c, 0x90,
27408 -+ 0x04, 0x9e, 0xc3, 0x3f, 0x59, 0x7c, 0xce, 0x31,
27409 -+ 0x18, 0x60, 0x57, 0x73, 0x46, 0x94, 0x7d, 0x06,
27410 -+ 0xa0, 0x6d, 0x44, 0xec, 0xa2, 0x0a, 0x9e, 0x05,
27411 -+ 0x15, 0xef, 0xca, 0x5c, 0xbf, 0x00, 0xeb, 0xf7,
27412 -+ 0x3d, 0x32, 0xd4, 0xa5, 0xef, 0x49, 0x89, 0x5e,
27413 -+ 0x46, 0xb0, 0xa6, 0x63, 0x5b, 0x8a, 0x73, 0xae,
27414 -+ 0x6f, 0xd5, 0x9d, 0xf8, 0x4f, 0x40, 0xb5, 0xb2,
27415 -+ 0x6e, 0xd3, 0xb6, 0x01, 0xa9, 0x26, 0xa2, 0x21,
27416 -+ 0xcf, 0x33, 0x7a, 0x3a, 0xa4, 0x23, 0x13, 0xb0,
27417 -+ 0x69, 0x6a, 0xee, 0xce, 0xd8, 0x9d, 0x01, 0x1d,
27418 -+ 0x50, 0xc1, 0x30, 0x6c, 0xb1, 0xcd, 0xa0, 0xf0,
27419 -+ 0xf0, 0xa2, 0x64, 0x6f, 0xbb, 0xbf, 0x5e, 0xe6,
27420 -+ 0xab, 0x87, 0xb4, 0x0f, 0x4f, 0x15, 0xaf, 0xb5,
27421 -+ 0x25, 0xa1, 0xb2, 0xd0, 0x80, 0x2c, 0xfb, 0xf9,
27422 -+ 0xfe, 0xd2, 0x33, 0xbb, 0x76, 0xfe, 0x7c, 0xa8,
27423 -+ 0x66, 0xf7, 0xe7, 0x85, 0x9f, 0x1f, 0x85, 0x57,
27424 -+ 0x88, 0xe1, 0xe9, 0x63, 0xe4, 0xd8, 0x1c, 0xa1,
27425 -+ 0xfb, 0xda, 0x44, 0x05, 0x2e, 0x1d, 0x3a, 0x1c,
27426 -+ 0xff, 0xc8, 0x3b, 0xc0, 0xfe, 0xda, 0x22, 0x0b,
27427 -+ 0x43, 0xd6, 0x88, 0x39, 0x4c, 0x4a, 0xa6, 0x69,
27428 -+ 0x18, 0x93, 0x42, 0x4e, 0xb5, 0xcc, 0x66, 0x0d,
27429 -+ 0x09, 0xf8, 0x1e, 0x7c, 0xd3, 0x3c, 0x99, 0x0d,
27430 -+ 0x50, 0x1d, 0x62, 0xe9, 0x57, 0x06, 0xbf, 0x19,
27431 -+ 0x88, 0xdd, 0xad, 0x7b, 0x4f, 0xf9, 0xc7, 0x82,
27432 -+ 0x6d, 0x8d, 0xc8, 0xc4, 0xc5, 0x78, 0x17, 0x20,
27433 -+ 0x15, 0xc5, 0x52, 0x41, 0xcf, 0x5b, 0xd6, 0x7f,
27434 -+ 0x94, 0x02, 0x41, 0xe0, 0x40, 0x22, 0x03, 0x5e,
27435 -+ 0xd1, 0x53, 0xd4, 0x86, 0xd3, 0x2c, 0x9f, 0x0f,
27436 -+ 0x96, 0xe3, 0x6b, 0x9a, 0x76, 0x32, 0x06, 0x47,
27437 -+ 0x4b, 0x11, 0xb3, 0xdd, 0x03, 0x65, 0xbd, 0x9b,
27438 -+ 0x01, 0xda, 0x9c, 0xb9, 0x7e, 0x3f, 0x6a, 0xc4,
27439 -+ 0x7b, 0xea, 0xd4, 0x3c, 0xb9, 0xfb, 0x5c, 0x6b,
27440 -+ 0x64, 0x33, 0x52, 0xba, 0x64, 0x78, 0x8f, 0xa4,
27441 -+ 0xaf, 0x7a, 0x61, 0x8d, 0xbc, 0xc5, 0x73, 0xe9,
27442 -+ 0x6b, 0x58, 0x97, 0x4b, 0xbf, 0x63, 0x22, 0xd3,
27443 -+ 0x37, 0x02, 0x54, 0xc5, 0xb9, 0x16, 0x4a, 0xf0,
27444 -+ 0x19, 0xd8, 0x94, 0x57, 0xb8, 0x8a, 0xb3, 0x16,
27445 -+ 0x3b, 0xd0, 0x84, 0x8e, 0x67, 0xa6, 0xa3, 0x7d,
27446 -+ 0x78, 0xec, 0x00
27447 -+};
27448 -+static const u8 dec_assoc012[] __initconst = {
27449 -+ 0xb1, 0x69, 0x83, 0x87, 0x30, 0xaa, 0x5d, 0xb8,
27450 -+ 0x77, 0xe8, 0x21, 0xff, 0x06, 0x59, 0x35, 0xce,
27451 -+ 0x75, 0xfe, 0x38, 0xef, 0xb8, 0x91, 0x43, 0x8c,
27452 -+ 0xcf, 0x70, 0xdd, 0x0a, 0x68, 0xbf, 0xd4, 0xbc,
27453 -+ 0x16, 0x76, 0x99, 0x36, 0x1e, 0x58, 0x79, 0x5e,
27454 -+ 0xd4, 0x29, 0xf7, 0x33, 0x93, 0x48, 0xdb, 0x5f,
27455 -+ 0x01, 0xae, 0x9c, 0xb6, 0xe4, 0x88, 0x6d, 0x2b,
27456 -+ 0x76, 0x75, 0xe0, 0xf3, 0x74, 0xe2, 0xc9
27457 -+};
27458 -+static const u8 dec_nonce012[] __initconst = {
27459 -+ 0x05, 0xa3, 0x93, 0xed, 0x30, 0xc5, 0xa2, 0x06
27460 -+};
27461 -+static const u8 dec_key012[] __initconst = {
27462 -+ 0xb3, 0x35, 0x50, 0x03, 0x54, 0x2e, 0x40, 0x5e,
27463 -+ 0x8f, 0x59, 0x8e, 0xc5, 0x90, 0xd5, 0x27, 0x2d,
27464 -+ 0xba, 0x29, 0x2e, 0xcb, 0x1b, 0x70, 0x44, 0x1e,
27465 -+ 0x65, 0x91, 0x6e, 0x2a, 0x79, 0x22, 0xda, 0x64
27466 -+};
27467 -+
27468 -+static const u8 dec_input013[] __initconst = {
27469 -+ 0x52, 0x34, 0xb3, 0x65, 0x3b, 0xb7, 0xe5, 0xd3,
27470 -+ 0xab, 0x49, 0x17, 0x60, 0xd2, 0x52, 0x56, 0xdf,
27471 -+ 0xdf, 0x34, 0x56, 0x82, 0xe2, 0xbe, 0xe5, 0xe1,
27472 -+ 0x28, 0xd1, 0x4e, 0x5f, 0x4f, 0x01, 0x7d, 0x3f,
27473 -+ 0x99, 0x6b, 0x30, 0x6e, 0x1a, 0x7c, 0x4c, 0x8e,
27474 -+ 0x62, 0x81, 0xae, 0x86, 0x3f, 0x6b, 0xd0, 0xb5,
27475 -+ 0xa9, 0xcf, 0x50, 0xf1, 0x02, 0x12, 0xa0, 0x0b,
27476 -+ 0x24, 0xe9, 0xe6, 0x72, 0x89, 0x2c, 0x52, 0x1b,
27477 -+ 0x34, 0x38, 0xf8, 0x75, 0x5f, 0xa0, 0x74, 0xe2,
27478 -+ 0x99, 0xdd, 0xa6, 0x4b, 0x14, 0x50, 0x4e, 0xf1,
27479 -+ 0xbe, 0xd6, 0x9e, 0xdb, 0xb2, 0x24, 0x27, 0x74,
27480 -+ 0x12, 0x4a, 0x78, 0x78, 0x17, 0xa5, 0x58, 0x8e,
27481 -+ 0x2f, 0xf9, 0xf4, 0x8d, 0xee, 0x03, 0x88, 0xae,
27482 -+ 0xb8, 0x29, 0xa1, 0x2f, 0x4b, 0xee, 0x92, 0xbd,
27483 -+ 0x87, 0xb3, 0xce, 0x34, 0x21, 0x57, 0x46, 0x04,
27484 -+ 0x49, 0x0c, 0x80, 0xf2, 0x01, 0x13, 0xa1, 0x55,
27485 -+ 0xb3, 0xff, 0x44, 0x30, 0x3c, 0x1c, 0xd0, 0xef,
27486 -+ 0xbc, 0x18, 0x74, 0x26, 0xad, 0x41, 0x5b, 0x5b,
27487 -+ 0x3e, 0x9a, 0x7a, 0x46, 0x4f, 0x16, 0xd6, 0x74,
27488 -+ 0x5a, 0xb7, 0x3a, 0x28, 0x31, 0xd8, 0xae, 0x26,
27489 -+ 0xac, 0x50, 0x53, 0x86, 0xf2, 0x56, 0xd7, 0x3f,
27490 -+ 0x29, 0xbc, 0x45, 0x68, 0x8e, 0xcb, 0x98, 0x64,
27491 -+ 0xdd, 0xc9, 0xba, 0xb8, 0x4b, 0x7b, 0x82, 0xdd,
27492 -+ 0x14, 0xa7, 0xcb, 0x71, 0x72, 0x00, 0x5c, 0xad,
27493 -+ 0x7b, 0x6a, 0x89, 0xa4, 0x3d, 0xbf, 0xb5, 0x4b,
27494 -+ 0x3e, 0x7c, 0x5a, 0xcf, 0xb8, 0xa1, 0xc5, 0x6e,
27495 -+ 0xc8, 0xb6, 0x31, 0x57, 0x7b, 0xdf, 0xa5, 0x7e,
27496 -+ 0xb1, 0xd6, 0x42, 0x2a, 0x31, 0x36, 0xd1, 0xd0,
27497 -+ 0x3f, 0x7a, 0xe5, 0x94, 0xd6, 0x36, 0xa0, 0x6f,
27498 -+ 0xb7, 0x40, 0x7d, 0x37, 0xc6, 0x55, 0x7c, 0x50,
27499 -+ 0x40, 0x6d, 0x29, 0x89, 0xe3, 0x5a, 0xae, 0x97,
27500 -+ 0xe7, 0x44, 0x49, 0x6e, 0xbd, 0x81, 0x3d, 0x03,
27501 -+ 0x93, 0x06, 0x12, 0x06, 0xe2, 0x41, 0x12, 0x4a,
27502 -+ 0xf1, 0x6a, 0xa4, 0x58, 0xa2, 0xfb, 0xd2, 0x15,
27503 -+ 0xba, 0xc9, 0x79, 0xc9, 0xce, 0x5e, 0x13, 0xbb,
27504 -+ 0xf1, 0x09, 0x04, 0xcc, 0xfd, 0xe8, 0x51, 0x34,
27505 -+ 0x6a, 0xe8, 0x61, 0x88, 0xda, 0xed, 0x01, 0x47,
27506 -+ 0x84, 0xf5, 0x73, 0x25, 0xf9, 0x1c, 0x42, 0x86,
27507 -+ 0x07, 0xf3, 0x5b, 0x1a, 0x01, 0xb3, 0xeb, 0x24,
27508 -+ 0x32, 0x8d, 0xf6, 0xed, 0x7c, 0x4b, 0xeb, 0x3c,
27509 -+ 0x36, 0x42, 0x28, 0xdf, 0xdf, 0xb6, 0xbe, 0xd9,
27510 -+ 0x8c, 0x52, 0xd3, 0x2b, 0x08, 0x90, 0x8c, 0xe7,
27511 -+ 0x98, 0x31, 0xe2, 0x32, 0x8e, 0xfc, 0x11, 0x48,
27512 -+ 0x00, 0xa8, 0x6a, 0x42, 0x4a, 0x02, 0xc6, 0x4b,
27513 -+ 0x09, 0xf1, 0xe3, 0x49, 0xf3, 0x45, 0x1f, 0x0e,
27514 -+ 0xbc, 0x56, 0xe2, 0xe4, 0xdf, 0xfb, 0xeb, 0x61,
27515 -+ 0xfa, 0x24, 0xc1, 0x63, 0x75, 0xbb, 0x47, 0x75,
27516 -+ 0xaf, 0xe1, 0x53, 0x16, 0x96, 0x21, 0x85, 0x26,
27517 -+ 0x11, 0xb3, 0x76, 0xe3, 0x23, 0xa1, 0x6b, 0x74,
27518 -+ 0x37, 0xd0, 0xde, 0x06, 0x90, 0x71, 0x5d, 0x43,
27519 -+ 0x88, 0x9b, 0x00, 0x54, 0xa6, 0x75, 0x2f, 0xa1,
27520 -+ 0xc2, 0x0b, 0x73, 0x20, 0x1d, 0xb6, 0x21, 0x79,
27521 -+ 0x57, 0x3f, 0xfa, 0x09, 0xbe, 0x8a, 0x33, 0xc3,
27522 -+ 0x52, 0xf0, 0x1d, 0x82, 0x31, 0xd1, 0x55, 0xb5,
27523 -+ 0x6c, 0x99, 0x25, 0xcf, 0x5c, 0x32, 0xce, 0xe9,
27524 -+ 0x0d, 0xfa, 0x69, 0x2c, 0xd5, 0x0d, 0xc5, 0x6d,
27525 -+ 0x86, 0xd0, 0x0c, 0x3b, 0x06, 0x50, 0x79, 0xe8,
27526 -+ 0xc3, 0xae, 0x04, 0xe6, 0xcd, 0x51, 0xe4, 0x26,
27527 -+ 0x9b, 0x4f, 0x7e, 0xa6, 0x0f, 0xab, 0xd8, 0xe5,
27528 -+ 0xde, 0xa9, 0x00, 0x95, 0xbe, 0xa3, 0x9d, 0x5d,
27529 -+ 0xb2, 0x09, 0x70, 0x18, 0x1c, 0xf0, 0xac, 0x29,
27530 -+ 0x23, 0x02, 0x29, 0x28, 0xd2, 0x74, 0x35, 0x57,
27531 -+ 0x62, 0x0f, 0x24, 0xea, 0x5e, 0x33, 0xc2, 0x92,
27532 -+ 0xf3, 0x78, 0x4d, 0x30, 0x1e, 0xa1, 0x99, 0xa9,
27533 -+ 0x82, 0xb0, 0x42, 0x31, 0x8d, 0xad, 0x8a, 0xbc,
27534 -+ 0xfc, 0xd4, 0x57, 0x47, 0x3e, 0xb4, 0x50, 0xdd,
27535 -+ 0x6e, 0x2c, 0x80, 0x4d, 0x22, 0xf1, 0xfb, 0x57,
27536 -+ 0xc4, 0xdd, 0x17, 0xe1, 0x8a, 0x36, 0x4a, 0xb3,
27537 -+ 0x37, 0xca, 0xc9, 0x4e, 0xab, 0xd5, 0x69, 0xc4,
27538 -+ 0xf4, 0xbc, 0x0b, 0x3b, 0x44, 0x4b, 0x29, 0x9c,
27539 -+ 0xee, 0xd4, 0x35, 0x22, 0x21, 0xb0, 0x1f, 0x27,
27540 -+ 0x64, 0xa8, 0x51, 0x1b, 0xf0, 0x9f, 0x19, 0x5c,
27541 -+ 0xfb, 0x5a, 0x64, 0x74, 0x70, 0x45, 0x09, 0xf5,
27542 -+ 0x64, 0xfe, 0x1a, 0x2d, 0xc9, 0x14, 0x04, 0x14,
27543 -+ 0xcf, 0xd5, 0x7d, 0x60, 0xaf, 0x94, 0x39, 0x94,
27544 -+ 0xe2, 0x7d, 0x79, 0x82, 0xd0, 0x65, 0x3b, 0x6b,
27545 -+ 0x9c, 0x19, 0x84, 0xb4, 0x6d, 0xb3, 0x0c, 0x99,
27546 -+ 0xc0, 0x56, 0xa8, 0xbd, 0x73, 0xce, 0x05, 0x84,
27547 -+ 0x3e, 0x30, 0xaa, 0xc4, 0x9b, 0x1b, 0x04, 0x2a,
27548 -+ 0x9f, 0xd7, 0x43, 0x2b, 0x23, 0xdf, 0xbf, 0xaa,
27549 -+ 0xd5, 0xc2, 0x43, 0x2d, 0x70, 0xab, 0xdc, 0x75,
27550 -+ 0xad, 0xac, 0xf7, 0xc0, 0xbe, 0x67, 0xb2, 0x74,
27551 -+ 0xed, 0x67, 0x10, 0x4a, 0x92, 0x60, 0xc1, 0x40,
27552 -+ 0x50, 0x19, 0x8a, 0x8a, 0x8c, 0x09, 0x0e, 0x72,
27553 -+ 0xe1, 0x73, 0x5e, 0xe8, 0x41, 0x85, 0x63, 0x9f,
27554 -+ 0x3f, 0xd7, 0x7d, 0xc4, 0xfb, 0x22, 0x5d, 0x92,
27555 -+ 0x6c, 0xb3, 0x1e, 0xe2, 0x50, 0x2f, 0x82, 0xa8,
27556 -+ 0x28, 0xc0, 0xb5, 0xd7, 0x5f, 0x68, 0x0d, 0x2c,
27557 -+ 0x2d, 0xaf, 0x7e, 0xfa, 0x2e, 0x08, 0x0f, 0x1f,
27558 -+ 0x70, 0x9f, 0xe9, 0x19, 0x72, 0x55, 0xf8, 0xfb,
27559 -+ 0x51, 0xd2, 0x33, 0x5d, 0xa0, 0xd3, 0x2b, 0x0a,
27560 -+ 0x6c, 0xbc, 0x4e, 0xcf, 0x36, 0x4d, 0xdc, 0x3b,
27561 -+ 0xe9, 0x3e, 0x81, 0x7c, 0x61, 0xdb, 0x20, 0x2d,
27562 -+ 0x3a, 0xc3, 0xb3, 0x0c, 0x1e, 0x00, 0xb9, 0x7c,
27563 -+ 0xf5, 0xca, 0x10, 0x5f, 0x3a, 0x71, 0xb3, 0xe4,
27564 -+ 0x20, 0xdb, 0x0c, 0x2a, 0x98, 0x63, 0x45, 0x00,
27565 -+ 0x58, 0xf6, 0x68, 0xe4, 0x0b, 0xda, 0x13, 0x3b,
27566 -+ 0x60, 0x5c, 0x76, 0xdb, 0xb9, 0x97, 0x71, 0xe4,
27567 -+ 0xd9, 0xb7, 0xdb, 0xbd, 0x68, 0xc7, 0x84, 0x84,
27568 -+ 0xaa, 0x7c, 0x68, 0x62, 0x5e, 0x16, 0xfc, 0xba,
27569 -+ 0x72, 0xaa, 0x9a, 0xa9, 0xeb, 0x7c, 0x75, 0x47,
27570 -+ 0x97, 0x7e, 0xad, 0xe2, 0xd9, 0x91, 0xe8, 0xe4,
27571 -+ 0xa5, 0x31, 0xd7, 0x01, 0x8e, 0xa2, 0x11, 0x88,
27572 -+ 0x95, 0xb9, 0xf2, 0x9b, 0xd3, 0x7f, 0x1b, 0x81,
27573 -+ 0x22, 0xf7, 0x98, 0x60, 0x0a, 0x64, 0xa6, 0xc1,
27574 -+ 0xf6, 0x49, 0xc7, 0xe3, 0x07, 0x4d, 0x94, 0x7a,
27575 -+ 0xcf, 0x6e, 0x68, 0x0c, 0x1b, 0x3f, 0x6e, 0x2e,
27576 -+ 0xee, 0x92, 0xfa, 0x52, 0xb3, 0x59, 0xf8, 0xf1,
27577 -+ 0x8f, 0x6a, 0x66, 0xa3, 0x82, 0x76, 0x4a, 0x07,
27578 -+ 0x1a, 0xc7, 0xdd, 0xf5, 0xda, 0x9c, 0x3c, 0x24,
27579 -+ 0xbf, 0xfd, 0x42, 0xa1, 0x10, 0x64, 0x6a, 0x0f,
27580 -+ 0x89, 0xee, 0x36, 0xa5, 0xce, 0x99, 0x48, 0x6a,
27581 -+ 0xf0, 0x9f, 0x9e, 0x69, 0xa4, 0x40, 0x20, 0xe9,
27582 -+ 0x16, 0x15, 0xf7, 0xdb, 0x75, 0x02, 0xcb, 0xe9,
27583 -+ 0x73, 0x8b, 0x3b, 0x49, 0x2f, 0xf0, 0xaf, 0x51,
27584 -+ 0x06, 0x5c, 0xdf, 0x27, 0x27, 0x49, 0x6a, 0xd1,
27585 -+ 0xcc, 0xc7, 0xb5, 0x63, 0xb5, 0xfc, 0xb8, 0x5c,
27586 -+ 0x87, 0x7f, 0x84, 0xb4, 0xcc, 0x14, 0xa9, 0x53,
27587 -+ 0xda, 0xa4, 0x56, 0xf8, 0xb6, 0x1b, 0xcc, 0x40,
27588 -+ 0x27, 0x52, 0x06, 0x5a, 0x13, 0x81, 0xd7, 0x3a,
27589 -+ 0xd4, 0x3b, 0xfb, 0x49, 0x65, 0x31, 0x33, 0xb2,
27590 -+ 0xfa, 0xcd, 0xad, 0x58, 0x4e, 0x2b, 0xae, 0xd2,
27591 -+ 0x20, 0xfb, 0x1a, 0x48, 0xb4, 0x3f, 0x9a, 0xd8,
27592 -+ 0x7a, 0x35, 0x4a, 0xc8, 0xee, 0x88, 0x5e, 0x07,
27593 -+ 0x66, 0x54, 0xb9, 0xec, 0x9f, 0xa3, 0xe3, 0xb9,
27594 -+ 0x37, 0xaa, 0x49, 0x76, 0x31, 0xda, 0x74, 0x2d,
27595 -+ 0x3c, 0xa4, 0x65, 0x10, 0x32, 0x38, 0xf0, 0xde,
27596 -+ 0xd3, 0x99, 0x17, 0xaa, 0x71, 0xaa, 0x8f, 0x0f,
27597 -+ 0x8c, 0xaf, 0xa2, 0xf8, 0x5d, 0x64, 0xba, 0x1d,
27598 -+ 0xa3, 0xef, 0x96, 0x73, 0xe8, 0xa1, 0x02, 0x8d,
27599 -+ 0x0c, 0x6d, 0xb8, 0x06, 0x90, 0xb8, 0x08, 0x56,
27600 -+ 0x2c, 0xa7, 0x06, 0xc9, 0xc2, 0x38, 0xdb, 0x7c,
27601 -+ 0x63, 0xb1, 0x57, 0x8e, 0xea, 0x7c, 0x79, 0xf3,
27602 -+ 0x49, 0x1d, 0xfe, 0x9f, 0xf3, 0x6e, 0xb1, 0x1d,
27603 -+ 0xba, 0x19, 0x80, 0x1a, 0x0a, 0xd3, 0xb0, 0x26,
27604 -+ 0x21, 0x40, 0xb1, 0x7c, 0xf9, 0x4d, 0x8d, 0x10,
27605 -+ 0xc1, 0x7e, 0xf4, 0xf6, 0x3c, 0xa8, 0xfd, 0x7c,
27606 -+ 0xa3, 0x92, 0xb2, 0x0f, 0xaa, 0xcc, 0xa6, 0x11,
27607 -+ 0xfe, 0x04, 0xe3, 0xd1, 0x7a, 0x32, 0x89, 0xdf,
27608 -+ 0x0d, 0xc4, 0x8f, 0x79, 0x6b, 0xca, 0x16, 0x7c,
27609 -+ 0x6e, 0xf9, 0xad, 0x0f, 0xf6, 0xfe, 0x27, 0xdb,
27610 -+ 0xc4, 0x13, 0x70, 0xf1, 0x62, 0x1a, 0x4f, 0x79,
27611 -+ 0x40, 0xc9, 0x9b, 0x8b, 0x21, 0xea, 0x84, 0xfa,
27612 -+ 0xf5, 0xf1, 0x89, 0xce, 0xb7, 0x55, 0x0a, 0x80,
27613 -+ 0x39, 0x2f, 0x55, 0x36, 0x16, 0x9c, 0x7b, 0x08,
27614 -+ 0xbd, 0x87, 0x0d, 0xa5, 0x32, 0xf1, 0x52, 0x7c,
27615 -+ 0xe8, 0x55, 0x60, 0x5b, 0xd7, 0x69, 0xe4, 0xfc,
27616 -+ 0xfa, 0x12, 0x85, 0x96, 0xea, 0x50, 0x28, 0xab,
27617 -+ 0x8a, 0xf7, 0xbb, 0x0e, 0x53, 0x74, 0xca, 0xa6,
27618 -+ 0x27, 0x09, 0xc2, 0xb5, 0xde, 0x18, 0x14, 0xd9,
27619 -+ 0xea, 0xe5, 0x29, 0x1c, 0x40, 0x56, 0xcf, 0xd7,
27620 -+ 0xae, 0x05, 0x3f, 0x65, 0xaf, 0x05, 0x73, 0xe2,
27621 -+ 0x35, 0x96, 0x27, 0x07, 0x14, 0xc0, 0xad, 0x33,
27622 -+ 0xf1, 0xdc, 0x44, 0x7a, 0x89, 0x17, 0x77, 0xd2,
27623 -+ 0x9c, 0x58, 0x60, 0xf0, 0x3f, 0x7b, 0x2d, 0x2e,
27624 -+ 0x57, 0x95, 0x54, 0x87, 0xed, 0xf2, 0xc7, 0x4c,
27625 -+ 0xf0, 0xae, 0x56, 0x29, 0x19, 0x7d, 0x66, 0x4b,
27626 -+ 0x9b, 0x83, 0x84, 0x42, 0x3b, 0x01, 0x25, 0x66,
27627 -+ 0x8e, 0x02, 0xde, 0xb9, 0x83, 0x54, 0x19, 0xf6,
27628 -+ 0x9f, 0x79, 0x0d, 0x67, 0xc5, 0x1d, 0x7a, 0x44,
27629 -+ 0x02, 0x98, 0xa7, 0x16, 0x1c, 0x29, 0x0d, 0x74,
27630 -+ 0xff, 0x85, 0x40, 0x06, 0xef, 0x2c, 0xa9, 0xc6,
27631 -+ 0xf5, 0x53, 0x07, 0x06, 0xae, 0xe4, 0xfa, 0x5f,
27632 -+ 0xd8, 0x39, 0x4d, 0xf1, 0x9b, 0x6b, 0xd9, 0x24,
27633 -+ 0x84, 0xfe, 0x03, 0x4c, 0xb2, 0x3f, 0xdf, 0xa1,
27634 -+ 0x05, 0x9e, 0x50, 0x14, 0x5a, 0xd9, 0x1a, 0xa2,
27635 -+ 0xa7, 0xfa, 0xfa, 0x17, 0xf7, 0x78, 0xd6, 0xb5,
27636 -+ 0x92, 0x61, 0x91, 0xac, 0x36, 0xfa, 0x56, 0x0d,
27637 -+ 0x38, 0x32, 0x18, 0x85, 0x08, 0x58, 0x37, 0xf0,
27638 -+ 0x4b, 0xdb, 0x59, 0xe7, 0xa4, 0x34, 0xc0, 0x1b,
27639 -+ 0x01, 0xaf, 0x2d, 0xde, 0xa1, 0xaa, 0x5d, 0xd3,
27640 -+ 0xec, 0xe1, 0xd4, 0xf7, 0xe6, 0x54, 0x68, 0xf0,
27641 -+ 0x51, 0x97, 0xa7, 0x89, 0xea, 0x24, 0xad, 0xd3,
27642 -+ 0x6e, 0x47, 0x93, 0x8b, 0x4b, 0xb4, 0xf7, 0x1c,
27643 -+ 0x42, 0x06, 0x67, 0xe8, 0x99, 0xf6, 0xf5, 0x7b,
27644 -+ 0x85, 0xb5, 0x65, 0xb5, 0xb5, 0xd2, 0x37, 0xf5,
27645 -+ 0xf3, 0x02, 0xa6, 0x4d, 0x11, 0xa7, 0xdc, 0x51,
27646 -+ 0x09, 0x7f, 0xa0, 0xd8, 0x88, 0x1c, 0x13, 0x71,
27647 -+ 0xae, 0x9c, 0xb7, 0x7b, 0x34, 0xd6, 0x4e, 0x68,
27648 -+ 0x26, 0x83, 0x51, 0xaf, 0x1d, 0xee, 0x8b, 0xbb,
27649 -+ 0x69, 0x43, 0x2b, 0x9e, 0x8a, 0xbc, 0x02, 0x0e,
27650 -+ 0xa0, 0x1b, 0xe0, 0xa8, 0x5f, 0x6f, 0xaf, 0x1b,
27651 -+ 0x8f, 0xe7, 0x64, 0x71, 0x74, 0x11, 0x7e, 0xa8,
27652 -+ 0xd8, 0xf9, 0x97, 0x06, 0xc3, 0xb6, 0xfb, 0xfb,
27653 -+ 0xb7, 0x3d, 0x35, 0x9d, 0x3b, 0x52, 0xed, 0x54,
27654 -+ 0xca, 0xf4, 0x81, 0x01, 0x2d, 0x1b, 0xc3, 0xa7,
27655 -+ 0x00, 0x3d, 0x1a, 0x39, 0x54, 0xe1, 0xf6, 0xff,
27656 -+ 0xed, 0x6f, 0x0b, 0x5a, 0x68, 0xda, 0x58, 0xdd,
27657 -+ 0xa9, 0xcf, 0x5c, 0x4a, 0xe5, 0x09, 0x4e, 0xde,
27658 -+ 0x9d, 0xbc, 0x3e, 0xee, 0x5a, 0x00, 0x3b, 0x2c,
27659 -+ 0x87, 0x10, 0x65, 0x60, 0xdd, 0xd7, 0x56, 0xd1,
27660 -+ 0x4c, 0x64, 0x45, 0xe4, 0x21, 0xec, 0x78, 0xf8,
27661 -+ 0x25, 0x7a, 0x3e, 0x16, 0x5d, 0x09, 0x53, 0x14,
27662 -+ 0xbe, 0x4f, 0xae, 0x87, 0xd8, 0xd1, 0xaa, 0x3c,
27663 -+ 0xf6, 0x3e, 0xa4, 0x70, 0x8c, 0x5e, 0x70, 0xa4,
27664 -+ 0xb3, 0x6b, 0x66, 0x73, 0xd3, 0xbf, 0x31, 0x06,
27665 -+ 0x19, 0x62, 0x93, 0x15, 0xf2, 0x86, 0xe4, 0x52,
27666 -+ 0x7e, 0x53, 0x4c, 0x12, 0x38, 0xcc, 0x34, 0x7d,
27667 -+ 0x57, 0xf6, 0x42, 0x93, 0x8a, 0xc4, 0xee, 0x5c,
27668 -+ 0x8a, 0xe1, 0x52, 0x8f, 0x56, 0x64, 0xf6, 0xa6,
27669 -+ 0xd1, 0x91, 0x57, 0x70, 0xcd, 0x11, 0x76, 0xf5,
27670 -+ 0x59, 0x60, 0x60, 0x3c, 0xc1, 0xc3, 0x0b, 0x7f,
27671 -+ 0x58, 0x1a, 0x50, 0x91, 0xf1, 0x68, 0x8f, 0x6e,
27672 -+ 0x74, 0x74, 0xa8, 0x51, 0x0b, 0xf7, 0x7a, 0x98,
27673 -+ 0x37, 0xf2, 0x0a, 0x0e, 0xa4, 0x97, 0x04, 0xb8,
27674 -+ 0x9b, 0xfd, 0xa0, 0xea, 0xf7, 0x0d, 0xe1, 0xdb,
27675 -+ 0x03, 0xf0, 0x31, 0x29, 0xf8, 0xdd, 0x6b, 0x8b,
27676 -+ 0x5d, 0xd8, 0x59, 0xa9, 0x29, 0xcf, 0x9a, 0x79,
27677 -+ 0x89, 0x19, 0x63, 0x46, 0x09, 0x79, 0x6a, 0x11,
27678 -+ 0xda, 0x63, 0x68, 0x48, 0x77, 0x23, 0xfb, 0x7d,
27679 -+ 0x3a, 0x43, 0xcb, 0x02, 0x3b, 0x7a, 0x6d, 0x10,
27680 -+ 0x2a, 0x9e, 0xac, 0xf1, 0xd4, 0x19, 0xf8, 0x23,
27681 -+ 0x64, 0x1d, 0x2c, 0x5f, 0xf2, 0xb0, 0x5c, 0x23,
27682 -+ 0x27, 0xf7, 0x27, 0x30, 0x16, 0x37, 0xb1, 0x90,
27683 -+ 0xab, 0x38, 0xfb, 0x55, 0xcd, 0x78, 0x58, 0xd4,
27684 -+ 0x7d, 0x43, 0xf6, 0x45, 0x5e, 0x55, 0x8d, 0xb1,
27685 -+ 0x02, 0x65, 0x58, 0xb4, 0x13, 0x4b, 0x36, 0xf7,
27686 -+ 0xcc, 0xfe, 0x3d, 0x0b, 0x82, 0xe2, 0x12, 0x11,
27687 -+ 0xbb, 0xe6, 0xb8, 0x3a, 0x48, 0x71, 0xc7, 0x50,
27688 -+ 0x06, 0x16, 0x3a, 0xe6, 0x7c, 0x05, 0xc7, 0xc8,
27689 -+ 0x4d, 0x2f, 0x08, 0x6a, 0x17, 0x9a, 0x95, 0x97,
27690 -+ 0x50, 0x68, 0xdc, 0x28, 0x18, 0xc4, 0x61, 0x38,
27691 -+ 0xb9, 0xe0, 0x3e, 0x78, 0xdb, 0x29, 0xe0, 0x9f,
27692 -+ 0x52, 0xdd, 0xf8, 0x4f, 0x91, 0xc1, 0xd0, 0x33,
27693 -+ 0xa1, 0x7a, 0x8e, 0x30, 0x13, 0x82, 0x07, 0x9f,
27694 -+ 0xd3, 0x31, 0x0f, 0x23, 0xbe, 0x32, 0x5a, 0x75,
27695 -+ 0xcf, 0x96, 0xb2, 0xec, 0xb5, 0x32, 0xac, 0x21,
27696 -+ 0xd1, 0x82, 0x33, 0xd3, 0x15, 0x74, 0xbd, 0x90,
27697 -+ 0xf1, 0x2c, 0xe6, 0x5f, 0x8d, 0xe3, 0x02, 0xe8,
27698 -+ 0xe9, 0xc4, 0xca, 0x96, 0xeb, 0x0e, 0xbc, 0x91,
27699 -+ 0xf4, 0xb9, 0xea, 0xd9, 0x1b, 0x75, 0xbd, 0xe1,
27700 -+ 0xac, 0x2a, 0x05, 0x37, 0x52, 0x9b, 0x1b, 0x3f,
27701 -+ 0x5a, 0xdc, 0x21, 0xc3, 0x98, 0xbb, 0xaf, 0xa3,
27702 -+ 0xf2, 0x00, 0xbf, 0x0d, 0x30, 0x89, 0x05, 0xcc,
27703 -+ 0xa5, 0x76, 0xf5, 0x06, 0xf0, 0xc6, 0x54, 0x8a,
27704 -+ 0x5d, 0xd4, 0x1e, 0xc1, 0xf2, 0xce, 0xb0, 0x62,
27705 -+ 0xc8, 0xfc, 0x59, 0x42, 0x9a, 0x90, 0x60, 0x55,
27706 -+ 0xfe, 0x88, 0xa5, 0x8b, 0xb8, 0x33, 0x0c, 0x23,
27707 -+ 0x24, 0x0d, 0x15, 0x70, 0x37, 0x1e, 0x3d, 0xf6,
27708 -+ 0xd2, 0xea, 0x92, 0x10, 0xb2, 0xc4, 0x51, 0xac,
27709 -+ 0xf2, 0xac, 0xf3, 0x6b, 0x6c, 0xaa, 0xcf, 0x12,
27710 -+ 0xc5, 0x6c, 0x90, 0x50, 0xb5, 0x0c, 0xfc, 0x1a,
27711 -+ 0x15, 0x52, 0xe9, 0x26, 0xc6, 0x52, 0xa4, 0xe7,
27712 -+ 0x81, 0x69, 0xe1, 0xe7, 0x9e, 0x30, 0x01, 0xec,
27713 -+ 0x84, 0x89, 0xb2, 0x0d, 0x66, 0xdd, 0xce, 0x28,
27714 -+ 0x5c, 0xec, 0x98, 0x46, 0x68, 0x21, 0x9f, 0x88,
27715 -+ 0x3f, 0x1f, 0x42, 0x77, 0xce, 0xd0, 0x61, 0xd4,
27716 -+ 0x20, 0xa7, 0xff, 0x53, 0xad, 0x37, 0xd0, 0x17,
27717 -+ 0x35, 0xc9, 0xfc, 0xba, 0x0a, 0x78, 0x3f, 0xf2,
27718 -+ 0xcc, 0x86, 0x89, 0xe8, 0x4b, 0x3c, 0x48, 0x33,
27719 -+ 0x09, 0x7f, 0xc6, 0xc0, 0xdd, 0xb8, 0xfd, 0x7a,
27720 -+ 0x66, 0x66, 0x65, 0xeb, 0x47, 0xa7, 0x04, 0x28,
27721 -+ 0xa3, 0x19, 0x8e, 0xa9, 0xb1, 0x13, 0x67, 0x62,
27722 -+ 0x70, 0xcf, 0xd7
27723 -+};
27724 -+static const u8 dec_output013[] __initconst = {
27725 -+ 0x74, 0xa6, 0x3e, 0xe4, 0xb1, 0xcb, 0xaf, 0xb0,
27726 -+ 0x40, 0xe5, 0x0f, 0x9e, 0xf1, 0xf2, 0x89, 0xb5,
27727 -+ 0x42, 0x34, 0x8a, 0xa1, 0x03, 0xb7, 0xe9, 0x57,
27728 -+ 0x46, 0xbe, 0x20, 0xe4, 0x6e, 0xb0, 0xeb, 0xff,
27729 -+ 0xea, 0x07, 0x7e, 0xef, 0xe2, 0x55, 0x9f, 0xe5,
27730 -+ 0x78, 0x3a, 0xb7, 0x83, 0xc2, 0x18, 0x40, 0x7b,
27731 -+ 0xeb, 0xcd, 0x81, 0xfb, 0x90, 0x12, 0x9e, 0x46,
27732 -+ 0xa9, 0xd6, 0x4a, 0xba, 0xb0, 0x62, 0xdb, 0x6b,
27733 -+ 0x99, 0xc4, 0xdb, 0x54, 0x4b, 0xb8, 0xa5, 0x71,
27734 -+ 0xcb, 0xcd, 0x63, 0x32, 0x55, 0xfb, 0x31, 0xf0,
27735 -+ 0x38, 0xf5, 0xbe, 0x78, 0xe4, 0x45, 0xce, 0x1b,
27736 -+ 0x6a, 0x5b, 0x0e, 0xf4, 0x16, 0xe4, 0xb1, 0x3d,
27737 -+ 0xf6, 0x63, 0x7b, 0xa7, 0x0c, 0xde, 0x6f, 0x8f,
27738 -+ 0x74, 0xdf, 0xe0, 0x1e, 0x9d, 0xce, 0x8f, 0x24,
27739 -+ 0xef, 0x23, 0x35, 0x33, 0x7b, 0x83, 0x34, 0x23,
27740 -+ 0x58, 0x74, 0x14, 0x77, 0x1f, 0xc2, 0x4f, 0x4e,
27741 -+ 0xc6, 0x89, 0xf9, 0x52, 0x09, 0x37, 0x64, 0x14,
27742 -+ 0xc4, 0x01, 0x6b, 0x9d, 0x77, 0xe8, 0x90, 0x5d,
27743 -+ 0xa8, 0x4a, 0x2a, 0xef, 0x5c, 0x7f, 0xeb, 0xbb,
27744 -+ 0xb2, 0xc6, 0x93, 0x99, 0x66, 0xdc, 0x7f, 0xd4,
27745 -+ 0x9e, 0x2a, 0xca, 0x8d, 0xdb, 0xe7, 0x20, 0xcf,
27746 -+ 0xe4, 0x73, 0xae, 0x49, 0x7d, 0x64, 0x0f, 0x0e,
27747 -+ 0x28, 0x46, 0xa9, 0xa8, 0x32, 0xe4, 0x0e, 0xf6,
27748 -+ 0x51, 0x53, 0xb8, 0x3c, 0xb1, 0xff, 0xa3, 0x33,
27749 -+ 0x41, 0x75, 0xff, 0xf1, 0x6f, 0xf1, 0xfb, 0xbb,
27750 -+ 0x83, 0x7f, 0x06, 0x9b, 0xe7, 0x1b, 0x0a, 0xe0,
27751 -+ 0x5c, 0x33, 0x60, 0x5b, 0xdb, 0x5b, 0xed, 0xfe,
27752 -+ 0xa5, 0x16, 0x19, 0x72, 0xa3, 0x64, 0x23, 0x00,
27753 -+ 0x02, 0xc7, 0xf3, 0x6a, 0x81, 0x3e, 0x44, 0x1d,
27754 -+ 0x79, 0x15, 0x5f, 0x9a, 0xde, 0xe2, 0xfd, 0x1b,
27755 -+ 0x73, 0xc1, 0xbc, 0x23, 0xba, 0x31, 0xd2, 0x50,
27756 -+ 0xd5, 0xad, 0x7f, 0x74, 0xa7, 0xc9, 0xf8, 0x3e,
27757 -+ 0x2b, 0x26, 0x10, 0xf6, 0x03, 0x36, 0x74, 0xe4,
27758 -+ 0x0e, 0x6a, 0x72, 0xb7, 0x73, 0x0a, 0x42, 0x28,
27759 -+ 0xc2, 0xad, 0x5e, 0x03, 0xbe, 0xb8, 0x0b, 0xa8,
27760 -+ 0x5b, 0xd4, 0xb8, 0xba, 0x52, 0x89, 0xb1, 0x9b,
27761 -+ 0xc1, 0xc3, 0x65, 0x87, 0xed, 0xa5, 0xf4, 0x86,
27762 -+ 0xfd, 0x41, 0x80, 0x91, 0x27, 0x59, 0x53, 0x67,
27763 -+ 0x15, 0x78, 0x54, 0x8b, 0x2d, 0x3d, 0xc7, 0xff,
27764 -+ 0x02, 0x92, 0x07, 0x5f, 0x7a, 0x4b, 0x60, 0x59,
27765 -+ 0x3c, 0x6f, 0x5c, 0xd8, 0xec, 0x95, 0xd2, 0xfe,
27766 -+ 0xa0, 0x3b, 0xd8, 0x3f, 0xd1, 0x69, 0xa6, 0xd6,
27767 -+ 0x41, 0xb2, 0xf4, 0x4d, 0x12, 0xf4, 0x58, 0x3e,
27768 -+ 0x66, 0x64, 0x80, 0x31, 0x9b, 0xa8, 0x4c, 0x8b,
27769 -+ 0x07, 0xb2, 0xec, 0x66, 0x94, 0x66, 0x47, 0x50,
27770 -+ 0x50, 0x5f, 0x18, 0x0b, 0x0e, 0xd6, 0xc0, 0x39,
27771 -+ 0x21, 0x13, 0x9e, 0x33, 0xbc, 0x79, 0x36, 0x02,
27772 -+ 0x96, 0x70, 0xf0, 0x48, 0x67, 0x2f, 0x26, 0xe9,
27773 -+ 0x6d, 0x10, 0xbb, 0xd6, 0x3f, 0xd1, 0x64, 0x7a,
27774 -+ 0x2e, 0xbe, 0x0c, 0x61, 0xf0, 0x75, 0x42, 0x38,
27775 -+ 0x23, 0xb1, 0x9e, 0x9f, 0x7c, 0x67, 0x66, 0xd9,
27776 -+ 0x58, 0x9a, 0xf1, 0xbb, 0x41, 0x2a, 0x8d, 0x65,
27777 -+ 0x84, 0x94, 0xfc, 0xdc, 0x6a, 0x50, 0x64, 0xdb,
27778 -+ 0x56, 0x33, 0x76, 0x00, 0x10, 0xed, 0xbe, 0xd2,
27779 -+ 0x12, 0xf6, 0xf6, 0x1b, 0xa2, 0x16, 0xde, 0xae,
27780 -+ 0x31, 0x95, 0xdd, 0xb1, 0x08, 0x7e, 0x4e, 0xee,
27781 -+ 0xe7, 0xf9, 0xa5, 0xfb, 0x5b, 0x61, 0x43, 0x00,
27782 -+ 0x40, 0xf6, 0x7e, 0x02, 0x04, 0x32, 0x4e, 0x0c,
27783 -+ 0xe2, 0x66, 0x0d, 0xd7, 0x07, 0x98, 0x0e, 0xf8,
27784 -+ 0x72, 0x34, 0x6d, 0x95, 0x86, 0xd7, 0xcb, 0x31,
27785 -+ 0x54, 0x47, 0xd0, 0x38, 0x29, 0x9c, 0x5a, 0x68,
27786 -+ 0xd4, 0x87, 0x76, 0xc9, 0xe7, 0x7e, 0xe3, 0xf4,
27787 -+ 0x81, 0x6d, 0x18, 0xcb, 0xc9, 0x05, 0xaf, 0xa0,
27788 -+ 0xfb, 0x66, 0xf7, 0xf1, 0x1c, 0xc6, 0x14, 0x11,
27789 -+ 0x4f, 0x2b, 0x79, 0x42, 0x8b, 0xbc, 0xac, 0xe7,
27790 -+ 0x6c, 0xfe, 0x0f, 0x58, 0xe7, 0x7c, 0x78, 0x39,
27791 -+ 0x30, 0xb0, 0x66, 0x2c, 0x9b, 0x6d, 0x3a, 0xe1,
27792 -+ 0xcf, 0xc9, 0xa4, 0x0e, 0x6d, 0x6d, 0x8a, 0xa1,
27793 -+ 0x3a, 0xe7, 0x28, 0xd4, 0x78, 0x4c, 0xa6, 0xa2,
27794 -+ 0x2a, 0xa6, 0x03, 0x30, 0xd7, 0xa8, 0x25, 0x66,
27795 -+ 0x87, 0x2f, 0x69, 0x5c, 0x4e, 0xdd, 0xa5, 0x49,
27796 -+ 0x5d, 0x37, 0x4a, 0x59, 0xc4, 0xaf, 0x1f, 0xa2,
27797 -+ 0xe4, 0xf8, 0xa6, 0x12, 0x97, 0xd5, 0x79, 0xf5,
27798 -+ 0xe2, 0x4a, 0x2b, 0x5f, 0x61, 0xe4, 0x9e, 0xe3,
27799 -+ 0xee, 0xb8, 0xa7, 0x5b, 0x2f, 0xf4, 0x9e, 0x6c,
27800 -+ 0xfb, 0xd1, 0xc6, 0x56, 0x77, 0xba, 0x75, 0xaa,
27801 -+ 0x3d, 0x1a, 0xa8, 0x0b, 0xb3, 0x68, 0x24, 0x00,
27802 -+ 0x10, 0x7f, 0xfd, 0xd7, 0xa1, 0x8d, 0x83, 0x54,
27803 -+ 0x4f, 0x1f, 0xd8, 0x2a, 0xbe, 0x8a, 0x0c, 0x87,
27804 -+ 0xab, 0xa2, 0xde, 0xc3, 0x39, 0xbf, 0x09, 0x03,
27805 -+ 0xa5, 0xf3, 0x05, 0x28, 0xe1, 0xe1, 0xee, 0x39,
27806 -+ 0x70, 0x9c, 0xd8, 0x81, 0x12, 0x1e, 0x02, 0x40,
27807 -+ 0xd2, 0x6e, 0xf0, 0xeb, 0x1b, 0x3d, 0x22, 0xc6,
27808 -+ 0xe5, 0xe3, 0xb4, 0x5a, 0x98, 0xbb, 0xf0, 0x22,
27809 -+ 0x28, 0x8d, 0xe5, 0xd3, 0x16, 0x48, 0x24, 0xa5,
27810 -+ 0xe6, 0x66, 0x0c, 0xf9, 0x08, 0xf9, 0x7e, 0x1e,
27811 -+ 0xe1, 0x28, 0x26, 0x22, 0xc7, 0xc7, 0x0a, 0x32,
27812 -+ 0x47, 0xfa, 0xa3, 0xbe, 0x3c, 0xc4, 0xc5, 0x53,
27813 -+ 0x0a, 0xd5, 0x94, 0x4a, 0xd7, 0x93, 0xd8, 0x42,
27814 -+ 0x99, 0xb9, 0x0a, 0xdb, 0x56, 0xf7, 0xb9, 0x1c,
27815 -+ 0x53, 0x4f, 0xfa, 0xd3, 0x74, 0xad, 0xd9, 0x68,
27816 -+ 0xf1, 0x1b, 0xdf, 0x61, 0xc6, 0x5e, 0xa8, 0x48,
27817 -+ 0xfc, 0xd4, 0x4a, 0x4c, 0x3c, 0x32, 0xf7, 0x1c,
27818 -+ 0x96, 0x21, 0x9b, 0xf9, 0xa3, 0xcc, 0x5a, 0xce,
27819 -+ 0xd5, 0xd7, 0x08, 0x24, 0xf6, 0x1c, 0xfd, 0xdd,
27820 -+ 0x38, 0xc2, 0x32, 0xe9, 0xb8, 0xe7, 0xb6, 0xfa,
27821 -+ 0x9d, 0x45, 0x13, 0x2c, 0x83, 0xfd, 0x4a, 0x69,
27822 -+ 0x82, 0xcd, 0xdc, 0xb3, 0x76, 0x0c, 0x9e, 0xd8,
27823 -+ 0xf4, 0x1b, 0x45, 0x15, 0xb4, 0x97, 0xe7, 0x58,
27824 -+ 0x34, 0xe2, 0x03, 0x29, 0x5a, 0xbf, 0xb6, 0xe0,
27825 -+ 0x5d, 0x13, 0xd9, 0x2b, 0xb4, 0x80, 0xb2, 0x45,
27826 -+ 0x81, 0x6a, 0x2e, 0x6c, 0x89, 0x7d, 0xee, 0xbb,
27827 -+ 0x52, 0xdd, 0x1f, 0x18, 0xe7, 0x13, 0x6b, 0x33,
27828 -+ 0x0e, 0xea, 0x36, 0x92, 0x77, 0x7b, 0x6d, 0x9c,
27829 -+ 0x5a, 0x5f, 0x45, 0x7b, 0x7b, 0x35, 0x62, 0x23,
27830 -+ 0xd1, 0xbf, 0x0f, 0xd0, 0x08, 0x1b, 0x2b, 0x80,
27831 -+ 0x6b, 0x7e, 0xf1, 0x21, 0x47, 0xb0, 0x57, 0xd1,
27832 -+ 0x98, 0x72, 0x90, 0x34, 0x1c, 0x20, 0x04, 0xff,
27833 -+ 0x3d, 0x5c, 0xee, 0x0e, 0x57, 0x5f, 0x6f, 0x24,
27834 -+ 0x4e, 0x3c, 0xea, 0xfc, 0xa5, 0xa9, 0x83, 0xc9,
27835 -+ 0x61, 0xb4, 0x51, 0x24, 0xf8, 0x27, 0x5e, 0x46,
27836 -+ 0x8c, 0xb1, 0x53, 0x02, 0x96, 0x35, 0xba, 0xb8,
27837 -+ 0x4c, 0x71, 0xd3, 0x15, 0x59, 0x35, 0x22, 0x20,
27838 -+ 0xad, 0x03, 0x9f, 0x66, 0x44, 0x3b, 0x9c, 0x35,
27839 -+ 0x37, 0x1f, 0x9b, 0xbb, 0xf3, 0xdb, 0x35, 0x63,
27840 -+ 0x30, 0x64, 0xaa, 0xa2, 0x06, 0xa8, 0x5d, 0xbb,
27841 -+ 0xe1, 0x9f, 0x70, 0xec, 0x82, 0x11, 0x06, 0x36,
27842 -+ 0xec, 0x8b, 0x69, 0x66, 0x24, 0x44, 0xc9, 0x4a,
27843 -+ 0x57, 0xbb, 0x9b, 0x78, 0x13, 0xce, 0x9c, 0x0c,
27844 -+ 0xba, 0x92, 0x93, 0x63, 0xb8, 0xe2, 0x95, 0x0f,
27845 -+ 0x0f, 0x16, 0x39, 0x52, 0xfd, 0x3a, 0x6d, 0x02,
27846 -+ 0x4b, 0xdf, 0x13, 0xd3, 0x2a, 0x22, 0xb4, 0x03,
27847 -+ 0x7c, 0x54, 0x49, 0x96, 0x68, 0x54, 0x10, 0xfa,
27848 -+ 0xef, 0xaa, 0x6c, 0xe8, 0x22, 0xdc, 0x71, 0x16,
27849 -+ 0x13, 0x1a, 0xf6, 0x28, 0xe5, 0x6d, 0x77, 0x3d,
27850 -+ 0xcd, 0x30, 0x63, 0xb1, 0x70, 0x52, 0xa1, 0xc5,
27851 -+ 0x94, 0x5f, 0xcf, 0xe8, 0xb8, 0x26, 0x98, 0xf7,
27852 -+ 0x06, 0xa0, 0x0a, 0x70, 0xfa, 0x03, 0x80, 0xac,
27853 -+ 0xc1, 0xec, 0xd6, 0x4c, 0x54, 0xd7, 0xfe, 0x47,
27854 -+ 0xb6, 0x88, 0x4a, 0xf7, 0x71, 0x24, 0xee, 0xf3,
27855 -+ 0xd2, 0xc2, 0x4a, 0x7f, 0xfe, 0x61, 0xc7, 0x35,
27856 -+ 0xc9, 0x37, 0x67, 0xcb, 0x24, 0x35, 0xda, 0x7e,
27857 -+ 0xca, 0x5f, 0xf3, 0x8d, 0xd4, 0x13, 0x8e, 0xd6,
27858 -+ 0xcb, 0x4d, 0x53, 0x8f, 0x53, 0x1f, 0xc0, 0x74,
27859 -+ 0xf7, 0x53, 0xb9, 0x5e, 0x23, 0x37, 0xba, 0x6e,
27860 -+ 0xe3, 0x9d, 0x07, 0x55, 0x25, 0x7b, 0xe6, 0x2a,
27861 -+ 0x64, 0xd1, 0x32, 0xdd, 0x54, 0x1b, 0x4b, 0xc0,
27862 -+ 0xe1, 0xd7, 0x69, 0x58, 0xf8, 0x93, 0x29, 0xc4,
27863 -+ 0xdd, 0x23, 0x2f, 0xa5, 0xfc, 0x9d, 0x7e, 0xf8,
27864 -+ 0xd4, 0x90, 0xcd, 0x82, 0x55, 0xdc, 0x16, 0x16,
27865 -+ 0x9f, 0x07, 0x52, 0x9b, 0x9d, 0x25, 0xed, 0x32,
27866 -+ 0xc5, 0x7b, 0xdf, 0xf6, 0x83, 0x46, 0x3d, 0x65,
27867 -+ 0xb7, 0xef, 0x87, 0x7a, 0x12, 0x69, 0x8f, 0x06,
27868 -+ 0x7c, 0x51, 0x15, 0x4a, 0x08, 0xe8, 0xac, 0x9a,
27869 -+ 0x0c, 0x24, 0xa7, 0x27, 0xd8, 0x46, 0x2f, 0xe7,
27870 -+ 0x01, 0x0e, 0x1c, 0xc6, 0x91, 0xb0, 0x6e, 0x85,
27871 -+ 0x65, 0xf0, 0x29, 0x0d, 0x2e, 0x6b, 0x3b, 0xfb,
27872 -+ 0x4b, 0xdf, 0xe4, 0x80, 0x93, 0x03, 0x66, 0x46,
27873 -+ 0x3e, 0x8a, 0x6e, 0xf3, 0x5e, 0x4d, 0x62, 0x0e,
27874 -+ 0x49, 0x05, 0xaf, 0xd4, 0xf8, 0x21, 0x20, 0x61,
27875 -+ 0x1d, 0x39, 0x17, 0xf4, 0x61, 0x47, 0x95, 0xfb,
27876 -+ 0x15, 0x2e, 0xb3, 0x4f, 0xd0, 0x5d, 0xf5, 0x7d,
27877 -+ 0x40, 0xda, 0x90, 0x3c, 0x6b, 0xcb, 0x17, 0x00,
27878 -+ 0x13, 0x3b, 0x64, 0x34, 0x1b, 0xf0, 0xf2, 0xe5,
27879 -+ 0x3b, 0xb2, 0xc7, 0xd3, 0x5f, 0x3a, 0x44, 0xa6,
27880 -+ 0x9b, 0xb7, 0x78, 0x0e, 0x42, 0x5d, 0x4c, 0xc1,
27881 -+ 0xe9, 0xd2, 0xcb, 0xb7, 0x78, 0xd1, 0xfe, 0x9a,
27882 -+ 0xb5, 0x07, 0xe9, 0xe0, 0xbe, 0xe2, 0x8a, 0xa7,
27883 -+ 0x01, 0x83, 0x00, 0x8c, 0x5c, 0x08, 0xe6, 0x63,
27884 -+ 0x12, 0x92, 0xb7, 0xb7, 0xa6, 0x19, 0x7d, 0x38,
27885 -+ 0x13, 0x38, 0x92, 0x87, 0x24, 0xf9, 0x48, 0xb3,
27886 -+ 0x5e, 0x87, 0x6a, 0x40, 0x39, 0x5c, 0x3f, 0xed,
27887 -+ 0x8f, 0xee, 0xdb, 0x15, 0x82, 0x06, 0xda, 0x49,
27888 -+ 0x21, 0x2b, 0xb5, 0xbf, 0x32, 0x7c, 0x9f, 0x42,
27889 -+ 0x28, 0x63, 0xcf, 0xaf, 0x1e, 0xf8, 0xc6, 0xa0,
27890 -+ 0xd1, 0x02, 0x43, 0x57, 0x62, 0xec, 0x9b, 0x0f,
27891 -+ 0x01, 0x9e, 0x71, 0xd8, 0x87, 0x9d, 0x01, 0xc1,
27892 -+ 0x58, 0x77, 0xd9, 0xaf, 0xb1, 0x10, 0x7e, 0xdd,
27893 -+ 0xa6, 0x50, 0x96, 0xe5, 0xf0, 0x72, 0x00, 0x6d,
27894 -+ 0x4b, 0xf8, 0x2a, 0x8f, 0x19, 0xf3, 0x22, 0x88,
27895 -+ 0x11, 0x4a, 0x8b, 0x7c, 0xfd, 0xb7, 0xed, 0xe1,
27896 -+ 0xf6, 0x40, 0x39, 0xe0, 0xe9, 0xf6, 0x3d, 0x25,
27897 -+ 0xe6, 0x74, 0x3c, 0x58, 0x57, 0x7f, 0xe1, 0x22,
27898 -+ 0x96, 0x47, 0x31, 0x91, 0xba, 0x70, 0x85, 0x28,
27899 -+ 0x6b, 0x9f, 0x6e, 0x25, 0xac, 0x23, 0x66, 0x2f,
27900 -+ 0x29, 0x88, 0x28, 0xce, 0x8c, 0x5c, 0x88, 0x53,
27901 -+ 0xd1, 0x3b, 0xcc, 0x6a, 0x51, 0xb2, 0xe1, 0x28,
27902 -+ 0x3f, 0x91, 0xb4, 0x0d, 0x00, 0x3a, 0xe3, 0xf8,
27903 -+ 0xc3, 0x8f, 0xd7, 0x96, 0x62, 0x0e, 0x2e, 0xfc,
27904 -+ 0xc8, 0x6c, 0x77, 0xa6, 0x1d, 0x22, 0xc1, 0xb8,
27905 -+ 0xe6, 0x61, 0xd7, 0x67, 0x36, 0x13, 0x7b, 0xbb,
27906 -+ 0x9b, 0x59, 0x09, 0xa6, 0xdf, 0xf7, 0x6b, 0xa3,
27907 -+ 0x40, 0x1a, 0xf5, 0x4f, 0xb4, 0xda, 0xd3, 0xf3,
27908 -+ 0x81, 0x93, 0xc6, 0x18, 0xd9, 0x26, 0xee, 0xac,
27909 -+ 0xf0, 0xaa, 0xdf, 0xc5, 0x9c, 0xca, 0xc2, 0xa2,
27910 -+ 0xcc, 0x7b, 0x5c, 0x24, 0xb0, 0xbc, 0xd0, 0x6a,
27911 -+ 0x4d, 0x89, 0x09, 0xb8, 0x07, 0xfe, 0x87, 0xad,
27912 -+ 0x0a, 0xea, 0xb8, 0x42, 0xf9, 0x5e, 0xb3, 0x3e,
27913 -+ 0x36, 0x4c, 0xaf, 0x75, 0x9e, 0x1c, 0xeb, 0xbd,
27914 -+ 0xbc, 0xbb, 0x80, 0x40, 0xa7, 0x3a, 0x30, 0xbf,
27915 -+ 0xa8, 0x44, 0xf4, 0xeb, 0x38, 0xad, 0x29, 0xba,
27916 -+ 0x23, 0xed, 0x41, 0x0c, 0xea, 0xd2, 0xbb, 0x41,
27917 -+ 0x18, 0xd6, 0xb9, 0xba, 0x65, 0x2b, 0xa3, 0x91,
27918 -+ 0x6d, 0x1f, 0xa9, 0xf4, 0xd1, 0x25, 0x8d, 0x4d,
27919 -+ 0x38, 0xff, 0x64, 0xa0, 0xec, 0xde, 0xa6, 0xb6,
27920 -+ 0x79, 0xab, 0x8e, 0x33, 0x6c, 0x47, 0xde, 0xaf,
27921 -+ 0x94, 0xa4, 0xa5, 0x86, 0x77, 0x55, 0x09, 0x92,
27922 -+ 0x81, 0x31, 0x76, 0xc7, 0x34, 0x22, 0x89, 0x8e,
27923 -+ 0x3d, 0x26, 0x26, 0xd7, 0xfc, 0x1e, 0x16, 0x72,
27924 -+ 0x13, 0x33, 0x63, 0xd5, 0x22, 0xbe, 0xb8, 0x04,
27925 -+ 0x34, 0x84, 0x41, 0xbb, 0x80, 0xd0, 0x9f, 0x46,
27926 -+ 0x48, 0x07, 0xa7, 0xfc, 0x2b, 0x3a, 0x75, 0x55,
27927 -+ 0x8c, 0xc7, 0x6a, 0xbd, 0x7e, 0x46, 0x08, 0x84,
27928 -+ 0x0f, 0xd5, 0x74, 0xc0, 0x82, 0x8e, 0xaa, 0x61,
27929 -+ 0x05, 0x01, 0xb2, 0x47, 0x6e, 0x20, 0x6a, 0x2d,
27930 -+ 0x58, 0x70, 0x48, 0x32, 0xa7, 0x37, 0xd2, 0xb8,
27931 -+ 0x82, 0x1a, 0x51, 0xb9, 0x61, 0xdd, 0xfd, 0x9d,
27932 -+ 0x6b, 0x0e, 0x18, 0x97, 0xf8, 0x45, 0x5f, 0x87,
27933 -+ 0x10, 0xcf, 0x34, 0x72, 0x45, 0x26, 0x49, 0x70,
27934 -+ 0xe7, 0xa3, 0x78, 0xe0, 0x52, 0x89, 0x84, 0x94,
27935 -+ 0x83, 0x82, 0xc2, 0x69, 0x8f, 0xe3, 0xe1, 0x3f,
27936 -+ 0x60, 0x74, 0x88, 0xc4, 0xf7, 0x75, 0x2c, 0xfb,
27937 -+ 0xbd, 0xb6, 0xc4, 0x7e, 0x10, 0x0a, 0x6c, 0x90,
27938 -+ 0x04, 0x9e, 0xc3, 0x3f, 0x59, 0x7c, 0xce, 0x31,
27939 -+ 0x18, 0x60, 0x57, 0x73, 0x46, 0x94, 0x7d, 0x06,
27940 -+ 0xa0, 0x6d, 0x44, 0xec, 0xa2, 0x0a, 0x9e, 0x05,
27941 -+ 0x15, 0xef, 0xca, 0x5c, 0xbf, 0x00, 0xeb, 0xf7,
27942 -+ 0x3d, 0x32, 0xd4, 0xa5, 0xef, 0x49, 0x89, 0x5e,
27943 -+ 0x46, 0xb0, 0xa6, 0x63, 0x5b, 0x8a, 0x73, 0xae,
27944 -+ 0x6f, 0xd5, 0x9d, 0xf8, 0x4f, 0x40, 0xb5, 0xb2,
27945 -+ 0x6e, 0xd3, 0xb6, 0x01, 0xa9, 0x26, 0xa2, 0x21,
27946 -+ 0xcf, 0x33, 0x7a, 0x3a, 0xa4, 0x23, 0x13, 0xb0,
27947 -+ 0x69, 0x6a, 0xee, 0xce, 0xd8, 0x9d, 0x01, 0x1d,
27948 -+ 0x50, 0xc1, 0x30, 0x6c, 0xb1, 0xcd, 0xa0, 0xf0,
27949 -+ 0xf0, 0xa2, 0x64, 0x6f, 0xbb, 0xbf, 0x5e, 0xe6,
27950 -+ 0xab, 0x87, 0xb4, 0x0f, 0x4f, 0x15, 0xaf, 0xb5,
27951 -+ 0x25, 0xa1, 0xb2, 0xd0, 0x80, 0x2c, 0xfb, 0xf9,
27952 -+ 0xfe, 0xd2, 0x33, 0xbb, 0x76, 0xfe, 0x7c, 0xa8,
27953 -+ 0x66, 0xf7, 0xe7, 0x85, 0x9f, 0x1f, 0x85, 0x57,
27954 -+ 0x88, 0xe1, 0xe9, 0x63, 0xe4, 0xd8, 0x1c, 0xa1,
27955 -+ 0xfb, 0xda, 0x44, 0x05, 0x2e, 0x1d, 0x3a, 0x1c,
27956 -+ 0xff, 0xc8, 0x3b, 0xc0, 0xfe, 0xda, 0x22, 0x0b,
27957 -+ 0x43, 0xd6, 0x88, 0x39, 0x4c, 0x4a, 0xa6, 0x69,
27958 -+ 0x18, 0x93, 0x42, 0x4e, 0xb5, 0xcc, 0x66, 0x0d,
27959 -+ 0x09, 0xf8, 0x1e, 0x7c, 0xd3, 0x3c, 0x99, 0x0d,
27960 -+ 0x50, 0x1d, 0x62, 0xe9, 0x57, 0x06, 0xbf, 0x19,
27961 -+ 0x88, 0xdd, 0xad, 0x7b, 0x4f, 0xf9, 0xc7, 0x82,
27962 -+ 0x6d, 0x8d, 0xc8, 0xc4, 0xc5, 0x78, 0x17, 0x20,
27963 -+ 0x15, 0xc5, 0x52, 0x41, 0xcf, 0x5b, 0xd6, 0x7f,
27964 -+ 0x94, 0x02, 0x41, 0xe0, 0x40, 0x22, 0x03, 0x5e,
27965 -+ 0xd1, 0x53, 0xd4, 0x86, 0xd3, 0x2c, 0x9f, 0x0f,
27966 -+ 0x96, 0xe3, 0x6b, 0x9a, 0x76, 0x32, 0x06, 0x47,
27967 -+ 0x4b, 0x11, 0xb3, 0xdd, 0x03, 0x65, 0xbd, 0x9b,
27968 -+ 0x01, 0xda, 0x9c, 0xb9, 0x7e, 0x3f, 0x6a, 0xc4,
27969 -+ 0x7b, 0xea, 0xd4, 0x3c, 0xb9, 0xfb, 0x5c, 0x6b,
27970 -+ 0x64, 0x33, 0x52, 0xba, 0x64, 0x78, 0x8f, 0xa4,
27971 -+ 0xaf, 0x7a, 0x61, 0x8d, 0xbc, 0xc5, 0x73, 0xe9,
27972 -+ 0x6b, 0x58, 0x97, 0x4b, 0xbf, 0x63, 0x22, 0xd3,
27973 -+ 0x37, 0x02, 0x54, 0xc5, 0xb9, 0x16, 0x4a, 0xf0,
27974 -+ 0x19, 0xd8, 0x94, 0x57, 0xb8, 0x8a, 0xb3, 0x16,
27975 -+ 0x3b, 0xd0, 0x84, 0x8e, 0x67, 0xa6, 0xa3, 0x7d,
27976 -+ 0x78, 0xec, 0x00
27977 -+};
27978 -+static const u8 dec_assoc013[] __initconst = {
27979 -+ 0xb1, 0x69, 0x83, 0x87, 0x30, 0xaa, 0x5d, 0xb8,
27980 -+ 0x77, 0xe8, 0x21, 0xff, 0x06, 0x59, 0x35, 0xce,
27981 -+ 0x75, 0xfe, 0x38, 0xef, 0xb8, 0x91, 0x43, 0x8c,
27982 -+ 0xcf, 0x70, 0xdd, 0x0a, 0x68, 0xbf, 0xd4, 0xbc,
27983 -+ 0x16, 0x76, 0x99, 0x36, 0x1e, 0x58, 0x79, 0x5e,
27984 -+ 0xd4, 0x29, 0xf7, 0x33, 0x93, 0x48, 0xdb, 0x5f,
27985 -+ 0x01, 0xae, 0x9c, 0xb6, 0xe4, 0x88, 0x6d, 0x2b,
27986 -+ 0x76, 0x75, 0xe0, 0xf3, 0x74, 0xe2, 0xc9
27987 -+};
27988 -+static const u8 dec_nonce013[] __initconst = {
27989 -+ 0x05, 0xa3, 0x93, 0xed, 0x30, 0xc5, 0xa2, 0x06
27990 -+};
27991 -+static const u8 dec_key013[] __initconst = {
27992 -+ 0xb3, 0x35, 0x50, 0x03, 0x54, 0x2e, 0x40, 0x5e,
27993 -+ 0x8f, 0x59, 0x8e, 0xc5, 0x90, 0xd5, 0x27, 0x2d,
27994 -+ 0xba, 0x29, 0x2e, 0xcb, 0x1b, 0x70, 0x44, 0x1e,
27995 -+ 0x65, 0x91, 0x6e, 0x2a, 0x79, 0x22, 0xda, 0x64
27996 -+};
27997 -+
27998 -+static const struct chacha20poly1305_testvec
27999 -+chacha20poly1305_dec_vectors[] __initconst = {
28000 -+ { dec_input001, dec_output001, dec_assoc001, dec_nonce001, dec_key001,
28001 -+ sizeof(dec_input001), sizeof(dec_assoc001), sizeof(dec_nonce001) },
28002 -+ { dec_input002, dec_output002, dec_assoc002, dec_nonce002, dec_key002,
28003 -+ sizeof(dec_input002), sizeof(dec_assoc002), sizeof(dec_nonce002) },
28004 -+ { dec_input003, dec_output003, dec_assoc003, dec_nonce003, dec_key003,
28005 -+ sizeof(dec_input003), sizeof(dec_assoc003), sizeof(dec_nonce003) },
28006 -+ { dec_input004, dec_output004, dec_assoc004, dec_nonce004, dec_key004,
28007 -+ sizeof(dec_input004), sizeof(dec_assoc004), sizeof(dec_nonce004) },
28008 -+ { dec_input005, dec_output005, dec_assoc005, dec_nonce005, dec_key005,
28009 -+ sizeof(dec_input005), sizeof(dec_assoc005), sizeof(dec_nonce005) },
28010 -+ { dec_input006, dec_output006, dec_assoc006, dec_nonce006, dec_key006,
28011 -+ sizeof(dec_input006), sizeof(dec_assoc006), sizeof(dec_nonce006) },
28012 -+ { dec_input007, dec_output007, dec_assoc007, dec_nonce007, dec_key007,
28013 -+ sizeof(dec_input007), sizeof(dec_assoc007), sizeof(dec_nonce007) },
28014 -+ { dec_input008, dec_output008, dec_assoc008, dec_nonce008, dec_key008,
28015 -+ sizeof(dec_input008), sizeof(dec_assoc008), sizeof(dec_nonce008) },
28016 -+ { dec_input009, dec_output009, dec_assoc009, dec_nonce009, dec_key009,
28017 -+ sizeof(dec_input009), sizeof(dec_assoc009), sizeof(dec_nonce009) },
28018 -+ { dec_input010, dec_output010, dec_assoc010, dec_nonce010, dec_key010,
28019 -+ sizeof(dec_input010), sizeof(dec_assoc010), sizeof(dec_nonce010) },
28020 -+ { dec_input011, dec_output011, dec_assoc011, dec_nonce011, dec_key011,
28021 -+ sizeof(dec_input011), sizeof(dec_assoc011), sizeof(dec_nonce011) },
28022 -+ { dec_input012, dec_output012, dec_assoc012, dec_nonce012, dec_key012,
28023 -+ sizeof(dec_input012), sizeof(dec_assoc012), sizeof(dec_nonce012) },
28024 -+ { dec_input013, dec_output013, dec_assoc013, dec_nonce013, dec_key013,
28025 -+ sizeof(dec_input013), sizeof(dec_assoc013), sizeof(dec_nonce013),
28026 -+ true }
28027 -+};
28028 -+
28029 -+static const u8 xenc_input001[] __initconst = {
28030 -+ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
28031 -+ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
28032 -+ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
28033 -+ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28034 -+ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
28035 -+ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
28036 -+ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
28037 -+ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
28038 -+ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
28039 -+ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
28040 -+ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
28041 -+ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
28042 -+ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
28043 -+ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
28044 -+ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
28045 -+ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28046 -+ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
28047 -+ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
28048 -+ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
28049 -+ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
28050 -+ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
28051 -+ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
28052 -+ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
28053 -+ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
28054 -+ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
28055 -+ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
28056 -+ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
28057 -+ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
28058 -+ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
28059 -+ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
28060 -+ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
28061 -+ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
28062 -+ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
28063 -+ 0x9d
28064 -+};
28065 -+static const u8 xenc_output001[] __initconst = {
28066 -+ 0x1a, 0x6e, 0x3a, 0xd9, 0xfd, 0x41, 0x3f, 0x77,
28067 -+ 0x54, 0x72, 0x0a, 0x70, 0x9a, 0xa0, 0x29, 0x92,
28068 -+ 0x2e, 0xed, 0x93, 0xcf, 0x0f, 0x71, 0x88, 0x18,
28069 -+ 0x7a, 0x9d, 0x2d, 0x24, 0xe0, 0xf5, 0xea, 0x3d,
28070 -+ 0x55, 0x64, 0xd7, 0xad, 0x2a, 0x1a, 0x1f, 0x7e,
28071 -+ 0x86, 0x6d, 0xb0, 0xce, 0x80, 0x41, 0x72, 0x86,
28072 -+ 0x26, 0xee, 0x84, 0xd7, 0xef, 0x82, 0x9e, 0xe2,
28073 -+ 0x60, 0x9d, 0x5a, 0xfc, 0xf0, 0xe4, 0x19, 0x85,
28074 -+ 0xea, 0x09, 0xc6, 0xfb, 0xb3, 0xa9, 0x50, 0x09,
28075 -+ 0xec, 0x5e, 0x11, 0x90, 0xa1, 0xc5, 0x4e, 0x49,
28076 -+ 0xef, 0x50, 0xd8, 0x8f, 0xe0, 0x78, 0xd7, 0xfd,
28077 -+ 0xb9, 0x3b, 0xc9, 0xf2, 0x91, 0xc8, 0x25, 0xc8,
28078 -+ 0xa7, 0x63, 0x60, 0xce, 0x10, 0xcd, 0xc6, 0x7f,
28079 -+ 0xf8, 0x16, 0xf8, 0xe1, 0x0a, 0xd9, 0xde, 0x79,
28080 -+ 0x50, 0x33, 0xf2, 0x16, 0x0f, 0x17, 0xba, 0xb8,
28081 -+ 0x5d, 0xd8, 0xdf, 0x4e, 0x51, 0xa8, 0x39, 0xd0,
28082 -+ 0x85, 0xca, 0x46, 0x6a, 0x10, 0xa7, 0xa3, 0x88,
28083 -+ 0xef, 0x79, 0xb9, 0xf8, 0x24, 0xf3, 0xe0, 0x71,
28084 -+ 0x7b, 0x76, 0x28, 0x46, 0x3a, 0x3a, 0x1b, 0x91,
28085 -+ 0xb6, 0xd4, 0x3e, 0x23, 0xe5, 0x44, 0x15, 0xbf,
28086 -+ 0x60, 0x43, 0x9d, 0xa4, 0xbb, 0xd5, 0x5f, 0x89,
28087 -+ 0xeb, 0xef, 0x8e, 0xfd, 0xdd, 0xb4, 0x0d, 0x46,
28088 -+ 0xf0, 0x69, 0x23, 0x63, 0xae, 0x94, 0xf5, 0x5e,
28089 -+ 0xa5, 0xad, 0x13, 0x1c, 0x41, 0x76, 0xe6, 0x90,
28090 -+ 0xd6, 0x6d, 0xa2, 0x8f, 0x97, 0x4c, 0xa8, 0x0b,
28091 -+ 0xcf, 0x8d, 0x43, 0x2b, 0x9c, 0x9b, 0xc5, 0x58,
28092 -+ 0xa5, 0xb6, 0x95, 0x9a, 0xbf, 0x81, 0xc6, 0x54,
28093 -+ 0xc9, 0x66, 0x0c, 0xe5, 0x4f, 0x6a, 0x53, 0xa1,
28094 -+ 0xe5, 0x0c, 0xba, 0x31, 0xde, 0x34, 0x64, 0x73,
28095 -+ 0x8a, 0x3b, 0xbd, 0x92, 0x01, 0xdb, 0x71, 0x69,
28096 -+ 0xf3, 0x58, 0x99, 0xbc, 0xd1, 0xcb, 0x4a, 0x05,
28097 -+ 0xe2, 0x58, 0x9c, 0x25, 0x17, 0xcd, 0xdc, 0x83,
28098 -+ 0xb7, 0xff, 0xfb, 0x09, 0x61, 0xad, 0xbf, 0x13,
28099 -+ 0x5b, 0x5e, 0xed, 0x46, 0x82, 0x6f, 0x22, 0xd8,
28100 -+ 0x93, 0xa6, 0x85, 0x5b, 0x40, 0x39, 0x5c, 0xc5,
28101 -+ 0x9c
28102 -+};
28103 -+static const u8 xenc_assoc001[] __initconst = {
28104 -+ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
28105 -+ 0x00, 0x00, 0x4e, 0x91
28106 -+};
28107 -+static const u8 xenc_nonce001[] __initconst = {
28108 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
28109 -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
28110 -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
28111 -+};
28112 -+static const u8 xenc_key001[] __initconst = {
28113 -+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
28114 -+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
28115 -+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
28116 -+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
28117 -+};
28118 -+
28119 -+static const struct chacha20poly1305_testvec
28120 -+xchacha20poly1305_enc_vectors[] __initconst = {
28121 -+ { xenc_input001, xenc_output001, xenc_assoc001, xenc_nonce001, xenc_key001,
28122 -+ sizeof(xenc_input001), sizeof(xenc_assoc001), sizeof(xenc_nonce001) }
28123 -+};
28124 -+
28125 -+static const u8 xdec_input001[] __initconst = {
28126 -+ 0x1a, 0x6e, 0x3a, 0xd9, 0xfd, 0x41, 0x3f, 0x77,
28127 -+ 0x54, 0x72, 0x0a, 0x70, 0x9a, 0xa0, 0x29, 0x92,
28128 -+ 0x2e, 0xed, 0x93, 0xcf, 0x0f, 0x71, 0x88, 0x18,
28129 -+ 0x7a, 0x9d, 0x2d, 0x24, 0xe0, 0xf5, 0xea, 0x3d,
28130 -+ 0x55, 0x64, 0xd7, 0xad, 0x2a, 0x1a, 0x1f, 0x7e,
28131 -+ 0x86, 0x6d, 0xb0, 0xce, 0x80, 0x41, 0x72, 0x86,
28132 -+ 0x26, 0xee, 0x84, 0xd7, 0xef, 0x82, 0x9e, 0xe2,
28133 -+ 0x60, 0x9d, 0x5a, 0xfc, 0xf0, 0xe4, 0x19, 0x85,
28134 -+ 0xea, 0x09, 0xc6, 0xfb, 0xb3, 0xa9, 0x50, 0x09,
28135 -+ 0xec, 0x5e, 0x11, 0x90, 0xa1, 0xc5, 0x4e, 0x49,
28136 -+ 0xef, 0x50, 0xd8, 0x8f, 0xe0, 0x78, 0xd7, 0xfd,
28137 -+ 0xb9, 0x3b, 0xc9, 0xf2, 0x91, 0xc8, 0x25, 0xc8,
28138 -+ 0xa7, 0x63, 0x60, 0xce, 0x10, 0xcd, 0xc6, 0x7f,
28139 -+ 0xf8, 0x16, 0xf8, 0xe1, 0x0a, 0xd9, 0xde, 0x79,
28140 -+ 0x50, 0x33, 0xf2, 0x16, 0x0f, 0x17, 0xba, 0xb8,
28141 -+ 0x5d, 0xd8, 0xdf, 0x4e, 0x51, 0xa8, 0x39, 0xd0,
28142 -+ 0x85, 0xca, 0x46, 0x6a, 0x10, 0xa7, 0xa3, 0x88,
28143 -+ 0xef, 0x79, 0xb9, 0xf8, 0x24, 0xf3, 0xe0, 0x71,
28144 -+ 0x7b, 0x76, 0x28, 0x46, 0x3a, 0x3a, 0x1b, 0x91,
28145 -+ 0xb6, 0xd4, 0x3e, 0x23, 0xe5, 0x44, 0x15, 0xbf,
28146 -+ 0x60, 0x43, 0x9d, 0xa4, 0xbb, 0xd5, 0x5f, 0x89,
28147 -+ 0xeb, 0xef, 0x8e, 0xfd, 0xdd, 0xb4, 0x0d, 0x46,
28148 -+ 0xf0, 0x69, 0x23, 0x63, 0xae, 0x94, 0xf5, 0x5e,
28149 -+ 0xa5, 0xad, 0x13, 0x1c, 0x41, 0x76, 0xe6, 0x90,
28150 -+ 0xd6, 0x6d, 0xa2, 0x8f, 0x97, 0x4c, 0xa8, 0x0b,
28151 -+ 0xcf, 0x8d, 0x43, 0x2b, 0x9c, 0x9b, 0xc5, 0x58,
28152 -+ 0xa5, 0xb6, 0x95, 0x9a, 0xbf, 0x81, 0xc6, 0x54,
28153 -+ 0xc9, 0x66, 0x0c, 0xe5, 0x4f, 0x6a, 0x53, 0xa1,
28154 -+ 0xe5, 0x0c, 0xba, 0x31, 0xde, 0x34, 0x64, 0x73,
28155 -+ 0x8a, 0x3b, 0xbd, 0x92, 0x01, 0xdb, 0x71, 0x69,
28156 -+ 0xf3, 0x58, 0x99, 0xbc, 0xd1, 0xcb, 0x4a, 0x05,
28157 -+ 0xe2, 0x58, 0x9c, 0x25, 0x17, 0xcd, 0xdc, 0x83,
28158 -+ 0xb7, 0xff, 0xfb, 0x09, 0x61, 0xad, 0xbf, 0x13,
28159 -+ 0x5b, 0x5e, 0xed, 0x46, 0x82, 0x6f, 0x22, 0xd8,
28160 -+ 0x93, 0xa6, 0x85, 0x5b, 0x40, 0x39, 0x5c, 0xc5,
28161 -+ 0x9c
28162 -+};
28163 -+static const u8 xdec_output001[] __initconst = {
28164 -+ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
28165 -+ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
28166 -+ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
28167 -+ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28168 -+ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
28169 -+ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
28170 -+ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
28171 -+ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
28172 -+ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
28173 -+ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
28174 -+ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
28175 -+ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
28176 -+ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
28177 -+ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
28178 -+ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
28179 -+ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28180 -+ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
28181 -+ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
28182 -+ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
28183 -+ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
28184 -+ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
28185 -+ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
28186 -+ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
28187 -+ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
28188 -+ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
28189 -+ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
28190 -+ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
28191 -+ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
28192 -+ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
28193 -+ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
28194 -+ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
28195 -+ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
28196 -+ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
28197 -+ 0x9d
28198 -+};
28199 -+static const u8 xdec_assoc001[] __initconst = {
28200 -+ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
28201 -+ 0x00, 0x00, 0x4e, 0x91
28202 -+};
28203 -+static const u8 xdec_nonce001[] __initconst = {
28204 -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
28205 -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
28206 -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
28207 -+};
28208 -+static const u8 xdec_key001[] __initconst = {
28209 -+ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
28210 -+ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
28211 -+ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
28212 -+ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
28213 -+};
28214 -+
28215 -+static const struct chacha20poly1305_testvec
28216 -+xchacha20poly1305_dec_vectors[] __initconst = {
28217 -+ { xdec_input001, xdec_output001, xdec_assoc001, xdec_nonce001, xdec_key001,
28218 -+ sizeof(xdec_input001), sizeof(xdec_assoc001), sizeof(xdec_nonce001) }
28219 -+};
28220 -+
28221 -+/* This is for the selftests-only, since it is only useful for the purpose of
28222 -+ * testing the underlying primitives and interactions.
28223 -+ */
28224 -+static void __init
28225 -+chacha20poly1305_encrypt_bignonce(u8 *dst, const u8 *src, const size_t src_len,
28226 -+ const u8 *ad, const size_t ad_len,
28227 -+ const u8 nonce[12],
28228 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28229 -+{
28230 -+ const u8 *pad0 = page_address(ZERO_PAGE(0));
28231 -+ struct poly1305_desc_ctx poly1305_state;
28232 -+ u32 chacha20_state[CHACHA_STATE_WORDS];
28233 -+ union {
28234 -+ u8 block0[POLY1305_KEY_SIZE];
28235 -+ __le64 lens[2];
28236 -+ } b = {{ 0 }};
28237 -+ u8 bottom_row[16] = { 0 };
28238 -+ u32 le_key[8];
28239 -+ int i;
28240 -+
28241 -+ memcpy(&bottom_row[4], nonce, 12);
28242 -+ for (i = 0; i < 8; ++i)
28243 -+ le_key[i] = get_unaligned_le32(key + sizeof(le_key[i]) * i);
28244 -+ chacha_init(chacha20_state, le_key, bottom_row);
28245 -+ chacha20_crypt(chacha20_state, b.block0, b.block0, sizeof(b.block0));
28246 -+ poly1305_init(&poly1305_state, b.block0);
28247 -+ poly1305_update(&poly1305_state, ad, ad_len);
28248 -+ poly1305_update(&poly1305_state, pad0, (0x10 - ad_len) & 0xf);
28249 -+ chacha20_crypt(chacha20_state, dst, src, src_len);
28250 -+ poly1305_update(&poly1305_state, dst, src_len);
28251 -+ poly1305_update(&poly1305_state, pad0, (0x10 - src_len) & 0xf);
28252 -+ b.lens[0] = cpu_to_le64(ad_len);
28253 -+ b.lens[1] = cpu_to_le64(src_len);
28254 -+ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28255 -+ poly1305_final(&poly1305_state, dst + src_len);
28256 -+}
28257 -+
28258 -+static void __init
28259 -+chacha20poly1305_selftest_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28260 -+ const u8 *ad, const size_t ad_len,
28261 -+ const u8 *nonce, const size_t nonce_len,
28262 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28263 -+{
28264 -+ if (nonce_len == 8)
28265 -+ chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
28266 -+ get_unaligned_le64(nonce), key);
28267 -+ else if (nonce_len == 12)
28268 -+ chacha20poly1305_encrypt_bignonce(dst, src, src_len, ad,
28269 -+ ad_len, nonce, key);
28270 -+ else
28271 -+ BUG();
28272 -+}
28273 -+
28274 -+static bool __init
28275 -+decryption_success(bool func_ret, bool expect_failure, int memcmp_result)
28276 -+{
28277 -+ if (expect_failure)
28278 -+ return !func_ret;
28279 -+ return func_ret && !memcmp_result;
28280 -+}
28281 -+
28282 -+bool __init chacha20poly1305_selftest(void)
28283 -+{
28284 -+ enum { MAXIMUM_TEST_BUFFER_LEN = 1UL << 12 };
28285 -+ size_t i, j, k, total_len;
28286 -+ u8 *computed_output = NULL, *input = NULL;
28287 -+ bool success = true, ret;
28288 -+ struct scatterlist sg_src[3];
28289 -+
28290 -+ computed_output = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL);
28291 -+ input = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL);
28292 -+ if (!computed_output || !input) {
28293 -+ pr_err("chacha20poly1305 self-test malloc: FAIL\n");
28294 -+ success = false;
28295 -+ goto out;
28296 -+ }
28297 -+
28298 -+ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_enc_vectors); ++i) {
28299 -+ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28300 -+ chacha20poly1305_selftest_encrypt(computed_output,
28301 -+ chacha20poly1305_enc_vectors[i].input,
28302 -+ chacha20poly1305_enc_vectors[i].ilen,
28303 -+ chacha20poly1305_enc_vectors[i].assoc,
28304 -+ chacha20poly1305_enc_vectors[i].alen,
28305 -+ chacha20poly1305_enc_vectors[i].nonce,
28306 -+ chacha20poly1305_enc_vectors[i].nlen,
28307 -+ chacha20poly1305_enc_vectors[i].key);
28308 -+ if (memcmp(computed_output,
28309 -+ chacha20poly1305_enc_vectors[i].output,
28310 -+ chacha20poly1305_enc_vectors[i].ilen +
28311 -+ POLY1305_DIGEST_SIZE)) {
28312 -+ pr_err("chacha20poly1305 encryption self-test %zu: FAIL\n",
28313 -+ i + 1);
28314 -+ success = false;
28315 -+ }
28316 -+ }
28317 -+
28318 -+ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_enc_vectors); ++i) {
28319 -+ if (chacha20poly1305_enc_vectors[i].nlen != 8)
28320 -+ continue;
28321 -+ memcpy(computed_output, chacha20poly1305_enc_vectors[i].input,
28322 -+ chacha20poly1305_enc_vectors[i].ilen);
28323 -+ sg_init_one(sg_src, computed_output,
28324 -+ chacha20poly1305_enc_vectors[i].ilen + POLY1305_DIGEST_SIZE);
28325 -+ ret = chacha20poly1305_encrypt_sg_inplace(sg_src,
28326 -+ chacha20poly1305_enc_vectors[i].ilen,
28327 -+ chacha20poly1305_enc_vectors[i].assoc,
28328 -+ chacha20poly1305_enc_vectors[i].alen,
28329 -+ get_unaligned_le64(chacha20poly1305_enc_vectors[i].nonce),
28330 -+ chacha20poly1305_enc_vectors[i].key);
28331 -+ if (!ret || memcmp(computed_output,
28332 -+ chacha20poly1305_enc_vectors[i].output,
28333 -+ chacha20poly1305_enc_vectors[i].ilen +
28334 -+ POLY1305_DIGEST_SIZE)) {
28335 -+ pr_err("chacha20poly1305 sg encryption self-test %zu: FAIL\n",
28336 -+ i + 1);
28337 -+ success = false;
28338 -+ }
28339 -+ }
28340 -+
28341 -+ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_dec_vectors); ++i) {
28342 -+ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28343 -+ ret = chacha20poly1305_decrypt(computed_output,
28344 -+ chacha20poly1305_dec_vectors[i].input,
28345 -+ chacha20poly1305_dec_vectors[i].ilen,
28346 -+ chacha20poly1305_dec_vectors[i].assoc,
28347 -+ chacha20poly1305_dec_vectors[i].alen,
28348 -+ get_unaligned_le64(chacha20poly1305_dec_vectors[i].nonce),
28349 -+ chacha20poly1305_dec_vectors[i].key);
28350 -+ if (!decryption_success(ret,
28351 -+ chacha20poly1305_dec_vectors[i].failure,
28352 -+ memcmp(computed_output,
28353 -+ chacha20poly1305_dec_vectors[i].output,
28354 -+ chacha20poly1305_dec_vectors[i].ilen -
28355 -+ POLY1305_DIGEST_SIZE))) {
28356 -+ pr_err("chacha20poly1305 decryption self-test %zu: FAIL\n",
28357 -+ i + 1);
28358 -+ success = false;
28359 -+ }
28360 -+ }
28361 -+
28362 -+ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_dec_vectors); ++i) {
28363 -+ memcpy(computed_output, chacha20poly1305_dec_vectors[i].input,
28364 -+ chacha20poly1305_dec_vectors[i].ilen);
28365 -+ sg_init_one(sg_src, computed_output,
28366 -+ chacha20poly1305_dec_vectors[i].ilen);
28367 -+ ret = chacha20poly1305_decrypt_sg_inplace(sg_src,
28368 -+ chacha20poly1305_dec_vectors[i].ilen,
28369 -+ chacha20poly1305_dec_vectors[i].assoc,
28370 -+ chacha20poly1305_dec_vectors[i].alen,
28371 -+ get_unaligned_le64(chacha20poly1305_dec_vectors[i].nonce),
28372 -+ chacha20poly1305_dec_vectors[i].key);
28373 -+ if (!decryption_success(ret,
28374 -+ chacha20poly1305_dec_vectors[i].failure,
28375 -+ memcmp(computed_output, chacha20poly1305_dec_vectors[i].output,
28376 -+ chacha20poly1305_dec_vectors[i].ilen -
28377 -+ POLY1305_DIGEST_SIZE))) {
28378 -+ pr_err("chacha20poly1305 sg decryption self-test %zu: FAIL\n",
28379 -+ i + 1);
28380 -+ success = false;
28381 -+ }
28382 -+ }
28383 -+
28384 -+ for (i = 0; i < ARRAY_SIZE(xchacha20poly1305_enc_vectors); ++i) {
28385 -+ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28386 -+ xchacha20poly1305_encrypt(computed_output,
28387 -+ xchacha20poly1305_enc_vectors[i].input,
28388 -+ xchacha20poly1305_enc_vectors[i].ilen,
28389 -+ xchacha20poly1305_enc_vectors[i].assoc,
28390 -+ xchacha20poly1305_enc_vectors[i].alen,
28391 -+ xchacha20poly1305_enc_vectors[i].nonce,
28392 -+ xchacha20poly1305_enc_vectors[i].key);
28393 -+ if (memcmp(computed_output,
28394 -+ xchacha20poly1305_enc_vectors[i].output,
28395 -+ xchacha20poly1305_enc_vectors[i].ilen +
28396 -+ POLY1305_DIGEST_SIZE)) {
28397 -+ pr_err("xchacha20poly1305 encryption self-test %zu: FAIL\n",
28398 -+ i + 1);
28399 -+ success = false;
28400 -+ }
28401 -+ }
28402 -+
28403 -+ for (i = 0; i < ARRAY_SIZE(xchacha20poly1305_dec_vectors); ++i) {
28404 -+ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28405 -+ ret = xchacha20poly1305_decrypt(computed_output,
28406 -+ xchacha20poly1305_dec_vectors[i].input,
28407 -+ xchacha20poly1305_dec_vectors[i].ilen,
28408 -+ xchacha20poly1305_dec_vectors[i].assoc,
28409 -+ xchacha20poly1305_dec_vectors[i].alen,
28410 -+ xchacha20poly1305_dec_vectors[i].nonce,
28411 -+ xchacha20poly1305_dec_vectors[i].key);
28412 -+ if (!decryption_success(ret,
28413 -+ xchacha20poly1305_dec_vectors[i].failure,
28414 -+ memcmp(computed_output,
28415 -+ xchacha20poly1305_dec_vectors[i].output,
28416 -+ xchacha20poly1305_dec_vectors[i].ilen -
28417 -+ POLY1305_DIGEST_SIZE))) {
28418 -+ pr_err("xchacha20poly1305 decryption self-test %zu: FAIL\n",
28419 -+ i + 1);
28420 -+ success = false;
28421 -+ }
28422 -+ }
28423 -+
28424 -+ for (total_len = POLY1305_DIGEST_SIZE; IS_ENABLED(DEBUG_CHACHA20POLY1305_SLOW_CHUNK_TEST)
28425 -+ && total_len <= 1 << 10; ++total_len) {
28426 -+ for (i = 0; i <= total_len; ++i) {
28427 -+ for (j = i; j <= total_len; ++j) {
28428 -+ k = 0;
28429 -+ sg_init_table(sg_src, 3);
28430 -+ if (i)
28431 -+ sg_set_buf(&sg_src[k++], input, i);
28432 -+ if (j - i)
28433 -+ sg_set_buf(&sg_src[k++], input + i, j - i);
28434 -+ if (total_len - j)
28435 -+ sg_set_buf(&sg_src[k++], input + j, total_len - j);
28436 -+ sg_init_marker(sg_src, k);
28437 -+ memset(computed_output, 0, total_len);
28438 -+ memset(input, 0, total_len);
28439 -+
28440 -+ if (!chacha20poly1305_encrypt_sg_inplace(sg_src,
28441 -+ total_len - POLY1305_DIGEST_SIZE, NULL, 0,
28442 -+ 0, enc_key001))
28443 -+ goto chunkfail;
28444 -+ chacha20poly1305_encrypt(computed_output,
28445 -+ computed_output,
28446 -+ total_len - POLY1305_DIGEST_SIZE, NULL, 0, 0,
28447 -+ enc_key001);
28448 -+ if (memcmp(computed_output, input, total_len))
28449 -+ goto chunkfail;
28450 -+ if (!chacha20poly1305_decrypt(computed_output,
28451 -+ input, total_len, NULL, 0, 0, enc_key001))
28452 -+ goto chunkfail;
28453 -+ for (k = 0; k < total_len - POLY1305_DIGEST_SIZE; ++k) {
28454 -+ if (computed_output[k])
28455 -+ goto chunkfail;
28456 -+ }
28457 -+ if (!chacha20poly1305_decrypt_sg_inplace(sg_src,
28458 -+ total_len, NULL, 0, 0, enc_key001))
28459 -+ goto chunkfail;
28460 -+ for (k = 0; k < total_len - POLY1305_DIGEST_SIZE; ++k) {
28461 -+ if (input[k])
28462 -+ goto chunkfail;
28463 -+ }
28464 -+ continue;
28465 -+
28466 -+ chunkfail:
28467 -+ pr_err("chacha20poly1305 chunked self-test %zu/%zu/%zu: FAIL\n",
28468 -+ total_len, i, j);
28469 -+ success = false;
28470 -+ }
28471 -+
28472 -+ }
28473 -+ }
28474 -+
28475 -+out:
28476 -+ kfree(computed_output);
28477 -+ kfree(input);
28478 -+ return success;
28479 -+}
28480 ---- b/lib/crypto/chacha20poly1305.c
28481 -+++ b/lib/crypto/chacha20poly1305.c
28482 -@@ -0,0 +1,370 @@
28483 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
28484 -+/*
28485 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
28486 -+ *
28487 -+ * This is an implementation of the ChaCha20Poly1305 AEAD construction.
28488 -+ *
28489 -+ * Information: https://tools.ietf.org/html/rfc8439
28490 -+ */
28491 -+
28492 -+#include <crypto/algapi.h>
28493 -+#include <crypto/chacha20poly1305.h>
28494 -+#include <crypto/chacha.h>
28495 -+#include <crypto/poly1305.h>
28496 -+#include <crypto/scatterwalk.h>
28497 -+
28498 -+#include <asm/unaligned.h>
28499 -+#include <linux/kernel.h>
28500 -+#include <linux/init.h>
28501 -+#include <linux/mm.h>
28502 -+#include <linux/module.h>
28503 -+
28504 -+#define CHACHA_KEY_WORDS (CHACHA_KEY_SIZE / sizeof(u32))
28505 -+
28506 -+static void chacha_load_key(u32 *k, const u8 *in)
28507 -+{
28508 -+ k[0] = get_unaligned_le32(in);
28509 -+ k[1] = get_unaligned_le32(in + 4);
28510 -+ k[2] = get_unaligned_le32(in + 8);
28511 -+ k[3] = get_unaligned_le32(in + 12);
28512 -+ k[4] = get_unaligned_le32(in + 16);
28513 -+ k[5] = get_unaligned_le32(in + 20);
28514 -+ k[6] = get_unaligned_le32(in + 24);
28515 -+ k[7] = get_unaligned_le32(in + 28);
28516 -+}
28517 -+
28518 -+static void xchacha_init(u32 *chacha_state, const u8 *key, const u8 *nonce)
28519 -+{
28520 -+ u32 k[CHACHA_KEY_WORDS];
28521 -+ u8 iv[CHACHA_IV_SIZE];
28522 -+
28523 -+ memset(iv, 0, 8);
28524 -+ memcpy(iv + 8, nonce + 16, 8);
28525 -+
28526 -+ chacha_load_key(k, key);
28527 -+
28528 -+ /* Compute the subkey given the original key and first 128 nonce bits */
28529 -+ chacha_init(chacha_state, k, nonce);
28530 -+ hchacha_block(chacha_state, k, 20);
28531 -+
28532 -+ chacha_init(chacha_state, k, iv);
28533 -+
28534 -+ memzero_explicit(k, sizeof(k));
28535 -+ memzero_explicit(iv, sizeof(iv));
28536 -+}
28537 -+
28538 -+static void
28539 -+__chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28540 -+ const u8 *ad, const size_t ad_len, u32 *chacha_state)
28541 -+{
28542 -+ const u8 *pad0 = page_address(ZERO_PAGE(0));
28543 -+ struct poly1305_desc_ctx poly1305_state;
28544 -+ union {
28545 -+ u8 block0[POLY1305_KEY_SIZE];
28546 -+ __le64 lens[2];
28547 -+ } b;
28548 -+
28549 -+ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
28550 -+ poly1305_init(&poly1305_state, b.block0);
28551 -+
28552 -+ poly1305_update(&poly1305_state, ad, ad_len);
28553 -+ if (ad_len & 0xf)
28554 -+ poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
28555 -+
28556 -+ chacha20_crypt(chacha_state, dst, src, src_len);
28557 -+
28558 -+ poly1305_update(&poly1305_state, dst, src_len);
28559 -+ if (src_len & 0xf)
28560 -+ poly1305_update(&poly1305_state, pad0, 0x10 - (src_len & 0xf));
28561 -+
28562 -+ b.lens[0] = cpu_to_le64(ad_len);
28563 -+ b.lens[1] = cpu_to_le64(src_len);
28564 -+ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28565 -+
28566 -+ poly1305_final(&poly1305_state, dst + src_len);
28567 -+
28568 -+ memzero_explicit(chacha_state, CHACHA_STATE_WORDS * sizeof(u32));
28569 -+ memzero_explicit(&b, sizeof(b));
28570 -+}
28571 -+
28572 -+void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28573 -+ const u8 *ad, const size_t ad_len,
28574 -+ const u64 nonce,
28575 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28576 -+{
28577 -+ u32 chacha_state[CHACHA_STATE_WORDS];
28578 -+ u32 k[CHACHA_KEY_WORDS];
28579 -+ __le64 iv[2];
28580 -+
28581 -+ chacha_load_key(k, key);
28582 -+
28583 -+ iv[0] = 0;
28584 -+ iv[1] = cpu_to_le64(nonce);
28585 -+
28586 -+ chacha_init(chacha_state, k, (u8 *)iv);
28587 -+ __chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
28588 -+
28589 -+ memzero_explicit(iv, sizeof(iv));
28590 -+ memzero_explicit(k, sizeof(k));
28591 -+}
28592 -+EXPORT_SYMBOL(chacha20poly1305_encrypt);
28593 -+
28594 -+void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28595 -+ const u8 *ad, const size_t ad_len,
28596 -+ const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
28597 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28598 -+{
28599 -+ u32 chacha_state[CHACHA_STATE_WORDS];
28600 -+
28601 -+ xchacha_init(chacha_state, key, nonce);
28602 -+ __chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
28603 -+}
28604 -+EXPORT_SYMBOL(xchacha20poly1305_encrypt);
28605 -+
28606 -+static bool
28607 -+__chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
28608 -+ const u8 *ad, const size_t ad_len, u32 *chacha_state)
28609 -+{
28610 -+ const u8 *pad0 = page_address(ZERO_PAGE(0));
28611 -+ struct poly1305_desc_ctx poly1305_state;
28612 -+ size_t dst_len;
28613 -+ int ret;
28614 -+ union {
28615 -+ u8 block0[POLY1305_KEY_SIZE];
28616 -+ u8 mac[POLY1305_DIGEST_SIZE];
28617 -+ __le64 lens[2];
28618 -+ } b;
28619 -+
28620 -+ if (unlikely(src_len < POLY1305_DIGEST_SIZE))
28621 -+ return false;
28622 -+
28623 -+ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
28624 -+ poly1305_init(&poly1305_state, b.block0);
28625 -+
28626 -+ poly1305_update(&poly1305_state, ad, ad_len);
28627 -+ if (ad_len & 0xf)
28628 -+ poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
28629 -+
28630 -+ dst_len = src_len - POLY1305_DIGEST_SIZE;
28631 -+ poly1305_update(&poly1305_state, src, dst_len);
28632 -+ if (dst_len & 0xf)
28633 -+ poly1305_update(&poly1305_state, pad0, 0x10 - (dst_len & 0xf));
28634 -+
28635 -+ b.lens[0] = cpu_to_le64(ad_len);
28636 -+ b.lens[1] = cpu_to_le64(dst_len);
28637 -+ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28638 -+
28639 -+ poly1305_final(&poly1305_state, b.mac);
28640 -+
28641 -+ ret = crypto_memneq(b.mac, src + dst_len, POLY1305_DIGEST_SIZE);
28642 -+ if (likely(!ret))
28643 -+ chacha20_crypt(chacha_state, dst, src, dst_len);
28644 -+
28645 -+ memzero_explicit(&b, sizeof(b));
28646 -+
28647 -+ return !ret;
28648 -+}
28649 -+
28650 -+bool chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
28651 -+ const u8 *ad, const size_t ad_len,
28652 -+ const u64 nonce,
28653 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28654 -+{
28655 -+ u32 chacha_state[CHACHA_STATE_WORDS];
28656 -+ u32 k[CHACHA_KEY_WORDS];
28657 -+ __le64 iv[2];
28658 -+ bool ret;
28659 -+
28660 -+ chacha_load_key(k, key);
28661 -+
28662 -+ iv[0] = 0;
28663 -+ iv[1] = cpu_to_le64(nonce);
28664 -+
28665 -+ chacha_init(chacha_state, k, (u8 *)iv);
28666 -+ ret = __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
28667 -+ chacha_state);
28668 -+
28669 -+ memzero_explicit(chacha_state, sizeof(chacha_state));
28670 -+ memzero_explicit(iv, sizeof(iv));
28671 -+ memzero_explicit(k, sizeof(k));
28672 -+ return ret;
28673 -+}
28674 -+EXPORT_SYMBOL(chacha20poly1305_decrypt);
28675 -+
28676 -+bool xchacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
28677 -+ const u8 *ad, const size_t ad_len,
28678 -+ const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
28679 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28680 -+{
28681 -+ u32 chacha_state[CHACHA_STATE_WORDS];
28682 -+
28683 -+ xchacha_init(chacha_state, key, nonce);
28684 -+ return __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
28685 -+ chacha_state);
28686 -+}
28687 -+EXPORT_SYMBOL(xchacha20poly1305_decrypt);
28688 -+
28689 -+static
28690 -+bool chacha20poly1305_crypt_sg_inplace(struct scatterlist *src,
28691 -+ const size_t src_len,
28692 -+ const u8 *ad, const size_t ad_len,
28693 -+ const u64 nonce,
28694 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE],
28695 -+ int encrypt)
28696 -+{
28697 -+ const u8 *pad0 = page_address(ZERO_PAGE(0));
28698 -+ struct poly1305_desc_ctx poly1305_state;
28699 -+ u32 chacha_state[CHACHA_STATE_WORDS];
28700 -+ struct sg_mapping_iter miter;
28701 -+ size_t partial = 0;
28702 -+ unsigned int flags;
28703 -+ bool ret = true;
28704 -+ int sl;
28705 -+ union {
28706 -+ struct {
28707 -+ u32 k[CHACHA_KEY_WORDS];
28708 -+ __le64 iv[2];
28709 -+ };
28710 -+ u8 block0[POLY1305_KEY_SIZE];
28711 -+ u8 chacha_stream[CHACHA_BLOCK_SIZE];
28712 -+ struct {
28713 -+ u8 mac[2][POLY1305_DIGEST_SIZE];
28714 -+ };
28715 -+ __le64 lens[2];
28716 -+ } b __aligned(16);
28717 -+
28718 -+ if (WARN_ON(src_len > INT_MAX))
28719 -+ return false;
28720 -+
28721 -+ chacha_load_key(b.k, key);
28722 -+
28723 -+ b.iv[0] = 0;
28724 -+ b.iv[1] = cpu_to_le64(nonce);
28725 -+
28726 -+ chacha_init(chacha_state, b.k, (u8 *)b.iv);
28727 -+ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
28728 -+ poly1305_init(&poly1305_state, b.block0);
28729 -+
28730 -+ if (unlikely(ad_len)) {
28731 -+ poly1305_update(&poly1305_state, ad, ad_len);
28732 -+ if (ad_len & 0xf)
28733 -+ poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
28734 -+ }
28735 -+
28736 -+ flags = SG_MITER_TO_SG;
28737 -+ if (!preemptible())
28738 -+ flags |= SG_MITER_ATOMIC;
28739 -+
28740 -+ sg_miter_start(&miter, src, sg_nents(src), flags);
28741 -+
28742 -+ for (sl = src_len; sl > 0 && sg_miter_next(&miter); sl -= miter.length) {
28743 -+ u8 *addr = miter.addr;
28744 -+ size_t length = min_t(size_t, sl, miter.length);
28745 -+
28746 -+ if (!encrypt)
28747 -+ poly1305_update(&poly1305_state, addr, length);
28748 -+
28749 -+ if (unlikely(partial)) {
28750 -+ size_t l = min(length, CHACHA_BLOCK_SIZE - partial);
28751 -+
28752 -+ crypto_xor(addr, b.chacha_stream + partial, l);
28753 -+ partial = (partial + l) & (CHACHA_BLOCK_SIZE - 1);
28754 -+
28755 -+ addr += l;
28756 -+ length -= l;
28757 -+ }
28758 -+
28759 -+ if (likely(length >= CHACHA_BLOCK_SIZE || length == sl)) {
28760 -+ size_t l = length;
28761 -+
28762 -+ if (unlikely(length < sl))
28763 -+ l &= ~(CHACHA_BLOCK_SIZE - 1);
28764 -+ chacha20_crypt(chacha_state, addr, addr, l);
28765 -+ addr += l;
28766 -+ length -= l;
28767 -+ }
28768 -+
28769 -+ if (unlikely(length > 0)) {
28770 -+ chacha20_crypt(chacha_state, b.chacha_stream, pad0,
28771 -+ CHACHA_BLOCK_SIZE);
28772 -+ crypto_xor(addr, b.chacha_stream, length);
28773 -+ partial = length;
28774 -+ }
28775 -+
28776 -+ if (encrypt)
28777 -+ poly1305_update(&poly1305_state, miter.addr,
28778 -+ min_t(size_t, sl, miter.length));
28779 -+ }
28780 -+
28781 -+ if (src_len & 0xf)
28782 -+ poly1305_update(&poly1305_state, pad0, 0x10 - (src_len & 0xf));
28783 -+
28784 -+ b.lens[0] = cpu_to_le64(ad_len);
28785 -+ b.lens[1] = cpu_to_le64(src_len);
28786 -+ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28787 -+
28788 -+ if (likely(sl <= -POLY1305_DIGEST_SIZE)) {
28789 -+ if (encrypt) {
28790 -+ poly1305_final(&poly1305_state,
28791 -+ miter.addr + miter.length + sl);
28792 -+ ret = true;
28793 -+ } else {
28794 -+ poly1305_final(&poly1305_state, b.mac[0]);
28795 -+ ret = !crypto_memneq(b.mac[0],
28796 -+ miter.addr + miter.length + sl,
28797 -+ POLY1305_DIGEST_SIZE);
28798 -+ }
28799 -+ }
28800 -+
28801 -+ sg_miter_stop(&miter);
28802 -+
28803 -+ if (unlikely(sl > -POLY1305_DIGEST_SIZE)) {
28804 -+ poly1305_final(&poly1305_state, b.mac[1]);
28805 -+ scatterwalk_map_and_copy(b.mac[encrypt], src, src_len,
28806 -+ sizeof(b.mac[1]), encrypt);
28807 -+ ret = encrypt ||
28808 -+ !crypto_memneq(b.mac[0], b.mac[1], POLY1305_DIGEST_SIZE);
28809 -+ }
28810 -+
28811 -+ memzero_explicit(chacha_state, sizeof(chacha_state));
28812 -+ memzero_explicit(&b, sizeof(b));
28813 -+
28814 -+ return ret;
28815 -+}
28816 -+
28817 -+bool chacha20poly1305_encrypt_sg_inplace(struct scatterlist *src, size_t src_len,
28818 -+ const u8 *ad, const size_t ad_len,
28819 -+ const u64 nonce,
28820 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28821 -+{
28822 -+ return chacha20poly1305_crypt_sg_inplace(src, src_len, ad, ad_len,
28823 -+ nonce, key, 1);
28824 -+}
28825 -+EXPORT_SYMBOL(chacha20poly1305_encrypt_sg_inplace);
28826 -+
28827 -+bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, size_t src_len,
28828 -+ const u8 *ad, const size_t ad_len,
28829 -+ const u64 nonce,
28830 -+ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28831 -+{
28832 -+ if (unlikely(src_len < POLY1305_DIGEST_SIZE))
28833 -+ return false;
28834 -+
28835 -+ return chacha20poly1305_crypt_sg_inplace(src,
28836 -+ src_len - POLY1305_DIGEST_SIZE,
28837 -+ ad, ad_len, nonce, key, 0);
28838 -+}
28839 -+EXPORT_SYMBOL(chacha20poly1305_decrypt_sg_inplace);
28840 -+
28841 -+static int __init mod_init(void)
28842 -+{
28843 -+ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
28844 -+ WARN_ON(!chacha20poly1305_selftest()))
28845 -+ return -ENODEV;
28846 -+ return 0;
28847 -+}
28848 -+
28849 -+module_init(mod_init);
28850 -+MODULE_LICENSE("GPL v2");
28851 -+MODULE_DESCRIPTION("ChaCha20Poly1305 AEAD construction");
28852 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
28853 ---- /dev/null
28854 -+++ b/lib/crypto/curve25519-selftest.c
28855 -@@ -0,0 +1,1321 @@
28856 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
28857 -+/*
28858 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
28859 -+ */
28860 -+
28861 -+#include <crypto/curve25519.h>
28862 -+
28863 -+struct curve25519_test_vector {
28864 -+ u8 private[CURVE25519_KEY_SIZE];
28865 -+ u8 public[CURVE25519_KEY_SIZE];
28866 -+ u8 result[CURVE25519_KEY_SIZE];
28867 -+ bool valid;
28868 -+};
28869 -+static const struct curve25519_test_vector curve25519_test_vectors[] __initconst = {
28870 -+ {
28871 -+ .private = { 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d,
28872 -+ 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45,
28873 -+ 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a,
28874 -+ 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a },
28875 -+ .public = { 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4,
28876 -+ 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37,
28877 -+ 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d,
28878 -+ 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f },
28879 -+ .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
28880 -+ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
28881 -+ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
28882 -+ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
28883 -+ .valid = true
28884 -+ },
28885 -+ {
28886 -+ .private = { 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b,
28887 -+ 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6,
28888 -+ 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd,
28889 -+ 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb },
28890 -+ .public = { 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
28891 -+ 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
28892 -+ 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
28893 -+ 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a },
28894 -+ .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
28895 -+ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
28896 -+ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
28897 -+ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
28898 -+ .valid = true
28899 -+ },
28900 -+ {
28901 -+ .private = { 1 },
28902 -+ .public = { 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28903 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28904 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28905 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
28906 -+ .result = { 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64,
28907 -+ 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d,
28908 -+ 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98,
28909 -+ 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f },
28910 -+ .valid = true
28911 -+ },
28912 -+ {
28913 -+ .private = { 1 },
28914 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28915 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28916 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28917 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
28918 -+ .result = { 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f,
28919 -+ 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d,
28920 -+ 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3,
28921 -+ 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 },
28922 -+ .valid = true
28923 -+ },
28924 -+ {
28925 -+ .private = { 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
28926 -+ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
28927 -+ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
28928 -+ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 },
28929 -+ .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
28930 -+ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
28931 -+ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
28932 -+ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
28933 -+ .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
28934 -+ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
28935 -+ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
28936 -+ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
28937 -+ .valid = true
28938 -+ },
28939 -+ {
28940 -+ .private = { 1, 2, 3, 4 },
28941 -+ .public = { 0 },
28942 -+ .result = { 0 },
28943 -+ .valid = false
28944 -+ },
28945 -+ {
28946 -+ .private = { 2, 4, 6, 8 },
28947 -+ .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
28948 -+ 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
28949 -+ 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
28950 -+ 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8 },
28951 -+ .result = { 0 },
28952 -+ .valid = false
28953 -+ },
28954 -+ {
28955 -+ .private = { 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff,
28956 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28957 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28958 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
28959 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28960 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28961 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28962 -+ 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f },
28963 -+ .result = { 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2,
28964 -+ 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57,
28965 -+ 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05,
28966 -+ 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 },
28967 -+ .valid = true
28968 -+ },
28969 -+ {
28970 -+ .private = { 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28971 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28972 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28973 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
28974 -+ .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28975 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28976 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28977 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 },
28978 -+ .result = { 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d,
28979 -+ 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12,
28980 -+ 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99,
28981 -+ 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c },
28982 -+ .valid = true
28983 -+ },
28984 -+ /* wycheproof - normal case */
28985 -+ {
28986 -+ .private = { 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda,
28987 -+ 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66,
28988 -+ 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3,
28989 -+ 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba },
28990 -+ .public = { 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5,
28991 -+ 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9,
28992 -+ 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e,
28993 -+ 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a },
28994 -+ .result = { 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5,
28995 -+ 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38,
28996 -+ 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e,
28997 -+ 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 },
28998 -+ .valid = true
28999 -+ },
29000 -+ /* wycheproof - public key on twist */
29001 -+ {
29002 -+ .private = { 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4,
29003 -+ 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5,
29004 -+ 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49,
29005 -+ 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 },
29006 -+ .public = { 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5,
29007 -+ 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8,
29008 -+ 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3,
29009 -+ 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 },
29010 -+ .result = { 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff,
29011 -+ 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d,
29012 -+ 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe,
29013 -+ 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 },
29014 -+ .valid = true
29015 -+ },
29016 -+ /* wycheproof - public key on twist */
29017 -+ {
29018 -+ .private = { 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9,
29019 -+ 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39,
29020 -+ 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5,
29021 -+ 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 },
29022 -+ .public = { 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f,
29023 -+ 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b,
29024 -+ 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c,
29025 -+ 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 },
29026 -+ .result = { 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53,
29027 -+ 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57,
29028 -+ 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0,
29029 -+ 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b },
29030 -+ .valid = true
29031 -+ },
29032 -+ /* wycheproof - public key on twist */
29033 -+ {
29034 -+ .private = { 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc,
29035 -+ 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d,
29036 -+ 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67,
29037 -+ 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c },
29038 -+ .public = { 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97,
29039 -+ 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f,
29040 -+ 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45,
29041 -+ 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a },
29042 -+ .result = { 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93,
29043 -+ 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2,
29044 -+ 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44,
29045 -+ 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a },
29046 -+ .valid = true
29047 -+ },
29048 -+ /* wycheproof - public key on twist */
29049 -+ {
29050 -+ .private = { 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1,
29051 -+ 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95,
29052 -+ 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99,
29053 -+ 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d },
29054 -+ .public = { 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27,
29055 -+ 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07,
29056 -+ 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae,
29057 -+ 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c },
29058 -+ .result = { 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73,
29059 -+ 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2,
29060 -+ 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f,
29061 -+ 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 },
29062 -+ .valid = true
29063 -+ },
29064 -+ /* wycheproof - public key on twist */
29065 -+ {
29066 -+ .private = { 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9,
29067 -+ 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd,
29068 -+ 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b,
29069 -+ 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 },
29070 -+ .public = { 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5,
29071 -+ 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52,
29072 -+ 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8,
29073 -+ 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 },
29074 -+ .result = { 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86,
29075 -+ 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4,
29076 -+ 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6,
29077 -+ 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 },
29078 -+ .valid = true
29079 -+ },
29080 -+ /* wycheproof - public key = 0 */
29081 -+ {
29082 -+ .private = { 0x20, 0x74, 0x94, 0x03, 0x8f, 0x2b, 0xb8, 0x11,
29083 -+ 0xd4, 0x78, 0x05, 0xbc, 0xdf, 0x04, 0xa2, 0xac,
29084 -+ 0x58, 0x5a, 0xda, 0x7f, 0x2f, 0x23, 0x38, 0x9b,
29085 -+ 0xfd, 0x46, 0x58, 0xf9, 0xdd, 0xd4, 0xde, 0xbc },
29086 -+ .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29087 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29088 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29089 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29090 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29091 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29092 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29093 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29094 -+ .valid = false
29095 -+ },
29096 -+ /* wycheproof - public key = 1 */
29097 -+ {
29098 -+ .private = { 0x20, 0x2e, 0x89, 0x72, 0xb6, 0x1c, 0x7e, 0x61,
29099 -+ 0x93, 0x0e, 0xb9, 0x45, 0x0b, 0x50, 0x70, 0xea,
29100 -+ 0xe1, 0xc6, 0x70, 0x47, 0x56, 0x85, 0x54, 0x1f,
29101 -+ 0x04, 0x76, 0x21, 0x7e, 0x48, 0x18, 0xcf, 0xab },
29102 -+ .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29103 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29104 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29105 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29106 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29107 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29108 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29109 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29110 -+ .valid = false
29111 -+ },
29112 -+ /* wycheproof - edge case on twist */
29113 -+ {
29114 -+ .private = { 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04,
29115 -+ 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77,
29116 -+ 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90,
29117 -+ 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 },
29118 -+ .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29119 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29120 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29121 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29122 -+ .result = { 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97,
29123 -+ 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9,
29124 -+ 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7,
29125 -+ 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 },
29126 -+ .valid = true
29127 -+ },
29128 -+ /* wycheproof - edge case on twist */
29129 -+ {
29130 -+ .private = { 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36,
29131 -+ 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd,
29132 -+ 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c,
29133 -+ 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 },
29134 -+ .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29135 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29136 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29137 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29138 -+ .result = { 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e,
29139 -+ 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b,
29140 -+ 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e,
29141 -+ 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 },
29142 -+ .valid = true
29143 -+ },
29144 -+ /* wycheproof - edge case on twist */
29145 -+ {
29146 -+ .private = { 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed,
29147 -+ 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e,
29148 -+ 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd,
29149 -+ 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 },
29150 -+ .public = { 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff,
29151 -+ 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff,
29152 -+ 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00,
29153 -+ 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 },
29154 -+ .result = { 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f,
29155 -+ 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1,
29156 -+ 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10,
29157 -+ 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b },
29158 -+ .valid = true
29159 -+ },
29160 -+ /* wycheproof - edge case on twist */
29161 -+ {
29162 -+ .private = { 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3,
29163 -+ 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d,
29164 -+ 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00,
29165 -+ 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 },
29166 -+ .public = { 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00,
29167 -+ 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00,
29168 -+ 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff,
29169 -+ 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f },
29170 -+ .result = { 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8,
29171 -+ 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4,
29172 -+ 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70,
29173 -+ 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b },
29174 -+ .valid = true
29175 -+ },
29176 -+ /* wycheproof - edge case on twist */
29177 -+ {
29178 -+ .private = { 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3,
29179 -+ 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a,
29180 -+ 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e,
29181 -+ 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 },
29182 -+ .public = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
29183 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
29184 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
29185 -+ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f },
29186 -+ .result = { 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57,
29187 -+ 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c,
29188 -+ 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59,
29189 -+ 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 },
29190 -+ .valid = true
29191 -+ },
29192 -+ /* wycheproof - edge case on twist */
29193 -+ {
29194 -+ .private = { 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f,
29195 -+ 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42,
29196 -+ 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9,
29197 -+ 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 },
29198 -+ .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29199 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29200 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29201 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29202 -+ .result = { 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c,
29203 -+ 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5,
29204 -+ 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65,
29205 -+ 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 },
29206 -+ .valid = true
29207 -+ },
29208 -+ /* wycheproof - edge case for public key */
29209 -+ {
29210 -+ .private = { 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6,
29211 -+ 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4,
29212 -+ 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8,
29213 -+ 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe },
29214 -+ .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29215 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29216 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29217 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29218 -+ .result = { 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7,
29219 -+ 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca,
29220 -+ 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f,
29221 -+ 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 },
29222 -+ .valid = true
29223 -+ },
29224 -+ /* wycheproof - edge case for public key */
29225 -+ {
29226 -+ .private = { 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa,
29227 -+ 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3,
29228 -+ 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52,
29229 -+ 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 },
29230 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
29231 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
29232 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
29233 -+ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 },
29234 -+ .result = { 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3,
29235 -+ 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e,
29236 -+ 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75,
29237 -+ 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f },
29238 -+ .valid = true
29239 -+ },
29240 -+ /* wycheproof - edge case for public key */
29241 -+ {
29242 -+ .private = { 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26,
29243 -+ 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea,
29244 -+ 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00,
29245 -+ 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 },
29246 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29247 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29248 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29249 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
29250 -+ .result = { 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8,
29251 -+ 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32,
29252 -+ 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87,
29253 -+ 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d },
29254 -+ .valid = true
29255 -+ },
29256 -+ /* wycheproof - edge case for public key */
29257 -+ {
29258 -+ .private = { 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c,
29259 -+ 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6,
29260 -+ 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb,
29261 -+ 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 },
29262 -+ .public = { 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff,
29263 -+ 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff,
29264 -+ 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff,
29265 -+ 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f },
29266 -+ .result = { 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85,
29267 -+ 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f,
29268 -+ 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0,
29269 -+ 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d },
29270 -+ .valid = true
29271 -+ },
29272 -+ /* wycheproof - edge case for public key */
29273 -+ {
29274 -+ .private = { 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38,
29275 -+ 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b,
29276 -+ 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c,
29277 -+ 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb },
29278 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29279 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29280 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29281 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29282 -+ .result = { 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b,
29283 -+ 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81,
29284 -+ 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3,
29285 -+ 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d },
29286 -+ .valid = true
29287 -+ },
29288 -+ /* wycheproof - edge case for public key */
29289 -+ {
29290 -+ .private = { 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d,
29291 -+ 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42,
29292 -+ 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98,
29293 -+ 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 },
29294 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
29295 -+ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
29296 -+ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
29297 -+ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f },
29298 -+ .result = { 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c,
29299 -+ 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9,
29300 -+ 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89,
29301 -+ 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 },
29302 -+ .valid = true
29303 -+ },
29304 -+ /* wycheproof - edge case for public key */
29305 -+ {
29306 -+ .private = { 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29,
29307 -+ 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6,
29308 -+ 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c,
29309 -+ 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f },
29310 -+ .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29311 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29312 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29313 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29314 -+ .result = { 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75,
29315 -+ 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89,
29316 -+ 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c,
29317 -+ 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f },
29318 -+ .valid = true
29319 -+ },
29320 -+ /* wycheproof - public key with low order */
29321 -+ {
29322 -+ .private = { 0x10, 0x25, 0x5c, 0x92, 0x30, 0xa9, 0x7a, 0x30,
29323 -+ 0xa4, 0x58, 0xca, 0x28, 0x4a, 0x62, 0x96, 0x69,
29324 -+ 0x29, 0x3a, 0x31, 0x89, 0x0c, 0xda, 0x9d, 0x14,
29325 -+ 0x7f, 0xeb, 0xc7, 0xd1, 0xe2, 0x2d, 0x6b, 0xb1 },
29326 -+ .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
29327 -+ 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
29328 -+ 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
29329 -+ 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
29330 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29331 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29332 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29333 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29334 -+ .valid = false
29335 -+ },
29336 -+ /* wycheproof - public key with low order */
29337 -+ {
29338 -+ .private = { 0x78, 0xf1, 0xe8, 0xed, 0xf1, 0x44, 0x81, 0xb3,
29339 -+ 0x89, 0x44, 0x8d, 0xac, 0x8f, 0x59, 0xc7, 0x0b,
29340 -+ 0x03, 0x8e, 0x7c, 0xf9, 0x2e, 0xf2, 0xc7, 0xef,
29341 -+ 0xf5, 0x7a, 0x72, 0x46, 0x6e, 0x11, 0x52, 0x96 },
29342 -+ .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24,
29343 -+ 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
29344 -+ 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86,
29345 -+ 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
29346 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29347 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29348 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29349 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29350 -+ .valid = false
29351 -+ },
29352 -+ /* wycheproof - public key with low order */
29353 -+ {
29354 -+ .private = { 0xa0, 0xa0, 0x5a, 0x3e, 0x8f, 0x9f, 0x44, 0x20,
29355 -+ 0x4d, 0x5f, 0x80, 0x59, 0xa9, 0x4a, 0xc7, 0xdf,
29356 -+ 0xc3, 0x9a, 0x49, 0xac, 0x01, 0x6d, 0xd7, 0x43,
29357 -+ 0xdb, 0xfa, 0x43, 0xc5, 0xd6, 0x71, 0xfd, 0x88 },
29358 -+ .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29359 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29360 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29361 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29362 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29363 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29364 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29365 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29366 -+ .valid = false
29367 -+ },
29368 -+ /* wycheproof - public key with low order */
29369 -+ {
29370 -+ .private = { 0xd0, 0xdb, 0xb3, 0xed, 0x19, 0x06, 0x66, 0x3f,
29371 -+ 0x15, 0x42, 0x0a, 0xf3, 0x1f, 0x4e, 0xaf, 0x65,
29372 -+ 0x09, 0xd9, 0xa9, 0x94, 0x97, 0x23, 0x50, 0x06,
29373 -+ 0x05, 0xad, 0x7c, 0x1c, 0x6e, 0x74, 0x50, 0xa9 },
29374 -+ .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29375 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29376 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29377 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29378 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29379 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29380 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29381 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29382 -+ .valid = false
29383 -+ },
29384 -+ /* wycheproof - public key with low order */
29385 -+ {
29386 -+ .private = { 0xc0, 0xb1, 0xd0, 0xeb, 0x22, 0xb2, 0x44, 0xfe,
29387 -+ 0x32, 0x91, 0x14, 0x00, 0x72, 0xcd, 0xd9, 0xd9,
29388 -+ 0x89, 0xb5, 0xf0, 0xec, 0xd9, 0x6c, 0x10, 0x0f,
29389 -+ 0xeb, 0x5b, 0xca, 0x24, 0x1c, 0x1d, 0x9f, 0x8f },
29390 -+ .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29391 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29392 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29393 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29394 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29395 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29396 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29397 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29398 -+ .valid = false
29399 -+ },
29400 -+ /* wycheproof - public key with low order */
29401 -+ {
29402 -+ .private = { 0x48, 0x0b, 0xf4, 0x5f, 0x59, 0x49, 0x42, 0xa8,
29403 -+ 0xbc, 0x0f, 0x33, 0x53, 0xc6, 0xe8, 0xb8, 0x85,
29404 -+ 0x3d, 0x77, 0xf3, 0x51, 0xf1, 0xc2, 0xca, 0x6c,
29405 -+ 0x2d, 0x1a, 0xbf, 0x8a, 0x00, 0xb4, 0x22, 0x9c },
29406 -+ .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29407 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29408 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29409 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29410 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29411 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29412 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29413 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29414 -+ .valid = false
29415 -+ },
29416 -+ /* wycheproof - public key with low order */
29417 -+ {
29418 -+ .private = { 0x30, 0xf9, 0x93, 0xfc, 0xf8, 0x51, 0x4f, 0xc8,
29419 -+ 0x9b, 0xd8, 0xdb, 0x14, 0xcd, 0x43, 0xba, 0x0d,
29420 -+ 0x4b, 0x25, 0x30, 0xe7, 0x3c, 0x42, 0x76, 0xa0,
29421 -+ 0x5e, 0x1b, 0x14, 0x5d, 0x42, 0x0c, 0xed, 0xb4 },
29422 -+ .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29423 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29424 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29425 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29426 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29427 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29428 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29429 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29430 -+ .valid = false
29431 -+ },
29432 -+ /* wycheproof - public key with low order */
29433 -+ {
29434 -+ .private = { 0xc0, 0x49, 0x74, 0xb7, 0x58, 0x38, 0x0e, 0x2a,
29435 -+ 0x5b, 0x5d, 0xf6, 0xeb, 0x09, 0xbb, 0x2f, 0x6b,
29436 -+ 0x34, 0x34, 0xf9, 0x82, 0x72, 0x2a, 0x8e, 0x67,
29437 -+ 0x6d, 0x3d, 0xa2, 0x51, 0xd1, 0xb3, 0xde, 0x83 },
29438 -+ .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
29439 -+ 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
29440 -+ 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
29441 -+ 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
29442 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29443 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29444 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29445 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29446 -+ .valid = false
29447 -+ },
29448 -+ /* wycheproof - public key with low order */
29449 -+ {
29450 -+ .private = { 0x50, 0x2a, 0x31, 0x37, 0x3d, 0xb3, 0x24, 0x46,
29451 -+ 0x84, 0x2f, 0xe5, 0xad, 0xd3, 0xe0, 0x24, 0x02,
29452 -+ 0x2e, 0xa5, 0x4f, 0x27, 0x41, 0x82, 0xaf, 0xc3,
29453 -+ 0xd9, 0xf1, 0xbb, 0x3d, 0x39, 0x53, 0x4e, 0xb5 },
29454 -+ .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24,
29455 -+ 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
29456 -+ 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86,
29457 -+ 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
29458 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29459 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29460 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29461 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29462 -+ .valid = false
29463 -+ },
29464 -+ /* wycheproof - public key with low order */
29465 -+ {
29466 -+ .private = { 0x90, 0xfa, 0x64, 0x17, 0xb0, 0xe3, 0x70, 0x30,
29467 -+ 0xfd, 0x6e, 0x43, 0xef, 0xf2, 0xab, 0xae, 0xf1,
29468 -+ 0x4c, 0x67, 0x93, 0x11, 0x7a, 0x03, 0x9c, 0xf6,
29469 -+ 0x21, 0x31, 0x8b, 0xa9, 0x0f, 0x4e, 0x98, 0xbe },
29470 -+ .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29471 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29472 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29473 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29474 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29475 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29476 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29477 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29478 -+ .valid = false
29479 -+ },
29480 -+ /* wycheproof - public key with low order */
29481 -+ {
29482 -+ .private = { 0x78, 0xad, 0x3f, 0x26, 0x02, 0x7f, 0x1c, 0x9f,
29483 -+ 0xdd, 0x97, 0x5a, 0x16, 0x13, 0xb9, 0x47, 0x77,
29484 -+ 0x9b, 0xad, 0x2c, 0xf2, 0xb7, 0x41, 0xad, 0xe0,
29485 -+ 0x18, 0x40, 0x88, 0x5a, 0x30, 0xbb, 0x97, 0x9c },
29486 -+ .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29487 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29488 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29489 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29490 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29491 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29492 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29493 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29494 -+ .valid = false
29495 -+ },
29496 -+ /* wycheproof - public key with low order */
29497 -+ {
29498 -+ .private = { 0x98, 0xe2, 0x3d, 0xe7, 0xb1, 0xe0, 0x92, 0x6e,
29499 -+ 0xd9, 0xc8, 0x7e, 0x7b, 0x14, 0xba, 0xf5, 0x5f,
29500 -+ 0x49, 0x7a, 0x1d, 0x70, 0x96, 0xf9, 0x39, 0x77,
29501 -+ 0x68, 0x0e, 0x44, 0xdc, 0x1c, 0x7b, 0x7b, 0x8b },
29502 -+ .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29503 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29504 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29505 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29506 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29507 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29508 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29509 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29510 -+ .valid = false
29511 -+ },
29512 -+ /* wycheproof - public key >= p */
29513 -+ {
29514 -+ .private = { 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc,
29515 -+ 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1,
29516 -+ 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d,
29517 -+ 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae },
29518 -+ .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29519 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29520 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29521 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29522 -+ .result = { 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09,
29523 -+ 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde,
29524 -+ 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1,
29525 -+ 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b },
29526 -+ .valid = true
29527 -+ },
29528 -+ /* wycheproof - public key >= p */
29529 -+ {
29530 -+ .private = { 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81,
29531 -+ 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a,
29532 -+ 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99,
29533 -+ 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d },
29534 -+ .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29535 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29536 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29537 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29538 -+ .result = { 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17,
29539 -+ 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35,
29540 -+ 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55,
29541 -+ 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c },
29542 -+ .valid = true
29543 -+ },
29544 -+ /* wycheproof - public key >= p */
29545 -+ {
29546 -+ .private = { 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11,
29547 -+ 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b,
29548 -+ 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9,
29549 -+ 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 },
29550 -+ .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29551 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29552 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29553 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29554 -+ .result = { 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53,
29555 -+ 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e,
29556 -+ 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6,
29557 -+ 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 },
29558 -+ .valid = true
29559 -+ },
29560 -+ /* wycheproof - public key >= p */
29561 -+ {
29562 -+ .private = { 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78,
29563 -+ 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2,
29564 -+ 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd,
29565 -+ 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 },
29566 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29567 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29568 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29569 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29570 -+ .result = { 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb,
29571 -+ 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40,
29572 -+ 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2,
29573 -+ 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d },
29574 -+ .valid = true
29575 -+ },
29576 -+ /* wycheproof - public key >= p */
29577 -+ {
29578 -+ .private = { 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9,
29579 -+ 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60,
29580 -+ 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13,
29581 -+ 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 },
29582 -+ .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29583 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29584 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29585 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29586 -+ .result = { 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c,
29587 -+ 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3,
29588 -+ 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65,
29589 -+ 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c },
29590 -+ .valid = true
29591 -+ },
29592 -+ /* wycheproof - public key >= p */
29593 -+ {
29594 -+ .private = { 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a,
29595 -+ 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7,
29596 -+ 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11,
29597 -+ 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e },
29598 -+ .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29599 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29600 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29601 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29602 -+ .result = { 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82,
29603 -+ 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4,
29604 -+ 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c,
29605 -+ 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 },
29606 -+ .valid = true
29607 -+ },
29608 -+ /* wycheproof - public key >= p */
29609 -+ {
29610 -+ .private = { 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e,
29611 -+ 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a,
29612 -+ 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d,
29613 -+ 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f },
29614 -+ .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29615 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29616 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29617 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29618 -+ .result = { 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2,
29619 -+ 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60,
29620 -+ 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25,
29621 -+ 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 },
29622 -+ .valid = true
29623 -+ },
29624 -+ /* wycheproof - public key >= p */
29625 -+ {
29626 -+ .private = { 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb,
29627 -+ 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97,
29628 -+ 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c,
29629 -+ 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 },
29630 -+ .public = { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29631 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29632 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29633 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29634 -+ .result = { 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23,
29635 -+ 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8,
29636 -+ 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69,
29637 -+ 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f },
29638 -+ .valid = true
29639 -+ },
29640 -+ /* wycheproof - public key >= p */
29641 -+ {
29642 -+ .private = { 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a,
29643 -+ 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23,
29644 -+ 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b,
29645 -+ 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 },
29646 -+ .public = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29647 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29648 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29649 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29650 -+ .result = { 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b,
29651 -+ 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44,
29652 -+ 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37,
29653 -+ 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 },
29654 -+ .valid = true
29655 -+ },
29656 -+ /* wycheproof - public key >= p */
29657 -+ {
29658 -+ .private = { 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80,
29659 -+ 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d,
29660 -+ 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b,
29661 -+ 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 },
29662 -+ .public = { 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29663 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29664 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29665 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29666 -+ .result = { 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63,
29667 -+ 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae,
29668 -+ 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f,
29669 -+ 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 },
29670 -+ .valid = true
29671 -+ },
29672 -+ /* wycheproof - public key >= p */
29673 -+ {
29674 -+ .private = { 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0,
29675 -+ 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd,
29676 -+ 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49,
29677 -+ 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 },
29678 -+ .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29679 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29680 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29681 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29682 -+ .result = { 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41,
29683 -+ 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0,
29684 -+ 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf,
29685 -+ 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e },
29686 -+ .valid = true
29687 -+ },
29688 -+ /* wycheproof - public key >= p */
29689 -+ {
29690 -+ .private = { 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9,
29691 -+ 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa,
29692 -+ 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5,
29693 -+ 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e },
29694 -+ .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29695 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29696 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29697 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29698 -+ .result = { 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47,
29699 -+ 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3,
29700 -+ 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b,
29701 -+ 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 },
29702 -+ .valid = true
29703 -+ },
29704 -+ /* wycheproof - public key >= p */
29705 -+ {
29706 -+ .private = { 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8,
29707 -+ 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98,
29708 -+ 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0,
29709 -+ 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 },
29710 -+ .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29711 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29712 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29713 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29714 -+ .result = { 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0,
29715 -+ 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1,
29716 -+ 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a,
29717 -+ 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 },
29718 -+ .valid = true
29719 -+ },
29720 -+ /* wycheproof - public key >= p */
29721 -+ {
29722 -+ .private = { 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02,
29723 -+ 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4,
29724 -+ 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68,
29725 -+ 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d },
29726 -+ .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29727 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29728 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29729 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29730 -+ .result = { 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f,
29731 -+ 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2,
29732 -+ 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95,
29733 -+ 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 },
29734 -+ .valid = true
29735 -+ },
29736 -+ /* wycheproof - public key >= p */
29737 -+ {
29738 -+ .private = { 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7,
29739 -+ 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06,
29740 -+ 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9,
29741 -+ 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 },
29742 -+ .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29743 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29744 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29745 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29746 -+ .result = { 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5,
29747 -+ 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0,
29748 -+ 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80,
29749 -+ 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 },
29750 -+ .valid = true
29751 -+ },
29752 -+ /* wycheproof - public key >= p */
29753 -+ {
29754 -+ .private = { 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd,
29755 -+ 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4,
29756 -+ 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04,
29757 -+ 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 },
29758 -+ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29759 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29760 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29761 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29762 -+ .result = { 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0,
29763 -+ 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac,
29764 -+ 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48,
29765 -+ 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 },
29766 -+ .valid = true
29767 -+ },
29768 -+ /* wycheproof - RFC 7748 */
29769 -+ {
29770 -+ .private = { 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
29771 -+ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
29772 -+ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
29773 -+ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 },
29774 -+ .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
29775 -+ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
29776 -+ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
29777 -+ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
29778 -+ .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
29779 -+ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
29780 -+ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
29781 -+ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
29782 -+ .valid = true
29783 -+ },
29784 -+ /* wycheproof - RFC 7748 */
29785 -+ {
29786 -+ .private = { 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c,
29787 -+ 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5,
29788 -+ 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4,
29789 -+ 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d },
29790 -+ .public = { 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3,
29791 -+ 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c,
29792 -+ 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e,
29793 -+ 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 },
29794 -+ .result = { 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d,
29795 -+ 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8,
29796 -+ 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52,
29797 -+ 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 },
29798 -+ .valid = true
29799 -+ },
29800 -+ /* wycheproof - edge case for shared secret */
29801 -+ {
29802 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29803 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29804 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29805 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29806 -+ .public = { 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde,
29807 -+ 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8,
29808 -+ 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4,
29809 -+ 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 },
29810 -+ .result = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29811 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29812 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29813 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29814 -+ .valid = true
29815 -+ },
29816 -+ /* wycheproof - edge case for shared secret */
29817 -+ {
29818 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29819 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29820 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29821 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29822 -+ .public = { 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d,
29823 -+ 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64,
29824 -+ 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd,
29825 -+ 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 },
29826 -+ .result = { 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29827 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29828 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29829 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29830 -+ .valid = true
29831 -+ },
29832 -+ /* wycheproof - edge case for shared secret */
29833 -+ {
29834 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29835 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29836 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29837 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29838 -+ .public = { 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8,
29839 -+ 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf,
29840 -+ 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94,
29841 -+ 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d },
29842 -+ .result = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29843 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29844 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29845 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29846 -+ .valid = true
29847 -+ },
29848 -+ /* wycheproof - edge case for shared secret */
29849 -+ {
29850 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29851 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29852 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29853 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29854 -+ .public = { 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84,
29855 -+ 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62,
29856 -+ 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e,
29857 -+ 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 },
29858 -+ .result = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29859 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29860 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29861 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29862 -+ .valid = true
29863 -+ },
29864 -+ /* wycheproof - edge case for shared secret */
29865 -+ {
29866 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29867 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29868 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29869 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29870 -+ .public = { 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8,
29871 -+ 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58,
29872 -+ 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02,
29873 -+ 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 },
29874 -+ .result = { 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29875 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29876 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29877 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29878 -+ .valid = true
29879 -+ },
29880 -+ /* wycheproof - edge case for shared secret */
29881 -+ {
29882 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29883 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29884 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29885 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29886 -+ .public = { 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9,
29887 -+ 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a,
29888 -+ 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44,
29889 -+ 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b },
29890 -+ .result = { 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29891 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29892 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29893 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29894 -+ .valid = true
29895 -+ },
29896 -+ /* wycheproof - edge case for shared secret */
29897 -+ {
29898 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29899 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29900 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29901 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29902 -+ .public = { 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd,
29903 -+ 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22,
29904 -+ 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56,
29905 -+ 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b },
29906 -+ .result = { 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29907 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29908 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29909 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29910 -+ .valid = true
29911 -+ },
29912 -+ /* wycheproof - edge case for shared secret */
29913 -+ {
29914 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29915 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29916 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29917 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29918 -+ .public = { 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53,
29919 -+ 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f,
29920 -+ 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18,
29921 -+ 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f },
29922 -+ .result = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29923 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29924 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29925 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
29926 -+ .valid = true
29927 -+ },
29928 -+ /* wycheproof - edge case for shared secret */
29929 -+ {
29930 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29931 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29932 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29933 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29934 -+ .public = { 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55,
29935 -+ 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b,
29936 -+ 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79,
29937 -+ 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f },
29938 -+ .result = { 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29939 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29940 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29941 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29942 -+ .valid = true
29943 -+ },
29944 -+ /* wycheproof - edge case for shared secret */
29945 -+ {
29946 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29947 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29948 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29949 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29950 -+ .public = { 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39,
29951 -+ 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c,
29952 -+ 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb,
29953 -+ 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e },
29954 -+ .result = { 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29955 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29956 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29957 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29958 -+ .valid = true
29959 -+ },
29960 -+ /* wycheproof - edge case for shared secret */
29961 -+ {
29962 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29963 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29964 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29965 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29966 -+ .public = { 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04,
29967 -+ 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10,
29968 -+ 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58,
29969 -+ 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c },
29970 -+ .result = { 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29971 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29972 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29973 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29974 -+ .valid = true
29975 -+ },
29976 -+ /* wycheproof - edge case for shared secret */
29977 -+ {
29978 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29979 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29980 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29981 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29982 -+ .public = { 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3,
29983 -+ 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c,
29984 -+ 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88,
29985 -+ 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 },
29986 -+ .result = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29987 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29988 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29989 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29990 -+ .valid = true
29991 -+ },
29992 -+ /* wycheproof - edge case for shared secret */
29993 -+ {
29994 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29995 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29996 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29997 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29998 -+ .public = { 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a,
29999 -+ 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49,
30000 -+ 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a,
30001 -+ 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f },
30002 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30003 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30004 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30005 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
30006 -+ .valid = true
30007 -+ },
30008 -+ /* wycheproof - edge case for shared secret */
30009 -+ {
30010 -+ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
30011 -+ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
30012 -+ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
30013 -+ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
30014 -+ .public = { 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca,
30015 -+ 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c,
30016 -+ 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb,
30017 -+ 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 },
30018 -+ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30019 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30020 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30021 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 },
30022 -+ .valid = true
30023 -+ },
30024 -+ /* wycheproof - checking for overflow */
30025 -+ {
30026 -+ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30027 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30028 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30029 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30030 -+ .public = { 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58,
30031 -+ 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7,
30032 -+ 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01,
30033 -+ 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d },
30034 -+ .result = { 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d,
30035 -+ 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27,
30036 -+ 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b,
30037 -+ 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 },
30038 -+ .valid = true
30039 -+ },
30040 -+ /* wycheproof - checking for overflow */
30041 -+ {
30042 -+ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30043 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30044 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30045 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30046 -+ .public = { 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26,
30047 -+ 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2,
30048 -+ 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44,
30049 -+ 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e },
30050 -+ .result = { 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6,
30051 -+ 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d,
30052 -+ 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e,
30053 -+ 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 },
30054 -+ .valid = true
30055 -+ },
30056 -+ /* wycheproof - checking for overflow */
30057 -+ {
30058 -+ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30059 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30060 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30061 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30062 -+ .public = { 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61,
30063 -+ 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67,
30064 -+ 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e,
30065 -+ 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c },
30066 -+ .result = { 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65,
30067 -+ 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce,
30068 -+ 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0,
30069 -+ 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 },
30070 -+ .valid = true
30071 -+ },
30072 -+ /* wycheproof - checking for overflow */
30073 -+ {
30074 -+ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30075 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30076 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30077 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30078 -+ .public = { 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee,
30079 -+ 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d,
30080 -+ 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14,
30081 -+ 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 },
30082 -+ .result = { 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e,
30083 -+ 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc,
30084 -+ 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5,
30085 -+ 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b },
30086 -+ .valid = true
30087 -+ },
30088 -+ /* wycheproof - checking for overflow */
30089 -+ {
30090 -+ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30091 -+ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30092 -+ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30093 -+ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30094 -+ .public = { 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4,
30095 -+ 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5,
30096 -+ 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c,
30097 -+ 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 },
30098 -+ .result = { 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b,
30099 -+ 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93,
30100 -+ 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f,
30101 -+ 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 },
30102 -+ .valid = true
30103 -+ },
30104 -+ /* wycheproof - private key == -1 (mod order) */
30105 -+ {
30106 -+ .private = { 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8,
30107 -+ 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68,
30108 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30109 -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 },
30110 -+ .public = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
30111 -+ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
30112 -+ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
30113 -+ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
30114 -+ .result = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
30115 -+ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
30116 -+ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
30117 -+ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
30118 -+ .valid = true
30119 -+ },
30120 -+ /* wycheproof - private key == 1 (mod order) on twist */
30121 -+ {
30122 -+ .private = { 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef,
30123 -+ 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82,
30124 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
30125 -+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f },
30126 -+ .public = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
30127 -+ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
30128 -+ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
30129 -+ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
30130 -+ .result = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
30131 -+ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
30132 -+ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
30133 -+ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
30134 -+ .valid = true
30135 -+ }
30136 -+};
30137 -+
30138 -+bool __init curve25519_selftest(void)
30139 -+{
30140 -+ bool success = true, ret, ret2;
30141 -+ size_t i = 0, j;
30142 -+ u8 in[CURVE25519_KEY_SIZE];
30143 -+ u8 out[CURVE25519_KEY_SIZE], out2[CURVE25519_KEY_SIZE],
30144 -+ out3[CURVE25519_KEY_SIZE];
30145 -+
30146 -+ for (i = 0; i < ARRAY_SIZE(curve25519_test_vectors); ++i) {
30147 -+ memset(out, 0, CURVE25519_KEY_SIZE);
30148 -+ ret = curve25519(out, curve25519_test_vectors[i].private,
30149 -+ curve25519_test_vectors[i].public);
30150 -+ if (ret != curve25519_test_vectors[i].valid ||
30151 -+ memcmp(out, curve25519_test_vectors[i].result,
30152 -+ CURVE25519_KEY_SIZE)) {
30153 -+ pr_err("curve25519 self-test %zu: FAIL\n", i + 1);
30154 -+ success = false;
30155 -+ }
30156 -+ }
30157 -+
30158 -+ for (i = 0; i < 5; ++i) {
30159 -+ get_random_bytes(in, sizeof(in));
30160 -+ ret = curve25519_generate_public(out, in);
30161 -+ ret2 = curve25519(out2, in, (u8[CURVE25519_KEY_SIZE]){ 9 });
30162 -+ curve25519_generic(out3, in, (u8[CURVE25519_KEY_SIZE]){ 9 });
30163 -+ if (ret != ret2 ||
30164 -+ memcmp(out, out2, CURVE25519_KEY_SIZE) ||
30165 -+ memcmp(out, out3, CURVE25519_KEY_SIZE)) {
30166 -+ pr_err("curve25519 basepoint self-test %zu: FAIL: input - 0x",
30167 -+ i + 1);
30168 -+ for (j = CURVE25519_KEY_SIZE; j-- > 0;)
30169 -+ printk(KERN_CONT "%02x", in[j]);
30170 -+ printk(KERN_CONT "\n");
30171 -+ success = false;
30172 -+ }
30173 -+ }
30174 -+
30175 -+ return success;
30176 -+}
30177 ---- b/arch/x86/crypto/poly1305-avx2-x86_64.S
30178 -+++ /dev/null
30179 -@@ -1,390 +0,0 @@
30180 --/* SPDX-License-Identifier: GPL-2.0-or-later */
30181 --/*
30182 -- * Poly1305 authenticator algorithm, RFC7539, x64 AVX2 functions
30183 -- *
30184 -- * Copyright (C) 2015 Martin Willi
30185 -- */
30186 --
30187 --#include <linux/linkage.h>
30188 --
30189 --.section .rodata.cst32.ANMASK, "aM", @progbits, 32
30190 --.align 32
30191 --ANMASK: .octa 0x0000000003ffffff0000000003ffffff
30192 -- .octa 0x0000000003ffffff0000000003ffffff
30193 --
30194 --.section .rodata.cst32.ORMASK, "aM", @progbits, 32
30195 --.align 32
30196 --ORMASK: .octa 0x00000000010000000000000001000000
30197 -- .octa 0x00000000010000000000000001000000
30198 --
30199 --.text
30200 --
30201 --#define h0 0x00(%rdi)
30202 --#define h1 0x04(%rdi)
30203 --#define h2 0x08(%rdi)
30204 --#define h3 0x0c(%rdi)
30205 --#define h4 0x10(%rdi)
30206 --#define r0 0x00(%rdx)
30207 --#define r1 0x04(%rdx)
30208 --#define r2 0x08(%rdx)
30209 --#define r3 0x0c(%rdx)
30210 --#define r4 0x10(%rdx)
30211 --#define u0 0x00(%r8)
30212 --#define u1 0x04(%r8)
30213 --#define u2 0x08(%r8)
30214 --#define u3 0x0c(%r8)
30215 --#define u4 0x10(%r8)
30216 --#define w0 0x14(%r8)
30217 --#define w1 0x18(%r8)
30218 --#define w2 0x1c(%r8)
30219 --#define w3 0x20(%r8)
30220 --#define w4 0x24(%r8)
30221 --#define y0 0x28(%r8)
30222 --#define y1 0x2c(%r8)
30223 --#define y2 0x30(%r8)
30224 --#define y3 0x34(%r8)
30225 --#define y4 0x38(%r8)
30226 --#define m %rsi
30227 --#define hc0 %ymm0
30228 --#define hc1 %ymm1
30229 --#define hc2 %ymm2
30230 --#define hc3 %ymm3
30231 --#define hc4 %ymm4
30232 --#define hc0x %xmm0
30233 --#define hc1x %xmm1
30234 --#define hc2x %xmm2
30235 --#define hc3x %xmm3
30236 --#define hc4x %xmm4
30237 --#define t1 %ymm5
30238 --#define t2 %ymm6
30239 --#define t1x %xmm5
30240 --#define t2x %xmm6
30241 --#define ruwy0 %ymm7
30242 --#define ruwy1 %ymm8
30243 --#define ruwy2 %ymm9
30244 --#define ruwy3 %ymm10
30245 --#define ruwy4 %ymm11
30246 --#define ruwy0x %xmm7
30247 --#define ruwy1x %xmm8
30248 --#define ruwy2x %xmm9
30249 --#define ruwy3x %xmm10
30250 --#define ruwy4x %xmm11
30251 --#define svxz1 %ymm12
30252 --#define svxz2 %ymm13
30253 --#define svxz3 %ymm14
30254 --#define svxz4 %ymm15
30255 --#define d0 %r9
30256 --#define d1 %r10
30257 --#define d2 %r11
30258 --#define d3 %r12
30259 --#define d4 %r13
30260 --
30261 --ENTRY(poly1305_4block_avx2)
30262 -- # %rdi: Accumulator h[5]
30263 -- # %rsi: 64 byte input block m
30264 -- # %rdx: Poly1305 key r[5]
30265 -- # %rcx: Quadblock count
30266 -- # %r8: Poly1305 derived key r^2 u[5], r^3 w[5], r^4 y[5],
30267 --
30268 -- # This four-block variant uses loop unrolled block processing. It
30269 -- # requires 4 Poly1305 keys: r, r^2, r^3 and r^4:
30270 -- # h = (h + m) * r => h = (h + m1) * r^4 + m2 * r^3 + m3 * r^2 + m4 * r
30271 --
30272 -- vzeroupper
30273 -- push %rbx
30274 -- push %r12
30275 -- push %r13
30276 --
30277 -- # combine r0,u0,w0,y0
30278 -- vmovd y0,ruwy0x
30279 -- vmovd w0,t1x
30280 -- vpunpcklqdq t1,ruwy0,ruwy0
30281 -- vmovd u0,t1x
30282 -- vmovd r0,t2x
30283 -- vpunpcklqdq t2,t1,t1
30284 -- vperm2i128 $0x20,t1,ruwy0,ruwy0
30285 --
30286 -- # combine r1,u1,w1,y1 and s1=r1*5,v1=u1*5,x1=w1*5,z1=y1*5
30287 -- vmovd y1,ruwy1x
30288 -- vmovd w1,t1x
30289 -- vpunpcklqdq t1,ruwy1,ruwy1
30290 -- vmovd u1,t1x
30291 -- vmovd r1,t2x
30292 -- vpunpcklqdq t2,t1,t1
30293 -- vperm2i128 $0x20,t1,ruwy1,ruwy1
30294 -- vpslld $2,ruwy1,svxz1
30295 -- vpaddd ruwy1,svxz1,svxz1
30296 --
30297 -- # combine r2,u2,w2,y2 and s2=r2*5,v2=u2*5,x2=w2*5,z2=y2*5
30298 -- vmovd y2,ruwy2x
30299 -- vmovd w2,t1x
30300 -- vpunpcklqdq t1,ruwy2,ruwy2
30301 -- vmovd u2,t1x
30302 -- vmovd r2,t2x
30303 -- vpunpcklqdq t2,t1,t1
30304 -- vperm2i128 $0x20,t1,ruwy2,ruwy2
30305 -- vpslld $2,ruwy2,svxz2
30306 -- vpaddd ruwy2,svxz2,svxz2
30307 --
30308 -- # combine r3,u3,w3,y3 and s3=r3*5,v3=u3*5,x3=w3*5,z3=y3*5
30309 -- vmovd y3,ruwy3x
30310 -- vmovd w3,t1x
30311 -- vpunpcklqdq t1,ruwy3,ruwy3
30312 -- vmovd u3,t1x
30313 -- vmovd r3,t2x
30314 -- vpunpcklqdq t2,t1,t1
30315 -- vperm2i128 $0x20,t1,ruwy3,ruwy3
30316 -- vpslld $2,ruwy3,svxz3
30317 -- vpaddd ruwy3,svxz3,svxz3
30318 --
30319 -- # combine r4,u4,w4,y4 and s4=r4*5,v4=u4*5,x4=w4*5,z4=y4*5
30320 -- vmovd y4,ruwy4x
30321 -- vmovd w4,t1x
30322 -- vpunpcklqdq t1,ruwy4,ruwy4
30323 -- vmovd u4,t1x
30324 -- vmovd r4,t2x
30325 -- vpunpcklqdq t2,t1,t1
30326 -- vperm2i128 $0x20,t1,ruwy4,ruwy4
30327 -- vpslld $2,ruwy4,svxz4
30328 -- vpaddd ruwy4,svxz4,svxz4
30329 --
30330 --.Ldoblock4:
30331 -- # hc0 = [m[48-51] & 0x3ffffff, m[32-35] & 0x3ffffff,
30332 -- # m[16-19] & 0x3ffffff, m[ 0- 3] & 0x3ffffff + h0]
30333 -- vmovd 0x00(m),hc0x
30334 -- vmovd 0x10(m),t1x
30335 -- vpunpcklqdq t1,hc0,hc0
30336 -- vmovd 0x20(m),t1x
30337 -- vmovd 0x30(m),t2x
30338 -- vpunpcklqdq t2,t1,t1
30339 -- vperm2i128 $0x20,t1,hc0,hc0
30340 -- vpand ANMASK(%rip),hc0,hc0
30341 -- vmovd h0,t1x
30342 -- vpaddd t1,hc0,hc0
30343 -- # hc1 = [(m[51-54] >> 2) & 0x3ffffff, (m[35-38] >> 2) & 0x3ffffff,
30344 -- # (m[19-22] >> 2) & 0x3ffffff, (m[ 3- 6] >> 2) & 0x3ffffff + h1]
30345 -- vmovd 0x03(m),hc1x
30346 -- vmovd 0x13(m),t1x
30347 -- vpunpcklqdq t1,hc1,hc1
30348 -- vmovd 0x23(m),t1x
30349 -- vmovd 0x33(m),t2x
30350 -- vpunpcklqdq t2,t1,t1
30351 -- vperm2i128 $0x20,t1,hc1,hc1
30352 -- vpsrld $2,hc1,hc1
30353 -- vpand ANMASK(%rip),hc1,hc1
30354 -- vmovd h1,t1x
30355 -- vpaddd t1,hc1,hc1
30356 -- # hc2 = [(m[54-57] >> 4) & 0x3ffffff, (m[38-41] >> 4) & 0x3ffffff,
30357 -- # (m[22-25] >> 4) & 0x3ffffff, (m[ 6- 9] >> 4) & 0x3ffffff + h2]
30358 -- vmovd 0x06(m),hc2x
30359 -- vmovd 0x16(m),t1x
30360 -- vpunpcklqdq t1,hc2,hc2
30361 -- vmovd 0x26(m),t1x
30362 -- vmovd 0x36(m),t2x
30363 -- vpunpcklqdq t2,t1,t1
30364 -- vperm2i128 $0x20,t1,hc2,hc2
30365 -- vpsrld $4,hc2,hc2
30366 -- vpand ANMASK(%rip),hc2,hc2
30367 -- vmovd h2,t1x
30368 -- vpaddd t1,hc2,hc2
30369 -- # hc3 = [(m[57-60] >> 6) & 0x3ffffff, (m[41-44] >> 6) & 0x3ffffff,
30370 -- # (m[25-28] >> 6) & 0x3ffffff, (m[ 9-12] >> 6) & 0x3ffffff + h3]
30371 -- vmovd 0x09(m),hc3x
30372 -- vmovd 0x19(m),t1x
30373 -- vpunpcklqdq t1,hc3,hc3
30374 -- vmovd 0x29(m),t1x
30375 -- vmovd 0x39(m),t2x
30376 -- vpunpcklqdq t2,t1,t1
30377 -- vperm2i128 $0x20,t1,hc3,hc3
30378 -- vpsrld $6,hc3,hc3
30379 -- vpand ANMASK(%rip),hc3,hc3
30380 -- vmovd h3,t1x
30381 -- vpaddd t1,hc3,hc3
30382 -- # hc4 = [(m[60-63] >> 8) | (1<<24), (m[44-47] >> 8) | (1<<24),
30383 -- # (m[28-31] >> 8) | (1<<24), (m[12-15] >> 8) | (1<<24) + h4]
30384 -- vmovd 0x0c(m),hc4x
30385 -- vmovd 0x1c(m),t1x
30386 -- vpunpcklqdq t1,hc4,hc4
30387 -- vmovd 0x2c(m),t1x
30388 -- vmovd 0x3c(m),t2x
30389 -- vpunpcklqdq t2,t1,t1
30390 -- vperm2i128 $0x20,t1,hc4,hc4
30391 -- vpsrld $8,hc4,hc4
30392 -- vpor ORMASK(%rip),hc4,hc4
30393 -- vmovd h4,t1x
30394 -- vpaddd t1,hc4,hc4
30395 --
30396 -- # t1 = [ hc0[3] * r0, hc0[2] * u0, hc0[1] * w0, hc0[0] * y0 ]
30397 -- vpmuludq hc0,ruwy0,t1
30398 -- # t1 += [ hc1[3] * s4, hc1[2] * v4, hc1[1] * x4, hc1[0] * z4 ]
30399 -- vpmuludq hc1,svxz4,t2
30400 -- vpaddq t2,t1,t1
30401 -- # t1 += [ hc2[3] * s3, hc2[2] * v3, hc2[1] * x3, hc2[0] * z3 ]
30402 -- vpmuludq hc2,svxz3,t2
30403 -- vpaddq t2,t1,t1
30404 -- # t1 += [ hc3[3] * s2, hc3[2] * v2, hc3[1] * x2, hc3[0] * z2 ]
30405 -- vpmuludq hc3,svxz2,t2
30406 -- vpaddq t2,t1,t1
30407 -- # t1 += [ hc4[3] * s1, hc4[2] * v1, hc4[1] * x1, hc4[0] * z1 ]
30408 -- vpmuludq hc4,svxz1,t2
30409 -- vpaddq t2,t1,t1
30410 -- # d0 = t1[0] + t1[1] + t[2] + t[3]
30411 -- vpermq $0xee,t1,t2
30412 -- vpaddq t2,t1,t1
30413 -- vpsrldq $8,t1,t2
30414 -- vpaddq t2,t1,t1
30415 -- vmovq t1x,d0
30416 --
30417 -- # t1 = [ hc0[3] * r1, hc0[2] * u1,hc0[1] * w1, hc0[0] * y1 ]
30418 -- vpmuludq hc0,ruwy1,t1
30419 -- # t1 += [ hc1[3] * r0, hc1[2] * u0, hc1[1] * w0, hc1[0] * y0 ]
30420 -- vpmuludq hc1,ruwy0,t2
30421 -- vpaddq t2,t1,t1
30422 -- # t1 += [ hc2[3] * s4, hc2[2] * v4, hc2[1] * x4, hc2[0] * z4 ]
30423 -- vpmuludq hc2,svxz4,t2
30424 -- vpaddq t2,t1,t1
30425 -- # t1 += [ hc3[3] * s3, hc3[2] * v3, hc3[1] * x3, hc3[0] * z3 ]
30426 -- vpmuludq hc3,svxz3,t2
30427 -- vpaddq t2,t1,t1
30428 -- # t1 += [ hc4[3] * s2, hc4[2] * v2, hc4[1] * x2, hc4[0] * z2 ]
30429 -- vpmuludq hc4,svxz2,t2
30430 -- vpaddq t2,t1,t1
30431 -- # d1 = t1[0] + t1[1] + t1[3] + t1[4]
30432 -- vpermq $0xee,t1,t2
30433 -- vpaddq t2,t1,t1
30434 -- vpsrldq $8,t1,t2
30435 -- vpaddq t2,t1,t1
30436 -- vmovq t1x,d1
30437 --
30438 -- # t1 = [ hc0[3] * r2, hc0[2] * u2, hc0[1] * w2, hc0[0] * y2 ]
30439 -- vpmuludq hc0,ruwy2,t1
30440 -- # t1 += [ hc1[3] * r1, hc1[2] * u1, hc1[1] * w1, hc1[0] * y1 ]
30441 -- vpmuludq hc1,ruwy1,t2
30442 -- vpaddq t2,t1,t1
30443 -- # t1 += [ hc2[3] * r0, hc2[2] * u0, hc2[1] * w0, hc2[0] * y0 ]
30444 -- vpmuludq hc2,ruwy0,t2
30445 -- vpaddq t2,t1,t1
30446 -- # t1 += [ hc3[3] * s4, hc3[2] * v4, hc3[1] * x4, hc3[0] * z4 ]
30447 -- vpmuludq hc3,svxz4,t2
30448 -- vpaddq t2,t1,t1
30449 -- # t1 += [ hc4[3] * s3, hc4[2] * v3, hc4[1] * x3, hc4[0] * z3 ]
30450 -- vpmuludq hc4,svxz3,t2
30451 -- vpaddq t2,t1,t1
30452 -- # d2 = t1[0] + t1[1] + t1[2] + t1[3]
30453 -- vpermq $0xee,t1,t2
30454 -- vpaddq t2,t1,t1
30455 -- vpsrldq $8,t1,t2
30456 -- vpaddq t2,t1,t1
30457 -- vmovq t1x,d2
30458 --
30459 -- # t1 = [ hc0[3] * r3, hc0[2] * u3, hc0[1] * w3, hc0[0] * y3 ]
30460 -- vpmuludq hc0,ruwy3,t1
30461 -- # t1 += [ hc1[3] * r2, hc1[2] * u2, hc1[1] * w2, hc1[0] * y2 ]
30462 -- vpmuludq hc1,ruwy2,t2
30463 -- vpaddq t2,t1,t1
30464 -- # t1 += [ hc2[3] * r1, hc2[2] * u1, hc2[1] * w1, hc2[0] * y1 ]
30465 -- vpmuludq hc2,ruwy1,t2
30466 -- vpaddq t2,t1,t1
30467 -- # t1 += [ hc3[3] * r0, hc3[2] * u0, hc3[1] * w0, hc3[0] * y0 ]
30468 -- vpmuludq hc3,ruwy0,t2
30469 -- vpaddq t2,t1,t1
30470 -- # t1 += [ hc4[3] * s4, hc4[2] * v4, hc4[1] * x4, hc4[0] * z4 ]
30471 -- vpmuludq hc4,svxz4,t2
30472 -- vpaddq t2,t1,t1
30473 -- # d3 = t1[0] + t1[1] + t1[2] + t1[3]
30474 -- vpermq $0xee,t1,t2
30475 -- vpaddq t2,t1,t1
30476 -- vpsrldq $8,t1,t2
30477 -- vpaddq t2,t1,t1
30478 -- vmovq t1x,d3
30479 --
30480 -- # t1 = [ hc0[3] * r4, hc0[2] * u4, hc0[1] * w4, hc0[0] * y4 ]
30481 -- vpmuludq hc0,ruwy4,t1
30482 -- # t1 += [ hc1[3] * r3, hc1[2] * u3, hc1[1] * w3, hc1[0] * y3 ]
30483 -- vpmuludq hc1,ruwy3,t2
30484 -- vpaddq t2,t1,t1
30485 -- # t1 += [ hc2[3] * r2, hc2[2] * u2, hc2[1] * w2, hc2[0] * y2 ]
30486 -- vpmuludq hc2,ruwy2,t2
30487 -- vpaddq t2,t1,t1
30488 -- # t1 += [ hc3[3] * r1, hc3[2] * u1, hc3[1] * w1, hc3[0] * y1 ]
30489 -- vpmuludq hc3,ruwy1,t2
30490 -- vpaddq t2,t1,t1
30491 -- # t1 += [ hc4[3] * r0, hc4[2] * u0, hc4[1] * w0, hc4[0] * y0 ]
30492 -- vpmuludq hc4,ruwy0,t2
30493 -- vpaddq t2,t1,t1
30494 -- # d4 = t1[0] + t1[1] + t1[2] + t1[3]
30495 -- vpermq $0xee,t1,t2
30496 -- vpaddq t2,t1,t1
30497 -- vpsrldq $8,t1,t2
30498 -- vpaddq t2,t1,t1
30499 -- vmovq t1x,d4
30500 --
30501 -- # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
30502 -- # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
30503 -- # amount. Careful: we must not assume the carry bits 'd0 >> 26',
30504 -- # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
30505 -- # integers. It's true in a single-block implementation, but not here.
30506 --
30507 -- # d1 += d0 >> 26
30508 -- mov d0,%rax
30509 -- shr $26,%rax
30510 -- add %rax,d1
30511 -- # h0 = d0 & 0x3ffffff
30512 -- mov d0,%rbx
30513 -- and $0x3ffffff,%ebx
30514 --
30515 -- # d2 += d1 >> 26
30516 -- mov d1,%rax
30517 -- shr $26,%rax
30518 -- add %rax,d2
30519 -- # h1 = d1 & 0x3ffffff
30520 -- mov d1,%rax
30521 -- and $0x3ffffff,%eax
30522 -- mov %eax,h1
30523 --
30524 -- # d3 += d2 >> 26
30525 -- mov d2,%rax
30526 -- shr $26,%rax
30527 -- add %rax,d3
30528 -- # h2 = d2 & 0x3ffffff
30529 -- mov d2,%rax
30530 -- and $0x3ffffff,%eax
30531 -- mov %eax,h2
30532 --
30533 -- # d4 += d3 >> 26
30534 -- mov d3,%rax
30535 -- shr $26,%rax
30536 -- add %rax,d4
30537 -- # h3 = d3 & 0x3ffffff
30538 -- mov d3,%rax
30539 -- and $0x3ffffff,%eax
30540 -- mov %eax,h3
30541 --
30542 -- # h0 += (d4 >> 26) * 5
30543 -- mov d4,%rax
30544 -- shr $26,%rax
30545 -- lea (%rax,%rax,4),%rax
30546 -- add %rax,%rbx
30547 -- # h4 = d4 & 0x3ffffff
30548 -- mov d4,%rax
30549 -- and $0x3ffffff,%eax
30550 -- mov %eax,h4
30551 --
30552 -- # h1 += h0 >> 26
30553 -- mov %rbx,%rax
30554 -- shr $26,%rax
30555 -- add %eax,h1
30556 -- # h0 = h0 & 0x3ffffff
30557 -- andl $0x3ffffff,%ebx
30558 -- mov %ebx,h0
30559 --
30560 -- add $0x40,m
30561 -- dec %rcx
30562 -- jnz .Ldoblock4
30563 --
30564 -- vzeroupper
30565 -- pop %r13
30566 -- pop %r12
30567 -- pop %rbx
30568 -- ret
30569 --ENDPROC(poly1305_4block_avx2)
30570 ---- a/include/crypto/nhpoly1305.h
30571 -+++ b/include/crypto/nhpoly1305.h
30572 -@@ -7,7 +7,7 @@
30573 - #define _NHPOLY1305_H
30574 -
30575 - #include <crypto/hash.h>
30576 --#include <crypto/poly1305.h>
30577 -+#include <crypto/internal/poly1305.h>
30578 -
30579 - /* NH parameterization: */
30580 -
30581 -@@ -33,7 +33,7 @@
30582 - #define NHPOLY1305_KEY_SIZE (POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
30583 -
30584 - struct nhpoly1305_key {
30585 -- struct poly1305_key poly_key;
30586 -+ struct poly1305_core_key poly_key;
30587 - u32 nh_key[NH_KEY_WORDS];
30588 - };
30589 -
30590 ---- /dev/null
30591 -+++ b/lib/crypto/poly1305-donna32.c
30592 -@@ -0,0 +1,204 @@
30593 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
30594 -+/*
30595 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
30596 -+ *
30597 -+ * This is based in part on Andrew Moon's poly1305-donna, which is in the
30598 -+ * public domain.
30599 -+ */
30600 -+
30601 -+#include <linux/kernel.h>
30602 -+#include <asm/unaligned.h>
30603 -+#include <crypto/internal/poly1305.h>
30604 -+
30605 -+void poly1305_core_setkey(struct poly1305_core_key *key, const u8 raw_key[16])
30606 -+{
30607 -+ /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
30608 -+ key->key.r[0] = (get_unaligned_le32(&raw_key[0])) & 0x3ffffff;
30609 -+ key->key.r[1] = (get_unaligned_le32(&raw_key[3]) >> 2) & 0x3ffff03;
30610 -+ key->key.r[2] = (get_unaligned_le32(&raw_key[6]) >> 4) & 0x3ffc0ff;
30611 -+ key->key.r[3] = (get_unaligned_le32(&raw_key[9]) >> 6) & 0x3f03fff;
30612 -+ key->key.r[4] = (get_unaligned_le32(&raw_key[12]) >> 8) & 0x00fffff;
30613 -+
30614 -+ /* s = 5*r */
30615 -+ key->precomputed_s.r[0] = key->key.r[1] * 5;
30616 -+ key->precomputed_s.r[1] = key->key.r[2] * 5;
30617 -+ key->precomputed_s.r[2] = key->key.r[3] * 5;
30618 -+ key->precomputed_s.r[3] = key->key.r[4] * 5;
30619 -+}
30620 -+EXPORT_SYMBOL(poly1305_core_setkey);
30621 -+
30622 -+void poly1305_core_blocks(struct poly1305_state *state,
30623 -+ const struct poly1305_core_key *key, const void *src,
30624 -+ unsigned int nblocks, u32 hibit)
30625 -+{
30626 -+ const u8 *input = src;
30627 -+ u32 r0, r1, r2, r3, r4;
30628 -+ u32 s1, s2, s3, s4;
30629 -+ u32 h0, h1, h2, h3, h4;
30630 -+ u64 d0, d1, d2, d3, d4;
30631 -+ u32 c;
30632 -+
30633 -+ if (!nblocks)
30634 -+ return;
30635 -+
30636 -+ hibit <<= 24;
30637 -+
30638 -+ r0 = key->key.r[0];
30639 -+ r1 = key->key.r[1];
30640 -+ r2 = key->key.r[2];
30641 -+ r3 = key->key.r[3];
30642 -+ r4 = key->key.r[4];
30643 -+
30644 -+ s1 = key->precomputed_s.r[0];
30645 -+ s2 = key->precomputed_s.r[1];
30646 -+ s3 = key->precomputed_s.r[2];
30647 -+ s4 = key->precomputed_s.r[3];
30648 -+
30649 -+ h0 = state->h[0];
30650 -+ h1 = state->h[1];
30651 -+ h2 = state->h[2];
30652 -+ h3 = state->h[3];
30653 -+ h4 = state->h[4];
30654 -+
30655 -+ do {
30656 -+ /* h += m[i] */
30657 -+ h0 += (get_unaligned_le32(&input[0])) & 0x3ffffff;
30658 -+ h1 += (get_unaligned_le32(&input[3]) >> 2) & 0x3ffffff;
30659 -+ h2 += (get_unaligned_le32(&input[6]) >> 4) & 0x3ffffff;
30660 -+ h3 += (get_unaligned_le32(&input[9]) >> 6) & 0x3ffffff;
30661 -+ h4 += (get_unaligned_le32(&input[12]) >> 8) | hibit;
30662 -+
30663 -+ /* h *= r */
30664 -+ d0 = ((u64)h0 * r0) + ((u64)h1 * s4) +
30665 -+ ((u64)h2 * s3) + ((u64)h3 * s2) +
30666 -+ ((u64)h4 * s1);
30667 -+ d1 = ((u64)h0 * r1) + ((u64)h1 * r0) +
30668 -+ ((u64)h2 * s4) + ((u64)h3 * s3) +
30669 -+ ((u64)h4 * s2);
30670 -+ d2 = ((u64)h0 * r2) + ((u64)h1 * r1) +
30671 -+ ((u64)h2 * r0) + ((u64)h3 * s4) +
30672 -+ ((u64)h4 * s3);
30673 -+ d3 = ((u64)h0 * r3) + ((u64)h1 * r2) +
30674 -+ ((u64)h2 * r1) + ((u64)h3 * r0) +
30675 -+ ((u64)h4 * s4);
30676 -+ d4 = ((u64)h0 * r4) + ((u64)h1 * r3) +
30677 -+ ((u64)h2 * r2) + ((u64)h3 * r1) +
30678 -+ ((u64)h4 * r0);
30679 -+
30680 -+ /* (partial) h %= p */
30681 -+ c = (u32)(d0 >> 26);
30682 -+ h0 = (u32)d0 & 0x3ffffff;
30683 -+ d1 += c;
30684 -+ c = (u32)(d1 >> 26);
30685 -+ h1 = (u32)d1 & 0x3ffffff;
30686 -+ d2 += c;
30687 -+ c = (u32)(d2 >> 26);
30688 -+ h2 = (u32)d2 & 0x3ffffff;
30689 -+ d3 += c;
30690 -+ c = (u32)(d3 >> 26);
30691 -+ h3 = (u32)d3 & 0x3ffffff;
30692 -+ d4 += c;
30693 -+ c = (u32)(d4 >> 26);
30694 -+ h4 = (u32)d4 & 0x3ffffff;
30695 -+ h0 += c * 5;
30696 -+ c = (h0 >> 26);
30697 -+ h0 = h0 & 0x3ffffff;
30698 -+ h1 += c;
30699 -+
30700 -+ input += POLY1305_BLOCK_SIZE;
30701 -+ } while (--nblocks);
30702 -+
30703 -+ state->h[0] = h0;
30704 -+ state->h[1] = h1;
30705 -+ state->h[2] = h2;
30706 -+ state->h[3] = h3;
30707 -+ state->h[4] = h4;
30708 -+}
30709 -+EXPORT_SYMBOL(poly1305_core_blocks);
30710 -+
30711 -+void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
30712 -+ void *dst)
30713 -+{
30714 -+ u8 *mac = dst;
30715 -+ u32 h0, h1, h2, h3, h4, c;
30716 -+ u32 g0, g1, g2, g3, g4;
30717 -+ u64 f;
30718 -+ u32 mask;
30719 -+
30720 -+ /* fully carry h */
30721 -+ h0 = state->h[0];
30722 -+ h1 = state->h[1];
30723 -+ h2 = state->h[2];
30724 -+ h3 = state->h[3];
30725 -+ h4 = state->h[4];
30726 -+
30727 -+ c = h1 >> 26;
30728 -+ h1 = h1 & 0x3ffffff;
30729 -+ h2 += c;
30730 -+ c = h2 >> 26;
30731 -+ h2 = h2 & 0x3ffffff;
30732 -+ h3 += c;
30733 -+ c = h3 >> 26;
30734 -+ h3 = h3 & 0x3ffffff;
30735 -+ h4 += c;
30736 -+ c = h4 >> 26;
30737 -+ h4 = h4 & 0x3ffffff;
30738 -+ h0 += c * 5;
30739 -+ c = h0 >> 26;
30740 -+ h0 = h0 & 0x3ffffff;
30741 -+ h1 += c;
30742 -+
30743 -+ /* compute h + -p */
30744 -+ g0 = h0 + 5;
30745 -+ c = g0 >> 26;
30746 -+ g0 &= 0x3ffffff;
30747 -+ g1 = h1 + c;
30748 -+ c = g1 >> 26;
30749 -+ g1 &= 0x3ffffff;
30750 -+ g2 = h2 + c;
30751 -+ c = g2 >> 26;
30752 -+ g2 &= 0x3ffffff;
30753 -+ g3 = h3 + c;
30754 -+ c = g3 >> 26;
30755 -+ g3 &= 0x3ffffff;
30756 -+ g4 = h4 + c - (1UL << 26);
30757 -+
30758 -+ /* select h if h < p, or h + -p if h >= p */
30759 -+ mask = (g4 >> ((sizeof(u32) * 8) - 1)) - 1;
30760 -+ g0 &= mask;
30761 -+ g1 &= mask;
30762 -+ g2 &= mask;
30763 -+ g3 &= mask;
30764 -+ g4 &= mask;
30765 -+ mask = ~mask;
30766 -+
30767 -+ h0 = (h0 & mask) | g0;
30768 -+ h1 = (h1 & mask) | g1;
30769 -+ h2 = (h2 & mask) | g2;
30770 -+ h3 = (h3 & mask) | g3;
30771 -+ h4 = (h4 & mask) | g4;
30772 -+
30773 -+ /* h = h % (2^128) */
30774 -+ h0 = ((h0) | (h1 << 26)) & 0xffffffff;
30775 -+ h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
30776 -+ h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
30777 -+ h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
30778 -+
30779 -+ if (likely(nonce)) {
30780 -+ /* mac = (h + nonce) % (2^128) */
30781 -+ f = (u64)h0 + nonce[0];
30782 -+ h0 = (u32)f;
30783 -+ f = (u64)h1 + nonce[1] + (f >> 32);
30784 -+ h1 = (u32)f;
30785 -+ f = (u64)h2 + nonce[2] + (f >> 32);
30786 -+ h2 = (u32)f;
30787 -+ f = (u64)h3 + nonce[3] + (f >> 32);
30788 -+ h3 = (u32)f;
30789 -+ }
30790 -+
30791 -+ put_unaligned_le32(h0, &mac[0]);
30792 -+ put_unaligned_le32(h1, &mac[4]);
30793 -+ put_unaligned_le32(h2, &mac[8]);
30794 -+ put_unaligned_le32(h3, &mac[12]);
30795 -+}
30796 -+EXPORT_SYMBOL(poly1305_core_emit);
30797 ---- /dev/null
30798 -+++ b/lib/crypto/poly1305-donna64.c
30799 -@@ -0,0 +1,185 @@
30800 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
30801 -+/*
30802 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
30803 -+ *
30804 -+ * This is based in part on Andrew Moon's poly1305-donna, which is in the
30805 -+ * public domain.
30806 -+ */
30807 -+
30808 -+#include <linux/kernel.h>
30809 -+#include <asm/unaligned.h>
30810 -+#include <crypto/internal/poly1305.h>
30811 -+
30812 -+typedef __uint128_t u128;
30813 -+
30814 -+void poly1305_core_setkey(struct poly1305_core_key *key, const u8 raw_key[16])
30815 -+{
30816 -+ u64 t0, t1;
30817 -+
30818 -+ /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
30819 -+ t0 = get_unaligned_le64(&raw_key[0]);
30820 -+ t1 = get_unaligned_le64(&raw_key[8]);
30821 -+
30822 -+ key->key.r64[0] = t0 & 0xffc0fffffffULL;
30823 -+ key->key.r64[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffffULL;
30824 -+ key->key.r64[2] = ((t1 >> 24)) & 0x00ffffffc0fULL;
30825 -+
30826 -+ /* s = 20*r */
30827 -+ key->precomputed_s.r64[0] = key->key.r64[1] * 20;
30828 -+ key->precomputed_s.r64[1] = key->key.r64[2] * 20;
30829 -+}
30830 -+EXPORT_SYMBOL(poly1305_core_setkey);
30831 -+
30832 -+void poly1305_core_blocks(struct poly1305_state *state,
30833 -+ const struct poly1305_core_key *key, const void *src,
30834 -+ unsigned int nblocks, u32 hibit)
30835 -+{
30836 -+ const u8 *input = src;
30837 -+ u64 hibit64;
30838 -+ u64 r0, r1, r2;
30839 -+ u64 s1, s2;
30840 -+ u64 h0, h1, h2;
30841 -+ u64 c;
30842 -+ u128 d0, d1, d2, d;
30843 -+
30844 -+ if (!nblocks)
30845 -+ return;
30846 -+
30847 -+ hibit64 = ((u64)hibit) << 40;
30848 -+
30849 -+ r0 = key->key.r64[0];
30850 -+ r1 = key->key.r64[1];
30851 -+ r2 = key->key.r64[2];
30852 -+
30853 -+ h0 = state->h64[0];
30854 -+ h1 = state->h64[1];
30855 -+ h2 = state->h64[2];
30856 -+
30857 -+ s1 = key->precomputed_s.r64[0];
30858 -+ s2 = key->precomputed_s.r64[1];
30859 -+
30860 -+ do {
30861 -+ u64 t0, t1;
30862 -+
30863 -+ /* h += m[i] */
30864 -+ t0 = get_unaligned_le64(&input[0]);
30865 -+ t1 = get_unaligned_le64(&input[8]);
30866 -+
30867 -+ h0 += t0 & 0xfffffffffffULL;
30868 -+ h1 += ((t0 >> 44) | (t1 << 20)) & 0xfffffffffffULL;
30869 -+ h2 += (((t1 >> 24)) & 0x3ffffffffffULL) | hibit64;
30870 -+
30871 -+ /* h *= r */
30872 -+ d0 = (u128)h0 * r0;
30873 -+ d = (u128)h1 * s2;
30874 -+ d0 += d;
30875 -+ d = (u128)h2 * s1;
30876 -+ d0 += d;
30877 -+ d1 = (u128)h0 * r1;
30878 -+ d = (u128)h1 * r0;
30879 -+ d1 += d;
30880 -+ d = (u128)h2 * s2;
30881 -+ d1 += d;
30882 -+ d2 = (u128)h0 * r2;
30883 -+ d = (u128)h1 * r1;
30884 -+ d2 += d;
30885 -+ d = (u128)h2 * r0;
30886 -+ d2 += d;
30887 -+
30888 -+ /* (partial) h %= p */
30889 -+ c = (u64)(d0 >> 44);
30890 -+ h0 = (u64)d0 & 0xfffffffffffULL;
30891 -+ d1 += c;
30892 -+ c = (u64)(d1 >> 44);
30893 -+ h1 = (u64)d1 & 0xfffffffffffULL;
30894 -+ d2 += c;
30895 -+ c = (u64)(d2 >> 42);
30896 -+ h2 = (u64)d2 & 0x3ffffffffffULL;
30897 -+ h0 += c * 5;
30898 -+ c = h0 >> 44;
30899 -+ h0 = h0 & 0xfffffffffffULL;
30900 -+ h1 += c;
30901 -+
30902 -+ input += POLY1305_BLOCK_SIZE;
30903 -+ } while (--nblocks);
30904 -+
30905 -+ state->h64[0] = h0;
30906 -+ state->h64[1] = h1;
30907 -+ state->h64[2] = h2;
30908 -+}
30909 -+EXPORT_SYMBOL(poly1305_core_blocks);
30910 -+
30911 -+void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
30912 -+ void *dst)
30913 -+{
30914 -+ u8 *mac = dst;
30915 -+ u64 h0, h1, h2, c;
30916 -+ u64 g0, g1, g2;
30917 -+ u64 t0, t1;
30918 -+
30919 -+ /* fully carry h */
30920 -+ h0 = state->h64[0];
30921 -+ h1 = state->h64[1];
30922 -+ h2 = state->h64[2];
30923 -+
30924 -+ c = h1 >> 44;
30925 -+ h1 &= 0xfffffffffffULL;
30926 -+ h2 += c;
30927 -+ c = h2 >> 42;
30928 -+ h2 &= 0x3ffffffffffULL;
30929 -+ h0 += c * 5;
30930 -+ c = h0 >> 44;
30931 -+ h0 &= 0xfffffffffffULL;
30932 -+ h1 += c;
30933 -+ c = h1 >> 44;
30934 -+ h1 &= 0xfffffffffffULL;
30935 -+ h2 += c;
30936 -+ c = h2 >> 42;
30937 -+ h2 &= 0x3ffffffffffULL;
30938 -+ h0 += c * 5;
30939 -+ c = h0 >> 44;
30940 -+ h0 &= 0xfffffffffffULL;
30941 -+ h1 += c;
30942 -+
30943 -+ /* compute h + -p */
30944 -+ g0 = h0 + 5;
30945 -+ c = g0 >> 44;
30946 -+ g0 &= 0xfffffffffffULL;
30947 -+ g1 = h1 + c;
30948 -+ c = g1 >> 44;
30949 -+ g1 &= 0xfffffffffffULL;
30950 -+ g2 = h2 + c - (1ULL << 42);
30951 -+
30952 -+ /* select h if h < p, or h + -p if h >= p */
30953 -+ c = (g2 >> ((sizeof(u64) * 8) - 1)) - 1;
30954 -+ g0 &= c;
30955 -+ g1 &= c;
30956 -+ g2 &= c;
30957 -+ c = ~c;
30958 -+ h0 = (h0 & c) | g0;
30959 -+ h1 = (h1 & c) | g1;
30960 -+ h2 = (h2 & c) | g2;
30961 -+
30962 -+ if (likely(nonce)) {
30963 -+ /* h = (h + nonce) */
30964 -+ t0 = ((u64)nonce[1] << 32) | nonce[0];
30965 -+ t1 = ((u64)nonce[3] << 32) | nonce[2];
30966 -+
30967 -+ h0 += t0 & 0xfffffffffffULL;
30968 -+ c = h0 >> 44;
30969 -+ h0 &= 0xfffffffffffULL;
30970 -+ h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffffULL) + c;
30971 -+ c = h1 >> 44;
30972 -+ h1 &= 0xfffffffffffULL;
30973 -+ h2 += (((t1 >> 24)) & 0x3ffffffffffULL) + c;
30974 -+ h2 &= 0x3ffffffffffULL;
30975 -+ }
30976 -+
30977 -+ /* mac = h % (2^128) */
30978 -+ h0 = h0 | (h1 << 44);
30979 -+ h1 = (h1 >> 20) | (h2 << 24);
30980 -+
30981 -+ put_unaligned_le64(h0, &mac[0]);
30982 -+ put_unaligned_le64(h1, &mac[8]);
30983 -+}
30984 -+EXPORT_SYMBOL(poly1305_core_emit);
30985 ---- b/arch/x86/crypto/poly1305-x86_64-cryptogams.pl
30986 -+++ b/arch/x86/crypto/poly1305-x86_64-cryptogams.pl
30987 -@@ -0,0 +1,4265 @@
30988 -+#!/usr/bin/env perl
30989 -+# SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
30990 -+#
30991 -+# Copyright (C) 2017-2018 Samuel Neves <sneves@××××××.pt>. All Rights Reserved.
30992 -+# Copyright (C) 2017-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
30993 -+# Copyright (C) 2006-2017 CRYPTOGAMS by <appro@×××××××.org>. All Rights Reserved.
30994 -+#
30995 -+# This code is taken from the OpenSSL project but the author, Andy Polyakov,
30996 -+# has relicensed it under the licenses specified in the SPDX header above.
30997 -+# The original headers, including the original license headers, are
30998 -+# included below for completeness.
30999 -+#
31000 -+# ====================================================================
31001 -+# Written by Andy Polyakov <appro@×××××××.org> for the OpenSSL
31002 -+# project. The module is, however, dual licensed under OpenSSL and
31003 -+# CRYPTOGAMS licenses depending on where you obtain it. For further
31004 -+# details see http://www.openssl.org/~appro/cryptogams/.
31005 -+# ====================================================================
31006 -+#
31007 -+# This module implements Poly1305 hash for x86_64.
31008 -+#
31009 -+# March 2015
31010 -+#
31011 -+# Initial release.
31012 -+#
31013 -+# December 2016
31014 -+#
31015 -+# Add AVX512F+VL+BW code path.
31016 -+#
31017 -+# November 2017
31018 -+#
31019 -+# Convert AVX512F+VL+BW code path to pure AVX512F, so that it can be
31020 -+# executed even on Knights Landing. Trigger for modification was
31021 -+# observation that AVX512 code paths can negatively affect overall
31022 -+# Skylake-X system performance. Since we are likely to suppress
31023 -+# AVX512F capability flag [at least on Skylake-X], conversion serves
31024 -+# as kind of "investment protection". Note that next *lake processor,
31025 -+# Cannonlake, has AVX512IFMA code path to execute...
31026 -+#
31027 -+# Numbers are cycles per processed byte with poly1305_blocks alone,
31028 -+# measured with rdtsc at fixed clock frequency.
31029 -+#
31030 -+# IALU/gcc-4.8(*) AVX(**) AVX2 AVX-512
31031 -+# P4 4.46/+120% -
31032 -+# Core 2 2.41/+90% -
31033 -+# Westmere 1.88/+120% -
31034 -+# Sandy Bridge 1.39/+140% 1.10
31035 -+# Haswell 1.14/+175% 1.11 0.65
31036 -+# Skylake[-X] 1.13/+120% 0.96 0.51 [0.35]
31037 -+# Silvermont 2.83/+95% -
31038 -+# Knights L 3.60/? 1.65 1.10 0.41(***)
31039 -+# Goldmont 1.70/+180% -
31040 -+# VIA Nano 1.82/+150% -
31041 -+# Sledgehammer 1.38/+160% -
31042 -+# Bulldozer 2.30/+130% 0.97
31043 -+# Ryzen 1.15/+200% 1.08 1.18
31044 -+#
31045 -+# (*) improvement coefficients relative to clang are more modest and
31046 -+# are ~50% on most processors, in both cases we are comparing to
31047 -+# __int128 code;
31048 -+# (**) SSE2 implementation was attempted, but among non-AVX processors
31049 -+# it was faster than integer-only code only on older Intel P4 and
31050 -+# Core processors, 50-30%, less newer processor is, but slower on
31051 -+# contemporary ones, for example almost 2x slower on Atom, and as
31052 -+# former are naturally disappearing, SSE2 is deemed unnecessary;
31053 -+# (***) strangely enough performance seems to vary from core to core,
31054 -+# listed result is best case;
31055 -+
31056 -+$flavour = shift;
31057 -+$output = shift;
31058 -+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
31059 -+
31060 -+$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
31061 -+$kernel=0; $kernel=1 if (!$flavour && !$output);
31062 -+
31063 -+if (!$kernel) {
31064 -+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
31065 -+ ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
31066 -+ ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
31067 -+ die "can't locate x86_64-xlate.pl";
31068 -+
31069 -+ open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
31070 -+ *STDOUT=*OUT;
31071 -+
31072 -+ if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
31073 -+ =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
31074 -+ $avx = ($1>=2.19) + ($1>=2.22) + ($1>=2.25);
31075 -+ }
31076 -+
31077 -+ if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
31078 -+ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) {
31079 -+ $avx = ($1>=2.09) + ($1>=2.10) + ($1>=2.12);
31080 -+ $avx += 1 if ($1==2.11 && $2>=8);
31081 -+ }
31082 -+
31083 -+ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
31084 -+ `ml64 2>&1` =~ /Version ([0-9]+)\./) {
31085 -+ $avx = ($1>=10) + ($1>=11);
31086 -+ }
31087 -+
31088 -+ if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) {
31089 -+ $avx = ($2>=3.0) + ($2>3.0);
31090 -+ }
31091 -+} else {
31092 -+ $avx = 4; # The kernel uses ifdefs for this.
31093 -+}
31094 -+
31095 -+sub declare_function() {
31096 -+ my ($name, $align, $nargs) = @_;
31097 -+ if($kernel) {
31098 -+ $code .= ".align $align\n";
31099 -+ $code .= "ENTRY($name)\n";
31100 -+ $code .= ".L$name:\n";
31101 -+ } else {
31102 -+ $code .= ".globl $name\n";
31103 -+ $code .= ".type $name,\@function,$nargs\n";
31104 -+ $code .= ".align $align\n";
31105 -+ $code .= "$name:\n";
31106 -+ }
31107 -+}
31108 -+
31109 -+sub end_function() {
31110 -+ my ($name) = @_;
31111 -+ if($kernel) {
31112 -+ $code .= "ENDPROC($name)\n";
31113 -+ } else {
31114 -+ $code .= ".size $name,.-$name\n";
31115 -+ }
31116 -+}
31117 -+
31118 -+$code.=<<___ if $kernel;
31119 -+#include <linux/linkage.h>
31120 -+___
31121 -+
31122 -+if ($avx) {
31123 -+$code.=<<___ if $kernel;
31124 -+.section .rodata
31125 -+___
31126 -+$code.=<<___;
31127 -+.align 64
31128 -+.Lconst:
31129 -+.Lmask24:
31130 -+.long 0x0ffffff,0,0x0ffffff,0,0x0ffffff,0,0x0ffffff,0
31131 -+.L129:
31132 -+.long `1<<24`,0,`1<<24`,0,`1<<24`,0,`1<<24`,0
31133 -+.Lmask26:
31134 -+.long 0x3ffffff,0,0x3ffffff,0,0x3ffffff,0,0x3ffffff,0
31135 -+.Lpermd_avx2:
31136 -+.long 2,2,2,3,2,0,2,1
31137 -+.Lpermd_avx512:
31138 -+.long 0,0,0,1, 0,2,0,3, 0,4,0,5, 0,6,0,7
31139 -+
31140 -+.L2_44_inp_permd:
31141 -+.long 0,1,1,2,2,3,7,7
31142 -+.L2_44_inp_shift:
31143 -+.quad 0,12,24,64
31144 -+.L2_44_mask:
31145 -+.quad 0xfffffffffff,0xfffffffffff,0x3ffffffffff,0xffffffffffffffff
31146 -+.L2_44_shift_rgt:
31147 -+.quad 44,44,42,64
31148 -+.L2_44_shift_lft:
31149 -+.quad 8,8,10,64
31150 -+
31151 -+.align 64
31152 -+.Lx_mask44:
31153 -+.quad 0xfffffffffff,0xfffffffffff,0xfffffffffff,0xfffffffffff
31154 -+.quad 0xfffffffffff,0xfffffffffff,0xfffffffffff,0xfffffffffff
31155 -+.Lx_mask42:
31156 -+.quad 0x3ffffffffff,0x3ffffffffff,0x3ffffffffff,0x3ffffffffff
31157 -+.quad 0x3ffffffffff,0x3ffffffffff,0x3ffffffffff,0x3ffffffffff
31158 -+___
31159 -+}
31160 -+$code.=<<___ if (!$kernel);
31161 -+.asciz "Poly1305 for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
31162 -+.align 16
31163 -+___
31164 -+
31165 -+my ($ctx,$inp,$len,$padbit)=("%rdi","%rsi","%rdx","%rcx");
31166 -+my ($mac,$nonce)=($inp,$len); # *_emit arguments
31167 -+my ($d1,$d2,$d3, $r0,$r1,$s1)=("%r8","%r9","%rdi","%r11","%r12","%r13");
31168 -+my ($h0,$h1,$h2)=("%r14","%rbx","%r10");
31169 -+
31170 -+sub poly1305_iteration {
31171 -+# input: copy of $r1 in %rax, $h0-$h2, $r0-$r1
31172 -+# output: $h0-$h2 *= $r0-$r1
31173 -+$code.=<<___;
31174 -+ mulq $h0 # h0*r1
31175 -+ mov %rax,$d2
31176 -+ mov $r0,%rax
31177 -+ mov %rdx,$d3
31178 -+
31179 -+ mulq $h0 # h0*r0
31180 -+ mov %rax,$h0 # future $h0
31181 -+ mov $r0,%rax
31182 -+ mov %rdx,$d1
31183 -+
31184 -+ mulq $h1 # h1*r0
31185 -+ add %rax,$d2
31186 -+ mov $s1,%rax
31187 -+ adc %rdx,$d3
31188 -+
31189 -+ mulq $h1 # h1*s1
31190 -+ mov $h2,$h1 # borrow $h1
31191 -+ add %rax,$h0
31192 -+ adc %rdx,$d1
31193 -+
31194 -+ imulq $s1,$h1 # h2*s1
31195 -+ add $h1,$d2
31196 -+ mov $d1,$h1
31197 -+ adc \$0,$d3
31198 -+
31199 -+ imulq $r0,$h2 # h2*r0
31200 -+ add $d2,$h1
31201 -+ mov \$-4,%rax # mask value
31202 -+ adc $h2,$d3
31203 -+
31204 -+ and $d3,%rax # last reduction step
31205 -+ mov $d3,$h2
31206 -+ shr \$2,$d3
31207 -+ and \$3,$h2
31208 -+ add $d3,%rax
31209 -+ add %rax,$h0
31210 -+ adc \$0,$h1
31211 -+ adc \$0,$h2
31212 -+___
31213 -+}
31214 -+
31215 -+########################################################################
31216 -+# Layout of opaque area is following.
31217 -+#
31218 -+# unsigned __int64 h[3]; # current hash value base 2^64
31219 -+# unsigned __int64 r[2]; # key value base 2^64
31220 -+
31221 -+$code.=<<___;
31222 -+.text
31223 -+___
31224 -+$code.=<<___ if (!$kernel);
31225 -+.extern OPENSSL_ia32cap_P
31226 -+
31227 -+.globl poly1305_init_x86_64
31228 -+.hidden poly1305_init_x86_64
31229 -+.globl poly1305_blocks_x86_64
31230 -+.hidden poly1305_blocks_x86_64
31231 -+.globl poly1305_emit_x86_64
31232 -+.hidden poly1305_emit_x86_64
31233 -+___
31234 -+&declare_function("poly1305_init_x86_64", 32, 3);
31235 -+$code.=<<___;
31236 -+ xor %eax,%eax
31237 -+ mov %rax,0($ctx) # initialize hash value
31238 -+ mov %rax,8($ctx)
31239 -+ mov %rax,16($ctx)
31240 -+
31241 -+ cmp \$0,$inp
31242 -+ je .Lno_key
31243 -+___
31244 -+$code.=<<___ if (!$kernel);
31245 -+ lea poly1305_blocks_x86_64(%rip),%r10
31246 -+ lea poly1305_emit_x86_64(%rip),%r11
31247 -+___
31248 -+$code.=<<___ if (!$kernel && $avx);
31249 -+ mov OPENSSL_ia32cap_P+4(%rip),%r9
31250 -+ lea poly1305_blocks_avx(%rip),%rax
31251 -+ lea poly1305_emit_avx(%rip),%rcx
31252 -+ bt \$`60-32`,%r9 # AVX?
31253 -+ cmovc %rax,%r10
31254 -+ cmovc %rcx,%r11
31255 -+___
31256 -+$code.=<<___ if (!$kernel && $avx>1);
31257 -+ lea poly1305_blocks_avx2(%rip),%rax
31258 -+ bt \$`5+32`,%r9 # AVX2?
31259 -+ cmovc %rax,%r10
31260 -+___
31261 -+$code.=<<___ if (!$kernel && $avx>3);
31262 -+ mov \$`(1<<31|1<<21|1<<16)`,%rax
31263 -+ shr \$32,%r9
31264 -+ and %rax,%r9
31265 -+ cmp %rax,%r9
31266 -+ je .Linit_base2_44
31267 -+___
31268 -+$code.=<<___;
31269 -+ mov \$0x0ffffffc0fffffff,%rax
31270 -+ mov \$0x0ffffffc0ffffffc,%rcx
31271 -+ and 0($inp),%rax
31272 -+ and 8($inp),%rcx
31273 -+ mov %rax,24($ctx)
31274 -+ mov %rcx,32($ctx)
31275 -+___
31276 -+$code.=<<___ if (!$kernel && $flavour !~ /elf32/);
31277 -+ mov %r10,0(%rdx)
31278 -+ mov %r11,8(%rdx)
31279 -+___
31280 -+$code.=<<___ if (!$kernel && $flavour =~ /elf32/);
31281 -+ mov %r10d,0(%rdx)
31282 -+ mov %r11d,4(%rdx)
31283 -+___
31284 -+$code.=<<___;
31285 -+ mov \$1,%eax
31286 -+.Lno_key:
31287 -+ ret
31288 -+___
31289 -+&end_function("poly1305_init_x86_64");
31290 -+
31291 -+&declare_function("poly1305_blocks_x86_64", 32, 4);
31292 -+$code.=<<___;
31293 -+.cfi_startproc
31294 -+.Lblocks:
31295 -+ shr \$4,$len
31296 -+ jz .Lno_data # too short
31297 -+
31298 -+ push %rbx
31299 -+.cfi_push %rbx
31300 -+ push %r12
31301 -+.cfi_push %r12
31302 -+ push %r13
31303 -+.cfi_push %r13
31304 -+ push %r14
31305 -+.cfi_push %r14
31306 -+ push %r15
31307 -+.cfi_push %r15
31308 -+ push $ctx
31309 -+.cfi_push $ctx
31310 -+.Lblocks_body:
31311 -+
31312 -+ mov $len,%r15 # reassign $len
31313 -+
31314 -+ mov 24($ctx),$r0 # load r
31315 -+ mov 32($ctx),$s1
31316 -+
31317 -+ mov 0($ctx),$h0 # load hash value
31318 -+ mov 8($ctx),$h1
31319 -+ mov 16($ctx),$h2
31320 -+
31321 -+ mov $s1,$r1
31322 -+ shr \$2,$s1
31323 -+ mov $r1,%rax
31324 -+ add $r1,$s1 # s1 = r1 + (r1 >> 2)
31325 -+ jmp .Loop
31326 -+
31327 -+.align 32
31328 -+.Loop:
31329 -+ add 0($inp),$h0 # accumulate input
31330 -+ adc 8($inp),$h1
31331 -+ lea 16($inp),$inp
31332 -+ adc $padbit,$h2
31333 -+___
31334 -+
31335 -+ &poly1305_iteration();
31336 -+
31337 -+$code.=<<___;
31338 -+ mov $r1,%rax
31339 -+ dec %r15 # len-=16
31340 -+ jnz .Loop
31341 -+
31342 -+ mov 0(%rsp),$ctx
31343 -+.cfi_restore $ctx
31344 -+
31345 -+ mov $h0,0($ctx) # store hash value
31346 -+ mov $h1,8($ctx)
31347 -+ mov $h2,16($ctx)
31348 -+
31349 -+ mov 8(%rsp),%r15
31350 -+.cfi_restore %r15
31351 -+ mov 16(%rsp),%r14
31352 -+.cfi_restore %r14
31353 -+ mov 24(%rsp),%r13
31354 -+.cfi_restore %r13
31355 -+ mov 32(%rsp),%r12
31356 -+.cfi_restore %r12
31357 -+ mov 40(%rsp),%rbx
31358 -+.cfi_restore %rbx
31359 -+ lea 48(%rsp),%rsp
31360 -+.cfi_adjust_cfa_offset -48
31361 -+.Lno_data:
31362 -+.Lblocks_epilogue:
31363 -+ ret
31364 -+.cfi_endproc
31365 -+___
31366 -+&end_function("poly1305_blocks_x86_64");
31367 -+
31368 -+&declare_function("poly1305_emit_x86_64", 32, 3);
31369 -+$code.=<<___;
31370 -+.Lemit:
31371 -+ mov 0($ctx),%r8 # load hash value
31372 -+ mov 8($ctx),%r9
31373 -+ mov 16($ctx),%r10
31374 -+
31375 -+ mov %r8,%rax
31376 -+ add \$5,%r8 # compare to modulus
31377 -+ mov %r9,%rcx
31378 -+ adc \$0,%r9
31379 -+ adc \$0,%r10
31380 -+ shr \$2,%r10 # did 130-bit value overflow?
31381 -+ cmovnz %r8,%rax
31382 -+ cmovnz %r9,%rcx
31383 -+
31384 -+ add 0($nonce),%rax # accumulate nonce
31385 -+ adc 8($nonce),%rcx
31386 -+ mov %rax,0($mac) # write result
31387 -+ mov %rcx,8($mac)
31388 -+
31389 -+ ret
31390 -+___
31391 -+&end_function("poly1305_emit_x86_64");
31392 -+if ($avx) {
31393 -+
31394 -+if($kernel) {
31395 -+ $code .= "#ifdef CONFIG_AS_AVX\n";
31396 -+}
31397 -+
31398 -+########################################################################
31399 -+# Layout of opaque area is following.
31400 -+#
31401 -+# unsigned __int32 h[5]; # current hash value base 2^26
31402 -+# unsigned __int32 is_base2_26;
31403 -+# unsigned __int64 r[2]; # key value base 2^64
31404 -+# unsigned __int64 pad;
31405 -+# struct { unsigned __int32 r^2, r^1, r^4, r^3; } r[9];
31406 -+#
31407 -+# where r^n are base 2^26 digits of degrees of multiplier key. There are
31408 -+# 5 digits, but last four are interleaved with multiples of 5, totalling
31409 -+# in 9 elements: r0, r1, 5*r1, r2, 5*r2, r3, 5*r3, r4, 5*r4.
31410 -+
31411 -+my ($H0,$H1,$H2,$H3,$H4, $T0,$T1,$T2,$T3,$T4, $D0,$D1,$D2,$D3,$D4, $MASK) =
31412 -+ map("%xmm$_",(0..15));
31413 -+
31414 -+$code.=<<___;
31415 -+.type __poly1305_block,\@abi-omnipotent
31416 -+.align 32
31417 -+__poly1305_block:
31418 -+ push $ctx
31419 -+___
31420 -+ &poly1305_iteration();
31421 -+$code.=<<___;
31422 -+ pop $ctx
31423 -+ ret
31424 -+.size __poly1305_block,.-__poly1305_block
31425 -+
31426 -+.type __poly1305_init_avx,\@abi-omnipotent
31427 -+.align 32
31428 -+__poly1305_init_avx:
31429 -+ push %rbp
31430 -+ mov %rsp,%rbp
31431 -+ mov $r0,$h0
31432 -+ mov $r1,$h1
31433 -+ xor $h2,$h2
31434 -+
31435 -+ lea 48+64($ctx),$ctx # size optimization
31436 -+
31437 -+ mov $r1,%rax
31438 -+ call __poly1305_block # r^2
31439 -+
31440 -+ mov \$0x3ffffff,%eax # save interleaved r^2 and r base 2^26
31441 -+ mov \$0x3ffffff,%edx
31442 -+ mov $h0,$d1
31443 -+ and $h0#d,%eax
31444 -+ mov $r0,$d2
31445 -+ and $r0#d,%edx
31446 -+ mov %eax,`16*0+0-64`($ctx)
31447 -+ shr \$26,$d1
31448 -+ mov %edx,`16*0+4-64`($ctx)
31449 -+ shr \$26,$d2
31450 -+
31451 -+ mov \$0x3ffffff,%eax
31452 -+ mov \$0x3ffffff,%edx
31453 -+ and $d1#d,%eax
31454 -+ and $d2#d,%edx
31455 -+ mov %eax,`16*1+0-64`($ctx)
31456 -+ lea (%rax,%rax,4),%eax # *5
31457 -+ mov %edx,`16*1+4-64`($ctx)
31458 -+ lea (%rdx,%rdx,4),%edx # *5
31459 -+ mov %eax,`16*2+0-64`($ctx)
31460 -+ shr \$26,$d1
31461 -+ mov %edx,`16*2+4-64`($ctx)
31462 -+ shr \$26,$d2
31463 -+
31464 -+ mov $h1,%rax
31465 -+ mov $r1,%rdx
31466 -+ shl \$12,%rax
31467 -+ shl \$12,%rdx
31468 -+ or $d1,%rax
31469 -+ or $d2,%rdx
31470 -+ and \$0x3ffffff,%eax
31471 -+ and \$0x3ffffff,%edx
31472 -+ mov %eax,`16*3+0-64`($ctx)
31473 -+ lea (%rax,%rax,4),%eax # *5
31474 -+ mov %edx,`16*3+4-64`($ctx)
31475 -+ lea (%rdx,%rdx,4),%edx # *5
31476 -+ mov %eax,`16*4+0-64`($ctx)
31477 -+ mov $h1,$d1
31478 -+ mov %edx,`16*4+4-64`($ctx)
31479 -+ mov $r1,$d2
31480 -+
31481 -+ mov \$0x3ffffff,%eax
31482 -+ mov \$0x3ffffff,%edx
31483 -+ shr \$14,$d1
31484 -+ shr \$14,$d2
31485 -+ and $d1#d,%eax
31486 -+ and $d2#d,%edx
31487 -+ mov %eax,`16*5+0-64`($ctx)
31488 -+ lea (%rax,%rax,4),%eax # *5
31489 -+ mov %edx,`16*5+4-64`($ctx)
31490 -+ lea (%rdx,%rdx,4),%edx # *5
31491 -+ mov %eax,`16*6+0-64`($ctx)
31492 -+ shr \$26,$d1
31493 -+ mov %edx,`16*6+4-64`($ctx)
31494 -+ shr \$26,$d2
31495 -+
31496 -+ mov $h2,%rax
31497 -+ shl \$24,%rax
31498 -+ or %rax,$d1
31499 -+ mov $d1#d,`16*7+0-64`($ctx)
31500 -+ lea ($d1,$d1,4),$d1 # *5
31501 -+ mov $d2#d,`16*7+4-64`($ctx)
31502 -+ lea ($d2,$d2,4),$d2 # *5
31503 -+ mov $d1#d,`16*8+0-64`($ctx)
31504 -+ mov $d2#d,`16*8+4-64`($ctx)
31505 -+
31506 -+ mov $r1,%rax
31507 -+ call __poly1305_block # r^3
31508 -+
31509 -+ mov \$0x3ffffff,%eax # save r^3 base 2^26
31510 -+ mov $h0,$d1
31511 -+ and $h0#d,%eax
31512 -+ shr \$26,$d1
31513 -+ mov %eax,`16*0+12-64`($ctx)
31514 -+
31515 -+ mov \$0x3ffffff,%edx
31516 -+ and $d1#d,%edx
31517 -+ mov %edx,`16*1+12-64`($ctx)
31518 -+ lea (%rdx,%rdx,4),%edx # *5
31519 -+ shr \$26,$d1
31520 -+ mov %edx,`16*2+12-64`($ctx)
31521 -+
31522 -+ mov $h1,%rax
31523 -+ shl \$12,%rax
31524 -+ or $d1,%rax
31525 -+ and \$0x3ffffff,%eax
31526 -+ mov %eax,`16*3+12-64`($ctx)
31527 -+ lea (%rax,%rax,4),%eax # *5
31528 -+ mov $h1,$d1
31529 -+ mov %eax,`16*4+12-64`($ctx)
31530 -+
31531 -+ mov \$0x3ffffff,%edx
31532 -+ shr \$14,$d1
31533 -+ and $d1#d,%edx
31534 -+ mov %edx,`16*5+12-64`($ctx)
31535 -+ lea (%rdx,%rdx,4),%edx # *5
31536 -+ shr \$26,$d1
31537 -+ mov %edx,`16*6+12-64`($ctx)
31538 -+
31539 -+ mov $h2,%rax
31540 -+ shl \$24,%rax
31541 -+ or %rax,$d1
31542 -+ mov $d1#d,`16*7+12-64`($ctx)
31543 -+ lea ($d1,$d1,4),$d1 # *5
31544 -+ mov $d1#d,`16*8+12-64`($ctx)
31545 -+
31546 -+ mov $r1,%rax
31547 -+ call __poly1305_block # r^4
31548 -+
31549 -+ mov \$0x3ffffff,%eax # save r^4 base 2^26
31550 -+ mov $h0,$d1
31551 -+ and $h0#d,%eax
31552 -+ shr \$26,$d1
31553 -+ mov %eax,`16*0+8-64`($ctx)
31554 -+
31555 -+ mov \$0x3ffffff,%edx
31556 -+ and $d1#d,%edx
31557 -+ mov %edx,`16*1+8-64`($ctx)
31558 -+ lea (%rdx,%rdx,4),%edx # *5
31559 -+ shr \$26,$d1
31560 -+ mov %edx,`16*2+8-64`($ctx)
31561 -+
31562 -+ mov $h1,%rax
31563 -+ shl \$12,%rax
31564 -+ or $d1,%rax
31565 -+ and \$0x3ffffff,%eax
31566 -+ mov %eax,`16*3+8-64`($ctx)
31567 -+ lea (%rax,%rax,4),%eax # *5
31568 -+ mov $h1,$d1
31569 -+ mov %eax,`16*4+8-64`($ctx)
31570 -+
31571 -+ mov \$0x3ffffff,%edx
31572 -+ shr \$14,$d1
31573 -+ and $d1#d,%edx
31574 -+ mov %edx,`16*5+8-64`($ctx)
31575 -+ lea (%rdx,%rdx,4),%edx # *5
31576 -+ shr \$26,$d1
31577 -+ mov %edx,`16*6+8-64`($ctx)
31578 -+
31579 -+ mov $h2,%rax
31580 -+ shl \$24,%rax
31581 -+ or %rax,$d1
31582 -+ mov $d1#d,`16*7+8-64`($ctx)
31583 -+ lea ($d1,$d1,4),$d1 # *5
31584 -+ mov $d1#d,`16*8+8-64`($ctx)
31585 -+
31586 -+ lea -48-64($ctx),$ctx # size [de-]optimization
31587 -+ pop %rbp
31588 -+ ret
31589 -+.size __poly1305_init_avx,.-__poly1305_init_avx
31590 -+___
31591 -+
31592 -+&declare_function("poly1305_blocks_avx", 32, 4);
31593 -+$code.=<<___;
31594 -+.cfi_startproc
31595 -+ mov 20($ctx),%r8d # is_base2_26
31596 -+ cmp \$128,$len
31597 -+ jae .Lblocks_avx
31598 -+ test %r8d,%r8d
31599 -+ jz .Lblocks
31600 -+
31601 -+.Lblocks_avx:
31602 -+ and \$-16,$len
31603 -+ jz .Lno_data_avx
31604 -+
31605 -+ vzeroupper
31606 -+
31607 -+ test %r8d,%r8d
31608 -+ jz .Lbase2_64_avx
31609 -+
31610 -+ test \$31,$len
31611 -+ jz .Leven_avx
31612 -+
31613 -+ push %rbp
31614 -+.cfi_push %rbp
31615 -+ mov %rsp,%rbp
31616 -+ push %rbx
31617 -+.cfi_push %rbx
31618 -+ push %r12
31619 -+.cfi_push %r12
31620 -+ push %r13
31621 -+.cfi_push %r13
31622 -+ push %r14
31623 -+.cfi_push %r14
31624 -+ push %r15
31625 -+.cfi_push %r15
31626 -+.Lblocks_avx_body:
31627 -+
31628 -+ mov $len,%r15 # reassign $len
31629 -+
31630 -+ mov 0($ctx),$d1 # load hash value
31631 -+ mov 8($ctx),$d2
31632 -+ mov 16($ctx),$h2#d
31633 -+
31634 -+ mov 24($ctx),$r0 # load r
31635 -+ mov 32($ctx),$s1
31636 -+
31637 -+ ################################# base 2^26 -> base 2^64
31638 -+ mov $d1#d,$h0#d
31639 -+ and \$`-1*(1<<31)`,$d1
31640 -+ mov $d2,$r1 # borrow $r1
31641 -+ mov $d2#d,$h1#d
31642 -+ and \$`-1*(1<<31)`,$d2
31643 -+
31644 -+ shr \$6,$d1
31645 -+ shl \$52,$r1
31646 -+ add $d1,$h0
31647 -+ shr \$12,$h1
31648 -+ shr \$18,$d2
31649 -+ add $r1,$h0
31650 -+ adc $d2,$h1
31651 -+
31652 -+ mov $h2,$d1
31653 -+ shl \$40,$d1
31654 -+ shr \$24,$h2
31655 -+ add $d1,$h1
31656 -+ adc \$0,$h2 # can be partially reduced...
31657 -+
31658 -+ mov \$-4,$d2 # ... so reduce
31659 -+ mov $h2,$d1
31660 -+ and $h2,$d2
31661 -+ shr \$2,$d1
31662 -+ and \$3,$h2
31663 -+ add $d2,$d1 # =*5
31664 -+ add $d1,$h0
31665 -+ adc \$0,$h1
31666 -+ adc \$0,$h2
31667 -+
31668 -+ mov $s1,$r1
31669 -+ mov $s1,%rax
31670 -+ shr \$2,$s1
31671 -+ add $r1,$s1 # s1 = r1 + (r1 >> 2)
31672 -+
31673 -+ add 0($inp),$h0 # accumulate input
31674 -+ adc 8($inp),$h1
31675 -+ lea 16($inp),$inp
31676 -+ adc $padbit,$h2
31677 -+
31678 -+ call __poly1305_block
31679 -+
31680 -+ test $padbit,$padbit # if $padbit is zero,
31681 -+ jz .Lstore_base2_64_avx # store hash in base 2^64 format
31682 -+
31683 -+ ################################# base 2^64 -> base 2^26
31684 -+ mov $h0,%rax
31685 -+ mov $h0,%rdx
31686 -+ shr \$52,$h0
31687 -+ mov $h1,$r0
31688 -+ mov $h1,$r1
31689 -+ shr \$26,%rdx
31690 -+ and \$0x3ffffff,%rax # h[0]
31691 -+ shl \$12,$r0
31692 -+ and \$0x3ffffff,%rdx # h[1]
31693 -+ shr \$14,$h1
31694 -+ or $r0,$h0
31695 -+ shl \$24,$h2
31696 -+ and \$0x3ffffff,$h0 # h[2]
31697 -+ shr \$40,$r1
31698 -+ and \$0x3ffffff,$h1 # h[3]
31699 -+ or $r1,$h2 # h[4]
31700 -+
31701 -+ sub \$16,%r15
31702 -+ jz .Lstore_base2_26_avx
31703 -+
31704 -+ vmovd %rax#d,$H0
31705 -+ vmovd %rdx#d,$H1
31706 -+ vmovd $h0#d,$H2
31707 -+ vmovd $h1#d,$H3
31708 -+ vmovd $h2#d,$H4
31709 -+ jmp .Lproceed_avx
31710 -+
31711 -+.align 32
31712 -+.Lstore_base2_64_avx:
31713 -+ mov $h0,0($ctx)
31714 -+ mov $h1,8($ctx)
31715 -+ mov $h2,16($ctx) # note that is_base2_26 is zeroed
31716 -+ jmp .Ldone_avx
31717 -+
31718 -+.align 16
31719 -+.Lstore_base2_26_avx:
31720 -+ mov %rax#d,0($ctx) # store hash value base 2^26
31721 -+ mov %rdx#d,4($ctx)
31722 -+ mov $h0#d,8($ctx)
31723 -+ mov $h1#d,12($ctx)
31724 -+ mov $h2#d,16($ctx)
31725 -+.align 16
31726 -+.Ldone_avx:
31727 -+ pop %r15
31728 -+.cfi_restore %r15
31729 -+ pop %r14
31730 -+.cfi_restore %r14
31731 -+ pop %r13
31732 -+.cfi_restore %r13
31733 -+ pop %r12
31734 -+.cfi_restore %r12
31735 -+ pop %rbx
31736 -+.cfi_restore %rbx
31737 -+ pop %rbp
31738 -+.cfi_restore %rbp
31739 -+.Lno_data_avx:
31740 -+.Lblocks_avx_epilogue:
31741 -+ ret
31742 -+.cfi_endproc
31743 -+
31744 -+.align 32
31745 -+.Lbase2_64_avx:
31746 -+.cfi_startproc
31747 -+ push %rbp
31748 -+.cfi_push %rbp
31749 -+ mov %rsp,%rbp
31750 -+ push %rbx
31751 -+.cfi_push %rbx
31752 -+ push %r12
31753 -+.cfi_push %r12
31754 -+ push %r13
31755 -+.cfi_push %r13
31756 -+ push %r14
31757 -+.cfi_push %r14
31758 -+ push %r15
31759 -+.cfi_push %r15
31760 -+.Lbase2_64_avx_body:
31761 -+
31762 -+ mov $len,%r15 # reassign $len
31763 -+
31764 -+ mov 24($ctx),$r0 # load r
31765 -+ mov 32($ctx),$s1
31766 -+
31767 -+ mov 0($ctx),$h0 # load hash value
31768 -+ mov 8($ctx),$h1
31769 -+ mov 16($ctx),$h2#d
31770 -+
31771 -+ mov $s1,$r1
31772 -+ mov $s1,%rax
31773 -+ shr \$2,$s1
31774 -+ add $r1,$s1 # s1 = r1 + (r1 >> 2)
31775 -+
31776 -+ test \$31,$len
31777 -+ jz .Linit_avx
31778 -+
31779 -+ add 0($inp),$h0 # accumulate input
31780 -+ adc 8($inp),$h1
31781 -+ lea 16($inp),$inp
31782 -+ adc $padbit,$h2
31783 -+ sub \$16,%r15
31784 -+
31785 -+ call __poly1305_block
31786 -+
31787 -+.Linit_avx:
31788 -+ ################################# base 2^64 -> base 2^26
31789 -+ mov $h0,%rax
31790 -+ mov $h0,%rdx
31791 -+ shr \$52,$h0
31792 -+ mov $h1,$d1
31793 -+ mov $h1,$d2
31794 -+ shr \$26,%rdx
31795 -+ and \$0x3ffffff,%rax # h[0]
31796 -+ shl \$12,$d1
31797 -+ and \$0x3ffffff,%rdx # h[1]
31798 -+ shr \$14,$h1
31799 -+ or $d1,$h0
31800 -+ shl \$24,$h2
31801 -+ and \$0x3ffffff,$h0 # h[2]
31802 -+ shr \$40,$d2
31803 -+ and \$0x3ffffff,$h1 # h[3]
31804 -+ or $d2,$h2 # h[4]
31805 -+
31806 -+ vmovd %rax#d,$H0
31807 -+ vmovd %rdx#d,$H1
31808 -+ vmovd $h0#d,$H2
31809 -+ vmovd $h1#d,$H3
31810 -+ vmovd $h2#d,$H4
31811 -+ movl \$1,20($ctx) # set is_base2_26
31812 -+
31813 -+ call __poly1305_init_avx
31814 -+
31815 -+.Lproceed_avx:
31816 -+ mov %r15,$len
31817 -+ pop %r15
31818 -+.cfi_restore %r15
31819 -+ pop %r14
31820 -+.cfi_restore %r14
31821 -+ pop %r13
31822 -+.cfi_restore %r13
31823 -+ pop %r12
31824 -+.cfi_restore %r12
31825 -+ pop %rbx
31826 -+.cfi_restore %rbx
31827 -+ pop %rbp
31828 -+.cfi_restore %rbp
31829 -+.Lbase2_64_avx_epilogue:
31830 -+ jmp .Ldo_avx
31831 -+.cfi_endproc
31832 -+
31833 -+.align 32
31834 -+.Leven_avx:
31835 -+.cfi_startproc
31836 -+ vmovd 4*0($ctx),$H0 # load hash value
31837 -+ vmovd 4*1($ctx),$H1
31838 -+ vmovd 4*2($ctx),$H2
31839 -+ vmovd 4*3($ctx),$H3
31840 -+ vmovd 4*4($ctx),$H4
31841 -+
31842 -+.Ldo_avx:
31843 -+___
31844 -+$code.=<<___ if (!$win64);
31845 -+ lea 8(%rsp),%r10
31846 -+.cfi_def_cfa_register %r10
31847 -+ and \$-32,%rsp
31848 -+ sub \$-8,%rsp
31849 -+ lea -0x58(%rsp),%r11
31850 -+ sub \$0x178,%rsp
31851 -+___
31852 -+$code.=<<___ if ($win64);
31853 -+ lea -0xf8(%rsp),%r11
31854 -+ sub \$0x218,%rsp
31855 -+ vmovdqa %xmm6,0x50(%r11)
31856 -+ vmovdqa %xmm7,0x60(%r11)
31857 -+ vmovdqa %xmm8,0x70(%r11)
31858 -+ vmovdqa %xmm9,0x80(%r11)
31859 -+ vmovdqa %xmm10,0x90(%r11)
31860 -+ vmovdqa %xmm11,0xa0(%r11)
31861 -+ vmovdqa %xmm12,0xb0(%r11)
31862 -+ vmovdqa %xmm13,0xc0(%r11)
31863 -+ vmovdqa %xmm14,0xd0(%r11)
31864 -+ vmovdqa %xmm15,0xe0(%r11)
31865 -+.Ldo_avx_body:
31866 -+___
31867 -+$code.=<<___;
31868 -+ sub \$64,$len
31869 -+ lea -32($inp),%rax
31870 -+ cmovc %rax,$inp
31871 -+
31872 -+ vmovdqu `16*3`($ctx),$D4 # preload r0^2
31873 -+ lea `16*3+64`($ctx),$ctx # size optimization
31874 -+ lea .Lconst(%rip),%rcx
31875 -+
31876 -+ ################################################################
31877 -+ # load input
31878 -+ vmovdqu 16*2($inp),$T0
31879 -+ vmovdqu 16*3($inp),$T1
31880 -+ vmovdqa 64(%rcx),$MASK # .Lmask26
31881 -+
31882 -+ vpsrldq \$6,$T0,$T2 # splat input
31883 -+ vpsrldq \$6,$T1,$T3
31884 -+ vpunpckhqdq $T1,$T0,$T4 # 4
31885 -+ vpunpcklqdq $T1,$T0,$T0 # 0:1
31886 -+ vpunpcklqdq $T3,$T2,$T3 # 2:3
31887 -+
31888 -+ vpsrlq \$40,$T4,$T4 # 4
31889 -+ vpsrlq \$26,$T0,$T1
31890 -+ vpand $MASK,$T0,$T0 # 0
31891 -+ vpsrlq \$4,$T3,$T2
31892 -+ vpand $MASK,$T1,$T1 # 1
31893 -+ vpsrlq \$30,$T3,$T3
31894 -+ vpand $MASK,$T2,$T2 # 2
31895 -+ vpand $MASK,$T3,$T3 # 3
31896 -+ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
31897 -+
31898 -+ jbe .Lskip_loop_avx
31899 -+
31900 -+ # expand and copy pre-calculated table to stack
31901 -+ vmovdqu `16*1-64`($ctx),$D1
31902 -+ vmovdqu `16*2-64`($ctx),$D2
31903 -+ vpshufd \$0xEE,$D4,$D3 # 34xx -> 3434
31904 -+ vpshufd \$0x44,$D4,$D0 # xx12 -> 1212
31905 -+ vmovdqa $D3,-0x90(%r11)
31906 -+ vmovdqa $D0,0x00(%rsp)
31907 -+ vpshufd \$0xEE,$D1,$D4
31908 -+ vmovdqu `16*3-64`($ctx),$D0
31909 -+ vpshufd \$0x44,$D1,$D1
31910 -+ vmovdqa $D4,-0x80(%r11)
31911 -+ vmovdqa $D1,0x10(%rsp)
31912 -+ vpshufd \$0xEE,$D2,$D3
31913 -+ vmovdqu `16*4-64`($ctx),$D1
31914 -+ vpshufd \$0x44,$D2,$D2
31915 -+ vmovdqa $D3,-0x70(%r11)
31916 -+ vmovdqa $D2,0x20(%rsp)
31917 -+ vpshufd \$0xEE,$D0,$D4
31918 -+ vmovdqu `16*5-64`($ctx),$D2
31919 -+ vpshufd \$0x44,$D0,$D0
31920 -+ vmovdqa $D4,-0x60(%r11)
31921 -+ vmovdqa $D0,0x30(%rsp)
31922 -+ vpshufd \$0xEE,$D1,$D3
31923 -+ vmovdqu `16*6-64`($ctx),$D0
31924 -+ vpshufd \$0x44,$D1,$D1
31925 -+ vmovdqa $D3,-0x50(%r11)
31926 -+ vmovdqa $D1,0x40(%rsp)
31927 -+ vpshufd \$0xEE,$D2,$D4
31928 -+ vmovdqu `16*7-64`($ctx),$D1
31929 -+ vpshufd \$0x44,$D2,$D2
31930 -+ vmovdqa $D4,-0x40(%r11)
31931 -+ vmovdqa $D2,0x50(%rsp)
31932 -+ vpshufd \$0xEE,$D0,$D3
31933 -+ vmovdqu `16*8-64`($ctx),$D2
31934 -+ vpshufd \$0x44,$D0,$D0
31935 -+ vmovdqa $D3,-0x30(%r11)
31936 -+ vmovdqa $D0,0x60(%rsp)
31937 -+ vpshufd \$0xEE,$D1,$D4
31938 -+ vpshufd \$0x44,$D1,$D1
31939 -+ vmovdqa $D4,-0x20(%r11)
31940 -+ vmovdqa $D1,0x70(%rsp)
31941 -+ vpshufd \$0xEE,$D2,$D3
31942 -+ vmovdqa 0x00(%rsp),$D4 # preload r0^2
31943 -+ vpshufd \$0x44,$D2,$D2
31944 -+ vmovdqa $D3,-0x10(%r11)
31945 -+ vmovdqa $D2,0x80(%rsp)
31946 -+
31947 -+ jmp .Loop_avx
31948 -+
31949 -+.align 32
31950 -+.Loop_avx:
31951 -+ ################################################################
31952 -+ # ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
31953 -+ # ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
31954 -+ # \___________________/
31955 -+ # ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
31956 -+ # ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
31957 -+ # \___________________/ \____________________/
31958 -+ #
31959 -+ # Note that we start with inp[2:3]*r^2. This is because it
31960 -+ # doesn't depend on reduction in previous iteration.
31961 -+ ################################################################
31962 -+ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
31963 -+ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
31964 -+ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
31965 -+ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
31966 -+ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
31967 -+ #
31968 -+ # though note that $Tx and $Hx are "reversed" in this section,
31969 -+ # and $D4 is preloaded with r0^2...
31970 -+
31971 -+ vpmuludq $T0,$D4,$D0 # d0 = h0*r0
31972 -+ vpmuludq $T1,$D4,$D1 # d1 = h1*r0
31973 -+ vmovdqa $H2,0x20(%r11) # offload hash
31974 -+ vpmuludq $T2,$D4,$D2 # d3 = h2*r0
31975 -+ vmovdqa 0x10(%rsp),$H2 # r1^2
31976 -+ vpmuludq $T3,$D4,$D3 # d3 = h3*r0
31977 -+ vpmuludq $T4,$D4,$D4 # d4 = h4*r0
31978 -+
31979 -+ vmovdqa $H0,0x00(%r11) #
31980 -+ vpmuludq 0x20(%rsp),$T4,$H0 # h4*s1
31981 -+ vmovdqa $H1,0x10(%r11) #
31982 -+ vpmuludq $T3,$H2,$H1 # h3*r1
31983 -+ vpaddq $H0,$D0,$D0 # d0 += h4*s1
31984 -+ vpaddq $H1,$D4,$D4 # d4 += h3*r1
31985 -+ vmovdqa $H3,0x30(%r11) #
31986 -+ vpmuludq $T2,$H2,$H0 # h2*r1
31987 -+ vpmuludq $T1,$H2,$H1 # h1*r1
31988 -+ vpaddq $H0,$D3,$D3 # d3 += h2*r1
31989 -+ vmovdqa 0x30(%rsp),$H3 # r2^2
31990 -+ vpaddq $H1,$D2,$D2 # d2 += h1*r1
31991 -+ vmovdqa $H4,0x40(%r11) #
31992 -+ vpmuludq $T0,$H2,$H2 # h0*r1
31993 -+ vpmuludq $T2,$H3,$H0 # h2*r2
31994 -+ vpaddq $H2,$D1,$D1 # d1 += h0*r1
31995 -+
31996 -+ vmovdqa 0x40(%rsp),$H4 # s2^2
31997 -+ vpaddq $H0,$D4,$D4 # d4 += h2*r2
31998 -+ vpmuludq $T1,$H3,$H1 # h1*r2
31999 -+ vpmuludq $T0,$H3,$H3 # h0*r2
32000 -+ vpaddq $H1,$D3,$D3 # d3 += h1*r2
32001 -+ vmovdqa 0x50(%rsp),$H2 # r3^2
32002 -+ vpaddq $H3,$D2,$D2 # d2 += h0*r2
32003 -+ vpmuludq $T4,$H4,$H0 # h4*s2
32004 -+ vpmuludq $T3,$H4,$H4 # h3*s2
32005 -+ vpaddq $H0,$D1,$D1 # d1 += h4*s2
32006 -+ vmovdqa 0x60(%rsp),$H3 # s3^2
32007 -+ vpaddq $H4,$D0,$D0 # d0 += h3*s2
32008 -+
32009 -+ vmovdqa 0x80(%rsp),$H4 # s4^2
32010 -+ vpmuludq $T1,$H2,$H1 # h1*r3
32011 -+ vpmuludq $T0,$H2,$H2 # h0*r3
32012 -+ vpaddq $H1,$D4,$D4 # d4 += h1*r3
32013 -+ vpaddq $H2,$D3,$D3 # d3 += h0*r3
32014 -+ vpmuludq $T4,$H3,$H0 # h4*s3
32015 -+ vpmuludq $T3,$H3,$H1 # h3*s3
32016 -+ vpaddq $H0,$D2,$D2 # d2 += h4*s3
32017 -+ vmovdqu 16*0($inp),$H0 # load input
32018 -+ vpaddq $H1,$D1,$D1 # d1 += h3*s3
32019 -+ vpmuludq $T2,$H3,$H3 # h2*s3
32020 -+ vpmuludq $T2,$H4,$T2 # h2*s4
32021 -+ vpaddq $H3,$D0,$D0 # d0 += h2*s3
32022 -+
32023 -+ vmovdqu 16*1($inp),$H1 #
32024 -+ vpaddq $T2,$D1,$D1 # d1 += h2*s4
32025 -+ vpmuludq $T3,$H4,$T3 # h3*s4
32026 -+ vpmuludq $T4,$H4,$T4 # h4*s4
32027 -+ vpsrldq \$6,$H0,$H2 # splat input
32028 -+ vpaddq $T3,$D2,$D2 # d2 += h3*s4
32029 -+ vpaddq $T4,$D3,$D3 # d3 += h4*s4
32030 -+ vpsrldq \$6,$H1,$H3 #
32031 -+ vpmuludq 0x70(%rsp),$T0,$T4 # h0*r4
32032 -+ vpmuludq $T1,$H4,$T0 # h1*s4
32033 -+ vpunpckhqdq $H1,$H0,$H4 # 4
32034 -+ vpaddq $T4,$D4,$D4 # d4 += h0*r4
32035 -+ vmovdqa -0x90(%r11),$T4 # r0^4
32036 -+ vpaddq $T0,$D0,$D0 # d0 += h1*s4
32037 -+
32038 -+ vpunpcklqdq $H1,$H0,$H0 # 0:1
32039 -+ vpunpcklqdq $H3,$H2,$H3 # 2:3
32040 -+
32041 -+ #vpsrlq \$40,$H4,$H4 # 4
32042 -+ vpsrldq \$`40/8`,$H4,$H4 # 4
32043 -+ vpsrlq \$26,$H0,$H1
32044 -+ vpand $MASK,$H0,$H0 # 0
32045 -+ vpsrlq \$4,$H3,$H2
32046 -+ vpand $MASK,$H1,$H1 # 1
32047 -+ vpand 0(%rcx),$H4,$H4 # .Lmask24
32048 -+ vpsrlq \$30,$H3,$H3
32049 -+ vpand $MASK,$H2,$H2 # 2
32050 -+ vpand $MASK,$H3,$H3 # 3
32051 -+ vpor 32(%rcx),$H4,$H4 # padbit, yes, always
32052 -+
32053 -+ vpaddq 0x00(%r11),$H0,$H0 # add hash value
32054 -+ vpaddq 0x10(%r11),$H1,$H1
32055 -+ vpaddq 0x20(%r11),$H2,$H2
32056 -+ vpaddq 0x30(%r11),$H3,$H3
32057 -+ vpaddq 0x40(%r11),$H4,$H4
32058 -+
32059 -+ lea 16*2($inp),%rax
32060 -+ lea 16*4($inp),$inp
32061 -+ sub \$64,$len
32062 -+ cmovc %rax,$inp
32063 -+
32064 -+ ################################################################
32065 -+ # Now we accumulate (inp[0:1]+hash)*r^4
32066 -+ ################################################################
32067 -+ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
32068 -+ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
32069 -+ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32070 -+ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
32071 -+ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
32072 -+
32073 -+ vpmuludq $H0,$T4,$T0 # h0*r0
32074 -+ vpmuludq $H1,$T4,$T1 # h1*r0
32075 -+ vpaddq $T0,$D0,$D0
32076 -+ vpaddq $T1,$D1,$D1
32077 -+ vmovdqa -0x80(%r11),$T2 # r1^4
32078 -+ vpmuludq $H2,$T4,$T0 # h2*r0
32079 -+ vpmuludq $H3,$T4,$T1 # h3*r0
32080 -+ vpaddq $T0,$D2,$D2
32081 -+ vpaddq $T1,$D3,$D3
32082 -+ vpmuludq $H4,$T4,$T4 # h4*r0
32083 -+ vpmuludq -0x70(%r11),$H4,$T0 # h4*s1
32084 -+ vpaddq $T4,$D4,$D4
32085 -+
32086 -+ vpaddq $T0,$D0,$D0 # d0 += h4*s1
32087 -+ vpmuludq $H2,$T2,$T1 # h2*r1
32088 -+ vpmuludq $H3,$T2,$T0 # h3*r1
32089 -+ vpaddq $T1,$D3,$D3 # d3 += h2*r1
32090 -+ vmovdqa -0x60(%r11),$T3 # r2^4
32091 -+ vpaddq $T0,$D4,$D4 # d4 += h3*r1
32092 -+ vpmuludq $H1,$T2,$T1 # h1*r1
32093 -+ vpmuludq $H0,$T2,$T2 # h0*r1
32094 -+ vpaddq $T1,$D2,$D2 # d2 += h1*r1
32095 -+ vpaddq $T2,$D1,$D1 # d1 += h0*r1
32096 -+
32097 -+ vmovdqa -0x50(%r11),$T4 # s2^4
32098 -+ vpmuludq $H2,$T3,$T0 # h2*r2
32099 -+ vpmuludq $H1,$T3,$T1 # h1*r2
32100 -+ vpaddq $T0,$D4,$D4 # d4 += h2*r2
32101 -+ vpaddq $T1,$D3,$D3 # d3 += h1*r2
32102 -+ vmovdqa -0x40(%r11),$T2 # r3^4
32103 -+ vpmuludq $H0,$T3,$T3 # h0*r2
32104 -+ vpmuludq $H4,$T4,$T0 # h4*s2
32105 -+ vpaddq $T3,$D2,$D2 # d2 += h0*r2
32106 -+ vpaddq $T0,$D1,$D1 # d1 += h4*s2
32107 -+ vmovdqa -0x30(%r11),$T3 # s3^4
32108 -+ vpmuludq $H3,$T4,$T4 # h3*s2
32109 -+ vpmuludq $H1,$T2,$T1 # h1*r3
32110 -+ vpaddq $T4,$D0,$D0 # d0 += h3*s2
32111 -+
32112 -+ vmovdqa -0x10(%r11),$T4 # s4^4
32113 -+ vpaddq $T1,$D4,$D4 # d4 += h1*r3
32114 -+ vpmuludq $H0,$T2,$T2 # h0*r3
32115 -+ vpmuludq $H4,$T3,$T0 # h4*s3
32116 -+ vpaddq $T2,$D3,$D3 # d3 += h0*r3
32117 -+ vpaddq $T0,$D2,$D2 # d2 += h4*s3
32118 -+ vmovdqu 16*2($inp),$T0 # load input
32119 -+ vpmuludq $H3,$T3,$T2 # h3*s3
32120 -+ vpmuludq $H2,$T3,$T3 # h2*s3
32121 -+ vpaddq $T2,$D1,$D1 # d1 += h3*s3
32122 -+ vmovdqu 16*3($inp),$T1 #
32123 -+ vpaddq $T3,$D0,$D0 # d0 += h2*s3
32124 -+
32125 -+ vpmuludq $H2,$T4,$H2 # h2*s4
32126 -+ vpmuludq $H3,$T4,$H3 # h3*s4
32127 -+ vpsrldq \$6,$T0,$T2 # splat input
32128 -+ vpaddq $H2,$D1,$D1 # d1 += h2*s4
32129 -+ vpmuludq $H4,$T4,$H4 # h4*s4
32130 -+ vpsrldq \$6,$T1,$T3 #
32131 -+ vpaddq $H3,$D2,$H2 # h2 = d2 + h3*s4
32132 -+ vpaddq $H4,$D3,$H3 # h3 = d3 + h4*s4
32133 -+ vpmuludq -0x20(%r11),$H0,$H4 # h0*r4
32134 -+ vpmuludq $H1,$T4,$H0
32135 -+ vpunpckhqdq $T1,$T0,$T4 # 4
32136 -+ vpaddq $H4,$D4,$H4 # h4 = d4 + h0*r4
32137 -+ vpaddq $H0,$D0,$H0 # h0 = d0 + h1*s4
32138 -+
32139 -+ vpunpcklqdq $T1,$T0,$T0 # 0:1
32140 -+ vpunpcklqdq $T3,$T2,$T3 # 2:3
32141 -+
32142 -+ #vpsrlq \$40,$T4,$T4 # 4
32143 -+ vpsrldq \$`40/8`,$T4,$T4 # 4
32144 -+ vpsrlq \$26,$T0,$T1
32145 -+ vmovdqa 0x00(%rsp),$D4 # preload r0^2
32146 -+ vpand $MASK,$T0,$T0 # 0
32147 -+ vpsrlq \$4,$T3,$T2
32148 -+ vpand $MASK,$T1,$T1 # 1
32149 -+ vpand 0(%rcx),$T4,$T4 # .Lmask24
32150 -+ vpsrlq \$30,$T3,$T3
32151 -+ vpand $MASK,$T2,$T2 # 2
32152 -+ vpand $MASK,$T3,$T3 # 3
32153 -+ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
32154 -+
32155 -+ ################################################################
32156 -+ # lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
32157 -+ # and P. Schwabe
32158 -+
32159 -+ vpsrlq \$26,$H3,$D3
32160 -+ vpand $MASK,$H3,$H3
32161 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
32162 -+
32163 -+ vpsrlq \$26,$H0,$D0
32164 -+ vpand $MASK,$H0,$H0
32165 -+ vpaddq $D0,$D1,$H1 # h0 -> h1
32166 -+
32167 -+ vpsrlq \$26,$H4,$D0
32168 -+ vpand $MASK,$H4,$H4
32169 -+
32170 -+ vpsrlq \$26,$H1,$D1
32171 -+ vpand $MASK,$H1,$H1
32172 -+ vpaddq $D1,$H2,$H2 # h1 -> h2
32173 -+
32174 -+ vpaddq $D0,$H0,$H0
32175 -+ vpsllq \$2,$D0,$D0
32176 -+ vpaddq $D0,$H0,$H0 # h4 -> h0
32177 -+
32178 -+ vpsrlq \$26,$H2,$D2
32179 -+ vpand $MASK,$H2,$H2
32180 -+ vpaddq $D2,$H3,$H3 # h2 -> h3
32181 -+
32182 -+ vpsrlq \$26,$H0,$D0
32183 -+ vpand $MASK,$H0,$H0
32184 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
32185 -+
32186 -+ vpsrlq \$26,$H3,$D3
32187 -+ vpand $MASK,$H3,$H3
32188 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
32189 -+
32190 -+ ja .Loop_avx
32191 -+
32192 -+.Lskip_loop_avx:
32193 -+ ################################################################
32194 -+ # multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
32195 -+
32196 -+ vpshufd \$0x10,$D4,$D4 # r0^n, xx12 -> x1x2
32197 -+ add \$32,$len
32198 -+ jnz .Long_tail_avx
32199 -+
32200 -+ vpaddq $H2,$T2,$T2
32201 -+ vpaddq $H0,$T0,$T0
32202 -+ vpaddq $H1,$T1,$T1
32203 -+ vpaddq $H3,$T3,$T3
32204 -+ vpaddq $H4,$T4,$T4
32205 -+
32206 -+.Long_tail_avx:
32207 -+ vmovdqa $H2,0x20(%r11)
32208 -+ vmovdqa $H0,0x00(%r11)
32209 -+ vmovdqa $H1,0x10(%r11)
32210 -+ vmovdqa $H3,0x30(%r11)
32211 -+ vmovdqa $H4,0x40(%r11)
32212 -+
32213 -+ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
32214 -+ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
32215 -+ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32216 -+ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
32217 -+ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
32218 -+
32219 -+ vpmuludq $T2,$D4,$D2 # d2 = h2*r0
32220 -+ vpmuludq $T0,$D4,$D0 # d0 = h0*r0
32221 -+ vpshufd \$0x10,`16*1-64`($ctx),$H2 # r1^n
32222 -+ vpmuludq $T1,$D4,$D1 # d1 = h1*r0
32223 -+ vpmuludq $T3,$D4,$D3 # d3 = h3*r0
32224 -+ vpmuludq $T4,$D4,$D4 # d4 = h4*r0
32225 -+
32226 -+ vpmuludq $T3,$H2,$H0 # h3*r1
32227 -+ vpaddq $H0,$D4,$D4 # d4 += h3*r1
32228 -+ vpshufd \$0x10,`16*2-64`($ctx),$H3 # s1^n
32229 -+ vpmuludq $T2,$H2,$H1 # h2*r1
32230 -+ vpaddq $H1,$D3,$D3 # d3 += h2*r1
32231 -+ vpshufd \$0x10,`16*3-64`($ctx),$H4 # r2^n
32232 -+ vpmuludq $T1,$H2,$H0 # h1*r1
32233 -+ vpaddq $H0,$D2,$D2 # d2 += h1*r1
32234 -+ vpmuludq $T0,$H2,$H2 # h0*r1
32235 -+ vpaddq $H2,$D1,$D1 # d1 += h0*r1
32236 -+ vpmuludq $T4,$H3,$H3 # h4*s1
32237 -+ vpaddq $H3,$D0,$D0 # d0 += h4*s1
32238 -+
32239 -+ vpshufd \$0x10,`16*4-64`($ctx),$H2 # s2^n
32240 -+ vpmuludq $T2,$H4,$H1 # h2*r2
32241 -+ vpaddq $H1,$D4,$D4 # d4 += h2*r2
32242 -+ vpmuludq $T1,$H4,$H0 # h1*r2
32243 -+ vpaddq $H0,$D3,$D3 # d3 += h1*r2
32244 -+ vpshufd \$0x10,`16*5-64`($ctx),$H3 # r3^n
32245 -+ vpmuludq $T0,$H4,$H4 # h0*r2
32246 -+ vpaddq $H4,$D2,$D2 # d2 += h0*r2
32247 -+ vpmuludq $T4,$H2,$H1 # h4*s2
32248 -+ vpaddq $H1,$D1,$D1 # d1 += h4*s2
32249 -+ vpshufd \$0x10,`16*6-64`($ctx),$H4 # s3^n
32250 -+ vpmuludq $T3,$H2,$H2 # h3*s2
32251 -+ vpaddq $H2,$D0,$D0 # d0 += h3*s2
32252 -+
32253 -+ vpmuludq $T1,$H3,$H0 # h1*r3
32254 -+ vpaddq $H0,$D4,$D4 # d4 += h1*r3
32255 -+ vpmuludq $T0,$H3,$H3 # h0*r3
32256 -+ vpaddq $H3,$D3,$D3 # d3 += h0*r3
32257 -+ vpshufd \$0x10,`16*7-64`($ctx),$H2 # r4^n
32258 -+ vpmuludq $T4,$H4,$H1 # h4*s3
32259 -+ vpaddq $H1,$D2,$D2 # d2 += h4*s3
32260 -+ vpshufd \$0x10,`16*8-64`($ctx),$H3 # s4^n
32261 -+ vpmuludq $T3,$H4,$H0 # h3*s3
32262 -+ vpaddq $H0,$D1,$D1 # d1 += h3*s3
32263 -+ vpmuludq $T2,$H4,$H4 # h2*s3
32264 -+ vpaddq $H4,$D0,$D0 # d0 += h2*s3
32265 -+
32266 -+ vpmuludq $T0,$H2,$H2 # h0*r4
32267 -+ vpaddq $H2,$D4,$D4 # h4 = d4 + h0*r4
32268 -+ vpmuludq $T4,$H3,$H1 # h4*s4
32269 -+ vpaddq $H1,$D3,$D3 # h3 = d3 + h4*s4
32270 -+ vpmuludq $T3,$H3,$H0 # h3*s4
32271 -+ vpaddq $H0,$D2,$D2 # h2 = d2 + h3*s4
32272 -+ vpmuludq $T2,$H3,$H1 # h2*s4
32273 -+ vpaddq $H1,$D1,$D1 # h1 = d1 + h2*s4
32274 -+ vpmuludq $T1,$H3,$H3 # h1*s4
32275 -+ vpaddq $H3,$D0,$D0 # h0 = d0 + h1*s4
32276 -+
32277 -+ jz .Lshort_tail_avx
32278 -+
32279 -+ vmovdqu 16*0($inp),$H0 # load input
32280 -+ vmovdqu 16*1($inp),$H1
32281 -+
32282 -+ vpsrldq \$6,$H0,$H2 # splat input
32283 -+ vpsrldq \$6,$H1,$H3
32284 -+ vpunpckhqdq $H1,$H0,$H4 # 4
32285 -+ vpunpcklqdq $H1,$H0,$H0 # 0:1
32286 -+ vpunpcklqdq $H3,$H2,$H3 # 2:3
32287 -+
32288 -+ vpsrlq \$40,$H4,$H4 # 4
32289 -+ vpsrlq \$26,$H0,$H1
32290 -+ vpand $MASK,$H0,$H0 # 0
32291 -+ vpsrlq \$4,$H3,$H2
32292 -+ vpand $MASK,$H1,$H1 # 1
32293 -+ vpsrlq \$30,$H3,$H3
32294 -+ vpand $MASK,$H2,$H2 # 2
32295 -+ vpand $MASK,$H3,$H3 # 3
32296 -+ vpor 32(%rcx),$H4,$H4 # padbit, yes, always
32297 -+
32298 -+ vpshufd \$0x32,`16*0-64`($ctx),$T4 # r0^n, 34xx -> x3x4
32299 -+ vpaddq 0x00(%r11),$H0,$H0
32300 -+ vpaddq 0x10(%r11),$H1,$H1
32301 -+ vpaddq 0x20(%r11),$H2,$H2
32302 -+ vpaddq 0x30(%r11),$H3,$H3
32303 -+ vpaddq 0x40(%r11),$H4,$H4
32304 -+
32305 -+ ################################################################
32306 -+ # multiply (inp[0:1]+hash) by r^4:r^3 and accumulate
32307 -+
32308 -+ vpmuludq $H0,$T4,$T0 # h0*r0
32309 -+ vpaddq $T0,$D0,$D0 # d0 += h0*r0
32310 -+ vpmuludq $H1,$T4,$T1 # h1*r0
32311 -+ vpaddq $T1,$D1,$D1 # d1 += h1*r0
32312 -+ vpmuludq $H2,$T4,$T0 # h2*r0
32313 -+ vpaddq $T0,$D2,$D2 # d2 += h2*r0
32314 -+ vpshufd \$0x32,`16*1-64`($ctx),$T2 # r1^n
32315 -+ vpmuludq $H3,$T4,$T1 # h3*r0
32316 -+ vpaddq $T1,$D3,$D3 # d3 += h3*r0
32317 -+ vpmuludq $H4,$T4,$T4 # h4*r0
32318 -+ vpaddq $T4,$D4,$D4 # d4 += h4*r0
32319 -+
32320 -+ vpmuludq $H3,$T2,$T0 # h3*r1
32321 -+ vpaddq $T0,$D4,$D4 # d4 += h3*r1
32322 -+ vpshufd \$0x32,`16*2-64`($ctx),$T3 # s1
32323 -+ vpmuludq $H2,$T2,$T1 # h2*r1
32324 -+ vpaddq $T1,$D3,$D3 # d3 += h2*r1
32325 -+ vpshufd \$0x32,`16*3-64`($ctx),$T4 # r2
32326 -+ vpmuludq $H1,$T2,$T0 # h1*r1
32327 -+ vpaddq $T0,$D2,$D2 # d2 += h1*r1
32328 -+ vpmuludq $H0,$T2,$T2 # h0*r1
32329 -+ vpaddq $T2,$D1,$D1 # d1 += h0*r1
32330 -+ vpmuludq $H4,$T3,$T3 # h4*s1
32331 -+ vpaddq $T3,$D0,$D0 # d0 += h4*s1
32332 -+
32333 -+ vpshufd \$0x32,`16*4-64`($ctx),$T2 # s2
32334 -+ vpmuludq $H2,$T4,$T1 # h2*r2
32335 -+ vpaddq $T1,$D4,$D4 # d4 += h2*r2
32336 -+ vpmuludq $H1,$T4,$T0 # h1*r2
32337 -+ vpaddq $T0,$D3,$D3 # d3 += h1*r2
32338 -+ vpshufd \$0x32,`16*5-64`($ctx),$T3 # r3
32339 -+ vpmuludq $H0,$T4,$T4 # h0*r2
32340 -+ vpaddq $T4,$D2,$D2 # d2 += h0*r2
32341 -+ vpmuludq $H4,$T2,$T1 # h4*s2
32342 -+ vpaddq $T1,$D1,$D1 # d1 += h4*s2
32343 -+ vpshufd \$0x32,`16*6-64`($ctx),$T4 # s3
32344 -+ vpmuludq $H3,$T2,$T2 # h3*s2
32345 -+ vpaddq $T2,$D0,$D0 # d0 += h3*s2
32346 -+
32347 -+ vpmuludq $H1,$T3,$T0 # h1*r3
32348 -+ vpaddq $T0,$D4,$D4 # d4 += h1*r3
32349 -+ vpmuludq $H0,$T3,$T3 # h0*r3
32350 -+ vpaddq $T3,$D3,$D3 # d3 += h0*r3
32351 -+ vpshufd \$0x32,`16*7-64`($ctx),$T2 # r4
32352 -+ vpmuludq $H4,$T4,$T1 # h4*s3
32353 -+ vpaddq $T1,$D2,$D2 # d2 += h4*s3
32354 -+ vpshufd \$0x32,`16*8-64`($ctx),$T3 # s4
32355 -+ vpmuludq $H3,$T4,$T0 # h3*s3
32356 -+ vpaddq $T0,$D1,$D1 # d1 += h3*s3
32357 -+ vpmuludq $H2,$T4,$T4 # h2*s3
32358 -+ vpaddq $T4,$D0,$D0 # d0 += h2*s3
32359 -+
32360 -+ vpmuludq $H0,$T2,$T2 # h0*r4
32361 -+ vpaddq $T2,$D4,$D4 # d4 += h0*r4
32362 -+ vpmuludq $H4,$T3,$T1 # h4*s4
32363 -+ vpaddq $T1,$D3,$D3 # d3 += h4*s4
32364 -+ vpmuludq $H3,$T3,$T0 # h3*s4
32365 -+ vpaddq $T0,$D2,$D2 # d2 += h3*s4
32366 -+ vpmuludq $H2,$T3,$T1 # h2*s4
32367 -+ vpaddq $T1,$D1,$D1 # d1 += h2*s4
32368 -+ vpmuludq $H1,$T3,$T3 # h1*s4
32369 -+ vpaddq $T3,$D0,$D0 # d0 += h1*s4
32370 -+
32371 -+.Lshort_tail_avx:
32372 -+ ################################################################
32373 -+ # horizontal addition
32374 -+
32375 -+ vpsrldq \$8,$D4,$T4
32376 -+ vpsrldq \$8,$D3,$T3
32377 -+ vpsrldq \$8,$D1,$T1
32378 -+ vpsrldq \$8,$D0,$T0
32379 -+ vpsrldq \$8,$D2,$T2
32380 -+ vpaddq $T3,$D3,$D3
32381 -+ vpaddq $T4,$D4,$D4
32382 -+ vpaddq $T0,$D0,$D0
32383 -+ vpaddq $T1,$D1,$D1
32384 -+ vpaddq $T2,$D2,$D2
32385 -+
32386 -+ ################################################################
32387 -+ # lazy reduction
32388 -+
32389 -+ vpsrlq \$26,$D3,$H3
32390 -+ vpand $MASK,$D3,$D3
32391 -+ vpaddq $H3,$D4,$D4 # h3 -> h4
32392 -+
32393 -+ vpsrlq \$26,$D0,$H0
32394 -+ vpand $MASK,$D0,$D0
32395 -+ vpaddq $H0,$D1,$D1 # h0 -> h1
32396 -+
32397 -+ vpsrlq \$26,$D4,$H4
32398 -+ vpand $MASK,$D4,$D4
32399 -+
32400 -+ vpsrlq \$26,$D1,$H1
32401 -+ vpand $MASK,$D1,$D1
32402 -+ vpaddq $H1,$D2,$D2 # h1 -> h2
32403 -+
32404 -+ vpaddq $H4,$D0,$D0
32405 -+ vpsllq \$2,$H4,$H4
32406 -+ vpaddq $H4,$D0,$D0 # h4 -> h0
32407 -+
32408 -+ vpsrlq \$26,$D2,$H2
32409 -+ vpand $MASK,$D2,$D2
32410 -+ vpaddq $H2,$D3,$D3 # h2 -> h3
32411 -+
32412 -+ vpsrlq \$26,$D0,$H0
32413 -+ vpand $MASK,$D0,$D0
32414 -+ vpaddq $H0,$D1,$D1 # h0 -> h1
32415 -+
32416 -+ vpsrlq \$26,$D3,$H3
32417 -+ vpand $MASK,$D3,$D3
32418 -+ vpaddq $H3,$D4,$D4 # h3 -> h4
32419 -+
32420 -+ vmovd $D0,`4*0-48-64`($ctx) # save partially reduced
32421 -+ vmovd $D1,`4*1-48-64`($ctx)
32422 -+ vmovd $D2,`4*2-48-64`($ctx)
32423 -+ vmovd $D3,`4*3-48-64`($ctx)
32424 -+ vmovd $D4,`4*4-48-64`($ctx)
32425 -+___
32426 -+$code.=<<___ if ($win64);
32427 -+ vmovdqa 0x50(%r11),%xmm6
32428 -+ vmovdqa 0x60(%r11),%xmm7
32429 -+ vmovdqa 0x70(%r11),%xmm8
32430 -+ vmovdqa 0x80(%r11),%xmm9
32431 -+ vmovdqa 0x90(%r11),%xmm10
32432 -+ vmovdqa 0xa0(%r11),%xmm11
32433 -+ vmovdqa 0xb0(%r11),%xmm12
32434 -+ vmovdqa 0xc0(%r11),%xmm13
32435 -+ vmovdqa 0xd0(%r11),%xmm14
32436 -+ vmovdqa 0xe0(%r11),%xmm15
32437 -+ lea 0xf8(%r11),%rsp
32438 -+.Ldo_avx_epilogue:
32439 -+___
32440 -+$code.=<<___ if (!$win64);
32441 -+ lea -8(%r10),%rsp
32442 -+.cfi_def_cfa_register %rsp
32443 -+___
32444 -+$code.=<<___;
32445 -+ vzeroupper
32446 -+ ret
32447 -+.cfi_endproc
32448 -+___
32449 -+&end_function("poly1305_blocks_avx");
32450 -+
32451 -+&declare_function("poly1305_emit_avx", 32, 3);
32452 -+$code.=<<___;
32453 -+ cmpl \$0,20($ctx) # is_base2_26?
32454 -+ je .Lemit
32455 -+
32456 -+ mov 0($ctx),%eax # load hash value base 2^26
32457 -+ mov 4($ctx),%ecx
32458 -+ mov 8($ctx),%r8d
32459 -+ mov 12($ctx),%r11d
32460 -+ mov 16($ctx),%r10d
32461 -+
32462 -+ shl \$26,%rcx # base 2^26 -> base 2^64
32463 -+ mov %r8,%r9
32464 -+ shl \$52,%r8
32465 -+ add %rcx,%rax
32466 -+ shr \$12,%r9
32467 -+ add %rax,%r8 # h0
32468 -+ adc \$0,%r9
32469 -+
32470 -+ shl \$14,%r11
32471 -+ mov %r10,%rax
32472 -+ shr \$24,%r10
32473 -+ add %r11,%r9
32474 -+ shl \$40,%rax
32475 -+ add %rax,%r9 # h1
32476 -+ adc \$0,%r10 # h2
32477 -+
32478 -+ mov %r10,%rax # could be partially reduced, so reduce
32479 -+ mov %r10,%rcx
32480 -+ and \$3,%r10
32481 -+ shr \$2,%rax
32482 -+ and \$-4,%rcx
32483 -+ add %rcx,%rax
32484 -+ add %rax,%r8
32485 -+ adc \$0,%r9
32486 -+ adc \$0,%r10
32487 -+
32488 -+ mov %r8,%rax
32489 -+ add \$5,%r8 # compare to modulus
32490 -+ mov %r9,%rcx
32491 -+ adc \$0,%r9
32492 -+ adc \$0,%r10
32493 -+ shr \$2,%r10 # did 130-bit value overflow?
32494 -+ cmovnz %r8,%rax
32495 -+ cmovnz %r9,%rcx
32496 -+
32497 -+ add 0($nonce),%rax # accumulate nonce
32498 -+ adc 8($nonce),%rcx
32499 -+ mov %rax,0($mac) # write result
32500 -+ mov %rcx,8($mac)
32501 -+
32502 -+ ret
32503 -+___
32504 -+&end_function("poly1305_emit_avx");
32505 -+
32506 -+if ($kernel) {
32507 -+ $code .= "#endif\n";
32508 -+}
32509 -+
32510 -+if ($avx>1) {
32511 -+
32512 -+if ($kernel) {
32513 -+ $code .= "#ifdef CONFIG_AS_AVX2\n";
32514 -+}
32515 -+
32516 -+my ($H0,$H1,$H2,$H3,$H4, $MASK, $T4,$T0,$T1,$T2,$T3, $D0,$D1,$D2,$D3,$D4) =
32517 -+ map("%ymm$_",(0..15));
32518 -+my $S4=$MASK;
32519 -+
32520 -+sub poly1305_blocks_avxN {
32521 -+ my ($avx512) = @_;
32522 -+ my $suffix = $avx512 ? "_avx512" : "";
32523 -+$code.=<<___;
32524 -+.cfi_startproc
32525 -+ mov 20($ctx),%r8d # is_base2_26
32526 -+ cmp \$128,$len
32527 -+ jae .Lblocks_avx2$suffix
32528 -+ test %r8d,%r8d
32529 -+ jz .Lblocks
32530 -+
32531 -+.Lblocks_avx2$suffix:
32532 -+ and \$-16,$len
32533 -+ jz .Lno_data_avx2$suffix
32534 -+
32535 -+ vzeroupper
32536 -+
32537 -+ test %r8d,%r8d
32538 -+ jz .Lbase2_64_avx2$suffix
32539 -+
32540 -+ test \$63,$len
32541 -+ jz .Leven_avx2$suffix
32542 -+
32543 -+ push %rbp
32544 -+.cfi_push %rbp
32545 -+ mov %rsp,%rbp
32546 -+ push %rbx
32547 -+.cfi_push %rbx
32548 -+ push %r12
32549 -+.cfi_push %r12
32550 -+ push %r13
32551 -+.cfi_push %r13
32552 -+ push %r14
32553 -+.cfi_push %r14
32554 -+ push %r15
32555 -+.cfi_push %r15
32556 -+.Lblocks_avx2_body$suffix:
32557 -+
32558 -+ mov $len,%r15 # reassign $len
32559 -+
32560 -+ mov 0($ctx),$d1 # load hash value
32561 -+ mov 8($ctx),$d2
32562 -+ mov 16($ctx),$h2#d
32563 -+
32564 -+ mov 24($ctx),$r0 # load r
32565 -+ mov 32($ctx),$s1
32566 -+
32567 -+ ################################# base 2^26 -> base 2^64
32568 -+ mov $d1#d,$h0#d
32569 -+ and \$`-1*(1<<31)`,$d1
32570 -+ mov $d2,$r1 # borrow $r1
32571 -+ mov $d2#d,$h1#d
32572 -+ and \$`-1*(1<<31)`,$d2
32573 -+
32574 -+ shr \$6,$d1
32575 -+ shl \$52,$r1
32576 -+ add $d1,$h0
32577 -+ shr \$12,$h1
32578 -+ shr \$18,$d2
32579 -+ add $r1,$h0
32580 -+ adc $d2,$h1
32581 -+
32582 -+ mov $h2,$d1
32583 -+ shl \$40,$d1
32584 -+ shr \$24,$h2
32585 -+ add $d1,$h1
32586 -+ adc \$0,$h2 # can be partially reduced...
32587 -+
32588 -+ mov \$-4,$d2 # ... so reduce
32589 -+ mov $h2,$d1
32590 -+ and $h2,$d2
32591 -+ shr \$2,$d1
32592 -+ and \$3,$h2
32593 -+ add $d2,$d1 # =*5
32594 -+ add $d1,$h0
32595 -+ adc \$0,$h1
32596 -+ adc \$0,$h2
32597 -+
32598 -+ mov $s1,$r1
32599 -+ mov $s1,%rax
32600 -+ shr \$2,$s1
32601 -+ add $r1,$s1 # s1 = r1 + (r1 >> 2)
32602 -+
32603 -+.Lbase2_26_pre_avx2$suffix:
32604 -+ add 0($inp),$h0 # accumulate input
32605 -+ adc 8($inp),$h1
32606 -+ lea 16($inp),$inp
32607 -+ adc $padbit,$h2
32608 -+ sub \$16,%r15
32609 -+
32610 -+ call __poly1305_block
32611 -+ mov $r1,%rax
32612 -+
32613 -+ test \$63,%r15
32614 -+ jnz .Lbase2_26_pre_avx2$suffix
32615 -+
32616 -+ test $padbit,$padbit # if $padbit is zero,
32617 -+ jz .Lstore_base2_64_avx2$suffix # store hash in base 2^64 format
32618 -+
32619 -+ ################################# base 2^64 -> base 2^26
32620 -+ mov $h0,%rax
32621 -+ mov $h0,%rdx
32622 -+ shr \$52,$h0
32623 -+ mov $h1,$r0
32624 -+ mov $h1,$r1
32625 -+ shr \$26,%rdx
32626 -+ and \$0x3ffffff,%rax # h[0]
32627 -+ shl \$12,$r0
32628 -+ and \$0x3ffffff,%rdx # h[1]
32629 -+ shr \$14,$h1
32630 -+ or $r0,$h0
32631 -+ shl \$24,$h2
32632 -+ and \$0x3ffffff,$h0 # h[2]
32633 -+ shr \$40,$r1
32634 -+ and \$0x3ffffff,$h1 # h[3]
32635 -+ or $r1,$h2 # h[4]
32636 -+
32637 -+ test %r15,%r15
32638 -+ jz .Lstore_base2_26_avx2$suffix
32639 -+
32640 -+ vmovd %rax#d,%x#$H0
32641 -+ vmovd %rdx#d,%x#$H1
32642 -+ vmovd $h0#d,%x#$H2
32643 -+ vmovd $h1#d,%x#$H3
32644 -+ vmovd $h2#d,%x#$H4
32645 -+ jmp .Lproceed_avx2$suffix
32646 -+
32647 -+.align 32
32648 -+.Lstore_base2_64_avx2$suffix:
32649 -+ mov $h0,0($ctx)
32650 -+ mov $h1,8($ctx)
32651 -+ mov $h2,16($ctx) # note that is_base2_26 is zeroed
32652 -+ jmp .Ldone_avx2$suffix
32653 -+
32654 -+.align 16
32655 -+.Lstore_base2_26_avx2$suffix:
32656 -+ mov %rax#d,0($ctx) # store hash value base 2^26
32657 -+ mov %rdx#d,4($ctx)
32658 -+ mov $h0#d,8($ctx)
32659 -+ mov $h1#d,12($ctx)
32660 -+ mov $h2#d,16($ctx)
32661 -+.align 16
32662 -+.Ldone_avx2$suffix:
32663 -+ pop %r15
32664 -+.cfi_restore %r15
32665 -+ pop %r14
32666 -+.cfi_restore %r14
32667 -+ pop %r13
32668 -+.cfi_restore %r13
32669 -+ pop %r12
32670 -+.cfi_restore %r12
32671 -+ pop %rbx
32672 -+.cfi_restore %rbx
32673 -+ pop %rbp
32674 -+.cfi_restore %rbp
32675 -+.Lno_data_avx2$suffix:
32676 -+.Lblocks_avx2_epilogue$suffix:
32677 -+ ret
32678 -+.cfi_endproc
32679 -+
32680 -+.align 32
32681 -+.Lbase2_64_avx2$suffix:
32682 -+.cfi_startproc
32683 -+ push %rbp
32684 -+.cfi_push %rbp
32685 -+ mov %rsp,%rbp
32686 -+ push %rbx
32687 -+.cfi_push %rbx
32688 -+ push %r12
32689 -+.cfi_push %r12
32690 -+ push %r13
32691 -+.cfi_push %r13
32692 -+ push %r14
32693 -+.cfi_push %r14
32694 -+ push %r15
32695 -+.cfi_push %r15
32696 -+.Lbase2_64_avx2_body$suffix:
32697 -+
32698 -+ mov $len,%r15 # reassign $len
32699 -+
32700 -+ mov 24($ctx),$r0 # load r
32701 -+ mov 32($ctx),$s1
32702 -+
32703 -+ mov 0($ctx),$h0 # load hash value
32704 -+ mov 8($ctx),$h1
32705 -+ mov 16($ctx),$h2#d
32706 -+
32707 -+ mov $s1,$r1
32708 -+ mov $s1,%rax
32709 -+ shr \$2,$s1
32710 -+ add $r1,$s1 # s1 = r1 + (r1 >> 2)
32711 -+
32712 -+ test \$63,$len
32713 -+ jz .Linit_avx2$suffix
32714 -+
32715 -+.Lbase2_64_pre_avx2$suffix:
32716 -+ add 0($inp),$h0 # accumulate input
32717 -+ adc 8($inp),$h1
32718 -+ lea 16($inp),$inp
32719 -+ adc $padbit,$h2
32720 -+ sub \$16,%r15
32721 -+
32722 -+ call __poly1305_block
32723 -+ mov $r1,%rax
32724 -+
32725 -+ test \$63,%r15
32726 -+ jnz .Lbase2_64_pre_avx2$suffix
32727 -+
32728 -+.Linit_avx2$suffix:
32729 -+ ################################# base 2^64 -> base 2^26
32730 -+ mov $h0,%rax
32731 -+ mov $h0,%rdx
32732 -+ shr \$52,$h0
32733 -+ mov $h1,$d1
32734 -+ mov $h1,$d2
32735 -+ shr \$26,%rdx
32736 -+ and \$0x3ffffff,%rax # h[0]
32737 -+ shl \$12,$d1
32738 -+ and \$0x3ffffff,%rdx # h[1]
32739 -+ shr \$14,$h1
32740 -+ or $d1,$h0
32741 -+ shl \$24,$h2
32742 -+ and \$0x3ffffff,$h0 # h[2]
32743 -+ shr \$40,$d2
32744 -+ and \$0x3ffffff,$h1 # h[3]
32745 -+ or $d2,$h2 # h[4]
32746 -+
32747 -+ vmovd %rax#d,%x#$H0
32748 -+ vmovd %rdx#d,%x#$H1
32749 -+ vmovd $h0#d,%x#$H2
32750 -+ vmovd $h1#d,%x#$H3
32751 -+ vmovd $h2#d,%x#$H4
32752 -+ movl \$1,20($ctx) # set is_base2_26
32753 -+
32754 -+ call __poly1305_init_avx
32755 -+
32756 -+.Lproceed_avx2$suffix:
32757 -+ mov %r15,$len # restore $len
32758 -+___
32759 -+$code.=<<___ if (!$kernel);
32760 -+ mov OPENSSL_ia32cap_P+8(%rip),%r9d
32761 -+ mov \$`(1<<31|1<<30|1<<16)`,%r11d
32762 -+___
32763 -+$code.=<<___;
32764 -+ pop %r15
32765 -+.cfi_restore %r15
32766 -+ pop %r14
32767 -+.cfi_restore %r14
32768 -+ pop %r13
32769 -+.cfi_restore %r13
32770 -+ pop %r12
32771 -+.cfi_restore %r12
32772 -+ pop %rbx
32773 -+.cfi_restore %rbx
32774 -+ pop %rbp
32775 -+.cfi_restore %rbp
32776 -+.Lbase2_64_avx2_epilogue$suffix:
32777 -+ jmp .Ldo_avx2$suffix
32778 -+.cfi_endproc
32779 -+
32780 -+.align 32
32781 -+.Leven_avx2$suffix:
32782 -+.cfi_startproc
32783 -+___
32784 -+$code.=<<___ if (!$kernel);
32785 -+ mov OPENSSL_ia32cap_P+8(%rip),%r9d
32786 -+___
32787 -+$code.=<<___;
32788 -+ vmovd 4*0($ctx),%x#$H0 # load hash value base 2^26
32789 -+ vmovd 4*1($ctx),%x#$H1
32790 -+ vmovd 4*2($ctx),%x#$H2
32791 -+ vmovd 4*3($ctx),%x#$H3
32792 -+ vmovd 4*4($ctx),%x#$H4
32793 -+
32794 -+.Ldo_avx2$suffix:
32795 -+___
32796 -+$code.=<<___ if (!$kernel && $avx>2);
32797 -+ cmp \$512,$len
32798 -+ jb .Lskip_avx512
32799 -+ and %r11d,%r9d
32800 -+ test \$`1<<16`,%r9d # check for AVX512F
32801 -+ jnz .Lblocks_avx512
32802 -+.Lskip_avx512$suffix:
32803 -+___
32804 -+$code.=<<___ if ($avx > 2 && $avx512 && $kernel);
32805 -+ cmp \$512,$len
32806 -+ jae .Lblocks_avx512
32807 -+___
32808 -+$code.=<<___ if (!$win64);
32809 -+ lea 8(%rsp),%r10
32810 -+.cfi_def_cfa_register %r10
32811 -+ sub \$0x128,%rsp
32812 -+___
32813 -+$code.=<<___ if ($win64);
32814 -+ lea 8(%rsp),%r10
32815 -+ sub \$0x1c8,%rsp
32816 -+ vmovdqa %xmm6,-0xb0(%r10)
32817 -+ vmovdqa %xmm7,-0xa0(%r10)
32818 -+ vmovdqa %xmm8,-0x90(%r10)
32819 -+ vmovdqa %xmm9,-0x80(%r10)
32820 -+ vmovdqa %xmm10,-0x70(%r10)
32821 -+ vmovdqa %xmm11,-0x60(%r10)
32822 -+ vmovdqa %xmm12,-0x50(%r10)
32823 -+ vmovdqa %xmm13,-0x40(%r10)
32824 -+ vmovdqa %xmm14,-0x30(%r10)
32825 -+ vmovdqa %xmm15,-0x20(%r10)
32826 -+.Ldo_avx2_body$suffix:
32827 -+___
32828 -+$code.=<<___;
32829 -+ lea .Lconst(%rip),%rcx
32830 -+ lea 48+64($ctx),$ctx # size optimization
32831 -+ vmovdqa 96(%rcx),$T0 # .Lpermd_avx2
32832 -+
32833 -+ # expand and copy pre-calculated table to stack
32834 -+ vmovdqu `16*0-64`($ctx),%x#$T2
32835 -+ and \$-512,%rsp
32836 -+ vmovdqu `16*1-64`($ctx),%x#$T3
32837 -+ vmovdqu `16*2-64`($ctx),%x#$T4
32838 -+ vmovdqu `16*3-64`($ctx),%x#$D0
32839 -+ vmovdqu `16*4-64`($ctx),%x#$D1
32840 -+ vmovdqu `16*5-64`($ctx),%x#$D2
32841 -+ lea 0x90(%rsp),%rax # size optimization
32842 -+ vmovdqu `16*6-64`($ctx),%x#$D3
32843 -+ vpermd $T2,$T0,$T2 # 00003412 -> 14243444
32844 -+ vmovdqu `16*7-64`($ctx),%x#$D4
32845 -+ vpermd $T3,$T0,$T3
32846 -+ vmovdqu `16*8-64`($ctx),%x#$MASK
32847 -+ vpermd $T4,$T0,$T4
32848 -+ vmovdqa $T2,0x00(%rsp)
32849 -+ vpermd $D0,$T0,$D0
32850 -+ vmovdqa $T3,0x20-0x90(%rax)
32851 -+ vpermd $D1,$T0,$D1
32852 -+ vmovdqa $T4,0x40-0x90(%rax)
32853 -+ vpermd $D2,$T0,$D2
32854 -+ vmovdqa $D0,0x60-0x90(%rax)
32855 -+ vpermd $D3,$T0,$D3
32856 -+ vmovdqa $D1,0x80-0x90(%rax)
32857 -+ vpermd $D4,$T0,$D4
32858 -+ vmovdqa $D2,0xa0-0x90(%rax)
32859 -+ vpermd $MASK,$T0,$MASK
32860 -+ vmovdqa $D3,0xc0-0x90(%rax)
32861 -+ vmovdqa $D4,0xe0-0x90(%rax)
32862 -+ vmovdqa $MASK,0x100-0x90(%rax)
32863 -+ vmovdqa 64(%rcx),$MASK # .Lmask26
32864 -+
32865 -+ ################################################################
32866 -+ # load input
32867 -+ vmovdqu 16*0($inp),%x#$T0
32868 -+ vmovdqu 16*1($inp),%x#$T1
32869 -+ vinserti128 \$1,16*2($inp),$T0,$T0
32870 -+ vinserti128 \$1,16*3($inp),$T1,$T1
32871 -+ lea 16*4($inp),$inp
32872 -+
32873 -+ vpsrldq \$6,$T0,$T2 # splat input
32874 -+ vpsrldq \$6,$T1,$T3
32875 -+ vpunpckhqdq $T1,$T0,$T4 # 4
32876 -+ vpunpcklqdq $T3,$T2,$T2 # 2:3
32877 -+ vpunpcklqdq $T1,$T0,$T0 # 0:1
32878 -+
32879 -+ vpsrlq \$30,$T2,$T3
32880 -+ vpsrlq \$4,$T2,$T2
32881 -+ vpsrlq \$26,$T0,$T1
32882 -+ vpsrlq \$40,$T4,$T4 # 4
32883 -+ vpand $MASK,$T2,$T2 # 2
32884 -+ vpand $MASK,$T0,$T0 # 0
32885 -+ vpand $MASK,$T1,$T1 # 1
32886 -+ vpand $MASK,$T3,$T3 # 3
32887 -+ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
32888 -+
32889 -+ vpaddq $H2,$T2,$H2 # accumulate input
32890 -+ sub \$64,$len
32891 -+ jz .Ltail_avx2$suffix
32892 -+ jmp .Loop_avx2$suffix
32893 -+
32894 -+.align 32
32895 -+.Loop_avx2$suffix:
32896 -+ ################################################################
32897 -+ # ((inp[0]*r^4+inp[4])*r^4+inp[ 8])*r^4
32898 -+ # ((inp[1]*r^4+inp[5])*r^4+inp[ 9])*r^3
32899 -+ # ((inp[2]*r^4+inp[6])*r^4+inp[10])*r^2
32900 -+ # ((inp[3]*r^4+inp[7])*r^4+inp[11])*r^1
32901 -+ # \________/\__________/
32902 -+ ################################################################
32903 -+ #vpaddq $H2,$T2,$H2 # accumulate input
32904 -+ vpaddq $H0,$T0,$H0
32905 -+ vmovdqa `32*0`(%rsp),$T0 # r0^4
32906 -+ vpaddq $H1,$T1,$H1
32907 -+ vmovdqa `32*1`(%rsp),$T1 # r1^4
32908 -+ vpaddq $H3,$T3,$H3
32909 -+ vmovdqa `32*3`(%rsp),$T2 # r2^4
32910 -+ vpaddq $H4,$T4,$H4
32911 -+ vmovdqa `32*6-0x90`(%rax),$T3 # s3^4
32912 -+ vmovdqa `32*8-0x90`(%rax),$S4 # s4^4
32913 -+
32914 -+ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
32915 -+ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
32916 -+ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32917 -+ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
32918 -+ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
32919 -+ #
32920 -+ # however, as h2 is "chronologically" first one available pull
32921 -+ # corresponding operations up, so it's
32922 -+ #
32923 -+ # d4 = h2*r2 + h4*r0 + h3*r1 + h1*r3 + h0*r4
32924 -+ # d3 = h2*r1 + h3*r0 + h1*r2 + h0*r3 + h4*5*r4
32925 -+ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32926 -+ # d1 = h2*5*r4 + h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3
32927 -+ # d0 = h2*5*r3 + h0*r0 + h4*5*r1 + h3*5*r2 + h1*5*r4
32928 -+
32929 -+ vpmuludq $H2,$T0,$D2 # d2 = h2*r0
32930 -+ vpmuludq $H2,$T1,$D3 # d3 = h2*r1
32931 -+ vpmuludq $H2,$T2,$D4 # d4 = h2*r2
32932 -+ vpmuludq $H2,$T3,$D0 # d0 = h2*s3
32933 -+ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
32934 -+
32935 -+ vpmuludq $H0,$T1,$T4 # h0*r1
32936 -+ vpmuludq $H1,$T1,$H2 # h1*r1, borrow $H2 as temp
32937 -+ vpaddq $T4,$D1,$D1 # d1 += h0*r1
32938 -+ vpaddq $H2,$D2,$D2 # d2 += h1*r1
32939 -+ vpmuludq $H3,$T1,$T4 # h3*r1
32940 -+ vpmuludq `32*2`(%rsp),$H4,$H2 # h4*s1
32941 -+ vpaddq $T4,$D4,$D4 # d4 += h3*r1
32942 -+ vpaddq $H2,$D0,$D0 # d0 += h4*s1
32943 -+ vmovdqa `32*4-0x90`(%rax),$T1 # s2
32944 -+
32945 -+ vpmuludq $H0,$T0,$T4 # h0*r0
32946 -+ vpmuludq $H1,$T0,$H2 # h1*r0
32947 -+ vpaddq $T4,$D0,$D0 # d0 += h0*r0
32948 -+ vpaddq $H2,$D1,$D1 # d1 += h1*r0
32949 -+ vpmuludq $H3,$T0,$T4 # h3*r0
32950 -+ vpmuludq $H4,$T0,$H2 # h4*r0
32951 -+ vmovdqu 16*0($inp),%x#$T0 # load input
32952 -+ vpaddq $T4,$D3,$D3 # d3 += h3*r0
32953 -+ vpaddq $H2,$D4,$D4 # d4 += h4*r0
32954 -+ vinserti128 \$1,16*2($inp),$T0,$T0
32955 -+
32956 -+ vpmuludq $H3,$T1,$T4 # h3*s2
32957 -+ vpmuludq $H4,$T1,$H2 # h4*s2
32958 -+ vmovdqu 16*1($inp),%x#$T1
32959 -+ vpaddq $T4,$D0,$D0 # d0 += h3*s2
32960 -+ vpaddq $H2,$D1,$D1 # d1 += h4*s2
32961 -+ vmovdqa `32*5-0x90`(%rax),$H2 # r3
32962 -+ vpmuludq $H1,$T2,$T4 # h1*r2
32963 -+ vpmuludq $H0,$T2,$T2 # h0*r2
32964 -+ vpaddq $T4,$D3,$D3 # d3 += h1*r2
32965 -+ vpaddq $T2,$D2,$D2 # d2 += h0*r2
32966 -+ vinserti128 \$1,16*3($inp),$T1,$T1
32967 -+ lea 16*4($inp),$inp
32968 -+
32969 -+ vpmuludq $H1,$H2,$T4 # h1*r3
32970 -+ vpmuludq $H0,$H2,$H2 # h0*r3
32971 -+ vpsrldq \$6,$T0,$T2 # splat input
32972 -+ vpaddq $T4,$D4,$D4 # d4 += h1*r3
32973 -+ vpaddq $H2,$D3,$D3 # d3 += h0*r3
32974 -+ vpmuludq $H3,$T3,$T4 # h3*s3
32975 -+ vpmuludq $H4,$T3,$H2 # h4*s3
32976 -+ vpsrldq \$6,$T1,$T3
32977 -+ vpaddq $T4,$D1,$D1 # d1 += h3*s3
32978 -+ vpaddq $H2,$D2,$D2 # d2 += h4*s3
32979 -+ vpunpckhqdq $T1,$T0,$T4 # 4
32980 -+
32981 -+ vpmuludq $H3,$S4,$H3 # h3*s4
32982 -+ vpmuludq $H4,$S4,$H4 # h4*s4
32983 -+ vpunpcklqdq $T1,$T0,$T0 # 0:1
32984 -+ vpaddq $H3,$D2,$H2 # h2 = d2 + h3*r4
32985 -+ vpaddq $H4,$D3,$H3 # h3 = d3 + h4*r4
32986 -+ vpunpcklqdq $T3,$T2,$T3 # 2:3
32987 -+ vpmuludq `32*7-0x90`(%rax),$H0,$H4 # h0*r4
32988 -+ vpmuludq $H1,$S4,$H0 # h1*s4
32989 -+ vmovdqa 64(%rcx),$MASK # .Lmask26
32990 -+ vpaddq $H4,$D4,$H4 # h4 = d4 + h0*r4
32991 -+ vpaddq $H0,$D0,$H0 # h0 = d0 + h1*s4
32992 -+
32993 -+ ################################################################
32994 -+ # lazy reduction (interleaved with tail of input splat)
32995 -+
32996 -+ vpsrlq \$26,$H3,$D3
32997 -+ vpand $MASK,$H3,$H3
32998 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
32999 -+
33000 -+ vpsrlq \$26,$H0,$D0
33001 -+ vpand $MASK,$H0,$H0
33002 -+ vpaddq $D0,$D1,$H1 # h0 -> h1
33003 -+
33004 -+ vpsrlq \$26,$H4,$D4
33005 -+ vpand $MASK,$H4,$H4
33006 -+
33007 -+ vpsrlq \$4,$T3,$T2
33008 -+
33009 -+ vpsrlq \$26,$H1,$D1
33010 -+ vpand $MASK,$H1,$H1
33011 -+ vpaddq $D1,$H2,$H2 # h1 -> h2
33012 -+
33013 -+ vpaddq $D4,$H0,$H0
33014 -+ vpsllq \$2,$D4,$D4
33015 -+ vpaddq $D4,$H0,$H0 # h4 -> h0
33016 -+
33017 -+ vpand $MASK,$T2,$T2 # 2
33018 -+ vpsrlq \$26,$T0,$T1
33019 -+
33020 -+ vpsrlq \$26,$H2,$D2
33021 -+ vpand $MASK,$H2,$H2
33022 -+ vpaddq $D2,$H3,$H3 # h2 -> h3
33023 -+
33024 -+ vpaddq $T2,$H2,$H2 # modulo-scheduled
33025 -+ vpsrlq \$30,$T3,$T3
33026 -+
33027 -+ vpsrlq \$26,$H0,$D0
33028 -+ vpand $MASK,$H0,$H0
33029 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
33030 -+
33031 -+ vpsrlq \$40,$T4,$T4 # 4
33032 -+
33033 -+ vpsrlq \$26,$H3,$D3
33034 -+ vpand $MASK,$H3,$H3
33035 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
33036 -+
33037 -+ vpand $MASK,$T0,$T0 # 0
33038 -+ vpand $MASK,$T1,$T1 # 1
33039 -+ vpand $MASK,$T3,$T3 # 3
33040 -+ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
33041 -+
33042 -+ sub \$64,$len
33043 -+ jnz .Loop_avx2$suffix
33044 -+
33045 -+ .byte 0x66,0x90
33046 -+.Ltail_avx2$suffix:
33047 -+ ################################################################
33048 -+ # while above multiplications were by r^4 in all lanes, in last
33049 -+ # iteration we multiply least significant lane by r^4 and most
33050 -+ # significant one by r, so copy of above except that references
33051 -+ # to the precomputed table are displaced by 4...
33052 -+
33053 -+ #vpaddq $H2,$T2,$H2 # accumulate input
33054 -+ vpaddq $H0,$T0,$H0
33055 -+ vmovdqu `32*0+4`(%rsp),$T0 # r0^4
33056 -+ vpaddq $H1,$T1,$H1
33057 -+ vmovdqu `32*1+4`(%rsp),$T1 # r1^4
33058 -+ vpaddq $H3,$T3,$H3
33059 -+ vmovdqu `32*3+4`(%rsp),$T2 # r2^4
33060 -+ vpaddq $H4,$T4,$H4
33061 -+ vmovdqu `32*6+4-0x90`(%rax),$T3 # s3^4
33062 -+ vmovdqu `32*8+4-0x90`(%rax),$S4 # s4^4
33063 -+
33064 -+ vpmuludq $H2,$T0,$D2 # d2 = h2*r0
33065 -+ vpmuludq $H2,$T1,$D3 # d3 = h2*r1
33066 -+ vpmuludq $H2,$T2,$D4 # d4 = h2*r2
33067 -+ vpmuludq $H2,$T3,$D0 # d0 = h2*s3
33068 -+ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
33069 -+
33070 -+ vpmuludq $H0,$T1,$T4 # h0*r1
33071 -+ vpmuludq $H1,$T1,$H2 # h1*r1
33072 -+ vpaddq $T4,$D1,$D1 # d1 += h0*r1
33073 -+ vpaddq $H2,$D2,$D2 # d2 += h1*r1
33074 -+ vpmuludq $H3,$T1,$T4 # h3*r1
33075 -+ vpmuludq `32*2+4`(%rsp),$H4,$H2 # h4*s1
33076 -+ vpaddq $T4,$D4,$D4 # d4 += h3*r1
33077 -+ vpaddq $H2,$D0,$D0 # d0 += h4*s1
33078 -+
33079 -+ vpmuludq $H0,$T0,$T4 # h0*r0
33080 -+ vpmuludq $H1,$T0,$H2 # h1*r0
33081 -+ vpaddq $T4,$D0,$D0 # d0 += h0*r0
33082 -+ vmovdqu `32*4+4-0x90`(%rax),$T1 # s2
33083 -+ vpaddq $H2,$D1,$D1 # d1 += h1*r0
33084 -+ vpmuludq $H3,$T0,$T4 # h3*r0
33085 -+ vpmuludq $H4,$T0,$H2 # h4*r0
33086 -+ vpaddq $T4,$D3,$D3 # d3 += h3*r0
33087 -+ vpaddq $H2,$D4,$D4 # d4 += h4*r0
33088 -+
33089 -+ vpmuludq $H3,$T1,$T4 # h3*s2
33090 -+ vpmuludq $H4,$T1,$H2 # h4*s2
33091 -+ vpaddq $T4,$D0,$D0 # d0 += h3*s2
33092 -+ vpaddq $H2,$D1,$D1 # d1 += h4*s2
33093 -+ vmovdqu `32*5+4-0x90`(%rax),$H2 # r3
33094 -+ vpmuludq $H1,$T2,$T4 # h1*r2
33095 -+ vpmuludq $H0,$T2,$T2 # h0*r2
33096 -+ vpaddq $T4,$D3,$D3 # d3 += h1*r2
33097 -+ vpaddq $T2,$D2,$D2 # d2 += h0*r2
33098 -+
33099 -+ vpmuludq $H1,$H2,$T4 # h1*r3
33100 -+ vpmuludq $H0,$H2,$H2 # h0*r3
33101 -+ vpaddq $T4,$D4,$D4 # d4 += h1*r3
33102 -+ vpaddq $H2,$D3,$D3 # d3 += h0*r3
33103 -+ vpmuludq $H3,$T3,$T4 # h3*s3
33104 -+ vpmuludq $H4,$T3,$H2 # h4*s3
33105 -+ vpaddq $T4,$D1,$D1 # d1 += h3*s3
33106 -+ vpaddq $H2,$D2,$D2 # d2 += h4*s3
33107 -+
33108 -+ vpmuludq $H3,$S4,$H3 # h3*s4
33109 -+ vpmuludq $H4,$S4,$H4 # h4*s4
33110 -+ vpaddq $H3,$D2,$H2 # h2 = d2 + h3*r4
33111 -+ vpaddq $H4,$D3,$H3 # h3 = d3 + h4*r4
33112 -+ vpmuludq `32*7+4-0x90`(%rax),$H0,$H4 # h0*r4
33113 -+ vpmuludq $H1,$S4,$H0 # h1*s4
33114 -+ vmovdqa 64(%rcx),$MASK # .Lmask26
33115 -+ vpaddq $H4,$D4,$H4 # h4 = d4 + h0*r4
33116 -+ vpaddq $H0,$D0,$H0 # h0 = d0 + h1*s4
33117 -+
33118 -+ ################################################################
33119 -+ # horizontal addition
33120 -+
33121 -+ vpsrldq \$8,$D1,$T1
33122 -+ vpsrldq \$8,$H2,$T2
33123 -+ vpsrldq \$8,$H3,$T3
33124 -+ vpsrldq \$8,$H4,$T4
33125 -+ vpsrldq \$8,$H0,$T0
33126 -+ vpaddq $T1,$D1,$D1
33127 -+ vpaddq $T2,$H2,$H2
33128 -+ vpaddq $T3,$H3,$H3
33129 -+ vpaddq $T4,$H4,$H4
33130 -+ vpaddq $T0,$H0,$H0
33131 -+
33132 -+ vpermq \$0x2,$H3,$T3
33133 -+ vpermq \$0x2,$H4,$T4
33134 -+ vpermq \$0x2,$H0,$T0
33135 -+ vpermq \$0x2,$D1,$T1
33136 -+ vpermq \$0x2,$H2,$T2
33137 -+ vpaddq $T3,$H3,$H3
33138 -+ vpaddq $T4,$H4,$H4
33139 -+ vpaddq $T0,$H0,$H0
33140 -+ vpaddq $T1,$D1,$D1
33141 -+ vpaddq $T2,$H2,$H2
33142 -+
33143 -+ ################################################################
33144 -+ # lazy reduction
33145 -+
33146 -+ vpsrlq \$26,$H3,$D3
33147 -+ vpand $MASK,$H3,$H3
33148 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
33149 -+
33150 -+ vpsrlq \$26,$H0,$D0
33151 -+ vpand $MASK,$H0,$H0
33152 -+ vpaddq $D0,$D1,$H1 # h0 -> h1
33153 -+
33154 -+ vpsrlq \$26,$H4,$D4
33155 -+ vpand $MASK,$H4,$H4
33156 -+
33157 -+ vpsrlq \$26,$H1,$D1
33158 -+ vpand $MASK,$H1,$H1
33159 -+ vpaddq $D1,$H2,$H2 # h1 -> h2
33160 -+
33161 -+ vpaddq $D4,$H0,$H0
33162 -+ vpsllq \$2,$D4,$D4
33163 -+ vpaddq $D4,$H0,$H0 # h4 -> h0
33164 -+
33165 -+ vpsrlq \$26,$H2,$D2
33166 -+ vpand $MASK,$H2,$H2
33167 -+ vpaddq $D2,$H3,$H3 # h2 -> h3
33168 -+
33169 -+ vpsrlq \$26,$H0,$D0
33170 -+ vpand $MASK,$H0,$H0
33171 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
33172 -+
33173 -+ vpsrlq \$26,$H3,$D3
33174 -+ vpand $MASK,$H3,$H3
33175 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
33176 -+
33177 -+ vmovd %x#$H0,`4*0-48-64`($ctx)# save partially reduced
33178 -+ vmovd %x#$H1,`4*1-48-64`($ctx)
33179 -+ vmovd %x#$H2,`4*2-48-64`($ctx)
33180 -+ vmovd %x#$H3,`4*3-48-64`($ctx)
33181 -+ vmovd %x#$H4,`4*4-48-64`($ctx)
33182 -+___
33183 -+$code.=<<___ if ($win64);
33184 -+ vmovdqa -0xb0(%r10),%xmm6
33185 -+ vmovdqa -0xa0(%r10),%xmm7
33186 -+ vmovdqa -0x90(%r10),%xmm8
33187 -+ vmovdqa -0x80(%r10),%xmm9
33188 -+ vmovdqa -0x70(%r10),%xmm10
33189 -+ vmovdqa -0x60(%r10),%xmm11
33190 -+ vmovdqa -0x50(%r10),%xmm12
33191 -+ vmovdqa -0x40(%r10),%xmm13
33192 -+ vmovdqa -0x30(%r10),%xmm14
33193 -+ vmovdqa -0x20(%r10),%xmm15
33194 -+ lea -8(%r10),%rsp
33195 -+.Ldo_avx2_epilogue$suffix:
33196 -+___
33197 -+$code.=<<___ if (!$win64);
33198 -+ lea -8(%r10),%rsp
33199 -+.cfi_def_cfa_register %rsp
33200 -+___
33201 -+$code.=<<___;
33202 -+ vzeroupper
33203 -+ ret
33204 -+.cfi_endproc
33205 -+___
33206 -+if($avx > 2 && $avx512) {
33207 -+my ($R0,$R1,$R2,$R3,$R4, $S1,$S2,$S3,$S4) = map("%zmm$_",(16..24));
33208 -+my ($M0,$M1,$M2,$M3,$M4) = map("%zmm$_",(25..29));
33209 -+my $PADBIT="%zmm30";
33210 -+
33211 -+map(s/%y/%z/,($T4,$T0,$T1,$T2,$T3)); # switch to %zmm domain
33212 -+map(s/%y/%z/,($D0,$D1,$D2,$D3,$D4));
33213 -+map(s/%y/%z/,($H0,$H1,$H2,$H3,$H4));
33214 -+map(s/%y/%z/,($MASK));
33215 -+
33216 -+$code.=<<___;
33217 -+.cfi_startproc
33218 -+.Lblocks_avx512:
33219 -+ mov \$15,%eax
33220 -+ kmovw %eax,%k2
33221 -+___
33222 -+$code.=<<___ if (!$win64);
33223 -+ lea 8(%rsp),%r10
33224 -+.cfi_def_cfa_register %r10
33225 -+ sub \$0x128,%rsp
33226 -+___
33227 -+$code.=<<___ if ($win64);
33228 -+ lea 8(%rsp),%r10
33229 -+ sub \$0x1c8,%rsp
33230 -+ vmovdqa %xmm6,-0xb0(%r10)
33231 -+ vmovdqa %xmm7,-0xa0(%r10)
33232 -+ vmovdqa %xmm8,-0x90(%r10)
33233 -+ vmovdqa %xmm9,-0x80(%r10)
33234 -+ vmovdqa %xmm10,-0x70(%r10)
33235 -+ vmovdqa %xmm11,-0x60(%r10)
33236 -+ vmovdqa %xmm12,-0x50(%r10)
33237 -+ vmovdqa %xmm13,-0x40(%r10)
33238 -+ vmovdqa %xmm14,-0x30(%r10)
33239 -+ vmovdqa %xmm15,-0x20(%r10)
33240 -+.Ldo_avx512_body:
33241 -+___
33242 -+$code.=<<___;
33243 -+ lea .Lconst(%rip),%rcx
33244 -+ lea 48+64($ctx),$ctx # size optimization
33245 -+ vmovdqa 96(%rcx),%y#$T2 # .Lpermd_avx2
33246 -+
33247 -+ # expand pre-calculated table
33248 -+ vmovdqu `16*0-64`($ctx),%x#$D0 # will become expanded ${R0}
33249 -+ and \$-512,%rsp
33250 -+ vmovdqu `16*1-64`($ctx),%x#$D1 # will become ... ${R1}
33251 -+ mov \$0x20,%rax
33252 -+ vmovdqu `16*2-64`($ctx),%x#$T0 # ... ${S1}
33253 -+ vmovdqu `16*3-64`($ctx),%x#$D2 # ... ${R2}
33254 -+ vmovdqu `16*4-64`($ctx),%x#$T1 # ... ${S2}
33255 -+ vmovdqu `16*5-64`($ctx),%x#$D3 # ... ${R3}
33256 -+ vmovdqu `16*6-64`($ctx),%x#$T3 # ... ${S3}
33257 -+ vmovdqu `16*7-64`($ctx),%x#$D4 # ... ${R4}
33258 -+ vmovdqu `16*8-64`($ctx),%x#$T4 # ... ${S4}
33259 -+ vpermd $D0,$T2,$R0 # 00003412 -> 14243444
33260 -+ vpbroadcastq 64(%rcx),$MASK # .Lmask26
33261 -+ vpermd $D1,$T2,$R1
33262 -+ vpermd $T0,$T2,$S1
33263 -+ vpermd $D2,$T2,$R2
33264 -+ vmovdqa64 $R0,0x00(%rsp){%k2} # save in case $len%128 != 0
33265 -+ vpsrlq \$32,$R0,$T0 # 14243444 -> 01020304
33266 -+ vpermd $T1,$T2,$S2
33267 -+ vmovdqu64 $R1,0x00(%rsp,%rax){%k2}
33268 -+ vpsrlq \$32,$R1,$T1
33269 -+ vpermd $D3,$T2,$R3
33270 -+ vmovdqa64 $S1,0x40(%rsp){%k2}
33271 -+ vpermd $T3,$T2,$S3
33272 -+ vpermd $D4,$T2,$R4
33273 -+ vmovdqu64 $R2,0x40(%rsp,%rax){%k2}
33274 -+ vpermd $T4,$T2,$S4
33275 -+ vmovdqa64 $S2,0x80(%rsp){%k2}
33276 -+ vmovdqu64 $R3,0x80(%rsp,%rax){%k2}
33277 -+ vmovdqa64 $S3,0xc0(%rsp){%k2}
33278 -+ vmovdqu64 $R4,0xc0(%rsp,%rax){%k2}
33279 -+ vmovdqa64 $S4,0x100(%rsp){%k2}
33280 -+
33281 -+ ################################################################
33282 -+ # calculate 5th through 8th powers of the key
33283 -+ #
33284 -+ # d0 = r0'*r0 + r1'*5*r4 + r2'*5*r3 + r3'*5*r2 + r4'*5*r1
33285 -+ # d1 = r0'*r1 + r1'*r0 + r2'*5*r4 + r3'*5*r3 + r4'*5*r2
33286 -+ # d2 = r0'*r2 + r1'*r1 + r2'*r0 + r3'*5*r4 + r4'*5*r3
33287 -+ # d3 = r0'*r3 + r1'*r2 + r2'*r1 + r3'*r0 + r4'*5*r4
33288 -+ # d4 = r0'*r4 + r1'*r3 + r2'*r2 + r3'*r1 + r4'*r0
33289 -+
33290 -+ vpmuludq $T0,$R0,$D0 # d0 = r0'*r0
33291 -+ vpmuludq $T0,$R1,$D1 # d1 = r0'*r1
33292 -+ vpmuludq $T0,$R2,$D2 # d2 = r0'*r2
33293 -+ vpmuludq $T0,$R3,$D3 # d3 = r0'*r3
33294 -+ vpmuludq $T0,$R4,$D4 # d4 = r0'*r4
33295 -+ vpsrlq \$32,$R2,$T2
33296 -+
33297 -+ vpmuludq $T1,$S4,$M0
33298 -+ vpmuludq $T1,$R0,$M1
33299 -+ vpmuludq $T1,$R1,$M2
33300 -+ vpmuludq $T1,$R2,$M3
33301 -+ vpmuludq $T1,$R3,$M4
33302 -+ vpsrlq \$32,$R3,$T3
33303 -+ vpaddq $M0,$D0,$D0 # d0 += r1'*5*r4
33304 -+ vpaddq $M1,$D1,$D1 # d1 += r1'*r0
33305 -+ vpaddq $M2,$D2,$D2 # d2 += r1'*r1
33306 -+ vpaddq $M3,$D3,$D3 # d3 += r1'*r2
33307 -+ vpaddq $M4,$D4,$D4 # d4 += r1'*r3
33308 -+
33309 -+ vpmuludq $T2,$S3,$M0
33310 -+ vpmuludq $T2,$S4,$M1
33311 -+ vpmuludq $T2,$R1,$M3
33312 -+ vpmuludq $T2,$R2,$M4
33313 -+ vpmuludq $T2,$R0,$M2
33314 -+ vpsrlq \$32,$R4,$T4
33315 -+ vpaddq $M0,$D0,$D0 # d0 += r2'*5*r3
33316 -+ vpaddq $M1,$D1,$D1 # d1 += r2'*5*r4
33317 -+ vpaddq $M3,$D3,$D3 # d3 += r2'*r1
33318 -+ vpaddq $M4,$D4,$D4 # d4 += r2'*r2
33319 -+ vpaddq $M2,$D2,$D2 # d2 += r2'*r0
33320 -+
33321 -+ vpmuludq $T3,$S2,$M0
33322 -+ vpmuludq $T3,$R0,$M3
33323 -+ vpmuludq $T3,$R1,$M4
33324 -+ vpmuludq $T3,$S3,$M1
33325 -+ vpmuludq $T3,$S4,$M2
33326 -+ vpaddq $M0,$D0,$D0 # d0 += r3'*5*r2
33327 -+ vpaddq $M3,$D3,$D3 # d3 += r3'*r0
33328 -+ vpaddq $M4,$D4,$D4 # d4 += r3'*r1
33329 -+ vpaddq $M1,$D1,$D1 # d1 += r3'*5*r3
33330 -+ vpaddq $M2,$D2,$D2 # d2 += r3'*5*r4
33331 -+
33332 -+ vpmuludq $T4,$S4,$M3
33333 -+ vpmuludq $T4,$R0,$M4
33334 -+ vpmuludq $T4,$S1,$M0
33335 -+ vpmuludq $T4,$S2,$M1
33336 -+ vpmuludq $T4,$S3,$M2
33337 -+ vpaddq $M3,$D3,$D3 # d3 += r2'*5*r4
33338 -+ vpaddq $M4,$D4,$D4 # d4 += r2'*r0
33339 -+ vpaddq $M0,$D0,$D0 # d0 += r2'*5*r1
33340 -+ vpaddq $M1,$D1,$D1 # d1 += r2'*5*r2
33341 -+ vpaddq $M2,$D2,$D2 # d2 += r2'*5*r3
33342 -+
33343 -+ ################################################################
33344 -+ # load input
33345 -+ vmovdqu64 16*0($inp),%z#$T3
33346 -+ vmovdqu64 16*4($inp),%z#$T4
33347 -+ lea 16*8($inp),$inp
33348 -+
33349 -+ ################################################################
33350 -+ # lazy reduction
33351 -+
33352 -+ vpsrlq \$26,$D3,$M3
33353 -+ vpandq $MASK,$D3,$D3
33354 -+ vpaddq $M3,$D4,$D4 # d3 -> d4
33355 -+
33356 -+ vpsrlq \$26,$D0,$M0
33357 -+ vpandq $MASK,$D0,$D0
33358 -+ vpaddq $M0,$D1,$D1 # d0 -> d1
33359 -+
33360 -+ vpsrlq \$26,$D4,$M4
33361 -+ vpandq $MASK,$D4,$D4
33362 -+
33363 -+ vpsrlq \$26,$D1,$M1
33364 -+ vpandq $MASK,$D1,$D1
33365 -+ vpaddq $M1,$D2,$D2 # d1 -> d2
33366 -+
33367 -+ vpaddq $M4,$D0,$D0
33368 -+ vpsllq \$2,$M4,$M4
33369 -+ vpaddq $M4,$D0,$D0 # d4 -> d0
33370 -+
33371 -+ vpsrlq \$26,$D2,$M2
33372 -+ vpandq $MASK,$D2,$D2
33373 -+ vpaddq $M2,$D3,$D3 # d2 -> d3
33374 -+
33375 -+ vpsrlq \$26,$D0,$M0
33376 -+ vpandq $MASK,$D0,$D0
33377 -+ vpaddq $M0,$D1,$D1 # d0 -> d1
33378 -+
33379 -+ vpsrlq \$26,$D3,$M3
33380 -+ vpandq $MASK,$D3,$D3
33381 -+ vpaddq $M3,$D4,$D4 # d3 -> d4
33382 -+
33383 -+ ################################################################
33384 -+ # at this point we have 14243444 in $R0-$S4 and 05060708 in
33385 -+ # $D0-$D4, ...
33386 -+
33387 -+ vpunpcklqdq $T4,$T3,$T0 # transpose input
33388 -+ vpunpckhqdq $T4,$T3,$T4
33389 -+
33390 -+ # ... since input 64-bit lanes are ordered as 73625140, we could
33391 -+ # "vperm" it to 76543210 (here and in each loop iteration), *or*
33392 -+ # we could just flow along, hence the goal for $R0-$S4 is
33393 -+ # 1858286838784888 ...
33394 -+
33395 -+ vmovdqa32 128(%rcx),$M0 # .Lpermd_avx512:
33396 -+ mov \$0x7777,%eax
33397 -+ kmovw %eax,%k1
33398 -+
33399 -+ vpermd $R0,$M0,$R0 # 14243444 -> 1---2---3---4---
33400 -+ vpermd $R1,$M0,$R1
33401 -+ vpermd $R2,$M0,$R2
33402 -+ vpermd $R3,$M0,$R3
33403 -+ vpermd $R4,$M0,$R4
33404 -+
33405 -+ vpermd $D0,$M0,${R0}{%k1} # 05060708 -> 1858286838784888
33406 -+ vpermd $D1,$M0,${R1}{%k1}
33407 -+ vpermd $D2,$M0,${R2}{%k1}
33408 -+ vpermd $D3,$M0,${R3}{%k1}
33409 -+ vpermd $D4,$M0,${R4}{%k1}
33410 -+
33411 -+ vpslld \$2,$R1,$S1 # *5
33412 -+ vpslld \$2,$R2,$S2
33413 -+ vpslld \$2,$R3,$S3
33414 -+ vpslld \$2,$R4,$S4
33415 -+ vpaddd $R1,$S1,$S1
33416 -+ vpaddd $R2,$S2,$S2
33417 -+ vpaddd $R3,$S3,$S3
33418 -+ vpaddd $R4,$S4,$S4
33419 -+
33420 -+ vpbroadcastq 32(%rcx),$PADBIT # .L129
33421 -+
33422 -+ vpsrlq \$52,$T0,$T2 # splat input
33423 -+ vpsllq \$12,$T4,$T3
33424 -+ vporq $T3,$T2,$T2
33425 -+ vpsrlq \$26,$T0,$T1
33426 -+ vpsrlq \$14,$T4,$T3
33427 -+ vpsrlq \$40,$T4,$T4 # 4
33428 -+ vpandq $MASK,$T2,$T2 # 2
33429 -+ vpandq $MASK,$T0,$T0 # 0
33430 -+ #vpandq $MASK,$T1,$T1 # 1
33431 -+ #vpandq $MASK,$T3,$T3 # 3
33432 -+ #vporq $PADBIT,$T4,$T4 # padbit, yes, always
33433 -+
33434 -+ vpaddq $H2,$T2,$H2 # accumulate input
33435 -+ sub \$192,$len
33436 -+ jbe .Ltail_avx512
33437 -+ jmp .Loop_avx512
33438 -+
33439 -+.align 32
33440 -+.Loop_avx512:
33441 -+ ################################################################
33442 -+ # ((inp[0]*r^8+inp[ 8])*r^8+inp[16])*r^8
33443 -+ # ((inp[1]*r^8+inp[ 9])*r^8+inp[17])*r^7
33444 -+ # ((inp[2]*r^8+inp[10])*r^8+inp[18])*r^6
33445 -+ # ((inp[3]*r^8+inp[11])*r^8+inp[19])*r^5
33446 -+ # ((inp[4]*r^8+inp[12])*r^8+inp[20])*r^4
33447 -+ # ((inp[5]*r^8+inp[13])*r^8+inp[21])*r^3
33448 -+ # ((inp[6]*r^8+inp[14])*r^8+inp[22])*r^2
33449 -+ # ((inp[7]*r^8+inp[15])*r^8+inp[23])*r^1
33450 -+ # \________/\___________/
33451 -+ ################################################################
33452 -+ #vpaddq $H2,$T2,$H2 # accumulate input
33453 -+
33454 -+ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
33455 -+ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
33456 -+ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
33457 -+ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
33458 -+ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
33459 -+ #
33460 -+ # however, as h2 is "chronologically" first one available pull
33461 -+ # corresponding operations up, so it's
33462 -+ #
33463 -+ # d3 = h2*r1 + h0*r3 + h1*r2 + h3*r0 + h4*5*r4
33464 -+ # d4 = h2*r2 + h0*r4 + h1*r3 + h3*r1 + h4*r0
33465 -+ # d0 = h2*5*r3 + h0*r0 + h1*5*r4 + h3*5*r2 + h4*5*r1
33466 -+ # d1 = h2*5*r4 + h0*r1 + h1*r0 + h3*5*r3 + h4*5*r2
33467 -+ # d2 = h2*r0 + h0*r2 + h1*r1 + h3*5*r4 + h4*5*r3
33468 -+
33469 -+ vpmuludq $H2,$R1,$D3 # d3 = h2*r1
33470 -+ vpaddq $H0,$T0,$H0
33471 -+ vpmuludq $H2,$R2,$D4 # d4 = h2*r2
33472 -+ vpandq $MASK,$T1,$T1 # 1
33473 -+ vpmuludq $H2,$S3,$D0 # d0 = h2*s3
33474 -+ vpandq $MASK,$T3,$T3 # 3
33475 -+ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
33476 -+ vporq $PADBIT,$T4,$T4 # padbit, yes, always
33477 -+ vpmuludq $H2,$R0,$D2 # d2 = h2*r0
33478 -+ vpaddq $H1,$T1,$H1 # accumulate input
33479 -+ vpaddq $H3,$T3,$H3
33480 -+ vpaddq $H4,$T4,$H4
33481 -+
33482 -+ vmovdqu64 16*0($inp),$T3 # load input
33483 -+ vmovdqu64 16*4($inp),$T4
33484 -+ lea 16*8($inp),$inp
33485 -+ vpmuludq $H0,$R3,$M3
33486 -+ vpmuludq $H0,$R4,$M4
33487 -+ vpmuludq $H0,$R0,$M0
33488 -+ vpmuludq $H0,$R1,$M1
33489 -+ vpaddq $M3,$D3,$D3 # d3 += h0*r3
33490 -+ vpaddq $M4,$D4,$D4 # d4 += h0*r4
33491 -+ vpaddq $M0,$D0,$D0 # d0 += h0*r0
33492 -+ vpaddq $M1,$D1,$D1 # d1 += h0*r1
33493 -+
33494 -+ vpmuludq $H1,$R2,$M3
33495 -+ vpmuludq $H1,$R3,$M4
33496 -+ vpmuludq $H1,$S4,$M0
33497 -+ vpmuludq $H0,$R2,$M2
33498 -+ vpaddq $M3,$D3,$D3 # d3 += h1*r2
33499 -+ vpaddq $M4,$D4,$D4 # d4 += h1*r3
33500 -+ vpaddq $M0,$D0,$D0 # d0 += h1*s4
33501 -+ vpaddq $M2,$D2,$D2 # d2 += h0*r2
33502 -+
33503 -+ vpunpcklqdq $T4,$T3,$T0 # transpose input
33504 -+ vpunpckhqdq $T4,$T3,$T4
33505 -+
33506 -+ vpmuludq $H3,$R0,$M3
33507 -+ vpmuludq $H3,$R1,$M4
33508 -+ vpmuludq $H1,$R0,$M1
33509 -+ vpmuludq $H1,$R1,$M2
33510 -+ vpaddq $M3,$D3,$D3 # d3 += h3*r0
33511 -+ vpaddq $M4,$D4,$D4 # d4 += h3*r1
33512 -+ vpaddq $M1,$D1,$D1 # d1 += h1*r0
33513 -+ vpaddq $M2,$D2,$D2 # d2 += h1*r1
33514 -+
33515 -+ vpmuludq $H4,$S4,$M3
33516 -+ vpmuludq $H4,$R0,$M4
33517 -+ vpmuludq $H3,$S2,$M0
33518 -+ vpmuludq $H3,$S3,$M1
33519 -+ vpaddq $M3,$D3,$D3 # d3 += h4*s4
33520 -+ vpmuludq $H3,$S4,$M2
33521 -+ vpaddq $M4,$D4,$D4 # d4 += h4*r0
33522 -+ vpaddq $M0,$D0,$D0 # d0 += h3*s2
33523 -+ vpaddq $M1,$D1,$D1 # d1 += h3*s3
33524 -+ vpaddq $M2,$D2,$D2 # d2 += h3*s4
33525 -+
33526 -+ vpmuludq $H4,$S1,$M0
33527 -+ vpmuludq $H4,$S2,$M1
33528 -+ vpmuludq $H4,$S3,$M2
33529 -+ vpaddq $M0,$D0,$H0 # h0 = d0 + h4*s1
33530 -+ vpaddq $M1,$D1,$H1 # h1 = d2 + h4*s2
33531 -+ vpaddq $M2,$D2,$H2 # h2 = d3 + h4*s3
33532 -+
33533 -+ ################################################################
33534 -+ # lazy reduction (interleaved with input splat)
33535 -+
33536 -+ vpsrlq \$52,$T0,$T2 # splat input
33537 -+ vpsllq \$12,$T4,$T3
33538 -+
33539 -+ vpsrlq \$26,$D3,$H3
33540 -+ vpandq $MASK,$D3,$D3
33541 -+ vpaddq $H3,$D4,$H4 # h3 -> h4
33542 -+
33543 -+ vporq $T3,$T2,$T2
33544 -+
33545 -+ vpsrlq \$26,$H0,$D0
33546 -+ vpandq $MASK,$H0,$H0
33547 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
33548 -+
33549 -+ vpandq $MASK,$T2,$T2 # 2
33550 -+
33551 -+ vpsrlq \$26,$H4,$D4
33552 -+ vpandq $MASK,$H4,$H4
33553 -+
33554 -+ vpsrlq \$26,$H1,$D1
33555 -+ vpandq $MASK,$H1,$H1
33556 -+ vpaddq $D1,$H2,$H2 # h1 -> h2
33557 -+
33558 -+ vpaddq $D4,$H0,$H0
33559 -+ vpsllq \$2,$D4,$D4
33560 -+ vpaddq $D4,$H0,$H0 # h4 -> h0
33561 -+
33562 -+ vpaddq $T2,$H2,$H2 # modulo-scheduled
33563 -+ vpsrlq \$26,$T0,$T1
33564 -+
33565 -+ vpsrlq \$26,$H2,$D2
33566 -+ vpandq $MASK,$H2,$H2
33567 -+ vpaddq $D2,$D3,$H3 # h2 -> h3
33568 -+
33569 -+ vpsrlq \$14,$T4,$T3
33570 -+
33571 -+ vpsrlq \$26,$H0,$D0
33572 -+ vpandq $MASK,$H0,$H0
33573 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
33574 -+
33575 -+ vpsrlq \$40,$T4,$T4 # 4
33576 -+
33577 -+ vpsrlq \$26,$H3,$D3
33578 -+ vpandq $MASK,$H3,$H3
33579 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
33580 -+
33581 -+ vpandq $MASK,$T0,$T0 # 0
33582 -+ #vpandq $MASK,$T1,$T1 # 1
33583 -+ #vpandq $MASK,$T3,$T3 # 3
33584 -+ #vporq $PADBIT,$T4,$T4 # padbit, yes, always
33585 -+
33586 -+ sub \$128,$len
33587 -+ ja .Loop_avx512
33588 -+
33589 -+.Ltail_avx512:
33590 -+ ################################################################
33591 -+ # while above multiplications were by r^8 in all lanes, in last
33592 -+ # iteration we multiply least significant lane by r^8 and most
33593 -+ # significant one by r, that's why table gets shifted...
33594 -+
33595 -+ vpsrlq \$32,$R0,$R0 # 0105020603070408
33596 -+ vpsrlq \$32,$R1,$R1
33597 -+ vpsrlq \$32,$R2,$R2
33598 -+ vpsrlq \$32,$S3,$S3
33599 -+ vpsrlq \$32,$S4,$S4
33600 -+ vpsrlq \$32,$R3,$R3
33601 -+ vpsrlq \$32,$R4,$R4
33602 -+ vpsrlq \$32,$S1,$S1
33603 -+ vpsrlq \$32,$S2,$S2
33604 -+
33605 -+ ################################################################
33606 -+ # load either next or last 64 byte of input
33607 -+ lea ($inp,$len),$inp
33608 -+
33609 -+ #vpaddq $H2,$T2,$H2 # accumulate input
33610 -+ vpaddq $H0,$T0,$H0
33611 -+
33612 -+ vpmuludq $H2,$R1,$D3 # d3 = h2*r1
33613 -+ vpmuludq $H2,$R2,$D4 # d4 = h2*r2
33614 -+ vpmuludq $H2,$S3,$D0 # d0 = h2*s3
33615 -+ vpandq $MASK,$T1,$T1 # 1
33616 -+ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
33617 -+ vpandq $MASK,$T3,$T3 # 3
33618 -+ vpmuludq $H2,$R0,$D2 # d2 = h2*r0
33619 -+ vporq $PADBIT,$T4,$T4 # padbit, yes, always
33620 -+ vpaddq $H1,$T1,$H1 # accumulate input
33621 -+ vpaddq $H3,$T3,$H3
33622 -+ vpaddq $H4,$T4,$H4
33623 -+
33624 -+ vmovdqu 16*0($inp),%x#$T0
33625 -+ vpmuludq $H0,$R3,$M3
33626 -+ vpmuludq $H0,$R4,$M4
33627 -+ vpmuludq $H0,$R0,$M0
33628 -+ vpmuludq $H0,$R1,$M1
33629 -+ vpaddq $M3,$D3,$D3 # d3 += h0*r3
33630 -+ vpaddq $M4,$D4,$D4 # d4 += h0*r4
33631 -+ vpaddq $M0,$D0,$D0 # d0 += h0*r0
33632 -+ vpaddq $M1,$D1,$D1 # d1 += h0*r1
33633 -+
33634 -+ vmovdqu 16*1($inp),%x#$T1
33635 -+ vpmuludq $H1,$R2,$M3
33636 -+ vpmuludq $H1,$R3,$M4
33637 -+ vpmuludq $H1,$S4,$M0
33638 -+ vpmuludq $H0,$R2,$M2
33639 -+ vpaddq $M3,$D3,$D3 # d3 += h1*r2
33640 -+ vpaddq $M4,$D4,$D4 # d4 += h1*r3
33641 -+ vpaddq $M0,$D0,$D0 # d0 += h1*s4
33642 -+ vpaddq $M2,$D2,$D2 # d2 += h0*r2
33643 -+
33644 -+ vinserti128 \$1,16*2($inp),%y#$T0,%y#$T0
33645 -+ vpmuludq $H3,$R0,$M3
33646 -+ vpmuludq $H3,$R1,$M4
33647 -+ vpmuludq $H1,$R0,$M1
33648 -+ vpmuludq $H1,$R1,$M2
33649 -+ vpaddq $M3,$D3,$D3 # d3 += h3*r0
33650 -+ vpaddq $M4,$D4,$D4 # d4 += h3*r1
33651 -+ vpaddq $M1,$D1,$D1 # d1 += h1*r0
33652 -+ vpaddq $M2,$D2,$D2 # d2 += h1*r1
33653 -+
33654 -+ vinserti128 \$1,16*3($inp),%y#$T1,%y#$T1
33655 -+ vpmuludq $H4,$S4,$M3
33656 -+ vpmuludq $H4,$R0,$M4
33657 -+ vpmuludq $H3,$S2,$M0
33658 -+ vpmuludq $H3,$S3,$M1
33659 -+ vpmuludq $H3,$S4,$M2
33660 -+ vpaddq $M3,$D3,$H3 # h3 = d3 + h4*s4
33661 -+ vpaddq $M4,$D4,$D4 # d4 += h4*r0
33662 -+ vpaddq $M0,$D0,$D0 # d0 += h3*s2
33663 -+ vpaddq $M1,$D1,$D1 # d1 += h3*s3
33664 -+ vpaddq $M2,$D2,$D2 # d2 += h3*s4
33665 -+
33666 -+ vpmuludq $H4,$S1,$M0
33667 -+ vpmuludq $H4,$S2,$M1
33668 -+ vpmuludq $H4,$S3,$M2
33669 -+ vpaddq $M0,$D0,$H0 # h0 = d0 + h4*s1
33670 -+ vpaddq $M1,$D1,$H1 # h1 = d2 + h4*s2
33671 -+ vpaddq $M2,$D2,$H2 # h2 = d3 + h4*s3
33672 -+
33673 -+ ################################################################
33674 -+ # horizontal addition
33675 -+
33676 -+ mov \$1,%eax
33677 -+ vpermq \$0xb1,$H3,$D3
33678 -+ vpermq \$0xb1,$D4,$H4
33679 -+ vpermq \$0xb1,$H0,$D0
33680 -+ vpermq \$0xb1,$H1,$D1
33681 -+ vpermq \$0xb1,$H2,$D2
33682 -+ vpaddq $D3,$H3,$H3
33683 -+ vpaddq $D4,$H4,$H4
33684 -+ vpaddq $D0,$H0,$H0
33685 -+ vpaddq $D1,$H1,$H1
33686 -+ vpaddq $D2,$H2,$H2
33687 -+
33688 -+ kmovw %eax,%k3
33689 -+ vpermq \$0x2,$H3,$D3
33690 -+ vpermq \$0x2,$H4,$D4
33691 -+ vpermq \$0x2,$H0,$D0
33692 -+ vpermq \$0x2,$H1,$D1
33693 -+ vpermq \$0x2,$H2,$D2
33694 -+ vpaddq $D3,$H3,$H3
33695 -+ vpaddq $D4,$H4,$H4
33696 -+ vpaddq $D0,$H0,$H0
33697 -+ vpaddq $D1,$H1,$H1
33698 -+ vpaddq $D2,$H2,$H2
33699 -+
33700 -+ vextracti64x4 \$0x1,$H3,%y#$D3
33701 -+ vextracti64x4 \$0x1,$H4,%y#$D4
33702 -+ vextracti64x4 \$0x1,$H0,%y#$D0
33703 -+ vextracti64x4 \$0x1,$H1,%y#$D1
33704 -+ vextracti64x4 \$0x1,$H2,%y#$D2
33705 -+ vpaddq $D3,$H3,${H3}{%k3}{z} # keep single qword in case
33706 -+ vpaddq $D4,$H4,${H4}{%k3}{z} # it's passed to .Ltail_avx2
33707 -+ vpaddq $D0,$H0,${H0}{%k3}{z}
33708 -+ vpaddq $D1,$H1,${H1}{%k3}{z}
33709 -+ vpaddq $D2,$H2,${H2}{%k3}{z}
33710 -+___
33711 -+map(s/%z/%y/,($T0,$T1,$T2,$T3,$T4, $PADBIT));
33712 -+map(s/%z/%y/,($H0,$H1,$H2,$H3,$H4, $D0,$D1,$D2,$D3,$D4, $MASK));
33713 -+$code.=<<___;
33714 -+ ################################################################
33715 -+ # lazy reduction (interleaved with input splat)
33716 -+
33717 -+ vpsrlq \$26,$H3,$D3
33718 -+ vpand $MASK,$H3,$H3
33719 -+ vpsrldq \$6,$T0,$T2 # splat input
33720 -+ vpsrldq \$6,$T1,$T3
33721 -+ vpunpckhqdq $T1,$T0,$T4 # 4
33722 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
33723 -+
33724 -+ vpsrlq \$26,$H0,$D0
33725 -+ vpand $MASK,$H0,$H0
33726 -+ vpunpcklqdq $T3,$T2,$T2 # 2:3
33727 -+ vpunpcklqdq $T1,$T0,$T0 # 0:1
33728 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
33729 -+
33730 -+ vpsrlq \$26,$H4,$D4
33731 -+ vpand $MASK,$H4,$H4
33732 -+
33733 -+ vpsrlq \$26,$H1,$D1
33734 -+ vpand $MASK,$H1,$H1
33735 -+ vpsrlq \$30,$T2,$T3
33736 -+ vpsrlq \$4,$T2,$T2
33737 -+ vpaddq $D1,$H2,$H2 # h1 -> h2
33738 -+
33739 -+ vpaddq $D4,$H0,$H0
33740 -+ vpsllq \$2,$D4,$D4
33741 -+ vpsrlq \$26,$T0,$T1
33742 -+ vpsrlq \$40,$T4,$T4 # 4
33743 -+ vpaddq $D4,$H0,$H0 # h4 -> h0
33744 -+
33745 -+ vpsrlq \$26,$H2,$D2
33746 -+ vpand $MASK,$H2,$H2
33747 -+ vpand $MASK,$T2,$T2 # 2
33748 -+ vpand $MASK,$T0,$T0 # 0
33749 -+ vpaddq $D2,$H3,$H3 # h2 -> h3
33750 -+
33751 -+ vpsrlq \$26,$H0,$D0
33752 -+ vpand $MASK,$H0,$H0
33753 -+ vpaddq $H2,$T2,$H2 # accumulate input for .Ltail_avx2
33754 -+ vpand $MASK,$T1,$T1 # 1
33755 -+ vpaddq $D0,$H1,$H1 # h0 -> h1
33756 -+
33757 -+ vpsrlq \$26,$H3,$D3
33758 -+ vpand $MASK,$H3,$H3
33759 -+ vpand $MASK,$T3,$T3 # 3
33760 -+ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
33761 -+ vpaddq $D3,$H4,$H4 # h3 -> h4
33762 -+
33763 -+ lea 0x90(%rsp),%rax # size optimization for .Ltail_avx2
33764 -+ add \$64,$len
33765 -+ jnz .Ltail_avx2$suffix
33766 -+
33767 -+ vpsubq $T2,$H2,$H2 # undo input accumulation
33768 -+ vmovd %x#$H0,`4*0-48-64`($ctx)# save partially reduced
33769 -+ vmovd %x#$H1,`4*1-48-64`($ctx)
33770 -+ vmovd %x#$H2,`4*2-48-64`($ctx)
33771 -+ vmovd %x#$H3,`4*3-48-64`($ctx)
33772 -+ vmovd %x#$H4,`4*4-48-64`($ctx)
33773 -+ vzeroall
33774 -+___
33775 -+$code.=<<___ if ($win64);
33776 -+ movdqa -0xb0(%r10),%xmm6
33777 -+ movdqa -0xa0(%r10),%xmm7
33778 -+ movdqa -0x90(%r10),%xmm8
33779 -+ movdqa -0x80(%r10),%xmm9
33780 -+ movdqa -0x70(%r10),%xmm10
33781 -+ movdqa -0x60(%r10),%xmm11
33782 -+ movdqa -0x50(%r10),%xmm12
33783 -+ movdqa -0x40(%r10),%xmm13
33784 -+ movdqa -0x30(%r10),%xmm14
33785 -+ movdqa -0x20(%r10),%xmm15
33786 -+ lea -8(%r10),%rsp
33787 -+.Ldo_avx512_epilogue:
33788 -+___
33789 -+$code.=<<___ if (!$win64);
33790 -+ lea -8(%r10),%rsp
33791 -+.cfi_def_cfa_register %rsp
33792 -+___
33793 -+$code.=<<___;
33794 -+ ret
33795 -+.cfi_endproc
33796 -+___
33797 -+
33798 -+}
33799 -+
33800 -+}
33801 -+
33802 -+&declare_function("poly1305_blocks_avx2", 32, 4);
33803 -+poly1305_blocks_avxN(0);
33804 -+&end_function("poly1305_blocks_avx2");
33805 -+
33806 -+if($kernel) {
33807 -+ $code .= "#endif\n";
33808 -+}
33809 -+
33810 -+#######################################################################
33811 -+if ($avx>2) {
33812 -+# On entry we have input length divisible by 64. But since inner loop
33813 -+# processes 128 bytes per iteration, cases when length is not divisible
33814 -+# by 128 are handled by passing tail 64 bytes to .Ltail_avx2. For this
33815 -+# reason stack layout is kept identical to poly1305_blocks_avx2. If not
33816 -+# for this tail, we wouldn't have to even allocate stack frame...
33817 -+
33818 -+if($kernel) {
33819 -+ $code .= "#ifdef CONFIG_AS_AVX512\n";
33820 -+}
33821 -+
33822 -+&declare_function("poly1305_blocks_avx512", 32, 4);
33823 -+poly1305_blocks_avxN(1);
33824 -+&end_function("poly1305_blocks_avx512");
33825 -+
33826 -+if ($kernel) {
33827 -+ $code .= "#endif\n";
33828 -+}
33829 -+
33830 -+if (!$kernel && $avx>3) {
33831 -+########################################################################
33832 -+# VPMADD52 version using 2^44 radix.
33833 -+#
33834 -+# One can argue that base 2^52 would be more natural. Well, even though
33835 -+# some operations would be more natural, one has to recognize couple of
33836 -+# things. Base 2^52 doesn't provide advantage over base 2^44 if you look
33837 -+# at amount of multiply-n-accumulate operations. Secondly, it makes it
33838 -+# impossible to pre-compute multiples of 5 [referred to as s[]/sN in
33839 -+# reference implementations], which means that more such operations
33840 -+# would have to be performed in inner loop, which in turn makes critical
33841 -+# path longer. In other words, even though base 2^44 reduction might
33842 -+# look less elegant, overall critical path is actually shorter...
33843 -+
33844 -+########################################################################
33845 -+# Layout of opaque area is following.
33846 -+#
33847 -+# unsigned __int64 h[3]; # current hash value base 2^44
33848 -+# unsigned __int64 s[2]; # key value*20 base 2^44
33849 -+# unsigned __int64 r[3]; # key value base 2^44
33850 -+# struct { unsigned __int64 r^1, r^3, r^2, r^4; } R[4];
33851 -+# # r^n positions reflect
33852 -+# # placement in register, not
33853 -+# # memory, R[3] is R[1]*20
33854 -+
33855 -+$code.=<<___;
33856 -+.type poly1305_init_base2_44,\@function,3
33857 -+.align 32
33858 -+poly1305_init_base2_44:
33859 -+ xor %eax,%eax
33860 -+ mov %rax,0($ctx) # initialize hash value
33861 -+ mov %rax,8($ctx)
33862 -+ mov %rax,16($ctx)
33863 -+
33864 -+.Linit_base2_44:
33865 -+ lea poly1305_blocks_vpmadd52(%rip),%r10
33866 -+ lea poly1305_emit_base2_44(%rip),%r11
33867 -+
33868 -+ mov \$0x0ffffffc0fffffff,%rax
33869 -+ mov \$0x0ffffffc0ffffffc,%rcx
33870 -+ and 0($inp),%rax
33871 -+ mov \$0x00000fffffffffff,%r8
33872 -+ and 8($inp),%rcx
33873 -+ mov \$0x00000fffffffffff,%r9
33874 -+ and %rax,%r8
33875 -+ shrd \$44,%rcx,%rax
33876 -+ mov %r8,40($ctx) # r0
33877 -+ and %r9,%rax
33878 -+ shr \$24,%rcx
33879 -+ mov %rax,48($ctx) # r1
33880 -+ lea (%rax,%rax,4),%rax # *5
33881 -+ mov %rcx,56($ctx) # r2
33882 -+ shl \$2,%rax # magic <<2
33883 -+ lea (%rcx,%rcx,4),%rcx # *5
33884 -+ shl \$2,%rcx # magic <<2
33885 -+ mov %rax,24($ctx) # s1
33886 -+ mov %rcx,32($ctx) # s2
33887 -+ movq \$-1,64($ctx) # write impossible value
33888 -+___
33889 -+$code.=<<___ if ($flavour !~ /elf32/);
33890 -+ mov %r10,0(%rdx)
33891 -+ mov %r11,8(%rdx)
33892 -+___
33893 -+$code.=<<___ if ($flavour =~ /elf32/);
33894 -+ mov %r10d,0(%rdx)
33895 -+ mov %r11d,4(%rdx)
33896 -+___
33897 -+$code.=<<___;
33898 -+ mov \$1,%eax
33899 -+ ret
33900 -+.size poly1305_init_base2_44,.-poly1305_init_base2_44
33901 -+___
33902 -+{
33903 -+my ($H0,$H1,$H2,$r2r1r0,$r1r0s2,$r0s2s1,$Dlo,$Dhi) = map("%ymm$_",(0..5,16,17));
33904 -+my ($T0,$inp_permd,$inp_shift,$PAD) = map("%ymm$_",(18..21));
33905 -+my ($reduc_mask,$reduc_rght,$reduc_left) = map("%ymm$_",(22..25));
33906 -+
33907 -+$code.=<<___;
33908 -+.type poly1305_blocks_vpmadd52,\@function,4
33909 -+.align 32
33910 -+poly1305_blocks_vpmadd52:
33911 -+ shr \$4,$len
33912 -+ jz .Lno_data_vpmadd52 # too short
33913 -+
33914 -+ shl \$40,$padbit
33915 -+ mov 64($ctx),%r8 # peek on power of the key
33916 -+
33917 -+ # if powers of the key are not calculated yet, process up to 3
33918 -+ # blocks with this single-block subroutine, otherwise ensure that
33919 -+ # length is divisible by 2 blocks and pass the rest down to next
33920 -+ # subroutine...
33921 -+
33922 -+ mov \$3,%rax
33923 -+ mov \$1,%r10
33924 -+ cmp \$4,$len # is input long
33925 -+ cmovae %r10,%rax
33926 -+ test %r8,%r8 # is power value impossible?
33927 -+ cmovns %r10,%rax
33928 -+
33929 -+ and $len,%rax # is input of favourable length?
33930 -+ jz .Lblocks_vpmadd52_4x
33931 -+
33932 -+ sub %rax,$len
33933 -+ mov \$7,%r10d
33934 -+ mov \$1,%r11d
33935 -+ kmovw %r10d,%k7
33936 -+ lea .L2_44_inp_permd(%rip),%r10
33937 -+ kmovw %r11d,%k1
33938 -+
33939 -+ vmovq $padbit,%x#$PAD
33940 -+ vmovdqa64 0(%r10),$inp_permd # .L2_44_inp_permd
33941 -+ vmovdqa64 32(%r10),$inp_shift # .L2_44_inp_shift
33942 -+ vpermq \$0xcf,$PAD,$PAD
33943 -+ vmovdqa64 64(%r10),$reduc_mask # .L2_44_mask
33944 -+
33945 -+ vmovdqu64 0($ctx),${Dlo}{%k7}{z} # load hash value
33946 -+ vmovdqu64 40($ctx),${r2r1r0}{%k7}{z} # load keys
33947 -+ vmovdqu64 32($ctx),${r1r0s2}{%k7}{z}
33948 -+ vmovdqu64 24($ctx),${r0s2s1}{%k7}{z}
33949 -+
33950 -+ vmovdqa64 96(%r10),$reduc_rght # .L2_44_shift_rgt
33951 -+ vmovdqa64 128(%r10),$reduc_left # .L2_44_shift_lft
33952 -+
33953 -+ jmp .Loop_vpmadd52
33954 -+
33955 -+.align 32
33956 -+.Loop_vpmadd52:
33957 -+ vmovdqu32 0($inp),%x#$T0 # load input as ----3210
33958 -+ lea 16($inp),$inp
33959 -+
33960 -+ vpermd $T0,$inp_permd,$T0 # ----3210 -> --322110
33961 -+ vpsrlvq $inp_shift,$T0,$T0
33962 -+ vpandq $reduc_mask,$T0,$T0
33963 -+ vporq $PAD,$T0,$T0
33964 -+
33965 -+ vpaddq $T0,$Dlo,$Dlo # accumulate input
33966 -+
33967 -+ vpermq \$0,$Dlo,${H0}{%k7}{z} # smash hash value
33968 -+ vpermq \$0b01010101,$Dlo,${H1}{%k7}{z}
33969 -+ vpermq \$0b10101010,$Dlo,${H2}{%k7}{z}
33970 -+
33971 -+ vpxord $Dlo,$Dlo,$Dlo
33972 -+ vpxord $Dhi,$Dhi,$Dhi
33973 -+
33974 -+ vpmadd52luq $r2r1r0,$H0,$Dlo
33975 -+ vpmadd52huq $r2r1r0,$H0,$Dhi
33976 -+
33977 -+ vpmadd52luq $r1r0s2,$H1,$Dlo
33978 -+ vpmadd52huq $r1r0s2,$H1,$Dhi
33979 -+
33980 -+ vpmadd52luq $r0s2s1,$H2,$Dlo
33981 -+ vpmadd52huq $r0s2s1,$H2,$Dhi
33982 -+
33983 -+ vpsrlvq $reduc_rght,$Dlo,$T0 # 0 in topmost qword
33984 -+ vpsllvq $reduc_left,$Dhi,$Dhi # 0 in topmost qword
33985 -+ vpandq $reduc_mask,$Dlo,$Dlo
33986 -+
33987 -+ vpaddq $T0,$Dhi,$Dhi
33988 -+
33989 -+ vpermq \$0b10010011,$Dhi,$Dhi # 0 in lowest qword
33990 -+
33991 -+ vpaddq $Dhi,$Dlo,$Dlo # note topmost qword :-)
33992 -+
33993 -+ vpsrlvq $reduc_rght,$Dlo,$T0 # 0 in topmost word
33994 -+ vpandq $reduc_mask,$Dlo,$Dlo
33995 -+
33996 -+ vpermq \$0b10010011,$T0,$T0
33997 -+
33998 -+ vpaddq $T0,$Dlo,$Dlo
33999 -+
34000 -+ vpermq \$0b10010011,$Dlo,${T0}{%k1}{z}
34001 -+
34002 -+ vpaddq $T0,$Dlo,$Dlo
34003 -+ vpsllq \$2,$T0,$T0
34004 -+
34005 -+ vpaddq $T0,$Dlo,$Dlo
34006 -+
34007 -+ dec %rax # len-=16
34008 -+ jnz .Loop_vpmadd52
34009 -+
34010 -+ vmovdqu64 $Dlo,0($ctx){%k7} # store hash value
34011 -+
34012 -+ test $len,$len
34013 -+ jnz .Lblocks_vpmadd52_4x
34014 -+
34015 -+.Lno_data_vpmadd52:
34016 -+ ret
34017 -+.size poly1305_blocks_vpmadd52,.-poly1305_blocks_vpmadd52
34018 -+___
34019 -+}
34020 -+{
34021 -+########################################################################
34022 -+# As implied by its name 4x subroutine processes 4 blocks in parallel
34023 -+# (but handles even 4*n+2 blocks lengths). It takes up to 4th key power
34024 -+# and is handled in 256-bit %ymm registers.
34025 -+
34026 -+my ($H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2) = map("%ymm$_",(0..5,16,17));
34027 -+my ($D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi) = map("%ymm$_",(18..23));
34028 -+my ($T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD) = map("%ymm$_",(24..31));
34029 -+
34030 -+$code.=<<___;
34031 -+.type poly1305_blocks_vpmadd52_4x,\@function,4
34032 -+.align 32
34033 -+poly1305_blocks_vpmadd52_4x:
34034 -+ shr \$4,$len
34035 -+ jz .Lno_data_vpmadd52_4x # too short
34036 -+
34037 -+ shl \$40,$padbit
34038 -+ mov 64($ctx),%r8 # peek on power of the key
34039 -+
34040 -+.Lblocks_vpmadd52_4x:
34041 -+ vpbroadcastq $padbit,$PAD
34042 -+
34043 -+ vmovdqa64 .Lx_mask44(%rip),$mask44
34044 -+ mov \$5,%eax
34045 -+ vmovdqa64 .Lx_mask42(%rip),$mask42
34046 -+ kmovw %eax,%k1 # used in 2x path
34047 -+
34048 -+ test %r8,%r8 # is power value impossible?
34049 -+ js .Linit_vpmadd52 # if it is, then init R[4]
34050 -+
34051 -+ vmovq 0($ctx),%x#$H0 # load current hash value
34052 -+ vmovq 8($ctx),%x#$H1
34053 -+ vmovq 16($ctx),%x#$H2
34054 -+
34055 -+ test \$3,$len # is length 4*n+2?
34056 -+ jnz .Lblocks_vpmadd52_2x_do
34057 -+
34058 -+.Lblocks_vpmadd52_4x_do:
34059 -+ vpbroadcastq 64($ctx),$R0 # load 4th power of the key
34060 -+ vpbroadcastq 96($ctx),$R1
34061 -+ vpbroadcastq 128($ctx),$R2
34062 -+ vpbroadcastq 160($ctx),$S1
34063 -+
34064 -+.Lblocks_vpmadd52_4x_key_loaded:
34065 -+ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34066 -+ vpaddq $R2,$S2,$S2
34067 -+ vpsllq \$2,$S2,$S2
34068 -+
34069 -+ test \$7,$len # is len 8*n?
34070 -+ jz .Lblocks_vpmadd52_8x
34071 -+
34072 -+ vmovdqu64 16*0($inp),$T2 # load data
34073 -+ vmovdqu64 16*2($inp),$T3
34074 -+ lea 16*4($inp),$inp
34075 -+
34076 -+ vpunpcklqdq $T3,$T2,$T1 # transpose data
34077 -+ vpunpckhqdq $T3,$T2,$T3
34078 -+
34079 -+ # at this point 64-bit lanes are ordered as 3-1-2-0
34080 -+
34081 -+ vpsrlq \$24,$T3,$T2 # splat the data
34082 -+ vporq $PAD,$T2,$T2
34083 -+ vpaddq $T2,$H2,$H2 # accumulate input
34084 -+ vpandq $mask44,$T1,$T0
34085 -+ vpsrlq \$44,$T1,$T1
34086 -+ vpsllq \$20,$T3,$T3
34087 -+ vporq $T3,$T1,$T1
34088 -+ vpandq $mask44,$T1,$T1
34089 -+
34090 -+ sub \$4,$len
34091 -+ jz .Ltail_vpmadd52_4x
34092 -+ jmp .Loop_vpmadd52_4x
34093 -+ ud2
34094 -+
34095 -+.align 32
34096 -+.Linit_vpmadd52:
34097 -+ vmovq 24($ctx),%x#$S1 # load key
34098 -+ vmovq 56($ctx),%x#$H2
34099 -+ vmovq 32($ctx),%x#$S2
34100 -+ vmovq 40($ctx),%x#$R0
34101 -+ vmovq 48($ctx),%x#$R1
34102 -+
34103 -+ vmovdqa $R0,$H0
34104 -+ vmovdqa $R1,$H1
34105 -+ vmovdqa $H2,$R2
34106 -+
34107 -+ mov \$2,%eax
34108 -+
34109 -+.Lmul_init_vpmadd52:
34110 -+ vpxorq $D0lo,$D0lo,$D0lo
34111 -+ vpmadd52luq $H2,$S1,$D0lo
34112 -+ vpxorq $D0hi,$D0hi,$D0hi
34113 -+ vpmadd52huq $H2,$S1,$D0hi
34114 -+ vpxorq $D1lo,$D1lo,$D1lo
34115 -+ vpmadd52luq $H2,$S2,$D1lo
34116 -+ vpxorq $D1hi,$D1hi,$D1hi
34117 -+ vpmadd52huq $H2,$S2,$D1hi
34118 -+ vpxorq $D2lo,$D2lo,$D2lo
34119 -+ vpmadd52luq $H2,$R0,$D2lo
34120 -+ vpxorq $D2hi,$D2hi,$D2hi
34121 -+ vpmadd52huq $H2,$R0,$D2hi
34122 -+
34123 -+ vpmadd52luq $H0,$R0,$D0lo
34124 -+ vpmadd52huq $H0,$R0,$D0hi
34125 -+ vpmadd52luq $H0,$R1,$D1lo
34126 -+ vpmadd52huq $H0,$R1,$D1hi
34127 -+ vpmadd52luq $H0,$R2,$D2lo
34128 -+ vpmadd52huq $H0,$R2,$D2hi
34129 -+
34130 -+ vpmadd52luq $H1,$S2,$D0lo
34131 -+ vpmadd52huq $H1,$S2,$D0hi
34132 -+ vpmadd52luq $H1,$R0,$D1lo
34133 -+ vpmadd52huq $H1,$R0,$D1hi
34134 -+ vpmadd52luq $H1,$R1,$D2lo
34135 -+ vpmadd52huq $H1,$R1,$D2hi
34136 -+
34137 -+ ################################################################
34138 -+ # partial reduction
34139 -+ vpsrlq \$44,$D0lo,$tmp
34140 -+ vpsllq \$8,$D0hi,$D0hi
34141 -+ vpandq $mask44,$D0lo,$H0
34142 -+ vpaddq $tmp,$D0hi,$D0hi
34143 -+
34144 -+ vpaddq $D0hi,$D1lo,$D1lo
34145 -+
34146 -+ vpsrlq \$44,$D1lo,$tmp
34147 -+ vpsllq \$8,$D1hi,$D1hi
34148 -+ vpandq $mask44,$D1lo,$H1
34149 -+ vpaddq $tmp,$D1hi,$D1hi
34150 -+
34151 -+ vpaddq $D1hi,$D2lo,$D2lo
34152 -+
34153 -+ vpsrlq \$42,$D2lo,$tmp
34154 -+ vpsllq \$10,$D2hi,$D2hi
34155 -+ vpandq $mask42,$D2lo,$H2
34156 -+ vpaddq $tmp,$D2hi,$D2hi
34157 -+
34158 -+ vpaddq $D2hi,$H0,$H0
34159 -+ vpsllq \$2,$D2hi,$D2hi
34160 -+
34161 -+ vpaddq $D2hi,$H0,$H0
34162 -+
34163 -+ vpsrlq \$44,$H0,$tmp # additional step
34164 -+ vpandq $mask44,$H0,$H0
34165 -+
34166 -+ vpaddq $tmp,$H1,$H1
34167 -+
34168 -+ dec %eax
34169 -+ jz .Ldone_init_vpmadd52
34170 -+
34171 -+ vpunpcklqdq $R1,$H1,$R1 # 1,2
34172 -+ vpbroadcastq %x#$H1,%x#$H1 # 2,2
34173 -+ vpunpcklqdq $R2,$H2,$R2
34174 -+ vpbroadcastq %x#$H2,%x#$H2
34175 -+ vpunpcklqdq $R0,$H0,$R0
34176 -+ vpbroadcastq %x#$H0,%x#$H0
34177 -+
34178 -+ vpsllq \$2,$R1,$S1 # S1 = R1*5*4
34179 -+ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34180 -+ vpaddq $R1,$S1,$S1
34181 -+ vpaddq $R2,$S2,$S2
34182 -+ vpsllq \$2,$S1,$S1
34183 -+ vpsllq \$2,$S2,$S2
34184 -+
34185 -+ jmp .Lmul_init_vpmadd52
34186 -+ ud2
34187 -+
34188 -+.align 32
34189 -+.Ldone_init_vpmadd52:
34190 -+ vinserti128 \$1,%x#$R1,$H1,$R1 # 1,2,3,4
34191 -+ vinserti128 \$1,%x#$R2,$H2,$R2
34192 -+ vinserti128 \$1,%x#$R0,$H0,$R0
34193 -+
34194 -+ vpermq \$0b11011000,$R1,$R1 # 1,3,2,4
34195 -+ vpermq \$0b11011000,$R2,$R2
34196 -+ vpermq \$0b11011000,$R0,$R0
34197 -+
34198 -+ vpsllq \$2,$R1,$S1 # S1 = R1*5*4
34199 -+ vpaddq $R1,$S1,$S1
34200 -+ vpsllq \$2,$S1,$S1
34201 -+
34202 -+ vmovq 0($ctx),%x#$H0 # load current hash value
34203 -+ vmovq 8($ctx),%x#$H1
34204 -+ vmovq 16($ctx),%x#$H2
34205 -+
34206 -+ test \$3,$len # is length 4*n+2?
34207 -+ jnz .Ldone_init_vpmadd52_2x
34208 -+
34209 -+ vmovdqu64 $R0,64($ctx) # save key powers
34210 -+ vpbroadcastq %x#$R0,$R0 # broadcast 4th power
34211 -+ vmovdqu64 $R1,96($ctx)
34212 -+ vpbroadcastq %x#$R1,$R1
34213 -+ vmovdqu64 $R2,128($ctx)
34214 -+ vpbroadcastq %x#$R2,$R2
34215 -+ vmovdqu64 $S1,160($ctx)
34216 -+ vpbroadcastq %x#$S1,$S1
34217 -+
34218 -+ jmp .Lblocks_vpmadd52_4x_key_loaded
34219 -+ ud2
34220 -+
34221 -+.align 32
34222 -+.Ldone_init_vpmadd52_2x:
34223 -+ vmovdqu64 $R0,64($ctx) # save key powers
34224 -+ vpsrldq \$8,$R0,$R0 # 0-1-0-2
34225 -+ vmovdqu64 $R1,96($ctx)
34226 -+ vpsrldq \$8,$R1,$R1
34227 -+ vmovdqu64 $R2,128($ctx)
34228 -+ vpsrldq \$8,$R2,$R2
34229 -+ vmovdqu64 $S1,160($ctx)
34230 -+ vpsrldq \$8,$S1,$S1
34231 -+ jmp .Lblocks_vpmadd52_2x_key_loaded
34232 -+ ud2
34233 -+
34234 -+.align 32
34235 -+.Lblocks_vpmadd52_2x_do:
34236 -+ vmovdqu64 128+8($ctx),${R2}{%k1}{z}# load 2nd and 1st key powers
34237 -+ vmovdqu64 160+8($ctx),${S1}{%k1}{z}
34238 -+ vmovdqu64 64+8($ctx),${R0}{%k1}{z}
34239 -+ vmovdqu64 96+8($ctx),${R1}{%k1}{z}
34240 -+
34241 -+.Lblocks_vpmadd52_2x_key_loaded:
34242 -+ vmovdqu64 16*0($inp),$T2 # load data
34243 -+ vpxorq $T3,$T3,$T3
34244 -+ lea 16*2($inp),$inp
34245 -+
34246 -+ vpunpcklqdq $T3,$T2,$T1 # transpose data
34247 -+ vpunpckhqdq $T3,$T2,$T3
34248 -+
34249 -+ # at this point 64-bit lanes are ordered as x-1-x-0
34250 -+
34251 -+ vpsrlq \$24,$T3,$T2 # splat the data
34252 -+ vporq $PAD,$T2,$T2
34253 -+ vpaddq $T2,$H2,$H2 # accumulate input
34254 -+ vpandq $mask44,$T1,$T0
34255 -+ vpsrlq \$44,$T1,$T1
34256 -+ vpsllq \$20,$T3,$T3
34257 -+ vporq $T3,$T1,$T1
34258 -+ vpandq $mask44,$T1,$T1
34259 -+
34260 -+ jmp .Ltail_vpmadd52_2x
34261 -+ ud2
34262 -+
34263 -+.align 32
34264 -+.Loop_vpmadd52_4x:
34265 -+ #vpaddq $T2,$H2,$H2 # accumulate input
34266 -+ vpaddq $T0,$H0,$H0
34267 -+ vpaddq $T1,$H1,$H1
34268 -+
34269 -+ vpxorq $D0lo,$D0lo,$D0lo
34270 -+ vpmadd52luq $H2,$S1,$D0lo
34271 -+ vpxorq $D0hi,$D0hi,$D0hi
34272 -+ vpmadd52huq $H2,$S1,$D0hi
34273 -+ vpxorq $D1lo,$D1lo,$D1lo
34274 -+ vpmadd52luq $H2,$S2,$D1lo
34275 -+ vpxorq $D1hi,$D1hi,$D1hi
34276 -+ vpmadd52huq $H2,$S2,$D1hi
34277 -+ vpxorq $D2lo,$D2lo,$D2lo
34278 -+ vpmadd52luq $H2,$R0,$D2lo
34279 -+ vpxorq $D2hi,$D2hi,$D2hi
34280 -+ vpmadd52huq $H2,$R0,$D2hi
34281 -+
34282 -+ vmovdqu64 16*0($inp),$T2 # load data
34283 -+ vmovdqu64 16*2($inp),$T3
34284 -+ lea 16*4($inp),$inp
34285 -+ vpmadd52luq $H0,$R0,$D0lo
34286 -+ vpmadd52huq $H0,$R0,$D0hi
34287 -+ vpmadd52luq $H0,$R1,$D1lo
34288 -+ vpmadd52huq $H0,$R1,$D1hi
34289 -+ vpmadd52luq $H0,$R2,$D2lo
34290 -+ vpmadd52huq $H0,$R2,$D2hi
34291 -+
34292 -+ vpunpcklqdq $T3,$T2,$T1 # transpose data
34293 -+ vpunpckhqdq $T3,$T2,$T3
34294 -+ vpmadd52luq $H1,$S2,$D0lo
34295 -+ vpmadd52huq $H1,$S2,$D0hi
34296 -+ vpmadd52luq $H1,$R0,$D1lo
34297 -+ vpmadd52huq $H1,$R0,$D1hi
34298 -+ vpmadd52luq $H1,$R1,$D2lo
34299 -+ vpmadd52huq $H1,$R1,$D2hi
34300 -+
34301 -+ ################################################################
34302 -+ # partial reduction (interleaved with data splat)
34303 -+ vpsrlq \$44,$D0lo,$tmp
34304 -+ vpsllq \$8,$D0hi,$D0hi
34305 -+ vpandq $mask44,$D0lo,$H0
34306 -+ vpaddq $tmp,$D0hi,$D0hi
34307 -+
34308 -+ vpsrlq \$24,$T3,$T2
34309 -+ vporq $PAD,$T2,$T2
34310 -+ vpaddq $D0hi,$D1lo,$D1lo
34311 -+
34312 -+ vpsrlq \$44,$D1lo,$tmp
34313 -+ vpsllq \$8,$D1hi,$D1hi
34314 -+ vpandq $mask44,$D1lo,$H1
34315 -+ vpaddq $tmp,$D1hi,$D1hi
34316 -+
34317 -+ vpandq $mask44,$T1,$T0
34318 -+ vpsrlq \$44,$T1,$T1
34319 -+ vpsllq \$20,$T3,$T3
34320 -+ vpaddq $D1hi,$D2lo,$D2lo
34321 -+
34322 -+ vpsrlq \$42,$D2lo,$tmp
34323 -+ vpsllq \$10,$D2hi,$D2hi
34324 -+ vpandq $mask42,$D2lo,$H2
34325 -+ vpaddq $tmp,$D2hi,$D2hi
34326 -+
34327 -+ vpaddq $T2,$H2,$H2 # accumulate input
34328 -+ vpaddq $D2hi,$H0,$H0
34329 -+ vpsllq \$2,$D2hi,$D2hi
34330 -+
34331 -+ vpaddq $D2hi,$H0,$H0
34332 -+ vporq $T3,$T1,$T1
34333 -+ vpandq $mask44,$T1,$T1
34334 -+
34335 -+ vpsrlq \$44,$H0,$tmp # additional step
34336 -+ vpandq $mask44,$H0,$H0
34337 -+
34338 -+ vpaddq $tmp,$H1,$H1
34339 -+
34340 -+ sub \$4,$len # len-=64
34341 -+ jnz .Loop_vpmadd52_4x
34342 -+
34343 -+.Ltail_vpmadd52_4x:
34344 -+ vmovdqu64 128($ctx),$R2 # load all key powers
34345 -+ vmovdqu64 160($ctx),$S1
34346 -+ vmovdqu64 64($ctx),$R0
34347 -+ vmovdqu64 96($ctx),$R1
34348 -+
34349 -+.Ltail_vpmadd52_2x:
34350 -+ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34351 -+ vpaddq $R2,$S2,$S2
34352 -+ vpsllq \$2,$S2,$S2
34353 -+
34354 -+ #vpaddq $T2,$H2,$H2 # accumulate input
34355 -+ vpaddq $T0,$H0,$H0
34356 -+ vpaddq $T1,$H1,$H1
34357 -+
34358 -+ vpxorq $D0lo,$D0lo,$D0lo
34359 -+ vpmadd52luq $H2,$S1,$D0lo
34360 -+ vpxorq $D0hi,$D0hi,$D0hi
34361 -+ vpmadd52huq $H2,$S1,$D0hi
34362 -+ vpxorq $D1lo,$D1lo,$D1lo
34363 -+ vpmadd52luq $H2,$S2,$D1lo
34364 -+ vpxorq $D1hi,$D1hi,$D1hi
34365 -+ vpmadd52huq $H2,$S2,$D1hi
34366 -+ vpxorq $D2lo,$D2lo,$D2lo
34367 -+ vpmadd52luq $H2,$R0,$D2lo
34368 -+ vpxorq $D2hi,$D2hi,$D2hi
34369 -+ vpmadd52huq $H2,$R0,$D2hi
34370 -+
34371 -+ vpmadd52luq $H0,$R0,$D0lo
34372 -+ vpmadd52huq $H0,$R0,$D0hi
34373 -+ vpmadd52luq $H0,$R1,$D1lo
34374 -+ vpmadd52huq $H0,$R1,$D1hi
34375 -+ vpmadd52luq $H0,$R2,$D2lo
34376 -+ vpmadd52huq $H0,$R2,$D2hi
34377 -+
34378 -+ vpmadd52luq $H1,$S2,$D0lo
34379 -+ vpmadd52huq $H1,$S2,$D0hi
34380 -+ vpmadd52luq $H1,$R0,$D1lo
34381 -+ vpmadd52huq $H1,$R0,$D1hi
34382 -+ vpmadd52luq $H1,$R1,$D2lo
34383 -+ vpmadd52huq $H1,$R1,$D2hi
34384 -+
34385 -+ ################################################################
34386 -+ # horizontal addition
34387 -+
34388 -+ mov \$1,%eax
34389 -+ kmovw %eax,%k1
34390 -+ vpsrldq \$8,$D0lo,$T0
34391 -+ vpsrldq \$8,$D0hi,$H0
34392 -+ vpsrldq \$8,$D1lo,$T1
34393 -+ vpsrldq \$8,$D1hi,$H1
34394 -+ vpaddq $T0,$D0lo,$D0lo
34395 -+ vpaddq $H0,$D0hi,$D0hi
34396 -+ vpsrldq \$8,$D2lo,$T2
34397 -+ vpsrldq \$8,$D2hi,$H2
34398 -+ vpaddq $T1,$D1lo,$D1lo
34399 -+ vpaddq $H1,$D1hi,$D1hi
34400 -+ vpermq \$0x2,$D0lo,$T0
34401 -+ vpermq \$0x2,$D0hi,$H0
34402 -+ vpaddq $T2,$D2lo,$D2lo
34403 -+ vpaddq $H2,$D2hi,$D2hi
34404 -+
34405 -+ vpermq \$0x2,$D1lo,$T1
34406 -+ vpermq \$0x2,$D1hi,$H1
34407 -+ vpaddq $T0,$D0lo,${D0lo}{%k1}{z}
34408 -+ vpaddq $H0,$D0hi,${D0hi}{%k1}{z}
34409 -+ vpermq \$0x2,$D2lo,$T2
34410 -+ vpermq \$0x2,$D2hi,$H2
34411 -+ vpaddq $T1,$D1lo,${D1lo}{%k1}{z}
34412 -+ vpaddq $H1,$D1hi,${D1hi}{%k1}{z}
34413 -+ vpaddq $T2,$D2lo,${D2lo}{%k1}{z}
34414 -+ vpaddq $H2,$D2hi,${D2hi}{%k1}{z}
34415 -+
34416 -+ ################################################################
34417 -+ # partial reduction
34418 -+ vpsrlq \$44,$D0lo,$tmp
34419 -+ vpsllq \$8,$D0hi,$D0hi
34420 -+ vpandq $mask44,$D0lo,$H0
34421 -+ vpaddq $tmp,$D0hi,$D0hi
34422 -+
34423 -+ vpaddq $D0hi,$D1lo,$D1lo
34424 -+
34425 -+ vpsrlq \$44,$D1lo,$tmp
34426 -+ vpsllq \$8,$D1hi,$D1hi
34427 -+ vpandq $mask44,$D1lo,$H1
34428 -+ vpaddq $tmp,$D1hi,$D1hi
34429 -+
34430 -+ vpaddq $D1hi,$D2lo,$D2lo
34431 -+
34432 -+ vpsrlq \$42,$D2lo,$tmp
34433 -+ vpsllq \$10,$D2hi,$D2hi
34434 -+ vpandq $mask42,$D2lo,$H2
34435 -+ vpaddq $tmp,$D2hi,$D2hi
34436 -+
34437 -+ vpaddq $D2hi,$H0,$H0
34438 -+ vpsllq \$2,$D2hi,$D2hi
34439 -+
34440 -+ vpaddq $D2hi,$H0,$H0
34441 -+
34442 -+ vpsrlq \$44,$H0,$tmp # additional step
34443 -+ vpandq $mask44,$H0,$H0
34444 -+
34445 -+ vpaddq $tmp,$H1,$H1
34446 -+ # at this point $len is
34447 -+ # either 4*n+2 or 0...
34448 -+ sub \$2,$len # len-=32
34449 -+ ja .Lblocks_vpmadd52_4x_do
34450 -+
34451 -+ vmovq %x#$H0,0($ctx)
34452 -+ vmovq %x#$H1,8($ctx)
34453 -+ vmovq %x#$H2,16($ctx)
34454 -+ vzeroall
34455 -+
34456 -+.Lno_data_vpmadd52_4x:
34457 -+ ret
34458 -+.size poly1305_blocks_vpmadd52_4x,.-poly1305_blocks_vpmadd52_4x
34459 -+___
34460 -+}
34461 -+{
34462 -+########################################################################
34463 -+# As implied by its name 8x subroutine processes 8 blocks in parallel...
34464 -+# This is intermediate version, as it's used only in cases when input
34465 -+# length is either 8*n, 8*n+1 or 8*n+2...
34466 -+
34467 -+my ($H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2) = map("%ymm$_",(0..5,16,17));
34468 -+my ($D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi) = map("%ymm$_",(18..23));
34469 -+my ($T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD) = map("%ymm$_",(24..31));
34470 -+my ($RR0,$RR1,$RR2,$SS1,$SS2) = map("%ymm$_",(6..10));
34471 -+
34472 -+$code.=<<___;
34473 -+.type poly1305_blocks_vpmadd52_8x,\@function,4
34474 -+.align 32
34475 -+poly1305_blocks_vpmadd52_8x:
34476 -+ shr \$4,$len
34477 -+ jz .Lno_data_vpmadd52_8x # too short
34478 -+
34479 -+ shl \$40,$padbit
34480 -+ mov 64($ctx),%r8 # peek on power of the key
34481 -+
34482 -+ vmovdqa64 .Lx_mask44(%rip),$mask44
34483 -+ vmovdqa64 .Lx_mask42(%rip),$mask42
34484 -+
34485 -+ test %r8,%r8 # is power value impossible?
34486 -+ js .Linit_vpmadd52 # if it is, then init R[4]
34487 -+
34488 -+ vmovq 0($ctx),%x#$H0 # load current hash value
34489 -+ vmovq 8($ctx),%x#$H1
34490 -+ vmovq 16($ctx),%x#$H2
34491 -+
34492 -+.Lblocks_vpmadd52_8x:
34493 -+ ################################################################
34494 -+ # fist we calculate more key powers
34495 -+
34496 -+ vmovdqu64 128($ctx),$R2 # load 1-3-2-4 powers
34497 -+ vmovdqu64 160($ctx),$S1
34498 -+ vmovdqu64 64($ctx),$R0
34499 -+ vmovdqu64 96($ctx),$R1
34500 -+
34501 -+ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34502 -+ vpaddq $R2,$S2,$S2
34503 -+ vpsllq \$2,$S2,$S2
34504 -+
34505 -+ vpbroadcastq %x#$R2,$RR2 # broadcast 4th power
34506 -+ vpbroadcastq %x#$R0,$RR0
34507 -+ vpbroadcastq %x#$R1,$RR1
34508 -+
34509 -+ vpxorq $D0lo,$D0lo,$D0lo
34510 -+ vpmadd52luq $RR2,$S1,$D0lo
34511 -+ vpxorq $D0hi,$D0hi,$D0hi
34512 -+ vpmadd52huq $RR2,$S1,$D0hi
34513 -+ vpxorq $D1lo,$D1lo,$D1lo
34514 -+ vpmadd52luq $RR2,$S2,$D1lo
34515 -+ vpxorq $D1hi,$D1hi,$D1hi
34516 -+ vpmadd52huq $RR2,$S2,$D1hi
34517 -+ vpxorq $D2lo,$D2lo,$D2lo
34518 -+ vpmadd52luq $RR2,$R0,$D2lo
34519 -+ vpxorq $D2hi,$D2hi,$D2hi
34520 -+ vpmadd52huq $RR2,$R0,$D2hi
34521 -+
34522 -+ vpmadd52luq $RR0,$R0,$D0lo
34523 -+ vpmadd52huq $RR0,$R0,$D0hi
34524 -+ vpmadd52luq $RR0,$R1,$D1lo
34525 -+ vpmadd52huq $RR0,$R1,$D1hi
34526 -+ vpmadd52luq $RR0,$R2,$D2lo
34527 -+ vpmadd52huq $RR0,$R2,$D2hi
34528 -+
34529 -+ vpmadd52luq $RR1,$S2,$D0lo
34530 -+ vpmadd52huq $RR1,$S2,$D0hi
34531 -+ vpmadd52luq $RR1,$R0,$D1lo
34532 -+ vpmadd52huq $RR1,$R0,$D1hi
34533 -+ vpmadd52luq $RR1,$R1,$D2lo
34534 -+ vpmadd52huq $RR1,$R1,$D2hi
34535 -+
34536 -+ ################################################################
34537 -+ # partial reduction
34538 -+ vpsrlq \$44,$D0lo,$tmp
34539 -+ vpsllq \$8,$D0hi,$D0hi
34540 -+ vpandq $mask44,$D0lo,$RR0
34541 -+ vpaddq $tmp,$D0hi,$D0hi
34542 -+
34543 -+ vpaddq $D0hi,$D1lo,$D1lo
34544 -+
34545 -+ vpsrlq \$44,$D1lo,$tmp
34546 -+ vpsllq \$8,$D1hi,$D1hi
34547 -+ vpandq $mask44,$D1lo,$RR1
34548 -+ vpaddq $tmp,$D1hi,$D1hi
34549 -+
34550 -+ vpaddq $D1hi,$D2lo,$D2lo
34551 -+
34552 -+ vpsrlq \$42,$D2lo,$tmp
34553 -+ vpsllq \$10,$D2hi,$D2hi
34554 -+ vpandq $mask42,$D2lo,$RR2
34555 -+ vpaddq $tmp,$D2hi,$D2hi
34556 -+
34557 -+ vpaddq $D2hi,$RR0,$RR0
34558 -+ vpsllq \$2,$D2hi,$D2hi
34559 -+
34560 -+ vpaddq $D2hi,$RR0,$RR0
34561 -+
34562 -+ vpsrlq \$44,$RR0,$tmp # additional step
34563 -+ vpandq $mask44,$RR0,$RR0
34564 -+
34565 -+ vpaddq $tmp,$RR1,$RR1
34566 -+
34567 -+ ################################################################
34568 -+ # At this point Rx holds 1324 powers, RRx - 5768, and the goal
34569 -+ # is 15263748, which reflects how data is loaded...
34570 -+
34571 -+ vpunpcklqdq $R2,$RR2,$T2 # 3748
34572 -+ vpunpckhqdq $R2,$RR2,$R2 # 1526
34573 -+ vpunpcklqdq $R0,$RR0,$T0
34574 -+ vpunpckhqdq $R0,$RR0,$R0
34575 -+ vpunpcklqdq $R1,$RR1,$T1
34576 -+ vpunpckhqdq $R1,$RR1,$R1
34577 -+___
34578 -+######## switch to %zmm
34579 -+map(s/%y/%z/, $H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2);
34580 -+map(s/%y/%z/, $D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi);
34581 -+map(s/%y/%z/, $T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD);
34582 -+map(s/%y/%z/, $RR0,$RR1,$RR2,$SS1,$SS2);
34583 -+
34584 -+$code.=<<___;
34585 -+ vshufi64x2 \$0x44,$R2,$T2,$RR2 # 15263748
34586 -+ vshufi64x2 \$0x44,$R0,$T0,$RR0
34587 -+ vshufi64x2 \$0x44,$R1,$T1,$RR1
34588 -+
34589 -+ vmovdqu64 16*0($inp),$T2 # load data
34590 -+ vmovdqu64 16*4($inp),$T3
34591 -+ lea 16*8($inp),$inp
34592 -+
34593 -+ vpsllq \$2,$RR2,$SS2 # S2 = R2*5*4
34594 -+ vpsllq \$2,$RR1,$SS1 # S1 = R1*5*4
34595 -+ vpaddq $RR2,$SS2,$SS2
34596 -+ vpaddq $RR1,$SS1,$SS1
34597 -+ vpsllq \$2,$SS2,$SS2
34598 -+ vpsllq \$2,$SS1,$SS1
34599 -+
34600 -+ vpbroadcastq $padbit,$PAD
34601 -+ vpbroadcastq %x#$mask44,$mask44
34602 -+ vpbroadcastq %x#$mask42,$mask42
34603 -+
34604 -+ vpbroadcastq %x#$SS1,$S1 # broadcast 8th power
34605 -+ vpbroadcastq %x#$SS2,$S2
34606 -+ vpbroadcastq %x#$RR0,$R0
34607 -+ vpbroadcastq %x#$RR1,$R1
34608 -+ vpbroadcastq %x#$RR2,$R2
34609 -+
34610 -+ vpunpcklqdq $T3,$T2,$T1 # transpose data
34611 -+ vpunpckhqdq $T3,$T2,$T3
34612 -+
34613 -+ # at this point 64-bit lanes are ordered as 73625140
34614 -+
34615 -+ vpsrlq \$24,$T3,$T2 # splat the data
34616 -+ vporq $PAD,$T2,$T2
34617 -+ vpaddq $T2,$H2,$H2 # accumulate input
34618 -+ vpandq $mask44,$T1,$T0
34619 -+ vpsrlq \$44,$T1,$T1
34620 -+ vpsllq \$20,$T3,$T3
34621 -+ vporq $T3,$T1,$T1
34622 -+ vpandq $mask44,$T1,$T1
34623 -+
34624 -+ sub \$8,$len
34625 -+ jz .Ltail_vpmadd52_8x
34626 -+ jmp .Loop_vpmadd52_8x
34627 -+
34628 -+.align 32
34629 -+.Loop_vpmadd52_8x:
34630 -+ #vpaddq $T2,$H2,$H2 # accumulate input
34631 -+ vpaddq $T0,$H0,$H0
34632 -+ vpaddq $T1,$H1,$H1
34633 -+
34634 -+ vpxorq $D0lo,$D0lo,$D0lo
34635 -+ vpmadd52luq $H2,$S1,$D0lo
34636 -+ vpxorq $D0hi,$D0hi,$D0hi
34637 -+ vpmadd52huq $H2,$S1,$D0hi
34638 -+ vpxorq $D1lo,$D1lo,$D1lo
34639 -+ vpmadd52luq $H2,$S2,$D1lo
34640 -+ vpxorq $D1hi,$D1hi,$D1hi
34641 -+ vpmadd52huq $H2,$S2,$D1hi
34642 -+ vpxorq $D2lo,$D2lo,$D2lo
34643 -+ vpmadd52luq $H2,$R0,$D2lo
34644 -+ vpxorq $D2hi,$D2hi,$D2hi
34645 -+ vpmadd52huq $H2,$R0,$D2hi
34646 -+
34647 -+ vmovdqu64 16*0($inp),$T2 # load data
34648 -+ vmovdqu64 16*4($inp),$T3
34649 -+ lea 16*8($inp),$inp
34650 -+ vpmadd52luq $H0,$R0,$D0lo
34651 -+ vpmadd52huq $H0,$R0,$D0hi
34652 -+ vpmadd52luq $H0,$R1,$D1lo
34653 -+ vpmadd52huq $H0,$R1,$D1hi
34654 -+ vpmadd52luq $H0,$R2,$D2lo
34655 -+ vpmadd52huq $H0,$R2,$D2hi
34656 -+
34657 -+ vpunpcklqdq $T3,$T2,$T1 # transpose data
34658 -+ vpunpckhqdq $T3,$T2,$T3
34659 -+ vpmadd52luq $H1,$S2,$D0lo
34660 -+ vpmadd52huq $H1,$S2,$D0hi
34661 -+ vpmadd52luq $H1,$R0,$D1lo
34662 -+ vpmadd52huq $H1,$R0,$D1hi
34663 -+ vpmadd52luq $H1,$R1,$D2lo
34664 -+ vpmadd52huq $H1,$R1,$D2hi
34665 -+
34666 -+ ################################################################
34667 -+ # partial reduction (interleaved with data splat)
34668 -+ vpsrlq \$44,$D0lo,$tmp
34669 -+ vpsllq \$8,$D0hi,$D0hi
34670 -+ vpandq $mask44,$D0lo,$H0
34671 -+ vpaddq $tmp,$D0hi,$D0hi
34672 -+
34673 -+ vpsrlq \$24,$T3,$T2
34674 -+ vporq $PAD,$T2,$T2
34675 -+ vpaddq $D0hi,$D1lo,$D1lo
34676 -+
34677 -+ vpsrlq \$44,$D1lo,$tmp
34678 -+ vpsllq \$8,$D1hi,$D1hi
34679 -+ vpandq $mask44,$D1lo,$H1
34680 -+ vpaddq $tmp,$D1hi,$D1hi
34681 -+
34682 -+ vpandq $mask44,$T1,$T0
34683 -+ vpsrlq \$44,$T1,$T1
34684 -+ vpsllq \$20,$T3,$T3
34685 -+ vpaddq $D1hi,$D2lo,$D2lo
34686 -+
34687 -+ vpsrlq \$42,$D2lo,$tmp
34688 -+ vpsllq \$10,$D2hi,$D2hi
34689 -+ vpandq $mask42,$D2lo,$H2
34690 -+ vpaddq $tmp,$D2hi,$D2hi
34691 -+
34692 -+ vpaddq $T2,$H2,$H2 # accumulate input
34693 -+ vpaddq $D2hi,$H0,$H0
34694 -+ vpsllq \$2,$D2hi,$D2hi
34695 -+
34696 -+ vpaddq $D2hi,$H0,$H0
34697 -+ vporq $T3,$T1,$T1
34698 -+ vpandq $mask44,$T1,$T1
34699 -+
34700 -+ vpsrlq \$44,$H0,$tmp # additional step
34701 -+ vpandq $mask44,$H0,$H0
34702 -+
34703 -+ vpaddq $tmp,$H1,$H1
34704 -+
34705 -+ sub \$8,$len # len-=128
34706 -+ jnz .Loop_vpmadd52_8x
34707 -+
34708 -+.Ltail_vpmadd52_8x:
34709 -+ #vpaddq $T2,$H2,$H2 # accumulate input
34710 -+ vpaddq $T0,$H0,$H0
34711 -+ vpaddq $T1,$H1,$H1
34712 -+
34713 -+ vpxorq $D0lo,$D0lo,$D0lo
34714 -+ vpmadd52luq $H2,$SS1,$D0lo
34715 -+ vpxorq $D0hi,$D0hi,$D0hi
34716 -+ vpmadd52huq $H2,$SS1,$D0hi
34717 -+ vpxorq $D1lo,$D1lo,$D1lo
34718 -+ vpmadd52luq $H2,$SS2,$D1lo
34719 -+ vpxorq $D1hi,$D1hi,$D1hi
34720 -+ vpmadd52huq $H2,$SS2,$D1hi
34721 -+ vpxorq $D2lo,$D2lo,$D2lo
34722 -+ vpmadd52luq $H2,$RR0,$D2lo
34723 -+ vpxorq $D2hi,$D2hi,$D2hi
34724 -+ vpmadd52huq $H2,$RR0,$D2hi
34725 -+
34726 -+ vpmadd52luq $H0,$RR0,$D0lo
34727 -+ vpmadd52huq $H0,$RR0,$D0hi
34728 -+ vpmadd52luq $H0,$RR1,$D1lo
34729 -+ vpmadd52huq $H0,$RR1,$D1hi
34730 -+ vpmadd52luq $H0,$RR2,$D2lo
34731 -+ vpmadd52huq $H0,$RR2,$D2hi
34732 -+
34733 -+ vpmadd52luq $H1,$SS2,$D0lo
34734 -+ vpmadd52huq $H1,$SS2,$D0hi
34735 -+ vpmadd52luq $H1,$RR0,$D1lo
34736 -+ vpmadd52huq $H1,$RR0,$D1hi
34737 -+ vpmadd52luq $H1,$RR1,$D2lo
34738 -+ vpmadd52huq $H1,$RR1,$D2hi
34739 -+
34740 -+ ################################################################
34741 -+ # horizontal addition
34742 -+
34743 -+ mov \$1,%eax
34744 -+ kmovw %eax,%k1
34745 -+ vpsrldq \$8,$D0lo,$T0
34746 -+ vpsrldq \$8,$D0hi,$H0
34747 -+ vpsrldq \$8,$D1lo,$T1
34748 -+ vpsrldq \$8,$D1hi,$H1
34749 -+ vpaddq $T0,$D0lo,$D0lo
34750 -+ vpaddq $H0,$D0hi,$D0hi
34751 -+ vpsrldq \$8,$D2lo,$T2
34752 -+ vpsrldq \$8,$D2hi,$H2
34753 -+ vpaddq $T1,$D1lo,$D1lo
34754 -+ vpaddq $H1,$D1hi,$D1hi
34755 -+ vpermq \$0x2,$D0lo,$T0
34756 -+ vpermq \$0x2,$D0hi,$H0
34757 -+ vpaddq $T2,$D2lo,$D2lo
34758 -+ vpaddq $H2,$D2hi,$D2hi
34759 -+
34760 -+ vpermq \$0x2,$D1lo,$T1
34761 -+ vpermq \$0x2,$D1hi,$H1
34762 -+ vpaddq $T0,$D0lo,$D0lo
34763 -+ vpaddq $H0,$D0hi,$D0hi
34764 -+ vpermq \$0x2,$D2lo,$T2
34765 -+ vpermq \$0x2,$D2hi,$H2
34766 -+ vpaddq $T1,$D1lo,$D1lo
34767 -+ vpaddq $H1,$D1hi,$D1hi
34768 -+ vextracti64x4 \$1,$D0lo,%y#$T0
34769 -+ vextracti64x4 \$1,$D0hi,%y#$H0
34770 -+ vpaddq $T2,$D2lo,$D2lo
34771 -+ vpaddq $H2,$D2hi,$D2hi
34772 -+
34773 -+ vextracti64x4 \$1,$D1lo,%y#$T1
34774 -+ vextracti64x4 \$1,$D1hi,%y#$H1
34775 -+ vextracti64x4 \$1,$D2lo,%y#$T2
34776 -+ vextracti64x4 \$1,$D2hi,%y#$H2
34777 -+___
34778 -+######## switch back to %ymm
34779 -+map(s/%z/%y/, $H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2);
34780 -+map(s/%z/%y/, $D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi);
34781 -+map(s/%z/%y/, $T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD);
34782 -+
34783 -+$code.=<<___;
34784 -+ vpaddq $T0,$D0lo,${D0lo}{%k1}{z}
34785 -+ vpaddq $H0,$D0hi,${D0hi}{%k1}{z}
34786 -+ vpaddq $T1,$D1lo,${D1lo}{%k1}{z}
34787 -+ vpaddq $H1,$D1hi,${D1hi}{%k1}{z}
34788 -+ vpaddq $T2,$D2lo,${D2lo}{%k1}{z}
34789 -+ vpaddq $H2,$D2hi,${D2hi}{%k1}{z}
34790 -+
34791 -+ ################################################################
34792 -+ # partial reduction
34793 -+ vpsrlq \$44,$D0lo,$tmp
34794 -+ vpsllq \$8,$D0hi,$D0hi
34795 -+ vpandq $mask44,$D0lo,$H0
34796 -+ vpaddq $tmp,$D0hi,$D0hi
34797 -+
34798 -+ vpaddq $D0hi,$D1lo,$D1lo
34799 -+
34800 -+ vpsrlq \$44,$D1lo,$tmp
34801 -+ vpsllq \$8,$D1hi,$D1hi
34802 -+ vpandq $mask44,$D1lo,$H1
34803 -+ vpaddq $tmp,$D1hi,$D1hi
34804 -+
34805 -+ vpaddq $D1hi,$D2lo,$D2lo
34806 -+
34807 -+ vpsrlq \$42,$D2lo,$tmp
34808 -+ vpsllq \$10,$D2hi,$D2hi
34809 -+ vpandq $mask42,$D2lo,$H2
34810 -+ vpaddq $tmp,$D2hi,$D2hi
34811 -+
34812 -+ vpaddq $D2hi,$H0,$H0
34813 -+ vpsllq \$2,$D2hi,$D2hi
34814 -+
34815 -+ vpaddq $D2hi,$H0,$H0
34816 -+
34817 -+ vpsrlq \$44,$H0,$tmp # additional step
34818 -+ vpandq $mask44,$H0,$H0
34819 -+
34820 -+ vpaddq $tmp,$H1,$H1
34821 -+
34822 -+ ################################################################
34823 -+
34824 -+ vmovq %x#$H0,0($ctx)
34825 -+ vmovq %x#$H1,8($ctx)
34826 -+ vmovq %x#$H2,16($ctx)
34827 -+ vzeroall
34828 -+
34829 -+.Lno_data_vpmadd52_8x:
34830 -+ ret
34831 -+.size poly1305_blocks_vpmadd52_8x,.-poly1305_blocks_vpmadd52_8x
34832 -+___
34833 -+}
34834 -+$code.=<<___;
34835 -+.type poly1305_emit_base2_44,\@function,3
34836 -+.align 32
34837 -+poly1305_emit_base2_44:
34838 -+ mov 0($ctx),%r8 # load hash value
34839 -+ mov 8($ctx),%r9
34840 -+ mov 16($ctx),%r10
34841 -+
34842 -+ mov %r9,%rax
34843 -+ shr \$20,%r9
34844 -+ shl \$44,%rax
34845 -+ mov %r10,%rcx
34846 -+ shr \$40,%r10
34847 -+ shl \$24,%rcx
34848 -+
34849 -+ add %rax,%r8
34850 -+ adc %rcx,%r9
34851 -+ adc \$0,%r10
34852 -+
34853 -+ mov %r8,%rax
34854 -+ add \$5,%r8 # compare to modulus
34855 -+ mov %r9,%rcx
34856 -+ adc \$0,%r9
34857 -+ adc \$0,%r10
34858 -+ shr \$2,%r10 # did 130-bit value overflow?
34859 -+ cmovnz %r8,%rax
34860 -+ cmovnz %r9,%rcx
34861 -+
34862 -+ add 0($nonce),%rax # accumulate nonce
34863 -+ adc 8($nonce),%rcx
34864 -+ mov %rax,0($mac) # write result
34865 -+ mov %rcx,8($mac)
34866 -+
34867 -+ ret
34868 -+.size poly1305_emit_base2_44,.-poly1305_emit_base2_44
34869 -+___
34870 -+} } }
34871 -+}
34872 -+
34873 -+if (!$kernel)
34874 -+{ # chacha20-poly1305 helpers
34875 -+my ($out,$inp,$otp,$len)=$win64 ? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
34876 -+ ("%rdi","%rsi","%rdx","%rcx"); # Unix order
34877 -+$code.=<<___;
34878 -+.globl xor128_encrypt_n_pad
34879 -+.type xor128_encrypt_n_pad,\@abi-omnipotent
34880 -+.align 16
34881 -+xor128_encrypt_n_pad:
34882 -+ sub $otp,$inp
34883 -+ sub $otp,$out
34884 -+ mov $len,%r10 # put len aside
34885 -+ shr \$4,$len # len / 16
34886 -+ jz .Ltail_enc
34887 -+ nop
34888 -+.Loop_enc_xmm:
34889 -+ movdqu ($inp,$otp),%xmm0
34890 -+ pxor ($otp),%xmm0
34891 -+ movdqu %xmm0,($out,$otp)
34892 -+ movdqa %xmm0,($otp)
34893 -+ lea 16($otp),$otp
34894 -+ dec $len
34895 -+ jnz .Loop_enc_xmm
34896 -+
34897 -+ and \$15,%r10 # len % 16
34898 -+ jz .Ldone_enc
34899 -+
34900 -+.Ltail_enc:
34901 -+ mov \$16,$len
34902 -+ sub %r10,$len
34903 -+ xor %eax,%eax
34904 -+.Loop_enc_byte:
34905 -+ mov ($inp,$otp),%al
34906 -+ xor ($otp),%al
34907 -+ mov %al,($out,$otp)
34908 -+ mov %al,($otp)
34909 -+ lea 1($otp),$otp
34910 -+ dec %r10
34911 -+ jnz .Loop_enc_byte
34912 -+
34913 -+ xor %eax,%eax
34914 -+.Loop_enc_pad:
34915 -+ mov %al,($otp)
34916 -+ lea 1($otp),$otp
34917 -+ dec $len
34918 -+ jnz .Loop_enc_pad
34919 -+
34920 -+.Ldone_enc:
34921 -+ mov $otp,%rax
34922 -+ ret
34923 -+.size xor128_encrypt_n_pad,.-xor128_encrypt_n_pad
34924 -+
34925 -+.globl xor128_decrypt_n_pad
34926 -+.type xor128_decrypt_n_pad,\@abi-omnipotent
34927 -+.align 16
34928 -+xor128_decrypt_n_pad:
34929 -+ sub $otp,$inp
34930 -+ sub $otp,$out
34931 -+ mov $len,%r10 # put len aside
34932 -+ shr \$4,$len # len / 16
34933 -+ jz .Ltail_dec
34934 -+ nop
34935 -+.Loop_dec_xmm:
34936 -+ movdqu ($inp,$otp),%xmm0
34937 -+ movdqa ($otp),%xmm1
34938 -+ pxor %xmm0,%xmm1
34939 -+ movdqu %xmm1,($out,$otp)
34940 -+ movdqa %xmm0,($otp)
34941 -+ lea 16($otp),$otp
34942 -+ dec $len
34943 -+ jnz .Loop_dec_xmm
34944 -+
34945 -+ pxor %xmm1,%xmm1
34946 -+ and \$15,%r10 # len % 16
34947 -+ jz .Ldone_dec
34948 -+
34949 -+.Ltail_dec:
34950 -+ mov \$16,$len
34951 -+ sub %r10,$len
34952 -+ xor %eax,%eax
34953 -+ xor %r11d,%r11d
34954 -+.Loop_dec_byte:
34955 -+ mov ($inp,$otp),%r11b
34956 -+ mov ($otp),%al
34957 -+ xor %r11b,%al
34958 -+ mov %al,($out,$otp)
34959 -+ mov %r11b,($otp)
34960 -+ lea 1($otp),$otp
34961 -+ dec %r10
34962 -+ jnz .Loop_dec_byte
34963 -+
34964 -+ xor %eax,%eax
34965 -+.Loop_dec_pad:
34966 -+ mov %al,($otp)
34967 -+ lea 1($otp),$otp
34968 -+ dec $len
34969 -+ jnz .Loop_dec_pad
34970 -+
34971 -+.Ldone_dec:
34972 -+ mov $otp,%rax
34973 -+ ret
34974 -+.size xor128_decrypt_n_pad,.-xor128_decrypt_n_pad
34975 -+___
34976 -+}
34977 -+
34978 -+# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
34979 -+# CONTEXT *context,DISPATCHER_CONTEXT *disp)
34980 -+if ($win64) {
34981 -+$rec="%rcx";
34982 -+$frame="%rdx";
34983 -+$context="%r8";
34984 -+$disp="%r9";
34985 -+
34986 -+$code.=<<___;
34987 -+.extern __imp_RtlVirtualUnwind
34988 -+.type se_handler,\@abi-omnipotent
34989 -+.align 16
34990 -+se_handler:
34991 -+ push %rsi
34992 -+ push %rdi
34993 -+ push %rbx
34994 -+ push %rbp
34995 -+ push %r12
34996 -+ push %r13
34997 -+ push %r14
34998 -+ push %r15
34999 -+ pushfq
35000 -+ sub \$64,%rsp
35001 -+
35002 -+ mov 120($context),%rax # pull context->Rax
35003 -+ mov 248($context),%rbx # pull context->Rip
35004 -+
35005 -+ mov 8($disp),%rsi # disp->ImageBase
35006 -+ mov 56($disp),%r11 # disp->HandlerData
35007 -+
35008 -+ mov 0(%r11),%r10d # HandlerData[0]
35009 -+ lea (%rsi,%r10),%r10 # prologue label
35010 -+ cmp %r10,%rbx # context->Rip<.Lprologue
35011 -+ jb .Lcommon_seh_tail
35012 -+
35013 -+ mov 152($context),%rax # pull context->Rsp
35014 -+
35015 -+ mov 4(%r11),%r10d # HandlerData[1]
35016 -+ lea (%rsi,%r10),%r10 # epilogue label
35017 -+ cmp %r10,%rbx # context->Rip>=.Lepilogue
35018 -+ jae .Lcommon_seh_tail
35019 -+
35020 -+ lea 48(%rax),%rax
35021 -+
35022 -+ mov -8(%rax),%rbx
35023 -+ mov -16(%rax),%rbp
35024 -+ mov -24(%rax),%r12
35025 -+ mov -32(%rax),%r13
35026 -+ mov -40(%rax),%r14
35027 -+ mov -48(%rax),%r15
35028 -+ mov %rbx,144($context) # restore context->Rbx
35029 -+ mov %rbp,160($context) # restore context->Rbp
35030 -+ mov %r12,216($context) # restore context->R12
35031 -+ mov %r13,224($context) # restore context->R13
35032 -+ mov %r14,232($context) # restore context->R14
35033 -+ mov %r15,240($context) # restore context->R14
35034 -+
35035 -+ jmp .Lcommon_seh_tail
35036 -+.size se_handler,.-se_handler
35037 -+
35038 -+.type avx_handler,\@abi-omnipotent
35039 -+.align 16
35040 -+avx_handler:
35041 -+ push %rsi
35042 -+ push %rdi
35043 -+ push %rbx
35044 -+ push %rbp
35045 -+ push %r12
35046 -+ push %r13
35047 -+ push %r14
35048 -+ push %r15
35049 -+ pushfq
35050 -+ sub \$64,%rsp
35051 -+
35052 -+ mov 120($context),%rax # pull context->Rax
35053 -+ mov 248($context),%rbx # pull context->Rip
35054 -+
35055 -+ mov 8($disp),%rsi # disp->ImageBase
35056 -+ mov 56($disp),%r11 # disp->HandlerData
35057 -+
35058 -+ mov 0(%r11),%r10d # HandlerData[0]
35059 -+ lea (%rsi,%r10),%r10 # prologue label
35060 -+ cmp %r10,%rbx # context->Rip<prologue label
35061 -+ jb .Lcommon_seh_tail
35062 -+
35063 -+ mov 152($context),%rax # pull context->Rsp
35064 -+
35065 -+ mov 4(%r11),%r10d # HandlerData[1]
35066 -+ lea (%rsi,%r10),%r10 # epilogue label
35067 -+ cmp %r10,%rbx # context->Rip>=epilogue label
35068 -+ jae .Lcommon_seh_tail
35069 -+
35070 -+ mov 208($context),%rax # pull context->R11
35071 -+
35072 -+ lea 0x50(%rax),%rsi
35073 -+ lea 0xf8(%rax),%rax
35074 -+ lea 512($context),%rdi # &context.Xmm6
35075 -+ mov \$20,%ecx
35076 -+ .long 0xa548f3fc # cld; rep movsq
35077 -+
35078 -+.Lcommon_seh_tail:
35079 -+ mov 8(%rax),%rdi
35080 -+ mov 16(%rax),%rsi
35081 -+ mov %rax,152($context) # restore context->Rsp
35082 -+ mov %rsi,168($context) # restore context->Rsi
35083 -+ mov %rdi,176($context) # restore context->Rdi
35084 -+
35085 -+ mov 40($disp),%rdi # disp->ContextRecord
35086 -+ mov $context,%rsi # context
35087 -+ mov \$154,%ecx # sizeof(CONTEXT)
35088 -+ .long 0xa548f3fc # cld; rep movsq
35089 -+
35090 -+ mov $disp,%rsi
35091 -+ xor %ecx,%ecx # arg1, UNW_FLAG_NHANDLER
35092 -+ mov 8(%rsi),%rdx # arg2, disp->ImageBase
35093 -+ mov 0(%rsi),%r8 # arg3, disp->ControlPc
35094 -+ mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
35095 -+ mov 40(%rsi),%r10 # disp->ContextRecord
35096 -+ lea 56(%rsi),%r11 # &disp->HandlerData
35097 -+ lea 24(%rsi),%r12 # &disp->EstablisherFrame
35098 -+ mov %r10,32(%rsp) # arg5
35099 -+ mov %r11,40(%rsp) # arg6
35100 -+ mov %r12,48(%rsp) # arg7
35101 -+ mov %rcx,56(%rsp) # arg8, (NULL)
35102 -+ call *__imp_RtlVirtualUnwind(%rip)
35103 -+
35104 -+ mov \$1,%eax # ExceptionContinueSearch
35105 -+ add \$64,%rsp
35106 -+ popfq
35107 -+ pop %r15
35108 -+ pop %r14
35109 -+ pop %r13
35110 -+ pop %r12
35111 -+ pop %rbp
35112 -+ pop %rbx
35113 -+ pop %rdi
35114 -+ pop %rsi
35115 -+ ret
35116 -+.size avx_handler,.-avx_handler
35117 -+
35118 -+.section .pdata
35119 -+.align 4
35120 -+ .rva .LSEH_begin_poly1305_init_x86_64
35121 -+ .rva .LSEH_end_poly1305_init_x86_64
35122 -+ .rva .LSEH_info_poly1305_init_x86_64
35123 -+
35124 -+ .rva .LSEH_begin_poly1305_blocks_x86_64
35125 -+ .rva .LSEH_end_poly1305_blocks_x86_64
35126 -+ .rva .LSEH_info_poly1305_blocks_x86_64
35127 -+
35128 -+ .rva .LSEH_begin_poly1305_emit_x86_64
35129 -+ .rva .LSEH_end_poly1305_emit_x86_64
35130 -+ .rva .LSEH_info_poly1305_emit_x86_64
35131 -+___
35132 -+$code.=<<___ if ($avx);
35133 -+ .rva .LSEH_begin_poly1305_blocks_avx
35134 -+ .rva .Lbase2_64_avx
35135 -+ .rva .LSEH_info_poly1305_blocks_avx_1
35136 -+
35137 -+ .rva .Lbase2_64_avx
35138 -+ .rva .Leven_avx
35139 -+ .rva .LSEH_info_poly1305_blocks_avx_2
35140 -+
35141 -+ .rva .Leven_avx
35142 -+ .rva .LSEH_end_poly1305_blocks_avx
35143 -+ .rva .LSEH_info_poly1305_blocks_avx_3
35144 -+
35145 -+ .rva .LSEH_begin_poly1305_emit_avx
35146 -+ .rva .LSEH_end_poly1305_emit_avx
35147 -+ .rva .LSEH_info_poly1305_emit_avx
35148 -+___
35149 -+$code.=<<___ if ($avx>1);
35150 -+ .rva .LSEH_begin_poly1305_blocks_avx2
35151 -+ .rva .Lbase2_64_avx2
35152 -+ .rva .LSEH_info_poly1305_blocks_avx2_1
35153 -+
35154 -+ .rva .Lbase2_64_avx2
35155 -+ .rva .Leven_avx2
35156 -+ .rva .LSEH_info_poly1305_blocks_avx2_2
35157 -+
35158 -+ .rva .Leven_avx2
35159 -+ .rva .LSEH_end_poly1305_blocks_avx2
35160 -+ .rva .LSEH_info_poly1305_blocks_avx2_3
35161 -+___
35162 -+$code.=<<___ if ($avx>2);
35163 -+ .rva .LSEH_begin_poly1305_blocks_avx512
35164 -+ .rva .LSEH_end_poly1305_blocks_avx512
35165 -+ .rva .LSEH_info_poly1305_blocks_avx512
35166 -+___
35167 -+$code.=<<___;
35168 -+.section .xdata
35169 -+.align 8
35170 -+.LSEH_info_poly1305_init_x86_64:
35171 -+ .byte 9,0,0,0
35172 -+ .rva se_handler
35173 -+ .rva .LSEH_begin_poly1305_init_x86_64,.LSEH_begin_poly1305_init_x86_64
35174 -+
35175 -+.LSEH_info_poly1305_blocks_x86_64:
35176 -+ .byte 9,0,0,0
35177 -+ .rva se_handler
35178 -+ .rva .Lblocks_body,.Lblocks_epilogue
35179 -+
35180 -+.LSEH_info_poly1305_emit_x86_64:
35181 -+ .byte 9,0,0,0
35182 -+ .rva se_handler
35183 -+ .rva .LSEH_begin_poly1305_emit_x86_64,.LSEH_begin_poly1305_emit_x86_64
35184 -+___
35185 -+$code.=<<___ if ($avx);
35186 -+.LSEH_info_poly1305_blocks_avx_1:
35187 -+ .byte 9,0,0,0
35188 -+ .rva se_handler
35189 -+ .rva .Lblocks_avx_body,.Lblocks_avx_epilogue # HandlerData[]
35190 -+
35191 -+.LSEH_info_poly1305_blocks_avx_2:
35192 -+ .byte 9,0,0,0
35193 -+ .rva se_handler
35194 -+ .rva .Lbase2_64_avx_body,.Lbase2_64_avx_epilogue # HandlerData[]
35195 -+
35196 -+.LSEH_info_poly1305_blocks_avx_3:
35197 -+ .byte 9,0,0,0
35198 -+ .rva avx_handler
35199 -+ .rva .Ldo_avx_body,.Ldo_avx_epilogue # HandlerData[]
35200 -+
35201 -+.LSEH_info_poly1305_emit_avx:
35202 -+ .byte 9,0,0,0
35203 -+ .rva se_handler
35204 -+ .rva .LSEH_begin_poly1305_emit_avx,.LSEH_begin_poly1305_emit_avx
35205 -+___
35206 -+$code.=<<___ if ($avx>1);
35207 -+.LSEH_info_poly1305_blocks_avx2_1:
35208 -+ .byte 9,0,0,0
35209 -+ .rva se_handler
35210 -+ .rva .Lblocks_avx2_body,.Lblocks_avx2_epilogue # HandlerData[]
35211 -+
35212 -+.LSEH_info_poly1305_blocks_avx2_2:
35213 -+ .byte 9,0,0,0
35214 -+ .rva se_handler
35215 -+ .rva .Lbase2_64_avx2_body,.Lbase2_64_avx2_epilogue # HandlerData[]
35216 -+
35217 -+.LSEH_info_poly1305_blocks_avx2_3:
35218 -+ .byte 9,0,0,0
35219 -+ .rva avx_handler
35220 -+ .rva .Ldo_avx2_body,.Ldo_avx2_epilogue # HandlerData[]
35221 -+___
35222 -+$code.=<<___ if ($avx>2);
35223 -+.LSEH_info_poly1305_blocks_avx512:
35224 -+ .byte 9,0,0,0
35225 -+ .rva avx_handler
35226 -+ .rva .Ldo_avx512_body,.Ldo_avx512_epilogue # HandlerData[]
35227 -+___
35228 -+}
35229 -+
35230 -+open SELF,$0;
35231 -+while(<SELF>) {
35232 -+ next if (/^#!/);
35233 -+ last if (!s/^#/\/\// and !/^$/);
35234 -+ print;
35235 -+}
35236 -+close SELF;
35237 -+
35238 -+foreach (split('\n',$code)) {
35239 -+ s/\`([^\`]*)\`/eval($1)/ge;
35240 -+ s/%r([a-z]+)#d/%e$1/g;
35241 -+ s/%r([0-9]+)#d/%r$1d/g;
35242 -+ s/%x#%[yz]/%x/g or s/%y#%z/%y/g or s/%z#%[yz]/%z/g;
35243 -+
35244 -+ if ($kernel) {
35245 -+ s/(^\.type.*),[0-9]+$/\1/;
35246 -+ s/(^\.type.*),\@abi-omnipotent+$/\1,\@function/;
35247 -+ next if /^\.cfi.*/;
35248 -+ }
35249 -+
35250 -+ print $_,"\n";
35251 -+}
35252 -+close STDOUT;
35253 ---- b/arch/x86/crypto/.gitignore
35254 -+++ b/arch/x86/crypto/.gitignore
35255 -@@ -0,0 +1 @@
35256 -+poly1305-x86_64-cryptogams.S
35257 ---- a/arch/x86/crypto/poly1305-sse2-x86_64.S
35258 -+++ /dev/null
35259 -@@ -1,590 +0,0 @@
35260 --/* SPDX-License-Identifier: GPL-2.0-or-later */
35261 --/*
35262 -- * Poly1305 authenticator algorithm, RFC7539, x64 SSE2 functions
35263 -- *
35264 -- * Copyright (C) 2015 Martin Willi
35265 -- */
35266 --
35267 --#include <linux/linkage.h>
35268 --
35269 --.section .rodata.cst16.ANMASK, "aM", @progbits, 16
35270 --.align 16
35271 --ANMASK: .octa 0x0000000003ffffff0000000003ffffff
35272 --
35273 --.section .rodata.cst16.ORMASK, "aM", @progbits, 16
35274 --.align 16
35275 --ORMASK: .octa 0x00000000010000000000000001000000
35276 --
35277 --.text
35278 --
35279 --#define h0 0x00(%rdi)
35280 --#define h1 0x04(%rdi)
35281 --#define h2 0x08(%rdi)
35282 --#define h3 0x0c(%rdi)
35283 --#define h4 0x10(%rdi)
35284 --#define r0 0x00(%rdx)
35285 --#define r1 0x04(%rdx)
35286 --#define r2 0x08(%rdx)
35287 --#define r3 0x0c(%rdx)
35288 --#define r4 0x10(%rdx)
35289 --#define s1 0x00(%rsp)
35290 --#define s2 0x04(%rsp)
35291 --#define s3 0x08(%rsp)
35292 --#define s4 0x0c(%rsp)
35293 --#define m %rsi
35294 --#define h01 %xmm0
35295 --#define h23 %xmm1
35296 --#define h44 %xmm2
35297 --#define t1 %xmm3
35298 --#define t2 %xmm4
35299 --#define t3 %xmm5
35300 --#define t4 %xmm6
35301 --#define mask %xmm7
35302 --#define d0 %r8
35303 --#define d1 %r9
35304 --#define d2 %r10
35305 --#define d3 %r11
35306 --#define d4 %r12
35307 --
35308 --ENTRY(poly1305_block_sse2)
35309 -- # %rdi: Accumulator h[5]
35310 -- # %rsi: 16 byte input block m
35311 -- # %rdx: Poly1305 key r[5]
35312 -- # %rcx: Block count
35313 --
35314 -- # This single block variant tries to improve performance by doing two
35315 -- # multiplications in parallel using SSE instructions. There is quite
35316 -- # some quardword packing involved, hence the speedup is marginal.
35317 --
35318 -- push %rbx
35319 -- push %r12
35320 -- sub $0x10,%rsp
35321 --
35322 -- # s1..s4 = r1..r4 * 5
35323 -- mov r1,%eax
35324 -- lea (%eax,%eax,4),%eax
35325 -- mov %eax,s1
35326 -- mov r2,%eax
35327 -- lea (%eax,%eax,4),%eax
35328 -- mov %eax,s2
35329 -- mov r3,%eax
35330 -- lea (%eax,%eax,4),%eax
35331 -- mov %eax,s3
35332 -- mov r4,%eax
35333 -- lea (%eax,%eax,4),%eax
35334 -- mov %eax,s4
35335 --
35336 -- movdqa ANMASK(%rip),mask
35337 --
35338 --.Ldoblock:
35339 -- # h01 = [0, h1, 0, h0]
35340 -- # h23 = [0, h3, 0, h2]
35341 -- # h44 = [0, h4, 0, h4]
35342 -- movd h0,h01
35343 -- movd h1,t1
35344 -- movd h2,h23
35345 -- movd h3,t2
35346 -- movd h4,h44
35347 -- punpcklqdq t1,h01
35348 -- punpcklqdq t2,h23
35349 -- punpcklqdq h44,h44
35350 --
35351 -- # h01 += [ (m[3-6] >> 2) & 0x3ffffff, m[0-3] & 0x3ffffff ]
35352 -- movd 0x00(m),t1
35353 -- movd 0x03(m),t2
35354 -- psrld $2,t2
35355 -- punpcklqdq t2,t1
35356 -- pand mask,t1
35357 -- paddd t1,h01
35358 -- # h23 += [ (m[9-12] >> 6) & 0x3ffffff, (m[6-9] >> 4) & 0x3ffffff ]
35359 -- movd 0x06(m),t1
35360 -- movd 0x09(m),t2
35361 -- psrld $4,t1
35362 -- psrld $6,t2
35363 -- punpcklqdq t2,t1
35364 -- pand mask,t1
35365 -- paddd t1,h23
35366 -- # h44 += [ (m[12-15] >> 8) | (1 << 24), (m[12-15] >> 8) | (1 << 24) ]
35367 -- mov 0x0c(m),%eax
35368 -- shr $8,%eax
35369 -- or $0x01000000,%eax
35370 -- movd %eax,t1
35371 -- pshufd $0xc4,t1,t1
35372 -- paddd t1,h44
35373 --
35374 -- # t1[0] = h0 * r0 + h2 * s3
35375 -- # t1[1] = h1 * s4 + h3 * s2
35376 -- movd r0,t1
35377 -- movd s4,t2
35378 -- punpcklqdq t2,t1
35379 -- pmuludq h01,t1
35380 -- movd s3,t2
35381 -- movd s2,t3
35382 -- punpcklqdq t3,t2
35383 -- pmuludq h23,t2
35384 -- paddq t2,t1
35385 -- # t2[0] = h0 * r1 + h2 * s4
35386 -- # t2[1] = h1 * r0 + h3 * s3
35387 -- movd r1,t2
35388 -- movd r0,t3
35389 -- punpcklqdq t3,t2
35390 -- pmuludq h01,t2
35391 -- movd s4,t3
35392 -- movd s3,t4
35393 -- punpcklqdq t4,t3
35394 -- pmuludq h23,t3
35395 -- paddq t3,t2
35396 -- # t3[0] = h4 * s1
35397 -- # t3[1] = h4 * s2
35398 -- movd s1,t3
35399 -- movd s2,t4
35400 -- punpcklqdq t4,t3
35401 -- pmuludq h44,t3
35402 -- # d0 = t1[0] + t1[1] + t3[0]
35403 -- # d1 = t2[0] + t2[1] + t3[1]
35404 -- movdqa t1,t4
35405 -- punpcklqdq t2,t4
35406 -- punpckhqdq t2,t1
35407 -- paddq t4,t1
35408 -- paddq t3,t1
35409 -- movq t1,d0
35410 -- psrldq $8,t1
35411 -- movq t1,d1
35412 --
35413 -- # t1[0] = h0 * r2 + h2 * r0
35414 -- # t1[1] = h1 * r1 + h3 * s4
35415 -- movd r2,t1
35416 -- movd r1,t2
35417 -- punpcklqdq t2,t1
35418 -- pmuludq h01,t1
35419 -- movd r0,t2
35420 -- movd s4,t3
35421 -- punpcklqdq t3,t2
35422 -- pmuludq h23,t2
35423 -- paddq t2,t1
35424 -- # t2[0] = h0 * r3 + h2 * r1
35425 -- # t2[1] = h1 * r2 + h3 * r0
35426 -- movd r3,t2
35427 -- movd r2,t3
35428 -- punpcklqdq t3,t2
35429 -- pmuludq h01,t2
35430 -- movd r1,t3
35431 -- movd r0,t4
35432 -- punpcklqdq t4,t3
35433 -- pmuludq h23,t3
35434 -- paddq t3,t2
35435 -- # t3[0] = h4 * s3
35436 -- # t3[1] = h4 * s4
35437 -- movd s3,t3
35438 -- movd s4,t4
35439 -- punpcklqdq t4,t3
35440 -- pmuludq h44,t3
35441 -- # d2 = t1[0] + t1[1] + t3[0]
35442 -- # d3 = t2[0] + t2[1] + t3[1]
35443 -- movdqa t1,t4
35444 -- punpcklqdq t2,t4
35445 -- punpckhqdq t2,t1
35446 -- paddq t4,t1
35447 -- paddq t3,t1
35448 -- movq t1,d2
35449 -- psrldq $8,t1
35450 -- movq t1,d3
35451 --
35452 -- # t1[0] = h0 * r4 + h2 * r2
35453 -- # t1[1] = h1 * r3 + h3 * r1
35454 -- movd r4,t1
35455 -- movd r3,t2
35456 -- punpcklqdq t2,t1
35457 -- pmuludq h01,t1
35458 -- movd r2,t2
35459 -- movd r1,t3
35460 -- punpcklqdq t3,t2
35461 -- pmuludq h23,t2
35462 -- paddq t2,t1
35463 -- # t3[0] = h4 * r0
35464 -- movd r0,t3
35465 -- pmuludq h44,t3
35466 -- # d4 = t1[0] + t1[1] + t3[0]
35467 -- movdqa t1,t4
35468 -- psrldq $8,t4
35469 -- paddq t4,t1
35470 -- paddq t3,t1
35471 -- movq t1,d4
35472 --
35473 -- # d1 += d0 >> 26
35474 -- mov d0,%rax
35475 -- shr $26,%rax
35476 -- add %rax,d1
35477 -- # h0 = d0 & 0x3ffffff
35478 -- mov d0,%rbx
35479 -- and $0x3ffffff,%ebx
35480 --
35481 -- # d2 += d1 >> 26
35482 -- mov d1,%rax
35483 -- shr $26,%rax
35484 -- add %rax,d2
35485 -- # h1 = d1 & 0x3ffffff
35486 -- mov d1,%rax
35487 -- and $0x3ffffff,%eax
35488 -- mov %eax,h1
35489 --
35490 -- # d3 += d2 >> 26
35491 -- mov d2,%rax
35492 -- shr $26,%rax
35493 -- add %rax,d3
35494 -- # h2 = d2 & 0x3ffffff
35495 -- mov d2,%rax
35496 -- and $0x3ffffff,%eax
35497 -- mov %eax,h2
35498 --
35499 -- # d4 += d3 >> 26
35500 -- mov d3,%rax
35501 -- shr $26,%rax
35502 -- add %rax,d4
35503 -- # h3 = d3 & 0x3ffffff
35504 -- mov d3,%rax
35505 -- and $0x3ffffff,%eax
35506 -- mov %eax,h3
35507 --
35508 -- # h0 += (d4 >> 26) * 5
35509 -- mov d4,%rax
35510 -- shr $26,%rax
35511 -- lea (%rax,%rax,4),%rax
35512 -- add %rax,%rbx
35513 -- # h4 = d4 & 0x3ffffff
35514 -- mov d4,%rax
35515 -- and $0x3ffffff,%eax
35516 -- mov %eax,h4
35517 --
35518 -- # h1 += h0 >> 26
35519 -- mov %rbx,%rax
35520 -- shr $26,%rax
35521 -- add %eax,h1
35522 -- # h0 = h0 & 0x3ffffff
35523 -- andl $0x3ffffff,%ebx
35524 -- mov %ebx,h0
35525 --
35526 -- add $0x10,m
35527 -- dec %rcx
35528 -- jnz .Ldoblock
35529 --
35530 -- # Zeroing of key material
35531 -- mov %rcx,0x00(%rsp)
35532 -- mov %rcx,0x08(%rsp)
35533 --
35534 -- add $0x10,%rsp
35535 -- pop %r12
35536 -- pop %rbx
35537 -- ret
35538 --ENDPROC(poly1305_block_sse2)
35539 --
35540 --
35541 --#define u0 0x00(%r8)
35542 --#define u1 0x04(%r8)
35543 --#define u2 0x08(%r8)
35544 --#define u3 0x0c(%r8)
35545 --#define u4 0x10(%r8)
35546 --#define hc0 %xmm0
35547 --#define hc1 %xmm1
35548 --#define hc2 %xmm2
35549 --#define hc3 %xmm5
35550 --#define hc4 %xmm6
35551 --#define ru0 %xmm7
35552 --#define ru1 %xmm8
35553 --#define ru2 %xmm9
35554 --#define ru3 %xmm10
35555 --#define ru4 %xmm11
35556 --#define sv1 %xmm12
35557 --#define sv2 %xmm13
35558 --#define sv3 %xmm14
35559 --#define sv4 %xmm15
35560 --#undef d0
35561 --#define d0 %r13
35562 --
35563 --ENTRY(poly1305_2block_sse2)
35564 -- # %rdi: Accumulator h[5]
35565 -- # %rsi: 16 byte input block m
35566 -- # %rdx: Poly1305 key r[5]
35567 -- # %rcx: Doubleblock count
35568 -- # %r8: Poly1305 derived key r^2 u[5]
35569 --
35570 -- # This two-block variant further improves performance by using loop
35571 -- # unrolled block processing. This is more straight forward and does
35572 -- # less byte shuffling, but requires a second Poly1305 key r^2:
35573 -- # h = (h + m) * r => h = (h + m1) * r^2 + m2 * r
35574 --
35575 -- push %rbx
35576 -- push %r12
35577 -- push %r13
35578 --
35579 -- # combine r0,u0
35580 -- movd u0,ru0
35581 -- movd r0,t1
35582 -- punpcklqdq t1,ru0
35583 --
35584 -- # combine r1,u1 and s1=r1*5,v1=u1*5
35585 -- movd u1,ru1
35586 -- movd r1,t1
35587 -- punpcklqdq t1,ru1
35588 -- movdqa ru1,sv1
35589 -- pslld $2,sv1
35590 -- paddd ru1,sv1
35591 --
35592 -- # combine r2,u2 and s2=r2*5,v2=u2*5
35593 -- movd u2,ru2
35594 -- movd r2,t1
35595 -- punpcklqdq t1,ru2
35596 -- movdqa ru2,sv2
35597 -- pslld $2,sv2
35598 -- paddd ru2,sv2
35599 --
35600 -- # combine r3,u3 and s3=r3*5,v3=u3*5
35601 -- movd u3,ru3
35602 -- movd r3,t1
35603 -- punpcklqdq t1,ru3
35604 -- movdqa ru3,sv3
35605 -- pslld $2,sv3
35606 -- paddd ru3,sv3
35607 --
35608 -- # combine r4,u4 and s4=r4*5,v4=u4*5
35609 -- movd u4,ru4
35610 -- movd r4,t1
35611 -- punpcklqdq t1,ru4
35612 -- movdqa ru4,sv4
35613 -- pslld $2,sv4
35614 -- paddd ru4,sv4
35615 --
35616 --.Ldoblock2:
35617 -- # hc0 = [ m[16-19] & 0x3ffffff, h0 + m[0-3] & 0x3ffffff ]
35618 -- movd 0x00(m),hc0
35619 -- movd 0x10(m),t1
35620 -- punpcklqdq t1,hc0
35621 -- pand ANMASK(%rip),hc0
35622 -- movd h0,t1
35623 -- paddd t1,hc0
35624 -- # hc1 = [ (m[19-22] >> 2) & 0x3ffffff, h1 + (m[3-6] >> 2) & 0x3ffffff ]
35625 -- movd 0x03(m),hc1
35626 -- movd 0x13(m),t1
35627 -- punpcklqdq t1,hc1
35628 -- psrld $2,hc1
35629 -- pand ANMASK(%rip),hc1
35630 -- movd h1,t1
35631 -- paddd t1,hc1
35632 -- # hc2 = [ (m[22-25] >> 4) & 0x3ffffff, h2 + (m[6-9] >> 4) & 0x3ffffff ]
35633 -- movd 0x06(m),hc2
35634 -- movd 0x16(m),t1
35635 -- punpcklqdq t1,hc2
35636 -- psrld $4,hc2
35637 -- pand ANMASK(%rip),hc2
35638 -- movd h2,t1
35639 -- paddd t1,hc2
35640 -- # hc3 = [ (m[25-28] >> 6) & 0x3ffffff, h3 + (m[9-12] >> 6) & 0x3ffffff ]
35641 -- movd 0x09(m),hc3
35642 -- movd 0x19(m),t1
35643 -- punpcklqdq t1,hc3
35644 -- psrld $6,hc3
35645 -- pand ANMASK(%rip),hc3
35646 -- movd h3,t1
35647 -- paddd t1,hc3
35648 -- # hc4 = [ (m[28-31] >> 8) | (1<<24), h4 + (m[12-15] >> 8) | (1<<24) ]
35649 -- movd 0x0c(m),hc4
35650 -- movd 0x1c(m),t1
35651 -- punpcklqdq t1,hc4
35652 -- psrld $8,hc4
35653 -- por ORMASK(%rip),hc4
35654 -- movd h4,t1
35655 -- paddd t1,hc4
35656 --
35657 -- # t1 = [ hc0[1] * r0, hc0[0] * u0 ]
35658 -- movdqa ru0,t1
35659 -- pmuludq hc0,t1
35660 -- # t1 += [ hc1[1] * s4, hc1[0] * v4 ]
35661 -- movdqa sv4,t2
35662 -- pmuludq hc1,t2
35663 -- paddq t2,t1
35664 -- # t1 += [ hc2[1] * s3, hc2[0] * v3 ]
35665 -- movdqa sv3,t2
35666 -- pmuludq hc2,t2
35667 -- paddq t2,t1
35668 -- # t1 += [ hc3[1] * s2, hc3[0] * v2 ]
35669 -- movdqa sv2,t2
35670 -- pmuludq hc3,t2
35671 -- paddq t2,t1
35672 -- # t1 += [ hc4[1] * s1, hc4[0] * v1 ]
35673 -- movdqa sv1,t2
35674 -- pmuludq hc4,t2
35675 -- paddq t2,t1
35676 -- # d0 = t1[0] + t1[1]
35677 -- movdqa t1,t2
35678 -- psrldq $8,t2
35679 -- paddq t2,t1
35680 -- movq t1,d0
35681 --
35682 -- # t1 = [ hc0[1] * r1, hc0[0] * u1 ]
35683 -- movdqa ru1,t1
35684 -- pmuludq hc0,t1
35685 -- # t1 += [ hc1[1] * r0, hc1[0] * u0 ]
35686 -- movdqa ru0,t2
35687 -- pmuludq hc1,t2
35688 -- paddq t2,t1
35689 -- # t1 += [ hc2[1] * s4, hc2[0] * v4 ]
35690 -- movdqa sv4,t2
35691 -- pmuludq hc2,t2
35692 -- paddq t2,t1
35693 -- # t1 += [ hc3[1] * s3, hc3[0] * v3 ]
35694 -- movdqa sv3,t2
35695 -- pmuludq hc3,t2
35696 -- paddq t2,t1
35697 -- # t1 += [ hc4[1] * s2, hc4[0] * v2 ]
35698 -- movdqa sv2,t2
35699 -- pmuludq hc4,t2
35700 -- paddq t2,t1
35701 -- # d1 = t1[0] + t1[1]
35702 -- movdqa t1,t2
35703 -- psrldq $8,t2
35704 -- paddq t2,t1
35705 -- movq t1,d1
35706 --
35707 -- # t1 = [ hc0[1] * r2, hc0[0] * u2 ]
35708 -- movdqa ru2,t1
35709 -- pmuludq hc0,t1
35710 -- # t1 += [ hc1[1] * r1, hc1[0] * u1 ]
35711 -- movdqa ru1,t2
35712 -- pmuludq hc1,t2
35713 -- paddq t2,t1
35714 -- # t1 += [ hc2[1] * r0, hc2[0] * u0 ]
35715 -- movdqa ru0,t2
35716 -- pmuludq hc2,t2
35717 -- paddq t2,t1
35718 -- # t1 += [ hc3[1] * s4, hc3[0] * v4 ]
35719 -- movdqa sv4,t2
35720 -- pmuludq hc3,t2
35721 -- paddq t2,t1
35722 -- # t1 += [ hc4[1] * s3, hc4[0] * v3 ]
35723 -- movdqa sv3,t2
35724 -- pmuludq hc4,t2
35725 -- paddq t2,t1
35726 -- # d2 = t1[0] + t1[1]
35727 -- movdqa t1,t2
35728 -- psrldq $8,t2
35729 -- paddq t2,t1
35730 -- movq t1,d2
35731 --
35732 -- # t1 = [ hc0[1] * r3, hc0[0] * u3 ]
35733 -- movdqa ru3,t1
35734 -- pmuludq hc0,t1
35735 -- # t1 += [ hc1[1] * r2, hc1[0] * u2 ]
35736 -- movdqa ru2,t2
35737 -- pmuludq hc1,t2
35738 -- paddq t2,t1
35739 -- # t1 += [ hc2[1] * r1, hc2[0] * u1 ]
35740 -- movdqa ru1,t2
35741 -- pmuludq hc2,t2
35742 -- paddq t2,t1
35743 -- # t1 += [ hc3[1] * r0, hc3[0] * u0 ]
35744 -- movdqa ru0,t2
35745 -- pmuludq hc3,t2
35746 -- paddq t2,t1
35747 -- # t1 += [ hc4[1] * s4, hc4[0] * v4 ]
35748 -- movdqa sv4,t2
35749 -- pmuludq hc4,t2
35750 -- paddq t2,t1
35751 -- # d3 = t1[0] + t1[1]
35752 -- movdqa t1,t2
35753 -- psrldq $8,t2
35754 -- paddq t2,t1
35755 -- movq t1,d3
35756 --
35757 -- # t1 = [ hc0[1] * r4, hc0[0] * u4 ]
35758 -- movdqa ru4,t1
35759 -- pmuludq hc0,t1
35760 -- # t1 += [ hc1[1] * r3, hc1[0] * u3 ]
35761 -- movdqa ru3,t2
35762 -- pmuludq hc1,t2
35763 -- paddq t2,t1
35764 -- # t1 += [ hc2[1] * r2, hc2[0] * u2 ]
35765 -- movdqa ru2,t2
35766 -- pmuludq hc2,t2
35767 -- paddq t2,t1
35768 -- # t1 += [ hc3[1] * r1, hc3[0] * u1 ]
35769 -- movdqa ru1,t2
35770 -- pmuludq hc3,t2
35771 -- paddq t2,t1
35772 -- # t1 += [ hc4[1] * r0, hc4[0] * u0 ]
35773 -- movdqa ru0,t2
35774 -- pmuludq hc4,t2
35775 -- paddq t2,t1
35776 -- # d4 = t1[0] + t1[1]
35777 -- movdqa t1,t2
35778 -- psrldq $8,t2
35779 -- paddq t2,t1
35780 -- movq t1,d4
35781 --
35782 -- # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
35783 -- # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
35784 -- # amount. Careful: we must not assume the carry bits 'd0 >> 26',
35785 -- # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
35786 -- # integers. It's true in a single-block implementation, but not here.
35787 --
35788 -- # d1 += d0 >> 26
35789 -- mov d0,%rax
35790 -- shr $26,%rax
35791 -- add %rax,d1
35792 -- # h0 = d0 & 0x3ffffff
35793 -- mov d0,%rbx
35794 -- and $0x3ffffff,%ebx
35795 --
35796 -- # d2 += d1 >> 26
35797 -- mov d1,%rax
35798 -- shr $26,%rax
35799 -- add %rax,d2
35800 -- # h1 = d1 & 0x3ffffff
35801 -- mov d1,%rax
35802 -- and $0x3ffffff,%eax
35803 -- mov %eax,h1
35804 --
35805 -- # d3 += d2 >> 26
35806 -- mov d2,%rax
35807 -- shr $26,%rax
35808 -- add %rax,d3
35809 -- # h2 = d2 & 0x3ffffff
35810 -- mov d2,%rax
35811 -- and $0x3ffffff,%eax
35812 -- mov %eax,h2
35813 --
35814 -- # d4 += d3 >> 26
35815 -- mov d3,%rax
35816 -- shr $26,%rax
35817 -- add %rax,d4
35818 -- # h3 = d3 & 0x3ffffff
35819 -- mov d3,%rax
35820 -- and $0x3ffffff,%eax
35821 -- mov %eax,h3
35822 --
35823 -- # h0 += (d4 >> 26) * 5
35824 -- mov d4,%rax
35825 -- shr $26,%rax
35826 -- lea (%rax,%rax,4),%rax
35827 -- add %rax,%rbx
35828 -- # h4 = d4 & 0x3ffffff
35829 -- mov d4,%rax
35830 -- and $0x3ffffff,%eax
35831 -- mov %eax,h4
35832 --
35833 -- # h1 += h0 >> 26
35834 -- mov %rbx,%rax
35835 -- shr $26,%rax
35836 -- add %eax,h1
35837 -- # h0 = h0 & 0x3ffffff
35838 -- andl $0x3ffffff,%ebx
35839 -- mov %ebx,h0
35840 --
35841 -- add $0x20,m
35842 -- dec %rcx
35843 -- jnz .Ldoblock2
35844 --
35845 -- pop %r13
35846 -- pop %r12
35847 -- pop %rbx
35848 -- ret
35849 --ENDPROC(poly1305_2block_sse2)
35850 ---- /dev/null
35851 -+++ b/lib/crypto/curve25519-generic.c
35852 -@@ -0,0 +1,24 @@
35853 -+// SPDX-License-Identifier: GPL-2.0 OR MIT
35854 -+/*
35855 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
35856 -+ *
35857 -+ * This is an implementation of the Curve25519 ECDH algorithm, using either
35858 -+ * a 32-bit implementation or a 64-bit implementation with 128-bit integers,
35859 -+ * depending on what is supported by the target compiler.
35860 -+ *
35861 -+ * Information: https://cr.yp.to/ecdh.html
35862 -+ */
35863 -+
35864 -+#include <crypto/curve25519.h>
35865 -+#include <linux/module.h>
35866 -+
35867 -+const u8 curve25519_null_point[CURVE25519_KEY_SIZE] __aligned(32) = { 0 };
35868 -+const u8 curve25519_base_point[CURVE25519_KEY_SIZE] __aligned(32) = { 9 };
35869 -+
35870 -+EXPORT_SYMBOL(curve25519_null_point);
35871 -+EXPORT_SYMBOL(curve25519_base_point);
35872 -+EXPORT_SYMBOL(curve25519_generic);
35873 -+
35874 -+MODULE_LICENSE("GPL v2");
35875 -+MODULE_DESCRIPTION("Curve25519 scalar multiplication");
35876 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
35877 ---- a/arch/x86/Makefile
35878 -+++ b/arch/x86/Makefile
35879 -@@ -194,9 +194,10 @@ avx2_instr :=$(call as-instr,vpbroadcastb %xmm0$(comma)%ymm1,-DCONFIG_AS_AVX2=1)
35880 - avx512_instr :=$(call as-instr,vpmovm2b %k1$(comma)%zmm5,-DCONFIG_AS_AVX512=1)
35881 - sha1_ni_instr :=$(call as-instr,sha1msg1 %xmm0$(comma)%xmm1,-DCONFIG_AS_SHA1_NI=1)
35882 - sha256_ni_instr :=$(call as-instr,sha256msg1 %xmm0$(comma)%xmm1,-DCONFIG_AS_SHA256_NI=1)
35883 -+adx_instr := $(call as-instr,adox %r10$(comma)%r10,-DCONFIG_AS_ADX=1)
35884 -
35885 --KBUILD_AFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr)
35886 --KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr)
35887 -+KBUILD_AFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr) $(adx_instr)
35888 -+KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr) $(adx_instr)
35889 -
35890 - KBUILD_LDFLAGS := -m elf_$(UTS_MACHINE)
35891 -
35892 ---- a/arch/arm/crypto/.gitignore
35893 -+++ b/arch/arm/crypto/.gitignore
35894 -@@ -1,3 +1,4 @@
35895 - aesbs-core.S
35896 - sha256-core.S
35897 - sha512-core.S
35898 -+poly1305-core.S
35899 ---- a/arch/arm64/crypto/.gitignore
35900 -+++ b/arch/arm64/crypto/.gitignore
35901 -@@ -1,2 +1,3 @@
35902 - sha256-core.S
35903 - sha512-core.S
35904 -+poly1305-core.S
35905 ---- a/arch/x86/crypto/chacha-ssse3-x86_64.S
35906 -+++ b/arch/x86/crypto/chacha-ssse3-x86_64.S
35907 -@@ -120,10 +120,10 @@ ENTRY(chacha_block_xor_ssse3)
35908 - FRAME_BEGIN
35909 -
35910 - # x0..3 = s0..3
35911 -- movdqa 0x00(%rdi),%xmm0
35912 -- movdqa 0x10(%rdi),%xmm1
35913 -- movdqa 0x20(%rdi),%xmm2
35914 -- movdqa 0x30(%rdi),%xmm3
35915 -+ movdqu 0x00(%rdi),%xmm0
35916 -+ movdqu 0x10(%rdi),%xmm1
35917 -+ movdqu 0x20(%rdi),%xmm2
35918 -+ movdqu 0x30(%rdi),%xmm3
35919 - movdqa %xmm0,%xmm8
35920 - movdqa %xmm1,%xmm9
35921 - movdqa %xmm2,%xmm10
35922 -@@ -205,10 +205,10 @@ ENTRY(hchacha_block_ssse3)
35923 - # %edx: nrounds
35924 - FRAME_BEGIN
35925 -
35926 -- movdqa 0x00(%rdi),%xmm0
35927 -- movdqa 0x10(%rdi),%xmm1
35928 -- movdqa 0x20(%rdi),%xmm2
35929 -- movdqa 0x30(%rdi),%xmm3
35930 -+ movdqu 0x00(%rdi),%xmm0
35931 -+ movdqu 0x10(%rdi),%xmm1
35932 -+ movdqu 0x20(%rdi),%xmm2
35933 -+ movdqu 0x30(%rdi),%xmm3
35934 -
35935 - mov %edx,%r8d
35936 - call chacha_permute
35937 ---- a/arch/arm/crypto/chacha-neon-core.S
35938 -+++ b/arch/arm/crypto/chacha-neon-core.S
35939 -@@ -47,6 +47,7 @@
35940 - */
35941 -
35942 - #include <linux/linkage.h>
35943 -+#include <asm/cache.h>
35944 -
35945 - .text
35946 - .fpu neon
35947 -@@ -205,7 +206,7 @@ ENDPROC(hchacha_block_neon)
35948 -
35949 - .align 5
35950 - ENTRY(chacha_4block_xor_neon)
35951 -- push {r4-r5}
35952 -+ push {r4, lr}
35953 - mov r4, sp // preserve the stack pointer
35954 - sub ip, sp, #0x20 // allocate a 32 byte buffer
35955 - bic ip, ip, #0x1f // aligned to 32 bytes
35956 -@@ -229,10 +230,10 @@ ENTRY(chacha_4block_xor_neon)
35957 - vld1.32 {q0-q1}, [r0]
35958 - vld1.32 {q2-q3}, [ip]
35959 -
35960 -- adr r5, .Lctrinc
35961 -+ adr lr, .Lctrinc
35962 - vdup.32 q15, d7[1]
35963 - vdup.32 q14, d7[0]
35964 -- vld1.32 {q4}, [r5, :128]
35965 -+ vld1.32 {q4}, [lr, :128]
35966 - vdup.32 q13, d6[1]
35967 - vdup.32 q12, d6[0]
35968 - vdup.32 q11, d5[1]
35969 -@@ -455,7 +456,7 @@ ENTRY(chacha_4block_xor_neon)
35970 -
35971 - // Re-interleave the words in the first two rows of each block (x0..7).
35972 - // Also add the counter values 0-3 to x12[0-3].
35973 -- vld1.32 {q8}, [r5, :128] // load counter values 0-3
35974 -+ vld1.32 {q8}, [lr, :128] // load counter values 0-3
35975 - vzip.32 q0, q1 // => (0 1 0 1) (0 1 0 1)
35976 - vzip.32 q2, q3 // => (2 3 2 3) (2 3 2 3)
35977 - vzip.32 q4, q5 // => (4 5 4 5) (4 5 4 5)
35978 -@@ -493,6 +494,8 @@ ENTRY(chacha_4block_xor_neon)
35979 -
35980 - // Re-interleave the words in the last two rows of each block (x8..15).
35981 - vld1.32 {q8-q9}, [sp, :256]
35982 -+ mov sp, r4 // restore original stack pointer
35983 -+ ldr r4, [r4, #8] // load number of bytes
35984 - vzip.32 q12, q13 // => (12 13 12 13) (12 13 12 13)
35985 - vzip.32 q14, q15 // => (14 15 14 15) (14 15 14 15)
35986 - vzip.32 q8, q9 // => (8 9 8 9) (8 9 8 9)
35987 -@@ -520,41 +523,121 @@ ENTRY(chacha_4block_xor_neon)
35988 - // XOR the rest of the data with the keystream
35989 -
35990 - vld1.8 {q0-q1}, [r2]!
35991 -+ subs r4, r4, #96
35992 - veor q0, q0, q8
35993 - veor q1, q1, q12
35994 -+ ble .Lle96
35995 - vst1.8 {q0-q1}, [r1]!
35996 -
35997 - vld1.8 {q0-q1}, [r2]!
35998 -+ subs r4, r4, #32
35999 - veor q0, q0, q2
36000 - veor q1, q1, q6
36001 -+ ble .Lle128
36002 - vst1.8 {q0-q1}, [r1]!
36003 -
36004 - vld1.8 {q0-q1}, [r2]!
36005 -+ subs r4, r4, #32
36006 - veor q0, q0, q10
36007 - veor q1, q1, q14
36008 -+ ble .Lle160
36009 - vst1.8 {q0-q1}, [r1]!
36010 -
36011 - vld1.8 {q0-q1}, [r2]!
36012 -+ subs r4, r4, #32
36013 - veor q0, q0, q4
36014 - veor q1, q1, q5
36015 -+ ble .Lle192
36016 - vst1.8 {q0-q1}, [r1]!
36017 -
36018 - vld1.8 {q0-q1}, [r2]!
36019 -+ subs r4, r4, #32
36020 - veor q0, q0, q9
36021 - veor q1, q1, q13
36022 -+ ble .Lle224
36023 - vst1.8 {q0-q1}, [r1]!
36024 -
36025 - vld1.8 {q0-q1}, [r2]!
36026 -+ subs r4, r4, #32
36027 - veor q0, q0, q3
36028 - veor q1, q1, q7
36029 -+ blt .Llt256
36030 -+.Lout:
36031 - vst1.8 {q0-q1}, [r1]!
36032 -
36033 - vld1.8 {q0-q1}, [r2]
36034 -- mov sp, r4 // restore original stack pointer
36035 - veor q0, q0, q11
36036 - veor q1, q1, q15
36037 - vst1.8 {q0-q1}, [r1]
36038 -
36039 -- pop {r4-r5}
36040 -- bx lr
36041 -+ pop {r4, pc}
36042 -+
36043 -+.Lle192:
36044 -+ vmov q4, q9
36045 -+ vmov q5, q13
36046 -+
36047 -+.Lle160:
36048 -+ // nothing to do
36049 -+
36050 -+.Lfinalblock:
36051 -+ // Process the final block if processing less than 4 full blocks.
36052 -+ // Entered with 32 bytes of ChaCha cipher stream in q4-q5, and the
36053 -+ // previous 32 byte output block that still needs to be written at
36054 -+ // [r1] in q0-q1.
36055 -+ beq .Lfullblock
36056 -+
36057 -+.Lpartialblock:
36058 -+ adr lr, .Lpermute + 32
36059 -+ add r2, r2, r4
36060 -+ add lr, lr, r4
36061 -+ add r4, r4, r1
36062 -+
36063 -+ vld1.8 {q2-q3}, [lr]
36064 -+ vld1.8 {q6-q7}, [r2]
36065 -+
36066 -+ add r4, r4, #32
36067 -+
36068 -+ vtbl.8 d4, {q4-q5}, d4
36069 -+ vtbl.8 d5, {q4-q5}, d5
36070 -+ vtbl.8 d6, {q4-q5}, d6
36071 -+ vtbl.8 d7, {q4-q5}, d7
36072 -+
36073 -+ veor q6, q6, q2
36074 -+ veor q7, q7, q3
36075 -+
36076 -+ vst1.8 {q6-q7}, [r4] // overlapping stores
36077 -+ vst1.8 {q0-q1}, [r1]
36078 -+ pop {r4, pc}
36079 -+
36080 -+.Lfullblock:
36081 -+ vmov q11, q4
36082 -+ vmov q15, q5
36083 -+ b .Lout
36084 -+.Lle96:
36085 -+ vmov q4, q2
36086 -+ vmov q5, q6
36087 -+ b .Lfinalblock
36088 -+.Lle128:
36089 -+ vmov q4, q10
36090 -+ vmov q5, q14
36091 -+ b .Lfinalblock
36092 -+.Lle224:
36093 -+ vmov q4, q3
36094 -+ vmov q5, q7
36095 -+ b .Lfinalblock
36096 -+.Llt256:
36097 -+ vmov q4, q11
36098 -+ vmov q5, q15
36099 -+ b .Lpartialblock
36100 - ENDPROC(chacha_4block_xor_neon)
36101 -+
36102 -+ .align L1_CACHE_SHIFT
36103 -+.Lpermute:
36104 -+ .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
36105 -+ .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
36106 -+ .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
36107 -+ .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
36108 -+ .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
36109 -+ .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
36110 -+ .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
36111 -+ .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
36112 ---- a/arch/arm64/crypto/chacha-neon-core.S
36113 -+++ b/arch/arm64/crypto/chacha-neon-core.S
36114 -@@ -195,7 +195,6 @@ ENTRY(chacha_4block_xor_neon)
36115 - adr_l x10, .Lpermute
36116 - and x5, x4, #63
36117 - add x10, x10, x5
36118 -- add x11, x10, #64
36119 -
36120 - //
36121 - // This function encrypts four consecutive ChaCha blocks by loading
36122 -@@ -645,11 +644,11 @@ CPU_BE( rev a15, a15 )
36123 - zip2 v31.4s, v14.4s, v15.4s
36124 - eor a15, a15, w9
36125 -
36126 -- mov x3, #64
36127 -+ add x3, x2, x4
36128 -+ sub x3, x3, #128 // start of last block
36129 -+
36130 - subs x5, x4, #128
36131 -- add x6, x5, x2
36132 -- csel x3, x3, xzr, ge
36133 -- csel x2, x2, x6, ge
36134 -+ csel x2, x2, x3, ge
36135 -
36136 - // interleave 64-bit words in state n, n+2
36137 - zip1 v0.2d, v16.2d, v18.2d
36138 -@@ -658,13 +657,10 @@ CPU_BE( rev a15, a15 )
36139 - zip1 v8.2d, v17.2d, v19.2d
36140 - zip2 v12.2d, v17.2d, v19.2d
36141 - stp a2, a3, [x1, #-56]
36142 -- ld1 {v16.16b-v19.16b}, [x2], x3
36143 -
36144 - subs x6, x4, #192
36145 -- ccmp x3, xzr, #4, lt
36146 -- add x7, x6, x2
36147 -- csel x3, x3, xzr, eq
36148 -- csel x2, x2, x7, eq
36149 -+ ld1 {v16.16b-v19.16b}, [x2], #64
36150 -+ csel x2, x2, x3, ge
36151 -
36152 - zip1 v1.2d, v20.2d, v22.2d
36153 - zip2 v5.2d, v20.2d, v22.2d
36154 -@@ -672,13 +668,10 @@ CPU_BE( rev a15, a15 )
36155 - zip1 v9.2d, v21.2d, v23.2d
36156 - zip2 v13.2d, v21.2d, v23.2d
36157 - stp a6, a7, [x1, #-40]
36158 -- ld1 {v20.16b-v23.16b}, [x2], x3
36159 -
36160 - subs x7, x4, #256
36161 -- ccmp x3, xzr, #4, lt
36162 -- add x8, x7, x2
36163 -- csel x3, x3, xzr, eq
36164 -- csel x2, x2, x8, eq
36165 -+ ld1 {v20.16b-v23.16b}, [x2], #64
36166 -+ csel x2, x2, x3, ge
36167 -
36168 - zip1 v2.2d, v24.2d, v26.2d
36169 - zip2 v6.2d, v24.2d, v26.2d
36170 -@@ -686,12 +679,10 @@ CPU_BE( rev a15, a15 )
36171 - zip1 v10.2d, v25.2d, v27.2d
36172 - zip2 v14.2d, v25.2d, v27.2d
36173 - stp a10, a11, [x1, #-24]
36174 -- ld1 {v24.16b-v27.16b}, [x2], x3
36175 -
36176 - subs x8, x4, #320
36177 -- ccmp x3, xzr, #4, lt
36178 -- add x9, x8, x2
36179 -- csel x2, x2, x9, eq
36180 -+ ld1 {v24.16b-v27.16b}, [x2], #64
36181 -+ csel x2, x2, x3, ge
36182 -
36183 - zip1 v3.2d, v28.2d, v30.2d
36184 - zip2 v7.2d, v28.2d, v30.2d
36185 -@@ -699,151 +690,105 @@ CPU_BE( rev a15, a15 )
36186 - zip1 v11.2d, v29.2d, v31.2d
36187 - zip2 v15.2d, v29.2d, v31.2d
36188 - stp a14, a15, [x1, #-8]
36189 -+
36190 -+ tbnz x5, #63, .Lt128
36191 - ld1 {v28.16b-v31.16b}, [x2]
36192 -
36193 - // xor with corresponding input, write to output
36194 -- tbnz x5, #63, 0f
36195 - eor v16.16b, v16.16b, v0.16b
36196 - eor v17.16b, v17.16b, v1.16b
36197 - eor v18.16b, v18.16b, v2.16b
36198 - eor v19.16b, v19.16b, v3.16b
36199 -- st1 {v16.16b-v19.16b}, [x1], #64
36200 -- cbz x5, .Lout
36201 -
36202 -- tbnz x6, #63, 1f
36203 -+ tbnz x6, #63, .Lt192
36204 -+
36205 - eor v20.16b, v20.16b, v4.16b
36206 - eor v21.16b, v21.16b, v5.16b
36207 - eor v22.16b, v22.16b, v6.16b
36208 - eor v23.16b, v23.16b, v7.16b
36209 -- st1 {v20.16b-v23.16b}, [x1], #64
36210 -- cbz x6, .Lout
36211 -
36212 -- tbnz x7, #63, 2f
36213 -+ st1 {v16.16b-v19.16b}, [x1], #64
36214 -+ tbnz x7, #63, .Lt256
36215 -+
36216 - eor v24.16b, v24.16b, v8.16b
36217 - eor v25.16b, v25.16b, v9.16b
36218 - eor v26.16b, v26.16b, v10.16b
36219 - eor v27.16b, v27.16b, v11.16b
36220 -- st1 {v24.16b-v27.16b}, [x1], #64
36221 -- cbz x7, .Lout
36222 -
36223 -- tbnz x8, #63, 3f
36224 -+ st1 {v20.16b-v23.16b}, [x1], #64
36225 -+ tbnz x8, #63, .Lt320
36226 -+
36227 - eor v28.16b, v28.16b, v12.16b
36228 - eor v29.16b, v29.16b, v13.16b
36229 - eor v30.16b, v30.16b, v14.16b
36230 - eor v31.16b, v31.16b, v15.16b
36231 -+
36232 -+ st1 {v24.16b-v27.16b}, [x1], #64
36233 - st1 {v28.16b-v31.16b}, [x1]
36234 -
36235 - .Lout: frame_pop
36236 - ret
36237 -
36238 -- // fewer than 128 bytes of in/output
36239 --0: ld1 {v8.16b}, [x10]
36240 -- ld1 {v9.16b}, [x11]
36241 -- movi v10.16b, #16
36242 -- sub x2, x1, #64
36243 -- add x1, x1, x5
36244 -- ld1 {v16.16b-v19.16b}, [x2]
36245 -- tbl v4.16b, {v0.16b-v3.16b}, v8.16b
36246 -- tbx v20.16b, {v16.16b-v19.16b}, v9.16b
36247 -- add v8.16b, v8.16b, v10.16b
36248 -- add v9.16b, v9.16b, v10.16b
36249 -- tbl v5.16b, {v0.16b-v3.16b}, v8.16b
36250 -- tbx v21.16b, {v16.16b-v19.16b}, v9.16b
36251 -- add v8.16b, v8.16b, v10.16b
36252 -- add v9.16b, v9.16b, v10.16b
36253 -- tbl v6.16b, {v0.16b-v3.16b}, v8.16b
36254 -- tbx v22.16b, {v16.16b-v19.16b}, v9.16b
36255 -- add v8.16b, v8.16b, v10.16b
36256 -- add v9.16b, v9.16b, v10.16b
36257 -- tbl v7.16b, {v0.16b-v3.16b}, v8.16b
36258 -- tbx v23.16b, {v16.16b-v19.16b}, v9.16b
36259 --
36260 -- eor v20.16b, v20.16b, v4.16b
36261 -- eor v21.16b, v21.16b, v5.16b
36262 -- eor v22.16b, v22.16b, v6.16b
36263 -- eor v23.16b, v23.16b, v7.16b
36264 -- st1 {v20.16b-v23.16b}, [x1]
36265 -- b .Lout
36266 --
36267 - // fewer than 192 bytes of in/output
36268 --1: ld1 {v8.16b}, [x10]
36269 -- ld1 {v9.16b}, [x11]
36270 -- movi v10.16b, #16
36271 -- add x1, x1, x6
36272 -- tbl v0.16b, {v4.16b-v7.16b}, v8.16b
36273 -- tbx v20.16b, {v16.16b-v19.16b}, v9.16b
36274 -- add v8.16b, v8.16b, v10.16b
36275 -- add v9.16b, v9.16b, v10.16b
36276 -- tbl v1.16b, {v4.16b-v7.16b}, v8.16b
36277 -- tbx v21.16b, {v16.16b-v19.16b}, v9.16b
36278 -- add v8.16b, v8.16b, v10.16b
36279 -- add v9.16b, v9.16b, v10.16b
36280 -- tbl v2.16b, {v4.16b-v7.16b}, v8.16b
36281 -- tbx v22.16b, {v16.16b-v19.16b}, v9.16b
36282 -- add v8.16b, v8.16b, v10.16b
36283 -- add v9.16b, v9.16b, v10.16b
36284 -- tbl v3.16b, {v4.16b-v7.16b}, v8.16b
36285 -- tbx v23.16b, {v16.16b-v19.16b}, v9.16b
36286 --
36287 -- eor v20.16b, v20.16b, v0.16b
36288 -- eor v21.16b, v21.16b, v1.16b
36289 -- eor v22.16b, v22.16b, v2.16b
36290 -- eor v23.16b, v23.16b, v3.16b
36291 -- st1 {v20.16b-v23.16b}, [x1]
36292 -+.Lt192: cbz x5, 1f // exactly 128 bytes?
36293 -+ ld1 {v28.16b-v31.16b}, [x10]
36294 -+ add x5, x5, x1
36295 -+ tbl v28.16b, {v4.16b-v7.16b}, v28.16b
36296 -+ tbl v29.16b, {v4.16b-v7.16b}, v29.16b
36297 -+ tbl v30.16b, {v4.16b-v7.16b}, v30.16b
36298 -+ tbl v31.16b, {v4.16b-v7.16b}, v31.16b
36299 -+
36300 -+0: eor v20.16b, v20.16b, v28.16b
36301 -+ eor v21.16b, v21.16b, v29.16b
36302 -+ eor v22.16b, v22.16b, v30.16b
36303 -+ eor v23.16b, v23.16b, v31.16b
36304 -+ st1 {v20.16b-v23.16b}, [x5] // overlapping stores
36305 -+1: st1 {v16.16b-v19.16b}, [x1]
36306 - b .Lout
36307 -
36308 -+ // fewer than 128 bytes of in/output
36309 -+.Lt128: ld1 {v28.16b-v31.16b}, [x10]
36310 -+ add x5, x5, x1
36311 -+ sub x1, x1, #64
36312 -+ tbl v28.16b, {v0.16b-v3.16b}, v28.16b
36313 -+ tbl v29.16b, {v0.16b-v3.16b}, v29.16b
36314 -+ tbl v30.16b, {v0.16b-v3.16b}, v30.16b
36315 -+ tbl v31.16b, {v0.16b-v3.16b}, v31.16b
36316 -+ ld1 {v16.16b-v19.16b}, [x1] // reload first output block
36317 -+ b 0b
36318 -+
36319 - // fewer than 256 bytes of in/output
36320 --2: ld1 {v4.16b}, [x10]
36321 -- ld1 {v5.16b}, [x11]
36322 -- movi v6.16b, #16
36323 -- add x1, x1, x7
36324 -+.Lt256: cbz x6, 2f // exactly 192 bytes?
36325 -+ ld1 {v4.16b-v7.16b}, [x10]
36326 -+ add x6, x6, x1
36327 - tbl v0.16b, {v8.16b-v11.16b}, v4.16b
36328 -- tbx v24.16b, {v20.16b-v23.16b}, v5.16b
36329 -- add v4.16b, v4.16b, v6.16b
36330 -- add v5.16b, v5.16b, v6.16b
36331 -- tbl v1.16b, {v8.16b-v11.16b}, v4.16b
36332 -- tbx v25.16b, {v20.16b-v23.16b}, v5.16b
36333 -- add v4.16b, v4.16b, v6.16b
36334 -- add v5.16b, v5.16b, v6.16b
36335 -- tbl v2.16b, {v8.16b-v11.16b}, v4.16b
36336 -- tbx v26.16b, {v20.16b-v23.16b}, v5.16b
36337 -- add v4.16b, v4.16b, v6.16b
36338 -- add v5.16b, v5.16b, v6.16b
36339 -- tbl v3.16b, {v8.16b-v11.16b}, v4.16b
36340 -- tbx v27.16b, {v20.16b-v23.16b}, v5.16b
36341 --
36342 -- eor v24.16b, v24.16b, v0.16b
36343 -- eor v25.16b, v25.16b, v1.16b
36344 -- eor v26.16b, v26.16b, v2.16b
36345 -- eor v27.16b, v27.16b, v3.16b
36346 -- st1 {v24.16b-v27.16b}, [x1]
36347 -+ tbl v1.16b, {v8.16b-v11.16b}, v5.16b
36348 -+ tbl v2.16b, {v8.16b-v11.16b}, v6.16b
36349 -+ tbl v3.16b, {v8.16b-v11.16b}, v7.16b
36350 -+
36351 -+ eor v28.16b, v28.16b, v0.16b
36352 -+ eor v29.16b, v29.16b, v1.16b
36353 -+ eor v30.16b, v30.16b, v2.16b
36354 -+ eor v31.16b, v31.16b, v3.16b
36355 -+ st1 {v28.16b-v31.16b}, [x6] // overlapping stores
36356 -+2: st1 {v20.16b-v23.16b}, [x1]
36357 - b .Lout
36358 -
36359 - // fewer than 320 bytes of in/output
36360 --3: ld1 {v4.16b}, [x10]
36361 -- ld1 {v5.16b}, [x11]
36362 -- movi v6.16b, #16
36363 -- add x1, x1, x8
36364 -+.Lt320: cbz x7, 3f // exactly 256 bytes?
36365 -+ ld1 {v4.16b-v7.16b}, [x10]
36366 -+ add x7, x7, x1
36367 - tbl v0.16b, {v12.16b-v15.16b}, v4.16b
36368 -- tbx v28.16b, {v24.16b-v27.16b}, v5.16b
36369 -- add v4.16b, v4.16b, v6.16b
36370 -- add v5.16b, v5.16b, v6.16b
36371 -- tbl v1.16b, {v12.16b-v15.16b}, v4.16b
36372 -- tbx v29.16b, {v24.16b-v27.16b}, v5.16b
36373 -- add v4.16b, v4.16b, v6.16b
36374 -- add v5.16b, v5.16b, v6.16b
36375 -- tbl v2.16b, {v12.16b-v15.16b}, v4.16b
36376 -- tbx v30.16b, {v24.16b-v27.16b}, v5.16b
36377 -- add v4.16b, v4.16b, v6.16b
36378 -- add v5.16b, v5.16b, v6.16b
36379 -- tbl v3.16b, {v12.16b-v15.16b}, v4.16b
36380 -- tbx v31.16b, {v24.16b-v27.16b}, v5.16b
36381 -+ tbl v1.16b, {v12.16b-v15.16b}, v5.16b
36382 -+ tbl v2.16b, {v12.16b-v15.16b}, v6.16b
36383 -+ tbl v3.16b, {v12.16b-v15.16b}, v7.16b
36384 -
36385 - eor v28.16b, v28.16b, v0.16b
36386 - eor v29.16b, v29.16b, v1.16b
36387 - eor v30.16b, v30.16b, v2.16b
36388 - eor v31.16b, v31.16b, v3.16b
36389 -- st1 {v28.16b-v31.16b}, [x1]
36390 -+ st1 {v28.16b-v31.16b}, [x7] // overlapping stores
36391 -+3: st1 {v24.16b-v27.16b}, [x1]
36392 - b .Lout
36393 - ENDPROC(chacha_4block_xor_neon)
36394 -
36395 -@@ -851,7 +796,7 @@ ENDPROC(chacha_4block_xor_neon)
36396 - .align L1_CACHE_SHIFT
36397 - .Lpermute:
36398 - .set .Li, 0
36399 -- .rept 192
36400 -+ .rept 128
36401 - .byte (.Li - 64)
36402 - .set .Li, .Li + 1
36403 - .endr
36404 ---- a/include/linux/icmpv6.h
36405 -+++ b/include/linux/icmpv6.h
36406 -@@ -22,12 +22,22 @@ extern int inet6_unregister_icmp_sender(ip6_icmp_send_t *fn);
36407 - int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
36408 - unsigned int data_len);
36409 -
36410 -+#if IS_ENABLED(CONFIG_NF_NAT)
36411 -+void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info);
36412 -+#else
36413 -+#define icmpv6_ndo_send icmpv6_send
36414 -+#endif
36415 -+
36416 - #else
36417 -
36418 - static inline void icmpv6_send(struct sk_buff *skb,
36419 - u8 type, u8 code, __u32 info)
36420 - {
36421 -+}
36422 -
36423 -+static inline void icmpv6_ndo_send(struct sk_buff *skb,
36424 -+ u8 type, u8 code, __u32 info)
36425 -+{
36426 - }
36427 - #endif
36428 -
36429 ---- a/include/net/icmp.h
36430 -+++ b/include/net/icmp.h
36431 -@@ -43,6 +43,12 @@ static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32
36432 - __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt);
36433 - }
36434 -
36435 -+#if IS_ENABLED(CONFIG_NF_NAT)
36436 -+void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info);
36437 -+#else
36438 -+#define icmp_ndo_send icmp_send
36439 -+#endif
36440 -+
36441 - int icmp_rcv(struct sk_buff *skb);
36442 - int icmp_err(struct sk_buff *skb, u32 info);
36443 - int icmp_init(void);
36444 ---- a/net/ipv4/icmp.c
36445 -+++ b/net/ipv4/icmp.c
36446 -@@ -750,6 +750,39 @@ out:;
36447 - }
36448 - EXPORT_SYMBOL(__icmp_send);
36449 -
36450 -+#if IS_ENABLED(CONFIG_NF_NAT)
36451 -+#include <net/netfilter/nf_conntrack.h>
36452 -+void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
36453 -+{
36454 -+ struct sk_buff *cloned_skb = NULL;
36455 -+ enum ip_conntrack_info ctinfo;
36456 -+ struct nf_conn *ct;
36457 -+ __be32 orig_ip;
36458 -+
36459 -+ ct = nf_ct_get(skb_in, &ctinfo);
36460 -+ if (!ct || !(ct->status & IPS_SRC_NAT)) {
36461 -+ icmp_send(skb_in, type, code, info);
36462 -+ return;
36463 -+ }
36464 -+
36465 -+ if (skb_shared(skb_in))
36466 -+ skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
36467 -+
36468 -+ if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
36469 -+ (skb_network_header(skb_in) + sizeof(struct iphdr)) >
36470 -+ skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
36471 -+ skb_network_offset(skb_in) + sizeof(struct iphdr))))
36472 -+ goto out;
36473 -+
36474 -+ orig_ip = ip_hdr(skb_in)->saddr;
36475 -+ ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
36476 -+ icmp_send(skb_in, type, code, info);
36477 -+ ip_hdr(skb_in)->saddr = orig_ip;
36478 -+out:
36479 -+ consume_skb(cloned_skb);
36480 -+}
36481 -+EXPORT_SYMBOL(icmp_ndo_send);
36482 -+#endif
36483 -
36484 - static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
36485 - {
36486 ---- a/net/ipv6/ip6_icmp.c
36487 -+++ b/net/ipv6/ip6_icmp.c
36488 -@@ -45,4 +45,38 @@ out:
36489 - rcu_read_unlock();
36490 - }
36491 - EXPORT_SYMBOL(icmpv6_send);
36492 -+
36493 -+#if IS_ENABLED(CONFIG_NF_NAT)
36494 -+#include <net/netfilter/nf_conntrack.h>
36495 -+void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
36496 -+{
36497 -+ struct sk_buff *cloned_skb = NULL;
36498 -+ enum ip_conntrack_info ctinfo;
36499 -+ struct in6_addr orig_ip;
36500 -+ struct nf_conn *ct;
36501 -+
36502 -+ ct = nf_ct_get(skb_in, &ctinfo);
36503 -+ if (!ct || !(ct->status & IPS_SRC_NAT)) {
36504 -+ icmpv6_send(skb_in, type, code, info);
36505 -+ return;
36506 -+ }
36507 -+
36508 -+ if (skb_shared(skb_in))
36509 -+ skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
36510 -+
36511 -+ if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
36512 -+ (skb_network_header(skb_in) + sizeof(struct ipv6hdr)) >
36513 -+ skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
36514 -+ skb_network_offset(skb_in) + sizeof(struct ipv6hdr))))
36515 -+ goto out;
36516 -+
36517 -+ orig_ip = ipv6_hdr(skb_in)->saddr;
36518 -+ ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
36519 -+ icmpv6_send(skb_in, type, code, info);
36520 -+ ipv6_hdr(skb_in)->saddr = orig_ip;
36521 -+out:
36522 -+ consume_skb(cloned_skb);
36523 -+}
36524 -+EXPORT_SYMBOL(icmpv6_ndo_send);
36525 -+#endif
36526 - #endif
36527 ---- a/MAINTAINERS
36528 -+++ b/MAINTAINERS
36529 -@@ -17584,6 +17584,14 @@ L: linux-gpio@×××××××××××.org
36530 - S: Maintained
36531 - F: drivers/gpio/gpio-ws16c48.c
36532 -
36533 -+WIREGUARD SECURE NETWORK TUNNEL
36534 -+M: Jason A. Donenfeld <Jason@×××××.com>
36535 -+S: Maintained
36536 -+F: drivers/net/wireguard/
36537 -+F: tools/testing/selftests/wireguard/
36538 -+L: wireguard@×××××××××××.com
36539 -+L: netdev@×××××××××××.org
36540 -+
36541 - WISTRON LAPTOP BUTTON DRIVER
36542 - M: Miloslav Trmac <mitr@×××××.cz>
36543 - S: Maintained
36544 ---- b/drivers/net/Kconfig
36545 -+++ b/drivers/net/Kconfig
36546 -@@ -71,6 +71,49 @@
36547 - To compile this driver as a module, choose M here: the module
36548 - will be called dummy.
36549 -
36550 -+config WIREGUARD
36551 -+ tristate "WireGuard secure network tunnel"
36552 -+ depends on NET && INET
36553 -+ depends on IPV6 || !IPV6
36554 -+ select NET_UDP_TUNNEL
36555 -+ select DST_CACHE
36556 -+ select CRYPTO
36557 -+ select CRYPTO_LIB_CURVE25519
36558 -+ select CRYPTO_LIB_CHACHA20POLY1305
36559 -+ select CRYPTO_LIB_BLAKE2S
36560 -+ select CRYPTO_CHACHA20_X86_64 if X86 && 64BIT
36561 -+ select CRYPTO_POLY1305_X86_64 if X86 && 64BIT
36562 -+ select CRYPTO_BLAKE2S_X86 if X86 && 64BIT
36563 -+ select CRYPTO_CURVE25519_X86 if X86 && 64BIT
36564 -+ select ARM_CRYPTO if ARM
36565 -+ select ARM64_CRYPTO if ARM64
36566 -+ select CRYPTO_CHACHA20_NEON if (ARM || ARM64) && KERNEL_MODE_NEON
36567 -+ select CRYPTO_POLY1305_NEON if ARM64 && KERNEL_MODE_NEON
36568 -+ select CRYPTO_POLY1305_ARM if ARM
36569 -+ select CRYPTO_CURVE25519_NEON if ARM && KERNEL_MODE_NEON
36570 -+ select CRYPTO_CHACHA_MIPS if CPU_MIPS32_R2
36571 -+ select CRYPTO_POLY1305_MIPS if CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
36572 -+ help
36573 -+ WireGuard is a secure, fast, and easy to use replacement for IPSec
36574 -+ that uses modern cryptography and clever networking tricks. It's
36575 -+ designed to be fairly general purpose and abstract enough to fit most
36576 -+ use cases, while at the same time remaining extremely simple to
36577 -+ configure. See www.wireguard.com for more info.
36578 -+
36579 -+ It's safe to say Y or M here, as the driver is very lightweight and
36580 -+ is only in use when an administrator chooses to add an interface.
36581 -+
36582 -+config WIREGUARD_DEBUG
36583 -+ bool "Debugging checks and verbose messages"
36584 -+ depends on WIREGUARD
36585 -+ help
36586 -+ This will write log messages for handshake and other events
36587 -+ that occur for a WireGuard interface. It will also perform some
36588 -+ extra validation checks and unit tests at various points. This is
36589 -+ only useful for debugging.
36590 -+
36591 -+ Say N here unless you know what you're doing.
36592 -+
36593 - config EQUALIZER
36594 - tristate "EQL (serial line load balancing) support"
36595 - ---help---
36596 ---- a/drivers/net/Makefile
36597 -+++ b/drivers/net/Makefile
36598 -@@ -10,6 +10,7 @@ obj-$(CONFIG_BONDING) += bonding/
36599 - obj-$(CONFIG_IPVLAN) += ipvlan/
36600 - obj-$(CONFIG_IPVTAP) += ipvlan/
36601 - obj-$(CONFIG_DUMMY) += dummy.o
36602 -+obj-$(CONFIG_WIREGUARD) += wireguard/
36603 - obj-$(CONFIG_EQUALIZER) += eql.o
36604 - obj-$(CONFIG_IFB) += ifb.o
36605 - obj-$(CONFIG_MACSEC) += macsec.o
36606 ---- /dev/null
36607 -+++ b/drivers/net/wireguard/Makefile
36608 -@@ -0,0 +1,18 @@
36609 -+ccflags-y := -O3
36610 -+ccflags-y += -D'pr_fmt(fmt)=KBUILD_MODNAME ": " fmt'
36611 -+ccflags-$(CONFIG_WIREGUARD_DEBUG) += -DDEBUG
36612 -+wireguard-y := main.o
36613 -+wireguard-y += noise.o
36614 -+wireguard-y += device.o
36615 -+wireguard-y += peer.o
36616 -+wireguard-y += timers.o
36617 -+wireguard-y += queueing.o
36618 -+wireguard-y += send.o
36619 -+wireguard-y += receive.o
36620 -+wireguard-y += socket.o
36621 -+wireguard-y += peerlookup.o
36622 -+wireguard-y += allowedips.o
36623 -+wireguard-y += ratelimiter.o
36624 -+wireguard-y += cookie.o
36625 -+wireguard-y += netlink.o
36626 -+obj-$(CONFIG_WIREGUARD) := wireguard.o
36627 ---- b/drivers/net/wireguard/allowedips.c
36628 -+++ b/drivers/net/wireguard/allowedips.c
36629 -@@ -0,0 +1,377 @@
36630 -+// SPDX-License-Identifier: GPL-2.0
36631 -+/*
36632 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
36633 -+ */
36634 -+
36635 -+#include "allowedips.h"
36636 -+#include "peer.h"
36637 -+
36638 -+static void swap_endian(u8 *dst, const u8 *src, u8 bits)
36639 -+{
36640 -+ if (bits == 32) {
36641 -+ *(u32 *)dst = be32_to_cpu(*(const __be32 *)src);
36642 -+ } else if (bits == 128) {
36643 -+ ((u64 *)dst)[0] = be64_to_cpu(((const __be64 *)src)[0]);
36644 -+ ((u64 *)dst)[1] = be64_to_cpu(((const __be64 *)src)[1]);
36645 -+ }
36646 -+}
36647 -+
36648 -+static void copy_and_assign_cidr(struct allowedips_node *node, const u8 *src,
36649 -+ u8 cidr, u8 bits)
36650 -+{
36651 -+ node->cidr = cidr;
36652 -+ node->bit_at_a = cidr / 8U;
36653 -+#ifdef __LITTLE_ENDIAN
36654 -+ node->bit_at_a ^= (bits / 8U - 1U) % 8U;
36655 -+#endif
36656 -+ node->bit_at_b = 7U - (cidr % 8U);
36657 -+ node->bitlen = bits;
36658 -+ memcpy(node->bits, src, bits / 8U);
36659 -+}
36660 -+#define CHOOSE_NODE(parent, key) \
36661 -+ parent->bit[(key[parent->bit_at_a] >> parent->bit_at_b) & 1]
36662 -+
36663 -+static void push_rcu(struct allowedips_node **stack,
36664 -+ struct allowedips_node __rcu *p, unsigned int *len)
36665 -+{
36666 -+ if (rcu_access_pointer(p)) {
36667 -+ WARN_ON(IS_ENABLED(DEBUG) && *len >= 128);
36668 -+ stack[(*len)++] = rcu_dereference_raw(p);
36669 -+ }
36670 -+}
36671 -+
36672 -+static void root_free_rcu(struct rcu_head *rcu)
36673 -+{
36674 -+ struct allowedips_node *node, *stack[128] = {
36675 -+ container_of(rcu, struct allowedips_node, rcu) };
36676 -+ unsigned int len = 1;
36677 -+
36678 -+ while (len > 0 && (node = stack[--len])) {
36679 -+ push_rcu(stack, node->bit[0], &len);
36680 -+ push_rcu(stack, node->bit[1], &len);
36681 -+ kfree(node);
36682 -+ }
36683 -+}
36684 -+
36685 -+static void root_remove_peer_lists(struct allowedips_node *root)
36686 -+{
36687 -+ struct allowedips_node *node, *stack[128] = { root };
36688 -+ unsigned int len = 1;
36689 -+
36690 -+ while (len > 0 && (node = stack[--len])) {
36691 -+ push_rcu(stack, node->bit[0], &len);
36692 -+ push_rcu(stack, node->bit[1], &len);
36693 -+ if (rcu_access_pointer(node->peer))
36694 -+ list_del(&node->peer_list);
36695 -+ }
36696 -+}
36697 -+
36698 -+static void walk_remove_by_peer(struct allowedips_node __rcu **top,
36699 -+ struct wg_peer *peer, struct mutex *lock)
36700 -+{
36701 -+#define REF(p) rcu_access_pointer(p)
36702 -+#define DEREF(p) rcu_dereference_protected(*(p), lockdep_is_held(lock))
36703 -+#define PUSH(p) ({ \
36704 -+ WARN_ON(IS_ENABLED(DEBUG) && len >= 128); \
36705 -+ stack[len++] = p; \
36706 -+ })
36707 -+
36708 -+ struct allowedips_node __rcu **stack[128], **nptr;
36709 -+ struct allowedips_node *node, *prev;
36710 -+ unsigned int len;
36711 -+
36712 -+ if (unlikely(!peer || !REF(*top)))
36713 -+ return;
36714 -+
36715 -+ for (prev = NULL, len = 0, PUSH(top); len > 0; prev = node) {
36716 -+ nptr = stack[len - 1];
36717 -+ node = DEREF(nptr);
36718 -+ if (!node) {
36719 -+ --len;
36720 -+ continue;
36721 -+ }
36722 -+ if (!prev || REF(prev->bit[0]) == node ||
36723 -+ REF(prev->bit[1]) == node) {
36724 -+ if (REF(node->bit[0]))
36725 -+ PUSH(&node->bit[0]);
36726 -+ else if (REF(node->bit[1]))
36727 -+ PUSH(&node->bit[1]);
36728 -+ } else if (REF(node->bit[0]) == prev) {
36729 -+ if (REF(node->bit[1]))
36730 -+ PUSH(&node->bit[1]);
36731 -+ } else {
36732 -+ if (rcu_dereference_protected(node->peer,
36733 -+ lockdep_is_held(lock)) == peer) {
36734 -+ RCU_INIT_POINTER(node->peer, NULL);
36735 -+ list_del_init(&node->peer_list);
36736 -+ if (!node->bit[0] || !node->bit[1]) {
36737 -+ rcu_assign_pointer(*nptr, DEREF(
36738 -+ &node->bit[!REF(node->bit[0])]));
36739 -+ kfree_rcu(node, rcu);
36740 -+ node = DEREF(nptr);
36741 -+ }
36742 -+ }
36743 -+ --len;
36744 -+ }
36745 -+ }
36746 -+
36747 -+#undef REF
36748 -+#undef DEREF
36749 -+#undef PUSH
36750 -+}
36751 -+
36752 -+static unsigned int fls128(u64 a, u64 b)
36753 -+{
36754 -+ return a ? fls64(a) + 64U : fls64(b);
36755 -+}
36756 -+
36757 -+static u8 common_bits(const struct allowedips_node *node, const u8 *key,
36758 -+ u8 bits)
36759 -+{
36760 -+ if (bits == 32)
36761 -+ return 32U - fls(*(const u32 *)node->bits ^ *(const u32 *)key);
36762 -+ else if (bits == 128)
36763 -+ return 128U - fls128(
36764 -+ *(const u64 *)&node->bits[0] ^ *(const u64 *)&key[0],
36765 -+ *(const u64 *)&node->bits[8] ^ *(const u64 *)&key[8]);
36766 -+ return 0;
36767 -+}
36768 -+
36769 -+static bool prefix_matches(const struct allowedips_node *node, const u8 *key,
36770 -+ u8 bits)
36771 -+{
36772 -+ /* This could be much faster if it actually just compared the common
36773 -+ * bits properly, by precomputing a mask bswap(~0 << (32 - cidr)), and
36774 -+ * the rest, but it turns out that common_bits is already super fast on
36775 -+ * modern processors, even taking into account the unfortunate bswap.
36776 -+ * So, we just inline it like this instead.
36777 -+ */
36778 -+ return common_bits(node, key, bits) >= node->cidr;
36779 -+}
36780 -+
36781 -+static struct allowedips_node *find_node(struct allowedips_node *trie, u8 bits,
36782 -+ const u8 *key)
36783 -+{
36784 -+ struct allowedips_node *node = trie, *found = NULL;
36785 -+
36786 -+ while (node && prefix_matches(node, key, bits)) {
36787 -+ if (rcu_access_pointer(node->peer))
36788 -+ found = node;
36789 -+ if (node->cidr == bits)
36790 -+ break;
36791 -+ node = rcu_dereference_bh(CHOOSE_NODE(node, key));
36792 -+ }
36793 -+ return found;
36794 -+}
36795 -+
36796 -+/* Returns a strong reference to a peer */
36797 -+static struct wg_peer *lookup(struct allowedips_node __rcu *root, u8 bits,
36798 -+ const void *be_ip)
36799 -+{
36800 -+ /* Aligned so it can be passed to fls/fls64 */
36801 -+ u8 ip[16] __aligned(__alignof(u64));
36802 -+ struct allowedips_node *node;
36803 -+ struct wg_peer *peer = NULL;
36804 -+
36805 -+ swap_endian(ip, be_ip, bits);
36806 -+
36807 -+ rcu_read_lock_bh();
36808 -+retry:
36809 -+ node = find_node(rcu_dereference_bh(root), bits, ip);
36810 -+ if (node) {
36811 -+ peer = wg_peer_get_maybe_zero(rcu_dereference_bh(node->peer));
36812 -+ if (!peer)
36813 -+ goto retry;
36814 -+ }
36815 -+ rcu_read_unlock_bh();
36816 -+ return peer;
36817 -+}
36818 -+
36819 -+static bool node_placement(struct allowedips_node __rcu *trie, const u8 *key,
36820 -+ u8 cidr, u8 bits, struct allowedips_node **rnode,
36821 -+ struct mutex *lock)
36822 -+{
36823 -+ struct allowedips_node *node = rcu_dereference_protected(trie,
36824 -+ lockdep_is_held(lock));
36825 -+ struct allowedips_node *parent = NULL;
36826 -+ bool exact = false;
36827 -+
36828 -+ while (node && node->cidr <= cidr && prefix_matches(node, key, bits)) {
36829 -+ parent = node;
36830 -+ if (parent->cidr == cidr) {
36831 -+ exact = true;
36832 -+ break;
36833 -+ }
36834 -+ node = rcu_dereference_protected(CHOOSE_NODE(parent, key),
36835 -+ lockdep_is_held(lock));
36836 -+ }
36837 -+ *rnode = parent;
36838 -+ return exact;
36839 -+}
36840 -+
36841 -+static int add(struct allowedips_node __rcu **trie, u8 bits, const u8 *key,
36842 -+ u8 cidr, struct wg_peer *peer, struct mutex *lock)
36843 -+{
36844 -+ struct allowedips_node *node, *parent, *down, *newnode;
36845 -+
36846 -+ if (unlikely(cidr > bits || !peer))
36847 -+ return -EINVAL;
36848 -+
36849 -+ if (!rcu_access_pointer(*trie)) {
36850 -+ node = kzalloc(sizeof(*node), GFP_KERNEL);
36851 -+ if (unlikely(!node))
36852 -+ return -ENOMEM;
36853 -+ RCU_INIT_POINTER(node->peer, peer);
36854 -+ list_add_tail(&node->peer_list, &peer->allowedips_list);
36855 -+ copy_and_assign_cidr(node, key, cidr, bits);
36856 -+ rcu_assign_pointer(*trie, node);
36857 -+ return 0;
36858 -+ }
36859 -+ if (node_placement(*trie, key, cidr, bits, &node, lock)) {
36860 -+ rcu_assign_pointer(node->peer, peer);
36861 -+ list_move_tail(&node->peer_list, &peer->allowedips_list);
36862 -+ return 0;
36863 -+ }
36864 -+
36865 -+ newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
36866 -+ if (unlikely(!newnode))
36867 -+ return -ENOMEM;
36868 -+ RCU_INIT_POINTER(newnode->peer, peer);
36869 -+ list_add_tail(&newnode->peer_list, &peer->allowedips_list);
36870 -+ copy_and_assign_cidr(newnode, key, cidr, bits);
36871 -+
36872 -+ if (!node) {
36873 -+ down = rcu_dereference_protected(*trie, lockdep_is_held(lock));
36874 -+ } else {
36875 -+ down = rcu_dereference_protected(CHOOSE_NODE(node, key),
36876 -+ lockdep_is_held(lock));
36877 -+ if (!down) {
36878 -+ rcu_assign_pointer(CHOOSE_NODE(node, key), newnode);
36879 -+ return 0;
36880 -+ }
36881 -+ }
36882 -+ cidr = min(cidr, common_bits(down, key, bits));
36883 -+ parent = node;
36884 -+
36885 -+ if (newnode->cidr == cidr) {
36886 -+ rcu_assign_pointer(CHOOSE_NODE(newnode, down->bits), down);
36887 -+ if (!parent)
36888 -+ rcu_assign_pointer(*trie, newnode);
36889 -+ else
36890 -+ rcu_assign_pointer(CHOOSE_NODE(parent, newnode->bits),
36891 -+ newnode);
36892 -+ } else {
36893 -+ node = kzalloc(sizeof(*node), GFP_KERNEL);
36894 -+ if (unlikely(!node)) {
36895 -+ list_del(&newnode->peer_list);
36896 -+ kfree(newnode);
36897 -+ return -ENOMEM;
36898 -+ }
36899 -+ INIT_LIST_HEAD(&node->peer_list);
36900 -+ copy_and_assign_cidr(node, newnode->bits, cidr, bits);
36901 -+
36902 -+ rcu_assign_pointer(CHOOSE_NODE(node, down->bits), down);
36903 -+ rcu_assign_pointer(CHOOSE_NODE(node, newnode->bits), newnode);
36904 -+ if (!parent)
36905 -+ rcu_assign_pointer(*trie, node);
36906 -+ else
36907 -+ rcu_assign_pointer(CHOOSE_NODE(parent, node->bits),
36908 -+ node);
36909 -+ }
36910 -+ return 0;
36911 -+}
36912 -+
36913 -+void wg_allowedips_init(struct allowedips *table)
36914 -+{
36915 -+ table->root4 = table->root6 = NULL;
36916 -+ table->seq = 1;
36917 -+}
36918 -+
36919 -+void wg_allowedips_free(struct allowedips *table, struct mutex *lock)
36920 -+{
36921 -+ struct allowedips_node __rcu *old4 = table->root4, *old6 = table->root6;
36922 -+
36923 -+ ++table->seq;
36924 -+ RCU_INIT_POINTER(table->root4, NULL);
36925 -+ RCU_INIT_POINTER(table->root6, NULL);
36926 -+ if (rcu_access_pointer(old4)) {
36927 -+ struct allowedips_node *node = rcu_dereference_protected(old4,
36928 -+ lockdep_is_held(lock));
36929 -+
36930 -+ root_remove_peer_lists(node);
36931 -+ call_rcu(&node->rcu, root_free_rcu);
36932 -+ }
36933 -+ if (rcu_access_pointer(old6)) {
36934 -+ struct allowedips_node *node = rcu_dereference_protected(old6,
36935 -+ lockdep_is_held(lock));
36936 -+
36937 -+ root_remove_peer_lists(node);
36938 -+ call_rcu(&node->rcu, root_free_rcu);
36939 -+ }
36940 -+}
36941 -+
36942 -+int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip,
36943 -+ u8 cidr, struct wg_peer *peer, struct mutex *lock)
36944 -+{
36945 -+ /* Aligned so it can be passed to fls */
36946 -+ u8 key[4] __aligned(__alignof(u32));
36947 -+
36948 -+ ++table->seq;
36949 -+ swap_endian(key, (const u8 *)ip, 32);
36950 -+ return add(&table->root4, 32, key, cidr, peer, lock);
36951 -+}
36952 -+
36953 -+int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
36954 -+ u8 cidr, struct wg_peer *peer, struct mutex *lock)
36955 -+{
36956 -+ /* Aligned so it can be passed to fls64 */
36957 -+ u8 key[16] __aligned(__alignof(u64));
36958 -+
36959 -+ ++table->seq;
36960 -+ swap_endian(key, (const u8 *)ip, 128);
36961 -+ return add(&table->root6, 128, key, cidr, peer, lock);
36962 -+}
36963 -+
36964 -+void wg_allowedips_remove_by_peer(struct allowedips *table,
36965 -+ struct wg_peer *peer, struct mutex *lock)
36966 -+{
36967 -+ ++table->seq;
36968 -+ walk_remove_by_peer(&table->root4, peer, lock);
36969 -+ walk_remove_by_peer(&table->root6, peer, lock);
36970 -+}
36971 -+
36972 -+int wg_allowedips_read_node(struct allowedips_node *node, u8 ip[16], u8 *cidr)
36973 -+{
36974 -+ const unsigned int cidr_bytes = DIV_ROUND_UP(node->cidr, 8U);
36975 -+ swap_endian(ip, node->bits, node->bitlen);
36976 -+ memset(ip + cidr_bytes, 0, node->bitlen / 8U - cidr_bytes);
36977 -+ if (node->cidr)
36978 -+ ip[cidr_bytes - 1U] &= ~0U << (-node->cidr % 8U);
36979 -+
36980 -+ *cidr = node->cidr;
36981 -+ return node->bitlen == 32 ? AF_INET : AF_INET6;
36982 -+}
36983 -+
36984 -+/* Returns a strong reference to a peer */
36985 -+struct wg_peer *wg_allowedips_lookup_dst(struct allowedips *table,
36986 -+ struct sk_buff *skb)
36987 -+{
36988 -+ if (skb->protocol == htons(ETH_P_IP))
36989 -+ return lookup(table->root4, 32, &ip_hdr(skb)->daddr);
36990 -+ else if (skb->protocol == htons(ETH_P_IPV6))
36991 -+ return lookup(table->root6, 128, &ipv6_hdr(skb)->daddr);
36992 -+ return NULL;
36993 -+}
36994 -+
36995 -+/* Returns a strong reference to a peer */
36996 -+struct wg_peer *wg_allowedips_lookup_src(struct allowedips *table,
36997 -+ struct sk_buff *skb)
36998 -+{
36999 -+ if (skb->protocol == htons(ETH_P_IP))
37000 -+ return lookup(table->root4, 32, &ip_hdr(skb)->saddr);
37001 -+ else if (skb->protocol == htons(ETH_P_IPV6))
37002 -+ return lookup(table->root6, 128, &ipv6_hdr(skb)->saddr);
37003 -+ return NULL;
37004 -+}
37005 -+
37006 -+#include "selftest/allowedips.c"
37007 ---- /dev/null
37008 -+++ b/drivers/net/wireguard/allowedips.h
37009 -@@ -0,0 +1,59 @@
37010 -+/* SPDX-License-Identifier: GPL-2.0 */
37011 -+/*
37012 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37013 -+ */
37014 -+
37015 -+#ifndef _WG_ALLOWEDIPS_H
37016 -+#define _WG_ALLOWEDIPS_H
37017 -+
37018 -+#include <linux/mutex.h>
37019 -+#include <linux/ip.h>
37020 -+#include <linux/ipv6.h>
37021 -+
37022 -+struct wg_peer;
37023 -+
37024 -+struct allowedips_node {
37025 -+ struct wg_peer __rcu *peer;
37026 -+ struct allowedips_node __rcu *bit[2];
37027 -+ /* While it may seem scandalous that we waste space for v4,
37028 -+ * we're alloc'ing to the nearest power of 2 anyway, so this
37029 -+ * doesn't actually make a difference.
37030 -+ */
37031 -+ u8 bits[16] __aligned(__alignof(u64));
37032 -+ u8 cidr, bit_at_a, bit_at_b, bitlen;
37033 -+
37034 -+ /* Keep rarely used list at bottom to be beyond cache line. */
37035 -+ union {
37036 -+ struct list_head peer_list;
37037 -+ struct rcu_head rcu;
37038 -+ };
37039 -+};
37040 -+
37041 -+struct allowedips {
37042 -+ struct allowedips_node __rcu *root4;
37043 -+ struct allowedips_node __rcu *root6;
37044 -+ u64 seq;
37045 -+};
37046 -+
37047 -+void wg_allowedips_init(struct allowedips *table);
37048 -+void wg_allowedips_free(struct allowedips *table, struct mutex *mutex);
37049 -+int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip,
37050 -+ u8 cidr, struct wg_peer *peer, struct mutex *lock);
37051 -+int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
37052 -+ u8 cidr, struct wg_peer *peer, struct mutex *lock);
37053 -+void wg_allowedips_remove_by_peer(struct allowedips *table,
37054 -+ struct wg_peer *peer, struct mutex *lock);
37055 -+/* The ip input pointer should be __aligned(__alignof(u64))) */
37056 -+int wg_allowedips_read_node(struct allowedips_node *node, u8 ip[16], u8 *cidr);
37057 -+
37058 -+/* These return a strong reference to a peer: */
37059 -+struct wg_peer *wg_allowedips_lookup_dst(struct allowedips *table,
37060 -+ struct sk_buff *skb);
37061 -+struct wg_peer *wg_allowedips_lookup_src(struct allowedips *table,
37062 -+ struct sk_buff *skb);
37063 -+
37064 -+#ifdef DEBUG
37065 -+bool wg_allowedips_selftest(void);
37066 -+#endif
37067 -+
37068 -+#endif /* _WG_ALLOWEDIPS_H */
37069 ---- /dev/null
37070 -+++ b/drivers/net/wireguard/cookie.c
37071 -@@ -0,0 +1,236 @@
37072 -+// SPDX-License-Identifier: GPL-2.0
37073 -+/*
37074 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37075 -+ */
37076 -+
37077 -+#include "cookie.h"
37078 -+#include "peer.h"
37079 -+#include "device.h"
37080 -+#include "messages.h"
37081 -+#include "ratelimiter.h"
37082 -+#include "timers.h"
37083 -+
37084 -+#include <crypto/blake2s.h>
37085 -+#include <crypto/chacha20poly1305.h>
37086 -+
37087 -+#include <net/ipv6.h>
37088 -+#include <crypto/algapi.h>
37089 -+
37090 -+void wg_cookie_checker_init(struct cookie_checker *checker,
37091 -+ struct wg_device *wg)
37092 -+{
37093 -+ init_rwsem(&checker->secret_lock);
37094 -+ checker->secret_birthdate = ktime_get_coarse_boottime_ns();
37095 -+ get_random_bytes(checker->secret, NOISE_HASH_LEN);
37096 -+ checker->device = wg;
37097 -+}
37098 -+
37099 -+enum { COOKIE_KEY_LABEL_LEN = 8 };
37100 -+static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----";
37101 -+static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--";
37102 -+
37103 -+static void precompute_key(u8 key[NOISE_SYMMETRIC_KEY_LEN],
37104 -+ const u8 pubkey[NOISE_PUBLIC_KEY_LEN],
37105 -+ const u8 label[COOKIE_KEY_LABEL_LEN])
37106 -+{
37107 -+ struct blake2s_state blake;
37108 -+
37109 -+ blake2s_init(&blake, NOISE_SYMMETRIC_KEY_LEN);
37110 -+ blake2s_update(&blake, label, COOKIE_KEY_LABEL_LEN);
37111 -+ blake2s_update(&blake, pubkey, NOISE_PUBLIC_KEY_LEN);
37112 -+ blake2s_final(&blake, key);
37113 -+}
37114 -+
37115 -+/* Must hold peer->handshake.static_identity->lock */
37116 -+void wg_cookie_checker_precompute_device_keys(struct cookie_checker *checker)
37117 -+{
37118 -+ if (likely(checker->device->static_identity.has_identity)) {
37119 -+ precompute_key(checker->cookie_encryption_key,
37120 -+ checker->device->static_identity.static_public,
37121 -+ cookie_key_label);
37122 -+ precompute_key(checker->message_mac1_key,
37123 -+ checker->device->static_identity.static_public,
37124 -+ mac1_key_label);
37125 -+ } else {
37126 -+ memset(checker->cookie_encryption_key, 0,
37127 -+ NOISE_SYMMETRIC_KEY_LEN);
37128 -+ memset(checker->message_mac1_key, 0, NOISE_SYMMETRIC_KEY_LEN);
37129 -+ }
37130 -+}
37131 -+
37132 -+void wg_cookie_checker_precompute_peer_keys(struct wg_peer *peer)
37133 -+{
37134 -+ precompute_key(peer->latest_cookie.cookie_decryption_key,
37135 -+ peer->handshake.remote_static, cookie_key_label);
37136 -+ precompute_key(peer->latest_cookie.message_mac1_key,
37137 -+ peer->handshake.remote_static, mac1_key_label);
37138 -+}
37139 -+
37140 -+void wg_cookie_init(struct cookie *cookie)
37141 -+{
37142 -+ memset(cookie, 0, sizeof(*cookie));
37143 -+ init_rwsem(&cookie->lock);
37144 -+}
37145 -+
37146 -+static void compute_mac1(u8 mac1[COOKIE_LEN], const void *message, size_t len,
37147 -+ const u8 key[NOISE_SYMMETRIC_KEY_LEN])
37148 -+{
37149 -+ len = len - sizeof(struct message_macs) +
37150 -+ offsetof(struct message_macs, mac1);
37151 -+ blake2s(mac1, message, key, COOKIE_LEN, len, NOISE_SYMMETRIC_KEY_LEN);
37152 -+}
37153 -+
37154 -+static void compute_mac2(u8 mac2[COOKIE_LEN], const void *message, size_t len,
37155 -+ const u8 cookie[COOKIE_LEN])
37156 -+{
37157 -+ len = len - sizeof(struct message_macs) +
37158 -+ offsetof(struct message_macs, mac2);
37159 -+ blake2s(mac2, message, cookie, COOKIE_LEN, len, COOKIE_LEN);
37160 -+}
37161 -+
37162 -+static void make_cookie(u8 cookie[COOKIE_LEN], struct sk_buff *skb,
37163 -+ struct cookie_checker *checker)
37164 -+{
37165 -+ struct blake2s_state state;
37166 -+
37167 -+ if (wg_birthdate_has_expired(checker->secret_birthdate,
37168 -+ COOKIE_SECRET_MAX_AGE)) {
37169 -+ down_write(&checker->secret_lock);
37170 -+ checker->secret_birthdate = ktime_get_coarse_boottime_ns();
37171 -+ get_random_bytes(checker->secret, NOISE_HASH_LEN);
37172 -+ up_write(&checker->secret_lock);
37173 -+ }
37174 -+
37175 -+ down_read(&checker->secret_lock);
37176 -+
37177 -+ blake2s_init_key(&state, COOKIE_LEN, checker->secret, NOISE_HASH_LEN);
37178 -+ if (skb->protocol == htons(ETH_P_IP))
37179 -+ blake2s_update(&state, (u8 *)&ip_hdr(skb)->saddr,
37180 -+ sizeof(struct in_addr));
37181 -+ else if (skb->protocol == htons(ETH_P_IPV6))
37182 -+ blake2s_update(&state, (u8 *)&ipv6_hdr(skb)->saddr,
37183 -+ sizeof(struct in6_addr));
37184 -+ blake2s_update(&state, (u8 *)&udp_hdr(skb)->source, sizeof(__be16));
37185 -+ blake2s_final(&state, cookie);
37186 -+
37187 -+ up_read(&checker->secret_lock);
37188 -+}
37189 -+
37190 -+enum cookie_mac_state wg_cookie_validate_packet(struct cookie_checker *checker,
37191 -+ struct sk_buff *skb,
37192 -+ bool check_cookie)
37193 -+{
37194 -+ struct message_macs *macs = (struct message_macs *)
37195 -+ (skb->data + skb->len - sizeof(*macs));
37196 -+ enum cookie_mac_state ret;
37197 -+ u8 computed_mac[COOKIE_LEN];
37198 -+ u8 cookie[COOKIE_LEN];
37199 -+
37200 -+ ret = INVALID_MAC;
37201 -+ compute_mac1(computed_mac, skb->data, skb->len,
37202 -+ checker->message_mac1_key);
37203 -+ if (crypto_memneq(computed_mac, macs->mac1, COOKIE_LEN))
37204 -+ goto out;
37205 -+
37206 -+ ret = VALID_MAC_BUT_NO_COOKIE;
37207 -+
37208 -+ if (!check_cookie)
37209 -+ goto out;
37210 -+
37211 -+ make_cookie(cookie, skb, checker);
37212 -+
37213 -+ compute_mac2(computed_mac, skb->data, skb->len, cookie);
37214 -+ if (crypto_memneq(computed_mac, macs->mac2, COOKIE_LEN))
37215 -+ goto out;
37216 -+
37217 -+ ret = VALID_MAC_WITH_COOKIE_BUT_RATELIMITED;
37218 -+ if (!wg_ratelimiter_allow(skb, dev_net(checker->device->dev)))
37219 -+ goto out;
37220 -+
37221 -+ ret = VALID_MAC_WITH_COOKIE;
37222 -+
37223 -+out:
37224 -+ return ret;
37225 -+}
37226 -+
37227 -+void wg_cookie_add_mac_to_packet(void *message, size_t len,
37228 -+ struct wg_peer *peer)
37229 -+{
37230 -+ struct message_macs *macs = (struct message_macs *)
37231 -+ ((u8 *)message + len - sizeof(*macs));
37232 -+
37233 -+ down_write(&peer->latest_cookie.lock);
37234 -+ compute_mac1(macs->mac1, message, len,
37235 -+ peer->latest_cookie.message_mac1_key);
37236 -+ memcpy(peer->latest_cookie.last_mac1_sent, macs->mac1, COOKIE_LEN);
37237 -+ peer->latest_cookie.have_sent_mac1 = true;
37238 -+ up_write(&peer->latest_cookie.lock);
37239 -+
37240 -+ down_read(&peer->latest_cookie.lock);
37241 -+ if (peer->latest_cookie.is_valid &&
37242 -+ !wg_birthdate_has_expired(peer->latest_cookie.birthdate,
37243 -+ COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY))
37244 -+ compute_mac2(macs->mac2, message, len,
37245 -+ peer->latest_cookie.cookie);
37246 -+ else
37247 -+ memset(macs->mac2, 0, COOKIE_LEN);
37248 -+ up_read(&peer->latest_cookie.lock);
37249 -+}
37250 -+
37251 -+void wg_cookie_message_create(struct message_handshake_cookie *dst,
37252 -+ struct sk_buff *skb, __le32 index,
37253 -+ struct cookie_checker *checker)
37254 -+{
37255 -+ struct message_macs *macs = (struct message_macs *)
37256 -+ ((u8 *)skb->data + skb->len - sizeof(*macs));
37257 -+ u8 cookie[COOKIE_LEN];
37258 -+
37259 -+ dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
37260 -+ dst->receiver_index = index;
37261 -+ get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
37262 -+
37263 -+ make_cookie(cookie, skb, checker);
37264 -+ xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN,
37265 -+ macs->mac1, COOKIE_LEN, dst->nonce,
37266 -+ checker->cookie_encryption_key);
37267 -+}
37268 -+
37269 -+void wg_cookie_message_consume(struct message_handshake_cookie *src,
37270 -+ struct wg_device *wg)
37271 -+{
37272 -+ struct wg_peer *peer = NULL;
37273 -+ u8 cookie[COOKIE_LEN];
37274 -+ bool ret;
37275 -+
37276 -+ if (unlikely(!wg_index_hashtable_lookup(wg->index_hashtable,
37277 -+ INDEX_HASHTABLE_HANDSHAKE |
37278 -+ INDEX_HASHTABLE_KEYPAIR,
37279 -+ src->receiver_index, &peer)))
37280 -+ return;
37281 -+
37282 -+ down_read(&peer->latest_cookie.lock);
37283 -+ if (unlikely(!peer->latest_cookie.have_sent_mac1)) {
37284 -+ up_read(&peer->latest_cookie.lock);
37285 -+ goto out;
37286 -+ }
37287 -+ ret = xchacha20poly1305_decrypt(
37288 -+ cookie, src->encrypted_cookie, sizeof(src->encrypted_cookie),
37289 -+ peer->latest_cookie.last_mac1_sent, COOKIE_LEN, src->nonce,
37290 -+ peer->latest_cookie.cookie_decryption_key);
37291 -+ up_read(&peer->latest_cookie.lock);
37292 -+
37293 -+ if (ret) {
37294 -+ down_write(&peer->latest_cookie.lock);
37295 -+ memcpy(peer->latest_cookie.cookie, cookie, COOKIE_LEN);
37296 -+ peer->latest_cookie.birthdate = ktime_get_coarse_boottime_ns();
37297 -+ peer->latest_cookie.is_valid = true;
37298 -+ peer->latest_cookie.have_sent_mac1 = false;
37299 -+ up_write(&peer->latest_cookie.lock);
37300 -+ } else {
37301 -+ net_dbg_ratelimited("%s: Could not decrypt invalid cookie response\n",
37302 -+ wg->dev->name);
37303 -+ }
37304 -+
37305 -+out:
37306 -+ wg_peer_put(peer);
37307 -+}
37308 ---- /dev/null
37309 -+++ b/drivers/net/wireguard/cookie.h
37310 -@@ -0,0 +1,59 @@
37311 -+/* SPDX-License-Identifier: GPL-2.0 */
37312 -+/*
37313 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37314 -+ */
37315 -+
37316 -+#ifndef _WG_COOKIE_H
37317 -+#define _WG_COOKIE_H
37318 -+
37319 -+#include "messages.h"
37320 -+#include <linux/rwsem.h>
37321 -+
37322 -+struct wg_peer;
37323 -+
37324 -+struct cookie_checker {
37325 -+ u8 secret[NOISE_HASH_LEN];
37326 -+ u8 cookie_encryption_key[NOISE_SYMMETRIC_KEY_LEN];
37327 -+ u8 message_mac1_key[NOISE_SYMMETRIC_KEY_LEN];
37328 -+ u64 secret_birthdate;
37329 -+ struct rw_semaphore secret_lock;
37330 -+ struct wg_device *device;
37331 -+};
37332 -+
37333 -+struct cookie {
37334 -+ u64 birthdate;
37335 -+ bool is_valid;
37336 -+ u8 cookie[COOKIE_LEN];
37337 -+ bool have_sent_mac1;
37338 -+ u8 last_mac1_sent[COOKIE_LEN];
37339 -+ u8 cookie_decryption_key[NOISE_SYMMETRIC_KEY_LEN];
37340 -+ u8 message_mac1_key[NOISE_SYMMETRIC_KEY_LEN];
37341 -+ struct rw_semaphore lock;
37342 -+};
37343 -+
37344 -+enum cookie_mac_state {
37345 -+ INVALID_MAC,
37346 -+ VALID_MAC_BUT_NO_COOKIE,
37347 -+ VALID_MAC_WITH_COOKIE_BUT_RATELIMITED,
37348 -+ VALID_MAC_WITH_COOKIE
37349 -+};
37350 -+
37351 -+void wg_cookie_checker_init(struct cookie_checker *checker,
37352 -+ struct wg_device *wg);
37353 -+void wg_cookie_checker_precompute_device_keys(struct cookie_checker *checker);
37354 -+void wg_cookie_checker_precompute_peer_keys(struct wg_peer *peer);
37355 -+void wg_cookie_init(struct cookie *cookie);
37356 -+
37357 -+enum cookie_mac_state wg_cookie_validate_packet(struct cookie_checker *checker,
37358 -+ struct sk_buff *skb,
37359 -+ bool check_cookie);
37360 -+void wg_cookie_add_mac_to_packet(void *message, size_t len,
37361 -+ struct wg_peer *peer);
37362 -+
37363 -+void wg_cookie_message_create(struct message_handshake_cookie *src,
37364 -+ struct sk_buff *skb, __le32 index,
37365 -+ struct cookie_checker *checker);
37366 -+void wg_cookie_message_consume(struct message_handshake_cookie *src,
37367 -+ struct wg_device *wg);
37368 -+
37369 -+#endif /* _WG_COOKIE_H */
37370 ---- b/drivers/net/wireguard/device.c
37371 -+++ b/drivers/net/wireguard/device.c
37372 -@@ -0,0 +1,456 @@
37373 -+// SPDX-License-Identifier: GPL-2.0
37374 -+/*
37375 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37376 -+ */
37377 -+
37378 -+#include "queueing.h"
37379 -+#include "socket.h"
37380 -+#include "timers.h"
37381 -+#include "device.h"
37382 -+#include "ratelimiter.h"
37383 -+#include "peer.h"
37384 -+#include "messages.h"
37385 -+
37386 -+#include <linux/module.h>
37387 -+#include <linux/rtnetlink.h>
37388 -+#include <linux/inet.h>
37389 -+#include <linux/netdevice.h>
37390 -+#include <linux/inetdevice.h>
37391 -+#include <linux/if_arp.h>
37392 -+#include <linux/icmp.h>
37393 -+#include <linux/suspend.h>
37394 -+#include <net/icmp.h>
37395 -+#include <net/rtnetlink.h>
37396 -+#include <net/ip_tunnels.h>
37397 -+#include <net/addrconf.h>
37398 -+
37399 -+static LIST_HEAD(device_list);
37400 -+
37401 -+static int wg_open(struct net_device *dev)
37402 -+{
37403 -+ struct in_device *dev_v4 = __in_dev_get_rtnl(dev);
37404 -+ struct inet6_dev *dev_v6 = __in6_dev_get(dev);
37405 -+ struct wg_device *wg = netdev_priv(dev);
37406 -+ struct wg_peer *peer;
37407 -+ int ret;
37408 -+
37409 -+ if (dev_v4) {
37410 -+ /* At some point we might put this check near the ip_rt_send_
37411 -+ * redirect call of ip_forward in net/ipv4/ip_forward.c, similar
37412 -+ * to the current secpath check.
37413 -+ */
37414 -+ IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false);
37415 -+ IPV4_DEVCONF_ALL(dev_net(dev), SEND_REDIRECTS) = false;
37416 -+ }
37417 -+ if (dev_v6)
37418 -+ dev_v6->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_NONE;
37419 -+
37420 -+ mutex_lock(&wg->device_update_lock);
37421 -+ ret = wg_socket_init(wg, wg->incoming_port);
37422 -+ if (ret < 0)
37423 -+ goto out;
37424 -+ list_for_each_entry(peer, &wg->peer_list, peer_list) {
37425 -+ wg_packet_send_staged_packets(peer);
37426 -+ if (peer->persistent_keepalive_interval)
37427 -+ wg_packet_send_keepalive(peer);
37428 -+ }
37429 -+out:
37430 -+ mutex_unlock(&wg->device_update_lock);
37431 -+ return ret;
37432 -+}
37433 -+
37434 -+#ifdef CONFIG_PM_SLEEP
37435 -+static int wg_pm_notification(struct notifier_block *nb, unsigned long action,
37436 -+ void *data)
37437 -+{
37438 -+ struct wg_device *wg;
37439 -+ struct wg_peer *peer;
37440 -+
37441 -+ /* If the machine is constantly suspending and resuming, as part of
37442 -+ * its normal operation rather than as a somewhat rare event, then we
37443 -+ * don't actually want to clear keys.
37444 -+ */
37445 -+ if (IS_ENABLED(CONFIG_PM_AUTOSLEEP) || IS_ENABLED(CONFIG_ANDROID))
37446 -+ return 0;
37447 -+
37448 -+ if (action != PM_HIBERNATION_PREPARE && action != PM_SUSPEND_PREPARE)
37449 -+ return 0;
37450 -+
37451 -+ rtnl_lock();
37452 -+ list_for_each_entry(wg, &device_list, device_list) {
37453 -+ mutex_lock(&wg->device_update_lock);
37454 -+ list_for_each_entry(peer, &wg->peer_list, peer_list) {
37455 -+ del_timer(&peer->timer_zero_key_material);
37456 -+ wg_noise_handshake_clear(&peer->handshake);
37457 -+ wg_noise_keypairs_clear(&peer->keypairs);
37458 -+ }
37459 -+ mutex_unlock(&wg->device_update_lock);
37460 -+ }
37461 -+ rtnl_unlock();
37462 -+ rcu_barrier();
37463 -+ return 0;
37464 -+}
37465 -+
37466 -+static struct notifier_block pm_notifier = { .notifier_call = wg_pm_notification };
37467 -+#endif
37468 -+
37469 -+static int wg_stop(struct net_device *dev)
37470 -+{
37471 -+ struct wg_device *wg = netdev_priv(dev);
37472 -+ struct wg_peer *peer;
37473 -+
37474 -+ mutex_lock(&wg->device_update_lock);
37475 -+ list_for_each_entry(peer, &wg->peer_list, peer_list) {
37476 -+ wg_packet_purge_staged_packets(peer);
37477 -+ wg_timers_stop(peer);
37478 -+ wg_noise_handshake_clear(&peer->handshake);
37479 -+ wg_noise_keypairs_clear(&peer->keypairs);
37480 -+ wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
37481 -+ }
37482 -+ mutex_unlock(&wg->device_update_lock);
37483 -+ skb_queue_purge(&wg->incoming_handshakes);
37484 -+ wg_socket_reinit(wg, NULL, NULL);
37485 -+ return 0;
37486 -+}
37487 -+
37488 -+static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev)
37489 -+{
37490 -+ struct wg_device *wg = netdev_priv(dev);
37491 -+ struct sk_buff_head packets;
37492 -+ struct wg_peer *peer;
37493 -+ struct sk_buff *next;
37494 -+ sa_family_t family;
37495 -+ u32 mtu;
37496 -+ int ret;
37497 -+
37498 -+ if (unlikely(!wg_check_packet_protocol(skb))) {
37499 -+ ret = -EPROTONOSUPPORT;
37500 -+ net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name);
37501 -+ goto err;
37502 -+ }
37503 -+
37504 -+ peer = wg_allowedips_lookup_dst(&wg->peer_allowedips, skb);
37505 -+ if (unlikely(!peer)) {
37506 -+ ret = -ENOKEY;
37507 -+ if (skb->protocol == htons(ETH_P_IP))
37508 -+ net_dbg_ratelimited("%s: No peer has allowed IPs matching %pI4\n",
37509 -+ dev->name, &ip_hdr(skb)->daddr);
37510 -+ else if (skb->protocol == htons(ETH_P_IPV6))
37511 -+ net_dbg_ratelimited("%s: No peer has allowed IPs matching %pI6\n",
37512 -+ dev->name, &ipv6_hdr(skb)->daddr);
37513 -+ goto err;
37514 -+ }
37515 -+
37516 -+ family = READ_ONCE(peer->endpoint.addr.sa_family);
37517 -+ if (unlikely(family != AF_INET && family != AF_INET6)) {
37518 -+ ret = -EDESTADDRREQ;
37519 -+ net_dbg_ratelimited("%s: No valid endpoint has been configured or discovered for peer %llu\n",
37520 -+ dev->name, peer->internal_id);
37521 -+ goto err_peer;
37522 -+ }
37523 -+
37524 -+ mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
37525 -+
37526 -+ __skb_queue_head_init(&packets);
37527 -+ if (!skb_is_gso(skb)) {
37528 -+ skb_mark_not_on_list(skb);
37529 -+ } else {
37530 -+ struct sk_buff *segs = skb_gso_segment(skb, 0);
37531 -+
37532 -+ if (unlikely(IS_ERR(segs))) {
37533 -+ ret = PTR_ERR(segs);
37534 -+ goto err_peer;
37535 -+ }
37536 -+ dev_kfree_skb(skb);
37537 -+ skb = segs;
37538 -+ }
37539 -+
37540 -+ skb_list_walk_safe(skb, skb, next) {
37541 -+ skb_mark_not_on_list(skb);
37542 -+
37543 -+ skb = skb_share_check(skb, GFP_ATOMIC);
37544 -+ if (unlikely(!skb))
37545 -+ continue;
37546 -+
37547 -+ /* We only need to keep the original dst around for icmp,
37548 -+ * so at this point we're in a position to drop it.
37549 -+ */
37550 -+ skb_dst_drop(skb);
37551 -+
37552 -+ PACKET_CB(skb)->mtu = mtu;
37553 -+
37554 -+ __skb_queue_tail(&packets, skb);
37555 -+ }
37556 -+
37557 -+ spin_lock_bh(&peer->staged_packet_queue.lock);
37558 -+ /* If the queue is getting too big, we start removing the oldest packets
37559 -+ * until it's small again. We do this before adding the new packet, so
37560 -+ * we don't remove GSO segments that are in excess.
37561 -+ */
37562 -+ while (skb_queue_len(&peer->staged_packet_queue) > MAX_STAGED_PACKETS) {
37563 -+ dev_kfree_skb(__skb_dequeue(&peer->staged_packet_queue));
37564 -+ ++dev->stats.tx_dropped;
37565 -+ }
37566 -+ skb_queue_splice_tail(&packets, &peer->staged_packet_queue);
37567 -+ spin_unlock_bh(&peer->staged_packet_queue.lock);
37568 -+
37569 -+ wg_packet_send_staged_packets(peer);
37570 -+
37571 -+ wg_peer_put(peer);
37572 -+ return NETDEV_TX_OK;
37573 -+
37574 -+err_peer:
37575 -+ wg_peer_put(peer);
37576 -+err:
37577 -+ ++dev->stats.tx_errors;
37578 -+ if (skb->protocol == htons(ETH_P_IP))
37579 -+ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
37580 -+ else if (skb->protocol == htons(ETH_P_IPV6))
37581 -+ icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
37582 -+ kfree_skb(skb);
37583 -+ return ret;
37584 -+}
37585 -+
37586 -+static const struct net_device_ops netdev_ops = {
37587 -+ .ndo_open = wg_open,
37588 -+ .ndo_stop = wg_stop,
37589 -+ .ndo_start_xmit = wg_xmit,
37590 -+ .ndo_get_stats64 = ip_tunnel_get_stats64
37591 -+};
37592 -+
37593 -+static void wg_destruct(struct net_device *dev)
37594 -+{
37595 -+ struct wg_device *wg = netdev_priv(dev);
37596 -+
37597 -+ rtnl_lock();
37598 -+ list_del(&wg->device_list);
37599 -+ rtnl_unlock();
37600 -+ mutex_lock(&wg->device_update_lock);
37601 -+ rcu_assign_pointer(wg->creating_net, NULL);
37602 -+ wg->incoming_port = 0;
37603 -+ wg_socket_reinit(wg, NULL, NULL);
37604 -+ /* The final references are cleared in the below calls to destroy_workqueue. */
37605 -+ wg_peer_remove_all(wg);
37606 -+ destroy_workqueue(wg->handshake_receive_wq);
37607 -+ destroy_workqueue(wg->handshake_send_wq);
37608 -+ destroy_workqueue(wg->packet_crypt_wq);
37609 -+ wg_packet_queue_free(&wg->decrypt_queue, true);
37610 -+ wg_packet_queue_free(&wg->encrypt_queue, true);
37611 -+ rcu_barrier(); /* Wait for all the peers to be actually freed. */
37612 -+ wg_ratelimiter_uninit();
37613 -+ memzero_explicit(&wg->static_identity, sizeof(wg->static_identity));
37614 -+ skb_queue_purge(&wg->incoming_handshakes);
37615 -+ free_percpu(dev->tstats);
37616 -+ free_percpu(wg->incoming_handshakes_worker);
37617 -+ kvfree(wg->index_hashtable);
37618 -+ kvfree(wg->peer_hashtable);
37619 -+ mutex_unlock(&wg->device_update_lock);
37620 -+
37621 -+ pr_debug("%s: Interface destroyed\n", dev->name);
37622 -+ free_netdev(dev);
37623 -+}
37624 -+
37625 -+static const struct device_type device_type = { .name = KBUILD_MODNAME };
37626 -+
37627 -+static void wg_setup(struct net_device *dev)
37628 -+{
37629 -+ struct wg_device *wg = netdev_priv(dev);
37630 -+ enum { WG_NETDEV_FEATURES = NETIF_F_HW_CSUM | NETIF_F_RXCSUM |
37631 -+ NETIF_F_SG | NETIF_F_GSO |
37632 -+ NETIF_F_GSO_SOFTWARE | NETIF_F_HIGHDMA };
37633 -+ const int overhead = MESSAGE_MINIMUM_LENGTH + sizeof(struct udphdr) +
37634 -+ max(sizeof(struct ipv6hdr), sizeof(struct iphdr));
37635 -+
37636 -+ dev->netdev_ops = &netdev_ops;
37637 -+ dev->header_ops = &ip_tunnel_header_ops;
37638 -+ dev->hard_header_len = 0;
37639 -+ dev->addr_len = 0;
37640 -+ dev->needed_headroom = DATA_PACKET_HEAD_ROOM;
37641 -+ dev->needed_tailroom = noise_encrypted_len(MESSAGE_PADDING_MULTIPLE);
37642 -+ dev->type = ARPHRD_NONE;
37643 -+ dev->flags = IFF_POINTOPOINT | IFF_NOARP;
37644 -+ dev->priv_flags |= IFF_NO_QUEUE;
37645 -+ dev->features |= NETIF_F_LLTX;
37646 -+ dev->features |= WG_NETDEV_FEATURES;
37647 -+ dev->hw_features |= WG_NETDEV_FEATURES;
37648 -+ dev->hw_enc_features |= WG_NETDEV_FEATURES;
37649 -+ dev->mtu = ETH_DATA_LEN - overhead;
37650 -+ dev->max_mtu = round_down(INT_MAX, MESSAGE_PADDING_MULTIPLE) - overhead;
37651 -+
37652 -+ SET_NETDEV_DEVTYPE(dev, &device_type);
37653 -+
37654 -+ /* We need to keep the dst around in case of icmp replies. */
37655 -+ netif_keep_dst(dev);
37656 -+
37657 -+ memset(wg, 0, sizeof(*wg));
37658 -+ wg->dev = dev;
37659 -+}
37660 -+
37661 -+static int wg_newlink(struct net *src_net, struct net_device *dev,
37662 -+ struct nlattr *tb[], struct nlattr *data[],
37663 -+ struct netlink_ext_ack *extack)
37664 -+{
37665 -+ struct wg_device *wg = netdev_priv(dev);
37666 -+ int ret = -ENOMEM;
37667 -+
37668 -+ rcu_assign_pointer(wg->creating_net, src_net);
37669 -+ init_rwsem(&wg->static_identity.lock);
37670 -+ mutex_init(&wg->socket_update_lock);
37671 -+ mutex_init(&wg->device_update_lock);
37672 -+ skb_queue_head_init(&wg->incoming_handshakes);
37673 -+ wg_allowedips_init(&wg->peer_allowedips);
37674 -+ wg_cookie_checker_init(&wg->cookie_checker, wg);
37675 -+ INIT_LIST_HEAD(&wg->peer_list);
37676 -+ wg->device_update_gen = 1;
37677 -+
37678 -+ wg->peer_hashtable = wg_pubkey_hashtable_alloc();
37679 -+ if (!wg->peer_hashtable)
37680 -+ return ret;
37681 -+
37682 -+ wg->index_hashtable = wg_index_hashtable_alloc();
37683 -+ if (!wg->index_hashtable)
37684 -+ goto err_free_peer_hashtable;
37685 -+
37686 -+ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
37687 -+ if (!dev->tstats)
37688 -+ goto err_free_index_hashtable;
37689 -+
37690 -+ wg->incoming_handshakes_worker =
37691 -+ wg_packet_percpu_multicore_worker_alloc(
37692 -+ wg_packet_handshake_receive_worker, wg);
37693 -+ if (!wg->incoming_handshakes_worker)
37694 -+ goto err_free_tstats;
37695 -+
37696 -+ wg->handshake_receive_wq = alloc_workqueue("wg-kex-%s",
37697 -+ WQ_CPU_INTENSIVE | WQ_FREEZABLE, 0, dev->name);
37698 -+ if (!wg->handshake_receive_wq)
37699 -+ goto err_free_incoming_handshakes;
37700 -+
37701 -+ wg->handshake_send_wq = alloc_workqueue("wg-kex-%s",
37702 -+ WQ_UNBOUND | WQ_FREEZABLE, 0, dev->name);
37703 -+ if (!wg->handshake_send_wq)
37704 -+ goto err_destroy_handshake_receive;
37705 -+
37706 -+ wg->packet_crypt_wq = alloc_workqueue("wg-crypt-%s",
37707 -+ WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, 0, dev->name);
37708 -+ if (!wg->packet_crypt_wq)
37709 -+ goto err_destroy_handshake_send;
37710 -+
37711 -+ ret = wg_packet_queue_init(&wg->encrypt_queue, wg_packet_encrypt_worker,
37712 -+ true, MAX_QUEUED_PACKETS);
37713 -+ if (ret < 0)
37714 -+ goto err_destroy_packet_crypt;
37715 -+
37716 -+ ret = wg_packet_queue_init(&wg->decrypt_queue, wg_packet_decrypt_worker,
37717 -+ true, MAX_QUEUED_PACKETS);
37718 -+ if (ret < 0)
37719 -+ goto err_free_encrypt_queue;
37720 -+
37721 -+ ret = wg_ratelimiter_init();
37722 -+ if (ret < 0)
37723 -+ goto err_free_decrypt_queue;
37724 -+
37725 -+ ret = register_netdevice(dev);
37726 -+ if (ret < 0)
37727 -+ goto err_uninit_ratelimiter;
37728 -+
37729 -+ list_add(&wg->device_list, &device_list);
37730 -+
37731 -+ /* We wait until the end to assign priv_destructor, so that
37732 -+ * register_netdevice doesn't call it for us if it fails.
37733 -+ */
37734 -+ dev->priv_destructor = wg_destruct;
37735 -+
37736 -+ pr_debug("%s: Interface created\n", dev->name);
37737 -+ return ret;
37738 -+
37739 -+err_uninit_ratelimiter:
37740 -+ wg_ratelimiter_uninit();
37741 -+err_free_decrypt_queue:
37742 -+ wg_packet_queue_free(&wg->decrypt_queue, true);
37743 -+err_free_encrypt_queue:
37744 -+ wg_packet_queue_free(&wg->encrypt_queue, true);
37745 -+err_destroy_packet_crypt:
37746 -+ destroy_workqueue(wg->packet_crypt_wq);
37747 -+err_destroy_handshake_send:
37748 -+ destroy_workqueue(wg->handshake_send_wq);
37749 -+err_destroy_handshake_receive:
37750 -+ destroy_workqueue(wg->handshake_receive_wq);
37751 -+err_free_incoming_handshakes:
37752 -+ free_percpu(wg->incoming_handshakes_worker);
37753 -+err_free_tstats:
37754 -+ free_percpu(dev->tstats);
37755 -+err_free_index_hashtable:
37756 -+ kvfree(wg->index_hashtable);
37757 -+err_free_peer_hashtable:
37758 -+ kvfree(wg->peer_hashtable);
37759 -+ return ret;
37760 -+}
37761 -+
37762 -+static struct rtnl_link_ops link_ops __read_mostly = {
37763 -+ .kind = KBUILD_MODNAME,
37764 -+ .priv_size = sizeof(struct wg_device),
37765 -+ .setup = wg_setup,
37766 -+ .newlink = wg_newlink,
37767 -+};
37768 -+
37769 -+static void wg_netns_pre_exit(struct net *net)
37770 -+{
37771 -+ struct wg_device *wg;
37772 -+
37773 -+ rtnl_lock();
37774 -+ list_for_each_entry(wg, &device_list, device_list) {
37775 -+ if (rcu_access_pointer(wg->creating_net) == net) {
37776 -+ pr_debug("%s: Creating namespace exiting\n", wg->dev->name);
37777 -+ netif_carrier_off(wg->dev);
37778 -+ mutex_lock(&wg->device_update_lock);
37779 -+ rcu_assign_pointer(wg->creating_net, NULL);
37780 -+ wg_socket_reinit(wg, NULL, NULL);
37781 -+ mutex_unlock(&wg->device_update_lock);
37782 -+ }
37783 -+ }
37784 -+ rtnl_unlock();
37785 -+}
37786 -+
37787 -+static struct pernet_operations pernet_ops = {
37788 -+ .pre_exit = wg_netns_pre_exit
37789 -+};
37790 -+
37791 -+int __init wg_device_init(void)
37792 -+{
37793 -+ int ret;
37794 -+
37795 -+#ifdef CONFIG_PM_SLEEP
37796 -+ ret = register_pm_notifier(&pm_notifier);
37797 -+ if (ret)
37798 -+ return ret;
37799 -+#endif
37800 -+
37801 -+ ret = register_pernet_device(&pernet_ops);
37802 -+ if (ret)
37803 -+ goto error_pm;
37804 -+
37805 -+ ret = rtnl_link_register(&link_ops);
37806 -+ if (ret)
37807 -+ goto error_pernet;
37808 -+
37809 -+ return 0;
37810 -+
37811 -+error_pernet:
37812 -+ unregister_pernet_device(&pernet_ops);
37813 -+error_pm:
37814 -+#ifdef CONFIG_PM_SLEEP
37815 -+ unregister_pm_notifier(&pm_notifier);
37816 -+#endif
37817 -+ return ret;
37818 -+}
37819 -+
37820 -+void wg_device_uninit(void)
37821 -+{
37822 -+ rtnl_link_unregister(&link_ops);
37823 -+ unregister_pernet_device(&pernet_ops);
37824 -+#ifdef CONFIG_PM_SLEEP
37825 -+ unregister_pm_notifier(&pm_notifier);
37826 -+#endif
37827 -+ rcu_barrier();
37828 -+}
37829 ---- b/drivers/net/wireguard/device.h
37830 -+++ b/drivers/net/wireguard/device.h
37831 -@@ -0,0 +1,64 @@
37832 -+/* SPDX-License-Identifier: GPL-2.0 */
37833 -+/*
37834 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37835 -+ */
37836 -+
37837 -+#ifndef _WG_DEVICE_H
37838 -+#define _WG_DEVICE_H
37839 -+
37840 -+#include "noise.h"
37841 -+#include "allowedips.h"
37842 -+#include "peerlookup.h"
37843 -+#include "cookie.h"
37844 -+
37845 -+#include <linux/types.h>
37846 -+#include <linux/netdevice.h>
37847 -+#include <linux/workqueue.h>
37848 -+#include <linux/mutex.h>
37849 -+#include <linux/net.h>
37850 -+#include <linux/ptr_ring.h>
37851 -+
37852 -+struct wg_device;
37853 -+
37854 -+struct multicore_worker {
37855 -+ void *ptr;
37856 -+ struct work_struct work;
37857 -+};
37858 -+
37859 -+struct crypt_queue {
37860 -+ struct ptr_ring ring;
37861 -+ union {
37862 -+ struct {
37863 -+ struct multicore_worker __percpu *worker;
37864 -+ int last_cpu;
37865 -+ };
37866 -+ struct work_struct work;
37867 -+ };
37868 -+};
37869 -+
37870 -+struct wg_device {
37871 -+ struct net_device *dev;
37872 -+ struct crypt_queue encrypt_queue, decrypt_queue;
37873 -+ struct sock __rcu *sock4, *sock6;
37874 -+ struct net __rcu *creating_net;
37875 -+ struct noise_static_identity static_identity;
37876 -+ struct workqueue_struct *handshake_receive_wq, *handshake_send_wq;
37877 -+ struct workqueue_struct *packet_crypt_wq;
37878 -+ struct sk_buff_head incoming_handshakes;
37879 -+ int incoming_handshake_cpu;
37880 -+ struct multicore_worker __percpu *incoming_handshakes_worker;
37881 -+ struct cookie_checker cookie_checker;
37882 -+ struct pubkey_hashtable *peer_hashtable;
37883 -+ struct index_hashtable *index_hashtable;
37884 -+ struct allowedips peer_allowedips;
37885 -+ struct mutex device_update_lock, socket_update_lock;
37886 -+ struct list_head device_list, peer_list;
37887 -+ unsigned int num_peers, device_update_gen;
37888 -+ u32 fwmark;
37889 -+ u16 incoming_port;
37890 -+};
37891 -+
37892 -+int wg_device_init(void);
37893 -+void wg_device_uninit(void);
37894 -+
37895 -+#endif /* _WG_DEVICE_H */
37896 ---- b/drivers/net/wireguard/main.c
37897 -+++ b/drivers/net/wireguard/main.c
37898 -@@ -0,0 +1,63 @@
37899 -+// SPDX-License-Identifier: GPL-2.0
37900 -+/*
37901 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37902 -+ */
37903 -+
37904 -+#include "version.h"
37905 -+#include "device.h"
37906 -+#include "noise.h"
37907 -+#include "queueing.h"
37908 -+#include "ratelimiter.h"
37909 -+#include "netlink.h"
37910 -+
37911 -+#include <uapi/linux/wireguard.h>
37912 -+
37913 -+#include <linux/init.h>
37914 -+#include <linux/module.h>
37915 -+#include <linux/genetlink.h>
37916 -+#include <net/rtnetlink.h>
37917 -+
37918 -+static int __init mod_init(void)
37919 -+{
37920 -+ int ret;
37921 -+
37922 -+#ifdef DEBUG
37923 -+ if (!wg_allowedips_selftest() || !wg_packet_counter_selftest() ||
37924 -+ !wg_ratelimiter_selftest())
37925 -+ return -ENOTRECOVERABLE;
37926 -+#endif
37927 -+ wg_noise_init();
37928 -+
37929 -+ ret = wg_device_init();
37930 -+ if (ret < 0)
37931 -+ goto err_device;
37932 -+
37933 -+ ret = wg_genetlink_init();
37934 -+ if (ret < 0)
37935 -+ goto err_netlink;
37936 -+
37937 -+ pr_info("WireGuard " WIREGUARD_VERSION " loaded. See www.wireguard.com for information.\n");
37938 -+ pr_info("Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.\n");
37939 -+
37940 -+ return 0;
37941 -+
37942 -+err_netlink:
37943 -+ wg_device_uninit();
37944 -+err_device:
37945 -+ return ret;
37946 -+}
37947 -+
37948 -+static void __exit mod_exit(void)
37949 -+{
37950 -+ wg_genetlink_uninit();
37951 -+ wg_device_uninit();
37952 -+}
37953 -+
37954 -+module_init(mod_init);
37955 -+module_exit(mod_exit);
37956 -+MODULE_LICENSE("GPL v2");
37957 -+MODULE_DESCRIPTION("WireGuard secure network tunnel");
37958 -+MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
37959 -+MODULE_VERSION(WIREGUARD_VERSION);
37960 -+MODULE_ALIAS_RTNL_LINK(KBUILD_MODNAME);
37961 -+MODULE_ALIAS_GENL_FAMILY(WG_GENL_NAME);
37962 ---- b/drivers/net/wireguard/messages.h
37963 -+++ b/drivers/net/wireguard/messages.h
37964 -@@ -0,0 +1,128 @@
37965 -+/* SPDX-License-Identifier: GPL-2.0 */
37966 -+/*
37967 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37968 -+ */
37969 -+
37970 -+#ifndef _WG_MESSAGES_H
37971 -+#define _WG_MESSAGES_H
37972 -+
37973 -+#include <crypto/curve25519.h>
37974 -+#include <crypto/chacha20poly1305.h>
37975 -+#include <crypto/blake2s.h>
37976 -+
37977 -+#include <linux/kernel.h>
37978 -+#include <linux/param.h>
37979 -+#include <linux/skbuff.h>
37980 -+
37981 -+enum noise_lengths {
37982 -+ NOISE_PUBLIC_KEY_LEN = CURVE25519_KEY_SIZE,
37983 -+ NOISE_SYMMETRIC_KEY_LEN = CHACHA20POLY1305_KEY_SIZE,
37984 -+ NOISE_TIMESTAMP_LEN = sizeof(u64) + sizeof(u32),
37985 -+ NOISE_AUTHTAG_LEN = CHACHA20POLY1305_AUTHTAG_SIZE,
37986 -+ NOISE_HASH_LEN = BLAKE2S_HASH_SIZE
37987 -+};
37988 -+
37989 -+#define noise_encrypted_len(plain_len) ((plain_len) + NOISE_AUTHTAG_LEN)
37990 -+
37991 -+enum cookie_values {
37992 -+ COOKIE_SECRET_MAX_AGE = 2 * 60,
37993 -+ COOKIE_SECRET_LATENCY = 5,
37994 -+ COOKIE_NONCE_LEN = XCHACHA20POLY1305_NONCE_SIZE,
37995 -+ COOKIE_LEN = 16
37996 -+};
37997 -+
37998 -+enum counter_values {
37999 -+ COUNTER_BITS_TOTAL = 8192,
38000 -+ COUNTER_REDUNDANT_BITS = BITS_PER_LONG,
38001 -+ COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS
38002 -+};
38003 -+
38004 -+enum limits {
38005 -+ REKEY_AFTER_MESSAGES = 1ULL << 60,
38006 -+ REJECT_AFTER_MESSAGES = U64_MAX - COUNTER_WINDOW_SIZE - 1,
38007 -+ REKEY_TIMEOUT = 5,
38008 -+ REKEY_TIMEOUT_JITTER_MAX_JIFFIES = HZ / 3,
38009 -+ REKEY_AFTER_TIME = 120,
38010 -+ REJECT_AFTER_TIME = 180,
38011 -+ INITIATIONS_PER_SECOND = 50,
38012 -+ MAX_PEERS_PER_DEVICE = 1U << 20,
38013 -+ KEEPALIVE_TIMEOUT = 10,
38014 -+ MAX_TIMER_HANDSHAKES = 90 / REKEY_TIMEOUT,
38015 -+ MAX_QUEUED_INCOMING_HANDSHAKES = 4096, /* TODO: replace this with DQL */
38016 -+ MAX_STAGED_PACKETS = 128,
38017 -+ MAX_QUEUED_PACKETS = 1024 /* TODO: replace this with DQL */
38018 -+};
38019 -+
38020 -+enum message_type {
38021 -+ MESSAGE_INVALID = 0,
38022 -+ MESSAGE_HANDSHAKE_INITIATION = 1,
38023 -+ MESSAGE_HANDSHAKE_RESPONSE = 2,
38024 -+ MESSAGE_HANDSHAKE_COOKIE = 3,
38025 -+ MESSAGE_DATA = 4
38026 -+};
38027 -+
38028 -+struct message_header {
38029 -+ /* The actual layout of this that we want is:
38030 -+ * u8 type
38031 -+ * u8 reserved_zero[3]
38032 -+ *
38033 -+ * But it turns out that by encoding this as little endian,
38034 -+ * we achieve the same thing, and it makes checking faster.
38035 -+ */
38036 -+ __le32 type;
38037 -+};
38038 -+
38039 -+struct message_macs {
38040 -+ u8 mac1[COOKIE_LEN];
38041 -+ u8 mac2[COOKIE_LEN];
38042 -+};
38043 -+
38044 -+struct message_handshake_initiation {
38045 -+ struct message_header header;
38046 -+ __le32 sender_index;
38047 -+ u8 unencrypted_ephemeral[NOISE_PUBLIC_KEY_LEN];
38048 -+ u8 encrypted_static[noise_encrypted_len(NOISE_PUBLIC_KEY_LEN)];
38049 -+ u8 encrypted_timestamp[noise_encrypted_len(NOISE_TIMESTAMP_LEN)];
38050 -+ struct message_macs macs;
38051 -+};
38052 -+
38053 -+struct message_handshake_response {
38054 -+ struct message_header header;
38055 -+ __le32 sender_index;
38056 -+ __le32 receiver_index;
38057 -+ u8 unencrypted_ephemeral[NOISE_PUBLIC_KEY_LEN];
38058 -+ u8 encrypted_nothing[noise_encrypted_len(0)];
38059 -+ struct message_macs macs;
38060 -+};
38061 -+
38062 -+struct message_handshake_cookie {
38063 -+ struct message_header header;
38064 -+ __le32 receiver_index;
38065 -+ u8 nonce[COOKIE_NONCE_LEN];
38066 -+ u8 encrypted_cookie[noise_encrypted_len(COOKIE_LEN)];
38067 -+};
38068 -+
38069 -+struct message_data {
38070 -+ struct message_header header;
38071 -+ __le32 key_idx;
38072 -+ __le64 counter;
38073 -+ u8 encrypted_data[];
38074 -+};
38075 -+
38076 -+#define message_data_len(plain_len) \
38077 -+ (noise_encrypted_len(plain_len) + sizeof(struct message_data))
38078 -+
38079 -+enum message_alignments {
38080 -+ MESSAGE_PADDING_MULTIPLE = 16,
38081 -+ MESSAGE_MINIMUM_LENGTH = message_data_len(0)
38082 -+};
38083 -+
38084 -+#define SKB_HEADER_LEN \
38085 -+ (max(sizeof(struct iphdr), sizeof(struct ipv6hdr)) + \
38086 -+ sizeof(struct udphdr) + NET_SKB_PAD)
38087 -+#define DATA_PACKET_HEAD_ROOM \
38088 -+ ALIGN(sizeof(struct message_data) + SKB_HEADER_LEN, 4)
38089 -+
38090 -+enum { HANDSHAKE_DSCP = 0x88 /* AF41, plus 00 ECN */ };
38091 -+
38092 -+#endif /* _WG_MESSAGES_H */
38093 ---- b/drivers/net/wireguard/netlink.c
38094 -+++ b/drivers/net/wireguard/netlink.c
38095 -@@ -0,0 +1,646 @@
38096 -+// SPDX-License-Identifier: GPL-2.0
38097 -+/*
38098 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38099 -+ */
38100 -+
38101 -+#include "netlink.h"
38102 -+#include "device.h"
38103 -+#include "peer.h"
38104 -+#include "socket.h"
38105 -+#include "queueing.h"
38106 -+#include "messages.h"
38107 -+
38108 -+#include <uapi/linux/wireguard.h>
38109 -+
38110 -+#include <linux/if.h>
38111 -+#include <net/genetlink.h>
38112 -+#include <net/sock.h>
38113 -+#include <crypto/algapi.h>
38114 -+
38115 -+static struct genl_family genl_family;
38116 -+
38117 -+static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
38118 -+ [WGDEVICE_A_IFINDEX] = { .type = NLA_U32 },
38119 -+ [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ - 1 },
38120 -+ [WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
38121 -+ [WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
38122 -+ [WGDEVICE_A_FLAGS] = { .type = NLA_U32 },
38123 -+ [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 },
38124 -+ [WGDEVICE_A_FWMARK] = { .type = NLA_U32 },
38125 -+ [WGDEVICE_A_PEERS] = { .type = NLA_NESTED }
38126 -+};
38127 -+
38128 -+static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
38129 -+ [WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
38130 -+ [WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(NOISE_SYMMETRIC_KEY_LEN),
38131 -+ [WGPEER_A_FLAGS] = { .type = NLA_U32 },
38132 -+ [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)),
38133 -+ [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 },
38134 -+ [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)),
38135 -+ [WGPEER_A_RX_BYTES] = { .type = NLA_U64 },
38136 -+ [WGPEER_A_TX_BYTES] = { .type = NLA_U64 },
38137 -+ [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED },
38138 -+ [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }
38139 -+};
38140 -+
38141 -+static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = {
38142 -+ [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 },
38143 -+ [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)),
38144 -+ [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 }
38145 -+};
38146 -+
38147 -+static struct wg_device *lookup_interface(struct nlattr **attrs,
38148 -+ struct sk_buff *skb)
38149 -+{
38150 -+ struct net_device *dev = NULL;
38151 -+
38152 -+ if (!attrs[WGDEVICE_A_IFINDEX] == !attrs[WGDEVICE_A_IFNAME])
38153 -+ return ERR_PTR(-EBADR);
38154 -+ if (attrs[WGDEVICE_A_IFINDEX])
38155 -+ dev = dev_get_by_index(sock_net(skb->sk),
38156 -+ nla_get_u32(attrs[WGDEVICE_A_IFINDEX]));
38157 -+ else if (attrs[WGDEVICE_A_IFNAME])
38158 -+ dev = dev_get_by_name(sock_net(skb->sk),
38159 -+ nla_data(attrs[WGDEVICE_A_IFNAME]));
38160 -+ if (!dev)
38161 -+ return ERR_PTR(-ENODEV);
38162 -+ if (!dev->rtnl_link_ops || !dev->rtnl_link_ops->kind ||
38163 -+ strcmp(dev->rtnl_link_ops->kind, KBUILD_MODNAME)) {
38164 -+ dev_put(dev);
38165 -+ return ERR_PTR(-EOPNOTSUPP);
38166 -+ }
38167 -+ return netdev_priv(dev);
38168 -+}
38169 -+
38170 -+static int get_allowedips(struct sk_buff *skb, const u8 *ip, u8 cidr,
38171 -+ int family)
38172 -+{
38173 -+ struct nlattr *allowedip_nest;
38174 -+
38175 -+ allowedip_nest = nla_nest_start(skb, 0);
38176 -+ if (!allowedip_nest)
38177 -+ return -EMSGSIZE;
38178 -+
38179 -+ if (nla_put_u8(skb, WGALLOWEDIP_A_CIDR_MASK, cidr) ||
38180 -+ nla_put_u16(skb, WGALLOWEDIP_A_FAMILY, family) ||
38181 -+ nla_put(skb, WGALLOWEDIP_A_IPADDR, family == AF_INET6 ?
38182 -+ sizeof(struct in6_addr) : sizeof(struct in_addr), ip)) {
38183 -+ nla_nest_cancel(skb, allowedip_nest);
38184 -+ return -EMSGSIZE;
38185 -+ }
38186 -+
38187 -+ nla_nest_end(skb, allowedip_nest);
38188 -+ return 0;
38189 -+}
38190 -+
38191 -+struct dump_ctx {
38192 -+ struct wg_device *wg;
38193 -+ struct wg_peer *next_peer;
38194 -+ u64 allowedips_seq;
38195 -+ struct allowedips_node *next_allowedip;
38196 -+};
38197 -+
38198 -+#define DUMP_CTX(cb) ((struct dump_ctx *)(cb)->args)
38199 -+
38200 -+static int
38201 -+get_peer(struct wg_peer *peer, struct sk_buff *skb, struct dump_ctx *ctx)
38202 -+{
38203 -+
38204 -+ struct nlattr *allowedips_nest, *peer_nest = nla_nest_start(skb, 0);
38205 -+ struct allowedips_node *allowedips_node = ctx->next_allowedip;
38206 -+ bool fail;
38207 -+
38208 -+ if (!peer_nest)
38209 -+ return -EMSGSIZE;
38210 -+
38211 -+ down_read(&peer->handshake.lock);
38212 -+ fail = nla_put(skb, WGPEER_A_PUBLIC_KEY, NOISE_PUBLIC_KEY_LEN,
38213 -+ peer->handshake.remote_static);
38214 -+ up_read(&peer->handshake.lock);
38215 -+ if (fail)
38216 -+ goto err;
38217 -+
38218 -+ if (!allowedips_node) {
38219 -+ const struct __kernel_timespec last_handshake = {
38220 -+ .tv_sec = peer->walltime_last_handshake.tv_sec,
38221 -+ .tv_nsec = peer->walltime_last_handshake.tv_nsec
38222 -+ };
38223 -+
38224 -+ down_read(&peer->handshake.lock);
38225 -+ fail = nla_put(skb, WGPEER_A_PRESHARED_KEY,
38226 -+ NOISE_SYMMETRIC_KEY_LEN,
38227 -+ peer->handshake.preshared_key);
38228 -+ up_read(&peer->handshake.lock);
38229 -+ if (fail)
38230 -+ goto err;
38231 -+
38232 -+ if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME,
38233 -+ sizeof(last_handshake), &last_handshake) ||
38234 -+ nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
38235 -+ peer->persistent_keepalive_interval) ||
38236 -+ nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes,
38237 -+ WGPEER_A_UNSPEC) ||
38238 -+ nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes,
38239 -+ WGPEER_A_UNSPEC) ||
38240 -+ nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1))
38241 -+ goto err;
38242 -+
38243 -+ read_lock_bh(&peer->endpoint_lock);
38244 -+ if (peer->endpoint.addr.sa_family == AF_INET)
38245 -+ fail = nla_put(skb, WGPEER_A_ENDPOINT,
38246 -+ sizeof(peer->endpoint.addr4),
38247 -+ &peer->endpoint.addr4);
38248 -+ else if (peer->endpoint.addr.sa_family == AF_INET6)
38249 -+ fail = nla_put(skb, WGPEER_A_ENDPOINT,
38250 -+ sizeof(peer->endpoint.addr6),
38251 -+ &peer->endpoint.addr6);
38252 -+ read_unlock_bh(&peer->endpoint_lock);
38253 -+ if (fail)
38254 -+ goto err;
38255 -+ allowedips_node =
38256 -+ list_first_entry_or_null(&peer->allowedips_list,
38257 -+ struct allowedips_node, peer_list);
38258 -+ }
38259 -+ if (!allowedips_node)
38260 -+ goto no_allowedips;
38261 -+ if (!ctx->allowedips_seq)
38262 -+ ctx->allowedips_seq = peer->device->peer_allowedips.seq;
38263 -+ else if (ctx->allowedips_seq != peer->device->peer_allowedips.seq)
38264 -+ goto no_allowedips;
38265 -+
38266 -+ allowedips_nest = nla_nest_start(skb, WGPEER_A_ALLOWEDIPS);
38267 -+ if (!allowedips_nest)
38268 -+ goto err;
38269 -+
38270 -+ list_for_each_entry_from(allowedips_node, &peer->allowedips_list,
38271 -+ peer_list) {
38272 -+ u8 cidr, ip[16] __aligned(__alignof(u64));
38273 -+ int family;
38274 -+
38275 -+ family = wg_allowedips_read_node(allowedips_node, ip, &cidr);
38276 -+ if (get_allowedips(skb, ip, cidr, family)) {
38277 -+ nla_nest_end(skb, allowedips_nest);
38278 -+ nla_nest_end(skb, peer_nest);
38279 -+ ctx->next_allowedip = allowedips_node;
38280 -+ return -EMSGSIZE;
38281 -+ }
38282 -+ }
38283 -+ nla_nest_end(skb, allowedips_nest);
38284 -+no_allowedips:
38285 -+ nla_nest_end(skb, peer_nest);
38286 -+ ctx->next_allowedip = NULL;
38287 -+ ctx->allowedips_seq = 0;
38288 -+ return 0;
38289 -+err:
38290 -+ nla_nest_cancel(skb, peer_nest);
38291 -+ return -EMSGSIZE;
38292 -+}
38293 -+
38294 -+static int wg_get_device_start(struct netlink_callback *cb)
38295 -+{
38296 -+ struct nlattr **attrs = genl_family_attrbuf(&genl_family);
38297 -+ struct wg_device *wg;
38298 -+ int ret;
38299 -+
38300 -+ ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + genl_family.hdrsize, attrs,
38301 -+ genl_family.maxattr, device_policy, NULL);
38302 -+ if (ret < 0)
38303 -+ return ret;
38304 -+ wg = lookup_interface(attrs, cb->skb);
38305 -+ if (IS_ERR(wg))
38306 -+ return PTR_ERR(wg);
38307 -+ DUMP_CTX(cb)->wg = wg;
38308 -+ return 0;
38309 -+}
38310 -+
38311 -+static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
38312 -+{
38313 -+ struct wg_peer *peer, *next_peer_cursor;
38314 -+ struct dump_ctx *ctx = DUMP_CTX(cb);
38315 -+ struct wg_device *wg = ctx->wg;
38316 -+ struct nlattr *peers_nest;
38317 -+ int ret = -EMSGSIZE;
38318 -+ bool done = true;
38319 -+ void *hdr;
38320 -+
38321 -+ rtnl_lock();
38322 -+ mutex_lock(&wg->device_update_lock);
38323 -+ cb->seq = wg->device_update_gen;
38324 -+ next_peer_cursor = ctx->next_peer;
38325 -+
38326 -+ hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
38327 -+ &genl_family, NLM_F_MULTI, WG_CMD_GET_DEVICE);
38328 -+ if (!hdr)
38329 -+ goto out;
38330 -+ genl_dump_check_consistent(cb, hdr);
38331 -+
38332 -+ if (!ctx->next_peer) {
38333 -+ if (nla_put_u16(skb, WGDEVICE_A_LISTEN_PORT,
38334 -+ wg->incoming_port) ||
38335 -+ nla_put_u32(skb, WGDEVICE_A_FWMARK, wg->fwmark) ||
38336 -+ nla_put_u32(skb, WGDEVICE_A_IFINDEX, wg->dev->ifindex) ||
38337 -+ nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name))
38338 -+ goto out;
38339 -+
38340 -+ down_read(&wg->static_identity.lock);
38341 -+ if (wg->static_identity.has_identity) {
38342 -+ if (nla_put(skb, WGDEVICE_A_PRIVATE_KEY,
38343 -+ NOISE_PUBLIC_KEY_LEN,
38344 -+ wg->static_identity.static_private) ||
38345 -+ nla_put(skb, WGDEVICE_A_PUBLIC_KEY,
38346 -+ NOISE_PUBLIC_KEY_LEN,
38347 -+ wg->static_identity.static_public)) {
38348 -+ up_read(&wg->static_identity.lock);
38349 -+ goto out;
38350 -+ }
38351 -+ }
38352 -+ up_read(&wg->static_identity.lock);
38353 -+ }
38354 -+
38355 -+ peers_nest = nla_nest_start(skb, WGDEVICE_A_PEERS);
38356 -+ if (!peers_nest)
38357 -+ goto out;
38358 -+ ret = 0;
38359 -+ /* If the last cursor was removed via list_del_init in peer_remove, then
38360 -+ * we just treat this the same as there being no more peers left. The
38361 -+ * reason is that seq_nr should indicate to userspace that this isn't a
38362 -+ * coherent dump anyway, so they'll try again.
38363 -+ */
38364 -+ if (list_empty(&wg->peer_list) ||
38365 -+ (ctx->next_peer && list_empty(&ctx->next_peer->peer_list))) {
38366 -+ nla_nest_cancel(skb, peers_nest);
38367 -+ goto out;
38368 -+ }
38369 -+ lockdep_assert_held(&wg->device_update_lock);
38370 -+ peer = list_prepare_entry(ctx->next_peer, &wg->peer_list, peer_list);
38371 -+ list_for_each_entry_continue(peer, &wg->peer_list, peer_list) {
38372 -+ if (get_peer(peer, skb, ctx)) {
38373 -+ done = false;
38374 -+ break;
38375 -+ }
38376 -+ next_peer_cursor = peer;
38377 -+ }
38378 -+ nla_nest_end(skb, peers_nest);
38379 -+
38380 -+out:
38381 -+ if (!ret && !done && next_peer_cursor)
38382 -+ wg_peer_get(next_peer_cursor);
38383 -+ wg_peer_put(ctx->next_peer);
38384 -+ mutex_unlock(&wg->device_update_lock);
38385 -+ rtnl_unlock();
38386 -+
38387 -+ if (ret) {
38388 -+ genlmsg_cancel(skb, hdr);
38389 -+ return ret;
38390 -+ }
38391 -+ genlmsg_end(skb, hdr);
38392 -+ if (done) {
38393 -+ ctx->next_peer = NULL;
38394 -+ return 0;
38395 -+ }
38396 -+ ctx->next_peer = next_peer_cursor;
38397 -+ return skb->len;
38398 -+
38399 -+ /* At this point, we can't really deal ourselves with safely zeroing out
38400 -+ * the private key material after usage. This will need an additional API
38401 -+ * in the kernel for marking skbs as zero_on_free.
38402 -+ */
38403 -+}
38404 -+
38405 -+static int wg_get_device_done(struct netlink_callback *cb)
38406 -+{
38407 -+ struct dump_ctx *ctx = DUMP_CTX(cb);
38408 -+
38409 -+ if (ctx->wg)
38410 -+ dev_put(ctx->wg->dev);
38411 -+ wg_peer_put(ctx->next_peer);
38412 -+ return 0;
38413 -+}
38414 -+
38415 -+static int set_port(struct wg_device *wg, u16 port)
38416 -+{
38417 -+ struct wg_peer *peer;
38418 -+
38419 -+ if (wg->incoming_port == port)
38420 -+ return 0;
38421 -+ list_for_each_entry(peer, &wg->peer_list, peer_list)
38422 -+ wg_socket_clear_peer_endpoint_src(peer);
38423 -+ if (!netif_running(wg->dev)) {
38424 -+ wg->incoming_port = port;
38425 -+ return 0;
38426 -+ }
38427 -+ return wg_socket_init(wg, port);
38428 -+}
38429 -+
38430 -+static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs)
38431 -+{
38432 -+ int ret = -EINVAL;
38433 -+ u16 family;
38434 -+ u8 cidr;
38435 -+
38436 -+ if (!attrs[WGALLOWEDIP_A_FAMILY] || !attrs[WGALLOWEDIP_A_IPADDR] ||
38437 -+ !attrs[WGALLOWEDIP_A_CIDR_MASK])
38438 -+ return ret;
38439 -+ family = nla_get_u16(attrs[WGALLOWEDIP_A_FAMILY]);
38440 -+ cidr = nla_get_u8(attrs[WGALLOWEDIP_A_CIDR_MASK]);
38441 -+
38442 -+ if (family == AF_INET && cidr <= 32 &&
38443 -+ nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr))
38444 -+ ret = wg_allowedips_insert_v4(
38445 -+ &peer->device->peer_allowedips,
38446 -+ nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer,
38447 -+ &peer->device->device_update_lock);
38448 -+ else if (family == AF_INET6 && cidr <= 128 &&
38449 -+ nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr))
38450 -+ ret = wg_allowedips_insert_v6(
38451 -+ &peer->device->peer_allowedips,
38452 -+ nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer,
38453 -+ &peer->device->device_update_lock);
38454 -+
38455 -+ return ret;
38456 -+}
38457 -+
38458 -+static int set_peer(struct wg_device *wg, struct nlattr **attrs)
38459 -+{
38460 -+ u8 *public_key = NULL, *preshared_key = NULL;
38461 -+ struct wg_peer *peer = NULL;
38462 -+ u32 flags = 0;
38463 -+ int ret;
38464 -+
38465 -+ ret = -EINVAL;
38466 -+ if (attrs[WGPEER_A_PUBLIC_KEY] &&
38467 -+ nla_len(attrs[WGPEER_A_PUBLIC_KEY]) == NOISE_PUBLIC_KEY_LEN)
38468 -+ public_key = nla_data(attrs[WGPEER_A_PUBLIC_KEY]);
38469 -+ else
38470 -+ goto out;
38471 -+ if (attrs[WGPEER_A_PRESHARED_KEY] &&
38472 -+ nla_len(attrs[WGPEER_A_PRESHARED_KEY]) == NOISE_SYMMETRIC_KEY_LEN)
38473 -+ preshared_key = nla_data(attrs[WGPEER_A_PRESHARED_KEY]);
38474 -+
38475 -+ if (attrs[WGPEER_A_FLAGS])
38476 -+ flags = nla_get_u32(attrs[WGPEER_A_FLAGS]);
38477 -+ ret = -EOPNOTSUPP;
38478 -+ if (flags & ~__WGPEER_F_ALL)
38479 -+ goto out;
38480 -+
38481 -+ ret = -EPFNOSUPPORT;
38482 -+ if (attrs[WGPEER_A_PROTOCOL_VERSION]) {
38483 -+ if (nla_get_u32(attrs[WGPEER_A_PROTOCOL_VERSION]) != 1)
38484 -+ goto out;
38485 -+ }
38486 -+
38487 -+ peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable,
38488 -+ nla_data(attrs[WGPEER_A_PUBLIC_KEY]));
38489 -+ ret = 0;
38490 -+ if (!peer) { /* Peer doesn't exist yet. Add a new one. */
38491 -+ if (flags & (WGPEER_F_REMOVE_ME | WGPEER_F_UPDATE_ONLY))
38492 -+ goto out;
38493 -+
38494 -+ /* The peer is new, so there aren't allowed IPs to remove. */
38495 -+ flags &= ~WGPEER_F_REPLACE_ALLOWEDIPS;
38496 -+
38497 -+ down_read(&wg->static_identity.lock);
38498 -+ if (wg->static_identity.has_identity &&
38499 -+ !memcmp(nla_data(attrs[WGPEER_A_PUBLIC_KEY]),
38500 -+ wg->static_identity.static_public,
38501 -+ NOISE_PUBLIC_KEY_LEN)) {
38502 -+ /* We silently ignore peers that have the same public
38503 -+ * key as the device. The reason we do it silently is
38504 -+ * that we'd like for people to be able to reuse the
38505 -+ * same set of API calls across peers.
38506 -+ */
38507 -+ up_read(&wg->static_identity.lock);
38508 -+ ret = 0;
38509 -+ goto out;
38510 -+ }
38511 -+ up_read(&wg->static_identity.lock);
38512 -+
38513 -+ peer = wg_peer_create(wg, public_key, preshared_key);
38514 -+ if (IS_ERR(peer)) {
38515 -+ ret = PTR_ERR(peer);
38516 -+ peer = NULL;
38517 -+ goto out;
38518 -+ }
38519 -+ /* Take additional reference, as though we've just been
38520 -+ * looked up.
38521 -+ */
38522 -+ wg_peer_get(peer);
38523 -+ }
38524 -+
38525 -+ if (flags & WGPEER_F_REMOVE_ME) {
38526 -+ wg_peer_remove(peer);
38527 -+ goto out;
38528 -+ }
38529 -+
38530 -+ if (preshared_key) {
38531 -+ down_write(&peer->handshake.lock);
38532 -+ memcpy(&peer->handshake.preshared_key, preshared_key,
38533 -+ NOISE_SYMMETRIC_KEY_LEN);
38534 -+ up_write(&peer->handshake.lock);
38535 -+ }
38536 -+
38537 -+ if (attrs[WGPEER_A_ENDPOINT]) {
38538 -+ struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]);
38539 -+ size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]);
38540 -+
38541 -+ if ((len == sizeof(struct sockaddr_in) &&
38542 -+ addr->sa_family == AF_INET) ||
38543 -+ (len == sizeof(struct sockaddr_in6) &&
38544 -+ addr->sa_family == AF_INET6)) {
38545 -+ struct endpoint endpoint = { { { 0 } } };
38546 -+
38547 -+ memcpy(&endpoint.addr, addr, len);
38548 -+ wg_socket_set_peer_endpoint(peer, &endpoint);
38549 -+ }
38550 -+ }
38551 -+
38552 -+ if (flags & WGPEER_F_REPLACE_ALLOWEDIPS)
38553 -+ wg_allowedips_remove_by_peer(&wg->peer_allowedips, peer,
38554 -+ &wg->device_update_lock);
38555 -+
38556 -+ if (attrs[WGPEER_A_ALLOWEDIPS]) {
38557 -+ struct nlattr *attr, *allowedip[WGALLOWEDIP_A_MAX + 1];
38558 -+ int rem;
38559 -+
38560 -+ nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) {
38561 -+ ret = nla_parse_nested(allowedip, WGALLOWEDIP_A_MAX,
38562 -+ attr, allowedip_policy, NULL);
38563 -+ if (ret < 0)
38564 -+ goto out;
38565 -+ ret = set_allowedip(peer, allowedip);
38566 -+ if (ret < 0)
38567 -+ goto out;
38568 -+ }
38569 -+ }
38570 -+
38571 -+ if (attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]) {
38572 -+ const u16 persistent_keepalive_interval = nla_get_u16(
38573 -+ attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]);
38574 -+ const bool send_keepalive =
38575 -+ !peer->persistent_keepalive_interval &&
38576 -+ persistent_keepalive_interval &&
38577 -+ netif_running(wg->dev);
38578 -+
38579 -+ peer->persistent_keepalive_interval = persistent_keepalive_interval;
38580 -+ if (send_keepalive)
38581 -+ wg_packet_send_keepalive(peer);
38582 -+ }
38583 -+
38584 -+ if (netif_running(wg->dev))
38585 -+ wg_packet_send_staged_packets(peer);
38586 -+
38587 -+out:
38588 -+ wg_peer_put(peer);
38589 -+ if (attrs[WGPEER_A_PRESHARED_KEY])
38590 -+ memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]),
38591 -+ nla_len(attrs[WGPEER_A_PRESHARED_KEY]));
38592 -+ return ret;
38593 -+}
38594 -+
38595 -+static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
38596 -+{
38597 -+ struct wg_device *wg = lookup_interface(info->attrs, skb);
38598 -+ u32 flags = 0;
38599 -+ int ret;
38600 -+
38601 -+ if (IS_ERR(wg)) {
38602 -+ ret = PTR_ERR(wg);
38603 -+ goto out_nodev;
38604 -+ }
38605 -+
38606 -+ rtnl_lock();
38607 -+ mutex_lock(&wg->device_update_lock);
38608 -+
38609 -+ if (info->attrs[WGDEVICE_A_FLAGS])
38610 -+ flags = nla_get_u32(info->attrs[WGDEVICE_A_FLAGS]);
38611 -+ ret = -EOPNOTSUPP;
38612 -+ if (flags & ~__WGDEVICE_F_ALL)
38613 -+ goto out;
38614 -+
38615 -+ if (info->attrs[WGDEVICE_A_LISTEN_PORT] || info->attrs[WGDEVICE_A_FWMARK]) {
38616 -+ struct net *net;
38617 -+ rcu_read_lock();
38618 -+ net = rcu_dereference(wg->creating_net);
38619 -+ ret = !net || !ns_capable(net->user_ns, CAP_NET_ADMIN) ? -EPERM : 0;
38620 -+ rcu_read_unlock();
38621 -+ if (ret)
38622 -+ goto out;
38623 -+ }
38624 -+
38625 -+ ++wg->device_update_gen;
38626 -+
38627 -+ if (info->attrs[WGDEVICE_A_FWMARK]) {
38628 -+ struct wg_peer *peer;
38629 -+
38630 -+ wg->fwmark = nla_get_u32(info->attrs[WGDEVICE_A_FWMARK]);
38631 -+ list_for_each_entry(peer, &wg->peer_list, peer_list)
38632 -+ wg_socket_clear_peer_endpoint_src(peer);
38633 -+ }
38634 -+
38635 -+ if (info->attrs[WGDEVICE_A_LISTEN_PORT]) {
38636 -+ ret = set_port(wg,
38637 -+ nla_get_u16(info->attrs[WGDEVICE_A_LISTEN_PORT]));
38638 -+ if (ret)
38639 -+ goto out;
38640 -+ }
38641 -+
38642 -+ if (flags & WGDEVICE_F_REPLACE_PEERS)
38643 -+ wg_peer_remove_all(wg);
38644 -+
38645 -+ if (info->attrs[WGDEVICE_A_PRIVATE_KEY] &&
38646 -+ nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]) ==
38647 -+ NOISE_PUBLIC_KEY_LEN) {
38648 -+ u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
38649 -+ u8 public_key[NOISE_PUBLIC_KEY_LEN];
38650 -+ struct wg_peer *peer, *temp;
38651 -+
38652 -+ if (!crypto_memneq(wg->static_identity.static_private,
38653 -+ private_key, NOISE_PUBLIC_KEY_LEN))
38654 -+ goto skip_set_private_key;
38655 -+
38656 -+ /* We remove before setting, to prevent race, which means doing
38657 -+ * two 25519-genpub ops.
38658 -+ */
38659 -+ if (curve25519_generate_public(public_key, private_key)) {
38660 -+ peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable,
38661 -+ public_key);
38662 -+ if (peer) {
38663 -+ wg_peer_put(peer);
38664 -+ wg_peer_remove(peer);
38665 -+ }
38666 -+ }
38667 -+
38668 -+ down_write(&wg->static_identity.lock);
38669 -+ wg_noise_set_static_identity_private_key(&wg->static_identity,
38670 -+ private_key);
38671 -+ list_for_each_entry_safe(peer, temp, &wg->peer_list,
38672 -+ peer_list) {
38673 -+ wg_noise_precompute_static_static(peer);
38674 -+ wg_noise_expire_current_peer_keypairs(peer);
38675 -+ }
38676 -+ wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
38677 -+ up_write(&wg->static_identity.lock);
38678 -+ }
38679 -+skip_set_private_key:
38680 -+
38681 -+ if (info->attrs[WGDEVICE_A_PEERS]) {
38682 -+ struct nlattr *attr, *peer[WGPEER_A_MAX + 1];
38683 -+ int rem;
38684 -+
38685 -+ nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) {
38686 -+ ret = nla_parse_nested(peer, WGPEER_A_MAX, attr,
38687 -+ peer_policy, NULL);
38688 -+ if (ret < 0)
38689 -+ goto out;
38690 -+ ret = set_peer(wg, peer);
38691 -+ if (ret < 0)
38692 -+ goto out;
38693 -+ }
38694 -+ }
38695 -+ ret = 0;
38696 -+
38697 -+out:
38698 -+ mutex_unlock(&wg->device_update_lock);
38699 -+ rtnl_unlock();
38700 -+ dev_put(wg->dev);
38701 -+out_nodev:
38702 -+ if (info->attrs[WGDEVICE_A_PRIVATE_KEY])
38703 -+ memzero_explicit(nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]),
38704 -+ nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]));
38705 -+ return ret;
38706 -+}
38707 -+
38708 -+static const struct genl_ops genl_ops[] = {
38709 -+ {
38710 -+ .cmd = WG_CMD_GET_DEVICE,
38711 -+ .start = wg_get_device_start,
38712 -+ .dumpit = wg_get_device_dump,
38713 -+ .done = wg_get_device_done,
38714 -+ .flags = GENL_UNS_ADMIN_PERM
38715 -+ }, {
38716 -+ .cmd = WG_CMD_SET_DEVICE,
38717 -+ .doit = wg_set_device,
38718 -+ .flags = GENL_UNS_ADMIN_PERM
38719 -+ }
38720 -+};
38721 -+
38722 -+static struct genl_family genl_family __ro_after_init = {
38723 -+ .ops = genl_ops,
38724 -+ .n_ops = ARRAY_SIZE(genl_ops),
38725 -+ .name = WG_GENL_NAME,
38726 -+ .version = WG_GENL_VERSION,
38727 -+ .maxattr = WGDEVICE_A_MAX,
38728 -+ .module = THIS_MODULE,
38729 -+ .policy = device_policy,
38730 -+ .netnsok = true
38731 -+};
38732 -+
38733 -+int __init wg_genetlink_init(void)
38734 -+{
38735 -+ return genl_register_family(&genl_family);
38736 -+}
38737 -+
38738 -+void __exit wg_genetlink_uninit(void)
38739 -+{
38740 -+ genl_unregister_family(&genl_family);
38741 -+}
38742 ---- /dev/null
38743 -+++ b/drivers/net/wireguard/netlink.h
38744 -@@ -0,0 +1,12 @@
38745 -+/* SPDX-License-Identifier: GPL-2.0 */
38746 -+/*
38747 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38748 -+ */
38749 -+
38750 -+#ifndef _WG_NETLINK_H
38751 -+#define _WG_NETLINK_H
38752 -+
38753 -+int wg_genetlink_init(void);
38754 -+void wg_genetlink_uninit(void);
38755 -+
38756 -+#endif /* _WG_NETLINK_H */
38757 ---- b/drivers/net/wireguard/noise.c
38758 -+++ b/drivers/net/wireguard/noise.c
38759 -@@ -0,0 +1,828 @@
38760 -+// SPDX-License-Identifier: GPL-2.0
38761 -+/*
38762 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38763 -+ */
38764 -+
38765 -+#include "noise.h"
38766 -+#include "device.h"
38767 -+#include "peer.h"
38768 -+#include "messages.h"
38769 -+#include "queueing.h"
38770 -+#include "peerlookup.h"
38771 -+
38772 -+#include <linux/rcupdate.h>
38773 -+#include <linux/slab.h>
38774 -+#include <linux/bitmap.h>
38775 -+#include <linux/scatterlist.h>
38776 -+#include <linux/highmem.h>
38777 -+#include <crypto/algapi.h>
38778 -+
38779 -+/* This implements Noise_IKpsk2:
38780 -+ *
38781 -+ * <- s
38782 -+ * ******
38783 -+ * -> e, es, s, ss, {t}
38784 -+ * <- e, ee, se, psk, {}
38785 -+ */
38786 -+
38787 -+static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
38788 -+static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason@×××××.com";
38789 -+static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init;
38790 -+static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init;
38791 -+static atomic64_t keypair_counter = ATOMIC64_INIT(0);
38792 -+
38793 -+void __init wg_noise_init(void)
38794 -+{
38795 -+ struct blake2s_state blake;
38796 -+
38797 -+ blake2s(handshake_init_chaining_key, handshake_name, NULL,
38798 -+ NOISE_HASH_LEN, sizeof(handshake_name), 0);
38799 -+ blake2s_init(&blake, NOISE_HASH_LEN);
38800 -+ blake2s_update(&blake, handshake_init_chaining_key, NOISE_HASH_LEN);
38801 -+ blake2s_update(&blake, identifier_name, sizeof(identifier_name));
38802 -+ blake2s_final(&blake, handshake_init_hash);
38803 -+}
38804 -+
38805 -+/* Must hold peer->handshake.static_identity->lock */
38806 -+void wg_noise_precompute_static_static(struct wg_peer *peer)
38807 -+{
38808 -+ down_write(&peer->handshake.lock);
38809 -+ if (!peer->handshake.static_identity->has_identity ||
38810 -+ !curve25519(peer->handshake.precomputed_static_static,
38811 -+ peer->handshake.static_identity->static_private,
38812 -+ peer->handshake.remote_static))
38813 -+ memset(peer->handshake.precomputed_static_static, 0,
38814 -+ NOISE_PUBLIC_KEY_LEN);
38815 -+ up_write(&peer->handshake.lock);
38816 -+}
38817 -+
38818 -+void wg_noise_handshake_init(struct noise_handshake *handshake,
38819 -+ struct noise_static_identity *static_identity,
38820 -+ const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
38821 -+ const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
38822 -+ struct wg_peer *peer)
38823 -+{
38824 -+ memset(handshake, 0, sizeof(*handshake));
38825 -+ init_rwsem(&handshake->lock);
38826 -+ handshake->entry.type = INDEX_HASHTABLE_HANDSHAKE;
38827 -+ handshake->entry.peer = peer;
38828 -+ memcpy(handshake->remote_static, peer_public_key, NOISE_PUBLIC_KEY_LEN);
38829 -+ if (peer_preshared_key)
38830 -+ memcpy(handshake->preshared_key, peer_preshared_key,
38831 -+ NOISE_SYMMETRIC_KEY_LEN);
38832 -+ handshake->static_identity = static_identity;
38833 -+ handshake->state = HANDSHAKE_ZEROED;
38834 -+ wg_noise_precompute_static_static(peer);
38835 -+}
38836 -+
38837 -+static void handshake_zero(struct noise_handshake *handshake)
38838 -+{
38839 -+ memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
38840 -+ memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
38841 -+ memset(&handshake->hash, 0, NOISE_HASH_LEN);
38842 -+ memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
38843 -+ handshake->remote_index = 0;
38844 -+ handshake->state = HANDSHAKE_ZEROED;
38845 -+}
38846 -+
38847 -+void wg_noise_handshake_clear(struct noise_handshake *handshake)
38848 -+{
38849 -+ down_write(&handshake->lock);
38850 -+ wg_index_hashtable_remove(
38851 -+ handshake->entry.peer->device->index_hashtable,
38852 -+ &handshake->entry);
38853 -+ handshake_zero(handshake);
38854 -+ up_write(&handshake->lock);
38855 -+}
38856 -+
38857 -+static struct noise_keypair *keypair_create(struct wg_peer *peer)
38858 -+{
38859 -+ struct noise_keypair *keypair = kzalloc(sizeof(*keypair), GFP_KERNEL);
38860 -+
38861 -+ if (unlikely(!keypair))
38862 -+ return NULL;
38863 -+ spin_lock_init(&keypair->receiving_counter.lock);
38864 -+ keypair->internal_id = atomic64_inc_return(&keypair_counter);
38865 -+ keypair->entry.type = INDEX_HASHTABLE_KEYPAIR;
38866 -+ keypair->entry.peer = peer;
38867 -+ kref_init(&keypair->refcount);
38868 -+ return keypair;
38869 -+}
38870 -+
38871 -+static void keypair_free_rcu(struct rcu_head *rcu)
38872 -+{
38873 -+ kzfree(container_of(rcu, struct noise_keypair, rcu));
38874 -+}
38875 -+
38876 -+static void keypair_free_kref(struct kref *kref)
38877 -+{
38878 -+ struct noise_keypair *keypair =
38879 -+ container_of(kref, struct noise_keypair, refcount);
38880 -+
38881 -+ net_dbg_ratelimited("%s: Keypair %llu destroyed for peer %llu\n",
38882 -+ keypair->entry.peer->device->dev->name,
38883 -+ keypair->internal_id,
38884 -+ keypair->entry.peer->internal_id);
38885 -+ wg_index_hashtable_remove(keypair->entry.peer->device->index_hashtable,
38886 -+ &keypair->entry);
38887 -+ call_rcu(&keypair->rcu, keypair_free_rcu);
38888 -+}
38889 -+
38890 -+void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now)
38891 -+{
38892 -+ if (unlikely(!keypair))
38893 -+ return;
38894 -+ if (unlikely(unreference_now))
38895 -+ wg_index_hashtable_remove(
38896 -+ keypair->entry.peer->device->index_hashtable,
38897 -+ &keypair->entry);
38898 -+ kref_put(&keypair->refcount, keypair_free_kref);
38899 -+}
38900 -+
38901 -+struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair)
38902 -+{
38903 -+ RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
38904 -+ "Taking noise keypair reference without holding the RCU BH read lock");
38905 -+ if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
38906 -+ return NULL;
38907 -+ return keypair;
38908 -+}
38909 -+
38910 -+void wg_noise_keypairs_clear(struct noise_keypairs *keypairs)
38911 -+{
38912 -+ struct noise_keypair *old;
38913 -+
38914 -+ spin_lock_bh(&keypairs->keypair_update_lock);
38915 -+
38916 -+ /* We zero the next_keypair before zeroing the others, so that
38917 -+ * wg_noise_received_with_keypair returns early before subsequent ones
38918 -+ * are zeroed.
38919 -+ */
38920 -+ old = rcu_dereference_protected(keypairs->next_keypair,
38921 -+ lockdep_is_held(&keypairs->keypair_update_lock));
38922 -+ RCU_INIT_POINTER(keypairs->next_keypair, NULL);
38923 -+ wg_noise_keypair_put(old, true);
38924 -+
38925 -+ old = rcu_dereference_protected(keypairs->previous_keypair,
38926 -+ lockdep_is_held(&keypairs->keypair_update_lock));
38927 -+ RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
38928 -+ wg_noise_keypair_put(old, true);
38929 -+
38930 -+ old = rcu_dereference_protected(keypairs->current_keypair,
38931 -+ lockdep_is_held(&keypairs->keypair_update_lock));
38932 -+ RCU_INIT_POINTER(keypairs->current_keypair, NULL);
38933 -+ wg_noise_keypair_put(old, true);
38934 -+
38935 -+ spin_unlock_bh(&keypairs->keypair_update_lock);
38936 -+}
38937 -+
38938 -+void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer)
38939 -+{
38940 -+ struct noise_keypair *keypair;
38941 -+
38942 -+ wg_noise_handshake_clear(&peer->handshake);
38943 -+ wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
38944 -+
38945 -+ spin_lock_bh(&peer->keypairs.keypair_update_lock);
38946 -+ keypair = rcu_dereference_protected(peer->keypairs.next_keypair,
38947 -+ lockdep_is_held(&peer->keypairs.keypair_update_lock));
38948 -+ if (keypair)
38949 -+ keypair->sending.is_valid = false;
38950 -+ keypair = rcu_dereference_protected(peer->keypairs.current_keypair,
38951 -+ lockdep_is_held(&peer->keypairs.keypair_update_lock));
38952 -+ if (keypair)
38953 -+ keypair->sending.is_valid = false;
38954 -+ spin_unlock_bh(&peer->keypairs.keypair_update_lock);
38955 -+}
38956 -+
38957 -+static void add_new_keypair(struct noise_keypairs *keypairs,
38958 -+ struct noise_keypair *new_keypair)
38959 -+{
38960 -+ struct noise_keypair *previous_keypair, *next_keypair, *current_keypair;
38961 -+
38962 -+ spin_lock_bh(&keypairs->keypair_update_lock);
38963 -+ previous_keypair = rcu_dereference_protected(keypairs->previous_keypair,
38964 -+ lockdep_is_held(&keypairs->keypair_update_lock));
38965 -+ next_keypair = rcu_dereference_protected(keypairs->next_keypair,
38966 -+ lockdep_is_held(&keypairs->keypair_update_lock));
38967 -+ current_keypair = rcu_dereference_protected(keypairs->current_keypair,
38968 -+ lockdep_is_held(&keypairs->keypair_update_lock));
38969 -+ if (new_keypair->i_am_the_initiator) {
38970 -+ /* If we're the initiator, it means we've sent a handshake, and
38971 -+ * received a confirmation response, which means this new
38972 -+ * keypair can now be used.
38973 -+ */
38974 -+ if (next_keypair) {
38975 -+ /* If there already was a next keypair pending, we
38976 -+ * demote it to be the previous keypair, and free the
38977 -+ * existing current. Note that this means KCI can result
38978 -+ * in this transition. It would perhaps be more sound to
38979 -+ * always just get rid of the unused next keypair
38980 -+ * instead of putting it in the previous slot, but this
38981 -+ * might be a bit less robust. Something to think about
38982 -+ * for the future.
38983 -+ */
38984 -+ RCU_INIT_POINTER(keypairs->next_keypair, NULL);
38985 -+ rcu_assign_pointer(keypairs->previous_keypair,
38986 -+ next_keypair);
38987 -+ wg_noise_keypair_put(current_keypair, true);
38988 -+ } else /* If there wasn't an existing next keypair, we replace
38989 -+ * the previous with the current one.
38990 -+ */
38991 -+ rcu_assign_pointer(keypairs->previous_keypair,
38992 -+ current_keypair);
38993 -+ /* At this point we can get rid of the old previous keypair, and
38994 -+ * set up the new keypair.
38995 -+ */
38996 -+ wg_noise_keypair_put(previous_keypair, true);
38997 -+ rcu_assign_pointer(keypairs->current_keypair, new_keypair);
38998 -+ } else {
38999 -+ /* If we're the responder, it means we can't use the new keypair
39000 -+ * until we receive confirmation via the first data packet, so
39001 -+ * we get rid of the existing previous one, the possibly
39002 -+ * existing next one, and slide in the new next one.
39003 -+ */
39004 -+ rcu_assign_pointer(keypairs->next_keypair, new_keypair);
39005 -+ wg_noise_keypair_put(next_keypair, true);
39006 -+ RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
39007 -+ wg_noise_keypair_put(previous_keypair, true);
39008 -+ }
39009 -+ spin_unlock_bh(&keypairs->keypair_update_lock);
39010 -+}
39011 -+
39012 -+bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
39013 -+ struct noise_keypair *received_keypair)
39014 -+{
39015 -+ struct noise_keypair *old_keypair;
39016 -+ bool key_is_new;
39017 -+
39018 -+ /* We first check without taking the spinlock. */
39019 -+ key_is_new = received_keypair ==
39020 -+ rcu_access_pointer(keypairs->next_keypair);
39021 -+ if (likely(!key_is_new))
39022 -+ return false;
39023 -+
39024 -+ spin_lock_bh(&keypairs->keypair_update_lock);
39025 -+ /* After locking, we double check that things didn't change from
39026 -+ * beneath us.
39027 -+ */
39028 -+ if (unlikely(received_keypair !=
39029 -+ rcu_dereference_protected(keypairs->next_keypair,
39030 -+ lockdep_is_held(&keypairs->keypair_update_lock)))) {
39031 -+ spin_unlock_bh(&keypairs->keypair_update_lock);
39032 -+ return false;
39033 -+ }
39034 -+
39035 -+ /* When we've finally received the confirmation, we slide the next
39036 -+ * into the current, the current into the previous, and get rid of
39037 -+ * the old previous.
39038 -+ */
39039 -+ old_keypair = rcu_dereference_protected(keypairs->previous_keypair,
39040 -+ lockdep_is_held(&keypairs->keypair_update_lock));
39041 -+ rcu_assign_pointer(keypairs->previous_keypair,
39042 -+ rcu_dereference_protected(keypairs->current_keypair,
39043 -+ lockdep_is_held(&keypairs->keypair_update_lock)));
39044 -+ wg_noise_keypair_put(old_keypair, true);
39045 -+ rcu_assign_pointer(keypairs->current_keypair, received_keypair);
39046 -+ RCU_INIT_POINTER(keypairs->next_keypair, NULL);
39047 -+
39048 -+ spin_unlock_bh(&keypairs->keypair_update_lock);
39049 -+ return true;
39050 -+}
39051 -+
39052 -+/* Must hold static_identity->lock */
39053 -+void wg_noise_set_static_identity_private_key(
39054 -+ struct noise_static_identity *static_identity,
39055 -+ const u8 private_key[NOISE_PUBLIC_KEY_LEN])
39056 -+{
39057 -+ memcpy(static_identity->static_private, private_key,
39058 -+ NOISE_PUBLIC_KEY_LEN);
39059 -+ curve25519_clamp_secret(static_identity->static_private);
39060 -+ static_identity->has_identity = curve25519_generate_public(
39061 -+ static_identity->static_public, private_key);
39062 -+}
39063 -+
39064 -+/* This is Hugo Krawczyk's HKDF:
39065 -+ * - https://eprint.iacr.org/2010/264.pdf
39066 -+ * - https://tools.ietf.org/html/rfc5869
39067 -+ */
39068 -+static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
39069 -+ size_t first_len, size_t second_len, size_t third_len,
39070 -+ size_t data_len, const u8 chaining_key[NOISE_HASH_LEN])
39071 -+{
39072 -+ u8 output[BLAKE2S_HASH_SIZE + 1];
39073 -+ u8 secret[BLAKE2S_HASH_SIZE];
39074 -+
39075 -+ WARN_ON(IS_ENABLED(DEBUG) &&
39076 -+ (first_len > BLAKE2S_HASH_SIZE ||
39077 -+ second_len > BLAKE2S_HASH_SIZE ||
39078 -+ third_len > BLAKE2S_HASH_SIZE ||
39079 -+ ((second_len || second_dst || third_len || third_dst) &&
39080 -+ (!first_len || !first_dst)) ||
39081 -+ ((third_len || third_dst) && (!second_len || !second_dst))));
39082 -+
39083 -+ /* Extract entropy from data into secret */
39084 -+ blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
39085 -+
39086 -+ if (!first_dst || !first_len)
39087 -+ goto out;
39088 -+
39089 -+ /* Expand first key: key = secret, data = 0x1 */
39090 -+ output[0] = 1;
39091 -+ blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
39092 -+ memcpy(first_dst, output, first_len);
39093 -+
39094 -+ if (!second_dst || !second_len)
39095 -+ goto out;
39096 -+
39097 -+ /* Expand second key: key = secret, data = first-key || 0x2 */
39098 -+ output[BLAKE2S_HASH_SIZE] = 2;
39099 -+ blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
39100 -+ BLAKE2S_HASH_SIZE);
39101 -+ memcpy(second_dst, output, second_len);
39102 -+
39103 -+ if (!third_dst || !third_len)
39104 -+ goto out;
39105 -+
39106 -+ /* Expand third key: key = secret, data = second-key || 0x3 */
39107 -+ output[BLAKE2S_HASH_SIZE] = 3;
39108 -+ blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
39109 -+ BLAKE2S_HASH_SIZE);
39110 -+ memcpy(third_dst, output, third_len);
39111 -+
39112 -+out:
39113 -+ /* Clear sensitive data from stack */
39114 -+ memzero_explicit(secret, BLAKE2S_HASH_SIZE);
39115 -+ memzero_explicit(output, BLAKE2S_HASH_SIZE + 1);
39116 -+}
39117 -+
39118 -+static void derive_keys(struct noise_symmetric_key *first_dst,
39119 -+ struct noise_symmetric_key *second_dst,
39120 -+ const u8 chaining_key[NOISE_HASH_LEN])
39121 -+{
39122 -+ u64 birthdate = ktime_get_coarse_boottime_ns();
39123 -+ kdf(first_dst->key, second_dst->key, NULL, NULL,
39124 -+ NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
39125 -+ chaining_key);
39126 -+ first_dst->birthdate = second_dst->birthdate = birthdate;
39127 -+ first_dst->is_valid = second_dst->is_valid = true;
39128 -+}
39129 -+
39130 -+static bool __must_check mix_dh(u8 chaining_key[NOISE_HASH_LEN],
39131 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN],
39132 -+ const u8 private[NOISE_PUBLIC_KEY_LEN],
39133 -+ const u8 public[NOISE_PUBLIC_KEY_LEN])
39134 -+{
39135 -+ u8 dh_calculation[NOISE_PUBLIC_KEY_LEN];
39136 -+
39137 -+ if (unlikely(!curve25519(dh_calculation, private, public)))
39138 -+ return false;
39139 -+ kdf(chaining_key, key, NULL, dh_calculation, NOISE_HASH_LEN,
39140 -+ NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
39141 -+ memzero_explicit(dh_calculation, NOISE_PUBLIC_KEY_LEN);
39142 -+ return true;
39143 -+}
39144 -+
39145 -+static bool __must_check mix_precomputed_dh(u8 chaining_key[NOISE_HASH_LEN],
39146 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN],
39147 -+ const u8 precomputed[NOISE_PUBLIC_KEY_LEN])
39148 -+{
39149 -+ static u8 zero_point[NOISE_PUBLIC_KEY_LEN];
39150 -+ if (unlikely(!crypto_memneq(precomputed, zero_point, NOISE_PUBLIC_KEY_LEN)))
39151 -+ return false;
39152 -+ kdf(chaining_key, key, NULL, precomputed, NOISE_HASH_LEN,
39153 -+ NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
39154 -+ chaining_key);
39155 -+ return true;
39156 -+}
39157 -+
39158 -+static void mix_hash(u8 hash[NOISE_HASH_LEN], const u8 *src, size_t src_len)
39159 -+{
39160 -+ struct blake2s_state blake;
39161 -+
39162 -+ blake2s_init(&blake, NOISE_HASH_LEN);
39163 -+ blake2s_update(&blake, hash, NOISE_HASH_LEN);
39164 -+ blake2s_update(&blake, src, src_len);
39165 -+ blake2s_final(&blake, hash);
39166 -+}
39167 -+
39168 -+static void mix_psk(u8 chaining_key[NOISE_HASH_LEN], u8 hash[NOISE_HASH_LEN],
39169 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN],
39170 -+ const u8 psk[NOISE_SYMMETRIC_KEY_LEN])
39171 -+{
39172 -+ u8 temp_hash[NOISE_HASH_LEN];
39173 -+
39174 -+ kdf(chaining_key, temp_hash, key, psk, NOISE_HASH_LEN, NOISE_HASH_LEN,
39175 -+ NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, chaining_key);
39176 -+ mix_hash(hash, temp_hash, NOISE_HASH_LEN);
39177 -+ memzero_explicit(temp_hash, NOISE_HASH_LEN);
39178 -+}
39179 -+
39180 -+static void handshake_init(u8 chaining_key[NOISE_HASH_LEN],
39181 -+ u8 hash[NOISE_HASH_LEN],
39182 -+ const u8 remote_static[NOISE_PUBLIC_KEY_LEN])
39183 -+{
39184 -+ memcpy(hash, handshake_init_hash, NOISE_HASH_LEN);
39185 -+ memcpy(chaining_key, handshake_init_chaining_key, NOISE_HASH_LEN);
39186 -+ mix_hash(hash, remote_static, NOISE_PUBLIC_KEY_LEN);
39187 -+}
39188 -+
39189 -+static void message_encrypt(u8 *dst_ciphertext, const u8 *src_plaintext,
39190 -+ size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
39191 -+ u8 hash[NOISE_HASH_LEN])
39192 -+{
39193 -+ chacha20poly1305_encrypt(dst_ciphertext, src_plaintext, src_len, hash,
39194 -+ NOISE_HASH_LEN,
39195 -+ 0 /* Always zero for Noise_IK */, key);
39196 -+ mix_hash(hash, dst_ciphertext, noise_encrypted_len(src_len));
39197 -+}
39198 -+
39199 -+static bool message_decrypt(u8 *dst_plaintext, const u8 *src_ciphertext,
39200 -+ size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
39201 -+ u8 hash[NOISE_HASH_LEN])
39202 -+{
39203 -+ if (!chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
39204 -+ hash, NOISE_HASH_LEN,
39205 -+ 0 /* Always zero for Noise_IK */, key))
39206 -+ return false;
39207 -+ mix_hash(hash, src_ciphertext, src_len);
39208 -+ return true;
39209 -+}
39210 -+
39211 -+static void message_ephemeral(u8 ephemeral_dst[NOISE_PUBLIC_KEY_LEN],
39212 -+ const u8 ephemeral_src[NOISE_PUBLIC_KEY_LEN],
39213 -+ u8 chaining_key[NOISE_HASH_LEN],
39214 -+ u8 hash[NOISE_HASH_LEN])
39215 -+{
39216 -+ if (ephemeral_dst != ephemeral_src)
39217 -+ memcpy(ephemeral_dst, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
39218 -+ mix_hash(hash, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
39219 -+ kdf(chaining_key, NULL, NULL, ephemeral_src, NOISE_HASH_LEN, 0, 0,
39220 -+ NOISE_PUBLIC_KEY_LEN, chaining_key);
39221 -+}
39222 -+
39223 -+static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
39224 -+{
39225 -+ struct timespec64 now;
39226 -+
39227 -+ ktime_get_real_ts64(&now);
39228 -+
39229 -+ /* In order to prevent some sort of infoleak from precise timers, we
39230 -+ * round down the nanoseconds part to the closest rounded-down power of
39231 -+ * two to the maximum initiations per second allowed anyway by the
39232 -+ * implementation.
39233 -+ */
39234 -+ now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
39235 -+ rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
39236 -+
39237 -+ /* https://cr.yp.to/libtai/tai64.html */
39238 -+ *(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
39239 -+ *(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);
39240 -+}
39241 -+
39242 -+bool
39243 -+wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
39244 -+ struct noise_handshake *handshake)
39245 -+{
39246 -+ u8 timestamp[NOISE_TIMESTAMP_LEN];
39247 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39248 -+ bool ret = false;
39249 -+
39250 -+ /* We need to wait for crng _before_ taking any locks, since
39251 -+ * curve25519_generate_secret uses get_random_bytes_wait.
39252 -+ */
39253 -+ wait_for_random_bytes();
39254 -+
39255 -+ down_read(&handshake->static_identity->lock);
39256 -+ down_write(&handshake->lock);
39257 -+
39258 -+ if (unlikely(!handshake->static_identity->has_identity))
39259 -+ goto out;
39260 -+
39261 -+ dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
39262 -+
39263 -+ handshake_init(handshake->chaining_key, handshake->hash,
39264 -+ handshake->remote_static);
39265 -+
39266 -+ /* e */
39267 -+ curve25519_generate_secret(handshake->ephemeral_private);
39268 -+ if (!curve25519_generate_public(dst->unencrypted_ephemeral,
39269 -+ handshake->ephemeral_private))
39270 -+ goto out;
39271 -+ message_ephemeral(dst->unencrypted_ephemeral,
39272 -+ dst->unencrypted_ephemeral, handshake->chaining_key,
39273 -+ handshake->hash);
39274 -+
39275 -+ /* es */
39276 -+ if (!mix_dh(handshake->chaining_key, key, handshake->ephemeral_private,
39277 -+ handshake->remote_static))
39278 -+ goto out;
39279 -+
39280 -+ /* s */
39281 -+ message_encrypt(dst->encrypted_static,
39282 -+ handshake->static_identity->static_public,
39283 -+ NOISE_PUBLIC_KEY_LEN, key, handshake->hash);
39284 -+
39285 -+ /* ss */
39286 -+ if (!mix_precomputed_dh(handshake->chaining_key, key,
39287 -+ handshake->precomputed_static_static))
39288 -+ goto out;
39289 -+
39290 -+ /* {t} */
39291 -+ tai64n_now(timestamp);
39292 -+ message_encrypt(dst->encrypted_timestamp, timestamp,
39293 -+ NOISE_TIMESTAMP_LEN, key, handshake->hash);
39294 -+
39295 -+ dst->sender_index = wg_index_hashtable_insert(
39296 -+ handshake->entry.peer->device->index_hashtable,
39297 -+ &handshake->entry);
39298 -+
39299 -+ handshake->state = HANDSHAKE_CREATED_INITIATION;
39300 -+ ret = true;
39301 -+
39302 -+out:
39303 -+ up_write(&handshake->lock);
39304 -+ up_read(&handshake->static_identity->lock);
39305 -+ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39306 -+ return ret;
39307 -+}
39308 -+
39309 -+struct wg_peer *
39310 -+wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
39311 -+ struct wg_device *wg)
39312 -+{
39313 -+ struct wg_peer *peer = NULL, *ret_peer = NULL;
39314 -+ struct noise_handshake *handshake;
39315 -+ bool replay_attack, flood_attack;
39316 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39317 -+ u8 chaining_key[NOISE_HASH_LEN];
39318 -+ u8 hash[NOISE_HASH_LEN];
39319 -+ u8 s[NOISE_PUBLIC_KEY_LEN];
39320 -+ u8 e[NOISE_PUBLIC_KEY_LEN];
39321 -+ u8 t[NOISE_TIMESTAMP_LEN];
39322 -+ u64 initiation_consumption;
39323 -+
39324 -+ down_read(&wg->static_identity.lock);
39325 -+ if (unlikely(!wg->static_identity.has_identity))
39326 -+ goto out;
39327 -+
39328 -+ handshake_init(chaining_key, hash, wg->static_identity.static_public);
39329 -+
39330 -+ /* e */
39331 -+ message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
39332 -+
39333 -+ /* es */
39334 -+ if (!mix_dh(chaining_key, key, wg->static_identity.static_private, e))
39335 -+ goto out;
39336 -+
39337 -+ /* s */
39338 -+ if (!message_decrypt(s, src->encrypted_static,
39339 -+ sizeof(src->encrypted_static), key, hash))
39340 -+ goto out;
39341 -+
39342 -+ /* Lookup which peer we're actually talking to */
39343 -+ peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable, s);
39344 -+ if (!peer)
39345 -+ goto out;
39346 -+ handshake = &peer->handshake;
39347 -+
39348 -+ /* ss */
39349 -+ if (!mix_precomputed_dh(chaining_key, key,
39350 -+ handshake->precomputed_static_static))
39351 -+ goto out;
39352 -+
39353 -+ /* {t} */
39354 -+ if (!message_decrypt(t, src->encrypted_timestamp,
39355 -+ sizeof(src->encrypted_timestamp), key, hash))
39356 -+ goto out;
39357 -+
39358 -+ down_read(&handshake->lock);
39359 -+ replay_attack = memcmp(t, handshake->latest_timestamp,
39360 -+ NOISE_TIMESTAMP_LEN) <= 0;
39361 -+ flood_attack = (s64)handshake->last_initiation_consumption +
39362 -+ NSEC_PER_SEC / INITIATIONS_PER_SECOND >
39363 -+ (s64)ktime_get_coarse_boottime_ns();
39364 -+ up_read(&handshake->lock);
39365 -+ if (replay_attack || flood_attack)
39366 -+ goto out;
39367 -+
39368 -+ /* Success! Copy everything to peer */
39369 -+ down_write(&handshake->lock);
39370 -+ memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
39371 -+ if (memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) > 0)
39372 -+ memcpy(handshake->latest_timestamp, t, NOISE_TIMESTAMP_LEN);
39373 -+ memcpy(handshake->hash, hash, NOISE_HASH_LEN);
39374 -+ memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
39375 -+ handshake->remote_index = src->sender_index;
39376 -+ initiation_consumption = ktime_get_coarse_boottime_ns();
39377 -+ if ((s64)(handshake->last_initiation_consumption - initiation_consumption) < 0)
39378 -+ handshake->last_initiation_consumption = initiation_consumption;
39379 -+ handshake->state = HANDSHAKE_CONSUMED_INITIATION;
39380 -+ up_write(&handshake->lock);
39381 -+ ret_peer = peer;
39382 -+
39383 -+out:
39384 -+ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39385 -+ memzero_explicit(hash, NOISE_HASH_LEN);
39386 -+ memzero_explicit(chaining_key, NOISE_HASH_LEN);
39387 -+ up_read(&wg->static_identity.lock);
39388 -+ if (!ret_peer)
39389 -+ wg_peer_put(peer);
39390 -+ return ret_peer;
39391 -+}
39392 -+
39393 -+bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
39394 -+ struct noise_handshake *handshake)
39395 -+{
39396 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39397 -+ bool ret = false;
39398 -+
39399 -+ /* We need to wait for crng _before_ taking any locks, since
39400 -+ * curve25519_generate_secret uses get_random_bytes_wait.
39401 -+ */
39402 -+ wait_for_random_bytes();
39403 -+
39404 -+ down_read(&handshake->static_identity->lock);
39405 -+ down_write(&handshake->lock);
39406 -+
39407 -+ if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
39408 -+ goto out;
39409 -+
39410 -+ dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
39411 -+ dst->receiver_index = handshake->remote_index;
39412 -+
39413 -+ /* e */
39414 -+ curve25519_generate_secret(handshake->ephemeral_private);
39415 -+ if (!curve25519_generate_public(dst->unencrypted_ephemeral,
39416 -+ handshake->ephemeral_private))
39417 -+ goto out;
39418 -+ message_ephemeral(dst->unencrypted_ephemeral,
39419 -+ dst->unencrypted_ephemeral, handshake->chaining_key,
39420 -+ handshake->hash);
39421 -+
39422 -+ /* ee */
39423 -+ if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
39424 -+ handshake->remote_ephemeral))
39425 -+ goto out;
39426 -+
39427 -+ /* se */
39428 -+ if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
39429 -+ handshake->remote_static))
39430 -+ goto out;
39431 -+
39432 -+ /* psk */
39433 -+ mix_psk(handshake->chaining_key, handshake->hash, key,
39434 -+ handshake->preshared_key);
39435 -+
39436 -+ /* {} */
39437 -+ message_encrypt(dst->encrypted_nothing, NULL, 0, key, handshake->hash);
39438 -+
39439 -+ dst->sender_index = wg_index_hashtable_insert(
39440 -+ handshake->entry.peer->device->index_hashtable,
39441 -+ &handshake->entry);
39442 -+
39443 -+ handshake->state = HANDSHAKE_CREATED_RESPONSE;
39444 -+ ret = true;
39445 -+
39446 -+out:
39447 -+ up_write(&handshake->lock);
39448 -+ up_read(&handshake->static_identity->lock);
39449 -+ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39450 -+ return ret;
39451 -+}
39452 -+
39453 -+struct wg_peer *
39454 -+wg_noise_handshake_consume_response(struct message_handshake_response *src,
39455 -+ struct wg_device *wg)
39456 -+{
39457 -+ enum noise_handshake_state state = HANDSHAKE_ZEROED;
39458 -+ struct wg_peer *peer = NULL, *ret_peer = NULL;
39459 -+ struct noise_handshake *handshake;
39460 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39461 -+ u8 hash[NOISE_HASH_LEN];
39462 -+ u8 chaining_key[NOISE_HASH_LEN];
39463 -+ u8 e[NOISE_PUBLIC_KEY_LEN];
39464 -+ u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
39465 -+ u8 static_private[NOISE_PUBLIC_KEY_LEN];
39466 -+ u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
39467 -+
39468 -+ down_read(&wg->static_identity.lock);
39469 -+
39470 -+ if (unlikely(!wg->static_identity.has_identity))
39471 -+ goto out;
39472 -+
39473 -+ handshake = (struct noise_handshake *)wg_index_hashtable_lookup(
39474 -+ wg->index_hashtable, INDEX_HASHTABLE_HANDSHAKE,
39475 -+ src->receiver_index, &peer);
39476 -+ if (unlikely(!handshake))
39477 -+ goto out;
39478 -+
39479 -+ down_read(&handshake->lock);
39480 -+ state = handshake->state;
39481 -+ memcpy(hash, handshake->hash, NOISE_HASH_LEN);
39482 -+ memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
39483 -+ memcpy(ephemeral_private, handshake->ephemeral_private,
39484 -+ NOISE_PUBLIC_KEY_LEN);
39485 -+ memcpy(preshared_key, handshake->preshared_key,
39486 -+ NOISE_SYMMETRIC_KEY_LEN);
39487 -+ up_read(&handshake->lock);
39488 -+
39489 -+ if (state != HANDSHAKE_CREATED_INITIATION)
39490 -+ goto fail;
39491 -+
39492 -+ /* e */
39493 -+ message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
39494 -+
39495 -+ /* ee */
39496 -+ if (!mix_dh(chaining_key, NULL, ephemeral_private, e))
39497 -+ goto fail;
39498 -+
39499 -+ /* se */
39500 -+ if (!mix_dh(chaining_key, NULL, wg->static_identity.static_private, e))
39501 -+ goto fail;
39502 -+
39503 -+ /* psk */
39504 -+ mix_psk(chaining_key, hash, key, preshared_key);
39505 -+
39506 -+ /* {} */
39507 -+ if (!message_decrypt(NULL, src->encrypted_nothing,
39508 -+ sizeof(src->encrypted_nothing), key, hash))
39509 -+ goto fail;
39510 -+
39511 -+ /* Success! Copy everything to peer */
39512 -+ down_write(&handshake->lock);
39513 -+ /* It's important to check that the state is still the same, while we
39514 -+ * have an exclusive lock.
39515 -+ */
39516 -+ if (handshake->state != state) {
39517 -+ up_write(&handshake->lock);
39518 -+ goto fail;
39519 -+ }
39520 -+ memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
39521 -+ memcpy(handshake->hash, hash, NOISE_HASH_LEN);
39522 -+ memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
39523 -+ handshake->remote_index = src->sender_index;
39524 -+ handshake->state = HANDSHAKE_CONSUMED_RESPONSE;
39525 -+ up_write(&handshake->lock);
39526 -+ ret_peer = peer;
39527 -+ goto out;
39528 -+
39529 -+fail:
39530 -+ wg_peer_put(peer);
39531 -+out:
39532 -+ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39533 -+ memzero_explicit(hash, NOISE_HASH_LEN);
39534 -+ memzero_explicit(chaining_key, NOISE_HASH_LEN);
39535 -+ memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
39536 -+ memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
39537 -+ memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
39538 -+ up_read(&wg->static_identity.lock);
39539 -+ return ret_peer;
39540 -+}
39541 -+
39542 -+bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
39543 -+ struct noise_keypairs *keypairs)
39544 -+{
39545 -+ struct noise_keypair *new_keypair;
39546 -+ bool ret = false;
39547 -+
39548 -+ down_write(&handshake->lock);
39549 -+ if (handshake->state != HANDSHAKE_CREATED_RESPONSE &&
39550 -+ handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
39551 -+ goto out;
39552 -+
39553 -+ new_keypair = keypair_create(handshake->entry.peer);
39554 -+ if (!new_keypair)
39555 -+ goto out;
39556 -+ new_keypair->i_am_the_initiator = handshake->state ==
39557 -+ HANDSHAKE_CONSUMED_RESPONSE;
39558 -+ new_keypair->remote_index = handshake->remote_index;
39559 -+
39560 -+ if (new_keypair->i_am_the_initiator)
39561 -+ derive_keys(&new_keypair->sending, &new_keypair->receiving,
39562 -+ handshake->chaining_key);
39563 -+ else
39564 -+ derive_keys(&new_keypair->receiving, &new_keypair->sending,
39565 -+ handshake->chaining_key);
39566 -+
39567 -+ handshake_zero(handshake);
39568 -+ rcu_read_lock_bh();
39569 -+ if (likely(!READ_ONCE(container_of(handshake, struct wg_peer,
39570 -+ handshake)->is_dead))) {
39571 -+ add_new_keypair(keypairs, new_keypair);
39572 -+ net_dbg_ratelimited("%s: Keypair %llu created for peer %llu\n",
39573 -+ handshake->entry.peer->device->dev->name,
39574 -+ new_keypair->internal_id,
39575 -+ handshake->entry.peer->internal_id);
39576 -+ ret = wg_index_hashtable_replace(
39577 -+ handshake->entry.peer->device->index_hashtable,
39578 -+ &handshake->entry, &new_keypair->entry);
39579 -+ } else {
39580 -+ kzfree(new_keypair);
39581 -+ }
39582 -+ rcu_read_unlock_bh();
39583 -+
39584 -+out:
39585 -+ up_write(&handshake->lock);
39586 -+ return ret;
39587 -+}
39588 ---- b/drivers/net/wireguard/noise.h
39589 -+++ b/drivers/net/wireguard/noise.h
39590 -@@ -0,0 +1,135 @@
39591 -+/* SPDX-License-Identifier: GPL-2.0 */
39592 -+/*
39593 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
39594 -+ */
39595 -+#ifndef _WG_NOISE_H
39596 -+#define _WG_NOISE_H
39597 -+
39598 -+#include "messages.h"
39599 -+#include "peerlookup.h"
39600 -+
39601 -+#include <linux/types.h>
39602 -+#include <linux/spinlock.h>
39603 -+#include <linux/atomic.h>
39604 -+#include <linux/rwsem.h>
39605 -+#include <linux/mutex.h>
39606 -+#include <linux/kref.h>
39607 -+
39608 -+struct noise_replay_counter {
39609 -+ u64 counter;
39610 -+ spinlock_t lock;
39611 -+ unsigned long backtrack[COUNTER_BITS_TOTAL / BITS_PER_LONG];
39612 -+};
39613 -+
39614 -+struct noise_symmetric_key {
39615 -+ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39616 -+ u64 birthdate;
39617 -+ bool is_valid;
39618 -+};
39619 -+
39620 -+struct noise_keypair {
39621 -+ struct index_hashtable_entry entry;
39622 -+ struct noise_symmetric_key sending;
39623 -+ atomic64_t sending_counter;
39624 -+ struct noise_symmetric_key receiving;
39625 -+ struct noise_replay_counter receiving_counter;
39626 -+ __le32 remote_index;
39627 -+ bool i_am_the_initiator;
39628 -+ struct kref refcount;
39629 -+ struct rcu_head rcu;
39630 -+ u64 internal_id;
39631 -+};
39632 -+
39633 -+struct noise_keypairs {
39634 -+ struct noise_keypair __rcu *current_keypair;
39635 -+ struct noise_keypair __rcu *previous_keypair;
39636 -+ struct noise_keypair __rcu *next_keypair;
39637 -+ spinlock_t keypair_update_lock;
39638 -+};
39639 -+
39640 -+struct noise_static_identity {
39641 -+ u8 static_public[NOISE_PUBLIC_KEY_LEN];
39642 -+ u8 static_private[NOISE_PUBLIC_KEY_LEN];
39643 -+ struct rw_semaphore lock;
39644 -+ bool has_identity;
39645 -+};
39646 -+
39647 -+enum noise_handshake_state {
39648 -+ HANDSHAKE_ZEROED,
39649 -+ HANDSHAKE_CREATED_INITIATION,
39650 -+ HANDSHAKE_CONSUMED_INITIATION,
39651 -+ HANDSHAKE_CREATED_RESPONSE,
39652 -+ HANDSHAKE_CONSUMED_RESPONSE
39653 -+};
39654 -+
39655 -+struct noise_handshake {
39656 -+ struct index_hashtable_entry entry;
39657 -+
39658 -+ enum noise_handshake_state state;
39659 -+ u64 last_initiation_consumption;
39660 -+
39661 -+ struct noise_static_identity *static_identity;
39662 -+
39663 -+ u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
39664 -+ u8 remote_static[NOISE_PUBLIC_KEY_LEN];
39665 -+ u8 remote_ephemeral[NOISE_PUBLIC_KEY_LEN];
39666 -+ u8 precomputed_static_static[NOISE_PUBLIC_KEY_LEN];
39667 -+
39668 -+ u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
39669 -+
39670 -+ u8 hash[NOISE_HASH_LEN];
39671 -+ u8 chaining_key[NOISE_HASH_LEN];
39672 -+
39673 -+ u8 latest_timestamp[NOISE_TIMESTAMP_LEN];
39674 -+ __le32 remote_index;
39675 -+
39676 -+ /* Protects all members except the immutable (after noise_handshake_
39677 -+ * init): remote_static, precomputed_static_static, static_identity.
39678 -+ */
39679 -+ struct rw_semaphore lock;
39680 -+};
39681 -+
39682 -+struct wg_device;
39683 -+
39684 -+void wg_noise_init(void);
39685 -+void wg_noise_handshake_init(struct noise_handshake *handshake,
39686 -+ struct noise_static_identity *static_identity,
39687 -+ const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
39688 -+ const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
39689 -+ struct wg_peer *peer);
39690 -+void wg_noise_handshake_clear(struct noise_handshake *handshake);
39691 -+static inline void wg_noise_reset_last_sent_handshake(atomic64_t *handshake_ns)
39692 -+{
39693 -+ atomic64_set(handshake_ns, ktime_get_coarse_boottime_ns() -
39694 -+ (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
39695 -+}
39696 -+
39697 -+void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now);
39698 -+struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair);
39699 -+void wg_noise_keypairs_clear(struct noise_keypairs *keypairs);
39700 -+bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
39701 -+ struct noise_keypair *received_keypair);
39702 -+void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer);
39703 -+
39704 -+void wg_noise_set_static_identity_private_key(
39705 -+ struct noise_static_identity *static_identity,
39706 -+ const u8 private_key[NOISE_PUBLIC_KEY_LEN]);
39707 -+void wg_noise_precompute_static_static(struct wg_peer *peer);
39708 -+
39709 -+bool
39710 -+wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
39711 -+ struct noise_handshake *handshake);
39712 -+struct wg_peer *
39713 -+wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
39714 -+ struct wg_device *wg);
39715 -+
39716 -+bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
39717 -+ struct noise_handshake *handshake);
39718 -+struct wg_peer *
39719 -+wg_noise_handshake_consume_response(struct message_handshake_response *src,
39720 -+ struct wg_device *wg);
39721 -+
39722 -+bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
39723 -+ struct noise_keypairs *keypairs);
39724 -+
39725 -+#endif /* _WG_NOISE_H */
39726 ---- b/drivers/net/wireguard/peer.c
39727 -+++ b/drivers/net/wireguard/peer.c
39728 -@@ -0,0 +1,237 @@
39729 -+// SPDX-License-Identifier: GPL-2.0
39730 -+/*
39731 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
39732 -+ */
39733 -+
39734 -+#include "peer.h"
39735 -+#include "device.h"
39736 -+#include "queueing.h"
39737 -+#include "timers.h"
39738 -+#include "peerlookup.h"
39739 -+#include "noise.h"
39740 -+
39741 -+#include <linux/kref.h>
39742 -+#include <linux/lockdep.h>
39743 -+#include <linux/rcupdate.h>
39744 -+#include <linux/list.h>
39745 -+
39746 -+static atomic64_t peer_counter = ATOMIC64_INIT(0);
39747 -+
39748 -+struct wg_peer *wg_peer_create(struct wg_device *wg,
39749 -+ const u8 public_key[NOISE_PUBLIC_KEY_LEN],
39750 -+ const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN])
39751 -+{
39752 -+ struct wg_peer *peer;
39753 -+ int ret = -ENOMEM;
39754 -+
39755 -+ lockdep_assert_held(&wg->device_update_lock);
39756 -+
39757 -+ if (wg->num_peers >= MAX_PEERS_PER_DEVICE)
39758 -+ return ERR_PTR(ret);
39759 -+
39760 -+ peer = kzalloc(sizeof(*peer), GFP_KERNEL);
39761 -+ if (unlikely(!peer))
39762 -+ return ERR_PTR(ret);
39763 -+ peer->device = wg;
39764 -+
39765 -+ wg_noise_handshake_init(&peer->handshake, &wg->static_identity,
39766 -+ public_key, preshared_key, peer);
39767 -+ if (dst_cache_init(&peer->endpoint_cache, GFP_KERNEL))
39768 -+ goto err_1;
39769 -+ if (wg_packet_queue_init(&peer->tx_queue, wg_packet_tx_worker, false,
39770 -+ MAX_QUEUED_PACKETS))
39771 -+ goto err_2;
39772 -+ if (wg_packet_queue_init(&peer->rx_queue, NULL, false,
39773 -+ MAX_QUEUED_PACKETS))
39774 -+ goto err_3;
39775 -+
39776 -+ peer->internal_id = atomic64_inc_return(&peer_counter);
39777 -+ peer->serial_work_cpu = nr_cpumask_bits;
39778 -+ wg_cookie_init(&peer->latest_cookie);
39779 -+ wg_timers_init(peer);
39780 -+ wg_cookie_checker_precompute_peer_keys(peer);
39781 -+ spin_lock_init(&peer->keypairs.keypair_update_lock);
39782 -+ INIT_WORK(&peer->transmit_handshake_work,
39783 -+ wg_packet_handshake_send_worker);
39784 -+ rwlock_init(&peer->endpoint_lock);
39785 -+ kref_init(&peer->refcount);
39786 -+ skb_queue_head_init(&peer->staged_packet_queue);
39787 -+ wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
39788 -+ set_bit(NAPI_STATE_NO_BUSY_POLL, &peer->napi.state);
39789 -+ netif_napi_add(wg->dev, &peer->napi, wg_packet_rx_poll,
39790 -+ NAPI_POLL_WEIGHT);
39791 -+ napi_enable(&peer->napi);
39792 -+ list_add_tail(&peer->peer_list, &wg->peer_list);
39793 -+ INIT_LIST_HEAD(&peer->allowedips_list);
39794 -+ wg_pubkey_hashtable_add(wg->peer_hashtable, peer);
39795 -+ ++wg->num_peers;
39796 -+ pr_debug("%s: Peer %llu created\n", wg->dev->name, peer->internal_id);
39797 -+ return peer;
39798 -+
39799 -+err_3:
39800 -+ wg_packet_queue_free(&peer->tx_queue, false);
39801 -+err_2:
39802 -+ dst_cache_destroy(&peer->endpoint_cache);
39803 -+err_1:
39804 -+ kfree(peer);
39805 -+ return ERR_PTR(ret);
39806 -+}
39807 -+
39808 -+struct wg_peer *wg_peer_get_maybe_zero(struct wg_peer *peer)
39809 -+{
39810 -+ RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
39811 -+ "Taking peer reference without holding the RCU read lock");
39812 -+ if (unlikely(!peer || !kref_get_unless_zero(&peer->refcount)))
39813 -+ return NULL;
39814 -+ return peer;
39815 -+}
39816 -+
39817 -+static void peer_make_dead(struct wg_peer *peer)
39818 -+{
39819 -+ /* Remove from configuration-time lookup structures. */
39820 -+ list_del_init(&peer->peer_list);
39821 -+ wg_allowedips_remove_by_peer(&peer->device->peer_allowedips, peer,
39822 -+ &peer->device->device_update_lock);
39823 -+ wg_pubkey_hashtable_remove(peer->device->peer_hashtable, peer);
39824 -+
39825 -+ /* Mark as dead, so that we don't allow jumping contexts after. */
39826 -+ WRITE_ONCE(peer->is_dead, true);
39827 -+
39828 -+ /* The caller must now synchronize_rcu() for this to take effect. */
39829 -+}
39830 -+
39831 -+static void peer_remove_after_dead(struct wg_peer *peer)
39832 -+{
39833 -+ WARN_ON(!peer->is_dead);
39834 -+
39835 -+ /* No more keypairs can be created for this peer, since is_dead protects
39836 -+ * add_new_keypair, so we can now destroy existing ones.
39837 -+ */
39838 -+ wg_noise_keypairs_clear(&peer->keypairs);
39839 -+
39840 -+ /* Destroy all ongoing timers that were in-flight at the beginning of
39841 -+ * this function.
39842 -+ */
39843 -+ wg_timers_stop(peer);
39844 -+
39845 -+ /* The transition between packet encryption/decryption queues isn't
39846 -+ * guarded by is_dead, but each reference's life is strictly bounded by
39847 -+ * two generations: once for parallel crypto and once for serial
39848 -+ * ingestion, so we can simply flush twice, and be sure that we no
39849 -+ * longer have references inside these queues.
39850 -+ */
39851 -+
39852 -+ /* a) For encrypt/decrypt. */
39853 -+ flush_workqueue(peer->device->packet_crypt_wq);
39854 -+ /* b.1) For send (but not receive, since that's napi). */
39855 -+ flush_workqueue(peer->device->packet_crypt_wq);
39856 -+ /* b.2.1) For receive (but not send, since that's wq). */
39857 -+ napi_disable(&peer->napi);
39858 -+ /* b.2.1) It's now safe to remove the napi struct, which must be done
39859 -+ * here from process context.
39860 -+ */
39861 -+ netif_napi_del(&peer->napi);
39862 -+
39863 -+ /* Ensure any workstructs we own (like transmit_handshake_work or
39864 -+ * clear_peer_work) no longer are in use.
39865 -+ */
39866 -+ flush_workqueue(peer->device->handshake_send_wq);
39867 -+
39868 -+ /* After the above flushes, a peer might still be active in a few
39869 -+ * different contexts: 1) from xmit(), before hitting is_dead and
39870 -+ * returning, 2) from wg_packet_consume_data(), before hitting is_dead
39871 -+ * and returning, 3) from wg_receive_handshake_packet() after a point
39872 -+ * where it has processed an incoming handshake packet, but where
39873 -+ * all calls to pass it off to timers fails because of is_dead. We won't
39874 -+ * have new references in (1) eventually, because we're removed from
39875 -+ * allowedips; we won't have new references in (2) eventually, because
39876 -+ * wg_index_hashtable_lookup will always return NULL, since we removed
39877 -+ * all existing keypairs and no more can be created; we won't have new
39878 -+ * references in (3) eventually, because we're removed from the pubkey
39879 -+ * hash table, which allows for a maximum of one handshake response,
39880 -+ * via the still-uncleared index hashtable entry, but not more than one,
39881 -+ * and in wg_cookie_message_consume, the lookup eventually gets a peer
39882 -+ * with a refcount of zero, so no new reference is taken.
39883 -+ */
39884 -+
39885 -+ --peer->device->num_peers;
39886 -+ wg_peer_put(peer);
39887 -+}
39888 -+
39889 -+/* We have a separate "remove" function make sure that all active places where
39890 -+ * a peer is currently operating will eventually come to an end and not pass
39891 -+ * their reference onto another context.
39892 -+ */
39893 -+void wg_peer_remove(struct wg_peer *peer)
39894 -+{
39895 -+ if (unlikely(!peer))
39896 -+ return;
39897 -+ lockdep_assert_held(&peer->device->device_update_lock);
39898 -+
39899 -+ peer_make_dead(peer);
39900 -+ synchronize_rcu();
39901 -+ peer_remove_after_dead(peer);
39902 -+}
39903 -+
39904 -+void wg_peer_remove_all(struct wg_device *wg)
39905 -+{
39906 -+ struct wg_peer *peer, *temp;
39907 -+ LIST_HEAD(dead_peers);
39908 -+
39909 -+ lockdep_assert_held(&wg->device_update_lock);
39910 -+
39911 -+ /* Avoid having to traverse individually for each one. */
39912 -+ wg_allowedips_free(&wg->peer_allowedips, &wg->device_update_lock);
39913 -+
39914 -+ list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
39915 -+ peer_make_dead(peer);
39916 -+ list_add_tail(&peer->peer_list, &dead_peers);
39917 -+ }
39918 -+ synchronize_rcu();
39919 -+ list_for_each_entry_safe(peer, temp, &dead_peers, peer_list)
39920 -+ peer_remove_after_dead(peer);
39921 -+}
39922 -+
39923 -+static void rcu_release(struct rcu_head *rcu)
39924 -+{
39925 -+ struct wg_peer *peer = container_of(rcu, struct wg_peer, rcu);
39926 -+
39927 -+ dst_cache_destroy(&peer->endpoint_cache);
39928 -+ wg_packet_queue_free(&peer->rx_queue, false);
39929 -+ wg_packet_queue_free(&peer->tx_queue, false);
39930 -+
39931 -+ /* The final zeroing takes care of clearing any remaining handshake key
39932 -+ * material and other potentially sensitive information.
39933 -+ */
39934 -+ kzfree(peer);
39935 -+}
39936 -+
39937 -+static void kref_release(struct kref *refcount)
39938 -+{
39939 -+ struct wg_peer *peer = container_of(refcount, struct wg_peer, refcount);
39940 -+
39941 -+ pr_debug("%s: Peer %llu (%pISpfsc) destroyed\n",
39942 -+ peer->device->dev->name, peer->internal_id,
39943 -+ &peer->endpoint.addr);
39944 -+
39945 -+ /* Remove ourself from dynamic runtime lookup structures, now that the
39946 -+ * last reference is gone.
39947 -+ */
39948 -+ wg_index_hashtable_remove(peer->device->index_hashtable,
39949 -+ &peer->handshake.entry);
39950 -+
39951 -+ /* Remove any lingering packets that didn't have a chance to be
39952 -+ * transmitted.
39953 -+ */
39954 -+ wg_packet_purge_staged_packets(peer);
39955 -+
39956 -+ /* Free the memory used. */
39957 -+ call_rcu(&peer->rcu, rcu_release);
39958 -+}
39959 -+
39960 -+void wg_peer_put(struct wg_peer *peer)
39961 -+{
39962 -+ if (unlikely(!peer))
39963 -+ return;
39964 -+ kref_put(&peer->refcount, kref_release);
39965 -+}
39966 ---- /dev/null
39967 -+++ b/drivers/net/wireguard/peer.h
39968 -@@ -0,0 +1,83 @@
39969 -+/* SPDX-License-Identifier: GPL-2.0 */
39970 -+/*
39971 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
39972 -+ */
39973 -+
39974 -+#ifndef _WG_PEER_H
39975 -+#define _WG_PEER_H
39976 -+
39977 -+#include "device.h"
39978 -+#include "noise.h"
39979 -+#include "cookie.h"
39980 -+
39981 -+#include <linux/types.h>
39982 -+#include <linux/netfilter.h>
39983 -+#include <linux/spinlock.h>
39984 -+#include <linux/kref.h>
39985 -+#include <net/dst_cache.h>
39986 -+
39987 -+struct wg_device;
39988 -+
39989 -+struct endpoint {
39990 -+ union {
39991 -+ struct sockaddr addr;
39992 -+ struct sockaddr_in addr4;
39993 -+ struct sockaddr_in6 addr6;
39994 -+ };
39995 -+ union {
39996 -+ struct {
39997 -+ struct in_addr src4;
39998 -+ /* Essentially the same as addr6->scope_id */
39999 -+ int src_if4;
40000 -+ };
40001 -+ struct in6_addr src6;
40002 -+ };
40003 -+};
40004 -+
40005 -+struct wg_peer {
40006 -+ struct wg_device *device;
40007 -+ struct crypt_queue tx_queue, rx_queue;
40008 -+ struct sk_buff_head staged_packet_queue;
40009 -+ int serial_work_cpu;
40010 -+ struct noise_keypairs keypairs;
40011 -+ struct endpoint endpoint;
40012 -+ struct dst_cache endpoint_cache;
40013 -+ rwlock_t endpoint_lock;
40014 -+ struct noise_handshake handshake;
40015 -+ atomic64_t last_sent_handshake;
40016 -+ struct work_struct transmit_handshake_work, clear_peer_work;
40017 -+ struct cookie latest_cookie;
40018 -+ struct hlist_node pubkey_hash;
40019 -+ u64 rx_bytes, tx_bytes;
40020 -+ struct timer_list timer_retransmit_handshake, timer_send_keepalive;
40021 -+ struct timer_list timer_new_handshake, timer_zero_key_material;
40022 -+ struct timer_list timer_persistent_keepalive;
40023 -+ unsigned int timer_handshake_attempts;
40024 -+ u16 persistent_keepalive_interval;
40025 -+ bool timer_need_another_keepalive;
40026 -+ bool sent_lastminute_handshake;
40027 -+ struct timespec64 walltime_last_handshake;
40028 -+ struct kref refcount;
40029 -+ struct rcu_head rcu;
40030 -+ struct list_head peer_list;
40031 -+ struct list_head allowedips_list;
40032 -+ u64 internal_id;
40033 -+ struct napi_struct napi;
40034 -+ bool is_dead;
40035 -+};
40036 -+
40037 -+struct wg_peer *wg_peer_create(struct wg_device *wg,
40038 -+ const u8 public_key[NOISE_PUBLIC_KEY_LEN],
40039 -+ const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]);
40040 -+
40041 -+struct wg_peer *__must_check wg_peer_get_maybe_zero(struct wg_peer *peer);
40042 -+static inline struct wg_peer *wg_peer_get(struct wg_peer *peer)
40043 -+{
40044 -+ kref_get(&peer->refcount);
40045 -+ return peer;
40046 -+}
40047 -+void wg_peer_put(struct wg_peer *peer);
40048 -+void wg_peer_remove(struct wg_peer *peer);
40049 -+void wg_peer_remove_all(struct wg_device *wg);
40050 -+
40051 -+#endif /* _WG_PEER_H */
40052 ---- b/drivers/net/wireguard/peerlookup.c
40053 -+++ b/drivers/net/wireguard/peerlookup.c
40054 -@@ -0,0 +1,226 @@
40055 -+// SPDX-License-Identifier: GPL-2.0
40056 -+/*
40057 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40058 -+ */
40059 -+
40060 -+#include "peerlookup.h"
40061 -+#include "peer.h"
40062 -+#include "noise.h"
40063 -+
40064 -+static struct hlist_head *pubkey_bucket(struct pubkey_hashtable *table,
40065 -+ const u8 pubkey[NOISE_PUBLIC_KEY_LEN])
40066 -+{
40067 -+ /* siphash gives us a secure 64bit number based on a random key. Since
40068 -+ * the bits are uniformly distributed, we can then mask off to get the
40069 -+ * bits we need.
40070 -+ */
40071 -+ const u64 hash = siphash(pubkey, NOISE_PUBLIC_KEY_LEN, &table->key);
40072 -+
40073 -+ return &table->hashtable[hash & (HASH_SIZE(table->hashtable) - 1)];
40074 -+}
40075 -+
40076 -+struct pubkey_hashtable *wg_pubkey_hashtable_alloc(void)
40077 -+{
40078 -+ struct pubkey_hashtable *table = kvmalloc(sizeof(*table), GFP_KERNEL);
40079 -+
40080 -+ if (!table)
40081 -+ return NULL;
40082 -+
40083 -+ get_random_bytes(&table->key, sizeof(table->key));
40084 -+ hash_init(table->hashtable);
40085 -+ mutex_init(&table->lock);
40086 -+ return table;
40087 -+}
40088 -+
40089 -+void wg_pubkey_hashtable_add(struct pubkey_hashtable *table,
40090 -+ struct wg_peer *peer)
40091 -+{
40092 -+ mutex_lock(&table->lock);
40093 -+ hlist_add_head_rcu(&peer->pubkey_hash,
40094 -+ pubkey_bucket(table, peer->handshake.remote_static));
40095 -+ mutex_unlock(&table->lock);
40096 -+}
40097 -+
40098 -+void wg_pubkey_hashtable_remove(struct pubkey_hashtable *table,
40099 -+ struct wg_peer *peer)
40100 -+{
40101 -+ mutex_lock(&table->lock);
40102 -+ hlist_del_init_rcu(&peer->pubkey_hash);
40103 -+ mutex_unlock(&table->lock);
40104 -+}
40105 -+
40106 -+/* Returns a strong reference to a peer */
40107 -+struct wg_peer *
40108 -+wg_pubkey_hashtable_lookup(struct pubkey_hashtable *table,
40109 -+ const u8 pubkey[NOISE_PUBLIC_KEY_LEN])
40110 -+{
40111 -+ struct wg_peer *iter_peer, *peer = NULL;
40112 -+
40113 -+ rcu_read_lock_bh();
40114 -+ hlist_for_each_entry_rcu_bh(iter_peer, pubkey_bucket(table, pubkey),
40115 -+ pubkey_hash) {
40116 -+ if (!memcmp(pubkey, iter_peer->handshake.remote_static,
40117 -+ NOISE_PUBLIC_KEY_LEN)) {
40118 -+ peer = iter_peer;
40119 -+ break;
40120 -+ }
40121 -+ }
40122 -+ peer = wg_peer_get_maybe_zero(peer);
40123 -+ rcu_read_unlock_bh();
40124 -+ return peer;
40125 -+}
40126 -+
40127 -+static struct hlist_head *index_bucket(struct index_hashtable *table,
40128 -+ const __le32 index)
40129 -+{
40130 -+ /* Since the indices are random and thus all bits are uniformly
40131 -+ * distributed, we can find its bucket simply by masking.
40132 -+ */
40133 -+ return &table->hashtable[(__force u32)index &
40134 -+ (HASH_SIZE(table->hashtable) - 1)];
40135 -+}
40136 -+
40137 -+struct index_hashtable *wg_index_hashtable_alloc(void)
40138 -+{
40139 -+ struct index_hashtable *table = kvmalloc(sizeof(*table), GFP_KERNEL);
40140 -+
40141 -+ if (!table)
40142 -+ return NULL;
40143 -+
40144 -+ hash_init(table->hashtable);
40145 -+ spin_lock_init(&table->lock);
40146 -+ return table;
40147 -+}
40148 -+
40149 -+/* At the moment, we limit ourselves to 2^20 total peers, which generally might
40150 -+ * amount to 2^20*3 items in this hashtable. The algorithm below works by
40151 -+ * picking a random number and testing it. We can see that these limits mean we
40152 -+ * usually succeed pretty quickly:
40153 -+ *
40154 -+ * >>> def calculation(tries, size):
40155 -+ * ... return (size / 2**32)**(tries - 1) * (1 - (size / 2**32))
40156 -+ * ...
40157 -+ * >>> calculation(1, 2**20 * 3)
40158 -+ * 0.999267578125
40159 -+ * >>> calculation(2, 2**20 * 3)
40160 -+ * 0.0007318854331970215
40161 -+ * >>> calculation(3, 2**20 * 3)
40162 -+ * 5.360489012673497e-07
40163 -+ * >>> calculation(4, 2**20 * 3)
40164 -+ * 3.9261394135792216e-10
40165 -+ *
40166 -+ * At the moment, we don't do any masking, so this algorithm isn't exactly
40167 -+ * constant time in either the random guessing or in the hash list lookup. We
40168 -+ * could require a minimum of 3 tries, which would successfully mask the
40169 -+ * guessing. this would not, however, help with the growing hash lengths, which
40170 -+ * is another thing to consider moving forward.
40171 -+ */
40172 -+
40173 -+__le32 wg_index_hashtable_insert(struct index_hashtable *table,
40174 -+ struct index_hashtable_entry *entry)
40175 -+{
40176 -+ struct index_hashtable_entry *existing_entry;
40177 -+
40178 -+ spin_lock_bh(&table->lock);
40179 -+ hlist_del_init_rcu(&entry->index_hash);
40180 -+ spin_unlock_bh(&table->lock);
40181 -+
40182 -+ rcu_read_lock_bh();
40183 -+
40184 -+search_unused_slot:
40185 -+ /* First we try to find an unused slot, randomly, while unlocked. */
40186 -+ entry->index = (__force __le32)get_random_u32();
40187 -+ hlist_for_each_entry_rcu_bh(existing_entry,
40188 -+ index_bucket(table, entry->index),
40189 -+ index_hash) {
40190 -+ if (existing_entry->index == entry->index)
40191 -+ /* If it's already in use, we continue searching. */
40192 -+ goto search_unused_slot;
40193 -+ }
40194 -+
40195 -+ /* Once we've found an unused slot, we lock it, and then double-check
40196 -+ * that nobody else stole it from us.
40197 -+ */
40198 -+ spin_lock_bh(&table->lock);
40199 -+ hlist_for_each_entry_rcu_bh(existing_entry,
40200 -+ index_bucket(table, entry->index),
40201 -+ index_hash) {
40202 -+ if (existing_entry->index == entry->index) {
40203 -+ spin_unlock_bh(&table->lock);
40204 -+ /* If it was stolen, we start over. */
40205 -+ goto search_unused_slot;
40206 -+ }
40207 -+ }
40208 -+ /* Otherwise, we know we have it exclusively (since we're locked),
40209 -+ * so we insert.
40210 -+ */
40211 -+ hlist_add_head_rcu(&entry->index_hash,
40212 -+ index_bucket(table, entry->index));
40213 -+ spin_unlock_bh(&table->lock);
40214 -+
40215 -+ rcu_read_unlock_bh();
40216 -+
40217 -+ return entry->index;
40218 -+}
40219 -+
40220 -+bool wg_index_hashtable_replace(struct index_hashtable *table,
40221 -+ struct index_hashtable_entry *old,
40222 -+ struct index_hashtable_entry *new)
40223 -+{
40224 -+ bool ret;
40225 -+
40226 -+ spin_lock_bh(&table->lock);
40227 -+ ret = !hlist_unhashed(&old->index_hash);
40228 -+ if (unlikely(!ret))
40229 -+ goto out;
40230 -+
40231 -+ new->index = old->index;
40232 -+ hlist_replace_rcu(&old->index_hash, &new->index_hash);
40233 -+
40234 -+ /* Calling init here NULLs out index_hash, and in fact after this
40235 -+ * function returns, it's theoretically possible for this to get
40236 -+ * reinserted elsewhere. That means the RCU lookup below might either
40237 -+ * terminate early or jump between buckets, in which case the packet
40238 -+ * simply gets dropped, which isn't terrible.
40239 -+ */
40240 -+ INIT_HLIST_NODE(&old->index_hash);
40241 -+out:
40242 -+ spin_unlock_bh(&table->lock);
40243 -+ return ret;
40244 -+}
40245 -+
40246 -+void wg_index_hashtable_remove(struct index_hashtable *table,
40247 -+ struct index_hashtable_entry *entry)
40248 -+{
40249 -+ spin_lock_bh(&table->lock);
40250 -+ hlist_del_init_rcu(&entry->index_hash);
40251 -+ spin_unlock_bh(&table->lock);
40252 -+}
40253 -+
40254 -+/* Returns a strong reference to a entry->peer */
40255 -+struct index_hashtable_entry *
40256 -+wg_index_hashtable_lookup(struct index_hashtable *table,
40257 -+ const enum index_hashtable_type type_mask,
40258 -+ const __le32 index, struct wg_peer **peer)
40259 -+{
40260 -+ struct index_hashtable_entry *iter_entry, *entry = NULL;
40261 -+
40262 -+ rcu_read_lock_bh();
40263 -+ hlist_for_each_entry_rcu_bh(iter_entry, index_bucket(table, index),
40264 -+ index_hash) {
40265 -+ if (iter_entry->index == index) {
40266 -+ if (likely(iter_entry->type & type_mask))
40267 -+ entry = iter_entry;
40268 -+ break;
40269 -+ }
40270 -+ }
40271 -+ if (likely(entry)) {
40272 -+ entry->peer = wg_peer_get_maybe_zero(entry->peer);
40273 -+ if (likely(entry->peer))
40274 -+ *peer = entry->peer;
40275 -+ else
40276 -+ entry = NULL;
40277 -+ }
40278 -+ rcu_read_unlock_bh();
40279 -+ return entry;
40280 -+}
40281 ---- /dev/null
40282 -+++ b/drivers/net/wireguard/peerlookup.h
40283 -@@ -0,0 +1,64 @@
40284 -+/* SPDX-License-Identifier: GPL-2.0 */
40285 -+/*
40286 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40287 -+ */
40288 -+
40289 -+#ifndef _WG_PEERLOOKUP_H
40290 -+#define _WG_PEERLOOKUP_H
40291 -+
40292 -+#include "messages.h"
40293 -+
40294 -+#include <linux/hashtable.h>
40295 -+#include <linux/mutex.h>
40296 -+#include <linux/siphash.h>
40297 -+
40298 -+struct wg_peer;
40299 -+
40300 -+struct pubkey_hashtable {
40301 -+ /* TODO: move to rhashtable */
40302 -+ DECLARE_HASHTABLE(hashtable, 11);
40303 -+ siphash_key_t key;
40304 -+ struct mutex lock;
40305 -+};
40306 -+
40307 -+struct pubkey_hashtable *wg_pubkey_hashtable_alloc(void);
40308 -+void wg_pubkey_hashtable_add(struct pubkey_hashtable *table,
40309 -+ struct wg_peer *peer);
40310 -+void wg_pubkey_hashtable_remove(struct pubkey_hashtable *table,
40311 -+ struct wg_peer *peer);
40312 -+struct wg_peer *
40313 -+wg_pubkey_hashtable_lookup(struct pubkey_hashtable *table,
40314 -+ const u8 pubkey[NOISE_PUBLIC_KEY_LEN]);
40315 -+
40316 -+struct index_hashtable {
40317 -+ /* TODO: move to rhashtable */
40318 -+ DECLARE_HASHTABLE(hashtable, 13);
40319 -+ spinlock_t lock;
40320 -+};
40321 -+
40322 -+enum index_hashtable_type {
40323 -+ INDEX_HASHTABLE_HANDSHAKE = 1U << 0,
40324 -+ INDEX_HASHTABLE_KEYPAIR = 1U << 1
40325 -+};
40326 -+
40327 -+struct index_hashtable_entry {
40328 -+ struct wg_peer *peer;
40329 -+ struct hlist_node index_hash;
40330 -+ enum index_hashtable_type type;
40331 -+ __le32 index;
40332 -+};
40333 -+
40334 -+struct index_hashtable *wg_index_hashtable_alloc(void);
40335 -+__le32 wg_index_hashtable_insert(struct index_hashtable *table,
40336 -+ struct index_hashtable_entry *entry);
40337 -+bool wg_index_hashtable_replace(struct index_hashtable *table,
40338 -+ struct index_hashtable_entry *old,
40339 -+ struct index_hashtable_entry *new);
40340 -+void wg_index_hashtable_remove(struct index_hashtable *table,
40341 -+ struct index_hashtable_entry *entry);
40342 -+struct index_hashtable_entry *
40343 -+wg_index_hashtable_lookup(struct index_hashtable *table,
40344 -+ const enum index_hashtable_type type_mask,
40345 -+ const __le32 index, struct wg_peer **peer);
40346 -+
40347 -+#endif /* _WG_PEERLOOKUP_H */
40348 ---- b/drivers/net/wireguard/queueing.c
40349 -+++ b/drivers/net/wireguard/queueing.c
40350 -@@ -0,0 +1,55 @@
40351 -+// SPDX-License-Identifier: GPL-2.0
40352 -+/*
40353 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40354 -+ */
40355 -+
40356 -+#include "queueing.h"
40357 -+
40358 -+struct multicore_worker __percpu *
40359 -+wg_packet_percpu_multicore_worker_alloc(work_func_t function, void *ptr)
40360 -+{
40361 -+ int cpu;
40362 -+ struct multicore_worker __percpu *worker =
40363 -+ alloc_percpu(struct multicore_worker);
40364 -+
40365 -+ if (!worker)
40366 -+ return NULL;
40367 -+
40368 -+ for_each_possible_cpu(cpu) {
40369 -+ per_cpu_ptr(worker, cpu)->ptr = ptr;
40370 -+ INIT_WORK(&per_cpu_ptr(worker, cpu)->work, function);
40371 -+ }
40372 -+ return worker;
40373 -+}
40374 -+
40375 -+int wg_packet_queue_init(struct crypt_queue *queue, work_func_t function,
40376 -+ bool multicore, unsigned int len)
40377 -+{
40378 -+ int ret;
40379 -+
40380 -+ memset(queue, 0, sizeof(*queue));
40381 -+ ret = ptr_ring_init(&queue->ring, len, GFP_KERNEL);
40382 -+ if (ret)
40383 -+ return ret;
40384 -+ if (function) {
40385 -+ if (multicore) {
40386 -+ queue->worker = wg_packet_percpu_multicore_worker_alloc(
40387 -+ function, queue);
40388 -+ if (!queue->worker) {
40389 -+ ptr_ring_cleanup(&queue->ring, NULL);
40390 -+ return -ENOMEM;
40391 -+ }
40392 -+ } else {
40393 -+ INIT_WORK(&queue->work, function);
40394 -+ }
40395 -+ }
40396 -+ return 0;
40397 -+}
40398 -+
40399 -+void wg_packet_queue_free(struct crypt_queue *queue, bool multicore)
40400 -+{
40401 -+ if (multicore)
40402 -+ free_percpu(queue->worker);
40403 -+ WARN_ON(!__ptr_ring_empty(&queue->ring));
40404 -+ ptr_ring_cleanup(&queue->ring, NULL);
40405 -+}
40406 ---- b/drivers/net/wireguard/queueing.h
40407 -+++ b/drivers/net/wireguard/queueing.h
40408 -@@ -0,0 +1,193 @@
40409 -+/* SPDX-License-Identifier: GPL-2.0 */
40410 -+/*
40411 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40412 -+ */
40413 -+
40414 -+#ifndef _WG_QUEUEING_H
40415 -+#define _WG_QUEUEING_H
40416 -+
40417 -+#include "peer.h"
40418 -+#include <linux/types.h>
40419 -+#include <linux/skbuff.h>
40420 -+#include <linux/ip.h>
40421 -+#include <linux/ipv6.h>
40422 -+#include <net/ip_tunnels.h>
40423 -+
40424 -+struct wg_device;
40425 -+struct wg_peer;
40426 -+struct multicore_worker;
40427 -+struct crypt_queue;
40428 -+struct sk_buff;
40429 -+
40430 -+/* queueing.c APIs: */
40431 -+int wg_packet_queue_init(struct crypt_queue *queue, work_func_t function,
40432 -+ bool multicore, unsigned int len);
40433 -+void wg_packet_queue_free(struct crypt_queue *queue, bool multicore);
40434 -+struct multicore_worker __percpu *
40435 -+wg_packet_percpu_multicore_worker_alloc(work_func_t function, void *ptr);
40436 -+
40437 -+/* receive.c APIs: */
40438 -+void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb);
40439 -+void wg_packet_handshake_receive_worker(struct work_struct *work);
40440 -+/* NAPI poll function: */
40441 -+int wg_packet_rx_poll(struct napi_struct *napi, int budget);
40442 -+/* Workqueue worker: */
40443 -+void wg_packet_decrypt_worker(struct work_struct *work);
40444 -+
40445 -+/* send.c APIs: */
40446 -+void wg_packet_send_queued_handshake_initiation(struct wg_peer *peer,
40447 -+ bool is_retry);
40448 -+void wg_packet_send_handshake_response(struct wg_peer *peer);
40449 -+void wg_packet_send_handshake_cookie(struct wg_device *wg,
40450 -+ struct sk_buff *initiating_skb,
40451 -+ __le32 sender_index);
40452 -+void wg_packet_send_keepalive(struct wg_peer *peer);
40453 -+void wg_packet_purge_staged_packets(struct wg_peer *peer);
40454 -+void wg_packet_send_staged_packets(struct wg_peer *peer);
40455 -+/* Workqueue workers: */
40456 -+void wg_packet_handshake_send_worker(struct work_struct *work);
40457 -+void wg_packet_tx_worker(struct work_struct *work);
40458 -+void wg_packet_encrypt_worker(struct work_struct *work);
40459 -+
40460 -+enum packet_state {
40461 -+ PACKET_STATE_UNCRYPTED,
40462 -+ PACKET_STATE_CRYPTED,
40463 -+ PACKET_STATE_DEAD
40464 -+};
40465 -+
40466 -+struct packet_cb {
40467 -+ u64 nonce;
40468 -+ struct noise_keypair *keypair;
40469 -+ atomic_t state;
40470 -+ u32 mtu;
40471 -+ u8 ds;
40472 -+};
40473 -+
40474 -+#define PACKET_CB(skb) ((struct packet_cb *)((skb)->cb))
40475 -+#define PACKET_PEER(skb) (PACKET_CB(skb)->keypair->entry.peer)
40476 -+
40477 -+static inline bool wg_check_packet_protocol(struct sk_buff *skb)
40478 -+{
40479 -+ __be16 real_protocol = ip_tunnel_parse_protocol(skb);
40480 -+ return real_protocol && skb->protocol == real_protocol;
40481 -+}
40482 -+
40483 -+static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
40484 -+{
40485 -+ u8 l4_hash = skb->l4_hash;
40486 -+ u8 sw_hash = skb->sw_hash;
40487 -+ u32 hash = skb->hash;
40488 -+ skb_scrub_packet(skb, true);
40489 -+ memset(&skb->headers_start, 0,
40490 -+ offsetof(struct sk_buff, headers_end) -
40491 -+ offsetof(struct sk_buff, headers_start));
40492 -+ if (encapsulating) {
40493 -+ skb->l4_hash = l4_hash;
40494 -+ skb->sw_hash = sw_hash;
40495 -+ skb->hash = hash;
40496 -+ }
40497 -+ skb->queue_mapping = 0;
40498 -+ skb->nohdr = 0;
40499 -+ skb->peeked = 0;
40500 -+ skb->mac_len = 0;
40501 -+ skb->dev = NULL;
40502 -+#ifdef CONFIG_NET_SCHED
40503 -+ skb->tc_index = 0;
40504 -+#endif
40505 -+ skb_reset_redirect(skb);
40506 -+ skb->hdr_len = skb_headroom(skb);
40507 -+ skb_reset_mac_header(skb);
40508 -+ skb_reset_network_header(skb);
40509 -+ skb_reset_transport_header(skb);
40510 -+ skb_probe_transport_header(skb);
40511 -+ skb_reset_inner_headers(skb);
40512 -+}
40513 -+
40514 -+static inline int wg_cpumask_choose_online(int *stored_cpu, unsigned int id)
40515 -+{
40516 -+ unsigned int cpu = *stored_cpu, cpu_index, i;
40517 -+
40518 -+ if (unlikely(cpu == nr_cpumask_bits ||
40519 -+ !cpumask_test_cpu(cpu, cpu_online_mask))) {
40520 -+ cpu_index = id % cpumask_weight(cpu_online_mask);
40521 -+ cpu = cpumask_first(cpu_online_mask);
40522 -+ for (i = 0; i < cpu_index; ++i)
40523 -+ cpu = cpumask_next(cpu, cpu_online_mask);
40524 -+ *stored_cpu = cpu;
40525 -+ }
40526 -+ return cpu;
40527 -+}
40528 -+
40529 -+/* This function is racy, in the sense that next is unlocked, so it could return
40530 -+ * the same CPU twice. A race-free version of this would be to instead store an
40531 -+ * atomic sequence number, do an increment-and-return, and then iterate through
40532 -+ * every possible CPU until we get to that index -- choose_cpu. However that's
40533 -+ * a bit slower, and it doesn't seem like this potential race actually
40534 -+ * introduces any performance loss, so we live with it.
40535 -+ */
40536 -+static inline int wg_cpumask_next_online(int *next)
40537 -+{
40538 -+ int cpu = *next;
40539 -+
40540 -+ while (unlikely(!cpumask_test_cpu(cpu, cpu_online_mask)))
40541 -+ cpu = cpumask_next(cpu, cpu_online_mask) % nr_cpumask_bits;
40542 -+ *next = cpumask_next(cpu, cpu_online_mask) % nr_cpumask_bits;
40543 -+ return cpu;
40544 -+}
40545 -+
40546 -+static inline int wg_queue_enqueue_per_device_and_peer(
40547 -+ struct crypt_queue *device_queue, struct crypt_queue *peer_queue,
40548 -+ struct sk_buff *skb, struct workqueue_struct *wq, int *next_cpu)
40549 -+{
40550 -+ int cpu;
40551 -+
40552 -+ atomic_set_release(&PACKET_CB(skb)->state, PACKET_STATE_UNCRYPTED);
40553 -+ /* We first queue this up for the peer ingestion, but the consumer
40554 -+ * will wait for the state to change to CRYPTED or DEAD before.
40555 -+ */
40556 -+ if (unlikely(ptr_ring_produce_bh(&peer_queue->ring, skb)))
40557 -+ return -ENOSPC;
40558 -+ /* Then we queue it up in the device queue, which consumes the
40559 -+ * packet as soon as it can.
40560 -+ */
40561 -+ cpu = wg_cpumask_next_online(next_cpu);
40562 -+ if (unlikely(ptr_ring_produce_bh(&device_queue->ring, skb)))
40563 -+ return -EPIPE;
40564 -+ queue_work_on(cpu, wq, &per_cpu_ptr(device_queue->worker, cpu)->work);
40565 -+ return 0;
40566 -+}
40567 -+
40568 -+static inline void wg_queue_enqueue_per_peer(struct crypt_queue *queue,
40569 -+ struct sk_buff *skb,
40570 -+ enum packet_state state)
40571 -+{
40572 -+ /* We take a reference, because as soon as we call atomic_set, the
40573 -+ * peer can be freed from below us.
40574 -+ */
40575 -+ struct wg_peer *peer = wg_peer_get(PACKET_PEER(skb));
40576 -+
40577 -+ atomic_set_release(&PACKET_CB(skb)->state, state);
40578 -+ queue_work_on(wg_cpumask_choose_online(&peer->serial_work_cpu,
40579 -+ peer->internal_id),
40580 -+ peer->device->packet_crypt_wq, &queue->work);
40581 -+ wg_peer_put(peer);
40582 -+}
40583 -+
40584 -+static inline void wg_queue_enqueue_per_peer_napi(struct sk_buff *skb,
40585 -+ enum packet_state state)
40586 -+{
40587 -+ /* We take a reference, because as soon as we call atomic_set, the
40588 -+ * peer can be freed from below us.
40589 -+ */
40590 -+ struct wg_peer *peer = wg_peer_get(PACKET_PEER(skb));
40591 -+
40592 -+ atomic_set_release(&PACKET_CB(skb)->state, state);
40593 -+ napi_schedule(&peer->napi);
40594 -+ wg_peer_put(peer);
40595 -+}
40596 -+
40597 -+#ifdef DEBUG
40598 -+bool wg_packet_counter_selftest(void);
40599 -+#endif
40600 -+
40601 -+#endif /* _WG_QUEUEING_H */
40602 ---- /dev/null
40603 -+++ b/drivers/net/wireguard/ratelimiter.c
40604 -@@ -0,0 +1,223 @@
40605 -+// SPDX-License-Identifier: GPL-2.0
40606 -+/*
40607 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40608 -+ */
40609 -+
40610 -+#include "ratelimiter.h"
40611 -+#include <linux/siphash.h>
40612 -+#include <linux/mm.h>
40613 -+#include <linux/slab.h>
40614 -+#include <net/ip.h>
40615 -+
40616 -+static struct kmem_cache *entry_cache;
40617 -+static hsiphash_key_t key;
40618 -+static spinlock_t table_lock = __SPIN_LOCK_UNLOCKED("ratelimiter_table_lock");
40619 -+static DEFINE_MUTEX(init_lock);
40620 -+static u64 init_refcnt; /* Protected by init_lock, hence not atomic. */
40621 -+static atomic_t total_entries = ATOMIC_INIT(0);
40622 -+static unsigned int max_entries, table_size;
40623 -+static void wg_ratelimiter_gc_entries(struct work_struct *);
40624 -+static DECLARE_DEFERRABLE_WORK(gc_work, wg_ratelimiter_gc_entries);
40625 -+static struct hlist_head *table_v4;
40626 -+#if IS_ENABLED(CONFIG_IPV6)
40627 -+static struct hlist_head *table_v6;
40628 -+#endif
40629 -+
40630 -+struct ratelimiter_entry {
40631 -+ u64 last_time_ns, tokens, ip;
40632 -+ void *net;
40633 -+ spinlock_t lock;
40634 -+ struct hlist_node hash;
40635 -+ struct rcu_head rcu;
40636 -+};
40637 -+
40638 -+enum {
40639 -+ PACKETS_PER_SECOND = 20,
40640 -+ PACKETS_BURSTABLE = 5,
40641 -+ PACKET_COST = NSEC_PER_SEC / PACKETS_PER_SECOND,
40642 -+ TOKEN_MAX = PACKET_COST * PACKETS_BURSTABLE
40643 -+};
40644 -+
40645 -+static void entry_free(struct rcu_head *rcu)
40646 -+{
40647 -+ kmem_cache_free(entry_cache,
40648 -+ container_of(rcu, struct ratelimiter_entry, rcu));
40649 -+ atomic_dec(&total_entries);
40650 -+}
40651 -+
40652 -+static void entry_uninit(struct ratelimiter_entry *entry)
40653 -+{
40654 -+ hlist_del_rcu(&entry->hash);
40655 -+ call_rcu(&entry->rcu, entry_free);
40656 -+}
40657 -+
40658 -+/* Calling this function with a NULL work uninits all entries. */
40659 -+static void wg_ratelimiter_gc_entries(struct work_struct *work)
40660 -+{
40661 -+ const u64 now = ktime_get_coarse_boottime_ns();
40662 -+ struct ratelimiter_entry *entry;
40663 -+ struct hlist_node *temp;
40664 -+ unsigned int i;
40665 -+
40666 -+ for (i = 0; i < table_size; ++i) {
40667 -+ spin_lock(&table_lock);
40668 -+ hlist_for_each_entry_safe(entry, temp, &table_v4[i], hash) {
40669 -+ if (unlikely(!work) ||
40670 -+ now - entry->last_time_ns > NSEC_PER_SEC)
40671 -+ entry_uninit(entry);
40672 -+ }
40673 -+#if IS_ENABLED(CONFIG_IPV6)
40674 -+ hlist_for_each_entry_safe(entry, temp, &table_v6[i], hash) {
40675 -+ if (unlikely(!work) ||
40676 -+ now - entry->last_time_ns > NSEC_PER_SEC)
40677 -+ entry_uninit(entry);
40678 -+ }
40679 -+#endif
40680 -+ spin_unlock(&table_lock);
40681 -+ if (likely(work))
40682 -+ cond_resched();
40683 -+ }
40684 -+ if (likely(work))
40685 -+ queue_delayed_work(system_power_efficient_wq, &gc_work, HZ);
40686 -+}
40687 -+
40688 -+bool wg_ratelimiter_allow(struct sk_buff *skb, struct net *net)
40689 -+{
40690 -+ /* We only take the bottom half of the net pointer, so that we can hash
40691 -+ * 3 words in the end. This way, siphash's len param fits into the final
40692 -+ * u32, and we don't incur an extra round.
40693 -+ */
40694 -+ const u32 net_word = (unsigned long)net;
40695 -+ struct ratelimiter_entry *entry;
40696 -+ struct hlist_head *bucket;
40697 -+ u64 ip;
40698 -+
40699 -+ if (skb->protocol == htons(ETH_P_IP)) {
40700 -+ ip = (u64 __force)ip_hdr(skb)->saddr;
40701 -+ bucket = &table_v4[hsiphash_2u32(net_word, ip, &key) &
40702 -+ (table_size - 1)];
40703 -+ }
40704 -+#if IS_ENABLED(CONFIG_IPV6)
40705 -+ else if (skb->protocol == htons(ETH_P_IPV6)) {
40706 -+ /* Only use 64 bits, so as to ratelimit the whole /64. */
40707 -+ memcpy(&ip, &ipv6_hdr(skb)->saddr, sizeof(ip));
40708 -+ bucket = &table_v6[hsiphash_3u32(net_word, ip >> 32, ip, &key) &
40709 -+ (table_size - 1)];
40710 -+ }
40711 -+#endif
40712 -+ else
40713 -+ return false;
40714 -+ rcu_read_lock();
40715 -+ hlist_for_each_entry_rcu(entry, bucket, hash) {
40716 -+ if (entry->net == net && entry->ip == ip) {
40717 -+ u64 now, tokens;
40718 -+ bool ret;
40719 -+ /* Quasi-inspired by nft_limit.c, but this is actually a
40720 -+ * slightly different algorithm. Namely, we incorporate
40721 -+ * the burst as part of the maximum tokens, rather than
40722 -+ * as part of the rate.
40723 -+ */
40724 -+ spin_lock(&entry->lock);
40725 -+ now = ktime_get_coarse_boottime_ns();
40726 -+ tokens = min_t(u64, TOKEN_MAX,
40727 -+ entry->tokens + now -
40728 -+ entry->last_time_ns);
40729 -+ entry->last_time_ns = now;
40730 -+ ret = tokens >= PACKET_COST;
40731 -+ entry->tokens = ret ? tokens - PACKET_COST : tokens;
40732 -+ spin_unlock(&entry->lock);
40733 -+ rcu_read_unlock();
40734 -+ return ret;
40735 -+ }
40736 -+ }
40737 -+ rcu_read_unlock();
40738 -+
40739 -+ if (atomic_inc_return(&total_entries) > max_entries)
40740 -+ goto err_oom;
40741 -+
40742 -+ entry = kmem_cache_alloc(entry_cache, GFP_KERNEL);
40743 -+ if (unlikely(!entry))
40744 -+ goto err_oom;
40745 -+
40746 -+ entry->net = net;
40747 -+ entry->ip = ip;
40748 -+ INIT_HLIST_NODE(&entry->hash);
40749 -+ spin_lock_init(&entry->lock);
40750 -+ entry->last_time_ns = ktime_get_coarse_boottime_ns();
40751 -+ entry->tokens = TOKEN_MAX - PACKET_COST;
40752 -+ spin_lock(&table_lock);
40753 -+ hlist_add_head_rcu(&entry->hash, bucket);
40754 -+ spin_unlock(&table_lock);
40755 -+ return true;
40756 -+
40757 -+err_oom:
40758 -+ atomic_dec(&total_entries);
40759 -+ return false;
40760 -+}
40761 -+
40762 -+int wg_ratelimiter_init(void)
40763 -+{
40764 -+ mutex_lock(&init_lock);
40765 -+ if (++init_refcnt != 1)
40766 -+ goto out;
40767 -+
40768 -+ entry_cache = KMEM_CACHE(ratelimiter_entry, 0);
40769 -+ if (!entry_cache)
40770 -+ goto err;
40771 -+
40772 -+ /* xt_hashlimit.c uses a slightly different algorithm for ratelimiting,
40773 -+ * but what it shares in common is that it uses a massive hashtable. So,
40774 -+ * we borrow their wisdom about good table sizes on different systems
40775 -+ * dependent on RAM. This calculation here comes from there.
40776 -+ */
40777 -+ table_size = (totalram_pages() > (1U << 30) / PAGE_SIZE) ? 8192 :
40778 -+ max_t(unsigned long, 16, roundup_pow_of_two(
40779 -+ (totalram_pages() << PAGE_SHIFT) /
40780 -+ (1U << 14) / sizeof(struct hlist_head)));
40781 -+ max_entries = table_size * 8;
40782 -+
40783 -+ table_v4 = kvzalloc(table_size * sizeof(*table_v4), GFP_KERNEL);
40784 -+ if (unlikely(!table_v4))
40785 -+ goto err_kmemcache;
40786 -+
40787 -+#if IS_ENABLED(CONFIG_IPV6)
40788 -+ table_v6 = kvzalloc(table_size * sizeof(*table_v6), GFP_KERNEL);
40789 -+ if (unlikely(!table_v6)) {
40790 -+ kvfree(table_v4);
40791 -+ goto err_kmemcache;
40792 -+ }
40793 -+#endif
40794 -+
40795 -+ queue_delayed_work(system_power_efficient_wq, &gc_work, HZ);
40796 -+ get_random_bytes(&key, sizeof(key));
40797 -+out:
40798 -+ mutex_unlock(&init_lock);
40799 -+ return 0;
40800 -+
40801 -+err_kmemcache:
40802 -+ kmem_cache_destroy(entry_cache);
40803 -+err:
40804 -+ --init_refcnt;
40805 -+ mutex_unlock(&init_lock);
40806 -+ return -ENOMEM;
40807 -+}
40808 -+
40809 -+void wg_ratelimiter_uninit(void)
40810 -+{
40811 -+ mutex_lock(&init_lock);
40812 -+ if (!init_refcnt || --init_refcnt)
40813 -+ goto out;
40814 -+
40815 -+ cancel_delayed_work_sync(&gc_work);
40816 -+ wg_ratelimiter_gc_entries(NULL);
40817 -+ rcu_barrier();
40818 -+ kvfree(table_v4);
40819 -+#if IS_ENABLED(CONFIG_IPV6)
40820 -+ kvfree(table_v6);
40821 -+#endif
40822 -+ kmem_cache_destroy(entry_cache);
40823 -+out:
40824 -+ mutex_unlock(&init_lock);
40825 -+}
40826 -+
40827 -+#include "selftest/ratelimiter.c"
40828 ---- /dev/null
40829 -+++ b/drivers/net/wireguard/ratelimiter.h
40830 -@@ -0,0 +1,19 @@
40831 -+/* SPDX-License-Identifier: GPL-2.0 */
40832 -+/*
40833 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40834 -+ */
40835 -+
40836 -+#ifndef _WG_RATELIMITER_H
40837 -+#define _WG_RATELIMITER_H
40838 -+
40839 -+#include <linux/skbuff.h>
40840 -+
40841 -+int wg_ratelimiter_init(void);
40842 -+void wg_ratelimiter_uninit(void);
40843 -+bool wg_ratelimiter_allow(struct sk_buff *skb, struct net *net);
40844 -+
40845 -+#ifdef DEBUG
40846 -+bool wg_ratelimiter_selftest(void);
40847 -+#endif
40848 -+
40849 -+#endif /* _WG_RATELIMITER_H */
40850 ---- b/drivers/net/wireguard/receive.c
40851 -+++ b/drivers/net/wireguard/receive.c
40852 -@@ -0,0 +1,590 @@
40853 -+// SPDX-License-Identifier: GPL-2.0
40854 -+/*
40855 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40856 -+ */
40857 -+
40858 -+#include "queueing.h"
40859 -+#include "device.h"
40860 -+#include "peer.h"
40861 -+#include "timers.h"
40862 -+#include "messages.h"
40863 -+#include "cookie.h"
40864 -+#include "socket.h"
40865 -+
40866 -+#include <linux/ip.h>
40867 -+#include <linux/ipv6.h>
40868 -+#include <linux/udp.h>
40869 -+#include <net/ip_tunnels.h>
40870 -+
40871 -+/* Must be called with bh disabled. */
40872 -+static void update_rx_stats(struct wg_peer *peer, size_t len)
40873 -+{
40874 -+ struct pcpu_sw_netstats *tstats =
40875 -+ get_cpu_ptr(peer->device->dev->tstats);
40876 -+
40877 -+ u64_stats_update_begin(&tstats->syncp);
40878 -+ ++tstats->rx_packets;
40879 -+ tstats->rx_bytes += len;
40880 -+ peer->rx_bytes += len;
40881 -+ u64_stats_update_end(&tstats->syncp);
40882 -+ put_cpu_ptr(tstats);
40883 -+}
40884 -+
40885 -+#define SKB_TYPE_LE32(skb) (((struct message_header *)(skb)->data)->type)
40886 -+
40887 -+static size_t validate_header_len(struct sk_buff *skb)
40888 -+{
40889 -+ if (unlikely(skb->len < sizeof(struct message_header)))
40890 -+ return 0;
40891 -+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_DATA) &&
40892 -+ skb->len >= MESSAGE_MINIMUM_LENGTH)
40893 -+ return sizeof(struct message_data);
40894 -+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION) &&
40895 -+ skb->len == sizeof(struct message_handshake_initiation))
40896 -+ return sizeof(struct message_handshake_initiation);
40897 -+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE) &&
40898 -+ skb->len == sizeof(struct message_handshake_response))
40899 -+ return sizeof(struct message_handshake_response);
40900 -+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE) &&
40901 -+ skb->len == sizeof(struct message_handshake_cookie))
40902 -+ return sizeof(struct message_handshake_cookie);
40903 -+ return 0;
40904 -+}
40905 -+
40906 -+static int prepare_skb_header(struct sk_buff *skb, struct wg_device *wg)
40907 -+{
40908 -+ size_t data_offset, data_len, header_len;
40909 -+ struct udphdr *udp;
40910 -+
40911 -+ if (unlikely(!wg_check_packet_protocol(skb) ||
40912 -+ skb_transport_header(skb) < skb->head ||
40913 -+ (skb_transport_header(skb) + sizeof(struct udphdr)) >
40914 -+ skb_tail_pointer(skb)))
40915 -+ return -EINVAL; /* Bogus IP header */
40916 -+ udp = udp_hdr(skb);
40917 -+ data_offset = (u8 *)udp - skb->data;
40918 -+ if (unlikely(data_offset > U16_MAX ||
40919 -+ data_offset + sizeof(struct udphdr) > skb->len))
40920 -+ /* Packet has offset at impossible location or isn't big enough
40921 -+ * to have UDP fields.
40922 -+ */
40923 -+ return -EINVAL;
40924 -+ data_len = ntohs(udp->len);
40925 -+ if (unlikely(data_len < sizeof(struct udphdr) ||
40926 -+ data_len > skb->len - data_offset))
40927 -+ /* UDP packet is reporting too small of a size or lying about
40928 -+ * its size.
40929 -+ */
40930 -+ return -EINVAL;
40931 -+ data_len -= sizeof(struct udphdr);
40932 -+ data_offset = (u8 *)udp + sizeof(struct udphdr) - skb->data;
40933 -+ if (unlikely(!pskb_may_pull(skb,
40934 -+ data_offset + sizeof(struct message_header)) ||
40935 -+ pskb_trim(skb, data_len + data_offset) < 0))
40936 -+ return -EINVAL;
40937 -+ skb_pull(skb, data_offset);
40938 -+ if (unlikely(skb->len != data_len))
40939 -+ /* Final len does not agree with calculated len */
40940 -+ return -EINVAL;
40941 -+ header_len = validate_header_len(skb);
40942 -+ if (unlikely(!header_len))
40943 -+ return -EINVAL;
40944 -+ __skb_push(skb, data_offset);
40945 -+ if (unlikely(!pskb_may_pull(skb, data_offset + header_len)))
40946 -+ return -EINVAL;
40947 -+ __skb_pull(skb, data_offset);
40948 -+ return 0;
40949 -+}
40950 -+
40951 -+static void wg_receive_handshake_packet(struct wg_device *wg,
40952 -+ struct sk_buff *skb)
40953 -+{
40954 -+ enum cookie_mac_state mac_state;
40955 -+ struct wg_peer *peer = NULL;
40956 -+ /* This is global, so that our load calculation applies to the whole
40957 -+ * system. We don't care about races with it at all.
40958 -+ */
40959 -+ static u64 last_under_load;
40960 -+ bool packet_needs_cookie;
40961 -+ bool under_load;
40962 -+
40963 -+ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE)) {
40964 -+ net_dbg_skb_ratelimited("%s: Receiving cookie response from %pISpfsc\n",
40965 -+ wg->dev->name, skb);
40966 -+ wg_cookie_message_consume(
40967 -+ (struct message_handshake_cookie *)skb->data, wg);
40968 -+ return;
40969 -+ }
40970 -+
40971 -+ under_load = skb_queue_len(&wg->incoming_handshakes) >=
40972 -+ MAX_QUEUED_INCOMING_HANDSHAKES / 8;
40973 -+ if (under_load) {
40974 -+ last_under_load = ktime_get_coarse_boottime_ns();
40975 -+ } else if (last_under_load) {
40976 -+ under_load = !wg_birthdate_has_expired(last_under_load, 1);
40977 -+ if (!under_load)
40978 -+ last_under_load = 0;
40979 -+ }
40980 -+ mac_state = wg_cookie_validate_packet(&wg->cookie_checker, skb,
40981 -+ under_load);
40982 -+ if ((under_load && mac_state == VALID_MAC_WITH_COOKIE) ||
40983 -+ (!under_load && mac_state == VALID_MAC_BUT_NO_COOKIE)) {
40984 -+ packet_needs_cookie = false;
40985 -+ } else if (under_load && mac_state == VALID_MAC_BUT_NO_COOKIE) {
40986 -+ packet_needs_cookie = true;
40987 -+ } else {
40988 -+ net_dbg_skb_ratelimited("%s: Invalid MAC of handshake, dropping packet from %pISpfsc\n",
40989 -+ wg->dev->name, skb);
40990 -+ return;
40991 -+ }
40992 -+
40993 -+ switch (SKB_TYPE_LE32(skb)) {
40994 -+ case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION): {
40995 -+ struct message_handshake_initiation *message =
40996 -+ (struct message_handshake_initiation *)skb->data;
40997 -+
40998 -+ if (packet_needs_cookie) {
40999 -+ wg_packet_send_handshake_cookie(wg, skb,
41000 -+ message->sender_index);
41001 -+ return;
41002 -+ }
41003 -+ peer = wg_noise_handshake_consume_initiation(message, wg);
41004 -+ if (unlikely(!peer)) {
41005 -+ net_dbg_skb_ratelimited("%s: Invalid handshake initiation from %pISpfsc\n",
41006 -+ wg->dev->name, skb);
41007 -+ return;
41008 -+ }
41009 -+ wg_socket_set_peer_endpoint_from_skb(peer, skb);
41010 -+ net_dbg_ratelimited("%s: Receiving handshake initiation from peer %llu (%pISpfsc)\n",
41011 -+ wg->dev->name, peer->internal_id,
41012 -+ &peer->endpoint.addr);
41013 -+ wg_packet_send_handshake_response(peer);
41014 -+ break;
41015 -+ }
41016 -+ case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE): {
41017 -+ struct message_handshake_response *message =
41018 -+ (struct message_handshake_response *)skb->data;
41019 -+
41020 -+ if (packet_needs_cookie) {
41021 -+ wg_packet_send_handshake_cookie(wg, skb,
41022 -+ message->sender_index);
41023 -+ return;
41024 -+ }
41025 -+ peer = wg_noise_handshake_consume_response(message, wg);
41026 -+ if (unlikely(!peer)) {
41027 -+ net_dbg_skb_ratelimited("%s: Invalid handshake response from %pISpfsc\n",
41028 -+ wg->dev->name, skb);
41029 -+ return;
41030 -+ }
41031 -+ wg_socket_set_peer_endpoint_from_skb(peer, skb);
41032 -+ net_dbg_ratelimited("%s: Receiving handshake response from peer %llu (%pISpfsc)\n",
41033 -+ wg->dev->name, peer->internal_id,
41034 -+ &peer->endpoint.addr);
41035 -+ if (wg_noise_handshake_begin_session(&peer->handshake,
41036 -+ &peer->keypairs)) {
41037 -+ wg_timers_session_derived(peer);
41038 -+ wg_timers_handshake_complete(peer);
41039 -+ /* Calling this function will either send any existing
41040 -+ * packets in the queue and not send a keepalive, which
41041 -+ * is the best case, Or, if there's nothing in the
41042 -+ * queue, it will send a keepalive, in order to give
41043 -+ * immediate confirmation of the session.
41044 -+ */
41045 -+ wg_packet_send_keepalive(peer);
41046 -+ }
41047 -+ break;
41048 -+ }
41049 -+ }
41050 -+
41051 -+ if (unlikely(!peer)) {
41052 -+ WARN(1, "Somehow a wrong type of packet wound up in the handshake queue!\n");
41053 -+ return;
41054 -+ }
41055 -+
41056 -+ local_bh_disable();
41057 -+ update_rx_stats(peer, skb->len);
41058 -+ local_bh_enable();
41059 -+
41060 -+ wg_timers_any_authenticated_packet_received(peer);
41061 -+ wg_timers_any_authenticated_packet_traversal(peer);
41062 -+ wg_peer_put(peer);
41063 -+}
41064 -+
41065 -+void wg_packet_handshake_receive_worker(struct work_struct *work)
41066 -+{
41067 -+ struct wg_device *wg = container_of(work, struct multicore_worker,
41068 -+ work)->ptr;
41069 -+ struct sk_buff *skb;
41070 -+
41071 -+ while ((skb = skb_dequeue(&wg->incoming_handshakes)) != NULL) {
41072 -+ wg_receive_handshake_packet(wg, skb);
41073 -+ dev_kfree_skb(skb);
41074 -+ cond_resched();
41075 -+ }
41076 -+}
41077 -+
41078 -+static void keep_key_fresh(struct wg_peer *peer)
41079 -+{
41080 -+ struct noise_keypair *keypair;
41081 -+ bool send;
41082 -+
41083 -+ if (peer->sent_lastminute_handshake)
41084 -+ return;
41085 -+
41086 -+ rcu_read_lock_bh();
41087 -+ keypair = rcu_dereference_bh(peer->keypairs.current_keypair);
41088 -+ send = keypair && READ_ONCE(keypair->sending.is_valid) &&
41089 -+ keypair->i_am_the_initiator &&
41090 -+ wg_birthdate_has_expired(keypair->sending.birthdate,
41091 -+ REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - REKEY_TIMEOUT);
41092 -+ rcu_read_unlock_bh();
41093 -+
41094 -+ if (unlikely(send)) {
41095 -+ peer->sent_lastminute_handshake = true;
41096 -+ wg_packet_send_queued_handshake_initiation(peer, false);
41097 -+ }
41098 -+}
41099 -+
41100 -+static bool decrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
41101 -+{
41102 -+ struct scatterlist sg[MAX_SKB_FRAGS + 8];
41103 -+ struct sk_buff *trailer;
41104 -+ unsigned int offset;
41105 -+ int num_frags;
41106 -+
41107 -+ if (unlikely(!keypair))
41108 -+ return false;
41109 -+
41110 -+ if (unlikely(!READ_ONCE(keypair->receiving.is_valid) ||
41111 -+ wg_birthdate_has_expired(keypair->receiving.birthdate, REJECT_AFTER_TIME) ||
41112 -+ keypair->receiving_counter.counter >= REJECT_AFTER_MESSAGES)) {
41113 -+ WRITE_ONCE(keypair->receiving.is_valid, false);
41114 -+ return false;
41115 -+ }
41116 -+
41117 -+ PACKET_CB(skb)->nonce =
41118 -+ le64_to_cpu(((struct message_data *)skb->data)->counter);
41119 -+
41120 -+ /* We ensure that the network header is part of the packet before we
41121 -+ * call skb_cow_data, so that there's no chance that data is removed
41122 -+ * from the skb, so that later we can extract the original endpoint.
41123 -+ */
41124 -+ offset = skb->data - skb_network_header(skb);
41125 -+ skb_push(skb, offset);
41126 -+ num_frags = skb_cow_data(skb, 0, &trailer);
41127 -+ offset += sizeof(struct message_data);
41128 -+ skb_pull(skb, offset);
41129 -+ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
41130 -+ return false;
41131 -+
41132 -+ sg_init_table(sg, num_frags);
41133 -+ if (skb_to_sgvec(skb, sg, 0, skb->len) <= 0)
41134 -+ return false;
41135 -+
41136 -+ if (!chacha20poly1305_decrypt_sg_inplace(sg, skb->len, NULL, 0,
41137 -+ PACKET_CB(skb)->nonce,
41138 -+ keypair->receiving.key))
41139 -+ return false;
41140 -+
41141 -+ /* Another ugly situation of pushing and pulling the header so as to
41142 -+ * keep endpoint information intact.
41143 -+ */
41144 -+ skb_push(skb, offset);
41145 -+ if (pskb_trim(skb, skb->len - noise_encrypted_len(0)))
41146 -+ return false;
41147 -+ skb_pull(skb, offset);
41148 -+
41149 -+ return true;
41150 -+}
41151 -+
41152 -+/* This is RFC6479, a replay detection bitmap algorithm that avoids bitshifts */
41153 -+static bool counter_validate(struct noise_replay_counter *counter, u64 their_counter)
41154 -+{
41155 -+ unsigned long index, index_current, top, i;
41156 -+ bool ret = false;
41157 -+
41158 -+ spin_lock_bh(&counter->lock);
41159 -+
41160 -+ if (unlikely(counter->counter >= REJECT_AFTER_MESSAGES + 1 ||
41161 -+ their_counter >= REJECT_AFTER_MESSAGES))
41162 -+ goto out;
41163 -+
41164 -+ ++their_counter;
41165 -+
41166 -+ if (unlikely((COUNTER_WINDOW_SIZE + their_counter) <
41167 -+ counter->counter))
41168 -+ goto out;
41169 -+
41170 -+ index = their_counter >> ilog2(BITS_PER_LONG);
41171 -+
41172 -+ if (likely(their_counter > counter->counter)) {
41173 -+ index_current = counter->counter >> ilog2(BITS_PER_LONG);
41174 -+ top = min_t(unsigned long, index - index_current,
41175 -+ COUNTER_BITS_TOTAL / BITS_PER_LONG);
41176 -+ for (i = 1; i <= top; ++i)
41177 -+ counter->backtrack[(i + index_current) &
41178 -+ ((COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1)] = 0;
41179 -+ counter->counter = their_counter;
41180 -+ }
41181 -+
41182 -+ index &= (COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1;
41183 -+ ret = !test_and_set_bit(their_counter & (BITS_PER_LONG - 1),
41184 -+ &counter->backtrack[index]);
41185 -+
41186 -+out:
41187 -+ spin_unlock_bh(&counter->lock);
41188 -+ return ret;
41189 -+}
41190 -+
41191 -+#include "selftest/counter.c"
41192 -+
41193 -+static void wg_packet_consume_data_done(struct wg_peer *peer,
41194 -+ struct sk_buff *skb,
41195 -+ struct endpoint *endpoint)
41196 -+{
41197 -+ struct net_device *dev = peer->device->dev;
41198 -+ unsigned int len, len_before_trim;
41199 -+ struct wg_peer *routed_peer;
41200 -+
41201 -+ wg_socket_set_peer_endpoint(peer, endpoint);
41202 -+
41203 -+ if (unlikely(wg_noise_received_with_keypair(&peer->keypairs,
41204 -+ PACKET_CB(skb)->keypair))) {
41205 -+ wg_timers_handshake_complete(peer);
41206 -+ wg_packet_send_staged_packets(peer);
41207 -+ }
41208 -+
41209 -+ keep_key_fresh(peer);
41210 -+
41211 -+ wg_timers_any_authenticated_packet_received(peer);
41212 -+ wg_timers_any_authenticated_packet_traversal(peer);
41213 -+
41214 -+ /* A packet with length 0 is a keepalive packet */
41215 -+ if (unlikely(!skb->len)) {
41216 -+ update_rx_stats(peer, message_data_len(0));
41217 -+ net_dbg_ratelimited("%s: Receiving keepalive packet from peer %llu (%pISpfsc)\n",
41218 -+ dev->name, peer->internal_id,
41219 -+ &peer->endpoint.addr);
41220 -+ goto packet_processed;
41221 -+ }
41222 -+
41223 -+ wg_timers_data_received(peer);
41224 -+
41225 -+ if (unlikely(skb_network_header(skb) < skb->head))
41226 -+ goto dishonest_packet_size;
41227 -+ if (unlikely(!(pskb_network_may_pull(skb, sizeof(struct iphdr)) &&
41228 -+ (ip_hdr(skb)->version == 4 ||
41229 -+ (ip_hdr(skb)->version == 6 &&
41230 -+ pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))))))
41231 -+ goto dishonest_packet_type;
41232 -+
41233 -+ skb->dev = dev;
41234 -+ /* We've already verified the Poly1305 auth tag, which means this packet
41235 -+ * was not modified in transit. We can therefore tell the networking
41236 -+ * stack that all checksums of every layer of encapsulation have already
41237 -+ * been checked "by the hardware" and therefore is unnecessary to check
41238 -+ * again in software.
41239 -+ */
41240 -+ skb->ip_summed = CHECKSUM_UNNECESSARY;
41241 -+ skb->csum_level = ~0; /* All levels */
41242 -+ skb->protocol = ip_tunnel_parse_protocol(skb);
41243 -+ if (skb->protocol == htons(ETH_P_IP)) {
41244 -+ len = ntohs(ip_hdr(skb)->tot_len);
41245 -+ if (unlikely(len < sizeof(struct iphdr)))
41246 -+ goto dishonest_packet_size;
41247 -+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
41248 -+ } else if (skb->protocol == htons(ETH_P_IPV6)) {
41249 -+ len = ntohs(ipv6_hdr(skb)->payload_len) +
41250 -+ sizeof(struct ipv6hdr);
41251 -+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
41252 -+ } else {
41253 -+ goto dishonest_packet_type;
41254 -+ }
41255 -+
41256 -+ if (unlikely(len > skb->len))
41257 -+ goto dishonest_packet_size;
41258 -+ len_before_trim = skb->len;
41259 -+ if (unlikely(pskb_trim(skb, len)))
41260 -+ goto packet_processed;
41261 -+
41262 -+ routed_peer = wg_allowedips_lookup_src(&peer->device->peer_allowedips,
41263 -+ skb);
41264 -+ wg_peer_put(routed_peer); /* We don't need the extra reference. */
41265 -+
41266 -+ if (unlikely(routed_peer != peer))
41267 -+ goto dishonest_packet_peer;
41268 -+
41269 -+ napi_gro_receive(&peer->napi, skb);
41270 -+ update_rx_stats(peer, message_data_len(len_before_trim));
41271 -+ return;
41272 -+
41273 -+dishonest_packet_peer:
41274 -+ net_dbg_skb_ratelimited("%s: Packet has unallowed src IP (%pISc) from peer %llu (%pISpfsc)\n",
41275 -+ dev->name, skb, peer->internal_id,
41276 -+ &peer->endpoint.addr);
41277 -+ ++dev->stats.rx_errors;
41278 -+ ++dev->stats.rx_frame_errors;
41279 -+ goto packet_processed;
41280 -+dishonest_packet_type:
41281 -+ net_dbg_ratelimited("%s: Packet is neither ipv4 nor ipv6 from peer %llu (%pISpfsc)\n",
41282 -+ dev->name, peer->internal_id, &peer->endpoint.addr);
41283 -+ ++dev->stats.rx_errors;
41284 -+ ++dev->stats.rx_frame_errors;
41285 -+ goto packet_processed;
41286 -+dishonest_packet_size:
41287 -+ net_dbg_ratelimited("%s: Packet has incorrect size from peer %llu (%pISpfsc)\n",
41288 -+ dev->name, peer->internal_id, &peer->endpoint.addr);
41289 -+ ++dev->stats.rx_errors;
41290 -+ ++dev->stats.rx_length_errors;
41291 -+ goto packet_processed;
41292 -+packet_processed:
41293 -+ dev_kfree_skb(skb);
41294 -+}
41295 -+
41296 -+int wg_packet_rx_poll(struct napi_struct *napi, int budget)
41297 -+{
41298 -+ struct wg_peer *peer = container_of(napi, struct wg_peer, napi);
41299 -+ struct crypt_queue *queue = &peer->rx_queue;
41300 -+ struct noise_keypair *keypair;
41301 -+ struct endpoint endpoint;
41302 -+ enum packet_state state;
41303 -+ struct sk_buff *skb;
41304 -+ int work_done = 0;
41305 -+ bool free;
41306 -+
41307 -+ if (unlikely(budget <= 0))
41308 -+ return 0;
41309 -+
41310 -+ while ((skb = __ptr_ring_peek(&queue->ring)) != NULL &&
41311 -+ (state = atomic_read_acquire(&PACKET_CB(skb)->state)) !=
41312 -+ PACKET_STATE_UNCRYPTED) {
41313 -+ __ptr_ring_discard_one(&queue->ring);
41314 -+ peer = PACKET_PEER(skb);
41315 -+ keypair = PACKET_CB(skb)->keypair;
41316 -+ free = true;
41317 -+
41318 -+ if (unlikely(state != PACKET_STATE_CRYPTED))
41319 -+ goto next;
41320 -+
41321 -+ if (unlikely(!counter_validate(&keypair->receiving_counter,
41322 -+ PACKET_CB(skb)->nonce))) {
41323 -+ net_dbg_ratelimited("%s: Packet has invalid nonce %llu (max %llu)\n",
41324 -+ peer->device->dev->name,
41325 -+ PACKET_CB(skb)->nonce,
41326 -+ keypair->receiving_counter.counter);
41327 -+ goto next;
41328 -+ }
41329 -+
41330 -+ if (unlikely(wg_socket_endpoint_from_skb(&endpoint, skb)))
41331 -+ goto next;
41332 -+
41333 -+ wg_reset_packet(skb, false);
41334 -+ wg_packet_consume_data_done(peer, skb, &endpoint);
41335 -+ free = false;
41336 -+
41337 -+next:
41338 -+ wg_noise_keypair_put(keypair, false);
41339 -+ wg_peer_put(peer);
41340 -+ if (unlikely(free))
41341 -+ dev_kfree_skb(skb);
41342 -+
41343 -+ if (++work_done >= budget)
41344 -+ break;
41345 -+ }
41346 -+
41347 -+ if (work_done < budget)
41348 -+ napi_complete_done(napi, work_done);
41349 -+
41350 -+ return work_done;
41351 -+}
41352 -+
41353 -+void wg_packet_decrypt_worker(struct work_struct *work)
41354 -+{
41355 -+ struct crypt_queue *queue = container_of(work, struct multicore_worker,
41356 -+ work)->ptr;
41357 -+ struct sk_buff *skb;
41358 -+
41359 -+ while ((skb = ptr_ring_consume_bh(&queue->ring)) != NULL) {
41360 -+ enum packet_state state =
41361 -+ likely(decrypt_packet(skb, PACKET_CB(skb)->keypair)) ?
41362 -+ PACKET_STATE_CRYPTED : PACKET_STATE_DEAD;
41363 -+ wg_queue_enqueue_per_peer_napi(skb, state);
41364 -+ if (need_resched())
41365 -+ cond_resched();
41366 -+ }
41367 -+}
41368 -+
41369 -+static void wg_packet_consume_data(struct wg_device *wg, struct sk_buff *skb)
41370 -+{
41371 -+ __le32 idx = ((struct message_data *)skb->data)->key_idx;
41372 -+ struct wg_peer *peer = NULL;
41373 -+ int ret;
41374 -+
41375 -+ rcu_read_lock_bh();
41376 -+ PACKET_CB(skb)->keypair =
41377 -+ (struct noise_keypair *)wg_index_hashtable_lookup(
41378 -+ wg->index_hashtable, INDEX_HASHTABLE_KEYPAIR, idx,
41379 -+ &peer);
41380 -+ if (unlikely(!wg_noise_keypair_get(PACKET_CB(skb)->keypair)))
41381 -+ goto err_keypair;
41382 -+
41383 -+ if (unlikely(READ_ONCE(peer->is_dead)))
41384 -+ goto err;
41385 -+
41386 -+ ret = wg_queue_enqueue_per_device_and_peer(&wg->decrypt_queue,
41387 -+ &peer->rx_queue, skb,
41388 -+ wg->packet_crypt_wq,
41389 -+ &wg->decrypt_queue.last_cpu);
41390 -+ if (unlikely(ret == -EPIPE))
41391 -+ wg_queue_enqueue_per_peer_napi(skb, PACKET_STATE_DEAD);
41392 -+ if (likely(!ret || ret == -EPIPE)) {
41393 -+ rcu_read_unlock_bh();
41394 -+ return;
41395 -+ }
41396 -+err:
41397 -+ wg_noise_keypair_put(PACKET_CB(skb)->keypair, false);
41398 -+err_keypair:
41399 -+ rcu_read_unlock_bh();
41400 -+ wg_peer_put(peer);
41401 -+ dev_kfree_skb(skb);
41402 -+}
41403 -+
41404 -+void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb)
41405 -+{
41406 -+ if (unlikely(prepare_skb_header(skb, wg) < 0))
41407 -+ goto err;
41408 -+ switch (SKB_TYPE_LE32(skb)) {
41409 -+ case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION):
41410 -+ case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE):
41411 -+ case cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE): {
41412 -+ int cpu;
41413 -+
41414 -+ if (skb_queue_len(&wg->incoming_handshakes) >
41415 -+ MAX_QUEUED_INCOMING_HANDSHAKES ||
41416 -+ unlikely(!rng_is_initialized())) {
41417 -+ net_dbg_skb_ratelimited("%s: Dropping handshake packet from %pISpfsc\n",
41418 -+ wg->dev->name, skb);
41419 -+ goto err;
41420 -+ }
41421 -+ skb_queue_tail(&wg->incoming_handshakes, skb);
41422 -+ /* Queues up a call to packet_process_queued_handshake_
41423 -+ * packets(skb):
41424 -+ */
41425 -+ cpu = wg_cpumask_next_online(&wg->incoming_handshake_cpu);
41426 -+ queue_work_on(cpu, wg->handshake_receive_wq,
41427 -+ &per_cpu_ptr(wg->incoming_handshakes_worker, cpu)->work);
41428 -+ break;
41429 -+ }
41430 -+ case cpu_to_le32(MESSAGE_DATA):
41431 -+ PACKET_CB(skb)->ds = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
41432 -+ wg_packet_consume_data(wg, skb);
41433 -+ break;
41434 -+ default:
41435 -+ WARN(1, "Non-exhaustive parsing of packet header lead to unknown packet type!\n");
41436 -+ goto err;
41437 -+ }
41438 -+ return;
41439 -+
41440 -+err:
41441 -+ dev_kfree_skb(skb);
41442 -+}
41443 ---- /dev/null
41444 -+++ b/drivers/net/wireguard/selftest/allowedips.c
41445 -@@ -0,0 +1,683 @@
41446 -+// SPDX-License-Identifier: GPL-2.0
41447 -+/*
41448 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
41449 -+ *
41450 -+ * This contains some basic static unit tests for the allowedips data structure.
41451 -+ * It also has two additional modes that are disabled and meant to be used by
41452 -+ * folks directly playing with this file. If you define the macro
41453 -+ * DEBUG_PRINT_TRIE_GRAPHVIZ to be 1, then every time there's a full tree in
41454 -+ * memory, it will be printed out as KERN_DEBUG in a format that can be passed
41455 -+ * to graphviz (the dot command) to visualize it. If you define the macro
41456 -+ * DEBUG_RANDOM_TRIE to be 1, then there will be an extremely costly set of
41457 -+ * randomized tests done against a trivial implementation, which may take
41458 -+ * upwards of a half-hour to complete. There's no set of users who should be
41459 -+ * enabling these, and the only developers that should go anywhere near these
41460 -+ * nobs are the ones who are reading this comment.
41461 -+ */
41462 -+
41463 -+#ifdef DEBUG
41464 -+
41465 -+#include <linux/siphash.h>
41466 -+
41467 -+static __init void swap_endian_and_apply_cidr(u8 *dst, const u8 *src, u8 bits,
41468 -+ u8 cidr)
41469 -+{
41470 -+ swap_endian(dst, src, bits);
41471 -+ memset(dst + (cidr + 7) / 8, 0, bits / 8 - (cidr + 7) / 8);
41472 -+ if (cidr)
41473 -+ dst[(cidr + 7) / 8 - 1] &= ~0U << ((8 - (cidr % 8)) % 8);
41474 -+}
41475 -+
41476 -+static __init void print_node(struct allowedips_node *node, u8 bits)
41477 -+{
41478 -+ char *fmt_connection = KERN_DEBUG "\t\"%p/%d\" -> \"%p/%d\";\n";
41479 -+ char *fmt_declaration = KERN_DEBUG
41480 -+ "\t\"%p/%d\"[style=%s, color=\"#%06x\"];\n";
41481 -+ char *style = "dotted";
41482 -+ u8 ip1[16], ip2[16];
41483 -+ u32 color = 0;
41484 -+
41485 -+ if (bits == 32) {
41486 -+ fmt_connection = KERN_DEBUG "\t\"%pI4/%d\" -> \"%pI4/%d\";\n";
41487 -+ fmt_declaration = KERN_DEBUG
41488 -+ "\t\"%pI4/%d\"[style=%s, color=\"#%06x\"];\n";
41489 -+ } else if (bits == 128) {
41490 -+ fmt_connection = KERN_DEBUG "\t\"%pI6/%d\" -> \"%pI6/%d\";\n";
41491 -+ fmt_declaration = KERN_DEBUG
41492 -+ "\t\"%pI6/%d\"[style=%s, color=\"#%06x\"];\n";
41493 -+ }
41494 -+ if (node->peer) {
41495 -+ hsiphash_key_t key = { { 0 } };
41496 -+
41497 -+ memcpy(&key, &node->peer, sizeof(node->peer));
41498 -+ color = hsiphash_1u32(0xdeadbeef, &key) % 200 << 16 |
41499 -+ hsiphash_1u32(0xbabecafe, &key) % 200 << 8 |
41500 -+ hsiphash_1u32(0xabad1dea, &key) % 200;
41501 -+ style = "bold";
41502 -+ }
41503 -+ swap_endian_and_apply_cidr(ip1, node->bits, bits, node->cidr);
41504 -+ printk(fmt_declaration, ip1, node->cidr, style, color);
41505 -+ if (node->bit[0]) {
41506 -+ swap_endian_and_apply_cidr(ip2,
41507 -+ rcu_dereference_raw(node->bit[0])->bits, bits,
41508 -+ node->cidr);
41509 -+ printk(fmt_connection, ip1, node->cidr, ip2,
41510 -+ rcu_dereference_raw(node->bit[0])->cidr);
41511 -+ print_node(rcu_dereference_raw(node->bit[0]), bits);
41512 -+ }
41513 -+ if (node->bit[1]) {
41514 -+ swap_endian_and_apply_cidr(ip2,
41515 -+ rcu_dereference_raw(node->bit[1])->bits,
41516 -+ bits, node->cidr);
41517 -+ printk(fmt_connection, ip1, node->cidr, ip2,
41518 -+ rcu_dereference_raw(node->bit[1])->cidr);
41519 -+ print_node(rcu_dereference_raw(node->bit[1]), bits);
41520 -+ }
41521 -+}
41522 -+
41523 -+static __init void print_tree(struct allowedips_node __rcu *top, u8 bits)
41524 -+{
41525 -+ printk(KERN_DEBUG "digraph trie {\n");
41526 -+ print_node(rcu_dereference_raw(top), bits);
41527 -+ printk(KERN_DEBUG "}\n");
41528 -+}
41529 -+
41530 -+enum {
41531 -+ NUM_PEERS = 2000,
41532 -+ NUM_RAND_ROUTES = 400,
41533 -+ NUM_MUTATED_ROUTES = 100,
41534 -+ NUM_QUERIES = NUM_RAND_ROUTES * NUM_MUTATED_ROUTES * 30
41535 -+};
41536 -+
41537 -+struct horrible_allowedips {
41538 -+ struct hlist_head head;
41539 -+};
41540 -+
41541 -+struct horrible_allowedips_node {
41542 -+ struct hlist_node table;
41543 -+ union nf_inet_addr ip;
41544 -+ union nf_inet_addr mask;
41545 -+ u8 ip_version;
41546 -+ void *value;
41547 -+};
41548 -+
41549 -+static __init void horrible_allowedips_init(struct horrible_allowedips *table)
41550 -+{
41551 -+ INIT_HLIST_HEAD(&table->head);
41552 -+}
41553 -+
41554 -+static __init void horrible_allowedips_free(struct horrible_allowedips *table)
41555 -+{
41556 -+ struct horrible_allowedips_node *node;
41557 -+ struct hlist_node *h;
41558 -+
41559 -+ hlist_for_each_entry_safe(node, h, &table->head, table) {
41560 -+ hlist_del(&node->table);
41561 -+ kfree(node);
41562 -+ }
41563 -+}
41564 -+
41565 -+static __init inline union nf_inet_addr horrible_cidr_to_mask(u8 cidr)
41566 -+{
41567 -+ union nf_inet_addr mask;
41568 -+
41569 -+ memset(&mask, 0x00, 128 / 8);
41570 -+ memset(&mask, 0xff, cidr / 8);
41571 -+ if (cidr % 32)
41572 -+ mask.all[cidr / 32] = (__force u32)htonl(
41573 -+ (0xFFFFFFFFUL << (32 - (cidr % 32))) & 0xFFFFFFFFUL);
41574 -+ return mask;
41575 -+}
41576 -+
41577 -+static __init inline u8 horrible_mask_to_cidr(union nf_inet_addr subnet)
41578 -+{
41579 -+ return hweight32(subnet.all[0]) + hweight32(subnet.all[1]) +
41580 -+ hweight32(subnet.all[2]) + hweight32(subnet.all[3]);
41581 -+}
41582 -+
41583 -+static __init inline void
41584 -+horrible_mask_self(struct horrible_allowedips_node *node)
41585 -+{
41586 -+ if (node->ip_version == 4) {
41587 -+ node->ip.ip &= node->mask.ip;
41588 -+ } else if (node->ip_version == 6) {
41589 -+ node->ip.ip6[0] &= node->mask.ip6[0];
41590 -+ node->ip.ip6[1] &= node->mask.ip6[1];
41591 -+ node->ip.ip6[2] &= node->mask.ip6[2];
41592 -+ node->ip.ip6[3] &= node->mask.ip6[3];
41593 -+ }
41594 -+}
41595 -+
41596 -+static __init inline bool
41597 -+horrible_match_v4(const struct horrible_allowedips_node *node,
41598 -+ struct in_addr *ip)
41599 -+{
41600 -+ return (ip->s_addr & node->mask.ip) == node->ip.ip;
41601 -+}
41602 -+
41603 -+static __init inline bool
41604 -+horrible_match_v6(const struct horrible_allowedips_node *node,
41605 -+ struct in6_addr *ip)
41606 -+{
41607 -+ return (ip->in6_u.u6_addr32[0] & node->mask.ip6[0]) ==
41608 -+ node->ip.ip6[0] &&
41609 -+ (ip->in6_u.u6_addr32[1] & node->mask.ip6[1]) ==
41610 -+ node->ip.ip6[1] &&
41611 -+ (ip->in6_u.u6_addr32[2] & node->mask.ip6[2]) ==
41612 -+ node->ip.ip6[2] &&
41613 -+ (ip->in6_u.u6_addr32[3] & node->mask.ip6[3]) == node->ip.ip6[3];
41614 -+}
41615 -+
41616 -+static __init void
41617 -+horrible_insert_ordered(struct horrible_allowedips *table,
41618 -+ struct horrible_allowedips_node *node)
41619 -+{
41620 -+ struct horrible_allowedips_node *other = NULL, *where = NULL;
41621 -+ u8 my_cidr = horrible_mask_to_cidr(node->mask);
41622 -+
41623 -+ hlist_for_each_entry(other, &table->head, table) {
41624 -+ if (!memcmp(&other->mask, &node->mask,
41625 -+ sizeof(union nf_inet_addr)) &&
41626 -+ !memcmp(&other->ip, &node->ip,
41627 -+ sizeof(union nf_inet_addr)) &&
41628 -+ other->ip_version == node->ip_version) {
41629 -+ other->value = node->value;
41630 -+ kfree(node);
41631 -+ return;
41632 -+ }
41633 -+ where = other;
41634 -+ if (horrible_mask_to_cidr(other->mask) <= my_cidr)
41635 -+ break;
41636 -+ }
41637 -+ if (!other && !where)
41638 -+ hlist_add_head(&node->table, &table->head);
41639 -+ else if (!other)
41640 -+ hlist_add_behind(&node->table, &where->table);
41641 -+ else
41642 -+ hlist_add_before(&node->table, &where->table);
41643 -+}
41644 -+
41645 -+static __init int
41646 -+horrible_allowedips_insert_v4(struct horrible_allowedips *table,
41647 -+ struct in_addr *ip, u8 cidr, void *value)
41648 -+{
41649 -+ struct horrible_allowedips_node *node = kzalloc(sizeof(*node),
41650 -+ GFP_KERNEL);
41651 -+
41652 -+ if (unlikely(!node))
41653 -+ return -ENOMEM;
41654 -+ node->ip.in = *ip;
41655 -+ node->mask = horrible_cidr_to_mask(cidr);
41656 -+ node->ip_version = 4;
41657 -+ node->value = value;
41658 -+ horrible_mask_self(node);
41659 -+ horrible_insert_ordered(table, node);
41660 -+ return 0;
41661 -+}
41662 -+
41663 -+static __init int
41664 -+horrible_allowedips_insert_v6(struct horrible_allowedips *table,
41665 -+ struct in6_addr *ip, u8 cidr, void *value)
41666 -+{
41667 -+ struct horrible_allowedips_node *node = kzalloc(sizeof(*node),
41668 -+ GFP_KERNEL);
41669 -+
41670 -+ if (unlikely(!node))
41671 -+ return -ENOMEM;
41672 -+ node->ip.in6 = *ip;
41673 -+ node->mask = horrible_cidr_to_mask(cidr);
41674 -+ node->ip_version = 6;
41675 -+ node->value = value;
41676 -+ horrible_mask_self(node);
41677 -+ horrible_insert_ordered(table, node);
41678 -+ return 0;
41679 -+}
41680 -+
41681 -+static __init void *
41682 -+horrible_allowedips_lookup_v4(struct horrible_allowedips *table,
41683 -+ struct in_addr *ip)
41684 -+{
41685 -+ struct horrible_allowedips_node *node;
41686 -+ void *ret = NULL;
41687 -+
41688 -+ hlist_for_each_entry(node, &table->head, table) {
41689 -+ if (node->ip_version != 4)
41690 -+ continue;
41691 -+ if (horrible_match_v4(node, ip)) {
41692 -+ ret = node->value;
41693 -+ break;
41694 -+ }
41695 -+ }
41696 -+ return ret;
41697 -+}
41698 -+
41699 -+static __init void *
41700 -+horrible_allowedips_lookup_v6(struct horrible_allowedips *table,
41701 -+ struct in6_addr *ip)
41702 -+{
41703 -+ struct horrible_allowedips_node *node;
41704 -+ void *ret = NULL;
41705 -+
41706 -+ hlist_for_each_entry(node, &table->head, table) {
41707 -+ if (node->ip_version != 6)
41708 -+ continue;
41709 -+ if (horrible_match_v6(node, ip)) {
41710 -+ ret = node->value;
41711 -+ break;
41712 -+ }
41713 -+ }
41714 -+ return ret;
41715 -+}
41716 -+
41717 -+static __init bool randomized_test(void)
41718 -+{
41719 -+ unsigned int i, j, k, mutate_amount, cidr;
41720 -+ u8 ip[16], mutate_mask[16], mutated[16];
41721 -+ struct wg_peer **peers, *peer;
41722 -+ struct horrible_allowedips h;
41723 -+ DEFINE_MUTEX(mutex);
41724 -+ struct allowedips t;
41725 -+ bool ret = false;
41726 -+
41727 -+ mutex_init(&mutex);
41728 -+
41729 -+ wg_allowedips_init(&t);
41730 -+ horrible_allowedips_init(&h);
41731 -+
41732 -+ peers = kcalloc(NUM_PEERS, sizeof(*peers), GFP_KERNEL);
41733 -+ if (unlikely(!peers)) {
41734 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41735 -+ goto free;
41736 -+ }
41737 -+ for (i = 0; i < NUM_PEERS; ++i) {
41738 -+ peers[i] = kzalloc(sizeof(*peers[i]), GFP_KERNEL);
41739 -+ if (unlikely(!peers[i])) {
41740 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41741 -+ goto free;
41742 -+ }
41743 -+ kref_init(&peers[i]->refcount);
41744 -+ }
41745 -+
41746 -+ mutex_lock(&mutex);
41747 -+
41748 -+ for (i = 0; i < NUM_RAND_ROUTES; ++i) {
41749 -+ prandom_bytes(ip, 4);
41750 -+ cidr = prandom_u32_max(32) + 1;
41751 -+ peer = peers[prandom_u32_max(NUM_PEERS)];
41752 -+ if (wg_allowedips_insert_v4(&t, (struct in_addr *)ip, cidr,
41753 -+ peer, &mutex) < 0) {
41754 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41755 -+ goto free_locked;
41756 -+ }
41757 -+ if (horrible_allowedips_insert_v4(&h, (struct in_addr *)ip,
41758 -+ cidr, peer) < 0) {
41759 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41760 -+ goto free_locked;
41761 -+ }
41762 -+ for (j = 0; j < NUM_MUTATED_ROUTES; ++j) {
41763 -+ memcpy(mutated, ip, 4);
41764 -+ prandom_bytes(mutate_mask, 4);
41765 -+ mutate_amount = prandom_u32_max(32);
41766 -+ for (k = 0; k < mutate_amount / 8; ++k)
41767 -+ mutate_mask[k] = 0xff;
41768 -+ mutate_mask[k] = 0xff
41769 -+ << ((8 - (mutate_amount % 8)) % 8);
41770 -+ for (; k < 4; ++k)
41771 -+ mutate_mask[k] = 0;
41772 -+ for (k = 0; k < 4; ++k)
41773 -+ mutated[k] = (mutated[k] & mutate_mask[k]) |
41774 -+ (~mutate_mask[k] &
41775 -+ prandom_u32_max(256));
41776 -+ cidr = prandom_u32_max(32) + 1;
41777 -+ peer = peers[prandom_u32_max(NUM_PEERS)];
41778 -+ if (wg_allowedips_insert_v4(&t,
41779 -+ (struct in_addr *)mutated,
41780 -+ cidr, peer, &mutex) < 0) {
41781 -+ pr_err("allowedips random malloc: FAIL\n");
41782 -+ goto free_locked;
41783 -+ }
41784 -+ if (horrible_allowedips_insert_v4(&h,
41785 -+ (struct in_addr *)mutated, cidr, peer)) {
41786 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41787 -+ goto free_locked;
41788 -+ }
41789 -+ }
41790 -+ }
41791 -+
41792 -+ for (i = 0; i < NUM_RAND_ROUTES; ++i) {
41793 -+ prandom_bytes(ip, 16);
41794 -+ cidr = prandom_u32_max(128) + 1;
41795 -+ peer = peers[prandom_u32_max(NUM_PEERS)];
41796 -+ if (wg_allowedips_insert_v6(&t, (struct in6_addr *)ip, cidr,
41797 -+ peer, &mutex) < 0) {
41798 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41799 -+ goto free_locked;
41800 -+ }
41801 -+ if (horrible_allowedips_insert_v6(&h, (struct in6_addr *)ip,
41802 -+ cidr, peer) < 0) {
41803 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41804 -+ goto free_locked;
41805 -+ }
41806 -+ for (j = 0; j < NUM_MUTATED_ROUTES; ++j) {
41807 -+ memcpy(mutated, ip, 16);
41808 -+ prandom_bytes(mutate_mask, 16);
41809 -+ mutate_amount = prandom_u32_max(128);
41810 -+ for (k = 0; k < mutate_amount / 8; ++k)
41811 -+ mutate_mask[k] = 0xff;
41812 -+ mutate_mask[k] = 0xff
41813 -+ << ((8 - (mutate_amount % 8)) % 8);
41814 -+ for (; k < 4; ++k)
41815 -+ mutate_mask[k] = 0;
41816 -+ for (k = 0; k < 4; ++k)
41817 -+ mutated[k] = (mutated[k] & mutate_mask[k]) |
41818 -+ (~mutate_mask[k] &
41819 -+ prandom_u32_max(256));
41820 -+ cidr = prandom_u32_max(128) + 1;
41821 -+ peer = peers[prandom_u32_max(NUM_PEERS)];
41822 -+ if (wg_allowedips_insert_v6(&t,
41823 -+ (struct in6_addr *)mutated,
41824 -+ cidr, peer, &mutex) < 0) {
41825 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41826 -+ goto free_locked;
41827 -+ }
41828 -+ if (horrible_allowedips_insert_v6(
41829 -+ &h, (struct in6_addr *)mutated, cidr,
41830 -+ peer)) {
41831 -+ pr_err("allowedips random self-test malloc: FAIL\n");
41832 -+ goto free_locked;
41833 -+ }
41834 -+ }
41835 -+ }
41836 -+
41837 -+ mutex_unlock(&mutex);
41838 -+
41839 -+ if (IS_ENABLED(DEBUG_PRINT_TRIE_GRAPHVIZ)) {
41840 -+ print_tree(t.root4, 32);
41841 -+ print_tree(t.root6, 128);
41842 -+ }
41843 -+
41844 -+ for (i = 0; i < NUM_QUERIES; ++i) {
41845 -+ prandom_bytes(ip, 4);
41846 -+ if (lookup(t.root4, 32, ip) !=
41847 -+ horrible_allowedips_lookup_v4(&h, (struct in_addr *)ip)) {
41848 -+ pr_err("allowedips random self-test: FAIL\n");
41849 -+ goto free;
41850 -+ }
41851 -+ }
41852 -+
41853 -+ for (i = 0; i < NUM_QUERIES; ++i) {
41854 -+ prandom_bytes(ip, 16);
41855 -+ if (lookup(t.root6, 128, ip) !=
41856 -+ horrible_allowedips_lookup_v6(&h, (struct in6_addr *)ip)) {
41857 -+ pr_err("allowedips random self-test: FAIL\n");
41858 -+ goto free;
41859 -+ }
41860 -+ }
41861 -+ ret = true;
41862 -+
41863 -+free:
41864 -+ mutex_lock(&mutex);
41865 -+free_locked:
41866 -+ wg_allowedips_free(&t, &mutex);
41867 -+ mutex_unlock(&mutex);
41868 -+ horrible_allowedips_free(&h);
41869 -+ if (peers) {
41870 -+ for (i = 0; i < NUM_PEERS; ++i)
41871 -+ kfree(peers[i]);
41872 -+ }
41873 -+ kfree(peers);
41874 -+ return ret;
41875 -+}
41876 -+
41877 -+static __init inline struct in_addr *ip4(u8 a, u8 b, u8 c, u8 d)
41878 -+{
41879 -+ static struct in_addr ip;
41880 -+ u8 *split = (u8 *)&ip;
41881 -+
41882 -+ split[0] = a;
41883 -+ split[1] = b;
41884 -+ split[2] = c;
41885 -+ split[3] = d;
41886 -+ return &ip;
41887 -+}
41888 -+
41889 -+static __init inline struct in6_addr *ip6(u32 a, u32 b, u32 c, u32 d)
41890 -+{
41891 -+ static struct in6_addr ip;
41892 -+ __be32 *split = (__be32 *)&ip;
41893 -+
41894 -+ split[0] = cpu_to_be32(a);
41895 -+ split[1] = cpu_to_be32(b);
41896 -+ split[2] = cpu_to_be32(c);
41897 -+ split[3] = cpu_to_be32(d);
41898 -+ return &ip;
41899 -+}
41900 -+
41901 -+static __init struct wg_peer *init_peer(void)
41902 -+{
41903 -+ struct wg_peer *peer = kzalloc(sizeof(*peer), GFP_KERNEL);
41904 -+
41905 -+ if (!peer)
41906 -+ return NULL;
41907 -+ kref_init(&peer->refcount);
41908 -+ INIT_LIST_HEAD(&peer->allowedips_list);
41909 -+ return peer;
41910 -+}
41911 -+
41912 -+#define insert(version, mem, ipa, ipb, ipc, ipd, cidr) \
41913 -+ wg_allowedips_insert_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \
41914 -+ cidr, mem, &mutex)
41915 -+
41916 -+#define maybe_fail() do { \
41917 -+ ++i; \
41918 -+ if (!_s) { \
41919 -+ pr_info("allowedips self-test %zu: FAIL\n", i); \
41920 -+ success = false; \
41921 -+ } \
41922 -+ } while (0)
41923 -+
41924 -+#define test(version, mem, ipa, ipb, ipc, ipd) do { \
41925 -+ bool _s = lookup(t.root##version, (version) == 4 ? 32 : 128, \
41926 -+ ip##version(ipa, ipb, ipc, ipd)) == (mem); \
41927 -+ maybe_fail(); \
41928 -+ } while (0)
41929 -+
41930 -+#define test_negative(version, mem, ipa, ipb, ipc, ipd) do { \
41931 -+ bool _s = lookup(t.root##version, (version) == 4 ? 32 : 128, \
41932 -+ ip##version(ipa, ipb, ipc, ipd)) != (mem); \
41933 -+ maybe_fail(); \
41934 -+ } while (0)
41935 -+
41936 -+#define test_boolean(cond) do { \
41937 -+ bool _s = (cond); \
41938 -+ maybe_fail(); \
41939 -+ } while (0)
41940 -+
41941 -+bool __init wg_allowedips_selftest(void)
41942 -+{
41943 -+ bool found_a = false, found_b = false, found_c = false, found_d = false,
41944 -+ found_e = false, found_other = false;
41945 -+ struct wg_peer *a = init_peer(), *b = init_peer(), *c = init_peer(),
41946 -+ *d = init_peer(), *e = init_peer(), *f = init_peer(),
41947 -+ *g = init_peer(), *h = init_peer();
41948 -+ struct allowedips_node *iter_node;
41949 -+ bool success = false;
41950 -+ struct allowedips t;
41951 -+ DEFINE_MUTEX(mutex);
41952 -+ struct in6_addr ip;
41953 -+ size_t i = 0, count = 0;
41954 -+ __be64 part;
41955 -+
41956 -+ mutex_init(&mutex);
41957 -+ mutex_lock(&mutex);
41958 -+ wg_allowedips_init(&t);
41959 -+
41960 -+ if (!a || !b || !c || !d || !e || !f || !g || !h) {
41961 -+ pr_err("allowedips self-test malloc: FAIL\n");
41962 -+ goto free;
41963 -+ }
41964 -+
41965 -+ insert(4, a, 192, 168, 4, 0, 24);
41966 -+ insert(4, b, 192, 168, 4, 4, 32);
41967 -+ insert(4, c, 192, 168, 0, 0, 16);
41968 -+ insert(4, d, 192, 95, 5, 64, 27);
41969 -+ /* replaces previous entry, and maskself is required */
41970 -+ insert(4, c, 192, 95, 5, 65, 27);
41971 -+ insert(6, d, 0x26075300, 0x60006b00, 0, 0xc05f0543, 128);
41972 -+ insert(6, c, 0x26075300, 0x60006b00, 0, 0, 64);
41973 -+ insert(4, e, 0, 0, 0, 0, 0);
41974 -+ insert(6, e, 0, 0, 0, 0, 0);
41975 -+ /* replaces previous entry */
41976 -+ insert(6, f, 0, 0, 0, 0, 0);
41977 -+ insert(6, g, 0x24046800, 0, 0, 0, 32);
41978 -+ /* maskself is required */
41979 -+ insert(6, h, 0x24046800, 0x40040800, 0xdeadbeef, 0xdeadbeef, 64);
41980 -+ insert(6, a, 0x24046800, 0x40040800, 0xdeadbeef, 0xdeadbeef, 128);
41981 -+ insert(6, c, 0x24446800, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128);
41982 -+ insert(6, b, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98);
41983 -+ insert(4, g, 64, 15, 112, 0, 20);
41984 -+ /* maskself is required */
41985 -+ insert(4, h, 64, 15, 123, 211, 25);
41986 -+ insert(4, a, 10, 0, 0, 0, 25);
41987 -+ insert(4, b, 10, 0, 0, 128, 25);
41988 -+ insert(4, a, 10, 1, 0, 0, 30);
41989 -+ insert(4, b, 10, 1, 0, 4, 30);
41990 -+ insert(4, c, 10, 1, 0, 8, 29);
41991 -+ insert(4, d, 10, 1, 0, 16, 29);
41992 -+
41993 -+ if (IS_ENABLED(DEBUG_PRINT_TRIE_GRAPHVIZ)) {
41994 -+ print_tree(t.root4, 32);
41995 -+ print_tree(t.root6, 128);
41996 -+ }
41997 -+
41998 -+ success = true;
41999 -+
42000 -+ test(4, a, 192, 168, 4, 20);
42001 -+ test(4, a, 192, 168, 4, 0);
42002 -+ test(4, b, 192, 168, 4, 4);
42003 -+ test(4, c, 192, 168, 200, 182);
42004 -+ test(4, c, 192, 95, 5, 68);
42005 -+ test(4, e, 192, 95, 5, 96);
42006 -+ test(6, d, 0x26075300, 0x60006b00, 0, 0xc05f0543);
42007 -+ test(6, c, 0x26075300, 0x60006b00, 0, 0xc02e01ee);
42008 -+ test(6, f, 0x26075300, 0x60006b01, 0, 0);
42009 -+ test(6, g, 0x24046800, 0x40040806, 0, 0x1006);
42010 -+ test(6, g, 0x24046800, 0x40040806, 0x1234, 0x5678);
42011 -+ test(6, f, 0x240467ff, 0x40040806, 0x1234, 0x5678);
42012 -+ test(6, f, 0x24046801, 0x40040806, 0x1234, 0x5678);
42013 -+ test(6, h, 0x24046800, 0x40040800, 0x1234, 0x5678);
42014 -+ test(6, h, 0x24046800, 0x40040800, 0, 0);
42015 -+ test(6, h, 0x24046800, 0x40040800, 0x10101010, 0x10101010);
42016 -+ test(6, a, 0x24046800, 0x40040800, 0xdeadbeef, 0xdeadbeef);
42017 -+ test(4, g, 64, 15, 116, 26);
42018 -+ test(4, g, 64, 15, 127, 3);
42019 -+ test(4, g, 64, 15, 123, 1);
42020 -+ test(4, h, 64, 15, 123, 128);
42021 -+ test(4, h, 64, 15, 123, 129);
42022 -+ test(4, a, 10, 0, 0, 52);
42023 -+ test(4, b, 10, 0, 0, 220);
42024 -+ test(4, a, 10, 1, 0, 2);
42025 -+ test(4, b, 10, 1, 0, 6);
42026 -+ test(4, c, 10, 1, 0, 10);
42027 -+ test(4, d, 10, 1, 0, 20);
42028 -+
42029 -+ insert(4, a, 1, 0, 0, 0, 32);
42030 -+ insert(4, a, 64, 0, 0, 0, 32);
42031 -+ insert(4, a, 128, 0, 0, 0, 32);
42032 -+ insert(4, a, 192, 0, 0, 0, 32);
42033 -+ insert(4, a, 255, 0, 0, 0, 32);
42034 -+ wg_allowedips_remove_by_peer(&t, a, &mutex);
42035 -+ test_negative(4, a, 1, 0, 0, 0);
42036 -+ test_negative(4, a, 64, 0, 0, 0);
42037 -+ test_negative(4, a, 128, 0, 0, 0);
42038 -+ test_negative(4, a, 192, 0, 0, 0);
42039 -+ test_negative(4, a, 255, 0, 0, 0);
42040 -+
42041 -+ wg_allowedips_free(&t, &mutex);
42042 -+ wg_allowedips_init(&t);
42043 -+ insert(4, a, 192, 168, 0, 0, 16);
42044 -+ insert(4, a, 192, 168, 0, 0, 24);
42045 -+ wg_allowedips_remove_by_peer(&t, a, &mutex);
42046 -+ test_negative(4, a, 192, 168, 0, 1);
42047 -+
42048 -+ /* These will hit the WARN_ON(len >= 128) in free_node if something
42049 -+ * goes wrong.
42050 -+ */
42051 -+ for (i = 0; i < 128; ++i) {
42052 -+ part = cpu_to_be64(~(1LLU << (i % 64)));
42053 -+ memset(&ip, 0xff, 16);
42054 -+ memcpy((u8 *)&ip + (i < 64) * 8, &part, 8);
42055 -+ wg_allowedips_insert_v6(&t, &ip, 128, a, &mutex);
42056 -+ }
42057 -+
42058 -+ wg_allowedips_free(&t, &mutex);
42059 -+
42060 -+ wg_allowedips_init(&t);
42061 -+ insert(4, a, 192, 95, 5, 93, 27);
42062 -+ insert(6, a, 0x26075300, 0x60006b00, 0, 0xc05f0543, 128);
42063 -+ insert(4, a, 10, 1, 0, 20, 29);
42064 -+ insert(6, a, 0x26075300, 0x6d8a6bf8, 0xdab1f1df, 0xc05f1523, 83);
42065 -+ insert(6, a, 0x26075300, 0x6d8a6bf8, 0xdab1f1df, 0xc05f1523, 21);
42066 -+ list_for_each_entry(iter_node, &a->allowedips_list, peer_list) {
42067 -+ u8 cidr, ip[16] __aligned(__alignof(u64));
42068 -+ int family = wg_allowedips_read_node(iter_node, ip, &cidr);
42069 -+
42070 -+ count++;
42071 -+
42072 -+ if (cidr == 27 && family == AF_INET &&
42073 -+ !memcmp(ip, ip4(192, 95, 5, 64), sizeof(struct in_addr)))
42074 -+ found_a = true;
42075 -+ else if (cidr == 128 && family == AF_INET6 &&
42076 -+ !memcmp(ip, ip6(0x26075300, 0x60006b00, 0, 0xc05f0543),
42077 -+ sizeof(struct in6_addr)))
42078 -+ found_b = true;
42079 -+ else if (cidr == 29 && family == AF_INET &&
42080 -+ !memcmp(ip, ip4(10, 1, 0, 16), sizeof(struct in_addr)))
42081 -+ found_c = true;
42082 -+ else if (cidr == 83 && family == AF_INET6 &&
42083 -+ !memcmp(ip, ip6(0x26075300, 0x6d8a6bf8, 0xdab1e000, 0),
42084 -+ sizeof(struct in6_addr)))
42085 -+ found_d = true;
42086 -+ else if (cidr == 21 && family == AF_INET6 &&
42087 -+ !memcmp(ip, ip6(0x26075000, 0, 0, 0),
42088 -+ sizeof(struct in6_addr)))
42089 -+ found_e = true;
42090 -+ else
42091 -+ found_other = true;
42092 -+ }
42093 -+ test_boolean(count == 5);
42094 -+ test_boolean(found_a);
42095 -+ test_boolean(found_b);
42096 -+ test_boolean(found_c);
42097 -+ test_boolean(found_d);
42098 -+ test_boolean(found_e);
42099 -+ test_boolean(!found_other);
42100 -+
42101 -+ if (IS_ENABLED(DEBUG_RANDOM_TRIE) && success)
42102 -+ success = randomized_test();
42103 -+
42104 -+ if (success)
42105 -+ pr_info("allowedips self-tests: pass\n");
42106 -+
42107 -+free:
42108 -+ wg_allowedips_free(&t, &mutex);
42109 -+ kfree(a);
42110 -+ kfree(b);
42111 -+ kfree(c);
42112 -+ kfree(d);
42113 -+ kfree(e);
42114 -+ kfree(f);
42115 -+ kfree(g);
42116 -+ kfree(h);
42117 -+ mutex_unlock(&mutex);
42118 -+
42119 -+ return success;
42120 -+}
42121 -+
42122 -+#undef test_negative
42123 -+#undef test
42124 -+#undef remove
42125 -+#undef insert
42126 -+#undef init_peer
42127 -+
42128 -+#endif
42129 ---- b/drivers/net/wireguard/selftest/counter.c
42130 -+++ b/drivers/net/wireguard/selftest/counter.c
42131 -@@ -0,0 +1,111 @@
42132 -+// SPDX-License-Identifier: GPL-2.0
42133 -+/*
42134 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42135 -+ */
42136 -+
42137 -+#ifdef DEBUG
42138 -+bool __init wg_packet_counter_selftest(void)
42139 -+{
42140 -+ struct noise_replay_counter *counter;
42141 -+ unsigned int test_num = 0, i;
42142 -+ bool success = true;
42143 -+
42144 -+ counter = kmalloc(sizeof(*counter), GFP_KERNEL);
42145 -+ if (unlikely(!counter)) {
42146 -+ pr_err("nonce counter self-test malloc: FAIL\n");
42147 -+ return false;
42148 -+ }
42149 -+
42150 -+#define T_INIT do { \
42151 -+ memset(counter, 0, sizeof(*counter)); \
42152 -+ spin_lock_init(&counter->lock); \
42153 -+ } while (0)
42154 -+#define T_LIM (COUNTER_WINDOW_SIZE + 1)
42155 -+#define T(n, v) do { \
42156 -+ ++test_num; \
42157 -+ if (counter_validate(counter, n) != (v)) { \
42158 -+ pr_err("nonce counter self-test %u: FAIL\n", \
42159 -+ test_num); \
42160 -+ success = false; \
42161 -+ } \
42162 -+ } while (0)
42163 -+
42164 -+ T_INIT;
42165 -+ /* 1 */ T(0, true);
42166 -+ /* 2 */ T(1, true);
42167 -+ /* 3 */ T(1, false);
42168 -+ /* 4 */ T(9, true);
42169 -+ /* 5 */ T(8, true);
42170 -+ /* 6 */ T(7, true);
42171 -+ /* 7 */ T(7, false);
42172 -+ /* 8 */ T(T_LIM, true);
42173 -+ /* 9 */ T(T_LIM - 1, true);
42174 -+ /* 10 */ T(T_LIM - 1, false);
42175 -+ /* 11 */ T(T_LIM - 2, true);
42176 -+ /* 12 */ T(2, true);
42177 -+ /* 13 */ T(2, false);
42178 -+ /* 14 */ T(T_LIM + 16, true);
42179 -+ /* 15 */ T(3, false);
42180 -+ /* 16 */ T(T_LIM + 16, false);
42181 -+ /* 17 */ T(T_LIM * 4, true);
42182 -+ /* 18 */ T(T_LIM * 4 - (T_LIM - 1), true);
42183 -+ /* 19 */ T(10, false);
42184 -+ /* 20 */ T(T_LIM * 4 - T_LIM, false);
42185 -+ /* 21 */ T(T_LIM * 4 - (T_LIM + 1), false);
42186 -+ /* 22 */ T(T_LIM * 4 - (T_LIM - 2), true);
42187 -+ /* 23 */ T(T_LIM * 4 + 1 - T_LIM, false);
42188 -+ /* 24 */ T(0, false);
42189 -+ /* 25 */ T(REJECT_AFTER_MESSAGES, false);
42190 -+ /* 26 */ T(REJECT_AFTER_MESSAGES - 1, true);
42191 -+ /* 27 */ T(REJECT_AFTER_MESSAGES, false);
42192 -+ /* 28 */ T(REJECT_AFTER_MESSAGES - 1, false);
42193 -+ /* 29 */ T(REJECT_AFTER_MESSAGES - 2, true);
42194 -+ /* 30 */ T(REJECT_AFTER_MESSAGES + 1, false);
42195 -+ /* 31 */ T(REJECT_AFTER_MESSAGES + 2, false);
42196 -+ /* 32 */ T(REJECT_AFTER_MESSAGES - 2, false);
42197 -+ /* 33 */ T(REJECT_AFTER_MESSAGES - 3, true);
42198 -+ /* 34 */ T(0, false);
42199 -+
42200 -+ T_INIT;
42201 -+ for (i = 1; i <= COUNTER_WINDOW_SIZE; ++i)
42202 -+ T(i, true);
42203 -+ T(0, true);
42204 -+ T(0, false);
42205 -+
42206 -+ T_INIT;
42207 -+ for (i = 2; i <= COUNTER_WINDOW_SIZE + 1; ++i)
42208 -+ T(i, true);
42209 -+ T(1, true);
42210 -+ T(0, false);
42211 -+
42212 -+ T_INIT;
42213 -+ for (i = COUNTER_WINDOW_SIZE + 1; i-- > 0;)
42214 -+ T(i, true);
42215 -+
42216 -+ T_INIT;
42217 -+ for (i = COUNTER_WINDOW_SIZE + 2; i-- > 1;)
42218 -+ T(i, true);
42219 -+ T(0, false);
42220 -+
42221 -+ T_INIT;
42222 -+ for (i = COUNTER_WINDOW_SIZE + 1; i-- > 1;)
42223 -+ T(i, true);
42224 -+ T(COUNTER_WINDOW_SIZE + 1, true);
42225 -+ T(0, false);
42226 -+
42227 -+ T_INIT;
42228 -+ for (i = COUNTER_WINDOW_SIZE + 1; i-- > 1;)
42229 -+ T(i, true);
42230 -+ T(0, true);
42231 -+ T(COUNTER_WINDOW_SIZE + 1, true);
42232 -+
42233 -+#undef T
42234 -+#undef T_LIM
42235 -+#undef T_INIT
42236 -+
42237 -+ if (success)
42238 -+ pr_info("nonce counter self-tests: pass\n");
42239 -+ kfree(counter);
42240 -+ return success;
42241 -+}
42242 -+#endif
42243 ---- b/drivers/net/wireguard/selftest/ratelimiter.c
42244 -+++ b/drivers/net/wireguard/selftest/ratelimiter.c
42245 -@@ -0,0 +1,226 @@
42246 -+// SPDX-License-Identifier: GPL-2.0
42247 -+/*
42248 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42249 -+ */
42250 -+
42251 -+#ifdef DEBUG
42252 -+
42253 -+#include <linux/jiffies.h>
42254 -+
42255 -+static const struct {
42256 -+ bool result;
42257 -+ unsigned int msec_to_sleep_before;
42258 -+} expected_results[] __initconst = {
42259 -+ [0 ... PACKETS_BURSTABLE - 1] = { true, 0 },
42260 -+ [PACKETS_BURSTABLE] = { false, 0 },
42261 -+ [PACKETS_BURSTABLE + 1] = { true, MSEC_PER_SEC / PACKETS_PER_SECOND },
42262 -+ [PACKETS_BURSTABLE + 2] = { false, 0 },
42263 -+ [PACKETS_BURSTABLE + 3] = { true, (MSEC_PER_SEC / PACKETS_PER_SECOND) * 2 },
42264 -+ [PACKETS_BURSTABLE + 4] = { true, 0 },
42265 -+ [PACKETS_BURSTABLE + 5] = { false, 0 }
42266 -+};
42267 -+
42268 -+static __init unsigned int maximum_jiffies_at_index(int index)
42269 -+{
42270 -+ unsigned int total_msecs = 2 * MSEC_PER_SEC / PACKETS_PER_SECOND / 3;
42271 -+ int i;
42272 -+
42273 -+ for (i = 0; i <= index; ++i)
42274 -+ total_msecs += expected_results[i].msec_to_sleep_before;
42275 -+ return msecs_to_jiffies(total_msecs);
42276 -+}
42277 -+
42278 -+static __init int timings_test(struct sk_buff *skb4, struct iphdr *hdr4,
42279 -+ struct sk_buff *skb6, struct ipv6hdr *hdr6,
42280 -+ int *test)
42281 -+{
42282 -+ unsigned long loop_start_time;
42283 -+ int i;
42284 -+
42285 -+ wg_ratelimiter_gc_entries(NULL);
42286 -+ rcu_barrier();
42287 -+ loop_start_time = jiffies;
42288 -+
42289 -+ for (i = 0; i < ARRAY_SIZE(expected_results); ++i) {
42290 -+ if (expected_results[i].msec_to_sleep_before)
42291 -+ msleep(expected_results[i].msec_to_sleep_before);
42292 -+
42293 -+ if (time_is_before_jiffies(loop_start_time +
42294 -+ maximum_jiffies_at_index(i)))
42295 -+ return -ETIMEDOUT;
42296 -+ if (wg_ratelimiter_allow(skb4, &init_net) !=
42297 -+ expected_results[i].result)
42298 -+ return -EXFULL;
42299 -+ ++(*test);
42300 -+
42301 -+ hdr4->saddr = htonl(ntohl(hdr4->saddr) + i + 1);
42302 -+ if (time_is_before_jiffies(loop_start_time +
42303 -+ maximum_jiffies_at_index(i)))
42304 -+ return -ETIMEDOUT;
42305 -+ if (!wg_ratelimiter_allow(skb4, &init_net))
42306 -+ return -EXFULL;
42307 -+ ++(*test);
42308 -+
42309 -+ hdr4->saddr = htonl(ntohl(hdr4->saddr) - i - 1);
42310 -+
42311 -+#if IS_ENABLED(CONFIG_IPV6)
42312 -+ hdr6->saddr.in6_u.u6_addr32[2] = htonl(i);
42313 -+ hdr6->saddr.in6_u.u6_addr32[3] = htonl(i);
42314 -+ if (time_is_before_jiffies(loop_start_time +
42315 -+ maximum_jiffies_at_index(i)))
42316 -+ return -ETIMEDOUT;
42317 -+ if (wg_ratelimiter_allow(skb6, &init_net) !=
42318 -+ expected_results[i].result)
42319 -+ return -EXFULL;
42320 -+ ++(*test);
42321 -+
42322 -+ hdr6->saddr.in6_u.u6_addr32[0] =
42323 -+ htonl(ntohl(hdr6->saddr.in6_u.u6_addr32[0]) + i + 1);
42324 -+ if (time_is_before_jiffies(loop_start_time +
42325 -+ maximum_jiffies_at_index(i)))
42326 -+ return -ETIMEDOUT;
42327 -+ if (!wg_ratelimiter_allow(skb6, &init_net))
42328 -+ return -EXFULL;
42329 -+ ++(*test);
42330 -+
42331 -+ hdr6->saddr.in6_u.u6_addr32[0] =
42332 -+ htonl(ntohl(hdr6->saddr.in6_u.u6_addr32[0]) - i - 1);
42333 -+
42334 -+ if (time_is_before_jiffies(loop_start_time +
42335 -+ maximum_jiffies_at_index(i)))
42336 -+ return -ETIMEDOUT;
42337 -+#endif
42338 -+ }
42339 -+ return 0;
42340 -+}
42341 -+
42342 -+static __init int capacity_test(struct sk_buff *skb4, struct iphdr *hdr4,
42343 -+ int *test)
42344 -+{
42345 -+ int i;
42346 -+
42347 -+ wg_ratelimiter_gc_entries(NULL);
42348 -+ rcu_barrier();
42349 -+
42350 -+ if (atomic_read(&total_entries))
42351 -+ return -EXFULL;
42352 -+ ++(*test);
42353 -+
42354 -+ for (i = 0; i <= max_entries; ++i) {
42355 -+ hdr4->saddr = htonl(i);
42356 -+ if (wg_ratelimiter_allow(skb4, &init_net) != (i != max_entries))
42357 -+ return -EXFULL;
42358 -+ ++(*test);
42359 -+ }
42360 -+ return 0;
42361 -+}
42362 -+
42363 -+bool __init wg_ratelimiter_selftest(void)
42364 -+{
42365 -+ enum { TRIALS_BEFORE_GIVING_UP = 5000 };
42366 -+ bool success = false;
42367 -+ int test = 0, trials;
42368 -+ struct sk_buff *skb4, *skb6 = NULL;
42369 -+ struct iphdr *hdr4;
42370 -+ struct ipv6hdr *hdr6 = NULL;
42371 -+
42372 -+ if (IS_ENABLED(CONFIG_KASAN) || IS_ENABLED(CONFIG_UBSAN))
42373 -+ return true;
42374 -+
42375 -+ BUILD_BUG_ON(MSEC_PER_SEC % PACKETS_PER_SECOND != 0);
42376 -+
42377 -+ if (wg_ratelimiter_init())
42378 -+ goto out;
42379 -+ ++test;
42380 -+ if (wg_ratelimiter_init()) {
42381 -+ wg_ratelimiter_uninit();
42382 -+ goto out;
42383 -+ }
42384 -+ ++test;
42385 -+ if (wg_ratelimiter_init()) {
42386 -+ wg_ratelimiter_uninit();
42387 -+ wg_ratelimiter_uninit();
42388 -+ goto out;
42389 -+ }
42390 -+ ++test;
42391 -+
42392 -+ skb4 = alloc_skb(sizeof(struct iphdr), GFP_KERNEL);
42393 -+ if (unlikely(!skb4))
42394 -+ goto err_nofree;
42395 -+ skb4->protocol = htons(ETH_P_IP);
42396 -+ hdr4 = (struct iphdr *)skb_put(skb4, sizeof(*hdr4));
42397 -+ hdr4->saddr = htonl(8182);
42398 -+ skb_reset_network_header(skb4);
42399 -+ ++test;
42400 -+
42401 -+#if IS_ENABLED(CONFIG_IPV6)
42402 -+ skb6 = alloc_skb(sizeof(struct ipv6hdr), GFP_KERNEL);
42403 -+ if (unlikely(!skb6)) {
42404 -+ kfree_skb(skb4);
42405 -+ goto err_nofree;
42406 -+ }
42407 -+ skb6->protocol = htons(ETH_P_IPV6);
42408 -+ hdr6 = (struct ipv6hdr *)skb_put(skb6, sizeof(*hdr6));
42409 -+ hdr6->saddr.in6_u.u6_addr32[0] = htonl(1212);
42410 -+ hdr6->saddr.in6_u.u6_addr32[1] = htonl(289188);
42411 -+ skb_reset_network_header(skb6);
42412 -+ ++test;
42413 -+#endif
42414 -+
42415 -+ for (trials = TRIALS_BEFORE_GIVING_UP;;) {
42416 -+ int test_count = 0, ret;
42417 -+
42418 -+ ret = timings_test(skb4, hdr4, skb6, hdr6, &test_count);
42419 -+ if (ret == -ETIMEDOUT) {
42420 -+ if (!trials--) {
42421 -+ test += test_count;
42422 -+ goto err;
42423 -+ }
42424 -+ msleep(500);
42425 -+ continue;
42426 -+ } else if (ret < 0) {
42427 -+ test += test_count;
42428 -+ goto err;
42429 -+ } else {
42430 -+ test += test_count;
42431 -+ break;
42432 -+ }
42433 -+ }
42434 -+
42435 -+ for (trials = TRIALS_BEFORE_GIVING_UP;;) {
42436 -+ int test_count = 0;
42437 -+
42438 -+ if (capacity_test(skb4, hdr4, &test_count) < 0) {
42439 -+ if (!trials--) {
42440 -+ test += test_count;
42441 -+ goto err;
42442 -+ }
42443 -+ msleep(50);
42444 -+ continue;
42445 -+ }
42446 -+ test += test_count;
42447 -+ break;
42448 -+ }
42449 -+
42450 -+ success = true;
42451 -+
42452 -+err:
42453 -+ kfree_skb(skb4);
42454 -+#if IS_ENABLED(CONFIG_IPV6)
42455 -+ kfree_skb(skb6);
42456 -+#endif
42457 -+err_nofree:
42458 -+ wg_ratelimiter_uninit();
42459 -+ wg_ratelimiter_uninit();
42460 -+ wg_ratelimiter_uninit();
42461 -+ /* Uninit one extra time to check underflow detection. */
42462 -+ wg_ratelimiter_uninit();
42463 -+out:
42464 -+ if (success)
42465 -+ pr_info("ratelimiter self-tests: pass\n");
42466 -+ else
42467 -+ pr_err("ratelimiter self-test %d: FAIL\n", test);
42468 -+
42469 -+ return success;
42470 -+}
42471 -+#endif
42472 ---- b/drivers/net/wireguard/send.c
42473 -+++ b/drivers/net/wireguard/send.c
42474 -@@ -0,0 +1,422 @@
42475 -+// SPDX-License-Identifier: GPL-2.0
42476 -+/*
42477 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42478 -+ */
42479 -+
42480 -+#include "queueing.h"
42481 -+#include "timers.h"
42482 -+#include "device.h"
42483 -+#include "peer.h"
42484 -+#include "socket.h"
42485 -+#include "messages.h"
42486 -+#include "cookie.h"
42487 -+
42488 -+#include <linux/uio.h>
42489 -+#include <linux/inetdevice.h>
42490 -+#include <linux/socket.h>
42491 -+#include <net/ip_tunnels.h>
42492 -+#include <net/udp.h>
42493 -+#include <net/sock.h>
42494 -+
42495 -+static void wg_packet_send_handshake_initiation(struct wg_peer *peer)
42496 -+{
42497 -+ struct message_handshake_initiation packet;
42498 -+
42499 -+ if (!wg_birthdate_has_expired(atomic64_read(&peer->last_sent_handshake),
42500 -+ REKEY_TIMEOUT))
42501 -+ return; /* This function is rate limited. */
42502 -+
42503 -+ atomic64_set(&peer->last_sent_handshake, ktime_get_coarse_boottime_ns());
42504 -+ net_dbg_ratelimited("%s: Sending handshake initiation to peer %llu (%pISpfsc)\n",
42505 -+ peer->device->dev->name, peer->internal_id,
42506 -+ &peer->endpoint.addr);
42507 -+
42508 -+ if (wg_noise_handshake_create_initiation(&packet, &peer->handshake)) {
42509 -+ wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
42510 -+ wg_timers_any_authenticated_packet_traversal(peer);
42511 -+ wg_timers_any_authenticated_packet_sent(peer);
42512 -+ atomic64_set(&peer->last_sent_handshake,
42513 -+ ktime_get_coarse_boottime_ns());
42514 -+ wg_socket_send_buffer_to_peer(peer, &packet, sizeof(packet),
42515 -+ HANDSHAKE_DSCP);
42516 -+ wg_timers_handshake_initiated(peer);
42517 -+ }
42518 -+}
42519 -+
42520 -+void wg_packet_handshake_send_worker(struct work_struct *work)
42521 -+{
42522 -+ struct wg_peer *peer = container_of(work, struct wg_peer,
42523 -+ transmit_handshake_work);
42524 -+
42525 -+ wg_packet_send_handshake_initiation(peer);
42526 -+ wg_peer_put(peer);
42527 -+}
42528 -+
42529 -+void wg_packet_send_queued_handshake_initiation(struct wg_peer *peer,
42530 -+ bool is_retry)
42531 -+{
42532 -+ if (!is_retry)
42533 -+ peer->timer_handshake_attempts = 0;
42534 -+
42535 -+ rcu_read_lock_bh();
42536 -+ /* We check last_sent_handshake here in addition to the actual function
42537 -+ * we're queueing up, so that we don't queue things if not strictly
42538 -+ * necessary:
42539 -+ */
42540 -+ if (!wg_birthdate_has_expired(atomic64_read(&peer->last_sent_handshake),
42541 -+ REKEY_TIMEOUT) ||
42542 -+ unlikely(READ_ONCE(peer->is_dead)))
42543 -+ goto out;
42544 -+
42545 -+ wg_peer_get(peer);
42546 -+ /* Queues up calling packet_send_queued_handshakes(peer), where we do a
42547 -+ * peer_put(peer) after:
42548 -+ */
42549 -+ if (!queue_work(peer->device->handshake_send_wq,
42550 -+ &peer->transmit_handshake_work))
42551 -+ /* If the work was already queued, we want to drop the
42552 -+ * extra reference:
42553 -+ */
42554 -+ wg_peer_put(peer);
42555 -+out:
42556 -+ rcu_read_unlock_bh();
42557 -+}
42558 -+
42559 -+void wg_packet_send_handshake_response(struct wg_peer *peer)
42560 -+{
42561 -+ struct message_handshake_response packet;
42562 -+
42563 -+ atomic64_set(&peer->last_sent_handshake, ktime_get_coarse_boottime_ns());
42564 -+ net_dbg_ratelimited("%s: Sending handshake response to peer %llu (%pISpfsc)\n",
42565 -+ peer->device->dev->name, peer->internal_id,
42566 -+ &peer->endpoint.addr);
42567 -+
42568 -+ if (wg_noise_handshake_create_response(&packet, &peer->handshake)) {
42569 -+ wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
42570 -+ if (wg_noise_handshake_begin_session(&peer->handshake,
42571 -+ &peer->keypairs)) {
42572 -+ wg_timers_session_derived(peer);
42573 -+ wg_timers_any_authenticated_packet_traversal(peer);
42574 -+ wg_timers_any_authenticated_packet_sent(peer);
42575 -+ atomic64_set(&peer->last_sent_handshake,
42576 -+ ktime_get_coarse_boottime_ns());
42577 -+ wg_socket_send_buffer_to_peer(peer, &packet,
42578 -+ sizeof(packet),
42579 -+ HANDSHAKE_DSCP);
42580 -+ }
42581 -+ }
42582 -+}
42583 -+
42584 -+void wg_packet_send_handshake_cookie(struct wg_device *wg,
42585 -+ struct sk_buff *initiating_skb,
42586 -+ __le32 sender_index)
42587 -+{
42588 -+ struct message_handshake_cookie packet;
42589 -+
42590 -+ net_dbg_skb_ratelimited("%s: Sending cookie response for denied handshake message for %pISpfsc\n",
42591 -+ wg->dev->name, initiating_skb);
42592 -+ wg_cookie_message_create(&packet, initiating_skb, sender_index,
42593 -+ &wg->cookie_checker);
42594 -+ wg_socket_send_buffer_as_reply_to_skb(wg, initiating_skb, &packet,
42595 -+ sizeof(packet));
42596 -+}
42597 -+
42598 -+static void keep_key_fresh(struct wg_peer *peer)
42599 -+{
42600 -+ struct noise_keypair *keypair;
42601 -+ bool send;
42602 -+
42603 -+ rcu_read_lock_bh();
42604 -+ keypair = rcu_dereference_bh(peer->keypairs.current_keypair);
42605 -+ send = keypair && READ_ONCE(keypair->sending.is_valid) &&
42606 -+ (atomic64_read(&keypair->sending_counter) > REKEY_AFTER_MESSAGES ||
42607 -+ (keypair->i_am_the_initiator &&
42608 -+ wg_birthdate_has_expired(keypair->sending.birthdate, REKEY_AFTER_TIME)));
42609 -+ rcu_read_unlock_bh();
42610 -+
42611 -+ if (unlikely(send))
42612 -+ wg_packet_send_queued_handshake_initiation(peer, false);
42613 -+}
42614 -+
42615 -+static unsigned int calculate_skb_padding(struct sk_buff *skb)
42616 -+{
42617 -+ unsigned int padded_size, last_unit = skb->len;
42618 -+
42619 -+ if (unlikely(!PACKET_CB(skb)->mtu))
42620 -+ return ALIGN(last_unit, MESSAGE_PADDING_MULTIPLE) - last_unit;
42621 -+
42622 -+ /* We do this modulo business with the MTU, just in case the networking
42623 -+ * layer gives us a packet that's bigger than the MTU. In that case, we
42624 -+ * wouldn't want the final subtraction to overflow in the case of the
42625 -+ * padded_size being clamped. Fortunately, that's very rarely the case,
42626 -+ * so we optimize for that not happening.
42627 -+ */
42628 -+ if (unlikely(last_unit > PACKET_CB(skb)->mtu))
42629 -+ last_unit %= PACKET_CB(skb)->mtu;
42630 -+
42631 -+ padded_size = min(PACKET_CB(skb)->mtu,
42632 -+ ALIGN(last_unit, MESSAGE_PADDING_MULTIPLE));
42633 -+ return padded_size - last_unit;
42634 -+}
42635 -+
42636 -+static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
42637 -+{
42638 -+ unsigned int padding_len, plaintext_len, trailer_len;
42639 -+ struct scatterlist sg[MAX_SKB_FRAGS + 8];
42640 -+ struct message_data *header;
42641 -+ struct sk_buff *trailer;
42642 -+ int num_frags;
42643 -+
42644 -+ /* Force hash calculation before encryption so that flow analysis is
42645 -+ * consistent over the inner packet.
42646 -+ */
42647 -+ skb_get_hash(skb);
42648 -+
42649 -+ /* Calculate lengths. */
42650 -+ padding_len = calculate_skb_padding(skb);
42651 -+ trailer_len = padding_len + noise_encrypted_len(0);
42652 -+ plaintext_len = skb->len + padding_len;
42653 -+
42654 -+ /* Expand data section to have room for padding and auth tag. */
42655 -+ num_frags = skb_cow_data(skb, trailer_len, &trailer);
42656 -+ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
42657 -+ return false;
42658 -+
42659 -+ /* Set the padding to zeros, and make sure it and the auth tag are part
42660 -+ * of the skb.
42661 -+ */
42662 -+ memset(skb_tail_pointer(trailer), 0, padding_len);
42663 -+
42664 -+ /* Expand head section to have room for our header and the network
42665 -+ * stack's headers.
42666 -+ */
42667 -+ if (unlikely(skb_cow_head(skb, DATA_PACKET_HEAD_ROOM) < 0))
42668 -+ return false;
42669 -+
42670 -+ /* Finalize checksum calculation for the inner packet, if required. */
42671 -+ if (unlikely(skb->ip_summed == CHECKSUM_PARTIAL &&
42672 -+ skb_checksum_help(skb)))
42673 -+ return false;
42674 -+
42675 -+ /* Only after checksumming can we safely add on the padding at the end
42676 -+ * and the header.
42677 -+ */
42678 -+ skb_set_inner_network_header(skb, 0);
42679 -+ header = (struct message_data *)skb_push(skb, sizeof(*header));
42680 -+ header->header.type = cpu_to_le32(MESSAGE_DATA);
42681 -+ header->key_idx = keypair->remote_index;
42682 -+ header->counter = cpu_to_le64(PACKET_CB(skb)->nonce);
42683 -+ pskb_put(skb, trailer, trailer_len);
42684 -+
42685 -+ /* Now we can encrypt the scattergather segments */
42686 -+ sg_init_table(sg, num_frags);
42687 -+ if (skb_to_sgvec(skb, sg, sizeof(struct message_data),
42688 -+ noise_encrypted_len(plaintext_len)) <= 0)
42689 -+ return false;
42690 -+ return chacha20poly1305_encrypt_sg_inplace(sg, plaintext_len, NULL, 0,
42691 -+ PACKET_CB(skb)->nonce,
42692 -+ keypair->sending.key);
42693 -+}
42694 -+
42695 -+void wg_packet_send_keepalive(struct wg_peer *peer)
42696 -+{
42697 -+ struct sk_buff *skb;
42698 -+
42699 -+ if (skb_queue_empty(&peer->staged_packet_queue)) {
42700 -+ skb = alloc_skb(DATA_PACKET_HEAD_ROOM + MESSAGE_MINIMUM_LENGTH,
42701 -+ GFP_ATOMIC);
42702 -+ if (unlikely(!skb))
42703 -+ return;
42704 -+ skb_reserve(skb, DATA_PACKET_HEAD_ROOM);
42705 -+ skb->dev = peer->device->dev;
42706 -+ PACKET_CB(skb)->mtu = skb->dev->mtu;
42707 -+ skb_queue_tail(&peer->staged_packet_queue, skb);
42708 -+ net_dbg_ratelimited("%s: Sending keepalive packet to peer %llu (%pISpfsc)\n",
42709 -+ peer->device->dev->name, peer->internal_id,
42710 -+ &peer->endpoint.addr);
42711 -+ }
42712 -+
42713 -+ wg_packet_send_staged_packets(peer);
42714 -+}
42715 -+
42716 -+static void wg_packet_create_data_done(struct sk_buff *first,
42717 -+ struct wg_peer *peer)
42718 -+{
42719 -+ struct sk_buff *skb, *next;
42720 -+ bool is_keepalive, data_sent = false;
42721 -+
42722 -+ wg_timers_any_authenticated_packet_traversal(peer);
42723 -+ wg_timers_any_authenticated_packet_sent(peer);
42724 -+ skb_list_walk_safe(first, skb, next) {
42725 -+ is_keepalive = skb->len == message_data_len(0);
42726 -+ if (likely(!wg_socket_send_skb_to_peer(peer, skb,
42727 -+ PACKET_CB(skb)->ds) && !is_keepalive))
42728 -+ data_sent = true;
42729 -+ }
42730 -+
42731 -+ if (likely(data_sent))
42732 -+ wg_timers_data_sent(peer);
42733 -+
42734 -+ keep_key_fresh(peer);
42735 -+}
42736 -+
42737 -+void wg_packet_tx_worker(struct work_struct *work)
42738 -+{
42739 -+ struct crypt_queue *queue = container_of(work, struct crypt_queue,
42740 -+ work);
42741 -+ struct noise_keypair *keypair;
42742 -+ enum packet_state state;
42743 -+ struct sk_buff *first;
42744 -+ struct wg_peer *peer;
42745 -+
42746 -+ while ((first = __ptr_ring_peek(&queue->ring)) != NULL &&
42747 -+ (state = atomic_read_acquire(&PACKET_CB(first)->state)) !=
42748 -+ PACKET_STATE_UNCRYPTED) {
42749 -+ __ptr_ring_discard_one(&queue->ring);
42750 -+ peer = PACKET_PEER(first);
42751 -+ keypair = PACKET_CB(first)->keypair;
42752 -+
42753 -+ if (likely(state == PACKET_STATE_CRYPTED))
42754 -+ wg_packet_create_data_done(first, peer);
42755 -+ else
42756 -+ kfree_skb_list(first);
42757 -+
42758 -+ wg_noise_keypair_put(keypair, false);
42759 -+ wg_peer_put(peer);
42760 -+ if (need_resched())
42761 -+ cond_resched();
42762 -+ }
42763 -+}
42764 -+
42765 -+void wg_packet_encrypt_worker(struct work_struct *work)
42766 -+{
42767 -+ struct crypt_queue *queue = container_of(work, struct multicore_worker,
42768 -+ work)->ptr;
42769 -+ struct sk_buff *first, *skb, *next;
42770 -+
42771 -+ while ((first = ptr_ring_consume_bh(&queue->ring)) != NULL) {
42772 -+ enum packet_state state = PACKET_STATE_CRYPTED;
42773 -+
42774 -+ skb_list_walk_safe(first, skb, next) {
42775 -+ if (likely(encrypt_packet(skb,
42776 -+ PACKET_CB(first)->keypair))) {
42777 -+ wg_reset_packet(skb, true);
42778 -+ } else {
42779 -+ state = PACKET_STATE_DEAD;
42780 -+ break;
42781 -+ }
42782 -+ }
42783 -+ wg_queue_enqueue_per_peer(&PACKET_PEER(first)->tx_queue, first,
42784 -+ state);
42785 -+ if (need_resched())
42786 -+ cond_resched();
42787 -+ }
42788 -+}
42789 -+
42790 -+static void wg_packet_create_data(struct sk_buff *first)
42791 -+{
42792 -+ struct wg_peer *peer = PACKET_PEER(first);
42793 -+ struct wg_device *wg = peer->device;
42794 -+ int ret = -EINVAL;
42795 -+
42796 -+ rcu_read_lock_bh();
42797 -+ if (unlikely(READ_ONCE(peer->is_dead)))
42798 -+ goto err;
42799 -+
42800 -+ ret = wg_queue_enqueue_per_device_and_peer(&wg->encrypt_queue,
42801 -+ &peer->tx_queue, first,
42802 -+ wg->packet_crypt_wq,
42803 -+ &wg->encrypt_queue.last_cpu);
42804 -+ if (unlikely(ret == -EPIPE))
42805 -+ wg_queue_enqueue_per_peer(&peer->tx_queue, first,
42806 -+ PACKET_STATE_DEAD);
42807 -+err:
42808 -+ rcu_read_unlock_bh();
42809 -+ if (likely(!ret || ret == -EPIPE))
42810 -+ return;
42811 -+ wg_noise_keypair_put(PACKET_CB(first)->keypair, false);
42812 -+ wg_peer_put(peer);
42813 -+ kfree_skb_list(first);
42814 -+}
42815 -+
42816 -+void wg_packet_purge_staged_packets(struct wg_peer *peer)
42817 -+{
42818 -+ spin_lock_bh(&peer->staged_packet_queue.lock);
42819 -+ peer->device->dev->stats.tx_dropped += peer->staged_packet_queue.qlen;
42820 -+ __skb_queue_purge(&peer->staged_packet_queue);
42821 -+ spin_unlock_bh(&peer->staged_packet_queue.lock);
42822 -+}
42823 -+
42824 -+void wg_packet_send_staged_packets(struct wg_peer *peer)
42825 -+{
42826 -+ struct noise_keypair *keypair;
42827 -+ struct sk_buff_head packets;
42828 -+ struct sk_buff *skb;
42829 -+
42830 -+ /* Steal the current queue into our local one. */
42831 -+ __skb_queue_head_init(&packets);
42832 -+ spin_lock_bh(&peer->staged_packet_queue.lock);
42833 -+ skb_queue_splice_init(&peer->staged_packet_queue, &packets);
42834 -+ spin_unlock_bh(&peer->staged_packet_queue.lock);
42835 -+ if (unlikely(skb_queue_empty(&packets)))
42836 -+ return;
42837 -+
42838 -+ /* First we make sure we have a valid reference to a valid key. */
42839 -+ rcu_read_lock_bh();
42840 -+ keypair = wg_noise_keypair_get(
42841 -+ rcu_dereference_bh(peer->keypairs.current_keypair));
42842 -+ rcu_read_unlock_bh();
42843 -+ if (unlikely(!keypair))
42844 -+ goto out_nokey;
42845 -+ if (unlikely(!READ_ONCE(keypair->sending.is_valid)))
42846 -+ goto out_nokey;
42847 -+ if (unlikely(wg_birthdate_has_expired(keypair->sending.birthdate,
42848 -+ REJECT_AFTER_TIME)))
42849 -+ goto out_invalid;
42850 -+
42851 -+ /* After we know we have a somewhat valid key, we now try to assign
42852 -+ * nonces to all of the packets in the queue. If we can't assign nonces
42853 -+ * for all of them, we just consider it a failure and wait for the next
42854 -+ * handshake.
42855 -+ */
42856 -+ skb_queue_walk(&packets, skb) {
42857 -+ /* 0 for no outer TOS: no leak. TODO: at some later point, we
42858 -+ * might consider using flowi->tos as outer instead.
42859 -+ */
42860 -+ PACKET_CB(skb)->ds = ip_tunnel_ecn_encap(0, ip_hdr(skb), skb);
42861 -+ PACKET_CB(skb)->nonce =
42862 -+ atomic64_inc_return(&keypair->sending_counter) - 1;
42863 -+ if (unlikely(PACKET_CB(skb)->nonce >= REJECT_AFTER_MESSAGES))
42864 -+ goto out_invalid;
42865 -+ }
42866 -+
42867 -+ packets.prev->next = NULL;
42868 -+ wg_peer_get(keypair->entry.peer);
42869 -+ PACKET_CB(packets.next)->keypair = keypair;
42870 -+ wg_packet_create_data(packets.next);
42871 -+ return;
42872 -+
42873 -+out_invalid:
42874 -+ WRITE_ONCE(keypair->sending.is_valid, false);
42875 -+out_nokey:
42876 -+ wg_noise_keypair_put(keypair, false);
42877 -+
42878 -+ /* We orphan the packets if we're waiting on a handshake, so that they
42879 -+ * don't block a socket's pool.
42880 -+ */
42881 -+ skb_queue_walk(&packets, skb)
42882 -+ skb_orphan(skb);
42883 -+ /* Then we put them back on the top of the queue. We're not too
42884 -+ * concerned about accidentally getting things a little out of order if
42885 -+ * packets are being added really fast, because this queue is for before
42886 -+ * packets can even be sent and it's small anyway.
42887 -+ */
42888 -+ spin_lock_bh(&peer->staged_packet_queue.lock);
42889 -+ skb_queue_splice(&packets, &peer->staged_packet_queue);
42890 -+ spin_unlock_bh(&peer->staged_packet_queue.lock);
42891 -+
42892 -+ /* If we're exiting because there's something wrong with the key, it
42893 -+ * means we should initiate a new handshake.
42894 -+ */
42895 -+ wg_packet_send_queued_handshake_initiation(peer, false);
42896 -+}
42897 ---- b/drivers/net/wireguard/socket.c
42898 -+++ b/drivers/net/wireguard/socket.c
42899 -@@ -0,0 +1,436 @@
42900 -+// SPDX-License-Identifier: GPL-2.0
42901 -+/*
42902 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42903 -+ */
42904 -+
42905 -+#include "device.h"
42906 -+#include "peer.h"
42907 -+#include "socket.h"
42908 -+#include "queueing.h"
42909 -+#include "messages.h"
42910 -+
42911 -+#include <linux/ctype.h>
42912 -+#include <linux/net.h>
42913 -+#include <linux/if_vlan.h>
42914 -+#include <linux/if_ether.h>
42915 -+#include <linux/inetdevice.h>
42916 -+#include <net/udp_tunnel.h>
42917 -+#include <net/ipv6.h>
42918 -+
42919 -+static int send4(struct wg_device *wg, struct sk_buff *skb,
42920 -+ struct endpoint *endpoint, u8 ds, struct dst_cache *cache)
42921 -+{
42922 -+ struct flowi4 fl = {
42923 -+ .saddr = endpoint->src4.s_addr,
42924 -+ .daddr = endpoint->addr4.sin_addr.s_addr,
42925 -+ .fl4_dport = endpoint->addr4.sin_port,
42926 -+ .flowi4_mark = wg->fwmark,
42927 -+ .flowi4_proto = IPPROTO_UDP
42928 -+ };
42929 -+ struct rtable *rt = NULL;
42930 -+ struct sock *sock;
42931 -+ int ret = 0;
42932 -+
42933 -+ skb_mark_not_on_list(skb);
42934 -+ skb->dev = wg->dev;
42935 -+ skb->mark = wg->fwmark;
42936 -+
42937 -+ rcu_read_lock_bh();
42938 -+ sock = rcu_dereference_bh(wg->sock4);
42939 -+
42940 -+ if (unlikely(!sock)) {
42941 -+ ret = -ENONET;
42942 -+ goto err;
42943 -+ }
42944 -+
42945 -+ fl.fl4_sport = inet_sk(sock)->inet_sport;
42946 -+
42947 -+ if (cache)
42948 -+ rt = dst_cache_get_ip4(cache, &fl.saddr);
42949 -+
42950 -+ if (!rt) {
42951 -+ security_sk_classify_flow(sock, flowi4_to_flowi(&fl));
42952 -+ if (unlikely(!inet_confirm_addr(sock_net(sock), NULL, 0,
42953 -+ fl.saddr, RT_SCOPE_HOST))) {
42954 -+ endpoint->src4.s_addr = 0;
42955 -+ *(__force __be32 *)&endpoint->src_if4 = 0;
42956 -+ fl.saddr = 0;
42957 -+ if (cache)
42958 -+ dst_cache_reset(cache);
42959 -+ }
42960 -+ rt = ip_route_output_flow(sock_net(sock), &fl, sock);
42961 -+ if (unlikely(endpoint->src_if4 && ((IS_ERR(rt) &&
42962 -+ PTR_ERR(rt) == -EINVAL) || (!IS_ERR(rt) &&
42963 -+ rt->dst.dev->ifindex != endpoint->src_if4)))) {
42964 -+ endpoint->src4.s_addr = 0;
42965 -+ *(__force __be32 *)&endpoint->src_if4 = 0;
42966 -+ fl.saddr = 0;
42967 -+ if (cache)
42968 -+ dst_cache_reset(cache);
42969 -+ if (!IS_ERR(rt))
42970 -+ ip_rt_put(rt);
42971 -+ rt = ip_route_output_flow(sock_net(sock), &fl, sock);
42972 -+ }
42973 -+ if (unlikely(IS_ERR(rt))) {
42974 -+ ret = PTR_ERR(rt);
42975 -+ net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
42976 -+ wg->dev->name, &endpoint->addr, ret);
42977 -+ goto err;
42978 -+ }
42979 -+ if (cache)
42980 -+ dst_cache_set_ip4(cache, &rt->dst, fl.saddr);
42981 -+ }
42982 -+
42983 -+ skb->ignore_df = 1;
42984 -+ udp_tunnel_xmit_skb(rt, sock, skb, fl.saddr, fl.daddr, ds,
42985 -+ ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport,
42986 -+ fl.fl4_dport, false, false);
42987 -+ goto out;
42988 -+
42989 -+err:
42990 -+ kfree_skb(skb);
42991 -+out:
42992 -+ rcu_read_unlock_bh();
42993 -+ return ret;
42994 -+}
42995 -+
42996 -+static int send6(struct wg_device *wg, struct sk_buff *skb,
42997 -+ struct endpoint *endpoint, u8 ds, struct dst_cache *cache)
42998 -+{
42999 -+#if IS_ENABLED(CONFIG_IPV6)
43000 -+ struct flowi6 fl = {
43001 -+ .saddr = endpoint->src6,
43002 -+ .daddr = endpoint->addr6.sin6_addr,
43003 -+ .fl6_dport = endpoint->addr6.sin6_port,
43004 -+ .flowi6_mark = wg->fwmark,
43005 -+ .flowi6_oif = endpoint->addr6.sin6_scope_id,
43006 -+ .flowi6_proto = IPPROTO_UDP
43007 -+ /* TODO: addr->sin6_flowinfo */
43008 -+ };
43009 -+ struct dst_entry *dst = NULL;
43010 -+ struct sock *sock;
43011 -+ int ret = 0;
43012 -+
43013 -+ skb_mark_not_on_list(skb);
43014 -+ skb->dev = wg->dev;
43015 -+ skb->mark = wg->fwmark;
43016 -+
43017 -+ rcu_read_lock_bh();
43018 -+ sock = rcu_dereference_bh(wg->sock6);
43019 -+
43020 -+ if (unlikely(!sock)) {
43021 -+ ret = -ENONET;
43022 -+ goto err;
43023 -+ }
43024 -+
43025 -+ fl.fl6_sport = inet_sk(sock)->inet_sport;
43026 -+
43027 -+ if (cache)
43028 -+ dst = dst_cache_get_ip6(cache, &fl.saddr);
43029 -+
43030 -+ if (!dst) {
43031 -+ security_sk_classify_flow(sock, flowi6_to_flowi(&fl));
43032 -+ if (unlikely(!ipv6_addr_any(&fl.saddr) &&
43033 -+ !ipv6_chk_addr(sock_net(sock), &fl.saddr, NULL, 0))) {
43034 -+ endpoint->src6 = fl.saddr = in6addr_any;
43035 -+ if (cache)
43036 -+ dst_cache_reset(cache);
43037 -+ }
43038 -+ dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, &fl,
43039 -+ NULL);
43040 -+ if (unlikely(IS_ERR(dst))) {
43041 -+ ret = PTR_ERR(dst);
43042 -+ net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
43043 -+ wg->dev->name, &endpoint->addr, ret);
43044 -+ goto err;
43045 -+ }
43046 -+ if (cache)
43047 -+ dst_cache_set_ip6(cache, dst, &fl.saddr);
43048 -+ }
43049 -+
43050 -+ skb->ignore_df = 1;
43051 -+ udp_tunnel6_xmit_skb(dst, sock, skb, skb->dev, &fl.saddr, &fl.daddr, ds,
43052 -+ ip6_dst_hoplimit(dst), 0, fl.fl6_sport,
43053 -+ fl.fl6_dport, false);
43054 -+ goto out;
43055 -+
43056 -+err:
43057 -+ kfree_skb(skb);
43058 -+out:
43059 -+ rcu_read_unlock_bh();
43060 -+ return ret;
43061 -+#else
43062 -+ return -EAFNOSUPPORT;
43063 -+#endif
43064 -+}
43065 -+
43066 -+int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb, u8 ds)
43067 -+{
43068 -+ size_t skb_len = skb->len;
43069 -+ int ret = -EAFNOSUPPORT;
43070 -+
43071 -+ read_lock_bh(&peer->endpoint_lock);
43072 -+ if (peer->endpoint.addr.sa_family == AF_INET)
43073 -+ ret = send4(peer->device, skb, &peer->endpoint, ds,
43074 -+ &peer->endpoint_cache);
43075 -+ else if (peer->endpoint.addr.sa_family == AF_INET6)
43076 -+ ret = send6(peer->device, skb, &peer->endpoint, ds,
43077 -+ &peer->endpoint_cache);
43078 -+ else
43079 -+ dev_kfree_skb(skb);
43080 -+ if (likely(!ret))
43081 -+ peer->tx_bytes += skb_len;
43082 -+ read_unlock_bh(&peer->endpoint_lock);
43083 -+
43084 -+ return ret;
43085 -+}
43086 -+
43087 -+int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *buffer,
43088 -+ size_t len, u8 ds)
43089 -+{
43090 -+ struct sk_buff *skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
43091 -+
43092 -+ if (unlikely(!skb))
43093 -+ return -ENOMEM;
43094 -+
43095 -+ skb_reserve(skb, SKB_HEADER_LEN);
43096 -+ skb_set_inner_network_header(skb, 0);
43097 -+ skb_put_data(skb, buffer, len);
43098 -+ return wg_socket_send_skb_to_peer(peer, skb, ds);
43099 -+}
43100 -+
43101 -+int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
43102 -+ struct sk_buff *in_skb, void *buffer,
43103 -+ size_t len)
43104 -+{
43105 -+ int ret = 0;
43106 -+ struct sk_buff *skb;
43107 -+ struct endpoint endpoint;
43108 -+
43109 -+ if (unlikely(!in_skb))
43110 -+ return -EINVAL;
43111 -+ ret = wg_socket_endpoint_from_skb(&endpoint, in_skb);
43112 -+ if (unlikely(ret < 0))
43113 -+ return ret;
43114 -+
43115 -+ skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
43116 -+ if (unlikely(!skb))
43117 -+ return -ENOMEM;
43118 -+ skb_reserve(skb, SKB_HEADER_LEN);
43119 -+ skb_set_inner_network_header(skb, 0);
43120 -+ skb_put_data(skb, buffer, len);
43121 -+
43122 -+ if (endpoint.addr.sa_family == AF_INET)
43123 -+ ret = send4(wg, skb, &endpoint, 0, NULL);
43124 -+ else if (endpoint.addr.sa_family == AF_INET6)
43125 -+ ret = send6(wg, skb, &endpoint, 0, NULL);
43126 -+ /* No other possibilities if the endpoint is valid, which it is,
43127 -+ * as we checked above.
43128 -+ */
43129 -+
43130 -+ return ret;
43131 -+}
43132 -+
43133 -+int wg_socket_endpoint_from_skb(struct endpoint *endpoint,
43134 -+ const struct sk_buff *skb)
43135 -+{
43136 -+ memset(endpoint, 0, sizeof(*endpoint));
43137 -+ if (skb->protocol == htons(ETH_P_IP)) {
43138 -+ endpoint->addr4.sin_family = AF_INET;
43139 -+ endpoint->addr4.sin_port = udp_hdr(skb)->source;
43140 -+ endpoint->addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
43141 -+ endpoint->src4.s_addr = ip_hdr(skb)->daddr;
43142 -+ endpoint->src_if4 = skb->skb_iif;
43143 -+ } else if (skb->protocol == htons(ETH_P_IPV6)) {
43144 -+ endpoint->addr6.sin6_family = AF_INET6;
43145 -+ endpoint->addr6.sin6_port = udp_hdr(skb)->source;
43146 -+ endpoint->addr6.sin6_addr = ipv6_hdr(skb)->saddr;
43147 -+ endpoint->addr6.sin6_scope_id = ipv6_iface_scope_id(
43148 -+ &ipv6_hdr(skb)->saddr, skb->skb_iif);
43149 -+ endpoint->src6 = ipv6_hdr(skb)->daddr;
43150 -+ } else {
43151 -+ return -EINVAL;
43152 -+ }
43153 -+ return 0;
43154 -+}
43155 -+
43156 -+static bool endpoint_eq(const struct endpoint *a, const struct endpoint *b)
43157 -+{
43158 -+ return (a->addr.sa_family == AF_INET && b->addr.sa_family == AF_INET &&
43159 -+ a->addr4.sin_port == b->addr4.sin_port &&
43160 -+ a->addr4.sin_addr.s_addr == b->addr4.sin_addr.s_addr &&
43161 -+ a->src4.s_addr == b->src4.s_addr && a->src_if4 == b->src_if4) ||
43162 -+ (a->addr.sa_family == AF_INET6 &&
43163 -+ b->addr.sa_family == AF_INET6 &&
43164 -+ a->addr6.sin6_port == b->addr6.sin6_port &&
43165 -+ ipv6_addr_equal(&a->addr6.sin6_addr, &b->addr6.sin6_addr) &&
43166 -+ a->addr6.sin6_scope_id == b->addr6.sin6_scope_id &&
43167 -+ ipv6_addr_equal(&a->src6, &b->src6)) ||
43168 -+ unlikely(!a->addr.sa_family && !b->addr.sa_family);
43169 -+}
43170 -+
43171 -+void wg_socket_set_peer_endpoint(struct wg_peer *peer,
43172 -+ const struct endpoint *endpoint)
43173 -+{
43174 -+ /* First we check unlocked, in order to optimize, since it's pretty rare
43175 -+ * that an endpoint will change. If we happen to be mid-write, and two
43176 -+ * CPUs wind up writing the same thing or something slightly different,
43177 -+ * it doesn't really matter much either.
43178 -+ */
43179 -+ if (endpoint_eq(endpoint, &peer->endpoint))
43180 -+ return;
43181 -+ write_lock_bh(&peer->endpoint_lock);
43182 -+ if (endpoint->addr.sa_family == AF_INET) {
43183 -+ peer->endpoint.addr4 = endpoint->addr4;
43184 -+ peer->endpoint.src4 = endpoint->src4;
43185 -+ peer->endpoint.src_if4 = endpoint->src_if4;
43186 -+ } else if (endpoint->addr.sa_family == AF_INET6) {
43187 -+ peer->endpoint.addr6 = endpoint->addr6;
43188 -+ peer->endpoint.src6 = endpoint->src6;
43189 -+ } else {
43190 -+ goto out;
43191 -+ }
43192 -+ dst_cache_reset(&peer->endpoint_cache);
43193 -+out:
43194 -+ write_unlock_bh(&peer->endpoint_lock);
43195 -+}
43196 -+
43197 -+void wg_socket_set_peer_endpoint_from_skb(struct wg_peer *peer,
43198 -+ const struct sk_buff *skb)
43199 -+{
43200 -+ struct endpoint endpoint;
43201 -+
43202 -+ if (!wg_socket_endpoint_from_skb(&endpoint, skb))
43203 -+ wg_socket_set_peer_endpoint(peer, &endpoint);
43204 -+}
43205 -+
43206 -+void wg_socket_clear_peer_endpoint_src(struct wg_peer *peer)
43207 -+{
43208 -+ write_lock_bh(&peer->endpoint_lock);
43209 -+ memset(&peer->endpoint.src6, 0, sizeof(peer->endpoint.src6));
43210 -+ dst_cache_reset(&peer->endpoint_cache);
43211 -+ write_unlock_bh(&peer->endpoint_lock);
43212 -+}
43213 -+
43214 -+static int wg_receive(struct sock *sk, struct sk_buff *skb)
43215 -+{
43216 -+ struct wg_device *wg;
43217 -+
43218 -+ if (unlikely(!sk))
43219 -+ goto err;
43220 -+ wg = sk->sk_user_data;
43221 -+ if (unlikely(!wg))
43222 -+ goto err;
43223 -+ skb_mark_not_on_list(skb);
43224 -+ wg_packet_receive(wg, skb);
43225 -+ return 0;
43226 -+
43227 -+err:
43228 -+ kfree_skb(skb);
43229 -+ return 0;
43230 -+}
43231 -+
43232 -+static void sock_free(struct sock *sock)
43233 -+{
43234 -+ if (unlikely(!sock))
43235 -+ return;
43236 -+ sk_clear_memalloc(sock);
43237 -+ udp_tunnel_sock_release(sock->sk_socket);
43238 -+}
43239 -+
43240 -+static void set_sock_opts(struct socket *sock)
43241 -+{
43242 -+ sock->sk->sk_allocation = GFP_ATOMIC;
43243 -+ sock->sk->sk_sndbuf = INT_MAX;
43244 -+ sk_set_memalloc(sock->sk);
43245 -+}
43246 -+
43247 -+int wg_socket_init(struct wg_device *wg, u16 port)
43248 -+{
43249 -+ struct net *net;
43250 -+ int ret;
43251 -+ struct udp_tunnel_sock_cfg cfg = {
43252 -+ .sk_user_data = wg,
43253 -+ .encap_type = 1,
43254 -+ .encap_rcv = wg_receive
43255 -+ };
43256 -+ struct socket *new4 = NULL, *new6 = NULL;
43257 -+ struct udp_port_cfg port4 = {
43258 -+ .family = AF_INET,
43259 -+ .local_ip.s_addr = htonl(INADDR_ANY),
43260 -+ .local_udp_port = htons(port),
43261 -+ .use_udp_checksums = true
43262 -+ };
43263 -+#if IS_ENABLED(CONFIG_IPV6)
43264 -+ int retries = 0;
43265 -+ struct udp_port_cfg port6 = {
43266 -+ .family = AF_INET6,
43267 -+ .local_ip6 = IN6ADDR_ANY_INIT,
43268 -+ .use_udp6_tx_checksums = true,
43269 -+ .use_udp6_rx_checksums = true,
43270 -+ .ipv6_v6only = true
43271 -+ };
43272 -+#endif
43273 -+
43274 -+ rcu_read_lock();
43275 -+ net = rcu_dereference(wg->creating_net);
43276 -+ net = net ? maybe_get_net(net) : NULL;
43277 -+ rcu_read_unlock();
43278 -+ if (unlikely(!net))
43279 -+ return -ENONET;
43280 -+
43281 -+#if IS_ENABLED(CONFIG_IPV6)
43282 -+retry:
43283 -+#endif
43284 -+
43285 -+ ret = udp_sock_create(net, &port4, &new4);
43286 -+ if (ret < 0) {
43287 -+ pr_err("%s: Could not create IPv4 socket\n", wg->dev->name);
43288 -+ goto out;
43289 -+ }
43290 -+ set_sock_opts(new4);
43291 -+ setup_udp_tunnel_sock(net, new4, &cfg);
43292 -+
43293 -+#if IS_ENABLED(CONFIG_IPV6)
43294 -+ if (ipv6_mod_enabled()) {
43295 -+ port6.local_udp_port = inet_sk(new4->sk)->inet_sport;
43296 -+ ret = udp_sock_create(net, &port6, &new6);
43297 -+ if (ret < 0) {
43298 -+ udp_tunnel_sock_release(new4);
43299 -+ if (ret == -EADDRINUSE && !port && retries++ < 100)
43300 -+ goto retry;
43301 -+ pr_err("%s: Could not create IPv6 socket\n",
43302 -+ wg->dev->name);
43303 -+ goto out;
43304 -+ }
43305 -+ set_sock_opts(new6);
43306 -+ setup_udp_tunnel_sock(net, new6, &cfg);
43307 -+ }
43308 -+#endif
43309 -+
43310 -+ wg_socket_reinit(wg, new4->sk, new6 ? new6->sk : NULL);
43311 -+ ret = 0;
43312 -+out:
43313 -+ put_net(net);
43314 -+ return ret;
43315 -+}
43316 -+
43317 -+void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
43318 -+ struct sock *new6)
43319 -+{
43320 -+ struct sock *old4, *old6;
43321 -+
43322 -+ mutex_lock(&wg->socket_update_lock);
43323 -+ old4 = rcu_dereference_protected(wg->sock4,
43324 -+ lockdep_is_held(&wg->socket_update_lock));
43325 -+ old6 = rcu_dereference_protected(wg->sock6,
43326 -+ lockdep_is_held(&wg->socket_update_lock));
43327 -+ rcu_assign_pointer(wg->sock4, new4);
43328 -+ rcu_assign_pointer(wg->sock6, new6);
43329 -+ if (new4)
43330 -+ wg->incoming_port = ntohs(inet_sk(new4)->inet_sport);
43331 -+ mutex_unlock(&wg->socket_update_lock);
43332 -+ synchronize_rcu();
43333 -+ sock_free(old4);
43334 -+ sock_free(old6);
43335 -+}
43336 ---- /dev/null
43337 -+++ b/drivers/net/wireguard/socket.h
43338 -@@ -0,0 +1,44 @@
43339 -+/* SPDX-License-Identifier: GPL-2.0 */
43340 -+/*
43341 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43342 -+ */
43343 -+
43344 -+#ifndef _WG_SOCKET_H
43345 -+#define _WG_SOCKET_H
43346 -+
43347 -+#include <linux/netdevice.h>
43348 -+#include <linux/udp.h>
43349 -+#include <linux/if_vlan.h>
43350 -+#include <linux/if_ether.h>
43351 -+
43352 -+int wg_socket_init(struct wg_device *wg, u16 port);
43353 -+void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
43354 -+ struct sock *new6);
43355 -+int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *data,
43356 -+ size_t len, u8 ds);
43357 -+int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb,
43358 -+ u8 ds);
43359 -+int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
43360 -+ struct sk_buff *in_skb,
43361 -+ void *out_buffer, size_t len);
43362 -+
43363 -+int wg_socket_endpoint_from_skb(struct endpoint *endpoint,
43364 -+ const struct sk_buff *skb);
43365 -+void wg_socket_set_peer_endpoint(struct wg_peer *peer,
43366 -+ const struct endpoint *endpoint);
43367 -+void wg_socket_set_peer_endpoint_from_skb(struct wg_peer *peer,
43368 -+ const struct sk_buff *skb);
43369 -+void wg_socket_clear_peer_endpoint_src(struct wg_peer *peer);
43370 -+
43371 -+#if defined(CONFIG_DYNAMIC_DEBUG) || defined(DEBUG)
43372 -+#define net_dbg_skb_ratelimited(fmt, dev, skb, ...) do { \
43373 -+ struct endpoint __endpoint; \
43374 -+ wg_socket_endpoint_from_skb(&__endpoint, skb); \
43375 -+ net_dbg_ratelimited(fmt, dev, &__endpoint.addr, \
43376 -+ ##__VA_ARGS__); \
43377 -+ } while (0)
43378 -+#else
43379 -+#define net_dbg_skb_ratelimited(fmt, skb, ...)
43380 -+#endif
43381 -+
43382 -+#endif /* _WG_SOCKET_H */
43383 ---- /dev/null
43384 -+++ b/drivers/net/wireguard/timers.c
43385 -@@ -0,0 +1,243 @@
43386 -+// SPDX-License-Identifier: GPL-2.0
43387 -+/*
43388 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43389 -+ */
43390 -+
43391 -+#include "timers.h"
43392 -+#include "device.h"
43393 -+#include "peer.h"
43394 -+#include "queueing.h"
43395 -+#include "socket.h"
43396 -+
43397 -+/*
43398 -+ * - Timer for retransmitting the handshake if we don't hear back after
43399 -+ * `REKEY_TIMEOUT + jitter` ms.
43400 -+ *
43401 -+ * - Timer for sending empty packet if we have received a packet but after have
43402 -+ * not sent one for `KEEPALIVE_TIMEOUT` ms.
43403 -+ *
43404 -+ * - Timer for initiating new handshake if we have sent a packet but after have
43405 -+ * not received one (even empty) for `(KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) +
43406 -+ * jitter` ms.
43407 -+ *
43408 -+ * - Timer for zeroing out all ephemeral keys after `(REJECT_AFTER_TIME * 3)` ms
43409 -+ * if no new keys have been received.
43410 -+ *
43411 -+ * - Timer for, if enabled, sending an empty authenticated packet every user-
43412 -+ * specified seconds.
43413 -+ */
43414 -+
43415 -+static inline void mod_peer_timer(struct wg_peer *peer,
43416 -+ struct timer_list *timer,
43417 -+ unsigned long expires)
43418 -+{
43419 -+ rcu_read_lock_bh();
43420 -+ if (likely(netif_running(peer->device->dev) &&
43421 -+ !READ_ONCE(peer->is_dead)))
43422 -+ mod_timer(timer, expires);
43423 -+ rcu_read_unlock_bh();
43424 -+}
43425 -+
43426 -+static void wg_expired_retransmit_handshake(struct timer_list *timer)
43427 -+{
43428 -+ struct wg_peer *peer = from_timer(peer, timer,
43429 -+ timer_retransmit_handshake);
43430 -+
43431 -+ if (peer->timer_handshake_attempts > MAX_TIMER_HANDSHAKES) {
43432 -+ pr_debug("%s: Handshake for peer %llu (%pISpfsc) did not complete after %d attempts, giving up\n",
43433 -+ peer->device->dev->name, peer->internal_id,
43434 -+ &peer->endpoint.addr, MAX_TIMER_HANDSHAKES + 2);
43435 -+
43436 -+ del_timer(&peer->timer_send_keepalive);
43437 -+ /* We drop all packets without a keypair and don't try again,
43438 -+ * if we try unsuccessfully for too long to make a handshake.
43439 -+ */
43440 -+ wg_packet_purge_staged_packets(peer);
43441 -+
43442 -+ /* We set a timer for destroying any residue that might be left
43443 -+ * of a partial exchange.
43444 -+ */
43445 -+ if (!timer_pending(&peer->timer_zero_key_material))
43446 -+ mod_peer_timer(peer, &peer->timer_zero_key_material,
43447 -+ jiffies + REJECT_AFTER_TIME * 3 * HZ);
43448 -+ } else {
43449 -+ ++peer->timer_handshake_attempts;
43450 -+ pr_debug("%s: Handshake for peer %llu (%pISpfsc) did not complete after %d seconds, retrying (try %d)\n",
43451 -+ peer->device->dev->name, peer->internal_id,
43452 -+ &peer->endpoint.addr, REKEY_TIMEOUT,
43453 -+ peer->timer_handshake_attempts + 1);
43454 -+
43455 -+ /* We clear the endpoint address src address, in case this is
43456 -+ * the cause of trouble.
43457 -+ */
43458 -+ wg_socket_clear_peer_endpoint_src(peer);
43459 -+
43460 -+ wg_packet_send_queued_handshake_initiation(peer, true);
43461 -+ }
43462 -+}
43463 -+
43464 -+static void wg_expired_send_keepalive(struct timer_list *timer)
43465 -+{
43466 -+ struct wg_peer *peer = from_timer(peer, timer, timer_send_keepalive);
43467 -+
43468 -+ wg_packet_send_keepalive(peer);
43469 -+ if (peer->timer_need_another_keepalive) {
43470 -+ peer->timer_need_another_keepalive = false;
43471 -+ mod_peer_timer(peer, &peer->timer_send_keepalive,
43472 -+ jiffies + KEEPALIVE_TIMEOUT * HZ);
43473 -+ }
43474 -+}
43475 -+
43476 -+static void wg_expired_new_handshake(struct timer_list *timer)
43477 -+{
43478 -+ struct wg_peer *peer = from_timer(peer, timer, timer_new_handshake);
43479 -+
43480 -+ pr_debug("%s: Retrying handshake with peer %llu (%pISpfsc) because we stopped hearing back after %d seconds\n",
43481 -+ peer->device->dev->name, peer->internal_id,
43482 -+ &peer->endpoint.addr, KEEPALIVE_TIMEOUT + REKEY_TIMEOUT);
43483 -+ /* We clear the endpoint address src address, in case this is the cause
43484 -+ * of trouble.
43485 -+ */
43486 -+ wg_socket_clear_peer_endpoint_src(peer);
43487 -+ wg_packet_send_queued_handshake_initiation(peer, false);
43488 -+}
43489 -+
43490 -+static void wg_expired_zero_key_material(struct timer_list *timer)
43491 -+{
43492 -+ struct wg_peer *peer = from_timer(peer, timer, timer_zero_key_material);
43493 -+
43494 -+ rcu_read_lock_bh();
43495 -+ if (!READ_ONCE(peer->is_dead)) {
43496 -+ wg_peer_get(peer);
43497 -+ if (!queue_work(peer->device->handshake_send_wq,
43498 -+ &peer->clear_peer_work))
43499 -+ /* If the work was already on the queue, we want to drop
43500 -+ * the extra reference.
43501 -+ */
43502 -+ wg_peer_put(peer);
43503 -+ }
43504 -+ rcu_read_unlock_bh();
43505 -+}
43506 -+
43507 -+static void wg_queued_expired_zero_key_material(struct work_struct *work)
43508 -+{
43509 -+ struct wg_peer *peer = container_of(work, struct wg_peer,
43510 -+ clear_peer_work);
43511 -+
43512 -+ pr_debug("%s: Zeroing out all keys for peer %llu (%pISpfsc), since we haven't received a new one in %d seconds\n",
43513 -+ peer->device->dev->name, peer->internal_id,
43514 -+ &peer->endpoint.addr, REJECT_AFTER_TIME * 3);
43515 -+ wg_noise_handshake_clear(&peer->handshake);
43516 -+ wg_noise_keypairs_clear(&peer->keypairs);
43517 -+ wg_peer_put(peer);
43518 -+}
43519 -+
43520 -+static void wg_expired_send_persistent_keepalive(struct timer_list *timer)
43521 -+{
43522 -+ struct wg_peer *peer = from_timer(peer, timer,
43523 -+ timer_persistent_keepalive);
43524 -+
43525 -+ if (likely(peer->persistent_keepalive_interval))
43526 -+ wg_packet_send_keepalive(peer);
43527 -+}
43528 -+
43529 -+/* Should be called after an authenticated data packet is sent. */
43530 -+void wg_timers_data_sent(struct wg_peer *peer)
43531 -+{
43532 -+ if (!timer_pending(&peer->timer_new_handshake))
43533 -+ mod_peer_timer(peer, &peer->timer_new_handshake,
43534 -+ jiffies + (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * HZ +
43535 -+ prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES));
43536 -+}
43537 -+
43538 -+/* Should be called after an authenticated data packet is received. */
43539 -+void wg_timers_data_received(struct wg_peer *peer)
43540 -+{
43541 -+ if (likely(netif_running(peer->device->dev))) {
43542 -+ if (!timer_pending(&peer->timer_send_keepalive))
43543 -+ mod_peer_timer(peer, &peer->timer_send_keepalive,
43544 -+ jiffies + KEEPALIVE_TIMEOUT * HZ);
43545 -+ else
43546 -+ peer->timer_need_another_keepalive = true;
43547 -+ }
43548 -+}
43549 -+
43550 -+/* Should be called after any type of authenticated packet is sent, whether
43551 -+ * keepalive, data, or handshake.
43552 -+ */
43553 -+void wg_timers_any_authenticated_packet_sent(struct wg_peer *peer)
43554 -+{
43555 -+ del_timer(&peer->timer_send_keepalive);
43556 -+}
43557 -+
43558 -+/* Should be called after any type of authenticated packet is received, whether
43559 -+ * keepalive, data, or handshake.
43560 -+ */
43561 -+void wg_timers_any_authenticated_packet_received(struct wg_peer *peer)
43562 -+{
43563 -+ del_timer(&peer->timer_new_handshake);
43564 -+}
43565 -+
43566 -+/* Should be called after a handshake initiation message is sent. */
43567 -+void wg_timers_handshake_initiated(struct wg_peer *peer)
43568 -+{
43569 -+ mod_peer_timer(peer, &peer->timer_retransmit_handshake,
43570 -+ jiffies + REKEY_TIMEOUT * HZ +
43571 -+ prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES));
43572 -+}
43573 -+
43574 -+/* Should be called after a handshake response message is received and processed
43575 -+ * or when getting key confirmation via the first data message.
43576 -+ */
43577 -+void wg_timers_handshake_complete(struct wg_peer *peer)
43578 -+{
43579 -+ del_timer(&peer->timer_retransmit_handshake);
43580 -+ peer->timer_handshake_attempts = 0;
43581 -+ peer->sent_lastminute_handshake = false;
43582 -+ ktime_get_real_ts64(&peer->walltime_last_handshake);
43583 -+}
43584 -+
43585 -+/* Should be called after an ephemeral key is created, which is before sending a
43586 -+ * handshake response or after receiving a handshake response.
43587 -+ */
43588 -+void wg_timers_session_derived(struct wg_peer *peer)
43589 -+{
43590 -+ mod_peer_timer(peer, &peer->timer_zero_key_material,
43591 -+ jiffies + REJECT_AFTER_TIME * 3 * HZ);
43592 -+}
43593 -+
43594 -+/* Should be called before a packet with authentication, whether
43595 -+ * keepalive, data, or handshakem is sent, or after one is received.
43596 -+ */
43597 -+void wg_timers_any_authenticated_packet_traversal(struct wg_peer *peer)
43598 -+{
43599 -+ if (peer->persistent_keepalive_interval)
43600 -+ mod_peer_timer(peer, &peer->timer_persistent_keepalive,
43601 -+ jiffies + peer->persistent_keepalive_interval * HZ);
43602 -+}
43603 -+
43604 -+void wg_timers_init(struct wg_peer *peer)
43605 -+{
43606 -+ timer_setup(&peer->timer_retransmit_handshake,
43607 -+ wg_expired_retransmit_handshake, 0);
43608 -+ timer_setup(&peer->timer_send_keepalive, wg_expired_send_keepalive, 0);
43609 -+ timer_setup(&peer->timer_new_handshake, wg_expired_new_handshake, 0);
43610 -+ timer_setup(&peer->timer_zero_key_material,
43611 -+ wg_expired_zero_key_material, 0);
43612 -+ timer_setup(&peer->timer_persistent_keepalive,
43613 -+ wg_expired_send_persistent_keepalive, 0);
43614 -+ INIT_WORK(&peer->clear_peer_work, wg_queued_expired_zero_key_material);
43615 -+ peer->timer_handshake_attempts = 0;
43616 -+ peer->sent_lastminute_handshake = false;
43617 -+ peer->timer_need_another_keepalive = false;
43618 -+}
43619 -+
43620 -+void wg_timers_stop(struct wg_peer *peer)
43621 -+{
43622 -+ del_timer_sync(&peer->timer_retransmit_handshake);
43623 -+ del_timer_sync(&peer->timer_send_keepalive);
43624 -+ del_timer_sync(&peer->timer_new_handshake);
43625 -+ del_timer_sync(&peer->timer_zero_key_material);
43626 -+ del_timer_sync(&peer->timer_persistent_keepalive);
43627 -+ flush_work(&peer->clear_peer_work);
43628 -+}
43629 ---- /dev/null
43630 -+++ b/drivers/net/wireguard/timers.h
43631 -@@ -0,0 +1,31 @@
43632 -+/* SPDX-License-Identifier: GPL-2.0 */
43633 -+/*
43634 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43635 -+ */
43636 -+
43637 -+#ifndef _WG_TIMERS_H
43638 -+#define _WG_TIMERS_H
43639 -+
43640 -+#include <linux/ktime.h>
43641 -+
43642 -+struct wg_peer;
43643 -+
43644 -+void wg_timers_init(struct wg_peer *peer);
43645 -+void wg_timers_stop(struct wg_peer *peer);
43646 -+void wg_timers_data_sent(struct wg_peer *peer);
43647 -+void wg_timers_data_received(struct wg_peer *peer);
43648 -+void wg_timers_any_authenticated_packet_sent(struct wg_peer *peer);
43649 -+void wg_timers_any_authenticated_packet_received(struct wg_peer *peer);
43650 -+void wg_timers_handshake_initiated(struct wg_peer *peer);
43651 -+void wg_timers_handshake_complete(struct wg_peer *peer);
43652 -+void wg_timers_session_derived(struct wg_peer *peer);
43653 -+void wg_timers_any_authenticated_packet_traversal(struct wg_peer *peer);
43654 -+
43655 -+static inline bool wg_birthdate_has_expired(u64 birthday_nanoseconds,
43656 -+ u64 expiration_seconds)
43657 -+{
43658 -+ return (s64)(birthday_nanoseconds + expiration_seconds * NSEC_PER_SEC)
43659 -+ <= (s64)ktime_get_coarse_boottime_ns();
43660 -+}
43661 -+
43662 -+#endif /* _WG_TIMERS_H */
43663 ---- /dev/null
43664 -+++ b/drivers/net/wireguard/version.h
43665 -@@ -0,0 +1 @@
43666 -+#define WIREGUARD_VERSION "1.0.0"
43667 ---- b/include/uapi/linux/wireguard.h
43668 -+++ b/include/uapi/linux/wireguard.h
43669 -@@ -0,0 +1,196 @@
43670 -+/* SPDX-License-Identifier: (GPL-2.0 WITH Linux-syscall-note) OR MIT */
43671 -+/*
43672 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43673 -+ *
43674 -+ * Documentation
43675 -+ * =============
43676 -+ *
43677 -+ * The below enums and macros are for interfacing with WireGuard, using generic
43678 -+ * netlink, with family WG_GENL_NAME and version WG_GENL_VERSION. It defines two
43679 -+ * methods: get and set. Note that while they share many common attributes,
43680 -+ * these two functions actually accept a slightly different set of inputs and
43681 -+ * outputs.
43682 -+ *
43683 -+ * WG_CMD_GET_DEVICE
43684 -+ * -----------------
43685 -+ *
43686 -+ * May only be called via NLM_F_REQUEST | NLM_F_DUMP. The command should contain
43687 -+ * one but not both of:
43688 -+ *
43689 -+ * WGDEVICE_A_IFINDEX: NLA_U32
43690 -+ * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
43691 -+ *
43692 -+ * The kernel will then return several messages (NLM_F_MULTI) containing the
43693 -+ * following tree of nested items:
43694 -+ *
43695 -+ * WGDEVICE_A_IFINDEX: NLA_U32
43696 -+ * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
43697 -+ * WGDEVICE_A_PRIVATE_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43698 -+ * WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43699 -+ * WGDEVICE_A_LISTEN_PORT: NLA_U16
43700 -+ * WGDEVICE_A_FWMARK: NLA_U32
43701 -+ * WGDEVICE_A_PEERS: NLA_NESTED
43702 -+ * 0: NLA_NESTED
43703 -+ * WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43704 -+ * WGPEER_A_PRESHARED_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43705 -+ * WGPEER_A_ENDPOINT: NLA_MIN_LEN(struct sockaddr), struct sockaddr_in or struct sockaddr_in6
43706 -+ * WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16
43707 -+ * WGPEER_A_LAST_HANDSHAKE_TIME: NLA_EXACT_LEN, struct __kernel_timespec
43708 -+ * WGPEER_A_RX_BYTES: NLA_U64
43709 -+ * WGPEER_A_TX_BYTES: NLA_U64
43710 -+ * WGPEER_A_ALLOWEDIPS: NLA_NESTED
43711 -+ * 0: NLA_NESTED
43712 -+ * WGALLOWEDIP_A_FAMILY: NLA_U16
43713 -+ * WGALLOWEDIP_A_IPADDR: NLA_MIN_LEN(struct in_addr), struct in_addr or struct in6_addr
43714 -+ * WGALLOWEDIP_A_CIDR_MASK: NLA_U8
43715 -+ * 0: NLA_NESTED
43716 -+ * ...
43717 -+ * 0: NLA_NESTED
43718 -+ * ...
43719 -+ * ...
43720 -+ * WGPEER_A_PROTOCOL_VERSION: NLA_U32
43721 -+ * 0: NLA_NESTED
43722 -+ * ...
43723 -+ * ...
43724 -+ *
43725 -+ * It is possible that all of the allowed IPs of a single peer will not
43726 -+ * fit within a single netlink message. In that case, the same peer will
43727 -+ * be written in the following message, except it will only contain
43728 -+ * WGPEER_A_PUBLIC_KEY and WGPEER_A_ALLOWEDIPS. This may occur several
43729 -+ * times in a row for the same peer. It is then up to the receiver to
43730 -+ * coalesce adjacent peers. Likewise, it is possible that all peers will
43731 -+ * not fit within a single message. So, subsequent peers will be sent
43732 -+ * in following messages, except those will only contain WGDEVICE_A_IFNAME
43733 -+ * and WGDEVICE_A_PEERS. It is then up to the receiver to coalesce these
43734 -+ * messages to form the complete list of peers.
43735 -+ *
43736 -+ * Since this is an NLA_F_DUMP command, the final message will always be
43737 -+ * NLMSG_DONE, even if an error occurs. However, this NLMSG_DONE message
43738 -+ * contains an integer error code. It is either zero or a negative error
43739 -+ * code corresponding to the errno.
43740 -+ *
43741 -+ * WG_CMD_SET_DEVICE
43742 -+ * -----------------
43743 -+ *
43744 -+ * May only be called via NLM_F_REQUEST. The command should contain the
43745 -+ * following tree of nested items, containing one but not both of
43746 -+ * WGDEVICE_A_IFINDEX and WGDEVICE_A_IFNAME:
43747 -+ *
43748 -+ * WGDEVICE_A_IFINDEX: NLA_U32
43749 -+ * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
43750 -+ * WGDEVICE_A_FLAGS: NLA_U32, 0 or WGDEVICE_F_REPLACE_PEERS if all current
43751 -+ * peers should be removed prior to adding the list below.
43752 -+ * WGDEVICE_A_PRIVATE_KEY: len WG_KEY_LEN, all zeros to remove
43753 -+ * WGDEVICE_A_LISTEN_PORT: NLA_U16, 0 to choose randomly
43754 -+ * WGDEVICE_A_FWMARK: NLA_U32, 0 to disable
43755 -+ * WGDEVICE_A_PEERS: NLA_NESTED
43756 -+ * 0: NLA_NESTED
43757 -+ * WGPEER_A_PUBLIC_KEY: len WG_KEY_LEN
43758 -+ * WGPEER_A_FLAGS: NLA_U32, 0 and/or WGPEER_F_REMOVE_ME if the
43759 -+ * specified peer should not exist at the end of the
43760 -+ * operation, rather than added/updated and/or
43761 -+ * WGPEER_F_REPLACE_ALLOWEDIPS if all current allowed
43762 -+ * IPs of this peer should be removed prior to adding
43763 -+ * the list below and/or WGPEER_F_UPDATE_ONLY if the
43764 -+ * peer should only be set if it already exists.
43765 -+ * WGPEER_A_PRESHARED_KEY: len WG_KEY_LEN, all zeros to remove
43766 -+ * WGPEER_A_ENDPOINT: struct sockaddr_in or struct sockaddr_in6
43767 -+ * WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16, 0 to disable
43768 -+ * WGPEER_A_ALLOWEDIPS: NLA_NESTED
43769 -+ * 0: NLA_NESTED
43770 -+ * WGALLOWEDIP_A_FAMILY: NLA_U16
43771 -+ * WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr
43772 -+ * WGALLOWEDIP_A_CIDR_MASK: NLA_U8
43773 -+ * 0: NLA_NESTED
43774 -+ * ...
43775 -+ * 0: NLA_NESTED
43776 -+ * ...
43777 -+ * ...
43778 -+ * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at
43779 -+ * all by most users of this API, as the
43780 -+ * most recent protocol will be used when
43781 -+ * this is unset. Otherwise, must be set
43782 -+ * to 1.
43783 -+ * 0: NLA_NESTED
43784 -+ * ...
43785 -+ * ...
43786 -+ *
43787 -+ * It is possible that the amount of configuration data exceeds that of
43788 -+ * the maximum message length accepted by the kernel. In that case, several
43789 -+ * messages should be sent one after another, with each successive one
43790 -+ * filling in information not contained in the prior. Note that if
43791 -+ * WGDEVICE_F_REPLACE_PEERS is specified in the first message, it probably
43792 -+ * should not be specified in fragments that come after, so that the list
43793 -+ * of peers is only cleared the first time but appended after. Likewise for
43794 -+ * peers, if WGPEER_F_REPLACE_ALLOWEDIPS is specified in the first message
43795 -+ * of a peer, it likely should not be specified in subsequent fragments.
43796 -+ *
43797 -+ * If an error occurs, NLMSG_ERROR will reply containing an errno.
43798 -+ */
43799 -+
43800 -+#ifndef _WG_UAPI_WIREGUARD_H
43801 -+#define _WG_UAPI_WIREGUARD_H
43802 -+
43803 -+#define WG_GENL_NAME "wireguard"
43804 -+#define WG_GENL_VERSION 1
43805 -+
43806 -+#define WG_KEY_LEN 32
43807 -+
43808 -+enum wg_cmd {
43809 -+ WG_CMD_GET_DEVICE,
43810 -+ WG_CMD_SET_DEVICE,
43811 -+ __WG_CMD_MAX
43812 -+};
43813 -+#define WG_CMD_MAX (__WG_CMD_MAX - 1)
43814 -+
43815 -+enum wgdevice_flag {
43816 -+ WGDEVICE_F_REPLACE_PEERS = 1U << 0,
43817 -+ __WGDEVICE_F_ALL = WGDEVICE_F_REPLACE_PEERS
43818 -+};
43819 -+enum wgdevice_attribute {
43820 -+ WGDEVICE_A_UNSPEC,
43821 -+ WGDEVICE_A_IFINDEX,
43822 -+ WGDEVICE_A_IFNAME,
43823 -+ WGDEVICE_A_PRIVATE_KEY,
43824 -+ WGDEVICE_A_PUBLIC_KEY,
43825 -+ WGDEVICE_A_FLAGS,
43826 -+ WGDEVICE_A_LISTEN_PORT,
43827 -+ WGDEVICE_A_FWMARK,
43828 -+ WGDEVICE_A_PEERS,
43829 -+ __WGDEVICE_A_LAST
43830 -+};
43831 -+#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)
43832 -+
43833 -+enum wgpeer_flag {
43834 -+ WGPEER_F_REMOVE_ME = 1U << 0,
43835 -+ WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
43836 -+ WGPEER_F_UPDATE_ONLY = 1U << 2,
43837 -+ __WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS |
43838 -+ WGPEER_F_UPDATE_ONLY
43839 -+};
43840 -+enum wgpeer_attribute {
43841 -+ WGPEER_A_UNSPEC,
43842 -+ WGPEER_A_PUBLIC_KEY,
43843 -+ WGPEER_A_PRESHARED_KEY,
43844 -+ WGPEER_A_FLAGS,
43845 -+ WGPEER_A_ENDPOINT,
43846 -+ WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
43847 -+ WGPEER_A_LAST_HANDSHAKE_TIME,
43848 -+ WGPEER_A_RX_BYTES,
43849 -+ WGPEER_A_TX_BYTES,
43850 -+ WGPEER_A_ALLOWEDIPS,
43851 -+ WGPEER_A_PROTOCOL_VERSION,
43852 -+ __WGPEER_A_LAST
43853 -+};
43854 -+#define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
43855 -+
43856 -+enum wgallowedip_attribute {
43857 -+ WGALLOWEDIP_A_UNSPEC,
43858 -+ WGALLOWEDIP_A_FAMILY,
43859 -+ WGALLOWEDIP_A_IPADDR,
43860 -+ WGALLOWEDIP_A_CIDR_MASK,
43861 -+ __WGALLOWEDIP_A_LAST
43862 -+};
43863 -+#define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1)
43864 -+
43865 -+#endif /* _WG_UAPI_WIREGUARD_H */
43866 ---- b/tools/testing/selftests/wireguard/netns.sh
43867 -+++ b/tools/testing/selftests/wireguard/netns.sh
43868 -@@ -0,0 +1,622 @@
43869 -+#!/bin/bash
43870 -+# SPDX-License-Identifier: GPL-2.0
43871 -+#
43872 -+# Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43873 -+#
43874 -+# This script tests the below topology:
43875 -+#
43876 -+# ┌─────────────────────┐ ┌──────────────────────────────────┐ ┌─────────────────────┐
43877 -+# │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
43878 -+# │ │ │ │ │ │
43879 -+# │┌────────┐ │ │ ┌────────┐ │ │ ┌────────┐│
43880 -+# ││ wg0 │───────────┼───┼────────────│ lo │────────────┼───┼───────────│ wg0 ││
43881 -+# │├────────┴──────────┐│ │ ┌───────┴────────┴────────┐ │ │┌──────────┴────────┤│
43882 -+# ││192.168.241.1/24 ││ │ │(ns1) (ns2) │ │ ││192.168.241.2/24 ││
43883 -+# ││fd00::1/24 ││ │ │127.0.0.1:1 127.0.0.1:2│ │ ││fd00::2/24 ││
43884 -+# │└───────────────────┘│ │ │[::]:1 [::]:2 │ │ │└───────────────────┘│
43885 -+# └─────────────────────┘ │ └─────────────────────────┘ │ └─────────────────────┘
43886 -+# └──────────────────────────────────┘
43887 -+#
43888 -+# After the topology is prepared we run a series of TCP/UDP iperf3 tests between the
43889 -+# wireguard peers in $ns1 and $ns2. Note that $ns0 is the endpoint for the wg0
43890 -+# interfaces in $ns1 and $ns2. See https://www.wireguard.com/netns/ for further
43891 -+# details on how this is accomplished.
43892 -+set -e
43893 -+
43894 -+exec 3>&1
43895 -+export LANG=C
43896 -+export WG_HIDE_KEYS=never
43897 -+netns0="wg-test-$$-0"
43898 -+netns1="wg-test-$$-1"
43899 -+netns2="wg-test-$$-2"
43900 -+pretty() { echo -e "\x1b[32m\x1b[1m[+] ${1:+NS$1: }${2}\x1b[0m" >&3; }
43901 -+pp() { pretty "" "$*"; "$@"; }
43902 -+maybe_exec() { if [[ $BASHPID -eq $$ ]]; then "$@"; else exec "$@"; fi; }
43903 -+n0() { pretty 0 "$*"; maybe_exec ip netns exec $netns0 "$@"; }
43904 -+n1() { pretty 1 "$*"; maybe_exec ip netns exec $netns1 "$@"; }
43905 -+n2() { pretty 2 "$*"; maybe_exec ip netns exec $netns2 "$@"; }
43906 -+ip0() { pretty 0 "ip $*"; ip -n $netns0 "$@"; }
43907 -+ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
43908 -+ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
43909 -+sleep() { read -t "$1" -N 1 || true; }
43910 -+waitiperf() { pretty "${1//*-}" "wait for iperf:5201 pid $2"; while [[ $(ss -N "$1" -tlpH 'sport = 5201') != *\"iperf3\",pid=$2,fd=* ]]; do sleep 0.1; done; }
43911 -+waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = 1111') != *\"ncat\",pid=$2,fd=* ]]; do sleep 0.1; done; }
43912 -+waitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/net/$2/operstate\") != up ]]; do read -t .1 -N 0 || true; done;"; }
43913 -+
43914 -+cleanup() {
43915 -+ set +e
43916 -+ exec 2>/dev/null
43917 -+ printf "$orig_message_cost" > /proc/sys/net/core/message_cost
43918 -+ ip0 link del dev wg0
43919 -+ ip0 link del dev wg1
43920 -+ ip1 link del dev wg0
43921 -+ ip1 link del dev wg1
43922 -+ ip2 link del dev wg0
43923 -+ ip2 link del dev wg1
43924 -+ local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)"
43925 -+ [[ -n $to_kill ]] && kill $to_kill
43926 -+ pp ip netns del $netns1
43927 -+ pp ip netns del $netns2
43928 -+ pp ip netns del $netns0
43929 -+ exit
43930 -+}
43931 -+
43932 -+orig_message_cost="$(< /proc/sys/net/core/message_cost)"
43933 -+trap cleanup EXIT
43934 -+printf 0 > /proc/sys/net/core/message_cost
43935 -+
43936 -+ip netns del $netns0 2>/dev/null || true
43937 -+ip netns del $netns1 2>/dev/null || true
43938 -+ip netns del $netns2 2>/dev/null || true
43939 -+pp ip netns add $netns0
43940 -+pp ip netns add $netns1
43941 -+pp ip netns add $netns2
43942 -+ip0 link set up dev lo
43943 -+
43944 -+ip0 link add dev wg0 type wireguard
43945 -+ip0 link set wg0 netns $netns1
43946 -+ip0 link add dev wg0 type wireguard
43947 -+ip0 link set wg0 netns $netns2
43948 -+key1="$(pp wg genkey)"
43949 -+key2="$(pp wg genkey)"
43950 -+key3="$(pp wg genkey)"
43951 -+key4="$(pp wg genkey)"
43952 -+pub1="$(pp wg pubkey <<<"$key1")"
43953 -+pub2="$(pp wg pubkey <<<"$key2")"
43954 -+pub3="$(pp wg pubkey <<<"$key3")"
43955 -+pub4="$(pp wg pubkey <<<"$key4")"
43956 -+psk="$(pp wg genpsk)"
43957 -+[[ -n $key1 && -n $key2 && -n $psk ]]
43958 -+
43959 -+configure_peers() {
43960 -+ ip1 addr add 192.168.241.1/24 dev wg0
43961 -+ ip1 addr add fd00::1/112 dev wg0
43962 -+
43963 -+ ip2 addr add 192.168.241.2/24 dev wg0
43964 -+ ip2 addr add fd00::2/112 dev wg0
43965 -+
43966 -+ n1 wg set wg0 \
43967 -+ private-key <(echo "$key1") \
43968 -+ listen-port 1 \
43969 -+ peer "$pub2" \
43970 -+ preshared-key <(echo "$psk") \
43971 -+ allowed-ips 192.168.241.2/32,fd00::2/128
43972 -+ n2 wg set wg0 \
43973 -+ private-key <(echo "$key2") \
43974 -+ listen-port 2 \
43975 -+ peer "$pub1" \
43976 -+ preshared-key <(echo "$psk") \
43977 -+ allowed-ips 192.168.241.1/32,fd00::1/128
43978 -+
43979 -+ ip1 link set up dev wg0
43980 -+ ip2 link set up dev wg0
43981 -+}
43982 -+configure_peers
43983 -+
43984 -+tests() {
43985 -+ # Ping over IPv4
43986 -+ n2 ping -c 10 -f -W 1 192.168.241.1
43987 -+ n1 ping -c 10 -f -W 1 192.168.241.2
43988 -+
43989 -+ # Ping over IPv6
43990 -+ n2 ping6 -c 10 -f -W 1 fd00::1
43991 -+ n1 ping6 -c 10 -f -W 1 fd00::2
43992 -+
43993 -+ # TCP over IPv4
43994 -+ n2 iperf3 -s -1 -B 192.168.241.2 &
43995 -+ waitiperf $netns2 $!
43996 -+ n1 iperf3 -Z -t 3 -c 192.168.241.2
43997 -+
43998 -+ # TCP over IPv6
43999 -+ n1 iperf3 -s -1 -B fd00::1 &
44000 -+ waitiperf $netns1 $!
44001 -+ n2 iperf3 -Z -t 3 -c fd00::1
44002 -+
44003 -+ # UDP over IPv4
44004 -+ n1 iperf3 -s -1 -B 192.168.241.1 &
44005 -+ waitiperf $netns1 $!
44006 -+ n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
44007 -+
44008 -+ # UDP over IPv6
44009 -+ n2 iperf3 -s -1 -B fd00::2 &
44010 -+ waitiperf $netns2 $!
44011 -+ n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
44012 -+}
44013 -+
44014 -+[[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
44015 -+big_mtu=$(( 34816 - 1500 + $orig_mtu ))
44016 -+
44017 -+# Test using IPv4 as outer transport
44018 -+n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
44019 -+n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
44020 -+# Before calling tests, we first make sure that the stats counters and timestamper are working
44021 -+n2 ping -c 10 -f -W 1 192.168.241.1
44022 -+{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev wg0)
44023 -+(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
44024 -+{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev wg0)
44025 -+(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
44026 -+read _ rx_bytes tx_bytes < <(n2 wg show wg0 transfer)
44027 -+(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
44028 -+read _ rx_bytes tx_bytes < <(n1 wg show wg0 transfer)
44029 -+(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
44030 -+read _ timestamp < <(n1 wg show wg0 latest-handshakes)
44031 -+(( timestamp != 0 ))
44032 -+
44033 -+tests
44034 -+ip1 link set wg0 mtu $big_mtu
44035 -+ip2 link set wg0 mtu $big_mtu
44036 -+tests
44037 -+
44038 -+ip1 link set wg0 mtu $orig_mtu
44039 -+ip2 link set wg0 mtu $orig_mtu
44040 -+
44041 -+# Test using IPv6 as outer transport
44042 -+n1 wg set wg0 peer "$pub2" endpoint [::1]:2
44043 -+n2 wg set wg0 peer "$pub1" endpoint [::1]:1
44044 -+tests
44045 -+ip1 link set wg0 mtu $big_mtu
44046 -+ip2 link set wg0 mtu $big_mtu
44047 -+tests
44048 -+
44049 -+# Test that route MTUs work with the padding
44050 -+ip1 link set wg0 mtu 1300
44051 -+ip2 link set wg0 mtu 1300
44052 -+n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
44053 -+n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
44054 -+n0 iptables -A INPUT -m length --length 1360 -j DROP
44055 -+n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
44056 -+n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
44057 -+n2 ping -c 1 -W 1 -s 1269 192.168.241.1
44058 -+n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
44059 -+n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
44060 -+n0 iptables -F INPUT
44061 -+
44062 -+ip1 link set wg0 mtu $orig_mtu
44063 -+ip2 link set wg0 mtu $orig_mtu
44064 -+
44065 -+# Test using IPv4 that roaming works
44066 -+ip0 -4 addr del 127.0.0.1/8 dev lo
44067 -+ip0 -4 addr add 127.212.121.99/8 dev lo
44068 -+n1 wg set wg0 listen-port 9999
44069 -+n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
44070 -+n1 ping6 -W 1 -c 1 fd00::2
44071 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 127.212.121.99:9999" ]]
44072 -+
44073 -+# Test using IPv6 that roaming works
44074 -+n1 wg set wg0 listen-port 9998
44075 -+n1 wg set wg0 peer "$pub2" endpoint [::1]:2
44076 -+n1 ping -W 1 -c 1 192.168.241.2
44077 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 [::1]:9998" ]]
44078 -+
44079 -+# Test that crypto-RP filter works
44080 -+n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
44081 -+exec 4< <(n1 ncat -l -u -p 1111)
44082 -+ncat_pid=$!
44083 -+waitncatudp $netns1 $ncat_pid
44084 -+n2 ncat -u 192.168.241.1 1111 <<<"X"
44085 -+read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
44086 -+kill $ncat_pid
44087 -+more_specific_key="$(pp wg genkey | pp wg pubkey)"
44088 -+n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
44089 -+n2 wg set wg0 listen-port 9997
44090 -+exec 4< <(n1 ncat -l -u -p 1111)
44091 -+ncat_pid=$!
44092 -+waitncatudp $netns1 $ncat_pid
44093 -+n2 ncat -u 192.168.241.1 1111 <<<"X"
44094 -+! read -r -N 1 -t 1 out <&4 || false
44095 -+kill $ncat_pid
44096 -+n1 wg set wg0 peer "$more_specific_key" remove
44097 -+[[ $(n1 wg show wg0 endpoints) == "$pub2 [::1]:9997" ]]
44098 -+
44099 -+# Test that we can change private keys keys and immediately handshake
44100 -+n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192.168.241.2/32 endpoint 127.0.0.1:2
44101 -+n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32
44102 -+n1 ping -W 1 -c 1 192.168.241.2
44103 -+n1 wg set wg0 private-key <(echo "$key3")
44104 -+n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" remove
44105 -+n1 ping -W 1 -c 1 192.168.241.2
44106 -+n2 wg set wg0 peer "$pub3" remove
44107 -+
44108 -+# Test that we can route wg through wg
44109 -+ip1 addr flush dev wg0
44110 -+ip2 addr flush dev wg0
44111 -+ip1 addr add fd00::5:1/112 dev wg0
44112 -+ip2 addr add fd00::5:2/112 dev wg0
44113 -+n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd00::5:2/128 endpoint 127.0.0.1:2
44114 -+n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips fd00::5:1/128 endpoint 127.212.121.99:9998
44115 -+ip1 link add wg1 type wireguard
44116 -+ip2 link add wg1 type wireguard
44117 -+ip1 addr add 192.168.241.1/24 dev wg1
44118 -+ip1 addr add fd00::1/112 dev wg1
44119 -+ip2 addr add 192.168.241.2/24 dev wg1
44120 -+ip2 addr add fd00::2/112 dev wg1
44121 -+ip1 link set mtu 1340 up dev wg1
44122 -+ip2 link set mtu 1340 up dev wg1
44123 -+n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,fd00::2/128 endpoint [fd00::5:2]:5
44124 -+n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,fd00::1/128 endpoint [fd00::5:1]:5
44125 -+tests
44126 -+# Try to set up a routing loop between the two namespaces
44127 -+ip1 link set netns $netns0 dev wg1
44128 -+ip0 addr add 192.168.241.1/24 dev wg1
44129 -+ip0 link set up dev wg1
44130 -+n0 ping -W 1 -c 1 192.168.241.2
44131 -+n1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7
44132 -+ip2 link del wg0
44133 -+ip2 link del wg1
44134 -+! n0 ping -W 1 -c 10 -f 192.168.241.2 || false # Should not crash kernel
44135 -+
44136 -+ip0 link del wg1
44137 -+ip1 link del wg0
44138 -+
44139 -+# Test using NAT. We now change the topology to this:
44140 -+# ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐
44141 -+# │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
44142 -+# │ │ │ │ │ │
44143 -+# │ ┌─────┐ ┌─────┐ │ │ ┌──────┐ ┌──────┐ │ │ ┌─────┐ ┌─────┐ │
44144 -+# │ │ wg0 │─────────────│vethc│───────────┼────┼────│vethrc│ │vethrs│──────────────┼─────┼──│veths│────────────│ wg0 │ │
44145 -+# │ ├─────┴──────────┐ ├─────┴──────────┐│ │ ├──────┴─────────┐ ├──────┴────────────┐ │ │ ├─────┴──────────┐ ├─────┴──────────┐ │
44146 -+# │ │192.168.241.1/24│ │192.168.1.100/24││ │ │192.168.1.1/24 │ │10.0.0.1/24 │ │ │ │10.0.0.100/24 │ │192.168.241.2/24│ │
44147 -+# │ │fd00::1/24 │ │ ││ │ │ │ │SNAT:192.168.1.0/24│ │ │ │ │ │fd00::2/24 │ │
44148 -+# │ └────────────────┘ └────────────────┘│ │ └────────────────┘ └───────────────────┘ │ │ └────────────────┘ └────────────────┘ │
44149 -+# └────────────────────────────────────────┘ └────────────────────────────────────────────────┘ └────────────────────────────────────────┘
44150 -+
44151 -+ip1 link add dev wg0 type wireguard
44152 -+ip2 link add dev wg0 type wireguard
44153 -+configure_peers
44154 -+
44155 -+ip0 link add vethrc type veth peer name vethc
44156 -+ip0 link add vethrs type veth peer name veths
44157 -+ip0 link set vethc netns $netns1
44158 -+ip0 link set veths netns $netns2
44159 -+ip0 link set vethrc up
44160 -+ip0 link set vethrs up
44161 -+ip0 addr add 192.168.1.1/24 dev vethrc
44162 -+ip0 addr add 10.0.0.1/24 dev vethrs
44163 -+ip1 addr add 192.168.1.100/24 dev vethc
44164 -+ip1 link set vethc up
44165 -+ip1 route add default via 192.168.1.1
44166 -+ip2 addr add 10.0.0.100/24 dev veths
44167 -+ip2 link set veths up
44168 -+waitiface $netns0 vethrc
44169 -+waitiface $netns0 vethrs
44170 -+waitiface $netns1 vethc
44171 -+waitiface $netns2 veths
44172 -+
44173 -+n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
44174 -+n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
44175 -+n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
44176 -+n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
44177 -+
44178 -+n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
44179 -+n1 ping -W 1 -c 1 192.168.241.2
44180 -+n2 ping -W 1 -c 1 192.168.241.1
44181 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
44182 -+# Demonstrate n2 can still send packets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to see entries: `n0 conntrack -L`).
44183 -+pp sleep 3
44184 -+n2 ping -W 1 -c 1 192.168.241.1
44185 -+n1 wg set wg0 peer "$pub2" persistent-keepalive 0
44186 -+
44187 -+# Test that sk_bound_dev_if works
44188 -+n1 ping -I wg0 -c 1 -W 1 192.168.241.2
44189 -+# What about when the mark changes and the packet must be rerouted?
44190 -+n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
44191 -+n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
44192 -+n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
44193 -+n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
44194 -+
44195 -+# Test that onion routing works, even when it loops
44196 -+n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
44197 -+ip1 addr add 192.168.242.1/24 dev wg0
44198 -+ip2 link add wg1 type wireguard
44199 -+ip2 addr add 192.168.242.2/24 dev wg1
44200 -+n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
44201 -+ip2 link set wg1 up
44202 -+n1 ping -W 1 -c 1 192.168.242.2
44203 -+ip2 link del wg1
44204 -+n1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5
44205 -+! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
44206 -+n1 wg set wg0 peer "$pub3" remove
44207 -+ip1 addr del 192.168.242.1/24 dev wg0
44208 -+
44209 -+# Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address to tease out bugs.
44210 -+ip1 -6 addr add fc00::9/96 dev vethc
44211 -+ip1 -6 route add default via fc00::1
44212 -+ip2 -4 addr add 192.168.99.7/32 dev wg0
44213 -+ip2 -6 addr add abab::1111/128 dev wg0
44214 -+n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
44215 -+ip1 -6 route add default dev wg0 table 51820
44216 -+ip1 -6 rule add not fwmark 51820 table 51820
44217 -+ip1 -6 rule add table main suppress_prefixlength 0
44218 -+ip1 -4 route add default dev wg0 table 51820
44219 -+ip1 -4 rule add not fwmark 51820 table 51820
44220 -+ip1 -4 rule add table main suppress_prefixlength 0
44221 -+# Flood the pings instead of sending just one, to trigger routing table reference counting bugs.
44222 -+n1 ping -W 1 -c 100 -f 192.168.99.7
44223 -+n1 ping -W 1 -c 100 -f abab::1111
44224 -+
44225 -+# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
44226 -+n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
44227 -+n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
44228 -+n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
44229 -+ip0 -4 route add 192.168.241.1 via 10.0.0.100
44230 -+n2 wg set wg0 peer "$pub1" remove
44231 -+[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
44232 -+
44233 -+n0 iptables -t nat -F
44234 -+n0 iptables -t filter -F
44235 -+n2 iptables -t nat -F
44236 -+ip0 link del vethrc
44237 -+ip0 link del vethrs
44238 -+ip1 link del wg0
44239 -+ip2 link del wg0
44240 -+
44241 -+# Test that saddr routing is sticky but not too sticky, changing to this topology:
44242 -+# ┌────────────────────────────────────────┐ ┌────────────────────────────────────────┐
44243 -+# │ $ns1 namespace │ │ $ns2 namespace │
44244 -+# │ │ │ │
44245 -+# │ ┌─────┐ ┌─────┐ │ │ ┌─────┐ ┌─────┐ │
44246 -+# │ │ wg0 │─────────────│veth1│───────────┼────┼──│veth2│────────────│ wg0 │ │
44247 -+# │ ├─────┴──────────┐ ├─────┴──────────┐│ │ ├─────┴──────────┐ ├─────┴──────────┐ │
44248 -+# │ │192.168.241.1/24│ │10.0.0.1/24 ││ │ │10.0.0.2/24 │ │192.168.241.2/24│ │
44249 -+# │ │fd00::1/24 │ │fd00:aa::1/96 ││ │ │fd00:aa::2/96 │ │fd00::2/24 │ │
44250 -+# │ └────────────────┘ └────────────────┘│ │ └────────────────┘ └────────────────┘ │
44251 -+# └────────────────────────────────────────┘ └────────────────────────────────────────┘
44252 -+
44253 -+ip1 link add dev wg0 type wireguard
44254 -+ip2 link add dev wg0 type wireguard
44255 -+configure_peers
44256 -+ip1 link add veth1 type veth peer name veth2
44257 -+ip1 link set veth2 netns $netns2
44258 -+n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
44259 -+n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
44260 -+n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
44261 -+n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
44262 -+n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
44263 -+
44264 -+# First we check that we aren't overly sticky and can fall over to new IPs when old ones are removed
44265 -+ip1 addr add 10.0.0.1/24 dev veth1
44266 -+ip1 addr add fd00:aa::1/96 dev veth1
44267 -+ip2 addr add 10.0.0.2/24 dev veth2
44268 -+ip2 addr add fd00:aa::2/96 dev veth2
44269 -+ip1 link set veth1 up
44270 -+ip2 link set veth2 up
44271 -+waitiface $netns1 veth1
44272 -+waitiface $netns2 veth2
44273 -+n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
44274 -+n1 ping -W 1 -c 1 192.168.241.2
44275 -+ip1 addr add 10.0.0.10/24 dev veth1
44276 -+ip1 addr del 10.0.0.1/24 dev veth1
44277 -+n1 ping -W 1 -c 1 192.168.241.2
44278 -+n1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
44279 -+n1 ping -W 1 -c 1 192.168.241.2
44280 -+ip1 addr add fd00:aa::10/96 dev veth1
44281 -+ip1 addr del fd00:aa::1/96 dev veth1
44282 -+n1 ping -W 1 -c 1 192.168.241.2
44283 -+
44284 -+# Now we show that we can successfully do reply to sender routing
44285 -+ip1 link set veth1 down
44286 -+ip2 link set veth2 down
44287 -+ip1 addr flush dev veth1
44288 -+ip2 addr flush dev veth2
44289 -+ip1 addr add 10.0.0.1/24 dev veth1
44290 -+ip1 addr add 10.0.0.2/24 dev veth1
44291 -+ip1 addr add fd00:aa::1/96 dev veth1
44292 -+ip1 addr add fd00:aa::2/96 dev veth1
44293 -+ip2 addr add 10.0.0.3/24 dev veth2
44294 -+ip2 addr add fd00:aa::3/96 dev veth2
44295 -+ip1 link set veth1 up
44296 -+ip2 link set veth2 up
44297 -+waitiface $netns1 veth1
44298 -+waitiface $netns2 veth2
44299 -+n2 wg set wg0 peer "$pub1" endpoint 10.0.0.1:1
44300 -+n2 ping -W 1 -c 1 192.168.241.1
44301 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
44302 -+n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
44303 -+n2 ping -W 1 -c 1 192.168.241.1
44304 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 [fd00:aa::1]:1" ]]
44305 -+n2 wg set wg0 peer "$pub1" endpoint 10.0.0.2:1
44306 -+n2 ping -W 1 -c 1 192.168.241.1
44307 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.2:1" ]]
44308 -+n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::2]:1
44309 -+n2 ping -W 1 -c 1 192.168.241.1
44310 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 [fd00:aa::2]:1" ]]
44311 -+
44312 -+# What happens if the inbound destination address belongs to a different interface as the default route?
44313 -+ip1 link add dummy0 type dummy
44314 -+ip1 addr add 10.50.0.1/24 dev dummy0
44315 -+ip1 link set dummy0 up
44316 -+ip2 route add 10.50.0.0/24 dev veth2
44317 -+n2 wg set wg0 peer "$pub1" endpoint 10.50.0.1:1
44318 -+n2 ping -W 1 -c 1 192.168.241.1
44319 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 10.50.0.1:1" ]]
44320 -+
44321 -+ip1 link del dummy0
44322 -+ip1 addr flush dev veth1
44323 -+ip2 addr flush dev veth2
44324 -+ip1 route flush dev veth1
44325 -+ip2 route flush dev veth2
44326 -+
44327 -+# Now we see what happens if another interface route takes precedence over an ongoing one
44328 -+ip1 link add veth3 type veth peer name veth4
44329 -+ip1 link set veth4 netns $netns2
44330 -+ip1 addr add 10.0.0.1/24 dev veth1
44331 -+ip2 addr add 10.0.0.2/24 dev veth2
44332 -+ip1 addr add 10.0.0.3/24 dev veth3
44333 -+ip1 link set veth1 up
44334 -+ip2 link set veth2 up
44335 -+ip1 link set veth3 up
44336 -+ip2 link set veth4 up
44337 -+waitiface $netns1 veth1
44338 -+waitiface $netns2 veth2
44339 -+waitiface $netns1 veth3
44340 -+waitiface $netns2 veth4
44341 -+ip1 route flush dev veth1
44342 -+ip1 route flush dev veth3
44343 -+ip1 route add 10.0.0.0/24 dev veth1 src 10.0.0.1 metric 2
44344 -+n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
44345 -+n1 ping -W 1 -c 1 192.168.241.2
44346 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
44347 -+ip1 route add 10.0.0.0/24 dev veth3 src 10.0.0.3 metric 1
44348 -+n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
44349 -+n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
44350 -+n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
44351 -+n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
44352 -+n1 ping -W 1 -c 1 192.168.241.2
44353 -+[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]]
44354 -+
44355 -+ip1 link del veth1
44356 -+ip1 link del veth3
44357 -+ip1 link del wg0
44358 -+ip2 link del wg0
44359 -+
44360 -+# We test that Netlink/IPC is working properly by doing things that usually cause split responses
44361 -+ip0 link add dev wg0 type wireguard
44362 -+config=( "[Interface]" "PrivateKey=$(wg genkey)" "[Peer]" "PublicKey=$(wg genkey)" )
44363 -+for a in {1..255}; do
44364 -+ for b in {0..255}; do
44365 -+ config+=( "AllowedIPs=$a.$b.0.0/16,$a::$b/128" )
44366 -+ done
44367 -+done
44368 -+n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
44369 -+i=0
44370 -+for ip in $(n0 wg show wg0 allowed-ips); do
44371 -+ ((++i))
44372 -+done
44373 -+((i == 255*256*2+1))
44374 -+ip0 link del wg0
44375 -+ip0 link add dev wg0 type wireguard
44376 -+config=( "[Interface]" "PrivateKey=$(wg genkey)" )
44377 -+for a in {1..40}; do
44378 -+ config+=( "[Peer]" "PublicKey=$(wg genkey)" )
44379 -+ for b in {1..52}; do
44380 -+ config+=( "AllowedIPs=$a.$b.0.0/16" )
44381 -+ done
44382 -+done
44383 -+n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
44384 -+i=0
44385 -+while read -r line; do
44386 -+ j=0
44387 -+ for ip in $line; do
44388 -+ ((++j))
44389 -+ done
44390 -+ ((j == 53))
44391 -+ ((++i))
44392 -+done < <(n0 wg show wg0 allowed-ips)
44393 -+((i == 40))
44394 -+ip0 link del wg0
44395 -+ip0 link add wg0 type wireguard
44396 -+config=( )
44397 -+for i in {1..29}; do
44398 -+ config+=( "[Peer]" "PublicKey=$(wg genkey)" )
44399 -+done
44400 -+config+=( "[Peer]" "PublicKey=$(wg genkey)" "AllowedIPs=255.2.3.4/32,abcd::255/128" )
44401 -+n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
44402 -+n0 wg showconf wg0 > /dev/null
44403 -+ip0 link del wg0
44404 -+
44405 -+allowedips=( )
44406 -+for i in {1..197}; do
44407 -+ allowedips+=( abcd::$i )
44408 -+done
44409 -+saved_ifs="$IFS"
44410 -+IFS=,
44411 -+allowedips="${allowedips[*]}"
44412 -+IFS="$saved_ifs"
44413 -+ip0 link add wg0 type wireguard
44414 -+n0 wg set wg0 peer "$pub1"
44415 -+n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
44416 -+{
44417 -+ read -r pub allowedips
44418 -+ [[ $pub == "$pub1" && $allowedips == "(none)" ]]
44419 -+ read -r pub allowedips
44420 -+ [[ $pub == "$pub2" ]]
44421 -+ i=0
44422 -+ for _ in $allowedips; do
44423 -+ ((++i))
44424 -+ done
44425 -+ ((i == 197))
44426 -+} < <(n0 wg show wg0 allowed-ips)
44427 -+ip0 link del wg0
44428 -+
44429 -+! n0 wg show doesnotexist || false
44430 -+
44431 -+ip0 link add wg0 type wireguard
44432 -+n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
44433 -+[[ $(n0 wg show wg0 private-key) == "$key1" ]]
44434 -+[[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
44435 -+n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
44436 -+[[ $(n0 wg show wg0 private-key) == "(none)" ]]
44437 -+[[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
44438 -+n0 wg set wg0 peer "$pub2"
44439 -+n0 wg set wg0 private-key <(echo "$key2")
44440 -+[[ $(n0 wg show wg0 public-key) == "$pub2" ]]
44441 -+[[ -z $(n0 wg show wg0 peers) ]]
44442 -+n0 wg set wg0 peer "$pub2"
44443 -+[[ -z $(n0 wg show wg0 peers) ]]
44444 -+n0 wg set wg0 private-key <(echo "$key1")
44445 -+n0 wg set wg0 peer "$pub2"
44446 -+[[ $(n0 wg show wg0 peers) == "$pub2" ]]
44447 -+n0 wg set wg0 private-key <(echo "/${key1:1}")
44448 -+[[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
44449 -+n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/16
44450 -+n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
44451 -+n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
44452 -+n0 wg set wg0 peer "$pub2" allowed-ips ::/0
44453 -+n0 wg set wg0 peer "$pub2" remove
44454 -+for low_order_point in AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 4Ot6fDtBuK4WVuP68Z/EatoJjeucMrH9hmIFFl9JuAA= X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEVc= 7P///////////////////////////////////////38= 7f///////////////////////////////////////38= 7v///////////////////////////////////////38=; do
44455 -+ n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
44456 -+done
44457 -+[[ -n $(n0 wg show wg0 peers) ]]
44458 -+exec 4< <(n0 ncat -l -u -p 1111)
44459 -+ncat_pid=$!
44460 -+waitncatudp $netns0 $ncat_pid
44461 -+ip0 link set wg0 up
44462 -+! read -r -n 1 -t 2 <&4 || false
44463 -+kill $ncat_pid
44464 -+ip0 link del wg0
44465 -+
44466 -+# Ensure there aren't circular reference loops
44467 -+ip1 link add wg1 type wireguard
44468 -+ip2 link add wg2 type wireguard
44469 -+ip1 link set wg1 netns $netns2
44470 -+ip2 link set wg2 netns $netns1
44471 -+pp ip netns delete $netns1
44472 -+pp ip netns delete $netns2
44473 -+pp ip netns add $netns1
44474 -+pp ip netns add $netns2
44475 -+
44476 -+sleep 2 # Wait for cleanup and grace periods
44477 -+declare -A objects
44478 -+while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
44479 -+ [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
44480 -+ objects["${BASH_REMATCH[1]}"]+="${BASH_REMATCH[2]}"
44481 -+done < /dev/kmsg
44482 -+alldeleted=1
44483 -+for object in "${!objects[@]}"; do
44484 -+ if [[ ${objects["$object"]} != *createddestroyed ]]; then
44485 -+ echo "Error: $object: merely ${objects["$object"]}" >&3
44486 -+ alldeleted=0
44487 -+ fi
44488 -+done
44489 -+[[ $alldeleted -eq 1 ]]
44490 -+pretty "" "Objects that were created were also destroyed."
44491 ---- /dev/null
44492 -+++ b/tools/testing/selftests/wireguard/qemu/.gitignore
44493 -@@ -0,0 +1,2 @@
44494 -+build/
44495 -+distfiles/
44496 ---- b/tools/testing/selftests/wireguard/qemu/Makefile
44497 -+++ b/tools/testing/selftests/wireguard/qemu/Makefile
44498 -@@ -0,0 +1,377 @@
44499 -+# SPDX-License-Identifier: GPL-2.0
44500 -+#
44501 -+# Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
44502 -+
44503 -+PWD := $(shell pwd)
44504 -+
44505 -+CHOST := $(shell gcc -dumpmachine)
44506 -+HOST_ARCH := $(firstword $(subst -, ,$(CHOST)))
44507 -+ifneq (,$(ARCH))
44508 -+CBUILD := $(subst -gcc,,$(lastword $(subst /, ,$(firstword $(wildcard $(foreach bindir,$(subst :, ,$(PATH)),$(bindir)/$(ARCH)-*-gcc))))))
44509 -+ifeq (,$(CBUILD))
44510 -+$(error The toolchain for $(ARCH) is not installed)
44511 -+endif
44512 -+else
44513 -+CBUILD := $(CHOST)
44514 -+ARCH := $(firstword $(subst -, ,$(CBUILD)))
44515 -+endif
44516 -+
44517 -+# Set these from the environment to override
44518 -+KERNEL_PATH ?= $(PWD)/../../../../..
44519 -+BUILD_PATH ?= $(PWD)/build/$(ARCH)
44520 -+DISTFILES_PATH ?= $(PWD)/distfiles
44521 -+NR_CPUS ?= 4
44522 -+
44523 -+MIRROR := https://download.wireguard.com/qemu-test/distfiles/
44524 -+
44525 -+default: qemu
44526 -+
44527 -+# variable name, tarball project name, version, tarball extension, default URI base
44528 -+define tar_download =
44529 -+$(1)_VERSION := $(3)
44530 -+$(1)_NAME := $(2)-$$($(1)_VERSION)
44531 -+$(1)_TAR := $(DISTFILES_PATH)/$$($(1)_NAME)$(4)
44532 -+$(1)_PATH := $(BUILD_PATH)/$$($(1)_NAME)
44533 -+$(call file_download,$$($(1)_NAME)$(4),$(5),$(6))
44534 -+endef
44535 -+
44536 -+define file_download =
44537 -+$(DISTFILES_PATH)/$(1):
44538 -+ mkdir -p $(DISTFILES_PATH)
44539 -+ flock -x $$@.lock -c '[ -f $$@ ] && exit 0; wget -O $$@.tmp $(MIRROR)$(1) || wget -O $$@.tmp $(2)$(1) || rm -f $$@.tmp; [ -f $$@.tmp ] || exit 1; if echo "$(3) $$@.tmp" | sha256sum -c -; then mv $$@.tmp $$@; else rm -f $$@.tmp; exit 71; fi'
44540 -+endef
44541 -+
44542 -+$(eval $(call tar_download,MUSL,musl,1.1.24,.tar.gz,https://www.musl-libc.org/releases/,1370c9a812b2cf2a7d92802510cca0058cc37e66a7bedd70051f0a34015022a3))
44543 -+$(eval $(call tar_download,IPERF,iperf,3.7,.tar.gz,https://downloads.es.net/pub/iperf/,d846040224317caf2f75c843d309a950a7db23f9b44b94688ccbe557d6d1710c))
44544 -+$(eval $(call tar_download,BASH,bash,5.0,.tar.gz,https://ftp.gnu.org/gnu/bash/,b4a80f2ac66170b2913efbfb9f2594f1f76c7b1afd11f799e22035d63077fb4d))
44545 -+$(eval $(call tar_download,IPROUTE2,iproute2,5.6.0,.tar.xz,https://www.kernel.org/pub/linux/utils/net/iproute2/,1b5b0e25ce6e23da7526ea1da044e814ad85ba761b10dd29c2b027c056b04692))
44546 -+$(eval $(call tar_download,IPTABLES,iptables,1.8.4,.tar.bz2,https://www.netfilter.org/projects/iptables/files/,993a3a5490a544c2cbf2ef15cf7e7ed21af1845baf228318d5c36ef8827e157c))
44547 -+$(eval $(call tar_download,NMAP,nmap,7.80,.tar.bz2,https://nmap.org/dist/,fcfa5a0e42099e12e4bf7a68ebe6fde05553383a682e816a7ec9256ab4773faa))
44548 -+$(eval $(call tar_download,IPUTILS,iputils,s20190709,.tar.gz,https://github.com/iputils/iputils/archive/s20190709.tar.gz/#,a15720dd741d7538dd2645f9f516d193636ae4300ff7dbc8bfca757bf166490a))
44549 -+$(eval $(call tar_download,WIREGUARD_TOOLS,wireguard-tools,1.0.20200206,.tar.xz,https://git.zx2c4.com/wireguard-tools/snapshot/,f5207248c6a3c3e3bfc9ab30b91c1897b00802ed861e1f9faaed873366078c64))
44550 -+
44551 -+KERNEL_BUILD_PATH := $(BUILD_PATH)/kernel$(if $(findstring yes,$(DEBUG_KERNEL)),-debug)
44552 -+rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
44553 -+WIREGUARD_SOURCES := $(call rwildcard,$(KERNEL_PATH)/drivers/net/wireguard/,*)
44554 -+
44555 -+export CFLAGS ?= -O3 -pipe
44556 -+export LDFLAGS ?=
44557 -+export CPPFLAGS := -I$(BUILD_PATH)/include
44558 -+
44559 -+ifeq ($(HOST_ARCH),$(ARCH))
44560 -+CROSS_COMPILE_FLAG := --host=$(CHOST)
44561 -+CFLAGS += -march=native
44562 -+STRIP := strip
44563 -+else
44564 -+$(info Cross compilation: building for $(CBUILD) using $(CHOST))
44565 -+CROSS_COMPILE_FLAG := --build=$(CBUILD) --host=$(CHOST)
44566 -+export CROSS_COMPILE=$(CBUILD)-
44567 -+STRIP := $(CBUILD)-strip
44568 -+endif
44569 -+ifeq ($(ARCH),aarch64)
44570 -+QEMU_ARCH := aarch64
44571 -+KERNEL_ARCH := arm64
44572 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm64/boot/Image
44573 -+ifeq ($(HOST_ARCH),$(ARCH))
44574 -+QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44575 -+else
44576 -+QEMU_MACHINE := -cpu cortex-a53 -machine virt
44577 -+CFLAGS += -march=armv8-a -mtune=cortex-a53
44578 -+endif
44579 -+else ifeq ($(ARCH),aarch64_be)
44580 -+QEMU_ARCH := aarch64
44581 -+KERNEL_ARCH := arm64
44582 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm64/boot/Image
44583 -+ifeq ($(HOST_ARCH),$(ARCH))
44584 -+QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44585 -+else
44586 -+QEMU_MACHINE := -cpu cortex-a53 -machine virt
44587 -+CFLAGS += -march=armv8-a -mtune=cortex-a53
44588 -+endif
44589 -+else ifeq ($(ARCH),arm)
44590 -+QEMU_ARCH := arm
44591 -+KERNEL_ARCH := arm
44592 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm/boot/zImage
44593 -+ifeq ($(HOST_ARCH),$(ARCH))
44594 -+QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44595 -+else
44596 -+QEMU_MACHINE := -cpu cortex-a15 -machine virt
44597 -+CFLAGS += -march=armv7-a -mtune=cortex-a15 -mabi=aapcs-linux
44598 -+endif
44599 -+else ifeq ($(ARCH),armeb)
44600 -+QEMU_ARCH := arm
44601 -+KERNEL_ARCH := arm
44602 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm/boot/zImage
44603 -+ifeq ($(HOST_ARCH),$(ARCH))
44604 -+QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44605 -+else
44606 -+QEMU_MACHINE := -cpu cortex-a15 -machine virt
44607 -+CFLAGS += -march=armv7-a -mabi=aapcs-linux # We don't pass -mtune=cortex-a15 due to a compiler bug on big endian.
44608 -+LDFLAGS += -Wl,--be8
44609 -+endif
44610 -+else ifeq ($(ARCH),x86_64)
44611 -+QEMU_ARCH := x86_64
44612 -+KERNEL_ARCH := x86_64
44613 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/x86/boot/bzImage
44614 -+ifeq ($(HOST_ARCH),$(ARCH))
44615 -+QEMU_MACHINE := -cpu host -machine q35,accel=kvm
44616 -+else
44617 -+QEMU_MACHINE := -cpu Skylake-Server -machine q35
44618 -+CFLAGS += -march=skylake-avx512
44619 -+endif
44620 -+else ifeq ($(ARCH),i686)
44621 -+QEMU_ARCH := i386
44622 -+KERNEL_ARCH := x86
44623 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/x86/boot/bzImage
44624 -+ifeq ($(subst x86_64,i686,$(HOST_ARCH)),$(ARCH))
44625 -+QEMU_MACHINE := -cpu host -machine q35,accel=kvm
44626 -+else
44627 -+QEMU_MACHINE := -cpu coreduo -machine q35
44628 -+CFLAGS += -march=prescott
44629 -+endif
44630 -+else ifeq ($(ARCH),mips64)
44631 -+QEMU_ARCH := mips64
44632 -+KERNEL_ARCH := mips
44633 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44634 -+ifeq ($(HOST_ARCH),$(ARCH))
44635 -+QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44636 -+CFLAGS += -EB
44637 -+else
44638 -+QEMU_MACHINE := -cpu MIPS64R2-generic -machine malta -smp 1
44639 -+CFLAGS += -march=mips64r2 -EB
44640 -+endif
44641 -+else ifeq ($(ARCH),mips64el)
44642 -+QEMU_ARCH := mips64el
44643 -+KERNEL_ARCH := mips
44644 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44645 -+ifeq ($(HOST_ARCH),$(ARCH))
44646 -+QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44647 -+CFLAGS += -EL
44648 -+else
44649 -+QEMU_MACHINE := -cpu MIPS64R2-generic -machine malta -smp 1
44650 -+CFLAGS += -march=mips64r2 -EL
44651 -+endif
44652 -+else ifeq ($(ARCH),mips)
44653 -+QEMU_ARCH := mips
44654 -+KERNEL_ARCH := mips
44655 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44656 -+ifeq ($(HOST_ARCH),$(ARCH))
44657 -+QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44658 -+CFLAGS += -EB
44659 -+else
44660 -+QEMU_MACHINE := -cpu 24Kf -machine malta -smp 1
44661 -+CFLAGS += -march=mips32r2 -EB
44662 -+endif
44663 -+else ifeq ($(ARCH),mipsel)
44664 -+QEMU_ARCH := mipsel
44665 -+KERNEL_ARCH := mips
44666 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44667 -+ifeq ($(HOST_ARCH),$(ARCH))
44668 -+QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44669 -+CFLAGS += -EL
44670 -+else
44671 -+QEMU_MACHINE := -cpu 24Kf -machine malta -smp 1
44672 -+CFLAGS += -march=mips32r2 -EL
44673 -+endif
44674 -+else ifeq ($(ARCH),powerpc64le)
44675 -+QEMU_ARCH := ppc64
44676 -+KERNEL_ARCH := powerpc
44677 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44678 -+ifeq ($(HOST_ARCH),$(ARCH))
44679 -+QEMU_MACHINE := -cpu host,accel=kvm -machine pseries
44680 -+else
44681 -+QEMU_MACHINE := -machine pseries
44682 -+endif
44683 -+CFLAGS += -mcpu=powerpc64le -mlong-double-64
44684 -+else ifeq ($(ARCH),powerpc)
44685 -+QEMU_ARCH := ppc
44686 -+KERNEL_ARCH := powerpc
44687 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/powerpc/boot/uImage
44688 -+ifeq ($(HOST_ARCH),$(ARCH))
44689 -+QEMU_MACHINE := -cpu host,accel=kvm -machine ppce500
44690 -+else
44691 -+QEMU_MACHINE := -machine ppce500
44692 -+endif
44693 -+CFLAGS += -mcpu=powerpc -mlong-double-64 -msecure-plt
44694 -+else ifeq ($(ARCH),m68k)
44695 -+QEMU_ARCH := m68k
44696 -+KERNEL_ARCH := m68k
44697 -+KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44698 -+KERNEL_CMDLINE := $(shell sed -n 's/CONFIG_CMDLINE=\(.*\)/\1/p' arch/m68k.config)
44699 -+ifeq ($(HOST_ARCH),$(ARCH))
44700 -+QEMU_MACHINE := -cpu host,accel=kvm -machine q800 -smp 1 -append $(KERNEL_CMDLINE)
44701 -+else
44702 -+QEMU_MACHINE := -machine q800 -smp 1 -append $(KERNEL_CMDLINE)
44703 -+endif
44704 -+else
44705 -+$(error I only build: x86_64, i686, arm, armeb, aarch64, aarch64_be, mips, mipsel, mips64, mips64el, powerpc64le, powerpc, m68k)
44706 -+endif
44707 -+
44708 -+REAL_CC := $(CBUILD)-gcc
44709 -+MUSL_CC := $(BUILD_PATH)/musl-gcc
44710 -+export CC := $(MUSL_CC)
44711 -+USERSPACE_DEPS := $(MUSL_CC) $(BUILD_PATH)/include/.installed $(BUILD_PATH)/include/linux/.installed
44712 -+
44713 -+build: $(KERNEL_BZIMAGE)
44714 -+qemu: $(KERNEL_BZIMAGE)
44715 -+ rm -f $(BUILD_PATH)/result
44716 -+ timeout --foreground 20m qemu-system-$(QEMU_ARCH) \
44717 -+ -nodefaults \
44718 -+ -nographic \
44719 -+ -smp $(NR_CPUS) \
44720 -+ $(QEMU_MACHINE) \
44721 -+ -m $$(grep -q CONFIG_DEBUG_KMEMLEAK=y $(KERNEL_BUILD_PATH)/.config && echo 1G || echo 256M) \
44722 -+ -serial stdio \
44723 -+ -serial file:$(BUILD_PATH)/result \
44724 -+ -no-reboot \
44725 -+ -monitor none \
44726 -+ -kernel $<
44727 -+ grep -Fq success $(BUILD_PATH)/result
44728 -+
44729 -+$(BUILD_PATH)/init-cpio-spec.txt:
44730 -+ mkdir -p $(BUILD_PATH)
44731 -+ echo "file /init $(BUILD_PATH)/init 755 0 0" > $@
44732 -+ echo "file /init.sh $(PWD)/../netns.sh 755 0 0" >> $@
44733 -+ echo "dir /dev 755 0 0" >> $@
44734 -+ echo "nod /dev/console 644 0 0 c 5 1" >> $@
44735 -+ echo "dir /bin 755 0 0" >> $@
44736 -+ echo "file /bin/iperf3 $(IPERF_PATH)/src/iperf3 755 0 0" >> $@
44737 -+ echo "file /bin/wg $(WIREGUARD_TOOLS_PATH)/src/wg 755 0 0" >> $@
44738 -+ echo "file /bin/bash $(BASH_PATH)/bash 755 0 0" >> $@
44739 -+ echo "file /bin/ip $(IPROUTE2_PATH)/ip/ip 755 0 0" >> $@
44740 -+ echo "file /bin/ss $(IPROUTE2_PATH)/misc/ss 755 0 0" >> $@
44741 -+ echo "file /bin/ping $(IPUTILS_PATH)/ping 755 0 0" >> $@
44742 -+ echo "file /bin/ncat $(NMAP_PATH)/ncat/ncat 755 0 0" >> $@
44743 -+ echo "file /bin/xtables-legacy-multi $(IPTABLES_PATH)/iptables/xtables-legacy-multi 755 0 0" >> $@
44744 -+ echo "slink /bin/iptables xtables-legacy-multi 777 0 0" >> $@
44745 -+ echo "slink /bin/ping6 ping 777 0 0" >> $@
44746 -+ echo "dir /lib 755 0 0" >> $@
44747 -+ echo "file /lib/libc.so $(MUSL_PATH)/lib/libc.so 755 0 0" >> $@
44748 -+ echo "slink /lib/ld-linux.so.1 libc.so 777 0 0" >> $@
44749 -+
44750 -+$(KERNEL_BUILD_PATH)/.config: kernel.config arch/$(ARCH).config
44751 -+ mkdir -p $(KERNEL_BUILD_PATH)
44752 -+ cp kernel.config $(KERNEL_BUILD_PATH)/minimal.config
44753 -+ printf 'CONFIG_NR_CPUS=$(NR_CPUS)\nCONFIG_INITRAMFS_SOURCE="$(BUILD_PATH)/init-cpio-spec.txt"\n' >> $(KERNEL_BUILD_PATH)/minimal.config
44754 -+ cat arch/$(ARCH).config >> $(KERNEL_BUILD_PATH)/minimal.config
44755 -+ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) allnoconfig
44756 -+ cd $(KERNEL_BUILD_PATH) && ARCH=$(KERNEL_ARCH) $(KERNEL_PATH)/scripts/kconfig/merge_config.sh -n $(KERNEL_BUILD_PATH)/.config $(KERNEL_BUILD_PATH)/minimal.config
44757 -+ $(if $(findstring yes,$(DEBUG_KERNEL)),cp debug.config $(KERNEL_BUILD_PATH) && cd $(KERNEL_BUILD_PATH) && ARCH=$(KERNEL_ARCH) $(KERNEL_PATH)/scripts/kconfig/merge_config.sh -n $(KERNEL_BUILD_PATH)/.config debug.config,)
44758 -+
44759 -+$(KERNEL_BZIMAGE): $(KERNEL_BUILD_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(MUSL_PATH)/lib/libc.so $(IPERF_PATH)/src/iperf3 $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/misc/ss $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-legacy-multi $(NMAP_PATH)/ncat/ncat $(WIREGUARD_TOOLS_PATH)/src/wg $(BUILD_PATH)/init ../netns.sh $(WIREGUARD_SOURCES)
44760 -+ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE)
44761 -+
44762 -+$(BUILD_PATH)/include/linux/.installed: | $(KERNEL_BUILD_PATH)/.config
44763 -+ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) INSTALL_HDR_PATH=$(BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE) headers_install
44764 -+ touch $@
44765 -+
44766 -+$(MUSL_PATH)/lib/libc.so: $(MUSL_TAR)
44767 -+ mkdir -p $(BUILD_PATH)
44768 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44769 -+ cd $(MUSL_PATH) && CC=$(REAL_CC) ./configure --prefix=/ --disable-static --build=$(CBUILD)
44770 -+ $(MAKE) -C $(MUSL_PATH)
44771 -+ $(STRIP) -s $@
44772 -+
44773 -+$(BUILD_PATH)/include/.installed: $(MUSL_PATH)/lib/libc.so
44774 -+ $(MAKE) -C $(MUSL_PATH) DESTDIR=$(BUILD_PATH) install-headers
44775 -+ touch $@
44776 -+
44777 -+$(MUSL_CC): $(MUSL_PATH)/lib/libc.so
44778 -+ sh $(MUSL_PATH)/tools/musl-gcc.specs.sh $(BUILD_PATH)/include $(MUSL_PATH)/lib /lib/ld-linux.so.1 > $(BUILD_PATH)/musl-gcc.specs
44779 -+ printf '#!/bin/sh\nexec "$(REAL_CC)" --specs="$(BUILD_PATH)/musl-gcc.specs" "$$@"\n' > $(BUILD_PATH)/musl-gcc
44780 -+ chmod +x $(BUILD_PATH)/musl-gcc
44781 -+
44782 -+$(IPERF_PATH)/.installed: $(IPERF_TAR)
44783 -+ mkdir -p $(BUILD_PATH)
44784 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44785 -+ sed -i '1s/^/#include <stdint.h>/' $(IPERF_PATH)/src/cjson.h $(IPERF_PATH)/src/timer.h
44786 -+ sed -i -r 's/-p?g//g' $(IPERF_PATH)/src/Makefile*
44787 -+ touch $@
44788 -+
44789 -+$(IPERF_PATH)/src/iperf3: | $(IPERF_PATH)/.installed $(USERSPACE_DEPS)
44790 -+ cd $(IPERF_PATH) && CFLAGS="$(CFLAGS) -D_GNU_SOURCE" ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --with-openssl=no
44791 -+ $(MAKE) -C $(IPERF_PATH)
44792 -+ $(STRIP) -s $@
44793 -+
44794 -+$(WIREGUARD_TOOLS_PATH)/.installed: $(WIREGUARD_TOOLS_TAR)
44795 -+ mkdir -p $(BUILD_PATH)
44796 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44797 -+ touch $@
44798 -+
44799 -+$(WIREGUARD_TOOLS_PATH)/src/wg: | $(WIREGUARD_TOOLS_PATH)/.installed $(USERSPACE_DEPS)
44800 -+ $(MAKE) -C $(WIREGUARD_TOOLS_PATH)/src wg
44801 -+ $(STRIP) -s $@
44802 -+
44803 -+$(BUILD_PATH)/init: init.c | $(USERSPACE_DEPS)
44804 -+ mkdir -p $(BUILD_PATH)
44805 -+ $(MUSL_CC) -o $@ $(CFLAGS) $(LDFLAGS) -std=gnu11 $<
44806 -+ $(STRIP) -s $@
44807 -+
44808 -+$(IPUTILS_PATH)/.installed: $(IPUTILS_TAR)
44809 -+ mkdir -p $(BUILD_PATH)
44810 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44811 -+ touch $@
44812 -+
44813 -+$(IPUTILS_PATH)/ping: | $(IPUTILS_PATH)/.installed $(USERSPACE_DEPS)
44814 -+ sed -i /atexit/d $(IPUTILS_PATH)/ping.c
44815 -+ cd $(IPUTILS_PATH) && $(CC) $(CFLAGS) -std=c99 -o $@ ping.c ping_common.c ping6_common.c iputils_common.c -D_GNU_SOURCE -D'IPUTILS_VERSION(f)=f' -lresolv $(LDFLAGS)
44816 -+ $(STRIP) -s $@
44817 -+
44818 -+$(BASH_PATH)/.installed: $(BASH_TAR)
44819 -+ mkdir -p $(BUILD_PATH)
44820 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44821 -+ touch $@
44822 -+
44823 -+$(BASH_PATH)/bash: | $(BASH_PATH)/.installed $(USERSPACE_DEPS)
44824 -+ cd $(BASH_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --without-bash-malloc --disable-debugger --disable-help-builtin --disable-history --disable-multibyte --disable-progcomp --disable-readline --disable-mem-scramble
44825 -+ $(MAKE) -C $(BASH_PATH)
44826 -+ $(STRIP) -s $@
44827 -+
44828 -+$(IPROUTE2_PATH)/.installed: $(IPROUTE2_TAR)
44829 -+ mkdir -p $(BUILD_PATH)
44830 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44831 -+ printf 'CC:=$(CC)\nPKG_CONFIG:=pkg-config\nTC_CONFIG_XT:=n\nTC_CONFIG_ATM:=n\nTC_CONFIG_IPSET:=n\nIP_CONFIG_SETNS:=y\nHAVE_ELF:=n\nHAVE_MNL:=n\nHAVE_BERKELEY_DB:=n\nHAVE_LATEX:=n\nHAVE_PDFLATEX:=n\nCFLAGS+=-DHAVE_SETNS\n' > $(IPROUTE2_PATH)/config.mk
44832 -+ printf 'lib: snapshot\n\t$$(MAKE) -C lib\nip/ip: lib\n\t$$(MAKE) -C ip ip\nmisc/ss: lib\n\t$$(MAKE) -C misc ss\n' >> $(IPROUTE2_PATH)/Makefile
44833 -+ touch $@
44834 -+
44835 -+$(IPROUTE2_PATH)/ip/ip: | $(IPROUTE2_PATH)/.installed $(USERSPACE_DEPS)
44836 -+ $(MAKE) -C $(IPROUTE2_PATH) PREFIX=/ ip/ip
44837 -+ $(STRIP) -s $@
44838 -+
44839 -+$(IPROUTE2_PATH)/misc/ss: | $(IPROUTE2_PATH)/.installed $(USERSPACE_DEPS)
44840 -+ $(MAKE) -C $(IPROUTE2_PATH) PREFIX=/ misc/ss
44841 -+ $(STRIP) -s $@
44842 -+
44843 -+$(IPTABLES_PATH)/.installed: $(IPTABLES_TAR)
44844 -+ mkdir -p $(BUILD_PATH)
44845 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44846 -+ sed -i -e "/nfnetlink=[01]/s:=[01]:=0:" -e "/nfconntrack=[01]/s:=[01]:=0:" $(IPTABLES_PATH)/configure
44847 -+ touch $@
44848 -+
44849 -+$(IPTABLES_PATH)/iptables/xtables-legacy-multi: | $(IPTABLES_PATH)/.installed $(USERSPACE_DEPS)
44850 -+ cd $(IPTABLES_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --disable-nftables --disable-bpf-compiler --disable-nfsynproxy --disable-libipq --disable-connlabel --with-kernel=$(BUILD_PATH)/include
44851 -+ $(MAKE) -C $(IPTABLES_PATH)
44852 -+ $(STRIP) -s $@
44853 -+
44854 -+$(NMAP_PATH)/.installed: $(NMAP_TAR)
44855 -+ mkdir -p $(BUILD_PATH)
44856 -+ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44857 -+ touch $@
44858 -+
44859 -+$(NMAP_PATH)/ncat/ncat: | $(NMAP_PATH)/.installed $(USERSPACE_DEPS)
44860 -+ cd $(NMAP_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --without-ndiff --without-zenmap --without-nping --with-libpcap=included --with-libpcre=included --with-libdnet=included --without-liblua --with-liblinear=included --without-nmap-update --without-openssl --with-pcap=linux --without-libssh
44861 -+ $(MAKE) -C $(NMAP_PATH)/libpcap
44862 -+ $(MAKE) -C $(NMAP_PATH)/ncat
44863 -+ $(STRIP) -s $@
44864 -+
44865 -+clean:
44866 -+ rm -rf $(BUILD_PATH)
44867 -+
44868 -+distclean: clean
44869 -+ rm -rf $(DISTFILES_PATH)
44870 -+
44871 -+menuconfig: $(KERNEL_BUILD_PATH)/.config
44872 -+ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE) menuconfig
44873 -+
44874 -+.PHONY: qemu build clean distclean menuconfig
44875 -+.DELETE_ON_ERROR:
44876 ---- /dev/null
44877 -+++ b/tools/testing/selftests/wireguard/qemu/arch/aarch64.config
44878 -@@ -0,0 +1,5 @@
44879 -+CONFIG_SERIAL_AMBA_PL011=y
44880 -+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
44881 -+CONFIG_CMDLINE_BOOL=y
44882 -+CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
44883 -+CONFIG_FRAME_WARN=1280
44884 ---- /dev/null
44885 -+++ b/tools/testing/selftests/wireguard/qemu/arch/aarch64_be.config
44886 -@@ -0,0 +1,6 @@
44887 -+CONFIG_CPU_BIG_ENDIAN=y
44888 -+CONFIG_SERIAL_AMBA_PL011=y
44889 -+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
44890 -+CONFIG_CMDLINE_BOOL=y
44891 -+CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
44892 -+CONFIG_FRAME_WARN=1280
44893 ---- /dev/null
44894 -+++ b/tools/testing/selftests/wireguard/qemu/arch/arm.config
44895 -@@ -0,0 +1,9 @@
44896 -+CONFIG_MMU=y
44897 -+CONFIG_ARCH_MULTI_V7=y
44898 -+CONFIG_ARCH_VIRT=y
44899 -+CONFIG_THUMB2_KERNEL=n
44900 -+CONFIG_SERIAL_AMBA_PL011=y
44901 -+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
44902 -+CONFIG_CMDLINE_BOOL=y
44903 -+CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
44904 -+CONFIG_FRAME_WARN=1024
44905 ---- /dev/null
44906 -+++ b/tools/testing/selftests/wireguard/qemu/arch/armeb.config
44907 -@@ -0,0 +1,10 @@
44908 -+CONFIG_MMU=y
44909 -+CONFIG_ARCH_MULTI_V7=y
44910 -+CONFIG_ARCH_VIRT=y
44911 -+CONFIG_THUMB2_KERNEL=n
44912 -+CONFIG_SERIAL_AMBA_PL011=y
44913 -+CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
44914 -+CONFIG_CMDLINE_BOOL=y
44915 -+CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
44916 -+CONFIG_CPU_BIG_ENDIAN=y
44917 -+CONFIG_FRAME_WARN=1024
44918 ---- /dev/null
44919 -+++ b/tools/testing/selftests/wireguard/qemu/arch/i686.config
44920 -@@ -0,0 +1,5 @@
44921 -+CONFIG_SERIAL_8250=y
44922 -+CONFIG_SERIAL_8250_CONSOLE=y
44923 -+CONFIG_CMDLINE_BOOL=y
44924 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
44925 -+CONFIG_FRAME_WARN=1024
44926 ---- b/tools/testing/selftests/wireguard/qemu/arch/m68k.config
44927 -+++ b/tools/testing/selftests/wireguard/qemu/arch/m68k.config
44928 -@@ -0,0 +1,9 @@
44929 -+CONFIG_MMU=y
44930 -+CONFIG_M68KCLASSIC=y
44931 -+CONFIG_M68040=y
44932 -+CONFIG_MAC=y
44933 -+CONFIG_SERIAL_PMACZILOG=y
44934 -+CONFIG_SERIAL_PMACZILOG_TTYS=y
44935 -+CONFIG_SERIAL_PMACZILOG_CONSOLE=y
44936 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
44937 -+CONFIG_FRAME_WARN=1024
44938 ---- /dev/null
44939 -+++ b/tools/testing/selftests/wireguard/qemu/arch/mips.config
44940 -@@ -0,0 +1,11 @@
44941 -+CONFIG_CPU_MIPS32_R2=y
44942 -+CONFIG_MIPS_MALTA=y
44943 -+CONFIG_MIPS_CPS=y
44944 -+CONFIG_MIPS_FP_SUPPORT=y
44945 -+CONFIG_POWER_RESET=y
44946 -+CONFIG_POWER_RESET_SYSCON=y
44947 -+CONFIG_SERIAL_8250=y
44948 -+CONFIG_SERIAL_8250_CONSOLE=y
44949 -+CONFIG_CMDLINE_BOOL=y
44950 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
44951 -+CONFIG_FRAME_WARN=1024
44952 ---- /dev/null
44953 -+++ b/tools/testing/selftests/wireguard/qemu/arch/mips64.config
44954 -@@ -0,0 +1,14 @@
44955 -+CONFIG_64BIT=y
44956 -+CONFIG_CPU_MIPS64_R2=y
44957 -+CONFIG_MIPS32_N32=y
44958 -+CONFIG_CPU_HAS_MSA=y
44959 -+CONFIG_MIPS_MALTA=y
44960 -+CONFIG_MIPS_CPS=y
44961 -+CONFIG_MIPS_FP_SUPPORT=y
44962 -+CONFIG_POWER_RESET=y
44963 -+CONFIG_POWER_RESET_SYSCON=y
44964 -+CONFIG_SERIAL_8250=y
44965 -+CONFIG_SERIAL_8250_CONSOLE=y
44966 -+CONFIG_CMDLINE_BOOL=y
44967 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
44968 -+CONFIG_FRAME_WARN=1280
44969 ---- /dev/null
44970 -+++ b/tools/testing/selftests/wireguard/qemu/arch/mips64el.config
44971 -@@ -0,0 +1,15 @@
44972 -+CONFIG_64BIT=y
44973 -+CONFIG_CPU_MIPS64_R2=y
44974 -+CONFIG_MIPS32_N32=y
44975 -+CONFIG_CPU_HAS_MSA=y
44976 -+CONFIG_MIPS_MALTA=y
44977 -+CONFIG_CPU_LITTLE_ENDIAN=y
44978 -+CONFIG_MIPS_CPS=y
44979 -+CONFIG_MIPS_FP_SUPPORT=y
44980 -+CONFIG_POWER_RESET=y
44981 -+CONFIG_POWER_RESET_SYSCON=y
44982 -+CONFIG_SERIAL_8250=y
44983 -+CONFIG_SERIAL_8250_CONSOLE=y
44984 -+CONFIG_CMDLINE_BOOL=y
44985 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
44986 -+CONFIG_FRAME_WARN=1280
44987 ---- /dev/null
44988 -+++ b/tools/testing/selftests/wireguard/qemu/arch/mipsel.config
44989 -@@ -0,0 +1,12 @@
44990 -+CONFIG_CPU_MIPS32_R2=y
44991 -+CONFIG_MIPS_MALTA=y
44992 -+CONFIG_CPU_LITTLE_ENDIAN=y
44993 -+CONFIG_MIPS_CPS=y
44994 -+CONFIG_MIPS_FP_SUPPORT=y
44995 -+CONFIG_POWER_RESET=y
44996 -+CONFIG_POWER_RESET_SYSCON=y
44997 -+CONFIG_SERIAL_8250=y
44998 -+CONFIG_SERIAL_8250_CONSOLE=y
44999 -+CONFIG_CMDLINE_BOOL=y
45000 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45001 -+CONFIG_FRAME_WARN=1024
45002 ---- /dev/null
45003 -+++ b/tools/testing/selftests/wireguard/qemu/arch/powerpc.config
45004 -@@ -0,0 +1,10 @@
45005 -+CONFIG_PPC_QEMU_E500=y
45006 -+CONFIG_FSL_SOC_BOOKE=y
45007 -+CONFIG_PPC_85xx=y
45008 -+CONFIG_PHYS_64BIT=y
45009 -+CONFIG_SERIAL_8250=y
45010 -+CONFIG_SERIAL_8250_CONSOLE=y
45011 -+CONFIG_MATH_EMULATION=y
45012 -+CONFIG_CMDLINE_BOOL=y
45013 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45014 -+CONFIG_FRAME_WARN=1024
45015 ---- b/tools/testing/selftests/wireguard/qemu/arch/powerpc64le.config
45016 -+++ b/tools/testing/selftests/wireguard/qemu/arch/powerpc64le.config
45017 -@@ -0,0 +1,13 @@
45018 -+CONFIG_PPC64=y
45019 -+CONFIG_PPC_PSERIES=y
45020 -+CONFIG_ALTIVEC=y
45021 -+CONFIG_VSX=y
45022 -+CONFIG_PPC_OF_BOOT_TRAMPOLINE=y
45023 -+CONFIG_PPC_RADIX_MMU=y
45024 -+CONFIG_HVC_CONSOLE=y
45025 -+CONFIG_CPU_LITTLE_ENDIAN=y
45026 -+CONFIG_CMDLINE_BOOL=y
45027 -+CONFIG_CMDLINE="console=hvc0 wg.success=hvc1"
45028 -+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
45029 -+CONFIG_FRAME_WARN=1280
45030 -+CONFIG_THREAD_SHIFT=14
45031 ---- /dev/null
45032 -+++ b/tools/testing/selftests/wireguard/qemu/arch/x86_64.config
45033 -@@ -0,0 +1,5 @@
45034 -+CONFIG_SERIAL_8250=y
45035 -+CONFIG_SERIAL_8250_CONSOLE=y
45036 -+CONFIG_CMDLINE_BOOL=y
45037 -+CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45038 -+CONFIG_FRAME_WARN=1280
45039 ---- /dev/null
45040 -+++ b/tools/testing/selftests/wireguard/qemu/debug.config
45041 -@@ -0,0 +1,67 @@
45042 -+CONFIG_LOCALVERSION="-debug"
45043 -+CONFIG_ENABLE_WARN_DEPRECATED=y
45044 -+CONFIG_ENABLE_MUST_CHECK=y
45045 -+CONFIG_FRAME_POINTER=y
45046 -+CONFIG_STACK_VALIDATION=y
45047 -+CONFIG_DEBUG_KERNEL=y
45048 -+CONFIG_DEBUG_INFO=y
45049 -+CONFIG_DEBUG_INFO_DWARF4=y
45050 -+CONFIG_PAGE_EXTENSION=y
45051 -+CONFIG_PAGE_POISONING=y
45052 -+CONFIG_DEBUG_OBJECTS=y
45053 -+CONFIG_DEBUG_OBJECTS_FREE=y
45054 -+CONFIG_DEBUG_OBJECTS_TIMERS=y
45055 -+CONFIG_DEBUG_OBJECTS_WORK=y
45056 -+CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
45057 -+CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
45058 -+CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
45059 -+CONFIG_SLUB_DEBUG_ON=y
45060 -+CONFIG_DEBUG_VM=y
45061 -+CONFIG_DEBUG_MEMORY_INIT=y
45062 -+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
45063 -+CONFIG_DEBUG_STACKOVERFLOW=y
45064 -+CONFIG_HAVE_ARCH_KMEMCHECK=y
45065 -+CONFIG_HAVE_ARCH_KASAN=y
45066 -+CONFIG_KASAN=y
45067 -+CONFIG_KASAN_INLINE=y
45068 -+CONFIG_UBSAN=y
45069 -+CONFIG_UBSAN_SANITIZE_ALL=y
45070 -+CONFIG_UBSAN_NO_ALIGNMENT=y
45071 -+CONFIG_UBSAN_NULL=y
45072 -+CONFIG_DEBUG_KMEMLEAK=y
45073 -+CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=8192
45074 -+CONFIG_DEBUG_STACK_USAGE=y
45075 -+CONFIG_DEBUG_SHIRQ=y
45076 -+CONFIG_WQ_WATCHDOG=y
45077 -+CONFIG_SCHED_DEBUG=y
45078 -+CONFIG_SCHED_INFO=y
45079 -+CONFIG_SCHEDSTATS=y
45080 -+CONFIG_SCHED_STACK_END_CHECK=y
45081 -+CONFIG_DEBUG_TIMEKEEPING=y
45082 -+CONFIG_TIMER_STATS=y
45083 -+CONFIG_DEBUG_PREEMPT=y
45084 -+CONFIG_DEBUG_RT_MUTEXES=y
45085 -+CONFIG_DEBUG_SPINLOCK=y
45086 -+CONFIG_DEBUG_MUTEXES=y
45087 -+CONFIG_DEBUG_LOCK_ALLOC=y
45088 -+CONFIG_PROVE_LOCKING=y
45089 -+CONFIG_LOCKDEP=y
45090 -+CONFIG_DEBUG_ATOMIC_SLEEP=y
45091 -+CONFIG_TRACE_IRQFLAGS=y
45092 -+CONFIG_DEBUG_BUGVERBOSE=y
45093 -+CONFIG_DEBUG_LIST=y
45094 -+CONFIG_DEBUG_PI_LIST=y
45095 -+CONFIG_PROVE_RCU=y
45096 -+CONFIG_SPARSE_RCU_POINTER=y
45097 -+CONFIG_RCU_CPU_STALL_TIMEOUT=21
45098 -+CONFIG_RCU_TRACE=y
45099 -+CONFIG_RCU_EQS_DEBUG=y
45100 -+CONFIG_USER_STACKTRACE_SUPPORT=y
45101 -+CONFIG_DEBUG_SG=y
45102 -+CONFIG_DEBUG_NOTIFIERS=y
45103 -+CONFIG_DOUBLEFAULT=y
45104 -+CONFIG_X86_DEBUG_FPU=y
45105 -+CONFIG_DEBUG_SECTION_MISMATCH=y
45106 -+CONFIG_DEBUG_PAGEALLOC=y
45107 -+CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
45108 -+CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
45109 ---- b/tools/testing/selftests/wireguard/qemu/init.c
45110 -+++ b/tools/testing/selftests/wireguard/qemu/init.c
45111 -@@ -0,0 +1,284 @@
45112 -+// SPDX-License-Identifier: GPL-2.0
45113 -+/*
45114 -+ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
45115 -+ */
45116 -+
45117 -+#define _GNU_SOURCE
45118 -+#include <unistd.h>
45119 -+#include <errno.h>
45120 -+#include <string.h>
45121 -+#include <stdio.h>
45122 -+#include <stdlib.h>
45123 -+#include <stdbool.h>
45124 -+#include <fcntl.h>
45125 -+#include <sys/wait.h>
45126 -+#include <sys/mount.h>
45127 -+#include <sys/stat.h>
45128 -+#include <sys/types.h>
45129 -+#include <sys/io.h>
45130 -+#include <sys/ioctl.h>
45131 -+#include <sys/reboot.h>
45132 -+#include <sys/utsname.h>
45133 -+#include <sys/sendfile.h>
45134 -+#include <sys/sysmacros.h>
45135 -+#include <linux/random.h>
45136 -+#include <linux/version.h>
45137 -+
45138 -+__attribute__((noreturn)) static void poweroff(void)
45139 -+{
45140 -+ fflush(stdout);
45141 -+ fflush(stderr);
45142 -+ reboot(RB_AUTOBOOT);
45143 -+ sleep(30);
45144 -+ fprintf(stderr, "\x1b[37m\x1b[41m\x1b[1mFailed to power off!!!\x1b[0m\n");
45145 -+ exit(1);
45146 -+}
45147 -+
45148 -+static void panic(const char *what)
45149 -+{
45150 -+ fprintf(stderr, "\n\n\x1b[37m\x1b[41m\x1b[1mSOMETHING WENT HORRIBLY WRONG\x1b[0m\n\n \x1b[31m\x1b[1m%s: %s\x1b[0m\n\n\x1b[37m\x1b[44m\x1b[1mPower off...\x1b[0m\n\n", what, strerror(errno));
45151 -+ poweroff();
45152 -+}
45153 -+
45154 -+#define pretty_message(msg) puts("\x1b[32m\x1b[1m" msg "\x1b[0m")
45155 -+
45156 -+static void print_banner(void)
45157 -+{
45158 -+ struct utsname utsname;
45159 -+ int len;
45160 -+
45161 -+ if (uname(&utsname) < 0)
45162 -+ panic("uname");
45163 -+
45164 -+ len = strlen(" WireGuard Test Suite on ") + strlen(utsname.sysname) + strlen(utsname.release) + strlen(utsname.machine);
45165 -+ printf("\x1b[45m\x1b[33m\x1b[1m%*.s\x1b[0m\n\x1b[45m\x1b[33m\x1b[1m WireGuard Test Suite on %s %s %s \x1b[0m\n\x1b[45m\x1b[33m\x1b[1m%*.s\x1b[0m\n\n", len, "", utsname.sysname, utsname.release, utsname.machine, len, "");
45166 -+}
45167 -+
45168 -+static void seed_rng(void)
45169 -+{
45170 -+ int fd;
45171 -+ struct {
45172 -+ int entropy_count;
45173 -+ int buffer_size;
45174 -+ unsigned char buffer[256];
45175 -+ } entropy = {
45176 -+ .entropy_count = sizeof(entropy.buffer) * 8,
45177 -+ .buffer_size = sizeof(entropy.buffer),
45178 -+ .buffer = "Adding real entropy is not actually important for these tests. Don't try this at home, kids!"
45179 -+ };
45180 -+
45181 -+ if (mknod("/dev/urandom", S_IFCHR | 0644, makedev(1, 9)))
45182 -+ panic("mknod(/dev/urandom)");
45183 -+ fd = open("/dev/urandom", O_WRONLY);
45184 -+ if (fd < 0)
45185 -+ panic("open(urandom)");
45186 -+ for (int i = 0; i < 256; ++i) {
45187 -+ if (ioctl(fd, RNDADDENTROPY, &entropy) < 0)
45188 -+ panic("ioctl(urandom)");
45189 -+ }
45190 -+ close(fd);
45191 -+}
45192 -+
45193 -+static void mount_filesystems(void)
45194 -+{
45195 -+ pretty_message("[+] Mounting filesystems...");
45196 -+ mkdir("/dev", 0755);
45197 -+ mkdir("/proc", 0755);
45198 -+ mkdir("/sys", 0755);
45199 -+ mkdir("/tmp", 0755);
45200 -+ mkdir("/run", 0755);
45201 -+ mkdir("/var", 0755);
45202 -+ if (mount("none", "/dev", "devtmpfs", 0, NULL))
45203 -+ panic("devtmpfs mount");
45204 -+ if (mount("none", "/proc", "proc", 0, NULL))
45205 -+ panic("procfs mount");
45206 -+ if (mount("none", "/sys", "sysfs", 0, NULL))
45207 -+ panic("sysfs mount");
45208 -+ if (mount("none", "/tmp", "tmpfs", 0, NULL))
45209 -+ panic("tmpfs mount");
45210 -+ if (mount("none", "/run", "tmpfs", 0, NULL))
45211 -+ panic("tmpfs mount");
45212 -+ if (mount("none", "/sys/kernel/debug", "debugfs", 0, NULL))
45213 -+ ; /* Not a problem if it fails.*/
45214 -+ if (symlink("/run", "/var/run"))
45215 -+ panic("run symlink");
45216 -+ if (symlink("/proc/self/fd", "/dev/fd"))
45217 -+ panic("fd symlink");
45218 -+}
45219 -+
45220 -+static void enable_logging(void)
45221 -+{
45222 -+ int fd;
45223 -+ pretty_message("[+] Enabling logging...");
45224 -+ fd = open("/proc/sys/kernel/printk", O_WRONLY);
45225 -+ if (fd >= 0) {
45226 -+ if (write(fd, "9\n", 2) != 2)
45227 -+ panic("write(printk)");
45228 -+ close(fd);
45229 -+ }
45230 -+ fd = open("/proc/sys/debug/exception-trace", O_WRONLY);
45231 -+ if (fd >= 0) {
45232 -+ if (write(fd, "1\n", 2) != 2)
45233 -+ panic("write(exception-trace)");
45234 -+ close(fd);
45235 -+ }
45236 -+ fd = open("/proc/sys/kernel/panic_on_warn", O_WRONLY);
45237 -+ if (fd >= 0) {
45238 -+ if (write(fd, "1\n", 2) != 2)
45239 -+ panic("write(panic_on_warn)");
45240 -+ close(fd);
45241 -+ }
45242 -+}
45243 -+
45244 -+static void kmod_selftests(void)
45245 -+{
45246 -+ FILE *file;
45247 -+ char line[2048], *start, *pass;
45248 -+ bool success = true;
45249 -+ pretty_message("[+] Module self-tests:");
45250 -+ file = fopen("/proc/kmsg", "r");
45251 -+ if (!file)
45252 -+ panic("fopen(kmsg)");
45253 -+ if (fcntl(fileno(file), F_SETFL, O_NONBLOCK) < 0)
45254 -+ panic("fcntl(kmsg, nonblock)");
45255 -+ while (fgets(line, sizeof(line), file)) {
45256 -+ start = strstr(line, "wireguard: ");
45257 -+ if (!start)
45258 -+ continue;
45259 -+ start += 11;
45260 -+ *strchrnul(start, '\n') = '\0';
45261 -+ if (strstr(start, "www.wireguard.com"))
45262 -+ break;
45263 -+ pass = strstr(start, ": pass");
45264 -+ if (!pass || pass[6] != '\0') {
45265 -+ success = false;
45266 -+ printf(" \x1b[31m* %s\x1b[0m\n", start);
45267 -+ } else
45268 -+ printf(" \x1b[32m* %s\x1b[0m\n", start);
45269 -+ }
45270 -+ fclose(file);
45271 -+ if (!success) {
45272 -+ puts("\x1b[31m\x1b[1m[-] Tests failed! \u2639\x1b[0m");
45273 -+ poweroff();
45274 -+ }
45275 -+}
45276 -+
45277 -+static void launch_tests(void)
45278 -+{
45279 -+ char cmdline[4096], *success_dev;
45280 -+ int status, fd;
45281 -+ pid_t pid;
45282 -+
45283 -+ pretty_message("[+] Launching tests...");
45284 -+ pid = fork();
45285 -+ if (pid == -1)
45286 -+ panic("fork");
45287 -+ else if (pid == 0) {
45288 -+ execl("/init.sh", "init", NULL);
45289 -+ panic("exec");
45290 -+ }
45291 -+ if (waitpid(pid, &status, 0) < 0)
45292 -+ panic("waitpid");
45293 -+ if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
45294 -+ pretty_message("[+] Tests successful! :-)");
45295 -+ fd = open("/proc/cmdline", O_RDONLY);
45296 -+ if (fd < 0)
45297 -+ panic("open(/proc/cmdline)");
45298 -+ if (read(fd, cmdline, sizeof(cmdline) - 1) <= 0)
45299 -+ panic("read(/proc/cmdline)");
45300 -+ cmdline[sizeof(cmdline) - 1] = '\0';
45301 -+ for (success_dev = strtok(cmdline, " \n"); success_dev; success_dev = strtok(NULL, " \n")) {
45302 -+ if (strncmp(success_dev, "wg.success=", 11))
45303 -+ continue;
45304 -+ memcpy(success_dev + 11 - 5, "/dev/", 5);
45305 -+ success_dev += 11 - 5;
45306 -+ break;
45307 -+ }
45308 -+ if (!success_dev || !strlen(success_dev))
45309 -+ panic("Unable to find success device");
45310 -+
45311 -+ fd = open(success_dev, O_WRONLY);
45312 -+ if (fd < 0)
45313 -+ panic("open(success_dev)");
45314 -+ if (write(fd, "success\n", 8) != 8)
45315 -+ panic("write(success_dev)");
45316 -+ close(fd);
45317 -+ } else {
45318 -+ const char *why = "unknown cause";
45319 -+ int what = -1;
45320 -+
45321 -+ if (WIFEXITED(status)) {
45322 -+ why = "exit code";
45323 -+ what = WEXITSTATUS(status);
45324 -+ } else if (WIFSIGNALED(status)) {
45325 -+ why = "signal";
45326 -+ what = WTERMSIG(status);
45327 -+ }
45328 -+ printf("\x1b[31m\x1b[1m[-] Tests failed with %s %d! \u2639\x1b[0m\n", why, what);
45329 -+ }
45330 -+}
45331 -+
45332 -+static void ensure_console(void)
45333 -+{
45334 -+ for (unsigned int i = 0; i < 1000; ++i) {
45335 -+ int fd = open("/dev/console", O_RDWR);
45336 -+ if (fd < 0) {
45337 -+ usleep(50000);
45338 -+ continue;
45339 -+ }
45340 -+ dup2(fd, 0);
45341 -+ dup2(fd, 1);
45342 -+ dup2(fd, 2);
45343 -+ close(fd);
45344 -+ if (write(1, "\0\0\0\0\n", 5) == 5)
45345 -+ return;
45346 -+ }
45347 -+ panic("Unable to open console device");
45348 -+}
45349 -+
45350 -+static void clear_leaks(void)
45351 -+{
45352 -+ int fd;
45353 -+
45354 -+ fd = open("/sys/kernel/debug/kmemleak", O_WRONLY);
45355 -+ if (fd < 0)
45356 -+ return;
45357 -+ pretty_message("[+] Starting memory leak detection...");
45358 -+ write(fd, "clear\n", 5);
45359 -+ close(fd);
45360 -+}
45361 -+
45362 -+static void check_leaks(void)
45363 -+{
45364 -+ int fd;
45365 -+
45366 -+ fd = open("/sys/kernel/debug/kmemleak", O_WRONLY);
45367 -+ if (fd < 0)
45368 -+ return;
45369 -+ pretty_message("[+] Scanning for memory leaks...");
45370 -+ sleep(2); /* Wait for any grace periods. */
45371 -+ write(fd, "scan\n", 5);
45372 -+ close(fd);
45373 -+
45374 -+ fd = open("/sys/kernel/debug/kmemleak", O_RDONLY);
45375 -+ if (fd < 0)
45376 -+ return;
45377 -+ if (sendfile(1, fd, NULL, 0x7ffff000) > 0)
45378 -+ panic("Memory leaks encountered");
45379 -+ close(fd);
45380 -+}
45381 -+
45382 -+int main(int argc, char *argv[])
45383 -+{
45384 -+ seed_rng();
45385 -+ ensure_console();
45386 -+ print_banner();
45387 -+ mount_filesystems();
45388 -+ kmod_selftests();
45389 -+ enable_logging();
45390 -+ clear_leaks();
45391 -+ launch_tests();
45392 -+ check_leaks();
45393 -+ poweroff();
45394 -+ return 1;
45395 -+}
45396 ---- b/tools/testing/selftests/wireguard/qemu/kernel.config
45397 -+++ b/tools/testing/selftests/wireguard/qemu/kernel.config
45398 -@@ -0,0 +1,90 @@
45399 -+CONFIG_LOCALVERSION=""
45400 -+CONFIG_NET=y
45401 -+CONFIG_NETDEVICES=y
45402 -+CONFIG_NET_CORE=y
45403 -+CONFIG_NET_IPIP=y
45404 -+CONFIG_DUMMY=y
45405 -+CONFIG_VETH=y
45406 -+CONFIG_MULTIUSER=y
45407 -+CONFIG_NAMESPACES=y
45408 -+CONFIG_NET_NS=y
45409 -+CONFIG_UNIX=y
45410 -+CONFIG_INET=y
45411 -+CONFIG_IPV6=y
45412 -+CONFIG_NETFILTER=y
45413 -+CONFIG_NETFILTER_ADVANCED=y
45414 -+CONFIG_NF_CONNTRACK=y
45415 -+CONFIG_NF_NAT=y
45416 -+CONFIG_NETFILTER_XTABLES=y
45417 -+CONFIG_NETFILTER_XT_NAT=y
45418 -+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
45419 -+CONFIG_NETFILTER_XT_MARK=y
45420 -+CONFIG_NF_CONNTRACK_IPV4=y
45421 -+CONFIG_NF_NAT_IPV4=y
45422 -+CONFIG_IP_NF_IPTABLES=y
45423 -+CONFIG_IP_NF_FILTER=y
45424 -+CONFIG_IP_NF_MANGLE=y
45425 -+CONFIG_IP_NF_NAT=y
45426 -+CONFIG_IP_ADVANCED_ROUTER=y
45427 -+CONFIG_IP_MULTIPLE_TABLES=y
45428 -+CONFIG_IPV6_MULTIPLE_TABLES=y
45429 -+CONFIG_TTY=y
45430 -+CONFIG_BINFMT_ELF=y
45431 -+CONFIG_BINFMT_SCRIPT=y
45432 -+CONFIG_VDSO=y
45433 -+CONFIG_VIRTUALIZATION=y
45434 -+CONFIG_HYPERVISOR_GUEST=y
45435 -+CONFIG_PARAVIRT=y
45436 -+CONFIG_KVM_GUEST=y
45437 -+CONFIG_PARAVIRT_SPINLOCKS=y
45438 -+CONFIG_PRINTK=y
45439 -+CONFIG_KALLSYMS=y
45440 -+CONFIG_BUG=y
45441 -+CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
45442 -+CONFIG_JUMP_LABEL=y
45443 -+CONFIG_EMBEDDED=n
45444 -+CONFIG_BASE_FULL=y
45445 -+CONFIG_FUTEX=y
45446 -+CONFIG_SHMEM=y
45447 -+CONFIG_SLUB=y
45448 -+CONFIG_SPARSEMEM_VMEMMAP=y
45449 -+CONFIG_SMP=y
45450 -+CONFIG_SCHED_SMT=y
45451 -+CONFIG_SCHED_MC=y
45452 -+CONFIG_NUMA=y
45453 -+CONFIG_PREEMPT=y
45454 -+CONFIG_NO_HZ=y
45455 -+CONFIG_NO_HZ_IDLE=y
45456 -+CONFIG_NO_HZ_FULL=n
45457 -+CONFIG_HZ_PERIODIC=n
45458 -+CONFIG_HIGH_RES_TIMERS=y
45459 -+CONFIG_COMPAT_32BIT_TIME=y
45460 -+CONFIG_ARCH_RANDOM=y
45461 -+CONFIG_FILE_LOCKING=y
45462 -+CONFIG_POSIX_TIMERS=y
45463 -+CONFIG_DEVTMPFS=y
45464 -+CONFIG_PROC_FS=y
45465 -+CONFIG_PROC_SYSCTL=y
45466 -+CONFIG_SYSFS=y
45467 -+CONFIG_TMPFS=y
45468 -+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=15
45469 -+CONFIG_PRINTK_TIME=y
45470 -+CONFIG_BLK_DEV_INITRD=y
45471 -+CONFIG_LEGACY_VSYSCALL_NONE=y
45472 -+CONFIG_KERNEL_GZIP=y
45473 -+CONFIG_PANIC_ON_OOPS=y
45474 -+CONFIG_BUG_ON_DATA_CORRUPTION=y
45475 -+CONFIG_LOCKUP_DETECTOR=y
45476 -+CONFIG_SOFTLOCKUP_DETECTOR=y
45477 -+CONFIG_HARDLOCKUP_DETECTOR=y
45478 -+CONFIG_WQ_WATCHDOG=y
45479 -+CONFIG_DETECT_HUNG_TASK=y
45480 -+CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
45481 -+CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
45482 -+CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
45483 -+CONFIG_PANIC_TIMEOUT=-1
45484 -+CONFIG_STACKTRACE=y
45485 -+CONFIG_EARLY_PRINTK=y
45486 -+CONFIG_GDB_SCRIPTS=y
45487 -+CONFIG_WIREGUARD=y
45488 -+CONFIG_WIREGUARD_DEBUG=y
45489 ---- a/include/net/ip_tunnels.h
45490 -+++ b/include/net/ip_tunnels.h
45491 -@@ -289,6 +289,9 @@ int ip_tunnel_newlink(struct net_device *dev, struct nlattr *tb[],
45492 - struct ip_tunnel_parm *p, __u32 fwmark);
45493 - void ip_tunnel_setup(struct net_device *dev, unsigned int net_id);
45494 -
45495 -+extern const struct header_ops ip_tunnel_header_ops;
45496 -+__be16 ip_tunnel_parse_protocol(const struct sk_buff *skb);
45497 -+
45498 - struct ip_tunnel_encap_ops {
45499 - size_t (*encap_hlen)(struct ip_tunnel_encap *e);
45500 - int (*build_header)(struct sk_buff *skb, struct ip_tunnel_encap *e,
45501 ---- a/net/ipv4/ip_tunnel_core.c
45502 -+++ b/net/ipv4/ip_tunnel_core.c
45503 -@@ -446,3 +446,21 @@ void ip_tunnel_unneed_metadata(void)
45504 - static_branch_dec(&ip_tunnel_metadata_cnt);
45505 - }
45506 - EXPORT_SYMBOL_GPL(ip_tunnel_unneed_metadata);
45507 -+
45508 -+/* Returns either the correct skb->protocol value, or 0 if invalid. */
45509 -+__be16 ip_tunnel_parse_protocol(const struct sk_buff *skb)
45510 -+{
45511 -+ if (skb_network_header(skb) >= skb->head &&
45512 -+ (skb_network_header(skb) + sizeof(struct iphdr)) <= skb_tail_pointer(skb) &&
45513 -+ ip_hdr(skb)->version == 4)
45514 -+ return htons(ETH_P_IP);
45515 -+ if (skb_network_header(skb) >= skb->head &&
45516 -+ (skb_network_header(skb) + sizeof(struct ipv6hdr)) <= skb_tail_pointer(skb) &&
45517 -+ ipv6_hdr(skb)->version == 6)
45518 -+ return htons(ETH_P_IPV6);
45519 -+ return 0;
45520 -+}
45521 -+EXPORT_SYMBOL(ip_tunnel_parse_protocol);
45522 -+
45523 -+const struct header_ops ip_tunnel_header_ops = { .parse_protocol = ip_tunnel_parse_protocol };
45524 -+EXPORT_SYMBOL(ip_tunnel_header_ops);
Report Message
Find on MARC Find on Google Groups