Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.4 commit in: /
Date: Mon, 01 Mar 2021 23:44:39
Message-Id: 1614642252.52e1185da1d0e3091ff767e49e352bca1c6eeb95.mpagano@gentoo
1 commit: 52e1185da1d0e3091ff767e49e352bca1c6eeb95
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Mon Mar 1 23:44:12 2021 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Mon Mar 1 23:44:12 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=52e1185d
7
8 Update to wireguard patch
9
10 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
11
12 0000_README | 2 +-
13 2400_wireguard-backport-v1.0.20210301.patch | 45699 ++++++++++++++++++++++++++
14 2 files changed, 45700 insertions(+), 1 deletion(-)
15
16 diff --git a/0000_README b/0000_README
17 index 6a18e82..da56dee 100644
18 --- a/0000_README
19 +++ b/0000_README
20 @@ -459,7 +459,7 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
21 From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@××××××××.org/raw
22 Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758
23
24 -Patch: 2400_wireguard-backport-v1.0.20201112.patch
25 +Patch: 2400_wireguard-backport-v1.0.20210301.patch
26 From: https://git.zx2c4.com/wireguard-linux/
27 Desc: Extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography
28
29
30 diff --git a/2400_wireguard-backport-v1.0.20210301.patch b/2400_wireguard-backport-v1.0.20210301.patch
31 new file mode 100644
32 index 0000000..88ac1de
33 --- /dev/null
34 +++ b/2400_wireguard-backport-v1.0.20210301.patch
35 @@ -0,0 +1,45699 @@
36 +--- b/crypto/Kconfig
37 ++++ b/crypto/Kconfig
38 +@@ -136,8 +136,6 @@
39 + Userspace configuration for cryptographic instantiations such as
40 + cbc(aes).
41 +
42 +-if CRYPTO_MANAGER2
43 +-
44 + config CRYPTO_MANAGER_DISABLE_TESTS
45 + bool "Disable run-time self tests"
46 + default y
47 +@@ -147,7 +145,7 @@
48 +
49 + config CRYPTO_MANAGER_EXTRA_TESTS
50 + bool "Enable extra run-time crypto self tests"
51 +- depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS
52 ++ depends on DEBUG_KERNEL && !CRYPTO_MANAGER_DISABLE_TESTS && CRYPTO_MANAGER
53 + help
54 + Enable extra run-time self tests of registered crypto algorithms,
55 + including randomized fuzz tests.
56 +@@ -155,8 +153,6 @@
57 + This is intended for developer use only, as these tests take much
58 + longer to run than the normal self tests.
59 +
60 +-endif # if CRYPTO_MANAGER2
61 +-
62 + config CRYPTO_GF128MUL
63 + tristate
64 +
65 +@@ -264,6 +260,17 @@
66 + standard algorithms (called GOST algorithms). Only signature verification
67 + is implemented.
68 +
69 ++config CRYPTO_CURVE25519
70 ++ tristate "Curve25519 algorithm"
71 ++ select CRYPTO_KPP
72 ++ select CRYPTO_LIB_CURVE25519_GENERIC
73 ++
74 ++config CRYPTO_CURVE25519_X86
75 ++ tristate "x86_64 accelerated Curve25519 scalar multiplication library"
76 ++ depends on X86 && 64BIT
77 ++ select CRYPTO_LIB_CURVE25519_GENERIC
78 ++ select CRYPTO_ARCH_HAVE_LIB_CURVE25519
79 ++
80 + comment "Authenticated Encryption with Associated Data"
81 +
82 + config CRYPTO_CCM
83 +@@ -446,7 +453,7 @@
84 + config CRYPTO_NHPOLY1305
85 + tristate
86 + select CRYPTO_HASH
87 +- select CRYPTO_POLY1305
88 ++ select CRYPTO_LIB_POLY1305_GENERIC
89 +
90 + config CRYPTO_NHPOLY1305_SSE2
91 + tristate "NHPoly1305 hash function (x86_64 SSE2 implementation)"
92 +@@ -467,7 +474,7 @@
93 + config CRYPTO_ADIANTUM
94 + tristate "Adiantum support"
95 + select CRYPTO_CHACHA20
96 +- select CRYPTO_POLY1305
97 ++ select CRYPTO_LIB_POLY1305_GENERIC
98 + select CRYPTO_NHPOLY1305
99 + select CRYPTO_MANAGER
100 + help
101 +@@ -639,6 +646,30 @@
102 + xxHash non-cryptographic hash algorithm. Extremely fast, working at
103 + speeds close to RAM limits.
104 +
105 ++config CRYPTO_BLAKE2S
106 ++ tristate "BLAKE2s digest algorithm"
107 ++ select CRYPTO_LIB_BLAKE2S_GENERIC
108 ++ select CRYPTO_HASH
109 ++ help
110 ++ Implementation of cryptographic hash function BLAKE2s
111 ++ optimized for 8-32bit platforms and can produce digests of any size
112 ++ between 1 to 32. The keyed hash is also implemented.
113 ++
114 ++ This module provides the following algorithms:
115 ++
116 ++ - blake2s-128
117 ++ - blake2s-160
118 ++ - blake2s-224
119 ++ - blake2s-256
120 ++
121 ++ See https://blake2.net for further information.
122 ++
123 ++config CRYPTO_BLAKE2S_X86
124 ++ tristate "BLAKE2s digest algorithm (x86 accelerated version)"
125 ++ depends on X86 && 64BIT
126 ++ select CRYPTO_LIB_BLAKE2S_GENERIC
127 ++ select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
128 ++
129 + config CRYPTO_CRCT10DIF
130 + tristate "CRCT10DIF algorithm"
131 + select CRYPTO_HASH
132 +@@ -686,6 +717,7 @@
133 + config CRYPTO_POLY1305
134 + tristate "Poly1305 authenticator algorithm"
135 + select CRYPTO_HASH
136 ++ select CRYPTO_LIB_POLY1305_GENERIC
137 + help
138 + Poly1305 authenticator algorithm, RFC7539.
139 +
140 +@@ -696,7 +728,8 @@
141 + config CRYPTO_POLY1305_X86_64
142 + tristate "Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)"
143 + depends on X86 && 64BIT
144 +- select CRYPTO_POLY1305
145 ++ select CRYPTO_LIB_POLY1305_GENERIC
146 ++ select CRYPTO_ARCH_HAVE_LIB_POLY1305
147 + help
148 + Poly1305 authenticator algorithm, RFC7539.
149 +
150 +@@ -705,6 +738,11 @@
151 + in IETF protocols. This is the x86_64 assembler implementation using SIMD
152 + instructions.
153 +
154 ++config CRYPTO_POLY1305_MIPS
155 ++ tristate "Poly1305 authenticator algorithm (MIPS optimized)"
156 ++ depends on CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
157 ++ select CRYPTO_ARCH_HAVE_LIB_POLY1305
158 ++
159 + config CRYPTO_MD4
160 + tristate "MD4 digest algorithm"
161 + select CRYPTO_HASH
162 +@@ -878,9 +916,6 @@
163 + SHA-1 secure hash standard (DFIPS 180-4) implemented
164 + using powerpc SPE SIMD instruction set.
165 +
166 +-config CRYPTO_LIB_SHA256
167 +- tristate
168 +-
169 + config CRYPTO_SHA256
170 + tristate "SHA224 and SHA256 digest algorithm"
171 + select CRYPTO_HASH
172 +@@ -1019,9 +1054,6 @@
173 +
174 + comment "Ciphers"
175 +
176 +-config CRYPTO_LIB_AES
177 +- tristate
178 +-
179 + config CRYPTO_AES
180 + tristate "AES cipher algorithms"
181 + select CRYPTO_ALGAPI
182 +@@ -1150,9 +1182,6 @@
183 + <https://www.cosic.esat.kuleuven.be/nessie/reports/>
184 + <http://www.larc.usp.br/~pbarreto/AnubisPage.html>
185 +
186 +-config CRYPTO_LIB_ARC4
187 +- tristate
188 +-
189 + config CRYPTO_ARC4
190 + tristate "ARC4 cipher algorithm"
191 + select CRYPTO_BLKCIPHER
192 +@@ -1339,9 +1368,6 @@
193 + This module provides the Cast6 cipher algorithm that processes
194 + eight blocks parallel using the AVX instruction set.
195 +
196 +-config CRYPTO_LIB_DES
197 +- tristate
198 +-
199 + config CRYPTO_DES
200 + tristate "DES and Triple DES EDE cipher algorithms"
201 + select CRYPTO_ALGAPI
202 +@@ -1405,6 +1431,7 @@
203 +
204 + config CRYPTO_CHACHA20
205 + tristate "ChaCha stream cipher algorithms"
206 ++ select CRYPTO_LIB_CHACHA_GENERIC
207 + select CRYPTO_BLKCIPHER
208 + help
209 + The ChaCha20, XChaCha20, and XChaCha12 stream cipher algorithms.
210 +@@ -1428,11 +1455,18 @@
211 + tristate "ChaCha stream cipher algorithms (x86_64/SSSE3/AVX2/AVX-512VL)"
212 + depends on X86 && 64BIT
213 + select CRYPTO_BLKCIPHER
214 +- select CRYPTO_CHACHA20
215 ++ select CRYPTO_LIB_CHACHA_GENERIC
216 ++ select CRYPTO_ARCH_HAVE_LIB_CHACHA
217 + help
218 + SSSE3, AVX2, and AVX-512VL optimized implementations of the ChaCha20,
219 + XChaCha20, and XChaCha12 stream ciphers.
220 +
221 ++config CRYPTO_CHACHA_MIPS
222 ++ tristate "ChaCha stream cipher algorithms (MIPS 32r2 optimized)"
223 ++ depends on CPU_MIPS32_R2
224 ++ select CRYPTO_BLKCIPHER
225 ++ select CRYPTO_ARCH_HAVE_LIB_CHACHA
226 ++
227 + config CRYPTO_SEED
228 + tristate "SEED cipher algorithm"
229 + select CRYPTO_ALGAPI
230 +@@ -1845,6 +1879,7 @@
231 + config CRYPTO_HASH_INFO
232 + bool
233 +
234 ++source "lib/crypto/Kconfig"
235 + source "drivers/crypto/Kconfig"
236 + source "crypto/asymmetric_keys/Kconfig"
237 + source "certs/Kconfig"
238 +--- b/lib/crypto/Kconfig
239 ++++ b/lib/crypto/Kconfig
240 +@@ -0,0 +1,130 @@
241 ++# SPDX-License-Identifier: GPL-2.0
242 ++
243 ++comment "Crypto library routines"
244 ++
245 ++config CRYPTO_LIB_AES
246 ++ tristate
247 ++
248 ++config CRYPTO_LIB_ARC4
249 ++ tristate
250 ++
251 ++config CRYPTO_ARCH_HAVE_LIB_BLAKE2S
252 ++ tristate
253 ++ help
254 ++ Declares whether the architecture provides an arch-specific
255 ++ accelerated implementation of the Blake2s library interface,
256 ++ either builtin or as a module.
257 ++
258 ++config CRYPTO_LIB_BLAKE2S_GENERIC
259 ++ tristate
260 ++ help
261 ++ This symbol can be depended upon by arch implementations of the
262 ++ Blake2s library interface that require the generic code as a
263 ++ fallback, e.g., for SIMD implementations. If no arch specific
264 ++ implementation is enabled, this implementation serves the users
265 ++ of CRYPTO_LIB_BLAKE2S.
266 ++
267 ++config CRYPTO_LIB_BLAKE2S
268 ++ tristate "BLAKE2s hash function library"
269 ++ depends on CRYPTO_ARCH_HAVE_LIB_BLAKE2S || !CRYPTO_ARCH_HAVE_LIB_BLAKE2S
270 ++ select CRYPTO_LIB_BLAKE2S_GENERIC if CRYPTO_ARCH_HAVE_LIB_BLAKE2S=n
271 ++ help
272 ++ Enable the Blake2s library interface. This interface may be fulfilled
273 ++ by either the generic implementation or an arch-specific one, if one
274 ++ is available and enabled.
275 ++
276 ++config CRYPTO_ARCH_HAVE_LIB_CHACHA
277 ++ tristate
278 ++ help
279 ++ Declares whether the architecture provides an arch-specific
280 ++ accelerated implementation of the ChaCha library interface,
281 ++ either builtin or as a module.
282 ++
283 ++config CRYPTO_LIB_CHACHA_GENERIC
284 ++ tristate
285 ++ select CRYPTO_ALGAPI
286 ++ help
287 ++ This symbol can be depended upon by arch implementations of the
288 ++ ChaCha library interface that require the generic code as a
289 ++ fallback, e.g., for SIMD implementations. If no arch specific
290 ++ implementation is enabled, this implementation serves the users
291 ++ of CRYPTO_LIB_CHACHA.
292 ++
293 ++config CRYPTO_LIB_CHACHA
294 ++ tristate "ChaCha library interface"
295 ++ depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
296 ++ select CRYPTO_LIB_CHACHA_GENERIC if CRYPTO_ARCH_HAVE_LIB_CHACHA=n
297 ++ help
298 ++ Enable the ChaCha library interface. This interface may be fulfilled
299 ++ by either the generic implementation or an arch-specific one, if one
300 ++ is available and enabled.
301 ++
302 ++config CRYPTO_ARCH_HAVE_LIB_CURVE25519
303 ++ tristate
304 ++ help
305 ++ Declares whether the architecture provides an arch-specific
306 ++ accelerated implementation of the Curve25519 library interface,
307 ++ either builtin or as a module.
308 ++
309 ++config CRYPTO_LIB_CURVE25519_GENERIC
310 ++ tristate
311 ++ help
312 ++ This symbol can be depended upon by arch implementations of the
313 ++ Curve25519 library interface that require the generic code as a
314 ++ fallback, e.g., for SIMD implementations. If no arch specific
315 ++ implementation is enabled, this implementation serves the users
316 ++ of CRYPTO_LIB_CURVE25519.
317 ++
318 ++config CRYPTO_LIB_CURVE25519
319 ++ tristate "Curve25519 scalar multiplication library"
320 ++ depends on CRYPTO_ARCH_HAVE_LIB_CURVE25519 || !CRYPTO_ARCH_HAVE_LIB_CURVE25519
321 ++ select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519=n
322 ++ help
323 ++ Enable the Curve25519 library interface. This interface may be
324 ++ fulfilled by either the generic implementation or an arch-specific
325 ++ one, if one is available and enabled.
326 ++
327 ++config CRYPTO_LIB_DES
328 ++ tristate
329 ++
330 ++config CRYPTO_LIB_POLY1305_RSIZE
331 ++ int
332 ++ default 2 if MIPS
333 ++ default 11 if X86_64
334 ++ default 9 if ARM || ARM64
335 ++ default 1
336 ++
337 ++config CRYPTO_ARCH_HAVE_LIB_POLY1305
338 ++ tristate
339 ++ help
340 ++ Declares whether the architecture provides an arch-specific
341 ++ accelerated implementation of the Poly1305 library interface,
342 ++ either builtin or as a module.
343 ++
344 ++config CRYPTO_LIB_POLY1305_GENERIC
345 ++ tristate
346 ++ help
347 ++ This symbol can be depended upon by arch implementations of the
348 ++ Poly1305 library interface that require the generic code as a
349 ++ fallback, e.g., for SIMD implementations. If no arch specific
350 ++ implementation is enabled, this implementation serves the users
351 ++ of CRYPTO_LIB_POLY1305.
352 ++
353 ++config CRYPTO_LIB_POLY1305
354 ++ tristate "Poly1305 library interface"
355 ++ depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
356 ++ select CRYPTO_LIB_POLY1305_GENERIC if CRYPTO_ARCH_HAVE_LIB_POLY1305=n
357 ++ help
358 ++ Enable the Poly1305 library interface. This interface may be fulfilled
359 ++ by either the generic implementation or an arch-specific one, if one
360 ++ is available and enabled.
361 ++
362 ++config CRYPTO_LIB_CHACHA20POLY1305
363 ++ tristate "ChaCha20-Poly1305 AEAD support (8-byte nonce library version)"
364 ++ depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
365 ++ depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
366 ++ select CRYPTO_LIB_CHACHA
367 ++ select CRYPTO_LIB_POLY1305
368 ++
369 ++config CRYPTO_LIB_SHA256
370 ++ tristate
371 +--- b/lib/crypto/Makefile
372 ++++ b/lib/crypto/Makefile
373 +@@ -3,11 +3,43 @@
374 +-obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o
375 +-libaes-y := aes.o
376 ++# chacha is used by the /dev/random driver which is always builtin
377 ++obj-y += chacha.o
378 ++obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o
379 +
380 +-obj-$(CONFIG_CRYPTO_LIB_ARC4) += libarc4.o
381 +-libarc4-y := arc4.o
382 ++obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o
383 ++libaes-y := aes.o
384 +
385 +-obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o
386 +-libdes-y := des.o
387 ++obj-$(CONFIG_CRYPTO_LIB_ARC4) += libarc4.o
388 ++libarc4-y := arc4.o
389 +
390 +-obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
391 +-libsha256-y := sha256.o
392 ++obj-$(CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC) += libblake2s-generic.o
393 ++libblake2s-generic-y += blake2s-generic.o
394 ++
395 ++obj-$(CONFIG_CRYPTO_LIB_BLAKE2S) += libblake2s.o
396 ++libblake2s-y += blake2s.o
397 ++
398 ++obj-$(CONFIG_CRYPTO_LIB_CHACHA20POLY1305) += libchacha20poly1305.o
399 ++libchacha20poly1305-y += chacha20poly1305.o
400 ++
401 ++obj-$(CONFIG_CRYPTO_LIB_CURVE25519_GENERIC) += libcurve25519-generic.o
402 ++libcurve25519-generic-y := curve25519-fiat32.o
403 ++libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o
404 ++libcurve25519-generic-y += curve25519-generic.o
405 ++
406 ++obj-$(CONFIG_CRYPTO_LIB_CURVE25519) += libcurve25519.o
407 ++libcurve25519-y += curve25519.o
408 ++
409 ++obj-$(CONFIG_CRYPTO_LIB_DES) += libdes.o
410 ++libdes-y := des.o
411 ++
412 ++obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC) += libpoly1305.o
413 ++libpoly1305-y := poly1305-donna32.o
414 ++libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o
415 ++libpoly1305-y += poly1305.o
416 ++
417 ++obj-$(CONFIG_CRYPTO_LIB_SHA256) += libsha256.o
418 ++libsha256-y := sha256.o
419 ++
420 ++ifneq ($(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS),y)
421 ++libblake2s-y += blake2s-selftest.o
422 ++libchacha20poly1305-y += chacha20poly1305-selftest.o
423 ++libcurve25519-y += curve25519-selftest.o
424 ++endif
425 +--- b/arch/arm/crypto/chacha-neon-glue.c
426 ++++ /dev/null
427 +@@ -1,202 +0,0 @@
428 +-/*
429 +- * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
430 +- * including ChaCha20 (RFC7539)
431 +- *
432 +- * Copyright (C) 2016 Linaro, Ltd. <ard.biesheuvel@××××××.org>
433 +- *
434 +- * This program is free software; you can redistribute it and/or modify
435 +- * it under the terms of the GNU General Public License version 2 as
436 +- * published by the Free Software Foundation.
437 +- *
438 +- * Based on:
439 +- * ChaCha20 256-bit cipher algorithm, RFC7539, SIMD glue code
440 +- *
441 +- * Copyright (C) 2015 Martin Willi
442 +- *
443 +- * This program is free software; you can redistribute it and/or modify
444 +- * it under the terms of the GNU General Public License as published by
445 +- * the Free Software Foundation; either version 2 of the License, or
446 +- * (at your option) any later version.
447 +- */
448 +-
449 +-#include <crypto/algapi.h>
450 +-#include <crypto/chacha.h>
451 +-#include <crypto/internal/simd.h>
452 +-#include <crypto/internal/skcipher.h>
453 +-#include <linux/kernel.h>
454 +-#include <linux/module.h>
455 +-
456 +-#include <asm/hwcap.h>
457 +-#include <asm/neon.h>
458 +-#include <asm/simd.h>
459 +-
460 +-asmlinkage void chacha_block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
461 +- int nrounds);
462 +-asmlinkage void chacha_4block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
463 +- int nrounds);
464 +-asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
465 +-
466 +-static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
467 +- unsigned int bytes, int nrounds)
468 +-{
469 +- u8 buf[CHACHA_BLOCK_SIZE];
470 +-
471 +- while (bytes >= CHACHA_BLOCK_SIZE * 4) {
472 +- chacha_4block_xor_neon(state, dst, src, nrounds);
473 +- bytes -= CHACHA_BLOCK_SIZE * 4;
474 +- src += CHACHA_BLOCK_SIZE * 4;
475 +- dst += CHACHA_BLOCK_SIZE * 4;
476 +- state[12] += 4;
477 +- }
478 +- while (bytes >= CHACHA_BLOCK_SIZE) {
479 +- chacha_block_xor_neon(state, dst, src, nrounds);
480 +- bytes -= CHACHA_BLOCK_SIZE;
481 +- src += CHACHA_BLOCK_SIZE;
482 +- dst += CHACHA_BLOCK_SIZE;
483 +- state[12]++;
484 +- }
485 +- if (bytes) {
486 +- memcpy(buf, src, bytes);
487 +- chacha_block_xor_neon(state, buf, buf, nrounds);
488 +- memcpy(dst, buf, bytes);
489 +- }
490 +-}
491 +-
492 +-static int chacha_neon_stream_xor(struct skcipher_request *req,
493 +- const struct chacha_ctx *ctx, const u8 *iv)
494 +-{
495 +- struct skcipher_walk walk;
496 +- u32 state[16];
497 +- int err;
498 +-
499 +- err = skcipher_walk_virt(&walk, req, false);
500 +-
501 +- crypto_chacha_init(state, ctx, iv);
502 +-
503 +- while (walk.nbytes > 0) {
504 +- unsigned int nbytes = walk.nbytes;
505 +-
506 +- if (nbytes < walk.total)
507 +- nbytes = round_down(nbytes, walk.stride);
508 +-
509 +- kernel_neon_begin();
510 +- chacha_doneon(state, walk.dst.virt.addr, walk.src.virt.addr,
511 +- nbytes, ctx->nrounds);
512 +- kernel_neon_end();
513 +- err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
514 +- }
515 +-
516 +- return err;
517 +-}
518 +-
519 +-static int chacha_neon(struct skcipher_request *req)
520 +-{
521 +- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
522 +- struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
523 +-
524 +- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
525 +- return crypto_chacha_crypt(req);
526 +-
527 +- return chacha_neon_stream_xor(req, ctx, req->iv);
528 +-}
529 +-
530 +-static int xchacha_neon(struct skcipher_request *req)
531 +-{
532 +- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
533 +- struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
534 +- struct chacha_ctx subctx;
535 +- u32 state[16];
536 +- u8 real_iv[16];
537 +-
538 +- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
539 +- return crypto_xchacha_crypt(req);
540 +-
541 +- crypto_chacha_init(state, ctx, req->iv);
542 +-
543 +- kernel_neon_begin();
544 +- hchacha_block_neon(state, subctx.key, ctx->nrounds);
545 +- kernel_neon_end();
546 +- subctx.nrounds = ctx->nrounds;
547 +-
548 +- memcpy(&real_iv[0], req->iv + 24, 8);
549 +- memcpy(&real_iv[8], req->iv + 16, 8);
550 +- return chacha_neon_stream_xor(req, &subctx, real_iv);
551 +-}
552 +-
553 +-static struct skcipher_alg algs[] = {
554 +- {
555 +- .base.cra_name = "chacha20",
556 +- .base.cra_driver_name = "chacha20-neon",
557 +- .base.cra_priority = 300,
558 +- .base.cra_blocksize = 1,
559 +- .base.cra_ctxsize = sizeof(struct chacha_ctx),
560 +- .base.cra_module = THIS_MODULE,
561 +-
562 +- .min_keysize = CHACHA_KEY_SIZE,
563 +- .max_keysize = CHACHA_KEY_SIZE,
564 +- .ivsize = CHACHA_IV_SIZE,
565 +- .chunksize = CHACHA_BLOCK_SIZE,
566 +- .walksize = 4 * CHACHA_BLOCK_SIZE,
567 +- .setkey = crypto_chacha20_setkey,
568 +- .encrypt = chacha_neon,
569 +- .decrypt = chacha_neon,
570 +- }, {
571 +- .base.cra_name = "xchacha20",
572 +- .base.cra_driver_name = "xchacha20-neon",
573 +- .base.cra_priority = 300,
574 +- .base.cra_blocksize = 1,
575 +- .base.cra_ctxsize = sizeof(struct chacha_ctx),
576 +- .base.cra_module = THIS_MODULE,
577 +-
578 +- .min_keysize = CHACHA_KEY_SIZE,
579 +- .max_keysize = CHACHA_KEY_SIZE,
580 +- .ivsize = XCHACHA_IV_SIZE,
581 +- .chunksize = CHACHA_BLOCK_SIZE,
582 +- .walksize = 4 * CHACHA_BLOCK_SIZE,
583 +- .setkey = crypto_chacha20_setkey,
584 +- .encrypt = xchacha_neon,
585 +- .decrypt = xchacha_neon,
586 +- }, {
587 +- .base.cra_name = "xchacha12",
588 +- .base.cra_driver_name = "xchacha12-neon",
589 +- .base.cra_priority = 300,
590 +- .base.cra_blocksize = 1,
591 +- .base.cra_ctxsize = sizeof(struct chacha_ctx),
592 +- .base.cra_module = THIS_MODULE,
593 +-
594 +- .min_keysize = CHACHA_KEY_SIZE,
595 +- .max_keysize = CHACHA_KEY_SIZE,
596 +- .ivsize = XCHACHA_IV_SIZE,
597 +- .chunksize = CHACHA_BLOCK_SIZE,
598 +- .walksize = 4 * CHACHA_BLOCK_SIZE,
599 +- .setkey = crypto_chacha12_setkey,
600 +- .encrypt = xchacha_neon,
601 +- .decrypt = xchacha_neon,
602 +- }
603 +-};
604 +-
605 +-static int __init chacha_simd_mod_init(void)
606 +-{
607 +- if (!(elf_hwcap & HWCAP_NEON))
608 +- return -ENODEV;
609 +-
610 +- return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
611 +-}
612 +-
613 +-static void __exit chacha_simd_mod_fini(void)
614 +-{
615 +- crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
616 +-}
617 +-
618 +-module_init(chacha_simd_mod_init);
619 +-module_exit(chacha_simd_mod_fini);
620 +-
621 +-MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (NEON accelerated)");
622 +-MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@××××××.org>");
623 +-MODULE_LICENSE("GPL v2");
624 +-MODULE_ALIAS_CRYPTO("chacha20");
625 +-MODULE_ALIAS_CRYPTO("chacha20-neon");
626 +-MODULE_ALIAS_CRYPTO("xchacha20");
627 +-MODULE_ALIAS_CRYPTO("xchacha20-neon");
628 +-MODULE_ALIAS_CRYPTO("xchacha12");
629 +-MODULE_ALIAS_CRYPTO("xchacha12-neon");
630 +--- b/arch/arm64/crypto/chacha-neon-glue.c
631 ++++ b/arch/arm64/crypto/chacha-neon-glue.c
632 +@@ -1,5 +1,5 @@
633 + /*
634 +- * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
635 ++ * ARM NEON and scalar accelerated ChaCha and XChaCha stream ciphers,
636 + * including ChaCha20 (RFC7539)
637 + *
638 + * Copyright (C) 2016 - 2017 Linaro, Ltd. <ard.biesheuvel@××××××.org>
639 +@@ -20,9 +20,10 @@
640 + */
641 +
642 + #include <crypto/algapi.h>
643 +-#include <crypto/chacha.h>
644 ++#include <crypto/internal/chacha.h>
645 + #include <crypto/internal/simd.h>
646 + #include <crypto/internal/skcipher.h>
647 ++#include <linux/jump_label.h>
648 + #include <linux/kernel.h>
649 + #include <linux/module.h>
650 +
651 +@@ -36,6 +37,8 @@
652 + int nrounds, int bytes);
653 + asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
654 +
655 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
656 ++
657 + static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
658 + int bytes, int nrounds)
659 + {
660 +@@ -52,12 +55,51 @@
661 + break;
662 + }
663 + chacha_4block_xor_neon(state, dst, src, nrounds, l);
664 +- bytes -= CHACHA_BLOCK_SIZE * 5;
665 +- src += CHACHA_BLOCK_SIZE * 5;
666 +- dst += CHACHA_BLOCK_SIZE * 5;
667 +- state[12] += 5;
668 ++ bytes -= l;
669 ++ src += l;
670 ++ dst += l;
671 ++ state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
672 ++ }
673 ++}
674 ++
675 ++void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
676 ++{
677 ++ if (!static_branch_likely(&have_neon) || !crypto_simd_usable()) {
678 ++ hchacha_block_generic(state, stream, nrounds);
679 ++ } else {
680 ++ kernel_neon_begin();
681 ++ hchacha_block_neon(state, stream, nrounds);
682 ++ kernel_neon_end();
683 + }
684 + }
685 ++EXPORT_SYMBOL(hchacha_block_arch);
686 ++
687 ++void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
688 ++{
689 ++ chacha_init_generic(state, key, iv);
690 ++}
691 ++EXPORT_SYMBOL(chacha_init_arch);
692 ++
693 ++void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
694 ++ int nrounds)
695 ++{
696 ++ if (!static_branch_likely(&have_neon) || bytes <= CHACHA_BLOCK_SIZE ||
697 ++ !crypto_simd_usable())
698 ++ return chacha_crypt_generic(state, dst, src, bytes, nrounds);
699 ++
700 ++ do {
701 ++ unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
702 ++
703 ++ kernel_neon_begin();
704 ++ chacha_doneon(state, dst, src, todo, nrounds);
705 ++ kernel_neon_end();
706 ++
707 ++ bytes -= todo;
708 ++ src += todo;
709 ++ dst += todo;
710 ++ } while (bytes);
711 ++}
712 ++EXPORT_SYMBOL(chacha_crypt_arch);
713 +
714 + static int chacha_neon_stream_xor(struct skcipher_request *req,
715 + const struct chacha_ctx *ctx, const u8 *iv)
716 +@@ -68,7 +110,7 @@
717 +
718 + err = skcipher_walk_virt(&walk, req, false);
719 +
720 +- crypto_chacha_init(state, ctx, iv);
721 ++ chacha_init_generic(state, ctx->key, iv);
722 +
723 + while (walk.nbytes > 0) {
724 + unsigned int nbytes = walk.nbytes;
725 +@@ -76,10 +118,17 @@
726 + if (nbytes < walk.total)
727 + nbytes = rounddown(nbytes, walk.stride);
728 +
729 +- kernel_neon_begin();
730 +- chacha_doneon(state, walk.dst.virt.addr, walk.src.virt.addr,
731 +- nbytes, ctx->nrounds);
732 +- kernel_neon_end();
733 ++ if (!static_branch_likely(&have_neon) ||
734 ++ !crypto_simd_usable()) {
735 ++ chacha_crypt_generic(state, walk.dst.virt.addr,
736 ++ walk.src.virt.addr, nbytes,
737 ++ ctx->nrounds);
738 ++ } else {
739 ++ kernel_neon_begin();
740 ++ chacha_doneon(state, walk.dst.virt.addr,
741 ++ walk.src.virt.addr, nbytes, ctx->nrounds);
742 ++ kernel_neon_end();
743 ++ }
744 + err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
745 + }
746 +
747 +@@ -91,9 +140,6 @@
748 + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
749 + struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
750 +
751 +- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
752 +- return crypto_chacha_crypt(req);
753 +-
754 + return chacha_neon_stream_xor(req, ctx, req->iv);
755 + }
756 +
757 +@@ -105,14 +151,8 @@
758 + u32 state[16];
759 + u8 real_iv[16];
760 +
761 +- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
762 +- return crypto_xchacha_crypt(req);
763 +-
764 +- crypto_chacha_init(state, ctx, req->iv);
765 +-
766 +- kernel_neon_begin();
767 +- hchacha_block_neon(state, subctx.key, ctx->nrounds);
768 +- kernel_neon_end();
769 ++ chacha_init_generic(state, ctx->key, req->iv);
770 ++ hchacha_block_arch(state, subctx.key, ctx->nrounds);
771 + subctx.nrounds = ctx->nrounds;
772 +
773 + memcpy(&real_iv[0], req->iv + 24, 8);
774 +@@ -134,7 +174,7 @@
775 + .ivsize = CHACHA_IV_SIZE,
776 + .chunksize = CHACHA_BLOCK_SIZE,
777 + .walksize = 5 * CHACHA_BLOCK_SIZE,
778 +- .setkey = crypto_chacha20_setkey,
779 ++ .setkey = chacha20_setkey,
780 + .encrypt = chacha_neon,
781 + .decrypt = chacha_neon,
782 + }, {
783 +@@ -150,7 +190,7 @@
784 + .ivsize = XCHACHA_IV_SIZE,
785 + .chunksize = CHACHA_BLOCK_SIZE,
786 + .walksize = 5 * CHACHA_BLOCK_SIZE,
787 +- .setkey = crypto_chacha20_setkey,
788 ++ .setkey = chacha20_setkey,
789 + .encrypt = xchacha_neon,
790 + .decrypt = xchacha_neon,
791 + }, {
792 +@@ -166,7 +206,7 @@
793 + .ivsize = XCHACHA_IV_SIZE,
794 + .chunksize = CHACHA_BLOCK_SIZE,
795 + .walksize = 5 * CHACHA_BLOCK_SIZE,
796 +- .setkey = crypto_chacha12_setkey,
797 ++ .setkey = chacha12_setkey,
798 + .encrypt = xchacha_neon,
799 + .decrypt = xchacha_neon,
800 + }
801 +@@ -175,14 +215,18 @@
802 + static int __init chacha_simd_mod_init(void)
803 + {
804 + if (!cpu_have_named_feature(ASIMD))
805 +- return -ENODEV;
806 ++ return 0;
807 ++
808 ++ static_branch_enable(&have_neon);
809 +
810 +- return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
811 ++ return IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) ?
812 ++ crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;
813 + }
814 +
815 + static void __exit chacha_simd_mod_fini(void)
816 + {
817 +- crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
818 ++ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) && cpu_have_named_feature(ASIMD))
819 ++ crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
820 + }
821 +
822 + module_init(chacha_simd_mod_init);
823 +--- b/arch/x86/crypto/chacha_glue.c
824 ++++ b/arch/x86/crypto/chacha_glue.c
825 +@@ -7,38 +7,36 @@
826 + */
827 +
828 + #include <crypto/algapi.h>
829 +-#include <crypto/chacha.h>
830 ++#include <crypto/internal/chacha.h>
831 + #include <crypto/internal/simd.h>
832 + #include <crypto/internal/skcipher.h>
833 + #include <linux/kernel.h>
834 + #include <linux/module.h>
835 + #include <asm/simd.h>
836 +
837 +-#define CHACHA_STATE_ALIGN 16
838 +-
839 + asmlinkage void chacha_block_xor_ssse3(u32 *state, u8 *dst, const u8 *src,
840 + unsigned int len, int nrounds);
841 + asmlinkage void chacha_4block_xor_ssse3(u32 *state, u8 *dst, const u8 *src,
842 + unsigned int len, int nrounds);
843 + asmlinkage void hchacha_block_ssse3(const u32 *state, u32 *out, int nrounds);
844 +-#ifdef CONFIG_AS_AVX2
845 ++
846 + asmlinkage void chacha_2block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
847 + unsigned int len, int nrounds);
848 + asmlinkage void chacha_4block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
849 + unsigned int len, int nrounds);
850 + asmlinkage void chacha_8block_xor_avx2(u32 *state, u8 *dst, const u8 *src,
851 + unsigned int len, int nrounds);
852 +-static bool chacha_use_avx2;
853 +-#ifdef CONFIG_AS_AVX512
854 ++
855 + asmlinkage void chacha_2block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
856 + unsigned int len, int nrounds);
857 + asmlinkage void chacha_4block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
858 + unsigned int len, int nrounds);
859 + asmlinkage void chacha_8block_xor_avx512vl(u32 *state, u8 *dst, const u8 *src,
860 + unsigned int len, int nrounds);
861 +-static bool chacha_use_avx512vl;
862 +-#endif
863 +-#endif
864 ++
865 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_simd);
866 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx2);
867 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(chacha_use_avx512vl);
868 +
869 + static unsigned int chacha_advance(unsigned int len, unsigned int maxblocks)
870 + {
871 +@@ -49,9 +47,8 @@
872 + static void chacha_dosimd(u32 *state, u8 *dst, const u8 *src,
873 + unsigned int bytes, int nrounds)
874 + {
875 +-#ifdef CONFIG_AS_AVX2
876 +-#ifdef CONFIG_AS_AVX512
877 +- if (chacha_use_avx512vl) {
878 ++ if (IS_ENABLED(CONFIG_AS_AVX512) &&
879 ++ static_branch_likely(&chacha_use_avx512vl)) {
880 + while (bytes >= CHACHA_BLOCK_SIZE * 8) {
881 + chacha_8block_xor_avx512vl(state, dst, src, bytes,
882 + nrounds);
883 +@@ -79,8 +76,9 @@
884 + return;
885 + }
886 + }
887 +-#endif
888 +- if (chacha_use_avx2) {
889 ++
890 ++ if (IS_ENABLED(CONFIG_AS_AVX2) &&
891 ++ static_branch_likely(&chacha_use_avx2)) {
892 + while (bytes >= CHACHA_BLOCK_SIZE * 8) {
893 + chacha_8block_xor_avx2(state, dst, src, bytes, nrounds);
894 + bytes -= CHACHA_BLOCK_SIZE * 8;
895 +@@ -104,7 +102,7 @@
896 + return;
897 + }
898 + }
899 +-#endif
900 ++
901 + while (bytes >= CHACHA_BLOCK_SIZE * 4) {
902 + chacha_4block_xor_ssse3(state, dst, src, bytes, nrounds);
903 + bytes -= CHACHA_BLOCK_SIZE * 4;
904 +@@ -123,37 +121,75 @@
905 + }
906 + }
907 +
908 +-static int chacha_simd_stream_xor(struct skcipher_walk *walk,
909 +- const struct chacha_ctx *ctx, const u8 *iv)
910 ++void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
911 + {
912 +- u32 *state, state_buf[16 + 2] __aligned(8);
913 +- int next_yield = 4096; /* bytes until next FPU yield */
914 +- int err = 0;
915 ++ if (!static_branch_likely(&chacha_use_simd) || !crypto_simd_usable()) {
916 ++ hchacha_block_generic(state, stream, nrounds);
917 ++ } else {
918 ++ kernel_fpu_begin();
919 ++ hchacha_block_ssse3(state, stream, nrounds);
920 ++ kernel_fpu_end();
921 ++ }
922 ++}
923 ++EXPORT_SYMBOL(hchacha_block_arch);
924 +
925 +- BUILD_BUG_ON(CHACHA_STATE_ALIGN != 16);
926 +- state = PTR_ALIGN(state_buf + 0, CHACHA_STATE_ALIGN);
927 ++void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
928 ++{
929 ++ chacha_init_generic(state, key, iv);
930 ++}
931 ++EXPORT_SYMBOL(chacha_init_arch);
932 +
933 +- crypto_chacha_init(state, ctx, iv);
934 ++void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
935 ++ int nrounds)
936 ++{
937 ++ if (!static_branch_likely(&chacha_use_simd) || !crypto_simd_usable() ||
938 ++ bytes <= CHACHA_BLOCK_SIZE)
939 ++ return chacha_crypt_generic(state, dst, src, bytes, nrounds);
940 ++
941 ++ do {
942 ++ unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
943 ++
944 ++ kernel_fpu_begin();
945 ++ chacha_dosimd(state, dst, src, todo, nrounds);
946 ++ kernel_fpu_end();
947 ++
948 ++ bytes -= todo;
949 ++ src += todo;
950 ++ dst += todo;
951 ++ } while (bytes);
952 ++}
953 ++EXPORT_SYMBOL(chacha_crypt_arch);
954 +
955 +- while (walk->nbytes > 0) {
956 +- unsigned int nbytes = walk->nbytes;
957 ++static int chacha_simd_stream_xor(struct skcipher_request *req,
958 ++ const struct chacha_ctx *ctx, const u8 *iv)
959 ++{
960 ++ u32 state[CHACHA_STATE_WORDS] __aligned(8);
961 ++ struct skcipher_walk walk;
962 ++ int err;
963 +
964 +- if (nbytes < walk->total) {
965 +- nbytes = round_down(nbytes, walk->stride);
966 +- next_yield -= nbytes;
967 +- }
968 ++ err = skcipher_walk_virt(&walk, req, false);
969 +
970 +- chacha_dosimd(state, walk->dst.virt.addr, walk->src.virt.addr,
971 +- nbytes, ctx->nrounds);
972 ++ chacha_init_generic(state, ctx->key, iv);
973 +
974 +- if (next_yield <= 0) {
975 +- /* temporarily allow preemption */
976 +- kernel_fpu_end();
977 ++ while (walk.nbytes > 0) {
978 ++ unsigned int nbytes = walk.nbytes;
979 ++
980 ++ if (nbytes < walk.total)
981 ++ nbytes = round_down(nbytes, walk.stride);
982 ++
983 ++ if (!static_branch_likely(&chacha_use_simd) ||
984 ++ !crypto_simd_usable()) {
985 ++ chacha_crypt_generic(state, walk.dst.virt.addr,
986 ++ walk.src.virt.addr, nbytes,
987 ++ ctx->nrounds);
988 ++ } else {
989 + kernel_fpu_begin();
990 +- next_yield = 4096;
991 ++ chacha_dosimd(state, walk.dst.virt.addr,
992 ++ walk.src.virt.addr, nbytes,
993 ++ ctx->nrounds);
994 ++ kernel_fpu_end();
995 + }
996 +-
997 +- err = skcipher_walk_done(walk, walk->nbytes - nbytes);
998 ++ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
999 + }
1000 +
1001 + return err;
1002 +@@ -163,55 +199,32 @@
1003 + {
1004 + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1005 + struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1006 +- struct skcipher_walk walk;
1007 +- int err;
1008 +
1009 +- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
1010 +- return crypto_chacha_crypt(req);
1011 +-
1012 +- err = skcipher_walk_virt(&walk, req, true);
1013 +- if (err)
1014 +- return err;
1015 +-
1016 +- kernel_fpu_begin();
1017 +- err = chacha_simd_stream_xor(&walk, ctx, req->iv);
1018 +- kernel_fpu_end();
1019 +- return err;
1020 ++ return chacha_simd_stream_xor(req, ctx, req->iv);
1021 + }
1022 +
1023 + static int xchacha_simd(struct skcipher_request *req)
1024 + {
1025 + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1026 + struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1027 +- struct skcipher_walk walk;
1028 ++ u32 state[CHACHA_STATE_WORDS] __aligned(8);
1029 + struct chacha_ctx subctx;
1030 +- u32 *state, state_buf[16 + 2] __aligned(8);
1031 + u8 real_iv[16];
1032 +- int err;
1033 +
1034 +- if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
1035 +- return crypto_xchacha_crypt(req);
1036 ++ chacha_init_generic(state, ctx->key, req->iv);
1037 +
1038 +- err = skcipher_walk_virt(&walk, req, true);
1039 +- if (err)
1040 +- return err;
1041 +-
1042 +- BUILD_BUG_ON(CHACHA_STATE_ALIGN != 16);
1043 +- state = PTR_ALIGN(state_buf + 0, CHACHA_STATE_ALIGN);
1044 +- crypto_chacha_init(state, ctx, req->iv);
1045 +-
1046 +- kernel_fpu_begin();
1047 +-
1048 +- hchacha_block_ssse3(state, subctx.key, ctx->nrounds);
1049 ++ if (req->cryptlen > CHACHA_BLOCK_SIZE && crypto_simd_usable()) {
1050 ++ kernel_fpu_begin();
1051 ++ hchacha_block_ssse3(state, subctx.key, ctx->nrounds);
1052 ++ kernel_fpu_end();
1053 ++ } else {
1054 ++ hchacha_block_generic(state, subctx.key, ctx->nrounds);
1055 ++ }
1056 + subctx.nrounds = ctx->nrounds;
1057 +
1058 + memcpy(&real_iv[0], req->iv + 24, 8);
1059 + memcpy(&real_iv[8], req->iv + 16, 8);
1060 +- err = chacha_simd_stream_xor(&walk, &subctx, real_iv);
1061 +-
1062 +- kernel_fpu_end();
1063 +-
1064 +- return err;
1065 ++ return chacha_simd_stream_xor(req, &subctx, real_iv);
1066 + }
1067 +
1068 + static struct skcipher_alg algs[] = {
1069 +@@ -227,7 +240,7 @@
1070 + .max_keysize = CHACHA_KEY_SIZE,
1071 + .ivsize = CHACHA_IV_SIZE,
1072 + .chunksize = CHACHA_BLOCK_SIZE,
1073 +- .setkey = crypto_chacha20_setkey,
1074 ++ .setkey = chacha20_setkey,
1075 + .encrypt = chacha_simd,
1076 + .decrypt = chacha_simd,
1077 + }, {
1078 +@@ -242,7 +255,7 @@
1079 + .max_keysize = CHACHA_KEY_SIZE,
1080 + .ivsize = XCHACHA_IV_SIZE,
1081 + .chunksize = CHACHA_BLOCK_SIZE,
1082 +- .setkey = crypto_chacha20_setkey,
1083 ++ .setkey = chacha20_setkey,
1084 + .encrypt = xchacha_simd,
1085 + .decrypt = xchacha_simd,
1086 + }, {
1087 +@@ -257,7 +270,7 @@
1088 + .max_keysize = CHACHA_KEY_SIZE,
1089 + .ivsize = XCHACHA_IV_SIZE,
1090 + .chunksize = CHACHA_BLOCK_SIZE,
1091 +- .setkey = crypto_chacha12_setkey,
1092 ++ .setkey = chacha12_setkey,
1093 + .encrypt = xchacha_simd,
1094 + .decrypt = xchacha_simd,
1095 + },
1096 +@@ -266,24 +279,29 @@
1097 + static int __init chacha_simd_mod_init(void)
1098 + {
1099 + if (!boot_cpu_has(X86_FEATURE_SSSE3))
1100 +- return -ENODEV;
1101 ++ return 0;
1102 +
1103 +-#ifdef CONFIG_AS_AVX2
1104 +- chacha_use_avx2 = boot_cpu_has(X86_FEATURE_AVX) &&
1105 +- boot_cpu_has(X86_FEATURE_AVX2) &&
1106 +- cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL);
1107 +-#ifdef CONFIG_AS_AVX512
1108 +- chacha_use_avx512vl = chacha_use_avx2 &&
1109 +- boot_cpu_has(X86_FEATURE_AVX512VL) &&
1110 +- boot_cpu_has(X86_FEATURE_AVX512BW); /* kmovq */
1111 +-#endif
1112 +-#endif
1113 +- return crypto_register_skciphers(algs, ARRAY_SIZE(algs));
1114 ++ static_branch_enable(&chacha_use_simd);
1115 ++
1116 ++ if (IS_ENABLED(CONFIG_AS_AVX2) &&
1117 ++ boot_cpu_has(X86_FEATURE_AVX) &&
1118 ++ boot_cpu_has(X86_FEATURE_AVX2) &&
1119 ++ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL)) {
1120 ++ static_branch_enable(&chacha_use_avx2);
1121 ++
1122 ++ if (IS_ENABLED(CONFIG_AS_AVX512) &&
1123 ++ boot_cpu_has(X86_FEATURE_AVX512VL) &&
1124 ++ boot_cpu_has(X86_FEATURE_AVX512BW)) /* kmovq */
1125 ++ static_branch_enable(&chacha_use_avx512vl);
1126 ++ }
1127 ++ return IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) ?
1128 ++ crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;
1129 + }
1130 +
1131 + static void __exit chacha_simd_mod_fini(void)
1132 + {
1133 +- crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
1134 ++ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) && boot_cpu_has(X86_FEATURE_SSSE3))
1135 ++ crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
1136 + }
1137 +
1138 + module_init(chacha_simd_mod_init);
1139 +--- b/crypto/chacha_generic.c
1140 ++++ b/crypto/chacha_generic.c
1141 +@@ -8,29 +8,10 @@
1142 +
1143 + #include <asm/unaligned.h>
1144 + #include <crypto/algapi.h>
1145 +-#include <crypto/chacha.h>
1146 ++#include <crypto/internal/chacha.h>
1147 + #include <crypto/internal/skcipher.h>
1148 + #include <linux/module.h>
1149 +
1150 +-static void chacha_docrypt(u32 *state, u8 *dst, const u8 *src,
1151 +- unsigned int bytes, int nrounds)
1152 +-{
1153 +- /* aligned to potentially speed up crypto_xor() */
1154 +- u8 stream[CHACHA_BLOCK_SIZE] __aligned(sizeof(long));
1155 +-
1156 +- while (bytes >= CHACHA_BLOCK_SIZE) {
1157 +- chacha_block(state, stream, nrounds);
1158 +- crypto_xor_cpy(dst, src, stream, CHACHA_BLOCK_SIZE);
1159 +- bytes -= CHACHA_BLOCK_SIZE;
1160 +- dst += CHACHA_BLOCK_SIZE;
1161 +- src += CHACHA_BLOCK_SIZE;
1162 +- }
1163 +- if (bytes) {
1164 +- chacha_block(state, stream, nrounds);
1165 +- crypto_xor_cpy(dst, src, stream, bytes);
1166 +- }
1167 +-}
1168 +-
1169 + static int chacha_stream_xor(struct skcipher_request *req,
1170 + const struct chacha_ctx *ctx, const u8 *iv)
1171 + {
1172 +@@ -40,7 +21,7 @@
1173 +
1174 + err = skcipher_walk_virt(&walk, req, false);
1175 +
1176 +- crypto_chacha_init(state, ctx, iv);
1177 ++ chacha_init_generic(state, ctx->key, iv);
1178 +
1179 + while (walk.nbytes > 0) {
1180 + unsigned int nbytes = walk.nbytes;
1181 +@@ -48,75 +29,23 @@
1182 + if (nbytes < walk.total)
1183 + nbytes = round_down(nbytes, CHACHA_BLOCK_SIZE);
1184 +
1185 +- chacha_docrypt(state, walk.dst.virt.addr, walk.src.virt.addr,
1186 +- nbytes, ctx->nrounds);
1187 ++ chacha_crypt_generic(state, walk.dst.virt.addr,
1188 ++ walk.src.virt.addr, nbytes, ctx->nrounds);
1189 + err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
1190 + }
1191 +
1192 + return err;
1193 + }
1194 +
1195 +-void crypto_chacha_init(u32 *state, const struct chacha_ctx *ctx, const u8 *iv)
1196 +-{
1197 +- state[0] = 0x61707865; /* "expa" */
1198 +- state[1] = 0x3320646e; /* "nd 3" */
1199 +- state[2] = 0x79622d32; /* "2-by" */
1200 +- state[3] = 0x6b206574; /* "te k" */
1201 +- state[4] = ctx->key[0];
1202 +- state[5] = ctx->key[1];
1203 +- state[6] = ctx->key[2];
1204 +- state[7] = ctx->key[3];
1205 +- state[8] = ctx->key[4];
1206 +- state[9] = ctx->key[5];
1207 +- state[10] = ctx->key[6];
1208 +- state[11] = ctx->key[7];
1209 +- state[12] = get_unaligned_le32(iv + 0);
1210 +- state[13] = get_unaligned_le32(iv + 4);
1211 +- state[14] = get_unaligned_le32(iv + 8);
1212 +- state[15] = get_unaligned_le32(iv + 12);
1213 +-}
1214 +-EXPORT_SYMBOL_GPL(crypto_chacha_init);
1215 +-
1216 +-static int chacha_setkey(struct crypto_skcipher *tfm, const u8 *key,
1217 +- unsigned int keysize, int nrounds)
1218 +-{
1219 +- struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1220 +- int i;
1221 +-
1222 +- if (keysize != CHACHA_KEY_SIZE)
1223 +- return -EINVAL;
1224 +-
1225 +- for (i = 0; i < ARRAY_SIZE(ctx->key); i++)
1226 +- ctx->key[i] = get_unaligned_le32(key + i * sizeof(u32));
1227 +-
1228 +- ctx->nrounds = nrounds;
1229 +- return 0;
1230 +-}
1231 +-
1232 +-int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
1233 +- unsigned int keysize)
1234 +-{
1235 +- return chacha_setkey(tfm, key, keysize, 20);
1236 +-}
1237 +-EXPORT_SYMBOL_GPL(crypto_chacha20_setkey);
1238 +-
1239 +-int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
1240 +- unsigned int keysize)
1241 +-{
1242 +- return chacha_setkey(tfm, key, keysize, 12);
1243 +-}
1244 +-EXPORT_SYMBOL_GPL(crypto_chacha12_setkey);
1245 +-
1246 +-int crypto_chacha_crypt(struct skcipher_request *req)
1247 ++static int crypto_chacha_crypt(struct skcipher_request *req)
1248 + {
1249 + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1250 + struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1251 +
1252 + return chacha_stream_xor(req, ctx, req->iv);
1253 + }
1254 +-EXPORT_SYMBOL_GPL(crypto_chacha_crypt);
1255 +
1256 +-int crypto_xchacha_crypt(struct skcipher_request *req)
1257 ++static int crypto_xchacha_crypt(struct skcipher_request *req)
1258 + {
1259 + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
1260 + struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1261 +@@ -125,8 +54,8 @@
1262 + u8 real_iv[16];
1263 +
1264 + /* Compute the subkey given the original key and first 128 nonce bits */
1265 +- crypto_chacha_init(state, ctx, req->iv);
1266 +- hchacha_block(state, subctx.key, ctx->nrounds);
1267 ++ chacha_init_generic(state, ctx->key, req->iv);
1268 ++ hchacha_block_generic(state, subctx.key, ctx->nrounds);
1269 + subctx.nrounds = ctx->nrounds;
1270 +
1271 + /* Build the real IV */
1272 +@@ -136,7 +65,6 @@
1273 + /* Generate the stream and XOR it with the data */
1274 + return chacha_stream_xor(req, &subctx, real_iv);
1275 + }
1276 +-EXPORT_SYMBOL_GPL(crypto_xchacha_crypt);
1277 +
1278 + static struct skcipher_alg algs[] = {
1279 + {
1280 +@@ -151,7 +79,7 @@
1281 + .max_keysize = CHACHA_KEY_SIZE,
1282 + .ivsize = CHACHA_IV_SIZE,
1283 + .chunksize = CHACHA_BLOCK_SIZE,
1284 +- .setkey = crypto_chacha20_setkey,
1285 ++ .setkey = chacha20_setkey,
1286 + .encrypt = crypto_chacha_crypt,
1287 + .decrypt = crypto_chacha_crypt,
1288 + }, {
1289 +@@ -166,7 +94,7 @@
1290 + .max_keysize = CHACHA_KEY_SIZE,
1291 + .ivsize = XCHACHA_IV_SIZE,
1292 + .chunksize = CHACHA_BLOCK_SIZE,
1293 +- .setkey = crypto_chacha20_setkey,
1294 ++ .setkey = chacha20_setkey,
1295 + .encrypt = crypto_xchacha_crypt,
1296 + .decrypt = crypto_xchacha_crypt,
1297 + }, {
1298 +@@ -181,7 +109,7 @@
1299 + .max_keysize = CHACHA_KEY_SIZE,
1300 + .ivsize = XCHACHA_IV_SIZE,
1301 + .chunksize = CHACHA_BLOCK_SIZE,
1302 +- .setkey = crypto_chacha12_setkey,
1303 ++ .setkey = chacha12_setkey,
1304 + .encrypt = crypto_xchacha_crypt,
1305 + .decrypt = crypto_xchacha_crypt,
1306 + }
1307 +--- b/include/crypto/chacha.h
1308 ++++ b/include/crypto/chacha.h
1309 +@@ -15,9 +15,8 @@
1310 + #ifndef _CRYPTO_CHACHA_H
1311 + #define _CRYPTO_CHACHA_H
1312 +
1313 +-#include <crypto/skcipher.h>
1314 ++#include <asm/unaligned.h>
1315 + #include <linux/types.h>
1316 +-#include <linux/crypto.h>
1317 +
1318 + /* 32-bit stream position, then 96-bit nonce (RFC7539 convention) */
1319 + #define CHACHA_IV_SIZE 16
1320 +@@ -27,28 +26,74 @@
1321 + #define CHACHAPOLY_IV_SIZE 12
1322 +
1323 ++#define CHACHA_STATE_WORDS (CHACHA_BLOCK_SIZE / sizeof(u32))
1324 ++
1325 + /* 192-bit nonce, then 64-bit stream position */
1326 + #define XCHACHA_IV_SIZE 32
1327 +
1328 +-struct chacha_ctx {
1329 +- u32 key[8];
1330 +- int nrounds;
1331 +-};
1332 +-
1333 +-void chacha_block(u32 *state, u8 *stream, int nrounds);
1334 ++void chacha_block_generic(u32 *state, u8 *stream, int nrounds);
1335 + static inline void chacha20_block(u32 *state, u8 *stream)
1336 + {
1337 +- chacha_block(state, stream, 20);
1338 ++ chacha_block_generic(state, stream, 20);
1339 ++}
1340 ++
1341 ++void hchacha_block_arch(const u32 *state, u32 *out, int nrounds);
1342 ++void hchacha_block_generic(const u32 *state, u32 *out, int nrounds);
1343 ++
1344 ++static inline void hchacha_block(const u32 *state, u32 *out, int nrounds)
1345 ++{
1346 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
1347 ++ hchacha_block_arch(state, out, nrounds);
1348 ++ else
1349 ++ hchacha_block_generic(state, out, nrounds);
1350 ++}
1351 ++
1352 ++void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv);
1353 ++static inline void chacha_init_generic(u32 *state, const u32 *key, const u8 *iv)
1354 ++{
1355 ++ state[0] = 0x61707865; /* "expa" */
1356 ++ state[1] = 0x3320646e; /* "nd 3" */
1357 ++ state[2] = 0x79622d32; /* "2-by" */
1358 ++ state[3] = 0x6b206574; /* "te k" */
1359 ++ state[4] = key[0];
1360 ++ state[5] = key[1];
1361 ++ state[6] = key[2];
1362 ++ state[7] = key[3];
1363 ++ state[8] = key[4];
1364 ++ state[9] = key[5];
1365 ++ state[10] = key[6];
1366 ++ state[11] = key[7];
1367 ++ state[12] = get_unaligned_le32(iv + 0);
1368 ++ state[13] = get_unaligned_le32(iv + 4);
1369 ++ state[14] = get_unaligned_le32(iv + 8);
1370 ++ state[15] = get_unaligned_le32(iv + 12);
1371 ++}
1372 ++
1373 ++static inline void chacha_init(u32 *state, const u32 *key, const u8 *iv)
1374 ++{
1375 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
1376 ++ chacha_init_arch(state, key, iv);
1377 ++ else
1378 ++ chacha_init_generic(state, key, iv);
1379 + }
1380 +-void hchacha_block(const u32 *in, u32 *out, int nrounds);
1381 +
1382 +-void crypto_chacha_init(u32 *state, const struct chacha_ctx *ctx, const u8 *iv);
1383 ++void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
1384 ++ unsigned int bytes, int nrounds);
1385 ++void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
1386 ++ unsigned int bytes, int nrounds);
1387 +
1388 +-int crypto_chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
1389 +- unsigned int keysize);
1390 +-int crypto_chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
1391 +- unsigned int keysize);
1392 ++static inline void chacha_crypt(u32 *state, u8 *dst, const u8 *src,
1393 ++ unsigned int bytes, int nrounds)
1394 ++{
1395 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA))
1396 ++ chacha_crypt_arch(state, dst, src, bytes, nrounds);
1397 ++ else
1398 ++ chacha_crypt_generic(state, dst, src, bytes, nrounds);
1399 ++}
1400 +
1401 +-int crypto_chacha_crypt(struct skcipher_request *req);
1402 +-int crypto_xchacha_crypt(struct skcipher_request *req);
1403 ++static inline void chacha20_crypt(u32 *state, u8 *dst, const u8 *src,
1404 ++ unsigned int bytes)
1405 ++{
1406 ++ chacha_crypt(state, dst, src, bytes, 20);
1407 ++}
1408 +
1409 + #endif /* _CRYPTO_CHACHA_H */
1410 +--- b/include/crypto/internal/chacha.h
1411 ++++ b/include/crypto/internal/chacha.h
1412 +@@ -0,0 +1,43 @@
1413 ++/* SPDX-License-Identifier: GPL-2.0 */
1414 ++
1415 ++#ifndef _CRYPTO_INTERNAL_CHACHA_H
1416 ++#define _CRYPTO_INTERNAL_CHACHA_H
1417 ++
1418 ++#include <crypto/chacha.h>
1419 ++#include <crypto/internal/skcipher.h>
1420 ++#include <linux/crypto.h>
1421 ++
1422 ++struct chacha_ctx {
1423 ++ u32 key[8];
1424 ++ int nrounds;
1425 ++};
1426 ++
1427 ++static inline int chacha_setkey(struct crypto_skcipher *tfm, const u8 *key,
1428 ++ unsigned int keysize, int nrounds)
1429 ++{
1430 ++ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
1431 ++ int i;
1432 ++
1433 ++ if (keysize != CHACHA_KEY_SIZE)
1434 ++ return -EINVAL;
1435 ++
1436 ++ for (i = 0; i < ARRAY_SIZE(ctx->key); i++)
1437 ++ ctx->key[i] = get_unaligned_le32(key + i * sizeof(u32));
1438 ++
1439 ++ ctx->nrounds = nrounds;
1440 ++ return 0;
1441 ++}
1442 ++
1443 ++static inline int chacha20_setkey(struct crypto_skcipher *tfm, const u8 *key,
1444 ++ unsigned int keysize)
1445 ++{
1446 ++ return chacha_setkey(tfm, key, keysize, 20);
1447 ++}
1448 ++
1449 ++static inline int chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
1450 ++ unsigned int keysize)
1451 ++{
1452 ++ return chacha_setkey(tfm, key, keysize, 12);
1453 ++}
1454 ++
1455 ++#endif /* _CRYPTO_CHACHA_H */
1456 +--- a/lib/Makefile
1457 ++++ b/lib/Makefile
1458 +@@ -26,8 +26,7 @@ endif
1459 +
1460 + lib-y := ctype.o string.o vsprintf.o cmdline.o \
1461 + rbtree.o radix-tree.o timerqueue.o xarray.o \
1462 +- idr.o extable.o \
1463 +- sha1.o chacha.o irq_regs.o argv_split.o \
1464 ++ idr.o extable.o sha1.o irq_regs.o argv_split.o \
1465 + flex_proportions.o ratelimit.o show_mem.o \
1466 + is_single_threaded.o plist.o decompress.o kobject_uevent.o \
1467 + earlycpio.o seq_buf.o siphash.o dec_and_lock.o \
1468 +--- a/lib/chacha.c
1469 ++++ /dev/null
1470 +@@ -1,113 +0,0 @@
1471 +-// SPDX-License-Identifier: GPL-2.0-or-later
1472 +-/*
1473 +- * The "hash function" used as the core of the ChaCha stream cipher (RFC7539)
1474 +- *
1475 +- * Copyright (C) 2015 Martin Willi
1476 +- */
1477 +-
1478 +-#include <linux/kernel.h>
1479 +-#include <linux/export.h>
1480 +-#include <linux/bitops.h>
1481 +-#include <linux/cryptohash.h>
1482 +-#include <asm/unaligned.h>
1483 +-#include <crypto/chacha.h>
1484 +-
1485 +-static void chacha_permute(u32 *x, int nrounds)
1486 +-{
1487 +- int i;
1488 +-
1489 +- /* whitelist the allowed round counts */
1490 +- WARN_ON_ONCE(nrounds != 20 && nrounds != 12);
1491 +-
1492 +- for (i = 0; i < nrounds; i += 2) {
1493 +- x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 16);
1494 +- x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 16);
1495 +- x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 16);
1496 +- x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 16);
1497 +-
1498 +- x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 12);
1499 +- x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 12);
1500 +- x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 12);
1501 +- x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 12);
1502 +-
1503 +- x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 8);
1504 +- x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 8);
1505 +- x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 8);
1506 +- x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 8);
1507 +-
1508 +- x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 7);
1509 +- x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 7);
1510 +- x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 7);
1511 +- x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 7);
1512 +-
1513 +- x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 16);
1514 +- x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 16);
1515 +- x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 16);
1516 +- x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 16);
1517 +-
1518 +- x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 12);
1519 +- x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 12);
1520 +- x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 12);
1521 +- x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 12);
1522 +-
1523 +- x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 8);
1524 +- x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 8);
1525 +- x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 8);
1526 +- x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 8);
1527 +-
1528 +- x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 7);
1529 +- x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 7);
1530 +- x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 7);
1531 +- x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 7);
1532 +- }
1533 +-}
1534 +-
1535 +-/**
1536 +- * chacha_block - generate one keystream block and increment block counter
1537 +- * @state: input state matrix (16 32-bit words)
1538 +- * @stream: output keystream block (64 bytes)
1539 +- * @nrounds: number of rounds (20 or 12; 20 is recommended)
1540 +- *
1541 +- * This is the ChaCha core, a function from 64-byte strings to 64-byte strings.
1542 +- * The caller has already converted the endianness of the input. This function
1543 +- * also handles incrementing the block counter in the input matrix.
1544 +- */
1545 +-void chacha_block(u32 *state, u8 *stream, int nrounds)
1546 +-{
1547 +- u32 x[16];
1548 +- int i;
1549 +-
1550 +- memcpy(x, state, 64);
1551 +-
1552 +- chacha_permute(x, nrounds);
1553 +-
1554 +- for (i = 0; i < ARRAY_SIZE(x); i++)
1555 +- put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]);
1556 +-
1557 +- state[12]++;
1558 +-}
1559 +-EXPORT_SYMBOL(chacha_block);
1560 +-
1561 +-/**
1562 +- * hchacha_block - abbreviated ChaCha core, for XChaCha
1563 +- * @in: input state matrix (16 32-bit words)
1564 +- * @out: output (8 32-bit words)
1565 +- * @nrounds: number of rounds (20 or 12; 20 is recommended)
1566 +- *
1567 +- * HChaCha is the ChaCha equivalent of HSalsa and is an intermediate step
1568 +- * towards XChaCha (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha
1569 +- * skips the final addition of the initial state, and outputs only certain words
1570 +- * of the state. It should not be used for streaming directly.
1571 +- */
1572 +-void hchacha_block(const u32 *in, u32 *out, int nrounds)
1573 +-{
1574 +- u32 x[16];
1575 +-
1576 +- memcpy(x, in, 64);
1577 +-
1578 +- chacha_permute(x, nrounds);
1579 +-
1580 +- memcpy(&out[0], &x[0], 16);
1581 +- memcpy(&out[4], &x[12], 16);
1582 +-}
1583 +-EXPORT_SYMBOL(hchacha_block);
1584 +--- /dev/null
1585 ++++ b/lib/crypto/chacha.c
1586 +@@ -0,0 +1,115 @@
1587 ++// SPDX-License-Identifier: GPL-2.0-or-later
1588 ++/*
1589 ++ * The "hash function" used as the core of the ChaCha stream cipher (RFC7539)
1590 ++ *
1591 ++ * Copyright (C) 2015 Martin Willi
1592 ++ */
1593 ++
1594 ++#include <linux/bug.h>
1595 ++#include <linux/kernel.h>
1596 ++#include <linux/export.h>
1597 ++#include <linux/bitops.h>
1598 ++#include <linux/string.h>
1599 ++#include <linux/cryptohash.h>
1600 ++#include <asm/unaligned.h>
1601 ++#include <crypto/chacha.h>
1602 ++
1603 ++static void chacha_permute(u32 *x, int nrounds)
1604 ++{
1605 ++ int i;
1606 ++
1607 ++ /* whitelist the allowed round counts */
1608 ++ WARN_ON_ONCE(nrounds != 20 && nrounds != 12);
1609 ++
1610 ++ for (i = 0; i < nrounds; i += 2) {
1611 ++ x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 16);
1612 ++ x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 16);
1613 ++ x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 16);
1614 ++ x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 16);
1615 ++
1616 ++ x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 12);
1617 ++ x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 12);
1618 ++ x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 12);
1619 ++ x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 12);
1620 ++
1621 ++ x[0] += x[4]; x[12] = rol32(x[12] ^ x[0], 8);
1622 ++ x[1] += x[5]; x[13] = rol32(x[13] ^ x[1], 8);
1623 ++ x[2] += x[6]; x[14] = rol32(x[14] ^ x[2], 8);
1624 ++ x[3] += x[7]; x[15] = rol32(x[15] ^ x[3], 8);
1625 ++
1626 ++ x[8] += x[12]; x[4] = rol32(x[4] ^ x[8], 7);
1627 ++ x[9] += x[13]; x[5] = rol32(x[5] ^ x[9], 7);
1628 ++ x[10] += x[14]; x[6] = rol32(x[6] ^ x[10], 7);
1629 ++ x[11] += x[15]; x[7] = rol32(x[7] ^ x[11], 7);
1630 ++
1631 ++ x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 16);
1632 ++ x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 16);
1633 ++ x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 16);
1634 ++ x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 16);
1635 ++
1636 ++ x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 12);
1637 ++ x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 12);
1638 ++ x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 12);
1639 ++ x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 12);
1640 ++
1641 ++ x[0] += x[5]; x[15] = rol32(x[15] ^ x[0], 8);
1642 ++ x[1] += x[6]; x[12] = rol32(x[12] ^ x[1], 8);
1643 ++ x[2] += x[7]; x[13] = rol32(x[13] ^ x[2], 8);
1644 ++ x[3] += x[4]; x[14] = rol32(x[14] ^ x[3], 8);
1645 ++
1646 ++ x[10] += x[15]; x[5] = rol32(x[5] ^ x[10], 7);
1647 ++ x[11] += x[12]; x[6] = rol32(x[6] ^ x[11], 7);
1648 ++ x[8] += x[13]; x[7] = rol32(x[7] ^ x[8], 7);
1649 ++ x[9] += x[14]; x[4] = rol32(x[4] ^ x[9], 7);
1650 ++ }
1651 ++}
1652 ++
1653 ++/**
1654 ++ * chacha_block - generate one keystream block and increment block counter
1655 ++ * @state: input state matrix (16 32-bit words)
1656 ++ * @stream: output keystream block (64 bytes)
1657 ++ * @nrounds: number of rounds (20 or 12; 20 is recommended)
1658 ++ *
1659 ++ * This is the ChaCha core, a function from 64-byte strings to 64-byte strings.
1660 ++ * The caller has already converted the endianness of the input. This function
1661 ++ * also handles incrementing the block counter in the input matrix.
1662 ++ */
1663 ++void chacha_block_generic(u32 *state, u8 *stream, int nrounds)
1664 ++{
1665 ++ u32 x[16];
1666 ++ int i;
1667 ++
1668 ++ memcpy(x, state, 64);
1669 ++
1670 ++ chacha_permute(x, nrounds);
1671 ++
1672 ++ for (i = 0; i < ARRAY_SIZE(x); i++)
1673 ++ put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]);
1674 ++
1675 ++ state[12]++;
1676 ++}
1677 ++EXPORT_SYMBOL(chacha_block_generic);
1678 ++
1679 ++/**
1680 ++ * hchacha_block_generic - abbreviated ChaCha core, for XChaCha
1681 ++ * @state: input state matrix (16 32-bit words)
1682 ++ * @out: output (8 32-bit words)
1683 ++ * @nrounds: number of rounds (20 or 12; 20 is recommended)
1684 ++ *
1685 ++ * HChaCha is the ChaCha equivalent of HSalsa and is an intermediate step
1686 ++ * towards XChaCha (see https://cr.yp.to/snuffle/xsalsa-20081128.pdf). HChaCha
1687 ++ * skips the final addition of the initial state, and outputs only certain words
1688 ++ * of the state. It should not be used for streaming directly.
1689 ++ */
1690 ++void hchacha_block_generic(const u32 *state, u32 *stream, int nrounds)
1691 ++{
1692 ++ u32 x[16];
1693 ++
1694 ++ memcpy(x, state, 64);
1695 ++
1696 ++ chacha_permute(x, nrounds);
1697 ++
1698 ++ memcpy(&stream[0], &x[0], 16);
1699 ++ memcpy(&stream[4], &x[12], 16);
1700 ++}
1701 ++EXPORT_SYMBOL(hchacha_block_generic);
1702 +--- /dev/null
1703 ++++ b/lib/crypto/libchacha.c
1704 +@@ -0,0 +1,35 @@
1705 ++// SPDX-License-Identifier: GPL-2.0-or-later
1706 ++/*
1707 ++ * The ChaCha stream cipher (RFC7539)
1708 ++ *
1709 ++ * Copyright (C) 2015 Martin Willi
1710 ++ */
1711 ++
1712 ++#include <linux/kernel.h>
1713 ++#include <linux/export.h>
1714 ++#include <linux/module.h>
1715 ++
1716 ++#include <crypto/algapi.h> // for crypto_xor_cpy
1717 ++#include <crypto/chacha.h>
1718 ++
1719 ++void chacha_crypt_generic(u32 *state, u8 *dst, const u8 *src,
1720 ++ unsigned int bytes, int nrounds)
1721 ++{
1722 ++ /* aligned to potentially speed up crypto_xor() */
1723 ++ u8 stream[CHACHA_BLOCK_SIZE] __aligned(sizeof(long));
1724 ++
1725 ++ while (bytes >= CHACHA_BLOCK_SIZE) {
1726 ++ chacha_block_generic(state, stream, nrounds);
1727 ++ crypto_xor_cpy(dst, src, stream, CHACHA_BLOCK_SIZE);
1728 ++ bytes -= CHACHA_BLOCK_SIZE;
1729 ++ dst += CHACHA_BLOCK_SIZE;
1730 ++ src += CHACHA_BLOCK_SIZE;
1731 ++ }
1732 ++ if (bytes) {
1733 ++ chacha_block_generic(state, stream, nrounds);
1734 ++ crypto_xor_cpy(dst, src, stream, bytes);
1735 ++ }
1736 ++}
1737 ++EXPORT_SYMBOL(chacha_crypt_generic);
1738 ++
1739 ++MODULE_LICENSE("GPL");
1740 +--- b/arch/arm64/crypto/Kconfig
1741 ++++ b/arch/arm64/crypto/Kconfig
1742 +@@ -103,7 +103,14 @@
1743 + tristate "ChaCha20, XChaCha20, and XChaCha12 stream ciphers using NEON instructions"
1744 + depends on KERNEL_MODE_NEON
1745 + select CRYPTO_BLKCIPHER
1746 +- select CRYPTO_CHACHA20
1747 ++ select CRYPTO_LIB_CHACHA_GENERIC
1748 ++ select CRYPTO_ARCH_HAVE_LIB_CHACHA
1749 ++
1750 ++config CRYPTO_POLY1305_NEON
1751 ++ tristate "Poly1305 hash function using scalar or NEON instructions"
1752 ++ depends on KERNEL_MODE_NEON
1753 ++ select CRYPTO_HASH
1754 ++ select CRYPTO_ARCH_HAVE_LIB_POLY1305
1755 +
1756 + config CRYPTO_NHPOLY1305_NEON
1757 + tristate "NHPoly1305 hash function using NEON instructions (for Adiantum)"
1758 +--- b/arch/arm/crypto/chacha-scalar-core.S
1759 ++++ b/arch/arm/crypto/chacha-scalar-core.S
1760 +@@ -0,0 +1,460 @@
1761 ++/* SPDX-License-Identifier: GPL-2.0 */
1762 ++/*
1763 ++ * Copyright (C) 2018 Google, Inc.
1764 ++ */
1765 ++
1766 ++#include <linux/linkage.h>
1767 ++#include <asm/assembler.h>
1768 ++
1769 ++/*
1770 ++ * Design notes:
1771 ++ *
1772 ++ * 16 registers would be needed to hold the state matrix, but only 14 are
1773 ++ * available because 'sp' and 'pc' cannot be used. So we spill the elements
1774 ++ * (x8, x9) to the stack and swap them out with (x10, x11). This adds one
1775 ++ * 'ldrd' and one 'strd' instruction per round.
1776 ++ *
1777 ++ * All rotates are performed using the implicit rotate operand accepted by the
1778 ++ * 'add' and 'eor' instructions. This is faster than using explicit rotate
1779 ++ * instructions. To make this work, we allow the values in the second and last
1780 ++ * rows of the ChaCha state matrix (rows 'b' and 'd') to temporarily have the
1781 ++ * wrong rotation amount. The rotation amount is then fixed up just in time
1782 ++ * when the values are used. 'brot' is the number of bits the values in row 'b'
1783 ++ * need to be rotated right to arrive at the correct values, and 'drot'
1784 ++ * similarly for row 'd'. (brot, drot) start out as (0, 0) but we make it such
1785 ++ * that they end up as (25, 24) after every round.
1786 ++ */
1787 ++
1788 ++ // ChaCha state registers
1789 ++ X0 .req r0
1790 ++ X1 .req r1
1791 ++ X2 .req r2
1792 ++ X3 .req r3
1793 ++ X4 .req r4
1794 ++ X5 .req r5
1795 ++ X6 .req r6
1796 ++ X7 .req r7
1797 ++ X8_X10 .req r8 // shared by x8 and x10
1798 ++ X9_X11 .req r9 // shared by x9 and x11
1799 ++ X12 .req r10
1800 ++ X13 .req r11
1801 ++ X14 .req r12
1802 ++ X15 .req r14
1803 ++
1804 ++.macro __rev out, in, t0, t1, t2
1805 ++.if __LINUX_ARM_ARCH__ >= 6
1806 ++ rev \out, \in
1807 ++.else
1808 ++ lsl \t0, \in, #24
1809 ++ and \t1, \in, #0xff00
1810 ++ and \t2, \in, #0xff0000
1811 ++ orr \out, \t0, \in, lsr #24
1812 ++ orr \out, \out, \t1, lsl #8
1813 ++ orr \out, \out, \t2, lsr #8
1814 ++.endif
1815 ++.endm
1816 ++
1817 ++.macro _le32_bswap x, t0, t1, t2
1818 ++#ifdef __ARMEB__
1819 ++ __rev \x, \x, \t0, \t1, \t2
1820 ++#endif
1821 ++.endm
1822 ++
1823 ++.macro _le32_bswap_4x a, b, c, d, t0, t1, t2
1824 ++ _le32_bswap \a, \t0, \t1, \t2
1825 ++ _le32_bswap \b, \t0, \t1, \t2
1826 ++ _le32_bswap \c, \t0, \t1, \t2
1827 ++ _le32_bswap \d, \t0, \t1, \t2
1828 ++.endm
1829 ++
1830 ++.macro __ldrd a, b, src, offset
1831 ++#if __LINUX_ARM_ARCH__ >= 6
1832 ++ ldrd \a, \b, [\src, #\offset]
1833 ++#else
1834 ++ ldr \a, [\src, #\offset]
1835 ++ ldr \b, [\src, #\offset + 4]
1836 ++#endif
1837 ++.endm
1838 ++
1839 ++.macro __strd a, b, dst, offset
1840 ++#if __LINUX_ARM_ARCH__ >= 6
1841 ++ strd \a, \b, [\dst, #\offset]
1842 ++#else
1843 ++ str \a, [\dst, #\offset]
1844 ++ str \b, [\dst, #\offset + 4]
1845 ++#endif
1846 ++.endm
1847 ++
1848 ++.macro _halfround a1, b1, c1, d1, a2, b2, c2, d2
1849 ++
1850 ++ // a += b; d ^= a; d = rol(d, 16);
1851 ++ add \a1, \a1, \b1, ror #brot
1852 ++ add \a2, \a2, \b2, ror #brot
1853 ++ eor \d1, \a1, \d1, ror #drot
1854 ++ eor \d2, \a2, \d2, ror #drot
1855 ++ // drot == 32 - 16 == 16
1856 ++
1857 ++ // c += d; b ^= c; b = rol(b, 12);
1858 ++ add \c1, \c1, \d1, ror #16
1859 ++ add \c2, \c2, \d2, ror #16
1860 ++ eor \b1, \c1, \b1, ror #brot
1861 ++ eor \b2, \c2, \b2, ror #brot
1862 ++ // brot == 32 - 12 == 20
1863 ++
1864 ++ // a += b; d ^= a; d = rol(d, 8);
1865 ++ add \a1, \a1, \b1, ror #20
1866 ++ add \a2, \a2, \b2, ror #20
1867 ++ eor \d1, \a1, \d1, ror #16
1868 ++ eor \d2, \a2, \d2, ror #16
1869 ++ // drot == 32 - 8 == 24
1870 ++
1871 ++ // c += d; b ^= c; b = rol(b, 7);
1872 ++ add \c1, \c1, \d1, ror #24
1873 ++ add \c2, \c2, \d2, ror #24
1874 ++ eor \b1, \c1, \b1, ror #20
1875 ++ eor \b2, \c2, \b2, ror #20
1876 ++ // brot == 32 - 7 == 25
1877 ++.endm
1878 ++
1879 ++.macro _doubleround
1880 ++
1881 ++ // column round
1882 ++
1883 ++ // quarterrounds: (x0, x4, x8, x12) and (x1, x5, x9, x13)
1884 ++ _halfround X0, X4, X8_X10, X12, X1, X5, X9_X11, X13
1885 ++
1886 ++ // save (x8, x9); restore (x10, x11)
1887 ++ __strd X8_X10, X9_X11, sp, 0
1888 ++ __ldrd X8_X10, X9_X11, sp, 8
1889 ++
1890 ++ // quarterrounds: (x2, x6, x10, x14) and (x3, x7, x11, x15)
1891 ++ _halfround X2, X6, X8_X10, X14, X3, X7, X9_X11, X15
1892 ++
1893 ++ .set brot, 25
1894 ++ .set drot, 24
1895 ++
1896 ++ // diagonal round
1897 ++
1898 ++ // quarterrounds: (x0, x5, x10, x15) and (x1, x6, x11, x12)
1899 ++ _halfround X0, X5, X8_X10, X15, X1, X6, X9_X11, X12
1900 ++
1901 ++ // save (x10, x11); restore (x8, x9)
1902 ++ __strd X8_X10, X9_X11, sp, 8
1903 ++ __ldrd X8_X10, X9_X11, sp, 0
1904 ++
1905 ++ // quarterrounds: (x2, x7, x8, x13) and (x3, x4, x9, x14)
1906 ++ _halfround X2, X7, X8_X10, X13, X3, X4, X9_X11, X14
1907 ++.endm
1908 ++
1909 ++.macro _chacha_permute nrounds
1910 ++ .set brot, 0
1911 ++ .set drot, 0
1912 ++ .rept \nrounds / 2
1913 ++ _doubleround
1914 ++ .endr
1915 ++.endm
1916 ++
1917 ++.macro _chacha nrounds
1918 ++
1919 ++.Lnext_block\@:
1920 ++ // Stack: unused0-unused1 x10-x11 x0-x15 OUT IN LEN
1921 ++ // Registers contain x0-x9,x12-x15.
1922 ++
1923 ++ // Do the core ChaCha permutation to update x0-x15.
1924 ++ _chacha_permute \nrounds
1925 ++
1926 ++ add sp, #8
1927 ++ // Stack: x10-x11 orig_x0-orig_x15 OUT IN LEN
1928 ++ // Registers contain x0-x9,x12-x15.
1929 ++ // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
1930 ++
1931 ++ // Free up some registers (r8-r12,r14) by pushing (x8-x9,x12-x15).
1932 ++ push {X8_X10, X9_X11, X12, X13, X14, X15}
1933 ++
1934 ++ // Load (OUT, IN, LEN).
1935 ++ ldr r14, [sp, #96]
1936 ++ ldr r12, [sp, #100]
1937 ++ ldr r11, [sp, #104]
1938 ++
1939 ++ orr r10, r14, r12
1940 ++
1941 ++ // Use slow path if fewer than 64 bytes remain.
1942 ++ cmp r11, #64
1943 ++ blt .Lxor_slowpath\@
1944 ++
1945 ++ // Use slow path if IN and/or OUT isn't 4-byte aligned. Needed even on
1946 ++ // ARMv6+, since ldmia and stmia (used below) still require alignment.
1947 ++ tst r10, #3
1948 ++ bne .Lxor_slowpath\@
1949 ++
1950 ++ // Fast path: XOR 64 bytes of aligned data.
1951 ++
1952 ++ // Stack: x8-x9 x12-x15 x10-x11 orig_x0-orig_x15 OUT IN LEN
1953 ++ // Registers: r0-r7 are x0-x7; r8-r11 are free; r12 is IN; r14 is OUT.
1954 ++ // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
1955 ++
1956 ++ // x0-x3
1957 ++ __ldrd r8, r9, sp, 32
1958 ++ __ldrd r10, r11, sp, 40
1959 ++ add X0, X0, r8
1960 ++ add X1, X1, r9
1961 ++ add X2, X2, r10
1962 ++ add X3, X3, r11
1963 ++ _le32_bswap_4x X0, X1, X2, X3, r8, r9, r10
1964 ++ ldmia r12!, {r8-r11}
1965 ++ eor X0, X0, r8
1966 ++ eor X1, X1, r9
1967 ++ eor X2, X2, r10
1968 ++ eor X3, X3, r11
1969 ++ stmia r14!, {X0-X3}
1970 ++
1971 ++ // x4-x7
1972 ++ __ldrd r8, r9, sp, 48
1973 ++ __ldrd r10, r11, sp, 56
1974 ++ add X4, r8, X4, ror #brot
1975 ++ add X5, r9, X5, ror #brot
1976 ++ ldmia r12!, {X0-X3}
1977 ++ add X6, r10, X6, ror #brot
1978 ++ add X7, r11, X7, ror #brot
1979 ++ _le32_bswap_4x X4, X5, X6, X7, r8, r9, r10
1980 ++ eor X4, X4, X0
1981 ++ eor X5, X5, X1
1982 ++ eor X6, X6, X2
1983 ++ eor X7, X7, X3
1984 ++ stmia r14!, {X4-X7}
1985 ++
1986 ++ // x8-x15
1987 ++ pop {r0-r7} // (x8-x9,x12-x15,x10-x11)
1988 ++ __ldrd r8, r9, sp, 32
1989 ++ __ldrd r10, r11, sp, 40
1990 ++ add r0, r0, r8 // x8
1991 ++ add r1, r1, r9 // x9
1992 ++ add r6, r6, r10 // x10
1993 ++ add r7, r7, r11 // x11
1994 ++ _le32_bswap_4x r0, r1, r6, r7, r8, r9, r10
1995 ++ ldmia r12!, {r8-r11}
1996 ++ eor r0, r0, r8 // x8
1997 ++ eor r1, r1, r9 // x9
1998 ++ eor r6, r6, r10 // x10
1999 ++ eor r7, r7, r11 // x11
2000 ++ stmia r14!, {r0,r1,r6,r7}
2001 ++ ldmia r12!, {r0,r1,r6,r7}
2002 ++ __ldrd r8, r9, sp, 48
2003 ++ __ldrd r10, r11, sp, 56
2004 ++ add r2, r8, r2, ror #drot // x12
2005 ++ add r3, r9, r3, ror #drot // x13
2006 ++ add r4, r10, r4, ror #drot // x14
2007 ++ add r5, r11, r5, ror #drot // x15
2008 ++ _le32_bswap_4x r2, r3, r4, r5, r9, r10, r11
2009 ++ ldr r9, [sp, #72] // load LEN
2010 ++ eor r2, r2, r0 // x12
2011 ++ eor r3, r3, r1 // x13
2012 ++ eor r4, r4, r6 // x14
2013 ++ eor r5, r5, r7 // x15
2014 ++ subs r9, #64 // decrement and check LEN
2015 ++ stmia r14!, {r2-r5}
2016 ++
2017 ++ beq .Ldone\@
2018 ++
2019 ++.Lprepare_for_next_block\@:
2020 ++
2021 ++ // Stack: x0-x15 OUT IN LEN
2022 ++
2023 ++ // Increment block counter (x12)
2024 ++ add r8, #1
2025 ++
2026 ++ // Store updated (OUT, IN, LEN)
2027 ++ str r14, [sp, #64]
2028 ++ str r12, [sp, #68]
2029 ++ str r9, [sp, #72]
2030 ++
2031 ++ mov r14, sp
2032 ++
2033 ++ // Store updated block counter (x12)
2034 ++ str r8, [sp, #48]
2035 ++
2036 ++ sub sp, #16
2037 ++
2038 ++ // Reload state and do next block
2039 ++ ldmia r14!, {r0-r11} // load x0-x11
2040 ++ __strd r10, r11, sp, 8 // store x10-x11 before state
2041 ++ ldmia r14, {r10-r12,r14} // load x12-x15
2042 ++ b .Lnext_block\@
2043 ++
2044 ++.Lxor_slowpath\@:
2045 ++ // Slow path: < 64 bytes remaining, or unaligned input or output buffer.
2046 ++ // We handle it by storing the 64 bytes of keystream to the stack, then
2047 ++ // XOR-ing the needed portion with the data.
2048 ++
2049 ++ // Allocate keystream buffer
2050 ++ sub sp, #64
2051 ++ mov r14, sp
2052 ++
2053 ++ // Stack: ks0-ks15 x8-x9 x12-x15 x10-x11 orig_x0-orig_x15 OUT IN LEN
2054 ++ // Registers: r0-r7 are x0-x7; r8-r11 are free; r12 is IN; r14 is &ks0.
2055 ++ // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
2056 ++
2057 ++ // Save keystream for x0-x3
2058 ++ __ldrd r8, r9, sp, 96
2059 ++ __ldrd r10, r11, sp, 104
2060 ++ add X0, X0, r8
2061 ++ add X1, X1, r9
2062 ++ add X2, X2, r10
2063 ++ add X3, X3, r11
2064 ++ _le32_bswap_4x X0, X1, X2, X3, r8, r9, r10
2065 ++ stmia r14!, {X0-X3}
2066 ++
2067 ++ // Save keystream for x4-x7
2068 ++ __ldrd r8, r9, sp, 112
2069 ++ __ldrd r10, r11, sp, 120
2070 ++ add X4, r8, X4, ror #brot
2071 ++ add X5, r9, X5, ror #brot
2072 ++ add X6, r10, X6, ror #brot
2073 ++ add X7, r11, X7, ror #brot
2074 ++ _le32_bswap_4x X4, X5, X6, X7, r8, r9, r10
2075 ++ add r8, sp, #64
2076 ++ stmia r14!, {X4-X7}
2077 ++
2078 ++ // Save keystream for x8-x15
2079 ++ ldm r8, {r0-r7} // (x8-x9,x12-x15,x10-x11)
2080 ++ __ldrd r8, r9, sp, 128
2081 ++ __ldrd r10, r11, sp, 136
2082 ++ add r0, r0, r8 // x8
2083 ++ add r1, r1, r9 // x9
2084 ++ add r6, r6, r10 // x10
2085 ++ add r7, r7, r11 // x11
2086 ++ _le32_bswap_4x r0, r1, r6, r7, r8, r9, r10
2087 ++ stmia r14!, {r0,r1,r6,r7}
2088 ++ __ldrd r8, r9, sp, 144
2089 ++ __ldrd r10, r11, sp, 152
2090 ++ add r2, r8, r2, ror #drot // x12
2091 ++ add r3, r9, r3, ror #drot // x13
2092 ++ add r4, r10, r4, ror #drot // x14
2093 ++ add r5, r11, r5, ror #drot // x15
2094 ++ _le32_bswap_4x r2, r3, r4, r5, r9, r10, r11
2095 ++ stmia r14, {r2-r5}
2096 ++
2097 ++ // Stack: ks0-ks15 unused0-unused7 x0-x15 OUT IN LEN
2098 ++ // Registers: r8 is block counter, r12 is IN.
2099 ++
2100 ++ ldr r9, [sp, #168] // LEN
2101 ++ ldr r14, [sp, #160] // OUT
2102 ++ cmp r9, #64
2103 ++ mov r0, sp
2104 ++ movle r1, r9
2105 ++ movgt r1, #64
2106 ++ // r1 is number of bytes to XOR, in range [1, 64]
2107 ++
2108 ++.if __LINUX_ARM_ARCH__ < 6
2109 ++ orr r2, r12, r14
2110 ++ tst r2, #3 // IN or OUT misaligned?
2111 ++ bne .Lxor_next_byte\@
2112 ++.endif
2113 ++
2114 ++ // XOR a word at a time
2115 ++.rept 16
2116 ++ subs r1, #4
2117 ++ blt .Lxor_words_done\@
2118 ++ ldr r2, [r12], #4
2119 ++ ldr r3, [r0], #4
2120 ++ eor r2, r2, r3
2121 ++ str r2, [r14], #4
2122 ++.endr
2123 ++ b .Lxor_slowpath_done\@
2124 ++.Lxor_words_done\@:
2125 ++ ands r1, r1, #3
2126 ++ beq .Lxor_slowpath_done\@
2127 ++
2128 ++ // XOR a byte at a time
2129 ++.Lxor_next_byte\@:
2130 ++ ldrb r2, [r12], #1
2131 ++ ldrb r3, [r0], #1
2132 ++ eor r2, r2, r3
2133 ++ strb r2, [r14], #1
2134 ++ subs r1, #1
2135 ++ bne .Lxor_next_byte\@
2136 ++
2137 ++.Lxor_slowpath_done\@:
2138 ++ subs r9, #64
2139 ++ add sp, #96
2140 ++ bgt .Lprepare_for_next_block\@
2141 ++
2142 ++.Ldone\@:
2143 ++.endm // _chacha
2144 ++
2145 ++/*
2146 ++ * void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
2147 ++ * const u32 *state, int nrounds);
2148 ++ */
2149 ++ENTRY(chacha_doarm)
2150 ++ cmp r2, #0 // len == 0?
2151 ++ reteq lr
2152 ++
2153 ++ ldr ip, [sp]
2154 ++ cmp ip, #12
2155 ++
2156 ++ push {r0-r2,r4-r11,lr}
2157 ++
2158 ++ // Push state x0-x15 onto stack.
2159 ++ // Also store an extra copy of x10-x11 just before the state.
2160 ++
2161 ++ add X12, r3, #48
2162 ++ ldm X12, {X12,X13,X14,X15}
2163 ++ push {X12,X13,X14,X15}
2164 ++ sub sp, sp, #64
2165 ++
2166 ++ __ldrd X8_X10, X9_X11, r3, 40
2167 ++ __strd X8_X10, X9_X11, sp, 8
2168 ++ __strd X8_X10, X9_X11, sp, 56
2169 ++ ldm r3, {X0-X9_X11}
2170 ++ __strd X0, X1, sp, 16
2171 ++ __strd X2, X3, sp, 24
2172 ++ __strd X4, X5, sp, 32
2173 ++ __strd X6, X7, sp, 40
2174 ++ __strd X8_X10, X9_X11, sp, 48
2175 ++
2176 ++ beq 1f
2177 ++ _chacha 20
2178 ++
2179 ++0: add sp, #76
2180 ++ pop {r4-r11, pc}
2181 ++
2182 ++1: _chacha 12
2183 ++ b 0b
2184 ++ENDPROC(chacha_doarm)
2185 ++
2186 ++/*
2187 ++ * void hchacha_block_arm(const u32 state[16], u32 out[8], int nrounds);
2188 ++ */
2189 ++ENTRY(hchacha_block_arm)
2190 ++ push {r1,r4-r11,lr}
2191 ++
2192 ++ cmp r2, #12 // ChaCha12 ?
2193 ++
2194 ++ mov r14, r0
2195 ++ ldmia r14!, {r0-r11} // load x0-x11
2196 ++ push {r10-r11} // store x10-x11 to stack
2197 ++ ldm r14, {r10-r12,r14} // load x12-x15
2198 ++ sub sp, #8
2199 ++
2200 ++ beq 1f
2201 ++ _chacha_permute 20
2202 ++
2203 ++ // Skip over (unused0-unused1, x10-x11)
2204 ++0: add sp, #16
2205 ++
2206 ++ // Fix up rotations of x12-x15
2207 ++ ror X12, X12, #drot
2208 ++ ror X13, X13, #drot
2209 ++ pop {r4} // load 'out'
2210 ++ ror X14, X14, #drot
2211 ++ ror X15, X15, #drot
2212 ++
2213 ++ // Store (x0-x3,x12-x15) to 'out'
2214 ++ stm r4, {X0,X1,X2,X3,X12,X13,X14,X15}
2215 ++
2216 ++ pop {r4-r11,pc}
2217 ++
2218 ++1: _chacha_permute 12
2219 ++ b 0b
2220 ++ENDPROC(hchacha_block_arm)
2221 +--- b/arch/arm/crypto/Kconfig
2222 ++++ b/arch/arm/crypto/Kconfig
2223 +@@ -129,12 +129,22 @@
2224 + config CRYPTO_CHACHA20_NEON
2225 +- tristate "NEON accelerated ChaCha stream cipher algorithms"
2226 +- depends on KERNEL_MODE_NEON
2227 ++ tristate "NEON and scalar accelerated ChaCha stream cipher algorithms"
2228 + select CRYPTO_BLKCIPHER
2229 +- select CRYPTO_CHACHA20
2230 ++ select CRYPTO_ARCH_HAVE_LIB_CHACHA
2231 ++
2232 ++config CRYPTO_POLY1305_ARM
2233 ++ tristate "Accelerated scalar and SIMD Poly1305 hash implementations"
2234 ++ select CRYPTO_HASH
2235 ++ select CRYPTO_ARCH_HAVE_LIB_POLY1305
2236 +
2237 + config CRYPTO_NHPOLY1305_NEON
2238 + tristate "NEON accelerated NHPoly1305 hash function (for Adiantum)"
2239 + depends on KERNEL_MODE_NEON
2240 + select CRYPTO_NHPOLY1305
2241 +
2242 ++config CRYPTO_CURVE25519_NEON
2243 ++ tristate "NEON accelerated Curve25519 scalar multiplication library"
2244 ++ depends on KERNEL_MODE_NEON
2245 ++ select CRYPTO_LIB_CURVE25519_GENERIC
2246 ++ select CRYPTO_ARCH_HAVE_LIB_CURVE25519
2247 ++
2248 + endif
2249 +--- b/arch/arm/crypto/Makefile
2250 ++++ b/arch/arm/crypto/Makefile
2251 +@@ -10,7 +10,9 @@
2252 + obj-$(CONFIG_CRYPTO_SHA256_ARM) += sha256-arm.o
2253 + obj-$(CONFIG_CRYPTO_SHA512_ARM) += sha512-arm.o
2254 + obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
2255 ++obj-$(CONFIG_CRYPTO_POLY1305_ARM) += poly1305-arm.o
2256 + obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
2257 ++obj-$(CONFIG_CRYPTO_CURVE25519_NEON) += curve25519-neon.o
2258 +
2259 + ce-obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o
2260 + ce-obj-$(CONFIG_CRYPTO_SHA1_ARM_CE) += sha1-arm-ce.o
2261 +@@ -53,13 +55,19 @@
2262 + ghash-arm-ce-y := ghash-ce-core.o ghash-ce-glue.o
2263 + crct10dif-arm-ce-y := crct10dif-ce-core.o crct10dif-ce-glue.o
2264 + crc32-arm-ce-y:= crc32-ce-core.o crc32-ce-glue.o
2265 +-chacha-neon-y := chacha-neon-core.o chacha-neon-glue.o
2266 ++chacha-neon-y := chacha-scalar-core.o chacha-glue.o
2267 ++chacha-neon-$(CONFIG_KERNEL_MODE_NEON) += chacha-neon-core.o
2268 ++poly1305-arm-y := poly1305-core.o poly1305-glue.o
2269 + nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
2270 ++curve25519-neon-y := curve25519-core.o curve25519-glue.o
2271 +
2272 + ifdef REGENERATE_ARM_CRYPTO
2273 + quiet_cmd_perl = PERL $@
2274 + cmd_perl = $(PERL) $(<) > $(@)
2275 +
2276 ++$(src)/poly1305-core.S_shipped: $(src)/poly1305-armv4.pl
2277 ++ $(call cmd,perl)
2278 ++
2279 + $(src)/sha256-core.S_shipped: $(src)/sha256-armv4.pl
2280 + $(call cmd,perl)
2281 +
2282 +@@ -70 +78,6 @@
2283 +-clean-files += sha256-core.S sha512-core.S
2284 ++clean-files += poly1305-core.S sha256-core.S sha512-core.S
2285 ++
2286 ++# massage the perlasm code a bit so we only get the NEON routine if we need it
2287 ++poly1305-aflags-$(CONFIG_CPU_V7) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=5
2288 ++poly1305-aflags-$(CONFIG_KERNEL_MODE_NEON) := -U__LINUX_ARM_ARCH__ -D__LINUX_ARM_ARCH__=7
2289 ++AFLAGS_poly1305-core.o += $(poly1305-aflags-y)
2290 +--- b/arch/arm/crypto/chacha-glue.c
2291 ++++ b/arch/arm/crypto/chacha-glue.c
2292 +@@ -0,0 +1,358 @@
2293 ++// SPDX-License-Identifier: GPL-2.0
2294 ++/*
2295 ++ * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
2296 ++ * including ChaCha20 (RFC7539)
2297 ++ *
2298 ++ * Copyright (C) 2016-2019 Linaro, Ltd. <ard.biesheuvel@××××××.org>
2299 ++ * Copyright (C) 2015 Martin Willi
2300 ++ */
2301 ++
2302 ++#include <crypto/algapi.h>
2303 ++#include <crypto/internal/chacha.h>
2304 ++#include <crypto/internal/simd.h>
2305 ++#include <crypto/internal/skcipher.h>
2306 ++#include <linux/jump_label.h>
2307 ++#include <linux/kernel.h>
2308 ++#include <linux/module.h>
2309 ++
2310 ++#include <asm/cputype.h>
2311 ++#include <asm/hwcap.h>
2312 ++#include <asm/neon.h>
2313 ++#include <asm/simd.h>
2314 ++
2315 ++asmlinkage void chacha_block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
2316 ++ int nrounds);
2317 ++asmlinkage void chacha_4block_xor_neon(const u32 *state, u8 *dst, const u8 *src,
2318 ++ int nrounds, unsigned int nbytes);
2319 ++asmlinkage void hchacha_block_arm(const u32 *state, u32 *out, int nrounds);
2320 ++asmlinkage void hchacha_block_neon(const u32 *state, u32 *out, int nrounds);
2321 ++
2322 ++asmlinkage void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
2323 ++ const u32 *state, int nrounds);
2324 ++
2325 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(use_neon);
2326 ++
2327 ++static inline bool neon_usable(void)
2328 ++{
2329 ++ return static_branch_likely(&use_neon) && crypto_simd_usable();
2330 ++}
2331 ++
2332 ++static void chacha_doneon(u32 *state, u8 *dst, const u8 *src,
2333 ++ unsigned int bytes, int nrounds)
2334 ++{
2335 ++ u8 buf[CHACHA_BLOCK_SIZE];
2336 ++
2337 ++ while (bytes > CHACHA_BLOCK_SIZE) {
2338 ++ unsigned int l = min(bytes, CHACHA_BLOCK_SIZE * 4U);
2339 ++
2340 ++ chacha_4block_xor_neon(state, dst, src, nrounds, l);
2341 ++ bytes -= l;
2342 ++ src += l;
2343 ++ dst += l;
2344 ++ state[12] += DIV_ROUND_UP(l, CHACHA_BLOCK_SIZE);
2345 ++ }
2346 ++ if (bytes) {
2347 ++ const u8 *s = src;
2348 ++ u8 *d = dst;
2349 ++
2350 ++ if (bytes != CHACHA_BLOCK_SIZE)
2351 ++ s = d = memcpy(buf, src, bytes);
2352 ++ chacha_block_xor_neon(state, d, s, nrounds);
2353 ++ if (d != dst)
2354 ++ memcpy(dst, buf, bytes);
2355 ++ state[12]++;
2356 ++ }
2357 ++}
2358 ++
2359 ++void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds)
2360 ++{
2361 ++ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable()) {
2362 ++ hchacha_block_arm(state, stream, nrounds);
2363 ++ } else {
2364 ++ kernel_neon_begin();
2365 ++ hchacha_block_neon(state, stream, nrounds);
2366 ++ kernel_neon_end();
2367 ++ }
2368 ++}
2369 ++EXPORT_SYMBOL(hchacha_block_arch);
2370 ++
2371 ++void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
2372 ++{
2373 ++ chacha_init_generic(state, key, iv);
2374 ++}
2375 ++EXPORT_SYMBOL(chacha_init_arch);
2376 ++
2377 ++void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src, unsigned int bytes,
2378 ++ int nrounds)
2379 ++{
2380 ++ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon_usable() ||
2381 ++ bytes <= CHACHA_BLOCK_SIZE) {
2382 ++ chacha_doarm(dst, src, bytes, state, nrounds);
2383 ++ state[12] += DIV_ROUND_UP(bytes, CHACHA_BLOCK_SIZE);
2384 ++ return;
2385 ++ }
2386 ++
2387 ++ do {
2388 ++ unsigned int todo = min_t(unsigned int, bytes, SZ_4K);
2389 ++
2390 ++ kernel_neon_begin();
2391 ++ chacha_doneon(state, dst, src, todo, nrounds);
2392 ++ kernel_neon_end();
2393 ++
2394 ++ bytes -= todo;
2395 ++ src += todo;
2396 ++ dst += todo;
2397 ++ } while (bytes);
2398 ++}
2399 ++EXPORT_SYMBOL(chacha_crypt_arch);
2400 ++
2401 ++static int chacha_stream_xor(struct skcipher_request *req,
2402 ++ const struct chacha_ctx *ctx, const u8 *iv,
2403 ++ bool neon)
2404 ++{
2405 ++ struct skcipher_walk walk;
2406 ++ u32 state[16];
2407 ++ int err;
2408 ++
2409 ++ err = skcipher_walk_virt(&walk, req, false);
2410 ++
2411 ++ chacha_init_generic(state, ctx->key, iv);
2412 ++
2413 ++ while (walk.nbytes > 0) {
2414 ++ unsigned int nbytes = walk.nbytes;
2415 ++
2416 ++ if (nbytes < walk.total)
2417 ++ nbytes = round_down(nbytes, walk.stride);
2418 ++
2419 ++ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon) {
2420 ++ chacha_doarm(walk.dst.virt.addr, walk.src.virt.addr,
2421 ++ nbytes, state, ctx->nrounds);
2422 ++ state[12] += DIV_ROUND_UP(nbytes, CHACHA_BLOCK_SIZE);
2423 ++ } else {
2424 ++ kernel_neon_begin();
2425 ++ chacha_doneon(state, walk.dst.virt.addr,
2426 ++ walk.src.virt.addr, nbytes, ctx->nrounds);
2427 ++ kernel_neon_end();
2428 ++ }
2429 ++ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
2430 ++ }
2431 ++
2432 ++ return err;
2433 ++}
2434 ++
2435 ++static int do_chacha(struct skcipher_request *req, bool neon)
2436 ++{
2437 ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2438 ++ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
2439 ++
2440 ++ return chacha_stream_xor(req, ctx, req->iv, neon);
2441 ++}
2442 ++
2443 ++static int chacha_arm(struct skcipher_request *req)
2444 ++{
2445 ++ return do_chacha(req, false);
2446 ++}
2447 ++
2448 ++static int chacha_neon(struct skcipher_request *req)
2449 ++{
2450 ++ return do_chacha(req, neon_usable());
2451 ++}
2452 ++
2453 ++static int do_xchacha(struct skcipher_request *req, bool neon)
2454 ++{
2455 ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
2456 ++ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
2457 ++ struct chacha_ctx subctx;
2458 ++ u32 state[16];
2459 ++ u8 real_iv[16];
2460 ++
2461 ++ chacha_init_generic(state, ctx->key, req->iv);
2462 ++
2463 ++ if (!IS_ENABLED(CONFIG_KERNEL_MODE_NEON) || !neon) {
2464 ++ hchacha_block_arm(state, subctx.key, ctx->nrounds);
2465 ++ } else {
2466 ++ kernel_neon_begin();
2467 ++ hchacha_block_neon(state, subctx.key, ctx->nrounds);
2468 ++ kernel_neon_end();
2469 ++ }
2470 ++ subctx.nrounds = ctx->nrounds;
2471 ++
2472 ++ memcpy(&real_iv[0], req->iv + 24, 8);
2473 ++ memcpy(&real_iv[8], req->iv + 16, 8);
2474 ++ return chacha_stream_xor(req, &subctx, real_iv, neon);
2475 ++}
2476 ++
2477 ++static int xchacha_arm(struct skcipher_request *req)
2478 ++{
2479 ++ return do_xchacha(req, false);
2480 ++}
2481 ++
2482 ++static int xchacha_neon(struct skcipher_request *req)
2483 ++{
2484 ++ return do_xchacha(req, neon_usable());
2485 ++}
2486 ++
2487 ++static struct skcipher_alg arm_algs[] = {
2488 ++ {
2489 ++ .base.cra_name = "chacha20",
2490 ++ .base.cra_driver_name = "chacha20-arm",
2491 ++ .base.cra_priority = 200,
2492 ++ .base.cra_blocksize = 1,
2493 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2494 ++ .base.cra_module = THIS_MODULE,
2495 ++
2496 ++ .min_keysize = CHACHA_KEY_SIZE,
2497 ++ .max_keysize = CHACHA_KEY_SIZE,
2498 ++ .ivsize = CHACHA_IV_SIZE,
2499 ++ .chunksize = CHACHA_BLOCK_SIZE,
2500 ++ .setkey = chacha20_setkey,
2501 ++ .encrypt = chacha_arm,
2502 ++ .decrypt = chacha_arm,
2503 ++ }, {
2504 ++ .base.cra_name = "xchacha20",
2505 ++ .base.cra_driver_name = "xchacha20-arm",
2506 ++ .base.cra_priority = 200,
2507 ++ .base.cra_blocksize = 1,
2508 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2509 ++ .base.cra_module = THIS_MODULE,
2510 ++
2511 ++ .min_keysize = CHACHA_KEY_SIZE,
2512 ++ .max_keysize = CHACHA_KEY_SIZE,
2513 ++ .ivsize = XCHACHA_IV_SIZE,
2514 ++ .chunksize = CHACHA_BLOCK_SIZE,
2515 ++ .setkey = chacha20_setkey,
2516 ++ .encrypt = xchacha_arm,
2517 ++ .decrypt = xchacha_arm,
2518 ++ }, {
2519 ++ .base.cra_name = "xchacha12",
2520 ++ .base.cra_driver_name = "xchacha12-arm",
2521 ++ .base.cra_priority = 200,
2522 ++ .base.cra_blocksize = 1,
2523 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2524 ++ .base.cra_module = THIS_MODULE,
2525 ++
2526 ++ .min_keysize = CHACHA_KEY_SIZE,
2527 ++ .max_keysize = CHACHA_KEY_SIZE,
2528 ++ .ivsize = XCHACHA_IV_SIZE,
2529 ++ .chunksize = CHACHA_BLOCK_SIZE,
2530 ++ .setkey = chacha12_setkey,
2531 ++ .encrypt = xchacha_arm,
2532 ++ .decrypt = xchacha_arm,
2533 ++ },
2534 ++};
2535 ++
2536 ++static struct skcipher_alg neon_algs[] = {
2537 ++ {
2538 ++ .base.cra_name = "chacha20",
2539 ++ .base.cra_driver_name = "chacha20-neon",
2540 ++ .base.cra_priority = 300,
2541 ++ .base.cra_blocksize = 1,
2542 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2543 ++ .base.cra_module = THIS_MODULE,
2544 ++
2545 ++ .min_keysize = CHACHA_KEY_SIZE,
2546 ++ .max_keysize = CHACHA_KEY_SIZE,
2547 ++ .ivsize = CHACHA_IV_SIZE,
2548 ++ .chunksize = CHACHA_BLOCK_SIZE,
2549 ++ .walksize = 4 * CHACHA_BLOCK_SIZE,
2550 ++ .setkey = chacha20_setkey,
2551 ++ .encrypt = chacha_neon,
2552 ++ .decrypt = chacha_neon,
2553 ++ }, {
2554 ++ .base.cra_name = "xchacha20",
2555 ++ .base.cra_driver_name = "xchacha20-neon",
2556 ++ .base.cra_priority = 300,
2557 ++ .base.cra_blocksize = 1,
2558 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2559 ++ .base.cra_module = THIS_MODULE,
2560 ++
2561 ++ .min_keysize = CHACHA_KEY_SIZE,
2562 ++ .max_keysize = CHACHA_KEY_SIZE,
2563 ++ .ivsize = XCHACHA_IV_SIZE,
2564 ++ .chunksize = CHACHA_BLOCK_SIZE,
2565 ++ .walksize = 4 * CHACHA_BLOCK_SIZE,
2566 ++ .setkey = chacha20_setkey,
2567 ++ .encrypt = xchacha_neon,
2568 ++ .decrypt = xchacha_neon,
2569 ++ }, {
2570 ++ .base.cra_name = "xchacha12",
2571 ++ .base.cra_driver_name = "xchacha12-neon",
2572 ++ .base.cra_priority = 300,
2573 ++ .base.cra_blocksize = 1,
2574 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
2575 ++ .base.cra_module = THIS_MODULE,
2576 ++
2577 ++ .min_keysize = CHACHA_KEY_SIZE,
2578 ++ .max_keysize = CHACHA_KEY_SIZE,
2579 ++ .ivsize = XCHACHA_IV_SIZE,
2580 ++ .chunksize = CHACHA_BLOCK_SIZE,
2581 ++ .walksize = 4 * CHACHA_BLOCK_SIZE,
2582 ++ .setkey = chacha12_setkey,
2583 ++ .encrypt = xchacha_neon,
2584 ++ .decrypt = xchacha_neon,
2585 ++ }
2586 ++};
2587 ++
2588 ++static int __init chacha_simd_mod_init(void)
2589 ++{
2590 ++ int err = 0;
2591 ++
2592 ++ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER)) {
2593 ++ err = crypto_register_skciphers(arm_algs, ARRAY_SIZE(arm_algs));
2594 ++ if (err)
2595 ++ return err;
2596 ++ }
2597 ++
2598 ++ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && (elf_hwcap & HWCAP_NEON)) {
2599 ++ int i;
2600 ++
2601 ++ switch (read_cpuid_part()) {
2602 ++ case ARM_CPU_PART_CORTEX_A7:
2603 ++ case ARM_CPU_PART_CORTEX_A5:
2604 ++ /*
2605 ++ * The Cortex-A7 and Cortex-A5 do not perform well with
2606 ++ * the NEON implementation but do incredibly with the
2607 ++ * scalar one and use less power.
2608 ++ */
2609 ++ for (i = 0; i < ARRAY_SIZE(neon_algs); i++)
2610 ++ neon_algs[i].base.cra_priority = 0;
2611 ++ break;
2612 ++ default:
2613 ++ static_branch_enable(&use_neon);
2614 ++ }
2615 ++
2616 ++ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER)) {
2617 ++ err = crypto_register_skciphers(neon_algs, ARRAY_SIZE(neon_algs));
2618 ++ if (err)
2619 ++ crypto_unregister_skciphers(arm_algs, ARRAY_SIZE(arm_algs));
2620 ++ }
2621 ++ }
2622 ++ return err;
2623 ++}
2624 ++
2625 ++static void __exit chacha_simd_mod_fini(void)
2626 ++{
2627 ++ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER)) {
2628 ++ crypto_unregister_skciphers(arm_algs, ARRAY_SIZE(arm_algs));
2629 ++ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) && (elf_hwcap & HWCAP_NEON))
2630 ++ crypto_unregister_skciphers(neon_algs, ARRAY_SIZE(neon_algs));
2631 ++ }
2632 ++}
2633 ++
2634 ++module_init(chacha_simd_mod_init);
2635 ++module_exit(chacha_simd_mod_fini);
2636 ++
2637 ++MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (scalar and NEON accelerated)");
2638 ++MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@××××××.org>");
2639 ++MODULE_LICENSE("GPL v2");
2640 ++MODULE_ALIAS_CRYPTO("chacha20");
2641 ++MODULE_ALIAS_CRYPTO("chacha20-arm");
2642 ++MODULE_ALIAS_CRYPTO("xchacha20");
2643 ++MODULE_ALIAS_CRYPTO("xchacha20-arm");
2644 ++MODULE_ALIAS_CRYPTO("xchacha12");
2645 ++MODULE_ALIAS_CRYPTO("xchacha12-arm");
2646 ++#ifdef CONFIG_KERNEL_MODE_NEON
2647 ++MODULE_ALIAS_CRYPTO("chacha20-neon");
2648 ++MODULE_ALIAS_CRYPTO("xchacha20-neon");
2649 ++MODULE_ALIAS_CRYPTO("xchacha12-neon");
2650 ++#endif
2651 +--- b/arch/mips/crypto/chacha-core.S
2652 ++++ b/arch/mips/crypto/chacha-core.S
2653 +@@ -0,0 +1,497 @@
2654 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
2655 ++/*
2656 ++ * Copyright (C) 2016-2018 René van Dorst <opensource@××××××.com>. All Rights Reserved.
2657 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
2658 ++ */
2659 ++
2660 ++#define MASK_U32 0x3c
2661 ++#define CHACHA20_BLOCK_SIZE 64
2662 ++#define STACK_SIZE 32
2663 ++
2664 ++#define X0 $t0
2665 ++#define X1 $t1
2666 ++#define X2 $t2
2667 ++#define X3 $t3
2668 ++#define X4 $t4
2669 ++#define X5 $t5
2670 ++#define X6 $t6
2671 ++#define X7 $t7
2672 ++#define X8 $t8
2673 ++#define X9 $t9
2674 ++#define X10 $v1
2675 ++#define X11 $s6
2676 ++#define X12 $s5
2677 ++#define X13 $s4
2678 ++#define X14 $s3
2679 ++#define X15 $s2
2680 ++/* Use regs which are overwritten on exit for Tx so we don't leak clear data. */
2681 ++#define T0 $s1
2682 ++#define T1 $s0
2683 ++#define T(n) T ## n
2684 ++#define X(n) X ## n
2685 ++
2686 ++/* Input arguments */
2687 ++#define STATE $a0
2688 ++#define OUT $a1
2689 ++#define IN $a2
2690 ++#define BYTES $a3
2691 ++
2692 ++/* Output argument */
2693 ++/* NONCE[0] is kept in a register and not in memory.
2694 ++ * We don't want to touch original value in memory.
2695 ++ * Must be incremented every loop iteration.
2696 ++ */
2697 ++#define NONCE_0 $v0
2698 ++
2699 ++/* SAVED_X and SAVED_CA are set in the jump table.
2700 ++ * Use regs which are overwritten on exit else we don't leak clear data.
2701 ++ * They are used to handling the last bytes which are not multiple of 4.
2702 ++ */
2703 ++#define SAVED_X X15
2704 ++#define SAVED_CA $s7
2705 ++
2706 ++#define IS_UNALIGNED $s7
2707 ++
2708 ++#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
2709 ++#define MSB 0
2710 ++#define LSB 3
2711 ++#define ROTx rotl
2712 ++#define ROTR(n) rotr n, 24
2713 ++#define CPU_TO_LE32(n) \
2714 ++ wsbh n; \
2715 ++ rotr n, 16;
2716 ++#else
2717 ++#define MSB 3
2718 ++#define LSB 0
2719 ++#define ROTx rotr
2720 ++#define CPU_TO_LE32(n)
2721 ++#define ROTR(n)
2722 ++#endif
2723 ++
2724 ++#define FOR_EACH_WORD(x) \
2725 ++ x( 0); \
2726 ++ x( 1); \
2727 ++ x( 2); \
2728 ++ x( 3); \
2729 ++ x( 4); \
2730 ++ x( 5); \
2731 ++ x( 6); \
2732 ++ x( 7); \
2733 ++ x( 8); \
2734 ++ x( 9); \
2735 ++ x(10); \
2736 ++ x(11); \
2737 ++ x(12); \
2738 ++ x(13); \
2739 ++ x(14); \
2740 ++ x(15);
2741 ++
2742 ++#define FOR_EACH_WORD_REV(x) \
2743 ++ x(15); \
2744 ++ x(14); \
2745 ++ x(13); \
2746 ++ x(12); \
2747 ++ x(11); \
2748 ++ x(10); \
2749 ++ x( 9); \
2750 ++ x( 8); \
2751 ++ x( 7); \
2752 ++ x( 6); \
2753 ++ x( 5); \
2754 ++ x( 4); \
2755 ++ x( 3); \
2756 ++ x( 2); \
2757 ++ x( 1); \
2758 ++ x( 0);
2759 ++
2760 ++#define PLUS_ONE_0 1
2761 ++#define PLUS_ONE_1 2
2762 ++#define PLUS_ONE_2 3
2763 ++#define PLUS_ONE_3 4
2764 ++#define PLUS_ONE_4 5
2765 ++#define PLUS_ONE_5 6
2766 ++#define PLUS_ONE_6 7
2767 ++#define PLUS_ONE_7 8
2768 ++#define PLUS_ONE_8 9
2769 ++#define PLUS_ONE_9 10
2770 ++#define PLUS_ONE_10 11
2771 ++#define PLUS_ONE_11 12
2772 ++#define PLUS_ONE_12 13
2773 ++#define PLUS_ONE_13 14
2774 ++#define PLUS_ONE_14 15
2775 ++#define PLUS_ONE_15 16
2776 ++#define PLUS_ONE(x) PLUS_ONE_ ## x
2777 ++#define _CONCAT3(a,b,c) a ## b ## c
2778 ++#define CONCAT3(a,b,c) _CONCAT3(a,b,c)
2779 ++
2780 ++#define STORE_UNALIGNED(x) \
2781 ++CONCAT3(.Lchacha_mips_xor_unaligned_, PLUS_ONE(x), _b: ;) \
2782 ++ .if (x != 12); \
2783 ++ lw T0, (x*4)(STATE); \
2784 ++ .endif; \
2785 ++ lwl T1, (x*4)+MSB ## (IN); \
2786 ++ lwr T1, (x*4)+LSB ## (IN); \
2787 ++ .if (x == 12); \
2788 ++ addu X ## x, NONCE_0; \
2789 ++ .else; \
2790 ++ addu X ## x, T0; \
2791 ++ .endif; \
2792 ++ CPU_TO_LE32(X ## x); \
2793 ++ xor X ## x, T1; \
2794 ++ swl X ## x, (x*4)+MSB ## (OUT); \
2795 ++ swr X ## x, (x*4)+LSB ## (OUT);
2796 ++
2797 ++#define STORE_ALIGNED(x) \
2798 ++CONCAT3(.Lchacha_mips_xor_aligned_, PLUS_ONE(x), _b: ;) \
2799 ++ .if (x != 12); \
2800 ++ lw T0, (x*4)(STATE); \
2801 ++ .endif; \
2802 ++ lw T1, (x*4) ## (IN); \
2803 ++ .if (x == 12); \
2804 ++ addu X ## x, NONCE_0; \
2805 ++ .else; \
2806 ++ addu X ## x, T0; \
2807 ++ .endif; \
2808 ++ CPU_TO_LE32(X ## x); \
2809 ++ xor X ## x, T1; \
2810 ++ sw X ## x, (x*4) ## (OUT);
2811 ++
2812 ++/* Jump table macro.
2813 ++ * Used for setup and handling the last bytes, which are not multiple of 4.
2814 ++ * X15 is free to store Xn
2815 ++ * Every jumptable entry must be equal in size.
2816 ++ */
2817 ++#define JMPTBL_ALIGNED(x) \
2818 ++.Lchacha_mips_jmptbl_aligned_ ## x: ; \
2819 ++ .set noreorder; \
2820 ++ b .Lchacha_mips_xor_aligned_ ## x ## _b; \
2821 ++ .if (x == 12); \
2822 ++ addu SAVED_X, X ## x, NONCE_0; \
2823 ++ .else; \
2824 ++ addu SAVED_X, X ## x, SAVED_CA; \
2825 ++ .endif; \
2826 ++ .set reorder
2827 ++
2828 ++#define JMPTBL_UNALIGNED(x) \
2829 ++.Lchacha_mips_jmptbl_unaligned_ ## x: ; \
2830 ++ .set noreorder; \
2831 ++ b .Lchacha_mips_xor_unaligned_ ## x ## _b; \
2832 ++ .if (x == 12); \
2833 ++ addu SAVED_X, X ## x, NONCE_0; \
2834 ++ .else; \
2835 ++ addu SAVED_X, X ## x, SAVED_CA; \
2836 ++ .endif; \
2837 ++ .set reorder
2838 ++
2839 ++#define AXR(A, B, C, D, K, L, M, N, V, W, Y, Z, S) \
2840 ++ addu X(A), X(K); \
2841 ++ addu X(B), X(L); \
2842 ++ addu X(C), X(M); \
2843 ++ addu X(D), X(N); \
2844 ++ xor X(V), X(A); \
2845 ++ xor X(W), X(B); \
2846 ++ xor X(Y), X(C); \
2847 ++ xor X(Z), X(D); \
2848 ++ rotl X(V), S; \
2849 ++ rotl X(W), S; \
2850 ++ rotl X(Y), S; \
2851 ++ rotl X(Z), S;
2852 ++
2853 ++.text
2854 ++.set reorder
2855 ++.set noat
2856 ++.globl chacha_crypt_arch
2857 ++.ent chacha_crypt_arch
2858 ++chacha_crypt_arch:
2859 ++ .frame $sp, STACK_SIZE, $ra
2860 ++
2861 ++ /* Load number of rounds */
2862 ++ lw $at, 16($sp)
2863 ++
2864 ++ addiu $sp, -STACK_SIZE
2865 ++
2866 ++ /* Return bytes = 0. */
2867 ++ beqz BYTES, .Lchacha_mips_end
2868 ++
2869 ++ lw NONCE_0, 48(STATE)
2870 ++
2871 ++ /* Save s0-s7 */
2872 ++ sw $s0, 0($sp)
2873 ++ sw $s1, 4($sp)
2874 ++ sw $s2, 8($sp)
2875 ++ sw $s3, 12($sp)
2876 ++ sw $s4, 16($sp)
2877 ++ sw $s5, 20($sp)
2878 ++ sw $s6, 24($sp)
2879 ++ sw $s7, 28($sp)
2880 ++
2881 ++ /* Test IN or OUT is unaligned.
2882 ++ * IS_UNALIGNED = ( IN | OUT ) & 0x00000003
2883 ++ */
2884 ++ or IS_UNALIGNED, IN, OUT
2885 ++ andi IS_UNALIGNED, 0x3
2886 ++
2887 ++ b .Lchacha_rounds_start
2888 ++
2889 ++.align 4
2890 ++.Loop_chacha_rounds:
2891 ++ addiu IN, CHACHA20_BLOCK_SIZE
2892 ++ addiu OUT, CHACHA20_BLOCK_SIZE
2893 ++ addiu NONCE_0, 1
2894 ++
2895 ++.Lchacha_rounds_start:
2896 ++ lw X0, 0(STATE)
2897 ++ lw X1, 4(STATE)
2898 ++ lw X2, 8(STATE)
2899 ++ lw X3, 12(STATE)
2900 ++
2901 ++ lw X4, 16(STATE)
2902 ++ lw X5, 20(STATE)
2903 ++ lw X6, 24(STATE)
2904 ++ lw X7, 28(STATE)
2905 ++ lw X8, 32(STATE)
2906 ++ lw X9, 36(STATE)
2907 ++ lw X10, 40(STATE)
2908 ++ lw X11, 44(STATE)
2909 ++
2910 ++ move X12, NONCE_0
2911 ++ lw X13, 52(STATE)
2912 ++ lw X14, 56(STATE)
2913 ++ lw X15, 60(STATE)
2914 ++
2915 ++.Loop_chacha_xor_rounds:
2916 ++ addiu $at, -2
2917 ++ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 16);
2918 ++ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 12);
2919 ++ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 8);
2920 ++ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 7);
2921 ++ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 16);
2922 ++ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 12);
2923 ++ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 8);
2924 ++ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 7);
2925 ++ bnez $at, .Loop_chacha_xor_rounds
2926 ++
2927 ++ addiu BYTES, -(CHACHA20_BLOCK_SIZE)
2928 ++
2929 ++ /* Is data src/dst unaligned? Jump */
2930 ++ bnez IS_UNALIGNED, .Loop_chacha_unaligned
2931 ++
2932 ++ /* Set number rounds here to fill delayslot. */
2933 ++ lw $at, (STACK_SIZE+16)($sp)
2934 ++
2935 ++ /* BYTES < 0, it has no full block. */
2936 ++ bltz BYTES, .Lchacha_mips_no_full_block_aligned
2937 ++
2938 ++ FOR_EACH_WORD_REV(STORE_ALIGNED)
2939 ++
2940 ++ /* BYTES > 0? Loop again. */
2941 ++ bgtz BYTES, .Loop_chacha_rounds
2942 ++
2943 ++ /* Place this here to fill delay slot */
2944 ++ addiu NONCE_0, 1
2945 ++
2946 ++ /* BYTES < 0? Handle last bytes */
2947 ++ bltz BYTES, .Lchacha_mips_xor_bytes
2948 ++
2949 ++.Lchacha_mips_xor_done:
2950 ++ /* Restore used registers */
2951 ++ lw $s0, 0($sp)
2952 ++ lw $s1, 4($sp)
2953 ++ lw $s2, 8($sp)
2954 ++ lw $s3, 12($sp)
2955 ++ lw $s4, 16($sp)
2956 ++ lw $s5, 20($sp)
2957 ++ lw $s6, 24($sp)
2958 ++ lw $s7, 28($sp)
2959 ++
2960 ++ /* Write NONCE_0 back to right location in state */
2961 ++ sw NONCE_0, 48(STATE)
2962 ++
2963 ++.Lchacha_mips_end:
2964 ++ addiu $sp, STACK_SIZE
2965 ++ jr $ra
2966 ++
2967 ++.Lchacha_mips_no_full_block_aligned:
2968 ++ /* Restore the offset on BYTES */
2969 ++ addiu BYTES, CHACHA20_BLOCK_SIZE
2970 ++
2971 ++ /* Get number of full WORDS */
2972 ++ andi $at, BYTES, MASK_U32
2973 ++
2974 ++ /* Load upper half of jump table addr */
2975 ++ lui T0, %hi(.Lchacha_mips_jmptbl_aligned_0)
2976 ++
2977 ++ /* Calculate lower half jump table offset */
2978 ++ ins T0, $at, 1, 6
2979 ++
2980 ++ /* Add offset to STATE */
2981 ++ addu T1, STATE, $at
2982 ++
2983 ++ /* Add lower half jump table addr */
2984 ++ addiu T0, %lo(.Lchacha_mips_jmptbl_aligned_0)
2985 ++
2986 ++ /* Read value from STATE */
2987 ++ lw SAVED_CA, 0(T1)
2988 ++
2989 ++ /* Store remaining bytecounter as negative value */
2990 ++ subu BYTES, $at, BYTES
2991 ++
2992 ++ jr T0
2993 ++
2994 ++ /* Jump table */
2995 ++ FOR_EACH_WORD(JMPTBL_ALIGNED)
2996 ++
2997 ++
2998 ++.Loop_chacha_unaligned:
2999 ++ /* Set number rounds here to fill delayslot. */
3000 ++ lw $at, (STACK_SIZE+16)($sp)
3001 ++
3002 ++ /* BYTES > 0, it has no full block. */
3003 ++ bltz BYTES, .Lchacha_mips_no_full_block_unaligned
3004 ++
3005 ++ FOR_EACH_WORD_REV(STORE_UNALIGNED)
3006 ++
3007 ++ /* BYTES > 0? Loop again. */
3008 ++ bgtz BYTES, .Loop_chacha_rounds
3009 ++
3010 ++ /* Write NONCE_0 back to right location in state */
3011 ++ sw NONCE_0, 48(STATE)
3012 ++
3013 ++ .set noreorder
3014 ++ /* Fall through to byte handling */
3015 ++ bgez BYTES, .Lchacha_mips_xor_done
3016 ++.Lchacha_mips_xor_unaligned_0_b:
3017 ++.Lchacha_mips_xor_aligned_0_b:
3018 ++ /* Place this here to fill delay slot */
3019 ++ addiu NONCE_0, 1
3020 ++ .set reorder
3021 ++
3022 ++.Lchacha_mips_xor_bytes:
3023 ++ addu IN, $at
3024 ++ addu OUT, $at
3025 ++ /* First byte */
3026 ++ lbu T1, 0(IN)
3027 ++ addiu $at, BYTES, 1
3028 ++ CPU_TO_LE32(SAVED_X)
3029 ++ ROTR(SAVED_X)
3030 ++ xor T1, SAVED_X
3031 ++ sb T1, 0(OUT)
3032 ++ beqz $at, .Lchacha_mips_xor_done
3033 ++ /* Second byte */
3034 ++ lbu T1, 1(IN)
3035 ++ addiu $at, BYTES, 2
3036 ++ ROTx SAVED_X, 8
3037 ++ xor T1, SAVED_X
3038 ++ sb T1, 1(OUT)
3039 ++ beqz $at, .Lchacha_mips_xor_done
3040 ++ /* Third byte */
3041 ++ lbu T1, 2(IN)
3042 ++ ROTx SAVED_X, 8
3043 ++ xor T1, SAVED_X
3044 ++ sb T1, 2(OUT)
3045 ++ b .Lchacha_mips_xor_done
3046 ++
3047 ++.Lchacha_mips_no_full_block_unaligned:
3048 ++ /* Restore the offset on BYTES */
3049 ++ addiu BYTES, CHACHA20_BLOCK_SIZE
3050 ++
3051 ++ /* Get number of full WORDS */
3052 ++ andi $at, BYTES, MASK_U32
3053 ++
3054 ++ /* Load upper half of jump table addr */
3055 ++ lui T0, %hi(.Lchacha_mips_jmptbl_unaligned_0)
3056 ++
3057 ++ /* Calculate lower half jump table offset */
3058 ++ ins T0, $at, 1, 6
3059 ++
3060 ++ /* Add offset to STATE */
3061 ++ addu T1, STATE, $at
3062 ++
3063 ++ /* Add lower half jump table addr */
3064 ++ addiu T0, %lo(.Lchacha_mips_jmptbl_unaligned_0)
3065 ++
3066 ++ /* Read value from STATE */
3067 ++ lw SAVED_CA, 0(T1)
3068 ++
3069 ++ /* Store remaining bytecounter as negative value */
3070 ++ subu BYTES, $at, BYTES
3071 ++
3072 ++ jr T0
3073 ++
3074 ++ /* Jump table */
3075 ++ FOR_EACH_WORD(JMPTBL_UNALIGNED)
3076 ++.end chacha_crypt_arch
3077 ++.set at
3078 ++
3079 ++/* Input arguments
3080 ++ * STATE $a0
3081 ++ * OUT $a1
3082 ++ * NROUND $a2
3083 ++ */
3084 ++
3085 ++#undef X12
3086 ++#undef X13
3087 ++#undef X14
3088 ++#undef X15
3089 ++
3090 ++#define X12 $a3
3091 ++#define X13 $at
3092 ++#define X14 $v0
3093 ++#define X15 STATE
3094 ++
3095 ++.set noat
3096 ++.globl hchacha_block_arch
3097 ++.ent hchacha_block_arch
3098 ++hchacha_block_arch:
3099 ++ .frame $sp, STACK_SIZE, $ra
3100 ++
3101 ++ addiu $sp, -STACK_SIZE
3102 ++
3103 ++ /* Save X11(s6) */
3104 ++ sw X11, 0($sp)
3105 ++
3106 ++ lw X0, 0(STATE)
3107 ++ lw X1, 4(STATE)
3108 ++ lw X2, 8(STATE)
3109 ++ lw X3, 12(STATE)
3110 ++ lw X4, 16(STATE)
3111 ++ lw X5, 20(STATE)
3112 ++ lw X6, 24(STATE)
3113 ++ lw X7, 28(STATE)
3114 ++ lw X8, 32(STATE)
3115 ++ lw X9, 36(STATE)
3116 ++ lw X10, 40(STATE)
3117 ++ lw X11, 44(STATE)
3118 ++ lw X12, 48(STATE)
3119 ++ lw X13, 52(STATE)
3120 ++ lw X14, 56(STATE)
3121 ++ lw X15, 60(STATE)
3122 ++
3123 ++.Loop_hchacha_xor_rounds:
3124 ++ addiu $a2, -2
3125 ++ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 16);
3126 ++ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 12);
3127 ++ AXR( 0, 1, 2, 3, 4, 5, 6, 7, 12,13,14,15, 8);
3128 ++ AXR( 8, 9,10,11, 12,13,14,15, 4, 5, 6, 7, 7);
3129 ++ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 16);
3130 ++ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 12);
3131 ++ AXR( 0, 1, 2, 3, 5, 6, 7, 4, 15,12,13,14, 8);
3132 ++ AXR(10,11, 8, 9, 15,12,13,14, 5, 6, 7, 4, 7);
3133 ++ bnez $a2, .Loop_hchacha_xor_rounds
3134 ++
3135 ++ /* Restore used register */
3136 ++ lw X11, 0($sp)
3137 ++
3138 ++ sw X0, 0(OUT)
3139 ++ sw X1, 4(OUT)
3140 ++ sw X2, 8(OUT)
3141 ++ sw X3, 12(OUT)
3142 ++ sw X12, 16(OUT)
3143 ++ sw X13, 20(OUT)
3144 ++ sw X14, 24(OUT)
3145 ++ sw X15, 28(OUT)
3146 ++
3147 ++ addiu $sp, STACK_SIZE
3148 ++ jr $ra
3149 ++.end hchacha_block_arch
3150 ++.set at
3151 +--- a/arch/mips/Makefile
3152 ++++ b/arch/mips/Makefile
3153 +@@ -334,7 +334,7 @@ libs-$(CONFIG_MIPS_FP_SUPPORT) += arch/mips/math-emu/
3154 + # See arch/mips/Kbuild for content of core part of the kernel
3155 + core-y += arch/mips/
3156 +
3157 +-drivers-$(CONFIG_MIPS_CRC_SUPPORT) += arch/mips/crypto/
3158 ++drivers-y += arch/mips/crypto/
3159 + drivers-$(CONFIG_OPROFILE) += arch/mips/oprofile/
3160 +
3161 + # suspend and hibernation support
3162 +--- b/arch/mips/crypto/Makefile
3163 ++++ b/arch/mips/crypto/Makefile
3164 +@@ -6,0 +7,18 @@
3165 ++
3166 ++obj-$(CONFIG_CRYPTO_CHACHA_MIPS) += chacha-mips.o
3167 ++chacha-mips-y := chacha-core.o chacha-glue.o
3168 ++AFLAGS_chacha-core.o += -O2 # needed to fill branch delay slots
3169 ++
3170 ++obj-$(CONFIG_CRYPTO_POLY1305_MIPS) += poly1305-mips.o
3171 ++poly1305-mips-y := poly1305-core.o poly1305-glue.o
3172 ++
3173 ++perlasm-flavour-$(CONFIG_CPU_MIPS32) := o32
3174 ++perlasm-flavour-$(CONFIG_CPU_MIPS64) := 64
3175 ++
3176 ++quiet_cmd_perlasm = PERLASM $@
3177 ++ cmd_perlasm = $(PERL) $(<) $(perlasm-flavour-y) $(@)
3178 ++
3179 ++$(obj)/poly1305-core.S: $(src)/poly1305-mips.pl FORCE
3180 ++ $(call if_changed,perlasm)
3181 ++
3182 ++targets += poly1305-core.S
3183 +--- b/arch/mips/crypto/chacha-glue.c
3184 ++++ b/arch/mips/crypto/chacha-glue.c
3185 +@@ -0,0 +1,152 @@
3186 ++// SPDX-License-Identifier: GPL-2.0
3187 ++/*
3188 ++ * MIPS accelerated ChaCha and XChaCha stream ciphers,
3189 ++ * including ChaCha20 (RFC7539)
3190 ++ *
3191 ++ * Copyright (C) 2019 Linaro, Ltd. <ard.biesheuvel@××××××.org>
3192 ++ */
3193 ++
3194 ++#include <asm/byteorder.h>
3195 ++#include <crypto/algapi.h>
3196 ++#include <crypto/internal/chacha.h>
3197 ++#include <crypto/internal/skcipher.h>
3198 ++#include <linux/kernel.h>
3199 ++#include <linux/module.h>
3200 ++
3201 ++asmlinkage void chacha_crypt_arch(u32 *state, u8 *dst, const u8 *src,
3202 ++ unsigned int bytes, int nrounds);
3203 ++EXPORT_SYMBOL(chacha_crypt_arch);
3204 ++
3205 ++asmlinkage void hchacha_block_arch(const u32 *state, u32 *stream, int nrounds);
3206 ++EXPORT_SYMBOL(hchacha_block_arch);
3207 ++
3208 ++void chacha_init_arch(u32 *state, const u32 *key, const u8 *iv)
3209 ++{
3210 ++ chacha_init_generic(state, key, iv);
3211 ++}
3212 ++EXPORT_SYMBOL(chacha_init_arch);
3213 ++
3214 ++static int chacha_mips_stream_xor(struct skcipher_request *req,
3215 ++ const struct chacha_ctx *ctx, const u8 *iv)
3216 ++{
3217 ++ struct skcipher_walk walk;
3218 ++ u32 state[16];
3219 ++ int err;
3220 ++
3221 ++ err = skcipher_walk_virt(&walk, req, false);
3222 ++
3223 ++ chacha_init_generic(state, ctx->key, iv);
3224 ++
3225 ++ while (walk.nbytes > 0) {
3226 ++ unsigned int nbytes = walk.nbytes;
3227 ++
3228 ++ if (nbytes < walk.total)
3229 ++ nbytes = round_down(nbytes, walk.stride);
3230 ++
3231 ++ chacha_crypt(state, walk.dst.virt.addr, walk.src.virt.addr,
3232 ++ nbytes, ctx->nrounds);
3233 ++ err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
3234 ++ }
3235 ++
3236 ++ return err;
3237 ++}
3238 ++
3239 ++static int chacha_mips(struct skcipher_request *req)
3240 ++{
3241 ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3242 ++ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
3243 ++
3244 ++ return chacha_mips_stream_xor(req, ctx, req->iv);
3245 ++}
3246 ++
3247 ++static int xchacha_mips(struct skcipher_request *req)
3248 ++{
3249 ++ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
3250 ++ struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
3251 ++ struct chacha_ctx subctx;
3252 ++ u32 state[16];
3253 ++ u8 real_iv[16];
3254 ++
3255 ++ chacha_init_generic(state, ctx->key, req->iv);
3256 ++
3257 ++ hchacha_block(state, subctx.key, ctx->nrounds);
3258 ++ subctx.nrounds = ctx->nrounds;
3259 ++
3260 ++ memcpy(&real_iv[0], req->iv + 24, 8);
3261 ++ memcpy(&real_iv[8], req->iv + 16, 8);
3262 ++ return chacha_mips_stream_xor(req, &subctx, real_iv);
3263 ++}
3264 ++
3265 ++static struct skcipher_alg algs[] = {
3266 ++ {
3267 ++ .base.cra_name = "chacha20",
3268 ++ .base.cra_driver_name = "chacha20-mips",
3269 ++ .base.cra_priority = 200,
3270 ++ .base.cra_blocksize = 1,
3271 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
3272 ++ .base.cra_module = THIS_MODULE,
3273 ++
3274 ++ .min_keysize = CHACHA_KEY_SIZE,
3275 ++ .max_keysize = CHACHA_KEY_SIZE,
3276 ++ .ivsize = CHACHA_IV_SIZE,
3277 ++ .chunksize = CHACHA_BLOCK_SIZE,
3278 ++ .setkey = chacha20_setkey,
3279 ++ .encrypt = chacha_mips,
3280 ++ .decrypt = chacha_mips,
3281 ++ }, {
3282 ++ .base.cra_name = "xchacha20",
3283 ++ .base.cra_driver_name = "xchacha20-mips",
3284 ++ .base.cra_priority = 200,
3285 ++ .base.cra_blocksize = 1,
3286 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
3287 ++ .base.cra_module = THIS_MODULE,
3288 ++
3289 ++ .min_keysize = CHACHA_KEY_SIZE,
3290 ++ .max_keysize = CHACHA_KEY_SIZE,
3291 ++ .ivsize = XCHACHA_IV_SIZE,
3292 ++ .chunksize = CHACHA_BLOCK_SIZE,
3293 ++ .setkey = chacha20_setkey,
3294 ++ .encrypt = xchacha_mips,
3295 ++ .decrypt = xchacha_mips,
3296 ++ }, {
3297 ++ .base.cra_name = "xchacha12",
3298 ++ .base.cra_driver_name = "xchacha12-mips",
3299 ++ .base.cra_priority = 200,
3300 ++ .base.cra_blocksize = 1,
3301 ++ .base.cra_ctxsize = sizeof(struct chacha_ctx),
3302 ++ .base.cra_module = THIS_MODULE,
3303 ++
3304 ++ .min_keysize = CHACHA_KEY_SIZE,
3305 ++ .max_keysize = CHACHA_KEY_SIZE,
3306 ++ .ivsize = XCHACHA_IV_SIZE,
3307 ++ .chunksize = CHACHA_BLOCK_SIZE,
3308 ++ .setkey = chacha12_setkey,
3309 ++ .encrypt = xchacha_mips,
3310 ++ .decrypt = xchacha_mips,
3311 ++ }
3312 ++};
3313 ++
3314 ++static int __init chacha_simd_mod_init(void)
3315 ++{
3316 ++ return IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER) ?
3317 ++ crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;
3318 ++}
3319 ++
3320 ++static void __exit chacha_simd_mod_fini(void)
3321 ++{
3322 ++ if (IS_REACHABLE(CONFIG_CRYPTO_BLKCIPHER))
3323 ++ crypto_unregister_skciphers(algs, ARRAY_SIZE(algs));
3324 ++}
3325 ++
3326 ++module_init(chacha_simd_mod_init);
3327 ++module_exit(chacha_simd_mod_fini);
3328 ++
3329 ++MODULE_DESCRIPTION("ChaCha and XChaCha stream ciphers (MIPS accelerated)");
3330 ++MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@××××××.org>");
3331 ++MODULE_LICENSE("GPL v2");
3332 ++MODULE_ALIAS_CRYPTO("chacha20");
3333 ++MODULE_ALIAS_CRYPTO("chacha20-mips");
3334 ++MODULE_ALIAS_CRYPTO("xchacha20");
3335 ++MODULE_ALIAS_CRYPTO("xchacha20-mips");
3336 ++MODULE_ALIAS_CRYPTO("xchacha12");
3337 ++MODULE_ALIAS_CRYPTO("xchacha12-mips");
3338 +--- b/arch/x86/crypto/poly1305_glue.c
3339 ++++ b/arch/x86/crypto/poly1305_glue.c
3340 +@@ -1,131 +1,173 @@
3341 +-// SPDX-License-Identifier: GPL-2.0-or-later
3342 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
3343 + /*
3344 +- * Poly1305 authenticator algorithm, RFC7539, SIMD glue code
3345 +- *
3346 +- * Copyright (C) 2015 Martin Willi
3347 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
3348 + */
3349 +
3350 + #include <crypto/algapi.h>
3351 + #include <crypto/internal/hash.h>
3352 ++#include <crypto/internal/poly1305.h>
3353 + #include <crypto/internal/simd.h>
3354 +-#include <crypto/poly1305.h>
3355 + #include <linux/crypto.h>
3356 ++#include <linux/jump_label.h>
3357 + #include <linux/kernel.h>
3358 + #include <linux/module.h>
3359 ++#include <asm/intel-family.h>
3360 + #include <asm/simd.h>
3361 +
3362 +-struct poly1305_simd_desc_ctx {
3363 +- struct poly1305_desc_ctx base;
3364 +- /* derived key u set? */
3365 +- bool uset;
3366 +-#ifdef CONFIG_AS_AVX2
3367 +- /* derived keys r^3, r^4 set? */
3368 +- bool wset;
3369 +-#endif
3370 +- /* derived Poly1305 key r^2 */
3371 +- u32 u[5];
3372 +- /* ... silently appended r^3 and r^4 when using AVX2 */
3373 ++asmlinkage void poly1305_init_x86_64(void *ctx,
3374 ++ const u8 key[POLY1305_KEY_SIZE]);
3375 ++asmlinkage void poly1305_blocks_x86_64(void *ctx, const u8 *inp,
3376 ++ const size_t len, const u32 padbit);
3377 ++asmlinkage void poly1305_emit_x86_64(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
3378 ++ const u32 nonce[4]);
3379 ++asmlinkage void poly1305_emit_avx(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
3380 ++ const u32 nonce[4]);
3381 ++asmlinkage void poly1305_blocks_avx(void *ctx, const u8 *inp, const size_t len,
3382 ++ const u32 padbit);
3383 ++asmlinkage void poly1305_blocks_avx2(void *ctx, const u8 *inp, const size_t len,
3384 ++ const u32 padbit);
3385 ++asmlinkage void poly1305_blocks_avx512(void *ctx, const u8 *inp,
3386 ++ const size_t len, const u32 padbit);
3387 ++
3388 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx);
3389 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2);
3390 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512);
3391 ++
3392 ++struct poly1305_arch_internal {
3393 ++ union {
3394 ++ struct {
3395 ++ u32 h[5];
3396 ++ u32 is_base2_26;
3397 ++ };
3398 ++ u64 hs[3];
3399 ++ };
3400 ++ u64 r[2];
3401 ++ u64 pad;
3402 ++ struct { u32 r2, r1, r4, r3; } rn[9];
3403 + };
3404 +
3405 +-asmlinkage void poly1305_block_sse2(u32 *h, const u8 *src,
3406 +- const u32 *r, unsigned int blocks);
3407 +-asmlinkage void poly1305_2block_sse2(u32 *h, const u8 *src, const u32 *r,
3408 +- unsigned int blocks, const u32 *u);
3409 +-#ifdef CONFIG_AS_AVX2
3410 +-asmlinkage void poly1305_4block_avx2(u32 *h, const u8 *src, const u32 *r,
3411 +- unsigned int blocks, const u32 *u);
3412 +-static bool poly1305_use_avx2;
3413 +-#endif
3414 +-
3415 +-static int poly1305_simd_init(struct shash_desc *desc)
3416 ++/* The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit
3417 ++ * the unfortunate situation of using AVX and then having to go back to scalar
3418 ++ * -- because the user is silly and has called the update function from two
3419 ++ * separate contexts -- then we need to convert back to the original base before
3420 ++ * proceeding. It is possible to reason that the initial reduction below is
3421 ++ * sufficient given the implementation invariants. However, for an avoidance of
3422 ++ * doubt and because this is not performance critical, we do the full reduction
3423 ++ * anyway. Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py
3424 ++ */
3425 ++static void convert_to_base2_64(void *ctx)
3426 + {
3427 +- struct poly1305_simd_desc_ctx *sctx = shash_desc_ctx(desc);
3428 ++ struct poly1305_arch_internal *state = ctx;
3429 ++ u32 cy;
3430 ++
3431 ++ if (!state->is_base2_26)
3432 ++ return;
3433 +
3434 +- sctx->uset = false;
3435 +-#ifdef CONFIG_AS_AVX2
3436 +- sctx->wset = false;
3437 +-#endif
3438 ++ cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy;
3439 ++ cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy;
3440 ++ cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy;
3441 ++ cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy;
3442 ++ state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0];
3443 ++ state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12);
3444 ++ state->hs[2] = state->h[4] >> 24;
3445 ++#define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
3446 ++ cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL);
3447 ++ state->hs[2] &= 3;
3448 ++ state->hs[0] += cy;
3449 ++ state->hs[1] += (cy = ULT(state->hs[0], cy));
3450 ++ state->hs[2] += ULT(state->hs[1], cy);
3451 ++#undef ULT
3452 ++ state->is_base2_26 = 0;
3453 ++}
3454 +
3455 +- return crypto_poly1305_init(desc);
3456 ++static void poly1305_simd_init(void *ctx, const u8 key[POLY1305_KEY_SIZE])
3457 ++{
3458 ++ poly1305_init_x86_64(ctx, key);
3459 + }
3460 +
3461 +-static void poly1305_simd_mult(u32 *a, const u32 *b)
3462 ++static void poly1305_simd_blocks(void *ctx, const u8 *inp, size_t len,
3463 ++ const u32 padbit)
3464 + {
3465 +- u8 m[POLY1305_BLOCK_SIZE];
3466 ++ struct poly1305_arch_internal *state = ctx;
3467 +
3468 +- memset(m, 0, sizeof(m));
3469 +- /* The poly1305 block function adds a hi-bit to the accumulator which
3470 +- * we don't need for key multiplication; compensate for it. */
3471 +- a[4] -= 1 << 24;
3472 +- poly1305_block_sse2(a, m, b, 1);
3473 ++ /* SIMD disables preemption, so relax after processing each page. */
3474 ++ BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE ||
3475 ++ SZ_4K % POLY1305_BLOCK_SIZE);
3476 ++
3477 ++ if (!IS_ENABLED(CONFIG_AS_AVX) || !static_branch_likely(&poly1305_use_avx) ||
3478 ++ (len < (POLY1305_BLOCK_SIZE * 18) && !state->is_base2_26) ||
3479 ++ !crypto_simd_usable()) {
3480 ++ convert_to_base2_64(ctx);
3481 ++ poly1305_blocks_x86_64(ctx, inp, len, padbit);
3482 ++ return;
3483 ++ }
3484 ++
3485 ++ do {
3486 ++ const size_t bytes = min_t(size_t, len, SZ_4K);
3487 ++
3488 ++ kernel_fpu_begin();
3489 ++ if (IS_ENABLED(CONFIG_AS_AVX512) && static_branch_likely(&poly1305_use_avx512))
3490 ++ poly1305_blocks_avx512(ctx, inp, bytes, padbit);
3491 ++ else if (IS_ENABLED(CONFIG_AS_AVX2) && static_branch_likely(&poly1305_use_avx2))
3492 ++ poly1305_blocks_avx2(ctx, inp, bytes, padbit);
3493 ++ else
3494 ++ poly1305_blocks_avx(ctx, inp, bytes, padbit);
3495 ++ kernel_fpu_end();
3496 ++
3497 ++ len -= bytes;
3498 ++ inp += bytes;
3499 ++ } while (len);
3500 + }
3501 +
3502 +-static unsigned int poly1305_simd_blocks(struct poly1305_desc_ctx *dctx,
3503 +- const u8 *src, unsigned int srclen)
3504 ++static void poly1305_simd_emit(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
3505 ++ const u32 nonce[4])
3506 + {
3507 +- struct poly1305_simd_desc_ctx *sctx;
3508 +- unsigned int blocks, datalen;
3509 ++ if (!IS_ENABLED(CONFIG_AS_AVX) || !static_branch_likely(&poly1305_use_avx))
3510 ++ poly1305_emit_x86_64(ctx, mac, nonce);
3511 ++ else
3512 ++ poly1305_emit_avx(ctx, mac, nonce);
3513 ++}
3514 +
3515 +- BUILD_BUG_ON(offsetof(struct poly1305_simd_desc_ctx, base));
3516 +- sctx = container_of(dctx, struct poly1305_simd_desc_ctx, base);
3517 ++void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
3518 ++{
3519 ++ poly1305_simd_init(&dctx->h, key);
3520 ++ dctx->s[0] = get_unaligned_le32(&key[16]);
3521 ++ dctx->s[1] = get_unaligned_le32(&key[20]);
3522 ++ dctx->s[2] = get_unaligned_le32(&key[24]);
3523 ++ dctx->s[3] = get_unaligned_le32(&key[28]);
3524 ++ dctx->buflen = 0;
3525 ++ dctx->sset = true;
3526 ++}
3527 ++EXPORT_SYMBOL(poly1305_init_arch);
3528 +
3529 ++static unsigned int crypto_poly1305_setdctxkey(struct poly1305_desc_ctx *dctx,
3530 ++ const u8 *inp, unsigned int len)
3531 ++{
3532 ++ unsigned int acc = 0;
3533 + if (unlikely(!dctx->sset)) {
3534 +- datalen = crypto_poly1305_setdesckey(dctx, src, srclen);
3535 +- src += srclen - datalen;
3536 +- srclen = datalen;
3537 +- }
3538 +-
3539 +-#ifdef CONFIG_AS_AVX2
3540 +- if (poly1305_use_avx2 && srclen >= POLY1305_BLOCK_SIZE * 4) {
3541 +- if (unlikely(!sctx->wset)) {
3542 +- if (!sctx->uset) {
3543 +- memcpy(sctx->u, dctx->r.r, sizeof(sctx->u));
3544 +- poly1305_simd_mult(sctx->u, dctx->r.r);
3545 +- sctx->uset = true;
3546 +- }
3547 +- memcpy(sctx->u + 5, sctx->u, sizeof(sctx->u));
3548 +- poly1305_simd_mult(sctx->u + 5, dctx->r.r);
3549 +- memcpy(sctx->u + 10, sctx->u + 5, sizeof(sctx->u));
3550 +- poly1305_simd_mult(sctx->u + 10, dctx->r.r);
3551 +- sctx->wset = true;
3552 ++ if (!dctx->rset && len >= POLY1305_BLOCK_SIZE) {
3553 ++ poly1305_simd_init(&dctx->h, inp);
3554 ++ inp += POLY1305_BLOCK_SIZE;
3555 ++ len -= POLY1305_BLOCK_SIZE;
3556 ++ acc += POLY1305_BLOCK_SIZE;
3557 ++ dctx->rset = 1;
3558 + }
3559 +- blocks = srclen / (POLY1305_BLOCK_SIZE * 4);
3560 +- poly1305_4block_avx2(dctx->h.h, src, dctx->r.r, blocks,
3561 +- sctx->u);
3562 +- src += POLY1305_BLOCK_SIZE * 4 * blocks;
3563 +- srclen -= POLY1305_BLOCK_SIZE * 4 * blocks;
3564 +- }
3565 +-#endif
3566 +- if (likely(srclen >= POLY1305_BLOCK_SIZE * 2)) {
3567 +- if (unlikely(!sctx->uset)) {
3568 +- memcpy(sctx->u, dctx->r.r, sizeof(sctx->u));
3569 +- poly1305_simd_mult(sctx->u, dctx->r.r);
3570 +- sctx->uset = true;
3571 ++ if (len >= POLY1305_BLOCK_SIZE) {
3572 ++ dctx->s[0] = get_unaligned_le32(&inp[0]);
3573 ++ dctx->s[1] = get_unaligned_le32(&inp[4]);
3574 ++ dctx->s[2] = get_unaligned_le32(&inp[8]);
3575 ++ dctx->s[3] = get_unaligned_le32(&inp[12]);
3576 ++ acc += POLY1305_BLOCK_SIZE;
3577 ++ dctx->sset = true;
3578 + }
3579 +- blocks = srclen / (POLY1305_BLOCK_SIZE * 2);
3580 +- poly1305_2block_sse2(dctx->h.h, src, dctx->r.r, blocks,
3581 +- sctx->u);
3582 +- src += POLY1305_BLOCK_SIZE * 2 * blocks;
3583 +- srclen -= POLY1305_BLOCK_SIZE * 2 * blocks;
3584 +- }
3585 +- if (srclen >= POLY1305_BLOCK_SIZE) {
3586 +- poly1305_block_sse2(dctx->h.h, src, dctx->r.r, 1);
3587 +- srclen -= POLY1305_BLOCK_SIZE;
3588 + }
3589 +- return srclen;
3590 ++ return acc;
3591 + }
3592 +
3593 +-static int poly1305_simd_update(struct shash_desc *desc,
3594 +- const u8 *src, unsigned int srclen)
3595 ++void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
3596 ++ unsigned int srclen)
3597 + {
3598 +- struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3599 +- unsigned int bytes;
3600 +-
3601 +- /* kernel_fpu_begin/end is costly, use fallback for small updates */
3602 +- if (srclen <= 288 || !crypto_simd_usable())
3603 +- return crypto_poly1305_update(desc, src, srclen);
3604 +-
3605 +- kernel_fpu_begin();
3606 ++ unsigned int bytes, used;
3607 +
3608 + if (unlikely(dctx->buflen)) {
3609 + bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
3610 +@@ -135,34 +177,76 @@
3611 + dctx->buflen += bytes;
3612 +
3613 + if (dctx->buflen == POLY1305_BLOCK_SIZE) {
3614 +- poly1305_simd_blocks(dctx, dctx->buf,
3615 +- POLY1305_BLOCK_SIZE);
3616 ++ if (likely(!crypto_poly1305_setdctxkey(dctx, dctx->buf, POLY1305_BLOCK_SIZE)))
3617 ++ poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
3618 + dctx->buflen = 0;
3619 + }
3620 + }
3621 +
3622 + if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
3623 +- bytes = poly1305_simd_blocks(dctx, src, srclen);
3624 +- src += srclen - bytes;
3625 +- srclen = bytes;
3626 ++ bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
3627 ++ srclen -= bytes;
3628 ++ used = crypto_poly1305_setdctxkey(dctx, src, bytes);
3629 ++ if (likely(bytes - used))
3630 ++ poly1305_simd_blocks(&dctx->h, src + used, bytes - used, 1);
3631 ++ src += bytes;
3632 + }
3633 +
3634 +- kernel_fpu_end();
3635 +-
3636 + if (unlikely(srclen)) {
3637 + dctx->buflen = srclen;
3638 + memcpy(dctx->buf, src, srclen);
3639 + }
3640 ++}
3641 ++EXPORT_SYMBOL(poly1305_update_arch);
3642 +
3643 ++void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
3644 ++{
3645 ++ if (unlikely(dctx->buflen)) {
3646 ++ dctx->buf[dctx->buflen++] = 1;
3647 ++ memset(dctx->buf + dctx->buflen, 0,
3648 ++ POLY1305_BLOCK_SIZE - dctx->buflen);
3649 ++ poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
3650 ++ }
3651 ++
3652 ++ poly1305_simd_emit(&dctx->h, dst, dctx->s);
3653 ++ *dctx = (struct poly1305_desc_ctx){};
3654 ++}
3655 ++EXPORT_SYMBOL(poly1305_final_arch);
3656 ++
3657 ++static int crypto_poly1305_init(struct shash_desc *desc)
3658 ++{
3659 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3660 ++
3661 ++ *dctx = (struct poly1305_desc_ctx){};
3662 ++ return 0;
3663 ++}
3664 ++
3665 ++static int crypto_poly1305_update(struct shash_desc *desc,
3666 ++ const u8 *src, unsigned int srclen)
3667 ++{
3668 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3669 ++
3670 ++ poly1305_update_arch(dctx, src, srclen);
3671 ++ return 0;
3672 ++}
3673 ++
3674 ++static int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
3675 ++{
3676 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3677 ++
3678 ++ if (unlikely(!dctx->sset))
3679 ++ return -ENOKEY;
3680 ++
3681 ++ poly1305_final_arch(dctx, dst);
3682 + return 0;
3683 + }
3684 +
3685 + static struct shash_alg alg = {
3686 + .digestsize = POLY1305_DIGEST_SIZE,
3687 +- .init = poly1305_simd_init,
3688 +- .update = poly1305_simd_update,
3689 ++ .init = crypto_poly1305_init,
3690 ++ .update = crypto_poly1305_update,
3691 + .final = crypto_poly1305_final,
3692 +- .descsize = sizeof(struct poly1305_simd_desc_ctx),
3693 ++ .descsize = sizeof(struct poly1305_desc_ctx),
3694 + .base = {
3695 + .cra_name = "poly1305",
3696 + .cra_driver_name = "poly1305-simd",
3697 +@@ -174,30 +258,33 @@
3698 +
3699 + static int __init poly1305_simd_mod_init(void)
3700 + {
3701 +- if (!boot_cpu_has(X86_FEATURE_XMM2))
3702 +- return -ENODEV;
3703 +-
3704 +-#ifdef CONFIG_AS_AVX2
3705 +- poly1305_use_avx2 = boot_cpu_has(X86_FEATURE_AVX) &&
3706 +- boot_cpu_has(X86_FEATURE_AVX2) &&
3707 +- cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL);
3708 +- alg.descsize = sizeof(struct poly1305_simd_desc_ctx);
3709 +- if (poly1305_use_avx2)
3710 +- alg.descsize += 10 * sizeof(u32);
3711 +-#endif
3712 +- return crypto_register_shash(&alg);
3713 ++ if (IS_ENABLED(CONFIG_AS_AVX) && boot_cpu_has(X86_FEATURE_AVX) &&
3714 ++ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
3715 ++ static_branch_enable(&poly1305_use_avx);
3716 ++ if (IS_ENABLED(CONFIG_AS_AVX2) && boot_cpu_has(X86_FEATURE_AVX) &&
3717 ++ boot_cpu_has(X86_FEATURE_AVX2) &&
3718 ++ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
3719 ++ static_branch_enable(&poly1305_use_avx2);
3720 ++ if (IS_ENABLED(CONFIG_AS_AVX512) && boot_cpu_has(X86_FEATURE_AVX) &&
3721 ++ boot_cpu_has(X86_FEATURE_AVX2) && boot_cpu_has(X86_FEATURE_AVX512F) &&
3722 ++ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM | XFEATURE_MASK_AVX512, NULL) &&
3723 ++ /* Skylake downclocks unacceptably much when using zmm, but later generations are fast. */
3724 ++ boot_cpu_data.x86_model != INTEL_FAM6_SKYLAKE_X)
3725 ++ static_branch_enable(&poly1305_use_avx512);
3726 ++ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ? crypto_register_shash(&alg) : 0;
3727 + }
3728 +
3729 + static void __exit poly1305_simd_mod_exit(void)
3730 + {
3731 +- crypto_unregister_shash(&alg);
3732 ++ if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
3733 ++ crypto_unregister_shash(&alg);
3734 + }
3735 +
3736 + module_init(poly1305_simd_mod_init);
3737 + module_exit(poly1305_simd_mod_exit);
3738 +
3739 + MODULE_LICENSE("GPL");
3740 +-MODULE_AUTHOR("Martin Willi <martin@××××××××××.org>");
3741 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
3742 + MODULE_DESCRIPTION("Poly1305 authenticator");
3743 + MODULE_ALIAS_CRYPTO("poly1305");
3744 + MODULE_ALIAS_CRYPTO("poly1305-simd");
3745 +--- b/crypto/adiantum.c
3746 ++++ b/crypto/adiantum.c
3747 +@@ -33,6 +33,7 @@
3748 + #include <crypto/b128ops.h>
3749 + #include <crypto/chacha.h>
3750 + #include <crypto/internal/hash.h>
3751 ++#include <crypto/internal/poly1305.h>
3752 + #include <crypto/internal/skcipher.h>
3753 + #include <crypto/nhpoly1305.h>
3754 + #include <crypto/scatterwalk.h>
3755 +@@ -71,7 +72,7 @@
3756 + struct crypto_skcipher *streamcipher;
3757 + struct crypto_cipher *blockcipher;
3758 + struct crypto_shash *hash;
3759 +- struct poly1305_key header_hash_key;
3760 ++ struct poly1305_core_key header_hash_key;
3761 + };
3762 +
3763 + struct adiantum_request_ctx {
3764 +@@ -242,13 +243,13 @@
3765 +
3766 + BUILD_BUG_ON(sizeof(header) % POLY1305_BLOCK_SIZE != 0);
3767 + poly1305_core_blocks(&state, &tctx->header_hash_key,
3768 +- &header, sizeof(header) / POLY1305_BLOCK_SIZE);
3769 ++ &header, sizeof(header) / POLY1305_BLOCK_SIZE, 1);
3770 +
3771 + BUILD_BUG_ON(TWEAK_SIZE % POLY1305_BLOCK_SIZE != 0);
3772 + poly1305_core_blocks(&state, &tctx->header_hash_key, req->iv,
3773 +- TWEAK_SIZE / POLY1305_BLOCK_SIZE);
3774 ++ TWEAK_SIZE / POLY1305_BLOCK_SIZE, 1);
3775 +
3776 +- poly1305_core_emit(&state, &rctx->header_hash);
3777 ++ poly1305_core_emit(&state, NULL, &rctx->header_hash);
3778 + }
3779 +
3780 + /* Hash the left-hand part (the "bulk") of the message using NHPoly1305 */
3781 +--- b/crypto/nhpoly1305.c
3782 ++++ b/crypto/nhpoly1305.c
3783 +@@ -33,6 +33,7 @@
3784 + #include <asm/unaligned.h>
3785 + #include <crypto/algapi.h>
3786 + #include <crypto/internal/hash.h>
3787 ++#include <crypto/internal/poly1305.h>
3788 + #include <crypto/nhpoly1305.h>
3789 + #include <linux/crypto.h>
3790 + #include <linux/kernel.h>
3791 +@@ -78,7 +79,7 @@
3792 + BUILD_BUG_ON(NH_HASH_BYTES % POLY1305_BLOCK_SIZE != 0);
3793 +
3794 + poly1305_core_blocks(&state->poly_state, &key->poly_key, state->nh_hash,
3795 +- NH_HASH_BYTES / POLY1305_BLOCK_SIZE);
3796 ++ NH_HASH_BYTES / POLY1305_BLOCK_SIZE, 1);
3797 + }
3798 +
3799 + /*
3800 +@@ -209,7 +210,7 @@
3801 + if (state->nh_remaining)
3802 + process_nh_hash_value(state, key);
3803 +
3804 +- poly1305_core_emit(&state->poly_state, dst);
3805 ++ poly1305_core_emit(&state->poly_state, NULL, dst);
3806 + return 0;
3807 + }
3808 + EXPORT_SYMBOL(crypto_nhpoly1305_final_helper);
3809 +--- b/crypto/poly1305_generic.c
3810 ++++ b/crypto/poly1305_generic.c
3811 +@@ -13,65 +13,33 @@
3812 +
3813 + #include <crypto/algapi.h>
3814 + #include <crypto/internal/hash.h>
3815 +-#include <crypto/poly1305.h>
3816 ++#include <crypto/internal/poly1305.h>
3817 + #include <linux/crypto.h>
3818 + #include <linux/kernel.h>
3819 + #include <linux/module.h>
3820 + #include <asm/unaligned.h>
3821 +
3822 +-static inline u64 mlt(u64 a, u64 b)
3823 +-{
3824 +- return a * b;
3825 +-}
3826 +-
3827 +-static inline u32 sr(u64 v, u_char n)
3828 +-{
3829 +- return v >> n;
3830 +-}
3831 +-
3832 +-static inline u32 and(u32 v, u32 mask)
3833 +-{
3834 +- return v & mask;
3835 +-}
3836 +-
3837 +-int crypto_poly1305_init(struct shash_desc *desc)
3838 ++static int crypto_poly1305_init(struct shash_desc *desc)
3839 + {
3840 + struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3841 +
3842 + poly1305_core_init(&dctx->h);
3843 + dctx->buflen = 0;
3844 +- dctx->rset = false;
3845 ++ dctx->rset = 0;
3846 + dctx->sset = false;
3847 +
3848 + return 0;
3849 + }
3850 +-EXPORT_SYMBOL_GPL(crypto_poly1305_init);
3851 +-
3852 +-void poly1305_core_setkey(struct poly1305_key *key, const u8 *raw_key)
3853 +-{
3854 +- /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
3855 +- key->r[0] = (get_unaligned_le32(raw_key + 0) >> 0) & 0x3ffffff;
3856 +- key->r[1] = (get_unaligned_le32(raw_key + 3) >> 2) & 0x3ffff03;
3857 +- key->r[2] = (get_unaligned_le32(raw_key + 6) >> 4) & 0x3ffc0ff;
3858 +- key->r[3] = (get_unaligned_le32(raw_key + 9) >> 6) & 0x3f03fff;
3859 +- key->r[4] = (get_unaligned_le32(raw_key + 12) >> 8) & 0x00fffff;
3860 +-}
3861 +-EXPORT_SYMBOL_GPL(poly1305_core_setkey);
3862 +
3863 +-/*
3864 +- * Poly1305 requires a unique key for each tag, which implies that we can't set
3865 +- * it on the tfm that gets accessed by multiple users simultaneously. Instead we
3866 +- * expect the key as the first 32 bytes in the update() call.
3867 +- */
3868 +-unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
3869 +- const u8 *src, unsigned int srclen)
3870 ++static unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
3871 ++ const u8 *src, unsigned int srclen)
3872 + {
3873 + if (!dctx->sset) {
3874 + if (!dctx->rset && srclen >= POLY1305_BLOCK_SIZE) {
3875 +- poly1305_core_setkey(&dctx->r, src);
3876 ++ poly1305_core_setkey(&dctx->core_r, src);
3877 + src += POLY1305_BLOCK_SIZE;
3878 + srclen -= POLY1305_BLOCK_SIZE;
3879 +- dctx->rset = true;
3880 ++ dctx->rset = 2;
3881 + }
3882 + if (srclen >= POLY1305_BLOCK_SIZE) {
3883 + dctx->s[0] = get_unaligned_le32(src + 0);
3884 +@@ -85,86 +53,9 @@
3885 + }
3886 + return srclen;
3887 + }
3888 +-EXPORT_SYMBOL_GPL(crypto_poly1305_setdesckey);
3889 +
3890 +-static void poly1305_blocks_internal(struct poly1305_state *state,
3891 +- const struct poly1305_key *key,
3892 +- const void *src, unsigned int nblocks,
3893 +- u32 hibit)
3894 +-{
3895 +- u32 r0, r1, r2, r3, r4;
3896 +- u32 s1, s2, s3, s4;
3897 +- u32 h0, h1, h2, h3, h4;
3898 +- u64 d0, d1, d2, d3, d4;
3899 +-
3900 +- if (!nblocks)
3901 +- return;
3902 +-
3903 +- r0 = key->r[0];
3904 +- r1 = key->r[1];
3905 +- r2 = key->r[2];
3906 +- r3 = key->r[3];
3907 +- r4 = key->r[4];
3908 +-
3909 +- s1 = r1 * 5;
3910 +- s2 = r2 * 5;
3911 +- s3 = r3 * 5;
3912 +- s4 = r4 * 5;
3913 +-
3914 +- h0 = state->h[0];
3915 +- h1 = state->h[1];
3916 +- h2 = state->h[2];
3917 +- h3 = state->h[3];
3918 +- h4 = state->h[4];
3919 +-
3920 +- do {
3921 +- /* h += m[i] */
3922 +- h0 += (get_unaligned_le32(src + 0) >> 0) & 0x3ffffff;
3923 +- h1 += (get_unaligned_le32(src + 3) >> 2) & 0x3ffffff;
3924 +- h2 += (get_unaligned_le32(src + 6) >> 4) & 0x3ffffff;
3925 +- h3 += (get_unaligned_le32(src + 9) >> 6) & 0x3ffffff;
3926 +- h4 += (get_unaligned_le32(src + 12) >> 8) | hibit;
3927 +-
3928 +- /* h *= r */
3929 +- d0 = mlt(h0, r0) + mlt(h1, s4) + mlt(h2, s3) +
3930 +- mlt(h3, s2) + mlt(h4, s1);
3931 +- d1 = mlt(h0, r1) + mlt(h1, r0) + mlt(h2, s4) +
3932 +- mlt(h3, s3) + mlt(h4, s2);
3933 +- d2 = mlt(h0, r2) + mlt(h1, r1) + mlt(h2, r0) +
3934 +- mlt(h3, s4) + mlt(h4, s3);
3935 +- d3 = mlt(h0, r3) + mlt(h1, r2) + mlt(h2, r1) +
3936 +- mlt(h3, r0) + mlt(h4, s4);
3937 +- d4 = mlt(h0, r4) + mlt(h1, r3) + mlt(h2, r2) +
3938 +- mlt(h3, r1) + mlt(h4, r0);
3939 +-
3940 +- /* (partial) h %= p */
3941 +- d1 += sr(d0, 26); h0 = and(d0, 0x3ffffff);
3942 +- d2 += sr(d1, 26); h1 = and(d1, 0x3ffffff);
3943 +- d3 += sr(d2, 26); h2 = and(d2, 0x3ffffff);
3944 +- d4 += sr(d3, 26); h3 = and(d3, 0x3ffffff);
3945 +- h0 += sr(d4, 26) * 5; h4 = and(d4, 0x3ffffff);
3946 +- h1 += h0 >> 26; h0 = h0 & 0x3ffffff;
3947 +-
3948 +- src += POLY1305_BLOCK_SIZE;
3949 +- } while (--nblocks);
3950 +-
3951 +- state->h[0] = h0;
3952 +- state->h[1] = h1;
3953 +- state->h[2] = h2;
3954 +- state->h[3] = h3;
3955 +- state->h[4] = h4;
3956 +-}
3957 +-
3958 +-void poly1305_core_blocks(struct poly1305_state *state,
3959 +- const struct poly1305_key *key,
3960 +- const void *src, unsigned int nblocks)
3961 +-{
3962 +- poly1305_blocks_internal(state, key, src, nblocks, 1 << 24);
3963 +-}
3964 +-EXPORT_SYMBOL_GPL(poly1305_core_blocks);
3965 +-
3966 +-static void poly1305_blocks(struct poly1305_desc_ctx *dctx,
3967 +- const u8 *src, unsigned int srclen, u32 hibit)
3968 ++static void poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
3969 ++ unsigned int srclen)
3970 + {
3971 + unsigned int datalen;
3972 +
3973 +@@ -174,12 +65,12 @@
3974 + srclen = datalen;
3975 + }
3976 +
3977 +- poly1305_blocks_internal(&dctx->h, &dctx->r,
3978 +- src, srclen / POLY1305_BLOCK_SIZE, hibit);
3979 ++ poly1305_core_blocks(&dctx->h, &dctx->core_r, src,
3980 ++ srclen / POLY1305_BLOCK_SIZE, 1);
3981 + }
3982 +
3983 +-int crypto_poly1305_update(struct shash_desc *desc,
3984 +- const u8 *src, unsigned int srclen)
3985 ++static int crypto_poly1305_update(struct shash_desc *desc,
3986 ++ const u8 *src, unsigned int srclen)
3987 + {
3988 + struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
3989 + unsigned int bytes;
3990 +@@ -193,13 +84,13 @@
3991 +
3992 + if (dctx->buflen == POLY1305_BLOCK_SIZE) {
3993 + poly1305_blocks(dctx, dctx->buf,
3994 +- POLY1305_BLOCK_SIZE, 1 << 24);
3995 ++ POLY1305_BLOCK_SIZE);
3996 + dctx->buflen = 0;
3997 + }
3998 + }
3999 +
4000 + if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
4001 +- poly1305_blocks(dctx, src, srclen, 1 << 24);
4002 ++ poly1305_blocks(dctx, src, srclen);
4003 + src += srclen - (srclen % POLY1305_BLOCK_SIZE);
4004 + srclen %= POLY1305_BLOCK_SIZE;
4005 + }
4006 +@@ -211,87 +102,17 @@
4007 +
4008 + return 0;
4009 + }
4010 +-EXPORT_SYMBOL_GPL(crypto_poly1305_update);
4011 +-
4012 +-void poly1305_core_emit(const struct poly1305_state *state, void *dst)
4013 +-{
4014 +- u32 h0, h1, h2, h3, h4;
4015 +- u32 g0, g1, g2, g3, g4;
4016 +- u32 mask;
4017 +-
4018 +- /* fully carry h */
4019 +- h0 = state->h[0];
4020 +- h1 = state->h[1];
4021 +- h2 = state->h[2];
4022 +- h3 = state->h[3];
4023 +- h4 = state->h[4];
4024 +-
4025 +- h2 += (h1 >> 26); h1 = h1 & 0x3ffffff;
4026 +- h3 += (h2 >> 26); h2 = h2 & 0x3ffffff;
4027 +- h4 += (h3 >> 26); h3 = h3 & 0x3ffffff;
4028 +- h0 += (h4 >> 26) * 5; h4 = h4 & 0x3ffffff;
4029 +- h1 += (h0 >> 26); h0 = h0 & 0x3ffffff;
4030 +-
4031 +- /* compute h + -p */
4032 +- g0 = h0 + 5;
4033 +- g1 = h1 + (g0 >> 26); g0 &= 0x3ffffff;
4034 +- g2 = h2 + (g1 >> 26); g1 &= 0x3ffffff;
4035 +- g3 = h3 + (g2 >> 26); g2 &= 0x3ffffff;
4036 +- g4 = h4 + (g3 >> 26) - (1 << 26); g3 &= 0x3ffffff;
4037 +-
4038 +- /* select h if h < p, or h + -p if h >= p */
4039 +- mask = (g4 >> ((sizeof(u32) * 8) - 1)) - 1;
4040 +- g0 &= mask;
4041 +- g1 &= mask;
4042 +- g2 &= mask;
4043 +- g3 &= mask;
4044 +- g4 &= mask;
4045 +- mask = ~mask;
4046 +- h0 = (h0 & mask) | g0;
4047 +- h1 = (h1 & mask) | g1;
4048 +- h2 = (h2 & mask) | g2;
4049 +- h3 = (h3 & mask) | g3;
4050 +- h4 = (h4 & mask) | g4;
4051 +-
4052 +- /* h = h % (2^128) */
4053 +- put_unaligned_le32((h0 >> 0) | (h1 << 26), dst + 0);
4054 +- put_unaligned_le32((h1 >> 6) | (h2 << 20), dst + 4);
4055 +- put_unaligned_le32((h2 >> 12) | (h3 << 14), dst + 8);
4056 +- put_unaligned_le32((h3 >> 18) | (h4 << 8), dst + 12);
4057 +-}
4058 +-EXPORT_SYMBOL_GPL(poly1305_core_emit);
4059 +
4060 +-int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
4061 ++static int crypto_poly1305_final(struct shash_desc *desc, u8 *dst)
4062 + {
4063 + struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
4064 +- __le32 digest[4];
4065 +- u64 f = 0;
4066 +
4067 + if (unlikely(!dctx->sset))
4068 + return -ENOKEY;
4069 +
4070 +- if (unlikely(dctx->buflen)) {
4071 +- dctx->buf[dctx->buflen++] = 1;
4072 +- memset(dctx->buf + dctx->buflen, 0,
4073 +- POLY1305_BLOCK_SIZE - dctx->buflen);
4074 +- poly1305_blocks(dctx, dctx->buf, POLY1305_BLOCK_SIZE, 0);
4075 +- }
4076 +-
4077 +- poly1305_core_emit(&dctx->h, digest);
4078 +-
4079 +- /* mac = (h + s) % (2^128) */
4080 +- f = (f >> 32) + le32_to_cpu(digest[0]) + dctx->s[0];
4081 +- put_unaligned_le32(f, dst + 0);
4082 +- f = (f >> 32) + le32_to_cpu(digest[1]) + dctx->s[1];
4083 +- put_unaligned_le32(f, dst + 4);
4084 +- f = (f >> 32) + le32_to_cpu(digest[2]) + dctx->s[2];
4085 +- put_unaligned_le32(f, dst + 8);
4086 +- f = (f >> 32) + le32_to_cpu(digest[3]) + dctx->s[3];
4087 +- put_unaligned_le32(f, dst + 12);
4088 +-
4089 ++ poly1305_final_generic(dctx, dst);
4090 + return 0;
4091 + }
4092 +-EXPORT_SYMBOL_GPL(crypto_poly1305_final);
4093 +
4094 + static struct shash_alg poly1305_alg = {
4095 + .digestsize = POLY1305_DIGEST_SIZE,
4096 +--- b/include/crypto/internal/poly1305.h
4097 ++++ b/include/crypto/internal/poly1305.h
4098 +@@ -0,0 +1,33 @@
4099 ++/* SPDX-License-Identifier: GPL-2.0 */
4100 ++/*
4101 ++ * Common values for the Poly1305 algorithm
4102 ++ */
4103 ++
4104 ++#ifndef _CRYPTO_INTERNAL_POLY1305_H
4105 ++#define _CRYPTO_INTERNAL_POLY1305_H
4106 ++
4107 ++#include <asm/unaligned.h>
4108 ++#include <linux/types.h>
4109 ++#include <crypto/poly1305.h>
4110 ++
4111 ++/*
4112 ++ * Poly1305 core functions. These only accept whole blocks; the caller must
4113 ++ * handle any needed block buffering and padding. 'hibit' must be 1 for any
4114 ++ * full blocks, or 0 for the final block if it had to be padded. If 'nonce' is
4115 ++ * non-NULL, then it's added at the end to compute the Poly1305 MAC. Otherwise,
4116 ++ * only the ε-almost-∆-universal hash function (not the full MAC) is computed.
4117 ++ */
4118 ++
4119 ++void poly1305_core_setkey(struct poly1305_core_key *key, const u8 *raw_key);
4120 ++static inline void poly1305_core_init(struct poly1305_state *state)
4121 ++{
4122 ++ *state = (struct poly1305_state){};
4123 ++}
4124 ++
4125 ++void poly1305_core_blocks(struct poly1305_state *state,
4126 ++ const struct poly1305_core_key *key, const void *src,
4127 ++ unsigned int nblocks, u32 hibit);
4128 ++void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
4129 ++ void *dst);
4130 ++
4131 ++#endif
4132 +--- b/include/crypto/poly1305.h
4133 ++++ b/include/crypto/poly1305.h
4134 +@@ -14,51 +14,84 @@
4135 + #define POLY1305_DIGEST_SIZE 16
4136 +
4137 ++/* The poly1305_key and poly1305_state types are mostly opaque and
4138 ++ * implementation-defined. Limbs might be in base 2^64 or base 2^26, or
4139 ++ * different yet. The union type provided keeps these 64-bit aligned for the
4140 ++ * case in which this is implemented using 64x64 multiplies.
4141 ++ */
4142 ++
4143 + struct poly1305_key {
4144 +- u32 r[5]; /* key, base 2^26 */
4145 ++ union {
4146 ++ u32 r[5];
4147 ++ u64 r64[3];
4148 ++ };
4149 ++};
4150 ++
4151 ++struct poly1305_core_key {
4152 ++ struct poly1305_key key;
4153 ++ struct poly1305_key precomputed_s;
4154 + };
4155 +
4156 + struct poly1305_state {
4157 +- u32 h[5]; /* accumulator, base 2^26 */
4158 ++ union {
4159 ++ u32 h[5];
4160 ++ u64 h64[3];
4161 ++ };
4162 + };
4163 +
4164 + struct poly1305_desc_ctx {
4165 +- /* key */
4166 +- struct poly1305_key r;
4167 +- /* finalize key */
4168 +- u32 s[4];
4169 +- /* accumulator */
4170 +- struct poly1305_state h;
4171 + /* partial buffer */
4172 + u8 buf[POLY1305_BLOCK_SIZE];
4173 + /* bytes used in partial buffer */
4174 + unsigned int buflen;
4175 +- /* r key has been set */
4176 +- bool rset;
4177 +- /* s key has been set */
4178 ++ /* how many keys have been set in r[] */
4179 ++ unsigned short rset;
4180 ++ /* whether s[] has been set */
4181 + bool sset;
4182 ++ /* finalize key */
4183 ++ u32 s[4];
4184 ++ /* accumulator */
4185 ++ struct poly1305_state h;
4186 ++ /* key */
4187 ++ union {
4188 ++ struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
4189 ++ struct poly1305_core_key core_r;
4190 ++ };
4191 + };
4192 +
4193 +-/*
4194 +- * Poly1305 core functions. These implement the ε-almost-∆-universal hash
4195 +- * function underlying the Poly1305 MAC, i.e. they don't add an encrypted nonce
4196 +- * ("s key") at the end. They also only support block-aligned inputs.
4197 +- */
4198 +-void poly1305_core_setkey(struct poly1305_key *key, const u8 *raw_key);
4199 +-static inline void poly1305_core_init(struct poly1305_state *state)
4200 ++void poly1305_init_arch(struct poly1305_desc_ctx *desc, const u8 *key);
4201 ++void poly1305_init_generic(struct poly1305_desc_ctx *desc, const u8 *key);
4202 ++
4203 ++static inline void poly1305_init(struct poly1305_desc_ctx *desc, const u8 *key)
4204 ++{
4205 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
4206 ++ poly1305_init_arch(desc, key);
4207 ++ else
4208 ++ poly1305_init_generic(desc, key);
4209 ++}
4210 ++
4211 ++void poly1305_update_arch(struct poly1305_desc_ctx *desc, const u8 *src,
4212 ++ unsigned int nbytes);
4213 ++void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
4214 ++ unsigned int nbytes);
4215 ++
4216 ++static inline void poly1305_update(struct poly1305_desc_ctx *desc,
4217 ++ const u8 *src, unsigned int nbytes)
4218 ++{
4219 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
4220 ++ poly1305_update_arch(desc, src, nbytes);
4221 ++ else
4222 ++ poly1305_update_generic(desc, src, nbytes);
4223 ++}
4224 ++
4225 ++void poly1305_final_arch(struct poly1305_desc_ctx *desc, u8 *digest);
4226 ++void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *digest);
4227 ++
4228 ++static inline void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest)
4229 + {
4230 +- memset(state->h, 0, sizeof(state->h));
4231 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
4232 ++ poly1305_final_arch(desc, digest);
4233 ++ else
4234 ++ poly1305_final_generic(desc, digest);
4235 + }
4236 +-void poly1305_core_blocks(struct poly1305_state *state,
4237 +- const struct poly1305_key *key,
4238 +- const void *src, unsigned int nblocks);
4239 +-void poly1305_core_emit(const struct poly1305_state *state, void *dst);
4240 +-
4241 +-/* Crypto API helper functions for the Poly1305 MAC */
4242 +-int crypto_poly1305_init(struct shash_desc *desc);
4243 +-unsigned int crypto_poly1305_setdesckey(struct poly1305_desc_ctx *dctx,
4244 +- const u8 *src, unsigned int srclen);
4245 +-int crypto_poly1305_update(struct shash_desc *desc,
4246 +- const u8 *src, unsigned int srclen);
4247 +-int crypto_poly1305_final(struct shash_desc *desc, u8 *dst);
4248 +
4249 + #endif
4250 +--- b/lib/crypto/poly1305.c
4251 ++++ b/lib/crypto/poly1305.c
4252 +@@ -0,0 +1,77 @@
4253 ++// SPDX-License-Identifier: GPL-2.0-or-later
4254 ++/*
4255 ++ * Poly1305 authenticator algorithm, RFC7539
4256 ++ *
4257 ++ * Copyright (C) 2015 Martin Willi
4258 ++ *
4259 ++ * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
4260 ++ */
4261 ++
4262 ++#include <crypto/internal/poly1305.h>
4263 ++#include <linux/kernel.h>
4264 ++#include <linux/module.h>
4265 ++#include <asm/unaligned.h>
4266 ++
4267 ++void poly1305_init_generic(struct poly1305_desc_ctx *desc, const u8 *key)
4268 ++{
4269 ++ poly1305_core_setkey(&desc->core_r, key);
4270 ++ desc->s[0] = get_unaligned_le32(key + 16);
4271 ++ desc->s[1] = get_unaligned_le32(key + 20);
4272 ++ desc->s[2] = get_unaligned_le32(key + 24);
4273 ++ desc->s[3] = get_unaligned_le32(key + 28);
4274 ++ poly1305_core_init(&desc->h);
4275 ++ desc->buflen = 0;
4276 ++ desc->sset = true;
4277 ++ desc->rset = 2;
4278 ++}
4279 ++EXPORT_SYMBOL_GPL(poly1305_init_generic);
4280 ++
4281 ++void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
4282 ++ unsigned int nbytes)
4283 ++{
4284 ++ unsigned int bytes;
4285 ++
4286 ++ if (unlikely(desc->buflen)) {
4287 ++ bytes = min(nbytes, POLY1305_BLOCK_SIZE - desc->buflen);
4288 ++ memcpy(desc->buf + desc->buflen, src, bytes);
4289 ++ src += bytes;
4290 ++ nbytes -= bytes;
4291 ++ desc->buflen += bytes;
4292 ++
4293 ++ if (desc->buflen == POLY1305_BLOCK_SIZE) {
4294 ++ poly1305_core_blocks(&desc->h, &desc->core_r, desc->buf,
4295 ++ 1, 1);
4296 ++ desc->buflen = 0;
4297 ++ }
4298 ++ }
4299 ++
4300 ++ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
4301 ++ poly1305_core_blocks(&desc->h, &desc->core_r, src,
4302 ++ nbytes / POLY1305_BLOCK_SIZE, 1);
4303 ++ src += nbytes - (nbytes % POLY1305_BLOCK_SIZE);
4304 ++ nbytes %= POLY1305_BLOCK_SIZE;
4305 ++ }
4306 ++
4307 ++ if (unlikely(nbytes)) {
4308 ++ desc->buflen = nbytes;
4309 ++ memcpy(desc->buf, src, nbytes);
4310 ++ }
4311 ++}
4312 ++EXPORT_SYMBOL_GPL(poly1305_update_generic);
4313 ++
4314 ++void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *dst)
4315 ++{
4316 ++ if (unlikely(desc->buflen)) {
4317 ++ desc->buf[desc->buflen++] = 1;
4318 ++ memset(desc->buf + desc->buflen, 0,
4319 ++ POLY1305_BLOCK_SIZE - desc->buflen);
4320 ++ poly1305_core_blocks(&desc->h, &desc->core_r, desc->buf, 1, 0);
4321 ++ }
4322 ++
4323 ++ poly1305_core_emit(&desc->h, desc->s, dst);
4324 ++ *desc = (struct poly1305_desc_ctx){};
4325 ++}
4326 ++EXPORT_SYMBOL_GPL(poly1305_final_generic);
4327 ++
4328 ++MODULE_LICENSE("GPL");
4329 ++MODULE_AUTHOR("Martin Willi <martin@××××××××××.org>");
4330 +--- a/arch/arm64/crypto/Makefile
4331 ++++ b/arch/arm64/crypto/Makefile
4332 +@@ -50,6 +50,10 @@ sha512-arm64-y := sha512-glue.o sha512-core.o
4333 + obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha-neon.o
4334 + chacha-neon-y := chacha-neon-core.o chacha-neon-glue.o
4335 +
4336 ++obj-$(CONFIG_CRYPTO_POLY1305_NEON) += poly1305-neon.o
4337 ++poly1305-neon-y := poly1305-core.o poly1305-glue.o
4338 ++AFLAGS_poly1305-core.o += -Dpoly1305_init=poly1305_init_arm64
4339 ++
4340 + obj-$(CONFIG_CRYPTO_NHPOLY1305_NEON) += nhpoly1305-neon.o
4341 + nhpoly1305-neon-y := nh-neon-core.o nhpoly1305-neon-glue.o
4342 +
4343 +@@ -68,11 +72,15 @@ ifdef REGENERATE_ARM64_CRYPTO
4344 + quiet_cmd_perlasm = PERLASM $@
4345 + cmd_perlasm = $(PERL) $(<) void $(@)
4346 +
4347 ++$(src)/poly1305-core.S_shipped: $(src)/poly1305-armv8.pl
4348 ++ $(call cmd,perlasm)
4349 ++
4350 + $(src)/sha256-core.S_shipped: $(src)/sha512-armv8.pl
4351 + $(call cmd,perlasm)
4352 +
4353 + $(src)/sha512-core.S_shipped: $(src)/sha512-armv8.pl
4354 + $(call cmd,perlasm)
4355 ++
4356 + endif
4357 +
4358 +-clean-files += sha256-core.S sha512-core.S
4359 ++clean-files += poly1305-core.S sha256-core.S sha512-core.S
4360 +--- /dev/null
4361 ++++ b/arch/arm64/crypto/poly1305-armv8.pl
4362 +@@ -0,0 +1,913 @@
4363 ++#!/usr/bin/env perl
4364 ++# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
4365 ++#
4366 ++# ====================================================================
4367 ++# Written by Andy Polyakov, @dot-asm, initially for the OpenSSL
4368 ++# project.
4369 ++# ====================================================================
4370 ++#
4371 ++# This module implements Poly1305 hash for ARMv8.
4372 ++#
4373 ++# June 2015
4374 ++#
4375 ++# Numbers are cycles per processed byte with poly1305_blocks alone.
4376 ++#
4377 ++# IALU/gcc-4.9 NEON
4378 ++#
4379 ++# Apple A7 1.86/+5% 0.72
4380 ++# Cortex-A53 2.69/+58% 1.47
4381 ++# Cortex-A57 2.70/+7% 1.14
4382 ++# Denver 1.64/+50% 1.18(*)
4383 ++# X-Gene 2.13/+68% 2.27
4384 ++# Mongoose 1.77/+75% 1.12
4385 ++# Kryo 2.70/+55% 1.13
4386 ++# ThunderX2 1.17/+95% 1.36
4387 ++#
4388 ++# (*) estimate based on resources availability is less than 1.0,
4389 ++# i.e. measured result is worse than expected, presumably binary
4390 ++# translator is not almighty;
4391 ++
4392 ++$flavour=shift;
4393 ++$output=shift;
4394 ++
4395 ++if ($flavour && $flavour ne "void") {
4396 ++ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
4397 ++ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
4398 ++ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
4399 ++ die "can't locate arm-xlate.pl";
4400 ++
4401 ++ open STDOUT,"| \"$^X\" $xlate $flavour $output";
4402 ++} else {
4403 ++ open STDOUT,">$output";
4404 ++}
4405 ++
4406 ++my ($ctx,$inp,$len,$padbit) = map("x$_",(0..3));
4407 ++my ($mac,$nonce)=($inp,$len);
4408 ++
4409 ++my ($h0,$h1,$h2,$r0,$r1,$s1,$t0,$t1,$d0,$d1,$d2) = map("x$_",(4..14));
4410 ++
4411 ++$code.=<<___;
4412 ++#ifndef __KERNEL__
4413 ++# include "arm_arch.h"
4414 ++.extern OPENSSL_armcap_P
4415 ++#endif
4416 ++
4417 ++.text
4418 ++
4419 ++// forward "declarations" are required for Apple
4420 ++.globl poly1305_blocks
4421 ++.globl poly1305_emit
4422 ++
4423 ++.globl poly1305_init
4424 ++.type poly1305_init,%function
4425 ++.align 5
4426 ++poly1305_init:
4427 ++ cmp $inp,xzr
4428 ++ stp xzr,xzr,[$ctx] // zero hash value
4429 ++ stp xzr,xzr,[$ctx,#16] // [along with is_base2_26]
4430 ++
4431 ++ csel x0,xzr,x0,eq
4432 ++ b.eq .Lno_key
4433 ++
4434 ++#ifndef __KERNEL__
4435 ++ adrp x17,OPENSSL_armcap_P
4436 ++ ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
4437 ++#endif
4438 ++
4439 ++ ldp $r0,$r1,[$inp] // load key
4440 ++ mov $s1,#0xfffffffc0fffffff
4441 ++ movk $s1,#0x0fff,lsl#48
4442 ++#ifdef __AARCH64EB__
4443 ++ rev $r0,$r0 // flip bytes
4444 ++ rev $r1,$r1
4445 ++#endif
4446 ++ and $r0,$r0,$s1 // &=0ffffffc0fffffff
4447 ++ and $s1,$s1,#-4
4448 ++ and $r1,$r1,$s1 // &=0ffffffc0ffffffc
4449 ++ mov w#$s1,#-1
4450 ++ stp $r0,$r1,[$ctx,#32] // save key value
4451 ++ str w#$s1,[$ctx,#48] // impossible key power value
4452 ++
4453 ++#ifndef __KERNEL__
4454 ++ tst w17,#ARMV7_NEON
4455 ++
4456 ++ adr $d0,.Lpoly1305_blocks
4457 ++ adr $r0,.Lpoly1305_blocks_neon
4458 ++ adr $d1,.Lpoly1305_emit
4459 ++
4460 ++ csel $d0,$d0,$r0,eq
4461 ++
4462 ++# ifdef __ILP32__
4463 ++ stp w#$d0,w#$d1,[$len]
4464 ++# else
4465 ++ stp $d0,$d1,[$len]
4466 ++# endif
4467 ++#endif
4468 ++ mov x0,#1
4469 ++.Lno_key:
4470 ++ ret
4471 ++.size poly1305_init,.-poly1305_init
4472 ++
4473 ++.type poly1305_blocks,%function
4474 ++.align 5
4475 ++poly1305_blocks:
4476 ++.Lpoly1305_blocks:
4477 ++ ands $len,$len,#-16
4478 ++ b.eq .Lno_data
4479 ++
4480 ++ ldp $h0,$h1,[$ctx] // load hash value
4481 ++ ldp $h2,x17,[$ctx,#16] // [along with is_base2_26]
4482 ++ ldp $r0,$r1,[$ctx,#32] // load key value
4483 ++
4484 ++#ifdef __AARCH64EB__
4485 ++ lsr $d0,$h0,#32
4486 ++ mov w#$d1,w#$h0
4487 ++ lsr $d2,$h1,#32
4488 ++ mov w15,w#$h1
4489 ++ lsr x16,$h2,#32
4490 ++#else
4491 ++ mov w#$d0,w#$h0
4492 ++ lsr $d1,$h0,#32
4493 ++ mov w#$d2,w#$h1
4494 ++ lsr x15,$h1,#32
4495 ++ mov w16,w#$h2
4496 ++#endif
4497 ++
4498 ++ add $d0,$d0,$d1,lsl#26 // base 2^26 -> base 2^64
4499 ++ lsr $d1,$d2,#12
4500 ++ adds $d0,$d0,$d2,lsl#52
4501 ++ add $d1,$d1,x15,lsl#14
4502 ++ adc $d1,$d1,xzr
4503 ++ lsr $d2,x16,#24
4504 ++ adds $d1,$d1,x16,lsl#40
4505 ++ adc $d2,$d2,xzr
4506 ++
4507 ++ cmp x17,#0 // is_base2_26?
4508 ++ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4509 ++ csel $h0,$h0,$d0,eq // choose between radixes
4510 ++ csel $h1,$h1,$d1,eq
4511 ++ csel $h2,$h2,$d2,eq
4512 ++
4513 ++.Loop:
4514 ++ ldp $t0,$t1,[$inp],#16 // load input
4515 ++ sub $len,$len,#16
4516 ++#ifdef __AARCH64EB__
4517 ++ rev $t0,$t0
4518 ++ rev $t1,$t1
4519 ++#endif
4520 ++ adds $h0,$h0,$t0 // accumulate input
4521 ++ adcs $h1,$h1,$t1
4522 ++
4523 ++ mul $d0,$h0,$r0 // h0*r0
4524 ++ adc $h2,$h2,$padbit
4525 ++ umulh $d1,$h0,$r0
4526 ++
4527 ++ mul $t0,$h1,$s1 // h1*5*r1
4528 ++ umulh $t1,$h1,$s1
4529 ++
4530 ++ adds $d0,$d0,$t0
4531 ++ mul $t0,$h0,$r1 // h0*r1
4532 ++ adc $d1,$d1,$t1
4533 ++ umulh $d2,$h0,$r1
4534 ++
4535 ++ adds $d1,$d1,$t0
4536 ++ mul $t0,$h1,$r0 // h1*r0
4537 ++ adc $d2,$d2,xzr
4538 ++ umulh $t1,$h1,$r0
4539 ++
4540 ++ adds $d1,$d1,$t0
4541 ++ mul $t0,$h2,$s1 // h2*5*r1
4542 ++ adc $d2,$d2,$t1
4543 ++ mul $t1,$h2,$r0 // h2*r0
4544 ++
4545 ++ adds $d1,$d1,$t0
4546 ++ adc $d2,$d2,$t1
4547 ++
4548 ++ and $t0,$d2,#-4 // final reduction
4549 ++ and $h2,$d2,#3
4550 ++ add $t0,$t0,$d2,lsr#2
4551 ++ adds $h0,$d0,$t0
4552 ++ adcs $h1,$d1,xzr
4553 ++ adc $h2,$h2,xzr
4554 ++
4555 ++ cbnz $len,.Loop
4556 ++
4557 ++ stp $h0,$h1,[$ctx] // store hash value
4558 ++ stp $h2,xzr,[$ctx,#16] // [and clear is_base2_26]
4559 ++
4560 ++.Lno_data:
4561 ++ ret
4562 ++.size poly1305_blocks,.-poly1305_blocks
4563 ++
4564 ++.type poly1305_emit,%function
4565 ++.align 5
4566 ++poly1305_emit:
4567 ++.Lpoly1305_emit:
4568 ++ ldp $h0,$h1,[$ctx] // load hash base 2^64
4569 ++ ldp $h2,$r0,[$ctx,#16] // [along with is_base2_26]
4570 ++ ldp $t0,$t1,[$nonce] // load nonce
4571 ++
4572 ++#ifdef __AARCH64EB__
4573 ++ lsr $d0,$h0,#32
4574 ++ mov w#$d1,w#$h0
4575 ++ lsr $d2,$h1,#32
4576 ++ mov w15,w#$h1
4577 ++ lsr x16,$h2,#32
4578 ++#else
4579 ++ mov w#$d0,w#$h0
4580 ++ lsr $d1,$h0,#32
4581 ++ mov w#$d2,w#$h1
4582 ++ lsr x15,$h1,#32
4583 ++ mov w16,w#$h2
4584 ++#endif
4585 ++
4586 ++ add $d0,$d0,$d1,lsl#26 // base 2^26 -> base 2^64
4587 ++ lsr $d1,$d2,#12
4588 ++ adds $d0,$d0,$d2,lsl#52
4589 ++ add $d1,$d1,x15,lsl#14
4590 ++ adc $d1,$d1,xzr
4591 ++ lsr $d2,x16,#24
4592 ++ adds $d1,$d1,x16,lsl#40
4593 ++ adc $d2,$d2,xzr
4594 ++
4595 ++ cmp $r0,#0 // is_base2_26?
4596 ++ csel $h0,$h0,$d0,eq // choose between radixes
4597 ++ csel $h1,$h1,$d1,eq
4598 ++ csel $h2,$h2,$d2,eq
4599 ++
4600 ++ adds $d0,$h0,#5 // compare to modulus
4601 ++ adcs $d1,$h1,xzr
4602 ++ adc $d2,$h2,xzr
4603 ++
4604 ++ tst $d2,#-4 // see if it's carried/borrowed
4605 ++
4606 ++ csel $h0,$h0,$d0,eq
4607 ++ csel $h1,$h1,$d1,eq
4608 ++
4609 ++#ifdef __AARCH64EB__
4610 ++ ror $t0,$t0,#32 // flip nonce words
4611 ++ ror $t1,$t1,#32
4612 ++#endif
4613 ++ adds $h0,$h0,$t0 // accumulate nonce
4614 ++ adc $h1,$h1,$t1
4615 ++#ifdef __AARCH64EB__
4616 ++ rev $h0,$h0 // flip output bytes
4617 ++ rev $h1,$h1
4618 ++#endif
4619 ++ stp $h0,$h1,[$mac] // write result
4620 ++
4621 ++ ret
4622 ++.size poly1305_emit,.-poly1305_emit
4623 ++___
4624 ++my ($R0,$R1,$S1,$R2,$S2,$R3,$S3,$R4,$S4) = map("v$_.4s",(0..8));
4625 ++my ($IN01_0,$IN01_1,$IN01_2,$IN01_3,$IN01_4) = map("v$_.2s",(9..13));
4626 ++my ($IN23_0,$IN23_1,$IN23_2,$IN23_3,$IN23_4) = map("v$_.2s",(14..18));
4627 ++my ($ACC0,$ACC1,$ACC2,$ACC3,$ACC4) = map("v$_.2d",(19..23));
4628 ++my ($H0,$H1,$H2,$H3,$H4) = map("v$_.2s",(24..28));
4629 ++my ($T0,$T1,$MASK) = map("v$_",(29..31));
4630 ++
4631 ++my ($in2,$zeros)=("x16","x17");
4632 ++my $is_base2_26 = $zeros; # borrow
4633 ++
4634 ++$code.=<<___;
4635 ++.type poly1305_mult,%function
4636 ++.align 5
4637 ++poly1305_mult:
4638 ++ mul $d0,$h0,$r0 // h0*r0
4639 ++ umulh $d1,$h0,$r0
4640 ++
4641 ++ mul $t0,$h1,$s1 // h1*5*r1
4642 ++ umulh $t1,$h1,$s1
4643 ++
4644 ++ adds $d0,$d0,$t0
4645 ++ mul $t0,$h0,$r1 // h0*r1
4646 ++ adc $d1,$d1,$t1
4647 ++ umulh $d2,$h0,$r1
4648 ++
4649 ++ adds $d1,$d1,$t0
4650 ++ mul $t0,$h1,$r0 // h1*r0
4651 ++ adc $d2,$d2,xzr
4652 ++ umulh $t1,$h1,$r0
4653 ++
4654 ++ adds $d1,$d1,$t0
4655 ++ mul $t0,$h2,$s1 // h2*5*r1
4656 ++ adc $d2,$d2,$t1
4657 ++ mul $t1,$h2,$r0 // h2*r0
4658 ++
4659 ++ adds $d1,$d1,$t0
4660 ++ adc $d2,$d2,$t1
4661 ++
4662 ++ and $t0,$d2,#-4 // final reduction
4663 ++ and $h2,$d2,#3
4664 ++ add $t0,$t0,$d2,lsr#2
4665 ++ adds $h0,$d0,$t0
4666 ++ adcs $h1,$d1,xzr
4667 ++ adc $h2,$h2,xzr
4668 ++
4669 ++ ret
4670 ++.size poly1305_mult,.-poly1305_mult
4671 ++
4672 ++.type poly1305_splat,%function
4673 ++.align 4
4674 ++poly1305_splat:
4675 ++ and x12,$h0,#0x03ffffff // base 2^64 -> base 2^26
4676 ++ ubfx x13,$h0,#26,#26
4677 ++ extr x14,$h1,$h0,#52
4678 ++ and x14,x14,#0x03ffffff
4679 ++ ubfx x15,$h1,#14,#26
4680 ++ extr x16,$h2,$h1,#40
4681 ++
4682 ++ str w12,[$ctx,#16*0] // r0
4683 ++ add w12,w13,w13,lsl#2 // r1*5
4684 ++ str w13,[$ctx,#16*1] // r1
4685 ++ add w13,w14,w14,lsl#2 // r2*5
4686 ++ str w12,[$ctx,#16*2] // s1
4687 ++ str w14,[$ctx,#16*3] // r2
4688 ++ add w14,w15,w15,lsl#2 // r3*5
4689 ++ str w13,[$ctx,#16*4] // s2
4690 ++ str w15,[$ctx,#16*5] // r3
4691 ++ add w15,w16,w16,lsl#2 // r4*5
4692 ++ str w14,[$ctx,#16*6] // s3
4693 ++ str w16,[$ctx,#16*7] // r4
4694 ++ str w15,[$ctx,#16*8] // s4
4695 ++
4696 ++ ret
4697 ++.size poly1305_splat,.-poly1305_splat
4698 ++
4699 ++#ifdef __KERNEL__
4700 ++.globl poly1305_blocks_neon
4701 ++#endif
4702 ++.type poly1305_blocks_neon,%function
4703 ++.align 5
4704 ++poly1305_blocks_neon:
4705 ++.Lpoly1305_blocks_neon:
4706 ++ ldr $is_base2_26,[$ctx,#24]
4707 ++ cmp $len,#128
4708 ++ b.lo .Lpoly1305_blocks
4709 ++
4710 ++ .inst 0xd503233f // paciasp
4711 ++ stp x29,x30,[sp,#-80]!
4712 ++ add x29,sp,#0
4713 ++
4714 ++ stp d8,d9,[sp,#16] // meet ABI requirements
4715 ++ stp d10,d11,[sp,#32]
4716 ++ stp d12,d13,[sp,#48]
4717 ++ stp d14,d15,[sp,#64]
4718 ++
4719 ++ cbz $is_base2_26,.Lbase2_64_neon
4720 ++
4721 ++ ldp w10,w11,[$ctx] // load hash value base 2^26
4722 ++ ldp w12,w13,[$ctx,#8]
4723 ++ ldr w14,[$ctx,#16]
4724 ++
4725 ++ tst $len,#31
4726 ++ b.eq .Leven_neon
4727 ++
4728 ++ ldp $r0,$r1,[$ctx,#32] // load key value
4729 ++
4730 ++ add $h0,x10,x11,lsl#26 // base 2^26 -> base 2^64
4731 ++ lsr $h1,x12,#12
4732 ++ adds $h0,$h0,x12,lsl#52
4733 ++ add $h1,$h1,x13,lsl#14
4734 ++ adc $h1,$h1,xzr
4735 ++ lsr $h2,x14,#24
4736 ++ adds $h1,$h1,x14,lsl#40
4737 ++ adc $d2,$h2,xzr // can be partially reduced...
4738 ++
4739 ++ ldp $d0,$d1,[$inp],#16 // load input
4740 ++ sub $len,$len,#16
4741 ++ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4742 ++
4743 ++#ifdef __AARCH64EB__
4744 ++ rev $d0,$d0
4745 ++ rev $d1,$d1
4746 ++#endif
4747 ++ adds $h0,$h0,$d0 // accumulate input
4748 ++ adcs $h1,$h1,$d1
4749 ++ adc $h2,$h2,$padbit
4750 ++
4751 ++ bl poly1305_mult
4752 ++
4753 ++ and x10,$h0,#0x03ffffff // base 2^64 -> base 2^26
4754 ++ ubfx x11,$h0,#26,#26
4755 ++ extr x12,$h1,$h0,#52
4756 ++ and x12,x12,#0x03ffffff
4757 ++ ubfx x13,$h1,#14,#26
4758 ++ extr x14,$h2,$h1,#40
4759 ++
4760 ++ b .Leven_neon
4761 ++
4762 ++.align 4
4763 ++.Lbase2_64_neon:
4764 ++ ldp $r0,$r1,[$ctx,#32] // load key value
4765 ++
4766 ++ ldp $h0,$h1,[$ctx] // load hash value base 2^64
4767 ++ ldr $h2,[$ctx,#16]
4768 ++
4769 ++ tst $len,#31
4770 ++ b.eq .Linit_neon
4771 ++
4772 ++ ldp $d0,$d1,[$inp],#16 // load input
4773 ++ sub $len,$len,#16
4774 ++ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4775 ++#ifdef __AARCH64EB__
4776 ++ rev $d0,$d0
4777 ++ rev $d1,$d1
4778 ++#endif
4779 ++ adds $h0,$h0,$d0 // accumulate input
4780 ++ adcs $h1,$h1,$d1
4781 ++ adc $h2,$h2,$padbit
4782 ++
4783 ++ bl poly1305_mult
4784 ++
4785 ++.Linit_neon:
4786 ++ ldr w17,[$ctx,#48] // first table element
4787 ++ and x10,$h0,#0x03ffffff // base 2^64 -> base 2^26
4788 ++ ubfx x11,$h0,#26,#26
4789 ++ extr x12,$h1,$h0,#52
4790 ++ and x12,x12,#0x03ffffff
4791 ++ ubfx x13,$h1,#14,#26
4792 ++ extr x14,$h2,$h1,#40
4793 ++
4794 ++ cmp w17,#-1 // is value impossible?
4795 ++ b.ne .Leven_neon
4796 ++
4797 ++ fmov ${H0},x10
4798 ++ fmov ${H1},x11
4799 ++ fmov ${H2},x12
4800 ++ fmov ${H3},x13
4801 ++ fmov ${H4},x14
4802 ++
4803 ++ ////////////////////////////////// initialize r^n table
4804 ++ mov $h0,$r0 // r^1
4805 ++ add $s1,$r1,$r1,lsr#2 // s1 = r1 + (r1 >> 2)
4806 ++ mov $h1,$r1
4807 ++ mov $h2,xzr
4808 ++ add $ctx,$ctx,#48+12
4809 ++ bl poly1305_splat
4810 ++
4811 ++ bl poly1305_mult // r^2
4812 ++ sub $ctx,$ctx,#4
4813 ++ bl poly1305_splat
4814 ++
4815 ++ bl poly1305_mult // r^3
4816 ++ sub $ctx,$ctx,#4
4817 ++ bl poly1305_splat
4818 ++
4819 ++ bl poly1305_mult // r^4
4820 ++ sub $ctx,$ctx,#4
4821 ++ bl poly1305_splat
4822 ++ sub $ctx,$ctx,#48 // restore original $ctx
4823 ++ b .Ldo_neon
4824 ++
4825 ++.align 4
4826 ++.Leven_neon:
4827 ++ fmov ${H0},x10
4828 ++ fmov ${H1},x11
4829 ++ fmov ${H2},x12
4830 ++ fmov ${H3},x13
4831 ++ fmov ${H4},x14
4832 ++
4833 ++.Ldo_neon:
4834 ++ ldp x8,x12,[$inp,#32] // inp[2:3]
4835 ++ subs $len,$len,#64
4836 ++ ldp x9,x13,[$inp,#48]
4837 ++ add $in2,$inp,#96
4838 ++ adr $zeros,.Lzeros
4839 ++
4840 ++ lsl $padbit,$padbit,#24
4841 ++ add x15,$ctx,#48
4842 ++
4843 ++#ifdef __AARCH64EB__
4844 ++ rev x8,x8
4845 ++ rev x12,x12
4846 ++ rev x9,x9
4847 ++ rev x13,x13
4848 ++#endif
4849 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
4850 ++ and x5,x9,#0x03ffffff
4851 ++ ubfx x6,x8,#26,#26
4852 ++ ubfx x7,x9,#26,#26
4853 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
4854 ++ extr x8,x12,x8,#52
4855 ++ extr x9,x13,x9,#52
4856 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
4857 ++ fmov $IN23_0,x4
4858 ++ and x8,x8,#0x03ffffff
4859 ++ and x9,x9,#0x03ffffff
4860 ++ ubfx x10,x12,#14,#26
4861 ++ ubfx x11,x13,#14,#26
4862 ++ add x12,$padbit,x12,lsr#40
4863 ++ add x13,$padbit,x13,lsr#40
4864 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
4865 ++ fmov $IN23_1,x6
4866 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
4867 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
4868 ++ fmov $IN23_2,x8
4869 ++ fmov $IN23_3,x10
4870 ++ fmov $IN23_4,x12
4871 ++
4872 ++ ldp x8,x12,[$inp],#16 // inp[0:1]
4873 ++ ldp x9,x13,[$inp],#48
4874 ++
4875 ++ ld1 {$R0,$R1,$S1,$R2},[x15],#64
4876 ++ ld1 {$S2,$R3,$S3,$R4},[x15],#64
4877 ++ ld1 {$S4},[x15]
4878 ++
4879 ++#ifdef __AARCH64EB__
4880 ++ rev x8,x8
4881 ++ rev x12,x12
4882 ++ rev x9,x9
4883 ++ rev x13,x13
4884 ++#endif
4885 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
4886 ++ and x5,x9,#0x03ffffff
4887 ++ ubfx x6,x8,#26,#26
4888 ++ ubfx x7,x9,#26,#26
4889 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
4890 ++ extr x8,x12,x8,#52
4891 ++ extr x9,x13,x9,#52
4892 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
4893 ++ fmov $IN01_0,x4
4894 ++ and x8,x8,#0x03ffffff
4895 ++ and x9,x9,#0x03ffffff
4896 ++ ubfx x10,x12,#14,#26
4897 ++ ubfx x11,x13,#14,#26
4898 ++ add x12,$padbit,x12,lsr#40
4899 ++ add x13,$padbit,x13,lsr#40
4900 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
4901 ++ fmov $IN01_1,x6
4902 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
4903 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
4904 ++ movi $MASK.2d,#-1
4905 ++ fmov $IN01_2,x8
4906 ++ fmov $IN01_3,x10
4907 ++ fmov $IN01_4,x12
4908 ++ ushr $MASK.2d,$MASK.2d,#38
4909 ++
4910 ++ b.ls .Lskip_loop
4911 ++
4912 ++.align 4
4913 ++.Loop_neon:
4914 ++ ////////////////////////////////////////////////////////////////
4915 ++ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
4916 ++ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
4917 ++ // \___________________/
4918 ++ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
4919 ++ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
4920 ++ // \___________________/ \____________________/
4921 ++ //
4922 ++ // Note that we start with inp[2:3]*r^2. This is because it
4923 ++ // doesn't depend on reduction in previous iteration.
4924 ++ ////////////////////////////////////////////////////////////////
4925 ++ // d4 = h0*r4 + h1*r3 + h2*r2 + h3*r1 + h4*r0
4926 ++ // d3 = h0*r3 + h1*r2 + h2*r1 + h3*r0 + h4*5*r4
4927 ++ // d2 = h0*r2 + h1*r1 + h2*r0 + h3*5*r4 + h4*5*r3
4928 ++ // d1 = h0*r1 + h1*r0 + h2*5*r4 + h3*5*r3 + h4*5*r2
4929 ++ // d0 = h0*r0 + h1*5*r4 + h2*5*r3 + h3*5*r2 + h4*5*r1
4930 ++
4931 ++ subs $len,$len,#64
4932 ++ umull $ACC4,$IN23_0,${R4}[2]
4933 ++ csel $in2,$zeros,$in2,lo
4934 ++ umull $ACC3,$IN23_0,${R3}[2]
4935 ++ umull $ACC2,$IN23_0,${R2}[2]
4936 ++ ldp x8,x12,[$in2],#16 // inp[2:3] (or zero)
4937 ++ umull $ACC1,$IN23_0,${R1}[2]
4938 ++ ldp x9,x13,[$in2],#48
4939 ++ umull $ACC0,$IN23_0,${R0}[2]
4940 ++#ifdef __AARCH64EB__
4941 ++ rev x8,x8
4942 ++ rev x12,x12
4943 ++ rev x9,x9
4944 ++ rev x13,x13
4945 ++#endif
4946 ++
4947 ++ umlal $ACC4,$IN23_1,${R3}[2]
4948 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
4949 ++ umlal $ACC3,$IN23_1,${R2}[2]
4950 ++ and x5,x9,#0x03ffffff
4951 ++ umlal $ACC2,$IN23_1,${R1}[2]
4952 ++ ubfx x6,x8,#26,#26
4953 ++ umlal $ACC1,$IN23_1,${R0}[2]
4954 ++ ubfx x7,x9,#26,#26
4955 ++ umlal $ACC0,$IN23_1,${S4}[2]
4956 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
4957 ++
4958 ++ umlal $ACC4,$IN23_2,${R2}[2]
4959 ++ extr x8,x12,x8,#52
4960 ++ umlal $ACC3,$IN23_2,${R1}[2]
4961 ++ extr x9,x13,x9,#52
4962 ++ umlal $ACC2,$IN23_2,${R0}[2]
4963 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
4964 ++ umlal $ACC1,$IN23_2,${S4}[2]
4965 ++ fmov $IN23_0,x4
4966 ++ umlal $ACC0,$IN23_2,${S3}[2]
4967 ++ and x8,x8,#0x03ffffff
4968 ++
4969 ++ umlal $ACC4,$IN23_3,${R1}[2]
4970 ++ and x9,x9,#0x03ffffff
4971 ++ umlal $ACC3,$IN23_3,${R0}[2]
4972 ++ ubfx x10,x12,#14,#26
4973 ++ umlal $ACC2,$IN23_3,${S4}[2]
4974 ++ ubfx x11,x13,#14,#26
4975 ++ umlal $ACC1,$IN23_3,${S3}[2]
4976 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
4977 ++ umlal $ACC0,$IN23_3,${S2}[2]
4978 ++ fmov $IN23_1,x6
4979 ++
4980 ++ add $IN01_2,$IN01_2,$H2
4981 ++ add x12,$padbit,x12,lsr#40
4982 ++ umlal $ACC4,$IN23_4,${R0}[2]
4983 ++ add x13,$padbit,x13,lsr#40
4984 ++ umlal $ACC3,$IN23_4,${S4}[2]
4985 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
4986 ++ umlal $ACC2,$IN23_4,${S3}[2]
4987 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
4988 ++ umlal $ACC1,$IN23_4,${S2}[2]
4989 ++ fmov $IN23_2,x8
4990 ++ umlal $ACC0,$IN23_4,${S1}[2]
4991 ++ fmov $IN23_3,x10
4992 ++
4993 ++ ////////////////////////////////////////////////////////////////
4994 ++ // (hash+inp[0:1])*r^4 and accumulate
4995 ++
4996 ++ add $IN01_0,$IN01_0,$H0
4997 ++ fmov $IN23_4,x12
4998 ++ umlal $ACC3,$IN01_2,${R1}[0]
4999 ++ ldp x8,x12,[$inp],#16 // inp[0:1]
5000 ++ umlal $ACC0,$IN01_2,${S3}[0]
5001 ++ ldp x9,x13,[$inp],#48
5002 ++ umlal $ACC4,$IN01_2,${R2}[0]
5003 ++ umlal $ACC1,$IN01_2,${S4}[0]
5004 ++ umlal $ACC2,$IN01_2,${R0}[0]
5005 ++#ifdef __AARCH64EB__
5006 ++ rev x8,x8
5007 ++ rev x12,x12
5008 ++ rev x9,x9
5009 ++ rev x13,x13
5010 ++#endif
5011 ++
5012 ++ add $IN01_1,$IN01_1,$H1
5013 ++ umlal $ACC3,$IN01_0,${R3}[0]
5014 ++ umlal $ACC4,$IN01_0,${R4}[0]
5015 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5016 ++ umlal $ACC2,$IN01_0,${R2}[0]
5017 ++ and x5,x9,#0x03ffffff
5018 ++ umlal $ACC0,$IN01_0,${R0}[0]
5019 ++ ubfx x6,x8,#26,#26
5020 ++ umlal $ACC1,$IN01_0,${R1}[0]
5021 ++ ubfx x7,x9,#26,#26
5022 ++
5023 ++ add $IN01_3,$IN01_3,$H3
5024 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5025 ++ umlal $ACC3,$IN01_1,${R2}[0]
5026 ++ extr x8,x12,x8,#52
5027 ++ umlal $ACC4,$IN01_1,${R3}[0]
5028 ++ extr x9,x13,x9,#52
5029 ++ umlal $ACC0,$IN01_1,${S4}[0]
5030 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5031 ++ umlal $ACC2,$IN01_1,${R1}[0]
5032 ++ fmov $IN01_0,x4
5033 ++ umlal $ACC1,$IN01_1,${R0}[0]
5034 ++ and x8,x8,#0x03ffffff
5035 ++
5036 ++ add $IN01_4,$IN01_4,$H4
5037 ++ and x9,x9,#0x03ffffff
5038 ++ umlal $ACC3,$IN01_3,${R0}[0]
5039 ++ ubfx x10,x12,#14,#26
5040 ++ umlal $ACC0,$IN01_3,${S2}[0]
5041 ++ ubfx x11,x13,#14,#26
5042 ++ umlal $ACC4,$IN01_3,${R1}[0]
5043 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5044 ++ umlal $ACC1,$IN01_3,${S3}[0]
5045 ++ fmov $IN01_1,x6
5046 ++ umlal $ACC2,$IN01_3,${S4}[0]
5047 ++ add x12,$padbit,x12,lsr#40
5048 ++
5049 ++ umlal $ACC3,$IN01_4,${S4}[0]
5050 ++ add x13,$padbit,x13,lsr#40
5051 ++ umlal $ACC0,$IN01_4,${S1}[0]
5052 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5053 ++ umlal $ACC4,$IN01_4,${R0}[0]
5054 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5055 ++ umlal $ACC1,$IN01_4,${S2}[0]
5056 ++ fmov $IN01_2,x8
5057 ++ umlal $ACC2,$IN01_4,${S3}[0]
5058 ++ fmov $IN01_3,x10
5059 ++ fmov $IN01_4,x12
5060 ++
5061 ++ /////////////////////////////////////////////////////////////////
5062 ++ // lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
5063 ++ // and P. Schwabe
5064 ++ //
5065 ++ // [see discussion in poly1305-armv4 module]
5066 ++
5067 ++ ushr $T0.2d,$ACC3,#26
5068 ++ xtn $H3,$ACC3
5069 ++ ushr $T1.2d,$ACC0,#26
5070 ++ and $ACC0,$ACC0,$MASK.2d
5071 ++ add $ACC4,$ACC4,$T0.2d // h3 -> h4
5072 ++ bic $H3,#0xfc,lsl#24 // &=0x03ffffff
5073 ++ add $ACC1,$ACC1,$T1.2d // h0 -> h1
5074 ++
5075 ++ ushr $T0.2d,$ACC4,#26
5076 ++ xtn $H4,$ACC4
5077 ++ ushr $T1.2d,$ACC1,#26
5078 ++ xtn $H1,$ACC1
5079 ++ bic $H4,#0xfc,lsl#24
5080 ++ add $ACC2,$ACC2,$T1.2d // h1 -> h2
5081 ++
5082 ++ add $ACC0,$ACC0,$T0.2d
5083 ++ shl $T0.2d,$T0.2d,#2
5084 ++ shrn $T1.2s,$ACC2,#26
5085 ++ xtn $H2,$ACC2
5086 ++ add $ACC0,$ACC0,$T0.2d // h4 -> h0
5087 ++ bic $H1,#0xfc,lsl#24
5088 ++ add $H3,$H3,$T1.2s // h2 -> h3
5089 ++ bic $H2,#0xfc,lsl#24
5090 ++
5091 ++ shrn $T0.2s,$ACC0,#26
5092 ++ xtn $H0,$ACC0
5093 ++ ushr $T1.2s,$H3,#26
5094 ++ bic $H3,#0xfc,lsl#24
5095 ++ bic $H0,#0xfc,lsl#24
5096 ++ add $H1,$H1,$T0.2s // h0 -> h1
5097 ++ add $H4,$H4,$T1.2s // h3 -> h4
5098 ++
5099 ++ b.hi .Loop_neon
5100 ++
5101 ++.Lskip_loop:
5102 ++ dup $IN23_2,${IN23_2}[0]
5103 ++ add $IN01_2,$IN01_2,$H2
5104 ++
5105 ++ ////////////////////////////////////////////////////////////////
5106 ++ // multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
5107 ++
5108 ++ adds $len,$len,#32
5109 ++ b.ne .Long_tail
5110 ++
5111 ++ dup $IN23_2,${IN01_2}[0]
5112 ++ add $IN23_0,$IN01_0,$H0
5113 ++ add $IN23_3,$IN01_3,$H3
5114 ++ add $IN23_1,$IN01_1,$H1
5115 ++ add $IN23_4,$IN01_4,$H4
5116 ++
5117 ++.Long_tail:
5118 ++ dup $IN23_0,${IN23_0}[0]
5119 ++ umull2 $ACC0,$IN23_2,${S3}
5120 ++ umull2 $ACC3,$IN23_2,${R1}
5121 ++ umull2 $ACC4,$IN23_2,${R2}
5122 ++ umull2 $ACC2,$IN23_2,${R0}
5123 ++ umull2 $ACC1,$IN23_2,${S4}
5124 ++
5125 ++ dup $IN23_1,${IN23_1}[0]
5126 ++ umlal2 $ACC0,$IN23_0,${R0}
5127 ++ umlal2 $ACC2,$IN23_0,${R2}
5128 ++ umlal2 $ACC3,$IN23_0,${R3}
5129 ++ umlal2 $ACC4,$IN23_0,${R4}
5130 ++ umlal2 $ACC1,$IN23_0,${R1}
5131 ++
5132 ++ dup $IN23_3,${IN23_3}[0]
5133 ++ umlal2 $ACC0,$IN23_1,${S4}
5134 ++ umlal2 $ACC3,$IN23_1,${R2}
5135 ++ umlal2 $ACC2,$IN23_1,${R1}
5136 ++ umlal2 $ACC4,$IN23_1,${R3}
5137 ++ umlal2 $ACC1,$IN23_1,${R0}
5138 ++
5139 ++ dup $IN23_4,${IN23_4}[0]
5140 ++ umlal2 $ACC3,$IN23_3,${R0}
5141 ++ umlal2 $ACC4,$IN23_3,${R1}
5142 ++ umlal2 $ACC0,$IN23_3,${S2}
5143 ++ umlal2 $ACC1,$IN23_3,${S3}
5144 ++ umlal2 $ACC2,$IN23_3,${S4}
5145 ++
5146 ++ umlal2 $ACC3,$IN23_4,${S4}
5147 ++ umlal2 $ACC0,$IN23_4,${S1}
5148 ++ umlal2 $ACC4,$IN23_4,${R0}
5149 ++ umlal2 $ACC1,$IN23_4,${S2}
5150 ++ umlal2 $ACC2,$IN23_4,${S3}
5151 ++
5152 ++ b.eq .Lshort_tail
5153 ++
5154 ++ ////////////////////////////////////////////////////////////////
5155 ++ // (hash+inp[0:1])*r^4:r^3 and accumulate
5156 ++
5157 ++ add $IN01_0,$IN01_0,$H0
5158 ++ umlal $ACC3,$IN01_2,${R1}
5159 ++ umlal $ACC0,$IN01_2,${S3}
5160 ++ umlal $ACC4,$IN01_2,${R2}
5161 ++ umlal $ACC1,$IN01_2,${S4}
5162 ++ umlal $ACC2,$IN01_2,${R0}
5163 ++
5164 ++ add $IN01_1,$IN01_1,$H1
5165 ++ umlal $ACC3,$IN01_0,${R3}
5166 ++ umlal $ACC0,$IN01_0,${R0}
5167 ++ umlal $ACC4,$IN01_0,${R4}
5168 ++ umlal $ACC1,$IN01_0,${R1}
5169 ++ umlal $ACC2,$IN01_0,${R2}
5170 ++
5171 ++ add $IN01_3,$IN01_3,$H3
5172 ++ umlal $ACC3,$IN01_1,${R2}
5173 ++ umlal $ACC0,$IN01_1,${S4}
5174 ++ umlal $ACC4,$IN01_1,${R3}
5175 ++ umlal $ACC1,$IN01_1,${R0}
5176 ++ umlal $ACC2,$IN01_1,${R1}
5177 ++
5178 ++ add $IN01_4,$IN01_4,$H4
5179 ++ umlal $ACC3,$IN01_3,${R0}
5180 ++ umlal $ACC0,$IN01_3,${S2}
5181 ++ umlal $ACC4,$IN01_3,${R1}
5182 ++ umlal $ACC1,$IN01_3,${S3}
5183 ++ umlal $ACC2,$IN01_3,${S4}
5184 ++
5185 ++ umlal $ACC3,$IN01_4,${S4}
5186 ++ umlal $ACC0,$IN01_4,${S1}
5187 ++ umlal $ACC4,$IN01_4,${R0}
5188 ++ umlal $ACC1,$IN01_4,${S2}
5189 ++ umlal $ACC2,$IN01_4,${S3}
5190 ++
5191 ++.Lshort_tail:
5192 ++ ////////////////////////////////////////////////////////////////
5193 ++ // horizontal add
5194 ++
5195 ++ addp $ACC3,$ACC3,$ACC3
5196 ++ ldp d8,d9,[sp,#16] // meet ABI requirements
5197 ++ addp $ACC0,$ACC0,$ACC0
5198 ++ ldp d10,d11,[sp,#32]
5199 ++ addp $ACC4,$ACC4,$ACC4
5200 ++ ldp d12,d13,[sp,#48]
5201 ++ addp $ACC1,$ACC1,$ACC1
5202 ++ ldp d14,d15,[sp,#64]
5203 ++ addp $ACC2,$ACC2,$ACC2
5204 ++ ldr x30,[sp,#8]
5205 ++ .inst 0xd50323bf // autiasp
5206 ++
5207 ++ ////////////////////////////////////////////////////////////////
5208 ++ // lazy reduction, but without narrowing
5209 ++
5210 ++ ushr $T0.2d,$ACC3,#26
5211 ++ and $ACC3,$ACC3,$MASK.2d
5212 ++ ushr $T1.2d,$ACC0,#26
5213 ++ and $ACC0,$ACC0,$MASK.2d
5214 ++
5215 ++ add $ACC4,$ACC4,$T0.2d // h3 -> h4
5216 ++ add $ACC1,$ACC1,$T1.2d // h0 -> h1
5217 ++
5218 ++ ushr $T0.2d,$ACC4,#26
5219 ++ and $ACC4,$ACC4,$MASK.2d
5220 ++ ushr $T1.2d,$ACC1,#26
5221 ++ and $ACC1,$ACC1,$MASK.2d
5222 ++ add $ACC2,$ACC2,$T1.2d // h1 -> h2
5223 ++
5224 ++ add $ACC0,$ACC0,$T0.2d
5225 ++ shl $T0.2d,$T0.2d,#2
5226 ++ ushr $T1.2d,$ACC2,#26
5227 ++ and $ACC2,$ACC2,$MASK.2d
5228 ++ add $ACC0,$ACC0,$T0.2d // h4 -> h0
5229 ++ add $ACC3,$ACC3,$T1.2d // h2 -> h3
5230 ++
5231 ++ ushr $T0.2d,$ACC0,#26
5232 ++ and $ACC0,$ACC0,$MASK.2d
5233 ++ ushr $T1.2d,$ACC3,#26
5234 ++ and $ACC3,$ACC3,$MASK.2d
5235 ++ add $ACC1,$ACC1,$T0.2d // h0 -> h1
5236 ++ add $ACC4,$ACC4,$T1.2d // h3 -> h4
5237 ++
5238 ++ ////////////////////////////////////////////////////////////////
5239 ++ // write the result, can be partially reduced
5240 ++
5241 ++ st4 {$ACC0,$ACC1,$ACC2,$ACC3}[0],[$ctx],#16
5242 ++ mov x4,#1
5243 ++ st1 {$ACC4}[0],[$ctx]
5244 ++ str x4,[$ctx,#8] // set is_base2_26
5245 ++
5246 ++ ldr x29,[sp],#80
5247 ++ ret
5248 ++.size poly1305_blocks_neon,.-poly1305_blocks_neon
5249 ++
5250 ++.align 5
5251 ++.Lzeros:
5252 ++.long 0,0,0,0,0,0,0,0
5253 ++.asciz "Poly1305 for ARMv8, CRYPTOGAMS by \@dot-asm"
5254 ++.align 2
5255 ++#if !defined(__KERNEL__) && !defined(_WIN64)
5256 ++.comm OPENSSL_armcap_P,4,4
5257 ++.hidden OPENSSL_armcap_P
5258 ++#endif
5259 ++___
5260 ++
5261 ++foreach (split("\n",$code)) {
5262 ++ s/\b(shrn\s+v[0-9]+)\.[24]d/$1.2s/ or
5263 ++ s/\b(fmov\s+)v([0-9]+)[^,]*,\s*x([0-9]+)/$1d$2,x$3/ or
5264 ++ (m/\bdup\b/ and (s/\.[24]s/.2d/g or 1)) or
5265 ++ (m/\b(eor|and)/ and (s/\.[248][sdh]/.16b/g or 1)) or
5266 ++ (m/\bum(ul|la)l\b/ and (s/\.4s/.2s/g or 1)) or
5267 ++ (m/\bum(ul|la)l2\b/ and (s/\.2s/.4s/g or 1)) or
5268 ++ (m/\bst[1-4]\s+{[^}]+}\[/ and (s/\.[24]d/.s/g or 1));
5269 ++
5270 ++ s/\.[124]([sd])\[/.$1\[/;
5271 ++ s/w#x([0-9]+)/w$1/g;
5272 ++
5273 ++ print $_,"\n";
5274 ++}
5275 ++close STDOUT;
5276 +--- /dev/null
5277 ++++ b/arch/arm64/crypto/poly1305-core.S_shipped
5278 +@@ -0,0 +1,835 @@
5279 ++#ifndef __KERNEL__
5280 ++# include "arm_arch.h"
5281 ++.extern OPENSSL_armcap_P
5282 ++#endif
5283 ++
5284 ++.text
5285 ++
5286 ++// forward "declarations" are required for Apple
5287 ++.globl poly1305_blocks
5288 ++.globl poly1305_emit
5289 ++
5290 ++.globl poly1305_init
5291 ++.type poly1305_init,%function
5292 ++.align 5
5293 ++poly1305_init:
5294 ++ cmp x1,xzr
5295 ++ stp xzr,xzr,[x0] // zero hash value
5296 ++ stp xzr,xzr,[x0,#16] // [along with is_base2_26]
5297 ++
5298 ++ csel x0,xzr,x0,eq
5299 ++ b.eq .Lno_key
5300 ++
5301 ++#ifndef __KERNEL__
5302 ++ adrp x17,OPENSSL_armcap_P
5303 ++ ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
5304 ++#endif
5305 ++
5306 ++ ldp x7,x8,[x1] // load key
5307 ++ mov x9,#0xfffffffc0fffffff
5308 ++ movk x9,#0x0fff,lsl#48
5309 ++#ifdef __AARCH64EB__
5310 ++ rev x7,x7 // flip bytes
5311 ++ rev x8,x8
5312 ++#endif
5313 ++ and x7,x7,x9 // &=0ffffffc0fffffff
5314 ++ and x9,x9,#-4
5315 ++ and x8,x8,x9 // &=0ffffffc0ffffffc
5316 ++ mov w9,#-1
5317 ++ stp x7,x8,[x0,#32] // save key value
5318 ++ str w9,[x0,#48] // impossible key power value
5319 ++
5320 ++#ifndef __KERNEL__
5321 ++ tst w17,#ARMV7_NEON
5322 ++
5323 ++ adr x12,.Lpoly1305_blocks
5324 ++ adr x7,.Lpoly1305_blocks_neon
5325 ++ adr x13,.Lpoly1305_emit
5326 ++
5327 ++ csel x12,x12,x7,eq
5328 ++
5329 ++# ifdef __ILP32__
5330 ++ stp w12,w13,[x2]
5331 ++# else
5332 ++ stp x12,x13,[x2]
5333 ++# endif
5334 ++#endif
5335 ++ mov x0,#1
5336 ++.Lno_key:
5337 ++ ret
5338 ++.size poly1305_init,.-poly1305_init
5339 ++
5340 ++.type poly1305_blocks,%function
5341 ++.align 5
5342 ++poly1305_blocks:
5343 ++.Lpoly1305_blocks:
5344 ++ ands x2,x2,#-16
5345 ++ b.eq .Lno_data
5346 ++
5347 ++ ldp x4,x5,[x0] // load hash value
5348 ++ ldp x6,x17,[x0,#16] // [along with is_base2_26]
5349 ++ ldp x7,x8,[x0,#32] // load key value
5350 ++
5351 ++#ifdef __AARCH64EB__
5352 ++ lsr x12,x4,#32
5353 ++ mov w13,w4
5354 ++ lsr x14,x5,#32
5355 ++ mov w15,w5
5356 ++ lsr x16,x6,#32
5357 ++#else
5358 ++ mov w12,w4
5359 ++ lsr x13,x4,#32
5360 ++ mov w14,w5
5361 ++ lsr x15,x5,#32
5362 ++ mov w16,w6
5363 ++#endif
5364 ++
5365 ++ add x12,x12,x13,lsl#26 // base 2^26 -> base 2^64
5366 ++ lsr x13,x14,#12
5367 ++ adds x12,x12,x14,lsl#52
5368 ++ add x13,x13,x15,lsl#14
5369 ++ adc x13,x13,xzr
5370 ++ lsr x14,x16,#24
5371 ++ adds x13,x13,x16,lsl#40
5372 ++ adc x14,x14,xzr
5373 ++
5374 ++ cmp x17,#0 // is_base2_26?
5375 ++ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5376 ++ csel x4,x4,x12,eq // choose between radixes
5377 ++ csel x5,x5,x13,eq
5378 ++ csel x6,x6,x14,eq
5379 ++
5380 ++.Loop:
5381 ++ ldp x10,x11,[x1],#16 // load input
5382 ++ sub x2,x2,#16
5383 ++#ifdef __AARCH64EB__
5384 ++ rev x10,x10
5385 ++ rev x11,x11
5386 ++#endif
5387 ++ adds x4,x4,x10 // accumulate input
5388 ++ adcs x5,x5,x11
5389 ++
5390 ++ mul x12,x4,x7 // h0*r0
5391 ++ adc x6,x6,x3
5392 ++ umulh x13,x4,x7
5393 ++
5394 ++ mul x10,x5,x9 // h1*5*r1
5395 ++ umulh x11,x5,x9
5396 ++
5397 ++ adds x12,x12,x10
5398 ++ mul x10,x4,x8 // h0*r1
5399 ++ adc x13,x13,x11
5400 ++ umulh x14,x4,x8
5401 ++
5402 ++ adds x13,x13,x10
5403 ++ mul x10,x5,x7 // h1*r0
5404 ++ adc x14,x14,xzr
5405 ++ umulh x11,x5,x7
5406 ++
5407 ++ adds x13,x13,x10
5408 ++ mul x10,x6,x9 // h2*5*r1
5409 ++ adc x14,x14,x11
5410 ++ mul x11,x6,x7 // h2*r0
5411 ++
5412 ++ adds x13,x13,x10
5413 ++ adc x14,x14,x11
5414 ++
5415 ++ and x10,x14,#-4 // final reduction
5416 ++ and x6,x14,#3
5417 ++ add x10,x10,x14,lsr#2
5418 ++ adds x4,x12,x10
5419 ++ adcs x5,x13,xzr
5420 ++ adc x6,x6,xzr
5421 ++
5422 ++ cbnz x2,.Loop
5423 ++
5424 ++ stp x4,x5,[x0] // store hash value
5425 ++ stp x6,xzr,[x0,#16] // [and clear is_base2_26]
5426 ++
5427 ++.Lno_data:
5428 ++ ret
5429 ++.size poly1305_blocks,.-poly1305_blocks
5430 ++
5431 ++.type poly1305_emit,%function
5432 ++.align 5
5433 ++poly1305_emit:
5434 ++.Lpoly1305_emit:
5435 ++ ldp x4,x5,[x0] // load hash base 2^64
5436 ++ ldp x6,x7,[x0,#16] // [along with is_base2_26]
5437 ++ ldp x10,x11,[x2] // load nonce
5438 ++
5439 ++#ifdef __AARCH64EB__
5440 ++ lsr x12,x4,#32
5441 ++ mov w13,w4
5442 ++ lsr x14,x5,#32
5443 ++ mov w15,w5
5444 ++ lsr x16,x6,#32
5445 ++#else
5446 ++ mov w12,w4
5447 ++ lsr x13,x4,#32
5448 ++ mov w14,w5
5449 ++ lsr x15,x5,#32
5450 ++ mov w16,w6
5451 ++#endif
5452 ++
5453 ++ add x12,x12,x13,lsl#26 // base 2^26 -> base 2^64
5454 ++ lsr x13,x14,#12
5455 ++ adds x12,x12,x14,lsl#52
5456 ++ add x13,x13,x15,lsl#14
5457 ++ adc x13,x13,xzr
5458 ++ lsr x14,x16,#24
5459 ++ adds x13,x13,x16,lsl#40
5460 ++ adc x14,x14,xzr
5461 ++
5462 ++ cmp x7,#0 // is_base2_26?
5463 ++ csel x4,x4,x12,eq // choose between radixes
5464 ++ csel x5,x5,x13,eq
5465 ++ csel x6,x6,x14,eq
5466 ++
5467 ++ adds x12,x4,#5 // compare to modulus
5468 ++ adcs x13,x5,xzr
5469 ++ adc x14,x6,xzr
5470 ++
5471 ++ tst x14,#-4 // see if it's carried/borrowed
5472 ++
5473 ++ csel x4,x4,x12,eq
5474 ++ csel x5,x5,x13,eq
5475 ++
5476 ++#ifdef __AARCH64EB__
5477 ++ ror x10,x10,#32 // flip nonce words
5478 ++ ror x11,x11,#32
5479 ++#endif
5480 ++ adds x4,x4,x10 // accumulate nonce
5481 ++ adc x5,x5,x11
5482 ++#ifdef __AARCH64EB__
5483 ++ rev x4,x4 // flip output bytes
5484 ++ rev x5,x5
5485 ++#endif
5486 ++ stp x4,x5,[x1] // write result
5487 ++
5488 ++ ret
5489 ++.size poly1305_emit,.-poly1305_emit
5490 ++.type poly1305_mult,%function
5491 ++.align 5
5492 ++poly1305_mult:
5493 ++ mul x12,x4,x7 // h0*r0
5494 ++ umulh x13,x4,x7
5495 ++
5496 ++ mul x10,x5,x9 // h1*5*r1
5497 ++ umulh x11,x5,x9
5498 ++
5499 ++ adds x12,x12,x10
5500 ++ mul x10,x4,x8 // h0*r1
5501 ++ adc x13,x13,x11
5502 ++ umulh x14,x4,x8
5503 ++
5504 ++ adds x13,x13,x10
5505 ++ mul x10,x5,x7 // h1*r0
5506 ++ adc x14,x14,xzr
5507 ++ umulh x11,x5,x7
5508 ++
5509 ++ adds x13,x13,x10
5510 ++ mul x10,x6,x9 // h2*5*r1
5511 ++ adc x14,x14,x11
5512 ++ mul x11,x6,x7 // h2*r0
5513 ++
5514 ++ adds x13,x13,x10
5515 ++ adc x14,x14,x11
5516 ++
5517 ++ and x10,x14,#-4 // final reduction
5518 ++ and x6,x14,#3
5519 ++ add x10,x10,x14,lsr#2
5520 ++ adds x4,x12,x10
5521 ++ adcs x5,x13,xzr
5522 ++ adc x6,x6,xzr
5523 ++
5524 ++ ret
5525 ++.size poly1305_mult,.-poly1305_mult
5526 ++
5527 ++.type poly1305_splat,%function
5528 ++.align 4
5529 ++poly1305_splat:
5530 ++ and x12,x4,#0x03ffffff // base 2^64 -> base 2^26
5531 ++ ubfx x13,x4,#26,#26
5532 ++ extr x14,x5,x4,#52
5533 ++ and x14,x14,#0x03ffffff
5534 ++ ubfx x15,x5,#14,#26
5535 ++ extr x16,x6,x5,#40
5536 ++
5537 ++ str w12,[x0,#16*0] // r0
5538 ++ add w12,w13,w13,lsl#2 // r1*5
5539 ++ str w13,[x0,#16*1] // r1
5540 ++ add w13,w14,w14,lsl#2 // r2*5
5541 ++ str w12,[x0,#16*2] // s1
5542 ++ str w14,[x0,#16*3] // r2
5543 ++ add w14,w15,w15,lsl#2 // r3*5
5544 ++ str w13,[x0,#16*4] // s2
5545 ++ str w15,[x0,#16*5] // r3
5546 ++ add w15,w16,w16,lsl#2 // r4*5
5547 ++ str w14,[x0,#16*6] // s3
5548 ++ str w16,[x0,#16*7] // r4
5549 ++ str w15,[x0,#16*8] // s4
5550 ++
5551 ++ ret
5552 ++.size poly1305_splat,.-poly1305_splat
5553 ++
5554 ++#ifdef __KERNEL__
5555 ++.globl poly1305_blocks_neon
5556 ++#endif
5557 ++.type poly1305_blocks_neon,%function
5558 ++.align 5
5559 ++poly1305_blocks_neon:
5560 ++.Lpoly1305_blocks_neon:
5561 ++ ldr x17,[x0,#24]
5562 ++ cmp x2,#128
5563 ++ b.lo .Lpoly1305_blocks
5564 ++
5565 ++ .inst 0xd503233f // paciasp
5566 ++ stp x29,x30,[sp,#-80]!
5567 ++ add x29,sp,#0
5568 ++
5569 ++ stp d8,d9,[sp,#16] // meet ABI requirements
5570 ++ stp d10,d11,[sp,#32]
5571 ++ stp d12,d13,[sp,#48]
5572 ++ stp d14,d15,[sp,#64]
5573 ++
5574 ++ cbz x17,.Lbase2_64_neon
5575 ++
5576 ++ ldp w10,w11,[x0] // load hash value base 2^26
5577 ++ ldp w12,w13,[x0,#8]
5578 ++ ldr w14,[x0,#16]
5579 ++
5580 ++ tst x2,#31
5581 ++ b.eq .Leven_neon
5582 ++
5583 ++ ldp x7,x8,[x0,#32] // load key value
5584 ++
5585 ++ add x4,x10,x11,lsl#26 // base 2^26 -> base 2^64
5586 ++ lsr x5,x12,#12
5587 ++ adds x4,x4,x12,lsl#52
5588 ++ add x5,x5,x13,lsl#14
5589 ++ adc x5,x5,xzr
5590 ++ lsr x6,x14,#24
5591 ++ adds x5,x5,x14,lsl#40
5592 ++ adc x14,x6,xzr // can be partially reduced...
5593 ++
5594 ++ ldp x12,x13,[x1],#16 // load input
5595 ++ sub x2,x2,#16
5596 ++ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5597 ++
5598 ++#ifdef __AARCH64EB__
5599 ++ rev x12,x12
5600 ++ rev x13,x13
5601 ++#endif
5602 ++ adds x4,x4,x12 // accumulate input
5603 ++ adcs x5,x5,x13
5604 ++ adc x6,x6,x3
5605 ++
5606 ++ bl poly1305_mult
5607 ++
5608 ++ and x10,x4,#0x03ffffff // base 2^64 -> base 2^26
5609 ++ ubfx x11,x4,#26,#26
5610 ++ extr x12,x5,x4,#52
5611 ++ and x12,x12,#0x03ffffff
5612 ++ ubfx x13,x5,#14,#26
5613 ++ extr x14,x6,x5,#40
5614 ++
5615 ++ b .Leven_neon
5616 ++
5617 ++.align 4
5618 ++.Lbase2_64_neon:
5619 ++ ldp x7,x8,[x0,#32] // load key value
5620 ++
5621 ++ ldp x4,x5,[x0] // load hash value base 2^64
5622 ++ ldr x6,[x0,#16]
5623 ++
5624 ++ tst x2,#31
5625 ++ b.eq .Linit_neon
5626 ++
5627 ++ ldp x12,x13,[x1],#16 // load input
5628 ++ sub x2,x2,#16
5629 ++ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5630 ++#ifdef __AARCH64EB__
5631 ++ rev x12,x12
5632 ++ rev x13,x13
5633 ++#endif
5634 ++ adds x4,x4,x12 // accumulate input
5635 ++ adcs x5,x5,x13
5636 ++ adc x6,x6,x3
5637 ++
5638 ++ bl poly1305_mult
5639 ++
5640 ++.Linit_neon:
5641 ++ ldr w17,[x0,#48] // first table element
5642 ++ and x10,x4,#0x03ffffff // base 2^64 -> base 2^26
5643 ++ ubfx x11,x4,#26,#26
5644 ++ extr x12,x5,x4,#52
5645 ++ and x12,x12,#0x03ffffff
5646 ++ ubfx x13,x5,#14,#26
5647 ++ extr x14,x6,x5,#40
5648 ++
5649 ++ cmp w17,#-1 // is value impossible?
5650 ++ b.ne .Leven_neon
5651 ++
5652 ++ fmov d24,x10
5653 ++ fmov d25,x11
5654 ++ fmov d26,x12
5655 ++ fmov d27,x13
5656 ++ fmov d28,x14
5657 ++
5658 ++ ////////////////////////////////// initialize r^n table
5659 ++ mov x4,x7 // r^1
5660 ++ add x9,x8,x8,lsr#2 // s1 = r1 + (r1 >> 2)
5661 ++ mov x5,x8
5662 ++ mov x6,xzr
5663 ++ add x0,x0,#48+12
5664 ++ bl poly1305_splat
5665 ++
5666 ++ bl poly1305_mult // r^2
5667 ++ sub x0,x0,#4
5668 ++ bl poly1305_splat
5669 ++
5670 ++ bl poly1305_mult // r^3
5671 ++ sub x0,x0,#4
5672 ++ bl poly1305_splat
5673 ++
5674 ++ bl poly1305_mult // r^4
5675 ++ sub x0,x0,#4
5676 ++ bl poly1305_splat
5677 ++ sub x0,x0,#48 // restore original x0
5678 ++ b .Ldo_neon
5679 ++
5680 ++.align 4
5681 ++.Leven_neon:
5682 ++ fmov d24,x10
5683 ++ fmov d25,x11
5684 ++ fmov d26,x12
5685 ++ fmov d27,x13
5686 ++ fmov d28,x14
5687 ++
5688 ++.Ldo_neon:
5689 ++ ldp x8,x12,[x1,#32] // inp[2:3]
5690 ++ subs x2,x2,#64
5691 ++ ldp x9,x13,[x1,#48]
5692 ++ add x16,x1,#96
5693 ++ adr x17,.Lzeros
5694 ++
5695 ++ lsl x3,x3,#24
5696 ++ add x15,x0,#48
5697 ++
5698 ++#ifdef __AARCH64EB__
5699 ++ rev x8,x8
5700 ++ rev x12,x12
5701 ++ rev x9,x9
5702 ++ rev x13,x13
5703 ++#endif
5704 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5705 ++ and x5,x9,#0x03ffffff
5706 ++ ubfx x6,x8,#26,#26
5707 ++ ubfx x7,x9,#26,#26
5708 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5709 ++ extr x8,x12,x8,#52
5710 ++ extr x9,x13,x9,#52
5711 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5712 ++ fmov d14,x4
5713 ++ and x8,x8,#0x03ffffff
5714 ++ and x9,x9,#0x03ffffff
5715 ++ ubfx x10,x12,#14,#26
5716 ++ ubfx x11,x13,#14,#26
5717 ++ add x12,x3,x12,lsr#40
5718 ++ add x13,x3,x13,lsr#40
5719 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5720 ++ fmov d15,x6
5721 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5722 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5723 ++ fmov d16,x8
5724 ++ fmov d17,x10
5725 ++ fmov d18,x12
5726 ++
5727 ++ ldp x8,x12,[x1],#16 // inp[0:1]
5728 ++ ldp x9,x13,[x1],#48
5729 ++
5730 ++ ld1 {v0.4s,v1.4s,v2.4s,v3.4s},[x15],#64
5731 ++ ld1 {v4.4s,v5.4s,v6.4s,v7.4s},[x15],#64
5732 ++ ld1 {v8.4s},[x15]
5733 ++
5734 ++#ifdef __AARCH64EB__
5735 ++ rev x8,x8
5736 ++ rev x12,x12
5737 ++ rev x9,x9
5738 ++ rev x13,x13
5739 ++#endif
5740 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5741 ++ and x5,x9,#0x03ffffff
5742 ++ ubfx x6,x8,#26,#26
5743 ++ ubfx x7,x9,#26,#26
5744 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5745 ++ extr x8,x12,x8,#52
5746 ++ extr x9,x13,x9,#52
5747 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5748 ++ fmov d9,x4
5749 ++ and x8,x8,#0x03ffffff
5750 ++ and x9,x9,#0x03ffffff
5751 ++ ubfx x10,x12,#14,#26
5752 ++ ubfx x11,x13,#14,#26
5753 ++ add x12,x3,x12,lsr#40
5754 ++ add x13,x3,x13,lsr#40
5755 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5756 ++ fmov d10,x6
5757 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5758 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5759 ++ movi v31.2d,#-1
5760 ++ fmov d11,x8
5761 ++ fmov d12,x10
5762 ++ fmov d13,x12
5763 ++ ushr v31.2d,v31.2d,#38
5764 ++
5765 ++ b.ls .Lskip_loop
5766 ++
5767 ++.align 4
5768 ++.Loop_neon:
5769 ++ ////////////////////////////////////////////////////////////////
5770 ++ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
5771 ++ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
5772 ++ // ___________________/
5773 ++ // ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
5774 ++ // ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
5775 ++ // ___________________/ ____________________/
5776 ++ //
5777 ++ // Note that we start with inp[2:3]*r^2. This is because it
5778 ++ // doesn't depend on reduction in previous iteration.
5779 ++ ////////////////////////////////////////////////////////////////
5780 ++ // d4 = h0*r4 + h1*r3 + h2*r2 + h3*r1 + h4*r0
5781 ++ // d3 = h0*r3 + h1*r2 + h2*r1 + h3*r0 + h4*5*r4
5782 ++ // d2 = h0*r2 + h1*r1 + h2*r0 + h3*5*r4 + h4*5*r3
5783 ++ // d1 = h0*r1 + h1*r0 + h2*5*r4 + h3*5*r3 + h4*5*r2
5784 ++ // d0 = h0*r0 + h1*5*r4 + h2*5*r3 + h3*5*r2 + h4*5*r1
5785 ++
5786 ++ subs x2,x2,#64
5787 ++ umull v23.2d,v14.2s,v7.s[2]
5788 ++ csel x16,x17,x16,lo
5789 ++ umull v22.2d,v14.2s,v5.s[2]
5790 ++ umull v21.2d,v14.2s,v3.s[2]
5791 ++ ldp x8,x12,[x16],#16 // inp[2:3] (or zero)
5792 ++ umull v20.2d,v14.2s,v1.s[2]
5793 ++ ldp x9,x13,[x16],#48
5794 ++ umull v19.2d,v14.2s,v0.s[2]
5795 ++#ifdef __AARCH64EB__
5796 ++ rev x8,x8
5797 ++ rev x12,x12
5798 ++ rev x9,x9
5799 ++ rev x13,x13
5800 ++#endif
5801 ++
5802 ++ umlal v23.2d,v15.2s,v5.s[2]
5803 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5804 ++ umlal v22.2d,v15.2s,v3.s[2]
5805 ++ and x5,x9,#0x03ffffff
5806 ++ umlal v21.2d,v15.2s,v1.s[2]
5807 ++ ubfx x6,x8,#26,#26
5808 ++ umlal v20.2d,v15.2s,v0.s[2]
5809 ++ ubfx x7,x9,#26,#26
5810 ++ umlal v19.2d,v15.2s,v8.s[2]
5811 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5812 ++
5813 ++ umlal v23.2d,v16.2s,v3.s[2]
5814 ++ extr x8,x12,x8,#52
5815 ++ umlal v22.2d,v16.2s,v1.s[2]
5816 ++ extr x9,x13,x9,#52
5817 ++ umlal v21.2d,v16.2s,v0.s[2]
5818 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5819 ++ umlal v20.2d,v16.2s,v8.s[2]
5820 ++ fmov d14,x4
5821 ++ umlal v19.2d,v16.2s,v6.s[2]
5822 ++ and x8,x8,#0x03ffffff
5823 ++
5824 ++ umlal v23.2d,v17.2s,v1.s[2]
5825 ++ and x9,x9,#0x03ffffff
5826 ++ umlal v22.2d,v17.2s,v0.s[2]
5827 ++ ubfx x10,x12,#14,#26
5828 ++ umlal v21.2d,v17.2s,v8.s[2]
5829 ++ ubfx x11,x13,#14,#26
5830 ++ umlal v20.2d,v17.2s,v6.s[2]
5831 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5832 ++ umlal v19.2d,v17.2s,v4.s[2]
5833 ++ fmov d15,x6
5834 ++
5835 ++ add v11.2s,v11.2s,v26.2s
5836 ++ add x12,x3,x12,lsr#40
5837 ++ umlal v23.2d,v18.2s,v0.s[2]
5838 ++ add x13,x3,x13,lsr#40
5839 ++ umlal v22.2d,v18.2s,v8.s[2]
5840 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5841 ++ umlal v21.2d,v18.2s,v6.s[2]
5842 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5843 ++ umlal v20.2d,v18.2s,v4.s[2]
5844 ++ fmov d16,x8
5845 ++ umlal v19.2d,v18.2s,v2.s[2]
5846 ++ fmov d17,x10
5847 ++
5848 ++ ////////////////////////////////////////////////////////////////
5849 ++ // (hash+inp[0:1])*r^4 and accumulate
5850 ++
5851 ++ add v9.2s,v9.2s,v24.2s
5852 ++ fmov d18,x12
5853 ++ umlal v22.2d,v11.2s,v1.s[0]
5854 ++ ldp x8,x12,[x1],#16 // inp[0:1]
5855 ++ umlal v19.2d,v11.2s,v6.s[0]
5856 ++ ldp x9,x13,[x1],#48
5857 ++ umlal v23.2d,v11.2s,v3.s[0]
5858 ++ umlal v20.2d,v11.2s,v8.s[0]
5859 ++ umlal v21.2d,v11.2s,v0.s[0]
5860 ++#ifdef __AARCH64EB__
5861 ++ rev x8,x8
5862 ++ rev x12,x12
5863 ++ rev x9,x9
5864 ++ rev x13,x13
5865 ++#endif
5866 ++
5867 ++ add v10.2s,v10.2s,v25.2s
5868 ++ umlal v22.2d,v9.2s,v5.s[0]
5869 ++ umlal v23.2d,v9.2s,v7.s[0]
5870 ++ and x4,x8,#0x03ffffff // base 2^64 -> base 2^26
5871 ++ umlal v21.2d,v9.2s,v3.s[0]
5872 ++ and x5,x9,#0x03ffffff
5873 ++ umlal v19.2d,v9.2s,v0.s[0]
5874 ++ ubfx x6,x8,#26,#26
5875 ++ umlal v20.2d,v9.2s,v1.s[0]
5876 ++ ubfx x7,x9,#26,#26
5877 ++
5878 ++ add v12.2s,v12.2s,v27.2s
5879 ++ add x4,x4,x5,lsl#32 // bfi x4,x5,#32,#32
5880 ++ umlal v22.2d,v10.2s,v3.s[0]
5881 ++ extr x8,x12,x8,#52
5882 ++ umlal v23.2d,v10.2s,v5.s[0]
5883 ++ extr x9,x13,x9,#52
5884 ++ umlal v19.2d,v10.2s,v8.s[0]
5885 ++ add x6,x6,x7,lsl#32 // bfi x6,x7,#32,#32
5886 ++ umlal v21.2d,v10.2s,v1.s[0]
5887 ++ fmov d9,x4
5888 ++ umlal v20.2d,v10.2s,v0.s[0]
5889 ++ and x8,x8,#0x03ffffff
5890 ++
5891 ++ add v13.2s,v13.2s,v28.2s
5892 ++ and x9,x9,#0x03ffffff
5893 ++ umlal v22.2d,v12.2s,v0.s[0]
5894 ++ ubfx x10,x12,#14,#26
5895 ++ umlal v19.2d,v12.2s,v4.s[0]
5896 ++ ubfx x11,x13,#14,#26
5897 ++ umlal v23.2d,v12.2s,v1.s[0]
5898 ++ add x8,x8,x9,lsl#32 // bfi x8,x9,#32,#32
5899 ++ umlal v20.2d,v12.2s,v6.s[0]
5900 ++ fmov d10,x6
5901 ++ umlal v21.2d,v12.2s,v8.s[0]
5902 ++ add x12,x3,x12,lsr#40
5903 ++
5904 ++ umlal v22.2d,v13.2s,v8.s[0]
5905 ++ add x13,x3,x13,lsr#40
5906 ++ umlal v19.2d,v13.2s,v2.s[0]
5907 ++ add x10,x10,x11,lsl#32 // bfi x10,x11,#32,#32
5908 ++ umlal v23.2d,v13.2s,v0.s[0]
5909 ++ add x12,x12,x13,lsl#32 // bfi x12,x13,#32,#32
5910 ++ umlal v20.2d,v13.2s,v4.s[0]
5911 ++ fmov d11,x8
5912 ++ umlal v21.2d,v13.2s,v6.s[0]
5913 ++ fmov d12,x10
5914 ++ fmov d13,x12
5915 ++
5916 ++ /////////////////////////////////////////////////////////////////
5917 ++ // lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
5918 ++ // and P. Schwabe
5919 ++ //
5920 ++ // [see discussion in poly1305-armv4 module]
5921 ++
5922 ++ ushr v29.2d,v22.2d,#26
5923 ++ xtn v27.2s,v22.2d
5924 ++ ushr v30.2d,v19.2d,#26
5925 ++ and v19.16b,v19.16b,v31.16b
5926 ++ add v23.2d,v23.2d,v29.2d // h3 -> h4
5927 ++ bic v27.2s,#0xfc,lsl#24 // &=0x03ffffff
5928 ++ add v20.2d,v20.2d,v30.2d // h0 -> h1
5929 ++
5930 ++ ushr v29.2d,v23.2d,#26
5931 ++ xtn v28.2s,v23.2d
5932 ++ ushr v30.2d,v20.2d,#26
5933 ++ xtn v25.2s,v20.2d
5934 ++ bic v28.2s,#0xfc,lsl#24
5935 ++ add v21.2d,v21.2d,v30.2d // h1 -> h2
5936 ++
5937 ++ add v19.2d,v19.2d,v29.2d
5938 ++ shl v29.2d,v29.2d,#2
5939 ++ shrn v30.2s,v21.2d,#26
5940 ++ xtn v26.2s,v21.2d
5941 ++ add v19.2d,v19.2d,v29.2d // h4 -> h0
5942 ++ bic v25.2s,#0xfc,lsl#24
5943 ++ add v27.2s,v27.2s,v30.2s // h2 -> h3
5944 ++ bic v26.2s,#0xfc,lsl#24
5945 ++
5946 ++ shrn v29.2s,v19.2d,#26
5947 ++ xtn v24.2s,v19.2d
5948 ++ ushr v30.2s,v27.2s,#26
5949 ++ bic v27.2s,#0xfc,lsl#24
5950 ++ bic v24.2s,#0xfc,lsl#24
5951 ++ add v25.2s,v25.2s,v29.2s // h0 -> h1
5952 ++ add v28.2s,v28.2s,v30.2s // h3 -> h4
5953 ++
5954 ++ b.hi .Loop_neon
5955 ++
5956 ++.Lskip_loop:
5957 ++ dup v16.2d,v16.d[0]
5958 ++ add v11.2s,v11.2s,v26.2s
5959 ++
5960 ++ ////////////////////////////////////////////////////////////////
5961 ++ // multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
5962 ++
5963 ++ adds x2,x2,#32
5964 ++ b.ne .Long_tail
5965 ++
5966 ++ dup v16.2d,v11.d[0]
5967 ++ add v14.2s,v9.2s,v24.2s
5968 ++ add v17.2s,v12.2s,v27.2s
5969 ++ add v15.2s,v10.2s,v25.2s
5970 ++ add v18.2s,v13.2s,v28.2s
5971 ++
5972 ++.Long_tail:
5973 ++ dup v14.2d,v14.d[0]
5974 ++ umull2 v19.2d,v16.4s,v6.4s
5975 ++ umull2 v22.2d,v16.4s,v1.4s
5976 ++ umull2 v23.2d,v16.4s,v3.4s
5977 ++ umull2 v21.2d,v16.4s,v0.4s
5978 ++ umull2 v20.2d,v16.4s,v8.4s
5979 ++
5980 ++ dup v15.2d,v15.d[0]
5981 ++ umlal2 v19.2d,v14.4s,v0.4s
5982 ++ umlal2 v21.2d,v14.4s,v3.4s
5983 ++ umlal2 v22.2d,v14.4s,v5.4s
5984 ++ umlal2 v23.2d,v14.4s,v7.4s
5985 ++ umlal2 v20.2d,v14.4s,v1.4s
5986 ++
5987 ++ dup v17.2d,v17.d[0]
5988 ++ umlal2 v19.2d,v15.4s,v8.4s
5989 ++ umlal2 v22.2d,v15.4s,v3.4s
5990 ++ umlal2 v21.2d,v15.4s,v1.4s
5991 ++ umlal2 v23.2d,v15.4s,v5.4s
5992 ++ umlal2 v20.2d,v15.4s,v0.4s
5993 ++
5994 ++ dup v18.2d,v18.d[0]
5995 ++ umlal2 v22.2d,v17.4s,v0.4s
5996 ++ umlal2 v23.2d,v17.4s,v1.4s
5997 ++ umlal2 v19.2d,v17.4s,v4.4s
5998 ++ umlal2 v20.2d,v17.4s,v6.4s
5999 ++ umlal2 v21.2d,v17.4s,v8.4s
6000 ++
6001 ++ umlal2 v22.2d,v18.4s,v8.4s
6002 ++ umlal2 v19.2d,v18.4s,v2.4s
6003 ++ umlal2 v23.2d,v18.4s,v0.4s
6004 ++ umlal2 v20.2d,v18.4s,v4.4s
6005 ++ umlal2 v21.2d,v18.4s,v6.4s
6006 ++
6007 ++ b.eq .Lshort_tail
6008 ++
6009 ++ ////////////////////////////////////////////////////////////////
6010 ++ // (hash+inp[0:1])*r^4:r^3 and accumulate
6011 ++
6012 ++ add v9.2s,v9.2s,v24.2s
6013 ++ umlal v22.2d,v11.2s,v1.2s
6014 ++ umlal v19.2d,v11.2s,v6.2s
6015 ++ umlal v23.2d,v11.2s,v3.2s
6016 ++ umlal v20.2d,v11.2s,v8.2s
6017 ++ umlal v21.2d,v11.2s,v0.2s
6018 ++
6019 ++ add v10.2s,v10.2s,v25.2s
6020 ++ umlal v22.2d,v9.2s,v5.2s
6021 ++ umlal v19.2d,v9.2s,v0.2s
6022 ++ umlal v23.2d,v9.2s,v7.2s
6023 ++ umlal v20.2d,v9.2s,v1.2s
6024 ++ umlal v21.2d,v9.2s,v3.2s
6025 ++
6026 ++ add v12.2s,v12.2s,v27.2s
6027 ++ umlal v22.2d,v10.2s,v3.2s
6028 ++ umlal v19.2d,v10.2s,v8.2s
6029 ++ umlal v23.2d,v10.2s,v5.2s
6030 ++ umlal v20.2d,v10.2s,v0.2s
6031 ++ umlal v21.2d,v10.2s,v1.2s
6032 ++
6033 ++ add v13.2s,v13.2s,v28.2s
6034 ++ umlal v22.2d,v12.2s,v0.2s
6035 ++ umlal v19.2d,v12.2s,v4.2s
6036 ++ umlal v23.2d,v12.2s,v1.2s
6037 ++ umlal v20.2d,v12.2s,v6.2s
6038 ++ umlal v21.2d,v12.2s,v8.2s
6039 ++
6040 ++ umlal v22.2d,v13.2s,v8.2s
6041 ++ umlal v19.2d,v13.2s,v2.2s
6042 ++ umlal v23.2d,v13.2s,v0.2s
6043 ++ umlal v20.2d,v13.2s,v4.2s
6044 ++ umlal v21.2d,v13.2s,v6.2s
6045 ++
6046 ++.Lshort_tail:
6047 ++ ////////////////////////////////////////////////////////////////
6048 ++ // horizontal add
6049 ++
6050 ++ addp v22.2d,v22.2d,v22.2d
6051 ++ ldp d8,d9,[sp,#16] // meet ABI requirements
6052 ++ addp v19.2d,v19.2d,v19.2d
6053 ++ ldp d10,d11,[sp,#32]
6054 ++ addp v23.2d,v23.2d,v23.2d
6055 ++ ldp d12,d13,[sp,#48]
6056 ++ addp v20.2d,v20.2d,v20.2d
6057 ++ ldp d14,d15,[sp,#64]
6058 ++ addp v21.2d,v21.2d,v21.2d
6059 ++ ldr x30,[sp,#8]
6060 ++ .inst 0xd50323bf // autiasp
6061 ++
6062 ++ ////////////////////////////////////////////////////////////////
6063 ++ // lazy reduction, but without narrowing
6064 ++
6065 ++ ushr v29.2d,v22.2d,#26
6066 ++ and v22.16b,v22.16b,v31.16b
6067 ++ ushr v30.2d,v19.2d,#26
6068 ++ and v19.16b,v19.16b,v31.16b
6069 ++
6070 ++ add v23.2d,v23.2d,v29.2d // h3 -> h4
6071 ++ add v20.2d,v20.2d,v30.2d // h0 -> h1
6072 ++
6073 ++ ushr v29.2d,v23.2d,#26
6074 ++ and v23.16b,v23.16b,v31.16b
6075 ++ ushr v30.2d,v20.2d,#26
6076 ++ and v20.16b,v20.16b,v31.16b
6077 ++ add v21.2d,v21.2d,v30.2d // h1 -> h2
6078 ++
6079 ++ add v19.2d,v19.2d,v29.2d
6080 ++ shl v29.2d,v29.2d,#2
6081 ++ ushr v30.2d,v21.2d,#26
6082 ++ and v21.16b,v21.16b,v31.16b
6083 ++ add v19.2d,v19.2d,v29.2d // h4 -> h0
6084 ++ add v22.2d,v22.2d,v30.2d // h2 -> h3
6085 ++
6086 ++ ushr v29.2d,v19.2d,#26
6087 ++ and v19.16b,v19.16b,v31.16b
6088 ++ ushr v30.2d,v22.2d,#26
6089 ++ and v22.16b,v22.16b,v31.16b
6090 ++ add v20.2d,v20.2d,v29.2d // h0 -> h1
6091 ++ add v23.2d,v23.2d,v30.2d // h3 -> h4
6092 ++
6093 ++ ////////////////////////////////////////////////////////////////
6094 ++ // write the result, can be partially reduced
6095 ++
6096 ++ st4 {v19.s,v20.s,v21.s,v22.s}[0],[x0],#16
6097 ++ mov x4,#1
6098 ++ st1 {v23.s}[0],[x0]
6099 ++ str x4,[x0,#8] // set is_base2_26
6100 ++
6101 ++ ldr x29,[sp],#80
6102 ++ ret
6103 ++.size poly1305_blocks_neon,.-poly1305_blocks_neon
6104 ++
6105 ++.align 5
6106 ++.Lzeros:
6107 ++.long 0,0,0,0,0,0,0,0
6108 ++.asciz "Poly1305 for ARMv8, CRYPTOGAMS by @dot-asm"
6109 ++.align 2
6110 ++#if !defined(__KERNEL__) && !defined(_WIN64)
6111 ++.comm OPENSSL_armcap_P,4,4
6112 ++.hidden OPENSSL_armcap_P
6113 ++#endif
6114 +--- b/arch/arm64/crypto/poly1305-glue.c
6115 ++++ b/arch/arm64/crypto/poly1305-glue.c
6116 +@@ -0,0 +1,231 @@
6117 ++// SPDX-License-Identifier: GPL-2.0
6118 ++/*
6119 ++ * OpenSSL/Cryptogams accelerated Poly1305 transform for arm64
6120 ++ *
6121 ++ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@××××××.org>
6122 ++ */
6123 ++
6124 ++#include <asm/hwcap.h>
6125 ++#include <asm/neon.h>
6126 ++#include <asm/simd.h>
6127 ++#include <asm/unaligned.h>
6128 ++#include <crypto/algapi.h>
6129 ++#include <crypto/internal/hash.h>
6130 ++#include <crypto/internal/poly1305.h>
6131 ++#include <crypto/internal/simd.h>
6132 ++#include <linux/cpufeature.h>
6133 ++#include <linux/crypto.h>
6134 ++#include <linux/jump_label.h>
6135 ++#include <linux/module.h>
6136 ++
6137 ++asmlinkage void poly1305_init_arm64(void *state, const u8 *key);
6138 ++asmlinkage void poly1305_blocks(void *state, const u8 *src, u32 len, u32 hibit);
6139 ++asmlinkage void poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit);
6140 ++asmlinkage void poly1305_emit(void *state, u8 *digest, const u32 *nonce);
6141 ++
6142 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
6143 ++
6144 ++void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
6145 ++{
6146 ++ poly1305_init_arm64(&dctx->h, key);
6147 ++ dctx->s[0] = get_unaligned_le32(key + 16);
6148 ++ dctx->s[1] = get_unaligned_le32(key + 20);
6149 ++ dctx->s[2] = get_unaligned_le32(key + 24);
6150 ++ dctx->s[3] = get_unaligned_le32(key + 28);
6151 ++ dctx->buflen = 0;
6152 ++}
6153 ++EXPORT_SYMBOL(poly1305_init_arch);
6154 ++
6155 ++static int neon_poly1305_init(struct shash_desc *desc)
6156 ++{
6157 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
6158 ++
6159 ++ dctx->buflen = 0;
6160 ++ dctx->rset = 0;
6161 ++ dctx->sset = false;
6162 ++
6163 ++ return 0;
6164 ++}
6165 ++
6166 ++static void neon_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
6167 ++ u32 len, u32 hibit, bool do_neon)
6168 ++{
6169 ++ if (unlikely(!dctx->sset)) {
6170 ++ if (!dctx->rset) {
6171 ++ poly1305_init_arch(dctx, src);
6172 ++ src += POLY1305_BLOCK_SIZE;
6173 ++ len -= POLY1305_BLOCK_SIZE;
6174 ++ dctx->rset = 1;
6175 ++ }
6176 ++ if (len >= POLY1305_BLOCK_SIZE) {
6177 ++ dctx->s[0] = get_unaligned_le32(src + 0);
6178 ++ dctx->s[1] = get_unaligned_le32(src + 4);
6179 ++ dctx->s[2] = get_unaligned_le32(src + 8);
6180 ++ dctx->s[3] = get_unaligned_le32(src + 12);
6181 ++ src += POLY1305_BLOCK_SIZE;
6182 ++ len -= POLY1305_BLOCK_SIZE;
6183 ++ dctx->sset = true;
6184 ++ }
6185 ++ if (len < POLY1305_BLOCK_SIZE)
6186 ++ return;
6187 ++ }
6188 ++
6189 ++ len &= ~(POLY1305_BLOCK_SIZE - 1);
6190 ++
6191 ++ if (static_branch_likely(&have_neon) && likely(do_neon))
6192 ++ poly1305_blocks_neon(&dctx->h, src, len, hibit);
6193 ++ else
6194 ++ poly1305_blocks(&dctx->h, src, len, hibit);
6195 ++}
6196 ++
6197 ++static void neon_poly1305_do_update(struct poly1305_desc_ctx *dctx,
6198 ++ const u8 *src, u32 len, bool do_neon)
6199 ++{
6200 ++ if (unlikely(dctx->buflen)) {
6201 ++ u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
6202 ++
6203 ++ memcpy(dctx->buf + dctx->buflen, src, bytes);
6204 ++ src += bytes;
6205 ++ len -= bytes;
6206 ++ dctx->buflen += bytes;
6207 ++
6208 ++ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
6209 ++ neon_poly1305_blocks(dctx, dctx->buf,
6210 ++ POLY1305_BLOCK_SIZE, 1, false);
6211 ++ dctx->buflen = 0;
6212 ++ }
6213 ++ }
6214 ++
6215 ++ if (likely(len >= POLY1305_BLOCK_SIZE)) {
6216 ++ neon_poly1305_blocks(dctx, src, len, 1, do_neon);
6217 ++ src += round_down(len, POLY1305_BLOCK_SIZE);
6218 ++ len %= POLY1305_BLOCK_SIZE;
6219 ++ }
6220 ++
6221 ++ if (unlikely(len)) {
6222 ++ dctx->buflen = len;
6223 ++ memcpy(dctx->buf, src, len);
6224 ++ }
6225 ++}
6226 ++
6227 ++static int neon_poly1305_update(struct shash_desc *desc,
6228 ++ const u8 *src, unsigned int srclen)
6229 ++{
6230 ++ bool do_neon = crypto_simd_usable() && srclen > 128;
6231 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
6232 ++
6233 ++ if (static_branch_likely(&have_neon) && do_neon)
6234 ++ kernel_neon_begin();
6235 ++ neon_poly1305_do_update(dctx, src, srclen, do_neon);
6236 ++ if (static_branch_likely(&have_neon) && do_neon)
6237 ++ kernel_neon_end();
6238 ++ return 0;
6239 ++}
6240 ++
6241 ++void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
6242 ++ unsigned int nbytes)
6243 ++{
6244 ++ if (unlikely(dctx->buflen)) {
6245 ++ u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
6246 ++
6247 ++ memcpy(dctx->buf + dctx->buflen, src, bytes);
6248 ++ src += bytes;
6249 ++ nbytes -= bytes;
6250 ++ dctx->buflen += bytes;
6251 ++
6252 ++ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
6253 ++ poly1305_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
6254 ++ dctx->buflen = 0;
6255 ++ }
6256 ++ }
6257 ++
6258 ++ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
6259 ++ unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
6260 ++
6261 ++ if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
6262 ++ do {
6263 ++ unsigned int todo = min_t(unsigned int, len, SZ_4K);
6264 ++
6265 ++ kernel_neon_begin();
6266 ++ poly1305_blocks_neon(&dctx->h, src, todo, 1);
6267 ++ kernel_neon_end();
6268 ++
6269 ++ len -= todo;
6270 ++ src += todo;
6271 ++ } while (len);
6272 ++ } else {
6273 ++ poly1305_blocks(&dctx->h, src, len, 1);
6274 ++ src += len;
6275 ++ }
6276 ++ nbytes %= POLY1305_BLOCK_SIZE;
6277 ++ }
6278 ++
6279 ++ if (unlikely(nbytes)) {
6280 ++ dctx->buflen = nbytes;
6281 ++ memcpy(dctx->buf, src, nbytes);
6282 ++ }
6283 ++}
6284 ++EXPORT_SYMBOL(poly1305_update_arch);
6285 ++
6286 ++void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
6287 ++{
6288 ++ if (unlikely(dctx->buflen)) {
6289 ++ dctx->buf[dctx->buflen++] = 1;
6290 ++ memset(dctx->buf + dctx->buflen, 0,
6291 ++ POLY1305_BLOCK_SIZE - dctx->buflen);
6292 ++ poly1305_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
6293 ++ }
6294 ++
6295 ++ poly1305_emit(&dctx->h, dst, dctx->s);
6296 ++ *dctx = (struct poly1305_desc_ctx){};
6297 ++}
6298 ++EXPORT_SYMBOL(poly1305_final_arch);
6299 ++
6300 ++static int neon_poly1305_final(struct shash_desc *desc, u8 *dst)
6301 ++{
6302 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
6303 ++
6304 ++ if (unlikely(!dctx->sset))
6305 ++ return -ENOKEY;
6306 ++
6307 ++ poly1305_final_arch(dctx, dst);
6308 ++ return 0;
6309 ++}
6310 ++
6311 ++static struct shash_alg neon_poly1305_alg = {
6312 ++ .init = neon_poly1305_init,
6313 ++ .update = neon_poly1305_update,
6314 ++ .final = neon_poly1305_final,
6315 ++ .digestsize = POLY1305_DIGEST_SIZE,
6316 ++ .descsize = sizeof(struct poly1305_desc_ctx),
6317 ++
6318 ++ .base.cra_name = "poly1305",
6319 ++ .base.cra_driver_name = "poly1305-neon",
6320 ++ .base.cra_priority = 200,
6321 ++ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
6322 ++ .base.cra_module = THIS_MODULE,
6323 ++};
6324 ++
6325 ++static int __init neon_poly1305_mod_init(void)
6326 ++{
6327 ++ if (!cpu_have_named_feature(ASIMD))
6328 ++ return 0;
6329 ++
6330 ++ static_branch_enable(&have_neon);
6331 ++
6332 ++ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
6333 ++ crypto_register_shash(&neon_poly1305_alg) : 0;
6334 ++}
6335 ++
6336 ++static void __exit neon_poly1305_mod_exit(void)
6337 ++{
6338 ++ if (IS_REACHABLE(CONFIG_CRYPTO_HASH) && cpu_have_named_feature(ASIMD))
6339 ++ crypto_unregister_shash(&neon_poly1305_alg);
6340 ++}
6341 ++
6342 ++module_init(neon_poly1305_mod_init);
6343 ++module_exit(neon_poly1305_mod_exit);
6344 ++
6345 ++MODULE_LICENSE("GPL v2");
6346 ++MODULE_ALIAS_CRYPTO("poly1305");
6347 ++MODULE_ALIAS_CRYPTO("poly1305-neon");
6348 +--- /dev/null
6349 ++++ b/arch/arm/crypto/poly1305-armv4.pl
6350 +@@ -0,0 +1,1236 @@
6351 ++#!/usr/bin/env perl
6352 ++# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
6353 ++#
6354 ++# ====================================================================
6355 ++# Written by Andy Polyakov, @dot-asm, initially for the OpenSSL
6356 ++# project.
6357 ++# ====================================================================
6358 ++#
6359 ++# IALU(*)/gcc-4.4 NEON
6360 ++#
6361 ++# ARM11xx(ARMv6) 7.78/+100% -
6362 ++# Cortex-A5 6.35/+130% 3.00
6363 ++# Cortex-A8 6.25/+115% 2.36
6364 ++# Cortex-A9 5.10/+95% 2.55
6365 ++# Cortex-A15 3.85/+85% 1.25(**)
6366 ++# Snapdragon S4 5.70/+100% 1.48(**)
6367 ++#
6368 ++# (*) this is for -march=armv6, i.e. with bunch of ldrb loading data;
6369 ++# (**) these are trade-off results, they can be improved by ~8% but at
6370 ++# the cost of 15/12% regression on Cortex-A5/A7, it's even possible
6371 ++# to improve Cortex-A9 result, but then A5/A7 loose more than 20%;
6372 ++
6373 ++$flavour = shift;
6374 ++if ($flavour=~/\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
6375 ++else { while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} }
6376 ++
6377 ++if ($flavour && $flavour ne "void") {
6378 ++ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
6379 ++ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
6380 ++ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
6381 ++ die "can't locate arm-xlate.pl";
6382 ++
6383 ++ open STDOUT,"| \"$^X\" $xlate $flavour $output";
6384 ++} else {
6385 ++ open STDOUT,">$output";
6386 ++}
6387 ++
6388 ++($ctx,$inp,$len,$padbit)=map("r$_",(0..3));
6389 ++
6390 ++$code.=<<___;
6391 ++#ifndef __KERNEL__
6392 ++# include "arm_arch.h"
6393 ++#else
6394 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__
6395 ++# define __ARM_MAX_ARCH__ __LINUX_ARM_ARCH__
6396 ++# define poly1305_init poly1305_init_arm
6397 ++# define poly1305_blocks poly1305_blocks_arm
6398 ++# define poly1305_emit poly1305_emit_arm
6399 ++.globl poly1305_blocks_neon
6400 ++#endif
6401 ++
6402 ++#if defined(__thumb2__)
6403 ++.syntax unified
6404 ++.thumb
6405 ++#else
6406 ++.code 32
6407 ++#endif
6408 ++
6409 ++.text
6410 ++
6411 ++.globl poly1305_emit
6412 ++.globl poly1305_blocks
6413 ++.globl poly1305_init
6414 ++.type poly1305_init,%function
6415 ++.align 5
6416 ++poly1305_init:
6417 ++.Lpoly1305_init:
6418 ++ stmdb sp!,{r4-r11}
6419 ++
6420 ++ eor r3,r3,r3
6421 ++ cmp $inp,#0
6422 ++ str r3,[$ctx,#0] @ zero hash value
6423 ++ str r3,[$ctx,#4]
6424 ++ str r3,[$ctx,#8]
6425 ++ str r3,[$ctx,#12]
6426 ++ str r3,[$ctx,#16]
6427 ++ str r3,[$ctx,#36] @ clear is_base2_26
6428 ++ add $ctx,$ctx,#20
6429 ++
6430 ++#ifdef __thumb2__
6431 ++ it eq
6432 ++#endif
6433 ++ moveq r0,#0
6434 ++ beq .Lno_key
6435 ++
6436 ++#if __ARM_MAX_ARCH__>=7
6437 ++ mov r3,#-1
6438 ++ str r3,[$ctx,#28] @ impossible key power value
6439 ++# ifndef __KERNEL__
6440 ++ adr r11,.Lpoly1305_init
6441 ++ ldr r12,.LOPENSSL_armcap
6442 ++# endif
6443 ++#endif
6444 ++ ldrb r4,[$inp,#0]
6445 ++ mov r10,#0x0fffffff
6446 ++ ldrb r5,[$inp,#1]
6447 ++ and r3,r10,#-4 @ 0x0ffffffc
6448 ++ ldrb r6,[$inp,#2]
6449 ++ ldrb r7,[$inp,#3]
6450 ++ orr r4,r4,r5,lsl#8
6451 ++ ldrb r5,[$inp,#4]
6452 ++ orr r4,r4,r6,lsl#16
6453 ++ ldrb r6,[$inp,#5]
6454 ++ orr r4,r4,r7,lsl#24
6455 ++ ldrb r7,[$inp,#6]
6456 ++ and r4,r4,r10
6457 ++
6458 ++#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
6459 ++# if !defined(_WIN32)
6460 ++ ldr r12,[r11,r12] @ OPENSSL_armcap_P
6461 ++# endif
6462 ++# if defined(__APPLE__) || defined(_WIN32)
6463 ++ ldr r12,[r12]
6464 ++# endif
6465 ++#endif
6466 ++ ldrb r8,[$inp,#7]
6467 ++ orr r5,r5,r6,lsl#8
6468 ++ ldrb r6,[$inp,#8]
6469 ++ orr r5,r5,r7,lsl#16
6470 ++ ldrb r7,[$inp,#9]
6471 ++ orr r5,r5,r8,lsl#24
6472 ++ ldrb r8,[$inp,#10]
6473 ++ and r5,r5,r3
6474 ++
6475 ++#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
6476 ++ tst r12,#ARMV7_NEON @ check for NEON
6477 ++# ifdef __thumb2__
6478 ++ adr r9,.Lpoly1305_blocks_neon
6479 ++ adr r11,.Lpoly1305_blocks
6480 ++ it ne
6481 ++ movne r11,r9
6482 ++ adr r12,.Lpoly1305_emit
6483 ++ orr r11,r11,#1 @ thumb-ify addresses
6484 ++ orr r12,r12,#1
6485 ++# else
6486 ++ add r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init)
6487 ++ ite eq
6488 ++ addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init)
6489 ++ addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init)
6490 ++# endif
6491 ++#endif
6492 ++ ldrb r9,[$inp,#11]
6493 ++ orr r6,r6,r7,lsl#8
6494 ++ ldrb r7,[$inp,#12]
6495 ++ orr r6,r6,r8,lsl#16
6496 ++ ldrb r8,[$inp,#13]
6497 ++ orr r6,r6,r9,lsl#24
6498 ++ ldrb r9,[$inp,#14]
6499 ++ and r6,r6,r3
6500 ++
6501 ++ ldrb r10,[$inp,#15]
6502 ++ orr r7,r7,r8,lsl#8
6503 ++ str r4,[$ctx,#0]
6504 ++ orr r7,r7,r9,lsl#16
6505 ++ str r5,[$ctx,#4]
6506 ++ orr r7,r7,r10,lsl#24
6507 ++ str r6,[$ctx,#8]
6508 ++ and r7,r7,r3
6509 ++ str r7,[$ctx,#12]
6510 ++#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
6511 ++ stmia r2,{r11,r12} @ fill functions table
6512 ++ mov r0,#1
6513 ++#else
6514 ++ mov r0,#0
6515 ++#endif
6516 ++.Lno_key:
6517 ++ ldmia sp!,{r4-r11}
6518 ++#if __ARM_ARCH__>=5
6519 ++ ret @ bx lr
6520 ++#else
6521 ++ tst lr,#1
6522 ++ moveq pc,lr @ be binary compatible with V4, yet
6523 ++ bx lr @ interoperable with Thumb ISA:-)
6524 ++#endif
6525 ++.size poly1305_init,.-poly1305_init
6526 ++___
6527 ++{
6528 ++my ($h0,$h1,$h2,$h3,$h4,$r0,$r1,$r2,$r3)=map("r$_",(4..12));
6529 ++my ($s1,$s2,$s3)=($r1,$r2,$r3);
6530 ++
6531 ++$code.=<<___;
6532 ++.type poly1305_blocks,%function
6533 ++.align 5
6534 ++poly1305_blocks:
6535 ++.Lpoly1305_blocks:
6536 ++ stmdb sp!,{r3-r11,lr}
6537 ++
6538 ++ ands $len,$len,#-16
6539 ++ beq .Lno_data
6540 ++
6541 ++ add $len,$len,$inp @ end pointer
6542 ++ sub sp,sp,#32
6543 ++
6544 ++#if __ARM_ARCH__<7
6545 ++ ldmia $ctx,{$h0-$r3} @ load context
6546 ++ add $ctx,$ctx,#20
6547 ++ str $len,[sp,#16] @ offload stuff
6548 ++ str $ctx,[sp,#12]
6549 ++#else
6550 ++ ldr lr,[$ctx,#36] @ is_base2_26
6551 ++ ldmia $ctx!,{$h0-$h4} @ load hash value
6552 ++ str $len,[sp,#16] @ offload stuff
6553 ++ str $ctx,[sp,#12]
6554 ++
6555 ++ adds $r0,$h0,$h1,lsl#26 @ base 2^26 -> base 2^32
6556 ++ mov $r1,$h1,lsr#6
6557 ++ adcs $r1,$r1,$h2,lsl#20
6558 ++ mov $r2,$h2,lsr#12
6559 ++ adcs $r2,$r2,$h3,lsl#14
6560 ++ mov $r3,$h3,lsr#18
6561 ++ adcs $r3,$r3,$h4,lsl#8
6562 ++ mov $len,#0
6563 ++ teq lr,#0
6564 ++ str $len,[$ctx,#16] @ clear is_base2_26
6565 ++ adc $len,$len,$h4,lsr#24
6566 ++
6567 ++ itttt ne
6568 ++ movne $h0,$r0 @ choose between radixes
6569 ++ movne $h1,$r1
6570 ++ movne $h2,$r2
6571 ++ movne $h3,$r3
6572 ++ ldmia $ctx,{$r0-$r3} @ load key
6573 ++ it ne
6574 ++ movne $h4,$len
6575 ++#endif
6576 ++
6577 ++ mov lr,$inp
6578 ++ cmp $padbit,#0
6579 ++ str $r1,[sp,#20]
6580 ++ str $r2,[sp,#24]
6581 ++ str $r3,[sp,#28]
6582 ++ b .Loop
6583 ++
6584 ++.align 4
6585 ++.Loop:
6586 ++#if __ARM_ARCH__<7
6587 ++ ldrb r0,[lr],#16 @ load input
6588 ++# ifdef __thumb2__
6589 ++ it hi
6590 ++# endif
6591 ++ addhi $h4,$h4,#1 @ 1<<128
6592 ++ ldrb r1,[lr,#-15]
6593 ++ ldrb r2,[lr,#-14]
6594 ++ ldrb r3,[lr,#-13]
6595 ++ orr r1,r0,r1,lsl#8
6596 ++ ldrb r0,[lr,#-12]
6597 ++ orr r2,r1,r2,lsl#16
6598 ++ ldrb r1,[lr,#-11]
6599 ++ orr r3,r2,r3,lsl#24
6600 ++ ldrb r2,[lr,#-10]
6601 ++ adds $h0,$h0,r3 @ accumulate input
6602 ++
6603 ++ ldrb r3,[lr,#-9]
6604 ++ orr r1,r0,r1,lsl#8
6605 ++ ldrb r0,[lr,#-8]
6606 ++ orr r2,r1,r2,lsl#16
6607 ++ ldrb r1,[lr,#-7]
6608 ++ orr r3,r2,r3,lsl#24
6609 ++ ldrb r2,[lr,#-6]
6610 ++ adcs $h1,$h1,r3
6611 ++
6612 ++ ldrb r3,[lr,#-5]
6613 ++ orr r1,r0,r1,lsl#8
6614 ++ ldrb r0,[lr,#-4]
6615 ++ orr r2,r1,r2,lsl#16
6616 ++ ldrb r1,[lr,#-3]
6617 ++ orr r3,r2,r3,lsl#24
6618 ++ ldrb r2,[lr,#-2]
6619 ++ adcs $h2,$h2,r3
6620 ++
6621 ++ ldrb r3,[lr,#-1]
6622 ++ orr r1,r0,r1,lsl#8
6623 ++ str lr,[sp,#8] @ offload input pointer
6624 ++ orr r2,r1,r2,lsl#16
6625 ++ add $s1,$r1,$r1,lsr#2
6626 ++ orr r3,r2,r3,lsl#24
6627 ++#else
6628 ++ ldr r0,[lr],#16 @ load input
6629 ++ it hi
6630 ++ addhi $h4,$h4,#1 @ padbit
6631 ++ ldr r1,[lr,#-12]
6632 ++ ldr r2,[lr,#-8]
6633 ++ ldr r3,[lr,#-4]
6634 ++# ifdef __ARMEB__
6635 ++ rev r0,r0
6636 ++ rev r1,r1
6637 ++ rev r2,r2
6638 ++ rev r3,r3
6639 ++# endif
6640 ++ adds $h0,$h0,r0 @ accumulate input
6641 ++ str lr,[sp,#8] @ offload input pointer
6642 ++ adcs $h1,$h1,r1
6643 ++ add $s1,$r1,$r1,lsr#2
6644 ++ adcs $h2,$h2,r2
6645 ++#endif
6646 ++ add $s2,$r2,$r2,lsr#2
6647 ++ adcs $h3,$h3,r3
6648 ++ add $s3,$r3,$r3,lsr#2
6649 ++
6650 ++ umull r2,r3,$h1,$r0
6651 ++ adc $h4,$h4,#0
6652 ++ umull r0,r1,$h0,$r0
6653 ++ umlal r2,r3,$h4,$s1
6654 ++ umlal r0,r1,$h3,$s1
6655 ++ ldr $r1,[sp,#20] @ reload $r1
6656 ++ umlal r2,r3,$h2,$s3
6657 ++ umlal r0,r1,$h1,$s3
6658 ++ umlal r2,r3,$h3,$s2
6659 ++ umlal r0,r1,$h2,$s2
6660 ++ umlal r2,r3,$h0,$r1
6661 ++ str r0,[sp,#0] @ future $h0
6662 ++ mul r0,$s2,$h4
6663 ++ ldr $r2,[sp,#24] @ reload $r2
6664 ++ adds r2,r2,r1 @ d1+=d0>>32
6665 ++ eor r1,r1,r1
6666 ++ adc lr,r3,#0 @ future $h2
6667 ++ str r2,[sp,#4] @ future $h1
6668 ++
6669 ++ mul r2,$s3,$h4
6670 ++ eor r3,r3,r3
6671 ++ umlal r0,r1,$h3,$s3
6672 ++ ldr $r3,[sp,#28] @ reload $r3
6673 ++ umlal r2,r3,$h3,$r0
6674 ++ umlal r0,r1,$h2,$r0
6675 ++ umlal r2,r3,$h2,$r1
6676 ++ umlal r0,r1,$h1,$r1
6677 ++ umlal r2,r3,$h1,$r2
6678 ++ umlal r0,r1,$h0,$r2
6679 ++ umlal r2,r3,$h0,$r3
6680 ++ ldr $h0,[sp,#0]
6681 ++ mul $h4,$r0,$h4
6682 ++ ldr $h1,[sp,#4]
6683 ++
6684 ++ adds $h2,lr,r0 @ d2+=d1>>32
6685 ++ ldr lr,[sp,#8] @ reload input pointer
6686 ++ adc r1,r1,#0
6687 ++ adds $h3,r2,r1 @ d3+=d2>>32
6688 ++ ldr r0,[sp,#16] @ reload end pointer
6689 ++ adc r3,r3,#0
6690 ++ add $h4,$h4,r3 @ h4+=d3>>32
6691 ++
6692 ++ and r1,$h4,#-4
6693 ++ and $h4,$h4,#3
6694 ++ add r1,r1,r1,lsr#2 @ *=5
6695 ++ adds $h0,$h0,r1
6696 ++ adcs $h1,$h1,#0
6697 ++ adcs $h2,$h2,#0
6698 ++ adcs $h3,$h3,#0
6699 ++ adc $h4,$h4,#0
6700 ++
6701 ++ cmp r0,lr @ done yet?
6702 ++ bhi .Loop
6703 ++
6704 ++ ldr $ctx,[sp,#12]
6705 ++ add sp,sp,#32
6706 ++ stmdb $ctx,{$h0-$h4} @ store the result
6707 ++
6708 ++.Lno_data:
6709 ++#if __ARM_ARCH__>=5
6710 ++ ldmia sp!,{r3-r11,pc}
6711 ++#else
6712 ++ ldmia sp!,{r3-r11,lr}
6713 ++ tst lr,#1
6714 ++ moveq pc,lr @ be binary compatible with V4, yet
6715 ++ bx lr @ interoperable with Thumb ISA:-)
6716 ++#endif
6717 ++.size poly1305_blocks,.-poly1305_blocks
6718 ++___
6719 ++}
6720 ++{
6721 ++my ($ctx,$mac,$nonce)=map("r$_",(0..2));
6722 ++my ($h0,$h1,$h2,$h3,$h4,$g0,$g1,$g2,$g3)=map("r$_",(3..11));
6723 ++my $g4=$ctx;
6724 ++
6725 ++$code.=<<___;
6726 ++.type poly1305_emit,%function
6727 ++.align 5
6728 ++poly1305_emit:
6729 ++.Lpoly1305_emit:
6730 ++ stmdb sp!,{r4-r11}
6731 ++
6732 ++ ldmia $ctx,{$h0-$h4}
6733 ++
6734 ++#if __ARM_ARCH__>=7
6735 ++ ldr ip,[$ctx,#36] @ is_base2_26
6736 ++
6737 ++ adds $g0,$h0,$h1,lsl#26 @ base 2^26 -> base 2^32
6738 ++ mov $g1,$h1,lsr#6
6739 ++ adcs $g1,$g1,$h2,lsl#20
6740 ++ mov $g2,$h2,lsr#12
6741 ++ adcs $g2,$g2,$h3,lsl#14
6742 ++ mov $g3,$h3,lsr#18
6743 ++ adcs $g3,$g3,$h4,lsl#8
6744 ++ mov $g4,#0
6745 ++ adc $g4,$g4,$h4,lsr#24
6746 ++
6747 ++ tst ip,ip
6748 ++ itttt ne
6749 ++ movne $h0,$g0
6750 ++ movne $h1,$g1
6751 ++ movne $h2,$g2
6752 ++ movne $h3,$g3
6753 ++ it ne
6754 ++ movne $h4,$g4
6755 ++#endif
6756 ++
6757 ++ adds $g0,$h0,#5 @ compare to modulus
6758 ++ adcs $g1,$h1,#0
6759 ++ adcs $g2,$h2,#0
6760 ++ adcs $g3,$h3,#0
6761 ++ adc $g4,$h4,#0
6762 ++ tst $g4,#4 @ did it carry/borrow?
6763 ++
6764 ++#ifdef __thumb2__
6765 ++ it ne
6766 ++#endif
6767 ++ movne $h0,$g0
6768 ++ ldr $g0,[$nonce,#0]
6769 ++#ifdef __thumb2__
6770 ++ it ne
6771 ++#endif
6772 ++ movne $h1,$g1
6773 ++ ldr $g1,[$nonce,#4]
6774 ++#ifdef __thumb2__
6775 ++ it ne
6776 ++#endif
6777 ++ movne $h2,$g2
6778 ++ ldr $g2,[$nonce,#8]
6779 ++#ifdef __thumb2__
6780 ++ it ne
6781 ++#endif
6782 ++ movne $h3,$g3
6783 ++ ldr $g3,[$nonce,#12]
6784 ++
6785 ++ adds $h0,$h0,$g0
6786 ++ adcs $h1,$h1,$g1
6787 ++ adcs $h2,$h2,$g2
6788 ++ adc $h3,$h3,$g3
6789 ++
6790 ++#if __ARM_ARCH__>=7
6791 ++# ifdef __ARMEB__
6792 ++ rev $h0,$h0
6793 ++ rev $h1,$h1
6794 ++ rev $h2,$h2
6795 ++ rev $h3,$h3
6796 ++# endif
6797 ++ str $h0,[$mac,#0]
6798 ++ str $h1,[$mac,#4]
6799 ++ str $h2,[$mac,#8]
6800 ++ str $h3,[$mac,#12]
6801 ++#else
6802 ++ strb $h0,[$mac,#0]
6803 ++ mov $h0,$h0,lsr#8
6804 ++ strb $h1,[$mac,#4]
6805 ++ mov $h1,$h1,lsr#8
6806 ++ strb $h2,[$mac,#8]
6807 ++ mov $h2,$h2,lsr#8
6808 ++ strb $h3,[$mac,#12]
6809 ++ mov $h3,$h3,lsr#8
6810 ++
6811 ++ strb $h0,[$mac,#1]
6812 ++ mov $h0,$h0,lsr#8
6813 ++ strb $h1,[$mac,#5]
6814 ++ mov $h1,$h1,lsr#8
6815 ++ strb $h2,[$mac,#9]
6816 ++ mov $h2,$h2,lsr#8
6817 ++ strb $h3,[$mac,#13]
6818 ++ mov $h3,$h3,lsr#8
6819 ++
6820 ++ strb $h0,[$mac,#2]
6821 ++ mov $h0,$h0,lsr#8
6822 ++ strb $h1,[$mac,#6]
6823 ++ mov $h1,$h1,lsr#8
6824 ++ strb $h2,[$mac,#10]
6825 ++ mov $h2,$h2,lsr#8
6826 ++ strb $h3,[$mac,#14]
6827 ++ mov $h3,$h3,lsr#8
6828 ++
6829 ++ strb $h0,[$mac,#3]
6830 ++ strb $h1,[$mac,#7]
6831 ++ strb $h2,[$mac,#11]
6832 ++ strb $h3,[$mac,#15]
6833 ++#endif
6834 ++ ldmia sp!,{r4-r11}
6835 ++#if __ARM_ARCH__>=5
6836 ++ ret @ bx lr
6837 ++#else
6838 ++ tst lr,#1
6839 ++ moveq pc,lr @ be binary compatible with V4, yet
6840 ++ bx lr @ interoperable with Thumb ISA:-)
6841 ++#endif
6842 ++.size poly1305_emit,.-poly1305_emit
6843 ++___
6844 ++{
6845 ++my ($R0,$R1,$S1,$R2,$S2,$R3,$S3,$R4,$S4) = map("d$_",(0..9));
6846 ++my ($D0,$D1,$D2,$D3,$D4, $H0,$H1,$H2,$H3,$H4) = map("q$_",(5..14));
6847 ++my ($T0,$T1,$MASK) = map("q$_",(15,4,0));
6848 ++
6849 ++my ($in2,$zeros,$tbl0,$tbl1) = map("r$_",(4..7));
6850 ++
6851 ++$code.=<<___;
6852 ++#if __ARM_MAX_ARCH__>=7
6853 ++.fpu neon
6854 ++
6855 ++.type poly1305_init_neon,%function
6856 ++.align 5
6857 ++poly1305_init_neon:
6858 ++.Lpoly1305_init_neon:
6859 ++ ldr r3,[$ctx,#48] @ first table element
6860 ++ cmp r3,#-1 @ is value impossible?
6861 ++ bne .Lno_init_neon
6862 ++
6863 ++ ldr r4,[$ctx,#20] @ load key base 2^32
6864 ++ ldr r5,[$ctx,#24]
6865 ++ ldr r6,[$ctx,#28]
6866 ++ ldr r7,[$ctx,#32]
6867 ++
6868 ++ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
6869 ++ mov r3,r4,lsr#26
6870 ++ mov r4,r5,lsr#20
6871 ++ orr r3,r3,r5,lsl#6
6872 ++ mov r5,r6,lsr#14
6873 ++ orr r4,r4,r6,lsl#12
6874 ++ mov r6,r7,lsr#8
6875 ++ orr r5,r5,r7,lsl#18
6876 ++ and r3,r3,#0x03ffffff
6877 ++ and r4,r4,#0x03ffffff
6878 ++ and r5,r5,#0x03ffffff
6879 ++
6880 ++ vdup.32 $R0,r2 @ r^1 in both lanes
6881 ++ add r2,r3,r3,lsl#2 @ *5
6882 ++ vdup.32 $R1,r3
6883 ++ add r3,r4,r4,lsl#2
6884 ++ vdup.32 $S1,r2
6885 ++ vdup.32 $R2,r4
6886 ++ add r4,r5,r5,lsl#2
6887 ++ vdup.32 $S2,r3
6888 ++ vdup.32 $R3,r5
6889 ++ add r5,r6,r6,lsl#2
6890 ++ vdup.32 $S3,r4
6891 ++ vdup.32 $R4,r6
6892 ++ vdup.32 $S4,r5
6893 ++
6894 ++ mov $zeros,#2 @ counter
6895 ++
6896 ++.Lsquare_neon:
6897 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
6898 ++ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
6899 ++ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
6900 ++ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
6901 ++ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
6902 ++ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
6903 ++
6904 ++ vmull.u32 $D0,$R0,${R0}[1]
6905 ++ vmull.u32 $D1,$R1,${R0}[1]
6906 ++ vmull.u32 $D2,$R2,${R0}[1]
6907 ++ vmull.u32 $D3,$R3,${R0}[1]
6908 ++ vmull.u32 $D4,$R4,${R0}[1]
6909 ++
6910 ++ vmlal.u32 $D0,$R4,${S1}[1]
6911 ++ vmlal.u32 $D1,$R0,${R1}[1]
6912 ++ vmlal.u32 $D2,$R1,${R1}[1]
6913 ++ vmlal.u32 $D3,$R2,${R1}[1]
6914 ++ vmlal.u32 $D4,$R3,${R1}[1]
6915 ++
6916 ++ vmlal.u32 $D0,$R3,${S2}[1]
6917 ++ vmlal.u32 $D1,$R4,${S2}[1]
6918 ++ vmlal.u32 $D3,$R1,${R2}[1]
6919 ++ vmlal.u32 $D2,$R0,${R2}[1]
6920 ++ vmlal.u32 $D4,$R2,${R2}[1]
6921 ++
6922 ++ vmlal.u32 $D0,$R2,${S3}[1]
6923 ++ vmlal.u32 $D3,$R0,${R3}[1]
6924 ++ vmlal.u32 $D1,$R3,${S3}[1]
6925 ++ vmlal.u32 $D2,$R4,${S3}[1]
6926 ++ vmlal.u32 $D4,$R1,${R3}[1]
6927 ++
6928 ++ vmlal.u32 $D3,$R4,${S4}[1]
6929 ++ vmlal.u32 $D0,$R1,${S4}[1]
6930 ++ vmlal.u32 $D1,$R2,${S4}[1]
6931 ++ vmlal.u32 $D2,$R3,${S4}[1]
6932 ++ vmlal.u32 $D4,$R0,${R4}[1]
6933 ++
6934 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
6935 ++ @ lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
6936 ++ @ and P. Schwabe
6937 ++ @
6938 ++ @ H0>>+H1>>+H2>>+H3>>+H4
6939 ++ @ H3>>+H4>>*5+H0>>+H1
6940 ++ @
6941 ++ @ Trivia.
6942 ++ @
6943 ++ @ Result of multiplication of n-bit number by m-bit number is
6944 ++ @ n+m bits wide. However! Even though 2^n is a n+1-bit number,
6945 ++ @ m-bit number multiplied by 2^n is still n+m bits wide.
6946 ++ @
6947 ++ @ Sum of two n-bit numbers is n+1 bits wide, sum of three - n+2,
6948 ++ @ and so is sum of four. Sum of 2^m n-m-bit numbers and n-bit
6949 ++ @ one is n+1 bits wide.
6950 ++ @
6951 ++ @ >>+ denotes Hnext += Hn>>26, Hn &= 0x3ffffff. This means that
6952 ++ @ H0, H2, H3 are guaranteed to be 26 bits wide, while H1 and H4
6953 ++ @ can be 27. However! In cases when their width exceeds 26 bits
6954 ++ @ they are limited by 2^26+2^6. This in turn means that *sum*
6955 ++ @ of the products with these values can still be viewed as sum
6956 ++ @ of 52-bit numbers as long as the amount of addends is not a
6957 ++ @ power of 2. For example,
6958 ++ @
6959 ++ @ H4 = H4*R0 + H3*R1 + H2*R2 + H1*R3 + H0 * R4,
6960 ++ @
6961 ++ @ which can't be larger than 5 * (2^26 + 2^6) * (2^26 + 2^6), or
6962 ++ @ 5 * (2^52 + 2*2^32 + 2^12), which in turn is smaller than
6963 ++ @ 8 * (2^52) or 2^55. However, the value is then multiplied by
6964 ++ @ by 5, so we should be looking at 5 * 5 * (2^52 + 2^33 + 2^12),
6965 ++ @ which is less than 32 * (2^52) or 2^57. And when processing
6966 ++ @ data we are looking at triple as many addends...
6967 ++ @
6968 ++ @ In key setup procedure pre-reduced H0 is limited by 5*4+1 and
6969 ++ @ 5*H4 - by 5*5 52-bit addends, or 57 bits. But when hashing the
6970 ++ @ input H0 is limited by (5*4+1)*3 addends, or 58 bits, while
6971 ++ @ 5*H4 by 5*5*3, or 59[!] bits. How is this relevant? vmlal.u32
6972 ++ @ instruction accepts 2x32-bit input and writes 2x64-bit result.
6973 ++ @ This means that result of reduction have to be compressed upon
6974 ++ @ loop wrap-around. This can be done in the process of reduction
6975 ++ @ to minimize amount of instructions [as well as amount of
6976 ++ @ 128-bit instructions, which benefits low-end processors], but
6977 ++ @ one has to watch for H2 (which is narrower than H0) and 5*H4
6978 ++ @ not being wider than 58 bits, so that result of right shift
6979 ++ @ by 26 bits fits in 32 bits. This is also useful on x86,
6980 ++ @ because it allows to use paddd in place for paddq, which
6981 ++ @ benefits Atom, where paddq is ridiculously slow.
6982 ++
6983 ++ vshr.u64 $T0,$D3,#26
6984 ++ vmovn.i64 $D3#lo,$D3
6985 ++ vshr.u64 $T1,$D0,#26
6986 ++ vmovn.i64 $D0#lo,$D0
6987 ++ vadd.i64 $D4,$D4,$T0 @ h3 -> h4
6988 ++ vbic.i32 $D3#lo,#0xfc000000 @ &=0x03ffffff
6989 ++ vadd.i64 $D1,$D1,$T1 @ h0 -> h1
6990 ++ vbic.i32 $D0#lo,#0xfc000000
6991 ++
6992 ++ vshrn.u64 $T0#lo,$D4,#26
6993 ++ vmovn.i64 $D4#lo,$D4
6994 ++ vshr.u64 $T1,$D1,#26
6995 ++ vmovn.i64 $D1#lo,$D1
6996 ++ vadd.i64 $D2,$D2,$T1 @ h1 -> h2
6997 ++ vbic.i32 $D4#lo,#0xfc000000
6998 ++ vbic.i32 $D1#lo,#0xfc000000
6999 ++
7000 ++ vadd.i32 $D0#lo,$D0#lo,$T0#lo
7001 ++ vshl.u32 $T0#lo,$T0#lo,#2
7002 ++ vshrn.u64 $T1#lo,$D2,#26
7003 ++ vmovn.i64 $D2#lo,$D2
7004 ++ vadd.i32 $D0#lo,$D0#lo,$T0#lo @ h4 -> h0
7005 ++ vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
7006 ++ vbic.i32 $D2#lo,#0xfc000000
7007 ++
7008 ++ vshr.u32 $T0#lo,$D0#lo,#26
7009 ++ vbic.i32 $D0#lo,#0xfc000000
7010 ++ vshr.u32 $T1#lo,$D3#lo,#26
7011 ++ vbic.i32 $D3#lo,#0xfc000000
7012 ++ vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
7013 ++ vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
7014 ++
7015 ++ subs $zeros,$zeros,#1
7016 ++ beq .Lsquare_break_neon
7017 ++
7018 ++ add $tbl0,$ctx,#(48+0*9*4)
7019 ++ add $tbl1,$ctx,#(48+1*9*4)
7020 ++
7021 ++ vtrn.32 $R0,$D0#lo @ r^2:r^1
7022 ++ vtrn.32 $R2,$D2#lo
7023 ++ vtrn.32 $R3,$D3#lo
7024 ++ vtrn.32 $R1,$D1#lo
7025 ++ vtrn.32 $R4,$D4#lo
7026 ++
7027 ++ vshl.u32 $S2,$R2,#2 @ *5
7028 ++ vshl.u32 $S3,$R3,#2
7029 ++ vshl.u32 $S1,$R1,#2
7030 ++ vshl.u32 $S4,$R4,#2
7031 ++ vadd.i32 $S2,$S2,$R2
7032 ++ vadd.i32 $S1,$S1,$R1
7033 ++ vadd.i32 $S3,$S3,$R3
7034 ++ vadd.i32 $S4,$S4,$R4
7035 ++
7036 ++ vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
7037 ++ vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
7038 ++ vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7039 ++ vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7040 ++ vst1.32 {${S4}[0]},[$tbl0,:32]
7041 ++ vst1.32 {${S4}[1]},[$tbl1,:32]
7042 ++
7043 ++ b .Lsquare_neon
7044 ++
7045 ++.align 4
7046 ++.Lsquare_break_neon:
7047 ++ add $tbl0,$ctx,#(48+2*4*9)
7048 ++ add $tbl1,$ctx,#(48+3*4*9)
7049 ++
7050 ++ vmov $R0,$D0#lo @ r^4:r^3
7051 ++ vshl.u32 $S1,$D1#lo,#2 @ *5
7052 ++ vmov $R1,$D1#lo
7053 ++ vshl.u32 $S2,$D2#lo,#2
7054 ++ vmov $R2,$D2#lo
7055 ++ vshl.u32 $S3,$D3#lo,#2
7056 ++ vmov $R3,$D3#lo
7057 ++ vshl.u32 $S4,$D4#lo,#2
7058 ++ vmov $R4,$D4#lo
7059 ++ vadd.i32 $S1,$S1,$D1#lo
7060 ++ vadd.i32 $S2,$S2,$D2#lo
7061 ++ vadd.i32 $S3,$S3,$D3#lo
7062 ++ vadd.i32 $S4,$S4,$D4#lo
7063 ++
7064 ++ vst4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]!
7065 ++ vst4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]!
7066 ++ vst4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7067 ++ vst4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7068 ++ vst1.32 {${S4}[0]},[$tbl0]
7069 ++ vst1.32 {${S4}[1]},[$tbl1]
7070 ++
7071 ++.Lno_init_neon:
7072 ++ ret @ bx lr
7073 ++.size poly1305_init_neon,.-poly1305_init_neon
7074 ++
7075 ++.type poly1305_blocks_neon,%function
7076 ++.align 5
7077 ++poly1305_blocks_neon:
7078 ++.Lpoly1305_blocks_neon:
7079 ++ ldr ip,[$ctx,#36] @ is_base2_26
7080 ++
7081 ++ cmp $len,#64
7082 ++ blo .Lpoly1305_blocks
7083 ++
7084 ++ stmdb sp!,{r4-r7}
7085 ++ vstmdb sp!,{d8-d15} @ ABI specification says so
7086 ++
7087 ++ tst ip,ip @ is_base2_26?
7088 ++ bne .Lbase2_26_neon
7089 ++
7090 ++ stmdb sp!,{r1-r3,lr}
7091 ++ bl .Lpoly1305_init_neon
7092 ++
7093 ++ ldr r4,[$ctx,#0] @ load hash value base 2^32
7094 ++ ldr r5,[$ctx,#4]
7095 ++ ldr r6,[$ctx,#8]
7096 ++ ldr r7,[$ctx,#12]
7097 ++ ldr ip,[$ctx,#16]
7098 ++
7099 ++ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
7100 ++ mov r3,r4,lsr#26
7101 ++ veor $D0#lo,$D0#lo,$D0#lo
7102 ++ mov r4,r5,lsr#20
7103 ++ orr r3,r3,r5,lsl#6
7104 ++ veor $D1#lo,$D1#lo,$D1#lo
7105 ++ mov r5,r6,lsr#14
7106 ++ orr r4,r4,r6,lsl#12
7107 ++ veor $D2#lo,$D2#lo,$D2#lo
7108 ++ mov r6,r7,lsr#8
7109 ++ orr r5,r5,r7,lsl#18
7110 ++ veor $D3#lo,$D3#lo,$D3#lo
7111 ++ and r3,r3,#0x03ffffff
7112 ++ orr r6,r6,ip,lsl#24
7113 ++ veor $D4#lo,$D4#lo,$D4#lo
7114 ++ and r4,r4,#0x03ffffff
7115 ++ mov r1,#1
7116 ++ and r5,r5,#0x03ffffff
7117 ++ str r1,[$ctx,#36] @ set is_base2_26
7118 ++
7119 ++ vmov.32 $D0#lo[0],r2
7120 ++ vmov.32 $D1#lo[0],r3
7121 ++ vmov.32 $D2#lo[0],r4
7122 ++ vmov.32 $D3#lo[0],r5
7123 ++ vmov.32 $D4#lo[0],r6
7124 ++ adr $zeros,.Lzeros
7125 ++
7126 ++ ldmia sp!,{r1-r3,lr}
7127 ++ b .Lhash_loaded
7128 ++
7129 ++.align 4
7130 ++.Lbase2_26_neon:
7131 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7132 ++ @ load hash value
7133 ++
7134 ++ veor $D0#lo,$D0#lo,$D0#lo
7135 ++ veor $D1#lo,$D1#lo,$D1#lo
7136 ++ veor $D2#lo,$D2#lo,$D2#lo
7137 ++ veor $D3#lo,$D3#lo,$D3#lo
7138 ++ veor $D4#lo,$D4#lo,$D4#lo
7139 ++ vld4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
7140 ++ adr $zeros,.Lzeros
7141 ++ vld1.32 {$D4#lo[0]},[$ctx]
7142 ++ sub $ctx,$ctx,#16 @ rewind
7143 ++
7144 ++.Lhash_loaded:
7145 ++ add $in2,$inp,#32
7146 ++ mov $padbit,$padbit,lsl#24
7147 ++ tst $len,#31
7148 ++ beq .Leven
7149 ++
7150 ++ vld4.32 {$H0#lo[0],$H1#lo[0],$H2#lo[0],$H3#lo[0]},[$inp]!
7151 ++ vmov.32 $H4#lo[0],$padbit
7152 ++ sub $len,$len,#16
7153 ++ add $in2,$inp,#32
7154 ++
7155 ++# ifdef __ARMEB__
7156 ++ vrev32.8 $H0,$H0
7157 ++ vrev32.8 $H3,$H3
7158 ++ vrev32.8 $H1,$H1
7159 ++ vrev32.8 $H2,$H2
7160 ++# endif
7161 ++ vsri.u32 $H4#lo,$H3#lo,#8 @ base 2^32 -> base 2^26
7162 ++ vshl.u32 $H3#lo,$H3#lo,#18
7163 ++
7164 ++ vsri.u32 $H3#lo,$H2#lo,#14
7165 ++ vshl.u32 $H2#lo,$H2#lo,#12
7166 ++ vadd.i32 $H4#hi,$H4#lo,$D4#lo @ add hash value and move to #hi
7167 ++
7168 ++ vbic.i32 $H3#lo,#0xfc000000
7169 ++ vsri.u32 $H2#lo,$H1#lo,#20
7170 ++ vshl.u32 $H1#lo,$H1#lo,#6
7171 ++
7172 ++ vbic.i32 $H2#lo,#0xfc000000
7173 ++ vsri.u32 $H1#lo,$H0#lo,#26
7174 ++ vadd.i32 $H3#hi,$H3#lo,$D3#lo
7175 ++
7176 ++ vbic.i32 $H0#lo,#0xfc000000
7177 ++ vbic.i32 $H1#lo,#0xfc000000
7178 ++ vadd.i32 $H2#hi,$H2#lo,$D2#lo
7179 ++
7180 ++ vadd.i32 $H0#hi,$H0#lo,$D0#lo
7181 ++ vadd.i32 $H1#hi,$H1#lo,$D1#lo
7182 ++
7183 ++ mov $tbl1,$zeros
7184 ++ add $tbl0,$ctx,#48
7185 ++
7186 ++ cmp $len,$len
7187 ++ b .Long_tail
7188 ++
7189 ++.align 4
7190 ++.Leven:
7191 ++ subs $len,$len,#64
7192 ++ it lo
7193 ++ movlo $in2,$zeros
7194 ++
7195 ++ vmov.i32 $H4,#1<<24 @ padbit, yes, always
7196 ++ vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
7197 ++ add $inp,$inp,#64
7198 ++ vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
7199 ++ add $in2,$in2,#64
7200 ++ itt hi
7201 ++ addhi $tbl1,$ctx,#(48+1*9*4)
7202 ++ addhi $tbl0,$ctx,#(48+3*9*4)
7203 ++
7204 ++# ifdef __ARMEB__
7205 ++ vrev32.8 $H0,$H0
7206 ++ vrev32.8 $H3,$H3
7207 ++ vrev32.8 $H1,$H1
7208 ++ vrev32.8 $H2,$H2
7209 ++# endif
7210 ++ vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
7211 ++ vshl.u32 $H3,$H3,#18
7212 ++
7213 ++ vsri.u32 $H3,$H2,#14
7214 ++ vshl.u32 $H2,$H2,#12
7215 ++
7216 ++ vbic.i32 $H3,#0xfc000000
7217 ++ vsri.u32 $H2,$H1,#20
7218 ++ vshl.u32 $H1,$H1,#6
7219 ++
7220 ++ vbic.i32 $H2,#0xfc000000
7221 ++ vsri.u32 $H1,$H0,#26
7222 ++
7223 ++ vbic.i32 $H0,#0xfc000000
7224 ++ vbic.i32 $H1,#0xfc000000
7225 ++
7226 ++ bls .Lskip_loop
7227 ++
7228 ++ vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^2
7229 ++ vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
7230 ++ vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7231 ++ vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7232 ++ b .Loop_neon
7233 ++
7234 ++.align 5
7235 ++.Loop_neon:
7236 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7237 ++ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
7238 ++ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
7239 ++ @ \___________________/
7240 ++ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
7241 ++ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
7242 ++ @ \___________________/ \____________________/
7243 ++ @
7244 ++ @ Note that we start with inp[2:3]*r^2. This is because it
7245 ++ @ doesn't depend on reduction in previous iteration.
7246 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7247 ++ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
7248 ++ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
7249 ++ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
7250 ++ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
7251 ++ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
7252 ++
7253 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7254 ++ @ inp[2:3]*r^2
7255 ++
7256 ++ vadd.i32 $H2#lo,$H2#lo,$D2#lo @ accumulate inp[0:1]
7257 ++ vmull.u32 $D2,$H2#hi,${R0}[1]
7258 ++ vadd.i32 $H0#lo,$H0#lo,$D0#lo
7259 ++ vmull.u32 $D0,$H0#hi,${R0}[1]
7260 ++ vadd.i32 $H3#lo,$H3#lo,$D3#lo
7261 ++ vmull.u32 $D3,$H3#hi,${R0}[1]
7262 ++ vmlal.u32 $D2,$H1#hi,${R1}[1]
7263 ++ vadd.i32 $H1#lo,$H1#lo,$D1#lo
7264 ++ vmull.u32 $D1,$H1#hi,${R0}[1]
7265 ++
7266 ++ vadd.i32 $H4#lo,$H4#lo,$D4#lo
7267 ++ vmull.u32 $D4,$H4#hi,${R0}[1]
7268 ++ subs $len,$len,#64
7269 ++ vmlal.u32 $D0,$H4#hi,${S1}[1]
7270 ++ it lo
7271 ++ movlo $in2,$zeros
7272 ++ vmlal.u32 $D3,$H2#hi,${R1}[1]
7273 ++ vld1.32 ${S4}[1],[$tbl1,:32]
7274 ++ vmlal.u32 $D1,$H0#hi,${R1}[1]
7275 ++ vmlal.u32 $D4,$H3#hi,${R1}[1]
7276 ++
7277 ++ vmlal.u32 $D0,$H3#hi,${S2}[1]
7278 ++ vmlal.u32 $D3,$H1#hi,${R2}[1]
7279 ++ vmlal.u32 $D4,$H2#hi,${R2}[1]
7280 ++ vmlal.u32 $D1,$H4#hi,${S2}[1]
7281 ++ vmlal.u32 $D2,$H0#hi,${R2}[1]
7282 ++
7283 ++ vmlal.u32 $D3,$H0#hi,${R3}[1]
7284 ++ vmlal.u32 $D0,$H2#hi,${S3}[1]
7285 ++ vmlal.u32 $D4,$H1#hi,${R3}[1]
7286 ++ vmlal.u32 $D1,$H3#hi,${S3}[1]
7287 ++ vmlal.u32 $D2,$H4#hi,${S3}[1]
7288 ++
7289 ++ vmlal.u32 $D3,$H4#hi,${S4}[1]
7290 ++ vmlal.u32 $D0,$H1#hi,${S4}[1]
7291 ++ vmlal.u32 $D4,$H0#hi,${R4}[1]
7292 ++ vmlal.u32 $D1,$H2#hi,${S4}[1]
7293 ++ vmlal.u32 $D2,$H3#hi,${S4}[1]
7294 ++
7295 ++ vld4.32 {$H0#hi,$H1#hi,$H2#hi,$H3#hi},[$in2] @ inp[2:3] (or 0)
7296 ++ add $in2,$in2,#64
7297 ++
7298 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7299 ++ @ (hash+inp[0:1])*r^4 and accumulate
7300 ++
7301 ++ vmlal.u32 $D3,$H3#lo,${R0}[0]
7302 ++ vmlal.u32 $D0,$H0#lo,${R0}[0]
7303 ++ vmlal.u32 $D4,$H4#lo,${R0}[0]
7304 ++ vmlal.u32 $D1,$H1#lo,${R0}[0]
7305 ++ vmlal.u32 $D2,$H2#lo,${R0}[0]
7306 ++ vld1.32 ${S4}[0],[$tbl0,:32]
7307 ++
7308 ++ vmlal.u32 $D3,$H2#lo,${R1}[0]
7309 ++ vmlal.u32 $D0,$H4#lo,${S1}[0]
7310 ++ vmlal.u32 $D4,$H3#lo,${R1}[0]
7311 ++ vmlal.u32 $D1,$H0#lo,${R1}[0]
7312 ++ vmlal.u32 $D2,$H1#lo,${R1}[0]
7313 ++
7314 ++ vmlal.u32 $D3,$H1#lo,${R2}[0]
7315 ++ vmlal.u32 $D0,$H3#lo,${S2}[0]
7316 ++ vmlal.u32 $D4,$H2#lo,${R2}[0]
7317 ++ vmlal.u32 $D1,$H4#lo,${S2}[0]
7318 ++ vmlal.u32 $D2,$H0#lo,${R2}[0]
7319 ++
7320 ++ vmlal.u32 $D3,$H0#lo,${R3}[0]
7321 ++ vmlal.u32 $D0,$H2#lo,${S3}[0]
7322 ++ vmlal.u32 $D4,$H1#lo,${R3}[0]
7323 ++ vmlal.u32 $D1,$H3#lo,${S3}[0]
7324 ++ vmlal.u32 $D3,$H4#lo,${S4}[0]
7325 ++
7326 ++ vmlal.u32 $D2,$H4#lo,${S3}[0]
7327 ++ vmlal.u32 $D0,$H1#lo,${S4}[0]
7328 ++ vmlal.u32 $D4,$H0#lo,${R4}[0]
7329 ++ vmov.i32 $H4,#1<<24 @ padbit, yes, always
7330 ++ vmlal.u32 $D1,$H2#lo,${S4}[0]
7331 ++ vmlal.u32 $D2,$H3#lo,${S4}[0]
7332 ++
7333 ++ vld4.32 {$H0#lo,$H1#lo,$H2#lo,$H3#lo},[$inp] @ inp[0:1]
7334 ++ add $inp,$inp,#64
7335 ++# ifdef __ARMEB__
7336 ++ vrev32.8 $H0,$H0
7337 ++ vrev32.8 $H1,$H1
7338 ++ vrev32.8 $H2,$H2
7339 ++ vrev32.8 $H3,$H3
7340 ++# endif
7341 ++
7342 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7343 ++ @ lazy reduction interleaved with base 2^32 -> base 2^26 of
7344 ++ @ inp[0:3] previously loaded to $H0-$H3 and smashed to $H0-$H4.
7345 ++
7346 ++ vshr.u64 $T0,$D3,#26
7347 ++ vmovn.i64 $D3#lo,$D3
7348 ++ vshr.u64 $T1,$D0,#26
7349 ++ vmovn.i64 $D0#lo,$D0
7350 ++ vadd.i64 $D4,$D4,$T0 @ h3 -> h4
7351 ++ vbic.i32 $D3#lo,#0xfc000000
7352 ++ vsri.u32 $H4,$H3,#8 @ base 2^32 -> base 2^26
7353 ++ vadd.i64 $D1,$D1,$T1 @ h0 -> h1
7354 ++ vshl.u32 $H3,$H3,#18
7355 ++ vbic.i32 $D0#lo,#0xfc000000
7356 ++
7357 ++ vshrn.u64 $T0#lo,$D4,#26
7358 ++ vmovn.i64 $D4#lo,$D4
7359 ++ vshr.u64 $T1,$D1,#26
7360 ++ vmovn.i64 $D1#lo,$D1
7361 ++ vadd.i64 $D2,$D2,$T1 @ h1 -> h2
7362 ++ vsri.u32 $H3,$H2,#14
7363 ++ vbic.i32 $D4#lo,#0xfc000000
7364 ++ vshl.u32 $H2,$H2,#12
7365 ++ vbic.i32 $D1#lo,#0xfc000000
7366 ++
7367 ++ vadd.i32 $D0#lo,$D0#lo,$T0#lo
7368 ++ vshl.u32 $T0#lo,$T0#lo,#2
7369 ++ vbic.i32 $H3,#0xfc000000
7370 ++ vshrn.u64 $T1#lo,$D2,#26
7371 ++ vmovn.i64 $D2#lo,$D2
7372 ++ vaddl.u32 $D0,$D0#lo,$T0#lo @ h4 -> h0 [widen for a sec]
7373 ++ vsri.u32 $H2,$H1,#20
7374 ++ vadd.i32 $D3#lo,$D3#lo,$T1#lo @ h2 -> h3
7375 ++ vshl.u32 $H1,$H1,#6
7376 ++ vbic.i32 $D2#lo,#0xfc000000
7377 ++ vbic.i32 $H2,#0xfc000000
7378 ++
7379 ++ vshrn.u64 $T0#lo,$D0,#26 @ re-narrow
7380 ++ vmovn.i64 $D0#lo,$D0
7381 ++ vsri.u32 $H1,$H0,#26
7382 ++ vbic.i32 $H0,#0xfc000000
7383 ++ vshr.u32 $T1#lo,$D3#lo,#26
7384 ++ vbic.i32 $D3#lo,#0xfc000000
7385 ++ vbic.i32 $D0#lo,#0xfc000000
7386 ++ vadd.i32 $D1#lo,$D1#lo,$T0#lo @ h0 -> h1
7387 ++ vadd.i32 $D4#lo,$D4#lo,$T1#lo @ h3 -> h4
7388 ++ vbic.i32 $H1,#0xfc000000
7389 ++
7390 ++ bhi .Loop_neon
7391 ++
7392 ++.Lskip_loop:
7393 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7394 ++ @ multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
7395 ++
7396 ++ add $tbl1,$ctx,#(48+0*9*4)
7397 ++ add $tbl0,$ctx,#(48+1*9*4)
7398 ++ adds $len,$len,#32
7399 ++ it ne
7400 ++ movne $len,#0
7401 ++ bne .Long_tail
7402 ++
7403 ++ vadd.i32 $H2#hi,$H2#lo,$D2#lo @ add hash value and move to #hi
7404 ++ vadd.i32 $H0#hi,$H0#lo,$D0#lo
7405 ++ vadd.i32 $H3#hi,$H3#lo,$D3#lo
7406 ++ vadd.i32 $H1#hi,$H1#lo,$D1#lo
7407 ++ vadd.i32 $H4#hi,$H4#lo,$D4#lo
7408 ++
7409 ++.Long_tail:
7410 ++ vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^1
7411 ++ vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^2
7412 ++
7413 ++ vadd.i32 $H2#lo,$H2#lo,$D2#lo @ can be redundant
7414 ++ vmull.u32 $D2,$H2#hi,$R0
7415 ++ vadd.i32 $H0#lo,$H0#lo,$D0#lo
7416 ++ vmull.u32 $D0,$H0#hi,$R0
7417 ++ vadd.i32 $H3#lo,$H3#lo,$D3#lo
7418 ++ vmull.u32 $D3,$H3#hi,$R0
7419 ++ vadd.i32 $H1#lo,$H1#lo,$D1#lo
7420 ++ vmull.u32 $D1,$H1#hi,$R0
7421 ++ vadd.i32 $H4#lo,$H4#lo,$D4#lo
7422 ++ vmull.u32 $D4,$H4#hi,$R0
7423 ++
7424 ++ vmlal.u32 $D0,$H4#hi,$S1
7425 ++ vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7426 ++ vmlal.u32 $D3,$H2#hi,$R1
7427 ++ vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7428 ++ vmlal.u32 $D1,$H0#hi,$R1
7429 ++ vmlal.u32 $D4,$H3#hi,$R1
7430 ++ vmlal.u32 $D2,$H1#hi,$R1
7431 ++
7432 ++ vmlal.u32 $D3,$H1#hi,$R2
7433 ++ vld1.32 ${S4}[1],[$tbl1,:32]
7434 ++ vmlal.u32 $D0,$H3#hi,$S2
7435 ++ vld1.32 ${S4}[0],[$tbl0,:32]
7436 ++ vmlal.u32 $D4,$H2#hi,$R2
7437 ++ vmlal.u32 $D1,$H4#hi,$S2
7438 ++ vmlal.u32 $D2,$H0#hi,$R2
7439 ++
7440 ++ vmlal.u32 $D3,$H0#hi,$R3
7441 ++ it ne
7442 ++ addne $tbl1,$ctx,#(48+2*9*4)
7443 ++ vmlal.u32 $D0,$H2#hi,$S3
7444 ++ it ne
7445 ++ addne $tbl0,$ctx,#(48+3*9*4)
7446 ++ vmlal.u32 $D4,$H1#hi,$R3
7447 ++ vmlal.u32 $D1,$H3#hi,$S3
7448 ++ vmlal.u32 $D2,$H4#hi,$S3
7449 ++
7450 ++ vmlal.u32 $D3,$H4#hi,$S4
7451 ++ vorn $MASK,$MASK,$MASK @ all-ones, can be redundant
7452 ++ vmlal.u32 $D0,$H1#hi,$S4
7453 ++ vshr.u64 $MASK,$MASK,#38
7454 ++ vmlal.u32 $D4,$H0#hi,$R4
7455 ++ vmlal.u32 $D1,$H2#hi,$S4
7456 ++ vmlal.u32 $D2,$H3#hi,$S4
7457 ++
7458 ++ beq .Lshort_tail
7459 ++
7460 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7461 ++ @ (hash+inp[0:1])*r^4:r^3 and accumulate
7462 ++
7463 ++ vld4.32 {${R0}[1],${R1}[1],${S1}[1],${R2}[1]},[$tbl1]! @ load r^3
7464 ++ vld4.32 {${R0}[0],${R1}[0],${S1}[0],${R2}[0]},[$tbl0]! @ load r^4
7465 ++
7466 ++ vmlal.u32 $D2,$H2#lo,$R0
7467 ++ vmlal.u32 $D0,$H0#lo,$R0
7468 ++ vmlal.u32 $D3,$H3#lo,$R0
7469 ++ vmlal.u32 $D1,$H1#lo,$R0
7470 ++ vmlal.u32 $D4,$H4#lo,$R0
7471 ++
7472 ++ vmlal.u32 $D0,$H4#lo,$S1
7473 ++ vld4.32 {${S2}[1],${R3}[1],${S3}[1],${R4}[1]},[$tbl1]!
7474 ++ vmlal.u32 $D3,$H2#lo,$R1
7475 ++ vld4.32 {${S2}[0],${R3}[0],${S3}[0],${R4}[0]},[$tbl0]!
7476 ++ vmlal.u32 $D1,$H0#lo,$R1
7477 ++ vmlal.u32 $D4,$H3#lo,$R1
7478 ++ vmlal.u32 $D2,$H1#lo,$R1
7479 ++
7480 ++ vmlal.u32 $D3,$H1#lo,$R2
7481 ++ vld1.32 ${S4}[1],[$tbl1,:32]
7482 ++ vmlal.u32 $D0,$H3#lo,$S2
7483 ++ vld1.32 ${S4}[0],[$tbl0,:32]
7484 ++ vmlal.u32 $D4,$H2#lo,$R2
7485 ++ vmlal.u32 $D1,$H4#lo,$S2
7486 ++ vmlal.u32 $D2,$H0#lo,$R2
7487 ++
7488 ++ vmlal.u32 $D3,$H0#lo,$R3
7489 ++ vmlal.u32 $D0,$H2#lo,$S3
7490 ++ vmlal.u32 $D4,$H1#lo,$R3
7491 ++ vmlal.u32 $D1,$H3#lo,$S3
7492 ++ vmlal.u32 $D2,$H4#lo,$S3
7493 ++
7494 ++ vmlal.u32 $D3,$H4#lo,$S4
7495 ++ vorn $MASK,$MASK,$MASK @ all-ones
7496 ++ vmlal.u32 $D0,$H1#lo,$S4
7497 ++ vshr.u64 $MASK,$MASK,#38
7498 ++ vmlal.u32 $D4,$H0#lo,$R4
7499 ++ vmlal.u32 $D1,$H2#lo,$S4
7500 ++ vmlal.u32 $D2,$H3#lo,$S4
7501 ++
7502 ++.Lshort_tail:
7503 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7504 ++ @ horizontal addition
7505 ++
7506 ++ vadd.i64 $D3#lo,$D3#lo,$D3#hi
7507 ++ vadd.i64 $D0#lo,$D0#lo,$D0#hi
7508 ++ vadd.i64 $D4#lo,$D4#lo,$D4#hi
7509 ++ vadd.i64 $D1#lo,$D1#lo,$D1#hi
7510 ++ vadd.i64 $D2#lo,$D2#lo,$D2#hi
7511 ++
7512 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7513 ++ @ lazy reduction, but without narrowing
7514 ++
7515 ++ vshr.u64 $T0,$D3,#26
7516 ++ vand.i64 $D3,$D3,$MASK
7517 ++ vshr.u64 $T1,$D0,#26
7518 ++ vand.i64 $D0,$D0,$MASK
7519 ++ vadd.i64 $D4,$D4,$T0 @ h3 -> h4
7520 ++ vadd.i64 $D1,$D1,$T1 @ h0 -> h1
7521 ++
7522 ++ vshr.u64 $T0,$D4,#26
7523 ++ vand.i64 $D4,$D4,$MASK
7524 ++ vshr.u64 $T1,$D1,#26
7525 ++ vand.i64 $D1,$D1,$MASK
7526 ++ vadd.i64 $D2,$D2,$T1 @ h1 -> h2
7527 ++
7528 ++ vadd.i64 $D0,$D0,$T0
7529 ++ vshl.u64 $T0,$T0,#2
7530 ++ vshr.u64 $T1,$D2,#26
7531 ++ vand.i64 $D2,$D2,$MASK
7532 ++ vadd.i64 $D0,$D0,$T0 @ h4 -> h0
7533 ++ vadd.i64 $D3,$D3,$T1 @ h2 -> h3
7534 ++
7535 ++ vshr.u64 $T0,$D0,#26
7536 ++ vand.i64 $D0,$D0,$MASK
7537 ++ vshr.u64 $T1,$D3,#26
7538 ++ vand.i64 $D3,$D3,$MASK
7539 ++ vadd.i64 $D1,$D1,$T0 @ h0 -> h1
7540 ++ vadd.i64 $D4,$D4,$T1 @ h3 -> h4
7541 ++
7542 ++ cmp $len,#0
7543 ++ bne .Leven
7544 ++
7545 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
7546 ++ @ store hash value
7547 ++
7548 ++ vst4.32 {$D0#lo[0],$D1#lo[0],$D2#lo[0],$D3#lo[0]},[$ctx]!
7549 ++ vst1.32 {$D4#lo[0]},[$ctx]
7550 ++
7551 ++ vldmia sp!,{d8-d15} @ epilogue
7552 ++ ldmia sp!,{r4-r7}
7553 ++ ret @ bx lr
7554 ++.size poly1305_blocks_neon,.-poly1305_blocks_neon
7555 ++
7556 ++.align 5
7557 ++.Lzeros:
7558 ++.long 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
7559 ++#ifndef __KERNEL__
7560 ++.LOPENSSL_armcap:
7561 ++# ifdef _WIN32
7562 ++.word OPENSSL_armcap_P
7563 ++# else
7564 ++.word OPENSSL_armcap_P-.Lpoly1305_init
7565 ++# endif
7566 ++.comm OPENSSL_armcap_P,4,4
7567 ++.hidden OPENSSL_armcap_P
7568 ++#endif
7569 ++#endif
7570 ++___
7571 ++} }
7572 ++$code.=<<___;
7573 ++.asciz "Poly1305 for ARMv4/NEON, CRYPTOGAMS by \@dot-asm"
7574 ++.align 2
7575 ++___
7576 ++
7577 ++foreach (split("\n",$code)) {
7578 ++ s/\`([^\`]*)\`/eval $1/geo;
7579 ++
7580 ++ s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
7581 ++ s/\bret\b/bx lr/go or
7582 ++ s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
7583 ++
7584 ++ print $_,"\n";
7585 ++}
7586 ++close STDOUT; # enforce flush
7587 +--- /dev/null
7588 ++++ b/arch/arm/crypto/poly1305-core.S_shipped
7589 +@@ -0,0 +1,1158 @@
7590 ++#ifndef __KERNEL__
7591 ++# include "arm_arch.h"
7592 ++#else
7593 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__
7594 ++# define __ARM_MAX_ARCH__ __LINUX_ARM_ARCH__
7595 ++# define poly1305_init poly1305_init_arm
7596 ++# define poly1305_blocks poly1305_blocks_arm
7597 ++# define poly1305_emit poly1305_emit_arm
7598 ++.globl poly1305_blocks_neon
7599 ++#endif
7600 ++
7601 ++#if defined(__thumb2__)
7602 ++.syntax unified
7603 ++.thumb
7604 ++#else
7605 ++.code 32
7606 ++#endif
7607 ++
7608 ++.text
7609 ++
7610 ++.globl poly1305_emit
7611 ++.globl poly1305_blocks
7612 ++.globl poly1305_init
7613 ++.type poly1305_init,%function
7614 ++.align 5
7615 ++poly1305_init:
7616 ++.Lpoly1305_init:
7617 ++ stmdb sp!,{r4-r11}
7618 ++
7619 ++ eor r3,r3,r3
7620 ++ cmp r1,#0
7621 ++ str r3,[r0,#0] @ zero hash value
7622 ++ str r3,[r0,#4]
7623 ++ str r3,[r0,#8]
7624 ++ str r3,[r0,#12]
7625 ++ str r3,[r0,#16]
7626 ++ str r3,[r0,#36] @ clear is_base2_26
7627 ++ add r0,r0,#20
7628 ++
7629 ++#ifdef __thumb2__
7630 ++ it eq
7631 ++#endif
7632 ++ moveq r0,#0
7633 ++ beq .Lno_key
7634 ++
7635 ++#if __ARM_MAX_ARCH__>=7
7636 ++ mov r3,#-1
7637 ++ str r3,[r0,#28] @ impossible key power value
7638 ++# ifndef __KERNEL__
7639 ++ adr r11,.Lpoly1305_init
7640 ++ ldr r12,.LOPENSSL_armcap
7641 ++# endif
7642 ++#endif
7643 ++ ldrb r4,[r1,#0]
7644 ++ mov r10,#0x0fffffff
7645 ++ ldrb r5,[r1,#1]
7646 ++ and r3,r10,#-4 @ 0x0ffffffc
7647 ++ ldrb r6,[r1,#2]
7648 ++ ldrb r7,[r1,#3]
7649 ++ orr r4,r4,r5,lsl#8
7650 ++ ldrb r5,[r1,#4]
7651 ++ orr r4,r4,r6,lsl#16
7652 ++ ldrb r6,[r1,#5]
7653 ++ orr r4,r4,r7,lsl#24
7654 ++ ldrb r7,[r1,#6]
7655 ++ and r4,r4,r10
7656 ++
7657 ++#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
7658 ++# if !defined(_WIN32)
7659 ++ ldr r12,[r11,r12] @ OPENSSL_armcap_P
7660 ++# endif
7661 ++# if defined(__APPLE__) || defined(_WIN32)
7662 ++ ldr r12,[r12]
7663 ++# endif
7664 ++#endif
7665 ++ ldrb r8,[r1,#7]
7666 ++ orr r5,r5,r6,lsl#8
7667 ++ ldrb r6,[r1,#8]
7668 ++ orr r5,r5,r7,lsl#16
7669 ++ ldrb r7,[r1,#9]
7670 ++ orr r5,r5,r8,lsl#24
7671 ++ ldrb r8,[r1,#10]
7672 ++ and r5,r5,r3
7673 ++
7674 ++#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
7675 ++ tst r12,#ARMV7_NEON @ check for NEON
7676 ++# ifdef __thumb2__
7677 ++ adr r9,.Lpoly1305_blocks_neon
7678 ++ adr r11,.Lpoly1305_blocks
7679 ++ it ne
7680 ++ movne r11,r9
7681 ++ adr r12,.Lpoly1305_emit
7682 ++ orr r11,r11,#1 @ thumb-ify addresses
7683 ++ orr r12,r12,#1
7684 ++# else
7685 ++ add r12,r11,#(.Lpoly1305_emit-.Lpoly1305_init)
7686 ++ ite eq
7687 ++ addeq r11,r11,#(.Lpoly1305_blocks-.Lpoly1305_init)
7688 ++ addne r11,r11,#(.Lpoly1305_blocks_neon-.Lpoly1305_init)
7689 ++# endif
7690 ++#endif
7691 ++ ldrb r9,[r1,#11]
7692 ++ orr r6,r6,r7,lsl#8
7693 ++ ldrb r7,[r1,#12]
7694 ++ orr r6,r6,r8,lsl#16
7695 ++ ldrb r8,[r1,#13]
7696 ++ orr r6,r6,r9,lsl#24
7697 ++ ldrb r9,[r1,#14]
7698 ++ and r6,r6,r3
7699 ++
7700 ++ ldrb r10,[r1,#15]
7701 ++ orr r7,r7,r8,lsl#8
7702 ++ str r4,[r0,#0]
7703 ++ orr r7,r7,r9,lsl#16
7704 ++ str r5,[r0,#4]
7705 ++ orr r7,r7,r10,lsl#24
7706 ++ str r6,[r0,#8]
7707 ++ and r7,r7,r3
7708 ++ str r7,[r0,#12]
7709 ++#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
7710 ++ stmia r2,{r11,r12} @ fill functions table
7711 ++ mov r0,#1
7712 ++#else
7713 ++ mov r0,#0
7714 ++#endif
7715 ++.Lno_key:
7716 ++ ldmia sp!,{r4-r11}
7717 ++#if __ARM_ARCH__>=5
7718 ++ bx lr @ bx lr
7719 ++#else
7720 ++ tst lr,#1
7721 ++ moveq pc,lr @ be binary compatible with V4, yet
7722 ++ .word 0xe12fff1e @ interoperable with Thumb ISA:-)
7723 ++#endif
7724 ++.size poly1305_init,.-poly1305_init
7725 ++.type poly1305_blocks,%function
7726 ++.align 5
7727 ++poly1305_blocks:
7728 ++.Lpoly1305_blocks:
7729 ++ stmdb sp!,{r3-r11,lr}
7730 ++
7731 ++ ands r2,r2,#-16
7732 ++ beq .Lno_data
7733 ++
7734 ++ add r2,r2,r1 @ end pointer
7735 ++ sub sp,sp,#32
7736 ++
7737 ++#if __ARM_ARCH__<7
7738 ++ ldmia r0,{r4-r12} @ load context
7739 ++ add r0,r0,#20
7740 ++ str r2,[sp,#16] @ offload stuff
7741 ++ str r0,[sp,#12]
7742 ++#else
7743 ++ ldr lr,[r0,#36] @ is_base2_26
7744 ++ ldmia r0!,{r4-r8} @ load hash value
7745 ++ str r2,[sp,#16] @ offload stuff
7746 ++ str r0,[sp,#12]
7747 ++
7748 ++ adds r9,r4,r5,lsl#26 @ base 2^26 -> base 2^32
7749 ++ mov r10,r5,lsr#6
7750 ++ adcs r10,r10,r6,lsl#20
7751 ++ mov r11,r6,lsr#12
7752 ++ adcs r11,r11,r7,lsl#14
7753 ++ mov r12,r7,lsr#18
7754 ++ adcs r12,r12,r8,lsl#8
7755 ++ mov r2,#0
7756 ++ teq lr,#0
7757 ++ str r2,[r0,#16] @ clear is_base2_26
7758 ++ adc r2,r2,r8,lsr#24
7759 ++
7760 ++ itttt ne
7761 ++ movne r4,r9 @ choose between radixes
7762 ++ movne r5,r10
7763 ++ movne r6,r11
7764 ++ movne r7,r12
7765 ++ ldmia r0,{r9-r12} @ load key
7766 ++ it ne
7767 ++ movne r8,r2
7768 ++#endif
7769 ++
7770 ++ mov lr,r1
7771 ++ cmp r3,#0
7772 ++ str r10,[sp,#20]
7773 ++ str r11,[sp,#24]
7774 ++ str r12,[sp,#28]
7775 ++ b .Loop
7776 ++
7777 ++.align 4
7778 ++.Loop:
7779 ++#if __ARM_ARCH__<7
7780 ++ ldrb r0,[lr],#16 @ load input
7781 ++# ifdef __thumb2__
7782 ++ it hi
7783 ++# endif
7784 ++ addhi r8,r8,#1 @ 1<<128
7785 ++ ldrb r1,[lr,#-15]
7786 ++ ldrb r2,[lr,#-14]
7787 ++ ldrb r3,[lr,#-13]
7788 ++ orr r1,r0,r1,lsl#8
7789 ++ ldrb r0,[lr,#-12]
7790 ++ orr r2,r1,r2,lsl#16
7791 ++ ldrb r1,[lr,#-11]
7792 ++ orr r3,r2,r3,lsl#24
7793 ++ ldrb r2,[lr,#-10]
7794 ++ adds r4,r4,r3 @ accumulate input
7795 ++
7796 ++ ldrb r3,[lr,#-9]
7797 ++ orr r1,r0,r1,lsl#8
7798 ++ ldrb r0,[lr,#-8]
7799 ++ orr r2,r1,r2,lsl#16
7800 ++ ldrb r1,[lr,#-7]
7801 ++ orr r3,r2,r3,lsl#24
7802 ++ ldrb r2,[lr,#-6]
7803 ++ adcs r5,r5,r3
7804 ++
7805 ++ ldrb r3,[lr,#-5]
7806 ++ orr r1,r0,r1,lsl#8
7807 ++ ldrb r0,[lr,#-4]
7808 ++ orr r2,r1,r2,lsl#16
7809 ++ ldrb r1,[lr,#-3]
7810 ++ orr r3,r2,r3,lsl#24
7811 ++ ldrb r2,[lr,#-2]
7812 ++ adcs r6,r6,r3
7813 ++
7814 ++ ldrb r3,[lr,#-1]
7815 ++ orr r1,r0,r1,lsl#8
7816 ++ str lr,[sp,#8] @ offload input pointer
7817 ++ orr r2,r1,r2,lsl#16
7818 ++ add r10,r10,r10,lsr#2
7819 ++ orr r3,r2,r3,lsl#24
7820 ++#else
7821 ++ ldr r0,[lr],#16 @ load input
7822 ++ it hi
7823 ++ addhi r8,r8,#1 @ padbit
7824 ++ ldr r1,[lr,#-12]
7825 ++ ldr r2,[lr,#-8]
7826 ++ ldr r3,[lr,#-4]
7827 ++# ifdef __ARMEB__
7828 ++ rev r0,r0
7829 ++ rev r1,r1
7830 ++ rev r2,r2
7831 ++ rev r3,r3
7832 ++# endif
7833 ++ adds r4,r4,r0 @ accumulate input
7834 ++ str lr,[sp,#8] @ offload input pointer
7835 ++ adcs r5,r5,r1
7836 ++ add r10,r10,r10,lsr#2
7837 ++ adcs r6,r6,r2
7838 ++#endif
7839 ++ add r11,r11,r11,lsr#2
7840 ++ adcs r7,r7,r3
7841 ++ add r12,r12,r12,lsr#2
7842 ++
7843 ++ umull r2,r3,r5,r9
7844 ++ adc r8,r8,#0
7845 ++ umull r0,r1,r4,r9
7846 ++ umlal r2,r3,r8,r10
7847 ++ umlal r0,r1,r7,r10
7848 ++ ldr r10,[sp,#20] @ reload r10
7849 ++ umlal r2,r3,r6,r12
7850 ++ umlal r0,r1,r5,r12
7851 ++ umlal r2,r3,r7,r11
7852 ++ umlal r0,r1,r6,r11
7853 ++ umlal r2,r3,r4,r10
7854 ++ str r0,[sp,#0] @ future r4
7855 ++ mul r0,r11,r8
7856 ++ ldr r11,[sp,#24] @ reload r11
7857 ++ adds r2,r2,r1 @ d1+=d0>>32
7858 ++ eor r1,r1,r1
7859 ++ adc lr,r3,#0 @ future r6
7860 ++ str r2,[sp,#4] @ future r5
7861 ++
7862 ++ mul r2,r12,r8
7863 ++ eor r3,r3,r3
7864 ++ umlal r0,r1,r7,r12
7865 ++ ldr r12,[sp,#28] @ reload r12
7866 ++ umlal r2,r3,r7,r9
7867 ++ umlal r0,r1,r6,r9
7868 ++ umlal r2,r3,r6,r10
7869 ++ umlal r0,r1,r5,r10
7870 ++ umlal r2,r3,r5,r11
7871 ++ umlal r0,r1,r4,r11
7872 ++ umlal r2,r3,r4,r12
7873 ++ ldr r4,[sp,#0]
7874 ++ mul r8,r9,r8
7875 ++ ldr r5,[sp,#4]
7876 ++
7877 ++ adds r6,lr,r0 @ d2+=d1>>32
7878 ++ ldr lr,[sp,#8] @ reload input pointer
7879 ++ adc r1,r1,#0
7880 ++ adds r7,r2,r1 @ d3+=d2>>32
7881 ++ ldr r0,[sp,#16] @ reload end pointer
7882 ++ adc r3,r3,#0
7883 ++ add r8,r8,r3 @ h4+=d3>>32
7884 ++
7885 ++ and r1,r8,#-4
7886 ++ and r8,r8,#3
7887 ++ add r1,r1,r1,lsr#2 @ *=5
7888 ++ adds r4,r4,r1
7889 ++ adcs r5,r5,#0
7890 ++ adcs r6,r6,#0
7891 ++ adcs r7,r7,#0
7892 ++ adc r8,r8,#0
7893 ++
7894 ++ cmp r0,lr @ done yet?
7895 ++ bhi .Loop
7896 ++
7897 ++ ldr r0,[sp,#12]
7898 ++ add sp,sp,#32
7899 ++ stmdb r0,{r4-r8} @ store the result
7900 ++
7901 ++.Lno_data:
7902 ++#if __ARM_ARCH__>=5
7903 ++ ldmia sp!,{r3-r11,pc}
7904 ++#else
7905 ++ ldmia sp!,{r3-r11,lr}
7906 ++ tst lr,#1
7907 ++ moveq pc,lr @ be binary compatible with V4, yet
7908 ++ .word 0xe12fff1e @ interoperable with Thumb ISA:-)
7909 ++#endif
7910 ++.size poly1305_blocks,.-poly1305_blocks
7911 ++.type poly1305_emit,%function
7912 ++.align 5
7913 ++poly1305_emit:
7914 ++.Lpoly1305_emit:
7915 ++ stmdb sp!,{r4-r11}
7916 ++
7917 ++ ldmia r0,{r3-r7}
7918 ++
7919 ++#if __ARM_ARCH__>=7
7920 ++ ldr ip,[r0,#36] @ is_base2_26
7921 ++
7922 ++ adds r8,r3,r4,lsl#26 @ base 2^26 -> base 2^32
7923 ++ mov r9,r4,lsr#6
7924 ++ adcs r9,r9,r5,lsl#20
7925 ++ mov r10,r5,lsr#12
7926 ++ adcs r10,r10,r6,lsl#14
7927 ++ mov r11,r6,lsr#18
7928 ++ adcs r11,r11,r7,lsl#8
7929 ++ mov r0,#0
7930 ++ adc r0,r0,r7,lsr#24
7931 ++
7932 ++ tst ip,ip
7933 ++ itttt ne
7934 ++ movne r3,r8
7935 ++ movne r4,r9
7936 ++ movne r5,r10
7937 ++ movne r6,r11
7938 ++ it ne
7939 ++ movne r7,r0
7940 ++#endif
7941 ++
7942 ++ adds r8,r3,#5 @ compare to modulus
7943 ++ adcs r9,r4,#0
7944 ++ adcs r10,r5,#0
7945 ++ adcs r11,r6,#0
7946 ++ adc r0,r7,#0
7947 ++ tst r0,#4 @ did it carry/borrow?
7948 ++
7949 ++#ifdef __thumb2__
7950 ++ it ne
7951 ++#endif
7952 ++ movne r3,r8
7953 ++ ldr r8,[r2,#0]
7954 ++#ifdef __thumb2__
7955 ++ it ne
7956 ++#endif
7957 ++ movne r4,r9
7958 ++ ldr r9,[r2,#4]
7959 ++#ifdef __thumb2__
7960 ++ it ne
7961 ++#endif
7962 ++ movne r5,r10
7963 ++ ldr r10,[r2,#8]
7964 ++#ifdef __thumb2__
7965 ++ it ne
7966 ++#endif
7967 ++ movne r6,r11
7968 ++ ldr r11,[r2,#12]
7969 ++
7970 ++ adds r3,r3,r8
7971 ++ adcs r4,r4,r9
7972 ++ adcs r5,r5,r10
7973 ++ adc r6,r6,r11
7974 ++
7975 ++#if __ARM_ARCH__>=7
7976 ++# ifdef __ARMEB__
7977 ++ rev r3,r3
7978 ++ rev r4,r4
7979 ++ rev r5,r5
7980 ++ rev r6,r6
7981 ++# endif
7982 ++ str r3,[r1,#0]
7983 ++ str r4,[r1,#4]
7984 ++ str r5,[r1,#8]
7985 ++ str r6,[r1,#12]
7986 ++#else
7987 ++ strb r3,[r1,#0]
7988 ++ mov r3,r3,lsr#8
7989 ++ strb r4,[r1,#4]
7990 ++ mov r4,r4,lsr#8
7991 ++ strb r5,[r1,#8]
7992 ++ mov r5,r5,lsr#8
7993 ++ strb r6,[r1,#12]
7994 ++ mov r6,r6,lsr#8
7995 ++
7996 ++ strb r3,[r1,#1]
7997 ++ mov r3,r3,lsr#8
7998 ++ strb r4,[r1,#5]
7999 ++ mov r4,r4,lsr#8
8000 ++ strb r5,[r1,#9]
8001 ++ mov r5,r5,lsr#8
8002 ++ strb r6,[r1,#13]
8003 ++ mov r6,r6,lsr#8
8004 ++
8005 ++ strb r3,[r1,#2]
8006 ++ mov r3,r3,lsr#8
8007 ++ strb r4,[r1,#6]
8008 ++ mov r4,r4,lsr#8
8009 ++ strb r5,[r1,#10]
8010 ++ mov r5,r5,lsr#8
8011 ++ strb r6,[r1,#14]
8012 ++ mov r6,r6,lsr#8
8013 ++
8014 ++ strb r3,[r1,#3]
8015 ++ strb r4,[r1,#7]
8016 ++ strb r5,[r1,#11]
8017 ++ strb r6,[r1,#15]
8018 ++#endif
8019 ++ ldmia sp!,{r4-r11}
8020 ++#if __ARM_ARCH__>=5
8021 ++ bx lr @ bx lr
8022 ++#else
8023 ++ tst lr,#1
8024 ++ moveq pc,lr @ be binary compatible with V4, yet
8025 ++ .word 0xe12fff1e @ interoperable with Thumb ISA:-)
8026 ++#endif
8027 ++.size poly1305_emit,.-poly1305_emit
8028 ++#if __ARM_MAX_ARCH__>=7
8029 ++.fpu neon
8030 ++
8031 ++.type poly1305_init_neon,%function
8032 ++.align 5
8033 ++poly1305_init_neon:
8034 ++.Lpoly1305_init_neon:
8035 ++ ldr r3,[r0,#48] @ first table element
8036 ++ cmp r3,#-1 @ is value impossible?
8037 ++ bne .Lno_init_neon
8038 ++
8039 ++ ldr r4,[r0,#20] @ load key base 2^32
8040 ++ ldr r5,[r0,#24]
8041 ++ ldr r6,[r0,#28]
8042 ++ ldr r7,[r0,#32]
8043 ++
8044 ++ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
8045 ++ mov r3,r4,lsr#26
8046 ++ mov r4,r5,lsr#20
8047 ++ orr r3,r3,r5,lsl#6
8048 ++ mov r5,r6,lsr#14
8049 ++ orr r4,r4,r6,lsl#12
8050 ++ mov r6,r7,lsr#8
8051 ++ orr r5,r5,r7,lsl#18
8052 ++ and r3,r3,#0x03ffffff
8053 ++ and r4,r4,#0x03ffffff
8054 ++ and r5,r5,#0x03ffffff
8055 ++
8056 ++ vdup.32 d0,r2 @ r^1 in both lanes
8057 ++ add r2,r3,r3,lsl#2 @ *5
8058 ++ vdup.32 d1,r3
8059 ++ add r3,r4,r4,lsl#2
8060 ++ vdup.32 d2,r2
8061 ++ vdup.32 d3,r4
8062 ++ add r4,r5,r5,lsl#2
8063 ++ vdup.32 d4,r3
8064 ++ vdup.32 d5,r5
8065 ++ add r5,r6,r6,lsl#2
8066 ++ vdup.32 d6,r4
8067 ++ vdup.32 d7,r6
8068 ++ vdup.32 d8,r5
8069 ++
8070 ++ mov r5,#2 @ counter
8071 ++
8072 ++.Lsquare_neon:
8073 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8074 ++ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
8075 ++ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
8076 ++ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
8077 ++ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
8078 ++ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
8079 ++
8080 ++ vmull.u32 q5,d0,d0[1]
8081 ++ vmull.u32 q6,d1,d0[1]
8082 ++ vmull.u32 q7,d3,d0[1]
8083 ++ vmull.u32 q8,d5,d0[1]
8084 ++ vmull.u32 q9,d7,d0[1]
8085 ++
8086 ++ vmlal.u32 q5,d7,d2[1]
8087 ++ vmlal.u32 q6,d0,d1[1]
8088 ++ vmlal.u32 q7,d1,d1[1]
8089 ++ vmlal.u32 q8,d3,d1[1]
8090 ++ vmlal.u32 q9,d5,d1[1]
8091 ++
8092 ++ vmlal.u32 q5,d5,d4[1]
8093 ++ vmlal.u32 q6,d7,d4[1]
8094 ++ vmlal.u32 q8,d1,d3[1]
8095 ++ vmlal.u32 q7,d0,d3[1]
8096 ++ vmlal.u32 q9,d3,d3[1]
8097 ++
8098 ++ vmlal.u32 q5,d3,d6[1]
8099 ++ vmlal.u32 q8,d0,d5[1]
8100 ++ vmlal.u32 q6,d5,d6[1]
8101 ++ vmlal.u32 q7,d7,d6[1]
8102 ++ vmlal.u32 q9,d1,d5[1]
8103 ++
8104 ++ vmlal.u32 q8,d7,d8[1]
8105 ++ vmlal.u32 q5,d1,d8[1]
8106 ++ vmlal.u32 q6,d3,d8[1]
8107 ++ vmlal.u32 q7,d5,d8[1]
8108 ++ vmlal.u32 q9,d0,d7[1]
8109 ++
8110 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8111 ++ @ lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
8112 ++ @ and P. Schwabe
8113 ++ @
8114 ++ @ H0>>+H1>>+H2>>+H3>>+H4
8115 ++ @ H3>>+H4>>*5+H0>>+H1
8116 ++ @
8117 ++ @ Trivia.
8118 ++ @
8119 ++ @ Result of multiplication of n-bit number by m-bit number is
8120 ++ @ n+m bits wide. However! Even though 2^n is a n+1-bit number,
8121 ++ @ m-bit number multiplied by 2^n is still n+m bits wide.
8122 ++ @
8123 ++ @ Sum of two n-bit numbers is n+1 bits wide, sum of three - n+2,
8124 ++ @ and so is sum of four. Sum of 2^m n-m-bit numbers and n-bit
8125 ++ @ one is n+1 bits wide.
8126 ++ @
8127 ++ @ >>+ denotes Hnext += Hn>>26, Hn &= 0x3ffffff. This means that
8128 ++ @ H0, H2, H3 are guaranteed to be 26 bits wide, while H1 and H4
8129 ++ @ can be 27. However! In cases when their width exceeds 26 bits
8130 ++ @ they are limited by 2^26+2^6. This in turn means that *sum*
8131 ++ @ of the products with these values can still be viewed as sum
8132 ++ @ of 52-bit numbers as long as the amount of addends is not a
8133 ++ @ power of 2. For example,
8134 ++ @
8135 ++ @ H4 = H4*R0 + H3*R1 + H2*R2 + H1*R3 + H0 * R4,
8136 ++ @
8137 ++ @ which can't be larger than 5 * (2^26 + 2^6) * (2^26 + 2^6), or
8138 ++ @ 5 * (2^52 + 2*2^32 + 2^12), which in turn is smaller than
8139 ++ @ 8 * (2^52) or 2^55. However, the value is then multiplied by
8140 ++ @ by 5, so we should be looking at 5 * 5 * (2^52 + 2^33 + 2^12),
8141 ++ @ which is less than 32 * (2^52) or 2^57. And when processing
8142 ++ @ data we are looking at triple as many addends...
8143 ++ @
8144 ++ @ In key setup procedure pre-reduced H0 is limited by 5*4+1 and
8145 ++ @ 5*H4 - by 5*5 52-bit addends, or 57 bits. But when hashing the
8146 ++ @ input H0 is limited by (5*4+1)*3 addends, or 58 bits, while
8147 ++ @ 5*H4 by 5*5*3, or 59[!] bits. How is this relevant? vmlal.u32
8148 ++ @ instruction accepts 2x32-bit input and writes 2x64-bit result.
8149 ++ @ This means that result of reduction have to be compressed upon
8150 ++ @ loop wrap-around. This can be done in the process of reduction
8151 ++ @ to minimize amount of instructions [as well as amount of
8152 ++ @ 128-bit instructions, which benefits low-end processors], but
8153 ++ @ one has to watch for H2 (which is narrower than H0) and 5*H4
8154 ++ @ not being wider than 58 bits, so that result of right shift
8155 ++ @ by 26 bits fits in 32 bits. This is also useful on x86,
8156 ++ @ because it allows to use paddd in place for paddq, which
8157 ++ @ benefits Atom, where paddq is ridiculously slow.
8158 ++
8159 ++ vshr.u64 q15,q8,#26
8160 ++ vmovn.i64 d16,q8
8161 ++ vshr.u64 q4,q5,#26
8162 ++ vmovn.i64 d10,q5
8163 ++ vadd.i64 q9,q9,q15 @ h3 -> h4
8164 ++ vbic.i32 d16,#0xfc000000 @ &=0x03ffffff
8165 ++ vadd.i64 q6,q6,q4 @ h0 -> h1
8166 ++ vbic.i32 d10,#0xfc000000
8167 ++
8168 ++ vshrn.u64 d30,q9,#26
8169 ++ vmovn.i64 d18,q9
8170 ++ vshr.u64 q4,q6,#26
8171 ++ vmovn.i64 d12,q6
8172 ++ vadd.i64 q7,q7,q4 @ h1 -> h2
8173 ++ vbic.i32 d18,#0xfc000000
8174 ++ vbic.i32 d12,#0xfc000000
8175 ++
8176 ++ vadd.i32 d10,d10,d30
8177 ++ vshl.u32 d30,d30,#2
8178 ++ vshrn.u64 d8,q7,#26
8179 ++ vmovn.i64 d14,q7
8180 ++ vadd.i32 d10,d10,d30 @ h4 -> h0
8181 ++ vadd.i32 d16,d16,d8 @ h2 -> h3
8182 ++ vbic.i32 d14,#0xfc000000
8183 ++
8184 ++ vshr.u32 d30,d10,#26
8185 ++ vbic.i32 d10,#0xfc000000
8186 ++ vshr.u32 d8,d16,#26
8187 ++ vbic.i32 d16,#0xfc000000
8188 ++ vadd.i32 d12,d12,d30 @ h0 -> h1
8189 ++ vadd.i32 d18,d18,d8 @ h3 -> h4
8190 ++
8191 ++ subs r5,r5,#1
8192 ++ beq .Lsquare_break_neon
8193 ++
8194 ++ add r6,r0,#(48+0*9*4)
8195 ++ add r7,r0,#(48+1*9*4)
8196 ++
8197 ++ vtrn.32 d0,d10 @ r^2:r^1
8198 ++ vtrn.32 d3,d14
8199 ++ vtrn.32 d5,d16
8200 ++ vtrn.32 d1,d12
8201 ++ vtrn.32 d7,d18
8202 ++
8203 ++ vshl.u32 d4,d3,#2 @ *5
8204 ++ vshl.u32 d6,d5,#2
8205 ++ vshl.u32 d2,d1,#2
8206 ++ vshl.u32 d8,d7,#2
8207 ++ vadd.i32 d4,d4,d3
8208 ++ vadd.i32 d2,d2,d1
8209 ++ vadd.i32 d6,d6,d5
8210 ++ vadd.i32 d8,d8,d7
8211 ++
8212 ++ vst4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]!
8213 ++ vst4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]!
8214 ++ vst4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8215 ++ vst4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8216 ++ vst1.32 {d8[0]},[r6,:32]
8217 ++ vst1.32 {d8[1]},[r7,:32]
8218 ++
8219 ++ b .Lsquare_neon
8220 ++
8221 ++.align 4
8222 ++.Lsquare_break_neon:
8223 ++ add r6,r0,#(48+2*4*9)
8224 ++ add r7,r0,#(48+3*4*9)
8225 ++
8226 ++ vmov d0,d10 @ r^4:r^3
8227 ++ vshl.u32 d2,d12,#2 @ *5
8228 ++ vmov d1,d12
8229 ++ vshl.u32 d4,d14,#2
8230 ++ vmov d3,d14
8231 ++ vshl.u32 d6,d16,#2
8232 ++ vmov d5,d16
8233 ++ vshl.u32 d8,d18,#2
8234 ++ vmov d7,d18
8235 ++ vadd.i32 d2,d2,d12
8236 ++ vadd.i32 d4,d4,d14
8237 ++ vadd.i32 d6,d6,d16
8238 ++ vadd.i32 d8,d8,d18
8239 ++
8240 ++ vst4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]!
8241 ++ vst4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]!
8242 ++ vst4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8243 ++ vst4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8244 ++ vst1.32 {d8[0]},[r6]
8245 ++ vst1.32 {d8[1]},[r7]
8246 ++
8247 ++.Lno_init_neon:
8248 ++ bx lr @ bx lr
8249 ++.size poly1305_init_neon,.-poly1305_init_neon
8250 ++
8251 ++.type poly1305_blocks_neon,%function
8252 ++.align 5
8253 ++poly1305_blocks_neon:
8254 ++.Lpoly1305_blocks_neon:
8255 ++ ldr ip,[r0,#36] @ is_base2_26
8256 ++
8257 ++ cmp r2,#64
8258 ++ blo .Lpoly1305_blocks
8259 ++
8260 ++ stmdb sp!,{r4-r7}
8261 ++ vstmdb sp!,{d8-d15} @ ABI specification says so
8262 ++
8263 ++ tst ip,ip @ is_base2_26?
8264 ++ bne .Lbase2_26_neon
8265 ++
8266 ++ stmdb sp!,{r1-r3,lr}
8267 ++ bl .Lpoly1305_init_neon
8268 ++
8269 ++ ldr r4,[r0,#0] @ load hash value base 2^32
8270 ++ ldr r5,[r0,#4]
8271 ++ ldr r6,[r0,#8]
8272 ++ ldr r7,[r0,#12]
8273 ++ ldr ip,[r0,#16]
8274 ++
8275 ++ and r2,r4,#0x03ffffff @ base 2^32 -> base 2^26
8276 ++ mov r3,r4,lsr#26
8277 ++ veor d10,d10,d10
8278 ++ mov r4,r5,lsr#20
8279 ++ orr r3,r3,r5,lsl#6
8280 ++ veor d12,d12,d12
8281 ++ mov r5,r6,lsr#14
8282 ++ orr r4,r4,r6,lsl#12
8283 ++ veor d14,d14,d14
8284 ++ mov r6,r7,lsr#8
8285 ++ orr r5,r5,r7,lsl#18
8286 ++ veor d16,d16,d16
8287 ++ and r3,r3,#0x03ffffff
8288 ++ orr r6,r6,ip,lsl#24
8289 ++ veor d18,d18,d18
8290 ++ and r4,r4,#0x03ffffff
8291 ++ mov r1,#1
8292 ++ and r5,r5,#0x03ffffff
8293 ++ str r1,[r0,#36] @ set is_base2_26
8294 ++
8295 ++ vmov.32 d10[0],r2
8296 ++ vmov.32 d12[0],r3
8297 ++ vmov.32 d14[0],r4
8298 ++ vmov.32 d16[0],r5
8299 ++ vmov.32 d18[0],r6
8300 ++ adr r5,.Lzeros
8301 ++
8302 ++ ldmia sp!,{r1-r3,lr}
8303 ++ b .Lhash_loaded
8304 ++
8305 ++.align 4
8306 ++.Lbase2_26_neon:
8307 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8308 ++ @ load hash value
8309 ++
8310 ++ veor d10,d10,d10
8311 ++ veor d12,d12,d12
8312 ++ veor d14,d14,d14
8313 ++ veor d16,d16,d16
8314 ++ veor d18,d18,d18
8315 ++ vld4.32 {d10[0],d12[0],d14[0],d16[0]},[r0]!
8316 ++ adr r5,.Lzeros
8317 ++ vld1.32 {d18[0]},[r0]
8318 ++ sub r0,r0,#16 @ rewind
8319 ++
8320 ++.Lhash_loaded:
8321 ++ add r4,r1,#32
8322 ++ mov r3,r3,lsl#24
8323 ++ tst r2,#31
8324 ++ beq .Leven
8325 ++
8326 ++ vld4.32 {d20[0],d22[0],d24[0],d26[0]},[r1]!
8327 ++ vmov.32 d28[0],r3
8328 ++ sub r2,r2,#16
8329 ++ add r4,r1,#32
8330 ++
8331 ++# ifdef __ARMEB__
8332 ++ vrev32.8 q10,q10
8333 ++ vrev32.8 q13,q13
8334 ++ vrev32.8 q11,q11
8335 ++ vrev32.8 q12,q12
8336 ++# endif
8337 ++ vsri.u32 d28,d26,#8 @ base 2^32 -> base 2^26
8338 ++ vshl.u32 d26,d26,#18
8339 ++
8340 ++ vsri.u32 d26,d24,#14
8341 ++ vshl.u32 d24,d24,#12
8342 ++ vadd.i32 d29,d28,d18 @ add hash value and move to #hi
8343 ++
8344 ++ vbic.i32 d26,#0xfc000000
8345 ++ vsri.u32 d24,d22,#20
8346 ++ vshl.u32 d22,d22,#6
8347 ++
8348 ++ vbic.i32 d24,#0xfc000000
8349 ++ vsri.u32 d22,d20,#26
8350 ++ vadd.i32 d27,d26,d16
8351 ++
8352 ++ vbic.i32 d20,#0xfc000000
8353 ++ vbic.i32 d22,#0xfc000000
8354 ++ vadd.i32 d25,d24,d14
8355 ++
8356 ++ vadd.i32 d21,d20,d10
8357 ++ vadd.i32 d23,d22,d12
8358 ++
8359 ++ mov r7,r5
8360 ++ add r6,r0,#48
8361 ++
8362 ++ cmp r2,r2
8363 ++ b .Long_tail
8364 ++
8365 ++.align 4
8366 ++.Leven:
8367 ++ subs r2,r2,#64
8368 ++ it lo
8369 ++ movlo r4,r5
8370 ++
8371 ++ vmov.i32 q14,#1<<24 @ padbit, yes, always
8372 ++ vld4.32 {d20,d22,d24,d26},[r1] @ inp[0:1]
8373 ++ add r1,r1,#64
8374 ++ vld4.32 {d21,d23,d25,d27},[r4] @ inp[2:3] (or 0)
8375 ++ add r4,r4,#64
8376 ++ itt hi
8377 ++ addhi r7,r0,#(48+1*9*4)
8378 ++ addhi r6,r0,#(48+3*9*4)
8379 ++
8380 ++# ifdef __ARMEB__
8381 ++ vrev32.8 q10,q10
8382 ++ vrev32.8 q13,q13
8383 ++ vrev32.8 q11,q11
8384 ++ vrev32.8 q12,q12
8385 ++# endif
8386 ++ vsri.u32 q14,q13,#8 @ base 2^32 -> base 2^26
8387 ++ vshl.u32 q13,q13,#18
8388 ++
8389 ++ vsri.u32 q13,q12,#14
8390 ++ vshl.u32 q12,q12,#12
8391 ++
8392 ++ vbic.i32 q13,#0xfc000000
8393 ++ vsri.u32 q12,q11,#20
8394 ++ vshl.u32 q11,q11,#6
8395 ++
8396 ++ vbic.i32 q12,#0xfc000000
8397 ++ vsri.u32 q11,q10,#26
8398 ++
8399 ++ vbic.i32 q10,#0xfc000000
8400 ++ vbic.i32 q11,#0xfc000000
8401 ++
8402 ++ bls .Lskip_loop
8403 ++
8404 ++ vld4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]! @ load r^2
8405 ++ vld4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]! @ load r^4
8406 ++ vld4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8407 ++ vld4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8408 ++ b .Loop_neon
8409 ++
8410 ++.align 5
8411 ++.Loop_neon:
8412 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8413 ++ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
8414 ++ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
8415 ++ @ ___________________/
8416 ++ @ ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
8417 ++ @ ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
8418 ++ @ ___________________/ ____________________/
8419 ++ @
8420 ++ @ Note that we start with inp[2:3]*r^2. This is because it
8421 ++ @ doesn't depend on reduction in previous iteration.
8422 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8423 ++ @ d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
8424 ++ @ d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
8425 ++ @ d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
8426 ++ @ d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
8427 ++ @ d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
8428 ++
8429 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8430 ++ @ inp[2:3]*r^2
8431 ++
8432 ++ vadd.i32 d24,d24,d14 @ accumulate inp[0:1]
8433 ++ vmull.u32 q7,d25,d0[1]
8434 ++ vadd.i32 d20,d20,d10
8435 ++ vmull.u32 q5,d21,d0[1]
8436 ++ vadd.i32 d26,d26,d16
8437 ++ vmull.u32 q8,d27,d0[1]
8438 ++ vmlal.u32 q7,d23,d1[1]
8439 ++ vadd.i32 d22,d22,d12
8440 ++ vmull.u32 q6,d23,d0[1]
8441 ++
8442 ++ vadd.i32 d28,d28,d18
8443 ++ vmull.u32 q9,d29,d0[1]
8444 ++ subs r2,r2,#64
8445 ++ vmlal.u32 q5,d29,d2[1]
8446 ++ it lo
8447 ++ movlo r4,r5
8448 ++ vmlal.u32 q8,d25,d1[1]
8449 ++ vld1.32 d8[1],[r7,:32]
8450 ++ vmlal.u32 q6,d21,d1[1]
8451 ++ vmlal.u32 q9,d27,d1[1]
8452 ++
8453 ++ vmlal.u32 q5,d27,d4[1]
8454 ++ vmlal.u32 q8,d23,d3[1]
8455 ++ vmlal.u32 q9,d25,d3[1]
8456 ++ vmlal.u32 q6,d29,d4[1]
8457 ++ vmlal.u32 q7,d21,d3[1]
8458 ++
8459 ++ vmlal.u32 q8,d21,d5[1]
8460 ++ vmlal.u32 q5,d25,d6[1]
8461 ++ vmlal.u32 q9,d23,d5[1]
8462 ++ vmlal.u32 q6,d27,d6[1]
8463 ++ vmlal.u32 q7,d29,d6[1]
8464 ++
8465 ++ vmlal.u32 q8,d29,d8[1]
8466 ++ vmlal.u32 q5,d23,d8[1]
8467 ++ vmlal.u32 q9,d21,d7[1]
8468 ++ vmlal.u32 q6,d25,d8[1]
8469 ++ vmlal.u32 q7,d27,d8[1]
8470 ++
8471 ++ vld4.32 {d21,d23,d25,d27},[r4] @ inp[2:3] (or 0)
8472 ++ add r4,r4,#64
8473 ++
8474 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8475 ++ @ (hash+inp[0:1])*r^4 and accumulate
8476 ++
8477 ++ vmlal.u32 q8,d26,d0[0]
8478 ++ vmlal.u32 q5,d20,d0[0]
8479 ++ vmlal.u32 q9,d28,d0[0]
8480 ++ vmlal.u32 q6,d22,d0[0]
8481 ++ vmlal.u32 q7,d24,d0[0]
8482 ++ vld1.32 d8[0],[r6,:32]
8483 ++
8484 ++ vmlal.u32 q8,d24,d1[0]
8485 ++ vmlal.u32 q5,d28,d2[0]
8486 ++ vmlal.u32 q9,d26,d1[0]
8487 ++ vmlal.u32 q6,d20,d1[0]
8488 ++ vmlal.u32 q7,d22,d1[0]
8489 ++
8490 ++ vmlal.u32 q8,d22,d3[0]
8491 ++ vmlal.u32 q5,d26,d4[0]
8492 ++ vmlal.u32 q9,d24,d3[0]
8493 ++ vmlal.u32 q6,d28,d4[0]
8494 ++ vmlal.u32 q7,d20,d3[0]
8495 ++
8496 ++ vmlal.u32 q8,d20,d5[0]
8497 ++ vmlal.u32 q5,d24,d6[0]
8498 ++ vmlal.u32 q9,d22,d5[0]
8499 ++ vmlal.u32 q6,d26,d6[0]
8500 ++ vmlal.u32 q8,d28,d8[0]
8501 ++
8502 ++ vmlal.u32 q7,d28,d6[0]
8503 ++ vmlal.u32 q5,d22,d8[0]
8504 ++ vmlal.u32 q9,d20,d7[0]
8505 ++ vmov.i32 q14,#1<<24 @ padbit, yes, always
8506 ++ vmlal.u32 q6,d24,d8[0]
8507 ++ vmlal.u32 q7,d26,d8[0]
8508 ++
8509 ++ vld4.32 {d20,d22,d24,d26},[r1] @ inp[0:1]
8510 ++ add r1,r1,#64
8511 ++# ifdef __ARMEB__
8512 ++ vrev32.8 q10,q10
8513 ++ vrev32.8 q11,q11
8514 ++ vrev32.8 q12,q12
8515 ++ vrev32.8 q13,q13
8516 ++# endif
8517 ++
8518 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8519 ++ @ lazy reduction interleaved with base 2^32 -> base 2^26 of
8520 ++ @ inp[0:3] previously loaded to q10-q13 and smashed to q10-q14.
8521 ++
8522 ++ vshr.u64 q15,q8,#26
8523 ++ vmovn.i64 d16,q8
8524 ++ vshr.u64 q4,q5,#26
8525 ++ vmovn.i64 d10,q5
8526 ++ vadd.i64 q9,q9,q15 @ h3 -> h4
8527 ++ vbic.i32 d16,#0xfc000000
8528 ++ vsri.u32 q14,q13,#8 @ base 2^32 -> base 2^26
8529 ++ vadd.i64 q6,q6,q4 @ h0 -> h1
8530 ++ vshl.u32 q13,q13,#18
8531 ++ vbic.i32 d10,#0xfc000000
8532 ++
8533 ++ vshrn.u64 d30,q9,#26
8534 ++ vmovn.i64 d18,q9
8535 ++ vshr.u64 q4,q6,#26
8536 ++ vmovn.i64 d12,q6
8537 ++ vadd.i64 q7,q7,q4 @ h1 -> h2
8538 ++ vsri.u32 q13,q12,#14
8539 ++ vbic.i32 d18,#0xfc000000
8540 ++ vshl.u32 q12,q12,#12
8541 ++ vbic.i32 d12,#0xfc000000
8542 ++
8543 ++ vadd.i32 d10,d10,d30
8544 ++ vshl.u32 d30,d30,#2
8545 ++ vbic.i32 q13,#0xfc000000
8546 ++ vshrn.u64 d8,q7,#26
8547 ++ vmovn.i64 d14,q7
8548 ++ vaddl.u32 q5,d10,d30 @ h4 -> h0 [widen for a sec]
8549 ++ vsri.u32 q12,q11,#20
8550 ++ vadd.i32 d16,d16,d8 @ h2 -> h3
8551 ++ vshl.u32 q11,q11,#6
8552 ++ vbic.i32 d14,#0xfc000000
8553 ++ vbic.i32 q12,#0xfc000000
8554 ++
8555 ++ vshrn.u64 d30,q5,#26 @ re-narrow
8556 ++ vmovn.i64 d10,q5
8557 ++ vsri.u32 q11,q10,#26
8558 ++ vbic.i32 q10,#0xfc000000
8559 ++ vshr.u32 d8,d16,#26
8560 ++ vbic.i32 d16,#0xfc000000
8561 ++ vbic.i32 d10,#0xfc000000
8562 ++ vadd.i32 d12,d12,d30 @ h0 -> h1
8563 ++ vadd.i32 d18,d18,d8 @ h3 -> h4
8564 ++ vbic.i32 q11,#0xfc000000
8565 ++
8566 ++ bhi .Loop_neon
8567 ++
8568 ++.Lskip_loop:
8569 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8570 ++ @ multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
8571 ++
8572 ++ add r7,r0,#(48+0*9*4)
8573 ++ add r6,r0,#(48+1*9*4)
8574 ++ adds r2,r2,#32
8575 ++ it ne
8576 ++ movne r2,#0
8577 ++ bne .Long_tail
8578 ++
8579 ++ vadd.i32 d25,d24,d14 @ add hash value and move to #hi
8580 ++ vadd.i32 d21,d20,d10
8581 ++ vadd.i32 d27,d26,d16
8582 ++ vadd.i32 d23,d22,d12
8583 ++ vadd.i32 d29,d28,d18
8584 ++
8585 ++.Long_tail:
8586 ++ vld4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]! @ load r^1
8587 ++ vld4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]! @ load r^2
8588 ++
8589 ++ vadd.i32 d24,d24,d14 @ can be redundant
8590 ++ vmull.u32 q7,d25,d0
8591 ++ vadd.i32 d20,d20,d10
8592 ++ vmull.u32 q5,d21,d0
8593 ++ vadd.i32 d26,d26,d16
8594 ++ vmull.u32 q8,d27,d0
8595 ++ vadd.i32 d22,d22,d12
8596 ++ vmull.u32 q6,d23,d0
8597 ++ vadd.i32 d28,d28,d18
8598 ++ vmull.u32 q9,d29,d0
8599 ++
8600 ++ vmlal.u32 q5,d29,d2
8601 ++ vld4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8602 ++ vmlal.u32 q8,d25,d1
8603 ++ vld4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8604 ++ vmlal.u32 q6,d21,d1
8605 ++ vmlal.u32 q9,d27,d1
8606 ++ vmlal.u32 q7,d23,d1
8607 ++
8608 ++ vmlal.u32 q8,d23,d3
8609 ++ vld1.32 d8[1],[r7,:32]
8610 ++ vmlal.u32 q5,d27,d4
8611 ++ vld1.32 d8[0],[r6,:32]
8612 ++ vmlal.u32 q9,d25,d3
8613 ++ vmlal.u32 q6,d29,d4
8614 ++ vmlal.u32 q7,d21,d3
8615 ++
8616 ++ vmlal.u32 q8,d21,d5
8617 ++ it ne
8618 ++ addne r7,r0,#(48+2*9*4)
8619 ++ vmlal.u32 q5,d25,d6
8620 ++ it ne
8621 ++ addne r6,r0,#(48+3*9*4)
8622 ++ vmlal.u32 q9,d23,d5
8623 ++ vmlal.u32 q6,d27,d6
8624 ++ vmlal.u32 q7,d29,d6
8625 ++
8626 ++ vmlal.u32 q8,d29,d8
8627 ++ vorn q0,q0,q0 @ all-ones, can be redundant
8628 ++ vmlal.u32 q5,d23,d8
8629 ++ vshr.u64 q0,q0,#38
8630 ++ vmlal.u32 q9,d21,d7
8631 ++ vmlal.u32 q6,d25,d8
8632 ++ vmlal.u32 q7,d27,d8
8633 ++
8634 ++ beq .Lshort_tail
8635 ++
8636 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8637 ++ @ (hash+inp[0:1])*r^4:r^3 and accumulate
8638 ++
8639 ++ vld4.32 {d0[1],d1[1],d2[1],d3[1]},[r7]! @ load r^3
8640 ++ vld4.32 {d0[0],d1[0],d2[0],d3[0]},[r6]! @ load r^4
8641 ++
8642 ++ vmlal.u32 q7,d24,d0
8643 ++ vmlal.u32 q5,d20,d0
8644 ++ vmlal.u32 q8,d26,d0
8645 ++ vmlal.u32 q6,d22,d0
8646 ++ vmlal.u32 q9,d28,d0
8647 ++
8648 ++ vmlal.u32 q5,d28,d2
8649 ++ vld4.32 {d4[1],d5[1],d6[1],d7[1]},[r7]!
8650 ++ vmlal.u32 q8,d24,d1
8651 ++ vld4.32 {d4[0],d5[0],d6[0],d7[0]},[r6]!
8652 ++ vmlal.u32 q6,d20,d1
8653 ++ vmlal.u32 q9,d26,d1
8654 ++ vmlal.u32 q7,d22,d1
8655 ++
8656 ++ vmlal.u32 q8,d22,d3
8657 ++ vld1.32 d8[1],[r7,:32]
8658 ++ vmlal.u32 q5,d26,d4
8659 ++ vld1.32 d8[0],[r6,:32]
8660 ++ vmlal.u32 q9,d24,d3
8661 ++ vmlal.u32 q6,d28,d4
8662 ++ vmlal.u32 q7,d20,d3
8663 ++
8664 ++ vmlal.u32 q8,d20,d5
8665 ++ vmlal.u32 q5,d24,d6
8666 ++ vmlal.u32 q9,d22,d5
8667 ++ vmlal.u32 q6,d26,d6
8668 ++ vmlal.u32 q7,d28,d6
8669 ++
8670 ++ vmlal.u32 q8,d28,d8
8671 ++ vorn q0,q0,q0 @ all-ones
8672 ++ vmlal.u32 q5,d22,d8
8673 ++ vshr.u64 q0,q0,#38
8674 ++ vmlal.u32 q9,d20,d7
8675 ++ vmlal.u32 q6,d24,d8
8676 ++ vmlal.u32 q7,d26,d8
8677 ++
8678 ++.Lshort_tail:
8679 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8680 ++ @ horizontal addition
8681 ++
8682 ++ vadd.i64 d16,d16,d17
8683 ++ vadd.i64 d10,d10,d11
8684 ++ vadd.i64 d18,d18,d19
8685 ++ vadd.i64 d12,d12,d13
8686 ++ vadd.i64 d14,d14,d15
8687 ++
8688 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8689 ++ @ lazy reduction, but without narrowing
8690 ++
8691 ++ vshr.u64 q15,q8,#26
8692 ++ vand.i64 q8,q8,q0
8693 ++ vshr.u64 q4,q5,#26
8694 ++ vand.i64 q5,q5,q0
8695 ++ vadd.i64 q9,q9,q15 @ h3 -> h4
8696 ++ vadd.i64 q6,q6,q4 @ h0 -> h1
8697 ++
8698 ++ vshr.u64 q15,q9,#26
8699 ++ vand.i64 q9,q9,q0
8700 ++ vshr.u64 q4,q6,#26
8701 ++ vand.i64 q6,q6,q0
8702 ++ vadd.i64 q7,q7,q4 @ h1 -> h2
8703 ++
8704 ++ vadd.i64 q5,q5,q15
8705 ++ vshl.u64 q15,q15,#2
8706 ++ vshr.u64 q4,q7,#26
8707 ++ vand.i64 q7,q7,q0
8708 ++ vadd.i64 q5,q5,q15 @ h4 -> h0
8709 ++ vadd.i64 q8,q8,q4 @ h2 -> h3
8710 ++
8711 ++ vshr.u64 q15,q5,#26
8712 ++ vand.i64 q5,q5,q0
8713 ++ vshr.u64 q4,q8,#26
8714 ++ vand.i64 q8,q8,q0
8715 ++ vadd.i64 q6,q6,q15 @ h0 -> h1
8716 ++ vadd.i64 q9,q9,q4 @ h3 -> h4
8717 ++
8718 ++ cmp r2,#0
8719 ++ bne .Leven
8720 ++
8721 ++ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8722 ++ @ store hash value
8723 ++
8724 ++ vst4.32 {d10[0],d12[0],d14[0],d16[0]},[r0]!
8725 ++ vst1.32 {d18[0]},[r0]
8726 ++
8727 ++ vldmia sp!,{d8-d15} @ epilogue
8728 ++ ldmia sp!,{r4-r7}
8729 ++ bx lr @ bx lr
8730 ++.size poly1305_blocks_neon,.-poly1305_blocks_neon
8731 ++
8732 ++.align 5
8733 ++.Lzeros:
8734 ++.long 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
8735 ++#ifndef __KERNEL__
8736 ++.LOPENSSL_armcap:
8737 ++# ifdef _WIN32
8738 ++.word OPENSSL_armcap_P
8739 ++# else
8740 ++.word OPENSSL_armcap_P-.Lpoly1305_init
8741 ++# endif
8742 ++.comm OPENSSL_armcap_P,4,4
8743 ++.hidden OPENSSL_armcap_P
8744 ++#endif
8745 ++#endif
8746 ++.asciz "Poly1305 for ARMv4/NEON, CRYPTOGAMS by @dot-asm"
8747 ++.align 2
8748 +--- b/arch/arm/crypto/poly1305-glue.c
8749 ++++ b/arch/arm/crypto/poly1305-glue.c
8750 +@@ -0,0 +1,273 @@
8751 ++// SPDX-License-Identifier: GPL-2.0
8752 ++/*
8753 ++ * OpenSSL/Cryptogams accelerated Poly1305 transform for ARM
8754 ++ *
8755 ++ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@××××××.org>
8756 ++ */
8757 ++
8758 ++#include <asm/hwcap.h>
8759 ++#include <asm/neon.h>
8760 ++#include <asm/simd.h>
8761 ++#include <asm/unaligned.h>
8762 ++#include <crypto/algapi.h>
8763 ++#include <crypto/internal/hash.h>
8764 ++#include <crypto/internal/poly1305.h>
8765 ++#include <crypto/internal/simd.h>
8766 ++#include <linux/cpufeature.h>
8767 ++#include <linux/crypto.h>
8768 ++#include <linux/jump_label.h>
8769 ++#include <linux/module.h>
8770 ++
8771 ++void poly1305_init_arm(void *state, const u8 *key);
8772 ++void poly1305_blocks_arm(void *state, const u8 *src, u32 len, u32 hibit);
8773 ++void poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit);
8774 ++void poly1305_emit_arm(void *state, u8 *digest, const u32 *nonce);
8775 ++
8776 ++void __weak poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit)
8777 ++{
8778 ++}
8779 ++
8780 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
8781 ++
8782 ++void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
8783 ++{
8784 ++ poly1305_init_arm(&dctx->h, key);
8785 ++ dctx->s[0] = get_unaligned_le32(key + 16);
8786 ++ dctx->s[1] = get_unaligned_le32(key + 20);
8787 ++ dctx->s[2] = get_unaligned_le32(key + 24);
8788 ++ dctx->s[3] = get_unaligned_le32(key + 28);
8789 ++ dctx->buflen = 0;
8790 ++}
8791 ++EXPORT_SYMBOL(poly1305_init_arch);
8792 ++
8793 ++static int arm_poly1305_init(struct shash_desc *desc)
8794 ++{
8795 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8796 ++
8797 ++ dctx->buflen = 0;
8798 ++ dctx->rset = 0;
8799 ++ dctx->sset = false;
8800 ++
8801 ++ return 0;
8802 ++}
8803 ++
8804 ++static void arm_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
8805 ++ u32 len, u32 hibit, bool do_neon)
8806 ++{
8807 ++ if (unlikely(!dctx->sset)) {
8808 ++ if (!dctx->rset) {
8809 ++ poly1305_init_arm(&dctx->h, src);
8810 ++ src += POLY1305_BLOCK_SIZE;
8811 ++ len -= POLY1305_BLOCK_SIZE;
8812 ++ dctx->rset = 1;
8813 ++ }
8814 ++ if (len >= POLY1305_BLOCK_SIZE) {
8815 ++ dctx->s[0] = get_unaligned_le32(src + 0);
8816 ++ dctx->s[1] = get_unaligned_le32(src + 4);
8817 ++ dctx->s[2] = get_unaligned_le32(src + 8);
8818 ++ dctx->s[3] = get_unaligned_le32(src + 12);
8819 ++ src += POLY1305_BLOCK_SIZE;
8820 ++ len -= POLY1305_BLOCK_SIZE;
8821 ++ dctx->sset = true;
8822 ++ }
8823 ++ if (len < POLY1305_BLOCK_SIZE)
8824 ++ return;
8825 ++ }
8826 ++
8827 ++ len &= ~(POLY1305_BLOCK_SIZE - 1);
8828 ++
8829 ++ if (static_branch_likely(&have_neon) && likely(do_neon))
8830 ++ poly1305_blocks_neon(&dctx->h, src, len, hibit);
8831 ++ else
8832 ++ poly1305_blocks_arm(&dctx->h, src, len, hibit);
8833 ++}
8834 ++
8835 ++static void arm_poly1305_do_update(struct poly1305_desc_ctx *dctx,
8836 ++ const u8 *src, u32 len, bool do_neon)
8837 ++{
8838 ++ if (unlikely(dctx->buflen)) {
8839 ++ u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
8840 ++
8841 ++ memcpy(dctx->buf + dctx->buflen, src, bytes);
8842 ++ src += bytes;
8843 ++ len -= bytes;
8844 ++ dctx->buflen += bytes;
8845 ++
8846 ++ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
8847 ++ arm_poly1305_blocks(dctx, dctx->buf,
8848 ++ POLY1305_BLOCK_SIZE, 1, false);
8849 ++ dctx->buflen = 0;
8850 ++ }
8851 ++ }
8852 ++
8853 ++ if (likely(len >= POLY1305_BLOCK_SIZE)) {
8854 ++ arm_poly1305_blocks(dctx, src, len, 1, do_neon);
8855 ++ src += round_down(len, POLY1305_BLOCK_SIZE);
8856 ++ len %= POLY1305_BLOCK_SIZE;
8857 ++ }
8858 ++
8859 ++ if (unlikely(len)) {
8860 ++ dctx->buflen = len;
8861 ++ memcpy(dctx->buf, src, len);
8862 ++ }
8863 ++}
8864 ++
8865 ++static int arm_poly1305_update(struct shash_desc *desc,
8866 ++ const u8 *src, unsigned int srclen)
8867 ++{
8868 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8869 ++
8870 ++ arm_poly1305_do_update(dctx, src, srclen, false);
8871 ++ return 0;
8872 ++}
8873 ++
8874 ++static int __maybe_unused arm_poly1305_update_neon(struct shash_desc *desc,
8875 ++ const u8 *src,
8876 ++ unsigned int srclen)
8877 ++{
8878 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8879 ++ bool do_neon = crypto_simd_usable() && srclen > 128;
8880 ++
8881 ++ if (static_branch_likely(&have_neon) && do_neon)
8882 ++ kernel_neon_begin();
8883 ++ arm_poly1305_do_update(dctx, src, srclen, do_neon);
8884 ++ if (static_branch_likely(&have_neon) && do_neon)
8885 ++ kernel_neon_end();
8886 ++ return 0;
8887 ++}
8888 ++
8889 ++void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
8890 ++ unsigned int nbytes)
8891 ++{
8892 ++ bool do_neon = IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
8893 ++ crypto_simd_usable();
8894 ++
8895 ++ if (unlikely(dctx->buflen)) {
8896 ++ u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
8897 ++
8898 ++ memcpy(dctx->buf + dctx->buflen, src, bytes);
8899 ++ src += bytes;
8900 ++ nbytes -= bytes;
8901 ++ dctx->buflen += bytes;
8902 ++
8903 ++ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
8904 ++ poly1305_blocks_arm(&dctx->h, dctx->buf,
8905 ++ POLY1305_BLOCK_SIZE, 1);
8906 ++ dctx->buflen = 0;
8907 ++ }
8908 ++ }
8909 ++
8910 ++ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
8911 ++ unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
8912 ++
8913 ++ if (static_branch_likely(&have_neon) && do_neon) {
8914 ++ do {
8915 ++ unsigned int todo = min_t(unsigned int, len, SZ_4K);
8916 ++
8917 ++ kernel_neon_begin();
8918 ++ poly1305_blocks_neon(&dctx->h, src, todo, 1);
8919 ++ kernel_neon_end();
8920 ++
8921 ++ len -= todo;
8922 ++ src += todo;
8923 ++ } while (len);
8924 ++ } else {
8925 ++ poly1305_blocks_arm(&dctx->h, src, len, 1);
8926 ++ src += len;
8927 ++ }
8928 ++ nbytes %= POLY1305_BLOCK_SIZE;
8929 ++ }
8930 ++
8931 ++ if (unlikely(nbytes)) {
8932 ++ dctx->buflen = nbytes;
8933 ++ memcpy(dctx->buf, src, nbytes);
8934 ++ }
8935 ++}
8936 ++EXPORT_SYMBOL(poly1305_update_arch);
8937 ++
8938 ++void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
8939 ++{
8940 ++ if (unlikely(dctx->buflen)) {
8941 ++ dctx->buf[dctx->buflen++] = 1;
8942 ++ memset(dctx->buf + dctx->buflen, 0,
8943 ++ POLY1305_BLOCK_SIZE - dctx->buflen);
8944 ++ poly1305_blocks_arm(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
8945 ++ }
8946 ++
8947 ++ poly1305_emit_arm(&dctx->h, dst, dctx->s);
8948 ++ *dctx = (struct poly1305_desc_ctx){};
8949 ++}
8950 ++EXPORT_SYMBOL(poly1305_final_arch);
8951 ++
8952 ++static int arm_poly1305_final(struct shash_desc *desc, u8 *dst)
8953 ++{
8954 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
8955 ++
8956 ++ if (unlikely(!dctx->sset))
8957 ++ return -ENOKEY;
8958 ++
8959 ++ poly1305_final_arch(dctx, dst);
8960 ++ return 0;
8961 ++}
8962 ++
8963 ++static struct shash_alg arm_poly1305_algs[] = {{
8964 ++ .init = arm_poly1305_init,
8965 ++ .update = arm_poly1305_update,
8966 ++ .final = arm_poly1305_final,
8967 ++ .digestsize = POLY1305_DIGEST_SIZE,
8968 ++ .descsize = sizeof(struct poly1305_desc_ctx),
8969 ++
8970 ++ .base.cra_name = "poly1305",
8971 ++ .base.cra_driver_name = "poly1305-arm",
8972 ++ .base.cra_priority = 150,
8973 ++ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
8974 ++ .base.cra_module = THIS_MODULE,
8975 ++#ifdef CONFIG_KERNEL_MODE_NEON
8976 ++}, {
8977 ++ .init = arm_poly1305_init,
8978 ++ .update = arm_poly1305_update_neon,
8979 ++ .final = arm_poly1305_final,
8980 ++ .digestsize = POLY1305_DIGEST_SIZE,
8981 ++ .descsize = sizeof(struct poly1305_desc_ctx),
8982 ++
8983 ++ .base.cra_name = "poly1305",
8984 ++ .base.cra_driver_name = "poly1305-neon",
8985 ++ .base.cra_priority = 200,
8986 ++ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
8987 ++ .base.cra_module = THIS_MODULE,
8988 ++#endif
8989 ++}};
8990 ++
8991 ++static int __init arm_poly1305_mod_init(void)
8992 ++{
8993 ++ if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
8994 ++ (elf_hwcap & HWCAP_NEON))
8995 ++ static_branch_enable(&have_neon);
8996 ++ else if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
8997 ++ /* register only the first entry */
8998 ++ return crypto_register_shash(&arm_poly1305_algs[0]);
8999 ++
9000 ++ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
9001 ++ crypto_register_shashes(arm_poly1305_algs,
9002 ++ ARRAY_SIZE(arm_poly1305_algs)) : 0;
9003 ++}
9004 ++
9005 ++static void __exit arm_poly1305_mod_exit(void)
9006 ++{
9007 ++ if (!IS_REACHABLE(CONFIG_CRYPTO_HASH))
9008 ++ return;
9009 ++ if (!static_branch_likely(&have_neon)) {
9010 ++ crypto_unregister_shash(&arm_poly1305_algs[0]);
9011 ++ return;
9012 ++ }
9013 ++ crypto_unregister_shashes(arm_poly1305_algs,
9014 ++ ARRAY_SIZE(arm_poly1305_algs));
9015 ++}
9016 ++
9017 ++module_init(arm_poly1305_mod_init);
9018 ++module_exit(arm_poly1305_mod_exit);
9019 ++
9020 ++MODULE_LICENSE("GPL v2");
9021 ++MODULE_ALIAS_CRYPTO("poly1305");
9022 ++MODULE_ALIAS_CRYPTO("poly1305-arm");
9023 ++MODULE_ALIAS_CRYPTO("poly1305-neon");
9024 +--- b/arch/mips/crypto/poly1305-glue.c
9025 ++++ b/arch/mips/crypto/poly1305-glue.c
9026 +@@ -0,0 +1,191 @@
9027 ++// SPDX-License-Identifier: GPL-2.0
9028 ++/*
9029 ++ * OpenSSL/Cryptogams accelerated Poly1305 transform for MIPS
9030 ++ *
9031 ++ * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@××××××.org>
9032 ++ */
9033 ++
9034 ++#include <asm/unaligned.h>
9035 ++#include <crypto/algapi.h>
9036 ++#include <crypto/internal/hash.h>
9037 ++#include <crypto/internal/poly1305.h>
9038 ++#include <linux/cpufeature.h>
9039 ++#include <linux/crypto.h>
9040 ++#include <linux/module.h>
9041 ++
9042 ++asmlinkage void poly1305_init_mips(void *state, const u8 *key);
9043 ++asmlinkage void poly1305_blocks_mips(void *state, const u8 *src, u32 len, u32 hibit);
9044 ++asmlinkage void poly1305_emit_mips(void *state, u8 *digest, const u32 *nonce);
9045 ++
9046 ++void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 *key)
9047 ++{
9048 ++ poly1305_init_mips(&dctx->h, key);
9049 ++ dctx->s[0] = get_unaligned_le32(key + 16);
9050 ++ dctx->s[1] = get_unaligned_le32(key + 20);
9051 ++ dctx->s[2] = get_unaligned_le32(key + 24);
9052 ++ dctx->s[3] = get_unaligned_le32(key + 28);
9053 ++ dctx->buflen = 0;
9054 ++}
9055 ++EXPORT_SYMBOL(poly1305_init_arch);
9056 ++
9057 ++static int mips_poly1305_init(struct shash_desc *desc)
9058 ++{
9059 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
9060 ++
9061 ++ dctx->buflen = 0;
9062 ++ dctx->rset = 0;
9063 ++ dctx->sset = false;
9064 ++
9065 ++ return 0;
9066 ++}
9067 ++
9068 ++static void mips_poly1305_blocks(struct poly1305_desc_ctx *dctx, const u8 *src,
9069 ++ u32 len, u32 hibit)
9070 ++{
9071 ++ if (unlikely(!dctx->sset)) {
9072 ++ if (!dctx->rset) {
9073 ++ poly1305_init_mips(&dctx->h, src);
9074 ++ src += POLY1305_BLOCK_SIZE;
9075 ++ len -= POLY1305_BLOCK_SIZE;
9076 ++ dctx->rset = 1;
9077 ++ }
9078 ++ if (len >= POLY1305_BLOCK_SIZE) {
9079 ++ dctx->s[0] = get_unaligned_le32(src + 0);
9080 ++ dctx->s[1] = get_unaligned_le32(src + 4);
9081 ++ dctx->s[2] = get_unaligned_le32(src + 8);
9082 ++ dctx->s[3] = get_unaligned_le32(src + 12);
9083 ++ src += POLY1305_BLOCK_SIZE;
9084 ++ len -= POLY1305_BLOCK_SIZE;
9085 ++ dctx->sset = true;
9086 ++ }
9087 ++ if (len < POLY1305_BLOCK_SIZE)
9088 ++ return;
9089 ++ }
9090 ++
9091 ++ len &= ~(POLY1305_BLOCK_SIZE - 1);
9092 ++
9093 ++ poly1305_blocks_mips(&dctx->h, src, len, hibit);
9094 ++}
9095 ++
9096 ++static int mips_poly1305_update(struct shash_desc *desc, const u8 *src,
9097 ++ unsigned int len)
9098 ++{
9099 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
9100 ++
9101 ++ if (unlikely(dctx->buflen)) {
9102 ++ u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
9103 ++
9104 ++ memcpy(dctx->buf + dctx->buflen, src, bytes);
9105 ++ src += bytes;
9106 ++ len -= bytes;
9107 ++ dctx->buflen += bytes;
9108 ++
9109 ++ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
9110 ++ mips_poly1305_blocks(dctx, dctx->buf, POLY1305_BLOCK_SIZE, 1);
9111 ++ dctx->buflen = 0;
9112 ++ }
9113 ++ }
9114 ++
9115 ++ if (likely(len >= POLY1305_BLOCK_SIZE)) {
9116 ++ mips_poly1305_blocks(dctx, src, len, 1);
9117 ++ src += round_down(len, POLY1305_BLOCK_SIZE);
9118 ++ len %= POLY1305_BLOCK_SIZE;
9119 ++ }
9120 ++
9121 ++ if (unlikely(len)) {
9122 ++ dctx->buflen = len;
9123 ++ memcpy(dctx->buf, src, len);
9124 ++ }
9125 ++ return 0;
9126 ++}
9127 ++
9128 ++void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
9129 ++ unsigned int nbytes)
9130 ++{
9131 ++ if (unlikely(dctx->buflen)) {
9132 ++ u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
9133 ++
9134 ++ memcpy(dctx->buf + dctx->buflen, src, bytes);
9135 ++ src += bytes;
9136 ++ nbytes -= bytes;
9137 ++ dctx->buflen += bytes;
9138 ++
9139 ++ if (dctx->buflen == POLY1305_BLOCK_SIZE) {
9140 ++ poly1305_blocks_mips(&dctx->h, dctx->buf,
9141 ++ POLY1305_BLOCK_SIZE, 1);
9142 ++ dctx->buflen = 0;
9143 ++ }
9144 ++ }
9145 ++
9146 ++ if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
9147 ++ unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
9148 ++
9149 ++ poly1305_blocks_mips(&dctx->h, src, len, 1);
9150 ++ src += len;
9151 ++ nbytes %= POLY1305_BLOCK_SIZE;
9152 ++ }
9153 ++
9154 ++ if (unlikely(nbytes)) {
9155 ++ dctx->buflen = nbytes;
9156 ++ memcpy(dctx->buf, src, nbytes);
9157 ++ }
9158 ++}
9159 ++EXPORT_SYMBOL(poly1305_update_arch);
9160 ++
9161 ++void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
9162 ++{
9163 ++ if (unlikely(dctx->buflen)) {
9164 ++ dctx->buf[dctx->buflen++] = 1;
9165 ++ memset(dctx->buf + dctx->buflen, 0,
9166 ++ POLY1305_BLOCK_SIZE - dctx->buflen);
9167 ++ poly1305_blocks_mips(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
9168 ++ }
9169 ++
9170 ++ poly1305_emit_mips(&dctx->h, dst, dctx->s);
9171 ++ *dctx = (struct poly1305_desc_ctx){};
9172 ++}
9173 ++EXPORT_SYMBOL(poly1305_final_arch);
9174 ++
9175 ++static int mips_poly1305_final(struct shash_desc *desc, u8 *dst)
9176 ++{
9177 ++ struct poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
9178 ++
9179 ++ if (unlikely(!dctx->sset))
9180 ++ return -ENOKEY;
9181 ++
9182 ++ poly1305_final_arch(dctx, dst);
9183 ++ return 0;
9184 ++}
9185 ++
9186 ++static struct shash_alg mips_poly1305_alg = {
9187 ++ .init = mips_poly1305_init,
9188 ++ .update = mips_poly1305_update,
9189 ++ .final = mips_poly1305_final,
9190 ++ .digestsize = POLY1305_DIGEST_SIZE,
9191 ++ .descsize = sizeof(struct poly1305_desc_ctx),
9192 ++
9193 ++ .base.cra_name = "poly1305",
9194 ++ .base.cra_driver_name = "poly1305-mips",
9195 ++ .base.cra_priority = 200,
9196 ++ .base.cra_blocksize = POLY1305_BLOCK_SIZE,
9197 ++ .base.cra_module = THIS_MODULE,
9198 ++};
9199 ++
9200 ++static int __init mips_poly1305_mod_init(void)
9201 ++{
9202 ++ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
9203 ++ crypto_register_shash(&mips_poly1305_alg) : 0;
9204 ++}
9205 ++
9206 ++static void __exit mips_poly1305_mod_exit(void)
9207 ++{
9208 ++ if (IS_REACHABLE(CONFIG_CRYPTO_HASH))
9209 ++ crypto_unregister_shash(&mips_poly1305_alg);
9210 ++}
9211 ++
9212 ++module_init(mips_poly1305_mod_init);
9213 ++module_exit(mips_poly1305_mod_exit);
9214 ++
9215 ++MODULE_LICENSE("GPL v2");
9216 ++MODULE_ALIAS_CRYPTO("poly1305");
9217 ++MODULE_ALIAS_CRYPTO("poly1305-mips");
9218 +--- /dev/null
9219 ++++ b/arch/mips/crypto/poly1305-mips.pl
9220 +@@ -0,0 +1,1273 @@
9221 ++#!/usr/bin/env perl
9222 ++# SPDX-License-Identifier: GPL-1.0+ OR BSD-3-Clause
9223 ++#
9224 ++# ====================================================================
9225 ++# Written by Andy Polyakov, @dot-asm, originally for the OpenSSL
9226 ++# project.
9227 ++# ====================================================================
9228 ++
9229 ++# Poly1305 hash for MIPS.
9230 ++#
9231 ++# May 2016
9232 ++#
9233 ++# Numbers are cycles per processed byte with poly1305_blocks alone.
9234 ++#
9235 ++# IALU/gcc
9236 ++# R1x000 ~5.5/+130% (big-endian)
9237 ++# Octeon II 2.50/+70% (little-endian)
9238 ++#
9239 ++# March 2019
9240 ++#
9241 ++# Add 32-bit code path.
9242 ++#
9243 ++# October 2019
9244 ++#
9245 ++# Modulo-scheduling reduction allows to omit dependency chain at the
9246 ++# end of inner loop and improve performance. Also optimize MIPS32R2
9247 ++# code path for MIPS 1004K core. Per René von Dorst's suggestions.
9248 ++#
9249 ++# IALU/gcc
9250 ++# R1x000 ~9.8/? (big-endian)
9251 ++# Octeon II 3.65/+140% (little-endian)
9252 ++# MT7621/1004K 4.75/? (little-endian)
9253 ++#
9254 ++######################################################################
9255 ++# There is a number of MIPS ABI in use, O32 and N32/64 are most
9256 ++# widely used. Then there is a new contender: NUBI. It appears that if
9257 ++# one picks the latter, it's possible to arrange code in ABI neutral
9258 ++# manner. Therefore let's stick to NUBI register layout:
9259 ++#
9260 ++($zero,$at,$t0,$t1,$t2)=map("\$$_",(0..2,24,25));
9261 ++($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11));
9262 ++($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7,$s8,$s9,$s10,$s11)=map("\$$_",(12..23));
9263 ++($gp,$tp,$sp,$fp,$ra)=map("\$$_",(3,28..31));
9264 ++#
9265 ++# The return value is placed in $a0. Following coding rules facilitate
9266 ++# interoperability:
9267 ++#
9268 ++# - never ever touch $tp, "thread pointer", former $gp [o32 can be
9269 ++# excluded from the rule, because it's specified volatile];
9270 ++# - copy return value to $t0, former $v0 [or to $a0 if you're adapting
9271 ++# old code];
9272 ++# - on O32 populate $a4-$a7 with 'lw $aN,4*N($sp)' if necessary;
9273 ++#
9274 ++# For reference here is register layout for N32/64 MIPS ABIs:
9275 ++#
9276 ++# ($zero,$at,$v0,$v1)=map("\$$_",(0..3));
9277 ++# ($a0,$a1,$a2,$a3,$a4,$a5,$a6,$a7)=map("\$$_",(4..11));
9278 ++# ($t0,$t1,$t2,$t3,$t8,$t9)=map("\$$_",(12..15,24,25));
9279 ++# ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$$_",(16..23));
9280 ++# ($gp,$sp,$fp,$ra)=map("\$$_",(28..31));
9281 ++#
9282 ++# <appro@×××××××.org>
9283 ++#
9284 ++######################################################################
9285 ++
9286 ++$flavour = shift || "64"; # supported flavours are o32,n32,64,nubi32,nubi64
9287 ++
9288 ++$v0 = ($flavour =~ /nubi/i) ? $a0 : $t0;
9289 ++
9290 ++if ($flavour =~ /64|n32/i) {{{
9291 ++######################################################################
9292 ++# 64-bit code path
9293 ++#
9294 ++
9295 ++my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
9296 ++my ($in0,$in1,$tmp0,$tmp1,$tmp2,$tmp3,$tmp4) = ($a4,$a5,$a6,$a7,$at,$t0,$t1);
9297 ++
9298 ++$code.=<<___;
9299 ++#if (defined(_MIPS_ARCH_MIPS64R3) || defined(_MIPS_ARCH_MIPS64R5) || \\
9300 ++ defined(_MIPS_ARCH_MIPS64R6)) \\
9301 ++ && !defined(_MIPS_ARCH_MIPS64R2)
9302 ++# define _MIPS_ARCH_MIPS64R2
9303 ++#endif
9304 ++
9305 ++#if defined(_MIPS_ARCH_MIPS64R6)
9306 ++# define dmultu(rs,rt)
9307 ++# define mflo(rd,rs,rt) dmulu rd,rs,rt
9308 ++# define mfhi(rd,rs,rt) dmuhu rd,rs,rt
9309 ++#else
9310 ++# define dmultu(rs,rt) dmultu rs,rt
9311 ++# define mflo(rd,rs,rt) mflo rd
9312 ++# define mfhi(rd,rs,rt) mfhi rd
9313 ++#endif
9314 ++
9315 ++#ifdef __KERNEL__
9316 ++# define poly1305_init poly1305_init_mips
9317 ++# define poly1305_blocks poly1305_blocks_mips
9318 ++# define poly1305_emit poly1305_emit_mips
9319 ++#endif
9320 ++
9321 ++#if defined(__MIPSEB__) && !defined(MIPSEB)
9322 ++# define MIPSEB
9323 ++#endif
9324 ++
9325 ++#ifdef MIPSEB
9326 ++# define MSB 0
9327 ++# define LSB 7
9328 ++#else
9329 ++# define MSB 7
9330 ++# define LSB 0
9331 ++#endif
9332 ++
9333 ++.text
9334 ++.set noat
9335 ++.set noreorder
9336 ++
9337 ++.align 5
9338 ++.globl poly1305_init
9339 ++.ent poly1305_init
9340 ++poly1305_init:
9341 ++ .frame $sp,0,$ra
9342 ++ .set reorder
9343 ++
9344 ++ sd $zero,0($ctx)
9345 ++ sd $zero,8($ctx)
9346 ++ sd $zero,16($ctx)
9347 ++
9348 ++ beqz $inp,.Lno_key
9349 ++
9350 ++#if defined(_MIPS_ARCH_MIPS64R6)
9351 ++ andi $tmp0,$inp,7 # $inp % 8
9352 ++ dsubu $inp,$inp,$tmp0 # align $inp
9353 ++ sll $tmp0,$tmp0,3 # byte to bit offset
9354 ++ ld $in0,0($inp)
9355 ++ ld $in1,8($inp)
9356 ++ beqz $tmp0,.Laligned_key
9357 ++ ld $tmp2,16($inp)
9358 ++
9359 ++ subu $tmp1,$zero,$tmp0
9360 ++# ifdef MIPSEB
9361 ++ dsllv $in0,$in0,$tmp0
9362 ++ dsrlv $tmp3,$in1,$tmp1
9363 ++ dsllv $in1,$in1,$tmp0
9364 ++ dsrlv $tmp2,$tmp2,$tmp1
9365 ++# else
9366 ++ dsrlv $in0,$in0,$tmp0
9367 ++ dsllv $tmp3,$in1,$tmp1
9368 ++ dsrlv $in1,$in1,$tmp0
9369 ++ dsllv $tmp2,$tmp2,$tmp1
9370 ++# endif
9371 ++ or $in0,$in0,$tmp3
9372 ++ or $in1,$in1,$tmp2
9373 ++.Laligned_key:
9374 ++#else
9375 ++ ldl $in0,0+MSB($inp)
9376 ++ ldl $in1,8+MSB($inp)
9377 ++ ldr $in0,0+LSB($inp)
9378 ++ ldr $in1,8+LSB($inp)
9379 ++#endif
9380 ++#ifdef MIPSEB
9381 ++# if defined(_MIPS_ARCH_MIPS64R2)
9382 ++ dsbh $in0,$in0 # byte swap
9383 ++ dsbh $in1,$in1
9384 ++ dshd $in0,$in0
9385 ++ dshd $in1,$in1
9386 ++# else
9387 ++ ori $tmp0,$zero,0xFF
9388 ++ dsll $tmp2,$tmp0,32
9389 ++ or $tmp0,$tmp2 # 0x000000FF000000FF
9390 ++
9391 ++ and $tmp1,$in0,$tmp0 # byte swap
9392 ++ and $tmp3,$in1,$tmp0
9393 ++ dsrl $tmp2,$in0,24
9394 ++ dsrl $tmp4,$in1,24
9395 ++ dsll $tmp1,24
9396 ++ dsll $tmp3,24
9397 ++ and $tmp2,$tmp0
9398 ++ and $tmp4,$tmp0
9399 ++ dsll $tmp0,8 # 0x0000FF000000FF00
9400 ++ or $tmp1,$tmp2
9401 ++ or $tmp3,$tmp4
9402 ++ and $tmp2,$in0,$tmp0
9403 ++ and $tmp4,$in1,$tmp0
9404 ++ dsrl $in0,8
9405 ++ dsrl $in1,8
9406 ++ dsll $tmp2,8
9407 ++ dsll $tmp4,8
9408 ++ and $in0,$tmp0
9409 ++ and $in1,$tmp0
9410 ++ or $tmp1,$tmp2
9411 ++ or $tmp3,$tmp4
9412 ++ or $in0,$tmp1
9413 ++ or $in1,$tmp3
9414 ++ dsrl $tmp1,$in0,32
9415 ++ dsrl $tmp3,$in1,32
9416 ++ dsll $in0,32
9417 ++ dsll $in1,32
9418 ++ or $in0,$tmp1
9419 ++ or $in1,$tmp3
9420 ++# endif
9421 ++#endif
9422 ++ li $tmp0,1
9423 ++ dsll $tmp0,32 # 0x0000000100000000
9424 ++ daddiu $tmp0,-63 # 0x00000000ffffffc1
9425 ++ dsll $tmp0,28 # 0x0ffffffc10000000
9426 ++ daddiu $tmp0,-1 # 0x0ffffffc0fffffff
9427 ++
9428 ++ and $in0,$tmp0
9429 ++ daddiu $tmp0,-3 # 0x0ffffffc0ffffffc
9430 ++ and $in1,$tmp0
9431 ++
9432 ++ sd $in0,24($ctx)
9433 ++ dsrl $tmp0,$in1,2
9434 ++ sd $in1,32($ctx)
9435 ++ daddu $tmp0,$in1 # s1 = r1 + (r1 >> 2)
9436 ++ sd $tmp0,40($ctx)
9437 ++
9438 ++.Lno_key:
9439 ++ li $v0,0 # return 0
9440 ++ jr $ra
9441 ++.end poly1305_init
9442 ++___
9443 ++{
9444 ++my $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0x0003f000" : "0x00030000";
9445 ++
9446 ++my ($h0,$h1,$h2,$r0,$r1,$rs1,$d0,$d1,$d2) =
9447 ++ ($s0,$s1,$s2,$s3,$s4,$s5,$in0,$in1,$t2);
9448 ++my ($shr,$shl) = ($s6,$s7); # used on R6
9449 ++
9450 ++$code.=<<___;
9451 ++.align 5
9452 ++.globl poly1305_blocks
9453 ++.ent poly1305_blocks
9454 ++poly1305_blocks:
9455 ++ .set noreorder
9456 ++ dsrl $len,4 # number of complete blocks
9457 ++ bnez $len,poly1305_blocks_internal
9458 ++ nop
9459 ++ jr $ra
9460 ++ nop
9461 ++.end poly1305_blocks
9462 ++
9463 ++.align 5
9464 ++.ent poly1305_blocks_internal
9465 ++poly1305_blocks_internal:
9466 ++ .set noreorder
9467 ++#if defined(_MIPS_ARCH_MIPS64R6)
9468 ++ .frame $sp,8*8,$ra
9469 ++ .mask $SAVED_REGS_MASK|0x000c0000,-8
9470 ++ dsubu $sp,8*8
9471 ++ sd $s7,56($sp)
9472 ++ sd $s6,48($sp)
9473 ++#else
9474 ++ .frame $sp,6*8,$ra
9475 ++ .mask $SAVED_REGS_MASK,-8
9476 ++ dsubu $sp,6*8
9477 ++#endif
9478 ++ sd $s5,40($sp)
9479 ++ sd $s4,32($sp)
9480 ++___
9481 ++$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
9482 ++ sd $s3,24($sp)
9483 ++ sd $s2,16($sp)
9484 ++ sd $s1,8($sp)
9485 ++ sd $s0,0($sp)
9486 ++___
9487 ++$code.=<<___;
9488 ++ .set reorder
9489 ++
9490 ++#if defined(_MIPS_ARCH_MIPS64R6)
9491 ++ andi $shr,$inp,7
9492 ++ dsubu $inp,$inp,$shr # align $inp
9493 ++ sll $shr,$shr,3 # byte to bit offset
9494 ++ subu $shl,$zero,$shr
9495 ++#endif
9496 ++
9497 ++ ld $h0,0($ctx) # load hash value
9498 ++ ld $h1,8($ctx)
9499 ++ ld $h2,16($ctx)
9500 ++
9501 ++ ld $r0,24($ctx) # load key
9502 ++ ld $r1,32($ctx)
9503 ++ ld $rs1,40($ctx)
9504 ++
9505 ++ dsll $len,4
9506 ++ daddu $len,$inp # end of buffer
9507 ++ b .Loop
9508 ++
9509 ++.align 4
9510 ++.Loop:
9511 ++#if defined(_MIPS_ARCH_MIPS64R6)
9512 ++ ld $in0,0($inp) # load input
9513 ++ ld $in1,8($inp)
9514 ++ beqz $shr,.Laligned_inp
9515 ++
9516 ++ ld $tmp2,16($inp)
9517 ++# ifdef MIPSEB
9518 ++ dsllv $in0,$in0,$shr
9519 ++ dsrlv $tmp3,$in1,$shl
9520 ++ dsllv $in1,$in1,$shr
9521 ++ dsrlv $tmp2,$tmp2,$shl
9522 ++# else
9523 ++ dsrlv $in0,$in0,$shr
9524 ++ dsllv $tmp3,$in1,$shl
9525 ++ dsrlv $in1,$in1,$shr
9526 ++ dsllv $tmp2,$tmp2,$shl
9527 ++# endif
9528 ++ or $in0,$in0,$tmp3
9529 ++ or $in1,$in1,$tmp2
9530 ++.Laligned_inp:
9531 ++#else
9532 ++ ldl $in0,0+MSB($inp) # load input
9533 ++ ldl $in1,8+MSB($inp)
9534 ++ ldr $in0,0+LSB($inp)
9535 ++ ldr $in1,8+LSB($inp)
9536 ++#endif
9537 ++ daddiu $inp,16
9538 ++#ifdef MIPSEB
9539 ++# if defined(_MIPS_ARCH_MIPS64R2)
9540 ++ dsbh $in0,$in0 # byte swap
9541 ++ dsbh $in1,$in1
9542 ++ dshd $in0,$in0
9543 ++ dshd $in1,$in1
9544 ++# else
9545 ++ ori $tmp0,$zero,0xFF
9546 ++ dsll $tmp2,$tmp0,32
9547 ++ or $tmp0,$tmp2 # 0x000000FF000000FF
9548 ++
9549 ++ and $tmp1,$in0,$tmp0 # byte swap
9550 ++ and $tmp3,$in1,$tmp0
9551 ++ dsrl $tmp2,$in0,24
9552 ++ dsrl $tmp4,$in1,24
9553 ++ dsll $tmp1,24
9554 ++ dsll $tmp3,24
9555 ++ and $tmp2,$tmp0
9556 ++ and $tmp4,$tmp0
9557 ++ dsll $tmp0,8 # 0x0000FF000000FF00
9558 ++ or $tmp1,$tmp2
9559 ++ or $tmp3,$tmp4
9560 ++ and $tmp2,$in0,$tmp0
9561 ++ and $tmp4,$in1,$tmp0
9562 ++ dsrl $in0,8
9563 ++ dsrl $in1,8
9564 ++ dsll $tmp2,8
9565 ++ dsll $tmp4,8
9566 ++ and $in0,$tmp0
9567 ++ and $in1,$tmp0
9568 ++ or $tmp1,$tmp2
9569 ++ or $tmp3,$tmp4
9570 ++ or $in0,$tmp1
9571 ++ or $in1,$tmp3
9572 ++ dsrl $tmp1,$in0,32
9573 ++ dsrl $tmp3,$in1,32
9574 ++ dsll $in0,32
9575 ++ dsll $in1,32
9576 ++ or $in0,$tmp1
9577 ++ or $in1,$tmp3
9578 ++# endif
9579 ++#endif
9580 ++ dsrl $tmp1,$h2,2 # modulo-scheduled reduction
9581 ++ andi $h2,$h2,3
9582 ++ dsll $tmp0,$tmp1,2
9583 ++
9584 ++ daddu $d0,$h0,$in0 # accumulate input
9585 ++ daddu $tmp1,$tmp0
9586 ++ sltu $tmp0,$d0,$h0
9587 ++ daddu $d0,$d0,$tmp1 # ... and residue
9588 ++ sltu $tmp1,$d0,$tmp1
9589 ++ daddu $d1,$h1,$in1
9590 ++ daddu $tmp0,$tmp1
9591 ++ sltu $tmp1,$d1,$h1
9592 ++ daddu $d1,$tmp0
9593 ++
9594 ++ dmultu ($r0,$d0) # h0*r0
9595 ++ daddu $d2,$h2,$padbit
9596 ++ sltu $tmp0,$d1,$tmp0
9597 ++ mflo ($h0,$r0,$d0)
9598 ++ mfhi ($h1,$r0,$d0)
9599 ++
9600 ++ dmultu ($rs1,$d1) # h1*5*r1
9601 ++ daddu $d2,$tmp1
9602 ++ daddu $d2,$tmp0
9603 ++ mflo ($tmp0,$rs1,$d1)
9604 ++ mfhi ($tmp1,$rs1,$d1)
9605 ++
9606 ++ dmultu ($r1,$d0) # h0*r1
9607 ++ mflo ($tmp2,$r1,$d0)
9608 ++ mfhi ($h2,$r1,$d0)
9609 ++ daddu $h0,$tmp0
9610 ++ daddu $h1,$tmp1
9611 ++ sltu $tmp0,$h0,$tmp0
9612 ++
9613 ++ dmultu ($r0,$d1) # h1*r0
9614 ++ daddu $h1,$tmp0
9615 ++ daddu $h1,$tmp2
9616 ++ mflo ($tmp0,$r0,$d1)
9617 ++ mfhi ($tmp1,$r0,$d1)
9618 ++
9619 ++ dmultu ($rs1,$d2) # h2*5*r1
9620 ++ sltu $tmp2,$h1,$tmp2
9621 ++ daddu $h2,$tmp2
9622 ++ mflo ($tmp2,$rs1,$d2)
9623 ++
9624 ++ dmultu ($r0,$d2) # h2*r0
9625 ++ daddu $h1,$tmp0
9626 ++ daddu $h2,$tmp1
9627 ++ mflo ($tmp3,$r0,$d2)
9628 ++ sltu $tmp0,$h1,$tmp0
9629 ++ daddu $h2,$tmp0
9630 ++
9631 ++ daddu $h1,$tmp2
9632 ++ sltu $tmp2,$h1,$tmp2
9633 ++ daddu $h2,$tmp2
9634 ++ daddu $h2,$tmp3
9635 ++
9636 ++ bne $inp,$len,.Loop
9637 ++
9638 ++ sd $h0,0($ctx) # store hash value
9639 ++ sd $h1,8($ctx)
9640 ++ sd $h2,16($ctx)
9641 ++
9642 ++ .set noreorder
9643 ++#if defined(_MIPS_ARCH_MIPS64R6)
9644 ++ ld $s7,56($sp)
9645 ++ ld $s6,48($sp)
9646 ++#endif
9647 ++ ld $s5,40($sp) # epilogue
9648 ++ ld $s4,32($sp)
9649 ++___
9650 ++$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi epilogue
9651 ++ ld $s3,24($sp)
9652 ++ ld $s2,16($sp)
9653 ++ ld $s1,8($sp)
9654 ++ ld $s0,0($sp)
9655 ++___
9656 ++$code.=<<___;
9657 ++ jr $ra
9658 ++#if defined(_MIPS_ARCH_MIPS64R6)
9659 ++ daddu $sp,8*8
9660 ++#else
9661 ++ daddu $sp,6*8
9662 ++#endif
9663 ++.end poly1305_blocks_internal
9664 ++___
9665 ++}
9666 ++{
9667 ++my ($ctx,$mac,$nonce) = ($a0,$a1,$a2);
9668 ++
9669 ++$code.=<<___;
9670 ++.align 5
9671 ++.globl poly1305_emit
9672 ++.ent poly1305_emit
9673 ++poly1305_emit:
9674 ++ .frame $sp,0,$ra
9675 ++ .set reorder
9676 ++
9677 ++ ld $tmp2,16($ctx)
9678 ++ ld $tmp0,0($ctx)
9679 ++ ld $tmp1,8($ctx)
9680 ++
9681 ++ li $in0,-4 # final reduction
9682 ++ dsrl $in1,$tmp2,2
9683 ++ and $in0,$tmp2
9684 ++ andi $tmp2,$tmp2,3
9685 ++ daddu $in0,$in1
9686 ++
9687 ++ daddu $tmp0,$tmp0,$in0
9688 ++ sltu $in1,$tmp0,$in0
9689 ++ daddiu $in0,$tmp0,5 # compare to modulus
9690 ++ daddu $tmp1,$tmp1,$in1
9691 ++ sltiu $tmp3,$in0,5
9692 ++ sltu $tmp4,$tmp1,$in1
9693 ++ daddu $in1,$tmp1,$tmp3
9694 ++ daddu $tmp2,$tmp2,$tmp4
9695 ++ sltu $tmp3,$in1,$tmp3
9696 ++ daddu $tmp2,$tmp2,$tmp3
9697 ++
9698 ++ dsrl $tmp2,2 # see if it carried/borrowed
9699 ++ dsubu $tmp2,$zero,$tmp2
9700 ++
9701 ++ xor $in0,$tmp0
9702 ++ xor $in1,$tmp1
9703 ++ and $in0,$tmp2
9704 ++ and $in1,$tmp2
9705 ++ xor $in0,$tmp0
9706 ++ xor $in1,$tmp1
9707 ++
9708 ++ lwu $tmp0,0($nonce) # load nonce
9709 ++ lwu $tmp1,4($nonce)
9710 ++ lwu $tmp2,8($nonce)
9711 ++ lwu $tmp3,12($nonce)
9712 ++ dsll $tmp1,32
9713 ++ dsll $tmp3,32
9714 ++ or $tmp0,$tmp1
9715 ++ or $tmp2,$tmp3
9716 ++
9717 ++ daddu $in0,$tmp0 # accumulate nonce
9718 ++ daddu $in1,$tmp2
9719 ++ sltu $tmp0,$in0,$tmp0
9720 ++ daddu $in1,$tmp0
9721 ++
9722 ++ dsrl $tmp0,$in0,8 # write mac value
9723 ++ dsrl $tmp1,$in0,16
9724 ++ dsrl $tmp2,$in0,24
9725 ++ sb $in0,0($mac)
9726 ++ dsrl $tmp3,$in0,32
9727 ++ sb $tmp0,1($mac)
9728 ++ dsrl $tmp0,$in0,40
9729 ++ sb $tmp1,2($mac)
9730 ++ dsrl $tmp1,$in0,48
9731 ++ sb $tmp2,3($mac)
9732 ++ dsrl $tmp2,$in0,56
9733 ++ sb $tmp3,4($mac)
9734 ++ dsrl $tmp3,$in1,8
9735 ++ sb $tmp0,5($mac)
9736 ++ dsrl $tmp0,$in1,16
9737 ++ sb $tmp1,6($mac)
9738 ++ dsrl $tmp1,$in1,24
9739 ++ sb $tmp2,7($mac)
9740 ++
9741 ++ sb $in1,8($mac)
9742 ++ dsrl $tmp2,$in1,32
9743 ++ sb $tmp3,9($mac)
9744 ++ dsrl $tmp3,$in1,40
9745 ++ sb $tmp0,10($mac)
9746 ++ dsrl $tmp0,$in1,48
9747 ++ sb $tmp1,11($mac)
9748 ++ dsrl $tmp1,$in1,56
9749 ++ sb $tmp2,12($mac)
9750 ++ sb $tmp3,13($mac)
9751 ++ sb $tmp0,14($mac)
9752 ++ sb $tmp1,15($mac)
9753 ++
9754 ++ jr $ra
9755 ++.end poly1305_emit
9756 ++.rdata
9757 ++.asciiz "Poly1305 for MIPS64, CRYPTOGAMS by \@dot-asm"
9758 ++.align 2
9759 ++___
9760 ++}
9761 ++}}} else {{{
9762 ++######################################################################
9763 ++# 32-bit code path
9764 ++#
9765 ++
9766 ++my ($ctx,$inp,$len,$padbit) = ($a0,$a1,$a2,$a3);
9767 ++my ($in0,$in1,$in2,$in3,$tmp0,$tmp1,$tmp2,$tmp3) =
9768 ++ ($a4,$a5,$a6,$a7,$at,$t0,$t1,$t2);
9769 ++
9770 ++$code.=<<___;
9771 ++#if (defined(_MIPS_ARCH_MIPS32R3) || defined(_MIPS_ARCH_MIPS32R5) || \\
9772 ++ defined(_MIPS_ARCH_MIPS32R6)) \\
9773 ++ && !defined(_MIPS_ARCH_MIPS32R2)
9774 ++# define _MIPS_ARCH_MIPS32R2
9775 ++#endif
9776 ++
9777 ++#if defined(_MIPS_ARCH_MIPS32R6)
9778 ++# define multu(rs,rt)
9779 ++# define mflo(rd,rs,rt) mulu rd,rs,rt
9780 ++# define mfhi(rd,rs,rt) muhu rd,rs,rt
9781 ++#else
9782 ++# define multu(rs,rt) multu rs,rt
9783 ++# define mflo(rd,rs,rt) mflo rd
9784 ++# define mfhi(rd,rs,rt) mfhi rd
9785 ++#endif
9786 ++
9787 ++#ifdef __KERNEL__
9788 ++# define poly1305_init poly1305_init_mips
9789 ++# define poly1305_blocks poly1305_blocks_mips
9790 ++# define poly1305_emit poly1305_emit_mips
9791 ++#endif
9792 ++
9793 ++#if defined(__MIPSEB__) && !defined(MIPSEB)
9794 ++# define MIPSEB
9795 ++#endif
9796 ++
9797 ++#ifdef MIPSEB
9798 ++# define MSB 0
9799 ++# define LSB 3
9800 ++#else
9801 ++# define MSB 3
9802 ++# define LSB 0
9803 ++#endif
9804 ++
9805 ++.text
9806 ++.set noat
9807 ++.set noreorder
9808 ++
9809 ++.align 5
9810 ++.globl poly1305_init
9811 ++.ent poly1305_init
9812 ++poly1305_init:
9813 ++ .frame $sp,0,$ra
9814 ++ .set reorder
9815 ++
9816 ++ sw $zero,0($ctx)
9817 ++ sw $zero,4($ctx)
9818 ++ sw $zero,8($ctx)
9819 ++ sw $zero,12($ctx)
9820 ++ sw $zero,16($ctx)
9821 ++
9822 ++ beqz $inp,.Lno_key
9823 ++
9824 ++#if defined(_MIPS_ARCH_MIPS32R6)
9825 ++ andi $tmp0,$inp,3 # $inp % 4
9826 ++ subu $inp,$inp,$tmp0 # align $inp
9827 ++ sll $tmp0,$tmp0,3 # byte to bit offset
9828 ++ lw $in0,0($inp)
9829 ++ lw $in1,4($inp)
9830 ++ lw $in2,8($inp)
9831 ++ lw $in3,12($inp)
9832 ++ beqz $tmp0,.Laligned_key
9833 ++
9834 ++ lw $tmp2,16($inp)
9835 ++ subu $tmp1,$zero,$tmp0
9836 ++# ifdef MIPSEB
9837 ++ sllv $in0,$in0,$tmp0
9838 ++ srlv $tmp3,$in1,$tmp1
9839 ++ sllv $in1,$in1,$tmp0
9840 ++ or $in0,$in0,$tmp3
9841 ++ srlv $tmp3,$in2,$tmp1
9842 ++ sllv $in2,$in2,$tmp0
9843 ++ or $in1,$in1,$tmp3
9844 ++ srlv $tmp3,$in3,$tmp1
9845 ++ sllv $in3,$in3,$tmp0
9846 ++ or $in2,$in2,$tmp3
9847 ++ srlv $tmp2,$tmp2,$tmp1
9848 ++ or $in3,$in3,$tmp2
9849 ++# else
9850 ++ srlv $in0,$in0,$tmp0
9851 ++ sllv $tmp3,$in1,$tmp1
9852 ++ srlv $in1,$in1,$tmp0
9853 ++ or $in0,$in0,$tmp3
9854 ++ sllv $tmp3,$in2,$tmp1
9855 ++ srlv $in2,$in2,$tmp0
9856 ++ or $in1,$in1,$tmp3
9857 ++ sllv $tmp3,$in3,$tmp1
9858 ++ srlv $in3,$in3,$tmp0
9859 ++ or $in2,$in2,$tmp3
9860 ++ sllv $tmp2,$tmp2,$tmp1
9861 ++ or $in3,$in3,$tmp2
9862 ++# endif
9863 ++.Laligned_key:
9864 ++#else
9865 ++ lwl $in0,0+MSB($inp)
9866 ++ lwl $in1,4+MSB($inp)
9867 ++ lwl $in2,8+MSB($inp)
9868 ++ lwl $in3,12+MSB($inp)
9869 ++ lwr $in0,0+LSB($inp)
9870 ++ lwr $in1,4+LSB($inp)
9871 ++ lwr $in2,8+LSB($inp)
9872 ++ lwr $in3,12+LSB($inp)
9873 ++#endif
9874 ++#ifdef MIPSEB
9875 ++# if defined(_MIPS_ARCH_MIPS32R2)
9876 ++ wsbh $in0,$in0 # byte swap
9877 ++ wsbh $in1,$in1
9878 ++ wsbh $in2,$in2
9879 ++ wsbh $in3,$in3
9880 ++ rotr $in0,$in0,16
9881 ++ rotr $in1,$in1,16
9882 ++ rotr $in2,$in2,16
9883 ++ rotr $in3,$in3,16
9884 ++# else
9885 ++ srl $tmp0,$in0,24 # byte swap
9886 ++ srl $tmp1,$in0,8
9887 ++ andi $tmp2,$in0,0xFF00
9888 ++ sll $in0,$in0,24
9889 ++ andi $tmp1,0xFF00
9890 ++ sll $tmp2,$tmp2,8
9891 ++ or $in0,$tmp0
9892 ++ srl $tmp0,$in1,24
9893 ++ or $tmp1,$tmp2
9894 ++ srl $tmp2,$in1,8
9895 ++ or $in0,$tmp1
9896 ++ andi $tmp1,$in1,0xFF00
9897 ++ sll $in1,$in1,24
9898 ++ andi $tmp2,0xFF00
9899 ++ sll $tmp1,$tmp1,8
9900 ++ or $in1,$tmp0
9901 ++ srl $tmp0,$in2,24
9902 ++ or $tmp2,$tmp1
9903 ++ srl $tmp1,$in2,8
9904 ++ or $in1,$tmp2
9905 ++ andi $tmp2,$in2,0xFF00
9906 ++ sll $in2,$in2,24
9907 ++ andi $tmp1,0xFF00
9908 ++ sll $tmp2,$tmp2,8
9909 ++ or $in2,$tmp0
9910 ++ srl $tmp0,$in3,24
9911 ++ or $tmp1,$tmp2
9912 ++ srl $tmp2,$in3,8
9913 ++ or $in2,$tmp1
9914 ++ andi $tmp1,$in3,0xFF00
9915 ++ sll $in3,$in3,24
9916 ++ andi $tmp2,0xFF00
9917 ++ sll $tmp1,$tmp1,8
9918 ++ or $in3,$tmp0
9919 ++ or $tmp2,$tmp1
9920 ++ or $in3,$tmp2
9921 ++# endif
9922 ++#endif
9923 ++ lui $tmp0,0x0fff
9924 ++ ori $tmp0,0xffff # 0x0fffffff
9925 ++ and $in0,$in0,$tmp0
9926 ++ subu $tmp0,3 # 0x0ffffffc
9927 ++ and $in1,$in1,$tmp0
9928 ++ and $in2,$in2,$tmp0
9929 ++ and $in3,$in3,$tmp0
9930 ++
9931 ++ sw $in0,20($ctx)
9932 ++ sw $in1,24($ctx)
9933 ++ sw $in2,28($ctx)
9934 ++ sw $in3,32($ctx)
9935 ++
9936 ++ srl $tmp1,$in1,2
9937 ++ srl $tmp2,$in2,2
9938 ++ srl $tmp3,$in3,2
9939 ++ addu $in1,$in1,$tmp1 # s1 = r1 + (r1 >> 2)
9940 ++ addu $in2,$in2,$tmp2
9941 ++ addu $in3,$in3,$tmp3
9942 ++ sw $in1,36($ctx)
9943 ++ sw $in2,40($ctx)
9944 ++ sw $in3,44($ctx)
9945 ++.Lno_key:
9946 ++ li $v0,0
9947 ++ jr $ra
9948 ++.end poly1305_init
9949 ++___
9950 ++{
9951 ++my $SAVED_REGS_MASK = ($flavour =~ /nubi/i) ? "0x00fff000" : "0x00ff0000";
9952 ++
9953 ++my ($h0,$h1,$h2,$h3,$h4, $r0,$r1,$r2,$r3, $rs1,$rs2,$rs3) =
9954 ++ ($s0,$s1,$s2,$s3,$s4, $s5,$s6,$s7,$s8, $s9,$s10,$s11);
9955 ++my ($d0,$d1,$d2,$d3) =
9956 ++ ($a4,$a5,$a6,$a7);
9957 ++my $shr = $t2; # used on R6
9958 ++my $one = $t2; # used on R2
9959 ++
9960 ++$code.=<<___;
9961 ++.globl poly1305_blocks
9962 ++.align 5
9963 ++.ent poly1305_blocks
9964 ++poly1305_blocks:
9965 ++ .frame $sp,16*4,$ra
9966 ++ .mask $SAVED_REGS_MASK,-4
9967 ++ .set noreorder
9968 ++ subu $sp, $sp,4*12
9969 ++ sw $s11,4*11($sp)
9970 ++ sw $s10,4*10($sp)
9971 ++ sw $s9, 4*9($sp)
9972 ++ sw $s8, 4*8($sp)
9973 ++ sw $s7, 4*7($sp)
9974 ++ sw $s6, 4*6($sp)
9975 ++ sw $s5, 4*5($sp)
9976 ++ sw $s4, 4*4($sp)
9977 ++___
9978 ++$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
9979 ++ sw $s3, 4*3($sp)
9980 ++ sw $s2, 4*2($sp)
9981 ++ sw $s1, 4*1($sp)
9982 ++ sw $s0, 4*0($sp)
9983 ++___
9984 ++$code.=<<___;
9985 ++ .set reorder
9986 ++
9987 ++ srl $len,4 # number of complete blocks
9988 ++ li $one,1
9989 ++ beqz $len,.Labort
9990 ++
9991 ++#if defined(_MIPS_ARCH_MIPS32R6)
9992 ++ andi $shr,$inp,3
9993 ++ subu $inp,$inp,$shr # align $inp
9994 ++ sll $shr,$shr,3 # byte to bit offset
9995 ++#endif
9996 ++
9997 ++ lw $h0,0($ctx) # load hash value
9998 ++ lw $h1,4($ctx)
9999 ++ lw $h2,8($ctx)
10000 ++ lw $h3,12($ctx)
10001 ++ lw $h4,16($ctx)
10002 ++
10003 ++ lw $r0,20($ctx) # load key
10004 ++ lw $r1,24($ctx)
10005 ++ lw $r2,28($ctx)
10006 ++ lw $r3,32($ctx)
10007 ++ lw $rs1,36($ctx)
10008 ++ lw $rs2,40($ctx)
10009 ++ lw $rs3,44($ctx)
10010 ++
10011 ++ sll $len,4
10012 ++ addu $len,$len,$inp # end of buffer
10013 ++ b .Loop
10014 ++
10015 ++.align 4
10016 ++.Loop:
10017 ++#if defined(_MIPS_ARCH_MIPS32R6)
10018 ++ lw $d0,0($inp) # load input
10019 ++ lw $d1,4($inp)
10020 ++ lw $d2,8($inp)
10021 ++ lw $d3,12($inp)
10022 ++ beqz $shr,.Laligned_inp
10023 ++
10024 ++ lw $t0,16($inp)
10025 ++ subu $t1,$zero,$shr
10026 ++# ifdef MIPSEB
10027 ++ sllv $d0,$d0,$shr
10028 ++ srlv $at,$d1,$t1
10029 ++ sllv $d1,$d1,$shr
10030 ++ or $d0,$d0,$at
10031 ++ srlv $at,$d2,$t1
10032 ++ sllv $d2,$d2,$shr
10033 ++ or $d1,$d1,$at
10034 ++ srlv $at,$d3,$t1
10035 ++ sllv $d3,$d3,$shr
10036 ++ or $d2,$d2,$at
10037 ++ srlv $t0,$t0,$t1
10038 ++ or $d3,$d3,$t0
10039 ++# else
10040 ++ srlv $d0,$d0,$shr
10041 ++ sllv $at,$d1,$t1
10042 ++ srlv $d1,$d1,$shr
10043 ++ or $d0,$d0,$at
10044 ++ sllv $at,$d2,$t1
10045 ++ srlv $d2,$d2,$shr
10046 ++ or $d1,$d1,$at
10047 ++ sllv $at,$d3,$t1
10048 ++ srlv $d3,$d3,$shr
10049 ++ or $d2,$d2,$at
10050 ++ sllv $t0,$t0,$t1
10051 ++ or $d3,$d3,$t0
10052 ++# endif
10053 ++.Laligned_inp:
10054 ++#else
10055 ++ lwl $d0,0+MSB($inp) # load input
10056 ++ lwl $d1,4+MSB($inp)
10057 ++ lwl $d2,8+MSB($inp)
10058 ++ lwl $d3,12+MSB($inp)
10059 ++ lwr $d0,0+LSB($inp)
10060 ++ lwr $d1,4+LSB($inp)
10061 ++ lwr $d2,8+LSB($inp)
10062 ++ lwr $d3,12+LSB($inp)
10063 ++#endif
10064 ++#ifdef MIPSEB
10065 ++# if defined(_MIPS_ARCH_MIPS32R2)
10066 ++ wsbh $d0,$d0 # byte swap
10067 ++ wsbh $d1,$d1
10068 ++ wsbh $d2,$d2
10069 ++ wsbh $d3,$d3
10070 ++ rotr $d0,$d0,16
10071 ++ rotr $d1,$d1,16
10072 ++ rotr $d2,$d2,16
10073 ++ rotr $d3,$d3,16
10074 ++# else
10075 ++ srl $at,$d0,24 # byte swap
10076 ++ srl $t0,$d0,8
10077 ++ andi $t1,$d0,0xFF00
10078 ++ sll $d0,$d0,24
10079 ++ andi $t0,0xFF00
10080 ++ sll $t1,$t1,8
10081 ++ or $d0,$at
10082 ++ srl $at,$d1,24
10083 ++ or $t0,$t1
10084 ++ srl $t1,$d1,8
10085 ++ or $d0,$t0
10086 ++ andi $t0,$d1,0xFF00
10087 ++ sll $d1,$d1,24
10088 ++ andi $t1,0xFF00
10089 ++ sll $t0,$t0,8
10090 ++ or $d1,$at
10091 ++ srl $at,$d2,24
10092 ++ or $t1,$t0
10093 ++ srl $t0,$d2,8
10094 ++ or $d1,$t1
10095 ++ andi $t1,$d2,0xFF00
10096 ++ sll $d2,$d2,24
10097 ++ andi $t0,0xFF00
10098 ++ sll $t1,$t1,8
10099 ++ or $d2,$at
10100 ++ srl $at,$d3,24
10101 ++ or $t0,$t1
10102 ++ srl $t1,$d3,8
10103 ++ or $d2,$t0
10104 ++ andi $t0,$d3,0xFF00
10105 ++ sll $d3,$d3,24
10106 ++ andi $t1,0xFF00
10107 ++ sll $t0,$t0,8
10108 ++ or $d3,$at
10109 ++ or $t1,$t0
10110 ++ or $d3,$t1
10111 ++# endif
10112 ++#endif
10113 ++ srl $t0,$h4,2 # modulo-scheduled reduction
10114 ++ andi $h4,$h4,3
10115 ++ sll $at,$t0,2
10116 ++
10117 ++ addu $d0,$d0,$h0 # accumulate input
10118 ++ addu $t0,$t0,$at
10119 ++ sltu $h0,$d0,$h0
10120 ++ addu $d0,$d0,$t0 # ... and residue
10121 ++ sltu $at,$d0,$t0
10122 ++
10123 ++ addu $d1,$d1,$h1
10124 ++ addu $h0,$h0,$at # carry
10125 ++ sltu $h1,$d1,$h1
10126 ++ addu $d1,$d1,$h0
10127 ++ sltu $h0,$d1,$h0
10128 ++
10129 ++ addu $d2,$d2,$h2
10130 ++ addu $h1,$h1,$h0 # carry
10131 ++ sltu $h2,$d2,$h2
10132 ++ addu $d2,$d2,$h1
10133 ++ sltu $h1,$d2,$h1
10134 ++
10135 ++ addu $d3,$d3,$h3
10136 ++ addu $h2,$h2,$h1 # carry
10137 ++ sltu $h3,$d3,$h3
10138 ++ addu $d3,$d3,$h2
10139 ++
10140 ++#if defined(_MIPS_ARCH_MIPS32R2) && !defined(_MIPS_ARCH_MIPS32R6)
10141 ++ multu $r0,$d0 # d0*r0
10142 ++ sltu $h2,$d3,$h2
10143 ++ maddu $rs3,$d1 # d1*s3
10144 ++ addu $h3,$h3,$h2 # carry
10145 ++ maddu $rs2,$d2 # d2*s2
10146 ++ addu $h4,$h4,$padbit
10147 ++ maddu $rs1,$d3 # d3*s1
10148 ++ addu $h4,$h4,$h3
10149 ++ mfhi $at
10150 ++ mflo $h0
10151 ++
10152 ++ multu $r1,$d0 # d0*r1
10153 ++ maddu $r0,$d1 # d1*r0
10154 ++ maddu $rs3,$d2 # d2*s3
10155 ++ maddu $rs2,$d3 # d3*s2
10156 ++ maddu $rs1,$h4 # h4*s1
10157 ++ maddu $at,$one # hi*1
10158 ++ mfhi $at
10159 ++ mflo $h1
10160 ++
10161 ++ multu $r2,$d0 # d0*r2
10162 ++ maddu $r1,$d1 # d1*r1
10163 ++ maddu $r0,$d2 # d2*r0
10164 ++ maddu $rs3,$d3 # d3*s3
10165 ++ maddu $rs2,$h4 # h4*s2
10166 ++ maddu $at,$one # hi*1
10167 ++ mfhi $at
10168 ++ mflo $h2
10169 ++
10170 ++ mul $t0,$r0,$h4 # h4*r0
10171 ++
10172 ++ multu $r3,$d0 # d0*r3
10173 ++ maddu $r2,$d1 # d1*r2
10174 ++ maddu $r1,$d2 # d2*r1
10175 ++ maddu $r0,$d3 # d3*r0
10176 ++ maddu $rs3,$h4 # h4*s3
10177 ++ maddu $at,$one # hi*1
10178 ++ mfhi $at
10179 ++ mflo $h3
10180 ++
10181 ++ addiu $inp,$inp,16
10182 ++
10183 ++ addu $h4,$t0,$at
10184 ++#else
10185 ++ multu ($r0,$d0) # d0*r0
10186 ++ mflo ($h0,$r0,$d0)
10187 ++ mfhi ($h1,$r0,$d0)
10188 ++
10189 ++ sltu $h2,$d3,$h2
10190 ++ addu $h3,$h3,$h2 # carry
10191 ++
10192 ++ multu ($rs3,$d1) # d1*s3
10193 ++ mflo ($at,$rs3,$d1)
10194 ++ mfhi ($t0,$rs3,$d1)
10195 ++
10196 ++ addu $h4,$h4,$padbit
10197 ++ addiu $inp,$inp,16
10198 ++ addu $h4,$h4,$h3
10199 ++
10200 ++ multu ($rs2,$d2) # d2*s2
10201 ++ mflo ($a3,$rs2,$d2)
10202 ++ mfhi ($t1,$rs2,$d2)
10203 ++ addu $h0,$h0,$at
10204 ++ addu $h1,$h1,$t0
10205 ++ multu ($rs1,$d3) # d3*s1
10206 ++ sltu $at,$h0,$at
10207 ++ addu $h1,$h1,$at
10208 ++
10209 ++ mflo ($at,$rs1,$d3)
10210 ++ mfhi ($t0,$rs1,$d3)
10211 ++ addu $h0,$h0,$a3
10212 ++ addu $h1,$h1,$t1
10213 ++ multu ($r1,$d0) # d0*r1
10214 ++ sltu $a3,$h0,$a3
10215 ++ addu $h1,$h1,$a3
10216 ++
10217 ++
10218 ++ mflo ($a3,$r1,$d0)
10219 ++ mfhi ($h2,$r1,$d0)
10220 ++ addu $h0,$h0,$at
10221 ++ addu $h1,$h1,$t0
10222 ++ multu ($r0,$d1) # d1*r0
10223 ++ sltu $at,$h0,$at
10224 ++ addu $h1,$h1,$at
10225 ++
10226 ++ mflo ($at,$r0,$d1)
10227 ++ mfhi ($t0,$r0,$d1)
10228 ++ addu $h1,$h1,$a3
10229 ++ sltu $a3,$h1,$a3
10230 ++ multu ($rs3,$d2) # d2*s3
10231 ++ addu $h2,$h2,$a3
10232 ++
10233 ++ mflo ($a3,$rs3,$d2)
10234 ++ mfhi ($t1,$rs3,$d2)
10235 ++ addu $h1,$h1,$at
10236 ++ addu $h2,$h2,$t0
10237 ++ multu ($rs2,$d3) # d3*s2
10238 ++ sltu $at,$h1,$at
10239 ++ addu $h2,$h2,$at
10240 ++
10241 ++ mflo ($at,$rs2,$d3)
10242 ++ mfhi ($t0,$rs2,$d3)
10243 ++ addu $h1,$h1,$a3
10244 ++ addu $h2,$h2,$t1
10245 ++ multu ($rs1,$h4) # h4*s1
10246 ++ sltu $a3,$h1,$a3
10247 ++ addu $h2,$h2,$a3
10248 ++
10249 ++ mflo ($a3,$rs1,$h4)
10250 ++ addu $h1,$h1,$at
10251 ++ addu $h2,$h2,$t0
10252 ++ multu ($r2,$d0) # d0*r2
10253 ++ sltu $at,$h1,$at
10254 ++ addu $h2,$h2,$at
10255 ++
10256 ++
10257 ++ mflo ($at,$r2,$d0)
10258 ++ mfhi ($h3,$r2,$d0)
10259 ++ addu $h1,$h1,$a3
10260 ++ sltu $a3,$h1,$a3
10261 ++ multu ($r1,$d1) # d1*r1
10262 ++ addu $h2,$h2,$a3
10263 ++
10264 ++ mflo ($a3,$r1,$d1)
10265 ++ mfhi ($t1,$r1,$d1)
10266 ++ addu $h2,$h2,$at
10267 ++ sltu $at,$h2,$at
10268 ++ multu ($r0,$d2) # d2*r0
10269 ++ addu $h3,$h3,$at
10270 ++
10271 ++ mflo ($at,$r0,$d2)
10272 ++ mfhi ($t0,$r0,$d2)
10273 ++ addu $h2,$h2,$a3
10274 ++ addu $h3,$h3,$t1
10275 ++ multu ($rs3,$d3) # d3*s3
10276 ++ sltu $a3,$h2,$a3
10277 ++ addu $h3,$h3,$a3
10278 ++
10279 ++ mflo ($a3,$rs3,$d3)
10280 ++ mfhi ($t1,$rs3,$d3)
10281 ++ addu $h2,$h2,$at
10282 ++ addu $h3,$h3,$t0
10283 ++ multu ($rs2,$h4) # h4*s2
10284 ++ sltu $at,$h2,$at
10285 ++ addu $h3,$h3,$at
10286 ++
10287 ++ mflo ($at,$rs2,$h4)
10288 ++ addu $h2,$h2,$a3
10289 ++ addu $h3,$h3,$t1
10290 ++ multu ($r3,$d0) # d0*r3
10291 ++ sltu $a3,$h2,$a3
10292 ++ addu $h3,$h3,$a3
10293 ++
10294 ++
10295 ++ mflo ($a3,$r3,$d0)
10296 ++ mfhi ($t1,$r3,$d0)
10297 ++ addu $h2,$h2,$at
10298 ++ sltu $at,$h2,$at
10299 ++ multu ($r2,$d1) # d1*r2
10300 ++ addu $h3,$h3,$at
10301 ++
10302 ++ mflo ($at,$r2,$d1)
10303 ++ mfhi ($t0,$r2,$d1)
10304 ++ addu $h3,$h3,$a3
10305 ++ sltu $a3,$h3,$a3
10306 ++ multu ($r0,$d3) # d3*r0
10307 ++ addu $t1,$t1,$a3
10308 ++
10309 ++ mflo ($a3,$r0,$d3)
10310 ++ mfhi ($d3,$r0,$d3)
10311 ++ addu $h3,$h3,$at
10312 ++ addu $t1,$t1,$t0
10313 ++ multu ($r1,$d2) # d2*r1
10314 ++ sltu $at,$h3,$at
10315 ++ addu $t1,$t1,$at
10316 ++
10317 ++ mflo ($at,$r1,$d2)
10318 ++ mfhi ($t0,$r1,$d2)
10319 ++ addu $h3,$h3,$a3
10320 ++ addu $t1,$t1,$d3
10321 ++ multu ($rs3,$h4) # h4*s3
10322 ++ sltu $a3,$h3,$a3
10323 ++ addu $t1,$t1,$a3
10324 ++
10325 ++ mflo ($a3,$rs3,$h4)
10326 ++ addu $h3,$h3,$at
10327 ++ addu $t1,$t1,$t0
10328 ++ multu ($r0,$h4) # h4*r0
10329 ++ sltu $at,$h3,$at
10330 ++ addu $t1,$t1,$at
10331 ++
10332 ++
10333 ++ mflo ($h4,$r0,$h4)
10334 ++ addu $h3,$h3,$a3
10335 ++ sltu $a3,$h3,$a3
10336 ++ addu $t1,$t1,$a3
10337 ++ addu $h4,$h4,$t1
10338 ++
10339 ++ li $padbit,1 # if we loop, padbit is 1
10340 ++#endif
10341 ++ bne $inp,$len,.Loop
10342 ++
10343 ++ sw $h0,0($ctx) # store hash value
10344 ++ sw $h1,4($ctx)
10345 ++ sw $h2,8($ctx)
10346 ++ sw $h3,12($ctx)
10347 ++ sw $h4,16($ctx)
10348 ++
10349 ++ .set noreorder
10350 ++.Labort:
10351 ++ lw $s11,4*11($sp)
10352 ++ lw $s10,4*10($sp)
10353 ++ lw $s9, 4*9($sp)
10354 ++ lw $s8, 4*8($sp)
10355 ++ lw $s7, 4*7($sp)
10356 ++ lw $s6, 4*6($sp)
10357 ++ lw $s5, 4*5($sp)
10358 ++ lw $s4, 4*4($sp)
10359 ++___
10360 ++$code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
10361 ++ lw $s3, 4*3($sp)
10362 ++ lw $s2, 4*2($sp)
10363 ++ lw $s1, 4*1($sp)
10364 ++ lw $s0, 4*0($sp)
10365 ++___
10366 ++$code.=<<___;
10367 ++ jr $ra
10368 ++ addu $sp,$sp,4*12
10369 ++.end poly1305_blocks
10370 ++___
10371 ++}
10372 ++{
10373 ++my ($ctx,$mac,$nonce,$tmp4) = ($a0,$a1,$a2,$a3);
10374 ++
10375 ++$code.=<<___;
10376 ++.align 5
10377 ++.globl poly1305_emit
10378 ++.ent poly1305_emit
10379 ++poly1305_emit:
10380 ++ .frame $sp,0,$ra
10381 ++ .set reorder
10382 ++
10383 ++ lw $tmp4,16($ctx)
10384 ++ lw $tmp0,0($ctx)
10385 ++ lw $tmp1,4($ctx)
10386 ++ lw $tmp2,8($ctx)
10387 ++ lw $tmp3,12($ctx)
10388 ++
10389 ++ li $in0,-4 # final reduction
10390 ++ srl $ctx,$tmp4,2
10391 ++ and $in0,$in0,$tmp4
10392 ++ andi $tmp4,$tmp4,3
10393 ++ addu $ctx,$ctx,$in0
10394 ++
10395 ++ addu $tmp0,$tmp0,$ctx
10396 ++ sltu $ctx,$tmp0,$ctx
10397 ++ addiu $in0,$tmp0,5 # compare to modulus
10398 ++ addu $tmp1,$tmp1,$ctx
10399 ++ sltiu $in1,$in0,5
10400 ++ sltu $ctx,$tmp1,$ctx
10401 ++ addu $in1,$in1,$tmp1
10402 ++ addu $tmp2,$tmp2,$ctx
10403 ++ sltu $in2,$in1,$tmp1
10404 ++ sltu $ctx,$tmp2,$ctx
10405 ++ addu $in2,$in2,$tmp2
10406 ++ addu $tmp3,$tmp3,$ctx
10407 ++ sltu $in3,$in2,$tmp2
10408 ++ sltu $ctx,$tmp3,$ctx
10409 ++ addu $in3,$in3,$tmp3
10410 ++ addu $tmp4,$tmp4,$ctx
10411 ++ sltu $ctx,$in3,$tmp3
10412 ++ addu $ctx,$tmp4
10413 ++
10414 ++ srl $ctx,2 # see if it carried/borrowed
10415 ++ subu $ctx,$zero,$ctx
10416 ++
10417 ++ xor $in0,$tmp0
10418 ++ xor $in1,$tmp1
10419 ++ xor $in2,$tmp2
10420 ++ xor $in3,$tmp3
10421 ++ and $in0,$ctx
10422 ++ and $in1,$ctx
10423 ++ and $in2,$ctx
10424 ++ and $in3,$ctx
10425 ++ xor $in0,$tmp0
10426 ++ xor $in1,$tmp1
10427 ++ xor $in2,$tmp2
10428 ++ xor $in3,$tmp3
10429 ++
10430 ++ lw $tmp0,0($nonce) # load nonce
10431 ++ lw $tmp1,4($nonce)
10432 ++ lw $tmp2,8($nonce)
10433 ++ lw $tmp3,12($nonce)
10434 ++
10435 ++ addu $in0,$tmp0 # accumulate nonce
10436 ++ sltu $ctx,$in0,$tmp0
10437 ++
10438 ++ addu $in1,$tmp1
10439 ++ sltu $tmp1,$in1,$tmp1
10440 ++ addu $in1,$ctx
10441 ++ sltu $ctx,$in1,$ctx
10442 ++ addu $ctx,$tmp1
10443 ++
10444 ++ addu $in2,$tmp2
10445 ++ sltu $tmp2,$in2,$tmp2
10446 ++ addu $in2,$ctx
10447 ++ sltu $ctx,$in2,$ctx
10448 ++ addu $ctx,$tmp2
10449 ++
10450 ++ addu $in3,$tmp3
10451 ++ addu $in3,$ctx
10452 ++
10453 ++ srl $tmp0,$in0,8 # write mac value
10454 ++ srl $tmp1,$in0,16
10455 ++ srl $tmp2,$in0,24
10456 ++ sb $in0, 0($mac)
10457 ++ sb $tmp0,1($mac)
10458 ++ srl $tmp0,$in1,8
10459 ++ sb $tmp1,2($mac)
10460 ++ srl $tmp1,$in1,16
10461 ++ sb $tmp2,3($mac)
10462 ++ srl $tmp2,$in1,24
10463 ++ sb $in1, 4($mac)
10464 ++ sb $tmp0,5($mac)
10465 ++ srl $tmp0,$in2,8
10466 ++ sb $tmp1,6($mac)
10467 ++ srl $tmp1,$in2,16
10468 ++ sb $tmp2,7($mac)
10469 ++ srl $tmp2,$in2,24
10470 ++ sb $in2, 8($mac)
10471 ++ sb $tmp0,9($mac)
10472 ++ srl $tmp0,$in3,8
10473 ++ sb $tmp1,10($mac)
10474 ++ srl $tmp1,$in3,16
10475 ++ sb $tmp2,11($mac)
10476 ++ srl $tmp2,$in3,24
10477 ++ sb $in3, 12($mac)
10478 ++ sb $tmp0,13($mac)
10479 ++ sb $tmp1,14($mac)
10480 ++ sb $tmp2,15($mac)
10481 ++
10482 ++ jr $ra
10483 ++.end poly1305_emit
10484 ++.rdata
10485 ++.asciiz "Poly1305 for MIPS32, CRYPTOGAMS by \@dot-asm"
10486 ++.align 2
10487 ++___
10488 ++}
10489 ++}}}
10490 ++
10491 ++$output=pop and open STDOUT,">$output";
10492 ++print $code;
10493 ++close STDOUT;
10494 +--- /dev/null
10495 ++++ b/include/crypto/blake2s.h
10496 +@@ -0,0 +1,106 @@
10497 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
10498 ++/*
10499 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
10500 ++ */
10501 ++
10502 ++#ifndef BLAKE2S_H
10503 ++#define BLAKE2S_H
10504 ++
10505 ++#include <linux/types.h>
10506 ++#include <linux/kernel.h>
10507 ++#include <linux/string.h>
10508 ++
10509 ++#include <asm/bug.h>
10510 ++
10511 ++enum blake2s_lengths {
10512 ++ BLAKE2S_BLOCK_SIZE = 64,
10513 ++ BLAKE2S_HASH_SIZE = 32,
10514 ++ BLAKE2S_KEY_SIZE = 32,
10515 ++
10516 ++ BLAKE2S_128_HASH_SIZE = 16,
10517 ++ BLAKE2S_160_HASH_SIZE = 20,
10518 ++ BLAKE2S_224_HASH_SIZE = 28,
10519 ++ BLAKE2S_256_HASH_SIZE = 32,
10520 ++};
10521 ++
10522 ++struct blake2s_state {
10523 ++ u32 h[8];
10524 ++ u32 t[2];
10525 ++ u32 f[2];
10526 ++ u8 buf[BLAKE2S_BLOCK_SIZE];
10527 ++ unsigned int buflen;
10528 ++ unsigned int outlen;
10529 ++};
10530 ++
10531 ++enum blake2s_iv {
10532 ++ BLAKE2S_IV0 = 0x6A09E667UL,
10533 ++ BLAKE2S_IV1 = 0xBB67AE85UL,
10534 ++ BLAKE2S_IV2 = 0x3C6EF372UL,
10535 ++ BLAKE2S_IV3 = 0xA54FF53AUL,
10536 ++ BLAKE2S_IV4 = 0x510E527FUL,
10537 ++ BLAKE2S_IV5 = 0x9B05688CUL,
10538 ++ BLAKE2S_IV6 = 0x1F83D9ABUL,
10539 ++ BLAKE2S_IV7 = 0x5BE0CD19UL,
10540 ++};
10541 ++
10542 ++void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen);
10543 ++void blake2s_final(struct blake2s_state *state, u8 *out);
10544 ++
10545 ++static inline void blake2s_init_param(struct blake2s_state *state,
10546 ++ const u32 param)
10547 ++{
10548 ++ *state = (struct blake2s_state){{
10549 ++ BLAKE2S_IV0 ^ param,
10550 ++ BLAKE2S_IV1,
10551 ++ BLAKE2S_IV2,
10552 ++ BLAKE2S_IV3,
10553 ++ BLAKE2S_IV4,
10554 ++ BLAKE2S_IV5,
10555 ++ BLAKE2S_IV6,
10556 ++ BLAKE2S_IV7,
10557 ++ }};
10558 ++}
10559 ++
10560 ++static inline void blake2s_init(struct blake2s_state *state,
10561 ++ const size_t outlen)
10562 ++{
10563 ++ blake2s_init_param(state, 0x01010000 | outlen);
10564 ++ state->outlen = outlen;
10565 ++}
10566 ++
10567 ++static inline void blake2s_init_key(struct blake2s_state *state,
10568 ++ const size_t outlen, const void *key,
10569 ++ const size_t keylen)
10570 ++{
10571 ++ WARN_ON(IS_ENABLED(DEBUG) && (!outlen || outlen > BLAKE2S_HASH_SIZE ||
10572 ++ !key || !keylen || keylen > BLAKE2S_KEY_SIZE));
10573 ++
10574 ++ blake2s_init_param(state, 0x01010000 | keylen << 8 | outlen);
10575 ++ memcpy(state->buf, key, keylen);
10576 ++ state->buflen = BLAKE2S_BLOCK_SIZE;
10577 ++ state->outlen = outlen;
10578 ++}
10579 ++
10580 ++static inline void blake2s(u8 *out, const u8 *in, const u8 *key,
10581 ++ const size_t outlen, const size_t inlen,
10582 ++ const size_t keylen)
10583 ++{
10584 ++ struct blake2s_state state;
10585 ++
10586 ++ WARN_ON(IS_ENABLED(DEBUG) && ((!in && inlen > 0) || !out || !outlen ||
10587 ++ outlen > BLAKE2S_HASH_SIZE || keylen > BLAKE2S_KEY_SIZE ||
10588 ++ (!key && keylen)));
10589 ++
10590 ++ if (keylen)
10591 ++ blake2s_init_key(&state, outlen, key, keylen);
10592 ++ else
10593 ++ blake2s_init(&state, outlen);
10594 ++
10595 ++ blake2s_update(&state, in, inlen);
10596 ++ blake2s_final(&state, out);
10597 ++}
10598 ++
10599 ++void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
10600 ++ const size_t keylen);
10601 ++
10602 ++#endif /* BLAKE2S_H */
10603 +--- b/include/crypto/internal/blake2s.h
10604 ++++ b/include/crypto/internal/blake2s.h
10605 +@@ -0,0 +1,24 @@
10606 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
10607 ++
10608 ++#ifndef BLAKE2S_INTERNAL_H
10609 ++#define BLAKE2S_INTERNAL_H
10610 ++
10611 ++#include <crypto/blake2s.h>
10612 ++
10613 ++struct blake2s_tfm_ctx {
10614 ++ u8 key[BLAKE2S_KEY_SIZE];
10615 ++ unsigned int keylen;
10616 ++};
10617 ++
10618 ++void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
10619 ++ size_t nblocks, const u32 inc);
10620 ++
10621 ++void blake2s_compress_arch(struct blake2s_state *state,const u8 *block,
10622 ++ size_t nblocks, const u32 inc);
10623 ++
10624 ++static inline void blake2s_set_lastblock(struct blake2s_state *state)
10625 ++{
10626 ++ state->f[0] = -1;
10627 ++}
10628 ++
10629 ++#endif /* BLAKE2S_INTERNAL_H */
10630 +--- /dev/null
10631 ++++ b/lib/crypto/blake2s-generic.c
10632 +@@ -0,0 +1,111 @@
10633 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
10634 ++/*
10635 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
10636 ++ *
10637 ++ * This is an implementation of the BLAKE2s hash and PRF functions.
10638 ++ *
10639 ++ * Information: https://blake2.net/
10640 ++ *
10641 ++ */
10642 ++
10643 ++#include <crypto/internal/blake2s.h>
10644 ++#include <linux/types.h>
10645 ++#include <linux/string.h>
10646 ++#include <linux/kernel.h>
10647 ++#include <linux/module.h>
10648 ++#include <linux/init.h>
10649 ++#include <linux/bug.h>
10650 ++#include <asm/unaligned.h>
10651 ++
10652 ++static const u8 blake2s_sigma[10][16] = {
10653 ++ { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
10654 ++ { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 },
10655 ++ { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 },
10656 ++ { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 },
10657 ++ { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 },
10658 ++ { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 },
10659 ++ { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 },
10660 ++ { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 },
10661 ++ { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 },
10662 ++ { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 },
10663 ++};
10664 ++
10665 ++static inline void blake2s_increment_counter(struct blake2s_state *state,
10666 ++ const u32 inc)
10667 ++{
10668 ++ state->t[0] += inc;
10669 ++ state->t[1] += (state->t[0] < inc);
10670 ++}
10671 ++
10672 ++void blake2s_compress_generic(struct blake2s_state *state,const u8 *block,
10673 ++ size_t nblocks, const u32 inc)
10674 ++{
10675 ++ u32 m[16];
10676 ++ u32 v[16];
10677 ++ int i;
10678 ++
10679 ++ WARN_ON(IS_ENABLED(DEBUG) &&
10680 ++ (nblocks > 1 && inc != BLAKE2S_BLOCK_SIZE));
10681 ++
10682 ++ while (nblocks > 0) {
10683 ++ blake2s_increment_counter(state, inc);
10684 ++ memcpy(m, block, BLAKE2S_BLOCK_SIZE);
10685 ++ le32_to_cpu_array(m, ARRAY_SIZE(m));
10686 ++ memcpy(v, state->h, 32);
10687 ++ v[ 8] = BLAKE2S_IV0;
10688 ++ v[ 9] = BLAKE2S_IV1;
10689 ++ v[10] = BLAKE2S_IV2;
10690 ++ v[11] = BLAKE2S_IV3;
10691 ++ v[12] = BLAKE2S_IV4 ^ state->t[0];
10692 ++ v[13] = BLAKE2S_IV5 ^ state->t[1];
10693 ++ v[14] = BLAKE2S_IV6 ^ state->f[0];
10694 ++ v[15] = BLAKE2S_IV7 ^ state->f[1];
10695 ++
10696 ++#define G(r, i, a, b, c, d) do { \
10697 ++ a += b + m[blake2s_sigma[r][2 * i + 0]]; \
10698 ++ d = ror32(d ^ a, 16); \
10699 ++ c += d; \
10700 ++ b = ror32(b ^ c, 12); \
10701 ++ a += b + m[blake2s_sigma[r][2 * i + 1]]; \
10702 ++ d = ror32(d ^ a, 8); \
10703 ++ c += d; \
10704 ++ b = ror32(b ^ c, 7); \
10705 ++} while (0)
10706 ++
10707 ++#define ROUND(r) do { \
10708 ++ G(r, 0, v[0], v[ 4], v[ 8], v[12]); \
10709 ++ G(r, 1, v[1], v[ 5], v[ 9], v[13]); \
10710 ++ G(r, 2, v[2], v[ 6], v[10], v[14]); \
10711 ++ G(r, 3, v[3], v[ 7], v[11], v[15]); \
10712 ++ G(r, 4, v[0], v[ 5], v[10], v[15]); \
10713 ++ G(r, 5, v[1], v[ 6], v[11], v[12]); \
10714 ++ G(r, 6, v[2], v[ 7], v[ 8], v[13]); \
10715 ++ G(r, 7, v[3], v[ 4], v[ 9], v[14]); \
10716 ++} while (0)
10717 ++ ROUND(0);
10718 ++ ROUND(1);
10719 ++ ROUND(2);
10720 ++ ROUND(3);
10721 ++ ROUND(4);
10722 ++ ROUND(5);
10723 ++ ROUND(6);
10724 ++ ROUND(7);
10725 ++ ROUND(8);
10726 ++ ROUND(9);
10727 ++
10728 ++#undef G
10729 ++#undef ROUND
10730 ++
10731 ++ for (i = 0; i < 8; ++i)
10732 ++ state->h[i] ^= v[i] ^ v[i + 8];
10733 ++
10734 ++ block += BLAKE2S_BLOCK_SIZE;
10735 ++ --nblocks;
10736 ++ }
10737 ++}
10738 ++
10739 ++EXPORT_SYMBOL(blake2s_compress_generic);
10740 ++
10741 ++MODULE_LICENSE("GPL v2");
10742 ++MODULE_DESCRIPTION("BLAKE2s hash function");
10743 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
10744 +--- /dev/null
10745 ++++ b/lib/crypto/blake2s-selftest.c
10746 +@@ -0,0 +1,622 @@
10747 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
10748 ++/*
10749 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
10750 ++ */
10751 ++
10752 ++#include <crypto/blake2s.h>
10753 ++#include <linux/string.h>
10754 ++
10755 ++/*
10756 ++ * blake2s_testvecs[] generated with the program below (using libb2-dev and
10757 ++ * libssl-dev [OpenSSL])
10758 ++ *
10759 ++ * #include <blake2.h>
10760 ++ * #include <stdint.h>
10761 ++ * #include <stdio.h>
10762 ++ *
10763 ++ * #include <openssl/evp.h>
10764 ++ * #include <openssl/hmac.h>
10765 ++ *
10766 ++ * #define BLAKE2S_TESTVEC_COUNT 256
10767 ++ *
10768 ++ * static void print_vec(const uint8_t vec[], int len)
10769 ++ * {
10770 ++ * int i;
10771 ++ *
10772 ++ * printf(" { ");
10773 ++ * for (i = 0; i < len; i++) {
10774 ++ * if (i && (i % 12) == 0)
10775 ++ * printf("\n ");
10776 ++ * printf("0x%02x, ", vec[i]);
10777 ++ * }
10778 ++ * printf("},\n");
10779 ++ * }
10780 ++ *
10781 ++ * int main(void)
10782 ++ * {
10783 ++ * uint8_t key[BLAKE2S_KEYBYTES];
10784 ++ * uint8_t buf[BLAKE2S_TESTVEC_COUNT];
10785 ++ * uint8_t hash[BLAKE2S_OUTBYTES];
10786 ++ * int i, j;
10787 ++ *
10788 ++ * key[0] = key[1] = 1;
10789 ++ * for (i = 2; i < BLAKE2S_KEYBYTES; ++i)
10790 ++ * key[i] = key[i - 2] + key[i - 1];
10791 ++ *
10792 ++ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i)
10793 ++ * buf[i] = (uint8_t)i;
10794 ++ *
10795 ++ * printf("static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
10796 ++ *
10797 ++ * for (i = 0; i < BLAKE2S_TESTVEC_COUNT; ++i) {
10798 ++ * int outlen = 1 + i % BLAKE2S_OUTBYTES;
10799 ++ * int keylen = (13 * i) % (BLAKE2S_KEYBYTES + 1);
10800 ++ *
10801 ++ * blake2s(hash, buf, key + BLAKE2S_KEYBYTES - keylen, outlen, i,
10802 ++ * keylen);
10803 ++ * print_vec(hash, outlen);
10804 ++ * }
10805 ++ * printf("};\n\n");
10806 ++ *
10807 ++ * printf("static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {\n");
10808 ++ *
10809 ++ * HMAC(EVP_blake2s256(), key, sizeof(key), buf, sizeof(buf), hash, NULL);
10810 ++ * print_vec(hash, BLAKE2S_OUTBYTES);
10811 ++ *
10812 ++ * HMAC(EVP_blake2s256(), buf, sizeof(buf), key, sizeof(key), hash, NULL);
10813 ++ * print_vec(hash, BLAKE2S_OUTBYTES);
10814 ++ *
10815 ++ * printf("};\n");
10816 ++ *
10817 ++ * return 0;
10818 ++ *}
10819 ++ */
10820 ++static const u8 blake2s_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
10821 ++ { 0xa1, },
10822 ++ { 0x7c, 0x89, },
10823 ++ { 0x74, 0x0e, 0xd4, },
10824 ++ { 0x47, 0x0c, 0x21, 0x15, },
10825 ++ { 0x18, 0xd6, 0x9c, 0xa6, 0xc4, },
10826 ++ { 0x13, 0x5d, 0x16, 0x63, 0x2e, 0xf9, },
10827 ++ { 0x2c, 0xb5, 0x04, 0xb7, 0x99, 0xe2, 0x73, },
10828 ++ { 0x9a, 0x0f, 0xd2, 0x39, 0xd6, 0x68, 0x1b, 0x92, },
10829 ++ { 0xc8, 0xde, 0x7a, 0xea, 0x2f, 0xf4, 0xd2, 0xe3, 0x2b, },
10830 ++ { 0x5b, 0xf9, 0x43, 0x52, 0x0c, 0x12, 0xba, 0xb5, 0x93, 0x9f, },
10831 ++ { 0xc6, 0x2c, 0x4e, 0x80, 0xfc, 0x32, 0x5b, 0x33, 0xb8, 0xb8, 0x0a, },
10832 ++ { 0xa7, 0x5c, 0xfd, 0x3a, 0xcc, 0xbf, 0x90, 0xca, 0xb7, 0x97, 0xde, 0xd8, },
10833 ++ { 0x66, 0xca, 0x3c, 0xc4, 0x19, 0xef, 0x92, 0x66, 0x3f, 0x21, 0x8f, 0xda,
10834 ++ 0xb7, },
10835 ++ { 0xba, 0xe5, 0xbb, 0x30, 0x25, 0x94, 0x6d, 0xc3, 0x89, 0x09, 0xc4, 0x25,
10836 ++ 0x52, 0x3e, },
10837 ++ { 0xa2, 0xef, 0x0e, 0x52, 0x0b, 0x5f, 0xa2, 0x01, 0x6d, 0x0a, 0x25, 0xbc,
10838 ++ 0x57, 0xe2, 0x27, },
10839 ++ { 0x4f, 0xe0, 0xf9, 0x52, 0x12, 0xda, 0x84, 0xb7, 0xab, 0xae, 0xb0, 0xa6,
10840 ++ 0x47, 0x2a, 0xc7, 0xf5, },
10841 ++ { 0x56, 0xe7, 0xa8, 0x1c, 0x4c, 0xca, 0xed, 0x90, 0x31, 0xec, 0x87, 0x43,
10842 ++ 0xe7, 0x72, 0x08, 0xec, 0xbe, },
10843 ++ { 0x7e, 0xdf, 0x80, 0x1c, 0x93, 0x33, 0xfd, 0x53, 0x44, 0xba, 0xfd, 0x96,
10844 ++ 0xe1, 0xbb, 0xb5, 0x65, 0xa5, 0x00, },
10845 ++ { 0xec, 0x6b, 0xed, 0xf7, 0x7b, 0x62, 0x1d, 0x7d, 0xf4, 0x82, 0xf3, 0x1e,
10846 ++ 0x18, 0xff, 0x2b, 0xc4, 0x06, 0x20, 0x2a, },
10847 ++ { 0x74, 0x98, 0xd7, 0x68, 0x63, 0xed, 0x87, 0xe4, 0x5d, 0x8d, 0x9e, 0x1d,
10848 ++ 0xfd, 0x2a, 0xbb, 0x86, 0xac, 0xe9, 0x2a, 0x89, },
10849 ++ { 0x89, 0xc3, 0x88, 0xce, 0x2b, 0x33, 0x1e, 0x10, 0xd1, 0x37, 0x20, 0x86,
10850 ++ 0x28, 0x43, 0x70, 0xd9, 0xfb, 0x96, 0xd9, 0xb5, 0xd3, },
10851 ++ { 0xcb, 0x56, 0x74, 0x41, 0x8d, 0x80, 0x01, 0x9a, 0x6b, 0x38, 0xe1, 0x41,
10852 ++ 0xad, 0x9c, 0x62, 0x74, 0xce, 0x35, 0xd5, 0x6c, 0x89, 0x6e, },
10853 ++ { 0x79, 0xaf, 0x94, 0x59, 0x99, 0x26, 0xe1, 0xc9, 0x34, 0xfe, 0x7c, 0x22,
10854 ++ 0xf7, 0x43, 0xd7, 0x65, 0xd4, 0x48, 0x18, 0xac, 0x3d, 0xfd, 0x93, },
10855 ++ { 0x85, 0x0d, 0xff, 0xb8, 0x3e, 0x87, 0x41, 0xb0, 0x95, 0xd3, 0x3d, 0x00,
10856 ++ 0x47, 0x55, 0x9e, 0xd2, 0x69, 0xea, 0xbf, 0xe9, 0x7a, 0x2d, 0x61, 0x45, },
10857 ++ { 0x03, 0xe0, 0x85, 0xec, 0x54, 0xb5, 0x16, 0x53, 0xa8, 0xc4, 0x71, 0xe9,
10858 ++ 0x6a, 0xe7, 0xcb, 0xc4, 0x15, 0x02, 0xfc, 0x34, 0xa4, 0xa4, 0x28, 0x13,
10859 ++ 0xd1, },
10860 ++ { 0xe3, 0x34, 0x4b, 0xe1, 0xd0, 0x4b, 0x55, 0x61, 0x8f, 0xc0, 0x24, 0x05,
10861 ++ 0xe6, 0xe0, 0x3d, 0x70, 0x24, 0x4d, 0xda, 0xb8, 0x91, 0x05, 0x29, 0x07,
10862 ++ 0x01, 0x3e, },
10863 ++ { 0x61, 0xff, 0x01, 0x72, 0xb1, 0x4d, 0xf6, 0xfe, 0xd1, 0xd1, 0x08, 0x74,
10864 ++ 0xe6, 0x91, 0x44, 0xeb, 0x61, 0xda, 0x40, 0xaf, 0xfc, 0x8c, 0x91, 0x6b,
10865 ++ 0xec, 0x13, 0xed, },
10866 ++ { 0xd4, 0x40, 0xd2, 0xa0, 0x7f, 0xc1, 0x58, 0x0c, 0x85, 0xa0, 0x86, 0xc7,
10867 ++ 0x86, 0xb9, 0x61, 0xc9, 0xea, 0x19, 0x86, 0x1f, 0xab, 0x07, 0xce, 0x37,
10868 ++ 0x72, 0x67, 0x09, 0xfc, },
10869 ++ { 0x9e, 0xf8, 0x18, 0x67, 0x93, 0x10, 0x9b, 0x39, 0x75, 0xe8, 0x8b, 0x38,
10870 ++ 0x82, 0x7d, 0xb8, 0xb7, 0xa5, 0xaf, 0xe6, 0x6a, 0x22, 0x5e, 0x1f, 0x9c,
10871 ++ 0x95, 0x29, 0x19, 0xf2, 0x4b, },
10872 ++ { 0xc8, 0x62, 0x25, 0xf5, 0x98, 0xc9, 0xea, 0xe5, 0x29, 0x3a, 0xd3, 0x22,
10873 ++ 0xeb, 0xeb, 0x07, 0x7c, 0x15, 0x07, 0xee, 0x15, 0x61, 0xbb, 0x05, 0x30,
10874 ++ 0x99, 0x7f, 0x11, 0xf6, 0x0a, 0x1d, },
10875 ++ { 0x68, 0x70, 0xf7, 0x90, 0xa1, 0x8b, 0x1f, 0x0f, 0xbb, 0xce, 0xd2, 0x0e,
10876 ++ 0x33, 0x1f, 0x7f, 0xa9, 0x78, 0xa8, 0xa6, 0x81, 0x66, 0xab, 0x8d, 0xcd,
10877 ++ 0x58, 0x55, 0x3a, 0x0b, 0x7a, 0xdb, 0xb5, },
10878 ++ { 0xdd, 0x35, 0xd2, 0xb4, 0xf6, 0xc7, 0xea, 0xab, 0x64, 0x24, 0x4e, 0xfe,
10879 ++ 0xe5, 0x3d, 0x4e, 0x95, 0x8b, 0x6d, 0x6c, 0xbc, 0xb0, 0xf8, 0x88, 0x61,
10880 ++ 0x09, 0xb7, 0x78, 0xa3, 0x31, 0xfe, 0xd9, 0x2f, },
10881 ++ { 0x0a, },
10882 ++ { 0x6e, 0xd4, },
10883 ++ { 0x64, 0xe9, 0xd1, },
10884 ++ { 0x30, 0xdd, 0x71, 0xef, },
10885 ++ { 0x11, 0xb5, 0x0c, 0x87, 0xc9, },
10886 ++ { 0x06, 0x1c, 0x6d, 0x04, 0x82, 0xd0, },
10887 ++ { 0x5c, 0x42, 0x0b, 0xee, 0xc5, 0x9c, 0xb2, },
10888 ++ { 0xe8, 0x29, 0xd6, 0xb4, 0x5d, 0xf7, 0x2b, 0x93, },
10889 ++ { 0x18, 0xca, 0x27, 0x72, 0x43, 0x39, 0x16, 0xbc, 0x6a, },
10890 ++ { 0x39, 0x8f, 0xfd, 0x64, 0xf5, 0x57, 0x23, 0xb0, 0x45, 0xf8, },
10891 ++ { 0xbb, 0x3a, 0x78, 0x6b, 0x02, 0x1d, 0x0b, 0x16, 0xe3, 0xb2, 0x9a, },
10892 ++ { 0xb8, 0xb4, 0x0b, 0xe5, 0xd4, 0x1d, 0x0d, 0x85, 0x49, 0x91, 0x35, 0xfa, },
10893 ++ { 0x6d, 0x48, 0x2a, 0x0c, 0x42, 0x08, 0xbd, 0xa9, 0x78, 0x6f, 0x18, 0xaf,
10894 ++ 0xe2, },
10895 ++ { 0x10, 0x45, 0xd4, 0x58, 0x88, 0xec, 0x4e, 0x1e, 0xf6, 0x14, 0x92, 0x64,
10896 ++ 0x7e, 0xb0, },
10897 ++ { 0x8b, 0x0b, 0x95, 0xee, 0x92, 0xc6, 0x3b, 0x91, 0xf1, 0x1e, 0xeb, 0x51,
10898 ++ 0x98, 0x0a, 0x8d, },
10899 ++ { 0xa3, 0x50, 0x4d, 0xa5, 0x1d, 0x03, 0x68, 0xe9, 0x57, 0x78, 0xd6, 0x04,
10900 ++ 0xf1, 0xc3, 0x94, 0xd8, },
10901 ++ { 0xb8, 0x66, 0x6e, 0xdd, 0x46, 0x15, 0xae, 0x3d, 0x83, 0x7e, 0xcf, 0xe7,
10902 ++ 0x2c, 0xe8, 0x8f, 0xc7, 0x34, },
10903 ++ { 0x2e, 0xc0, 0x1f, 0x29, 0xea, 0xf6, 0xb9, 0xe2, 0xc2, 0x93, 0xeb, 0x41,
10904 ++ 0x0d, 0xf0, 0x0a, 0x13, 0x0e, 0xa2, },
10905 ++ { 0x71, 0xb8, 0x33, 0xa9, 0x1b, 0xac, 0xf1, 0xb5, 0x42, 0x8f, 0x5e, 0x81,
10906 ++ 0x34, 0x43, 0xb7, 0xa4, 0x18, 0x5c, 0x47, },
10907 ++ { 0xda, 0x45, 0xb8, 0x2e, 0x82, 0x1e, 0xc0, 0x59, 0x77, 0x9d, 0xfa, 0xb4,
10908 ++ 0x1c, 0x5e, 0xa0, 0x2b, 0x33, 0x96, 0x5a, 0x58, },
10909 ++ { 0xe3, 0x09, 0x05, 0xa9, 0xeb, 0x48, 0x13, 0xad, 0x71, 0x88, 0x81, 0x9a,
10910 ++ 0x3e, 0x2c, 0xe1, 0x23, 0x99, 0x13, 0x35, 0x9f, 0xb5, },
10911 ++ { 0xb7, 0x86, 0x2d, 0x16, 0xe1, 0x04, 0x00, 0x47, 0x47, 0x61, 0x31, 0xfb,
10912 ++ 0x14, 0xac, 0xd8, 0xe9, 0xe3, 0x49, 0xbd, 0xf7, 0x9c, 0x3f, },
10913 ++ { 0x7f, 0xd9, 0x95, 0xa8, 0xa7, 0xa0, 0xcc, 0xba, 0xef, 0xb1, 0x0a, 0xa9,
10914 ++ 0x21, 0x62, 0x08, 0x0f, 0x1b, 0xff, 0x7b, 0x9d, 0xae, 0xb2, 0x95, },
10915 ++ { 0x85, 0x99, 0xea, 0x33, 0xe0, 0x56, 0xff, 0x13, 0xc6, 0x61, 0x8c, 0xf9,
10916 ++ 0x57, 0x05, 0x03, 0x11, 0xf9, 0xfb, 0x3a, 0xf7, 0xce, 0xbb, 0x52, 0x30, },
10917 ++ { 0xb2, 0x72, 0x9c, 0xf8, 0x77, 0x4e, 0x8f, 0x6b, 0x01, 0x6c, 0xff, 0x4e,
10918 ++ 0x4f, 0x02, 0xd2, 0xbc, 0xeb, 0x51, 0x28, 0x99, 0x50, 0xab, 0xc4, 0x42,
10919 ++ 0xe3, },
10920 ++ { 0x8b, 0x0a, 0xb5, 0x90, 0x8f, 0xf5, 0x7b, 0xdd, 0xba, 0x47, 0x37, 0xc9,
10921 ++ 0x2a, 0xd5, 0x4b, 0x25, 0x08, 0x8b, 0x02, 0x17, 0xa7, 0x9e, 0x6b, 0x6e,
10922 ++ 0xe3, 0x90, },
10923 ++ { 0x90, 0xdd, 0xf7, 0x75, 0xa7, 0xa3, 0x99, 0x5e, 0x5b, 0x7d, 0x75, 0xc3,
10924 ++ 0x39, 0x6b, 0xa0, 0xe2, 0x44, 0x53, 0xb1, 0x9e, 0xc8, 0xf1, 0x77, 0x10,
10925 ++ 0x58, 0x06, 0x9a, },
10926 ++ { 0x99, 0x52, 0xf0, 0x49, 0xa8, 0x8c, 0xec, 0xa6, 0x97, 0x32, 0x13, 0xb5,
10927 ++ 0xf7, 0xa3, 0x8e, 0xfb, 0x4b, 0x59, 0x31, 0x3d, 0x01, 0x59, 0x98, 0x5d,
10928 ++ 0x53, 0x03, 0x1a, 0x39, },
10929 ++ { 0x9f, 0xe0, 0xc2, 0xe5, 0x5d, 0x93, 0xd6, 0x9b, 0x47, 0x8f, 0x9b, 0xe0,
10930 ++ 0x26, 0x35, 0x84, 0x20, 0x1d, 0xc5, 0x53, 0x10, 0x0f, 0x22, 0xb9, 0xb5,
10931 ++ 0xd4, 0x36, 0xb1, 0xac, 0x73, },
10932 ++ { 0x30, 0x32, 0x20, 0x3b, 0x10, 0x28, 0xec, 0x1f, 0x4f, 0x9b, 0x47, 0x59,
10933 ++ 0xeb, 0x7b, 0xee, 0x45, 0xfb, 0x0c, 0x49, 0xd8, 0x3d, 0x69, 0xbd, 0x90,
10934 ++ 0x2c, 0xf0, 0x9e, 0x8d, 0xbf, 0xd5, },
10935 ++ { 0x2a, 0x37, 0x73, 0x7f, 0xf9, 0x96, 0x19, 0xaa, 0x25, 0xd8, 0x13, 0x28,
10936 ++ 0x01, 0x29, 0x89, 0xdf, 0x6e, 0x0c, 0x9b, 0x43, 0x44, 0x51, 0xe9, 0x75,
10937 ++ 0x26, 0x0c, 0xb7, 0x87, 0x66, 0x0b, 0x5f, },
10938 ++ { 0x23, 0xdf, 0x96, 0x68, 0x91, 0x86, 0xd0, 0x93, 0x55, 0x33, 0x24, 0xf6,
10939 ++ 0xba, 0x08, 0x75, 0x5b, 0x59, 0x11, 0x69, 0xb8, 0xb9, 0xe5, 0x2c, 0x77,
10940 ++ 0x02, 0xf6, 0x47, 0xee, 0x81, 0xdd, 0xb9, 0x06, },
10941 ++ { 0x9d, },
10942 ++ { 0x9d, 0x7d, },
10943 ++ { 0xfd, 0xc3, 0xda, },
10944 ++ { 0xe8, 0x82, 0xcd, 0x21, },
10945 ++ { 0xc3, 0x1d, 0x42, 0x4c, 0x74, },
10946 ++ { 0xe9, 0xda, 0xf1, 0xa2, 0xe5, 0x7c, },
10947 ++ { 0x52, 0xb8, 0x6f, 0x81, 0x5c, 0x3a, 0x4c, },
10948 ++ { 0x5b, 0x39, 0x26, 0xfc, 0x92, 0x5e, 0xe0, 0x49, },
10949 ++ { 0x59, 0xe4, 0x7c, 0x93, 0x1c, 0xf9, 0x28, 0x93, 0xde, },
10950 ++ { 0xde, 0xdf, 0xb2, 0x43, 0x61, 0x0b, 0x86, 0x16, 0x4c, 0x2e, },
10951 ++ { 0x14, 0x8f, 0x75, 0x51, 0xaf, 0xb9, 0xee, 0x51, 0x5a, 0xae, 0x23, },
10952 ++ { 0x43, 0x5f, 0x50, 0xd5, 0x70, 0xb0, 0x5b, 0x87, 0xf5, 0xd9, 0xb3, 0x6d, },
10953 ++ { 0x66, 0x0a, 0x64, 0x93, 0x79, 0x71, 0x94, 0x40, 0xb7, 0x68, 0x2d, 0xd3,
10954 ++ 0x63, },
10955 ++ { 0x15, 0x00, 0xc4, 0x0c, 0x7d, 0x1b, 0x10, 0xa9, 0x73, 0x1b, 0x90, 0x6f,
10956 ++ 0xe6, 0xa9, },
10957 ++ { 0x34, 0x75, 0xf3, 0x86, 0x8f, 0x56, 0xcf, 0x2a, 0x0a, 0xf2, 0x62, 0x0a,
10958 ++ 0xf6, 0x0e, 0x20, },
10959 ++ { 0xb1, 0xde, 0xc9, 0xf5, 0xdb, 0xf3, 0x2f, 0x4c, 0xd6, 0x41, 0x7d, 0x39,
10960 ++ 0x18, 0x3e, 0xc7, 0xc3, },
10961 ++ { 0xc5, 0x89, 0xb2, 0xf8, 0xb8, 0xc0, 0xa3, 0xb9, 0x3b, 0x10, 0x6d, 0x7c,
10962 ++ 0x92, 0xfc, 0x7f, 0x34, 0x41, },
10963 ++ { 0xc4, 0xd8, 0xef, 0xba, 0xef, 0xd2, 0xaa, 0xc5, 0x6c, 0x8e, 0x3e, 0xbb,
10964 ++ 0x12, 0xfc, 0x0f, 0x72, 0xbf, 0x0f, },
10965 ++ { 0xdd, 0x91, 0xd1, 0x15, 0x9e, 0x7d, 0xf8, 0xc1, 0xb9, 0x14, 0x63, 0x96,
10966 ++ 0xb5, 0xcb, 0x83, 0x1d, 0x35, 0x1c, 0xec, },
10967 ++ { 0xa9, 0xf8, 0x52, 0xc9, 0x67, 0x76, 0x2b, 0xad, 0xfb, 0xd8, 0x3a, 0xa6,
10968 ++ 0x74, 0x02, 0xae, 0xb8, 0x25, 0x2c, 0x63, 0x49, },
10969 ++ { 0x77, 0x1f, 0x66, 0x70, 0xfd, 0x50, 0x29, 0xaa, 0xeb, 0xdc, 0xee, 0xba,
10970 ++ 0x75, 0x98, 0xdc, 0x93, 0x12, 0x3f, 0xdc, 0x7c, 0x38, },
10971 ++ { 0xe2, 0xe1, 0x89, 0x5c, 0x37, 0x38, 0x6a, 0xa3, 0x40, 0xac, 0x3f, 0xb0,
10972 ++ 0xca, 0xfc, 0xa7, 0xf3, 0xea, 0xf9, 0x0f, 0x5d, 0x8e, 0x39, },
10973 ++ { 0x0f, 0x67, 0xc8, 0x38, 0x01, 0xb1, 0xb7, 0xb8, 0xa2, 0xe7, 0x0a, 0x6d,
10974 ++ 0xd2, 0x63, 0x69, 0x9e, 0xcc, 0xf0, 0xf2, 0xbe, 0x9b, 0x98, 0xdd, },
10975 ++ { 0x13, 0xe1, 0x36, 0x30, 0xfe, 0xc6, 0x01, 0x8a, 0xa1, 0x63, 0x96, 0x59,
10976 ++ 0xc2, 0xa9, 0x68, 0x3f, 0x58, 0xd4, 0x19, 0x0c, 0x40, 0xf3, 0xde, 0x02, },
10977 ++ { 0xa3, 0x9e, 0xce, 0xda, 0x42, 0xee, 0x8c, 0x6c, 0x5a, 0x7d, 0xdc, 0x89,
10978 ++ 0x02, 0x77, 0xdd, 0xe7, 0x95, 0xbb, 0xff, 0x0d, 0xa4, 0xb5, 0x38, 0x1e,
10979 ++ 0xaf, },
10980 ++ { 0x9a, 0xf6, 0xb5, 0x9a, 0x4f, 0xa9, 0x4f, 0x2c, 0x35, 0x3c, 0x24, 0xdc,
10981 ++ 0x97, 0x6f, 0xd9, 0xa1, 0x7d, 0x1a, 0x85, 0x0b, 0xf5, 0xda, 0x2e, 0xe7,
10982 ++ 0xb1, 0x1d, },
10983 ++ { 0x84, 0x1e, 0x8e, 0x3d, 0x45, 0xa5, 0xf2, 0x27, 0xf3, 0x31, 0xfe, 0xb9,
10984 ++ 0xfb, 0xc5, 0x45, 0x99, 0x99, 0xdd, 0x93, 0x43, 0x02, 0xee, 0x58, 0xaf,
10985 ++ 0xee, 0x6a, 0xbe, },
10986 ++ { 0x07, 0x2f, 0xc0, 0xa2, 0x04, 0xc4, 0xab, 0x7c, 0x26, 0xbb, 0xa8, 0xd8,
10987 ++ 0xe3, 0x1c, 0x75, 0x15, 0x64, 0x5d, 0x02, 0x6a, 0xf0, 0x86, 0xe9, 0xcd,
10988 ++ 0x5c, 0xef, 0xa3, 0x25, },
10989 ++ { 0x2f, 0x3b, 0x1f, 0xb5, 0x91, 0x8f, 0x86, 0xe0, 0xdc, 0x31, 0x48, 0xb6,
10990 ++ 0xa1, 0x8c, 0xfd, 0x75, 0xbb, 0x7d, 0x3d, 0xc1, 0xf0, 0x10, 0x9a, 0xd8,
10991 ++ 0x4b, 0x0e, 0xe3, 0x94, 0x9f, },
10992 ++ { 0x29, 0xbb, 0x8f, 0x6c, 0xd1, 0xf2, 0xb6, 0xaf, 0xe5, 0xe3, 0x2d, 0xdc,
10993 ++ 0x6f, 0xa4, 0x53, 0x88, 0xd8, 0xcf, 0x4d, 0x45, 0x42, 0x62, 0xdb, 0xdf,
10994 ++ 0xf8, 0x45, 0xc2, 0x13, 0xec, 0x35, },
10995 ++ { 0x06, 0x3c, 0xe3, 0x2c, 0x15, 0xc6, 0x43, 0x03, 0x81, 0xfb, 0x08, 0x76,
10996 ++ 0x33, 0xcb, 0x02, 0xc1, 0xba, 0x33, 0xe5, 0xe0, 0xd1, 0x92, 0xa8, 0x46,
10997 ++ 0x28, 0x3f, 0x3e, 0x9d, 0x2c, 0x44, 0x54, },
10998 ++ { 0xea, 0xbb, 0x96, 0xf8, 0xd1, 0x8b, 0x04, 0x11, 0x40, 0x78, 0x42, 0x02,
10999 ++ 0x19, 0xd1, 0xbc, 0x65, 0x92, 0xd3, 0xc3, 0xd6, 0xd9, 0x19, 0xe7, 0xc3,
11000 ++ 0x40, 0x97, 0xbd, 0xd4, 0xed, 0xfa, 0x5e, 0x28, },
11001 ++ { 0x02, },
11002 ++ { 0x52, 0xa8, },
11003 ++ { 0x38, 0x25, 0x0d, },
11004 ++ { 0xe3, 0x04, 0xd4, 0x92, },
11005 ++ { 0x97, 0xdb, 0xf7, 0x81, 0xca, },
11006 ++ { 0x8a, 0x56, 0x9d, 0x62, 0x56, 0xcc, },
11007 ++ { 0xa1, 0x8e, 0x3c, 0x72, 0x8f, 0x63, 0x03, },
11008 ++ { 0xf7, 0xf3, 0x39, 0x09, 0x0a, 0xa1, 0xbb, 0x23, },
11009 ++ { 0x6b, 0x03, 0xc0, 0xe9, 0xd9, 0x83, 0x05, 0x22, 0x01, },
11010 ++ { 0x1b, 0x4b, 0xf5, 0xd6, 0x4f, 0x05, 0x75, 0x91, 0x4c, 0x7f, },
11011 ++ { 0x4c, 0x8c, 0x25, 0x20, 0x21, 0xcb, 0xc2, 0x4b, 0x3a, 0x5b, 0x8d, },
11012 ++ { 0x56, 0xe2, 0x77, 0xa0, 0xb6, 0x9f, 0x81, 0xec, 0x83, 0x75, 0xc4, 0xf9, },
11013 ++ { 0x71, 0x70, 0x0f, 0xad, 0x4d, 0x35, 0x81, 0x9d, 0x88, 0x69, 0xf9, 0xaa,
11014 ++ 0xd3, },
11015 ++ { 0x50, 0x6e, 0x86, 0x6e, 0x43, 0xc0, 0xc2, 0x44, 0xc2, 0xe2, 0xa0, 0x1c,
11016 ++ 0xb7, 0x9a, },
11017 ++ { 0xe4, 0x7e, 0x72, 0xc6, 0x12, 0x8e, 0x7c, 0xfc, 0xbd, 0xe2, 0x08, 0x31,
11018 ++ 0x3d, 0x47, 0x3d, },
11019 ++ { 0x08, 0x97, 0x5b, 0x80, 0xae, 0xc4, 0x1d, 0x50, 0x77, 0xdf, 0x1f, 0xd0,
11020 ++ 0x24, 0xf0, 0x17, 0xc0, },
11021 ++ { 0x01, 0xb6, 0x29, 0xf4, 0xaf, 0x78, 0x5f, 0xb6, 0x91, 0xdd, 0x76, 0x76,
11022 ++ 0xd2, 0xfd, 0x0c, 0x47, 0x40, },
11023 ++ { 0xa1, 0xd8, 0x09, 0x97, 0x7a, 0xa6, 0xc8, 0x94, 0xf6, 0x91, 0x7b, 0xae,
11024 ++ 0x2b, 0x9f, 0x0d, 0x83, 0x48, 0xf7, },
11025 ++ { 0x12, 0xd5, 0x53, 0x7d, 0x9a, 0xb0, 0xbe, 0xd9, 0xed, 0xe9, 0x9e, 0xee,
11026 ++ 0x61, 0x5b, 0x42, 0xf2, 0xc0, 0x73, 0xc0, },
11027 ++ { 0xd5, 0x77, 0xd6, 0x5c, 0x6e, 0xa5, 0x69, 0x2b, 0x3b, 0x8c, 0xd6, 0x7d,
11028 ++ 0x1d, 0xbe, 0x2c, 0xa1, 0x02, 0x21, 0xcd, 0x29, },
11029 ++ { 0xa4, 0x98, 0x80, 0xca, 0x22, 0xcf, 0x6a, 0xab, 0x5e, 0x40, 0x0d, 0x61,
11030 ++ 0x08, 0x21, 0xef, 0xc0, 0x6c, 0x52, 0xb4, 0xb0, 0x53, },
11031 ++ { 0xbf, 0xaf, 0x8f, 0x3b, 0x7a, 0x97, 0x33, 0xe5, 0xca, 0x07, 0x37, 0xfd,
11032 ++ 0x15, 0xdf, 0xce, 0x26, 0x2a, 0xb1, 0xa7, 0x0b, 0xb3, 0xac, },
11033 ++ { 0x16, 0x22, 0xe1, 0xbc, 0x99, 0x4e, 0x01, 0xf0, 0xfa, 0xff, 0x8f, 0xa5,
11034 ++ 0x0c, 0x61, 0xb0, 0xad, 0xcc, 0xb1, 0xe1, 0x21, 0x46, 0xfa, 0x2e, },
11035 ++ { 0x11, 0x5b, 0x0b, 0x2b, 0xe6, 0x14, 0xc1, 0xd5, 0x4d, 0x71, 0x5e, 0x17,
11036 ++ 0xea, 0x23, 0xdd, 0x6c, 0xbd, 0x1d, 0xbe, 0x12, 0x1b, 0xee, 0x4c, 0x1a, },
11037 ++ { 0x40, 0x88, 0x22, 0xf3, 0x20, 0x6c, 0xed, 0xe1, 0x36, 0x34, 0x62, 0x2c,
11038 ++ 0x98, 0x83, 0x52, 0xe2, 0x25, 0xee, 0xe9, 0xf5, 0xe1, 0x17, 0xf0, 0x5c,
11039 ++ 0xae, },
11040 ++ { 0xc3, 0x76, 0x37, 0xde, 0x95, 0x8c, 0xca, 0x2b, 0x0c, 0x23, 0xe7, 0xb5,
11041 ++ 0x38, 0x70, 0x61, 0xcc, 0xff, 0xd3, 0x95, 0x7b, 0xf3, 0xff, 0x1f, 0x9d,
11042 ++ 0x59, 0x00, },
11043 ++ { 0x0c, 0x19, 0x52, 0x05, 0x22, 0x53, 0xcb, 0x48, 0xd7, 0x10, 0x0e, 0x7e,
11044 ++ 0x14, 0x69, 0xb5, 0xa2, 0x92, 0x43, 0xa3, 0x9e, 0x4b, 0x8f, 0x51, 0x2c,
11045 ++ 0x5a, 0x2c, 0x3b, },
11046 ++ { 0xe1, 0x9d, 0x70, 0x70, 0x28, 0xec, 0x86, 0x40, 0x55, 0x33, 0x56, 0xda,
11047 ++ 0x88, 0xca, 0xee, 0xc8, 0x6a, 0x20, 0xb1, 0xe5, 0x3d, 0x57, 0xf8, 0x3c,
11048 ++ 0x10, 0x07, 0x2a, 0xc4, },
11049 ++ { 0x0b, 0xae, 0xf1, 0xc4, 0x79, 0xee, 0x1b, 0x3d, 0x27, 0x35, 0x8d, 0x14,
11050 ++ 0xd6, 0xae, 0x4e, 0x3c, 0xe9, 0x53, 0x50, 0xb5, 0xcc, 0x0c, 0xf7, 0xdf,
11051 ++ 0xee, 0xa1, 0x74, 0xd6, 0x71, },
11052 ++ { 0xe6, 0xa4, 0xf4, 0x99, 0x98, 0xb9, 0x80, 0xea, 0x96, 0x7f, 0x4f, 0x33,
11053 ++ 0xcf, 0x74, 0x25, 0x6f, 0x17, 0x6c, 0xbf, 0xf5, 0x5c, 0x38, 0xd0, 0xff,
11054 ++ 0x96, 0xcb, 0x13, 0xf9, 0xdf, 0xfd, },
11055 ++ { 0xbe, 0x92, 0xeb, 0xba, 0x44, 0x2c, 0x24, 0x74, 0xd4, 0x03, 0x27, 0x3c,
11056 ++ 0x5d, 0x5b, 0x03, 0x30, 0x87, 0x63, 0x69, 0xe0, 0xb8, 0x94, 0xf4, 0x44,
11057 ++ 0x7e, 0xad, 0xcd, 0x20, 0x12, 0x16, 0x79, },
11058 ++ { 0x30, 0xf1, 0xc4, 0x8e, 0x05, 0x90, 0x2a, 0x97, 0x63, 0x94, 0x46, 0xff,
11059 ++ 0xce, 0xd8, 0x67, 0xa7, 0xac, 0x33, 0x8c, 0x95, 0xb7, 0xcd, 0xa3, 0x23,
11060 ++ 0x98, 0x9d, 0x76, 0x6c, 0x9d, 0xa8, 0xd6, 0x8a, },
11061 ++ { 0xbe, },
11062 ++ { 0x17, 0x6c, },
11063 ++ { 0x1a, 0x42, 0x4f, },
11064 ++ { 0xba, 0xaf, 0xb7, 0x65, },
11065 ++ { 0xc2, 0x63, 0x43, 0x6a, 0xea, },
11066 ++ { 0xe4, 0x4d, 0xad, 0xf2, 0x0b, 0x02, },
11067 ++ { 0x04, 0xc7, 0xc4, 0x7f, 0xa9, 0x2b, 0xce, },
11068 ++ { 0x66, 0xf6, 0x67, 0xcb, 0x03, 0x53, 0xc8, 0xf1, },
11069 ++ { 0x56, 0xa3, 0x60, 0x78, 0xc9, 0x5f, 0x70, 0x1b, 0x5e, },
11070 ++ { 0x99, 0xff, 0x81, 0x7c, 0x13, 0x3c, 0x29, 0x79, 0x4b, 0x65, },
11071 ++ { 0x51, 0x10, 0x50, 0x93, 0x01, 0x93, 0xb7, 0x01, 0xc9, 0x18, 0xb7, },
11072 ++ { 0x8e, 0x3c, 0x42, 0x1e, 0x5e, 0x7d, 0xc1, 0x50, 0x70, 0x1f, 0x00, 0x98, },
11073 ++ { 0x5f, 0xd9, 0x9b, 0xc8, 0xd7, 0xb2, 0x72, 0x62, 0x1a, 0x1e, 0xba, 0x92,
11074 ++ 0xe9, },
11075 ++ { 0x70, 0x2b, 0xba, 0xfe, 0xad, 0x5d, 0x96, 0x3f, 0x27, 0xc2, 0x41, 0x6d,
11076 ++ 0xc4, 0xb3, },
11077 ++ { 0xae, 0xe0, 0xd5, 0xd4, 0xc7, 0xae, 0x15, 0x5e, 0xdc, 0xdd, 0x33, 0x60,
11078 ++ 0xd7, 0xd3, 0x5e, },
11079 ++ { 0x79, 0x8e, 0xbc, 0x9e, 0x20, 0xb9, 0x19, 0x4b, 0x63, 0x80, 0xf3, 0x16,
11080 ++ 0xaf, 0x39, 0xbd, 0x92, },
11081 ++ { 0xc2, 0x0e, 0x85, 0xa0, 0x0b, 0x9a, 0xb0, 0xec, 0xde, 0x38, 0xd3, 0x10,
11082 ++ 0xd9, 0xa7, 0x66, 0x27, 0xcf, },
11083 ++ { 0x0e, 0x3b, 0x75, 0x80, 0x67, 0x14, 0x0c, 0x02, 0x90, 0xd6, 0xb3, 0x02,
11084 ++ 0x81, 0xf6, 0xa6, 0x87, 0xce, 0x58, },
11085 ++ { 0x79, 0xb5, 0xe9, 0x5d, 0x52, 0x4d, 0xf7, 0x59, 0xf4, 0x2e, 0x27, 0xdd,
11086 ++ 0xb3, 0xed, 0x57, 0x5b, 0x82, 0xea, 0x6f, },
11087 ++ { 0xa2, 0x97, 0xf5, 0x80, 0x02, 0x3d, 0xde, 0xa3, 0xf9, 0xf6, 0xab, 0xe3,
11088 ++ 0x57, 0x63, 0x7b, 0x9b, 0x10, 0x42, 0x6f, 0xf2, },
11089 ++ { 0x12, 0x7a, 0xfc, 0xb7, 0x67, 0x06, 0x0c, 0x78, 0x1a, 0xfe, 0x88, 0x4f,
11090 ++ 0xc6, 0xac, 0x52, 0x96, 0x64, 0x28, 0x97, 0x84, 0x06, },
11091 ++ { 0xc5, 0x04, 0x44, 0x6b, 0xb2, 0xa5, 0xa4, 0x66, 0xe1, 0x76, 0xa2, 0x51,
11092 ++ 0xf9, 0x59, 0x69, 0x97, 0x56, 0x0b, 0xbf, 0x50, 0xb3, 0x34, },
11093 ++ { 0x21, 0x32, 0x6b, 0x42, 0xb5, 0xed, 0x71, 0x8d, 0xf7, 0x5a, 0x35, 0xe3,
11094 ++ 0x90, 0xe2, 0xee, 0xaa, 0x89, 0xf6, 0xc9, 0x9c, 0x4d, 0x73, 0xf4, },
11095 ++ { 0x4c, 0xa6, 0x09, 0xf4, 0x48, 0xe7, 0x46, 0xbc, 0x49, 0xfc, 0xe5, 0xda,
11096 ++ 0xd1, 0x87, 0x13, 0x17, 0x4c, 0x59, 0x71, 0x26, 0x5b, 0x2c, 0x42, 0xb7, },
11097 ++ { 0x13, 0x63, 0xf3, 0x40, 0x02, 0xe5, 0xa3, 0x3a, 0x5e, 0x8e, 0xf8, 0xb6,
11098 ++ 0x8a, 0x49, 0x60, 0x76, 0x34, 0x72, 0x94, 0x73, 0xf6, 0xd9, 0x21, 0x6a,
11099 ++ 0x26, },
11100 ++ { 0xdf, 0x75, 0x16, 0x10, 0x1b, 0x5e, 0x81, 0xc3, 0xc8, 0xde, 0x34, 0x24,
11101 ++ 0xb0, 0x98, 0xeb, 0x1b, 0x8f, 0xa1, 0x9b, 0x05, 0xee, 0xa5, 0xe9, 0x35,
11102 ++ 0xf4, 0x1d, },
11103 ++ { 0xcd, 0x21, 0x93, 0x6e, 0x5b, 0xa0, 0x26, 0x2b, 0x21, 0x0e, 0xa0, 0xb9,
11104 ++ 0x1c, 0xb5, 0xbb, 0xb8, 0xf8, 0x1e, 0xff, 0x5c, 0xa8, 0xf9, 0x39, 0x46,
11105 ++ 0x4e, 0x29, 0x26, },
11106 ++ { 0x73, 0x7f, 0x0e, 0x3b, 0x0b, 0x5c, 0xf9, 0x60, 0xaa, 0x88, 0xa1, 0x09,
11107 ++ 0xb1, 0x5d, 0x38, 0x7b, 0x86, 0x8f, 0x13, 0x7a, 0x8d, 0x72, 0x7a, 0x98,
11108 ++ 0x1a, 0x5b, 0xff, 0xc9, },
11109 ++ { 0xd3, 0x3c, 0x61, 0x71, 0x44, 0x7e, 0x31, 0x74, 0x98, 0x9d, 0x9a, 0xd2,
11110 ++ 0x27, 0xf3, 0x46, 0x43, 0x42, 0x51, 0xd0, 0x5f, 0xe9, 0x1c, 0x5c, 0x69,
11111 ++ 0xbf, 0xf6, 0xbe, 0x3c, 0x40, },
11112 ++ { 0x31, 0x99, 0x31, 0x9f, 0xaa, 0x43, 0x2e, 0x77, 0x3e, 0x74, 0x26, 0x31,
11113 ++ 0x5e, 0x61, 0xf1, 0x87, 0xe2, 0xeb, 0x9b, 0xcd, 0xd0, 0x3a, 0xee, 0x20,
11114 ++ 0x7e, 0x10, 0x0a, 0x0b, 0x7e, 0xfa, },
11115 ++ { 0xa4, 0x27, 0x80, 0x67, 0x81, 0x2a, 0xa7, 0x62, 0xf7, 0x6e, 0xda, 0xd4,
11116 ++ 0x5c, 0x39, 0x74, 0xad, 0x7e, 0xbe, 0xad, 0xa5, 0x84, 0x7f, 0xa9, 0x30,
11117 ++ 0x5d, 0xdb, 0xe2, 0x05, 0x43, 0xf7, 0x1b, },
11118 ++ { 0x0b, 0x37, 0xd8, 0x02, 0xe1, 0x83, 0xd6, 0x80, 0xf2, 0x35, 0xc2, 0xb0,
11119 ++ 0x37, 0xef, 0xef, 0x5e, 0x43, 0x93, 0xf0, 0x49, 0x45, 0x0a, 0xef, 0xb5,
11120 ++ 0x76, 0x70, 0x12, 0x44, 0xc4, 0xdb, 0xf5, 0x7a, },
11121 ++ { 0x1f, },
11122 ++ { 0x82, 0x60, },
11123 ++ { 0xcc, 0xe3, 0x08, },
11124 ++ { 0x56, 0x17, 0xe4, 0x59, },
11125 ++ { 0xe2, 0xd7, 0x9e, 0xc4, 0x4c, },
11126 ++ { 0xb2, 0xad, 0xd3, 0x78, 0x58, 0x5a, },
11127 ++ { 0xce, 0x43, 0xb4, 0x02, 0x96, 0xab, 0x3c, },
11128 ++ { 0xe6, 0x05, 0x1a, 0x73, 0x22, 0x32, 0xbb, 0x77, },
11129 ++ { 0x23, 0xe7, 0xda, 0xfe, 0x2c, 0xef, 0x8c, 0x22, 0xec, },
11130 ++ { 0xe9, 0x8e, 0x55, 0x38, 0xd1, 0xd7, 0x35, 0x23, 0x98, 0xc7, },
11131 ++ { 0xb5, 0x81, 0x1a, 0xe5, 0xb5, 0xa5, 0xd9, 0x4d, 0xca, 0x41, 0xe7, },
11132 ++ { 0x41, 0x16, 0x16, 0x95, 0x8d, 0x9e, 0x0c, 0xea, 0x8c, 0x71, 0x9a, 0xc1, },
11133 ++ { 0x7c, 0x33, 0xc0, 0xa4, 0x00, 0x62, 0xea, 0x60, 0x67, 0xe4, 0x20, 0xbc,
11134 ++ 0x5b, },
11135 ++ { 0xdb, 0xb1, 0xdc, 0xfd, 0x08, 0xc0, 0xde, 0x82, 0xd1, 0xde, 0x38, 0xc0,
11136 ++ 0x90, 0x48, },
11137 ++ { 0x37, 0x18, 0x2e, 0x0d, 0x61, 0xaa, 0x61, 0xd7, 0x86, 0x20, 0x16, 0x60,
11138 ++ 0x04, 0xd9, 0xd5, },
11139 ++ { 0xb0, 0xcf, 0x2c, 0x4c, 0x5e, 0x5b, 0x4f, 0x2a, 0x23, 0x25, 0x58, 0x47,
11140 ++ 0xe5, 0x31, 0x06, 0x70, },
11141 ++ { 0x91, 0xa0, 0xa3, 0x86, 0x4e, 0xe0, 0x72, 0x38, 0x06, 0x67, 0x59, 0x5c,
11142 ++ 0x70, 0x25, 0xdb, 0x33, 0x27, },
11143 ++ { 0x44, 0x58, 0x66, 0xb8, 0x58, 0xc7, 0x13, 0xed, 0x4c, 0xc0, 0xf4, 0x9a,
11144 ++ 0x1e, 0x67, 0x75, 0x33, 0xb6, 0xb8, },
11145 ++ { 0x7f, 0x98, 0x4a, 0x8e, 0x50, 0xa2, 0x5c, 0xcd, 0x59, 0xde, 0x72, 0xb3,
11146 ++ 0x9d, 0xc3, 0x09, 0x8a, 0xab, 0x56, 0xf1, },
11147 ++ { 0x80, 0x96, 0x49, 0x1a, 0x59, 0xa2, 0xc5, 0xd5, 0xa7, 0x20, 0x8a, 0xb7,
11148 ++ 0x27, 0x62, 0x84, 0x43, 0xc6, 0xe1, 0x1b, 0x5d, },
11149 ++ { 0x6b, 0xb7, 0x2b, 0x26, 0x62, 0x14, 0x70, 0x19, 0x3d, 0x4d, 0xac, 0xac,
11150 ++ 0x63, 0x58, 0x5e, 0x94, 0xb5, 0xb7, 0xe8, 0xe8, 0xa2, },
11151 ++ { 0x20, 0xa8, 0xc0, 0xfd, 0x63, 0x3d, 0x6e, 0x98, 0xcf, 0x0c, 0x49, 0x98,
11152 ++ 0xe4, 0x5a, 0xfe, 0x8c, 0xaa, 0x70, 0x82, 0x1c, 0x7b, 0x74, },
11153 ++ { 0xc8, 0xe8, 0xdd, 0xdf, 0x69, 0x30, 0x01, 0xc2, 0x0f, 0x7e, 0x2f, 0x11,
11154 ++ 0xcc, 0x3e, 0x17, 0xa5, 0x69, 0x40, 0x3f, 0x0e, 0x79, 0x7f, 0xcf, },
11155 ++ { 0xdb, 0x61, 0xc0, 0xe2, 0x2e, 0x49, 0x07, 0x31, 0x1d, 0x91, 0x42, 0x8a,
11156 ++ 0xfc, 0x5e, 0xd3, 0xf8, 0x56, 0x1f, 0x2b, 0x73, 0xfd, 0x9f, 0xb2, 0x8e, },
11157 ++ { 0x0c, 0x89, 0x55, 0x0c, 0x1f, 0x59, 0x2c, 0x9d, 0x1b, 0x29, 0x1d, 0x41,
11158 ++ 0x1d, 0xe6, 0x47, 0x8f, 0x8c, 0x2b, 0xea, 0x8f, 0xf0, 0xff, 0x21, 0x70,
11159 ++ 0x88, },
11160 ++ { 0x12, 0x18, 0x95, 0xa6, 0x59, 0xb1, 0x31, 0x24, 0x45, 0x67, 0x55, 0xa4,
11161 ++ 0x1a, 0x2d, 0x48, 0x67, 0x1b, 0x43, 0x88, 0x2d, 0x8e, 0xa0, 0x70, 0xb3,
11162 ++ 0xc6, 0xbb, },
11163 ++ { 0xe7, 0xb1, 0x1d, 0xb2, 0x76, 0x4d, 0x68, 0x68, 0x68, 0x23, 0x02, 0x55,
11164 ++ 0x3a, 0xe2, 0xe5, 0xd5, 0x4b, 0x43, 0xf9, 0x34, 0x77, 0x5c, 0xa1, 0xf5,
11165 ++ 0x55, 0xfd, 0x4f, },
11166 ++ { 0x8c, 0x87, 0x5a, 0x08, 0x3a, 0x73, 0xad, 0x61, 0xe1, 0xe7, 0x99, 0x7e,
11167 ++ 0xf0, 0x5d, 0xe9, 0x5d, 0x16, 0x43, 0x80, 0x2f, 0xd0, 0x66, 0x34, 0xe2,
11168 ++ 0x42, 0x64, 0x3b, 0x1a, },
11169 ++ { 0x39, 0xc1, 0x99, 0xcf, 0x22, 0xbf, 0x16, 0x8f, 0x9f, 0x80, 0x7f, 0x95,
11170 ++ 0x0a, 0x05, 0x67, 0x27, 0xe7, 0x15, 0xdf, 0x9d, 0xb2, 0xfe, 0x1c, 0xb5,
11171 ++ 0x1d, 0x60, 0x8f, 0x8a, 0x1d, },
11172 ++ { 0x9b, 0x6e, 0x08, 0x09, 0x06, 0x73, 0xab, 0x68, 0x02, 0x62, 0x1a, 0xe4,
11173 ++ 0xd4, 0xdf, 0xc7, 0x02, 0x4c, 0x6a, 0x5f, 0xfd, 0x23, 0xac, 0xae, 0x6d,
11174 ++ 0x43, 0xa4, 0x7a, 0x50, 0x60, 0x3c, },
11175 ++ { 0x1d, 0xb4, 0xc6, 0xe1, 0xb1, 0x4b, 0xe3, 0xf2, 0xe2, 0x1a, 0x73, 0x1b,
11176 ++ 0xa0, 0x92, 0xa7, 0xf5, 0xff, 0x8f, 0x8b, 0x5d, 0xdf, 0xa8, 0x04, 0xb3,
11177 ++ 0xb0, 0xf7, 0xcc, 0x12, 0xfa, 0x35, 0x46, },
11178 ++ { 0x49, 0x45, 0x97, 0x11, 0x0f, 0x1c, 0x60, 0x8e, 0xe8, 0x47, 0x30, 0xcf,
11179 ++ 0x60, 0xa8, 0x71, 0xc5, 0x1b, 0xe9, 0x39, 0x4d, 0x49, 0xb6, 0x12, 0x1f,
11180 ++ 0x24, 0xab, 0x37, 0xff, 0x83, 0xc2, 0xe1, 0x3a, },
11181 ++ { 0x60, },
11182 ++ { 0x24, 0x26, },
11183 ++ { 0x47, 0xeb, 0xc9, },
11184 ++ { 0x4a, 0xd0, 0xbc, 0xf0, },
11185 ++ { 0x8e, 0x2b, 0xc9, 0x85, 0x3c, },
11186 ++ { 0xa2, 0x07, 0x15, 0xb8, 0x12, 0x74, },
11187 ++ { 0x0f, 0xdb, 0x5b, 0x33, 0x69, 0xfe, 0x4b, },
11188 ++ { 0xa2, 0x86, 0x54, 0xf4, 0xfd, 0xb2, 0xd4, 0xe6, },
11189 ++ { 0xbb, 0x84, 0x78, 0x49, 0x27, 0x8e, 0x61, 0xda, 0x60, },
11190 ++ { 0x04, 0xc3, 0xcd, 0xaa, 0x8f, 0xa7, 0x03, 0xc9, 0xf9, 0xb6, },
11191 ++ { 0xf8, 0x27, 0x1d, 0x61, 0xdc, 0x21, 0x42, 0xdd, 0xad, 0x92, 0x40, },
11192 ++ { 0x12, 0x87, 0xdf, 0xc2, 0x41, 0x45, 0x5a, 0x36, 0x48, 0x5b, 0x51, 0x2b, },
11193 ++ { 0xbb, 0x37, 0x5d, 0x1f, 0xf1, 0x68, 0x7a, 0xc4, 0xa5, 0xd2, 0xa4, 0x91,
11194 ++ 0x8d, },
11195 ++ { 0x5b, 0x27, 0xd1, 0x04, 0x54, 0x52, 0x9f, 0xa3, 0x47, 0x86, 0x33, 0x33,
11196 ++ 0xbf, 0xa0, },
11197 ++ { 0xcf, 0x04, 0xea, 0xf8, 0x03, 0x2a, 0x43, 0xff, 0xa6, 0x68, 0x21, 0x4c,
11198 ++ 0xd5, 0x4b, 0xed, },
11199 ++ { 0xaf, 0xb8, 0xbc, 0x63, 0x0f, 0x18, 0x4d, 0xe2, 0x7a, 0xdd, 0x46, 0x44,
11200 ++ 0xc8, 0x24, 0x0a, 0xb7, },
11201 ++ { 0x3e, 0xdc, 0x36, 0xe4, 0x89, 0xb1, 0xfa, 0xc6, 0x40, 0x93, 0x2e, 0x75,
11202 ++ 0xb2, 0x15, 0xd1, 0xb1, 0x10, },
11203 ++ { 0x6c, 0xd8, 0x20, 0x3b, 0x82, 0x79, 0xf9, 0xc8, 0xbc, 0x9d, 0xe0, 0x35,
11204 ++ 0xbe, 0x1b, 0x49, 0x1a, 0xbc, 0x3a, },
11205 ++ { 0x78, 0x65, 0x2c, 0xbe, 0x35, 0x67, 0xdc, 0x78, 0xd4, 0x41, 0xf6, 0xc9,
11206 ++ 0xde, 0xde, 0x1f, 0x18, 0x13, 0x31, 0x11, },
11207 ++ { 0x8a, 0x7f, 0xb1, 0x33, 0x8f, 0x0c, 0x3c, 0x0a, 0x06, 0x61, 0xf0, 0x47,
11208 ++ 0x29, 0x1b, 0x29, 0xbc, 0x1c, 0x47, 0xef, 0x7a, },
11209 ++ { 0x65, 0x91, 0xf1, 0xe6, 0xb3, 0x96, 0xd3, 0x8c, 0xc2, 0x4a, 0x59, 0x35,
11210 ++ 0x72, 0x8e, 0x0b, 0x9a, 0x87, 0xca, 0x34, 0x7b, 0x63, },
11211 ++ { 0x5f, 0x08, 0x87, 0x80, 0x56, 0x25, 0x89, 0x77, 0x61, 0x8c, 0x64, 0xa1,
11212 ++ 0x59, 0x6d, 0x59, 0x62, 0xe8, 0x4a, 0xc8, 0x58, 0x99, 0xd1, },
11213 ++ { 0x23, 0x87, 0x1d, 0xed, 0x6f, 0xf2, 0x91, 0x90, 0xe2, 0xfe, 0x43, 0x21,
11214 ++ 0xaf, 0x97, 0xc6, 0xbc, 0xd7, 0x15, 0xc7, 0x2d, 0x08, 0x77, 0x91, },
11215 ++ { 0x90, 0x47, 0x9a, 0x9e, 0x3a, 0xdf, 0xf3, 0xc9, 0x4c, 0x1e, 0xa7, 0xd4,
11216 ++ 0x6a, 0x32, 0x90, 0xfe, 0xb7, 0xb6, 0x7b, 0xfa, 0x96, 0x61, 0xfb, 0xa4, },
11217 ++ { 0xb1, 0x67, 0x60, 0x45, 0xb0, 0x96, 0xc5, 0x15, 0x9f, 0x4d, 0x26, 0xd7,
11218 ++ 0x9d, 0xf1, 0xf5, 0x6d, 0x21, 0x00, 0x94, 0x31, 0x64, 0x94, 0xd3, 0xa7,
11219 ++ 0xd3, },
11220 ++ { 0x02, 0x3e, 0xaf, 0xf3, 0x79, 0x73, 0xa5, 0xf5, 0xcc, 0x7a, 0x7f, 0xfb,
11221 ++ 0x79, 0x2b, 0x85, 0x8c, 0x88, 0x72, 0x06, 0xbe, 0xfe, 0xaf, 0xc1, 0x16,
11222 ++ 0xa6, 0xd6, },
11223 ++ { 0x2a, 0xb0, 0x1a, 0xe5, 0xaa, 0x6e, 0xb3, 0xae, 0x53, 0x85, 0x33, 0x80,
11224 ++ 0x75, 0xae, 0x30, 0xe6, 0xb8, 0x72, 0x42, 0xf6, 0x25, 0x4f, 0x38, 0x88,
11225 ++ 0x55, 0xd1, 0xa9, },
11226 ++ { 0x90, 0xd8, 0x0c, 0xc0, 0x93, 0x4b, 0x4f, 0x9e, 0x65, 0x6c, 0xa1, 0x54,
11227 ++ 0xa6, 0xf6, 0x6e, 0xca, 0xd2, 0xbb, 0x7e, 0x6a, 0x1c, 0xd3, 0xce, 0x46,
11228 ++ 0xef, 0xb0, 0x00, 0x8d, },
11229 ++ { 0xed, 0x9c, 0x49, 0xcd, 0xc2, 0xde, 0x38, 0x0e, 0xe9, 0x98, 0x6c, 0xc8,
11230 ++ 0x90, 0x9e, 0x3c, 0xd4, 0xd3, 0xeb, 0x88, 0x32, 0xc7, 0x28, 0xe3, 0x94,
11231 ++ 0x1c, 0x9f, 0x8b, 0xf3, 0xcb, },
11232 ++ { 0xac, 0xe7, 0x92, 0x16, 0xb4, 0x14, 0xa0, 0xe4, 0x04, 0x79, 0xa2, 0xf4,
11233 ++ 0x31, 0xe6, 0x0c, 0x26, 0xdc, 0xbf, 0x2f, 0x69, 0x1b, 0x55, 0x94, 0x67,
11234 ++ 0xda, 0x0c, 0xd7, 0x32, 0x1f, 0xef, },
11235 ++ { 0x68, 0x63, 0x85, 0x57, 0x95, 0x9e, 0x42, 0x27, 0x41, 0x43, 0x42, 0x02,
11236 ++ 0xa5, 0x78, 0xa7, 0xc6, 0x43, 0xc1, 0x6a, 0xba, 0x70, 0x80, 0xcd, 0x04,
11237 ++ 0xb6, 0x78, 0x76, 0x29, 0xf3, 0xe8, 0xa0, },
11238 ++ { 0xe6, 0xac, 0x8d, 0x9d, 0xf0, 0xc0, 0xf7, 0xf7, 0xe3, 0x3e, 0x4e, 0x28,
11239 ++ 0x0f, 0x59, 0xb2, 0x67, 0x9e, 0x84, 0x34, 0x42, 0x96, 0x30, 0x2b, 0xca,
11240 ++ 0x49, 0xb6, 0xc5, 0x9a, 0x84, 0x59, 0xa7, 0x81, },
11241 ++ { 0x7e, },
11242 ++ { 0x1e, 0x21, },
11243 ++ { 0x26, 0xd3, 0xdd, },
11244 ++ { 0x2c, 0xd4, 0xb3, 0x3d, },
11245 ++ { 0x86, 0x7b, 0x76, 0x3c, 0xf0, },
11246 ++ { 0x12, 0xc3, 0x70, 0x1d, 0x55, 0x18, },
11247 ++ { 0x96, 0xc2, 0xbd, 0x61, 0x55, 0xf4, 0x24, },
11248 ++ { 0x20, 0x51, 0xf7, 0x86, 0x58, 0x8f, 0x07, 0x2a, },
11249 ++ { 0x93, 0x15, 0xa8, 0x1d, 0xda, 0x97, 0xee, 0x0e, 0x6c, },
11250 ++ { 0x39, 0x93, 0xdf, 0xd5, 0x0e, 0xca, 0xdc, 0x7a, 0x92, 0xce, },
11251 ++ { 0x60, 0xd5, 0xfd, 0xf5, 0x1b, 0x26, 0x82, 0x26, 0x73, 0x02, 0xbc, },
11252 ++ { 0x98, 0xf2, 0x34, 0xe1, 0xf5, 0xfb, 0x00, 0xac, 0x10, 0x4a, 0x38, 0x9f, },
11253 ++ { 0xda, 0x3a, 0x92, 0x8a, 0xd0, 0xcd, 0x12, 0xcd, 0x15, 0xbb, 0xab, 0x77,
11254 ++ 0x66, },
11255 ++ { 0xa2, 0x92, 0x1a, 0xe5, 0xca, 0x0c, 0x30, 0x75, 0xeb, 0xaf, 0x00, 0x31,
11256 ++ 0x55, 0x66, },
11257 ++ { 0x06, 0xea, 0xfd, 0x3e, 0x86, 0x38, 0x62, 0x4e, 0xa9, 0x12, 0xa4, 0x12,
11258 ++ 0x43, 0xbf, 0xa1, },
11259 ++ { 0xe4, 0x71, 0x7b, 0x94, 0xdb, 0xa0, 0xd2, 0xff, 0x9b, 0xeb, 0xad, 0x8e,
11260 ++ 0x95, 0x8a, 0xc5, 0xed, },
11261 ++ { 0x25, 0x5a, 0x77, 0x71, 0x41, 0x0e, 0x7a, 0xe9, 0xed, 0x0c, 0x10, 0xef,
11262 ++ 0xf6, 0x2b, 0x3a, 0xba, 0x60, },
11263 ++ { 0xee, 0xe2, 0xa3, 0x67, 0x64, 0x1d, 0xc6, 0x04, 0xc4, 0xe1, 0x68, 0xd2,
11264 ++ 0x6e, 0xd2, 0x91, 0x75, 0x53, 0x07, },
11265 ++ { 0xe0, 0xf6, 0x4d, 0x8f, 0x68, 0xfc, 0x06, 0x7e, 0x18, 0x79, 0x7f, 0x2b,
11266 ++ 0x6d, 0xef, 0x46, 0x7f, 0xab, 0xb2, 0xad, },
11267 ++ { 0x3d, 0x35, 0x88, 0x9f, 0x2e, 0xcf, 0x96, 0x45, 0x07, 0x60, 0x71, 0x94,
11268 ++ 0x00, 0x8d, 0xbf, 0xf4, 0xef, 0x46, 0x2e, 0x3c, },
11269 ++ { 0x43, 0xcf, 0x98, 0xf7, 0x2d, 0xf4, 0x17, 0xe7, 0x8c, 0x05, 0x2d, 0x9b,
11270 ++ 0x24, 0xfb, 0x4d, 0xea, 0x4a, 0xec, 0x01, 0x25, 0x29, },
11271 ++ { 0x8e, 0x73, 0x9a, 0x78, 0x11, 0xfe, 0x48, 0xa0, 0x3b, 0x1a, 0x26, 0xdf,
11272 ++ 0x25, 0xe9, 0x59, 0x1c, 0x70, 0x07, 0x9f, 0xdc, 0xa0, 0xa6, },
11273 ++ { 0xe8, 0x47, 0x71, 0xc7, 0x3e, 0xdf, 0xb5, 0x13, 0xb9, 0x85, 0x13, 0xa8,
11274 ++ 0x54, 0x47, 0x6e, 0x59, 0x96, 0x09, 0x13, 0x5f, 0x82, 0x16, 0x0b, },
11275 ++ { 0xfb, 0xc0, 0x8c, 0x03, 0x21, 0xb3, 0xc4, 0xb5, 0x43, 0x32, 0x6c, 0xea,
11276 ++ 0x7f, 0xa8, 0x43, 0x91, 0xe8, 0x4e, 0x3f, 0xbf, 0x45, 0x58, 0x6a, 0xa3, },
11277 ++ { 0x55, 0xf8, 0xf3, 0x00, 0x76, 0x09, 0xef, 0x69, 0x5d, 0xd2, 0x8a, 0xf2,
11278 ++ 0x65, 0xc3, 0xcb, 0x9b, 0x43, 0xfd, 0xb1, 0x7e, 0x7f, 0xa1, 0x94, 0xb0,
11279 ++ 0xd7, },
11280 ++ { 0xaa, 0x13, 0xc1, 0x51, 0x40, 0x6d, 0x8d, 0x4c, 0x0a, 0x95, 0x64, 0x7b,
11281 ++ 0xd1, 0x96, 0xb6, 0x56, 0xb4, 0x5b, 0xcf, 0xd6, 0xd9, 0x15, 0x97, 0xdd,
11282 ++ 0xb6, 0xef, },
11283 ++ { 0xaf, 0xb7, 0x36, 0xb0, 0x04, 0xdb, 0xd7, 0x9c, 0x9a, 0x44, 0xc4, 0xf6,
11284 ++ 0x1f, 0x12, 0x21, 0x2d, 0x59, 0x30, 0x54, 0xab, 0x27, 0x61, 0xa3, 0x57,
11285 ++ 0xef, 0xf8, 0x53, },
11286 ++ { 0x97, 0x34, 0x45, 0x3e, 0xce, 0x7c, 0x35, 0xa2, 0xda, 0x9f, 0x4b, 0x46,
11287 ++ 0x6c, 0x11, 0x67, 0xff, 0x2f, 0x76, 0x58, 0x15, 0x71, 0xfa, 0x44, 0x89,
11288 ++ 0x89, 0xfd, 0xf7, 0x99, },
11289 ++ { 0x1f, 0xb1, 0x62, 0xeb, 0x83, 0xc5, 0x9c, 0x89, 0xf9, 0x2c, 0xd2, 0x03,
11290 ++ 0x61, 0xbc, 0xbb, 0xa5, 0x74, 0x0e, 0x9b, 0x7e, 0x82, 0x3e, 0x70, 0x0a,
11291 ++ 0xa9, 0x8f, 0x2b, 0x59, 0xfb, },
11292 ++ { 0xf8, 0xca, 0x5e, 0x3a, 0x4f, 0x9e, 0x10, 0x69, 0x10, 0xd5, 0x4c, 0xeb,
11293 ++ 0x1a, 0x0f, 0x3c, 0x6a, 0x98, 0xf5, 0xb0, 0x97, 0x5b, 0x37, 0x2f, 0x0d,
11294 ++ 0xbd, 0x42, 0x4b, 0x69, 0xa1, 0x82, },
11295 ++ { 0x12, 0x8c, 0x6d, 0x52, 0x08, 0xef, 0x74, 0xb2, 0xe6, 0xaa, 0xd3, 0xb0,
11296 ++ 0x26, 0xb0, 0xd9, 0x94, 0xb6, 0x11, 0x45, 0x0e, 0x36, 0x71, 0x14, 0x2d,
11297 ++ 0x41, 0x8c, 0x21, 0x53, 0x31, 0xe9, 0x68, },
11298 ++ { 0xee, 0xea, 0x0d, 0x89, 0x47, 0x7e, 0x72, 0xd1, 0xd8, 0xce, 0x58, 0x4c,
11299 ++ 0x94, 0x1f, 0x0d, 0x51, 0x08, 0xa3, 0xb6, 0x3d, 0xe7, 0x82, 0x46, 0x92,
11300 ++ 0xd6, 0x98, 0x6b, 0x07, 0x10, 0x65, 0x52, 0x65, },
11301 ++};
11302 ++
11303 ++static const u8 blake2s_hmac_testvecs[][BLAKE2S_HASH_SIZE] __initconst = {
11304 ++ { 0xce, 0xe1, 0x57, 0x69, 0x82, 0xdc, 0xbf, 0x43, 0xad, 0x56, 0x4c, 0x70,
11305 ++ 0xed, 0x68, 0x16, 0x96, 0xcf, 0xa4, 0x73, 0xe8, 0xe8, 0xfc, 0x32, 0x79,
11306 ++ 0x08, 0x0a, 0x75, 0x82, 0xda, 0x3f, 0x05, 0x11, },
11307 ++ { 0x77, 0x2f, 0x0c, 0x71, 0x41, 0xf4, 0x4b, 0x2b, 0xb3, 0xc6, 0xb6, 0xf9,
11308 ++ 0x60, 0xde, 0xe4, 0x52, 0x38, 0x66, 0xe8, 0xbf, 0x9b, 0x96, 0xc4, 0x9f,
11309 ++ 0x60, 0xd9, 0x24, 0x37, 0x99, 0xd6, 0xec, 0x31, },
11310 ++};
11311 ++
11312 ++bool __init blake2s_selftest(void)
11313 ++{
11314 ++ u8 key[BLAKE2S_KEY_SIZE];
11315 ++ u8 buf[ARRAY_SIZE(blake2s_testvecs)];
11316 ++ u8 hash[BLAKE2S_HASH_SIZE];
11317 ++ struct blake2s_state state;
11318 ++ bool success = true;
11319 ++ int i, l;
11320 ++
11321 ++ key[0] = key[1] = 1;
11322 ++ for (i = 2; i < sizeof(key); ++i)
11323 ++ key[i] = key[i - 2] + key[i - 1];
11324 ++
11325 ++ for (i = 0; i < sizeof(buf); ++i)
11326 ++ buf[i] = (u8)i;
11327 ++
11328 ++ for (i = l = 0; i < ARRAY_SIZE(blake2s_testvecs); l = (l + 37) % ++i) {
11329 ++ int outlen = 1 + i % BLAKE2S_HASH_SIZE;
11330 ++ int keylen = (13 * i) % (BLAKE2S_KEY_SIZE + 1);
11331 ++
11332 ++ blake2s(hash, buf, key + BLAKE2S_KEY_SIZE - keylen, outlen, i,
11333 ++ keylen);
11334 ++ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
11335 ++ pr_err("blake2s self-test %d: FAIL\n", i + 1);
11336 ++ success = false;
11337 ++ }
11338 ++
11339 ++ if (!keylen)
11340 ++ blake2s_init(&state, outlen);
11341 ++ else
11342 ++ blake2s_init_key(&state, outlen,
11343 ++ key + BLAKE2S_KEY_SIZE - keylen,
11344 ++ keylen);
11345 ++
11346 ++ blake2s_update(&state, buf, l);
11347 ++ blake2s_update(&state, buf + l, i - l);
11348 ++ blake2s_final(&state, hash);
11349 ++ if (memcmp(hash, blake2s_testvecs[i], outlen)) {
11350 ++ pr_err("blake2s init/update/final self-test %d: FAIL\n",
11351 ++ i + 1);
11352 ++ success = false;
11353 ++ }
11354 ++ }
11355 ++
11356 ++ if (success) {
11357 ++ blake2s256_hmac(hash, buf, key, sizeof(buf), sizeof(key));
11358 ++ success &= !memcmp(hash, blake2s_hmac_testvecs[0], BLAKE2S_HASH_SIZE);
11359 ++
11360 ++ blake2s256_hmac(hash, key, buf, sizeof(key), sizeof(buf));
11361 ++ success &= !memcmp(hash, blake2s_hmac_testvecs[1], BLAKE2S_HASH_SIZE);
11362 ++
11363 ++ if (!success)
11364 ++ pr_err("blake2s256_hmac self-test: FAIL\n");
11365 ++ }
11366 ++
11367 ++ return success;
11368 ++}
11369 +--- /dev/null
11370 ++++ b/lib/crypto/blake2s.c
11371 +@@ -0,0 +1,126 @@
11372 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
11373 ++/*
11374 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
11375 ++ *
11376 ++ * This is an implementation of the BLAKE2s hash and PRF functions.
11377 ++ *
11378 ++ * Information: https://blake2.net/
11379 ++ *
11380 ++ */
11381 ++
11382 ++#include <crypto/internal/blake2s.h>
11383 ++#include <linux/types.h>
11384 ++#include <linux/string.h>
11385 ++#include <linux/kernel.h>
11386 ++#include <linux/module.h>
11387 ++#include <linux/init.h>
11388 ++#include <linux/bug.h>
11389 ++#include <asm/unaligned.h>
11390 ++
11391 ++bool blake2s_selftest(void);
11392 ++
11393 ++void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
11394 ++{
11395 ++ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
11396 ++
11397 ++ if (unlikely(!inlen))
11398 ++ return;
11399 ++ if (inlen > fill) {
11400 ++ memcpy(state->buf + state->buflen, in, fill);
11401 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
11402 ++ blake2s_compress_arch(state, state->buf, 1,
11403 ++ BLAKE2S_BLOCK_SIZE);
11404 ++ else
11405 ++ blake2s_compress_generic(state, state->buf, 1,
11406 ++ BLAKE2S_BLOCK_SIZE);
11407 ++ state->buflen = 0;
11408 ++ in += fill;
11409 ++ inlen -= fill;
11410 ++ }
11411 ++ if (inlen > BLAKE2S_BLOCK_SIZE) {
11412 ++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
11413 ++ /* Hash one less (full) block than strictly possible */
11414 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
11415 ++ blake2s_compress_arch(state, in, nblocks - 1,
11416 ++ BLAKE2S_BLOCK_SIZE);
11417 ++ else
11418 ++ blake2s_compress_generic(state, in, nblocks - 1,
11419 ++ BLAKE2S_BLOCK_SIZE);
11420 ++ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
11421 ++ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
11422 ++ }
11423 ++ memcpy(state->buf + state->buflen, in, inlen);
11424 ++ state->buflen += inlen;
11425 ++}
11426 ++EXPORT_SYMBOL(blake2s_update);
11427 ++
11428 ++void blake2s_final(struct blake2s_state *state, u8 *out)
11429 ++{
11430 ++ WARN_ON(IS_ENABLED(DEBUG) && !out);
11431 ++ blake2s_set_lastblock(state);
11432 ++ memset(state->buf + state->buflen, 0,
11433 ++ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
11434 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
11435 ++ blake2s_compress_arch(state, state->buf, 1, state->buflen);
11436 ++ else
11437 ++ blake2s_compress_generic(state, state->buf, 1, state->buflen);
11438 ++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
11439 ++ memcpy(out, state->h, state->outlen);
11440 ++ memzero_explicit(state, sizeof(*state));
11441 ++}
11442 ++EXPORT_SYMBOL(blake2s_final);
11443 ++
11444 ++void blake2s256_hmac(u8 *out, const u8 *in, const u8 *key, const size_t inlen,
11445 ++ const size_t keylen)
11446 ++{
11447 ++ struct blake2s_state state;
11448 ++ u8 x_key[BLAKE2S_BLOCK_SIZE] __aligned(__alignof__(u32)) = { 0 };
11449 ++ u8 i_hash[BLAKE2S_HASH_SIZE] __aligned(__alignof__(u32));
11450 ++ int i;
11451 ++
11452 ++ if (keylen > BLAKE2S_BLOCK_SIZE) {
11453 ++ blake2s_init(&state, BLAKE2S_HASH_SIZE);
11454 ++ blake2s_update(&state, key, keylen);
11455 ++ blake2s_final(&state, x_key);
11456 ++ } else
11457 ++ memcpy(x_key, key, keylen);
11458 ++
11459 ++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
11460 ++ x_key[i] ^= 0x36;
11461 ++
11462 ++ blake2s_init(&state, BLAKE2S_HASH_SIZE);
11463 ++ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
11464 ++ blake2s_update(&state, in, inlen);
11465 ++ blake2s_final(&state, i_hash);
11466 ++
11467 ++ for (i = 0; i < BLAKE2S_BLOCK_SIZE; ++i)
11468 ++ x_key[i] ^= 0x5c ^ 0x36;
11469 ++
11470 ++ blake2s_init(&state, BLAKE2S_HASH_SIZE);
11471 ++ blake2s_update(&state, x_key, BLAKE2S_BLOCK_SIZE);
11472 ++ blake2s_update(&state, i_hash, BLAKE2S_HASH_SIZE);
11473 ++ blake2s_final(&state, i_hash);
11474 ++
11475 ++ memcpy(out, i_hash, BLAKE2S_HASH_SIZE);
11476 ++ memzero_explicit(x_key, BLAKE2S_BLOCK_SIZE);
11477 ++ memzero_explicit(i_hash, BLAKE2S_HASH_SIZE);
11478 ++}
11479 ++EXPORT_SYMBOL(blake2s256_hmac);
11480 ++
11481 ++static int __init mod_init(void)
11482 ++{
11483 ++ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
11484 ++ WARN_ON(!blake2s_selftest()))
11485 ++ return -ENODEV;
11486 ++ return 0;
11487 ++}
11488 ++
11489 ++static void __exit mod_exit(void)
11490 ++{
11491 ++}
11492 ++
11493 ++module_init(mod_init);
11494 ++module_exit(mod_exit);
11495 ++MODULE_LICENSE("GPL v2");
11496 ++MODULE_DESCRIPTION("BLAKE2s hash function");
11497 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
11498 +--- b/crypto/testmgr.c
11499 ++++ b/crypto/testmgr.c
11500 +@@ -4036,4 +4036,28 @@
11501 + .fips_allowed = 1,
11502 + }, {
11503 ++ .alg = "blake2s-128",
11504 ++ .test = alg_test_hash,
11505 ++ .suite = {
11506 ++ .hash = __VECS(blakes2s_128_tv_template)
11507 ++ }
11508 ++ }, {
11509 ++ .alg = "blake2s-160",
11510 ++ .test = alg_test_hash,
11511 ++ .suite = {
11512 ++ .hash = __VECS(blakes2s_160_tv_template)
11513 ++ }
11514 ++ }, {
11515 ++ .alg = "blake2s-224",
11516 ++ .test = alg_test_hash,
11517 ++ .suite = {
11518 ++ .hash = __VECS(blakes2s_224_tv_template)
11519 ++ }
11520 ++ }, {
11521 ++ .alg = "blake2s-256",
11522 ++ .test = alg_test_hash,
11523 ++ .suite = {
11524 ++ .hash = __VECS(blakes2s_256_tv_template)
11525 ++ }
11526 ++ }, {
11527 + .alg = "cbc(aes)",
11528 + .test = alg_test_skcipher,
11529 +@@ -4273,4 +4297,10 @@
11530 + .fips_allowed = 1,
11531 + }, {
11532 ++ .alg = "curve25519",
11533 ++ .test = alg_test_kpp,
11534 ++ .suite = {
11535 ++ .kpp = __VECS(curve25519_tv_template)
11536 ++ }
11537 ++ }, {
11538 + .alg = "deflate",
11539 + .test = alg_test_comp,
11540 +--- b/crypto/testmgr.h
11541 ++++ b/crypto/testmgr.h
11542 +@@ -1030,6 +1030,1231 @@
11543 + }
11544 + };
11545 +
11546 ++static const struct kpp_testvec curve25519_tv_template[] = {
11547 ++{
11548 ++ .secret = (u8[32]){ 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d,
11549 ++ 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45,
11550 ++ 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a,
11551 ++ 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a },
11552 ++ .b_public = (u8[32]){ 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4,
11553 ++ 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37,
11554 ++ 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d,
11555 ++ 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f },
11556 ++ .expected_ss = (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
11557 ++ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
11558 ++ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
11559 ++ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
11560 ++ .secret_size = 32,
11561 ++ .b_public_size = 32,
11562 ++ .expected_ss_size = 32,
11563 ++
11564 ++},
11565 ++{
11566 ++ .secret = (u8[32]){ 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b,
11567 ++ 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6,
11568 ++ 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd,
11569 ++ 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb },
11570 ++ .b_public = (u8[32]){ 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
11571 ++ 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
11572 ++ 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
11573 ++ 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a },
11574 ++ .expected_ss = (u8[32]){ 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
11575 ++ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
11576 ++ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
11577 ++ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
11578 ++ .secret_size = 32,
11579 ++ .b_public_size = 32,
11580 ++ .expected_ss_size = 32,
11581 ++
11582 ++},
11583 ++{
11584 ++ .secret = (u8[32]){ 1 },
11585 ++ .b_public = (u8[32]){ 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11586 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11587 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11588 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11589 ++ .expected_ss = (u8[32]){ 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64,
11590 ++ 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d,
11591 ++ 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98,
11592 ++ 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f },
11593 ++ .secret_size = 32,
11594 ++ .b_public_size = 32,
11595 ++ .expected_ss_size = 32,
11596 ++
11597 ++},
11598 ++{
11599 ++ .secret = (u8[32]){ 1 },
11600 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11601 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11602 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11603 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
11604 ++ .expected_ss = (u8[32]){ 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f,
11605 ++ 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d,
11606 ++ 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3,
11607 ++ 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 },
11608 ++ .secret_size = 32,
11609 ++ .b_public_size = 32,
11610 ++ .expected_ss_size = 32,
11611 ++
11612 ++},
11613 ++{
11614 ++ .secret = (u8[32]){ 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
11615 ++ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
11616 ++ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
11617 ++ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 },
11618 ++ .b_public = (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
11619 ++ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
11620 ++ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
11621 ++ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
11622 ++ .expected_ss = (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
11623 ++ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
11624 ++ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
11625 ++ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
11626 ++ .secret_size = 32,
11627 ++ .b_public_size = 32,
11628 ++ .expected_ss_size = 32,
11629 ++
11630 ++},
11631 ++{
11632 ++ .secret = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff,
11633 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11634 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11635 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
11636 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11637 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11638 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11639 ++ 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f },
11640 ++ .expected_ss = (u8[32]){ 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2,
11641 ++ 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57,
11642 ++ 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05,
11643 ++ 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 },
11644 ++ .secret_size = 32,
11645 ++ .b_public_size = 32,
11646 ++ .expected_ss_size = 32,
11647 ++
11648 ++},
11649 ++{
11650 ++ .secret = (u8[32]){ 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11651 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11652 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11653 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11654 ++ .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11655 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11656 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11657 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 },
11658 ++ .expected_ss = (u8[32]){ 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d,
11659 ++ 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12,
11660 ++ 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99,
11661 ++ 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c },
11662 ++ .secret_size = 32,
11663 ++ .b_public_size = 32,
11664 ++ .expected_ss_size = 32,
11665 ++
11666 ++},
11667 ++/* wycheproof - normal case */
11668 ++{
11669 ++ .secret = (u8[32]){ 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda,
11670 ++ 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66,
11671 ++ 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3,
11672 ++ 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba },
11673 ++ .b_public = (u8[32]){ 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5,
11674 ++ 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9,
11675 ++ 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e,
11676 ++ 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a },
11677 ++ .expected_ss = (u8[32]){ 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5,
11678 ++ 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38,
11679 ++ 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e,
11680 ++ 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 },
11681 ++ .secret_size = 32,
11682 ++ .b_public_size = 32,
11683 ++ .expected_ss_size = 32,
11684 ++
11685 ++},
11686 ++/* wycheproof - public key on twist */
11687 ++{
11688 ++ .secret = (u8[32]){ 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4,
11689 ++ 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5,
11690 ++ 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49,
11691 ++ 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 },
11692 ++ .b_public = (u8[32]){ 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5,
11693 ++ 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8,
11694 ++ 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3,
11695 ++ 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 },
11696 ++ .expected_ss = (u8[32]){ 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff,
11697 ++ 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d,
11698 ++ 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe,
11699 ++ 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 },
11700 ++ .secret_size = 32,
11701 ++ .b_public_size = 32,
11702 ++ .expected_ss_size = 32,
11703 ++
11704 ++},
11705 ++/* wycheproof - public key on twist */
11706 ++{
11707 ++ .secret = (u8[32]){ 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9,
11708 ++ 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39,
11709 ++ 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5,
11710 ++ 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 },
11711 ++ .b_public = (u8[32]){ 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f,
11712 ++ 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b,
11713 ++ 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c,
11714 ++ 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 },
11715 ++ .expected_ss = (u8[32]){ 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53,
11716 ++ 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57,
11717 ++ 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0,
11718 ++ 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b },
11719 ++ .secret_size = 32,
11720 ++ .b_public_size = 32,
11721 ++ .expected_ss_size = 32,
11722 ++
11723 ++},
11724 ++/* wycheproof - public key on twist */
11725 ++{
11726 ++ .secret = (u8[32]){ 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc,
11727 ++ 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d,
11728 ++ 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67,
11729 ++ 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c },
11730 ++ .b_public = (u8[32]){ 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97,
11731 ++ 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f,
11732 ++ 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45,
11733 ++ 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a },
11734 ++ .expected_ss = (u8[32]){ 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93,
11735 ++ 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2,
11736 ++ 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44,
11737 ++ 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a },
11738 ++ .secret_size = 32,
11739 ++ .b_public_size = 32,
11740 ++ .expected_ss_size = 32,
11741 ++
11742 ++},
11743 ++/* wycheproof - public key on twist */
11744 ++{
11745 ++ .secret = (u8[32]){ 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1,
11746 ++ 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95,
11747 ++ 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99,
11748 ++ 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d },
11749 ++ .b_public = (u8[32]){ 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27,
11750 ++ 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07,
11751 ++ 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae,
11752 ++ 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c },
11753 ++ .expected_ss = (u8[32]){ 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73,
11754 ++ 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2,
11755 ++ 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f,
11756 ++ 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 },
11757 ++ .secret_size = 32,
11758 ++ .b_public_size = 32,
11759 ++ .expected_ss_size = 32,
11760 ++
11761 ++},
11762 ++/* wycheproof - public key on twist */
11763 ++{
11764 ++ .secret = (u8[32]){ 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9,
11765 ++ 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd,
11766 ++ 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b,
11767 ++ 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 },
11768 ++ .b_public = (u8[32]){ 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5,
11769 ++ 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52,
11770 ++ 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8,
11771 ++ 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 },
11772 ++ .expected_ss = (u8[32]){ 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86,
11773 ++ 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4,
11774 ++ 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6,
11775 ++ 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 },
11776 ++ .secret_size = 32,
11777 ++ .b_public_size = 32,
11778 ++ .expected_ss_size = 32,
11779 ++
11780 ++},
11781 ++/* wycheproof - edge case on twist */
11782 ++{
11783 ++ .secret = (u8[32]){ 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04,
11784 ++ 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77,
11785 ++ 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90,
11786 ++ 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 },
11787 ++ .b_public = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11788 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11789 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11790 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11791 ++ .expected_ss = (u8[32]){ 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97,
11792 ++ 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9,
11793 ++ 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7,
11794 ++ 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 },
11795 ++ .secret_size = 32,
11796 ++ .b_public_size = 32,
11797 ++ .expected_ss_size = 32,
11798 ++
11799 ++},
11800 ++/* wycheproof - edge case on twist */
11801 ++{
11802 ++ .secret = (u8[32]){ 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36,
11803 ++ 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd,
11804 ++ 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c,
11805 ++ 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 },
11806 ++ .b_public = (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11807 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11808 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11809 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11810 ++ .expected_ss = (u8[32]){ 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e,
11811 ++ 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b,
11812 ++ 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e,
11813 ++ 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 },
11814 ++ .secret_size = 32,
11815 ++ .b_public_size = 32,
11816 ++ .expected_ss_size = 32,
11817 ++
11818 ++},
11819 ++/* wycheproof - edge case on twist */
11820 ++{
11821 ++ .secret = (u8[32]){ 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed,
11822 ++ 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e,
11823 ++ 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd,
11824 ++ 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 },
11825 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff,
11826 ++ 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff,
11827 ++ 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00,
11828 ++ 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 },
11829 ++ .expected_ss = (u8[32]){ 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f,
11830 ++ 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1,
11831 ++ 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10,
11832 ++ 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b },
11833 ++ .secret_size = 32,
11834 ++ .b_public_size = 32,
11835 ++ .expected_ss_size = 32,
11836 ++
11837 ++},
11838 ++/* wycheproof - edge case on twist */
11839 ++{
11840 ++ .secret = (u8[32]){ 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3,
11841 ++ 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d,
11842 ++ 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00,
11843 ++ 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 },
11844 ++ .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00,
11845 ++ 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00,
11846 ++ 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff,
11847 ++ 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f },
11848 ++ .expected_ss = (u8[32]){ 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8,
11849 ++ 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4,
11850 ++ 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70,
11851 ++ 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b },
11852 ++ .secret_size = 32,
11853 ++ .b_public_size = 32,
11854 ++ .expected_ss_size = 32,
11855 ++
11856 ++},
11857 ++/* wycheproof - edge case on twist */
11858 ++{
11859 ++ .secret = (u8[32]){ 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3,
11860 ++ 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a,
11861 ++ 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e,
11862 ++ 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 },
11863 ++ .b_public = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
11864 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
11865 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
11866 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f },
11867 ++ .expected_ss = (u8[32]){ 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57,
11868 ++ 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c,
11869 ++ 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59,
11870 ++ 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 },
11871 ++ .secret_size = 32,
11872 ++ .b_public_size = 32,
11873 ++ .expected_ss_size = 32,
11874 ++
11875 ++},
11876 ++/* wycheproof - edge case on twist */
11877 ++{
11878 ++ .secret = (u8[32]){ 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f,
11879 ++ 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42,
11880 ++ 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9,
11881 ++ 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 },
11882 ++ .b_public = (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11883 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11884 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11885 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
11886 ++ .expected_ss = (u8[32]){ 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c,
11887 ++ 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5,
11888 ++ 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65,
11889 ++ 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 },
11890 ++ .secret_size = 32,
11891 ++ .b_public_size = 32,
11892 ++ .expected_ss_size = 32,
11893 ++
11894 ++},
11895 ++/* wycheproof - edge case for public key */
11896 ++{
11897 ++ .secret = (u8[32]){ 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6,
11898 ++ 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4,
11899 ++ 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8,
11900 ++ 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe },
11901 ++ .b_public = (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11902 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11903 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
11904 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
11905 ++ .expected_ss = (u8[32]){ 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7,
11906 ++ 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca,
11907 ++ 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f,
11908 ++ 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 },
11909 ++ .secret_size = 32,
11910 ++ .b_public_size = 32,
11911 ++ .expected_ss_size = 32,
11912 ++
11913 ++},
11914 ++/* wycheproof - edge case for public key */
11915 ++{
11916 ++ .secret = (u8[32]){ 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa,
11917 ++ 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3,
11918 ++ 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52,
11919 ++ 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 },
11920 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
11921 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
11922 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
11923 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 },
11924 ++ .expected_ss = (u8[32]){ 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3,
11925 ++ 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e,
11926 ++ 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75,
11927 ++ 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f },
11928 ++ .secret_size = 32,
11929 ++ .b_public_size = 32,
11930 ++ .expected_ss_size = 32,
11931 ++
11932 ++},
11933 ++/* wycheproof - edge case for public key */
11934 ++{
11935 ++ .secret = (u8[32]){ 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26,
11936 ++ 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea,
11937 ++ 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00,
11938 ++ 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 },
11939 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11940 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11941 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11942 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
11943 ++ .expected_ss = (u8[32]){ 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8,
11944 ++ 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32,
11945 ++ 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87,
11946 ++ 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d },
11947 ++ .secret_size = 32,
11948 ++ .b_public_size = 32,
11949 ++ .expected_ss_size = 32,
11950 ++
11951 ++},
11952 ++/* wycheproof - edge case for public key */
11953 ++{
11954 ++ .secret = (u8[32]){ 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c,
11955 ++ 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6,
11956 ++ 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb,
11957 ++ 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 },
11958 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff,
11959 ++ 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff,
11960 ++ 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff,
11961 ++ 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f },
11962 ++ .expected_ss = (u8[32]){ 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85,
11963 ++ 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f,
11964 ++ 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0,
11965 ++ 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d },
11966 ++ .secret_size = 32,
11967 ++ .b_public_size = 32,
11968 ++ .expected_ss_size = 32,
11969 ++
11970 ++},
11971 ++/* wycheproof - edge case for public key */
11972 ++{
11973 ++ .secret = (u8[32]){ 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38,
11974 ++ 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b,
11975 ++ 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c,
11976 ++ 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb },
11977 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11978 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11979 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
11980 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
11981 ++ .expected_ss = (u8[32]){ 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b,
11982 ++ 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81,
11983 ++ 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3,
11984 ++ 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d },
11985 ++ .secret_size = 32,
11986 ++ .b_public_size = 32,
11987 ++ .expected_ss_size = 32,
11988 ++
11989 ++},
11990 ++/* wycheproof - edge case for public key */
11991 ++{
11992 ++ .secret = (u8[32]){ 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d,
11993 ++ 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42,
11994 ++ 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98,
11995 ++ 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 },
11996 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
11997 ++ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
11998 ++ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
11999 ++ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f },
12000 ++ .expected_ss = (u8[32]){ 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c,
12001 ++ 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9,
12002 ++ 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89,
12003 ++ 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 },
12004 ++ .secret_size = 32,
12005 ++ .b_public_size = 32,
12006 ++ .expected_ss_size = 32,
12007 ++
12008 ++},
12009 ++/* wycheproof - edge case for public key */
12010 ++{
12011 ++ .secret = (u8[32]){ 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29,
12012 ++ 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6,
12013 ++ 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c,
12014 ++ 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f },
12015 ++ .b_public = (u8[32]){ 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12016 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12017 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12018 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12019 ++ .expected_ss = (u8[32]){ 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75,
12020 ++ 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89,
12021 ++ 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c,
12022 ++ 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f },
12023 ++ .secret_size = 32,
12024 ++ .b_public_size = 32,
12025 ++ .expected_ss_size = 32,
12026 ++
12027 ++},
12028 ++/* wycheproof - public key >= p */
12029 ++{
12030 ++ .secret = (u8[32]){ 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc,
12031 ++ 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1,
12032 ++ 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d,
12033 ++ 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae },
12034 ++ .b_public = (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12035 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12036 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12037 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12038 ++ .expected_ss = (u8[32]){ 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09,
12039 ++ 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde,
12040 ++ 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1,
12041 ++ 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b },
12042 ++ .secret_size = 32,
12043 ++ .b_public_size = 32,
12044 ++ .expected_ss_size = 32,
12045 ++
12046 ++},
12047 ++/* wycheproof - public key >= p */
12048 ++{
12049 ++ .secret = (u8[32]){ 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81,
12050 ++ 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a,
12051 ++ 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99,
12052 ++ 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d },
12053 ++ .b_public = (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12054 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12055 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12056 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12057 ++ .expected_ss = (u8[32]){ 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17,
12058 ++ 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35,
12059 ++ 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55,
12060 ++ 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c },
12061 ++ .secret_size = 32,
12062 ++ .b_public_size = 32,
12063 ++ .expected_ss_size = 32,
12064 ++
12065 ++},
12066 ++/* wycheproof - public key >= p */
12067 ++{
12068 ++ .secret = (u8[32]){ 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11,
12069 ++ 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b,
12070 ++ 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9,
12071 ++ 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 },
12072 ++ .b_public = (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12073 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12074 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12075 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12076 ++ .expected_ss = (u8[32]){ 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53,
12077 ++ 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e,
12078 ++ 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6,
12079 ++ 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 },
12080 ++ .secret_size = 32,
12081 ++ .b_public_size = 32,
12082 ++ .expected_ss_size = 32,
12083 ++
12084 ++},
12085 ++/* wycheproof - public key >= p */
12086 ++{
12087 ++ .secret = (u8[32]){ 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78,
12088 ++ 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2,
12089 ++ 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd,
12090 ++ 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 },
12091 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12092 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12093 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12094 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12095 ++ .expected_ss = (u8[32]){ 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb,
12096 ++ 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40,
12097 ++ 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2,
12098 ++ 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d },
12099 ++ .secret_size = 32,
12100 ++ .b_public_size = 32,
12101 ++ .expected_ss_size = 32,
12102 ++
12103 ++},
12104 ++/* wycheproof - public key >= p */
12105 ++{
12106 ++ .secret = (u8[32]){ 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9,
12107 ++ 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60,
12108 ++ 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13,
12109 ++ 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 },
12110 ++ .b_public = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12111 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12112 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12113 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
12114 ++ .expected_ss = (u8[32]){ 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c,
12115 ++ 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3,
12116 ++ 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65,
12117 ++ 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c },
12118 ++ .secret_size = 32,
12119 ++ .b_public_size = 32,
12120 ++ .expected_ss_size = 32,
12121 ++
12122 ++},
12123 ++/* wycheproof - public key >= p */
12124 ++{
12125 ++ .secret = (u8[32]){ 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a,
12126 ++ 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7,
12127 ++ 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11,
12128 ++ 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e },
12129 ++ .b_public = (u8[32]){ 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12130 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12131 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12132 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
12133 ++ .expected_ss = (u8[32]){ 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82,
12134 ++ 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4,
12135 ++ 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c,
12136 ++ 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 },
12137 ++ .secret_size = 32,
12138 ++ .b_public_size = 32,
12139 ++ .expected_ss_size = 32,
12140 ++
12141 ++},
12142 ++/* wycheproof - public key >= p */
12143 ++{
12144 ++ .secret = (u8[32]){ 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e,
12145 ++ 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a,
12146 ++ 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d,
12147 ++ 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f },
12148 ++ .b_public = (u8[32]){ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12149 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12150 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12151 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
12152 ++ .expected_ss = (u8[32]){ 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2,
12153 ++ 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60,
12154 ++ 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25,
12155 ++ 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 },
12156 ++ .secret_size = 32,
12157 ++ .b_public_size = 32,
12158 ++ .expected_ss_size = 32,
12159 ++
12160 ++},
12161 ++/* wycheproof - public key >= p */
12162 ++{
12163 ++ .secret = (u8[32]){ 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb,
12164 ++ 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97,
12165 ++ 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c,
12166 ++ 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 },
12167 ++ .b_public = (u8[32]){ 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12168 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12169 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12170 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12171 ++ .expected_ss = (u8[32]){ 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23,
12172 ++ 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8,
12173 ++ 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69,
12174 ++ 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f },
12175 ++ .secret_size = 32,
12176 ++ .b_public_size = 32,
12177 ++ .expected_ss_size = 32,
12178 ++
12179 ++},
12180 ++/* wycheproof - public key >= p */
12181 ++{
12182 ++ .secret = (u8[32]){ 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a,
12183 ++ 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23,
12184 ++ 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b,
12185 ++ 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 },
12186 ++ .b_public = (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12187 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12188 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12189 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12190 ++ .expected_ss = (u8[32]){ 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b,
12191 ++ 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44,
12192 ++ 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37,
12193 ++ 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 },
12194 ++ .secret_size = 32,
12195 ++ .b_public_size = 32,
12196 ++ .expected_ss_size = 32,
12197 ++
12198 ++},
12199 ++/* wycheproof - public key >= p */
12200 ++{
12201 ++ .secret = (u8[32]){ 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80,
12202 ++ 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d,
12203 ++ 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b,
12204 ++ 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 },
12205 ++ .b_public = (u8[32]){ 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12206 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12207 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12208 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12209 ++ .expected_ss = (u8[32]){ 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63,
12210 ++ 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae,
12211 ++ 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f,
12212 ++ 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 },
12213 ++ .secret_size = 32,
12214 ++ .b_public_size = 32,
12215 ++ .expected_ss_size = 32,
12216 ++
12217 ++},
12218 ++/* wycheproof - public key >= p */
12219 ++{
12220 ++ .secret = (u8[32]){ 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0,
12221 ++ 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd,
12222 ++ 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49,
12223 ++ 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 },
12224 ++ .b_public = (u8[32]){ 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12225 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12226 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12227 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12228 ++ .expected_ss = (u8[32]){ 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41,
12229 ++ 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0,
12230 ++ 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf,
12231 ++ 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e },
12232 ++ .secret_size = 32,
12233 ++ .b_public_size = 32,
12234 ++ .expected_ss_size = 32,
12235 ++
12236 ++},
12237 ++/* wycheproof - public key >= p */
12238 ++{
12239 ++ .secret = (u8[32]){ 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9,
12240 ++ 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa,
12241 ++ 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5,
12242 ++ 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e },
12243 ++ .b_public = (u8[32]){ 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12244 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12245 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12246 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12247 ++ .expected_ss = (u8[32]){ 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47,
12248 ++ 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3,
12249 ++ 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b,
12250 ++ 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 },
12251 ++ .secret_size = 32,
12252 ++ .b_public_size = 32,
12253 ++ .expected_ss_size = 32,
12254 ++
12255 ++},
12256 ++/* wycheproof - public key >= p */
12257 ++{
12258 ++ .secret = (u8[32]){ 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8,
12259 ++ 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98,
12260 ++ 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0,
12261 ++ 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 },
12262 ++ .b_public = (u8[32]){ 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12263 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12264 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12265 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12266 ++ .expected_ss = (u8[32]){ 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0,
12267 ++ 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1,
12268 ++ 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a,
12269 ++ 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 },
12270 ++ .secret_size = 32,
12271 ++ .b_public_size = 32,
12272 ++ .expected_ss_size = 32,
12273 ++
12274 ++},
12275 ++/* wycheproof - public key >= p */
12276 ++{
12277 ++ .secret = (u8[32]){ 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02,
12278 ++ 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4,
12279 ++ 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68,
12280 ++ 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d },
12281 ++ .b_public = (u8[32]){ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12282 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12283 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12284 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12285 ++ .expected_ss = (u8[32]){ 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f,
12286 ++ 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2,
12287 ++ 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95,
12288 ++ 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 },
12289 ++ .secret_size = 32,
12290 ++ .b_public_size = 32,
12291 ++ .expected_ss_size = 32,
12292 ++
12293 ++},
12294 ++/* wycheproof - public key >= p */
12295 ++{
12296 ++ .secret = (u8[32]){ 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7,
12297 ++ 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06,
12298 ++ 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9,
12299 ++ 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 },
12300 ++ .b_public = (u8[32]){ 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12301 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12302 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12303 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12304 ++ .expected_ss = (u8[32]){ 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5,
12305 ++ 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0,
12306 ++ 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80,
12307 ++ 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 },
12308 ++ .secret_size = 32,
12309 ++ .b_public_size = 32,
12310 ++ .expected_ss_size = 32,
12311 ++
12312 ++},
12313 ++/* wycheproof - public key >= p */
12314 ++{
12315 ++ .secret = (u8[32]){ 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd,
12316 ++ 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4,
12317 ++ 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04,
12318 ++ 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 },
12319 ++ .b_public = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12320 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12321 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12322 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
12323 ++ .expected_ss = (u8[32]){ 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0,
12324 ++ 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac,
12325 ++ 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48,
12326 ++ 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 },
12327 ++ .secret_size = 32,
12328 ++ .b_public_size = 32,
12329 ++ .expected_ss_size = 32,
12330 ++
12331 ++},
12332 ++/* wycheproof - RFC 7748 */
12333 ++{
12334 ++ .secret = (u8[32]){ 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
12335 ++ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
12336 ++ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
12337 ++ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 },
12338 ++ .b_public = (u8[32]){ 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
12339 ++ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
12340 ++ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
12341 ++ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
12342 ++ .expected_ss = (u8[32]){ 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
12343 ++ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
12344 ++ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
12345 ++ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
12346 ++ .secret_size = 32,
12347 ++ .b_public_size = 32,
12348 ++ .expected_ss_size = 32,
12349 ++
12350 ++},
12351 ++/* wycheproof - RFC 7748 */
12352 ++{
12353 ++ .secret = (u8[32]){ 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c,
12354 ++ 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5,
12355 ++ 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4,
12356 ++ 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d },
12357 ++ .b_public = (u8[32]){ 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3,
12358 ++ 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c,
12359 ++ 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e,
12360 ++ 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 },
12361 ++ .expected_ss = (u8[32]){ 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d,
12362 ++ 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8,
12363 ++ 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52,
12364 ++ 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 },
12365 ++ .secret_size = 32,
12366 ++ .b_public_size = 32,
12367 ++ .expected_ss_size = 32,
12368 ++
12369 ++},
12370 ++/* wycheproof - edge case for shared secret */
12371 ++{
12372 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12373 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12374 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12375 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12376 ++ .b_public = (u8[32]){ 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde,
12377 ++ 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8,
12378 ++ 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4,
12379 ++ 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 },
12380 ++ .expected_ss = (u8[32]){ 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12381 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12382 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12383 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
12384 ++ .secret_size = 32,
12385 ++ .b_public_size = 32,
12386 ++ .expected_ss_size = 32,
12387 ++
12388 ++},
12389 ++/* wycheproof - edge case for shared secret */
12390 ++{
12391 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12392 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12393 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12394 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12395 ++ .b_public = (u8[32]){ 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d,
12396 ++ 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64,
12397 ++ 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd,
12398 ++ 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 },
12399 ++ .expected_ss = (u8[32]){ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12400 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12401 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12402 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
12403 ++ .secret_size = 32,
12404 ++ .b_public_size = 32,
12405 ++ .expected_ss_size = 32,
12406 ++
12407 ++},
12408 ++/* wycheproof - edge case for shared secret */
12409 ++{
12410 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12411 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12412 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12413 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12414 ++ .b_public = (u8[32]){ 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8,
12415 ++ 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf,
12416 ++ 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94,
12417 ++ 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d },
12418 ++ .expected_ss = (u8[32]){ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12419 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12420 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12421 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
12422 ++ .secret_size = 32,
12423 ++ .b_public_size = 32,
12424 ++ .expected_ss_size = 32,
12425 ++
12426 ++},
12427 ++/* wycheproof - edge case for shared secret */
12428 ++{
12429 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12430 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12431 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12432 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12433 ++ .b_public = (u8[32]){ 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84,
12434 ++ 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62,
12435 ++ 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e,
12436 ++ 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 },
12437 ++ .expected_ss = (u8[32]){ 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12438 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12439 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12440 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12441 ++ .secret_size = 32,
12442 ++ .b_public_size = 32,
12443 ++ .expected_ss_size = 32,
12444 ++
12445 ++},
12446 ++/* wycheproof - edge case for shared secret */
12447 ++{
12448 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12449 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12450 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12451 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12452 ++ .b_public = (u8[32]){ 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8,
12453 ++ 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58,
12454 ++ 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02,
12455 ++ 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 },
12456 ++ .expected_ss = (u8[32]){ 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12457 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12458 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12459 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12460 ++ .secret_size = 32,
12461 ++ .b_public_size = 32,
12462 ++ .expected_ss_size = 32,
12463 ++
12464 ++},
12465 ++/* wycheproof - edge case for shared secret */
12466 ++{
12467 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12468 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12469 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12470 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12471 ++ .b_public = (u8[32]){ 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9,
12472 ++ 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a,
12473 ++ 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44,
12474 ++ 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b },
12475 ++ .expected_ss = (u8[32]){ 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12476 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12477 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12478 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12479 ++ .secret_size = 32,
12480 ++ .b_public_size = 32,
12481 ++ .expected_ss_size = 32,
12482 ++
12483 ++},
12484 ++/* wycheproof - edge case for shared secret */
12485 ++{
12486 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12487 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12488 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12489 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12490 ++ .b_public = (u8[32]){ 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd,
12491 ++ 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22,
12492 ++ 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56,
12493 ++ 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b },
12494 ++ .expected_ss = (u8[32]){ 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12495 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12496 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12497 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
12498 ++ .secret_size = 32,
12499 ++ .b_public_size = 32,
12500 ++ .expected_ss_size = 32,
12501 ++
12502 ++},
12503 ++/* wycheproof - edge case for shared secret */
12504 ++{
12505 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12506 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12507 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12508 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12509 ++ .b_public = (u8[32]){ 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53,
12510 ++ 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f,
12511 ++ 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18,
12512 ++ 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f },
12513 ++ .expected_ss = (u8[32]){ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12514 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12515 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12516 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
12517 ++ .secret_size = 32,
12518 ++ .b_public_size = 32,
12519 ++ .expected_ss_size = 32,
12520 ++
12521 ++},
12522 ++/* wycheproof - edge case for shared secret */
12523 ++{
12524 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12525 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12526 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12527 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12528 ++ .b_public = (u8[32]){ 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55,
12529 ++ 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b,
12530 ++ 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79,
12531 ++ 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f },
12532 ++ .expected_ss = (u8[32]){ 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12533 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12534 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12535 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12536 ++ .secret_size = 32,
12537 ++ .b_public_size = 32,
12538 ++ .expected_ss_size = 32,
12539 ++
12540 ++},
12541 ++/* wycheproof - edge case for shared secret */
12542 ++{
12543 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12544 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12545 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12546 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12547 ++ .b_public = (u8[32]){ 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39,
12548 ++ 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c,
12549 ++ 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb,
12550 ++ 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e },
12551 ++ .expected_ss = (u8[32]){ 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12552 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12553 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12554 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12555 ++ .secret_size = 32,
12556 ++ .b_public_size = 32,
12557 ++ .expected_ss_size = 32,
12558 ++
12559 ++},
12560 ++/* wycheproof - edge case for shared secret */
12561 ++{
12562 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12563 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12564 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12565 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12566 ++ .b_public = (u8[32]){ 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04,
12567 ++ 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10,
12568 ++ 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58,
12569 ++ 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c },
12570 ++ .expected_ss = (u8[32]){ 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12571 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12572 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12573 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12574 ++ .secret_size = 32,
12575 ++ .b_public_size = 32,
12576 ++ .expected_ss_size = 32,
12577 ++
12578 ++},
12579 ++/* wycheproof - edge case for shared secret */
12580 ++{
12581 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12582 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12583 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12584 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12585 ++ .b_public = (u8[32]){ 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3,
12586 ++ 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c,
12587 ++ 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88,
12588 ++ 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 },
12589 ++ .expected_ss = (u8[32]){ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12590 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12591 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12592 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
12593 ++ .secret_size = 32,
12594 ++ .b_public_size = 32,
12595 ++ .expected_ss_size = 32,
12596 ++
12597 ++},
12598 ++/* wycheproof - edge case for shared secret */
12599 ++{
12600 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12601 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12602 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12603 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12604 ++ .b_public = (u8[32]){ 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a,
12605 ++ 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49,
12606 ++ 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a,
12607 ++ 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f },
12608 ++ .expected_ss = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12609 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12610 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12611 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
12612 ++ .secret_size = 32,
12613 ++ .b_public_size = 32,
12614 ++ .expected_ss_size = 32,
12615 ++
12616 ++},
12617 ++/* wycheproof - edge case for shared secret */
12618 ++{
12619 ++ .secret = (u8[32]){ 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
12620 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
12621 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
12622 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
12623 ++ .b_public = (u8[32]){ 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca,
12624 ++ 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c,
12625 ++ 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb,
12626 ++ 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 },
12627 ++ .expected_ss = (u8[32]){ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12628 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12629 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12630 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 },
12631 ++ .secret_size = 32,
12632 ++ .b_public_size = 32,
12633 ++ .expected_ss_size = 32,
12634 ++
12635 ++},
12636 ++/* wycheproof - checking for overflow */
12637 ++{
12638 ++ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12639 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12640 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12641 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12642 ++ .b_public = (u8[32]){ 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58,
12643 ++ 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7,
12644 ++ 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01,
12645 ++ 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d },
12646 ++ .expected_ss = (u8[32]){ 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d,
12647 ++ 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27,
12648 ++ 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b,
12649 ++ 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 },
12650 ++ .secret_size = 32,
12651 ++ .b_public_size = 32,
12652 ++ .expected_ss_size = 32,
12653 ++
12654 ++},
12655 ++/* wycheproof - checking for overflow */
12656 ++{
12657 ++ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12658 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12659 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12660 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12661 ++ .b_public = (u8[32]){ 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26,
12662 ++ 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2,
12663 ++ 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44,
12664 ++ 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e },
12665 ++ .expected_ss = (u8[32]){ 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6,
12666 ++ 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d,
12667 ++ 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e,
12668 ++ 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 },
12669 ++ .secret_size = 32,
12670 ++ .b_public_size = 32,
12671 ++ .expected_ss_size = 32,
12672 ++
12673 ++},
12674 ++/* wycheproof - checking for overflow */
12675 ++{
12676 ++ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12677 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12678 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12679 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12680 ++ .b_public = (u8[32]){ 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61,
12681 ++ 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67,
12682 ++ 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e,
12683 ++ 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c },
12684 ++ .expected_ss = (u8[32]){ 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65,
12685 ++ 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce,
12686 ++ 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0,
12687 ++ 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 },
12688 ++ .secret_size = 32,
12689 ++ .b_public_size = 32,
12690 ++ .expected_ss_size = 32,
12691 ++
12692 ++},
12693 ++/* wycheproof - checking for overflow */
12694 ++{
12695 ++ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12696 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12697 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12698 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12699 ++ .b_public = (u8[32]){ 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee,
12700 ++ 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d,
12701 ++ 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14,
12702 ++ 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 },
12703 ++ .expected_ss = (u8[32]){ 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e,
12704 ++ 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc,
12705 ++ 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5,
12706 ++ 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b },
12707 ++ .secret_size = 32,
12708 ++ .b_public_size = 32,
12709 ++ .expected_ss_size = 32,
12710 ++
12711 ++},
12712 ++/* wycheproof - checking for overflow */
12713 ++{
12714 ++ .secret = (u8[32]){ 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
12715 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
12716 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
12717 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
12718 ++ .b_public = (u8[32]){ 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4,
12719 ++ 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5,
12720 ++ 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c,
12721 ++ 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 },
12722 ++ .expected_ss = (u8[32]){ 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b,
12723 ++ 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93,
12724 ++ 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f,
12725 ++ 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 },
12726 ++ .secret_size = 32,
12727 ++ .b_public_size = 32,
12728 ++ .expected_ss_size = 32,
12729 ++
12730 ++},
12731 ++/* wycheproof - private key == -1 (mod order) */
12732 ++{
12733 ++ .secret = (u8[32]){ 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8,
12734 ++ 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68,
12735 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
12736 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 },
12737 ++ .b_public = (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
12738 ++ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
12739 ++ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
12740 ++ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
12741 ++ .expected_ss = (u8[32]){ 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
12742 ++ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
12743 ++ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
12744 ++ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
12745 ++ .secret_size = 32,
12746 ++ .b_public_size = 32,
12747 ++ .expected_ss_size = 32,
12748 ++
12749 ++},
12750 ++/* wycheproof - private key == 1 (mod order) on twist */
12751 ++{
12752 ++ .secret = (u8[32]){ 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef,
12753 ++ 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82,
12754 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
12755 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f },
12756 ++ .b_public = (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
12757 ++ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
12758 ++ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
12759 ++ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
12760 ++ .expected_ss = (u8[32]){ 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
12761 ++ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
12762 ++ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
12763 ++ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
12764 ++ .secret_size = 32,
12765 ++ .b_public_size = 32,
12766 ++ .expected_ss_size = 32,
12767 ++
12768 ++}
12769 ++};
12770 ++
12771 + static const struct kpp_testvec ecdh_tv_template[] = {
12772 + {
12773 + #ifndef CONFIG_CRYPTO_FIPS
12774 +@@ -31569,2 +32794,253 @@
12775 +
12776 ++static const char blake2_ordered_sequence[] =
12777 ++ "\x00\x01\x02\x03\x04\x05\x06\x07"
12778 ++ "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
12779 ++ "\x10\x11\x12\x13\x14\x15\x16\x17"
12780 ++ "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
12781 ++ "\x20\x21\x22\x23\x24\x25\x26\x27"
12782 ++ "\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
12783 ++ "\x30\x31\x32\x33\x34\x35\x36\x37"
12784 ++ "\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
12785 ++ "\x40\x41\x42\x43\x44\x45\x46\x47"
12786 ++ "\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
12787 ++ "\x50\x51\x52\x53\x54\x55\x56\x57"
12788 ++ "\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
12789 ++ "\x60\x61\x62\x63\x64\x65\x66\x67"
12790 ++ "\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
12791 ++ "\x70\x71\x72\x73\x74\x75\x76\x77"
12792 ++ "\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
12793 ++ "\x80\x81\x82\x83\x84\x85\x86\x87"
12794 ++ "\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
12795 ++ "\x90\x91\x92\x93\x94\x95\x96\x97"
12796 ++ "\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
12797 ++ "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
12798 ++ "\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
12799 ++ "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7"
12800 ++ "\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
12801 ++ "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7"
12802 ++ "\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
12803 ++ "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7"
12804 ++ "\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
12805 ++ "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7"
12806 ++ "\xe8\xe9\xea\xeb\xec\xed\xee\xef"
12807 ++ "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
12808 ++ "\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff";
12809 ++
12810 ++static const struct hash_testvec blakes2s_128_tv_template[] = {{
12811 ++ .digest = (u8[]){ 0x64, 0x55, 0x0d, 0x6f, 0xfe, 0x2c, 0x0a, 0x01,
12812 ++ 0xa1, 0x4a, 0xba, 0x1e, 0xad, 0xe0, 0x20, 0x0c, },
12813 ++}, {
12814 ++ .plaintext = blake2_ordered_sequence,
12815 ++ .psize = 64,
12816 ++ .digest = (u8[]){ 0xdc, 0x66, 0xca, 0x8f, 0x03, 0x86, 0x58, 0x01,
12817 ++ 0xb0, 0xff, 0xe0, 0x6e, 0xd8, 0xa1, 0xa9, 0x0e, },
12818 ++}, {
12819 ++ .ksize = 16,
12820 ++ .key = blake2_ordered_sequence,
12821 ++ .plaintext = blake2_ordered_sequence,
12822 ++ .psize = 1,
12823 ++ .digest = (u8[]){ 0x88, 0x1e, 0x42, 0xe7, 0xbb, 0x35, 0x80, 0x82,
12824 ++ 0x63, 0x7c, 0x0a, 0x0f, 0xd7, 0xec, 0x6c, 0x2f, },
12825 ++}, {
12826 ++ .ksize = 32,
12827 ++ .key = blake2_ordered_sequence,
12828 ++ .plaintext = blake2_ordered_sequence,
12829 ++ .psize = 7,
12830 ++ .digest = (u8[]){ 0xcf, 0x9e, 0x07, 0x2a, 0xd5, 0x22, 0xf2, 0xcd,
12831 ++ 0xa2, 0xd8, 0x25, 0x21, 0x80, 0x86, 0x73, 0x1c, },
12832 ++}, {
12833 ++ .ksize = 1,
12834 ++ .key = "B",
12835 ++ .plaintext = blake2_ordered_sequence,
12836 ++ .psize = 15,
12837 ++ .digest = (u8[]){ 0xf6, 0x33, 0x5a, 0x2c, 0x22, 0xa0, 0x64, 0xb2,
12838 ++ 0xb6, 0x3f, 0xeb, 0xbc, 0xd1, 0xc3, 0xe5, 0xb2, },
12839 ++}, {
12840 ++ .ksize = 16,
12841 ++ .key = blake2_ordered_sequence,
12842 ++ .plaintext = blake2_ordered_sequence,
12843 ++ .psize = 247,
12844 ++ .digest = (u8[]){ 0x72, 0x66, 0x49, 0x60, 0xf9, 0x4a, 0xea, 0xbe,
12845 ++ 0x1f, 0xf4, 0x60, 0xce, 0xb7, 0x81, 0xcb, 0x09, },
12846 ++}, {
12847 ++ .ksize = 32,
12848 ++ .key = blake2_ordered_sequence,
12849 ++ .plaintext = blake2_ordered_sequence,
12850 ++ .psize = 256,
12851 ++ .digest = (u8[]){ 0xd5, 0xa4, 0x0e, 0xc3, 0x16, 0xc7, 0x51, 0xa6,
12852 ++ 0x3c, 0xd0, 0xd9, 0x11, 0x57, 0xfa, 0x1e, 0xbb, },
12853 ++}};
12854 ++
12855 ++static const struct hash_testvec blakes2s_160_tv_template[] = {{
12856 ++ .plaintext = blake2_ordered_sequence,
12857 ++ .psize = 7,
12858 ++ .digest = (u8[]){ 0xb4, 0xf2, 0x03, 0x49, 0x37, 0xed, 0xb1, 0x3e,
12859 ++ 0x5b, 0x2a, 0xca, 0x64, 0x82, 0x74, 0xf6, 0x62,
12860 ++ 0xe3, 0xf2, 0x84, 0xff, },
12861 ++}, {
12862 ++ .plaintext = blake2_ordered_sequence,
12863 ++ .psize = 256,
12864 ++ .digest = (u8[]){ 0xaa, 0x56, 0x9b, 0xdc, 0x98, 0x17, 0x75, 0xf2,
12865 ++ 0xb3, 0x68, 0x83, 0xb7, 0x9b, 0x8d, 0x48, 0xb1,
12866 ++ 0x9b, 0x2d, 0x35, 0x05, },
12867 ++}, {
12868 ++ .ksize = 1,
12869 ++ .key = "B",
12870 ++ .digest = (u8[]){ 0x50, 0x16, 0xe7, 0x0c, 0x01, 0xd0, 0xd3, 0xc3,
12871 ++ 0xf4, 0x3e, 0xb1, 0x6e, 0x97, 0xa9, 0x4e, 0xd1,
12872 ++ 0x79, 0x65, 0x32, 0x93, },
12873 ++}, {
12874 ++ .ksize = 32,
12875 ++ .key = blake2_ordered_sequence,
12876 ++ .plaintext = blake2_ordered_sequence,
12877 ++ .psize = 1,
12878 ++ .digest = (u8[]){ 0x1c, 0x2b, 0xcd, 0x9a, 0x68, 0xca, 0x8c, 0x71,
12879 ++ 0x90, 0x29, 0x6c, 0x54, 0xfa, 0x56, 0x4a, 0xef,
12880 ++ 0xa2, 0x3a, 0x56, 0x9c, },
12881 ++}, {
12882 ++ .ksize = 16,
12883 ++ .key = blake2_ordered_sequence,
12884 ++ .plaintext = blake2_ordered_sequence,
12885 ++ .psize = 15,
12886 ++ .digest = (u8[]){ 0x36, 0xc3, 0x5f, 0x9a, 0xdc, 0x7e, 0xbf, 0x19,
12887 ++ 0x68, 0xaa, 0xca, 0xd8, 0x81, 0xbf, 0x09, 0x34,
12888 ++ 0x83, 0x39, 0x0f, 0x30, },
12889 ++}, {
12890 ++ .ksize = 1,
12891 ++ .key = "B",
12892 ++ .plaintext = blake2_ordered_sequence,
12893 ++ .psize = 64,
12894 ++ .digest = (u8[]){ 0x86, 0x80, 0x78, 0xa4, 0x14, 0xec, 0x03, 0xe5,
12895 ++ 0xb6, 0x9a, 0x52, 0x0e, 0x42, 0xee, 0x39, 0x9d,
12896 ++ 0xac, 0xa6, 0x81, 0x63, },
12897 ++}, {
12898 ++ .ksize = 32,
12899 ++ .key = blake2_ordered_sequence,
12900 ++ .plaintext = blake2_ordered_sequence,
12901 ++ .psize = 247,
12902 ++ .digest = (u8[]){ 0x2d, 0xd8, 0xd2, 0x53, 0x66, 0xfa, 0xa9, 0x01,
12903 ++ 0x1c, 0x9c, 0xaf, 0xa3, 0xe2, 0x9d, 0x9b, 0x10,
12904 ++ 0x0a, 0xf6, 0x73, 0xe8, },
12905 ++}};
12906 ++
12907 ++static const struct hash_testvec blakes2s_224_tv_template[] = {{
12908 ++ .plaintext = blake2_ordered_sequence,
12909 ++ .psize = 1,
12910 ++ .digest = (u8[]){ 0x61, 0xb9, 0x4e, 0xc9, 0x46, 0x22, 0xa3, 0x91,
12911 ++ 0xd2, 0xae, 0x42, 0xe6, 0x45, 0x6c, 0x90, 0x12,
12912 ++ 0xd5, 0x80, 0x07, 0x97, 0xb8, 0x86, 0x5a, 0xfc,
12913 ++ 0x48, 0x21, 0x97, 0xbb, },
12914 ++}, {
12915 ++ .plaintext = blake2_ordered_sequence,
12916 ++ .psize = 247,
12917 ++ .digest = (u8[]){ 0x9e, 0xda, 0xc7, 0x20, 0x2c, 0xd8, 0x48, 0x2e,
12918 ++ 0x31, 0x94, 0xab, 0x46, 0x6d, 0x94, 0xd8, 0xb4,
12919 ++ 0x69, 0xcd, 0xae, 0x19, 0x6d, 0x9e, 0x41, 0xcc,
12920 ++ 0x2b, 0xa4, 0xd5, 0xf6, },
12921 ++}, {
12922 ++ .ksize = 16,
12923 ++ .key = blake2_ordered_sequence,
12924 ++ .digest = (u8[]){ 0x32, 0xc0, 0xac, 0xf4, 0x3b, 0xd3, 0x07, 0x9f,
12925 ++ 0xbe, 0xfb, 0xfa, 0x4d, 0x6b, 0x4e, 0x56, 0xb3,
12926 ++ 0xaa, 0xd3, 0x27, 0xf6, 0x14, 0xbf, 0xb9, 0x32,
12927 ++ 0xa7, 0x19, 0xfc, 0xb8, },
12928 ++}, {
12929 ++ .ksize = 1,
12930 ++ .key = "B",
12931 ++ .plaintext = blake2_ordered_sequence,
12932 ++ .psize = 7,
12933 ++ .digest = (u8[]){ 0x73, 0xad, 0x5e, 0x6d, 0xb9, 0x02, 0x8e, 0x76,
12934 ++ 0xf2, 0x66, 0x42, 0x4b, 0x4c, 0xfa, 0x1f, 0xe6,
12935 ++ 0x2e, 0x56, 0x40, 0xe5, 0xa2, 0xb0, 0x3c, 0xe8,
12936 ++ 0x7b, 0x45, 0xfe, 0x05, },
12937 ++}, {
12938 ++ .ksize = 32,
12939 ++ .key = blake2_ordered_sequence,
12940 ++ .plaintext = blake2_ordered_sequence,
12941 ++ .psize = 15,
12942 ++ .digest = (u8[]){ 0x16, 0x60, 0xfb, 0x92, 0x54, 0xb3, 0x6e, 0x36,
12943 ++ 0x81, 0xf4, 0x16, 0x41, 0xc3, 0x3d, 0xd3, 0x43,
12944 ++ 0x84, 0xed, 0x10, 0x6f, 0x65, 0x80, 0x7a, 0x3e,
12945 ++ 0x25, 0xab, 0xc5, 0x02, },
12946 ++}, {
12947 ++ .ksize = 16,
12948 ++ .key = blake2_ordered_sequence,
12949 ++ .plaintext = blake2_ordered_sequence,
12950 ++ .psize = 64,
12951 ++ .digest = (u8[]){ 0xca, 0xaa, 0x39, 0x67, 0x9c, 0xf7, 0x6b, 0xc7,
12952 ++ 0xb6, 0x82, 0xca, 0x0e, 0x65, 0x36, 0x5b, 0x7c,
12953 ++ 0x24, 0x00, 0xfa, 0x5f, 0xda, 0x06, 0x91, 0x93,
12954 ++ 0x6a, 0x31, 0x83, 0xb5, },
12955 ++}, {
12956 ++ .ksize = 1,
12957 ++ .key = "B",
12958 ++ .plaintext = blake2_ordered_sequence,
12959 ++ .psize = 256,
12960 ++ .digest = (u8[]){ 0x90, 0x02, 0x26, 0xb5, 0x06, 0x9c, 0x36, 0x86,
12961 ++ 0x94, 0x91, 0x90, 0x1e, 0x7d, 0x2a, 0x71, 0xb2,
12962 ++ 0x48, 0xb5, 0xe8, 0x16, 0xfd, 0x64, 0x33, 0x45,
12963 ++ 0xb3, 0xd7, 0xec, 0xcc, },
12964 ++}};
12965 ++
12966 ++static const struct hash_testvec blakes2s_256_tv_template[] = {{
12967 ++ .plaintext = blake2_ordered_sequence,
12968 ++ .psize = 15,
12969 ++ .digest = (u8[]){ 0xd9, 0x7c, 0x82, 0x8d, 0x81, 0x82, 0xa7, 0x21,
12970 ++ 0x80, 0xa0, 0x6a, 0x78, 0x26, 0x83, 0x30, 0x67,
12971 ++ 0x3f, 0x7c, 0x4e, 0x06, 0x35, 0x94, 0x7c, 0x04,
12972 ++ 0xc0, 0x23, 0x23, 0xfd, 0x45, 0xc0, 0xa5, 0x2d, },
12973 ++}, {
12974 ++ .ksize = 32,
12975 ++ .key = blake2_ordered_sequence,
12976 ++ .digest = (u8[]){ 0x48, 0xa8, 0x99, 0x7d, 0xa4, 0x07, 0x87, 0x6b,
12977 ++ 0x3d, 0x79, 0xc0, 0xd9, 0x23, 0x25, 0xad, 0x3b,
12978 ++ 0x89, 0xcb, 0xb7, 0x54, 0xd8, 0x6a, 0xb7, 0x1a,
12979 ++ 0xee, 0x04, 0x7a, 0xd3, 0x45, 0xfd, 0x2c, 0x49, },
12980 ++}, {
12981 ++ .ksize = 1,
12982 ++ .key = "B",
12983 ++ .plaintext = blake2_ordered_sequence,
12984 ++ .psize = 1,
12985 ++ .digest = (u8[]){ 0x22, 0x27, 0xae, 0xaa, 0x6e, 0x81, 0x56, 0x03,
12986 ++ 0xa7, 0xe3, 0xa1, 0x18, 0xa5, 0x9a, 0x2c, 0x18,
12987 ++ 0xf4, 0x63, 0xbc, 0x16, 0x70, 0xf1, 0xe7, 0x4b,
12988 ++ 0x00, 0x6d, 0x66, 0x16, 0xae, 0x9e, 0x74, 0x4e, },
12989 ++}, {
12990 ++ .ksize = 16,
12991 ++ .key = blake2_ordered_sequence,
12992 ++ .plaintext = blake2_ordered_sequence,
12993 ++ .psize = 7,
12994 ++ .digest = (u8[]){ 0x58, 0x5d, 0xa8, 0x60, 0x1c, 0xa4, 0xd8, 0x03,
12995 ++ 0x86, 0x86, 0x84, 0x64, 0xd7, 0xa0, 0x8e, 0x15,
12996 ++ 0x2f, 0x05, 0xa2, 0x1b, 0xbc, 0xef, 0x7a, 0x34,
12997 ++ 0xb3, 0xc5, 0xbc, 0x4b, 0xf0, 0x32, 0xeb, 0x12, },
12998 ++}, {
12999 ++ .ksize = 32,
13000 ++ .key = blake2_ordered_sequence,
13001 ++ .plaintext = blake2_ordered_sequence,
13002 ++ .psize = 64,
13003 ++ .digest = (u8[]){ 0x89, 0x75, 0xb0, 0x57, 0x7f, 0xd3, 0x55, 0x66,
13004 ++ 0xd7, 0x50, 0xb3, 0x62, 0xb0, 0x89, 0x7a, 0x26,
13005 ++ 0xc3, 0x99, 0x13, 0x6d, 0xf0, 0x7b, 0xab, 0xab,
13006 ++ 0xbd, 0xe6, 0x20, 0x3f, 0xf2, 0x95, 0x4e, 0xd4, },
13007 ++}, {
13008 ++ .ksize = 1,
13009 ++ .key = "B",
13010 ++ .plaintext = blake2_ordered_sequence,
13011 ++ .psize = 247,
13012 ++ .digest = (u8[]){ 0x2e, 0x74, 0x1c, 0x1d, 0x03, 0xf4, 0x9d, 0x84,
13013 ++ 0x6f, 0xfc, 0x86, 0x32, 0x92, 0x49, 0x7e, 0x66,
13014 ++ 0xd7, 0xc3, 0x10, 0x88, 0xfe, 0x28, 0xb3, 0xe0,
13015 ++ 0xbf, 0x50, 0x75, 0xad, 0x8e, 0xa4, 0xe6, 0xb2, },
13016 ++}, {
13017 ++ .ksize = 16,
13018 ++ .key = blake2_ordered_sequence,
13019 ++ .plaintext = blake2_ordered_sequence,
13020 ++ .psize = 256,
13021 ++ .digest = (u8[]){ 0xb9, 0xd2, 0x81, 0x0e, 0x3a, 0xb1, 0x62, 0x9b,
13022 ++ 0xad, 0x44, 0x05, 0xf4, 0x92, 0x2e, 0x99, 0xc1,
13023 ++ 0x4a, 0x47, 0xbb, 0x5b, 0x6f, 0xb2, 0x96, 0xed,
13024 ++ 0xd5, 0x06, 0xb5, 0x3a, 0x7c, 0x7a, 0x65, 0x1d, },
13025 ++}};
13026 ++
13027 + #endif /* _CRYPTO_TESTMGR_H */
13028 +--- b/crypto/Makefile
13029 ++++ b/crypto/Makefile
13030 +@@ -74,6 +74,7 @@
13031 + obj-$(CONFIG_CRYPTO_WP512) += wp512.o
13032 + CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
13033 + obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o
13034 ++obj-$(CONFIG_CRYPTO_BLAKE2S) += blake2s_generic.o
13035 + obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o
13036 + obj-$(CONFIG_CRYPTO_ECB) += ecb.o
13037 + obj-$(CONFIG_CRYPTO_CBC) += cbc.o
13038 +@@ -166,6 +167,7 @@
13039 + obj-$(CONFIG_CRYPTO_OFB) += ofb.o
13040 + obj-$(CONFIG_CRYPTO_ECC) += ecc.o
13041 + obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
13042 ++obj-$(CONFIG_CRYPTO_CURVE25519) += curve25519-generic.o
13043 +
13044 + ecdh_generic-y += ecdh.o
13045 + ecdh_generic-y += ecdh_helper.o
13046 +--- /dev/null
13047 ++++ b/crypto/blake2s_generic.c
13048 +@@ -0,0 +1,171 @@
13049 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
13050 ++/*
13051 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13052 ++ */
13053 ++
13054 ++#include <crypto/internal/blake2s.h>
13055 ++#include <crypto/internal/simd.h>
13056 ++#include <crypto/internal/hash.h>
13057 ++
13058 ++#include <linux/types.h>
13059 ++#include <linux/jump_label.h>
13060 ++#include <linux/kernel.h>
13061 ++#include <linux/module.h>
13062 ++
13063 ++static int crypto_blake2s_setkey(struct crypto_shash *tfm, const u8 *key,
13064 ++ unsigned int keylen)
13065 ++{
13066 ++ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(tfm);
13067 ++
13068 ++ if (keylen == 0 || keylen > BLAKE2S_KEY_SIZE) {
13069 ++ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
13070 ++ return -EINVAL;
13071 ++ }
13072 ++
13073 ++ memcpy(tctx->key, key, keylen);
13074 ++ tctx->keylen = keylen;
13075 ++
13076 ++ return 0;
13077 ++}
13078 ++
13079 ++static int crypto_blake2s_init(struct shash_desc *desc)
13080 ++{
13081 ++ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
13082 ++ struct blake2s_state *state = shash_desc_ctx(desc);
13083 ++ const int outlen = crypto_shash_digestsize(desc->tfm);
13084 ++
13085 ++ if (tctx->keylen)
13086 ++ blake2s_init_key(state, outlen, tctx->key, tctx->keylen);
13087 ++ else
13088 ++ blake2s_init(state, outlen);
13089 ++
13090 ++ return 0;
13091 ++}
13092 ++
13093 ++static int crypto_blake2s_update(struct shash_desc *desc, const u8 *in,
13094 ++ unsigned int inlen)
13095 ++{
13096 ++ struct blake2s_state *state = shash_desc_ctx(desc);
13097 ++ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
13098 ++
13099 ++ if (unlikely(!inlen))
13100 ++ return 0;
13101 ++ if (inlen > fill) {
13102 ++ memcpy(state->buf + state->buflen, in, fill);
13103 ++ blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
13104 ++ state->buflen = 0;
13105 ++ in += fill;
13106 ++ inlen -= fill;
13107 ++ }
13108 ++ if (inlen > BLAKE2S_BLOCK_SIZE) {
13109 ++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
13110 ++ /* Hash one less (full) block than strictly possible */
13111 ++ blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
13112 ++ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13113 ++ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13114 ++ }
13115 ++ memcpy(state->buf + state->buflen, in, inlen);
13116 ++ state->buflen += inlen;
13117 ++
13118 ++ return 0;
13119 ++}
13120 ++
13121 ++static int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
13122 ++{
13123 ++ struct blake2s_state *state = shash_desc_ctx(desc);
13124 ++
13125 ++ blake2s_set_lastblock(state);
13126 ++ memset(state->buf + state->buflen, 0,
13127 ++ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
13128 ++ blake2s_compress_generic(state, state->buf, 1, state->buflen);
13129 ++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
13130 ++ memcpy(out, state->h, state->outlen);
13131 ++ memzero_explicit(state, sizeof(*state));
13132 ++
13133 ++ return 0;
13134 ++}
13135 ++
13136 ++static struct shash_alg blake2s_algs[] = {{
13137 ++ .base.cra_name = "blake2s-128",
13138 ++ .base.cra_driver_name = "blake2s-128-generic",
13139 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13140 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13141 ++ .base.cra_priority = 200,
13142 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13143 ++ .base.cra_module = THIS_MODULE,
13144 ++
13145 ++ .digestsize = BLAKE2S_128_HASH_SIZE,
13146 ++ .setkey = crypto_blake2s_setkey,
13147 ++ .init = crypto_blake2s_init,
13148 ++ .update = crypto_blake2s_update,
13149 ++ .final = crypto_blake2s_final,
13150 ++ .descsize = sizeof(struct blake2s_state),
13151 ++}, {
13152 ++ .base.cra_name = "blake2s-160",
13153 ++ .base.cra_driver_name = "blake2s-160-generic",
13154 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13155 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13156 ++ .base.cra_priority = 200,
13157 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13158 ++ .base.cra_module = THIS_MODULE,
13159 ++
13160 ++ .digestsize = BLAKE2S_160_HASH_SIZE,
13161 ++ .setkey = crypto_blake2s_setkey,
13162 ++ .init = crypto_blake2s_init,
13163 ++ .update = crypto_blake2s_update,
13164 ++ .final = crypto_blake2s_final,
13165 ++ .descsize = sizeof(struct blake2s_state),
13166 ++}, {
13167 ++ .base.cra_name = "blake2s-224",
13168 ++ .base.cra_driver_name = "blake2s-224-generic",
13169 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13170 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13171 ++ .base.cra_priority = 200,
13172 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13173 ++ .base.cra_module = THIS_MODULE,
13174 ++
13175 ++ .digestsize = BLAKE2S_224_HASH_SIZE,
13176 ++ .setkey = crypto_blake2s_setkey,
13177 ++ .init = crypto_blake2s_init,
13178 ++ .update = crypto_blake2s_update,
13179 ++ .final = crypto_blake2s_final,
13180 ++ .descsize = sizeof(struct blake2s_state),
13181 ++}, {
13182 ++ .base.cra_name = "blake2s-256",
13183 ++ .base.cra_driver_name = "blake2s-256-generic",
13184 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13185 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13186 ++ .base.cra_priority = 200,
13187 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13188 ++ .base.cra_module = THIS_MODULE,
13189 ++
13190 ++ .digestsize = BLAKE2S_256_HASH_SIZE,
13191 ++ .setkey = crypto_blake2s_setkey,
13192 ++ .init = crypto_blake2s_init,
13193 ++ .update = crypto_blake2s_update,
13194 ++ .final = crypto_blake2s_final,
13195 ++ .descsize = sizeof(struct blake2s_state),
13196 ++}};
13197 ++
13198 ++static int __init blake2s_mod_init(void)
13199 ++{
13200 ++ return crypto_register_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
13201 ++}
13202 ++
13203 ++static void __exit blake2s_mod_exit(void)
13204 ++{
13205 ++ crypto_unregister_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
13206 ++}
13207 ++
13208 ++subsys_initcall(blake2s_mod_init);
13209 ++module_exit(blake2s_mod_exit);
13210 ++
13211 ++MODULE_ALIAS_CRYPTO("blake2s-128");
13212 ++MODULE_ALIAS_CRYPTO("blake2s-128-generic");
13213 ++MODULE_ALIAS_CRYPTO("blake2s-160");
13214 ++MODULE_ALIAS_CRYPTO("blake2s-160-generic");
13215 ++MODULE_ALIAS_CRYPTO("blake2s-224");
13216 ++MODULE_ALIAS_CRYPTO("blake2s-224-generic");
13217 ++MODULE_ALIAS_CRYPTO("blake2s-256");
13218 ++MODULE_ALIAS_CRYPTO("blake2s-256-generic");
13219 ++MODULE_LICENSE("GPL v2");
13220 +--- b/arch/x86/crypto/Makefile
13221 ++++ b/arch/x86/crypto/Makefile
13222 +@@ -11,6 +11,7 @@
13223 + avx512_supported :=$(call as-instr,vpmovm2b %k1$(comma)%zmm5,yes,no)
13224 + sha1_ni_supported :=$(call as-instr,sha1msg1 %xmm0$(comma)%xmm1,yes,no)
13225 + sha256_ni_supported :=$(call as-instr,sha256msg1 %xmm0$(comma)%xmm1,yes,no)
13226 ++adx_supported := $(call as-instr,adox %r10$(comma)%r10,yes,no)
13227 +
13228 + obj-$(CONFIG_CRYPTO_GLUE_HELPER_X86) += glue_helper.o
13229 +
13230 +@@ -41,4 +42,9 @@
13231 + obj-$(CONFIG_CRYPTO_NHPOLY1305_AVX2) += nhpoly1305-avx2.o
13232 +
13233 ++# These modules require the assembler to support ADX.
13234 ++ifeq ($(adx_supported),yes)
13235 ++ obj-$(CONFIG_CRYPTO_CURVE25519_X86) += curve25519-x86_64.o
13236 ++endif
13237 ++
13238 + # These modules require assembler to support AVX.
13239 + ifeq ($(avx_supported),yes)
13240 +@@ -48,6 +54,7 @@
13241 + obj-$(CONFIG_CRYPTO_CAST6_AVX_X86_64) += cast6-avx-x86_64.o
13242 + obj-$(CONFIG_CRYPTO_TWOFISH_AVX_X86_64) += twofish-avx-x86_64.o
13243 + obj-$(CONFIG_CRYPTO_SERPENT_AVX_X86_64) += serpent-avx-x86_64.o
13244 ++ obj-$(CONFIG_CRYPTO_BLAKE2S_X86) += blake2s-x86_64.o
13245 + endif
13246 +
13247 + # These modules require assembler to support AVX2.
13248 +@@ -70,6 +77,11 @@
13249 + aegis128-aesni-y := aegis128-aesni-asm.o aegis128-aesni-glue.o
13250 +
13251 + nhpoly1305-sse2-y := nh-sse2-x86_64.o nhpoly1305-sse2-glue.o
13252 ++blake2s-x86_64-y := blake2s-core.o blake2s-glue.o
13253 ++poly1305-x86_64-y := poly1305-x86_64-cryptogams.o poly1305_glue.o
13254 ++ifneq ($(CONFIG_CRYPTO_POLY1305_X86_64),)
13255 ++targets += poly1305-x86_64-cryptogams.S
13256 ++endif
13257 +
13258 + ifeq ($(avx_supported),yes)
13259 + camellia-aesni-avx-x86_64-y := camellia-aesni-avx-asm_64.o \
13260 +@@ -98,10 +110,8 @@
13261 + aesni-intel-$(CONFIG_64BIT) += aesni-intel_avx-x86_64.o aes_ctrby8_avx-x86_64.o
13262 + ghash-clmulni-intel-y := ghash-clmulni-intel_asm.o ghash-clmulni-intel_glue.o
13263 + sha1-ssse3-y := sha1_ssse3_asm.o sha1_ssse3_glue.o
13264 +-poly1305-x86_64-y := poly1305-sse2-x86_64.o poly1305_glue.o
13265 + ifeq ($(avx2_supported),yes)
13266 + sha1-ssse3-y += sha1_avx2_x86_64_asm.o
13267 +-poly1305-x86_64-y += poly1305-avx2-x86_64.o
13268 + endif
13269 + ifeq ($(sha1_ni_supported),yes)
13270 + sha1-ssse3-y += sha1_ni_asm.o
13271 +@@ -117,0 +128,5 @@
13272 ++
13273 ++quiet_cmd_perlasm = PERLASM $@
13274 ++ cmd_perlasm = $(PERL) $< > $@
13275 ++$(obj)/%.S: $(src)/%.pl FORCE
13276 ++ $(call if_changed,perlasm)
13277 +--- /dev/null
13278 ++++ b/arch/x86/crypto/blake2s-core.S
13279 +@@ -0,0 +1,258 @@
13280 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
13281 ++/*
13282 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13283 ++ * Copyright (C) 2017-2019 Samuel Neves <sneves@××××××.pt>. All Rights Reserved.
13284 ++ */
13285 ++
13286 ++#include <linux/linkage.h>
13287 ++
13288 ++.section .rodata.cst32.BLAKE2S_IV, "aM", @progbits, 32
13289 ++.align 32
13290 ++IV: .octa 0xA54FF53A3C6EF372BB67AE856A09E667
13291 ++ .octa 0x5BE0CD191F83D9AB9B05688C510E527F
13292 ++.section .rodata.cst16.ROT16, "aM", @progbits, 16
13293 ++.align 16
13294 ++ROT16: .octa 0x0D0C0F0E09080B0A0504070601000302
13295 ++.section .rodata.cst16.ROR328, "aM", @progbits, 16
13296 ++.align 16
13297 ++ROR328: .octa 0x0C0F0E0D080B0A090407060500030201
13298 ++.section .rodata.cst64.BLAKE2S_SIGMA, "aM", @progbits, 160
13299 ++.align 64
13300 ++SIGMA:
13301 ++.byte 0, 2, 4, 6, 1, 3, 5, 7, 14, 8, 10, 12, 15, 9, 11, 13
13302 ++.byte 14, 4, 9, 13, 10, 8, 15, 6, 5, 1, 0, 11, 3, 12, 2, 7
13303 ++.byte 11, 12, 5, 15, 8, 0, 2, 13, 9, 10, 3, 7, 4, 14, 6, 1
13304 ++.byte 7, 3, 13, 11, 9, 1, 12, 14, 15, 2, 5, 4, 8, 6, 10, 0
13305 ++.byte 9, 5, 2, 10, 0, 7, 4, 15, 3, 14, 11, 6, 13, 1, 12, 8
13306 ++.byte 2, 6, 0, 8, 12, 10, 11, 3, 1, 4, 7, 15, 9, 13, 5, 14
13307 ++.byte 12, 1, 14, 4, 5, 15, 13, 10, 8, 0, 6, 9, 11, 7, 3, 2
13308 ++.byte 13, 7, 12, 3, 11, 14, 1, 9, 2, 5, 15, 8, 10, 0, 4, 6
13309 ++.byte 6, 14, 11, 0, 15, 9, 3, 8, 10, 12, 13, 1, 5, 2, 7, 4
13310 ++.byte 10, 8, 7, 1, 2, 4, 6, 5, 13, 15, 9, 3, 0, 11, 14, 12
13311 ++#ifdef CONFIG_AS_AVX512
13312 ++.section .rodata.cst64.BLAKE2S_SIGMA2, "aM", @progbits, 640
13313 ++.align 64
13314 ++SIGMA2:
13315 ++.long 0, 2, 4, 6, 1, 3, 5, 7, 14, 8, 10, 12, 15, 9, 11, 13
13316 ++.long 8, 2, 13, 15, 10, 9, 12, 3, 6, 4, 0, 14, 5, 11, 1, 7
13317 ++.long 11, 13, 8, 6, 5, 10, 14, 3, 2, 4, 12, 15, 1, 0, 7, 9
13318 ++.long 11, 10, 7, 0, 8, 15, 1, 13, 3, 6, 2, 12, 4, 14, 9, 5
13319 ++.long 4, 10, 9, 14, 15, 0, 11, 8, 1, 7, 3, 13, 2, 5, 6, 12
13320 ++.long 2, 11, 4, 15, 14, 3, 10, 8, 13, 6, 5, 7, 0, 12, 1, 9
13321 ++.long 4, 8, 15, 9, 14, 11, 13, 5, 3, 2, 1, 12, 6, 10, 7, 0
13322 ++.long 6, 13, 0, 14, 12, 2, 1, 11, 15, 4, 5, 8, 7, 9, 3, 10
13323 ++.long 15, 5, 4, 13, 10, 7, 3, 11, 12, 2, 0, 6, 9, 8, 1, 14
13324 ++.long 8, 7, 14, 11, 13, 15, 0, 12, 10, 4, 5, 6, 3, 2, 1, 9
13325 ++#endif /* CONFIG_AS_AVX512 */
13326 ++
13327 ++.text
13328 ++#ifdef CONFIG_AS_SSSE3
13329 ++ENTRY(blake2s_compress_ssse3)
13330 ++ testq %rdx,%rdx
13331 ++ je .Lendofloop
13332 ++ movdqu (%rdi),%xmm0
13333 ++ movdqu 0x10(%rdi),%xmm1
13334 ++ movdqa ROT16(%rip),%xmm12
13335 ++ movdqa ROR328(%rip),%xmm13
13336 ++ movdqu 0x20(%rdi),%xmm14
13337 ++ movq %rcx,%xmm15
13338 ++ leaq SIGMA+0xa0(%rip),%r8
13339 ++ jmp .Lbeginofloop
13340 ++ .align 32
13341 ++.Lbeginofloop:
13342 ++ movdqa %xmm0,%xmm10
13343 ++ movdqa %xmm1,%xmm11
13344 ++ paddq %xmm15,%xmm14
13345 ++ movdqa IV(%rip),%xmm2
13346 ++ movdqa %xmm14,%xmm3
13347 ++ pxor IV+0x10(%rip),%xmm3
13348 ++ leaq SIGMA(%rip),%rcx
13349 ++.Lroundloop:
13350 ++ movzbl (%rcx),%eax
13351 ++ movd (%rsi,%rax,4),%xmm4
13352 ++ movzbl 0x1(%rcx),%eax
13353 ++ movd (%rsi,%rax,4),%xmm5
13354 ++ movzbl 0x2(%rcx),%eax
13355 ++ movd (%rsi,%rax,4),%xmm6
13356 ++ movzbl 0x3(%rcx),%eax
13357 ++ movd (%rsi,%rax,4),%xmm7
13358 ++ punpckldq %xmm5,%xmm4
13359 ++ punpckldq %xmm7,%xmm6
13360 ++ punpcklqdq %xmm6,%xmm4
13361 ++ paddd %xmm4,%xmm0
13362 ++ paddd %xmm1,%xmm0
13363 ++ pxor %xmm0,%xmm3
13364 ++ pshufb %xmm12,%xmm3
13365 ++ paddd %xmm3,%xmm2
13366 ++ pxor %xmm2,%xmm1
13367 ++ movdqa %xmm1,%xmm8
13368 ++ psrld $0xc,%xmm1
13369 ++ pslld $0x14,%xmm8
13370 ++ por %xmm8,%xmm1
13371 ++ movzbl 0x4(%rcx),%eax
13372 ++ movd (%rsi,%rax,4),%xmm5
13373 ++ movzbl 0x5(%rcx),%eax
13374 ++ movd (%rsi,%rax,4),%xmm6
13375 ++ movzbl 0x6(%rcx),%eax
13376 ++ movd (%rsi,%rax,4),%xmm7
13377 ++ movzbl 0x7(%rcx),%eax
13378 ++ movd (%rsi,%rax,4),%xmm4
13379 ++ punpckldq %xmm6,%xmm5
13380 ++ punpckldq %xmm4,%xmm7
13381 ++ punpcklqdq %xmm7,%xmm5
13382 ++ paddd %xmm5,%xmm0
13383 ++ paddd %xmm1,%xmm0
13384 ++ pxor %xmm0,%xmm3
13385 ++ pshufb %xmm13,%xmm3
13386 ++ paddd %xmm3,%xmm2
13387 ++ pxor %xmm2,%xmm1
13388 ++ movdqa %xmm1,%xmm8
13389 ++ psrld $0x7,%xmm1
13390 ++ pslld $0x19,%xmm8
13391 ++ por %xmm8,%xmm1
13392 ++ pshufd $0x93,%xmm0,%xmm0
13393 ++ pshufd $0x4e,%xmm3,%xmm3
13394 ++ pshufd $0x39,%xmm2,%xmm2
13395 ++ movzbl 0x8(%rcx),%eax
13396 ++ movd (%rsi,%rax,4),%xmm6
13397 ++ movzbl 0x9(%rcx),%eax
13398 ++ movd (%rsi,%rax,4),%xmm7
13399 ++ movzbl 0xa(%rcx),%eax
13400 ++ movd (%rsi,%rax,4),%xmm4
13401 ++ movzbl 0xb(%rcx),%eax
13402 ++ movd (%rsi,%rax,4),%xmm5
13403 ++ punpckldq %xmm7,%xmm6
13404 ++ punpckldq %xmm5,%xmm4
13405 ++ punpcklqdq %xmm4,%xmm6
13406 ++ paddd %xmm6,%xmm0
13407 ++ paddd %xmm1,%xmm0
13408 ++ pxor %xmm0,%xmm3
13409 ++ pshufb %xmm12,%xmm3
13410 ++ paddd %xmm3,%xmm2
13411 ++ pxor %xmm2,%xmm1
13412 ++ movdqa %xmm1,%xmm8
13413 ++ psrld $0xc,%xmm1
13414 ++ pslld $0x14,%xmm8
13415 ++ por %xmm8,%xmm1
13416 ++ movzbl 0xc(%rcx),%eax
13417 ++ movd (%rsi,%rax,4),%xmm7
13418 ++ movzbl 0xd(%rcx),%eax
13419 ++ movd (%rsi,%rax,4),%xmm4
13420 ++ movzbl 0xe(%rcx),%eax
13421 ++ movd (%rsi,%rax,4),%xmm5
13422 ++ movzbl 0xf(%rcx),%eax
13423 ++ movd (%rsi,%rax,4),%xmm6
13424 ++ punpckldq %xmm4,%xmm7
13425 ++ punpckldq %xmm6,%xmm5
13426 ++ punpcklqdq %xmm5,%xmm7
13427 ++ paddd %xmm7,%xmm0
13428 ++ paddd %xmm1,%xmm0
13429 ++ pxor %xmm0,%xmm3
13430 ++ pshufb %xmm13,%xmm3
13431 ++ paddd %xmm3,%xmm2
13432 ++ pxor %xmm2,%xmm1
13433 ++ movdqa %xmm1,%xmm8
13434 ++ psrld $0x7,%xmm1
13435 ++ pslld $0x19,%xmm8
13436 ++ por %xmm8,%xmm1
13437 ++ pshufd $0x39,%xmm0,%xmm0
13438 ++ pshufd $0x4e,%xmm3,%xmm3
13439 ++ pshufd $0x93,%xmm2,%xmm2
13440 ++ addq $0x10,%rcx
13441 ++ cmpq %r8,%rcx
13442 ++ jnz .Lroundloop
13443 ++ pxor %xmm2,%xmm0
13444 ++ pxor %xmm3,%xmm1
13445 ++ pxor %xmm10,%xmm0
13446 ++ pxor %xmm11,%xmm1
13447 ++ addq $0x40,%rsi
13448 ++ decq %rdx
13449 ++ jnz .Lbeginofloop
13450 ++ movdqu %xmm0,(%rdi)
13451 ++ movdqu %xmm1,0x10(%rdi)
13452 ++ movdqu %xmm14,0x20(%rdi)
13453 ++.Lendofloop:
13454 ++ ret
13455 ++ENDPROC(blake2s_compress_ssse3)
13456 ++#endif /* CONFIG_AS_SSSE3 */
13457 ++
13458 ++#ifdef CONFIG_AS_AVX512
13459 ++ENTRY(blake2s_compress_avx512)
13460 ++ vmovdqu (%rdi),%xmm0
13461 ++ vmovdqu 0x10(%rdi),%xmm1
13462 ++ vmovdqu 0x20(%rdi),%xmm4
13463 ++ vmovq %rcx,%xmm5
13464 ++ vmovdqa IV(%rip),%xmm14
13465 ++ vmovdqa IV+16(%rip),%xmm15
13466 ++ jmp .Lblake2s_compress_avx512_mainloop
13467 ++.align 32
13468 ++.Lblake2s_compress_avx512_mainloop:
13469 ++ vmovdqa %xmm0,%xmm10
13470 ++ vmovdqa %xmm1,%xmm11
13471 ++ vpaddq %xmm5,%xmm4,%xmm4
13472 ++ vmovdqa %xmm14,%xmm2
13473 ++ vpxor %xmm15,%xmm4,%xmm3
13474 ++ vmovdqu (%rsi),%ymm6
13475 ++ vmovdqu 0x20(%rsi),%ymm7
13476 ++ addq $0x40,%rsi
13477 ++ leaq SIGMA2(%rip),%rax
13478 ++ movb $0xa,%cl
13479 ++.Lblake2s_compress_avx512_roundloop:
13480 ++ addq $0x40,%rax
13481 ++ vmovdqa -0x40(%rax),%ymm8
13482 ++ vmovdqa -0x20(%rax),%ymm9
13483 ++ vpermi2d %ymm7,%ymm6,%ymm8
13484 ++ vpermi2d %ymm7,%ymm6,%ymm9
13485 ++ vmovdqa %ymm8,%ymm6
13486 ++ vmovdqa %ymm9,%ymm7
13487 ++ vpaddd %xmm8,%xmm0,%xmm0
13488 ++ vpaddd %xmm1,%xmm0,%xmm0
13489 ++ vpxor %xmm0,%xmm3,%xmm3
13490 ++ vprord $0x10,%xmm3,%xmm3
13491 ++ vpaddd %xmm3,%xmm2,%xmm2
13492 ++ vpxor %xmm2,%xmm1,%xmm1
13493 ++ vprord $0xc,%xmm1,%xmm1
13494 ++ vextracti128 $0x1,%ymm8,%xmm8
13495 ++ vpaddd %xmm8,%xmm0,%xmm0
13496 ++ vpaddd %xmm1,%xmm0,%xmm0
13497 ++ vpxor %xmm0,%xmm3,%xmm3
13498 ++ vprord $0x8,%xmm3,%xmm3
13499 ++ vpaddd %xmm3,%xmm2,%xmm2
13500 ++ vpxor %xmm2,%xmm1,%xmm1
13501 ++ vprord $0x7,%xmm1,%xmm1
13502 ++ vpshufd $0x93,%xmm0,%xmm0
13503 ++ vpshufd $0x4e,%xmm3,%xmm3
13504 ++ vpshufd $0x39,%xmm2,%xmm2
13505 ++ vpaddd %xmm9,%xmm0,%xmm0
13506 ++ vpaddd %xmm1,%xmm0,%xmm0
13507 ++ vpxor %xmm0,%xmm3,%xmm3
13508 ++ vprord $0x10,%xmm3,%xmm3
13509 ++ vpaddd %xmm3,%xmm2,%xmm2
13510 ++ vpxor %xmm2,%xmm1,%xmm1
13511 ++ vprord $0xc,%xmm1,%xmm1
13512 ++ vextracti128 $0x1,%ymm9,%xmm9
13513 ++ vpaddd %xmm9,%xmm0,%xmm0
13514 ++ vpaddd %xmm1,%xmm0,%xmm0
13515 ++ vpxor %xmm0,%xmm3,%xmm3
13516 ++ vprord $0x8,%xmm3,%xmm3
13517 ++ vpaddd %xmm3,%xmm2,%xmm2
13518 ++ vpxor %xmm2,%xmm1,%xmm1
13519 ++ vprord $0x7,%xmm1,%xmm1
13520 ++ vpshufd $0x39,%xmm0,%xmm0
13521 ++ vpshufd $0x4e,%xmm3,%xmm3
13522 ++ vpshufd $0x93,%xmm2,%xmm2
13523 ++ decb %cl
13524 ++ jne .Lblake2s_compress_avx512_roundloop
13525 ++ vpxor %xmm10,%xmm0,%xmm0
13526 ++ vpxor %xmm11,%xmm1,%xmm1
13527 ++ vpxor %xmm2,%xmm0,%xmm0
13528 ++ vpxor %xmm3,%xmm1,%xmm1
13529 ++ decq %rdx
13530 ++ jne .Lblake2s_compress_avx512_mainloop
13531 ++ vmovdqu %xmm0,(%rdi)
13532 ++ vmovdqu %xmm1,0x10(%rdi)
13533 ++ vmovdqu %xmm4,0x20(%rdi)
13534 ++ vzeroupper
13535 ++ retq
13536 ++ENDPROC(blake2s_compress_avx512)
13537 ++#endif /* CONFIG_AS_AVX512 */
13538 +--- b/arch/x86/crypto/blake2s-glue.c
13539 ++++ b/arch/x86/crypto/blake2s-glue.c
13540 +@@ -0,0 +1,233 @@
13541 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
13542 ++/*
13543 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13544 ++ */
13545 ++
13546 ++#include <crypto/internal/blake2s.h>
13547 ++#include <crypto/internal/simd.h>
13548 ++#include <crypto/internal/hash.h>
13549 ++
13550 ++#include <linux/types.h>
13551 ++#include <linux/jump_label.h>
13552 ++#include <linux/kernel.h>
13553 ++#include <linux/module.h>
13554 ++
13555 ++#include <asm/cpufeature.h>
13556 ++#include <asm/fpu/api.h>
13557 ++#include <asm/processor.h>
13558 ++#include <asm/simd.h>
13559 ++
13560 ++asmlinkage void blake2s_compress_ssse3(struct blake2s_state *state,
13561 ++ const u8 *block, const size_t nblocks,
13562 ++ const u32 inc);
13563 ++asmlinkage void blake2s_compress_avx512(struct blake2s_state *state,
13564 ++ const u8 *block, const size_t nblocks,
13565 ++ const u32 inc);
13566 ++
13567 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_ssse3);
13568 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(blake2s_use_avx512);
13569 ++
13570 ++void blake2s_compress_arch(struct blake2s_state *state,
13571 ++ const u8 *block, size_t nblocks,
13572 ++ const u32 inc)
13573 ++{
13574 ++ /* SIMD disables preemption, so relax after processing each page. */
13575 ++ BUILD_BUG_ON(SZ_4K / BLAKE2S_BLOCK_SIZE < 8);
13576 ++
13577 ++ if (!static_branch_likely(&blake2s_use_ssse3) || !crypto_simd_usable()) {
13578 ++ blake2s_compress_generic(state, block, nblocks, inc);
13579 ++ return;
13580 ++ }
13581 ++
13582 ++ do {
13583 ++ const size_t blocks = min_t(size_t, nblocks,
13584 ++ SZ_4K / BLAKE2S_BLOCK_SIZE);
13585 ++
13586 ++ kernel_fpu_begin();
13587 ++ if (IS_ENABLED(CONFIG_AS_AVX512) &&
13588 ++ static_branch_likely(&blake2s_use_avx512))
13589 ++ blake2s_compress_avx512(state, block, blocks, inc);
13590 ++ else
13591 ++ blake2s_compress_ssse3(state, block, blocks, inc);
13592 ++ kernel_fpu_end();
13593 ++
13594 ++ nblocks -= blocks;
13595 ++ block += blocks * BLAKE2S_BLOCK_SIZE;
13596 ++ } while (nblocks);
13597 ++}
13598 ++EXPORT_SYMBOL(blake2s_compress_arch);
13599 ++
13600 ++static int crypto_blake2s_setkey(struct crypto_shash *tfm, const u8 *key,
13601 ++ unsigned int keylen)
13602 ++{
13603 ++ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(tfm);
13604 ++
13605 ++ if (keylen == 0 || keylen > BLAKE2S_KEY_SIZE) {
13606 ++ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
13607 ++ return -EINVAL;
13608 ++ }
13609 ++
13610 ++ memcpy(tctx->key, key, keylen);
13611 ++ tctx->keylen = keylen;
13612 ++
13613 ++ return 0;
13614 ++}
13615 ++
13616 ++static int crypto_blake2s_init(struct shash_desc *desc)
13617 ++{
13618 ++ struct blake2s_tfm_ctx *tctx = crypto_shash_ctx(desc->tfm);
13619 ++ struct blake2s_state *state = shash_desc_ctx(desc);
13620 ++ const int outlen = crypto_shash_digestsize(desc->tfm);
13621 ++
13622 ++ if (tctx->keylen)
13623 ++ blake2s_init_key(state, outlen, tctx->key, tctx->keylen);
13624 ++ else
13625 ++ blake2s_init(state, outlen);
13626 ++
13627 ++ return 0;
13628 ++}
13629 ++
13630 ++static int crypto_blake2s_update(struct shash_desc *desc, const u8 *in,
13631 ++ unsigned int inlen)
13632 ++{
13633 ++ struct blake2s_state *state = shash_desc_ctx(desc);
13634 ++ const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
13635 ++
13636 ++ if (unlikely(!inlen))
13637 ++ return 0;
13638 ++ if (inlen > fill) {
13639 ++ memcpy(state->buf + state->buflen, in, fill);
13640 ++ blake2s_compress_arch(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
13641 ++ state->buflen = 0;
13642 ++ in += fill;
13643 ++ inlen -= fill;
13644 ++ }
13645 ++ if (inlen > BLAKE2S_BLOCK_SIZE) {
13646 ++ const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
13647 ++ /* Hash one less (full) block than strictly possible */
13648 ++ blake2s_compress_arch(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
13649 ++ in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13650 ++ inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
13651 ++ }
13652 ++ memcpy(state->buf + state->buflen, in, inlen);
13653 ++ state->buflen += inlen;
13654 ++
13655 ++ return 0;
13656 ++}
13657 ++
13658 ++static int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
13659 ++{
13660 ++ struct blake2s_state *state = shash_desc_ctx(desc);
13661 ++
13662 ++ blake2s_set_lastblock(state);
13663 ++ memset(state->buf + state->buflen, 0,
13664 ++ BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
13665 ++ blake2s_compress_arch(state, state->buf, 1, state->buflen);
13666 ++ cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
13667 ++ memcpy(out, state->h, state->outlen);
13668 ++ memzero_explicit(state, sizeof(*state));
13669 ++
13670 ++ return 0;
13671 ++}
13672 ++
13673 ++static struct shash_alg blake2s_algs[] = {{
13674 ++ .base.cra_name = "blake2s-128",
13675 ++ .base.cra_driver_name = "blake2s-128-x86",
13676 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13677 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13678 ++ .base.cra_priority = 200,
13679 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13680 ++ .base.cra_module = THIS_MODULE,
13681 ++
13682 ++ .digestsize = BLAKE2S_128_HASH_SIZE,
13683 ++ .setkey = crypto_blake2s_setkey,
13684 ++ .init = crypto_blake2s_init,
13685 ++ .update = crypto_blake2s_update,
13686 ++ .final = crypto_blake2s_final,
13687 ++ .descsize = sizeof(struct blake2s_state),
13688 ++}, {
13689 ++ .base.cra_name = "blake2s-160",
13690 ++ .base.cra_driver_name = "blake2s-160-x86",
13691 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13692 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13693 ++ .base.cra_priority = 200,
13694 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13695 ++ .base.cra_module = THIS_MODULE,
13696 ++
13697 ++ .digestsize = BLAKE2S_160_HASH_SIZE,
13698 ++ .setkey = crypto_blake2s_setkey,
13699 ++ .init = crypto_blake2s_init,
13700 ++ .update = crypto_blake2s_update,
13701 ++ .final = crypto_blake2s_final,
13702 ++ .descsize = sizeof(struct blake2s_state),
13703 ++}, {
13704 ++ .base.cra_name = "blake2s-224",
13705 ++ .base.cra_driver_name = "blake2s-224-x86",
13706 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13707 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13708 ++ .base.cra_priority = 200,
13709 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13710 ++ .base.cra_module = THIS_MODULE,
13711 ++
13712 ++ .digestsize = BLAKE2S_224_HASH_SIZE,
13713 ++ .setkey = crypto_blake2s_setkey,
13714 ++ .init = crypto_blake2s_init,
13715 ++ .update = crypto_blake2s_update,
13716 ++ .final = crypto_blake2s_final,
13717 ++ .descsize = sizeof(struct blake2s_state),
13718 ++}, {
13719 ++ .base.cra_name = "blake2s-256",
13720 ++ .base.cra_driver_name = "blake2s-256-x86",
13721 ++ .base.cra_flags = CRYPTO_ALG_OPTIONAL_KEY,
13722 ++ .base.cra_ctxsize = sizeof(struct blake2s_tfm_ctx),
13723 ++ .base.cra_priority = 200,
13724 ++ .base.cra_blocksize = BLAKE2S_BLOCK_SIZE,
13725 ++ .base.cra_module = THIS_MODULE,
13726 ++
13727 ++ .digestsize = BLAKE2S_256_HASH_SIZE,
13728 ++ .setkey = crypto_blake2s_setkey,
13729 ++ .init = crypto_blake2s_init,
13730 ++ .update = crypto_blake2s_update,
13731 ++ .final = crypto_blake2s_final,
13732 ++ .descsize = sizeof(struct blake2s_state),
13733 ++}};
13734 ++
13735 ++static int __init blake2s_mod_init(void)
13736 ++{
13737 ++ if (!boot_cpu_has(X86_FEATURE_SSSE3))
13738 ++ return 0;
13739 ++
13740 ++ static_branch_enable(&blake2s_use_ssse3);
13741 ++
13742 ++ if (IS_ENABLED(CONFIG_AS_AVX512) &&
13743 ++ boot_cpu_has(X86_FEATURE_AVX) &&
13744 ++ boot_cpu_has(X86_FEATURE_AVX2) &&
13745 ++ boot_cpu_has(X86_FEATURE_AVX512F) &&
13746 ++ boot_cpu_has(X86_FEATURE_AVX512VL) &&
13747 ++ cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM |
13748 ++ XFEATURE_MASK_AVX512, NULL))
13749 ++ static_branch_enable(&blake2s_use_avx512);
13750 ++
13751 ++ return IS_REACHABLE(CONFIG_CRYPTO_HASH) ?
13752 ++ crypto_register_shashes(blake2s_algs,
13753 ++ ARRAY_SIZE(blake2s_algs)) : 0;
13754 ++}
13755 ++
13756 ++static void __exit blake2s_mod_exit(void)
13757 ++{
13758 ++ if (IS_REACHABLE(CONFIG_CRYPTO_HASH) && boot_cpu_has(X86_FEATURE_SSSE3))
13759 ++ crypto_unregister_shashes(blake2s_algs, ARRAY_SIZE(blake2s_algs));
13760 ++}
13761 ++
13762 ++module_init(blake2s_mod_init);
13763 ++module_exit(blake2s_mod_exit);
13764 ++
13765 ++MODULE_ALIAS_CRYPTO("blake2s-128");
13766 ++MODULE_ALIAS_CRYPTO("blake2s-128-x86");
13767 ++MODULE_ALIAS_CRYPTO("blake2s-160");
13768 ++MODULE_ALIAS_CRYPTO("blake2s-160-x86");
13769 ++MODULE_ALIAS_CRYPTO("blake2s-224");
13770 ++MODULE_ALIAS_CRYPTO("blake2s-224-x86");
13771 ++MODULE_ALIAS_CRYPTO("blake2s-256");
13772 ++MODULE_ALIAS_CRYPTO("blake2s-256-x86");
13773 ++MODULE_LICENSE("GPL v2");
13774 +--- b/include/crypto/curve25519.h
13775 ++++ b/include/crypto/curve25519.h
13776 +@@ -0,0 +1,73 @@
13777 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
13778 ++/*
13779 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13780 ++ */
13781 ++
13782 ++#ifndef CURVE25519_H
13783 ++#define CURVE25519_H
13784 ++
13785 ++#include <crypto/algapi.h> // For crypto_memneq.
13786 ++#include <linux/types.h>
13787 ++#include <linux/random.h>
13788 ++
13789 ++enum curve25519_lengths {
13790 ++ CURVE25519_KEY_SIZE = 32
13791 ++};
13792 ++
13793 ++extern const u8 curve25519_null_point[];
13794 ++extern const u8 curve25519_base_point[];
13795 ++
13796 ++void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
13797 ++ const u8 scalar[CURVE25519_KEY_SIZE],
13798 ++ const u8 point[CURVE25519_KEY_SIZE]);
13799 ++
13800 ++void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
13801 ++ const u8 scalar[CURVE25519_KEY_SIZE],
13802 ++ const u8 point[CURVE25519_KEY_SIZE]);
13803 ++
13804 ++void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
13805 ++ const u8 secret[CURVE25519_KEY_SIZE]);
13806 ++
13807 ++static inline
13808 ++bool __must_check curve25519(u8 mypublic[CURVE25519_KEY_SIZE],
13809 ++ const u8 secret[CURVE25519_KEY_SIZE],
13810 ++ const u8 basepoint[CURVE25519_KEY_SIZE])
13811 ++{
13812 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519) &&
13813 ++ (!IS_ENABLED(CONFIG_CRYPTO_CURVE25519_X86) || IS_ENABLED(CONFIG_AS_ADX)))
13814 ++ curve25519_arch(mypublic, secret, basepoint);
13815 ++ else
13816 ++ curve25519_generic(mypublic, secret, basepoint);
13817 ++ return crypto_memneq(mypublic, curve25519_null_point,
13818 ++ CURVE25519_KEY_SIZE);
13819 ++}
13820 ++
13821 ++static inline bool
13822 ++__must_check curve25519_generate_public(u8 pub[CURVE25519_KEY_SIZE],
13823 ++ const u8 secret[CURVE25519_KEY_SIZE])
13824 ++{
13825 ++ if (unlikely(!crypto_memneq(secret, curve25519_null_point,
13826 ++ CURVE25519_KEY_SIZE)))
13827 ++ return false;
13828 ++
13829 ++ if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_CURVE25519) &&
13830 ++ (!IS_ENABLED(CONFIG_CRYPTO_CURVE25519_X86) || IS_ENABLED(CONFIG_AS_ADX)))
13831 ++ curve25519_base_arch(pub, secret);
13832 ++ else
13833 ++ curve25519_generic(pub, secret, curve25519_base_point);
13834 ++ return crypto_memneq(pub, curve25519_null_point, CURVE25519_KEY_SIZE);
13835 ++}
13836 ++
13837 ++static inline void curve25519_clamp_secret(u8 secret[CURVE25519_KEY_SIZE])
13838 ++{
13839 ++ secret[0] &= 248;
13840 ++ secret[31] = (secret[31] & 127) | 64;
13841 ++}
13842 ++
13843 ++static inline void curve25519_generate_secret(u8 secret[CURVE25519_KEY_SIZE])
13844 ++{
13845 ++ get_random_bytes_wait(secret, CURVE25519_KEY_SIZE);
13846 ++ curve25519_clamp_secret(secret);
13847 ++}
13848 ++
13849 ++#endif /* CURVE25519_H */
13850 +--- b/lib/crypto/curve25519-fiat32.c
13851 ++++ b/lib/crypto/curve25519-fiat32.c
13852 +@@ -0,0 +1,864 @@
13853 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
13854 ++/*
13855 ++ * Copyright (C) 2015-2016 The fiat-crypto Authors.
13856 ++ * Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
13857 ++ *
13858 ++ * This is a machine-generated formally verified implementation of Curve25519
13859 ++ * ECDH from: <https://github.com/mit-plv/fiat-crypto>. Though originally
13860 ++ * machine generated, it has been tweaked to be suitable for use in the kernel.
13861 ++ * It is optimized for 32-bit machines and machines that cannot work efficiently
13862 ++ * with 128-bit integer types.
13863 ++ */
13864 ++
13865 ++#include <asm/unaligned.h>
13866 ++#include <crypto/curve25519.h>
13867 ++#include <linux/string.h>
13868 ++
13869 ++/* fe means field element. Here the field is \Z/(2^255-19). An element t,
13870 ++ * entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
13871 ++ * t[3]+2^102 t[4]+...+2^230 t[9].
13872 ++ * fe limbs are bounded by 1.125*2^26,1.125*2^25,1.125*2^26,1.125*2^25,etc.
13873 ++ * Multiplication and carrying produce fe from fe_loose.
13874 ++ */
13875 ++typedef struct fe { u32 v[10]; } fe;
13876 ++
13877 ++/* fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc
13878 ++ * Addition and subtraction produce fe_loose from (fe, fe).
13879 ++ */
13880 ++typedef struct fe_loose { u32 v[10]; } fe_loose;
13881 ++
13882 ++static __always_inline void fe_frombytes_impl(u32 h[10], const u8 *s)
13883 ++{
13884 ++ /* Ignores top bit of s. */
13885 ++ u32 a0 = get_unaligned_le32(s);
13886 ++ u32 a1 = get_unaligned_le32(s+4);
13887 ++ u32 a2 = get_unaligned_le32(s+8);
13888 ++ u32 a3 = get_unaligned_le32(s+12);
13889 ++ u32 a4 = get_unaligned_le32(s+16);
13890 ++ u32 a5 = get_unaligned_le32(s+20);
13891 ++ u32 a6 = get_unaligned_le32(s+24);
13892 ++ u32 a7 = get_unaligned_le32(s+28);
13893 ++ h[0] = a0&((1<<26)-1); /* 26 used, 32-26 left. 26 */
13894 ++ h[1] = (a0>>26) | ((a1&((1<<19)-1))<< 6); /* (32-26) + 19 = 6+19 = 25 */
13895 ++ h[2] = (a1>>19) | ((a2&((1<<13)-1))<<13); /* (32-19) + 13 = 13+13 = 26 */
13896 ++ h[3] = (a2>>13) | ((a3&((1<< 6)-1))<<19); /* (32-13) + 6 = 19+ 6 = 25 */
13897 ++ h[4] = (a3>> 6); /* (32- 6) = 26 */
13898 ++ h[5] = a4&((1<<25)-1); /* 25 */
13899 ++ h[6] = (a4>>25) | ((a5&((1<<19)-1))<< 7); /* (32-25) + 19 = 7+19 = 26 */
13900 ++ h[7] = (a5>>19) | ((a6&((1<<12)-1))<<13); /* (32-19) + 12 = 13+12 = 25 */
13901 ++ h[8] = (a6>>12) | ((a7&((1<< 6)-1))<<20); /* (32-12) + 6 = 20+ 6 = 26 */
13902 ++ h[9] = (a7>> 6)&((1<<25)-1); /* 25 */
13903 ++}
13904 ++
13905 ++static __always_inline void fe_frombytes(fe *h, const u8 *s)
13906 ++{
13907 ++ fe_frombytes_impl(h->v, s);
13908 ++}
13909 ++
13910 ++static __always_inline u8 /*bool*/
13911 ++addcarryx_u25(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13912 ++{
13913 ++ /* This function extracts 25 bits of result and 1 bit of carry
13914 ++ * (26 total), so a 32-bit intermediate is sufficient.
13915 ++ */
13916 ++ u32 x = a + b + c;
13917 ++ *low = x & ((1 << 25) - 1);
13918 ++ return (x >> 25) & 1;
13919 ++}
13920 ++
13921 ++static __always_inline u8 /*bool*/
13922 ++addcarryx_u26(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13923 ++{
13924 ++ /* This function extracts 26 bits of result and 1 bit of carry
13925 ++ * (27 total), so a 32-bit intermediate is sufficient.
13926 ++ */
13927 ++ u32 x = a + b + c;
13928 ++ *low = x & ((1 << 26) - 1);
13929 ++ return (x >> 26) & 1;
13930 ++}
13931 ++
13932 ++static __always_inline u8 /*bool*/
13933 ++subborrow_u25(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13934 ++{
13935 ++ /* This function extracts 25 bits of result and 1 bit of borrow
13936 ++ * (26 total), so a 32-bit intermediate is sufficient.
13937 ++ */
13938 ++ u32 x = a - b - c;
13939 ++ *low = x & ((1 << 25) - 1);
13940 ++ return x >> 31;
13941 ++}
13942 ++
13943 ++static __always_inline u8 /*bool*/
13944 ++subborrow_u26(u8 /*bool*/ c, u32 a, u32 b, u32 *low)
13945 ++{
13946 ++ /* This function extracts 26 bits of result and 1 bit of borrow
13947 ++ *(27 total), so a 32-bit intermediate is sufficient.
13948 ++ */
13949 ++ u32 x = a - b - c;
13950 ++ *low = x & ((1 << 26) - 1);
13951 ++ return x >> 31;
13952 ++}
13953 ++
13954 ++static __always_inline u32 cmovznz32(u32 t, u32 z, u32 nz)
13955 ++{
13956 ++ t = -!!t; /* all set if nonzero, 0 if 0 */
13957 ++ return (t&nz) | ((~t)&z);
13958 ++}
13959 ++
13960 ++static __always_inline void fe_freeze(u32 out[10], const u32 in1[10])
13961 ++{
13962 ++ { const u32 x17 = in1[9];
13963 ++ { const u32 x18 = in1[8];
13964 ++ { const u32 x16 = in1[7];
13965 ++ { const u32 x14 = in1[6];
13966 ++ { const u32 x12 = in1[5];
13967 ++ { const u32 x10 = in1[4];
13968 ++ { const u32 x8 = in1[3];
13969 ++ { const u32 x6 = in1[2];
13970 ++ { const u32 x4 = in1[1];
13971 ++ { const u32 x2 = in1[0];
13972 ++ { u32 x20; u8/*bool*/ x21 = subborrow_u26(0x0, x2, 0x3ffffed, &x20);
13973 ++ { u32 x23; u8/*bool*/ x24 = subborrow_u25(x21, x4, 0x1ffffff, &x23);
13974 ++ { u32 x26; u8/*bool*/ x27 = subborrow_u26(x24, x6, 0x3ffffff, &x26);
13975 ++ { u32 x29; u8/*bool*/ x30 = subborrow_u25(x27, x8, 0x1ffffff, &x29);
13976 ++ { u32 x32; u8/*bool*/ x33 = subborrow_u26(x30, x10, 0x3ffffff, &x32);
13977 ++ { u32 x35; u8/*bool*/ x36 = subborrow_u25(x33, x12, 0x1ffffff, &x35);
13978 ++ { u32 x38; u8/*bool*/ x39 = subborrow_u26(x36, x14, 0x3ffffff, &x38);
13979 ++ { u32 x41; u8/*bool*/ x42 = subborrow_u25(x39, x16, 0x1ffffff, &x41);
13980 ++ { u32 x44; u8/*bool*/ x45 = subborrow_u26(x42, x18, 0x3ffffff, &x44);
13981 ++ { u32 x47; u8/*bool*/ x48 = subborrow_u25(x45, x17, 0x1ffffff, &x47);
13982 ++ { u32 x49 = cmovznz32(x48, 0x0, 0xffffffff);
13983 ++ { u32 x50 = (x49 & 0x3ffffed);
13984 ++ { u32 x52; u8/*bool*/ x53 = addcarryx_u26(0x0, x20, x50, &x52);
13985 ++ { u32 x54 = (x49 & 0x1ffffff);
13986 ++ { u32 x56; u8/*bool*/ x57 = addcarryx_u25(x53, x23, x54, &x56);
13987 ++ { u32 x58 = (x49 & 0x3ffffff);
13988 ++ { u32 x60; u8/*bool*/ x61 = addcarryx_u26(x57, x26, x58, &x60);
13989 ++ { u32 x62 = (x49 & 0x1ffffff);
13990 ++ { u32 x64; u8/*bool*/ x65 = addcarryx_u25(x61, x29, x62, &x64);
13991 ++ { u32 x66 = (x49 & 0x3ffffff);
13992 ++ { u32 x68; u8/*bool*/ x69 = addcarryx_u26(x65, x32, x66, &x68);
13993 ++ { u32 x70 = (x49 & 0x1ffffff);
13994 ++ { u32 x72; u8/*bool*/ x73 = addcarryx_u25(x69, x35, x70, &x72);
13995 ++ { u32 x74 = (x49 & 0x3ffffff);
13996 ++ { u32 x76; u8/*bool*/ x77 = addcarryx_u26(x73, x38, x74, &x76);
13997 ++ { u32 x78 = (x49 & 0x1ffffff);
13998 ++ { u32 x80; u8/*bool*/ x81 = addcarryx_u25(x77, x41, x78, &x80);
13999 ++ { u32 x82 = (x49 & 0x3ffffff);
14000 ++ { u32 x84; u8/*bool*/ x85 = addcarryx_u26(x81, x44, x82, &x84);
14001 ++ { u32 x86 = (x49 & 0x1ffffff);
14002 ++ { u32 x88; addcarryx_u25(x85, x47, x86, &x88);
14003 ++ out[0] = x52;
14004 ++ out[1] = x56;
14005 ++ out[2] = x60;
14006 ++ out[3] = x64;
14007 ++ out[4] = x68;
14008 ++ out[5] = x72;
14009 ++ out[6] = x76;
14010 ++ out[7] = x80;
14011 ++ out[8] = x84;
14012 ++ out[9] = x88;
14013 ++ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14014 ++}
14015 ++
14016 ++static __always_inline void fe_tobytes(u8 s[32], const fe *f)
14017 ++{
14018 ++ u32 h[10];
14019 ++ fe_freeze(h, f->v);
14020 ++ s[0] = h[0] >> 0;
14021 ++ s[1] = h[0] >> 8;
14022 ++ s[2] = h[0] >> 16;
14023 ++ s[3] = (h[0] >> 24) | (h[1] << 2);
14024 ++ s[4] = h[1] >> 6;
14025 ++ s[5] = h[1] >> 14;
14026 ++ s[6] = (h[1] >> 22) | (h[2] << 3);
14027 ++ s[7] = h[2] >> 5;
14028 ++ s[8] = h[2] >> 13;
14029 ++ s[9] = (h[2] >> 21) | (h[3] << 5);
14030 ++ s[10] = h[3] >> 3;
14031 ++ s[11] = h[3] >> 11;
14032 ++ s[12] = (h[3] >> 19) | (h[4] << 6);
14033 ++ s[13] = h[4] >> 2;
14034 ++ s[14] = h[4] >> 10;
14035 ++ s[15] = h[4] >> 18;
14036 ++ s[16] = h[5] >> 0;
14037 ++ s[17] = h[5] >> 8;
14038 ++ s[18] = h[5] >> 16;
14039 ++ s[19] = (h[5] >> 24) | (h[6] << 1);
14040 ++ s[20] = h[6] >> 7;
14041 ++ s[21] = h[6] >> 15;
14042 ++ s[22] = (h[6] >> 23) | (h[7] << 3);
14043 ++ s[23] = h[7] >> 5;
14044 ++ s[24] = h[7] >> 13;
14045 ++ s[25] = (h[7] >> 21) | (h[8] << 4);
14046 ++ s[26] = h[8] >> 4;
14047 ++ s[27] = h[8] >> 12;
14048 ++ s[28] = (h[8] >> 20) | (h[9] << 6);
14049 ++ s[29] = h[9] >> 2;
14050 ++ s[30] = h[9] >> 10;
14051 ++ s[31] = h[9] >> 18;
14052 ++}
14053 ++
14054 ++/* h = f */
14055 ++static __always_inline void fe_copy(fe *h, const fe *f)
14056 ++{
14057 ++ memmove(h, f, sizeof(u32) * 10);
14058 ++}
14059 ++
14060 ++static __always_inline void fe_copy_lt(fe_loose *h, const fe *f)
14061 ++{
14062 ++ memmove(h, f, sizeof(u32) * 10);
14063 ++}
14064 ++
14065 ++/* h = 0 */
14066 ++static __always_inline void fe_0(fe *h)
14067 ++{
14068 ++ memset(h, 0, sizeof(u32) * 10);
14069 ++}
14070 ++
14071 ++/* h = 1 */
14072 ++static __always_inline void fe_1(fe *h)
14073 ++{
14074 ++ memset(h, 0, sizeof(u32) * 10);
14075 ++ h->v[0] = 1;
14076 ++}
14077 ++
14078 ++static noinline void fe_add_impl(u32 out[10], const u32 in1[10], const u32 in2[10])
14079 ++{
14080 ++ { const u32 x20 = in1[9];
14081 ++ { const u32 x21 = in1[8];
14082 ++ { const u32 x19 = in1[7];
14083 ++ { const u32 x17 = in1[6];
14084 ++ { const u32 x15 = in1[5];
14085 ++ { const u32 x13 = in1[4];
14086 ++ { const u32 x11 = in1[3];
14087 ++ { const u32 x9 = in1[2];
14088 ++ { const u32 x7 = in1[1];
14089 ++ { const u32 x5 = in1[0];
14090 ++ { const u32 x38 = in2[9];
14091 ++ { const u32 x39 = in2[8];
14092 ++ { const u32 x37 = in2[7];
14093 ++ { const u32 x35 = in2[6];
14094 ++ { const u32 x33 = in2[5];
14095 ++ { const u32 x31 = in2[4];
14096 ++ { const u32 x29 = in2[3];
14097 ++ { const u32 x27 = in2[2];
14098 ++ { const u32 x25 = in2[1];
14099 ++ { const u32 x23 = in2[0];
14100 ++ out[0] = (x5 + x23);
14101 ++ out[1] = (x7 + x25);
14102 ++ out[2] = (x9 + x27);
14103 ++ out[3] = (x11 + x29);
14104 ++ out[4] = (x13 + x31);
14105 ++ out[5] = (x15 + x33);
14106 ++ out[6] = (x17 + x35);
14107 ++ out[7] = (x19 + x37);
14108 ++ out[8] = (x21 + x39);
14109 ++ out[9] = (x20 + x38);
14110 ++ }}}}}}}}}}}}}}}}}}}}
14111 ++}
14112 ++
14113 ++/* h = f + g
14114 ++ * Can overlap h with f or g.
14115 ++ */
14116 ++static __always_inline void fe_add(fe_loose *h, const fe *f, const fe *g)
14117 ++{
14118 ++ fe_add_impl(h->v, f->v, g->v);
14119 ++}
14120 ++
14121 ++static noinline void fe_sub_impl(u32 out[10], const u32 in1[10], const u32 in2[10])
14122 ++{
14123 ++ { const u32 x20 = in1[9];
14124 ++ { const u32 x21 = in1[8];
14125 ++ { const u32 x19 = in1[7];
14126 ++ { const u32 x17 = in1[6];
14127 ++ { const u32 x15 = in1[5];
14128 ++ { const u32 x13 = in1[4];
14129 ++ { const u32 x11 = in1[3];
14130 ++ { const u32 x9 = in1[2];
14131 ++ { const u32 x7 = in1[1];
14132 ++ { const u32 x5 = in1[0];
14133 ++ { const u32 x38 = in2[9];
14134 ++ { const u32 x39 = in2[8];
14135 ++ { const u32 x37 = in2[7];
14136 ++ { const u32 x35 = in2[6];
14137 ++ { const u32 x33 = in2[5];
14138 ++ { const u32 x31 = in2[4];
14139 ++ { const u32 x29 = in2[3];
14140 ++ { const u32 x27 = in2[2];
14141 ++ { const u32 x25 = in2[1];
14142 ++ { const u32 x23 = in2[0];
14143 ++ out[0] = ((0x7ffffda + x5) - x23);
14144 ++ out[1] = ((0x3fffffe + x7) - x25);
14145 ++ out[2] = ((0x7fffffe + x9) - x27);
14146 ++ out[3] = ((0x3fffffe + x11) - x29);
14147 ++ out[4] = ((0x7fffffe + x13) - x31);
14148 ++ out[5] = ((0x3fffffe + x15) - x33);
14149 ++ out[6] = ((0x7fffffe + x17) - x35);
14150 ++ out[7] = ((0x3fffffe + x19) - x37);
14151 ++ out[8] = ((0x7fffffe + x21) - x39);
14152 ++ out[9] = ((0x3fffffe + x20) - x38);
14153 ++ }}}}}}}}}}}}}}}}}}}}
14154 ++}
14155 ++
14156 ++/* h = f - g
14157 ++ * Can overlap h with f or g.
14158 ++ */
14159 ++static __always_inline void fe_sub(fe_loose *h, const fe *f, const fe *g)
14160 ++{
14161 ++ fe_sub_impl(h->v, f->v, g->v);
14162 ++}
14163 ++
14164 ++static noinline void fe_mul_impl(u32 out[10], const u32 in1[10], const u32 in2[10])
14165 ++{
14166 ++ { const u32 x20 = in1[9];
14167 ++ { const u32 x21 = in1[8];
14168 ++ { const u32 x19 = in1[7];
14169 ++ { const u32 x17 = in1[6];
14170 ++ { const u32 x15 = in1[5];
14171 ++ { const u32 x13 = in1[4];
14172 ++ { const u32 x11 = in1[3];
14173 ++ { const u32 x9 = in1[2];
14174 ++ { const u32 x7 = in1[1];
14175 ++ { const u32 x5 = in1[0];
14176 ++ { const u32 x38 = in2[9];
14177 ++ { const u32 x39 = in2[8];
14178 ++ { const u32 x37 = in2[7];
14179 ++ { const u32 x35 = in2[6];
14180 ++ { const u32 x33 = in2[5];
14181 ++ { const u32 x31 = in2[4];
14182 ++ { const u32 x29 = in2[3];
14183 ++ { const u32 x27 = in2[2];
14184 ++ { const u32 x25 = in2[1];
14185 ++ { const u32 x23 = in2[0];
14186 ++ { u64 x40 = ((u64)x23 * x5);
14187 ++ { u64 x41 = (((u64)x23 * x7) + ((u64)x25 * x5));
14188 ++ { u64 x42 = ((((u64)(0x2 * x25) * x7) + ((u64)x23 * x9)) + ((u64)x27 * x5));
14189 ++ { u64 x43 = (((((u64)x25 * x9) + ((u64)x27 * x7)) + ((u64)x23 * x11)) + ((u64)x29 * x5));
14190 ++ { u64 x44 = (((((u64)x27 * x9) + (0x2 * (((u64)x25 * x11) + ((u64)x29 * x7)))) + ((u64)x23 * x13)) + ((u64)x31 * x5));
14191 ++ { u64 x45 = (((((((u64)x27 * x11) + ((u64)x29 * x9)) + ((u64)x25 * x13)) + ((u64)x31 * x7)) + ((u64)x23 * x15)) + ((u64)x33 * x5));
14192 ++ { u64 x46 = (((((0x2 * ((((u64)x29 * x11) + ((u64)x25 * x15)) + ((u64)x33 * x7))) + ((u64)x27 * x13)) + ((u64)x31 * x9)) + ((u64)x23 * x17)) + ((u64)x35 * x5));
14193 ++ { u64 x47 = (((((((((u64)x29 * x13) + ((u64)x31 * x11)) + ((u64)x27 * x15)) + ((u64)x33 * x9)) + ((u64)x25 * x17)) + ((u64)x35 * x7)) + ((u64)x23 * x19)) + ((u64)x37 * x5));
14194 ++ { u64 x48 = (((((((u64)x31 * x13) + (0x2 * (((((u64)x29 * x15) + ((u64)x33 * x11)) + ((u64)x25 * x19)) + ((u64)x37 * x7)))) + ((u64)x27 * x17)) + ((u64)x35 * x9)) + ((u64)x23 * x21)) + ((u64)x39 * x5));
14195 ++ { u64 x49 = (((((((((((u64)x31 * x15) + ((u64)x33 * x13)) + ((u64)x29 * x17)) + ((u64)x35 * x11)) + ((u64)x27 * x19)) + ((u64)x37 * x9)) + ((u64)x25 * x21)) + ((u64)x39 * x7)) + ((u64)x23 * x20)) + ((u64)x38 * x5));
14196 ++ { u64 x50 = (((((0x2 * ((((((u64)x33 * x15) + ((u64)x29 * x19)) + ((u64)x37 * x11)) + ((u64)x25 * x20)) + ((u64)x38 * x7))) + ((u64)x31 * x17)) + ((u64)x35 * x13)) + ((u64)x27 * x21)) + ((u64)x39 * x9));
14197 ++ { u64 x51 = (((((((((u64)x33 * x17) + ((u64)x35 * x15)) + ((u64)x31 * x19)) + ((u64)x37 * x13)) + ((u64)x29 * x21)) + ((u64)x39 * x11)) + ((u64)x27 * x20)) + ((u64)x38 * x9));
14198 ++ { u64 x52 = (((((u64)x35 * x17) + (0x2 * (((((u64)x33 * x19) + ((u64)x37 * x15)) + ((u64)x29 * x20)) + ((u64)x38 * x11)))) + ((u64)x31 * x21)) + ((u64)x39 * x13));
14199 ++ { u64 x53 = (((((((u64)x35 * x19) + ((u64)x37 * x17)) + ((u64)x33 * x21)) + ((u64)x39 * x15)) + ((u64)x31 * x20)) + ((u64)x38 * x13));
14200 ++ { u64 x54 = (((0x2 * ((((u64)x37 * x19) + ((u64)x33 * x20)) + ((u64)x38 * x15))) + ((u64)x35 * x21)) + ((u64)x39 * x17));
14201 ++ { u64 x55 = (((((u64)x37 * x21) + ((u64)x39 * x19)) + ((u64)x35 * x20)) + ((u64)x38 * x17));
14202 ++ { u64 x56 = (((u64)x39 * x21) + (0x2 * (((u64)x37 * x20) + ((u64)x38 * x19))));
14203 ++ { u64 x57 = (((u64)x39 * x20) + ((u64)x38 * x21));
14204 ++ { u64 x58 = ((u64)(0x2 * x38) * x20);
14205 ++ { u64 x59 = (x48 + (x58 << 0x4));
14206 ++ { u64 x60 = (x59 + (x58 << 0x1));
14207 ++ { u64 x61 = (x60 + x58);
14208 ++ { u64 x62 = (x47 + (x57 << 0x4));
14209 ++ { u64 x63 = (x62 + (x57 << 0x1));
14210 ++ { u64 x64 = (x63 + x57);
14211 ++ { u64 x65 = (x46 + (x56 << 0x4));
14212 ++ { u64 x66 = (x65 + (x56 << 0x1));
14213 ++ { u64 x67 = (x66 + x56);
14214 ++ { u64 x68 = (x45 + (x55 << 0x4));
14215 ++ { u64 x69 = (x68 + (x55 << 0x1));
14216 ++ { u64 x70 = (x69 + x55);
14217 ++ { u64 x71 = (x44 + (x54 << 0x4));
14218 ++ { u64 x72 = (x71 + (x54 << 0x1));
14219 ++ { u64 x73 = (x72 + x54);
14220 ++ { u64 x74 = (x43 + (x53 << 0x4));
14221 ++ { u64 x75 = (x74 + (x53 << 0x1));
14222 ++ { u64 x76 = (x75 + x53);
14223 ++ { u64 x77 = (x42 + (x52 << 0x4));
14224 ++ { u64 x78 = (x77 + (x52 << 0x1));
14225 ++ { u64 x79 = (x78 + x52);
14226 ++ { u64 x80 = (x41 + (x51 << 0x4));
14227 ++ { u64 x81 = (x80 + (x51 << 0x1));
14228 ++ { u64 x82 = (x81 + x51);
14229 ++ { u64 x83 = (x40 + (x50 << 0x4));
14230 ++ { u64 x84 = (x83 + (x50 << 0x1));
14231 ++ { u64 x85 = (x84 + x50);
14232 ++ { u64 x86 = (x85 >> 0x1a);
14233 ++ { u32 x87 = ((u32)x85 & 0x3ffffff);
14234 ++ { u64 x88 = (x86 + x82);
14235 ++ { u64 x89 = (x88 >> 0x19);
14236 ++ { u32 x90 = ((u32)x88 & 0x1ffffff);
14237 ++ { u64 x91 = (x89 + x79);
14238 ++ { u64 x92 = (x91 >> 0x1a);
14239 ++ { u32 x93 = ((u32)x91 & 0x3ffffff);
14240 ++ { u64 x94 = (x92 + x76);
14241 ++ { u64 x95 = (x94 >> 0x19);
14242 ++ { u32 x96 = ((u32)x94 & 0x1ffffff);
14243 ++ { u64 x97 = (x95 + x73);
14244 ++ { u64 x98 = (x97 >> 0x1a);
14245 ++ { u32 x99 = ((u32)x97 & 0x3ffffff);
14246 ++ { u64 x100 = (x98 + x70);
14247 ++ { u64 x101 = (x100 >> 0x19);
14248 ++ { u32 x102 = ((u32)x100 & 0x1ffffff);
14249 ++ { u64 x103 = (x101 + x67);
14250 ++ { u64 x104 = (x103 >> 0x1a);
14251 ++ { u32 x105 = ((u32)x103 & 0x3ffffff);
14252 ++ { u64 x106 = (x104 + x64);
14253 ++ { u64 x107 = (x106 >> 0x19);
14254 ++ { u32 x108 = ((u32)x106 & 0x1ffffff);
14255 ++ { u64 x109 = (x107 + x61);
14256 ++ { u64 x110 = (x109 >> 0x1a);
14257 ++ { u32 x111 = ((u32)x109 & 0x3ffffff);
14258 ++ { u64 x112 = (x110 + x49);
14259 ++ { u64 x113 = (x112 >> 0x19);
14260 ++ { u32 x114 = ((u32)x112 & 0x1ffffff);
14261 ++ { u64 x115 = (x87 + (0x13 * x113));
14262 ++ { u32 x116 = (u32) (x115 >> 0x1a);
14263 ++ { u32 x117 = ((u32)x115 & 0x3ffffff);
14264 ++ { u32 x118 = (x116 + x90);
14265 ++ { u32 x119 = (x118 >> 0x19);
14266 ++ { u32 x120 = (x118 & 0x1ffffff);
14267 ++ out[0] = x117;
14268 ++ out[1] = x120;
14269 ++ out[2] = (x119 + x93);
14270 ++ out[3] = x96;
14271 ++ out[4] = x99;
14272 ++ out[5] = x102;
14273 ++ out[6] = x105;
14274 ++ out[7] = x108;
14275 ++ out[8] = x111;
14276 ++ out[9] = x114;
14277 ++ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14278 ++}
14279 ++
14280 ++static __always_inline void fe_mul_ttt(fe *h, const fe *f, const fe *g)
14281 ++{
14282 ++ fe_mul_impl(h->v, f->v, g->v);
14283 ++}
14284 ++
14285 ++static __always_inline void fe_mul_tlt(fe *h, const fe_loose *f, const fe *g)
14286 ++{
14287 ++ fe_mul_impl(h->v, f->v, g->v);
14288 ++}
14289 ++
14290 ++static __always_inline void
14291 ++fe_mul_tll(fe *h, const fe_loose *f, const fe_loose *g)
14292 ++{
14293 ++ fe_mul_impl(h->v, f->v, g->v);
14294 ++}
14295 ++
14296 ++static noinline void fe_sqr_impl(u32 out[10], const u32 in1[10])
14297 ++{
14298 ++ { const u32 x17 = in1[9];
14299 ++ { const u32 x18 = in1[8];
14300 ++ { const u32 x16 = in1[7];
14301 ++ { const u32 x14 = in1[6];
14302 ++ { const u32 x12 = in1[5];
14303 ++ { const u32 x10 = in1[4];
14304 ++ { const u32 x8 = in1[3];
14305 ++ { const u32 x6 = in1[2];
14306 ++ { const u32 x4 = in1[1];
14307 ++ { const u32 x2 = in1[0];
14308 ++ { u64 x19 = ((u64)x2 * x2);
14309 ++ { u64 x20 = ((u64)(0x2 * x2) * x4);
14310 ++ { u64 x21 = (0x2 * (((u64)x4 * x4) + ((u64)x2 * x6)));
14311 ++ { u64 x22 = (0x2 * (((u64)x4 * x6) + ((u64)x2 * x8)));
14312 ++ { u64 x23 = ((((u64)x6 * x6) + ((u64)(0x4 * x4) * x8)) + ((u64)(0x2 * x2) * x10));
14313 ++ { u64 x24 = (0x2 * ((((u64)x6 * x8) + ((u64)x4 * x10)) + ((u64)x2 * x12)));
14314 ++ { u64 x25 = (0x2 * (((((u64)x8 * x8) + ((u64)x6 * x10)) + ((u64)x2 * x14)) + ((u64)(0x2 * x4) * x12)));
14315 ++ { u64 x26 = (0x2 * (((((u64)x8 * x10) + ((u64)x6 * x12)) + ((u64)x4 * x14)) + ((u64)x2 * x16)));
14316 ++ { u64 x27 = (((u64)x10 * x10) + (0x2 * ((((u64)x6 * x14) + ((u64)x2 * x18)) + (0x2 * (((u64)x4 * x16) + ((u64)x8 * x12))))));
14317 ++ { u64 x28 = (0x2 * ((((((u64)x10 * x12) + ((u64)x8 * x14)) + ((u64)x6 * x16)) + ((u64)x4 * x18)) + ((u64)x2 * x17)));
14318 ++ { u64 x29 = (0x2 * (((((u64)x12 * x12) + ((u64)x10 * x14)) + ((u64)x6 * x18)) + (0x2 * (((u64)x8 * x16) + ((u64)x4 * x17)))));
14319 ++ { u64 x30 = (0x2 * (((((u64)x12 * x14) + ((u64)x10 * x16)) + ((u64)x8 * x18)) + ((u64)x6 * x17)));
14320 ++ { u64 x31 = (((u64)x14 * x14) + (0x2 * (((u64)x10 * x18) + (0x2 * (((u64)x12 * x16) + ((u64)x8 * x17))))));
14321 ++ { u64 x32 = (0x2 * ((((u64)x14 * x16) + ((u64)x12 * x18)) + ((u64)x10 * x17)));
14322 ++ { u64 x33 = (0x2 * ((((u64)x16 * x16) + ((u64)x14 * x18)) + ((u64)(0x2 * x12) * x17)));
14323 ++ { u64 x34 = (0x2 * (((u64)x16 * x18) + ((u64)x14 * x17)));
14324 ++ { u64 x35 = (((u64)x18 * x18) + ((u64)(0x4 * x16) * x17));
14325 ++ { u64 x36 = ((u64)(0x2 * x18) * x17);
14326 ++ { u64 x37 = ((u64)(0x2 * x17) * x17);
14327 ++ { u64 x38 = (x27 + (x37 << 0x4));
14328 ++ { u64 x39 = (x38 + (x37 << 0x1));
14329 ++ { u64 x40 = (x39 + x37);
14330 ++ { u64 x41 = (x26 + (x36 << 0x4));
14331 ++ { u64 x42 = (x41 + (x36 << 0x1));
14332 ++ { u64 x43 = (x42 + x36);
14333 ++ { u64 x44 = (x25 + (x35 << 0x4));
14334 ++ { u64 x45 = (x44 + (x35 << 0x1));
14335 ++ { u64 x46 = (x45 + x35);
14336 ++ { u64 x47 = (x24 + (x34 << 0x4));
14337 ++ { u64 x48 = (x47 + (x34 << 0x1));
14338 ++ { u64 x49 = (x48 + x34);
14339 ++ { u64 x50 = (x23 + (x33 << 0x4));
14340 ++ { u64 x51 = (x50 + (x33 << 0x1));
14341 ++ { u64 x52 = (x51 + x33);
14342 ++ { u64 x53 = (x22 + (x32 << 0x4));
14343 ++ { u64 x54 = (x53 + (x32 << 0x1));
14344 ++ { u64 x55 = (x54 + x32);
14345 ++ { u64 x56 = (x21 + (x31 << 0x4));
14346 ++ { u64 x57 = (x56 + (x31 << 0x1));
14347 ++ { u64 x58 = (x57 + x31);
14348 ++ { u64 x59 = (x20 + (x30 << 0x4));
14349 ++ { u64 x60 = (x59 + (x30 << 0x1));
14350 ++ { u64 x61 = (x60 + x30);
14351 ++ { u64 x62 = (x19 + (x29 << 0x4));
14352 ++ { u64 x63 = (x62 + (x29 << 0x1));
14353 ++ { u64 x64 = (x63 + x29);
14354 ++ { u64 x65 = (x64 >> 0x1a);
14355 ++ { u32 x66 = ((u32)x64 & 0x3ffffff);
14356 ++ { u64 x67 = (x65 + x61);
14357 ++ { u64 x68 = (x67 >> 0x19);
14358 ++ { u32 x69 = ((u32)x67 & 0x1ffffff);
14359 ++ { u64 x70 = (x68 + x58);
14360 ++ { u64 x71 = (x70 >> 0x1a);
14361 ++ { u32 x72 = ((u32)x70 & 0x3ffffff);
14362 ++ { u64 x73 = (x71 + x55);
14363 ++ { u64 x74 = (x73 >> 0x19);
14364 ++ { u32 x75 = ((u32)x73 & 0x1ffffff);
14365 ++ { u64 x76 = (x74 + x52);
14366 ++ { u64 x77 = (x76 >> 0x1a);
14367 ++ { u32 x78 = ((u32)x76 & 0x3ffffff);
14368 ++ { u64 x79 = (x77 + x49);
14369 ++ { u64 x80 = (x79 >> 0x19);
14370 ++ { u32 x81 = ((u32)x79 & 0x1ffffff);
14371 ++ { u64 x82 = (x80 + x46);
14372 ++ { u64 x83 = (x82 >> 0x1a);
14373 ++ { u32 x84 = ((u32)x82 & 0x3ffffff);
14374 ++ { u64 x85 = (x83 + x43);
14375 ++ { u64 x86 = (x85 >> 0x19);
14376 ++ { u32 x87 = ((u32)x85 & 0x1ffffff);
14377 ++ { u64 x88 = (x86 + x40);
14378 ++ { u64 x89 = (x88 >> 0x1a);
14379 ++ { u32 x90 = ((u32)x88 & 0x3ffffff);
14380 ++ { u64 x91 = (x89 + x28);
14381 ++ { u64 x92 = (x91 >> 0x19);
14382 ++ { u32 x93 = ((u32)x91 & 0x1ffffff);
14383 ++ { u64 x94 = (x66 + (0x13 * x92));
14384 ++ { u32 x95 = (u32) (x94 >> 0x1a);
14385 ++ { u32 x96 = ((u32)x94 & 0x3ffffff);
14386 ++ { u32 x97 = (x95 + x69);
14387 ++ { u32 x98 = (x97 >> 0x19);
14388 ++ { u32 x99 = (x97 & 0x1ffffff);
14389 ++ out[0] = x96;
14390 ++ out[1] = x99;
14391 ++ out[2] = (x98 + x72);
14392 ++ out[3] = x75;
14393 ++ out[4] = x78;
14394 ++ out[5] = x81;
14395 ++ out[6] = x84;
14396 ++ out[7] = x87;
14397 ++ out[8] = x90;
14398 ++ out[9] = x93;
14399 ++ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14400 ++}
14401 ++
14402 ++static __always_inline void fe_sq_tl(fe *h, const fe_loose *f)
14403 ++{
14404 ++ fe_sqr_impl(h->v, f->v);
14405 ++}
14406 ++
14407 ++static __always_inline void fe_sq_tt(fe *h, const fe *f)
14408 ++{
14409 ++ fe_sqr_impl(h->v, f->v);
14410 ++}
14411 ++
14412 ++static __always_inline void fe_loose_invert(fe *out, const fe_loose *z)
14413 ++{
14414 ++ fe t0;
14415 ++ fe t1;
14416 ++ fe t2;
14417 ++ fe t3;
14418 ++ int i;
14419 ++
14420 ++ fe_sq_tl(&t0, z);
14421 ++ fe_sq_tt(&t1, &t0);
14422 ++ for (i = 1; i < 2; ++i)
14423 ++ fe_sq_tt(&t1, &t1);
14424 ++ fe_mul_tlt(&t1, z, &t1);
14425 ++ fe_mul_ttt(&t0, &t0, &t1);
14426 ++ fe_sq_tt(&t2, &t0);
14427 ++ fe_mul_ttt(&t1, &t1, &t2);
14428 ++ fe_sq_tt(&t2, &t1);
14429 ++ for (i = 1; i < 5; ++i)
14430 ++ fe_sq_tt(&t2, &t2);
14431 ++ fe_mul_ttt(&t1, &t2, &t1);
14432 ++ fe_sq_tt(&t2, &t1);
14433 ++ for (i = 1; i < 10; ++i)
14434 ++ fe_sq_tt(&t2, &t2);
14435 ++ fe_mul_ttt(&t2, &t2, &t1);
14436 ++ fe_sq_tt(&t3, &t2);
14437 ++ for (i = 1; i < 20; ++i)
14438 ++ fe_sq_tt(&t3, &t3);
14439 ++ fe_mul_ttt(&t2, &t3, &t2);
14440 ++ fe_sq_tt(&t2, &t2);
14441 ++ for (i = 1; i < 10; ++i)
14442 ++ fe_sq_tt(&t2, &t2);
14443 ++ fe_mul_ttt(&t1, &t2, &t1);
14444 ++ fe_sq_tt(&t2, &t1);
14445 ++ for (i = 1; i < 50; ++i)
14446 ++ fe_sq_tt(&t2, &t2);
14447 ++ fe_mul_ttt(&t2, &t2, &t1);
14448 ++ fe_sq_tt(&t3, &t2);
14449 ++ for (i = 1; i < 100; ++i)
14450 ++ fe_sq_tt(&t3, &t3);
14451 ++ fe_mul_ttt(&t2, &t3, &t2);
14452 ++ fe_sq_tt(&t2, &t2);
14453 ++ for (i = 1; i < 50; ++i)
14454 ++ fe_sq_tt(&t2, &t2);
14455 ++ fe_mul_ttt(&t1, &t2, &t1);
14456 ++ fe_sq_tt(&t1, &t1);
14457 ++ for (i = 1; i < 5; ++i)
14458 ++ fe_sq_tt(&t1, &t1);
14459 ++ fe_mul_ttt(out, &t1, &t0);
14460 ++}
14461 ++
14462 ++static __always_inline void fe_invert(fe *out, const fe *z)
14463 ++{
14464 ++ fe_loose l;
14465 ++ fe_copy_lt(&l, z);
14466 ++ fe_loose_invert(out, &l);
14467 ++}
14468 ++
14469 ++/* Replace (f,g) with (g,f) if b == 1;
14470 ++ * replace (f,g) with (f,g) if b == 0.
14471 ++ *
14472 ++ * Preconditions: b in {0,1}
14473 ++ */
14474 ++static noinline void fe_cswap(fe *f, fe *g, unsigned int b)
14475 ++{
14476 ++ unsigned i;
14477 ++ b = 0 - b;
14478 ++ for (i = 0; i < 10; i++) {
14479 ++ u32 x = f->v[i] ^ g->v[i];
14480 ++ x &= b;
14481 ++ f->v[i] ^= x;
14482 ++ g->v[i] ^= x;
14483 ++ }
14484 ++}
14485 ++
14486 ++/* NOTE: based on fiat-crypto fe_mul, edited for in2=121666, 0, 0.*/
14487 ++static __always_inline void fe_mul_121666_impl(u32 out[10], const u32 in1[10])
14488 ++{
14489 ++ { const u32 x20 = in1[9];
14490 ++ { const u32 x21 = in1[8];
14491 ++ { const u32 x19 = in1[7];
14492 ++ { const u32 x17 = in1[6];
14493 ++ { const u32 x15 = in1[5];
14494 ++ { const u32 x13 = in1[4];
14495 ++ { const u32 x11 = in1[3];
14496 ++ { const u32 x9 = in1[2];
14497 ++ { const u32 x7 = in1[1];
14498 ++ { const u32 x5 = in1[0];
14499 ++ { const u32 x38 = 0;
14500 ++ { const u32 x39 = 0;
14501 ++ { const u32 x37 = 0;
14502 ++ { const u32 x35 = 0;
14503 ++ { const u32 x33 = 0;
14504 ++ { const u32 x31 = 0;
14505 ++ { const u32 x29 = 0;
14506 ++ { const u32 x27 = 0;
14507 ++ { const u32 x25 = 0;
14508 ++ { const u32 x23 = 121666;
14509 ++ { u64 x40 = ((u64)x23 * x5);
14510 ++ { u64 x41 = (((u64)x23 * x7) + ((u64)x25 * x5));
14511 ++ { u64 x42 = ((((u64)(0x2 * x25) * x7) + ((u64)x23 * x9)) + ((u64)x27 * x5));
14512 ++ { u64 x43 = (((((u64)x25 * x9) + ((u64)x27 * x7)) + ((u64)x23 * x11)) + ((u64)x29 * x5));
14513 ++ { u64 x44 = (((((u64)x27 * x9) + (0x2 * (((u64)x25 * x11) + ((u64)x29 * x7)))) + ((u64)x23 * x13)) + ((u64)x31 * x5));
14514 ++ { u64 x45 = (((((((u64)x27 * x11) + ((u64)x29 * x9)) + ((u64)x25 * x13)) + ((u64)x31 * x7)) + ((u64)x23 * x15)) + ((u64)x33 * x5));
14515 ++ { u64 x46 = (((((0x2 * ((((u64)x29 * x11) + ((u64)x25 * x15)) + ((u64)x33 * x7))) + ((u64)x27 * x13)) + ((u64)x31 * x9)) + ((u64)x23 * x17)) + ((u64)x35 * x5));
14516 ++ { u64 x47 = (((((((((u64)x29 * x13) + ((u64)x31 * x11)) + ((u64)x27 * x15)) + ((u64)x33 * x9)) + ((u64)x25 * x17)) + ((u64)x35 * x7)) + ((u64)x23 * x19)) + ((u64)x37 * x5));
14517 ++ { u64 x48 = (((((((u64)x31 * x13) + (0x2 * (((((u64)x29 * x15) + ((u64)x33 * x11)) + ((u64)x25 * x19)) + ((u64)x37 * x7)))) + ((u64)x27 * x17)) + ((u64)x35 * x9)) + ((u64)x23 * x21)) + ((u64)x39 * x5));
14518 ++ { u64 x49 = (((((((((((u64)x31 * x15) + ((u64)x33 * x13)) + ((u64)x29 * x17)) + ((u64)x35 * x11)) + ((u64)x27 * x19)) + ((u64)x37 * x9)) + ((u64)x25 * x21)) + ((u64)x39 * x7)) + ((u64)x23 * x20)) + ((u64)x38 * x5));
14519 ++ { u64 x50 = (((((0x2 * ((((((u64)x33 * x15) + ((u64)x29 * x19)) + ((u64)x37 * x11)) + ((u64)x25 * x20)) + ((u64)x38 * x7))) + ((u64)x31 * x17)) + ((u64)x35 * x13)) + ((u64)x27 * x21)) + ((u64)x39 * x9));
14520 ++ { u64 x51 = (((((((((u64)x33 * x17) + ((u64)x35 * x15)) + ((u64)x31 * x19)) + ((u64)x37 * x13)) + ((u64)x29 * x21)) + ((u64)x39 * x11)) + ((u64)x27 * x20)) + ((u64)x38 * x9));
14521 ++ { u64 x52 = (((((u64)x35 * x17) + (0x2 * (((((u64)x33 * x19) + ((u64)x37 * x15)) + ((u64)x29 * x20)) + ((u64)x38 * x11)))) + ((u64)x31 * x21)) + ((u64)x39 * x13));
14522 ++ { u64 x53 = (((((((u64)x35 * x19) + ((u64)x37 * x17)) + ((u64)x33 * x21)) + ((u64)x39 * x15)) + ((u64)x31 * x20)) + ((u64)x38 * x13));
14523 ++ { u64 x54 = (((0x2 * ((((u64)x37 * x19) + ((u64)x33 * x20)) + ((u64)x38 * x15))) + ((u64)x35 * x21)) + ((u64)x39 * x17));
14524 ++ { u64 x55 = (((((u64)x37 * x21) + ((u64)x39 * x19)) + ((u64)x35 * x20)) + ((u64)x38 * x17));
14525 ++ { u64 x56 = (((u64)x39 * x21) + (0x2 * (((u64)x37 * x20) + ((u64)x38 * x19))));
14526 ++ { u64 x57 = (((u64)x39 * x20) + ((u64)x38 * x21));
14527 ++ { u64 x58 = ((u64)(0x2 * x38) * x20);
14528 ++ { u64 x59 = (x48 + (x58 << 0x4));
14529 ++ { u64 x60 = (x59 + (x58 << 0x1));
14530 ++ { u64 x61 = (x60 + x58);
14531 ++ { u64 x62 = (x47 + (x57 << 0x4));
14532 ++ { u64 x63 = (x62 + (x57 << 0x1));
14533 ++ { u64 x64 = (x63 + x57);
14534 ++ { u64 x65 = (x46 + (x56 << 0x4));
14535 ++ { u64 x66 = (x65 + (x56 << 0x1));
14536 ++ { u64 x67 = (x66 + x56);
14537 ++ { u64 x68 = (x45 + (x55 << 0x4));
14538 ++ { u64 x69 = (x68 + (x55 << 0x1));
14539 ++ { u64 x70 = (x69 + x55);
14540 ++ { u64 x71 = (x44 + (x54 << 0x4));
14541 ++ { u64 x72 = (x71 + (x54 << 0x1));
14542 ++ { u64 x73 = (x72 + x54);
14543 ++ { u64 x74 = (x43 + (x53 << 0x4));
14544 ++ { u64 x75 = (x74 + (x53 << 0x1));
14545 ++ { u64 x76 = (x75 + x53);
14546 ++ { u64 x77 = (x42 + (x52 << 0x4));
14547 ++ { u64 x78 = (x77 + (x52 << 0x1));
14548 ++ { u64 x79 = (x78 + x52);
14549 ++ { u64 x80 = (x41 + (x51 << 0x4));
14550 ++ { u64 x81 = (x80 + (x51 << 0x1));
14551 ++ { u64 x82 = (x81 + x51);
14552 ++ { u64 x83 = (x40 + (x50 << 0x4));
14553 ++ { u64 x84 = (x83 + (x50 << 0x1));
14554 ++ { u64 x85 = (x84 + x50);
14555 ++ { u64 x86 = (x85 >> 0x1a);
14556 ++ { u32 x87 = ((u32)x85 & 0x3ffffff);
14557 ++ { u64 x88 = (x86 + x82);
14558 ++ { u64 x89 = (x88 >> 0x19);
14559 ++ { u32 x90 = ((u32)x88 & 0x1ffffff);
14560 ++ { u64 x91 = (x89 + x79);
14561 ++ { u64 x92 = (x91 >> 0x1a);
14562 ++ { u32 x93 = ((u32)x91 & 0x3ffffff);
14563 ++ { u64 x94 = (x92 + x76);
14564 ++ { u64 x95 = (x94 >> 0x19);
14565 ++ { u32 x96 = ((u32)x94 & 0x1ffffff);
14566 ++ { u64 x97 = (x95 + x73);
14567 ++ { u64 x98 = (x97 >> 0x1a);
14568 ++ { u32 x99 = ((u32)x97 & 0x3ffffff);
14569 ++ { u64 x100 = (x98 + x70);
14570 ++ { u64 x101 = (x100 >> 0x19);
14571 ++ { u32 x102 = ((u32)x100 & 0x1ffffff);
14572 ++ { u64 x103 = (x101 + x67);
14573 ++ { u64 x104 = (x103 >> 0x1a);
14574 ++ { u32 x105 = ((u32)x103 & 0x3ffffff);
14575 ++ { u64 x106 = (x104 + x64);
14576 ++ { u64 x107 = (x106 >> 0x19);
14577 ++ { u32 x108 = ((u32)x106 & 0x1ffffff);
14578 ++ { u64 x109 = (x107 + x61);
14579 ++ { u64 x110 = (x109 >> 0x1a);
14580 ++ { u32 x111 = ((u32)x109 & 0x3ffffff);
14581 ++ { u64 x112 = (x110 + x49);
14582 ++ { u64 x113 = (x112 >> 0x19);
14583 ++ { u32 x114 = ((u32)x112 & 0x1ffffff);
14584 ++ { u64 x115 = (x87 + (0x13 * x113));
14585 ++ { u32 x116 = (u32) (x115 >> 0x1a);
14586 ++ { u32 x117 = ((u32)x115 & 0x3ffffff);
14587 ++ { u32 x118 = (x116 + x90);
14588 ++ { u32 x119 = (x118 >> 0x19);
14589 ++ { u32 x120 = (x118 & 0x1ffffff);
14590 ++ out[0] = x117;
14591 ++ out[1] = x120;
14592 ++ out[2] = (x119 + x93);
14593 ++ out[3] = x96;
14594 ++ out[4] = x99;
14595 ++ out[5] = x102;
14596 ++ out[6] = x105;
14597 ++ out[7] = x108;
14598 ++ out[8] = x111;
14599 ++ out[9] = x114;
14600 ++ }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
14601 ++}
14602 ++
14603 ++static __always_inline void fe_mul121666(fe *h, const fe_loose *f)
14604 ++{
14605 ++ fe_mul_121666_impl(h->v, f->v);
14606 ++}
14607 ++
14608 ++void curve25519_generic(u8 out[CURVE25519_KEY_SIZE],
14609 ++ const u8 scalar[CURVE25519_KEY_SIZE],
14610 ++ const u8 point[CURVE25519_KEY_SIZE])
14611 ++{
14612 ++ fe x1, x2, z2, x3, z3;
14613 ++ fe_loose x2l, z2l, x3l;
14614 ++ unsigned swap = 0;
14615 ++ int pos;
14616 ++ u8 e[32];
14617 ++
14618 ++ memcpy(e, scalar, 32);
14619 ++ curve25519_clamp_secret(e);
14620 ++
14621 ++ /* The following implementation was transcribed to Coq and proven to
14622 ++ * correspond to unary scalar multiplication in affine coordinates given
14623 ++ * that x1 != 0 is the x coordinate of some point on the curve. It was
14624 ++ * also checked in Coq that doing a ladderstep with x1 = x3 = 0 gives
14625 ++ * z2' = z3' = 0, and z2 = z3 = 0 gives z2' = z3' = 0. The statement was
14626 ++ * quantified over the underlying field, so it applies to Curve25519
14627 ++ * itself and the quadratic twist of Curve25519. It was not proven in
14628 ++ * Coq that prime-field arithmetic correctly simulates extension-field
14629 ++ * arithmetic on prime-field values. The decoding of the byte array
14630 ++ * representation of e was not considered.
14631 ++ *
14632 ++ * Specification of Montgomery curves in affine coordinates:
14633 ++ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Spec/MontgomeryCurve.v#L27>
14634 ++ *
14635 ++ * Proof that these form a group that is isomorphic to a Weierstrass
14636 ++ * curve:
14637 ++ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/AffineProofs.v#L35>
14638 ++ *
14639 ++ * Coq transcription and correctness proof of the loop
14640 ++ * (where scalarbits=255):
14641 ++ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZ.v#L118>
14642 ++ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L278>
14643 ++ * preconditions: 0 <= e < 2^255 (not necessarily e < order),
14644 ++ * fe_invert(0) = 0
14645 ++ */
14646 ++ fe_frombytes(&x1, point);
14647 ++ fe_1(&x2);
14648 ++ fe_0(&z2);
14649 ++ fe_copy(&x3, &x1);
14650 ++ fe_1(&z3);
14651 ++
14652 ++ for (pos = 254; pos >= 0; --pos) {
14653 ++ fe tmp0, tmp1;
14654 ++ fe_loose tmp0l, tmp1l;
14655 ++ /* loop invariant as of right before the test, for the case
14656 ++ * where x1 != 0:
14657 ++ * pos >= -1; if z2 = 0 then x2 is nonzero; if z3 = 0 then x3
14658 ++ * is nonzero
14659 ++ * let r := e >> (pos+1) in the following equalities of
14660 ++ * projective points:
14661 ++ * to_xz (r*P) === if swap then (x3, z3) else (x2, z2)
14662 ++ * to_xz ((r+1)*P) === if swap then (x2, z2) else (x3, z3)
14663 ++ * x1 is the nonzero x coordinate of the nonzero
14664 ++ * point (r*P-(r+1)*P)
14665 ++ */
14666 ++ unsigned b = 1 & (e[pos / 8] >> (pos & 7));
14667 ++ swap ^= b;
14668 ++ fe_cswap(&x2, &x3, swap);
14669 ++ fe_cswap(&z2, &z3, swap);
14670 ++ swap = b;
14671 ++ /* Coq transcription of ladderstep formula (called from
14672 ++ * transcribed loop):
14673 ++ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZ.v#L89>
14674 ++ * <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L131>
14675 ++ * x1 != 0 <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L217>
14676 ++ * x1 = 0 <https://github.com/mit-plv/fiat-crypto/blob/2456d821825521f7e03e65882cc3521795b0320f/src/Curves/Montgomery/XZProofs.v#L147>
14677 ++ */
14678 ++ fe_sub(&tmp0l, &x3, &z3);
14679 ++ fe_sub(&tmp1l, &x2, &z2);
14680 ++ fe_add(&x2l, &x2, &z2);
14681 ++ fe_add(&z2l, &x3, &z3);
14682 ++ fe_mul_tll(&z3, &tmp0l, &x2l);
14683 ++ fe_mul_tll(&z2, &z2l, &tmp1l);
14684 ++ fe_sq_tl(&tmp0, &tmp1l);
14685 ++ fe_sq_tl(&tmp1, &x2l);
14686 ++ fe_add(&x3l, &z3, &z2);
14687 ++ fe_sub(&z2l, &z3, &z2);
14688 ++ fe_mul_ttt(&x2, &tmp1, &tmp0);
14689 ++ fe_sub(&tmp1l, &tmp1, &tmp0);
14690 ++ fe_sq_tl(&z2, &z2l);
14691 ++ fe_mul121666(&z3, &tmp1l);
14692 ++ fe_sq_tl(&x3, &x3l);
14693 ++ fe_add(&tmp0l, &tmp0, &z3);
14694 ++ fe_mul_ttt(&z3, &x1, &z2);
14695 ++ fe_mul_tll(&z2, &tmp1l, &tmp0l);
14696 ++ }
14697 ++ /* here pos=-1, so r=e, so to_xz (e*P) === if swap then (x3, z3)
14698 ++ * else (x2, z2)
14699 ++ */
14700 ++ fe_cswap(&x2, &x3, swap);
14701 ++ fe_cswap(&z2, &z3, swap);
14702 ++
14703 ++ fe_invert(&z2, &z2);
14704 ++ fe_mul_ttt(&x2, &x2, &z2);
14705 ++ fe_tobytes(out, &x2);
14706 ++
14707 ++ memzero_explicit(&x1, sizeof(x1));
14708 ++ memzero_explicit(&x2, sizeof(x2));
14709 ++ memzero_explicit(&z2, sizeof(z2));
14710 ++ memzero_explicit(&x3, sizeof(x3));
14711 ++ memzero_explicit(&z3, sizeof(z3));
14712 ++ memzero_explicit(&x2l, sizeof(x2l));
14713 ++ memzero_explicit(&z2l, sizeof(z2l));
14714 ++ memzero_explicit(&x3l, sizeof(x3l));
14715 ++ memzero_explicit(&e, sizeof(e));
14716 ++}
14717 +--- /dev/null
14718 ++++ b/lib/crypto/curve25519-hacl64.c
14719 +@@ -0,0 +1,788 @@
14720 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
14721 ++/*
14722 ++ * Copyright (C) 2016-2017 INRIA and Microsoft Corporation.
14723 ++ * Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
14724 ++ *
14725 ++ * This is a machine-generated formally verified implementation of Curve25519
14726 ++ * ECDH from: <https://github.com/mitls/hacl-star>. Though originally machine
14727 ++ * generated, it has been tweaked to be suitable for use in the kernel. It is
14728 ++ * optimized for 64-bit machines that can efficiently work with 128-bit
14729 ++ * integer types.
14730 ++ */
14731 ++
14732 ++#include <asm/unaligned.h>
14733 ++#include <crypto/curve25519.h>
14734 ++#include <linux/string.h>
14735 ++
14736 ++typedef __uint128_t u128;
14737 ++
14738 ++static __always_inline u64 u64_eq_mask(u64 a, u64 b)
14739 ++{
14740 ++ u64 x = a ^ b;
14741 ++ u64 minus_x = ~x + (u64)1U;
14742 ++ u64 x_or_minus_x = x | minus_x;
14743 ++ u64 xnx = x_or_minus_x >> (u32)63U;
14744 ++ u64 c = xnx - (u64)1U;
14745 ++ return c;
14746 ++}
14747 ++
14748 ++static __always_inline u64 u64_gte_mask(u64 a, u64 b)
14749 ++{
14750 ++ u64 x = a;
14751 ++ u64 y = b;
14752 ++ u64 x_xor_y = x ^ y;
14753 ++ u64 x_sub_y = x - y;
14754 ++ u64 x_sub_y_xor_y = x_sub_y ^ y;
14755 ++ u64 q = x_xor_y | x_sub_y_xor_y;
14756 ++ u64 x_xor_q = x ^ q;
14757 ++ u64 x_xor_q_ = x_xor_q >> (u32)63U;
14758 ++ u64 c = x_xor_q_ - (u64)1U;
14759 ++ return c;
14760 ++}
14761 ++
14762 ++static __always_inline void modulo_carry_top(u64 *b)
14763 ++{
14764 ++ u64 b4 = b[4];
14765 ++ u64 b0 = b[0];
14766 ++ u64 b4_ = b4 & 0x7ffffffffffffLLU;
14767 ++ u64 b0_ = b0 + 19 * (b4 >> 51);
14768 ++ b[4] = b4_;
14769 ++ b[0] = b0_;
14770 ++}
14771 ++
14772 ++static __always_inline void fproduct_copy_from_wide_(u64 *output, u128 *input)
14773 ++{
14774 ++ {
14775 ++ u128 xi = input[0];
14776 ++ output[0] = ((u64)(xi));
14777 ++ }
14778 ++ {
14779 ++ u128 xi = input[1];
14780 ++ output[1] = ((u64)(xi));
14781 ++ }
14782 ++ {
14783 ++ u128 xi = input[2];
14784 ++ output[2] = ((u64)(xi));
14785 ++ }
14786 ++ {
14787 ++ u128 xi = input[3];
14788 ++ output[3] = ((u64)(xi));
14789 ++ }
14790 ++ {
14791 ++ u128 xi = input[4];
14792 ++ output[4] = ((u64)(xi));
14793 ++ }
14794 ++}
14795 ++
14796 ++static __always_inline void
14797 ++fproduct_sum_scalar_multiplication_(u128 *output, u64 *input, u64 s)
14798 ++{
14799 ++ output[0] += (u128)input[0] * s;
14800 ++ output[1] += (u128)input[1] * s;
14801 ++ output[2] += (u128)input[2] * s;
14802 ++ output[3] += (u128)input[3] * s;
14803 ++ output[4] += (u128)input[4] * s;
14804 ++}
14805 ++
14806 ++static __always_inline void fproduct_carry_wide_(u128 *tmp)
14807 ++{
14808 ++ {
14809 ++ u32 ctr = 0;
14810 ++ u128 tctr = tmp[ctr];
14811 ++ u128 tctrp1 = tmp[ctr + 1];
14812 ++ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14813 ++ u128 c = ((tctr) >> (51));
14814 ++ tmp[ctr] = ((u128)(r0));
14815 ++ tmp[ctr + 1] = ((tctrp1) + (c));
14816 ++ }
14817 ++ {
14818 ++ u32 ctr = 1;
14819 ++ u128 tctr = tmp[ctr];
14820 ++ u128 tctrp1 = tmp[ctr + 1];
14821 ++ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14822 ++ u128 c = ((tctr) >> (51));
14823 ++ tmp[ctr] = ((u128)(r0));
14824 ++ tmp[ctr + 1] = ((tctrp1) + (c));
14825 ++ }
14826 ++
14827 ++ {
14828 ++ u32 ctr = 2;
14829 ++ u128 tctr = tmp[ctr];
14830 ++ u128 tctrp1 = tmp[ctr + 1];
14831 ++ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14832 ++ u128 c = ((tctr) >> (51));
14833 ++ tmp[ctr] = ((u128)(r0));
14834 ++ tmp[ctr + 1] = ((tctrp1) + (c));
14835 ++ }
14836 ++ {
14837 ++ u32 ctr = 3;
14838 ++ u128 tctr = tmp[ctr];
14839 ++ u128 tctrp1 = tmp[ctr + 1];
14840 ++ u64 r0 = ((u64)(tctr)) & 0x7ffffffffffffLLU;
14841 ++ u128 c = ((tctr) >> (51));
14842 ++ tmp[ctr] = ((u128)(r0));
14843 ++ tmp[ctr + 1] = ((tctrp1) + (c));
14844 ++ }
14845 ++}
14846 ++
14847 ++static __always_inline void fmul_shift_reduce(u64 *output)
14848 ++{
14849 ++ u64 tmp = output[4];
14850 ++ u64 b0;
14851 ++ {
14852 ++ u32 ctr = 5 - 0 - 1;
14853 ++ u64 z = output[ctr - 1];
14854 ++ output[ctr] = z;
14855 ++ }
14856 ++ {
14857 ++ u32 ctr = 5 - 1 - 1;
14858 ++ u64 z = output[ctr - 1];
14859 ++ output[ctr] = z;
14860 ++ }
14861 ++ {
14862 ++ u32 ctr = 5 - 2 - 1;
14863 ++ u64 z = output[ctr - 1];
14864 ++ output[ctr] = z;
14865 ++ }
14866 ++ {
14867 ++ u32 ctr = 5 - 3 - 1;
14868 ++ u64 z = output[ctr - 1];
14869 ++ output[ctr] = z;
14870 ++ }
14871 ++ output[0] = tmp;
14872 ++ b0 = output[0];
14873 ++ output[0] = 19 * b0;
14874 ++}
14875 ++
14876 ++static __always_inline void fmul_mul_shift_reduce_(u128 *output, u64 *input,
14877 ++ u64 *input21)
14878 ++{
14879 ++ u32 i;
14880 ++ u64 input2i;
14881 ++ {
14882 ++ u64 input2i = input21[0];
14883 ++ fproduct_sum_scalar_multiplication_(output, input, input2i);
14884 ++ fmul_shift_reduce(input);
14885 ++ }
14886 ++ {
14887 ++ u64 input2i = input21[1];
14888 ++ fproduct_sum_scalar_multiplication_(output, input, input2i);
14889 ++ fmul_shift_reduce(input);
14890 ++ }
14891 ++ {
14892 ++ u64 input2i = input21[2];
14893 ++ fproduct_sum_scalar_multiplication_(output, input, input2i);
14894 ++ fmul_shift_reduce(input);
14895 ++ }
14896 ++ {
14897 ++ u64 input2i = input21[3];
14898 ++ fproduct_sum_scalar_multiplication_(output, input, input2i);
14899 ++ fmul_shift_reduce(input);
14900 ++ }
14901 ++ i = 4;
14902 ++ input2i = input21[i];
14903 ++ fproduct_sum_scalar_multiplication_(output, input, input2i);
14904 ++}
14905 ++
14906 ++static __always_inline void fmul_fmul(u64 *output, u64 *input, u64 *input21)
14907 ++{
14908 ++ u64 tmp[5] = { input[0], input[1], input[2], input[3], input[4] };
14909 ++ {
14910 ++ u128 b4;
14911 ++ u128 b0;
14912 ++ u128 b4_;
14913 ++ u128 b0_;
14914 ++ u64 i0;
14915 ++ u64 i1;
14916 ++ u64 i0_;
14917 ++ u64 i1_;
14918 ++ u128 t[5] = { 0 };
14919 ++ fmul_mul_shift_reduce_(t, tmp, input21);
14920 ++ fproduct_carry_wide_(t);
14921 ++ b4 = t[4];
14922 ++ b0 = t[0];
14923 ++ b4_ = ((b4) & (((u128)(0x7ffffffffffffLLU))));
14924 ++ b0_ = ((b0) + (((u128)(19) * (((u64)(((b4) >> (51))))))));
14925 ++ t[4] = b4_;
14926 ++ t[0] = b0_;
14927 ++ fproduct_copy_from_wide_(output, t);
14928 ++ i0 = output[0];
14929 ++ i1 = output[1];
14930 ++ i0_ = i0 & 0x7ffffffffffffLLU;
14931 ++ i1_ = i1 + (i0 >> 51);
14932 ++ output[0] = i0_;
14933 ++ output[1] = i1_;
14934 ++ }
14935 ++}
14936 ++
14937 ++static __always_inline void fsquare_fsquare__(u128 *tmp, u64 *output)
14938 ++{
14939 ++ u64 r0 = output[0];
14940 ++ u64 r1 = output[1];
14941 ++ u64 r2 = output[2];
14942 ++ u64 r3 = output[3];
14943 ++ u64 r4 = output[4];
14944 ++ u64 d0 = r0 * 2;
14945 ++ u64 d1 = r1 * 2;
14946 ++ u64 d2 = r2 * 2 * 19;
14947 ++ u64 d419 = r4 * 19;
14948 ++ u64 d4 = d419 * 2;
14949 ++ u128 s0 = ((((((u128)(r0) * (r0))) + (((u128)(d4) * (r1))))) +
14950 ++ (((u128)(d2) * (r3))));
14951 ++ u128 s1 = ((((((u128)(d0) * (r1))) + (((u128)(d4) * (r2))))) +
14952 ++ (((u128)(r3 * 19) * (r3))));
14953 ++ u128 s2 = ((((((u128)(d0) * (r2))) + (((u128)(r1) * (r1))))) +
14954 ++ (((u128)(d4) * (r3))));
14955 ++ u128 s3 = ((((((u128)(d0) * (r3))) + (((u128)(d1) * (r2))))) +
14956 ++ (((u128)(r4) * (d419))));
14957 ++ u128 s4 = ((((((u128)(d0) * (r4))) + (((u128)(d1) * (r3))))) +
14958 ++ (((u128)(r2) * (r2))));
14959 ++ tmp[0] = s0;
14960 ++ tmp[1] = s1;
14961 ++ tmp[2] = s2;
14962 ++ tmp[3] = s3;
14963 ++ tmp[4] = s4;
14964 ++}
14965 ++
14966 ++static __always_inline void fsquare_fsquare_(u128 *tmp, u64 *output)
14967 ++{
14968 ++ u128 b4;
14969 ++ u128 b0;
14970 ++ u128 b4_;
14971 ++ u128 b0_;
14972 ++ u64 i0;
14973 ++ u64 i1;
14974 ++ u64 i0_;
14975 ++ u64 i1_;
14976 ++ fsquare_fsquare__(tmp, output);
14977 ++ fproduct_carry_wide_(tmp);
14978 ++ b4 = tmp[4];
14979 ++ b0 = tmp[0];
14980 ++ b4_ = ((b4) & (((u128)(0x7ffffffffffffLLU))));
14981 ++ b0_ = ((b0) + (((u128)(19) * (((u64)(((b4) >> (51))))))));
14982 ++ tmp[4] = b4_;
14983 ++ tmp[0] = b0_;
14984 ++ fproduct_copy_from_wide_(output, tmp);
14985 ++ i0 = output[0];
14986 ++ i1 = output[1];
14987 ++ i0_ = i0 & 0x7ffffffffffffLLU;
14988 ++ i1_ = i1 + (i0 >> 51);
14989 ++ output[0] = i0_;
14990 ++ output[1] = i1_;
14991 ++}
14992 ++
14993 ++static __always_inline void fsquare_fsquare_times_(u64 *output, u128 *tmp,
14994 ++ u32 count1)
14995 ++{
14996 ++ u32 i;
14997 ++ fsquare_fsquare_(tmp, output);
14998 ++ for (i = 1; i < count1; ++i)
14999 ++ fsquare_fsquare_(tmp, output);
15000 ++}
15001 ++
15002 ++static __always_inline void fsquare_fsquare_times(u64 *output, u64 *input,
15003 ++ u32 count1)
15004 ++{
15005 ++ u128 t[5];
15006 ++ memcpy(output, input, 5 * sizeof(*input));
15007 ++ fsquare_fsquare_times_(output, t, count1);
15008 ++}
15009 ++
15010 ++static __always_inline void fsquare_fsquare_times_inplace(u64 *output,
15011 ++ u32 count1)
15012 ++{
15013 ++ u128 t[5];
15014 ++ fsquare_fsquare_times_(output, t, count1);
15015 ++}
15016 ++
15017 ++static __always_inline void crecip_crecip(u64 *out, u64 *z)
15018 ++{
15019 ++ u64 buf[20] = { 0 };
15020 ++ u64 *a0 = buf;
15021 ++ u64 *t00 = buf + 5;
15022 ++ u64 *b0 = buf + 10;
15023 ++ u64 *t01;
15024 ++ u64 *b1;
15025 ++ u64 *c0;
15026 ++ u64 *a;
15027 ++ u64 *t0;
15028 ++ u64 *b;
15029 ++ u64 *c;
15030 ++ fsquare_fsquare_times(a0, z, 1);
15031 ++ fsquare_fsquare_times(t00, a0, 2);
15032 ++ fmul_fmul(b0, t00, z);
15033 ++ fmul_fmul(a0, b0, a0);
15034 ++ fsquare_fsquare_times(t00, a0, 1);
15035 ++ fmul_fmul(b0, t00, b0);
15036 ++ fsquare_fsquare_times(t00, b0, 5);
15037 ++ t01 = buf + 5;
15038 ++ b1 = buf + 10;
15039 ++ c0 = buf + 15;
15040 ++ fmul_fmul(b1, t01, b1);
15041 ++ fsquare_fsquare_times(t01, b1, 10);
15042 ++ fmul_fmul(c0, t01, b1);
15043 ++ fsquare_fsquare_times(t01, c0, 20);
15044 ++ fmul_fmul(t01, t01, c0);
15045 ++ fsquare_fsquare_times_inplace(t01, 10);
15046 ++ fmul_fmul(b1, t01, b1);
15047 ++ fsquare_fsquare_times(t01, b1, 50);
15048 ++ a = buf;
15049 ++ t0 = buf + 5;
15050 ++ b = buf + 10;
15051 ++ c = buf + 15;
15052 ++ fmul_fmul(c, t0, b);
15053 ++ fsquare_fsquare_times(t0, c, 100);
15054 ++ fmul_fmul(t0, t0, c);
15055 ++ fsquare_fsquare_times_inplace(t0, 50);
15056 ++ fmul_fmul(t0, t0, b);
15057 ++ fsquare_fsquare_times_inplace(t0, 5);
15058 ++ fmul_fmul(out, t0, a);
15059 ++}
15060 ++
15061 ++static __always_inline void fsum(u64 *a, u64 *b)
15062 ++{
15063 ++ a[0] += b[0];
15064 ++ a[1] += b[1];
15065 ++ a[2] += b[2];
15066 ++ a[3] += b[3];
15067 ++ a[4] += b[4];
15068 ++}
15069 ++
15070 ++static __always_inline void fdifference(u64 *a, u64 *b)
15071 ++{
15072 ++ u64 tmp[5] = { 0 };
15073 ++ u64 b0;
15074 ++ u64 b1;
15075 ++ u64 b2;
15076 ++ u64 b3;
15077 ++ u64 b4;
15078 ++ memcpy(tmp, b, 5 * sizeof(*b));
15079 ++ b0 = tmp[0];
15080 ++ b1 = tmp[1];
15081 ++ b2 = tmp[2];
15082 ++ b3 = tmp[3];
15083 ++ b4 = tmp[4];
15084 ++ tmp[0] = b0 + 0x3fffffffffff68LLU;
15085 ++ tmp[1] = b1 + 0x3ffffffffffff8LLU;
15086 ++ tmp[2] = b2 + 0x3ffffffffffff8LLU;
15087 ++ tmp[3] = b3 + 0x3ffffffffffff8LLU;
15088 ++ tmp[4] = b4 + 0x3ffffffffffff8LLU;
15089 ++ {
15090 ++ u64 xi = a[0];
15091 ++ u64 yi = tmp[0];
15092 ++ a[0] = yi - xi;
15093 ++ }
15094 ++ {
15095 ++ u64 xi = a[1];
15096 ++ u64 yi = tmp[1];
15097 ++ a[1] = yi - xi;
15098 ++ }
15099 ++ {
15100 ++ u64 xi = a[2];
15101 ++ u64 yi = tmp[2];
15102 ++ a[2] = yi - xi;
15103 ++ }
15104 ++ {
15105 ++ u64 xi = a[3];
15106 ++ u64 yi = tmp[3];
15107 ++ a[3] = yi - xi;
15108 ++ }
15109 ++ {
15110 ++ u64 xi = a[4];
15111 ++ u64 yi = tmp[4];
15112 ++ a[4] = yi - xi;
15113 ++ }
15114 ++}
15115 ++
15116 ++static __always_inline void fscalar(u64 *output, u64 *b, u64 s)
15117 ++{
15118 ++ u128 tmp[5];
15119 ++ u128 b4;
15120 ++ u128 b0;
15121 ++ u128 b4_;
15122 ++ u128 b0_;
15123 ++ {
15124 ++ u64 xi = b[0];
15125 ++ tmp[0] = ((u128)(xi) * (s));
15126 ++ }
15127 ++ {
15128 ++ u64 xi = b[1];
15129 ++ tmp[1] = ((u128)(xi) * (s));
15130 ++ }
15131 ++ {
15132 ++ u64 xi = b[2];
15133 ++ tmp[2] = ((u128)(xi) * (s));
15134 ++ }
15135 ++ {
15136 ++ u64 xi = b[3];
15137 ++ tmp[3] = ((u128)(xi) * (s));
15138 ++ }
15139 ++ {
15140 ++ u64 xi = b[4];
15141 ++ tmp[4] = ((u128)(xi) * (s));
15142 ++ }
15143 ++ fproduct_carry_wide_(tmp);
15144 ++ b4 = tmp[4];
15145 ++ b0 = tmp[0];
15146 ++ b4_ = ((b4) & (((u128)(0x7ffffffffffffLLU))));
15147 ++ b0_ = ((b0) + (((u128)(19) * (((u64)(((b4) >> (51))))))));
15148 ++ tmp[4] = b4_;
15149 ++ tmp[0] = b0_;
15150 ++ fproduct_copy_from_wide_(output, tmp);
15151 ++}
15152 ++
15153 ++static __always_inline void fmul(u64 *output, u64 *a, u64 *b)
15154 ++{
15155 ++ fmul_fmul(output, a, b);
15156 ++}
15157 ++
15158 ++static __always_inline void crecip(u64 *output, u64 *input)
15159 ++{
15160 ++ crecip_crecip(output, input);
15161 ++}
15162 ++
15163 ++static __always_inline void point_swap_conditional_step(u64 *a, u64 *b,
15164 ++ u64 swap1, u32 ctr)
15165 ++{
15166 ++ u32 i = ctr - 1;
15167 ++ u64 ai = a[i];
15168 ++ u64 bi = b[i];
15169 ++ u64 x = swap1 & (ai ^ bi);
15170 ++ u64 ai1 = ai ^ x;
15171 ++ u64 bi1 = bi ^ x;
15172 ++ a[i] = ai1;
15173 ++ b[i] = bi1;
15174 ++}
15175 ++
15176 ++static __always_inline void point_swap_conditional5(u64 *a, u64 *b, u64 swap1)
15177 ++{
15178 ++ point_swap_conditional_step(a, b, swap1, 5);
15179 ++ point_swap_conditional_step(a, b, swap1, 4);
15180 ++ point_swap_conditional_step(a, b, swap1, 3);
15181 ++ point_swap_conditional_step(a, b, swap1, 2);
15182 ++ point_swap_conditional_step(a, b, swap1, 1);
15183 ++}
15184 ++
15185 ++static __always_inline void point_swap_conditional(u64 *a, u64 *b, u64 iswap)
15186 ++{
15187 ++ u64 swap1 = 0 - iswap;
15188 ++ point_swap_conditional5(a, b, swap1);
15189 ++ point_swap_conditional5(a + 5, b + 5, swap1);
15190 ++}
15191 ++
15192 ++static __always_inline void point_copy(u64 *output, u64 *input)
15193 ++{
15194 ++ memcpy(output, input, 5 * sizeof(*input));
15195 ++ memcpy(output + 5, input + 5, 5 * sizeof(*input));
15196 ++}
15197 ++
15198 ++static __always_inline void addanddouble_fmonty(u64 *pp, u64 *ppq, u64 *p,
15199 ++ u64 *pq, u64 *qmqp)
15200 ++{
15201 ++ u64 *qx = qmqp;
15202 ++ u64 *x2 = pp;
15203 ++ u64 *z2 = pp + 5;
15204 ++ u64 *x3 = ppq;
15205 ++ u64 *z3 = ppq + 5;
15206 ++ u64 *x = p;
15207 ++ u64 *z = p + 5;
15208 ++ u64 *xprime = pq;
15209 ++ u64 *zprime = pq + 5;
15210 ++ u64 buf[40] = { 0 };
15211 ++ u64 *origx = buf;
15212 ++ u64 *origxprime0 = buf + 5;
15213 ++ u64 *xxprime0;
15214 ++ u64 *zzprime0;
15215 ++ u64 *origxprime;
15216 ++ xxprime0 = buf + 25;
15217 ++ zzprime0 = buf + 30;
15218 ++ memcpy(origx, x, 5 * sizeof(*x));
15219 ++ fsum(x, z);
15220 ++ fdifference(z, origx);
15221 ++ memcpy(origxprime0, xprime, 5 * sizeof(*xprime));
15222 ++ fsum(xprime, zprime);
15223 ++ fdifference(zprime, origxprime0);
15224 ++ fmul(xxprime0, xprime, z);
15225 ++ fmul(zzprime0, x, zprime);
15226 ++ origxprime = buf + 5;
15227 ++ {
15228 ++ u64 *xx0;
15229 ++ u64 *zz0;
15230 ++ u64 *xxprime;
15231 ++ u64 *zzprime;
15232 ++ u64 *zzzprime;
15233 ++ xx0 = buf + 15;
15234 ++ zz0 = buf + 20;
15235 ++ xxprime = buf + 25;
15236 ++ zzprime = buf + 30;
15237 ++ zzzprime = buf + 35;
15238 ++ memcpy(origxprime, xxprime, 5 * sizeof(*xxprime));
15239 ++ fsum(xxprime, zzprime);
15240 ++ fdifference(zzprime, origxprime);
15241 ++ fsquare_fsquare_times(x3, xxprime, 1);
15242 ++ fsquare_fsquare_times(zzzprime, zzprime, 1);
15243 ++ fmul(z3, zzzprime, qx);
15244 ++ fsquare_fsquare_times(xx0, x, 1);
15245 ++ fsquare_fsquare_times(zz0, z, 1);
15246 ++ {
15247 ++ u64 *zzz;
15248 ++ u64 *xx;
15249 ++ u64 *zz;
15250 ++ u64 scalar;
15251 ++ zzz = buf + 10;
15252 ++ xx = buf + 15;
15253 ++ zz = buf + 20;
15254 ++ fmul(x2, xx, zz);
15255 ++ fdifference(zz, xx);
15256 ++ scalar = 121665;
15257 ++ fscalar(zzz, zz, scalar);
15258 ++ fsum(zzz, xx);
15259 ++ fmul(z2, zzz, zz);
15260 ++ }
15261 ++ }
15262 ++}
15263 ++
15264 ++static __always_inline void
15265 ++ladder_smallloop_cmult_small_loop_step(u64 *nq, u64 *nqpq, u64 *nq2, u64 *nqpq2,
15266 ++ u64 *q, u8 byt)
15267 ++{
15268 ++ u64 bit0 = (u64)(byt >> 7);
15269 ++ u64 bit;
15270 ++ point_swap_conditional(nq, nqpq, bit0);
15271 ++ addanddouble_fmonty(nq2, nqpq2, nq, nqpq, q);
15272 ++ bit = (u64)(byt >> 7);
15273 ++ point_swap_conditional(nq2, nqpq2, bit);
15274 ++}
15275 ++
15276 ++static __always_inline void
15277 ++ladder_smallloop_cmult_small_loop_double_step(u64 *nq, u64 *nqpq, u64 *nq2,
15278 ++ u64 *nqpq2, u64 *q, u8 byt)
15279 ++{
15280 ++ u8 byt1;
15281 ++ ladder_smallloop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
15282 ++ byt1 = byt << 1;
15283 ++ ladder_smallloop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
15284 ++}
15285 ++
15286 ++static __always_inline void
15287 ++ladder_smallloop_cmult_small_loop(u64 *nq, u64 *nqpq, u64 *nq2, u64 *nqpq2,
15288 ++ u64 *q, u8 byt, u32 i)
15289 ++{
15290 ++ while (i--) {
15291 ++ ladder_smallloop_cmult_small_loop_double_step(nq, nqpq, nq2,
15292 ++ nqpq2, q, byt);
15293 ++ byt <<= 2;
15294 ++ }
15295 ++}
15296 ++
15297 ++static __always_inline void ladder_bigloop_cmult_big_loop(u8 *n1, u64 *nq,
15298 ++ u64 *nqpq, u64 *nq2,
15299 ++ u64 *nqpq2, u64 *q,
15300 ++ u32 i)
15301 ++{
15302 ++ while (i--) {
15303 ++ u8 byte = n1[i];
15304 ++ ladder_smallloop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q,
15305 ++ byte, 4);
15306 ++ }
15307 ++}
15308 ++
15309 ++static void ladder_cmult(u64 *result, u8 *n1, u64 *q)
15310 ++{
15311 ++ u64 point_buf[40] = { 0 };
15312 ++ u64 *nq = point_buf;
15313 ++ u64 *nqpq = point_buf + 10;
15314 ++ u64 *nq2 = point_buf + 20;
15315 ++ u64 *nqpq2 = point_buf + 30;
15316 ++ point_copy(nqpq, q);
15317 ++ nq[0] = 1;
15318 ++ ladder_bigloop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, 32);
15319 ++ point_copy(result, nq);
15320 ++}
15321 ++
15322 ++static __always_inline void format_fexpand(u64 *output, const u8 *input)
15323 ++{
15324 ++ const u8 *x00 = input + 6;
15325 ++ const u8 *x01 = input + 12;
15326 ++ const u8 *x02 = input + 19;
15327 ++ const u8 *x0 = input + 24;
15328 ++ u64 i0, i1, i2, i3, i4, output0, output1, output2, output3, output4;
15329 ++ i0 = get_unaligned_le64(input);
15330 ++ i1 = get_unaligned_le64(x00);
15331 ++ i2 = get_unaligned_le64(x01);
15332 ++ i3 = get_unaligned_le64(x02);
15333 ++ i4 = get_unaligned_le64(x0);
15334 ++ output0 = i0 & 0x7ffffffffffffLLU;
15335 ++ output1 = i1 >> 3 & 0x7ffffffffffffLLU;
15336 ++ output2 = i2 >> 6 & 0x7ffffffffffffLLU;
15337 ++ output3 = i3 >> 1 & 0x7ffffffffffffLLU;
15338 ++ output4 = i4 >> 12 & 0x7ffffffffffffLLU;
15339 ++ output[0] = output0;
15340 ++ output[1] = output1;
15341 ++ output[2] = output2;
15342 ++ output[3] = output3;
15343 ++ output[4] = output4;
15344 ++}
15345 ++
15346 ++static __always_inline void format_fcontract_first_carry_pass(u64 *input)
15347 ++{
15348 ++ u64 t0 = input[0];
15349 ++ u64 t1 = input[1];
15350 ++ u64 t2 = input[2];
15351 ++ u64 t3 = input[3];
15352 ++ u64 t4 = input[4];
15353 ++ u64 t1_ = t1 + (t0 >> 51);
15354 ++ u64 t0_ = t0 & 0x7ffffffffffffLLU;
15355 ++ u64 t2_ = t2 + (t1_ >> 51);
15356 ++ u64 t1__ = t1_ & 0x7ffffffffffffLLU;
15357 ++ u64 t3_ = t3 + (t2_ >> 51);
15358 ++ u64 t2__ = t2_ & 0x7ffffffffffffLLU;
15359 ++ u64 t4_ = t4 + (t3_ >> 51);
15360 ++ u64 t3__ = t3_ & 0x7ffffffffffffLLU;
15361 ++ input[0] = t0_;
15362 ++ input[1] = t1__;
15363 ++ input[2] = t2__;
15364 ++ input[3] = t3__;
15365 ++ input[4] = t4_;
15366 ++}
15367 ++
15368 ++static __always_inline void format_fcontract_first_carry_full(u64 *input)
15369 ++{
15370 ++ format_fcontract_first_carry_pass(input);
15371 ++ modulo_carry_top(input);
15372 ++}
15373 ++
15374 ++static __always_inline void format_fcontract_second_carry_pass(u64 *input)
15375 ++{
15376 ++ u64 t0 = input[0];
15377 ++ u64 t1 = input[1];
15378 ++ u64 t2 = input[2];
15379 ++ u64 t3 = input[3];
15380 ++ u64 t4 = input[4];
15381 ++ u64 t1_ = t1 + (t0 >> 51);
15382 ++ u64 t0_ = t0 & 0x7ffffffffffffLLU;
15383 ++ u64 t2_ = t2 + (t1_ >> 51);
15384 ++ u64 t1__ = t1_ & 0x7ffffffffffffLLU;
15385 ++ u64 t3_ = t3 + (t2_ >> 51);
15386 ++ u64 t2__ = t2_ & 0x7ffffffffffffLLU;
15387 ++ u64 t4_ = t4 + (t3_ >> 51);
15388 ++ u64 t3__ = t3_ & 0x7ffffffffffffLLU;
15389 ++ input[0] = t0_;
15390 ++ input[1] = t1__;
15391 ++ input[2] = t2__;
15392 ++ input[3] = t3__;
15393 ++ input[4] = t4_;
15394 ++}
15395 ++
15396 ++static __always_inline void format_fcontract_second_carry_full(u64 *input)
15397 ++{
15398 ++ u64 i0;
15399 ++ u64 i1;
15400 ++ u64 i0_;
15401 ++ u64 i1_;
15402 ++ format_fcontract_second_carry_pass(input);
15403 ++ modulo_carry_top(input);
15404 ++ i0 = input[0];
15405 ++ i1 = input[1];
15406 ++ i0_ = i0 & 0x7ffffffffffffLLU;
15407 ++ i1_ = i1 + (i0 >> 51);
15408 ++ input[0] = i0_;
15409 ++ input[1] = i1_;
15410 ++}
15411 ++
15412 ++static __always_inline void format_fcontract_trim(u64 *input)
15413 ++{
15414 ++ u64 a0 = input[0];
15415 ++ u64 a1 = input[1];
15416 ++ u64 a2 = input[2];
15417 ++ u64 a3 = input[3];
15418 ++ u64 a4 = input[4];
15419 ++ u64 mask0 = u64_gte_mask(a0, 0x7ffffffffffedLLU);
15420 ++ u64 mask1 = u64_eq_mask(a1, 0x7ffffffffffffLLU);
15421 ++ u64 mask2 = u64_eq_mask(a2, 0x7ffffffffffffLLU);
15422 ++ u64 mask3 = u64_eq_mask(a3, 0x7ffffffffffffLLU);
15423 ++ u64 mask4 = u64_eq_mask(a4, 0x7ffffffffffffLLU);
15424 ++ u64 mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
15425 ++ u64 a0_ = a0 - (0x7ffffffffffedLLU & mask);
15426 ++ u64 a1_ = a1 - (0x7ffffffffffffLLU & mask);
15427 ++ u64 a2_ = a2 - (0x7ffffffffffffLLU & mask);
15428 ++ u64 a3_ = a3 - (0x7ffffffffffffLLU & mask);
15429 ++ u64 a4_ = a4 - (0x7ffffffffffffLLU & mask);
15430 ++ input[0] = a0_;
15431 ++ input[1] = a1_;
15432 ++ input[2] = a2_;
15433 ++ input[3] = a3_;
15434 ++ input[4] = a4_;
15435 ++}
15436 ++
15437 ++static __always_inline void format_fcontract_store(u8 *output, u64 *input)
15438 ++{
15439 ++ u64 t0 = input[0];
15440 ++ u64 t1 = input[1];
15441 ++ u64 t2 = input[2];
15442 ++ u64 t3 = input[3];
15443 ++ u64 t4 = input[4];
15444 ++ u64 o0 = t1 << 51 | t0;
15445 ++ u64 o1 = t2 << 38 | t1 >> 13;
15446 ++ u64 o2 = t3 << 25 | t2 >> 26;
15447 ++ u64 o3 = t4 << 12 | t3 >> 39;
15448 ++ u8 *b0 = output;
15449 ++ u8 *b1 = output + 8;
15450 ++ u8 *b2 = output + 16;
15451 ++ u8 *b3 = output + 24;
15452 ++ put_unaligned_le64(o0, b0);
15453 ++ put_unaligned_le64(o1, b1);
15454 ++ put_unaligned_le64(o2, b2);
15455 ++ put_unaligned_le64(o3, b3);
15456 ++}
15457 ++
15458 ++static __always_inline void format_fcontract(u8 *output, u64 *input)
15459 ++{
15460 ++ format_fcontract_first_carry_full(input);
15461 ++ format_fcontract_second_carry_full(input);
15462 ++ format_fcontract_trim(input);
15463 ++ format_fcontract_store(output, input);
15464 ++}
15465 ++
15466 ++static __always_inline void format_scalar_of_point(u8 *scalar, u64 *point)
15467 ++{
15468 ++ u64 *x = point;
15469 ++ u64 *z = point + 5;
15470 ++ u64 buf[10] __aligned(32) = { 0 };
15471 ++ u64 *zmone = buf;
15472 ++ u64 *sc = buf + 5;
15473 ++ crecip(zmone, z);
15474 ++ fmul(sc, x, zmone);
15475 ++ format_fcontract(scalar, sc);
15476 ++}
15477 ++
15478 ++void curve25519_generic(u8 mypublic[CURVE25519_KEY_SIZE],
15479 ++ const u8 secret[CURVE25519_KEY_SIZE],
15480 ++ const u8 basepoint[CURVE25519_KEY_SIZE])
15481 ++{
15482 ++ u64 buf0[10] __aligned(32) = { 0 };
15483 ++ u64 *x0 = buf0;
15484 ++ u64 *z = buf0 + 5;
15485 ++ u64 *q;
15486 ++ format_fexpand(x0, basepoint);
15487 ++ z[0] = 1;
15488 ++ q = buf0;
15489 ++ {
15490 ++ u8 e[32] __aligned(32) = { 0 };
15491 ++ u8 *scalar;
15492 ++ memcpy(e, secret, 32);
15493 ++ curve25519_clamp_secret(e);
15494 ++ scalar = e;
15495 ++ {
15496 ++ u64 buf[15] = { 0 };
15497 ++ u64 *nq = buf;
15498 ++ u64 *x = nq;
15499 ++ x[0] = 1;
15500 ++ ladder_cmult(nq, scalar, q);
15501 ++ format_scalar_of_point(mypublic, nq);
15502 ++ memzero_explicit(buf, sizeof(buf));
15503 ++ }
15504 ++ memzero_explicit(e, sizeof(e));
15505 ++ }
15506 ++ memzero_explicit(buf0, sizeof(buf0));
15507 ++}
15508 +--- b/lib/crypto/curve25519.c
15509 ++++ b/lib/crypto/curve25519.c
15510 +@@ -0,0 +1,35 @@
15511 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
15512 ++/*
15513 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
15514 ++ *
15515 ++ * This is an implementation of the Curve25519 ECDH algorithm, using either
15516 ++ * a 32-bit implementation or a 64-bit implementation with 128-bit integers,
15517 ++ * depending on what is supported by the target compiler.
15518 ++ *
15519 ++ * Information: https://cr.yp.to/ecdh.html
15520 ++ */
15521 ++
15522 ++#include <crypto/curve25519.h>
15523 ++#include <linux/module.h>
15524 ++#include <linux/init.h>
15525 ++
15526 ++bool curve25519_selftest(void);
15527 ++
15528 ++static int __init mod_init(void)
15529 ++{
15530 ++ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
15531 ++ WARN_ON(!curve25519_selftest()))
15532 ++ return -ENODEV;
15533 ++ return 0;
15534 ++}
15535 ++
15536 ++static void __exit mod_exit(void)
15537 ++{
15538 ++}
15539 ++
15540 ++module_init(mod_init);
15541 ++module_exit(mod_exit);
15542 ++
15543 ++MODULE_LICENSE("GPL v2");
15544 ++MODULE_DESCRIPTION("Curve25519 scalar multiplication");
15545 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
15546 +--- /dev/null
15547 ++++ b/crypto/curve25519-generic.c
15548 +@@ -0,0 +1,90 @@
15549 ++// SPDX-License-Identifier: GPL-2.0-or-later
15550 ++
15551 ++#include <crypto/curve25519.h>
15552 ++#include <crypto/internal/kpp.h>
15553 ++#include <crypto/kpp.h>
15554 ++#include <linux/module.h>
15555 ++#include <linux/scatterlist.h>
15556 ++
15557 ++static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
15558 ++ unsigned int len)
15559 ++{
15560 ++ u8 *secret = kpp_tfm_ctx(tfm);
15561 ++
15562 ++ if (!len)
15563 ++ curve25519_generate_secret(secret);
15564 ++ else if (len == CURVE25519_KEY_SIZE &&
15565 ++ crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
15566 ++ memcpy(secret, buf, CURVE25519_KEY_SIZE);
15567 ++ else
15568 ++ return -EINVAL;
15569 ++ return 0;
15570 ++}
15571 ++
15572 ++static int curve25519_compute_value(struct kpp_request *req)
15573 ++{
15574 ++ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
15575 ++ const u8 *secret = kpp_tfm_ctx(tfm);
15576 ++ u8 public_key[CURVE25519_KEY_SIZE];
15577 ++ u8 buf[CURVE25519_KEY_SIZE];
15578 ++ int copied, nbytes;
15579 ++ u8 const *bp;
15580 ++
15581 ++ if (req->src) {
15582 ++ copied = sg_copy_to_buffer(req->src,
15583 ++ sg_nents_for_len(req->src,
15584 ++ CURVE25519_KEY_SIZE),
15585 ++ public_key, CURVE25519_KEY_SIZE);
15586 ++ if (copied != CURVE25519_KEY_SIZE)
15587 ++ return -EINVAL;
15588 ++ bp = public_key;
15589 ++ } else {
15590 ++ bp = curve25519_base_point;
15591 ++ }
15592 ++
15593 ++ curve25519_generic(buf, secret, bp);
15594 ++
15595 ++ /* might want less than we've got */
15596 ++ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
15597 ++ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
15598 ++ nbytes),
15599 ++ buf, nbytes);
15600 ++ if (copied != nbytes)
15601 ++ return -EINVAL;
15602 ++ return 0;
15603 ++}
15604 ++
15605 ++static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
15606 ++{
15607 ++ return CURVE25519_KEY_SIZE;
15608 ++}
15609 ++
15610 ++static struct kpp_alg curve25519_alg = {
15611 ++ .base.cra_name = "curve25519",
15612 ++ .base.cra_driver_name = "curve25519-generic",
15613 ++ .base.cra_priority = 100,
15614 ++ .base.cra_module = THIS_MODULE,
15615 ++ .base.cra_ctxsize = CURVE25519_KEY_SIZE,
15616 ++
15617 ++ .set_secret = curve25519_set_secret,
15618 ++ .generate_public_key = curve25519_compute_value,
15619 ++ .compute_shared_secret = curve25519_compute_value,
15620 ++ .max_size = curve25519_max_size,
15621 ++};
15622 ++
15623 ++static int curve25519_init(void)
15624 ++{
15625 ++ return crypto_register_kpp(&curve25519_alg);
15626 ++}
15627 ++
15628 ++static void curve25519_exit(void)
15629 ++{
15630 ++ crypto_unregister_kpp(&curve25519_alg);
15631 ++}
15632 ++
15633 ++subsys_initcall(curve25519_init);
15634 ++module_exit(curve25519_exit);
15635 ++
15636 ++MODULE_ALIAS_CRYPTO("curve25519");
15637 ++MODULE_ALIAS_CRYPTO("curve25519-generic");
15638 ++MODULE_LICENSE("GPL");
15639 +--- b/arch/x86/crypto/curve25519-x86_64.c
15640 ++++ b/arch/x86/crypto/curve25519-x86_64.c
15641 +@@ -0,0 +1,1512 @@
15642 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
15643 ++/*
15644 ++ * Copyright (C) 2020 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
15645 ++ * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
15646 ++ */
15647 ++
15648 ++#include <crypto/curve25519.h>
15649 ++#include <crypto/internal/kpp.h>
15650 ++
15651 ++#include <linux/types.h>
15652 ++#include <linux/jump_label.h>
15653 ++#include <linux/kernel.h>
15654 ++#include <linux/module.h>
15655 ++
15656 ++#include <asm/cpufeature.h>
15657 ++#include <asm/processor.h>
15658 ++
15659 ++static __always_inline u64 eq_mask(u64 a, u64 b)
15660 ++{
15661 ++ u64 x = a ^ b;
15662 ++ u64 minus_x = ~x + (u64)1U;
15663 ++ u64 x_or_minus_x = x | minus_x;
15664 ++ u64 xnx = x_or_minus_x >> (u32)63U;
15665 ++ return xnx - (u64)1U;
15666 ++}
15667 ++
15668 ++static __always_inline u64 gte_mask(u64 a, u64 b)
15669 ++{
15670 ++ u64 x = a;
15671 ++ u64 y = b;
15672 ++ u64 x_xor_y = x ^ y;
15673 ++ u64 x_sub_y = x - y;
15674 ++ u64 x_sub_y_xor_y = x_sub_y ^ y;
15675 ++ u64 q = x_xor_y | x_sub_y_xor_y;
15676 ++ u64 x_xor_q = x ^ q;
15677 ++ u64 x_xor_q_ = x_xor_q >> (u32)63U;
15678 ++ return x_xor_q_ - (u64)1U;
15679 ++}
15680 ++
15681 ++/* Computes the addition of four-element f1 with value in f2
15682 ++ * and returns the carry (if any) */
15683 ++static inline u64 add_scalar(u64 *out, const u64 *f1, u64 f2)
15684 ++{
15685 ++ u64 carry_r;
15686 ++
15687 ++ asm volatile(
15688 ++ /* Clear registers to propagate the carry bit */
15689 ++ " xor %%r8d, %%r8d;"
15690 ++ " xor %%r9d, %%r9d;"
15691 ++ " xor %%r10d, %%r10d;"
15692 ++ " xor %%r11d, %%r11d;"
15693 ++ " xor %k1, %k1;"
15694 ++
15695 ++ /* Begin addition chain */
15696 ++ " addq 0(%3), %0;"
15697 ++ " movq %0, 0(%2);"
15698 ++ " adcxq 8(%3), %%r8;"
15699 ++ " movq %%r8, 8(%2);"
15700 ++ " adcxq 16(%3), %%r9;"
15701 ++ " movq %%r9, 16(%2);"
15702 ++ " adcxq 24(%3), %%r10;"
15703 ++ " movq %%r10, 24(%2);"
15704 ++
15705 ++ /* Return the carry bit in a register */
15706 ++ " adcx %%r11, %1;"
15707 ++ : "+&r" (f2), "=&r" (carry_r)
15708 ++ : "r" (out), "r" (f1)
15709 ++ : "%r8", "%r9", "%r10", "%r11", "memory", "cc"
15710 ++ );
15711 ++
15712 ++ return carry_r;
15713 ++}
15714 ++
15715 ++/* Computes the field addition of two field elements */
15716 ++static inline void fadd(u64 *out, const u64 *f1, const u64 *f2)
15717 ++{
15718 ++ asm volatile(
15719 ++ /* Compute the raw addition of f1 + f2 */
15720 ++ " movq 0(%0), %%r8;"
15721 ++ " addq 0(%2), %%r8;"
15722 ++ " movq 8(%0), %%r9;"
15723 ++ " adcxq 8(%2), %%r9;"
15724 ++ " movq 16(%0), %%r10;"
15725 ++ " adcxq 16(%2), %%r10;"
15726 ++ " movq 24(%0), %%r11;"
15727 ++ " adcxq 24(%2), %%r11;"
15728 ++
15729 ++ /* Wrap the result back into the field */
15730 ++
15731 ++ /* Step 1: Compute carry*38 */
15732 ++ " mov $0, %%rax;"
15733 ++ " mov $38, %0;"
15734 ++ " cmovc %0, %%rax;"
15735 ++
15736 ++ /* Step 2: Add carry*38 to the original sum */
15737 ++ " xor %%ecx, %%ecx;"
15738 ++ " add %%rax, %%r8;"
15739 ++ " adcx %%rcx, %%r9;"
15740 ++ " movq %%r9, 8(%1);"
15741 ++ " adcx %%rcx, %%r10;"
15742 ++ " movq %%r10, 16(%1);"
15743 ++ " adcx %%rcx, %%r11;"
15744 ++ " movq %%r11, 24(%1);"
15745 ++
15746 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15747 ++ " mov $0, %%rax;"
15748 ++ " cmovc %0, %%rax;"
15749 ++ " add %%rax, %%r8;"
15750 ++ " movq %%r8, 0(%1);"
15751 ++ : "+&r" (f2)
15752 ++ : "r" (out), "r" (f1)
15753 ++ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"
15754 ++ );
15755 ++}
15756 ++
15757 ++/* Computes the field substraction of two field elements */
15758 ++static inline void fsub(u64 *out, const u64 *f1, const u64 *f2)
15759 ++{
15760 ++ asm volatile(
15761 ++ /* Compute the raw substraction of f1-f2 */
15762 ++ " movq 0(%1), %%r8;"
15763 ++ " subq 0(%2), %%r8;"
15764 ++ " movq 8(%1), %%r9;"
15765 ++ " sbbq 8(%2), %%r9;"
15766 ++ " movq 16(%1), %%r10;"
15767 ++ " sbbq 16(%2), %%r10;"
15768 ++ " movq 24(%1), %%r11;"
15769 ++ " sbbq 24(%2), %%r11;"
15770 ++
15771 ++ /* Wrap the result back into the field */
15772 ++
15773 ++ /* Step 1: Compute carry*38 */
15774 ++ " mov $0, %%rax;"
15775 ++ " mov $38, %%rcx;"
15776 ++ " cmovc %%rcx, %%rax;"
15777 ++
15778 ++ /* Step 2: Substract carry*38 from the original difference */
15779 ++ " sub %%rax, %%r8;"
15780 ++ " sbb $0, %%r9;"
15781 ++ " sbb $0, %%r10;"
15782 ++ " sbb $0, %%r11;"
15783 ++
15784 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15785 ++ " mov $0, %%rax;"
15786 ++ " cmovc %%rcx, %%rax;"
15787 ++ " sub %%rax, %%r8;"
15788 ++
15789 ++ /* Store the result */
15790 ++ " movq %%r8, 0(%0);"
15791 ++ " movq %%r9, 8(%0);"
15792 ++ " movq %%r10, 16(%0);"
15793 ++ " movq %%r11, 24(%0);"
15794 ++ :
15795 ++ : "r" (out), "r" (f1), "r" (f2)
15796 ++ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "memory", "cc"
15797 ++ );
15798 ++}
15799 ++
15800 ++/* Computes a field multiplication: out <- f1 * f2
15801 ++ * Uses the 8-element buffer tmp for intermediate results */
15802 ++static inline void fmul(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp)
15803 ++{
15804 ++ asm volatile(
15805 ++ /* Compute the raw multiplication: tmp <- src1 * src2 */
15806 ++
15807 ++ /* Compute src1[0] * src2 */
15808 ++ " movq 0(%1), %%rdx;"
15809 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%0);"
15810 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%0);"
15811 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;"
15812 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
15813 ++ " adox %%rdx, %%rax;"
15814 ++ /* Compute src1[1] * src2 */
15815 ++ " movq 8(%1), %%rdx;"
15816 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%0), %%r8;" " movq %%r8, 8(%0);"
15817 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%0);"
15818 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15819 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15820 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15821 ++ /* Compute src1[2] * src2 */
15822 ++ " movq 16(%1), %%rdx;"
15823 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%0), %%r8;" " movq %%r8, 16(%0);"
15824 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%0);"
15825 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15826 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15827 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15828 ++ /* Compute src1[3] * src2 */
15829 ++ " movq 24(%1), %%rdx;"
15830 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%0), %%r8;" " movq %%r8, 24(%0);"
15831 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%0);"
15832 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%0);" " mov $0, %%r8;"
15833 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%0);" " mov $0, %%rax;"
15834 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%0);"
15835 ++ /* Line up pointers */
15836 ++ " mov %0, %1;"
15837 ++ " mov %2, %0;"
15838 ++
15839 ++ /* Wrap the result back into the field */
15840 ++
15841 ++ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
15842 ++ " mov $38, %%rdx;"
15843 ++ " mulxq 32(%1), %%r8, %%r13;"
15844 ++ " xor %k3, %k3;"
15845 ++ " adoxq 0(%1), %%r8;"
15846 ++ " mulxq 40(%1), %%r9, %%rbx;"
15847 ++ " adcx %%r13, %%r9;"
15848 ++ " adoxq 8(%1), %%r9;"
15849 ++ " mulxq 48(%1), %%r10, %%r13;"
15850 ++ " adcx %%rbx, %%r10;"
15851 ++ " adoxq 16(%1), %%r10;"
15852 ++ " mulxq 56(%1), %%r11, %%rax;"
15853 ++ " adcx %%r13, %%r11;"
15854 ++ " adoxq 24(%1), %%r11;"
15855 ++ " adcx %3, %%rax;"
15856 ++ " adox %3, %%rax;"
15857 ++ " imul %%rdx, %%rax;"
15858 ++
15859 ++ /* Step 2: Fold the carry back into dst */
15860 ++ " add %%rax, %%r8;"
15861 ++ " adcx %3, %%r9;"
15862 ++ " movq %%r9, 8(%0);"
15863 ++ " adcx %3, %%r10;"
15864 ++ " movq %%r10, 16(%0);"
15865 ++ " adcx %3, %%r11;"
15866 ++ " movq %%r11, 24(%0);"
15867 ++
15868 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15869 ++ " mov $0, %%rax;"
15870 ++ " cmovc %%rdx, %%rax;"
15871 ++ " add %%rax, %%r8;"
15872 ++ " movq %%r8, 0(%0);"
15873 ++ : "+&r" (tmp), "+&r" (f1), "+&r" (out), "+&r" (f2)
15874 ++ :
15875 ++ : "%rax", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "memory", "cc"
15876 ++ );
15877 ++}
15878 ++
15879 ++/* Computes two field multiplications:
15880 ++ * out[0] <- f1[0] * f2[0]
15881 ++ * out[1] <- f1[1] * f2[1]
15882 ++ * Uses the 16-element buffer tmp for intermediate results. */
15883 ++static inline void fmul2(u64 *out, const u64 *f1, const u64 *f2, u64 *tmp)
15884 ++{
15885 ++ asm volatile(
15886 ++ /* Compute the raw multiplication tmp[0] <- f1[0] * f2[0] */
15887 ++
15888 ++ /* Compute src1[0] * src2 */
15889 ++ " movq 0(%1), %%rdx;"
15890 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 0(%0);"
15891 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 8(%0);"
15892 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;"
15893 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
15894 ++ " adox %%rdx, %%rax;"
15895 ++ /* Compute src1[1] * src2 */
15896 ++ " movq 8(%1), %%rdx;"
15897 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 8(%0), %%r8;" " movq %%r8, 8(%0);"
15898 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 16(%0);"
15899 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15900 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15901 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15902 ++ /* Compute src1[2] * src2 */
15903 ++ " movq 16(%1), %%rdx;"
15904 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 16(%0), %%r8;" " movq %%r8, 16(%0);"
15905 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 24(%0);"
15906 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15907 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15908 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15909 ++ /* Compute src1[3] * src2 */
15910 ++ " movq 24(%1), %%rdx;"
15911 ++ " mulxq 0(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 24(%0), %%r8;" " movq %%r8, 24(%0);"
15912 ++ " mulxq 8(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 32(%0);"
15913 ++ " mulxq 16(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 40(%0);" " mov $0, %%r8;"
15914 ++ " mulxq 24(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 48(%0);" " mov $0, %%rax;"
15915 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 56(%0);"
15916 ++
15917 ++ /* Compute the raw multiplication tmp[1] <- f1[1] * f2[1] */
15918 ++
15919 ++ /* Compute src1[0] * src2 */
15920 ++ " movq 32(%1), %%rdx;"
15921 ++ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " movq %%r8, 64(%0);"
15922 ++ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " movq %%r10, 72(%0);"
15923 ++ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;"
15924 ++ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " mov $0, %%rax;"
15925 ++ " adox %%rdx, %%rax;"
15926 ++ /* Compute src1[1] * src2 */
15927 ++ " movq 40(%1), %%rdx;"
15928 ++ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 72(%0), %%r8;" " movq %%r8, 72(%0);"
15929 ++ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 80(%0);"
15930 ++ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15931 ++ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15932 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15933 ++ /* Compute src1[2] * src2 */
15934 ++ " movq 48(%1), %%rdx;"
15935 ++ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 80(%0), %%r8;" " movq %%r8, 80(%0);"
15936 ++ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 88(%0);"
15937 ++ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " mov $0, %%r8;"
15938 ++ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " mov $0, %%rax;"
15939 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;"
15940 ++ /* Compute src1[3] * src2 */
15941 ++ " movq 56(%1), %%rdx;"
15942 ++ " mulxq 32(%3), %%r8, %%r9;" " xor %%r10d, %%r10d;" " adcxq 88(%0), %%r8;" " movq %%r8, 88(%0);"
15943 ++ " mulxq 40(%3), %%r10, %%r11;" " adox %%r9, %%r10;" " adcx %%rbx, %%r10;" " movq %%r10, 96(%0);"
15944 ++ " mulxq 48(%3), %%rbx, %%r13;" " adox %%r11, %%rbx;" " adcx %%r14, %%rbx;" " movq %%rbx, 104(%0);" " mov $0, %%r8;"
15945 ++ " mulxq 56(%3), %%r14, %%rdx;" " adox %%r13, %%r14;" " adcx %%rax, %%r14;" " movq %%r14, 112(%0);" " mov $0, %%rax;"
15946 ++ " adox %%rdx, %%rax;" " adcx %%r8, %%rax;" " movq %%rax, 120(%0);"
15947 ++ /* Line up pointers */
15948 ++ " mov %0, %1;"
15949 ++ " mov %2, %0;"
15950 ++
15951 ++ /* Wrap the results back into the field */
15952 ++
15953 ++ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
15954 ++ " mov $38, %%rdx;"
15955 ++ " mulxq 32(%1), %%r8, %%r13;"
15956 ++ " xor %k3, %k3;"
15957 ++ " adoxq 0(%1), %%r8;"
15958 ++ " mulxq 40(%1), %%r9, %%rbx;"
15959 ++ " adcx %%r13, %%r9;"
15960 ++ " adoxq 8(%1), %%r9;"
15961 ++ " mulxq 48(%1), %%r10, %%r13;"
15962 ++ " adcx %%rbx, %%r10;"
15963 ++ " adoxq 16(%1), %%r10;"
15964 ++ " mulxq 56(%1), %%r11, %%rax;"
15965 ++ " adcx %%r13, %%r11;"
15966 ++ " adoxq 24(%1), %%r11;"
15967 ++ " adcx %3, %%rax;"
15968 ++ " adox %3, %%rax;"
15969 ++ " imul %%rdx, %%rax;"
15970 ++
15971 ++ /* Step 2: Fold the carry back into dst */
15972 ++ " add %%rax, %%r8;"
15973 ++ " adcx %3, %%r9;"
15974 ++ " movq %%r9, 8(%0);"
15975 ++ " adcx %3, %%r10;"
15976 ++ " movq %%r10, 16(%0);"
15977 ++ " adcx %3, %%r11;"
15978 ++ " movq %%r11, 24(%0);"
15979 ++
15980 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
15981 ++ " mov $0, %%rax;"
15982 ++ " cmovc %%rdx, %%rax;"
15983 ++ " add %%rax, %%r8;"
15984 ++ " movq %%r8, 0(%0);"
15985 ++
15986 ++ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
15987 ++ " mov $38, %%rdx;"
15988 ++ " mulxq 96(%1), %%r8, %%r13;"
15989 ++ " xor %k3, %k3;"
15990 ++ " adoxq 64(%1), %%r8;"
15991 ++ " mulxq 104(%1), %%r9, %%rbx;"
15992 ++ " adcx %%r13, %%r9;"
15993 ++ " adoxq 72(%1), %%r9;"
15994 ++ " mulxq 112(%1), %%r10, %%r13;"
15995 ++ " adcx %%rbx, %%r10;"
15996 ++ " adoxq 80(%1), %%r10;"
15997 ++ " mulxq 120(%1), %%r11, %%rax;"
15998 ++ " adcx %%r13, %%r11;"
15999 ++ " adoxq 88(%1), %%r11;"
16000 ++ " adcx %3, %%rax;"
16001 ++ " adox %3, %%rax;"
16002 ++ " imul %%rdx, %%rax;"
16003 ++
16004 ++ /* Step 2: Fold the carry back into dst */
16005 ++ " add %%rax, %%r8;"
16006 ++ " adcx %3, %%r9;"
16007 ++ " movq %%r9, 40(%0);"
16008 ++ " adcx %3, %%r10;"
16009 ++ " movq %%r10, 48(%0);"
16010 ++ " adcx %3, %%r11;"
16011 ++ " movq %%r11, 56(%0);"
16012 ++
16013 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16014 ++ " mov $0, %%rax;"
16015 ++ " cmovc %%rdx, %%rax;"
16016 ++ " add %%rax, %%r8;"
16017 ++ " movq %%r8, 32(%0);"
16018 ++ : "+&r" (tmp), "+&r" (f1), "+&r" (out), "+&r" (f2)
16019 ++ :
16020 ++ : "%rax", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "memory", "cc"
16021 ++ );
16022 ++}
16023 ++
16024 ++/* Computes the field multiplication of four-element f1 with value in f2 */
16025 ++static inline void fmul_scalar(u64 *out, const u64 *f1, u64 f2)
16026 ++{
16027 ++ register u64 f2_r asm("rdx") = f2;
16028 ++
16029 ++ asm volatile(
16030 ++ /* Compute the raw multiplication of f1*f2 */
16031 ++ " mulxq 0(%2), %%r8, %%rcx;" /* f1[0]*f2 */
16032 ++ " mulxq 8(%2), %%r9, %%rbx;" /* f1[1]*f2 */
16033 ++ " add %%rcx, %%r9;"
16034 ++ " mov $0, %%rcx;"
16035 ++ " mulxq 16(%2), %%r10, %%r13;" /* f1[2]*f2 */
16036 ++ " adcx %%rbx, %%r10;"
16037 ++ " mulxq 24(%2), %%r11, %%rax;" /* f1[3]*f2 */
16038 ++ " adcx %%r13, %%r11;"
16039 ++ " adcx %%rcx, %%rax;"
16040 ++
16041 ++ /* Wrap the result back into the field */
16042 ++
16043 ++ /* Step 1: Compute carry*38 */
16044 ++ " mov $38, %%rdx;"
16045 ++ " imul %%rdx, %%rax;"
16046 ++
16047 ++ /* Step 2: Fold the carry back into dst */
16048 ++ " add %%rax, %%r8;"
16049 ++ " adcx %%rcx, %%r9;"
16050 ++ " movq %%r9, 8(%1);"
16051 ++ " adcx %%rcx, %%r10;"
16052 ++ " movq %%r10, 16(%1);"
16053 ++ " adcx %%rcx, %%r11;"
16054 ++ " movq %%r11, 24(%1);"
16055 ++
16056 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16057 ++ " mov $0, %%rax;"
16058 ++ " cmovc %%rdx, %%rax;"
16059 ++ " add %%rax, %%r8;"
16060 ++ " movq %%r8, 0(%1);"
16061 ++ : "+&r" (f2_r)
16062 ++ : "r" (out), "r" (f1)
16063 ++ : "%rax", "%rcx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "memory", "cc"
16064 ++ );
16065 ++}
16066 ++
16067 ++/* Computes p1 <- bit ? p2 : p1 in constant time */
16068 ++static inline void cswap2(u64 bit, const u64 *p1, const u64 *p2)
16069 ++{
16070 ++ asm volatile(
16071 ++ /* Invert the polarity of bit to match cmov expectations */
16072 ++ " add $18446744073709551615, %0;"
16073 ++
16074 ++ /* cswap p1[0], p2[0] */
16075 ++ " movq 0(%1), %%r8;"
16076 ++ " movq 0(%2), %%r9;"
16077 ++ " mov %%r8, %%r10;"
16078 ++ " cmovc %%r9, %%r8;"
16079 ++ " cmovc %%r10, %%r9;"
16080 ++ " movq %%r8, 0(%1);"
16081 ++ " movq %%r9, 0(%2);"
16082 ++
16083 ++ /* cswap p1[1], p2[1] */
16084 ++ " movq 8(%1), %%r8;"
16085 ++ " movq 8(%2), %%r9;"
16086 ++ " mov %%r8, %%r10;"
16087 ++ " cmovc %%r9, %%r8;"
16088 ++ " cmovc %%r10, %%r9;"
16089 ++ " movq %%r8, 8(%1);"
16090 ++ " movq %%r9, 8(%2);"
16091 ++
16092 ++ /* cswap p1[2], p2[2] */
16093 ++ " movq 16(%1), %%r8;"
16094 ++ " movq 16(%2), %%r9;"
16095 ++ " mov %%r8, %%r10;"
16096 ++ " cmovc %%r9, %%r8;"
16097 ++ " cmovc %%r10, %%r9;"
16098 ++ " movq %%r8, 16(%1);"
16099 ++ " movq %%r9, 16(%2);"
16100 ++
16101 ++ /* cswap p1[3], p2[3] */
16102 ++ " movq 24(%1), %%r8;"
16103 ++ " movq 24(%2), %%r9;"
16104 ++ " mov %%r8, %%r10;"
16105 ++ " cmovc %%r9, %%r8;"
16106 ++ " cmovc %%r10, %%r9;"
16107 ++ " movq %%r8, 24(%1);"
16108 ++ " movq %%r9, 24(%2);"
16109 ++
16110 ++ /* cswap p1[4], p2[4] */
16111 ++ " movq 32(%1), %%r8;"
16112 ++ " movq 32(%2), %%r9;"
16113 ++ " mov %%r8, %%r10;"
16114 ++ " cmovc %%r9, %%r8;"
16115 ++ " cmovc %%r10, %%r9;"
16116 ++ " movq %%r8, 32(%1);"
16117 ++ " movq %%r9, 32(%2);"
16118 ++
16119 ++ /* cswap p1[5], p2[5] */
16120 ++ " movq 40(%1), %%r8;"
16121 ++ " movq 40(%2), %%r9;"
16122 ++ " mov %%r8, %%r10;"
16123 ++ " cmovc %%r9, %%r8;"
16124 ++ " cmovc %%r10, %%r9;"
16125 ++ " movq %%r8, 40(%1);"
16126 ++ " movq %%r9, 40(%2);"
16127 ++
16128 ++ /* cswap p1[6], p2[6] */
16129 ++ " movq 48(%1), %%r8;"
16130 ++ " movq 48(%2), %%r9;"
16131 ++ " mov %%r8, %%r10;"
16132 ++ " cmovc %%r9, %%r8;"
16133 ++ " cmovc %%r10, %%r9;"
16134 ++ " movq %%r8, 48(%1);"
16135 ++ " movq %%r9, 48(%2);"
16136 ++
16137 ++ /* cswap p1[7], p2[7] */
16138 ++ " movq 56(%1), %%r8;"
16139 ++ " movq 56(%2), %%r9;"
16140 ++ " mov %%r8, %%r10;"
16141 ++ " cmovc %%r9, %%r8;"
16142 ++ " cmovc %%r10, %%r9;"
16143 ++ " movq %%r8, 56(%1);"
16144 ++ " movq %%r9, 56(%2);"
16145 ++ : "+&r" (bit)
16146 ++ : "r" (p1), "r" (p2)
16147 ++ : "%r8", "%r9", "%r10", "memory", "cc"
16148 ++ );
16149 ++}
16150 ++
16151 ++/* Computes the square of a field element: out <- f * f
16152 ++ * Uses the 8-element buffer tmp for intermediate results */
16153 ++static inline void fsqr(u64 *out, const u64 *f, u64 *tmp)
16154 ++{
16155 ++ asm volatile(
16156 ++ /* Compute the raw multiplication: tmp <- f * f */
16157 ++
16158 ++ /* Step 1: Compute all partial products */
16159 ++ " movq 0(%1), %%rdx;" /* f[0] */
16160 ++ " mulxq 8(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" /* f[1]*f[0] */
16161 ++ " mulxq 16(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" /* f[2]*f[0] */
16162 ++ " mulxq 24(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" /* f[3]*f[0] */
16163 ++ " movq 24(%1), %%rdx;" /* f[3] */
16164 ++ " mulxq 8(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" /* f[1]*f[3] */
16165 ++ " mulxq 16(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" /* f[2]*f[3] */
16166 ++ " movq 8(%1), %%rdx;" " adcx %%r15, %%r13;" /* f1 */
16167 ++ " mulxq 16(%1), %%rax, %%rcx;" " mov $0, %%r14;" /* f[2]*f[1] */
16168 ++
16169 ++ /* Step 2: Compute two parallel carry chains */
16170 ++ " xor %%r15d, %%r15d;"
16171 ++ " adox %%rax, %%r10;"
16172 ++ " adcx %%r8, %%r8;"
16173 ++ " adox %%rcx, %%r11;"
16174 ++ " adcx %%r9, %%r9;"
16175 ++ " adox %%r15, %%rbx;"
16176 ++ " adcx %%r10, %%r10;"
16177 ++ " adox %%r15, %%r13;"
16178 ++ " adcx %%r11, %%r11;"
16179 ++ " adox %%r15, %%r14;"
16180 ++ " adcx %%rbx, %%rbx;"
16181 ++ " adcx %%r13, %%r13;"
16182 ++ " adcx %%r14, %%r14;"
16183 ++
16184 ++ /* Step 3: Compute intermediate squares */
16185 ++ " movq 0(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */
16186 ++ " movq %%rax, 0(%0);"
16187 ++ " add %%rcx, %%r8;" " movq %%r8, 8(%0);"
16188 ++ " movq 8(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */
16189 ++ " adcx %%rax, %%r9;" " movq %%r9, 16(%0);"
16190 ++ " adcx %%rcx, %%r10;" " movq %%r10, 24(%0);"
16191 ++ " movq 16(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */
16192 ++ " adcx %%rax, %%r11;" " movq %%r11, 32(%0);"
16193 ++ " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%0);"
16194 ++ " movq 24(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */
16195 ++ " adcx %%rax, %%r13;" " movq %%r13, 48(%0);"
16196 ++ " adcx %%rcx, %%r14;" " movq %%r14, 56(%0);"
16197 ++
16198 ++ /* Line up pointers */
16199 ++ " mov %0, %1;"
16200 ++ " mov %2, %0;"
16201 ++
16202 ++ /* Wrap the result back into the field */
16203 ++
16204 ++ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
16205 ++ " mov $38, %%rdx;"
16206 ++ " mulxq 32(%1), %%r8, %%r13;"
16207 ++ " xor %%ecx, %%ecx;"
16208 ++ " adoxq 0(%1), %%r8;"
16209 ++ " mulxq 40(%1), %%r9, %%rbx;"
16210 ++ " adcx %%r13, %%r9;"
16211 ++ " adoxq 8(%1), %%r9;"
16212 ++ " mulxq 48(%1), %%r10, %%r13;"
16213 ++ " adcx %%rbx, %%r10;"
16214 ++ " adoxq 16(%1), %%r10;"
16215 ++ " mulxq 56(%1), %%r11, %%rax;"
16216 ++ " adcx %%r13, %%r11;"
16217 ++ " adoxq 24(%1), %%r11;"
16218 ++ " adcx %%rcx, %%rax;"
16219 ++ " adox %%rcx, %%rax;"
16220 ++ " imul %%rdx, %%rax;"
16221 ++
16222 ++ /* Step 2: Fold the carry back into dst */
16223 ++ " add %%rax, %%r8;"
16224 ++ " adcx %%rcx, %%r9;"
16225 ++ " movq %%r9, 8(%0);"
16226 ++ " adcx %%rcx, %%r10;"
16227 ++ " movq %%r10, 16(%0);"
16228 ++ " adcx %%rcx, %%r11;"
16229 ++ " movq %%r11, 24(%0);"
16230 ++
16231 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16232 ++ " mov $0, %%rax;"
16233 ++ " cmovc %%rdx, %%rax;"
16234 ++ " add %%rax, %%r8;"
16235 ++ " movq %%r8, 0(%0);"
16236 ++ : "+&r" (tmp), "+&r" (f), "+&r" (out)
16237 ++ :
16238 ++ : "%rax", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "%r15", "memory", "cc"
16239 ++ );
16240 ++}
16241 ++
16242 ++/* Computes two field squarings:
16243 ++ * out[0] <- f[0] * f[0]
16244 ++ * out[1] <- f[1] * f[1]
16245 ++ * Uses the 16-element buffer tmp for intermediate results */
16246 ++static inline void fsqr2(u64 *out, const u64 *f, u64 *tmp)
16247 ++{
16248 ++ asm volatile(
16249 ++ /* Step 1: Compute all partial products */
16250 ++ " movq 0(%1), %%rdx;" /* f[0] */
16251 ++ " mulxq 8(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" /* f[1]*f[0] */
16252 ++ " mulxq 16(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" /* f[2]*f[0] */
16253 ++ " mulxq 24(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" /* f[3]*f[0] */
16254 ++ " movq 24(%1), %%rdx;" /* f[3] */
16255 ++ " mulxq 8(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" /* f[1]*f[3] */
16256 ++ " mulxq 16(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" /* f[2]*f[3] */
16257 ++ " movq 8(%1), %%rdx;" " adcx %%r15, %%r13;" /* f1 */
16258 ++ " mulxq 16(%1), %%rax, %%rcx;" " mov $0, %%r14;" /* f[2]*f[1] */
16259 ++
16260 ++ /* Step 2: Compute two parallel carry chains */
16261 ++ " xor %%r15d, %%r15d;"
16262 ++ " adox %%rax, %%r10;"
16263 ++ " adcx %%r8, %%r8;"
16264 ++ " adox %%rcx, %%r11;"
16265 ++ " adcx %%r9, %%r9;"
16266 ++ " adox %%r15, %%rbx;"
16267 ++ " adcx %%r10, %%r10;"
16268 ++ " adox %%r15, %%r13;"
16269 ++ " adcx %%r11, %%r11;"
16270 ++ " adox %%r15, %%r14;"
16271 ++ " adcx %%rbx, %%rbx;"
16272 ++ " adcx %%r13, %%r13;"
16273 ++ " adcx %%r14, %%r14;"
16274 ++
16275 ++ /* Step 3: Compute intermediate squares */
16276 ++ " movq 0(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */
16277 ++ " movq %%rax, 0(%0);"
16278 ++ " add %%rcx, %%r8;" " movq %%r8, 8(%0);"
16279 ++ " movq 8(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */
16280 ++ " adcx %%rax, %%r9;" " movq %%r9, 16(%0);"
16281 ++ " adcx %%rcx, %%r10;" " movq %%r10, 24(%0);"
16282 ++ " movq 16(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */
16283 ++ " adcx %%rax, %%r11;" " movq %%r11, 32(%0);"
16284 ++ " adcx %%rcx, %%rbx;" " movq %%rbx, 40(%0);"
16285 ++ " movq 24(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */
16286 ++ " adcx %%rax, %%r13;" " movq %%r13, 48(%0);"
16287 ++ " adcx %%rcx, %%r14;" " movq %%r14, 56(%0);"
16288 ++
16289 ++ /* Step 1: Compute all partial products */
16290 ++ " movq 32(%1), %%rdx;" /* f[0] */
16291 ++ " mulxq 40(%1), %%r8, %%r14;" " xor %%r15d, %%r15d;" /* f[1]*f[0] */
16292 ++ " mulxq 48(%1), %%r9, %%r10;" " adcx %%r14, %%r9;" /* f[2]*f[0] */
16293 ++ " mulxq 56(%1), %%rax, %%rcx;" " adcx %%rax, %%r10;" /* f[3]*f[0] */
16294 ++ " movq 56(%1), %%rdx;" /* f[3] */
16295 ++ " mulxq 40(%1), %%r11, %%rbx;" " adcx %%rcx, %%r11;" /* f[1]*f[3] */
16296 ++ " mulxq 48(%1), %%rax, %%r13;" " adcx %%rax, %%rbx;" /* f[2]*f[3] */
16297 ++ " movq 40(%1), %%rdx;" " adcx %%r15, %%r13;" /* f1 */
16298 ++ " mulxq 48(%1), %%rax, %%rcx;" " mov $0, %%r14;" /* f[2]*f[1] */
16299 ++
16300 ++ /* Step 2: Compute two parallel carry chains */
16301 ++ " xor %%r15d, %%r15d;"
16302 ++ " adox %%rax, %%r10;"
16303 ++ " adcx %%r8, %%r8;"
16304 ++ " adox %%rcx, %%r11;"
16305 ++ " adcx %%r9, %%r9;"
16306 ++ " adox %%r15, %%rbx;"
16307 ++ " adcx %%r10, %%r10;"
16308 ++ " adox %%r15, %%r13;"
16309 ++ " adcx %%r11, %%r11;"
16310 ++ " adox %%r15, %%r14;"
16311 ++ " adcx %%rbx, %%rbx;"
16312 ++ " adcx %%r13, %%r13;"
16313 ++ " adcx %%r14, %%r14;"
16314 ++
16315 ++ /* Step 3: Compute intermediate squares */
16316 ++ " movq 32(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[0]^2 */
16317 ++ " movq %%rax, 64(%0);"
16318 ++ " add %%rcx, %%r8;" " movq %%r8, 72(%0);"
16319 ++ " movq 40(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[1]^2 */
16320 ++ " adcx %%rax, %%r9;" " movq %%r9, 80(%0);"
16321 ++ " adcx %%rcx, %%r10;" " movq %%r10, 88(%0);"
16322 ++ " movq 48(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[2]^2 */
16323 ++ " adcx %%rax, %%r11;" " movq %%r11, 96(%0);"
16324 ++ " adcx %%rcx, %%rbx;" " movq %%rbx, 104(%0);"
16325 ++ " movq 56(%1), %%rdx;" " mulx %%rdx, %%rax, %%rcx;" /* f[3]^2 */
16326 ++ " adcx %%rax, %%r13;" " movq %%r13, 112(%0);"
16327 ++ " adcx %%rcx, %%r14;" " movq %%r14, 120(%0);"
16328 ++
16329 ++ /* Line up pointers */
16330 ++ " mov %0, %1;"
16331 ++ " mov %2, %0;"
16332 ++
16333 ++ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
16334 ++ " mov $38, %%rdx;"
16335 ++ " mulxq 32(%1), %%r8, %%r13;"
16336 ++ " xor %%ecx, %%ecx;"
16337 ++ " adoxq 0(%1), %%r8;"
16338 ++ " mulxq 40(%1), %%r9, %%rbx;"
16339 ++ " adcx %%r13, %%r9;"
16340 ++ " adoxq 8(%1), %%r9;"
16341 ++ " mulxq 48(%1), %%r10, %%r13;"
16342 ++ " adcx %%rbx, %%r10;"
16343 ++ " adoxq 16(%1), %%r10;"
16344 ++ " mulxq 56(%1), %%r11, %%rax;"
16345 ++ " adcx %%r13, %%r11;"
16346 ++ " adoxq 24(%1), %%r11;"
16347 ++ " adcx %%rcx, %%rax;"
16348 ++ " adox %%rcx, %%rax;"
16349 ++ " imul %%rdx, %%rax;"
16350 ++
16351 ++ /* Step 2: Fold the carry back into dst */
16352 ++ " add %%rax, %%r8;"
16353 ++ " adcx %%rcx, %%r9;"
16354 ++ " movq %%r9, 8(%0);"
16355 ++ " adcx %%rcx, %%r10;"
16356 ++ " movq %%r10, 16(%0);"
16357 ++ " adcx %%rcx, %%r11;"
16358 ++ " movq %%r11, 24(%0);"
16359 ++
16360 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16361 ++ " mov $0, %%rax;"
16362 ++ " cmovc %%rdx, %%rax;"
16363 ++ " add %%rax, %%r8;"
16364 ++ " movq %%r8, 0(%0);"
16365 ++
16366 ++ /* Step 1: Compute dst + carry == tmp_hi * 38 + tmp_lo */
16367 ++ " mov $38, %%rdx;"
16368 ++ " mulxq 96(%1), %%r8, %%r13;"
16369 ++ " xor %%ecx, %%ecx;"
16370 ++ " adoxq 64(%1), %%r8;"
16371 ++ " mulxq 104(%1), %%r9, %%rbx;"
16372 ++ " adcx %%r13, %%r9;"
16373 ++ " adoxq 72(%1), %%r9;"
16374 ++ " mulxq 112(%1), %%r10, %%r13;"
16375 ++ " adcx %%rbx, %%r10;"
16376 ++ " adoxq 80(%1), %%r10;"
16377 ++ " mulxq 120(%1), %%r11, %%rax;"
16378 ++ " adcx %%r13, %%r11;"
16379 ++ " adoxq 88(%1), %%r11;"
16380 ++ " adcx %%rcx, %%rax;"
16381 ++ " adox %%rcx, %%rax;"
16382 ++ " imul %%rdx, %%rax;"
16383 ++
16384 ++ /* Step 2: Fold the carry back into dst */
16385 ++ " add %%rax, %%r8;"
16386 ++ " adcx %%rcx, %%r9;"
16387 ++ " movq %%r9, 40(%0);"
16388 ++ " adcx %%rcx, %%r10;"
16389 ++ " movq %%r10, 48(%0);"
16390 ++ " adcx %%rcx, %%r11;"
16391 ++ " movq %%r11, 56(%0);"
16392 ++
16393 ++ /* Step 3: Fold the carry bit back in; guaranteed not to carry at this point */
16394 ++ " mov $0, %%rax;"
16395 ++ " cmovc %%rdx, %%rax;"
16396 ++ " add %%rax, %%r8;"
16397 ++ " movq %%r8, 32(%0);"
16398 ++ : "+&r" (tmp), "+&r" (f), "+&r" (out)
16399 ++ :
16400 ++ : "%rax", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11", "%rbx", "%r13", "%r14", "%r15", "memory", "cc"
16401 ++ );
16402 ++}
16403 ++
16404 ++static void point_add_and_double(u64 *q, u64 *p01_tmp1, u64 *tmp2)
16405 ++{
16406 ++ u64 *nq = p01_tmp1;
16407 ++ u64 *nq_p1 = p01_tmp1 + (u32)8U;
16408 ++ u64 *tmp1 = p01_tmp1 + (u32)16U;
16409 ++ u64 *x1 = q;
16410 ++ u64 *x2 = nq;
16411 ++ u64 *z2 = nq + (u32)4U;
16412 ++ u64 *z3 = nq_p1 + (u32)4U;
16413 ++ u64 *a = tmp1;
16414 ++ u64 *b = tmp1 + (u32)4U;
16415 ++ u64 *ab = tmp1;
16416 ++ u64 *dc = tmp1 + (u32)8U;
16417 ++ u64 *x3;
16418 ++ u64 *z31;
16419 ++ u64 *d0;
16420 ++ u64 *c0;
16421 ++ u64 *a1;
16422 ++ u64 *b1;
16423 ++ u64 *d;
16424 ++ u64 *c;
16425 ++ u64 *ab1;
16426 ++ u64 *dc1;
16427 ++ fadd(a, x2, z2);
16428 ++ fsub(b, x2, z2);
16429 ++ x3 = nq_p1;
16430 ++ z31 = nq_p1 + (u32)4U;
16431 ++ d0 = dc;
16432 ++ c0 = dc + (u32)4U;
16433 ++ fadd(c0, x3, z31);
16434 ++ fsub(d0, x3, z31);
16435 ++ fmul2(dc, dc, ab, tmp2);
16436 ++ fadd(x3, d0, c0);
16437 ++ fsub(z31, d0, c0);
16438 ++ a1 = tmp1;
16439 ++ b1 = tmp1 + (u32)4U;
16440 ++ d = tmp1 + (u32)8U;
16441 ++ c = tmp1 + (u32)12U;
16442 ++ ab1 = tmp1;
16443 ++ dc1 = tmp1 + (u32)8U;
16444 ++ fsqr2(dc1, ab1, tmp2);
16445 ++ fsqr2(nq_p1, nq_p1, tmp2);
16446 ++ a1[0U] = c[0U];
16447 ++ a1[1U] = c[1U];
16448 ++ a1[2U] = c[2U];
16449 ++ a1[3U] = c[3U];
16450 ++ fsub(c, d, c);
16451 ++ fmul_scalar(b1, c, (u64)121665U);
16452 ++ fadd(b1, b1, d);
16453 ++ fmul2(nq, dc1, ab1, tmp2);
16454 ++ fmul(z3, z3, x1, tmp2);
16455 ++}
16456 ++
16457 ++static void point_double(u64 *nq, u64 *tmp1, u64 *tmp2)
16458 ++{
16459 ++ u64 *x2 = nq;
16460 ++ u64 *z2 = nq + (u32)4U;
16461 ++ u64 *a = tmp1;
16462 ++ u64 *b = tmp1 + (u32)4U;
16463 ++ u64 *d = tmp1 + (u32)8U;
16464 ++ u64 *c = tmp1 + (u32)12U;
16465 ++ u64 *ab = tmp1;
16466 ++ u64 *dc = tmp1 + (u32)8U;
16467 ++ fadd(a, x2, z2);
16468 ++ fsub(b, x2, z2);
16469 ++ fsqr2(dc, ab, tmp2);
16470 ++ a[0U] = c[0U];
16471 ++ a[1U] = c[1U];
16472 ++ a[2U] = c[2U];
16473 ++ a[3U] = c[3U];
16474 ++ fsub(c, d, c);
16475 ++ fmul_scalar(b, c, (u64)121665U);
16476 ++ fadd(b, b, d);
16477 ++ fmul2(nq, dc, ab, tmp2);
16478 ++}
16479 ++
16480 ++static void montgomery_ladder(u64 *out, const u8 *key, u64 *init1)
16481 ++{
16482 ++ u64 tmp2[16U] = { 0U };
16483 ++ u64 p01_tmp1_swap[33U] = { 0U };
16484 ++ u64 *p0 = p01_tmp1_swap;
16485 ++ u64 *p01 = p01_tmp1_swap;
16486 ++ u64 *p03 = p01;
16487 ++ u64 *p11 = p01 + (u32)8U;
16488 ++ u64 *x0;
16489 ++ u64 *z0;
16490 ++ u64 *p01_tmp1;
16491 ++ u64 *p01_tmp11;
16492 ++ u64 *nq10;
16493 ++ u64 *nq_p11;
16494 ++ u64 *swap1;
16495 ++ u64 sw0;
16496 ++ u64 *nq1;
16497 ++ u64 *tmp1;
16498 ++ memcpy(p11, init1, (u32)8U * sizeof(init1[0U]));
16499 ++ x0 = p03;
16500 ++ z0 = p03 + (u32)4U;
16501 ++ x0[0U] = (u64)1U;
16502 ++ x0[1U] = (u64)0U;
16503 ++ x0[2U] = (u64)0U;
16504 ++ x0[3U] = (u64)0U;
16505 ++ z0[0U] = (u64)0U;
16506 ++ z0[1U] = (u64)0U;
16507 ++ z0[2U] = (u64)0U;
16508 ++ z0[3U] = (u64)0U;
16509 ++ p01_tmp1 = p01_tmp1_swap;
16510 ++ p01_tmp11 = p01_tmp1_swap;
16511 ++ nq10 = p01_tmp1_swap;
16512 ++ nq_p11 = p01_tmp1_swap + (u32)8U;
16513 ++ swap1 = p01_tmp1_swap + (u32)32U;
16514 ++ cswap2((u64)1U, nq10, nq_p11);
16515 ++ point_add_and_double(init1, p01_tmp11, tmp2);
16516 ++ swap1[0U] = (u64)1U;
16517 ++ {
16518 ++ u32 i;
16519 ++ for (i = (u32)0U; i < (u32)251U; i = i + (u32)1U) {
16520 ++ u64 *p01_tmp12 = p01_tmp1_swap;
16521 ++ u64 *swap2 = p01_tmp1_swap + (u32)32U;
16522 ++ u64 *nq2 = p01_tmp12;
16523 ++ u64 *nq_p12 = p01_tmp12 + (u32)8U;
16524 ++ u64 bit = (u64)(key[((u32)253U - i) / (u32)8U] >> ((u32)253U - i) % (u32)8U & (u8)1U);
16525 ++ u64 sw = swap2[0U] ^ bit;
16526 ++ cswap2(sw, nq2, nq_p12);
16527 ++ point_add_and_double(init1, p01_tmp12, tmp2);
16528 ++ swap2[0U] = bit;
16529 ++ }
16530 ++ }
16531 ++ sw0 = swap1[0U];
16532 ++ cswap2(sw0, nq10, nq_p11);
16533 ++ nq1 = p01_tmp1;
16534 ++ tmp1 = p01_tmp1 + (u32)16U;
16535 ++ point_double(nq1, tmp1, tmp2);
16536 ++ point_double(nq1, tmp1, tmp2);
16537 ++ point_double(nq1, tmp1, tmp2);
16538 ++ memcpy(out, p0, (u32)8U * sizeof(p0[0U]));
16539 ++
16540 ++ memzero_explicit(tmp2, sizeof(tmp2));
16541 ++ memzero_explicit(p01_tmp1_swap, sizeof(p01_tmp1_swap));
16542 ++}
16543 ++
16544 ++static void fsquare_times(u64 *o, const u64 *inp, u64 *tmp, u32 n1)
16545 ++{
16546 ++ u32 i;
16547 ++ fsqr(o, inp, tmp);
16548 ++ for (i = (u32)0U; i < n1 - (u32)1U; i = i + (u32)1U)
16549 ++ fsqr(o, o, tmp);
16550 ++}
16551 ++
16552 ++static void finv(u64 *o, const u64 *i, u64 *tmp)
16553 ++{
16554 ++ u64 t1[16U] = { 0U };
16555 ++ u64 *a0 = t1;
16556 ++ u64 *b = t1 + (u32)4U;
16557 ++ u64 *c = t1 + (u32)8U;
16558 ++ u64 *t00 = t1 + (u32)12U;
16559 ++ u64 *tmp1 = tmp;
16560 ++ u64 *a;
16561 ++ u64 *t0;
16562 ++ fsquare_times(a0, i, tmp1, (u32)1U);
16563 ++ fsquare_times(t00, a0, tmp1, (u32)2U);
16564 ++ fmul(b, t00, i, tmp);
16565 ++ fmul(a0, b, a0, tmp);
16566 ++ fsquare_times(t00, a0, tmp1, (u32)1U);
16567 ++ fmul(b, t00, b, tmp);
16568 ++ fsquare_times(t00, b, tmp1, (u32)5U);
16569 ++ fmul(b, t00, b, tmp);
16570 ++ fsquare_times(t00, b, tmp1, (u32)10U);
16571 ++ fmul(c, t00, b, tmp);
16572 ++ fsquare_times(t00, c, tmp1, (u32)20U);
16573 ++ fmul(t00, t00, c, tmp);
16574 ++ fsquare_times(t00, t00, tmp1, (u32)10U);
16575 ++ fmul(b, t00, b, tmp);
16576 ++ fsquare_times(t00, b, tmp1, (u32)50U);
16577 ++ fmul(c, t00, b, tmp);
16578 ++ fsquare_times(t00, c, tmp1, (u32)100U);
16579 ++ fmul(t00, t00, c, tmp);
16580 ++ fsquare_times(t00, t00, tmp1, (u32)50U);
16581 ++ fmul(t00, t00, b, tmp);
16582 ++ fsquare_times(t00, t00, tmp1, (u32)5U);
16583 ++ a = t1;
16584 ++ t0 = t1 + (u32)12U;
16585 ++ fmul(o, t0, a, tmp);
16586 ++}
16587 ++
16588 ++static void store_felem(u64 *b, u64 *f)
16589 ++{
16590 ++ u64 f30 = f[3U];
16591 ++ u64 top_bit0 = f30 >> (u32)63U;
16592 ++ u64 f31;
16593 ++ u64 top_bit;
16594 ++ u64 f0;
16595 ++ u64 f1;
16596 ++ u64 f2;
16597 ++ u64 f3;
16598 ++ u64 m0;
16599 ++ u64 m1;
16600 ++ u64 m2;
16601 ++ u64 m3;
16602 ++ u64 mask;
16603 ++ u64 f0_;
16604 ++ u64 f1_;
16605 ++ u64 f2_;
16606 ++ u64 f3_;
16607 ++ u64 o0;
16608 ++ u64 o1;
16609 ++ u64 o2;
16610 ++ u64 o3;
16611 ++ f[3U] = f30 & (u64)0x7fffffffffffffffU;
16612 ++ add_scalar(f, f, (u64)19U * top_bit0);
16613 ++ f31 = f[3U];
16614 ++ top_bit = f31 >> (u32)63U;
16615 ++ f[3U] = f31 & (u64)0x7fffffffffffffffU;
16616 ++ add_scalar(f, f, (u64)19U * top_bit);
16617 ++ f0 = f[0U];
16618 ++ f1 = f[1U];
16619 ++ f2 = f[2U];
16620 ++ f3 = f[3U];
16621 ++ m0 = gte_mask(f0, (u64)0xffffffffffffffedU);
16622 ++ m1 = eq_mask(f1, (u64)0xffffffffffffffffU);
16623 ++ m2 = eq_mask(f2, (u64)0xffffffffffffffffU);
16624 ++ m3 = eq_mask(f3, (u64)0x7fffffffffffffffU);
16625 ++ mask = ((m0 & m1) & m2) & m3;
16626 ++ f0_ = f0 - (mask & (u64)0xffffffffffffffedU);
16627 ++ f1_ = f1 - (mask & (u64)0xffffffffffffffffU);
16628 ++ f2_ = f2 - (mask & (u64)0xffffffffffffffffU);
16629 ++ f3_ = f3 - (mask & (u64)0x7fffffffffffffffU);
16630 ++ o0 = f0_;
16631 ++ o1 = f1_;
16632 ++ o2 = f2_;
16633 ++ o3 = f3_;
16634 ++ b[0U] = o0;
16635 ++ b[1U] = o1;
16636 ++ b[2U] = o2;
16637 ++ b[3U] = o3;
16638 ++}
16639 ++
16640 ++static void encode_point(u8 *o, const u64 *i)
16641 ++{
16642 ++ const u64 *x = i;
16643 ++ const u64 *z = i + (u32)4U;
16644 ++ u64 tmp[4U] = { 0U };
16645 ++ u64 tmp_w[16U] = { 0U };
16646 ++ finv(tmp, z, tmp_w);
16647 ++ fmul(tmp, tmp, x, tmp_w);
16648 ++ store_felem((u64 *)o, tmp);
16649 ++}
16650 ++
16651 ++static void curve25519_ever64(u8 *out, const u8 *priv, const u8 *pub)
16652 ++{
16653 ++ u64 init1[8U] = { 0U };
16654 ++ u64 tmp[4U] = { 0U };
16655 ++ u64 tmp3;
16656 ++ u64 *x;
16657 ++ u64 *z;
16658 ++ {
16659 ++ u32 i;
16660 ++ for (i = (u32)0U; i < (u32)4U; i = i + (u32)1U) {
16661 ++ u64 *os = tmp;
16662 ++ const u8 *bj = pub + i * (u32)8U;
16663 ++ u64 u = *(u64 *)bj;
16664 ++ u64 r = u;
16665 ++ u64 x0 = r;
16666 ++ os[i] = x0;
16667 ++ }
16668 ++ }
16669 ++ tmp3 = tmp[3U];
16670 ++ tmp[3U] = tmp3 & (u64)0x7fffffffffffffffU;
16671 ++ x = init1;
16672 ++ z = init1 + (u32)4U;
16673 ++ z[0U] = (u64)1U;
16674 ++ z[1U] = (u64)0U;
16675 ++ z[2U] = (u64)0U;
16676 ++ z[3U] = (u64)0U;
16677 ++ x[0U] = tmp[0U];
16678 ++ x[1U] = tmp[1U];
16679 ++ x[2U] = tmp[2U];
16680 ++ x[3U] = tmp[3U];
16681 ++ montgomery_ladder(init1, priv, init1);
16682 ++ encode_point(out, init1);
16683 ++}
16684 ++
16685 ++/* The below constants were generated using this sage script:
16686 ++ *
16687 ++ * #!/usr/bin/env sage
16688 ++ * import sys
16689 ++ * from sage.all import *
16690 ++ * def limbs(n):
16691 ++ * n = int(n)
16692 ++ * l = ((n >> 0) % 2^64, (n >> 64) % 2^64, (n >> 128) % 2^64, (n >> 192) % 2^64)
16693 ++ * return "0x%016xULL, 0x%016xULL, 0x%016xULL, 0x%016xULL" % l
16694 ++ * ec = EllipticCurve(GF(2^255 - 19), [0, 486662, 0, 1, 0])
16695 ++ * p_minus_s = (ec.lift_x(9) - ec.lift_x(1))[0]
16696 ++ * print("static const u64 p_minus_s[] = { %s };\n" % limbs(p_minus_s))
16697 ++ * print("static const u64 table_ladder[] = {")
16698 ++ * p = ec.lift_x(9)
16699 ++ * for i in range(252):
16700 ++ * l = (p[0] + p[2]) / (p[0] - p[2])
16701 ++ * print(("\t%s" + ("," if i != 251 else "")) % limbs(l))
16702 ++ * p = p * 2
16703 ++ * print("};")
16704 ++ *
16705 ++ */
16706 ++
16707 ++static const u64 p_minus_s[] = { 0x816b1e0137d48290ULL, 0x440f6a51eb4d1207ULL, 0x52385f46dca2b71dULL, 0x215132111d8354cbULL };
16708 ++
16709 ++static const u64 table_ladder[] = {
16710 ++ 0xfffffffffffffff3ULL, 0xffffffffffffffffULL, 0xffffffffffffffffULL, 0x5fffffffffffffffULL,
16711 ++ 0x6b8220f416aafe96ULL, 0x82ebeb2b4f566a34ULL, 0xd5a9a5b075a5950fULL, 0x5142b2cf4b2488f4ULL,
16712 ++ 0x6aaebc750069680cULL, 0x89cf7820a0f99c41ULL, 0x2a58d9183b56d0f4ULL, 0x4b5aca80e36011a4ULL,
16713 ++ 0x329132348c29745dULL, 0xf4a2e616e1642fd7ULL, 0x1e45bb03ff67bc34ULL, 0x306912d0f42a9b4aULL,
16714 ++ 0xff886507e6af7154ULL, 0x04f50e13dfeec82fULL, 0xaa512fe82abab5ceULL, 0x174e251a68d5f222ULL,
16715 ++ 0xcf96700d82028898ULL, 0x1743e3370a2c02c5ULL, 0x379eec98b4e86eaaULL, 0x0c59888a51e0482eULL,
16716 ++ 0xfbcbf1d699b5d189ULL, 0xacaef0d58e9fdc84ULL, 0xc1c20d06231f7614ULL, 0x2938218da274f972ULL,
16717 ++ 0xf6af49beff1d7f18ULL, 0xcc541c22387ac9c2ULL, 0x96fcc9ef4015c56bULL, 0x69c1627c690913a9ULL,
16718 ++ 0x7a86fd2f4733db0eULL, 0xfdb8c4f29e087de9ULL, 0x095e4b1a8ea2a229ULL, 0x1ad7a7c829b37a79ULL,
16719 ++ 0x342d89cad17ea0c0ULL, 0x67bedda6cced2051ULL, 0x19ca31bf2bb42f74ULL, 0x3df7b4c84980acbbULL,
16720 ++ 0xa8c6444dc80ad883ULL, 0xb91e440366e3ab85ULL, 0xc215cda00164f6d8ULL, 0x3d867c6ef247e668ULL,
16721 ++ 0xc7dd582bcc3e658cULL, 0xfd2c4748ee0e5528ULL, 0xa0fd9b95cc9f4f71ULL, 0x7529d871b0675ddfULL,
16722 ++ 0xb8f568b42d3cbd78ULL, 0x1233011b91f3da82ULL, 0x2dce6ccd4a7c3b62ULL, 0x75e7fc8e9e498603ULL,
16723 ++ 0x2f4f13f1fcd0b6ecULL, 0xf1a8ca1f29ff7a45ULL, 0xc249c1a72981e29bULL, 0x6ebe0dbb8c83b56aULL,
16724 ++ 0x7114fa8d170bb222ULL, 0x65a2dcd5bf93935fULL, 0xbdc41f68b59c979aULL, 0x2f0eef79a2ce9289ULL,
16725 ++ 0x42ecbf0c083c37ceULL, 0x2930bc09ec496322ULL, 0xf294b0c19cfeac0dULL, 0x3780aa4bedfabb80ULL,
16726 ++ 0x56c17d3e7cead929ULL, 0xe7cb4beb2e5722c5ULL, 0x0ce931732dbfe15aULL, 0x41b883c7621052f8ULL,
16727 ++ 0xdbf75ca0c3d25350ULL, 0x2936be086eb1e351ULL, 0xc936e03cb4a9b212ULL, 0x1d45bf82322225aaULL,
16728 ++ 0xe81ab1036a024cc5ULL, 0xe212201c304c9a72ULL, 0xc5d73fba6832b1fcULL, 0x20ffdb5a4d839581ULL,
16729 ++ 0xa283d367be5d0fadULL, 0x6c2b25ca8b164475ULL, 0x9d4935467caaf22eULL, 0x5166408eee85ff49ULL,
16730 ++ 0x3c67baa2fab4e361ULL, 0xb3e433c67ef35cefULL, 0x5259729241159b1cULL, 0x6a621892d5b0ab33ULL,
16731 ++ 0x20b74a387555cdcbULL, 0x532aa10e1208923fULL, 0xeaa17b7762281dd1ULL, 0x61ab3443f05c44bfULL,
16732 ++ 0x257a6c422324def8ULL, 0x131c6c1017e3cf7fULL, 0x23758739f630a257ULL, 0x295a407a01a78580ULL,
16733 ++ 0xf8c443246d5da8d9ULL, 0x19d775450c52fa5dULL, 0x2afcfc92731bf83dULL, 0x7d10c8e81b2b4700ULL,
16734 ++ 0xc8e0271f70baa20bULL, 0x993748867ca63957ULL, 0x5412efb3cb7ed4bbULL, 0x3196d36173e62975ULL,
16735 ++ 0xde5bcad141c7dffcULL, 0x47cc8cd2b395c848ULL, 0xa34cd942e11af3cbULL, 0x0256dbf2d04ecec2ULL,
16736 ++ 0x875ab7e94b0e667fULL, 0xcad4dd83c0850d10ULL, 0x47f12e8f4e72c79fULL, 0x5f1a87bb8c85b19bULL,
16737 ++ 0x7ae9d0b6437f51b8ULL, 0x12c7ce5518879065ULL, 0x2ade09fe5cf77aeeULL, 0x23a05a2f7d2c5627ULL,
16738 ++ 0x5908e128f17c169aULL, 0xf77498dd8ad0852dULL, 0x74b4c4ceab102f64ULL, 0x183abadd10139845ULL,
16739 ++ 0xb165ba8daa92aaacULL, 0xd5c5ef9599386705ULL, 0xbe2f8f0cf8fc40d1ULL, 0x2701e635ee204514ULL,
16740 ++ 0x629fa80020156514ULL, 0xf223868764a8c1ceULL, 0x5b894fff0b3f060eULL, 0x60d9944cf708a3faULL,
16741 ++ 0xaeea001a1c7a201fULL, 0xebf16a633ee2ce63ULL, 0x6f7709594c7a07e1ULL, 0x79b958150d0208cbULL,
16742 ++ 0x24b55e5301d410e7ULL, 0xe3a34edff3fdc84dULL, 0xd88768e4904032d8ULL, 0x131384427b3aaeecULL,
16743 ++ 0x8405e51286234f14ULL, 0x14dc4739adb4c529ULL, 0xb8a2b5b250634ffdULL, 0x2fe2a94ad8a7ff93ULL,
16744 ++ 0xec5c57efe843faddULL, 0x2843ce40f0bb9918ULL, 0xa4b561d6cf3d6305ULL, 0x743629bde8fb777eULL,
16745 ++ 0x343edd46bbaf738fULL, 0xed981828b101a651ULL, 0xa401760b882c797aULL, 0x1fc223e28dc88730ULL,
16746 ++ 0x48604e91fc0fba0eULL, 0xb637f78f052c6fa4ULL, 0x91ccac3d09e9239cULL, 0x23f7eed4437a687cULL,
16747 ++ 0x5173b1118d9bd800ULL, 0x29d641b63189d4a7ULL, 0xfdbf177988bbc586ULL, 0x2959894fcad81df5ULL,
16748 ++ 0xaebc8ef3b4bbc899ULL, 0x4148995ab26992b9ULL, 0x24e20b0134f92cfbULL, 0x40d158894a05dee8ULL,
16749 ++ 0x46b00b1185af76f6ULL, 0x26bac77873187a79ULL, 0x3dc0bf95ab8fff5fULL, 0x2a608bd8945524d7ULL,
16750 ++ 0x26449588bd446302ULL, 0x7c4bc21c0388439cULL, 0x8e98a4f383bd11b2ULL, 0x26218d7bc9d876b9ULL,
16751 ++ 0xe3081542997c178aULL, 0x3c2d29a86fb6606fULL, 0x5c217736fa279374ULL, 0x7dde05734afeb1faULL,
16752 ++ 0x3bf10e3906d42babULL, 0xe4f7803e1980649cULL, 0xe6053bf89595bf7aULL, 0x394faf38da245530ULL,
16753 ++ 0x7a8efb58896928f4ULL, 0xfbc778e9cc6a113cULL, 0x72670ce330af596fULL, 0x48f222a81d3d6cf7ULL,
16754 ++ 0xf01fce410d72caa7ULL, 0x5a20ecc7213b5595ULL, 0x7bc21165c1fa1483ULL, 0x07f89ae31da8a741ULL,
16755 ++ 0x05d2c2b4c6830ff9ULL, 0xd43e330fc6316293ULL, 0xa5a5590a96d3a904ULL, 0x705edb91a65333b6ULL,
16756 ++ 0x048ee15e0bb9a5f7ULL, 0x3240cfca9e0aaf5dULL, 0x8f4b71ceedc4a40bULL, 0x621c0da3de544a6dULL,
16757 ++ 0x92872836a08c4091ULL, 0xce8375b010c91445ULL, 0x8a72eb524f276394ULL, 0x2667fcfa7ec83635ULL,
16758 ++ 0x7f4c173345e8752aULL, 0x061b47feee7079a5ULL, 0x25dd9afa9f86ff34ULL, 0x3780cef5425dc89cULL,
16759 ++ 0x1a46035a513bb4e9ULL, 0x3e1ef379ac575adaULL, 0xc78c5f1c5fa24b50ULL, 0x321a967634fd9f22ULL,
16760 ++ 0x946707b8826e27faULL, 0x3dca84d64c506fd0ULL, 0xc189218075e91436ULL, 0x6d9284169b3b8484ULL,
16761 ++ 0x3a67e840383f2ddfULL, 0x33eec9a30c4f9b75ULL, 0x3ec7c86fa783ef47ULL, 0x26ec449fbac9fbc4ULL,
16762 ++ 0x5c0f38cba09b9e7dULL, 0x81168cc762a3478cULL, 0x3e23b0d306fc121cULL, 0x5a238aa0a5efdcddULL,
16763 ++ 0x1ba26121c4ea43ffULL, 0x36f8c77f7c8832b5ULL, 0x88fbea0b0adcf99aULL, 0x5ca9938ec25bebf9ULL,
16764 ++ 0xd5436a5e51fccda0ULL, 0x1dbc4797c2cd893bULL, 0x19346a65d3224a08ULL, 0x0f5034e49b9af466ULL,
16765 ++ 0xf23c3967a1e0b96eULL, 0xe58b08fa867a4d88ULL, 0xfb2fabc6a7341679ULL, 0x2a75381eb6026946ULL,
16766 ++ 0xc80a3be4c19420acULL, 0x66b1f6c681f2b6dcULL, 0x7cf7036761e93388ULL, 0x25abbbd8a660a4c4ULL,
16767 ++ 0x91ea12ba14fd5198ULL, 0x684950fc4a3cffa9ULL, 0xf826842130f5ad28ULL, 0x3ea988f75301a441ULL,
16768 ++ 0xc978109a695f8c6fULL, 0x1746eb4a0530c3f3ULL, 0x444d6d77b4459995ULL, 0x75952b8c054e5cc7ULL,
16769 ++ 0xa3703f7915f4d6aaULL, 0x66c346202f2647d8ULL, 0xd01469df811d644bULL, 0x77fea47d81a5d71fULL,
16770 ++ 0xc5e9529ef57ca381ULL, 0x6eeeb4b9ce2f881aULL, 0xb6e91a28e8009bd6ULL, 0x4b80be3e9afc3fecULL,
16771 ++ 0x7e3773c526aed2c5ULL, 0x1b4afcb453c9a49dULL, 0xa920bdd7baffb24dULL, 0x7c54699f122d400eULL,
16772 ++ 0xef46c8e14fa94bc8ULL, 0xe0b074ce2952ed5eULL, 0xbea450e1dbd885d5ULL, 0x61b68649320f712cULL,
16773 ++ 0x8a485f7309ccbdd1ULL, 0xbd06320d7d4d1a2dULL, 0x25232973322dbef4ULL, 0x445dc4758c17f770ULL,
16774 ++ 0xdb0434177cc8933cULL, 0xed6fe82175ea059fULL, 0x1efebefdc053db34ULL, 0x4adbe867c65daf99ULL,
16775 ++ 0x3acd71a2a90609dfULL, 0xe5e991856dd04050ULL, 0x1ec69b688157c23cULL, 0x697427f6885cfe4dULL,
16776 ++ 0xd7be7b9b65e1a851ULL, 0xa03d28d522c536ddULL, 0x28399d658fd2b645ULL, 0x49e5b7e17c2641e1ULL,
16777 ++ 0x6f8c3a98700457a4ULL, 0x5078f0a25ebb6778ULL, 0xd13c3ccbc382960fULL, 0x2e003258a7df84b1ULL,
16778 ++ 0x8ad1f39be6296a1cULL, 0xc1eeaa652a5fbfb2ULL, 0x33ee0673fd26f3cbULL, 0x59256173a69d2cccULL,
16779 ++ 0x41ea07aa4e18fc41ULL, 0xd9fc19527c87a51eULL, 0xbdaacb805831ca6fULL, 0x445b652dc916694fULL,
16780 ++ 0xce92a3a7f2172315ULL, 0x1edc282de11b9964ULL, 0xa1823aafe04c314aULL, 0x790a2d94437cf586ULL,
16781 ++ 0x71c447fb93f6e009ULL, 0x8922a56722845276ULL, 0xbf70903b204f5169ULL, 0x2f7a89891ba319feULL,
16782 ++ 0x02a08eb577e2140cULL, 0xed9a4ed4427bdcf4ULL, 0x5253ec44e4323cd1ULL, 0x3e88363c14e9355bULL,
16783 ++ 0xaa66c14277110b8cULL, 0x1ae0391610a23390ULL, 0x2030bd12c93fc2a2ULL, 0x3ee141579555c7abULL,
16784 ++ 0x9214de3a6d6e7d41ULL, 0x3ccdd88607f17efeULL, 0x674f1288f8e11217ULL, 0x5682250f329f93d0ULL,
16785 ++ 0x6cf00b136d2e396eULL, 0x6e4cf86f1014debfULL, 0x5930b1b5bfcc4e83ULL, 0x047069b48aba16b6ULL,
16786 ++ 0x0d4ce4ab69b20793ULL, 0xb24db91a97d0fb9eULL, 0xcdfa50f54e00d01dULL, 0x221b1085368bddb5ULL,
16787 ++ 0xe7e59468b1e3d8d2ULL, 0x53c56563bd122f93ULL, 0xeee8a903e0663f09ULL, 0x61efa662cbbe3d42ULL,
16788 ++ 0x2cf8ddddde6eab2aULL, 0x9bf80ad51435f231ULL, 0x5deadacec9f04973ULL, 0x29275b5d41d29b27ULL,
16789 ++ 0xcfde0f0895ebf14fULL, 0xb9aab96b054905a7ULL, 0xcae80dd9a1c420fdULL, 0x0a63bf2f1673bbc7ULL,
16790 ++ 0x092f6e11958fbc8cULL, 0x672a81e804822fadULL, 0xcac8351560d52517ULL, 0x6f3f7722c8f192f8ULL,
16791 ++ 0xf8ba90ccc2e894b7ULL, 0x2c7557a438ff9f0dULL, 0x894d1d855ae52359ULL, 0x68e122157b743d69ULL,
16792 ++ 0xd87e5570cfb919f3ULL, 0x3f2cdecd95798db9ULL, 0x2121154710c0a2ceULL, 0x3c66a115246dc5b2ULL,
16793 ++ 0xcbedc562294ecb72ULL, 0xba7143c36a280b16ULL, 0x9610c2efd4078b67ULL, 0x6144735d946a4b1eULL,
16794 ++ 0x536f111ed75b3350ULL, 0x0211db8c2041d81bULL, 0xf93cb1000e10413cULL, 0x149dfd3c039e8876ULL,
16795 ++ 0xd479dde46b63155bULL, 0xb66e15e93c837976ULL, 0xdafde43b1f13e038ULL, 0x5fafda1a2e4b0b35ULL,
16796 ++ 0x3600bbdf17197581ULL, 0x3972050bbe3cd2c2ULL, 0x5938906dbdd5be86ULL, 0x34fce5e43f9b860fULL,
16797 ++ 0x75a8a4cd42d14d02ULL, 0x828dabc53441df65ULL, 0x33dcabedd2e131d3ULL, 0x3ebad76fb814d25fULL,
16798 ++ 0xd4906f566f70e10fULL, 0x5d12f7aa51690f5aULL, 0x45adb16e76cefcf2ULL, 0x01f768aead232999ULL,
16799 ++ 0x2b6cc77b6248febdULL, 0x3cd30628ec3aaffdULL, 0xce1c0b80d4ef486aULL, 0x4c3bff2ea6f66c23ULL,
16800 ++ 0x3f2ec4094aeaeb5fULL, 0x61b19b286e372ca7ULL, 0x5eefa966de2a701dULL, 0x23b20565de55e3efULL,
16801 ++ 0xe301ca5279d58557ULL, 0x07b2d4ce27c2874fULL, 0xa532cd8a9dcf1d67ULL, 0x2a52fee23f2bff56ULL,
16802 ++ 0x8624efb37cd8663dULL, 0xbbc7ac20ffbd7594ULL, 0x57b85e9c82d37445ULL, 0x7b3052cb86a6ec66ULL,
16803 ++ 0x3482f0ad2525e91eULL, 0x2cb68043d28edca0ULL, 0xaf4f6d052e1b003aULL, 0x185f8c2529781b0aULL,
16804 ++ 0xaa41de5bd80ce0d6ULL, 0x9407b2416853e9d6ULL, 0x563ec36e357f4c3aULL, 0x4cc4b8dd0e297bceULL,
16805 ++ 0xa2fc1a52ffb8730eULL, 0x1811f16e67058e37ULL, 0x10f9a366cddf4ee1ULL, 0x72f4a0c4a0b9f099ULL,
16806 ++ 0x8c16c06f663f4ea7ULL, 0x693b3af74e970fbaULL, 0x2102e7f1d69ec345ULL, 0x0ba53cbc968a8089ULL,
16807 ++ 0xca3d9dc7fea15537ULL, 0x4c6824bb51536493ULL, 0xb9886314844006b1ULL, 0x40d2a72ab454cc60ULL,
16808 ++ 0x5936a1b712570975ULL, 0x91b9d648debda657ULL, 0x3344094bb64330eaULL, 0x006ba10d12ee51d0ULL,
16809 ++ 0x19228468f5de5d58ULL, 0x0eb12f4c38cc05b0ULL, 0xa1039f9dd5601990ULL, 0x4502d4ce4fff0e0bULL,
16810 ++ 0xeb2054106837c189ULL, 0xd0f6544c6dd3b93cULL, 0x40727064c416d74fULL, 0x6e15c6114b502ef0ULL,
16811 ++ 0x4df2a398cfb1a76bULL, 0x11256c7419f2f6b1ULL, 0x4a497962066e6043ULL, 0x705b3aab41355b44ULL,
16812 ++ 0x365ef536d797b1d8ULL, 0x00076bd622ddf0dbULL, 0x3bbf33b0e0575a88ULL, 0x3777aa05c8e4ca4dULL,
16813 ++ 0x392745c85578db5fULL, 0x6fda4149dbae5ae2ULL, 0xb1f0b00b8adc9867ULL, 0x09963437d36f1da3ULL,
16814 ++ 0x7e824e90a5dc3853ULL, 0xccb5f6641f135cbdULL, 0x6736d86c87ce8fccULL, 0x625f3ce26604249fULL,
16815 ++ 0xaf8ac8059502f63fULL, 0x0c05e70a2e351469ULL, 0x35292e9c764b6305ULL, 0x1a394360c7e23ac3ULL,
16816 ++ 0xd5c6d53251183264ULL, 0x62065abd43c2b74fULL, 0xb5fbf5d03b973f9bULL, 0x13a3da3661206e5eULL,
16817 ++ 0xc6bd5837725d94e5ULL, 0x18e30912205016c5ULL, 0x2088ce1570033c68ULL, 0x7fba1f495c837987ULL,
16818 ++ 0x5a8c7423f2f9079dULL, 0x1735157b34023fc5ULL, 0xe4f9b49ad2fab351ULL, 0x6691ff72c878e33cULL,
16819 ++ 0x122c2adedc5eff3eULL, 0xf8dd4bf1d8956cf4ULL, 0xeb86205d9e9e5bdaULL, 0x049b92b9d975c743ULL,
16820 ++ 0xa5379730b0f6c05aULL, 0x72a0ffacc6f3a553ULL, 0xb0032c34b20dcd6dULL, 0x470e9dbc88d5164aULL,
16821 ++ 0xb19cf10ca237c047ULL, 0xb65466711f6c81a2ULL, 0xb3321bd16dd80b43ULL, 0x48c14f600c5fbe8eULL,
16822 ++ 0x66451c264aa6c803ULL, 0xb66e3904a4fa7da6ULL, 0xd45f19b0b3128395ULL, 0x31602627c3c9bc10ULL,
16823 ++ 0x3120dc4832e4e10dULL, 0xeb20c46756c717f7ULL, 0x00f52e3f67280294ULL, 0x566d4fc14730c509ULL,
16824 ++ 0x7e3a5d40fd837206ULL, 0xc1e926dc7159547aULL, 0x216730fba68d6095ULL, 0x22e8c3843f69cea7ULL,
16825 ++ 0x33d074e8930e4b2bULL, 0xb6e4350e84d15816ULL, 0x5534c26ad6ba2365ULL, 0x7773c12f89f1f3f3ULL,
16826 ++ 0x8cba404da57962aaULL, 0x5b9897a81999ce56ULL, 0x508e862f121692fcULL, 0x3a81907fa093c291ULL,
16827 ++ 0x0dded0ff4725a510ULL, 0x10d8cc10673fc503ULL, 0x5b9d151c9f1f4e89ULL, 0x32a5c1d5cb09a44cULL,
16828 ++ 0x1e0aa442b90541fbULL, 0x5f85eb7cc1b485dbULL, 0xbee595ce8a9df2e5ULL, 0x25e496c722422236ULL,
16829 ++ 0x5edf3c46cd0fe5b9ULL, 0x34e75a7ed2a43388ULL, 0xe488de11d761e352ULL, 0x0e878a01a085545cULL,
16830 ++ 0xba493c77e021bb04ULL, 0x2b4d1843c7df899aULL, 0x9ea37a487ae80d67ULL, 0x67a9958011e41794ULL,
16831 ++ 0x4b58051a6697b065ULL, 0x47e33f7d8d6ba6d4ULL, 0xbb4da8d483ca46c1ULL, 0x68becaa181c2db0dULL,
16832 ++ 0x8d8980e90b989aa5ULL, 0xf95eb14a2c93c99bULL, 0x51c6c7c4796e73a2ULL, 0x6e228363b5efb569ULL,
16833 ++ 0xc6bbc0b02dd624c8ULL, 0x777eb47dec8170eeULL, 0x3cde15a004cfafa9ULL, 0x1dc6bc087160bf9bULL,
16834 ++ 0x2e07e043eec34002ULL, 0x18e9fc677a68dc7fULL, 0xd8da03188bd15b9aULL, 0x48fbc3bb00568253ULL,
16835 ++ 0x57547d4cfb654ce1ULL, 0xd3565b82a058e2adULL, 0xf63eaf0bbf154478ULL, 0x47531ef114dfbb18ULL,
16836 ++ 0xe1ec630a4278c587ULL, 0x5507d546ca8e83f3ULL, 0x85e135c63adc0c2bULL, 0x0aa7efa85682844eULL,
16837 ++ 0x72691ba8b3e1f615ULL, 0x32b4e9701fbe3ffaULL, 0x97b6d92e39bb7868ULL, 0x2cfe53dea02e39e8ULL,
16838 ++ 0x687392cd85cd52b0ULL, 0x27ff66c910e29831ULL, 0x97134556a9832d06ULL, 0x269bb0360a84f8a0ULL,
16839 ++ 0x706e55457643f85cULL, 0x3734a48c9b597d1bULL, 0x7aee91e8c6efa472ULL, 0x5cd6abc198a9d9e0ULL,
16840 ++ 0x0e04de06cb3ce41aULL, 0xd8c6eb893402e138ULL, 0x904659bb686e3772ULL, 0x7215c371746ba8c8ULL,
16841 ++ 0xfd12a97eeae4a2d9ULL, 0x9514b7516394f2c5ULL, 0x266fd5809208f294ULL, 0x5c847085619a26b9ULL,
16842 ++ 0x52985410fed694eaULL, 0x3c905b934a2ed254ULL, 0x10bb47692d3be467ULL, 0x063b3d2d69e5e9e1ULL,
16843 ++ 0x472726eedda57debULL, 0xefb6c4ae10f41891ULL, 0x2b1641917b307614ULL, 0x117c554fc4f45b7cULL,
16844 ++ 0xc07cf3118f9d8812ULL, 0x01dbd82050017939ULL, 0xd7e803f4171b2827ULL, 0x1015e87487d225eaULL,
16845 ++ 0xc58de3fed23acc4dULL, 0x50db91c294a7be2dULL, 0x0b94d43d1c9cf457ULL, 0x6b1640fa6e37524aULL,
16846 ++ 0x692f346c5fda0d09ULL, 0x200b1c59fa4d3151ULL, 0xb8c46f760777a296ULL, 0x4b38395f3ffdfbcfULL,
16847 ++ 0x18d25e00be54d671ULL, 0x60d50582bec8aba6ULL, 0x87ad8f263b78b982ULL, 0x50fdf64e9cda0432ULL,
16848 ++ 0x90f567aac578dcf0ULL, 0xef1e9b0ef2a3133bULL, 0x0eebba9242d9de71ULL, 0x15473c9bf03101c7ULL,
16849 ++ 0x7c77e8ae56b78095ULL, 0xb678e7666e6f078eULL, 0x2da0b9615348ba1fULL, 0x7cf931c1ff733f0bULL,
16850 ++ 0x26b357f50a0a366cULL, 0xe9708cf42b87d732ULL, 0xc13aeea5f91cb2c0ULL, 0x35d90c991143bb4cULL,
16851 ++ 0x47c1c404a9a0d9dcULL, 0x659e58451972d251ULL, 0x3875a8c473b38c31ULL, 0x1fbd9ed379561f24ULL,
16852 ++ 0x11fabc6fd41ec28dULL, 0x7ef8dfe3cd2a2dcaULL, 0x72e73b5d8c404595ULL, 0x6135fa4954b72f27ULL,
16853 ++ 0xccfc32a2de24b69cULL, 0x3f55698c1f095d88ULL, 0xbe3350ed5ac3f929ULL, 0x5e9bf806ca477eebULL,
16854 ++ 0xe9ce8fb63c309f68ULL, 0x5376f63565e1f9f4ULL, 0xd1afcfb35a6393f1ULL, 0x6632a1ede5623506ULL,
16855 ++ 0x0b7d6c390c2ded4cULL, 0x56cb3281df04cb1fULL, 0x66305a1249ecc3c7ULL, 0x5d588b60a38ca72aULL,
16856 ++ 0xa6ecbf78e8e5f42dULL, 0x86eeb44b3c8a3eecULL, 0xec219c48fbd21604ULL, 0x1aaf1af517c36731ULL,
16857 ++ 0xc306a2836769bde7ULL, 0x208280622b1e2adbULL, 0x8027f51ffbff94a6ULL, 0x76cfa1ce1124f26bULL,
16858 ++ 0x18eb00562422abb6ULL, 0xf377c4d58f8c29c3ULL, 0x4dbbc207f531561aULL, 0x0253b7f082128a27ULL,
16859 ++ 0x3d1f091cb62c17e0ULL, 0x4860e1abd64628a9ULL, 0x52d17436309d4253ULL, 0x356f97e13efae576ULL,
16860 ++ 0xd351e11aa150535bULL, 0x3e6b45bb1dd878ccULL, 0x0c776128bed92c98ULL, 0x1d34ae93032885b8ULL,
16861 ++ 0x4ba0488ca85ba4c3ULL, 0x985348c33c9ce6ceULL, 0x66124c6f97bda770ULL, 0x0f81a0290654124aULL,
16862 ++ 0x9ed09ca6569b86fdULL, 0x811009fd18af9a2dULL, 0xff08d03f93d8c20aULL, 0x52a148199faef26bULL,
16863 ++ 0x3e03f9dc2d8d1b73ULL, 0x4205801873961a70ULL, 0xc0d987f041a35970ULL, 0x07aa1f15a1c0d549ULL,
16864 ++ 0xdfd46ce08cd27224ULL, 0x6d0a024f934e4239ULL, 0x808a7a6399897b59ULL, 0x0a4556e9e13d95a2ULL,
16865 ++ 0xd21a991fe9c13045ULL, 0x9b0e8548fe7751b8ULL, 0x5da643cb4bf30035ULL, 0x77db28d63940f721ULL,
16866 ++ 0xfc5eeb614adc9011ULL, 0x5229419ae8c411ebULL, 0x9ec3e7787d1dcf74ULL, 0x340d053e216e4cb5ULL,
16867 ++ 0xcac7af39b48df2b4ULL, 0xc0faec2871a10a94ULL, 0x140a69245ca575edULL, 0x0cf1c37134273a4cULL,
16868 ++ 0xc8ee306ac224b8a5ULL, 0x57eaee7ccb4930b0ULL, 0xa1e806bdaacbe74fULL, 0x7d9a62742eeb657dULL,
16869 ++ 0x9eb6b6ef546c4830ULL, 0x885cca1fddb36e2eULL, 0xe6b9f383ef0d7105ULL, 0x58654fef9d2e0412ULL,
16870 ++ 0xa905c4ffbe0e8e26ULL, 0x942de5df9b31816eULL, 0x497d723f802e88e1ULL, 0x30684dea602f408dULL,
16871 ++ 0x21e5a278a3e6cb34ULL, 0xaefb6e6f5b151dc4ULL, 0xb30b8e049d77ca15ULL, 0x28c3c9cf53b98981ULL,
16872 ++ 0x287fb721556cdd2aULL, 0x0d317ca897022274ULL, 0x7468c7423a543258ULL, 0x4a7f11464eb5642fULL,
16873 ++ 0xa237a4774d193aa6ULL, 0xd865986ea92129a1ULL, 0x24c515ecf87c1a88ULL, 0x604003575f39f5ebULL,
16874 ++ 0x47b9f189570a9b27ULL, 0x2b98cede465e4b78ULL, 0x026df551dbb85c20ULL, 0x74fcd91047e21901ULL,
16875 ++ 0x13e2a90a23c1bfa3ULL, 0x0cb0074e478519f6ULL, 0x5ff1cbbe3af6cf44ULL, 0x67fe5438be812dbeULL,
16876 ++ 0xd13cf64fa40f05b0ULL, 0x054dfb2f32283787ULL, 0x4173915b7f0d2aeaULL, 0x482f144f1f610d4eULL,
16877 ++ 0xf6210201b47f8234ULL, 0x5d0ae1929e70b990ULL, 0xdcd7f455b049567cULL, 0x7e93d0f1f0916f01ULL,
16878 ++ 0xdd79cbf18a7db4faULL, 0xbe8391bf6f74c62fULL, 0x027145d14b8291bdULL, 0x585a73ea2cbf1705ULL,
16879 ++ 0x485ca03e928a0db2ULL, 0x10fc01a5742857e7ULL, 0x2f482edbd6d551a7ULL, 0x0f0433b5048fdb8aULL,
16880 ++ 0x60da2e8dd7dc6247ULL, 0x88b4c9d38cd4819aULL, 0x13033ac001f66697ULL, 0x273b24fe3b367d75ULL,
16881 ++ 0xc6e8f66a31b3b9d4ULL, 0x281514a494df49d5ULL, 0xd1726fdfc8b23da7ULL, 0x4b3ae7d103dee548ULL,
16882 ++ 0xc6256e19ce4b9d7eULL, 0xff5c5cf186e3c61cULL, 0xacc63ca34b8ec145ULL, 0x74621888fee66574ULL,
16883 ++ 0x956f409645290a1eULL, 0xef0bf8e3263a962eULL, 0xed6a50eb5ec2647bULL, 0x0694283a9dca7502ULL,
16884 ++ 0x769b963643a2dcd1ULL, 0x42b7c8ea09fc5353ULL, 0x4f002aee13397eabULL, 0x63005e2c19b7d63aULL,
16885 ++ 0xca6736da63023beaULL, 0x966c7f6db12a99b7ULL, 0xace09390c537c5e1ULL, 0x0b696063a1aa89eeULL,
16886 ++ 0xebb03e97288c56e5ULL, 0x432a9f9f938c8be8ULL, 0xa6a5a93d5b717f71ULL, 0x1a5fb4c3e18f9d97ULL,
16887 ++ 0x1c94e7ad1c60cdceULL, 0xee202a43fc02c4a0ULL, 0x8dafe4d867c46a20ULL, 0x0a10263c8ac27b58ULL,
16888 ++ 0xd0dea9dfe4432a4aULL, 0x856af87bbe9277c5ULL, 0xce8472acc212c71aULL, 0x6f151b6d9bbb1e91ULL,
16889 ++ 0x26776c527ceed56aULL, 0x7d211cb7fbf8faecULL, 0x37ae66a6fd4609ccULL, 0x1f81b702d2770c42ULL,
16890 ++ 0x2fb0b057eac58392ULL, 0xe1dd89fe29744e9dULL, 0xc964f8eb17beb4f8ULL, 0x29571073c9a2d41eULL,
16891 ++ 0xa948a18981c0e254ULL, 0x2df6369b65b22830ULL, 0xa33eb2d75fcfd3c6ULL, 0x078cd6ec4199a01fULL,
16892 ++ 0x4a584a41ad900d2fULL, 0x32142b78e2c74c52ULL, 0x68c4e8338431c978ULL, 0x7f69ea9008689fc2ULL,
16893 ++ 0x52f2c81e46a38265ULL, 0xfd78072d04a832fdULL, 0x8cd7d5fa25359e94ULL, 0x4de71b7454cc29d2ULL,
16894 ++ 0x42eb60ad1eda6ac9ULL, 0x0aad37dfdbc09c3aULL, 0x81004b71e33cc191ULL, 0x44e6be345122803cULL,
16895 ++ 0x03fe8388ba1920dbULL, 0xf5d57c32150db008ULL, 0x49c8c4281af60c29ULL, 0x21edb518de701aeeULL,
16896 ++ 0x7fb63e418f06dc99ULL, 0xa4460d99c166d7b8ULL, 0x24dd5248ce520a83ULL, 0x5ec3ad712b928358ULL,
16897 ++ 0x15022a5fbd17930fULL, 0xa4f64a77d82570e3ULL, 0x12bc8d6915783712ULL, 0x498194c0fc620abbULL,
16898 ++ 0x38a2d9d255686c82ULL, 0x785c6bd9193e21f0ULL, 0xe4d5c81ab24a5484ULL, 0x56307860b2e20989ULL,
16899 ++ 0x429d55f78b4d74c4ULL, 0x22f1834643350131ULL, 0x1e60c24598c71fffULL, 0x59f2f014979983efULL,
16900 ++ 0x46a47d56eb494a44ULL, 0x3e22a854d636a18eULL, 0xb346e15274491c3bULL, 0x2ceafd4e5390cde7ULL,
16901 ++ 0xba8a8538be0d6675ULL, 0x4b9074bb50818e23ULL, 0xcbdab89085d304c3ULL, 0x61a24fe0e56192c4ULL,
16902 ++ 0xcb7615e6db525bcbULL, 0xdd7d8c35a567e4caULL, 0xe6b4153acafcdd69ULL, 0x2d668e097f3c9766ULL,
16903 ++ 0xa57e7e265ce55ef0ULL, 0x5d9f4e527cd4b967ULL, 0xfbc83606492fd1e5ULL, 0x090d52beb7c3f7aeULL,
16904 ++ 0x09b9515a1e7b4d7cULL, 0x1f266a2599da44c0ULL, 0xa1c49548e2c55504ULL, 0x7ef04287126f15ccULL,
16905 ++ 0xfed1659dbd30ef15ULL, 0x8b4ab9eec4e0277bULL, 0x884d6236a5df3291ULL, 0x1fd96ea6bf5cf788ULL,
16906 ++ 0x42a161981f190d9aULL, 0x61d849507e6052c1ULL, 0x9fe113bf285a2cd5ULL, 0x7c22d676dbad85d8ULL,
16907 ++ 0x82e770ed2bfbd27dULL, 0x4c05b2ece996f5a5ULL, 0xcd40a9c2b0900150ULL, 0x5895319213d9bf64ULL,
16908 ++ 0xe7cc5d703fea2e08ULL, 0xb50c491258e2188cULL, 0xcce30baa48205bf0ULL, 0x537c659ccfa32d62ULL,
16909 ++ 0x37b6623a98cfc088ULL, 0xfe9bed1fa4d6aca4ULL, 0x04d29b8e56a8d1b0ULL, 0x725f71c40b519575ULL,
16910 ++ 0x28c7f89cd0339ce6ULL, 0x8367b14469ddc18bULL, 0x883ada83a6a1652cULL, 0x585f1974034d6c17ULL,
16911 ++ 0x89cfb266f1b19188ULL, 0xe63b4863e7c35217ULL, 0xd88c9da6b4c0526aULL, 0x3e035c9df0954635ULL,
16912 ++ 0xdd9d5412fb45de9dULL, 0xdd684532e4cff40dULL, 0x4b5c999b151d671cULL, 0x2d8c2cc811e7f690ULL,
16913 ++ 0x7f54be1d90055d40ULL, 0xa464c5df464aaf40ULL, 0x33979624f0e917beULL, 0x2c018dc527356b30ULL,
16914 ++ 0xa5415024e330b3d4ULL, 0x73ff3d96691652d3ULL, 0x94ec42c4ef9b59f1ULL, 0x0747201618d08e5aULL,
16915 ++ 0x4d6ca48aca411c53ULL, 0x66415f2fcfa66119ULL, 0x9c4dd40051e227ffULL, 0x59810bc09a02f7ebULL,
16916 ++ 0x2a7eb171b3dc101dULL, 0x441c5ab99ffef68eULL, 0x32025c9b93b359eaULL, 0x5e8ce0a71e9d112fULL,
16917 ++ 0xbfcccb92429503fdULL, 0xd271ba752f095d55ULL, 0x345ead5e972d091eULL, 0x18c8df11a83103baULL,
16918 ++ 0x90cd949a9aed0f4cULL, 0xc5d1f4cb6660e37eULL, 0xb8cac52d56c52e0bULL, 0x6e42e400c5808e0dULL,
16919 ++ 0xa3b46966eeaefd23ULL, 0x0c4f1f0be39ecdcaULL, 0x189dc8c9d683a51dULL, 0x51f27f054c09351bULL,
16920 ++ 0x4c487ccd2a320682ULL, 0x587ea95bb3df1c96ULL, 0xc8ccf79e555cb8e8ULL, 0x547dc829a206d73dULL,
16921 ++ 0xb822a6cd80c39b06ULL, 0xe96d54732000d4c6ULL, 0x28535b6f91463b4dULL, 0x228f4660e2486e1dULL,
16922 ++ 0x98799538de8d3abfULL, 0x8cd8330045ebca6eULL, 0x79952a008221e738ULL, 0x4322e1a7535cd2bbULL,
16923 ++ 0xb114c11819d1801cULL, 0x2016e4d84f3f5ec7ULL, 0xdd0e2df409260f4cULL, 0x5ec362c0ae5f7266ULL,
16924 ++ 0xc0462b18b8b2b4eeULL, 0x7cc8d950274d1afbULL, 0xf25f7105436b02d2ULL, 0x43bbf8dcbff9ccd3ULL,
16925 ++ 0xb6ad1767a039e9dfULL, 0xb0714da8f69d3583ULL, 0x5e55fa18b42931f5ULL, 0x4ed5558f33c60961ULL,
16926 ++ 0x1fe37901c647a5ddULL, 0x593ddf1f8081d357ULL, 0x0249a4fd813fd7a6ULL, 0x69acca274e9caf61ULL,
16927 ++ 0x047ba3ea330721c9ULL, 0x83423fc20e7e1ea0ULL, 0x1df4c0af01314a60ULL, 0x09a62dab89289527ULL,
16928 ++ 0xa5b325a49cc6cb00ULL, 0xe94b5dc654b56cb6ULL, 0x3be28779adc994a0ULL, 0x4296e8f8ba3a4aadULL,
16929 ++ 0x328689761e451eabULL, 0x2e4d598bff59594aULL, 0x49b96853d7a7084aULL, 0x4980a319601420a8ULL,
16930 ++ 0x9565b9e12f552c42ULL, 0x8a5318db7100fe96ULL, 0x05c90b4d43add0d7ULL, 0x538b4cd66a5d4edaULL,
16931 ++ 0xf4e94fc3e89f039fULL, 0x592c9af26f618045ULL, 0x08a36eb5fd4b9550ULL, 0x25fffaf6c2ed1419ULL,
16932 ++ 0x34434459cc79d354ULL, 0xeeecbfb4b1d5476bULL, 0xddeb34a061615d99ULL, 0x5129cecceb64b773ULL,
16933 ++ 0xee43215894993520ULL, 0x772f9c7cf14c0b3bULL, 0xd2e2fce306bedad5ULL, 0x715f42b546f06a97ULL,
16934 ++ 0x434ecdceda5b5f1aULL, 0x0da17115a49741a9ULL, 0x680bd77c73edad2eULL, 0x487c02354edd9041ULL,
16935 ++ 0xb8efeff3a70ed9c4ULL, 0x56a32aa3e857e302ULL, 0xdf3a68bd48a2a5a0ULL, 0x07f650b73176c444ULL,
16936 ++ 0xe38b9b1626e0ccb1ULL, 0x79e053c18b09fb36ULL, 0x56d90319c9f94964ULL, 0x1ca941e7ac9ff5c4ULL,
16937 ++ 0x49c4df29162fa0bbULL, 0x8488cf3282b33305ULL, 0x95dfda14cabb437dULL, 0x3391f78264d5ad86ULL,
16938 ++ 0x729ae06ae2b5095dULL, 0xd58a58d73259a946ULL, 0xe9834262d13921edULL, 0x27fedafaa54bb592ULL,
16939 ++ 0xa99dc5b829ad48bbULL, 0x5f025742499ee260ULL, 0x802c8ecd5d7513fdULL, 0x78ceb3ef3f6dd938ULL,
16940 ++ 0xc342f44f8a135d94ULL, 0x7b9edb44828cdda3ULL, 0x9436d11a0537cfe7ULL, 0x5064b164ec1ab4c8ULL,
16941 ++ 0x7020eccfd37eb2fcULL, 0x1f31ea3ed90d25fcULL, 0x1b930d7bdfa1bb34ULL, 0x5344467a48113044ULL,
16942 ++ 0x70073170f25e6dfbULL, 0xe385dc1a50114cc8ULL, 0x2348698ac8fc4f00ULL, 0x2a77a55284dd40d8ULL,
16943 ++ 0xfe06afe0c98c6ce4ULL, 0xc235df96dddfd6e4ULL, 0x1428d01e33bf1ed3ULL, 0x785768ec9300bdafULL,
16944 ++ 0x9702e57a91deb63bULL, 0x61bdb8bfe5ce8b80ULL, 0x645b426f3d1d58acULL, 0x4804a82227a557bcULL,
16945 ++ 0x8e57048ab44d2601ULL, 0x68d6501a4b3a6935ULL, 0xc39c9ec3f9e1c293ULL, 0x4172f257d4de63e2ULL,
16946 ++ 0xd368b450330c6401ULL, 0x040d3017418f2391ULL, 0x2c34bb6090b7d90dULL, 0x16f649228fdfd51fULL,
16947 ++ 0xbea6818e2b928ef5ULL, 0xe28ccf91cdc11e72ULL, 0x594aaa68e77a36cdULL, 0x313034806c7ffd0fULL,
16948 ++ 0x8a9d27ac2249bd65ULL, 0x19a3b464018e9512ULL, 0xc26ccff352b37ec7ULL, 0x056f68341d797b21ULL,
16949 ++ 0x5e79d6757efd2327ULL, 0xfabdbcb6553afe15ULL, 0xd3e7222c6eaf5a60ULL, 0x7046c76d4dae743bULL,
16950 ++ 0x660be872b18d4a55ULL, 0x19992518574e1496ULL, 0xc103053a302bdcbbULL, 0x3ed8e9800b218e8eULL,
16951 ++ 0x7b0b9239fa75e03eULL, 0xefe9fb684633c083ULL, 0x98a35fbe391a7793ULL, 0x6065510fe2d0fe34ULL,
16952 ++ 0x55cb668548abad0cULL, 0xb4584548da87e527ULL, 0x2c43ecea0107c1ddULL, 0x526028809372de35ULL,
16953 ++ 0x3415c56af9213b1fULL, 0x5bee1a4d017e98dbULL, 0x13f6b105b5cf709bULL, 0x5ff20e3482b29ab6ULL,
16954 ++ 0x0aa29c75cc2e6c90ULL, 0xfc7d73ca3a70e206ULL, 0x899fc38fc4b5c515ULL, 0x250386b124ffc207ULL,
16955 ++ 0x54ea28d5ae3d2b56ULL, 0x9913149dd6de60ceULL, 0x16694fc58f06d6c1ULL, 0x46b23975eb018fc7ULL,
16956 ++ 0x470a6a0fb4b7b4e2ULL, 0x5d92475a8f7253deULL, 0xabeee5b52fbd3adbULL, 0x7fa20801a0806968ULL,
16957 ++ 0x76f3faf19f7714d2ULL, 0xb3e840c12f4660c3ULL, 0x0fb4cd8df212744eULL, 0x4b065a251d3a2dd2ULL,
16958 ++ 0x5cebde383d77cd4aULL, 0x6adf39df882c9cb1ULL, 0xa2dd242eb09af759ULL, 0x3147c0e50e5f6422ULL,
16959 ++ 0x164ca5101d1350dbULL, 0xf8d13479c33fc962ULL, 0xe640ce4d13e5da08ULL, 0x4bdee0c45061f8baULL,
16960 ++ 0xd7c46dc1a4edb1c9ULL, 0x5514d7b6437fd98aULL, 0x58942f6bb2a1c00bULL, 0x2dffb2ab1d70710eULL,
16961 ++ 0xccdfcf2fc18b6d68ULL, 0xa8ebcba8b7806167ULL, 0x980697f95e2937e3ULL, 0x02fbba1cd0126e8cULL
16962 ++};
16963 ++
16964 ++static void curve25519_ever64_base(u8 *out, const u8 *priv)
16965 ++{
16966 ++ u64 swap = 1;
16967 ++ int i, j, k;
16968 ++ u64 tmp[16 + 32 + 4];
16969 ++ u64 *x1 = &tmp[0];
16970 ++ u64 *z1 = &tmp[4];
16971 ++ u64 *x2 = &tmp[8];
16972 ++ u64 *z2 = &tmp[12];
16973 ++ u64 *xz1 = &tmp[0];
16974 ++ u64 *xz2 = &tmp[8];
16975 ++ u64 *a = &tmp[0 + 16];
16976 ++ u64 *b = &tmp[4 + 16];
16977 ++ u64 *c = &tmp[8 + 16];
16978 ++ u64 *ab = &tmp[0 + 16];
16979 ++ u64 *abcd = &tmp[0 + 16];
16980 ++ u64 *ef = &tmp[16 + 16];
16981 ++ u64 *efgh = &tmp[16 + 16];
16982 ++ u64 *key = &tmp[0 + 16 + 32];
16983 ++
16984 ++ memcpy(key, priv, 32);
16985 ++ ((u8 *)key)[0] &= 248;
16986 ++ ((u8 *)key)[31] = (((u8 *)key)[31] & 127) | 64;
16987 ++
16988 ++ x1[0] = 1, x1[1] = x1[2] = x1[3] = 0;
16989 ++ z1[0] = 1, z1[1] = z1[2] = z1[3] = 0;
16990 ++ z2[0] = 1, z2[1] = z2[2] = z2[3] = 0;
16991 ++ memcpy(x2, p_minus_s, sizeof(p_minus_s));
16992 ++
16993 ++ j = 3;
16994 ++ for (i = 0; i < 4; ++i) {
16995 ++ while (j < (const int[]){ 64, 64, 64, 63 }[i]) {
16996 ++ u64 bit = (key[i] >> j) & 1;
16997 ++ k = (64 * i + j - 3);
16998 ++ swap = swap ^ bit;
16999 ++ cswap2(swap, xz1, xz2);
17000 ++ swap = bit;
17001 ++ fsub(b, x1, z1);
17002 ++ fadd(a, x1, z1);
17003 ++ fmul(c, &table_ladder[4 * k], b, ef);
17004 ++ fsub(b, a, c);
17005 ++ fadd(a, a, c);
17006 ++ fsqr2(ab, ab, efgh);
17007 ++ fmul2(xz1, xz2, ab, efgh);
17008 ++ ++j;
17009 ++ }
17010 ++ j = 0;
17011 ++ }
17012 ++
17013 ++ point_double(xz1, abcd, efgh);
17014 ++ point_double(xz1, abcd, efgh);
17015 ++ point_double(xz1, abcd, efgh);
17016 ++ encode_point(out, xz1);
17017 ++
17018 ++ memzero_explicit(tmp, sizeof(tmp));
17019 ++}
17020 ++
17021 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(curve25519_use_bmi2_adx);
17022 ++
17023 ++void curve25519_arch(u8 mypublic[CURVE25519_KEY_SIZE],
17024 ++ const u8 secret[CURVE25519_KEY_SIZE],
17025 ++ const u8 basepoint[CURVE25519_KEY_SIZE])
17026 ++{
17027 ++ if (static_branch_likely(&curve25519_use_bmi2_adx))
17028 ++ curve25519_ever64(mypublic, secret, basepoint);
17029 ++ else
17030 ++ curve25519_generic(mypublic, secret, basepoint);
17031 ++}
17032 ++EXPORT_SYMBOL(curve25519_arch);
17033 ++
17034 ++void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
17035 ++ const u8 secret[CURVE25519_KEY_SIZE])
17036 ++{
17037 ++ if (static_branch_likely(&curve25519_use_bmi2_adx))
17038 ++ curve25519_ever64_base(pub, secret);
17039 ++ else
17040 ++ curve25519_generic(pub, secret, curve25519_base_point);
17041 ++}
17042 ++EXPORT_SYMBOL(curve25519_base_arch);
17043 ++
17044 ++static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
17045 ++ unsigned int len)
17046 ++{
17047 ++ u8 *secret = kpp_tfm_ctx(tfm);
17048 ++
17049 ++ if (!len)
17050 ++ curve25519_generate_secret(secret);
17051 ++ else if (len == CURVE25519_KEY_SIZE &&
17052 ++ crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
17053 ++ memcpy(secret, buf, CURVE25519_KEY_SIZE);
17054 ++ else
17055 ++ return -EINVAL;
17056 ++ return 0;
17057 ++}
17058 ++
17059 ++static int curve25519_generate_public_key(struct kpp_request *req)
17060 ++{
17061 ++ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
17062 ++ const u8 *secret = kpp_tfm_ctx(tfm);
17063 ++ u8 buf[CURVE25519_KEY_SIZE];
17064 ++ int copied, nbytes;
17065 ++
17066 ++ if (req->src)
17067 ++ return -EINVAL;
17068 ++
17069 ++ curve25519_base_arch(buf, secret);
17070 ++
17071 ++ /* might want less than we've got */
17072 ++ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
17073 ++ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
17074 ++ nbytes),
17075 ++ buf, nbytes);
17076 ++ if (copied != nbytes)
17077 ++ return -EINVAL;
17078 ++ return 0;
17079 ++}
17080 ++
17081 ++static int curve25519_compute_shared_secret(struct kpp_request *req)
17082 ++{
17083 ++ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
17084 ++ const u8 *secret = kpp_tfm_ctx(tfm);
17085 ++ u8 public_key[CURVE25519_KEY_SIZE];
17086 ++ u8 buf[CURVE25519_KEY_SIZE];
17087 ++ int copied, nbytes;
17088 ++
17089 ++ if (!req->src)
17090 ++ return -EINVAL;
17091 ++
17092 ++ copied = sg_copy_to_buffer(req->src,
17093 ++ sg_nents_for_len(req->src,
17094 ++ CURVE25519_KEY_SIZE),
17095 ++ public_key, CURVE25519_KEY_SIZE);
17096 ++ if (copied != CURVE25519_KEY_SIZE)
17097 ++ return -EINVAL;
17098 ++
17099 ++ curve25519_arch(buf, secret, public_key);
17100 ++
17101 ++ /* might want less than we've got */
17102 ++ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
17103 ++ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
17104 ++ nbytes),
17105 ++ buf, nbytes);
17106 ++ if (copied != nbytes)
17107 ++ return -EINVAL;
17108 ++ return 0;
17109 ++}
17110 ++
17111 ++static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
17112 ++{
17113 ++ return CURVE25519_KEY_SIZE;
17114 ++}
17115 ++
17116 ++static struct kpp_alg curve25519_alg = {
17117 ++ .base.cra_name = "curve25519",
17118 ++ .base.cra_driver_name = "curve25519-x86",
17119 ++ .base.cra_priority = 200,
17120 ++ .base.cra_module = THIS_MODULE,
17121 ++ .base.cra_ctxsize = CURVE25519_KEY_SIZE,
17122 ++
17123 ++ .set_secret = curve25519_set_secret,
17124 ++ .generate_public_key = curve25519_generate_public_key,
17125 ++ .compute_shared_secret = curve25519_compute_shared_secret,
17126 ++ .max_size = curve25519_max_size,
17127 ++};
17128 ++
17129 ++
17130 ++static int __init curve25519_mod_init(void)
17131 ++{
17132 ++ if (boot_cpu_has(X86_FEATURE_BMI2) && boot_cpu_has(X86_FEATURE_ADX))
17133 ++ static_branch_enable(&curve25519_use_bmi2_adx);
17134 ++ else
17135 ++ return 0;
17136 ++ return IS_REACHABLE(CONFIG_CRYPTO_KPP) ?
17137 ++ crypto_register_kpp(&curve25519_alg) : 0;
17138 ++}
17139 ++
17140 ++static void __exit curve25519_mod_exit(void)
17141 ++{
17142 ++ if (IS_REACHABLE(CONFIG_CRYPTO_KPP) &&
17143 ++ (boot_cpu_has(X86_FEATURE_BMI2) || boot_cpu_has(X86_FEATURE_ADX)))
17144 ++ crypto_unregister_kpp(&curve25519_alg);
17145 ++}
17146 ++
17147 ++module_init(curve25519_mod_init);
17148 ++module_exit(curve25519_mod_exit);
17149 ++
17150 ++MODULE_ALIAS_CRYPTO("curve25519");
17151 ++MODULE_ALIAS_CRYPTO("curve25519-x86");
17152 ++MODULE_LICENSE("GPL v2");
17153 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
17154 +--- b/arch/arm/crypto/curve25519-core.S
17155 ++++ b/arch/arm/crypto/curve25519-core.S
17156 +@@ -0,0 +1,2062 @@
17157 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
17158 ++/*
17159 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
17160 ++ *
17161 ++ * Based on public domain code from Daniel J. Bernstein and Peter Schwabe. This
17162 ++ * began from SUPERCOP's curve25519/neon2/scalarmult.s, but has subsequently been
17163 ++ * manually reworked for use in kernel space.
17164 ++ */
17165 ++
17166 ++#include <linux/linkage.h>
17167 ++
17168 ++.text
17169 ++.fpu neon
17170 ++.arch armv7-a
17171 ++.align 4
17172 ++
17173 ++ENTRY(curve25519_neon)
17174 ++ push {r4-r11, lr}
17175 ++ mov ip, sp
17176 ++ sub r3, sp, #704
17177 ++ and r3, r3, #0xfffffff0
17178 ++ mov sp, r3
17179 ++ movw r4, #0
17180 ++ movw r5, #254
17181 ++ vmov.i32 q0, #1
17182 ++ vshr.u64 q1, q0, #7
17183 ++ vshr.u64 q0, q0, #8
17184 ++ vmov.i32 d4, #19
17185 ++ vmov.i32 d5, #38
17186 ++ add r6, sp, #480
17187 ++ vst1.8 {d2-d3}, [r6, : 128]!
17188 ++ vst1.8 {d0-d1}, [r6, : 128]!
17189 ++ vst1.8 {d4-d5}, [r6, : 128]
17190 ++ add r6, r3, #0
17191 ++ vmov.i32 q2, #0
17192 ++ vst1.8 {d4-d5}, [r6, : 128]!
17193 ++ vst1.8 {d4-d5}, [r6, : 128]!
17194 ++ vst1.8 d4, [r6, : 64]
17195 ++ add r6, r3, #0
17196 ++ movw r7, #960
17197 ++ sub r7, r7, #2
17198 ++ neg r7, r7
17199 ++ sub r7, r7, r7, LSL #7
17200 ++ str r7, [r6]
17201 ++ add r6, sp, #672
17202 ++ vld1.8 {d4-d5}, [r1]!
17203 ++ vld1.8 {d6-d7}, [r1]
17204 ++ vst1.8 {d4-d5}, [r6, : 128]!
17205 ++ vst1.8 {d6-d7}, [r6, : 128]
17206 ++ sub r1, r6, #16
17207 ++ ldrb r6, [r1]
17208 ++ and r6, r6, #248
17209 ++ strb r6, [r1]
17210 ++ ldrb r6, [r1, #31]
17211 ++ and r6, r6, #127
17212 ++ orr r6, r6, #64
17213 ++ strb r6, [r1, #31]
17214 ++ vmov.i64 q2, #0xffffffff
17215 ++ vshr.u64 q3, q2, #7
17216 ++ vshr.u64 q2, q2, #6
17217 ++ vld1.8 {d8}, [r2]
17218 ++ vld1.8 {d10}, [r2]
17219 ++ add r2, r2, #6
17220 ++ vld1.8 {d12}, [r2]
17221 ++ vld1.8 {d14}, [r2]
17222 ++ add r2, r2, #6
17223 ++ vld1.8 {d16}, [r2]
17224 ++ add r2, r2, #4
17225 ++ vld1.8 {d18}, [r2]
17226 ++ vld1.8 {d20}, [r2]
17227 ++ add r2, r2, #6
17228 ++ vld1.8 {d22}, [r2]
17229 ++ add r2, r2, #2
17230 ++ vld1.8 {d24}, [r2]
17231 ++ vld1.8 {d26}, [r2]
17232 ++ vshr.u64 q5, q5, #26
17233 ++ vshr.u64 q6, q6, #3
17234 ++ vshr.u64 q7, q7, #29
17235 ++ vshr.u64 q8, q8, #6
17236 ++ vshr.u64 q10, q10, #25
17237 ++ vshr.u64 q11, q11, #3
17238 ++ vshr.u64 q12, q12, #12
17239 ++ vshr.u64 q13, q13, #38
17240 ++ vand q4, q4, q2
17241 ++ vand q6, q6, q2
17242 ++ vand q8, q8, q2
17243 ++ vand q10, q10, q2
17244 ++ vand q2, q12, q2
17245 ++ vand q5, q5, q3
17246 ++ vand q7, q7, q3
17247 ++ vand q9, q9, q3
17248 ++ vand q11, q11, q3
17249 ++ vand q3, q13, q3
17250 ++ add r2, r3, #48
17251 ++ vadd.i64 q12, q4, q1
17252 ++ vadd.i64 q13, q10, q1
17253 ++ vshr.s64 q12, q12, #26
17254 ++ vshr.s64 q13, q13, #26
17255 ++ vadd.i64 q5, q5, q12
17256 ++ vshl.i64 q12, q12, #26
17257 ++ vadd.i64 q14, q5, q0
17258 ++ vadd.i64 q11, q11, q13
17259 ++ vshl.i64 q13, q13, #26
17260 ++ vadd.i64 q15, q11, q0
17261 ++ vsub.i64 q4, q4, q12
17262 ++ vshr.s64 q12, q14, #25
17263 ++ vsub.i64 q10, q10, q13
17264 ++ vshr.s64 q13, q15, #25
17265 ++ vadd.i64 q6, q6, q12
17266 ++ vshl.i64 q12, q12, #25
17267 ++ vadd.i64 q14, q6, q1
17268 ++ vadd.i64 q2, q2, q13
17269 ++ vsub.i64 q5, q5, q12
17270 ++ vshr.s64 q12, q14, #26
17271 ++ vshl.i64 q13, q13, #25
17272 ++ vadd.i64 q14, q2, q1
17273 ++ vadd.i64 q7, q7, q12
17274 ++ vshl.i64 q12, q12, #26
17275 ++ vadd.i64 q15, q7, q0
17276 ++ vsub.i64 q11, q11, q13
17277 ++ vshr.s64 q13, q14, #26
17278 ++ vsub.i64 q6, q6, q12
17279 ++ vshr.s64 q12, q15, #25
17280 ++ vadd.i64 q3, q3, q13
17281 ++ vshl.i64 q13, q13, #26
17282 ++ vadd.i64 q14, q3, q0
17283 ++ vadd.i64 q8, q8, q12
17284 ++ vshl.i64 q12, q12, #25
17285 ++ vadd.i64 q15, q8, q1
17286 ++ add r2, r2, #8
17287 ++ vsub.i64 q2, q2, q13
17288 ++ vshr.s64 q13, q14, #25
17289 ++ vsub.i64 q7, q7, q12
17290 ++ vshr.s64 q12, q15, #26
17291 ++ vadd.i64 q14, q13, q13
17292 ++ vadd.i64 q9, q9, q12
17293 ++ vtrn.32 d12, d14
17294 ++ vshl.i64 q12, q12, #26
17295 ++ vtrn.32 d13, d15
17296 ++ vadd.i64 q0, q9, q0
17297 ++ vadd.i64 q4, q4, q14
17298 ++ vst1.8 d12, [r2, : 64]!
17299 ++ vshl.i64 q6, q13, #4
17300 ++ vsub.i64 q7, q8, q12
17301 ++ vshr.s64 q0, q0, #25
17302 ++ vadd.i64 q4, q4, q6
17303 ++ vadd.i64 q6, q10, q0
17304 ++ vshl.i64 q0, q0, #25
17305 ++ vadd.i64 q8, q6, q1
17306 ++ vadd.i64 q4, q4, q13
17307 ++ vshl.i64 q10, q13, #25
17308 ++ vadd.i64 q1, q4, q1
17309 ++ vsub.i64 q0, q9, q0
17310 ++ vshr.s64 q8, q8, #26
17311 ++ vsub.i64 q3, q3, q10
17312 ++ vtrn.32 d14, d0
17313 ++ vshr.s64 q1, q1, #26
17314 ++ vtrn.32 d15, d1
17315 ++ vadd.i64 q0, q11, q8
17316 ++ vst1.8 d14, [r2, : 64]
17317 ++ vshl.i64 q7, q8, #26
17318 ++ vadd.i64 q5, q5, q1
17319 ++ vtrn.32 d4, d6
17320 ++ vshl.i64 q1, q1, #26
17321 ++ vtrn.32 d5, d7
17322 ++ vsub.i64 q3, q6, q7
17323 ++ add r2, r2, #16
17324 ++ vsub.i64 q1, q4, q1
17325 ++ vst1.8 d4, [r2, : 64]
17326 ++ vtrn.32 d6, d0
17327 ++ vtrn.32 d7, d1
17328 ++ sub r2, r2, #8
17329 ++ vtrn.32 d2, d10
17330 ++ vtrn.32 d3, d11
17331 ++ vst1.8 d6, [r2, : 64]
17332 ++ sub r2, r2, #24
17333 ++ vst1.8 d2, [r2, : 64]
17334 ++ add r2, r3, #96
17335 ++ vmov.i32 q0, #0
17336 ++ vmov.i64 d2, #0xff
17337 ++ vmov.i64 d3, #0
17338 ++ vshr.u32 q1, q1, #7
17339 ++ vst1.8 {d2-d3}, [r2, : 128]!
17340 ++ vst1.8 {d0-d1}, [r2, : 128]!
17341 ++ vst1.8 d0, [r2, : 64]
17342 ++ add r2, r3, #144
17343 ++ vmov.i32 q0, #0
17344 ++ vst1.8 {d0-d1}, [r2, : 128]!
17345 ++ vst1.8 {d0-d1}, [r2, : 128]!
17346 ++ vst1.8 d0, [r2, : 64]
17347 ++ add r2, r3, #240
17348 ++ vmov.i32 q0, #0
17349 ++ vmov.i64 d2, #0xff
17350 ++ vmov.i64 d3, #0
17351 ++ vshr.u32 q1, q1, #7
17352 ++ vst1.8 {d2-d3}, [r2, : 128]!
17353 ++ vst1.8 {d0-d1}, [r2, : 128]!
17354 ++ vst1.8 d0, [r2, : 64]
17355 ++ add r2, r3, #48
17356 ++ add r6, r3, #192
17357 ++ vld1.8 {d0-d1}, [r2, : 128]!
17358 ++ vld1.8 {d2-d3}, [r2, : 128]!
17359 ++ vld1.8 {d4}, [r2, : 64]
17360 ++ vst1.8 {d0-d1}, [r6, : 128]!
17361 ++ vst1.8 {d2-d3}, [r6, : 128]!
17362 ++ vst1.8 d4, [r6, : 64]
17363 ++.Lmainloop:
17364 ++ mov r2, r5, LSR #3
17365 ++ and r6, r5, #7
17366 ++ ldrb r2, [r1, r2]
17367 ++ mov r2, r2, LSR r6
17368 ++ and r2, r2, #1
17369 ++ str r5, [sp, #456]
17370 ++ eor r4, r4, r2
17371 ++ str r2, [sp, #460]
17372 ++ neg r2, r4
17373 ++ add r4, r3, #96
17374 ++ add r5, r3, #192
17375 ++ add r6, r3, #144
17376 ++ vld1.8 {d8-d9}, [r4, : 128]!
17377 ++ add r7, r3, #240
17378 ++ vld1.8 {d10-d11}, [r5, : 128]!
17379 ++ veor q6, q4, q5
17380 ++ vld1.8 {d14-d15}, [r6, : 128]!
17381 ++ vdup.i32 q8, r2
17382 ++ vld1.8 {d18-d19}, [r7, : 128]!
17383 ++ veor q10, q7, q9
17384 ++ vld1.8 {d22-d23}, [r4, : 128]!
17385 ++ vand q6, q6, q8
17386 ++ vld1.8 {d24-d25}, [r5, : 128]!
17387 ++ vand q10, q10, q8
17388 ++ vld1.8 {d26-d27}, [r6, : 128]!
17389 ++ veor q4, q4, q6
17390 ++ vld1.8 {d28-d29}, [r7, : 128]!
17391 ++ veor q5, q5, q6
17392 ++ vld1.8 {d0}, [r4, : 64]
17393 ++ veor q6, q7, q10
17394 ++ vld1.8 {d2}, [r5, : 64]
17395 ++ veor q7, q9, q10
17396 ++ vld1.8 {d4}, [r6, : 64]
17397 ++ veor q9, q11, q12
17398 ++ vld1.8 {d6}, [r7, : 64]
17399 ++ veor q10, q0, q1
17400 ++ sub r2, r4, #32
17401 ++ vand q9, q9, q8
17402 ++ sub r4, r5, #32
17403 ++ vand q10, q10, q8
17404 ++ sub r5, r6, #32
17405 ++ veor q11, q11, q9
17406 ++ sub r6, r7, #32
17407 ++ veor q0, q0, q10
17408 ++ veor q9, q12, q9
17409 ++ veor q1, q1, q10
17410 ++ veor q10, q13, q14
17411 ++ veor q12, q2, q3
17412 ++ vand q10, q10, q8
17413 ++ vand q8, q12, q8
17414 ++ veor q12, q13, q10
17415 ++ veor q2, q2, q8
17416 ++ veor q10, q14, q10
17417 ++ veor q3, q3, q8
17418 ++ vadd.i32 q8, q4, q6
17419 ++ vsub.i32 q4, q4, q6
17420 ++ vst1.8 {d16-d17}, [r2, : 128]!
17421 ++ vadd.i32 q6, q11, q12
17422 ++ vst1.8 {d8-d9}, [r5, : 128]!
17423 ++ vsub.i32 q4, q11, q12
17424 ++ vst1.8 {d12-d13}, [r2, : 128]!
17425 ++ vadd.i32 q6, q0, q2
17426 ++ vst1.8 {d8-d9}, [r5, : 128]!
17427 ++ vsub.i32 q0, q0, q2
17428 ++ vst1.8 d12, [r2, : 64]
17429 ++ vadd.i32 q2, q5, q7
17430 ++ vst1.8 d0, [r5, : 64]
17431 ++ vsub.i32 q0, q5, q7
17432 ++ vst1.8 {d4-d5}, [r4, : 128]!
17433 ++ vadd.i32 q2, q9, q10
17434 ++ vst1.8 {d0-d1}, [r6, : 128]!
17435 ++ vsub.i32 q0, q9, q10
17436 ++ vst1.8 {d4-d5}, [r4, : 128]!
17437 ++ vadd.i32 q2, q1, q3
17438 ++ vst1.8 {d0-d1}, [r6, : 128]!
17439 ++ vsub.i32 q0, q1, q3
17440 ++ vst1.8 d4, [r4, : 64]
17441 ++ vst1.8 d0, [r6, : 64]
17442 ++ add r2, sp, #512
17443 ++ add r4, r3, #96
17444 ++ add r5, r3, #144
17445 ++ vld1.8 {d0-d1}, [r2, : 128]
17446 ++ vld1.8 {d2-d3}, [r4, : 128]!
17447 ++ vld1.8 {d4-d5}, [r5, : 128]!
17448 ++ vzip.i32 q1, q2
17449 ++ vld1.8 {d6-d7}, [r4, : 128]!
17450 ++ vld1.8 {d8-d9}, [r5, : 128]!
17451 ++ vshl.i32 q5, q1, #1
17452 ++ vzip.i32 q3, q4
17453 ++ vshl.i32 q6, q2, #1
17454 ++ vld1.8 {d14}, [r4, : 64]
17455 ++ vshl.i32 q8, q3, #1
17456 ++ vld1.8 {d15}, [r5, : 64]
17457 ++ vshl.i32 q9, q4, #1
17458 ++ vmul.i32 d21, d7, d1
17459 ++ vtrn.32 d14, d15
17460 ++ vmul.i32 q11, q4, q0
17461 ++ vmul.i32 q0, q7, q0
17462 ++ vmull.s32 q12, d2, d2
17463 ++ vmlal.s32 q12, d11, d1
17464 ++ vmlal.s32 q12, d12, d0
17465 ++ vmlal.s32 q12, d13, d23
17466 ++ vmlal.s32 q12, d16, d22
17467 ++ vmlal.s32 q12, d7, d21
17468 ++ vmull.s32 q10, d2, d11
17469 ++ vmlal.s32 q10, d4, d1
17470 ++ vmlal.s32 q10, d13, d0
17471 ++ vmlal.s32 q10, d6, d23
17472 ++ vmlal.s32 q10, d17, d22
17473 ++ vmull.s32 q13, d10, d4
17474 ++ vmlal.s32 q13, d11, d3
17475 ++ vmlal.s32 q13, d13, d1
17476 ++ vmlal.s32 q13, d16, d0
17477 ++ vmlal.s32 q13, d17, d23
17478 ++ vmlal.s32 q13, d8, d22
17479 ++ vmull.s32 q1, d10, d5
17480 ++ vmlal.s32 q1, d11, d4
17481 ++ vmlal.s32 q1, d6, d1
17482 ++ vmlal.s32 q1, d17, d0
17483 ++ vmlal.s32 q1, d8, d23
17484 ++ vmull.s32 q14, d10, d6
17485 ++ vmlal.s32 q14, d11, d13
17486 ++ vmlal.s32 q14, d4, d4
17487 ++ vmlal.s32 q14, d17, d1
17488 ++ vmlal.s32 q14, d18, d0
17489 ++ vmlal.s32 q14, d9, d23
17490 ++ vmull.s32 q11, d10, d7
17491 ++ vmlal.s32 q11, d11, d6
17492 ++ vmlal.s32 q11, d12, d5
17493 ++ vmlal.s32 q11, d8, d1
17494 ++ vmlal.s32 q11, d19, d0
17495 ++ vmull.s32 q15, d10, d8
17496 ++ vmlal.s32 q15, d11, d17
17497 ++ vmlal.s32 q15, d12, d6
17498 ++ vmlal.s32 q15, d13, d5
17499 ++ vmlal.s32 q15, d19, d1
17500 ++ vmlal.s32 q15, d14, d0
17501 ++ vmull.s32 q2, d10, d9
17502 ++ vmlal.s32 q2, d11, d8
17503 ++ vmlal.s32 q2, d12, d7
17504 ++ vmlal.s32 q2, d13, d6
17505 ++ vmlal.s32 q2, d14, d1
17506 ++ vmull.s32 q0, d15, d1
17507 ++ vmlal.s32 q0, d10, d14
17508 ++ vmlal.s32 q0, d11, d19
17509 ++ vmlal.s32 q0, d12, d8
17510 ++ vmlal.s32 q0, d13, d17
17511 ++ vmlal.s32 q0, d6, d6
17512 ++ add r2, sp, #480
17513 ++ vld1.8 {d18-d19}, [r2, : 128]!
17514 ++ vmull.s32 q3, d16, d7
17515 ++ vmlal.s32 q3, d10, d15
17516 ++ vmlal.s32 q3, d11, d14
17517 ++ vmlal.s32 q3, d12, d9
17518 ++ vmlal.s32 q3, d13, d8
17519 ++ vld1.8 {d8-d9}, [r2, : 128]
17520 ++ vadd.i64 q5, q12, q9
17521 ++ vadd.i64 q6, q15, q9
17522 ++ vshr.s64 q5, q5, #26
17523 ++ vshr.s64 q6, q6, #26
17524 ++ vadd.i64 q7, q10, q5
17525 ++ vshl.i64 q5, q5, #26
17526 ++ vadd.i64 q8, q7, q4
17527 ++ vadd.i64 q2, q2, q6
17528 ++ vshl.i64 q6, q6, #26
17529 ++ vadd.i64 q10, q2, q4
17530 ++ vsub.i64 q5, q12, q5
17531 ++ vshr.s64 q8, q8, #25
17532 ++ vsub.i64 q6, q15, q6
17533 ++ vshr.s64 q10, q10, #25
17534 ++ vadd.i64 q12, q13, q8
17535 ++ vshl.i64 q8, q8, #25
17536 ++ vadd.i64 q13, q12, q9
17537 ++ vadd.i64 q0, q0, q10
17538 ++ vsub.i64 q7, q7, q8
17539 ++ vshr.s64 q8, q13, #26
17540 ++ vshl.i64 q10, q10, #25
17541 ++ vadd.i64 q13, q0, q9
17542 ++ vadd.i64 q1, q1, q8
17543 ++ vshl.i64 q8, q8, #26
17544 ++ vadd.i64 q15, q1, q4
17545 ++ vsub.i64 q2, q2, q10
17546 ++ vshr.s64 q10, q13, #26
17547 ++ vsub.i64 q8, q12, q8
17548 ++ vshr.s64 q12, q15, #25
17549 ++ vadd.i64 q3, q3, q10
17550 ++ vshl.i64 q10, q10, #26
17551 ++ vadd.i64 q13, q3, q4
17552 ++ vadd.i64 q14, q14, q12
17553 ++ add r2, r3, #288
17554 ++ vshl.i64 q12, q12, #25
17555 ++ add r4, r3, #336
17556 ++ vadd.i64 q15, q14, q9
17557 ++ add r2, r2, #8
17558 ++ vsub.i64 q0, q0, q10
17559 ++ add r4, r4, #8
17560 ++ vshr.s64 q10, q13, #25
17561 ++ vsub.i64 q1, q1, q12
17562 ++ vshr.s64 q12, q15, #26
17563 ++ vadd.i64 q13, q10, q10
17564 ++ vadd.i64 q11, q11, q12
17565 ++ vtrn.32 d16, d2
17566 ++ vshl.i64 q12, q12, #26
17567 ++ vtrn.32 d17, d3
17568 ++ vadd.i64 q1, q11, q4
17569 ++ vadd.i64 q4, q5, q13
17570 ++ vst1.8 d16, [r2, : 64]!
17571 ++ vshl.i64 q5, q10, #4
17572 ++ vst1.8 d17, [r4, : 64]!
17573 ++ vsub.i64 q8, q14, q12
17574 ++ vshr.s64 q1, q1, #25
17575 ++ vadd.i64 q4, q4, q5
17576 ++ vadd.i64 q5, q6, q1
17577 ++ vshl.i64 q1, q1, #25
17578 ++ vadd.i64 q6, q5, q9
17579 ++ vadd.i64 q4, q4, q10
17580 ++ vshl.i64 q10, q10, #25
17581 ++ vadd.i64 q9, q4, q9
17582 ++ vsub.i64 q1, q11, q1
17583 ++ vshr.s64 q6, q6, #26
17584 ++ vsub.i64 q3, q3, q10
17585 ++ vtrn.32 d16, d2
17586 ++ vshr.s64 q9, q9, #26
17587 ++ vtrn.32 d17, d3
17588 ++ vadd.i64 q1, q2, q6
17589 ++ vst1.8 d16, [r2, : 64]
17590 ++ vshl.i64 q2, q6, #26
17591 ++ vst1.8 d17, [r4, : 64]
17592 ++ vadd.i64 q6, q7, q9
17593 ++ vtrn.32 d0, d6
17594 ++ vshl.i64 q7, q9, #26
17595 ++ vtrn.32 d1, d7
17596 ++ vsub.i64 q2, q5, q2
17597 ++ add r2, r2, #16
17598 ++ vsub.i64 q3, q4, q7
17599 ++ vst1.8 d0, [r2, : 64]
17600 ++ add r4, r4, #16
17601 ++ vst1.8 d1, [r4, : 64]
17602 ++ vtrn.32 d4, d2
17603 ++ vtrn.32 d5, d3
17604 ++ sub r2, r2, #8
17605 ++ sub r4, r4, #8
17606 ++ vtrn.32 d6, d12
17607 ++ vtrn.32 d7, d13
17608 ++ vst1.8 d4, [r2, : 64]
17609 ++ vst1.8 d5, [r4, : 64]
17610 ++ sub r2, r2, #24
17611 ++ sub r4, r4, #24
17612 ++ vst1.8 d6, [r2, : 64]
17613 ++ vst1.8 d7, [r4, : 64]
17614 ++ add r2, r3, #240
17615 ++ add r4, r3, #96
17616 ++ vld1.8 {d0-d1}, [r4, : 128]!
17617 ++ vld1.8 {d2-d3}, [r4, : 128]!
17618 ++ vld1.8 {d4}, [r4, : 64]
17619 ++ add r4, r3, #144
17620 ++ vld1.8 {d6-d7}, [r4, : 128]!
17621 ++ vtrn.32 q0, q3
17622 ++ vld1.8 {d8-d9}, [r4, : 128]!
17623 ++ vshl.i32 q5, q0, #4
17624 ++ vtrn.32 q1, q4
17625 ++ vshl.i32 q6, q3, #4
17626 ++ vadd.i32 q5, q5, q0
17627 ++ vadd.i32 q6, q6, q3
17628 ++ vshl.i32 q7, q1, #4
17629 ++ vld1.8 {d5}, [r4, : 64]
17630 ++ vshl.i32 q8, q4, #4
17631 ++ vtrn.32 d4, d5
17632 ++ vadd.i32 q7, q7, q1
17633 ++ vadd.i32 q8, q8, q4
17634 ++ vld1.8 {d18-d19}, [r2, : 128]!
17635 ++ vshl.i32 q10, q2, #4
17636 ++ vld1.8 {d22-d23}, [r2, : 128]!
17637 ++ vadd.i32 q10, q10, q2
17638 ++ vld1.8 {d24}, [r2, : 64]
17639 ++ vadd.i32 q5, q5, q0
17640 ++ add r2, r3, #192
17641 ++ vld1.8 {d26-d27}, [r2, : 128]!
17642 ++ vadd.i32 q6, q6, q3
17643 ++ vld1.8 {d28-d29}, [r2, : 128]!
17644 ++ vadd.i32 q8, q8, q4
17645 ++ vld1.8 {d25}, [r2, : 64]
17646 ++ vadd.i32 q10, q10, q2
17647 ++ vtrn.32 q9, q13
17648 ++ vadd.i32 q7, q7, q1
17649 ++ vadd.i32 q5, q5, q0
17650 ++ vtrn.32 q11, q14
17651 ++ vadd.i32 q6, q6, q3
17652 ++ add r2, sp, #528
17653 ++ vadd.i32 q10, q10, q2
17654 ++ vtrn.32 d24, d25
17655 ++ vst1.8 {d12-d13}, [r2, : 128]!
17656 ++ vshl.i32 q6, q13, #1
17657 ++ vst1.8 {d20-d21}, [r2, : 128]!
17658 ++ vshl.i32 q10, q14, #1
17659 ++ vst1.8 {d12-d13}, [r2, : 128]!
17660 ++ vshl.i32 q15, q12, #1
17661 ++ vadd.i32 q8, q8, q4
17662 ++ vext.32 d10, d31, d30, #0
17663 ++ vadd.i32 q7, q7, q1
17664 ++ vst1.8 {d16-d17}, [r2, : 128]!
17665 ++ vmull.s32 q8, d18, d5
17666 ++ vmlal.s32 q8, d26, d4
17667 ++ vmlal.s32 q8, d19, d9
17668 ++ vmlal.s32 q8, d27, d3
17669 ++ vmlal.s32 q8, d22, d8
17670 ++ vmlal.s32 q8, d28, d2
17671 ++ vmlal.s32 q8, d23, d7
17672 ++ vmlal.s32 q8, d29, d1
17673 ++ vmlal.s32 q8, d24, d6
17674 ++ vmlal.s32 q8, d25, d0
17675 ++ vst1.8 {d14-d15}, [r2, : 128]!
17676 ++ vmull.s32 q2, d18, d4
17677 ++ vmlal.s32 q2, d12, d9
17678 ++ vmlal.s32 q2, d13, d8
17679 ++ vmlal.s32 q2, d19, d3
17680 ++ vmlal.s32 q2, d22, d2
17681 ++ vmlal.s32 q2, d23, d1
17682 ++ vmlal.s32 q2, d24, d0
17683 ++ vst1.8 {d20-d21}, [r2, : 128]!
17684 ++ vmull.s32 q7, d18, d9
17685 ++ vmlal.s32 q7, d26, d3
17686 ++ vmlal.s32 q7, d19, d8
17687 ++ vmlal.s32 q7, d27, d2
17688 ++ vmlal.s32 q7, d22, d7
17689 ++ vmlal.s32 q7, d28, d1
17690 ++ vmlal.s32 q7, d23, d6
17691 ++ vmlal.s32 q7, d29, d0
17692 ++ vst1.8 {d10-d11}, [r2, : 128]!
17693 ++ vmull.s32 q5, d18, d3
17694 ++ vmlal.s32 q5, d19, d2
17695 ++ vmlal.s32 q5, d22, d1
17696 ++ vmlal.s32 q5, d23, d0
17697 ++ vmlal.s32 q5, d12, d8
17698 ++ vst1.8 {d16-d17}, [r2, : 128]
17699 ++ vmull.s32 q4, d18, d8
17700 ++ vmlal.s32 q4, d26, d2
17701 ++ vmlal.s32 q4, d19, d7
17702 ++ vmlal.s32 q4, d27, d1
17703 ++ vmlal.s32 q4, d22, d6
17704 ++ vmlal.s32 q4, d28, d0
17705 ++ vmull.s32 q8, d18, d7
17706 ++ vmlal.s32 q8, d26, d1
17707 ++ vmlal.s32 q8, d19, d6
17708 ++ vmlal.s32 q8, d27, d0
17709 ++ add r2, sp, #544
17710 ++ vld1.8 {d20-d21}, [r2, : 128]
17711 ++ vmlal.s32 q7, d24, d21
17712 ++ vmlal.s32 q7, d25, d20
17713 ++ vmlal.s32 q4, d23, d21
17714 ++ vmlal.s32 q4, d29, d20
17715 ++ vmlal.s32 q8, d22, d21
17716 ++ vmlal.s32 q8, d28, d20
17717 ++ vmlal.s32 q5, d24, d20
17718 ++ vst1.8 {d14-d15}, [r2, : 128]
17719 ++ vmull.s32 q7, d18, d6
17720 ++ vmlal.s32 q7, d26, d0
17721 ++ add r2, sp, #624
17722 ++ vld1.8 {d30-d31}, [r2, : 128]
17723 ++ vmlal.s32 q2, d30, d21
17724 ++ vmlal.s32 q7, d19, d21
17725 ++ vmlal.s32 q7, d27, d20
17726 ++ add r2, sp, #592
17727 ++ vld1.8 {d26-d27}, [r2, : 128]
17728 ++ vmlal.s32 q4, d25, d27
17729 ++ vmlal.s32 q8, d29, d27
17730 ++ vmlal.s32 q8, d25, d26
17731 ++ vmlal.s32 q7, d28, d27
17732 ++ vmlal.s32 q7, d29, d26
17733 ++ add r2, sp, #576
17734 ++ vld1.8 {d28-d29}, [r2, : 128]
17735 ++ vmlal.s32 q4, d24, d29
17736 ++ vmlal.s32 q8, d23, d29
17737 ++ vmlal.s32 q8, d24, d28
17738 ++ vmlal.s32 q7, d22, d29
17739 ++ vmlal.s32 q7, d23, d28
17740 ++ vst1.8 {d8-d9}, [r2, : 128]
17741 ++ add r2, sp, #528
17742 ++ vld1.8 {d8-d9}, [r2, : 128]
17743 ++ vmlal.s32 q7, d24, d9
17744 ++ vmlal.s32 q7, d25, d31
17745 ++ vmull.s32 q1, d18, d2
17746 ++ vmlal.s32 q1, d19, d1
17747 ++ vmlal.s32 q1, d22, d0
17748 ++ vmlal.s32 q1, d24, d27
17749 ++ vmlal.s32 q1, d23, d20
17750 ++ vmlal.s32 q1, d12, d7
17751 ++ vmlal.s32 q1, d13, d6
17752 ++ vmull.s32 q6, d18, d1
17753 ++ vmlal.s32 q6, d19, d0
17754 ++ vmlal.s32 q6, d23, d27
17755 ++ vmlal.s32 q6, d22, d20
17756 ++ vmlal.s32 q6, d24, d26
17757 ++ vmull.s32 q0, d18, d0
17758 ++ vmlal.s32 q0, d22, d27
17759 ++ vmlal.s32 q0, d23, d26
17760 ++ vmlal.s32 q0, d24, d31
17761 ++ vmlal.s32 q0, d19, d20
17762 ++ add r2, sp, #608
17763 ++ vld1.8 {d18-d19}, [r2, : 128]
17764 ++ vmlal.s32 q2, d18, d7
17765 ++ vmlal.s32 q5, d18, d6
17766 ++ vmlal.s32 q1, d18, d21
17767 ++ vmlal.s32 q0, d18, d28
17768 ++ vmlal.s32 q6, d18, d29
17769 ++ vmlal.s32 q2, d19, d6
17770 ++ vmlal.s32 q5, d19, d21
17771 ++ vmlal.s32 q1, d19, d29
17772 ++ vmlal.s32 q0, d19, d9
17773 ++ vmlal.s32 q6, d19, d28
17774 ++ add r2, sp, #560
17775 ++ vld1.8 {d18-d19}, [r2, : 128]
17776 ++ add r2, sp, #480
17777 ++ vld1.8 {d22-d23}, [r2, : 128]
17778 ++ vmlal.s32 q5, d19, d7
17779 ++ vmlal.s32 q0, d18, d21
17780 ++ vmlal.s32 q0, d19, d29
17781 ++ vmlal.s32 q6, d18, d6
17782 ++ add r2, sp, #496
17783 ++ vld1.8 {d6-d7}, [r2, : 128]
17784 ++ vmlal.s32 q6, d19, d21
17785 ++ add r2, sp, #544
17786 ++ vld1.8 {d18-d19}, [r2, : 128]
17787 ++ vmlal.s32 q0, d30, d8
17788 ++ add r2, sp, #640
17789 ++ vld1.8 {d20-d21}, [r2, : 128]
17790 ++ vmlal.s32 q5, d30, d29
17791 ++ add r2, sp, #576
17792 ++ vld1.8 {d24-d25}, [r2, : 128]
17793 ++ vmlal.s32 q1, d30, d28
17794 ++ vadd.i64 q13, q0, q11
17795 ++ vadd.i64 q14, q5, q11
17796 ++ vmlal.s32 q6, d30, d9
17797 ++ vshr.s64 q4, q13, #26
17798 ++ vshr.s64 q13, q14, #26
17799 ++ vadd.i64 q7, q7, q4
17800 ++ vshl.i64 q4, q4, #26
17801 ++ vadd.i64 q14, q7, q3
17802 ++ vadd.i64 q9, q9, q13
17803 ++ vshl.i64 q13, q13, #26
17804 ++ vadd.i64 q15, q9, q3
17805 ++ vsub.i64 q0, q0, q4
17806 ++ vshr.s64 q4, q14, #25
17807 ++ vsub.i64 q5, q5, q13
17808 ++ vshr.s64 q13, q15, #25
17809 ++ vadd.i64 q6, q6, q4
17810 ++ vshl.i64 q4, q4, #25
17811 ++ vadd.i64 q14, q6, q11
17812 ++ vadd.i64 q2, q2, q13
17813 ++ vsub.i64 q4, q7, q4
17814 ++ vshr.s64 q7, q14, #26
17815 ++ vshl.i64 q13, q13, #25
17816 ++ vadd.i64 q14, q2, q11
17817 ++ vadd.i64 q8, q8, q7
17818 ++ vshl.i64 q7, q7, #26
17819 ++ vadd.i64 q15, q8, q3
17820 ++ vsub.i64 q9, q9, q13
17821 ++ vshr.s64 q13, q14, #26
17822 ++ vsub.i64 q6, q6, q7
17823 ++ vshr.s64 q7, q15, #25
17824 ++ vadd.i64 q10, q10, q13
17825 ++ vshl.i64 q13, q13, #26
17826 ++ vadd.i64 q14, q10, q3
17827 ++ vadd.i64 q1, q1, q7
17828 ++ add r2, r3, #144
17829 ++ vshl.i64 q7, q7, #25
17830 ++ add r4, r3, #96
17831 ++ vadd.i64 q15, q1, q11
17832 ++ add r2, r2, #8
17833 ++ vsub.i64 q2, q2, q13
17834 ++ add r4, r4, #8
17835 ++ vshr.s64 q13, q14, #25
17836 ++ vsub.i64 q7, q8, q7
17837 ++ vshr.s64 q8, q15, #26
17838 ++ vadd.i64 q14, q13, q13
17839 ++ vadd.i64 q12, q12, q8
17840 ++ vtrn.32 d12, d14
17841 ++ vshl.i64 q8, q8, #26
17842 ++ vtrn.32 d13, d15
17843 ++ vadd.i64 q3, q12, q3
17844 ++ vadd.i64 q0, q0, q14
17845 ++ vst1.8 d12, [r2, : 64]!
17846 ++ vshl.i64 q7, q13, #4
17847 ++ vst1.8 d13, [r4, : 64]!
17848 ++ vsub.i64 q1, q1, q8
17849 ++ vshr.s64 q3, q3, #25
17850 ++ vadd.i64 q0, q0, q7
17851 ++ vadd.i64 q5, q5, q3
17852 ++ vshl.i64 q3, q3, #25
17853 ++ vadd.i64 q6, q5, q11
17854 ++ vadd.i64 q0, q0, q13
17855 ++ vshl.i64 q7, q13, #25
17856 ++ vadd.i64 q8, q0, q11
17857 ++ vsub.i64 q3, q12, q3
17858 ++ vshr.s64 q6, q6, #26
17859 ++ vsub.i64 q7, q10, q7
17860 ++ vtrn.32 d2, d6
17861 ++ vshr.s64 q8, q8, #26
17862 ++ vtrn.32 d3, d7
17863 ++ vadd.i64 q3, q9, q6
17864 ++ vst1.8 d2, [r2, : 64]
17865 ++ vshl.i64 q6, q6, #26
17866 ++ vst1.8 d3, [r4, : 64]
17867 ++ vadd.i64 q1, q4, q8
17868 ++ vtrn.32 d4, d14
17869 ++ vshl.i64 q4, q8, #26
17870 ++ vtrn.32 d5, d15
17871 ++ vsub.i64 q5, q5, q6
17872 ++ add r2, r2, #16
17873 ++ vsub.i64 q0, q0, q4
17874 ++ vst1.8 d4, [r2, : 64]
17875 ++ add r4, r4, #16
17876 ++ vst1.8 d5, [r4, : 64]
17877 ++ vtrn.32 d10, d6
17878 ++ vtrn.32 d11, d7
17879 ++ sub r2, r2, #8
17880 ++ sub r4, r4, #8
17881 ++ vtrn.32 d0, d2
17882 ++ vtrn.32 d1, d3
17883 ++ vst1.8 d10, [r2, : 64]
17884 ++ vst1.8 d11, [r4, : 64]
17885 ++ sub r2, r2, #24
17886 ++ sub r4, r4, #24
17887 ++ vst1.8 d0, [r2, : 64]
17888 ++ vst1.8 d1, [r4, : 64]
17889 ++ add r2, r3, #288
17890 ++ add r4, r3, #336
17891 ++ vld1.8 {d0-d1}, [r2, : 128]!
17892 ++ vld1.8 {d2-d3}, [r4, : 128]!
17893 ++ vsub.i32 q0, q0, q1
17894 ++ vld1.8 {d2-d3}, [r2, : 128]!
17895 ++ vld1.8 {d4-d5}, [r4, : 128]!
17896 ++ vsub.i32 q1, q1, q2
17897 ++ add r5, r3, #240
17898 ++ vld1.8 {d4}, [r2, : 64]
17899 ++ vld1.8 {d6}, [r4, : 64]
17900 ++ vsub.i32 q2, q2, q3
17901 ++ vst1.8 {d0-d1}, [r5, : 128]!
17902 ++ vst1.8 {d2-d3}, [r5, : 128]!
17903 ++ vst1.8 d4, [r5, : 64]
17904 ++ add r2, r3, #144
17905 ++ add r4, r3, #96
17906 ++ add r5, r3, #144
17907 ++ add r6, r3, #192
17908 ++ vld1.8 {d0-d1}, [r2, : 128]!
17909 ++ vld1.8 {d2-d3}, [r4, : 128]!
17910 ++ vsub.i32 q2, q0, q1
17911 ++ vadd.i32 q0, q0, q1
17912 ++ vld1.8 {d2-d3}, [r2, : 128]!
17913 ++ vld1.8 {d6-d7}, [r4, : 128]!
17914 ++ vsub.i32 q4, q1, q3
17915 ++ vadd.i32 q1, q1, q3
17916 ++ vld1.8 {d6}, [r2, : 64]
17917 ++ vld1.8 {d10}, [r4, : 64]
17918 ++ vsub.i32 q6, q3, q5
17919 ++ vadd.i32 q3, q3, q5
17920 ++ vst1.8 {d4-d5}, [r5, : 128]!
17921 ++ vst1.8 {d0-d1}, [r6, : 128]!
17922 ++ vst1.8 {d8-d9}, [r5, : 128]!
17923 ++ vst1.8 {d2-d3}, [r6, : 128]!
17924 ++ vst1.8 d12, [r5, : 64]
17925 ++ vst1.8 d6, [r6, : 64]
17926 ++ add r2, r3, #0
17927 ++ add r4, r3, #240
17928 ++ vld1.8 {d0-d1}, [r4, : 128]!
17929 ++ vld1.8 {d2-d3}, [r4, : 128]!
17930 ++ vld1.8 {d4}, [r4, : 64]
17931 ++ add r4, r3, #336
17932 ++ vld1.8 {d6-d7}, [r4, : 128]!
17933 ++ vtrn.32 q0, q3
17934 ++ vld1.8 {d8-d9}, [r4, : 128]!
17935 ++ vshl.i32 q5, q0, #4
17936 ++ vtrn.32 q1, q4
17937 ++ vshl.i32 q6, q3, #4
17938 ++ vadd.i32 q5, q5, q0
17939 ++ vadd.i32 q6, q6, q3
17940 ++ vshl.i32 q7, q1, #4
17941 ++ vld1.8 {d5}, [r4, : 64]
17942 ++ vshl.i32 q8, q4, #4
17943 ++ vtrn.32 d4, d5
17944 ++ vadd.i32 q7, q7, q1
17945 ++ vadd.i32 q8, q8, q4
17946 ++ vld1.8 {d18-d19}, [r2, : 128]!
17947 ++ vshl.i32 q10, q2, #4
17948 ++ vld1.8 {d22-d23}, [r2, : 128]!
17949 ++ vadd.i32 q10, q10, q2
17950 ++ vld1.8 {d24}, [r2, : 64]
17951 ++ vadd.i32 q5, q5, q0
17952 ++ add r2, r3, #288
17953 ++ vld1.8 {d26-d27}, [r2, : 128]!
17954 ++ vadd.i32 q6, q6, q3
17955 ++ vld1.8 {d28-d29}, [r2, : 128]!
17956 ++ vadd.i32 q8, q8, q4
17957 ++ vld1.8 {d25}, [r2, : 64]
17958 ++ vadd.i32 q10, q10, q2
17959 ++ vtrn.32 q9, q13
17960 ++ vadd.i32 q7, q7, q1
17961 ++ vadd.i32 q5, q5, q0
17962 ++ vtrn.32 q11, q14
17963 ++ vadd.i32 q6, q6, q3
17964 ++ add r2, sp, #528
17965 ++ vadd.i32 q10, q10, q2
17966 ++ vtrn.32 d24, d25
17967 ++ vst1.8 {d12-d13}, [r2, : 128]!
17968 ++ vshl.i32 q6, q13, #1
17969 ++ vst1.8 {d20-d21}, [r2, : 128]!
17970 ++ vshl.i32 q10, q14, #1
17971 ++ vst1.8 {d12-d13}, [r2, : 128]!
17972 ++ vshl.i32 q15, q12, #1
17973 ++ vadd.i32 q8, q8, q4
17974 ++ vext.32 d10, d31, d30, #0
17975 ++ vadd.i32 q7, q7, q1
17976 ++ vst1.8 {d16-d17}, [r2, : 128]!
17977 ++ vmull.s32 q8, d18, d5
17978 ++ vmlal.s32 q8, d26, d4
17979 ++ vmlal.s32 q8, d19, d9
17980 ++ vmlal.s32 q8, d27, d3
17981 ++ vmlal.s32 q8, d22, d8
17982 ++ vmlal.s32 q8, d28, d2
17983 ++ vmlal.s32 q8, d23, d7
17984 ++ vmlal.s32 q8, d29, d1
17985 ++ vmlal.s32 q8, d24, d6
17986 ++ vmlal.s32 q8, d25, d0
17987 ++ vst1.8 {d14-d15}, [r2, : 128]!
17988 ++ vmull.s32 q2, d18, d4
17989 ++ vmlal.s32 q2, d12, d9
17990 ++ vmlal.s32 q2, d13, d8
17991 ++ vmlal.s32 q2, d19, d3
17992 ++ vmlal.s32 q2, d22, d2
17993 ++ vmlal.s32 q2, d23, d1
17994 ++ vmlal.s32 q2, d24, d0
17995 ++ vst1.8 {d20-d21}, [r2, : 128]!
17996 ++ vmull.s32 q7, d18, d9
17997 ++ vmlal.s32 q7, d26, d3
17998 ++ vmlal.s32 q7, d19, d8
17999 ++ vmlal.s32 q7, d27, d2
18000 ++ vmlal.s32 q7, d22, d7
18001 ++ vmlal.s32 q7, d28, d1
18002 ++ vmlal.s32 q7, d23, d6
18003 ++ vmlal.s32 q7, d29, d0
18004 ++ vst1.8 {d10-d11}, [r2, : 128]!
18005 ++ vmull.s32 q5, d18, d3
18006 ++ vmlal.s32 q5, d19, d2
18007 ++ vmlal.s32 q5, d22, d1
18008 ++ vmlal.s32 q5, d23, d0
18009 ++ vmlal.s32 q5, d12, d8
18010 ++ vst1.8 {d16-d17}, [r2, : 128]!
18011 ++ vmull.s32 q4, d18, d8
18012 ++ vmlal.s32 q4, d26, d2
18013 ++ vmlal.s32 q4, d19, d7
18014 ++ vmlal.s32 q4, d27, d1
18015 ++ vmlal.s32 q4, d22, d6
18016 ++ vmlal.s32 q4, d28, d0
18017 ++ vmull.s32 q8, d18, d7
18018 ++ vmlal.s32 q8, d26, d1
18019 ++ vmlal.s32 q8, d19, d6
18020 ++ vmlal.s32 q8, d27, d0
18021 ++ add r2, sp, #544
18022 ++ vld1.8 {d20-d21}, [r2, : 128]
18023 ++ vmlal.s32 q7, d24, d21
18024 ++ vmlal.s32 q7, d25, d20
18025 ++ vmlal.s32 q4, d23, d21
18026 ++ vmlal.s32 q4, d29, d20
18027 ++ vmlal.s32 q8, d22, d21
18028 ++ vmlal.s32 q8, d28, d20
18029 ++ vmlal.s32 q5, d24, d20
18030 ++ vst1.8 {d14-d15}, [r2, : 128]
18031 ++ vmull.s32 q7, d18, d6
18032 ++ vmlal.s32 q7, d26, d0
18033 ++ add r2, sp, #624
18034 ++ vld1.8 {d30-d31}, [r2, : 128]
18035 ++ vmlal.s32 q2, d30, d21
18036 ++ vmlal.s32 q7, d19, d21
18037 ++ vmlal.s32 q7, d27, d20
18038 ++ add r2, sp, #592
18039 ++ vld1.8 {d26-d27}, [r2, : 128]
18040 ++ vmlal.s32 q4, d25, d27
18041 ++ vmlal.s32 q8, d29, d27
18042 ++ vmlal.s32 q8, d25, d26
18043 ++ vmlal.s32 q7, d28, d27
18044 ++ vmlal.s32 q7, d29, d26
18045 ++ add r2, sp, #576
18046 ++ vld1.8 {d28-d29}, [r2, : 128]
18047 ++ vmlal.s32 q4, d24, d29
18048 ++ vmlal.s32 q8, d23, d29
18049 ++ vmlal.s32 q8, d24, d28
18050 ++ vmlal.s32 q7, d22, d29
18051 ++ vmlal.s32 q7, d23, d28
18052 ++ vst1.8 {d8-d9}, [r2, : 128]
18053 ++ add r2, sp, #528
18054 ++ vld1.8 {d8-d9}, [r2, : 128]
18055 ++ vmlal.s32 q7, d24, d9
18056 ++ vmlal.s32 q7, d25, d31
18057 ++ vmull.s32 q1, d18, d2
18058 ++ vmlal.s32 q1, d19, d1
18059 ++ vmlal.s32 q1, d22, d0
18060 ++ vmlal.s32 q1, d24, d27
18061 ++ vmlal.s32 q1, d23, d20
18062 ++ vmlal.s32 q1, d12, d7
18063 ++ vmlal.s32 q1, d13, d6
18064 ++ vmull.s32 q6, d18, d1
18065 ++ vmlal.s32 q6, d19, d0
18066 ++ vmlal.s32 q6, d23, d27
18067 ++ vmlal.s32 q6, d22, d20
18068 ++ vmlal.s32 q6, d24, d26
18069 ++ vmull.s32 q0, d18, d0
18070 ++ vmlal.s32 q0, d22, d27
18071 ++ vmlal.s32 q0, d23, d26
18072 ++ vmlal.s32 q0, d24, d31
18073 ++ vmlal.s32 q0, d19, d20
18074 ++ add r2, sp, #608
18075 ++ vld1.8 {d18-d19}, [r2, : 128]
18076 ++ vmlal.s32 q2, d18, d7
18077 ++ vmlal.s32 q5, d18, d6
18078 ++ vmlal.s32 q1, d18, d21
18079 ++ vmlal.s32 q0, d18, d28
18080 ++ vmlal.s32 q6, d18, d29
18081 ++ vmlal.s32 q2, d19, d6
18082 ++ vmlal.s32 q5, d19, d21
18083 ++ vmlal.s32 q1, d19, d29
18084 ++ vmlal.s32 q0, d19, d9
18085 ++ vmlal.s32 q6, d19, d28
18086 ++ add r2, sp, #560
18087 ++ vld1.8 {d18-d19}, [r2, : 128]
18088 ++ add r2, sp, #480
18089 ++ vld1.8 {d22-d23}, [r2, : 128]
18090 ++ vmlal.s32 q5, d19, d7
18091 ++ vmlal.s32 q0, d18, d21
18092 ++ vmlal.s32 q0, d19, d29
18093 ++ vmlal.s32 q6, d18, d6
18094 ++ add r2, sp, #496
18095 ++ vld1.8 {d6-d7}, [r2, : 128]
18096 ++ vmlal.s32 q6, d19, d21
18097 ++ add r2, sp, #544
18098 ++ vld1.8 {d18-d19}, [r2, : 128]
18099 ++ vmlal.s32 q0, d30, d8
18100 ++ add r2, sp, #640
18101 ++ vld1.8 {d20-d21}, [r2, : 128]
18102 ++ vmlal.s32 q5, d30, d29
18103 ++ add r2, sp, #576
18104 ++ vld1.8 {d24-d25}, [r2, : 128]
18105 ++ vmlal.s32 q1, d30, d28
18106 ++ vadd.i64 q13, q0, q11
18107 ++ vadd.i64 q14, q5, q11
18108 ++ vmlal.s32 q6, d30, d9
18109 ++ vshr.s64 q4, q13, #26
18110 ++ vshr.s64 q13, q14, #26
18111 ++ vadd.i64 q7, q7, q4
18112 ++ vshl.i64 q4, q4, #26
18113 ++ vadd.i64 q14, q7, q3
18114 ++ vadd.i64 q9, q9, q13
18115 ++ vshl.i64 q13, q13, #26
18116 ++ vadd.i64 q15, q9, q3
18117 ++ vsub.i64 q0, q0, q4
18118 ++ vshr.s64 q4, q14, #25
18119 ++ vsub.i64 q5, q5, q13
18120 ++ vshr.s64 q13, q15, #25
18121 ++ vadd.i64 q6, q6, q4
18122 ++ vshl.i64 q4, q4, #25
18123 ++ vadd.i64 q14, q6, q11
18124 ++ vadd.i64 q2, q2, q13
18125 ++ vsub.i64 q4, q7, q4
18126 ++ vshr.s64 q7, q14, #26
18127 ++ vshl.i64 q13, q13, #25
18128 ++ vadd.i64 q14, q2, q11
18129 ++ vadd.i64 q8, q8, q7
18130 ++ vshl.i64 q7, q7, #26
18131 ++ vadd.i64 q15, q8, q3
18132 ++ vsub.i64 q9, q9, q13
18133 ++ vshr.s64 q13, q14, #26
18134 ++ vsub.i64 q6, q6, q7
18135 ++ vshr.s64 q7, q15, #25
18136 ++ vadd.i64 q10, q10, q13
18137 ++ vshl.i64 q13, q13, #26
18138 ++ vadd.i64 q14, q10, q3
18139 ++ vadd.i64 q1, q1, q7
18140 ++ add r2, r3, #288
18141 ++ vshl.i64 q7, q7, #25
18142 ++ add r4, r3, #96
18143 ++ vadd.i64 q15, q1, q11
18144 ++ add r2, r2, #8
18145 ++ vsub.i64 q2, q2, q13
18146 ++ add r4, r4, #8
18147 ++ vshr.s64 q13, q14, #25
18148 ++ vsub.i64 q7, q8, q7
18149 ++ vshr.s64 q8, q15, #26
18150 ++ vadd.i64 q14, q13, q13
18151 ++ vadd.i64 q12, q12, q8
18152 ++ vtrn.32 d12, d14
18153 ++ vshl.i64 q8, q8, #26
18154 ++ vtrn.32 d13, d15
18155 ++ vadd.i64 q3, q12, q3
18156 ++ vadd.i64 q0, q0, q14
18157 ++ vst1.8 d12, [r2, : 64]!
18158 ++ vshl.i64 q7, q13, #4
18159 ++ vst1.8 d13, [r4, : 64]!
18160 ++ vsub.i64 q1, q1, q8
18161 ++ vshr.s64 q3, q3, #25
18162 ++ vadd.i64 q0, q0, q7
18163 ++ vadd.i64 q5, q5, q3
18164 ++ vshl.i64 q3, q3, #25
18165 ++ vadd.i64 q6, q5, q11
18166 ++ vadd.i64 q0, q0, q13
18167 ++ vshl.i64 q7, q13, #25
18168 ++ vadd.i64 q8, q0, q11
18169 ++ vsub.i64 q3, q12, q3
18170 ++ vshr.s64 q6, q6, #26
18171 ++ vsub.i64 q7, q10, q7
18172 ++ vtrn.32 d2, d6
18173 ++ vshr.s64 q8, q8, #26
18174 ++ vtrn.32 d3, d7
18175 ++ vadd.i64 q3, q9, q6
18176 ++ vst1.8 d2, [r2, : 64]
18177 ++ vshl.i64 q6, q6, #26
18178 ++ vst1.8 d3, [r4, : 64]
18179 ++ vadd.i64 q1, q4, q8
18180 ++ vtrn.32 d4, d14
18181 ++ vshl.i64 q4, q8, #26
18182 ++ vtrn.32 d5, d15
18183 ++ vsub.i64 q5, q5, q6
18184 ++ add r2, r2, #16
18185 ++ vsub.i64 q0, q0, q4
18186 ++ vst1.8 d4, [r2, : 64]
18187 ++ add r4, r4, #16
18188 ++ vst1.8 d5, [r4, : 64]
18189 ++ vtrn.32 d10, d6
18190 ++ vtrn.32 d11, d7
18191 ++ sub r2, r2, #8
18192 ++ sub r4, r4, #8
18193 ++ vtrn.32 d0, d2
18194 ++ vtrn.32 d1, d3
18195 ++ vst1.8 d10, [r2, : 64]
18196 ++ vst1.8 d11, [r4, : 64]
18197 ++ sub r2, r2, #24
18198 ++ sub r4, r4, #24
18199 ++ vst1.8 d0, [r2, : 64]
18200 ++ vst1.8 d1, [r4, : 64]
18201 ++ add r2, sp, #512
18202 ++ add r4, r3, #144
18203 ++ add r5, r3, #192
18204 ++ vld1.8 {d0-d1}, [r2, : 128]
18205 ++ vld1.8 {d2-d3}, [r4, : 128]!
18206 ++ vld1.8 {d4-d5}, [r5, : 128]!
18207 ++ vzip.i32 q1, q2
18208 ++ vld1.8 {d6-d7}, [r4, : 128]!
18209 ++ vld1.8 {d8-d9}, [r5, : 128]!
18210 ++ vshl.i32 q5, q1, #1
18211 ++ vzip.i32 q3, q4
18212 ++ vshl.i32 q6, q2, #1
18213 ++ vld1.8 {d14}, [r4, : 64]
18214 ++ vshl.i32 q8, q3, #1
18215 ++ vld1.8 {d15}, [r5, : 64]
18216 ++ vshl.i32 q9, q4, #1
18217 ++ vmul.i32 d21, d7, d1
18218 ++ vtrn.32 d14, d15
18219 ++ vmul.i32 q11, q4, q0
18220 ++ vmul.i32 q0, q7, q0
18221 ++ vmull.s32 q12, d2, d2
18222 ++ vmlal.s32 q12, d11, d1
18223 ++ vmlal.s32 q12, d12, d0
18224 ++ vmlal.s32 q12, d13, d23
18225 ++ vmlal.s32 q12, d16, d22
18226 ++ vmlal.s32 q12, d7, d21
18227 ++ vmull.s32 q10, d2, d11
18228 ++ vmlal.s32 q10, d4, d1
18229 ++ vmlal.s32 q10, d13, d0
18230 ++ vmlal.s32 q10, d6, d23
18231 ++ vmlal.s32 q10, d17, d22
18232 ++ vmull.s32 q13, d10, d4
18233 ++ vmlal.s32 q13, d11, d3
18234 ++ vmlal.s32 q13, d13, d1
18235 ++ vmlal.s32 q13, d16, d0
18236 ++ vmlal.s32 q13, d17, d23
18237 ++ vmlal.s32 q13, d8, d22
18238 ++ vmull.s32 q1, d10, d5
18239 ++ vmlal.s32 q1, d11, d4
18240 ++ vmlal.s32 q1, d6, d1
18241 ++ vmlal.s32 q1, d17, d0
18242 ++ vmlal.s32 q1, d8, d23
18243 ++ vmull.s32 q14, d10, d6
18244 ++ vmlal.s32 q14, d11, d13
18245 ++ vmlal.s32 q14, d4, d4
18246 ++ vmlal.s32 q14, d17, d1
18247 ++ vmlal.s32 q14, d18, d0
18248 ++ vmlal.s32 q14, d9, d23
18249 ++ vmull.s32 q11, d10, d7
18250 ++ vmlal.s32 q11, d11, d6
18251 ++ vmlal.s32 q11, d12, d5
18252 ++ vmlal.s32 q11, d8, d1
18253 ++ vmlal.s32 q11, d19, d0
18254 ++ vmull.s32 q15, d10, d8
18255 ++ vmlal.s32 q15, d11, d17
18256 ++ vmlal.s32 q15, d12, d6
18257 ++ vmlal.s32 q15, d13, d5
18258 ++ vmlal.s32 q15, d19, d1
18259 ++ vmlal.s32 q15, d14, d0
18260 ++ vmull.s32 q2, d10, d9
18261 ++ vmlal.s32 q2, d11, d8
18262 ++ vmlal.s32 q2, d12, d7
18263 ++ vmlal.s32 q2, d13, d6
18264 ++ vmlal.s32 q2, d14, d1
18265 ++ vmull.s32 q0, d15, d1
18266 ++ vmlal.s32 q0, d10, d14
18267 ++ vmlal.s32 q0, d11, d19
18268 ++ vmlal.s32 q0, d12, d8
18269 ++ vmlal.s32 q0, d13, d17
18270 ++ vmlal.s32 q0, d6, d6
18271 ++ add r2, sp, #480
18272 ++ vld1.8 {d18-d19}, [r2, : 128]!
18273 ++ vmull.s32 q3, d16, d7
18274 ++ vmlal.s32 q3, d10, d15
18275 ++ vmlal.s32 q3, d11, d14
18276 ++ vmlal.s32 q3, d12, d9
18277 ++ vmlal.s32 q3, d13, d8
18278 ++ vld1.8 {d8-d9}, [r2, : 128]
18279 ++ vadd.i64 q5, q12, q9
18280 ++ vadd.i64 q6, q15, q9
18281 ++ vshr.s64 q5, q5, #26
18282 ++ vshr.s64 q6, q6, #26
18283 ++ vadd.i64 q7, q10, q5
18284 ++ vshl.i64 q5, q5, #26
18285 ++ vadd.i64 q8, q7, q4
18286 ++ vadd.i64 q2, q2, q6
18287 ++ vshl.i64 q6, q6, #26
18288 ++ vadd.i64 q10, q2, q4
18289 ++ vsub.i64 q5, q12, q5
18290 ++ vshr.s64 q8, q8, #25
18291 ++ vsub.i64 q6, q15, q6
18292 ++ vshr.s64 q10, q10, #25
18293 ++ vadd.i64 q12, q13, q8
18294 ++ vshl.i64 q8, q8, #25
18295 ++ vadd.i64 q13, q12, q9
18296 ++ vadd.i64 q0, q0, q10
18297 ++ vsub.i64 q7, q7, q8
18298 ++ vshr.s64 q8, q13, #26
18299 ++ vshl.i64 q10, q10, #25
18300 ++ vadd.i64 q13, q0, q9
18301 ++ vadd.i64 q1, q1, q8
18302 ++ vshl.i64 q8, q8, #26
18303 ++ vadd.i64 q15, q1, q4
18304 ++ vsub.i64 q2, q2, q10
18305 ++ vshr.s64 q10, q13, #26
18306 ++ vsub.i64 q8, q12, q8
18307 ++ vshr.s64 q12, q15, #25
18308 ++ vadd.i64 q3, q3, q10
18309 ++ vshl.i64 q10, q10, #26
18310 ++ vadd.i64 q13, q3, q4
18311 ++ vadd.i64 q14, q14, q12
18312 ++ add r2, r3, #144
18313 ++ vshl.i64 q12, q12, #25
18314 ++ add r4, r3, #192
18315 ++ vadd.i64 q15, q14, q9
18316 ++ add r2, r2, #8
18317 ++ vsub.i64 q0, q0, q10
18318 ++ add r4, r4, #8
18319 ++ vshr.s64 q10, q13, #25
18320 ++ vsub.i64 q1, q1, q12
18321 ++ vshr.s64 q12, q15, #26
18322 ++ vadd.i64 q13, q10, q10
18323 ++ vadd.i64 q11, q11, q12
18324 ++ vtrn.32 d16, d2
18325 ++ vshl.i64 q12, q12, #26
18326 ++ vtrn.32 d17, d3
18327 ++ vadd.i64 q1, q11, q4
18328 ++ vadd.i64 q4, q5, q13
18329 ++ vst1.8 d16, [r2, : 64]!
18330 ++ vshl.i64 q5, q10, #4
18331 ++ vst1.8 d17, [r4, : 64]!
18332 ++ vsub.i64 q8, q14, q12
18333 ++ vshr.s64 q1, q1, #25
18334 ++ vadd.i64 q4, q4, q5
18335 ++ vadd.i64 q5, q6, q1
18336 ++ vshl.i64 q1, q1, #25
18337 ++ vadd.i64 q6, q5, q9
18338 ++ vadd.i64 q4, q4, q10
18339 ++ vshl.i64 q10, q10, #25
18340 ++ vadd.i64 q9, q4, q9
18341 ++ vsub.i64 q1, q11, q1
18342 ++ vshr.s64 q6, q6, #26
18343 ++ vsub.i64 q3, q3, q10
18344 ++ vtrn.32 d16, d2
18345 ++ vshr.s64 q9, q9, #26
18346 ++ vtrn.32 d17, d3
18347 ++ vadd.i64 q1, q2, q6
18348 ++ vst1.8 d16, [r2, : 64]
18349 ++ vshl.i64 q2, q6, #26
18350 ++ vst1.8 d17, [r4, : 64]
18351 ++ vadd.i64 q6, q7, q9
18352 ++ vtrn.32 d0, d6
18353 ++ vshl.i64 q7, q9, #26
18354 ++ vtrn.32 d1, d7
18355 ++ vsub.i64 q2, q5, q2
18356 ++ add r2, r2, #16
18357 ++ vsub.i64 q3, q4, q7
18358 ++ vst1.8 d0, [r2, : 64]
18359 ++ add r4, r4, #16
18360 ++ vst1.8 d1, [r4, : 64]
18361 ++ vtrn.32 d4, d2
18362 ++ vtrn.32 d5, d3
18363 ++ sub r2, r2, #8
18364 ++ sub r4, r4, #8
18365 ++ vtrn.32 d6, d12
18366 ++ vtrn.32 d7, d13
18367 ++ vst1.8 d4, [r2, : 64]
18368 ++ vst1.8 d5, [r4, : 64]
18369 ++ sub r2, r2, #24
18370 ++ sub r4, r4, #24
18371 ++ vst1.8 d6, [r2, : 64]
18372 ++ vst1.8 d7, [r4, : 64]
18373 ++ add r2, r3, #336
18374 ++ add r4, r3, #288
18375 ++ vld1.8 {d0-d1}, [r2, : 128]!
18376 ++ vld1.8 {d2-d3}, [r4, : 128]!
18377 ++ vadd.i32 q0, q0, q1
18378 ++ vld1.8 {d2-d3}, [r2, : 128]!
18379 ++ vld1.8 {d4-d5}, [r4, : 128]!
18380 ++ vadd.i32 q1, q1, q2
18381 ++ add r5, r3, #288
18382 ++ vld1.8 {d4}, [r2, : 64]
18383 ++ vld1.8 {d6}, [r4, : 64]
18384 ++ vadd.i32 q2, q2, q3
18385 ++ vst1.8 {d0-d1}, [r5, : 128]!
18386 ++ vst1.8 {d2-d3}, [r5, : 128]!
18387 ++ vst1.8 d4, [r5, : 64]
18388 ++ add r2, r3, #48
18389 ++ add r4, r3, #144
18390 ++ vld1.8 {d0-d1}, [r4, : 128]!
18391 ++ vld1.8 {d2-d3}, [r4, : 128]!
18392 ++ vld1.8 {d4}, [r4, : 64]
18393 ++ add r4, r3, #288
18394 ++ vld1.8 {d6-d7}, [r4, : 128]!
18395 ++ vtrn.32 q0, q3
18396 ++ vld1.8 {d8-d9}, [r4, : 128]!
18397 ++ vshl.i32 q5, q0, #4
18398 ++ vtrn.32 q1, q4
18399 ++ vshl.i32 q6, q3, #4
18400 ++ vadd.i32 q5, q5, q0
18401 ++ vadd.i32 q6, q6, q3
18402 ++ vshl.i32 q7, q1, #4
18403 ++ vld1.8 {d5}, [r4, : 64]
18404 ++ vshl.i32 q8, q4, #4
18405 ++ vtrn.32 d4, d5
18406 ++ vadd.i32 q7, q7, q1
18407 ++ vadd.i32 q8, q8, q4
18408 ++ vld1.8 {d18-d19}, [r2, : 128]!
18409 ++ vshl.i32 q10, q2, #4
18410 ++ vld1.8 {d22-d23}, [r2, : 128]!
18411 ++ vadd.i32 q10, q10, q2
18412 ++ vld1.8 {d24}, [r2, : 64]
18413 ++ vadd.i32 q5, q5, q0
18414 ++ add r2, r3, #240
18415 ++ vld1.8 {d26-d27}, [r2, : 128]!
18416 ++ vadd.i32 q6, q6, q3
18417 ++ vld1.8 {d28-d29}, [r2, : 128]!
18418 ++ vadd.i32 q8, q8, q4
18419 ++ vld1.8 {d25}, [r2, : 64]
18420 ++ vadd.i32 q10, q10, q2
18421 ++ vtrn.32 q9, q13
18422 ++ vadd.i32 q7, q7, q1
18423 ++ vadd.i32 q5, q5, q0
18424 ++ vtrn.32 q11, q14
18425 ++ vadd.i32 q6, q6, q3
18426 ++ add r2, sp, #528
18427 ++ vadd.i32 q10, q10, q2
18428 ++ vtrn.32 d24, d25
18429 ++ vst1.8 {d12-d13}, [r2, : 128]!
18430 ++ vshl.i32 q6, q13, #1
18431 ++ vst1.8 {d20-d21}, [r2, : 128]!
18432 ++ vshl.i32 q10, q14, #1
18433 ++ vst1.8 {d12-d13}, [r2, : 128]!
18434 ++ vshl.i32 q15, q12, #1
18435 ++ vadd.i32 q8, q8, q4
18436 ++ vext.32 d10, d31, d30, #0
18437 ++ vadd.i32 q7, q7, q1
18438 ++ vst1.8 {d16-d17}, [r2, : 128]!
18439 ++ vmull.s32 q8, d18, d5
18440 ++ vmlal.s32 q8, d26, d4
18441 ++ vmlal.s32 q8, d19, d9
18442 ++ vmlal.s32 q8, d27, d3
18443 ++ vmlal.s32 q8, d22, d8
18444 ++ vmlal.s32 q8, d28, d2
18445 ++ vmlal.s32 q8, d23, d7
18446 ++ vmlal.s32 q8, d29, d1
18447 ++ vmlal.s32 q8, d24, d6
18448 ++ vmlal.s32 q8, d25, d0
18449 ++ vst1.8 {d14-d15}, [r2, : 128]!
18450 ++ vmull.s32 q2, d18, d4
18451 ++ vmlal.s32 q2, d12, d9
18452 ++ vmlal.s32 q2, d13, d8
18453 ++ vmlal.s32 q2, d19, d3
18454 ++ vmlal.s32 q2, d22, d2
18455 ++ vmlal.s32 q2, d23, d1
18456 ++ vmlal.s32 q2, d24, d0
18457 ++ vst1.8 {d20-d21}, [r2, : 128]!
18458 ++ vmull.s32 q7, d18, d9
18459 ++ vmlal.s32 q7, d26, d3
18460 ++ vmlal.s32 q7, d19, d8
18461 ++ vmlal.s32 q7, d27, d2
18462 ++ vmlal.s32 q7, d22, d7
18463 ++ vmlal.s32 q7, d28, d1
18464 ++ vmlal.s32 q7, d23, d6
18465 ++ vmlal.s32 q7, d29, d0
18466 ++ vst1.8 {d10-d11}, [r2, : 128]!
18467 ++ vmull.s32 q5, d18, d3
18468 ++ vmlal.s32 q5, d19, d2
18469 ++ vmlal.s32 q5, d22, d1
18470 ++ vmlal.s32 q5, d23, d0
18471 ++ vmlal.s32 q5, d12, d8
18472 ++ vst1.8 {d16-d17}, [r2, : 128]!
18473 ++ vmull.s32 q4, d18, d8
18474 ++ vmlal.s32 q4, d26, d2
18475 ++ vmlal.s32 q4, d19, d7
18476 ++ vmlal.s32 q4, d27, d1
18477 ++ vmlal.s32 q4, d22, d6
18478 ++ vmlal.s32 q4, d28, d0
18479 ++ vmull.s32 q8, d18, d7
18480 ++ vmlal.s32 q8, d26, d1
18481 ++ vmlal.s32 q8, d19, d6
18482 ++ vmlal.s32 q8, d27, d0
18483 ++ add r2, sp, #544
18484 ++ vld1.8 {d20-d21}, [r2, : 128]
18485 ++ vmlal.s32 q7, d24, d21
18486 ++ vmlal.s32 q7, d25, d20
18487 ++ vmlal.s32 q4, d23, d21
18488 ++ vmlal.s32 q4, d29, d20
18489 ++ vmlal.s32 q8, d22, d21
18490 ++ vmlal.s32 q8, d28, d20
18491 ++ vmlal.s32 q5, d24, d20
18492 ++ vst1.8 {d14-d15}, [r2, : 128]
18493 ++ vmull.s32 q7, d18, d6
18494 ++ vmlal.s32 q7, d26, d0
18495 ++ add r2, sp, #624
18496 ++ vld1.8 {d30-d31}, [r2, : 128]
18497 ++ vmlal.s32 q2, d30, d21
18498 ++ vmlal.s32 q7, d19, d21
18499 ++ vmlal.s32 q7, d27, d20
18500 ++ add r2, sp, #592
18501 ++ vld1.8 {d26-d27}, [r2, : 128]
18502 ++ vmlal.s32 q4, d25, d27
18503 ++ vmlal.s32 q8, d29, d27
18504 ++ vmlal.s32 q8, d25, d26
18505 ++ vmlal.s32 q7, d28, d27
18506 ++ vmlal.s32 q7, d29, d26
18507 ++ add r2, sp, #576
18508 ++ vld1.8 {d28-d29}, [r2, : 128]
18509 ++ vmlal.s32 q4, d24, d29
18510 ++ vmlal.s32 q8, d23, d29
18511 ++ vmlal.s32 q8, d24, d28
18512 ++ vmlal.s32 q7, d22, d29
18513 ++ vmlal.s32 q7, d23, d28
18514 ++ vst1.8 {d8-d9}, [r2, : 128]
18515 ++ add r2, sp, #528
18516 ++ vld1.8 {d8-d9}, [r2, : 128]
18517 ++ vmlal.s32 q7, d24, d9
18518 ++ vmlal.s32 q7, d25, d31
18519 ++ vmull.s32 q1, d18, d2
18520 ++ vmlal.s32 q1, d19, d1
18521 ++ vmlal.s32 q1, d22, d0
18522 ++ vmlal.s32 q1, d24, d27
18523 ++ vmlal.s32 q1, d23, d20
18524 ++ vmlal.s32 q1, d12, d7
18525 ++ vmlal.s32 q1, d13, d6
18526 ++ vmull.s32 q6, d18, d1
18527 ++ vmlal.s32 q6, d19, d0
18528 ++ vmlal.s32 q6, d23, d27
18529 ++ vmlal.s32 q6, d22, d20
18530 ++ vmlal.s32 q6, d24, d26
18531 ++ vmull.s32 q0, d18, d0
18532 ++ vmlal.s32 q0, d22, d27
18533 ++ vmlal.s32 q0, d23, d26
18534 ++ vmlal.s32 q0, d24, d31
18535 ++ vmlal.s32 q0, d19, d20
18536 ++ add r2, sp, #608
18537 ++ vld1.8 {d18-d19}, [r2, : 128]
18538 ++ vmlal.s32 q2, d18, d7
18539 ++ vmlal.s32 q5, d18, d6
18540 ++ vmlal.s32 q1, d18, d21
18541 ++ vmlal.s32 q0, d18, d28
18542 ++ vmlal.s32 q6, d18, d29
18543 ++ vmlal.s32 q2, d19, d6
18544 ++ vmlal.s32 q5, d19, d21
18545 ++ vmlal.s32 q1, d19, d29
18546 ++ vmlal.s32 q0, d19, d9
18547 ++ vmlal.s32 q6, d19, d28
18548 ++ add r2, sp, #560
18549 ++ vld1.8 {d18-d19}, [r2, : 128]
18550 ++ add r2, sp, #480
18551 ++ vld1.8 {d22-d23}, [r2, : 128]
18552 ++ vmlal.s32 q5, d19, d7
18553 ++ vmlal.s32 q0, d18, d21
18554 ++ vmlal.s32 q0, d19, d29
18555 ++ vmlal.s32 q6, d18, d6
18556 ++ add r2, sp, #496
18557 ++ vld1.8 {d6-d7}, [r2, : 128]
18558 ++ vmlal.s32 q6, d19, d21
18559 ++ add r2, sp, #544
18560 ++ vld1.8 {d18-d19}, [r2, : 128]
18561 ++ vmlal.s32 q0, d30, d8
18562 ++ add r2, sp, #640
18563 ++ vld1.8 {d20-d21}, [r2, : 128]
18564 ++ vmlal.s32 q5, d30, d29
18565 ++ add r2, sp, #576
18566 ++ vld1.8 {d24-d25}, [r2, : 128]
18567 ++ vmlal.s32 q1, d30, d28
18568 ++ vadd.i64 q13, q0, q11
18569 ++ vadd.i64 q14, q5, q11
18570 ++ vmlal.s32 q6, d30, d9
18571 ++ vshr.s64 q4, q13, #26
18572 ++ vshr.s64 q13, q14, #26
18573 ++ vadd.i64 q7, q7, q4
18574 ++ vshl.i64 q4, q4, #26
18575 ++ vadd.i64 q14, q7, q3
18576 ++ vadd.i64 q9, q9, q13
18577 ++ vshl.i64 q13, q13, #26
18578 ++ vadd.i64 q15, q9, q3
18579 ++ vsub.i64 q0, q0, q4
18580 ++ vshr.s64 q4, q14, #25
18581 ++ vsub.i64 q5, q5, q13
18582 ++ vshr.s64 q13, q15, #25
18583 ++ vadd.i64 q6, q6, q4
18584 ++ vshl.i64 q4, q4, #25
18585 ++ vadd.i64 q14, q6, q11
18586 ++ vadd.i64 q2, q2, q13
18587 ++ vsub.i64 q4, q7, q4
18588 ++ vshr.s64 q7, q14, #26
18589 ++ vshl.i64 q13, q13, #25
18590 ++ vadd.i64 q14, q2, q11
18591 ++ vadd.i64 q8, q8, q7
18592 ++ vshl.i64 q7, q7, #26
18593 ++ vadd.i64 q15, q8, q3
18594 ++ vsub.i64 q9, q9, q13
18595 ++ vshr.s64 q13, q14, #26
18596 ++ vsub.i64 q6, q6, q7
18597 ++ vshr.s64 q7, q15, #25
18598 ++ vadd.i64 q10, q10, q13
18599 ++ vshl.i64 q13, q13, #26
18600 ++ vadd.i64 q14, q10, q3
18601 ++ vadd.i64 q1, q1, q7
18602 ++ add r2, r3, #240
18603 ++ vshl.i64 q7, q7, #25
18604 ++ add r4, r3, #144
18605 ++ vadd.i64 q15, q1, q11
18606 ++ add r2, r2, #8
18607 ++ vsub.i64 q2, q2, q13
18608 ++ add r4, r4, #8
18609 ++ vshr.s64 q13, q14, #25
18610 ++ vsub.i64 q7, q8, q7
18611 ++ vshr.s64 q8, q15, #26
18612 ++ vadd.i64 q14, q13, q13
18613 ++ vadd.i64 q12, q12, q8
18614 ++ vtrn.32 d12, d14
18615 ++ vshl.i64 q8, q8, #26
18616 ++ vtrn.32 d13, d15
18617 ++ vadd.i64 q3, q12, q3
18618 ++ vadd.i64 q0, q0, q14
18619 ++ vst1.8 d12, [r2, : 64]!
18620 ++ vshl.i64 q7, q13, #4
18621 ++ vst1.8 d13, [r4, : 64]!
18622 ++ vsub.i64 q1, q1, q8
18623 ++ vshr.s64 q3, q3, #25
18624 ++ vadd.i64 q0, q0, q7
18625 ++ vadd.i64 q5, q5, q3
18626 ++ vshl.i64 q3, q3, #25
18627 ++ vadd.i64 q6, q5, q11
18628 ++ vadd.i64 q0, q0, q13
18629 ++ vshl.i64 q7, q13, #25
18630 ++ vadd.i64 q8, q0, q11
18631 ++ vsub.i64 q3, q12, q3
18632 ++ vshr.s64 q6, q6, #26
18633 ++ vsub.i64 q7, q10, q7
18634 ++ vtrn.32 d2, d6
18635 ++ vshr.s64 q8, q8, #26
18636 ++ vtrn.32 d3, d7
18637 ++ vadd.i64 q3, q9, q6
18638 ++ vst1.8 d2, [r2, : 64]
18639 ++ vshl.i64 q6, q6, #26
18640 ++ vst1.8 d3, [r4, : 64]
18641 ++ vadd.i64 q1, q4, q8
18642 ++ vtrn.32 d4, d14
18643 ++ vshl.i64 q4, q8, #26
18644 ++ vtrn.32 d5, d15
18645 ++ vsub.i64 q5, q5, q6
18646 ++ add r2, r2, #16
18647 ++ vsub.i64 q0, q0, q4
18648 ++ vst1.8 d4, [r2, : 64]
18649 ++ add r4, r4, #16
18650 ++ vst1.8 d5, [r4, : 64]
18651 ++ vtrn.32 d10, d6
18652 ++ vtrn.32 d11, d7
18653 ++ sub r2, r2, #8
18654 ++ sub r4, r4, #8
18655 ++ vtrn.32 d0, d2
18656 ++ vtrn.32 d1, d3
18657 ++ vst1.8 d10, [r2, : 64]
18658 ++ vst1.8 d11, [r4, : 64]
18659 ++ sub r2, r2, #24
18660 ++ sub r4, r4, #24
18661 ++ vst1.8 d0, [r2, : 64]
18662 ++ vst1.8 d1, [r4, : 64]
18663 ++ ldr r2, [sp, #456]
18664 ++ ldr r4, [sp, #460]
18665 ++ subs r5, r2, #1
18666 ++ bge .Lmainloop
18667 ++ add r1, r3, #144
18668 ++ add r2, r3, #336
18669 ++ vld1.8 {d0-d1}, [r1, : 128]!
18670 ++ vld1.8 {d2-d3}, [r1, : 128]!
18671 ++ vld1.8 {d4}, [r1, : 64]
18672 ++ vst1.8 {d0-d1}, [r2, : 128]!
18673 ++ vst1.8 {d2-d3}, [r2, : 128]!
18674 ++ vst1.8 d4, [r2, : 64]
18675 ++ movw r1, #0
18676 ++.Linvertloop:
18677 ++ add r2, r3, #144
18678 ++ movw r4, #0
18679 ++ movw r5, #2
18680 ++ cmp r1, #1
18681 ++ moveq r5, #1
18682 ++ addeq r2, r3, #336
18683 ++ addeq r4, r3, #48
18684 ++ cmp r1, #2
18685 ++ moveq r5, #1
18686 ++ addeq r2, r3, #48
18687 ++ cmp r1, #3
18688 ++ moveq r5, #5
18689 ++ addeq r4, r3, #336
18690 ++ cmp r1, #4
18691 ++ moveq r5, #10
18692 ++ cmp r1, #5
18693 ++ moveq r5, #20
18694 ++ cmp r1, #6
18695 ++ moveq r5, #10
18696 ++ addeq r2, r3, #336
18697 ++ addeq r4, r3, #336
18698 ++ cmp r1, #7
18699 ++ moveq r5, #50
18700 ++ cmp r1, #8
18701 ++ moveq r5, #100
18702 ++ cmp r1, #9
18703 ++ moveq r5, #50
18704 ++ addeq r2, r3, #336
18705 ++ cmp r1, #10
18706 ++ moveq r5, #5
18707 ++ addeq r2, r3, #48
18708 ++ cmp r1, #11
18709 ++ moveq r5, #0
18710 ++ addeq r2, r3, #96
18711 ++ add r6, r3, #144
18712 ++ add r7, r3, #288
18713 ++ vld1.8 {d0-d1}, [r6, : 128]!
18714 ++ vld1.8 {d2-d3}, [r6, : 128]!
18715 ++ vld1.8 {d4}, [r6, : 64]
18716 ++ vst1.8 {d0-d1}, [r7, : 128]!
18717 ++ vst1.8 {d2-d3}, [r7, : 128]!
18718 ++ vst1.8 d4, [r7, : 64]
18719 ++ cmp r5, #0
18720 ++ beq .Lskipsquaringloop
18721 ++.Lsquaringloop:
18722 ++ add r6, r3, #288
18723 ++ add r7, r3, #288
18724 ++ add r8, r3, #288
18725 ++ vmov.i32 q0, #19
18726 ++ vmov.i32 q1, #0
18727 ++ vmov.i32 q2, #1
18728 ++ vzip.i32 q1, q2
18729 ++ vld1.8 {d4-d5}, [r7, : 128]!
18730 ++ vld1.8 {d6-d7}, [r7, : 128]!
18731 ++ vld1.8 {d9}, [r7, : 64]
18732 ++ vld1.8 {d10-d11}, [r6, : 128]!
18733 ++ add r7, sp, #384
18734 ++ vld1.8 {d12-d13}, [r6, : 128]!
18735 ++ vmul.i32 q7, q2, q0
18736 ++ vld1.8 {d8}, [r6, : 64]
18737 ++ vext.32 d17, d11, d10, #1
18738 ++ vmul.i32 q9, q3, q0
18739 ++ vext.32 d16, d10, d8, #1
18740 ++ vshl.u32 q10, q5, q1
18741 ++ vext.32 d22, d14, d4, #1
18742 ++ vext.32 d24, d18, d6, #1
18743 ++ vshl.u32 q13, q6, q1
18744 ++ vshl.u32 d28, d8, d2
18745 ++ vrev64.i32 d22, d22
18746 ++ vmul.i32 d1, d9, d1
18747 ++ vrev64.i32 d24, d24
18748 ++ vext.32 d29, d8, d13, #1
18749 ++ vext.32 d0, d1, d9, #1
18750 ++ vrev64.i32 d0, d0
18751 ++ vext.32 d2, d9, d1, #1
18752 ++ vext.32 d23, d15, d5, #1
18753 ++ vmull.s32 q4, d20, d4
18754 ++ vrev64.i32 d23, d23
18755 ++ vmlal.s32 q4, d21, d1
18756 ++ vrev64.i32 d2, d2
18757 ++ vmlal.s32 q4, d26, d19
18758 ++ vext.32 d3, d5, d15, #1
18759 ++ vmlal.s32 q4, d27, d18
18760 ++ vrev64.i32 d3, d3
18761 ++ vmlal.s32 q4, d28, d15
18762 ++ vext.32 d14, d12, d11, #1
18763 ++ vmull.s32 q5, d16, d23
18764 ++ vext.32 d15, d13, d12, #1
18765 ++ vmlal.s32 q5, d17, d4
18766 ++ vst1.8 d8, [r7, : 64]!
18767 ++ vmlal.s32 q5, d14, d1
18768 ++ vext.32 d12, d9, d8, #0
18769 ++ vmlal.s32 q5, d15, d19
18770 ++ vmov.i64 d13, #0
18771 ++ vmlal.s32 q5, d29, d18
18772 ++ vext.32 d25, d19, d7, #1
18773 ++ vmlal.s32 q6, d20, d5
18774 ++ vrev64.i32 d25, d25
18775 ++ vmlal.s32 q6, d21, d4
18776 ++ vst1.8 d11, [r7, : 64]!
18777 ++ vmlal.s32 q6, d26, d1
18778 ++ vext.32 d9, d10, d10, #0
18779 ++ vmlal.s32 q6, d27, d19
18780 ++ vmov.i64 d8, #0
18781 ++ vmlal.s32 q6, d28, d18
18782 ++ vmlal.s32 q4, d16, d24
18783 ++ vmlal.s32 q4, d17, d5
18784 ++ vmlal.s32 q4, d14, d4
18785 ++ vst1.8 d12, [r7, : 64]!
18786 ++ vmlal.s32 q4, d15, d1
18787 ++ vext.32 d10, d13, d12, #0
18788 ++ vmlal.s32 q4, d29, d19
18789 ++ vmov.i64 d11, #0
18790 ++ vmlal.s32 q5, d20, d6
18791 ++ vmlal.s32 q5, d21, d5
18792 ++ vmlal.s32 q5, d26, d4
18793 ++ vext.32 d13, d8, d8, #0
18794 ++ vmlal.s32 q5, d27, d1
18795 ++ vmov.i64 d12, #0
18796 ++ vmlal.s32 q5, d28, d19
18797 ++ vst1.8 d9, [r7, : 64]!
18798 ++ vmlal.s32 q6, d16, d25
18799 ++ vmlal.s32 q6, d17, d6
18800 ++ vst1.8 d10, [r7, : 64]
18801 ++ vmlal.s32 q6, d14, d5
18802 ++ vext.32 d8, d11, d10, #0
18803 ++ vmlal.s32 q6, d15, d4
18804 ++ vmov.i64 d9, #0
18805 ++ vmlal.s32 q6, d29, d1
18806 ++ vmlal.s32 q4, d20, d7
18807 ++ vmlal.s32 q4, d21, d6
18808 ++ vmlal.s32 q4, d26, d5
18809 ++ vext.32 d11, d12, d12, #0
18810 ++ vmlal.s32 q4, d27, d4
18811 ++ vmov.i64 d10, #0
18812 ++ vmlal.s32 q4, d28, d1
18813 ++ vmlal.s32 q5, d16, d0
18814 ++ sub r6, r7, #32
18815 ++ vmlal.s32 q5, d17, d7
18816 ++ vmlal.s32 q5, d14, d6
18817 ++ vext.32 d30, d9, d8, #0
18818 ++ vmlal.s32 q5, d15, d5
18819 ++ vld1.8 {d31}, [r6, : 64]!
18820 ++ vmlal.s32 q5, d29, d4
18821 ++ vmlal.s32 q15, d20, d0
18822 ++ vext.32 d0, d6, d18, #1
18823 ++ vmlal.s32 q15, d21, d25
18824 ++ vrev64.i32 d0, d0
18825 ++ vmlal.s32 q15, d26, d24
18826 ++ vext.32 d1, d7, d19, #1
18827 ++ vext.32 d7, d10, d10, #0
18828 ++ vmlal.s32 q15, d27, d23
18829 ++ vrev64.i32 d1, d1
18830 ++ vld1.8 {d6}, [r6, : 64]
18831 ++ vmlal.s32 q15, d28, d22
18832 ++ vmlal.s32 q3, d16, d4
18833 ++ add r6, r6, #24
18834 ++ vmlal.s32 q3, d17, d2
18835 ++ vext.32 d4, d31, d30, #0
18836 ++ vmov d17, d11
18837 ++ vmlal.s32 q3, d14, d1
18838 ++ vext.32 d11, d13, d13, #0
18839 ++ vext.32 d13, d30, d30, #0
18840 ++ vmlal.s32 q3, d15, d0
18841 ++ vext.32 d1, d8, d8, #0
18842 ++ vmlal.s32 q3, d29, d3
18843 ++ vld1.8 {d5}, [r6, : 64]
18844 ++ sub r6, r6, #16
18845 ++ vext.32 d10, d6, d6, #0
18846 ++ vmov.i32 q1, #0xffffffff
18847 ++ vshl.i64 q4, q1, #25
18848 ++ add r7, sp, #480
18849 ++ vld1.8 {d14-d15}, [r7, : 128]
18850 ++ vadd.i64 q9, q2, q7
18851 ++ vshl.i64 q1, q1, #26
18852 ++ vshr.s64 q10, q9, #26
18853 ++ vld1.8 {d0}, [r6, : 64]!
18854 ++ vadd.i64 q5, q5, q10
18855 ++ vand q9, q9, q1
18856 ++ vld1.8 {d16}, [r6, : 64]!
18857 ++ add r6, sp, #496
18858 ++ vld1.8 {d20-d21}, [r6, : 128]
18859 ++ vadd.i64 q11, q5, q10
18860 ++ vsub.i64 q2, q2, q9
18861 ++ vshr.s64 q9, q11, #25
18862 ++ vext.32 d12, d5, d4, #0
18863 ++ vand q11, q11, q4
18864 ++ vadd.i64 q0, q0, q9
18865 ++ vmov d19, d7
18866 ++ vadd.i64 q3, q0, q7
18867 ++ vsub.i64 q5, q5, q11
18868 ++ vshr.s64 q11, q3, #26
18869 ++ vext.32 d18, d11, d10, #0
18870 ++ vand q3, q3, q1
18871 ++ vadd.i64 q8, q8, q11
18872 ++ vadd.i64 q11, q8, q10
18873 ++ vsub.i64 q0, q0, q3
18874 ++ vshr.s64 q3, q11, #25
18875 ++ vand q11, q11, q4
18876 ++ vadd.i64 q3, q6, q3
18877 ++ vadd.i64 q6, q3, q7
18878 ++ vsub.i64 q8, q8, q11
18879 ++ vshr.s64 q11, q6, #26
18880 ++ vand q6, q6, q1
18881 ++ vadd.i64 q9, q9, q11
18882 ++ vadd.i64 d25, d19, d21
18883 ++ vsub.i64 q3, q3, q6
18884 ++ vshr.s64 d23, d25, #25
18885 ++ vand q4, q12, q4
18886 ++ vadd.i64 d21, d23, d23
18887 ++ vshl.i64 d25, d23, #4
18888 ++ vadd.i64 d21, d21, d23
18889 ++ vadd.i64 d25, d25, d21
18890 ++ vadd.i64 d4, d4, d25
18891 ++ vzip.i32 q0, q8
18892 ++ vadd.i64 d12, d4, d14
18893 ++ add r6, r8, #8
18894 ++ vst1.8 d0, [r6, : 64]
18895 ++ vsub.i64 d19, d19, d9
18896 ++ add r6, r6, #16
18897 ++ vst1.8 d16, [r6, : 64]
18898 ++ vshr.s64 d22, d12, #26
18899 ++ vand q0, q6, q1
18900 ++ vadd.i64 d10, d10, d22
18901 ++ vzip.i32 q3, q9
18902 ++ vsub.i64 d4, d4, d0
18903 ++ sub r6, r6, #8
18904 ++ vst1.8 d6, [r6, : 64]
18905 ++ add r6, r6, #16
18906 ++ vst1.8 d18, [r6, : 64]
18907 ++ vzip.i32 q2, q5
18908 ++ sub r6, r6, #32
18909 ++ vst1.8 d4, [r6, : 64]
18910 ++ subs r5, r5, #1
18911 ++ bhi .Lsquaringloop
18912 ++.Lskipsquaringloop:
18913 ++ mov r2, r2
18914 ++ add r5, r3, #288
18915 ++ add r6, r3, #144
18916 ++ vmov.i32 q0, #19
18917 ++ vmov.i32 q1, #0
18918 ++ vmov.i32 q2, #1
18919 ++ vzip.i32 q1, q2
18920 ++ vld1.8 {d4-d5}, [r5, : 128]!
18921 ++ vld1.8 {d6-d7}, [r5, : 128]!
18922 ++ vld1.8 {d9}, [r5, : 64]
18923 ++ vld1.8 {d10-d11}, [r2, : 128]!
18924 ++ add r5, sp, #384
18925 ++ vld1.8 {d12-d13}, [r2, : 128]!
18926 ++ vmul.i32 q7, q2, q0
18927 ++ vld1.8 {d8}, [r2, : 64]
18928 ++ vext.32 d17, d11, d10, #1
18929 ++ vmul.i32 q9, q3, q0
18930 ++ vext.32 d16, d10, d8, #1
18931 ++ vshl.u32 q10, q5, q1
18932 ++ vext.32 d22, d14, d4, #1
18933 ++ vext.32 d24, d18, d6, #1
18934 ++ vshl.u32 q13, q6, q1
18935 ++ vshl.u32 d28, d8, d2
18936 ++ vrev64.i32 d22, d22
18937 ++ vmul.i32 d1, d9, d1
18938 ++ vrev64.i32 d24, d24
18939 ++ vext.32 d29, d8, d13, #1
18940 ++ vext.32 d0, d1, d9, #1
18941 ++ vrev64.i32 d0, d0
18942 ++ vext.32 d2, d9, d1, #1
18943 ++ vext.32 d23, d15, d5, #1
18944 ++ vmull.s32 q4, d20, d4
18945 ++ vrev64.i32 d23, d23
18946 ++ vmlal.s32 q4, d21, d1
18947 ++ vrev64.i32 d2, d2
18948 ++ vmlal.s32 q4, d26, d19
18949 ++ vext.32 d3, d5, d15, #1
18950 ++ vmlal.s32 q4, d27, d18
18951 ++ vrev64.i32 d3, d3
18952 ++ vmlal.s32 q4, d28, d15
18953 ++ vext.32 d14, d12, d11, #1
18954 ++ vmull.s32 q5, d16, d23
18955 ++ vext.32 d15, d13, d12, #1
18956 ++ vmlal.s32 q5, d17, d4
18957 ++ vst1.8 d8, [r5, : 64]!
18958 ++ vmlal.s32 q5, d14, d1
18959 ++ vext.32 d12, d9, d8, #0
18960 ++ vmlal.s32 q5, d15, d19
18961 ++ vmov.i64 d13, #0
18962 ++ vmlal.s32 q5, d29, d18
18963 ++ vext.32 d25, d19, d7, #1
18964 ++ vmlal.s32 q6, d20, d5
18965 ++ vrev64.i32 d25, d25
18966 ++ vmlal.s32 q6, d21, d4
18967 ++ vst1.8 d11, [r5, : 64]!
18968 ++ vmlal.s32 q6, d26, d1
18969 ++ vext.32 d9, d10, d10, #0
18970 ++ vmlal.s32 q6, d27, d19
18971 ++ vmov.i64 d8, #0
18972 ++ vmlal.s32 q6, d28, d18
18973 ++ vmlal.s32 q4, d16, d24
18974 ++ vmlal.s32 q4, d17, d5
18975 ++ vmlal.s32 q4, d14, d4
18976 ++ vst1.8 d12, [r5, : 64]!
18977 ++ vmlal.s32 q4, d15, d1
18978 ++ vext.32 d10, d13, d12, #0
18979 ++ vmlal.s32 q4, d29, d19
18980 ++ vmov.i64 d11, #0
18981 ++ vmlal.s32 q5, d20, d6
18982 ++ vmlal.s32 q5, d21, d5
18983 ++ vmlal.s32 q5, d26, d4
18984 ++ vext.32 d13, d8, d8, #0
18985 ++ vmlal.s32 q5, d27, d1
18986 ++ vmov.i64 d12, #0
18987 ++ vmlal.s32 q5, d28, d19
18988 ++ vst1.8 d9, [r5, : 64]!
18989 ++ vmlal.s32 q6, d16, d25
18990 ++ vmlal.s32 q6, d17, d6
18991 ++ vst1.8 d10, [r5, : 64]
18992 ++ vmlal.s32 q6, d14, d5
18993 ++ vext.32 d8, d11, d10, #0
18994 ++ vmlal.s32 q6, d15, d4
18995 ++ vmov.i64 d9, #0
18996 ++ vmlal.s32 q6, d29, d1
18997 ++ vmlal.s32 q4, d20, d7
18998 ++ vmlal.s32 q4, d21, d6
18999 ++ vmlal.s32 q4, d26, d5
19000 ++ vext.32 d11, d12, d12, #0
19001 ++ vmlal.s32 q4, d27, d4
19002 ++ vmov.i64 d10, #0
19003 ++ vmlal.s32 q4, d28, d1
19004 ++ vmlal.s32 q5, d16, d0
19005 ++ sub r2, r5, #32
19006 ++ vmlal.s32 q5, d17, d7
19007 ++ vmlal.s32 q5, d14, d6
19008 ++ vext.32 d30, d9, d8, #0
19009 ++ vmlal.s32 q5, d15, d5
19010 ++ vld1.8 {d31}, [r2, : 64]!
19011 ++ vmlal.s32 q5, d29, d4
19012 ++ vmlal.s32 q15, d20, d0
19013 ++ vext.32 d0, d6, d18, #1
19014 ++ vmlal.s32 q15, d21, d25
19015 ++ vrev64.i32 d0, d0
19016 ++ vmlal.s32 q15, d26, d24
19017 ++ vext.32 d1, d7, d19, #1
19018 ++ vext.32 d7, d10, d10, #0
19019 ++ vmlal.s32 q15, d27, d23
19020 ++ vrev64.i32 d1, d1
19021 ++ vld1.8 {d6}, [r2, : 64]
19022 ++ vmlal.s32 q15, d28, d22
19023 ++ vmlal.s32 q3, d16, d4
19024 ++ add r2, r2, #24
19025 ++ vmlal.s32 q3, d17, d2
19026 ++ vext.32 d4, d31, d30, #0
19027 ++ vmov d17, d11
19028 ++ vmlal.s32 q3, d14, d1
19029 ++ vext.32 d11, d13, d13, #0
19030 ++ vext.32 d13, d30, d30, #0
19031 ++ vmlal.s32 q3, d15, d0
19032 ++ vext.32 d1, d8, d8, #0
19033 ++ vmlal.s32 q3, d29, d3
19034 ++ vld1.8 {d5}, [r2, : 64]
19035 ++ sub r2, r2, #16
19036 ++ vext.32 d10, d6, d6, #0
19037 ++ vmov.i32 q1, #0xffffffff
19038 ++ vshl.i64 q4, q1, #25
19039 ++ add r5, sp, #480
19040 ++ vld1.8 {d14-d15}, [r5, : 128]
19041 ++ vadd.i64 q9, q2, q7
19042 ++ vshl.i64 q1, q1, #26
19043 ++ vshr.s64 q10, q9, #26
19044 ++ vld1.8 {d0}, [r2, : 64]!
19045 ++ vadd.i64 q5, q5, q10
19046 ++ vand q9, q9, q1
19047 ++ vld1.8 {d16}, [r2, : 64]!
19048 ++ add r2, sp, #496
19049 ++ vld1.8 {d20-d21}, [r2, : 128]
19050 ++ vadd.i64 q11, q5, q10
19051 ++ vsub.i64 q2, q2, q9
19052 ++ vshr.s64 q9, q11, #25
19053 ++ vext.32 d12, d5, d4, #0
19054 ++ vand q11, q11, q4
19055 ++ vadd.i64 q0, q0, q9
19056 ++ vmov d19, d7
19057 ++ vadd.i64 q3, q0, q7
19058 ++ vsub.i64 q5, q5, q11
19059 ++ vshr.s64 q11, q3, #26
19060 ++ vext.32 d18, d11, d10, #0
19061 ++ vand q3, q3, q1
19062 ++ vadd.i64 q8, q8, q11
19063 ++ vadd.i64 q11, q8, q10
19064 ++ vsub.i64 q0, q0, q3
19065 ++ vshr.s64 q3, q11, #25
19066 ++ vand q11, q11, q4
19067 ++ vadd.i64 q3, q6, q3
19068 ++ vadd.i64 q6, q3, q7
19069 ++ vsub.i64 q8, q8, q11
19070 ++ vshr.s64 q11, q6, #26
19071 ++ vand q6, q6, q1
19072 ++ vadd.i64 q9, q9, q11
19073 ++ vadd.i64 d25, d19, d21
19074 ++ vsub.i64 q3, q3, q6
19075 ++ vshr.s64 d23, d25, #25
19076 ++ vand q4, q12, q4
19077 ++ vadd.i64 d21, d23, d23
19078 ++ vshl.i64 d25, d23, #4
19079 ++ vadd.i64 d21, d21, d23
19080 ++ vadd.i64 d25, d25, d21
19081 ++ vadd.i64 d4, d4, d25
19082 ++ vzip.i32 q0, q8
19083 ++ vadd.i64 d12, d4, d14
19084 ++ add r2, r6, #8
19085 ++ vst1.8 d0, [r2, : 64]
19086 ++ vsub.i64 d19, d19, d9
19087 ++ add r2, r2, #16
19088 ++ vst1.8 d16, [r2, : 64]
19089 ++ vshr.s64 d22, d12, #26
19090 ++ vand q0, q6, q1
19091 ++ vadd.i64 d10, d10, d22
19092 ++ vzip.i32 q3, q9
19093 ++ vsub.i64 d4, d4, d0
19094 ++ sub r2, r2, #8
19095 ++ vst1.8 d6, [r2, : 64]
19096 ++ add r2, r2, #16
19097 ++ vst1.8 d18, [r2, : 64]
19098 ++ vzip.i32 q2, q5
19099 ++ sub r2, r2, #32
19100 ++ vst1.8 d4, [r2, : 64]
19101 ++ cmp r4, #0
19102 ++ beq .Lskippostcopy
19103 ++ add r2, r3, #144
19104 ++ mov r4, r4
19105 ++ vld1.8 {d0-d1}, [r2, : 128]!
19106 ++ vld1.8 {d2-d3}, [r2, : 128]!
19107 ++ vld1.8 {d4}, [r2, : 64]
19108 ++ vst1.8 {d0-d1}, [r4, : 128]!
19109 ++ vst1.8 {d2-d3}, [r4, : 128]!
19110 ++ vst1.8 d4, [r4, : 64]
19111 ++.Lskippostcopy:
19112 ++ cmp r1, #1
19113 ++ bne .Lskipfinalcopy
19114 ++ add r2, r3, #288
19115 ++ add r4, r3, #144
19116 ++ vld1.8 {d0-d1}, [r2, : 128]!
19117 ++ vld1.8 {d2-d3}, [r2, : 128]!
19118 ++ vld1.8 {d4}, [r2, : 64]
19119 ++ vst1.8 {d0-d1}, [r4, : 128]!
19120 ++ vst1.8 {d2-d3}, [r4, : 128]!
19121 ++ vst1.8 d4, [r4, : 64]
19122 ++.Lskipfinalcopy:
19123 ++ add r1, r1, #1
19124 ++ cmp r1, #12
19125 ++ blo .Linvertloop
19126 ++ add r1, r3, #144
19127 ++ ldr r2, [r1], #4
19128 ++ ldr r3, [r1], #4
19129 ++ ldr r4, [r1], #4
19130 ++ ldr r5, [r1], #4
19131 ++ ldr r6, [r1], #4
19132 ++ ldr r7, [r1], #4
19133 ++ ldr r8, [r1], #4
19134 ++ ldr r9, [r1], #4
19135 ++ ldr r10, [r1], #4
19136 ++ ldr r1, [r1]
19137 ++ add r11, r1, r1, LSL #4
19138 ++ add r11, r11, r1, LSL #1
19139 ++ add r11, r11, #16777216
19140 ++ mov r11, r11, ASR #25
19141 ++ add r11, r11, r2
19142 ++ mov r11, r11, ASR #26
19143 ++ add r11, r11, r3
19144 ++ mov r11, r11, ASR #25
19145 ++ add r11, r11, r4
19146 ++ mov r11, r11, ASR #26
19147 ++ add r11, r11, r5
19148 ++ mov r11, r11, ASR #25
19149 ++ add r11, r11, r6
19150 ++ mov r11, r11, ASR #26
19151 ++ add r11, r11, r7
19152 ++ mov r11, r11, ASR #25
19153 ++ add r11, r11, r8
19154 ++ mov r11, r11, ASR #26
19155 ++ add r11, r11, r9
19156 ++ mov r11, r11, ASR #25
19157 ++ add r11, r11, r10
19158 ++ mov r11, r11, ASR #26
19159 ++ add r11, r11, r1
19160 ++ mov r11, r11, ASR #25
19161 ++ add r2, r2, r11
19162 ++ add r2, r2, r11, LSL #1
19163 ++ add r2, r2, r11, LSL #4
19164 ++ mov r11, r2, ASR #26
19165 ++ add r3, r3, r11
19166 ++ sub r2, r2, r11, LSL #26
19167 ++ mov r11, r3, ASR #25
19168 ++ add r4, r4, r11
19169 ++ sub r3, r3, r11, LSL #25
19170 ++ mov r11, r4, ASR #26
19171 ++ add r5, r5, r11
19172 ++ sub r4, r4, r11, LSL #26
19173 ++ mov r11, r5, ASR #25
19174 ++ add r6, r6, r11
19175 ++ sub r5, r5, r11, LSL #25
19176 ++ mov r11, r6, ASR #26
19177 ++ add r7, r7, r11
19178 ++ sub r6, r6, r11, LSL #26
19179 ++ mov r11, r7, ASR #25
19180 ++ add r8, r8, r11
19181 ++ sub r7, r7, r11, LSL #25
19182 ++ mov r11, r8, ASR #26
19183 ++ add r9, r9, r11
19184 ++ sub r8, r8, r11, LSL #26
19185 ++ mov r11, r9, ASR #25
19186 ++ add r10, r10, r11
19187 ++ sub r9, r9, r11, LSL #25
19188 ++ mov r11, r10, ASR #26
19189 ++ add r1, r1, r11
19190 ++ sub r10, r10, r11, LSL #26
19191 ++ mov r11, r1, ASR #25
19192 ++ sub r1, r1, r11, LSL #25
19193 ++ add r2, r2, r3, LSL #26
19194 ++ mov r3, r3, LSR #6
19195 ++ add r3, r3, r4, LSL #19
19196 ++ mov r4, r4, LSR #13
19197 ++ add r4, r4, r5, LSL #13
19198 ++ mov r5, r5, LSR #19
19199 ++ add r5, r5, r6, LSL #6
19200 ++ add r6, r7, r8, LSL #25
19201 ++ mov r7, r8, LSR #7
19202 ++ add r7, r7, r9, LSL #19
19203 ++ mov r8, r9, LSR #13
19204 ++ add r8, r8, r10, LSL #12
19205 ++ mov r9, r10, LSR #20
19206 ++ add r1, r9, r1, LSL #6
19207 ++ str r2, [r0]
19208 ++ str r3, [r0, #4]
19209 ++ str r4, [r0, #8]
19210 ++ str r5, [r0, #12]
19211 ++ str r6, [r0, #16]
19212 ++ str r7, [r0, #20]
19213 ++ str r8, [r0, #24]
19214 ++ str r1, [r0, #28]
19215 ++ movw r0, #0
19216 ++ mov sp, ip
19217 ++ pop {r4-r11, pc}
19218 ++ENDPROC(curve25519_neon)
19219 +--- b/arch/arm/crypto/curve25519-glue.c
19220 ++++ b/arch/arm/crypto/curve25519-glue.c
19221 +@@ -0,0 +1,136 @@
19222 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
19223 ++/*
19224 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
19225 ++ *
19226 ++ * Based on public domain code from Daniel J. Bernstein and Peter Schwabe. This
19227 ++ * began from SUPERCOP's curve25519/neon2/scalarmult.s, but has subsequently been
19228 ++ * manually reworked for use in kernel space.
19229 ++ */
19230 ++
19231 ++#include <asm/hwcap.h>
19232 ++#include <asm/neon.h>
19233 ++#include <asm/simd.h>
19234 ++#include <crypto/internal/kpp.h>
19235 ++#include <crypto/internal/simd.h>
19236 ++#include <linux/types.h>
19237 ++#include <linux/module.h>
19238 ++#include <linux/init.h>
19239 ++#include <linux/jump_label.h>
19240 ++#include <linux/scatterlist.h>
19241 ++#include <crypto/curve25519.h>
19242 ++
19243 ++asmlinkage void curve25519_neon(u8 mypublic[CURVE25519_KEY_SIZE],
19244 ++ const u8 secret[CURVE25519_KEY_SIZE],
19245 ++ const u8 basepoint[CURVE25519_KEY_SIZE]);
19246 ++
19247 ++static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
19248 ++
19249 ++void curve25519_arch(u8 out[CURVE25519_KEY_SIZE],
19250 ++ const u8 scalar[CURVE25519_KEY_SIZE],
19251 ++ const u8 point[CURVE25519_KEY_SIZE])
19252 ++{
19253 ++ if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
19254 ++ kernel_neon_begin();
19255 ++ curve25519_neon(out, scalar, point);
19256 ++ kernel_neon_end();
19257 ++ } else {
19258 ++ curve25519_generic(out, scalar, point);
19259 ++ }
19260 ++}
19261 ++EXPORT_SYMBOL(curve25519_arch);
19262 ++
19263 ++void curve25519_base_arch(u8 pub[CURVE25519_KEY_SIZE],
19264 ++ const u8 secret[CURVE25519_KEY_SIZE])
19265 ++{
19266 ++ return curve25519_arch(pub, secret, curve25519_base_point);
19267 ++}
19268 ++EXPORT_SYMBOL(curve25519_base_arch);
19269 ++
19270 ++static int curve25519_set_secret(struct crypto_kpp *tfm, const void *buf,
19271 ++ unsigned int len)
19272 ++{
19273 ++ u8 *secret = kpp_tfm_ctx(tfm);
19274 ++
19275 ++ if (!len)
19276 ++ curve25519_generate_secret(secret);
19277 ++ else if (len == CURVE25519_KEY_SIZE &&
19278 ++ crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
19279 ++ memcpy(secret, buf, CURVE25519_KEY_SIZE);
19280 ++ else
19281 ++ return -EINVAL;
19282 ++ return 0;
19283 ++}
19284 ++
19285 ++static int curve25519_compute_value(struct kpp_request *req)
19286 ++{
19287 ++ struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
19288 ++ const u8 *secret = kpp_tfm_ctx(tfm);
19289 ++ u8 public_key[CURVE25519_KEY_SIZE];
19290 ++ u8 buf[CURVE25519_KEY_SIZE];
19291 ++ int copied, nbytes;
19292 ++ u8 const *bp;
19293 ++
19294 ++ if (req->src) {
19295 ++ copied = sg_copy_to_buffer(req->src,
19296 ++ sg_nents_for_len(req->src,
19297 ++ CURVE25519_KEY_SIZE),
19298 ++ public_key, CURVE25519_KEY_SIZE);
19299 ++ if (copied != CURVE25519_KEY_SIZE)
19300 ++ return -EINVAL;
19301 ++ bp = public_key;
19302 ++ } else {
19303 ++ bp = curve25519_base_point;
19304 ++ }
19305 ++
19306 ++ curve25519_arch(buf, secret, bp);
19307 ++
19308 ++ /* might want less than we've got */
19309 ++ nbytes = min_t(size_t, CURVE25519_KEY_SIZE, req->dst_len);
19310 ++ copied = sg_copy_from_buffer(req->dst, sg_nents_for_len(req->dst,
19311 ++ nbytes),
19312 ++ buf, nbytes);
19313 ++ if (copied != nbytes)
19314 ++ return -EINVAL;
19315 ++ return 0;
19316 ++}
19317 ++
19318 ++static unsigned int curve25519_max_size(struct crypto_kpp *tfm)
19319 ++{
19320 ++ return CURVE25519_KEY_SIZE;
19321 ++}
19322 ++
19323 ++static struct kpp_alg curve25519_alg = {
19324 ++ .base.cra_name = "curve25519",
19325 ++ .base.cra_driver_name = "curve25519-neon",
19326 ++ .base.cra_priority = 200,
19327 ++ .base.cra_module = THIS_MODULE,
19328 ++ .base.cra_ctxsize = CURVE25519_KEY_SIZE,
19329 ++
19330 ++ .set_secret = curve25519_set_secret,
19331 ++ .generate_public_key = curve25519_compute_value,
19332 ++ .compute_shared_secret = curve25519_compute_value,
19333 ++ .max_size = curve25519_max_size,
19334 ++};
19335 ++
19336 ++static int __init mod_init(void)
19337 ++{
19338 ++ if (elf_hwcap & HWCAP_NEON) {
19339 ++ static_branch_enable(&have_neon);
19340 ++ return IS_REACHABLE(CONFIG_CRYPTO_KPP) ?
19341 ++ crypto_register_kpp(&curve25519_alg) : 0;
19342 ++ }
19343 ++ return 0;
19344 ++}
19345 ++
19346 ++static void __exit mod_exit(void)
19347 ++{
19348 ++ if (IS_REACHABLE(CONFIG_CRYPTO_KPP) && elf_hwcap & HWCAP_NEON)
19349 ++ crypto_unregister_kpp(&curve25519_alg);
19350 ++}
19351 ++
19352 ++module_init(mod_init);
19353 ++module_exit(mod_exit);
19354 ++
19355 ++MODULE_ALIAS_CRYPTO("curve25519");
19356 ++MODULE_ALIAS_CRYPTO("curve25519-neon");
19357 ++MODULE_LICENSE("GPL v2");
19358 +--- b/include/crypto/chacha20poly1305.h
19359 ++++ b/include/crypto/chacha20poly1305.h
19360 +@@ -0,0 +1,50 @@
19361 ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */
19362 ++/*
19363 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
19364 ++ */
19365 ++
19366 ++#ifndef __CHACHA20POLY1305_H
19367 ++#define __CHACHA20POLY1305_H
19368 ++
19369 ++#include <linux/types.h>
19370 ++#include <linux/scatterlist.h>
19371 ++
19372 ++enum chacha20poly1305_lengths {
19373 ++ XCHACHA20POLY1305_NONCE_SIZE = 24,
19374 ++ CHACHA20POLY1305_KEY_SIZE = 32,
19375 ++ CHACHA20POLY1305_AUTHTAG_SIZE = 16
19376 ++};
19377 ++
19378 ++void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
19379 ++ const u8 *ad, const size_t ad_len,
19380 ++ const u64 nonce,
19381 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19382 ++
19383 ++bool __must_check
19384 ++chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
19385 ++ const u8 *ad, const size_t ad_len, const u64 nonce,
19386 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19387 ++
19388 ++void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
19389 ++ const u8 *ad, const size_t ad_len,
19390 ++ const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
19391 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19392 ++
19393 ++bool __must_check xchacha20poly1305_decrypt(
19394 ++ u8 *dst, const u8 *src, const size_t src_len, const u8 *ad,
19395 ++ const size_t ad_len, const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
19396 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19397 ++
19398 ++bool chacha20poly1305_encrypt_sg_inplace(struct scatterlist *src, size_t src_len,
19399 ++ const u8 *ad, const size_t ad_len,
19400 ++ const u64 nonce,
19401 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19402 ++
19403 ++bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, size_t src_len,
19404 ++ const u8 *ad, const size_t ad_len,
19405 ++ const u64 nonce,
19406 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE]);
19407 ++
19408 ++bool chacha20poly1305_selftest(void);
19409 ++
19410 ++#endif /* __CHACHA20POLY1305_H */
19411 +--- b/lib/crypto/chacha20poly1305-selftest.c
19412 ++++ b/lib/crypto/chacha20poly1305-selftest.c
19413 +@@ -0,0 +1,9082 @@
19414 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
19415 ++/*
19416 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
19417 ++ */
19418 ++
19419 ++#include <crypto/chacha20poly1305.h>
19420 ++#include <crypto/chacha.h>
19421 ++#include <crypto/poly1305.h>
19422 ++
19423 ++#include <asm/unaligned.h>
19424 ++#include <linux/bug.h>
19425 ++#include <linux/init.h>
19426 ++#include <linux/mm.h>
19427 ++#include <linux/kernel.h>
19428 ++#include <linux/slab.h>
19429 ++
19430 ++struct chacha20poly1305_testvec {
19431 ++ const u8 *input, *output, *assoc, *nonce, *key;
19432 ++ size_t ilen, alen, nlen;
19433 ++ bool failure;
19434 ++};
19435 ++
19436 ++/* The first of these are the ChaCha20-Poly1305 AEAD test vectors from RFC7539
19437 ++ * 2.8.2. After they are generated by reference implementations. And the final
19438 ++ * marked ones are taken from wycheproof, but we only do these for the encrypt
19439 ++ * side, because mostly we're stressing the primitives rather than the actual
19440 ++ * chapoly construction.
19441 ++ */
19442 ++
19443 ++static const u8 enc_input001[] __initconst = {
19444 ++ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
19445 ++ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
19446 ++ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
19447 ++ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
19448 ++ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
19449 ++ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
19450 ++ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
19451 ++ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
19452 ++ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
19453 ++ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
19454 ++ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
19455 ++ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
19456 ++ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
19457 ++ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
19458 ++ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
19459 ++ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
19460 ++ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
19461 ++ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
19462 ++ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
19463 ++ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
19464 ++ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
19465 ++ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
19466 ++ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
19467 ++ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
19468 ++ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
19469 ++ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
19470 ++ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
19471 ++ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
19472 ++ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
19473 ++ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
19474 ++ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
19475 ++ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
19476 ++ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
19477 ++ 0x9d
19478 ++};
19479 ++static const u8 enc_output001[] __initconst = {
19480 ++ 0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4,
19481 ++ 0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd,
19482 ++ 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
19483 ++ 0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2,
19484 ++ 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee,
19485 ++ 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
19486 ++ 0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00,
19487 ++ 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf,
19488 ++ 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
19489 ++ 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81,
19490 ++ 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd,
19491 ++ 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
19492 ++ 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
19493 ++ 0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38,
19494 ++ 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
19495 ++ 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4,
19496 ++ 0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46,
19497 ++ 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
19498 ++ 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e,
19499 ++ 0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e,
19500 ++ 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
19501 ++ 0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a,
19502 ++ 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea,
19503 ++ 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
19504 ++ 0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99,
19505 ++ 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
19506 ++ 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
19507 ++ 0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10,
19508 ++ 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94,
19509 ++ 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
19510 ++ 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf,
19511 ++ 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29,
19512 ++ 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
19513 ++ 0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb,
19514 ++ 0x22, 0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f,
19515 ++ 0x38
19516 ++};
19517 ++static const u8 enc_assoc001[] __initconst = {
19518 ++ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
19519 ++ 0x00, 0x00, 0x4e, 0x91
19520 ++};
19521 ++static const u8 enc_nonce001[] __initconst = {
19522 ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
19523 ++};
19524 ++static const u8 enc_key001[] __initconst = {
19525 ++ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
19526 ++ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
19527 ++ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
19528 ++ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
19529 ++};
19530 ++
19531 ++static const u8 enc_input002[] __initconst = { };
19532 ++static const u8 enc_output002[] __initconst = {
19533 ++ 0xea, 0xe0, 0x1e, 0x9e, 0x2c, 0x91, 0xaa, 0xe1,
19534 ++ 0xdb, 0x5d, 0x99, 0x3f, 0x8a, 0xf7, 0x69, 0x92
19535 ++};
19536 ++static const u8 enc_assoc002[] __initconst = { };
19537 ++static const u8 enc_nonce002[] __initconst = {
19538 ++ 0xca, 0xbf, 0x33, 0x71, 0x32, 0x45, 0x77, 0x8e
19539 ++};
19540 ++static const u8 enc_key002[] __initconst = {
19541 ++ 0x4c, 0xf5, 0x96, 0x83, 0x38, 0xe6, 0xae, 0x7f,
19542 ++ 0x2d, 0x29, 0x25, 0x76, 0xd5, 0x75, 0x27, 0x86,
19543 ++ 0x91, 0x9a, 0x27, 0x7a, 0xfb, 0x46, 0xc5, 0xef,
19544 ++ 0x94, 0x81, 0x79, 0x57, 0x14, 0x59, 0x40, 0x68
19545 ++};
19546 ++
19547 ++static const u8 enc_input003[] __initconst = { };
19548 ++static const u8 enc_output003[] __initconst = {
19549 ++ 0xdd, 0x6b, 0x3b, 0x82, 0xce, 0x5a, 0xbd, 0xd6,
19550 ++ 0xa9, 0x35, 0x83, 0xd8, 0x8c, 0x3d, 0x85, 0x77
19551 ++};
19552 ++static const u8 enc_assoc003[] __initconst = {
19553 ++ 0x33, 0x10, 0x41, 0x12, 0x1f, 0xf3, 0xd2, 0x6b
19554 ++};
19555 ++static const u8 enc_nonce003[] __initconst = {
19556 ++ 0x3d, 0x86, 0xb5, 0x6b, 0xc8, 0xa3, 0x1f, 0x1d
19557 ++};
19558 ++static const u8 enc_key003[] __initconst = {
19559 ++ 0x2d, 0xb0, 0x5d, 0x40, 0xc8, 0xed, 0x44, 0x88,
19560 ++ 0x34, 0xd1, 0x13, 0xaf, 0x57, 0xa1, 0xeb, 0x3a,
19561 ++ 0x2a, 0x80, 0x51, 0x36, 0xec, 0x5b, 0xbc, 0x08,
19562 ++ 0x93, 0x84, 0x21, 0xb5, 0x13, 0x88, 0x3c, 0x0d
19563 ++};
19564 ++
19565 ++static const u8 enc_input004[] __initconst = {
19566 ++ 0xa4
19567 ++};
19568 ++static const u8 enc_output004[] __initconst = {
19569 ++ 0xb7, 0x1b, 0xb0, 0x73, 0x59, 0xb0, 0x84, 0xb2,
19570 ++ 0x6d, 0x8e, 0xab, 0x94, 0x31, 0xa1, 0xae, 0xac,
19571 ++ 0x89
19572 ++};
19573 ++static const u8 enc_assoc004[] __initconst = {
19574 ++ 0x6a, 0xe2, 0xad, 0x3f, 0x88, 0x39, 0x5a, 0x40
19575 ++};
19576 ++static const u8 enc_nonce004[] __initconst = {
19577 ++ 0xd2, 0x32, 0x1f, 0x29, 0x28, 0xc6, 0xc4, 0xc4
19578 ++};
19579 ++static const u8 enc_key004[] __initconst = {
19580 ++ 0x4b, 0x28, 0x4b, 0xa3, 0x7b, 0xbe, 0xe9, 0xf8,
19581 ++ 0x31, 0x80, 0x82, 0xd7, 0xd8, 0xe8, 0xb5, 0xa1,
19582 ++ 0xe2, 0x18, 0x18, 0x8a, 0x9c, 0xfa, 0xa3, 0x3d,
19583 ++ 0x25, 0x71, 0x3e, 0x40, 0xbc, 0x54, 0x7a, 0x3e
19584 ++};
19585 ++
19586 ++static const u8 enc_input005[] __initconst = {
19587 ++ 0x2d
19588 ++};
19589 ++static const u8 enc_output005[] __initconst = {
19590 ++ 0xbf, 0xe1, 0x5b, 0x0b, 0xdb, 0x6b, 0xf5, 0x5e,
19591 ++ 0x6c, 0x5d, 0x84, 0x44, 0x39, 0x81, 0xc1, 0x9c,
19592 ++ 0xac
19593 ++};
19594 ++static const u8 enc_assoc005[] __initconst = { };
19595 ++static const u8 enc_nonce005[] __initconst = {
19596 ++ 0x20, 0x1c, 0xaa, 0x5f, 0x9c, 0xbf, 0x92, 0x30
19597 ++};
19598 ++static const u8 enc_key005[] __initconst = {
19599 ++ 0x66, 0xca, 0x9c, 0x23, 0x2a, 0x4b, 0x4b, 0x31,
19600 ++ 0x0e, 0x92, 0x89, 0x8b, 0xf4, 0x93, 0xc7, 0x87,
19601 ++ 0x98, 0xa3, 0xd8, 0x39, 0xf8, 0xf4, 0xa7, 0x01,
19602 ++ 0xc0, 0x2e, 0x0a, 0xa6, 0x7e, 0x5a, 0x78, 0x87
19603 ++};
19604 ++
19605 ++static const u8 enc_input006[] __initconst = {
19606 ++ 0x33, 0x2f, 0x94, 0xc1, 0xa4, 0xef, 0xcc, 0x2a,
19607 ++ 0x5b, 0xa6, 0xe5, 0x8f, 0x1d, 0x40, 0xf0, 0x92,
19608 ++ 0x3c, 0xd9, 0x24, 0x11, 0xa9, 0x71, 0xf9, 0x37,
19609 ++ 0x14, 0x99, 0xfa, 0xbe, 0xe6, 0x80, 0xde, 0x50,
19610 ++ 0xc9, 0x96, 0xd4, 0xb0, 0xec, 0x9e, 0x17, 0xec,
19611 ++ 0xd2, 0x5e, 0x72, 0x99, 0xfc, 0x0a, 0xe1, 0xcb,
19612 ++ 0x48, 0xd2, 0x85, 0xdd, 0x2f, 0x90, 0xe0, 0x66,
19613 ++ 0x3b, 0xe6, 0x20, 0x74, 0xbe, 0x23, 0x8f, 0xcb,
19614 ++ 0xb4, 0xe4, 0xda, 0x48, 0x40, 0xa6, 0xd1, 0x1b,
19615 ++ 0xc7, 0x42, 0xce, 0x2f, 0x0c, 0xa6, 0x85, 0x6e,
19616 ++ 0x87, 0x37, 0x03, 0xb1, 0x7c, 0x25, 0x96, 0xa3,
19617 ++ 0x05, 0xd8, 0xb0, 0xf4, 0xed, 0xea, 0xc2, 0xf0,
19618 ++ 0x31, 0x98, 0x6c, 0xd1, 0x14, 0x25, 0xc0, 0xcb,
19619 ++ 0x01, 0x74, 0xd0, 0x82, 0xf4, 0x36, 0xf5, 0x41,
19620 ++ 0xd5, 0xdc, 0xca, 0xc5, 0xbb, 0x98, 0xfe, 0xfc,
19621 ++ 0x69, 0x21, 0x70, 0xd8, 0xa4, 0x4b, 0xc8, 0xde,
19622 ++ 0x8f
19623 ++};
19624 ++static const u8 enc_output006[] __initconst = {
19625 ++ 0x8b, 0x06, 0xd3, 0x31, 0xb0, 0x93, 0x45, 0xb1,
19626 ++ 0x75, 0x6e, 0x26, 0xf9, 0x67, 0xbc, 0x90, 0x15,
19627 ++ 0x81, 0x2c, 0xb5, 0xf0, 0xc6, 0x2b, 0xc7, 0x8c,
19628 ++ 0x56, 0xd1, 0xbf, 0x69, 0x6c, 0x07, 0xa0, 0xda,
19629 ++ 0x65, 0x27, 0xc9, 0x90, 0x3d, 0xef, 0x4b, 0x11,
19630 ++ 0x0f, 0x19, 0x07, 0xfd, 0x29, 0x92, 0xd9, 0xc8,
19631 ++ 0xf7, 0x99, 0x2e, 0x4a, 0xd0, 0xb8, 0x2c, 0xdc,
19632 ++ 0x93, 0xf5, 0x9e, 0x33, 0x78, 0xd1, 0x37, 0xc3,
19633 ++ 0x66, 0xd7, 0x5e, 0xbc, 0x44, 0xbf, 0x53, 0xa5,
19634 ++ 0xbc, 0xc4, 0xcb, 0x7b, 0x3a, 0x8e, 0x7f, 0x02,
19635 ++ 0xbd, 0xbb, 0xe7, 0xca, 0xa6, 0x6c, 0x6b, 0x93,
19636 ++ 0x21, 0x93, 0x10, 0x61, 0xe7, 0x69, 0xd0, 0x78,
19637 ++ 0xf3, 0x07, 0x5a, 0x1a, 0x8f, 0x73, 0xaa, 0xb1,
19638 ++ 0x4e, 0xd3, 0xda, 0x4f, 0xf3, 0x32, 0xe1, 0x66,
19639 ++ 0x3e, 0x6c, 0xc6, 0x13, 0xba, 0x06, 0x5b, 0xfc,
19640 ++ 0x6a, 0xe5, 0x6f, 0x60, 0xfb, 0x07, 0x40, 0xb0,
19641 ++ 0x8c, 0x9d, 0x84, 0x43, 0x6b, 0xc1, 0xf7, 0x8d,
19642 ++ 0x8d, 0x31, 0xf7, 0x7a, 0x39, 0x4d, 0x8f, 0x9a,
19643 ++ 0xeb
19644 ++};
19645 ++static const u8 enc_assoc006[] __initconst = {
19646 ++ 0x70, 0xd3, 0x33, 0xf3, 0x8b, 0x18, 0x0b
19647 ++};
19648 ++static const u8 enc_nonce006[] __initconst = {
19649 ++ 0xdf, 0x51, 0x84, 0x82, 0x42, 0x0c, 0x75, 0x9c
19650 ++};
19651 ++static const u8 enc_key006[] __initconst = {
19652 ++ 0x68, 0x7b, 0x8d, 0x8e, 0xe3, 0xc4, 0xdd, 0xae,
19653 ++ 0xdf, 0x72, 0x7f, 0x53, 0x72, 0x25, 0x1e, 0x78,
19654 ++ 0x91, 0xcb, 0x69, 0x76, 0x1f, 0x49, 0x93, 0xf9,
19655 ++ 0x6f, 0x21, 0xcc, 0x39, 0x9c, 0xad, 0xb1, 0x01
19656 ++};
19657 ++
19658 ++static const u8 enc_input007[] __initconst = {
19659 ++ 0x9b, 0x18, 0xdb, 0xdd, 0x9a, 0x0f, 0x3e, 0xa5,
19660 ++ 0x15, 0x17, 0xde, 0xdf, 0x08, 0x9d, 0x65, 0x0a,
19661 ++ 0x67, 0x30, 0x12, 0xe2, 0x34, 0x77, 0x4b, 0xc1,
19662 ++ 0xd9, 0xc6, 0x1f, 0xab, 0xc6, 0x18, 0x50, 0x17,
19663 ++ 0xa7, 0x9d, 0x3c, 0xa6, 0xc5, 0x35, 0x8c, 0x1c,
19664 ++ 0xc0, 0xa1, 0x7c, 0x9f, 0x03, 0x89, 0xca, 0xe1,
19665 ++ 0xe6, 0xe9, 0xd4, 0xd3, 0x88, 0xdb, 0xb4, 0x51,
19666 ++ 0x9d, 0xec, 0xb4, 0xfc, 0x52, 0xee, 0x6d, 0xf1,
19667 ++ 0x75, 0x42, 0xc6, 0xfd, 0xbd, 0x7a, 0x8e, 0x86,
19668 ++ 0xfc, 0x44, 0xb3, 0x4f, 0xf3, 0xea, 0x67, 0x5a,
19669 ++ 0x41, 0x13, 0xba, 0xb0, 0xdc, 0xe1, 0xd3, 0x2a,
19670 ++ 0x7c, 0x22, 0xb3, 0xca, 0xac, 0x6a, 0x37, 0x98,
19671 ++ 0x3e, 0x1d, 0x40, 0x97, 0xf7, 0x9b, 0x1d, 0x36,
19672 ++ 0x6b, 0xb3, 0x28, 0xbd, 0x60, 0x82, 0x47, 0x34,
19673 ++ 0xaa, 0x2f, 0x7d, 0xe9, 0xa8, 0x70, 0x81, 0x57,
19674 ++ 0xd4, 0xb9, 0x77, 0x0a, 0x9d, 0x29, 0xa7, 0x84,
19675 ++ 0x52, 0x4f, 0xc2, 0x4a, 0x40, 0x3b, 0x3c, 0xd4,
19676 ++ 0xc9, 0x2a, 0xdb, 0x4a, 0x53, 0xc4, 0xbe, 0x80,
19677 ++ 0xe9, 0x51, 0x7f, 0x8f, 0xc7, 0xa2, 0xce, 0x82,
19678 ++ 0x5c, 0x91, 0x1e, 0x74, 0xd9, 0xd0, 0xbd, 0xd5,
19679 ++ 0xf3, 0xfd, 0xda, 0x4d, 0x25, 0xb4, 0xbb, 0x2d,
19680 ++ 0xac, 0x2f, 0x3d, 0x71, 0x85, 0x7b, 0xcf, 0x3c,
19681 ++ 0x7b, 0x3e, 0x0e, 0x22, 0x78, 0x0c, 0x29, 0xbf,
19682 ++ 0xe4, 0xf4, 0x57, 0xb3, 0xcb, 0x49, 0xa0, 0xfc,
19683 ++ 0x1e, 0x05, 0x4e, 0x16, 0xbc, 0xd5, 0xa8, 0xa3,
19684 ++ 0xee, 0x05, 0x35, 0xc6, 0x7c, 0xab, 0x60, 0x14,
19685 ++ 0x55, 0x1a, 0x8e, 0xc5, 0x88, 0x5d, 0xd5, 0x81,
19686 ++ 0xc2, 0x81, 0xa5, 0xc4, 0x60, 0xdb, 0xaf, 0x77,
19687 ++ 0x91, 0xe1, 0xce, 0xa2, 0x7e, 0x7f, 0x42, 0xe3,
19688 ++ 0xb0, 0x13, 0x1c, 0x1f, 0x25, 0x60, 0x21, 0xe2,
19689 ++ 0x40, 0x5f, 0x99, 0xb7, 0x73, 0xec, 0x9b, 0x2b,
19690 ++ 0xf0, 0x65, 0x11, 0xc8, 0xd0, 0x0a, 0x9f, 0xd3
19691 ++};
19692 ++static const u8 enc_output007[] __initconst = {
19693 ++ 0x85, 0x04, 0xc2, 0xed, 0x8d, 0xfd, 0x97, 0x5c,
19694 ++ 0xd2, 0xb7, 0xe2, 0xc1, 0x6b, 0xa3, 0xba, 0xf8,
19695 ++ 0xc9, 0x50, 0xc3, 0xc6, 0xa5, 0xe3, 0xa4, 0x7c,
19696 ++ 0xc3, 0x23, 0x49, 0x5e, 0xa9, 0xb9, 0x32, 0xeb,
19697 ++ 0x8a, 0x7c, 0xca, 0xe5, 0xec, 0xfb, 0x7c, 0xc0,
19698 ++ 0xcb, 0x7d, 0xdc, 0x2c, 0x9d, 0x92, 0x55, 0x21,
19699 ++ 0x0a, 0xc8, 0x43, 0x63, 0x59, 0x0a, 0x31, 0x70,
19700 ++ 0x82, 0x67, 0x41, 0x03, 0xf8, 0xdf, 0xf2, 0xac,
19701 ++ 0xa7, 0x02, 0xd4, 0xd5, 0x8a, 0x2d, 0xc8, 0x99,
19702 ++ 0x19, 0x66, 0xd0, 0xf6, 0x88, 0x2c, 0x77, 0xd9,
19703 ++ 0xd4, 0x0d, 0x6c, 0xbd, 0x98, 0xde, 0xe7, 0x7f,
19704 ++ 0xad, 0x7e, 0x8a, 0xfb, 0xe9, 0x4b, 0xe5, 0xf7,
19705 ++ 0xe5, 0x50, 0xa0, 0x90, 0x3f, 0xd6, 0x22, 0x53,
19706 ++ 0xe3, 0xfe, 0x1b, 0xcc, 0x79, 0x3b, 0xec, 0x12,
19707 ++ 0x47, 0x52, 0xa7, 0xd6, 0x04, 0xe3, 0x52, 0xe6,
19708 ++ 0x93, 0x90, 0x91, 0x32, 0x73, 0x79, 0xb8, 0xd0,
19709 ++ 0x31, 0xde, 0x1f, 0x9f, 0x2f, 0x05, 0x38, 0x54,
19710 ++ 0x2f, 0x35, 0x04, 0x39, 0xe0, 0xa7, 0xba, 0xc6,
19711 ++ 0x52, 0xf6, 0x37, 0x65, 0x4c, 0x07, 0xa9, 0x7e,
19712 ++ 0xb3, 0x21, 0x6f, 0x74, 0x8c, 0xc9, 0xde, 0xdb,
19713 ++ 0x65, 0x1b, 0x9b, 0xaa, 0x60, 0xb1, 0x03, 0x30,
19714 ++ 0x6b, 0xb2, 0x03, 0xc4, 0x1c, 0x04, 0xf8, 0x0f,
19715 ++ 0x64, 0xaf, 0x46, 0xe4, 0x65, 0x99, 0x49, 0xe2,
19716 ++ 0xea, 0xce, 0x78, 0x00, 0xd8, 0x8b, 0xd5, 0x2e,
19717 ++ 0xcf, 0xfc, 0x40, 0x49, 0xe8, 0x58, 0xdc, 0x34,
19718 ++ 0x9c, 0x8c, 0x61, 0xbf, 0x0a, 0x8e, 0xec, 0x39,
19719 ++ 0xa9, 0x30, 0x05, 0x5a, 0xd2, 0x56, 0x01, 0xc7,
19720 ++ 0xda, 0x8f, 0x4e, 0xbb, 0x43, 0xa3, 0x3a, 0xf9,
19721 ++ 0x15, 0x2a, 0xd0, 0xa0, 0x7a, 0x87, 0x34, 0x82,
19722 ++ 0xfe, 0x8a, 0xd1, 0x2d, 0x5e, 0xc7, 0xbf, 0x04,
19723 ++ 0x53, 0x5f, 0x3b, 0x36, 0xd4, 0x25, 0x5c, 0x34,
19724 ++ 0x7a, 0x8d, 0xd5, 0x05, 0xce, 0x72, 0xca, 0xef,
19725 ++ 0x7a, 0x4b, 0xbc, 0xb0, 0x10, 0x5c, 0x96, 0x42,
19726 ++ 0x3a, 0x00, 0x98, 0xcd, 0x15, 0xe8, 0xb7, 0x53
19727 ++};
19728 ++static const u8 enc_assoc007[] __initconst = { };
19729 ++static const u8 enc_nonce007[] __initconst = {
19730 ++ 0xde, 0x7b, 0xef, 0xc3, 0x65, 0x1b, 0x68, 0xb0
19731 ++};
19732 ++static const u8 enc_key007[] __initconst = {
19733 ++ 0x8d, 0xb8, 0x91, 0x48, 0xf0, 0xe7, 0x0a, 0xbd,
19734 ++ 0xf9, 0x3f, 0xcd, 0xd9, 0xa0, 0x1e, 0x42, 0x4c,
19735 ++ 0xe7, 0xde, 0x25, 0x3d, 0xa3, 0xd7, 0x05, 0x80,
19736 ++ 0x8d, 0xf2, 0x82, 0xac, 0x44, 0x16, 0x51, 0x01
19737 ++};
19738 ++
19739 ++static const u8 enc_input008[] __initconst = {
19740 ++ 0xc3, 0x09, 0x94, 0x62, 0xe6, 0x46, 0x2e, 0x10,
19741 ++ 0xbe, 0x00, 0xe4, 0xfc, 0xf3, 0x40, 0xa3, 0xe2,
19742 ++ 0x0f, 0xc2, 0x8b, 0x28, 0xdc, 0xba, 0xb4, 0x3c,
19743 ++ 0xe4, 0x21, 0x58, 0x61, 0xcd, 0x8b, 0xcd, 0xfb,
19744 ++ 0xac, 0x94, 0xa1, 0x45, 0xf5, 0x1c, 0xe1, 0x12,
19745 ++ 0xe0, 0x3b, 0x67, 0x21, 0x54, 0x5e, 0x8c, 0xaa,
19746 ++ 0xcf, 0xdb, 0xb4, 0x51, 0xd4, 0x13, 0xda, 0xe6,
19747 ++ 0x83, 0x89, 0xb6, 0x92, 0xe9, 0x21, 0x76, 0xa4,
19748 ++ 0x93, 0x7d, 0x0e, 0xfd, 0x96, 0x36, 0x03, 0x91,
19749 ++ 0x43, 0x5c, 0x92, 0x49, 0x62, 0x61, 0x7b, 0xeb,
19750 ++ 0x43, 0x89, 0xb8, 0x12, 0x20, 0x43, 0xd4, 0x47,
19751 ++ 0x06, 0x84, 0xee, 0x47, 0xe9, 0x8a, 0x73, 0x15,
19752 ++ 0x0f, 0x72, 0xcf, 0xed, 0xce, 0x96, 0xb2, 0x7f,
19753 ++ 0x21, 0x45, 0x76, 0xeb, 0x26, 0x28, 0x83, 0x6a,
19754 ++ 0xad, 0xaa, 0xa6, 0x81, 0xd8, 0x55, 0xb1, 0xa3,
19755 ++ 0x85, 0xb3, 0x0c, 0xdf, 0xf1, 0x69, 0x2d, 0x97,
19756 ++ 0x05, 0x2a, 0xbc, 0x7c, 0x7b, 0x25, 0xf8, 0x80,
19757 ++ 0x9d, 0x39, 0x25, 0xf3, 0x62, 0xf0, 0x66, 0x5e,
19758 ++ 0xf4, 0xa0, 0xcf, 0xd8, 0xfd, 0x4f, 0xb1, 0x1f,
19759 ++ 0x60, 0x3a, 0x08, 0x47, 0xaf, 0xe1, 0xf6, 0x10,
19760 ++ 0x77, 0x09, 0xa7, 0x27, 0x8f, 0x9a, 0x97, 0x5a,
19761 ++ 0x26, 0xfa, 0xfe, 0x41, 0x32, 0x83, 0x10, 0xe0,
19762 ++ 0x1d, 0xbf, 0x64, 0x0d, 0xf4, 0x1c, 0x32, 0x35,
19763 ++ 0xe5, 0x1b, 0x36, 0xef, 0xd4, 0x4a, 0x93, 0x4d,
19764 ++ 0x00, 0x7c, 0xec, 0x02, 0x07, 0x8b, 0x5d, 0x7d,
19765 ++ 0x1b, 0x0e, 0xd1, 0xa6, 0xa5, 0x5d, 0x7d, 0x57,
19766 ++ 0x88, 0xa8, 0xcc, 0x81, 0xb4, 0x86, 0x4e, 0xb4,
19767 ++ 0x40, 0xe9, 0x1d, 0xc3, 0xb1, 0x24, 0x3e, 0x7f,
19768 ++ 0xcc, 0x8a, 0x24, 0x9b, 0xdf, 0x6d, 0xf0, 0x39,
19769 ++ 0x69, 0x3e, 0x4c, 0xc0, 0x96, 0xe4, 0x13, 0xda,
19770 ++ 0x90, 0xda, 0xf4, 0x95, 0x66, 0x8b, 0x17, 0x17,
19771 ++ 0xfe, 0x39, 0x43, 0x25, 0xaa, 0xda, 0xa0, 0x43,
19772 ++ 0x3c, 0xb1, 0x41, 0x02, 0xa3, 0xf0, 0xa7, 0x19,
19773 ++ 0x59, 0xbc, 0x1d, 0x7d, 0x6c, 0x6d, 0x91, 0x09,
19774 ++ 0x5c, 0xb7, 0x5b, 0x01, 0xd1, 0x6f, 0x17, 0x21,
19775 ++ 0x97, 0xbf, 0x89, 0x71, 0xa5, 0xb0, 0x6e, 0x07,
19776 ++ 0x45, 0xfd, 0x9d, 0xea, 0x07, 0xf6, 0x7a, 0x9f,
19777 ++ 0x10, 0x18, 0x22, 0x30, 0x73, 0xac, 0xd4, 0x6b,
19778 ++ 0x72, 0x44, 0xed, 0xd9, 0x19, 0x9b, 0x2d, 0x4a,
19779 ++ 0x41, 0xdd, 0xd1, 0x85, 0x5e, 0x37, 0x19, 0xed,
19780 ++ 0xd2, 0x15, 0x8f, 0x5e, 0x91, 0xdb, 0x33, 0xf2,
19781 ++ 0xe4, 0xdb, 0xff, 0x98, 0xfb, 0xa3, 0xb5, 0xca,
19782 ++ 0x21, 0x69, 0x08, 0xe7, 0x8a, 0xdf, 0x90, 0xff,
19783 ++ 0x3e, 0xe9, 0x20, 0x86, 0x3c, 0xe9, 0xfc, 0x0b,
19784 ++ 0xfe, 0x5c, 0x61, 0xaa, 0x13, 0x92, 0x7f, 0x7b,
19785 ++ 0xec, 0xe0, 0x6d, 0xa8, 0x23, 0x22, 0xf6, 0x6b,
19786 ++ 0x77, 0xc4, 0xfe, 0x40, 0x07, 0x3b, 0xb6, 0xf6,
19787 ++ 0x8e, 0x5f, 0xd4, 0xb9, 0xb7, 0x0f, 0x21, 0x04,
19788 ++ 0xef, 0x83, 0x63, 0x91, 0x69, 0x40, 0xa3, 0x48,
19789 ++ 0x5c, 0xd2, 0x60, 0xf9, 0x4f, 0x6c, 0x47, 0x8b,
19790 ++ 0x3b, 0xb1, 0x9f, 0x8e, 0xee, 0x16, 0x8a, 0x13,
19791 ++ 0xfc, 0x46, 0x17, 0xc3, 0xc3, 0x32, 0x56, 0xf8,
19792 ++ 0x3c, 0x85, 0x3a, 0xb6, 0x3e, 0xaa, 0x89, 0x4f,
19793 ++ 0xb3, 0xdf, 0x38, 0xfd, 0xf1, 0xe4, 0x3a, 0xc0,
19794 ++ 0xe6, 0x58, 0xb5, 0x8f, 0xc5, 0x29, 0xa2, 0x92,
19795 ++ 0x4a, 0xb6, 0xa0, 0x34, 0x7f, 0xab, 0xb5, 0x8a,
19796 ++ 0x90, 0xa1, 0xdb, 0x4d, 0xca, 0xb6, 0x2c, 0x41,
19797 ++ 0x3c, 0xf7, 0x2b, 0x21, 0xc3, 0xfd, 0xf4, 0x17,
19798 ++ 0x5c, 0xb5, 0x33, 0x17, 0x68, 0x2b, 0x08, 0x30,
19799 ++ 0xf3, 0xf7, 0x30, 0x3c, 0x96, 0xe6, 0x6a, 0x20,
19800 ++ 0x97, 0xe7, 0x4d, 0x10, 0x5f, 0x47, 0x5f, 0x49,
19801 ++ 0x96, 0x09, 0xf0, 0x27, 0x91, 0xc8, 0xf8, 0x5a,
19802 ++ 0x2e, 0x79, 0xb5, 0xe2, 0xb8, 0xe8, 0xb9, 0x7b,
19803 ++ 0xd5, 0x10, 0xcb, 0xff, 0x5d, 0x14, 0x73, 0xf3
19804 ++};
19805 ++static const u8 enc_output008[] __initconst = {
19806 ++ 0x14, 0xf6, 0x41, 0x37, 0xa6, 0xd4, 0x27, 0xcd,
19807 ++ 0xdb, 0x06, 0x3e, 0x9a, 0x4e, 0xab, 0xd5, 0xb1,
19808 ++ 0x1e, 0x6b, 0xd2, 0xbc, 0x11, 0xf4, 0x28, 0x93,
19809 ++ 0x63, 0x54, 0xef, 0xbb, 0x5e, 0x1d, 0x3a, 0x1d,
19810 ++ 0x37, 0x3c, 0x0a, 0x6c, 0x1e, 0xc2, 0xd1, 0x2c,
19811 ++ 0xb5, 0xa3, 0xb5, 0x7b, 0xb8, 0x8f, 0x25, 0xa6,
19812 ++ 0x1b, 0x61, 0x1c, 0xec, 0x28, 0x58, 0x26, 0xa4,
19813 ++ 0xa8, 0x33, 0x28, 0x25, 0x5c, 0x45, 0x05, 0xe5,
19814 ++ 0x6c, 0x99, 0xe5, 0x45, 0xc4, 0xa2, 0x03, 0x84,
19815 ++ 0x03, 0x73, 0x1e, 0x8c, 0x49, 0xac, 0x20, 0xdd,
19816 ++ 0x8d, 0xb3, 0xc4, 0xf5, 0xe7, 0x4f, 0xf1, 0xed,
19817 ++ 0xa1, 0x98, 0xde, 0xa4, 0x96, 0xdd, 0x2f, 0xab,
19818 ++ 0xab, 0x97, 0xcf, 0x3e, 0xd2, 0x9e, 0xb8, 0x13,
19819 ++ 0x07, 0x28, 0x29, 0x19, 0xaf, 0xfd, 0xf2, 0x49,
19820 ++ 0x43, 0xea, 0x49, 0x26, 0x91, 0xc1, 0x07, 0xd6,
19821 ++ 0xbb, 0x81, 0x75, 0x35, 0x0d, 0x24, 0x7f, 0xc8,
19822 ++ 0xda, 0xd4, 0xb7, 0xeb, 0xe8, 0x5c, 0x09, 0xa2,
19823 ++ 0x2f, 0xdc, 0x28, 0x7d, 0x3a, 0x03, 0xfa, 0x94,
19824 ++ 0xb5, 0x1d, 0x17, 0x99, 0x36, 0xc3, 0x1c, 0x18,
19825 ++ 0x34, 0xe3, 0x9f, 0xf5, 0x55, 0x7c, 0xb0, 0x60,
19826 ++ 0x9d, 0xff, 0xac, 0xd4, 0x61, 0xf2, 0xad, 0xf8,
19827 ++ 0xce, 0xc7, 0xbe, 0x5c, 0xd2, 0x95, 0xa8, 0x4b,
19828 ++ 0x77, 0x13, 0x19, 0x59, 0x26, 0xc9, 0xb7, 0x8f,
19829 ++ 0x6a, 0xcb, 0x2d, 0x37, 0x91, 0xea, 0x92, 0x9c,
19830 ++ 0x94, 0x5b, 0xda, 0x0b, 0xce, 0xfe, 0x30, 0x20,
19831 ++ 0xf8, 0x51, 0xad, 0xf2, 0xbe, 0xe7, 0xc7, 0xff,
19832 ++ 0xb3, 0x33, 0x91, 0x6a, 0xc9, 0x1a, 0x41, 0xc9,
19833 ++ 0x0f, 0xf3, 0x10, 0x0e, 0xfd, 0x53, 0xff, 0x6c,
19834 ++ 0x16, 0x52, 0xd9, 0xf3, 0xf7, 0x98, 0x2e, 0xc9,
19835 ++ 0x07, 0x31, 0x2c, 0x0c, 0x72, 0xd7, 0xc5, 0xc6,
19836 ++ 0x08, 0x2a, 0x7b, 0xda, 0xbd, 0x7e, 0x02, 0xea,
19837 ++ 0x1a, 0xbb, 0xf2, 0x04, 0x27, 0x61, 0x28, 0x8e,
19838 ++ 0xf5, 0x04, 0x03, 0x1f, 0x4c, 0x07, 0x55, 0x82,
19839 ++ 0xec, 0x1e, 0xd7, 0x8b, 0x2f, 0x65, 0x56, 0xd1,
19840 ++ 0xd9, 0x1e, 0x3c, 0xe9, 0x1f, 0x5e, 0x98, 0x70,
19841 ++ 0x38, 0x4a, 0x8c, 0x49, 0xc5, 0x43, 0xa0, 0xa1,
19842 ++ 0x8b, 0x74, 0x9d, 0x4c, 0x62, 0x0d, 0x10, 0x0c,
19843 ++ 0xf4, 0x6c, 0x8f, 0xe0, 0xaa, 0x9a, 0x8d, 0xb7,
19844 ++ 0xe0, 0xbe, 0x4c, 0x87, 0xf1, 0x98, 0x2f, 0xcc,
19845 ++ 0xed, 0xc0, 0x52, 0x29, 0xdc, 0x83, 0xf8, 0xfc,
19846 ++ 0x2c, 0x0e, 0xa8, 0x51, 0x4d, 0x80, 0x0d, 0xa3,
19847 ++ 0xfe, 0xd8, 0x37, 0xe7, 0x41, 0x24, 0xfc, 0xfb,
19848 ++ 0x75, 0xe3, 0x71, 0x7b, 0x57, 0x45, 0xf5, 0x97,
19849 ++ 0x73, 0x65, 0x63, 0x14, 0x74, 0xb8, 0x82, 0x9f,
19850 ++ 0xf8, 0x60, 0x2f, 0x8a, 0xf2, 0x4e, 0xf1, 0x39,
19851 ++ 0xda, 0x33, 0x91, 0xf8, 0x36, 0xe0, 0x8d, 0x3f,
19852 ++ 0x1f, 0x3b, 0x56, 0xdc, 0xa0, 0x8f, 0x3c, 0x9d,
19853 ++ 0x71, 0x52, 0xa7, 0xb8, 0xc0, 0xa5, 0xc6, 0xa2,
19854 ++ 0x73, 0xda, 0xf4, 0x4b, 0x74, 0x5b, 0x00, 0x3d,
19855 ++ 0x99, 0xd7, 0x96, 0xba, 0xe6, 0xe1, 0xa6, 0x96,
19856 ++ 0x38, 0xad, 0xb3, 0xc0, 0xd2, 0xba, 0x91, 0x6b,
19857 ++ 0xf9, 0x19, 0xdd, 0x3b, 0xbe, 0xbe, 0x9c, 0x20,
19858 ++ 0x50, 0xba, 0xa1, 0xd0, 0xce, 0x11, 0xbd, 0x95,
19859 ++ 0xd8, 0xd1, 0xdd, 0x33, 0x85, 0x74, 0xdc, 0xdb,
19860 ++ 0x66, 0x76, 0x44, 0xdc, 0x03, 0x74, 0x48, 0x35,
19861 ++ 0x98, 0xb1, 0x18, 0x47, 0x94, 0x7d, 0xff, 0x62,
19862 ++ 0xe4, 0x58, 0x78, 0xab, 0xed, 0x95, 0x36, 0xd9,
19863 ++ 0x84, 0x91, 0x82, 0x64, 0x41, 0xbb, 0x58, 0xe6,
19864 ++ 0x1c, 0x20, 0x6d, 0x15, 0x6b, 0x13, 0x96, 0xe8,
19865 ++ 0x35, 0x7f, 0xdc, 0x40, 0x2c, 0xe9, 0xbc, 0x8a,
19866 ++ 0x4f, 0x92, 0xec, 0x06, 0x2d, 0x50, 0xdf, 0x93,
19867 ++ 0x5d, 0x65, 0x5a, 0xa8, 0xfc, 0x20, 0x50, 0x14,
19868 ++ 0xa9, 0x8a, 0x7e, 0x1d, 0x08, 0x1f, 0xe2, 0x99,
19869 ++ 0xd0, 0xbe, 0xfb, 0x3a, 0x21, 0x9d, 0xad, 0x86,
19870 ++ 0x54, 0xfd, 0x0d, 0x98, 0x1c, 0x5a, 0x6f, 0x1f,
19871 ++ 0x9a, 0x40, 0xcd, 0xa2, 0xff, 0x6a, 0xf1, 0x54
19872 ++};
19873 ++static const u8 enc_assoc008[] __initconst = { };
19874 ++static const u8 enc_nonce008[] __initconst = {
19875 ++ 0x0e, 0x0d, 0x57, 0xbb, 0x7b, 0x40, 0x54, 0x02
19876 ++};
19877 ++static const u8 enc_key008[] __initconst = {
19878 ++ 0xf2, 0xaa, 0x4f, 0x99, 0xfd, 0x3e, 0xa8, 0x53,
19879 ++ 0xc1, 0x44, 0xe9, 0x81, 0x18, 0xdc, 0xf5, 0xf0,
19880 ++ 0x3e, 0x44, 0x15, 0x59, 0xe0, 0xc5, 0x44, 0x86,
19881 ++ 0xc3, 0x91, 0xa8, 0x75, 0xc0, 0x12, 0x46, 0xba
19882 ++};
19883 ++
19884 ++static const u8 enc_input009[] __initconst = {
19885 ++ 0xe6, 0xc3, 0xdb, 0x63, 0x55, 0x15, 0xe3, 0x5b,
19886 ++ 0xb7, 0x4b, 0x27, 0x8b, 0x5a, 0xdd, 0xc2, 0xe8,
19887 ++ 0x3a, 0x6b, 0xd7, 0x81, 0x96, 0x35, 0x97, 0xca,
19888 ++ 0xd7, 0x68, 0xe8, 0xef, 0xce, 0xab, 0xda, 0x09,
19889 ++ 0x6e, 0xd6, 0x8e, 0xcb, 0x55, 0xb5, 0xe1, 0xe5,
19890 ++ 0x57, 0xfd, 0xc4, 0xe3, 0xe0, 0x18, 0x4f, 0x85,
19891 ++ 0xf5, 0x3f, 0x7e, 0x4b, 0x88, 0xc9, 0x52, 0x44,
19892 ++ 0x0f, 0xea, 0xaf, 0x1f, 0x71, 0x48, 0x9f, 0x97,
19893 ++ 0x6d, 0xb9, 0x6f, 0x00, 0xa6, 0xde, 0x2b, 0x77,
19894 ++ 0x8b, 0x15, 0xad, 0x10, 0xa0, 0x2b, 0x7b, 0x41,
19895 ++ 0x90, 0x03, 0x2d, 0x69, 0xae, 0xcc, 0x77, 0x7c,
19896 ++ 0xa5, 0x9d, 0x29, 0x22, 0xc2, 0xea, 0xb4, 0x00,
19897 ++ 0x1a, 0xd2, 0x7a, 0x98, 0x8a, 0xf9, 0xf7, 0x82,
19898 ++ 0xb0, 0xab, 0xd8, 0xa6, 0x94, 0x8d, 0x58, 0x2f,
19899 ++ 0x01, 0x9e, 0x00, 0x20, 0xfc, 0x49, 0xdc, 0x0e,
19900 ++ 0x03, 0xe8, 0x45, 0x10, 0xd6, 0xa8, 0xda, 0x55,
19901 ++ 0x10, 0x9a, 0xdf, 0x67, 0x22, 0x8b, 0x43, 0xab,
19902 ++ 0x00, 0xbb, 0x02, 0xc8, 0xdd, 0x7b, 0x97, 0x17,
19903 ++ 0xd7, 0x1d, 0x9e, 0x02, 0x5e, 0x48, 0xde, 0x8e,
19904 ++ 0xcf, 0x99, 0x07, 0x95, 0x92, 0x3c, 0x5f, 0x9f,
19905 ++ 0xc5, 0x8a, 0xc0, 0x23, 0xaa, 0xd5, 0x8c, 0x82,
19906 ++ 0x6e, 0x16, 0x92, 0xb1, 0x12, 0x17, 0x07, 0xc3,
19907 ++ 0xfb, 0x36, 0xf5, 0x6c, 0x35, 0xd6, 0x06, 0x1f,
19908 ++ 0x9f, 0xa7, 0x94, 0xa2, 0x38, 0x63, 0x9c, 0xb0,
19909 ++ 0x71, 0xb3, 0xa5, 0xd2, 0xd8, 0xba, 0x9f, 0x08,
19910 ++ 0x01, 0xb3, 0xff, 0x04, 0x97, 0x73, 0x45, 0x1b,
19911 ++ 0xd5, 0xa9, 0x9c, 0x80, 0xaf, 0x04, 0x9a, 0x85,
19912 ++ 0xdb, 0x32, 0x5b, 0x5d, 0x1a, 0xc1, 0x36, 0x28,
19913 ++ 0x10, 0x79, 0xf1, 0x3c, 0xbf, 0x1a, 0x41, 0x5c,
19914 ++ 0x4e, 0xdf, 0xb2, 0x7c, 0x79, 0x3b, 0x7a, 0x62,
19915 ++ 0x3d, 0x4b, 0xc9, 0x9b, 0x2a, 0x2e, 0x7c, 0xa2,
19916 ++ 0xb1, 0x11, 0x98, 0xa7, 0x34, 0x1a, 0x00, 0xf3,
19917 ++ 0xd1, 0xbc, 0x18, 0x22, 0xba, 0x02, 0x56, 0x62,
19918 ++ 0x31, 0x10, 0x11, 0x6d, 0xe0, 0x54, 0x9d, 0x40,
19919 ++ 0x1f, 0x26, 0x80, 0x41, 0xca, 0x3f, 0x68, 0x0f,
19920 ++ 0x32, 0x1d, 0x0a, 0x8e, 0x79, 0xd8, 0xa4, 0x1b,
19921 ++ 0x29, 0x1c, 0x90, 0x8e, 0xc5, 0xe3, 0xb4, 0x91,
19922 ++ 0x37, 0x9a, 0x97, 0x86, 0x99, 0xd5, 0x09, 0xc5,
19923 ++ 0xbb, 0xa3, 0x3f, 0x21, 0x29, 0x82, 0x14, 0x5c,
19924 ++ 0xab, 0x25, 0xfb, 0xf2, 0x4f, 0x58, 0x26, 0xd4,
19925 ++ 0x83, 0xaa, 0x66, 0x89, 0x67, 0x7e, 0xc0, 0x49,
19926 ++ 0xe1, 0x11, 0x10, 0x7f, 0x7a, 0xda, 0x29, 0x04,
19927 ++ 0xff, 0xf0, 0xcb, 0x09, 0x7c, 0x9d, 0xfa, 0x03,
19928 ++ 0x6f, 0x81, 0x09, 0x31, 0x60, 0xfb, 0x08, 0xfa,
19929 ++ 0x74, 0xd3, 0x64, 0x44, 0x7c, 0x55, 0x85, 0xec,
19930 ++ 0x9c, 0x6e, 0x25, 0xb7, 0x6c, 0xc5, 0x37, 0xb6,
19931 ++ 0x83, 0x87, 0x72, 0x95, 0x8b, 0x9d, 0xe1, 0x69,
19932 ++ 0x5c, 0x31, 0x95, 0x42, 0xa6, 0x2c, 0xd1, 0x36,
19933 ++ 0x47, 0x1f, 0xec, 0x54, 0xab, 0xa2, 0x1c, 0xd8,
19934 ++ 0x00, 0xcc, 0xbc, 0x0d, 0x65, 0xe2, 0x67, 0xbf,
19935 ++ 0xbc, 0xea, 0xee, 0x9e, 0xe4, 0x36, 0x95, 0xbe,
19936 ++ 0x73, 0xd9, 0xa6, 0xd9, 0x0f, 0xa0, 0xcc, 0x82,
19937 ++ 0x76, 0x26, 0xad, 0x5b, 0x58, 0x6c, 0x4e, 0xab,
19938 ++ 0x29, 0x64, 0xd3, 0xd9, 0xa9, 0x08, 0x8c, 0x1d,
19939 ++ 0xa1, 0x4f, 0x80, 0xd8, 0x3f, 0x94, 0xfb, 0xd3,
19940 ++ 0x7b, 0xfc, 0xd1, 0x2b, 0xc3, 0x21, 0xeb, 0xe5,
19941 ++ 0x1c, 0x84, 0x23, 0x7f, 0x4b, 0xfa, 0xdb, 0x34,
19942 ++ 0x18, 0xa2, 0xc2, 0xe5, 0x13, 0xfe, 0x6c, 0x49,
19943 ++ 0x81, 0xd2, 0x73, 0xe7, 0xe2, 0xd7, 0xe4, 0x4f,
19944 ++ 0x4b, 0x08, 0x6e, 0xb1, 0x12, 0x22, 0x10, 0x9d,
19945 ++ 0xac, 0x51, 0x1e, 0x17, 0xd9, 0x8a, 0x0b, 0x42,
19946 ++ 0x88, 0x16, 0x81, 0x37, 0x7c, 0x6a, 0xf7, 0xef,
19947 ++ 0x2d, 0xe3, 0xd9, 0xf8, 0x5f, 0xe0, 0x53, 0x27,
19948 ++ 0x74, 0xb9, 0xe2, 0xd6, 0x1c, 0x80, 0x2c, 0x52,
19949 ++ 0x65
19950 ++};
19951 ++static const u8 enc_output009[] __initconst = {
19952 ++ 0xfd, 0x81, 0x8d, 0xd0, 0x3d, 0xb4, 0xd5, 0xdf,
19953 ++ 0xd3, 0x42, 0x47, 0x5a, 0x6d, 0x19, 0x27, 0x66,
19954 ++ 0x4b, 0x2e, 0x0c, 0x27, 0x9c, 0x96, 0x4c, 0x72,
19955 ++ 0x02, 0xa3, 0x65, 0xc3, 0xb3, 0x6f, 0x2e, 0xbd,
19956 ++ 0x63, 0x8a, 0x4a, 0x5d, 0x29, 0xa2, 0xd0, 0x28,
19957 ++ 0x48, 0xc5, 0x3d, 0x98, 0xa3, 0xbc, 0xe0, 0xbe,
19958 ++ 0x3b, 0x3f, 0xe6, 0x8a, 0xa4, 0x7f, 0x53, 0x06,
19959 ++ 0xfa, 0x7f, 0x27, 0x76, 0x72, 0x31, 0xa1, 0xf5,
19960 ++ 0xd6, 0x0c, 0x52, 0x47, 0xba, 0xcd, 0x4f, 0xd7,
19961 ++ 0xeb, 0x05, 0x48, 0x0d, 0x7c, 0x35, 0x4a, 0x09,
19962 ++ 0xc9, 0x76, 0x71, 0x02, 0xa3, 0xfb, 0xb7, 0x1a,
19963 ++ 0x65, 0xb7, 0xed, 0x98, 0xc6, 0x30, 0x8a, 0x00,
19964 ++ 0xae, 0xa1, 0x31, 0xe5, 0xb5, 0x9e, 0x6d, 0x62,
19965 ++ 0xda, 0xda, 0x07, 0x0f, 0x38, 0x38, 0xd3, 0xcb,
19966 ++ 0xc1, 0xb0, 0xad, 0xec, 0x72, 0xec, 0xb1, 0xa2,
19967 ++ 0x7b, 0x59, 0xf3, 0x3d, 0x2b, 0xef, 0xcd, 0x28,
19968 ++ 0x5b, 0x83, 0xcc, 0x18, 0x91, 0x88, 0xb0, 0x2e,
19969 ++ 0xf9, 0x29, 0x31, 0x18, 0xf9, 0x4e, 0xe9, 0x0a,
19970 ++ 0x91, 0x92, 0x9f, 0xae, 0x2d, 0xad, 0xf4, 0xe6,
19971 ++ 0x1a, 0xe2, 0xa4, 0xee, 0x47, 0x15, 0xbf, 0x83,
19972 ++ 0x6e, 0xd7, 0x72, 0x12, 0x3b, 0x2d, 0x24, 0xe9,
19973 ++ 0xb2, 0x55, 0xcb, 0x3c, 0x10, 0xf0, 0x24, 0x8a,
19974 ++ 0x4a, 0x02, 0xea, 0x90, 0x25, 0xf0, 0xb4, 0x79,
19975 ++ 0x3a, 0xef, 0x6e, 0xf5, 0x52, 0xdf, 0xb0, 0x0a,
19976 ++ 0xcd, 0x24, 0x1c, 0xd3, 0x2e, 0x22, 0x74, 0xea,
19977 ++ 0x21, 0x6f, 0xe9, 0xbd, 0xc8, 0x3e, 0x36, 0x5b,
19978 ++ 0x19, 0xf1, 0xca, 0x99, 0x0a, 0xb4, 0xa7, 0x52,
19979 ++ 0x1a, 0x4e, 0xf2, 0xad, 0x8d, 0x56, 0x85, 0xbb,
19980 ++ 0x64, 0x89, 0xba, 0x26, 0xf9, 0xc7, 0xe1, 0x89,
19981 ++ 0x19, 0x22, 0x77, 0xc3, 0xa8, 0xfc, 0xff, 0xad,
19982 ++ 0xfe, 0xb9, 0x48, 0xae, 0x12, 0x30, 0x9f, 0x19,
19983 ++ 0xfb, 0x1b, 0xef, 0x14, 0x87, 0x8a, 0x78, 0x71,
19984 ++ 0xf3, 0xf4, 0xb7, 0x00, 0x9c, 0x1d, 0xb5, 0x3d,
19985 ++ 0x49, 0x00, 0x0c, 0x06, 0xd4, 0x50, 0xf9, 0x54,
19986 ++ 0x45, 0xb2, 0x5b, 0x43, 0xdb, 0x6d, 0xcf, 0x1a,
19987 ++ 0xe9, 0x7a, 0x7a, 0xcf, 0xfc, 0x8a, 0x4e, 0x4d,
19988 ++ 0x0b, 0x07, 0x63, 0x28, 0xd8, 0xe7, 0x08, 0x95,
19989 ++ 0xdf, 0xa6, 0x72, 0x93, 0x2e, 0xbb, 0xa0, 0x42,
19990 ++ 0x89, 0x16, 0xf1, 0xd9, 0x0c, 0xf9, 0xa1, 0x16,
19991 ++ 0xfd, 0xd9, 0x03, 0xb4, 0x3b, 0x8a, 0xf5, 0xf6,
19992 ++ 0xe7, 0x6b, 0x2e, 0x8e, 0x4c, 0x3d, 0xe2, 0xaf,
19993 ++ 0x08, 0x45, 0x03, 0xff, 0x09, 0xb6, 0xeb, 0x2d,
19994 ++ 0xc6, 0x1b, 0x88, 0x94, 0xac, 0x3e, 0xf1, 0x9f,
19995 ++ 0x0e, 0x0e, 0x2b, 0xd5, 0x00, 0x4d, 0x3f, 0x3b,
19996 ++ 0x53, 0xae, 0xaf, 0x1c, 0x33, 0x5f, 0x55, 0x6e,
19997 ++ 0x8d, 0xaf, 0x05, 0x7a, 0x10, 0x34, 0xc9, 0xf4,
19998 ++ 0x66, 0xcb, 0x62, 0x12, 0xa6, 0xee, 0xe8, 0x1c,
19999 ++ 0x5d, 0x12, 0x86, 0xdb, 0x6f, 0x1c, 0x33, 0xc4,
20000 ++ 0x1c, 0xda, 0x82, 0x2d, 0x3b, 0x59, 0xfe, 0xb1,
20001 ++ 0xa4, 0x59, 0x41, 0x86, 0xd0, 0xef, 0xae, 0xfb,
20002 ++ 0xda, 0x6d, 0x11, 0xb8, 0xca, 0xe9, 0x6e, 0xff,
20003 ++ 0xf7, 0xa9, 0xd9, 0x70, 0x30, 0xfc, 0x53, 0xe2,
20004 ++ 0xd7, 0xa2, 0x4e, 0xc7, 0x91, 0xd9, 0x07, 0x06,
20005 ++ 0xaa, 0xdd, 0xb0, 0x59, 0x28, 0x1d, 0x00, 0x66,
20006 ++ 0xc5, 0x54, 0xc2, 0xfc, 0x06, 0xda, 0x05, 0x90,
20007 ++ 0x52, 0x1d, 0x37, 0x66, 0xee, 0xf0, 0xb2, 0x55,
20008 ++ 0x8a, 0x5d, 0xd2, 0x38, 0x86, 0x94, 0x9b, 0xfc,
20009 ++ 0x10, 0x4c, 0xa1, 0xb9, 0x64, 0x3e, 0x44, 0xb8,
20010 ++ 0x5f, 0xb0, 0x0c, 0xec, 0xe0, 0xc9, 0xe5, 0x62,
20011 ++ 0x75, 0x3f, 0x09, 0xd5, 0xf5, 0xd9, 0x26, 0xba,
20012 ++ 0x9e, 0xd2, 0xf4, 0xb9, 0x48, 0x0a, 0xbc, 0xa2,
20013 ++ 0xd6, 0x7c, 0x36, 0x11, 0x7d, 0x26, 0x81, 0x89,
20014 ++ 0xcf, 0xa4, 0xad, 0x73, 0x0e, 0xee, 0xcc, 0x06,
20015 ++ 0xa9, 0xdb, 0xb1, 0xfd, 0xfb, 0x09, 0x7f, 0x90,
20016 ++ 0x42, 0x37, 0x2f, 0xe1, 0x9c, 0x0f, 0x6f, 0xcf,
20017 ++ 0x43, 0xb5, 0xd9, 0x90, 0xe1, 0x85, 0xf5, 0xa8,
20018 ++ 0xae
20019 ++};
20020 ++static const u8 enc_assoc009[] __initconst = {
20021 ++ 0x5a, 0x27, 0xff, 0xeb, 0xdf, 0x84, 0xb2, 0x9e,
20022 ++ 0xef
20023 ++};
20024 ++static const u8 enc_nonce009[] __initconst = {
20025 ++ 0xef, 0x2d, 0x63, 0xee, 0x6b, 0x80, 0x8b, 0x78
20026 ++};
20027 ++static const u8 enc_key009[] __initconst = {
20028 ++ 0xea, 0xbc, 0x56, 0x99, 0xe3, 0x50, 0xff, 0xc5,
20029 ++ 0xcc, 0x1a, 0xd7, 0xc1, 0x57, 0x72, 0xea, 0x86,
20030 ++ 0x5b, 0x89, 0x88, 0x61, 0x3d, 0x2f, 0x9b, 0xb2,
20031 ++ 0xe7, 0x9c, 0xec, 0x74, 0x6e, 0x3e, 0xf4, 0x3b
20032 ++};
20033 ++
20034 ++static const u8 enc_input010[] __initconst = {
20035 ++ 0x42, 0x93, 0xe4, 0xeb, 0x97, 0xb0, 0x57, 0xbf,
20036 ++ 0x1a, 0x8b, 0x1f, 0xe4, 0x5f, 0x36, 0x20, 0x3c,
20037 ++ 0xef, 0x0a, 0xa9, 0x48, 0x5f, 0x5f, 0x37, 0x22,
20038 ++ 0x3a, 0xde, 0xe3, 0xae, 0xbe, 0xad, 0x07, 0xcc,
20039 ++ 0xb1, 0xf6, 0xf5, 0xf9, 0x56, 0xdd, 0xe7, 0x16,
20040 ++ 0x1e, 0x7f, 0xdf, 0x7a, 0x9e, 0x75, 0xb7, 0xc7,
20041 ++ 0xbe, 0xbe, 0x8a, 0x36, 0x04, 0xc0, 0x10, 0xf4,
20042 ++ 0x95, 0x20, 0x03, 0xec, 0xdc, 0x05, 0xa1, 0x7d,
20043 ++ 0xc4, 0xa9, 0x2c, 0x82, 0xd0, 0xbc, 0x8b, 0xc5,
20044 ++ 0xc7, 0x45, 0x50, 0xf6, 0xa2, 0x1a, 0xb5, 0x46,
20045 ++ 0x3b, 0x73, 0x02, 0xa6, 0x83, 0x4b, 0x73, 0x82,
20046 ++ 0x58, 0x5e, 0x3b, 0x65, 0x2f, 0x0e, 0xfd, 0x2b,
20047 ++ 0x59, 0x16, 0xce, 0xa1, 0x60, 0x9c, 0xe8, 0x3a,
20048 ++ 0x99, 0xed, 0x8d, 0x5a, 0xcf, 0xf6, 0x83, 0xaf,
20049 ++ 0xba, 0xd7, 0x73, 0x73, 0x40, 0x97, 0x3d, 0xca,
20050 ++ 0xef, 0x07, 0x57, 0xe6, 0xd9, 0x70, 0x0e, 0x95,
20051 ++ 0xae, 0xa6, 0x8d, 0x04, 0xcc, 0xee, 0xf7, 0x09,
20052 ++ 0x31, 0x77, 0x12, 0xa3, 0x23, 0x97, 0x62, 0xb3,
20053 ++ 0x7b, 0x32, 0xfb, 0x80, 0x14, 0x48, 0x81, 0xc3,
20054 ++ 0xe5, 0xea, 0x91, 0x39, 0x52, 0x81, 0xa2, 0x4f,
20055 ++ 0xe4, 0xb3, 0x09, 0xff, 0xde, 0x5e, 0xe9, 0x58,
20056 ++ 0x84, 0x6e, 0xf9, 0x3d, 0xdf, 0x25, 0xea, 0xad,
20057 ++ 0xae, 0xe6, 0x9a, 0xd1, 0x89, 0x55, 0xd3, 0xde,
20058 ++ 0x6c, 0x52, 0xdb, 0x70, 0xfe, 0x37, 0xce, 0x44,
20059 ++ 0x0a, 0xa8, 0x25, 0x5f, 0x92, 0xc1, 0x33, 0x4a,
20060 ++ 0x4f, 0x9b, 0x62, 0x35, 0xff, 0xce, 0xc0, 0xa9,
20061 ++ 0x60, 0xce, 0x52, 0x00, 0x97, 0x51, 0x35, 0x26,
20062 ++ 0x2e, 0xb9, 0x36, 0xa9, 0x87, 0x6e, 0x1e, 0xcc,
20063 ++ 0x91, 0x78, 0x53, 0x98, 0x86, 0x5b, 0x9c, 0x74,
20064 ++ 0x7d, 0x88, 0x33, 0xe1, 0xdf, 0x37, 0x69, 0x2b,
20065 ++ 0xbb, 0xf1, 0x4d, 0xf4, 0xd1, 0xf1, 0x39, 0x93,
20066 ++ 0x17, 0x51, 0x19, 0xe3, 0x19, 0x1e, 0x76, 0x37,
20067 ++ 0x25, 0xfb, 0x09, 0x27, 0x6a, 0xab, 0x67, 0x6f,
20068 ++ 0x14, 0x12, 0x64, 0xe7, 0xc4, 0x07, 0xdf, 0x4d,
20069 ++ 0x17, 0xbb, 0x6d, 0xe0, 0xe9, 0xb9, 0xab, 0xca,
20070 ++ 0x10, 0x68, 0xaf, 0x7e, 0xb7, 0x33, 0x54, 0x73,
20071 ++ 0x07, 0x6e, 0xf7, 0x81, 0x97, 0x9c, 0x05, 0x6f,
20072 ++ 0x84, 0x5f, 0xd2, 0x42, 0xfb, 0x38, 0xcf, 0xd1,
20073 ++ 0x2f, 0x14, 0x30, 0x88, 0x98, 0x4d, 0x5a, 0xa9,
20074 ++ 0x76, 0xd5, 0x4f, 0x3e, 0x70, 0x6c, 0x85, 0x76,
20075 ++ 0xd7, 0x01, 0xa0, 0x1a, 0xc8, 0x4e, 0xaa, 0xac,
20076 ++ 0x78, 0xfe, 0x46, 0xde, 0x6a, 0x05, 0x46, 0xa7,
20077 ++ 0x43, 0x0c, 0xb9, 0xde, 0xb9, 0x68, 0xfb, 0xce,
20078 ++ 0x42, 0x99, 0x07, 0x4d, 0x0b, 0x3b, 0x5a, 0x30,
20079 ++ 0x35, 0xa8, 0xf9, 0x3a, 0x73, 0xef, 0x0f, 0xdb,
20080 ++ 0x1e, 0x16, 0x42, 0xc4, 0xba, 0xae, 0x58, 0xaa,
20081 ++ 0xf8, 0xe5, 0x75, 0x2f, 0x1b, 0x15, 0x5c, 0xfd,
20082 ++ 0x0a, 0x97, 0xd0, 0xe4, 0x37, 0x83, 0x61, 0x5f,
20083 ++ 0x43, 0xa6, 0xc7, 0x3f, 0x38, 0x59, 0xe6, 0xeb,
20084 ++ 0xa3, 0x90, 0xc3, 0xaa, 0xaa, 0x5a, 0xd3, 0x34,
20085 ++ 0xd4, 0x17, 0xc8, 0x65, 0x3e, 0x57, 0xbc, 0x5e,
20086 ++ 0xdd, 0x9e, 0xb7, 0xf0, 0x2e, 0x5b, 0xb2, 0x1f,
20087 ++ 0x8a, 0x08, 0x0d, 0x45, 0x91, 0x0b, 0x29, 0x53,
20088 ++ 0x4f, 0x4c, 0x5a, 0x73, 0x56, 0xfe, 0xaf, 0x41,
20089 ++ 0x01, 0x39, 0x0a, 0x24, 0x3c, 0x7e, 0xbe, 0x4e,
20090 ++ 0x53, 0xf3, 0xeb, 0x06, 0x66, 0x51, 0x28, 0x1d,
20091 ++ 0xbd, 0x41, 0x0a, 0x01, 0xab, 0x16, 0x47, 0x27,
20092 ++ 0x47, 0x47, 0xf7, 0xcb, 0x46, 0x0a, 0x70, 0x9e,
20093 ++ 0x01, 0x9c, 0x09, 0xe1, 0x2a, 0x00, 0x1a, 0xd8,
20094 ++ 0xd4, 0x79, 0x9d, 0x80, 0x15, 0x8e, 0x53, 0x2a,
20095 ++ 0x65, 0x83, 0x78, 0x3e, 0x03, 0x00, 0x07, 0x12,
20096 ++ 0x1f, 0x33, 0x3e, 0x7b, 0x13, 0x37, 0xf1, 0xc3,
20097 ++ 0xef, 0xb7, 0xc1, 0x20, 0x3c, 0x3e, 0x67, 0x66,
20098 ++ 0x5d, 0x88, 0xa7, 0x7d, 0x33, 0x50, 0x77, 0xb0,
20099 ++ 0x28, 0x8e, 0xe7, 0x2c, 0x2e, 0x7a, 0xf4, 0x3c,
20100 ++ 0x8d, 0x74, 0x83, 0xaf, 0x8e, 0x87, 0x0f, 0xe4,
20101 ++ 0x50, 0xff, 0x84, 0x5c, 0x47, 0x0c, 0x6a, 0x49,
20102 ++ 0xbf, 0x42, 0x86, 0x77, 0x15, 0x48, 0xa5, 0x90,
20103 ++ 0x5d, 0x93, 0xd6, 0x2a, 0x11, 0xd5, 0xd5, 0x11,
20104 ++ 0xaa, 0xce, 0xe7, 0x6f, 0xa5, 0xb0, 0x09, 0x2c,
20105 ++ 0x8d, 0xd3, 0x92, 0xf0, 0x5a, 0x2a, 0xda, 0x5b,
20106 ++ 0x1e, 0xd5, 0x9a, 0xc4, 0xc4, 0xf3, 0x49, 0x74,
20107 ++ 0x41, 0xca, 0xe8, 0xc1, 0xf8, 0x44, 0xd6, 0x3c,
20108 ++ 0xae, 0x6c, 0x1d, 0x9a, 0x30, 0x04, 0x4d, 0x27,
20109 ++ 0x0e, 0xb1, 0x5f, 0x59, 0xa2, 0x24, 0xe8, 0xe1,
20110 ++ 0x98, 0xc5, 0x6a, 0x4c, 0xfe, 0x41, 0xd2, 0x27,
20111 ++ 0x42, 0x52, 0xe1, 0xe9, 0x7d, 0x62, 0xe4, 0x88,
20112 ++ 0x0f, 0xad, 0xb2, 0x70, 0xcb, 0x9d, 0x4c, 0x27,
20113 ++ 0x2e, 0x76, 0x1e, 0x1a, 0x63, 0x65, 0xf5, 0x3b,
20114 ++ 0xf8, 0x57, 0x69, 0xeb, 0x5b, 0x38, 0x26, 0x39,
20115 ++ 0x33, 0x25, 0x45, 0x3e, 0x91, 0xb8, 0xd8, 0xc7,
20116 ++ 0xd5, 0x42, 0xc0, 0x22, 0x31, 0x74, 0xf4, 0xbc,
20117 ++ 0x0c, 0x23, 0xf1, 0xca, 0xc1, 0x8d, 0xd7, 0xbe,
20118 ++ 0xc9, 0x62, 0xe4, 0x08, 0x1a, 0xcf, 0x36, 0xd5,
20119 ++ 0xfe, 0x55, 0x21, 0x59, 0x91, 0x87, 0x87, 0xdf,
20120 ++ 0x06, 0xdb, 0xdf, 0x96, 0x45, 0x58, 0xda, 0x05,
20121 ++ 0xcd, 0x50, 0x4d, 0xd2, 0x7d, 0x05, 0x18, 0x73,
20122 ++ 0x6a, 0x8d, 0x11, 0x85, 0xa6, 0x88, 0xe8, 0xda,
20123 ++ 0xe6, 0x30, 0x33, 0xa4, 0x89, 0x31, 0x75, 0xbe,
20124 ++ 0x69, 0x43, 0x84, 0x43, 0x50, 0x87, 0xdd, 0x71,
20125 ++ 0x36, 0x83, 0xc3, 0x78, 0x74, 0x24, 0x0a, 0xed,
20126 ++ 0x7b, 0xdb, 0xa4, 0x24, 0x0b, 0xb9, 0x7e, 0x5d,
20127 ++ 0xff, 0xde, 0xb1, 0xef, 0x61, 0x5a, 0x45, 0x33,
20128 ++ 0xf6, 0x17, 0x07, 0x08, 0x98, 0x83, 0x92, 0x0f,
20129 ++ 0x23, 0x6d, 0xe6, 0xaa, 0x17, 0x54, 0xad, 0x6a,
20130 ++ 0xc8, 0xdb, 0x26, 0xbe, 0xb8, 0xb6, 0x08, 0xfa,
20131 ++ 0x68, 0xf1, 0xd7, 0x79, 0x6f, 0x18, 0xb4, 0x9e,
20132 ++ 0x2d, 0x3f, 0x1b, 0x64, 0xaf, 0x8d, 0x06, 0x0e,
20133 ++ 0x49, 0x28, 0xe0, 0x5d, 0x45, 0x68, 0x13, 0x87,
20134 ++ 0xfa, 0xde, 0x40, 0x7b, 0xd2, 0xc3, 0x94, 0xd5,
20135 ++ 0xe1, 0xd9, 0xc2, 0xaf, 0x55, 0x89, 0xeb, 0xb4,
20136 ++ 0x12, 0x59, 0xa8, 0xd4, 0xc5, 0x29, 0x66, 0x38,
20137 ++ 0xe6, 0xac, 0x22, 0x22, 0xd9, 0x64, 0x9b, 0x34,
20138 ++ 0x0a, 0x32, 0x9f, 0xc2, 0xbf, 0x17, 0x6c, 0x3f,
20139 ++ 0x71, 0x7a, 0x38, 0x6b, 0x98, 0xfb, 0x49, 0x36,
20140 ++ 0x89, 0xc9, 0xe2, 0xd6, 0xc7, 0x5d, 0xd0, 0x69,
20141 ++ 0x5f, 0x23, 0x35, 0xc9, 0x30, 0xe2, 0xfd, 0x44,
20142 ++ 0x58, 0x39, 0xd7, 0x97, 0xfb, 0x5c, 0x00, 0xd5,
20143 ++ 0x4f, 0x7a, 0x1a, 0x95, 0x8b, 0x62, 0x4b, 0xce,
20144 ++ 0xe5, 0x91, 0x21, 0x7b, 0x30, 0x00, 0xd6, 0xdd,
20145 ++ 0x6d, 0x02, 0x86, 0x49, 0x0f, 0x3c, 0x1a, 0x27,
20146 ++ 0x3c, 0xd3, 0x0e, 0x71, 0xf2, 0xff, 0xf5, 0x2f,
20147 ++ 0x87, 0xac, 0x67, 0x59, 0x81, 0xa3, 0xf7, 0xf8,
20148 ++ 0xd6, 0x11, 0x0c, 0x84, 0xa9, 0x03, 0xee, 0x2a,
20149 ++ 0xc4, 0xf3, 0x22, 0xab, 0x7c, 0xe2, 0x25, 0xf5,
20150 ++ 0x67, 0xa3, 0xe4, 0x11, 0xe0, 0x59, 0xb3, 0xca,
20151 ++ 0x87, 0xa0, 0xae, 0xc9, 0xa6, 0x62, 0x1b, 0x6e,
20152 ++ 0x4d, 0x02, 0x6b, 0x07, 0x9d, 0xfd, 0xd0, 0x92,
20153 ++ 0x06, 0xe1, 0xb2, 0x9a, 0x4a, 0x1f, 0x1f, 0x13,
20154 ++ 0x49, 0x99, 0x97, 0x08, 0xde, 0x7f, 0x98, 0xaf,
20155 ++ 0x51, 0x98, 0xee, 0x2c, 0xcb, 0xf0, 0x0b, 0xc6,
20156 ++ 0xb6, 0xb7, 0x2d, 0x9a, 0xb1, 0xac, 0xa6, 0xe3,
20157 ++ 0x15, 0x77, 0x9d, 0x6b, 0x1a, 0xe4, 0xfc, 0x8b,
20158 ++ 0xf2, 0x17, 0x59, 0x08, 0x04, 0x58, 0x81, 0x9d,
20159 ++ 0x1b, 0x1b, 0x69, 0x55, 0xc2, 0xb4, 0x3c, 0x1f,
20160 ++ 0x50, 0xf1, 0x7f, 0x77, 0x90, 0x4c, 0x66, 0x40,
20161 ++ 0x5a, 0xc0, 0x33, 0x1f, 0xcb, 0x05, 0x6d, 0x5c,
20162 ++ 0x06, 0x87, 0x52, 0xa2, 0x8f, 0x26, 0xd5, 0x4f
20163 ++};
20164 ++static const u8 enc_output010[] __initconst = {
20165 ++ 0xe5, 0x26, 0xa4, 0x3d, 0xbd, 0x33, 0xd0, 0x4b,
20166 ++ 0x6f, 0x05, 0xa7, 0x6e, 0x12, 0x7a, 0xd2, 0x74,
20167 ++ 0xa6, 0xdd, 0xbd, 0x95, 0xeb, 0xf9, 0xa4, 0xf1,
20168 ++ 0x59, 0x93, 0x91, 0x70, 0xd9, 0xfe, 0x9a, 0xcd,
20169 ++ 0x53, 0x1f, 0x3a, 0xab, 0xa6, 0x7c, 0x9f, 0xa6,
20170 ++ 0x9e, 0xbd, 0x99, 0xd9, 0xb5, 0x97, 0x44, 0xd5,
20171 ++ 0x14, 0x48, 0x4d, 0x9d, 0xc0, 0xd0, 0x05, 0x96,
20172 ++ 0xeb, 0x4c, 0x78, 0x55, 0x09, 0x08, 0x01, 0x02,
20173 ++ 0x30, 0x90, 0x7b, 0x96, 0x7a, 0x7b, 0x5f, 0x30,
20174 ++ 0x41, 0x24, 0xce, 0x68, 0x61, 0x49, 0x86, 0x57,
20175 ++ 0x82, 0xdd, 0x53, 0x1c, 0x51, 0x28, 0x2b, 0x53,
20176 ++ 0x6e, 0x2d, 0xc2, 0x20, 0x4c, 0xdd, 0x8f, 0x65,
20177 ++ 0x10, 0x20, 0x50, 0xdd, 0x9d, 0x50, 0xe5, 0x71,
20178 ++ 0x40, 0x53, 0x69, 0xfc, 0x77, 0x48, 0x11, 0xb9,
20179 ++ 0xde, 0xa4, 0x8d, 0x58, 0xe4, 0xa6, 0x1a, 0x18,
20180 ++ 0x47, 0x81, 0x7e, 0xfc, 0xdd, 0xf6, 0xef, 0xce,
20181 ++ 0x2f, 0x43, 0x68, 0xd6, 0x06, 0xe2, 0x74, 0x6a,
20182 ++ 0xad, 0x90, 0xf5, 0x37, 0xf3, 0x3d, 0x82, 0x69,
20183 ++ 0x40, 0xe9, 0x6b, 0xa7, 0x3d, 0xa8, 0x1e, 0xd2,
20184 ++ 0x02, 0x7c, 0xb7, 0x9b, 0xe4, 0xda, 0x8f, 0x95,
20185 ++ 0x06, 0xc5, 0xdf, 0x73, 0xa3, 0x20, 0x9a, 0x49,
20186 ++ 0xde, 0x9c, 0xbc, 0xee, 0x14, 0x3f, 0x81, 0x5e,
20187 ++ 0xf8, 0x3b, 0x59, 0x3c, 0xe1, 0x68, 0x12, 0x5a,
20188 ++ 0x3a, 0x76, 0x3a, 0x3f, 0xf7, 0x87, 0x33, 0x0a,
20189 ++ 0x01, 0xb8, 0xd4, 0xed, 0xb6, 0xbe, 0x94, 0x5e,
20190 ++ 0x70, 0x40, 0x56, 0x67, 0x1f, 0x50, 0x44, 0x19,
20191 ++ 0xce, 0x82, 0x70, 0x10, 0x87, 0x13, 0x20, 0x0b,
20192 ++ 0x4c, 0x5a, 0xb6, 0xf6, 0xa7, 0xae, 0x81, 0x75,
20193 ++ 0x01, 0x81, 0xe6, 0x4b, 0x57, 0x7c, 0xdd, 0x6d,
20194 ++ 0xf8, 0x1c, 0x29, 0x32, 0xf7, 0xda, 0x3c, 0x2d,
20195 ++ 0xf8, 0x9b, 0x25, 0x6e, 0x00, 0xb4, 0xf7, 0x2f,
20196 ++ 0xf7, 0x04, 0xf7, 0xa1, 0x56, 0xac, 0x4f, 0x1a,
20197 ++ 0x64, 0xb8, 0x47, 0x55, 0x18, 0x7b, 0x07, 0x4d,
20198 ++ 0xbd, 0x47, 0x24, 0x80, 0x5d, 0xa2, 0x70, 0xc5,
20199 ++ 0xdd, 0x8e, 0x82, 0xd4, 0xeb, 0xec, 0xb2, 0x0c,
20200 ++ 0x39, 0xd2, 0x97, 0xc1, 0xcb, 0xeb, 0xf4, 0x77,
20201 ++ 0x59, 0xb4, 0x87, 0xef, 0xcb, 0x43, 0x2d, 0x46,
20202 ++ 0x54, 0xd1, 0xa7, 0xd7, 0x15, 0x99, 0x0a, 0x43,
20203 ++ 0xa1, 0xe0, 0x99, 0x33, 0x71, 0xc1, 0xed, 0xfe,
20204 ++ 0x72, 0x46, 0x33, 0x8e, 0x91, 0x08, 0x9f, 0xc8,
20205 ++ 0x2e, 0xca, 0xfa, 0xdc, 0x59, 0xd5, 0xc3, 0x76,
20206 ++ 0x84, 0x9f, 0xa3, 0x37, 0x68, 0xc3, 0xf0, 0x47,
20207 ++ 0x2c, 0x68, 0xdb, 0x5e, 0xc3, 0x49, 0x4c, 0xe8,
20208 ++ 0x92, 0x85, 0xe2, 0x23, 0xd3, 0x3f, 0xad, 0x32,
20209 ++ 0xe5, 0x2b, 0x82, 0xd7, 0x8f, 0x99, 0x0a, 0x59,
20210 ++ 0x5c, 0x45, 0xd9, 0xb4, 0x51, 0x52, 0xc2, 0xae,
20211 ++ 0xbf, 0x80, 0xcf, 0xc9, 0xc9, 0x51, 0x24, 0x2a,
20212 ++ 0x3b, 0x3a, 0x4d, 0xae, 0xeb, 0xbd, 0x22, 0xc3,
20213 ++ 0x0e, 0x0f, 0x59, 0x25, 0x92, 0x17, 0xe9, 0x74,
20214 ++ 0xc7, 0x8b, 0x70, 0x70, 0x36, 0x55, 0x95, 0x75,
20215 ++ 0x4b, 0xad, 0x61, 0x2b, 0x09, 0xbc, 0x82, 0xf2,
20216 ++ 0x6e, 0x94, 0x43, 0xae, 0xc3, 0xd5, 0xcd, 0x8e,
20217 ++ 0xfe, 0x5b, 0x9a, 0x88, 0x43, 0x01, 0x75, 0xb2,
20218 ++ 0x23, 0x09, 0xf7, 0x89, 0x83, 0xe7, 0xfa, 0xf9,
20219 ++ 0xb4, 0x9b, 0xf8, 0xef, 0xbd, 0x1c, 0x92, 0xc1,
20220 ++ 0xda, 0x7e, 0xfe, 0x05, 0xba, 0x5a, 0xcd, 0x07,
20221 ++ 0x6a, 0x78, 0x9e, 0x5d, 0xfb, 0x11, 0x2f, 0x79,
20222 ++ 0x38, 0xb6, 0xc2, 0x5b, 0x6b, 0x51, 0xb4, 0x71,
20223 ++ 0xdd, 0xf7, 0x2a, 0xe4, 0xf4, 0x72, 0x76, 0xad,
20224 ++ 0xc2, 0xdd, 0x64, 0x5d, 0x79, 0xb6, 0xf5, 0x7a,
20225 ++ 0x77, 0x20, 0x05, 0x3d, 0x30, 0x06, 0xd4, 0x4c,
20226 ++ 0x0a, 0x2c, 0x98, 0x5a, 0xb9, 0xd4, 0x98, 0xa9,
20227 ++ 0x3f, 0xc6, 0x12, 0xea, 0x3b, 0x4b, 0xc5, 0x79,
20228 ++ 0x64, 0x63, 0x6b, 0x09, 0x54, 0x3b, 0x14, 0x27,
20229 ++ 0xba, 0x99, 0x80, 0xc8, 0x72, 0xa8, 0x12, 0x90,
20230 ++ 0x29, 0xba, 0x40, 0x54, 0x97, 0x2b, 0x7b, 0xfe,
20231 ++ 0xeb, 0xcd, 0x01, 0x05, 0x44, 0x72, 0xdb, 0x99,
20232 ++ 0xe4, 0x61, 0xc9, 0x69, 0xd6, 0xb9, 0x28, 0xd1,
20233 ++ 0x05, 0x3e, 0xf9, 0x0b, 0x49, 0x0a, 0x49, 0xe9,
20234 ++ 0x8d, 0x0e, 0xa7, 0x4a, 0x0f, 0xaf, 0x32, 0xd0,
20235 ++ 0xe0, 0xb2, 0x3a, 0x55, 0x58, 0xfe, 0x5c, 0x28,
20236 ++ 0x70, 0x51, 0x23, 0xb0, 0x7b, 0x6a, 0x5f, 0x1e,
20237 ++ 0xb8, 0x17, 0xd7, 0x94, 0x15, 0x8f, 0xee, 0x20,
20238 ++ 0xc7, 0x42, 0x25, 0x3e, 0x9a, 0x14, 0xd7, 0x60,
20239 ++ 0x72, 0x39, 0x47, 0x48, 0xa9, 0xfe, 0xdd, 0x47,
20240 ++ 0x0a, 0xb1, 0xe6, 0x60, 0x28, 0x8c, 0x11, 0x68,
20241 ++ 0xe1, 0xff, 0xd7, 0xce, 0xc8, 0xbe, 0xb3, 0xfe,
20242 ++ 0x27, 0x30, 0x09, 0x70, 0xd7, 0xfa, 0x02, 0x33,
20243 ++ 0x3a, 0x61, 0x2e, 0xc7, 0xff, 0xa4, 0x2a, 0xa8,
20244 ++ 0x6e, 0xb4, 0x79, 0x35, 0x6d, 0x4c, 0x1e, 0x38,
20245 ++ 0xf8, 0xee, 0xd4, 0x84, 0x4e, 0x6e, 0x28, 0xa7,
20246 ++ 0xce, 0xc8, 0xc1, 0xcf, 0x80, 0x05, 0xf3, 0x04,
20247 ++ 0xef, 0xc8, 0x18, 0x28, 0x2e, 0x8d, 0x5e, 0x0c,
20248 ++ 0xdf, 0xb8, 0x5f, 0x96, 0xe8, 0xc6, 0x9c, 0x2f,
20249 ++ 0xe5, 0xa6, 0x44, 0xd7, 0xe7, 0x99, 0x44, 0x0c,
20250 ++ 0xec, 0xd7, 0x05, 0x60, 0x97, 0xbb, 0x74, 0x77,
20251 ++ 0x58, 0xd5, 0xbb, 0x48, 0xde, 0x5a, 0xb2, 0x54,
20252 ++ 0x7f, 0x0e, 0x46, 0x70, 0x6a, 0x6f, 0x78, 0xa5,
20253 ++ 0x08, 0x89, 0x05, 0x4e, 0x7e, 0xa0, 0x69, 0xb4,
20254 ++ 0x40, 0x60, 0x55, 0x77, 0x75, 0x9b, 0x19, 0xf2,
20255 ++ 0xd5, 0x13, 0x80, 0x77, 0xf9, 0x4b, 0x3f, 0x1e,
20256 ++ 0xee, 0xe6, 0x76, 0x84, 0x7b, 0x8c, 0xe5, 0x27,
20257 ++ 0xa8, 0x0a, 0x91, 0x01, 0x68, 0x71, 0x8a, 0x3f,
20258 ++ 0x06, 0xab, 0xf6, 0xa9, 0xa5, 0xe6, 0x72, 0x92,
20259 ++ 0xe4, 0x67, 0xe2, 0xa2, 0x46, 0x35, 0x84, 0x55,
20260 ++ 0x7d, 0xca, 0xa8, 0x85, 0xd0, 0xf1, 0x3f, 0xbe,
20261 ++ 0xd7, 0x34, 0x64, 0xfc, 0xae, 0xe3, 0xe4, 0x04,
20262 ++ 0x9f, 0x66, 0x02, 0xb9, 0x88, 0x10, 0xd9, 0xc4,
20263 ++ 0x4c, 0x31, 0x43, 0x7a, 0x93, 0xe2, 0x9b, 0x56,
20264 ++ 0x43, 0x84, 0xdc, 0xdc, 0xde, 0x1d, 0xa4, 0x02,
20265 ++ 0x0e, 0xc2, 0xef, 0xc3, 0xf8, 0x78, 0xd1, 0xb2,
20266 ++ 0x6b, 0x63, 0x18, 0xc9, 0xa9, 0xe5, 0x72, 0xd8,
20267 ++ 0xf3, 0xb9, 0xd1, 0x8a, 0xc7, 0x1a, 0x02, 0x27,
20268 ++ 0x20, 0x77, 0x10, 0xe5, 0xc8, 0xd4, 0x4a, 0x47,
20269 ++ 0xe5, 0xdf, 0x5f, 0x01, 0xaa, 0xb0, 0xd4, 0x10,
20270 ++ 0xbb, 0x69, 0xe3, 0x36, 0xc8, 0xe1, 0x3d, 0x43,
20271 ++ 0xfb, 0x86, 0xcd, 0xcc, 0xbf, 0xf4, 0x88, 0xe0,
20272 ++ 0x20, 0xca, 0xb7, 0x1b, 0xf1, 0x2f, 0x5c, 0xee,
20273 ++ 0xd4, 0xd3, 0xa3, 0xcc, 0xa4, 0x1e, 0x1c, 0x47,
20274 ++ 0xfb, 0xbf, 0xfc, 0xa2, 0x41, 0x55, 0x9d, 0xf6,
20275 ++ 0x5a, 0x5e, 0x65, 0x32, 0x34, 0x7b, 0x52, 0x8d,
20276 ++ 0xd5, 0xd0, 0x20, 0x60, 0x03, 0xab, 0x3f, 0x8c,
20277 ++ 0xd4, 0x21, 0xea, 0x2a, 0xd9, 0xc4, 0xd0, 0xd3,
20278 ++ 0x65, 0xd8, 0x7a, 0x13, 0x28, 0x62, 0x32, 0x4b,
20279 ++ 0x2c, 0x87, 0x93, 0xa8, 0xb4, 0x52, 0x45, 0x09,
20280 ++ 0x44, 0xec, 0xec, 0xc3, 0x17, 0xdb, 0x9a, 0x4d,
20281 ++ 0x5c, 0xa9, 0x11, 0xd4, 0x7d, 0xaf, 0x9e, 0xf1,
20282 ++ 0x2d, 0xb2, 0x66, 0xc5, 0x1d, 0xed, 0xb7, 0xcd,
20283 ++ 0x0b, 0x25, 0x5e, 0x30, 0x47, 0x3f, 0x40, 0xf4,
20284 ++ 0xa1, 0xa0, 0x00, 0x94, 0x10, 0xc5, 0x6a, 0x63,
20285 ++ 0x1a, 0xd5, 0x88, 0x92, 0x8e, 0x82, 0x39, 0x87,
20286 ++ 0x3c, 0x78, 0x65, 0x58, 0x42, 0x75, 0x5b, 0xdd,
20287 ++ 0x77, 0x3e, 0x09, 0x4e, 0x76, 0x5b, 0xe6, 0x0e,
20288 ++ 0x4d, 0x38, 0xb2, 0xc0, 0xb8, 0x95, 0x01, 0x7a,
20289 ++ 0x10, 0xe0, 0xfb, 0x07, 0xf2, 0xab, 0x2d, 0x8c,
20290 ++ 0x32, 0xed, 0x2b, 0xc0, 0x46, 0xc2, 0xf5, 0x38,
20291 ++ 0x83, 0xf0, 0x17, 0xec, 0xc1, 0x20, 0x6a, 0x9a,
20292 ++ 0x0b, 0x00, 0xa0, 0x98, 0x22, 0x50, 0x23, 0xd5,
20293 ++ 0x80, 0x6b, 0xf6, 0x1f, 0xc3, 0xcc, 0x97, 0xc9,
20294 ++ 0x24, 0x9f, 0xf3, 0xaf, 0x43, 0x14, 0xd5, 0xa0
20295 ++};
20296 ++static const u8 enc_assoc010[] __initconst = {
20297 ++ 0xd2, 0xa1, 0x70, 0xdb, 0x7a, 0xf8, 0xfa, 0x27,
20298 ++ 0xba, 0x73, 0x0f, 0xbf, 0x3d, 0x1e, 0x82, 0xb2
20299 ++};
20300 ++static const u8 enc_nonce010[] __initconst = {
20301 ++ 0xdb, 0x92, 0x0f, 0x7f, 0x17, 0x54, 0x0c, 0x30
20302 ++};
20303 ++static const u8 enc_key010[] __initconst = {
20304 ++ 0x47, 0x11, 0xeb, 0x86, 0x2b, 0x2c, 0xab, 0x44,
20305 ++ 0x34, 0xda, 0x7f, 0x57, 0x03, 0x39, 0x0c, 0xaf,
20306 ++ 0x2c, 0x14, 0xfd, 0x65, 0x23, 0xe9, 0x8e, 0x74,
20307 ++ 0xd5, 0x08, 0x68, 0x08, 0xe7, 0xb4, 0x72, 0xd7
20308 ++};
20309 ++
20310 ++static const u8 enc_input011[] __initconst = {
20311 ++ 0x7a, 0x57, 0xf2, 0xc7, 0x06, 0x3f, 0x50, 0x7b,
20312 ++ 0x36, 0x1a, 0x66, 0x5c, 0xb9, 0x0e, 0x5e, 0x3b,
20313 ++ 0x45, 0x60, 0xbe, 0x9a, 0x31, 0x9f, 0xff, 0x5d,
20314 ++ 0x66, 0x34, 0xb4, 0xdc, 0xfb, 0x9d, 0x8e, 0xee,
20315 ++ 0x6a, 0x33, 0xa4, 0x07, 0x3c, 0xf9, 0x4c, 0x30,
20316 ++ 0xa1, 0x24, 0x52, 0xf9, 0x50, 0x46, 0x88, 0x20,
20317 ++ 0x02, 0x32, 0x3a, 0x0e, 0x99, 0x63, 0xaf, 0x1f,
20318 ++ 0x15, 0x28, 0x2a, 0x05, 0xff, 0x57, 0x59, 0x5e,
20319 ++ 0x18, 0xa1, 0x1f, 0xd0, 0x92, 0x5c, 0x88, 0x66,
20320 ++ 0x1b, 0x00, 0x64, 0xa5, 0x93, 0x8d, 0x06, 0x46,
20321 ++ 0xb0, 0x64, 0x8b, 0x8b, 0xef, 0x99, 0x05, 0x35,
20322 ++ 0x85, 0xb3, 0xf3, 0x33, 0xbb, 0xec, 0x66, 0xb6,
20323 ++ 0x3d, 0x57, 0x42, 0xe3, 0xb4, 0xc6, 0xaa, 0xb0,
20324 ++ 0x41, 0x2a, 0xb9, 0x59, 0xa9, 0xf6, 0x3e, 0x15,
20325 ++ 0x26, 0x12, 0x03, 0x21, 0x4c, 0x74, 0x43, 0x13,
20326 ++ 0x2a, 0x03, 0x27, 0x09, 0xb4, 0xfb, 0xe7, 0xb7,
20327 ++ 0x40, 0xff, 0x5e, 0xce, 0x48, 0x9a, 0x60, 0xe3,
20328 ++ 0x8b, 0x80, 0x8c, 0x38, 0x2d, 0xcb, 0x93, 0x37,
20329 ++ 0x74, 0x05, 0x52, 0x6f, 0x73, 0x3e, 0xc3, 0xbc,
20330 ++ 0xca, 0x72, 0x0a, 0xeb, 0xf1, 0x3b, 0xa0, 0x95,
20331 ++ 0xdc, 0x8a, 0xc4, 0xa9, 0xdc, 0xca, 0x44, 0xd8,
20332 ++ 0x08, 0x63, 0x6a, 0x36, 0xd3, 0x3c, 0xb8, 0xac,
20333 ++ 0x46, 0x7d, 0xfd, 0xaa, 0xeb, 0x3e, 0x0f, 0x45,
20334 ++ 0x8f, 0x49, 0xda, 0x2b, 0xf2, 0x12, 0xbd, 0xaf,
20335 ++ 0x67, 0x8a, 0x63, 0x48, 0x4b, 0x55, 0x5f, 0x6d,
20336 ++ 0x8c, 0xb9, 0x76, 0x34, 0x84, 0xae, 0xc2, 0xfc,
20337 ++ 0x52, 0x64, 0x82, 0xf7, 0xb0, 0x06, 0xf0, 0x45,
20338 ++ 0x73, 0x12, 0x50, 0x30, 0x72, 0xea, 0x78, 0x9a,
20339 ++ 0xa8, 0xaf, 0xb5, 0xe3, 0xbb, 0x77, 0x52, 0xec,
20340 ++ 0x59, 0x84, 0xbf, 0x6b, 0x8f, 0xce, 0x86, 0x5e,
20341 ++ 0x1f, 0x23, 0xe9, 0xfb, 0x08, 0x86, 0xf7, 0x10,
20342 ++ 0xb9, 0xf2, 0x44, 0x96, 0x44, 0x63, 0xa9, 0xa8,
20343 ++ 0x78, 0x00, 0x23, 0xd6, 0xc7, 0xe7, 0x6e, 0x66,
20344 ++ 0x4f, 0xcc, 0xee, 0x15, 0xb3, 0xbd, 0x1d, 0xa0,
20345 ++ 0xe5, 0x9c, 0x1b, 0x24, 0x2c, 0x4d, 0x3c, 0x62,
20346 ++ 0x35, 0x9c, 0x88, 0x59, 0x09, 0xdd, 0x82, 0x1b,
20347 ++ 0xcf, 0x0a, 0x83, 0x6b, 0x3f, 0xae, 0x03, 0xc4,
20348 ++ 0xb4, 0xdd, 0x7e, 0x5b, 0x28, 0x76, 0x25, 0x96,
20349 ++ 0xd9, 0xc9, 0x9d, 0x5f, 0x86, 0xfa, 0xf6, 0xd7,
20350 ++ 0xd2, 0xe6, 0x76, 0x1d, 0x0f, 0xa1, 0xdc, 0x74,
20351 ++ 0x05, 0x1b, 0x1d, 0xe0, 0xcd, 0x16, 0xb0, 0xa8,
20352 ++ 0x8a, 0x34, 0x7b, 0x15, 0x11, 0x77, 0xe5, 0x7b,
20353 ++ 0x7e, 0x20, 0xf7, 0xda, 0x38, 0xda, 0xce, 0x70,
20354 ++ 0xe9, 0xf5, 0x6c, 0xd9, 0xbe, 0x0c, 0x4c, 0x95,
20355 ++ 0x4c, 0xc2, 0x9b, 0x34, 0x55, 0x55, 0xe1, 0xf3,
20356 ++ 0x46, 0x8e, 0x48, 0x74, 0x14, 0x4f, 0x9d, 0xc9,
20357 ++ 0xf5, 0xe8, 0x1a, 0xf0, 0x11, 0x4a, 0xc1, 0x8d,
20358 ++ 0xe0, 0x93, 0xa0, 0xbe, 0x09, 0x1c, 0x2b, 0x4e,
20359 ++ 0x0f, 0xb2, 0x87, 0x8b, 0x84, 0xfe, 0x92, 0x32,
20360 ++ 0x14, 0xd7, 0x93, 0xdf, 0xe7, 0x44, 0xbc, 0xc5,
20361 ++ 0xae, 0x53, 0x69, 0xd8, 0xb3, 0x79, 0x37, 0x80,
20362 ++ 0xe3, 0x17, 0x5c, 0xec, 0x53, 0x00, 0x9a, 0xe3,
20363 ++ 0x8e, 0xdc, 0x38, 0xb8, 0x66, 0xf0, 0xd3, 0xad,
20364 ++ 0x1d, 0x02, 0x96, 0x86, 0x3e, 0x9d, 0x3b, 0x5d,
20365 ++ 0xa5, 0x7f, 0x21, 0x10, 0xf1, 0x1f, 0x13, 0x20,
20366 ++ 0xf9, 0x57, 0x87, 0x20, 0xf5, 0x5f, 0xf1, 0x17,
20367 ++ 0x48, 0x0a, 0x51, 0x5a, 0xcd, 0x19, 0x03, 0xa6,
20368 ++ 0x5a, 0xd1, 0x12, 0x97, 0xe9, 0x48, 0xe2, 0x1d,
20369 ++ 0x83, 0x75, 0x50, 0xd9, 0x75, 0x7d, 0x6a, 0x82,
20370 ++ 0xa1, 0xf9, 0x4e, 0x54, 0x87, 0x89, 0xc9, 0x0c,
20371 ++ 0xb7, 0x5b, 0x6a, 0x91, 0xc1, 0x9c, 0xb2, 0xa9,
20372 ++ 0xdc, 0x9a, 0xa4, 0x49, 0x0a, 0x6d, 0x0d, 0xbb,
20373 ++ 0xde, 0x86, 0x44, 0xdd, 0x5d, 0x89, 0x2b, 0x96,
20374 ++ 0x0f, 0x23, 0x95, 0xad, 0xcc, 0xa2, 0xb3, 0xb9,
20375 ++ 0x7e, 0x74, 0x38, 0xba, 0x9f, 0x73, 0xae, 0x5f,
20376 ++ 0xf8, 0x68, 0xa2, 0xe0, 0xa9, 0xce, 0xbd, 0x40,
20377 ++ 0xd4, 0x4c, 0x6b, 0xd2, 0x56, 0x62, 0xb0, 0xcc,
20378 ++ 0x63, 0x7e, 0x5b, 0xd3, 0xae, 0xd1, 0x75, 0xce,
20379 ++ 0xbb, 0xb4, 0x5b, 0xa8, 0xf8, 0xb4, 0xac, 0x71,
20380 ++ 0x75, 0xaa, 0xc9, 0x9f, 0xbb, 0x6c, 0xad, 0x0f,
20381 ++ 0x55, 0x5d, 0xe8, 0x85, 0x7d, 0xf9, 0x21, 0x35,
20382 ++ 0xea, 0x92, 0x85, 0x2b, 0x00, 0xec, 0x84, 0x90,
20383 ++ 0x0a, 0x63, 0x96, 0xe4, 0x6b, 0xa9, 0x77, 0xb8,
20384 ++ 0x91, 0xf8, 0x46, 0x15, 0x72, 0x63, 0x70, 0x01,
20385 ++ 0x40, 0xa3, 0xa5, 0x76, 0x62, 0x2b, 0xbf, 0xf1,
20386 ++ 0xe5, 0x8d, 0x9f, 0xa3, 0xfa, 0x9b, 0x03, 0xbe,
20387 ++ 0xfe, 0x65, 0x6f, 0xa2, 0x29, 0x0d, 0x54, 0xb4,
20388 ++ 0x71, 0xce, 0xa9, 0xd6, 0x3d, 0x88, 0xf9, 0xaf,
20389 ++ 0x6b, 0xa8, 0x9e, 0xf4, 0x16, 0x96, 0x36, 0xb9,
20390 ++ 0x00, 0xdc, 0x10, 0xab, 0xb5, 0x08, 0x31, 0x1f,
20391 ++ 0x00, 0xb1, 0x3c, 0xd9, 0x38, 0x3e, 0xc6, 0x04,
20392 ++ 0xa7, 0x4e, 0xe8, 0xae, 0xed, 0x98, 0xc2, 0xf7,
20393 ++ 0xb9, 0x00, 0x5f, 0x8c, 0x60, 0xd1, 0xe5, 0x15,
20394 ++ 0xf7, 0xae, 0x1e, 0x84, 0x88, 0xd1, 0xf6, 0xbc,
20395 ++ 0x3a, 0x89, 0x35, 0x22, 0x83, 0x7c, 0xca, 0xf0,
20396 ++ 0x33, 0x82, 0x4c, 0x79, 0x3c, 0xfd, 0xb1, 0xae,
20397 ++ 0x52, 0x62, 0x55, 0xd2, 0x41, 0x60, 0xc6, 0xbb,
20398 ++ 0xfa, 0x0e, 0x59, 0xd6, 0xa8, 0xfe, 0x5d, 0xed,
20399 ++ 0x47, 0x3d, 0xe0, 0xea, 0x1f, 0x6e, 0x43, 0x51,
20400 ++ 0xec, 0x10, 0x52, 0x56, 0x77, 0x42, 0x6b, 0x52,
20401 ++ 0x87, 0xd8, 0xec, 0xe0, 0xaa, 0x76, 0xa5, 0x84,
20402 ++ 0x2a, 0x22, 0x24, 0xfd, 0x92, 0x40, 0x88, 0xd5,
20403 ++ 0x85, 0x1c, 0x1f, 0x6b, 0x47, 0xa0, 0xc4, 0xe4,
20404 ++ 0xef, 0xf4, 0xea, 0xd7, 0x59, 0xac, 0x2a, 0x9e,
20405 ++ 0x8c, 0xfa, 0x1f, 0x42, 0x08, 0xfe, 0x4f, 0x74,
20406 ++ 0xa0, 0x26, 0xf5, 0xb3, 0x84, 0xf6, 0x58, 0x5f,
20407 ++ 0x26, 0x66, 0x3e, 0xd7, 0xe4, 0x22, 0x91, 0x13,
20408 ++ 0xc8, 0xac, 0x25, 0x96, 0x23, 0xd8, 0x09, 0xea,
20409 ++ 0x45, 0x75, 0x23, 0xb8, 0x5f, 0xc2, 0x90, 0x8b,
20410 ++ 0x09, 0xc4, 0xfc, 0x47, 0x6c, 0x6d, 0x0a, 0xef,
20411 ++ 0x69, 0xa4, 0x38, 0x19, 0xcf, 0x7d, 0xf9, 0x09,
20412 ++ 0x73, 0x9b, 0x60, 0x5a, 0xf7, 0x37, 0xb5, 0xfe,
20413 ++ 0x9f, 0xe3, 0x2b, 0x4c, 0x0d, 0x6e, 0x19, 0xf1,
20414 ++ 0xd6, 0xc0, 0x70, 0xf3, 0x9d, 0x22, 0x3c, 0xf9,
20415 ++ 0x49, 0xce, 0x30, 0x8e, 0x44, 0xb5, 0x76, 0x15,
20416 ++ 0x8f, 0x52, 0xfd, 0xa5, 0x04, 0xb8, 0x55, 0x6a,
20417 ++ 0x36, 0x59, 0x7c, 0xc4, 0x48, 0xb8, 0xd7, 0xab,
20418 ++ 0x05, 0x66, 0xe9, 0x5e, 0x21, 0x6f, 0x6b, 0x36,
20419 ++ 0x29, 0xbb, 0xe9, 0xe3, 0xa2, 0x9a, 0xa8, 0xcd,
20420 ++ 0x55, 0x25, 0x11, 0xba, 0x5a, 0x58, 0xa0, 0xde,
20421 ++ 0xae, 0x19, 0x2a, 0x48, 0x5a, 0xff, 0x36, 0xcd,
20422 ++ 0x6d, 0x16, 0x7a, 0x73, 0x38, 0x46, 0xe5, 0x47,
20423 ++ 0x59, 0xc8, 0xa2, 0xf6, 0xe2, 0x6c, 0x83, 0xc5,
20424 ++ 0x36, 0x2c, 0x83, 0x7d, 0xb4, 0x01, 0x05, 0x69,
20425 ++ 0xe7, 0xaf, 0x5c, 0xc4, 0x64, 0x82, 0x12, 0x21,
20426 ++ 0xef, 0xf7, 0xd1, 0x7d, 0xb8, 0x8d, 0x8c, 0x98,
20427 ++ 0x7c, 0x5f, 0x7d, 0x92, 0x88, 0xb9, 0x94, 0x07,
20428 ++ 0x9c, 0xd8, 0xe9, 0x9c, 0x17, 0x38, 0xe3, 0x57,
20429 ++ 0x6c, 0xe0, 0xdc, 0xa5, 0x92, 0x42, 0xb3, 0xbd,
20430 ++ 0x50, 0xa2, 0x7e, 0xb5, 0xb1, 0x52, 0x72, 0x03,
20431 ++ 0x97, 0xd8, 0xaa, 0x9a, 0x1e, 0x75, 0x41, 0x11,
20432 ++ 0xa3, 0x4f, 0xcc, 0xd4, 0xe3, 0x73, 0xad, 0x96,
20433 ++ 0xdc, 0x47, 0x41, 0x9f, 0xb0, 0xbe, 0x79, 0x91,
20434 ++ 0xf5, 0xb6, 0x18, 0xfe, 0xc2, 0x83, 0x18, 0x7d,
20435 ++ 0x73, 0xd9, 0x4f, 0x83, 0x84, 0x03, 0xb3, 0xf0,
20436 ++ 0x77, 0x66, 0x3d, 0x83, 0x63, 0x2e, 0x2c, 0xf9,
20437 ++ 0xdd, 0xa6, 0x1f, 0x89, 0x82, 0xb8, 0x23, 0x42,
20438 ++ 0xeb, 0xe2, 0xca, 0x70, 0x82, 0x61, 0x41, 0x0a,
20439 ++ 0x6d, 0x5f, 0x75, 0xc5, 0xe2, 0xc4, 0x91, 0x18,
20440 ++ 0x44, 0x22, 0xfa, 0x34, 0x10, 0xf5, 0x20, 0xdc,
20441 ++ 0xb7, 0xdd, 0x2a, 0x20, 0x77, 0xf5, 0xf9, 0xce,
20442 ++ 0xdb, 0xa0, 0x0a, 0x52, 0x2a, 0x4e, 0xdd, 0xcc,
20443 ++ 0x97, 0xdf, 0x05, 0xe4, 0x5e, 0xb7, 0xaa, 0xf0,
20444 ++ 0xe2, 0x80, 0xff, 0xba, 0x1a, 0x0f, 0xac, 0xdf,
20445 ++ 0x02, 0x32, 0xe6, 0xf7, 0xc7, 0x17, 0x13, 0xb7,
20446 ++ 0xfc, 0x98, 0x48, 0x8c, 0x0d, 0x82, 0xc9, 0x80,
20447 ++ 0x7a, 0xe2, 0x0a, 0xc5, 0xb4, 0xde, 0x7c, 0x3c,
20448 ++ 0x79, 0x81, 0x0e, 0x28, 0x65, 0x79, 0x67, 0x82,
20449 ++ 0x69, 0x44, 0x66, 0x09, 0xf7, 0x16, 0x1a, 0xf9,
20450 ++ 0x7d, 0x80, 0xa1, 0x79, 0x14, 0xa9, 0xc8, 0x20,
20451 ++ 0xfb, 0xa2, 0x46, 0xbe, 0x08, 0x35, 0x17, 0x58,
20452 ++ 0xc1, 0x1a, 0xda, 0x2a, 0x6b, 0x2e, 0x1e, 0xe6,
20453 ++ 0x27, 0x55, 0x7b, 0x19, 0xe2, 0xfb, 0x64, 0xfc,
20454 ++ 0x5e, 0x15, 0x54, 0x3c, 0xe7, 0xc2, 0x11, 0x50,
20455 ++ 0x30, 0xb8, 0x72, 0x03, 0x0b, 0x1a, 0x9f, 0x86,
20456 ++ 0x27, 0x11, 0x5c, 0x06, 0x2b, 0xbd, 0x75, 0x1a,
20457 ++ 0x0a, 0xda, 0x01, 0xfa, 0x5c, 0x4a, 0xc1, 0x80,
20458 ++ 0x3a, 0x6e, 0x30, 0xc8, 0x2c, 0xeb, 0x56, 0xec,
20459 ++ 0x89, 0xfa, 0x35, 0x7b, 0xb2, 0xf0, 0x97, 0x08,
20460 ++ 0x86, 0x53, 0xbe, 0xbd, 0x40, 0x41, 0x38, 0x1c,
20461 ++ 0xb4, 0x8b, 0x79, 0x2e, 0x18, 0x96, 0x94, 0xde,
20462 ++ 0xe8, 0xca, 0xe5, 0x9f, 0x92, 0x9f, 0x15, 0x5d,
20463 ++ 0x56, 0x60, 0x5c, 0x09, 0xf9, 0x16, 0xf4, 0x17,
20464 ++ 0x0f, 0xf6, 0x4c, 0xda, 0xe6, 0x67, 0x89, 0x9f,
20465 ++ 0xca, 0x6c, 0xe7, 0x9b, 0x04, 0x62, 0x0e, 0x26,
20466 ++ 0xa6, 0x52, 0xbd, 0x29, 0xff, 0xc7, 0xa4, 0x96,
20467 ++ 0xe6, 0x6a, 0x02, 0xa5, 0x2e, 0x7b, 0xfe, 0x97,
20468 ++ 0x68, 0x3e, 0x2e, 0x5f, 0x3b, 0x0f, 0x36, 0xd6,
20469 ++ 0x98, 0x19, 0x59, 0x48, 0xd2, 0xc6, 0xe1, 0x55,
20470 ++ 0x1a, 0x6e, 0xd6, 0xed, 0x2c, 0xba, 0xc3, 0x9e,
20471 ++ 0x64, 0xc9, 0x95, 0x86, 0x35, 0x5e, 0x3e, 0x88,
20472 ++ 0x69, 0x99, 0x4b, 0xee, 0xbe, 0x9a, 0x99, 0xb5,
20473 ++ 0x6e, 0x58, 0xae, 0xdd, 0x22, 0xdb, 0xdd, 0x6b,
20474 ++ 0xfc, 0xaf, 0x90, 0xa3, 0x3d, 0xa4, 0xc1, 0x15,
20475 ++ 0x92, 0x18, 0x8d, 0xd2, 0x4b, 0x7b, 0x06, 0xd1,
20476 ++ 0x37, 0xb5, 0xe2, 0x7c, 0x2c, 0xf0, 0x25, 0xe4,
20477 ++ 0x94, 0x2a, 0xbd, 0xe3, 0x82, 0x70, 0x78, 0xa3,
20478 ++ 0x82, 0x10, 0x5a, 0x90, 0xd7, 0xa4, 0xfa, 0xaf,
20479 ++ 0x1a, 0x88, 0x59, 0xdc, 0x74, 0x12, 0xb4, 0x8e,
20480 ++ 0xd7, 0x19, 0x46, 0xf4, 0x84, 0x69, 0x9f, 0xbb,
20481 ++ 0x70, 0xa8, 0x4c, 0x52, 0x81, 0xa9, 0xff, 0x76,
20482 ++ 0x1c, 0xae, 0xd8, 0x11, 0x3d, 0x7f, 0x7d, 0xc5,
20483 ++ 0x12, 0x59, 0x28, 0x18, 0xc2, 0xa2, 0xb7, 0x1c,
20484 ++ 0x88, 0xf8, 0xd6, 0x1b, 0xa6, 0x7d, 0x9e, 0xde,
20485 ++ 0x29, 0xf8, 0xed, 0xff, 0xeb, 0x92, 0x24, 0x4f,
20486 ++ 0x05, 0xaa, 0xd9, 0x49, 0xba, 0x87, 0x59, 0x51,
20487 ++ 0xc9, 0x20, 0x5c, 0x9b, 0x74, 0xcf, 0x03, 0xd9,
20488 ++ 0x2d, 0x34, 0xc7, 0x5b, 0xa5, 0x40, 0xb2, 0x99,
20489 ++ 0xf5, 0xcb, 0xb4, 0xf6, 0xb7, 0x72, 0x4a, 0xd6,
20490 ++ 0xbd, 0xb0, 0xf3, 0x93, 0xe0, 0x1b, 0xa8, 0x04,
20491 ++ 0x1e, 0x35, 0xd4, 0x80, 0x20, 0xf4, 0x9c, 0x31,
20492 ++ 0x6b, 0x45, 0xb9, 0x15, 0xb0, 0x5e, 0xdd, 0x0a,
20493 ++ 0x33, 0x9c, 0x83, 0xcd, 0x58, 0x89, 0x50, 0x56,
20494 ++ 0xbb, 0x81, 0x00, 0x91, 0x32, 0xf3, 0x1b, 0x3e,
20495 ++ 0xcf, 0x45, 0xe1, 0xf9, 0xe1, 0x2c, 0x26, 0x78,
20496 ++ 0x93, 0x9a, 0x60, 0x46, 0xc9, 0xb5, 0x5e, 0x6a,
20497 ++ 0x28, 0x92, 0x87, 0x3f, 0x63, 0x7b, 0xdb, 0xf7,
20498 ++ 0xd0, 0x13, 0x9d, 0x32, 0x40, 0x5e, 0xcf, 0xfb,
20499 ++ 0x79, 0x68, 0x47, 0x4c, 0xfd, 0x01, 0x17, 0xe6,
20500 ++ 0x97, 0x93, 0x78, 0xbb, 0xa6, 0x27, 0xa3, 0xe8,
20501 ++ 0x1a, 0xe8, 0x94, 0x55, 0x7d, 0x08, 0xe5, 0xdc,
20502 ++ 0x66, 0xa3, 0x69, 0xc8, 0xca, 0xc5, 0xa1, 0x84,
20503 ++ 0x55, 0xde, 0x08, 0x91, 0x16, 0x3a, 0x0c, 0x86,
20504 ++ 0xab, 0x27, 0x2b, 0x64, 0x34, 0x02, 0x6c, 0x76,
20505 ++ 0x8b, 0xc6, 0xaf, 0xcc, 0xe1, 0xd6, 0x8c, 0x2a,
20506 ++ 0x18, 0x3d, 0xa6, 0x1b, 0x37, 0x75, 0x45, 0x73,
20507 ++ 0xc2, 0x75, 0xd7, 0x53, 0x78, 0x3a, 0xd6, 0xe8,
20508 ++ 0x29, 0xd2, 0x4a, 0xa8, 0x1e, 0x82, 0xf6, 0xb6,
20509 ++ 0x81, 0xde, 0x21, 0xed, 0x2b, 0x56, 0xbb, 0xf2,
20510 ++ 0xd0, 0x57, 0xc1, 0x7c, 0xd2, 0x6a, 0xd2, 0x56,
20511 ++ 0xf5, 0x13, 0x5f, 0x1c, 0x6a, 0x0b, 0x74, 0xfb,
20512 ++ 0xe9, 0xfe, 0x9e, 0xea, 0x95, 0xb2, 0x46, 0xab,
20513 ++ 0x0a, 0xfc, 0xfd, 0xf3, 0xbb, 0x04, 0x2b, 0x76,
20514 ++ 0x1b, 0xa4, 0x74, 0xb0, 0xc1, 0x78, 0xc3, 0x69,
20515 ++ 0xe2, 0xb0, 0x01, 0xe1, 0xde, 0x32, 0x4c, 0x8d,
20516 ++ 0x1a, 0xb3, 0x38, 0x08, 0xd5, 0xfc, 0x1f, 0xdc,
20517 ++ 0x0e, 0x2c, 0x9c, 0xb1, 0xa1, 0x63, 0x17, 0x22,
20518 ++ 0xf5, 0x6c, 0x93, 0x70, 0x74, 0x00, 0xf8, 0x39,
20519 ++ 0x01, 0x94, 0xd1, 0x32, 0x23, 0x56, 0x5d, 0xa6,
20520 ++ 0x02, 0x76, 0x76, 0x93, 0xce, 0x2f, 0x19, 0xe9,
20521 ++ 0x17, 0x52, 0xae, 0x6e, 0x2c, 0x6d, 0x61, 0x7f,
20522 ++ 0x3b, 0xaa, 0xe0, 0x52, 0x85, 0xc5, 0x65, 0xc1,
20523 ++ 0xbb, 0x8e, 0x5b, 0x21, 0xd5, 0xc9, 0x78, 0x83,
20524 ++ 0x07, 0x97, 0x4c, 0x62, 0x61, 0x41, 0xd4, 0xfc,
20525 ++ 0xc9, 0x39, 0xe3, 0x9b, 0xd0, 0xcc, 0x75, 0xc4,
20526 ++ 0x97, 0xe6, 0xdd, 0x2a, 0x5f, 0xa6, 0xe8, 0x59,
20527 ++ 0x6c, 0x98, 0xb9, 0x02, 0xe2, 0xa2, 0xd6, 0x68,
20528 ++ 0xee, 0x3b, 0x1d, 0xe3, 0x4d, 0x5b, 0x30, 0xef,
20529 ++ 0x03, 0xf2, 0xeb, 0x18, 0x57, 0x36, 0xe8, 0xa1,
20530 ++ 0xf4, 0x47, 0xfb, 0xcb, 0x8f, 0xcb, 0xc8, 0xf3,
20531 ++ 0x4f, 0x74, 0x9d, 0x9d, 0xb1, 0x8d, 0x14, 0x44,
20532 ++ 0xd9, 0x19, 0xb4, 0x54, 0x4f, 0x75, 0x19, 0x09,
20533 ++ 0xa0, 0x75, 0xbc, 0x3b, 0x82, 0xc6, 0x3f, 0xb8,
20534 ++ 0x83, 0x19, 0x6e, 0xd6, 0x37, 0xfe, 0x6e, 0x8a,
20535 ++ 0x4e, 0xe0, 0x4a, 0xab, 0x7b, 0xc8, 0xb4, 0x1d,
20536 ++ 0xf4, 0xed, 0x27, 0x03, 0x65, 0xa2, 0xa1, 0xae,
20537 ++ 0x11, 0xe7, 0x98, 0x78, 0x48, 0x91, 0xd2, 0xd2,
20538 ++ 0xd4, 0x23, 0x78, 0x50, 0xb1, 0x5b, 0x85, 0x10,
20539 ++ 0x8d, 0xca, 0x5f, 0x0f, 0x71, 0xae, 0x72, 0x9a,
20540 ++ 0xf6, 0x25, 0x19, 0x60, 0x06, 0xf7, 0x10, 0x34,
20541 ++ 0x18, 0x0d, 0xc9, 0x9f, 0x7b, 0x0c, 0x9b, 0x8f,
20542 ++ 0x91, 0x1b, 0x9f, 0xcd, 0x10, 0xee, 0x75, 0xf9,
20543 ++ 0x97, 0x66, 0xfc, 0x4d, 0x33, 0x6e, 0x28, 0x2b,
20544 ++ 0x92, 0x85, 0x4f, 0xab, 0x43, 0x8d, 0x8f, 0x7d,
20545 ++ 0x86, 0xa7, 0xc7, 0xd8, 0xd3, 0x0b, 0x8b, 0x57,
20546 ++ 0xb6, 0x1d, 0x95, 0x0d, 0xe9, 0xbc, 0xd9, 0x03,
20547 ++ 0xd9, 0x10, 0x19, 0xc3, 0x46, 0x63, 0x55, 0x87,
20548 ++ 0x61, 0x79, 0x6c, 0x95, 0x0e, 0x9c, 0xdd, 0xca,
20549 ++ 0xc3, 0xf3, 0x64, 0xf0, 0x7d, 0x76, 0xb7, 0x53,
20550 ++ 0x67, 0x2b, 0x1e, 0x44, 0x56, 0x81, 0xea, 0x8f,
20551 ++ 0x5c, 0x42, 0x16, 0xb8, 0x28, 0xeb, 0x1b, 0x61,
20552 ++ 0x10, 0x1e, 0xbf, 0xec, 0xa8
20553 ++};
20554 ++static const u8 enc_output011[] __initconst = {
20555 ++ 0x6a, 0xfc, 0x4b, 0x25, 0xdf, 0xc0, 0xe4, 0xe8,
20556 ++ 0x17, 0x4d, 0x4c, 0xc9, 0x7e, 0xde, 0x3a, 0xcc,
20557 ++ 0x3c, 0xba, 0x6a, 0x77, 0x47, 0xdb, 0xe3, 0x74,
20558 ++ 0x7a, 0x4d, 0x5f, 0x8d, 0x37, 0x55, 0x80, 0x73,
20559 ++ 0x90, 0x66, 0x5d, 0x3a, 0x7d, 0x5d, 0x86, 0x5e,
20560 ++ 0x8d, 0xfd, 0x83, 0xff, 0x4e, 0x74, 0x6f, 0xf9,
20561 ++ 0xe6, 0x70, 0x17, 0x70, 0x3e, 0x96, 0xa7, 0x7e,
20562 ++ 0xcb, 0xab, 0x8f, 0x58, 0x24, 0x9b, 0x01, 0xfd,
20563 ++ 0xcb, 0xe6, 0x4d, 0x9b, 0xf0, 0x88, 0x94, 0x57,
20564 ++ 0x66, 0xef, 0x72, 0x4c, 0x42, 0x6e, 0x16, 0x19,
20565 ++ 0x15, 0xea, 0x70, 0x5b, 0xac, 0x13, 0xdb, 0x9f,
20566 ++ 0x18, 0xe2, 0x3c, 0x26, 0x97, 0xbc, 0xdc, 0x45,
20567 ++ 0x8c, 0x6c, 0x24, 0x69, 0x9c, 0xf7, 0x65, 0x1e,
20568 ++ 0x18, 0x59, 0x31, 0x7c, 0xe4, 0x73, 0xbc, 0x39,
20569 ++ 0x62, 0xc6, 0x5c, 0x9f, 0xbf, 0xfa, 0x90, 0x03,
20570 ++ 0xc9, 0x72, 0x26, 0xb6, 0x1b, 0xc2, 0xb7, 0x3f,
20571 ++ 0xf2, 0x13, 0x77, 0xf2, 0x8d, 0xb9, 0x47, 0xd0,
20572 ++ 0x53, 0xdd, 0xc8, 0x91, 0x83, 0x8b, 0xb1, 0xce,
20573 ++ 0xa3, 0xfe, 0xcd, 0xd9, 0xdd, 0x92, 0x7b, 0xdb,
20574 ++ 0xb8, 0xfb, 0xc9, 0x2d, 0x01, 0x59, 0x39, 0x52,
20575 ++ 0xad, 0x1b, 0xec, 0xcf, 0xd7, 0x70, 0x13, 0x21,
20576 ++ 0xf5, 0x47, 0xaa, 0x18, 0x21, 0x5c, 0xc9, 0x9a,
20577 ++ 0xd2, 0x6b, 0x05, 0x9c, 0x01, 0xa1, 0xda, 0x35,
20578 ++ 0x5d, 0xb3, 0x70, 0xe6, 0xa9, 0x80, 0x8b, 0x91,
20579 ++ 0xb7, 0xb3, 0x5f, 0x24, 0x9a, 0xb7, 0xd1, 0x6b,
20580 ++ 0xa1, 0x1c, 0x50, 0xba, 0x49, 0xe0, 0xee, 0x2e,
20581 ++ 0x75, 0xac, 0x69, 0xc0, 0xeb, 0x03, 0xdd, 0x19,
20582 ++ 0xe5, 0xf6, 0x06, 0xdd, 0xc3, 0xd7, 0x2b, 0x07,
20583 ++ 0x07, 0x30, 0xa7, 0x19, 0x0c, 0xbf, 0xe6, 0x18,
20584 ++ 0xcc, 0xb1, 0x01, 0x11, 0x85, 0x77, 0x1d, 0x96,
20585 ++ 0xa7, 0xa3, 0x00, 0x84, 0x02, 0xa2, 0x83, 0x68,
20586 ++ 0xda, 0x17, 0x27, 0xc8, 0x7f, 0x23, 0xb7, 0xf4,
20587 ++ 0x13, 0x85, 0xcf, 0xdd, 0x7a, 0x7d, 0x24, 0x57,
20588 ++ 0xfe, 0x05, 0x93, 0xf5, 0x74, 0xce, 0xed, 0x0c,
20589 ++ 0x20, 0x98, 0x8d, 0x92, 0x30, 0xa1, 0x29, 0x23,
20590 ++ 0x1a, 0xa0, 0x4f, 0x69, 0x56, 0x4c, 0xe1, 0xc8,
20591 ++ 0xce, 0xf6, 0x9a, 0x0c, 0xa4, 0xfa, 0x04, 0xf6,
20592 ++ 0x62, 0x95, 0xf2, 0xfa, 0xc7, 0x40, 0x68, 0x40,
20593 ++ 0x8f, 0x41, 0xda, 0xb4, 0x26, 0x6f, 0x70, 0xab,
20594 ++ 0x40, 0x61, 0xa4, 0x0e, 0x75, 0xfb, 0x86, 0xeb,
20595 ++ 0x9d, 0x9a, 0x1f, 0xec, 0x76, 0x99, 0xe7, 0xea,
20596 ++ 0xaa, 0x1e, 0x2d, 0xb5, 0xd4, 0xa6, 0x1a, 0xb8,
20597 ++ 0x61, 0x0a, 0x1d, 0x16, 0x5b, 0x98, 0xc2, 0x31,
20598 ++ 0x40, 0xe7, 0x23, 0x1d, 0x66, 0x99, 0xc8, 0xc0,
20599 ++ 0xd7, 0xce, 0xf3, 0x57, 0x40, 0x04, 0x3f, 0xfc,
20600 ++ 0xea, 0xb3, 0xfc, 0xd2, 0xd3, 0x99, 0xa4, 0x94,
20601 ++ 0x69, 0xa0, 0xef, 0xd1, 0x85, 0xb3, 0xa6, 0xb1,
20602 ++ 0x28, 0xbf, 0x94, 0x67, 0x22, 0xc3, 0x36, 0x46,
20603 ++ 0xf8, 0xd2, 0x0f, 0x5f, 0xf4, 0x59, 0x80, 0xe6,
20604 ++ 0x2d, 0x43, 0x08, 0x7d, 0x19, 0x09, 0x97, 0xa7,
20605 ++ 0x4c, 0x3d, 0x8d, 0xba, 0x65, 0x62, 0xa3, 0x71,
20606 ++ 0x33, 0x29, 0x62, 0xdb, 0xc1, 0x33, 0x34, 0x1a,
20607 ++ 0x63, 0x33, 0x16, 0xb6, 0x64, 0x7e, 0xab, 0x33,
20608 ++ 0xf0, 0xe6, 0x26, 0x68, 0xba, 0x1d, 0x2e, 0x38,
20609 ++ 0x08, 0xe6, 0x02, 0xd3, 0x25, 0x2c, 0x47, 0x23,
20610 ++ 0x58, 0x34, 0x0f, 0x9d, 0x63, 0x4f, 0x63, 0xbb,
20611 ++ 0x7f, 0x3b, 0x34, 0x38, 0xa7, 0xb5, 0x8d, 0x65,
20612 ++ 0xd9, 0x9f, 0x79, 0x55, 0x3e, 0x4d, 0xe7, 0x73,
20613 ++ 0xd8, 0xf6, 0x98, 0x97, 0x84, 0x60, 0x9c, 0xc8,
20614 ++ 0xa9, 0x3c, 0xf6, 0xdc, 0x12, 0x5c, 0xe1, 0xbb,
20615 ++ 0x0b, 0x8b, 0x98, 0x9c, 0x9d, 0x26, 0x7c, 0x4a,
20616 ++ 0xe6, 0x46, 0x36, 0x58, 0x21, 0x4a, 0xee, 0xca,
20617 ++ 0xd7, 0x3b, 0xc2, 0x6c, 0x49, 0x2f, 0xe5, 0xd5,
20618 ++ 0x03, 0x59, 0x84, 0x53, 0xcb, 0xfe, 0x92, 0x71,
20619 ++ 0x2e, 0x7c, 0x21, 0xcc, 0x99, 0x85, 0x7f, 0xb8,
20620 ++ 0x74, 0x90, 0x13, 0x42, 0x3f, 0xe0, 0x6b, 0x1d,
20621 ++ 0xf2, 0x4d, 0x54, 0xd4, 0xfc, 0x3a, 0x05, 0xe6,
20622 ++ 0x74, 0xaf, 0xa6, 0xa0, 0x2a, 0x20, 0x23, 0x5d,
20623 ++ 0x34, 0x5c, 0xd9, 0x3e, 0x4e, 0xfa, 0x93, 0xe7,
20624 ++ 0xaa, 0xe9, 0x6f, 0x08, 0x43, 0x67, 0x41, 0xc5,
20625 ++ 0xad, 0xfb, 0x31, 0x95, 0x82, 0x73, 0x32, 0xd8,
20626 ++ 0xa6, 0xa3, 0xed, 0x0e, 0x2d, 0xf6, 0x5f, 0xfd,
20627 ++ 0x80, 0xa6, 0x7a, 0xe0, 0xdf, 0x78, 0x15, 0x29,
20628 ++ 0x74, 0x33, 0xd0, 0x9e, 0x83, 0x86, 0x72, 0x22,
20629 ++ 0x57, 0x29, 0xb9, 0x9e, 0x5d, 0xd3, 0x1a, 0xb5,
20630 ++ 0x96, 0x72, 0x41, 0x3d, 0xf1, 0x64, 0x43, 0x67,
20631 ++ 0xee, 0xaa, 0x5c, 0xd3, 0x9a, 0x96, 0x13, 0x11,
20632 ++ 0x5d, 0xf3, 0x0c, 0x87, 0x82, 0x1e, 0x41, 0x9e,
20633 ++ 0xd0, 0x27, 0xd7, 0x54, 0x3b, 0x67, 0x73, 0x09,
20634 ++ 0x91, 0xe9, 0xd5, 0x36, 0xa7, 0xb5, 0x55, 0xe4,
20635 ++ 0xf3, 0x21, 0x51, 0x49, 0x22, 0x07, 0x55, 0x4f,
20636 ++ 0x44, 0x4b, 0xd2, 0x15, 0x93, 0x17, 0x2a, 0xfa,
20637 ++ 0x4d, 0x4a, 0x57, 0xdb, 0x4c, 0xa6, 0xeb, 0xec,
20638 ++ 0x53, 0x25, 0x6c, 0x21, 0xed, 0x00, 0x4c, 0x3b,
20639 ++ 0xca, 0x14, 0x57, 0xa9, 0xd6, 0x6a, 0xcd, 0x8d,
20640 ++ 0x5e, 0x74, 0xac, 0x72, 0xc1, 0x97, 0xe5, 0x1b,
20641 ++ 0x45, 0x4e, 0xda, 0xfc, 0xcc, 0x40, 0xe8, 0x48,
20642 ++ 0x88, 0x0b, 0xa3, 0xe3, 0x8d, 0x83, 0x42, 0xc3,
20643 ++ 0x23, 0xfd, 0x68, 0xb5, 0x8e, 0xf1, 0x9d, 0x63,
20644 ++ 0x77, 0xe9, 0xa3, 0x8e, 0x8c, 0x26, 0x6b, 0xbd,
20645 ++ 0x72, 0x73, 0x35, 0x0c, 0x03, 0xf8, 0x43, 0x78,
20646 ++ 0x52, 0x71, 0x15, 0x1f, 0x71, 0x5d, 0x6e, 0xed,
20647 ++ 0xb9, 0xcc, 0x86, 0x30, 0xdb, 0x2b, 0xd3, 0x82,
20648 ++ 0x88, 0x23, 0x71, 0x90, 0x53, 0x5c, 0xa9, 0x2f,
20649 ++ 0x76, 0x01, 0xb7, 0x9a, 0xfe, 0x43, 0x55, 0xa3,
20650 ++ 0x04, 0x9b, 0x0e, 0xe4, 0x59, 0xdf, 0xc9, 0xe9,
20651 ++ 0xb1, 0xea, 0x29, 0x28, 0x3c, 0x5c, 0xae, 0x72,
20652 ++ 0x84, 0xb6, 0xc6, 0xeb, 0x0c, 0x27, 0x07, 0x74,
20653 ++ 0x90, 0x0d, 0x31, 0xb0, 0x00, 0x77, 0xe9, 0x40,
20654 ++ 0x70, 0x6f, 0x68, 0xa7, 0xfd, 0x06, 0xec, 0x4b,
20655 ++ 0xc0, 0xb7, 0xac, 0xbc, 0x33, 0xb7, 0x6d, 0x0a,
20656 ++ 0xbd, 0x12, 0x1b, 0x59, 0xcb, 0xdd, 0x32, 0xf5,
20657 ++ 0x1d, 0x94, 0x57, 0x76, 0x9e, 0x0c, 0x18, 0x98,
20658 ++ 0x71, 0xd7, 0x2a, 0xdb, 0x0b, 0x7b, 0xa7, 0x71,
20659 ++ 0xb7, 0x67, 0x81, 0x23, 0x96, 0xae, 0xb9, 0x7e,
20660 ++ 0x32, 0x43, 0x92, 0x8a, 0x19, 0xa0, 0xc4, 0xd4,
20661 ++ 0x3b, 0x57, 0xf9, 0x4a, 0x2c, 0xfb, 0x51, 0x46,
20662 ++ 0xbb, 0xcb, 0x5d, 0xb3, 0xef, 0x13, 0x93, 0x6e,
20663 ++ 0x68, 0x42, 0x54, 0x57, 0xd3, 0x6a, 0x3a, 0x8f,
20664 ++ 0x9d, 0x66, 0xbf, 0xbd, 0x36, 0x23, 0xf5, 0x93,
20665 ++ 0x83, 0x7b, 0x9c, 0xc0, 0xdd, 0xc5, 0x49, 0xc0,
20666 ++ 0x64, 0xed, 0x07, 0x12, 0xb3, 0xe6, 0xe4, 0xe5,
20667 ++ 0x38, 0x95, 0x23, 0xb1, 0xa0, 0x3b, 0x1a, 0x61,
20668 ++ 0xda, 0x17, 0xac, 0xc3, 0x58, 0xdd, 0x74, 0x64,
20669 ++ 0x22, 0x11, 0xe8, 0x32, 0x1d, 0x16, 0x93, 0x85,
20670 ++ 0x99, 0xa5, 0x9c, 0x34, 0x55, 0xb1, 0xe9, 0x20,
20671 ++ 0x72, 0xc9, 0x28, 0x7b, 0x79, 0x00, 0xa1, 0xa6,
20672 ++ 0xa3, 0x27, 0x40, 0x18, 0x8a, 0x54, 0xe0, 0xcc,
20673 ++ 0xe8, 0x4e, 0x8e, 0x43, 0x96, 0xe7, 0x3f, 0xc8,
20674 ++ 0xe9, 0xb2, 0xf9, 0xc9, 0xda, 0x04, 0x71, 0x50,
20675 ++ 0x47, 0xe4, 0xaa, 0xce, 0xa2, 0x30, 0xc8, 0xe4,
20676 ++ 0xac, 0xc7, 0x0d, 0x06, 0x2e, 0xe6, 0xe8, 0x80,
20677 ++ 0x36, 0x29, 0x9e, 0x01, 0xb8, 0xc3, 0xf0, 0xa0,
20678 ++ 0x5d, 0x7a, 0xca, 0x4d, 0xa0, 0x57, 0xbd, 0x2a,
20679 ++ 0x45, 0xa7, 0x7f, 0x9c, 0x93, 0x07, 0x8f, 0x35,
20680 ++ 0x67, 0x92, 0xe3, 0xe9, 0x7f, 0xa8, 0x61, 0x43,
20681 ++ 0x9e, 0x25, 0x4f, 0x33, 0x76, 0x13, 0x6e, 0x12,
20682 ++ 0xb9, 0xdd, 0xa4, 0x7c, 0x08, 0x9f, 0x7c, 0xe7,
20683 ++ 0x0a, 0x8d, 0x84, 0x06, 0xa4, 0x33, 0x17, 0x34,
20684 ++ 0x5e, 0x10, 0x7c, 0xc0, 0xa8, 0x3d, 0x1f, 0x42,
20685 ++ 0x20, 0x51, 0x65, 0x5d, 0x09, 0xc3, 0xaa, 0xc0,
20686 ++ 0xc8, 0x0d, 0xf0, 0x79, 0xbc, 0x20, 0x1b, 0x95,
20687 ++ 0xe7, 0x06, 0x7d, 0x47, 0x20, 0x03, 0x1a, 0x74,
20688 ++ 0xdd, 0xe2, 0xd4, 0xae, 0x38, 0x71, 0x9b, 0xf5,
20689 ++ 0x80, 0xec, 0x08, 0x4e, 0x56, 0xba, 0x76, 0x12,
20690 ++ 0x1a, 0xdf, 0x48, 0xf3, 0xae, 0xb3, 0xe6, 0xe6,
20691 ++ 0xbe, 0xc0, 0x91, 0x2e, 0x01, 0xb3, 0x01, 0x86,
20692 ++ 0xa2, 0xb9, 0x52, 0xd1, 0x21, 0xae, 0xd4, 0x97,
20693 ++ 0x1d, 0xef, 0x41, 0x12, 0x95, 0x3d, 0x48, 0x45,
20694 ++ 0x1c, 0x56, 0x32, 0x8f, 0xb8, 0x43, 0xbb, 0x19,
20695 ++ 0xf3, 0xca, 0xe9, 0xeb, 0x6d, 0x84, 0xbe, 0x86,
20696 ++ 0x06, 0xe2, 0x36, 0xb2, 0x62, 0x9d, 0xd3, 0x4c,
20697 ++ 0x48, 0x18, 0x54, 0x13, 0x4e, 0xcf, 0xfd, 0xba,
20698 ++ 0x84, 0xb9, 0x30, 0x53, 0xcf, 0xfb, 0xb9, 0x29,
20699 ++ 0x8f, 0xdc, 0x9f, 0xef, 0x60, 0x0b, 0x64, 0xf6,
20700 ++ 0x8b, 0xee, 0xa6, 0x91, 0xc2, 0x41, 0x6c, 0xf6,
20701 ++ 0xfa, 0x79, 0x67, 0x4b, 0xc1, 0x3f, 0xaf, 0x09,
20702 ++ 0x81, 0xd4, 0x5d, 0xcb, 0x09, 0xdf, 0x36, 0x31,
20703 ++ 0xc0, 0x14, 0x3c, 0x7c, 0x0e, 0x65, 0x95, 0x99,
20704 ++ 0x6d, 0xa3, 0xf4, 0xd7, 0x38, 0xee, 0x1a, 0x2b,
20705 ++ 0x37, 0xe2, 0xa4, 0x3b, 0x4b, 0xd0, 0x65, 0xca,
20706 ++ 0xf8, 0xc3, 0xe8, 0x15, 0x20, 0xef, 0xf2, 0x00,
20707 ++ 0xfd, 0x01, 0x09, 0xc5, 0xc8, 0x17, 0x04, 0x93,
20708 ++ 0xd0, 0x93, 0x03, 0x55, 0xc5, 0xfe, 0x32, 0xa3,
20709 ++ 0x3e, 0x28, 0x2d, 0x3b, 0x93, 0x8a, 0xcc, 0x07,
20710 ++ 0x72, 0x80, 0x8b, 0x74, 0x16, 0x24, 0xbb, 0xda,
20711 ++ 0x94, 0x39, 0x30, 0x8f, 0xb1, 0xcd, 0x4a, 0x90,
20712 ++ 0x92, 0x7c, 0x14, 0x8f, 0x95, 0x4e, 0xac, 0x9b,
20713 ++ 0xd8, 0x8f, 0x1a, 0x87, 0xa4, 0x32, 0x27, 0x8a,
20714 ++ 0xba, 0xf7, 0x41, 0xcf, 0x84, 0x37, 0x19, 0xe6,
20715 ++ 0x06, 0xf5, 0x0e, 0xcf, 0x36, 0xf5, 0x9e, 0x6c,
20716 ++ 0xde, 0xbc, 0xff, 0x64, 0x7e, 0x4e, 0x59, 0x57,
20717 ++ 0x48, 0xfe, 0x14, 0xf7, 0x9c, 0x93, 0x5d, 0x15,
20718 ++ 0xad, 0xcc, 0x11, 0xb1, 0x17, 0x18, 0xb2, 0x7e,
20719 ++ 0xcc, 0xab, 0xe9, 0xce, 0x7d, 0x77, 0x5b, 0x51,
20720 ++ 0x1b, 0x1e, 0x20, 0xa8, 0x32, 0x06, 0x0e, 0x75,
20721 ++ 0x93, 0xac, 0xdb, 0x35, 0x37, 0x1f, 0xe9, 0x19,
20722 ++ 0x1d, 0xb4, 0x71, 0x97, 0xd6, 0x4e, 0x2c, 0x08,
20723 ++ 0xa5, 0x13, 0xf9, 0x0e, 0x7e, 0x78, 0x6e, 0x14,
20724 ++ 0xe0, 0xa9, 0xb9, 0x96, 0x4c, 0x80, 0x82, 0xba,
20725 ++ 0x17, 0xb3, 0x9d, 0x69, 0xb0, 0x84, 0x46, 0xff,
20726 ++ 0xf9, 0x52, 0x79, 0x94, 0x58, 0x3a, 0x62, 0x90,
20727 ++ 0x15, 0x35, 0x71, 0x10, 0x37, 0xed, 0xa1, 0x8e,
20728 ++ 0x53, 0x6e, 0xf4, 0x26, 0x57, 0x93, 0x15, 0x93,
20729 ++ 0xf6, 0x81, 0x2c, 0x5a, 0x10, 0xda, 0x92, 0xad,
20730 ++ 0x2f, 0xdb, 0x28, 0x31, 0x2d, 0x55, 0x04, 0xd2,
20731 ++ 0x06, 0x28, 0x8c, 0x1e, 0xdc, 0xea, 0x54, 0xac,
20732 ++ 0xff, 0xb7, 0x6c, 0x30, 0x15, 0xd4, 0xb4, 0x0d,
20733 ++ 0x00, 0x93, 0x57, 0xdd, 0xd2, 0x07, 0x07, 0x06,
20734 ++ 0xd9, 0x43, 0x9b, 0xcd, 0x3a, 0xf4, 0x7d, 0x4c,
20735 ++ 0x36, 0x5d, 0x23, 0xa2, 0xcc, 0x57, 0x40, 0x91,
20736 ++ 0xe9, 0x2c, 0x2f, 0x2c, 0xd5, 0x30, 0x9b, 0x17,
20737 ++ 0xb0, 0xc9, 0xf7, 0xa7, 0x2f, 0xd1, 0x93, 0x20,
20738 ++ 0x6b, 0xc6, 0xc1, 0xe4, 0x6f, 0xcb, 0xd1, 0xe7,
20739 ++ 0x09, 0x0f, 0x9e, 0xdc, 0xaa, 0x9f, 0x2f, 0xdf,
20740 ++ 0x56, 0x9f, 0xd4, 0x33, 0x04, 0xaf, 0xd3, 0x6c,
20741 ++ 0x58, 0x61, 0xf0, 0x30, 0xec, 0xf2, 0x7f, 0xf2,
20742 ++ 0x9c, 0xdf, 0x39, 0xbb, 0x6f, 0xa2, 0x8c, 0x7e,
20743 ++ 0xc4, 0x22, 0x51, 0x71, 0xc0, 0x4d, 0x14, 0x1a,
20744 ++ 0xc4, 0xcd, 0x04, 0xd9, 0x87, 0x08, 0x50, 0x05,
20745 ++ 0xcc, 0xaf, 0xf6, 0xf0, 0x8f, 0x92, 0x54, 0x58,
20746 ++ 0xc2, 0xc7, 0x09, 0x7a, 0x59, 0x02, 0x05, 0xe8,
20747 ++ 0xb0, 0x86, 0xd9, 0xbf, 0x7b, 0x35, 0x51, 0x4d,
20748 ++ 0xaf, 0x08, 0x97, 0x2c, 0x65, 0xda, 0x2a, 0x71,
20749 ++ 0x3a, 0xa8, 0x51, 0xcc, 0xf2, 0x73, 0x27, 0xc3,
20750 ++ 0xfd, 0x62, 0xcf, 0xe3, 0xb2, 0xca, 0xcb, 0xbe,
20751 ++ 0x1a, 0x0a, 0xa1, 0x34, 0x7b, 0x77, 0xc4, 0x62,
20752 ++ 0x68, 0x78, 0x5f, 0x94, 0x07, 0x04, 0x65, 0x16,
20753 ++ 0x4b, 0x61, 0xcb, 0xff, 0x75, 0x26, 0x50, 0x66,
20754 ++ 0x1f, 0x6e, 0x93, 0xf8, 0xc5, 0x51, 0xeb, 0xa4,
20755 ++ 0x4a, 0x48, 0x68, 0x6b, 0xe2, 0x5e, 0x44, 0xb2,
20756 ++ 0x50, 0x2c, 0x6c, 0xae, 0x79, 0x4e, 0x66, 0x35,
20757 ++ 0x81, 0x50, 0xac, 0xbc, 0x3f, 0xb1, 0x0c, 0xf3,
20758 ++ 0x05, 0x3c, 0x4a, 0xa3, 0x6c, 0x2a, 0x79, 0xb4,
20759 ++ 0xb7, 0xab, 0xca, 0xc7, 0x9b, 0x8e, 0xcd, 0x5f,
20760 ++ 0x11, 0x03, 0xcb, 0x30, 0xa3, 0xab, 0xda, 0xfe,
20761 ++ 0x64, 0xb9, 0xbb, 0xd8, 0x5e, 0x3a, 0x1a, 0x56,
20762 ++ 0xe5, 0x05, 0x48, 0x90, 0x1e, 0x61, 0x69, 0x1b,
20763 ++ 0x22, 0xe6, 0x1a, 0x3c, 0x75, 0xad, 0x1f, 0x37,
20764 ++ 0x28, 0xdc, 0xe4, 0x6d, 0xbd, 0x42, 0xdc, 0xd3,
20765 ++ 0xc8, 0xb6, 0x1c, 0x48, 0xfe, 0x94, 0x77, 0x7f,
20766 ++ 0xbd, 0x62, 0xac, 0xa3, 0x47, 0x27, 0xcf, 0x5f,
20767 ++ 0xd9, 0xdb, 0xaf, 0xec, 0xf7, 0x5e, 0xc1, 0xb0,
20768 ++ 0x9d, 0x01, 0x26, 0x99, 0x7e, 0x8f, 0x03, 0x70,
20769 ++ 0xb5, 0x42, 0xbe, 0x67, 0x28, 0x1b, 0x7c, 0xbd,
20770 ++ 0x61, 0x21, 0x97, 0xcc, 0x5c, 0xe1, 0x97, 0x8f,
20771 ++ 0x8d, 0xde, 0x2b, 0xaa, 0xa7, 0x71, 0x1d, 0x1e,
20772 ++ 0x02, 0x73, 0x70, 0x58, 0x32, 0x5b, 0x1d, 0x67,
20773 ++ 0x3d, 0xe0, 0x74, 0x4f, 0x03, 0xf2, 0x70, 0x51,
20774 ++ 0x79, 0xf1, 0x61, 0x70, 0x15, 0x74, 0x9d, 0x23,
20775 ++ 0x89, 0xde, 0xac, 0xfd, 0xde, 0xd0, 0x1f, 0xc3,
20776 ++ 0x87, 0x44, 0x35, 0x4b, 0xe5, 0xb0, 0x60, 0xc5,
20777 ++ 0x22, 0xe4, 0x9e, 0xca, 0xeb, 0xd5, 0x3a, 0x09,
20778 ++ 0x45, 0xa4, 0xdb, 0xfa, 0x3f, 0xeb, 0x1b, 0xc7,
20779 ++ 0xc8, 0x14, 0x99, 0x51, 0x92, 0x10, 0xed, 0xed,
20780 ++ 0x28, 0xe0, 0xa1, 0xf8, 0x26, 0xcf, 0xcd, 0xcb,
20781 ++ 0x63, 0xa1, 0x3b, 0xe3, 0xdf, 0x7e, 0xfe, 0xa6,
20782 ++ 0xf0, 0x81, 0x9a, 0xbf, 0x55, 0xde, 0x54, 0xd5,
20783 ++ 0x56, 0x60, 0x98, 0x10, 0x68, 0xf4, 0x38, 0x96,
20784 ++ 0x8e, 0x6f, 0x1d, 0x44, 0x7f, 0xd6, 0x2f, 0xfe,
20785 ++ 0x55, 0xfb, 0x0c, 0x7e, 0x67, 0xe2, 0x61, 0x44,
20786 ++ 0xed, 0xf2, 0x35, 0x30, 0x5d, 0xe9, 0xc7, 0xd6,
20787 ++ 0x6d, 0xe0, 0xa0, 0xed, 0xf3, 0xfc, 0xd8, 0x3e,
20788 ++ 0x0a, 0x7b, 0xcd, 0xaf, 0x65, 0x68, 0x18, 0xc0,
20789 ++ 0xec, 0x04, 0x1c, 0x74, 0x6d, 0xe2, 0x6e, 0x79,
20790 ++ 0xd4, 0x11, 0x2b, 0x62, 0xd5, 0x27, 0xad, 0x4f,
20791 ++ 0x01, 0x59, 0x73, 0xcc, 0x6a, 0x53, 0xfb, 0x2d,
20792 ++ 0xd5, 0x4e, 0x99, 0x21, 0x65, 0x4d, 0xf5, 0x82,
20793 ++ 0xf7, 0xd8, 0x42, 0xce, 0x6f, 0x3d, 0x36, 0x47,
20794 ++ 0xf1, 0x05, 0x16, 0xe8, 0x1b, 0x6a, 0x8f, 0x93,
20795 ++ 0xf2, 0x8f, 0x37, 0x40, 0x12, 0x28, 0xa3, 0xe6,
20796 ++ 0xb9, 0x17, 0x4a, 0x1f, 0xb1, 0xd1, 0x66, 0x69,
20797 ++ 0x86, 0xc4, 0xfc, 0x97, 0xae, 0x3f, 0x8f, 0x1e,
20798 ++ 0x2b, 0xdf, 0xcd, 0xf9, 0x3c
20799 ++};
20800 ++static const u8 enc_assoc011[] __initconst = {
20801 ++ 0xd6, 0x31, 0xda, 0x5d, 0x42, 0x5e, 0xd7
20802 ++};
20803 ++static const u8 enc_nonce011[] __initconst = {
20804 ++ 0xfd, 0x87, 0xd4, 0xd8, 0x62, 0xfd, 0xec, 0xaa
20805 ++};
20806 ++static const u8 enc_key011[] __initconst = {
20807 ++ 0x35, 0x4e, 0xb5, 0x70, 0x50, 0x42, 0x8a, 0x85,
20808 ++ 0xf2, 0xfb, 0xed, 0x7b, 0xd0, 0x9e, 0x97, 0xca,
20809 ++ 0xfa, 0x98, 0x66, 0x63, 0xee, 0x37, 0xcc, 0x52,
20810 ++ 0xfe, 0xd1, 0xdf, 0x95, 0x15, 0x34, 0x29, 0x38
20811 ++};
20812 ++
20813 ++static const u8 enc_input012[] __initconst = {
20814 ++ 0x74, 0xa6, 0x3e, 0xe4, 0xb1, 0xcb, 0xaf, 0xb0,
20815 ++ 0x40, 0xe5, 0x0f, 0x9e, 0xf1, 0xf2, 0x89, 0xb5,
20816 ++ 0x42, 0x34, 0x8a, 0xa1, 0x03, 0xb7, 0xe9, 0x57,
20817 ++ 0x46, 0xbe, 0x20, 0xe4, 0x6e, 0xb0, 0xeb, 0xff,
20818 ++ 0xea, 0x07, 0x7e, 0xef, 0xe2, 0x55, 0x9f, 0xe5,
20819 ++ 0x78, 0x3a, 0xb7, 0x83, 0xc2, 0x18, 0x40, 0x7b,
20820 ++ 0xeb, 0xcd, 0x81, 0xfb, 0x90, 0x12, 0x9e, 0x46,
20821 ++ 0xa9, 0xd6, 0x4a, 0xba, 0xb0, 0x62, 0xdb, 0x6b,
20822 ++ 0x99, 0xc4, 0xdb, 0x54, 0x4b, 0xb8, 0xa5, 0x71,
20823 ++ 0xcb, 0xcd, 0x63, 0x32, 0x55, 0xfb, 0x31, 0xf0,
20824 ++ 0x38, 0xf5, 0xbe, 0x78, 0xe4, 0x45, 0xce, 0x1b,
20825 ++ 0x6a, 0x5b, 0x0e, 0xf4, 0x16, 0xe4, 0xb1, 0x3d,
20826 ++ 0xf6, 0x63, 0x7b, 0xa7, 0x0c, 0xde, 0x6f, 0x8f,
20827 ++ 0x74, 0xdf, 0xe0, 0x1e, 0x9d, 0xce, 0x8f, 0x24,
20828 ++ 0xef, 0x23, 0x35, 0x33, 0x7b, 0x83, 0x34, 0x23,
20829 ++ 0x58, 0x74, 0x14, 0x77, 0x1f, 0xc2, 0x4f, 0x4e,
20830 ++ 0xc6, 0x89, 0xf9, 0x52, 0x09, 0x37, 0x64, 0x14,
20831 ++ 0xc4, 0x01, 0x6b, 0x9d, 0x77, 0xe8, 0x90, 0x5d,
20832 ++ 0xa8, 0x4a, 0x2a, 0xef, 0x5c, 0x7f, 0xeb, 0xbb,
20833 ++ 0xb2, 0xc6, 0x93, 0x99, 0x66, 0xdc, 0x7f, 0xd4,
20834 ++ 0x9e, 0x2a, 0xca, 0x8d, 0xdb, 0xe7, 0x20, 0xcf,
20835 ++ 0xe4, 0x73, 0xae, 0x49, 0x7d, 0x64, 0x0f, 0x0e,
20836 ++ 0x28, 0x46, 0xa9, 0xa8, 0x32, 0xe4, 0x0e, 0xf6,
20837 ++ 0x51, 0x53, 0xb8, 0x3c, 0xb1, 0xff, 0xa3, 0x33,
20838 ++ 0x41, 0x75, 0xff, 0xf1, 0x6f, 0xf1, 0xfb, 0xbb,
20839 ++ 0x83, 0x7f, 0x06, 0x9b, 0xe7, 0x1b, 0x0a, 0xe0,
20840 ++ 0x5c, 0x33, 0x60, 0x5b, 0xdb, 0x5b, 0xed, 0xfe,
20841 ++ 0xa5, 0x16, 0x19, 0x72, 0xa3, 0x64, 0x23, 0x00,
20842 ++ 0x02, 0xc7, 0xf3, 0x6a, 0x81, 0x3e, 0x44, 0x1d,
20843 ++ 0x79, 0x15, 0x5f, 0x9a, 0xde, 0xe2, 0xfd, 0x1b,
20844 ++ 0x73, 0xc1, 0xbc, 0x23, 0xba, 0x31, 0xd2, 0x50,
20845 ++ 0xd5, 0xad, 0x7f, 0x74, 0xa7, 0xc9, 0xf8, 0x3e,
20846 ++ 0x2b, 0x26, 0x10, 0xf6, 0x03, 0x36, 0x74, 0xe4,
20847 ++ 0x0e, 0x6a, 0x72, 0xb7, 0x73, 0x0a, 0x42, 0x28,
20848 ++ 0xc2, 0xad, 0x5e, 0x03, 0xbe, 0xb8, 0x0b, 0xa8,
20849 ++ 0x5b, 0xd4, 0xb8, 0xba, 0x52, 0x89, 0xb1, 0x9b,
20850 ++ 0xc1, 0xc3, 0x65, 0x87, 0xed, 0xa5, 0xf4, 0x86,
20851 ++ 0xfd, 0x41, 0x80, 0x91, 0x27, 0x59, 0x53, 0x67,
20852 ++ 0x15, 0x78, 0x54, 0x8b, 0x2d, 0x3d, 0xc7, 0xff,
20853 ++ 0x02, 0x92, 0x07, 0x5f, 0x7a, 0x4b, 0x60, 0x59,
20854 ++ 0x3c, 0x6f, 0x5c, 0xd8, 0xec, 0x95, 0xd2, 0xfe,
20855 ++ 0xa0, 0x3b, 0xd8, 0x3f, 0xd1, 0x69, 0xa6, 0xd6,
20856 ++ 0x41, 0xb2, 0xf4, 0x4d, 0x12, 0xf4, 0x58, 0x3e,
20857 ++ 0x66, 0x64, 0x80, 0x31, 0x9b, 0xa8, 0x4c, 0x8b,
20858 ++ 0x07, 0xb2, 0xec, 0x66, 0x94, 0x66, 0x47, 0x50,
20859 ++ 0x50, 0x5f, 0x18, 0x0b, 0x0e, 0xd6, 0xc0, 0x39,
20860 ++ 0x21, 0x13, 0x9e, 0x33, 0xbc, 0x79, 0x36, 0x02,
20861 ++ 0x96, 0x70, 0xf0, 0x48, 0x67, 0x2f, 0x26, 0xe9,
20862 ++ 0x6d, 0x10, 0xbb, 0xd6, 0x3f, 0xd1, 0x64, 0x7a,
20863 ++ 0x2e, 0xbe, 0x0c, 0x61, 0xf0, 0x75, 0x42, 0x38,
20864 ++ 0x23, 0xb1, 0x9e, 0x9f, 0x7c, 0x67, 0x66, 0xd9,
20865 ++ 0x58, 0x9a, 0xf1, 0xbb, 0x41, 0x2a, 0x8d, 0x65,
20866 ++ 0x84, 0x94, 0xfc, 0xdc, 0x6a, 0x50, 0x64, 0xdb,
20867 ++ 0x56, 0x33, 0x76, 0x00, 0x10, 0xed, 0xbe, 0xd2,
20868 ++ 0x12, 0xf6, 0xf6, 0x1b, 0xa2, 0x16, 0xde, 0xae,
20869 ++ 0x31, 0x95, 0xdd, 0xb1, 0x08, 0x7e, 0x4e, 0xee,
20870 ++ 0xe7, 0xf9, 0xa5, 0xfb, 0x5b, 0x61, 0x43, 0x00,
20871 ++ 0x40, 0xf6, 0x7e, 0x02, 0x04, 0x32, 0x4e, 0x0c,
20872 ++ 0xe2, 0x66, 0x0d, 0xd7, 0x07, 0x98, 0x0e, 0xf8,
20873 ++ 0x72, 0x34, 0x6d, 0x95, 0x86, 0xd7, 0xcb, 0x31,
20874 ++ 0x54, 0x47, 0xd0, 0x38, 0x29, 0x9c, 0x5a, 0x68,
20875 ++ 0xd4, 0x87, 0x76, 0xc9, 0xe7, 0x7e, 0xe3, 0xf4,
20876 ++ 0x81, 0x6d, 0x18, 0xcb, 0xc9, 0x05, 0xaf, 0xa0,
20877 ++ 0xfb, 0x66, 0xf7, 0xf1, 0x1c, 0xc6, 0x14, 0x11,
20878 ++ 0x4f, 0x2b, 0x79, 0x42, 0x8b, 0xbc, 0xac, 0xe7,
20879 ++ 0x6c, 0xfe, 0x0f, 0x58, 0xe7, 0x7c, 0x78, 0x39,
20880 ++ 0x30, 0xb0, 0x66, 0x2c, 0x9b, 0x6d, 0x3a, 0xe1,
20881 ++ 0xcf, 0xc9, 0xa4, 0x0e, 0x6d, 0x6d, 0x8a, 0xa1,
20882 ++ 0x3a, 0xe7, 0x28, 0xd4, 0x78, 0x4c, 0xa6, 0xa2,
20883 ++ 0x2a, 0xa6, 0x03, 0x30, 0xd7, 0xa8, 0x25, 0x66,
20884 ++ 0x87, 0x2f, 0x69, 0x5c, 0x4e, 0xdd, 0xa5, 0x49,
20885 ++ 0x5d, 0x37, 0x4a, 0x59, 0xc4, 0xaf, 0x1f, 0xa2,
20886 ++ 0xe4, 0xf8, 0xa6, 0x12, 0x97, 0xd5, 0x79, 0xf5,
20887 ++ 0xe2, 0x4a, 0x2b, 0x5f, 0x61, 0xe4, 0x9e, 0xe3,
20888 ++ 0xee, 0xb8, 0xa7, 0x5b, 0x2f, 0xf4, 0x9e, 0x6c,
20889 ++ 0xfb, 0xd1, 0xc6, 0x56, 0x77, 0xba, 0x75, 0xaa,
20890 ++ 0x3d, 0x1a, 0xa8, 0x0b, 0xb3, 0x68, 0x24, 0x00,
20891 ++ 0x10, 0x7f, 0xfd, 0xd7, 0xa1, 0x8d, 0x83, 0x54,
20892 ++ 0x4f, 0x1f, 0xd8, 0x2a, 0xbe, 0x8a, 0x0c, 0x87,
20893 ++ 0xab, 0xa2, 0xde, 0xc3, 0x39, 0xbf, 0x09, 0x03,
20894 ++ 0xa5, 0xf3, 0x05, 0x28, 0xe1, 0xe1, 0xee, 0x39,
20895 ++ 0x70, 0x9c, 0xd8, 0x81, 0x12, 0x1e, 0x02, 0x40,
20896 ++ 0xd2, 0x6e, 0xf0, 0xeb, 0x1b, 0x3d, 0x22, 0xc6,
20897 ++ 0xe5, 0xe3, 0xb4, 0x5a, 0x98, 0xbb, 0xf0, 0x22,
20898 ++ 0x28, 0x8d, 0xe5, 0xd3, 0x16, 0x48, 0x24, 0xa5,
20899 ++ 0xe6, 0x66, 0x0c, 0xf9, 0x08, 0xf9, 0x7e, 0x1e,
20900 ++ 0xe1, 0x28, 0x26, 0x22, 0xc7, 0xc7, 0x0a, 0x32,
20901 ++ 0x47, 0xfa, 0xa3, 0xbe, 0x3c, 0xc4, 0xc5, 0x53,
20902 ++ 0x0a, 0xd5, 0x94, 0x4a, 0xd7, 0x93, 0xd8, 0x42,
20903 ++ 0x99, 0xb9, 0x0a, 0xdb, 0x56, 0xf7, 0xb9, 0x1c,
20904 ++ 0x53, 0x4f, 0xfa, 0xd3, 0x74, 0xad, 0xd9, 0x68,
20905 ++ 0xf1, 0x1b, 0xdf, 0x61, 0xc6, 0x5e, 0xa8, 0x48,
20906 ++ 0xfc, 0xd4, 0x4a, 0x4c, 0x3c, 0x32, 0xf7, 0x1c,
20907 ++ 0x96, 0x21, 0x9b, 0xf9, 0xa3, 0xcc, 0x5a, 0xce,
20908 ++ 0xd5, 0xd7, 0x08, 0x24, 0xf6, 0x1c, 0xfd, 0xdd,
20909 ++ 0x38, 0xc2, 0x32, 0xe9, 0xb8, 0xe7, 0xb6, 0xfa,
20910 ++ 0x9d, 0x45, 0x13, 0x2c, 0x83, 0xfd, 0x4a, 0x69,
20911 ++ 0x82, 0xcd, 0xdc, 0xb3, 0x76, 0x0c, 0x9e, 0xd8,
20912 ++ 0xf4, 0x1b, 0x45, 0x15, 0xb4, 0x97, 0xe7, 0x58,
20913 ++ 0x34, 0xe2, 0x03, 0x29, 0x5a, 0xbf, 0xb6, 0xe0,
20914 ++ 0x5d, 0x13, 0xd9, 0x2b, 0xb4, 0x80, 0xb2, 0x45,
20915 ++ 0x81, 0x6a, 0x2e, 0x6c, 0x89, 0x7d, 0xee, 0xbb,
20916 ++ 0x52, 0xdd, 0x1f, 0x18, 0xe7, 0x13, 0x6b, 0x33,
20917 ++ 0x0e, 0xea, 0x36, 0x92, 0x77, 0x7b, 0x6d, 0x9c,
20918 ++ 0x5a, 0x5f, 0x45, 0x7b, 0x7b, 0x35, 0x62, 0x23,
20919 ++ 0xd1, 0xbf, 0x0f, 0xd0, 0x08, 0x1b, 0x2b, 0x80,
20920 ++ 0x6b, 0x7e, 0xf1, 0x21, 0x47, 0xb0, 0x57, 0xd1,
20921 ++ 0x98, 0x72, 0x90, 0x34, 0x1c, 0x20, 0x04, 0xff,
20922 ++ 0x3d, 0x5c, 0xee, 0x0e, 0x57, 0x5f, 0x6f, 0x24,
20923 ++ 0x4e, 0x3c, 0xea, 0xfc, 0xa5, 0xa9, 0x83, 0xc9,
20924 ++ 0x61, 0xb4, 0x51, 0x24, 0xf8, 0x27, 0x5e, 0x46,
20925 ++ 0x8c, 0xb1, 0x53, 0x02, 0x96, 0x35, 0xba, 0xb8,
20926 ++ 0x4c, 0x71, 0xd3, 0x15, 0x59, 0x35, 0x22, 0x20,
20927 ++ 0xad, 0x03, 0x9f, 0x66, 0x44, 0x3b, 0x9c, 0x35,
20928 ++ 0x37, 0x1f, 0x9b, 0xbb, 0xf3, 0xdb, 0x35, 0x63,
20929 ++ 0x30, 0x64, 0xaa, 0xa2, 0x06, 0xa8, 0x5d, 0xbb,
20930 ++ 0xe1, 0x9f, 0x70, 0xec, 0x82, 0x11, 0x06, 0x36,
20931 ++ 0xec, 0x8b, 0x69, 0x66, 0x24, 0x44, 0xc9, 0x4a,
20932 ++ 0x57, 0xbb, 0x9b, 0x78, 0x13, 0xce, 0x9c, 0x0c,
20933 ++ 0xba, 0x92, 0x93, 0x63, 0xb8, 0xe2, 0x95, 0x0f,
20934 ++ 0x0f, 0x16, 0x39, 0x52, 0xfd, 0x3a, 0x6d, 0x02,
20935 ++ 0x4b, 0xdf, 0x13, 0xd3, 0x2a, 0x22, 0xb4, 0x03,
20936 ++ 0x7c, 0x54, 0x49, 0x96, 0x68, 0x54, 0x10, 0xfa,
20937 ++ 0xef, 0xaa, 0x6c, 0xe8, 0x22, 0xdc, 0x71, 0x16,
20938 ++ 0x13, 0x1a, 0xf6, 0x28, 0xe5, 0x6d, 0x77, 0x3d,
20939 ++ 0xcd, 0x30, 0x63, 0xb1, 0x70, 0x52, 0xa1, 0xc5,
20940 ++ 0x94, 0x5f, 0xcf, 0xe8, 0xb8, 0x26, 0x98, 0xf7,
20941 ++ 0x06, 0xa0, 0x0a, 0x70, 0xfa, 0x03, 0x80, 0xac,
20942 ++ 0xc1, 0xec, 0xd6, 0x4c, 0x54, 0xd7, 0xfe, 0x47,
20943 ++ 0xb6, 0x88, 0x4a, 0xf7, 0x71, 0x24, 0xee, 0xf3,
20944 ++ 0xd2, 0xc2, 0x4a, 0x7f, 0xfe, 0x61, 0xc7, 0x35,
20945 ++ 0xc9, 0x37, 0x67, 0xcb, 0x24, 0x35, 0xda, 0x7e,
20946 ++ 0xca, 0x5f, 0xf3, 0x8d, 0xd4, 0x13, 0x8e, 0xd6,
20947 ++ 0xcb, 0x4d, 0x53, 0x8f, 0x53, 0x1f, 0xc0, 0x74,
20948 ++ 0xf7, 0x53, 0xb9, 0x5e, 0x23, 0x37, 0xba, 0x6e,
20949 ++ 0xe3, 0x9d, 0x07, 0x55, 0x25, 0x7b, 0xe6, 0x2a,
20950 ++ 0x64, 0xd1, 0x32, 0xdd, 0x54, 0x1b, 0x4b, 0xc0,
20951 ++ 0xe1, 0xd7, 0x69, 0x58, 0xf8, 0x93, 0x29, 0xc4,
20952 ++ 0xdd, 0x23, 0x2f, 0xa5, 0xfc, 0x9d, 0x7e, 0xf8,
20953 ++ 0xd4, 0x90, 0xcd, 0x82, 0x55, 0xdc, 0x16, 0x16,
20954 ++ 0x9f, 0x07, 0x52, 0x9b, 0x9d, 0x25, 0xed, 0x32,
20955 ++ 0xc5, 0x7b, 0xdf, 0xf6, 0x83, 0x46, 0x3d, 0x65,
20956 ++ 0xb7, 0xef, 0x87, 0x7a, 0x12, 0x69, 0x8f, 0x06,
20957 ++ 0x7c, 0x51, 0x15, 0x4a, 0x08, 0xe8, 0xac, 0x9a,
20958 ++ 0x0c, 0x24, 0xa7, 0x27, 0xd8, 0x46, 0x2f, 0xe7,
20959 ++ 0x01, 0x0e, 0x1c, 0xc6, 0x91, 0xb0, 0x6e, 0x85,
20960 ++ 0x65, 0xf0, 0x29, 0x0d, 0x2e, 0x6b, 0x3b, 0xfb,
20961 ++ 0x4b, 0xdf, 0xe4, 0x80, 0x93, 0x03, 0x66, 0x46,
20962 ++ 0x3e, 0x8a, 0x6e, 0xf3, 0x5e, 0x4d, 0x62, 0x0e,
20963 ++ 0x49, 0x05, 0xaf, 0xd4, 0xf8, 0x21, 0x20, 0x61,
20964 ++ 0x1d, 0x39, 0x17, 0xf4, 0x61, 0x47, 0x95, 0xfb,
20965 ++ 0x15, 0x2e, 0xb3, 0x4f, 0xd0, 0x5d, 0xf5, 0x7d,
20966 ++ 0x40, 0xda, 0x90, 0x3c, 0x6b, 0xcb, 0x17, 0x00,
20967 ++ 0x13, 0x3b, 0x64, 0x34, 0x1b, 0xf0, 0xf2, 0xe5,
20968 ++ 0x3b, 0xb2, 0xc7, 0xd3, 0x5f, 0x3a, 0x44, 0xa6,
20969 ++ 0x9b, 0xb7, 0x78, 0x0e, 0x42, 0x5d, 0x4c, 0xc1,
20970 ++ 0xe9, 0xd2, 0xcb, 0xb7, 0x78, 0xd1, 0xfe, 0x9a,
20971 ++ 0xb5, 0x07, 0xe9, 0xe0, 0xbe, 0xe2, 0x8a, 0xa7,
20972 ++ 0x01, 0x83, 0x00, 0x8c, 0x5c, 0x08, 0xe6, 0x63,
20973 ++ 0x12, 0x92, 0xb7, 0xb7, 0xa6, 0x19, 0x7d, 0x38,
20974 ++ 0x13, 0x38, 0x92, 0x87, 0x24, 0xf9, 0x48, 0xb3,
20975 ++ 0x5e, 0x87, 0x6a, 0x40, 0x39, 0x5c, 0x3f, 0xed,
20976 ++ 0x8f, 0xee, 0xdb, 0x15, 0x82, 0x06, 0xda, 0x49,
20977 ++ 0x21, 0x2b, 0xb5, 0xbf, 0x32, 0x7c, 0x9f, 0x42,
20978 ++ 0x28, 0x63, 0xcf, 0xaf, 0x1e, 0xf8, 0xc6, 0xa0,
20979 ++ 0xd1, 0x02, 0x43, 0x57, 0x62, 0xec, 0x9b, 0x0f,
20980 ++ 0x01, 0x9e, 0x71, 0xd8, 0x87, 0x9d, 0x01, 0xc1,
20981 ++ 0x58, 0x77, 0xd9, 0xaf, 0xb1, 0x10, 0x7e, 0xdd,
20982 ++ 0xa6, 0x50, 0x96, 0xe5, 0xf0, 0x72, 0x00, 0x6d,
20983 ++ 0x4b, 0xf8, 0x2a, 0x8f, 0x19, 0xf3, 0x22, 0x88,
20984 ++ 0x11, 0x4a, 0x8b, 0x7c, 0xfd, 0xb7, 0xed, 0xe1,
20985 ++ 0xf6, 0x40, 0x39, 0xe0, 0xe9, 0xf6, 0x3d, 0x25,
20986 ++ 0xe6, 0x74, 0x3c, 0x58, 0x57, 0x7f, 0xe1, 0x22,
20987 ++ 0x96, 0x47, 0x31, 0x91, 0xba, 0x70, 0x85, 0x28,
20988 ++ 0x6b, 0x9f, 0x6e, 0x25, 0xac, 0x23, 0x66, 0x2f,
20989 ++ 0x29, 0x88, 0x28, 0xce, 0x8c, 0x5c, 0x88, 0x53,
20990 ++ 0xd1, 0x3b, 0xcc, 0x6a, 0x51, 0xb2, 0xe1, 0x28,
20991 ++ 0x3f, 0x91, 0xb4, 0x0d, 0x00, 0x3a, 0xe3, 0xf8,
20992 ++ 0xc3, 0x8f, 0xd7, 0x96, 0x62, 0x0e, 0x2e, 0xfc,
20993 ++ 0xc8, 0x6c, 0x77, 0xa6, 0x1d, 0x22, 0xc1, 0xb8,
20994 ++ 0xe6, 0x61, 0xd7, 0x67, 0x36, 0x13, 0x7b, 0xbb,
20995 ++ 0x9b, 0x59, 0x09, 0xa6, 0xdf, 0xf7, 0x6b, 0xa3,
20996 ++ 0x40, 0x1a, 0xf5, 0x4f, 0xb4, 0xda, 0xd3, 0xf3,
20997 ++ 0x81, 0x93, 0xc6, 0x18, 0xd9, 0x26, 0xee, 0xac,
20998 ++ 0xf0, 0xaa, 0xdf, 0xc5, 0x9c, 0xca, 0xc2, 0xa2,
20999 ++ 0xcc, 0x7b, 0x5c, 0x24, 0xb0, 0xbc, 0xd0, 0x6a,
21000 ++ 0x4d, 0x89, 0x09, 0xb8, 0x07, 0xfe, 0x87, 0xad,
21001 ++ 0x0a, 0xea, 0xb8, 0x42, 0xf9, 0x5e, 0xb3, 0x3e,
21002 ++ 0x36, 0x4c, 0xaf, 0x75, 0x9e, 0x1c, 0xeb, 0xbd,
21003 ++ 0xbc, 0xbb, 0x80, 0x40, 0xa7, 0x3a, 0x30, 0xbf,
21004 ++ 0xa8, 0x44, 0xf4, 0xeb, 0x38, 0xad, 0x29, 0xba,
21005 ++ 0x23, 0xed, 0x41, 0x0c, 0xea, 0xd2, 0xbb, 0x41,
21006 ++ 0x18, 0xd6, 0xb9, 0xba, 0x65, 0x2b, 0xa3, 0x91,
21007 ++ 0x6d, 0x1f, 0xa9, 0xf4, 0xd1, 0x25, 0x8d, 0x4d,
21008 ++ 0x38, 0xff, 0x64, 0xa0, 0xec, 0xde, 0xa6, 0xb6,
21009 ++ 0x79, 0xab, 0x8e, 0x33, 0x6c, 0x47, 0xde, 0xaf,
21010 ++ 0x94, 0xa4, 0xa5, 0x86, 0x77, 0x55, 0x09, 0x92,
21011 ++ 0x81, 0x31, 0x76, 0xc7, 0x34, 0x22, 0x89, 0x8e,
21012 ++ 0x3d, 0x26, 0x26, 0xd7, 0xfc, 0x1e, 0x16, 0x72,
21013 ++ 0x13, 0x33, 0x63, 0xd5, 0x22, 0xbe, 0xb8, 0x04,
21014 ++ 0x34, 0x84, 0x41, 0xbb, 0x80, 0xd0, 0x9f, 0x46,
21015 ++ 0x48, 0x07, 0xa7, 0xfc, 0x2b, 0x3a, 0x75, 0x55,
21016 ++ 0x8c, 0xc7, 0x6a, 0xbd, 0x7e, 0x46, 0x08, 0x84,
21017 ++ 0x0f, 0xd5, 0x74, 0xc0, 0x82, 0x8e, 0xaa, 0x61,
21018 ++ 0x05, 0x01, 0xb2, 0x47, 0x6e, 0x20, 0x6a, 0x2d,
21019 ++ 0x58, 0x70, 0x48, 0x32, 0xa7, 0x37, 0xd2, 0xb8,
21020 ++ 0x82, 0x1a, 0x51, 0xb9, 0x61, 0xdd, 0xfd, 0x9d,
21021 ++ 0x6b, 0x0e, 0x18, 0x97, 0xf8, 0x45, 0x5f, 0x87,
21022 ++ 0x10, 0xcf, 0x34, 0x72, 0x45, 0x26, 0x49, 0x70,
21023 ++ 0xe7, 0xa3, 0x78, 0xe0, 0x52, 0x89, 0x84, 0x94,
21024 ++ 0x83, 0x82, 0xc2, 0x69, 0x8f, 0xe3, 0xe1, 0x3f,
21025 ++ 0x60, 0x74, 0x88, 0xc4, 0xf7, 0x75, 0x2c, 0xfb,
21026 ++ 0xbd, 0xb6, 0xc4, 0x7e, 0x10, 0x0a, 0x6c, 0x90,
21027 ++ 0x04, 0x9e, 0xc3, 0x3f, 0x59, 0x7c, 0xce, 0x31,
21028 ++ 0x18, 0x60, 0x57, 0x73, 0x46, 0x94, 0x7d, 0x06,
21029 ++ 0xa0, 0x6d, 0x44, 0xec, 0xa2, 0x0a, 0x9e, 0x05,
21030 ++ 0x15, 0xef, 0xca, 0x5c, 0xbf, 0x00, 0xeb, 0xf7,
21031 ++ 0x3d, 0x32, 0xd4, 0xa5, 0xef, 0x49, 0x89, 0x5e,
21032 ++ 0x46, 0xb0, 0xa6, 0x63, 0x5b, 0x8a, 0x73, 0xae,
21033 ++ 0x6f, 0xd5, 0x9d, 0xf8, 0x4f, 0x40, 0xb5, 0xb2,
21034 ++ 0x6e, 0xd3, 0xb6, 0x01, 0xa9, 0x26, 0xa2, 0x21,
21035 ++ 0xcf, 0x33, 0x7a, 0x3a, 0xa4, 0x23, 0x13, 0xb0,
21036 ++ 0x69, 0x6a, 0xee, 0xce, 0xd8, 0x9d, 0x01, 0x1d,
21037 ++ 0x50, 0xc1, 0x30, 0x6c, 0xb1, 0xcd, 0xa0, 0xf0,
21038 ++ 0xf0, 0xa2, 0x64, 0x6f, 0xbb, 0xbf, 0x5e, 0xe6,
21039 ++ 0xab, 0x87, 0xb4, 0x0f, 0x4f, 0x15, 0xaf, 0xb5,
21040 ++ 0x25, 0xa1, 0xb2, 0xd0, 0x80, 0x2c, 0xfb, 0xf9,
21041 ++ 0xfe, 0xd2, 0x33, 0xbb, 0x76, 0xfe, 0x7c, 0xa8,
21042 ++ 0x66, 0xf7, 0xe7, 0x85, 0x9f, 0x1f, 0x85, 0x57,
21043 ++ 0x88, 0xe1, 0xe9, 0x63, 0xe4, 0xd8, 0x1c, 0xa1,
21044 ++ 0xfb, 0xda, 0x44, 0x05, 0x2e, 0x1d, 0x3a, 0x1c,
21045 ++ 0xff, 0xc8, 0x3b, 0xc0, 0xfe, 0xda, 0x22, 0x0b,
21046 ++ 0x43, 0xd6, 0x88, 0x39, 0x4c, 0x4a, 0xa6, 0x69,
21047 ++ 0x18, 0x93, 0x42, 0x4e, 0xb5, 0xcc, 0x66, 0x0d,
21048 ++ 0x09, 0xf8, 0x1e, 0x7c, 0xd3, 0x3c, 0x99, 0x0d,
21049 ++ 0x50, 0x1d, 0x62, 0xe9, 0x57, 0x06, 0xbf, 0x19,
21050 ++ 0x88, 0xdd, 0xad, 0x7b, 0x4f, 0xf9, 0xc7, 0x82,
21051 ++ 0x6d, 0x8d, 0xc8, 0xc4, 0xc5, 0x78, 0x17, 0x20,
21052 ++ 0x15, 0xc5, 0x52, 0x41, 0xcf, 0x5b, 0xd6, 0x7f,
21053 ++ 0x94, 0x02, 0x41, 0xe0, 0x40, 0x22, 0x03, 0x5e,
21054 ++ 0xd1, 0x53, 0xd4, 0x86, 0xd3, 0x2c, 0x9f, 0x0f,
21055 ++ 0x96, 0xe3, 0x6b, 0x9a, 0x76, 0x32, 0x06, 0x47,
21056 ++ 0x4b, 0x11, 0xb3, 0xdd, 0x03, 0x65, 0xbd, 0x9b,
21057 ++ 0x01, 0xda, 0x9c, 0xb9, 0x7e, 0x3f, 0x6a, 0xc4,
21058 ++ 0x7b, 0xea, 0xd4, 0x3c, 0xb9, 0xfb, 0x5c, 0x6b,
21059 ++ 0x64, 0x33, 0x52, 0xba, 0x64, 0x78, 0x8f, 0xa4,
21060 ++ 0xaf, 0x7a, 0x61, 0x8d, 0xbc, 0xc5, 0x73, 0xe9,
21061 ++ 0x6b, 0x58, 0x97, 0x4b, 0xbf, 0x63, 0x22, 0xd3,
21062 ++ 0x37, 0x02, 0x54, 0xc5, 0xb9, 0x16, 0x4a, 0xf0,
21063 ++ 0x19, 0xd8, 0x94, 0x57, 0xb8, 0x8a, 0xb3, 0x16,
21064 ++ 0x3b, 0xd0, 0x84, 0x8e, 0x67, 0xa6, 0xa3, 0x7d,
21065 ++ 0x78, 0xec, 0x00
21066 ++};
21067 ++static const u8 enc_output012[] __initconst = {
21068 ++ 0x52, 0x34, 0xb3, 0x65, 0x3b, 0xb7, 0xe5, 0xd3,
21069 ++ 0xab, 0x49, 0x17, 0x60, 0xd2, 0x52, 0x56, 0xdf,
21070 ++ 0xdf, 0x34, 0x56, 0x82, 0xe2, 0xbe, 0xe5, 0xe1,
21071 ++ 0x28, 0xd1, 0x4e, 0x5f, 0x4f, 0x01, 0x7d, 0x3f,
21072 ++ 0x99, 0x6b, 0x30, 0x6e, 0x1a, 0x7c, 0x4c, 0x8e,
21073 ++ 0x62, 0x81, 0xae, 0x86, 0x3f, 0x6b, 0xd0, 0xb5,
21074 ++ 0xa9, 0xcf, 0x50, 0xf1, 0x02, 0x12, 0xa0, 0x0b,
21075 ++ 0x24, 0xe9, 0xe6, 0x72, 0x89, 0x2c, 0x52, 0x1b,
21076 ++ 0x34, 0x38, 0xf8, 0x75, 0x5f, 0xa0, 0x74, 0xe2,
21077 ++ 0x99, 0xdd, 0xa6, 0x4b, 0x14, 0x50, 0x4e, 0xf1,
21078 ++ 0xbe, 0xd6, 0x9e, 0xdb, 0xb2, 0x24, 0x27, 0x74,
21079 ++ 0x12, 0x4a, 0x78, 0x78, 0x17, 0xa5, 0x58, 0x8e,
21080 ++ 0x2f, 0xf9, 0xf4, 0x8d, 0xee, 0x03, 0x88, 0xae,
21081 ++ 0xb8, 0x29, 0xa1, 0x2f, 0x4b, 0xee, 0x92, 0xbd,
21082 ++ 0x87, 0xb3, 0xce, 0x34, 0x21, 0x57, 0x46, 0x04,
21083 ++ 0x49, 0x0c, 0x80, 0xf2, 0x01, 0x13, 0xa1, 0x55,
21084 ++ 0xb3, 0xff, 0x44, 0x30, 0x3c, 0x1c, 0xd0, 0xef,
21085 ++ 0xbc, 0x18, 0x74, 0x26, 0xad, 0x41, 0x5b, 0x5b,
21086 ++ 0x3e, 0x9a, 0x7a, 0x46, 0x4f, 0x16, 0xd6, 0x74,
21087 ++ 0x5a, 0xb7, 0x3a, 0x28, 0x31, 0xd8, 0xae, 0x26,
21088 ++ 0xac, 0x50, 0x53, 0x86, 0xf2, 0x56, 0xd7, 0x3f,
21089 ++ 0x29, 0xbc, 0x45, 0x68, 0x8e, 0xcb, 0x98, 0x64,
21090 ++ 0xdd, 0xc9, 0xba, 0xb8, 0x4b, 0x7b, 0x82, 0xdd,
21091 ++ 0x14, 0xa7, 0xcb, 0x71, 0x72, 0x00, 0x5c, 0xad,
21092 ++ 0x7b, 0x6a, 0x89, 0xa4, 0x3d, 0xbf, 0xb5, 0x4b,
21093 ++ 0x3e, 0x7c, 0x5a, 0xcf, 0xb8, 0xa1, 0xc5, 0x6e,
21094 ++ 0xc8, 0xb6, 0x31, 0x57, 0x7b, 0xdf, 0xa5, 0x7e,
21095 ++ 0xb1, 0xd6, 0x42, 0x2a, 0x31, 0x36, 0xd1, 0xd0,
21096 ++ 0x3f, 0x7a, 0xe5, 0x94, 0xd6, 0x36, 0xa0, 0x6f,
21097 ++ 0xb7, 0x40, 0x7d, 0x37, 0xc6, 0x55, 0x7c, 0x50,
21098 ++ 0x40, 0x6d, 0x29, 0x89, 0xe3, 0x5a, 0xae, 0x97,
21099 ++ 0xe7, 0x44, 0x49, 0x6e, 0xbd, 0x81, 0x3d, 0x03,
21100 ++ 0x93, 0x06, 0x12, 0x06, 0xe2, 0x41, 0x12, 0x4a,
21101 ++ 0xf1, 0x6a, 0xa4, 0x58, 0xa2, 0xfb, 0xd2, 0x15,
21102 ++ 0xba, 0xc9, 0x79, 0xc9, 0xce, 0x5e, 0x13, 0xbb,
21103 ++ 0xf1, 0x09, 0x04, 0xcc, 0xfd, 0xe8, 0x51, 0x34,
21104 ++ 0x6a, 0xe8, 0x61, 0x88, 0xda, 0xed, 0x01, 0x47,
21105 ++ 0x84, 0xf5, 0x73, 0x25, 0xf9, 0x1c, 0x42, 0x86,
21106 ++ 0x07, 0xf3, 0x5b, 0x1a, 0x01, 0xb3, 0xeb, 0x24,
21107 ++ 0x32, 0x8d, 0xf6, 0xed, 0x7c, 0x4b, 0xeb, 0x3c,
21108 ++ 0x36, 0x42, 0x28, 0xdf, 0xdf, 0xb6, 0xbe, 0xd9,
21109 ++ 0x8c, 0x52, 0xd3, 0x2b, 0x08, 0x90, 0x8c, 0xe7,
21110 ++ 0x98, 0x31, 0xe2, 0x32, 0x8e, 0xfc, 0x11, 0x48,
21111 ++ 0x00, 0xa8, 0x6a, 0x42, 0x4a, 0x02, 0xc6, 0x4b,
21112 ++ 0x09, 0xf1, 0xe3, 0x49, 0xf3, 0x45, 0x1f, 0x0e,
21113 ++ 0xbc, 0x56, 0xe2, 0xe4, 0xdf, 0xfb, 0xeb, 0x61,
21114 ++ 0xfa, 0x24, 0xc1, 0x63, 0x75, 0xbb, 0x47, 0x75,
21115 ++ 0xaf, 0xe1, 0x53, 0x16, 0x96, 0x21, 0x85, 0x26,
21116 ++ 0x11, 0xb3, 0x76, 0xe3, 0x23, 0xa1, 0x6b, 0x74,
21117 ++ 0x37, 0xd0, 0xde, 0x06, 0x90, 0x71, 0x5d, 0x43,
21118 ++ 0x88, 0x9b, 0x00, 0x54, 0xa6, 0x75, 0x2f, 0xa1,
21119 ++ 0xc2, 0x0b, 0x73, 0x20, 0x1d, 0xb6, 0x21, 0x79,
21120 ++ 0x57, 0x3f, 0xfa, 0x09, 0xbe, 0x8a, 0x33, 0xc3,
21121 ++ 0x52, 0xf0, 0x1d, 0x82, 0x31, 0xd1, 0x55, 0xb5,
21122 ++ 0x6c, 0x99, 0x25, 0xcf, 0x5c, 0x32, 0xce, 0xe9,
21123 ++ 0x0d, 0xfa, 0x69, 0x2c, 0xd5, 0x0d, 0xc5, 0x6d,
21124 ++ 0x86, 0xd0, 0x0c, 0x3b, 0x06, 0x50, 0x79, 0xe8,
21125 ++ 0xc3, 0xae, 0x04, 0xe6, 0xcd, 0x51, 0xe4, 0x26,
21126 ++ 0x9b, 0x4f, 0x7e, 0xa6, 0x0f, 0xab, 0xd8, 0xe5,
21127 ++ 0xde, 0xa9, 0x00, 0x95, 0xbe, 0xa3, 0x9d, 0x5d,
21128 ++ 0xb2, 0x09, 0x70, 0x18, 0x1c, 0xf0, 0xac, 0x29,
21129 ++ 0x23, 0x02, 0x29, 0x28, 0xd2, 0x74, 0x35, 0x57,
21130 ++ 0x62, 0x0f, 0x24, 0xea, 0x5e, 0x33, 0xc2, 0x92,
21131 ++ 0xf3, 0x78, 0x4d, 0x30, 0x1e, 0xa1, 0x99, 0xa9,
21132 ++ 0x82, 0xb0, 0x42, 0x31, 0x8d, 0xad, 0x8a, 0xbc,
21133 ++ 0xfc, 0xd4, 0x57, 0x47, 0x3e, 0xb4, 0x50, 0xdd,
21134 ++ 0x6e, 0x2c, 0x80, 0x4d, 0x22, 0xf1, 0xfb, 0x57,
21135 ++ 0xc4, 0xdd, 0x17, 0xe1, 0x8a, 0x36, 0x4a, 0xb3,
21136 ++ 0x37, 0xca, 0xc9, 0x4e, 0xab, 0xd5, 0x69, 0xc4,
21137 ++ 0xf4, 0xbc, 0x0b, 0x3b, 0x44, 0x4b, 0x29, 0x9c,
21138 ++ 0xee, 0xd4, 0x35, 0x22, 0x21, 0xb0, 0x1f, 0x27,
21139 ++ 0x64, 0xa8, 0x51, 0x1b, 0xf0, 0x9f, 0x19, 0x5c,
21140 ++ 0xfb, 0x5a, 0x64, 0x74, 0x70, 0x45, 0x09, 0xf5,
21141 ++ 0x64, 0xfe, 0x1a, 0x2d, 0xc9, 0x14, 0x04, 0x14,
21142 ++ 0xcf, 0xd5, 0x7d, 0x60, 0xaf, 0x94, 0x39, 0x94,
21143 ++ 0xe2, 0x7d, 0x79, 0x82, 0xd0, 0x65, 0x3b, 0x6b,
21144 ++ 0x9c, 0x19, 0x84, 0xb4, 0x6d, 0xb3, 0x0c, 0x99,
21145 ++ 0xc0, 0x56, 0xa8, 0xbd, 0x73, 0xce, 0x05, 0x84,
21146 ++ 0x3e, 0x30, 0xaa, 0xc4, 0x9b, 0x1b, 0x04, 0x2a,
21147 ++ 0x9f, 0xd7, 0x43, 0x2b, 0x23, 0xdf, 0xbf, 0xaa,
21148 ++ 0xd5, 0xc2, 0x43, 0x2d, 0x70, 0xab, 0xdc, 0x75,
21149 ++ 0xad, 0xac, 0xf7, 0xc0, 0xbe, 0x67, 0xb2, 0x74,
21150 ++ 0xed, 0x67, 0x10, 0x4a, 0x92, 0x60, 0xc1, 0x40,
21151 ++ 0x50, 0x19, 0x8a, 0x8a, 0x8c, 0x09, 0x0e, 0x72,
21152 ++ 0xe1, 0x73, 0x5e, 0xe8, 0x41, 0x85, 0x63, 0x9f,
21153 ++ 0x3f, 0xd7, 0x7d, 0xc4, 0xfb, 0x22, 0x5d, 0x92,
21154 ++ 0x6c, 0xb3, 0x1e, 0xe2, 0x50, 0x2f, 0x82, 0xa8,
21155 ++ 0x28, 0xc0, 0xb5, 0xd7, 0x5f, 0x68, 0x0d, 0x2c,
21156 ++ 0x2d, 0xaf, 0x7e, 0xfa, 0x2e, 0x08, 0x0f, 0x1f,
21157 ++ 0x70, 0x9f, 0xe9, 0x19, 0x72, 0x55, 0xf8, 0xfb,
21158 ++ 0x51, 0xd2, 0x33, 0x5d, 0xa0, 0xd3, 0x2b, 0x0a,
21159 ++ 0x6c, 0xbc, 0x4e, 0xcf, 0x36, 0x4d, 0xdc, 0x3b,
21160 ++ 0xe9, 0x3e, 0x81, 0x7c, 0x61, 0xdb, 0x20, 0x2d,
21161 ++ 0x3a, 0xc3, 0xb3, 0x0c, 0x1e, 0x00, 0xb9, 0x7c,
21162 ++ 0xf5, 0xca, 0x10, 0x5f, 0x3a, 0x71, 0xb3, 0xe4,
21163 ++ 0x20, 0xdb, 0x0c, 0x2a, 0x98, 0x63, 0x45, 0x00,
21164 ++ 0x58, 0xf6, 0x68, 0xe4, 0x0b, 0xda, 0x13, 0x3b,
21165 ++ 0x60, 0x5c, 0x76, 0xdb, 0xb9, 0x97, 0x71, 0xe4,
21166 ++ 0xd9, 0xb7, 0xdb, 0xbd, 0x68, 0xc7, 0x84, 0x84,
21167 ++ 0xaa, 0x7c, 0x68, 0x62, 0x5e, 0x16, 0xfc, 0xba,
21168 ++ 0x72, 0xaa, 0x9a, 0xa9, 0xeb, 0x7c, 0x75, 0x47,
21169 ++ 0x97, 0x7e, 0xad, 0xe2, 0xd9, 0x91, 0xe8, 0xe4,
21170 ++ 0xa5, 0x31, 0xd7, 0x01, 0x8e, 0xa2, 0x11, 0x88,
21171 ++ 0x95, 0xb9, 0xf2, 0x9b, 0xd3, 0x7f, 0x1b, 0x81,
21172 ++ 0x22, 0xf7, 0x98, 0x60, 0x0a, 0x64, 0xa6, 0xc1,
21173 ++ 0xf6, 0x49, 0xc7, 0xe3, 0x07, 0x4d, 0x94, 0x7a,
21174 ++ 0xcf, 0x6e, 0x68, 0x0c, 0x1b, 0x3f, 0x6e, 0x2e,
21175 ++ 0xee, 0x92, 0xfa, 0x52, 0xb3, 0x59, 0xf8, 0xf1,
21176 ++ 0x8f, 0x6a, 0x66, 0xa3, 0x82, 0x76, 0x4a, 0x07,
21177 ++ 0x1a, 0xc7, 0xdd, 0xf5, 0xda, 0x9c, 0x3c, 0x24,
21178 ++ 0xbf, 0xfd, 0x42, 0xa1, 0x10, 0x64, 0x6a, 0x0f,
21179 ++ 0x89, 0xee, 0x36, 0xa5, 0xce, 0x99, 0x48, 0x6a,
21180 ++ 0xf0, 0x9f, 0x9e, 0x69, 0xa4, 0x40, 0x20, 0xe9,
21181 ++ 0x16, 0x15, 0xf7, 0xdb, 0x75, 0x02, 0xcb, 0xe9,
21182 ++ 0x73, 0x8b, 0x3b, 0x49, 0x2f, 0xf0, 0xaf, 0x51,
21183 ++ 0x06, 0x5c, 0xdf, 0x27, 0x27, 0x49, 0x6a, 0xd1,
21184 ++ 0xcc, 0xc7, 0xb5, 0x63, 0xb5, 0xfc, 0xb8, 0x5c,
21185 ++ 0x87, 0x7f, 0x84, 0xb4, 0xcc, 0x14, 0xa9, 0x53,
21186 ++ 0xda, 0xa4, 0x56, 0xf8, 0xb6, 0x1b, 0xcc, 0x40,
21187 ++ 0x27, 0x52, 0x06, 0x5a, 0x13, 0x81, 0xd7, 0x3a,
21188 ++ 0xd4, 0x3b, 0xfb, 0x49, 0x65, 0x31, 0x33, 0xb2,
21189 ++ 0xfa, 0xcd, 0xad, 0x58, 0x4e, 0x2b, 0xae, 0xd2,
21190 ++ 0x20, 0xfb, 0x1a, 0x48, 0xb4, 0x3f, 0x9a, 0xd8,
21191 ++ 0x7a, 0x35, 0x4a, 0xc8, 0xee, 0x88, 0x5e, 0x07,
21192 ++ 0x66, 0x54, 0xb9, 0xec, 0x9f, 0xa3, 0xe3, 0xb9,
21193 ++ 0x37, 0xaa, 0x49, 0x76, 0x31, 0xda, 0x74, 0x2d,
21194 ++ 0x3c, 0xa4, 0x65, 0x10, 0x32, 0x38, 0xf0, 0xde,
21195 ++ 0xd3, 0x99, 0x17, 0xaa, 0x71, 0xaa, 0x8f, 0x0f,
21196 ++ 0x8c, 0xaf, 0xa2, 0xf8, 0x5d, 0x64, 0xba, 0x1d,
21197 ++ 0xa3, 0xef, 0x96, 0x73, 0xe8, 0xa1, 0x02, 0x8d,
21198 ++ 0x0c, 0x6d, 0xb8, 0x06, 0x90, 0xb8, 0x08, 0x56,
21199 ++ 0x2c, 0xa7, 0x06, 0xc9, 0xc2, 0x38, 0xdb, 0x7c,
21200 ++ 0x63, 0xb1, 0x57, 0x8e, 0xea, 0x7c, 0x79, 0xf3,
21201 ++ 0x49, 0x1d, 0xfe, 0x9f, 0xf3, 0x6e, 0xb1, 0x1d,
21202 ++ 0xba, 0x19, 0x80, 0x1a, 0x0a, 0xd3, 0xb0, 0x26,
21203 ++ 0x21, 0x40, 0xb1, 0x7c, 0xf9, 0x4d, 0x8d, 0x10,
21204 ++ 0xc1, 0x7e, 0xf4, 0xf6, 0x3c, 0xa8, 0xfd, 0x7c,
21205 ++ 0xa3, 0x92, 0xb2, 0x0f, 0xaa, 0xcc, 0xa6, 0x11,
21206 ++ 0xfe, 0x04, 0xe3, 0xd1, 0x7a, 0x32, 0x89, 0xdf,
21207 ++ 0x0d, 0xc4, 0x8f, 0x79, 0x6b, 0xca, 0x16, 0x7c,
21208 ++ 0x6e, 0xf9, 0xad, 0x0f, 0xf6, 0xfe, 0x27, 0xdb,
21209 ++ 0xc4, 0x13, 0x70, 0xf1, 0x62, 0x1a, 0x4f, 0x79,
21210 ++ 0x40, 0xc9, 0x9b, 0x8b, 0x21, 0xea, 0x84, 0xfa,
21211 ++ 0xf5, 0xf1, 0x89, 0xce, 0xb7, 0x55, 0x0a, 0x80,
21212 ++ 0x39, 0x2f, 0x55, 0x36, 0x16, 0x9c, 0x7b, 0x08,
21213 ++ 0xbd, 0x87, 0x0d, 0xa5, 0x32, 0xf1, 0x52, 0x7c,
21214 ++ 0xe8, 0x55, 0x60, 0x5b, 0xd7, 0x69, 0xe4, 0xfc,
21215 ++ 0xfa, 0x12, 0x85, 0x96, 0xea, 0x50, 0x28, 0xab,
21216 ++ 0x8a, 0xf7, 0xbb, 0x0e, 0x53, 0x74, 0xca, 0xa6,
21217 ++ 0x27, 0x09, 0xc2, 0xb5, 0xde, 0x18, 0x14, 0xd9,
21218 ++ 0xea, 0xe5, 0x29, 0x1c, 0x40, 0x56, 0xcf, 0xd7,
21219 ++ 0xae, 0x05, 0x3f, 0x65, 0xaf, 0x05, 0x73, 0xe2,
21220 ++ 0x35, 0x96, 0x27, 0x07, 0x14, 0xc0, 0xad, 0x33,
21221 ++ 0xf1, 0xdc, 0x44, 0x7a, 0x89, 0x17, 0x77, 0xd2,
21222 ++ 0x9c, 0x58, 0x60, 0xf0, 0x3f, 0x7b, 0x2d, 0x2e,
21223 ++ 0x57, 0x95, 0x54, 0x87, 0xed, 0xf2, 0xc7, 0x4c,
21224 ++ 0xf0, 0xae, 0x56, 0x29, 0x19, 0x7d, 0x66, 0x4b,
21225 ++ 0x9b, 0x83, 0x84, 0x42, 0x3b, 0x01, 0x25, 0x66,
21226 ++ 0x8e, 0x02, 0xde, 0xb9, 0x83, 0x54, 0x19, 0xf6,
21227 ++ 0x9f, 0x79, 0x0d, 0x67, 0xc5, 0x1d, 0x7a, 0x44,
21228 ++ 0x02, 0x98, 0xa7, 0x16, 0x1c, 0x29, 0x0d, 0x74,
21229 ++ 0xff, 0x85, 0x40, 0x06, 0xef, 0x2c, 0xa9, 0xc6,
21230 ++ 0xf5, 0x53, 0x07, 0x06, 0xae, 0xe4, 0xfa, 0x5f,
21231 ++ 0xd8, 0x39, 0x4d, 0xf1, 0x9b, 0x6b, 0xd9, 0x24,
21232 ++ 0x84, 0xfe, 0x03, 0x4c, 0xb2, 0x3f, 0xdf, 0xa1,
21233 ++ 0x05, 0x9e, 0x50, 0x14, 0x5a, 0xd9, 0x1a, 0xa2,
21234 ++ 0xa7, 0xfa, 0xfa, 0x17, 0xf7, 0x78, 0xd6, 0xb5,
21235 ++ 0x92, 0x61, 0x91, 0xac, 0x36, 0xfa, 0x56, 0x0d,
21236 ++ 0x38, 0x32, 0x18, 0x85, 0x08, 0x58, 0x37, 0xf0,
21237 ++ 0x4b, 0xdb, 0x59, 0xe7, 0xa4, 0x34, 0xc0, 0x1b,
21238 ++ 0x01, 0xaf, 0x2d, 0xde, 0xa1, 0xaa, 0x5d, 0xd3,
21239 ++ 0xec, 0xe1, 0xd4, 0xf7, 0xe6, 0x54, 0x68, 0xf0,
21240 ++ 0x51, 0x97, 0xa7, 0x89, 0xea, 0x24, 0xad, 0xd3,
21241 ++ 0x6e, 0x47, 0x93, 0x8b, 0x4b, 0xb4, 0xf7, 0x1c,
21242 ++ 0x42, 0x06, 0x67, 0xe8, 0x99, 0xf6, 0xf5, 0x7b,
21243 ++ 0x85, 0xb5, 0x65, 0xb5, 0xb5, 0xd2, 0x37, 0xf5,
21244 ++ 0xf3, 0x02, 0xa6, 0x4d, 0x11, 0xa7, 0xdc, 0x51,
21245 ++ 0x09, 0x7f, 0xa0, 0xd8, 0x88, 0x1c, 0x13, 0x71,
21246 ++ 0xae, 0x9c, 0xb7, 0x7b, 0x34, 0xd6, 0x4e, 0x68,
21247 ++ 0x26, 0x83, 0x51, 0xaf, 0x1d, 0xee, 0x8b, 0xbb,
21248 ++ 0x69, 0x43, 0x2b, 0x9e, 0x8a, 0xbc, 0x02, 0x0e,
21249 ++ 0xa0, 0x1b, 0xe0, 0xa8, 0x5f, 0x6f, 0xaf, 0x1b,
21250 ++ 0x8f, 0xe7, 0x64, 0x71, 0x74, 0x11, 0x7e, 0xa8,
21251 ++ 0xd8, 0xf9, 0x97, 0x06, 0xc3, 0xb6, 0xfb, 0xfb,
21252 ++ 0xb7, 0x3d, 0x35, 0x9d, 0x3b, 0x52, 0xed, 0x54,
21253 ++ 0xca, 0xf4, 0x81, 0x01, 0x2d, 0x1b, 0xc3, 0xa7,
21254 ++ 0x00, 0x3d, 0x1a, 0x39, 0x54, 0xe1, 0xf6, 0xff,
21255 ++ 0xed, 0x6f, 0x0b, 0x5a, 0x68, 0xda, 0x58, 0xdd,
21256 ++ 0xa9, 0xcf, 0x5c, 0x4a, 0xe5, 0x09, 0x4e, 0xde,
21257 ++ 0x9d, 0xbc, 0x3e, 0xee, 0x5a, 0x00, 0x3b, 0x2c,
21258 ++ 0x87, 0x10, 0x65, 0x60, 0xdd, 0xd7, 0x56, 0xd1,
21259 ++ 0x4c, 0x64, 0x45, 0xe4, 0x21, 0xec, 0x78, 0xf8,
21260 ++ 0x25, 0x7a, 0x3e, 0x16, 0x5d, 0x09, 0x53, 0x14,
21261 ++ 0xbe, 0x4f, 0xae, 0x87, 0xd8, 0xd1, 0xaa, 0x3c,
21262 ++ 0xf6, 0x3e, 0xa4, 0x70, 0x8c, 0x5e, 0x70, 0xa4,
21263 ++ 0xb3, 0x6b, 0x66, 0x73, 0xd3, 0xbf, 0x31, 0x06,
21264 ++ 0x19, 0x62, 0x93, 0x15, 0xf2, 0x86, 0xe4, 0x52,
21265 ++ 0x7e, 0x53, 0x4c, 0x12, 0x38, 0xcc, 0x34, 0x7d,
21266 ++ 0x57, 0xf6, 0x42, 0x93, 0x8a, 0xc4, 0xee, 0x5c,
21267 ++ 0x8a, 0xe1, 0x52, 0x8f, 0x56, 0x64, 0xf6, 0xa6,
21268 ++ 0xd1, 0x91, 0x57, 0x70, 0xcd, 0x11, 0x76, 0xf5,
21269 ++ 0x59, 0x60, 0x60, 0x3c, 0xc1, 0xc3, 0x0b, 0x7f,
21270 ++ 0x58, 0x1a, 0x50, 0x91, 0xf1, 0x68, 0x8f, 0x6e,
21271 ++ 0x74, 0x74, 0xa8, 0x51, 0x0b, 0xf7, 0x7a, 0x98,
21272 ++ 0x37, 0xf2, 0x0a, 0x0e, 0xa4, 0x97, 0x04, 0xb8,
21273 ++ 0x9b, 0xfd, 0xa0, 0xea, 0xf7, 0x0d, 0xe1, 0xdb,
21274 ++ 0x03, 0xf0, 0x31, 0x29, 0xf8, 0xdd, 0x6b, 0x8b,
21275 ++ 0x5d, 0xd8, 0x59, 0xa9, 0x29, 0xcf, 0x9a, 0x79,
21276 ++ 0x89, 0x19, 0x63, 0x46, 0x09, 0x79, 0x6a, 0x11,
21277 ++ 0xda, 0x63, 0x68, 0x48, 0x77, 0x23, 0xfb, 0x7d,
21278 ++ 0x3a, 0x43, 0xcb, 0x02, 0x3b, 0x7a, 0x6d, 0x10,
21279 ++ 0x2a, 0x9e, 0xac, 0xf1, 0xd4, 0x19, 0xf8, 0x23,
21280 ++ 0x64, 0x1d, 0x2c, 0x5f, 0xf2, 0xb0, 0x5c, 0x23,
21281 ++ 0x27, 0xf7, 0x27, 0x30, 0x16, 0x37, 0xb1, 0x90,
21282 ++ 0xab, 0x38, 0xfb, 0x55, 0xcd, 0x78, 0x58, 0xd4,
21283 ++ 0x7d, 0x43, 0xf6, 0x45, 0x5e, 0x55, 0x8d, 0xb1,
21284 ++ 0x02, 0x65, 0x58, 0xb4, 0x13, 0x4b, 0x36, 0xf7,
21285 ++ 0xcc, 0xfe, 0x3d, 0x0b, 0x82, 0xe2, 0x12, 0x11,
21286 ++ 0xbb, 0xe6, 0xb8, 0x3a, 0x48, 0x71, 0xc7, 0x50,
21287 ++ 0x06, 0x16, 0x3a, 0xe6, 0x7c, 0x05, 0xc7, 0xc8,
21288 ++ 0x4d, 0x2f, 0x08, 0x6a, 0x17, 0x9a, 0x95, 0x97,
21289 ++ 0x50, 0x68, 0xdc, 0x28, 0x18, 0xc4, 0x61, 0x38,
21290 ++ 0xb9, 0xe0, 0x3e, 0x78, 0xdb, 0x29, 0xe0, 0x9f,
21291 ++ 0x52, 0xdd, 0xf8, 0x4f, 0x91, 0xc1, 0xd0, 0x33,
21292 ++ 0xa1, 0x7a, 0x8e, 0x30, 0x13, 0x82, 0x07, 0x9f,
21293 ++ 0xd3, 0x31, 0x0f, 0x23, 0xbe, 0x32, 0x5a, 0x75,
21294 ++ 0xcf, 0x96, 0xb2, 0xec, 0xb5, 0x32, 0xac, 0x21,
21295 ++ 0xd1, 0x82, 0x33, 0xd3, 0x15, 0x74, 0xbd, 0x90,
21296 ++ 0xf1, 0x2c, 0xe6, 0x5f, 0x8d, 0xe3, 0x02, 0xe8,
21297 ++ 0xe9, 0xc4, 0xca, 0x96, 0xeb, 0x0e, 0xbc, 0x91,
21298 ++ 0xf4, 0xb9, 0xea, 0xd9, 0x1b, 0x75, 0xbd, 0xe1,
21299 ++ 0xac, 0x2a, 0x05, 0x37, 0x52, 0x9b, 0x1b, 0x3f,
21300 ++ 0x5a, 0xdc, 0x21, 0xc3, 0x98, 0xbb, 0xaf, 0xa3,
21301 ++ 0xf2, 0x00, 0xbf, 0x0d, 0x30, 0x89, 0x05, 0xcc,
21302 ++ 0xa5, 0x76, 0xf5, 0x06, 0xf0, 0xc6, 0x54, 0x8a,
21303 ++ 0x5d, 0xd4, 0x1e, 0xc1, 0xf2, 0xce, 0xb0, 0x62,
21304 ++ 0xc8, 0xfc, 0x59, 0x42, 0x9a, 0x90, 0x60, 0x55,
21305 ++ 0xfe, 0x88, 0xa5, 0x8b, 0xb8, 0x33, 0x0c, 0x23,
21306 ++ 0x24, 0x0d, 0x15, 0x70, 0x37, 0x1e, 0x3d, 0xf6,
21307 ++ 0xd2, 0xea, 0x92, 0x10, 0xb2, 0xc4, 0x51, 0xac,
21308 ++ 0xf2, 0xac, 0xf3, 0x6b, 0x6c, 0xaa, 0xcf, 0x12,
21309 ++ 0xc5, 0x6c, 0x90, 0x50, 0xb5, 0x0c, 0xfc, 0x1a,
21310 ++ 0x15, 0x52, 0xe9, 0x26, 0xc6, 0x52, 0xa4, 0xe7,
21311 ++ 0x81, 0x69, 0xe1, 0xe7, 0x9e, 0x30, 0x01, 0xec,
21312 ++ 0x84, 0x89, 0xb2, 0x0d, 0x66, 0xdd, 0xce, 0x28,
21313 ++ 0x5c, 0xec, 0x98, 0x46, 0x68, 0x21, 0x9f, 0x88,
21314 ++ 0x3f, 0x1f, 0x42, 0x77, 0xce, 0xd0, 0x61, 0xd4,
21315 ++ 0x20, 0xa7, 0xff, 0x53, 0xad, 0x37, 0xd0, 0x17,
21316 ++ 0x35, 0xc9, 0xfc, 0xba, 0x0a, 0x78, 0x3f, 0xf2,
21317 ++ 0xcc, 0x86, 0x89, 0xe8, 0x4b, 0x3c, 0x48, 0x33,
21318 ++ 0x09, 0x7f, 0xc6, 0xc0, 0xdd, 0xb8, 0xfd, 0x7a,
21319 ++ 0x66, 0x66, 0x65, 0xeb, 0x47, 0xa7, 0x04, 0x28,
21320 ++ 0xa3, 0x19, 0x8e, 0xa9, 0xb1, 0x13, 0x67, 0x62,
21321 ++ 0x70, 0xcf, 0xd6
21322 ++};
21323 ++static const u8 enc_assoc012[] __initconst = {
21324 ++ 0xb1, 0x69, 0x83, 0x87, 0x30, 0xaa, 0x5d, 0xb8,
21325 ++ 0x77, 0xe8, 0x21, 0xff, 0x06, 0x59, 0x35, 0xce,
21326 ++ 0x75, 0xfe, 0x38, 0xef, 0xb8, 0x91, 0x43, 0x8c,
21327 ++ 0xcf, 0x70, 0xdd, 0x0a, 0x68, 0xbf, 0xd4, 0xbc,
21328 ++ 0x16, 0x76, 0x99, 0x36, 0x1e, 0x58, 0x79, 0x5e,
21329 ++ 0xd4, 0x29, 0xf7, 0x33, 0x93, 0x48, 0xdb, 0x5f,
21330 ++ 0x01, 0xae, 0x9c, 0xb6, 0xe4, 0x88, 0x6d, 0x2b,
21331 ++ 0x76, 0x75, 0xe0, 0xf3, 0x74, 0xe2, 0xc9
21332 ++};
21333 ++static const u8 enc_nonce012[] __initconst = {
21334 ++ 0x05, 0xa3, 0x93, 0xed, 0x30, 0xc5, 0xa2, 0x06
21335 ++};
21336 ++static const u8 enc_key012[] __initconst = {
21337 ++ 0xb3, 0x35, 0x50, 0x03, 0x54, 0x2e, 0x40, 0x5e,
21338 ++ 0x8f, 0x59, 0x8e, 0xc5, 0x90, 0xd5, 0x27, 0x2d,
21339 ++ 0xba, 0x29, 0x2e, 0xcb, 0x1b, 0x70, 0x44, 0x1e,
21340 ++ 0x65, 0x91, 0x6e, 0x2a, 0x79, 0x22, 0xda, 0x64
21341 ++};
21342 ++
21343 ++/* wycheproof - rfc7539 */
21344 ++static const u8 enc_input013[] __initconst = {
21345 ++ 0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
21346 ++ 0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
21347 ++ 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
21348 ++ 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
21349 ++ 0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
21350 ++ 0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
21351 ++ 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
21352 ++ 0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
21353 ++ 0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
21354 ++ 0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
21355 ++ 0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
21356 ++ 0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
21357 ++ 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
21358 ++ 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
21359 ++ 0x74, 0x2e
21360 ++};
21361 ++static const u8 enc_output013[] __initconst = {
21362 ++ 0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
21363 ++ 0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
21364 ++ 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
21365 ++ 0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
21366 ++ 0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
21367 ++ 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
21368 ++ 0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
21369 ++ 0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
21370 ++ 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
21371 ++ 0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
21372 ++ 0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
21373 ++ 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
21374 ++ 0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
21375 ++ 0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
21376 ++ 0x61, 0x16, 0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09,
21377 ++ 0xe2, 0x6a, 0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60,
21378 ++ 0x06, 0x91
21379 ++};
21380 ++static const u8 enc_assoc013[] __initconst = {
21381 ++ 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
21382 ++ 0xc4, 0xc5, 0xc6, 0xc7
21383 ++};
21384 ++static const u8 enc_nonce013[] __initconst = {
21385 ++ 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43,
21386 ++ 0x44, 0x45, 0x46, 0x47
21387 ++};
21388 ++static const u8 enc_key013[] __initconst = {
21389 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
21390 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
21391 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
21392 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
21393 ++};
21394 ++
21395 ++/* wycheproof - misc */
21396 ++static const u8 enc_input014[] __initconst = { };
21397 ++static const u8 enc_output014[] __initconst = {
21398 ++ 0x76, 0xac, 0xb3, 0x42, 0xcf, 0x31, 0x66, 0xa5,
21399 ++ 0xb6, 0x3c, 0x0c, 0x0e, 0xa1, 0x38, 0x3c, 0x8d
21400 ++};
21401 ++static const u8 enc_assoc014[] __initconst = { };
21402 ++static const u8 enc_nonce014[] __initconst = {
21403 ++ 0x4d, 0xa5, 0xbf, 0x8d, 0xfd, 0x58, 0x52, 0xc1,
21404 ++ 0xea, 0x12, 0x37, 0x9d
21405 ++};
21406 ++static const u8 enc_key014[] __initconst = {
21407 ++ 0x80, 0xba, 0x31, 0x92, 0xc8, 0x03, 0xce, 0x96,
21408 ++ 0x5e, 0xa3, 0x71, 0xd5, 0xff, 0x07, 0x3c, 0xf0,
21409 ++ 0xf4, 0x3b, 0x6a, 0x2a, 0xb5, 0x76, 0xb2, 0x08,
21410 ++ 0x42, 0x6e, 0x11, 0x40, 0x9c, 0x09, 0xb9, 0xb0
21411 ++};
21412 ++
21413 ++/* wycheproof - misc */
21414 ++static const u8 enc_input015[] __initconst = { };
21415 ++static const u8 enc_output015[] __initconst = {
21416 ++ 0x90, 0x6f, 0xa6, 0x28, 0x4b, 0x52, 0xf8, 0x7b,
21417 ++ 0x73, 0x59, 0xcb, 0xaa, 0x75, 0x63, 0xc7, 0x09
21418 ++};
21419 ++static const u8 enc_assoc015[] __initconst = {
21420 ++ 0xbd, 0x50, 0x67, 0x64, 0xf2, 0xd2, 0xc4, 0x10
21421 ++};
21422 ++static const u8 enc_nonce015[] __initconst = {
21423 ++ 0xa9, 0x2e, 0xf0, 0xac, 0x99, 0x1d, 0xd5, 0x16,
21424 ++ 0xa3, 0xc6, 0xf6, 0x89
21425 ++};
21426 ++static const u8 enc_key015[] __initconst = {
21427 ++ 0x7a, 0x4c, 0xd7, 0x59, 0x17, 0x2e, 0x02, 0xeb,
21428 ++ 0x20, 0x4d, 0xb2, 0xc3, 0xf5, 0xc7, 0x46, 0x22,
21429 ++ 0x7d, 0xf5, 0x84, 0xfc, 0x13, 0x45, 0x19, 0x63,
21430 ++ 0x91, 0xdb, 0xb9, 0x57, 0x7a, 0x25, 0x07, 0x42
21431 ++};
21432 ++
21433 ++/* wycheproof - misc */
21434 ++static const u8 enc_input016[] __initconst = {
21435 ++ 0x2a
21436 ++};
21437 ++static const u8 enc_output016[] __initconst = {
21438 ++ 0x3a, 0xca, 0xc2, 0x7d, 0xec, 0x09, 0x68, 0x80,
21439 ++ 0x1e, 0x9f, 0x6e, 0xde, 0xd6, 0x9d, 0x80, 0x75,
21440 ++ 0x22
21441 ++};
21442 ++static const u8 enc_assoc016[] __initconst = { };
21443 ++static const u8 enc_nonce016[] __initconst = {
21444 ++ 0x99, 0xe2, 0x3e, 0xc4, 0x89, 0x85, 0xbc, 0xcd,
21445 ++ 0xee, 0xab, 0x60, 0xf1
21446 ++};
21447 ++static const u8 enc_key016[] __initconst = {
21448 ++ 0xcc, 0x56, 0xb6, 0x80, 0x55, 0x2e, 0xb7, 0x50,
21449 ++ 0x08, 0xf5, 0x48, 0x4b, 0x4c, 0xb8, 0x03, 0xfa,
21450 ++ 0x50, 0x63, 0xeb, 0xd6, 0xea, 0xb9, 0x1f, 0x6a,
21451 ++ 0xb6, 0xae, 0xf4, 0x91, 0x6a, 0x76, 0x62, 0x73
21452 ++};
21453 ++
21454 ++/* wycheproof - misc */
21455 ++static const u8 enc_input017[] __initconst = {
21456 ++ 0x51
21457 ++};
21458 ++static const u8 enc_output017[] __initconst = {
21459 ++ 0xc4, 0x16, 0x83, 0x10, 0xca, 0x45, 0xb1, 0xf7,
21460 ++ 0xc6, 0x6c, 0xad, 0x4e, 0x99, 0xe4, 0x3f, 0x72,
21461 ++ 0xb9
21462 ++};
21463 ++static const u8 enc_assoc017[] __initconst = {
21464 ++ 0x91, 0xca, 0x6c, 0x59, 0x2c, 0xbc, 0xca, 0x53
21465 ++};
21466 ++static const u8 enc_nonce017[] __initconst = {
21467 ++ 0xab, 0x0d, 0xca, 0x71, 0x6e, 0xe0, 0x51, 0xd2,
21468 ++ 0x78, 0x2f, 0x44, 0x03
21469 ++};
21470 ++static const u8 enc_key017[] __initconst = {
21471 ++ 0x46, 0xf0, 0x25, 0x49, 0x65, 0xf7, 0x69, 0xd5,
21472 ++ 0x2b, 0xdb, 0x4a, 0x70, 0xb4, 0x43, 0x19, 0x9f,
21473 ++ 0x8e, 0xf2, 0x07, 0x52, 0x0d, 0x12, 0x20, 0xc5,
21474 ++ 0x5e, 0x4b, 0x70, 0xf0, 0xfd, 0xa6, 0x20, 0xee
21475 ++};
21476 ++
21477 ++/* wycheproof - misc */
21478 ++static const u8 enc_input018[] __initconst = {
21479 ++ 0x5c, 0x60
21480 ++};
21481 ++static const u8 enc_output018[] __initconst = {
21482 ++ 0x4d, 0x13, 0x91, 0xe8, 0xb6, 0x1e, 0xfb, 0x39,
21483 ++ 0xc1, 0x22, 0x19, 0x54, 0x53, 0x07, 0x7b, 0x22,
21484 ++ 0xe5, 0xe2
21485 ++};
21486 ++static const u8 enc_assoc018[] __initconst = { };
21487 ++static const u8 enc_nonce018[] __initconst = {
21488 ++ 0x46, 0x1a, 0xf1, 0x22, 0xe9, 0xf2, 0xe0, 0x34,
21489 ++ 0x7e, 0x03, 0xf2, 0xdb
21490 ++};
21491 ++static const u8 enc_key018[] __initconst = {
21492 ++ 0x2f, 0x7f, 0x7e, 0x4f, 0x59, 0x2b, 0xb3, 0x89,
21493 ++ 0x19, 0x49, 0x89, 0x74, 0x35, 0x07, 0xbf, 0x3e,
21494 ++ 0xe9, 0xcb, 0xde, 0x17, 0x86, 0xb6, 0x69, 0x5f,
21495 ++ 0xe6, 0xc0, 0x25, 0xfd, 0x9b, 0xa4, 0xc1, 0x00
21496 ++};
21497 ++
21498 ++/* wycheproof - misc */
21499 ++static const u8 enc_input019[] __initconst = {
21500 ++ 0xdd, 0xf2
21501 ++};
21502 ++static const u8 enc_output019[] __initconst = {
21503 ++ 0xb6, 0x0d, 0xea, 0xd0, 0xfd, 0x46, 0x97, 0xec,
21504 ++ 0x2e, 0x55, 0x58, 0x23, 0x77, 0x19, 0xd0, 0x24,
21505 ++ 0x37, 0xa2
21506 ++};
21507 ++static const u8 enc_assoc019[] __initconst = {
21508 ++ 0x88, 0x36, 0x4f, 0xc8, 0x06, 0x05, 0x18, 0xbf
21509 ++};
21510 ++static const u8 enc_nonce019[] __initconst = {
21511 ++ 0x61, 0x54, 0x6b, 0xa5, 0xf1, 0x72, 0x05, 0x90,
21512 ++ 0xb6, 0x04, 0x0a, 0xc6
21513 ++};
21514 ++static const u8 enc_key019[] __initconst = {
21515 ++ 0xc8, 0x83, 0x3d, 0xce, 0x5e, 0xa9, 0xf2, 0x48,
21516 ++ 0xaa, 0x20, 0x30, 0xea, 0xcf, 0xe7, 0x2b, 0xff,
21517 ++ 0xe6, 0x9a, 0x62, 0x0c, 0xaf, 0x79, 0x33, 0x44,
21518 ++ 0xe5, 0x71, 0x8f, 0xe0, 0xd7, 0xab, 0x1a, 0x58
21519 ++};
21520 ++
21521 ++/* wycheproof - misc */
21522 ++static const u8 enc_input020[] __initconst = {
21523 ++ 0xab, 0x85, 0xe9, 0xc1, 0x57, 0x17, 0x31
21524 ++};
21525 ++static const u8 enc_output020[] __initconst = {
21526 ++ 0x5d, 0xfe, 0x34, 0x40, 0xdb, 0xb3, 0xc3, 0xed,
21527 ++ 0x7a, 0x43, 0x4e, 0x26, 0x02, 0xd3, 0x94, 0x28,
21528 ++ 0x1e, 0x0a, 0xfa, 0x9f, 0xb7, 0xaa, 0x42
21529 ++};
21530 ++static const u8 enc_assoc020[] __initconst = { };
21531 ++static const u8 enc_nonce020[] __initconst = {
21532 ++ 0x3c, 0x4e, 0x65, 0x4d, 0x66, 0x3f, 0xa4, 0x59,
21533 ++ 0x6d, 0xc5, 0x5b, 0xb7
21534 ++};
21535 ++static const u8 enc_key020[] __initconst = {
21536 ++ 0x55, 0x56, 0x81, 0x58, 0xd3, 0xa6, 0x48, 0x3f,
21537 ++ 0x1f, 0x70, 0x21, 0xea, 0xb6, 0x9b, 0x70, 0x3f,
21538 ++ 0x61, 0x42, 0x51, 0xca, 0xdc, 0x1a, 0xf5, 0xd3,
21539 ++ 0x4a, 0x37, 0x4f, 0xdb, 0xfc, 0x5a, 0xda, 0xc7
21540 ++};
21541 ++
21542 ++/* wycheproof - misc */
21543 ++static const u8 enc_input021[] __initconst = {
21544 ++ 0x4e, 0xe5, 0xcd, 0xa2, 0x0d, 0x42, 0x90
21545 ++};
21546 ++static const u8 enc_output021[] __initconst = {
21547 ++ 0x4b, 0xd4, 0x72, 0x12, 0x94, 0x1c, 0xe3, 0x18,
21548 ++ 0x5f, 0x14, 0x08, 0xee, 0x7f, 0xbf, 0x18, 0xf5,
21549 ++ 0xab, 0xad, 0x6e, 0x22, 0x53, 0xa1, 0xba
21550 ++};
21551 ++static const u8 enc_assoc021[] __initconst = {
21552 ++ 0x84, 0xe4, 0x6b, 0xe8, 0xc0, 0x91, 0x90, 0x53
21553 ++};
21554 ++static const u8 enc_nonce021[] __initconst = {
21555 ++ 0x58, 0x38, 0x93, 0x75, 0xc6, 0x9e, 0xe3, 0x98,
21556 ++ 0xde, 0x94, 0x83, 0x96
21557 ++};
21558 ++static const u8 enc_key021[] __initconst = {
21559 ++ 0xe3, 0xc0, 0x9e, 0x7f, 0xab, 0x1a, 0xef, 0xb5,
21560 ++ 0x16, 0xda, 0x6a, 0x33, 0x02, 0x2a, 0x1d, 0xd4,
21561 ++ 0xeb, 0x27, 0x2c, 0x80, 0xd5, 0x40, 0xc5, 0xda,
21562 ++ 0x52, 0xa7, 0x30, 0xf3, 0x4d, 0x84, 0x0d, 0x7f
21563 ++};
21564 ++
21565 ++/* wycheproof - misc */
21566 ++static const u8 enc_input022[] __initconst = {
21567 ++ 0xbe, 0x33, 0x08, 0xf7, 0x2a, 0x2c, 0x6a, 0xed
21568 ++};
21569 ++static const u8 enc_output022[] __initconst = {
21570 ++ 0x8e, 0x94, 0x39, 0xa5, 0x6e, 0xee, 0xc8, 0x17,
21571 ++ 0xfb, 0xe8, 0xa6, 0xed, 0x8f, 0xab, 0xb1, 0x93,
21572 ++ 0x75, 0x39, 0xdd, 0x6c, 0x00, 0xe9, 0x00, 0x21
21573 ++};
21574 ++static const u8 enc_assoc022[] __initconst = { };
21575 ++static const u8 enc_nonce022[] __initconst = {
21576 ++ 0x4f, 0x07, 0xaf, 0xed, 0xfd, 0xc3, 0xb6, 0xc2,
21577 ++ 0x36, 0x18, 0x23, 0xd3
21578 ++};
21579 ++static const u8 enc_key022[] __initconst = {
21580 ++ 0x51, 0xe4, 0xbf, 0x2b, 0xad, 0x92, 0xb7, 0xaf,
21581 ++ 0xf1, 0xa4, 0xbc, 0x05, 0x55, 0x0b, 0xa8, 0x1d,
21582 ++ 0xf4, 0xb9, 0x6f, 0xab, 0xf4, 0x1c, 0x12, 0xc7,
21583 ++ 0xb0, 0x0e, 0x60, 0xe4, 0x8d, 0xb7, 0xe1, 0x52
21584 ++};
21585 ++
21586 ++/* wycheproof - misc */
21587 ++static const u8 enc_input023[] __initconst = {
21588 ++ 0xa4, 0xc9, 0xc2, 0x80, 0x1b, 0x71, 0xf7, 0xdf
21589 ++};
21590 ++static const u8 enc_output023[] __initconst = {
21591 ++ 0xb9, 0xb9, 0x10, 0x43, 0x3a, 0xf0, 0x52, 0xb0,
21592 ++ 0x45, 0x30, 0xf5, 0x1a, 0xee, 0xe0, 0x24, 0xe0,
21593 ++ 0xa4, 0x45, 0xa6, 0x32, 0x8f, 0xa6, 0x7a, 0x18
21594 ++};
21595 ++static const u8 enc_assoc023[] __initconst = {
21596 ++ 0x66, 0xc0, 0xae, 0x70, 0x07, 0x6c, 0xb1, 0x4d
21597 ++};
21598 ++static const u8 enc_nonce023[] __initconst = {
21599 ++ 0xb4, 0xea, 0x66, 0x6e, 0xe1, 0x19, 0x56, 0x33,
21600 ++ 0x66, 0x48, 0x4a, 0x78
21601 ++};
21602 ++static const u8 enc_key023[] __initconst = {
21603 ++ 0x11, 0x31, 0xc1, 0x41, 0x85, 0x77, 0xa0, 0x54,
21604 ++ 0xde, 0x7a, 0x4a, 0xc5, 0x51, 0x95, 0x0f, 0x1a,
21605 ++ 0x05, 0x3f, 0x9a, 0xe4, 0x6e, 0x5b, 0x75, 0xfe,
21606 ++ 0x4a, 0xbd, 0x56, 0x08, 0xd7, 0xcd, 0xda, 0xdd
21607 ++};
21608 ++
21609 ++/* wycheproof - misc */
21610 ++static const u8 enc_input024[] __initconst = {
21611 ++ 0x42, 0xba, 0xae, 0x59, 0x78, 0xfe, 0xaf, 0x5c,
21612 ++ 0x36, 0x8d, 0x14, 0xe0
21613 ++};
21614 ++static const u8 enc_output024[] __initconst = {
21615 ++ 0xff, 0x7d, 0xc2, 0x03, 0xb2, 0x6c, 0x46, 0x7a,
21616 ++ 0x6b, 0x50, 0xdb, 0x33, 0x57, 0x8c, 0x0f, 0x27,
21617 ++ 0x58, 0xc2, 0xe1, 0x4e, 0x36, 0xd4, 0xfc, 0x10,
21618 ++ 0x6d, 0xcb, 0x29, 0xb4
21619 ++};
21620 ++static const u8 enc_assoc024[] __initconst = { };
21621 ++static const u8 enc_nonce024[] __initconst = {
21622 ++ 0x9a, 0x59, 0xfc, 0xe2, 0x6d, 0xf0, 0x00, 0x5e,
21623 ++ 0x07, 0x53, 0x86, 0x56
21624 ++};
21625 ++static const u8 enc_key024[] __initconst = {
21626 ++ 0x99, 0xb6, 0x2b, 0xd5, 0xaf, 0xbe, 0x3f, 0xb0,
21627 ++ 0x15, 0xbd, 0xe9, 0x3f, 0x0a, 0xbf, 0x48, 0x39,
21628 ++ 0x57, 0xa1, 0xc3, 0xeb, 0x3c, 0xa5, 0x9c, 0xb5,
21629 ++ 0x0b, 0x39, 0xf7, 0xf8, 0xa9, 0xcc, 0x51, 0xbe
21630 ++};
21631 ++
21632 ++/* wycheproof - misc */
21633 ++static const u8 enc_input025[] __initconst = {
21634 ++ 0xfd, 0xc8, 0x5b, 0x94, 0xa4, 0xb2, 0xa6, 0xb7,
21635 ++ 0x59, 0xb1, 0xa0, 0xda
21636 ++};
21637 ++static const u8 enc_output025[] __initconst = {
21638 ++ 0x9f, 0x88, 0x16, 0xde, 0x09, 0x94, 0xe9, 0x38,
21639 ++ 0xd9, 0xe5, 0x3f, 0x95, 0xd0, 0x86, 0xfc, 0x6c,
21640 ++ 0x9d, 0x8f, 0xa9, 0x15, 0xfd, 0x84, 0x23, 0xa7,
21641 ++ 0xcf, 0x05, 0x07, 0x2f
21642 ++};
21643 ++static const u8 enc_assoc025[] __initconst = {
21644 ++ 0xa5, 0x06, 0xe1, 0xa5, 0xc6, 0x90, 0x93, 0xf9
21645 ++};
21646 ++static const u8 enc_nonce025[] __initconst = {
21647 ++ 0x58, 0xdb, 0xd4, 0xad, 0x2c, 0x4a, 0xd3, 0x5d,
21648 ++ 0xd9, 0x06, 0xe9, 0xce
21649 ++};
21650 ++static const u8 enc_key025[] __initconst = {
21651 ++ 0x85, 0xf3, 0x5b, 0x62, 0x82, 0xcf, 0xf4, 0x40,
21652 ++ 0xbc, 0x10, 0x20, 0xc8, 0x13, 0x6f, 0xf2, 0x70,
21653 ++ 0x31, 0x11, 0x0f, 0xa6, 0x3e, 0xc1, 0x6f, 0x1e,
21654 ++ 0x82, 0x51, 0x18, 0xb0, 0x06, 0xb9, 0x12, 0x57
21655 ++};
21656 ++
21657 ++/* wycheproof - misc */
21658 ++static const u8 enc_input026[] __initconst = {
21659 ++ 0x51, 0xf8, 0xc1, 0xf7, 0x31, 0xea, 0x14, 0xac,
21660 ++ 0xdb, 0x21, 0x0a, 0x6d, 0x97, 0x3e, 0x07
21661 ++};
21662 ++static const u8 enc_output026[] __initconst = {
21663 ++ 0x0b, 0x29, 0x63, 0x8e, 0x1f, 0xbd, 0xd6, 0xdf,
21664 ++ 0x53, 0x97, 0x0b, 0xe2, 0x21, 0x00, 0x42, 0x2a,
21665 ++ 0x91, 0x34, 0x08, 0x7d, 0x67, 0xa4, 0x6e, 0x79,
21666 ++ 0x17, 0x8d, 0x0a, 0x93, 0xf5, 0xe1, 0xd2
21667 ++};
21668 ++static const u8 enc_assoc026[] __initconst = { };
21669 ++static const u8 enc_nonce026[] __initconst = {
21670 ++ 0x68, 0xab, 0x7f, 0xdb, 0xf6, 0x19, 0x01, 0xda,
21671 ++ 0xd4, 0x61, 0xd2, 0x3c
21672 ++};
21673 ++static const u8 enc_key026[] __initconst = {
21674 ++ 0x67, 0x11, 0x96, 0x27, 0xbd, 0x98, 0x8e, 0xda,
21675 ++ 0x90, 0x62, 0x19, 0xe0, 0x8c, 0x0d, 0x0d, 0x77,
21676 ++ 0x9a, 0x07, 0xd2, 0x08, 0xce, 0x8a, 0x4f, 0xe0,
21677 ++ 0x70, 0x9a, 0xf7, 0x55, 0xee, 0xec, 0x6d, 0xcb
21678 ++};
21679 ++
21680 ++/* wycheproof - misc */
21681 ++static const u8 enc_input027[] __initconst = {
21682 ++ 0x97, 0x46, 0x9d, 0xa6, 0x67, 0xd6, 0x11, 0x0f,
21683 ++ 0x9c, 0xbd, 0xa1, 0xd1, 0xa2, 0x06, 0x73
21684 ++};
21685 ++static const u8 enc_output027[] __initconst = {
21686 ++ 0x32, 0xdb, 0x66, 0xc4, 0xa3, 0x81, 0x9d, 0x81,
21687 ++ 0x55, 0x74, 0x55, 0xe5, 0x98, 0x0f, 0xed, 0xfe,
21688 ++ 0xae, 0x30, 0xde, 0xc9, 0x4e, 0x6a, 0xd3, 0xa9,
21689 ++ 0xee, 0xa0, 0x6a, 0x0d, 0x70, 0x39, 0x17
21690 ++};
21691 ++static const u8 enc_assoc027[] __initconst = {
21692 ++ 0x64, 0x53, 0xa5, 0x33, 0x84, 0x63, 0x22, 0x12
21693 ++};
21694 ++static const u8 enc_nonce027[] __initconst = {
21695 ++ 0xd9, 0x5b, 0x32, 0x43, 0xaf, 0xae, 0xf7, 0x14,
21696 ++ 0xc5, 0x03, 0x5b, 0x6a
21697 ++};
21698 ++static const u8 enc_key027[] __initconst = {
21699 ++ 0xe6, 0xf1, 0x11, 0x8d, 0x41, 0xe4, 0xb4, 0x3f,
21700 ++ 0xb5, 0x82, 0x21, 0xb7, 0xed, 0x79, 0x67, 0x38,
21701 ++ 0x34, 0xe0, 0xd8, 0xac, 0x5c, 0x4f, 0xa6, 0x0b,
21702 ++ 0xbc, 0x8b, 0xc4, 0x89, 0x3a, 0x58, 0x89, 0x4d
21703 ++};
21704 ++
21705 ++/* wycheproof - misc */
21706 ++static const u8 enc_input028[] __initconst = {
21707 ++ 0x54, 0x9b, 0x36, 0x5a, 0xf9, 0x13, 0xf3, 0xb0,
21708 ++ 0x81, 0x13, 0x1c, 0xcb, 0x6b, 0x82, 0x55, 0x88
21709 ++};
21710 ++static const u8 enc_output028[] __initconst = {
21711 ++ 0xe9, 0x11, 0x0e, 0x9f, 0x56, 0xab, 0x3c, 0xa4,
21712 ++ 0x83, 0x50, 0x0c, 0xea, 0xba, 0xb6, 0x7a, 0x13,
21713 ++ 0x83, 0x6c, 0xca, 0xbf, 0x15, 0xa6, 0xa2, 0x2a,
21714 ++ 0x51, 0xc1, 0x07, 0x1c, 0xfa, 0x68, 0xfa, 0x0c
21715 ++};
21716 ++static const u8 enc_assoc028[] __initconst = { };
21717 ++static const u8 enc_nonce028[] __initconst = {
21718 ++ 0x2f, 0xcb, 0x1b, 0x38, 0xa9, 0x9e, 0x71, 0xb8,
21719 ++ 0x47, 0x40, 0xad, 0x9b
21720 ++};
21721 ++static const u8 enc_key028[] __initconst = {
21722 ++ 0x59, 0xd4, 0xea, 0xfb, 0x4d, 0xe0, 0xcf, 0xc7,
21723 ++ 0xd3, 0xdb, 0x99, 0xa8, 0xf5, 0x4b, 0x15, 0xd7,
21724 ++ 0xb3, 0x9f, 0x0a, 0xcc, 0x8d, 0xa6, 0x97, 0x63,
21725 ++ 0xb0, 0x19, 0xc1, 0x69, 0x9f, 0x87, 0x67, 0x4a
21726 ++};
21727 ++
21728 ++/* wycheproof - misc */
21729 ++static const u8 enc_input029[] __initconst = {
21730 ++ 0x55, 0xa4, 0x65, 0x64, 0x4f, 0x5b, 0x65, 0x09,
21731 ++ 0x28, 0xcb, 0xee, 0x7c, 0x06, 0x32, 0x14, 0xd6
21732 ++};
21733 ++static const u8 enc_output029[] __initconst = {
21734 ++ 0xe4, 0xb1, 0x13, 0xcb, 0x77, 0x59, 0x45, 0xf3,
21735 ++ 0xd3, 0xa8, 0xae, 0x9e, 0xc1, 0x41, 0xc0, 0x0c,
21736 ++ 0x7c, 0x43, 0xf1, 0x6c, 0xe0, 0x96, 0xd0, 0xdc,
21737 ++ 0x27, 0xc9, 0x58, 0x49, 0xdc, 0x38, 0x3b, 0x7d
21738 ++};
21739 ++static const u8 enc_assoc029[] __initconst = {
21740 ++ 0x03, 0x45, 0x85, 0x62, 0x1a, 0xf8, 0xd7, 0xff
21741 ++};
21742 ++static const u8 enc_nonce029[] __initconst = {
21743 ++ 0x11, 0x8a, 0x69, 0x64, 0xc2, 0xd3, 0xe3, 0x80,
21744 ++ 0x07, 0x1f, 0x52, 0x66
21745 ++};
21746 ++static const u8 enc_key029[] __initconst = {
21747 ++ 0xb9, 0x07, 0xa4, 0x50, 0x75, 0x51, 0x3f, 0xe8,
21748 ++ 0xa8, 0x01, 0x9e, 0xde, 0xe3, 0xf2, 0x59, 0x14,
21749 ++ 0x87, 0xb2, 0xa0, 0x30, 0xb0, 0x3c, 0x6e, 0x1d,
21750 ++ 0x77, 0x1c, 0x86, 0x25, 0x71, 0xd2, 0xea, 0x1e
21751 ++};
21752 ++
21753 ++/* wycheproof - misc */
21754 ++static const u8 enc_input030[] __initconst = {
21755 ++ 0x3f, 0xf1, 0x51, 0x4b, 0x1c, 0x50, 0x39, 0x15,
21756 ++ 0x91, 0x8f, 0x0c, 0x0c, 0x31, 0x09, 0x4a, 0x6e,
21757 ++ 0x1f
21758 ++};
21759 ++static const u8 enc_output030[] __initconst = {
21760 ++ 0x02, 0xcc, 0x3a, 0xcb, 0x5e, 0xe1, 0xfc, 0xdd,
21761 ++ 0x12, 0xa0, 0x3b, 0xb8, 0x57, 0x97, 0x64, 0x74,
21762 ++ 0xd3, 0xd8, 0x3b, 0x74, 0x63, 0xa2, 0xc3, 0x80,
21763 ++ 0x0f, 0xe9, 0x58, 0xc2, 0x8e, 0xaa, 0x29, 0x08,
21764 ++ 0x13
21765 ++};
21766 ++static const u8 enc_assoc030[] __initconst = { };
21767 ++static const u8 enc_nonce030[] __initconst = {
21768 ++ 0x45, 0xaa, 0xa3, 0xe5, 0xd1, 0x6d, 0x2d, 0x42,
21769 ++ 0xdc, 0x03, 0x44, 0x5d
21770 ++};
21771 ++static const u8 enc_key030[] __initconst = {
21772 ++ 0x3b, 0x24, 0x58, 0xd8, 0x17, 0x6e, 0x16, 0x21,
21773 ++ 0xc0, 0xcc, 0x24, 0xc0, 0xc0, 0xe2, 0x4c, 0x1e,
21774 ++ 0x80, 0xd7, 0x2f, 0x7e, 0xe9, 0x14, 0x9a, 0x4b,
21775 ++ 0x16, 0x61, 0x76, 0x62, 0x96, 0x16, 0xd0, 0x11
21776 ++};
21777 ++
21778 ++/* wycheproof - misc */
21779 ++static const u8 enc_input031[] __initconst = {
21780 ++ 0x63, 0x85, 0x8c, 0xa3, 0xe2, 0xce, 0x69, 0x88,
21781 ++ 0x7b, 0x57, 0x8a, 0x3c, 0x16, 0x7b, 0x42, 0x1c,
21782 ++ 0x9c
21783 ++};
21784 ++static const u8 enc_output031[] __initconst = {
21785 ++ 0x35, 0x76, 0x64, 0x88, 0xd2, 0xbc, 0x7c, 0x2b,
21786 ++ 0x8d, 0x17, 0xcb, 0xbb, 0x9a, 0xbf, 0xad, 0x9e,
21787 ++ 0x6d, 0x1f, 0x39, 0x1e, 0x65, 0x7b, 0x27, 0x38,
21788 ++ 0xdd, 0xa0, 0x84, 0x48, 0xcb, 0xa2, 0x81, 0x1c,
21789 ++ 0xeb
21790 ++};
21791 ++static const u8 enc_assoc031[] __initconst = {
21792 ++ 0x9a, 0xaf, 0x29, 0x9e, 0xee, 0xa7, 0x8f, 0x79
21793 ++};
21794 ++static const u8 enc_nonce031[] __initconst = {
21795 ++ 0xf0, 0x38, 0x4f, 0xb8, 0x76, 0x12, 0x14, 0x10,
21796 ++ 0x63, 0x3d, 0x99, 0x3d
21797 ++};
21798 ++static const u8 enc_key031[] __initconst = {
21799 ++ 0xf6, 0x0c, 0x6a, 0x1b, 0x62, 0x57, 0x25, 0xf7,
21800 ++ 0x6c, 0x70, 0x37, 0xb4, 0x8f, 0xe3, 0x57, 0x7f,
21801 ++ 0xa7, 0xf7, 0xb8, 0x7b, 0x1b, 0xd5, 0xa9, 0x82,
21802 ++ 0x17, 0x6d, 0x18, 0x23, 0x06, 0xff, 0xb8, 0x70
21803 ++};
21804 ++
21805 ++/* wycheproof - misc */
21806 ++static const u8 enc_input032[] __initconst = {
21807 ++ 0x10, 0xf1, 0xec, 0xf9, 0xc6, 0x05, 0x84, 0x66,
21808 ++ 0x5d, 0x9a, 0xe5, 0xef, 0xe2, 0x79, 0xe7, 0xf7,
21809 ++ 0x37, 0x7e, 0xea, 0x69, 0x16, 0xd2, 0xb1, 0x11
21810 ++};
21811 ++static const u8 enc_output032[] __initconst = {
21812 ++ 0x42, 0xf2, 0x6c, 0x56, 0xcb, 0x4b, 0xe2, 0x1d,
21813 ++ 0x9d, 0x8d, 0x0c, 0x80, 0xfc, 0x99, 0xdd, 0xe0,
21814 ++ 0x0d, 0x75, 0xf3, 0x80, 0x74, 0xbf, 0xe7, 0x64,
21815 ++ 0x54, 0xaa, 0x7e, 0x13, 0xd4, 0x8f, 0xff, 0x7d,
21816 ++ 0x75, 0x57, 0x03, 0x94, 0x57, 0x04, 0x0a, 0x3a
21817 ++};
21818 ++static const u8 enc_assoc032[] __initconst = { };
21819 ++static const u8 enc_nonce032[] __initconst = {
21820 ++ 0xe6, 0xb1, 0xad, 0xf2, 0xfd, 0x58, 0xa8, 0x76,
21821 ++ 0x2c, 0x65, 0xf3, 0x1b
21822 ++};
21823 ++static const u8 enc_key032[] __initconst = {
21824 ++ 0x02, 0x12, 0xa8, 0xde, 0x50, 0x07, 0xed, 0x87,
21825 ++ 0xb3, 0x3f, 0x1a, 0x70, 0x90, 0xb6, 0x11, 0x4f,
21826 ++ 0x9e, 0x08, 0xce, 0xfd, 0x96, 0x07, 0xf2, 0xc2,
21827 ++ 0x76, 0xbd, 0xcf, 0xdb, 0xc5, 0xce, 0x9c, 0xd7
21828 ++};
21829 ++
21830 ++/* wycheproof - misc */
21831 ++static const u8 enc_input033[] __initconst = {
21832 ++ 0x92, 0x22, 0xf9, 0x01, 0x8e, 0x54, 0xfd, 0x6d,
21833 ++ 0xe1, 0x20, 0x08, 0x06, 0xa9, 0xee, 0x8e, 0x4c,
21834 ++ 0xc9, 0x04, 0xd2, 0x9f, 0x25, 0xcb, 0xa1, 0x93
21835 ++};
21836 ++static const u8 enc_output033[] __initconst = {
21837 ++ 0x12, 0x30, 0x32, 0x43, 0x7b, 0x4b, 0xfd, 0x69,
21838 ++ 0x20, 0xe8, 0xf7, 0xe7, 0xe0, 0x08, 0x7a, 0xe4,
21839 ++ 0x88, 0x9e, 0xbe, 0x7a, 0x0a, 0xd0, 0xe9, 0x00,
21840 ++ 0x3c, 0xf6, 0x8f, 0x17, 0x95, 0x50, 0xda, 0x63,
21841 ++ 0xd3, 0xb9, 0x6c, 0x2d, 0x55, 0x41, 0x18, 0x65
21842 ++};
21843 ++static const u8 enc_assoc033[] __initconst = {
21844 ++ 0x3e, 0x8b, 0xc5, 0xad, 0xe1, 0x82, 0xff, 0x08
21845 ++};
21846 ++static const u8 enc_nonce033[] __initconst = {
21847 ++ 0x6b, 0x28, 0x2e, 0xbe, 0xcc, 0x54, 0x1b, 0xcd,
21848 ++ 0x78, 0x34, 0xed, 0x55
21849 ++};
21850 ++static const u8 enc_key033[] __initconst = {
21851 ++ 0xc5, 0xbc, 0x09, 0x56, 0x56, 0x46, 0xe7, 0xed,
21852 ++ 0xda, 0x95, 0x4f, 0x1f, 0x73, 0x92, 0x23, 0xda,
21853 ++ 0xda, 0x20, 0xb9, 0x5c, 0x44, 0xab, 0x03, 0x3d,
21854 ++ 0x0f, 0xae, 0x4b, 0x02, 0x83, 0xd1, 0x8b, 0xe3
21855 ++};
21856 ++
21857 ++/* wycheproof - misc */
21858 ++static const u8 enc_input034[] __initconst = {
21859 ++ 0xb0, 0x53, 0x99, 0x92, 0x86, 0xa2, 0x82, 0x4f,
21860 ++ 0x42, 0xcc, 0x8c, 0x20, 0x3a, 0xb2, 0x4e, 0x2c,
21861 ++ 0x97, 0xa6, 0x85, 0xad, 0xcc, 0x2a, 0xd3, 0x26,
21862 ++ 0x62, 0x55, 0x8e, 0x55, 0xa5, 0xc7, 0x29
21863 ++};
21864 ++static const u8 enc_output034[] __initconst = {
21865 ++ 0x45, 0xc7, 0xd6, 0xb5, 0x3a, 0xca, 0xd4, 0xab,
21866 ++ 0xb6, 0x88, 0x76, 0xa6, 0xe9, 0x6a, 0x48, 0xfb,
21867 ++ 0x59, 0x52, 0x4d, 0x2c, 0x92, 0xc9, 0xd8, 0xa1,
21868 ++ 0x89, 0xc9, 0xfd, 0x2d, 0xb9, 0x17, 0x46, 0x56,
21869 ++ 0x6d, 0x3c, 0xa1, 0x0e, 0x31, 0x1b, 0x69, 0x5f,
21870 ++ 0x3e, 0xae, 0x15, 0x51, 0x65, 0x24, 0x93
21871 ++};
21872 ++static const u8 enc_assoc034[] __initconst = { };
21873 ++static const u8 enc_nonce034[] __initconst = {
21874 ++ 0x04, 0xa9, 0xbe, 0x03, 0x50, 0x8a, 0x5f, 0x31,
21875 ++ 0x37, 0x1a, 0x6f, 0xd2
21876 ++};
21877 ++static const u8 enc_key034[] __initconst = {
21878 ++ 0x2e, 0xb5, 0x1c, 0x46, 0x9a, 0xa8, 0xeb, 0x9e,
21879 ++ 0x6c, 0x54, 0xa8, 0x34, 0x9b, 0xae, 0x50, 0xa2,
21880 ++ 0x0f, 0x0e, 0x38, 0x27, 0x11, 0xbb, 0xa1, 0x15,
21881 ++ 0x2c, 0x42, 0x4f, 0x03, 0xb6, 0x67, 0x1d, 0x71
21882 ++};
21883 ++
21884 ++/* wycheproof - misc */
21885 ++static const u8 enc_input035[] __initconst = {
21886 ++ 0xf4, 0x52, 0x06, 0xab, 0xc2, 0x55, 0x52, 0xb2,
21887 ++ 0xab, 0xc9, 0xab, 0x7f, 0xa2, 0x43, 0x03, 0x5f,
21888 ++ 0xed, 0xaa, 0xdd, 0xc3, 0xb2, 0x29, 0x39, 0x56,
21889 ++ 0xf1, 0xea, 0x6e, 0x71, 0x56, 0xe7, 0xeb
21890 ++};
21891 ++static const u8 enc_output035[] __initconst = {
21892 ++ 0x46, 0xa8, 0x0c, 0x41, 0x87, 0x02, 0x47, 0x20,
21893 ++ 0x08, 0x46, 0x27, 0x58, 0x00, 0x80, 0xdd, 0xe5,
21894 ++ 0xa3, 0xf4, 0xa1, 0x10, 0x93, 0xa7, 0x07, 0x6e,
21895 ++ 0xd6, 0xf3, 0xd3, 0x26, 0xbc, 0x7b, 0x70, 0x53,
21896 ++ 0x4d, 0x4a, 0xa2, 0x83, 0x5a, 0x52, 0xe7, 0x2d,
21897 ++ 0x14, 0xdf, 0x0e, 0x4f, 0x47, 0xf2, 0x5f
21898 ++};
21899 ++static const u8 enc_assoc035[] __initconst = {
21900 ++ 0x37, 0x46, 0x18, 0xa0, 0x6e, 0xa9, 0x8a, 0x48
21901 ++};
21902 ++static const u8 enc_nonce035[] __initconst = {
21903 ++ 0x47, 0x0a, 0x33, 0x9e, 0xcb, 0x32, 0x19, 0xb8,
21904 ++ 0xb8, 0x1a, 0x1f, 0x8b
21905 ++};
21906 ++static const u8 enc_key035[] __initconst = {
21907 ++ 0x7f, 0x5b, 0x74, 0xc0, 0x7e, 0xd1, 0xb4, 0x0f,
21908 ++ 0xd1, 0x43, 0x58, 0xfe, 0x2f, 0xf2, 0xa7, 0x40,
21909 ++ 0xc1, 0x16, 0xc7, 0x70, 0x65, 0x10, 0xe6, 0xa4,
21910 ++ 0x37, 0xf1, 0x9e, 0xa4, 0x99, 0x11, 0xce, 0xc4
21911 ++};
21912 ++
21913 ++/* wycheproof - misc */
21914 ++static const u8 enc_input036[] __initconst = {
21915 ++ 0xb9, 0xc5, 0x54, 0xcb, 0xc3, 0x6a, 0xc1, 0x8a,
21916 ++ 0xe8, 0x97, 0xdf, 0x7b, 0xee, 0xca, 0xc1, 0xdb,
21917 ++ 0xeb, 0x4e, 0xaf, 0xa1, 0x56, 0xbb, 0x60, 0xce,
21918 ++ 0x2e, 0x5d, 0x48, 0xf0, 0x57, 0x15, 0xe6, 0x78
21919 ++};
21920 ++static const u8 enc_output036[] __initconst = {
21921 ++ 0xea, 0x29, 0xaf, 0xa4, 0x9d, 0x36, 0xe8, 0x76,
21922 ++ 0x0f, 0x5f, 0xe1, 0x97, 0x23, 0xb9, 0x81, 0x1e,
21923 ++ 0xd5, 0xd5, 0x19, 0x93, 0x4a, 0x44, 0x0f, 0x50,
21924 ++ 0x81, 0xac, 0x43, 0x0b, 0x95, 0x3b, 0x0e, 0x21,
21925 ++ 0x22, 0x25, 0x41, 0xaf, 0x46, 0xb8, 0x65, 0x33,
21926 ++ 0xc6, 0xb6, 0x8d, 0x2f, 0xf1, 0x08, 0xa7, 0xea
21927 ++};
21928 ++static const u8 enc_assoc036[] __initconst = { };
21929 ++static const u8 enc_nonce036[] __initconst = {
21930 ++ 0x72, 0xcf, 0xd9, 0x0e, 0xf3, 0x02, 0x6c, 0xa2,
21931 ++ 0x2b, 0x7e, 0x6e, 0x6a
21932 ++};
21933 ++static const u8 enc_key036[] __initconst = {
21934 ++ 0xe1, 0x73, 0x1d, 0x58, 0x54, 0xe1, 0xb7, 0x0c,
21935 ++ 0xb3, 0xff, 0xe8, 0xb7, 0x86, 0xa2, 0xb3, 0xeb,
21936 ++ 0xf0, 0x99, 0x43, 0x70, 0x95, 0x47, 0x57, 0xb9,
21937 ++ 0xdc, 0x8c, 0x7b, 0xc5, 0x35, 0x46, 0x34, 0xa3
21938 ++};
21939 ++
21940 ++/* wycheproof - misc */
21941 ++static const u8 enc_input037[] __initconst = {
21942 ++ 0x6b, 0x26, 0x04, 0x99, 0x6c, 0xd3, 0x0c, 0x14,
21943 ++ 0xa1, 0x3a, 0x52, 0x57, 0xed, 0x6c, 0xff, 0xd3,
21944 ++ 0xbc, 0x5e, 0x29, 0xd6, 0xb9, 0x7e, 0xb1, 0x79,
21945 ++ 0x9e, 0xb3, 0x35, 0xe2, 0x81, 0xea, 0x45, 0x1e
21946 ++};
21947 ++static const u8 enc_output037[] __initconst = {
21948 ++ 0x6d, 0xad, 0x63, 0x78, 0x97, 0x54, 0x4d, 0x8b,
21949 ++ 0xf6, 0xbe, 0x95, 0x07, 0xed, 0x4d, 0x1b, 0xb2,
21950 ++ 0xe9, 0x54, 0xbc, 0x42, 0x7e, 0x5d, 0xe7, 0x29,
21951 ++ 0xda, 0xf5, 0x07, 0x62, 0x84, 0x6f, 0xf2, 0xf4,
21952 ++ 0x7b, 0x99, 0x7d, 0x93, 0xc9, 0x82, 0x18, 0x9d,
21953 ++ 0x70, 0x95, 0xdc, 0x79, 0x4c, 0x74, 0x62, 0x32
21954 ++};
21955 ++static const u8 enc_assoc037[] __initconst = {
21956 ++ 0x23, 0x33, 0xe5, 0xce, 0x0f, 0x93, 0xb0, 0x59
21957 ++};
21958 ++static const u8 enc_nonce037[] __initconst = {
21959 ++ 0x26, 0x28, 0x80, 0xd4, 0x75, 0xf3, 0xda, 0xc5,
21960 ++ 0x34, 0x0d, 0xd1, 0xb8
21961 ++};
21962 ++static const u8 enc_key037[] __initconst = {
21963 ++ 0x27, 0xd8, 0x60, 0x63, 0x1b, 0x04, 0x85, 0xa4,
21964 ++ 0x10, 0x70, 0x2f, 0xea, 0x61, 0xbc, 0x87, 0x3f,
21965 ++ 0x34, 0x42, 0x26, 0x0c, 0xad, 0xed, 0x4a, 0xbd,
21966 ++ 0xe2, 0x5b, 0x78, 0x6a, 0x2d, 0x97, 0xf1, 0x45
21967 ++};
21968 ++
21969 ++/* wycheproof - misc */
21970 ++static const u8 enc_input038[] __initconst = {
21971 ++ 0x97, 0x3d, 0x0c, 0x75, 0x38, 0x26, 0xba, 0xe4,
21972 ++ 0x66, 0xcf, 0x9a, 0xbb, 0x34, 0x93, 0x15, 0x2e,
21973 ++ 0x9d, 0xe7, 0x81, 0x9e, 0x2b, 0xd0, 0xc7, 0x11,
21974 ++ 0x71, 0x34, 0x6b, 0x4d, 0x2c, 0xeb, 0xf8, 0x04,
21975 ++ 0x1a, 0xa3, 0xce, 0xdc, 0x0d, 0xfd, 0x7b, 0x46,
21976 ++ 0x7e, 0x26, 0x22, 0x8b, 0xc8, 0x6c, 0x9a
21977 ++};
21978 ++static const u8 enc_output038[] __initconst = {
21979 ++ 0xfb, 0xa7, 0x8a, 0xe4, 0xf9, 0xd8, 0x08, 0xa6,
21980 ++ 0x2e, 0x3d, 0xa4, 0x0b, 0xe2, 0xcb, 0x77, 0x00,
21981 ++ 0xc3, 0x61, 0x3d, 0x9e, 0xb2, 0xc5, 0x29, 0xc6,
21982 ++ 0x52, 0xe7, 0x6a, 0x43, 0x2c, 0x65, 0x8d, 0x27,
21983 ++ 0x09, 0x5f, 0x0e, 0xb8, 0xf9, 0x40, 0xc3, 0x24,
21984 ++ 0x98, 0x1e, 0xa9, 0x35, 0xe5, 0x07, 0xf9, 0x8f,
21985 ++ 0x04, 0x69, 0x56, 0xdb, 0x3a, 0x51, 0x29, 0x08,
21986 ++ 0xbd, 0x7a, 0xfc, 0x8f, 0x2a, 0xb0, 0xa9
21987 ++};
21988 ++static const u8 enc_assoc038[] __initconst = { };
21989 ++static const u8 enc_nonce038[] __initconst = {
21990 ++ 0xe7, 0x4a, 0x51, 0x5e, 0x7e, 0x21, 0x02, 0xb9,
21991 ++ 0x0b, 0xef, 0x55, 0xd2
21992 ++};
21993 ++static const u8 enc_key038[] __initconst = {
21994 ++ 0xcf, 0x0d, 0x40, 0xa4, 0x64, 0x4e, 0x5f, 0x51,
21995 ++ 0x81, 0x51, 0x65, 0xd5, 0x30, 0x1b, 0x22, 0x63,
21996 ++ 0x1f, 0x45, 0x44, 0xc4, 0x9a, 0x18, 0x78, 0xe3,
21997 ++ 0xa0, 0xa5, 0xe8, 0xe1, 0xaa, 0xe0, 0xf2, 0x64
21998 ++};
21999 ++
22000 ++/* wycheproof - misc */
22001 ++static const u8 enc_input039[] __initconst = {
22002 ++ 0xa9, 0x89, 0x95, 0x50, 0x4d, 0xf1, 0x6f, 0x74,
22003 ++ 0x8b, 0xfb, 0x77, 0x85, 0xff, 0x91, 0xee, 0xb3,
22004 ++ 0xb6, 0x60, 0xea, 0x9e, 0xd3, 0x45, 0x0c, 0x3d,
22005 ++ 0x5e, 0x7b, 0x0e, 0x79, 0xef, 0x65, 0x36, 0x59,
22006 ++ 0xa9, 0x97, 0x8d, 0x75, 0x54, 0x2e, 0xf9, 0x1c,
22007 ++ 0x45, 0x67, 0x62, 0x21, 0x56, 0x40, 0xb9
22008 ++};
22009 ++static const u8 enc_output039[] __initconst = {
22010 ++ 0xa1, 0xff, 0xed, 0x80, 0x76, 0x18, 0x29, 0xec,
22011 ++ 0xce, 0x24, 0x2e, 0x0e, 0x88, 0xb1, 0x38, 0x04,
22012 ++ 0x90, 0x16, 0xbc, 0xa0, 0x18, 0xda, 0x2b, 0x6e,
22013 ++ 0x19, 0x98, 0x6b, 0x3e, 0x31, 0x8c, 0xae, 0x8d,
22014 ++ 0x80, 0x61, 0x98, 0xfb, 0x4c, 0x52, 0x7c, 0xc3,
22015 ++ 0x93, 0x50, 0xeb, 0xdd, 0xea, 0xc5, 0x73, 0xc4,
22016 ++ 0xcb, 0xf0, 0xbe, 0xfd, 0xa0, 0xb7, 0x02, 0x42,
22017 ++ 0xc6, 0x40, 0xd7, 0xcd, 0x02, 0xd7, 0xa3
22018 ++};
22019 ++static const u8 enc_assoc039[] __initconst = {
22020 ++ 0xb3, 0xe4, 0x06, 0x46, 0x83, 0xb0, 0x2d, 0x84
22021 ++};
22022 ++static const u8 enc_nonce039[] __initconst = {
22023 ++ 0xd4, 0xd8, 0x07, 0x34, 0x16, 0x83, 0x82, 0x5b,
22024 ++ 0x31, 0xcd, 0x4d, 0x95
22025 ++};
22026 ++static const u8 enc_key039[] __initconst = {
22027 ++ 0x6c, 0xbf, 0xd7, 0x1c, 0x64, 0x5d, 0x18, 0x4c,
22028 ++ 0xf5, 0xd2, 0x3c, 0x40, 0x2b, 0xdb, 0x0d, 0x25,
22029 ++ 0xec, 0x54, 0x89, 0x8c, 0x8a, 0x02, 0x73, 0xd4,
22030 ++ 0x2e, 0xb5, 0xbe, 0x10, 0x9f, 0xdc, 0xb2, 0xac
22031 ++};
22032 ++
22033 ++/* wycheproof - misc */
22034 ++static const u8 enc_input040[] __initconst = {
22035 ++ 0xd0, 0x96, 0x80, 0x31, 0x81, 0xbe, 0xef, 0x9e,
22036 ++ 0x00, 0x8f, 0xf8, 0x5d, 0x5d, 0xdc, 0x38, 0xdd,
22037 ++ 0xac, 0xf0, 0xf0, 0x9e, 0xe5, 0xf7, 0xe0, 0x7f,
22038 ++ 0x1e, 0x40, 0x79, 0xcb, 0x64, 0xd0, 0xdc, 0x8f,
22039 ++ 0x5e, 0x67, 0x11, 0xcd, 0x49, 0x21, 0xa7, 0x88,
22040 ++ 0x7d, 0xe7, 0x6e, 0x26, 0x78, 0xfd, 0xc6, 0x76,
22041 ++ 0x18, 0xf1, 0x18, 0x55, 0x86, 0xbf, 0xea, 0x9d,
22042 ++ 0x4c, 0x68, 0x5d, 0x50, 0xe4, 0xbb, 0x9a, 0x82
22043 ++};
22044 ++static const u8 enc_output040[] __initconst = {
22045 ++ 0x9a, 0x4e, 0xf2, 0x2b, 0x18, 0x16, 0x77, 0xb5,
22046 ++ 0x75, 0x5c, 0x08, 0xf7, 0x47, 0xc0, 0xf8, 0xd8,
22047 ++ 0xe8, 0xd4, 0xc1, 0x8a, 0x9c, 0xc2, 0x40, 0x5c,
22048 ++ 0x12, 0xbb, 0x51, 0xbb, 0x18, 0x72, 0xc8, 0xe8,
22049 ++ 0xb8, 0x77, 0x67, 0x8b, 0xec, 0x44, 0x2c, 0xfc,
22050 ++ 0xbb, 0x0f, 0xf4, 0x64, 0xa6, 0x4b, 0x74, 0x33,
22051 ++ 0x2c, 0xf0, 0x72, 0x89, 0x8c, 0x7e, 0x0e, 0xdd,
22052 ++ 0xf6, 0x23, 0x2e, 0xa6, 0xe2, 0x7e, 0xfe, 0x50,
22053 ++ 0x9f, 0xf3, 0x42, 0x7a, 0x0f, 0x32, 0xfa, 0x56,
22054 ++ 0x6d, 0x9c, 0xa0, 0xa7, 0x8a, 0xef, 0xc0, 0x13
22055 ++};
22056 ++static const u8 enc_assoc040[] __initconst = { };
22057 ++static const u8 enc_nonce040[] __initconst = {
22058 ++ 0xd6, 0x10, 0x40, 0xa3, 0x13, 0xed, 0x49, 0x28,
22059 ++ 0x23, 0xcc, 0x06, 0x5b
22060 ++};
22061 ++static const u8 enc_key040[] __initconst = {
22062 ++ 0x5b, 0x1d, 0x10, 0x35, 0xc0, 0xb1, 0x7e, 0xe0,
22063 ++ 0xb0, 0x44, 0x47, 0x67, 0xf8, 0x0a, 0x25, 0xb8,
22064 ++ 0xc1, 0xb7, 0x41, 0xf4, 0xb5, 0x0a, 0x4d, 0x30,
22065 ++ 0x52, 0x22, 0x6b, 0xaa, 0x1c, 0x6f, 0xb7, 0x01
22066 ++};
22067 ++
22068 ++/* wycheproof - misc */
22069 ++static const u8 enc_input041[] __initconst = {
22070 ++ 0x94, 0xee, 0x16, 0x6d, 0x6d, 0x6e, 0xcf, 0x88,
22071 ++ 0x32, 0x43, 0x71, 0x36, 0xb4, 0xae, 0x80, 0x5d,
22072 ++ 0x42, 0x88, 0x64, 0x35, 0x95, 0x86, 0xd9, 0x19,
22073 ++ 0x3a, 0x25, 0x01, 0x62, 0x93, 0xed, 0xba, 0x44,
22074 ++ 0x3c, 0x58, 0xe0, 0x7e, 0x7b, 0x71, 0x95, 0xec,
22075 ++ 0x5b, 0xd8, 0x45, 0x82, 0xa9, 0xd5, 0x6c, 0x8d,
22076 ++ 0x4a, 0x10, 0x8c, 0x7d, 0x7c, 0xe3, 0x4e, 0x6c,
22077 ++ 0x6f, 0x8e, 0xa1, 0xbe, 0xc0, 0x56, 0x73, 0x17
22078 ++};
22079 ++static const u8 enc_output041[] __initconst = {
22080 ++ 0x5f, 0xbb, 0xde, 0xcc, 0x34, 0xbe, 0x20, 0x16,
22081 ++ 0x14, 0xf6, 0x36, 0x03, 0x1e, 0xeb, 0x42, 0xf1,
22082 ++ 0xca, 0xce, 0x3c, 0x79, 0xa1, 0x2c, 0xff, 0xd8,
22083 ++ 0x71, 0xee, 0x8e, 0x73, 0x82, 0x0c, 0x82, 0x97,
22084 ++ 0x49, 0xf1, 0xab, 0xb4, 0x29, 0x43, 0x67, 0x84,
22085 ++ 0x9f, 0xb6, 0xc2, 0xaa, 0x56, 0xbd, 0xa8, 0xa3,
22086 ++ 0x07, 0x8f, 0x72, 0x3d, 0x7c, 0x1c, 0x85, 0x20,
22087 ++ 0x24, 0xb0, 0x17, 0xb5, 0x89, 0x73, 0xfb, 0x1e,
22088 ++ 0x09, 0x26, 0x3d, 0xa7, 0xb4, 0xcb, 0x92, 0x14,
22089 ++ 0x52, 0xf9, 0x7d, 0xca, 0x40, 0xf5, 0x80, 0xec
22090 ++};
22091 ++static const u8 enc_assoc041[] __initconst = {
22092 ++ 0x71, 0x93, 0xf6, 0x23, 0x66, 0x33, 0x21, 0xa2
22093 ++};
22094 ++static const u8 enc_nonce041[] __initconst = {
22095 ++ 0xd3, 0x1c, 0x21, 0xab, 0xa1, 0x75, 0xb7, 0x0d,
22096 ++ 0xe4, 0xeb, 0xb1, 0x9c
22097 ++};
22098 ++static const u8 enc_key041[] __initconst = {
22099 ++ 0x97, 0xd6, 0x35, 0xc4, 0xf4, 0x75, 0x74, 0xd9,
22100 ++ 0x99, 0x8a, 0x90, 0x87, 0x5d, 0xa1, 0xd3, 0xa2,
22101 ++ 0x84, 0xb7, 0x55, 0xb2, 0xd3, 0x92, 0x97, 0xa5,
22102 ++ 0x72, 0x52, 0x35, 0x19, 0x0e, 0x10, 0xa9, 0x7e
22103 ++};
22104 ++
22105 ++/* wycheproof - misc */
22106 ++static const u8 enc_input042[] __initconst = {
22107 ++ 0xb4, 0x29, 0xeb, 0x80, 0xfb, 0x8f, 0xe8, 0xba,
22108 ++ 0xed, 0xa0, 0xc8, 0x5b, 0x9c, 0x33, 0x34, 0x58,
22109 ++ 0xe7, 0xc2, 0x99, 0x2e, 0x55, 0x84, 0x75, 0x06,
22110 ++ 0x9d, 0x12, 0xd4, 0x5c, 0x22, 0x21, 0x75, 0x64,
22111 ++ 0x12, 0x15, 0x88, 0x03, 0x22, 0x97, 0xef, 0xf5,
22112 ++ 0x67, 0x83, 0x74, 0x2a, 0x5f, 0xc2, 0x2d, 0x74,
22113 ++ 0x10, 0xff, 0xb2, 0x9d, 0x66, 0x09, 0x86, 0x61,
22114 ++ 0xd7, 0x6f, 0x12, 0x6c, 0x3c, 0x27, 0x68, 0x9e,
22115 ++ 0x43, 0xb3, 0x72, 0x67, 0xca, 0xc5, 0xa3, 0xa6,
22116 ++ 0xd3, 0xab, 0x49, 0xe3, 0x91, 0xda, 0x29, 0xcd,
22117 ++ 0x30, 0x54, 0xa5, 0x69, 0x2e, 0x28, 0x07, 0xe4,
22118 ++ 0xc3, 0xea, 0x46, 0xc8, 0x76, 0x1d, 0x50, 0xf5,
22119 ++ 0x92
22120 ++};
22121 ++static const u8 enc_output042[] __initconst = {
22122 ++ 0xd0, 0x10, 0x2f, 0x6c, 0x25, 0x8b, 0xf4, 0x97,
22123 ++ 0x42, 0xce, 0xc3, 0x4c, 0xf2, 0xd0, 0xfe, 0xdf,
22124 ++ 0x23, 0xd1, 0x05, 0xfb, 0x4c, 0x84, 0xcf, 0x98,
22125 ++ 0x51, 0x5e, 0x1b, 0xc9, 0xa6, 0x4f, 0x8a, 0xd5,
22126 ++ 0xbe, 0x8f, 0x07, 0x21, 0xbd, 0xe5, 0x06, 0x45,
22127 ++ 0xd0, 0x00, 0x83, 0xc3, 0xa2, 0x63, 0xa3, 0x10,
22128 ++ 0x53, 0xb7, 0x60, 0x24, 0x5f, 0x52, 0xae, 0x28,
22129 ++ 0x66, 0xa5, 0xec, 0x83, 0xb1, 0x9f, 0x61, 0xbe,
22130 ++ 0x1d, 0x30, 0xd5, 0xc5, 0xd9, 0xfe, 0xcc, 0x4c,
22131 ++ 0xbb, 0xe0, 0x8f, 0xd3, 0x85, 0x81, 0x3a, 0x2a,
22132 ++ 0xa3, 0x9a, 0x00, 0xff, 0x9c, 0x10, 0xf7, 0xf2,
22133 ++ 0x37, 0x02, 0xad, 0xd1, 0xe4, 0xb2, 0xff, 0xa3,
22134 ++ 0x1c, 0x41, 0x86, 0x5f, 0xc7, 0x1d, 0xe1, 0x2b,
22135 ++ 0x19, 0x61, 0x21, 0x27, 0xce, 0x49, 0x99, 0x3b,
22136 ++ 0xb0
22137 ++};
22138 ++static const u8 enc_assoc042[] __initconst = { };
22139 ++static const u8 enc_nonce042[] __initconst = {
22140 ++ 0x17, 0xc8, 0x6a, 0x8a, 0xbb, 0xb7, 0xe0, 0x03,
22141 ++ 0xac, 0xde, 0x27, 0x99
22142 ++};
22143 ++static const u8 enc_key042[] __initconst = {
22144 ++ 0xfe, 0x6e, 0x55, 0xbd, 0xae, 0xd1, 0xf7, 0x28,
22145 ++ 0x4c, 0xa5, 0xfc, 0x0f, 0x8c, 0x5f, 0x2b, 0x8d,
22146 ++ 0xf5, 0x6d, 0xc0, 0xf4, 0x9e, 0x8c, 0xa6, 0x6a,
22147 ++ 0x41, 0x99, 0x5e, 0x78, 0x33, 0x51, 0xf9, 0x01
22148 ++};
22149 ++
22150 ++/* wycheproof - misc */
22151 ++static const u8 enc_input043[] __initconst = {
22152 ++ 0xce, 0xb5, 0x34, 0xce, 0x50, 0xdc, 0x23, 0xff,
22153 ++ 0x63, 0x8a, 0xce, 0x3e, 0xf6, 0x3a, 0xb2, 0xcc,
22154 ++ 0x29, 0x73, 0xee, 0xad, 0xa8, 0x07, 0x85, 0xfc,
22155 ++ 0x16, 0x5d, 0x06, 0xc2, 0xf5, 0x10, 0x0f, 0xf5,
22156 ++ 0xe8, 0xab, 0x28, 0x82, 0xc4, 0x75, 0xaf, 0xcd,
22157 ++ 0x05, 0xcc, 0xd4, 0x9f, 0x2e, 0x7d, 0x8f, 0x55,
22158 ++ 0xef, 0x3a, 0x72, 0xe3, 0xdc, 0x51, 0xd6, 0x85,
22159 ++ 0x2b, 0x8e, 0x6b, 0x9e, 0x7a, 0xec, 0xe5, 0x7b,
22160 ++ 0xe6, 0x55, 0x6b, 0x0b, 0x6d, 0x94, 0x13, 0xe3,
22161 ++ 0x3f, 0xc5, 0xfc, 0x24, 0xa9, 0xa2, 0x05, 0xad,
22162 ++ 0x59, 0x57, 0x4b, 0xb3, 0x9d, 0x94, 0x4a, 0x92,
22163 ++ 0xdc, 0x47, 0x97, 0x0d, 0x84, 0xa6, 0xad, 0x31,
22164 ++ 0x76
22165 ++};
22166 ++static const u8 enc_output043[] __initconst = {
22167 ++ 0x75, 0x45, 0x39, 0x1b, 0x51, 0xde, 0x01, 0xd5,
22168 ++ 0xc5, 0x3d, 0xfa, 0xca, 0x77, 0x79, 0x09, 0x06,
22169 ++ 0x3e, 0x58, 0xed, 0xee, 0x4b, 0xb1, 0x22, 0x7e,
22170 ++ 0x71, 0x10, 0xac, 0x4d, 0x26, 0x20, 0xc2, 0xae,
22171 ++ 0xc2, 0xf8, 0x48, 0xf5, 0x6d, 0xee, 0xb0, 0x37,
22172 ++ 0xa8, 0xdc, 0xed, 0x75, 0xaf, 0xa8, 0xa6, 0xc8,
22173 ++ 0x90, 0xe2, 0xde, 0xe4, 0x2f, 0x95, 0x0b, 0xb3,
22174 ++ 0x3d, 0x9e, 0x24, 0x24, 0xd0, 0x8a, 0x50, 0x5d,
22175 ++ 0x89, 0x95, 0x63, 0x97, 0x3e, 0xd3, 0x88, 0x70,
22176 ++ 0xf3, 0xde, 0x6e, 0xe2, 0xad, 0xc7, 0xfe, 0x07,
22177 ++ 0x2c, 0x36, 0x6c, 0x14, 0xe2, 0xcf, 0x7c, 0xa6,
22178 ++ 0x2f, 0xb3, 0xd3, 0x6b, 0xee, 0x11, 0x68, 0x54,
22179 ++ 0x61, 0xb7, 0x0d, 0x44, 0xef, 0x8c, 0x66, 0xc5,
22180 ++ 0xc7, 0xbb, 0xf1, 0x0d, 0xca, 0xdd, 0x7f, 0xac,
22181 ++ 0xf6
22182 ++};
22183 ++static const u8 enc_assoc043[] __initconst = {
22184 ++ 0xa1, 0x1c, 0x40, 0xb6, 0x03, 0x76, 0x73, 0x30
22185 ++};
22186 ++static const u8 enc_nonce043[] __initconst = {
22187 ++ 0x46, 0x36, 0x2f, 0x45, 0xd6, 0x37, 0x9e, 0x63,
22188 ++ 0xe5, 0x22, 0x94, 0x60
22189 ++};
22190 ++static const u8 enc_key043[] __initconst = {
22191 ++ 0xaa, 0xbc, 0x06, 0x34, 0x74, 0xe6, 0x5c, 0x4c,
22192 ++ 0x3e, 0x9b, 0xdc, 0x48, 0x0d, 0xea, 0x97, 0xb4,
22193 ++ 0x51, 0x10, 0xc8, 0x61, 0x88, 0x46, 0xff, 0x6b,
22194 ++ 0x15, 0xbd, 0xd2, 0xa4, 0xa5, 0x68, 0x2c, 0x4e
22195 ++};
22196 ++
22197 ++/* wycheproof - misc */
22198 ++static const u8 enc_input044[] __initconst = {
22199 ++ 0xe5, 0xcc, 0xaa, 0x44, 0x1b, 0xc8, 0x14, 0x68,
22200 ++ 0x8f, 0x8f, 0x6e, 0x8f, 0x28, 0xb5, 0x00, 0xb2
22201 ++};
22202 ++static const u8 enc_output044[] __initconst = {
22203 ++ 0x7e, 0x72, 0xf5, 0xa1, 0x85, 0xaf, 0x16, 0xa6,
22204 ++ 0x11, 0x92, 0x1b, 0x43, 0x8f, 0x74, 0x9f, 0x0b,
22205 ++ 0x12, 0x42, 0xc6, 0x70, 0x73, 0x23, 0x34, 0x02,
22206 ++ 0x9a, 0xdf, 0xe1, 0xc5, 0x00, 0x16, 0x51, 0xe4
22207 ++};
22208 ++static const u8 enc_assoc044[] __initconst = {
22209 ++ 0x02
22210 ++};
22211 ++static const u8 enc_nonce044[] __initconst = {
22212 ++ 0x87, 0x34, 0x5f, 0x10, 0x55, 0xfd, 0x9e, 0x21,
22213 ++ 0x02, 0xd5, 0x06, 0x56
22214 ++};
22215 ++static const u8 enc_key044[] __initconst = {
22216 ++ 0x7d, 0x00, 0xb4, 0x80, 0x95, 0xad, 0xfa, 0x32,
22217 ++ 0x72, 0x05, 0x06, 0x07, 0xb2, 0x64, 0x18, 0x50,
22218 ++ 0x02, 0xba, 0x99, 0x95, 0x7c, 0x49, 0x8b, 0xe0,
22219 ++ 0x22, 0x77, 0x0f, 0x2c, 0xe2, 0xf3, 0x14, 0x3c
22220 ++};
22221 ++
22222 ++/* wycheproof - misc */
22223 ++static const u8 enc_input045[] __initconst = {
22224 ++ 0x02, 0xcd, 0xe1, 0x68, 0xfb, 0xa3, 0xf5, 0x44,
22225 ++ 0xbb, 0xd0, 0x33, 0x2f, 0x7a, 0xde, 0xad, 0xa8
22226 ++};
22227 ++static const u8 enc_output045[] __initconst = {
22228 ++ 0x85, 0xf2, 0x9a, 0x71, 0x95, 0x57, 0xcd, 0xd1,
22229 ++ 0x4d, 0x1f, 0x8f, 0xff, 0xab, 0x6d, 0x9e, 0x60,
22230 ++ 0x73, 0x2c, 0xa3, 0x2b, 0xec, 0xd5, 0x15, 0xa1,
22231 ++ 0xed, 0x35, 0x3f, 0x54, 0x2e, 0x99, 0x98, 0x58
22232 ++};
22233 ++static const u8 enc_assoc045[] __initconst = {
22234 ++ 0xb6, 0x48
22235 ++};
22236 ++static const u8 enc_nonce045[] __initconst = {
22237 ++ 0x87, 0xa3, 0x16, 0x3e, 0xc0, 0x59, 0x8a, 0xd9,
22238 ++ 0x5b, 0x3a, 0xa7, 0x13
22239 ++};
22240 ++static const u8 enc_key045[] __initconst = {
22241 ++ 0x64, 0x32, 0x71, 0x7f, 0x1d, 0xb8, 0x5e, 0x41,
22242 ++ 0xac, 0x78, 0x36, 0xbc, 0xe2, 0x51, 0x85, 0xa0,
22243 ++ 0x80, 0xd5, 0x76, 0x2b, 0x9e, 0x2b, 0x18, 0x44,
22244 ++ 0x4b, 0x6e, 0xc7, 0x2c, 0x3b, 0xd8, 0xe4, 0xdc
22245 ++};
22246 ++
22247 ++/* wycheproof - misc */
22248 ++static const u8 enc_input046[] __initconst = {
22249 ++ 0x16, 0xdd, 0xd2, 0x3f, 0xf5, 0x3f, 0x3d, 0x23,
22250 ++ 0xc0, 0x63, 0x34, 0x48, 0x70, 0x40, 0xeb, 0x47
22251 ++};
22252 ++static const u8 enc_output046[] __initconst = {
22253 ++ 0xc1, 0xb2, 0x95, 0x93, 0x6d, 0x56, 0xfa, 0xda,
22254 ++ 0xc0, 0x3e, 0x5f, 0x74, 0x2b, 0xff, 0x73, 0xa1,
22255 ++ 0x39, 0xc4, 0x57, 0xdb, 0xab, 0x66, 0x38, 0x2b,
22256 ++ 0xab, 0xb3, 0xb5, 0x58, 0x00, 0xcd, 0xa5, 0xb8
22257 ++};
22258 ++static const u8 enc_assoc046[] __initconst = {
22259 ++ 0xbd, 0x4c, 0xd0, 0x2f, 0xc7, 0x50, 0x2b, 0xbd,
22260 ++ 0xbd, 0xf6, 0xc9, 0xa3, 0xcb, 0xe8, 0xf0
22261 ++};
22262 ++static const u8 enc_nonce046[] __initconst = {
22263 ++ 0x6f, 0x57, 0x3a, 0xa8, 0x6b, 0xaa, 0x49, 0x2b,
22264 ++ 0xa4, 0x65, 0x96, 0xdf
22265 ++};
22266 ++static const u8 enc_key046[] __initconst = {
22267 ++ 0x8e, 0x34, 0xcf, 0x73, 0xd2, 0x45, 0xa1, 0x08,
22268 ++ 0x2a, 0x92, 0x0b, 0x86, 0x36, 0x4e, 0xb8, 0x96,
22269 ++ 0xc4, 0x94, 0x64, 0x67, 0xbc, 0xb3, 0xd5, 0x89,
22270 ++ 0x29, 0xfc, 0xb3, 0x66, 0x90, 0xe6, 0x39, 0x4f
22271 ++};
22272 ++
22273 ++/* wycheproof - misc */
22274 ++static const u8 enc_input047[] __initconst = {
22275 ++ 0x62, 0x3b, 0x78, 0x50, 0xc3, 0x21, 0xe2, 0xcf,
22276 ++ 0x0c, 0x6f, 0xbc, 0xc8, 0xdf, 0xd1, 0xaf, 0xf2
22277 ++};
22278 ++static const u8 enc_output047[] __initconst = {
22279 ++ 0xc8, 0x4c, 0x9b, 0xb7, 0xc6, 0x1c, 0x1b, 0xcb,
22280 ++ 0x17, 0x77, 0x2a, 0x1c, 0x50, 0x0c, 0x50, 0x95,
22281 ++ 0xdb, 0xad, 0xf7, 0xa5, 0x13, 0x8c, 0xa0, 0x34,
22282 ++ 0x59, 0xa2, 0xcd, 0x65, 0x83, 0x1e, 0x09, 0x2f
22283 ++};
22284 ++static const u8 enc_assoc047[] __initconst = {
22285 ++ 0x89, 0xcc, 0xe9, 0xfb, 0x47, 0x44, 0x1d, 0x07,
22286 ++ 0xe0, 0x24, 0x5a, 0x66, 0xfe, 0x8b, 0x77, 0x8b
22287 ++};
22288 ++static const u8 enc_nonce047[] __initconst = {
22289 ++ 0x1a, 0x65, 0x18, 0xf0, 0x2e, 0xde, 0x1d, 0xa6,
22290 ++ 0x80, 0x92, 0x66, 0xd9
22291 ++};
22292 ++static const u8 enc_key047[] __initconst = {
22293 ++ 0xcb, 0x55, 0x75, 0xf5, 0xc7, 0xc4, 0x5c, 0x91,
22294 ++ 0xcf, 0x32, 0x0b, 0x13, 0x9f, 0xb5, 0x94, 0x23,
22295 ++ 0x75, 0x60, 0xd0, 0xa3, 0xe6, 0xf8, 0x65, 0xa6,
22296 ++ 0x7d, 0x4f, 0x63, 0x3f, 0x2c, 0x08, 0xf0, 0x16
22297 ++};
22298 ++
22299 ++/* wycheproof - misc */
22300 ++static const u8 enc_input048[] __initconst = {
22301 ++ 0x87, 0xb3, 0xa4, 0xd7, 0xb2, 0x6d, 0x8d, 0x32,
22302 ++ 0x03, 0xa0, 0xde, 0x1d, 0x64, 0xef, 0x82, 0xe3
22303 ++};
22304 ++static const u8 enc_output048[] __initconst = {
22305 ++ 0x94, 0xbc, 0x80, 0x62, 0x1e, 0xd1, 0xe7, 0x1b,
22306 ++ 0x1f, 0xd2, 0xb5, 0xc3, 0xa1, 0x5e, 0x35, 0x68,
22307 ++ 0x33, 0x35, 0x11, 0x86, 0x17, 0x96, 0x97, 0x84,
22308 ++ 0x01, 0x59, 0x8b, 0x96, 0x37, 0x22, 0xf5, 0xb3
22309 ++};
22310 ++static const u8 enc_assoc048[] __initconst = {
22311 ++ 0xd1, 0x9f, 0x2d, 0x98, 0x90, 0x95, 0xf7, 0xab,
22312 ++ 0x03, 0xa5, 0xfd, 0xe8, 0x44, 0x16, 0xe0, 0x0c,
22313 ++ 0x0e
22314 ++};
22315 ++static const u8 enc_nonce048[] __initconst = {
22316 ++ 0x56, 0x4d, 0xee, 0x49, 0xab, 0x00, 0xd2, 0x40,
22317 ++ 0xfc, 0x10, 0x68, 0xc3
22318 ++};
22319 ++static const u8 enc_key048[] __initconst = {
22320 ++ 0xa5, 0x56, 0x9e, 0x72, 0x9a, 0x69, 0xb2, 0x4b,
22321 ++ 0xa6, 0xe0, 0xff, 0x15, 0xc4, 0x62, 0x78, 0x97,
22322 ++ 0x43, 0x68, 0x24, 0xc9, 0x41, 0xe9, 0xd0, 0x0b,
22323 ++ 0x2e, 0x93, 0xfd, 0xdc, 0x4b, 0xa7, 0x76, 0x57
22324 ++};
22325 ++
22326 ++/* wycheproof - misc */
22327 ++static const u8 enc_input049[] __initconst = {
22328 ++ 0xe6, 0x01, 0xb3, 0x85, 0x57, 0x79, 0x7d, 0xa2,
22329 ++ 0xf8, 0xa4, 0x10, 0x6a, 0x08, 0x9d, 0x1d, 0xa6
22330 ++};
22331 ++static const u8 enc_output049[] __initconst = {
22332 ++ 0x29, 0x9b, 0x5d, 0x3f, 0x3d, 0x03, 0xc0, 0x87,
22333 ++ 0x20, 0x9a, 0x16, 0xe2, 0x85, 0x14, 0x31, 0x11,
22334 ++ 0x4b, 0x45, 0x4e, 0xd1, 0x98, 0xde, 0x11, 0x7e,
22335 ++ 0x83, 0xec, 0x49, 0xfa, 0x8d, 0x85, 0x08, 0xd6
22336 ++};
22337 ++static const u8 enc_assoc049[] __initconst = {
22338 ++ 0x5e, 0x64, 0x70, 0xfa, 0xcd, 0x99, 0xc1, 0xd8,
22339 ++ 0x1e, 0x37, 0xcd, 0x44, 0x01, 0x5f, 0xe1, 0x94,
22340 ++ 0x80, 0xa2, 0xa4, 0xd3, 0x35, 0x2a, 0x4f, 0xf5,
22341 ++ 0x60, 0xc0, 0x64, 0x0f, 0xdb, 0xda
22342 ++};
22343 ++static const u8 enc_nonce049[] __initconst = {
22344 ++ 0xdf, 0x87, 0x13, 0xe8, 0x7e, 0xc3, 0xdb, 0xcf,
22345 ++ 0xad, 0x14, 0xd5, 0x3e
22346 ++};
22347 ++static const u8 enc_key049[] __initconst = {
22348 ++ 0x56, 0x20, 0x74, 0x65, 0xb4, 0xe4, 0x8e, 0x6d,
22349 ++ 0x04, 0x63, 0x0f, 0x4a, 0x42, 0xf3, 0x5c, 0xfc,
22350 ++ 0x16, 0x3a, 0xb2, 0x89, 0xc2, 0x2a, 0x2b, 0x47,
22351 ++ 0x84, 0xf6, 0xf9, 0x29, 0x03, 0x30, 0xbe, 0xe0
22352 ++};
22353 ++
22354 ++/* wycheproof - misc */
22355 ++static const u8 enc_input050[] __initconst = {
22356 ++ 0xdc, 0x9e, 0x9e, 0xaf, 0x11, 0xe3, 0x14, 0x18,
22357 ++ 0x2d, 0xf6, 0xa4, 0xeb, 0xa1, 0x7a, 0xec, 0x9c
22358 ++};
22359 ++static const u8 enc_output050[] __initconst = {
22360 ++ 0x60, 0x5b, 0xbf, 0x90, 0xae, 0xb9, 0x74, 0xf6,
22361 ++ 0x60, 0x2b, 0xc7, 0x78, 0x05, 0x6f, 0x0d, 0xca,
22362 ++ 0x38, 0xea, 0x23, 0xd9, 0x90, 0x54, 0xb4, 0x6b,
22363 ++ 0x42, 0xff, 0xe0, 0x04, 0x12, 0x9d, 0x22, 0x04
22364 ++};
22365 ++static const u8 enc_assoc050[] __initconst = {
22366 ++ 0xba, 0x44, 0x6f, 0x6f, 0x9a, 0x0c, 0xed, 0x22,
22367 ++ 0x45, 0x0f, 0xeb, 0x10, 0x73, 0x7d, 0x90, 0x07,
22368 ++ 0xfd, 0x69, 0xab, 0xc1, 0x9b, 0x1d, 0x4d, 0x90,
22369 ++ 0x49, 0xa5, 0x55, 0x1e, 0x86, 0xec, 0x2b, 0x37
22370 ++};
22371 ++static const u8 enc_nonce050[] __initconst = {
22372 ++ 0x8d, 0xf4, 0xb1, 0x5a, 0x88, 0x8c, 0x33, 0x28,
22373 ++ 0x6a, 0x7b, 0x76, 0x51
22374 ++};
22375 ++static const u8 enc_key050[] __initconst = {
22376 ++ 0x39, 0x37, 0x98, 0x6a, 0xf8, 0x6d, 0xaf, 0xc1,
22377 ++ 0xba, 0x0c, 0x46, 0x72, 0xd8, 0xab, 0xc4, 0x6c,
22378 ++ 0x20, 0x70, 0x62, 0x68, 0x2d, 0x9c, 0x26, 0x4a,
22379 ++ 0xb0, 0x6d, 0x6c, 0x58, 0x07, 0x20, 0x51, 0x30
22380 ++};
22381 ++
22382 ++/* wycheproof - misc */
22383 ++static const u8 enc_input051[] __initconst = {
22384 ++ 0x81, 0xce, 0x84, 0xed, 0xe9, 0xb3, 0x58, 0x59,
22385 ++ 0xcc, 0x8c, 0x49, 0xa8, 0xf6, 0xbe, 0x7d, 0xc6
22386 ++};
22387 ++static const u8 enc_output051[] __initconst = {
22388 ++ 0x7b, 0x7c, 0xe0, 0xd8, 0x24, 0x80, 0x9a, 0x70,
22389 ++ 0xde, 0x32, 0x56, 0x2c, 0xcf, 0x2c, 0x2b, 0xbd,
22390 ++ 0x15, 0xd4, 0x4a, 0x00, 0xce, 0x0d, 0x19, 0xb4,
22391 ++ 0x23, 0x1f, 0x92, 0x1e, 0x22, 0xbc, 0x0a, 0x43
22392 ++};
22393 ++static const u8 enc_assoc051[] __initconst = {
22394 ++ 0xd4, 0x1a, 0x82, 0x8d, 0x5e, 0x71, 0x82, 0x92,
22395 ++ 0x47, 0x02, 0x19, 0x05, 0x40, 0x2e, 0xa2, 0x57,
22396 ++ 0xdc, 0xcb, 0xc3, 0xb8, 0x0f, 0xcd, 0x56, 0x75,
22397 ++ 0x05, 0x6b, 0x68, 0xbb, 0x59, 0xe6, 0x2e, 0x88,
22398 ++ 0x73
22399 ++};
22400 ++static const u8 enc_nonce051[] __initconst = {
22401 ++ 0xbe, 0x40, 0xe5, 0xf1, 0xa1, 0x18, 0x17, 0xa0,
22402 ++ 0xa8, 0xfa, 0x89, 0x49
22403 ++};
22404 ++static const u8 enc_key051[] __initconst = {
22405 ++ 0x36, 0x37, 0x2a, 0xbc, 0xdb, 0x78, 0xe0, 0x27,
22406 ++ 0x96, 0x46, 0xac, 0x3d, 0x17, 0x6b, 0x96, 0x74,
22407 ++ 0xe9, 0x15, 0x4e, 0xec, 0xf0, 0xd5, 0x46, 0x9c,
22408 ++ 0x65, 0x1e, 0xc7, 0xe1, 0x6b, 0x4c, 0x11, 0x99
22409 ++};
22410 ++
22411 ++/* wycheproof - misc */
22412 ++static const u8 enc_input052[] __initconst = {
22413 ++ 0xa6, 0x67, 0x47, 0xc8, 0x9e, 0x85, 0x7a, 0xf3,
22414 ++ 0xa1, 0x8e, 0x2c, 0x79, 0x50, 0x00, 0x87, 0xed
22415 ++};
22416 ++static const u8 enc_output052[] __initconst = {
22417 ++ 0xca, 0x82, 0xbf, 0xf3, 0xe2, 0xf3, 0x10, 0xcc,
22418 ++ 0xc9, 0x76, 0x67, 0x2c, 0x44, 0x15, 0xe6, 0x9b,
22419 ++ 0x57, 0x63, 0x8c, 0x62, 0xa5, 0xd8, 0x5d, 0xed,
22420 ++ 0x77, 0x4f, 0x91, 0x3c, 0x81, 0x3e, 0xa0, 0x32
22421 ++};
22422 ++static const u8 enc_assoc052[] __initconst = {
22423 ++ 0x3f, 0x2d, 0xd4, 0x9b, 0xbf, 0x09, 0xd6, 0x9a,
22424 ++ 0x78, 0xa3, 0xd8, 0x0e, 0xa2, 0x56, 0x66, 0x14,
22425 ++ 0xfc, 0x37, 0x94, 0x74, 0x19, 0x6c, 0x1a, 0xae,
22426 ++ 0x84, 0x58, 0x3d, 0xa7, 0x3d, 0x7f, 0xf8, 0x5c,
22427 ++ 0x6f, 0x42, 0xca, 0x42, 0x05, 0x6a, 0x97, 0x92,
22428 ++ 0xcc, 0x1b, 0x9f, 0xb3, 0xc7, 0xd2, 0x61
22429 ++};
22430 ++static const u8 enc_nonce052[] __initconst = {
22431 ++ 0x84, 0xc8, 0x7d, 0xae, 0x4e, 0xee, 0x27, 0x73,
22432 ++ 0x0e, 0xc3, 0x5d, 0x12
22433 ++};
22434 ++static const u8 enc_key052[] __initconst = {
22435 ++ 0x9f, 0x14, 0x79, 0xed, 0x09, 0x7d, 0x7f, 0xe5,
22436 ++ 0x29, 0xc1, 0x1f, 0x2f, 0x5a, 0xdd, 0x9a, 0xaf,
22437 ++ 0xf4, 0xa1, 0xca, 0x0b, 0x68, 0x99, 0x7a, 0x2c,
22438 ++ 0xb7, 0xf7, 0x97, 0x49, 0xbd, 0x90, 0xaa, 0xf4
22439 ++};
22440 ++
22441 ++/* wycheproof - misc */
22442 ++static const u8 enc_input053[] __initconst = {
22443 ++ 0x25, 0x6d, 0x40, 0x88, 0x80, 0x94, 0x17, 0x83,
22444 ++ 0x55, 0xd3, 0x04, 0x84, 0x64, 0x43, 0xfe, 0xe8,
22445 ++ 0xdf, 0x99, 0x47, 0x03, 0x03, 0xfb, 0x3b, 0x7b,
22446 ++ 0x80, 0xe0, 0x30, 0xbe, 0xeb, 0xd3, 0x29, 0xbe
22447 ++};
22448 ++static const u8 enc_output053[] __initconst = {
22449 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22450 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22451 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22452 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22453 ++ 0xe6, 0xd3, 0xd7, 0x32, 0x4a, 0x1c, 0xbb, 0xa7,
22454 ++ 0x77, 0xbb, 0xb0, 0xec, 0xdd, 0xa3, 0x78, 0x07
22455 ++};
22456 ++static const u8 enc_assoc053[] __initconst = {
22457 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22458 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
22459 ++};
22460 ++static const u8 enc_nonce053[] __initconst = {
22461 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22462 ++};
22463 ++static const u8 enc_key053[] __initconst = {
22464 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22465 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22466 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22467 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22468 ++};
22469 ++
22470 ++/* wycheproof - misc */
22471 ++static const u8 enc_input054[] __initconst = {
22472 ++ 0x25, 0x6d, 0x40, 0x88, 0x80, 0x94, 0x17, 0x83,
22473 ++ 0x55, 0xd3, 0x04, 0x84, 0x64, 0x43, 0xfe, 0xe8,
22474 ++ 0xdf, 0x99, 0x47, 0x03, 0x03, 0xfb, 0x3b, 0x7b,
22475 ++ 0x80, 0xe0, 0x30, 0xbe, 0xeb, 0xd3, 0x29, 0xbe,
22476 ++ 0xe3, 0xbc, 0xdb, 0x5b, 0x1e, 0xde, 0xfc, 0xfe,
22477 ++ 0x8b, 0xcd, 0xa1, 0xb6, 0xa1, 0x5c, 0x8c, 0x2b,
22478 ++ 0x08, 0x69, 0xff, 0xd2, 0xec, 0x5e, 0x26, 0xe5,
22479 ++ 0x53, 0xb7, 0xb2, 0x27, 0xfe, 0x87, 0xfd, 0xbd
22480 ++};
22481 ++static const u8 enc_output054[] __initconst = {
22482 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22483 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22484 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22485 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22486 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22487 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22488 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22489 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22490 ++ 0x06, 0x2d, 0xe6, 0x79, 0x5f, 0x27, 0x4f, 0xd2,
22491 ++ 0xa3, 0x05, 0xd7, 0x69, 0x80, 0xbc, 0x9c, 0xce
22492 ++};
22493 ++static const u8 enc_assoc054[] __initconst = {
22494 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22495 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
22496 ++};
22497 ++static const u8 enc_nonce054[] __initconst = {
22498 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22499 ++};
22500 ++static const u8 enc_key054[] __initconst = {
22501 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22502 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22503 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22504 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22505 ++};
22506 ++
22507 ++/* wycheproof - misc */
22508 ++static const u8 enc_input055[] __initconst = {
22509 ++ 0x25, 0x6d, 0x40, 0x88, 0x80, 0x94, 0x17, 0x83,
22510 ++ 0x55, 0xd3, 0x04, 0x84, 0x64, 0x43, 0xfe, 0xe8,
22511 ++ 0xdf, 0x99, 0x47, 0x03, 0x03, 0xfb, 0x3b, 0x7b,
22512 ++ 0x80, 0xe0, 0x30, 0xbe, 0xeb, 0xd3, 0x29, 0xbe,
22513 ++ 0xe3, 0xbc, 0xdb, 0x5b, 0x1e, 0xde, 0xfc, 0xfe,
22514 ++ 0x8b, 0xcd, 0xa1, 0xb6, 0xa1, 0x5c, 0x8c, 0x2b,
22515 ++ 0x08, 0x69, 0xff, 0xd2, 0xec, 0x5e, 0x26, 0xe5,
22516 ++ 0x53, 0xb7, 0xb2, 0x27, 0xfe, 0x87, 0xfd, 0xbd,
22517 ++ 0x7a, 0xda, 0x44, 0x42, 0x42, 0x69, 0xbf, 0xfa,
22518 ++ 0x55, 0x27, 0xf2, 0x70, 0xac, 0xf6, 0x85, 0x02,
22519 ++ 0xb7, 0x4c, 0x5a, 0xe2, 0xe6, 0x0c, 0x05, 0x80,
22520 ++ 0x98, 0x1a, 0x49, 0x38, 0x45, 0x93, 0x92, 0xc4,
22521 ++ 0x9b, 0xb2, 0xf2, 0x84, 0xb6, 0x46, 0xef, 0xc7,
22522 ++ 0xf3, 0xf0, 0xb1, 0x36, 0x1d, 0xc3, 0x48, 0xed,
22523 ++ 0x77, 0xd3, 0x0b, 0xc5, 0x76, 0x92, 0xed, 0x38,
22524 ++ 0xfb, 0xac, 0x01, 0x88, 0x38, 0x04, 0x88, 0xc7
22525 ++};
22526 ++static const u8 enc_output055[] __initconst = {
22527 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22528 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22529 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22530 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22531 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22532 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22533 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22534 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22535 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22536 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22537 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22538 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22539 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22540 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22541 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22542 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22543 ++ 0xd8, 0xb4, 0x79, 0x02, 0xba, 0xae, 0xaf, 0xb3,
22544 ++ 0x42, 0x03, 0x05, 0x15, 0x29, 0xaf, 0x28, 0x2e
22545 ++};
22546 ++static const u8 enc_assoc055[] __initconst = {
22547 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
22548 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
22549 ++};
22550 ++static const u8 enc_nonce055[] __initconst = {
22551 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22552 ++};
22553 ++static const u8 enc_key055[] __initconst = {
22554 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22555 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22556 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22557 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22558 ++};
22559 ++
22560 ++/* wycheproof - misc */
22561 ++static const u8 enc_input056[] __initconst = {
22562 ++ 0xda, 0x92, 0xbf, 0x77, 0x7f, 0x6b, 0xe8, 0x7c,
22563 ++ 0xaa, 0x2c, 0xfb, 0x7b, 0x9b, 0xbc, 0x01, 0x17,
22564 ++ 0x20, 0x66, 0xb8, 0xfc, 0xfc, 0x04, 0xc4, 0x84,
22565 ++ 0x7f, 0x1f, 0xcf, 0x41, 0x14, 0x2c, 0xd6, 0x41
22566 ++};
22567 ++static const u8 enc_output056[] __initconst = {
22568 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22569 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22570 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22571 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22572 ++ 0xb3, 0x89, 0x1c, 0x84, 0x9c, 0xb5, 0x2c, 0x27,
22573 ++ 0x74, 0x7e, 0xdf, 0xcf, 0x31, 0x21, 0x3b, 0xb6
22574 ++};
22575 ++static const u8 enc_assoc056[] __initconst = {
22576 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22577 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
22578 ++};
22579 ++static const u8 enc_nonce056[] __initconst = {
22580 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22581 ++};
22582 ++static const u8 enc_key056[] __initconst = {
22583 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22584 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22585 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22586 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22587 ++};
22588 ++
22589 ++/* wycheproof - misc */
22590 ++static const u8 enc_input057[] __initconst = {
22591 ++ 0xda, 0x92, 0xbf, 0x77, 0x7f, 0x6b, 0xe8, 0x7c,
22592 ++ 0xaa, 0x2c, 0xfb, 0x7b, 0x9b, 0xbc, 0x01, 0x17,
22593 ++ 0x20, 0x66, 0xb8, 0xfc, 0xfc, 0x04, 0xc4, 0x84,
22594 ++ 0x7f, 0x1f, 0xcf, 0x41, 0x14, 0x2c, 0xd6, 0x41,
22595 ++ 0x1c, 0x43, 0x24, 0xa4, 0xe1, 0x21, 0x03, 0x01,
22596 ++ 0x74, 0x32, 0x5e, 0x49, 0x5e, 0xa3, 0x73, 0xd4,
22597 ++ 0xf7, 0x96, 0x00, 0x2d, 0x13, 0xa1, 0xd9, 0x1a,
22598 ++ 0xac, 0x48, 0x4d, 0xd8, 0x01, 0x78, 0x02, 0x42
22599 ++};
22600 ++static const u8 enc_output057[] __initconst = {
22601 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22602 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22603 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22604 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22605 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22606 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22607 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22608 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22609 ++ 0xf0, 0xc1, 0x2d, 0x26, 0xef, 0x03, 0x02, 0x9b,
22610 ++ 0x62, 0xc0, 0x08, 0xda, 0x27, 0xc5, 0xdc, 0x68
22611 ++};
22612 ++static const u8 enc_assoc057[] __initconst = {
22613 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22614 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
22615 ++};
22616 ++static const u8 enc_nonce057[] __initconst = {
22617 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22618 ++};
22619 ++static const u8 enc_key057[] __initconst = {
22620 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22621 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22622 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22623 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22624 ++};
22625 ++
22626 ++/* wycheproof - misc */
22627 ++static const u8 enc_input058[] __initconst = {
22628 ++ 0xda, 0x92, 0xbf, 0x77, 0x7f, 0x6b, 0xe8, 0x7c,
22629 ++ 0xaa, 0x2c, 0xfb, 0x7b, 0x9b, 0xbc, 0x01, 0x17,
22630 ++ 0x20, 0x66, 0xb8, 0xfc, 0xfc, 0x04, 0xc4, 0x84,
22631 ++ 0x7f, 0x1f, 0xcf, 0x41, 0x14, 0x2c, 0xd6, 0x41,
22632 ++ 0x1c, 0x43, 0x24, 0xa4, 0xe1, 0x21, 0x03, 0x01,
22633 ++ 0x74, 0x32, 0x5e, 0x49, 0x5e, 0xa3, 0x73, 0xd4,
22634 ++ 0xf7, 0x96, 0x00, 0x2d, 0x13, 0xa1, 0xd9, 0x1a,
22635 ++ 0xac, 0x48, 0x4d, 0xd8, 0x01, 0x78, 0x02, 0x42,
22636 ++ 0x85, 0x25, 0xbb, 0xbd, 0xbd, 0x96, 0x40, 0x05,
22637 ++ 0xaa, 0xd8, 0x0d, 0x8f, 0x53, 0x09, 0x7a, 0xfd,
22638 ++ 0x48, 0xb3, 0xa5, 0x1d, 0x19, 0xf3, 0xfa, 0x7f,
22639 ++ 0x67, 0xe5, 0xb6, 0xc7, 0xba, 0x6c, 0x6d, 0x3b,
22640 ++ 0x64, 0x4d, 0x0d, 0x7b, 0x49, 0xb9, 0x10, 0x38,
22641 ++ 0x0c, 0x0f, 0x4e, 0xc9, 0xe2, 0x3c, 0xb7, 0x12,
22642 ++ 0x88, 0x2c, 0xf4, 0x3a, 0x89, 0x6d, 0x12, 0xc7,
22643 ++ 0x04, 0x53, 0xfe, 0x77, 0xc7, 0xfb, 0x77, 0x38
22644 ++};
22645 ++static const u8 enc_output058[] __initconst = {
22646 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22647 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22648 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22649 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22650 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22651 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22652 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22653 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22654 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22655 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22656 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22657 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22658 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22659 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22660 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22661 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22662 ++ 0xee, 0x65, 0x78, 0x30, 0x01, 0xc2, 0x56, 0x91,
22663 ++ 0xfa, 0x28, 0xd0, 0xf5, 0xf1, 0xc1, 0xd7, 0x62
22664 ++};
22665 ++static const u8 enc_assoc058[] __initconst = {
22666 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
22667 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
22668 ++};
22669 ++static const u8 enc_nonce058[] __initconst = {
22670 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22671 ++};
22672 ++static const u8 enc_key058[] __initconst = {
22673 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22674 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22675 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22676 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22677 ++};
22678 ++
22679 ++/* wycheproof - misc */
22680 ++static const u8 enc_input059[] __initconst = {
22681 ++ 0x25, 0x6d, 0x40, 0x08, 0x80, 0x94, 0x17, 0x03,
22682 ++ 0x55, 0xd3, 0x04, 0x04, 0x64, 0x43, 0xfe, 0x68,
22683 ++ 0xdf, 0x99, 0x47, 0x83, 0x03, 0xfb, 0x3b, 0xfb,
22684 ++ 0x80, 0xe0, 0x30, 0x3e, 0xeb, 0xd3, 0x29, 0x3e
22685 ++};
22686 ++static const u8 enc_output059[] __initconst = {
22687 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22688 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22689 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22690 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22691 ++ 0x79, 0xba, 0x7a, 0x29, 0xf5, 0xa7, 0xbb, 0x75,
22692 ++ 0x79, 0x7a, 0xf8, 0x7a, 0x61, 0x01, 0x29, 0xa4
22693 ++};
22694 ++static const u8 enc_assoc059[] __initconst = {
22695 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22696 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
22697 ++};
22698 ++static const u8 enc_nonce059[] __initconst = {
22699 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22700 ++};
22701 ++static const u8 enc_key059[] __initconst = {
22702 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22703 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22704 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22705 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22706 ++};
22707 ++
22708 ++/* wycheproof - misc */
22709 ++static const u8 enc_input060[] __initconst = {
22710 ++ 0x25, 0x6d, 0x40, 0x08, 0x80, 0x94, 0x17, 0x03,
22711 ++ 0x55, 0xd3, 0x04, 0x04, 0x64, 0x43, 0xfe, 0x68,
22712 ++ 0xdf, 0x99, 0x47, 0x83, 0x03, 0xfb, 0x3b, 0xfb,
22713 ++ 0x80, 0xe0, 0x30, 0x3e, 0xeb, 0xd3, 0x29, 0x3e,
22714 ++ 0xe3, 0xbc, 0xdb, 0xdb, 0x1e, 0xde, 0xfc, 0x7e,
22715 ++ 0x8b, 0xcd, 0xa1, 0x36, 0xa1, 0x5c, 0x8c, 0xab,
22716 ++ 0x08, 0x69, 0xff, 0x52, 0xec, 0x5e, 0x26, 0x65,
22717 ++ 0x53, 0xb7, 0xb2, 0xa7, 0xfe, 0x87, 0xfd, 0x3d
22718 ++};
22719 ++static const u8 enc_output060[] __initconst = {
22720 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22721 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22722 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22723 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22724 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22725 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22726 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22727 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22728 ++ 0x36, 0xb1, 0x74, 0x38, 0x19, 0xe1, 0xb9, 0xba,
22729 ++ 0x15, 0x51, 0xe8, 0xed, 0x92, 0x2a, 0x95, 0x9a
22730 ++};
22731 ++static const u8 enc_assoc060[] __initconst = {
22732 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22733 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
22734 ++};
22735 ++static const u8 enc_nonce060[] __initconst = {
22736 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22737 ++};
22738 ++static const u8 enc_key060[] __initconst = {
22739 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22740 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22741 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22742 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22743 ++};
22744 ++
22745 ++/* wycheproof - misc */
22746 ++static const u8 enc_input061[] __initconst = {
22747 ++ 0x25, 0x6d, 0x40, 0x08, 0x80, 0x94, 0x17, 0x03,
22748 ++ 0x55, 0xd3, 0x04, 0x04, 0x64, 0x43, 0xfe, 0x68,
22749 ++ 0xdf, 0x99, 0x47, 0x83, 0x03, 0xfb, 0x3b, 0xfb,
22750 ++ 0x80, 0xe0, 0x30, 0x3e, 0xeb, 0xd3, 0x29, 0x3e,
22751 ++ 0xe3, 0xbc, 0xdb, 0xdb, 0x1e, 0xde, 0xfc, 0x7e,
22752 ++ 0x8b, 0xcd, 0xa1, 0x36, 0xa1, 0x5c, 0x8c, 0xab,
22753 ++ 0x08, 0x69, 0xff, 0x52, 0xec, 0x5e, 0x26, 0x65,
22754 ++ 0x53, 0xb7, 0xb2, 0xa7, 0xfe, 0x87, 0xfd, 0x3d,
22755 ++ 0x7a, 0xda, 0x44, 0xc2, 0x42, 0x69, 0xbf, 0x7a,
22756 ++ 0x55, 0x27, 0xf2, 0xf0, 0xac, 0xf6, 0x85, 0x82,
22757 ++ 0xb7, 0x4c, 0x5a, 0x62, 0xe6, 0x0c, 0x05, 0x00,
22758 ++ 0x98, 0x1a, 0x49, 0xb8, 0x45, 0x93, 0x92, 0x44,
22759 ++ 0x9b, 0xb2, 0xf2, 0x04, 0xb6, 0x46, 0xef, 0x47,
22760 ++ 0xf3, 0xf0, 0xb1, 0xb6, 0x1d, 0xc3, 0x48, 0x6d,
22761 ++ 0x77, 0xd3, 0x0b, 0x45, 0x76, 0x92, 0xed, 0xb8,
22762 ++ 0xfb, 0xac, 0x01, 0x08, 0x38, 0x04, 0x88, 0x47
22763 ++};
22764 ++static const u8 enc_output061[] __initconst = {
22765 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22766 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22767 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22768 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22769 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22770 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22771 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22772 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22773 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22774 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22775 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22776 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22777 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22778 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22779 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22780 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22781 ++ 0xfe, 0xac, 0x49, 0x55, 0x55, 0x4e, 0x80, 0x6f,
22782 ++ 0x3a, 0x19, 0x02, 0xe2, 0x44, 0x32, 0xc0, 0x8a
22783 ++};
22784 ++static const u8 enc_assoc061[] __initconst = {
22785 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
22786 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
22787 ++};
22788 ++static const u8 enc_nonce061[] __initconst = {
22789 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22790 ++};
22791 ++static const u8 enc_key061[] __initconst = {
22792 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22793 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22794 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22795 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22796 ++};
22797 ++
22798 ++/* wycheproof - misc */
22799 ++static const u8 enc_input062[] __initconst = {
22800 ++ 0xda, 0x92, 0xbf, 0xf7, 0x7f, 0x6b, 0xe8, 0xfc,
22801 ++ 0xaa, 0x2c, 0xfb, 0xfb, 0x9b, 0xbc, 0x01, 0x97,
22802 ++ 0x20, 0x66, 0xb8, 0x7c, 0xfc, 0x04, 0xc4, 0x04,
22803 ++ 0x7f, 0x1f, 0xcf, 0xc1, 0x14, 0x2c, 0xd6, 0xc1
22804 ++};
22805 ++static const u8 enc_output062[] __initconst = {
22806 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22807 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22808 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22809 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22810 ++ 0x20, 0xa3, 0x79, 0x8d, 0xf1, 0x29, 0x2c, 0x59,
22811 ++ 0x72, 0xbf, 0x97, 0x41, 0xae, 0xc3, 0x8a, 0x19
22812 ++};
22813 ++static const u8 enc_assoc062[] __initconst = {
22814 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22815 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
22816 ++};
22817 ++static const u8 enc_nonce062[] __initconst = {
22818 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22819 ++};
22820 ++static const u8 enc_key062[] __initconst = {
22821 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22822 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22823 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22824 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22825 ++};
22826 ++
22827 ++/* wycheproof - misc */
22828 ++static const u8 enc_input063[] __initconst = {
22829 ++ 0xda, 0x92, 0xbf, 0xf7, 0x7f, 0x6b, 0xe8, 0xfc,
22830 ++ 0xaa, 0x2c, 0xfb, 0xfb, 0x9b, 0xbc, 0x01, 0x97,
22831 ++ 0x20, 0x66, 0xb8, 0x7c, 0xfc, 0x04, 0xc4, 0x04,
22832 ++ 0x7f, 0x1f, 0xcf, 0xc1, 0x14, 0x2c, 0xd6, 0xc1,
22833 ++ 0x1c, 0x43, 0x24, 0x24, 0xe1, 0x21, 0x03, 0x81,
22834 ++ 0x74, 0x32, 0x5e, 0xc9, 0x5e, 0xa3, 0x73, 0x54,
22835 ++ 0xf7, 0x96, 0x00, 0xad, 0x13, 0xa1, 0xd9, 0x9a,
22836 ++ 0xac, 0x48, 0x4d, 0x58, 0x01, 0x78, 0x02, 0xc2
22837 ++};
22838 ++static const u8 enc_output063[] __initconst = {
22839 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22840 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22841 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22842 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22843 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22844 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22845 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22846 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22847 ++ 0xc0, 0x3d, 0x9f, 0x67, 0x35, 0x4a, 0x97, 0xb2,
22848 ++ 0xf0, 0x74, 0xf7, 0x55, 0x15, 0x57, 0xe4, 0x9c
22849 ++};
22850 ++static const u8 enc_assoc063[] __initconst = {
22851 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22852 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
22853 ++};
22854 ++static const u8 enc_nonce063[] __initconst = {
22855 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22856 ++};
22857 ++static const u8 enc_key063[] __initconst = {
22858 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22859 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22860 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22861 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22862 ++};
22863 ++
22864 ++/* wycheproof - misc */
22865 ++static const u8 enc_input064[] __initconst = {
22866 ++ 0xda, 0x92, 0xbf, 0xf7, 0x7f, 0x6b, 0xe8, 0xfc,
22867 ++ 0xaa, 0x2c, 0xfb, 0xfb, 0x9b, 0xbc, 0x01, 0x97,
22868 ++ 0x20, 0x66, 0xb8, 0x7c, 0xfc, 0x04, 0xc4, 0x04,
22869 ++ 0x7f, 0x1f, 0xcf, 0xc1, 0x14, 0x2c, 0xd6, 0xc1,
22870 ++ 0x1c, 0x43, 0x24, 0x24, 0xe1, 0x21, 0x03, 0x81,
22871 ++ 0x74, 0x32, 0x5e, 0xc9, 0x5e, 0xa3, 0x73, 0x54,
22872 ++ 0xf7, 0x96, 0x00, 0xad, 0x13, 0xa1, 0xd9, 0x9a,
22873 ++ 0xac, 0x48, 0x4d, 0x58, 0x01, 0x78, 0x02, 0xc2,
22874 ++ 0x85, 0x25, 0xbb, 0x3d, 0xbd, 0x96, 0x40, 0x85,
22875 ++ 0xaa, 0xd8, 0x0d, 0x0f, 0x53, 0x09, 0x7a, 0x7d,
22876 ++ 0x48, 0xb3, 0xa5, 0x9d, 0x19, 0xf3, 0xfa, 0xff,
22877 ++ 0x67, 0xe5, 0xb6, 0x47, 0xba, 0x6c, 0x6d, 0xbb,
22878 ++ 0x64, 0x4d, 0x0d, 0xfb, 0x49, 0xb9, 0x10, 0xb8,
22879 ++ 0x0c, 0x0f, 0x4e, 0x49, 0xe2, 0x3c, 0xb7, 0x92,
22880 ++ 0x88, 0x2c, 0xf4, 0xba, 0x89, 0x6d, 0x12, 0x47,
22881 ++ 0x04, 0x53, 0xfe, 0xf7, 0xc7, 0xfb, 0x77, 0xb8
22882 ++};
22883 ++static const u8 enc_output064[] __initconst = {
22884 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22885 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22886 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22887 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22888 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22889 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22890 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22891 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22892 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22893 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22894 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22895 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22896 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22897 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22898 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22899 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22900 ++ 0xc8, 0x6d, 0xa8, 0xdd, 0x65, 0x22, 0x86, 0xd5,
22901 ++ 0x02, 0x13, 0xd3, 0x28, 0xd6, 0x3e, 0x40, 0x06
22902 ++};
22903 ++static const u8 enc_assoc064[] __initconst = {
22904 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
22905 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
22906 ++};
22907 ++static const u8 enc_nonce064[] __initconst = {
22908 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22909 ++};
22910 ++static const u8 enc_key064[] __initconst = {
22911 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22912 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22913 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22914 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22915 ++};
22916 ++
22917 ++/* wycheproof - misc */
22918 ++static const u8 enc_input065[] __initconst = {
22919 ++ 0x5a, 0x92, 0xbf, 0x77, 0xff, 0x6b, 0xe8, 0x7c,
22920 ++ 0x2a, 0x2c, 0xfb, 0x7b, 0x1b, 0xbc, 0x01, 0x17,
22921 ++ 0xa0, 0x66, 0xb8, 0xfc, 0x7c, 0x04, 0xc4, 0x84,
22922 ++ 0xff, 0x1f, 0xcf, 0x41, 0x94, 0x2c, 0xd6, 0x41
22923 ++};
22924 ++static const u8 enc_output065[] __initconst = {
22925 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22926 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22927 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22928 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22929 ++ 0xbe, 0xde, 0x90, 0x83, 0xce, 0xb3, 0x6d, 0xdf,
22930 ++ 0xe5, 0xfa, 0x81, 0x1f, 0x95, 0x47, 0x1c, 0x67
22931 ++};
22932 ++static const u8 enc_assoc065[] __initconst = {
22933 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22934 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff
22935 ++};
22936 ++static const u8 enc_nonce065[] __initconst = {
22937 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22938 ++};
22939 ++static const u8 enc_key065[] __initconst = {
22940 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22941 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22942 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22943 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22944 ++};
22945 ++
22946 ++/* wycheproof - misc */
22947 ++static const u8 enc_input066[] __initconst = {
22948 ++ 0x5a, 0x92, 0xbf, 0x77, 0xff, 0x6b, 0xe8, 0x7c,
22949 ++ 0x2a, 0x2c, 0xfb, 0x7b, 0x1b, 0xbc, 0x01, 0x17,
22950 ++ 0xa0, 0x66, 0xb8, 0xfc, 0x7c, 0x04, 0xc4, 0x84,
22951 ++ 0xff, 0x1f, 0xcf, 0x41, 0x94, 0x2c, 0xd6, 0x41,
22952 ++ 0x9c, 0x43, 0x24, 0xa4, 0x61, 0x21, 0x03, 0x01,
22953 ++ 0xf4, 0x32, 0x5e, 0x49, 0xde, 0xa3, 0x73, 0xd4,
22954 ++ 0x77, 0x96, 0x00, 0x2d, 0x93, 0xa1, 0xd9, 0x1a,
22955 ++ 0x2c, 0x48, 0x4d, 0xd8, 0x81, 0x78, 0x02, 0x42
22956 ++};
22957 ++static const u8 enc_output066[] __initconst = {
22958 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22959 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22960 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22961 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22962 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22963 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22964 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22965 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22966 ++ 0x30, 0x08, 0x74, 0xbb, 0x06, 0x92, 0xb6, 0x89,
22967 ++ 0xde, 0xad, 0x9a, 0xe1, 0x5b, 0x06, 0x73, 0x90
22968 ++};
22969 ++static const u8 enc_assoc066[] __initconst = {
22970 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
22971 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff
22972 ++};
22973 ++static const u8 enc_nonce066[] __initconst = {
22974 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
22975 ++};
22976 ++static const u8 enc_key066[] __initconst = {
22977 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
22978 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
22979 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
22980 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
22981 ++};
22982 ++
22983 ++/* wycheproof - misc */
22984 ++static const u8 enc_input067[] __initconst = {
22985 ++ 0x5a, 0x92, 0xbf, 0x77, 0xff, 0x6b, 0xe8, 0x7c,
22986 ++ 0x2a, 0x2c, 0xfb, 0x7b, 0x1b, 0xbc, 0x01, 0x17,
22987 ++ 0xa0, 0x66, 0xb8, 0xfc, 0x7c, 0x04, 0xc4, 0x84,
22988 ++ 0xff, 0x1f, 0xcf, 0x41, 0x94, 0x2c, 0xd6, 0x41,
22989 ++ 0x9c, 0x43, 0x24, 0xa4, 0x61, 0x21, 0x03, 0x01,
22990 ++ 0xf4, 0x32, 0x5e, 0x49, 0xde, 0xa3, 0x73, 0xd4,
22991 ++ 0x77, 0x96, 0x00, 0x2d, 0x93, 0xa1, 0xd9, 0x1a,
22992 ++ 0x2c, 0x48, 0x4d, 0xd8, 0x81, 0x78, 0x02, 0x42,
22993 ++ 0x05, 0x25, 0xbb, 0xbd, 0x3d, 0x96, 0x40, 0x05,
22994 ++ 0x2a, 0xd8, 0x0d, 0x8f, 0xd3, 0x09, 0x7a, 0xfd,
22995 ++ 0xc8, 0xb3, 0xa5, 0x1d, 0x99, 0xf3, 0xfa, 0x7f,
22996 ++ 0xe7, 0xe5, 0xb6, 0xc7, 0x3a, 0x6c, 0x6d, 0x3b,
22997 ++ 0xe4, 0x4d, 0x0d, 0x7b, 0xc9, 0xb9, 0x10, 0x38,
22998 ++ 0x8c, 0x0f, 0x4e, 0xc9, 0x62, 0x3c, 0xb7, 0x12,
22999 ++ 0x08, 0x2c, 0xf4, 0x3a, 0x09, 0x6d, 0x12, 0xc7,
23000 ++ 0x84, 0x53, 0xfe, 0x77, 0x47, 0xfb, 0x77, 0x38
23001 ++};
23002 ++static const u8 enc_output067[] __initconst = {
23003 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23004 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23005 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23006 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23007 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23008 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23009 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23010 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23011 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23012 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23013 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23014 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23015 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23016 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23017 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23018 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23019 ++ 0x99, 0xca, 0xd8, 0x5f, 0x45, 0xca, 0x40, 0x94,
23020 ++ 0x2d, 0x0d, 0x4d, 0x5e, 0x95, 0x0a, 0xde, 0x22
23021 ++};
23022 ++static const u8 enc_assoc067[] __initconst = {
23023 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff,
23024 ++ 0x7f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff
23025 ++};
23026 ++static const u8 enc_nonce067[] __initconst = {
23027 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23028 ++};
23029 ++static const u8 enc_key067[] __initconst = {
23030 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23031 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23032 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23033 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23034 ++};
23035 ++
23036 ++/* wycheproof - misc */
23037 ++static const u8 enc_input068[] __initconst = {
23038 ++ 0x25, 0x6d, 0x40, 0x88, 0x7f, 0x6b, 0xe8, 0x7c,
23039 ++ 0x55, 0xd3, 0x04, 0x84, 0x9b, 0xbc, 0x01, 0x17,
23040 ++ 0xdf, 0x99, 0x47, 0x03, 0xfc, 0x04, 0xc4, 0x84,
23041 ++ 0x80, 0xe0, 0x30, 0xbe, 0x14, 0x2c, 0xd6, 0x41
23042 ++};
23043 ++static const u8 enc_output068[] __initconst = {
23044 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23045 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23046 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23047 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23048 ++ 0x8b, 0xbe, 0x14, 0x52, 0x72, 0xe7, 0xc2, 0xd9,
23049 ++ 0xa1, 0x89, 0x1a, 0x3a, 0xb0, 0x98, 0x3d, 0x9d
23050 ++};
23051 ++static const u8 enc_assoc068[] __initconst = {
23052 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23053 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
23054 ++};
23055 ++static const u8 enc_nonce068[] __initconst = {
23056 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23057 ++};
23058 ++static const u8 enc_key068[] __initconst = {
23059 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23060 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23061 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23062 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23063 ++};
23064 ++
23065 ++/* wycheproof - misc */
23066 ++static const u8 enc_input069[] __initconst = {
23067 ++ 0x25, 0x6d, 0x40, 0x88, 0x7f, 0x6b, 0xe8, 0x7c,
23068 ++ 0x55, 0xd3, 0x04, 0x84, 0x9b, 0xbc, 0x01, 0x17,
23069 ++ 0xdf, 0x99, 0x47, 0x03, 0xfc, 0x04, 0xc4, 0x84,
23070 ++ 0x80, 0xe0, 0x30, 0xbe, 0x14, 0x2c, 0xd6, 0x41,
23071 ++ 0xe3, 0xbc, 0xdb, 0x5b, 0xe1, 0x21, 0x03, 0x01,
23072 ++ 0x8b, 0xcd, 0xa1, 0xb6, 0x5e, 0xa3, 0x73, 0xd4,
23073 ++ 0x08, 0x69, 0xff, 0xd2, 0x13, 0xa1, 0xd9, 0x1a,
23074 ++ 0x53, 0xb7, 0xb2, 0x27, 0x01, 0x78, 0x02, 0x42
23075 ++};
23076 ++static const u8 enc_output069[] __initconst = {
23077 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23078 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23079 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23080 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23081 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23082 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23083 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23084 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23085 ++ 0x3b, 0x41, 0x86, 0x19, 0x13, 0xa8, 0xf6, 0xde,
23086 ++ 0x7f, 0x61, 0xe2, 0x25, 0x63, 0x1b, 0xc3, 0x82
23087 ++};
23088 ++static const u8 enc_assoc069[] __initconst = {
23089 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23090 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
23091 ++};
23092 ++static const u8 enc_nonce069[] __initconst = {
23093 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23094 ++};
23095 ++static const u8 enc_key069[] __initconst = {
23096 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23097 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23098 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23099 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23100 ++};
23101 ++
23102 ++/* wycheproof - misc */
23103 ++static const u8 enc_input070[] __initconst = {
23104 ++ 0x25, 0x6d, 0x40, 0x88, 0x7f, 0x6b, 0xe8, 0x7c,
23105 ++ 0x55, 0xd3, 0x04, 0x84, 0x9b, 0xbc, 0x01, 0x17,
23106 ++ 0xdf, 0x99, 0x47, 0x03, 0xfc, 0x04, 0xc4, 0x84,
23107 ++ 0x80, 0xe0, 0x30, 0xbe, 0x14, 0x2c, 0xd6, 0x41,
23108 ++ 0xe3, 0xbc, 0xdb, 0x5b, 0xe1, 0x21, 0x03, 0x01,
23109 ++ 0x8b, 0xcd, 0xa1, 0xb6, 0x5e, 0xa3, 0x73, 0xd4,
23110 ++ 0x08, 0x69, 0xff, 0xd2, 0x13, 0xa1, 0xd9, 0x1a,
23111 ++ 0x53, 0xb7, 0xb2, 0x27, 0x01, 0x78, 0x02, 0x42,
23112 ++ 0x7a, 0xda, 0x44, 0x42, 0xbd, 0x96, 0x40, 0x05,
23113 ++ 0x55, 0x27, 0xf2, 0x70, 0x53, 0x09, 0x7a, 0xfd,
23114 ++ 0xb7, 0x4c, 0x5a, 0xe2, 0x19, 0xf3, 0xfa, 0x7f,
23115 ++ 0x98, 0x1a, 0x49, 0x38, 0xba, 0x6c, 0x6d, 0x3b,
23116 ++ 0x9b, 0xb2, 0xf2, 0x84, 0x49, 0xb9, 0x10, 0x38,
23117 ++ 0xf3, 0xf0, 0xb1, 0x36, 0xe2, 0x3c, 0xb7, 0x12,
23118 ++ 0x77, 0xd3, 0x0b, 0xc5, 0x89, 0x6d, 0x12, 0xc7,
23119 ++ 0xfb, 0xac, 0x01, 0x88, 0xc7, 0xfb, 0x77, 0x38
23120 ++};
23121 ++static const u8 enc_output070[] __initconst = {
23122 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23123 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23124 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23125 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23126 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23127 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23128 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23129 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23130 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23131 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23132 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23133 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23134 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23135 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23136 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23137 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23138 ++ 0x84, 0x28, 0xbc, 0xf0, 0x23, 0xec, 0x6b, 0xf3,
23139 ++ 0x1f, 0xd9, 0xef, 0xb2, 0x03, 0xff, 0x08, 0x71
23140 ++};
23141 ++static const u8 enc_assoc070[] __initconst = {
23142 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
23143 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff
23144 ++};
23145 ++static const u8 enc_nonce070[] __initconst = {
23146 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23147 ++};
23148 ++static const u8 enc_key070[] __initconst = {
23149 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23150 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23151 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23152 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23153 ++};
23154 ++
23155 ++/* wycheproof - misc */
23156 ++static const u8 enc_input071[] __initconst = {
23157 ++ 0xda, 0x92, 0xbf, 0x77, 0x80, 0x94, 0x17, 0x83,
23158 ++ 0xaa, 0x2c, 0xfb, 0x7b, 0x64, 0x43, 0xfe, 0xe8,
23159 ++ 0x20, 0x66, 0xb8, 0xfc, 0x03, 0xfb, 0x3b, 0x7b,
23160 ++ 0x7f, 0x1f, 0xcf, 0x41, 0xeb, 0xd3, 0x29, 0xbe
23161 ++};
23162 ++static const u8 enc_output071[] __initconst = {
23163 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23164 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23165 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23166 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23167 ++ 0x13, 0x9f, 0xdf, 0x64, 0x74, 0xea, 0x24, 0xf5,
23168 ++ 0x49, 0xb0, 0x75, 0x82, 0x5f, 0x2c, 0x76, 0x20
23169 ++};
23170 ++static const u8 enc_assoc071[] __initconst = {
23171 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23172 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
23173 ++};
23174 ++static const u8 enc_nonce071[] __initconst = {
23175 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23176 ++};
23177 ++static const u8 enc_key071[] __initconst = {
23178 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23179 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23180 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23181 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23182 ++};
23183 ++
23184 ++/* wycheproof - misc */
23185 ++static const u8 enc_input072[] __initconst = {
23186 ++ 0xda, 0x92, 0xbf, 0x77, 0x80, 0x94, 0x17, 0x83,
23187 ++ 0xaa, 0x2c, 0xfb, 0x7b, 0x64, 0x43, 0xfe, 0xe8,
23188 ++ 0x20, 0x66, 0xb8, 0xfc, 0x03, 0xfb, 0x3b, 0x7b,
23189 ++ 0x7f, 0x1f, 0xcf, 0x41, 0xeb, 0xd3, 0x29, 0xbe,
23190 ++ 0x1c, 0x43, 0x24, 0xa4, 0x1e, 0xde, 0xfc, 0xfe,
23191 ++ 0x74, 0x32, 0x5e, 0x49, 0xa1, 0x5c, 0x8c, 0x2b,
23192 ++ 0xf7, 0x96, 0x00, 0x2d, 0xec, 0x5e, 0x26, 0xe5,
23193 ++ 0xac, 0x48, 0x4d, 0xd8, 0xfe, 0x87, 0xfd, 0xbd
23194 ++};
23195 ++static const u8 enc_output072[] __initconst = {
23196 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23197 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23198 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23199 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23200 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23201 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23202 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23203 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23204 ++ 0xbb, 0xad, 0x8d, 0x86, 0x3b, 0x83, 0x5a, 0x8e,
23205 ++ 0x86, 0x64, 0xfd, 0x1d, 0x45, 0x66, 0xb6, 0xb4
23206 ++};
23207 ++static const u8 enc_assoc072[] __initconst = {
23208 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23209 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
23210 ++};
23211 ++static const u8 enc_nonce072[] __initconst = {
23212 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23213 ++};
23214 ++static const u8 enc_key072[] __initconst = {
23215 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23216 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23217 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23218 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23219 ++};
23220 ++
23221 ++/* wycheproof - misc */
23222 ++static const u8 enc_input073[] __initconst = {
23223 ++ 0xda, 0x92, 0xbf, 0x77, 0x80, 0x94, 0x17, 0x83,
23224 ++ 0xaa, 0x2c, 0xfb, 0x7b, 0x64, 0x43, 0xfe, 0xe8,
23225 ++ 0x20, 0x66, 0xb8, 0xfc, 0x03, 0xfb, 0x3b, 0x7b,
23226 ++ 0x7f, 0x1f, 0xcf, 0x41, 0xeb, 0xd3, 0x29, 0xbe,
23227 ++ 0x1c, 0x43, 0x24, 0xa4, 0x1e, 0xde, 0xfc, 0xfe,
23228 ++ 0x74, 0x32, 0x5e, 0x49, 0xa1, 0x5c, 0x8c, 0x2b,
23229 ++ 0xf7, 0x96, 0x00, 0x2d, 0xec, 0x5e, 0x26, 0xe5,
23230 ++ 0xac, 0x48, 0x4d, 0xd8, 0xfe, 0x87, 0xfd, 0xbd,
23231 ++ 0x85, 0x25, 0xbb, 0xbd, 0x42, 0x69, 0xbf, 0xfa,
23232 ++ 0xaa, 0xd8, 0x0d, 0x8f, 0xac, 0xf6, 0x85, 0x02,
23233 ++ 0x48, 0xb3, 0xa5, 0x1d, 0xe6, 0x0c, 0x05, 0x80,
23234 ++ 0x67, 0xe5, 0xb6, 0xc7, 0x45, 0x93, 0x92, 0xc4,
23235 ++ 0x64, 0x4d, 0x0d, 0x7b, 0xb6, 0x46, 0xef, 0xc7,
23236 ++ 0x0c, 0x0f, 0x4e, 0xc9, 0x1d, 0xc3, 0x48, 0xed,
23237 ++ 0x88, 0x2c, 0xf4, 0x3a, 0x76, 0x92, 0xed, 0x38,
23238 ++ 0x04, 0x53, 0xfe, 0x77, 0x38, 0x04, 0x88, 0xc7
23239 ++};
23240 ++static const u8 enc_output073[] __initconst = {
23241 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23242 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23243 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23244 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23245 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23246 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23247 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23248 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23249 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23250 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23251 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23252 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23253 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23254 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23255 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23256 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23257 ++ 0x42, 0xf2, 0x35, 0x42, 0x97, 0x84, 0x9a, 0x51,
23258 ++ 0x1d, 0x53, 0xe5, 0x57, 0x17, 0x72, 0xf7, 0x1f
23259 ++};
23260 ++static const u8 enc_assoc073[] __initconst = {
23261 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
23262 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
23263 ++};
23264 ++static const u8 enc_nonce073[] __initconst = {
23265 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0xee, 0x32, 0x00
23266 ++};
23267 ++static const u8 enc_key073[] __initconst = {
23268 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23269 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23270 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23271 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23272 ++};
23273 ++
23274 ++/* wycheproof - checking for int overflows */
23275 ++static const u8 enc_input074[] __initconst = {
23276 ++ 0xd4, 0x50, 0x0b, 0xf0, 0x09, 0x49, 0x35, 0x51,
23277 ++ 0xc3, 0x80, 0xad, 0xf5, 0x2c, 0x57, 0x3a, 0x69,
23278 ++ 0xdf, 0x7e, 0x8b, 0x76, 0x24, 0x63, 0x33, 0x0f,
23279 ++ 0xac, 0xc1, 0x6a, 0x57, 0x26, 0xbe, 0x71, 0x90,
23280 ++ 0xc6, 0x3c, 0x5a, 0x1c, 0x92, 0x65, 0x84, 0xa0,
23281 ++ 0x96, 0x75, 0x68, 0x28, 0xdc, 0xdc, 0x64, 0xac,
23282 ++ 0xdf, 0x96, 0x3d, 0x93, 0x1b, 0xf1, 0xda, 0xe2,
23283 ++ 0x38, 0xf3, 0xf1, 0x57, 0x22, 0x4a, 0xc4, 0xb5,
23284 ++ 0x42, 0xd7, 0x85, 0xb0, 0xdd, 0x84, 0xdb, 0x6b,
23285 ++ 0xe3, 0xbc, 0x5a, 0x36, 0x63, 0xe8, 0x41, 0x49,
23286 ++ 0xff, 0xbe, 0xd0, 0x9e, 0x54, 0xf7, 0x8f, 0x16,
23287 ++ 0xa8, 0x22, 0x3b, 0x24, 0xcb, 0x01, 0x9f, 0x58,
23288 ++ 0xb2, 0x1b, 0x0e, 0x55, 0x1e, 0x7a, 0xa0, 0x73,
23289 ++ 0x27, 0x62, 0x95, 0x51, 0x37, 0x6c, 0xcb, 0xc3,
23290 ++ 0x93, 0x76, 0x71, 0xa0, 0x62, 0x9b, 0xd9, 0x5c,
23291 ++ 0x99, 0x15, 0xc7, 0x85, 0x55, 0x77, 0x1e, 0x7a
23292 ++};
23293 ++static const u8 enc_output074[] __initconst = {
23294 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23295 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23296 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23297 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23298 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23299 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23300 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23301 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23302 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23303 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23304 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23305 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23306 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23307 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23308 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23309 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23310 ++ 0x0b, 0x30, 0x0d, 0x8d, 0xa5, 0x6c, 0x21, 0x85,
23311 ++ 0x75, 0x52, 0x79, 0x55, 0x3c, 0x4c, 0x82, 0xca
23312 ++};
23313 ++static const u8 enc_assoc074[] __initconst = {
23314 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23315 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23316 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23317 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23318 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23319 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23320 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23321 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23322 ++};
23323 ++static const u8 enc_nonce074[] __initconst = {
23324 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23325 ++ 0x00, 0x02, 0x50, 0x6e
23326 ++};
23327 ++static const u8 enc_key074[] __initconst = {
23328 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23329 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23330 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23331 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23332 ++};
23333 ++
23334 ++/* wycheproof - checking for int overflows */
23335 ++static const u8 enc_input075[] __initconst = {
23336 ++ 0x7d, 0xe8, 0x7f, 0x67, 0x29, 0x94, 0x52, 0x75,
23337 ++ 0xd0, 0x65, 0x5d, 0xa4, 0xc7, 0xfd, 0xe4, 0x56,
23338 ++ 0x9e, 0x16, 0xf1, 0x11, 0xb5, 0xeb, 0x26, 0xc2,
23339 ++ 0x2d, 0x85, 0x9e, 0x3f, 0xf8, 0x22, 0xec, 0xed,
23340 ++ 0x3a, 0x6d, 0xd9, 0xa6, 0x0f, 0x22, 0x95, 0x7f,
23341 ++ 0x7b, 0x7c, 0x85, 0x7e, 0x88, 0x22, 0xeb, 0x9f,
23342 ++ 0xe0, 0xb8, 0xd7, 0x02, 0x21, 0x41, 0xf2, 0xd0,
23343 ++ 0xb4, 0x8f, 0x4b, 0x56, 0x12, 0xd3, 0x22, 0xa8,
23344 ++ 0x8d, 0xd0, 0xfe, 0x0b, 0x4d, 0x91, 0x79, 0x32,
23345 ++ 0x4f, 0x7c, 0x6c, 0x9e, 0x99, 0x0e, 0xfb, 0xd8,
23346 ++ 0x0e, 0x5e, 0xd6, 0x77, 0x58, 0x26, 0x49, 0x8b,
23347 ++ 0x1e, 0xfe, 0x0f, 0x71, 0xa0, 0xf3, 0xec, 0x5b,
23348 ++ 0x29, 0xcb, 0x28, 0xc2, 0x54, 0x0a, 0x7d, 0xcd,
23349 ++ 0x51, 0xb7, 0xda, 0xae, 0xe0, 0xff, 0x4a, 0x7f,
23350 ++ 0x3a, 0xc1, 0xee, 0x54, 0xc2, 0x9e, 0xe4, 0xc1,
23351 ++ 0x70, 0xde, 0x40, 0x8f, 0x66, 0x69, 0x21, 0x94
23352 ++};
23353 ++static const u8 enc_output075[] __initconst = {
23354 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23355 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23356 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23357 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23358 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23359 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23360 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23361 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23362 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23363 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23364 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23365 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23366 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23367 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23368 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23369 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23370 ++ 0xc5, 0x78, 0xe2, 0xaa, 0x44, 0xd3, 0x09, 0xb7,
23371 ++ 0xb6, 0xa5, 0x19, 0x3b, 0xdc, 0x61, 0x18, 0xf5
23372 ++};
23373 ++static const u8 enc_assoc075[] __initconst = {
23374 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23375 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23376 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23377 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23378 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23379 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23380 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23381 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23382 ++};
23383 ++static const u8 enc_nonce075[] __initconst = {
23384 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23385 ++ 0x00, 0x03, 0x18, 0xa5
23386 ++};
23387 ++static const u8 enc_key075[] __initconst = {
23388 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23389 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23390 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23391 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23392 ++};
23393 ++
23394 ++/* wycheproof - checking for int overflows */
23395 ++static const u8 enc_input076[] __initconst = {
23396 ++ 0x1b, 0x99, 0x6f, 0x9a, 0x3c, 0xcc, 0x67, 0x85,
23397 ++ 0xde, 0x22, 0xff, 0x5b, 0x8a, 0xdd, 0x95, 0x02,
23398 ++ 0xce, 0x03, 0xa0, 0xfa, 0xf5, 0x99, 0x2a, 0x09,
23399 ++ 0x52, 0x2c, 0xdd, 0x12, 0x06, 0xd2, 0x20, 0xb8,
23400 ++ 0xf8, 0xbd, 0x07, 0xd1, 0xf1, 0xf5, 0xa1, 0xbd,
23401 ++ 0x9a, 0x71, 0xd1, 0x1c, 0x7f, 0x57, 0x9b, 0x85,
23402 ++ 0x58, 0x18, 0xc0, 0x8d, 0x4d, 0xe0, 0x36, 0x39,
23403 ++ 0x31, 0x83, 0xb7, 0xf5, 0x90, 0xb3, 0x35, 0xae,
23404 ++ 0xd8, 0xde, 0x5b, 0x57, 0xb1, 0x3c, 0x5f, 0xed,
23405 ++ 0xe2, 0x44, 0x1c, 0x3e, 0x18, 0x4a, 0xa9, 0xd4,
23406 ++ 0x6e, 0x61, 0x59, 0x85, 0x06, 0xb3, 0xe1, 0x1c,
23407 ++ 0x43, 0xc6, 0x2c, 0xbc, 0xac, 0xec, 0xed, 0x33,
23408 ++ 0x19, 0x08, 0x75, 0xb0, 0x12, 0x21, 0x8b, 0x19,
23409 ++ 0x30, 0xfb, 0x7c, 0x38, 0xec, 0x45, 0xac, 0x11,
23410 ++ 0xc3, 0x53, 0xd0, 0xcf, 0x93, 0x8d, 0xcc, 0xb9,
23411 ++ 0xef, 0xad, 0x8f, 0xed, 0xbe, 0x46, 0xda, 0xa5
23412 ++};
23413 ++static const u8 enc_output076[] __initconst = {
23414 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23415 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23416 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23417 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23418 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23419 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23420 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23421 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23422 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23423 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23424 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23425 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23426 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23427 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23428 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23429 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23430 ++ 0x4b, 0x0b, 0xda, 0x8a, 0xd0, 0x43, 0x83, 0x0d,
23431 ++ 0x83, 0x19, 0xab, 0x82, 0xc5, 0x0c, 0x76, 0x63
23432 ++};
23433 ++static const u8 enc_assoc076[] __initconst = {
23434 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23435 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23436 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23437 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23438 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23439 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23440 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23441 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23442 ++};
23443 ++static const u8 enc_nonce076[] __initconst = {
23444 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0xb4, 0xf0
23445 ++};
23446 ++static const u8 enc_key076[] __initconst = {
23447 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23448 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23449 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23450 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23451 ++};
23452 ++
23453 ++/* wycheproof - checking for int overflows */
23454 ++static const u8 enc_input077[] __initconst = {
23455 ++ 0x86, 0xcb, 0xac, 0xae, 0x4d, 0x3f, 0x74, 0xae,
23456 ++ 0x01, 0x21, 0x3e, 0x05, 0x51, 0xcc, 0x15, 0x16,
23457 ++ 0x0e, 0xa1, 0xbe, 0x84, 0x08, 0xe3, 0xd5, 0xd7,
23458 ++ 0x4f, 0x01, 0x46, 0x49, 0x95, 0xa6, 0x9e, 0x61,
23459 ++ 0x76, 0xcb, 0x9e, 0x02, 0xb2, 0x24, 0x7e, 0xd2,
23460 ++ 0x99, 0x89, 0x2f, 0x91, 0x82, 0xa4, 0x5c, 0xaf,
23461 ++ 0x4c, 0x69, 0x40, 0x56, 0x11, 0x76, 0x6e, 0xdf,
23462 ++ 0xaf, 0xdc, 0x28, 0x55, 0x19, 0xea, 0x30, 0x48,
23463 ++ 0x0c, 0x44, 0xf0, 0x5e, 0x78, 0x1e, 0xac, 0xf8,
23464 ++ 0xfc, 0xec, 0xc7, 0x09, 0x0a, 0xbb, 0x28, 0xfa,
23465 ++ 0x5f, 0xd5, 0x85, 0xac, 0x8c, 0xda, 0x7e, 0x87,
23466 ++ 0x72, 0xe5, 0x94, 0xe4, 0xce, 0x6c, 0x88, 0x32,
23467 ++ 0x81, 0x93, 0x2e, 0x0f, 0x89, 0xf8, 0x77, 0xa1,
23468 ++ 0xf0, 0x4d, 0x9c, 0x32, 0xb0, 0x6c, 0xf9, 0x0b,
23469 ++ 0x0e, 0x76, 0x2b, 0x43, 0x0c, 0x4d, 0x51, 0x7c,
23470 ++ 0x97, 0x10, 0x70, 0x68, 0xf4, 0x98, 0xef, 0x7f
23471 ++};
23472 ++static const u8 enc_output077[] __initconst = {
23473 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23474 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23475 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23476 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23477 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23478 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23479 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23480 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23481 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23482 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23483 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23484 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23485 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23486 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23487 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23488 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23489 ++ 0x4b, 0xc9, 0x8f, 0x72, 0xc4, 0x94, 0xc2, 0xa4,
23490 ++ 0x3c, 0x2b, 0x15, 0xa1, 0x04, 0x3f, 0x1c, 0xfa
23491 ++};
23492 ++static const u8 enc_assoc077[] __initconst = {
23493 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23494 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23495 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23496 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23497 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23498 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23499 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23500 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23501 ++};
23502 ++static const u8 enc_nonce077[] __initconst = {
23503 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xfb, 0x66
23504 ++};
23505 ++static const u8 enc_key077[] __initconst = {
23506 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23507 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23508 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23509 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23510 ++};
23511 ++
23512 ++/* wycheproof - checking for int overflows */
23513 ++static const u8 enc_input078[] __initconst = {
23514 ++ 0xfa, 0xb1, 0xcd, 0xdf, 0x4f, 0xe1, 0x98, 0xef,
23515 ++ 0x63, 0xad, 0xd8, 0x81, 0xd6, 0xea, 0xd6, 0xc5,
23516 ++ 0x76, 0x37, 0xbb, 0xe9, 0x20, 0x18, 0xca, 0x7c,
23517 ++ 0x0b, 0x96, 0xfb, 0xa0, 0x87, 0x1e, 0x93, 0x2d,
23518 ++ 0xb1, 0xfb, 0xf9, 0x07, 0x61, 0xbe, 0x25, 0xdf,
23519 ++ 0x8d, 0xfa, 0xf9, 0x31, 0xce, 0x57, 0x57, 0xe6,
23520 ++ 0x17, 0xb3, 0xd7, 0xa9, 0xf0, 0xbf, 0x0f, 0xfe,
23521 ++ 0x5d, 0x59, 0x1a, 0x33, 0xc1, 0x43, 0xb8, 0xf5,
23522 ++ 0x3f, 0xd0, 0xb5, 0xa1, 0x96, 0x09, 0xfd, 0x62,
23523 ++ 0xe5, 0xc2, 0x51, 0xa4, 0x28, 0x1a, 0x20, 0x0c,
23524 ++ 0xfd, 0xc3, 0x4f, 0x28, 0x17, 0x10, 0x40, 0x6f,
23525 ++ 0x4e, 0x37, 0x62, 0x54, 0x46, 0xff, 0x6e, 0xf2,
23526 ++ 0x24, 0x91, 0x3d, 0xeb, 0x0d, 0x89, 0xaf, 0x33,
23527 ++ 0x71, 0x28, 0xe3, 0xd1, 0x55, 0xd1, 0x6d, 0x3e,
23528 ++ 0xc3, 0x24, 0x60, 0x41, 0x43, 0x21, 0x43, 0xe9,
23529 ++ 0xab, 0x3a, 0x6d, 0x2c, 0xcc, 0x2f, 0x4d, 0x62
23530 ++};
23531 ++static const u8 enc_output078[] __initconst = {
23532 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23533 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23534 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23535 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23536 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23537 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23538 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23539 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23540 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23541 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23542 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23543 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23544 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23545 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23546 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23547 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23548 ++ 0xf7, 0xe9, 0xe1, 0x51, 0xb0, 0x25, 0x33, 0xc7,
23549 ++ 0x46, 0x58, 0xbf, 0xc7, 0x73, 0x7c, 0x68, 0x0d
23550 ++};
23551 ++static const u8 enc_assoc078[] __initconst = {
23552 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23553 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23554 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23555 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23556 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23557 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23558 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23559 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23560 ++};
23561 ++static const u8 enc_nonce078[] __initconst = {
23562 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0xbb, 0x90
23563 ++};
23564 ++static const u8 enc_key078[] __initconst = {
23565 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23566 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23567 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23568 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23569 ++};
23570 ++
23571 ++/* wycheproof - checking for int overflows */
23572 ++static const u8 enc_input079[] __initconst = {
23573 ++ 0x22, 0x72, 0x02, 0xbe, 0x7f, 0x35, 0x15, 0xe9,
23574 ++ 0xd1, 0xc0, 0x2e, 0xea, 0x2f, 0x19, 0x50, 0xb6,
23575 ++ 0x48, 0x1b, 0x04, 0x8a, 0x4c, 0x91, 0x50, 0x6c,
23576 ++ 0xb4, 0x0d, 0x50, 0x4e, 0x6c, 0x94, 0x9f, 0x82,
23577 ++ 0xd1, 0x97, 0xc2, 0x5a, 0xd1, 0x7d, 0xc7, 0x21,
23578 ++ 0x65, 0x11, 0x25, 0x78, 0x2a, 0xc7, 0xa7, 0x12,
23579 ++ 0x47, 0xfe, 0xae, 0xf3, 0x2f, 0x1f, 0x25, 0x0c,
23580 ++ 0xe4, 0xbb, 0x8f, 0x79, 0xac, 0xaa, 0x17, 0x9d,
23581 ++ 0x45, 0xa7, 0xb0, 0x54, 0x5f, 0x09, 0x24, 0x32,
23582 ++ 0x5e, 0xfa, 0x87, 0xd5, 0xe4, 0x41, 0xd2, 0x84,
23583 ++ 0x78, 0xc6, 0x1f, 0x22, 0x23, 0xee, 0x67, 0xc3,
23584 ++ 0xb4, 0x1f, 0x43, 0x94, 0x53, 0x5e, 0x2a, 0x24,
23585 ++ 0x36, 0x9a, 0x2e, 0x16, 0x61, 0x3c, 0x45, 0x94,
23586 ++ 0x90, 0xc1, 0x4f, 0xb1, 0xd7, 0x55, 0xfe, 0x53,
23587 ++ 0xfb, 0xe1, 0xee, 0x45, 0xb1, 0xb2, 0x1f, 0x71,
23588 ++ 0x62, 0xe2, 0xfc, 0xaa, 0x74, 0x2a, 0xbe, 0xfd
23589 ++};
23590 ++static const u8 enc_output079[] __initconst = {
23591 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23592 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23593 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23594 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23595 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23596 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23597 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23598 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23599 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23600 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23601 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23602 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23603 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23604 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23605 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23606 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23607 ++ 0x79, 0x5b, 0xcf, 0xf6, 0x47, 0xc5, 0x53, 0xc2,
23608 ++ 0xe4, 0xeb, 0x6e, 0x0e, 0xaf, 0xd9, 0xe0, 0x4e
23609 ++};
23610 ++static const u8 enc_assoc079[] __initconst = {
23611 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23612 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23613 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23614 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23615 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23616 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23617 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23618 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23619 ++};
23620 ++static const u8 enc_nonce079[] __initconst = {
23621 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x48, 0x4a
23622 ++};
23623 ++static const u8 enc_key079[] __initconst = {
23624 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23625 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23626 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23627 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23628 ++};
23629 ++
23630 ++/* wycheproof - checking for int overflows */
23631 ++static const u8 enc_input080[] __initconst = {
23632 ++ 0xfa, 0xe5, 0x83, 0x45, 0xc1, 0x6c, 0xb0, 0xf5,
23633 ++ 0xcc, 0x53, 0x7f, 0x2b, 0x1b, 0x34, 0x69, 0xc9,
23634 ++ 0x69, 0x46, 0x3b, 0x3e, 0xa7, 0x1b, 0xcf, 0x6b,
23635 ++ 0x98, 0xd6, 0x69, 0xa8, 0xe6, 0x0e, 0x04, 0xfc,
23636 ++ 0x08, 0xd5, 0xfd, 0x06, 0x9c, 0x36, 0x26, 0x38,
23637 ++ 0xe3, 0x40, 0x0e, 0xf4, 0xcb, 0x24, 0x2e, 0x27,
23638 ++ 0xe2, 0x24, 0x5e, 0x68, 0xcb, 0x9e, 0xc5, 0x83,
23639 ++ 0xda, 0x53, 0x40, 0xb1, 0x2e, 0xdf, 0x42, 0x3b,
23640 ++ 0x73, 0x26, 0xad, 0x20, 0xfe, 0xeb, 0x57, 0xda,
23641 ++ 0xca, 0x2e, 0x04, 0x67, 0xa3, 0x28, 0x99, 0xb4,
23642 ++ 0x2d, 0xf8, 0xe5, 0x6d, 0x84, 0xe0, 0x06, 0xbc,
23643 ++ 0x8a, 0x7a, 0xcc, 0x73, 0x1e, 0x7c, 0x1f, 0x6b,
23644 ++ 0xec, 0xb5, 0x71, 0x9f, 0x70, 0x77, 0xf0, 0xd4,
23645 ++ 0xf4, 0xc6, 0x1a, 0xb1, 0x1e, 0xba, 0xc1, 0x00,
23646 ++ 0x18, 0x01, 0xce, 0x33, 0xc4, 0xe4, 0xa7, 0x7d,
23647 ++ 0x83, 0x1d, 0x3c, 0xe3, 0x4e, 0x84, 0x10, 0xe1
23648 ++};
23649 ++static const u8 enc_output080[] __initconst = {
23650 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23651 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23652 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23653 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23654 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23655 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23656 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23657 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23658 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23659 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23660 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23661 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23662 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23663 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23664 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23665 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23666 ++ 0x19, 0x46, 0xd6, 0x53, 0x96, 0x0f, 0x94, 0x7a,
23667 ++ 0x74, 0xd3, 0xe8, 0x09, 0x3c, 0xf4, 0x85, 0x02
23668 ++};
23669 ++static const u8 enc_assoc080[] __initconst = {
23670 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23671 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23672 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23673 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23674 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23675 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23676 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23677 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23678 ++};
23679 ++static const u8 enc_nonce080[] __initconst = {
23680 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x93, 0x2f, 0x40
23681 ++};
23682 ++static const u8 enc_key080[] __initconst = {
23683 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23684 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23685 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23686 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23687 ++};
23688 ++
23689 ++/* wycheproof - checking for int overflows */
23690 ++static const u8 enc_input081[] __initconst = {
23691 ++ 0xeb, 0xb2, 0x16, 0xdd, 0xd7, 0xca, 0x70, 0x92,
23692 ++ 0x15, 0xf5, 0x03, 0xdf, 0x9c, 0xe6, 0x3c, 0x5c,
23693 ++ 0xd2, 0x19, 0x4e, 0x7d, 0x90, 0x99, 0xe8, 0xa9,
23694 ++ 0x0b, 0x2a, 0xfa, 0xad, 0x5e, 0xba, 0x35, 0x06,
23695 ++ 0x99, 0x25, 0xa6, 0x03, 0xfd, 0xbc, 0x34, 0x1a,
23696 ++ 0xae, 0xd4, 0x15, 0x05, 0xb1, 0x09, 0x41, 0xfa,
23697 ++ 0x38, 0x56, 0xa7, 0xe2, 0x47, 0xb1, 0x04, 0x07,
23698 ++ 0x09, 0x74, 0x6c, 0xfc, 0x20, 0x96, 0xca, 0xa6,
23699 ++ 0x31, 0xb2, 0xff, 0xf4, 0x1c, 0x25, 0x05, 0x06,
23700 ++ 0xd8, 0x89, 0xc1, 0xc9, 0x06, 0x71, 0xad, 0xe8,
23701 ++ 0x53, 0xee, 0x63, 0x94, 0xc1, 0x91, 0x92, 0xa5,
23702 ++ 0xcf, 0x37, 0x10, 0xd1, 0x07, 0x30, 0x99, 0xe5,
23703 ++ 0xbc, 0x94, 0x65, 0x82, 0xfc, 0x0f, 0xab, 0x9f,
23704 ++ 0x54, 0x3c, 0x71, 0x6a, 0xe2, 0x48, 0x6a, 0x86,
23705 ++ 0x83, 0xfd, 0xca, 0x39, 0xd2, 0xe1, 0x4f, 0x23,
23706 ++ 0xd0, 0x0a, 0x58, 0x26, 0x64, 0xf4, 0xec, 0xb1
23707 ++};
23708 ++static const u8 enc_output081[] __initconst = {
23709 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23710 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23711 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23712 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23713 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23714 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23715 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23716 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23717 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23718 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23719 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23720 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23721 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23722 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23723 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23724 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23725 ++ 0x36, 0xc3, 0x00, 0x29, 0x85, 0xdd, 0x21, 0xba,
23726 ++ 0xf8, 0x95, 0xd6, 0x33, 0x57, 0x3f, 0x12, 0xc0
23727 ++};
23728 ++static const u8 enc_assoc081[] __initconst = {
23729 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23730 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23731 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23732 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23733 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23734 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23735 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23736 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23737 ++};
23738 ++static const u8 enc_nonce081[] __initconst = {
23739 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0xe2, 0x93, 0x35
23740 ++};
23741 ++static const u8 enc_key081[] __initconst = {
23742 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23743 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23744 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30,
23745 ++ 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30
23746 ++};
23747 ++
23748 ++/* wycheproof - checking for int overflows */
23749 ++static const u8 enc_input082[] __initconst = {
23750 ++ 0x40, 0x8a, 0xe6, 0xef, 0x1c, 0x7e, 0xf0, 0xfb,
23751 ++ 0x2c, 0x2d, 0x61, 0x08, 0x16, 0xfc, 0x78, 0x49,
23752 ++ 0xef, 0xa5, 0x8f, 0x78, 0x27, 0x3f, 0x5f, 0x16,
23753 ++ 0x6e, 0xa6, 0x5f, 0x81, 0xb5, 0x75, 0x74, 0x7d,
23754 ++ 0x03, 0x5b, 0x30, 0x40, 0xfe, 0xde, 0x1e, 0xb9,
23755 ++ 0x45, 0x97, 0x88, 0x66, 0x97, 0x88, 0x40, 0x8e,
23756 ++ 0x00, 0x41, 0x3b, 0x3e, 0x37, 0x6d, 0x15, 0x2d,
23757 ++ 0x20, 0x4a, 0xa2, 0xb7, 0xa8, 0x35, 0x58, 0xfc,
23758 ++ 0xd4, 0x8a, 0x0e, 0xf7, 0xa2, 0x6b, 0x1c, 0xd6,
23759 ++ 0xd3, 0x5d, 0x23, 0xb3, 0xf5, 0xdf, 0xe0, 0xca,
23760 ++ 0x77, 0xa4, 0xce, 0x32, 0xb9, 0x4a, 0xbf, 0x83,
23761 ++ 0xda, 0x2a, 0xef, 0xca, 0xf0, 0x68, 0x38, 0x08,
23762 ++ 0x79, 0xe8, 0x9f, 0xb0, 0xa3, 0x82, 0x95, 0x95,
23763 ++ 0xcf, 0x44, 0xc3, 0x85, 0x2a, 0xe2, 0xcc, 0x66,
23764 ++ 0x2b, 0x68, 0x9f, 0x93, 0x55, 0xd9, 0xc1, 0x83,
23765 ++ 0x80, 0x1f, 0x6a, 0xcc, 0x31, 0x3f, 0x89, 0x07
23766 ++};
23767 ++static const u8 enc_output082[] __initconst = {
23768 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23769 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23770 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23771 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23772 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23773 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23774 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23775 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23776 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23777 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23778 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23779 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23780 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23781 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23782 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23783 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23784 ++ 0x65, 0x14, 0x51, 0x8e, 0x0a, 0x26, 0x41, 0x42,
23785 ++ 0xe0, 0xb7, 0x35, 0x1f, 0x96, 0x7f, 0xc2, 0xae
23786 ++};
23787 ++static const u8 enc_assoc082[] __initconst = {
23788 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23789 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23790 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23791 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23792 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23793 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23794 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23795 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23796 ++};
23797 ++static const u8 enc_nonce082[] __initconst = {
23798 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0xf7, 0xd5
23799 ++};
23800 ++static const u8 enc_key082[] __initconst = {
23801 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23802 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23803 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23804 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23805 ++};
23806 ++
23807 ++/* wycheproof - checking for int overflows */
23808 ++static const u8 enc_input083[] __initconst = {
23809 ++ 0x0a, 0x0a, 0x24, 0x49, 0x9b, 0xca, 0xde, 0x58,
23810 ++ 0xcf, 0x15, 0x76, 0xc3, 0x12, 0xac, 0xa9, 0x84,
23811 ++ 0x71, 0x8c, 0xb4, 0xcc, 0x7e, 0x01, 0x53, 0xf5,
23812 ++ 0xa9, 0x01, 0x58, 0x10, 0x85, 0x96, 0x44, 0xdf,
23813 ++ 0xc0, 0x21, 0x17, 0x4e, 0x0b, 0x06, 0x0a, 0x39,
23814 ++ 0x74, 0x48, 0xde, 0x8b, 0x48, 0x4a, 0x86, 0x03,
23815 ++ 0xbe, 0x68, 0x0a, 0x69, 0x34, 0xc0, 0x90, 0x6f,
23816 ++ 0x30, 0xdd, 0x17, 0xea, 0xe2, 0xd4, 0xc5, 0xfa,
23817 ++ 0xa7, 0x77, 0xf8, 0xca, 0x53, 0x37, 0x0e, 0x08,
23818 ++ 0x33, 0x1b, 0x88, 0xc3, 0x42, 0xba, 0xc9, 0x59,
23819 ++ 0x78, 0x7b, 0xbb, 0x33, 0x93, 0x0e, 0x3b, 0x56,
23820 ++ 0xbe, 0x86, 0xda, 0x7f, 0x2a, 0x6e, 0xb1, 0xf9,
23821 ++ 0x40, 0x89, 0xd1, 0xd1, 0x81, 0x07, 0x4d, 0x43,
23822 ++ 0x02, 0xf8, 0xe0, 0x55, 0x2d, 0x0d, 0xe1, 0xfa,
23823 ++ 0xb3, 0x06, 0xa2, 0x1b, 0x42, 0xd4, 0xc3, 0xba,
23824 ++ 0x6e, 0x6f, 0x0c, 0xbc, 0xc8, 0x1e, 0x87, 0x7a
23825 ++};
23826 ++static const u8 enc_output083[] __initconst = {
23827 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23828 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23829 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23830 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23831 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23832 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23833 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23834 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23835 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23836 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23837 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23838 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23839 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23840 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23841 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23842 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23843 ++ 0x4c, 0x19, 0x4d, 0xa6, 0xa9, 0x9f, 0xd6, 0x5b,
23844 ++ 0x40, 0xe9, 0xca, 0xd7, 0x98, 0xf4, 0x4b, 0x19
23845 ++};
23846 ++static const u8 enc_assoc083[] __initconst = {
23847 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23848 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23849 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23850 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23851 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23852 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23853 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23854 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23855 ++};
23856 ++static const u8 enc_nonce083[] __initconst = {
23857 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x3d, 0xfc, 0xe4
23858 ++};
23859 ++static const u8 enc_key083[] __initconst = {
23860 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23861 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23862 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23863 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23864 ++};
23865 ++
23866 ++/* wycheproof - checking for int overflows */
23867 ++static const u8 enc_input084[] __initconst = {
23868 ++ 0x4a, 0x0a, 0xaf, 0xf8, 0x49, 0x47, 0x29, 0x18,
23869 ++ 0x86, 0x91, 0x70, 0x13, 0x40, 0xf3, 0xce, 0x2b,
23870 ++ 0x8a, 0x78, 0xee, 0xd3, 0xa0, 0xf0, 0x65, 0x99,
23871 ++ 0x4b, 0x72, 0x48, 0x4e, 0x79, 0x91, 0xd2, 0x5c,
23872 ++ 0x29, 0xaa, 0x07, 0x5e, 0xb1, 0xfc, 0x16, 0xde,
23873 ++ 0x93, 0xfe, 0x06, 0x90, 0x58, 0x11, 0x2a, 0xb2,
23874 ++ 0x84, 0xa3, 0xed, 0x18, 0x78, 0x03, 0x26, 0xd1,
23875 ++ 0x25, 0x8a, 0x47, 0x22, 0x2f, 0xa6, 0x33, 0xd8,
23876 ++ 0xb2, 0x9f, 0x3b, 0xd9, 0x15, 0x0b, 0x23, 0x9b,
23877 ++ 0x15, 0x46, 0xc2, 0xbb, 0x9b, 0x9f, 0x41, 0x0f,
23878 ++ 0xeb, 0xea, 0xd3, 0x96, 0x00, 0x0e, 0xe4, 0x77,
23879 ++ 0x70, 0x15, 0x32, 0xc3, 0xd0, 0xf5, 0xfb, 0xf8,
23880 ++ 0x95, 0xd2, 0x80, 0x19, 0x6d, 0x2f, 0x73, 0x7c,
23881 ++ 0x5e, 0x9f, 0xec, 0x50, 0xd9, 0x2b, 0xb0, 0xdf,
23882 ++ 0x5d, 0x7e, 0x51, 0x3b, 0xe5, 0xb8, 0xea, 0x97,
23883 ++ 0x13, 0x10, 0xd5, 0xbf, 0x16, 0xba, 0x7a, 0xee
23884 ++};
23885 ++static const u8 enc_output084[] __initconst = {
23886 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23887 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23888 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23889 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23890 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23891 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23892 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23893 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23894 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23895 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23896 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23897 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23898 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23899 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23900 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23901 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23902 ++ 0xc8, 0xae, 0x77, 0x88, 0xcd, 0x28, 0x74, 0xab,
23903 ++ 0xc1, 0x38, 0x54, 0x1e, 0x11, 0xfd, 0x05, 0x87
23904 ++};
23905 ++static const u8 enc_assoc084[] __initconst = {
23906 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23907 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23908 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23909 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23910 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23911 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23912 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23913 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23914 ++};
23915 ++static const u8 enc_nonce084[] __initconst = {
23916 ++ 0x00, 0x00, 0x00, 0x00, 0x01, 0x84, 0x86, 0xa8
23917 ++};
23918 ++static const u8 enc_key084[] __initconst = {
23919 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23920 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23921 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23922 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23923 ++};
23924 ++
23925 ++/* wycheproof - checking for int overflows */
23926 ++static const u8 enc_input085[] __initconst = {
23927 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
23928 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
23929 ++ 0x78, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
23930 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
23931 ++ 0x9f, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
23932 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
23933 ++ 0x9c, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
23934 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
23935 ++ 0x47, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
23936 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
23937 ++ 0xd4, 0xd2, 0x06, 0x61, 0x6f, 0x92, 0x93, 0xf6,
23938 ++ 0x5b, 0x45, 0xdb, 0xbc, 0x74, 0xe7, 0xc2, 0xed,
23939 ++ 0xfb, 0xcb, 0xbf, 0x1c, 0xfb, 0x67, 0x9b, 0xb7,
23940 ++ 0x39, 0xa5, 0x86, 0x2d, 0xe2, 0xbc, 0xb9, 0x37,
23941 ++ 0xf7, 0x4d, 0x5b, 0xf8, 0x67, 0x1c, 0x5a, 0x8a,
23942 ++ 0x50, 0x92, 0xf6, 0x1d, 0x54, 0xc9, 0xaa, 0x5b
23943 ++};
23944 ++static const u8 enc_output085[] __initconst = {
23945 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23946 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23947 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23948 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23949 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23950 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23951 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23952 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23953 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23954 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23955 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23956 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23957 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23958 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23959 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23960 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23961 ++ 0x93, 0x3a, 0x51, 0x63, 0xc7, 0xf6, 0x23, 0x68,
23962 ++ 0x32, 0x7b, 0x3f, 0xbc, 0x10, 0x36, 0xc9, 0x43
23963 ++};
23964 ++static const u8 enc_assoc085[] __initconst = {
23965 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23966 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23967 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23968 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23969 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23970 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23971 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23972 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
23973 ++};
23974 ++static const u8 enc_nonce085[] __initconst = {
23975 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
23976 ++};
23977 ++static const u8 enc_key085[] __initconst = {
23978 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
23979 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
23980 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
23981 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
23982 ++};
23983 ++
23984 ++/* wycheproof - special case tag */
23985 ++static const u8 enc_input086[] __initconst = {
23986 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
23987 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
23988 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
23989 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
23990 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
23991 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
23992 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
23993 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
23994 ++};
23995 ++static const u8 enc_output086[] __initconst = {
23996 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23997 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23998 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
23999 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24000 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24001 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24002 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24003 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24004 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24005 ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
24006 ++};
24007 ++static const u8 enc_assoc086[] __initconst = {
24008 ++ 0x85, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24009 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24010 ++ 0xa6, 0x90, 0x2f, 0xcb, 0xc8, 0x83, 0xbb, 0xc1,
24011 ++ 0x80, 0xb2, 0x56, 0xae, 0x34, 0xad, 0x7f, 0x00
24012 ++};
24013 ++static const u8 enc_nonce086[] __initconst = {
24014 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24015 ++ 0x08, 0x09, 0x0a, 0x0b
24016 ++};
24017 ++static const u8 enc_key086[] __initconst = {
24018 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24019 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24020 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24021 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24022 ++};
24023 ++
24024 ++/* wycheproof - special case tag */
24025 ++static const u8 enc_input087[] __initconst = {
24026 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24027 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24028 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24029 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24030 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24031 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24032 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24033 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24034 ++};
24035 ++static const u8 enc_output087[] __initconst = {
24036 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24037 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24038 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24039 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24040 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24041 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24042 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24043 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24044 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
24045 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
24046 ++};
24047 ++static const u8 enc_assoc087[] __initconst = {
24048 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24049 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24050 ++ 0x24, 0x7e, 0x50, 0x64, 0x2a, 0x1c, 0x0a, 0x2f,
24051 ++ 0x8f, 0x77, 0x21, 0x96, 0x09, 0xdb, 0xa9, 0x58
24052 ++};
24053 ++static const u8 enc_nonce087[] __initconst = {
24054 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24055 ++ 0x08, 0x09, 0x0a, 0x0b
24056 ++};
24057 ++static const u8 enc_key087[] __initconst = {
24058 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24059 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24060 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24061 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24062 ++};
24063 ++
24064 ++/* wycheproof - special case tag */
24065 ++static const u8 enc_input088[] __initconst = {
24066 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24067 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24068 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24069 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24070 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24071 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24072 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24073 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24074 ++};
24075 ++static const u8 enc_output088[] __initconst = {
24076 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24077 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24078 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24079 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24080 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24081 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24082 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24083 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24084 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24085 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
24086 ++};
24087 ++static const u8 enc_assoc088[] __initconst = {
24088 ++ 0x7c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24089 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24090 ++ 0xd9, 0xe7, 0x2c, 0x06, 0x4a, 0xc8, 0x96, 0x1f,
24091 ++ 0x3f, 0xa5, 0x85, 0xe0, 0xe2, 0xab, 0xd6, 0x00
24092 ++};
24093 ++static const u8 enc_nonce088[] __initconst = {
24094 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24095 ++ 0x08, 0x09, 0x0a, 0x0b
24096 ++};
24097 ++static const u8 enc_key088[] __initconst = {
24098 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24099 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24100 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24101 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24102 ++};
24103 ++
24104 ++/* wycheproof - special case tag */
24105 ++static const u8 enc_input089[] __initconst = {
24106 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24107 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24108 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24109 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24110 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24111 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24112 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24113 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24114 ++};
24115 ++static const u8 enc_output089[] __initconst = {
24116 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24117 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24118 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24119 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24120 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24121 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24122 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24123 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24124 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80,
24125 ++ 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x80
24126 ++};
24127 ++static const u8 enc_assoc089[] __initconst = {
24128 ++ 0x65, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24129 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24130 ++ 0x95, 0xaf, 0x0f, 0x4d, 0x0b, 0x68, 0x6e, 0xae,
24131 ++ 0xcc, 0xca, 0x43, 0x07, 0xd5, 0x96, 0xf5, 0x02
24132 ++};
24133 ++static const u8 enc_nonce089[] __initconst = {
24134 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24135 ++ 0x08, 0x09, 0x0a, 0x0b
24136 ++};
24137 ++static const u8 enc_key089[] __initconst = {
24138 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24139 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24140 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24141 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24142 ++};
24143 ++
24144 ++/* wycheproof - special case tag */
24145 ++static const u8 enc_input090[] __initconst = {
24146 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24147 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24148 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24149 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24150 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24151 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24152 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24153 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24154 ++};
24155 ++static const u8 enc_output090[] __initconst = {
24156 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24157 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24158 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24159 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24160 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24161 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24162 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24163 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24164 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f,
24165 ++ 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0x7f
24166 ++};
24167 ++static const u8 enc_assoc090[] __initconst = {
24168 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24169 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24170 ++ 0x85, 0x40, 0xb4, 0x64, 0x35, 0x77, 0x07, 0xbe,
24171 ++ 0x3a, 0x39, 0xd5, 0x5c, 0x34, 0xf8, 0xbc, 0xb3
24172 ++};
24173 ++static const u8 enc_nonce090[] __initconst = {
24174 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24175 ++ 0x08, 0x09, 0x0a, 0x0b
24176 ++};
24177 ++static const u8 enc_key090[] __initconst = {
24178 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24179 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24180 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24181 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24182 ++};
24183 ++
24184 ++/* wycheproof - special case tag */
24185 ++static const u8 enc_input091[] __initconst = {
24186 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24187 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24188 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24189 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24190 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24191 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24192 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24193 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24194 ++};
24195 ++static const u8 enc_output091[] __initconst = {
24196 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24197 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24198 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24199 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24200 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24201 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24202 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24203 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24204 ++ 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
24205 ++ 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00
24206 ++};
24207 ++static const u8 enc_assoc091[] __initconst = {
24208 ++ 0x4f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24209 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24210 ++ 0x66, 0x23, 0xd9, 0x90, 0xb8, 0x98, 0xd8, 0x30,
24211 ++ 0xd2, 0x12, 0xaf, 0x23, 0x83, 0x33, 0x07, 0x01
24212 ++};
24213 ++static const u8 enc_nonce091[] __initconst = {
24214 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24215 ++ 0x08, 0x09, 0x0a, 0x0b
24216 ++};
24217 ++static const u8 enc_key091[] __initconst = {
24218 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24219 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24220 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24221 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24222 ++};
24223 ++
24224 ++/* wycheproof - special case tag */
24225 ++static const u8 enc_input092[] __initconst = {
24226 ++ 0x9a, 0x49, 0xc4, 0x0f, 0x8b, 0x48, 0xd7, 0xc6,
24227 ++ 0x6d, 0x1d, 0xb4, 0xe5, 0x3f, 0x20, 0xf2, 0xdd,
24228 ++ 0x4a, 0xaa, 0x24, 0x1d, 0xda, 0xb2, 0x6b, 0x5b,
24229 ++ 0xc0, 0xe2, 0x18, 0xb7, 0x2c, 0x33, 0x90, 0xf2,
24230 ++ 0xdf, 0x3e, 0xbd, 0x01, 0x76, 0x70, 0x44, 0x19,
24231 ++ 0x97, 0x2b, 0xcd, 0xbc, 0x6b, 0xbc, 0xb3, 0xe4,
24232 ++ 0xe7, 0x4a, 0x71, 0x52, 0x8e, 0xf5, 0x12, 0x63,
24233 ++ 0xce, 0x24, 0xe0, 0xd5, 0x75, 0xe0, 0xe4, 0x4d
24234 ++};
24235 ++static const u8 enc_output092[] __initconst = {
24236 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24237 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24238 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24239 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24240 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24241 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24242 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24243 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24244 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
24245 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
24246 ++};
24247 ++static const u8 enc_assoc092[] __initconst = {
24248 ++ 0x83, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24249 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24250 ++ 0x5f, 0x16, 0xd0, 0x9f, 0x17, 0x78, 0x72, 0x11,
24251 ++ 0xb7, 0xd4, 0x84, 0xe0, 0x24, 0xf8, 0x97, 0x01
24252 ++};
24253 ++static const u8 enc_nonce092[] __initconst = {
24254 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24255 ++ 0x08, 0x09, 0x0a, 0x0b
24256 ++};
24257 ++static const u8 enc_key092[] __initconst = {
24258 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24259 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24260 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24261 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24262 ++};
24263 ++
24264 ++/* wycheproof - edge case intermediate sums in poly1305 */
24265 ++static const u8 enc_input093[] __initconst = {
24266 ++ 0x00, 0x52, 0x35, 0xd2, 0xa9, 0x19, 0xf2, 0x8d,
24267 ++ 0x3d, 0xb7, 0x66, 0x4a, 0x34, 0xae, 0x6b, 0x44,
24268 ++ 0x4d, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24269 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24270 ++ 0x5b, 0x8b, 0x94, 0x50, 0x9e, 0x2b, 0x74, 0xa3,
24271 ++ 0x6d, 0x34, 0x6e, 0x33, 0xd5, 0x72, 0x65, 0x9b,
24272 ++ 0xa9, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24273 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24274 ++ 0x83, 0xdc, 0xe9, 0xf3, 0x07, 0x3e, 0xfa, 0xdb,
24275 ++ 0x7d, 0x23, 0xb8, 0x7a, 0xce, 0x35, 0x16, 0x8c
24276 ++};
24277 ++static const u8 enc_output093[] __initconst = {
24278 ++ 0x00, 0x39, 0xe2, 0xfd, 0x2f, 0xd3, 0x12, 0x14,
24279 ++ 0x9e, 0x98, 0x98, 0x80, 0x88, 0x48, 0x13, 0xe7,
24280 ++ 0xca, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24281 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24282 ++ 0x3b, 0x0e, 0x86, 0x9a, 0xaa, 0x8e, 0xa4, 0x96,
24283 ++ 0x32, 0xff, 0xff, 0x37, 0xb9, 0xe8, 0xce, 0x00,
24284 ++ 0xca, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24285 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24286 ++ 0x3b, 0x0e, 0x86, 0x9a, 0xaa, 0x8e, 0xa4, 0x96,
24287 ++ 0x32, 0xff, 0xff, 0x37, 0xb9, 0xe8, 0xce, 0x00,
24288 ++ 0xa5, 0x19, 0xac, 0x1a, 0x35, 0xb4, 0xa5, 0x77,
24289 ++ 0x87, 0x51, 0x0a, 0xf7, 0x8d, 0x8d, 0x20, 0x0a
24290 ++};
24291 ++static const u8 enc_assoc093[] __initconst = {
24292 ++ 0xff, 0xff, 0xff, 0xff
24293 ++};
24294 ++static const u8 enc_nonce093[] __initconst = {
24295 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24296 ++};
24297 ++static const u8 enc_key093[] __initconst = {
24298 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24299 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24300 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24301 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24302 ++};
24303 ++
24304 ++/* wycheproof - edge case intermediate sums in poly1305 */
24305 ++static const u8 enc_input094[] __initconst = {
24306 ++ 0xd3, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24307 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24308 ++ 0xe5, 0xda, 0x78, 0x76, 0x6f, 0xa1, 0x92, 0x90,
24309 ++ 0xc0, 0x31, 0xf7, 0x52, 0x08, 0x50, 0x67, 0x45,
24310 ++ 0xae, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24311 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24312 ++ 0x49, 0x6d, 0xde, 0xb0, 0x55, 0x09, 0xc6, 0xef,
24313 ++ 0xff, 0xab, 0x75, 0xeb, 0x2d, 0xf4, 0xab, 0x09,
24314 ++ 0x76, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24315 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24316 ++ 0x01, 0x49, 0xef, 0x50, 0x4b, 0x71, 0xb1, 0x20,
24317 ++ 0xca, 0x4f, 0xf3, 0x95, 0x19, 0xc2, 0xc2, 0x10
24318 ++};
24319 ++static const u8 enc_output094[] __initconst = {
24320 ++ 0xd3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24321 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24322 ++ 0x62, 0x18, 0xb2, 0x7f, 0x83, 0xb8, 0xb4, 0x66,
24323 ++ 0x02, 0xf6, 0xe1, 0xd8, 0x34, 0x20, 0x7b, 0x02,
24324 ++ 0xce, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24325 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24326 ++ 0x2a, 0x64, 0x16, 0xce, 0xdb, 0x1c, 0xdd, 0x29,
24327 ++ 0x6e, 0xf5, 0xd7, 0xd6, 0x92, 0xda, 0xff, 0x02,
24328 ++ 0xce, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24329 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24330 ++ 0x2a, 0x64, 0x16, 0xce, 0xdb, 0x1c, 0xdd, 0x29,
24331 ++ 0x6e, 0xf5, 0xd7, 0xd6, 0x92, 0xda, 0xff, 0x02,
24332 ++ 0x30, 0x2f, 0xe8, 0x2a, 0xb0, 0xa0, 0x9a, 0xf6,
24333 ++ 0x44, 0x00, 0xd0, 0x15, 0xae, 0x83, 0xd9, 0xcc
24334 ++};
24335 ++static const u8 enc_assoc094[] __initconst = {
24336 ++ 0xff, 0xff, 0xff, 0xff
24337 ++};
24338 ++static const u8 enc_nonce094[] __initconst = {
24339 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24340 ++};
24341 ++static const u8 enc_key094[] __initconst = {
24342 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24343 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24344 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24345 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24346 ++};
24347 ++
24348 ++/* wycheproof - edge case intermediate sums in poly1305 */
24349 ++static const u8 enc_input095[] __initconst = {
24350 ++ 0xe9, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24351 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24352 ++ 0x6d, 0xf1, 0x39, 0x4e, 0xdc, 0x53, 0x9b, 0x5b,
24353 ++ 0x3a, 0x09, 0x57, 0xbe, 0x0f, 0xb8, 0x59, 0x46,
24354 ++ 0x80, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24355 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24356 ++ 0xd1, 0x76, 0x9f, 0xe8, 0x06, 0xbb, 0xfe, 0xb6,
24357 ++ 0xf5, 0x90, 0x95, 0x0f, 0x2e, 0xac, 0x9e, 0x0a,
24358 ++ 0x58, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24359 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24360 ++ 0x99, 0x52, 0xae, 0x08, 0x18, 0xc3, 0x89, 0x79,
24361 ++ 0xc0, 0x74, 0x13, 0x71, 0x1a, 0x9a, 0xf7, 0x13
24362 ++};
24363 ++static const u8 enc_output095[] __initconst = {
24364 ++ 0xe9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24365 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24366 ++ 0xea, 0x33, 0xf3, 0x47, 0x30, 0x4a, 0xbd, 0xad,
24367 ++ 0xf8, 0xce, 0x41, 0x34, 0x33, 0xc8, 0x45, 0x01,
24368 ++ 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24369 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24370 ++ 0xb2, 0x7f, 0x57, 0x96, 0x88, 0xae, 0xe5, 0x70,
24371 ++ 0x64, 0xce, 0x37, 0x32, 0x91, 0x82, 0xca, 0x01,
24372 ++ 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24373 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24374 ++ 0xb2, 0x7f, 0x57, 0x96, 0x88, 0xae, 0xe5, 0x70,
24375 ++ 0x64, 0xce, 0x37, 0x32, 0x91, 0x82, 0xca, 0x01,
24376 ++ 0x98, 0xa7, 0xe8, 0x36, 0xe0, 0xee, 0x4d, 0x02,
24377 ++ 0x35, 0x00, 0xd0, 0x55, 0x7e, 0xc2, 0xcb, 0xe0
24378 ++};
24379 ++static const u8 enc_assoc095[] __initconst = {
24380 ++ 0xff, 0xff, 0xff, 0xff
24381 ++};
24382 ++static const u8 enc_nonce095[] __initconst = {
24383 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24384 ++};
24385 ++static const u8 enc_key095[] __initconst = {
24386 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24387 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24388 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24389 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24390 ++};
24391 ++
24392 ++/* wycheproof - edge case intermediate sums in poly1305 */
24393 ++static const u8 enc_input096[] __initconst = {
24394 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24395 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24396 ++ 0x64, 0xf9, 0x0f, 0x5b, 0x26, 0x92, 0xb8, 0x60,
24397 ++ 0xd4, 0x59, 0x6f, 0xf4, 0xb3, 0x40, 0x2c, 0x5c,
24398 ++ 0x00, 0xb9, 0xbb, 0x53, 0x70, 0x7a, 0xa6, 0x67,
24399 ++ 0xd3, 0x56, 0xfe, 0x50, 0xc7, 0x19, 0x96, 0x94,
24400 ++ 0x03, 0x35, 0x61, 0xe7, 0xca, 0xca, 0x6d, 0x94,
24401 ++ 0x1d, 0xc3, 0xcd, 0x69, 0x14, 0xad, 0x69, 0x04
24402 ++};
24403 ++static const u8 enc_output096[] __initconst = {
24404 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24405 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24406 ++ 0xe3, 0x3b, 0xc5, 0x52, 0xca, 0x8b, 0x9e, 0x96,
24407 ++ 0x16, 0x9e, 0x79, 0x7e, 0x8f, 0x30, 0x30, 0x1b,
24408 ++ 0x60, 0x3c, 0xa9, 0x99, 0x44, 0xdf, 0x76, 0x52,
24409 ++ 0x8c, 0x9d, 0x6f, 0x54, 0xab, 0x83, 0x3d, 0x0f,
24410 ++ 0x60, 0x3c, 0xa9, 0x99, 0x44, 0xdf, 0x76, 0x52,
24411 ++ 0x8c, 0x9d, 0x6f, 0x54, 0xab, 0x83, 0x3d, 0x0f,
24412 ++ 0x6a, 0xb8, 0xdc, 0xe2, 0xc5, 0x9d, 0xa4, 0x73,
24413 ++ 0x71, 0x30, 0xb0, 0x25, 0x2f, 0x68, 0xa8, 0xd8
24414 ++};
24415 ++static const u8 enc_assoc096[] __initconst = {
24416 ++ 0xff, 0xff, 0xff, 0xff
24417 ++};
24418 ++static const u8 enc_nonce096[] __initconst = {
24419 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24420 ++};
24421 ++static const u8 enc_key096[] __initconst = {
24422 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24423 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24424 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24425 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24426 ++};
24427 ++
24428 ++/* wycheproof - edge case intermediate sums in poly1305 */
24429 ++static const u8 enc_input097[] __initconst = {
24430 ++ 0x68, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24431 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24432 ++ 0xb0, 0x8f, 0x25, 0x67, 0x5b, 0x9b, 0xcb, 0xf6,
24433 ++ 0xe3, 0x84, 0x07, 0xde, 0x2e, 0xc7, 0x5a, 0x47,
24434 ++ 0x9f, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24435 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24436 ++ 0x2d, 0x2a, 0xf7, 0xcd, 0x6b, 0x08, 0x05, 0x01,
24437 ++ 0xd3, 0x1b, 0xa5, 0x4f, 0xb2, 0xeb, 0x75, 0x96,
24438 ++ 0x47, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24439 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24440 ++ 0x65, 0x0e, 0xc6, 0x2d, 0x75, 0x70, 0x72, 0xce,
24441 ++ 0xe6, 0xff, 0x23, 0x31, 0x86, 0xdd, 0x1c, 0x8f
24442 ++};
24443 ++static const u8 enc_output097[] __initconst = {
24444 ++ 0x68, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24445 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24446 ++ 0x37, 0x4d, 0xef, 0x6e, 0xb7, 0x82, 0xed, 0x00,
24447 ++ 0x21, 0x43, 0x11, 0x54, 0x12, 0xb7, 0x46, 0x00,
24448 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24449 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24450 ++ 0x4e, 0x23, 0x3f, 0xb3, 0xe5, 0x1d, 0x1e, 0xc7,
24451 ++ 0x42, 0x45, 0x07, 0x72, 0x0d, 0xc5, 0x21, 0x9d,
24452 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24453 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24454 ++ 0x4e, 0x23, 0x3f, 0xb3, 0xe5, 0x1d, 0x1e, 0xc7,
24455 ++ 0x42, 0x45, 0x07, 0x72, 0x0d, 0xc5, 0x21, 0x9d,
24456 ++ 0x04, 0x4d, 0xea, 0x60, 0x88, 0x80, 0x41, 0x2b,
24457 ++ 0xfd, 0xff, 0xcf, 0x35, 0x57, 0x9e, 0x9b, 0x26
24458 ++};
24459 ++static const u8 enc_assoc097[] __initconst = {
24460 ++ 0xff, 0xff, 0xff, 0xff
24461 ++};
24462 ++static const u8 enc_nonce097[] __initconst = {
24463 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24464 ++};
24465 ++static const u8 enc_key097[] __initconst = {
24466 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24467 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24468 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24469 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24470 ++};
24471 ++
24472 ++/* wycheproof - edge case intermediate sums in poly1305 */
24473 ++static const u8 enc_input098[] __initconst = {
24474 ++ 0x6d, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24475 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24476 ++ 0xa1, 0x61, 0xb5, 0xab, 0x04, 0x09, 0x00, 0x62,
24477 ++ 0x9e, 0xfe, 0xff, 0x78, 0xd7, 0xd8, 0x6b, 0x45,
24478 ++ 0x9f, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24479 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24480 ++ 0xc6, 0xf8, 0x07, 0x8c, 0xc8, 0xef, 0x12, 0xa0,
24481 ++ 0xff, 0x65, 0x7d, 0x6d, 0x08, 0xdb, 0x10, 0xb8,
24482 ++ 0x47, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24483 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24484 ++ 0x8e, 0xdc, 0x36, 0x6c, 0xd6, 0x97, 0x65, 0x6f,
24485 ++ 0xca, 0x81, 0xfb, 0x13, 0x3c, 0xed, 0x79, 0xa1
24486 ++};
24487 ++static const u8 enc_output098[] __initconst = {
24488 ++ 0x6d, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24489 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24490 ++ 0x26, 0xa3, 0x7f, 0xa2, 0xe8, 0x10, 0x26, 0x94,
24491 ++ 0x5c, 0x39, 0xe9, 0xf2, 0xeb, 0xa8, 0x77, 0x02,
24492 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24493 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24494 ++ 0xa5, 0xf1, 0xcf, 0xf2, 0x46, 0xfa, 0x09, 0x66,
24495 ++ 0x6e, 0x3b, 0xdf, 0x50, 0xb7, 0xf5, 0x44, 0xb3,
24496 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24497 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24498 ++ 0xa5, 0xf1, 0xcf, 0xf2, 0x46, 0xfa, 0x09, 0x66,
24499 ++ 0x6e, 0x3b, 0xdf, 0x50, 0xb7, 0xf5, 0x44, 0xb3,
24500 ++ 0x1e, 0x6b, 0xea, 0x63, 0x14, 0x54, 0x2e, 0x2e,
24501 ++ 0xf9, 0xff, 0xcf, 0x45, 0x0b, 0x2e, 0x98, 0x2b
24502 ++};
24503 ++static const u8 enc_assoc098[] __initconst = {
24504 ++ 0xff, 0xff, 0xff, 0xff
24505 ++};
24506 ++static const u8 enc_nonce098[] __initconst = {
24507 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24508 ++};
24509 ++static const u8 enc_key098[] __initconst = {
24510 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24511 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24512 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24513 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24514 ++};
24515 ++
24516 ++/* wycheproof - edge case intermediate sums in poly1305 */
24517 ++static const u8 enc_input099[] __initconst = {
24518 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24519 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24520 ++ 0xfc, 0x01, 0xb8, 0x91, 0xe5, 0xf0, 0xf9, 0x12,
24521 ++ 0x8d, 0x7d, 0x1c, 0x57, 0x91, 0x92, 0xb6, 0x98,
24522 ++ 0x63, 0x41, 0x44, 0x15, 0xb6, 0x99, 0x68, 0x95,
24523 ++ 0x9a, 0x72, 0x91, 0xb7, 0xa5, 0xaf, 0x13, 0x48,
24524 ++ 0x60, 0xcd, 0x9e, 0xa1, 0x0c, 0x29, 0xa3, 0x66,
24525 ++ 0x54, 0xe7, 0xa2, 0x8e, 0x76, 0x1b, 0xec, 0xd8
24526 ++};
24527 ++static const u8 enc_output099[] __initconst = {
24528 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24529 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24530 ++ 0x7b, 0xc3, 0x72, 0x98, 0x09, 0xe9, 0xdf, 0xe4,
24531 ++ 0x4f, 0xba, 0x0a, 0xdd, 0xad, 0xe2, 0xaa, 0xdf,
24532 ++ 0x03, 0xc4, 0x56, 0xdf, 0x82, 0x3c, 0xb8, 0xa0,
24533 ++ 0xc5, 0xb9, 0x00, 0xb3, 0xc9, 0x35, 0xb8, 0xd3,
24534 ++ 0x03, 0xc4, 0x56, 0xdf, 0x82, 0x3c, 0xb8, 0xa0,
24535 ++ 0xc5, 0xb9, 0x00, 0xb3, 0xc9, 0x35, 0xb8, 0xd3,
24536 ++ 0xed, 0x20, 0x17, 0xc8, 0xdb, 0xa4, 0x77, 0x56,
24537 ++ 0x29, 0x04, 0x9d, 0x78, 0x6e, 0x3b, 0xce, 0xb1
24538 ++};
24539 ++static const u8 enc_assoc099[] __initconst = {
24540 ++ 0xff, 0xff, 0xff, 0xff
24541 ++};
24542 ++static const u8 enc_nonce099[] __initconst = {
24543 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24544 ++};
24545 ++static const u8 enc_key099[] __initconst = {
24546 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24547 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24548 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24549 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24550 ++};
24551 ++
24552 ++/* wycheproof - edge case intermediate sums in poly1305 */
24553 ++static const u8 enc_input100[] __initconst = {
24554 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24555 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24556 ++ 0x6b, 0x6d, 0xc9, 0xd2, 0x1a, 0x81, 0x9e, 0x70,
24557 ++ 0xb5, 0x77, 0xf4, 0x41, 0x37, 0xd3, 0xd6, 0xbd,
24558 ++ 0x13, 0x35, 0xf5, 0xeb, 0x44, 0x49, 0x40, 0x77,
24559 ++ 0xb2, 0x64, 0x49, 0xa5, 0x4b, 0x6c, 0x7c, 0x75,
24560 ++ 0x10, 0xb9, 0x2f, 0x5f, 0xfe, 0xf9, 0x8b, 0x84,
24561 ++ 0x7c, 0xf1, 0x7a, 0x9c, 0x98, 0xd8, 0x83, 0xe5
24562 ++};
24563 ++static const u8 enc_output100[] __initconst = {
24564 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24565 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24566 ++ 0xec, 0xaf, 0x03, 0xdb, 0xf6, 0x98, 0xb8, 0x86,
24567 ++ 0x77, 0xb0, 0xe2, 0xcb, 0x0b, 0xa3, 0xca, 0xfa,
24568 ++ 0x73, 0xb0, 0xe7, 0x21, 0x70, 0xec, 0x90, 0x42,
24569 ++ 0xed, 0xaf, 0xd8, 0xa1, 0x27, 0xf6, 0xd7, 0xee,
24570 ++ 0x73, 0xb0, 0xe7, 0x21, 0x70, 0xec, 0x90, 0x42,
24571 ++ 0xed, 0xaf, 0xd8, 0xa1, 0x27, 0xf6, 0xd7, 0xee,
24572 ++ 0x07, 0x3f, 0x17, 0xcb, 0x67, 0x78, 0x64, 0x59,
24573 ++ 0x25, 0x04, 0x9d, 0x88, 0x22, 0xcb, 0xca, 0xb6
24574 ++};
24575 ++static const u8 enc_assoc100[] __initconst = {
24576 ++ 0xff, 0xff, 0xff, 0xff
24577 ++};
24578 ++static const u8 enc_nonce100[] __initconst = {
24579 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24580 ++};
24581 ++static const u8 enc_key100[] __initconst = {
24582 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24583 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24584 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24585 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24586 ++};
24587 ++
24588 ++/* wycheproof - edge case intermediate sums in poly1305 */
24589 ++static const u8 enc_input101[] __initconst = {
24590 ++ 0xff, 0xcb, 0x2b, 0x11, 0x06, 0xf8, 0x23, 0x4c,
24591 ++ 0x5e, 0x99, 0xd4, 0xdb, 0x4c, 0x70, 0x48, 0xde,
24592 ++ 0x32, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24593 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24594 ++ 0x16, 0xe9, 0x88, 0x4a, 0x11, 0x4f, 0x0e, 0x92,
24595 ++ 0x66, 0xce, 0xa3, 0x88, 0x5f, 0xe3, 0x6b, 0x9f,
24596 ++ 0xd6, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24597 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24598 ++ 0xce, 0xbe, 0xf5, 0xe9, 0x88, 0x5a, 0x80, 0xea,
24599 ++ 0x76, 0xd9, 0x75, 0xc1, 0x44, 0xa4, 0x18, 0x88
24600 ++};
24601 ++static const u8 enc_output101[] __initconst = {
24602 ++ 0xff, 0xa0, 0xfc, 0x3e, 0x80, 0x32, 0xc3, 0xd5,
24603 ++ 0xfd, 0xb6, 0x2a, 0x11, 0xf0, 0x96, 0x30, 0x7d,
24604 ++ 0xb5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24605 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24606 ++ 0x76, 0x6c, 0x9a, 0x80, 0x25, 0xea, 0xde, 0xa7,
24607 ++ 0x39, 0x05, 0x32, 0x8c, 0x33, 0x79, 0xc0, 0x04,
24608 ++ 0xb5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24609 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24610 ++ 0x76, 0x6c, 0x9a, 0x80, 0x25, 0xea, 0xde, 0xa7,
24611 ++ 0x39, 0x05, 0x32, 0x8c, 0x33, 0x79, 0xc0, 0x04,
24612 ++ 0x8b, 0x9b, 0xb4, 0xb4, 0x86, 0x12, 0x89, 0x65,
24613 ++ 0x8c, 0x69, 0x6a, 0x83, 0x40, 0x15, 0x04, 0x05
24614 ++};
24615 ++static const u8 enc_assoc101[] __initconst = {
24616 ++ 0xff, 0xff, 0xff, 0xff
24617 ++};
24618 ++static const u8 enc_nonce101[] __initconst = {
24619 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24620 ++};
24621 ++static const u8 enc_key101[] __initconst = {
24622 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24623 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24624 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24625 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24626 ++};
24627 ++
24628 ++/* wycheproof - edge case intermediate sums in poly1305 */
24629 ++static const u8 enc_input102[] __initconst = {
24630 ++ 0x6f, 0x9e, 0x70, 0xed, 0x3b, 0x8b, 0xac, 0xa0,
24631 ++ 0x26, 0xe4, 0x6a, 0x5a, 0x09, 0x43, 0x15, 0x8d,
24632 ++ 0x21, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24633 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24634 ++ 0x0c, 0x61, 0x2c, 0x5e, 0x8d, 0x89, 0xa8, 0x73,
24635 ++ 0xdb, 0xca, 0xad, 0x5b, 0x73, 0x46, 0x42, 0x9b,
24636 ++ 0xc5, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24637 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24638 ++ 0xd4, 0x36, 0x51, 0xfd, 0x14, 0x9c, 0x26, 0x0b,
24639 ++ 0xcb, 0xdd, 0x7b, 0x12, 0x68, 0x01, 0x31, 0x8c
24640 ++};
24641 ++static const u8 enc_output102[] __initconst = {
24642 ++ 0x6f, 0xf5, 0xa7, 0xc2, 0xbd, 0x41, 0x4c, 0x39,
24643 ++ 0x85, 0xcb, 0x94, 0x90, 0xb5, 0xa5, 0x6d, 0x2e,
24644 ++ 0xa6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24645 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24646 ++ 0x6c, 0xe4, 0x3e, 0x94, 0xb9, 0x2c, 0x78, 0x46,
24647 ++ 0x84, 0x01, 0x3c, 0x5f, 0x1f, 0xdc, 0xe9, 0x00,
24648 ++ 0xa6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24649 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24650 ++ 0x6c, 0xe4, 0x3e, 0x94, 0xb9, 0x2c, 0x78, 0x46,
24651 ++ 0x84, 0x01, 0x3c, 0x5f, 0x1f, 0xdc, 0xe9, 0x00,
24652 ++ 0x8b, 0x3b, 0xbd, 0x51, 0x64, 0x44, 0x59, 0x56,
24653 ++ 0x8d, 0x81, 0xca, 0x1f, 0xa7, 0x2c, 0xe4, 0x04
24654 ++};
24655 ++static const u8 enc_assoc102[] __initconst = {
24656 ++ 0xff, 0xff, 0xff, 0xff
24657 ++};
24658 ++static const u8 enc_nonce102[] __initconst = {
24659 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24660 ++};
24661 ++static const u8 enc_key102[] __initconst = {
24662 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24663 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24664 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24665 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24666 ++};
24667 ++
24668 ++/* wycheproof - edge case intermediate sums in poly1305 */
24669 ++static const u8 enc_input103[] __initconst = {
24670 ++ 0x41, 0x2b, 0x08, 0x0a, 0x3e, 0x19, 0xc1, 0x0d,
24671 ++ 0x44, 0xa1, 0xaf, 0x1e, 0xab, 0xde, 0xb4, 0xce,
24672 ++ 0x35, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24673 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24674 ++ 0x6b, 0x83, 0x94, 0x33, 0x09, 0x21, 0x48, 0x6c,
24675 ++ 0xa1, 0x1d, 0x29, 0x1c, 0x3e, 0x97, 0xee, 0x9a,
24676 ++ 0xd1, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24677 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24678 ++ 0xb3, 0xd4, 0xe9, 0x90, 0x90, 0x34, 0xc6, 0x14,
24679 ++ 0xb1, 0x0a, 0xff, 0x55, 0x25, 0xd0, 0x9d, 0x8d
24680 ++};
24681 ++static const u8 enc_output103[] __initconst = {
24682 ++ 0x41, 0x40, 0xdf, 0x25, 0xb8, 0xd3, 0x21, 0x94,
24683 ++ 0xe7, 0x8e, 0x51, 0xd4, 0x17, 0x38, 0xcc, 0x6d,
24684 ++ 0xb2, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24685 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24686 ++ 0x0b, 0x06, 0x86, 0xf9, 0x3d, 0x84, 0x98, 0x59,
24687 ++ 0xfe, 0xd6, 0xb8, 0x18, 0x52, 0x0d, 0x45, 0x01,
24688 ++ 0xb2, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24689 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24690 ++ 0x0b, 0x06, 0x86, 0xf9, 0x3d, 0x84, 0x98, 0x59,
24691 ++ 0xfe, 0xd6, 0xb8, 0x18, 0x52, 0x0d, 0x45, 0x01,
24692 ++ 0x86, 0xfb, 0xab, 0x2b, 0x4a, 0x94, 0xf4, 0x7a,
24693 ++ 0xa5, 0x6f, 0x0a, 0xea, 0x65, 0xd1, 0x10, 0x08
24694 ++};
24695 ++static const u8 enc_assoc103[] __initconst = {
24696 ++ 0xff, 0xff, 0xff, 0xff
24697 ++};
24698 ++static const u8 enc_nonce103[] __initconst = {
24699 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24700 ++};
24701 ++static const u8 enc_key103[] __initconst = {
24702 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24703 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24704 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24705 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24706 ++};
24707 ++
24708 ++/* wycheproof - edge case intermediate sums in poly1305 */
24709 ++static const u8 enc_input104[] __initconst = {
24710 ++ 0xb2, 0x47, 0xa7, 0x47, 0x23, 0x49, 0x1a, 0xac,
24711 ++ 0xac, 0xaa, 0xd7, 0x09, 0xc9, 0x1e, 0x93, 0x2b,
24712 ++ 0x31, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24713 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24714 ++ 0x9a, 0xde, 0x04, 0xe7, 0x5b, 0xb7, 0x01, 0xd9,
24715 ++ 0x66, 0x06, 0x01, 0xb3, 0x47, 0x65, 0xde, 0x98,
24716 ++ 0xd5, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24717 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24718 ++ 0x42, 0x89, 0x79, 0x44, 0xc2, 0xa2, 0x8f, 0xa1,
24719 ++ 0x76, 0x11, 0xd7, 0xfa, 0x5c, 0x22, 0xad, 0x8f
24720 ++};
24721 ++static const u8 enc_output104[] __initconst = {
24722 ++ 0xb2, 0x2c, 0x70, 0x68, 0xa5, 0x83, 0xfa, 0x35,
24723 ++ 0x0f, 0x85, 0x29, 0xc3, 0x75, 0xf8, 0xeb, 0x88,
24724 ++ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24725 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24726 ++ 0xfa, 0x5b, 0x16, 0x2d, 0x6f, 0x12, 0xd1, 0xec,
24727 ++ 0x39, 0xcd, 0x90, 0xb7, 0x2b, 0xff, 0x75, 0x03,
24728 ++ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24729 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24730 ++ 0xfa, 0x5b, 0x16, 0x2d, 0x6f, 0x12, 0xd1, 0xec,
24731 ++ 0x39, 0xcd, 0x90, 0xb7, 0x2b, 0xff, 0x75, 0x03,
24732 ++ 0xa0, 0x19, 0xac, 0x2e, 0xd6, 0x67, 0xe1, 0x7d,
24733 ++ 0xa1, 0x6f, 0x0a, 0xfa, 0x19, 0x61, 0x0d, 0x0d
24734 ++};
24735 ++static const u8 enc_assoc104[] __initconst = {
24736 ++ 0xff, 0xff, 0xff, 0xff
24737 ++};
24738 ++static const u8 enc_nonce104[] __initconst = {
24739 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24740 ++};
24741 ++static const u8 enc_key104[] __initconst = {
24742 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24743 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24744 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24745 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24746 ++};
24747 ++
24748 ++/* wycheproof - edge case intermediate sums in poly1305 */
24749 ++static const u8 enc_input105[] __initconst = {
24750 ++ 0x74, 0x0f, 0x9e, 0x49, 0xf6, 0x10, 0xef, 0xa5,
24751 ++ 0x85, 0xb6, 0x59, 0xca, 0x6e, 0xd8, 0xb4, 0x99,
24752 ++ 0x2d, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24753 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24754 ++ 0x41, 0x2d, 0x96, 0xaf, 0xbe, 0x80, 0xec, 0x3e,
24755 ++ 0x79, 0xd4, 0x51, 0xb0, 0x0a, 0x2d, 0xb2, 0x9a,
24756 ++ 0xc9, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24757 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24758 ++ 0x99, 0x7a, 0xeb, 0x0c, 0x27, 0x95, 0x62, 0x46,
24759 ++ 0x69, 0xc3, 0x87, 0xf9, 0x11, 0x6a, 0xc1, 0x8d
24760 ++};
24761 ++static const u8 enc_output105[] __initconst = {
24762 ++ 0x74, 0x64, 0x49, 0x66, 0x70, 0xda, 0x0f, 0x3c,
24763 ++ 0x26, 0x99, 0xa7, 0x00, 0xd2, 0x3e, 0xcc, 0x3a,
24764 ++ 0xaa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24765 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24766 ++ 0x21, 0xa8, 0x84, 0x65, 0x8a, 0x25, 0x3c, 0x0b,
24767 ++ 0x26, 0x1f, 0xc0, 0xb4, 0x66, 0xb7, 0x19, 0x01,
24768 ++ 0xaa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24769 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24770 ++ 0x21, 0xa8, 0x84, 0x65, 0x8a, 0x25, 0x3c, 0x0b,
24771 ++ 0x26, 0x1f, 0xc0, 0xb4, 0x66, 0xb7, 0x19, 0x01,
24772 ++ 0x73, 0x6e, 0x18, 0x18, 0x16, 0x96, 0xa5, 0x88,
24773 ++ 0x9c, 0x31, 0x59, 0xfa, 0xab, 0xab, 0x20, 0xfd
24774 ++};
24775 ++static const u8 enc_assoc105[] __initconst = {
24776 ++ 0xff, 0xff, 0xff, 0xff
24777 ++};
24778 ++static const u8 enc_nonce105[] __initconst = {
24779 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24780 ++};
24781 ++static const u8 enc_key105[] __initconst = {
24782 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24783 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24784 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24785 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24786 ++};
24787 ++
24788 ++/* wycheproof - edge case intermediate sums in poly1305 */
24789 ++static const u8 enc_input106[] __initconst = {
24790 ++ 0xad, 0xba, 0x5d, 0x10, 0x5b, 0xc8, 0xaa, 0x06,
24791 ++ 0x2c, 0x23, 0x36, 0xcb, 0x88, 0x9d, 0xdb, 0xd5,
24792 ++ 0x37, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24793 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24794 ++ 0x17, 0x7c, 0x5f, 0xfe, 0x28, 0x75, 0xf4, 0x68,
24795 ++ 0xf6, 0xc2, 0x96, 0x57, 0x48, 0xf3, 0x59, 0x9a,
24796 ++ 0xd3, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24797 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24798 ++ 0xcf, 0x2b, 0x22, 0x5d, 0xb1, 0x60, 0x7a, 0x10,
24799 ++ 0xe6, 0xd5, 0x40, 0x1e, 0x53, 0xb4, 0x2a, 0x8d
24800 ++};
24801 ++static const u8 enc_output106[] __initconst = {
24802 ++ 0xad, 0xd1, 0x8a, 0x3f, 0xdd, 0x02, 0x4a, 0x9f,
24803 ++ 0x8f, 0x0c, 0xc8, 0x01, 0x34, 0x7b, 0xa3, 0x76,
24804 ++ 0xb0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24805 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24806 ++ 0x77, 0xf9, 0x4d, 0x34, 0x1c, 0xd0, 0x24, 0x5d,
24807 ++ 0xa9, 0x09, 0x07, 0x53, 0x24, 0x69, 0xf2, 0x01,
24808 ++ 0xb0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24809 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24810 ++ 0x77, 0xf9, 0x4d, 0x34, 0x1c, 0xd0, 0x24, 0x5d,
24811 ++ 0xa9, 0x09, 0x07, 0x53, 0x24, 0x69, 0xf2, 0x01,
24812 ++ 0xba, 0xd5, 0x8f, 0x10, 0xa9, 0x1e, 0x6a, 0x88,
24813 ++ 0x9a, 0xba, 0x32, 0xfd, 0x17, 0xd8, 0x33, 0x1a
24814 ++};
24815 ++static const u8 enc_assoc106[] __initconst = {
24816 ++ 0xff, 0xff, 0xff, 0xff
24817 ++};
24818 ++static const u8 enc_nonce106[] __initconst = {
24819 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24820 ++};
24821 ++static const u8 enc_key106[] __initconst = {
24822 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24823 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24824 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24825 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24826 ++};
24827 ++
24828 ++/* wycheproof - edge case intermediate sums in poly1305 */
24829 ++static const u8 enc_input107[] __initconst = {
24830 ++ 0xfe, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24831 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24832 ++ 0xc0, 0x01, 0xed, 0xc5, 0xda, 0x44, 0x2e, 0x71,
24833 ++ 0x9b, 0xce, 0x9a, 0xbe, 0x27, 0x3a, 0xf1, 0x44,
24834 ++ 0xb4, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24835 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24836 ++ 0x48, 0x02, 0x5f, 0x41, 0xfa, 0x4e, 0x33, 0x6c,
24837 ++ 0x78, 0x69, 0x57, 0xa2, 0xa7, 0xc4, 0x93, 0x0a,
24838 ++ 0x6c, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24839 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24840 ++ 0x00, 0x26, 0x6e, 0xa1, 0xe4, 0x36, 0x44, 0xa3,
24841 ++ 0x4d, 0x8d, 0xd1, 0xdc, 0x93, 0xf2, 0xfa, 0x13
24842 ++};
24843 ++static const u8 enc_output107[] __initconst = {
24844 ++ 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24845 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24846 ++ 0x47, 0xc3, 0x27, 0xcc, 0x36, 0x5d, 0x08, 0x87,
24847 ++ 0x59, 0x09, 0x8c, 0x34, 0x1b, 0x4a, 0xed, 0x03,
24848 ++ 0xd4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24849 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24850 ++ 0x2b, 0x0b, 0x97, 0x3f, 0x74, 0x5b, 0x28, 0xaa,
24851 ++ 0xe9, 0x37, 0xf5, 0x9f, 0x18, 0xea, 0xc7, 0x01,
24852 ++ 0xd4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24853 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24854 ++ 0x2b, 0x0b, 0x97, 0x3f, 0x74, 0x5b, 0x28, 0xaa,
24855 ++ 0xe9, 0x37, 0xf5, 0x9f, 0x18, 0xea, 0xc7, 0x01,
24856 ++ 0xd6, 0x8c, 0xe1, 0x74, 0x07, 0x9a, 0xdd, 0x02,
24857 ++ 0x8d, 0xd0, 0x5c, 0xf8, 0x14, 0x63, 0x04, 0x88
24858 ++};
24859 ++static const u8 enc_assoc107[] __initconst = {
24860 ++ 0xff, 0xff, 0xff, 0xff
24861 ++};
24862 ++static const u8 enc_nonce107[] __initconst = {
24863 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24864 ++};
24865 ++static const u8 enc_key107[] __initconst = {
24866 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24867 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24868 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24869 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24870 ++};
24871 ++
24872 ++/* wycheproof - edge case intermediate sums in poly1305 */
24873 ++static const u8 enc_input108[] __initconst = {
24874 ++ 0xb5, 0x13, 0xb0, 0x6a, 0xb9, 0xac, 0x14, 0x43,
24875 ++ 0x5a, 0xcb, 0x8a, 0xa3, 0xa3, 0x7a, 0xfd, 0xb6,
24876 ++ 0x54, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
24877 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
24878 ++ 0x61, 0x95, 0x01, 0x93, 0xb1, 0xbf, 0x03, 0x11,
24879 ++ 0xff, 0x11, 0x79, 0x89, 0xae, 0xd9, 0xa9, 0x99,
24880 ++ 0xb0, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
24881 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
24882 ++ 0xb9, 0xc2, 0x7c, 0x30, 0x28, 0xaa, 0x8d, 0x69,
24883 ++ 0xef, 0x06, 0xaf, 0xc0, 0xb5, 0x9e, 0xda, 0x8e
24884 ++};
24885 ++static const u8 enc_output108[] __initconst = {
24886 ++ 0xb5, 0x78, 0x67, 0x45, 0x3f, 0x66, 0xf4, 0xda,
24887 ++ 0xf9, 0xe4, 0x74, 0x69, 0x1f, 0x9c, 0x85, 0x15,
24888 ++ 0xd3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24889 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24890 ++ 0x01, 0x10, 0x13, 0x59, 0x85, 0x1a, 0xd3, 0x24,
24891 ++ 0xa0, 0xda, 0xe8, 0x8d, 0xc2, 0x43, 0x02, 0x02,
24892 ++ 0xd3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24893 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24894 ++ 0x01, 0x10, 0x13, 0x59, 0x85, 0x1a, 0xd3, 0x24,
24895 ++ 0xa0, 0xda, 0xe8, 0x8d, 0xc2, 0x43, 0x02, 0x02,
24896 ++ 0xaa, 0x48, 0xa3, 0x88, 0x7d, 0x4b, 0x05, 0x96,
24897 ++ 0x99, 0xc2, 0xfd, 0xf9, 0xc6, 0x78, 0x7e, 0x0a
24898 ++};
24899 ++static const u8 enc_assoc108[] __initconst = {
24900 ++ 0xff, 0xff, 0xff, 0xff
24901 ++};
24902 ++static const u8 enc_nonce108[] __initconst = {
24903 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24904 ++};
24905 ++static const u8 enc_key108[] __initconst = {
24906 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24907 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24908 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24909 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24910 ++};
24911 ++
24912 ++/* wycheproof - edge case intermediate sums in poly1305 */
24913 ++static const u8 enc_input109[] __initconst = {
24914 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24915 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24916 ++ 0xd4, 0xf1, 0x09, 0xe8, 0x14, 0xce, 0xa8, 0x5a,
24917 ++ 0x08, 0xc0, 0x11, 0xd8, 0x50, 0xdd, 0x1d, 0xcb,
24918 ++ 0xcf, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24919 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24920 ++ 0x53, 0x40, 0xb8, 0x5a, 0x9a, 0xa0, 0x82, 0x96,
24921 ++ 0xb7, 0x7a, 0x5f, 0xc3, 0x96, 0x1f, 0x66, 0x0f,
24922 ++ 0x17, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24923 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24924 ++ 0x1b, 0x64, 0x89, 0xba, 0x84, 0xd8, 0xf5, 0x59,
24925 ++ 0x82, 0x9e, 0xd9, 0xbd, 0xa2, 0x29, 0x0f, 0x16
24926 ++};
24927 ++static const u8 enc_output109[] __initconst = {
24928 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24929 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24930 ++ 0x53, 0x33, 0xc3, 0xe1, 0xf8, 0xd7, 0x8e, 0xac,
24931 ++ 0xca, 0x07, 0x07, 0x52, 0x6c, 0xad, 0x01, 0x8c,
24932 ++ 0xaf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24933 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24934 ++ 0x30, 0x49, 0x70, 0x24, 0x14, 0xb5, 0x99, 0x50,
24935 ++ 0x26, 0x24, 0xfd, 0xfe, 0x29, 0x31, 0x32, 0x04,
24936 ++ 0xaf, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24937 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24938 ++ 0x30, 0x49, 0x70, 0x24, 0x14, 0xb5, 0x99, 0x50,
24939 ++ 0x26, 0x24, 0xfd, 0xfe, 0x29, 0x31, 0x32, 0x04,
24940 ++ 0xb9, 0x36, 0xa8, 0x17, 0xf2, 0x21, 0x1a, 0xf1,
24941 ++ 0x29, 0xe2, 0xcf, 0x16, 0x0f, 0xd4, 0x2b, 0xcb
24942 ++};
24943 ++static const u8 enc_assoc109[] __initconst = {
24944 ++ 0xff, 0xff, 0xff, 0xff
24945 ++};
24946 ++static const u8 enc_nonce109[] __initconst = {
24947 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24948 ++};
24949 ++static const u8 enc_key109[] __initconst = {
24950 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24951 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24952 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24953 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24954 ++};
24955 ++
24956 ++/* wycheproof - edge case intermediate sums in poly1305 */
24957 ++static const u8 enc_input110[] __initconst = {
24958 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
24959 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
24960 ++ 0xdf, 0x4c, 0x62, 0x03, 0x2d, 0x41, 0x19, 0xb5,
24961 ++ 0x88, 0x47, 0x7e, 0x99, 0x92, 0x5a, 0x56, 0xd9,
24962 ++ 0xd6, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
24963 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
24964 ++ 0xfa, 0x84, 0xf0, 0x64, 0x55, 0x36, 0x42, 0x1b,
24965 ++ 0x2b, 0xb9, 0x24, 0x6e, 0xc2, 0x19, 0xed, 0x0b,
24966 ++ 0x0e, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
24967 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
24968 ++ 0xb2, 0xa0, 0xc1, 0x84, 0x4b, 0x4e, 0x35, 0xd4,
24969 ++ 0x1e, 0x5d, 0xa2, 0x10, 0xf6, 0x2f, 0x84, 0x12
24970 ++};
24971 ++static const u8 enc_output110[] __initconst = {
24972 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24973 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24974 ++ 0x58, 0x8e, 0xa8, 0x0a, 0xc1, 0x58, 0x3f, 0x43,
24975 ++ 0x4a, 0x80, 0x68, 0x13, 0xae, 0x2a, 0x4a, 0x9e,
24976 ++ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24977 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24978 ++ 0x99, 0x8d, 0x38, 0x1a, 0xdb, 0x23, 0x59, 0xdd,
24979 ++ 0xba, 0xe7, 0x86, 0x53, 0x7d, 0x37, 0xb9, 0x00,
24980 ++ 0xb6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24981 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
24982 ++ 0x99, 0x8d, 0x38, 0x1a, 0xdb, 0x23, 0x59, 0xdd,
24983 ++ 0xba, 0xe7, 0x86, 0x53, 0x7d, 0x37, 0xb9, 0x00,
24984 ++ 0x9f, 0x7a, 0xc4, 0x35, 0x1f, 0x6b, 0x91, 0xe6,
24985 ++ 0x30, 0x97, 0xa7, 0x13, 0x11, 0x5d, 0x05, 0xbe
24986 ++};
24987 ++static const u8 enc_assoc110[] __initconst = {
24988 ++ 0xff, 0xff, 0xff, 0xff
24989 ++};
24990 ++static const u8 enc_nonce110[] __initconst = {
24991 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
24992 ++};
24993 ++static const u8 enc_key110[] __initconst = {
24994 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
24995 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
24996 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
24997 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
24998 ++};
24999 ++
25000 ++/* wycheproof - edge case intermediate sums in poly1305 */
25001 ++static const u8 enc_input111[] __initconst = {
25002 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25003 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25004 ++ 0x13, 0xf8, 0x0a, 0x00, 0x6d, 0xc1, 0xbb, 0xda,
25005 ++ 0xd6, 0x39, 0xa9, 0x2f, 0xc7, 0xec, 0xa6, 0x55,
25006 ++ 0xf7, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25007 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25008 ++ 0x63, 0x48, 0xb8, 0xfd, 0x29, 0xbf, 0x96, 0xd5,
25009 ++ 0x63, 0xa5, 0x17, 0xe2, 0x7d, 0x7b, 0xfc, 0x0f,
25010 ++ 0x2f, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25011 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25012 ++ 0x2b, 0x6c, 0x89, 0x1d, 0x37, 0xc7, 0xe1, 0x1a,
25013 ++ 0x56, 0x41, 0x91, 0x9c, 0x49, 0x4d, 0x95, 0x16
25014 ++};
25015 ++static const u8 enc_output111[] __initconst = {
25016 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25017 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25018 ++ 0x94, 0x3a, 0xc0, 0x09, 0x81, 0xd8, 0x9d, 0x2c,
25019 ++ 0x14, 0xfe, 0xbf, 0xa5, 0xfb, 0x9c, 0xba, 0x12,
25020 ++ 0x97, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25021 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25022 ++ 0x00, 0x41, 0x70, 0x83, 0xa7, 0xaa, 0x8d, 0x13,
25023 ++ 0xf2, 0xfb, 0xb5, 0xdf, 0xc2, 0x55, 0xa8, 0x04,
25024 ++ 0x97, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25025 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25026 ++ 0x00, 0x41, 0x70, 0x83, 0xa7, 0xaa, 0x8d, 0x13,
25027 ++ 0xf2, 0xfb, 0xb5, 0xdf, 0xc2, 0x55, 0xa8, 0x04,
25028 ++ 0x9a, 0x18, 0xa8, 0x28, 0x07, 0x02, 0x69, 0xf4,
25029 ++ 0x47, 0x00, 0xd0, 0x09, 0xe7, 0x17, 0x1c, 0xc9
25030 ++};
25031 ++static const u8 enc_assoc111[] __initconst = {
25032 ++ 0xff, 0xff, 0xff, 0xff
25033 ++};
25034 ++static const u8 enc_nonce111[] __initconst = {
25035 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25036 ++};
25037 ++static const u8 enc_key111[] __initconst = {
25038 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25039 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25040 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25041 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25042 ++};
25043 ++
25044 ++/* wycheproof - edge case intermediate sums in poly1305 */
25045 ++static const u8 enc_input112[] __initconst = {
25046 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25047 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25048 ++ 0x82, 0xe5, 0x9b, 0x45, 0x82, 0x91, 0x50, 0x38,
25049 ++ 0xf9, 0x33, 0x81, 0x1e, 0x65, 0x2d, 0xc6, 0x6a,
25050 ++ 0xfc, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25051 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25052 ++ 0xb6, 0x71, 0xc8, 0xca, 0xc2, 0x70, 0xc2, 0x65,
25053 ++ 0xa0, 0xac, 0x2f, 0x53, 0x57, 0x99, 0x88, 0x0a,
25054 ++ 0x24, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25055 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25056 ++ 0xfe, 0x55, 0xf9, 0x2a, 0xdc, 0x08, 0xb5, 0xaa,
25057 ++ 0x95, 0x48, 0xa9, 0x2d, 0x63, 0xaf, 0xe1, 0x13
25058 ++};
25059 ++static const u8 enc_output112[] __initconst = {
25060 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25061 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25062 ++ 0x05, 0x27, 0x51, 0x4c, 0x6e, 0x88, 0x76, 0xce,
25063 ++ 0x3b, 0xf4, 0x97, 0x94, 0x59, 0x5d, 0xda, 0x2d,
25064 ++ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25065 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25066 ++ 0xd5, 0x78, 0x00, 0xb4, 0x4c, 0x65, 0xd9, 0xa3,
25067 ++ 0x31, 0xf2, 0x8d, 0x6e, 0xe8, 0xb7, 0xdc, 0x01,
25068 ++ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25069 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25070 ++ 0xd5, 0x78, 0x00, 0xb4, 0x4c, 0x65, 0xd9, 0xa3,
25071 ++ 0x31, 0xf2, 0x8d, 0x6e, 0xe8, 0xb7, 0xdc, 0x01,
25072 ++ 0xb4, 0x36, 0xa8, 0x2b, 0x93, 0xd5, 0x55, 0xf7,
25073 ++ 0x43, 0x00, 0xd0, 0x19, 0x9b, 0xa7, 0x18, 0xce
25074 ++};
25075 ++static const u8 enc_assoc112[] __initconst = {
25076 ++ 0xff, 0xff, 0xff, 0xff
25077 ++};
25078 ++static const u8 enc_nonce112[] __initconst = {
25079 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25080 ++};
25081 ++static const u8 enc_key112[] __initconst = {
25082 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25083 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25084 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25085 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25086 ++};
25087 ++
25088 ++/* wycheproof - edge case intermediate sums in poly1305 */
25089 ++static const u8 enc_input113[] __initconst = {
25090 ++ 0xff, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25091 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25092 ++ 0xf1, 0xd1, 0x28, 0x87, 0xb7, 0x21, 0x69, 0x86,
25093 ++ 0xa1, 0x2d, 0x79, 0x09, 0x8b, 0x6d, 0xe6, 0x0f,
25094 ++ 0xc0, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25095 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25096 ++ 0xa7, 0xc7, 0x58, 0x99, 0xf3, 0xe6, 0x0a, 0xf1,
25097 ++ 0xfc, 0xb6, 0xc7, 0x30, 0x7d, 0x87, 0x59, 0x0f,
25098 ++ 0x18, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25099 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25100 ++ 0xef, 0xe3, 0x69, 0x79, 0xed, 0x9e, 0x7d, 0x3e,
25101 ++ 0xc9, 0x52, 0x41, 0x4e, 0x49, 0xb1, 0x30, 0x16
25102 ++};
25103 ++static const u8 enc_output113[] __initconst = {
25104 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25105 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25106 ++ 0x76, 0x13, 0xe2, 0x8e, 0x5b, 0x38, 0x4f, 0x70,
25107 ++ 0x63, 0xea, 0x6f, 0x83, 0xb7, 0x1d, 0xfa, 0x48,
25108 ++ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25109 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25110 ++ 0xc4, 0xce, 0x90, 0xe7, 0x7d, 0xf3, 0x11, 0x37,
25111 ++ 0x6d, 0xe8, 0x65, 0x0d, 0xc2, 0xa9, 0x0d, 0x04,
25112 ++ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25113 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25114 ++ 0xc4, 0xce, 0x90, 0xe7, 0x7d, 0xf3, 0x11, 0x37,
25115 ++ 0x6d, 0xe8, 0x65, 0x0d, 0xc2, 0xa9, 0x0d, 0x04,
25116 ++ 0xce, 0x54, 0xa8, 0x2e, 0x1f, 0xa9, 0x42, 0xfa,
25117 ++ 0x3f, 0x00, 0xd0, 0x29, 0x4f, 0x37, 0x15, 0xd3
25118 ++};
25119 ++static const u8 enc_assoc113[] __initconst = {
25120 ++ 0xff, 0xff, 0xff, 0xff
25121 ++};
25122 ++static const u8 enc_nonce113[] __initconst = {
25123 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25124 ++};
25125 ++static const u8 enc_key113[] __initconst = {
25126 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25127 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25128 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25129 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25130 ++};
25131 ++
25132 ++/* wycheproof - edge case intermediate sums in poly1305 */
25133 ++static const u8 enc_input114[] __initconst = {
25134 ++ 0xcb, 0xf1, 0xda, 0x9e, 0x0b, 0xa9, 0x37, 0x73,
25135 ++ 0x74, 0xe6, 0x9e, 0x1c, 0x0e, 0x60, 0x0c, 0xfc,
25136 ++ 0x34, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
25137 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
25138 ++ 0xbe, 0x3f, 0xa6, 0x6b, 0x6c, 0xe7, 0x80, 0x8a,
25139 ++ 0xa3, 0xe4, 0x59, 0x49, 0xf9, 0x44, 0x64, 0x9f,
25140 ++ 0xd0, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
25141 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
25142 ++ 0x66, 0x68, 0xdb, 0xc8, 0xf5, 0xf2, 0x0e, 0xf2,
25143 ++ 0xb3, 0xf3, 0x8f, 0x00, 0xe2, 0x03, 0x17, 0x88
25144 ++};
25145 ++static const u8 enc_output114[] __initconst = {
25146 ++ 0xcb, 0x9a, 0x0d, 0xb1, 0x8d, 0x63, 0xd7, 0xea,
25147 ++ 0xd7, 0xc9, 0x60, 0xd6, 0xb2, 0x86, 0x74, 0x5f,
25148 ++ 0xb3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25149 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25150 ++ 0xde, 0xba, 0xb4, 0xa1, 0x58, 0x42, 0x50, 0xbf,
25151 ++ 0xfc, 0x2f, 0xc8, 0x4d, 0x95, 0xde, 0xcf, 0x04,
25152 ++ 0xb3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25153 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25154 ++ 0xde, 0xba, 0xb4, 0xa1, 0x58, 0x42, 0x50, 0xbf,
25155 ++ 0xfc, 0x2f, 0xc8, 0x4d, 0x95, 0xde, 0xcf, 0x04,
25156 ++ 0x23, 0x83, 0xab, 0x0b, 0x79, 0x92, 0x05, 0x69,
25157 ++ 0x9b, 0x51, 0x0a, 0xa7, 0x09, 0xbf, 0x31, 0xf1
25158 ++};
25159 ++static const u8 enc_assoc114[] __initconst = {
25160 ++ 0xff, 0xff, 0xff, 0xff
25161 ++};
25162 ++static const u8 enc_nonce114[] __initconst = {
25163 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25164 ++};
25165 ++static const u8 enc_key114[] __initconst = {
25166 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25167 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25168 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25169 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25170 ++};
25171 ++
25172 ++/* wycheproof - edge case intermediate sums in poly1305 */
25173 ++static const u8 enc_input115[] __initconst = {
25174 ++ 0x8f, 0x27, 0x86, 0x94, 0xc4, 0xe9, 0xda, 0xeb,
25175 ++ 0xd5, 0x8d, 0x3e, 0x5b, 0x96, 0x6e, 0x8b, 0x68,
25176 ++ 0x42, 0x3d, 0x35, 0xf6, 0x13, 0xe6, 0xd9, 0x09,
25177 ++ 0x3d, 0x38, 0xe9, 0x75, 0xc3, 0x8f, 0xe3, 0xb8,
25178 ++ 0x06, 0x53, 0xe7, 0xa3, 0x31, 0x71, 0x88, 0x33,
25179 ++ 0xac, 0xc3, 0xb9, 0xad, 0xff, 0x1c, 0x31, 0x98,
25180 ++ 0xa6, 0xf6, 0x37, 0x81, 0x71, 0xea, 0xe4, 0x39,
25181 ++ 0x6e, 0xa1, 0x5d, 0xc2, 0x40, 0xd1, 0xab, 0xf4,
25182 ++ 0xde, 0x04, 0x9a, 0x00, 0xa8, 0x64, 0x06, 0x4b,
25183 ++ 0xbc, 0xd4, 0x6f, 0xe4, 0xe4, 0x5b, 0x42, 0x8f
25184 ++};
25185 ++static const u8 enc_output115[] __initconst = {
25186 ++ 0x8f, 0x4c, 0x51, 0xbb, 0x42, 0x23, 0x3a, 0x72,
25187 ++ 0x76, 0xa2, 0xc0, 0x91, 0x2a, 0x88, 0xf3, 0xcb,
25188 ++ 0xc5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25189 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25190 ++ 0x66, 0xd6, 0xf5, 0x69, 0x05, 0xd4, 0x58, 0x06,
25191 ++ 0xf3, 0x08, 0x28, 0xa9, 0x93, 0x86, 0x9a, 0x03,
25192 ++ 0xc5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25193 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25194 ++ 0x66, 0xd6, 0xf5, 0x69, 0x05, 0xd4, 0x58, 0x06,
25195 ++ 0xf3, 0x08, 0x28, 0xa9, 0x93, 0x86, 0x9a, 0x03,
25196 ++ 0x8b, 0xfb, 0xab, 0x17, 0xa9, 0xe0, 0xb8, 0x74,
25197 ++ 0x8b, 0x51, 0x0a, 0xe7, 0xd9, 0xfd, 0x23, 0x05
25198 ++};
25199 ++static const u8 enc_assoc115[] __initconst = {
25200 ++ 0xff, 0xff, 0xff, 0xff
25201 ++};
25202 ++static const u8 enc_nonce115[] __initconst = {
25203 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25204 ++};
25205 ++static const u8 enc_key115[] __initconst = {
25206 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25207 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25208 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25209 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25210 ++};
25211 ++
25212 ++/* wycheproof - edge case intermediate sums in poly1305 */
25213 ++static const u8 enc_input116[] __initconst = {
25214 ++ 0xd5, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25215 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25216 ++ 0x9a, 0x22, 0xd7, 0x0a, 0x48, 0xe2, 0x4f, 0xdd,
25217 ++ 0xcd, 0xd4, 0x41, 0x9d, 0xe6, 0x4c, 0x8f, 0x44,
25218 ++ 0xfc, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25219 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25220 ++ 0x77, 0xb5, 0xc9, 0x07, 0xd9, 0xc9, 0xe1, 0xea,
25221 ++ 0x51, 0x85, 0x1a, 0x20, 0x4a, 0xad, 0x9f, 0x0a,
25222 ++ 0x24, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25223 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25224 ++ 0x3f, 0x91, 0xf8, 0xe7, 0xc7, 0xb1, 0x96, 0x25,
25225 ++ 0x64, 0x61, 0x9c, 0x5e, 0x7e, 0x9b, 0xf6, 0x13
25226 ++};
25227 ++static const u8 enc_output116[] __initconst = {
25228 ++ 0xd5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25229 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25230 ++ 0x1d, 0xe0, 0x1d, 0x03, 0xa4, 0xfb, 0x69, 0x2b,
25231 ++ 0x0f, 0x13, 0x57, 0x17, 0xda, 0x3c, 0x93, 0x03,
25232 ++ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25233 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25234 ++ 0x14, 0xbc, 0x01, 0x79, 0x57, 0xdc, 0xfa, 0x2c,
25235 ++ 0xc0, 0xdb, 0xb8, 0x1d, 0xf5, 0x83, 0xcb, 0x01,
25236 ++ 0x9c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25237 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25238 ++ 0x14, 0xbc, 0x01, 0x79, 0x57, 0xdc, 0xfa, 0x2c,
25239 ++ 0xc0, 0xdb, 0xb8, 0x1d, 0xf5, 0x83, 0xcb, 0x01,
25240 ++ 0x49, 0xbc, 0x6e, 0x9f, 0xc5, 0x1c, 0x4d, 0x50,
25241 ++ 0x30, 0x36, 0x64, 0x4d, 0x84, 0x27, 0x73, 0xd2
25242 ++};
25243 ++static const u8 enc_assoc116[] __initconst = {
25244 ++ 0xff, 0xff, 0xff, 0xff
25245 ++};
25246 ++static const u8 enc_nonce116[] __initconst = {
25247 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25248 ++};
25249 ++static const u8 enc_key116[] __initconst = {
25250 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25251 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25252 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25253 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25254 ++};
25255 ++
25256 ++/* wycheproof - edge case intermediate sums in poly1305 */
25257 ++static const u8 enc_input117[] __initconst = {
25258 ++ 0xdb, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25259 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25260 ++ 0x75, 0xd5, 0x64, 0x3a, 0xa5, 0xaf, 0x93, 0x4d,
25261 ++ 0x8c, 0xce, 0x39, 0x2c, 0xc3, 0xee, 0xdb, 0x47,
25262 ++ 0xc0, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25263 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25264 ++ 0x60, 0x1b, 0x5a, 0xd2, 0x06, 0x7f, 0x28, 0x06,
25265 ++ 0x6a, 0x8f, 0x32, 0x81, 0x71, 0x5b, 0xa8, 0x08,
25266 ++ 0x18, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25267 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25268 ++ 0x28, 0x3f, 0x6b, 0x32, 0x18, 0x07, 0x5f, 0xc9,
25269 ++ 0x5f, 0x6b, 0xb4, 0xff, 0x45, 0x6d, 0xc1, 0x11
25270 ++};
25271 ++static const u8 enc_output117[] __initconst = {
25272 ++ 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25273 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25274 ++ 0xf2, 0x17, 0xae, 0x33, 0x49, 0xb6, 0xb5, 0xbb,
25275 ++ 0x4e, 0x09, 0x2f, 0xa6, 0xff, 0x9e, 0xc7, 0x00,
25276 ++ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25277 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25278 ++ 0x03, 0x12, 0x92, 0xac, 0x88, 0x6a, 0x33, 0xc0,
25279 ++ 0xfb, 0xd1, 0x90, 0xbc, 0xce, 0x75, 0xfc, 0x03,
25280 ++ 0xa0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25281 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25282 ++ 0x03, 0x12, 0x92, 0xac, 0x88, 0x6a, 0x33, 0xc0,
25283 ++ 0xfb, 0xd1, 0x90, 0xbc, 0xce, 0x75, 0xfc, 0x03,
25284 ++ 0x63, 0xda, 0x6e, 0xa2, 0x51, 0xf0, 0x39, 0x53,
25285 ++ 0x2c, 0x36, 0x64, 0x5d, 0x38, 0xb7, 0x6f, 0xd7
25286 ++};
25287 ++static const u8 enc_assoc117[] __initconst = {
25288 ++ 0xff, 0xff, 0xff, 0xff
25289 ++};
25290 ++static const u8 enc_nonce117[] __initconst = {
25291 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25292 ++};
25293 ++static const u8 enc_key117[] __initconst = {
25294 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25295 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25296 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25297 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25298 ++};
25299 ++
25300 ++/* wycheproof - edge case intermediate sums in poly1305 */
25301 ++static const u8 enc_input118[] __initconst = {
25302 ++ 0x93, 0x94, 0x28, 0xd0, 0x79, 0x35, 0x1f, 0x66,
25303 ++ 0x5c, 0xd0, 0x01, 0x35, 0x43, 0x19, 0x87, 0x5c,
25304 ++ 0x62, 0x48, 0x39, 0x60, 0x42, 0x16, 0xe4, 0x03,
25305 ++ 0xeb, 0xcc, 0x6a, 0xf5, 0x59, 0xec, 0x8b, 0x43,
25306 ++ 0x97, 0x7a, 0xed, 0x35, 0xcb, 0x5a, 0x2f, 0xca,
25307 ++ 0xa0, 0x34, 0x6e, 0xfb, 0x93, 0x65, 0x54, 0x64,
25308 ++ 0xd8, 0xc8, 0xc3, 0xfa, 0x1a, 0x9e, 0x47, 0x4a,
25309 ++ 0xbe, 0x52, 0xd0, 0x2c, 0x81, 0x87, 0xe9, 0x0f,
25310 ++ 0x4f, 0x2d, 0x90, 0x96, 0x52, 0x4f, 0xa1, 0xb2,
25311 ++ 0xb0, 0x23, 0xb8, 0xb2, 0x88, 0x22, 0x27, 0x73,
25312 ++ 0x90, 0xec, 0xf2, 0x1a, 0x04, 0xe6, 0x30, 0x85,
25313 ++ 0x8b, 0xb6, 0x56, 0x52, 0xb5, 0xb1, 0x80, 0x16
25314 ++};
25315 ++static const u8 enc_output118[] __initconst = {
25316 ++ 0x93, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25317 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25318 ++ 0xe5, 0x8a, 0xf3, 0x69, 0xae, 0x0f, 0xc2, 0xf5,
25319 ++ 0x29, 0x0b, 0x7c, 0x7f, 0x65, 0x9c, 0x97, 0x04,
25320 ++ 0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25321 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25322 ++ 0xbb, 0xc1, 0x0b, 0x84, 0x94, 0x8b, 0x5c, 0x8c,
25323 ++ 0x2f, 0x0c, 0x72, 0x11, 0x3e, 0xa9, 0xbd, 0x04,
25324 ++ 0xf7, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25325 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
25326 ++ 0xbb, 0xc1, 0x0b, 0x84, 0x94, 0x8b, 0x5c, 0x8c,
25327 ++ 0x2f, 0x0c, 0x72, 0x11, 0x3e, 0xa9, 0xbd, 0x04,
25328 ++ 0x73, 0xeb, 0x27, 0x24, 0xb5, 0xc4, 0x05, 0xf0,
25329 ++ 0x4d, 0x00, 0xd0, 0xf1, 0x58, 0x40, 0xa1, 0xc1
25330 ++};
25331 ++static const u8 enc_assoc118[] __initconst = {
25332 ++ 0xff, 0xff, 0xff, 0xff
25333 ++};
25334 ++static const u8 enc_nonce118[] __initconst = {
25335 ++ 0x00, 0x00, 0x00, 0x00, 0x06, 0x4c, 0x2d, 0x52
25336 ++};
25337 ++static const u8 enc_key118[] __initconst = {
25338 ++ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
25339 ++ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
25340 ++ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
25341 ++ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
25342 ++};
25343 ++
25344 ++static const struct chacha20poly1305_testvec
25345 ++chacha20poly1305_enc_vectors[] __initconst = {
25346 ++ { enc_input001, enc_output001, enc_assoc001, enc_nonce001, enc_key001,
25347 ++ sizeof(enc_input001), sizeof(enc_assoc001), sizeof(enc_nonce001) },
25348 ++ { enc_input002, enc_output002, enc_assoc002, enc_nonce002, enc_key002,
25349 ++ sizeof(enc_input002), sizeof(enc_assoc002), sizeof(enc_nonce002) },
25350 ++ { enc_input003, enc_output003, enc_assoc003, enc_nonce003, enc_key003,
25351 ++ sizeof(enc_input003), sizeof(enc_assoc003), sizeof(enc_nonce003) },
25352 ++ { enc_input004, enc_output004, enc_assoc004, enc_nonce004, enc_key004,
25353 ++ sizeof(enc_input004), sizeof(enc_assoc004), sizeof(enc_nonce004) },
25354 ++ { enc_input005, enc_output005, enc_assoc005, enc_nonce005, enc_key005,
25355 ++ sizeof(enc_input005), sizeof(enc_assoc005), sizeof(enc_nonce005) },
25356 ++ { enc_input006, enc_output006, enc_assoc006, enc_nonce006, enc_key006,
25357 ++ sizeof(enc_input006), sizeof(enc_assoc006), sizeof(enc_nonce006) },
25358 ++ { enc_input007, enc_output007, enc_assoc007, enc_nonce007, enc_key007,
25359 ++ sizeof(enc_input007), sizeof(enc_assoc007), sizeof(enc_nonce007) },
25360 ++ { enc_input008, enc_output008, enc_assoc008, enc_nonce008, enc_key008,
25361 ++ sizeof(enc_input008), sizeof(enc_assoc008), sizeof(enc_nonce008) },
25362 ++ { enc_input009, enc_output009, enc_assoc009, enc_nonce009, enc_key009,
25363 ++ sizeof(enc_input009), sizeof(enc_assoc009), sizeof(enc_nonce009) },
25364 ++ { enc_input010, enc_output010, enc_assoc010, enc_nonce010, enc_key010,
25365 ++ sizeof(enc_input010), sizeof(enc_assoc010), sizeof(enc_nonce010) },
25366 ++ { enc_input011, enc_output011, enc_assoc011, enc_nonce011, enc_key011,
25367 ++ sizeof(enc_input011), sizeof(enc_assoc011), sizeof(enc_nonce011) },
25368 ++ { enc_input012, enc_output012, enc_assoc012, enc_nonce012, enc_key012,
25369 ++ sizeof(enc_input012), sizeof(enc_assoc012), sizeof(enc_nonce012) },
25370 ++ { enc_input013, enc_output013, enc_assoc013, enc_nonce013, enc_key013,
25371 ++ sizeof(enc_input013), sizeof(enc_assoc013), sizeof(enc_nonce013) },
25372 ++ { enc_input014, enc_output014, enc_assoc014, enc_nonce014, enc_key014,
25373 ++ sizeof(enc_input014), sizeof(enc_assoc014), sizeof(enc_nonce014) },
25374 ++ { enc_input015, enc_output015, enc_assoc015, enc_nonce015, enc_key015,
25375 ++ sizeof(enc_input015), sizeof(enc_assoc015), sizeof(enc_nonce015) },
25376 ++ { enc_input016, enc_output016, enc_assoc016, enc_nonce016, enc_key016,
25377 ++ sizeof(enc_input016), sizeof(enc_assoc016), sizeof(enc_nonce016) },
25378 ++ { enc_input017, enc_output017, enc_assoc017, enc_nonce017, enc_key017,
25379 ++ sizeof(enc_input017), sizeof(enc_assoc017), sizeof(enc_nonce017) },
25380 ++ { enc_input018, enc_output018, enc_assoc018, enc_nonce018, enc_key018,
25381 ++ sizeof(enc_input018), sizeof(enc_assoc018), sizeof(enc_nonce018) },
25382 ++ { enc_input019, enc_output019, enc_assoc019, enc_nonce019, enc_key019,
25383 ++ sizeof(enc_input019), sizeof(enc_assoc019), sizeof(enc_nonce019) },
25384 ++ { enc_input020, enc_output020, enc_assoc020, enc_nonce020, enc_key020,
25385 ++ sizeof(enc_input020), sizeof(enc_assoc020), sizeof(enc_nonce020) },
25386 ++ { enc_input021, enc_output021, enc_assoc021, enc_nonce021, enc_key021,
25387 ++ sizeof(enc_input021), sizeof(enc_assoc021), sizeof(enc_nonce021) },
25388 ++ { enc_input022, enc_output022, enc_assoc022, enc_nonce022, enc_key022,
25389 ++ sizeof(enc_input022), sizeof(enc_assoc022), sizeof(enc_nonce022) },
25390 ++ { enc_input023, enc_output023, enc_assoc023, enc_nonce023, enc_key023,
25391 ++ sizeof(enc_input023), sizeof(enc_assoc023), sizeof(enc_nonce023) },
25392 ++ { enc_input024, enc_output024, enc_assoc024, enc_nonce024, enc_key024,
25393 ++ sizeof(enc_input024), sizeof(enc_assoc024), sizeof(enc_nonce024) },
25394 ++ { enc_input025, enc_output025, enc_assoc025, enc_nonce025, enc_key025,
25395 ++ sizeof(enc_input025), sizeof(enc_assoc025), sizeof(enc_nonce025) },
25396 ++ { enc_input026, enc_output026, enc_assoc026, enc_nonce026, enc_key026,
25397 ++ sizeof(enc_input026), sizeof(enc_assoc026), sizeof(enc_nonce026) },
25398 ++ { enc_input027, enc_output027, enc_assoc027, enc_nonce027, enc_key027,
25399 ++ sizeof(enc_input027), sizeof(enc_assoc027), sizeof(enc_nonce027) },
25400 ++ { enc_input028, enc_output028, enc_assoc028, enc_nonce028, enc_key028,
25401 ++ sizeof(enc_input028), sizeof(enc_assoc028), sizeof(enc_nonce028) },
25402 ++ { enc_input029, enc_output029, enc_assoc029, enc_nonce029, enc_key029,
25403 ++ sizeof(enc_input029), sizeof(enc_assoc029), sizeof(enc_nonce029) },
25404 ++ { enc_input030, enc_output030, enc_assoc030, enc_nonce030, enc_key030,
25405 ++ sizeof(enc_input030), sizeof(enc_assoc030), sizeof(enc_nonce030) },
25406 ++ { enc_input031, enc_output031, enc_assoc031, enc_nonce031, enc_key031,
25407 ++ sizeof(enc_input031), sizeof(enc_assoc031), sizeof(enc_nonce031) },
25408 ++ { enc_input032, enc_output032, enc_assoc032, enc_nonce032, enc_key032,
25409 ++ sizeof(enc_input032), sizeof(enc_assoc032), sizeof(enc_nonce032) },
25410 ++ { enc_input033, enc_output033, enc_assoc033, enc_nonce033, enc_key033,
25411 ++ sizeof(enc_input033), sizeof(enc_assoc033), sizeof(enc_nonce033) },
25412 ++ { enc_input034, enc_output034, enc_assoc034, enc_nonce034, enc_key034,
25413 ++ sizeof(enc_input034), sizeof(enc_assoc034), sizeof(enc_nonce034) },
25414 ++ { enc_input035, enc_output035, enc_assoc035, enc_nonce035, enc_key035,
25415 ++ sizeof(enc_input035), sizeof(enc_assoc035), sizeof(enc_nonce035) },
25416 ++ { enc_input036, enc_output036, enc_assoc036, enc_nonce036, enc_key036,
25417 ++ sizeof(enc_input036), sizeof(enc_assoc036), sizeof(enc_nonce036) },
25418 ++ { enc_input037, enc_output037, enc_assoc037, enc_nonce037, enc_key037,
25419 ++ sizeof(enc_input037), sizeof(enc_assoc037), sizeof(enc_nonce037) },
25420 ++ { enc_input038, enc_output038, enc_assoc038, enc_nonce038, enc_key038,
25421 ++ sizeof(enc_input038), sizeof(enc_assoc038), sizeof(enc_nonce038) },
25422 ++ { enc_input039, enc_output039, enc_assoc039, enc_nonce039, enc_key039,
25423 ++ sizeof(enc_input039), sizeof(enc_assoc039), sizeof(enc_nonce039) },
25424 ++ { enc_input040, enc_output040, enc_assoc040, enc_nonce040, enc_key040,
25425 ++ sizeof(enc_input040), sizeof(enc_assoc040), sizeof(enc_nonce040) },
25426 ++ { enc_input041, enc_output041, enc_assoc041, enc_nonce041, enc_key041,
25427 ++ sizeof(enc_input041), sizeof(enc_assoc041), sizeof(enc_nonce041) },
25428 ++ { enc_input042, enc_output042, enc_assoc042, enc_nonce042, enc_key042,
25429 ++ sizeof(enc_input042), sizeof(enc_assoc042), sizeof(enc_nonce042) },
25430 ++ { enc_input043, enc_output043, enc_assoc043, enc_nonce043, enc_key043,
25431 ++ sizeof(enc_input043), sizeof(enc_assoc043), sizeof(enc_nonce043) },
25432 ++ { enc_input044, enc_output044, enc_assoc044, enc_nonce044, enc_key044,
25433 ++ sizeof(enc_input044), sizeof(enc_assoc044), sizeof(enc_nonce044) },
25434 ++ { enc_input045, enc_output045, enc_assoc045, enc_nonce045, enc_key045,
25435 ++ sizeof(enc_input045), sizeof(enc_assoc045), sizeof(enc_nonce045) },
25436 ++ { enc_input046, enc_output046, enc_assoc046, enc_nonce046, enc_key046,
25437 ++ sizeof(enc_input046), sizeof(enc_assoc046), sizeof(enc_nonce046) },
25438 ++ { enc_input047, enc_output047, enc_assoc047, enc_nonce047, enc_key047,
25439 ++ sizeof(enc_input047), sizeof(enc_assoc047), sizeof(enc_nonce047) },
25440 ++ { enc_input048, enc_output048, enc_assoc048, enc_nonce048, enc_key048,
25441 ++ sizeof(enc_input048), sizeof(enc_assoc048), sizeof(enc_nonce048) },
25442 ++ { enc_input049, enc_output049, enc_assoc049, enc_nonce049, enc_key049,
25443 ++ sizeof(enc_input049), sizeof(enc_assoc049), sizeof(enc_nonce049) },
25444 ++ { enc_input050, enc_output050, enc_assoc050, enc_nonce050, enc_key050,
25445 ++ sizeof(enc_input050), sizeof(enc_assoc050), sizeof(enc_nonce050) },
25446 ++ { enc_input051, enc_output051, enc_assoc051, enc_nonce051, enc_key051,
25447 ++ sizeof(enc_input051), sizeof(enc_assoc051), sizeof(enc_nonce051) },
25448 ++ { enc_input052, enc_output052, enc_assoc052, enc_nonce052, enc_key052,
25449 ++ sizeof(enc_input052), sizeof(enc_assoc052), sizeof(enc_nonce052) },
25450 ++ { enc_input053, enc_output053, enc_assoc053, enc_nonce053, enc_key053,
25451 ++ sizeof(enc_input053), sizeof(enc_assoc053), sizeof(enc_nonce053) },
25452 ++ { enc_input054, enc_output054, enc_assoc054, enc_nonce054, enc_key054,
25453 ++ sizeof(enc_input054), sizeof(enc_assoc054), sizeof(enc_nonce054) },
25454 ++ { enc_input055, enc_output055, enc_assoc055, enc_nonce055, enc_key055,
25455 ++ sizeof(enc_input055), sizeof(enc_assoc055), sizeof(enc_nonce055) },
25456 ++ { enc_input056, enc_output056, enc_assoc056, enc_nonce056, enc_key056,
25457 ++ sizeof(enc_input056), sizeof(enc_assoc056), sizeof(enc_nonce056) },
25458 ++ { enc_input057, enc_output057, enc_assoc057, enc_nonce057, enc_key057,
25459 ++ sizeof(enc_input057), sizeof(enc_assoc057), sizeof(enc_nonce057) },
25460 ++ { enc_input058, enc_output058, enc_assoc058, enc_nonce058, enc_key058,
25461 ++ sizeof(enc_input058), sizeof(enc_assoc058), sizeof(enc_nonce058) },
25462 ++ { enc_input059, enc_output059, enc_assoc059, enc_nonce059, enc_key059,
25463 ++ sizeof(enc_input059), sizeof(enc_assoc059), sizeof(enc_nonce059) },
25464 ++ { enc_input060, enc_output060, enc_assoc060, enc_nonce060, enc_key060,
25465 ++ sizeof(enc_input060), sizeof(enc_assoc060), sizeof(enc_nonce060) },
25466 ++ { enc_input061, enc_output061, enc_assoc061, enc_nonce061, enc_key061,
25467 ++ sizeof(enc_input061), sizeof(enc_assoc061), sizeof(enc_nonce061) },
25468 ++ { enc_input062, enc_output062, enc_assoc062, enc_nonce062, enc_key062,
25469 ++ sizeof(enc_input062), sizeof(enc_assoc062), sizeof(enc_nonce062) },
25470 ++ { enc_input063, enc_output063, enc_assoc063, enc_nonce063, enc_key063,
25471 ++ sizeof(enc_input063), sizeof(enc_assoc063), sizeof(enc_nonce063) },
25472 ++ { enc_input064, enc_output064, enc_assoc064, enc_nonce064, enc_key064,
25473 ++ sizeof(enc_input064), sizeof(enc_assoc064), sizeof(enc_nonce064) },
25474 ++ { enc_input065, enc_output065, enc_assoc065, enc_nonce065, enc_key065,
25475 ++ sizeof(enc_input065), sizeof(enc_assoc065), sizeof(enc_nonce065) },
25476 ++ { enc_input066, enc_output066, enc_assoc066, enc_nonce066, enc_key066,
25477 ++ sizeof(enc_input066), sizeof(enc_assoc066), sizeof(enc_nonce066) },
25478 ++ { enc_input067, enc_output067, enc_assoc067, enc_nonce067, enc_key067,
25479 ++ sizeof(enc_input067), sizeof(enc_assoc067), sizeof(enc_nonce067) },
25480 ++ { enc_input068, enc_output068, enc_assoc068, enc_nonce068, enc_key068,
25481 ++ sizeof(enc_input068), sizeof(enc_assoc068), sizeof(enc_nonce068) },
25482 ++ { enc_input069, enc_output069, enc_assoc069, enc_nonce069, enc_key069,
25483 ++ sizeof(enc_input069), sizeof(enc_assoc069), sizeof(enc_nonce069) },
25484 ++ { enc_input070, enc_output070, enc_assoc070, enc_nonce070, enc_key070,
25485 ++ sizeof(enc_input070), sizeof(enc_assoc070), sizeof(enc_nonce070) },
25486 ++ { enc_input071, enc_output071, enc_assoc071, enc_nonce071, enc_key071,
25487 ++ sizeof(enc_input071), sizeof(enc_assoc071), sizeof(enc_nonce071) },
25488 ++ { enc_input072, enc_output072, enc_assoc072, enc_nonce072, enc_key072,
25489 ++ sizeof(enc_input072), sizeof(enc_assoc072), sizeof(enc_nonce072) },
25490 ++ { enc_input073, enc_output073, enc_assoc073, enc_nonce073, enc_key073,
25491 ++ sizeof(enc_input073), sizeof(enc_assoc073), sizeof(enc_nonce073) },
25492 ++ { enc_input074, enc_output074, enc_assoc074, enc_nonce074, enc_key074,
25493 ++ sizeof(enc_input074), sizeof(enc_assoc074), sizeof(enc_nonce074) },
25494 ++ { enc_input075, enc_output075, enc_assoc075, enc_nonce075, enc_key075,
25495 ++ sizeof(enc_input075), sizeof(enc_assoc075), sizeof(enc_nonce075) },
25496 ++ { enc_input076, enc_output076, enc_assoc076, enc_nonce076, enc_key076,
25497 ++ sizeof(enc_input076), sizeof(enc_assoc076), sizeof(enc_nonce076) },
25498 ++ { enc_input077, enc_output077, enc_assoc077, enc_nonce077, enc_key077,
25499 ++ sizeof(enc_input077), sizeof(enc_assoc077), sizeof(enc_nonce077) },
25500 ++ { enc_input078, enc_output078, enc_assoc078, enc_nonce078, enc_key078,
25501 ++ sizeof(enc_input078), sizeof(enc_assoc078), sizeof(enc_nonce078) },
25502 ++ { enc_input079, enc_output079, enc_assoc079, enc_nonce079, enc_key079,
25503 ++ sizeof(enc_input079), sizeof(enc_assoc079), sizeof(enc_nonce079) },
25504 ++ { enc_input080, enc_output080, enc_assoc080, enc_nonce080, enc_key080,
25505 ++ sizeof(enc_input080), sizeof(enc_assoc080), sizeof(enc_nonce080) },
25506 ++ { enc_input081, enc_output081, enc_assoc081, enc_nonce081, enc_key081,
25507 ++ sizeof(enc_input081), sizeof(enc_assoc081), sizeof(enc_nonce081) },
25508 ++ { enc_input082, enc_output082, enc_assoc082, enc_nonce082, enc_key082,
25509 ++ sizeof(enc_input082), sizeof(enc_assoc082), sizeof(enc_nonce082) },
25510 ++ { enc_input083, enc_output083, enc_assoc083, enc_nonce083, enc_key083,
25511 ++ sizeof(enc_input083), sizeof(enc_assoc083), sizeof(enc_nonce083) },
25512 ++ { enc_input084, enc_output084, enc_assoc084, enc_nonce084, enc_key084,
25513 ++ sizeof(enc_input084), sizeof(enc_assoc084), sizeof(enc_nonce084) },
25514 ++ { enc_input085, enc_output085, enc_assoc085, enc_nonce085, enc_key085,
25515 ++ sizeof(enc_input085), sizeof(enc_assoc085), sizeof(enc_nonce085) },
25516 ++ { enc_input086, enc_output086, enc_assoc086, enc_nonce086, enc_key086,
25517 ++ sizeof(enc_input086), sizeof(enc_assoc086), sizeof(enc_nonce086) },
25518 ++ { enc_input087, enc_output087, enc_assoc087, enc_nonce087, enc_key087,
25519 ++ sizeof(enc_input087), sizeof(enc_assoc087), sizeof(enc_nonce087) },
25520 ++ { enc_input088, enc_output088, enc_assoc088, enc_nonce088, enc_key088,
25521 ++ sizeof(enc_input088), sizeof(enc_assoc088), sizeof(enc_nonce088) },
25522 ++ { enc_input089, enc_output089, enc_assoc089, enc_nonce089, enc_key089,
25523 ++ sizeof(enc_input089), sizeof(enc_assoc089), sizeof(enc_nonce089) },
25524 ++ { enc_input090, enc_output090, enc_assoc090, enc_nonce090, enc_key090,
25525 ++ sizeof(enc_input090), sizeof(enc_assoc090), sizeof(enc_nonce090) },
25526 ++ { enc_input091, enc_output091, enc_assoc091, enc_nonce091, enc_key091,
25527 ++ sizeof(enc_input091), sizeof(enc_assoc091), sizeof(enc_nonce091) },
25528 ++ { enc_input092, enc_output092, enc_assoc092, enc_nonce092, enc_key092,
25529 ++ sizeof(enc_input092), sizeof(enc_assoc092), sizeof(enc_nonce092) },
25530 ++ { enc_input093, enc_output093, enc_assoc093, enc_nonce093, enc_key093,
25531 ++ sizeof(enc_input093), sizeof(enc_assoc093), sizeof(enc_nonce093) },
25532 ++ { enc_input094, enc_output094, enc_assoc094, enc_nonce094, enc_key094,
25533 ++ sizeof(enc_input094), sizeof(enc_assoc094), sizeof(enc_nonce094) },
25534 ++ { enc_input095, enc_output095, enc_assoc095, enc_nonce095, enc_key095,
25535 ++ sizeof(enc_input095), sizeof(enc_assoc095), sizeof(enc_nonce095) },
25536 ++ { enc_input096, enc_output096, enc_assoc096, enc_nonce096, enc_key096,
25537 ++ sizeof(enc_input096), sizeof(enc_assoc096), sizeof(enc_nonce096) },
25538 ++ { enc_input097, enc_output097, enc_assoc097, enc_nonce097, enc_key097,
25539 ++ sizeof(enc_input097), sizeof(enc_assoc097), sizeof(enc_nonce097) },
25540 ++ { enc_input098, enc_output098, enc_assoc098, enc_nonce098, enc_key098,
25541 ++ sizeof(enc_input098), sizeof(enc_assoc098), sizeof(enc_nonce098) },
25542 ++ { enc_input099, enc_output099, enc_assoc099, enc_nonce099, enc_key099,
25543 ++ sizeof(enc_input099), sizeof(enc_assoc099), sizeof(enc_nonce099) },
25544 ++ { enc_input100, enc_output100, enc_assoc100, enc_nonce100, enc_key100,
25545 ++ sizeof(enc_input100), sizeof(enc_assoc100), sizeof(enc_nonce100) },
25546 ++ { enc_input101, enc_output101, enc_assoc101, enc_nonce101, enc_key101,
25547 ++ sizeof(enc_input101), sizeof(enc_assoc101), sizeof(enc_nonce101) },
25548 ++ { enc_input102, enc_output102, enc_assoc102, enc_nonce102, enc_key102,
25549 ++ sizeof(enc_input102), sizeof(enc_assoc102), sizeof(enc_nonce102) },
25550 ++ { enc_input103, enc_output103, enc_assoc103, enc_nonce103, enc_key103,
25551 ++ sizeof(enc_input103), sizeof(enc_assoc103), sizeof(enc_nonce103) },
25552 ++ { enc_input104, enc_output104, enc_assoc104, enc_nonce104, enc_key104,
25553 ++ sizeof(enc_input104), sizeof(enc_assoc104), sizeof(enc_nonce104) },
25554 ++ { enc_input105, enc_output105, enc_assoc105, enc_nonce105, enc_key105,
25555 ++ sizeof(enc_input105), sizeof(enc_assoc105), sizeof(enc_nonce105) },
25556 ++ { enc_input106, enc_output106, enc_assoc106, enc_nonce106, enc_key106,
25557 ++ sizeof(enc_input106), sizeof(enc_assoc106), sizeof(enc_nonce106) },
25558 ++ { enc_input107, enc_output107, enc_assoc107, enc_nonce107, enc_key107,
25559 ++ sizeof(enc_input107), sizeof(enc_assoc107), sizeof(enc_nonce107) },
25560 ++ { enc_input108, enc_output108, enc_assoc108, enc_nonce108, enc_key108,
25561 ++ sizeof(enc_input108), sizeof(enc_assoc108), sizeof(enc_nonce108) },
25562 ++ { enc_input109, enc_output109, enc_assoc109, enc_nonce109, enc_key109,
25563 ++ sizeof(enc_input109), sizeof(enc_assoc109), sizeof(enc_nonce109) },
25564 ++ { enc_input110, enc_output110, enc_assoc110, enc_nonce110, enc_key110,
25565 ++ sizeof(enc_input110), sizeof(enc_assoc110), sizeof(enc_nonce110) },
25566 ++ { enc_input111, enc_output111, enc_assoc111, enc_nonce111, enc_key111,
25567 ++ sizeof(enc_input111), sizeof(enc_assoc111), sizeof(enc_nonce111) },
25568 ++ { enc_input112, enc_output112, enc_assoc112, enc_nonce112, enc_key112,
25569 ++ sizeof(enc_input112), sizeof(enc_assoc112), sizeof(enc_nonce112) },
25570 ++ { enc_input113, enc_output113, enc_assoc113, enc_nonce113, enc_key113,
25571 ++ sizeof(enc_input113), sizeof(enc_assoc113), sizeof(enc_nonce113) },
25572 ++ { enc_input114, enc_output114, enc_assoc114, enc_nonce114, enc_key114,
25573 ++ sizeof(enc_input114), sizeof(enc_assoc114), sizeof(enc_nonce114) },
25574 ++ { enc_input115, enc_output115, enc_assoc115, enc_nonce115, enc_key115,
25575 ++ sizeof(enc_input115), sizeof(enc_assoc115), sizeof(enc_nonce115) },
25576 ++ { enc_input116, enc_output116, enc_assoc116, enc_nonce116, enc_key116,
25577 ++ sizeof(enc_input116), sizeof(enc_assoc116), sizeof(enc_nonce116) },
25578 ++ { enc_input117, enc_output117, enc_assoc117, enc_nonce117, enc_key117,
25579 ++ sizeof(enc_input117), sizeof(enc_assoc117), sizeof(enc_nonce117) },
25580 ++ { enc_input118, enc_output118, enc_assoc118, enc_nonce118, enc_key118,
25581 ++ sizeof(enc_input118), sizeof(enc_assoc118), sizeof(enc_nonce118) }
25582 ++};
25583 ++
25584 ++static const u8 dec_input001[] __initconst = {
25585 ++ 0x64, 0xa0, 0x86, 0x15, 0x75, 0x86, 0x1a, 0xf4,
25586 ++ 0x60, 0xf0, 0x62, 0xc7, 0x9b, 0xe6, 0x43, 0xbd,
25587 ++ 0x5e, 0x80, 0x5c, 0xfd, 0x34, 0x5c, 0xf3, 0x89,
25588 ++ 0xf1, 0x08, 0x67, 0x0a, 0xc7, 0x6c, 0x8c, 0xb2,
25589 ++ 0x4c, 0x6c, 0xfc, 0x18, 0x75, 0x5d, 0x43, 0xee,
25590 ++ 0xa0, 0x9e, 0xe9, 0x4e, 0x38, 0x2d, 0x26, 0xb0,
25591 ++ 0xbd, 0xb7, 0xb7, 0x3c, 0x32, 0x1b, 0x01, 0x00,
25592 ++ 0xd4, 0xf0, 0x3b, 0x7f, 0x35, 0x58, 0x94, 0xcf,
25593 ++ 0x33, 0x2f, 0x83, 0x0e, 0x71, 0x0b, 0x97, 0xce,
25594 ++ 0x98, 0xc8, 0xa8, 0x4a, 0xbd, 0x0b, 0x94, 0x81,
25595 ++ 0x14, 0xad, 0x17, 0x6e, 0x00, 0x8d, 0x33, 0xbd,
25596 ++ 0x60, 0xf9, 0x82, 0xb1, 0xff, 0x37, 0xc8, 0x55,
25597 ++ 0x97, 0x97, 0xa0, 0x6e, 0xf4, 0xf0, 0xef, 0x61,
25598 ++ 0xc1, 0x86, 0x32, 0x4e, 0x2b, 0x35, 0x06, 0x38,
25599 ++ 0x36, 0x06, 0x90, 0x7b, 0x6a, 0x7c, 0x02, 0xb0,
25600 ++ 0xf9, 0xf6, 0x15, 0x7b, 0x53, 0xc8, 0x67, 0xe4,
25601 ++ 0xb9, 0x16, 0x6c, 0x76, 0x7b, 0x80, 0x4d, 0x46,
25602 ++ 0xa5, 0x9b, 0x52, 0x16, 0xcd, 0xe7, 0xa4, 0xe9,
25603 ++ 0x90, 0x40, 0xc5, 0xa4, 0x04, 0x33, 0x22, 0x5e,
25604 ++ 0xe2, 0x82, 0xa1, 0xb0, 0xa0, 0x6c, 0x52, 0x3e,
25605 ++ 0xaf, 0x45, 0x34, 0xd7, 0xf8, 0x3f, 0xa1, 0x15,
25606 ++ 0x5b, 0x00, 0x47, 0x71, 0x8c, 0xbc, 0x54, 0x6a,
25607 ++ 0x0d, 0x07, 0x2b, 0x04, 0xb3, 0x56, 0x4e, 0xea,
25608 ++ 0x1b, 0x42, 0x22, 0x73, 0xf5, 0x48, 0x27, 0x1a,
25609 ++ 0x0b, 0xb2, 0x31, 0x60, 0x53, 0xfa, 0x76, 0x99,
25610 ++ 0x19, 0x55, 0xeb, 0xd6, 0x31, 0x59, 0x43, 0x4e,
25611 ++ 0xce, 0xbb, 0x4e, 0x46, 0x6d, 0xae, 0x5a, 0x10,
25612 ++ 0x73, 0xa6, 0x72, 0x76, 0x27, 0x09, 0x7a, 0x10,
25613 ++ 0x49, 0xe6, 0x17, 0xd9, 0x1d, 0x36, 0x10, 0x94,
25614 ++ 0xfa, 0x68, 0xf0, 0xff, 0x77, 0x98, 0x71, 0x30,
25615 ++ 0x30, 0x5b, 0xea, 0xba, 0x2e, 0xda, 0x04, 0xdf,
25616 ++ 0x99, 0x7b, 0x71, 0x4d, 0x6c, 0x6f, 0x2c, 0x29,
25617 ++ 0xa6, 0xad, 0x5c, 0xb4, 0x02, 0x2b, 0x02, 0x70,
25618 ++ 0x9b, 0xee, 0xad, 0x9d, 0x67, 0x89, 0x0c, 0xbb,
25619 ++ 0x22, 0x39, 0x23, 0x36, 0xfe, 0xa1, 0x85, 0x1f,
25620 ++ 0x38
25621 ++};
25622 ++static const u8 dec_output001[] __initconst = {
25623 ++ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
25624 ++ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
25625 ++ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
25626 ++ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
25627 ++ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
25628 ++ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
25629 ++ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
25630 ++ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
25631 ++ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
25632 ++ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
25633 ++ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
25634 ++ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
25635 ++ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
25636 ++ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
25637 ++ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
25638 ++ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
25639 ++ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
25640 ++ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
25641 ++ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
25642 ++ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
25643 ++ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
25644 ++ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
25645 ++ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
25646 ++ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
25647 ++ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
25648 ++ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
25649 ++ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
25650 ++ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
25651 ++ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
25652 ++ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
25653 ++ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
25654 ++ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
25655 ++ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
25656 ++ 0x9d
25657 ++};
25658 ++static const u8 dec_assoc001[] __initconst = {
25659 ++ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
25660 ++ 0x00, 0x00, 0x4e, 0x91
25661 ++};
25662 ++static const u8 dec_nonce001[] __initconst = {
25663 ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08
25664 ++};
25665 ++static const u8 dec_key001[] __initconst = {
25666 ++ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
25667 ++ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
25668 ++ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
25669 ++ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
25670 ++};
25671 ++
25672 ++static const u8 dec_input002[] __initconst = {
25673 ++ 0xea, 0xe0, 0x1e, 0x9e, 0x2c, 0x91, 0xaa, 0xe1,
25674 ++ 0xdb, 0x5d, 0x99, 0x3f, 0x8a, 0xf7, 0x69, 0x92
25675 ++};
25676 ++static const u8 dec_output002[] __initconst = { };
25677 ++static const u8 dec_assoc002[] __initconst = { };
25678 ++static const u8 dec_nonce002[] __initconst = {
25679 ++ 0xca, 0xbf, 0x33, 0x71, 0x32, 0x45, 0x77, 0x8e
25680 ++};
25681 ++static const u8 dec_key002[] __initconst = {
25682 ++ 0x4c, 0xf5, 0x96, 0x83, 0x38, 0xe6, 0xae, 0x7f,
25683 ++ 0x2d, 0x29, 0x25, 0x76, 0xd5, 0x75, 0x27, 0x86,
25684 ++ 0x91, 0x9a, 0x27, 0x7a, 0xfb, 0x46, 0xc5, 0xef,
25685 ++ 0x94, 0x81, 0x79, 0x57, 0x14, 0x59, 0x40, 0x68
25686 ++};
25687 ++
25688 ++static const u8 dec_input003[] __initconst = {
25689 ++ 0xdd, 0x6b, 0x3b, 0x82, 0xce, 0x5a, 0xbd, 0xd6,
25690 ++ 0xa9, 0x35, 0x83, 0xd8, 0x8c, 0x3d, 0x85, 0x77
25691 ++};
25692 ++static const u8 dec_output003[] __initconst = { };
25693 ++static const u8 dec_assoc003[] __initconst = {
25694 ++ 0x33, 0x10, 0x41, 0x12, 0x1f, 0xf3, 0xd2, 0x6b
25695 ++};
25696 ++static const u8 dec_nonce003[] __initconst = {
25697 ++ 0x3d, 0x86, 0xb5, 0x6b, 0xc8, 0xa3, 0x1f, 0x1d
25698 ++};
25699 ++static const u8 dec_key003[] __initconst = {
25700 ++ 0x2d, 0xb0, 0x5d, 0x40, 0xc8, 0xed, 0x44, 0x88,
25701 ++ 0x34, 0xd1, 0x13, 0xaf, 0x57, 0xa1, 0xeb, 0x3a,
25702 ++ 0x2a, 0x80, 0x51, 0x36, 0xec, 0x5b, 0xbc, 0x08,
25703 ++ 0x93, 0x84, 0x21, 0xb5, 0x13, 0x88, 0x3c, 0x0d
25704 ++};
25705 ++
25706 ++static const u8 dec_input004[] __initconst = {
25707 ++ 0xb7, 0x1b, 0xb0, 0x73, 0x59, 0xb0, 0x84, 0xb2,
25708 ++ 0x6d, 0x8e, 0xab, 0x94, 0x31, 0xa1, 0xae, 0xac,
25709 ++ 0x89
25710 ++};
25711 ++static const u8 dec_output004[] __initconst = {
25712 ++ 0xa4
25713 ++};
25714 ++static const u8 dec_assoc004[] __initconst = {
25715 ++ 0x6a, 0xe2, 0xad, 0x3f, 0x88, 0x39, 0x5a, 0x40
25716 ++};
25717 ++static const u8 dec_nonce004[] __initconst = {
25718 ++ 0xd2, 0x32, 0x1f, 0x29, 0x28, 0xc6, 0xc4, 0xc4
25719 ++};
25720 ++static const u8 dec_key004[] __initconst = {
25721 ++ 0x4b, 0x28, 0x4b, 0xa3, 0x7b, 0xbe, 0xe9, 0xf8,
25722 ++ 0x31, 0x80, 0x82, 0xd7, 0xd8, 0xe8, 0xb5, 0xa1,
25723 ++ 0xe2, 0x18, 0x18, 0x8a, 0x9c, 0xfa, 0xa3, 0x3d,
25724 ++ 0x25, 0x71, 0x3e, 0x40, 0xbc, 0x54, 0x7a, 0x3e
25725 ++};
25726 ++
25727 ++static const u8 dec_input005[] __initconst = {
25728 ++ 0xbf, 0xe1, 0x5b, 0x0b, 0xdb, 0x6b, 0xf5, 0x5e,
25729 ++ 0x6c, 0x5d, 0x84, 0x44, 0x39, 0x81, 0xc1, 0x9c,
25730 ++ 0xac
25731 ++};
25732 ++static const u8 dec_output005[] __initconst = {
25733 ++ 0x2d
25734 ++};
25735 ++static const u8 dec_assoc005[] __initconst = { };
25736 ++static const u8 dec_nonce005[] __initconst = {
25737 ++ 0x20, 0x1c, 0xaa, 0x5f, 0x9c, 0xbf, 0x92, 0x30
25738 ++};
25739 ++static const u8 dec_key005[] __initconst = {
25740 ++ 0x66, 0xca, 0x9c, 0x23, 0x2a, 0x4b, 0x4b, 0x31,
25741 ++ 0x0e, 0x92, 0x89, 0x8b, 0xf4, 0x93, 0xc7, 0x87,
25742 ++ 0x98, 0xa3, 0xd8, 0x39, 0xf8, 0xf4, 0xa7, 0x01,
25743 ++ 0xc0, 0x2e, 0x0a, 0xa6, 0x7e, 0x5a, 0x78, 0x87
25744 ++};
25745 ++
25746 ++static const u8 dec_input006[] __initconst = {
25747 ++ 0x8b, 0x06, 0xd3, 0x31, 0xb0, 0x93, 0x45, 0xb1,
25748 ++ 0x75, 0x6e, 0x26, 0xf9, 0x67, 0xbc, 0x90, 0x15,
25749 ++ 0x81, 0x2c, 0xb5, 0xf0, 0xc6, 0x2b, 0xc7, 0x8c,
25750 ++ 0x56, 0xd1, 0xbf, 0x69, 0x6c, 0x07, 0xa0, 0xda,
25751 ++ 0x65, 0x27, 0xc9, 0x90, 0x3d, 0xef, 0x4b, 0x11,
25752 ++ 0x0f, 0x19, 0x07, 0xfd, 0x29, 0x92, 0xd9, 0xc8,
25753 ++ 0xf7, 0x99, 0x2e, 0x4a, 0xd0, 0xb8, 0x2c, 0xdc,
25754 ++ 0x93, 0xf5, 0x9e, 0x33, 0x78, 0xd1, 0x37, 0xc3,
25755 ++ 0x66, 0xd7, 0x5e, 0xbc, 0x44, 0xbf, 0x53, 0xa5,
25756 ++ 0xbc, 0xc4, 0xcb, 0x7b, 0x3a, 0x8e, 0x7f, 0x02,
25757 ++ 0xbd, 0xbb, 0xe7, 0xca, 0xa6, 0x6c, 0x6b, 0x93,
25758 ++ 0x21, 0x93, 0x10, 0x61, 0xe7, 0x69, 0xd0, 0x78,
25759 ++ 0xf3, 0x07, 0x5a, 0x1a, 0x8f, 0x73, 0xaa, 0xb1,
25760 ++ 0x4e, 0xd3, 0xda, 0x4f, 0xf3, 0x32, 0xe1, 0x66,
25761 ++ 0x3e, 0x6c, 0xc6, 0x13, 0xba, 0x06, 0x5b, 0xfc,
25762 ++ 0x6a, 0xe5, 0x6f, 0x60, 0xfb, 0x07, 0x40, 0xb0,
25763 ++ 0x8c, 0x9d, 0x84, 0x43, 0x6b, 0xc1, 0xf7, 0x8d,
25764 ++ 0x8d, 0x31, 0xf7, 0x7a, 0x39, 0x4d, 0x8f, 0x9a,
25765 ++ 0xeb
25766 ++};
25767 ++static const u8 dec_output006[] __initconst = {
25768 ++ 0x33, 0x2f, 0x94, 0xc1, 0xa4, 0xef, 0xcc, 0x2a,
25769 ++ 0x5b, 0xa6, 0xe5, 0x8f, 0x1d, 0x40, 0xf0, 0x92,
25770 ++ 0x3c, 0xd9, 0x24, 0x11, 0xa9, 0x71, 0xf9, 0x37,
25771 ++ 0x14, 0x99, 0xfa, 0xbe, 0xe6, 0x80, 0xde, 0x50,
25772 ++ 0xc9, 0x96, 0xd4, 0xb0, 0xec, 0x9e, 0x17, 0xec,
25773 ++ 0xd2, 0x5e, 0x72, 0x99, 0xfc, 0x0a, 0xe1, 0xcb,
25774 ++ 0x48, 0xd2, 0x85, 0xdd, 0x2f, 0x90, 0xe0, 0x66,
25775 ++ 0x3b, 0xe6, 0x20, 0x74, 0xbe, 0x23, 0x8f, 0xcb,
25776 ++ 0xb4, 0xe4, 0xda, 0x48, 0x40, 0xa6, 0xd1, 0x1b,
25777 ++ 0xc7, 0x42, 0xce, 0x2f, 0x0c, 0xa6, 0x85, 0x6e,
25778 ++ 0x87, 0x37, 0x03, 0xb1, 0x7c, 0x25, 0x96, 0xa3,
25779 ++ 0x05, 0xd8, 0xb0, 0xf4, 0xed, 0xea, 0xc2, 0xf0,
25780 ++ 0x31, 0x98, 0x6c, 0xd1, 0x14, 0x25, 0xc0, 0xcb,
25781 ++ 0x01, 0x74, 0xd0, 0x82, 0xf4, 0x36, 0xf5, 0x41,
25782 ++ 0xd5, 0xdc, 0xca, 0xc5, 0xbb, 0x98, 0xfe, 0xfc,
25783 ++ 0x69, 0x21, 0x70, 0xd8, 0xa4, 0x4b, 0xc8, 0xde,
25784 ++ 0x8f
25785 ++};
25786 ++static const u8 dec_assoc006[] __initconst = {
25787 ++ 0x70, 0xd3, 0x33, 0xf3, 0x8b, 0x18, 0x0b
25788 ++};
25789 ++static const u8 dec_nonce006[] __initconst = {
25790 ++ 0xdf, 0x51, 0x84, 0x82, 0x42, 0x0c, 0x75, 0x9c
25791 ++};
25792 ++static const u8 dec_key006[] __initconst = {
25793 ++ 0x68, 0x7b, 0x8d, 0x8e, 0xe3, 0xc4, 0xdd, 0xae,
25794 ++ 0xdf, 0x72, 0x7f, 0x53, 0x72, 0x25, 0x1e, 0x78,
25795 ++ 0x91, 0xcb, 0x69, 0x76, 0x1f, 0x49, 0x93, 0xf9,
25796 ++ 0x6f, 0x21, 0xcc, 0x39, 0x9c, 0xad, 0xb1, 0x01
25797 ++};
25798 ++
25799 ++static const u8 dec_input007[] __initconst = {
25800 ++ 0x85, 0x04, 0xc2, 0xed, 0x8d, 0xfd, 0x97, 0x5c,
25801 ++ 0xd2, 0xb7, 0xe2, 0xc1, 0x6b, 0xa3, 0xba, 0xf8,
25802 ++ 0xc9, 0x50, 0xc3, 0xc6, 0xa5, 0xe3, 0xa4, 0x7c,
25803 ++ 0xc3, 0x23, 0x49, 0x5e, 0xa9, 0xb9, 0x32, 0xeb,
25804 ++ 0x8a, 0x7c, 0xca, 0xe5, 0xec, 0xfb, 0x7c, 0xc0,
25805 ++ 0xcb, 0x7d, 0xdc, 0x2c, 0x9d, 0x92, 0x55, 0x21,
25806 ++ 0x0a, 0xc8, 0x43, 0x63, 0x59, 0x0a, 0x31, 0x70,
25807 ++ 0x82, 0x67, 0x41, 0x03, 0xf8, 0xdf, 0xf2, 0xac,
25808 ++ 0xa7, 0x02, 0xd4, 0xd5, 0x8a, 0x2d, 0xc8, 0x99,
25809 ++ 0x19, 0x66, 0xd0, 0xf6, 0x88, 0x2c, 0x77, 0xd9,
25810 ++ 0xd4, 0x0d, 0x6c, 0xbd, 0x98, 0xde, 0xe7, 0x7f,
25811 ++ 0xad, 0x7e, 0x8a, 0xfb, 0xe9, 0x4b, 0xe5, 0xf7,
25812 ++ 0xe5, 0x50, 0xa0, 0x90, 0x3f, 0xd6, 0x22, 0x53,
25813 ++ 0xe3, 0xfe, 0x1b, 0xcc, 0x79, 0x3b, 0xec, 0x12,
25814 ++ 0x47, 0x52, 0xa7, 0xd6, 0x04, 0xe3, 0x52, 0xe6,
25815 ++ 0x93, 0x90, 0x91, 0x32, 0x73, 0x79, 0xb8, 0xd0,
25816 ++ 0x31, 0xde, 0x1f, 0x9f, 0x2f, 0x05, 0x38, 0x54,
25817 ++ 0x2f, 0x35, 0x04, 0x39, 0xe0, 0xa7, 0xba, 0xc6,
25818 ++ 0x52, 0xf6, 0x37, 0x65, 0x4c, 0x07, 0xa9, 0x7e,
25819 ++ 0xb3, 0x21, 0x6f, 0x74, 0x8c, 0xc9, 0xde, 0xdb,
25820 ++ 0x65, 0x1b, 0x9b, 0xaa, 0x60, 0xb1, 0x03, 0x30,
25821 ++ 0x6b, 0xb2, 0x03, 0xc4, 0x1c, 0x04, 0xf8, 0x0f,
25822 ++ 0x64, 0xaf, 0x46, 0xe4, 0x65, 0x99, 0x49, 0xe2,
25823 ++ 0xea, 0xce, 0x78, 0x00, 0xd8, 0x8b, 0xd5, 0x2e,
25824 ++ 0xcf, 0xfc, 0x40, 0x49, 0xe8, 0x58, 0xdc, 0x34,
25825 ++ 0x9c, 0x8c, 0x61, 0xbf, 0x0a, 0x8e, 0xec, 0x39,
25826 ++ 0xa9, 0x30, 0x05, 0x5a, 0xd2, 0x56, 0x01, 0xc7,
25827 ++ 0xda, 0x8f, 0x4e, 0xbb, 0x43, 0xa3, 0x3a, 0xf9,
25828 ++ 0x15, 0x2a, 0xd0, 0xa0, 0x7a, 0x87, 0x34, 0x82,
25829 ++ 0xfe, 0x8a, 0xd1, 0x2d, 0x5e, 0xc7, 0xbf, 0x04,
25830 ++ 0x53, 0x5f, 0x3b, 0x36, 0xd4, 0x25, 0x5c, 0x34,
25831 ++ 0x7a, 0x8d, 0xd5, 0x05, 0xce, 0x72, 0xca, 0xef,
25832 ++ 0x7a, 0x4b, 0xbc, 0xb0, 0x10, 0x5c, 0x96, 0x42,
25833 ++ 0x3a, 0x00, 0x98, 0xcd, 0x15, 0xe8, 0xb7, 0x53
25834 ++};
25835 ++static const u8 dec_output007[] __initconst = {
25836 ++ 0x9b, 0x18, 0xdb, 0xdd, 0x9a, 0x0f, 0x3e, 0xa5,
25837 ++ 0x15, 0x17, 0xde, 0xdf, 0x08, 0x9d, 0x65, 0x0a,
25838 ++ 0x67, 0x30, 0x12, 0xe2, 0x34, 0x77, 0x4b, 0xc1,
25839 ++ 0xd9, 0xc6, 0x1f, 0xab, 0xc6, 0x18, 0x50, 0x17,
25840 ++ 0xa7, 0x9d, 0x3c, 0xa6, 0xc5, 0x35, 0x8c, 0x1c,
25841 ++ 0xc0, 0xa1, 0x7c, 0x9f, 0x03, 0x89, 0xca, 0xe1,
25842 ++ 0xe6, 0xe9, 0xd4, 0xd3, 0x88, 0xdb, 0xb4, 0x51,
25843 ++ 0x9d, 0xec, 0xb4, 0xfc, 0x52, 0xee, 0x6d, 0xf1,
25844 ++ 0x75, 0x42, 0xc6, 0xfd, 0xbd, 0x7a, 0x8e, 0x86,
25845 ++ 0xfc, 0x44, 0xb3, 0x4f, 0xf3, 0xea, 0x67, 0x5a,
25846 ++ 0x41, 0x13, 0xba, 0xb0, 0xdc, 0xe1, 0xd3, 0x2a,
25847 ++ 0x7c, 0x22, 0xb3, 0xca, 0xac, 0x6a, 0x37, 0x98,
25848 ++ 0x3e, 0x1d, 0x40, 0x97, 0xf7, 0x9b, 0x1d, 0x36,
25849 ++ 0x6b, 0xb3, 0x28, 0xbd, 0x60, 0x82, 0x47, 0x34,
25850 ++ 0xaa, 0x2f, 0x7d, 0xe9, 0xa8, 0x70, 0x81, 0x57,
25851 ++ 0xd4, 0xb9, 0x77, 0x0a, 0x9d, 0x29, 0xa7, 0x84,
25852 ++ 0x52, 0x4f, 0xc2, 0x4a, 0x40, 0x3b, 0x3c, 0xd4,
25853 ++ 0xc9, 0x2a, 0xdb, 0x4a, 0x53, 0xc4, 0xbe, 0x80,
25854 ++ 0xe9, 0x51, 0x7f, 0x8f, 0xc7, 0xa2, 0xce, 0x82,
25855 ++ 0x5c, 0x91, 0x1e, 0x74, 0xd9, 0xd0, 0xbd, 0xd5,
25856 ++ 0xf3, 0xfd, 0xda, 0x4d, 0x25, 0xb4, 0xbb, 0x2d,
25857 ++ 0xac, 0x2f, 0x3d, 0x71, 0x85, 0x7b, 0xcf, 0x3c,
25858 ++ 0x7b, 0x3e, 0x0e, 0x22, 0x78, 0x0c, 0x29, 0xbf,
25859 ++ 0xe4, 0xf4, 0x57, 0xb3, 0xcb, 0x49, 0xa0, 0xfc,
25860 ++ 0x1e, 0x05, 0x4e, 0x16, 0xbc, 0xd5, 0xa8, 0xa3,
25861 ++ 0xee, 0x05, 0x35, 0xc6, 0x7c, 0xab, 0x60, 0x14,
25862 ++ 0x55, 0x1a, 0x8e, 0xc5, 0x88, 0x5d, 0xd5, 0x81,
25863 ++ 0xc2, 0x81, 0xa5, 0xc4, 0x60, 0xdb, 0xaf, 0x77,
25864 ++ 0x91, 0xe1, 0xce, 0xa2, 0x7e, 0x7f, 0x42, 0xe3,
25865 ++ 0xb0, 0x13, 0x1c, 0x1f, 0x25, 0x60, 0x21, 0xe2,
25866 ++ 0x40, 0x5f, 0x99, 0xb7, 0x73, 0xec, 0x9b, 0x2b,
25867 ++ 0xf0, 0x65, 0x11, 0xc8, 0xd0, 0x0a, 0x9f, 0xd3
25868 ++};
25869 ++static const u8 dec_assoc007[] __initconst = { };
25870 ++static const u8 dec_nonce007[] __initconst = {
25871 ++ 0xde, 0x7b, 0xef, 0xc3, 0x65, 0x1b, 0x68, 0xb0
25872 ++};
25873 ++static const u8 dec_key007[] __initconst = {
25874 ++ 0x8d, 0xb8, 0x91, 0x48, 0xf0, 0xe7, 0x0a, 0xbd,
25875 ++ 0xf9, 0x3f, 0xcd, 0xd9, 0xa0, 0x1e, 0x42, 0x4c,
25876 ++ 0xe7, 0xde, 0x25, 0x3d, 0xa3, 0xd7, 0x05, 0x80,
25877 ++ 0x8d, 0xf2, 0x82, 0xac, 0x44, 0x16, 0x51, 0x01
25878 ++};
25879 ++
25880 ++static const u8 dec_input008[] __initconst = {
25881 ++ 0x14, 0xf6, 0x41, 0x37, 0xa6, 0xd4, 0x27, 0xcd,
25882 ++ 0xdb, 0x06, 0x3e, 0x9a, 0x4e, 0xab, 0xd5, 0xb1,
25883 ++ 0x1e, 0x6b, 0xd2, 0xbc, 0x11, 0xf4, 0x28, 0x93,
25884 ++ 0x63, 0x54, 0xef, 0xbb, 0x5e, 0x1d, 0x3a, 0x1d,
25885 ++ 0x37, 0x3c, 0x0a, 0x6c, 0x1e, 0xc2, 0xd1, 0x2c,
25886 ++ 0xb5, 0xa3, 0xb5, 0x7b, 0xb8, 0x8f, 0x25, 0xa6,
25887 ++ 0x1b, 0x61, 0x1c, 0xec, 0x28, 0x58, 0x26, 0xa4,
25888 ++ 0xa8, 0x33, 0x28, 0x25, 0x5c, 0x45, 0x05, 0xe5,
25889 ++ 0x6c, 0x99, 0xe5, 0x45, 0xc4, 0xa2, 0x03, 0x84,
25890 ++ 0x03, 0x73, 0x1e, 0x8c, 0x49, 0xac, 0x20, 0xdd,
25891 ++ 0x8d, 0xb3, 0xc4, 0xf5, 0xe7, 0x4f, 0xf1, 0xed,
25892 ++ 0xa1, 0x98, 0xde, 0xa4, 0x96, 0xdd, 0x2f, 0xab,
25893 ++ 0xab, 0x97, 0xcf, 0x3e, 0xd2, 0x9e, 0xb8, 0x13,
25894 ++ 0x07, 0x28, 0x29, 0x19, 0xaf, 0xfd, 0xf2, 0x49,
25895 ++ 0x43, 0xea, 0x49, 0x26, 0x91, 0xc1, 0x07, 0xd6,
25896 ++ 0xbb, 0x81, 0x75, 0x35, 0x0d, 0x24, 0x7f, 0xc8,
25897 ++ 0xda, 0xd4, 0xb7, 0xeb, 0xe8, 0x5c, 0x09, 0xa2,
25898 ++ 0x2f, 0xdc, 0x28, 0x7d, 0x3a, 0x03, 0xfa, 0x94,
25899 ++ 0xb5, 0x1d, 0x17, 0x99, 0x36, 0xc3, 0x1c, 0x18,
25900 ++ 0x34, 0xe3, 0x9f, 0xf5, 0x55, 0x7c, 0xb0, 0x60,
25901 ++ 0x9d, 0xff, 0xac, 0xd4, 0x61, 0xf2, 0xad, 0xf8,
25902 ++ 0xce, 0xc7, 0xbe, 0x5c, 0xd2, 0x95, 0xa8, 0x4b,
25903 ++ 0x77, 0x13, 0x19, 0x59, 0x26, 0xc9, 0xb7, 0x8f,
25904 ++ 0x6a, 0xcb, 0x2d, 0x37, 0x91, 0xea, 0x92, 0x9c,
25905 ++ 0x94, 0x5b, 0xda, 0x0b, 0xce, 0xfe, 0x30, 0x20,
25906 ++ 0xf8, 0x51, 0xad, 0xf2, 0xbe, 0xe7, 0xc7, 0xff,
25907 ++ 0xb3, 0x33, 0x91, 0x6a, 0xc9, 0x1a, 0x41, 0xc9,
25908 ++ 0x0f, 0xf3, 0x10, 0x0e, 0xfd, 0x53, 0xff, 0x6c,
25909 ++ 0x16, 0x52, 0xd9, 0xf3, 0xf7, 0x98, 0x2e, 0xc9,
25910 ++ 0x07, 0x31, 0x2c, 0x0c, 0x72, 0xd7, 0xc5, 0xc6,
25911 ++ 0x08, 0x2a, 0x7b, 0xda, 0xbd, 0x7e, 0x02, 0xea,
25912 ++ 0x1a, 0xbb, 0xf2, 0x04, 0x27, 0x61, 0x28, 0x8e,
25913 ++ 0xf5, 0x04, 0x03, 0x1f, 0x4c, 0x07, 0x55, 0x82,
25914 ++ 0xec, 0x1e, 0xd7, 0x8b, 0x2f, 0x65, 0x56, 0xd1,
25915 ++ 0xd9, 0x1e, 0x3c, 0xe9, 0x1f, 0x5e, 0x98, 0x70,
25916 ++ 0x38, 0x4a, 0x8c, 0x49, 0xc5, 0x43, 0xa0, 0xa1,
25917 ++ 0x8b, 0x74, 0x9d, 0x4c, 0x62, 0x0d, 0x10, 0x0c,
25918 ++ 0xf4, 0x6c, 0x8f, 0xe0, 0xaa, 0x9a, 0x8d, 0xb7,
25919 ++ 0xe0, 0xbe, 0x4c, 0x87, 0xf1, 0x98, 0x2f, 0xcc,
25920 ++ 0xed, 0xc0, 0x52, 0x29, 0xdc, 0x83, 0xf8, 0xfc,
25921 ++ 0x2c, 0x0e, 0xa8, 0x51, 0x4d, 0x80, 0x0d, 0xa3,
25922 ++ 0xfe, 0xd8, 0x37, 0xe7, 0x41, 0x24, 0xfc, 0xfb,
25923 ++ 0x75, 0xe3, 0x71, 0x7b, 0x57, 0x45, 0xf5, 0x97,
25924 ++ 0x73, 0x65, 0x63, 0x14, 0x74, 0xb8, 0x82, 0x9f,
25925 ++ 0xf8, 0x60, 0x2f, 0x8a, 0xf2, 0x4e, 0xf1, 0x39,
25926 ++ 0xda, 0x33, 0x91, 0xf8, 0x36, 0xe0, 0x8d, 0x3f,
25927 ++ 0x1f, 0x3b, 0x56, 0xdc, 0xa0, 0x8f, 0x3c, 0x9d,
25928 ++ 0x71, 0x52, 0xa7, 0xb8, 0xc0, 0xa5, 0xc6, 0xa2,
25929 ++ 0x73, 0xda, 0xf4, 0x4b, 0x74, 0x5b, 0x00, 0x3d,
25930 ++ 0x99, 0xd7, 0x96, 0xba, 0xe6, 0xe1, 0xa6, 0x96,
25931 ++ 0x38, 0xad, 0xb3, 0xc0, 0xd2, 0xba, 0x91, 0x6b,
25932 ++ 0xf9, 0x19, 0xdd, 0x3b, 0xbe, 0xbe, 0x9c, 0x20,
25933 ++ 0x50, 0xba, 0xa1, 0xd0, 0xce, 0x11, 0xbd, 0x95,
25934 ++ 0xd8, 0xd1, 0xdd, 0x33, 0x85, 0x74, 0xdc, 0xdb,
25935 ++ 0x66, 0x76, 0x44, 0xdc, 0x03, 0x74, 0x48, 0x35,
25936 ++ 0x98, 0xb1, 0x18, 0x47, 0x94, 0x7d, 0xff, 0x62,
25937 ++ 0xe4, 0x58, 0x78, 0xab, 0xed, 0x95, 0x36, 0xd9,
25938 ++ 0x84, 0x91, 0x82, 0x64, 0x41, 0xbb, 0x58, 0xe6,
25939 ++ 0x1c, 0x20, 0x6d, 0x15, 0x6b, 0x13, 0x96, 0xe8,
25940 ++ 0x35, 0x7f, 0xdc, 0x40, 0x2c, 0xe9, 0xbc, 0x8a,
25941 ++ 0x4f, 0x92, 0xec, 0x06, 0x2d, 0x50, 0xdf, 0x93,
25942 ++ 0x5d, 0x65, 0x5a, 0xa8, 0xfc, 0x20, 0x50, 0x14,
25943 ++ 0xa9, 0x8a, 0x7e, 0x1d, 0x08, 0x1f, 0xe2, 0x99,
25944 ++ 0xd0, 0xbe, 0xfb, 0x3a, 0x21, 0x9d, 0xad, 0x86,
25945 ++ 0x54, 0xfd, 0x0d, 0x98, 0x1c, 0x5a, 0x6f, 0x1f,
25946 ++ 0x9a, 0x40, 0xcd, 0xa2, 0xff, 0x6a, 0xf1, 0x54
25947 ++};
25948 ++static const u8 dec_output008[] __initconst = {
25949 ++ 0xc3, 0x09, 0x94, 0x62, 0xe6, 0x46, 0x2e, 0x10,
25950 ++ 0xbe, 0x00, 0xe4, 0xfc, 0xf3, 0x40, 0xa3, 0xe2,
25951 ++ 0x0f, 0xc2, 0x8b, 0x28, 0xdc, 0xba, 0xb4, 0x3c,
25952 ++ 0xe4, 0x21, 0x58, 0x61, 0xcd, 0x8b, 0xcd, 0xfb,
25953 ++ 0xac, 0x94, 0xa1, 0x45, 0xf5, 0x1c, 0xe1, 0x12,
25954 ++ 0xe0, 0x3b, 0x67, 0x21, 0x54, 0x5e, 0x8c, 0xaa,
25955 ++ 0xcf, 0xdb, 0xb4, 0x51, 0xd4, 0x13, 0xda, 0xe6,
25956 ++ 0x83, 0x89, 0xb6, 0x92, 0xe9, 0x21, 0x76, 0xa4,
25957 ++ 0x93, 0x7d, 0x0e, 0xfd, 0x96, 0x36, 0x03, 0x91,
25958 ++ 0x43, 0x5c, 0x92, 0x49, 0x62, 0x61, 0x7b, 0xeb,
25959 ++ 0x43, 0x89, 0xb8, 0x12, 0x20, 0x43, 0xd4, 0x47,
25960 ++ 0x06, 0x84, 0xee, 0x47, 0xe9, 0x8a, 0x73, 0x15,
25961 ++ 0x0f, 0x72, 0xcf, 0xed, 0xce, 0x96, 0xb2, 0x7f,
25962 ++ 0x21, 0x45, 0x76, 0xeb, 0x26, 0x28, 0x83, 0x6a,
25963 ++ 0xad, 0xaa, 0xa6, 0x81, 0xd8, 0x55, 0xb1, 0xa3,
25964 ++ 0x85, 0xb3, 0x0c, 0xdf, 0xf1, 0x69, 0x2d, 0x97,
25965 ++ 0x05, 0x2a, 0xbc, 0x7c, 0x7b, 0x25, 0xf8, 0x80,
25966 ++ 0x9d, 0x39, 0x25, 0xf3, 0x62, 0xf0, 0x66, 0x5e,
25967 ++ 0xf4, 0xa0, 0xcf, 0xd8, 0xfd, 0x4f, 0xb1, 0x1f,
25968 ++ 0x60, 0x3a, 0x08, 0x47, 0xaf, 0xe1, 0xf6, 0x10,
25969 ++ 0x77, 0x09, 0xa7, 0x27, 0x8f, 0x9a, 0x97, 0x5a,
25970 ++ 0x26, 0xfa, 0xfe, 0x41, 0x32, 0x83, 0x10, 0xe0,
25971 ++ 0x1d, 0xbf, 0x64, 0x0d, 0xf4, 0x1c, 0x32, 0x35,
25972 ++ 0xe5, 0x1b, 0x36, 0xef, 0xd4, 0x4a, 0x93, 0x4d,
25973 ++ 0x00, 0x7c, 0xec, 0x02, 0x07, 0x8b, 0x5d, 0x7d,
25974 ++ 0x1b, 0x0e, 0xd1, 0xa6, 0xa5, 0x5d, 0x7d, 0x57,
25975 ++ 0x88, 0xa8, 0xcc, 0x81, 0xb4, 0x86, 0x4e, 0xb4,
25976 ++ 0x40, 0xe9, 0x1d, 0xc3, 0xb1, 0x24, 0x3e, 0x7f,
25977 ++ 0xcc, 0x8a, 0x24, 0x9b, 0xdf, 0x6d, 0xf0, 0x39,
25978 ++ 0x69, 0x3e, 0x4c, 0xc0, 0x96, 0xe4, 0x13, 0xda,
25979 ++ 0x90, 0xda, 0xf4, 0x95, 0x66, 0x8b, 0x17, 0x17,
25980 ++ 0xfe, 0x39, 0x43, 0x25, 0xaa, 0xda, 0xa0, 0x43,
25981 ++ 0x3c, 0xb1, 0x41, 0x02, 0xa3, 0xf0, 0xa7, 0x19,
25982 ++ 0x59, 0xbc, 0x1d, 0x7d, 0x6c, 0x6d, 0x91, 0x09,
25983 ++ 0x5c, 0xb7, 0x5b, 0x01, 0xd1, 0x6f, 0x17, 0x21,
25984 ++ 0x97, 0xbf, 0x89, 0x71, 0xa5, 0xb0, 0x6e, 0x07,
25985 ++ 0x45, 0xfd, 0x9d, 0xea, 0x07, 0xf6, 0x7a, 0x9f,
25986 ++ 0x10, 0x18, 0x22, 0x30, 0x73, 0xac, 0xd4, 0x6b,
25987 ++ 0x72, 0x44, 0xed, 0xd9, 0x19, 0x9b, 0x2d, 0x4a,
25988 ++ 0x41, 0xdd, 0xd1, 0x85, 0x5e, 0x37, 0x19, 0xed,
25989 ++ 0xd2, 0x15, 0x8f, 0x5e, 0x91, 0xdb, 0x33, 0xf2,
25990 ++ 0xe4, 0xdb, 0xff, 0x98, 0xfb, 0xa3, 0xb5, 0xca,
25991 ++ 0x21, 0x69, 0x08, 0xe7, 0x8a, 0xdf, 0x90, 0xff,
25992 ++ 0x3e, 0xe9, 0x20, 0x86, 0x3c, 0xe9, 0xfc, 0x0b,
25993 ++ 0xfe, 0x5c, 0x61, 0xaa, 0x13, 0x92, 0x7f, 0x7b,
25994 ++ 0xec, 0xe0, 0x6d, 0xa8, 0x23, 0x22, 0xf6, 0x6b,
25995 ++ 0x77, 0xc4, 0xfe, 0x40, 0x07, 0x3b, 0xb6, 0xf6,
25996 ++ 0x8e, 0x5f, 0xd4, 0xb9, 0xb7, 0x0f, 0x21, 0x04,
25997 ++ 0xef, 0x83, 0x63, 0x91, 0x69, 0x40, 0xa3, 0x48,
25998 ++ 0x5c, 0xd2, 0x60, 0xf9, 0x4f, 0x6c, 0x47, 0x8b,
25999 ++ 0x3b, 0xb1, 0x9f, 0x8e, 0xee, 0x16, 0x8a, 0x13,
26000 ++ 0xfc, 0x46, 0x17, 0xc3, 0xc3, 0x32, 0x56, 0xf8,
26001 ++ 0x3c, 0x85, 0x3a, 0xb6, 0x3e, 0xaa, 0x89, 0x4f,
26002 ++ 0xb3, 0xdf, 0x38, 0xfd, 0xf1, 0xe4, 0x3a, 0xc0,
26003 ++ 0xe6, 0x58, 0xb5, 0x8f, 0xc5, 0x29, 0xa2, 0x92,
26004 ++ 0x4a, 0xb6, 0xa0, 0x34, 0x7f, 0xab, 0xb5, 0x8a,
26005 ++ 0x90, 0xa1, 0xdb, 0x4d, 0xca, 0xb6, 0x2c, 0x41,
26006 ++ 0x3c, 0xf7, 0x2b, 0x21, 0xc3, 0xfd, 0xf4, 0x17,
26007 ++ 0x5c, 0xb5, 0x33, 0x17, 0x68, 0x2b, 0x08, 0x30,
26008 ++ 0xf3, 0xf7, 0x30, 0x3c, 0x96, 0xe6, 0x6a, 0x20,
26009 ++ 0x97, 0xe7, 0x4d, 0x10, 0x5f, 0x47, 0x5f, 0x49,
26010 ++ 0x96, 0x09, 0xf0, 0x27, 0x91, 0xc8, 0xf8, 0x5a,
26011 ++ 0x2e, 0x79, 0xb5, 0xe2, 0xb8, 0xe8, 0xb9, 0x7b,
26012 ++ 0xd5, 0x10, 0xcb, 0xff, 0x5d, 0x14, 0x73, 0xf3
26013 ++};
26014 ++static const u8 dec_assoc008[] __initconst = { };
26015 ++static const u8 dec_nonce008[] __initconst = {
26016 ++ 0x0e, 0x0d, 0x57, 0xbb, 0x7b, 0x40, 0x54, 0x02
26017 ++};
26018 ++static const u8 dec_key008[] __initconst = {
26019 ++ 0xf2, 0xaa, 0x4f, 0x99, 0xfd, 0x3e, 0xa8, 0x53,
26020 ++ 0xc1, 0x44, 0xe9, 0x81, 0x18, 0xdc, 0xf5, 0xf0,
26021 ++ 0x3e, 0x44, 0x15, 0x59, 0xe0, 0xc5, 0x44, 0x86,
26022 ++ 0xc3, 0x91, 0xa8, 0x75, 0xc0, 0x12, 0x46, 0xba
26023 ++};
26024 ++
26025 ++static const u8 dec_input009[] __initconst = {
26026 ++ 0xfd, 0x81, 0x8d, 0xd0, 0x3d, 0xb4, 0xd5, 0xdf,
26027 ++ 0xd3, 0x42, 0x47, 0x5a, 0x6d, 0x19, 0x27, 0x66,
26028 ++ 0x4b, 0x2e, 0x0c, 0x27, 0x9c, 0x96, 0x4c, 0x72,
26029 ++ 0x02, 0xa3, 0x65, 0xc3, 0xb3, 0x6f, 0x2e, 0xbd,
26030 ++ 0x63, 0x8a, 0x4a, 0x5d, 0x29, 0xa2, 0xd0, 0x28,
26031 ++ 0x48, 0xc5, 0x3d, 0x98, 0xa3, 0xbc, 0xe0, 0xbe,
26032 ++ 0x3b, 0x3f, 0xe6, 0x8a, 0xa4, 0x7f, 0x53, 0x06,
26033 ++ 0xfa, 0x7f, 0x27, 0x76, 0x72, 0x31, 0xa1, 0xf5,
26034 ++ 0xd6, 0x0c, 0x52, 0x47, 0xba, 0xcd, 0x4f, 0xd7,
26035 ++ 0xeb, 0x05, 0x48, 0x0d, 0x7c, 0x35, 0x4a, 0x09,
26036 ++ 0xc9, 0x76, 0x71, 0x02, 0xa3, 0xfb, 0xb7, 0x1a,
26037 ++ 0x65, 0xb7, 0xed, 0x98, 0xc6, 0x30, 0x8a, 0x00,
26038 ++ 0xae, 0xa1, 0x31, 0xe5, 0xb5, 0x9e, 0x6d, 0x62,
26039 ++ 0xda, 0xda, 0x07, 0x0f, 0x38, 0x38, 0xd3, 0xcb,
26040 ++ 0xc1, 0xb0, 0xad, 0xec, 0x72, 0xec, 0xb1, 0xa2,
26041 ++ 0x7b, 0x59, 0xf3, 0x3d, 0x2b, 0xef, 0xcd, 0x28,
26042 ++ 0x5b, 0x83, 0xcc, 0x18, 0x91, 0x88, 0xb0, 0x2e,
26043 ++ 0xf9, 0x29, 0x31, 0x18, 0xf9, 0x4e, 0xe9, 0x0a,
26044 ++ 0x91, 0x92, 0x9f, 0xae, 0x2d, 0xad, 0xf4, 0xe6,
26045 ++ 0x1a, 0xe2, 0xa4, 0xee, 0x47, 0x15, 0xbf, 0x83,
26046 ++ 0x6e, 0xd7, 0x72, 0x12, 0x3b, 0x2d, 0x24, 0xe9,
26047 ++ 0xb2, 0x55, 0xcb, 0x3c, 0x10, 0xf0, 0x24, 0x8a,
26048 ++ 0x4a, 0x02, 0xea, 0x90, 0x25, 0xf0, 0xb4, 0x79,
26049 ++ 0x3a, 0xef, 0x6e, 0xf5, 0x52, 0xdf, 0xb0, 0x0a,
26050 ++ 0xcd, 0x24, 0x1c, 0xd3, 0x2e, 0x22, 0x74, 0xea,
26051 ++ 0x21, 0x6f, 0xe9, 0xbd, 0xc8, 0x3e, 0x36, 0x5b,
26052 ++ 0x19, 0xf1, 0xca, 0x99, 0x0a, 0xb4, 0xa7, 0x52,
26053 ++ 0x1a, 0x4e, 0xf2, 0xad, 0x8d, 0x56, 0x85, 0xbb,
26054 ++ 0x64, 0x89, 0xba, 0x26, 0xf9, 0xc7, 0xe1, 0x89,
26055 ++ 0x19, 0x22, 0x77, 0xc3, 0xa8, 0xfc, 0xff, 0xad,
26056 ++ 0xfe, 0xb9, 0x48, 0xae, 0x12, 0x30, 0x9f, 0x19,
26057 ++ 0xfb, 0x1b, 0xef, 0x14, 0x87, 0x8a, 0x78, 0x71,
26058 ++ 0xf3, 0xf4, 0xb7, 0x00, 0x9c, 0x1d, 0xb5, 0x3d,
26059 ++ 0x49, 0x00, 0x0c, 0x06, 0xd4, 0x50, 0xf9, 0x54,
26060 ++ 0x45, 0xb2, 0x5b, 0x43, 0xdb, 0x6d, 0xcf, 0x1a,
26061 ++ 0xe9, 0x7a, 0x7a, 0xcf, 0xfc, 0x8a, 0x4e, 0x4d,
26062 ++ 0x0b, 0x07, 0x63, 0x28, 0xd8, 0xe7, 0x08, 0x95,
26063 ++ 0xdf, 0xa6, 0x72, 0x93, 0x2e, 0xbb, 0xa0, 0x42,
26064 ++ 0x89, 0x16, 0xf1, 0xd9, 0x0c, 0xf9, 0xa1, 0x16,
26065 ++ 0xfd, 0xd9, 0x03, 0xb4, 0x3b, 0x8a, 0xf5, 0xf6,
26066 ++ 0xe7, 0x6b, 0x2e, 0x8e, 0x4c, 0x3d, 0xe2, 0xaf,
26067 ++ 0x08, 0x45, 0x03, 0xff, 0x09, 0xb6, 0xeb, 0x2d,
26068 ++ 0xc6, 0x1b, 0x88, 0x94, 0xac, 0x3e, 0xf1, 0x9f,
26069 ++ 0x0e, 0x0e, 0x2b, 0xd5, 0x00, 0x4d, 0x3f, 0x3b,
26070 ++ 0x53, 0xae, 0xaf, 0x1c, 0x33, 0x5f, 0x55, 0x6e,
26071 ++ 0x8d, 0xaf, 0x05, 0x7a, 0x10, 0x34, 0xc9, 0xf4,
26072 ++ 0x66, 0xcb, 0x62, 0x12, 0xa6, 0xee, 0xe8, 0x1c,
26073 ++ 0x5d, 0x12, 0x86, 0xdb, 0x6f, 0x1c, 0x33, 0xc4,
26074 ++ 0x1c, 0xda, 0x82, 0x2d, 0x3b, 0x59, 0xfe, 0xb1,
26075 ++ 0xa4, 0x59, 0x41, 0x86, 0xd0, 0xef, 0xae, 0xfb,
26076 ++ 0xda, 0x6d, 0x11, 0xb8, 0xca, 0xe9, 0x6e, 0xff,
26077 ++ 0xf7, 0xa9, 0xd9, 0x70, 0x30, 0xfc, 0x53, 0xe2,
26078 ++ 0xd7, 0xa2, 0x4e, 0xc7, 0x91, 0xd9, 0x07, 0x06,
26079 ++ 0xaa, 0xdd, 0xb0, 0x59, 0x28, 0x1d, 0x00, 0x66,
26080 ++ 0xc5, 0x54, 0xc2, 0xfc, 0x06, 0xda, 0x05, 0x90,
26081 ++ 0x52, 0x1d, 0x37, 0x66, 0xee, 0xf0, 0xb2, 0x55,
26082 ++ 0x8a, 0x5d, 0xd2, 0x38, 0x86, 0x94, 0x9b, 0xfc,
26083 ++ 0x10, 0x4c, 0xa1, 0xb9, 0x64, 0x3e, 0x44, 0xb8,
26084 ++ 0x5f, 0xb0, 0x0c, 0xec, 0xe0, 0xc9, 0xe5, 0x62,
26085 ++ 0x75, 0x3f, 0x09, 0xd5, 0xf5, 0xd9, 0x26, 0xba,
26086 ++ 0x9e, 0xd2, 0xf4, 0xb9, 0x48, 0x0a, 0xbc, 0xa2,
26087 ++ 0xd6, 0x7c, 0x36, 0x11, 0x7d, 0x26, 0x81, 0x89,
26088 ++ 0xcf, 0xa4, 0xad, 0x73, 0x0e, 0xee, 0xcc, 0x06,
26089 ++ 0xa9, 0xdb, 0xb1, 0xfd, 0xfb, 0x09, 0x7f, 0x90,
26090 ++ 0x42, 0x37, 0x2f, 0xe1, 0x9c, 0x0f, 0x6f, 0xcf,
26091 ++ 0x43, 0xb5, 0xd9, 0x90, 0xe1, 0x85, 0xf5, 0xa8,
26092 ++ 0xae
26093 ++};
26094 ++static const u8 dec_output009[] __initconst = {
26095 ++ 0xe6, 0xc3, 0xdb, 0x63, 0x55, 0x15, 0xe3, 0x5b,
26096 ++ 0xb7, 0x4b, 0x27, 0x8b, 0x5a, 0xdd, 0xc2, 0xe8,
26097 ++ 0x3a, 0x6b, 0xd7, 0x81, 0x96, 0x35, 0x97, 0xca,
26098 ++ 0xd7, 0x68, 0xe8, 0xef, 0xce, 0xab, 0xda, 0x09,
26099 ++ 0x6e, 0xd6, 0x8e, 0xcb, 0x55, 0xb5, 0xe1, 0xe5,
26100 ++ 0x57, 0xfd, 0xc4, 0xe3, 0xe0, 0x18, 0x4f, 0x85,
26101 ++ 0xf5, 0x3f, 0x7e, 0x4b, 0x88, 0xc9, 0x52, 0x44,
26102 ++ 0x0f, 0xea, 0xaf, 0x1f, 0x71, 0x48, 0x9f, 0x97,
26103 ++ 0x6d, 0xb9, 0x6f, 0x00, 0xa6, 0xde, 0x2b, 0x77,
26104 ++ 0x8b, 0x15, 0xad, 0x10, 0xa0, 0x2b, 0x7b, 0x41,
26105 ++ 0x90, 0x03, 0x2d, 0x69, 0xae, 0xcc, 0x77, 0x7c,
26106 ++ 0xa5, 0x9d, 0x29, 0x22, 0xc2, 0xea, 0xb4, 0x00,
26107 ++ 0x1a, 0xd2, 0x7a, 0x98, 0x8a, 0xf9, 0xf7, 0x82,
26108 ++ 0xb0, 0xab, 0xd8, 0xa6, 0x94, 0x8d, 0x58, 0x2f,
26109 ++ 0x01, 0x9e, 0x00, 0x20, 0xfc, 0x49, 0xdc, 0x0e,
26110 ++ 0x03, 0xe8, 0x45, 0x10, 0xd6, 0xa8, 0xda, 0x55,
26111 ++ 0x10, 0x9a, 0xdf, 0x67, 0x22, 0x8b, 0x43, 0xab,
26112 ++ 0x00, 0xbb, 0x02, 0xc8, 0xdd, 0x7b, 0x97, 0x17,
26113 ++ 0xd7, 0x1d, 0x9e, 0x02, 0x5e, 0x48, 0xde, 0x8e,
26114 ++ 0xcf, 0x99, 0x07, 0x95, 0x92, 0x3c, 0x5f, 0x9f,
26115 ++ 0xc5, 0x8a, 0xc0, 0x23, 0xaa, 0xd5, 0x8c, 0x82,
26116 ++ 0x6e, 0x16, 0x92, 0xb1, 0x12, 0x17, 0x07, 0xc3,
26117 ++ 0xfb, 0x36, 0xf5, 0x6c, 0x35, 0xd6, 0x06, 0x1f,
26118 ++ 0x9f, 0xa7, 0x94, 0xa2, 0x38, 0x63, 0x9c, 0xb0,
26119 ++ 0x71, 0xb3, 0xa5, 0xd2, 0xd8, 0xba, 0x9f, 0x08,
26120 ++ 0x01, 0xb3, 0xff, 0x04, 0x97, 0x73, 0x45, 0x1b,
26121 ++ 0xd5, 0xa9, 0x9c, 0x80, 0xaf, 0x04, 0x9a, 0x85,
26122 ++ 0xdb, 0x32, 0x5b, 0x5d, 0x1a, 0xc1, 0x36, 0x28,
26123 ++ 0x10, 0x79, 0xf1, 0x3c, 0xbf, 0x1a, 0x41, 0x5c,
26124 ++ 0x4e, 0xdf, 0xb2, 0x7c, 0x79, 0x3b, 0x7a, 0x62,
26125 ++ 0x3d, 0x4b, 0xc9, 0x9b, 0x2a, 0x2e, 0x7c, 0xa2,
26126 ++ 0xb1, 0x11, 0x98, 0xa7, 0x34, 0x1a, 0x00, 0xf3,
26127 ++ 0xd1, 0xbc, 0x18, 0x22, 0xba, 0x02, 0x56, 0x62,
26128 ++ 0x31, 0x10, 0x11, 0x6d, 0xe0, 0x54, 0x9d, 0x40,
26129 ++ 0x1f, 0x26, 0x80, 0x41, 0xca, 0x3f, 0x68, 0x0f,
26130 ++ 0x32, 0x1d, 0x0a, 0x8e, 0x79, 0xd8, 0xa4, 0x1b,
26131 ++ 0x29, 0x1c, 0x90, 0x8e, 0xc5, 0xe3, 0xb4, 0x91,
26132 ++ 0x37, 0x9a, 0x97, 0x86, 0x99, 0xd5, 0x09, 0xc5,
26133 ++ 0xbb, 0xa3, 0x3f, 0x21, 0x29, 0x82, 0x14, 0x5c,
26134 ++ 0xab, 0x25, 0xfb, 0xf2, 0x4f, 0x58, 0x26, 0xd4,
26135 ++ 0x83, 0xaa, 0x66, 0x89, 0x67, 0x7e, 0xc0, 0x49,
26136 ++ 0xe1, 0x11, 0x10, 0x7f, 0x7a, 0xda, 0x29, 0x04,
26137 ++ 0xff, 0xf0, 0xcb, 0x09, 0x7c, 0x9d, 0xfa, 0x03,
26138 ++ 0x6f, 0x81, 0x09, 0x31, 0x60, 0xfb, 0x08, 0xfa,
26139 ++ 0x74, 0xd3, 0x64, 0x44, 0x7c, 0x55, 0x85, 0xec,
26140 ++ 0x9c, 0x6e, 0x25, 0xb7, 0x6c, 0xc5, 0x37, 0xb6,
26141 ++ 0x83, 0x87, 0x72, 0x95, 0x8b, 0x9d, 0xe1, 0x69,
26142 ++ 0x5c, 0x31, 0x95, 0x42, 0xa6, 0x2c, 0xd1, 0x36,
26143 ++ 0x47, 0x1f, 0xec, 0x54, 0xab, 0xa2, 0x1c, 0xd8,
26144 ++ 0x00, 0xcc, 0xbc, 0x0d, 0x65, 0xe2, 0x67, 0xbf,
26145 ++ 0xbc, 0xea, 0xee, 0x9e, 0xe4, 0x36, 0x95, 0xbe,
26146 ++ 0x73, 0xd9, 0xa6, 0xd9, 0x0f, 0xa0, 0xcc, 0x82,
26147 ++ 0x76, 0x26, 0xad, 0x5b, 0x58, 0x6c, 0x4e, 0xab,
26148 ++ 0x29, 0x64, 0xd3, 0xd9, 0xa9, 0x08, 0x8c, 0x1d,
26149 ++ 0xa1, 0x4f, 0x80, 0xd8, 0x3f, 0x94, 0xfb, 0xd3,
26150 ++ 0x7b, 0xfc, 0xd1, 0x2b, 0xc3, 0x21, 0xeb, 0xe5,
26151 ++ 0x1c, 0x84, 0x23, 0x7f, 0x4b, 0xfa, 0xdb, 0x34,
26152 ++ 0x18, 0xa2, 0xc2, 0xe5, 0x13, 0xfe, 0x6c, 0x49,
26153 ++ 0x81, 0xd2, 0x73, 0xe7, 0xe2, 0xd7, 0xe4, 0x4f,
26154 ++ 0x4b, 0x08, 0x6e, 0xb1, 0x12, 0x22, 0x10, 0x9d,
26155 ++ 0xac, 0x51, 0x1e, 0x17, 0xd9, 0x8a, 0x0b, 0x42,
26156 ++ 0x88, 0x16, 0x81, 0x37, 0x7c, 0x6a, 0xf7, 0xef,
26157 ++ 0x2d, 0xe3, 0xd9, 0xf8, 0x5f, 0xe0, 0x53, 0x27,
26158 ++ 0x74, 0xb9, 0xe2, 0xd6, 0x1c, 0x80, 0x2c, 0x52,
26159 ++ 0x65
26160 ++};
26161 ++static const u8 dec_assoc009[] __initconst = {
26162 ++ 0x5a, 0x27, 0xff, 0xeb, 0xdf, 0x84, 0xb2, 0x9e,
26163 ++ 0xef
26164 ++};
26165 ++static const u8 dec_nonce009[] __initconst = {
26166 ++ 0xef, 0x2d, 0x63, 0xee, 0x6b, 0x80, 0x8b, 0x78
26167 ++};
26168 ++static const u8 dec_key009[] __initconst = {
26169 ++ 0xea, 0xbc, 0x56, 0x99, 0xe3, 0x50, 0xff, 0xc5,
26170 ++ 0xcc, 0x1a, 0xd7, 0xc1, 0x57, 0x72, 0xea, 0x86,
26171 ++ 0x5b, 0x89, 0x88, 0x61, 0x3d, 0x2f, 0x9b, 0xb2,
26172 ++ 0xe7, 0x9c, 0xec, 0x74, 0x6e, 0x3e, 0xf4, 0x3b
26173 ++};
26174 ++
26175 ++static const u8 dec_input010[] __initconst = {
26176 ++ 0xe5, 0x26, 0xa4, 0x3d, 0xbd, 0x33, 0xd0, 0x4b,
26177 ++ 0x6f, 0x05, 0xa7, 0x6e, 0x12, 0x7a, 0xd2, 0x74,
26178 ++ 0xa6, 0xdd, 0xbd, 0x95, 0xeb, 0xf9, 0xa4, 0xf1,
26179 ++ 0x59, 0x93, 0x91, 0x70, 0xd9, 0xfe, 0x9a, 0xcd,
26180 ++ 0x53, 0x1f, 0x3a, 0xab, 0xa6, 0x7c, 0x9f, 0xa6,
26181 ++ 0x9e, 0xbd, 0x99, 0xd9, 0xb5, 0x97, 0x44, 0xd5,
26182 ++ 0x14, 0x48, 0x4d, 0x9d, 0xc0, 0xd0, 0x05, 0x96,
26183 ++ 0xeb, 0x4c, 0x78, 0x55, 0x09, 0x08, 0x01, 0x02,
26184 ++ 0x30, 0x90, 0x7b, 0x96, 0x7a, 0x7b, 0x5f, 0x30,
26185 ++ 0x41, 0x24, 0xce, 0x68, 0x61, 0x49, 0x86, 0x57,
26186 ++ 0x82, 0xdd, 0x53, 0x1c, 0x51, 0x28, 0x2b, 0x53,
26187 ++ 0x6e, 0x2d, 0xc2, 0x20, 0x4c, 0xdd, 0x8f, 0x65,
26188 ++ 0x10, 0x20, 0x50, 0xdd, 0x9d, 0x50, 0xe5, 0x71,
26189 ++ 0x40, 0x53, 0x69, 0xfc, 0x77, 0x48, 0x11, 0xb9,
26190 ++ 0xde, 0xa4, 0x8d, 0x58, 0xe4, 0xa6, 0x1a, 0x18,
26191 ++ 0x47, 0x81, 0x7e, 0xfc, 0xdd, 0xf6, 0xef, 0xce,
26192 ++ 0x2f, 0x43, 0x68, 0xd6, 0x06, 0xe2, 0x74, 0x6a,
26193 ++ 0xad, 0x90, 0xf5, 0x37, 0xf3, 0x3d, 0x82, 0x69,
26194 ++ 0x40, 0xe9, 0x6b, 0xa7, 0x3d, 0xa8, 0x1e, 0xd2,
26195 ++ 0x02, 0x7c, 0xb7, 0x9b, 0xe4, 0xda, 0x8f, 0x95,
26196 ++ 0x06, 0xc5, 0xdf, 0x73, 0xa3, 0x20, 0x9a, 0x49,
26197 ++ 0xde, 0x9c, 0xbc, 0xee, 0x14, 0x3f, 0x81, 0x5e,
26198 ++ 0xf8, 0x3b, 0x59, 0x3c, 0xe1, 0x68, 0x12, 0x5a,
26199 ++ 0x3a, 0x76, 0x3a, 0x3f, 0xf7, 0x87, 0x33, 0x0a,
26200 ++ 0x01, 0xb8, 0xd4, 0xed, 0xb6, 0xbe, 0x94, 0x5e,
26201 ++ 0x70, 0x40, 0x56, 0x67, 0x1f, 0x50, 0x44, 0x19,
26202 ++ 0xce, 0x82, 0x70, 0x10, 0x87, 0x13, 0x20, 0x0b,
26203 ++ 0x4c, 0x5a, 0xb6, 0xf6, 0xa7, 0xae, 0x81, 0x75,
26204 ++ 0x01, 0x81, 0xe6, 0x4b, 0x57, 0x7c, 0xdd, 0x6d,
26205 ++ 0xf8, 0x1c, 0x29, 0x32, 0xf7, 0xda, 0x3c, 0x2d,
26206 ++ 0xf8, 0x9b, 0x25, 0x6e, 0x00, 0xb4, 0xf7, 0x2f,
26207 ++ 0xf7, 0x04, 0xf7, 0xa1, 0x56, 0xac, 0x4f, 0x1a,
26208 ++ 0x64, 0xb8, 0x47, 0x55, 0x18, 0x7b, 0x07, 0x4d,
26209 ++ 0xbd, 0x47, 0x24, 0x80, 0x5d, 0xa2, 0x70, 0xc5,
26210 ++ 0xdd, 0x8e, 0x82, 0xd4, 0xeb, 0xec, 0xb2, 0x0c,
26211 ++ 0x39, 0xd2, 0x97, 0xc1, 0xcb, 0xeb, 0xf4, 0x77,
26212 ++ 0x59, 0xb4, 0x87, 0xef, 0xcb, 0x43, 0x2d, 0x46,
26213 ++ 0x54, 0xd1, 0xa7, 0xd7, 0x15, 0x99, 0x0a, 0x43,
26214 ++ 0xa1, 0xe0, 0x99, 0x33, 0x71, 0xc1, 0xed, 0xfe,
26215 ++ 0x72, 0x46, 0x33, 0x8e, 0x91, 0x08, 0x9f, 0xc8,
26216 ++ 0x2e, 0xca, 0xfa, 0xdc, 0x59, 0xd5, 0xc3, 0x76,
26217 ++ 0x84, 0x9f, 0xa3, 0x37, 0x68, 0xc3, 0xf0, 0x47,
26218 ++ 0x2c, 0x68, 0xdb, 0x5e, 0xc3, 0x49, 0x4c, 0xe8,
26219 ++ 0x92, 0x85, 0xe2, 0x23, 0xd3, 0x3f, 0xad, 0x32,
26220 ++ 0xe5, 0x2b, 0x82, 0xd7, 0x8f, 0x99, 0x0a, 0x59,
26221 ++ 0x5c, 0x45, 0xd9, 0xb4, 0x51, 0x52, 0xc2, 0xae,
26222 ++ 0xbf, 0x80, 0xcf, 0xc9, 0xc9, 0x51, 0x24, 0x2a,
26223 ++ 0x3b, 0x3a, 0x4d, 0xae, 0xeb, 0xbd, 0x22, 0xc3,
26224 ++ 0x0e, 0x0f, 0x59, 0x25, 0x92, 0x17, 0xe9, 0x74,
26225 ++ 0xc7, 0x8b, 0x70, 0x70, 0x36, 0x55, 0x95, 0x75,
26226 ++ 0x4b, 0xad, 0x61, 0x2b, 0x09, 0xbc, 0x82, 0xf2,
26227 ++ 0x6e, 0x94, 0x43, 0xae, 0xc3, 0xd5, 0xcd, 0x8e,
26228 ++ 0xfe, 0x5b, 0x9a, 0x88, 0x43, 0x01, 0x75, 0xb2,
26229 ++ 0x23, 0x09, 0xf7, 0x89, 0x83, 0xe7, 0xfa, 0xf9,
26230 ++ 0xb4, 0x9b, 0xf8, 0xef, 0xbd, 0x1c, 0x92, 0xc1,
26231 ++ 0xda, 0x7e, 0xfe, 0x05, 0xba, 0x5a, 0xcd, 0x07,
26232 ++ 0x6a, 0x78, 0x9e, 0x5d, 0xfb, 0x11, 0x2f, 0x79,
26233 ++ 0x38, 0xb6, 0xc2, 0x5b, 0x6b, 0x51, 0xb4, 0x71,
26234 ++ 0xdd, 0xf7, 0x2a, 0xe4, 0xf4, 0x72, 0x76, 0xad,
26235 ++ 0xc2, 0xdd, 0x64, 0x5d, 0x79, 0xb6, 0xf5, 0x7a,
26236 ++ 0x77, 0x20, 0x05, 0x3d, 0x30, 0x06, 0xd4, 0x4c,
26237 ++ 0x0a, 0x2c, 0x98, 0x5a, 0xb9, 0xd4, 0x98, 0xa9,
26238 ++ 0x3f, 0xc6, 0x12, 0xea, 0x3b, 0x4b, 0xc5, 0x79,
26239 ++ 0x64, 0x63, 0x6b, 0x09, 0x54, 0x3b, 0x14, 0x27,
26240 ++ 0xba, 0x99, 0x80, 0xc8, 0x72, 0xa8, 0x12, 0x90,
26241 ++ 0x29, 0xba, 0x40, 0x54, 0x97, 0x2b, 0x7b, 0xfe,
26242 ++ 0xeb, 0xcd, 0x01, 0x05, 0x44, 0x72, 0xdb, 0x99,
26243 ++ 0xe4, 0x61, 0xc9, 0x69, 0xd6, 0xb9, 0x28, 0xd1,
26244 ++ 0x05, 0x3e, 0xf9, 0x0b, 0x49, 0x0a, 0x49, 0xe9,
26245 ++ 0x8d, 0x0e, 0xa7, 0x4a, 0x0f, 0xaf, 0x32, 0xd0,
26246 ++ 0xe0, 0xb2, 0x3a, 0x55, 0x58, 0xfe, 0x5c, 0x28,
26247 ++ 0x70, 0x51, 0x23, 0xb0, 0x7b, 0x6a, 0x5f, 0x1e,
26248 ++ 0xb8, 0x17, 0xd7, 0x94, 0x15, 0x8f, 0xee, 0x20,
26249 ++ 0xc7, 0x42, 0x25, 0x3e, 0x9a, 0x14, 0xd7, 0x60,
26250 ++ 0x72, 0x39, 0x47, 0x48, 0xa9, 0xfe, 0xdd, 0x47,
26251 ++ 0x0a, 0xb1, 0xe6, 0x60, 0x28, 0x8c, 0x11, 0x68,
26252 ++ 0xe1, 0xff, 0xd7, 0xce, 0xc8, 0xbe, 0xb3, 0xfe,
26253 ++ 0x27, 0x30, 0x09, 0x70, 0xd7, 0xfa, 0x02, 0x33,
26254 ++ 0x3a, 0x61, 0x2e, 0xc7, 0xff, 0xa4, 0x2a, 0xa8,
26255 ++ 0x6e, 0xb4, 0x79, 0x35, 0x6d, 0x4c, 0x1e, 0x38,
26256 ++ 0xf8, 0xee, 0xd4, 0x84, 0x4e, 0x6e, 0x28, 0xa7,
26257 ++ 0xce, 0xc8, 0xc1, 0xcf, 0x80, 0x05, 0xf3, 0x04,
26258 ++ 0xef, 0xc8, 0x18, 0x28, 0x2e, 0x8d, 0x5e, 0x0c,
26259 ++ 0xdf, 0xb8, 0x5f, 0x96, 0xe8, 0xc6, 0x9c, 0x2f,
26260 ++ 0xe5, 0xa6, 0x44, 0xd7, 0xe7, 0x99, 0x44, 0x0c,
26261 ++ 0xec, 0xd7, 0x05, 0x60, 0x97, 0xbb, 0x74, 0x77,
26262 ++ 0x58, 0xd5, 0xbb, 0x48, 0xde, 0x5a, 0xb2, 0x54,
26263 ++ 0x7f, 0x0e, 0x46, 0x70, 0x6a, 0x6f, 0x78, 0xa5,
26264 ++ 0x08, 0x89, 0x05, 0x4e, 0x7e, 0xa0, 0x69, 0xb4,
26265 ++ 0x40, 0x60, 0x55, 0x77, 0x75, 0x9b, 0x19, 0xf2,
26266 ++ 0xd5, 0x13, 0x80, 0x77, 0xf9, 0x4b, 0x3f, 0x1e,
26267 ++ 0xee, 0xe6, 0x76, 0x84, 0x7b, 0x8c, 0xe5, 0x27,
26268 ++ 0xa8, 0x0a, 0x91, 0x01, 0x68, 0x71, 0x8a, 0x3f,
26269 ++ 0x06, 0xab, 0xf6, 0xa9, 0xa5, 0xe6, 0x72, 0x92,
26270 ++ 0xe4, 0x67, 0xe2, 0xa2, 0x46, 0x35, 0x84, 0x55,
26271 ++ 0x7d, 0xca, 0xa8, 0x85, 0xd0, 0xf1, 0x3f, 0xbe,
26272 ++ 0xd7, 0x34, 0x64, 0xfc, 0xae, 0xe3, 0xe4, 0x04,
26273 ++ 0x9f, 0x66, 0x02, 0xb9, 0x88, 0x10, 0xd9, 0xc4,
26274 ++ 0x4c, 0x31, 0x43, 0x7a, 0x93, 0xe2, 0x9b, 0x56,
26275 ++ 0x43, 0x84, 0xdc, 0xdc, 0xde, 0x1d, 0xa4, 0x02,
26276 ++ 0x0e, 0xc2, 0xef, 0xc3, 0xf8, 0x78, 0xd1, 0xb2,
26277 ++ 0x6b, 0x63, 0x18, 0xc9, 0xa9, 0xe5, 0x72, 0xd8,
26278 ++ 0xf3, 0xb9, 0xd1, 0x8a, 0xc7, 0x1a, 0x02, 0x27,
26279 ++ 0x20, 0x77, 0x10, 0xe5, 0xc8, 0xd4, 0x4a, 0x47,
26280 ++ 0xe5, 0xdf, 0x5f, 0x01, 0xaa, 0xb0, 0xd4, 0x10,
26281 ++ 0xbb, 0x69, 0xe3, 0x36, 0xc8, 0xe1, 0x3d, 0x43,
26282 ++ 0xfb, 0x86, 0xcd, 0xcc, 0xbf, 0xf4, 0x88, 0xe0,
26283 ++ 0x20, 0xca, 0xb7, 0x1b, 0xf1, 0x2f, 0x5c, 0xee,
26284 ++ 0xd4, 0xd3, 0xa3, 0xcc, 0xa4, 0x1e, 0x1c, 0x47,
26285 ++ 0xfb, 0xbf, 0xfc, 0xa2, 0x41, 0x55, 0x9d, 0xf6,
26286 ++ 0x5a, 0x5e, 0x65, 0x32, 0x34, 0x7b, 0x52, 0x8d,
26287 ++ 0xd5, 0xd0, 0x20, 0x60, 0x03, 0xab, 0x3f, 0x8c,
26288 ++ 0xd4, 0x21, 0xea, 0x2a, 0xd9, 0xc4, 0xd0, 0xd3,
26289 ++ 0x65, 0xd8, 0x7a, 0x13, 0x28, 0x62, 0x32, 0x4b,
26290 ++ 0x2c, 0x87, 0x93, 0xa8, 0xb4, 0x52, 0x45, 0x09,
26291 ++ 0x44, 0xec, 0xec, 0xc3, 0x17, 0xdb, 0x9a, 0x4d,
26292 ++ 0x5c, 0xa9, 0x11, 0xd4, 0x7d, 0xaf, 0x9e, 0xf1,
26293 ++ 0x2d, 0xb2, 0x66, 0xc5, 0x1d, 0xed, 0xb7, 0xcd,
26294 ++ 0x0b, 0x25, 0x5e, 0x30, 0x47, 0x3f, 0x40, 0xf4,
26295 ++ 0xa1, 0xa0, 0x00, 0x94, 0x10, 0xc5, 0x6a, 0x63,
26296 ++ 0x1a, 0xd5, 0x88, 0x92, 0x8e, 0x82, 0x39, 0x87,
26297 ++ 0x3c, 0x78, 0x65, 0x58, 0x42, 0x75, 0x5b, 0xdd,
26298 ++ 0x77, 0x3e, 0x09, 0x4e, 0x76, 0x5b, 0xe6, 0x0e,
26299 ++ 0x4d, 0x38, 0xb2, 0xc0, 0xb8, 0x95, 0x01, 0x7a,
26300 ++ 0x10, 0xe0, 0xfb, 0x07, 0xf2, 0xab, 0x2d, 0x8c,
26301 ++ 0x32, 0xed, 0x2b, 0xc0, 0x46, 0xc2, 0xf5, 0x38,
26302 ++ 0x83, 0xf0, 0x17, 0xec, 0xc1, 0x20, 0x6a, 0x9a,
26303 ++ 0x0b, 0x00, 0xa0, 0x98, 0x22, 0x50, 0x23, 0xd5,
26304 ++ 0x80, 0x6b, 0xf6, 0x1f, 0xc3, 0xcc, 0x97, 0xc9,
26305 ++ 0x24, 0x9f, 0xf3, 0xaf, 0x43, 0x14, 0xd5, 0xa0
26306 ++};
26307 ++static const u8 dec_output010[] __initconst = {
26308 ++ 0x42, 0x93, 0xe4, 0xeb, 0x97, 0xb0, 0x57, 0xbf,
26309 ++ 0x1a, 0x8b, 0x1f, 0xe4, 0x5f, 0x36, 0x20, 0x3c,
26310 ++ 0xef, 0x0a, 0xa9, 0x48, 0x5f, 0x5f, 0x37, 0x22,
26311 ++ 0x3a, 0xde, 0xe3, 0xae, 0xbe, 0xad, 0x07, 0xcc,
26312 ++ 0xb1, 0xf6, 0xf5, 0xf9, 0x56, 0xdd, 0xe7, 0x16,
26313 ++ 0x1e, 0x7f, 0xdf, 0x7a, 0x9e, 0x75, 0xb7, 0xc7,
26314 ++ 0xbe, 0xbe, 0x8a, 0x36, 0x04, 0xc0, 0x10, 0xf4,
26315 ++ 0x95, 0x20, 0x03, 0xec, 0xdc, 0x05, 0xa1, 0x7d,
26316 ++ 0xc4, 0xa9, 0x2c, 0x82, 0xd0, 0xbc, 0x8b, 0xc5,
26317 ++ 0xc7, 0x45, 0x50, 0xf6, 0xa2, 0x1a, 0xb5, 0x46,
26318 ++ 0x3b, 0x73, 0x02, 0xa6, 0x83, 0x4b, 0x73, 0x82,
26319 ++ 0x58, 0x5e, 0x3b, 0x65, 0x2f, 0x0e, 0xfd, 0x2b,
26320 ++ 0x59, 0x16, 0xce, 0xa1, 0x60, 0x9c, 0xe8, 0x3a,
26321 ++ 0x99, 0xed, 0x8d, 0x5a, 0xcf, 0xf6, 0x83, 0xaf,
26322 ++ 0xba, 0xd7, 0x73, 0x73, 0x40, 0x97, 0x3d, 0xca,
26323 ++ 0xef, 0x07, 0x57, 0xe6, 0xd9, 0x70, 0x0e, 0x95,
26324 ++ 0xae, 0xa6, 0x8d, 0x04, 0xcc, 0xee, 0xf7, 0x09,
26325 ++ 0x31, 0x77, 0x12, 0xa3, 0x23, 0x97, 0x62, 0xb3,
26326 ++ 0x7b, 0x32, 0xfb, 0x80, 0x14, 0x48, 0x81, 0xc3,
26327 ++ 0xe5, 0xea, 0x91, 0x39, 0x52, 0x81, 0xa2, 0x4f,
26328 ++ 0xe4, 0xb3, 0x09, 0xff, 0xde, 0x5e, 0xe9, 0x58,
26329 ++ 0x84, 0x6e, 0xf9, 0x3d, 0xdf, 0x25, 0xea, 0xad,
26330 ++ 0xae, 0xe6, 0x9a, 0xd1, 0x89, 0x55, 0xd3, 0xde,
26331 ++ 0x6c, 0x52, 0xdb, 0x70, 0xfe, 0x37, 0xce, 0x44,
26332 ++ 0x0a, 0xa8, 0x25, 0x5f, 0x92, 0xc1, 0x33, 0x4a,
26333 ++ 0x4f, 0x9b, 0x62, 0x35, 0xff, 0xce, 0xc0, 0xa9,
26334 ++ 0x60, 0xce, 0x52, 0x00, 0x97, 0x51, 0x35, 0x26,
26335 ++ 0x2e, 0xb9, 0x36, 0xa9, 0x87, 0x6e, 0x1e, 0xcc,
26336 ++ 0x91, 0x78, 0x53, 0x98, 0x86, 0x5b, 0x9c, 0x74,
26337 ++ 0x7d, 0x88, 0x33, 0xe1, 0xdf, 0x37, 0x69, 0x2b,
26338 ++ 0xbb, 0xf1, 0x4d, 0xf4, 0xd1, 0xf1, 0x39, 0x93,
26339 ++ 0x17, 0x51, 0x19, 0xe3, 0x19, 0x1e, 0x76, 0x37,
26340 ++ 0x25, 0xfb, 0x09, 0x27, 0x6a, 0xab, 0x67, 0x6f,
26341 ++ 0x14, 0x12, 0x64, 0xe7, 0xc4, 0x07, 0xdf, 0x4d,
26342 ++ 0x17, 0xbb, 0x6d, 0xe0, 0xe9, 0xb9, 0xab, 0xca,
26343 ++ 0x10, 0x68, 0xaf, 0x7e, 0xb7, 0x33, 0x54, 0x73,
26344 ++ 0x07, 0x6e, 0xf7, 0x81, 0x97, 0x9c, 0x05, 0x6f,
26345 ++ 0x84, 0x5f, 0xd2, 0x42, 0xfb, 0x38, 0xcf, 0xd1,
26346 ++ 0x2f, 0x14, 0x30, 0x88, 0x98, 0x4d, 0x5a, 0xa9,
26347 ++ 0x76, 0xd5, 0x4f, 0x3e, 0x70, 0x6c, 0x85, 0x76,
26348 ++ 0xd7, 0x01, 0xa0, 0x1a, 0xc8, 0x4e, 0xaa, 0xac,
26349 ++ 0x78, 0xfe, 0x46, 0xde, 0x6a, 0x05, 0x46, 0xa7,
26350 ++ 0x43, 0x0c, 0xb9, 0xde, 0xb9, 0x68, 0xfb, 0xce,
26351 ++ 0x42, 0x99, 0x07, 0x4d, 0x0b, 0x3b, 0x5a, 0x30,
26352 ++ 0x35, 0xa8, 0xf9, 0x3a, 0x73, 0xef, 0x0f, 0xdb,
26353 ++ 0x1e, 0x16, 0x42, 0xc4, 0xba, 0xae, 0x58, 0xaa,
26354 ++ 0xf8, 0xe5, 0x75, 0x2f, 0x1b, 0x15, 0x5c, 0xfd,
26355 ++ 0x0a, 0x97, 0xd0, 0xe4, 0x37, 0x83, 0x61, 0x5f,
26356 ++ 0x43, 0xa6, 0xc7, 0x3f, 0x38, 0x59, 0xe6, 0xeb,
26357 ++ 0xa3, 0x90, 0xc3, 0xaa, 0xaa, 0x5a, 0xd3, 0x34,
26358 ++ 0xd4, 0x17, 0xc8, 0x65, 0x3e, 0x57, 0xbc, 0x5e,
26359 ++ 0xdd, 0x9e, 0xb7, 0xf0, 0x2e, 0x5b, 0xb2, 0x1f,
26360 ++ 0x8a, 0x08, 0x0d, 0x45, 0x91, 0x0b, 0x29, 0x53,
26361 ++ 0x4f, 0x4c, 0x5a, 0x73, 0x56, 0xfe, 0xaf, 0x41,
26362 ++ 0x01, 0x39, 0x0a, 0x24, 0x3c, 0x7e, 0xbe, 0x4e,
26363 ++ 0x53, 0xf3, 0xeb, 0x06, 0x66, 0x51, 0x28, 0x1d,
26364 ++ 0xbd, 0x41, 0x0a, 0x01, 0xab, 0x16, 0x47, 0x27,
26365 ++ 0x47, 0x47, 0xf7, 0xcb, 0x46, 0x0a, 0x70, 0x9e,
26366 ++ 0x01, 0x9c, 0x09, 0xe1, 0x2a, 0x00, 0x1a, 0xd8,
26367 ++ 0xd4, 0x79, 0x9d, 0x80, 0x15, 0x8e, 0x53, 0x2a,
26368 ++ 0x65, 0x83, 0x78, 0x3e, 0x03, 0x00, 0x07, 0x12,
26369 ++ 0x1f, 0x33, 0x3e, 0x7b, 0x13, 0x37, 0xf1, 0xc3,
26370 ++ 0xef, 0xb7, 0xc1, 0x20, 0x3c, 0x3e, 0x67, 0x66,
26371 ++ 0x5d, 0x88, 0xa7, 0x7d, 0x33, 0x50, 0x77, 0xb0,
26372 ++ 0x28, 0x8e, 0xe7, 0x2c, 0x2e, 0x7a, 0xf4, 0x3c,
26373 ++ 0x8d, 0x74, 0x83, 0xaf, 0x8e, 0x87, 0x0f, 0xe4,
26374 ++ 0x50, 0xff, 0x84, 0x5c, 0x47, 0x0c, 0x6a, 0x49,
26375 ++ 0xbf, 0x42, 0x86, 0x77, 0x15, 0x48, 0xa5, 0x90,
26376 ++ 0x5d, 0x93, 0xd6, 0x2a, 0x11, 0xd5, 0xd5, 0x11,
26377 ++ 0xaa, 0xce, 0xe7, 0x6f, 0xa5, 0xb0, 0x09, 0x2c,
26378 ++ 0x8d, 0xd3, 0x92, 0xf0, 0x5a, 0x2a, 0xda, 0x5b,
26379 ++ 0x1e, 0xd5, 0x9a, 0xc4, 0xc4, 0xf3, 0x49, 0x74,
26380 ++ 0x41, 0xca, 0xe8, 0xc1, 0xf8, 0x44, 0xd6, 0x3c,
26381 ++ 0xae, 0x6c, 0x1d, 0x9a, 0x30, 0x04, 0x4d, 0x27,
26382 ++ 0x0e, 0xb1, 0x5f, 0x59, 0xa2, 0x24, 0xe8, 0xe1,
26383 ++ 0x98, 0xc5, 0x6a, 0x4c, 0xfe, 0x41, 0xd2, 0x27,
26384 ++ 0x42, 0x52, 0xe1, 0xe9, 0x7d, 0x62, 0xe4, 0x88,
26385 ++ 0x0f, 0xad, 0xb2, 0x70, 0xcb, 0x9d, 0x4c, 0x27,
26386 ++ 0x2e, 0x76, 0x1e, 0x1a, 0x63, 0x65, 0xf5, 0x3b,
26387 ++ 0xf8, 0x57, 0x69, 0xeb, 0x5b, 0x38, 0x26, 0x39,
26388 ++ 0x33, 0x25, 0x45, 0x3e, 0x91, 0xb8, 0xd8, 0xc7,
26389 ++ 0xd5, 0x42, 0xc0, 0x22, 0x31, 0x74, 0xf4, 0xbc,
26390 ++ 0x0c, 0x23, 0xf1, 0xca, 0xc1, 0x8d, 0xd7, 0xbe,
26391 ++ 0xc9, 0x62, 0xe4, 0x08, 0x1a, 0xcf, 0x36, 0xd5,
26392 ++ 0xfe, 0x55, 0x21, 0x59, 0x91, 0x87, 0x87, 0xdf,
26393 ++ 0x06, 0xdb, 0xdf, 0x96, 0x45, 0x58, 0xda, 0x05,
26394 ++ 0xcd, 0x50, 0x4d, 0xd2, 0x7d, 0x05, 0x18, 0x73,
26395 ++ 0x6a, 0x8d, 0x11, 0x85, 0xa6, 0x88, 0xe8, 0xda,
26396 ++ 0xe6, 0x30, 0x33, 0xa4, 0x89, 0x31, 0x75, 0xbe,
26397 ++ 0x69, 0x43, 0x84, 0x43, 0x50, 0x87, 0xdd, 0x71,
26398 ++ 0x36, 0x83, 0xc3, 0x78, 0x74, 0x24, 0x0a, 0xed,
26399 ++ 0x7b, 0xdb, 0xa4, 0x24, 0x0b, 0xb9, 0x7e, 0x5d,
26400 ++ 0xff, 0xde, 0xb1, 0xef, 0x61, 0x5a, 0x45, 0x33,
26401 ++ 0xf6, 0x17, 0x07, 0x08, 0x98, 0x83, 0x92, 0x0f,
26402 ++ 0x23, 0x6d, 0xe6, 0xaa, 0x17, 0x54, 0xad, 0x6a,
26403 ++ 0xc8, 0xdb, 0x26, 0xbe, 0xb8, 0xb6, 0x08, 0xfa,
26404 ++ 0x68, 0xf1, 0xd7, 0x79, 0x6f, 0x18, 0xb4, 0x9e,
26405 ++ 0x2d, 0x3f, 0x1b, 0x64, 0xaf, 0x8d, 0x06, 0x0e,
26406 ++ 0x49, 0x28, 0xe0, 0x5d, 0x45, 0x68, 0x13, 0x87,
26407 ++ 0xfa, 0xde, 0x40, 0x7b, 0xd2, 0xc3, 0x94, 0xd5,
26408 ++ 0xe1, 0xd9, 0xc2, 0xaf, 0x55, 0x89, 0xeb, 0xb4,
26409 ++ 0x12, 0x59, 0xa8, 0xd4, 0xc5, 0x29, 0x66, 0x38,
26410 ++ 0xe6, 0xac, 0x22, 0x22, 0xd9, 0x64, 0x9b, 0x34,
26411 ++ 0x0a, 0x32, 0x9f, 0xc2, 0xbf, 0x17, 0x6c, 0x3f,
26412 ++ 0x71, 0x7a, 0x38, 0x6b, 0x98, 0xfb, 0x49, 0x36,
26413 ++ 0x89, 0xc9, 0xe2, 0xd6, 0xc7, 0x5d, 0xd0, 0x69,
26414 ++ 0x5f, 0x23, 0x35, 0xc9, 0x30, 0xe2, 0xfd, 0x44,
26415 ++ 0x58, 0x39, 0xd7, 0x97, 0xfb, 0x5c, 0x00, 0xd5,
26416 ++ 0x4f, 0x7a, 0x1a, 0x95, 0x8b, 0x62, 0x4b, 0xce,
26417 ++ 0xe5, 0x91, 0x21, 0x7b, 0x30, 0x00, 0xd6, 0xdd,
26418 ++ 0x6d, 0x02, 0x86, 0x49, 0x0f, 0x3c, 0x1a, 0x27,
26419 ++ 0x3c, 0xd3, 0x0e, 0x71, 0xf2, 0xff, 0xf5, 0x2f,
26420 ++ 0x87, 0xac, 0x67, 0x59, 0x81, 0xa3, 0xf7, 0xf8,
26421 ++ 0xd6, 0x11, 0x0c, 0x84, 0xa9, 0x03, 0xee, 0x2a,
26422 ++ 0xc4, 0xf3, 0x22, 0xab, 0x7c, 0xe2, 0x25, 0xf5,
26423 ++ 0x67, 0xa3, 0xe4, 0x11, 0xe0, 0x59, 0xb3, 0xca,
26424 ++ 0x87, 0xa0, 0xae, 0xc9, 0xa6, 0x62, 0x1b, 0x6e,
26425 ++ 0x4d, 0x02, 0x6b, 0x07, 0x9d, 0xfd, 0xd0, 0x92,
26426 ++ 0x06, 0xe1, 0xb2, 0x9a, 0x4a, 0x1f, 0x1f, 0x13,
26427 ++ 0x49, 0x99, 0x97, 0x08, 0xde, 0x7f, 0x98, 0xaf,
26428 ++ 0x51, 0x98, 0xee, 0x2c, 0xcb, 0xf0, 0x0b, 0xc6,
26429 ++ 0xb6, 0xb7, 0x2d, 0x9a, 0xb1, 0xac, 0xa6, 0xe3,
26430 ++ 0x15, 0x77, 0x9d, 0x6b, 0x1a, 0xe4, 0xfc, 0x8b,
26431 ++ 0xf2, 0x17, 0x59, 0x08, 0x04, 0x58, 0x81, 0x9d,
26432 ++ 0x1b, 0x1b, 0x69, 0x55, 0xc2, 0xb4, 0x3c, 0x1f,
26433 ++ 0x50, 0xf1, 0x7f, 0x77, 0x90, 0x4c, 0x66, 0x40,
26434 ++ 0x5a, 0xc0, 0x33, 0x1f, 0xcb, 0x05, 0x6d, 0x5c,
26435 ++ 0x06, 0x87, 0x52, 0xa2, 0x8f, 0x26, 0xd5, 0x4f
26436 ++};
26437 ++static const u8 dec_assoc010[] __initconst = {
26438 ++ 0xd2, 0xa1, 0x70, 0xdb, 0x7a, 0xf8, 0xfa, 0x27,
26439 ++ 0xba, 0x73, 0x0f, 0xbf, 0x3d, 0x1e, 0x82, 0xb2
26440 ++};
26441 ++static const u8 dec_nonce010[] __initconst = {
26442 ++ 0xdb, 0x92, 0x0f, 0x7f, 0x17, 0x54, 0x0c, 0x30
26443 ++};
26444 ++static const u8 dec_key010[] __initconst = {
26445 ++ 0x47, 0x11, 0xeb, 0x86, 0x2b, 0x2c, 0xab, 0x44,
26446 ++ 0x34, 0xda, 0x7f, 0x57, 0x03, 0x39, 0x0c, 0xaf,
26447 ++ 0x2c, 0x14, 0xfd, 0x65, 0x23, 0xe9, 0x8e, 0x74,
26448 ++ 0xd5, 0x08, 0x68, 0x08, 0xe7, 0xb4, 0x72, 0xd7
26449 ++};
26450 ++
26451 ++static const u8 dec_input011[] __initconst = {
26452 ++ 0x6a, 0xfc, 0x4b, 0x25, 0xdf, 0xc0, 0xe4, 0xe8,
26453 ++ 0x17, 0x4d, 0x4c, 0xc9, 0x7e, 0xde, 0x3a, 0xcc,
26454 ++ 0x3c, 0xba, 0x6a, 0x77, 0x47, 0xdb, 0xe3, 0x74,
26455 ++ 0x7a, 0x4d, 0x5f, 0x8d, 0x37, 0x55, 0x80, 0x73,
26456 ++ 0x90, 0x66, 0x5d, 0x3a, 0x7d, 0x5d, 0x86, 0x5e,
26457 ++ 0x8d, 0xfd, 0x83, 0xff, 0x4e, 0x74, 0x6f, 0xf9,
26458 ++ 0xe6, 0x70, 0x17, 0x70, 0x3e, 0x96, 0xa7, 0x7e,
26459 ++ 0xcb, 0xab, 0x8f, 0x58, 0x24, 0x9b, 0x01, 0xfd,
26460 ++ 0xcb, 0xe6, 0x4d, 0x9b, 0xf0, 0x88, 0x94, 0x57,
26461 ++ 0x66, 0xef, 0x72, 0x4c, 0x42, 0x6e, 0x16, 0x19,
26462 ++ 0x15, 0xea, 0x70, 0x5b, 0xac, 0x13, 0xdb, 0x9f,
26463 ++ 0x18, 0xe2, 0x3c, 0x26, 0x97, 0xbc, 0xdc, 0x45,
26464 ++ 0x8c, 0x6c, 0x24, 0x69, 0x9c, 0xf7, 0x65, 0x1e,
26465 ++ 0x18, 0x59, 0x31, 0x7c, 0xe4, 0x73, 0xbc, 0x39,
26466 ++ 0x62, 0xc6, 0x5c, 0x9f, 0xbf, 0xfa, 0x90, 0x03,
26467 ++ 0xc9, 0x72, 0x26, 0xb6, 0x1b, 0xc2, 0xb7, 0x3f,
26468 ++ 0xf2, 0x13, 0x77, 0xf2, 0x8d, 0xb9, 0x47, 0xd0,
26469 ++ 0x53, 0xdd, 0xc8, 0x91, 0x83, 0x8b, 0xb1, 0xce,
26470 ++ 0xa3, 0xfe, 0xcd, 0xd9, 0xdd, 0x92, 0x7b, 0xdb,
26471 ++ 0xb8, 0xfb, 0xc9, 0x2d, 0x01, 0x59, 0x39, 0x52,
26472 ++ 0xad, 0x1b, 0xec, 0xcf, 0xd7, 0x70, 0x13, 0x21,
26473 ++ 0xf5, 0x47, 0xaa, 0x18, 0x21, 0x5c, 0xc9, 0x9a,
26474 ++ 0xd2, 0x6b, 0x05, 0x9c, 0x01, 0xa1, 0xda, 0x35,
26475 ++ 0x5d, 0xb3, 0x70, 0xe6, 0xa9, 0x80, 0x8b, 0x91,
26476 ++ 0xb7, 0xb3, 0x5f, 0x24, 0x9a, 0xb7, 0xd1, 0x6b,
26477 ++ 0xa1, 0x1c, 0x50, 0xba, 0x49, 0xe0, 0xee, 0x2e,
26478 ++ 0x75, 0xac, 0x69, 0xc0, 0xeb, 0x03, 0xdd, 0x19,
26479 ++ 0xe5, 0xf6, 0x06, 0xdd, 0xc3, 0xd7, 0x2b, 0x07,
26480 ++ 0x07, 0x30, 0xa7, 0x19, 0x0c, 0xbf, 0xe6, 0x18,
26481 ++ 0xcc, 0xb1, 0x01, 0x11, 0x85, 0x77, 0x1d, 0x96,
26482 ++ 0xa7, 0xa3, 0x00, 0x84, 0x02, 0xa2, 0x83, 0x68,
26483 ++ 0xda, 0x17, 0x27, 0xc8, 0x7f, 0x23, 0xb7, 0xf4,
26484 ++ 0x13, 0x85, 0xcf, 0xdd, 0x7a, 0x7d, 0x24, 0x57,
26485 ++ 0xfe, 0x05, 0x93, 0xf5, 0x74, 0xce, 0xed, 0x0c,
26486 ++ 0x20, 0x98, 0x8d, 0x92, 0x30, 0xa1, 0x29, 0x23,
26487 ++ 0x1a, 0xa0, 0x4f, 0x69, 0x56, 0x4c, 0xe1, 0xc8,
26488 ++ 0xce, 0xf6, 0x9a, 0x0c, 0xa4, 0xfa, 0x04, 0xf6,
26489 ++ 0x62, 0x95, 0xf2, 0xfa, 0xc7, 0x40, 0x68, 0x40,
26490 ++ 0x8f, 0x41, 0xda, 0xb4, 0x26, 0x6f, 0x70, 0xab,
26491 ++ 0x40, 0x61, 0xa4, 0x0e, 0x75, 0xfb, 0x86, 0xeb,
26492 ++ 0x9d, 0x9a, 0x1f, 0xec, 0x76, 0x99, 0xe7, 0xea,
26493 ++ 0xaa, 0x1e, 0x2d, 0xb5, 0xd4, 0xa6, 0x1a, 0xb8,
26494 ++ 0x61, 0x0a, 0x1d, 0x16, 0x5b, 0x98, 0xc2, 0x31,
26495 ++ 0x40, 0xe7, 0x23, 0x1d, 0x66, 0x99, 0xc8, 0xc0,
26496 ++ 0xd7, 0xce, 0xf3, 0x57, 0x40, 0x04, 0x3f, 0xfc,
26497 ++ 0xea, 0xb3, 0xfc, 0xd2, 0xd3, 0x99, 0xa4, 0x94,
26498 ++ 0x69, 0xa0, 0xef, 0xd1, 0x85, 0xb3, 0xa6, 0xb1,
26499 ++ 0x28, 0xbf, 0x94, 0x67, 0x22, 0xc3, 0x36, 0x46,
26500 ++ 0xf8, 0xd2, 0x0f, 0x5f, 0xf4, 0x59, 0x80, 0xe6,
26501 ++ 0x2d, 0x43, 0x08, 0x7d, 0x19, 0x09, 0x97, 0xa7,
26502 ++ 0x4c, 0x3d, 0x8d, 0xba, 0x65, 0x62, 0xa3, 0x71,
26503 ++ 0x33, 0x29, 0x62, 0xdb, 0xc1, 0x33, 0x34, 0x1a,
26504 ++ 0x63, 0x33, 0x16, 0xb6, 0x64, 0x7e, 0xab, 0x33,
26505 ++ 0xf0, 0xe6, 0x26, 0x68, 0xba, 0x1d, 0x2e, 0x38,
26506 ++ 0x08, 0xe6, 0x02, 0xd3, 0x25, 0x2c, 0x47, 0x23,
26507 ++ 0x58, 0x34, 0x0f, 0x9d, 0x63, 0x4f, 0x63, 0xbb,
26508 ++ 0x7f, 0x3b, 0x34, 0x38, 0xa7, 0xb5, 0x8d, 0x65,
26509 ++ 0xd9, 0x9f, 0x79, 0x55, 0x3e, 0x4d, 0xe7, 0x73,
26510 ++ 0xd8, 0xf6, 0x98, 0x97, 0x84, 0x60, 0x9c, 0xc8,
26511 ++ 0xa9, 0x3c, 0xf6, 0xdc, 0x12, 0x5c, 0xe1, 0xbb,
26512 ++ 0x0b, 0x8b, 0x98, 0x9c, 0x9d, 0x26, 0x7c, 0x4a,
26513 ++ 0xe6, 0x46, 0x36, 0x58, 0x21, 0x4a, 0xee, 0xca,
26514 ++ 0xd7, 0x3b, 0xc2, 0x6c, 0x49, 0x2f, 0xe5, 0xd5,
26515 ++ 0x03, 0x59, 0x84, 0x53, 0xcb, 0xfe, 0x92, 0x71,
26516 ++ 0x2e, 0x7c, 0x21, 0xcc, 0x99, 0x85, 0x7f, 0xb8,
26517 ++ 0x74, 0x90, 0x13, 0x42, 0x3f, 0xe0, 0x6b, 0x1d,
26518 ++ 0xf2, 0x4d, 0x54, 0xd4, 0xfc, 0x3a, 0x05, 0xe6,
26519 ++ 0x74, 0xaf, 0xa6, 0xa0, 0x2a, 0x20, 0x23, 0x5d,
26520 ++ 0x34, 0x5c, 0xd9, 0x3e, 0x4e, 0xfa, 0x93, 0xe7,
26521 ++ 0xaa, 0xe9, 0x6f, 0x08, 0x43, 0x67, 0x41, 0xc5,
26522 ++ 0xad, 0xfb, 0x31, 0x95, 0x82, 0x73, 0x32, 0xd8,
26523 ++ 0xa6, 0xa3, 0xed, 0x0e, 0x2d, 0xf6, 0x5f, 0xfd,
26524 ++ 0x80, 0xa6, 0x7a, 0xe0, 0xdf, 0x78, 0x15, 0x29,
26525 ++ 0x74, 0x33, 0xd0, 0x9e, 0x83, 0x86, 0x72, 0x22,
26526 ++ 0x57, 0x29, 0xb9, 0x9e, 0x5d, 0xd3, 0x1a, 0xb5,
26527 ++ 0x96, 0x72, 0x41, 0x3d, 0xf1, 0x64, 0x43, 0x67,
26528 ++ 0xee, 0xaa, 0x5c, 0xd3, 0x9a, 0x96, 0x13, 0x11,
26529 ++ 0x5d, 0xf3, 0x0c, 0x87, 0x82, 0x1e, 0x41, 0x9e,
26530 ++ 0xd0, 0x27, 0xd7, 0x54, 0x3b, 0x67, 0x73, 0x09,
26531 ++ 0x91, 0xe9, 0xd5, 0x36, 0xa7, 0xb5, 0x55, 0xe4,
26532 ++ 0xf3, 0x21, 0x51, 0x49, 0x22, 0x07, 0x55, 0x4f,
26533 ++ 0x44, 0x4b, 0xd2, 0x15, 0x93, 0x17, 0x2a, 0xfa,
26534 ++ 0x4d, 0x4a, 0x57, 0xdb, 0x4c, 0xa6, 0xeb, 0xec,
26535 ++ 0x53, 0x25, 0x6c, 0x21, 0xed, 0x00, 0x4c, 0x3b,
26536 ++ 0xca, 0x14, 0x57, 0xa9, 0xd6, 0x6a, 0xcd, 0x8d,
26537 ++ 0x5e, 0x74, 0xac, 0x72, 0xc1, 0x97, 0xe5, 0x1b,
26538 ++ 0x45, 0x4e, 0xda, 0xfc, 0xcc, 0x40, 0xe8, 0x48,
26539 ++ 0x88, 0x0b, 0xa3, 0xe3, 0x8d, 0x83, 0x42, 0xc3,
26540 ++ 0x23, 0xfd, 0x68, 0xb5, 0x8e, 0xf1, 0x9d, 0x63,
26541 ++ 0x77, 0xe9, 0xa3, 0x8e, 0x8c, 0x26, 0x6b, 0xbd,
26542 ++ 0x72, 0x73, 0x35, 0x0c, 0x03, 0xf8, 0x43, 0x78,
26543 ++ 0x52, 0x71, 0x15, 0x1f, 0x71, 0x5d, 0x6e, 0xed,
26544 ++ 0xb9, 0xcc, 0x86, 0x30, 0xdb, 0x2b, 0xd3, 0x82,
26545 ++ 0x88, 0x23, 0x71, 0x90, 0x53, 0x5c, 0xa9, 0x2f,
26546 ++ 0x76, 0x01, 0xb7, 0x9a, 0xfe, 0x43, 0x55, 0xa3,
26547 ++ 0x04, 0x9b, 0x0e, 0xe4, 0x59, 0xdf, 0xc9, 0xe9,
26548 ++ 0xb1, 0xea, 0x29, 0x28, 0x3c, 0x5c, 0xae, 0x72,
26549 ++ 0x84, 0xb6, 0xc6, 0xeb, 0x0c, 0x27, 0x07, 0x74,
26550 ++ 0x90, 0x0d, 0x31, 0xb0, 0x00, 0x77, 0xe9, 0x40,
26551 ++ 0x70, 0x6f, 0x68, 0xa7, 0xfd, 0x06, 0xec, 0x4b,
26552 ++ 0xc0, 0xb7, 0xac, 0xbc, 0x33, 0xb7, 0x6d, 0x0a,
26553 ++ 0xbd, 0x12, 0x1b, 0x59, 0xcb, 0xdd, 0x32, 0xf5,
26554 ++ 0x1d, 0x94, 0x57, 0x76, 0x9e, 0x0c, 0x18, 0x98,
26555 ++ 0x71, 0xd7, 0x2a, 0xdb, 0x0b, 0x7b, 0xa7, 0x71,
26556 ++ 0xb7, 0x67, 0x81, 0x23, 0x96, 0xae, 0xb9, 0x7e,
26557 ++ 0x32, 0x43, 0x92, 0x8a, 0x19, 0xa0, 0xc4, 0xd4,
26558 ++ 0x3b, 0x57, 0xf9, 0x4a, 0x2c, 0xfb, 0x51, 0x46,
26559 ++ 0xbb, 0xcb, 0x5d, 0xb3, 0xef, 0x13, 0x93, 0x6e,
26560 ++ 0x68, 0x42, 0x54, 0x57, 0xd3, 0x6a, 0x3a, 0x8f,
26561 ++ 0x9d, 0x66, 0xbf, 0xbd, 0x36, 0x23, 0xf5, 0x93,
26562 ++ 0x83, 0x7b, 0x9c, 0xc0, 0xdd, 0xc5, 0x49, 0xc0,
26563 ++ 0x64, 0xed, 0x07, 0x12, 0xb3, 0xe6, 0xe4, 0xe5,
26564 ++ 0x38, 0x95, 0x23, 0xb1, 0xa0, 0x3b, 0x1a, 0x61,
26565 ++ 0xda, 0x17, 0xac, 0xc3, 0x58, 0xdd, 0x74, 0x64,
26566 ++ 0x22, 0x11, 0xe8, 0x32, 0x1d, 0x16, 0x93, 0x85,
26567 ++ 0x99, 0xa5, 0x9c, 0x34, 0x55, 0xb1, 0xe9, 0x20,
26568 ++ 0x72, 0xc9, 0x28, 0x7b, 0x79, 0x00, 0xa1, 0xa6,
26569 ++ 0xa3, 0x27, 0x40, 0x18, 0x8a, 0x54, 0xe0, 0xcc,
26570 ++ 0xe8, 0x4e, 0x8e, 0x43, 0x96, 0xe7, 0x3f, 0xc8,
26571 ++ 0xe9, 0xb2, 0xf9, 0xc9, 0xda, 0x04, 0x71, 0x50,
26572 ++ 0x47, 0xe4, 0xaa, 0xce, 0xa2, 0x30, 0xc8, 0xe4,
26573 ++ 0xac, 0xc7, 0x0d, 0x06, 0x2e, 0xe6, 0xe8, 0x80,
26574 ++ 0x36, 0x29, 0x9e, 0x01, 0xb8, 0xc3, 0xf0, 0xa0,
26575 ++ 0x5d, 0x7a, 0xca, 0x4d, 0xa0, 0x57, 0xbd, 0x2a,
26576 ++ 0x45, 0xa7, 0x7f, 0x9c, 0x93, 0x07, 0x8f, 0x35,
26577 ++ 0x67, 0x92, 0xe3, 0xe9, 0x7f, 0xa8, 0x61, 0x43,
26578 ++ 0x9e, 0x25, 0x4f, 0x33, 0x76, 0x13, 0x6e, 0x12,
26579 ++ 0xb9, 0xdd, 0xa4, 0x7c, 0x08, 0x9f, 0x7c, 0xe7,
26580 ++ 0x0a, 0x8d, 0x84, 0x06, 0xa4, 0x33, 0x17, 0x34,
26581 ++ 0x5e, 0x10, 0x7c, 0xc0, 0xa8, 0x3d, 0x1f, 0x42,
26582 ++ 0x20, 0x51, 0x65, 0x5d, 0x09, 0xc3, 0xaa, 0xc0,
26583 ++ 0xc8, 0x0d, 0xf0, 0x79, 0xbc, 0x20, 0x1b, 0x95,
26584 ++ 0xe7, 0x06, 0x7d, 0x47, 0x20, 0x03, 0x1a, 0x74,
26585 ++ 0xdd, 0xe2, 0xd4, 0xae, 0x38, 0x71, 0x9b, 0xf5,
26586 ++ 0x80, 0xec, 0x08, 0x4e, 0x56, 0xba, 0x76, 0x12,
26587 ++ 0x1a, 0xdf, 0x48, 0xf3, 0xae, 0xb3, 0xe6, 0xe6,
26588 ++ 0xbe, 0xc0, 0x91, 0x2e, 0x01, 0xb3, 0x01, 0x86,
26589 ++ 0xa2, 0xb9, 0x52, 0xd1, 0x21, 0xae, 0xd4, 0x97,
26590 ++ 0x1d, 0xef, 0x41, 0x12, 0x95, 0x3d, 0x48, 0x45,
26591 ++ 0x1c, 0x56, 0x32, 0x8f, 0xb8, 0x43, 0xbb, 0x19,
26592 ++ 0xf3, 0xca, 0xe9, 0xeb, 0x6d, 0x84, 0xbe, 0x86,
26593 ++ 0x06, 0xe2, 0x36, 0xb2, 0x62, 0x9d, 0xd3, 0x4c,
26594 ++ 0x48, 0x18, 0x54, 0x13, 0x4e, 0xcf, 0xfd, 0xba,
26595 ++ 0x84, 0xb9, 0x30, 0x53, 0xcf, 0xfb, 0xb9, 0x29,
26596 ++ 0x8f, 0xdc, 0x9f, 0xef, 0x60, 0x0b, 0x64, 0xf6,
26597 ++ 0x8b, 0xee, 0xa6, 0x91, 0xc2, 0x41, 0x6c, 0xf6,
26598 ++ 0xfa, 0x79, 0x67, 0x4b, 0xc1, 0x3f, 0xaf, 0x09,
26599 ++ 0x81, 0xd4, 0x5d, 0xcb, 0x09, 0xdf, 0x36, 0x31,
26600 ++ 0xc0, 0x14, 0x3c, 0x7c, 0x0e, 0x65, 0x95, 0x99,
26601 ++ 0x6d, 0xa3, 0xf4, 0xd7, 0x38, 0xee, 0x1a, 0x2b,
26602 ++ 0x37, 0xe2, 0xa4, 0x3b, 0x4b, 0xd0, 0x65, 0xca,
26603 ++ 0xf8, 0xc3, 0xe8, 0x15, 0x20, 0xef, 0xf2, 0x00,
26604 ++ 0xfd, 0x01, 0x09, 0xc5, 0xc8, 0x17, 0x04, 0x93,
26605 ++ 0xd0, 0x93, 0x03, 0x55, 0xc5, 0xfe, 0x32, 0xa3,
26606 ++ 0x3e, 0x28, 0x2d, 0x3b, 0x93, 0x8a, 0xcc, 0x07,
26607 ++ 0x72, 0x80, 0x8b, 0x74, 0x16, 0x24, 0xbb, 0xda,
26608 ++ 0x94, 0x39, 0x30, 0x8f, 0xb1, 0xcd, 0x4a, 0x90,
26609 ++ 0x92, 0x7c, 0x14, 0x8f, 0x95, 0x4e, 0xac, 0x9b,
26610 ++ 0xd8, 0x8f, 0x1a, 0x87, 0xa4, 0x32, 0x27, 0x8a,
26611 ++ 0xba, 0xf7, 0x41, 0xcf, 0x84, 0x37, 0x19, 0xe6,
26612 ++ 0x06, 0xf5, 0x0e, 0xcf, 0x36, 0xf5, 0x9e, 0x6c,
26613 ++ 0xde, 0xbc, 0xff, 0x64, 0x7e, 0x4e, 0x59, 0x57,
26614 ++ 0x48, 0xfe, 0x14, 0xf7, 0x9c, 0x93, 0x5d, 0x15,
26615 ++ 0xad, 0xcc, 0x11, 0xb1, 0x17, 0x18, 0xb2, 0x7e,
26616 ++ 0xcc, 0xab, 0xe9, 0xce, 0x7d, 0x77, 0x5b, 0x51,
26617 ++ 0x1b, 0x1e, 0x20, 0xa8, 0x32, 0x06, 0x0e, 0x75,
26618 ++ 0x93, 0xac, 0xdb, 0x35, 0x37, 0x1f, 0xe9, 0x19,
26619 ++ 0x1d, 0xb4, 0x71, 0x97, 0xd6, 0x4e, 0x2c, 0x08,
26620 ++ 0xa5, 0x13, 0xf9, 0x0e, 0x7e, 0x78, 0x6e, 0x14,
26621 ++ 0xe0, 0xa9, 0xb9, 0x96, 0x4c, 0x80, 0x82, 0xba,
26622 ++ 0x17, 0xb3, 0x9d, 0x69, 0xb0, 0x84, 0x46, 0xff,
26623 ++ 0xf9, 0x52, 0x79, 0x94, 0x58, 0x3a, 0x62, 0x90,
26624 ++ 0x15, 0x35, 0x71, 0x10, 0x37, 0xed, 0xa1, 0x8e,
26625 ++ 0x53, 0x6e, 0xf4, 0x26, 0x57, 0x93, 0x15, 0x93,
26626 ++ 0xf6, 0x81, 0x2c, 0x5a, 0x10, 0xda, 0x92, 0xad,
26627 ++ 0x2f, 0xdb, 0x28, 0x31, 0x2d, 0x55, 0x04, 0xd2,
26628 ++ 0x06, 0x28, 0x8c, 0x1e, 0xdc, 0xea, 0x54, 0xac,
26629 ++ 0xff, 0xb7, 0x6c, 0x30, 0x15, 0xd4, 0xb4, 0x0d,
26630 ++ 0x00, 0x93, 0x57, 0xdd, 0xd2, 0x07, 0x07, 0x06,
26631 ++ 0xd9, 0x43, 0x9b, 0xcd, 0x3a, 0xf4, 0x7d, 0x4c,
26632 ++ 0x36, 0x5d, 0x23, 0xa2, 0xcc, 0x57, 0x40, 0x91,
26633 ++ 0xe9, 0x2c, 0x2f, 0x2c, 0xd5, 0x30, 0x9b, 0x17,
26634 ++ 0xb0, 0xc9, 0xf7, 0xa7, 0x2f, 0xd1, 0x93, 0x20,
26635 ++ 0x6b, 0xc6, 0xc1, 0xe4, 0x6f, 0xcb, 0xd1, 0xe7,
26636 ++ 0x09, 0x0f, 0x9e, 0xdc, 0xaa, 0x9f, 0x2f, 0xdf,
26637 ++ 0x56, 0x9f, 0xd4, 0x33, 0x04, 0xaf, 0xd3, 0x6c,
26638 ++ 0x58, 0x61, 0xf0, 0x30, 0xec, 0xf2, 0x7f, 0xf2,
26639 ++ 0x9c, 0xdf, 0x39, 0xbb, 0x6f, 0xa2, 0x8c, 0x7e,
26640 ++ 0xc4, 0x22, 0x51, 0x71, 0xc0, 0x4d, 0x14, 0x1a,
26641 ++ 0xc4, 0xcd, 0x04, 0xd9, 0x87, 0x08, 0x50, 0x05,
26642 ++ 0xcc, 0xaf, 0xf6, 0xf0, 0x8f, 0x92, 0x54, 0x58,
26643 ++ 0xc2, 0xc7, 0x09, 0x7a, 0x59, 0x02, 0x05, 0xe8,
26644 ++ 0xb0, 0x86, 0xd9, 0xbf, 0x7b, 0x35, 0x51, 0x4d,
26645 ++ 0xaf, 0x08, 0x97, 0x2c, 0x65, 0xda, 0x2a, 0x71,
26646 ++ 0x3a, 0xa8, 0x51, 0xcc, 0xf2, 0x73, 0x27, 0xc3,
26647 ++ 0xfd, 0x62, 0xcf, 0xe3, 0xb2, 0xca, 0xcb, 0xbe,
26648 ++ 0x1a, 0x0a, 0xa1, 0x34, 0x7b, 0x77, 0xc4, 0x62,
26649 ++ 0x68, 0x78, 0x5f, 0x94, 0x07, 0x04, 0x65, 0x16,
26650 ++ 0x4b, 0x61, 0xcb, 0xff, 0x75, 0x26, 0x50, 0x66,
26651 ++ 0x1f, 0x6e, 0x93, 0xf8, 0xc5, 0x51, 0xeb, 0xa4,
26652 ++ 0x4a, 0x48, 0x68, 0x6b, 0xe2, 0x5e, 0x44, 0xb2,
26653 ++ 0x50, 0x2c, 0x6c, 0xae, 0x79, 0x4e, 0x66, 0x35,
26654 ++ 0x81, 0x50, 0xac, 0xbc, 0x3f, 0xb1, 0x0c, 0xf3,
26655 ++ 0x05, 0x3c, 0x4a, 0xa3, 0x6c, 0x2a, 0x79, 0xb4,
26656 ++ 0xb7, 0xab, 0xca, 0xc7, 0x9b, 0x8e, 0xcd, 0x5f,
26657 ++ 0x11, 0x03, 0xcb, 0x30, 0xa3, 0xab, 0xda, 0xfe,
26658 ++ 0x64, 0xb9, 0xbb, 0xd8, 0x5e, 0x3a, 0x1a, 0x56,
26659 ++ 0xe5, 0x05, 0x48, 0x90, 0x1e, 0x61, 0x69, 0x1b,
26660 ++ 0x22, 0xe6, 0x1a, 0x3c, 0x75, 0xad, 0x1f, 0x37,
26661 ++ 0x28, 0xdc, 0xe4, 0x6d, 0xbd, 0x42, 0xdc, 0xd3,
26662 ++ 0xc8, 0xb6, 0x1c, 0x48, 0xfe, 0x94, 0x77, 0x7f,
26663 ++ 0xbd, 0x62, 0xac, 0xa3, 0x47, 0x27, 0xcf, 0x5f,
26664 ++ 0xd9, 0xdb, 0xaf, 0xec, 0xf7, 0x5e, 0xc1, 0xb0,
26665 ++ 0x9d, 0x01, 0x26, 0x99, 0x7e, 0x8f, 0x03, 0x70,
26666 ++ 0xb5, 0x42, 0xbe, 0x67, 0x28, 0x1b, 0x7c, 0xbd,
26667 ++ 0x61, 0x21, 0x97, 0xcc, 0x5c, 0xe1, 0x97, 0x8f,
26668 ++ 0x8d, 0xde, 0x2b, 0xaa, 0xa7, 0x71, 0x1d, 0x1e,
26669 ++ 0x02, 0x73, 0x70, 0x58, 0x32, 0x5b, 0x1d, 0x67,
26670 ++ 0x3d, 0xe0, 0x74, 0x4f, 0x03, 0xf2, 0x70, 0x51,
26671 ++ 0x79, 0xf1, 0x61, 0x70, 0x15, 0x74, 0x9d, 0x23,
26672 ++ 0x89, 0xde, 0xac, 0xfd, 0xde, 0xd0, 0x1f, 0xc3,
26673 ++ 0x87, 0x44, 0x35, 0x4b, 0xe5, 0xb0, 0x60, 0xc5,
26674 ++ 0x22, 0xe4, 0x9e, 0xca, 0xeb, 0xd5, 0x3a, 0x09,
26675 ++ 0x45, 0xa4, 0xdb, 0xfa, 0x3f, 0xeb, 0x1b, 0xc7,
26676 ++ 0xc8, 0x14, 0x99, 0x51, 0x92, 0x10, 0xed, 0xed,
26677 ++ 0x28, 0xe0, 0xa1, 0xf8, 0x26, 0xcf, 0xcd, 0xcb,
26678 ++ 0x63, 0xa1, 0x3b, 0xe3, 0xdf, 0x7e, 0xfe, 0xa6,
26679 ++ 0xf0, 0x81, 0x9a, 0xbf, 0x55, 0xde, 0x54, 0xd5,
26680 ++ 0x56, 0x60, 0x98, 0x10, 0x68, 0xf4, 0x38, 0x96,
26681 ++ 0x8e, 0x6f, 0x1d, 0x44, 0x7f, 0xd6, 0x2f, 0xfe,
26682 ++ 0x55, 0xfb, 0x0c, 0x7e, 0x67, 0xe2, 0x61, 0x44,
26683 ++ 0xed, 0xf2, 0x35, 0x30, 0x5d, 0xe9, 0xc7, 0xd6,
26684 ++ 0x6d, 0xe0, 0xa0, 0xed, 0xf3, 0xfc, 0xd8, 0x3e,
26685 ++ 0x0a, 0x7b, 0xcd, 0xaf, 0x65, 0x68, 0x18, 0xc0,
26686 ++ 0xec, 0x04, 0x1c, 0x74, 0x6d, 0xe2, 0x6e, 0x79,
26687 ++ 0xd4, 0x11, 0x2b, 0x62, 0xd5, 0x27, 0xad, 0x4f,
26688 ++ 0x01, 0x59, 0x73, 0xcc, 0x6a, 0x53, 0xfb, 0x2d,
26689 ++ 0xd5, 0x4e, 0x99, 0x21, 0x65, 0x4d, 0xf5, 0x82,
26690 ++ 0xf7, 0xd8, 0x42, 0xce, 0x6f, 0x3d, 0x36, 0x47,
26691 ++ 0xf1, 0x05, 0x16, 0xe8, 0x1b, 0x6a, 0x8f, 0x93,
26692 ++ 0xf2, 0x8f, 0x37, 0x40, 0x12, 0x28, 0xa3, 0xe6,
26693 ++ 0xb9, 0x17, 0x4a, 0x1f, 0xb1, 0xd1, 0x66, 0x69,
26694 ++ 0x86, 0xc4, 0xfc, 0x97, 0xae, 0x3f, 0x8f, 0x1e,
26695 ++ 0x2b, 0xdf, 0xcd, 0xf9, 0x3c
26696 ++};
26697 ++static const u8 dec_output011[] __initconst = {
26698 ++ 0x7a, 0x57, 0xf2, 0xc7, 0x06, 0x3f, 0x50, 0x7b,
26699 ++ 0x36, 0x1a, 0x66, 0x5c, 0xb9, 0x0e, 0x5e, 0x3b,
26700 ++ 0x45, 0x60, 0xbe, 0x9a, 0x31, 0x9f, 0xff, 0x5d,
26701 ++ 0x66, 0x34, 0xb4, 0xdc, 0xfb, 0x9d, 0x8e, 0xee,
26702 ++ 0x6a, 0x33, 0xa4, 0x07, 0x3c, 0xf9, 0x4c, 0x30,
26703 ++ 0xa1, 0x24, 0x52, 0xf9, 0x50, 0x46, 0x88, 0x20,
26704 ++ 0x02, 0x32, 0x3a, 0x0e, 0x99, 0x63, 0xaf, 0x1f,
26705 ++ 0x15, 0x28, 0x2a, 0x05, 0xff, 0x57, 0x59, 0x5e,
26706 ++ 0x18, 0xa1, 0x1f, 0xd0, 0x92, 0x5c, 0x88, 0x66,
26707 ++ 0x1b, 0x00, 0x64, 0xa5, 0x93, 0x8d, 0x06, 0x46,
26708 ++ 0xb0, 0x64, 0x8b, 0x8b, 0xef, 0x99, 0x05, 0x35,
26709 ++ 0x85, 0xb3, 0xf3, 0x33, 0xbb, 0xec, 0x66, 0xb6,
26710 ++ 0x3d, 0x57, 0x42, 0xe3, 0xb4, 0xc6, 0xaa, 0xb0,
26711 ++ 0x41, 0x2a, 0xb9, 0x59, 0xa9, 0xf6, 0x3e, 0x15,
26712 ++ 0x26, 0x12, 0x03, 0x21, 0x4c, 0x74, 0x43, 0x13,
26713 ++ 0x2a, 0x03, 0x27, 0x09, 0xb4, 0xfb, 0xe7, 0xb7,
26714 ++ 0x40, 0xff, 0x5e, 0xce, 0x48, 0x9a, 0x60, 0xe3,
26715 ++ 0x8b, 0x80, 0x8c, 0x38, 0x2d, 0xcb, 0x93, 0x37,
26716 ++ 0x74, 0x05, 0x52, 0x6f, 0x73, 0x3e, 0xc3, 0xbc,
26717 ++ 0xca, 0x72, 0x0a, 0xeb, 0xf1, 0x3b, 0xa0, 0x95,
26718 ++ 0xdc, 0x8a, 0xc4, 0xa9, 0xdc, 0xca, 0x44, 0xd8,
26719 ++ 0x08, 0x63, 0x6a, 0x36, 0xd3, 0x3c, 0xb8, 0xac,
26720 ++ 0x46, 0x7d, 0xfd, 0xaa, 0xeb, 0x3e, 0x0f, 0x45,
26721 ++ 0x8f, 0x49, 0xda, 0x2b, 0xf2, 0x12, 0xbd, 0xaf,
26722 ++ 0x67, 0x8a, 0x63, 0x48, 0x4b, 0x55, 0x5f, 0x6d,
26723 ++ 0x8c, 0xb9, 0x76, 0x34, 0x84, 0xae, 0xc2, 0xfc,
26724 ++ 0x52, 0x64, 0x82, 0xf7, 0xb0, 0x06, 0xf0, 0x45,
26725 ++ 0x73, 0x12, 0x50, 0x30, 0x72, 0xea, 0x78, 0x9a,
26726 ++ 0xa8, 0xaf, 0xb5, 0xe3, 0xbb, 0x77, 0x52, 0xec,
26727 ++ 0x59, 0x84, 0xbf, 0x6b, 0x8f, 0xce, 0x86, 0x5e,
26728 ++ 0x1f, 0x23, 0xe9, 0xfb, 0x08, 0x86, 0xf7, 0x10,
26729 ++ 0xb9, 0xf2, 0x44, 0x96, 0x44, 0x63, 0xa9, 0xa8,
26730 ++ 0x78, 0x00, 0x23, 0xd6, 0xc7, 0xe7, 0x6e, 0x66,
26731 ++ 0x4f, 0xcc, 0xee, 0x15, 0xb3, 0xbd, 0x1d, 0xa0,
26732 ++ 0xe5, 0x9c, 0x1b, 0x24, 0x2c, 0x4d, 0x3c, 0x62,
26733 ++ 0x35, 0x9c, 0x88, 0x59, 0x09, 0xdd, 0x82, 0x1b,
26734 ++ 0xcf, 0x0a, 0x83, 0x6b, 0x3f, 0xae, 0x03, 0xc4,
26735 ++ 0xb4, 0xdd, 0x7e, 0x5b, 0x28, 0x76, 0x25, 0x96,
26736 ++ 0xd9, 0xc9, 0x9d, 0x5f, 0x86, 0xfa, 0xf6, 0xd7,
26737 ++ 0xd2, 0xe6, 0x76, 0x1d, 0x0f, 0xa1, 0xdc, 0x74,
26738 ++ 0x05, 0x1b, 0x1d, 0xe0, 0xcd, 0x16, 0xb0, 0xa8,
26739 ++ 0x8a, 0x34, 0x7b, 0x15, 0x11, 0x77, 0xe5, 0x7b,
26740 ++ 0x7e, 0x20, 0xf7, 0xda, 0x38, 0xda, 0xce, 0x70,
26741 ++ 0xe9, 0xf5, 0x6c, 0xd9, 0xbe, 0x0c, 0x4c, 0x95,
26742 ++ 0x4c, 0xc2, 0x9b, 0x34, 0x55, 0x55, 0xe1, 0xf3,
26743 ++ 0x46, 0x8e, 0x48, 0x74, 0x14, 0x4f, 0x9d, 0xc9,
26744 ++ 0xf5, 0xe8, 0x1a, 0xf0, 0x11, 0x4a, 0xc1, 0x8d,
26745 ++ 0xe0, 0x93, 0xa0, 0xbe, 0x09, 0x1c, 0x2b, 0x4e,
26746 ++ 0x0f, 0xb2, 0x87, 0x8b, 0x84, 0xfe, 0x92, 0x32,
26747 ++ 0x14, 0xd7, 0x93, 0xdf, 0xe7, 0x44, 0xbc, 0xc5,
26748 ++ 0xae, 0x53, 0x69, 0xd8, 0xb3, 0x79, 0x37, 0x80,
26749 ++ 0xe3, 0x17, 0x5c, 0xec, 0x53, 0x00, 0x9a, 0xe3,
26750 ++ 0x8e, 0xdc, 0x38, 0xb8, 0x66, 0xf0, 0xd3, 0xad,
26751 ++ 0x1d, 0x02, 0x96, 0x86, 0x3e, 0x9d, 0x3b, 0x5d,
26752 ++ 0xa5, 0x7f, 0x21, 0x10, 0xf1, 0x1f, 0x13, 0x20,
26753 ++ 0xf9, 0x57, 0x87, 0x20, 0xf5, 0x5f, 0xf1, 0x17,
26754 ++ 0x48, 0x0a, 0x51, 0x5a, 0xcd, 0x19, 0x03, 0xa6,
26755 ++ 0x5a, 0xd1, 0x12, 0x97, 0xe9, 0x48, 0xe2, 0x1d,
26756 ++ 0x83, 0x75, 0x50, 0xd9, 0x75, 0x7d, 0x6a, 0x82,
26757 ++ 0xa1, 0xf9, 0x4e, 0x54, 0x87, 0x89, 0xc9, 0x0c,
26758 ++ 0xb7, 0x5b, 0x6a, 0x91, 0xc1, 0x9c, 0xb2, 0xa9,
26759 ++ 0xdc, 0x9a, 0xa4, 0x49, 0x0a, 0x6d, 0x0d, 0xbb,
26760 ++ 0xde, 0x86, 0x44, 0xdd, 0x5d, 0x89, 0x2b, 0x96,
26761 ++ 0x0f, 0x23, 0x95, 0xad, 0xcc, 0xa2, 0xb3, 0xb9,
26762 ++ 0x7e, 0x74, 0x38, 0xba, 0x9f, 0x73, 0xae, 0x5f,
26763 ++ 0xf8, 0x68, 0xa2, 0xe0, 0xa9, 0xce, 0xbd, 0x40,
26764 ++ 0xd4, 0x4c, 0x6b, 0xd2, 0x56, 0x62, 0xb0, 0xcc,
26765 ++ 0x63, 0x7e, 0x5b, 0xd3, 0xae, 0xd1, 0x75, 0xce,
26766 ++ 0xbb, 0xb4, 0x5b, 0xa8, 0xf8, 0xb4, 0xac, 0x71,
26767 ++ 0x75, 0xaa, 0xc9, 0x9f, 0xbb, 0x6c, 0xad, 0x0f,
26768 ++ 0x55, 0x5d, 0xe8, 0x85, 0x7d, 0xf9, 0x21, 0x35,
26769 ++ 0xea, 0x92, 0x85, 0x2b, 0x00, 0xec, 0x84, 0x90,
26770 ++ 0x0a, 0x63, 0x96, 0xe4, 0x6b, 0xa9, 0x77, 0xb8,
26771 ++ 0x91, 0xf8, 0x46, 0x15, 0x72, 0x63, 0x70, 0x01,
26772 ++ 0x40, 0xa3, 0xa5, 0x76, 0x62, 0x2b, 0xbf, 0xf1,
26773 ++ 0xe5, 0x8d, 0x9f, 0xa3, 0xfa, 0x9b, 0x03, 0xbe,
26774 ++ 0xfe, 0x65, 0x6f, 0xa2, 0x29, 0x0d, 0x54, 0xb4,
26775 ++ 0x71, 0xce, 0xa9, 0xd6, 0x3d, 0x88, 0xf9, 0xaf,
26776 ++ 0x6b, 0xa8, 0x9e, 0xf4, 0x16, 0x96, 0x36, 0xb9,
26777 ++ 0x00, 0xdc, 0x10, 0xab, 0xb5, 0x08, 0x31, 0x1f,
26778 ++ 0x00, 0xb1, 0x3c, 0xd9, 0x38, 0x3e, 0xc6, 0x04,
26779 ++ 0xa7, 0x4e, 0xe8, 0xae, 0xed, 0x98, 0xc2, 0xf7,
26780 ++ 0xb9, 0x00, 0x5f, 0x8c, 0x60, 0xd1, 0xe5, 0x15,
26781 ++ 0xf7, 0xae, 0x1e, 0x84, 0x88, 0xd1, 0xf6, 0xbc,
26782 ++ 0x3a, 0x89, 0x35, 0x22, 0x83, 0x7c, 0xca, 0xf0,
26783 ++ 0x33, 0x82, 0x4c, 0x79, 0x3c, 0xfd, 0xb1, 0xae,
26784 ++ 0x52, 0x62, 0x55, 0xd2, 0x41, 0x60, 0xc6, 0xbb,
26785 ++ 0xfa, 0x0e, 0x59, 0xd6, 0xa8, 0xfe, 0x5d, 0xed,
26786 ++ 0x47, 0x3d, 0xe0, 0xea, 0x1f, 0x6e, 0x43, 0x51,
26787 ++ 0xec, 0x10, 0x52, 0x56, 0x77, 0x42, 0x6b, 0x52,
26788 ++ 0x87, 0xd8, 0xec, 0xe0, 0xaa, 0x76, 0xa5, 0x84,
26789 ++ 0x2a, 0x22, 0x24, 0xfd, 0x92, 0x40, 0x88, 0xd5,
26790 ++ 0x85, 0x1c, 0x1f, 0x6b, 0x47, 0xa0, 0xc4, 0xe4,
26791 ++ 0xef, 0xf4, 0xea, 0xd7, 0x59, 0xac, 0x2a, 0x9e,
26792 ++ 0x8c, 0xfa, 0x1f, 0x42, 0x08, 0xfe, 0x4f, 0x74,
26793 ++ 0xa0, 0x26, 0xf5, 0xb3, 0x84, 0xf6, 0x58, 0x5f,
26794 ++ 0x26, 0x66, 0x3e, 0xd7, 0xe4, 0x22, 0x91, 0x13,
26795 ++ 0xc8, 0xac, 0x25, 0x96, 0x23, 0xd8, 0x09, 0xea,
26796 ++ 0x45, 0x75, 0x23, 0xb8, 0x5f, 0xc2, 0x90, 0x8b,
26797 ++ 0x09, 0xc4, 0xfc, 0x47, 0x6c, 0x6d, 0x0a, 0xef,
26798 ++ 0x69, 0xa4, 0x38, 0x19, 0xcf, 0x7d, 0xf9, 0x09,
26799 ++ 0x73, 0x9b, 0x60, 0x5a, 0xf7, 0x37, 0xb5, 0xfe,
26800 ++ 0x9f, 0xe3, 0x2b, 0x4c, 0x0d, 0x6e, 0x19, 0xf1,
26801 ++ 0xd6, 0xc0, 0x70, 0xf3, 0x9d, 0x22, 0x3c, 0xf9,
26802 ++ 0x49, 0xce, 0x30, 0x8e, 0x44, 0xb5, 0x76, 0x15,
26803 ++ 0x8f, 0x52, 0xfd, 0xa5, 0x04, 0xb8, 0x55, 0x6a,
26804 ++ 0x36, 0x59, 0x7c, 0xc4, 0x48, 0xb8, 0xd7, 0xab,
26805 ++ 0x05, 0x66, 0xe9, 0x5e, 0x21, 0x6f, 0x6b, 0x36,
26806 ++ 0x29, 0xbb, 0xe9, 0xe3, 0xa2, 0x9a, 0xa8, 0xcd,
26807 ++ 0x55, 0x25, 0x11, 0xba, 0x5a, 0x58, 0xa0, 0xde,
26808 ++ 0xae, 0x19, 0x2a, 0x48, 0x5a, 0xff, 0x36, 0xcd,
26809 ++ 0x6d, 0x16, 0x7a, 0x73, 0x38, 0x46, 0xe5, 0x47,
26810 ++ 0x59, 0xc8, 0xa2, 0xf6, 0xe2, 0x6c, 0x83, 0xc5,
26811 ++ 0x36, 0x2c, 0x83, 0x7d, 0xb4, 0x01, 0x05, 0x69,
26812 ++ 0xe7, 0xaf, 0x5c, 0xc4, 0x64, 0x82, 0x12, 0x21,
26813 ++ 0xef, 0xf7, 0xd1, 0x7d, 0xb8, 0x8d, 0x8c, 0x98,
26814 ++ 0x7c, 0x5f, 0x7d, 0x92, 0x88, 0xb9, 0x94, 0x07,
26815 ++ 0x9c, 0xd8, 0xe9, 0x9c, 0x17, 0x38, 0xe3, 0x57,
26816 ++ 0x6c, 0xe0, 0xdc, 0xa5, 0x92, 0x42, 0xb3, 0xbd,
26817 ++ 0x50, 0xa2, 0x7e, 0xb5, 0xb1, 0x52, 0x72, 0x03,
26818 ++ 0x97, 0xd8, 0xaa, 0x9a, 0x1e, 0x75, 0x41, 0x11,
26819 ++ 0xa3, 0x4f, 0xcc, 0xd4, 0xe3, 0x73, 0xad, 0x96,
26820 ++ 0xdc, 0x47, 0x41, 0x9f, 0xb0, 0xbe, 0x79, 0x91,
26821 ++ 0xf5, 0xb6, 0x18, 0xfe, 0xc2, 0x83, 0x18, 0x7d,
26822 ++ 0x73, 0xd9, 0x4f, 0x83, 0x84, 0x03, 0xb3, 0xf0,
26823 ++ 0x77, 0x66, 0x3d, 0x83, 0x63, 0x2e, 0x2c, 0xf9,
26824 ++ 0xdd, 0xa6, 0x1f, 0x89, 0x82, 0xb8, 0x23, 0x42,
26825 ++ 0xeb, 0xe2, 0xca, 0x70, 0x82, 0x61, 0x41, 0x0a,
26826 ++ 0x6d, 0x5f, 0x75, 0xc5, 0xe2, 0xc4, 0x91, 0x18,
26827 ++ 0x44, 0x22, 0xfa, 0x34, 0x10, 0xf5, 0x20, 0xdc,
26828 ++ 0xb7, 0xdd, 0x2a, 0x20, 0x77, 0xf5, 0xf9, 0xce,
26829 ++ 0xdb, 0xa0, 0x0a, 0x52, 0x2a, 0x4e, 0xdd, 0xcc,
26830 ++ 0x97, 0xdf, 0x05, 0xe4, 0x5e, 0xb7, 0xaa, 0xf0,
26831 ++ 0xe2, 0x80, 0xff, 0xba, 0x1a, 0x0f, 0xac, 0xdf,
26832 ++ 0x02, 0x32, 0xe6, 0xf7, 0xc7, 0x17, 0x13, 0xb7,
26833 ++ 0xfc, 0x98, 0x48, 0x8c, 0x0d, 0x82, 0xc9, 0x80,
26834 ++ 0x7a, 0xe2, 0x0a, 0xc5, 0xb4, 0xde, 0x7c, 0x3c,
26835 ++ 0x79, 0x81, 0x0e, 0x28, 0x65, 0x79, 0x67, 0x82,
26836 ++ 0x69, 0x44, 0x66, 0x09, 0xf7, 0x16, 0x1a, 0xf9,
26837 ++ 0x7d, 0x80, 0xa1, 0x79, 0x14, 0xa9, 0xc8, 0x20,
26838 ++ 0xfb, 0xa2, 0x46, 0xbe, 0x08, 0x35, 0x17, 0x58,
26839 ++ 0xc1, 0x1a, 0xda, 0x2a, 0x6b, 0x2e, 0x1e, 0xe6,
26840 ++ 0x27, 0x55, 0x7b, 0x19, 0xe2, 0xfb, 0x64, 0xfc,
26841 ++ 0x5e, 0x15, 0x54, 0x3c, 0xe7, 0xc2, 0x11, 0x50,
26842 ++ 0x30, 0xb8, 0x72, 0x03, 0x0b, 0x1a, 0x9f, 0x86,
26843 ++ 0x27, 0x11, 0x5c, 0x06, 0x2b, 0xbd, 0x75, 0x1a,
26844 ++ 0x0a, 0xda, 0x01, 0xfa, 0x5c, 0x4a, 0xc1, 0x80,
26845 ++ 0x3a, 0x6e, 0x30, 0xc8, 0x2c, 0xeb, 0x56, 0xec,
26846 ++ 0x89, 0xfa, 0x35, 0x7b, 0xb2, 0xf0, 0x97, 0x08,
26847 ++ 0x86, 0x53, 0xbe, 0xbd, 0x40, 0x41, 0x38, 0x1c,
26848 ++ 0xb4, 0x8b, 0x79, 0x2e, 0x18, 0x96, 0x94, 0xde,
26849 ++ 0xe8, 0xca, 0xe5, 0x9f, 0x92, 0x9f, 0x15, 0x5d,
26850 ++ 0x56, 0x60, 0x5c, 0x09, 0xf9, 0x16, 0xf4, 0x17,
26851 ++ 0x0f, 0xf6, 0x4c, 0xda, 0xe6, 0x67, 0x89, 0x9f,
26852 ++ 0xca, 0x6c, 0xe7, 0x9b, 0x04, 0x62, 0x0e, 0x26,
26853 ++ 0xa6, 0x52, 0xbd, 0x29, 0xff, 0xc7, 0xa4, 0x96,
26854 ++ 0xe6, 0x6a, 0x02, 0xa5, 0x2e, 0x7b, 0xfe, 0x97,
26855 ++ 0x68, 0x3e, 0x2e, 0x5f, 0x3b, 0x0f, 0x36, 0xd6,
26856 ++ 0x98, 0x19, 0x59, 0x48, 0xd2, 0xc6, 0xe1, 0x55,
26857 ++ 0x1a, 0x6e, 0xd6, 0xed, 0x2c, 0xba, 0xc3, 0x9e,
26858 ++ 0x64, 0xc9, 0x95, 0x86, 0x35, 0x5e, 0x3e, 0x88,
26859 ++ 0x69, 0x99, 0x4b, 0xee, 0xbe, 0x9a, 0x99, 0xb5,
26860 ++ 0x6e, 0x58, 0xae, 0xdd, 0x22, 0xdb, 0xdd, 0x6b,
26861 ++ 0xfc, 0xaf, 0x90, 0xa3, 0x3d, 0xa4, 0xc1, 0x15,
26862 ++ 0x92, 0x18, 0x8d, 0xd2, 0x4b, 0x7b, 0x06, 0xd1,
26863 ++ 0x37, 0xb5, 0xe2, 0x7c, 0x2c, 0xf0, 0x25, 0xe4,
26864 ++ 0x94, 0x2a, 0xbd, 0xe3, 0x82, 0x70, 0x78, 0xa3,
26865 ++ 0x82, 0x10, 0x5a, 0x90, 0xd7, 0xa4, 0xfa, 0xaf,
26866 ++ 0x1a, 0x88, 0x59, 0xdc, 0x74, 0x12, 0xb4, 0x8e,
26867 ++ 0xd7, 0x19, 0x46, 0xf4, 0x84, 0x69, 0x9f, 0xbb,
26868 ++ 0x70, 0xa8, 0x4c, 0x52, 0x81, 0xa9, 0xff, 0x76,
26869 ++ 0x1c, 0xae, 0xd8, 0x11, 0x3d, 0x7f, 0x7d, 0xc5,
26870 ++ 0x12, 0x59, 0x28, 0x18, 0xc2, 0xa2, 0xb7, 0x1c,
26871 ++ 0x88, 0xf8, 0xd6, 0x1b, 0xa6, 0x7d, 0x9e, 0xde,
26872 ++ 0x29, 0xf8, 0xed, 0xff, 0xeb, 0x92, 0x24, 0x4f,
26873 ++ 0x05, 0xaa, 0xd9, 0x49, 0xba, 0x87, 0x59, 0x51,
26874 ++ 0xc9, 0x20, 0x5c, 0x9b, 0x74, 0xcf, 0x03, 0xd9,
26875 ++ 0x2d, 0x34, 0xc7, 0x5b, 0xa5, 0x40, 0xb2, 0x99,
26876 ++ 0xf5, 0xcb, 0xb4, 0xf6, 0xb7, 0x72, 0x4a, 0xd6,
26877 ++ 0xbd, 0xb0, 0xf3, 0x93, 0xe0, 0x1b, 0xa8, 0x04,
26878 ++ 0x1e, 0x35, 0xd4, 0x80, 0x20, 0xf4, 0x9c, 0x31,
26879 ++ 0x6b, 0x45, 0xb9, 0x15, 0xb0, 0x5e, 0xdd, 0x0a,
26880 ++ 0x33, 0x9c, 0x83, 0xcd, 0x58, 0x89, 0x50, 0x56,
26881 ++ 0xbb, 0x81, 0x00, 0x91, 0x32, 0xf3, 0x1b, 0x3e,
26882 ++ 0xcf, 0x45, 0xe1, 0xf9, 0xe1, 0x2c, 0x26, 0x78,
26883 ++ 0x93, 0x9a, 0x60, 0x46, 0xc9, 0xb5, 0x5e, 0x6a,
26884 ++ 0x28, 0x92, 0x87, 0x3f, 0x63, 0x7b, 0xdb, 0xf7,
26885 ++ 0xd0, 0x13, 0x9d, 0x32, 0x40, 0x5e, 0xcf, 0xfb,
26886 ++ 0x79, 0x68, 0x47, 0x4c, 0xfd, 0x01, 0x17, 0xe6,
26887 ++ 0x97, 0x93, 0x78, 0xbb, 0xa6, 0x27, 0xa3, 0xe8,
26888 ++ 0x1a, 0xe8, 0x94, 0x55, 0x7d, 0x08, 0xe5, 0xdc,
26889 ++ 0x66, 0xa3, 0x69, 0xc8, 0xca, 0xc5, 0xa1, 0x84,
26890 ++ 0x55, 0xde, 0x08, 0x91, 0x16, 0x3a, 0x0c, 0x86,
26891 ++ 0xab, 0x27, 0x2b, 0x64, 0x34, 0x02, 0x6c, 0x76,
26892 ++ 0x8b, 0xc6, 0xaf, 0xcc, 0xe1, 0xd6, 0x8c, 0x2a,
26893 ++ 0x18, 0x3d, 0xa6, 0x1b, 0x37, 0x75, 0x45, 0x73,
26894 ++ 0xc2, 0x75, 0xd7, 0x53, 0x78, 0x3a, 0xd6, 0xe8,
26895 ++ 0x29, 0xd2, 0x4a, 0xa8, 0x1e, 0x82, 0xf6, 0xb6,
26896 ++ 0x81, 0xde, 0x21, 0xed, 0x2b, 0x56, 0xbb, 0xf2,
26897 ++ 0xd0, 0x57, 0xc1, 0x7c, 0xd2, 0x6a, 0xd2, 0x56,
26898 ++ 0xf5, 0x13, 0x5f, 0x1c, 0x6a, 0x0b, 0x74, 0xfb,
26899 ++ 0xe9, 0xfe, 0x9e, 0xea, 0x95, 0xb2, 0x46, 0xab,
26900 ++ 0x0a, 0xfc, 0xfd, 0xf3, 0xbb, 0x04, 0x2b, 0x76,
26901 ++ 0x1b, 0xa4, 0x74, 0xb0, 0xc1, 0x78, 0xc3, 0x69,
26902 ++ 0xe2, 0xb0, 0x01, 0xe1, 0xde, 0x32, 0x4c, 0x8d,
26903 ++ 0x1a, 0xb3, 0x38, 0x08, 0xd5, 0xfc, 0x1f, 0xdc,
26904 ++ 0x0e, 0x2c, 0x9c, 0xb1, 0xa1, 0x63, 0x17, 0x22,
26905 ++ 0xf5, 0x6c, 0x93, 0x70, 0x74, 0x00, 0xf8, 0x39,
26906 ++ 0x01, 0x94, 0xd1, 0x32, 0x23, 0x56, 0x5d, 0xa6,
26907 ++ 0x02, 0x76, 0x76, 0x93, 0xce, 0x2f, 0x19, 0xe9,
26908 ++ 0x17, 0x52, 0xae, 0x6e, 0x2c, 0x6d, 0x61, 0x7f,
26909 ++ 0x3b, 0xaa, 0xe0, 0x52, 0x85, 0xc5, 0x65, 0xc1,
26910 ++ 0xbb, 0x8e, 0x5b, 0x21, 0xd5, 0xc9, 0x78, 0x83,
26911 ++ 0x07, 0x97, 0x4c, 0x62, 0x61, 0x41, 0xd4, 0xfc,
26912 ++ 0xc9, 0x39, 0xe3, 0x9b, 0xd0, 0xcc, 0x75, 0xc4,
26913 ++ 0x97, 0xe6, 0xdd, 0x2a, 0x5f, 0xa6, 0xe8, 0x59,
26914 ++ 0x6c, 0x98, 0xb9, 0x02, 0xe2, 0xa2, 0xd6, 0x68,
26915 ++ 0xee, 0x3b, 0x1d, 0xe3, 0x4d, 0x5b, 0x30, 0xef,
26916 ++ 0x03, 0xf2, 0xeb, 0x18, 0x57, 0x36, 0xe8, 0xa1,
26917 ++ 0xf4, 0x47, 0xfb, 0xcb, 0x8f, 0xcb, 0xc8, 0xf3,
26918 ++ 0x4f, 0x74, 0x9d, 0x9d, 0xb1, 0x8d, 0x14, 0x44,
26919 ++ 0xd9, 0x19, 0xb4, 0x54, 0x4f, 0x75, 0x19, 0x09,
26920 ++ 0xa0, 0x75, 0xbc, 0x3b, 0x82, 0xc6, 0x3f, 0xb8,
26921 ++ 0x83, 0x19, 0x6e, 0xd6, 0x37, 0xfe, 0x6e, 0x8a,
26922 ++ 0x4e, 0xe0, 0x4a, 0xab, 0x7b, 0xc8, 0xb4, 0x1d,
26923 ++ 0xf4, 0xed, 0x27, 0x03, 0x65, 0xa2, 0xa1, 0xae,
26924 ++ 0x11, 0xe7, 0x98, 0x78, 0x48, 0x91, 0xd2, 0xd2,
26925 ++ 0xd4, 0x23, 0x78, 0x50, 0xb1, 0x5b, 0x85, 0x10,
26926 ++ 0x8d, 0xca, 0x5f, 0x0f, 0x71, 0xae, 0x72, 0x9a,
26927 ++ 0xf6, 0x25, 0x19, 0x60, 0x06, 0xf7, 0x10, 0x34,
26928 ++ 0x18, 0x0d, 0xc9, 0x9f, 0x7b, 0x0c, 0x9b, 0x8f,
26929 ++ 0x91, 0x1b, 0x9f, 0xcd, 0x10, 0xee, 0x75, 0xf9,
26930 ++ 0x97, 0x66, 0xfc, 0x4d, 0x33, 0x6e, 0x28, 0x2b,
26931 ++ 0x92, 0x85, 0x4f, 0xab, 0x43, 0x8d, 0x8f, 0x7d,
26932 ++ 0x86, 0xa7, 0xc7, 0xd8, 0xd3, 0x0b, 0x8b, 0x57,
26933 ++ 0xb6, 0x1d, 0x95, 0x0d, 0xe9, 0xbc, 0xd9, 0x03,
26934 ++ 0xd9, 0x10, 0x19, 0xc3, 0x46, 0x63, 0x55, 0x87,
26935 ++ 0x61, 0x79, 0x6c, 0x95, 0x0e, 0x9c, 0xdd, 0xca,
26936 ++ 0xc3, 0xf3, 0x64, 0xf0, 0x7d, 0x76, 0xb7, 0x53,
26937 ++ 0x67, 0x2b, 0x1e, 0x44, 0x56, 0x81, 0xea, 0x8f,
26938 ++ 0x5c, 0x42, 0x16, 0xb8, 0x28, 0xeb, 0x1b, 0x61,
26939 ++ 0x10, 0x1e, 0xbf, 0xec, 0xa8
26940 ++};
26941 ++static const u8 dec_assoc011[] __initconst = {
26942 ++ 0xd6, 0x31, 0xda, 0x5d, 0x42, 0x5e, 0xd7
26943 ++};
26944 ++static const u8 dec_nonce011[] __initconst = {
26945 ++ 0xfd, 0x87, 0xd4, 0xd8, 0x62, 0xfd, 0xec, 0xaa
26946 ++};
26947 ++static const u8 dec_key011[] __initconst = {
26948 ++ 0x35, 0x4e, 0xb5, 0x70, 0x50, 0x42, 0x8a, 0x85,
26949 ++ 0xf2, 0xfb, 0xed, 0x7b, 0xd0, 0x9e, 0x97, 0xca,
26950 ++ 0xfa, 0x98, 0x66, 0x63, 0xee, 0x37, 0xcc, 0x52,
26951 ++ 0xfe, 0xd1, 0xdf, 0x95, 0x15, 0x34, 0x29, 0x38
26952 ++};
26953 ++
26954 ++static const u8 dec_input012[] __initconst = {
26955 ++ 0x52, 0x34, 0xb3, 0x65, 0x3b, 0xb7, 0xe5, 0xd3,
26956 ++ 0xab, 0x49, 0x17, 0x60, 0xd2, 0x52, 0x56, 0xdf,
26957 ++ 0xdf, 0x34, 0x56, 0x82, 0xe2, 0xbe, 0xe5, 0xe1,
26958 ++ 0x28, 0xd1, 0x4e, 0x5f, 0x4f, 0x01, 0x7d, 0x3f,
26959 ++ 0x99, 0x6b, 0x30, 0x6e, 0x1a, 0x7c, 0x4c, 0x8e,
26960 ++ 0x62, 0x81, 0xae, 0x86, 0x3f, 0x6b, 0xd0, 0xb5,
26961 ++ 0xa9, 0xcf, 0x50, 0xf1, 0x02, 0x12, 0xa0, 0x0b,
26962 ++ 0x24, 0xe9, 0xe6, 0x72, 0x89, 0x2c, 0x52, 0x1b,
26963 ++ 0x34, 0x38, 0xf8, 0x75, 0x5f, 0xa0, 0x74, 0xe2,
26964 ++ 0x99, 0xdd, 0xa6, 0x4b, 0x14, 0x50, 0x4e, 0xf1,
26965 ++ 0xbe, 0xd6, 0x9e, 0xdb, 0xb2, 0x24, 0x27, 0x74,
26966 ++ 0x12, 0x4a, 0x78, 0x78, 0x17, 0xa5, 0x58, 0x8e,
26967 ++ 0x2f, 0xf9, 0xf4, 0x8d, 0xee, 0x03, 0x88, 0xae,
26968 ++ 0xb8, 0x29, 0xa1, 0x2f, 0x4b, 0xee, 0x92, 0xbd,
26969 ++ 0x87, 0xb3, 0xce, 0x34, 0x21, 0x57, 0x46, 0x04,
26970 ++ 0x49, 0x0c, 0x80, 0xf2, 0x01, 0x13, 0xa1, 0x55,
26971 ++ 0xb3, 0xff, 0x44, 0x30, 0x3c, 0x1c, 0xd0, 0xef,
26972 ++ 0xbc, 0x18, 0x74, 0x26, 0xad, 0x41, 0x5b, 0x5b,
26973 ++ 0x3e, 0x9a, 0x7a, 0x46, 0x4f, 0x16, 0xd6, 0x74,
26974 ++ 0x5a, 0xb7, 0x3a, 0x28, 0x31, 0xd8, 0xae, 0x26,
26975 ++ 0xac, 0x50, 0x53, 0x86, 0xf2, 0x56, 0xd7, 0x3f,
26976 ++ 0x29, 0xbc, 0x45, 0x68, 0x8e, 0xcb, 0x98, 0x64,
26977 ++ 0xdd, 0xc9, 0xba, 0xb8, 0x4b, 0x7b, 0x82, 0xdd,
26978 ++ 0x14, 0xa7, 0xcb, 0x71, 0x72, 0x00, 0x5c, 0xad,
26979 ++ 0x7b, 0x6a, 0x89, 0xa4, 0x3d, 0xbf, 0xb5, 0x4b,
26980 ++ 0x3e, 0x7c, 0x5a, 0xcf, 0xb8, 0xa1, 0xc5, 0x6e,
26981 ++ 0xc8, 0xb6, 0x31, 0x57, 0x7b, 0xdf, 0xa5, 0x7e,
26982 ++ 0xb1, 0xd6, 0x42, 0x2a, 0x31, 0x36, 0xd1, 0xd0,
26983 ++ 0x3f, 0x7a, 0xe5, 0x94, 0xd6, 0x36, 0xa0, 0x6f,
26984 ++ 0xb7, 0x40, 0x7d, 0x37, 0xc6, 0x55, 0x7c, 0x50,
26985 ++ 0x40, 0x6d, 0x29, 0x89, 0xe3, 0x5a, 0xae, 0x97,
26986 ++ 0xe7, 0x44, 0x49, 0x6e, 0xbd, 0x81, 0x3d, 0x03,
26987 ++ 0x93, 0x06, 0x12, 0x06, 0xe2, 0x41, 0x12, 0x4a,
26988 ++ 0xf1, 0x6a, 0xa4, 0x58, 0xa2, 0xfb, 0xd2, 0x15,
26989 ++ 0xba, 0xc9, 0x79, 0xc9, 0xce, 0x5e, 0x13, 0xbb,
26990 ++ 0xf1, 0x09, 0x04, 0xcc, 0xfd, 0xe8, 0x51, 0x34,
26991 ++ 0x6a, 0xe8, 0x61, 0x88, 0xda, 0xed, 0x01, 0x47,
26992 ++ 0x84, 0xf5, 0x73, 0x25, 0xf9, 0x1c, 0x42, 0x86,
26993 ++ 0x07, 0xf3, 0x5b, 0x1a, 0x01, 0xb3, 0xeb, 0x24,
26994 ++ 0x32, 0x8d, 0xf6, 0xed, 0x7c, 0x4b, 0xeb, 0x3c,
26995 ++ 0x36, 0x42, 0x28, 0xdf, 0xdf, 0xb6, 0xbe, 0xd9,
26996 ++ 0x8c, 0x52, 0xd3, 0x2b, 0x08, 0x90, 0x8c, 0xe7,
26997 ++ 0x98, 0x31, 0xe2, 0x32, 0x8e, 0xfc, 0x11, 0x48,
26998 ++ 0x00, 0xa8, 0x6a, 0x42, 0x4a, 0x02, 0xc6, 0x4b,
26999 ++ 0x09, 0xf1, 0xe3, 0x49, 0xf3, 0x45, 0x1f, 0x0e,
27000 ++ 0xbc, 0x56, 0xe2, 0xe4, 0xdf, 0xfb, 0xeb, 0x61,
27001 ++ 0xfa, 0x24, 0xc1, 0x63, 0x75, 0xbb, 0x47, 0x75,
27002 ++ 0xaf, 0xe1, 0x53, 0x16, 0x96, 0x21, 0x85, 0x26,
27003 ++ 0x11, 0xb3, 0x76, 0xe3, 0x23, 0xa1, 0x6b, 0x74,
27004 ++ 0x37, 0xd0, 0xde, 0x06, 0x90, 0x71, 0x5d, 0x43,
27005 ++ 0x88, 0x9b, 0x00, 0x54, 0xa6, 0x75, 0x2f, 0xa1,
27006 ++ 0xc2, 0x0b, 0x73, 0x20, 0x1d, 0xb6, 0x21, 0x79,
27007 ++ 0x57, 0x3f, 0xfa, 0x09, 0xbe, 0x8a, 0x33, 0xc3,
27008 ++ 0x52, 0xf0, 0x1d, 0x82, 0x31, 0xd1, 0x55, 0xb5,
27009 ++ 0x6c, 0x99, 0x25, 0xcf, 0x5c, 0x32, 0xce, 0xe9,
27010 ++ 0x0d, 0xfa, 0x69, 0x2c, 0xd5, 0x0d, 0xc5, 0x6d,
27011 ++ 0x86, 0xd0, 0x0c, 0x3b, 0x06, 0x50, 0x79, 0xe8,
27012 ++ 0xc3, 0xae, 0x04, 0xe6, 0xcd, 0x51, 0xe4, 0x26,
27013 ++ 0x9b, 0x4f, 0x7e, 0xa6, 0x0f, 0xab, 0xd8, 0xe5,
27014 ++ 0xde, 0xa9, 0x00, 0x95, 0xbe, 0xa3, 0x9d, 0x5d,
27015 ++ 0xb2, 0x09, 0x70, 0x18, 0x1c, 0xf0, 0xac, 0x29,
27016 ++ 0x23, 0x02, 0x29, 0x28, 0xd2, 0x74, 0x35, 0x57,
27017 ++ 0x62, 0x0f, 0x24, 0xea, 0x5e, 0x33, 0xc2, 0x92,
27018 ++ 0xf3, 0x78, 0x4d, 0x30, 0x1e, 0xa1, 0x99, 0xa9,
27019 ++ 0x82, 0xb0, 0x42, 0x31, 0x8d, 0xad, 0x8a, 0xbc,
27020 ++ 0xfc, 0xd4, 0x57, 0x47, 0x3e, 0xb4, 0x50, 0xdd,
27021 ++ 0x6e, 0x2c, 0x80, 0x4d, 0x22, 0xf1, 0xfb, 0x57,
27022 ++ 0xc4, 0xdd, 0x17, 0xe1, 0x8a, 0x36, 0x4a, 0xb3,
27023 ++ 0x37, 0xca, 0xc9, 0x4e, 0xab, 0xd5, 0x69, 0xc4,
27024 ++ 0xf4, 0xbc, 0x0b, 0x3b, 0x44, 0x4b, 0x29, 0x9c,
27025 ++ 0xee, 0xd4, 0x35, 0x22, 0x21, 0xb0, 0x1f, 0x27,
27026 ++ 0x64, 0xa8, 0x51, 0x1b, 0xf0, 0x9f, 0x19, 0x5c,
27027 ++ 0xfb, 0x5a, 0x64, 0x74, 0x70, 0x45, 0x09, 0xf5,
27028 ++ 0x64, 0xfe, 0x1a, 0x2d, 0xc9, 0x14, 0x04, 0x14,
27029 ++ 0xcf, 0xd5, 0x7d, 0x60, 0xaf, 0x94, 0x39, 0x94,
27030 ++ 0xe2, 0x7d, 0x79, 0x82, 0xd0, 0x65, 0x3b, 0x6b,
27031 ++ 0x9c, 0x19, 0x84, 0xb4, 0x6d, 0xb3, 0x0c, 0x99,
27032 ++ 0xc0, 0x56, 0xa8, 0xbd, 0x73, 0xce, 0x05, 0x84,
27033 ++ 0x3e, 0x30, 0xaa, 0xc4, 0x9b, 0x1b, 0x04, 0x2a,
27034 ++ 0x9f, 0xd7, 0x43, 0x2b, 0x23, 0xdf, 0xbf, 0xaa,
27035 ++ 0xd5, 0xc2, 0x43, 0x2d, 0x70, 0xab, 0xdc, 0x75,
27036 ++ 0xad, 0xac, 0xf7, 0xc0, 0xbe, 0x67, 0xb2, 0x74,
27037 ++ 0xed, 0x67, 0x10, 0x4a, 0x92, 0x60, 0xc1, 0x40,
27038 ++ 0x50, 0x19, 0x8a, 0x8a, 0x8c, 0x09, 0x0e, 0x72,
27039 ++ 0xe1, 0x73, 0x5e, 0xe8, 0x41, 0x85, 0x63, 0x9f,
27040 ++ 0x3f, 0xd7, 0x7d, 0xc4, 0xfb, 0x22, 0x5d, 0x92,
27041 ++ 0x6c, 0xb3, 0x1e, 0xe2, 0x50, 0x2f, 0x82, 0xa8,
27042 ++ 0x28, 0xc0, 0xb5, 0xd7, 0x5f, 0x68, 0x0d, 0x2c,
27043 ++ 0x2d, 0xaf, 0x7e, 0xfa, 0x2e, 0x08, 0x0f, 0x1f,
27044 ++ 0x70, 0x9f, 0xe9, 0x19, 0x72, 0x55, 0xf8, 0xfb,
27045 ++ 0x51, 0xd2, 0x33, 0x5d, 0xa0, 0xd3, 0x2b, 0x0a,
27046 ++ 0x6c, 0xbc, 0x4e, 0xcf, 0x36, 0x4d, 0xdc, 0x3b,
27047 ++ 0xe9, 0x3e, 0x81, 0x7c, 0x61, 0xdb, 0x20, 0x2d,
27048 ++ 0x3a, 0xc3, 0xb3, 0x0c, 0x1e, 0x00, 0xb9, 0x7c,
27049 ++ 0xf5, 0xca, 0x10, 0x5f, 0x3a, 0x71, 0xb3, 0xe4,
27050 ++ 0x20, 0xdb, 0x0c, 0x2a, 0x98, 0x63, 0x45, 0x00,
27051 ++ 0x58, 0xf6, 0x68, 0xe4, 0x0b, 0xda, 0x13, 0x3b,
27052 ++ 0x60, 0x5c, 0x76, 0xdb, 0xb9, 0x97, 0x71, 0xe4,
27053 ++ 0xd9, 0xb7, 0xdb, 0xbd, 0x68, 0xc7, 0x84, 0x84,
27054 ++ 0xaa, 0x7c, 0x68, 0x62, 0x5e, 0x16, 0xfc, 0xba,
27055 ++ 0x72, 0xaa, 0x9a, 0xa9, 0xeb, 0x7c, 0x75, 0x47,
27056 ++ 0x97, 0x7e, 0xad, 0xe2, 0xd9, 0x91, 0xe8, 0xe4,
27057 ++ 0xa5, 0x31, 0xd7, 0x01, 0x8e, 0xa2, 0x11, 0x88,
27058 ++ 0x95, 0xb9, 0xf2, 0x9b, 0xd3, 0x7f, 0x1b, 0x81,
27059 ++ 0x22, 0xf7, 0x98, 0x60, 0x0a, 0x64, 0xa6, 0xc1,
27060 ++ 0xf6, 0x49, 0xc7, 0xe3, 0x07, 0x4d, 0x94, 0x7a,
27061 ++ 0xcf, 0x6e, 0x68, 0x0c, 0x1b, 0x3f, 0x6e, 0x2e,
27062 ++ 0xee, 0x92, 0xfa, 0x52, 0xb3, 0x59, 0xf8, 0xf1,
27063 ++ 0x8f, 0x6a, 0x66, 0xa3, 0x82, 0x76, 0x4a, 0x07,
27064 ++ 0x1a, 0xc7, 0xdd, 0xf5, 0xda, 0x9c, 0x3c, 0x24,
27065 ++ 0xbf, 0xfd, 0x42, 0xa1, 0x10, 0x64, 0x6a, 0x0f,
27066 ++ 0x89, 0xee, 0x36, 0xa5, 0xce, 0x99, 0x48, 0x6a,
27067 ++ 0xf0, 0x9f, 0x9e, 0x69, 0xa4, 0x40, 0x20, 0xe9,
27068 ++ 0x16, 0x15, 0xf7, 0xdb, 0x75, 0x02, 0xcb, 0xe9,
27069 ++ 0x73, 0x8b, 0x3b, 0x49, 0x2f, 0xf0, 0xaf, 0x51,
27070 ++ 0x06, 0x5c, 0xdf, 0x27, 0x27, 0x49, 0x6a, 0xd1,
27071 ++ 0xcc, 0xc7, 0xb5, 0x63, 0xb5, 0xfc, 0xb8, 0x5c,
27072 ++ 0x87, 0x7f, 0x84, 0xb4, 0xcc, 0x14, 0xa9, 0x53,
27073 ++ 0xda, 0xa4, 0x56, 0xf8, 0xb6, 0x1b, 0xcc, 0x40,
27074 ++ 0x27, 0x52, 0x06, 0x5a, 0x13, 0x81, 0xd7, 0x3a,
27075 ++ 0xd4, 0x3b, 0xfb, 0x49, 0x65, 0x31, 0x33, 0xb2,
27076 ++ 0xfa, 0xcd, 0xad, 0x58, 0x4e, 0x2b, 0xae, 0xd2,
27077 ++ 0x20, 0xfb, 0x1a, 0x48, 0xb4, 0x3f, 0x9a, 0xd8,
27078 ++ 0x7a, 0x35, 0x4a, 0xc8, 0xee, 0x88, 0x5e, 0x07,
27079 ++ 0x66, 0x54, 0xb9, 0xec, 0x9f, 0xa3, 0xe3, 0xb9,
27080 ++ 0x37, 0xaa, 0x49, 0x76, 0x31, 0xda, 0x74, 0x2d,
27081 ++ 0x3c, 0xa4, 0x65, 0x10, 0x32, 0x38, 0xf0, 0xde,
27082 ++ 0xd3, 0x99, 0x17, 0xaa, 0x71, 0xaa, 0x8f, 0x0f,
27083 ++ 0x8c, 0xaf, 0xa2, 0xf8, 0x5d, 0x64, 0xba, 0x1d,
27084 ++ 0xa3, 0xef, 0x96, 0x73, 0xe8, 0xa1, 0x02, 0x8d,
27085 ++ 0x0c, 0x6d, 0xb8, 0x06, 0x90, 0xb8, 0x08, 0x56,
27086 ++ 0x2c, 0xa7, 0x06, 0xc9, 0xc2, 0x38, 0xdb, 0x7c,
27087 ++ 0x63, 0xb1, 0x57, 0x8e, 0xea, 0x7c, 0x79, 0xf3,
27088 ++ 0x49, 0x1d, 0xfe, 0x9f, 0xf3, 0x6e, 0xb1, 0x1d,
27089 ++ 0xba, 0x19, 0x80, 0x1a, 0x0a, 0xd3, 0xb0, 0x26,
27090 ++ 0x21, 0x40, 0xb1, 0x7c, 0xf9, 0x4d, 0x8d, 0x10,
27091 ++ 0xc1, 0x7e, 0xf4, 0xf6, 0x3c, 0xa8, 0xfd, 0x7c,
27092 ++ 0xa3, 0x92, 0xb2, 0x0f, 0xaa, 0xcc, 0xa6, 0x11,
27093 ++ 0xfe, 0x04, 0xe3, 0xd1, 0x7a, 0x32, 0x89, 0xdf,
27094 ++ 0x0d, 0xc4, 0x8f, 0x79, 0x6b, 0xca, 0x16, 0x7c,
27095 ++ 0x6e, 0xf9, 0xad, 0x0f, 0xf6, 0xfe, 0x27, 0xdb,
27096 ++ 0xc4, 0x13, 0x70, 0xf1, 0x62, 0x1a, 0x4f, 0x79,
27097 ++ 0x40, 0xc9, 0x9b, 0x8b, 0x21, 0xea, 0x84, 0xfa,
27098 ++ 0xf5, 0xf1, 0x89, 0xce, 0xb7, 0x55, 0x0a, 0x80,
27099 ++ 0x39, 0x2f, 0x55, 0x36, 0x16, 0x9c, 0x7b, 0x08,
27100 ++ 0xbd, 0x87, 0x0d, 0xa5, 0x32, 0xf1, 0x52, 0x7c,
27101 ++ 0xe8, 0x55, 0x60, 0x5b, 0xd7, 0x69, 0xe4, 0xfc,
27102 ++ 0xfa, 0x12, 0x85, 0x96, 0xea, 0x50, 0x28, 0xab,
27103 ++ 0x8a, 0xf7, 0xbb, 0x0e, 0x53, 0x74, 0xca, 0xa6,
27104 ++ 0x27, 0x09, 0xc2, 0xb5, 0xde, 0x18, 0x14, 0xd9,
27105 ++ 0xea, 0xe5, 0x29, 0x1c, 0x40, 0x56, 0xcf, 0xd7,
27106 ++ 0xae, 0x05, 0x3f, 0x65, 0xaf, 0x05, 0x73, 0xe2,
27107 ++ 0x35, 0x96, 0x27, 0x07, 0x14, 0xc0, 0xad, 0x33,
27108 ++ 0xf1, 0xdc, 0x44, 0x7a, 0x89, 0x17, 0x77, 0xd2,
27109 ++ 0x9c, 0x58, 0x60, 0xf0, 0x3f, 0x7b, 0x2d, 0x2e,
27110 ++ 0x57, 0x95, 0x54, 0x87, 0xed, 0xf2, 0xc7, 0x4c,
27111 ++ 0xf0, 0xae, 0x56, 0x29, 0x19, 0x7d, 0x66, 0x4b,
27112 ++ 0x9b, 0x83, 0x84, 0x42, 0x3b, 0x01, 0x25, 0x66,
27113 ++ 0x8e, 0x02, 0xde, 0xb9, 0x83, 0x54, 0x19, 0xf6,
27114 ++ 0x9f, 0x79, 0x0d, 0x67, 0xc5, 0x1d, 0x7a, 0x44,
27115 ++ 0x02, 0x98, 0xa7, 0x16, 0x1c, 0x29, 0x0d, 0x74,
27116 ++ 0xff, 0x85, 0x40, 0x06, 0xef, 0x2c, 0xa9, 0xc6,
27117 ++ 0xf5, 0x53, 0x07, 0x06, 0xae, 0xe4, 0xfa, 0x5f,
27118 ++ 0xd8, 0x39, 0x4d, 0xf1, 0x9b, 0x6b, 0xd9, 0x24,
27119 ++ 0x84, 0xfe, 0x03, 0x4c, 0xb2, 0x3f, 0xdf, 0xa1,
27120 ++ 0x05, 0x9e, 0x50, 0x14, 0x5a, 0xd9, 0x1a, 0xa2,
27121 ++ 0xa7, 0xfa, 0xfa, 0x17, 0xf7, 0x78, 0xd6, 0xb5,
27122 ++ 0x92, 0x61, 0x91, 0xac, 0x36, 0xfa, 0x56, 0x0d,
27123 ++ 0x38, 0x32, 0x18, 0x85, 0x08, 0x58, 0x37, 0xf0,
27124 ++ 0x4b, 0xdb, 0x59, 0xe7, 0xa4, 0x34, 0xc0, 0x1b,
27125 ++ 0x01, 0xaf, 0x2d, 0xde, 0xa1, 0xaa, 0x5d, 0xd3,
27126 ++ 0xec, 0xe1, 0xd4, 0xf7, 0xe6, 0x54, 0x68, 0xf0,
27127 ++ 0x51, 0x97, 0xa7, 0x89, 0xea, 0x24, 0xad, 0xd3,
27128 ++ 0x6e, 0x47, 0x93, 0x8b, 0x4b, 0xb4, 0xf7, 0x1c,
27129 ++ 0x42, 0x06, 0x67, 0xe8, 0x99, 0xf6, 0xf5, 0x7b,
27130 ++ 0x85, 0xb5, 0x65, 0xb5, 0xb5, 0xd2, 0x37, 0xf5,
27131 ++ 0xf3, 0x02, 0xa6, 0x4d, 0x11, 0xa7, 0xdc, 0x51,
27132 ++ 0x09, 0x7f, 0xa0, 0xd8, 0x88, 0x1c, 0x13, 0x71,
27133 ++ 0xae, 0x9c, 0xb7, 0x7b, 0x34, 0xd6, 0x4e, 0x68,
27134 ++ 0x26, 0x83, 0x51, 0xaf, 0x1d, 0xee, 0x8b, 0xbb,
27135 ++ 0x69, 0x43, 0x2b, 0x9e, 0x8a, 0xbc, 0x02, 0x0e,
27136 ++ 0xa0, 0x1b, 0xe0, 0xa8, 0x5f, 0x6f, 0xaf, 0x1b,
27137 ++ 0x8f, 0xe7, 0x64, 0x71, 0x74, 0x11, 0x7e, 0xa8,
27138 ++ 0xd8, 0xf9, 0x97, 0x06, 0xc3, 0xb6, 0xfb, 0xfb,
27139 ++ 0xb7, 0x3d, 0x35, 0x9d, 0x3b, 0x52, 0xed, 0x54,
27140 ++ 0xca, 0xf4, 0x81, 0x01, 0x2d, 0x1b, 0xc3, 0xa7,
27141 ++ 0x00, 0x3d, 0x1a, 0x39, 0x54, 0xe1, 0xf6, 0xff,
27142 ++ 0xed, 0x6f, 0x0b, 0x5a, 0x68, 0xda, 0x58, 0xdd,
27143 ++ 0xa9, 0xcf, 0x5c, 0x4a, 0xe5, 0x09, 0x4e, 0xde,
27144 ++ 0x9d, 0xbc, 0x3e, 0xee, 0x5a, 0x00, 0x3b, 0x2c,
27145 ++ 0x87, 0x10, 0x65, 0x60, 0xdd, 0xd7, 0x56, 0xd1,
27146 ++ 0x4c, 0x64, 0x45, 0xe4, 0x21, 0xec, 0x78, 0xf8,
27147 ++ 0x25, 0x7a, 0x3e, 0x16, 0x5d, 0x09, 0x53, 0x14,
27148 ++ 0xbe, 0x4f, 0xae, 0x87, 0xd8, 0xd1, 0xaa, 0x3c,
27149 ++ 0xf6, 0x3e, 0xa4, 0x70, 0x8c, 0x5e, 0x70, 0xa4,
27150 ++ 0xb3, 0x6b, 0x66, 0x73, 0xd3, 0xbf, 0x31, 0x06,
27151 ++ 0x19, 0x62, 0x93, 0x15, 0xf2, 0x86, 0xe4, 0x52,
27152 ++ 0x7e, 0x53, 0x4c, 0x12, 0x38, 0xcc, 0x34, 0x7d,
27153 ++ 0x57, 0xf6, 0x42, 0x93, 0x8a, 0xc4, 0xee, 0x5c,
27154 ++ 0x8a, 0xe1, 0x52, 0x8f, 0x56, 0x64, 0xf6, 0xa6,
27155 ++ 0xd1, 0x91, 0x57, 0x70, 0xcd, 0x11, 0x76, 0xf5,
27156 ++ 0x59, 0x60, 0x60, 0x3c, 0xc1, 0xc3, 0x0b, 0x7f,
27157 ++ 0x58, 0x1a, 0x50, 0x91, 0xf1, 0x68, 0x8f, 0x6e,
27158 ++ 0x74, 0x74, 0xa8, 0x51, 0x0b, 0xf7, 0x7a, 0x98,
27159 ++ 0x37, 0xf2, 0x0a, 0x0e, 0xa4, 0x97, 0x04, 0xb8,
27160 ++ 0x9b, 0xfd, 0xa0, 0xea, 0xf7, 0x0d, 0xe1, 0xdb,
27161 ++ 0x03, 0xf0, 0x31, 0x29, 0xf8, 0xdd, 0x6b, 0x8b,
27162 ++ 0x5d, 0xd8, 0x59, 0xa9, 0x29, 0xcf, 0x9a, 0x79,
27163 ++ 0x89, 0x19, 0x63, 0x46, 0x09, 0x79, 0x6a, 0x11,
27164 ++ 0xda, 0x63, 0x68, 0x48, 0x77, 0x23, 0xfb, 0x7d,
27165 ++ 0x3a, 0x43, 0xcb, 0x02, 0x3b, 0x7a, 0x6d, 0x10,
27166 ++ 0x2a, 0x9e, 0xac, 0xf1, 0xd4, 0x19, 0xf8, 0x23,
27167 ++ 0x64, 0x1d, 0x2c, 0x5f, 0xf2, 0xb0, 0x5c, 0x23,
27168 ++ 0x27, 0xf7, 0x27, 0x30, 0x16, 0x37, 0xb1, 0x90,
27169 ++ 0xab, 0x38, 0xfb, 0x55, 0xcd, 0x78, 0x58, 0xd4,
27170 ++ 0x7d, 0x43, 0xf6, 0x45, 0x5e, 0x55, 0x8d, 0xb1,
27171 ++ 0x02, 0x65, 0x58, 0xb4, 0x13, 0x4b, 0x36, 0xf7,
27172 ++ 0xcc, 0xfe, 0x3d, 0x0b, 0x82, 0xe2, 0x12, 0x11,
27173 ++ 0xbb, 0xe6, 0xb8, 0x3a, 0x48, 0x71, 0xc7, 0x50,
27174 ++ 0x06, 0x16, 0x3a, 0xe6, 0x7c, 0x05, 0xc7, 0xc8,
27175 ++ 0x4d, 0x2f, 0x08, 0x6a, 0x17, 0x9a, 0x95, 0x97,
27176 ++ 0x50, 0x68, 0xdc, 0x28, 0x18, 0xc4, 0x61, 0x38,
27177 ++ 0xb9, 0xe0, 0x3e, 0x78, 0xdb, 0x29, 0xe0, 0x9f,
27178 ++ 0x52, 0xdd, 0xf8, 0x4f, 0x91, 0xc1, 0xd0, 0x33,
27179 ++ 0xa1, 0x7a, 0x8e, 0x30, 0x13, 0x82, 0x07, 0x9f,
27180 ++ 0xd3, 0x31, 0x0f, 0x23, 0xbe, 0x32, 0x5a, 0x75,
27181 ++ 0xcf, 0x96, 0xb2, 0xec, 0xb5, 0x32, 0xac, 0x21,
27182 ++ 0xd1, 0x82, 0x33, 0xd3, 0x15, 0x74, 0xbd, 0x90,
27183 ++ 0xf1, 0x2c, 0xe6, 0x5f, 0x8d, 0xe3, 0x02, 0xe8,
27184 ++ 0xe9, 0xc4, 0xca, 0x96, 0xeb, 0x0e, 0xbc, 0x91,
27185 ++ 0xf4, 0xb9, 0xea, 0xd9, 0x1b, 0x75, 0xbd, 0xe1,
27186 ++ 0xac, 0x2a, 0x05, 0x37, 0x52, 0x9b, 0x1b, 0x3f,
27187 ++ 0x5a, 0xdc, 0x21, 0xc3, 0x98, 0xbb, 0xaf, 0xa3,
27188 ++ 0xf2, 0x00, 0xbf, 0x0d, 0x30, 0x89, 0x05, 0xcc,
27189 ++ 0xa5, 0x76, 0xf5, 0x06, 0xf0, 0xc6, 0x54, 0x8a,
27190 ++ 0x5d, 0xd4, 0x1e, 0xc1, 0xf2, 0xce, 0xb0, 0x62,
27191 ++ 0xc8, 0xfc, 0x59, 0x42, 0x9a, 0x90, 0x60, 0x55,
27192 ++ 0xfe, 0x88, 0xa5, 0x8b, 0xb8, 0x33, 0x0c, 0x23,
27193 ++ 0x24, 0x0d, 0x15, 0x70, 0x37, 0x1e, 0x3d, 0xf6,
27194 ++ 0xd2, 0xea, 0x92, 0x10, 0xb2, 0xc4, 0x51, 0xac,
27195 ++ 0xf2, 0xac, 0xf3, 0x6b, 0x6c, 0xaa, 0xcf, 0x12,
27196 ++ 0xc5, 0x6c, 0x90, 0x50, 0xb5, 0x0c, 0xfc, 0x1a,
27197 ++ 0x15, 0x52, 0xe9, 0x26, 0xc6, 0x52, 0xa4, 0xe7,
27198 ++ 0x81, 0x69, 0xe1, 0xe7, 0x9e, 0x30, 0x01, 0xec,
27199 ++ 0x84, 0x89, 0xb2, 0x0d, 0x66, 0xdd, 0xce, 0x28,
27200 ++ 0x5c, 0xec, 0x98, 0x46, 0x68, 0x21, 0x9f, 0x88,
27201 ++ 0x3f, 0x1f, 0x42, 0x77, 0xce, 0xd0, 0x61, 0xd4,
27202 ++ 0x20, 0xa7, 0xff, 0x53, 0xad, 0x37, 0xd0, 0x17,
27203 ++ 0x35, 0xc9, 0xfc, 0xba, 0x0a, 0x78, 0x3f, 0xf2,
27204 ++ 0xcc, 0x86, 0x89, 0xe8, 0x4b, 0x3c, 0x48, 0x33,
27205 ++ 0x09, 0x7f, 0xc6, 0xc0, 0xdd, 0xb8, 0xfd, 0x7a,
27206 ++ 0x66, 0x66, 0x65, 0xeb, 0x47, 0xa7, 0x04, 0x28,
27207 ++ 0xa3, 0x19, 0x8e, 0xa9, 0xb1, 0x13, 0x67, 0x62,
27208 ++ 0x70, 0xcf, 0xd6
27209 ++};
27210 ++static const u8 dec_output012[] __initconst = {
27211 ++ 0x74, 0xa6, 0x3e, 0xe4, 0xb1, 0xcb, 0xaf, 0xb0,
27212 ++ 0x40, 0xe5, 0x0f, 0x9e, 0xf1, 0xf2, 0x89, 0xb5,
27213 ++ 0x42, 0x34, 0x8a, 0xa1, 0x03, 0xb7, 0xe9, 0x57,
27214 ++ 0x46, 0xbe, 0x20, 0xe4, 0x6e, 0xb0, 0xeb, 0xff,
27215 ++ 0xea, 0x07, 0x7e, 0xef, 0xe2, 0x55, 0x9f, 0xe5,
27216 ++ 0x78, 0x3a, 0xb7, 0x83, 0xc2, 0x18, 0x40, 0x7b,
27217 ++ 0xeb, 0xcd, 0x81, 0xfb, 0x90, 0x12, 0x9e, 0x46,
27218 ++ 0xa9, 0xd6, 0x4a, 0xba, 0xb0, 0x62, 0xdb, 0x6b,
27219 ++ 0x99, 0xc4, 0xdb, 0x54, 0x4b, 0xb8, 0xa5, 0x71,
27220 ++ 0xcb, 0xcd, 0x63, 0x32, 0x55, 0xfb, 0x31, 0xf0,
27221 ++ 0x38, 0xf5, 0xbe, 0x78, 0xe4, 0x45, 0xce, 0x1b,
27222 ++ 0x6a, 0x5b, 0x0e, 0xf4, 0x16, 0xe4, 0xb1, 0x3d,
27223 ++ 0xf6, 0x63, 0x7b, 0xa7, 0x0c, 0xde, 0x6f, 0x8f,
27224 ++ 0x74, 0xdf, 0xe0, 0x1e, 0x9d, 0xce, 0x8f, 0x24,
27225 ++ 0xef, 0x23, 0x35, 0x33, 0x7b, 0x83, 0x34, 0x23,
27226 ++ 0x58, 0x74, 0x14, 0x77, 0x1f, 0xc2, 0x4f, 0x4e,
27227 ++ 0xc6, 0x89, 0xf9, 0x52, 0x09, 0x37, 0x64, 0x14,
27228 ++ 0xc4, 0x01, 0x6b, 0x9d, 0x77, 0xe8, 0x90, 0x5d,
27229 ++ 0xa8, 0x4a, 0x2a, 0xef, 0x5c, 0x7f, 0xeb, 0xbb,
27230 ++ 0xb2, 0xc6, 0x93, 0x99, 0x66, 0xdc, 0x7f, 0xd4,
27231 ++ 0x9e, 0x2a, 0xca, 0x8d, 0xdb, 0xe7, 0x20, 0xcf,
27232 ++ 0xe4, 0x73, 0xae, 0x49, 0x7d, 0x64, 0x0f, 0x0e,
27233 ++ 0x28, 0x46, 0xa9, 0xa8, 0x32, 0xe4, 0x0e, 0xf6,
27234 ++ 0x51, 0x53, 0xb8, 0x3c, 0xb1, 0xff, 0xa3, 0x33,
27235 ++ 0x41, 0x75, 0xff, 0xf1, 0x6f, 0xf1, 0xfb, 0xbb,
27236 ++ 0x83, 0x7f, 0x06, 0x9b, 0xe7, 0x1b, 0x0a, 0xe0,
27237 ++ 0x5c, 0x33, 0x60, 0x5b, 0xdb, 0x5b, 0xed, 0xfe,
27238 ++ 0xa5, 0x16, 0x19, 0x72, 0xa3, 0x64, 0x23, 0x00,
27239 ++ 0x02, 0xc7, 0xf3, 0x6a, 0x81, 0x3e, 0x44, 0x1d,
27240 ++ 0x79, 0x15, 0x5f, 0x9a, 0xde, 0xe2, 0xfd, 0x1b,
27241 ++ 0x73, 0xc1, 0xbc, 0x23, 0xba, 0x31, 0xd2, 0x50,
27242 ++ 0xd5, 0xad, 0x7f, 0x74, 0xa7, 0xc9, 0xf8, 0x3e,
27243 ++ 0x2b, 0x26, 0x10, 0xf6, 0x03, 0x36, 0x74, 0xe4,
27244 ++ 0x0e, 0x6a, 0x72, 0xb7, 0x73, 0x0a, 0x42, 0x28,
27245 ++ 0xc2, 0xad, 0x5e, 0x03, 0xbe, 0xb8, 0x0b, 0xa8,
27246 ++ 0x5b, 0xd4, 0xb8, 0xba, 0x52, 0x89, 0xb1, 0x9b,
27247 ++ 0xc1, 0xc3, 0x65, 0x87, 0xed, 0xa5, 0xf4, 0x86,
27248 ++ 0xfd, 0x41, 0x80, 0x91, 0x27, 0x59, 0x53, 0x67,
27249 ++ 0x15, 0x78, 0x54, 0x8b, 0x2d, 0x3d, 0xc7, 0xff,
27250 ++ 0x02, 0x92, 0x07, 0x5f, 0x7a, 0x4b, 0x60, 0x59,
27251 ++ 0x3c, 0x6f, 0x5c, 0xd8, 0xec, 0x95, 0xd2, 0xfe,
27252 ++ 0xa0, 0x3b, 0xd8, 0x3f, 0xd1, 0x69, 0xa6, 0xd6,
27253 ++ 0x41, 0xb2, 0xf4, 0x4d, 0x12, 0xf4, 0x58, 0x3e,
27254 ++ 0x66, 0x64, 0x80, 0x31, 0x9b, 0xa8, 0x4c, 0x8b,
27255 ++ 0x07, 0xb2, 0xec, 0x66, 0x94, 0x66, 0x47, 0x50,
27256 ++ 0x50, 0x5f, 0x18, 0x0b, 0x0e, 0xd6, 0xc0, 0x39,
27257 ++ 0x21, 0x13, 0x9e, 0x33, 0xbc, 0x79, 0x36, 0x02,
27258 ++ 0x96, 0x70, 0xf0, 0x48, 0x67, 0x2f, 0x26, 0xe9,
27259 ++ 0x6d, 0x10, 0xbb, 0xd6, 0x3f, 0xd1, 0x64, 0x7a,
27260 ++ 0x2e, 0xbe, 0x0c, 0x61, 0xf0, 0x75, 0x42, 0x38,
27261 ++ 0x23, 0xb1, 0x9e, 0x9f, 0x7c, 0x67, 0x66, 0xd9,
27262 ++ 0x58, 0x9a, 0xf1, 0xbb, 0x41, 0x2a, 0x8d, 0x65,
27263 ++ 0x84, 0x94, 0xfc, 0xdc, 0x6a, 0x50, 0x64, 0xdb,
27264 ++ 0x56, 0x33, 0x76, 0x00, 0x10, 0xed, 0xbe, 0xd2,
27265 ++ 0x12, 0xf6, 0xf6, 0x1b, 0xa2, 0x16, 0xde, 0xae,
27266 ++ 0x31, 0x95, 0xdd, 0xb1, 0x08, 0x7e, 0x4e, 0xee,
27267 ++ 0xe7, 0xf9, 0xa5, 0xfb, 0x5b, 0x61, 0x43, 0x00,
27268 ++ 0x40, 0xf6, 0x7e, 0x02, 0x04, 0x32, 0x4e, 0x0c,
27269 ++ 0xe2, 0x66, 0x0d, 0xd7, 0x07, 0x98, 0x0e, 0xf8,
27270 ++ 0x72, 0x34, 0x6d, 0x95, 0x86, 0xd7, 0xcb, 0x31,
27271 ++ 0x54, 0x47, 0xd0, 0x38, 0x29, 0x9c, 0x5a, 0x68,
27272 ++ 0xd4, 0x87, 0x76, 0xc9, 0xe7, 0x7e, 0xe3, 0xf4,
27273 ++ 0x81, 0x6d, 0x18, 0xcb, 0xc9, 0x05, 0xaf, 0xa0,
27274 ++ 0xfb, 0x66, 0xf7, 0xf1, 0x1c, 0xc6, 0x14, 0x11,
27275 ++ 0x4f, 0x2b, 0x79, 0x42, 0x8b, 0xbc, 0xac, 0xe7,
27276 ++ 0x6c, 0xfe, 0x0f, 0x58, 0xe7, 0x7c, 0x78, 0x39,
27277 ++ 0x30, 0xb0, 0x66, 0x2c, 0x9b, 0x6d, 0x3a, 0xe1,
27278 ++ 0xcf, 0xc9, 0xa4, 0x0e, 0x6d, 0x6d, 0x8a, 0xa1,
27279 ++ 0x3a, 0xe7, 0x28, 0xd4, 0x78, 0x4c, 0xa6, 0xa2,
27280 ++ 0x2a, 0xa6, 0x03, 0x30, 0xd7, 0xa8, 0x25, 0x66,
27281 ++ 0x87, 0x2f, 0x69, 0x5c, 0x4e, 0xdd, 0xa5, 0x49,
27282 ++ 0x5d, 0x37, 0x4a, 0x59, 0xc4, 0xaf, 0x1f, 0xa2,
27283 ++ 0xe4, 0xf8, 0xa6, 0x12, 0x97, 0xd5, 0x79, 0xf5,
27284 ++ 0xe2, 0x4a, 0x2b, 0x5f, 0x61, 0xe4, 0x9e, 0xe3,
27285 ++ 0xee, 0xb8, 0xa7, 0x5b, 0x2f, 0xf4, 0x9e, 0x6c,
27286 ++ 0xfb, 0xd1, 0xc6, 0x56, 0x77, 0xba, 0x75, 0xaa,
27287 ++ 0x3d, 0x1a, 0xa8, 0x0b, 0xb3, 0x68, 0x24, 0x00,
27288 ++ 0x10, 0x7f, 0xfd, 0xd7, 0xa1, 0x8d, 0x83, 0x54,
27289 ++ 0x4f, 0x1f, 0xd8, 0x2a, 0xbe, 0x8a, 0x0c, 0x87,
27290 ++ 0xab, 0xa2, 0xde, 0xc3, 0x39, 0xbf, 0x09, 0x03,
27291 ++ 0xa5, 0xf3, 0x05, 0x28, 0xe1, 0xe1, 0xee, 0x39,
27292 ++ 0x70, 0x9c, 0xd8, 0x81, 0x12, 0x1e, 0x02, 0x40,
27293 ++ 0xd2, 0x6e, 0xf0, 0xeb, 0x1b, 0x3d, 0x22, 0xc6,
27294 ++ 0xe5, 0xe3, 0xb4, 0x5a, 0x98, 0xbb, 0xf0, 0x22,
27295 ++ 0x28, 0x8d, 0xe5, 0xd3, 0x16, 0x48, 0x24, 0xa5,
27296 ++ 0xe6, 0x66, 0x0c, 0xf9, 0x08, 0xf9, 0x7e, 0x1e,
27297 ++ 0xe1, 0x28, 0x26, 0x22, 0xc7, 0xc7, 0x0a, 0x32,
27298 ++ 0x47, 0xfa, 0xa3, 0xbe, 0x3c, 0xc4, 0xc5, 0x53,
27299 ++ 0x0a, 0xd5, 0x94, 0x4a, 0xd7, 0x93, 0xd8, 0x42,
27300 ++ 0x99, 0xb9, 0x0a, 0xdb, 0x56, 0xf7, 0xb9, 0x1c,
27301 ++ 0x53, 0x4f, 0xfa, 0xd3, 0x74, 0xad, 0xd9, 0x68,
27302 ++ 0xf1, 0x1b, 0xdf, 0x61, 0xc6, 0x5e, 0xa8, 0x48,
27303 ++ 0xfc, 0xd4, 0x4a, 0x4c, 0x3c, 0x32, 0xf7, 0x1c,
27304 ++ 0x96, 0x21, 0x9b, 0xf9, 0xa3, 0xcc, 0x5a, 0xce,
27305 ++ 0xd5, 0xd7, 0x08, 0x24, 0xf6, 0x1c, 0xfd, 0xdd,
27306 ++ 0x38, 0xc2, 0x32, 0xe9, 0xb8, 0xe7, 0xb6, 0xfa,
27307 ++ 0x9d, 0x45, 0x13, 0x2c, 0x83, 0xfd, 0x4a, 0x69,
27308 ++ 0x82, 0xcd, 0xdc, 0xb3, 0x76, 0x0c, 0x9e, 0xd8,
27309 ++ 0xf4, 0x1b, 0x45, 0x15, 0xb4, 0x97, 0xe7, 0x58,
27310 ++ 0x34, 0xe2, 0x03, 0x29, 0x5a, 0xbf, 0xb6, 0xe0,
27311 ++ 0x5d, 0x13, 0xd9, 0x2b, 0xb4, 0x80, 0xb2, 0x45,
27312 ++ 0x81, 0x6a, 0x2e, 0x6c, 0x89, 0x7d, 0xee, 0xbb,
27313 ++ 0x52, 0xdd, 0x1f, 0x18, 0xe7, 0x13, 0x6b, 0x33,
27314 ++ 0x0e, 0xea, 0x36, 0x92, 0x77, 0x7b, 0x6d, 0x9c,
27315 ++ 0x5a, 0x5f, 0x45, 0x7b, 0x7b, 0x35, 0x62, 0x23,
27316 ++ 0xd1, 0xbf, 0x0f, 0xd0, 0x08, 0x1b, 0x2b, 0x80,
27317 ++ 0x6b, 0x7e, 0xf1, 0x21, 0x47, 0xb0, 0x57, 0xd1,
27318 ++ 0x98, 0x72, 0x90, 0x34, 0x1c, 0x20, 0x04, 0xff,
27319 ++ 0x3d, 0x5c, 0xee, 0x0e, 0x57, 0x5f, 0x6f, 0x24,
27320 ++ 0x4e, 0x3c, 0xea, 0xfc, 0xa5, 0xa9, 0x83, 0xc9,
27321 ++ 0x61, 0xb4, 0x51, 0x24, 0xf8, 0x27, 0x5e, 0x46,
27322 ++ 0x8c, 0xb1, 0x53, 0x02, 0x96, 0x35, 0xba, 0xb8,
27323 ++ 0x4c, 0x71, 0xd3, 0x15, 0x59, 0x35, 0x22, 0x20,
27324 ++ 0xad, 0x03, 0x9f, 0x66, 0x44, 0x3b, 0x9c, 0x35,
27325 ++ 0x37, 0x1f, 0x9b, 0xbb, 0xf3, 0xdb, 0x35, 0x63,
27326 ++ 0x30, 0x64, 0xaa, 0xa2, 0x06, 0xa8, 0x5d, 0xbb,
27327 ++ 0xe1, 0x9f, 0x70, 0xec, 0x82, 0x11, 0x06, 0x36,
27328 ++ 0xec, 0x8b, 0x69, 0x66, 0x24, 0x44, 0xc9, 0x4a,
27329 ++ 0x57, 0xbb, 0x9b, 0x78, 0x13, 0xce, 0x9c, 0x0c,
27330 ++ 0xba, 0x92, 0x93, 0x63, 0xb8, 0xe2, 0x95, 0x0f,
27331 ++ 0x0f, 0x16, 0x39, 0x52, 0xfd, 0x3a, 0x6d, 0x02,
27332 ++ 0x4b, 0xdf, 0x13, 0xd3, 0x2a, 0x22, 0xb4, 0x03,
27333 ++ 0x7c, 0x54, 0x49, 0x96, 0x68, 0x54, 0x10, 0xfa,
27334 ++ 0xef, 0xaa, 0x6c, 0xe8, 0x22, 0xdc, 0x71, 0x16,
27335 ++ 0x13, 0x1a, 0xf6, 0x28, 0xe5, 0x6d, 0x77, 0x3d,
27336 ++ 0xcd, 0x30, 0x63, 0xb1, 0x70, 0x52, 0xa1, 0xc5,
27337 ++ 0x94, 0x5f, 0xcf, 0xe8, 0xb8, 0x26, 0x98, 0xf7,
27338 ++ 0x06, 0xa0, 0x0a, 0x70, 0xfa, 0x03, 0x80, 0xac,
27339 ++ 0xc1, 0xec, 0xd6, 0x4c, 0x54, 0xd7, 0xfe, 0x47,
27340 ++ 0xb6, 0x88, 0x4a, 0xf7, 0x71, 0x24, 0xee, 0xf3,
27341 ++ 0xd2, 0xc2, 0x4a, 0x7f, 0xfe, 0x61, 0xc7, 0x35,
27342 ++ 0xc9, 0x37, 0x67, 0xcb, 0x24, 0x35, 0xda, 0x7e,
27343 ++ 0xca, 0x5f, 0xf3, 0x8d, 0xd4, 0x13, 0x8e, 0xd6,
27344 ++ 0xcb, 0x4d, 0x53, 0x8f, 0x53, 0x1f, 0xc0, 0x74,
27345 ++ 0xf7, 0x53, 0xb9, 0x5e, 0x23, 0x37, 0xba, 0x6e,
27346 ++ 0xe3, 0x9d, 0x07, 0x55, 0x25, 0x7b, 0xe6, 0x2a,
27347 ++ 0x64, 0xd1, 0x32, 0xdd, 0x54, 0x1b, 0x4b, 0xc0,
27348 ++ 0xe1, 0xd7, 0x69, 0x58, 0xf8, 0x93, 0x29, 0xc4,
27349 ++ 0xdd, 0x23, 0x2f, 0xa5, 0xfc, 0x9d, 0x7e, 0xf8,
27350 ++ 0xd4, 0x90, 0xcd, 0x82, 0x55, 0xdc, 0x16, 0x16,
27351 ++ 0x9f, 0x07, 0x52, 0x9b, 0x9d, 0x25, 0xed, 0x32,
27352 ++ 0xc5, 0x7b, 0xdf, 0xf6, 0x83, 0x46, 0x3d, 0x65,
27353 ++ 0xb7, 0xef, 0x87, 0x7a, 0x12, 0x69, 0x8f, 0x06,
27354 ++ 0x7c, 0x51, 0x15, 0x4a, 0x08, 0xe8, 0xac, 0x9a,
27355 ++ 0x0c, 0x24, 0xa7, 0x27, 0xd8, 0x46, 0x2f, 0xe7,
27356 ++ 0x01, 0x0e, 0x1c, 0xc6, 0x91, 0xb0, 0x6e, 0x85,
27357 ++ 0x65, 0xf0, 0x29, 0x0d, 0x2e, 0x6b, 0x3b, 0xfb,
27358 ++ 0x4b, 0xdf, 0xe4, 0x80, 0x93, 0x03, 0x66, 0x46,
27359 ++ 0x3e, 0x8a, 0x6e, 0xf3, 0x5e, 0x4d, 0x62, 0x0e,
27360 ++ 0x49, 0x05, 0xaf, 0xd4, 0xf8, 0x21, 0x20, 0x61,
27361 ++ 0x1d, 0x39, 0x17, 0xf4, 0x61, 0x47, 0x95, 0xfb,
27362 ++ 0x15, 0x2e, 0xb3, 0x4f, 0xd0, 0x5d, 0xf5, 0x7d,
27363 ++ 0x40, 0xda, 0x90, 0x3c, 0x6b, 0xcb, 0x17, 0x00,
27364 ++ 0x13, 0x3b, 0x64, 0x34, 0x1b, 0xf0, 0xf2, 0xe5,
27365 ++ 0x3b, 0xb2, 0xc7, 0xd3, 0x5f, 0x3a, 0x44, 0xa6,
27366 ++ 0x9b, 0xb7, 0x78, 0x0e, 0x42, 0x5d, 0x4c, 0xc1,
27367 ++ 0xe9, 0xd2, 0xcb, 0xb7, 0x78, 0xd1, 0xfe, 0x9a,
27368 ++ 0xb5, 0x07, 0xe9, 0xe0, 0xbe, 0xe2, 0x8a, 0xa7,
27369 ++ 0x01, 0x83, 0x00, 0x8c, 0x5c, 0x08, 0xe6, 0x63,
27370 ++ 0x12, 0x92, 0xb7, 0xb7, 0xa6, 0x19, 0x7d, 0x38,
27371 ++ 0x13, 0x38, 0x92, 0x87, 0x24, 0xf9, 0x48, 0xb3,
27372 ++ 0x5e, 0x87, 0x6a, 0x40, 0x39, 0x5c, 0x3f, 0xed,
27373 ++ 0x8f, 0xee, 0xdb, 0x15, 0x82, 0x06, 0xda, 0x49,
27374 ++ 0x21, 0x2b, 0xb5, 0xbf, 0x32, 0x7c, 0x9f, 0x42,
27375 ++ 0x28, 0x63, 0xcf, 0xaf, 0x1e, 0xf8, 0xc6, 0xa0,
27376 ++ 0xd1, 0x02, 0x43, 0x57, 0x62, 0xec, 0x9b, 0x0f,
27377 ++ 0x01, 0x9e, 0x71, 0xd8, 0x87, 0x9d, 0x01, 0xc1,
27378 ++ 0x58, 0x77, 0xd9, 0xaf, 0xb1, 0x10, 0x7e, 0xdd,
27379 ++ 0xa6, 0x50, 0x96, 0xe5, 0xf0, 0x72, 0x00, 0x6d,
27380 ++ 0x4b, 0xf8, 0x2a, 0x8f, 0x19, 0xf3, 0x22, 0x88,
27381 ++ 0x11, 0x4a, 0x8b, 0x7c, 0xfd, 0xb7, 0xed, 0xe1,
27382 ++ 0xf6, 0x40, 0x39, 0xe0, 0xe9, 0xf6, 0x3d, 0x25,
27383 ++ 0xe6, 0x74, 0x3c, 0x58, 0x57, 0x7f, 0xe1, 0x22,
27384 ++ 0x96, 0x47, 0x31, 0x91, 0xba, 0x70, 0x85, 0x28,
27385 ++ 0x6b, 0x9f, 0x6e, 0x25, 0xac, 0x23, 0x66, 0x2f,
27386 ++ 0x29, 0x88, 0x28, 0xce, 0x8c, 0x5c, 0x88, 0x53,
27387 ++ 0xd1, 0x3b, 0xcc, 0x6a, 0x51, 0xb2, 0xe1, 0x28,
27388 ++ 0x3f, 0x91, 0xb4, 0x0d, 0x00, 0x3a, 0xe3, 0xf8,
27389 ++ 0xc3, 0x8f, 0xd7, 0x96, 0x62, 0x0e, 0x2e, 0xfc,
27390 ++ 0xc8, 0x6c, 0x77, 0xa6, 0x1d, 0x22, 0xc1, 0xb8,
27391 ++ 0xe6, 0x61, 0xd7, 0x67, 0x36, 0x13, 0x7b, 0xbb,
27392 ++ 0x9b, 0x59, 0x09, 0xa6, 0xdf, 0xf7, 0x6b, 0xa3,
27393 ++ 0x40, 0x1a, 0xf5, 0x4f, 0xb4, 0xda, 0xd3, 0xf3,
27394 ++ 0x81, 0x93, 0xc6, 0x18, 0xd9, 0x26, 0xee, 0xac,
27395 ++ 0xf0, 0xaa, 0xdf, 0xc5, 0x9c, 0xca, 0xc2, 0xa2,
27396 ++ 0xcc, 0x7b, 0x5c, 0x24, 0xb0, 0xbc, 0xd0, 0x6a,
27397 ++ 0x4d, 0x89, 0x09, 0xb8, 0x07, 0xfe, 0x87, 0xad,
27398 ++ 0x0a, 0xea, 0xb8, 0x42, 0xf9, 0x5e, 0xb3, 0x3e,
27399 ++ 0x36, 0x4c, 0xaf, 0x75, 0x9e, 0x1c, 0xeb, 0xbd,
27400 ++ 0xbc, 0xbb, 0x80, 0x40, 0xa7, 0x3a, 0x30, 0xbf,
27401 ++ 0xa8, 0x44, 0xf4, 0xeb, 0x38, 0xad, 0x29, 0xba,
27402 ++ 0x23, 0xed, 0x41, 0x0c, 0xea, 0xd2, 0xbb, 0x41,
27403 ++ 0x18, 0xd6, 0xb9, 0xba, 0x65, 0x2b, 0xa3, 0x91,
27404 ++ 0x6d, 0x1f, 0xa9, 0xf4, 0xd1, 0x25, 0x8d, 0x4d,
27405 ++ 0x38, 0xff, 0x64, 0xa0, 0xec, 0xde, 0xa6, 0xb6,
27406 ++ 0x79, 0xab, 0x8e, 0x33, 0x6c, 0x47, 0xde, 0xaf,
27407 ++ 0x94, 0xa4, 0xa5, 0x86, 0x77, 0x55, 0x09, 0x92,
27408 ++ 0x81, 0x31, 0x76, 0xc7, 0x34, 0x22, 0x89, 0x8e,
27409 ++ 0x3d, 0x26, 0x26, 0xd7, 0xfc, 0x1e, 0x16, 0x72,
27410 ++ 0x13, 0x33, 0x63, 0xd5, 0x22, 0xbe, 0xb8, 0x04,
27411 ++ 0x34, 0x84, 0x41, 0xbb, 0x80, 0xd0, 0x9f, 0x46,
27412 ++ 0x48, 0x07, 0xa7, 0xfc, 0x2b, 0x3a, 0x75, 0x55,
27413 ++ 0x8c, 0xc7, 0x6a, 0xbd, 0x7e, 0x46, 0x08, 0x84,
27414 ++ 0x0f, 0xd5, 0x74, 0xc0, 0x82, 0x8e, 0xaa, 0x61,
27415 ++ 0x05, 0x01, 0xb2, 0x47, 0x6e, 0x20, 0x6a, 0x2d,
27416 ++ 0x58, 0x70, 0x48, 0x32, 0xa7, 0x37, 0xd2, 0xb8,
27417 ++ 0x82, 0x1a, 0x51, 0xb9, 0x61, 0xdd, 0xfd, 0x9d,
27418 ++ 0x6b, 0x0e, 0x18, 0x97, 0xf8, 0x45, 0x5f, 0x87,
27419 ++ 0x10, 0xcf, 0x34, 0x72, 0x45, 0x26, 0x49, 0x70,
27420 ++ 0xe7, 0xa3, 0x78, 0xe0, 0x52, 0x89, 0x84, 0x94,
27421 ++ 0x83, 0x82, 0xc2, 0x69, 0x8f, 0xe3, 0xe1, 0x3f,
27422 ++ 0x60, 0x74, 0x88, 0xc4, 0xf7, 0x75, 0x2c, 0xfb,
27423 ++ 0xbd, 0xb6, 0xc4, 0x7e, 0x10, 0x0a, 0x6c, 0x90,
27424 ++ 0x04, 0x9e, 0xc3, 0x3f, 0x59, 0x7c, 0xce, 0x31,
27425 ++ 0x18, 0x60, 0x57, 0x73, 0x46, 0x94, 0x7d, 0x06,
27426 ++ 0xa0, 0x6d, 0x44, 0xec, 0xa2, 0x0a, 0x9e, 0x05,
27427 ++ 0x15, 0xef, 0xca, 0x5c, 0xbf, 0x00, 0xeb, 0xf7,
27428 ++ 0x3d, 0x32, 0xd4, 0xa5, 0xef, 0x49, 0x89, 0x5e,
27429 ++ 0x46, 0xb0, 0xa6, 0x63, 0x5b, 0x8a, 0x73, 0xae,
27430 ++ 0x6f, 0xd5, 0x9d, 0xf8, 0x4f, 0x40, 0xb5, 0xb2,
27431 ++ 0x6e, 0xd3, 0xb6, 0x01, 0xa9, 0x26, 0xa2, 0x21,
27432 ++ 0xcf, 0x33, 0x7a, 0x3a, 0xa4, 0x23, 0x13, 0xb0,
27433 ++ 0x69, 0x6a, 0xee, 0xce, 0xd8, 0x9d, 0x01, 0x1d,
27434 ++ 0x50, 0xc1, 0x30, 0x6c, 0xb1, 0xcd, 0xa0, 0xf0,
27435 ++ 0xf0, 0xa2, 0x64, 0x6f, 0xbb, 0xbf, 0x5e, 0xe6,
27436 ++ 0xab, 0x87, 0xb4, 0x0f, 0x4f, 0x15, 0xaf, 0xb5,
27437 ++ 0x25, 0xa1, 0xb2, 0xd0, 0x80, 0x2c, 0xfb, 0xf9,
27438 ++ 0xfe, 0xd2, 0x33, 0xbb, 0x76, 0xfe, 0x7c, 0xa8,
27439 ++ 0x66, 0xf7, 0xe7, 0x85, 0x9f, 0x1f, 0x85, 0x57,
27440 ++ 0x88, 0xe1, 0xe9, 0x63, 0xe4, 0xd8, 0x1c, 0xa1,
27441 ++ 0xfb, 0xda, 0x44, 0x05, 0x2e, 0x1d, 0x3a, 0x1c,
27442 ++ 0xff, 0xc8, 0x3b, 0xc0, 0xfe, 0xda, 0x22, 0x0b,
27443 ++ 0x43, 0xd6, 0x88, 0x39, 0x4c, 0x4a, 0xa6, 0x69,
27444 ++ 0x18, 0x93, 0x42, 0x4e, 0xb5, 0xcc, 0x66, 0x0d,
27445 ++ 0x09, 0xf8, 0x1e, 0x7c, 0xd3, 0x3c, 0x99, 0x0d,
27446 ++ 0x50, 0x1d, 0x62, 0xe9, 0x57, 0x06, 0xbf, 0x19,
27447 ++ 0x88, 0xdd, 0xad, 0x7b, 0x4f, 0xf9, 0xc7, 0x82,
27448 ++ 0x6d, 0x8d, 0xc8, 0xc4, 0xc5, 0x78, 0x17, 0x20,
27449 ++ 0x15, 0xc5, 0x52, 0x41, 0xcf, 0x5b, 0xd6, 0x7f,
27450 ++ 0x94, 0x02, 0x41, 0xe0, 0x40, 0x22, 0x03, 0x5e,
27451 ++ 0xd1, 0x53, 0xd4, 0x86, 0xd3, 0x2c, 0x9f, 0x0f,
27452 ++ 0x96, 0xe3, 0x6b, 0x9a, 0x76, 0x32, 0x06, 0x47,
27453 ++ 0x4b, 0x11, 0xb3, 0xdd, 0x03, 0x65, 0xbd, 0x9b,
27454 ++ 0x01, 0xda, 0x9c, 0xb9, 0x7e, 0x3f, 0x6a, 0xc4,
27455 ++ 0x7b, 0xea, 0xd4, 0x3c, 0xb9, 0xfb, 0x5c, 0x6b,
27456 ++ 0x64, 0x33, 0x52, 0xba, 0x64, 0x78, 0x8f, 0xa4,
27457 ++ 0xaf, 0x7a, 0x61, 0x8d, 0xbc, 0xc5, 0x73, 0xe9,
27458 ++ 0x6b, 0x58, 0x97, 0x4b, 0xbf, 0x63, 0x22, 0xd3,
27459 ++ 0x37, 0x02, 0x54, 0xc5, 0xb9, 0x16, 0x4a, 0xf0,
27460 ++ 0x19, 0xd8, 0x94, 0x57, 0xb8, 0x8a, 0xb3, 0x16,
27461 ++ 0x3b, 0xd0, 0x84, 0x8e, 0x67, 0xa6, 0xa3, 0x7d,
27462 ++ 0x78, 0xec, 0x00
27463 ++};
27464 ++static const u8 dec_assoc012[] __initconst = {
27465 ++ 0xb1, 0x69, 0x83, 0x87, 0x30, 0xaa, 0x5d, 0xb8,
27466 ++ 0x77, 0xe8, 0x21, 0xff, 0x06, 0x59, 0x35, 0xce,
27467 ++ 0x75, 0xfe, 0x38, 0xef, 0xb8, 0x91, 0x43, 0x8c,
27468 ++ 0xcf, 0x70, 0xdd, 0x0a, 0x68, 0xbf, 0xd4, 0xbc,
27469 ++ 0x16, 0x76, 0x99, 0x36, 0x1e, 0x58, 0x79, 0x5e,
27470 ++ 0xd4, 0x29, 0xf7, 0x33, 0x93, 0x48, 0xdb, 0x5f,
27471 ++ 0x01, 0xae, 0x9c, 0xb6, 0xe4, 0x88, 0x6d, 0x2b,
27472 ++ 0x76, 0x75, 0xe0, 0xf3, 0x74, 0xe2, 0xc9
27473 ++};
27474 ++static const u8 dec_nonce012[] __initconst = {
27475 ++ 0x05, 0xa3, 0x93, 0xed, 0x30, 0xc5, 0xa2, 0x06
27476 ++};
27477 ++static const u8 dec_key012[] __initconst = {
27478 ++ 0xb3, 0x35, 0x50, 0x03, 0x54, 0x2e, 0x40, 0x5e,
27479 ++ 0x8f, 0x59, 0x8e, 0xc5, 0x90, 0xd5, 0x27, 0x2d,
27480 ++ 0xba, 0x29, 0x2e, 0xcb, 0x1b, 0x70, 0x44, 0x1e,
27481 ++ 0x65, 0x91, 0x6e, 0x2a, 0x79, 0x22, 0xda, 0x64
27482 ++};
27483 ++
27484 ++static const u8 dec_input013[] __initconst = {
27485 ++ 0x52, 0x34, 0xb3, 0x65, 0x3b, 0xb7, 0xe5, 0xd3,
27486 ++ 0xab, 0x49, 0x17, 0x60, 0xd2, 0x52, 0x56, 0xdf,
27487 ++ 0xdf, 0x34, 0x56, 0x82, 0xe2, 0xbe, 0xe5, 0xe1,
27488 ++ 0x28, 0xd1, 0x4e, 0x5f, 0x4f, 0x01, 0x7d, 0x3f,
27489 ++ 0x99, 0x6b, 0x30, 0x6e, 0x1a, 0x7c, 0x4c, 0x8e,
27490 ++ 0x62, 0x81, 0xae, 0x86, 0x3f, 0x6b, 0xd0, 0xb5,
27491 ++ 0xa9, 0xcf, 0x50, 0xf1, 0x02, 0x12, 0xa0, 0x0b,
27492 ++ 0x24, 0xe9, 0xe6, 0x72, 0x89, 0x2c, 0x52, 0x1b,
27493 ++ 0x34, 0x38, 0xf8, 0x75, 0x5f, 0xa0, 0x74, 0xe2,
27494 ++ 0x99, 0xdd, 0xa6, 0x4b, 0x14, 0x50, 0x4e, 0xf1,
27495 ++ 0xbe, 0xd6, 0x9e, 0xdb, 0xb2, 0x24, 0x27, 0x74,
27496 ++ 0x12, 0x4a, 0x78, 0x78, 0x17, 0xa5, 0x58, 0x8e,
27497 ++ 0x2f, 0xf9, 0xf4, 0x8d, 0xee, 0x03, 0x88, 0xae,
27498 ++ 0xb8, 0x29, 0xa1, 0x2f, 0x4b, 0xee, 0x92, 0xbd,
27499 ++ 0x87, 0xb3, 0xce, 0x34, 0x21, 0x57, 0x46, 0x04,
27500 ++ 0x49, 0x0c, 0x80, 0xf2, 0x01, 0x13, 0xa1, 0x55,
27501 ++ 0xb3, 0xff, 0x44, 0x30, 0x3c, 0x1c, 0xd0, 0xef,
27502 ++ 0xbc, 0x18, 0x74, 0x26, 0xad, 0x41, 0x5b, 0x5b,
27503 ++ 0x3e, 0x9a, 0x7a, 0x46, 0x4f, 0x16, 0xd6, 0x74,
27504 ++ 0x5a, 0xb7, 0x3a, 0x28, 0x31, 0xd8, 0xae, 0x26,
27505 ++ 0xac, 0x50, 0x53, 0x86, 0xf2, 0x56, 0xd7, 0x3f,
27506 ++ 0x29, 0xbc, 0x45, 0x68, 0x8e, 0xcb, 0x98, 0x64,
27507 ++ 0xdd, 0xc9, 0xba, 0xb8, 0x4b, 0x7b, 0x82, 0xdd,
27508 ++ 0x14, 0xa7, 0xcb, 0x71, 0x72, 0x00, 0x5c, 0xad,
27509 ++ 0x7b, 0x6a, 0x89, 0xa4, 0x3d, 0xbf, 0xb5, 0x4b,
27510 ++ 0x3e, 0x7c, 0x5a, 0xcf, 0xb8, 0xa1, 0xc5, 0x6e,
27511 ++ 0xc8, 0xb6, 0x31, 0x57, 0x7b, 0xdf, 0xa5, 0x7e,
27512 ++ 0xb1, 0xd6, 0x42, 0x2a, 0x31, 0x36, 0xd1, 0xd0,
27513 ++ 0x3f, 0x7a, 0xe5, 0x94, 0xd6, 0x36, 0xa0, 0x6f,
27514 ++ 0xb7, 0x40, 0x7d, 0x37, 0xc6, 0x55, 0x7c, 0x50,
27515 ++ 0x40, 0x6d, 0x29, 0x89, 0xe3, 0x5a, 0xae, 0x97,
27516 ++ 0xe7, 0x44, 0x49, 0x6e, 0xbd, 0x81, 0x3d, 0x03,
27517 ++ 0x93, 0x06, 0x12, 0x06, 0xe2, 0x41, 0x12, 0x4a,
27518 ++ 0xf1, 0x6a, 0xa4, 0x58, 0xa2, 0xfb, 0xd2, 0x15,
27519 ++ 0xba, 0xc9, 0x79, 0xc9, 0xce, 0x5e, 0x13, 0xbb,
27520 ++ 0xf1, 0x09, 0x04, 0xcc, 0xfd, 0xe8, 0x51, 0x34,
27521 ++ 0x6a, 0xe8, 0x61, 0x88, 0xda, 0xed, 0x01, 0x47,
27522 ++ 0x84, 0xf5, 0x73, 0x25, 0xf9, 0x1c, 0x42, 0x86,
27523 ++ 0x07, 0xf3, 0x5b, 0x1a, 0x01, 0xb3, 0xeb, 0x24,
27524 ++ 0x32, 0x8d, 0xf6, 0xed, 0x7c, 0x4b, 0xeb, 0x3c,
27525 ++ 0x36, 0x42, 0x28, 0xdf, 0xdf, 0xb6, 0xbe, 0xd9,
27526 ++ 0x8c, 0x52, 0xd3, 0x2b, 0x08, 0x90, 0x8c, 0xe7,
27527 ++ 0x98, 0x31, 0xe2, 0x32, 0x8e, 0xfc, 0x11, 0x48,
27528 ++ 0x00, 0xa8, 0x6a, 0x42, 0x4a, 0x02, 0xc6, 0x4b,
27529 ++ 0x09, 0xf1, 0xe3, 0x49, 0xf3, 0x45, 0x1f, 0x0e,
27530 ++ 0xbc, 0x56, 0xe2, 0xe4, 0xdf, 0xfb, 0xeb, 0x61,
27531 ++ 0xfa, 0x24, 0xc1, 0x63, 0x75, 0xbb, 0x47, 0x75,
27532 ++ 0xaf, 0xe1, 0x53, 0x16, 0x96, 0x21, 0x85, 0x26,
27533 ++ 0x11, 0xb3, 0x76, 0xe3, 0x23, 0xa1, 0x6b, 0x74,
27534 ++ 0x37, 0xd0, 0xde, 0x06, 0x90, 0x71, 0x5d, 0x43,
27535 ++ 0x88, 0x9b, 0x00, 0x54, 0xa6, 0x75, 0x2f, 0xa1,
27536 ++ 0xc2, 0x0b, 0x73, 0x20, 0x1d, 0xb6, 0x21, 0x79,
27537 ++ 0x57, 0x3f, 0xfa, 0x09, 0xbe, 0x8a, 0x33, 0xc3,
27538 ++ 0x52, 0xf0, 0x1d, 0x82, 0x31, 0xd1, 0x55, 0xb5,
27539 ++ 0x6c, 0x99, 0x25, 0xcf, 0x5c, 0x32, 0xce, 0xe9,
27540 ++ 0x0d, 0xfa, 0x69, 0x2c, 0xd5, 0x0d, 0xc5, 0x6d,
27541 ++ 0x86, 0xd0, 0x0c, 0x3b, 0x06, 0x50, 0x79, 0xe8,
27542 ++ 0xc3, 0xae, 0x04, 0xe6, 0xcd, 0x51, 0xe4, 0x26,
27543 ++ 0x9b, 0x4f, 0x7e, 0xa6, 0x0f, 0xab, 0xd8, 0xe5,
27544 ++ 0xde, 0xa9, 0x00, 0x95, 0xbe, 0xa3, 0x9d, 0x5d,
27545 ++ 0xb2, 0x09, 0x70, 0x18, 0x1c, 0xf0, 0xac, 0x29,
27546 ++ 0x23, 0x02, 0x29, 0x28, 0xd2, 0x74, 0x35, 0x57,
27547 ++ 0x62, 0x0f, 0x24, 0xea, 0x5e, 0x33, 0xc2, 0x92,
27548 ++ 0xf3, 0x78, 0x4d, 0x30, 0x1e, 0xa1, 0x99, 0xa9,
27549 ++ 0x82, 0xb0, 0x42, 0x31, 0x8d, 0xad, 0x8a, 0xbc,
27550 ++ 0xfc, 0xd4, 0x57, 0x47, 0x3e, 0xb4, 0x50, 0xdd,
27551 ++ 0x6e, 0x2c, 0x80, 0x4d, 0x22, 0xf1, 0xfb, 0x57,
27552 ++ 0xc4, 0xdd, 0x17, 0xe1, 0x8a, 0x36, 0x4a, 0xb3,
27553 ++ 0x37, 0xca, 0xc9, 0x4e, 0xab, 0xd5, 0x69, 0xc4,
27554 ++ 0xf4, 0xbc, 0x0b, 0x3b, 0x44, 0x4b, 0x29, 0x9c,
27555 ++ 0xee, 0xd4, 0x35, 0x22, 0x21, 0xb0, 0x1f, 0x27,
27556 ++ 0x64, 0xa8, 0x51, 0x1b, 0xf0, 0x9f, 0x19, 0x5c,
27557 ++ 0xfb, 0x5a, 0x64, 0x74, 0x70, 0x45, 0x09, 0xf5,
27558 ++ 0x64, 0xfe, 0x1a, 0x2d, 0xc9, 0x14, 0x04, 0x14,
27559 ++ 0xcf, 0xd5, 0x7d, 0x60, 0xaf, 0x94, 0x39, 0x94,
27560 ++ 0xe2, 0x7d, 0x79, 0x82, 0xd0, 0x65, 0x3b, 0x6b,
27561 ++ 0x9c, 0x19, 0x84, 0xb4, 0x6d, 0xb3, 0x0c, 0x99,
27562 ++ 0xc0, 0x56, 0xa8, 0xbd, 0x73, 0xce, 0x05, 0x84,
27563 ++ 0x3e, 0x30, 0xaa, 0xc4, 0x9b, 0x1b, 0x04, 0x2a,
27564 ++ 0x9f, 0xd7, 0x43, 0x2b, 0x23, 0xdf, 0xbf, 0xaa,
27565 ++ 0xd5, 0xc2, 0x43, 0x2d, 0x70, 0xab, 0xdc, 0x75,
27566 ++ 0xad, 0xac, 0xf7, 0xc0, 0xbe, 0x67, 0xb2, 0x74,
27567 ++ 0xed, 0x67, 0x10, 0x4a, 0x92, 0x60, 0xc1, 0x40,
27568 ++ 0x50, 0x19, 0x8a, 0x8a, 0x8c, 0x09, 0x0e, 0x72,
27569 ++ 0xe1, 0x73, 0x5e, 0xe8, 0x41, 0x85, 0x63, 0x9f,
27570 ++ 0x3f, 0xd7, 0x7d, 0xc4, 0xfb, 0x22, 0x5d, 0x92,
27571 ++ 0x6c, 0xb3, 0x1e, 0xe2, 0x50, 0x2f, 0x82, 0xa8,
27572 ++ 0x28, 0xc0, 0xb5, 0xd7, 0x5f, 0x68, 0x0d, 0x2c,
27573 ++ 0x2d, 0xaf, 0x7e, 0xfa, 0x2e, 0x08, 0x0f, 0x1f,
27574 ++ 0x70, 0x9f, 0xe9, 0x19, 0x72, 0x55, 0xf8, 0xfb,
27575 ++ 0x51, 0xd2, 0x33, 0x5d, 0xa0, 0xd3, 0x2b, 0x0a,
27576 ++ 0x6c, 0xbc, 0x4e, 0xcf, 0x36, 0x4d, 0xdc, 0x3b,
27577 ++ 0xe9, 0x3e, 0x81, 0x7c, 0x61, 0xdb, 0x20, 0x2d,
27578 ++ 0x3a, 0xc3, 0xb3, 0x0c, 0x1e, 0x00, 0xb9, 0x7c,
27579 ++ 0xf5, 0xca, 0x10, 0x5f, 0x3a, 0x71, 0xb3, 0xe4,
27580 ++ 0x20, 0xdb, 0x0c, 0x2a, 0x98, 0x63, 0x45, 0x00,
27581 ++ 0x58, 0xf6, 0x68, 0xe4, 0x0b, 0xda, 0x13, 0x3b,
27582 ++ 0x60, 0x5c, 0x76, 0xdb, 0xb9, 0x97, 0x71, 0xe4,
27583 ++ 0xd9, 0xb7, 0xdb, 0xbd, 0x68, 0xc7, 0x84, 0x84,
27584 ++ 0xaa, 0x7c, 0x68, 0x62, 0x5e, 0x16, 0xfc, 0xba,
27585 ++ 0x72, 0xaa, 0x9a, 0xa9, 0xeb, 0x7c, 0x75, 0x47,
27586 ++ 0x97, 0x7e, 0xad, 0xe2, 0xd9, 0x91, 0xe8, 0xe4,
27587 ++ 0xa5, 0x31, 0xd7, 0x01, 0x8e, 0xa2, 0x11, 0x88,
27588 ++ 0x95, 0xb9, 0xf2, 0x9b, 0xd3, 0x7f, 0x1b, 0x81,
27589 ++ 0x22, 0xf7, 0x98, 0x60, 0x0a, 0x64, 0xa6, 0xc1,
27590 ++ 0xf6, 0x49, 0xc7, 0xe3, 0x07, 0x4d, 0x94, 0x7a,
27591 ++ 0xcf, 0x6e, 0x68, 0x0c, 0x1b, 0x3f, 0x6e, 0x2e,
27592 ++ 0xee, 0x92, 0xfa, 0x52, 0xb3, 0x59, 0xf8, 0xf1,
27593 ++ 0x8f, 0x6a, 0x66, 0xa3, 0x82, 0x76, 0x4a, 0x07,
27594 ++ 0x1a, 0xc7, 0xdd, 0xf5, 0xda, 0x9c, 0x3c, 0x24,
27595 ++ 0xbf, 0xfd, 0x42, 0xa1, 0x10, 0x64, 0x6a, 0x0f,
27596 ++ 0x89, 0xee, 0x36, 0xa5, 0xce, 0x99, 0x48, 0x6a,
27597 ++ 0xf0, 0x9f, 0x9e, 0x69, 0xa4, 0x40, 0x20, 0xe9,
27598 ++ 0x16, 0x15, 0xf7, 0xdb, 0x75, 0x02, 0xcb, 0xe9,
27599 ++ 0x73, 0x8b, 0x3b, 0x49, 0x2f, 0xf0, 0xaf, 0x51,
27600 ++ 0x06, 0x5c, 0xdf, 0x27, 0x27, 0x49, 0x6a, 0xd1,
27601 ++ 0xcc, 0xc7, 0xb5, 0x63, 0xb5, 0xfc, 0xb8, 0x5c,
27602 ++ 0x87, 0x7f, 0x84, 0xb4, 0xcc, 0x14, 0xa9, 0x53,
27603 ++ 0xda, 0xa4, 0x56, 0xf8, 0xb6, 0x1b, 0xcc, 0x40,
27604 ++ 0x27, 0x52, 0x06, 0x5a, 0x13, 0x81, 0xd7, 0x3a,
27605 ++ 0xd4, 0x3b, 0xfb, 0x49, 0x65, 0x31, 0x33, 0xb2,
27606 ++ 0xfa, 0xcd, 0xad, 0x58, 0x4e, 0x2b, 0xae, 0xd2,
27607 ++ 0x20, 0xfb, 0x1a, 0x48, 0xb4, 0x3f, 0x9a, 0xd8,
27608 ++ 0x7a, 0x35, 0x4a, 0xc8, 0xee, 0x88, 0x5e, 0x07,
27609 ++ 0x66, 0x54, 0xb9, 0xec, 0x9f, 0xa3, 0xe3, 0xb9,
27610 ++ 0x37, 0xaa, 0x49, 0x76, 0x31, 0xda, 0x74, 0x2d,
27611 ++ 0x3c, 0xa4, 0x65, 0x10, 0x32, 0x38, 0xf0, 0xde,
27612 ++ 0xd3, 0x99, 0x17, 0xaa, 0x71, 0xaa, 0x8f, 0x0f,
27613 ++ 0x8c, 0xaf, 0xa2, 0xf8, 0x5d, 0x64, 0xba, 0x1d,
27614 ++ 0xa3, 0xef, 0x96, 0x73, 0xe8, 0xa1, 0x02, 0x8d,
27615 ++ 0x0c, 0x6d, 0xb8, 0x06, 0x90, 0xb8, 0x08, 0x56,
27616 ++ 0x2c, 0xa7, 0x06, 0xc9, 0xc2, 0x38, 0xdb, 0x7c,
27617 ++ 0x63, 0xb1, 0x57, 0x8e, 0xea, 0x7c, 0x79, 0xf3,
27618 ++ 0x49, 0x1d, 0xfe, 0x9f, 0xf3, 0x6e, 0xb1, 0x1d,
27619 ++ 0xba, 0x19, 0x80, 0x1a, 0x0a, 0xd3, 0xb0, 0x26,
27620 ++ 0x21, 0x40, 0xb1, 0x7c, 0xf9, 0x4d, 0x8d, 0x10,
27621 ++ 0xc1, 0x7e, 0xf4, 0xf6, 0x3c, 0xa8, 0xfd, 0x7c,
27622 ++ 0xa3, 0x92, 0xb2, 0x0f, 0xaa, 0xcc, 0xa6, 0x11,
27623 ++ 0xfe, 0x04, 0xe3, 0xd1, 0x7a, 0x32, 0x89, 0xdf,
27624 ++ 0x0d, 0xc4, 0x8f, 0x79, 0x6b, 0xca, 0x16, 0x7c,
27625 ++ 0x6e, 0xf9, 0xad, 0x0f, 0xf6, 0xfe, 0x27, 0xdb,
27626 ++ 0xc4, 0x13, 0x70, 0xf1, 0x62, 0x1a, 0x4f, 0x79,
27627 ++ 0x40, 0xc9, 0x9b, 0x8b, 0x21, 0xea, 0x84, 0xfa,
27628 ++ 0xf5, 0xf1, 0x89, 0xce, 0xb7, 0x55, 0x0a, 0x80,
27629 ++ 0x39, 0x2f, 0x55, 0x36, 0x16, 0x9c, 0x7b, 0x08,
27630 ++ 0xbd, 0x87, 0x0d, 0xa5, 0x32, 0xf1, 0x52, 0x7c,
27631 ++ 0xe8, 0x55, 0x60, 0x5b, 0xd7, 0x69, 0xe4, 0xfc,
27632 ++ 0xfa, 0x12, 0x85, 0x96, 0xea, 0x50, 0x28, 0xab,
27633 ++ 0x8a, 0xf7, 0xbb, 0x0e, 0x53, 0x74, 0xca, 0xa6,
27634 ++ 0x27, 0x09, 0xc2, 0xb5, 0xde, 0x18, 0x14, 0xd9,
27635 ++ 0xea, 0xe5, 0x29, 0x1c, 0x40, 0x56, 0xcf, 0xd7,
27636 ++ 0xae, 0x05, 0x3f, 0x65, 0xaf, 0x05, 0x73, 0xe2,
27637 ++ 0x35, 0x96, 0x27, 0x07, 0x14, 0xc0, 0xad, 0x33,
27638 ++ 0xf1, 0xdc, 0x44, 0x7a, 0x89, 0x17, 0x77, 0xd2,
27639 ++ 0x9c, 0x58, 0x60, 0xf0, 0x3f, 0x7b, 0x2d, 0x2e,
27640 ++ 0x57, 0x95, 0x54, 0x87, 0xed, 0xf2, 0xc7, 0x4c,
27641 ++ 0xf0, 0xae, 0x56, 0x29, 0x19, 0x7d, 0x66, 0x4b,
27642 ++ 0x9b, 0x83, 0x84, 0x42, 0x3b, 0x01, 0x25, 0x66,
27643 ++ 0x8e, 0x02, 0xde, 0xb9, 0x83, 0x54, 0x19, 0xf6,
27644 ++ 0x9f, 0x79, 0x0d, 0x67, 0xc5, 0x1d, 0x7a, 0x44,
27645 ++ 0x02, 0x98, 0xa7, 0x16, 0x1c, 0x29, 0x0d, 0x74,
27646 ++ 0xff, 0x85, 0x40, 0x06, 0xef, 0x2c, 0xa9, 0xc6,
27647 ++ 0xf5, 0x53, 0x07, 0x06, 0xae, 0xe4, 0xfa, 0x5f,
27648 ++ 0xd8, 0x39, 0x4d, 0xf1, 0x9b, 0x6b, 0xd9, 0x24,
27649 ++ 0x84, 0xfe, 0x03, 0x4c, 0xb2, 0x3f, 0xdf, 0xa1,
27650 ++ 0x05, 0x9e, 0x50, 0x14, 0x5a, 0xd9, 0x1a, 0xa2,
27651 ++ 0xa7, 0xfa, 0xfa, 0x17, 0xf7, 0x78, 0xd6, 0xb5,
27652 ++ 0x92, 0x61, 0x91, 0xac, 0x36, 0xfa, 0x56, 0x0d,
27653 ++ 0x38, 0x32, 0x18, 0x85, 0x08, 0x58, 0x37, 0xf0,
27654 ++ 0x4b, 0xdb, 0x59, 0xe7, 0xa4, 0x34, 0xc0, 0x1b,
27655 ++ 0x01, 0xaf, 0x2d, 0xde, 0xa1, 0xaa, 0x5d, 0xd3,
27656 ++ 0xec, 0xe1, 0xd4, 0xf7, 0xe6, 0x54, 0x68, 0xf0,
27657 ++ 0x51, 0x97, 0xa7, 0x89, 0xea, 0x24, 0xad, 0xd3,
27658 ++ 0x6e, 0x47, 0x93, 0x8b, 0x4b, 0xb4, 0xf7, 0x1c,
27659 ++ 0x42, 0x06, 0x67, 0xe8, 0x99, 0xf6, 0xf5, 0x7b,
27660 ++ 0x85, 0xb5, 0x65, 0xb5, 0xb5, 0xd2, 0x37, 0xf5,
27661 ++ 0xf3, 0x02, 0xa6, 0x4d, 0x11, 0xa7, 0xdc, 0x51,
27662 ++ 0x09, 0x7f, 0xa0, 0xd8, 0x88, 0x1c, 0x13, 0x71,
27663 ++ 0xae, 0x9c, 0xb7, 0x7b, 0x34, 0xd6, 0x4e, 0x68,
27664 ++ 0x26, 0x83, 0x51, 0xaf, 0x1d, 0xee, 0x8b, 0xbb,
27665 ++ 0x69, 0x43, 0x2b, 0x9e, 0x8a, 0xbc, 0x02, 0x0e,
27666 ++ 0xa0, 0x1b, 0xe0, 0xa8, 0x5f, 0x6f, 0xaf, 0x1b,
27667 ++ 0x8f, 0xe7, 0x64, 0x71, 0x74, 0x11, 0x7e, 0xa8,
27668 ++ 0xd8, 0xf9, 0x97, 0x06, 0xc3, 0xb6, 0xfb, 0xfb,
27669 ++ 0xb7, 0x3d, 0x35, 0x9d, 0x3b, 0x52, 0xed, 0x54,
27670 ++ 0xca, 0xf4, 0x81, 0x01, 0x2d, 0x1b, 0xc3, 0xa7,
27671 ++ 0x00, 0x3d, 0x1a, 0x39, 0x54, 0xe1, 0xf6, 0xff,
27672 ++ 0xed, 0x6f, 0x0b, 0x5a, 0x68, 0xda, 0x58, 0xdd,
27673 ++ 0xa9, 0xcf, 0x5c, 0x4a, 0xe5, 0x09, 0x4e, 0xde,
27674 ++ 0x9d, 0xbc, 0x3e, 0xee, 0x5a, 0x00, 0x3b, 0x2c,
27675 ++ 0x87, 0x10, 0x65, 0x60, 0xdd, 0xd7, 0x56, 0xd1,
27676 ++ 0x4c, 0x64, 0x45, 0xe4, 0x21, 0xec, 0x78, 0xf8,
27677 ++ 0x25, 0x7a, 0x3e, 0x16, 0x5d, 0x09, 0x53, 0x14,
27678 ++ 0xbe, 0x4f, 0xae, 0x87, 0xd8, 0xd1, 0xaa, 0x3c,
27679 ++ 0xf6, 0x3e, 0xa4, 0x70, 0x8c, 0x5e, 0x70, 0xa4,
27680 ++ 0xb3, 0x6b, 0x66, 0x73, 0xd3, 0xbf, 0x31, 0x06,
27681 ++ 0x19, 0x62, 0x93, 0x15, 0xf2, 0x86, 0xe4, 0x52,
27682 ++ 0x7e, 0x53, 0x4c, 0x12, 0x38, 0xcc, 0x34, 0x7d,
27683 ++ 0x57, 0xf6, 0x42, 0x93, 0x8a, 0xc4, 0xee, 0x5c,
27684 ++ 0x8a, 0xe1, 0x52, 0x8f, 0x56, 0x64, 0xf6, 0xa6,
27685 ++ 0xd1, 0x91, 0x57, 0x70, 0xcd, 0x11, 0x76, 0xf5,
27686 ++ 0x59, 0x60, 0x60, 0x3c, 0xc1, 0xc3, 0x0b, 0x7f,
27687 ++ 0x58, 0x1a, 0x50, 0x91, 0xf1, 0x68, 0x8f, 0x6e,
27688 ++ 0x74, 0x74, 0xa8, 0x51, 0x0b, 0xf7, 0x7a, 0x98,
27689 ++ 0x37, 0xf2, 0x0a, 0x0e, 0xa4, 0x97, 0x04, 0xb8,
27690 ++ 0x9b, 0xfd, 0xa0, 0xea, 0xf7, 0x0d, 0xe1, 0xdb,
27691 ++ 0x03, 0xf0, 0x31, 0x29, 0xf8, 0xdd, 0x6b, 0x8b,
27692 ++ 0x5d, 0xd8, 0x59, 0xa9, 0x29, 0xcf, 0x9a, 0x79,
27693 ++ 0x89, 0x19, 0x63, 0x46, 0x09, 0x79, 0x6a, 0x11,
27694 ++ 0xda, 0x63, 0x68, 0x48, 0x77, 0x23, 0xfb, 0x7d,
27695 ++ 0x3a, 0x43, 0xcb, 0x02, 0x3b, 0x7a, 0x6d, 0x10,
27696 ++ 0x2a, 0x9e, 0xac, 0xf1, 0xd4, 0x19, 0xf8, 0x23,
27697 ++ 0x64, 0x1d, 0x2c, 0x5f, 0xf2, 0xb0, 0x5c, 0x23,
27698 ++ 0x27, 0xf7, 0x27, 0x30, 0x16, 0x37, 0xb1, 0x90,
27699 ++ 0xab, 0x38, 0xfb, 0x55, 0xcd, 0x78, 0x58, 0xd4,
27700 ++ 0x7d, 0x43, 0xf6, 0x45, 0x5e, 0x55, 0x8d, 0xb1,
27701 ++ 0x02, 0x65, 0x58, 0xb4, 0x13, 0x4b, 0x36, 0xf7,
27702 ++ 0xcc, 0xfe, 0x3d, 0x0b, 0x82, 0xe2, 0x12, 0x11,
27703 ++ 0xbb, 0xe6, 0xb8, 0x3a, 0x48, 0x71, 0xc7, 0x50,
27704 ++ 0x06, 0x16, 0x3a, 0xe6, 0x7c, 0x05, 0xc7, 0xc8,
27705 ++ 0x4d, 0x2f, 0x08, 0x6a, 0x17, 0x9a, 0x95, 0x97,
27706 ++ 0x50, 0x68, 0xdc, 0x28, 0x18, 0xc4, 0x61, 0x38,
27707 ++ 0xb9, 0xe0, 0x3e, 0x78, 0xdb, 0x29, 0xe0, 0x9f,
27708 ++ 0x52, 0xdd, 0xf8, 0x4f, 0x91, 0xc1, 0xd0, 0x33,
27709 ++ 0xa1, 0x7a, 0x8e, 0x30, 0x13, 0x82, 0x07, 0x9f,
27710 ++ 0xd3, 0x31, 0x0f, 0x23, 0xbe, 0x32, 0x5a, 0x75,
27711 ++ 0xcf, 0x96, 0xb2, 0xec, 0xb5, 0x32, 0xac, 0x21,
27712 ++ 0xd1, 0x82, 0x33, 0xd3, 0x15, 0x74, 0xbd, 0x90,
27713 ++ 0xf1, 0x2c, 0xe6, 0x5f, 0x8d, 0xe3, 0x02, 0xe8,
27714 ++ 0xe9, 0xc4, 0xca, 0x96, 0xeb, 0x0e, 0xbc, 0x91,
27715 ++ 0xf4, 0xb9, 0xea, 0xd9, 0x1b, 0x75, 0xbd, 0xe1,
27716 ++ 0xac, 0x2a, 0x05, 0x37, 0x52, 0x9b, 0x1b, 0x3f,
27717 ++ 0x5a, 0xdc, 0x21, 0xc3, 0x98, 0xbb, 0xaf, 0xa3,
27718 ++ 0xf2, 0x00, 0xbf, 0x0d, 0x30, 0x89, 0x05, 0xcc,
27719 ++ 0xa5, 0x76, 0xf5, 0x06, 0xf0, 0xc6, 0x54, 0x8a,
27720 ++ 0x5d, 0xd4, 0x1e, 0xc1, 0xf2, 0xce, 0xb0, 0x62,
27721 ++ 0xc8, 0xfc, 0x59, 0x42, 0x9a, 0x90, 0x60, 0x55,
27722 ++ 0xfe, 0x88, 0xa5, 0x8b, 0xb8, 0x33, 0x0c, 0x23,
27723 ++ 0x24, 0x0d, 0x15, 0x70, 0x37, 0x1e, 0x3d, 0xf6,
27724 ++ 0xd2, 0xea, 0x92, 0x10, 0xb2, 0xc4, 0x51, 0xac,
27725 ++ 0xf2, 0xac, 0xf3, 0x6b, 0x6c, 0xaa, 0xcf, 0x12,
27726 ++ 0xc5, 0x6c, 0x90, 0x50, 0xb5, 0x0c, 0xfc, 0x1a,
27727 ++ 0x15, 0x52, 0xe9, 0x26, 0xc6, 0x52, 0xa4, 0xe7,
27728 ++ 0x81, 0x69, 0xe1, 0xe7, 0x9e, 0x30, 0x01, 0xec,
27729 ++ 0x84, 0x89, 0xb2, 0x0d, 0x66, 0xdd, 0xce, 0x28,
27730 ++ 0x5c, 0xec, 0x98, 0x46, 0x68, 0x21, 0x9f, 0x88,
27731 ++ 0x3f, 0x1f, 0x42, 0x77, 0xce, 0xd0, 0x61, 0xd4,
27732 ++ 0x20, 0xa7, 0xff, 0x53, 0xad, 0x37, 0xd0, 0x17,
27733 ++ 0x35, 0xc9, 0xfc, 0xba, 0x0a, 0x78, 0x3f, 0xf2,
27734 ++ 0xcc, 0x86, 0x89, 0xe8, 0x4b, 0x3c, 0x48, 0x33,
27735 ++ 0x09, 0x7f, 0xc6, 0xc0, 0xdd, 0xb8, 0xfd, 0x7a,
27736 ++ 0x66, 0x66, 0x65, 0xeb, 0x47, 0xa7, 0x04, 0x28,
27737 ++ 0xa3, 0x19, 0x8e, 0xa9, 0xb1, 0x13, 0x67, 0x62,
27738 ++ 0x70, 0xcf, 0xd7
27739 ++};
27740 ++static const u8 dec_output013[] __initconst = {
27741 ++ 0x74, 0xa6, 0x3e, 0xe4, 0xb1, 0xcb, 0xaf, 0xb0,
27742 ++ 0x40, 0xe5, 0x0f, 0x9e, 0xf1, 0xf2, 0x89, 0xb5,
27743 ++ 0x42, 0x34, 0x8a, 0xa1, 0x03, 0xb7, 0xe9, 0x57,
27744 ++ 0x46, 0xbe, 0x20, 0xe4, 0x6e, 0xb0, 0xeb, 0xff,
27745 ++ 0xea, 0x07, 0x7e, 0xef, 0xe2, 0x55, 0x9f, 0xe5,
27746 ++ 0x78, 0x3a, 0xb7, 0x83, 0xc2, 0x18, 0x40, 0x7b,
27747 ++ 0xeb, 0xcd, 0x81, 0xfb, 0x90, 0x12, 0x9e, 0x46,
27748 ++ 0xa9, 0xd6, 0x4a, 0xba, 0xb0, 0x62, 0xdb, 0x6b,
27749 ++ 0x99, 0xc4, 0xdb, 0x54, 0x4b, 0xb8, 0xa5, 0x71,
27750 ++ 0xcb, 0xcd, 0x63, 0x32, 0x55, 0xfb, 0x31, 0xf0,
27751 ++ 0x38, 0xf5, 0xbe, 0x78, 0xe4, 0x45, 0xce, 0x1b,
27752 ++ 0x6a, 0x5b, 0x0e, 0xf4, 0x16, 0xe4, 0xb1, 0x3d,
27753 ++ 0xf6, 0x63, 0x7b, 0xa7, 0x0c, 0xde, 0x6f, 0x8f,
27754 ++ 0x74, 0xdf, 0xe0, 0x1e, 0x9d, 0xce, 0x8f, 0x24,
27755 ++ 0xef, 0x23, 0x35, 0x33, 0x7b, 0x83, 0x34, 0x23,
27756 ++ 0x58, 0x74, 0x14, 0x77, 0x1f, 0xc2, 0x4f, 0x4e,
27757 ++ 0xc6, 0x89, 0xf9, 0x52, 0x09, 0x37, 0x64, 0x14,
27758 ++ 0xc4, 0x01, 0x6b, 0x9d, 0x77, 0xe8, 0x90, 0x5d,
27759 ++ 0xa8, 0x4a, 0x2a, 0xef, 0x5c, 0x7f, 0xeb, 0xbb,
27760 ++ 0xb2, 0xc6, 0x93, 0x99, 0x66, 0xdc, 0x7f, 0xd4,
27761 ++ 0x9e, 0x2a, 0xca, 0x8d, 0xdb, 0xe7, 0x20, 0xcf,
27762 ++ 0xe4, 0x73, 0xae, 0x49, 0x7d, 0x64, 0x0f, 0x0e,
27763 ++ 0x28, 0x46, 0xa9, 0xa8, 0x32, 0xe4, 0x0e, 0xf6,
27764 ++ 0x51, 0x53, 0xb8, 0x3c, 0xb1, 0xff, 0xa3, 0x33,
27765 ++ 0x41, 0x75, 0xff, 0xf1, 0x6f, 0xf1, 0xfb, 0xbb,
27766 ++ 0x83, 0x7f, 0x06, 0x9b, 0xe7, 0x1b, 0x0a, 0xe0,
27767 ++ 0x5c, 0x33, 0x60, 0x5b, 0xdb, 0x5b, 0xed, 0xfe,
27768 ++ 0xa5, 0x16, 0x19, 0x72, 0xa3, 0x64, 0x23, 0x00,
27769 ++ 0x02, 0xc7, 0xf3, 0x6a, 0x81, 0x3e, 0x44, 0x1d,
27770 ++ 0x79, 0x15, 0x5f, 0x9a, 0xde, 0xe2, 0xfd, 0x1b,
27771 ++ 0x73, 0xc1, 0xbc, 0x23, 0xba, 0x31, 0xd2, 0x50,
27772 ++ 0xd5, 0xad, 0x7f, 0x74, 0xa7, 0xc9, 0xf8, 0x3e,
27773 ++ 0x2b, 0x26, 0x10, 0xf6, 0x03, 0x36, 0x74, 0xe4,
27774 ++ 0x0e, 0x6a, 0x72, 0xb7, 0x73, 0x0a, 0x42, 0x28,
27775 ++ 0xc2, 0xad, 0x5e, 0x03, 0xbe, 0xb8, 0x0b, 0xa8,
27776 ++ 0x5b, 0xd4, 0xb8, 0xba, 0x52, 0x89, 0xb1, 0x9b,
27777 ++ 0xc1, 0xc3, 0x65, 0x87, 0xed, 0xa5, 0xf4, 0x86,
27778 ++ 0xfd, 0x41, 0x80, 0x91, 0x27, 0x59, 0x53, 0x67,
27779 ++ 0x15, 0x78, 0x54, 0x8b, 0x2d, 0x3d, 0xc7, 0xff,
27780 ++ 0x02, 0x92, 0x07, 0x5f, 0x7a, 0x4b, 0x60, 0x59,
27781 ++ 0x3c, 0x6f, 0x5c, 0xd8, 0xec, 0x95, 0xd2, 0xfe,
27782 ++ 0xa0, 0x3b, 0xd8, 0x3f, 0xd1, 0x69, 0xa6, 0xd6,
27783 ++ 0x41, 0xb2, 0xf4, 0x4d, 0x12, 0xf4, 0x58, 0x3e,
27784 ++ 0x66, 0x64, 0x80, 0x31, 0x9b, 0xa8, 0x4c, 0x8b,
27785 ++ 0x07, 0xb2, 0xec, 0x66, 0x94, 0x66, 0x47, 0x50,
27786 ++ 0x50, 0x5f, 0x18, 0x0b, 0x0e, 0xd6, 0xc0, 0x39,
27787 ++ 0x21, 0x13, 0x9e, 0x33, 0xbc, 0x79, 0x36, 0x02,
27788 ++ 0x96, 0x70, 0xf0, 0x48, 0x67, 0x2f, 0x26, 0xe9,
27789 ++ 0x6d, 0x10, 0xbb, 0xd6, 0x3f, 0xd1, 0x64, 0x7a,
27790 ++ 0x2e, 0xbe, 0x0c, 0x61, 0xf0, 0x75, 0x42, 0x38,
27791 ++ 0x23, 0xb1, 0x9e, 0x9f, 0x7c, 0x67, 0x66, 0xd9,
27792 ++ 0x58, 0x9a, 0xf1, 0xbb, 0x41, 0x2a, 0x8d, 0x65,
27793 ++ 0x84, 0x94, 0xfc, 0xdc, 0x6a, 0x50, 0x64, 0xdb,
27794 ++ 0x56, 0x33, 0x76, 0x00, 0x10, 0xed, 0xbe, 0xd2,
27795 ++ 0x12, 0xf6, 0xf6, 0x1b, 0xa2, 0x16, 0xde, 0xae,
27796 ++ 0x31, 0x95, 0xdd, 0xb1, 0x08, 0x7e, 0x4e, 0xee,
27797 ++ 0xe7, 0xf9, 0xa5, 0xfb, 0x5b, 0x61, 0x43, 0x00,
27798 ++ 0x40, 0xf6, 0x7e, 0x02, 0x04, 0x32, 0x4e, 0x0c,
27799 ++ 0xe2, 0x66, 0x0d, 0xd7, 0x07, 0x98, 0x0e, 0xf8,
27800 ++ 0x72, 0x34, 0x6d, 0x95, 0x86, 0xd7, 0xcb, 0x31,
27801 ++ 0x54, 0x47, 0xd0, 0x38, 0x29, 0x9c, 0x5a, 0x68,
27802 ++ 0xd4, 0x87, 0x76, 0xc9, 0xe7, 0x7e, 0xe3, 0xf4,
27803 ++ 0x81, 0x6d, 0x18, 0xcb, 0xc9, 0x05, 0xaf, 0xa0,
27804 ++ 0xfb, 0x66, 0xf7, 0xf1, 0x1c, 0xc6, 0x14, 0x11,
27805 ++ 0x4f, 0x2b, 0x79, 0x42, 0x8b, 0xbc, 0xac, 0xe7,
27806 ++ 0x6c, 0xfe, 0x0f, 0x58, 0xe7, 0x7c, 0x78, 0x39,
27807 ++ 0x30, 0xb0, 0x66, 0x2c, 0x9b, 0x6d, 0x3a, 0xe1,
27808 ++ 0xcf, 0xc9, 0xa4, 0x0e, 0x6d, 0x6d, 0x8a, 0xa1,
27809 ++ 0x3a, 0xe7, 0x28, 0xd4, 0x78, 0x4c, 0xa6, 0xa2,
27810 ++ 0x2a, 0xa6, 0x03, 0x30, 0xd7, 0xa8, 0x25, 0x66,
27811 ++ 0x87, 0x2f, 0x69, 0x5c, 0x4e, 0xdd, 0xa5, 0x49,
27812 ++ 0x5d, 0x37, 0x4a, 0x59, 0xc4, 0xaf, 0x1f, 0xa2,
27813 ++ 0xe4, 0xf8, 0xa6, 0x12, 0x97, 0xd5, 0x79, 0xf5,
27814 ++ 0xe2, 0x4a, 0x2b, 0x5f, 0x61, 0xe4, 0x9e, 0xe3,
27815 ++ 0xee, 0xb8, 0xa7, 0x5b, 0x2f, 0xf4, 0x9e, 0x6c,
27816 ++ 0xfb, 0xd1, 0xc6, 0x56, 0x77, 0xba, 0x75, 0xaa,
27817 ++ 0x3d, 0x1a, 0xa8, 0x0b, 0xb3, 0x68, 0x24, 0x00,
27818 ++ 0x10, 0x7f, 0xfd, 0xd7, 0xa1, 0x8d, 0x83, 0x54,
27819 ++ 0x4f, 0x1f, 0xd8, 0x2a, 0xbe, 0x8a, 0x0c, 0x87,
27820 ++ 0xab, 0xa2, 0xde, 0xc3, 0x39, 0xbf, 0x09, 0x03,
27821 ++ 0xa5, 0xf3, 0x05, 0x28, 0xe1, 0xe1, 0xee, 0x39,
27822 ++ 0x70, 0x9c, 0xd8, 0x81, 0x12, 0x1e, 0x02, 0x40,
27823 ++ 0xd2, 0x6e, 0xf0, 0xeb, 0x1b, 0x3d, 0x22, 0xc6,
27824 ++ 0xe5, 0xe3, 0xb4, 0x5a, 0x98, 0xbb, 0xf0, 0x22,
27825 ++ 0x28, 0x8d, 0xe5, 0xd3, 0x16, 0x48, 0x24, 0xa5,
27826 ++ 0xe6, 0x66, 0x0c, 0xf9, 0x08, 0xf9, 0x7e, 0x1e,
27827 ++ 0xe1, 0x28, 0x26, 0x22, 0xc7, 0xc7, 0x0a, 0x32,
27828 ++ 0x47, 0xfa, 0xa3, 0xbe, 0x3c, 0xc4, 0xc5, 0x53,
27829 ++ 0x0a, 0xd5, 0x94, 0x4a, 0xd7, 0x93, 0xd8, 0x42,
27830 ++ 0x99, 0xb9, 0x0a, 0xdb, 0x56, 0xf7, 0xb9, 0x1c,
27831 ++ 0x53, 0x4f, 0xfa, 0xd3, 0x74, 0xad, 0xd9, 0x68,
27832 ++ 0xf1, 0x1b, 0xdf, 0x61, 0xc6, 0x5e, 0xa8, 0x48,
27833 ++ 0xfc, 0xd4, 0x4a, 0x4c, 0x3c, 0x32, 0xf7, 0x1c,
27834 ++ 0x96, 0x21, 0x9b, 0xf9, 0xa3, 0xcc, 0x5a, 0xce,
27835 ++ 0xd5, 0xd7, 0x08, 0x24, 0xf6, 0x1c, 0xfd, 0xdd,
27836 ++ 0x38, 0xc2, 0x32, 0xe9, 0xb8, 0xe7, 0xb6, 0xfa,
27837 ++ 0x9d, 0x45, 0x13, 0x2c, 0x83, 0xfd, 0x4a, 0x69,
27838 ++ 0x82, 0xcd, 0xdc, 0xb3, 0x76, 0x0c, 0x9e, 0xd8,
27839 ++ 0xf4, 0x1b, 0x45, 0x15, 0xb4, 0x97, 0xe7, 0x58,
27840 ++ 0x34, 0xe2, 0x03, 0x29, 0x5a, 0xbf, 0xb6, 0xe0,
27841 ++ 0x5d, 0x13, 0xd9, 0x2b, 0xb4, 0x80, 0xb2, 0x45,
27842 ++ 0x81, 0x6a, 0x2e, 0x6c, 0x89, 0x7d, 0xee, 0xbb,
27843 ++ 0x52, 0xdd, 0x1f, 0x18, 0xe7, 0x13, 0x6b, 0x33,
27844 ++ 0x0e, 0xea, 0x36, 0x92, 0x77, 0x7b, 0x6d, 0x9c,
27845 ++ 0x5a, 0x5f, 0x45, 0x7b, 0x7b, 0x35, 0x62, 0x23,
27846 ++ 0xd1, 0xbf, 0x0f, 0xd0, 0x08, 0x1b, 0x2b, 0x80,
27847 ++ 0x6b, 0x7e, 0xf1, 0x21, 0x47, 0xb0, 0x57, 0xd1,
27848 ++ 0x98, 0x72, 0x90, 0x34, 0x1c, 0x20, 0x04, 0xff,
27849 ++ 0x3d, 0x5c, 0xee, 0x0e, 0x57, 0x5f, 0x6f, 0x24,
27850 ++ 0x4e, 0x3c, 0xea, 0xfc, 0xa5, 0xa9, 0x83, 0xc9,
27851 ++ 0x61, 0xb4, 0x51, 0x24, 0xf8, 0x27, 0x5e, 0x46,
27852 ++ 0x8c, 0xb1, 0x53, 0x02, 0x96, 0x35, 0xba, 0xb8,
27853 ++ 0x4c, 0x71, 0xd3, 0x15, 0x59, 0x35, 0x22, 0x20,
27854 ++ 0xad, 0x03, 0x9f, 0x66, 0x44, 0x3b, 0x9c, 0x35,
27855 ++ 0x37, 0x1f, 0x9b, 0xbb, 0xf3, 0xdb, 0x35, 0x63,
27856 ++ 0x30, 0x64, 0xaa, 0xa2, 0x06, 0xa8, 0x5d, 0xbb,
27857 ++ 0xe1, 0x9f, 0x70, 0xec, 0x82, 0x11, 0x06, 0x36,
27858 ++ 0xec, 0x8b, 0x69, 0x66, 0x24, 0x44, 0xc9, 0x4a,
27859 ++ 0x57, 0xbb, 0x9b, 0x78, 0x13, 0xce, 0x9c, 0x0c,
27860 ++ 0xba, 0x92, 0x93, 0x63, 0xb8, 0xe2, 0x95, 0x0f,
27861 ++ 0x0f, 0x16, 0x39, 0x52, 0xfd, 0x3a, 0x6d, 0x02,
27862 ++ 0x4b, 0xdf, 0x13, 0xd3, 0x2a, 0x22, 0xb4, 0x03,
27863 ++ 0x7c, 0x54, 0x49, 0x96, 0x68, 0x54, 0x10, 0xfa,
27864 ++ 0xef, 0xaa, 0x6c, 0xe8, 0x22, 0xdc, 0x71, 0x16,
27865 ++ 0x13, 0x1a, 0xf6, 0x28, 0xe5, 0x6d, 0x77, 0x3d,
27866 ++ 0xcd, 0x30, 0x63, 0xb1, 0x70, 0x52, 0xa1, 0xc5,
27867 ++ 0x94, 0x5f, 0xcf, 0xe8, 0xb8, 0x26, 0x98, 0xf7,
27868 ++ 0x06, 0xa0, 0x0a, 0x70, 0xfa, 0x03, 0x80, 0xac,
27869 ++ 0xc1, 0xec, 0xd6, 0x4c, 0x54, 0xd7, 0xfe, 0x47,
27870 ++ 0xb6, 0x88, 0x4a, 0xf7, 0x71, 0x24, 0xee, 0xf3,
27871 ++ 0xd2, 0xc2, 0x4a, 0x7f, 0xfe, 0x61, 0xc7, 0x35,
27872 ++ 0xc9, 0x37, 0x67, 0xcb, 0x24, 0x35, 0xda, 0x7e,
27873 ++ 0xca, 0x5f, 0xf3, 0x8d, 0xd4, 0x13, 0x8e, 0xd6,
27874 ++ 0xcb, 0x4d, 0x53, 0x8f, 0x53, 0x1f, 0xc0, 0x74,
27875 ++ 0xf7, 0x53, 0xb9, 0x5e, 0x23, 0x37, 0xba, 0x6e,
27876 ++ 0xe3, 0x9d, 0x07, 0x55, 0x25, 0x7b, 0xe6, 0x2a,
27877 ++ 0x64, 0xd1, 0x32, 0xdd, 0x54, 0x1b, 0x4b, 0xc0,
27878 ++ 0xe1, 0xd7, 0x69, 0x58, 0xf8, 0x93, 0x29, 0xc4,
27879 ++ 0xdd, 0x23, 0x2f, 0xa5, 0xfc, 0x9d, 0x7e, 0xf8,
27880 ++ 0xd4, 0x90, 0xcd, 0x82, 0x55, 0xdc, 0x16, 0x16,
27881 ++ 0x9f, 0x07, 0x52, 0x9b, 0x9d, 0x25, 0xed, 0x32,
27882 ++ 0xc5, 0x7b, 0xdf, 0xf6, 0x83, 0x46, 0x3d, 0x65,
27883 ++ 0xb7, 0xef, 0x87, 0x7a, 0x12, 0x69, 0x8f, 0x06,
27884 ++ 0x7c, 0x51, 0x15, 0x4a, 0x08, 0xe8, 0xac, 0x9a,
27885 ++ 0x0c, 0x24, 0xa7, 0x27, 0xd8, 0x46, 0x2f, 0xe7,
27886 ++ 0x01, 0x0e, 0x1c, 0xc6, 0x91, 0xb0, 0x6e, 0x85,
27887 ++ 0x65, 0xf0, 0x29, 0x0d, 0x2e, 0x6b, 0x3b, 0xfb,
27888 ++ 0x4b, 0xdf, 0xe4, 0x80, 0x93, 0x03, 0x66, 0x46,
27889 ++ 0x3e, 0x8a, 0x6e, 0xf3, 0x5e, 0x4d, 0x62, 0x0e,
27890 ++ 0x49, 0x05, 0xaf, 0xd4, 0xf8, 0x21, 0x20, 0x61,
27891 ++ 0x1d, 0x39, 0x17, 0xf4, 0x61, 0x47, 0x95, 0xfb,
27892 ++ 0x15, 0x2e, 0xb3, 0x4f, 0xd0, 0x5d, 0xf5, 0x7d,
27893 ++ 0x40, 0xda, 0x90, 0x3c, 0x6b, 0xcb, 0x17, 0x00,
27894 ++ 0x13, 0x3b, 0x64, 0x34, 0x1b, 0xf0, 0xf2, 0xe5,
27895 ++ 0x3b, 0xb2, 0xc7, 0xd3, 0x5f, 0x3a, 0x44, 0xa6,
27896 ++ 0x9b, 0xb7, 0x78, 0x0e, 0x42, 0x5d, 0x4c, 0xc1,
27897 ++ 0xe9, 0xd2, 0xcb, 0xb7, 0x78, 0xd1, 0xfe, 0x9a,
27898 ++ 0xb5, 0x07, 0xe9, 0xe0, 0xbe, 0xe2, 0x8a, 0xa7,
27899 ++ 0x01, 0x83, 0x00, 0x8c, 0x5c, 0x08, 0xe6, 0x63,
27900 ++ 0x12, 0x92, 0xb7, 0xb7, 0xa6, 0x19, 0x7d, 0x38,
27901 ++ 0x13, 0x38, 0x92, 0x87, 0x24, 0xf9, 0x48, 0xb3,
27902 ++ 0x5e, 0x87, 0x6a, 0x40, 0x39, 0x5c, 0x3f, 0xed,
27903 ++ 0x8f, 0xee, 0xdb, 0x15, 0x82, 0x06, 0xda, 0x49,
27904 ++ 0x21, 0x2b, 0xb5, 0xbf, 0x32, 0x7c, 0x9f, 0x42,
27905 ++ 0x28, 0x63, 0xcf, 0xaf, 0x1e, 0xf8, 0xc6, 0xa0,
27906 ++ 0xd1, 0x02, 0x43, 0x57, 0x62, 0xec, 0x9b, 0x0f,
27907 ++ 0x01, 0x9e, 0x71, 0xd8, 0x87, 0x9d, 0x01, 0xc1,
27908 ++ 0x58, 0x77, 0xd9, 0xaf, 0xb1, 0x10, 0x7e, 0xdd,
27909 ++ 0xa6, 0x50, 0x96, 0xe5, 0xf0, 0x72, 0x00, 0x6d,
27910 ++ 0x4b, 0xf8, 0x2a, 0x8f, 0x19, 0xf3, 0x22, 0x88,
27911 ++ 0x11, 0x4a, 0x8b, 0x7c, 0xfd, 0xb7, 0xed, 0xe1,
27912 ++ 0xf6, 0x40, 0x39, 0xe0, 0xe9, 0xf6, 0x3d, 0x25,
27913 ++ 0xe6, 0x74, 0x3c, 0x58, 0x57, 0x7f, 0xe1, 0x22,
27914 ++ 0x96, 0x47, 0x31, 0x91, 0xba, 0x70, 0x85, 0x28,
27915 ++ 0x6b, 0x9f, 0x6e, 0x25, 0xac, 0x23, 0x66, 0x2f,
27916 ++ 0x29, 0x88, 0x28, 0xce, 0x8c, 0x5c, 0x88, 0x53,
27917 ++ 0xd1, 0x3b, 0xcc, 0x6a, 0x51, 0xb2, 0xe1, 0x28,
27918 ++ 0x3f, 0x91, 0xb4, 0x0d, 0x00, 0x3a, 0xe3, 0xf8,
27919 ++ 0xc3, 0x8f, 0xd7, 0x96, 0x62, 0x0e, 0x2e, 0xfc,
27920 ++ 0xc8, 0x6c, 0x77, 0xa6, 0x1d, 0x22, 0xc1, 0xb8,
27921 ++ 0xe6, 0x61, 0xd7, 0x67, 0x36, 0x13, 0x7b, 0xbb,
27922 ++ 0x9b, 0x59, 0x09, 0xa6, 0xdf, 0xf7, 0x6b, 0xa3,
27923 ++ 0x40, 0x1a, 0xf5, 0x4f, 0xb4, 0xda, 0xd3, 0xf3,
27924 ++ 0x81, 0x93, 0xc6, 0x18, 0xd9, 0x26, 0xee, 0xac,
27925 ++ 0xf0, 0xaa, 0xdf, 0xc5, 0x9c, 0xca, 0xc2, 0xa2,
27926 ++ 0xcc, 0x7b, 0x5c, 0x24, 0xb0, 0xbc, 0xd0, 0x6a,
27927 ++ 0x4d, 0x89, 0x09, 0xb8, 0x07, 0xfe, 0x87, 0xad,
27928 ++ 0x0a, 0xea, 0xb8, 0x42, 0xf9, 0x5e, 0xb3, 0x3e,
27929 ++ 0x36, 0x4c, 0xaf, 0x75, 0x9e, 0x1c, 0xeb, 0xbd,
27930 ++ 0xbc, 0xbb, 0x80, 0x40, 0xa7, 0x3a, 0x30, 0xbf,
27931 ++ 0xa8, 0x44, 0xf4, 0xeb, 0x38, 0xad, 0x29, 0xba,
27932 ++ 0x23, 0xed, 0x41, 0x0c, 0xea, 0xd2, 0xbb, 0x41,
27933 ++ 0x18, 0xd6, 0xb9, 0xba, 0x65, 0x2b, 0xa3, 0x91,
27934 ++ 0x6d, 0x1f, 0xa9, 0xf4, 0xd1, 0x25, 0x8d, 0x4d,
27935 ++ 0x38, 0xff, 0x64, 0xa0, 0xec, 0xde, 0xa6, 0xb6,
27936 ++ 0x79, 0xab, 0x8e, 0x33, 0x6c, 0x47, 0xde, 0xaf,
27937 ++ 0x94, 0xa4, 0xa5, 0x86, 0x77, 0x55, 0x09, 0x92,
27938 ++ 0x81, 0x31, 0x76, 0xc7, 0x34, 0x22, 0x89, 0x8e,
27939 ++ 0x3d, 0x26, 0x26, 0xd7, 0xfc, 0x1e, 0x16, 0x72,
27940 ++ 0x13, 0x33, 0x63, 0xd5, 0x22, 0xbe, 0xb8, 0x04,
27941 ++ 0x34, 0x84, 0x41, 0xbb, 0x80, 0xd0, 0x9f, 0x46,
27942 ++ 0x48, 0x07, 0xa7, 0xfc, 0x2b, 0x3a, 0x75, 0x55,
27943 ++ 0x8c, 0xc7, 0x6a, 0xbd, 0x7e, 0x46, 0x08, 0x84,
27944 ++ 0x0f, 0xd5, 0x74, 0xc0, 0x82, 0x8e, 0xaa, 0x61,
27945 ++ 0x05, 0x01, 0xb2, 0x47, 0x6e, 0x20, 0x6a, 0x2d,
27946 ++ 0x58, 0x70, 0x48, 0x32, 0xa7, 0x37, 0xd2, 0xb8,
27947 ++ 0x82, 0x1a, 0x51, 0xb9, 0x61, 0xdd, 0xfd, 0x9d,
27948 ++ 0x6b, 0x0e, 0x18, 0x97, 0xf8, 0x45, 0x5f, 0x87,
27949 ++ 0x10, 0xcf, 0x34, 0x72, 0x45, 0x26, 0x49, 0x70,
27950 ++ 0xe7, 0xa3, 0x78, 0xe0, 0x52, 0x89, 0x84, 0x94,
27951 ++ 0x83, 0x82, 0xc2, 0x69, 0x8f, 0xe3, 0xe1, 0x3f,
27952 ++ 0x60, 0x74, 0x88, 0xc4, 0xf7, 0x75, 0x2c, 0xfb,
27953 ++ 0xbd, 0xb6, 0xc4, 0x7e, 0x10, 0x0a, 0x6c, 0x90,
27954 ++ 0x04, 0x9e, 0xc3, 0x3f, 0x59, 0x7c, 0xce, 0x31,
27955 ++ 0x18, 0x60, 0x57, 0x73, 0x46, 0x94, 0x7d, 0x06,
27956 ++ 0xa0, 0x6d, 0x44, 0xec, 0xa2, 0x0a, 0x9e, 0x05,
27957 ++ 0x15, 0xef, 0xca, 0x5c, 0xbf, 0x00, 0xeb, 0xf7,
27958 ++ 0x3d, 0x32, 0xd4, 0xa5, 0xef, 0x49, 0x89, 0x5e,
27959 ++ 0x46, 0xb0, 0xa6, 0x63, 0x5b, 0x8a, 0x73, 0xae,
27960 ++ 0x6f, 0xd5, 0x9d, 0xf8, 0x4f, 0x40, 0xb5, 0xb2,
27961 ++ 0x6e, 0xd3, 0xb6, 0x01, 0xa9, 0x26, 0xa2, 0x21,
27962 ++ 0xcf, 0x33, 0x7a, 0x3a, 0xa4, 0x23, 0x13, 0xb0,
27963 ++ 0x69, 0x6a, 0xee, 0xce, 0xd8, 0x9d, 0x01, 0x1d,
27964 ++ 0x50, 0xc1, 0x30, 0x6c, 0xb1, 0xcd, 0xa0, 0xf0,
27965 ++ 0xf0, 0xa2, 0x64, 0x6f, 0xbb, 0xbf, 0x5e, 0xe6,
27966 ++ 0xab, 0x87, 0xb4, 0x0f, 0x4f, 0x15, 0xaf, 0xb5,
27967 ++ 0x25, 0xa1, 0xb2, 0xd0, 0x80, 0x2c, 0xfb, 0xf9,
27968 ++ 0xfe, 0xd2, 0x33, 0xbb, 0x76, 0xfe, 0x7c, 0xa8,
27969 ++ 0x66, 0xf7, 0xe7, 0x85, 0x9f, 0x1f, 0x85, 0x57,
27970 ++ 0x88, 0xe1, 0xe9, 0x63, 0xe4, 0xd8, 0x1c, 0xa1,
27971 ++ 0xfb, 0xda, 0x44, 0x05, 0x2e, 0x1d, 0x3a, 0x1c,
27972 ++ 0xff, 0xc8, 0x3b, 0xc0, 0xfe, 0xda, 0x22, 0x0b,
27973 ++ 0x43, 0xd6, 0x88, 0x39, 0x4c, 0x4a, 0xa6, 0x69,
27974 ++ 0x18, 0x93, 0x42, 0x4e, 0xb5, 0xcc, 0x66, 0x0d,
27975 ++ 0x09, 0xf8, 0x1e, 0x7c, 0xd3, 0x3c, 0x99, 0x0d,
27976 ++ 0x50, 0x1d, 0x62, 0xe9, 0x57, 0x06, 0xbf, 0x19,
27977 ++ 0x88, 0xdd, 0xad, 0x7b, 0x4f, 0xf9, 0xc7, 0x82,
27978 ++ 0x6d, 0x8d, 0xc8, 0xc4, 0xc5, 0x78, 0x17, 0x20,
27979 ++ 0x15, 0xc5, 0x52, 0x41, 0xcf, 0x5b, 0xd6, 0x7f,
27980 ++ 0x94, 0x02, 0x41, 0xe0, 0x40, 0x22, 0x03, 0x5e,
27981 ++ 0xd1, 0x53, 0xd4, 0x86, 0xd3, 0x2c, 0x9f, 0x0f,
27982 ++ 0x96, 0xe3, 0x6b, 0x9a, 0x76, 0x32, 0x06, 0x47,
27983 ++ 0x4b, 0x11, 0xb3, 0xdd, 0x03, 0x65, 0xbd, 0x9b,
27984 ++ 0x01, 0xda, 0x9c, 0xb9, 0x7e, 0x3f, 0x6a, 0xc4,
27985 ++ 0x7b, 0xea, 0xd4, 0x3c, 0xb9, 0xfb, 0x5c, 0x6b,
27986 ++ 0x64, 0x33, 0x52, 0xba, 0x64, 0x78, 0x8f, 0xa4,
27987 ++ 0xaf, 0x7a, 0x61, 0x8d, 0xbc, 0xc5, 0x73, 0xe9,
27988 ++ 0x6b, 0x58, 0x97, 0x4b, 0xbf, 0x63, 0x22, 0xd3,
27989 ++ 0x37, 0x02, 0x54, 0xc5, 0xb9, 0x16, 0x4a, 0xf0,
27990 ++ 0x19, 0xd8, 0x94, 0x57, 0xb8, 0x8a, 0xb3, 0x16,
27991 ++ 0x3b, 0xd0, 0x84, 0x8e, 0x67, 0xa6, 0xa3, 0x7d,
27992 ++ 0x78, 0xec, 0x00
27993 ++};
27994 ++static const u8 dec_assoc013[] __initconst = {
27995 ++ 0xb1, 0x69, 0x83, 0x87, 0x30, 0xaa, 0x5d, 0xb8,
27996 ++ 0x77, 0xe8, 0x21, 0xff, 0x06, 0x59, 0x35, 0xce,
27997 ++ 0x75, 0xfe, 0x38, 0xef, 0xb8, 0x91, 0x43, 0x8c,
27998 ++ 0xcf, 0x70, 0xdd, 0x0a, 0x68, 0xbf, 0xd4, 0xbc,
27999 ++ 0x16, 0x76, 0x99, 0x36, 0x1e, 0x58, 0x79, 0x5e,
28000 ++ 0xd4, 0x29, 0xf7, 0x33, 0x93, 0x48, 0xdb, 0x5f,
28001 ++ 0x01, 0xae, 0x9c, 0xb6, 0xe4, 0x88, 0x6d, 0x2b,
28002 ++ 0x76, 0x75, 0xe0, 0xf3, 0x74, 0xe2, 0xc9
28003 ++};
28004 ++static const u8 dec_nonce013[] __initconst = {
28005 ++ 0x05, 0xa3, 0x93, 0xed, 0x30, 0xc5, 0xa2, 0x06
28006 ++};
28007 ++static const u8 dec_key013[] __initconst = {
28008 ++ 0xb3, 0x35, 0x50, 0x03, 0x54, 0x2e, 0x40, 0x5e,
28009 ++ 0x8f, 0x59, 0x8e, 0xc5, 0x90, 0xd5, 0x27, 0x2d,
28010 ++ 0xba, 0x29, 0x2e, 0xcb, 0x1b, 0x70, 0x44, 0x1e,
28011 ++ 0x65, 0x91, 0x6e, 0x2a, 0x79, 0x22, 0xda, 0x64
28012 ++};
28013 ++
28014 ++static const struct chacha20poly1305_testvec
28015 ++chacha20poly1305_dec_vectors[] __initconst = {
28016 ++ { dec_input001, dec_output001, dec_assoc001, dec_nonce001, dec_key001,
28017 ++ sizeof(dec_input001), sizeof(dec_assoc001), sizeof(dec_nonce001) },
28018 ++ { dec_input002, dec_output002, dec_assoc002, dec_nonce002, dec_key002,
28019 ++ sizeof(dec_input002), sizeof(dec_assoc002), sizeof(dec_nonce002) },
28020 ++ { dec_input003, dec_output003, dec_assoc003, dec_nonce003, dec_key003,
28021 ++ sizeof(dec_input003), sizeof(dec_assoc003), sizeof(dec_nonce003) },
28022 ++ { dec_input004, dec_output004, dec_assoc004, dec_nonce004, dec_key004,
28023 ++ sizeof(dec_input004), sizeof(dec_assoc004), sizeof(dec_nonce004) },
28024 ++ { dec_input005, dec_output005, dec_assoc005, dec_nonce005, dec_key005,
28025 ++ sizeof(dec_input005), sizeof(dec_assoc005), sizeof(dec_nonce005) },
28026 ++ { dec_input006, dec_output006, dec_assoc006, dec_nonce006, dec_key006,
28027 ++ sizeof(dec_input006), sizeof(dec_assoc006), sizeof(dec_nonce006) },
28028 ++ { dec_input007, dec_output007, dec_assoc007, dec_nonce007, dec_key007,
28029 ++ sizeof(dec_input007), sizeof(dec_assoc007), sizeof(dec_nonce007) },
28030 ++ { dec_input008, dec_output008, dec_assoc008, dec_nonce008, dec_key008,
28031 ++ sizeof(dec_input008), sizeof(dec_assoc008), sizeof(dec_nonce008) },
28032 ++ { dec_input009, dec_output009, dec_assoc009, dec_nonce009, dec_key009,
28033 ++ sizeof(dec_input009), sizeof(dec_assoc009), sizeof(dec_nonce009) },
28034 ++ { dec_input010, dec_output010, dec_assoc010, dec_nonce010, dec_key010,
28035 ++ sizeof(dec_input010), sizeof(dec_assoc010), sizeof(dec_nonce010) },
28036 ++ { dec_input011, dec_output011, dec_assoc011, dec_nonce011, dec_key011,
28037 ++ sizeof(dec_input011), sizeof(dec_assoc011), sizeof(dec_nonce011) },
28038 ++ { dec_input012, dec_output012, dec_assoc012, dec_nonce012, dec_key012,
28039 ++ sizeof(dec_input012), sizeof(dec_assoc012), sizeof(dec_nonce012) },
28040 ++ { dec_input013, dec_output013, dec_assoc013, dec_nonce013, dec_key013,
28041 ++ sizeof(dec_input013), sizeof(dec_assoc013), sizeof(dec_nonce013),
28042 ++ true }
28043 ++};
28044 ++
28045 ++static const u8 xenc_input001[] __initconst = {
28046 ++ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
28047 ++ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
28048 ++ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
28049 ++ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28050 ++ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
28051 ++ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
28052 ++ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
28053 ++ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
28054 ++ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
28055 ++ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
28056 ++ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
28057 ++ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
28058 ++ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
28059 ++ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
28060 ++ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
28061 ++ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28062 ++ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
28063 ++ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
28064 ++ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
28065 ++ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
28066 ++ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
28067 ++ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
28068 ++ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
28069 ++ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
28070 ++ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
28071 ++ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
28072 ++ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
28073 ++ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
28074 ++ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
28075 ++ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
28076 ++ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
28077 ++ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
28078 ++ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
28079 ++ 0x9d
28080 ++};
28081 ++static const u8 xenc_output001[] __initconst = {
28082 ++ 0x1a, 0x6e, 0x3a, 0xd9, 0xfd, 0x41, 0x3f, 0x77,
28083 ++ 0x54, 0x72, 0x0a, 0x70, 0x9a, 0xa0, 0x29, 0x92,
28084 ++ 0x2e, 0xed, 0x93, 0xcf, 0x0f, 0x71, 0x88, 0x18,
28085 ++ 0x7a, 0x9d, 0x2d, 0x24, 0xe0, 0xf5, 0xea, 0x3d,
28086 ++ 0x55, 0x64, 0xd7, 0xad, 0x2a, 0x1a, 0x1f, 0x7e,
28087 ++ 0x86, 0x6d, 0xb0, 0xce, 0x80, 0x41, 0x72, 0x86,
28088 ++ 0x26, 0xee, 0x84, 0xd7, 0xef, 0x82, 0x9e, 0xe2,
28089 ++ 0x60, 0x9d, 0x5a, 0xfc, 0xf0, 0xe4, 0x19, 0x85,
28090 ++ 0xea, 0x09, 0xc6, 0xfb, 0xb3, 0xa9, 0x50, 0x09,
28091 ++ 0xec, 0x5e, 0x11, 0x90, 0xa1, 0xc5, 0x4e, 0x49,
28092 ++ 0xef, 0x50, 0xd8, 0x8f, 0xe0, 0x78, 0xd7, 0xfd,
28093 ++ 0xb9, 0x3b, 0xc9, 0xf2, 0x91, 0xc8, 0x25, 0xc8,
28094 ++ 0xa7, 0x63, 0x60, 0xce, 0x10, 0xcd, 0xc6, 0x7f,
28095 ++ 0xf8, 0x16, 0xf8, 0xe1, 0x0a, 0xd9, 0xde, 0x79,
28096 ++ 0x50, 0x33, 0xf2, 0x16, 0x0f, 0x17, 0xba, 0xb8,
28097 ++ 0x5d, 0xd8, 0xdf, 0x4e, 0x51, 0xa8, 0x39, 0xd0,
28098 ++ 0x85, 0xca, 0x46, 0x6a, 0x10, 0xa7, 0xa3, 0x88,
28099 ++ 0xef, 0x79, 0xb9, 0xf8, 0x24, 0xf3, 0xe0, 0x71,
28100 ++ 0x7b, 0x76, 0x28, 0x46, 0x3a, 0x3a, 0x1b, 0x91,
28101 ++ 0xb6, 0xd4, 0x3e, 0x23, 0xe5, 0x44, 0x15, 0xbf,
28102 ++ 0x60, 0x43, 0x9d, 0xa4, 0xbb, 0xd5, 0x5f, 0x89,
28103 ++ 0xeb, 0xef, 0x8e, 0xfd, 0xdd, 0xb4, 0x0d, 0x46,
28104 ++ 0xf0, 0x69, 0x23, 0x63, 0xae, 0x94, 0xf5, 0x5e,
28105 ++ 0xa5, 0xad, 0x13, 0x1c, 0x41, 0x76, 0xe6, 0x90,
28106 ++ 0xd6, 0x6d, 0xa2, 0x8f, 0x97, 0x4c, 0xa8, 0x0b,
28107 ++ 0xcf, 0x8d, 0x43, 0x2b, 0x9c, 0x9b, 0xc5, 0x58,
28108 ++ 0xa5, 0xb6, 0x95, 0x9a, 0xbf, 0x81, 0xc6, 0x54,
28109 ++ 0xc9, 0x66, 0x0c, 0xe5, 0x4f, 0x6a, 0x53, 0xa1,
28110 ++ 0xe5, 0x0c, 0xba, 0x31, 0xde, 0x34, 0x64, 0x73,
28111 ++ 0x8a, 0x3b, 0xbd, 0x92, 0x01, 0xdb, 0x71, 0x69,
28112 ++ 0xf3, 0x58, 0x99, 0xbc, 0xd1, 0xcb, 0x4a, 0x05,
28113 ++ 0xe2, 0x58, 0x9c, 0x25, 0x17, 0xcd, 0xdc, 0x83,
28114 ++ 0xb7, 0xff, 0xfb, 0x09, 0x61, 0xad, 0xbf, 0x13,
28115 ++ 0x5b, 0x5e, 0xed, 0x46, 0x82, 0x6f, 0x22, 0xd8,
28116 ++ 0x93, 0xa6, 0x85, 0x5b, 0x40, 0x39, 0x5c, 0xc5,
28117 ++ 0x9c
28118 ++};
28119 ++static const u8 xenc_assoc001[] __initconst = {
28120 ++ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
28121 ++ 0x00, 0x00, 0x4e, 0x91
28122 ++};
28123 ++static const u8 xenc_nonce001[] __initconst = {
28124 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
28125 ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
28126 ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
28127 ++};
28128 ++static const u8 xenc_key001[] __initconst = {
28129 ++ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
28130 ++ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
28131 ++ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
28132 ++ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
28133 ++};
28134 ++
28135 ++static const struct chacha20poly1305_testvec
28136 ++xchacha20poly1305_enc_vectors[] __initconst = {
28137 ++ { xenc_input001, xenc_output001, xenc_assoc001, xenc_nonce001, xenc_key001,
28138 ++ sizeof(xenc_input001), sizeof(xenc_assoc001), sizeof(xenc_nonce001) }
28139 ++};
28140 ++
28141 ++static const u8 xdec_input001[] __initconst = {
28142 ++ 0x1a, 0x6e, 0x3a, 0xd9, 0xfd, 0x41, 0x3f, 0x77,
28143 ++ 0x54, 0x72, 0x0a, 0x70, 0x9a, 0xa0, 0x29, 0x92,
28144 ++ 0x2e, 0xed, 0x93, 0xcf, 0x0f, 0x71, 0x88, 0x18,
28145 ++ 0x7a, 0x9d, 0x2d, 0x24, 0xe0, 0xf5, 0xea, 0x3d,
28146 ++ 0x55, 0x64, 0xd7, 0xad, 0x2a, 0x1a, 0x1f, 0x7e,
28147 ++ 0x86, 0x6d, 0xb0, 0xce, 0x80, 0x41, 0x72, 0x86,
28148 ++ 0x26, 0xee, 0x84, 0xd7, 0xef, 0x82, 0x9e, 0xe2,
28149 ++ 0x60, 0x9d, 0x5a, 0xfc, 0xf0, 0xe4, 0x19, 0x85,
28150 ++ 0xea, 0x09, 0xc6, 0xfb, 0xb3, 0xa9, 0x50, 0x09,
28151 ++ 0xec, 0x5e, 0x11, 0x90, 0xa1, 0xc5, 0x4e, 0x49,
28152 ++ 0xef, 0x50, 0xd8, 0x8f, 0xe0, 0x78, 0xd7, 0xfd,
28153 ++ 0xb9, 0x3b, 0xc9, 0xf2, 0x91, 0xc8, 0x25, 0xc8,
28154 ++ 0xa7, 0x63, 0x60, 0xce, 0x10, 0xcd, 0xc6, 0x7f,
28155 ++ 0xf8, 0x16, 0xf8, 0xe1, 0x0a, 0xd9, 0xde, 0x79,
28156 ++ 0x50, 0x33, 0xf2, 0x16, 0x0f, 0x17, 0xba, 0xb8,
28157 ++ 0x5d, 0xd8, 0xdf, 0x4e, 0x51, 0xa8, 0x39, 0xd0,
28158 ++ 0x85, 0xca, 0x46, 0x6a, 0x10, 0xa7, 0xa3, 0x88,
28159 ++ 0xef, 0x79, 0xb9, 0xf8, 0x24, 0xf3, 0xe0, 0x71,
28160 ++ 0x7b, 0x76, 0x28, 0x46, 0x3a, 0x3a, 0x1b, 0x91,
28161 ++ 0xb6, 0xd4, 0x3e, 0x23, 0xe5, 0x44, 0x15, 0xbf,
28162 ++ 0x60, 0x43, 0x9d, 0xa4, 0xbb, 0xd5, 0x5f, 0x89,
28163 ++ 0xeb, 0xef, 0x8e, 0xfd, 0xdd, 0xb4, 0x0d, 0x46,
28164 ++ 0xf0, 0x69, 0x23, 0x63, 0xae, 0x94, 0xf5, 0x5e,
28165 ++ 0xa5, 0xad, 0x13, 0x1c, 0x41, 0x76, 0xe6, 0x90,
28166 ++ 0xd6, 0x6d, 0xa2, 0x8f, 0x97, 0x4c, 0xa8, 0x0b,
28167 ++ 0xcf, 0x8d, 0x43, 0x2b, 0x9c, 0x9b, 0xc5, 0x58,
28168 ++ 0xa5, 0xb6, 0x95, 0x9a, 0xbf, 0x81, 0xc6, 0x54,
28169 ++ 0xc9, 0x66, 0x0c, 0xe5, 0x4f, 0x6a, 0x53, 0xa1,
28170 ++ 0xe5, 0x0c, 0xba, 0x31, 0xde, 0x34, 0x64, 0x73,
28171 ++ 0x8a, 0x3b, 0xbd, 0x92, 0x01, 0xdb, 0x71, 0x69,
28172 ++ 0xf3, 0x58, 0x99, 0xbc, 0xd1, 0xcb, 0x4a, 0x05,
28173 ++ 0xe2, 0x58, 0x9c, 0x25, 0x17, 0xcd, 0xdc, 0x83,
28174 ++ 0xb7, 0xff, 0xfb, 0x09, 0x61, 0xad, 0xbf, 0x13,
28175 ++ 0x5b, 0x5e, 0xed, 0x46, 0x82, 0x6f, 0x22, 0xd8,
28176 ++ 0x93, 0xa6, 0x85, 0x5b, 0x40, 0x39, 0x5c, 0xc5,
28177 ++ 0x9c
28178 ++};
28179 ++static const u8 xdec_output001[] __initconst = {
28180 ++ 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
28181 ++ 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x73, 0x20,
28182 ++ 0x61, 0x72, 0x65, 0x20, 0x64, 0x72, 0x61, 0x66,
28183 ++ 0x74, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28184 ++ 0x6e, 0x74, 0x73, 0x20, 0x76, 0x61, 0x6c, 0x69,
28185 ++ 0x64, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x20,
28186 ++ 0x6d, 0x61, 0x78, 0x69, 0x6d, 0x75, 0x6d, 0x20,
28187 ++ 0x6f, 0x66, 0x20, 0x73, 0x69, 0x78, 0x20, 0x6d,
28188 ++ 0x6f, 0x6e, 0x74, 0x68, 0x73, 0x20, 0x61, 0x6e,
28189 ++ 0x64, 0x20, 0x6d, 0x61, 0x79, 0x20, 0x62, 0x65,
28190 ++ 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64,
28191 ++ 0x2c, 0x20, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63,
28192 ++ 0x65, 0x64, 0x2c, 0x20, 0x6f, 0x72, 0x20, 0x6f,
28193 ++ 0x62, 0x73, 0x6f, 0x6c, 0x65, 0x74, 0x65, 0x64,
28194 ++ 0x20, 0x62, 0x79, 0x20, 0x6f, 0x74, 0x68, 0x65,
28195 ++ 0x72, 0x20, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65,
28196 ++ 0x6e, 0x74, 0x73, 0x20, 0x61, 0x74, 0x20, 0x61,
28197 ++ 0x6e, 0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x2e,
28198 ++ 0x20, 0x49, 0x74, 0x20, 0x69, 0x73, 0x20, 0x69,
28199 ++ 0x6e, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x70, 0x72,
28200 ++ 0x69, 0x61, 0x74, 0x65, 0x20, 0x74, 0x6f, 0x20,
28201 ++ 0x75, 0x73, 0x65, 0x20, 0x49, 0x6e, 0x74, 0x65,
28202 ++ 0x72, 0x6e, 0x65, 0x74, 0x2d, 0x44, 0x72, 0x61,
28203 ++ 0x66, 0x74, 0x73, 0x20, 0x61, 0x73, 0x20, 0x72,
28204 ++ 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
28205 ++ 0x20, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61,
28206 ++ 0x6c, 0x20, 0x6f, 0x72, 0x20, 0x74, 0x6f, 0x20,
28207 ++ 0x63, 0x69, 0x74, 0x65, 0x20, 0x74, 0x68, 0x65,
28208 ++ 0x6d, 0x20, 0x6f, 0x74, 0x68, 0x65, 0x72, 0x20,
28209 ++ 0x74, 0x68, 0x61, 0x6e, 0x20, 0x61, 0x73, 0x20,
28210 ++ 0x2f, 0xe2, 0x80, 0x9c, 0x77, 0x6f, 0x72, 0x6b,
28211 ++ 0x20, 0x69, 0x6e, 0x20, 0x70, 0x72, 0x6f, 0x67,
28212 ++ 0x72, 0x65, 0x73, 0x73, 0x2e, 0x2f, 0xe2, 0x80,
28213 ++ 0x9d
28214 ++};
28215 ++static const u8 xdec_assoc001[] __initconst = {
28216 ++ 0xf3, 0x33, 0x88, 0x86, 0x00, 0x00, 0x00, 0x00,
28217 ++ 0x00, 0x00, 0x4e, 0x91
28218 ++};
28219 ++static const u8 xdec_nonce001[] __initconst = {
28220 ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
28221 ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
28222 ++ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
28223 ++};
28224 ++static const u8 xdec_key001[] __initconst = {
28225 ++ 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
28226 ++ 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
28227 ++ 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
28228 ++ 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
28229 ++};
28230 ++
28231 ++static const struct chacha20poly1305_testvec
28232 ++xchacha20poly1305_dec_vectors[] __initconst = {
28233 ++ { xdec_input001, xdec_output001, xdec_assoc001, xdec_nonce001, xdec_key001,
28234 ++ sizeof(xdec_input001), sizeof(xdec_assoc001), sizeof(xdec_nonce001) }
28235 ++};
28236 ++
28237 ++/* This is for the selftests-only, since it is only useful for the purpose of
28238 ++ * testing the underlying primitives and interactions.
28239 ++ */
28240 ++static void __init
28241 ++chacha20poly1305_encrypt_bignonce(u8 *dst, const u8 *src, const size_t src_len,
28242 ++ const u8 *ad, const size_t ad_len,
28243 ++ const u8 nonce[12],
28244 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28245 ++{
28246 ++ const u8 *pad0 = page_address(ZERO_PAGE(0));
28247 ++ struct poly1305_desc_ctx poly1305_state;
28248 ++ u32 chacha20_state[CHACHA_STATE_WORDS];
28249 ++ union {
28250 ++ u8 block0[POLY1305_KEY_SIZE];
28251 ++ __le64 lens[2];
28252 ++ } b = {{ 0 }};
28253 ++ u8 bottom_row[16] = { 0 };
28254 ++ u32 le_key[8];
28255 ++ int i;
28256 ++
28257 ++ memcpy(&bottom_row[4], nonce, 12);
28258 ++ for (i = 0; i < 8; ++i)
28259 ++ le_key[i] = get_unaligned_le32(key + sizeof(le_key[i]) * i);
28260 ++ chacha_init(chacha20_state, le_key, bottom_row);
28261 ++ chacha20_crypt(chacha20_state, b.block0, b.block0, sizeof(b.block0));
28262 ++ poly1305_init(&poly1305_state, b.block0);
28263 ++ poly1305_update(&poly1305_state, ad, ad_len);
28264 ++ poly1305_update(&poly1305_state, pad0, (0x10 - ad_len) & 0xf);
28265 ++ chacha20_crypt(chacha20_state, dst, src, src_len);
28266 ++ poly1305_update(&poly1305_state, dst, src_len);
28267 ++ poly1305_update(&poly1305_state, pad0, (0x10 - src_len) & 0xf);
28268 ++ b.lens[0] = cpu_to_le64(ad_len);
28269 ++ b.lens[1] = cpu_to_le64(src_len);
28270 ++ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28271 ++ poly1305_final(&poly1305_state, dst + src_len);
28272 ++}
28273 ++
28274 ++static void __init
28275 ++chacha20poly1305_selftest_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28276 ++ const u8 *ad, const size_t ad_len,
28277 ++ const u8 *nonce, const size_t nonce_len,
28278 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28279 ++{
28280 ++ if (nonce_len == 8)
28281 ++ chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len,
28282 ++ get_unaligned_le64(nonce), key);
28283 ++ else if (nonce_len == 12)
28284 ++ chacha20poly1305_encrypt_bignonce(dst, src, src_len, ad,
28285 ++ ad_len, nonce, key);
28286 ++ else
28287 ++ BUG();
28288 ++}
28289 ++
28290 ++static bool __init
28291 ++decryption_success(bool func_ret, bool expect_failure, int memcmp_result)
28292 ++{
28293 ++ if (expect_failure)
28294 ++ return !func_ret;
28295 ++ return func_ret && !memcmp_result;
28296 ++}
28297 ++
28298 ++bool __init chacha20poly1305_selftest(void)
28299 ++{
28300 ++ enum { MAXIMUM_TEST_BUFFER_LEN = 1UL << 12 };
28301 ++ size_t i, j, k, total_len;
28302 ++ u8 *computed_output = NULL, *input = NULL;
28303 ++ bool success = true, ret;
28304 ++ struct scatterlist sg_src[3];
28305 ++
28306 ++ computed_output = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL);
28307 ++ input = kmalloc(MAXIMUM_TEST_BUFFER_LEN, GFP_KERNEL);
28308 ++ if (!computed_output || !input) {
28309 ++ pr_err("chacha20poly1305 self-test malloc: FAIL\n");
28310 ++ success = false;
28311 ++ goto out;
28312 ++ }
28313 ++
28314 ++ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_enc_vectors); ++i) {
28315 ++ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28316 ++ chacha20poly1305_selftest_encrypt(computed_output,
28317 ++ chacha20poly1305_enc_vectors[i].input,
28318 ++ chacha20poly1305_enc_vectors[i].ilen,
28319 ++ chacha20poly1305_enc_vectors[i].assoc,
28320 ++ chacha20poly1305_enc_vectors[i].alen,
28321 ++ chacha20poly1305_enc_vectors[i].nonce,
28322 ++ chacha20poly1305_enc_vectors[i].nlen,
28323 ++ chacha20poly1305_enc_vectors[i].key);
28324 ++ if (memcmp(computed_output,
28325 ++ chacha20poly1305_enc_vectors[i].output,
28326 ++ chacha20poly1305_enc_vectors[i].ilen +
28327 ++ POLY1305_DIGEST_SIZE)) {
28328 ++ pr_err("chacha20poly1305 encryption self-test %zu: FAIL\n",
28329 ++ i + 1);
28330 ++ success = false;
28331 ++ }
28332 ++ }
28333 ++
28334 ++ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_enc_vectors); ++i) {
28335 ++ if (chacha20poly1305_enc_vectors[i].nlen != 8)
28336 ++ continue;
28337 ++ memcpy(computed_output, chacha20poly1305_enc_vectors[i].input,
28338 ++ chacha20poly1305_enc_vectors[i].ilen);
28339 ++ sg_init_one(sg_src, computed_output,
28340 ++ chacha20poly1305_enc_vectors[i].ilen + POLY1305_DIGEST_SIZE);
28341 ++ ret = chacha20poly1305_encrypt_sg_inplace(sg_src,
28342 ++ chacha20poly1305_enc_vectors[i].ilen,
28343 ++ chacha20poly1305_enc_vectors[i].assoc,
28344 ++ chacha20poly1305_enc_vectors[i].alen,
28345 ++ get_unaligned_le64(chacha20poly1305_enc_vectors[i].nonce),
28346 ++ chacha20poly1305_enc_vectors[i].key);
28347 ++ if (!ret || memcmp(computed_output,
28348 ++ chacha20poly1305_enc_vectors[i].output,
28349 ++ chacha20poly1305_enc_vectors[i].ilen +
28350 ++ POLY1305_DIGEST_SIZE)) {
28351 ++ pr_err("chacha20poly1305 sg encryption self-test %zu: FAIL\n",
28352 ++ i + 1);
28353 ++ success = false;
28354 ++ }
28355 ++ }
28356 ++
28357 ++ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_dec_vectors); ++i) {
28358 ++ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28359 ++ ret = chacha20poly1305_decrypt(computed_output,
28360 ++ chacha20poly1305_dec_vectors[i].input,
28361 ++ chacha20poly1305_dec_vectors[i].ilen,
28362 ++ chacha20poly1305_dec_vectors[i].assoc,
28363 ++ chacha20poly1305_dec_vectors[i].alen,
28364 ++ get_unaligned_le64(chacha20poly1305_dec_vectors[i].nonce),
28365 ++ chacha20poly1305_dec_vectors[i].key);
28366 ++ if (!decryption_success(ret,
28367 ++ chacha20poly1305_dec_vectors[i].failure,
28368 ++ memcmp(computed_output,
28369 ++ chacha20poly1305_dec_vectors[i].output,
28370 ++ chacha20poly1305_dec_vectors[i].ilen -
28371 ++ POLY1305_DIGEST_SIZE))) {
28372 ++ pr_err("chacha20poly1305 decryption self-test %zu: FAIL\n",
28373 ++ i + 1);
28374 ++ success = false;
28375 ++ }
28376 ++ }
28377 ++
28378 ++ for (i = 0; i < ARRAY_SIZE(chacha20poly1305_dec_vectors); ++i) {
28379 ++ memcpy(computed_output, chacha20poly1305_dec_vectors[i].input,
28380 ++ chacha20poly1305_dec_vectors[i].ilen);
28381 ++ sg_init_one(sg_src, computed_output,
28382 ++ chacha20poly1305_dec_vectors[i].ilen);
28383 ++ ret = chacha20poly1305_decrypt_sg_inplace(sg_src,
28384 ++ chacha20poly1305_dec_vectors[i].ilen,
28385 ++ chacha20poly1305_dec_vectors[i].assoc,
28386 ++ chacha20poly1305_dec_vectors[i].alen,
28387 ++ get_unaligned_le64(chacha20poly1305_dec_vectors[i].nonce),
28388 ++ chacha20poly1305_dec_vectors[i].key);
28389 ++ if (!decryption_success(ret,
28390 ++ chacha20poly1305_dec_vectors[i].failure,
28391 ++ memcmp(computed_output, chacha20poly1305_dec_vectors[i].output,
28392 ++ chacha20poly1305_dec_vectors[i].ilen -
28393 ++ POLY1305_DIGEST_SIZE))) {
28394 ++ pr_err("chacha20poly1305 sg decryption self-test %zu: FAIL\n",
28395 ++ i + 1);
28396 ++ success = false;
28397 ++ }
28398 ++ }
28399 ++
28400 ++ for (i = 0; i < ARRAY_SIZE(xchacha20poly1305_enc_vectors); ++i) {
28401 ++ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28402 ++ xchacha20poly1305_encrypt(computed_output,
28403 ++ xchacha20poly1305_enc_vectors[i].input,
28404 ++ xchacha20poly1305_enc_vectors[i].ilen,
28405 ++ xchacha20poly1305_enc_vectors[i].assoc,
28406 ++ xchacha20poly1305_enc_vectors[i].alen,
28407 ++ xchacha20poly1305_enc_vectors[i].nonce,
28408 ++ xchacha20poly1305_enc_vectors[i].key);
28409 ++ if (memcmp(computed_output,
28410 ++ xchacha20poly1305_enc_vectors[i].output,
28411 ++ xchacha20poly1305_enc_vectors[i].ilen +
28412 ++ POLY1305_DIGEST_SIZE)) {
28413 ++ pr_err("xchacha20poly1305 encryption self-test %zu: FAIL\n",
28414 ++ i + 1);
28415 ++ success = false;
28416 ++ }
28417 ++ }
28418 ++
28419 ++ for (i = 0; i < ARRAY_SIZE(xchacha20poly1305_dec_vectors); ++i) {
28420 ++ memset(computed_output, 0, MAXIMUM_TEST_BUFFER_LEN);
28421 ++ ret = xchacha20poly1305_decrypt(computed_output,
28422 ++ xchacha20poly1305_dec_vectors[i].input,
28423 ++ xchacha20poly1305_dec_vectors[i].ilen,
28424 ++ xchacha20poly1305_dec_vectors[i].assoc,
28425 ++ xchacha20poly1305_dec_vectors[i].alen,
28426 ++ xchacha20poly1305_dec_vectors[i].nonce,
28427 ++ xchacha20poly1305_dec_vectors[i].key);
28428 ++ if (!decryption_success(ret,
28429 ++ xchacha20poly1305_dec_vectors[i].failure,
28430 ++ memcmp(computed_output,
28431 ++ xchacha20poly1305_dec_vectors[i].output,
28432 ++ xchacha20poly1305_dec_vectors[i].ilen -
28433 ++ POLY1305_DIGEST_SIZE))) {
28434 ++ pr_err("xchacha20poly1305 decryption self-test %zu: FAIL\n",
28435 ++ i + 1);
28436 ++ success = false;
28437 ++ }
28438 ++ }
28439 ++
28440 ++ for (total_len = POLY1305_DIGEST_SIZE; IS_ENABLED(DEBUG_CHACHA20POLY1305_SLOW_CHUNK_TEST)
28441 ++ && total_len <= 1 << 10; ++total_len) {
28442 ++ for (i = 0; i <= total_len; ++i) {
28443 ++ for (j = i; j <= total_len; ++j) {
28444 ++ k = 0;
28445 ++ sg_init_table(sg_src, 3);
28446 ++ if (i)
28447 ++ sg_set_buf(&sg_src[k++], input, i);
28448 ++ if (j - i)
28449 ++ sg_set_buf(&sg_src[k++], input + i, j - i);
28450 ++ if (total_len - j)
28451 ++ sg_set_buf(&sg_src[k++], input + j, total_len - j);
28452 ++ sg_init_marker(sg_src, k);
28453 ++ memset(computed_output, 0, total_len);
28454 ++ memset(input, 0, total_len);
28455 ++
28456 ++ if (!chacha20poly1305_encrypt_sg_inplace(sg_src,
28457 ++ total_len - POLY1305_DIGEST_SIZE, NULL, 0,
28458 ++ 0, enc_key001))
28459 ++ goto chunkfail;
28460 ++ chacha20poly1305_encrypt(computed_output,
28461 ++ computed_output,
28462 ++ total_len - POLY1305_DIGEST_SIZE, NULL, 0, 0,
28463 ++ enc_key001);
28464 ++ if (memcmp(computed_output, input, total_len))
28465 ++ goto chunkfail;
28466 ++ if (!chacha20poly1305_decrypt(computed_output,
28467 ++ input, total_len, NULL, 0, 0, enc_key001))
28468 ++ goto chunkfail;
28469 ++ for (k = 0; k < total_len - POLY1305_DIGEST_SIZE; ++k) {
28470 ++ if (computed_output[k])
28471 ++ goto chunkfail;
28472 ++ }
28473 ++ if (!chacha20poly1305_decrypt_sg_inplace(sg_src,
28474 ++ total_len, NULL, 0, 0, enc_key001))
28475 ++ goto chunkfail;
28476 ++ for (k = 0; k < total_len - POLY1305_DIGEST_SIZE; ++k) {
28477 ++ if (input[k])
28478 ++ goto chunkfail;
28479 ++ }
28480 ++ continue;
28481 ++
28482 ++ chunkfail:
28483 ++ pr_err("chacha20poly1305 chunked self-test %zu/%zu/%zu: FAIL\n",
28484 ++ total_len, i, j);
28485 ++ success = false;
28486 ++ }
28487 ++
28488 ++ }
28489 ++ }
28490 ++
28491 ++out:
28492 ++ kfree(computed_output);
28493 ++ kfree(input);
28494 ++ return success;
28495 ++}
28496 +--- b/lib/crypto/chacha20poly1305.c
28497 ++++ b/lib/crypto/chacha20poly1305.c
28498 +@@ -0,0 +1,375 @@
28499 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
28500 ++/*
28501 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
28502 ++ *
28503 ++ * This is an implementation of the ChaCha20Poly1305 AEAD construction.
28504 ++ *
28505 ++ * Information: https://tools.ietf.org/html/rfc8439
28506 ++ */
28507 ++
28508 ++#include <crypto/algapi.h>
28509 ++#include <crypto/chacha20poly1305.h>
28510 ++#include <crypto/chacha.h>
28511 ++#include <crypto/poly1305.h>
28512 ++#include <crypto/scatterwalk.h>
28513 ++
28514 ++#include <asm/unaligned.h>
28515 ++#include <linux/kernel.h>
28516 ++#include <linux/init.h>
28517 ++#include <linux/mm.h>
28518 ++#include <linux/module.h>
28519 ++
28520 ++#define CHACHA_KEY_WORDS (CHACHA_KEY_SIZE / sizeof(u32))
28521 ++
28522 ++static void chacha_load_key(u32 *k, const u8 *in)
28523 ++{
28524 ++ k[0] = get_unaligned_le32(in);
28525 ++ k[1] = get_unaligned_le32(in + 4);
28526 ++ k[2] = get_unaligned_le32(in + 8);
28527 ++ k[3] = get_unaligned_le32(in + 12);
28528 ++ k[4] = get_unaligned_le32(in + 16);
28529 ++ k[5] = get_unaligned_le32(in + 20);
28530 ++ k[6] = get_unaligned_le32(in + 24);
28531 ++ k[7] = get_unaligned_le32(in + 28);
28532 ++}
28533 ++
28534 ++static void xchacha_init(u32 *chacha_state, const u8 *key, const u8 *nonce)
28535 ++{
28536 ++ u32 k[CHACHA_KEY_WORDS];
28537 ++ u8 iv[CHACHA_IV_SIZE];
28538 ++
28539 ++ memset(iv, 0, 8);
28540 ++ memcpy(iv + 8, nonce + 16, 8);
28541 ++
28542 ++ chacha_load_key(k, key);
28543 ++
28544 ++ /* Compute the subkey given the original key and first 128 nonce bits */
28545 ++ chacha_init(chacha_state, k, nonce);
28546 ++ hchacha_block(chacha_state, k, 20);
28547 ++
28548 ++ chacha_init(chacha_state, k, iv);
28549 ++
28550 ++ memzero_explicit(k, sizeof(k));
28551 ++ memzero_explicit(iv, sizeof(iv));
28552 ++}
28553 ++
28554 ++static void
28555 ++__chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28556 ++ const u8 *ad, const size_t ad_len, u32 *chacha_state)
28557 ++{
28558 ++ const u8 *pad0 = page_address(ZERO_PAGE(0));
28559 ++ struct poly1305_desc_ctx poly1305_state;
28560 ++ union {
28561 ++ u8 block0[POLY1305_KEY_SIZE];
28562 ++ __le64 lens[2];
28563 ++ } b;
28564 ++
28565 ++ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
28566 ++ poly1305_init(&poly1305_state, b.block0);
28567 ++
28568 ++ poly1305_update(&poly1305_state, ad, ad_len);
28569 ++ if (ad_len & 0xf)
28570 ++ poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
28571 ++
28572 ++ chacha20_crypt(chacha_state, dst, src, src_len);
28573 ++
28574 ++ poly1305_update(&poly1305_state, dst, src_len);
28575 ++ if (src_len & 0xf)
28576 ++ poly1305_update(&poly1305_state, pad0, 0x10 - (src_len & 0xf));
28577 ++
28578 ++ b.lens[0] = cpu_to_le64(ad_len);
28579 ++ b.lens[1] = cpu_to_le64(src_len);
28580 ++ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28581 ++
28582 ++ poly1305_final(&poly1305_state, dst + src_len);
28583 ++
28584 ++ memzero_explicit(chacha_state, CHACHA_STATE_WORDS * sizeof(u32));
28585 ++ memzero_explicit(&b, sizeof(b));
28586 ++}
28587 ++
28588 ++void chacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28589 ++ const u8 *ad, const size_t ad_len,
28590 ++ const u64 nonce,
28591 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28592 ++{
28593 ++ u32 chacha_state[CHACHA_STATE_WORDS];
28594 ++ u32 k[CHACHA_KEY_WORDS];
28595 ++ __le64 iv[2];
28596 ++
28597 ++ chacha_load_key(k, key);
28598 ++
28599 ++ iv[0] = 0;
28600 ++ iv[1] = cpu_to_le64(nonce);
28601 ++
28602 ++ chacha_init(chacha_state, k, (u8 *)iv);
28603 ++ __chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
28604 ++
28605 ++ memzero_explicit(iv, sizeof(iv));
28606 ++ memzero_explicit(k, sizeof(k));
28607 ++}
28608 ++EXPORT_SYMBOL(chacha20poly1305_encrypt);
28609 ++
28610 ++void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
28611 ++ const u8 *ad, const size_t ad_len,
28612 ++ const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
28613 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28614 ++{
28615 ++ u32 chacha_state[CHACHA_STATE_WORDS];
28616 ++
28617 ++ xchacha_init(chacha_state, key, nonce);
28618 ++ __chacha20poly1305_encrypt(dst, src, src_len, ad, ad_len, chacha_state);
28619 ++}
28620 ++EXPORT_SYMBOL(xchacha20poly1305_encrypt);
28621 ++
28622 ++static bool
28623 ++__chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
28624 ++ const u8 *ad, const size_t ad_len, u32 *chacha_state)
28625 ++{
28626 ++ const u8 *pad0 = page_address(ZERO_PAGE(0));
28627 ++ struct poly1305_desc_ctx poly1305_state;
28628 ++ size_t dst_len;
28629 ++ int ret;
28630 ++ union {
28631 ++ u8 block0[POLY1305_KEY_SIZE];
28632 ++ u8 mac[POLY1305_DIGEST_SIZE];
28633 ++ __le64 lens[2];
28634 ++ } b;
28635 ++
28636 ++ if (unlikely(src_len < POLY1305_DIGEST_SIZE))
28637 ++ return false;
28638 ++
28639 ++ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
28640 ++ poly1305_init(&poly1305_state, b.block0);
28641 ++
28642 ++ poly1305_update(&poly1305_state, ad, ad_len);
28643 ++ if (ad_len & 0xf)
28644 ++ poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
28645 ++
28646 ++ dst_len = src_len - POLY1305_DIGEST_SIZE;
28647 ++ poly1305_update(&poly1305_state, src, dst_len);
28648 ++ if (dst_len & 0xf)
28649 ++ poly1305_update(&poly1305_state, pad0, 0x10 - (dst_len & 0xf));
28650 ++
28651 ++ b.lens[0] = cpu_to_le64(ad_len);
28652 ++ b.lens[1] = cpu_to_le64(dst_len);
28653 ++ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28654 ++
28655 ++ poly1305_final(&poly1305_state, b.mac);
28656 ++
28657 ++ ret = crypto_memneq(b.mac, src + dst_len, POLY1305_DIGEST_SIZE);
28658 ++ if (likely(!ret))
28659 ++ chacha20_crypt(chacha_state, dst, src, dst_len);
28660 ++
28661 ++ memzero_explicit(&b, sizeof(b));
28662 ++
28663 ++ return !ret;
28664 ++}
28665 ++
28666 ++bool chacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
28667 ++ const u8 *ad, const size_t ad_len,
28668 ++ const u64 nonce,
28669 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28670 ++{
28671 ++ u32 chacha_state[CHACHA_STATE_WORDS];
28672 ++ u32 k[CHACHA_KEY_WORDS];
28673 ++ __le64 iv[2];
28674 ++ bool ret;
28675 ++
28676 ++ chacha_load_key(k, key);
28677 ++
28678 ++ iv[0] = 0;
28679 ++ iv[1] = cpu_to_le64(nonce);
28680 ++
28681 ++ chacha_init(chacha_state, k, (u8 *)iv);
28682 ++ ret = __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
28683 ++ chacha_state);
28684 ++
28685 ++ memzero_explicit(chacha_state, sizeof(chacha_state));
28686 ++ memzero_explicit(iv, sizeof(iv));
28687 ++ memzero_explicit(k, sizeof(k));
28688 ++ return ret;
28689 ++}
28690 ++EXPORT_SYMBOL(chacha20poly1305_decrypt);
28691 ++
28692 ++bool xchacha20poly1305_decrypt(u8 *dst, const u8 *src, const size_t src_len,
28693 ++ const u8 *ad, const size_t ad_len,
28694 ++ const u8 nonce[XCHACHA20POLY1305_NONCE_SIZE],
28695 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28696 ++{
28697 ++ u32 chacha_state[CHACHA_STATE_WORDS];
28698 ++
28699 ++ xchacha_init(chacha_state, key, nonce);
28700 ++ return __chacha20poly1305_decrypt(dst, src, src_len, ad, ad_len,
28701 ++ chacha_state);
28702 ++}
28703 ++EXPORT_SYMBOL(xchacha20poly1305_decrypt);
28704 ++
28705 ++static
28706 ++bool chacha20poly1305_crypt_sg_inplace(struct scatterlist *src,
28707 ++ const size_t src_len,
28708 ++ const u8 *ad, const size_t ad_len,
28709 ++ const u64 nonce,
28710 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE],
28711 ++ int encrypt)
28712 ++{
28713 ++ const u8 *pad0 = page_address(ZERO_PAGE(0));
28714 ++ struct poly1305_desc_ctx poly1305_state;
28715 ++ u32 chacha_state[CHACHA_STATE_WORDS];
28716 ++ struct sg_mapping_iter miter;
28717 ++ size_t partial = 0;
28718 ++ unsigned int flags;
28719 ++ bool ret = true;
28720 ++ int sl;
28721 ++ union {
28722 ++ struct {
28723 ++ u32 k[CHACHA_KEY_WORDS];
28724 ++ __le64 iv[2];
28725 ++ };
28726 ++ u8 block0[POLY1305_KEY_SIZE];
28727 ++ u8 chacha_stream[CHACHA_BLOCK_SIZE];
28728 ++ struct {
28729 ++ u8 mac[2][POLY1305_DIGEST_SIZE];
28730 ++ };
28731 ++ __le64 lens[2];
28732 ++ } b __aligned(16);
28733 ++
28734 ++ if (WARN_ON(src_len > INT_MAX))
28735 ++ return false;
28736 ++
28737 ++ chacha_load_key(b.k, key);
28738 ++
28739 ++ b.iv[0] = 0;
28740 ++ b.iv[1] = cpu_to_le64(nonce);
28741 ++
28742 ++ chacha_init(chacha_state, b.k, (u8 *)b.iv);
28743 ++ chacha20_crypt(chacha_state, b.block0, pad0, sizeof(b.block0));
28744 ++ poly1305_init(&poly1305_state, b.block0);
28745 ++
28746 ++ if (unlikely(ad_len)) {
28747 ++ poly1305_update(&poly1305_state, ad, ad_len);
28748 ++ if (ad_len & 0xf)
28749 ++ poly1305_update(&poly1305_state, pad0, 0x10 - (ad_len & 0xf));
28750 ++ }
28751 ++
28752 ++ flags = SG_MITER_TO_SG;
28753 ++ if (!preemptible())
28754 ++ flags |= SG_MITER_ATOMIC;
28755 ++
28756 ++ sg_miter_start(&miter, src, sg_nents(src), flags);
28757 ++
28758 ++ for (sl = src_len; sl > 0 && sg_miter_next(&miter); sl -= miter.length) {
28759 ++ u8 *addr = miter.addr;
28760 ++ size_t length = min_t(size_t, sl, miter.length);
28761 ++
28762 ++ if (!encrypt)
28763 ++ poly1305_update(&poly1305_state, addr, length);
28764 ++
28765 ++ if (unlikely(partial)) {
28766 ++ size_t l = min(length, CHACHA_BLOCK_SIZE - partial);
28767 ++
28768 ++ crypto_xor(addr, b.chacha_stream + partial, l);
28769 ++ partial = (partial + l) & (CHACHA_BLOCK_SIZE - 1);
28770 ++
28771 ++ addr += l;
28772 ++ length -= l;
28773 ++ }
28774 ++
28775 ++ if (likely(length >= CHACHA_BLOCK_SIZE || length == sl)) {
28776 ++ size_t l = length;
28777 ++
28778 ++ if (unlikely(length < sl))
28779 ++ l &= ~(CHACHA_BLOCK_SIZE - 1);
28780 ++ chacha20_crypt(chacha_state, addr, addr, l);
28781 ++ addr += l;
28782 ++ length -= l;
28783 ++ }
28784 ++
28785 ++ if (unlikely(length > 0)) {
28786 ++ chacha20_crypt(chacha_state, b.chacha_stream, pad0,
28787 ++ CHACHA_BLOCK_SIZE);
28788 ++ crypto_xor(addr, b.chacha_stream, length);
28789 ++ partial = length;
28790 ++ }
28791 ++
28792 ++ if (encrypt)
28793 ++ poly1305_update(&poly1305_state, miter.addr,
28794 ++ min_t(size_t, sl, miter.length));
28795 ++ }
28796 ++
28797 ++ if (src_len & 0xf)
28798 ++ poly1305_update(&poly1305_state, pad0, 0x10 - (src_len & 0xf));
28799 ++
28800 ++ b.lens[0] = cpu_to_le64(ad_len);
28801 ++ b.lens[1] = cpu_to_le64(src_len);
28802 ++ poly1305_update(&poly1305_state, (u8 *)b.lens, sizeof(b.lens));
28803 ++
28804 ++ if (likely(sl <= -POLY1305_DIGEST_SIZE)) {
28805 ++ if (encrypt) {
28806 ++ poly1305_final(&poly1305_state,
28807 ++ miter.addr + miter.length + sl);
28808 ++ ret = true;
28809 ++ } else {
28810 ++ poly1305_final(&poly1305_state, b.mac[0]);
28811 ++ ret = !crypto_memneq(b.mac[0],
28812 ++ miter.addr + miter.length + sl,
28813 ++ POLY1305_DIGEST_SIZE);
28814 ++ }
28815 ++ }
28816 ++
28817 ++ sg_miter_stop(&miter);
28818 ++
28819 ++ if (unlikely(sl > -POLY1305_DIGEST_SIZE)) {
28820 ++ poly1305_final(&poly1305_state, b.mac[1]);
28821 ++ scatterwalk_map_and_copy(b.mac[encrypt], src, src_len,
28822 ++ sizeof(b.mac[1]), encrypt);
28823 ++ ret = encrypt ||
28824 ++ !crypto_memneq(b.mac[0], b.mac[1], POLY1305_DIGEST_SIZE);
28825 ++ }
28826 ++
28827 ++ memzero_explicit(chacha_state, sizeof(chacha_state));
28828 ++ memzero_explicit(&b, sizeof(b));
28829 ++
28830 ++ return ret;
28831 ++}
28832 ++
28833 ++bool chacha20poly1305_encrypt_sg_inplace(struct scatterlist *src, size_t src_len,
28834 ++ const u8 *ad, const size_t ad_len,
28835 ++ const u64 nonce,
28836 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28837 ++{
28838 ++ return chacha20poly1305_crypt_sg_inplace(src, src_len, ad, ad_len,
28839 ++ nonce, key, 1);
28840 ++}
28841 ++EXPORT_SYMBOL(chacha20poly1305_encrypt_sg_inplace);
28842 ++
28843 ++bool chacha20poly1305_decrypt_sg_inplace(struct scatterlist *src, size_t src_len,
28844 ++ const u8 *ad, const size_t ad_len,
28845 ++ const u64 nonce,
28846 ++ const u8 key[CHACHA20POLY1305_KEY_SIZE])
28847 ++{
28848 ++ if (unlikely(src_len < POLY1305_DIGEST_SIZE))
28849 ++ return false;
28850 ++
28851 ++ return chacha20poly1305_crypt_sg_inplace(src,
28852 ++ src_len - POLY1305_DIGEST_SIZE,
28853 ++ ad, ad_len, nonce, key, 0);
28854 ++}
28855 ++EXPORT_SYMBOL(chacha20poly1305_decrypt_sg_inplace);
28856 ++
28857 ++static int __init mod_init(void)
28858 ++{
28859 ++ if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) &&
28860 ++ WARN_ON(!chacha20poly1305_selftest()))
28861 ++ return -ENODEV;
28862 ++ return 0;
28863 ++}
28864 ++
28865 ++static void __exit mod_exit(void)
28866 ++{
28867 ++}
28868 ++
28869 ++module_init(mod_init);
28870 ++module_exit(mod_exit);
28871 ++MODULE_LICENSE("GPL v2");
28872 ++MODULE_DESCRIPTION("ChaCha20Poly1305 AEAD construction");
28873 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
28874 +--- /dev/null
28875 ++++ b/lib/crypto/curve25519-selftest.c
28876 +@@ -0,0 +1,1321 @@
28877 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
28878 ++/*
28879 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
28880 ++ */
28881 ++
28882 ++#include <crypto/curve25519.h>
28883 ++
28884 ++struct curve25519_test_vector {
28885 ++ u8 private[CURVE25519_KEY_SIZE];
28886 ++ u8 public[CURVE25519_KEY_SIZE];
28887 ++ u8 result[CURVE25519_KEY_SIZE];
28888 ++ bool valid;
28889 ++};
28890 ++static const struct curve25519_test_vector curve25519_test_vectors[] __initconst = {
28891 ++ {
28892 ++ .private = { 0x77, 0x07, 0x6d, 0x0a, 0x73, 0x18, 0xa5, 0x7d,
28893 ++ 0x3c, 0x16, 0xc1, 0x72, 0x51, 0xb2, 0x66, 0x45,
28894 ++ 0xdf, 0x4c, 0x2f, 0x87, 0xeb, 0xc0, 0x99, 0x2a,
28895 ++ 0xb1, 0x77, 0xfb, 0xa5, 0x1d, 0xb9, 0x2c, 0x2a },
28896 ++ .public = { 0xde, 0x9e, 0xdb, 0x7d, 0x7b, 0x7d, 0xc1, 0xb4,
28897 ++ 0xd3, 0x5b, 0x61, 0xc2, 0xec, 0xe4, 0x35, 0x37,
28898 ++ 0x3f, 0x83, 0x43, 0xc8, 0x5b, 0x78, 0x67, 0x4d,
28899 ++ 0xad, 0xfc, 0x7e, 0x14, 0x6f, 0x88, 0x2b, 0x4f },
28900 ++ .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
28901 ++ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
28902 ++ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
28903 ++ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
28904 ++ .valid = true
28905 ++ },
28906 ++ {
28907 ++ .private = { 0x5d, 0xab, 0x08, 0x7e, 0x62, 0x4a, 0x8a, 0x4b,
28908 ++ 0x79, 0xe1, 0x7f, 0x8b, 0x83, 0x80, 0x0e, 0xe6,
28909 ++ 0x6f, 0x3b, 0xb1, 0x29, 0x26, 0x18, 0xb6, 0xfd,
28910 ++ 0x1c, 0x2f, 0x8b, 0x27, 0xff, 0x88, 0xe0, 0xeb },
28911 ++ .public = { 0x85, 0x20, 0xf0, 0x09, 0x89, 0x30, 0xa7, 0x54,
28912 ++ 0x74, 0x8b, 0x7d, 0xdc, 0xb4, 0x3e, 0xf7, 0x5a,
28913 ++ 0x0d, 0xbf, 0x3a, 0x0d, 0x26, 0x38, 0x1a, 0xf4,
28914 ++ 0xeb, 0xa4, 0xa9, 0x8e, 0xaa, 0x9b, 0x4e, 0x6a },
28915 ++ .result = { 0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d, 0xe1,
28916 ++ 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35, 0x0f, 0x25,
28917 ++ 0xe0, 0x7e, 0x21, 0xc9, 0x47, 0xd1, 0x9e, 0x33,
28918 ++ 0x76, 0xf0, 0x9b, 0x3c, 0x1e, 0x16, 0x17, 0x42 },
28919 ++ .valid = true
28920 ++ },
28921 ++ {
28922 ++ .private = { 1 },
28923 ++ .public = { 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28924 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28925 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28926 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
28927 ++ .result = { 0x3c, 0x77, 0x77, 0xca, 0xf9, 0x97, 0xb2, 0x64,
28928 ++ 0x41, 0x60, 0x77, 0x66, 0x5b, 0x4e, 0x22, 0x9d,
28929 ++ 0x0b, 0x95, 0x48, 0xdc, 0x0c, 0xd8, 0x19, 0x98,
28930 ++ 0xdd, 0xcd, 0xc5, 0xc8, 0x53, 0x3c, 0x79, 0x7f },
28931 ++ .valid = true
28932 ++ },
28933 ++ {
28934 ++ .private = { 1 },
28935 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28936 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28937 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28938 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
28939 ++ .result = { 0xb3, 0x2d, 0x13, 0x62, 0xc2, 0x48, 0xd6, 0x2f,
28940 ++ 0xe6, 0x26, 0x19, 0xcf, 0xf0, 0x4d, 0xd4, 0x3d,
28941 ++ 0xb7, 0x3f, 0xfc, 0x1b, 0x63, 0x08, 0xed, 0xe3,
28942 ++ 0x0b, 0x78, 0xd8, 0x73, 0x80, 0xf1, 0xe8, 0x34 },
28943 ++ .valid = true
28944 ++ },
28945 ++ {
28946 ++ .private = { 0xa5, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
28947 ++ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
28948 ++ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
28949 ++ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0xc4 },
28950 ++ .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
28951 ++ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
28952 ++ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
28953 ++ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
28954 ++ .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
28955 ++ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
28956 ++ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
28957 ++ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
28958 ++ .valid = true
28959 ++ },
28960 ++ {
28961 ++ .private = { 1, 2, 3, 4 },
28962 ++ .public = { 0 },
28963 ++ .result = { 0 },
28964 ++ .valid = false
28965 ++ },
28966 ++ {
28967 ++ .private = { 2, 4, 6, 8 },
28968 ++ .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
28969 ++ 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
28970 ++ 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
28971 ++ 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8 },
28972 ++ .result = { 0 },
28973 ++ .valid = false
28974 ++ },
28975 ++ {
28976 ++ .private = { 0xff, 0xff, 0xff, 0xff, 0x0a, 0xff, 0xff, 0xff,
28977 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28978 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28979 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
28980 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28981 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28982 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
28983 ++ 0xff, 0xff, 0xff, 0xff, 0x0a, 0x00, 0xfb, 0x9f },
28984 ++ .result = { 0x77, 0x52, 0xb6, 0x18, 0xc1, 0x2d, 0x48, 0xd2,
28985 ++ 0xc6, 0x93, 0x46, 0x83, 0x81, 0x7c, 0xc6, 0x57,
28986 ++ 0xf3, 0x31, 0x03, 0x19, 0x49, 0x48, 0x20, 0x05,
28987 ++ 0x42, 0x2b, 0x4e, 0xae, 0x8d, 0x1d, 0x43, 0x23 },
28988 ++ .valid = true
28989 ++ },
28990 ++ {
28991 ++ .private = { 0x8e, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28992 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28993 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28994 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
28995 ++ .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28996 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28997 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
28998 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8e, 0x06 },
28999 ++ .result = { 0x5a, 0xdf, 0xaa, 0x25, 0x86, 0x8e, 0x32, 0x3d,
29000 ++ 0xae, 0x49, 0x62, 0xc1, 0x01, 0x5c, 0xb3, 0x12,
29001 ++ 0xe1, 0xc5, 0xc7, 0x9e, 0x95, 0x3f, 0x03, 0x99,
29002 ++ 0xb0, 0xba, 0x16, 0x22, 0xf3, 0xb6, 0xf7, 0x0c },
29003 ++ .valid = true
29004 ++ },
29005 ++ /* wycheproof - normal case */
29006 ++ {
29007 ++ .private = { 0x48, 0x52, 0x83, 0x4d, 0x9d, 0x6b, 0x77, 0xda,
29008 ++ 0xde, 0xab, 0xaa, 0xf2, 0xe1, 0x1d, 0xca, 0x66,
29009 ++ 0xd1, 0x9f, 0xe7, 0x49, 0x93, 0xa7, 0xbe, 0xc3,
29010 ++ 0x6c, 0x6e, 0x16, 0xa0, 0x98, 0x3f, 0xea, 0xba },
29011 ++ .public = { 0x9c, 0x64, 0x7d, 0x9a, 0xe5, 0x89, 0xb9, 0xf5,
29012 ++ 0x8f, 0xdc, 0x3c, 0xa4, 0x94, 0x7e, 0xfb, 0xc9,
29013 ++ 0x15, 0xc4, 0xb2, 0xe0, 0x8e, 0x74, 0x4a, 0x0e,
29014 ++ 0xdf, 0x46, 0x9d, 0xac, 0x59, 0xc8, 0xf8, 0x5a },
29015 ++ .result = { 0x87, 0xb7, 0xf2, 0x12, 0xb6, 0x27, 0xf7, 0xa5,
29016 ++ 0x4c, 0xa5, 0xe0, 0xbc, 0xda, 0xdd, 0xd5, 0x38,
29017 ++ 0x9d, 0x9d, 0xe6, 0x15, 0x6c, 0xdb, 0xcf, 0x8e,
29018 ++ 0xbe, 0x14, 0xff, 0xbc, 0xfb, 0x43, 0x65, 0x51 },
29019 ++ .valid = true
29020 ++ },
29021 ++ /* wycheproof - public key on twist */
29022 ++ {
29023 ++ .private = { 0x58, 0x8c, 0x06, 0x1a, 0x50, 0x80, 0x4a, 0xc4,
29024 ++ 0x88, 0xad, 0x77, 0x4a, 0xc7, 0x16, 0xc3, 0xf5,
29025 ++ 0xba, 0x71, 0x4b, 0x27, 0x12, 0xe0, 0x48, 0x49,
29026 ++ 0x13, 0x79, 0xa5, 0x00, 0x21, 0x19, 0x98, 0xa8 },
29027 ++ .public = { 0x63, 0xaa, 0x40, 0xc6, 0xe3, 0x83, 0x46, 0xc5,
29028 ++ 0xca, 0xf2, 0x3a, 0x6d, 0xf0, 0xa5, 0xe6, 0xc8,
29029 ++ 0x08, 0x89, 0xa0, 0x86, 0x47, 0xe5, 0x51, 0xb3,
29030 ++ 0x56, 0x34, 0x49, 0xbe, 0xfc, 0xfc, 0x97, 0x33 },
29031 ++ .result = { 0xb1, 0xa7, 0x07, 0x51, 0x94, 0x95, 0xff, 0xff,
29032 ++ 0xb2, 0x98, 0xff, 0x94, 0x17, 0x16, 0xb0, 0x6d,
29033 ++ 0xfa, 0xb8, 0x7c, 0xf8, 0xd9, 0x11, 0x23, 0xfe,
29034 ++ 0x2b, 0xe9, 0xa2, 0x33, 0xdd, 0xa2, 0x22, 0x12 },
29035 ++ .valid = true
29036 ++ },
29037 ++ /* wycheproof - public key on twist */
29038 ++ {
29039 ++ .private = { 0xb0, 0x5b, 0xfd, 0x32, 0xe5, 0x53, 0x25, 0xd9,
29040 ++ 0xfd, 0x64, 0x8c, 0xb3, 0x02, 0x84, 0x80, 0x39,
29041 ++ 0x00, 0x0b, 0x39, 0x0e, 0x44, 0xd5, 0x21, 0xe5,
29042 ++ 0x8a, 0xab, 0x3b, 0x29, 0xa6, 0x96, 0x0b, 0xa8 },
29043 ++ .public = { 0x0f, 0x83, 0xc3, 0x6f, 0xde, 0xd9, 0xd3, 0x2f,
29044 ++ 0xad, 0xf4, 0xef, 0xa3, 0xae, 0x93, 0xa9, 0x0b,
29045 ++ 0xb5, 0xcf, 0xa6, 0x68, 0x93, 0xbc, 0x41, 0x2c,
29046 ++ 0x43, 0xfa, 0x72, 0x87, 0xdb, 0xb9, 0x97, 0x79 },
29047 ++ .result = { 0x67, 0xdd, 0x4a, 0x6e, 0x16, 0x55, 0x33, 0x53,
29048 ++ 0x4c, 0x0e, 0x3f, 0x17, 0x2e, 0x4a, 0xb8, 0x57,
29049 ++ 0x6b, 0xca, 0x92, 0x3a, 0x5f, 0x07, 0xb2, 0xc0,
29050 ++ 0x69, 0xb4, 0xc3, 0x10, 0xff, 0x2e, 0x93, 0x5b },
29051 ++ .valid = true
29052 ++ },
29053 ++ /* wycheproof - public key on twist */
29054 ++ {
29055 ++ .private = { 0x70, 0xe3, 0x4b, 0xcb, 0xe1, 0xf4, 0x7f, 0xbc,
29056 ++ 0x0f, 0xdd, 0xfd, 0x7c, 0x1e, 0x1a, 0xa5, 0x3d,
29057 ++ 0x57, 0xbf, 0xe0, 0xf6, 0x6d, 0x24, 0x30, 0x67,
29058 ++ 0xb4, 0x24, 0xbb, 0x62, 0x10, 0xbe, 0xd1, 0x9c },
29059 ++ .public = { 0x0b, 0x82, 0x11, 0xa2, 0xb6, 0x04, 0x90, 0x97,
29060 ++ 0xf6, 0x87, 0x1c, 0x6c, 0x05, 0x2d, 0x3c, 0x5f,
29061 ++ 0xc1, 0xba, 0x17, 0xda, 0x9e, 0x32, 0xae, 0x45,
29062 ++ 0x84, 0x03, 0xb0, 0x5b, 0xb2, 0x83, 0x09, 0x2a },
29063 ++ .result = { 0x4a, 0x06, 0x38, 0xcf, 0xaa, 0x9e, 0xf1, 0x93,
29064 ++ 0x3b, 0x47, 0xf8, 0x93, 0x92, 0x96, 0xa6, 0xb2,
29065 ++ 0x5b, 0xe5, 0x41, 0xef, 0x7f, 0x70, 0xe8, 0x44,
29066 ++ 0xc0, 0xbc, 0xc0, 0x0b, 0x13, 0x4d, 0xe6, 0x4a },
29067 ++ .valid = true
29068 ++ },
29069 ++ /* wycheproof - public key on twist */
29070 ++ {
29071 ++ .private = { 0x68, 0xc1, 0xf3, 0xa6, 0x53, 0xa4, 0xcd, 0xb1,
29072 ++ 0xd3, 0x7b, 0xba, 0x94, 0x73, 0x8f, 0x8b, 0x95,
29073 ++ 0x7a, 0x57, 0xbe, 0xb2, 0x4d, 0x64, 0x6e, 0x99,
29074 ++ 0x4d, 0xc2, 0x9a, 0x27, 0x6a, 0xad, 0x45, 0x8d },
29075 ++ .public = { 0x34, 0x3a, 0xc2, 0x0a, 0x3b, 0x9c, 0x6a, 0x27,
29076 ++ 0xb1, 0x00, 0x81, 0x76, 0x50, 0x9a, 0xd3, 0x07,
29077 ++ 0x35, 0x85, 0x6e, 0xc1, 0xc8, 0xd8, 0xfc, 0xae,
29078 ++ 0x13, 0x91, 0x2d, 0x08, 0xd1, 0x52, 0xf4, 0x6c },
29079 ++ .result = { 0x39, 0x94, 0x91, 0xfc, 0xe8, 0xdf, 0xab, 0x73,
29080 ++ 0xb4, 0xf9, 0xf6, 0x11, 0xde, 0x8e, 0xa0, 0xb2,
29081 ++ 0x7b, 0x28, 0xf8, 0x59, 0x94, 0x25, 0x0b, 0x0f,
29082 ++ 0x47, 0x5d, 0x58, 0x5d, 0x04, 0x2a, 0xc2, 0x07 },
29083 ++ .valid = true
29084 ++ },
29085 ++ /* wycheproof - public key on twist */
29086 ++ {
29087 ++ .private = { 0xd8, 0x77, 0xb2, 0x6d, 0x06, 0xdf, 0xf9, 0xd9,
29088 ++ 0xf7, 0xfd, 0x4c, 0x5b, 0x37, 0x69, 0xf8, 0xcd,
29089 ++ 0xd5, 0xb3, 0x05, 0x16, 0xa5, 0xab, 0x80, 0x6b,
29090 ++ 0xe3, 0x24, 0xff, 0x3e, 0xb6, 0x9e, 0xa0, 0xb2 },
29091 ++ .public = { 0xfa, 0x69, 0x5f, 0xc7, 0xbe, 0x8d, 0x1b, 0xe5,
29092 ++ 0xbf, 0x70, 0x48, 0x98, 0xf3, 0x88, 0xc4, 0x52,
29093 ++ 0xba, 0xfd, 0xd3, 0xb8, 0xea, 0xe8, 0x05, 0xf8,
29094 ++ 0x68, 0x1a, 0x8d, 0x15, 0xc2, 0xd4, 0xe1, 0x42 },
29095 ++ .result = { 0x2c, 0x4f, 0xe1, 0x1d, 0x49, 0x0a, 0x53, 0x86,
29096 ++ 0x17, 0x76, 0xb1, 0x3b, 0x43, 0x54, 0xab, 0xd4,
29097 ++ 0xcf, 0x5a, 0x97, 0x69, 0x9d, 0xb6, 0xe6, 0xc6,
29098 ++ 0x8c, 0x16, 0x26, 0xd0, 0x76, 0x62, 0xf7, 0x58 },
29099 ++ .valid = true
29100 ++ },
29101 ++ /* wycheproof - public key = 0 */
29102 ++ {
29103 ++ .private = { 0x20, 0x74, 0x94, 0x03, 0x8f, 0x2b, 0xb8, 0x11,
29104 ++ 0xd4, 0x78, 0x05, 0xbc, 0xdf, 0x04, 0xa2, 0xac,
29105 ++ 0x58, 0x5a, 0xda, 0x7f, 0x2f, 0x23, 0x38, 0x9b,
29106 ++ 0xfd, 0x46, 0x58, 0xf9, 0xdd, 0xd4, 0xde, 0xbc },
29107 ++ .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29108 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29109 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29110 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29111 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29112 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29113 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29114 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29115 ++ .valid = false
29116 ++ },
29117 ++ /* wycheproof - public key = 1 */
29118 ++ {
29119 ++ .private = { 0x20, 0x2e, 0x89, 0x72, 0xb6, 0x1c, 0x7e, 0x61,
29120 ++ 0x93, 0x0e, 0xb9, 0x45, 0x0b, 0x50, 0x70, 0xea,
29121 ++ 0xe1, 0xc6, 0x70, 0x47, 0x56, 0x85, 0x54, 0x1f,
29122 ++ 0x04, 0x76, 0x21, 0x7e, 0x48, 0x18, 0xcf, 0xab },
29123 ++ .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29124 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29125 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29126 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29127 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29128 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29129 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29130 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29131 ++ .valid = false
29132 ++ },
29133 ++ /* wycheproof - edge case on twist */
29134 ++ {
29135 ++ .private = { 0x38, 0xdd, 0xe9, 0xf3, 0xe7, 0xb7, 0x99, 0x04,
29136 ++ 0x5f, 0x9a, 0xc3, 0x79, 0x3d, 0x4a, 0x92, 0x77,
29137 ++ 0xda, 0xde, 0xad, 0xc4, 0x1b, 0xec, 0x02, 0x90,
29138 ++ 0xf8, 0x1f, 0x74, 0x4f, 0x73, 0x77, 0x5f, 0x84 },
29139 ++ .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29140 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29141 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29142 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29143 ++ .result = { 0x9a, 0x2c, 0xfe, 0x84, 0xff, 0x9c, 0x4a, 0x97,
29144 ++ 0x39, 0x62, 0x5c, 0xae, 0x4a, 0x3b, 0x82, 0xa9,
29145 ++ 0x06, 0x87, 0x7a, 0x44, 0x19, 0x46, 0xf8, 0xd7,
29146 ++ 0xb3, 0xd7, 0x95, 0xfe, 0x8f, 0x5d, 0x16, 0x39 },
29147 ++ .valid = true
29148 ++ },
29149 ++ /* wycheproof - edge case on twist */
29150 ++ {
29151 ++ .private = { 0x98, 0x57, 0xa9, 0x14, 0xe3, 0xc2, 0x90, 0x36,
29152 ++ 0xfd, 0x9a, 0x44, 0x2b, 0xa5, 0x26, 0xb5, 0xcd,
29153 ++ 0xcd, 0xf2, 0x82, 0x16, 0x15, 0x3e, 0x63, 0x6c,
29154 ++ 0x10, 0x67, 0x7a, 0xca, 0xb6, 0xbd, 0x6a, 0xa5 },
29155 ++ .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29156 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29157 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29158 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29159 ++ .result = { 0x4d, 0xa4, 0xe0, 0xaa, 0x07, 0x2c, 0x23, 0x2e,
29160 ++ 0xe2, 0xf0, 0xfa, 0x4e, 0x51, 0x9a, 0xe5, 0x0b,
29161 ++ 0x52, 0xc1, 0xed, 0xd0, 0x8a, 0x53, 0x4d, 0x4e,
29162 ++ 0xf3, 0x46, 0xc2, 0xe1, 0x06, 0xd2, 0x1d, 0x60 },
29163 ++ .valid = true
29164 ++ },
29165 ++ /* wycheproof - edge case on twist */
29166 ++ {
29167 ++ .private = { 0x48, 0xe2, 0x13, 0x0d, 0x72, 0x33, 0x05, 0xed,
29168 ++ 0x05, 0xe6, 0xe5, 0x89, 0x4d, 0x39, 0x8a, 0x5e,
29169 ++ 0x33, 0x36, 0x7a, 0x8c, 0x6a, 0xac, 0x8f, 0xcd,
29170 ++ 0xf0, 0xa8, 0x8e, 0x4b, 0x42, 0x82, 0x0d, 0xb7 },
29171 ++ .public = { 0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0xf8, 0xff,
29172 ++ 0xff, 0x1f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff,
29173 ++ 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0x07, 0x00,
29174 ++ 0x00, 0xf0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00 },
29175 ++ .result = { 0x9e, 0xd1, 0x0c, 0x53, 0x74, 0x7f, 0x64, 0x7f,
29176 ++ 0x82, 0xf4, 0x51, 0x25, 0xd3, 0xde, 0x15, 0xa1,
29177 ++ 0xe6, 0xb8, 0x24, 0x49, 0x6a, 0xb4, 0x04, 0x10,
29178 ++ 0xff, 0xcc, 0x3c, 0xfe, 0x95, 0x76, 0x0f, 0x3b },
29179 ++ .valid = true
29180 ++ },
29181 ++ /* wycheproof - edge case on twist */
29182 ++ {
29183 ++ .private = { 0x28, 0xf4, 0x10, 0x11, 0x69, 0x18, 0x51, 0xb3,
29184 ++ 0xa6, 0x2b, 0x64, 0x15, 0x53, 0xb3, 0x0d, 0x0d,
29185 ++ 0xfd, 0xdc, 0xb8, 0xff, 0xfc, 0xf5, 0x37, 0x00,
29186 ++ 0xa7, 0xbe, 0x2f, 0x6a, 0x87, 0x2e, 0x9f, 0xb0 },
29187 ++ .public = { 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0x07, 0x00,
29188 ++ 0x00, 0xe0, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00,
29189 ++ 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0xf8, 0xff,
29190 ++ 0xff, 0x0f, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x7f },
29191 ++ .result = { 0xcf, 0x72, 0xb4, 0xaa, 0x6a, 0xa1, 0xc9, 0xf8,
29192 ++ 0x94, 0xf4, 0x16, 0x5b, 0x86, 0x10, 0x9a, 0xa4,
29193 ++ 0x68, 0x51, 0x76, 0x48, 0xe1, 0xf0, 0xcc, 0x70,
29194 ++ 0xe1, 0xab, 0x08, 0x46, 0x01, 0x76, 0x50, 0x6b },
29195 ++ .valid = true
29196 ++ },
29197 ++ /* wycheproof - edge case on twist */
29198 ++ {
29199 ++ .private = { 0x18, 0xa9, 0x3b, 0x64, 0x99, 0xb9, 0xf6, 0xb3,
29200 ++ 0x22, 0x5c, 0xa0, 0x2f, 0xef, 0x41, 0x0e, 0x0a,
29201 ++ 0xde, 0xc2, 0x35, 0x32, 0x32, 0x1d, 0x2d, 0x8e,
29202 ++ 0xf1, 0xa6, 0xd6, 0x02, 0xa8, 0xc6, 0x5b, 0x83 },
29203 ++ .public = { 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
29204 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
29205 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
29206 ++ 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f },
29207 ++ .result = { 0x5d, 0x50, 0xb6, 0x28, 0x36, 0xbb, 0x69, 0x57,
29208 ++ 0x94, 0x10, 0x38, 0x6c, 0xf7, 0xbb, 0x81, 0x1c,
29209 ++ 0x14, 0xbf, 0x85, 0xb1, 0xc7, 0xb1, 0x7e, 0x59,
29210 ++ 0x24, 0xc7, 0xff, 0xea, 0x91, 0xef, 0x9e, 0x12 },
29211 ++ .valid = true
29212 ++ },
29213 ++ /* wycheproof - edge case on twist */
29214 ++ {
29215 ++ .private = { 0xc0, 0x1d, 0x13, 0x05, 0xa1, 0x33, 0x8a, 0x1f,
29216 ++ 0xca, 0xc2, 0xba, 0x7e, 0x2e, 0x03, 0x2b, 0x42,
29217 ++ 0x7e, 0x0b, 0x04, 0x90, 0x31, 0x65, 0xac, 0xa9,
29218 ++ 0x57, 0xd8, 0xd0, 0x55, 0x3d, 0x87, 0x17, 0xb0 },
29219 ++ .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29220 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29221 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29222 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29223 ++ .result = { 0x19, 0x23, 0x0e, 0xb1, 0x48, 0xd5, 0xd6, 0x7c,
29224 ++ 0x3c, 0x22, 0xab, 0x1d, 0xae, 0xff, 0x80, 0xa5,
29225 ++ 0x7e, 0xae, 0x42, 0x65, 0xce, 0x28, 0x72, 0x65,
29226 ++ 0x7b, 0x2c, 0x80, 0x99, 0xfc, 0x69, 0x8e, 0x50 },
29227 ++ .valid = true
29228 ++ },
29229 ++ /* wycheproof - edge case for public key */
29230 ++ {
29231 ++ .private = { 0x38, 0x6f, 0x7f, 0x16, 0xc5, 0x07, 0x31, 0xd6,
29232 ++ 0x4f, 0x82, 0xe6, 0xa1, 0x70, 0xb1, 0x42, 0xa4,
29233 ++ 0xe3, 0x4f, 0x31, 0xfd, 0x77, 0x68, 0xfc, 0xb8,
29234 ++ 0x90, 0x29, 0x25, 0xe7, 0xd1, 0xe2, 0x1a, 0xbe },
29235 ++ .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29236 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29237 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29238 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29239 ++ .result = { 0x0f, 0xca, 0xb5, 0xd8, 0x42, 0xa0, 0x78, 0xd7,
29240 ++ 0xa7, 0x1f, 0xc5, 0x9b, 0x57, 0xbf, 0xb4, 0xca,
29241 ++ 0x0b, 0xe6, 0x87, 0x3b, 0x49, 0xdc, 0xdb, 0x9f,
29242 ++ 0x44, 0xe1, 0x4a, 0xe8, 0xfb, 0xdf, 0xa5, 0x42 },
29243 ++ .valid = true
29244 ++ },
29245 ++ /* wycheproof - edge case for public key */
29246 ++ {
29247 ++ .private = { 0xe0, 0x23, 0xa2, 0x89, 0xbd, 0x5e, 0x90, 0xfa,
29248 ++ 0x28, 0x04, 0xdd, 0xc0, 0x19, 0xa0, 0x5e, 0xf3,
29249 ++ 0xe7, 0x9d, 0x43, 0x4b, 0xb6, 0xea, 0x2f, 0x52,
29250 ++ 0x2e, 0xcb, 0x64, 0x3a, 0x75, 0x29, 0x6e, 0x95 },
29251 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
29252 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
29253 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
29254 ++ 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 },
29255 ++ .result = { 0x54, 0xce, 0x8f, 0x22, 0x75, 0xc0, 0x77, 0xe3,
29256 ++ 0xb1, 0x30, 0x6a, 0x39, 0x39, 0xc5, 0xe0, 0x3e,
29257 ++ 0xef, 0x6b, 0xbb, 0x88, 0x06, 0x05, 0x44, 0x75,
29258 ++ 0x8d, 0x9f, 0xef, 0x59, 0xb0, 0xbc, 0x3e, 0x4f },
29259 ++ .valid = true
29260 ++ },
29261 ++ /* wycheproof - edge case for public key */
29262 ++ {
29263 ++ .private = { 0x68, 0xf0, 0x10, 0xd6, 0x2e, 0xe8, 0xd9, 0x26,
29264 ++ 0x05, 0x3a, 0x36, 0x1c, 0x3a, 0x75, 0xc6, 0xea,
29265 ++ 0x4e, 0xbd, 0xc8, 0x60, 0x6a, 0xb2, 0x85, 0x00,
29266 ++ 0x3a, 0x6f, 0x8f, 0x40, 0x76, 0xb0, 0x1e, 0x83 },
29267 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29268 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29269 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29270 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
29271 ++ .result = { 0xf1, 0x36, 0x77, 0x5c, 0x5b, 0xeb, 0x0a, 0xf8,
29272 ++ 0x11, 0x0a, 0xf1, 0x0b, 0x20, 0x37, 0x23, 0x32,
29273 ++ 0x04, 0x3c, 0xab, 0x75, 0x24, 0x19, 0x67, 0x87,
29274 ++ 0x75, 0xa2, 0x23, 0xdf, 0x57, 0xc9, 0xd3, 0x0d },
29275 ++ .valid = true
29276 ++ },
29277 ++ /* wycheproof - edge case for public key */
29278 ++ {
29279 ++ .private = { 0x58, 0xeb, 0xcb, 0x35, 0xb0, 0xf8, 0x84, 0x5c,
29280 ++ 0xaf, 0x1e, 0xc6, 0x30, 0xf9, 0x65, 0x76, 0xb6,
29281 ++ 0x2c, 0x4b, 0x7b, 0x6c, 0x36, 0xb2, 0x9d, 0xeb,
29282 ++ 0x2c, 0xb0, 0x08, 0x46, 0x51, 0x75, 0x5c, 0x96 },
29283 ++ .public = { 0xff, 0xff, 0xff, 0xfb, 0xff, 0xff, 0xfb, 0xff,
29284 ++ 0xff, 0xdf, 0xff, 0xff, 0xdf, 0xff, 0xff, 0xff,
29285 ++ 0xfe, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xf7, 0xff,
29286 ++ 0xff, 0xf7, 0xff, 0xff, 0xbf, 0xff, 0xff, 0x3f },
29287 ++ .result = { 0xbf, 0x9a, 0xff, 0xd0, 0x6b, 0x84, 0x40, 0x85,
29288 ++ 0x58, 0x64, 0x60, 0x96, 0x2e, 0xf2, 0x14, 0x6f,
29289 ++ 0xf3, 0xd4, 0x53, 0x3d, 0x94, 0x44, 0xaa, 0xb0,
29290 ++ 0x06, 0xeb, 0x88, 0xcc, 0x30, 0x54, 0x40, 0x7d },
29291 ++ .valid = true
29292 ++ },
29293 ++ /* wycheproof - edge case for public key */
29294 ++ {
29295 ++ .private = { 0x18, 0x8c, 0x4b, 0xc5, 0xb9, 0xc4, 0x4b, 0x38,
29296 ++ 0xbb, 0x65, 0x8b, 0x9b, 0x2a, 0xe8, 0x2d, 0x5b,
29297 ++ 0x01, 0x01, 0x5e, 0x09, 0x31, 0x84, 0xb1, 0x7c,
29298 ++ 0xb7, 0x86, 0x35, 0x03, 0xa7, 0x83, 0xe1, 0xbb },
29299 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29300 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29301 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29302 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29303 ++ .result = { 0xd4, 0x80, 0xde, 0x04, 0xf6, 0x99, 0xcb, 0x3b,
29304 ++ 0xe0, 0x68, 0x4a, 0x9c, 0xc2, 0xe3, 0x12, 0x81,
29305 ++ 0xea, 0x0b, 0xc5, 0xa9, 0xdc, 0xc1, 0x57, 0xd3,
29306 ++ 0xd2, 0x01, 0x58, 0xd4, 0x6c, 0xa5, 0x24, 0x6d },
29307 ++ .valid = true
29308 ++ },
29309 ++ /* wycheproof - edge case for public key */
29310 ++ {
29311 ++ .private = { 0xe0, 0x6c, 0x11, 0xbb, 0x2e, 0x13, 0xce, 0x3d,
29312 ++ 0xc7, 0x67, 0x3f, 0x67, 0xf5, 0x48, 0x22, 0x42,
29313 ++ 0x90, 0x94, 0x23, 0xa9, 0xae, 0x95, 0xee, 0x98,
29314 ++ 0x6a, 0x98, 0x8d, 0x98, 0xfa, 0xee, 0x23, 0xa2 },
29315 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
29316 ++ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
29317 ++ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f,
29318 ++ 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0x7f },
29319 ++ .result = { 0x4c, 0x44, 0x01, 0xcc, 0xe6, 0xb5, 0x1e, 0x4c,
29320 ++ 0xb1, 0x8f, 0x27, 0x90, 0x24, 0x6c, 0x9b, 0xf9,
29321 ++ 0x14, 0xdb, 0x66, 0x77, 0x50, 0xa1, 0xcb, 0x89,
29322 ++ 0x06, 0x90, 0x92, 0xaf, 0x07, 0x29, 0x22, 0x76 },
29323 ++ .valid = true
29324 ++ },
29325 ++ /* wycheproof - edge case for public key */
29326 ++ {
29327 ++ .private = { 0xc0, 0x65, 0x8c, 0x46, 0xdd, 0xe1, 0x81, 0x29,
29328 ++ 0x29, 0x38, 0x77, 0x53, 0x5b, 0x11, 0x62, 0xb6,
29329 ++ 0xf9, 0xf5, 0x41, 0x4a, 0x23, 0xcf, 0x4d, 0x2c,
29330 ++ 0xbc, 0x14, 0x0a, 0x4d, 0x99, 0xda, 0x2b, 0x8f },
29331 ++ .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29332 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29333 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29334 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29335 ++ .result = { 0x57, 0x8b, 0xa8, 0xcc, 0x2d, 0xbd, 0xc5, 0x75,
29336 ++ 0xaf, 0xcf, 0x9d, 0xf2, 0xb3, 0xee, 0x61, 0x89,
29337 ++ 0xf5, 0x33, 0x7d, 0x68, 0x54, 0xc7, 0x9b, 0x4c,
29338 ++ 0xe1, 0x65, 0xea, 0x12, 0x29, 0x3b, 0x3a, 0x0f },
29339 ++ .valid = true
29340 ++ },
29341 ++ /* wycheproof - public key with low order */
29342 ++ {
29343 ++ .private = { 0x10, 0x25, 0x5c, 0x92, 0x30, 0xa9, 0x7a, 0x30,
29344 ++ 0xa4, 0x58, 0xca, 0x28, 0x4a, 0x62, 0x96, 0x69,
29345 ++ 0x29, 0x3a, 0x31, 0x89, 0x0c, 0xda, 0x9d, 0x14,
29346 ++ 0x7f, 0xeb, 0xc7, 0xd1, 0xe2, 0x2d, 0x6b, 0xb1 },
29347 ++ .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
29348 ++ 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
29349 ++ 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
29350 ++ 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
29351 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29352 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29353 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29354 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29355 ++ .valid = false
29356 ++ },
29357 ++ /* wycheproof - public key with low order */
29358 ++ {
29359 ++ .private = { 0x78, 0xf1, 0xe8, 0xed, 0xf1, 0x44, 0x81, 0xb3,
29360 ++ 0x89, 0x44, 0x8d, 0xac, 0x8f, 0x59, 0xc7, 0x0b,
29361 ++ 0x03, 0x8e, 0x7c, 0xf9, 0x2e, 0xf2, 0xc7, 0xef,
29362 ++ 0xf5, 0x7a, 0x72, 0x46, 0x6e, 0x11, 0x52, 0x96 },
29363 ++ .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24,
29364 ++ 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
29365 ++ 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86,
29366 ++ 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
29367 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29368 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29369 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29370 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29371 ++ .valid = false
29372 ++ },
29373 ++ /* wycheproof - public key with low order */
29374 ++ {
29375 ++ .private = { 0xa0, 0xa0, 0x5a, 0x3e, 0x8f, 0x9f, 0x44, 0x20,
29376 ++ 0x4d, 0x5f, 0x80, 0x59, 0xa9, 0x4a, 0xc7, 0xdf,
29377 ++ 0xc3, 0x9a, 0x49, 0xac, 0x01, 0x6d, 0xd7, 0x43,
29378 ++ 0xdb, 0xfa, 0x43, 0xc5, 0xd6, 0x71, 0xfd, 0x88 },
29379 ++ .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29380 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29381 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29382 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29383 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29384 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29385 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29386 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29387 ++ .valid = false
29388 ++ },
29389 ++ /* wycheproof - public key with low order */
29390 ++ {
29391 ++ .private = { 0xd0, 0xdb, 0xb3, 0xed, 0x19, 0x06, 0x66, 0x3f,
29392 ++ 0x15, 0x42, 0x0a, 0xf3, 0x1f, 0x4e, 0xaf, 0x65,
29393 ++ 0x09, 0xd9, 0xa9, 0x94, 0x97, 0x23, 0x50, 0x06,
29394 ++ 0x05, 0xad, 0x7c, 0x1c, 0x6e, 0x74, 0x50, 0xa9 },
29395 ++ .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29396 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29397 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29398 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29399 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29400 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29401 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29402 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29403 ++ .valid = false
29404 ++ },
29405 ++ /* wycheproof - public key with low order */
29406 ++ {
29407 ++ .private = { 0xc0, 0xb1, 0xd0, 0xeb, 0x22, 0xb2, 0x44, 0xfe,
29408 ++ 0x32, 0x91, 0x14, 0x00, 0x72, 0xcd, 0xd9, 0xd9,
29409 ++ 0x89, 0xb5, 0xf0, 0xec, 0xd9, 0x6c, 0x10, 0x0f,
29410 ++ 0xeb, 0x5b, 0xca, 0x24, 0x1c, 0x1d, 0x9f, 0x8f },
29411 ++ .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29412 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29413 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29414 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29415 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29416 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29417 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29418 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29419 ++ .valid = false
29420 ++ },
29421 ++ /* wycheproof - public key with low order */
29422 ++ {
29423 ++ .private = { 0x48, 0x0b, 0xf4, 0x5f, 0x59, 0x49, 0x42, 0xa8,
29424 ++ 0xbc, 0x0f, 0x33, 0x53, 0xc6, 0xe8, 0xb8, 0x85,
29425 ++ 0x3d, 0x77, 0xf3, 0x51, 0xf1, 0xc2, 0xca, 0x6c,
29426 ++ 0x2d, 0x1a, 0xbf, 0x8a, 0x00, 0xb4, 0x22, 0x9c },
29427 ++ .public = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29428 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29429 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29430 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29431 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29432 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29433 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29434 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29435 ++ .valid = false
29436 ++ },
29437 ++ /* wycheproof - public key with low order */
29438 ++ {
29439 ++ .private = { 0x30, 0xf9, 0x93, 0xfc, 0xf8, 0x51, 0x4f, 0xc8,
29440 ++ 0x9b, 0xd8, 0xdb, 0x14, 0xcd, 0x43, 0xba, 0x0d,
29441 ++ 0x4b, 0x25, 0x30, 0xe7, 0x3c, 0x42, 0x76, 0xa0,
29442 ++ 0x5e, 0x1b, 0x14, 0x5d, 0x42, 0x0c, 0xed, 0xb4 },
29443 ++ .public = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29444 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29445 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29446 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29447 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29448 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29449 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29450 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29451 ++ .valid = false
29452 ++ },
29453 ++ /* wycheproof - public key with low order */
29454 ++ {
29455 ++ .private = { 0xc0, 0x49, 0x74, 0xb7, 0x58, 0x38, 0x0e, 0x2a,
29456 ++ 0x5b, 0x5d, 0xf6, 0xeb, 0x09, 0xbb, 0x2f, 0x6b,
29457 ++ 0x34, 0x34, 0xf9, 0x82, 0x72, 0x2a, 0x8e, 0x67,
29458 ++ 0x6d, 0x3d, 0xa2, 0x51, 0xd1, 0xb3, 0xde, 0x83 },
29459 ++ .public = { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
29460 ++ 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
29461 ++ 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
29462 ++ 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
29463 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29464 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29465 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29466 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29467 ++ .valid = false
29468 ++ },
29469 ++ /* wycheproof - public key with low order */
29470 ++ {
29471 ++ .private = { 0x50, 0x2a, 0x31, 0x37, 0x3d, 0xb3, 0x24, 0x46,
29472 ++ 0x84, 0x2f, 0xe5, 0xad, 0xd3, 0xe0, 0x24, 0x02,
29473 ++ 0x2e, 0xa5, 0x4f, 0x27, 0x41, 0x82, 0xaf, 0xc3,
29474 ++ 0xd9, 0xf1, 0xbb, 0x3d, 0x39, 0x53, 0x4e, 0xb5 },
29475 ++ .public = { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24,
29476 ++ 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
29477 ++ 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86,
29478 ++ 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
29479 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29480 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29481 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29482 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29483 ++ .valid = false
29484 ++ },
29485 ++ /* wycheproof - public key with low order */
29486 ++ {
29487 ++ .private = { 0x90, 0xfa, 0x64, 0x17, 0xb0, 0xe3, 0x70, 0x30,
29488 ++ 0xfd, 0x6e, 0x43, 0xef, 0xf2, 0xab, 0xae, 0xf1,
29489 ++ 0x4c, 0x67, 0x93, 0x11, 0x7a, 0x03, 0x9c, 0xf6,
29490 ++ 0x21, 0x31, 0x8b, 0xa9, 0x0f, 0x4e, 0x98, 0xbe },
29491 ++ .public = { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29492 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29493 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29494 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29495 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29496 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29497 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29498 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29499 ++ .valid = false
29500 ++ },
29501 ++ /* wycheproof - public key with low order */
29502 ++ {
29503 ++ .private = { 0x78, 0xad, 0x3f, 0x26, 0x02, 0x7f, 0x1c, 0x9f,
29504 ++ 0xdd, 0x97, 0x5a, 0x16, 0x13, 0xb9, 0x47, 0x77,
29505 ++ 0x9b, 0xad, 0x2c, 0xf2, 0xb7, 0x41, 0xad, 0xe0,
29506 ++ 0x18, 0x40, 0x88, 0x5a, 0x30, 0xbb, 0x97, 0x9c },
29507 ++ .public = { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29508 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29509 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29510 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29511 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29512 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29513 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29514 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29515 ++ .valid = false
29516 ++ },
29517 ++ /* wycheproof - public key with low order */
29518 ++ {
29519 ++ .private = { 0x98, 0xe2, 0x3d, 0xe7, 0xb1, 0xe0, 0x92, 0x6e,
29520 ++ 0xd9, 0xc8, 0x7e, 0x7b, 0x14, 0xba, 0xf5, 0x5f,
29521 ++ 0x49, 0x7a, 0x1d, 0x70, 0x96, 0xf9, 0x39, 0x77,
29522 ++ 0x68, 0x0e, 0x44, 0xdc, 0x1c, 0x7b, 0x7b, 0x8b },
29523 ++ .public = { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29524 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29525 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29526 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29527 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29528 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29529 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29530 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29531 ++ .valid = false
29532 ++ },
29533 ++ /* wycheproof - public key >= p */
29534 ++ {
29535 ++ .private = { 0xf0, 0x1e, 0x48, 0xda, 0xfa, 0xc9, 0xd7, 0xbc,
29536 ++ 0xf5, 0x89, 0xcb, 0xc3, 0x82, 0xc8, 0x78, 0xd1,
29537 ++ 0x8b, 0xda, 0x35, 0x50, 0x58, 0x9f, 0xfb, 0x5d,
29538 ++ 0x50, 0xb5, 0x23, 0xbe, 0xbe, 0x32, 0x9d, 0xae },
29539 ++ .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29540 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29541 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29542 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29543 ++ .result = { 0xbd, 0x36, 0xa0, 0x79, 0x0e, 0xb8, 0x83, 0x09,
29544 ++ 0x8c, 0x98, 0x8b, 0x21, 0x78, 0x67, 0x73, 0xde,
29545 ++ 0x0b, 0x3a, 0x4d, 0xf1, 0x62, 0x28, 0x2c, 0xf1,
29546 ++ 0x10, 0xde, 0x18, 0xdd, 0x48, 0x4c, 0xe7, 0x4b },
29547 ++ .valid = true
29548 ++ },
29549 ++ /* wycheproof - public key >= p */
29550 ++ {
29551 ++ .private = { 0x28, 0x87, 0x96, 0xbc, 0x5a, 0xff, 0x4b, 0x81,
29552 ++ 0xa3, 0x75, 0x01, 0x75, 0x7b, 0xc0, 0x75, 0x3a,
29553 ++ 0x3c, 0x21, 0x96, 0x47, 0x90, 0xd3, 0x86, 0x99,
29554 ++ 0x30, 0x8d, 0xeb, 0xc1, 0x7a, 0x6e, 0xaf, 0x8d },
29555 ++ .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29556 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29557 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29558 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29559 ++ .result = { 0xb4, 0xe0, 0xdd, 0x76, 0xda, 0x7b, 0x07, 0x17,
29560 ++ 0x28, 0xb6, 0x1f, 0x85, 0x67, 0x71, 0xaa, 0x35,
29561 ++ 0x6e, 0x57, 0xed, 0xa7, 0x8a, 0x5b, 0x16, 0x55,
29562 ++ 0xcc, 0x38, 0x20, 0xfb, 0x5f, 0x85, 0x4c, 0x5c },
29563 ++ .valid = true
29564 ++ },
29565 ++ /* wycheproof - public key >= p */
29566 ++ {
29567 ++ .private = { 0x98, 0xdf, 0x84, 0x5f, 0x66, 0x51, 0xbf, 0x11,
29568 ++ 0x38, 0x22, 0x1f, 0x11, 0x90, 0x41, 0xf7, 0x2b,
29569 ++ 0x6d, 0xbc, 0x3c, 0x4a, 0xce, 0x71, 0x43, 0xd9,
29570 ++ 0x9f, 0xd5, 0x5a, 0xd8, 0x67, 0x48, 0x0d, 0xa8 },
29571 ++ .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29572 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29573 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29574 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29575 ++ .result = { 0x6f, 0xdf, 0x6c, 0x37, 0x61, 0x1d, 0xbd, 0x53,
29576 ++ 0x04, 0xdc, 0x0f, 0x2e, 0xb7, 0xc9, 0x51, 0x7e,
29577 ++ 0xb3, 0xc5, 0x0e, 0x12, 0xfd, 0x05, 0x0a, 0xc6,
29578 ++ 0xde, 0xc2, 0x70, 0x71, 0xd4, 0xbf, 0xc0, 0x34 },
29579 ++ .valid = true
29580 ++ },
29581 ++ /* wycheproof - public key >= p */
29582 ++ {
29583 ++ .private = { 0xf0, 0x94, 0x98, 0xe4, 0x6f, 0x02, 0xf8, 0x78,
29584 ++ 0x82, 0x9e, 0x78, 0xb8, 0x03, 0xd3, 0x16, 0xa2,
29585 ++ 0xed, 0x69, 0x5d, 0x04, 0x98, 0xa0, 0x8a, 0xbd,
29586 ++ 0xf8, 0x27, 0x69, 0x30, 0xe2, 0x4e, 0xdc, 0xb0 },
29587 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29588 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29589 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29590 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29591 ++ .result = { 0x4c, 0x8f, 0xc4, 0xb1, 0xc6, 0xab, 0x88, 0xfb,
29592 ++ 0x21, 0xf1, 0x8f, 0x6d, 0x4c, 0x81, 0x02, 0x40,
29593 ++ 0xd4, 0xe9, 0x46, 0x51, 0xba, 0x44, 0xf7, 0xa2,
29594 ++ 0xc8, 0x63, 0xce, 0xc7, 0xdc, 0x56, 0x60, 0x2d },
29595 ++ .valid = true
29596 ++ },
29597 ++ /* wycheproof - public key >= p */
29598 ++ {
29599 ++ .private = { 0x18, 0x13, 0xc1, 0x0a, 0x5c, 0x7f, 0x21, 0xf9,
29600 ++ 0x6e, 0x17, 0xf2, 0x88, 0xc0, 0xcc, 0x37, 0x60,
29601 ++ 0x7c, 0x04, 0xc5, 0xf5, 0xae, 0xa2, 0xdb, 0x13,
29602 ++ 0x4f, 0x9e, 0x2f, 0xfc, 0x66, 0xbd, 0x9d, 0xb8 },
29603 ++ .public = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29604 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29605 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29606 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29607 ++ .result = { 0x1c, 0xd0, 0xb2, 0x82, 0x67, 0xdc, 0x54, 0x1c,
29608 ++ 0x64, 0x2d, 0x6d, 0x7d, 0xca, 0x44, 0xa8, 0xb3,
29609 ++ 0x8a, 0x63, 0x73, 0x6e, 0xef, 0x5c, 0x4e, 0x65,
29610 ++ 0x01, 0xff, 0xbb, 0xb1, 0x78, 0x0c, 0x03, 0x3c },
29611 ++ .valid = true
29612 ++ },
29613 ++ /* wycheproof - public key >= p */
29614 ++ {
29615 ++ .private = { 0x78, 0x57, 0xfb, 0x80, 0x86, 0x53, 0x64, 0x5a,
29616 ++ 0x0b, 0xeb, 0x13, 0x8a, 0x64, 0xf5, 0xf4, 0xd7,
29617 ++ 0x33, 0xa4, 0x5e, 0xa8, 0x4c, 0x3c, 0xda, 0x11,
29618 ++ 0xa9, 0xc0, 0x6f, 0x7e, 0x71, 0x39, 0x14, 0x9e },
29619 ++ .public = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29620 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29621 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29622 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29623 ++ .result = { 0x87, 0x55, 0xbe, 0x01, 0xc6, 0x0a, 0x7e, 0x82,
29624 ++ 0x5c, 0xff, 0x3e, 0x0e, 0x78, 0xcb, 0x3a, 0xa4,
29625 ++ 0x33, 0x38, 0x61, 0x51, 0x6a, 0xa5, 0x9b, 0x1c,
29626 ++ 0x51, 0xa8, 0xb2, 0xa5, 0x43, 0xdf, 0xa8, 0x22 },
29627 ++ .valid = true
29628 ++ },
29629 ++ /* wycheproof - public key >= p */
29630 ++ {
29631 ++ .private = { 0xe0, 0x3a, 0xa8, 0x42, 0xe2, 0xab, 0xc5, 0x6e,
29632 ++ 0x81, 0xe8, 0x7b, 0x8b, 0x9f, 0x41, 0x7b, 0x2a,
29633 ++ 0x1e, 0x59, 0x13, 0xc7, 0x23, 0xee, 0xd2, 0x8d,
29634 ++ 0x75, 0x2f, 0x8d, 0x47, 0xa5, 0x9f, 0x49, 0x8f },
29635 ++ .public = { 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29636 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29637 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29638 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80 },
29639 ++ .result = { 0x54, 0xc9, 0xa1, 0xed, 0x95, 0xe5, 0x46, 0xd2,
29640 ++ 0x78, 0x22, 0xa3, 0x60, 0x93, 0x1d, 0xda, 0x60,
29641 ++ 0xa1, 0xdf, 0x04, 0x9d, 0xa6, 0xf9, 0x04, 0x25,
29642 ++ 0x3c, 0x06, 0x12, 0xbb, 0xdc, 0x08, 0x74, 0x76 },
29643 ++ .valid = true
29644 ++ },
29645 ++ /* wycheproof - public key >= p */
29646 ++ {
29647 ++ .private = { 0xf8, 0xf7, 0x07, 0xb7, 0x99, 0x9b, 0x18, 0xcb,
29648 ++ 0x0d, 0x6b, 0x96, 0x12, 0x4f, 0x20, 0x45, 0x97,
29649 ++ 0x2c, 0xa2, 0x74, 0xbf, 0xc1, 0x54, 0xad, 0x0c,
29650 ++ 0x87, 0x03, 0x8c, 0x24, 0xc6, 0xd0, 0xd4, 0xb2 },
29651 ++ .public = { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29652 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29653 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29654 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29655 ++ .result = { 0xcc, 0x1f, 0x40, 0xd7, 0x43, 0xcd, 0xc2, 0x23,
29656 ++ 0x0e, 0x10, 0x43, 0xda, 0xba, 0x8b, 0x75, 0xe8,
29657 ++ 0x10, 0xf1, 0xfb, 0xab, 0x7f, 0x25, 0x52, 0x69,
29658 ++ 0xbd, 0x9e, 0xbb, 0x29, 0xe6, 0xbf, 0x49, 0x4f },
29659 ++ .valid = true
29660 ++ },
29661 ++ /* wycheproof - public key >= p */
29662 ++ {
29663 ++ .private = { 0xa0, 0x34, 0xf6, 0x84, 0xfa, 0x63, 0x1e, 0x1a,
29664 ++ 0x34, 0x81, 0x18, 0xc1, 0xce, 0x4c, 0x98, 0x23,
29665 ++ 0x1f, 0x2d, 0x9e, 0xec, 0x9b, 0xa5, 0x36, 0x5b,
29666 ++ 0x4a, 0x05, 0xd6, 0x9a, 0x78, 0x5b, 0x07, 0x96 },
29667 ++ .public = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29668 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29669 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29670 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29671 ++ .result = { 0x54, 0x99, 0x8e, 0xe4, 0x3a, 0x5b, 0x00, 0x7b,
29672 ++ 0xf4, 0x99, 0xf0, 0x78, 0xe7, 0x36, 0x52, 0x44,
29673 ++ 0x00, 0xa8, 0xb5, 0xc7, 0xe9, 0xb9, 0xb4, 0x37,
29674 ++ 0x71, 0x74, 0x8c, 0x7c, 0xdf, 0x88, 0x04, 0x12 },
29675 ++ .valid = true
29676 ++ },
29677 ++ /* wycheproof - public key >= p */
29678 ++ {
29679 ++ .private = { 0x30, 0xb6, 0xc6, 0xa0, 0xf2, 0xff, 0xa6, 0x80,
29680 ++ 0x76, 0x8f, 0x99, 0x2b, 0xa8, 0x9e, 0x15, 0x2d,
29681 ++ 0x5b, 0xc9, 0x89, 0x3d, 0x38, 0xc9, 0x11, 0x9b,
29682 ++ 0xe4, 0xf7, 0x67, 0xbf, 0xab, 0x6e, 0x0c, 0xa5 },
29683 ++ .public = { 0xdc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29684 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29685 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29686 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29687 ++ .result = { 0xea, 0xd9, 0xb3, 0x8e, 0xfd, 0xd7, 0x23, 0x63,
29688 ++ 0x79, 0x34, 0xe5, 0x5a, 0xb7, 0x17, 0xa7, 0xae,
29689 ++ 0x09, 0xeb, 0x86, 0xa2, 0x1d, 0xc3, 0x6a, 0x3f,
29690 ++ 0xee, 0xb8, 0x8b, 0x75, 0x9e, 0x39, 0x1e, 0x09 },
29691 ++ .valid = true
29692 ++ },
29693 ++ /* wycheproof - public key >= p */
29694 ++ {
29695 ++ .private = { 0x90, 0x1b, 0x9d, 0xcf, 0x88, 0x1e, 0x01, 0xe0,
29696 ++ 0x27, 0x57, 0x50, 0x35, 0xd4, 0x0b, 0x43, 0xbd,
29697 ++ 0xc1, 0xc5, 0x24, 0x2e, 0x03, 0x08, 0x47, 0x49,
29698 ++ 0x5b, 0x0c, 0x72, 0x86, 0x46, 0x9b, 0x65, 0x91 },
29699 ++ .public = { 0xea, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29700 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29701 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29702 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29703 ++ .result = { 0x60, 0x2f, 0xf4, 0x07, 0x89, 0xb5, 0x4b, 0x41,
29704 ++ 0x80, 0x59, 0x15, 0xfe, 0x2a, 0x62, 0x21, 0xf0,
29705 ++ 0x7a, 0x50, 0xff, 0xc2, 0xc3, 0xfc, 0x94, 0xcf,
29706 ++ 0x61, 0xf1, 0x3d, 0x79, 0x04, 0xe8, 0x8e, 0x0e },
29707 ++ .valid = true
29708 ++ },
29709 ++ /* wycheproof - public key >= p */
29710 ++ {
29711 ++ .private = { 0x80, 0x46, 0x67, 0x7c, 0x28, 0xfd, 0x82, 0xc9,
29712 ++ 0xa1, 0xbd, 0xb7, 0x1a, 0x1a, 0x1a, 0x34, 0xfa,
29713 ++ 0xba, 0x12, 0x25, 0xe2, 0x50, 0x7f, 0xe3, 0xf5,
29714 ++ 0x4d, 0x10, 0xbd, 0x5b, 0x0d, 0x86, 0x5f, 0x8e },
29715 ++ .public = { 0xeb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29716 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29717 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29718 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29719 ++ .result = { 0xe0, 0x0a, 0xe8, 0xb1, 0x43, 0x47, 0x12, 0x47,
29720 ++ 0xba, 0x24, 0xf1, 0x2c, 0x88, 0x55, 0x36, 0xc3,
29721 ++ 0xcb, 0x98, 0x1b, 0x58, 0xe1, 0xe5, 0x6b, 0x2b,
29722 ++ 0xaf, 0x35, 0xc1, 0x2a, 0xe1, 0xf7, 0x9c, 0x26 },
29723 ++ .valid = true
29724 ++ },
29725 ++ /* wycheproof - public key >= p */
29726 ++ {
29727 ++ .private = { 0x60, 0x2f, 0x7e, 0x2f, 0x68, 0xa8, 0x46, 0xb8,
29728 ++ 0x2c, 0xc2, 0x69, 0xb1, 0xd4, 0x8e, 0x93, 0x98,
29729 ++ 0x86, 0xae, 0x54, 0xfd, 0x63, 0x6c, 0x1f, 0xe0,
29730 ++ 0x74, 0xd7, 0x10, 0x12, 0x7d, 0x47, 0x24, 0x91 },
29731 ++ .public = { 0xef, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29732 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29733 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29734 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29735 ++ .result = { 0x98, 0xcb, 0x9b, 0x50, 0xdd, 0x3f, 0xc2, 0xb0,
29736 ++ 0xd4, 0xf2, 0xd2, 0xbf, 0x7c, 0x5c, 0xfd, 0xd1,
29737 ++ 0x0c, 0x8f, 0xcd, 0x31, 0xfc, 0x40, 0xaf, 0x1a,
29738 ++ 0xd4, 0x4f, 0x47, 0xc1, 0x31, 0x37, 0x63, 0x62 },
29739 ++ .valid = true
29740 ++ },
29741 ++ /* wycheproof - public key >= p */
29742 ++ {
29743 ++ .private = { 0x60, 0x88, 0x7b, 0x3d, 0xc7, 0x24, 0x43, 0x02,
29744 ++ 0x6e, 0xbe, 0xdb, 0xbb, 0xb7, 0x06, 0x65, 0xf4,
29745 ++ 0x2b, 0x87, 0xad, 0xd1, 0x44, 0x0e, 0x77, 0x68,
29746 ++ 0xfb, 0xd7, 0xe8, 0xe2, 0xce, 0x5f, 0x63, 0x9d },
29747 ++ .public = { 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29748 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29749 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29750 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29751 ++ .result = { 0x38, 0xd6, 0x30, 0x4c, 0x4a, 0x7e, 0x6d, 0x9f,
29752 ++ 0x79, 0x59, 0x33, 0x4f, 0xb5, 0x24, 0x5b, 0xd2,
29753 ++ 0xc7, 0x54, 0x52, 0x5d, 0x4c, 0x91, 0xdb, 0x95,
29754 ++ 0x02, 0x06, 0x92, 0x62, 0x34, 0xc1, 0xf6, 0x33 },
29755 ++ .valid = true
29756 ++ },
29757 ++ /* wycheproof - public key >= p */
29758 ++ {
29759 ++ .private = { 0x78, 0xd3, 0x1d, 0xfa, 0x85, 0x44, 0x97, 0xd7,
29760 ++ 0x2d, 0x8d, 0xef, 0x8a, 0x1b, 0x7f, 0xb0, 0x06,
29761 ++ 0xce, 0xc2, 0xd8, 0xc4, 0x92, 0x46, 0x47, 0xc9,
29762 ++ 0x38, 0x14, 0xae, 0x56, 0xfa, 0xed, 0xa4, 0x95 },
29763 ++ .public = { 0xf1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29764 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29765 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29766 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29767 ++ .result = { 0x78, 0x6c, 0xd5, 0x49, 0x96, 0xf0, 0x14, 0xa5,
29768 ++ 0xa0, 0x31, 0xec, 0x14, 0xdb, 0x81, 0x2e, 0xd0,
29769 ++ 0x83, 0x55, 0x06, 0x1f, 0xdb, 0x5d, 0xe6, 0x80,
29770 ++ 0xa8, 0x00, 0xac, 0x52, 0x1f, 0x31, 0x8e, 0x23 },
29771 ++ .valid = true
29772 ++ },
29773 ++ /* wycheproof - public key >= p */
29774 ++ {
29775 ++ .private = { 0xc0, 0x4c, 0x5b, 0xae, 0xfa, 0x83, 0x02, 0xdd,
29776 ++ 0xde, 0xd6, 0xa4, 0xbb, 0x95, 0x77, 0x61, 0xb4,
29777 ++ 0xeb, 0x97, 0xae, 0xfa, 0x4f, 0xc3, 0xb8, 0x04,
29778 ++ 0x30, 0x85, 0xf9, 0x6a, 0x56, 0x59, 0xb3, 0xa5 },
29779 ++ .public = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29780 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29781 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29782 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
29783 ++ .result = { 0x29, 0xae, 0x8b, 0xc7, 0x3e, 0x9b, 0x10, 0xa0,
29784 ++ 0x8b, 0x4f, 0x68, 0x1c, 0x43, 0xc3, 0xe0, 0xac,
29785 ++ 0x1a, 0x17, 0x1d, 0x31, 0xb3, 0x8f, 0x1a, 0x48,
29786 ++ 0xef, 0xba, 0x29, 0xae, 0x63, 0x9e, 0xa1, 0x34 },
29787 ++ .valid = true
29788 ++ },
29789 ++ /* wycheproof - RFC 7748 */
29790 ++ {
29791 ++ .private = { 0xa0, 0x46, 0xe3, 0x6b, 0xf0, 0x52, 0x7c, 0x9d,
29792 ++ 0x3b, 0x16, 0x15, 0x4b, 0x82, 0x46, 0x5e, 0xdd,
29793 ++ 0x62, 0x14, 0x4c, 0x0a, 0xc1, 0xfc, 0x5a, 0x18,
29794 ++ 0x50, 0x6a, 0x22, 0x44, 0xba, 0x44, 0x9a, 0x44 },
29795 ++ .public = { 0xe6, 0xdb, 0x68, 0x67, 0x58, 0x30, 0x30, 0xdb,
29796 ++ 0x35, 0x94, 0xc1, 0xa4, 0x24, 0xb1, 0x5f, 0x7c,
29797 ++ 0x72, 0x66, 0x24, 0xec, 0x26, 0xb3, 0x35, 0x3b,
29798 ++ 0x10, 0xa9, 0x03, 0xa6, 0xd0, 0xab, 0x1c, 0x4c },
29799 ++ .result = { 0xc3, 0xda, 0x55, 0x37, 0x9d, 0xe9, 0xc6, 0x90,
29800 ++ 0x8e, 0x94, 0xea, 0x4d, 0xf2, 0x8d, 0x08, 0x4f,
29801 ++ 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c, 0x71, 0xf7,
29802 ++ 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52 },
29803 ++ .valid = true
29804 ++ },
29805 ++ /* wycheproof - RFC 7748 */
29806 ++ {
29807 ++ .private = { 0x48, 0x66, 0xe9, 0xd4, 0xd1, 0xb4, 0x67, 0x3c,
29808 ++ 0x5a, 0xd2, 0x26, 0x91, 0x95, 0x7d, 0x6a, 0xf5,
29809 ++ 0xc1, 0x1b, 0x64, 0x21, 0xe0, 0xea, 0x01, 0xd4,
29810 ++ 0x2c, 0xa4, 0x16, 0x9e, 0x79, 0x18, 0xba, 0x4d },
29811 ++ .public = { 0xe5, 0x21, 0x0f, 0x12, 0x78, 0x68, 0x11, 0xd3,
29812 ++ 0xf4, 0xb7, 0x95, 0x9d, 0x05, 0x38, 0xae, 0x2c,
29813 ++ 0x31, 0xdb, 0xe7, 0x10, 0x6f, 0xc0, 0x3c, 0x3e,
29814 ++ 0xfc, 0x4c, 0xd5, 0x49, 0xc7, 0x15, 0xa4, 0x13 },
29815 ++ .result = { 0x95, 0xcb, 0xde, 0x94, 0x76, 0xe8, 0x90, 0x7d,
29816 ++ 0x7a, 0xad, 0xe4, 0x5c, 0xb4, 0xb8, 0x73, 0xf8,
29817 ++ 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f, 0xa1, 0x52,
29818 ++ 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57 },
29819 ++ .valid = true
29820 ++ },
29821 ++ /* wycheproof - edge case for shared secret */
29822 ++ {
29823 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29824 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29825 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29826 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29827 ++ .public = { 0x0a, 0xb4, 0xe7, 0x63, 0x80, 0xd8, 0x4d, 0xde,
29828 ++ 0x4f, 0x68, 0x33, 0xc5, 0x8f, 0x2a, 0x9f, 0xb8,
29829 ++ 0xf8, 0x3b, 0xb0, 0x16, 0x9b, 0x17, 0x2b, 0xe4,
29830 ++ 0xb6, 0xe0, 0x59, 0x28, 0x87, 0x74, 0x1a, 0x36 },
29831 ++ .result = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29832 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29833 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29834 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29835 ++ .valid = true
29836 ++ },
29837 ++ /* wycheproof - edge case for shared secret */
29838 ++ {
29839 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29840 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29841 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29842 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29843 ++ .public = { 0x89, 0xe1, 0x0d, 0x57, 0x01, 0xb4, 0x33, 0x7d,
29844 ++ 0x2d, 0x03, 0x21, 0x81, 0x53, 0x8b, 0x10, 0x64,
29845 ++ 0xbd, 0x40, 0x84, 0x40, 0x1c, 0xec, 0xa1, 0xfd,
29846 ++ 0x12, 0x66, 0x3a, 0x19, 0x59, 0x38, 0x80, 0x00 },
29847 ++ .result = { 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29848 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29849 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29850 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29851 ++ .valid = true
29852 ++ },
29853 ++ /* wycheproof - edge case for shared secret */
29854 ++ {
29855 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29856 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29857 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29858 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29859 ++ .public = { 0x2b, 0x55, 0xd3, 0xaa, 0x4a, 0x8f, 0x80, 0xc8,
29860 ++ 0xc0, 0xb2, 0xae, 0x5f, 0x93, 0x3e, 0x85, 0xaf,
29861 ++ 0x49, 0xbe, 0xac, 0x36, 0xc2, 0xfa, 0x73, 0x94,
29862 ++ 0xba, 0xb7, 0x6c, 0x89, 0x33, 0xf8, 0xf8, 0x1d },
29863 ++ .result = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29864 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29865 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
29866 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
29867 ++ .valid = true
29868 ++ },
29869 ++ /* wycheproof - edge case for shared secret */
29870 ++ {
29871 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29872 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29873 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29874 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29875 ++ .public = { 0x63, 0xe5, 0xb1, 0xfe, 0x96, 0x01, 0xfe, 0x84,
29876 ++ 0x38, 0x5d, 0x88, 0x66, 0xb0, 0x42, 0x12, 0x62,
29877 ++ 0xf7, 0x8f, 0xbf, 0xa5, 0xaf, 0xf9, 0x58, 0x5e,
29878 ++ 0x62, 0x66, 0x79, 0xb1, 0x85, 0x47, 0xd9, 0x59 },
29879 ++ .result = { 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29880 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29881 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29882 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29883 ++ .valid = true
29884 ++ },
29885 ++ /* wycheproof - edge case for shared secret */
29886 ++ {
29887 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29888 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29889 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29890 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29891 ++ .public = { 0xe4, 0x28, 0xf3, 0xda, 0xc1, 0x78, 0x09, 0xf8,
29892 ++ 0x27, 0xa5, 0x22, 0xce, 0x32, 0x35, 0x50, 0x58,
29893 ++ 0xd0, 0x73, 0x69, 0x36, 0x4a, 0xa7, 0x89, 0x02,
29894 ++ 0xee, 0x10, 0x13, 0x9b, 0x9f, 0x9d, 0xd6, 0x53 },
29895 ++ .result = { 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29896 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29897 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29898 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29899 ++ .valid = true
29900 ++ },
29901 ++ /* wycheproof - edge case for shared secret */
29902 ++ {
29903 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29904 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29905 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29906 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29907 ++ .public = { 0xb3, 0xb5, 0x0e, 0x3e, 0xd3, 0xa4, 0x07, 0xb9,
29908 ++ 0x5d, 0xe9, 0x42, 0xef, 0x74, 0x57, 0x5b, 0x5a,
29909 ++ 0xb8, 0xa1, 0x0c, 0x09, 0xee, 0x10, 0x35, 0x44,
29910 ++ 0xd6, 0x0b, 0xdf, 0xed, 0x81, 0x38, 0xab, 0x2b },
29911 ++ .result = { 0xf9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29912 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29913 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29914 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29915 ++ .valid = true
29916 ++ },
29917 ++ /* wycheproof - edge case for shared secret */
29918 ++ {
29919 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29920 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29921 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29922 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29923 ++ .public = { 0x21, 0x3f, 0xff, 0xe9, 0x3d, 0x5e, 0xa8, 0xcd,
29924 ++ 0x24, 0x2e, 0x46, 0x28, 0x44, 0x02, 0x99, 0x22,
29925 ++ 0xc4, 0x3c, 0x77, 0xc9, 0xe3, 0xe4, 0x2f, 0x56,
29926 ++ 0x2f, 0x48, 0x5d, 0x24, 0xc5, 0x01, 0xa2, 0x0b },
29927 ++ .result = { 0xf3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29928 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29929 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29930 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f },
29931 ++ .valid = true
29932 ++ },
29933 ++ /* wycheproof - edge case for shared secret */
29934 ++ {
29935 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29936 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29937 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29938 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29939 ++ .public = { 0x91, 0xb2, 0x32, 0xa1, 0x78, 0xb3, 0xcd, 0x53,
29940 ++ 0x09, 0x32, 0x44, 0x1e, 0x61, 0x39, 0x41, 0x8f,
29941 ++ 0x72, 0x17, 0x22, 0x92, 0xf1, 0xda, 0x4c, 0x18,
29942 ++ 0x34, 0xfc, 0x5e, 0xbf, 0xef, 0xb5, 0x1e, 0x3f },
29943 ++ .result = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29944 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29945 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29946 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03 },
29947 ++ .valid = true
29948 ++ },
29949 ++ /* wycheproof - edge case for shared secret */
29950 ++ {
29951 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29952 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29953 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29954 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29955 ++ .public = { 0x04, 0x5c, 0x6e, 0x11, 0xc5, 0xd3, 0x32, 0x55,
29956 ++ 0x6c, 0x78, 0x22, 0xfe, 0x94, 0xeb, 0xf8, 0x9b,
29957 ++ 0x56, 0xa3, 0x87, 0x8d, 0xc2, 0x7c, 0xa0, 0x79,
29958 ++ 0x10, 0x30, 0x58, 0x84, 0x9f, 0xab, 0xcb, 0x4f },
29959 ++ .result = { 0xe5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29960 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29961 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29962 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29963 ++ .valid = true
29964 ++ },
29965 ++ /* wycheproof - edge case for shared secret */
29966 ++ {
29967 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29968 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29969 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29970 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29971 ++ .public = { 0x1c, 0xa2, 0x19, 0x0b, 0x71, 0x16, 0x35, 0x39,
29972 ++ 0x06, 0x3c, 0x35, 0x77, 0x3b, 0xda, 0x0c, 0x9c,
29973 ++ 0x92, 0x8e, 0x91, 0x36, 0xf0, 0x62, 0x0a, 0xeb,
29974 ++ 0x09, 0x3f, 0x09, 0x91, 0x97, 0xb7, 0xf7, 0x4e },
29975 ++ .result = { 0xe3, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29976 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29977 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29978 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29979 ++ .valid = true
29980 ++ },
29981 ++ /* wycheproof - edge case for shared secret */
29982 ++ {
29983 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
29984 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
29985 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
29986 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
29987 ++ .public = { 0xf7, 0x6e, 0x90, 0x10, 0xac, 0x33, 0xc5, 0x04,
29988 ++ 0x3b, 0x2d, 0x3b, 0x76, 0xa8, 0x42, 0x17, 0x10,
29989 ++ 0x00, 0xc4, 0x91, 0x62, 0x22, 0xe9, 0xe8, 0x58,
29990 ++ 0x97, 0xa0, 0xae, 0xc7, 0xf6, 0x35, 0x0b, 0x3c },
29991 ++ .result = { 0xdd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29992 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29993 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
29994 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
29995 ++ .valid = true
29996 ++ },
29997 ++ /* wycheproof - edge case for shared secret */
29998 ++ {
29999 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
30000 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
30001 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
30002 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
30003 ++ .public = { 0xbb, 0x72, 0x68, 0x8d, 0x8f, 0x8a, 0xa7, 0xa3,
30004 ++ 0x9c, 0xd6, 0x06, 0x0c, 0xd5, 0xc8, 0x09, 0x3c,
30005 ++ 0xde, 0xc6, 0xfe, 0x34, 0x19, 0x37, 0xc3, 0x88,
30006 ++ 0x6a, 0x99, 0x34, 0x6c, 0xd0, 0x7f, 0xaa, 0x55 },
30007 ++ .result = { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
30008 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
30009 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
30010 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
30011 ++ .valid = true
30012 ++ },
30013 ++ /* wycheproof - edge case for shared secret */
30014 ++ {
30015 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
30016 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
30017 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
30018 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
30019 ++ .public = { 0x88, 0xfd, 0xde, 0xa1, 0x93, 0x39, 0x1c, 0x6a,
30020 ++ 0x59, 0x33, 0xef, 0x9b, 0x71, 0x90, 0x15, 0x49,
30021 ++ 0x44, 0x72, 0x05, 0xaa, 0xe9, 0xda, 0x92, 0x8a,
30022 ++ 0x6b, 0x91, 0xa3, 0x52, 0xba, 0x10, 0xf4, 0x1f },
30023 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30024 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30025 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30026 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02 },
30027 ++ .valid = true
30028 ++ },
30029 ++ /* wycheproof - edge case for shared secret */
30030 ++ {
30031 ++ .private = { 0xa0, 0xa4, 0xf1, 0x30, 0xb9, 0x8a, 0x5b, 0xe4,
30032 ++ 0xb1, 0xce, 0xdb, 0x7c, 0xb8, 0x55, 0x84, 0xa3,
30033 ++ 0x52, 0x0e, 0x14, 0x2d, 0x47, 0x4d, 0xc9, 0xcc,
30034 ++ 0xb9, 0x09, 0xa0, 0x73, 0xa9, 0x76, 0xbf, 0x63 },
30035 ++ .public = { 0x30, 0x3b, 0x39, 0x2f, 0x15, 0x31, 0x16, 0xca,
30036 ++ 0xd9, 0xcc, 0x68, 0x2a, 0x00, 0xcc, 0xc4, 0x4c,
30037 ++ 0x95, 0xff, 0x0d, 0x3b, 0xbe, 0x56, 0x8b, 0xeb,
30038 ++ 0x6c, 0x4e, 0x73, 0x9b, 0xaf, 0xdc, 0x2c, 0x68 },
30039 ++ .result = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30040 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30041 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30042 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00 },
30043 ++ .valid = true
30044 ++ },
30045 ++ /* wycheproof - checking for overflow */
30046 ++ {
30047 ++ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30048 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30049 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30050 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30051 ++ .public = { 0xfd, 0x30, 0x0a, 0xeb, 0x40, 0xe1, 0xfa, 0x58,
30052 ++ 0x25, 0x18, 0x41, 0x2b, 0x49, 0xb2, 0x08, 0xa7,
30053 ++ 0x84, 0x2b, 0x1e, 0x1f, 0x05, 0x6a, 0x04, 0x01,
30054 ++ 0x78, 0xea, 0x41, 0x41, 0x53, 0x4f, 0x65, 0x2d },
30055 ++ .result = { 0xb7, 0x34, 0x10, 0x5d, 0xc2, 0x57, 0x58, 0x5d,
30056 ++ 0x73, 0xb5, 0x66, 0xcc, 0xb7, 0x6f, 0x06, 0x27,
30057 ++ 0x95, 0xcc, 0xbe, 0xc8, 0x91, 0x28, 0xe5, 0x2b,
30058 ++ 0x02, 0xf3, 0xe5, 0x96, 0x39, 0xf1, 0x3c, 0x46 },
30059 ++ .valid = true
30060 ++ },
30061 ++ /* wycheproof - checking for overflow */
30062 ++ {
30063 ++ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30064 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30065 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30066 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30067 ++ .public = { 0xc8, 0xef, 0x79, 0xb5, 0x14, 0xd7, 0x68, 0x26,
30068 ++ 0x77, 0xbc, 0x79, 0x31, 0xe0, 0x6e, 0xe5, 0xc2,
30069 ++ 0x7c, 0x9b, 0x39, 0x2b, 0x4a, 0xe9, 0x48, 0x44,
30070 ++ 0x73, 0xf5, 0x54, 0xe6, 0x67, 0x8e, 0xcc, 0x2e },
30071 ++ .result = { 0x64, 0x7a, 0x46, 0xb6, 0xfc, 0x3f, 0x40, 0xd6,
30072 ++ 0x21, 0x41, 0xee, 0x3c, 0xee, 0x70, 0x6b, 0x4d,
30073 ++ 0x7a, 0x92, 0x71, 0x59, 0x3a, 0x7b, 0x14, 0x3e,
30074 ++ 0x8e, 0x2e, 0x22, 0x79, 0x88, 0x3e, 0x45, 0x50 },
30075 ++ .valid = true
30076 ++ },
30077 ++ /* wycheproof - checking for overflow */
30078 ++ {
30079 ++ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30080 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30081 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30082 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30083 ++ .public = { 0x64, 0xae, 0xac, 0x25, 0x04, 0x14, 0x48, 0x61,
30084 ++ 0x53, 0x2b, 0x7b, 0xbc, 0xb6, 0xc8, 0x7d, 0x67,
30085 ++ 0xdd, 0x4c, 0x1f, 0x07, 0xeb, 0xc2, 0xe0, 0x6e,
30086 ++ 0xff, 0xb9, 0x5a, 0xec, 0xc6, 0x17, 0x0b, 0x2c },
30087 ++ .result = { 0x4f, 0xf0, 0x3d, 0x5f, 0xb4, 0x3c, 0xd8, 0x65,
30088 ++ 0x7a, 0x3c, 0xf3, 0x7c, 0x13, 0x8c, 0xad, 0xce,
30089 ++ 0xcc, 0xe5, 0x09, 0xe4, 0xeb, 0xa0, 0x89, 0xd0,
30090 ++ 0xef, 0x40, 0xb4, 0xe4, 0xfb, 0x94, 0x61, 0x55 },
30091 ++ .valid = true
30092 ++ },
30093 ++ /* wycheproof - checking for overflow */
30094 ++ {
30095 ++ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30096 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30097 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30098 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30099 ++ .public = { 0xbf, 0x68, 0xe3, 0x5e, 0x9b, 0xdb, 0x7e, 0xee,
30100 ++ 0x1b, 0x50, 0x57, 0x02, 0x21, 0x86, 0x0f, 0x5d,
30101 ++ 0xcd, 0xad, 0x8a, 0xcb, 0xab, 0x03, 0x1b, 0x14,
30102 ++ 0x97, 0x4c, 0xc4, 0x90, 0x13, 0xc4, 0x98, 0x31 },
30103 ++ .result = { 0x21, 0xce, 0xe5, 0x2e, 0xfd, 0xbc, 0x81, 0x2e,
30104 ++ 0x1d, 0x02, 0x1a, 0x4a, 0xf1, 0xe1, 0xd8, 0xbc,
30105 ++ 0x4d, 0xb3, 0xc4, 0x00, 0xe4, 0xd2, 0xa2, 0xc5,
30106 ++ 0x6a, 0x39, 0x26, 0xdb, 0x4d, 0x99, 0xc6, 0x5b },
30107 ++ .valid = true
30108 ++ },
30109 ++ /* wycheproof - checking for overflow */
30110 ++ {
30111 ++ .private = { 0xc8, 0x17, 0x24, 0x70, 0x40, 0x00, 0xb2, 0x6d,
30112 ++ 0x31, 0x70, 0x3c, 0xc9, 0x7e, 0x3a, 0x37, 0x8d,
30113 ++ 0x56, 0xfa, 0xd8, 0x21, 0x93, 0x61, 0xc8, 0x8c,
30114 ++ 0xca, 0x8b, 0xd7, 0xc5, 0x71, 0x9b, 0x12, 0xb2 },
30115 ++ .public = { 0x53, 0x47, 0xc4, 0x91, 0x33, 0x1a, 0x64, 0xb4,
30116 ++ 0x3d, 0xdc, 0x68, 0x30, 0x34, 0xe6, 0x77, 0xf5,
30117 ++ 0x3d, 0xc3, 0x2b, 0x52, 0xa5, 0x2a, 0x57, 0x7c,
30118 ++ 0x15, 0xa8, 0x3b, 0xf2, 0x98, 0xe9, 0x9f, 0x19 },
30119 ++ .result = { 0x18, 0xcb, 0x89, 0xe4, 0xe2, 0x0c, 0x0c, 0x2b,
30120 ++ 0xd3, 0x24, 0x30, 0x52, 0x45, 0x26, 0x6c, 0x93,
30121 ++ 0x27, 0x69, 0x0b, 0xbe, 0x79, 0xac, 0xb8, 0x8f,
30122 ++ 0x5b, 0x8f, 0xb3, 0xf7, 0x4e, 0xca, 0x3e, 0x52 },
30123 ++ .valid = true
30124 ++ },
30125 ++ /* wycheproof - private key == -1 (mod order) */
30126 ++ {
30127 ++ .private = { 0xa0, 0x23, 0xcd, 0xd0, 0x83, 0xef, 0x5b, 0xb8,
30128 ++ 0x2f, 0x10, 0xd6, 0x2e, 0x59, 0xe1, 0x5a, 0x68,
30129 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
30130 ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50 },
30131 ++ .public = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
30132 ++ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
30133 ++ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
30134 ++ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
30135 ++ .result = { 0x25, 0x8e, 0x04, 0x52, 0x3b, 0x8d, 0x25, 0x3e,
30136 ++ 0xe6, 0x57, 0x19, 0xfc, 0x69, 0x06, 0xc6, 0x57,
30137 ++ 0x19, 0x2d, 0x80, 0x71, 0x7e, 0xdc, 0x82, 0x8f,
30138 ++ 0xa0, 0xaf, 0x21, 0x68, 0x6e, 0x2f, 0xaa, 0x75 },
30139 ++ .valid = true
30140 ++ },
30141 ++ /* wycheproof - private key == 1 (mod order) on twist */
30142 ++ {
30143 ++ .private = { 0x58, 0x08, 0x3d, 0xd2, 0x61, 0xad, 0x91, 0xef,
30144 ++ 0xf9, 0x52, 0x32, 0x2e, 0xc8, 0x24, 0xc6, 0x82,
30145 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
30146 ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x5f },
30147 ++ .public = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
30148 ++ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
30149 ++ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
30150 ++ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
30151 ++ .result = { 0x2e, 0xae, 0x5e, 0xc3, 0xdd, 0x49, 0x4e, 0x9f,
30152 ++ 0x2d, 0x37, 0xd2, 0x58, 0xf8, 0x73, 0xa8, 0xe6,
30153 ++ 0xe9, 0xd0, 0xdb, 0xd1, 0xe3, 0x83, 0xef, 0x64,
30154 ++ 0xd9, 0x8b, 0xb9, 0x1b, 0x3e, 0x0b, 0xe0, 0x35 },
30155 ++ .valid = true
30156 ++ }
30157 ++};
30158 ++
30159 ++bool __init curve25519_selftest(void)
30160 ++{
30161 ++ bool success = true, ret, ret2;
30162 ++ size_t i = 0, j;
30163 ++ u8 in[CURVE25519_KEY_SIZE];
30164 ++ u8 out[CURVE25519_KEY_SIZE], out2[CURVE25519_KEY_SIZE],
30165 ++ out3[CURVE25519_KEY_SIZE];
30166 ++
30167 ++ for (i = 0; i < ARRAY_SIZE(curve25519_test_vectors); ++i) {
30168 ++ memset(out, 0, CURVE25519_KEY_SIZE);
30169 ++ ret = curve25519(out, curve25519_test_vectors[i].private,
30170 ++ curve25519_test_vectors[i].public);
30171 ++ if (ret != curve25519_test_vectors[i].valid ||
30172 ++ memcmp(out, curve25519_test_vectors[i].result,
30173 ++ CURVE25519_KEY_SIZE)) {
30174 ++ pr_err("curve25519 self-test %zu: FAIL\n", i + 1);
30175 ++ success = false;
30176 ++ }
30177 ++ }
30178 ++
30179 ++ for (i = 0; i < 5; ++i) {
30180 ++ get_random_bytes(in, sizeof(in));
30181 ++ ret = curve25519_generate_public(out, in);
30182 ++ ret2 = curve25519(out2, in, (u8[CURVE25519_KEY_SIZE]){ 9 });
30183 ++ curve25519_generic(out3, in, (u8[CURVE25519_KEY_SIZE]){ 9 });
30184 ++ if (ret != ret2 ||
30185 ++ memcmp(out, out2, CURVE25519_KEY_SIZE) ||
30186 ++ memcmp(out, out3, CURVE25519_KEY_SIZE)) {
30187 ++ pr_err("curve25519 basepoint self-test %zu: FAIL: input - 0x",
30188 ++ i + 1);
30189 ++ for (j = CURVE25519_KEY_SIZE; j-- > 0;)
30190 ++ printk(KERN_CONT "%02x", in[j]);
30191 ++ printk(KERN_CONT "\n");
30192 ++ success = false;
30193 ++ }
30194 ++ }
30195 ++
30196 ++ return success;
30197 ++}
30198 +--- b/arch/x86/crypto/poly1305-avx2-x86_64.S
30199 ++++ /dev/null
30200 +@@ -1,390 +0,0 @@
30201 +-/* SPDX-License-Identifier: GPL-2.0-or-later */
30202 +-/*
30203 +- * Poly1305 authenticator algorithm, RFC7539, x64 AVX2 functions
30204 +- *
30205 +- * Copyright (C) 2015 Martin Willi
30206 +- */
30207 +-
30208 +-#include <linux/linkage.h>
30209 +-
30210 +-.section .rodata.cst32.ANMASK, "aM", @progbits, 32
30211 +-.align 32
30212 +-ANMASK: .octa 0x0000000003ffffff0000000003ffffff
30213 +- .octa 0x0000000003ffffff0000000003ffffff
30214 +-
30215 +-.section .rodata.cst32.ORMASK, "aM", @progbits, 32
30216 +-.align 32
30217 +-ORMASK: .octa 0x00000000010000000000000001000000
30218 +- .octa 0x00000000010000000000000001000000
30219 +-
30220 +-.text
30221 +-
30222 +-#define h0 0x00(%rdi)
30223 +-#define h1 0x04(%rdi)
30224 +-#define h2 0x08(%rdi)
30225 +-#define h3 0x0c(%rdi)
30226 +-#define h4 0x10(%rdi)
30227 +-#define r0 0x00(%rdx)
30228 +-#define r1 0x04(%rdx)
30229 +-#define r2 0x08(%rdx)
30230 +-#define r3 0x0c(%rdx)
30231 +-#define r4 0x10(%rdx)
30232 +-#define u0 0x00(%r8)
30233 +-#define u1 0x04(%r8)
30234 +-#define u2 0x08(%r8)
30235 +-#define u3 0x0c(%r8)
30236 +-#define u4 0x10(%r8)
30237 +-#define w0 0x14(%r8)
30238 +-#define w1 0x18(%r8)
30239 +-#define w2 0x1c(%r8)
30240 +-#define w3 0x20(%r8)
30241 +-#define w4 0x24(%r8)
30242 +-#define y0 0x28(%r8)
30243 +-#define y1 0x2c(%r8)
30244 +-#define y2 0x30(%r8)
30245 +-#define y3 0x34(%r8)
30246 +-#define y4 0x38(%r8)
30247 +-#define m %rsi
30248 +-#define hc0 %ymm0
30249 +-#define hc1 %ymm1
30250 +-#define hc2 %ymm2
30251 +-#define hc3 %ymm3
30252 +-#define hc4 %ymm4
30253 +-#define hc0x %xmm0
30254 +-#define hc1x %xmm1
30255 +-#define hc2x %xmm2
30256 +-#define hc3x %xmm3
30257 +-#define hc4x %xmm4
30258 +-#define t1 %ymm5
30259 +-#define t2 %ymm6
30260 +-#define t1x %xmm5
30261 +-#define t2x %xmm6
30262 +-#define ruwy0 %ymm7
30263 +-#define ruwy1 %ymm8
30264 +-#define ruwy2 %ymm9
30265 +-#define ruwy3 %ymm10
30266 +-#define ruwy4 %ymm11
30267 +-#define ruwy0x %xmm7
30268 +-#define ruwy1x %xmm8
30269 +-#define ruwy2x %xmm9
30270 +-#define ruwy3x %xmm10
30271 +-#define ruwy4x %xmm11
30272 +-#define svxz1 %ymm12
30273 +-#define svxz2 %ymm13
30274 +-#define svxz3 %ymm14
30275 +-#define svxz4 %ymm15
30276 +-#define d0 %r9
30277 +-#define d1 %r10
30278 +-#define d2 %r11
30279 +-#define d3 %r12
30280 +-#define d4 %r13
30281 +-
30282 +-ENTRY(poly1305_4block_avx2)
30283 +- # %rdi: Accumulator h[5]
30284 +- # %rsi: 64 byte input block m
30285 +- # %rdx: Poly1305 key r[5]
30286 +- # %rcx: Quadblock count
30287 +- # %r8: Poly1305 derived key r^2 u[5], r^3 w[5], r^4 y[5],
30288 +-
30289 +- # This four-block variant uses loop unrolled block processing. It
30290 +- # requires 4 Poly1305 keys: r, r^2, r^3 and r^4:
30291 +- # h = (h + m) * r => h = (h + m1) * r^4 + m2 * r^3 + m3 * r^2 + m4 * r
30292 +-
30293 +- vzeroupper
30294 +- push %rbx
30295 +- push %r12
30296 +- push %r13
30297 +-
30298 +- # combine r0,u0,w0,y0
30299 +- vmovd y0,ruwy0x
30300 +- vmovd w0,t1x
30301 +- vpunpcklqdq t1,ruwy0,ruwy0
30302 +- vmovd u0,t1x
30303 +- vmovd r0,t2x
30304 +- vpunpcklqdq t2,t1,t1
30305 +- vperm2i128 $0x20,t1,ruwy0,ruwy0
30306 +-
30307 +- # combine r1,u1,w1,y1 and s1=r1*5,v1=u1*5,x1=w1*5,z1=y1*5
30308 +- vmovd y1,ruwy1x
30309 +- vmovd w1,t1x
30310 +- vpunpcklqdq t1,ruwy1,ruwy1
30311 +- vmovd u1,t1x
30312 +- vmovd r1,t2x
30313 +- vpunpcklqdq t2,t1,t1
30314 +- vperm2i128 $0x20,t1,ruwy1,ruwy1
30315 +- vpslld $2,ruwy1,svxz1
30316 +- vpaddd ruwy1,svxz1,svxz1
30317 +-
30318 +- # combine r2,u2,w2,y2 and s2=r2*5,v2=u2*5,x2=w2*5,z2=y2*5
30319 +- vmovd y2,ruwy2x
30320 +- vmovd w2,t1x
30321 +- vpunpcklqdq t1,ruwy2,ruwy2
30322 +- vmovd u2,t1x
30323 +- vmovd r2,t2x
30324 +- vpunpcklqdq t2,t1,t1
30325 +- vperm2i128 $0x20,t1,ruwy2,ruwy2
30326 +- vpslld $2,ruwy2,svxz2
30327 +- vpaddd ruwy2,svxz2,svxz2
30328 +-
30329 +- # combine r3,u3,w3,y3 and s3=r3*5,v3=u3*5,x3=w3*5,z3=y3*5
30330 +- vmovd y3,ruwy3x
30331 +- vmovd w3,t1x
30332 +- vpunpcklqdq t1,ruwy3,ruwy3
30333 +- vmovd u3,t1x
30334 +- vmovd r3,t2x
30335 +- vpunpcklqdq t2,t1,t1
30336 +- vperm2i128 $0x20,t1,ruwy3,ruwy3
30337 +- vpslld $2,ruwy3,svxz3
30338 +- vpaddd ruwy3,svxz3,svxz3
30339 +-
30340 +- # combine r4,u4,w4,y4 and s4=r4*5,v4=u4*5,x4=w4*5,z4=y4*5
30341 +- vmovd y4,ruwy4x
30342 +- vmovd w4,t1x
30343 +- vpunpcklqdq t1,ruwy4,ruwy4
30344 +- vmovd u4,t1x
30345 +- vmovd r4,t2x
30346 +- vpunpcklqdq t2,t1,t1
30347 +- vperm2i128 $0x20,t1,ruwy4,ruwy4
30348 +- vpslld $2,ruwy4,svxz4
30349 +- vpaddd ruwy4,svxz4,svxz4
30350 +-
30351 +-.Ldoblock4:
30352 +- # hc0 = [m[48-51] & 0x3ffffff, m[32-35] & 0x3ffffff,
30353 +- # m[16-19] & 0x3ffffff, m[ 0- 3] & 0x3ffffff + h0]
30354 +- vmovd 0x00(m),hc0x
30355 +- vmovd 0x10(m),t1x
30356 +- vpunpcklqdq t1,hc0,hc0
30357 +- vmovd 0x20(m),t1x
30358 +- vmovd 0x30(m),t2x
30359 +- vpunpcklqdq t2,t1,t1
30360 +- vperm2i128 $0x20,t1,hc0,hc0
30361 +- vpand ANMASK(%rip),hc0,hc0
30362 +- vmovd h0,t1x
30363 +- vpaddd t1,hc0,hc0
30364 +- # hc1 = [(m[51-54] >> 2) & 0x3ffffff, (m[35-38] >> 2) & 0x3ffffff,
30365 +- # (m[19-22] >> 2) & 0x3ffffff, (m[ 3- 6] >> 2) & 0x3ffffff + h1]
30366 +- vmovd 0x03(m),hc1x
30367 +- vmovd 0x13(m),t1x
30368 +- vpunpcklqdq t1,hc1,hc1
30369 +- vmovd 0x23(m),t1x
30370 +- vmovd 0x33(m),t2x
30371 +- vpunpcklqdq t2,t1,t1
30372 +- vperm2i128 $0x20,t1,hc1,hc1
30373 +- vpsrld $2,hc1,hc1
30374 +- vpand ANMASK(%rip),hc1,hc1
30375 +- vmovd h1,t1x
30376 +- vpaddd t1,hc1,hc1
30377 +- # hc2 = [(m[54-57] >> 4) & 0x3ffffff, (m[38-41] >> 4) & 0x3ffffff,
30378 +- # (m[22-25] >> 4) & 0x3ffffff, (m[ 6- 9] >> 4) & 0x3ffffff + h2]
30379 +- vmovd 0x06(m),hc2x
30380 +- vmovd 0x16(m),t1x
30381 +- vpunpcklqdq t1,hc2,hc2
30382 +- vmovd 0x26(m),t1x
30383 +- vmovd 0x36(m),t2x
30384 +- vpunpcklqdq t2,t1,t1
30385 +- vperm2i128 $0x20,t1,hc2,hc2
30386 +- vpsrld $4,hc2,hc2
30387 +- vpand ANMASK(%rip),hc2,hc2
30388 +- vmovd h2,t1x
30389 +- vpaddd t1,hc2,hc2
30390 +- # hc3 = [(m[57-60] >> 6) & 0x3ffffff, (m[41-44] >> 6) & 0x3ffffff,
30391 +- # (m[25-28] >> 6) & 0x3ffffff, (m[ 9-12] >> 6) & 0x3ffffff + h3]
30392 +- vmovd 0x09(m),hc3x
30393 +- vmovd 0x19(m),t1x
30394 +- vpunpcklqdq t1,hc3,hc3
30395 +- vmovd 0x29(m),t1x
30396 +- vmovd 0x39(m),t2x
30397 +- vpunpcklqdq t2,t1,t1
30398 +- vperm2i128 $0x20,t1,hc3,hc3
30399 +- vpsrld $6,hc3,hc3
30400 +- vpand ANMASK(%rip),hc3,hc3
30401 +- vmovd h3,t1x
30402 +- vpaddd t1,hc3,hc3
30403 +- # hc4 = [(m[60-63] >> 8) | (1<<24), (m[44-47] >> 8) | (1<<24),
30404 +- # (m[28-31] >> 8) | (1<<24), (m[12-15] >> 8) | (1<<24) + h4]
30405 +- vmovd 0x0c(m),hc4x
30406 +- vmovd 0x1c(m),t1x
30407 +- vpunpcklqdq t1,hc4,hc4
30408 +- vmovd 0x2c(m),t1x
30409 +- vmovd 0x3c(m),t2x
30410 +- vpunpcklqdq t2,t1,t1
30411 +- vperm2i128 $0x20,t1,hc4,hc4
30412 +- vpsrld $8,hc4,hc4
30413 +- vpor ORMASK(%rip),hc4,hc4
30414 +- vmovd h4,t1x
30415 +- vpaddd t1,hc4,hc4
30416 +-
30417 +- # t1 = [ hc0[3] * r0, hc0[2] * u0, hc0[1] * w0, hc0[0] * y0 ]
30418 +- vpmuludq hc0,ruwy0,t1
30419 +- # t1 += [ hc1[3] * s4, hc1[2] * v4, hc1[1] * x4, hc1[0] * z4 ]
30420 +- vpmuludq hc1,svxz4,t2
30421 +- vpaddq t2,t1,t1
30422 +- # t1 += [ hc2[3] * s3, hc2[2] * v3, hc2[1] * x3, hc2[0] * z3 ]
30423 +- vpmuludq hc2,svxz3,t2
30424 +- vpaddq t2,t1,t1
30425 +- # t1 += [ hc3[3] * s2, hc3[2] * v2, hc3[1] * x2, hc3[0] * z2 ]
30426 +- vpmuludq hc3,svxz2,t2
30427 +- vpaddq t2,t1,t1
30428 +- # t1 += [ hc4[3] * s1, hc4[2] * v1, hc4[1] * x1, hc4[0] * z1 ]
30429 +- vpmuludq hc4,svxz1,t2
30430 +- vpaddq t2,t1,t1
30431 +- # d0 = t1[0] + t1[1] + t[2] + t[3]
30432 +- vpermq $0xee,t1,t2
30433 +- vpaddq t2,t1,t1
30434 +- vpsrldq $8,t1,t2
30435 +- vpaddq t2,t1,t1
30436 +- vmovq t1x,d0
30437 +-
30438 +- # t1 = [ hc0[3] * r1, hc0[2] * u1,hc0[1] * w1, hc0[0] * y1 ]
30439 +- vpmuludq hc0,ruwy1,t1
30440 +- # t1 += [ hc1[3] * r0, hc1[2] * u0, hc1[1] * w0, hc1[0] * y0 ]
30441 +- vpmuludq hc1,ruwy0,t2
30442 +- vpaddq t2,t1,t1
30443 +- # t1 += [ hc2[3] * s4, hc2[2] * v4, hc2[1] * x4, hc2[0] * z4 ]
30444 +- vpmuludq hc2,svxz4,t2
30445 +- vpaddq t2,t1,t1
30446 +- # t1 += [ hc3[3] * s3, hc3[2] * v3, hc3[1] * x3, hc3[0] * z3 ]
30447 +- vpmuludq hc3,svxz3,t2
30448 +- vpaddq t2,t1,t1
30449 +- # t1 += [ hc4[3] * s2, hc4[2] * v2, hc4[1] * x2, hc4[0] * z2 ]
30450 +- vpmuludq hc4,svxz2,t2
30451 +- vpaddq t2,t1,t1
30452 +- # d1 = t1[0] + t1[1] + t1[3] + t1[4]
30453 +- vpermq $0xee,t1,t2
30454 +- vpaddq t2,t1,t1
30455 +- vpsrldq $8,t1,t2
30456 +- vpaddq t2,t1,t1
30457 +- vmovq t1x,d1
30458 +-
30459 +- # t1 = [ hc0[3] * r2, hc0[2] * u2, hc0[1] * w2, hc0[0] * y2 ]
30460 +- vpmuludq hc0,ruwy2,t1
30461 +- # t1 += [ hc1[3] * r1, hc1[2] * u1, hc1[1] * w1, hc1[0] * y1 ]
30462 +- vpmuludq hc1,ruwy1,t2
30463 +- vpaddq t2,t1,t1
30464 +- # t1 += [ hc2[3] * r0, hc2[2] * u0, hc2[1] * w0, hc2[0] * y0 ]
30465 +- vpmuludq hc2,ruwy0,t2
30466 +- vpaddq t2,t1,t1
30467 +- # t1 += [ hc3[3] * s4, hc3[2] * v4, hc3[1] * x4, hc3[0] * z4 ]
30468 +- vpmuludq hc3,svxz4,t2
30469 +- vpaddq t2,t1,t1
30470 +- # t1 += [ hc4[3] * s3, hc4[2] * v3, hc4[1] * x3, hc4[0] * z3 ]
30471 +- vpmuludq hc4,svxz3,t2
30472 +- vpaddq t2,t1,t1
30473 +- # d2 = t1[0] + t1[1] + t1[2] + t1[3]
30474 +- vpermq $0xee,t1,t2
30475 +- vpaddq t2,t1,t1
30476 +- vpsrldq $8,t1,t2
30477 +- vpaddq t2,t1,t1
30478 +- vmovq t1x,d2
30479 +-
30480 +- # t1 = [ hc0[3] * r3, hc0[2] * u3, hc0[1] * w3, hc0[0] * y3 ]
30481 +- vpmuludq hc0,ruwy3,t1
30482 +- # t1 += [ hc1[3] * r2, hc1[2] * u2, hc1[1] * w2, hc1[0] * y2 ]
30483 +- vpmuludq hc1,ruwy2,t2
30484 +- vpaddq t2,t1,t1
30485 +- # t1 += [ hc2[3] * r1, hc2[2] * u1, hc2[1] * w1, hc2[0] * y1 ]
30486 +- vpmuludq hc2,ruwy1,t2
30487 +- vpaddq t2,t1,t1
30488 +- # t1 += [ hc3[3] * r0, hc3[2] * u0, hc3[1] * w0, hc3[0] * y0 ]
30489 +- vpmuludq hc3,ruwy0,t2
30490 +- vpaddq t2,t1,t1
30491 +- # t1 += [ hc4[3] * s4, hc4[2] * v4, hc4[1] * x4, hc4[0] * z4 ]
30492 +- vpmuludq hc4,svxz4,t2
30493 +- vpaddq t2,t1,t1
30494 +- # d3 = t1[0] + t1[1] + t1[2] + t1[3]
30495 +- vpermq $0xee,t1,t2
30496 +- vpaddq t2,t1,t1
30497 +- vpsrldq $8,t1,t2
30498 +- vpaddq t2,t1,t1
30499 +- vmovq t1x,d3
30500 +-
30501 +- # t1 = [ hc0[3] * r4, hc0[2] * u4, hc0[1] * w4, hc0[0] * y4 ]
30502 +- vpmuludq hc0,ruwy4,t1
30503 +- # t1 += [ hc1[3] * r3, hc1[2] * u3, hc1[1] * w3, hc1[0] * y3 ]
30504 +- vpmuludq hc1,ruwy3,t2
30505 +- vpaddq t2,t1,t1
30506 +- # t1 += [ hc2[3] * r2, hc2[2] * u2, hc2[1] * w2, hc2[0] * y2 ]
30507 +- vpmuludq hc2,ruwy2,t2
30508 +- vpaddq t2,t1,t1
30509 +- # t1 += [ hc3[3] * r1, hc3[2] * u1, hc3[1] * w1, hc3[0] * y1 ]
30510 +- vpmuludq hc3,ruwy1,t2
30511 +- vpaddq t2,t1,t1
30512 +- # t1 += [ hc4[3] * r0, hc4[2] * u0, hc4[1] * w0, hc4[0] * y0 ]
30513 +- vpmuludq hc4,ruwy0,t2
30514 +- vpaddq t2,t1,t1
30515 +- # d4 = t1[0] + t1[1] + t1[2] + t1[3]
30516 +- vpermq $0xee,t1,t2
30517 +- vpaddq t2,t1,t1
30518 +- vpsrldq $8,t1,t2
30519 +- vpaddq t2,t1,t1
30520 +- vmovq t1x,d4
30521 +-
30522 +- # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
30523 +- # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
30524 +- # amount. Careful: we must not assume the carry bits 'd0 >> 26',
30525 +- # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
30526 +- # integers. It's true in a single-block implementation, but not here.
30527 +-
30528 +- # d1 += d0 >> 26
30529 +- mov d0,%rax
30530 +- shr $26,%rax
30531 +- add %rax,d1
30532 +- # h0 = d0 & 0x3ffffff
30533 +- mov d0,%rbx
30534 +- and $0x3ffffff,%ebx
30535 +-
30536 +- # d2 += d1 >> 26
30537 +- mov d1,%rax
30538 +- shr $26,%rax
30539 +- add %rax,d2
30540 +- # h1 = d1 & 0x3ffffff
30541 +- mov d1,%rax
30542 +- and $0x3ffffff,%eax
30543 +- mov %eax,h1
30544 +-
30545 +- # d3 += d2 >> 26
30546 +- mov d2,%rax
30547 +- shr $26,%rax
30548 +- add %rax,d3
30549 +- # h2 = d2 & 0x3ffffff
30550 +- mov d2,%rax
30551 +- and $0x3ffffff,%eax
30552 +- mov %eax,h2
30553 +-
30554 +- # d4 += d3 >> 26
30555 +- mov d3,%rax
30556 +- shr $26,%rax
30557 +- add %rax,d4
30558 +- # h3 = d3 & 0x3ffffff
30559 +- mov d3,%rax
30560 +- and $0x3ffffff,%eax
30561 +- mov %eax,h3
30562 +-
30563 +- # h0 += (d4 >> 26) * 5
30564 +- mov d4,%rax
30565 +- shr $26,%rax
30566 +- lea (%rax,%rax,4),%rax
30567 +- add %rax,%rbx
30568 +- # h4 = d4 & 0x3ffffff
30569 +- mov d4,%rax
30570 +- and $0x3ffffff,%eax
30571 +- mov %eax,h4
30572 +-
30573 +- # h1 += h0 >> 26
30574 +- mov %rbx,%rax
30575 +- shr $26,%rax
30576 +- add %eax,h1
30577 +- # h0 = h0 & 0x3ffffff
30578 +- andl $0x3ffffff,%ebx
30579 +- mov %ebx,h0
30580 +-
30581 +- add $0x40,m
30582 +- dec %rcx
30583 +- jnz .Ldoblock4
30584 +-
30585 +- vzeroupper
30586 +- pop %r13
30587 +- pop %r12
30588 +- pop %rbx
30589 +- ret
30590 +-ENDPROC(poly1305_4block_avx2)
30591 +--- a/include/crypto/nhpoly1305.h
30592 ++++ b/include/crypto/nhpoly1305.h
30593 +@@ -7,7 +7,7 @@
30594 + #define _NHPOLY1305_H
30595 +
30596 + #include <crypto/hash.h>
30597 +-#include <crypto/poly1305.h>
30598 ++#include <crypto/internal/poly1305.h>
30599 +
30600 + /* NH parameterization: */
30601 +
30602 +@@ -33,7 +33,7 @@
30603 + #define NHPOLY1305_KEY_SIZE (POLY1305_BLOCK_SIZE + NH_KEY_BYTES)
30604 +
30605 + struct nhpoly1305_key {
30606 +- struct poly1305_key poly_key;
30607 ++ struct poly1305_core_key poly_key;
30608 + u32 nh_key[NH_KEY_WORDS];
30609 + };
30610 +
30611 +--- /dev/null
30612 ++++ b/lib/crypto/poly1305-donna32.c
30613 +@@ -0,0 +1,204 @@
30614 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
30615 ++/*
30616 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
30617 ++ *
30618 ++ * This is based in part on Andrew Moon's poly1305-donna, which is in the
30619 ++ * public domain.
30620 ++ */
30621 ++
30622 ++#include <linux/kernel.h>
30623 ++#include <asm/unaligned.h>
30624 ++#include <crypto/internal/poly1305.h>
30625 ++
30626 ++void poly1305_core_setkey(struct poly1305_core_key *key, const u8 raw_key[16])
30627 ++{
30628 ++ /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
30629 ++ key->key.r[0] = (get_unaligned_le32(&raw_key[0])) & 0x3ffffff;
30630 ++ key->key.r[1] = (get_unaligned_le32(&raw_key[3]) >> 2) & 0x3ffff03;
30631 ++ key->key.r[2] = (get_unaligned_le32(&raw_key[6]) >> 4) & 0x3ffc0ff;
30632 ++ key->key.r[3] = (get_unaligned_le32(&raw_key[9]) >> 6) & 0x3f03fff;
30633 ++ key->key.r[4] = (get_unaligned_le32(&raw_key[12]) >> 8) & 0x00fffff;
30634 ++
30635 ++ /* s = 5*r */
30636 ++ key->precomputed_s.r[0] = key->key.r[1] * 5;
30637 ++ key->precomputed_s.r[1] = key->key.r[2] * 5;
30638 ++ key->precomputed_s.r[2] = key->key.r[3] * 5;
30639 ++ key->precomputed_s.r[3] = key->key.r[4] * 5;
30640 ++}
30641 ++EXPORT_SYMBOL(poly1305_core_setkey);
30642 ++
30643 ++void poly1305_core_blocks(struct poly1305_state *state,
30644 ++ const struct poly1305_core_key *key, const void *src,
30645 ++ unsigned int nblocks, u32 hibit)
30646 ++{
30647 ++ const u8 *input = src;
30648 ++ u32 r0, r1, r2, r3, r4;
30649 ++ u32 s1, s2, s3, s4;
30650 ++ u32 h0, h1, h2, h3, h4;
30651 ++ u64 d0, d1, d2, d3, d4;
30652 ++ u32 c;
30653 ++
30654 ++ if (!nblocks)
30655 ++ return;
30656 ++
30657 ++ hibit <<= 24;
30658 ++
30659 ++ r0 = key->key.r[0];
30660 ++ r1 = key->key.r[1];
30661 ++ r2 = key->key.r[2];
30662 ++ r3 = key->key.r[3];
30663 ++ r4 = key->key.r[4];
30664 ++
30665 ++ s1 = key->precomputed_s.r[0];
30666 ++ s2 = key->precomputed_s.r[1];
30667 ++ s3 = key->precomputed_s.r[2];
30668 ++ s4 = key->precomputed_s.r[3];
30669 ++
30670 ++ h0 = state->h[0];
30671 ++ h1 = state->h[1];
30672 ++ h2 = state->h[2];
30673 ++ h3 = state->h[3];
30674 ++ h4 = state->h[4];
30675 ++
30676 ++ do {
30677 ++ /* h += m[i] */
30678 ++ h0 += (get_unaligned_le32(&input[0])) & 0x3ffffff;
30679 ++ h1 += (get_unaligned_le32(&input[3]) >> 2) & 0x3ffffff;
30680 ++ h2 += (get_unaligned_le32(&input[6]) >> 4) & 0x3ffffff;
30681 ++ h3 += (get_unaligned_le32(&input[9]) >> 6) & 0x3ffffff;
30682 ++ h4 += (get_unaligned_le32(&input[12]) >> 8) | hibit;
30683 ++
30684 ++ /* h *= r */
30685 ++ d0 = ((u64)h0 * r0) + ((u64)h1 * s4) +
30686 ++ ((u64)h2 * s3) + ((u64)h3 * s2) +
30687 ++ ((u64)h4 * s1);
30688 ++ d1 = ((u64)h0 * r1) + ((u64)h1 * r0) +
30689 ++ ((u64)h2 * s4) + ((u64)h3 * s3) +
30690 ++ ((u64)h4 * s2);
30691 ++ d2 = ((u64)h0 * r2) + ((u64)h1 * r1) +
30692 ++ ((u64)h2 * r0) + ((u64)h3 * s4) +
30693 ++ ((u64)h4 * s3);
30694 ++ d3 = ((u64)h0 * r3) + ((u64)h1 * r2) +
30695 ++ ((u64)h2 * r1) + ((u64)h3 * r0) +
30696 ++ ((u64)h4 * s4);
30697 ++ d4 = ((u64)h0 * r4) + ((u64)h1 * r3) +
30698 ++ ((u64)h2 * r2) + ((u64)h3 * r1) +
30699 ++ ((u64)h4 * r0);
30700 ++
30701 ++ /* (partial) h %= p */
30702 ++ c = (u32)(d0 >> 26);
30703 ++ h0 = (u32)d0 & 0x3ffffff;
30704 ++ d1 += c;
30705 ++ c = (u32)(d1 >> 26);
30706 ++ h1 = (u32)d1 & 0x3ffffff;
30707 ++ d2 += c;
30708 ++ c = (u32)(d2 >> 26);
30709 ++ h2 = (u32)d2 & 0x3ffffff;
30710 ++ d3 += c;
30711 ++ c = (u32)(d3 >> 26);
30712 ++ h3 = (u32)d3 & 0x3ffffff;
30713 ++ d4 += c;
30714 ++ c = (u32)(d4 >> 26);
30715 ++ h4 = (u32)d4 & 0x3ffffff;
30716 ++ h0 += c * 5;
30717 ++ c = (h0 >> 26);
30718 ++ h0 = h0 & 0x3ffffff;
30719 ++ h1 += c;
30720 ++
30721 ++ input += POLY1305_BLOCK_SIZE;
30722 ++ } while (--nblocks);
30723 ++
30724 ++ state->h[0] = h0;
30725 ++ state->h[1] = h1;
30726 ++ state->h[2] = h2;
30727 ++ state->h[3] = h3;
30728 ++ state->h[4] = h4;
30729 ++}
30730 ++EXPORT_SYMBOL(poly1305_core_blocks);
30731 ++
30732 ++void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
30733 ++ void *dst)
30734 ++{
30735 ++ u8 *mac = dst;
30736 ++ u32 h0, h1, h2, h3, h4, c;
30737 ++ u32 g0, g1, g2, g3, g4;
30738 ++ u64 f;
30739 ++ u32 mask;
30740 ++
30741 ++ /* fully carry h */
30742 ++ h0 = state->h[0];
30743 ++ h1 = state->h[1];
30744 ++ h2 = state->h[2];
30745 ++ h3 = state->h[3];
30746 ++ h4 = state->h[4];
30747 ++
30748 ++ c = h1 >> 26;
30749 ++ h1 = h1 & 0x3ffffff;
30750 ++ h2 += c;
30751 ++ c = h2 >> 26;
30752 ++ h2 = h2 & 0x3ffffff;
30753 ++ h3 += c;
30754 ++ c = h3 >> 26;
30755 ++ h3 = h3 & 0x3ffffff;
30756 ++ h4 += c;
30757 ++ c = h4 >> 26;
30758 ++ h4 = h4 & 0x3ffffff;
30759 ++ h0 += c * 5;
30760 ++ c = h0 >> 26;
30761 ++ h0 = h0 & 0x3ffffff;
30762 ++ h1 += c;
30763 ++
30764 ++ /* compute h + -p */
30765 ++ g0 = h0 + 5;
30766 ++ c = g0 >> 26;
30767 ++ g0 &= 0x3ffffff;
30768 ++ g1 = h1 + c;
30769 ++ c = g1 >> 26;
30770 ++ g1 &= 0x3ffffff;
30771 ++ g2 = h2 + c;
30772 ++ c = g2 >> 26;
30773 ++ g2 &= 0x3ffffff;
30774 ++ g3 = h3 + c;
30775 ++ c = g3 >> 26;
30776 ++ g3 &= 0x3ffffff;
30777 ++ g4 = h4 + c - (1UL << 26);
30778 ++
30779 ++ /* select h if h < p, or h + -p if h >= p */
30780 ++ mask = (g4 >> ((sizeof(u32) * 8) - 1)) - 1;
30781 ++ g0 &= mask;
30782 ++ g1 &= mask;
30783 ++ g2 &= mask;
30784 ++ g3 &= mask;
30785 ++ g4 &= mask;
30786 ++ mask = ~mask;
30787 ++
30788 ++ h0 = (h0 & mask) | g0;
30789 ++ h1 = (h1 & mask) | g1;
30790 ++ h2 = (h2 & mask) | g2;
30791 ++ h3 = (h3 & mask) | g3;
30792 ++ h4 = (h4 & mask) | g4;
30793 ++
30794 ++ /* h = h % (2^128) */
30795 ++ h0 = ((h0) | (h1 << 26)) & 0xffffffff;
30796 ++ h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;
30797 ++ h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;
30798 ++ h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;
30799 ++
30800 ++ if (likely(nonce)) {
30801 ++ /* mac = (h + nonce) % (2^128) */
30802 ++ f = (u64)h0 + nonce[0];
30803 ++ h0 = (u32)f;
30804 ++ f = (u64)h1 + nonce[1] + (f >> 32);
30805 ++ h1 = (u32)f;
30806 ++ f = (u64)h2 + nonce[2] + (f >> 32);
30807 ++ h2 = (u32)f;
30808 ++ f = (u64)h3 + nonce[3] + (f >> 32);
30809 ++ h3 = (u32)f;
30810 ++ }
30811 ++
30812 ++ put_unaligned_le32(h0, &mac[0]);
30813 ++ put_unaligned_le32(h1, &mac[4]);
30814 ++ put_unaligned_le32(h2, &mac[8]);
30815 ++ put_unaligned_le32(h3, &mac[12]);
30816 ++}
30817 ++EXPORT_SYMBOL(poly1305_core_emit);
30818 +--- /dev/null
30819 ++++ b/lib/crypto/poly1305-donna64.c
30820 +@@ -0,0 +1,185 @@
30821 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
30822 ++/*
30823 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
30824 ++ *
30825 ++ * This is based in part on Andrew Moon's poly1305-donna, which is in the
30826 ++ * public domain.
30827 ++ */
30828 ++
30829 ++#include <linux/kernel.h>
30830 ++#include <asm/unaligned.h>
30831 ++#include <crypto/internal/poly1305.h>
30832 ++
30833 ++typedef __uint128_t u128;
30834 ++
30835 ++void poly1305_core_setkey(struct poly1305_core_key *key, const u8 raw_key[16])
30836 ++{
30837 ++ u64 t0, t1;
30838 ++
30839 ++ /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
30840 ++ t0 = get_unaligned_le64(&raw_key[0]);
30841 ++ t1 = get_unaligned_le64(&raw_key[8]);
30842 ++
30843 ++ key->key.r64[0] = t0 & 0xffc0fffffffULL;
30844 ++ key->key.r64[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffffULL;
30845 ++ key->key.r64[2] = ((t1 >> 24)) & 0x00ffffffc0fULL;
30846 ++
30847 ++ /* s = 20*r */
30848 ++ key->precomputed_s.r64[0] = key->key.r64[1] * 20;
30849 ++ key->precomputed_s.r64[1] = key->key.r64[2] * 20;
30850 ++}
30851 ++EXPORT_SYMBOL(poly1305_core_setkey);
30852 ++
30853 ++void poly1305_core_blocks(struct poly1305_state *state,
30854 ++ const struct poly1305_core_key *key, const void *src,
30855 ++ unsigned int nblocks, u32 hibit)
30856 ++{
30857 ++ const u8 *input = src;
30858 ++ u64 hibit64;
30859 ++ u64 r0, r1, r2;
30860 ++ u64 s1, s2;
30861 ++ u64 h0, h1, h2;
30862 ++ u64 c;
30863 ++ u128 d0, d1, d2, d;
30864 ++
30865 ++ if (!nblocks)
30866 ++ return;
30867 ++
30868 ++ hibit64 = ((u64)hibit) << 40;
30869 ++
30870 ++ r0 = key->key.r64[0];
30871 ++ r1 = key->key.r64[1];
30872 ++ r2 = key->key.r64[2];
30873 ++
30874 ++ h0 = state->h64[0];
30875 ++ h1 = state->h64[1];
30876 ++ h2 = state->h64[2];
30877 ++
30878 ++ s1 = key->precomputed_s.r64[0];
30879 ++ s2 = key->precomputed_s.r64[1];
30880 ++
30881 ++ do {
30882 ++ u64 t0, t1;
30883 ++
30884 ++ /* h += m[i] */
30885 ++ t0 = get_unaligned_le64(&input[0]);
30886 ++ t1 = get_unaligned_le64(&input[8]);
30887 ++
30888 ++ h0 += t0 & 0xfffffffffffULL;
30889 ++ h1 += ((t0 >> 44) | (t1 << 20)) & 0xfffffffffffULL;
30890 ++ h2 += (((t1 >> 24)) & 0x3ffffffffffULL) | hibit64;
30891 ++
30892 ++ /* h *= r */
30893 ++ d0 = (u128)h0 * r0;
30894 ++ d = (u128)h1 * s2;
30895 ++ d0 += d;
30896 ++ d = (u128)h2 * s1;
30897 ++ d0 += d;
30898 ++ d1 = (u128)h0 * r1;
30899 ++ d = (u128)h1 * r0;
30900 ++ d1 += d;
30901 ++ d = (u128)h2 * s2;
30902 ++ d1 += d;
30903 ++ d2 = (u128)h0 * r2;
30904 ++ d = (u128)h1 * r1;
30905 ++ d2 += d;
30906 ++ d = (u128)h2 * r0;
30907 ++ d2 += d;
30908 ++
30909 ++ /* (partial) h %= p */
30910 ++ c = (u64)(d0 >> 44);
30911 ++ h0 = (u64)d0 & 0xfffffffffffULL;
30912 ++ d1 += c;
30913 ++ c = (u64)(d1 >> 44);
30914 ++ h1 = (u64)d1 & 0xfffffffffffULL;
30915 ++ d2 += c;
30916 ++ c = (u64)(d2 >> 42);
30917 ++ h2 = (u64)d2 & 0x3ffffffffffULL;
30918 ++ h0 += c * 5;
30919 ++ c = h0 >> 44;
30920 ++ h0 = h0 & 0xfffffffffffULL;
30921 ++ h1 += c;
30922 ++
30923 ++ input += POLY1305_BLOCK_SIZE;
30924 ++ } while (--nblocks);
30925 ++
30926 ++ state->h64[0] = h0;
30927 ++ state->h64[1] = h1;
30928 ++ state->h64[2] = h2;
30929 ++}
30930 ++EXPORT_SYMBOL(poly1305_core_blocks);
30931 ++
30932 ++void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
30933 ++ void *dst)
30934 ++{
30935 ++ u8 *mac = dst;
30936 ++ u64 h0, h1, h2, c;
30937 ++ u64 g0, g1, g2;
30938 ++ u64 t0, t1;
30939 ++
30940 ++ /* fully carry h */
30941 ++ h0 = state->h64[0];
30942 ++ h1 = state->h64[1];
30943 ++ h2 = state->h64[2];
30944 ++
30945 ++ c = h1 >> 44;
30946 ++ h1 &= 0xfffffffffffULL;
30947 ++ h2 += c;
30948 ++ c = h2 >> 42;
30949 ++ h2 &= 0x3ffffffffffULL;
30950 ++ h0 += c * 5;
30951 ++ c = h0 >> 44;
30952 ++ h0 &= 0xfffffffffffULL;
30953 ++ h1 += c;
30954 ++ c = h1 >> 44;
30955 ++ h1 &= 0xfffffffffffULL;
30956 ++ h2 += c;
30957 ++ c = h2 >> 42;
30958 ++ h2 &= 0x3ffffffffffULL;
30959 ++ h0 += c * 5;
30960 ++ c = h0 >> 44;
30961 ++ h0 &= 0xfffffffffffULL;
30962 ++ h1 += c;
30963 ++
30964 ++ /* compute h + -p */
30965 ++ g0 = h0 + 5;
30966 ++ c = g0 >> 44;
30967 ++ g0 &= 0xfffffffffffULL;
30968 ++ g1 = h1 + c;
30969 ++ c = g1 >> 44;
30970 ++ g1 &= 0xfffffffffffULL;
30971 ++ g2 = h2 + c - (1ULL << 42);
30972 ++
30973 ++ /* select h if h < p, or h + -p if h >= p */
30974 ++ c = (g2 >> ((sizeof(u64) * 8) - 1)) - 1;
30975 ++ g0 &= c;
30976 ++ g1 &= c;
30977 ++ g2 &= c;
30978 ++ c = ~c;
30979 ++ h0 = (h0 & c) | g0;
30980 ++ h1 = (h1 & c) | g1;
30981 ++ h2 = (h2 & c) | g2;
30982 ++
30983 ++ if (likely(nonce)) {
30984 ++ /* h = (h + nonce) */
30985 ++ t0 = ((u64)nonce[1] << 32) | nonce[0];
30986 ++ t1 = ((u64)nonce[3] << 32) | nonce[2];
30987 ++
30988 ++ h0 += t0 & 0xfffffffffffULL;
30989 ++ c = h0 >> 44;
30990 ++ h0 &= 0xfffffffffffULL;
30991 ++ h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffffULL) + c;
30992 ++ c = h1 >> 44;
30993 ++ h1 &= 0xfffffffffffULL;
30994 ++ h2 += (((t1 >> 24)) & 0x3ffffffffffULL) + c;
30995 ++ h2 &= 0x3ffffffffffULL;
30996 ++ }
30997 ++
30998 ++ /* mac = h % (2^128) */
30999 ++ h0 = h0 | (h1 << 44);
31000 ++ h1 = (h1 >> 20) | (h2 << 24);
31001 ++
31002 ++ put_unaligned_le64(h0, &mac[0]);
31003 ++ put_unaligned_le64(h1, &mac[8]);
31004 ++}
31005 ++EXPORT_SYMBOL(poly1305_core_emit);
31006 +--- b/arch/x86/crypto/poly1305-x86_64-cryptogams.pl
31007 ++++ b/arch/x86/crypto/poly1305-x86_64-cryptogams.pl
31008 +@@ -0,0 +1,4265 @@
31009 ++#!/usr/bin/env perl
31010 ++# SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
31011 ++#
31012 ++# Copyright (C) 2017-2018 Samuel Neves <sneves@××××××.pt>. All Rights Reserved.
31013 ++# Copyright (C) 2017-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
31014 ++# Copyright (C) 2006-2017 CRYPTOGAMS by <appro@×××××××.org>. All Rights Reserved.
31015 ++#
31016 ++# This code is taken from the OpenSSL project but the author, Andy Polyakov,
31017 ++# has relicensed it under the licenses specified in the SPDX header above.
31018 ++# The original headers, including the original license headers, are
31019 ++# included below for completeness.
31020 ++#
31021 ++# ====================================================================
31022 ++# Written by Andy Polyakov <appro@×××××××.org> for the OpenSSL
31023 ++# project. The module is, however, dual licensed under OpenSSL and
31024 ++# CRYPTOGAMS licenses depending on where you obtain it. For further
31025 ++# details see http://www.openssl.org/~appro/cryptogams/.
31026 ++# ====================================================================
31027 ++#
31028 ++# This module implements Poly1305 hash for x86_64.
31029 ++#
31030 ++# March 2015
31031 ++#
31032 ++# Initial release.
31033 ++#
31034 ++# December 2016
31035 ++#
31036 ++# Add AVX512F+VL+BW code path.
31037 ++#
31038 ++# November 2017
31039 ++#
31040 ++# Convert AVX512F+VL+BW code path to pure AVX512F, so that it can be
31041 ++# executed even on Knights Landing. Trigger for modification was
31042 ++# observation that AVX512 code paths can negatively affect overall
31043 ++# Skylake-X system performance. Since we are likely to suppress
31044 ++# AVX512F capability flag [at least on Skylake-X], conversion serves
31045 ++# as kind of "investment protection". Note that next *lake processor,
31046 ++# Cannonlake, has AVX512IFMA code path to execute...
31047 ++#
31048 ++# Numbers are cycles per processed byte with poly1305_blocks alone,
31049 ++# measured with rdtsc at fixed clock frequency.
31050 ++#
31051 ++# IALU/gcc-4.8(*) AVX(**) AVX2 AVX-512
31052 ++# P4 4.46/+120% -
31053 ++# Core 2 2.41/+90% -
31054 ++# Westmere 1.88/+120% -
31055 ++# Sandy Bridge 1.39/+140% 1.10
31056 ++# Haswell 1.14/+175% 1.11 0.65
31057 ++# Skylake[-X] 1.13/+120% 0.96 0.51 [0.35]
31058 ++# Silvermont 2.83/+95% -
31059 ++# Knights L 3.60/? 1.65 1.10 0.41(***)
31060 ++# Goldmont 1.70/+180% -
31061 ++# VIA Nano 1.82/+150% -
31062 ++# Sledgehammer 1.38/+160% -
31063 ++# Bulldozer 2.30/+130% 0.97
31064 ++# Ryzen 1.15/+200% 1.08 1.18
31065 ++#
31066 ++# (*) improvement coefficients relative to clang are more modest and
31067 ++# are ~50% on most processors, in both cases we are comparing to
31068 ++# __int128 code;
31069 ++# (**) SSE2 implementation was attempted, but among non-AVX processors
31070 ++# it was faster than integer-only code only on older Intel P4 and
31071 ++# Core processors, 50-30%, less newer processor is, but slower on
31072 ++# contemporary ones, for example almost 2x slower on Atom, and as
31073 ++# former are naturally disappearing, SSE2 is deemed unnecessary;
31074 ++# (***) strangely enough performance seems to vary from core to core,
31075 ++# listed result is best case;
31076 ++
31077 ++$flavour = shift;
31078 ++$output = shift;
31079 ++if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
31080 ++
31081 ++$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
31082 ++$kernel=0; $kernel=1 if (!$flavour && !$output);
31083 ++
31084 ++if (!$kernel) {
31085 ++ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
31086 ++ ( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
31087 ++ ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
31088 ++ die "can't locate x86_64-xlate.pl";
31089 ++
31090 ++ open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
31091 ++ *STDOUT=*OUT;
31092 ++
31093 ++ if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
31094 ++ =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
31095 ++ $avx = ($1>=2.19) + ($1>=2.22) + ($1>=2.25);
31096 ++ }
31097 ++
31098 ++ if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
31099 ++ `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) {
31100 ++ $avx = ($1>=2.09) + ($1>=2.10) + ($1>=2.12);
31101 ++ $avx += 1 if ($1==2.11 && $2>=8);
31102 ++ }
31103 ++
31104 ++ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
31105 ++ `ml64 2>&1` =~ /Version ([0-9]+)\./) {
31106 ++ $avx = ($1>=10) + ($1>=11);
31107 ++ }
31108 ++
31109 ++ if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) {
31110 ++ $avx = ($2>=3.0) + ($2>3.0);
31111 ++ }
31112 ++} else {
31113 ++ $avx = 4; # The kernel uses ifdefs for this.
31114 ++}
31115 ++
31116 ++sub declare_function() {
31117 ++ my ($name, $align, $nargs) = @_;
31118 ++ if($kernel) {
31119 ++ $code .= ".align $align\n";
31120 ++ $code .= "ENTRY($name)\n";
31121 ++ $code .= ".L$name:\n";
31122 ++ } else {
31123 ++ $code .= ".globl $name\n";
31124 ++ $code .= ".type $name,\@function,$nargs\n";
31125 ++ $code .= ".align $align\n";
31126 ++ $code .= "$name:\n";
31127 ++ }
31128 ++}
31129 ++
31130 ++sub end_function() {
31131 ++ my ($name) = @_;
31132 ++ if($kernel) {
31133 ++ $code .= "ENDPROC($name)\n";
31134 ++ } else {
31135 ++ $code .= ".size $name,.-$name\n";
31136 ++ }
31137 ++}
31138 ++
31139 ++$code.=<<___ if $kernel;
31140 ++#include <linux/linkage.h>
31141 ++___
31142 ++
31143 ++if ($avx) {
31144 ++$code.=<<___ if $kernel;
31145 ++.section .rodata
31146 ++___
31147 ++$code.=<<___;
31148 ++.align 64
31149 ++.Lconst:
31150 ++.Lmask24:
31151 ++.long 0x0ffffff,0,0x0ffffff,0,0x0ffffff,0,0x0ffffff,0
31152 ++.L129:
31153 ++.long `1<<24`,0,`1<<24`,0,`1<<24`,0,`1<<24`,0
31154 ++.Lmask26:
31155 ++.long 0x3ffffff,0,0x3ffffff,0,0x3ffffff,0,0x3ffffff,0
31156 ++.Lpermd_avx2:
31157 ++.long 2,2,2,3,2,0,2,1
31158 ++.Lpermd_avx512:
31159 ++.long 0,0,0,1, 0,2,0,3, 0,4,0,5, 0,6,0,7
31160 ++
31161 ++.L2_44_inp_permd:
31162 ++.long 0,1,1,2,2,3,7,7
31163 ++.L2_44_inp_shift:
31164 ++.quad 0,12,24,64
31165 ++.L2_44_mask:
31166 ++.quad 0xfffffffffff,0xfffffffffff,0x3ffffffffff,0xffffffffffffffff
31167 ++.L2_44_shift_rgt:
31168 ++.quad 44,44,42,64
31169 ++.L2_44_shift_lft:
31170 ++.quad 8,8,10,64
31171 ++
31172 ++.align 64
31173 ++.Lx_mask44:
31174 ++.quad 0xfffffffffff,0xfffffffffff,0xfffffffffff,0xfffffffffff
31175 ++.quad 0xfffffffffff,0xfffffffffff,0xfffffffffff,0xfffffffffff
31176 ++.Lx_mask42:
31177 ++.quad 0x3ffffffffff,0x3ffffffffff,0x3ffffffffff,0x3ffffffffff
31178 ++.quad 0x3ffffffffff,0x3ffffffffff,0x3ffffffffff,0x3ffffffffff
31179 ++___
31180 ++}
31181 ++$code.=<<___ if (!$kernel);
31182 ++.asciz "Poly1305 for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
31183 ++.align 16
31184 ++___
31185 ++
31186 ++my ($ctx,$inp,$len,$padbit)=("%rdi","%rsi","%rdx","%rcx");
31187 ++my ($mac,$nonce)=($inp,$len); # *_emit arguments
31188 ++my ($d1,$d2,$d3, $r0,$r1,$s1)=("%r8","%r9","%rdi","%r11","%r12","%r13");
31189 ++my ($h0,$h1,$h2)=("%r14","%rbx","%r10");
31190 ++
31191 ++sub poly1305_iteration {
31192 ++# input: copy of $r1 in %rax, $h0-$h2, $r0-$r1
31193 ++# output: $h0-$h2 *= $r0-$r1
31194 ++$code.=<<___;
31195 ++ mulq $h0 # h0*r1
31196 ++ mov %rax,$d2
31197 ++ mov $r0,%rax
31198 ++ mov %rdx,$d3
31199 ++
31200 ++ mulq $h0 # h0*r0
31201 ++ mov %rax,$h0 # future $h0
31202 ++ mov $r0,%rax
31203 ++ mov %rdx,$d1
31204 ++
31205 ++ mulq $h1 # h1*r0
31206 ++ add %rax,$d2
31207 ++ mov $s1,%rax
31208 ++ adc %rdx,$d3
31209 ++
31210 ++ mulq $h1 # h1*s1
31211 ++ mov $h2,$h1 # borrow $h1
31212 ++ add %rax,$h0
31213 ++ adc %rdx,$d1
31214 ++
31215 ++ imulq $s1,$h1 # h2*s1
31216 ++ add $h1,$d2
31217 ++ mov $d1,$h1
31218 ++ adc \$0,$d3
31219 ++
31220 ++ imulq $r0,$h2 # h2*r0
31221 ++ add $d2,$h1
31222 ++ mov \$-4,%rax # mask value
31223 ++ adc $h2,$d3
31224 ++
31225 ++ and $d3,%rax # last reduction step
31226 ++ mov $d3,$h2
31227 ++ shr \$2,$d3
31228 ++ and \$3,$h2
31229 ++ add $d3,%rax
31230 ++ add %rax,$h0
31231 ++ adc \$0,$h1
31232 ++ adc \$0,$h2
31233 ++___
31234 ++}
31235 ++
31236 ++########################################################################
31237 ++# Layout of opaque area is following.
31238 ++#
31239 ++# unsigned __int64 h[3]; # current hash value base 2^64
31240 ++# unsigned __int64 r[2]; # key value base 2^64
31241 ++
31242 ++$code.=<<___;
31243 ++.text
31244 ++___
31245 ++$code.=<<___ if (!$kernel);
31246 ++.extern OPENSSL_ia32cap_P
31247 ++
31248 ++.globl poly1305_init_x86_64
31249 ++.hidden poly1305_init_x86_64
31250 ++.globl poly1305_blocks_x86_64
31251 ++.hidden poly1305_blocks_x86_64
31252 ++.globl poly1305_emit_x86_64
31253 ++.hidden poly1305_emit_x86_64
31254 ++___
31255 ++&declare_function("poly1305_init_x86_64", 32, 3);
31256 ++$code.=<<___;
31257 ++ xor %eax,%eax
31258 ++ mov %rax,0($ctx) # initialize hash value
31259 ++ mov %rax,8($ctx)
31260 ++ mov %rax,16($ctx)
31261 ++
31262 ++ cmp \$0,$inp
31263 ++ je .Lno_key
31264 ++___
31265 ++$code.=<<___ if (!$kernel);
31266 ++ lea poly1305_blocks_x86_64(%rip),%r10
31267 ++ lea poly1305_emit_x86_64(%rip),%r11
31268 ++___
31269 ++$code.=<<___ if (!$kernel && $avx);
31270 ++ mov OPENSSL_ia32cap_P+4(%rip),%r9
31271 ++ lea poly1305_blocks_avx(%rip),%rax
31272 ++ lea poly1305_emit_avx(%rip),%rcx
31273 ++ bt \$`60-32`,%r9 # AVX?
31274 ++ cmovc %rax,%r10
31275 ++ cmovc %rcx,%r11
31276 ++___
31277 ++$code.=<<___ if (!$kernel && $avx>1);
31278 ++ lea poly1305_blocks_avx2(%rip),%rax
31279 ++ bt \$`5+32`,%r9 # AVX2?
31280 ++ cmovc %rax,%r10
31281 ++___
31282 ++$code.=<<___ if (!$kernel && $avx>3);
31283 ++ mov \$`(1<<31|1<<21|1<<16)`,%rax
31284 ++ shr \$32,%r9
31285 ++ and %rax,%r9
31286 ++ cmp %rax,%r9
31287 ++ je .Linit_base2_44
31288 ++___
31289 ++$code.=<<___;
31290 ++ mov \$0x0ffffffc0fffffff,%rax
31291 ++ mov \$0x0ffffffc0ffffffc,%rcx
31292 ++ and 0($inp),%rax
31293 ++ and 8($inp),%rcx
31294 ++ mov %rax,24($ctx)
31295 ++ mov %rcx,32($ctx)
31296 ++___
31297 ++$code.=<<___ if (!$kernel && $flavour !~ /elf32/);
31298 ++ mov %r10,0(%rdx)
31299 ++ mov %r11,8(%rdx)
31300 ++___
31301 ++$code.=<<___ if (!$kernel && $flavour =~ /elf32/);
31302 ++ mov %r10d,0(%rdx)
31303 ++ mov %r11d,4(%rdx)
31304 ++___
31305 ++$code.=<<___;
31306 ++ mov \$1,%eax
31307 ++.Lno_key:
31308 ++ ret
31309 ++___
31310 ++&end_function("poly1305_init_x86_64");
31311 ++
31312 ++&declare_function("poly1305_blocks_x86_64", 32, 4);
31313 ++$code.=<<___;
31314 ++.cfi_startproc
31315 ++.Lblocks:
31316 ++ shr \$4,$len
31317 ++ jz .Lno_data # too short
31318 ++
31319 ++ push %rbx
31320 ++.cfi_push %rbx
31321 ++ push %r12
31322 ++.cfi_push %r12
31323 ++ push %r13
31324 ++.cfi_push %r13
31325 ++ push %r14
31326 ++.cfi_push %r14
31327 ++ push %r15
31328 ++.cfi_push %r15
31329 ++ push $ctx
31330 ++.cfi_push $ctx
31331 ++.Lblocks_body:
31332 ++
31333 ++ mov $len,%r15 # reassign $len
31334 ++
31335 ++ mov 24($ctx),$r0 # load r
31336 ++ mov 32($ctx),$s1
31337 ++
31338 ++ mov 0($ctx),$h0 # load hash value
31339 ++ mov 8($ctx),$h1
31340 ++ mov 16($ctx),$h2
31341 ++
31342 ++ mov $s1,$r1
31343 ++ shr \$2,$s1
31344 ++ mov $r1,%rax
31345 ++ add $r1,$s1 # s1 = r1 + (r1 >> 2)
31346 ++ jmp .Loop
31347 ++
31348 ++.align 32
31349 ++.Loop:
31350 ++ add 0($inp),$h0 # accumulate input
31351 ++ adc 8($inp),$h1
31352 ++ lea 16($inp),$inp
31353 ++ adc $padbit,$h2
31354 ++___
31355 ++
31356 ++ &poly1305_iteration();
31357 ++
31358 ++$code.=<<___;
31359 ++ mov $r1,%rax
31360 ++ dec %r15 # len-=16
31361 ++ jnz .Loop
31362 ++
31363 ++ mov 0(%rsp),$ctx
31364 ++.cfi_restore $ctx
31365 ++
31366 ++ mov $h0,0($ctx) # store hash value
31367 ++ mov $h1,8($ctx)
31368 ++ mov $h2,16($ctx)
31369 ++
31370 ++ mov 8(%rsp),%r15
31371 ++.cfi_restore %r15
31372 ++ mov 16(%rsp),%r14
31373 ++.cfi_restore %r14
31374 ++ mov 24(%rsp),%r13
31375 ++.cfi_restore %r13
31376 ++ mov 32(%rsp),%r12
31377 ++.cfi_restore %r12
31378 ++ mov 40(%rsp),%rbx
31379 ++.cfi_restore %rbx
31380 ++ lea 48(%rsp),%rsp
31381 ++.cfi_adjust_cfa_offset -48
31382 ++.Lno_data:
31383 ++.Lblocks_epilogue:
31384 ++ ret
31385 ++.cfi_endproc
31386 ++___
31387 ++&end_function("poly1305_blocks_x86_64");
31388 ++
31389 ++&declare_function("poly1305_emit_x86_64", 32, 3);
31390 ++$code.=<<___;
31391 ++.Lemit:
31392 ++ mov 0($ctx),%r8 # load hash value
31393 ++ mov 8($ctx),%r9
31394 ++ mov 16($ctx),%r10
31395 ++
31396 ++ mov %r8,%rax
31397 ++ add \$5,%r8 # compare to modulus
31398 ++ mov %r9,%rcx
31399 ++ adc \$0,%r9
31400 ++ adc \$0,%r10
31401 ++ shr \$2,%r10 # did 130-bit value overflow?
31402 ++ cmovnz %r8,%rax
31403 ++ cmovnz %r9,%rcx
31404 ++
31405 ++ add 0($nonce),%rax # accumulate nonce
31406 ++ adc 8($nonce),%rcx
31407 ++ mov %rax,0($mac) # write result
31408 ++ mov %rcx,8($mac)
31409 ++
31410 ++ ret
31411 ++___
31412 ++&end_function("poly1305_emit_x86_64");
31413 ++if ($avx) {
31414 ++
31415 ++if($kernel) {
31416 ++ $code .= "#ifdef CONFIG_AS_AVX\n";
31417 ++}
31418 ++
31419 ++########################################################################
31420 ++# Layout of opaque area is following.
31421 ++#
31422 ++# unsigned __int32 h[5]; # current hash value base 2^26
31423 ++# unsigned __int32 is_base2_26;
31424 ++# unsigned __int64 r[2]; # key value base 2^64
31425 ++# unsigned __int64 pad;
31426 ++# struct { unsigned __int32 r^2, r^1, r^4, r^3; } r[9];
31427 ++#
31428 ++# where r^n are base 2^26 digits of degrees of multiplier key. There are
31429 ++# 5 digits, but last four are interleaved with multiples of 5, totalling
31430 ++# in 9 elements: r0, r1, 5*r1, r2, 5*r2, r3, 5*r3, r4, 5*r4.
31431 ++
31432 ++my ($H0,$H1,$H2,$H3,$H4, $T0,$T1,$T2,$T3,$T4, $D0,$D1,$D2,$D3,$D4, $MASK) =
31433 ++ map("%xmm$_",(0..15));
31434 ++
31435 ++$code.=<<___;
31436 ++.type __poly1305_block,\@abi-omnipotent
31437 ++.align 32
31438 ++__poly1305_block:
31439 ++ push $ctx
31440 ++___
31441 ++ &poly1305_iteration();
31442 ++$code.=<<___;
31443 ++ pop $ctx
31444 ++ ret
31445 ++.size __poly1305_block,.-__poly1305_block
31446 ++
31447 ++.type __poly1305_init_avx,\@abi-omnipotent
31448 ++.align 32
31449 ++__poly1305_init_avx:
31450 ++ push %rbp
31451 ++ mov %rsp,%rbp
31452 ++ mov $r0,$h0
31453 ++ mov $r1,$h1
31454 ++ xor $h2,$h2
31455 ++
31456 ++ lea 48+64($ctx),$ctx # size optimization
31457 ++
31458 ++ mov $r1,%rax
31459 ++ call __poly1305_block # r^2
31460 ++
31461 ++ mov \$0x3ffffff,%eax # save interleaved r^2 and r base 2^26
31462 ++ mov \$0x3ffffff,%edx
31463 ++ mov $h0,$d1
31464 ++ and $h0#d,%eax
31465 ++ mov $r0,$d2
31466 ++ and $r0#d,%edx
31467 ++ mov %eax,`16*0+0-64`($ctx)
31468 ++ shr \$26,$d1
31469 ++ mov %edx,`16*0+4-64`($ctx)
31470 ++ shr \$26,$d2
31471 ++
31472 ++ mov \$0x3ffffff,%eax
31473 ++ mov \$0x3ffffff,%edx
31474 ++ and $d1#d,%eax
31475 ++ and $d2#d,%edx
31476 ++ mov %eax,`16*1+0-64`($ctx)
31477 ++ lea (%rax,%rax,4),%eax # *5
31478 ++ mov %edx,`16*1+4-64`($ctx)
31479 ++ lea (%rdx,%rdx,4),%edx # *5
31480 ++ mov %eax,`16*2+0-64`($ctx)
31481 ++ shr \$26,$d1
31482 ++ mov %edx,`16*2+4-64`($ctx)
31483 ++ shr \$26,$d2
31484 ++
31485 ++ mov $h1,%rax
31486 ++ mov $r1,%rdx
31487 ++ shl \$12,%rax
31488 ++ shl \$12,%rdx
31489 ++ or $d1,%rax
31490 ++ or $d2,%rdx
31491 ++ and \$0x3ffffff,%eax
31492 ++ and \$0x3ffffff,%edx
31493 ++ mov %eax,`16*3+0-64`($ctx)
31494 ++ lea (%rax,%rax,4),%eax # *5
31495 ++ mov %edx,`16*3+4-64`($ctx)
31496 ++ lea (%rdx,%rdx,4),%edx # *5
31497 ++ mov %eax,`16*4+0-64`($ctx)
31498 ++ mov $h1,$d1
31499 ++ mov %edx,`16*4+4-64`($ctx)
31500 ++ mov $r1,$d2
31501 ++
31502 ++ mov \$0x3ffffff,%eax
31503 ++ mov \$0x3ffffff,%edx
31504 ++ shr \$14,$d1
31505 ++ shr \$14,$d2
31506 ++ and $d1#d,%eax
31507 ++ and $d2#d,%edx
31508 ++ mov %eax,`16*5+0-64`($ctx)
31509 ++ lea (%rax,%rax,4),%eax # *5
31510 ++ mov %edx,`16*5+4-64`($ctx)
31511 ++ lea (%rdx,%rdx,4),%edx # *5
31512 ++ mov %eax,`16*6+0-64`($ctx)
31513 ++ shr \$26,$d1
31514 ++ mov %edx,`16*6+4-64`($ctx)
31515 ++ shr \$26,$d2
31516 ++
31517 ++ mov $h2,%rax
31518 ++ shl \$24,%rax
31519 ++ or %rax,$d1
31520 ++ mov $d1#d,`16*7+0-64`($ctx)
31521 ++ lea ($d1,$d1,4),$d1 # *5
31522 ++ mov $d2#d,`16*7+4-64`($ctx)
31523 ++ lea ($d2,$d2,4),$d2 # *5
31524 ++ mov $d1#d,`16*8+0-64`($ctx)
31525 ++ mov $d2#d,`16*8+4-64`($ctx)
31526 ++
31527 ++ mov $r1,%rax
31528 ++ call __poly1305_block # r^3
31529 ++
31530 ++ mov \$0x3ffffff,%eax # save r^3 base 2^26
31531 ++ mov $h0,$d1
31532 ++ and $h0#d,%eax
31533 ++ shr \$26,$d1
31534 ++ mov %eax,`16*0+12-64`($ctx)
31535 ++
31536 ++ mov \$0x3ffffff,%edx
31537 ++ and $d1#d,%edx
31538 ++ mov %edx,`16*1+12-64`($ctx)
31539 ++ lea (%rdx,%rdx,4),%edx # *5
31540 ++ shr \$26,$d1
31541 ++ mov %edx,`16*2+12-64`($ctx)
31542 ++
31543 ++ mov $h1,%rax
31544 ++ shl \$12,%rax
31545 ++ or $d1,%rax
31546 ++ and \$0x3ffffff,%eax
31547 ++ mov %eax,`16*3+12-64`($ctx)
31548 ++ lea (%rax,%rax,4),%eax # *5
31549 ++ mov $h1,$d1
31550 ++ mov %eax,`16*4+12-64`($ctx)
31551 ++
31552 ++ mov \$0x3ffffff,%edx
31553 ++ shr \$14,$d1
31554 ++ and $d1#d,%edx
31555 ++ mov %edx,`16*5+12-64`($ctx)
31556 ++ lea (%rdx,%rdx,4),%edx # *5
31557 ++ shr \$26,$d1
31558 ++ mov %edx,`16*6+12-64`($ctx)
31559 ++
31560 ++ mov $h2,%rax
31561 ++ shl \$24,%rax
31562 ++ or %rax,$d1
31563 ++ mov $d1#d,`16*7+12-64`($ctx)
31564 ++ lea ($d1,$d1,4),$d1 # *5
31565 ++ mov $d1#d,`16*8+12-64`($ctx)
31566 ++
31567 ++ mov $r1,%rax
31568 ++ call __poly1305_block # r^4
31569 ++
31570 ++ mov \$0x3ffffff,%eax # save r^4 base 2^26
31571 ++ mov $h0,$d1
31572 ++ and $h0#d,%eax
31573 ++ shr \$26,$d1
31574 ++ mov %eax,`16*0+8-64`($ctx)
31575 ++
31576 ++ mov \$0x3ffffff,%edx
31577 ++ and $d1#d,%edx
31578 ++ mov %edx,`16*1+8-64`($ctx)
31579 ++ lea (%rdx,%rdx,4),%edx # *5
31580 ++ shr \$26,$d1
31581 ++ mov %edx,`16*2+8-64`($ctx)
31582 ++
31583 ++ mov $h1,%rax
31584 ++ shl \$12,%rax
31585 ++ or $d1,%rax
31586 ++ and \$0x3ffffff,%eax
31587 ++ mov %eax,`16*3+8-64`($ctx)
31588 ++ lea (%rax,%rax,4),%eax # *5
31589 ++ mov $h1,$d1
31590 ++ mov %eax,`16*4+8-64`($ctx)
31591 ++
31592 ++ mov \$0x3ffffff,%edx
31593 ++ shr \$14,$d1
31594 ++ and $d1#d,%edx
31595 ++ mov %edx,`16*5+8-64`($ctx)
31596 ++ lea (%rdx,%rdx,4),%edx # *5
31597 ++ shr \$26,$d1
31598 ++ mov %edx,`16*6+8-64`($ctx)
31599 ++
31600 ++ mov $h2,%rax
31601 ++ shl \$24,%rax
31602 ++ or %rax,$d1
31603 ++ mov $d1#d,`16*7+8-64`($ctx)
31604 ++ lea ($d1,$d1,4),$d1 # *5
31605 ++ mov $d1#d,`16*8+8-64`($ctx)
31606 ++
31607 ++ lea -48-64($ctx),$ctx # size [de-]optimization
31608 ++ pop %rbp
31609 ++ ret
31610 ++.size __poly1305_init_avx,.-__poly1305_init_avx
31611 ++___
31612 ++
31613 ++&declare_function("poly1305_blocks_avx", 32, 4);
31614 ++$code.=<<___;
31615 ++.cfi_startproc
31616 ++ mov 20($ctx),%r8d # is_base2_26
31617 ++ cmp \$128,$len
31618 ++ jae .Lblocks_avx
31619 ++ test %r8d,%r8d
31620 ++ jz .Lblocks
31621 ++
31622 ++.Lblocks_avx:
31623 ++ and \$-16,$len
31624 ++ jz .Lno_data_avx
31625 ++
31626 ++ vzeroupper
31627 ++
31628 ++ test %r8d,%r8d
31629 ++ jz .Lbase2_64_avx
31630 ++
31631 ++ test \$31,$len
31632 ++ jz .Leven_avx
31633 ++
31634 ++ push %rbp
31635 ++.cfi_push %rbp
31636 ++ mov %rsp,%rbp
31637 ++ push %rbx
31638 ++.cfi_push %rbx
31639 ++ push %r12
31640 ++.cfi_push %r12
31641 ++ push %r13
31642 ++.cfi_push %r13
31643 ++ push %r14
31644 ++.cfi_push %r14
31645 ++ push %r15
31646 ++.cfi_push %r15
31647 ++.Lblocks_avx_body:
31648 ++
31649 ++ mov $len,%r15 # reassign $len
31650 ++
31651 ++ mov 0($ctx),$d1 # load hash value
31652 ++ mov 8($ctx),$d2
31653 ++ mov 16($ctx),$h2#d
31654 ++
31655 ++ mov 24($ctx),$r0 # load r
31656 ++ mov 32($ctx),$s1
31657 ++
31658 ++ ################################# base 2^26 -> base 2^64
31659 ++ mov $d1#d,$h0#d
31660 ++ and \$`-1*(1<<31)`,$d1
31661 ++ mov $d2,$r1 # borrow $r1
31662 ++ mov $d2#d,$h1#d
31663 ++ and \$`-1*(1<<31)`,$d2
31664 ++
31665 ++ shr \$6,$d1
31666 ++ shl \$52,$r1
31667 ++ add $d1,$h0
31668 ++ shr \$12,$h1
31669 ++ shr \$18,$d2
31670 ++ add $r1,$h0
31671 ++ adc $d2,$h1
31672 ++
31673 ++ mov $h2,$d1
31674 ++ shl \$40,$d1
31675 ++ shr \$24,$h2
31676 ++ add $d1,$h1
31677 ++ adc \$0,$h2 # can be partially reduced...
31678 ++
31679 ++ mov \$-4,$d2 # ... so reduce
31680 ++ mov $h2,$d1
31681 ++ and $h2,$d2
31682 ++ shr \$2,$d1
31683 ++ and \$3,$h2
31684 ++ add $d2,$d1 # =*5
31685 ++ add $d1,$h0
31686 ++ adc \$0,$h1
31687 ++ adc \$0,$h2
31688 ++
31689 ++ mov $s1,$r1
31690 ++ mov $s1,%rax
31691 ++ shr \$2,$s1
31692 ++ add $r1,$s1 # s1 = r1 + (r1 >> 2)
31693 ++
31694 ++ add 0($inp),$h0 # accumulate input
31695 ++ adc 8($inp),$h1
31696 ++ lea 16($inp),$inp
31697 ++ adc $padbit,$h2
31698 ++
31699 ++ call __poly1305_block
31700 ++
31701 ++ test $padbit,$padbit # if $padbit is zero,
31702 ++ jz .Lstore_base2_64_avx # store hash in base 2^64 format
31703 ++
31704 ++ ################################# base 2^64 -> base 2^26
31705 ++ mov $h0,%rax
31706 ++ mov $h0,%rdx
31707 ++ shr \$52,$h0
31708 ++ mov $h1,$r0
31709 ++ mov $h1,$r1
31710 ++ shr \$26,%rdx
31711 ++ and \$0x3ffffff,%rax # h[0]
31712 ++ shl \$12,$r0
31713 ++ and \$0x3ffffff,%rdx # h[1]
31714 ++ shr \$14,$h1
31715 ++ or $r0,$h0
31716 ++ shl \$24,$h2
31717 ++ and \$0x3ffffff,$h0 # h[2]
31718 ++ shr \$40,$r1
31719 ++ and \$0x3ffffff,$h1 # h[3]
31720 ++ or $r1,$h2 # h[4]
31721 ++
31722 ++ sub \$16,%r15
31723 ++ jz .Lstore_base2_26_avx
31724 ++
31725 ++ vmovd %rax#d,$H0
31726 ++ vmovd %rdx#d,$H1
31727 ++ vmovd $h0#d,$H2
31728 ++ vmovd $h1#d,$H3
31729 ++ vmovd $h2#d,$H4
31730 ++ jmp .Lproceed_avx
31731 ++
31732 ++.align 32
31733 ++.Lstore_base2_64_avx:
31734 ++ mov $h0,0($ctx)
31735 ++ mov $h1,8($ctx)
31736 ++ mov $h2,16($ctx) # note that is_base2_26 is zeroed
31737 ++ jmp .Ldone_avx
31738 ++
31739 ++.align 16
31740 ++.Lstore_base2_26_avx:
31741 ++ mov %rax#d,0($ctx) # store hash value base 2^26
31742 ++ mov %rdx#d,4($ctx)
31743 ++ mov $h0#d,8($ctx)
31744 ++ mov $h1#d,12($ctx)
31745 ++ mov $h2#d,16($ctx)
31746 ++.align 16
31747 ++.Ldone_avx:
31748 ++ pop %r15
31749 ++.cfi_restore %r15
31750 ++ pop %r14
31751 ++.cfi_restore %r14
31752 ++ pop %r13
31753 ++.cfi_restore %r13
31754 ++ pop %r12
31755 ++.cfi_restore %r12
31756 ++ pop %rbx
31757 ++.cfi_restore %rbx
31758 ++ pop %rbp
31759 ++.cfi_restore %rbp
31760 ++.Lno_data_avx:
31761 ++.Lblocks_avx_epilogue:
31762 ++ ret
31763 ++.cfi_endproc
31764 ++
31765 ++.align 32
31766 ++.Lbase2_64_avx:
31767 ++.cfi_startproc
31768 ++ push %rbp
31769 ++.cfi_push %rbp
31770 ++ mov %rsp,%rbp
31771 ++ push %rbx
31772 ++.cfi_push %rbx
31773 ++ push %r12
31774 ++.cfi_push %r12
31775 ++ push %r13
31776 ++.cfi_push %r13
31777 ++ push %r14
31778 ++.cfi_push %r14
31779 ++ push %r15
31780 ++.cfi_push %r15
31781 ++.Lbase2_64_avx_body:
31782 ++
31783 ++ mov $len,%r15 # reassign $len
31784 ++
31785 ++ mov 24($ctx),$r0 # load r
31786 ++ mov 32($ctx),$s1
31787 ++
31788 ++ mov 0($ctx),$h0 # load hash value
31789 ++ mov 8($ctx),$h1
31790 ++ mov 16($ctx),$h2#d
31791 ++
31792 ++ mov $s1,$r1
31793 ++ mov $s1,%rax
31794 ++ shr \$2,$s1
31795 ++ add $r1,$s1 # s1 = r1 + (r1 >> 2)
31796 ++
31797 ++ test \$31,$len
31798 ++ jz .Linit_avx
31799 ++
31800 ++ add 0($inp),$h0 # accumulate input
31801 ++ adc 8($inp),$h1
31802 ++ lea 16($inp),$inp
31803 ++ adc $padbit,$h2
31804 ++ sub \$16,%r15
31805 ++
31806 ++ call __poly1305_block
31807 ++
31808 ++.Linit_avx:
31809 ++ ################################# base 2^64 -> base 2^26
31810 ++ mov $h0,%rax
31811 ++ mov $h0,%rdx
31812 ++ shr \$52,$h0
31813 ++ mov $h1,$d1
31814 ++ mov $h1,$d2
31815 ++ shr \$26,%rdx
31816 ++ and \$0x3ffffff,%rax # h[0]
31817 ++ shl \$12,$d1
31818 ++ and \$0x3ffffff,%rdx # h[1]
31819 ++ shr \$14,$h1
31820 ++ or $d1,$h0
31821 ++ shl \$24,$h2
31822 ++ and \$0x3ffffff,$h0 # h[2]
31823 ++ shr \$40,$d2
31824 ++ and \$0x3ffffff,$h1 # h[3]
31825 ++ or $d2,$h2 # h[4]
31826 ++
31827 ++ vmovd %rax#d,$H0
31828 ++ vmovd %rdx#d,$H1
31829 ++ vmovd $h0#d,$H2
31830 ++ vmovd $h1#d,$H3
31831 ++ vmovd $h2#d,$H4
31832 ++ movl \$1,20($ctx) # set is_base2_26
31833 ++
31834 ++ call __poly1305_init_avx
31835 ++
31836 ++.Lproceed_avx:
31837 ++ mov %r15,$len
31838 ++ pop %r15
31839 ++.cfi_restore %r15
31840 ++ pop %r14
31841 ++.cfi_restore %r14
31842 ++ pop %r13
31843 ++.cfi_restore %r13
31844 ++ pop %r12
31845 ++.cfi_restore %r12
31846 ++ pop %rbx
31847 ++.cfi_restore %rbx
31848 ++ pop %rbp
31849 ++.cfi_restore %rbp
31850 ++.Lbase2_64_avx_epilogue:
31851 ++ jmp .Ldo_avx
31852 ++.cfi_endproc
31853 ++
31854 ++.align 32
31855 ++.Leven_avx:
31856 ++.cfi_startproc
31857 ++ vmovd 4*0($ctx),$H0 # load hash value
31858 ++ vmovd 4*1($ctx),$H1
31859 ++ vmovd 4*2($ctx),$H2
31860 ++ vmovd 4*3($ctx),$H3
31861 ++ vmovd 4*4($ctx),$H4
31862 ++
31863 ++.Ldo_avx:
31864 ++___
31865 ++$code.=<<___ if (!$win64);
31866 ++ lea 8(%rsp),%r10
31867 ++.cfi_def_cfa_register %r10
31868 ++ and \$-32,%rsp
31869 ++ sub \$-8,%rsp
31870 ++ lea -0x58(%rsp),%r11
31871 ++ sub \$0x178,%rsp
31872 ++___
31873 ++$code.=<<___ if ($win64);
31874 ++ lea -0xf8(%rsp),%r11
31875 ++ sub \$0x218,%rsp
31876 ++ vmovdqa %xmm6,0x50(%r11)
31877 ++ vmovdqa %xmm7,0x60(%r11)
31878 ++ vmovdqa %xmm8,0x70(%r11)
31879 ++ vmovdqa %xmm9,0x80(%r11)
31880 ++ vmovdqa %xmm10,0x90(%r11)
31881 ++ vmovdqa %xmm11,0xa0(%r11)
31882 ++ vmovdqa %xmm12,0xb0(%r11)
31883 ++ vmovdqa %xmm13,0xc0(%r11)
31884 ++ vmovdqa %xmm14,0xd0(%r11)
31885 ++ vmovdqa %xmm15,0xe0(%r11)
31886 ++.Ldo_avx_body:
31887 ++___
31888 ++$code.=<<___;
31889 ++ sub \$64,$len
31890 ++ lea -32($inp),%rax
31891 ++ cmovc %rax,$inp
31892 ++
31893 ++ vmovdqu `16*3`($ctx),$D4 # preload r0^2
31894 ++ lea `16*3+64`($ctx),$ctx # size optimization
31895 ++ lea .Lconst(%rip),%rcx
31896 ++
31897 ++ ################################################################
31898 ++ # load input
31899 ++ vmovdqu 16*2($inp),$T0
31900 ++ vmovdqu 16*3($inp),$T1
31901 ++ vmovdqa 64(%rcx),$MASK # .Lmask26
31902 ++
31903 ++ vpsrldq \$6,$T0,$T2 # splat input
31904 ++ vpsrldq \$6,$T1,$T3
31905 ++ vpunpckhqdq $T1,$T0,$T4 # 4
31906 ++ vpunpcklqdq $T1,$T0,$T0 # 0:1
31907 ++ vpunpcklqdq $T3,$T2,$T3 # 2:3
31908 ++
31909 ++ vpsrlq \$40,$T4,$T4 # 4
31910 ++ vpsrlq \$26,$T0,$T1
31911 ++ vpand $MASK,$T0,$T0 # 0
31912 ++ vpsrlq \$4,$T3,$T2
31913 ++ vpand $MASK,$T1,$T1 # 1
31914 ++ vpsrlq \$30,$T3,$T3
31915 ++ vpand $MASK,$T2,$T2 # 2
31916 ++ vpand $MASK,$T3,$T3 # 3
31917 ++ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
31918 ++
31919 ++ jbe .Lskip_loop_avx
31920 ++
31921 ++ # expand and copy pre-calculated table to stack
31922 ++ vmovdqu `16*1-64`($ctx),$D1
31923 ++ vmovdqu `16*2-64`($ctx),$D2
31924 ++ vpshufd \$0xEE,$D4,$D3 # 34xx -> 3434
31925 ++ vpshufd \$0x44,$D4,$D0 # xx12 -> 1212
31926 ++ vmovdqa $D3,-0x90(%r11)
31927 ++ vmovdqa $D0,0x00(%rsp)
31928 ++ vpshufd \$0xEE,$D1,$D4
31929 ++ vmovdqu `16*3-64`($ctx),$D0
31930 ++ vpshufd \$0x44,$D1,$D1
31931 ++ vmovdqa $D4,-0x80(%r11)
31932 ++ vmovdqa $D1,0x10(%rsp)
31933 ++ vpshufd \$0xEE,$D2,$D3
31934 ++ vmovdqu `16*4-64`($ctx),$D1
31935 ++ vpshufd \$0x44,$D2,$D2
31936 ++ vmovdqa $D3,-0x70(%r11)
31937 ++ vmovdqa $D2,0x20(%rsp)
31938 ++ vpshufd \$0xEE,$D0,$D4
31939 ++ vmovdqu `16*5-64`($ctx),$D2
31940 ++ vpshufd \$0x44,$D0,$D0
31941 ++ vmovdqa $D4,-0x60(%r11)
31942 ++ vmovdqa $D0,0x30(%rsp)
31943 ++ vpshufd \$0xEE,$D1,$D3
31944 ++ vmovdqu `16*6-64`($ctx),$D0
31945 ++ vpshufd \$0x44,$D1,$D1
31946 ++ vmovdqa $D3,-0x50(%r11)
31947 ++ vmovdqa $D1,0x40(%rsp)
31948 ++ vpshufd \$0xEE,$D2,$D4
31949 ++ vmovdqu `16*7-64`($ctx),$D1
31950 ++ vpshufd \$0x44,$D2,$D2
31951 ++ vmovdqa $D4,-0x40(%r11)
31952 ++ vmovdqa $D2,0x50(%rsp)
31953 ++ vpshufd \$0xEE,$D0,$D3
31954 ++ vmovdqu `16*8-64`($ctx),$D2
31955 ++ vpshufd \$0x44,$D0,$D0
31956 ++ vmovdqa $D3,-0x30(%r11)
31957 ++ vmovdqa $D0,0x60(%rsp)
31958 ++ vpshufd \$0xEE,$D1,$D4
31959 ++ vpshufd \$0x44,$D1,$D1
31960 ++ vmovdqa $D4,-0x20(%r11)
31961 ++ vmovdqa $D1,0x70(%rsp)
31962 ++ vpshufd \$0xEE,$D2,$D3
31963 ++ vmovdqa 0x00(%rsp),$D4 # preload r0^2
31964 ++ vpshufd \$0x44,$D2,$D2
31965 ++ vmovdqa $D3,-0x10(%r11)
31966 ++ vmovdqa $D2,0x80(%rsp)
31967 ++
31968 ++ jmp .Loop_avx
31969 ++
31970 ++.align 32
31971 ++.Loop_avx:
31972 ++ ################################################################
31973 ++ # ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2
31974 ++ # ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^3+inp[7]*r
31975 ++ # \___________________/
31976 ++ # ((inp[0]*r^4+inp[2]*r^2+inp[4])*r^4+inp[6]*r^2+inp[8])*r^2
31977 ++ # ((inp[1]*r^4+inp[3]*r^2+inp[5])*r^4+inp[7]*r^2+inp[9])*r
31978 ++ # \___________________/ \____________________/
31979 ++ #
31980 ++ # Note that we start with inp[2:3]*r^2. This is because it
31981 ++ # doesn't depend on reduction in previous iteration.
31982 ++ ################################################################
31983 ++ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
31984 ++ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
31985 ++ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
31986 ++ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
31987 ++ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
31988 ++ #
31989 ++ # though note that $Tx and $Hx are "reversed" in this section,
31990 ++ # and $D4 is preloaded with r0^2...
31991 ++
31992 ++ vpmuludq $T0,$D4,$D0 # d0 = h0*r0
31993 ++ vpmuludq $T1,$D4,$D1 # d1 = h1*r0
31994 ++ vmovdqa $H2,0x20(%r11) # offload hash
31995 ++ vpmuludq $T2,$D4,$D2 # d3 = h2*r0
31996 ++ vmovdqa 0x10(%rsp),$H2 # r1^2
31997 ++ vpmuludq $T3,$D4,$D3 # d3 = h3*r0
31998 ++ vpmuludq $T4,$D4,$D4 # d4 = h4*r0
31999 ++
32000 ++ vmovdqa $H0,0x00(%r11) #
32001 ++ vpmuludq 0x20(%rsp),$T4,$H0 # h4*s1
32002 ++ vmovdqa $H1,0x10(%r11) #
32003 ++ vpmuludq $T3,$H2,$H1 # h3*r1
32004 ++ vpaddq $H0,$D0,$D0 # d0 += h4*s1
32005 ++ vpaddq $H1,$D4,$D4 # d4 += h3*r1
32006 ++ vmovdqa $H3,0x30(%r11) #
32007 ++ vpmuludq $T2,$H2,$H0 # h2*r1
32008 ++ vpmuludq $T1,$H2,$H1 # h1*r1
32009 ++ vpaddq $H0,$D3,$D3 # d3 += h2*r1
32010 ++ vmovdqa 0x30(%rsp),$H3 # r2^2
32011 ++ vpaddq $H1,$D2,$D2 # d2 += h1*r1
32012 ++ vmovdqa $H4,0x40(%r11) #
32013 ++ vpmuludq $T0,$H2,$H2 # h0*r1
32014 ++ vpmuludq $T2,$H3,$H0 # h2*r2
32015 ++ vpaddq $H2,$D1,$D1 # d1 += h0*r1
32016 ++
32017 ++ vmovdqa 0x40(%rsp),$H4 # s2^2
32018 ++ vpaddq $H0,$D4,$D4 # d4 += h2*r2
32019 ++ vpmuludq $T1,$H3,$H1 # h1*r2
32020 ++ vpmuludq $T0,$H3,$H3 # h0*r2
32021 ++ vpaddq $H1,$D3,$D3 # d3 += h1*r2
32022 ++ vmovdqa 0x50(%rsp),$H2 # r3^2
32023 ++ vpaddq $H3,$D2,$D2 # d2 += h0*r2
32024 ++ vpmuludq $T4,$H4,$H0 # h4*s2
32025 ++ vpmuludq $T3,$H4,$H4 # h3*s2
32026 ++ vpaddq $H0,$D1,$D1 # d1 += h4*s2
32027 ++ vmovdqa 0x60(%rsp),$H3 # s3^2
32028 ++ vpaddq $H4,$D0,$D0 # d0 += h3*s2
32029 ++
32030 ++ vmovdqa 0x80(%rsp),$H4 # s4^2
32031 ++ vpmuludq $T1,$H2,$H1 # h1*r3
32032 ++ vpmuludq $T0,$H2,$H2 # h0*r3
32033 ++ vpaddq $H1,$D4,$D4 # d4 += h1*r3
32034 ++ vpaddq $H2,$D3,$D3 # d3 += h0*r3
32035 ++ vpmuludq $T4,$H3,$H0 # h4*s3
32036 ++ vpmuludq $T3,$H3,$H1 # h3*s3
32037 ++ vpaddq $H0,$D2,$D2 # d2 += h4*s3
32038 ++ vmovdqu 16*0($inp),$H0 # load input
32039 ++ vpaddq $H1,$D1,$D1 # d1 += h3*s3
32040 ++ vpmuludq $T2,$H3,$H3 # h2*s3
32041 ++ vpmuludq $T2,$H4,$T2 # h2*s4
32042 ++ vpaddq $H3,$D0,$D0 # d0 += h2*s3
32043 ++
32044 ++ vmovdqu 16*1($inp),$H1 #
32045 ++ vpaddq $T2,$D1,$D1 # d1 += h2*s4
32046 ++ vpmuludq $T3,$H4,$T3 # h3*s4
32047 ++ vpmuludq $T4,$H4,$T4 # h4*s4
32048 ++ vpsrldq \$6,$H0,$H2 # splat input
32049 ++ vpaddq $T3,$D2,$D2 # d2 += h3*s4
32050 ++ vpaddq $T4,$D3,$D3 # d3 += h4*s4
32051 ++ vpsrldq \$6,$H1,$H3 #
32052 ++ vpmuludq 0x70(%rsp),$T0,$T4 # h0*r4
32053 ++ vpmuludq $T1,$H4,$T0 # h1*s4
32054 ++ vpunpckhqdq $H1,$H0,$H4 # 4
32055 ++ vpaddq $T4,$D4,$D4 # d4 += h0*r4
32056 ++ vmovdqa -0x90(%r11),$T4 # r0^4
32057 ++ vpaddq $T0,$D0,$D0 # d0 += h1*s4
32058 ++
32059 ++ vpunpcklqdq $H1,$H0,$H0 # 0:1
32060 ++ vpunpcklqdq $H3,$H2,$H3 # 2:3
32061 ++
32062 ++ #vpsrlq \$40,$H4,$H4 # 4
32063 ++ vpsrldq \$`40/8`,$H4,$H4 # 4
32064 ++ vpsrlq \$26,$H0,$H1
32065 ++ vpand $MASK,$H0,$H0 # 0
32066 ++ vpsrlq \$4,$H3,$H2
32067 ++ vpand $MASK,$H1,$H1 # 1
32068 ++ vpand 0(%rcx),$H4,$H4 # .Lmask24
32069 ++ vpsrlq \$30,$H3,$H3
32070 ++ vpand $MASK,$H2,$H2 # 2
32071 ++ vpand $MASK,$H3,$H3 # 3
32072 ++ vpor 32(%rcx),$H4,$H4 # padbit, yes, always
32073 ++
32074 ++ vpaddq 0x00(%r11),$H0,$H0 # add hash value
32075 ++ vpaddq 0x10(%r11),$H1,$H1
32076 ++ vpaddq 0x20(%r11),$H2,$H2
32077 ++ vpaddq 0x30(%r11),$H3,$H3
32078 ++ vpaddq 0x40(%r11),$H4,$H4
32079 ++
32080 ++ lea 16*2($inp),%rax
32081 ++ lea 16*4($inp),$inp
32082 ++ sub \$64,$len
32083 ++ cmovc %rax,$inp
32084 ++
32085 ++ ################################################################
32086 ++ # Now we accumulate (inp[0:1]+hash)*r^4
32087 ++ ################################################################
32088 ++ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
32089 ++ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
32090 ++ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32091 ++ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
32092 ++ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
32093 ++
32094 ++ vpmuludq $H0,$T4,$T0 # h0*r0
32095 ++ vpmuludq $H1,$T4,$T1 # h1*r0
32096 ++ vpaddq $T0,$D0,$D0
32097 ++ vpaddq $T1,$D1,$D1
32098 ++ vmovdqa -0x80(%r11),$T2 # r1^4
32099 ++ vpmuludq $H2,$T4,$T0 # h2*r0
32100 ++ vpmuludq $H3,$T4,$T1 # h3*r0
32101 ++ vpaddq $T0,$D2,$D2
32102 ++ vpaddq $T1,$D3,$D3
32103 ++ vpmuludq $H4,$T4,$T4 # h4*r0
32104 ++ vpmuludq -0x70(%r11),$H4,$T0 # h4*s1
32105 ++ vpaddq $T4,$D4,$D4
32106 ++
32107 ++ vpaddq $T0,$D0,$D0 # d0 += h4*s1
32108 ++ vpmuludq $H2,$T2,$T1 # h2*r1
32109 ++ vpmuludq $H3,$T2,$T0 # h3*r1
32110 ++ vpaddq $T1,$D3,$D3 # d3 += h2*r1
32111 ++ vmovdqa -0x60(%r11),$T3 # r2^4
32112 ++ vpaddq $T0,$D4,$D4 # d4 += h3*r1
32113 ++ vpmuludq $H1,$T2,$T1 # h1*r1
32114 ++ vpmuludq $H0,$T2,$T2 # h0*r1
32115 ++ vpaddq $T1,$D2,$D2 # d2 += h1*r1
32116 ++ vpaddq $T2,$D1,$D1 # d1 += h0*r1
32117 ++
32118 ++ vmovdqa -0x50(%r11),$T4 # s2^4
32119 ++ vpmuludq $H2,$T3,$T0 # h2*r2
32120 ++ vpmuludq $H1,$T3,$T1 # h1*r2
32121 ++ vpaddq $T0,$D4,$D4 # d4 += h2*r2
32122 ++ vpaddq $T1,$D3,$D3 # d3 += h1*r2
32123 ++ vmovdqa -0x40(%r11),$T2 # r3^4
32124 ++ vpmuludq $H0,$T3,$T3 # h0*r2
32125 ++ vpmuludq $H4,$T4,$T0 # h4*s2
32126 ++ vpaddq $T3,$D2,$D2 # d2 += h0*r2
32127 ++ vpaddq $T0,$D1,$D1 # d1 += h4*s2
32128 ++ vmovdqa -0x30(%r11),$T3 # s3^4
32129 ++ vpmuludq $H3,$T4,$T4 # h3*s2
32130 ++ vpmuludq $H1,$T2,$T1 # h1*r3
32131 ++ vpaddq $T4,$D0,$D0 # d0 += h3*s2
32132 ++
32133 ++ vmovdqa -0x10(%r11),$T4 # s4^4
32134 ++ vpaddq $T1,$D4,$D4 # d4 += h1*r3
32135 ++ vpmuludq $H0,$T2,$T2 # h0*r3
32136 ++ vpmuludq $H4,$T3,$T0 # h4*s3
32137 ++ vpaddq $T2,$D3,$D3 # d3 += h0*r3
32138 ++ vpaddq $T0,$D2,$D2 # d2 += h4*s3
32139 ++ vmovdqu 16*2($inp),$T0 # load input
32140 ++ vpmuludq $H3,$T3,$T2 # h3*s3
32141 ++ vpmuludq $H2,$T3,$T3 # h2*s3
32142 ++ vpaddq $T2,$D1,$D1 # d1 += h3*s3
32143 ++ vmovdqu 16*3($inp),$T1 #
32144 ++ vpaddq $T3,$D0,$D0 # d0 += h2*s3
32145 ++
32146 ++ vpmuludq $H2,$T4,$H2 # h2*s4
32147 ++ vpmuludq $H3,$T4,$H3 # h3*s4
32148 ++ vpsrldq \$6,$T0,$T2 # splat input
32149 ++ vpaddq $H2,$D1,$D1 # d1 += h2*s4
32150 ++ vpmuludq $H4,$T4,$H4 # h4*s4
32151 ++ vpsrldq \$6,$T1,$T3 #
32152 ++ vpaddq $H3,$D2,$H2 # h2 = d2 + h3*s4
32153 ++ vpaddq $H4,$D3,$H3 # h3 = d3 + h4*s4
32154 ++ vpmuludq -0x20(%r11),$H0,$H4 # h0*r4
32155 ++ vpmuludq $H1,$T4,$H0
32156 ++ vpunpckhqdq $T1,$T0,$T4 # 4
32157 ++ vpaddq $H4,$D4,$H4 # h4 = d4 + h0*r4
32158 ++ vpaddq $H0,$D0,$H0 # h0 = d0 + h1*s4
32159 ++
32160 ++ vpunpcklqdq $T1,$T0,$T0 # 0:1
32161 ++ vpunpcklqdq $T3,$T2,$T3 # 2:3
32162 ++
32163 ++ #vpsrlq \$40,$T4,$T4 # 4
32164 ++ vpsrldq \$`40/8`,$T4,$T4 # 4
32165 ++ vpsrlq \$26,$T0,$T1
32166 ++ vmovdqa 0x00(%rsp),$D4 # preload r0^2
32167 ++ vpand $MASK,$T0,$T0 # 0
32168 ++ vpsrlq \$4,$T3,$T2
32169 ++ vpand $MASK,$T1,$T1 # 1
32170 ++ vpand 0(%rcx),$T4,$T4 # .Lmask24
32171 ++ vpsrlq \$30,$T3,$T3
32172 ++ vpand $MASK,$T2,$T2 # 2
32173 ++ vpand $MASK,$T3,$T3 # 3
32174 ++ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
32175 ++
32176 ++ ################################################################
32177 ++ # lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
32178 ++ # and P. Schwabe
32179 ++
32180 ++ vpsrlq \$26,$H3,$D3
32181 ++ vpand $MASK,$H3,$H3
32182 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
32183 ++
32184 ++ vpsrlq \$26,$H0,$D0
32185 ++ vpand $MASK,$H0,$H0
32186 ++ vpaddq $D0,$D1,$H1 # h0 -> h1
32187 ++
32188 ++ vpsrlq \$26,$H4,$D0
32189 ++ vpand $MASK,$H4,$H4
32190 ++
32191 ++ vpsrlq \$26,$H1,$D1
32192 ++ vpand $MASK,$H1,$H1
32193 ++ vpaddq $D1,$H2,$H2 # h1 -> h2
32194 ++
32195 ++ vpaddq $D0,$H0,$H0
32196 ++ vpsllq \$2,$D0,$D0
32197 ++ vpaddq $D0,$H0,$H0 # h4 -> h0
32198 ++
32199 ++ vpsrlq \$26,$H2,$D2
32200 ++ vpand $MASK,$H2,$H2
32201 ++ vpaddq $D2,$H3,$H3 # h2 -> h3
32202 ++
32203 ++ vpsrlq \$26,$H0,$D0
32204 ++ vpand $MASK,$H0,$H0
32205 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
32206 ++
32207 ++ vpsrlq \$26,$H3,$D3
32208 ++ vpand $MASK,$H3,$H3
32209 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
32210 ++
32211 ++ ja .Loop_avx
32212 ++
32213 ++.Lskip_loop_avx:
32214 ++ ################################################################
32215 ++ # multiply (inp[0:1]+hash) or inp[2:3] by r^2:r^1
32216 ++
32217 ++ vpshufd \$0x10,$D4,$D4 # r0^n, xx12 -> x1x2
32218 ++ add \$32,$len
32219 ++ jnz .Long_tail_avx
32220 ++
32221 ++ vpaddq $H2,$T2,$T2
32222 ++ vpaddq $H0,$T0,$T0
32223 ++ vpaddq $H1,$T1,$T1
32224 ++ vpaddq $H3,$T3,$T3
32225 ++ vpaddq $H4,$T4,$T4
32226 ++
32227 ++.Long_tail_avx:
32228 ++ vmovdqa $H2,0x20(%r11)
32229 ++ vmovdqa $H0,0x00(%r11)
32230 ++ vmovdqa $H1,0x10(%r11)
32231 ++ vmovdqa $H3,0x30(%r11)
32232 ++ vmovdqa $H4,0x40(%r11)
32233 ++
32234 ++ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
32235 ++ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
32236 ++ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32237 ++ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
32238 ++ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
32239 ++
32240 ++ vpmuludq $T2,$D4,$D2 # d2 = h2*r0
32241 ++ vpmuludq $T0,$D4,$D0 # d0 = h0*r0
32242 ++ vpshufd \$0x10,`16*1-64`($ctx),$H2 # r1^n
32243 ++ vpmuludq $T1,$D4,$D1 # d1 = h1*r0
32244 ++ vpmuludq $T3,$D4,$D3 # d3 = h3*r0
32245 ++ vpmuludq $T4,$D4,$D4 # d4 = h4*r0
32246 ++
32247 ++ vpmuludq $T3,$H2,$H0 # h3*r1
32248 ++ vpaddq $H0,$D4,$D4 # d4 += h3*r1
32249 ++ vpshufd \$0x10,`16*2-64`($ctx),$H3 # s1^n
32250 ++ vpmuludq $T2,$H2,$H1 # h2*r1
32251 ++ vpaddq $H1,$D3,$D3 # d3 += h2*r1
32252 ++ vpshufd \$0x10,`16*3-64`($ctx),$H4 # r2^n
32253 ++ vpmuludq $T1,$H2,$H0 # h1*r1
32254 ++ vpaddq $H0,$D2,$D2 # d2 += h1*r1
32255 ++ vpmuludq $T0,$H2,$H2 # h0*r1
32256 ++ vpaddq $H2,$D1,$D1 # d1 += h0*r1
32257 ++ vpmuludq $T4,$H3,$H3 # h4*s1
32258 ++ vpaddq $H3,$D0,$D0 # d0 += h4*s1
32259 ++
32260 ++ vpshufd \$0x10,`16*4-64`($ctx),$H2 # s2^n
32261 ++ vpmuludq $T2,$H4,$H1 # h2*r2
32262 ++ vpaddq $H1,$D4,$D4 # d4 += h2*r2
32263 ++ vpmuludq $T1,$H4,$H0 # h1*r2
32264 ++ vpaddq $H0,$D3,$D3 # d3 += h1*r2
32265 ++ vpshufd \$0x10,`16*5-64`($ctx),$H3 # r3^n
32266 ++ vpmuludq $T0,$H4,$H4 # h0*r2
32267 ++ vpaddq $H4,$D2,$D2 # d2 += h0*r2
32268 ++ vpmuludq $T4,$H2,$H1 # h4*s2
32269 ++ vpaddq $H1,$D1,$D1 # d1 += h4*s2
32270 ++ vpshufd \$0x10,`16*6-64`($ctx),$H4 # s3^n
32271 ++ vpmuludq $T3,$H2,$H2 # h3*s2
32272 ++ vpaddq $H2,$D0,$D0 # d0 += h3*s2
32273 ++
32274 ++ vpmuludq $T1,$H3,$H0 # h1*r3
32275 ++ vpaddq $H0,$D4,$D4 # d4 += h1*r3
32276 ++ vpmuludq $T0,$H3,$H3 # h0*r3
32277 ++ vpaddq $H3,$D3,$D3 # d3 += h0*r3
32278 ++ vpshufd \$0x10,`16*7-64`($ctx),$H2 # r4^n
32279 ++ vpmuludq $T4,$H4,$H1 # h4*s3
32280 ++ vpaddq $H1,$D2,$D2 # d2 += h4*s3
32281 ++ vpshufd \$0x10,`16*8-64`($ctx),$H3 # s4^n
32282 ++ vpmuludq $T3,$H4,$H0 # h3*s3
32283 ++ vpaddq $H0,$D1,$D1 # d1 += h3*s3
32284 ++ vpmuludq $T2,$H4,$H4 # h2*s3
32285 ++ vpaddq $H4,$D0,$D0 # d0 += h2*s3
32286 ++
32287 ++ vpmuludq $T0,$H2,$H2 # h0*r4
32288 ++ vpaddq $H2,$D4,$D4 # h4 = d4 + h0*r4
32289 ++ vpmuludq $T4,$H3,$H1 # h4*s4
32290 ++ vpaddq $H1,$D3,$D3 # h3 = d3 + h4*s4
32291 ++ vpmuludq $T3,$H3,$H0 # h3*s4
32292 ++ vpaddq $H0,$D2,$D2 # h2 = d2 + h3*s4
32293 ++ vpmuludq $T2,$H3,$H1 # h2*s4
32294 ++ vpaddq $H1,$D1,$D1 # h1 = d1 + h2*s4
32295 ++ vpmuludq $T1,$H3,$H3 # h1*s4
32296 ++ vpaddq $H3,$D0,$D0 # h0 = d0 + h1*s4
32297 ++
32298 ++ jz .Lshort_tail_avx
32299 ++
32300 ++ vmovdqu 16*0($inp),$H0 # load input
32301 ++ vmovdqu 16*1($inp),$H1
32302 ++
32303 ++ vpsrldq \$6,$H0,$H2 # splat input
32304 ++ vpsrldq \$6,$H1,$H3
32305 ++ vpunpckhqdq $H1,$H0,$H4 # 4
32306 ++ vpunpcklqdq $H1,$H0,$H0 # 0:1
32307 ++ vpunpcklqdq $H3,$H2,$H3 # 2:3
32308 ++
32309 ++ vpsrlq \$40,$H4,$H4 # 4
32310 ++ vpsrlq \$26,$H0,$H1
32311 ++ vpand $MASK,$H0,$H0 # 0
32312 ++ vpsrlq \$4,$H3,$H2
32313 ++ vpand $MASK,$H1,$H1 # 1
32314 ++ vpsrlq \$30,$H3,$H3
32315 ++ vpand $MASK,$H2,$H2 # 2
32316 ++ vpand $MASK,$H3,$H3 # 3
32317 ++ vpor 32(%rcx),$H4,$H4 # padbit, yes, always
32318 ++
32319 ++ vpshufd \$0x32,`16*0-64`($ctx),$T4 # r0^n, 34xx -> x3x4
32320 ++ vpaddq 0x00(%r11),$H0,$H0
32321 ++ vpaddq 0x10(%r11),$H1,$H1
32322 ++ vpaddq 0x20(%r11),$H2,$H2
32323 ++ vpaddq 0x30(%r11),$H3,$H3
32324 ++ vpaddq 0x40(%r11),$H4,$H4
32325 ++
32326 ++ ################################################################
32327 ++ # multiply (inp[0:1]+hash) by r^4:r^3 and accumulate
32328 ++
32329 ++ vpmuludq $H0,$T4,$T0 # h0*r0
32330 ++ vpaddq $T0,$D0,$D0 # d0 += h0*r0
32331 ++ vpmuludq $H1,$T4,$T1 # h1*r0
32332 ++ vpaddq $T1,$D1,$D1 # d1 += h1*r0
32333 ++ vpmuludq $H2,$T4,$T0 # h2*r0
32334 ++ vpaddq $T0,$D2,$D2 # d2 += h2*r0
32335 ++ vpshufd \$0x32,`16*1-64`($ctx),$T2 # r1^n
32336 ++ vpmuludq $H3,$T4,$T1 # h3*r0
32337 ++ vpaddq $T1,$D3,$D3 # d3 += h3*r0
32338 ++ vpmuludq $H4,$T4,$T4 # h4*r0
32339 ++ vpaddq $T4,$D4,$D4 # d4 += h4*r0
32340 ++
32341 ++ vpmuludq $H3,$T2,$T0 # h3*r1
32342 ++ vpaddq $T0,$D4,$D4 # d4 += h3*r1
32343 ++ vpshufd \$0x32,`16*2-64`($ctx),$T3 # s1
32344 ++ vpmuludq $H2,$T2,$T1 # h2*r1
32345 ++ vpaddq $T1,$D3,$D3 # d3 += h2*r1
32346 ++ vpshufd \$0x32,`16*3-64`($ctx),$T4 # r2
32347 ++ vpmuludq $H1,$T2,$T0 # h1*r1
32348 ++ vpaddq $T0,$D2,$D2 # d2 += h1*r1
32349 ++ vpmuludq $H0,$T2,$T2 # h0*r1
32350 ++ vpaddq $T2,$D1,$D1 # d1 += h0*r1
32351 ++ vpmuludq $H4,$T3,$T3 # h4*s1
32352 ++ vpaddq $T3,$D0,$D0 # d0 += h4*s1
32353 ++
32354 ++ vpshufd \$0x32,`16*4-64`($ctx),$T2 # s2
32355 ++ vpmuludq $H2,$T4,$T1 # h2*r2
32356 ++ vpaddq $T1,$D4,$D4 # d4 += h2*r2
32357 ++ vpmuludq $H1,$T4,$T0 # h1*r2
32358 ++ vpaddq $T0,$D3,$D3 # d3 += h1*r2
32359 ++ vpshufd \$0x32,`16*5-64`($ctx),$T3 # r3
32360 ++ vpmuludq $H0,$T4,$T4 # h0*r2
32361 ++ vpaddq $T4,$D2,$D2 # d2 += h0*r2
32362 ++ vpmuludq $H4,$T2,$T1 # h4*s2
32363 ++ vpaddq $T1,$D1,$D1 # d1 += h4*s2
32364 ++ vpshufd \$0x32,`16*6-64`($ctx),$T4 # s3
32365 ++ vpmuludq $H3,$T2,$T2 # h3*s2
32366 ++ vpaddq $T2,$D0,$D0 # d0 += h3*s2
32367 ++
32368 ++ vpmuludq $H1,$T3,$T0 # h1*r3
32369 ++ vpaddq $T0,$D4,$D4 # d4 += h1*r3
32370 ++ vpmuludq $H0,$T3,$T3 # h0*r3
32371 ++ vpaddq $T3,$D3,$D3 # d3 += h0*r3
32372 ++ vpshufd \$0x32,`16*7-64`($ctx),$T2 # r4
32373 ++ vpmuludq $H4,$T4,$T1 # h4*s3
32374 ++ vpaddq $T1,$D2,$D2 # d2 += h4*s3
32375 ++ vpshufd \$0x32,`16*8-64`($ctx),$T3 # s4
32376 ++ vpmuludq $H3,$T4,$T0 # h3*s3
32377 ++ vpaddq $T0,$D1,$D1 # d1 += h3*s3
32378 ++ vpmuludq $H2,$T4,$T4 # h2*s3
32379 ++ vpaddq $T4,$D0,$D0 # d0 += h2*s3
32380 ++
32381 ++ vpmuludq $H0,$T2,$T2 # h0*r4
32382 ++ vpaddq $T2,$D4,$D4 # d4 += h0*r4
32383 ++ vpmuludq $H4,$T3,$T1 # h4*s4
32384 ++ vpaddq $T1,$D3,$D3 # d3 += h4*s4
32385 ++ vpmuludq $H3,$T3,$T0 # h3*s4
32386 ++ vpaddq $T0,$D2,$D2 # d2 += h3*s4
32387 ++ vpmuludq $H2,$T3,$T1 # h2*s4
32388 ++ vpaddq $T1,$D1,$D1 # d1 += h2*s4
32389 ++ vpmuludq $H1,$T3,$T3 # h1*s4
32390 ++ vpaddq $T3,$D0,$D0 # d0 += h1*s4
32391 ++
32392 ++.Lshort_tail_avx:
32393 ++ ################################################################
32394 ++ # horizontal addition
32395 ++
32396 ++ vpsrldq \$8,$D4,$T4
32397 ++ vpsrldq \$8,$D3,$T3
32398 ++ vpsrldq \$8,$D1,$T1
32399 ++ vpsrldq \$8,$D0,$T0
32400 ++ vpsrldq \$8,$D2,$T2
32401 ++ vpaddq $T3,$D3,$D3
32402 ++ vpaddq $T4,$D4,$D4
32403 ++ vpaddq $T0,$D0,$D0
32404 ++ vpaddq $T1,$D1,$D1
32405 ++ vpaddq $T2,$D2,$D2
32406 ++
32407 ++ ################################################################
32408 ++ # lazy reduction
32409 ++
32410 ++ vpsrlq \$26,$D3,$H3
32411 ++ vpand $MASK,$D3,$D3
32412 ++ vpaddq $H3,$D4,$D4 # h3 -> h4
32413 ++
32414 ++ vpsrlq \$26,$D0,$H0
32415 ++ vpand $MASK,$D0,$D0
32416 ++ vpaddq $H0,$D1,$D1 # h0 -> h1
32417 ++
32418 ++ vpsrlq \$26,$D4,$H4
32419 ++ vpand $MASK,$D4,$D4
32420 ++
32421 ++ vpsrlq \$26,$D1,$H1
32422 ++ vpand $MASK,$D1,$D1
32423 ++ vpaddq $H1,$D2,$D2 # h1 -> h2
32424 ++
32425 ++ vpaddq $H4,$D0,$D0
32426 ++ vpsllq \$2,$H4,$H4
32427 ++ vpaddq $H4,$D0,$D0 # h4 -> h0
32428 ++
32429 ++ vpsrlq \$26,$D2,$H2
32430 ++ vpand $MASK,$D2,$D2
32431 ++ vpaddq $H2,$D3,$D3 # h2 -> h3
32432 ++
32433 ++ vpsrlq \$26,$D0,$H0
32434 ++ vpand $MASK,$D0,$D0
32435 ++ vpaddq $H0,$D1,$D1 # h0 -> h1
32436 ++
32437 ++ vpsrlq \$26,$D3,$H3
32438 ++ vpand $MASK,$D3,$D3
32439 ++ vpaddq $H3,$D4,$D4 # h3 -> h4
32440 ++
32441 ++ vmovd $D0,`4*0-48-64`($ctx) # save partially reduced
32442 ++ vmovd $D1,`4*1-48-64`($ctx)
32443 ++ vmovd $D2,`4*2-48-64`($ctx)
32444 ++ vmovd $D3,`4*3-48-64`($ctx)
32445 ++ vmovd $D4,`4*4-48-64`($ctx)
32446 ++___
32447 ++$code.=<<___ if ($win64);
32448 ++ vmovdqa 0x50(%r11),%xmm6
32449 ++ vmovdqa 0x60(%r11),%xmm7
32450 ++ vmovdqa 0x70(%r11),%xmm8
32451 ++ vmovdqa 0x80(%r11),%xmm9
32452 ++ vmovdqa 0x90(%r11),%xmm10
32453 ++ vmovdqa 0xa0(%r11),%xmm11
32454 ++ vmovdqa 0xb0(%r11),%xmm12
32455 ++ vmovdqa 0xc0(%r11),%xmm13
32456 ++ vmovdqa 0xd0(%r11),%xmm14
32457 ++ vmovdqa 0xe0(%r11),%xmm15
32458 ++ lea 0xf8(%r11),%rsp
32459 ++.Ldo_avx_epilogue:
32460 ++___
32461 ++$code.=<<___ if (!$win64);
32462 ++ lea -8(%r10),%rsp
32463 ++.cfi_def_cfa_register %rsp
32464 ++___
32465 ++$code.=<<___;
32466 ++ vzeroupper
32467 ++ ret
32468 ++.cfi_endproc
32469 ++___
32470 ++&end_function("poly1305_blocks_avx");
32471 ++
32472 ++&declare_function("poly1305_emit_avx", 32, 3);
32473 ++$code.=<<___;
32474 ++ cmpl \$0,20($ctx) # is_base2_26?
32475 ++ je .Lemit
32476 ++
32477 ++ mov 0($ctx),%eax # load hash value base 2^26
32478 ++ mov 4($ctx),%ecx
32479 ++ mov 8($ctx),%r8d
32480 ++ mov 12($ctx),%r11d
32481 ++ mov 16($ctx),%r10d
32482 ++
32483 ++ shl \$26,%rcx # base 2^26 -> base 2^64
32484 ++ mov %r8,%r9
32485 ++ shl \$52,%r8
32486 ++ add %rcx,%rax
32487 ++ shr \$12,%r9
32488 ++ add %rax,%r8 # h0
32489 ++ adc \$0,%r9
32490 ++
32491 ++ shl \$14,%r11
32492 ++ mov %r10,%rax
32493 ++ shr \$24,%r10
32494 ++ add %r11,%r9
32495 ++ shl \$40,%rax
32496 ++ add %rax,%r9 # h1
32497 ++ adc \$0,%r10 # h2
32498 ++
32499 ++ mov %r10,%rax # could be partially reduced, so reduce
32500 ++ mov %r10,%rcx
32501 ++ and \$3,%r10
32502 ++ shr \$2,%rax
32503 ++ and \$-4,%rcx
32504 ++ add %rcx,%rax
32505 ++ add %rax,%r8
32506 ++ adc \$0,%r9
32507 ++ adc \$0,%r10
32508 ++
32509 ++ mov %r8,%rax
32510 ++ add \$5,%r8 # compare to modulus
32511 ++ mov %r9,%rcx
32512 ++ adc \$0,%r9
32513 ++ adc \$0,%r10
32514 ++ shr \$2,%r10 # did 130-bit value overflow?
32515 ++ cmovnz %r8,%rax
32516 ++ cmovnz %r9,%rcx
32517 ++
32518 ++ add 0($nonce),%rax # accumulate nonce
32519 ++ adc 8($nonce),%rcx
32520 ++ mov %rax,0($mac) # write result
32521 ++ mov %rcx,8($mac)
32522 ++
32523 ++ ret
32524 ++___
32525 ++&end_function("poly1305_emit_avx");
32526 ++
32527 ++if ($kernel) {
32528 ++ $code .= "#endif\n";
32529 ++}
32530 ++
32531 ++if ($avx>1) {
32532 ++
32533 ++if ($kernel) {
32534 ++ $code .= "#ifdef CONFIG_AS_AVX2\n";
32535 ++}
32536 ++
32537 ++my ($H0,$H1,$H2,$H3,$H4, $MASK, $T4,$T0,$T1,$T2,$T3, $D0,$D1,$D2,$D3,$D4) =
32538 ++ map("%ymm$_",(0..15));
32539 ++my $S4=$MASK;
32540 ++
32541 ++sub poly1305_blocks_avxN {
32542 ++ my ($avx512) = @_;
32543 ++ my $suffix = $avx512 ? "_avx512" : "";
32544 ++$code.=<<___;
32545 ++.cfi_startproc
32546 ++ mov 20($ctx),%r8d # is_base2_26
32547 ++ cmp \$128,$len
32548 ++ jae .Lblocks_avx2$suffix
32549 ++ test %r8d,%r8d
32550 ++ jz .Lblocks
32551 ++
32552 ++.Lblocks_avx2$suffix:
32553 ++ and \$-16,$len
32554 ++ jz .Lno_data_avx2$suffix
32555 ++
32556 ++ vzeroupper
32557 ++
32558 ++ test %r8d,%r8d
32559 ++ jz .Lbase2_64_avx2$suffix
32560 ++
32561 ++ test \$63,$len
32562 ++ jz .Leven_avx2$suffix
32563 ++
32564 ++ push %rbp
32565 ++.cfi_push %rbp
32566 ++ mov %rsp,%rbp
32567 ++ push %rbx
32568 ++.cfi_push %rbx
32569 ++ push %r12
32570 ++.cfi_push %r12
32571 ++ push %r13
32572 ++.cfi_push %r13
32573 ++ push %r14
32574 ++.cfi_push %r14
32575 ++ push %r15
32576 ++.cfi_push %r15
32577 ++.Lblocks_avx2_body$suffix:
32578 ++
32579 ++ mov $len,%r15 # reassign $len
32580 ++
32581 ++ mov 0($ctx),$d1 # load hash value
32582 ++ mov 8($ctx),$d2
32583 ++ mov 16($ctx),$h2#d
32584 ++
32585 ++ mov 24($ctx),$r0 # load r
32586 ++ mov 32($ctx),$s1
32587 ++
32588 ++ ################################# base 2^26 -> base 2^64
32589 ++ mov $d1#d,$h0#d
32590 ++ and \$`-1*(1<<31)`,$d1
32591 ++ mov $d2,$r1 # borrow $r1
32592 ++ mov $d2#d,$h1#d
32593 ++ and \$`-1*(1<<31)`,$d2
32594 ++
32595 ++ shr \$6,$d1
32596 ++ shl \$52,$r1
32597 ++ add $d1,$h0
32598 ++ shr \$12,$h1
32599 ++ shr \$18,$d2
32600 ++ add $r1,$h0
32601 ++ adc $d2,$h1
32602 ++
32603 ++ mov $h2,$d1
32604 ++ shl \$40,$d1
32605 ++ shr \$24,$h2
32606 ++ add $d1,$h1
32607 ++ adc \$0,$h2 # can be partially reduced...
32608 ++
32609 ++ mov \$-4,$d2 # ... so reduce
32610 ++ mov $h2,$d1
32611 ++ and $h2,$d2
32612 ++ shr \$2,$d1
32613 ++ and \$3,$h2
32614 ++ add $d2,$d1 # =*5
32615 ++ add $d1,$h0
32616 ++ adc \$0,$h1
32617 ++ adc \$0,$h2
32618 ++
32619 ++ mov $s1,$r1
32620 ++ mov $s1,%rax
32621 ++ shr \$2,$s1
32622 ++ add $r1,$s1 # s1 = r1 + (r1 >> 2)
32623 ++
32624 ++.Lbase2_26_pre_avx2$suffix:
32625 ++ add 0($inp),$h0 # accumulate input
32626 ++ adc 8($inp),$h1
32627 ++ lea 16($inp),$inp
32628 ++ adc $padbit,$h2
32629 ++ sub \$16,%r15
32630 ++
32631 ++ call __poly1305_block
32632 ++ mov $r1,%rax
32633 ++
32634 ++ test \$63,%r15
32635 ++ jnz .Lbase2_26_pre_avx2$suffix
32636 ++
32637 ++ test $padbit,$padbit # if $padbit is zero,
32638 ++ jz .Lstore_base2_64_avx2$suffix # store hash in base 2^64 format
32639 ++
32640 ++ ################################# base 2^64 -> base 2^26
32641 ++ mov $h0,%rax
32642 ++ mov $h0,%rdx
32643 ++ shr \$52,$h0
32644 ++ mov $h1,$r0
32645 ++ mov $h1,$r1
32646 ++ shr \$26,%rdx
32647 ++ and \$0x3ffffff,%rax # h[0]
32648 ++ shl \$12,$r0
32649 ++ and \$0x3ffffff,%rdx # h[1]
32650 ++ shr \$14,$h1
32651 ++ or $r0,$h0
32652 ++ shl \$24,$h2
32653 ++ and \$0x3ffffff,$h0 # h[2]
32654 ++ shr \$40,$r1
32655 ++ and \$0x3ffffff,$h1 # h[3]
32656 ++ or $r1,$h2 # h[4]
32657 ++
32658 ++ test %r15,%r15
32659 ++ jz .Lstore_base2_26_avx2$suffix
32660 ++
32661 ++ vmovd %rax#d,%x#$H0
32662 ++ vmovd %rdx#d,%x#$H1
32663 ++ vmovd $h0#d,%x#$H2
32664 ++ vmovd $h1#d,%x#$H3
32665 ++ vmovd $h2#d,%x#$H4
32666 ++ jmp .Lproceed_avx2$suffix
32667 ++
32668 ++.align 32
32669 ++.Lstore_base2_64_avx2$suffix:
32670 ++ mov $h0,0($ctx)
32671 ++ mov $h1,8($ctx)
32672 ++ mov $h2,16($ctx) # note that is_base2_26 is zeroed
32673 ++ jmp .Ldone_avx2$suffix
32674 ++
32675 ++.align 16
32676 ++.Lstore_base2_26_avx2$suffix:
32677 ++ mov %rax#d,0($ctx) # store hash value base 2^26
32678 ++ mov %rdx#d,4($ctx)
32679 ++ mov $h0#d,8($ctx)
32680 ++ mov $h1#d,12($ctx)
32681 ++ mov $h2#d,16($ctx)
32682 ++.align 16
32683 ++.Ldone_avx2$suffix:
32684 ++ pop %r15
32685 ++.cfi_restore %r15
32686 ++ pop %r14
32687 ++.cfi_restore %r14
32688 ++ pop %r13
32689 ++.cfi_restore %r13
32690 ++ pop %r12
32691 ++.cfi_restore %r12
32692 ++ pop %rbx
32693 ++.cfi_restore %rbx
32694 ++ pop %rbp
32695 ++.cfi_restore %rbp
32696 ++.Lno_data_avx2$suffix:
32697 ++.Lblocks_avx2_epilogue$suffix:
32698 ++ ret
32699 ++.cfi_endproc
32700 ++
32701 ++.align 32
32702 ++.Lbase2_64_avx2$suffix:
32703 ++.cfi_startproc
32704 ++ push %rbp
32705 ++.cfi_push %rbp
32706 ++ mov %rsp,%rbp
32707 ++ push %rbx
32708 ++.cfi_push %rbx
32709 ++ push %r12
32710 ++.cfi_push %r12
32711 ++ push %r13
32712 ++.cfi_push %r13
32713 ++ push %r14
32714 ++.cfi_push %r14
32715 ++ push %r15
32716 ++.cfi_push %r15
32717 ++.Lbase2_64_avx2_body$suffix:
32718 ++
32719 ++ mov $len,%r15 # reassign $len
32720 ++
32721 ++ mov 24($ctx),$r0 # load r
32722 ++ mov 32($ctx),$s1
32723 ++
32724 ++ mov 0($ctx),$h0 # load hash value
32725 ++ mov 8($ctx),$h1
32726 ++ mov 16($ctx),$h2#d
32727 ++
32728 ++ mov $s1,$r1
32729 ++ mov $s1,%rax
32730 ++ shr \$2,$s1
32731 ++ add $r1,$s1 # s1 = r1 + (r1 >> 2)
32732 ++
32733 ++ test \$63,$len
32734 ++ jz .Linit_avx2$suffix
32735 ++
32736 ++.Lbase2_64_pre_avx2$suffix:
32737 ++ add 0($inp),$h0 # accumulate input
32738 ++ adc 8($inp),$h1
32739 ++ lea 16($inp),$inp
32740 ++ adc $padbit,$h2
32741 ++ sub \$16,%r15
32742 ++
32743 ++ call __poly1305_block
32744 ++ mov $r1,%rax
32745 ++
32746 ++ test \$63,%r15
32747 ++ jnz .Lbase2_64_pre_avx2$suffix
32748 ++
32749 ++.Linit_avx2$suffix:
32750 ++ ################################# base 2^64 -> base 2^26
32751 ++ mov $h0,%rax
32752 ++ mov $h0,%rdx
32753 ++ shr \$52,$h0
32754 ++ mov $h1,$d1
32755 ++ mov $h1,$d2
32756 ++ shr \$26,%rdx
32757 ++ and \$0x3ffffff,%rax # h[0]
32758 ++ shl \$12,$d1
32759 ++ and \$0x3ffffff,%rdx # h[1]
32760 ++ shr \$14,$h1
32761 ++ or $d1,$h0
32762 ++ shl \$24,$h2
32763 ++ and \$0x3ffffff,$h0 # h[2]
32764 ++ shr \$40,$d2
32765 ++ and \$0x3ffffff,$h1 # h[3]
32766 ++ or $d2,$h2 # h[4]
32767 ++
32768 ++ vmovd %rax#d,%x#$H0
32769 ++ vmovd %rdx#d,%x#$H1
32770 ++ vmovd $h0#d,%x#$H2
32771 ++ vmovd $h1#d,%x#$H3
32772 ++ vmovd $h2#d,%x#$H4
32773 ++ movl \$1,20($ctx) # set is_base2_26
32774 ++
32775 ++ call __poly1305_init_avx
32776 ++
32777 ++.Lproceed_avx2$suffix:
32778 ++ mov %r15,$len # restore $len
32779 ++___
32780 ++$code.=<<___ if (!$kernel);
32781 ++ mov OPENSSL_ia32cap_P+8(%rip),%r9d
32782 ++ mov \$`(1<<31|1<<30|1<<16)`,%r11d
32783 ++___
32784 ++$code.=<<___;
32785 ++ pop %r15
32786 ++.cfi_restore %r15
32787 ++ pop %r14
32788 ++.cfi_restore %r14
32789 ++ pop %r13
32790 ++.cfi_restore %r13
32791 ++ pop %r12
32792 ++.cfi_restore %r12
32793 ++ pop %rbx
32794 ++.cfi_restore %rbx
32795 ++ pop %rbp
32796 ++.cfi_restore %rbp
32797 ++.Lbase2_64_avx2_epilogue$suffix:
32798 ++ jmp .Ldo_avx2$suffix
32799 ++.cfi_endproc
32800 ++
32801 ++.align 32
32802 ++.Leven_avx2$suffix:
32803 ++.cfi_startproc
32804 ++___
32805 ++$code.=<<___ if (!$kernel);
32806 ++ mov OPENSSL_ia32cap_P+8(%rip),%r9d
32807 ++___
32808 ++$code.=<<___;
32809 ++ vmovd 4*0($ctx),%x#$H0 # load hash value base 2^26
32810 ++ vmovd 4*1($ctx),%x#$H1
32811 ++ vmovd 4*2($ctx),%x#$H2
32812 ++ vmovd 4*3($ctx),%x#$H3
32813 ++ vmovd 4*4($ctx),%x#$H4
32814 ++
32815 ++.Ldo_avx2$suffix:
32816 ++___
32817 ++$code.=<<___ if (!$kernel && $avx>2);
32818 ++ cmp \$512,$len
32819 ++ jb .Lskip_avx512
32820 ++ and %r11d,%r9d
32821 ++ test \$`1<<16`,%r9d # check for AVX512F
32822 ++ jnz .Lblocks_avx512
32823 ++.Lskip_avx512$suffix:
32824 ++___
32825 ++$code.=<<___ if ($avx > 2 && $avx512 && $kernel);
32826 ++ cmp \$512,$len
32827 ++ jae .Lblocks_avx512
32828 ++___
32829 ++$code.=<<___ if (!$win64);
32830 ++ lea 8(%rsp),%r10
32831 ++.cfi_def_cfa_register %r10
32832 ++ sub \$0x128,%rsp
32833 ++___
32834 ++$code.=<<___ if ($win64);
32835 ++ lea 8(%rsp),%r10
32836 ++ sub \$0x1c8,%rsp
32837 ++ vmovdqa %xmm6,-0xb0(%r10)
32838 ++ vmovdqa %xmm7,-0xa0(%r10)
32839 ++ vmovdqa %xmm8,-0x90(%r10)
32840 ++ vmovdqa %xmm9,-0x80(%r10)
32841 ++ vmovdqa %xmm10,-0x70(%r10)
32842 ++ vmovdqa %xmm11,-0x60(%r10)
32843 ++ vmovdqa %xmm12,-0x50(%r10)
32844 ++ vmovdqa %xmm13,-0x40(%r10)
32845 ++ vmovdqa %xmm14,-0x30(%r10)
32846 ++ vmovdqa %xmm15,-0x20(%r10)
32847 ++.Ldo_avx2_body$suffix:
32848 ++___
32849 ++$code.=<<___;
32850 ++ lea .Lconst(%rip),%rcx
32851 ++ lea 48+64($ctx),$ctx # size optimization
32852 ++ vmovdqa 96(%rcx),$T0 # .Lpermd_avx2
32853 ++
32854 ++ # expand and copy pre-calculated table to stack
32855 ++ vmovdqu `16*0-64`($ctx),%x#$T2
32856 ++ and \$-512,%rsp
32857 ++ vmovdqu `16*1-64`($ctx),%x#$T3
32858 ++ vmovdqu `16*2-64`($ctx),%x#$T4
32859 ++ vmovdqu `16*3-64`($ctx),%x#$D0
32860 ++ vmovdqu `16*4-64`($ctx),%x#$D1
32861 ++ vmovdqu `16*5-64`($ctx),%x#$D2
32862 ++ lea 0x90(%rsp),%rax # size optimization
32863 ++ vmovdqu `16*6-64`($ctx),%x#$D3
32864 ++ vpermd $T2,$T0,$T2 # 00003412 -> 14243444
32865 ++ vmovdqu `16*7-64`($ctx),%x#$D4
32866 ++ vpermd $T3,$T0,$T3
32867 ++ vmovdqu `16*8-64`($ctx),%x#$MASK
32868 ++ vpermd $T4,$T0,$T4
32869 ++ vmovdqa $T2,0x00(%rsp)
32870 ++ vpermd $D0,$T0,$D0
32871 ++ vmovdqa $T3,0x20-0x90(%rax)
32872 ++ vpermd $D1,$T0,$D1
32873 ++ vmovdqa $T4,0x40-0x90(%rax)
32874 ++ vpermd $D2,$T0,$D2
32875 ++ vmovdqa $D0,0x60-0x90(%rax)
32876 ++ vpermd $D3,$T0,$D3
32877 ++ vmovdqa $D1,0x80-0x90(%rax)
32878 ++ vpermd $D4,$T0,$D4
32879 ++ vmovdqa $D2,0xa0-0x90(%rax)
32880 ++ vpermd $MASK,$T0,$MASK
32881 ++ vmovdqa $D3,0xc0-0x90(%rax)
32882 ++ vmovdqa $D4,0xe0-0x90(%rax)
32883 ++ vmovdqa $MASK,0x100-0x90(%rax)
32884 ++ vmovdqa 64(%rcx),$MASK # .Lmask26
32885 ++
32886 ++ ################################################################
32887 ++ # load input
32888 ++ vmovdqu 16*0($inp),%x#$T0
32889 ++ vmovdqu 16*1($inp),%x#$T1
32890 ++ vinserti128 \$1,16*2($inp),$T0,$T0
32891 ++ vinserti128 \$1,16*3($inp),$T1,$T1
32892 ++ lea 16*4($inp),$inp
32893 ++
32894 ++ vpsrldq \$6,$T0,$T2 # splat input
32895 ++ vpsrldq \$6,$T1,$T3
32896 ++ vpunpckhqdq $T1,$T0,$T4 # 4
32897 ++ vpunpcklqdq $T3,$T2,$T2 # 2:3
32898 ++ vpunpcklqdq $T1,$T0,$T0 # 0:1
32899 ++
32900 ++ vpsrlq \$30,$T2,$T3
32901 ++ vpsrlq \$4,$T2,$T2
32902 ++ vpsrlq \$26,$T0,$T1
32903 ++ vpsrlq \$40,$T4,$T4 # 4
32904 ++ vpand $MASK,$T2,$T2 # 2
32905 ++ vpand $MASK,$T0,$T0 # 0
32906 ++ vpand $MASK,$T1,$T1 # 1
32907 ++ vpand $MASK,$T3,$T3 # 3
32908 ++ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
32909 ++
32910 ++ vpaddq $H2,$T2,$H2 # accumulate input
32911 ++ sub \$64,$len
32912 ++ jz .Ltail_avx2$suffix
32913 ++ jmp .Loop_avx2$suffix
32914 ++
32915 ++.align 32
32916 ++.Loop_avx2$suffix:
32917 ++ ################################################################
32918 ++ # ((inp[0]*r^4+inp[4])*r^4+inp[ 8])*r^4
32919 ++ # ((inp[1]*r^4+inp[5])*r^4+inp[ 9])*r^3
32920 ++ # ((inp[2]*r^4+inp[6])*r^4+inp[10])*r^2
32921 ++ # ((inp[3]*r^4+inp[7])*r^4+inp[11])*r^1
32922 ++ # \________/\__________/
32923 ++ ################################################################
32924 ++ #vpaddq $H2,$T2,$H2 # accumulate input
32925 ++ vpaddq $H0,$T0,$H0
32926 ++ vmovdqa `32*0`(%rsp),$T0 # r0^4
32927 ++ vpaddq $H1,$T1,$H1
32928 ++ vmovdqa `32*1`(%rsp),$T1 # r1^4
32929 ++ vpaddq $H3,$T3,$H3
32930 ++ vmovdqa `32*3`(%rsp),$T2 # r2^4
32931 ++ vpaddq $H4,$T4,$H4
32932 ++ vmovdqa `32*6-0x90`(%rax),$T3 # s3^4
32933 ++ vmovdqa `32*8-0x90`(%rax),$S4 # s4^4
32934 ++
32935 ++ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
32936 ++ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
32937 ++ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32938 ++ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
32939 ++ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
32940 ++ #
32941 ++ # however, as h2 is "chronologically" first one available pull
32942 ++ # corresponding operations up, so it's
32943 ++ #
32944 ++ # d4 = h2*r2 + h4*r0 + h3*r1 + h1*r3 + h0*r4
32945 ++ # d3 = h2*r1 + h3*r0 + h1*r2 + h0*r3 + h4*5*r4
32946 ++ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
32947 ++ # d1 = h2*5*r4 + h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3
32948 ++ # d0 = h2*5*r3 + h0*r0 + h4*5*r1 + h3*5*r2 + h1*5*r4
32949 ++
32950 ++ vpmuludq $H2,$T0,$D2 # d2 = h2*r0
32951 ++ vpmuludq $H2,$T1,$D3 # d3 = h2*r1
32952 ++ vpmuludq $H2,$T2,$D4 # d4 = h2*r2
32953 ++ vpmuludq $H2,$T3,$D0 # d0 = h2*s3
32954 ++ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
32955 ++
32956 ++ vpmuludq $H0,$T1,$T4 # h0*r1
32957 ++ vpmuludq $H1,$T1,$H2 # h1*r1, borrow $H2 as temp
32958 ++ vpaddq $T4,$D1,$D1 # d1 += h0*r1
32959 ++ vpaddq $H2,$D2,$D2 # d2 += h1*r1
32960 ++ vpmuludq $H3,$T1,$T4 # h3*r1
32961 ++ vpmuludq `32*2`(%rsp),$H4,$H2 # h4*s1
32962 ++ vpaddq $T4,$D4,$D4 # d4 += h3*r1
32963 ++ vpaddq $H2,$D0,$D0 # d0 += h4*s1
32964 ++ vmovdqa `32*4-0x90`(%rax),$T1 # s2
32965 ++
32966 ++ vpmuludq $H0,$T0,$T4 # h0*r0
32967 ++ vpmuludq $H1,$T0,$H2 # h1*r0
32968 ++ vpaddq $T4,$D0,$D0 # d0 += h0*r0
32969 ++ vpaddq $H2,$D1,$D1 # d1 += h1*r0
32970 ++ vpmuludq $H3,$T0,$T4 # h3*r0
32971 ++ vpmuludq $H4,$T0,$H2 # h4*r0
32972 ++ vmovdqu 16*0($inp),%x#$T0 # load input
32973 ++ vpaddq $T4,$D3,$D3 # d3 += h3*r0
32974 ++ vpaddq $H2,$D4,$D4 # d4 += h4*r0
32975 ++ vinserti128 \$1,16*2($inp),$T0,$T0
32976 ++
32977 ++ vpmuludq $H3,$T1,$T4 # h3*s2
32978 ++ vpmuludq $H4,$T1,$H2 # h4*s2
32979 ++ vmovdqu 16*1($inp),%x#$T1
32980 ++ vpaddq $T4,$D0,$D0 # d0 += h3*s2
32981 ++ vpaddq $H2,$D1,$D1 # d1 += h4*s2
32982 ++ vmovdqa `32*5-0x90`(%rax),$H2 # r3
32983 ++ vpmuludq $H1,$T2,$T4 # h1*r2
32984 ++ vpmuludq $H0,$T2,$T2 # h0*r2
32985 ++ vpaddq $T4,$D3,$D3 # d3 += h1*r2
32986 ++ vpaddq $T2,$D2,$D2 # d2 += h0*r2
32987 ++ vinserti128 \$1,16*3($inp),$T1,$T1
32988 ++ lea 16*4($inp),$inp
32989 ++
32990 ++ vpmuludq $H1,$H2,$T4 # h1*r3
32991 ++ vpmuludq $H0,$H2,$H2 # h0*r3
32992 ++ vpsrldq \$6,$T0,$T2 # splat input
32993 ++ vpaddq $T4,$D4,$D4 # d4 += h1*r3
32994 ++ vpaddq $H2,$D3,$D3 # d3 += h0*r3
32995 ++ vpmuludq $H3,$T3,$T4 # h3*s3
32996 ++ vpmuludq $H4,$T3,$H2 # h4*s3
32997 ++ vpsrldq \$6,$T1,$T3
32998 ++ vpaddq $T4,$D1,$D1 # d1 += h3*s3
32999 ++ vpaddq $H2,$D2,$D2 # d2 += h4*s3
33000 ++ vpunpckhqdq $T1,$T0,$T4 # 4
33001 ++
33002 ++ vpmuludq $H3,$S4,$H3 # h3*s4
33003 ++ vpmuludq $H4,$S4,$H4 # h4*s4
33004 ++ vpunpcklqdq $T1,$T0,$T0 # 0:1
33005 ++ vpaddq $H3,$D2,$H2 # h2 = d2 + h3*r4
33006 ++ vpaddq $H4,$D3,$H3 # h3 = d3 + h4*r4
33007 ++ vpunpcklqdq $T3,$T2,$T3 # 2:3
33008 ++ vpmuludq `32*7-0x90`(%rax),$H0,$H4 # h0*r4
33009 ++ vpmuludq $H1,$S4,$H0 # h1*s4
33010 ++ vmovdqa 64(%rcx),$MASK # .Lmask26
33011 ++ vpaddq $H4,$D4,$H4 # h4 = d4 + h0*r4
33012 ++ vpaddq $H0,$D0,$H0 # h0 = d0 + h1*s4
33013 ++
33014 ++ ################################################################
33015 ++ # lazy reduction (interleaved with tail of input splat)
33016 ++
33017 ++ vpsrlq \$26,$H3,$D3
33018 ++ vpand $MASK,$H3,$H3
33019 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33020 ++
33021 ++ vpsrlq \$26,$H0,$D0
33022 ++ vpand $MASK,$H0,$H0
33023 ++ vpaddq $D0,$D1,$H1 # h0 -> h1
33024 ++
33025 ++ vpsrlq \$26,$H4,$D4
33026 ++ vpand $MASK,$H4,$H4
33027 ++
33028 ++ vpsrlq \$4,$T3,$T2
33029 ++
33030 ++ vpsrlq \$26,$H1,$D1
33031 ++ vpand $MASK,$H1,$H1
33032 ++ vpaddq $D1,$H2,$H2 # h1 -> h2
33033 ++
33034 ++ vpaddq $D4,$H0,$H0
33035 ++ vpsllq \$2,$D4,$D4
33036 ++ vpaddq $D4,$H0,$H0 # h4 -> h0
33037 ++
33038 ++ vpand $MASK,$T2,$T2 # 2
33039 ++ vpsrlq \$26,$T0,$T1
33040 ++
33041 ++ vpsrlq \$26,$H2,$D2
33042 ++ vpand $MASK,$H2,$H2
33043 ++ vpaddq $D2,$H3,$H3 # h2 -> h3
33044 ++
33045 ++ vpaddq $T2,$H2,$H2 # modulo-scheduled
33046 ++ vpsrlq \$30,$T3,$T3
33047 ++
33048 ++ vpsrlq \$26,$H0,$D0
33049 ++ vpand $MASK,$H0,$H0
33050 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
33051 ++
33052 ++ vpsrlq \$40,$T4,$T4 # 4
33053 ++
33054 ++ vpsrlq \$26,$H3,$D3
33055 ++ vpand $MASK,$H3,$H3
33056 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33057 ++
33058 ++ vpand $MASK,$T0,$T0 # 0
33059 ++ vpand $MASK,$T1,$T1 # 1
33060 ++ vpand $MASK,$T3,$T3 # 3
33061 ++ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
33062 ++
33063 ++ sub \$64,$len
33064 ++ jnz .Loop_avx2$suffix
33065 ++
33066 ++ .byte 0x66,0x90
33067 ++.Ltail_avx2$suffix:
33068 ++ ################################################################
33069 ++ # while above multiplications were by r^4 in all lanes, in last
33070 ++ # iteration we multiply least significant lane by r^4 and most
33071 ++ # significant one by r, so copy of above except that references
33072 ++ # to the precomputed table are displaced by 4...
33073 ++
33074 ++ #vpaddq $H2,$T2,$H2 # accumulate input
33075 ++ vpaddq $H0,$T0,$H0
33076 ++ vmovdqu `32*0+4`(%rsp),$T0 # r0^4
33077 ++ vpaddq $H1,$T1,$H1
33078 ++ vmovdqu `32*1+4`(%rsp),$T1 # r1^4
33079 ++ vpaddq $H3,$T3,$H3
33080 ++ vmovdqu `32*3+4`(%rsp),$T2 # r2^4
33081 ++ vpaddq $H4,$T4,$H4
33082 ++ vmovdqu `32*6+4-0x90`(%rax),$T3 # s3^4
33083 ++ vmovdqu `32*8+4-0x90`(%rax),$S4 # s4^4
33084 ++
33085 ++ vpmuludq $H2,$T0,$D2 # d2 = h2*r0
33086 ++ vpmuludq $H2,$T1,$D3 # d3 = h2*r1
33087 ++ vpmuludq $H2,$T2,$D4 # d4 = h2*r2
33088 ++ vpmuludq $H2,$T3,$D0 # d0 = h2*s3
33089 ++ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
33090 ++
33091 ++ vpmuludq $H0,$T1,$T4 # h0*r1
33092 ++ vpmuludq $H1,$T1,$H2 # h1*r1
33093 ++ vpaddq $T4,$D1,$D1 # d1 += h0*r1
33094 ++ vpaddq $H2,$D2,$D2 # d2 += h1*r1
33095 ++ vpmuludq $H3,$T1,$T4 # h3*r1
33096 ++ vpmuludq `32*2+4`(%rsp),$H4,$H2 # h4*s1
33097 ++ vpaddq $T4,$D4,$D4 # d4 += h3*r1
33098 ++ vpaddq $H2,$D0,$D0 # d0 += h4*s1
33099 ++
33100 ++ vpmuludq $H0,$T0,$T4 # h0*r0
33101 ++ vpmuludq $H1,$T0,$H2 # h1*r0
33102 ++ vpaddq $T4,$D0,$D0 # d0 += h0*r0
33103 ++ vmovdqu `32*4+4-0x90`(%rax),$T1 # s2
33104 ++ vpaddq $H2,$D1,$D1 # d1 += h1*r0
33105 ++ vpmuludq $H3,$T0,$T4 # h3*r0
33106 ++ vpmuludq $H4,$T0,$H2 # h4*r0
33107 ++ vpaddq $T4,$D3,$D3 # d3 += h3*r0
33108 ++ vpaddq $H2,$D4,$D4 # d4 += h4*r0
33109 ++
33110 ++ vpmuludq $H3,$T1,$T4 # h3*s2
33111 ++ vpmuludq $H4,$T1,$H2 # h4*s2
33112 ++ vpaddq $T4,$D0,$D0 # d0 += h3*s2
33113 ++ vpaddq $H2,$D1,$D1 # d1 += h4*s2
33114 ++ vmovdqu `32*5+4-0x90`(%rax),$H2 # r3
33115 ++ vpmuludq $H1,$T2,$T4 # h1*r2
33116 ++ vpmuludq $H0,$T2,$T2 # h0*r2
33117 ++ vpaddq $T4,$D3,$D3 # d3 += h1*r2
33118 ++ vpaddq $T2,$D2,$D2 # d2 += h0*r2
33119 ++
33120 ++ vpmuludq $H1,$H2,$T4 # h1*r3
33121 ++ vpmuludq $H0,$H2,$H2 # h0*r3
33122 ++ vpaddq $T4,$D4,$D4 # d4 += h1*r3
33123 ++ vpaddq $H2,$D3,$D3 # d3 += h0*r3
33124 ++ vpmuludq $H3,$T3,$T4 # h3*s3
33125 ++ vpmuludq $H4,$T3,$H2 # h4*s3
33126 ++ vpaddq $T4,$D1,$D1 # d1 += h3*s3
33127 ++ vpaddq $H2,$D2,$D2 # d2 += h4*s3
33128 ++
33129 ++ vpmuludq $H3,$S4,$H3 # h3*s4
33130 ++ vpmuludq $H4,$S4,$H4 # h4*s4
33131 ++ vpaddq $H3,$D2,$H2 # h2 = d2 + h3*r4
33132 ++ vpaddq $H4,$D3,$H3 # h3 = d3 + h4*r4
33133 ++ vpmuludq `32*7+4-0x90`(%rax),$H0,$H4 # h0*r4
33134 ++ vpmuludq $H1,$S4,$H0 # h1*s4
33135 ++ vmovdqa 64(%rcx),$MASK # .Lmask26
33136 ++ vpaddq $H4,$D4,$H4 # h4 = d4 + h0*r4
33137 ++ vpaddq $H0,$D0,$H0 # h0 = d0 + h1*s4
33138 ++
33139 ++ ################################################################
33140 ++ # horizontal addition
33141 ++
33142 ++ vpsrldq \$8,$D1,$T1
33143 ++ vpsrldq \$8,$H2,$T2
33144 ++ vpsrldq \$8,$H3,$T3
33145 ++ vpsrldq \$8,$H4,$T4
33146 ++ vpsrldq \$8,$H0,$T0
33147 ++ vpaddq $T1,$D1,$D1
33148 ++ vpaddq $T2,$H2,$H2
33149 ++ vpaddq $T3,$H3,$H3
33150 ++ vpaddq $T4,$H4,$H4
33151 ++ vpaddq $T0,$H0,$H0
33152 ++
33153 ++ vpermq \$0x2,$H3,$T3
33154 ++ vpermq \$0x2,$H4,$T4
33155 ++ vpermq \$0x2,$H0,$T0
33156 ++ vpermq \$0x2,$D1,$T1
33157 ++ vpermq \$0x2,$H2,$T2
33158 ++ vpaddq $T3,$H3,$H3
33159 ++ vpaddq $T4,$H4,$H4
33160 ++ vpaddq $T0,$H0,$H0
33161 ++ vpaddq $T1,$D1,$D1
33162 ++ vpaddq $T2,$H2,$H2
33163 ++
33164 ++ ################################################################
33165 ++ # lazy reduction
33166 ++
33167 ++ vpsrlq \$26,$H3,$D3
33168 ++ vpand $MASK,$H3,$H3
33169 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33170 ++
33171 ++ vpsrlq \$26,$H0,$D0
33172 ++ vpand $MASK,$H0,$H0
33173 ++ vpaddq $D0,$D1,$H1 # h0 -> h1
33174 ++
33175 ++ vpsrlq \$26,$H4,$D4
33176 ++ vpand $MASK,$H4,$H4
33177 ++
33178 ++ vpsrlq \$26,$H1,$D1
33179 ++ vpand $MASK,$H1,$H1
33180 ++ vpaddq $D1,$H2,$H2 # h1 -> h2
33181 ++
33182 ++ vpaddq $D4,$H0,$H0
33183 ++ vpsllq \$2,$D4,$D4
33184 ++ vpaddq $D4,$H0,$H0 # h4 -> h0
33185 ++
33186 ++ vpsrlq \$26,$H2,$D2
33187 ++ vpand $MASK,$H2,$H2
33188 ++ vpaddq $D2,$H3,$H3 # h2 -> h3
33189 ++
33190 ++ vpsrlq \$26,$H0,$D0
33191 ++ vpand $MASK,$H0,$H0
33192 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
33193 ++
33194 ++ vpsrlq \$26,$H3,$D3
33195 ++ vpand $MASK,$H3,$H3
33196 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33197 ++
33198 ++ vmovd %x#$H0,`4*0-48-64`($ctx)# save partially reduced
33199 ++ vmovd %x#$H1,`4*1-48-64`($ctx)
33200 ++ vmovd %x#$H2,`4*2-48-64`($ctx)
33201 ++ vmovd %x#$H3,`4*3-48-64`($ctx)
33202 ++ vmovd %x#$H4,`4*4-48-64`($ctx)
33203 ++___
33204 ++$code.=<<___ if ($win64);
33205 ++ vmovdqa -0xb0(%r10),%xmm6
33206 ++ vmovdqa -0xa0(%r10),%xmm7
33207 ++ vmovdqa -0x90(%r10),%xmm8
33208 ++ vmovdqa -0x80(%r10),%xmm9
33209 ++ vmovdqa -0x70(%r10),%xmm10
33210 ++ vmovdqa -0x60(%r10),%xmm11
33211 ++ vmovdqa -0x50(%r10),%xmm12
33212 ++ vmovdqa -0x40(%r10),%xmm13
33213 ++ vmovdqa -0x30(%r10),%xmm14
33214 ++ vmovdqa -0x20(%r10),%xmm15
33215 ++ lea -8(%r10),%rsp
33216 ++.Ldo_avx2_epilogue$suffix:
33217 ++___
33218 ++$code.=<<___ if (!$win64);
33219 ++ lea -8(%r10),%rsp
33220 ++.cfi_def_cfa_register %rsp
33221 ++___
33222 ++$code.=<<___;
33223 ++ vzeroupper
33224 ++ ret
33225 ++.cfi_endproc
33226 ++___
33227 ++if($avx > 2 && $avx512) {
33228 ++my ($R0,$R1,$R2,$R3,$R4, $S1,$S2,$S3,$S4) = map("%zmm$_",(16..24));
33229 ++my ($M0,$M1,$M2,$M3,$M4) = map("%zmm$_",(25..29));
33230 ++my $PADBIT="%zmm30";
33231 ++
33232 ++map(s/%y/%z/,($T4,$T0,$T1,$T2,$T3)); # switch to %zmm domain
33233 ++map(s/%y/%z/,($D0,$D1,$D2,$D3,$D4));
33234 ++map(s/%y/%z/,($H0,$H1,$H2,$H3,$H4));
33235 ++map(s/%y/%z/,($MASK));
33236 ++
33237 ++$code.=<<___;
33238 ++.cfi_startproc
33239 ++.Lblocks_avx512:
33240 ++ mov \$15,%eax
33241 ++ kmovw %eax,%k2
33242 ++___
33243 ++$code.=<<___ if (!$win64);
33244 ++ lea 8(%rsp),%r10
33245 ++.cfi_def_cfa_register %r10
33246 ++ sub \$0x128,%rsp
33247 ++___
33248 ++$code.=<<___ if ($win64);
33249 ++ lea 8(%rsp),%r10
33250 ++ sub \$0x1c8,%rsp
33251 ++ vmovdqa %xmm6,-0xb0(%r10)
33252 ++ vmovdqa %xmm7,-0xa0(%r10)
33253 ++ vmovdqa %xmm8,-0x90(%r10)
33254 ++ vmovdqa %xmm9,-0x80(%r10)
33255 ++ vmovdqa %xmm10,-0x70(%r10)
33256 ++ vmovdqa %xmm11,-0x60(%r10)
33257 ++ vmovdqa %xmm12,-0x50(%r10)
33258 ++ vmovdqa %xmm13,-0x40(%r10)
33259 ++ vmovdqa %xmm14,-0x30(%r10)
33260 ++ vmovdqa %xmm15,-0x20(%r10)
33261 ++.Ldo_avx512_body:
33262 ++___
33263 ++$code.=<<___;
33264 ++ lea .Lconst(%rip),%rcx
33265 ++ lea 48+64($ctx),$ctx # size optimization
33266 ++ vmovdqa 96(%rcx),%y#$T2 # .Lpermd_avx2
33267 ++
33268 ++ # expand pre-calculated table
33269 ++ vmovdqu `16*0-64`($ctx),%x#$D0 # will become expanded ${R0}
33270 ++ and \$-512,%rsp
33271 ++ vmovdqu `16*1-64`($ctx),%x#$D1 # will become ... ${R1}
33272 ++ mov \$0x20,%rax
33273 ++ vmovdqu `16*2-64`($ctx),%x#$T0 # ... ${S1}
33274 ++ vmovdqu `16*3-64`($ctx),%x#$D2 # ... ${R2}
33275 ++ vmovdqu `16*4-64`($ctx),%x#$T1 # ... ${S2}
33276 ++ vmovdqu `16*5-64`($ctx),%x#$D3 # ... ${R3}
33277 ++ vmovdqu `16*6-64`($ctx),%x#$T3 # ... ${S3}
33278 ++ vmovdqu `16*7-64`($ctx),%x#$D4 # ... ${R4}
33279 ++ vmovdqu `16*8-64`($ctx),%x#$T4 # ... ${S4}
33280 ++ vpermd $D0,$T2,$R0 # 00003412 -> 14243444
33281 ++ vpbroadcastq 64(%rcx),$MASK # .Lmask26
33282 ++ vpermd $D1,$T2,$R1
33283 ++ vpermd $T0,$T2,$S1
33284 ++ vpermd $D2,$T2,$R2
33285 ++ vmovdqa64 $R0,0x00(%rsp){%k2} # save in case $len%128 != 0
33286 ++ vpsrlq \$32,$R0,$T0 # 14243444 -> 01020304
33287 ++ vpermd $T1,$T2,$S2
33288 ++ vmovdqu64 $R1,0x00(%rsp,%rax){%k2}
33289 ++ vpsrlq \$32,$R1,$T1
33290 ++ vpermd $D3,$T2,$R3
33291 ++ vmovdqa64 $S1,0x40(%rsp){%k2}
33292 ++ vpermd $T3,$T2,$S3
33293 ++ vpermd $D4,$T2,$R4
33294 ++ vmovdqu64 $R2,0x40(%rsp,%rax){%k2}
33295 ++ vpermd $T4,$T2,$S4
33296 ++ vmovdqa64 $S2,0x80(%rsp){%k2}
33297 ++ vmovdqu64 $R3,0x80(%rsp,%rax){%k2}
33298 ++ vmovdqa64 $S3,0xc0(%rsp){%k2}
33299 ++ vmovdqu64 $R4,0xc0(%rsp,%rax){%k2}
33300 ++ vmovdqa64 $S4,0x100(%rsp){%k2}
33301 ++
33302 ++ ################################################################
33303 ++ # calculate 5th through 8th powers of the key
33304 ++ #
33305 ++ # d0 = r0'*r0 + r1'*5*r4 + r2'*5*r3 + r3'*5*r2 + r4'*5*r1
33306 ++ # d1 = r0'*r1 + r1'*r0 + r2'*5*r4 + r3'*5*r3 + r4'*5*r2
33307 ++ # d2 = r0'*r2 + r1'*r1 + r2'*r0 + r3'*5*r4 + r4'*5*r3
33308 ++ # d3 = r0'*r3 + r1'*r2 + r2'*r1 + r3'*r0 + r4'*5*r4
33309 ++ # d4 = r0'*r4 + r1'*r3 + r2'*r2 + r3'*r1 + r4'*r0
33310 ++
33311 ++ vpmuludq $T0,$R0,$D0 # d0 = r0'*r0
33312 ++ vpmuludq $T0,$R1,$D1 # d1 = r0'*r1
33313 ++ vpmuludq $T0,$R2,$D2 # d2 = r0'*r2
33314 ++ vpmuludq $T0,$R3,$D3 # d3 = r0'*r3
33315 ++ vpmuludq $T0,$R4,$D4 # d4 = r0'*r4
33316 ++ vpsrlq \$32,$R2,$T2
33317 ++
33318 ++ vpmuludq $T1,$S4,$M0
33319 ++ vpmuludq $T1,$R0,$M1
33320 ++ vpmuludq $T1,$R1,$M2
33321 ++ vpmuludq $T1,$R2,$M3
33322 ++ vpmuludq $T1,$R3,$M4
33323 ++ vpsrlq \$32,$R3,$T3
33324 ++ vpaddq $M0,$D0,$D0 # d0 += r1'*5*r4
33325 ++ vpaddq $M1,$D1,$D1 # d1 += r1'*r0
33326 ++ vpaddq $M2,$D2,$D2 # d2 += r1'*r1
33327 ++ vpaddq $M3,$D3,$D3 # d3 += r1'*r2
33328 ++ vpaddq $M4,$D4,$D4 # d4 += r1'*r3
33329 ++
33330 ++ vpmuludq $T2,$S3,$M0
33331 ++ vpmuludq $T2,$S4,$M1
33332 ++ vpmuludq $T2,$R1,$M3
33333 ++ vpmuludq $T2,$R2,$M4
33334 ++ vpmuludq $T2,$R0,$M2
33335 ++ vpsrlq \$32,$R4,$T4
33336 ++ vpaddq $M0,$D0,$D0 # d0 += r2'*5*r3
33337 ++ vpaddq $M1,$D1,$D1 # d1 += r2'*5*r4
33338 ++ vpaddq $M3,$D3,$D3 # d3 += r2'*r1
33339 ++ vpaddq $M4,$D4,$D4 # d4 += r2'*r2
33340 ++ vpaddq $M2,$D2,$D2 # d2 += r2'*r0
33341 ++
33342 ++ vpmuludq $T3,$S2,$M0
33343 ++ vpmuludq $T3,$R0,$M3
33344 ++ vpmuludq $T3,$R1,$M4
33345 ++ vpmuludq $T3,$S3,$M1
33346 ++ vpmuludq $T3,$S4,$M2
33347 ++ vpaddq $M0,$D0,$D0 # d0 += r3'*5*r2
33348 ++ vpaddq $M3,$D3,$D3 # d3 += r3'*r0
33349 ++ vpaddq $M4,$D4,$D4 # d4 += r3'*r1
33350 ++ vpaddq $M1,$D1,$D1 # d1 += r3'*5*r3
33351 ++ vpaddq $M2,$D2,$D2 # d2 += r3'*5*r4
33352 ++
33353 ++ vpmuludq $T4,$S4,$M3
33354 ++ vpmuludq $T4,$R0,$M4
33355 ++ vpmuludq $T4,$S1,$M0
33356 ++ vpmuludq $T4,$S2,$M1
33357 ++ vpmuludq $T4,$S3,$M2
33358 ++ vpaddq $M3,$D3,$D3 # d3 += r2'*5*r4
33359 ++ vpaddq $M4,$D4,$D4 # d4 += r2'*r0
33360 ++ vpaddq $M0,$D0,$D0 # d0 += r2'*5*r1
33361 ++ vpaddq $M1,$D1,$D1 # d1 += r2'*5*r2
33362 ++ vpaddq $M2,$D2,$D2 # d2 += r2'*5*r3
33363 ++
33364 ++ ################################################################
33365 ++ # load input
33366 ++ vmovdqu64 16*0($inp),%z#$T3
33367 ++ vmovdqu64 16*4($inp),%z#$T4
33368 ++ lea 16*8($inp),$inp
33369 ++
33370 ++ ################################################################
33371 ++ # lazy reduction
33372 ++
33373 ++ vpsrlq \$26,$D3,$M3
33374 ++ vpandq $MASK,$D3,$D3
33375 ++ vpaddq $M3,$D4,$D4 # d3 -> d4
33376 ++
33377 ++ vpsrlq \$26,$D0,$M0
33378 ++ vpandq $MASK,$D0,$D0
33379 ++ vpaddq $M0,$D1,$D1 # d0 -> d1
33380 ++
33381 ++ vpsrlq \$26,$D4,$M4
33382 ++ vpandq $MASK,$D4,$D4
33383 ++
33384 ++ vpsrlq \$26,$D1,$M1
33385 ++ vpandq $MASK,$D1,$D1
33386 ++ vpaddq $M1,$D2,$D2 # d1 -> d2
33387 ++
33388 ++ vpaddq $M4,$D0,$D0
33389 ++ vpsllq \$2,$M4,$M4
33390 ++ vpaddq $M4,$D0,$D0 # d4 -> d0
33391 ++
33392 ++ vpsrlq \$26,$D2,$M2
33393 ++ vpandq $MASK,$D2,$D2
33394 ++ vpaddq $M2,$D3,$D3 # d2 -> d3
33395 ++
33396 ++ vpsrlq \$26,$D0,$M0
33397 ++ vpandq $MASK,$D0,$D0
33398 ++ vpaddq $M0,$D1,$D1 # d0 -> d1
33399 ++
33400 ++ vpsrlq \$26,$D3,$M3
33401 ++ vpandq $MASK,$D3,$D3
33402 ++ vpaddq $M3,$D4,$D4 # d3 -> d4
33403 ++
33404 ++ ################################################################
33405 ++ # at this point we have 14243444 in $R0-$S4 and 05060708 in
33406 ++ # $D0-$D4, ...
33407 ++
33408 ++ vpunpcklqdq $T4,$T3,$T0 # transpose input
33409 ++ vpunpckhqdq $T4,$T3,$T4
33410 ++
33411 ++ # ... since input 64-bit lanes are ordered as 73625140, we could
33412 ++ # "vperm" it to 76543210 (here and in each loop iteration), *or*
33413 ++ # we could just flow along, hence the goal for $R0-$S4 is
33414 ++ # 1858286838784888 ...
33415 ++
33416 ++ vmovdqa32 128(%rcx),$M0 # .Lpermd_avx512:
33417 ++ mov \$0x7777,%eax
33418 ++ kmovw %eax,%k1
33419 ++
33420 ++ vpermd $R0,$M0,$R0 # 14243444 -> 1---2---3---4---
33421 ++ vpermd $R1,$M0,$R1
33422 ++ vpermd $R2,$M0,$R2
33423 ++ vpermd $R3,$M0,$R3
33424 ++ vpermd $R4,$M0,$R4
33425 ++
33426 ++ vpermd $D0,$M0,${R0}{%k1} # 05060708 -> 1858286838784888
33427 ++ vpermd $D1,$M0,${R1}{%k1}
33428 ++ vpermd $D2,$M0,${R2}{%k1}
33429 ++ vpermd $D3,$M0,${R3}{%k1}
33430 ++ vpermd $D4,$M0,${R4}{%k1}
33431 ++
33432 ++ vpslld \$2,$R1,$S1 # *5
33433 ++ vpslld \$2,$R2,$S2
33434 ++ vpslld \$2,$R3,$S3
33435 ++ vpslld \$2,$R4,$S4
33436 ++ vpaddd $R1,$S1,$S1
33437 ++ vpaddd $R2,$S2,$S2
33438 ++ vpaddd $R3,$S3,$S3
33439 ++ vpaddd $R4,$S4,$S4
33440 ++
33441 ++ vpbroadcastq 32(%rcx),$PADBIT # .L129
33442 ++
33443 ++ vpsrlq \$52,$T0,$T2 # splat input
33444 ++ vpsllq \$12,$T4,$T3
33445 ++ vporq $T3,$T2,$T2
33446 ++ vpsrlq \$26,$T0,$T1
33447 ++ vpsrlq \$14,$T4,$T3
33448 ++ vpsrlq \$40,$T4,$T4 # 4
33449 ++ vpandq $MASK,$T2,$T2 # 2
33450 ++ vpandq $MASK,$T0,$T0 # 0
33451 ++ #vpandq $MASK,$T1,$T1 # 1
33452 ++ #vpandq $MASK,$T3,$T3 # 3
33453 ++ #vporq $PADBIT,$T4,$T4 # padbit, yes, always
33454 ++
33455 ++ vpaddq $H2,$T2,$H2 # accumulate input
33456 ++ sub \$192,$len
33457 ++ jbe .Ltail_avx512
33458 ++ jmp .Loop_avx512
33459 ++
33460 ++.align 32
33461 ++.Loop_avx512:
33462 ++ ################################################################
33463 ++ # ((inp[0]*r^8+inp[ 8])*r^8+inp[16])*r^8
33464 ++ # ((inp[1]*r^8+inp[ 9])*r^8+inp[17])*r^7
33465 ++ # ((inp[2]*r^8+inp[10])*r^8+inp[18])*r^6
33466 ++ # ((inp[3]*r^8+inp[11])*r^8+inp[19])*r^5
33467 ++ # ((inp[4]*r^8+inp[12])*r^8+inp[20])*r^4
33468 ++ # ((inp[5]*r^8+inp[13])*r^8+inp[21])*r^3
33469 ++ # ((inp[6]*r^8+inp[14])*r^8+inp[22])*r^2
33470 ++ # ((inp[7]*r^8+inp[15])*r^8+inp[23])*r^1
33471 ++ # \________/\___________/
33472 ++ ################################################################
33473 ++ #vpaddq $H2,$T2,$H2 # accumulate input
33474 ++
33475 ++ # d4 = h4*r0 + h3*r1 + h2*r2 + h1*r3 + h0*r4
33476 ++ # d3 = h3*r0 + h2*r1 + h1*r2 + h0*r3 + h4*5*r4
33477 ++ # d2 = h2*r0 + h1*r1 + h0*r2 + h4*5*r3 + h3*5*r4
33478 ++ # d1 = h1*r0 + h0*r1 + h4*5*r2 + h3*5*r3 + h2*5*r4
33479 ++ # d0 = h0*r0 + h4*5*r1 + h3*5*r2 + h2*5*r3 + h1*5*r4
33480 ++ #
33481 ++ # however, as h2 is "chronologically" first one available pull
33482 ++ # corresponding operations up, so it's
33483 ++ #
33484 ++ # d3 = h2*r1 + h0*r3 + h1*r2 + h3*r0 + h4*5*r4
33485 ++ # d4 = h2*r2 + h0*r4 + h1*r3 + h3*r1 + h4*r0
33486 ++ # d0 = h2*5*r3 + h0*r0 + h1*5*r4 + h3*5*r2 + h4*5*r1
33487 ++ # d1 = h2*5*r4 + h0*r1 + h1*r0 + h3*5*r3 + h4*5*r2
33488 ++ # d2 = h2*r0 + h0*r2 + h1*r1 + h3*5*r4 + h4*5*r3
33489 ++
33490 ++ vpmuludq $H2,$R1,$D3 # d3 = h2*r1
33491 ++ vpaddq $H0,$T0,$H0
33492 ++ vpmuludq $H2,$R2,$D4 # d4 = h2*r2
33493 ++ vpandq $MASK,$T1,$T1 # 1
33494 ++ vpmuludq $H2,$S3,$D0 # d0 = h2*s3
33495 ++ vpandq $MASK,$T3,$T3 # 3
33496 ++ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
33497 ++ vporq $PADBIT,$T4,$T4 # padbit, yes, always
33498 ++ vpmuludq $H2,$R0,$D2 # d2 = h2*r0
33499 ++ vpaddq $H1,$T1,$H1 # accumulate input
33500 ++ vpaddq $H3,$T3,$H3
33501 ++ vpaddq $H4,$T4,$H4
33502 ++
33503 ++ vmovdqu64 16*0($inp),$T3 # load input
33504 ++ vmovdqu64 16*4($inp),$T4
33505 ++ lea 16*8($inp),$inp
33506 ++ vpmuludq $H0,$R3,$M3
33507 ++ vpmuludq $H0,$R4,$M4
33508 ++ vpmuludq $H0,$R0,$M0
33509 ++ vpmuludq $H0,$R1,$M1
33510 ++ vpaddq $M3,$D3,$D3 # d3 += h0*r3
33511 ++ vpaddq $M4,$D4,$D4 # d4 += h0*r4
33512 ++ vpaddq $M0,$D0,$D0 # d0 += h0*r0
33513 ++ vpaddq $M1,$D1,$D1 # d1 += h0*r1
33514 ++
33515 ++ vpmuludq $H1,$R2,$M3
33516 ++ vpmuludq $H1,$R3,$M4
33517 ++ vpmuludq $H1,$S4,$M0
33518 ++ vpmuludq $H0,$R2,$M2
33519 ++ vpaddq $M3,$D3,$D3 # d3 += h1*r2
33520 ++ vpaddq $M4,$D4,$D4 # d4 += h1*r3
33521 ++ vpaddq $M0,$D0,$D0 # d0 += h1*s4
33522 ++ vpaddq $M2,$D2,$D2 # d2 += h0*r2
33523 ++
33524 ++ vpunpcklqdq $T4,$T3,$T0 # transpose input
33525 ++ vpunpckhqdq $T4,$T3,$T4
33526 ++
33527 ++ vpmuludq $H3,$R0,$M3
33528 ++ vpmuludq $H3,$R1,$M4
33529 ++ vpmuludq $H1,$R0,$M1
33530 ++ vpmuludq $H1,$R1,$M2
33531 ++ vpaddq $M3,$D3,$D3 # d3 += h3*r0
33532 ++ vpaddq $M4,$D4,$D4 # d4 += h3*r1
33533 ++ vpaddq $M1,$D1,$D1 # d1 += h1*r0
33534 ++ vpaddq $M2,$D2,$D2 # d2 += h1*r1
33535 ++
33536 ++ vpmuludq $H4,$S4,$M3
33537 ++ vpmuludq $H4,$R0,$M4
33538 ++ vpmuludq $H3,$S2,$M0
33539 ++ vpmuludq $H3,$S3,$M1
33540 ++ vpaddq $M3,$D3,$D3 # d3 += h4*s4
33541 ++ vpmuludq $H3,$S4,$M2
33542 ++ vpaddq $M4,$D4,$D4 # d4 += h4*r0
33543 ++ vpaddq $M0,$D0,$D0 # d0 += h3*s2
33544 ++ vpaddq $M1,$D1,$D1 # d1 += h3*s3
33545 ++ vpaddq $M2,$D2,$D2 # d2 += h3*s4
33546 ++
33547 ++ vpmuludq $H4,$S1,$M0
33548 ++ vpmuludq $H4,$S2,$M1
33549 ++ vpmuludq $H4,$S3,$M2
33550 ++ vpaddq $M0,$D0,$H0 # h0 = d0 + h4*s1
33551 ++ vpaddq $M1,$D1,$H1 # h1 = d2 + h4*s2
33552 ++ vpaddq $M2,$D2,$H2 # h2 = d3 + h4*s3
33553 ++
33554 ++ ################################################################
33555 ++ # lazy reduction (interleaved with input splat)
33556 ++
33557 ++ vpsrlq \$52,$T0,$T2 # splat input
33558 ++ vpsllq \$12,$T4,$T3
33559 ++
33560 ++ vpsrlq \$26,$D3,$H3
33561 ++ vpandq $MASK,$D3,$D3
33562 ++ vpaddq $H3,$D4,$H4 # h3 -> h4
33563 ++
33564 ++ vporq $T3,$T2,$T2
33565 ++
33566 ++ vpsrlq \$26,$H0,$D0
33567 ++ vpandq $MASK,$H0,$H0
33568 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
33569 ++
33570 ++ vpandq $MASK,$T2,$T2 # 2
33571 ++
33572 ++ vpsrlq \$26,$H4,$D4
33573 ++ vpandq $MASK,$H4,$H4
33574 ++
33575 ++ vpsrlq \$26,$H1,$D1
33576 ++ vpandq $MASK,$H1,$H1
33577 ++ vpaddq $D1,$H2,$H2 # h1 -> h2
33578 ++
33579 ++ vpaddq $D4,$H0,$H0
33580 ++ vpsllq \$2,$D4,$D4
33581 ++ vpaddq $D4,$H0,$H0 # h4 -> h0
33582 ++
33583 ++ vpaddq $T2,$H2,$H2 # modulo-scheduled
33584 ++ vpsrlq \$26,$T0,$T1
33585 ++
33586 ++ vpsrlq \$26,$H2,$D2
33587 ++ vpandq $MASK,$H2,$H2
33588 ++ vpaddq $D2,$D3,$H3 # h2 -> h3
33589 ++
33590 ++ vpsrlq \$14,$T4,$T3
33591 ++
33592 ++ vpsrlq \$26,$H0,$D0
33593 ++ vpandq $MASK,$H0,$H0
33594 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
33595 ++
33596 ++ vpsrlq \$40,$T4,$T4 # 4
33597 ++
33598 ++ vpsrlq \$26,$H3,$D3
33599 ++ vpandq $MASK,$H3,$H3
33600 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33601 ++
33602 ++ vpandq $MASK,$T0,$T0 # 0
33603 ++ #vpandq $MASK,$T1,$T1 # 1
33604 ++ #vpandq $MASK,$T3,$T3 # 3
33605 ++ #vporq $PADBIT,$T4,$T4 # padbit, yes, always
33606 ++
33607 ++ sub \$128,$len
33608 ++ ja .Loop_avx512
33609 ++
33610 ++.Ltail_avx512:
33611 ++ ################################################################
33612 ++ # while above multiplications were by r^8 in all lanes, in last
33613 ++ # iteration we multiply least significant lane by r^8 and most
33614 ++ # significant one by r, that's why table gets shifted...
33615 ++
33616 ++ vpsrlq \$32,$R0,$R0 # 0105020603070408
33617 ++ vpsrlq \$32,$R1,$R1
33618 ++ vpsrlq \$32,$R2,$R2
33619 ++ vpsrlq \$32,$S3,$S3
33620 ++ vpsrlq \$32,$S4,$S4
33621 ++ vpsrlq \$32,$R3,$R3
33622 ++ vpsrlq \$32,$R4,$R4
33623 ++ vpsrlq \$32,$S1,$S1
33624 ++ vpsrlq \$32,$S2,$S2
33625 ++
33626 ++ ################################################################
33627 ++ # load either next or last 64 byte of input
33628 ++ lea ($inp,$len),$inp
33629 ++
33630 ++ #vpaddq $H2,$T2,$H2 # accumulate input
33631 ++ vpaddq $H0,$T0,$H0
33632 ++
33633 ++ vpmuludq $H2,$R1,$D3 # d3 = h2*r1
33634 ++ vpmuludq $H2,$R2,$D4 # d4 = h2*r2
33635 ++ vpmuludq $H2,$S3,$D0 # d0 = h2*s3
33636 ++ vpandq $MASK,$T1,$T1 # 1
33637 ++ vpmuludq $H2,$S4,$D1 # d1 = h2*s4
33638 ++ vpandq $MASK,$T3,$T3 # 3
33639 ++ vpmuludq $H2,$R0,$D2 # d2 = h2*r0
33640 ++ vporq $PADBIT,$T4,$T4 # padbit, yes, always
33641 ++ vpaddq $H1,$T1,$H1 # accumulate input
33642 ++ vpaddq $H3,$T3,$H3
33643 ++ vpaddq $H4,$T4,$H4
33644 ++
33645 ++ vmovdqu 16*0($inp),%x#$T0
33646 ++ vpmuludq $H0,$R3,$M3
33647 ++ vpmuludq $H0,$R4,$M4
33648 ++ vpmuludq $H0,$R0,$M0
33649 ++ vpmuludq $H0,$R1,$M1
33650 ++ vpaddq $M3,$D3,$D3 # d3 += h0*r3
33651 ++ vpaddq $M4,$D4,$D4 # d4 += h0*r4
33652 ++ vpaddq $M0,$D0,$D0 # d0 += h0*r0
33653 ++ vpaddq $M1,$D1,$D1 # d1 += h0*r1
33654 ++
33655 ++ vmovdqu 16*1($inp),%x#$T1
33656 ++ vpmuludq $H1,$R2,$M3
33657 ++ vpmuludq $H1,$R3,$M4
33658 ++ vpmuludq $H1,$S4,$M0
33659 ++ vpmuludq $H0,$R2,$M2
33660 ++ vpaddq $M3,$D3,$D3 # d3 += h1*r2
33661 ++ vpaddq $M4,$D4,$D4 # d4 += h1*r3
33662 ++ vpaddq $M0,$D0,$D0 # d0 += h1*s4
33663 ++ vpaddq $M2,$D2,$D2 # d2 += h0*r2
33664 ++
33665 ++ vinserti128 \$1,16*2($inp),%y#$T0,%y#$T0
33666 ++ vpmuludq $H3,$R0,$M3
33667 ++ vpmuludq $H3,$R1,$M4
33668 ++ vpmuludq $H1,$R0,$M1
33669 ++ vpmuludq $H1,$R1,$M2
33670 ++ vpaddq $M3,$D3,$D3 # d3 += h3*r0
33671 ++ vpaddq $M4,$D4,$D4 # d4 += h3*r1
33672 ++ vpaddq $M1,$D1,$D1 # d1 += h1*r0
33673 ++ vpaddq $M2,$D2,$D2 # d2 += h1*r1
33674 ++
33675 ++ vinserti128 \$1,16*3($inp),%y#$T1,%y#$T1
33676 ++ vpmuludq $H4,$S4,$M3
33677 ++ vpmuludq $H4,$R0,$M4
33678 ++ vpmuludq $H3,$S2,$M0
33679 ++ vpmuludq $H3,$S3,$M1
33680 ++ vpmuludq $H3,$S4,$M2
33681 ++ vpaddq $M3,$D3,$H3 # h3 = d3 + h4*s4
33682 ++ vpaddq $M4,$D4,$D4 # d4 += h4*r0
33683 ++ vpaddq $M0,$D0,$D0 # d0 += h3*s2
33684 ++ vpaddq $M1,$D1,$D1 # d1 += h3*s3
33685 ++ vpaddq $M2,$D2,$D2 # d2 += h3*s4
33686 ++
33687 ++ vpmuludq $H4,$S1,$M0
33688 ++ vpmuludq $H4,$S2,$M1
33689 ++ vpmuludq $H4,$S3,$M2
33690 ++ vpaddq $M0,$D0,$H0 # h0 = d0 + h4*s1
33691 ++ vpaddq $M1,$D1,$H1 # h1 = d2 + h4*s2
33692 ++ vpaddq $M2,$D2,$H2 # h2 = d3 + h4*s3
33693 ++
33694 ++ ################################################################
33695 ++ # horizontal addition
33696 ++
33697 ++ mov \$1,%eax
33698 ++ vpermq \$0xb1,$H3,$D3
33699 ++ vpermq \$0xb1,$D4,$H4
33700 ++ vpermq \$0xb1,$H0,$D0
33701 ++ vpermq \$0xb1,$H1,$D1
33702 ++ vpermq \$0xb1,$H2,$D2
33703 ++ vpaddq $D3,$H3,$H3
33704 ++ vpaddq $D4,$H4,$H4
33705 ++ vpaddq $D0,$H0,$H0
33706 ++ vpaddq $D1,$H1,$H1
33707 ++ vpaddq $D2,$H2,$H2
33708 ++
33709 ++ kmovw %eax,%k3
33710 ++ vpermq \$0x2,$H3,$D3
33711 ++ vpermq \$0x2,$H4,$D4
33712 ++ vpermq \$0x2,$H0,$D0
33713 ++ vpermq \$0x2,$H1,$D1
33714 ++ vpermq \$0x2,$H2,$D2
33715 ++ vpaddq $D3,$H3,$H3
33716 ++ vpaddq $D4,$H4,$H4
33717 ++ vpaddq $D0,$H0,$H0
33718 ++ vpaddq $D1,$H1,$H1
33719 ++ vpaddq $D2,$H2,$H2
33720 ++
33721 ++ vextracti64x4 \$0x1,$H3,%y#$D3
33722 ++ vextracti64x4 \$0x1,$H4,%y#$D4
33723 ++ vextracti64x4 \$0x1,$H0,%y#$D0
33724 ++ vextracti64x4 \$0x1,$H1,%y#$D1
33725 ++ vextracti64x4 \$0x1,$H2,%y#$D2
33726 ++ vpaddq $D3,$H3,${H3}{%k3}{z} # keep single qword in case
33727 ++ vpaddq $D4,$H4,${H4}{%k3}{z} # it's passed to .Ltail_avx2
33728 ++ vpaddq $D0,$H0,${H0}{%k3}{z}
33729 ++ vpaddq $D1,$H1,${H1}{%k3}{z}
33730 ++ vpaddq $D2,$H2,${H2}{%k3}{z}
33731 ++___
33732 ++map(s/%z/%y/,($T0,$T1,$T2,$T3,$T4, $PADBIT));
33733 ++map(s/%z/%y/,($H0,$H1,$H2,$H3,$H4, $D0,$D1,$D2,$D3,$D4, $MASK));
33734 ++$code.=<<___;
33735 ++ ################################################################
33736 ++ # lazy reduction (interleaved with input splat)
33737 ++
33738 ++ vpsrlq \$26,$H3,$D3
33739 ++ vpand $MASK,$H3,$H3
33740 ++ vpsrldq \$6,$T0,$T2 # splat input
33741 ++ vpsrldq \$6,$T1,$T3
33742 ++ vpunpckhqdq $T1,$T0,$T4 # 4
33743 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33744 ++
33745 ++ vpsrlq \$26,$H0,$D0
33746 ++ vpand $MASK,$H0,$H0
33747 ++ vpunpcklqdq $T3,$T2,$T2 # 2:3
33748 ++ vpunpcklqdq $T1,$T0,$T0 # 0:1
33749 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
33750 ++
33751 ++ vpsrlq \$26,$H4,$D4
33752 ++ vpand $MASK,$H4,$H4
33753 ++
33754 ++ vpsrlq \$26,$H1,$D1
33755 ++ vpand $MASK,$H1,$H1
33756 ++ vpsrlq \$30,$T2,$T3
33757 ++ vpsrlq \$4,$T2,$T2
33758 ++ vpaddq $D1,$H2,$H2 # h1 -> h2
33759 ++
33760 ++ vpaddq $D4,$H0,$H0
33761 ++ vpsllq \$2,$D4,$D4
33762 ++ vpsrlq \$26,$T0,$T1
33763 ++ vpsrlq \$40,$T4,$T4 # 4
33764 ++ vpaddq $D4,$H0,$H0 # h4 -> h0
33765 ++
33766 ++ vpsrlq \$26,$H2,$D2
33767 ++ vpand $MASK,$H2,$H2
33768 ++ vpand $MASK,$T2,$T2 # 2
33769 ++ vpand $MASK,$T0,$T0 # 0
33770 ++ vpaddq $D2,$H3,$H3 # h2 -> h3
33771 ++
33772 ++ vpsrlq \$26,$H0,$D0
33773 ++ vpand $MASK,$H0,$H0
33774 ++ vpaddq $H2,$T2,$H2 # accumulate input for .Ltail_avx2
33775 ++ vpand $MASK,$T1,$T1 # 1
33776 ++ vpaddq $D0,$H1,$H1 # h0 -> h1
33777 ++
33778 ++ vpsrlq \$26,$H3,$D3
33779 ++ vpand $MASK,$H3,$H3
33780 ++ vpand $MASK,$T3,$T3 # 3
33781 ++ vpor 32(%rcx),$T4,$T4 # padbit, yes, always
33782 ++ vpaddq $D3,$H4,$H4 # h3 -> h4
33783 ++
33784 ++ lea 0x90(%rsp),%rax # size optimization for .Ltail_avx2
33785 ++ add \$64,$len
33786 ++ jnz .Ltail_avx2$suffix
33787 ++
33788 ++ vpsubq $T2,$H2,$H2 # undo input accumulation
33789 ++ vmovd %x#$H0,`4*0-48-64`($ctx)# save partially reduced
33790 ++ vmovd %x#$H1,`4*1-48-64`($ctx)
33791 ++ vmovd %x#$H2,`4*2-48-64`($ctx)
33792 ++ vmovd %x#$H3,`4*3-48-64`($ctx)
33793 ++ vmovd %x#$H4,`4*4-48-64`($ctx)
33794 ++ vzeroall
33795 ++___
33796 ++$code.=<<___ if ($win64);
33797 ++ movdqa -0xb0(%r10),%xmm6
33798 ++ movdqa -0xa0(%r10),%xmm7
33799 ++ movdqa -0x90(%r10),%xmm8
33800 ++ movdqa -0x80(%r10),%xmm9
33801 ++ movdqa -0x70(%r10),%xmm10
33802 ++ movdqa -0x60(%r10),%xmm11
33803 ++ movdqa -0x50(%r10),%xmm12
33804 ++ movdqa -0x40(%r10),%xmm13
33805 ++ movdqa -0x30(%r10),%xmm14
33806 ++ movdqa -0x20(%r10),%xmm15
33807 ++ lea -8(%r10),%rsp
33808 ++.Ldo_avx512_epilogue:
33809 ++___
33810 ++$code.=<<___ if (!$win64);
33811 ++ lea -8(%r10),%rsp
33812 ++.cfi_def_cfa_register %rsp
33813 ++___
33814 ++$code.=<<___;
33815 ++ ret
33816 ++.cfi_endproc
33817 ++___
33818 ++
33819 ++}
33820 ++
33821 ++}
33822 ++
33823 ++&declare_function("poly1305_blocks_avx2", 32, 4);
33824 ++poly1305_blocks_avxN(0);
33825 ++&end_function("poly1305_blocks_avx2");
33826 ++
33827 ++if($kernel) {
33828 ++ $code .= "#endif\n";
33829 ++}
33830 ++
33831 ++#######################################################################
33832 ++if ($avx>2) {
33833 ++# On entry we have input length divisible by 64. But since inner loop
33834 ++# processes 128 bytes per iteration, cases when length is not divisible
33835 ++# by 128 are handled by passing tail 64 bytes to .Ltail_avx2. For this
33836 ++# reason stack layout is kept identical to poly1305_blocks_avx2. If not
33837 ++# for this tail, we wouldn't have to even allocate stack frame...
33838 ++
33839 ++if($kernel) {
33840 ++ $code .= "#ifdef CONFIG_AS_AVX512\n";
33841 ++}
33842 ++
33843 ++&declare_function("poly1305_blocks_avx512", 32, 4);
33844 ++poly1305_blocks_avxN(1);
33845 ++&end_function("poly1305_blocks_avx512");
33846 ++
33847 ++if ($kernel) {
33848 ++ $code .= "#endif\n";
33849 ++}
33850 ++
33851 ++if (!$kernel && $avx>3) {
33852 ++########################################################################
33853 ++# VPMADD52 version using 2^44 radix.
33854 ++#
33855 ++# One can argue that base 2^52 would be more natural. Well, even though
33856 ++# some operations would be more natural, one has to recognize couple of
33857 ++# things. Base 2^52 doesn't provide advantage over base 2^44 if you look
33858 ++# at amount of multiply-n-accumulate operations. Secondly, it makes it
33859 ++# impossible to pre-compute multiples of 5 [referred to as s[]/sN in
33860 ++# reference implementations], which means that more such operations
33861 ++# would have to be performed in inner loop, which in turn makes critical
33862 ++# path longer. In other words, even though base 2^44 reduction might
33863 ++# look less elegant, overall critical path is actually shorter...
33864 ++
33865 ++########################################################################
33866 ++# Layout of opaque area is following.
33867 ++#
33868 ++# unsigned __int64 h[3]; # current hash value base 2^44
33869 ++# unsigned __int64 s[2]; # key value*20 base 2^44
33870 ++# unsigned __int64 r[3]; # key value base 2^44
33871 ++# struct { unsigned __int64 r^1, r^3, r^2, r^4; } R[4];
33872 ++# # r^n positions reflect
33873 ++# # placement in register, not
33874 ++# # memory, R[3] is R[1]*20
33875 ++
33876 ++$code.=<<___;
33877 ++.type poly1305_init_base2_44,\@function,3
33878 ++.align 32
33879 ++poly1305_init_base2_44:
33880 ++ xor %eax,%eax
33881 ++ mov %rax,0($ctx) # initialize hash value
33882 ++ mov %rax,8($ctx)
33883 ++ mov %rax,16($ctx)
33884 ++
33885 ++.Linit_base2_44:
33886 ++ lea poly1305_blocks_vpmadd52(%rip),%r10
33887 ++ lea poly1305_emit_base2_44(%rip),%r11
33888 ++
33889 ++ mov \$0x0ffffffc0fffffff,%rax
33890 ++ mov \$0x0ffffffc0ffffffc,%rcx
33891 ++ and 0($inp),%rax
33892 ++ mov \$0x00000fffffffffff,%r8
33893 ++ and 8($inp),%rcx
33894 ++ mov \$0x00000fffffffffff,%r9
33895 ++ and %rax,%r8
33896 ++ shrd \$44,%rcx,%rax
33897 ++ mov %r8,40($ctx) # r0
33898 ++ and %r9,%rax
33899 ++ shr \$24,%rcx
33900 ++ mov %rax,48($ctx) # r1
33901 ++ lea (%rax,%rax,4),%rax # *5
33902 ++ mov %rcx,56($ctx) # r2
33903 ++ shl \$2,%rax # magic <<2
33904 ++ lea (%rcx,%rcx,4),%rcx # *5
33905 ++ shl \$2,%rcx # magic <<2
33906 ++ mov %rax,24($ctx) # s1
33907 ++ mov %rcx,32($ctx) # s2
33908 ++ movq \$-1,64($ctx) # write impossible value
33909 ++___
33910 ++$code.=<<___ if ($flavour !~ /elf32/);
33911 ++ mov %r10,0(%rdx)
33912 ++ mov %r11,8(%rdx)
33913 ++___
33914 ++$code.=<<___ if ($flavour =~ /elf32/);
33915 ++ mov %r10d,0(%rdx)
33916 ++ mov %r11d,4(%rdx)
33917 ++___
33918 ++$code.=<<___;
33919 ++ mov \$1,%eax
33920 ++ ret
33921 ++.size poly1305_init_base2_44,.-poly1305_init_base2_44
33922 ++___
33923 ++{
33924 ++my ($H0,$H1,$H2,$r2r1r0,$r1r0s2,$r0s2s1,$Dlo,$Dhi) = map("%ymm$_",(0..5,16,17));
33925 ++my ($T0,$inp_permd,$inp_shift,$PAD) = map("%ymm$_",(18..21));
33926 ++my ($reduc_mask,$reduc_rght,$reduc_left) = map("%ymm$_",(22..25));
33927 ++
33928 ++$code.=<<___;
33929 ++.type poly1305_blocks_vpmadd52,\@function,4
33930 ++.align 32
33931 ++poly1305_blocks_vpmadd52:
33932 ++ shr \$4,$len
33933 ++ jz .Lno_data_vpmadd52 # too short
33934 ++
33935 ++ shl \$40,$padbit
33936 ++ mov 64($ctx),%r8 # peek on power of the key
33937 ++
33938 ++ # if powers of the key are not calculated yet, process up to 3
33939 ++ # blocks with this single-block subroutine, otherwise ensure that
33940 ++ # length is divisible by 2 blocks and pass the rest down to next
33941 ++ # subroutine...
33942 ++
33943 ++ mov \$3,%rax
33944 ++ mov \$1,%r10
33945 ++ cmp \$4,$len # is input long
33946 ++ cmovae %r10,%rax
33947 ++ test %r8,%r8 # is power value impossible?
33948 ++ cmovns %r10,%rax
33949 ++
33950 ++ and $len,%rax # is input of favourable length?
33951 ++ jz .Lblocks_vpmadd52_4x
33952 ++
33953 ++ sub %rax,$len
33954 ++ mov \$7,%r10d
33955 ++ mov \$1,%r11d
33956 ++ kmovw %r10d,%k7
33957 ++ lea .L2_44_inp_permd(%rip),%r10
33958 ++ kmovw %r11d,%k1
33959 ++
33960 ++ vmovq $padbit,%x#$PAD
33961 ++ vmovdqa64 0(%r10),$inp_permd # .L2_44_inp_permd
33962 ++ vmovdqa64 32(%r10),$inp_shift # .L2_44_inp_shift
33963 ++ vpermq \$0xcf,$PAD,$PAD
33964 ++ vmovdqa64 64(%r10),$reduc_mask # .L2_44_mask
33965 ++
33966 ++ vmovdqu64 0($ctx),${Dlo}{%k7}{z} # load hash value
33967 ++ vmovdqu64 40($ctx),${r2r1r0}{%k7}{z} # load keys
33968 ++ vmovdqu64 32($ctx),${r1r0s2}{%k7}{z}
33969 ++ vmovdqu64 24($ctx),${r0s2s1}{%k7}{z}
33970 ++
33971 ++ vmovdqa64 96(%r10),$reduc_rght # .L2_44_shift_rgt
33972 ++ vmovdqa64 128(%r10),$reduc_left # .L2_44_shift_lft
33973 ++
33974 ++ jmp .Loop_vpmadd52
33975 ++
33976 ++.align 32
33977 ++.Loop_vpmadd52:
33978 ++ vmovdqu32 0($inp),%x#$T0 # load input as ----3210
33979 ++ lea 16($inp),$inp
33980 ++
33981 ++ vpermd $T0,$inp_permd,$T0 # ----3210 -> --322110
33982 ++ vpsrlvq $inp_shift,$T0,$T0
33983 ++ vpandq $reduc_mask,$T0,$T0
33984 ++ vporq $PAD,$T0,$T0
33985 ++
33986 ++ vpaddq $T0,$Dlo,$Dlo # accumulate input
33987 ++
33988 ++ vpermq \$0,$Dlo,${H0}{%k7}{z} # smash hash value
33989 ++ vpermq \$0b01010101,$Dlo,${H1}{%k7}{z}
33990 ++ vpermq \$0b10101010,$Dlo,${H2}{%k7}{z}
33991 ++
33992 ++ vpxord $Dlo,$Dlo,$Dlo
33993 ++ vpxord $Dhi,$Dhi,$Dhi
33994 ++
33995 ++ vpmadd52luq $r2r1r0,$H0,$Dlo
33996 ++ vpmadd52huq $r2r1r0,$H0,$Dhi
33997 ++
33998 ++ vpmadd52luq $r1r0s2,$H1,$Dlo
33999 ++ vpmadd52huq $r1r0s2,$H1,$Dhi
34000 ++
34001 ++ vpmadd52luq $r0s2s1,$H2,$Dlo
34002 ++ vpmadd52huq $r0s2s1,$H2,$Dhi
34003 ++
34004 ++ vpsrlvq $reduc_rght,$Dlo,$T0 # 0 in topmost qword
34005 ++ vpsllvq $reduc_left,$Dhi,$Dhi # 0 in topmost qword
34006 ++ vpandq $reduc_mask,$Dlo,$Dlo
34007 ++
34008 ++ vpaddq $T0,$Dhi,$Dhi
34009 ++
34010 ++ vpermq \$0b10010011,$Dhi,$Dhi # 0 in lowest qword
34011 ++
34012 ++ vpaddq $Dhi,$Dlo,$Dlo # note topmost qword :-)
34013 ++
34014 ++ vpsrlvq $reduc_rght,$Dlo,$T0 # 0 in topmost word
34015 ++ vpandq $reduc_mask,$Dlo,$Dlo
34016 ++
34017 ++ vpermq \$0b10010011,$T0,$T0
34018 ++
34019 ++ vpaddq $T0,$Dlo,$Dlo
34020 ++
34021 ++ vpermq \$0b10010011,$Dlo,${T0}{%k1}{z}
34022 ++
34023 ++ vpaddq $T0,$Dlo,$Dlo
34024 ++ vpsllq \$2,$T0,$T0
34025 ++
34026 ++ vpaddq $T0,$Dlo,$Dlo
34027 ++
34028 ++ dec %rax # len-=16
34029 ++ jnz .Loop_vpmadd52
34030 ++
34031 ++ vmovdqu64 $Dlo,0($ctx){%k7} # store hash value
34032 ++
34033 ++ test $len,$len
34034 ++ jnz .Lblocks_vpmadd52_4x
34035 ++
34036 ++.Lno_data_vpmadd52:
34037 ++ ret
34038 ++.size poly1305_blocks_vpmadd52,.-poly1305_blocks_vpmadd52
34039 ++___
34040 ++}
34041 ++{
34042 ++########################################################################
34043 ++# As implied by its name 4x subroutine processes 4 blocks in parallel
34044 ++# (but handles even 4*n+2 blocks lengths). It takes up to 4th key power
34045 ++# and is handled in 256-bit %ymm registers.
34046 ++
34047 ++my ($H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2) = map("%ymm$_",(0..5,16,17));
34048 ++my ($D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi) = map("%ymm$_",(18..23));
34049 ++my ($T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD) = map("%ymm$_",(24..31));
34050 ++
34051 ++$code.=<<___;
34052 ++.type poly1305_blocks_vpmadd52_4x,\@function,4
34053 ++.align 32
34054 ++poly1305_blocks_vpmadd52_4x:
34055 ++ shr \$4,$len
34056 ++ jz .Lno_data_vpmadd52_4x # too short
34057 ++
34058 ++ shl \$40,$padbit
34059 ++ mov 64($ctx),%r8 # peek on power of the key
34060 ++
34061 ++.Lblocks_vpmadd52_4x:
34062 ++ vpbroadcastq $padbit,$PAD
34063 ++
34064 ++ vmovdqa64 .Lx_mask44(%rip),$mask44
34065 ++ mov \$5,%eax
34066 ++ vmovdqa64 .Lx_mask42(%rip),$mask42
34067 ++ kmovw %eax,%k1 # used in 2x path
34068 ++
34069 ++ test %r8,%r8 # is power value impossible?
34070 ++ js .Linit_vpmadd52 # if it is, then init R[4]
34071 ++
34072 ++ vmovq 0($ctx),%x#$H0 # load current hash value
34073 ++ vmovq 8($ctx),%x#$H1
34074 ++ vmovq 16($ctx),%x#$H2
34075 ++
34076 ++ test \$3,$len # is length 4*n+2?
34077 ++ jnz .Lblocks_vpmadd52_2x_do
34078 ++
34079 ++.Lblocks_vpmadd52_4x_do:
34080 ++ vpbroadcastq 64($ctx),$R0 # load 4th power of the key
34081 ++ vpbroadcastq 96($ctx),$R1
34082 ++ vpbroadcastq 128($ctx),$R2
34083 ++ vpbroadcastq 160($ctx),$S1
34084 ++
34085 ++.Lblocks_vpmadd52_4x_key_loaded:
34086 ++ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34087 ++ vpaddq $R2,$S2,$S2
34088 ++ vpsllq \$2,$S2,$S2
34089 ++
34090 ++ test \$7,$len # is len 8*n?
34091 ++ jz .Lblocks_vpmadd52_8x
34092 ++
34093 ++ vmovdqu64 16*0($inp),$T2 # load data
34094 ++ vmovdqu64 16*2($inp),$T3
34095 ++ lea 16*4($inp),$inp
34096 ++
34097 ++ vpunpcklqdq $T3,$T2,$T1 # transpose data
34098 ++ vpunpckhqdq $T3,$T2,$T3
34099 ++
34100 ++ # at this point 64-bit lanes are ordered as 3-1-2-0
34101 ++
34102 ++ vpsrlq \$24,$T3,$T2 # splat the data
34103 ++ vporq $PAD,$T2,$T2
34104 ++ vpaddq $T2,$H2,$H2 # accumulate input
34105 ++ vpandq $mask44,$T1,$T0
34106 ++ vpsrlq \$44,$T1,$T1
34107 ++ vpsllq \$20,$T3,$T3
34108 ++ vporq $T3,$T1,$T1
34109 ++ vpandq $mask44,$T1,$T1
34110 ++
34111 ++ sub \$4,$len
34112 ++ jz .Ltail_vpmadd52_4x
34113 ++ jmp .Loop_vpmadd52_4x
34114 ++ ud2
34115 ++
34116 ++.align 32
34117 ++.Linit_vpmadd52:
34118 ++ vmovq 24($ctx),%x#$S1 # load key
34119 ++ vmovq 56($ctx),%x#$H2
34120 ++ vmovq 32($ctx),%x#$S2
34121 ++ vmovq 40($ctx),%x#$R0
34122 ++ vmovq 48($ctx),%x#$R1
34123 ++
34124 ++ vmovdqa $R0,$H0
34125 ++ vmovdqa $R1,$H1
34126 ++ vmovdqa $H2,$R2
34127 ++
34128 ++ mov \$2,%eax
34129 ++
34130 ++.Lmul_init_vpmadd52:
34131 ++ vpxorq $D0lo,$D0lo,$D0lo
34132 ++ vpmadd52luq $H2,$S1,$D0lo
34133 ++ vpxorq $D0hi,$D0hi,$D0hi
34134 ++ vpmadd52huq $H2,$S1,$D0hi
34135 ++ vpxorq $D1lo,$D1lo,$D1lo
34136 ++ vpmadd52luq $H2,$S2,$D1lo
34137 ++ vpxorq $D1hi,$D1hi,$D1hi
34138 ++ vpmadd52huq $H2,$S2,$D1hi
34139 ++ vpxorq $D2lo,$D2lo,$D2lo
34140 ++ vpmadd52luq $H2,$R0,$D2lo
34141 ++ vpxorq $D2hi,$D2hi,$D2hi
34142 ++ vpmadd52huq $H2,$R0,$D2hi
34143 ++
34144 ++ vpmadd52luq $H0,$R0,$D0lo
34145 ++ vpmadd52huq $H0,$R0,$D0hi
34146 ++ vpmadd52luq $H0,$R1,$D1lo
34147 ++ vpmadd52huq $H0,$R1,$D1hi
34148 ++ vpmadd52luq $H0,$R2,$D2lo
34149 ++ vpmadd52huq $H0,$R2,$D2hi
34150 ++
34151 ++ vpmadd52luq $H1,$S2,$D0lo
34152 ++ vpmadd52huq $H1,$S2,$D0hi
34153 ++ vpmadd52luq $H1,$R0,$D1lo
34154 ++ vpmadd52huq $H1,$R0,$D1hi
34155 ++ vpmadd52luq $H1,$R1,$D2lo
34156 ++ vpmadd52huq $H1,$R1,$D2hi
34157 ++
34158 ++ ################################################################
34159 ++ # partial reduction
34160 ++ vpsrlq \$44,$D0lo,$tmp
34161 ++ vpsllq \$8,$D0hi,$D0hi
34162 ++ vpandq $mask44,$D0lo,$H0
34163 ++ vpaddq $tmp,$D0hi,$D0hi
34164 ++
34165 ++ vpaddq $D0hi,$D1lo,$D1lo
34166 ++
34167 ++ vpsrlq \$44,$D1lo,$tmp
34168 ++ vpsllq \$8,$D1hi,$D1hi
34169 ++ vpandq $mask44,$D1lo,$H1
34170 ++ vpaddq $tmp,$D1hi,$D1hi
34171 ++
34172 ++ vpaddq $D1hi,$D2lo,$D2lo
34173 ++
34174 ++ vpsrlq \$42,$D2lo,$tmp
34175 ++ vpsllq \$10,$D2hi,$D2hi
34176 ++ vpandq $mask42,$D2lo,$H2
34177 ++ vpaddq $tmp,$D2hi,$D2hi
34178 ++
34179 ++ vpaddq $D2hi,$H0,$H0
34180 ++ vpsllq \$2,$D2hi,$D2hi
34181 ++
34182 ++ vpaddq $D2hi,$H0,$H0
34183 ++
34184 ++ vpsrlq \$44,$H0,$tmp # additional step
34185 ++ vpandq $mask44,$H0,$H0
34186 ++
34187 ++ vpaddq $tmp,$H1,$H1
34188 ++
34189 ++ dec %eax
34190 ++ jz .Ldone_init_vpmadd52
34191 ++
34192 ++ vpunpcklqdq $R1,$H1,$R1 # 1,2
34193 ++ vpbroadcastq %x#$H1,%x#$H1 # 2,2
34194 ++ vpunpcklqdq $R2,$H2,$R2
34195 ++ vpbroadcastq %x#$H2,%x#$H2
34196 ++ vpunpcklqdq $R0,$H0,$R0
34197 ++ vpbroadcastq %x#$H0,%x#$H0
34198 ++
34199 ++ vpsllq \$2,$R1,$S1 # S1 = R1*5*4
34200 ++ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34201 ++ vpaddq $R1,$S1,$S1
34202 ++ vpaddq $R2,$S2,$S2
34203 ++ vpsllq \$2,$S1,$S1
34204 ++ vpsllq \$2,$S2,$S2
34205 ++
34206 ++ jmp .Lmul_init_vpmadd52
34207 ++ ud2
34208 ++
34209 ++.align 32
34210 ++.Ldone_init_vpmadd52:
34211 ++ vinserti128 \$1,%x#$R1,$H1,$R1 # 1,2,3,4
34212 ++ vinserti128 \$1,%x#$R2,$H2,$R2
34213 ++ vinserti128 \$1,%x#$R0,$H0,$R0
34214 ++
34215 ++ vpermq \$0b11011000,$R1,$R1 # 1,3,2,4
34216 ++ vpermq \$0b11011000,$R2,$R2
34217 ++ vpermq \$0b11011000,$R0,$R0
34218 ++
34219 ++ vpsllq \$2,$R1,$S1 # S1 = R1*5*4
34220 ++ vpaddq $R1,$S1,$S1
34221 ++ vpsllq \$2,$S1,$S1
34222 ++
34223 ++ vmovq 0($ctx),%x#$H0 # load current hash value
34224 ++ vmovq 8($ctx),%x#$H1
34225 ++ vmovq 16($ctx),%x#$H2
34226 ++
34227 ++ test \$3,$len # is length 4*n+2?
34228 ++ jnz .Ldone_init_vpmadd52_2x
34229 ++
34230 ++ vmovdqu64 $R0,64($ctx) # save key powers
34231 ++ vpbroadcastq %x#$R0,$R0 # broadcast 4th power
34232 ++ vmovdqu64 $R1,96($ctx)
34233 ++ vpbroadcastq %x#$R1,$R1
34234 ++ vmovdqu64 $R2,128($ctx)
34235 ++ vpbroadcastq %x#$R2,$R2
34236 ++ vmovdqu64 $S1,160($ctx)
34237 ++ vpbroadcastq %x#$S1,$S1
34238 ++
34239 ++ jmp .Lblocks_vpmadd52_4x_key_loaded
34240 ++ ud2
34241 ++
34242 ++.align 32
34243 ++.Ldone_init_vpmadd52_2x:
34244 ++ vmovdqu64 $R0,64($ctx) # save key powers
34245 ++ vpsrldq \$8,$R0,$R0 # 0-1-0-2
34246 ++ vmovdqu64 $R1,96($ctx)
34247 ++ vpsrldq \$8,$R1,$R1
34248 ++ vmovdqu64 $R2,128($ctx)
34249 ++ vpsrldq \$8,$R2,$R2
34250 ++ vmovdqu64 $S1,160($ctx)
34251 ++ vpsrldq \$8,$S1,$S1
34252 ++ jmp .Lblocks_vpmadd52_2x_key_loaded
34253 ++ ud2
34254 ++
34255 ++.align 32
34256 ++.Lblocks_vpmadd52_2x_do:
34257 ++ vmovdqu64 128+8($ctx),${R2}{%k1}{z}# load 2nd and 1st key powers
34258 ++ vmovdqu64 160+8($ctx),${S1}{%k1}{z}
34259 ++ vmovdqu64 64+8($ctx),${R0}{%k1}{z}
34260 ++ vmovdqu64 96+8($ctx),${R1}{%k1}{z}
34261 ++
34262 ++.Lblocks_vpmadd52_2x_key_loaded:
34263 ++ vmovdqu64 16*0($inp),$T2 # load data
34264 ++ vpxorq $T3,$T3,$T3
34265 ++ lea 16*2($inp),$inp
34266 ++
34267 ++ vpunpcklqdq $T3,$T2,$T1 # transpose data
34268 ++ vpunpckhqdq $T3,$T2,$T3
34269 ++
34270 ++ # at this point 64-bit lanes are ordered as x-1-x-0
34271 ++
34272 ++ vpsrlq \$24,$T3,$T2 # splat the data
34273 ++ vporq $PAD,$T2,$T2
34274 ++ vpaddq $T2,$H2,$H2 # accumulate input
34275 ++ vpandq $mask44,$T1,$T0
34276 ++ vpsrlq \$44,$T1,$T1
34277 ++ vpsllq \$20,$T3,$T3
34278 ++ vporq $T3,$T1,$T1
34279 ++ vpandq $mask44,$T1,$T1
34280 ++
34281 ++ jmp .Ltail_vpmadd52_2x
34282 ++ ud2
34283 ++
34284 ++.align 32
34285 ++.Loop_vpmadd52_4x:
34286 ++ #vpaddq $T2,$H2,$H2 # accumulate input
34287 ++ vpaddq $T0,$H0,$H0
34288 ++ vpaddq $T1,$H1,$H1
34289 ++
34290 ++ vpxorq $D0lo,$D0lo,$D0lo
34291 ++ vpmadd52luq $H2,$S1,$D0lo
34292 ++ vpxorq $D0hi,$D0hi,$D0hi
34293 ++ vpmadd52huq $H2,$S1,$D0hi
34294 ++ vpxorq $D1lo,$D1lo,$D1lo
34295 ++ vpmadd52luq $H2,$S2,$D1lo
34296 ++ vpxorq $D1hi,$D1hi,$D1hi
34297 ++ vpmadd52huq $H2,$S2,$D1hi
34298 ++ vpxorq $D2lo,$D2lo,$D2lo
34299 ++ vpmadd52luq $H2,$R0,$D2lo
34300 ++ vpxorq $D2hi,$D2hi,$D2hi
34301 ++ vpmadd52huq $H2,$R0,$D2hi
34302 ++
34303 ++ vmovdqu64 16*0($inp),$T2 # load data
34304 ++ vmovdqu64 16*2($inp),$T3
34305 ++ lea 16*4($inp),$inp
34306 ++ vpmadd52luq $H0,$R0,$D0lo
34307 ++ vpmadd52huq $H0,$R0,$D0hi
34308 ++ vpmadd52luq $H0,$R1,$D1lo
34309 ++ vpmadd52huq $H0,$R1,$D1hi
34310 ++ vpmadd52luq $H0,$R2,$D2lo
34311 ++ vpmadd52huq $H0,$R2,$D2hi
34312 ++
34313 ++ vpunpcklqdq $T3,$T2,$T1 # transpose data
34314 ++ vpunpckhqdq $T3,$T2,$T3
34315 ++ vpmadd52luq $H1,$S2,$D0lo
34316 ++ vpmadd52huq $H1,$S2,$D0hi
34317 ++ vpmadd52luq $H1,$R0,$D1lo
34318 ++ vpmadd52huq $H1,$R0,$D1hi
34319 ++ vpmadd52luq $H1,$R1,$D2lo
34320 ++ vpmadd52huq $H1,$R1,$D2hi
34321 ++
34322 ++ ################################################################
34323 ++ # partial reduction (interleaved with data splat)
34324 ++ vpsrlq \$44,$D0lo,$tmp
34325 ++ vpsllq \$8,$D0hi,$D0hi
34326 ++ vpandq $mask44,$D0lo,$H0
34327 ++ vpaddq $tmp,$D0hi,$D0hi
34328 ++
34329 ++ vpsrlq \$24,$T3,$T2
34330 ++ vporq $PAD,$T2,$T2
34331 ++ vpaddq $D0hi,$D1lo,$D1lo
34332 ++
34333 ++ vpsrlq \$44,$D1lo,$tmp
34334 ++ vpsllq \$8,$D1hi,$D1hi
34335 ++ vpandq $mask44,$D1lo,$H1
34336 ++ vpaddq $tmp,$D1hi,$D1hi
34337 ++
34338 ++ vpandq $mask44,$T1,$T0
34339 ++ vpsrlq \$44,$T1,$T1
34340 ++ vpsllq \$20,$T3,$T3
34341 ++ vpaddq $D1hi,$D2lo,$D2lo
34342 ++
34343 ++ vpsrlq \$42,$D2lo,$tmp
34344 ++ vpsllq \$10,$D2hi,$D2hi
34345 ++ vpandq $mask42,$D2lo,$H2
34346 ++ vpaddq $tmp,$D2hi,$D2hi
34347 ++
34348 ++ vpaddq $T2,$H2,$H2 # accumulate input
34349 ++ vpaddq $D2hi,$H0,$H0
34350 ++ vpsllq \$2,$D2hi,$D2hi
34351 ++
34352 ++ vpaddq $D2hi,$H0,$H0
34353 ++ vporq $T3,$T1,$T1
34354 ++ vpandq $mask44,$T1,$T1
34355 ++
34356 ++ vpsrlq \$44,$H0,$tmp # additional step
34357 ++ vpandq $mask44,$H0,$H0
34358 ++
34359 ++ vpaddq $tmp,$H1,$H1
34360 ++
34361 ++ sub \$4,$len # len-=64
34362 ++ jnz .Loop_vpmadd52_4x
34363 ++
34364 ++.Ltail_vpmadd52_4x:
34365 ++ vmovdqu64 128($ctx),$R2 # load all key powers
34366 ++ vmovdqu64 160($ctx),$S1
34367 ++ vmovdqu64 64($ctx),$R0
34368 ++ vmovdqu64 96($ctx),$R1
34369 ++
34370 ++.Ltail_vpmadd52_2x:
34371 ++ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34372 ++ vpaddq $R2,$S2,$S2
34373 ++ vpsllq \$2,$S2,$S2
34374 ++
34375 ++ #vpaddq $T2,$H2,$H2 # accumulate input
34376 ++ vpaddq $T0,$H0,$H0
34377 ++ vpaddq $T1,$H1,$H1
34378 ++
34379 ++ vpxorq $D0lo,$D0lo,$D0lo
34380 ++ vpmadd52luq $H2,$S1,$D0lo
34381 ++ vpxorq $D0hi,$D0hi,$D0hi
34382 ++ vpmadd52huq $H2,$S1,$D0hi
34383 ++ vpxorq $D1lo,$D1lo,$D1lo
34384 ++ vpmadd52luq $H2,$S2,$D1lo
34385 ++ vpxorq $D1hi,$D1hi,$D1hi
34386 ++ vpmadd52huq $H2,$S2,$D1hi
34387 ++ vpxorq $D2lo,$D2lo,$D2lo
34388 ++ vpmadd52luq $H2,$R0,$D2lo
34389 ++ vpxorq $D2hi,$D2hi,$D2hi
34390 ++ vpmadd52huq $H2,$R0,$D2hi
34391 ++
34392 ++ vpmadd52luq $H0,$R0,$D0lo
34393 ++ vpmadd52huq $H0,$R0,$D0hi
34394 ++ vpmadd52luq $H0,$R1,$D1lo
34395 ++ vpmadd52huq $H0,$R1,$D1hi
34396 ++ vpmadd52luq $H0,$R2,$D2lo
34397 ++ vpmadd52huq $H0,$R2,$D2hi
34398 ++
34399 ++ vpmadd52luq $H1,$S2,$D0lo
34400 ++ vpmadd52huq $H1,$S2,$D0hi
34401 ++ vpmadd52luq $H1,$R0,$D1lo
34402 ++ vpmadd52huq $H1,$R0,$D1hi
34403 ++ vpmadd52luq $H1,$R1,$D2lo
34404 ++ vpmadd52huq $H1,$R1,$D2hi
34405 ++
34406 ++ ################################################################
34407 ++ # horizontal addition
34408 ++
34409 ++ mov \$1,%eax
34410 ++ kmovw %eax,%k1
34411 ++ vpsrldq \$8,$D0lo,$T0
34412 ++ vpsrldq \$8,$D0hi,$H0
34413 ++ vpsrldq \$8,$D1lo,$T1
34414 ++ vpsrldq \$8,$D1hi,$H1
34415 ++ vpaddq $T0,$D0lo,$D0lo
34416 ++ vpaddq $H0,$D0hi,$D0hi
34417 ++ vpsrldq \$8,$D2lo,$T2
34418 ++ vpsrldq \$8,$D2hi,$H2
34419 ++ vpaddq $T1,$D1lo,$D1lo
34420 ++ vpaddq $H1,$D1hi,$D1hi
34421 ++ vpermq \$0x2,$D0lo,$T0
34422 ++ vpermq \$0x2,$D0hi,$H0
34423 ++ vpaddq $T2,$D2lo,$D2lo
34424 ++ vpaddq $H2,$D2hi,$D2hi
34425 ++
34426 ++ vpermq \$0x2,$D1lo,$T1
34427 ++ vpermq \$0x2,$D1hi,$H1
34428 ++ vpaddq $T0,$D0lo,${D0lo}{%k1}{z}
34429 ++ vpaddq $H0,$D0hi,${D0hi}{%k1}{z}
34430 ++ vpermq \$0x2,$D2lo,$T2
34431 ++ vpermq \$0x2,$D2hi,$H2
34432 ++ vpaddq $T1,$D1lo,${D1lo}{%k1}{z}
34433 ++ vpaddq $H1,$D1hi,${D1hi}{%k1}{z}
34434 ++ vpaddq $T2,$D2lo,${D2lo}{%k1}{z}
34435 ++ vpaddq $H2,$D2hi,${D2hi}{%k1}{z}
34436 ++
34437 ++ ################################################################
34438 ++ # partial reduction
34439 ++ vpsrlq \$44,$D0lo,$tmp
34440 ++ vpsllq \$8,$D0hi,$D0hi
34441 ++ vpandq $mask44,$D0lo,$H0
34442 ++ vpaddq $tmp,$D0hi,$D0hi
34443 ++
34444 ++ vpaddq $D0hi,$D1lo,$D1lo
34445 ++
34446 ++ vpsrlq \$44,$D1lo,$tmp
34447 ++ vpsllq \$8,$D1hi,$D1hi
34448 ++ vpandq $mask44,$D1lo,$H1
34449 ++ vpaddq $tmp,$D1hi,$D1hi
34450 ++
34451 ++ vpaddq $D1hi,$D2lo,$D2lo
34452 ++
34453 ++ vpsrlq \$42,$D2lo,$tmp
34454 ++ vpsllq \$10,$D2hi,$D2hi
34455 ++ vpandq $mask42,$D2lo,$H2
34456 ++ vpaddq $tmp,$D2hi,$D2hi
34457 ++
34458 ++ vpaddq $D2hi,$H0,$H0
34459 ++ vpsllq \$2,$D2hi,$D2hi
34460 ++
34461 ++ vpaddq $D2hi,$H0,$H0
34462 ++
34463 ++ vpsrlq \$44,$H0,$tmp # additional step
34464 ++ vpandq $mask44,$H0,$H0
34465 ++
34466 ++ vpaddq $tmp,$H1,$H1
34467 ++ # at this point $len is
34468 ++ # either 4*n+2 or 0...
34469 ++ sub \$2,$len # len-=32
34470 ++ ja .Lblocks_vpmadd52_4x_do
34471 ++
34472 ++ vmovq %x#$H0,0($ctx)
34473 ++ vmovq %x#$H1,8($ctx)
34474 ++ vmovq %x#$H2,16($ctx)
34475 ++ vzeroall
34476 ++
34477 ++.Lno_data_vpmadd52_4x:
34478 ++ ret
34479 ++.size poly1305_blocks_vpmadd52_4x,.-poly1305_blocks_vpmadd52_4x
34480 ++___
34481 ++}
34482 ++{
34483 ++########################################################################
34484 ++# As implied by its name 8x subroutine processes 8 blocks in parallel...
34485 ++# This is intermediate version, as it's used only in cases when input
34486 ++# length is either 8*n, 8*n+1 or 8*n+2...
34487 ++
34488 ++my ($H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2) = map("%ymm$_",(0..5,16,17));
34489 ++my ($D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi) = map("%ymm$_",(18..23));
34490 ++my ($T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD) = map("%ymm$_",(24..31));
34491 ++my ($RR0,$RR1,$RR2,$SS1,$SS2) = map("%ymm$_",(6..10));
34492 ++
34493 ++$code.=<<___;
34494 ++.type poly1305_blocks_vpmadd52_8x,\@function,4
34495 ++.align 32
34496 ++poly1305_blocks_vpmadd52_8x:
34497 ++ shr \$4,$len
34498 ++ jz .Lno_data_vpmadd52_8x # too short
34499 ++
34500 ++ shl \$40,$padbit
34501 ++ mov 64($ctx),%r8 # peek on power of the key
34502 ++
34503 ++ vmovdqa64 .Lx_mask44(%rip),$mask44
34504 ++ vmovdqa64 .Lx_mask42(%rip),$mask42
34505 ++
34506 ++ test %r8,%r8 # is power value impossible?
34507 ++ js .Linit_vpmadd52 # if it is, then init R[4]
34508 ++
34509 ++ vmovq 0($ctx),%x#$H0 # load current hash value
34510 ++ vmovq 8($ctx),%x#$H1
34511 ++ vmovq 16($ctx),%x#$H2
34512 ++
34513 ++.Lblocks_vpmadd52_8x:
34514 ++ ################################################################
34515 ++ # fist we calculate more key powers
34516 ++
34517 ++ vmovdqu64 128($ctx),$R2 # load 1-3-2-4 powers
34518 ++ vmovdqu64 160($ctx),$S1
34519 ++ vmovdqu64 64($ctx),$R0
34520 ++ vmovdqu64 96($ctx),$R1
34521 ++
34522 ++ vpsllq \$2,$R2,$S2 # S2 = R2*5*4
34523 ++ vpaddq $R2,$S2,$S2
34524 ++ vpsllq \$2,$S2,$S2
34525 ++
34526 ++ vpbroadcastq %x#$R2,$RR2 # broadcast 4th power
34527 ++ vpbroadcastq %x#$R0,$RR0
34528 ++ vpbroadcastq %x#$R1,$RR1
34529 ++
34530 ++ vpxorq $D0lo,$D0lo,$D0lo
34531 ++ vpmadd52luq $RR2,$S1,$D0lo
34532 ++ vpxorq $D0hi,$D0hi,$D0hi
34533 ++ vpmadd52huq $RR2,$S1,$D0hi
34534 ++ vpxorq $D1lo,$D1lo,$D1lo
34535 ++ vpmadd52luq $RR2,$S2,$D1lo
34536 ++ vpxorq $D1hi,$D1hi,$D1hi
34537 ++ vpmadd52huq $RR2,$S2,$D1hi
34538 ++ vpxorq $D2lo,$D2lo,$D2lo
34539 ++ vpmadd52luq $RR2,$R0,$D2lo
34540 ++ vpxorq $D2hi,$D2hi,$D2hi
34541 ++ vpmadd52huq $RR2,$R0,$D2hi
34542 ++
34543 ++ vpmadd52luq $RR0,$R0,$D0lo
34544 ++ vpmadd52huq $RR0,$R0,$D0hi
34545 ++ vpmadd52luq $RR0,$R1,$D1lo
34546 ++ vpmadd52huq $RR0,$R1,$D1hi
34547 ++ vpmadd52luq $RR0,$R2,$D2lo
34548 ++ vpmadd52huq $RR0,$R2,$D2hi
34549 ++
34550 ++ vpmadd52luq $RR1,$S2,$D0lo
34551 ++ vpmadd52huq $RR1,$S2,$D0hi
34552 ++ vpmadd52luq $RR1,$R0,$D1lo
34553 ++ vpmadd52huq $RR1,$R0,$D1hi
34554 ++ vpmadd52luq $RR1,$R1,$D2lo
34555 ++ vpmadd52huq $RR1,$R1,$D2hi
34556 ++
34557 ++ ################################################################
34558 ++ # partial reduction
34559 ++ vpsrlq \$44,$D0lo,$tmp
34560 ++ vpsllq \$8,$D0hi,$D0hi
34561 ++ vpandq $mask44,$D0lo,$RR0
34562 ++ vpaddq $tmp,$D0hi,$D0hi
34563 ++
34564 ++ vpaddq $D0hi,$D1lo,$D1lo
34565 ++
34566 ++ vpsrlq \$44,$D1lo,$tmp
34567 ++ vpsllq \$8,$D1hi,$D1hi
34568 ++ vpandq $mask44,$D1lo,$RR1
34569 ++ vpaddq $tmp,$D1hi,$D1hi
34570 ++
34571 ++ vpaddq $D1hi,$D2lo,$D2lo
34572 ++
34573 ++ vpsrlq \$42,$D2lo,$tmp
34574 ++ vpsllq \$10,$D2hi,$D2hi
34575 ++ vpandq $mask42,$D2lo,$RR2
34576 ++ vpaddq $tmp,$D2hi,$D2hi
34577 ++
34578 ++ vpaddq $D2hi,$RR0,$RR0
34579 ++ vpsllq \$2,$D2hi,$D2hi
34580 ++
34581 ++ vpaddq $D2hi,$RR0,$RR0
34582 ++
34583 ++ vpsrlq \$44,$RR0,$tmp # additional step
34584 ++ vpandq $mask44,$RR0,$RR0
34585 ++
34586 ++ vpaddq $tmp,$RR1,$RR1
34587 ++
34588 ++ ################################################################
34589 ++ # At this point Rx holds 1324 powers, RRx - 5768, and the goal
34590 ++ # is 15263748, which reflects how data is loaded...
34591 ++
34592 ++ vpunpcklqdq $R2,$RR2,$T2 # 3748
34593 ++ vpunpckhqdq $R2,$RR2,$R2 # 1526
34594 ++ vpunpcklqdq $R0,$RR0,$T0
34595 ++ vpunpckhqdq $R0,$RR0,$R0
34596 ++ vpunpcklqdq $R1,$RR1,$T1
34597 ++ vpunpckhqdq $R1,$RR1,$R1
34598 ++___
34599 ++######## switch to %zmm
34600 ++map(s/%y/%z/, $H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2);
34601 ++map(s/%y/%z/, $D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi);
34602 ++map(s/%y/%z/, $T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD);
34603 ++map(s/%y/%z/, $RR0,$RR1,$RR2,$SS1,$SS2);
34604 ++
34605 ++$code.=<<___;
34606 ++ vshufi64x2 \$0x44,$R2,$T2,$RR2 # 15263748
34607 ++ vshufi64x2 \$0x44,$R0,$T0,$RR0
34608 ++ vshufi64x2 \$0x44,$R1,$T1,$RR1
34609 ++
34610 ++ vmovdqu64 16*0($inp),$T2 # load data
34611 ++ vmovdqu64 16*4($inp),$T3
34612 ++ lea 16*8($inp),$inp
34613 ++
34614 ++ vpsllq \$2,$RR2,$SS2 # S2 = R2*5*4
34615 ++ vpsllq \$2,$RR1,$SS1 # S1 = R1*5*4
34616 ++ vpaddq $RR2,$SS2,$SS2
34617 ++ vpaddq $RR1,$SS1,$SS1
34618 ++ vpsllq \$2,$SS2,$SS2
34619 ++ vpsllq \$2,$SS1,$SS1
34620 ++
34621 ++ vpbroadcastq $padbit,$PAD
34622 ++ vpbroadcastq %x#$mask44,$mask44
34623 ++ vpbroadcastq %x#$mask42,$mask42
34624 ++
34625 ++ vpbroadcastq %x#$SS1,$S1 # broadcast 8th power
34626 ++ vpbroadcastq %x#$SS2,$S2
34627 ++ vpbroadcastq %x#$RR0,$R0
34628 ++ vpbroadcastq %x#$RR1,$R1
34629 ++ vpbroadcastq %x#$RR2,$R2
34630 ++
34631 ++ vpunpcklqdq $T3,$T2,$T1 # transpose data
34632 ++ vpunpckhqdq $T3,$T2,$T3
34633 ++
34634 ++ # at this point 64-bit lanes are ordered as 73625140
34635 ++
34636 ++ vpsrlq \$24,$T3,$T2 # splat the data
34637 ++ vporq $PAD,$T2,$T2
34638 ++ vpaddq $T2,$H2,$H2 # accumulate input
34639 ++ vpandq $mask44,$T1,$T0
34640 ++ vpsrlq \$44,$T1,$T1
34641 ++ vpsllq \$20,$T3,$T3
34642 ++ vporq $T3,$T1,$T1
34643 ++ vpandq $mask44,$T1,$T1
34644 ++
34645 ++ sub \$8,$len
34646 ++ jz .Ltail_vpmadd52_8x
34647 ++ jmp .Loop_vpmadd52_8x
34648 ++
34649 ++.align 32
34650 ++.Loop_vpmadd52_8x:
34651 ++ #vpaddq $T2,$H2,$H2 # accumulate input
34652 ++ vpaddq $T0,$H0,$H0
34653 ++ vpaddq $T1,$H1,$H1
34654 ++
34655 ++ vpxorq $D0lo,$D0lo,$D0lo
34656 ++ vpmadd52luq $H2,$S1,$D0lo
34657 ++ vpxorq $D0hi,$D0hi,$D0hi
34658 ++ vpmadd52huq $H2,$S1,$D0hi
34659 ++ vpxorq $D1lo,$D1lo,$D1lo
34660 ++ vpmadd52luq $H2,$S2,$D1lo
34661 ++ vpxorq $D1hi,$D1hi,$D1hi
34662 ++ vpmadd52huq $H2,$S2,$D1hi
34663 ++ vpxorq $D2lo,$D2lo,$D2lo
34664 ++ vpmadd52luq $H2,$R0,$D2lo
34665 ++ vpxorq $D2hi,$D2hi,$D2hi
34666 ++ vpmadd52huq $H2,$R0,$D2hi
34667 ++
34668 ++ vmovdqu64 16*0($inp),$T2 # load data
34669 ++ vmovdqu64 16*4($inp),$T3
34670 ++ lea 16*8($inp),$inp
34671 ++ vpmadd52luq $H0,$R0,$D0lo
34672 ++ vpmadd52huq $H0,$R0,$D0hi
34673 ++ vpmadd52luq $H0,$R1,$D1lo
34674 ++ vpmadd52huq $H0,$R1,$D1hi
34675 ++ vpmadd52luq $H0,$R2,$D2lo
34676 ++ vpmadd52huq $H0,$R2,$D2hi
34677 ++
34678 ++ vpunpcklqdq $T3,$T2,$T1 # transpose data
34679 ++ vpunpckhqdq $T3,$T2,$T3
34680 ++ vpmadd52luq $H1,$S2,$D0lo
34681 ++ vpmadd52huq $H1,$S2,$D0hi
34682 ++ vpmadd52luq $H1,$R0,$D1lo
34683 ++ vpmadd52huq $H1,$R0,$D1hi
34684 ++ vpmadd52luq $H1,$R1,$D2lo
34685 ++ vpmadd52huq $H1,$R1,$D2hi
34686 ++
34687 ++ ################################################################
34688 ++ # partial reduction (interleaved with data splat)
34689 ++ vpsrlq \$44,$D0lo,$tmp
34690 ++ vpsllq \$8,$D0hi,$D0hi
34691 ++ vpandq $mask44,$D0lo,$H0
34692 ++ vpaddq $tmp,$D0hi,$D0hi
34693 ++
34694 ++ vpsrlq \$24,$T3,$T2
34695 ++ vporq $PAD,$T2,$T2
34696 ++ vpaddq $D0hi,$D1lo,$D1lo
34697 ++
34698 ++ vpsrlq \$44,$D1lo,$tmp
34699 ++ vpsllq \$8,$D1hi,$D1hi
34700 ++ vpandq $mask44,$D1lo,$H1
34701 ++ vpaddq $tmp,$D1hi,$D1hi
34702 ++
34703 ++ vpandq $mask44,$T1,$T0
34704 ++ vpsrlq \$44,$T1,$T1
34705 ++ vpsllq \$20,$T3,$T3
34706 ++ vpaddq $D1hi,$D2lo,$D2lo
34707 ++
34708 ++ vpsrlq \$42,$D2lo,$tmp
34709 ++ vpsllq \$10,$D2hi,$D2hi
34710 ++ vpandq $mask42,$D2lo,$H2
34711 ++ vpaddq $tmp,$D2hi,$D2hi
34712 ++
34713 ++ vpaddq $T2,$H2,$H2 # accumulate input
34714 ++ vpaddq $D2hi,$H0,$H0
34715 ++ vpsllq \$2,$D2hi,$D2hi
34716 ++
34717 ++ vpaddq $D2hi,$H0,$H0
34718 ++ vporq $T3,$T1,$T1
34719 ++ vpandq $mask44,$T1,$T1
34720 ++
34721 ++ vpsrlq \$44,$H0,$tmp # additional step
34722 ++ vpandq $mask44,$H0,$H0
34723 ++
34724 ++ vpaddq $tmp,$H1,$H1
34725 ++
34726 ++ sub \$8,$len # len-=128
34727 ++ jnz .Loop_vpmadd52_8x
34728 ++
34729 ++.Ltail_vpmadd52_8x:
34730 ++ #vpaddq $T2,$H2,$H2 # accumulate input
34731 ++ vpaddq $T0,$H0,$H0
34732 ++ vpaddq $T1,$H1,$H1
34733 ++
34734 ++ vpxorq $D0lo,$D0lo,$D0lo
34735 ++ vpmadd52luq $H2,$SS1,$D0lo
34736 ++ vpxorq $D0hi,$D0hi,$D0hi
34737 ++ vpmadd52huq $H2,$SS1,$D0hi
34738 ++ vpxorq $D1lo,$D1lo,$D1lo
34739 ++ vpmadd52luq $H2,$SS2,$D1lo
34740 ++ vpxorq $D1hi,$D1hi,$D1hi
34741 ++ vpmadd52huq $H2,$SS2,$D1hi
34742 ++ vpxorq $D2lo,$D2lo,$D2lo
34743 ++ vpmadd52luq $H2,$RR0,$D2lo
34744 ++ vpxorq $D2hi,$D2hi,$D2hi
34745 ++ vpmadd52huq $H2,$RR0,$D2hi
34746 ++
34747 ++ vpmadd52luq $H0,$RR0,$D0lo
34748 ++ vpmadd52huq $H0,$RR0,$D0hi
34749 ++ vpmadd52luq $H0,$RR1,$D1lo
34750 ++ vpmadd52huq $H0,$RR1,$D1hi
34751 ++ vpmadd52luq $H0,$RR2,$D2lo
34752 ++ vpmadd52huq $H0,$RR2,$D2hi
34753 ++
34754 ++ vpmadd52luq $H1,$SS2,$D0lo
34755 ++ vpmadd52huq $H1,$SS2,$D0hi
34756 ++ vpmadd52luq $H1,$RR0,$D1lo
34757 ++ vpmadd52huq $H1,$RR0,$D1hi
34758 ++ vpmadd52luq $H1,$RR1,$D2lo
34759 ++ vpmadd52huq $H1,$RR1,$D2hi
34760 ++
34761 ++ ################################################################
34762 ++ # horizontal addition
34763 ++
34764 ++ mov \$1,%eax
34765 ++ kmovw %eax,%k1
34766 ++ vpsrldq \$8,$D0lo,$T0
34767 ++ vpsrldq \$8,$D0hi,$H0
34768 ++ vpsrldq \$8,$D1lo,$T1
34769 ++ vpsrldq \$8,$D1hi,$H1
34770 ++ vpaddq $T0,$D0lo,$D0lo
34771 ++ vpaddq $H0,$D0hi,$D0hi
34772 ++ vpsrldq \$8,$D2lo,$T2
34773 ++ vpsrldq \$8,$D2hi,$H2
34774 ++ vpaddq $T1,$D1lo,$D1lo
34775 ++ vpaddq $H1,$D1hi,$D1hi
34776 ++ vpermq \$0x2,$D0lo,$T0
34777 ++ vpermq \$0x2,$D0hi,$H0
34778 ++ vpaddq $T2,$D2lo,$D2lo
34779 ++ vpaddq $H2,$D2hi,$D2hi
34780 ++
34781 ++ vpermq \$0x2,$D1lo,$T1
34782 ++ vpermq \$0x2,$D1hi,$H1
34783 ++ vpaddq $T0,$D0lo,$D0lo
34784 ++ vpaddq $H0,$D0hi,$D0hi
34785 ++ vpermq \$0x2,$D2lo,$T2
34786 ++ vpermq \$0x2,$D2hi,$H2
34787 ++ vpaddq $T1,$D1lo,$D1lo
34788 ++ vpaddq $H1,$D1hi,$D1hi
34789 ++ vextracti64x4 \$1,$D0lo,%y#$T0
34790 ++ vextracti64x4 \$1,$D0hi,%y#$H0
34791 ++ vpaddq $T2,$D2lo,$D2lo
34792 ++ vpaddq $H2,$D2hi,$D2hi
34793 ++
34794 ++ vextracti64x4 \$1,$D1lo,%y#$T1
34795 ++ vextracti64x4 \$1,$D1hi,%y#$H1
34796 ++ vextracti64x4 \$1,$D2lo,%y#$T2
34797 ++ vextracti64x4 \$1,$D2hi,%y#$H2
34798 ++___
34799 ++######## switch back to %ymm
34800 ++map(s/%z/%y/, $H0,$H1,$H2,$R0,$R1,$R2,$S1,$S2);
34801 ++map(s/%z/%y/, $D0lo,$D0hi,$D1lo,$D1hi,$D2lo,$D2hi);
34802 ++map(s/%z/%y/, $T0,$T1,$T2,$T3,$mask44,$mask42,$tmp,$PAD);
34803 ++
34804 ++$code.=<<___;
34805 ++ vpaddq $T0,$D0lo,${D0lo}{%k1}{z}
34806 ++ vpaddq $H0,$D0hi,${D0hi}{%k1}{z}
34807 ++ vpaddq $T1,$D1lo,${D1lo}{%k1}{z}
34808 ++ vpaddq $H1,$D1hi,${D1hi}{%k1}{z}
34809 ++ vpaddq $T2,$D2lo,${D2lo}{%k1}{z}
34810 ++ vpaddq $H2,$D2hi,${D2hi}{%k1}{z}
34811 ++
34812 ++ ################################################################
34813 ++ # partial reduction
34814 ++ vpsrlq \$44,$D0lo,$tmp
34815 ++ vpsllq \$8,$D0hi,$D0hi
34816 ++ vpandq $mask44,$D0lo,$H0
34817 ++ vpaddq $tmp,$D0hi,$D0hi
34818 ++
34819 ++ vpaddq $D0hi,$D1lo,$D1lo
34820 ++
34821 ++ vpsrlq \$44,$D1lo,$tmp
34822 ++ vpsllq \$8,$D1hi,$D1hi
34823 ++ vpandq $mask44,$D1lo,$H1
34824 ++ vpaddq $tmp,$D1hi,$D1hi
34825 ++
34826 ++ vpaddq $D1hi,$D2lo,$D2lo
34827 ++
34828 ++ vpsrlq \$42,$D2lo,$tmp
34829 ++ vpsllq \$10,$D2hi,$D2hi
34830 ++ vpandq $mask42,$D2lo,$H2
34831 ++ vpaddq $tmp,$D2hi,$D2hi
34832 ++
34833 ++ vpaddq $D2hi,$H0,$H0
34834 ++ vpsllq \$2,$D2hi,$D2hi
34835 ++
34836 ++ vpaddq $D2hi,$H0,$H0
34837 ++
34838 ++ vpsrlq \$44,$H0,$tmp # additional step
34839 ++ vpandq $mask44,$H0,$H0
34840 ++
34841 ++ vpaddq $tmp,$H1,$H1
34842 ++
34843 ++ ################################################################
34844 ++
34845 ++ vmovq %x#$H0,0($ctx)
34846 ++ vmovq %x#$H1,8($ctx)
34847 ++ vmovq %x#$H2,16($ctx)
34848 ++ vzeroall
34849 ++
34850 ++.Lno_data_vpmadd52_8x:
34851 ++ ret
34852 ++.size poly1305_blocks_vpmadd52_8x,.-poly1305_blocks_vpmadd52_8x
34853 ++___
34854 ++}
34855 ++$code.=<<___;
34856 ++.type poly1305_emit_base2_44,\@function,3
34857 ++.align 32
34858 ++poly1305_emit_base2_44:
34859 ++ mov 0($ctx),%r8 # load hash value
34860 ++ mov 8($ctx),%r9
34861 ++ mov 16($ctx),%r10
34862 ++
34863 ++ mov %r9,%rax
34864 ++ shr \$20,%r9
34865 ++ shl \$44,%rax
34866 ++ mov %r10,%rcx
34867 ++ shr \$40,%r10
34868 ++ shl \$24,%rcx
34869 ++
34870 ++ add %rax,%r8
34871 ++ adc %rcx,%r9
34872 ++ adc \$0,%r10
34873 ++
34874 ++ mov %r8,%rax
34875 ++ add \$5,%r8 # compare to modulus
34876 ++ mov %r9,%rcx
34877 ++ adc \$0,%r9
34878 ++ adc \$0,%r10
34879 ++ shr \$2,%r10 # did 130-bit value overflow?
34880 ++ cmovnz %r8,%rax
34881 ++ cmovnz %r9,%rcx
34882 ++
34883 ++ add 0($nonce),%rax # accumulate nonce
34884 ++ adc 8($nonce),%rcx
34885 ++ mov %rax,0($mac) # write result
34886 ++ mov %rcx,8($mac)
34887 ++
34888 ++ ret
34889 ++.size poly1305_emit_base2_44,.-poly1305_emit_base2_44
34890 ++___
34891 ++} } }
34892 ++}
34893 ++
34894 ++if (!$kernel)
34895 ++{ # chacha20-poly1305 helpers
34896 ++my ($out,$inp,$otp,$len)=$win64 ? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
34897 ++ ("%rdi","%rsi","%rdx","%rcx"); # Unix order
34898 ++$code.=<<___;
34899 ++.globl xor128_encrypt_n_pad
34900 ++.type xor128_encrypt_n_pad,\@abi-omnipotent
34901 ++.align 16
34902 ++xor128_encrypt_n_pad:
34903 ++ sub $otp,$inp
34904 ++ sub $otp,$out
34905 ++ mov $len,%r10 # put len aside
34906 ++ shr \$4,$len # len / 16
34907 ++ jz .Ltail_enc
34908 ++ nop
34909 ++.Loop_enc_xmm:
34910 ++ movdqu ($inp,$otp),%xmm0
34911 ++ pxor ($otp),%xmm0
34912 ++ movdqu %xmm0,($out,$otp)
34913 ++ movdqa %xmm0,($otp)
34914 ++ lea 16($otp),$otp
34915 ++ dec $len
34916 ++ jnz .Loop_enc_xmm
34917 ++
34918 ++ and \$15,%r10 # len % 16
34919 ++ jz .Ldone_enc
34920 ++
34921 ++.Ltail_enc:
34922 ++ mov \$16,$len
34923 ++ sub %r10,$len
34924 ++ xor %eax,%eax
34925 ++.Loop_enc_byte:
34926 ++ mov ($inp,$otp),%al
34927 ++ xor ($otp),%al
34928 ++ mov %al,($out,$otp)
34929 ++ mov %al,($otp)
34930 ++ lea 1($otp),$otp
34931 ++ dec %r10
34932 ++ jnz .Loop_enc_byte
34933 ++
34934 ++ xor %eax,%eax
34935 ++.Loop_enc_pad:
34936 ++ mov %al,($otp)
34937 ++ lea 1($otp),$otp
34938 ++ dec $len
34939 ++ jnz .Loop_enc_pad
34940 ++
34941 ++.Ldone_enc:
34942 ++ mov $otp,%rax
34943 ++ ret
34944 ++.size xor128_encrypt_n_pad,.-xor128_encrypt_n_pad
34945 ++
34946 ++.globl xor128_decrypt_n_pad
34947 ++.type xor128_decrypt_n_pad,\@abi-omnipotent
34948 ++.align 16
34949 ++xor128_decrypt_n_pad:
34950 ++ sub $otp,$inp
34951 ++ sub $otp,$out
34952 ++ mov $len,%r10 # put len aside
34953 ++ shr \$4,$len # len / 16
34954 ++ jz .Ltail_dec
34955 ++ nop
34956 ++.Loop_dec_xmm:
34957 ++ movdqu ($inp,$otp),%xmm0
34958 ++ movdqa ($otp),%xmm1
34959 ++ pxor %xmm0,%xmm1
34960 ++ movdqu %xmm1,($out,$otp)
34961 ++ movdqa %xmm0,($otp)
34962 ++ lea 16($otp),$otp
34963 ++ dec $len
34964 ++ jnz .Loop_dec_xmm
34965 ++
34966 ++ pxor %xmm1,%xmm1
34967 ++ and \$15,%r10 # len % 16
34968 ++ jz .Ldone_dec
34969 ++
34970 ++.Ltail_dec:
34971 ++ mov \$16,$len
34972 ++ sub %r10,$len
34973 ++ xor %eax,%eax
34974 ++ xor %r11d,%r11d
34975 ++.Loop_dec_byte:
34976 ++ mov ($inp,$otp),%r11b
34977 ++ mov ($otp),%al
34978 ++ xor %r11b,%al
34979 ++ mov %al,($out,$otp)
34980 ++ mov %r11b,($otp)
34981 ++ lea 1($otp),$otp
34982 ++ dec %r10
34983 ++ jnz .Loop_dec_byte
34984 ++
34985 ++ xor %eax,%eax
34986 ++.Loop_dec_pad:
34987 ++ mov %al,($otp)
34988 ++ lea 1($otp),$otp
34989 ++ dec $len
34990 ++ jnz .Loop_dec_pad
34991 ++
34992 ++.Ldone_dec:
34993 ++ mov $otp,%rax
34994 ++ ret
34995 ++.size xor128_decrypt_n_pad,.-xor128_decrypt_n_pad
34996 ++___
34997 ++}
34998 ++
34999 ++# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
35000 ++# CONTEXT *context,DISPATCHER_CONTEXT *disp)
35001 ++if ($win64) {
35002 ++$rec="%rcx";
35003 ++$frame="%rdx";
35004 ++$context="%r8";
35005 ++$disp="%r9";
35006 ++
35007 ++$code.=<<___;
35008 ++.extern __imp_RtlVirtualUnwind
35009 ++.type se_handler,\@abi-omnipotent
35010 ++.align 16
35011 ++se_handler:
35012 ++ push %rsi
35013 ++ push %rdi
35014 ++ push %rbx
35015 ++ push %rbp
35016 ++ push %r12
35017 ++ push %r13
35018 ++ push %r14
35019 ++ push %r15
35020 ++ pushfq
35021 ++ sub \$64,%rsp
35022 ++
35023 ++ mov 120($context),%rax # pull context->Rax
35024 ++ mov 248($context),%rbx # pull context->Rip
35025 ++
35026 ++ mov 8($disp),%rsi # disp->ImageBase
35027 ++ mov 56($disp),%r11 # disp->HandlerData
35028 ++
35029 ++ mov 0(%r11),%r10d # HandlerData[0]
35030 ++ lea (%rsi,%r10),%r10 # prologue label
35031 ++ cmp %r10,%rbx # context->Rip<.Lprologue
35032 ++ jb .Lcommon_seh_tail
35033 ++
35034 ++ mov 152($context),%rax # pull context->Rsp
35035 ++
35036 ++ mov 4(%r11),%r10d # HandlerData[1]
35037 ++ lea (%rsi,%r10),%r10 # epilogue label
35038 ++ cmp %r10,%rbx # context->Rip>=.Lepilogue
35039 ++ jae .Lcommon_seh_tail
35040 ++
35041 ++ lea 48(%rax),%rax
35042 ++
35043 ++ mov -8(%rax),%rbx
35044 ++ mov -16(%rax),%rbp
35045 ++ mov -24(%rax),%r12
35046 ++ mov -32(%rax),%r13
35047 ++ mov -40(%rax),%r14
35048 ++ mov -48(%rax),%r15
35049 ++ mov %rbx,144($context) # restore context->Rbx
35050 ++ mov %rbp,160($context) # restore context->Rbp
35051 ++ mov %r12,216($context) # restore context->R12
35052 ++ mov %r13,224($context) # restore context->R13
35053 ++ mov %r14,232($context) # restore context->R14
35054 ++ mov %r15,240($context) # restore context->R14
35055 ++
35056 ++ jmp .Lcommon_seh_tail
35057 ++.size se_handler,.-se_handler
35058 ++
35059 ++.type avx_handler,\@abi-omnipotent
35060 ++.align 16
35061 ++avx_handler:
35062 ++ push %rsi
35063 ++ push %rdi
35064 ++ push %rbx
35065 ++ push %rbp
35066 ++ push %r12
35067 ++ push %r13
35068 ++ push %r14
35069 ++ push %r15
35070 ++ pushfq
35071 ++ sub \$64,%rsp
35072 ++
35073 ++ mov 120($context),%rax # pull context->Rax
35074 ++ mov 248($context),%rbx # pull context->Rip
35075 ++
35076 ++ mov 8($disp),%rsi # disp->ImageBase
35077 ++ mov 56($disp),%r11 # disp->HandlerData
35078 ++
35079 ++ mov 0(%r11),%r10d # HandlerData[0]
35080 ++ lea (%rsi,%r10),%r10 # prologue label
35081 ++ cmp %r10,%rbx # context->Rip<prologue label
35082 ++ jb .Lcommon_seh_tail
35083 ++
35084 ++ mov 152($context),%rax # pull context->Rsp
35085 ++
35086 ++ mov 4(%r11),%r10d # HandlerData[1]
35087 ++ lea (%rsi,%r10),%r10 # epilogue label
35088 ++ cmp %r10,%rbx # context->Rip>=epilogue label
35089 ++ jae .Lcommon_seh_tail
35090 ++
35091 ++ mov 208($context),%rax # pull context->R11
35092 ++
35093 ++ lea 0x50(%rax),%rsi
35094 ++ lea 0xf8(%rax),%rax
35095 ++ lea 512($context),%rdi # &context.Xmm6
35096 ++ mov \$20,%ecx
35097 ++ .long 0xa548f3fc # cld; rep movsq
35098 ++
35099 ++.Lcommon_seh_tail:
35100 ++ mov 8(%rax),%rdi
35101 ++ mov 16(%rax),%rsi
35102 ++ mov %rax,152($context) # restore context->Rsp
35103 ++ mov %rsi,168($context) # restore context->Rsi
35104 ++ mov %rdi,176($context) # restore context->Rdi
35105 ++
35106 ++ mov 40($disp),%rdi # disp->ContextRecord
35107 ++ mov $context,%rsi # context
35108 ++ mov \$154,%ecx # sizeof(CONTEXT)
35109 ++ .long 0xa548f3fc # cld; rep movsq
35110 ++
35111 ++ mov $disp,%rsi
35112 ++ xor %ecx,%ecx # arg1, UNW_FLAG_NHANDLER
35113 ++ mov 8(%rsi),%rdx # arg2, disp->ImageBase
35114 ++ mov 0(%rsi),%r8 # arg3, disp->ControlPc
35115 ++ mov 16(%rsi),%r9 # arg4, disp->FunctionEntry
35116 ++ mov 40(%rsi),%r10 # disp->ContextRecord
35117 ++ lea 56(%rsi),%r11 # &disp->HandlerData
35118 ++ lea 24(%rsi),%r12 # &disp->EstablisherFrame
35119 ++ mov %r10,32(%rsp) # arg5
35120 ++ mov %r11,40(%rsp) # arg6
35121 ++ mov %r12,48(%rsp) # arg7
35122 ++ mov %rcx,56(%rsp) # arg8, (NULL)
35123 ++ call *__imp_RtlVirtualUnwind(%rip)
35124 ++
35125 ++ mov \$1,%eax # ExceptionContinueSearch
35126 ++ add \$64,%rsp
35127 ++ popfq
35128 ++ pop %r15
35129 ++ pop %r14
35130 ++ pop %r13
35131 ++ pop %r12
35132 ++ pop %rbp
35133 ++ pop %rbx
35134 ++ pop %rdi
35135 ++ pop %rsi
35136 ++ ret
35137 ++.size avx_handler,.-avx_handler
35138 ++
35139 ++.section .pdata
35140 ++.align 4
35141 ++ .rva .LSEH_begin_poly1305_init_x86_64
35142 ++ .rva .LSEH_end_poly1305_init_x86_64
35143 ++ .rva .LSEH_info_poly1305_init_x86_64
35144 ++
35145 ++ .rva .LSEH_begin_poly1305_blocks_x86_64
35146 ++ .rva .LSEH_end_poly1305_blocks_x86_64
35147 ++ .rva .LSEH_info_poly1305_blocks_x86_64
35148 ++
35149 ++ .rva .LSEH_begin_poly1305_emit_x86_64
35150 ++ .rva .LSEH_end_poly1305_emit_x86_64
35151 ++ .rva .LSEH_info_poly1305_emit_x86_64
35152 ++___
35153 ++$code.=<<___ if ($avx);
35154 ++ .rva .LSEH_begin_poly1305_blocks_avx
35155 ++ .rva .Lbase2_64_avx
35156 ++ .rva .LSEH_info_poly1305_blocks_avx_1
35157 ++
35158 ++ .rva .Lbase2_64_avx
35159 ++ .rva .Leven_avx
35160 ++ .rva .LSEH_info_poly1305_blocks_avx_2
35161 ++
35162 ++ .rva .Leven_avx
35163 ++ .rva .LSEH_end_poly1305_blocks_avx
35164 ++ .rva .LSEH_info_poly1305_blocks_avx_3
35165 ++
35166 ++ .rva .LSEH_begin_poly1305_emit_avx
35167 ++ .rva .LSEH_end_poly1305_emit_avx
35168 ++ .rva .LSEH_info_poly1305_emit_avx
35169 ++___
35170 ++$code.=<<___ if ($avx>1);
35171 ++ .rva .LSEH_begin_poly1305_blocks_avx2
35172 ++ .rva .Lbase2_64_avx2
35173 ++ .rva .LSEH_info_poly1305_blocks_avx2_1
35174 ++
35175 ++ .rva .Lbase2_64_avx2
35176 ++ .rva .Leven_avx2
35177 ++ .rva .LSEH_info_poly1305_blocks_avx2_2
35178 ++
35179 ++ .rva .Leven_avx2
35180 ++ .rva .LSEH_end_poly1305_blocks_avx2
35181 ++ .rva .LSEH_info_poly1305_blocks_avx2_3
35182 ++___
35183 ++$code.=<<___ if ($avx>2);
35184 ++ .rva .LSEH_begin_poly1305_blocks_avx512
35185 ++ .rva .LSEH_end_poly1305_blocks_avx512
35186 ++ .rva .LSEH_info_poly1305_blocks_avx512
35187 ++___
35188 ++$code.=<<___;
35189 ++.section .xdata
35190 ++.align 8
35191 ++.LSEH_info_poly1305_init_x86_64:
35192 ++ .byte 9,0,0,0
35193 ++ .rva se_handler
35194 ++ .rva .LSEH_begin_poly1305_init_x86_64,.LSEH_begin_poly1305_init_x86_64
35195 ++
35196 ++.LSEH_info_poly1305_blocks_x86_64:
35197 ++ .byte 9,0,0,0
35198 ++ .rva se_handler
35199 ++ .rva .Lblocks_body,.Lblocks_epilogue
35200 ++
35201 ++.LSEH_info_poly1305_emit_x86_64:
35202 ++ .byte 9,0,0,0
35203 ++ .rva se_handler
35204 ++ .rva .LSEH_begin_poly1305_emit_x86_64,.LSEH_begin_poly1305_emit_x86_64
35205 ++___
35206 ++$code.=<<___ if ($avx);
35207 ++.LSEH_info_poly1305_blocks_avx_1:
35208 ++ .byte 9,0,0,0
35209 ++ .rva se_handler
35210 ++ .rva .Lblocks_avx_body,.Lblocks_avx_epilogue # HandlerData[]
35211 ++
35212 ++.LSEH_info_poly1305_blocks_avx_2:
35213 ++ .byte 9,0,0,0
35214 ++ .rva se_handler
35215 ++ .rva .Lbase2_64_avx_body,.Lbase2_64_avx_epilogue # HandlerData[]
35216 ++
35217 ++.LSEH_info_poly1305_blocks_avx_3:
35218 ++ .byte 9,0,0,0
35219 ++ .rva avx_handler
35220 ++ .rva .Ldo_avx_body,.Ldo_avx_epilogue # HandlerData[]
35221 ++
35222 ++.LSEH_info_poly1305_emit_avx:
35223 ++ .byte 9,0,0,0
35224 ++ .rva se_handler
35225 ++ .rva .LSEH_begin_poly1305_emit_avx,.LSEH_begin_poly1305_emit_avx
35226 ++___
35227 ++$code.=<<___ if ($avx>1);
35228 ++.LSEH_info_poly1305_blocks_avx2_1:
35229 ++ .byte 9,0,0,0
35230 ++ .rva se_handler
35231 ++ .rva .Lblocks_avx2_body,.Lblocks_avx2_epilogue # HandlerData[]
35232 ++
35233 ++.LSEH_info_poly1305_blocks_avx2_2:
35234 ++ .byte 9,0,0,0
35235 ++ .rva se_handler
35236 ++ .rva .Lbase2_64_avx2_body,.Lbase2_64_avx2_epilogue # HandlerData[]
35237 ++
35238 ++.LSEH_info_poly1305_blocks_avx2_3:
35239 ++ .byte 9,0,0,0
35240 ++ .rva avx_handler
35241 ++ .rva .Ldo_avx2_body,.Ldo_avx2_epilogue # HandlerData[]
35242 ++___
35243 ++$code.=<<___ if ($avx>2);
35244 ++.LSEH_info_poly1305_blocks_avx512:
35245 ++ .byte 9,0,0,0
35246 ++ .rva avx_handler
35247 ++ .rva .Ldo_avx512_body,.Ldo_avx512_epilogue # HandlerData[]
35248 ++___
35249 ++}
35250 ++
35251 ++open SELF,$0;
35252 ++while(<SELF>) {
35253 ++ next if (/^#!/);
35254 ++ last if (!s/^#/\/\// and !/^$/);
35255 ++ print;
35256 ++}
35257 ++close SELF;
35258 ++
35259 ++foreach (split('\n',$code)) {
35260 ++ s/\`([^\`]*)\`/eval($1)/ge;
35261 ++ s/%r([a-z]+)#d/%e$1/g;
35262 ++ s/%r([0-9]+)#d/%r$1d/g;
35263 ++ s/%x#%[yz]/%x/g or s/%y#%z/%y/g or s/%z#%[yz]/%z/g;
35264 ++
35265 ++ if ($kernel) {
35266 ++ s/(^\.type.*),[0-9]+$/\1/;
35267 ++ s/(^\.type.*),\@abi-omnipotent+$/\1,\@function/;
35268 ++ next if /^\.cfi.*/;
35269 ++ }
35270 ++
35271 ++ print $_,"\n";
35272 ++}
35273 ++close STDOUT;
35274 +--- b/arch/x86/crypto/.gitignore
35275 ++++ b/arch/x86/crypto/.gitignore
35276 +@@ -0,0 +1 @@
35277 ++poly1305-x86_64-cryptogams.S
35278 +--- a/arch/x86/crypto/poly1305-sse2-x86_64.S
35279 ++++ /dev/null
35280 +@@ -1,590 +0,0 @@
35281 +-/* SPDX-License-Identifier: GPL-2.0-or-later */
35282 +-/*
35283 +- * Poly1305 authenticator algorithm, RFC7539, x64 SSE2 functions
35284 +- *
35285 +- * Copyright (C) 2015 Martin Willi
35286 +- */
35287 +-
35288 +-#include <linux/linkage.h>
35289 +-
35290 +-.section .rodata.cst16.ANMASK, "aM", @progbits, 16
35291 +-.align 16
35292 +-ANMASK: .octa 0x0000000003ffffff0000000003ffffff
35293 +-
35294 +-.section .rodata.cst16.ORMASK, "aM", @progbits, 16
35295 +-.align 16
35296 +-ORMASK: .octa 0x00000000010000000000000001000000
35297 +-
35298 +-.text
35299 +-
35300 +-#define h0 0x00(%rdi)
35301 +-#define h1 0x04(%rdi)
35302 +-#define h2 0x08(%rdi)
35303 +-#define h3 0x0c(%rdi)
35304 +-#define h4 0x10(%rdi)
35305 +-#define r0 0x00(%rdx)
35306 +-#define r1 0x04(%rdx)
35307 +-#define r2 0x08(%rdx)
35308 +-#define r3 0x0c(%rdx)
35309 +-#define r4 0x10(%rdx)
35310 +-#define s1 0x00(%rsp)
35311 +-#define s2 0x04(%rsp)
35312 +-#define s3 0x08(%rsp)
35313 +-#define s4 0x0c(%rsp)
35314 +-#define m %rsi
35315 +-#define h01 %xmm0
35316 +-#define h23 %xmm1
35317 +-#define h44 %xmm2
35318 +-#define t1 %xmm3
35319 +-#define t2 %xmm4
35320 +-#define t3 %xmm5
35321 +-#define t4 %xmm6
35322 +-#define mask %xmm7
35323 +-#define d0 %r8
35324 +-#define d1 %r9
35325 +-#define d2 %r10
35326 +-#define d3 %r11
35327 +-#define d4 %r12
35328 +-
35329 +-ENTRY(poly1305_block_sse2)
35330 +- # %rdi: Accumulator h[5]
35331 +- # %rsi: 16 byte input block m
35332 +- # %rdx: Poly1305 key r[5]
35333 +- # %rcx: Block count
35334 +-
35335 +- # This single block variant tries to improve performance by doing two
35336 +- # multiplications in parallel using SSE instructions. There is quite
35337 +- # some quardword packing involved, hence the speedup is marginal.
35338 +-
35339 +- push %rbx
35340 +- push %r12
35341 +- sub $0x10,%rsp
35342 +-
35343 +- # s1..s4 = r1..r4 * 5
35344 +- mov r1,%eax
35345 +- lea (%eax,%eax,4),%eax
35346 +- mov %eax,s1
35347 +- mov r2,%eax
35348 +- lea (%eax,%eax,4),%eax
35349 +- mov %eax,s2
35350 +- mov r3,%eax
35351 +- lea (%eax,%eax,4),%eax
35352 +- mov %eax,s3
35353 +- mov r4,%eax
35354 +- lea (%eax,%eax,4),%eax
35355 +- mov %eax,s4
35356 +-
35357 +- movdqa ANMASK(%rip),mask
35358 +-
35359 +-.Ldoblock:
35360 +- # h01 = [0, h1, 0, h0]
35361 +- # h23 = [0, h3, 0, h2]
35362 +- # h44 = [0, h4, 0, h4]
35363 +- movd h0,h01
35364 +- movd h1,t1
35365 +- movd h2,h23
35366 +- movd h3,t2
35367 +- movd h4,h44
35368 +- punpcklqdq t1,h01
35369 +- punpcklqdq t2,h23
35370 +- punpcklqdq h44,h44
35371 +-
35372 +- # h01 += [ (m[3-6] >> 2) & 0x3ffffff, m[0-3] & 0x3ffffff ]
35373 +- movd 0x00(m),t1
35374 +- movd 0x03(m),t2
35375 +- psrld $2,t2
35376 +- punpcklqdq t2,t1
35377 +- pand mask,t1
35378 +- paddd t1,h01
35379 +- # h23 += [ (m[9-12] >> 6) & 0x3ffffff, (m[6-9] >> 4) & 0x3ffffff ]
35380 +- movd 0x06(m),t1
35381 +- movd 0x09(m),t2
35382 +- psrld $4,t1
35383 +- psrld $6,t2
35384 +- punpcklqdq t2,t1
35385 +- pand mask,t1
35386 +- paddd t1,h23
35387 +- # h44 += [ (m[12-15] >> 8) | (1 << 24), (m[12-15] >> 8) | (1 << 24) ]
35388 +- mov 0x0c(m),%eax
35389 +- shr $8,%eax
35390 +- or $0x01000000,%eax
35391 +- movd %eax,t1
35392 +- pshufd $0xc4,t1,t1
35393 +- paddd t1,h44
35394 +-
35395 +- # t1[0] = h0 * r0 + h2 * s3
35396 +- # t1[1] = h1 * s4 + h3 * s2
35397 +- movd r0,t1
35398 +- movd s4,t2
35399 +- punpcklqdq t2,t1
35400 +- pmuludq h01,t1
35401 +- movd s3,t2
35402 +- movd s2,t3
35403 +- punpcklqdq t3,t2
35404 +- pmuludq h23,t2
35405 +- paddq t2,t1
35406 +- # t2[0] = h0 * r1 + h2 * s4
35407 +- # t2[1] = h1 * r0 + h3 * s3
35408 +- movd r1,t2
35409 +- movd r0,t3
35410 +- punpcklqdq t3,t2
35411 +- pmuludq h01,t2
35412 +- movd s4,t3
35413 +- movd s3,t4
35414 +- punpcklqdq t4,t3
35415 +- pmuludq h23,t3
35416 +- paddq t3,t2
35417 +- # t3[0] = h4 * s1
35418 +- # t3[1] = h4 * s2
35419 +- movd s1,t3
35420 +- movd s2,t4
35421 +- punpcklqdq t4,t3
35422 +- pmuludq h44,t3
35423 +- # d0 = t1[0] + t1[1] + t3[0]
35424 +- # d1 = t2[0] + t2[1] + t3[1]
35425 +- movdqa t1,t4
35426 +- punpcklqdq t2,t4
35427 +- punpckhqdq t2,t1
35428 +- paddq t4,t1
35429 +- paddq t3,t1
35430 +- movq t1,d0
35431 +- psrldq $8,t1
35432 +- movq t1,d1
35433 +-
35434 +- # t1[0] = h0 * r2 + h2 * r0
35435 +- # t1[1] = h1 * r1 + h3 * s4
35436 +- movd r2,t1
35437 +- movd r1,t2
35438 +- punpcklqdq t2,t1
35439 +- pmuludq h01,t1
35440 +- movd r0,t2
35441 +- movd s4,t3
35442 +- punpcklqdq t3,t2
35443 +- pmuludq h23,t2
35444 +- paddq t2,t1
35445 +- # t2[0] = h0 * r3 + h2 * r1
35446 +- # t2[1] = h1 * r2 + h3 * r0
35447 +- movd r3,t2
35448 +- movd r2,t3
35449 +- punpcklqdq t3,t2
35450 +- pmuludq h01,t2
35451 +- movd r1,t3
35452 +- movd r0,t4
35453 +- punpcklqdq t4,t3
35454 +- pmuludq h23,t3
35455 +- paddq t3,t2
35456 +- # t3[0] = h4 * s3
35457 +- # t3[1] = h4 * s4
35458 +- movd s3,t3
35459 +- movd s4,t4
35460 +- punpcklqdq t4,t3
35461 +- pmuludq h44,t3
35462 +- # d2 = t1[0] + t1[1] + t3[0]
35463 +- # d3 = t2[0] + t2[1] + t3[1]
35464 +- movdqa t1,t4
35465 +- punpcklqdq t2,t4
35466 +- punpckhqdq t2,t1
35467 +- paddq t4,t1
35468 +- paddq t3,t1
35469 +- movq t1,d2
35470 +- psrldq $8,t1
35471 +- movq t1,d3
35472 +-
35473 +- # t1[0] = h0 * r4 + h2 * r2
35474 +- # t1[1] = h1 * r3 + h3 * r1
35475 +- movd r4,t1
35476 +- movd r3,t2
35477 +- punpcklqdq t2,t1
35478 +- pmuludq h01,t1
35479 +- movd r2,t2
35480 +- movd r1,t3
35481 +- punpcklqdq t3,t2
35482 +- pmuludq h23,t2
35483 +- paddq t2,t1
35484 +- # t3[0] = h4 * r0
35485 +- movd r0,t3
35486 +- pmuludq h44,t3
35487 +- # d4 = t1[0] + t1[1] + t3[0]
35488 +- movdqa t1,t4
35489 +- psrldq $8,t4
35490 +- paddq t4,t1
35491 +- paddq t3,t1
35492 +- movq t1,d4
35493 +-
35494 +- # d1 += d0 >> 26
35495 +- mov d0,%rax
35496 +- shr $26,%rax
35497 +- add %rax,d1
35498 +- # h0 = d0 & 0x3ffffff
35499 +- mov d0,%rbx
35500 +- and $0x3ffffff,%ebx
35501 +-
35502 +- # d2 += d1 >> 26
35503 +- mov d1,%rax
35504 +- shr $26,%rax
35505 +- add %rax,d2
35506 +- # h1 = d1 & 0x3ffffff
35507 +- mov d1,%rax
35508 +- and $0x3ffffff,%eax
35509 +- mov %eax,h1
35510 +-
35511 +- # d3 += d2 >> 26
35512 +- mov d2,%rax
35513 +- shr $26,%rax
35514 +- add %rax,d3
35515 +- # h2 = d2 & 0x3ffffff
35516 +- mov d2,%rax
35517 +- and $0x3ffffff,%eax
35518 +- mov %eax,h2
35519 +-
35520 +- # d4 += d3 >> 26
35521 +- mov d3,%rax
35522 +- shr $26,%rax
35523 +- add %rax,d4
35524 +- # h3 = d3 & 0x3ffffff
35525 +- mov d3,%rax
35526 +- and $0x3ffffff,%eax
35527 +- mov %eax,h3
35528 +-
35529 +- # h0 += (d4 >> 26) * 5
35530 +- mov d4,%rax
35531 +- shr $26,%rax
35532 +- lea (%rax,%rax,4),%rax
35533 +- add %rax,%rbx
35534 +- # h4 = d4 & 0x3ffffff
35535 +- mov d4,%rax
35536 +- and $0x3ffffff,%eax
35537 +- mov %eax,h4
35538 +-
35539 +- # h1 += h0 >> 26
35540 +- mov %rbx,%rax
35541 +- shr $26,%rax
35542 +- add %eax,h1
35543 +- # h0 = h0 & 0x3ffffff
35544 +- andl $0x3ffffff,%ebx
35545 +- mov %ebx,h0
35546 +-
35547 +- add $0x10,m
35548 +- dec %rcx
35549 +- jnz .Ldoblock
35550 +-
35551 +- # Zeroing of key material
35552 +- mov %rcx,0x00(%rsp)
35553 +- mov %rcx,0x08(%rsp)
35554 +-
35555 +- add $0x10,%rsp
35556 +- pop %r12
35557 +- pop %rbx
35558 +- ret
35559 +-ENDPROC(poly1305_block_sse2)
35560 +-
35561 +-
35562 +-#define u0 0x00(%r8)
35563 +-#define u1 0x04(%r8)
35564 +-#define u2 0x08(%r8)
35565 +-#define u3 0x0c(%r8)
35566 +-#define u4 0x10(%r8)
35567 +-#define hc0 %xmm0
35568 +-#define hc1 %xmm1
35569 +-#define hc2 %xmm2
35570 +-#define hc3 %xmm5
35571 +-#define hc4 %xmm6
35572 +-#define ru0 %xmm7
35573 +-#define ru1 %xmm8
35574 +-#define ru2 %xmm9
35575 +-#define ru3 %xmm10
35576 +-#define ru4 %xmm11
35577 +-#define sv1 %xmm12
35578 +-#define sv2 %xmm13
35579 +-#define sv3 %xmm14
35580 +-#define sv4 %xmm15
35581 +-#undef d0
35582 +-#define d0 %r13
35583 +-
35584 +-ENTRY(poly1305_2block_sse2)
35585 +- # %rdi: Accumulator h[5]
35586 +- # %rsi: 16 byte input block m
35587 +- # %rdx: Poly1305 key r[5]
35588 +- # %rcx: Doubleblock count
35589 +- # %r8: Poly1305 derived key r^2 u[5]
35590 +-
35591 +- # This two-block variant further improves performance by using loop
35592 +- # unrolled block processing. This is more straight forward and does
35593 +- # less byte shuffling, but requires a second Poly1305 key r^2:
35594 +- # h = (h + m) * r => h = (h + m1) * r^2 + m2 * r
35595 +-
35596 +- push %rbx
35597 +- push %r12
35598 +- push %r13
35599 +-
35600 +- # combine r0,u0
35601 +- movd u0,ru0
35602 +- movd r0,t1
35603 +- punpcklqdq t1,ru0
35604 +-
35605 +- # combine r1,u1 and s1=r1*5,v1=u1*5
35606 +- movd u1,ru1
35607 +- movd r1,t1
35608 +- punpcklqdq t1,ru1
35609 +- movdqa ru1,sv1
35610 +- pslld $2,sv1
35611 +- paddd ru1,sv1
35612 +-
35613 +- # combine r2,u2 and s2=r2*5,v2=u2*5
35614 +- movd u2,ru2
35615 +- movd r2,t1
35616 +- punpcklqdq t1,ru2
35617 +- movdqa ru2,sv2
35618 +- pslld $2,sv2
35619 +- paddd ru2,sv2
35620 +-
35621 +- # combine r3,u3 and s3=r3*5,v3=u3*5
35622 +- movd u3,ru3
35623 +- movd r3,t1
35624 +- punpcklqdq t1,ru3
35625 +- movdqa ru3,sv3
35626 +- pslld $2,sv3
35627 +- paddd ru3,sv3
35628 +-
35629 +- # combine r4,u4 and s4=r4*5,v4=u4*5
35630 +- movd u4,ru4
35631 +- movd r4,t1
35632 +- punpcklqdq t1,ru4
35633 +- movdqa ru4,sv4
35634 +- pslld $2,sv4
35635 +- paddd ru4,sv4
35636 +-
35637 +-.Ldoblock2:
35638 +- # hc0 = [ m[16-19] & 0x3ffffff, h0 + m[0-3] & 0x3ffffff ]
35639 +- movd 0x00(m),hc0
35640 +- movd 0x10(m),t1
35641 +- punpcklqdq t1,hc0
35642 +- pand ANMASK(%rip),hc0
35643 +- movd h0,t1
35644 +- paddd t1,hc0
35645 +- # hc1 = [ (m[19-22] >> 2) & 0x3ffffff, h1 + (m[3-6] >> 2) & 0x3ffffff ]
35646 +- movd 0x03(m),hc1
35647 +- movd 0x13(m),t1
35648 +- punpcklqdq t1,hc1
35649 +- psrld $2,hc1
35650 +- pand ANMASK(%rip),hc1
35651 +- movd h1,t1
35652 +- paddd t1,hc1
35653 +- # hc2 = [ (m[22-25] >> 4) & 0x3ffffff, h2 + (m[6-9] >> 4) & 0x3ffffff ]
35654 +- movd 0x06(m),hc2
35655 +- movd 0x16(m),t1
35656 +- punpcklqdq t1,hc2
35657 +- psrld $4,hc2
35658 +- pand ANMASK(%rip),hc2
35659 +- movd h2,t1
35660 +- paddd t1,hc2
35661 +- # hc3 = [ (m[25-28] >> 6) & 0x3ffffff, h3 + (m[9-12] >> 6) & 0x3ffffff ]
35662 +- movd 0x09(m),hc3
35663 +- movd 0x19(m),t1
35664 +- punpcklqdq t1,hc3
35665 +- psrld $6,hc3
35666 +- pand ANMASK(%rip),hc3
35667 +- movd h3,t1
35668 +- paddd t1,hc3
35669 +- # hc4 = [ (m[28-31] >> 8) | (1<<24), h4 + (m[12-15] >> 8) | (1<<24) ]
35670 +- movd 0x0c(m),hc4
35671 +- movd 0x1c(m),t1
35672 +- punpcklqdq t1,hc4
35673 +- psrld $8,hc4
35674 +- por ORMASK(%rip),hc4
35675 +- movd h4,t1
35676 +- paddd t1,hc4
35677 +-
35678 +- # t1 = [ hc0[1] * r0, hc0[0] * u0 ]
35679 +- movdqa ru0,t1
35680 +- pmuludq hc0,t1
35681 +- # t1 += [ hc1[1] * s4, hc1[0] * v4 ]
35682 +- movdqa sv4,t2
35683 +- pmuludq hc1,t2
35684 +- paddq t2,t1
35685 +- # t1 += [ hc2[1] * s3, hc2[0] * v3 ]
35686 +- movdqa sv3,t2
35687 +- pmuludq hc2,t2
35688 +- paddq t2,t1
35689 +- # t1 += [ hc3[1] * s2, hc3[0] * v2 ]
35690 +- movdqa sv2,t2
35691 +- pmuludq hc3,t2
35692 +- paddq t2,t1
35693 +- # t1 += [ hc4[1] * s1, hc4[0] * v1 ]
35694 +- movdqa sv1,t2
35695 +- pmuludq hc4,t2
35696 +- paddq t2,t1
35697 +- # d0 = t1[0] + t1[1]
35698 +- movdqa t1,t2
35699 +- psrldq $8,t2
35700 +- paddq t2,t1
35701 +- movq t1,d0
35702 +-
35703 +- # t1 = [ hc0[1] * r1, hc0[0] * u1 ]
35704 +- movdqa ru1,t1
35705 +- pmuludq hc0,t1
35706 +- # t1 += [ hc1[1] * r0, hc1[0] * u0 ]
35707 +- movdqa ru0,t2
35708 +- pmuludq hc1,t2
35709 +- paddq t2,t1
35710 +- # t1 += [ hc2[1] * s4, hc2[0] * v4 ]
35711 +- movdqa sv4,t2
35712 +- pmuludq hc2,t2
35713 +- paddq t2,t1
35714 +- # t1 += [ hc3[1] * s3, hc3[0] * v3 ]
35715 +- movdqa sv3,t2
35716 +- pmuludq hc3,t2
35717 +- paddq t2,t1
35718 +- # t1 += [ hc4[1] * s2, hc4[0] * v2 ]
35719 +- movdqa sv2,t2
35720 +- pmuludq hc4,t2
35721 +- paddq t2,t1
35722 +- # d1 = t1[0] + t1[1]
35723 +- movdqa t1,t2
35724 +- psrldq $8,t2
35725 +- paddq t2,t1
35726 +- movq t1,d1
35727 +-
35728 +- # t1 = [ hc0[1] * r2, hc0[0] * u2 ]
35729 +- movdqa ru2,t1
35730 +- pmuludq hc0,t1
35731 +- # t1 += [ hc1[1] * r1, hc1[0] * u1 ]
35732 +- movdqa ru1,t2
35733 +- pmuludq hc1,t2
35734 +- paddq t2,t1
35735 +- # t1 += [ hc2[1] * r0, hc2[0] * u0 ]
35736 +- movdqa ru0,t2
35737 +- pmuludq hc2,t2
35738 +- paddq t2,t1
35739 +- # t1 += [ hc3[1] * s4, hc3[0] * v4 ]
35740 +- movdqa sv4,t2
35741 +- pmuludq hc3,t2
35742 +- paddq t2,t1
35743 +- # t1 += [ hc4[1] * s3, hc4[0] * v3 ]
35744 +- movdqa sv3,t2
35745 +- pmuludq hc4,t2
35746 +- paddq t2,t1
35747 +- # d2 = t1[0] + t1[1]
35748 +- movdqa t1,t2
35749 +- psrldq $8,t2
35750 +- paddq t2,t1
35751 +- movq t1,d2
35752 +-
35753 +- # t1 = [ hc0[1] * r3, hc0[0] * u3 ]
35754 +- movdqa ru3,t1
35755 +- pmuludq hc0,t1
35756 +- # t1 += [ hc1[1] * r2, hc1[0] * u2 ]
35757 +- movdqa ru2,t2
35758 +- pmuludq hc1,t2
35759 +- paddq t2,t1
35760 +- # t1 += [ hc2[1] * r1, hc2[0] * u1 ]
35761 +- movdqa ru1,t2
35762 +- pmuludq hc2,t2
35763 +- paddq t2,t1
35764 +- # t1 += [ hc3[1] * r0, hc3[0] * u0 ]
35765 +- movdqa ru0,t2
35766 +- pmuludq hc3,t2
35767 +- paddq t2,t1
35768 +- # t1 += [ hc4[1] * s4, hc4[0] * v4 ]
35769 +- movdqa sv4,t2
35770 +- pmuludq hc4,t2
35771 +- paddq t2,t1
35772 +- # d3 = t1[0] + t1[1]
35773 +- movdqa t1,t2
35774 +- psrldq $8,t2
35775 +- paddq t2,t1
35776 +- movq t1,d3
35777 +-
35778 +- # t1 = [ hc0[1] * r4, hc0[0] * u4 ]
35779 +- movdqa ru4,t1
35780 +- pmuludq hc0,t1
35781 +- # t1 += [ hc1[1] * r3, hc1[0] * u3 ]
35782 +- movdqa ru3,t2
35783 +- pmuludq hc1,t2
35784 +- paddq t2,t1
35785 +- # t1 += [ hc2[1] * r2, hc2[0] * u2 ]
35786 +- movdqa ru2,t2
35787 +- pmuludq hc2,t2
35788 +- paddq t2,t1
35789 +- # t1 += [ hc3[1] * r1, hc3[0] * u1 ]
35790 +- movdqa ru1,t2
35791 +- pmuludq hc3,t2
35792 +- paddq t2,t1
35793 +- # t1 += [ hc4[1] * r0, hc4[0] * u0 ]
35794 +- movdqa ru0,t2
35795 +- pmuludq hc4,t2
35796 +- paddq t2,t1
35797 +- # d4 = t1[0] + t1[1]
35798 +- movdqa t1,t2
35799 +- psrldq $8,t2
35800 +- paddq t2,t1
35801 +- movq t1,d4
35802 +-
35803 +- # Now do a partial reduction mod (2^130)-5, carrying h0 -> h1 -> h2 ->
35804 +- # h3 -> h4 -> h0 -> h1 to get h0,h2,h3,h4 < 2^26 and h1 < 2^26 + a small
35805 +- # amount. Careful: we must not assume the carry bits 'd0 >> 26',
35806 +- # 'd1 >> 26', 'd2 >> 26', 'd3 >> 26', and '(d4 >> 26) * 5' fit in 32-bit
35807 +- # integers. It's true in a single-block implementation, but not here.
35808 +-
35809 +- # d1 += d0 >> 26
35810 +- mov d0,%rax
35811 +- shr $26,%rax
35812 +- add %rax,d1
35813 +- # h0 = d0 & 0x3ffffff
35814 +- mov d0,%rbx
35815 +- and $0x3ffffff,%ebx
35816 +-
35817 +- # d2 += d1 >> 26
35818 +- mov d1,%rax
35819 +- shr $26,%rax
35820 +- add %rax,d2
35821 +- # h1 = d1 & 0x3ffffff
35822 +- mov d1,%rax
35823 +- and $0x3ffffff,%eax
35824 +- mov %eax,h1
35825 +-
35826 +- # d3 += d2 >> 26
35827 +- mov d2,%rax
35828 +- shr $26,%rax
35829 +- add %rax,d3
35830 +- # h2 = d2 & 0x3ffffff
35831 +- mov d2,%rax
35832 +- and $0x3ffffff,%eax
35833 +- mov %eax,h2
35834 +-
35835 +- # d4 += d3 >> 26
35836 +- mov d3,%rax
35837 +- shr $26,%rax
35838 +- add %rax,d4
35839 +- # h3 = d3 & 0x3ffffff
35840 +- mov d3,%rax
35841 +- and $0x3ffffff,%eax
35842 +- mov %eax,h3
35843 +-
35844 +- # h0 += (d4 >> 26) * 5
35845 +- mov d4,%rax
35846 +- shr $26,%rax
35847 +- lea (%rax,%rax,4),%rax
35848 +- add %rax,%rbx
35849 +- # h4 = d4 & 0x3ffffff
35850 +- mov d4,%rax
35851 +- and $0x3ffffff,%eax
35852 +- mov %eax,h4
35853 +-
35854 +- # h1 += h0 >> 26
35855 +- mov %rbx,%rax
35856 +- shr $26,%rax
35857 +- add %eax,h1
35858 +- # h0 = h0 & 0x3ffffff
35859 +- andl $0x3ffffff,%ebx
35860 +- mov %ebx,h0
35861 +-
35862 +- add $0x20,m
35863 +- dec %rcx
35864 +- jnz .Ldoblock2
35865 +-
35866 +- pop %r13
35867 +- pop %r12
35868 +- pop %rbx
35869 +- ret
35870 +-ENDPROC(poly1305_2block_sse2)
35871 +--- /dev/null
35872 ++++ b/lib/crypto/curve25519-generic.c
35873 +@@ -0,0 +1,24 @@
35874 ++// SPDX-License-Identifier: GPL-2.0 OR MIT
35875 ++/*
35876 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
35877 ++ *
35878 ++ * This is an implementation of the Curve25519 ECDH algorithm, using either
35879 ++ * a 32-bit implementation or a 64-bit implementation with 128-bit integers,
35880 ++ * depending on what is supported by the target compiler.
35881 ++ *
35882 ++ * Information: https://cr.yp.to/ecdh.html
35883 ++ */
35884 ++
35885 ++#include <crypto/curve25519.h>
35886 ++#include <linux/module.h>
35887 ++
35888 ++const u8 curve25519_null_point[CURVE25519_KEY_SIZE] __aligned(32) = { 0 };
35889 ++const u8 curve25519_base_point[CURVE25519_KEY_SIZE] __aligned(32) = { 9 };
35890 ++
35891 ++EXPORT_SYMBOL(curve25519_null_point);
35892 ++EXPORT_SYMBOL(curve25519_base_point);
35893 ++EXPORT_SYMBOL(curve25519_generic);
35894 ++
35895 ++MODULE_LICENSE("GPL v2");
35896 ++MODULE_DESCRIPTION("Curve25519 scalar multiplication");
35897 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
35898 +--- a/arch/x86/Makefile
35899 ++++ b/arch/x86/Makefile
35900 +@@ -197,9 +197,10 @@ avx2_instr :=$(call as-instr,vpbroadcastb %xmm0$(comma)%ymm1,-DCONFIG_AS_AVX2=1)
35901 + avx512_instr :=$(call as-instr,vpmovm2b %k1$(comma)%zmm5,-DCONFIG_AS_AVX512=1)
35902 + sha1_ni_instr :=$(call as-instr,sha1msg1 %xmm0$(comma)%xmm1,-DCONFIG_AS_SHA1_NI=1)
35903 + sha256_ni_instr :=$(call as-instr,sha256msg1 %xmm0$(comma)%xmm1,-DCONFIG_AS_SHA256_NI=1)
35904 ++adx_instr := $(call as-instr,adox %r10$(comma)%r10,-DCONFIG_AS_ADX=1)
35905 +
35906 +-KBUILD_AFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr)
35907 +-KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr)
35908 ++KBUILD_AFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr) $(adx_instr)
35909 ++KBUILD_CFLAGS += $(cfi) $(cfi-sigframe) $(cfi-sections) $(asinstr) $(avx_instr) $(avx2_instr) $(avx512_instr) $(sha1_ni_instr) $(sha256_ni_instr) $(adx_instr)
35910 +
35911 + KBUILD_LDFLAGS := -m elf_$(UTS_MACHINE)
35912 +
35913 +--- a/arch/arm/crypto/.gitignore
35914 ++++ b/arch/arm/crypto/.gitignore
35915 +@@ -1,3 +1,4 @@
35916 + aesbs-core.S
35917 + sha256-core.S
35918 + sha512-core.S
35919 ++poly1305-core.S
35920 +--- a/arch/arm64/crypto/.gitignore
35921 ++++ b/arch/arm64/crypto/.gitignore
35922 +@@ -1,2 +1,3 @@
35923 + sha256-core.S
35924 + sha512-core.S
35925 ++poly1305-core.S
35926 +--- a/arch/x86/crypto/chacha-ssse3-x86_64.S
35927 ++++ b/arch/x86/crypto/chacha-ssse3-x86_64.S
35928 +@@ -120,10 +120,10 @@ ENTRY(chacha_block_xor_ssse3)
35929 + FRAME_BEGIN
35930 +
35931 + # x0..3 = s0..3
35932 +- movdqa 0x00(%rdi),%xmm0
35933 +- movdqa 0x10(%rdi),%xmm1
35934 +- movdqa 0x20(%rdi),%xmm2
35935 +- movdqa 0x30(%rdi),%xmm3
35936 ++ movdqu 0x00(%rdi),%xmm0
35937 ++ movdqu 0x10(%rdi),%xmm1
35938 ++ movdqu 0x20(%rdi),%xmm2
35939 ++ movdqu 0x30(%rdi),%xmm3
35940 + movdqa %xmm0,%xmm8
35941 + movdqa %xmm1,%xmm9
35942 + movdqa %xmm2,%xmm10
35943 +@@ -205,10 +205,10 @@ ENTRY(hchacha_block_ssse3)
35944 + # %edx: nrounds
35945 + FRAME_BEGIN
35946 +
35947 +- movdqa 0x00(%rdi),%xmm0
35948 +- movdqa 0x10(%rdi),%xmm1
35949 +- movdqa 0x20(%rdi),%xmm2
35950 +- movdqa 0x30(%rdi),%xmm3
35951 ++ movdqu 0x00(%rdi),%xmm0
35952 ++ movdqu 0x10(%rdi),%xmm1
35953 ++ movdqu 0x20(%rdi),%xmm2
35954 ++ movdqu 0x30(%rdi),%xmm3
35955 +
35956 + mov %edx,%r8d
35957 + call chacha_permute
35958 +--- a/arch/arm/crypto/chacha-neon-core.S
35959 ++++ b/arch/arm/crypto/chacha-neon-core.S
35960 +@@ -47,6 +47,7 @@
35961 + */
35962 +
35963 + #include <linux/linkage.h>
35964 ++#include <asm/cache.h>
35965 +
35966 + .text
35967 + .fpu neon
35968 +@@ -205,7 +206,7 @@ ENDPROC(hchacha_block_neon)
35969 +
35970 + .align 5
35971 + ENTRY(chacha_4block_xor_neon)
35972 +- push {r4-r5}
35973 ++ push {r4, lr}
35974 + mov r4, sp // preserve the stack pointer
35975 + sub ip, sp, #0x20 // allocate a 32 byte buffer
35976 + bic ip, ip, #0x1f // aligned to 32 bytes
35977 +@@ -229,10 +230,10 @@ ENTRY(chacha_4block_xor_neon)
35978 + vld1.32 {q0-q1}, [r0]
35979 + vld1.32 {q2-q3}, [ip]
35980 +
35981 +- adr r5, .Lctrinc
35982 ++ adr lr, .Lctrinc
35983 + vdup.32 q15, d7[1]
35984 + vdup.32 q14, d7[0]
35985 +- vld1.32 {q4}, [r5, :128]
35986 ++ vld1.32 {q4}, [lr, :128]
35987 + vdup.32 q13, d6[1]
35988 + vdup.32 q12, d6[0]
35989 + vdup.32 q11, d5[1]
35990 +@@ -455,7 +456,7 @@ ENTRY(chacha_4block_xor_neon)
35991 +
35992 + // Re-interleave the words in the first two rows of each block (x0..7).
35993 + // Also add the counter values 0-3 to x12[0-3].
35994 +- vld1.32 {q8}, [r5, :128] // load counter values 0-3
35995 ++ vld1.32 {q8}, [lr, :128] // load counter values 0-3
35996 + vzip.32 q0, q1 // => (0 1 0 1) (0 1 0 1)
35997 + vzip.32 q2, q3 // => (2 3 2 3) (2 3 2 3)
35998 + vzip.32 q4, q5 // => (4 5 4 5) (4 5 4 5)
35999 +@@ -493,6 +494,8 @@ ENTRY(chacha_4block_xor_neon)
36000 +
36001 + // Re-interleave the words in the last two rows of each block (x8..15).
36002 + vld1.32 {q8-q9}, [sp, :256]
36003 ++ mov sp, r4 // restore original stack pointer
36004 ++ ldr r4, [r4, #8] // load number of bytes
36005 + vzip.32 q12, q13 // => (12 13 12 13) (12 13 12 13)
36006 + vzip.32 q14, q15 // => (14 15 14 15) (14 15 14 15)
36007 + vzip.32 q8, q9 // => (8 9 8 9) (8 9 8 9)
36008 +@@ -520,41 +523,121 @@ ENTRY(chacha_4block_xor_neon)
36009 + // XOR the rest of the data with the keystream
36010 +
36011 + vld1.8 {q0-q1}, [r2]!
36012 ++ subs r4, r4, #96
36013 + veor q0, q0, q8
36014 + veor q1, q1, q12
36015 ++ ble .Lle96
36016 + vst1.8 {q0-q1}, [r1]!
36017 +
36018 + vld1.8 {q0-q1}, [r2]!
36019 ++ subs r4, r4, #32
36020 + veor q0, q0, q2
36021 + veor q1, q1, q6
36022 ++ ble .Lle128
36023 + vst1.8 {q0-q1}, [r1]!
36024 +
36025 + vld1.8 {q0-q1}, [r2]!
36026 ++ subs r4, r4, #32
36027 + veor q0, q0, q10
36028 + veor q1, q1, q14
36029 ++ ble .Lle160
36030 + vst1.8 {q0-q1}, [r1]!
36031 +
36032 + vld1.8 {q0-q1}, [r2]!
36033 ++ subs r4, r4, #32
36034 + veor q0, q0, q4
36035 + veor q1, q1, q5
36036 ++ ble .Lle192
36037 + vst1.8 {q0-q1}, [r1]!
36038 +
36039 + vld1.8 {q0-q1}, [r2]!
36040 ++ subs r4, r4, #32
36041 + veor q0, q0, q9
36042 + veor q1, q1, q13
36043 ++ ble .Lle224
36044 + vst1.8 {q0-q1}, [r1]!
36045 +
36046 + vld1.8 {q0-q1}, [r2]!
36047 ++ subs r4, r4, #32
36048 + veor q0, q0, q3
36049 + veor q1, q1, q7
36050 ++ blt .Llt256
36051 ++.Lout:
36052 + vst1.8 {q0-q1}, [r1]!
36053 +
36054 + vld1.8 {q0-q1}, [r2]
36055 +- mov sp, r4 // restore original stack pointer
36056 + veor q0, q0, q11
36057 + veor q1, q1, q15
36058 + vst1.8 {q0-q1}, [r1]
36059 +
36060 +- pop {r4-r5}
36061 +- bx lr
36062 ++ pop {r4, pc}
36063 ++
36064 ++.Lle192:
36065 ++ vmov q4, q9
36066 ++ vmov q5, q13
36067 ++
36068 ++.Lle160:
36069 ++ // nothing to do
36070 ++
36071 ++.Lfinalblock:
36072 ++ // Process the final block if processing less than 4 full blocks.
36073 ++ // Entered with 32 bytes of ChaCha cipher stream in q4-q5, and the
36074 ++ // previous 32 byte output block that still needs to be written at
36075 ++ // [r1] in q0-q1.
36076 ++ beq .Lfullblock
36077 ++
36078 ++.Lpartialblock:
36079 ++ adr lr, .Lpermute + 32
36080 ++ add r2, r2, r4
36081 ++ add lr, lr, r4
36082 ++ add r4, r4, r1
36083 ++
36084 ++ vld1.8 {q2-q3}, [lr]
36085 ++ vld1.8 {q6-q7}, [r2]
36086 ++
36087 ++ add r4, r4, #32
36088 ++
36089 ++ vtbl.8 d4, {q4-q5}, d4
36090 ++ vtbl.8 d5, {q4-q5}, d5
36091 ++ vtbl.8 d6, {q4-q5}, d6
36092 ++ vtbl.8 d7, {q4-q5}, d7
36093 ++
36094 ++ veor q6, q6, q2
36095 ++ veor q7, q7, q3
36096 ++
36097 ++ vst1.8 {q6-q7}, [r4] // overlapping stores
36098 ++ vst1.8 {q0-q1}, [r1]
36099 ++ pop {r4, pc}
36100 ++
36101 ++.Lfullblock:
36102 ++ vmov q11, q4
36103 ++ vmov q15, q5
36104 ++ b .Lout
36105 ++.Lle96:
36106 ++ vmov q4, q2
36107 ++ vmov q5, q6
36108 ++ b .Lfinalblock
36109 ++.Lle128:
36110 ++ vmov q4, q10
36111 ++ vmov q5, q14
36112 ++ b .Lfinalblock
36113 ++.Lle224:
36114 ++ vmov q4, q3
36115 ++ vmov q5, q7
36116 ++ b .Lfinalblock
36117 ++.Llt256:
36118 ++ vmov q4, q11
36119 ++ vmov q5, q15
36120 ++ b .Lpartialblock
36121 + ENDPROC(chacha_4block_xor_neon)
36122 ++
36123 ++ .align L1_CACHE_SHIFT
36124 ++.Lpermute:
36125 ++ .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
36126 ++ .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
36127 ++ .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
36128 ++ .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
36129 ++ .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
36130 ++ .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
36131 ++ .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
36132 ++ .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
36133 +--- a/arch/arm64/crypto/chacha-neon-core.S
36134 ++++ b/arch/arm64/crypto/chacha-neon-core.S
36135 +@@ -195,7 +195,6 @@ ENTRY(chacha_4block_xor_neon)
36136 + adr_l x10, .Lpermute
36137 + and x5, x4, #63
36138 + add x10, x10, x5
36139 +- add x11, x10, #64
36140 +
36141 + //
36142 + // This function encrypts four consecutive ChaCha blocks by loading
36143 +@@ -645,11 +644,11 @@ CPU_BE( rev a15, a15 )
36144 + zip2 v31.4s, v14.4s, v15.4s
36145 + eor a15, a15, w9
36146 +
36147 +- mov x3, #64
36148 ++ add x3, x2, x4
36149 ++ sub x3, x3, #128 // start of last block
36150 ++
36151 + subs x5, x4, #128
36152 +- add x6, x5, x2
36153 +- csel x3, x3, xzr, ge
36154 +- csel x2, x2, x6, ge
36155 ++ csel x2, x2, x3, ge
36156 +
36157 + // interleave 64-bit words in state n, n+2
36158 + zip1 v0.2d, v16.2d, v18.2d
36159 +@@ -658,13 +657,10 @@ CPU_BE( rev a15, a15 )
36160 + zip1 v8.2d, v17.2d, v19.2d
36161 + zip2 v12.2d, v17.2d, v19.2d
36162 + stp a2, a3, [x1, #-56]
36163 +- ld1 {v16.16b-v19.16b}, [x2], x3
36164 +
36165 + subs x6, x4, #192
36166 +- ccmp x3, xzr, #4, lt
36167 +- add x7, x6, x2
36168 +- csel x3, x3, xzr, eq
36169 +- csel x2, x2, x7, eq
36170 ++ ld1 {v16.16b-v19.16b}, [x2], #64
36171 ++ csel x2, x2, x3, ge
36172 +
36173 + zip1 v1.2d, v20.2d, v22.2d
36174 + zip2 v5.2d, v20.2d, v22.2d
36175 +@@ -672,13 +668,10 @@ CPU_BE( rev a15, a15 )
36176 + zip1 v9.2d, v21.2d, v23.2d
36177 + zip2 v13.2d, v21.2d, v23.2d
36178 + stp a6, a7, [x1, #-40]
36179 +- ld1 {v20.16b-v23.16b}, [x2], x3
36180 +
36181 + subs x7, x4, #256
36182 +- ccmp x3, xzr, #4, lt
36183 +- add x8, x7, x2
36184 +- csel x3, x3, xzr, eq
36185 +- csel x2, x2, x8, eq
36186 ++ ld1 {v20.16b-v23.16b}, [x2], #64
36187 ++ csel x2, x2, x3, ge
36188 +
36189 + zip1 v2.2d, v24.2d, v26.2d
36190 + zip2 v6.2d, v24.2d, v26.2d
36191 +@@ -686,12 +679,10 @@ CPU_BE( rev a15, a15 )
36192 + zip1 v10.2d, v25.2d, v27.2d
36193 + zip2 v14.2d, v25.2d, v27.2d
36194 + stp a10, a11, [x1, #-24]
36195 +- ld1 {v24.16b-v27.16b}, [x2], x3
36196 +
36197 + subs x8, x4, #320
36198 +- ccmp x3, xzr, #4, lt
36199 +- add x9, x8, x2
36200 +- csel x2, x2, x9, eq
36201 ++ ld1 {v24.16b-v27.16b}, [x2], #64
36202 ++ csel x2, x2, x3, ge
36203 +
36204 + zip1 v3.2d, v28.2d, v30.2d
36205 + zip2 v7.2d, v28.2d, v30.2d
36206 +@@ -699,151 +690,105 @@ CPU_BE( rev a15, a15 )
36207 + zip1 v11.2d, v29.2d, v31.2d
36208 + zip2 v15.2d, v29.2d, v31.2d
36209 + stp a14, a15, [x1, #-8]
36210 ++
36211 ++ tbnz x5, #63, .Lt128
36212 + ld1 {v28.16b-v31.16b}, [x2]
36213 +
36214 + // xor with corresponding input, write to output
36215 +- tbnz x5, #63, 0f
36216 + eor v16.16b, v16.16b, v0.16b
36217 + eor v17.16b, v17.16b, v1.16b
36218 + eor v18.16b, v18.16b, v2.16b
36219 + eor v19.16b, v19.16b, v3.16b
36220 +- st1 {v16.16b-v19.16b}, [x1], #64
36221 +- cbz x5, .Lout
36222 +
36223 +- tbnz x6, #63, 1f
36224 ++ tbnz x6, #63, .Lt192
36225 ++
36226 + eor v20.16b, v20.16b, v4.16b
36227 + eor v21.16b, v21.16b, v5.16b
36228 + eor v22.16b, v22.16b, v6.16b
36229 + eor v23.16b, v23.16b, v7.16b
36230 +- st1 {v20.16b-v23.16b}, [x1], #64
36231 +- cbz x6, .Lout
36232 +
36233 +- tbnz x7, #63, 2f
36234 ++ st1 {v16.16b-v19.16b}, [x1], #64
36235 ++ tbnz x7, #63, .Lt256
36236 ++
36237 + eor v24.16b, v24.16b, v8.16b
36238 + eor v25.16b, v25.16b, v9.16b
36239 + eor v26.16b, v26.16b, v10.16b
36240 + eor v27.16b, v27.16b, v11.16b
36241 +- st1 {v24.16b-v27.16b}, [x1], #64
36242 +- cbz x7, .Lout
36243 +
36244 +- tbnz x8, #63, 3f
36245 ++ st1 {v20.16b-v23.16b}, [x1], #64
36246 ++ tbnz x8, #63, .Lt320
36247 ++
36248 + eor v28.16b, v28.16b, v12.16b
36249 + eor v29.16b, v29.16b, v13.16b
36250 + eor v30.16b, v30.16b, v14.16b
36251 + eor v31.16b, v31.16b, v15.16b
36252 ++
36253 ++ st1 {v24.16b-v27.16b}, [x1], #64
36254 + st1 {v28.16b-v31.16b}, [x1]
36255 +
36256 + .Lout: frame_pop
36257 + ret
36258 +
36259 +- // fewer than 128 bytes of in/output
36260 +-0: ld1 {v8.16b}, [x10]
36261 +- ld1 {v9.16b}, [x11]
36262 +- movi v10.16b, #16
36263 +- sub x2, x1, #64
36264 +- add x1, x1, x5
36265 +- ld1 {v16.16b-v19.16b}, [x2]
36266 +- tbl v4.16b, {v0.16b-v3.16b}, v8.16b
36267 +- tbx v20.16b, {v16.16b-v19.16b}, v9.16b
36268 +- add v8.16b, v8.16b, v10.16b
36269 +- add v9.16b, v9.16b, v10.16b
36270 +- tbl v5.16b, {v0.16b-v3.16b}, v8.16b
36271 +- tbx v21.16b, {v16.16b-v19.16b}, v9.16b
36272 +- add v8.16b, v8.16b, v10.16b
36273 +- add v9.16b, v9.16b, v10.16b
36274 +- tbl v6.16b, {v0.16b-v3.16b}, v8.16b
36275 +- tbx v22.16b, {v16.16b-v19.16b}, v9.16b
36276 +- add v8.16b, v8.16b, v10.16b
36277 +- add v9.16b, v9.16b, v10.16b
36278 +- tbl v7.16b, {v0.16b-v3.16b}, v8.16b
36279 +- tbx v23.16b, {v16.16b-v19.16b}, v9.16b
36280 +-
36281 +- eor v20.16b, v20.16b, v4.16b
36282 +- eor v21.16b, v21.16b, v5.16b
36283 +- eor v22.16b, v22.16b, v6.16b
36284 +- eor v23.16b, v23.16b, v7.16b
36285 +- st1 {v20.16b-v23.16b}, [x1]
36286 +- b .Lout
36287 +-
36288 + // fewer than 192 bytes of in/output
36289 +-1: ld1 {v8.16b}, [x10]
36290 +- ld1 {v9.16b}, [x11]
36291 +- movi v10.16b, #16
36292 +- add x1, x1, x6
36293 +- tbl v0.16b, {v4.16b-v7.16b}, v8.16b
36294 +- tbx v20.16b, {v16.16b-v19.16b}, v9.16b
36295 +- add v8.16b, v8.16b, v10.16b
36296 +- add v9.16b, v9.16b, v10.16b
36297 +- tbl v1.16b, {v4.16b-v7.16b}, v8.16b
36298 +- tbx v21.16b, {v16.16b-v19.16b}, v9.16b
36299 +- add v8.16b, v8.16b, v10.16b
36300 +- add v9.16b, v9.16b, v10.16b
36301 +- tbl v2.16b, {v4.16b-v7.16b}, v8.16b
36302 +- tbx v22.16b, {v16.16b-v19.16b}, v9.16b
36303 +- add v8.16b, v8.16b, v10.16b
36304 +- add v9.16b, v9.16b, v10.16b
36305 +- tbl v3.16b, {v4.16b-v7.16b}, v8.16b
36306 +- tbx v23.16b, {v16.16b-v19.16b}, v9.16b
36307 +-
36308 +- eor v20.16b, v20.16b, v0.16b
36309 +- eor v21.16b, v21.16b, v1.16b
36310 +- eor v22.16b, v22.16b, v2.16b
36311 +- eor v23.16b, v23.16b, v3.16b
36312 +- st1 {v20.16b-v23.16b}, [x1]
36313 ++.Lt192: cbz x5, 1f // exactly 128 bytes?
36314 ++ ld1 {v28.16b-v31.16b}, [x10]
36315 ++ add x5, x5, x1
36316 ++ tbl v28.16b, {v4.16b-v7.16b}, v28.16b
36317 ++ tbl v29.16b, {v4.16b-v7.16b}, v29.16b
36318 ++ tbl v30.16b, {v4.16b-v7.16b}, v30.16b
36319 ++ tbl v31.16b, {v4.16b-v7.16b}, v31.16b
36320 ++
36321 ++0: eor v20.16b, v20.16b, v28.16b
36322 ++ eor v21.16b, v21.16b, v29.16b
36323 ++ eor v22.16b, v22.16b, v30.16b
36324 ++ eor v23.16b, v23.16b, v31.16b
36325 ++ st1 {v20.16b-v23.16b}, [x5] // overlapping stores
36326 ++1: st1 {v16.16b-v19.16b}, [x1]
36327 + b .Lout
36328 +
36329 ++ // fewer than 128 bytes of in/output
36330 ++.Lt128: ld1 {v28.16b-v31.16b}, [x10]
36331 ++ add x5, x5, x1
36332 ++ sub x1, x1, #64
36333 ++ tbl v28.16b, {v0.16b-v3.16b}, v28.16b
36334 ++ tbl v29.16b, {v0.16b-v3.16b}, v29.16b
36335 ++ tbl v30.16b, {v0.16b-v3.16b}, v30.16b
36336 ++ tbl v31.16b, {v0.16b-v3.16b}, v31.16b
36337 ++ ld1 {v16.16b-v19.16b}, [x1] // reload first output block
36338 ++ b 0b
36339 ++
36340 + // fewer than 256 bytes of in/output
36341 +-2: ld1 {v4.16b}, [x10]
36342 +- ld1 {v5.16b}, [x11]
36343 +- movi v6.16b, #16
36344 +- add x1, x1, x7
36345 ++.Lt256: cbz x6, 2f // exactly 192 bytes?
36346 ++ ld1 {v4.16b-v7.16b}, [x10]
36347 ++ add x6, x6, x1
36348 + tbl v0.16b, {v8.16b-v11.16b}, v4.16b
36349 +- tbx v24.16b, {v20.16b-v23.16b}, v5.16b
36350 +- add v4.16b, v4.16b, v6.16b
36351 +- add v5.16b, v5.16b, v6.16b
36352 +- tbl v1.16b, {v8.16b-v11.16b}, v4.16b
36353 +- tbx v25.16b, {v20.16b-v23.16b}, v5.16b
36354 +- add v4.16b, v4.16b, v6.16b
36355 +- add v5.16b, v5.16b, v6.16b
36356 +- tbl v2.16b, {v8.16b-v11.16b}, v4.16b
36357 +- tbx v26.16b, {v20.16b-v23.16b}, v5.16b
36358 +- add v4.16b, v4.16b, v6.16b
36359 +- add v5.16b, v5.16b, v6.16b
36360 +- tbl v3.16b, {v8.16b-v11.16b}, v4.16b
36361 +- tbx v27.16b, {v20.16b-v23.16b}, v5.16b
36362 +-
36363 +- eor v24.16b, v24.16b, v0.16b
36364 +- eor v25.16b, v25.16b, v1.16b
36365 +- eor v26.16b, v26.16b, v2.16b
36366 +- eor v27.16b, v27.16b, v3.16b
36367 +- st1 {v24.16b-v27.16b}, [x1]
36368 ++ tbl v1.16b, {v8.16b-v11.16b}, v5.16b
36369 ++ tbl v2.16b, {v8.16b-v11.16b}, v6.16b
36370 ++ tbl v3.16b, {v8.16b-v11.16b}, v7.16b
36371 ++
36372 ++ eor v28.16b, v28.16b, v0.16b
36373 ++ eor v29.16b, v29.16b, v1.16b
36374 ++ eor v30.16b, v30.16b, v2.16b
36375 ++ eor v31.16b, v31.16b, v3.16b
36376 ++ st1 {v28.16b-v31.16b}, [x6] // overlapping stores
36377 ++2: st1 {v20.16b-v23.16b}, [x1]
36378 + b .Lout
36379 +
36380 + // fewer than 320 bytes of in/output
36381 +-3: ld1 {v4.16b}, [x10]
36382 +- ld1 {v5.16b}, [x11]
36383 +- movi v6.16b, #16
36384 +- add x1, x1, x8
36385 ++.Lt320: cbz x7, 3f // exactly 256 bytes?
36386 ++ ld1 {v4.16b-v7.16b}, [x10]
36387 ++ add x7, x7, x1
36388 + tbl v0.16b, {v12.16b-v15.16b}, v4.16b
36389 +- tbx v28.16b, {v24.16b-v27.16b}, v5.16b
36390 +- add v4.16b, v4.16b, v6.16b
36391 +- add v5.16b, v5.16b, v6.16b
36392 +- tbl v1.16b, {v12.16b-v15.16b}, v4.16b
36393 +- tbx v29.16b, {v24.16b-v27.16b}, v5.16b
36394 +- add v4.16b, v4.16b, v6.16b
36395 +- add v5.16b, v5.16b, v6.16b
36396 +- tbl v2.16b, {v12.16b-v15.16b}, v4.16b
36397 +- tbx v30.16b, {v24.16b-v27.16b}, v5.16b
36398 +- add v4.16b, v4.16b, v6.16b
36399 +- add v5.16b, v5.16b, v6.16b
36400 +- tbl v3.16b, {v12.16b-v15.16b}, v4.16b
36401 +- tbx v31.16b, {v24.16b-v27.16b}, v5.16b
36402 ++ tbl v1.16b, {v12.16b-v15.16b}, v5.16b
36403 ++ tbl v2.16b, {v12.16b-v15.16b}, v6.16b
36404 ++ tbl v3.16b, {v12.16b-v15.16b}, v7.16b
36405 +
36406 + eor v28.16b, v28.16b, v0.16b
36407 + eor v29.16b, v29.16b, v1.16b
36408 + eor v30.16b, v30.16b, v2.16b
36409 + eor v31.16b, v31.16b, v3.16b
36410 +- st1 {v28.16b-v31.16b}, [x1]
36411 ++ st1 {v28.16b-v31.16b}, [x7] // overlapping stores
36412 ++3: st1 {v24.16b-v27.16b}, [x1]
36413 + b .Lout
36414 + ENDPROC(chacha_4block_xor_neon)
36415 +
36416 +@@ -851,7 +796,7 @@ ENDPROC(chacha_4block_xor_neon)
36417 + .align L1_CACHE_SHIFT
36418 + .Lpermute:
36419 + .set .Li, 0
36420 +- .rept 192
36421 ++ .rept 128
36422 + .byte (.Li - 64)
36423 + .set .Li, .Li + 1
36424 + .endr
36425 +--- b/include/linux/icmpv6.h
36426 ++++ b/include/linux/icmpv6.h
36427 +@@ -3,6 +3,7 @@
36428 + #define _LINUX_ICMPV6_H
36429 +
36430 + #include <linux/skbuff.h>
36431 ++#include <linux/ipv6.h>
36432 + #include <uapi/linux/icmpv6.h>
36433 +
36434 + static inline struct icmp6hdr *icmp6_hdr(const struct sk_buff *skb)
36435 +@@ -13,21 +14,41 @@
36436 + #include <linux/netdevice.h>
36437 +
36438 + #if IS_ENABLED(CONFIG_IPV6)
36439 +-extern void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info);
36440 ++extern void __icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
36441 ++ const struct inet6_skb_parm *parm);
36442 +
36443 ++static inline void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
36444 ++{
36445 ++ __icmpv6_send(skb, type, code, info, IP6CB(skb));
36446 ++}
36447 + typedef void ip6_icmp_send_t(struct sk_buff *skb, u8 type, u8 code, __u32 info,
36448 +- const struct in6_addr *force_saddr);
36449 ++ const struct in6_addr *force_saddr,
36450 ++ const struct inet6_skb_parm *parm);
36451 + extern int inet6_register_icmp_sender(ip6_icmp_send_t *fn);
36452 + extern int inet6_unregister_icmp_sender(ip6_icmp_send_t *fn);
36453 + int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
36454 + unsigned int data_len);
36455 +
36456 ++#if IS_ENABLED(CONFIG_NF_NAT)
36457 ++void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info);
36458 ++#else
36459 ++static inline void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
36460 ++{
36461 ++ struct inet6_skb_parm parm = { 0 };
36462 ++ __icmpv6_send(skb_in, type, code, info, &parm);
36463 ++}
36464 ++#endif
36465 ++
36466 + #else
36467 +
36468 + static inline void icmpv6_send(struct sk_buff *skb,
36469 + u8 type, u8 code, __u32 info)
36470 + {
36471 ++}
36472 +
36473 ++static inline void icmpv6_ndo_send(struct sk_buff *skb,
36474 ++ u8 type, u8 code, __u32 info)
36475 ++{
36476 + }
36477 + #endif
36478 +
36479 +--- b/include/net/icmp.h
36480 ++++ b/include/net/icmp.h
36481 +@@ -43,6 +43,16 @@
36482 + __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt);
36483 + }
36484 +
36485 ++#if IS_ENABLED(CONFIG_NF_NAT)
36486 ++void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info);
36487 ++#else
36488 ++static inline void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
36489 ++{
36490 ++ struct ip_options opts = { 0 };
36491 ++ __icmp_send(skb_in, type, code, info, &opts);
36492 ++}
36493 ++#endif
36494 ++
36495 + int icmp_rcv(struct sk_buff *skb);
36496 + int icmp_err(struct sk_buff *skb, u32 info);
36497 + int icmp_init(void);
36498 +--- b/net/ipv4/icmp.c
36499 ++++ b/net/ipv4/icmp.c
36500 +@@ -750,6 +750,40 @@
36501 + }
36502 + EXPORT_SYMBOL(__icmp_send);
36503 +
36504 ++#if IS_ENABLED(CONFIG_NF_NAT)
36505 ++#include <net/netfilter/nf_conntrack.h>
36506 ++void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
36507 ++{
36508 ++ struct sk_buff *cloned_skb = NULL;
36509 ++ struct ip_options opts = { 0 };
36510 ++ enum ip_conntrack_info ctinfo;
36511 ++ struct nf_conn *ct;
36512 ++ __be32 orig_ip;
36513 ++
36514 ++ ct = nf_ct_get(skb_in, &ctinfo);
36515 ++ if (!ct || !(ct->status & IPS_SRC_NAT)) {
36516 ++ __icmp_send(skb_in, type, code, info, &opts);
36517 ++ return;
36518 ++ }
36519 ++
36520 ++ if (skb_shared(skb_in))
36521 ++ skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
36522 ++
36523 ++ if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
36524 ++ (skb_network_header(skb_in) + sizeof(struct iphdr)) >
36525 ++ skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
36526 ++ skb_network_offset(skb_in) + sizeof(struct iphdr))))
36527 ++ goto out;
36528 ++
36529 ++ orig_ip = ip_hdr(skb_in)->saddr;
36530 ++ ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip;
36531 ++ __icmp_send(skb_in, type, code, info, &opts);
36532 ++ ip_hdr(skb_in)->saddr = orig_ip;
36533 ++out:
36534 ++ consume_skb(cloned_skb);
36535 ++}
36536 ++EXPORT_SYMBOL(icmp_ndo_send);
36537 ++#endif
36538 +
36539 + static void icmp_socket_deliver(struct sk_buff *skb, u32 info)
36540 + {
36541 +--- b/net/ipv6/ip6_icmp.c
36542 ++++ b/net/ipv6/ip6_icmp.c
36543 +@@ -31,7 +31,8 @@
36544 + }
36545 + EXPORT_SYMBOL(inet6_unregister_icmp_sender);
36546 +
36547 +-void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
36548 ++void __icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
36549 ++ const struct inet6_skb_parm *parm)
36550 + {
36551 + ip6_icmp_send_t *send;
36552 +
36553 +@@ -42,7 +43,42 @@
36554 + goto out;
36555 +- send(skb, type, code, info, NULL);
36556 ++ send(skb, type, code, info, NULL, parm);
36557 + out:
36558 + rcu_read_unlock();
36559 + }
36560 +-EXPORT_SYMBOL(icmpv6_send);
36561 ++EXPORT_SYMBOL(__icmpv6_send);
36562 ++
36563 ++#if IS_ENABLED(CONFIG_NF_NAT)
36564 ++#include <net/netfilter/nf_conntrack.h>
36565 ++void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info)
36566 ++{
36567 ++ struct inet6_skb_parm parm = { 0 };
36568 ++ struct sk_buff *cloned_skb = NULL;
36569 ++ enum ip_conntrack_info ctinfo;
36570 ++ struct in6_addr orig_ip;
36571 ++ struct nf_conn *ct;
36572 ++
36573 ++ ct = nf_ct_get(skb_in, &ctinfo);
36574 ++ if (!ct || !(ct->status & IPS_SRC_NAT)) {
36575 ++ __icmpv6_send(skb_in, type, code, info, &parm);
36576 ++ return;
36577 ++ }
36578 ++
36579 ++ if (skb_shared(skb_in))
36580 ++ skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC);
36581 ++
36582 ++ if (unlikely(!skb_in || skb_network_header(skb_in) < skb_in->head ||
36583 ++ (skb_network_header(skb_in) + sizeof(struct ipv6hdr)) >
36584 ++ skb_tail_pointer(skb_in) || skb_ensure_writable(skb_in,
36585 ++ skb_network_offset(skb_in) + sizeof(struct ipv6hdr))))
36586 ++ goto out;
36587 ++
36588 ++ orig_ip = ipv6_hdr(skb_in)->saddr;
36589 ++ ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6;
36590 ++ __icmpv6_send(skb_in, type, code, info, &parm);
36591 ++ ipv6_hdr(skb_in)->saddr = orig_ip;
36592 ++out:
36593 ++ consume_skb(cloned_skb);
36594 ++}
36595 ++EXPORT_SYMBOL(icmpv6_ndo_send);
36596 ++#endif
36597 + #endif
36598 +--- a/include/linux/ipv6.h
36599 ++++ b/include/linux/ipv6.h
36600 +@@ -83,7 +83,6 @@ struct ipv6_params {
36601 + __s32 autoconf;
36602 + };
36603 + extern struct ipv6_params ipv6_defaults;
36604 +-#include <linux/icmpv6.h>
36605 + #include <linux/tcp.h>
36606 + #include <linux/udp.h>
36607 +
36608 +--- a/net/ipv6/icmp.c
36609 ++++ b/net/ipv6/icmp.c
36610 +@@ -312,10 +312,9 @@ static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, st
36611 + }
36612 +
36613 + #if IS_ENABLED(CONFIG_IPV6_MIP6)
36614 +-static void mip6_addr_swap(struct sk_buff *skb)
36615 ++static void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt)
36616 + {
36617 + struct ipv6hdr *iph = ipv6_hdr(skb);
36618 +- struct inet6_skb_parm *opt = IP6CB(skb);
36619 + struct ipv6_destopt_hao *hao;
36620 + struct in6_addr tmp;
36621 + int off;
36622 +@@ -332,7 +331,7 @@ static void mip6_addr_swap(struct sk_buff *skb)
36623 + }
36624 + }
36625 + #else
36626 +-static inline void mip6_addr_swap(struct sk_buff *skb) {}
36627 ++static inline void mip6_addr_swap(struct sk_buff *skb, const struct inet6_skb_parm *opt) {}
36628 + #endif
36629 +
36630 + static struct dst_entry *icmpv6_route_lookup(struct net *net,
36631 +@@ -427,7 +426,8 @@ static int icmp6_iif(const struct sk_buff *skb)
36632 + * Send an ICMP message in response to a packet in error
36633 + */
36634 + static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
36635 +- const struct in6_addr *force_saddr)
36636 ++ const struct in6_addr *force_saddr,
36637 ++ const struct inet6_skb_parm *parm)
36638 + {
36639 + struct inet6_dev *idev = NULL;
36640 + struct ipv6hdr *hdr = ipv6_hdr(skb);
36641 +@@ -520,7 +520,7 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
36642 + if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type))
36643 + goto out_bh_enable;
36644 +
36645 +- mip6_addr_swap(skb);
36646 ++ mip6_addr_swap(skb, parm);
36647 +
36648 + memset(&fl6, 0, sizeof(fl6));
36649 + fl6.flowi6_proto = IPPROTO_ICMPV6;
36650 +@@ -605,7 +605,7 @@ out_bh_enable:
36651 + */
36652 + void icmpv6_param_prob(struct sk_buff *skb, u8 code, int pos)
36653 + {
36654 +- icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL);
36655 ++ icmp6_send(skb, ICMPV6_PARAMPROB, code, pos, NULL, IP6CB(skb));
36656 + kfree_skb(skb);
36657 + }
36658 +
36659 +@@ -662,10 +662,10 @@ int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
36660 + }
36661 + if (type == ICMP_TIME_EXCEEDED)
36662 + icmp6_send(skb2, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT,
36663 +- info, &temp_saddr);
36664 ++ info, &temp_saddr, IP6CB(skb2));
36665 + else
36666 + icmp6_send(skb2, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH,
36667 +- info, &temp_saddr);
36668 ++ info, &temp_saddr, IP6CB(skb2));
36669 + if (rt)
36670 + ip6_rt_put(rt);
36671 +
36672 +--- a/MAINTAINERS
36673 ++++ b/MAINTAINERS
36674 +@@ -17584,6 +17584,14 @@ L: linux-gpio@×××××××××××.org
36675 + S: Maintained
36676 + F: drivers/gpio/gpio-ws16c48.c
36677 +
36678 ++WIREGUARD SECURE NETWORK TUNNEL
36679 ++M: Jason A. Donenfeld <Jason@×××××.com>
36680 ++S: Maintained
36681 ++F: drivers/net/wireguard/
36682 ++F: tools/testing/selftests/wireguard/
36683 ++L: wireguard@×××××××××××.com
36684 ++L: netdev@×××××××××××.org
36685 ++
36686 + WISTRON LAPTOP BUTTON DRIVER
36687 + M: Miloslav Trmac <mitr@×××××.cz>
36688 + S: Maintained
36689 +--- b/drivers/net/Kconfig
36690 ++++ b/drivers/net/Kconfig
36691 +@@ -71,6 +71,49 @@
36692 + To compile this driver as a module, choose M here: the module
36693 + will be called dummy.
36694 +
36695 ++config WIREGUARD
36696 ++ tristate "WireGuard secure network tunnel"
36697 ++ depends on NET && INET
36698 ++ depends on IPV6 || !IPV6
36699 ++ select NET_UDP_TUNNEL
36700 ++ select DST_CACHE
36701 ++ select CRYPTO
36702 ++ select CRYPTO_LIB_CURVE25519
36703 ++ select CRYPTO_LIB_CHACHA20POLY1305
36704 ++ select CRYPTO_LIB_BLAKE2S
36705 ++ select CRYPTO_CHACHA20_X86_64 if X86 && 64BIT
36706 ++ select CRYPTO_POLY1305_X86_64 if X86 && 64BIT
36707 ++ select CRYPTO_BLAKE2S_X86 if X86 && 64BIT
36708 ++ select CRYPTO_CURVE25519_X86 if X86 && 64BIT
36709 ++ select ARM_CRYPTO if ARM
36710 ++ select ARM64_CRYPTO if ARM64
36711 ++ select CRYPTO_CHACHA20_NEON if ARM || (ARM64 && KERNEL_MODE_NEON)
36712 ++ select CRYPTO_POLY1305_NEON if ARM64 && KERNEL_MODE_NEON
36713 ++ select CRYPTO_POLY1305_ARM if ARM
36714 ++ select CRYPTO_CURVE25519_NEON if ARM && KERNEL_MODE_NEON
36715 ++ select CRYPTO_CHACHA_MIPS if CPU_MIPS32_R2
36716 ++ select CRYPTO_POLY1305_MIPS if CPU_MIPS32 || (CPU_MIPS64 && 64BIT)
36717 ++ help
36718 ++ WireGuard is a secure, fast, and easy to use replacement for IPSec
36719 ++ that uses modern cryptography and clever networking tricks. It's
36720 ++ designed to be fairly general purpose and abstract enough to fit most
36721 ++ use cases, while at the same time remaining extremely simple to
36722 ++ configure. See www.wireguard.com for more info.
36723 ++
36724 ++ It's safe to say Y or M here, as the driver is very lightweight and
36725 ++ is only in use when an administrator chooses to add an interface.
36726 ++
36727 ++config WIREGUARD_DEBUG
36728 ++ bool "Debugging checks and verbose messages"
36729 ++ depends on WIREGUARD
36730 ++ help
36731 ++ This will write log messages for handshake and other events
36732 ++ that occur for a WireGuard interface. It will also perform some
36733 ++ extra validation checks and unit tests at various points. This is
36734 ++ only useful for debugging.
36735 ++
36736 ++ Say N here unless you know what you're doing.
36737 ++
36738 + config EQUALIZER
36739 + tristate "EQL (serial line load balancing) support"
36740 + ---help---
36741 +--- a/drivers/net/Makefile
36742 ++++ b/drivers/net/Makefile
36743 +@@ -10,6 +10,7 @@ obj-$(CONFIG_BONDING) += bonding/
36744 + obj-$(CONFIG_IPVLAN) += ipvlan/
36745 + obj-$(CONFIG_IPVTAP) += ipvlan/
36746 + obj-$(CONFIG_DUMMY) += dummy.o
36747 ++obj-$(CONFIG_WIREGUARD) += wireguard/
36748 + obj-$(CONFIG_EQUALIZER) += eql.o
36749 + obj-$(CONFIG_IFB) += ifb.o
36750 + obj-$(CONFIG_MACSEC) += macsec.o
36751 +--- /dev/null
36752 ++++ b/drivers/net/wireguard/Makefile
36753 +@@ -0,0 +1,18 @@
36754 ++ccflags-y := -O3
36755 ++ccflags-y += -D'pr_fmt(fmt)=KBUILD_MODNAME ": " fmt'
36756 ++ccflags-$(CONFIG_WIREGUARD_DEBUG) += -DDEBUG
36757 ++wireguard-y := main.o
36758 ++wireguard-y += noise.o
36759 ++wireguard-y += device.o
36760 ++wireguard-y += peer.o
36761 ++wireguard-y += timers.o
36762 ++wireguard-y += queueing.o
36763 ++wireguard-y += send.o
36764 ++wireguard-y += receive.o
36765 ++wireguard-y += socket.o
36766 ++wireguard-y += peerlookup.o
36767 ++wireguard-y += allowedips.o
36768 ++wireguard-y += ratelimiter.o
36769 ++wireguard-y += cookie.o
36770 ++wireguard-y += netlink.o
36771 ++obj-$(CONFIG_WIREGUARD) := wireguard.o
36772 +--- b/drivers/net/wireguard/allowedips.c
36773 ++++ b/drivers/net/wireguard/allowedips.c
36774 +@@ -0,0 +1,377 @@
36775 ++// SPDX-License-Identifier: GPL-2.0
36776 ++/*
36777 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
36778 ++ */
36779 ++
36780 ++#include "allowedips.h"
36781 ++#include "peer.h"
36782 ++
36783 ++static void swap_endian(u8 *dst, const u8 *src, u8 bits)
36784 ++{
36785 ++ if (bits == 32) {
36786 ++ *(u32 *)dst = be32_to_cpu(*(const __be32 *)src);
36787 ++ } else if (bits == 128) {
36788 ++ ((u64 *)dst)[0] = be64_to_cpu(((const __be64 *)src)[0]);
36789 ++ ((u64 *)dst)[1] = be64_to_cpu(((const __be64 *)src)[1]);
36790 ++ }
36791 ++}
36792 ++
36793 ++static void copy_and_assign_cidr(struct allowedips_node *node, const u8 *src,
36794 ++ u8 cidr, u8 bits)
36795 ++{
36796 ++ node->cidr = cidr;
36797 ++ node->bit_at_a = cidr / 8U;
36798 ++#ifdef __LITTLE_ENDIAN
36799 ++ node->bit_at_a ^= (bits / 8U - 1U) % 8U;
36800 ++#endif
36801 ++ node->bit_at_b = 7U - (cidr % 8U);
36802 ++ node->bitlen = bits;
36803 ++ memcpy(node->bits, src, bits / 8U);
36804 ++}
36805 ++#define CHOOSE_NODE(parent, key) \
36806 ++ parent->bit[(key[parent->bit_at_a] >> parent->bit_at_b) & 1]
36807 ++
36808 ++static void push_rcu(struct allowedips_node **stack,
36809 ++ struct allowedips_node __rcu *p, unsigned int *len)
36810 ++{
36811 ++ if (rcu_access_pointer(p)) {
36812 ++ WARN_ON(IS_ENABLED(DEBUG) && *len >= 128);
36813 ++ stack[(*len)++] = rcu_dereference_raw(p);
36814 ++ }
36815 ++}
36816 ++
36817 ++static void root_free_rcu(struct rcu_head *rcu)
36818 ++{
36819 ++ struct allowedips_node *node, *stack[128] = {
36820 ++ container_of(rcu, struct allowedips_node, rcu) };
36821 ++ unsigned int len = 1;
36822 ++
36823 ++ while (len > 0 && (node = stack[--len])) {
36824 ++ push_rcu(stack, node->bit[0], &len);
36825 ++ push_rcu(stack, node->bit[1], &len);
36826 ++ kfree(node);
36827 ++ }
36828 ++}
36829 ++
36830 ++static void root_remove_peer_lists(struct allowedips_node *root)
36831 ++{
36832 ++ struct allowedips_node *node, *stack[128] = { root };
36833 ++ unsigned int len = 1;
36834 ++
36835 ++ while (len > 0 && (node = stack[--len])) {
36836 ++ push_rcu(stack, node->bit[0], &len);
36837 ++ push_rcu(stack, node->bit[1], &len);
36838 ++ if (rcu_access_pointer(node->peer))
36839 ++ list_del(&node->peer_list);
36840 ++ }
36841 ++}
36842 ++
36843 ++static void walk_remove_by_peer(struct allowedips_node __rcu **top,
36844 ++ struct wg_peer *peer, struct mutex *lock)
36845 ++{
36846 ++#define REF(p) rcu_access_pointer(p)
36847 ++#define DEREF(p) rcu_dereference_protected(*(p), lockdep_is_held(lock))
36848 ++#define PUSH(p) ({ \
36849 ++ WARN_ON(IS_ENABLED(DEBUG) && len >= 128); \
36850 ++ stack[len++] = p; \
36851 ++ })
36852 ++
36853 ++ struct allowedips_node __rcu **stack[128], **nptr;
36854 ++ struct allowedips_node *node, *prev;
36855 ++ unsigned int len;
36856 ++
36857 ++ if (unlikely(!peer || !REF(*top)))
36858 ++ return;
36859 ++
36860 ++ for (prev = NULL, len = 0, PUSH(top); len > 0; prev = node) {
36861 ++ nptr = stack[len - 1];
36862 ++ node = DEREF(nptr);
36863 ++ if (!node) {
36864 ++ --len;
36865 ++ continue;
36866 ++ }
36867 ++ if (!prev || REF(prev->bit[0]) == node ||
36868 ++ REF(prev->bit[1]) == node) {
36869 ++ if (REF(node->bit[0]))
36870 ++ PUSH(&node->bit[0]);
36871 ++ else if (REF(node->bit[1]))
36872 ++ PUSH(&node->bit[1]);
36873 ++ } else if (REF(node->bit[0]) == prev) {
36874 ++ if (REF(node->bit[1]))
36875 ++ PUSH(&node->bit[1]);
36876 ++ } else {
36877 ++ if (rcu_dereference_protected(node->peer,
36878 ++ lockdep_is_held(lock)) == peer) {
36879 ++ RCU_INIT_POINTER(node->peer, NULL);
36880 ++ list_del_init(&node->peer_list);
36881 ++ if (!node->bit[0] || !node->bit[1]) {
36882 ++ rcu_assign_pointer(*nptr, DEREF(
36883 ++ &node->bit[!REF(node->bit[0])]));
36884 ++ kfree_rcu(node, rcu);
36885 ++ node = DEREF(nptr);
36886 ++ }
36887 ++ }
36888 ++ --len;
36889 ++ }
36890 ++ }
36891 ++
36892 ++#undef REF
36893 ++#undef DEREF
36894 ++#undef PUSH
36895 ++}
36896 ++
36897 ++static unsigned int fls128(u64 a, u64 b)
36898 ++{
36899 ++ return a ? fls64(a) + 64U : fls64(b);
36900 ++}
36901 ++
36902 ++static u8 common_bits(const struct allowedips_node *node, const u8 *key,
36903 ++ u8 bits)
36904 ++{
36905 ++ if (bits == 32)
36906 ++ return 32U - fls(*(const u32 *)node->bits ^ *(const u32 *)key);
36907 ++ else if (bits == 128)
36908 ++ return 128U - fls128(
36909 ++ *(const u64 *)&node->bits[0] ^ *(const u64 *)&key[0],
36910 ++ *(const u64 *)&node->bits[8] ^ *(const u64 *)&key[8]);
36911 ++ return 0;
36912 ++}
36913 ++
36914 ++static bool prefix_matches(const struct allowedips_node *node, const u8 *key,
36915 ++ u8 bits)
36916 ++{
36917 ++ /* This could be much faster if it actually just compared the common
36918 ++ * bits properly, by precomputing a mask bswap(~0 << (32 - cidr)), and
36919 ++ * the rest, but it turns out that common_bits is already super fast on
36920 ++ * modern processors, even taking into account the unfortunate bswap.
36921 ++ * So, we just inline it like this instead.
36922 ++ */
36923 ++ return common_bits(node, key, bits) >= node->cidr;
36924 ++}
36925 ++
36926 ++static struct allowedips_node *find_node(struct allowedips_node *trie, u8 bits,
36927 ++ const u8 *key)
36928 ++{
36929 ++ struct allowedips_node *node = trie, *found = NULL;
36930 ++
36931 ++ while (node && prefix_matches(node, key, bits)) {
36932 ++ if (rcu_access_pointer(node->peer))
36933 ++ found = node;
36934 ++ if (node->cidr == bits)
36935 ++ break;
36936 ++ node = rcu_dereference_bh(CHOOSE_NODE(node, key));
36937 ++ }
36938 ++ return found;
36939 ++}
36940 ++
36941 ++/* Returns a strong reference to a peer */
36942 ++static struct wg_peer *lookup(struct allowedips_node __rcu *root, u8 bits,
36943 ++ const void *be_ip)
36944 ++{
36945 ++ /* Aligned so it can be passed to fls/fls64 */
36946 ++ u8 ip[16] __aligned(__alignof(u64));
36947 ++ struct allowedips_node *node;
36948 ++ struct wg_peer *peer = NULL;
36949 ++
36950 ++ swap_endian(ip, be_ip, bits);
36951 ++
36952 ++ rcu_read_lock_bh();
36953 ++retry:
36954 ++ node = find_node(rcu_dereference_bh(root), bits, ip);
36955 ++ if (node) {
36956 ++ peer = wg_peer_get_maybe_zero(rcu_dereference_bh(node->peer));
36957 ++ if (!peer)
36958 ++ goto retry;
36959 ++ }
36960 ++ rcu_read_unlock_bh();
36961 ++ return peer;
36962 ++}
36963 ++
36964 ++static bool node_placement(struct allowedips_node __rcu *trie, const u8 *key,
36965 ++ u8 cidr, u8 bits, struct allowedips_node **rnode,
36966 ++ struct mutex *lock)
36967 ++{
36968 ++ struct allowedips_node *node = rcu_dereference_protected(trie,
36969 ++ lockdep_is_held(lock));
36970 ++ struct allowedips_node *parent = NULL;
36971 ++ bool exact = false;
36972 ++
36973 ++ while (node && node->cidr <= cidr && prefix_matches(node, key, bits)) {
36974 ++ parent = node;
36975 ++ if (parent->cidr == cidr) {
36976 ++ exact = true;
36977 ++ break;
36978 ++ }
36979 ++ node = rcu_dereference_protected(CHOOSE_NODE(parent, key),
36980 ++ lockdep_is_held(lock));
36981 ++ }
36982 ++ *rnode = parent;
36983 ++ return exact;
36984 ++}
36985 ++
36986 ++static int add(struct allowedips_node __rcu **trie, u8 bits, const u8 *key,
36987 ++ u8 cidr, struct wg_peer *peer, struct mutex *lock)
36988 ++{
36989 ++ struct allowedips_node *node, *parent, *down, *newnode;
36990 ++
36991 ++ if (unlikely(cidr > bits || !peer))
36992 ++ return -EINVAL;
36993 ++
36994 ++ if (!rcu_access_pointer(*trie)) {
36995 ++ node = kzalloc(sizeof(*node), GFP_KERNEL);
36996 ++ if (unlikely(!node))
36997 ++ return -ENOMEM;
36998 ++ RCU_INIT_POINTER(node->peer, peer);
36999 ++ list_add_tail(&node->peer_list, &peer->allowedips_list);
37000 ++ copy_and_assign_cidr(node, key, cidr, bits);
37001 ++ rcu_assign_pointer(*trie, node);
37002 ++ return 0;
37003 ++ }
37004 ++ if (node_placement(*trie, key, cidr, bits, &node, lock)) {
37005 ++ rcu_assign_pointer(node->peer, peer);
37006 ++ list_move_tail(&node->peer_list, &peer->allowedips_list);
37007 ++ return 0;
37008 ++ }
37009 ++
37010 ++ newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
37011 ++ if (unlikely(!newnode))
37012 ++ return -ENOMEM;
37013 ++ RCU_INIT_POINTER(newnode->peer, peer);
37014 ++ list_add_tail(&newnode->peer_list, &peer->allowedips_list);
37015 ++ copy_and_assign_cidr(newnode, key, cidr, bits);
37016 ++
37017 ++ if (!node) {
37018 ++ down = rcu_dereference_protected(*trie, lockdep_is_held(lock));
37019 ++ } else {
37020 ++ down = rcu_dereference_protected(CHOOSE_NODE(node, key),
37021 ++ lockdep_is_held(lock));
37022 ++ if (!down) {
37023 ++ rcu_assign_pointer(CHOOSE_NODE(node, key), newnode);
37024 ++ return 0;
37025 ++ }
37026 ++ }
37027 ++ cidr = min(cidr, common_bits(down, key, bits));
37028 ++ parent = node;
37029 ++
37030 ++ if (newnode->cidr == cidr) {
37031 ++ rcu_assign_pointer(CHOOSE_NODE(newnode, down->bits), down);
37032 ++ if (!parent)
37033 ++ rcu_assign_pointer(*trie, newnode);
37034 ++ else
37035 ++ rcu_assign_pointer(CHOOSE_NODE(parent, newnode->bits),
37036 ++ newnode);
37037 ++ } else {
37038 ++ node = kzalloc(sizeof(*node), GFP_KERNEL);
37039 ++ if (unlikely(!node)) {
37040 ++ list_del(&newnode->peer_list);
37041 ++ kfree(newnode);
37042 ++ return -ENOMEM;
37043 ++ }
37044 ++ INIT_LIST_HEAD(&node->peer_list);
37045 ++ copy_and_assign_cidr(node, newnode->bits, cidr, bits);
37046 ++
37047 ++ rcu_assign_pointer(CHOOSE_NODE(node, down->bits), down);
37048 ++ rcu_assign_pointer(CHOOSE_NODE(node, newnode->bits), newnode);
37049 ++ if (!parent)
37050 ++ rcu_assign_pointer(*trie, node);
37051 ++ else
37052 ++ rcu_assign_pointer(CHOOSE_NODE(parent, node->bits),
37053 ++ node);
37054 ++ }
37055 ++ return 0;
37056 ++}
37057 ++
37058 ++void wg_allowedips_init(struct allowedips *table)
37059 ++{
37060 ++ table->root4 = table->root6 = NULL;
37061 ++ table->seq = 1;
37062 ++}
37063 ++
37064 ++void wg_allowedips_free(struct allowedips *table, struct mutex *lock)
37065 ++{
37066 ++ struct allowedips_node __rcu *old4 = table->root4, *old6 = table->root6;
37067 ++
37068 ++ ++table->seq;
37069 ++ RCU_INIT_POINTER(table->root4, NULL);
37070 ++ RCU_INIT_POINTER(table->root6, NULL);
37071 ++ if (rcu_access_pointer(old4)) {
37072 ++ struct allowedips_node *node = rcu_dereference_protected(old4,
37073 ++ lockdep_is_held(lock));
37074 ++
37075 ++ root_remove_peer_lists(node);
37076 ++ call_rcu(&node->rcu, root_free_rcu);
37077 ++ }
37078 ++ if (rcu_access_pointer(old6)) {
37079 ++ struct allowedips_node *node = rcu_dereference_protected(old6,
37080 ++ lockdep_is_held(lock));
37081 ++
37082 ++ root_remove_peer_lists(node);
37083 ++ call_rcu(&node->rcu, root_free_rcu);
37084 ++ }
37085 ++}
37086 ++
37087 ++int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip,
37088 ++ u8 cidr, struct wg_peer *peer, struct mutex *lock)
37089 ++{
37090 ++ /* Aligned so it can be passed to fls */
37091 ++ u8 key[4] __aligned(__alignof(u32));
37092 ++
37093 ++ ++table->seq;
37094 ++ swap_endian(key, (const u8 *)ip, 32);
37095 ++ return add(&table->root4, 32, key, cidr, peer, lock);
37096 ++}
37097 ++
37098 ++int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
37099 ++ u8 cidr, struct wg_peer *peer, struct mutex *lock)
37100 ++{
37101 ++ /* Aligned so it can be passed to fls64 */
37102 ++ u8 key[16] __aligned(__alignof(u64));
37103 ++
37104 ++ ++table->seq;
37105 ++ swap_endian(key, (const u8 *)ip, 128);
37106 ++ return add(&table->root6, 128, key, cidr, peer, lock);
37107 ++}
37108 ++
37109 ++void wg_allowedips_remove_by_peer(struct allowedips *table,
37110 ++ struct wg_peer *peer, struct mutex *lock)
37111 ++{
37112 ++ ++table->seq;
37113 ++ walk_remove_by_peer(&table->root4, peer, lock);
37114 ++ walk_remove_by_peer(&table->root6, peer, lock);
37115 ++}
37116 ++
37117 ++int wg_allowedips_read_node(struct allowedips_node *node, u8 ip[16], u8 *cidr)
37118 ++{
37119 ++ const unsigned int cidr_bytes = DIV_ROUND_UP(node->cidr, 8U);
37120 ++ swap_endian(ip, node->bits, node->bitlen);
37121 ++ memset(ip + cidr_bytes, 0, node->bitlen / 8U - cidr_bytes);
37122 ++ if (node->cidr)
37123 ++ ip[cidr_bytes - 1U] &= ~0U << (-node->cidr % 8U);
37124 ++
37125 ++ *cidr = node->cidr;
37126 ++ return node->bitlen == 32 ? AF_INET : AF_INET6;
37127 ++}
37128 ++
37129 ++/* Returns a strong reference to a peer */
37130 ++struct wg_peer *wg_allowedips_lookup_dst(struct allowedips *table,
37131 ++ struct sk_buff *skb)
37132 ++{
37133 ++ if (skb->protocol == htons(ETH_P_IP))
37134 ++ return lookup(table->root4, 32, &ip_hdr(skb)->daddr);
37135 ++ else if (skb->protocol == htons(ETH_P_IPV6))
37136 ++ return lookup(table->root6, 128, &ipv6_hdr(skb)->daddr);
37137 ++ return NULL;
37138 ++}
37139 ++
37140 ++/* Returns a strong reference to a peer */
37141 ++struct wg_peer *wg_allowedips_lookup_src(struct allowedips *table,
37142 ++ struct sk_buff *skb)
37143 ++{
37144 ++ if (skb->protocol == htons(ETH_P_IP))
37145 ++ return lookup(table->root4, 32, &ip_hdr(skb)->saddr);
37146 ++ else if (skb->protocol == htons(ETH_P_IPV6))
37147 ++ return lookup(table->root6, 128, &ipv6_hdr(skb)->saddr);
37148 ++ return NULL;
37149 ++}
37150 ++
37151 ++#include "selftest/allowedips.c"
37152 +--- /dev/null
37153 ++++ b/drivers/net/wireguard/allowedips.h
37154 +@@ -0,0 +1,59 @@
37155 ++/* SPDX-License-Identifier: GPL-2.0 */
37156 ++/*
37157 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37158 ++ */
37159 ++
37160 ++#ifndef _WG_ALLOWEDIPS_H
37161 ++#define _WG_ALLOWEDIPS_H
37162 ++
37163 ++#include <linux/mutex.h>
37164 ++#include <linux/ip.h>
37165 ++#include <linux/ipv6.h>
37166 ++
37167 ++struct wg_peer;
37168 ++
37169 ++struct allowedips_node {
37170 ++ struct wg_peer __rcu *peer;
37171 ++ struct allowedips_node __rcu *bit[2];
37172 ++ /* While it may seem scandalous that we waste space for v4,
37173 ++ * we're alloc'ing to the nearest power of 2 anyway, so this
37174 ++ * doesn't actually make a difference.
37175 ++ */
37176 ++ u8 bits[16] __aligned(__alignof(u64));
37177 ++ u8 cidr, bit_at_a, bit_at_b, bitlen;
37178 ++
37179 ++ /* Keep rarely used list at bottom to be beyond cache line. */
37180 ++ union {
37181 ++ struct list_head peer_list;
37182 ++ struct rcu_head rcu;
37183 ++ };
37184 ++};
37185 ++
37186 ++struct allowedips {
37187 ++ struct allowedips_node __rcu *root4;
37188 ++ struct allowedips_node __rcu *root6;
37189 ++ u64 seq;
37190 ++};
37191 ++
37192 ++void wg_allowedips_init(struct allowedips *table);
37193 ++void wg_allowedips_free(struct allowedips *table, struct mutex *mutex);
37194 ++int wg_allowedips_insert_v4(struct allowedips *table, const struct in_addr *ip,
37195 ++ u8 cidr, struct wg_peer *peer, struct mutex *lock);
37196 ++int wg_allowedips_insert_v6(struct allowedips *table, const struct in6_addr *ip,
37197 ++ u8 cidr, struct wg_peer *peer, struct mutex *lock);
37198 ++void wg_allowedips_remove_by_peer(struct allowedips *table,
37199 ++ struct wg_peer *peer, struct mutex *lock);
37200 ++/* The ip input pointer should be __aligned(__alignof(u64))) */
37201 ++int wg_allowedips_read_node(struct allowedips_node *node, u8 ip[16], u8 *cidr);
37202 ++
37203 ++/* These return a strong reference to a peer: */
37204 ++struct wg_peer *wg_allowedips_lookup_dst(struct allowedips *table,
37205 ++ struct sk_buff *skb);
37206 ++struct wg_peer *wg_allowedips_lookup_src(struct allowedips *table,
37207 ++ struct sk_buff *skb);
37208 ++
37209 ++#ifdef DEBUG
37210 ++bool wg_allowedips_selftest(void);
37211 ++#endif
37212 ++
37213 ++#endif /* _WG_ALLOWEDIPS_H */
37214 +--- /dev/null
37215 ++++ b/drivers/net/wireguard/cookie.c
37216 +@@ -0,0 +1,236 @@
37217 ++// SPDX-License-Identifier: GPL-2.0
37218 ++/*
37219 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37220 ++ */
37221 ++
37222 ++#include "cookie.h"
37223 ++#include "peer.h"
37224 ++#include "device.h"
37225 ++#include "messages.h"
37226 ++#include "ratelimiter.h"
37227 ++#include "timers.h"
37228 ++
37229 ++#include <crypto/blake2s.h>
37230 ++#include <crypto/chacha20poly1305.h>
37231 ++
37232 ++#include <net/ipv6.h>
37233 ++#include <crypto/algapi.h>
37234 ++
37235 ++void wg_cookie_checker_init(struct cookie_checker *checker,
37236 ++ struct wg_device *wg)
37237 ++{
37238 ++ init_rwsem(&checker->secret_lock);
37239 ++ checker->secret_birthdate = ktime_get_coarse_boottime_ns();
37240 ++ get_random_bytes(checker->secret, NOISE_HASH_LEN);
37241 ++ checker->device = wg;
37242 ++}
37243 ++
37244 ++enum { COOKIE_KEY_LABEL_LEN = 8 };
37245 ++static const u8 mac1_key_label[COOKIE_KEY_LABEL_LEN] = "mac1----";
37246 ++static const u8 cookie_key_label[COOKIE_KEY_LABEL_LEN] = "cookie--";
37247 ++
37248 ++static void precompute_key(u8 key[NOISE_SYMMETRIC_KEY_LEN],
37249 ++ const u8 pubkey[NOISE_PUBLIC_KEY_LEN],
37250 ++ const u8 label[COOKIE_KEY_LABEL_LEN])
37251 ++{
37252 ++ struct blake2s_state blake;
37253 ++
37254 ++ blake2s_init(&blake, NOISE_SYMMETRIC_KEY_LEN);
37255 ++ blake2s_update(&blake, label, COOKIE_KEY_LABEL_LEN);
37256 ++ blake2s_update(&blake, pubkey, NOISE_PUBLIC_KEY_LEN);
37257 ++ blake2s_final(&blake, key);
37258 ++}
37259 ++
37260 ++/* Must hold peer->handshake.static_identity->lock */
37261 ++void wg_cookie_checker_precompute_device_keys(struct cookie_checker *checker)
37262 ++{
37263 ++ if (likely(checker->device->static_identity.has_identity)) {
37264 ++ precompute_key(checker->cookie_encryption_key,
37265 ++ checker->device->static_identity.static_public,
37266 ++ cookie_key_label);
37267 ++ precompute_key(checker->message_mac1_key,
37268 ++ checker->device->static_identity.static_public,
37269 ++ mac1_key_label);
37270 ++ } else {
37271 ++ memset(checker->cookie_encryption_key, 0,
37272 ++ NOISE_SYMMETRIC_KEY_LEN);
37273 ++ memset(checker->message_mac1_key, 0, NOISE_SYMMETRIC_KEY_LEN);
37274 ++ }
37275 ++}
37276 ++
37277 ++void wg_cookie_checker_precompute_peer_keys(struct wg_peer *peer)
37278 ++{
37279 ++ precompute_key(peer->latest_cookie.cookie_decryption_key,
37280 ++ peer->handshake.remote_static, cookie_key_label);
37281 ++ precompute_key(peer->latest_cookie.message_mac1_key,
37282 ++ peer->handshake.remote_static, mac1_key_label);
37283 ++}
37284 ++
37285 ++void wg_cookie_init(struct cookie *cookie)
37286 ++{
37287 ++ memset(cookie, 0, sizeof(*cookie));
37288 ++ init_rwsem(&cookie->lock);
37289 ++}
37290 ++
37291 ++static void compute_mac1(u8 mac1[COOKIE_LEN], const void *message, size_t len,
37292 ++ const u8 key[NOISE_SYMMETRIC_KEY_LEN])
37293 ++{
37294 ++ len = len - sizeof(struct message_macs) +
37295 ++ offsetof(struct message_macs, mac1);
37296 ++ blake2s(mac1, message, key, COOKIE_LEN, len, NOISE_SYMMETRIC_KEY_LEN);
37297 ++}
37298 ++
37299 ++static void compute_mac2(u8 mac2[COOKIE_LEN], const void *message, size_t len,
37300 ++ const u8 cookie[COOKIE_LEN])
37301 ++{
37302 ++ len = len - sizeof(struct message_macs) +
37303 ++ offsetof(struct message_macs, mac2);
37304 ++ blake2s(mac2, message, cookie, COOKIE_LEN, len, COOKIE_LEN);
37305 ++}
37306 ++
37307 ++static void make_cookie(u8 cookie[COOKIE_LEN], struct sk_buff *skb,
37308 ++ struct cookie_checker *checker)
37309 ++{
37310 ++ struct blake2s_state state;
37311 ++
37312 ++ if (wg_birthdate_has_expired(checker->secret_birthdate,
37313 ++ COOKIE_SECRET_MAX_AGE)) {
37314 ++ down_write(&checker->secret_lock);
37315 ++ checker->secret_birthdate = ktime_get_coarse_boottime_ns();
37316 ++ get_random_bytes(checker->secret, NOISE_HASH_LEN);
37317 ++ up_write(&checker->secret_lock);
37318 ++ }
37319 ++
37320 ++ down_read(&checker->secret_lock);
37321 ++
37322 ++ blake2s_init_key(&state, COOKIE_LEN, checker->secret, NOISE_HASH_LEN);
37323 ++ if (skb->protocol == htons(ETH_P_IP))
37324 ++ blake2s_update(&state, (u8 *)&ip_hdr(skb)->saddr,
37325 ++ sizeof(struct in_addr));
37326 ++ else if (skb->protocol == htons(ETH_P_IPV6))
37327 ++ blake2s_update(&state, (u8 *)&ipv6_hdr(skb)->saddr,
37328 ++ sizeof(struct in6_addr));
37329 ++ blake2s_update(&state, (u8 *)&udp_hdr(skb)->source, sizeof(__be16));
37330 ++ blake2s_final(&state, cookie);
37331 ++
37332 ++ up_read(&checker->secret_lock);
37333 ++}
37334 ++
37335 ++enum cookie_mac_state wg_cookie_validate_packet(struct cookie_checker *checker,
37336 ++ struct sk_buff *skb,
37337 ++ bool check_cookie)
37338 ++{
37339 ++ struct message_macs *macs = (struct message_macs *)
37340 ++ (skb->data + skb->len - sizeof(*macs));
37341 ++ enum cookie_mac_state ret;
37342 ++ u8 computed_mac[COOKIE_LEN];
37343 ++ u8 cookie[COOKIE_LEN];
37344 ++
37345 ++ ret = INVALID_MAC;
37346 ++ compute_mac1(computed_mac, skb->data, skb->len,
37347 ++ checker->message_mac1_key);
37348 ++ if (crypto_memneq(computed_mac, macs->mac1, COOKIE_LEN))
37349 ++ goto out;
37350 ++
37351 ++ ret = VALID_MAC_BUT_NO_COOKIE;
37352 ++
37353 ++ if (!check_cookie)
37354 ++ goto out;
37355 ++
37356 ++ make_cookie(cookie, skb, checker);
37357 ++
37358 ++ compute_mac2(computed_mac, skb->data, skb->len, cookie);
37359 ++ if (crypto_memneq(computed_mac, macs->mac2, COOKIE_LEN))
37360 ++ goto out;
37361 ++
37362 ++ ret = VALID_MAC_WITH_COOKIE_BUT_RATELIMITED;
37363 ++ if (!wg_ratelimiter_allow(skb, dev_net(checker->device->dev)))
37364 ++ goto out;
37365 ++
37366 ++ ret = VALID_MAC_WITH_COOKIE;
37367 ++
37368 ++out:
37369 ++ return ret;
37370 ++}
37371 ++
37372 ++void wg_cookie_add_mac_to_packet(void *message, size_t len,
37373 ++ struct wg_peer *peer)
37374 ++{
37375 ++ struct message_macs *macs = (struct message_macs *)
37376 ++ ((u8 *)message + len - sizeof(*macs));
37377 ++
37378 ++ down_write(&peer->latest_cookie.lock);
37379 ++ compute_mac1(macs->mac1, message, len,
37380 ++ peer->latest_cookie.message_mac1_key);
37381 ++ memcpy(peer->latest_cookie.last_mac1_sent, macs->mac1, COOKIE_LEN);
37382 ++ peer->latest_cookie.have_sent_mac1 = true;
37383 ++ up_write(&peer->latest_cookie.lock);
37384 ++
37385 ++ down_read(&peer->latest_cookie.lock);
37386 ++ if (peer->latest_cookie.is_valid &&
37387 ++ !wg_birthdate_has_expired(peer->latest_cookie.birthdate,
37388 ++ COOKIE_SECRET_MAX_AGE - COOKIE_SECRET_LATENCY))
37389 ++ compute_mac2(macs->mac2, message, len,
37390 ++ peer->latest_cookie.cookie);
37391 ++ else
37392 ++ memset(macs->mac2, 0, COOKIE_LEN);
37393 ++ up_read(&peer->latest_cookie.lock);
37394 ++}
37395 ++
37396 ++void wg_cookie_message_create(struct message_handshake_cookie *dst,
37397 ++ struct sk_buff *skb, __le32 index,
37398 ++ struct cookie_checker *checker)
37399 ++{
37400 ++ struct message_macs *macs = (struct message_macs *)
37401 ++ ((u8 *)skb->data + skb->len - sizeof(*macs));
37402 ++ u8 cookie[COOKIE_LEN];
37403 ++
37404 ++ dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE);
37405 ++ dst->receiver_index = index;
37406 ++ get_random_bytes_wait(dst->nonce, COOKIE_NONCE_LEN);
37407 ++
37408 ++ make_cookie(cookie, skb, checker);
37409 ++ xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN,
37410 ++ macs->mac1, COOKIE_LEN, dst->nonce,
37411 ++ checker->cookie_encryption_key);
37412 ++}
37413 ++
37414 ++void wg_cookie_message_consume(struct message_handshake_cookie *src,
37415 ++ struct wg_device *wg)
37416 ++{
37417 ++ struct wg_peer *peer = NULL;
37418 ++ u8 cookie[COOKIE_LEN];
37419 ++ bool ret;
37420 ++
37421 ++ if (unlikely(!wg_index_hashtable_lookup(wg->index_hashtable,
37422 ++ INDEX_HASHTABLE_HANDSHAKE |
37423 ++ INDEX_HASHTABLE_KEYPAIR,
37424 ++ src->receiver_index, &peer)))
37425 ++ return;
37426 ++
37427 ++ down_read(&peer->latest_cookie.lock);
37428 ++ if (unlikely(!peer->latest_cookie.have_sent_mac1)) {
37429 ++ up_read(&peer->latest_cookie.lock);
37430 ++ goto out;
37431 ++ }
37432 ++ ret = xchacha20poly1305_decrypt(
37433 ++ cookie, src->encrypted_cookie, sizeof(src->encrypted_cookie),
37434 ++ peer->latest_cookie.last_mac1_sent, COOKIE_LEN, src->nonce,
37435 ++ peer->latest_cookie.cookie_decryption_key);
37436 ++ up_read(&peer->latest_cookie.lock);
37437 ++
37438 ++ if (ret) {
37439 ++ down_write(&peer->latest_cookie.lock);
37440 ++ memcpy(peer->latest_cookie.cookie, cookie, COOKIE_LEN);
37441 ++ peer->latest_cookie.birthdate = ktime_get_coarse_boottime_ns();
37442 ++ peer->latest_cookie.is_valid = true;
37443 ++ peer->latest_cookie.have_sent_mac1 = false;
37444 ++ up_write(&peer->latest_cookie.lock);
37445 ++ } else {
37446 ++ net_dbg_ratelimited("%s: Could not decrypt invalid cookie response\n",
37447 ++ wg->dev->name);
37448 ++ }
37449 ++
37450 ++out:
37451 ++ wg_peer_put(peer);
37452 ++}
37453 +--- /dev/null
37454 ++++ b/drivers/net/wireguard/cookie.h
37455 +@@ -0,0 +1,59 @@
37456 ++/* SPDX-License-Identifier: GPL-2.0 */
37457 ++/*
37458 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37459 ++ */
37460 ++
37461 ++#ifndef _WG_COOKIE_H
37462 ++#define _WG_COOKIE_H
37463 ++
37464 ++#include "messages.h"
37465 ++#include <linux/rwsem.h>
37466 ++
37467 ++struct wg_peer;
37468 ++
37469 ++struct cookie_checker {
37470 ++ u8 secret[NOISE_HASH_LEN];
37471 ++ u8 cookie_encryption_key[NOISE_SYMMETRIC_KEY_LEN];
37472 ++ u8 message_mac1_key[NOISE_SYMMETRIC_KEY_LEN];
37473 ++ u64 secret_birthdate;
37474 ++ struct rw_semaphore secret_lock;
37475 ++ struct wg_device *device;
37476 ++};
37477 ++
37478 ++struct cookie {
37479 ++ u64 birthdate;
37480 ++ bool is_valid;
37481 ++ u8 cookie[COOKIE_LEN];
37482 ++ bool have_sent_mac1;
37483 ++ u8 last_mac1_sent[COOKIE_LEN];
37484 ++ u8 cookie_decryption_key[NOISE_SYMMETRIC_KEY_LEN];
37485 ++ u8 message_mac1_key[NOISE_SYMMETRIC_KEY_LEN];
37486 ++ struct rw_semaphore lock;
37487 ++};
37488 ++
37489 ++enum cookie_mac_state {
37490 ++ INVALID_MAC,
37491 ++ VALID_MAC_BUT_NO_COOKIE,
37492 ++ VALID_MAC_WITH_COOKIE_BUT_RATELIMITED,
37493 ++ VALID_MAC_WITH_COOKIE
37494 ++};
37495 ++
37496 ++void wg_cookie_checker_init(struct cookie_checker *checker,
37497 ++ struct wg_device *wg);
37498 ++void wg_cookie_checker_precompute_device_keys(struct cookie_checker *checker);
37499 ++void wg_cookie_checker_precompute_peer_keys(struct wg_peer *peer);
37500 ++void wg_cookie_init(struct cookie *cookie);
37501 ++
37502 ++enum cookie_mac_state wg_cookie_validate_packet(struct cookie_checker *checker,
37503 ++ struct sk_buff *skb,
37504 ++ bool check_cookie);
37505 ++void wg_cookie_add_mac_to_packet(void *message, size_t len,
37506 ++ struct wg_peer *peer);
37507 ++
37508 ++void wg_cookie_message_create(struct message_handshake_cookie *src,
37509 ++ struct sk_buff *skb, __le32 index,
37510 ++ struct cookie_checker *checker);
37511 ++void wg_cookie_message_consume(struct message_handshake_cookie *src,
37512 ++ struct wg_device *wg);
37513 ++
37514 ++#endif /* _WG_COOKIE_H */
37515 +--- b/drivers/net/wireguard/device.c
37516 ++++ b/drivers/net/wireguard/device.c
37517 +@@ -0,0 +1,457 @@
37518 ++// SPDX-License-Identifier: GPL-2.0
37519 ++/*
37520 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37521 ++ */
37522 ++
37523 ++#include "queueing.h"
37524 ++#include "socket.h"
37525 ++#include "timers.h"
37526 ++#include "device.h"
37527 ++#include "ratelimiter.h"
37528 ++#include "peer.h"
37529 ++#include "messages.h"
37530 ++
37531 ++#include <linux/module.h>
37532 ++#include <linux/rtnetlink.h>
37533 ++#include <linux/inet.h>
37534 ++#include <linux/netdevice.h>
37535 ++#include <linux/inetdevice.h>
37536 ++#include <linux/if_arp.h>
37537 ++#include <linux/icmp.h>
37538 ++#include <linux/suspend.h>
37539 ++#include <net/icmp.h>
37540 ++#include <net/rtnetlink.h>
37541 ++#include <net/ip_tunnels.h>
37542 ++#include <net/addrconf.h>
37543 ++
37544 ++static LIST_HEAD(device_list);
37545 ++
37546 ++static int wg_open(struct net_device *dev)
37547 ++{
37548 ++ struct in_device *dev_v4 = __in_dev_get_rtnl(dev);
37549 ++ struct inet6_dev *dev_v6 = __in6_dev_get(dev);
37550 ++ struct wg_device *wg = netdev_priv(dev);
37551 ++ struct wg_peer *peer;
37552 ++ int ret;
37553 ++
37554 ++ if (dev_v4) {
37555 ++ /* At some point we might put this check near the ip_rt_send_
37556 ++ * redirect call of ip_forward in net/ipv4/ip_forward.c, similar
37557 ++ * to the current secpath check.
37558 ++ */
37559 ++ IN_DEV_CONF_SET(dev_v4, SEND_REDIRECTS, false);
37560 ++ IPV4_DEVCONF_ALL(dev_net(dev), SEND_REDIRECTS) = false;
37561 ++ }
37562 ++ if (dev_v6)
37563 ++ dev_v6->cnf.addr_gen_mode = IN6_ADDR_GEN_MODE_NONE;
37564 ++
37565 ++ mutex_lock(&wg->device_update_lock);
37566 ++ ret = wg_socket_init(wg, wg->incoming_port);
37567 ++ if (ret < 0)
37568 ++ goto out;
37569 ++ list_for_each_entry(peer, &wg->peer_list, peer_list) {
37570 ++ wg_packet_send_staged_packets(peer);
37571 ++ if (peer->persistent_keepalive_interval)
37572 ++ wg_packet_send_keepalive(peer);
37573 ++ }
37574 ++out:
37575 ++ mutex_unlock(&wg->device_update_lock);
37576 ++ return ret;
37577 ++}
37578 ++
37579 ++#ifdef CONFIG_PM_SLEEP
37580 ++static int wg_pm_notification(struct notifier_block *nb, unsigned long action,
37581 ++ void *data)
37582 ++{
37583 ++ struct wg_device *wg;
37584 ++ struct wg_peer *peer;
37585 ++
37586 ++ /* If the machine is constantly suspending and resuming, as part of
37587 ++ * its normal operation rather than as a somewhat rare event, then we
37588 ++ * don't actually want to clear keys.
37589 ++ */
37590 ++ if (IS_ENABLED(CONFIG_PM_AUTOSLEEP) || IS_ENABLED(CONFIG_ANDROID))
37591 ++ return 0;
37592 ++
37593 ++ if (action != PM_HIBERNATION_PREPARE && action != PM_SUSPEND_PREPARE)
37594 ++ return 0;
37595 ++
37596 ++ rtnl_lock();
37597 ++ list_for_each_entry(wg, &device_list, device_list) {
37598 ++ mutex_lock(&wg->device_update_lock);
37599 ++ list_for_each_entry(peer, &wg->peer_list, peer_list) {
37600 ++ del_timer(&peer->timer_zero_key_material);
37601 ++ wg_noise_handshake_clear(&peer->handshake);
37602 ++ wg_noise_keypairs_clear(&peer->keypairs);
37603 ++ }
37604 ++ mutex_unlock(&wg->device_update_lock);
37605 ++ }
37606 ++ rtnl_unlock();
37607 ++ rcu_barrier();
37608 ++ return 0;
37609 ++}
37610 ++
37611 ++static struct notifier_block pm_notifier = { .notifier_call = wg_pm_notification };
37612 ++#endif
37613 ++
37614 ++static int wg_stop(struct net_device *dev)
37615 ++{
37616 ++ struct wg_device *wg = netdev_priv(dev);
37617 ++ struct wg_peer *peer;
37618 ++
37619 ++ mutex_lock(&wg->device_update_lock);
37620 ++ list_for_each_entry(peer, &wg->peer_list, peer_list) {
37621 ++ wg_packet_purge_staged_packets(peer);
37622 ++ wg_timers_stop(peer);
37623 ++ wg_noise_handshake_clear(&peer->handshake);
37624 ++ wg_noise_keypairs_clear(&peer->keypairs);
37625 ++ wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
37626 ++ }
37627 ++ mutex_unlock(&wg->device_update_lock);
37628 ++ skb_queue_purge(&wg->incoming_handshakes);
37629 ++ wg_socket_reinit(wg, NULL, NULL);
37630 ++ return 0;
37631 ++}
37632 ++
37633 ++static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev)
37634 ++{
37635 ++ struct wg_device *wg = netdev_priv(dev);
37636 ++ struct sk_buff_head packets;
37637 ++ struct wg_peer *peer;
37638 ++ struct sk_buff *next;
37639 ++ sa_family_t family;
37640 ++ u32 mtu;
37641 ++ int ret;
37642 ++
37643 ++ if (unlikely(!wg_check_packet_protocol(skb))) {
37644 ++ ret = -EPROTONOSUPPORT;
37645 ++ net_dbg_ratelimited("%s: Invalid IP packet\n", dev->name);
37646 ++ goto err;
37647 ++ }
37648 ++
37649 ++ peer = wg_allowedips_lookup_dst(&wg->peer_allowedips, skb);
37650 ++ if (unlikely(!peer)) {
37651 ++ ret = -ENOKEY;
37652 ++ if (skb->protocol == htons(ETH_P_IP))
37653 ++ net_dbg_ratelimited("%s: No peer has allowed IPs matching %pI4\n",
37654 ++ dev->name, &ip_hdr(skb)->daddr);
37655 ++ else if (skb->protocol == htons(ETH_P_IPV6))
37656 ++ net_dbg_ratelimited("%s: No peer has allowed IPs matching %pI6\n",
37657 ++ dev->name, &ipv6_hdr(skb)->daddr);
37658 ++ goto err_icmp;
37659 ++ }
37660 ++
37661 ++ family = READ_ONCE(peer->endpoint.addr.sa_family);
37662 ++ if (unlikely(family != AF_INET && family != AF_INET6)) {
37663 ++ ret = -EDESTADDRREQ;
37664 ++ net_dbg_ratelimited("%s: No valid endpoint has been configured or discovered for peer %llu\n",
37665 ++ dev->name, peer->internal_id);
37666 ++ goto err_peer;
37667 ++ }
37668 ++
37669 ++ mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
37670 ++
37671 ++ __skb_queue_head_init(&packets);
37672 ++ if (!skb_is_gso(skb)) {
37673 ++ skb_mark_not_on_list(skb);
37674 ++ } else {
37675 ++ struct sk_buff *segs = skb_gso_segment(skb, 0);
37676 ++
37677 ++ if (IS_ERR(segs)) {
37678 ++ ret = PTR_ERR(segs);
37679 ++ goto err_peer;
37680 ++ }
37681 ++ dev_kfree_skb(skb);
37682 ++ skb = segs;
37683 ++ }
37684 ++
37685 ++ skb_list_walk_safe(skb, skb, next) {
37686 ++ skb_mark_not_on_list(skb);
37687 ++
37688 ++ skb = skb_share_check(skb, GFP_ATOMIC);
37689 ++ if (unlikely(!skb))
37690 ++ continue;
37691 ++
37692 ++ /* We only need to keep the original dst around for icmp,
37693 ++ * so at this point we're in a position to drop it.
37694 ++ */
37695 ++ skb_dst_drop(skb);
37696 ++
37697 ++ PACKET_CB(skb)->mtu = mtu;
37698 ++
37699 ++ __skb_queue_tail(&packets, skb);
37700 ++ }
37701 ++
37702 ++ spin_lock_bh(&peer->staged_packet_queue.lock);
37703 ++ /* If the queue is getting too big, we start removing the oldest packets
37704 ++ * until it's small again. We do this before adding the new packet, so
37705 ++ * we don't remove GSO segments that are in excess.
37706 ++ */
37707 ++ while (skb_queue_len(&peer->staged_packet_queue) > MAX_STAGED_PACKETS) {
37708 ++ dev_kfree_skb(__skb_dequeue(&peer->staged_packet_queue));
37709 ++ ++dev->stats.tx_dropped;
37710 ++ }
37711 ++ skb_queue_splice_tail(&packets, &peer->staged_packet_queue);
37712 ++ spin_unlock_bh(&peer->staged_packet_queue.lock);
37713 ++
37714 ++ wg_packet_send_staged_packets(peer);
37715 ++
37716 ++ wg_peer_put(peer);
37717 ++ return NETDEV_TX_OK;
37718 ++
37719 ++err_peer:
37720 ++ wg_peer_put(peer);
37721 ++err_icmp:
37722 ++ if (skb->protocol == htons(ETH_P_IP))
37723 ++ icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
37724 ++ else if (skb->protocol == htons(ETH_P_IPV6))
37725 ++ icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0);
37726 ++err:
37727 ++ ++dev->stats.tx_errors;
37728 ++ kfree_skb(skb);
37729 ++ return ret;
37730 ++}
37731 ++
37732 ++static const struct net_device_ops netdev_ops = {
37733 ++ .ndo_open = wg_open,
37734 ++ .ndo_stop = wg_stop,
37735 ++ .ndo_start_xmit = wg_xmit,
37736 ++ .ndo_get_stats64 = ip_tunnel_get_stats64
37737 ++};
37738 ++
37739 ++static void wg_destruct(struct net_device *dev)
37740 ++{
37741 ++ struct wg_device *wg = netdev_priv(dev);
37742 ++
37743 ++ rtnl_lock();
37744 ++ list_del(&wg->device_list);
37745 ++ rtnl_unlock();
37746 ++ mutex_lock(&wg->device_update_lock);
37747 ++ rcu_assign_pointer(wg->creating_net, NULL);
37748 ++ wg->incoming_port = 0;
37749 ++ wg_socket_reinit(wg, NULL, NULL);
37750 ++ /* The final references are cleared in the below calls to destroy_workqueue. */
37751 ++ wg_peer_remove_all(wg);
37752 ++ destroy_workqueue(wg->handshake_receive_wq);
37753 ++ destroy_workqueue(wg->handshake_send_wq);
37754 ++ destroy_workqueue(wg->packet_crypt_wq);
37755 ++ wg_packet_queue_free(&wg->decrypt_queue);
37756 ++ wg_packet_queue_free(&wg->encrypt_queue);
37757 ++ rcu_barrier(); /* Wait for all the peers to be actually freed. */
37758 ++ wg_ratelimiter_uninit();
37759 ++ memzero_explicit(&wg->static_identity, sizeof(wg->static_identity));
37760 ++ skb_queue_purge(&wg->incoming_handshakes);
37761 ++ free_percpu(dev->tstats);
37762 ++ free_percpu(wg->incoming_handshakes_worker);
37763 ++ kvfree(wg->index_hashtable);
37764 ++ kvfree(wg->peer_hashtable);
37765 ++ mutex_unlock(&wg->device_update_lock);
37766 ++
37767 ++ pr_debug("%s: Interface destroyed\n", dev->name);
37768 ++ free_netdev(dev);
37769 ++}
37770 ++
37771 ++static const struct device_type device_type = { .name = KBUILD_MODNAME };
37772 ++
37773 ++static void wg_setup(struct net_device *dev)
37774 ++{
37775 ++ struct wg_device *wg = netdev_priv(dev);
37776 ++ enum { WG_NETDEV_FEATURES = NETIF_F_HW_CSUM | NETIF_F_RXCSUM |
37777 ++ NETIF_F_SG | NETIF_F_GSO |
37778 ++ NETIF_F_GSO_SOFTWARE | NETIF_F_HIGHDMA };
37779 ++ const int overhead = MESSAGE_MINIMUM_LENGTH + sizeof(struct udphdr) +
37780 ++ max(sizeof(struct ipv6hdr), sizeof(struct iphdr));
37781 ++
37782 ++ dev->netdev_ops = &netdev_ops;
37783 ++ dev->header_ops = &ip_tunnel_header_ops;
37784 ++ dev->hard_header_len = 0;
37785 ++ dev->addr_len = 0;
37786 ++ dev->needed_headroom = DATA_PACKET_HEAD_ROOM;
37787 ++ dev->needed_tailroom = noise_encrypted_len(MESSAGE_PADDING_MULTIPLE);
37788 ++ dev->type = ARPHRD_NONE;
37789 ++ dev->flags = IFF_POINTOPOINT | IFF_NOARP;
37790 ++ dev->priv_flags |= IFF_NO_QUEUE;
37791 ++ dev->features |= NETIF_F_LLTX;
37792 ++ dev->features |= WG_NETDEV_FEATURES;
37793 ++ dev->hw_features |= WG_NETDEV_FEATURES;
37794 ++ dev->hw_enc_features |= WG_NETDEV_FEATURES;
37795 ++ dev->mtu = ETH_DATA_LEN - overhead;
37796 ++ dev->max_mtu = round_down(INT_MAX, MESSAGE_PADDING_MULTIPLE) - overhead;
37797 ++
37798 ++ SET_NETDEV_DEVTYPE(dev, &device_type);
37799 ++
37800 ++ /* We need to keep the dst around in case of icmp replies. */
37801 ++ netif_keep_dst(dev);
37802 ++
37803 ++ memset(wg, 0, sizeof(*wg));
37804 ++ wg->dev = dev;
37805 ++}
37806 ++
37807 ++static int wg_newlink(struct net *src_net, struct net_device *dev,
37808 ++ struct nlattr *tb[], struct nlattr *data[],
37809 ++ struct netlink_ext_ack *extack)
37810 ++{
37811 ++ struct wg_device *wg = netdev_priv(dev);
37812 ++ int ret = -ENOMEM;
37813 ++
37814 ++ rcu_assign_pointer(wg->creating_net, src_net);
37815 ++ init_rwsem(&wg->static_identity.lock);
37816 ++ mutex_init(&wg->socket_update_lock);
37817 ++ mutex_init(&wg->device_update_lock);
37818 ++ skb_queue_head_init(&wg->incoming_handshakes);
37819 ++ wg_allowedips_init(&wg->peer_allowedips);
37820 ++ wg_cookie_checker_init(&wg->cookie_checker, wg);
37821 ++ INIT_LIST_HEAD(&wg->peer_list);
37822 ++ wg->device_update_gen = 1;
37823 ++
37824 ++ wg->peer_hashtable = wg_pubkey_hashtable_alloc();
37825 ++ if (!wg->peer_hashtable)
37826 ++ return ret;
37827 ++
37828 ++ wg->index_hashtable = wg_index_hashtable_alloc();
37829 ++ if (!wg->index_hashtable)
37830 ++ goto err_free_peer_hashtable;
37831 ++
37832 ++ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
37833 ++ if (!dev->tstats)
37834 ++ goto err_free_index_hashtable;
37835 ++
37836 ++ wg->incoming_handshakes_worker =
37837 ++ wg_packet_percpu_multicore_worker_alloc(
37838 ++ wg_packet_handshake_receive_worker, wg);
37839 ++ if (!wg->incoming_handshakes_worker)
37840 ++ goto err_free_tstats;
37841 ++
37842 ++ wg->handshake_receive_wq = alloc_workqueue("wg-kex-%s",
37843 ++ WQ_CPU_INTENSIVE | WQ_FREEZABLE, 0, dev->name);
37844 ++ if (!wg->handshake_receive_wq)
37845 ++ goto err_free_incoming_handshakes;
37846 ++
37847 ++ wg->handshake_send_wq = alloc_workqueue("wg-kex-%s",
37848 ++ WQ_UNBOUND | WQ_FREEZABLE, 0, dev->name);
37849 ++ if (!wg->handshake_send_wq)
37850 ++ goto err_destroy_handshake_receive;
37851 ++
37852 ++ wg->packet_crypt_wq = alloc_workqueue("wg-crypt-%s",
37853 ++ WQ_CPU_INTENSIVE | WQ_MEM_RECLAIM, 0, dev->name);
37854 ++ if (!wg->packet_crypt_wq)
37855 ++ goto err_destroy_handshake_send;
37856 ++
37857 ++ ret = wg_packet_queue_init(&wg->encrypt_queue, wg_packet_encrypt_worker,
37858 ++ MAX_QUEUED_PACKETS);
37859 ++ if (ret < 0)
37860 ++ goto err_destroy_packet_crypt;
37861 ++
37862 ++ ret = wg_packet_queue_init(&wg->decrypt_queue, wg_packet_decrypt_worker,
37863 ++ MAX_QUEUED_PACKETS);
37864 ++ if (ret < 0)
37865 ++ goto err_free_encrypt_queue;
37866 ++
37867 ++ ret = wg_ratelimiter_init();
37868 ++ if (ret < 0)
37869 ++ goto err_free_decrypt_queue;
37870 ++
37871 ++ ret = register_netdevice(dev);
37872 ++ if (ret < 0)
37873 ++ goto err_uninit_ratelimiter;
37874 ++
37875 ++ list_add(&wg->device_list, &device_list);
37876 ++
37877 ++ /* We wait until the end to assign priv_destructor, so that
37878 ++ * register_netdevice doesn't call it for us if it fails.
37879 ++ */
37880 ++ dev->priv_destructor = wg_destruct;
37881 ++
37882 ++ pr_debug("%s: Interface created\n", dev->name);
37883 ++ return ret;
37884 ++
37885 ++err_uninit_ratelimiter:
37886 ++ wg_ratelimiter_uninit();
37887 ++err_free_decrypt_queue:
37888 ++ wg_packet_queue_free(&wg->decrypt_queue);
37889 ++err_free_encrypt_queue:
37890 ++ wg_packet_queue_free(&wg->encrypt_queue);
37891 ++err_destroy_packet_crypt:
37892 ++ destroy_workqueue(wg->packet_crypt_wq);
37893 ++err_destroy_handshake_send:
37894 ++ destroy_workqueue(wg->handshake_send_wq);
37895 ++err_destroy_handshake_receive:
37896 ++ destroy_workqueue(wg->handshake_receive_wq);
37897 ++err_free_incoming_handshakes:
37898 ++ free_percpu(wg->incoming_handshakes_worker);
37899 ++err_free_tstats:
37900 ++ free_percpu(dev->tstats);
37901 ++err_free_index_hashtable:
37902 ++ kvfree(wg->index_hashtable);
37903 ++err_free_peer_hashtable:
37904 ++ kvfree(wg->peer_hashtable);
37905 ++ return ret;
37906 ++}
37907 ++
37908 ++static struct rtnl_link_ops link_ops __read_mostly = {
37909 ++ .kind = KBUILD_MODNAME,
37910 ++ .priv_size = sizeof(struct wg_device),
37911 ++ .setup = wg_setup,
37912 ++ .newlink = wg_newlink,
37913 ++};
37914 ++
37915 ++static void wg_netns_pre_exit(struct net *net)
37916 ++{
37917 ++ struct wg_device *wg;
37918 ++
37919 ++ rtnl_lock();
37920 ++ list_for_each_entry(wg, &device_list, device_list) {
37921 ++ if (rcu_access_pointer(wg->creating_net) == net) {
37922 ++ pr_debug("%s: Creating namespace exiting\n", wg->dev->name);
37923 ++ netif_carrier_off(wg->dev);
37924 ++ mutex_lock(&wg->device_update_lock);
37925 ++ rcu_assign_pointer(wg->creating_net, NULL);
37926 ++ wg_socket_reinit(wg, NULL, NULL);
37927 ++ mutex_unlock(&wg->device_update_lock);
37928 ++ }
37929 ++ }
37930 ++ rtnl_unlock();
37931 ++}
37932 ++
37933 ++static struct pernet_operations pernet_ops = {
37934 ++ .pre_exit = wg_netns_pre_exit
37935 ++};
37936 ++
37937 ++int __init wg_device_init(void)
37938 ++{
37939 ++ int ret;
37940 ++
37941 ++#ifdef CONFIG_PM_SLEEP
37942 ++ ret = register_pm_notifier(&pm_notifier);
37943 ++ if (ret)
37944 ++ return ret;
37945 ++#endif
37946 ++
37947 ++ ret = register_pernet_device(&pernet_ops);
37948 ++ if (ret)
37949 ++ goto error_pm;
37950 ++
37951 ++ ret = rtnl_link_register(&link_ops);
37952 ++ if (ret)
37953 ++ goto error_pernet;
37954 ++
37955 ++ return 0;
37956 ++
37957 ++error_pernet:
37958 ++ unregister_pernet_device(&pernet_ops);
37959 ++error_pm:
37960 ++#ifdef CONFIG_PM_SLEEP
37961 ++ unregister_pm_notifier(&pm_notifier);
37962 ++#endif
37963 ++ return ret;
37964 ++}
37965 ++
37966 ++void wg_device_uninit(void)
37967 ++{
37968 ++ rtnl_link_unregister(&link_ops);
37969 ++ unregister_pernet_device(&pernet_ops);
37970 ++#ifdef CONFIG_PM_SLEEP
37971 ++ unregister_pm_notifier(&pm_notifier);
37972 ++#endif
37973 ++ rcu_barrier();
37974 ++}
37975 +--- b/drivers/net/wireguard/device.h
37976 ++++ b/drivers/net/wireguard/device.h
37977 +@@ -0,0 +1,65 @@
37978 ++/* SPDX-License-Identifier: GPL-2.0 */
37979 ++/*
37980 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
37981 ++ */
37982 ++
37983 ++#ifndef _WG_DEVICE_H
37984 ++#define _WG_DEVICE_H
37985 ++
37986 ++#include "noise.h"
37987 ++#include "allowedips.h"
37988 ++#include "peerlookup.h"
37989 ++#include "cookie.h"
37990 ++
37991 ++#include <linux/types.h>
37992 ++#include <linux/netdevice.h>
37993 ++#include <linux/workqueue.h>
37994 ++#include <linux/mutex.h>
37995 ++#include <linux/net.h>
37996 ++#include <linux/ptr_ring.h>
37997 ++
37998 ++struct wg_device;
37999 ++
38000 ++struct multicore_worker {
38001 ++ void *ptr;
38002 ++ struct work_struct work;
38003 ++};
38004 ++
38005 ++struct crypt_queue {
38006 ++ struct ptr_ring ring;
38007 ++ struct multicore_worker __percpu *worker;
38008 ++ int last_cpu;
38009 ++};
38010 ++
38011 ++struct prev_queue {
38012 ++ struct sk_buff *head, *tail, *peeked;
38013 ++ struct { struct sk_buff *next, *prev; } empty; // Match first 2 members of struct sk_buff.
38014 ++ atomic_t count;
38015 ++};
38016 ++
38017 ++struct wg_device {
38018 ++ struct net_device *dev;
38019 ++ struct crypt_queue encrypt_queue, decrypt_queue;
38020 ++ struct sock __rcu *sock4, *sock6;
38021 ++ struct net __rcu *creating_net;
38022 ++ struct noise_static_identity static_identity;
38023 ++ struct workqueue_struct *handshake_receive_wq, *handshake_send_wq;
38024 ++ struct workqueue_struct *packet_crypt_wq;
38025 ++ struct sk_buff_head incoming_handshakes;
38026 ++ int incoming_handshake_cpu;
38027 ++ struct multicore_worker __percpu *incoming_handshakes_worker;
38028 ++ struct cookie_checker cookie_checker;
38029 ++ struct pubkey_hashtable *peer_hashtable;
38030 ++ struct index_hashtable *index_hashtable;
38031 ++ struct allowedips peer_allowedips;
38032 ++ struct mutex device_update_lock, socket_update_lock;
38033 ++ struct list_head device_list, peer_list;
38034 ++ unsigned int num_peers, device_update_gen;
38035 ++ u32 fwmark;
38036 ++ u16 incoming_port;
38037 ++};
38038 ++
38039 ++int wg_device_init(void);
38040 ++void wg_device_uninit(void);
38041 ++
38042 ++#endif /* _WG_DEVICE_H */
38043 +--- b/drivers/net/wireguard/main.c
38044 ++++ b/drivers/net/wireguard/main.c
38045 +@@ -0,0 +1,63 @@
38046 ++// SPDX-License-Identifier: GPL-2.0
38047 ++/*
38048 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38049 ++ */
38050 ++
38051 ++#include "version.h"
38052 ++#include "device.h"
38053 ++#include "noise.h"
38054 ++#include "queueing.h"
38055 ++#include "ratelimiter.h"
38056 ++#include "netlink.h"
38057 ++
38058 ++#include <uapi/linux/wireguard.h>
38059 ++
38060 ++#include <linux/init.h>
38061 ++#include <linux/module.h>
38062 ++#include <linux/genetlink.h>
38063 ++#include <net/rtnetlink.h>
38064 ++
38065 ++static int __init mod_init(void)
38066 ++{
38067 ++ int ret;
38068 ++
38069 ++#ifdef DEBUG
38070 ++ if (!wg_allowedips_selftest() || !wg_packet_counter_selftest() ||
38071 ++ !wg_ratelimiter_selftest())
38072 ++ return -ENOTRECOVERABLE;
38073 ++#endif
38074 ++ wg_noise_init();
38075 ++
38076 ++ ret = wg_device_init();
38077 ++ if (ret < 0)
38078 ++ goto err_device;
38079 ++
38080 ++ ret = wg_genetlink_init();
38081 ++ if (ret < 0)
38082 ++ goto err_netlink;
38083 ++
38084 ++ pr_info("WireGuard " WIREGUARD_VERSION " loaded. See www.wireguard.com for information.\n");
38085 ++ pr_info("Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.\n");
38086 ++
38087 ++ return 0;
38088 ++
38089 ++err_netlink:
38090 ++ wg_device_uninit();
38091 ++err_device:
38092 ++ return ret;
38093 ++}
38094 ++
38095 ++static void __exit mod_exit(void)
38096 ++{
38097 ++ wg_genetlink_uninit();
38098 ++ wg_device_uninit();
38099 ++}
38100 ++
38101 ++module_init(mod_init);
38102 ++module_exit(mod_exit);
38103 ++MODULE_LICENSE("GPL v2");
38104 ++MODULE_DESCRIPTION("WireGuard secure network tunnel");
38105 ++MODULE_AUTHOR("Jason A. Donenfeld <Jason@×××××.com>");
38106 ++MODULE_VERSION(WIREGUARD_VERSION);
38107 ++MODULE_ALIAS_RTNL_LINK(KBUILD_MODNAME);
38108 ++MODULE_ALIAS_GENL_FAMILY(WG_GENL_NAME);
38109 +--- b/drivers/net/wireguard/messages.h
38110 ++++ b/drivers/net/wireguard/messages.h
38111 +@@ -0,0 +1,128 @@
38112 ++/* SPDX-License-Identifier: GPL-2.0 */
38113 ++/*
38114 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38115 ++ */
38116 ++
38117 ++#ifndef _WG_MESSAGES_H
38118 ++#define _WG_MESSAGES_H
38119 ++
38120 ++#include <crypto/curve25519.h>
38121 ++#include <crypto/chacha20poly1305.h>
38122 ++#include <crypto/blake2s.h>
38123 ++
38124 ++#include <linux/kernel.h>
38125 ++#include <linux/param.h>
38126 ++#include <linux/skbuff.h>
38127 ++
38128 ++enum noise_lengths {
38129 ++ NOISE_PUBLIC_KEY_LEN = CURVE25519_KEY_SIZE,
38130 ++ NOISE_SYMMETRIC_KEY_LEN = CHACHA20POLY1305_KEY_SIZE,
38131 ++ NOISE_TIMESTAMP_LEN = sizeof(u64) + sizeof(u32),
38132 ++ NOISE_AUTHTAG_LEN = CHACHA20POLY1305_AUTHTAG_SIZE,
38133 ++ NOISE_HASH_LEN = BLAKE2S_HASH_SIZE
38134 ++};
38135 ++
38136 ++#define noise_encrypted_len(plain_len) ((plain_len) + NOISE_AUTHTAG_LEN)
38137 ++
38138 ++enum cookie_values {
38139 ++ COOKIE_SECRET_MAX_AGE = 2 * 60,
38140 ++ COOKIE_SECRET_LATENCY = 5,
38141 ++ COOKIE_NONCE_LEN = XCHACHA20POLY1305_NONCE_SIZE,
38142 ++ COOKIE_LEN = 16
38143 ++};
38144 ++
38145 ++enum counter_values {
38146 ++ COUNTER_BITS_TOTAL = 8192,
38147 ++ COUNTER_REDUNDANT_BITS = BITS_PER_LONG,
38148 ++ COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - COUNTER_REDUNDANT_BITS
38149 ++};
38150 ++
38151 ++enum limits {
38152 ++ REKEY_AFTER_MESSAGES = 1ULL << 60,
38153 ++ REJECT_AFTER_MESSAGES = U64_MAX - COUNTER_WINDOW_SIZE - 1,
38154 ++ REKEY_TIMEOUT = 5,
38155 ++ REKEY_TIMEOUT_JITTER_MAX_JIFFIES = HZ / 3,
38156 ++ REKEY_AFTER_TIME = 120,
38157 ++ REJECT_AFTER_TIME = 180,
38158 ++ INITIATIONS_PER_SECOND = 50,
38159 ++ MAX_PEERS_PER_DEVICE = 1U << 20,
38160 ++ KEEPALIVE_TIMEOUT = 10,
38161 ++ MAX_TIMER_HANDSHAKES = 90 / REKEY_TIMEOUT,
38162 ++ MAX_QUEUED_INCOMING_HANDSHAKES = 4096, /* TODO: replace this with DQL */
38163 ++ MAX_STAGED_PACKETS = 128,
38164 ++ MAX_QUEUED_PACKETS = 1024 /* TODO: replace this with DQL */
38165 ++};
38166 ++
38167 ++enum message_type {
38168 ++ MESSAGE_INVALID = 0,
38169 ++ MESSAGE_HANDSHAKE_INITIATION = 1,
38170 ++ MESSAGE_HANDSHAKE_RESPONSE = 2,
38171 ++ MESSAGE_HANDSHAKE_COOKIE = 3,
38172 ++ MESSAGE_DATA = 4
38173 ++};
38174 ++
38175 ++struct message_header {
38176 ++ /* The actual layout of this that we want is:
38177 ++ * u8 type
38178 ++ * u8 reserved_zero[3]
38179 ++ *
38180 ++ * But it turns out that by encoding this as little endian,
38181 ++ * we achieve the same thing, and it makes checking faster.
38182 ++ */
38183 ++ __le32 type;
38184 ++};
38185 ++
38186 ++struct message_macs {
38187 ++ u8 mac1[COOKIE_LEN];
38188 ++ u8 mac2[COOKIE_LEN];
38189 ++};
38190 ++
38191 ++struct message_handshake_initiation {
38192 ++ struct message_header header;
38193 ++ __le32 sender_index;
38194 ++ u8 unencrypted_ephemeral[NOISE_PUBLIC_KEY_LEN];
38195 ++ u8 encrypted_static[noise_encrypted_len(NOISE_PUBLIC_KEY_LEN)];
38196 ++ u8 encrypted_timestamp[noise_encrypted_len(NOISE_TIMESTAMP_LEN)];
38197 ++ struct message_macs macs;
38198 ++};
38199 ++
38200 ++struct message_handshake_response {
38201 ++ struct message_header header;
38202 ++ __le32 sender_index;
38203 ++ __le32 receiver_index;
38204 ++ u8 unencrypted_ephemeral[NOISE_PUBLIC_KEY_LEN];
38205 ++ u8 encrypted_nothing[noise_encrypted_len(0)];
38206 ++ struct message_macs macs;
38207 ++};
38208 ++
38209 ++struct message_handshake_cookie {
38210 ++ struct message_header header;
38211 ++ __le32 receiver_index;
38212 ++ u8 nonce[COOKIE_NONCE_LEN];
38213 ++ u8 encrypted_cookie[noise_encrypted_len(COOKIE_LEN)];
38214 ++};
38215 ++
38216 ++struct message_data {
38217 ++ struct message_header header;
38218 ++ __le32 key_idx;
38219 ++ __le64 counter;
38220 ++ u8 encrypted_data[];
38221 ++};
38222 ++
38223 ++#define message_data_len(plain_len) \
38224 ++ (noise_encrypted_len(plain_len) + sizeof(struct message_data))
38225 ++
38226 ++enum message_alignments {
38227 ++ MESSAGE_PADDING_MULTIPLE = 16,
38228 ++ MESSAGE_MINIMUM_LENGTH = message_data_len(0)
38229 ++};
38230 ++
38231 ++#define SKB_HEADER_LEN \
38232 ++ (max(sizeof(struct iphdr), sizeof(struct ipv6hdr)) + \
38233 ++ sizeof(struct udphdr) + NET_SKB_PAD)
38234 ++#define DATA_PACKET_HEAD_ROOM \
38235 ++ ALIGN(sizeof(struct message_data) + SKB_HEADER_LEN, 4)
38236 ++
38237 ++enum { HANDSHAKE_DSCP = 0x88 /* AF41, plus 00 ECN */ };
38238 ++
38239 ++#endif /* _WG_MESSAGES_H */
38240 +--- b/drivers/net/wireguard/netlink.c
38241 ++++ b/drivers/net/wireguard/netlink.c
38242 +@@ -0,0 +1,646 @@
38243 ++// SPDX-License-Identifier: GPL-2.0
38244 ++/*
38245 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38246 ++ */
38247 ++
38248 ++#include "netlink.h"
38249 ++#include "device.h"
38250 ++#include "peer.h"
38251 ++#include "socket.h"
38252 ++#include "queueing.h"
38253 ++#include "messages.h"
38254 ++
38255 ++#include <uapi/linux/wireguard.h>
38256 ++
38257 ++#include <linux/if.h>
38258 ++#include <net/genetlink.h>
38259 ++#include <net/sock.h>
38260 ++#include <crypto/algapi.h>
38261 ++
38262 ++static struct genl_family genl_family;
38263 ++
38264 ++static const struct nla_policy device_policy[WGDEVICE_A_MAX + 1] = {
38265 ++ [WGDEVICE_A_IFINDEX] = { .type = NLA_U32 },
38266 ++ [WGDEVICE_A_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ - 1 },
38267 ++ [WGDEVICE_A_PRIVATE_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
38268 ++ [WGDEVICE_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
38269 ++ [WGDEVICE_A_FLAGS] = { .type = NLA_U32 },
38270 ++ [WGDEVICE_A_LISTEN_PORT] = { .type = NLA_U16 },
38271 ++ [WGDEVICE_A_FWMARK] = { .type = NLA_U32 },
38272 ++ [WGDEVICE_A_PEERS] = { .type = NLA_NESTED }
38273 ++};
38274 ++
38275 ++static const struct nla_policy peer_policy[WGPEER_A_MAX + 1] = {
38276 ++ [WGPEER_A_PUBLIC_KEY] = NLA_POLICY_EXACT_LEN(NOISE_PUBLIC_KEY_LEN),
38277 ++ [WGPEER_A_PRESHARED_KEY] = NLA_POLICY_EXACT_LEN(NOISE_SYMMETRIC_KEY_LEN),
38278 ++ [WGPEER_A_FLAGS] = { .type = NLA_U32 },
38279 ++ [WGPEER_A_ENDPOINT] = NLA_POLICY_MIN_LEN(sizeof(struct sockaddr)),
38280 ++ [WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL] = { .type = NLA_U16 },
38281 ++ [WGPEER_A_LAST_HANDSHAKE_TIME] = NLA_POLICY_EXACT_LEN(sizeof(struct __kernel_timespec)),
38282 ++ [WGPEER_A_RX_BYTES] = { .type = NLA_U64 },
38283 ++ [WGPEER_A_TX_BYTES] = { .type = NLA_U64 },
38284 ++ [WGPEER_A_ALLOWEDIPS] = { .type = NLA_NESTED },
38285 ++ [WGPEER_A_PROTOCOL_VERSION] = { .type = NLA_U32 }
38286 ++};
38287 ++
38288 ++static const struct nla_policy allowedip_policy[WGALLOWEDIP_A_MAX + 1] = {
38289 ++ [WGALLOWEDIP_A_FAMILY] = { .type = NLA_U16 },
38290 ++ [WGALLOWEDIP_A_IPADDR] = NLA_POLICY_MIN_LEN(sizeof(struct in_addr)),
38291 ++ [WGALLOWEDIP_A_CIDR_MASK] = { .type = NLA_U8 }
38292 ++};
38293 ++
38294 ++static struct wg_device *lookup_interface(struct nlattr **attrs,
38295 ++ struct sk_buff *skb)
38296 ++{
38297 ++ struct net_device *dev = NULL;
38298 ++
38299 ++ if (!attrs[WGDEVICE_A_IFINDEX] == !attrs[WGDEVICE_A_IFNAME])
38300 ++ return ERR_PTR(-EBADR);
38301 ++ if (attrs[WGDEVICE_A_IFINDEX])
38302 ++ dev = dev_get_by_index(sock_net(skb->sk),
38303 ++ nla_get_u32(attrs[WGDEVICE_A_IFINDEX]));
38304 ++ else if (attrs[WGDEVICE_A_IFNAME])
38305 ++ dev = dev_get_by_name(sock_net(skb->sk),
38306 ++ nla_data(attrs[WGDEVICE_A_IFNAME]));
38307 ++ if (!dev)
38308 ++ return ERR_PTR(-ENODEV);
38309 ++ if (!dev->rtnl_link_ops || !dev->rtnl_link_ops->kind ||
38310 ++ strcmp(dev->rtnl_link_ops->kind, KBUILD_MODNAME)) {
38311 ++ dev_put(dev);
38312 ++ return ERR_PTR(-EOPNOTSUPP);
38313 ++ }
38314 ++ return netdev_priv(dev);
38315 ++}
38316 ++
38317 ++static int get_allowedips(struct sk_buff *skb, const u8 *ip, u8 cidr,
38318 ++ int family)
38319 ++{
38320 ++ struct nlattr *allowedip_nest;
38321 ++
38322 ++ allowedip_nest = nla_nest_start(skb, 0);
38323 ++ if (!allowedip_nest)
38324 ++ return -EMSGSIZE;
38325 ++
38326 ++ if (nla_put_u8(skb, WGALLOWEDIP_A_CIDR_MASK, cidr) ||
38327 ++ nla_put_u16(skb, WGALLOWEDIP_A_FAMILY, family) ||
38328 ++ nla_put(skb, WGALLOWEDIP_A_IPADDR, family == AF_INET6 ?
38329 ++ sizeof(struct in6_addr) : sizeof(struct in_addr), ip)) {
38330 ++ nla_nest_cancel(skb, allowedip_nest);
38331 ++ return -EMSGSIZE;
38332 ++ }
38333 ++
38334 ++ nla_nest_end(skb, allowedip_nest);
38335 ++ return 0;
38336 ++}
38337 ++
38338 ++struct dump_ctx {
38339 ++ struct wg_device *wg;
38340 ++ struct wg_peer *next_peer;
38341 ++ u64 allowedips_seq;
38342 ++ struct allowedips_node *next_allowedip;
38343 ++};
38344 ++
38345 ++#define DUMP_CTX(cb) ((struct dump_ctx *)(cb)->args)
38346 ++
38347 ++static int
38348 ++get_peer(struct wg_peer *peer, struct sk_buff *skb, struct dump_ctx *ctx)
38349 ++{
38350 ++
38351 ++ struct nlattr *allowedips_nest, *peer_nest = nla_nest_start(skb, 0);
38352 ++ struct allowedips_node *allowedips_node = ctx->next_allowedip;
38353 ++ bool fail;
38354 ++
38355 ++ if (!peer_nest)
38356 ++ return -EMSGSIZE;
38357 ++
38358 ++ down_read(&peer->handshake.lock);
38359 ++ fail = nla_put(skb, WGPEER_A_PUBLIC_KEY, NOISE_PUBLIC_KEY_LEN,
38360 ++ peer->handshake.remote_static);
38361 ++ up_read(&peer->handshake.lock);
38362 ++ if (fail)
38363 ++ goto err;
38364 ++
38365 ++ if (!allowedips_node) {
38366 ++ const struct __kernel_timespec last_handshake = {
38367 ++ .tv_sec = peer->walltime_last_handshake.tv_sec,
38368 ++ .tv_nsec = peer->walltime_last_handshake.tv_nsec
38369 ++ };
38370 ++
38371 ++ down_read(&peer->handshake.lock);
38372 ++ fail = nla_put(skb, WGPEER_A_PRESHARED_KEY,
38373 ++ NOISE_SYMMETRIC_KEY_LEN,
38374 ++ peer->handshake.preshared_key);
38375 ++ up_read(&peer->handshake.lock);
38376 ++ if (fail)
38377 ++ goto err;
38378 ++
38379 ++ if (nla_put(skb, WGPEER_A_LAST_HANDSHAKE_TIME,
38380 ++ sizeof(last_handshake), &last_handshake) ||
38381 ++ nla_put_u16(skb, WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
38382 ++ peer->persistent_keepalive_interval) ||
38383 ++ nla_put_u64_64bit(skb, WGPEER_A_TX_BYTES, peer->tx_bytes,
38384 ++ WGPEER_A_UNSPEC) ||
38385 ++ nla_put_u64_64bit(skb, WGPEER_A_RX_BYTES, peer->rx_bytes,
38386 ++ WGPEER_A_UNSPEC) ||
38387 ++ nla_put_u32(skb, WGPEER_A_PROTOCOL_VERSION, 1))
38388 ++ goto err;
38389 ++
38390 ++ read_lock_bh(&peer->endpoint_lock);
38391 ++ if (peer->endpoint.addr.sa_family == AF_INET)
38392 ++ fail = nla_put(skb, WGPEER_A_ENDPOINT,
38393 ++ sizeof(peer->endpoint.addr4),
38394 ++ &peer->endpoint.addr4);
38395 ++ else if (peer->endpoint.addr.sa_family == AF_INET6)
38396 ++ fail = nla_put(skb, WGPEER_A_ENDPOINT,
38397 ++ sizeof(peer->endpoint.addr6),
38398 ++ &peer->endpoint.addr6);
38399 ++ read_unlock_bh(&peer->endpoint_lock);
38400 ++ if (fail)
38401 ++ goto err;
38402 ++ allowedips_node =
38403 ++ list_first_entry_or_null(&peer->allowedips_list,
38404 ++ struct allowedips_node, peer_list);
38405 ++ }
38406 ++ if (!allowedips_node)
38407 ++ goto no_allowedips;
38408 ++ if (!ctx->allowedips_seq)
38409 ++ ctx->allowedips_seq = peer->device->peer_allowedips.seq;
38410 ++ else if (ctx->allowedips_seq != peer->device->peer_allowedips.seq)
38411 ++ goto no_allowedips;
38412 ++
38413 ++ allowedips_nest = nla_nest_start(skb, WGPEER_A_ALLOWEDIPS);
38414 ++ if (!allowedips_nest)
38415 ++ goto err;
38416 ++
38417 ++ list_for_each_entry_from(allowedips_node, &peer->allowedips_list,
38418 ++ peer_list) {
38419 ++ u8 cidr, ip[16] __aligned(__alignof(u64));
38420 ++ int family;
38421 ++
38422 ++ family = wg_allowedips_read_node(allowedips_node, ip, &cidr);
38423 ++ if (get_allowedips(skb, ip, cidr, family)) {
38424 ++ nla_nest_end(skb, allowedips_nest);
38425 ++ nla_nest_end(skb, peer_nest);
38426 ++ ctx->next_allowedip = allowedips_node;
38427 ++ return -EMSGSIZE;
38428 ++ }
38429 ++ }
38430 ++ nla_nest_end(skb, allowedips_nest);
38431 ++no_allowedips:
38432 ++ nla_nest_end(skb, peer_nest);
38433 ++ ctx->next_allowedip = NULL;
38434 ++ ctx->allowedips_seq = 0;
38435 ++ return 0;
38436 ++err:
38437 ++ nla_nest_cancel(skb, peer_nest);
38438 ++ return -EMSGSIZE;
38439 ++}
38440 ++
38441 ++static int wg_get_device_start(struct netlink_callback *cb)
38442 ++{
38443 ++ struct nlattr **attrs = genl_family_attrbuf(&genl_family);
38444 ++ struct wg_device *wg;
38445 ++ int ret;
38446 ++
38447 ++ ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + genl_family.hdrsize, attrs,
38448 ++ genl_family.maxattr, device_policy, NULL);
38449 ++ if (ret < 0)
38450 ++ return ret;
38451 ++ wg = lookup_interface(attrs, cb->skb);
38452 ++ if (IS_ERR(wg))
38453 ++ return PTR_ERR(wg);
38454 ++ DUMP_CTX(cb)->wg = wg;
38455 ++ return 0;
38456 ++}
38457 ++
38458 ++static int wg_get_device_dump(struct sk_buff *skb, struct netlink_callback *cb)
38459 ++{
38460 ++ struct wg_peer *peer, *next_peer_cursor;
38461 ++ struct dump_ctx *ctx = DUMP_CTX(cb);
38462 ++ struct wg_device *wg = ctx->wg;
38463 ++ struct nlattr *peers_nest;
38464 ++ int ret = -EMSGSIZE;
38465 ++ bool done = true;
38466 ++ void *hdr;
38467 ++
38468 ++ rtnl_lock();
38469 ++ mutex_lock(&wg->device_update_lock);
38470 ++ cb->seq = wg->device_update_gen;
38471 ++ next_peer_cursor = ctx->next_peer;
38472 ++
38473 ++ hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
38474 ++ &genl_family, NLM_F_MULTI, WG_CMD_GET_DEVICE);
38475 ++ if (!hdr)
38476 ++ goto out;
38477 ++ genl_dump_check_consistent(cb, hdr);
38478 ++
38479 ++ if (!ctx->next_peer) {
38480 ++ if (nla_put_u16(skb, WGDEVICE_A_LISTEN_PORT,
38481 ++ wg->incoming_port) ||
38482 ++ nla_put_u32(skb, WGDEVICE_A_FWMARK, wg->fwmark) ||
38483 ++ nla_put_u32(skb, WGDEVICE_A_IFINDEX, wg->dev->ifindex) ||
38484 ++ nla_put_string(skb, WGDEVICE_A_IFNAME, wg->dev->name))
38485 ++ goto out;
38486 ++
38487 ++ down_read(&wg->static_identity.lock);
38488 ++ if (wg->static_identity.has_identity) {
38489 ++ if (nla_put(skb, WGDEVICE_A_PRIVATE_KEY,
38490 ++ NOISE_PUBLIC_KEY_LEN,
38491 ++ wg->static_identity.static_private) ||
38492 ++ nla_put(skb, WGDEVICE_A_PUBLIC_KEY,
38493 ++ NOISE_PUBLIC_KEY_LEN,
38494 ++ wg->static_identity.static_public)) {
38495 ++ up_read(&wg->static_identity.lock);
38496 ++ goto out;
38497 ++ }
38498 ++ }
38499 ++ up_read(&wg->static_identity.lock);
38500 ++ }
38501 ++
38502 ++ peers_nest = nla_nest_start(skb, WGDEVICE_A_PEERS);
38503 ++ if (!peers_nest)
38504 ++ goto out;
38505 ++ ret = 0;
38506 ++ /* If the last cursor was removed via list_del_init in peer_remove, then
38507 ++ * we just treat this the same as there being no more peers left. The
38508 ++ * reason is that seq_nr should indicate to userspace that this isn't a
38509 ++ * coherent dump anyway, so they'll try again.
38510 ++ */
38511 ++ if (list_empty(&wg->peer_list) ||
38512 ++ (ctx->next_peer && list_empty(&ctx->next_peer->peer_list))) {
38513 ++ nla_nest_cancel(skb, peers_nest);
38514 ++ goto out;
38515 ++ }
38516 ++ lockdep_assert_held(&wg->device_update_lock);
38517 ++ peer = list_prepare_entry(ctx->next_peer, &wg->peer_list, peer_list);
38518 ++ list_for_each_entry_continue(peer, &wg->peer_list, peer_list) {
38519 ++ if (get_peer(peer, skb, ctx)) {
38520 ++ done = false;
38521 ++ break;
38522 ++ }
38523 ++ next_peer_cursor = peer;
38524 ++ }
38525 ++ nla_nest_end(skb, peers_nest);
38526 ++
38527 ++out:
38528 ++ if (!ret && !done && next_peer_cursor)
38529 ++ wg_peer_get(next_peer_cursor);
38530 ++ wg_peer_put(ctx->next_peer);
38531 ++ mutex_unlock(&wg->device_update_lock);
38532 ++ rtnl_unlock();
38533 ++
38534 ++ if (ret) {
38535 ++ genlmsg_cancel(skb, hdr);
38536 ++ return ret;
38537 ++ }
38538 ++ genlmsg_end(skb, hdr);
38539 ++ if (done) {
38540 ++ ctx->next_peer = NULL;
38541 ++ return 0;
38542 ++ }
38543 ++ ctx->next_peer = next_peer_cursor;
38544 ++ return skb->len;
38545 ++
38546 ++ /* At this point, we can't really deal ourselves with safely zeroing out
38547 ++ * the private key material after usage. This will need an additional API
38548 ++ * in the kernel for marking skbs as zero_on_free.
38549 ++ */
38550 ++}
38551 ++
38552 ++static int wg_get_device_done(struct netlink_callback *cb)
38553 ++{
38554 ++ struct dump_ctx *ctx = DUMP_CTX(cb);
38555 ++
38556 ++ if (ctx->wg)
38557 ++ dev_put(ctx->wg->dev);
38558 ++ wg_peer_put(ctx->next_peer);
38559 ++ return 0;
38560 ++}
38561 ++
38562 ++static int set_port(struct wg_device *wg, u16 port)
38563 ++{
38564 ++ struct wg_peer *peer;
38565 ++
38566 ++ if (wg->incoming_port == port)
38567 ++ return 0;
38568 ++ list_for_each_entry(peer, &wg->peer_list, peer_list)
38569 ++ wg_socket_clear_peer_endpoint_src(peer);
38570 ++ if (!netif_running(wg->dev)) {
38571 ++ wg->incoming_port = port;
38572 ++ return 0;
38573 ++ }
38574 ++ return wg_socket_init(wg, port);
38575 ++}
38576 ++
38577 ++static int set_allowedip(struct wg_peer *peer, struct nlattr **attrs)
38578 ++{
38579 ++ int ret = -EINVAL;
38580 ++ u16 family;
38581 ++ u8 cidr;
38582 ++
38583 ++ if (!attrs[WGALLOWEDIP_A_FAMILY] || !attrs[WGALLOWEDIP_A_IPADDR] ||
38584 ++ !attrs[WGALLOWEDIP_A_CIDR_MASK])
38585 ++ return ret;
38586 ++ family = nla_get_u16(attrs[WGALLOWEDIP_A_FAMILY]);
38587 ++ cidr = nla_get_u8(attrs[WGALLOWEDIP_A_CIDR_MASK]);
38588 ++
38589 ++ if (family == AF_INET && cidr <= 32 &&
38590 ++ nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in_addr))
38591 ++ ret = wg_allowedips_insert_v4(
38592 ++ &peer->device->peer_allowedips,
38593 ++ nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer,
38594 ++ &peer->device->device_update_lock);
38595 ++ else if (family == AF_INET6 && cidr <= 128 &&
38596 ++ nla_len(attrs[WGALLOWEDIP_A_IPADDR]) == sizeof(struct in6_addr))
38597 ++ ret = wg_allowedips_insert_v6(
38598 ++ &peer->device->peer_allowedips,
38599 ++ nla_data(attrs[WGALLOWEDIP_A_IPADDR]), cidr, peer,
38600 ++ &peer->device->device_update_lock);
38601 ++
38602 ++ return ret;
38603 ++}
38604 ++
38605 ++static int set_peer(struct wg_device *wg, struct nlattr **attrs)
38606 ++{
38607 ++ u8 *public_key = NULL, *preshared_key = NULL;
38608 ++ struct wg_peer *peer = NULL;
38609 ++ u32 flags = 0;
38610 ++ int ret;
38611 ++
38612 ++ ret = -EINVAL;
38613 ++ if (attrs[WGPEER_A_PUBLIC_KEY] &&
38614 ++ nla_len(attrs[WGPEER_A_PUBLIC_KEY]) == NOISE_PUBLIC_KEY_LEN)
38615 ++ public_key = nla_data(attrs[WGPEER_A_PUBLIC_KEY]);
38616 ++ else
38617 ++ goto out;
38618 ++ if (attrs[WGPEER_A_PRESHARED_KEY] &&
38619 ++ nla_len(attrs[WGPEER_A_PRESHARED_KEY]) == NOISE_SYMMETRIC_KEY_LEN)
38620 ++ preshared_key = nla_data(attrs[WGPEER_A_PRESHARED_KEY]);
38621 ++
38622 ++ if (attrs[WGPEER_A_FLAGS])
38623 ++ flags = nla_get_u32(attrs[WGPEER_A_FLAGS]);
38624 ++ ret = -EOPNOTSUPP;
38625 ++ if (flags & ~__WGPEER_F_ALL)
38626 ++ goto out;
38627 ++
38628 ++ ret = -EPFNOSUPPORT;
38629 ++ if (attrs[WGPEER_A_PROTOCOL_VERSION]) {
38630 ++ if (nla_get_u32(attrs[WGPEER_A_PROTOCOL_VERSION]) != 1)
38631 ++ goto out;
38632 ++ }
38633 ++
38634 ++ peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable,
38635 ++ nla_data(attrs[WGPEER_A_PUBLIC_KEY]));
38636 ++ ret = 0;
38637 ++ if (!peer) { /* Peer doesn't exist yet. Add a new one. */
38638 ++ if (flags & (WGPEER_F_REMOVE_ME | WGPEER_F_UPDATE_ONLY))
38639 ++ goto out;
38640 ++
38641 ++ /* The peer is new, so there aren't allowed IPs to remove. */
38642 ++ flags &= ~WGPEER_F_REPLACE_ALLOWEDIPS;
38643 ++
38644 ++ down_read(&wg->static_identity.lock);
38645 ++ if (wg->static_identity.has_identity &&
38646 ++ !memcmp(nla_data(attrs[WGPEER_A_PUBLIC_KEY]),
38647 ++ wg->static_identity.static_public,
38648 ++ NOISE_PUBLIC_KEY_LEN)) {
38649 ++ /* We silently ignore peers that have the same public
38650 ++ * key as the device. The reason we do it silently is
38651 ++ * that we'd like for people to be able to reuse the
38652 ++ * same set of API calls across peers.
38653 ++ */
38654 ++ up_read(&wg->static_identity.lock);
38655 ++ ret = 0;
38656 ++ goto out;
38657 ++ }
38658 ++ up_read(&wg->static_identity.lock);
38659 ++
38660 ++ peer = wg_peer_create(wg, public_key, preshared_key);
38661 ++ if (IS_ERR(peer)) {
38662 ++ ret = PTR_ERR(peer);
38663 ++ peer = NULL;
38664 ++ goto out;
38665 ++ }
38666 ++ /* Take additional reference, as though we've just been
38667 ++ * looked up.
38668 ++ */
38669 ++ wg_peer_get(peer);
38670 ++ }
38671 ++
38672 ++ if (flags & WGPEER_F_REMOVE_ME) {
38673 ++ wg_peer_remove(peer);
38674 ++ goto out;
38675 ++ }
38676 ++
38677 ++ if (preshared_key) {
38678 ++ down_write(&peer->handshake.lock);
38679 ++ memcpy(&peer->handshake.preshared_key, preshared_key,
38680 ++ NOISE_SYMMETRIC_KEY_LEN);
38681 ++ up_write(&peer->handshake.lock);
38682 ++ }
38683 ++
38684 ++ if (attrs[WGPEER_A_ENDPOINT]) {
38685 ++ struct sockaddr *addr = nla_data(attrs[WGPEER_A_ENDPOINT]);
38686 ++ size_t len = nla_len(attrs[WGPEER_A_ENDPOINT]);
38687 ++
38688 ++ if ((len == sizeof(struct sockaddr_in) &&
38689 ++ addr->sa_family == AF_INET) ||
38690 ++ (len == sizeof(struct sockaddr_in6) &&
38691 ++ addr->sa_family == AF_INET6)) {
38692 ++ struct endpoint endpoint = { { { 0 } } };
38693 ++
38694 ++ memcpy(&endpoint.addr, addr, len);
38695 ++ wg_socket_set_peer_endpoint(peer, &endpoint);
38696 ++ }
38697 ++ }
38698 ++
38699 ++ if (flags & WGPEER_F_REPLACE_ALLOWEDIPS)
38700 ++ wg_allowedips_remove_by_peer(&wg->peer_allowedips, peer,
38701 ++ &wg->device_update_lock);
38702 ++
38703 ++ if (attrs[WGPEER_A_ALLOWEDIPS]) {
38704 ++ struct nlattr *attr, *allowedip[WGALLOWEDIP_A_MAX + 1];
38705 ++ int rem;
38706 ++
38707 ++ nla_for_each_nested(attr, attrs[WGPEER_A_ALLOWEDIPS], rem) {
38708 ++ ret = nla_parse_nested(allowedip, WGALLOWEDIP_A_MAX,
38709 ++ attr, allowedip_policy, NULL);
38710 ++ if (ret < 0)
38711 ++ goto out;
38712 ++ ret = set_allowedip(peer, allowedip);
38713 ++ if (ret < 0)
38714 ++ goto out;
38715 ++ }
38716 ++ }
38717 ++
38718 ++ if (attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]) {
38719 ++ const u16 persistent_keepalive_interval = nla_get_u16(
38720 ++ attrs[WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL]);
38721 ++ const bool send_keepalive =
38722 ++ !peer->persistent_keepalive_interval &&
38723 ++ persistent_keepalive_interval &&
38724 ++ netif_running(wg->dev);
38725 ++
38726 ++ peer->persistent_keepalive_interval = persistent_keepalive_interval;
38727 ++ if (send_keepalive)
38728 ++ wg_packet_send_keepalive(peer);
38729 ++ }
38730 ++
38731 ++ if (netif_running(wg->dev))
38732 ++ wg_packet_send_staged_packets(peer);
38733 ++
38734 ++out:
38735 ++ wg_peer_put(peer);
38736 ++ if (attrs[WGPEER_A_PRESHARED_KEY])
38737 ++ memzero_explicit(nla_data(attrs[WGPEER_A_PRESHARED_KEY]),
38738 ++ nla_len(attrs[WGPEER_A_PRESHARED_KEY]));
38739 ++ return ret;
38740 ++}
38741 ++
38742 ++static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
38743 ++{
38744 ++ struct wg_device *wg = lookup_interface(info->attrs, skb);
38745 ++ u32 flags = 0;
38746 ++ int ret;
38747 ++
38748 ++ if (IS_ERR(wg)) {
38749 ++ ret = PTR_ERR(wg);
38750 ++ goto out_nodev;
38751 ++ }
38752 ++
38753 ++ rtnl_lock();
38754 ++ mutex_lock(&wg->device_update_lock);
38755 ++
38756 ++ if (info->attrs[WGDEVICE_A_FLAGS])
38757 ++ flags = nla_get_u32(info->attrs[WGDEVICE_A_FLAGS]);
38758 ++ ret = -EOPNOTSUPP;
38759 ++ if (flags & ~__WGDEVICE_F_ALL)
38760 ++ goto out;
38761 ++
38762 ++ if (info->attrs[WGDEVICE_A_LISTEN_PORT] || info->attrs[WGDEVICE_A_FWMARK]) {
38763 ++ struct net *net;
38764 ++ rcu_read_lock();
38765 ++ net = rcu_dereference(wg->creating_net);
38766 ++ ret = !net || !ns_capable(net->user_ns, CAP_NET_ADMIN) ? -EPERM : 0;
38767 ++ rcu_read_unlock();
38768 ++ if (ret)
38769 ++ goto out;
38770 ++ }
38771 ++
38772 ++ ++wg->device_update_gen;
38773 ++
38774 ++ if (info->attrs[WGDEVICE_A_FWMARK]) {
38775 ++ struct wg_peer *peer;
38776 ++
38777 ++ wg->fwmark = nla_get_u32(info->attrs[WGDEVICE_A_FWMARK]);
38778 ++ list_for_each_entry(peer, &wg->peer_list, peer_list)
38779 ++ wg_socket_clear_peer_endpoint_src(peer);
38780 ++ }
38781 ++
38782 ++ if (info->attrs[WGDEVICE_A_LISTEN_PORT]) {
38783 ++ ret = set_port(wg,
38784 ++ nla_get_u16(info->attrs[WGDEVICE_A_LISTEN_PORT]));
38785 ++ if (ret)
38786 ++ goto out;
38787 ++ }
38788 ++
38789 ++ if (flags & WGDEVICE_F_REPLACE_PEERS)
38790 ++ wg_peer_remove_all(wg);
38791 ++
38792 ++ if (info->attrs[WGDEVICE_A_PRIVATE_KEY] &&
38793 ++ nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]) ==
38794 ++ NOISE_PUBLIC_KEY_LEN) {
38795 ++ u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
38796 ++ u8 public_key[NOISE_PUBLIC_KEY_LEN];
38797 ++ struct wg_peer *peer, *temp;
38798 ++
38799 ++ if (!crypto_memneq(wg->static_identity.static_private,
38800 ++ private_key, NOISE_PUBLIC_KEY_LEN))
38801 ++ goto skip_set_private_key;
38802 ++
38803 ++ /* We remove before setting, to prevent race, which means doing
38804 ++ * two 25519-genpub ops.
38805 ++ */
38806 ++ if (curve25519_generate_public(public_key, private_key)) {
38807 ++ peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable,
38808 ++ public_key);
38809 ++ if (peer) {
38810 ++ wg_peer_put(peer);
38811 ++ wg_peer_remove(peer);
38812 ++ }
38813 ++ }
38814 ++
38815 ++ down_write(&wg->static_identity.lock);
38816 ++ wg_noise_set_static_identity_private_key(&wg->static_identity,
38817 ++ private_key);
38818 ++ list_for_each_entry_safe(peer, temp, &wg->peer_list,
38819 ++ peer_list) {
38820 ++ wg_noise_precompute_static_static(peer);
38821 ++ wg_noise_expire_current_peer_keypairs(peer);
38822 ++ }
38823 ++ wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
38824 ++ up_write(&wg->static_identity.lock);
38825 ++ }
38826 ++skip_set_private_key:
38827 ++
38828 ++ if (info->attrs[WGDEVICE_A_PEERS]) {
38829 ++ struct nlattr *attr, *peer[WGPEER_A_MAX + 1];
38830 ++ int rem;
38831 ++
38832 ++ nla_for_each_nested(attr, info->attrs[WGDEVICE_A_PEERS], rem) {
38833 ++ ret = nla_parse_nested(peer, WGPEER_A_MAX, attr,
38834 ++ peer_policy, NULL);
38835 ++ if (ret < 0)
38836 ++ goto out;
38837 ++ ret = set_peer(wg, peer);
38838 ++ if (ret < 0)
38839 ++ goto out;
38840 ++ }
38841 ++ }
38842 ++ ret = 0;
38843 ++
38844 ++out:
38845 ++ mutex_unlock(&wg->device_update_lock);
38846 ++ rtnl_unlock();
38847 ++ dev_put(wg->dev);
38848 ++out_nodev:
38849 ++ if (info->attrs[WGDEVICE_A_PRIVATE_KEY])
38850 ++ memzero_explicit(nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]),
38851 ++ nla_len(info->attrs[WGDEVICE_A_PRIVATE_KEY]));
38852 ++ return ret;
38853 ++}
38854 ++
38855 ++static const struct genl_ops genl_ops[] = {
38856 ++ {
38857 ++ .cmd = WG_CMD_GET_DEVICE,
38858 ++ .start = wg_get_device_start,
38859 ++ .dumpit = wg_get_device_dump,
38860 ++ .done = wg_get_device_done,
38861 ++ .flags = GENL_UNS_ADMIN_PERM
38862 ++ }, {
38863 ++ .cmd = WG_CMD_SET_DEVICE,
38864 ++ .doit = wg_set_device,
38865 ++ .flags = GENL_UNS_ADMIN_PERM
38866 ++ }
38867 ++};
38868 ++
38869 ++static struct genl_family genl_family __ro_after_init = {
38870 ++ .ops = genl_ops,
38871 ++ .n_ops = ARRAY_SIZE(genl_ops),
38872 ++ .name = WG_GENL_NAME,
38873 ++ .version = WG_GENL_VERSION,
38874 ++ .maxattr = WGDEVICE_A_MAX,
38875 ++ .module = THIS_MODULE,
38876 ++ .policy = device_policy,
38877 ++ .netnsok = true
38878 ++};
38879 ++
38880 ++int __init wg_genetlink_init(void)
38881 ++{
38882 ++ return genl_register_family(&genl_family);
38883 ++}
38884 ++
38885 ++void __exit wg_genetlink_uninit(void)
38886 ++{
38887 ++ genl_unregister_family(&genl_family);
38888 ++}
38889 +--- /dev/null
38890 ++++ b/drivers/net/wireguard/netlink.h
38891 +@@ -0,0 +1,12 @@
38892 ++/* SPDX-License-Identifier: GPL-2.0 */
38893 ++/*
38894 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38895 ++ */
38896 ++
38897 ++#ifndef _WG_NETLINK_H
38898 ++#define _WG_NETLINK_H
38899 ++
38900 ++int wg_genetlink_init(void);
38901 ++void wg_genetlink_uninit(void);
38902 ++
38903 ++#endif /* _WG_NETLINK_H */
38904 +--- b/drivers/net/wireguard/noise.c
38905 ++++ b/drivers/net/wireguard/noise.c
38906 +@@ -0,0 +1,828 @@
38907 ++// SPDX-License-Identifier: GPL-2.0
38908 ++/*
38909 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
38910 ++ */
38911 ++
38912 ++#include "noise.h"
38913 ++#include "device.h"
38914 ++#include "peer.h"
38915 ++#include "messages.h"
38916 ++#include "queueing.h"
38917 ++#include "peerlookup.h"
38918 ++
38919 ++#include <linux/rcupdate.h>
38920 ++#include <linux/slab.h>
38921 ++#include <linux/bitmap.h>
38922 ++#include <linux/scatterlist.h>
38923 ++#include <linux/highmem.h>
38924 ++#include <crypto/algapi.h>
38925 ++
38926 ++/* This implements Noise_IKpsk2:
38927 ++ *
38928 ++ * <- s
38929 ++ * ******
38930 ++ * -> e, es, s, ss, {t}
38931 ++ * <- e, ee, se, psk, {}
38932 ++ */
38933 ++
38934 ++static const u8 handshake_name[37] = "Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s";
38935 ++static const u8 identifier_name[34] = "WireGuard v1 zx2c4 Jason@×××××.com";
38936 ++static u8 handshake_init_hash[NOISE_HASH_LEN] __ro_after_init;
38937 ++static u8 handshake_init_chaining_key[NOISE_HASH_LEN] __ro_after_init;
38938 ++static atomic64_t keypair_counter = ATOMIC64_INIT(0);
38939 ++
38940 ++void __init wg_noise_init(void)
38941 ++{
38942 ++ struct blake2s_state blake;
38943 ++
38944 ++ blake2s(handshake_init_chaining_key, handshake_name, NULL,
38945 ++ NOISE_HASH_LEN, sizeof(handshake_name), 0);
38946 ++ blake2s_init(&blake, NOISE_HASH_LEN);
38947 ++ blake2s_update(&blake, handshake_init_chaining_key, NOISE_HASH_LEN);
38948 ++ blake2s_update(&blake, identifier_name, sizeof(identifier_name));
38949 ++ blake2s_final(&blake, handshake_init_hash);
38950 ++}
38951 ++
38952 ++/* Must hold peer->handshake.static_identity->lock */
38953 ++void wg_noise_precompute_static_static(struct wg_peer *peer)
38954 ++{
38955 ++ down_write(&peer->handshake.lock);
38956 ++ if (!peer->handshake.static_identity->has_identity ||
38957 ++ !curve25519(peer->handshake.precomputed_static_static,
38958 ++ peer->handshake.static_identity->static_private,
38959 ++ peer->handshake.remote_static))
38960 ++ memset(peer->handshake.precomputed_static_static, 0,
38961 ++ NOISE_PUBLIC_KEY_LEN);
38962 ++ up_write(&peer->handshake.lock);
38963 ++}
38964 ++
38965 ++void wg_noise_handshake_init(struct noise_handshake *handshake,
38966 ++ struct noise_static_identity *static_identity,
38967 ++ const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
38968 ++ const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
38969 ++ struct wg_peer *peer)
38970 ++{
38971 ++ memset(handshake, 0, sizeof(*handshake));
38972 ++ init_rwsem(&handshake->lock);
38973 ++ handshake->entry.type = INDEX_HASHTABLE_HANDSHAKE;
38974 ++ handshake->entry.peer = peer;
38975 ++ memcpy(handshake->remote_static, peer_public_key, NOISE_PUBLIC_KEY_LEN);
38976 ++ if (peer_preshared_key)
38977 ++ memcpy(handshake->preshared_key, peer_preshared_key,
38978 ++ NOISE_SYMMETRIC_KEY_LEN);
38979 ++ handshake->static_identity = static_identity;
38980 ++ handshake->state = HANDSHAKE_ZEROED;
38981 ++ wg_noise_precompute_static_static(peer);
38982 ++}
38983 ++
38984 ++static void handshake_zero(struct noise_handshake *handshake)
38985 ++{
38986 ++ memset(&handshake->ephemeral_private, 0, NOISE_PUBLIC_KEY_LEN);
38987 ++ memset(&handshake->remote_ephemeral, 0, NOISE_PUBLIC_KEY_LEN);
38988 ++ memset(&handshake->hash, 0, NOISE_HASH_LEN);
38989 ++ memset(&handshake->chaining_key, 0, NOISE_HASH_LEN);
38990 ++ handshake->remote_index = 0;
38991 ++ handshake->state = HANDSHAKE_ZEROED;
38992 ++}
38993 ++
38994 ++void wg_noise_handshake_clear(struct noise_handshake *handshake)
38995 ++{
38996 ++ down_write(&handshake->lock);
38997 ++ wg_index_hashtable_remove(
38998 ++ handshake->entry.peer->device->index_hashtable,
38999 ++ &handshake->entry);
39000 ++ handshake_zero(handshake);
39001 ++ up_write(&handshake->lock);
39002 ++}
39003 ++
39004 ++static struct noise_keypair *keypair_create(struct wg_peer *peer)
39005 ++{
39006 ++ struct noise_keypair *keypair = kzalloc(sizeof(*keypair), GFP_KERNEL);
39007 ++
39008 ++ if (unlikely(!keypair))
39009 ++ return NULL;
39010 ++ spin_lock_init(&keypair->receiving_counter.lock);
39011 ++ keypair->internal_id = atomic64_inc_return(&keypair_counter);
39012 ++ keypair->entry.type = INDEX_HASHTABLE_KEYPAIR;
39013 ++ keypair->entry.peer = peer;
39014 ++ kref_init(&keypair->refcount);
39015 ++ return keypair;
39016 ++}
39017 ++
39018 ++static void keypair_free_rcu(struct rcu_head *rcu)
39019 ++{
39020 ++ kzfree(container_of(rcu, struct noise_keypair, rcu));
39021 ++}
39022 ++
39023 ++static void keypair_free_kref(struct kref *kref)
39024 ++{
39025 ++ struct noise_keypair *keypair =
39026 ++ container_of(kref, struct noise_keypair, refcount);
39027 ++
39028 ++ net_dbg_ratelimited("%s: Keypair %llu destroyed for peer %llu\n",
39029 ++ keypair->entry.peer->device->dev->name,
39030 ++ keypair->internal_id,
39031 ++ keypair->entry.peer->internal_id);
39032 ++ wg_index_hashtable_remove(keypair->entry.peer->device->index_hashtable,
39033 ++ &keypair->entry);
39034 ++ call_rcu(&keypair->rcu, keypair_free_rcu);
39035 ++}
39036 ++
39037 ++void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now)
39038 ++{
39039 ++ if (unlikely(!keypair))
39040 ++ return;
39041 ++ if (unlikely(unreference_now))
39042 ++ wg_index_hashtable_remove(
39043 ++ keypair->entry.peer->device->index_hashtable,
39044 ++ &keypair->entry);
39045 ++ kref_put(&keypair->refcount, keypair_free_kref);
39046 ++}
39047 ++
39048 ++struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair)
39049 ++{
39050 ++ RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
39051 ++ "Taking noise keypair reference without holding the RCU BH read lock");
39052 ++ if (unlikely(!keypair || !kref_get_unless_zero(&keypair->refcount)))
39053 ++ return NULL;
39054 ++ return keypair;
39055 ++}
39056 ++
39057 ++void wg_noise_keypairs_clear(struct noise_keypairs *keypairs)
39058 ++{
39059 ++ struct noise_keypair *old;
39060 ++
39061 ++ spin_lock_bh(&keypairs->keypair_update_lock);
39062 ++
39063 ++ /* We zero the next_keypair before zeroing the others, so that
39064 ++ * wg_noise_received_with_keypair returns early before subsequent ones
39065 ++ * are zeroed.
39066 ++ */
39067 ++ old = rcu_dereference_protected(keypairs->next_keypair,
39068 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39069 ++ RCU_INIT_POINTER(keypairs->next_keypair, NULL);
39070 ++ wg_noise_keypair_put(old, true);
39071 ++
39072 ++ old = rcu_dereference_protected(keypairs->previous_keypair,
39073 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39074 ++ RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
39075 ++ wg_noise_keypair_put(old, true);
39076 ++
39077 ++ old = rcu_dereference_protected(keypairs->current_keypair,
39078 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39079 ++ RCU_INIT_POINTER(keypairs->current_keypair, NULL);
39080 ++ wg_noise_keypair_put(old, true);
39081 ++
39082 ++ spin_unlock_bh(&keypairs->keypair_update_lock);
39083 ++}
39084 ++
39085 ++void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer)
39086 ++{
39087 ++ struct noise_keypair *keypair;
39088 ++
39089 ++ wg_noise_handshake_clear(&peer->handshake);
39090 ++ wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
39091 ++
39092 ++ spin_lock_bh(&peer->keypairs.keypair_update_lock);
39093 ++ keypair = rcu_dereference_protected(peer->keypairs.next_keypair,
39094 ++ lockdep_is_held(&peer->keypairs.keypair_update_lock));
39095 ++ if (keypair)
39096 ++ keypair->sending.is_valid = false;
39097 ++ keypair = rcu_dereference_protected(peer->keypairs.current_keypair,
39098 ++ lockdep_is_held(&peer->keypairs.keypair_update_lock));
39099 ++ if (keypair)
39100 ++ keypair->sending.is_valid = false;
39101 ++ spin_unlock_bh(&peer->keypairs.keypair_update_lock);
39102 ++}
39103 ++
39104 ++static void add_new_keypair(struct noise_keypairs *keypairs,
39105 ++ struct noise_keypair *new_keypair)
39106 ++{
39107 ++ struct noise_keypair *previous_keypair, *next_keypair, *current_keypair;
39108 ++
39109 ++ spin_lock_bh(&keypairs->keypair_update_lock);
39110 ++ previous_keypair = rcu_dereference_protected(keypairs->previous_keypair,
39111 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39112 ++ next_keypair = rcu_dereference_protected(keypairs->next_keypair,
39113 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39114 ++ current_keypair = rcu_dereference_protected(keypairs->current_keypair,
39115 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39116 ++ if (new_keypair->i_am_the_initiator) {
39117 ++ /* If we're the initiator, it means we've sent a handshake, and
39118 ++ * received a confirmation response, which means this new
39119 ++ * keypair can now be used.
39120 ++ */
39121 ++ if (next_keypair) {
39122 ++ /* If there already was a next keypair pending, we
39123 ++ * demote it to be the previous keypair, and free the
39124 ++ * existing current. Note that this means KCI can result
39125 ++ * in this transition. It would perhaps be more sound to
39126 ++ * always just get rid of the unused next keypair
39127 ++ * instead of putting it in the previous slot, but this
39128 ++ * might be a bit less robust. Something to think about
39129 ++ * for the future.
39130 ++ */
39131 ++ RCU_INIT_POINTER(keypairs->next_keypair, NULL);
39132 ++ rcu_assign_pointer(keypairs->previous_keypair,
39133 ++ next_keypair);
39134 ++ wg_noise_keypair_put(current_keypair, true);
39135 ++ } else /* If there wasn't an existing next keypair, we replace
39136 ++ * the previous with the current one.
39137 ++ */
39138 ++ rcu_assign_pointer(keypairs->previous_keypair,
39139 ++ current_keypair);
39140 ++ /* At this point we can get rid of the old previous keypair, and
39141 ++ * set up the new keypair.
39142 ++ */
39143 ++ wg_noise_keypair_put(previous_keypair, true);
39144 ++ rcu_assign_pointer(keypairs->current_keypair, new_keypair);
39145 ++ } else {
39146 ++ /* If we're the responder, it means we can't use the new keypair
39147 ++ * until we receive confirmation via the first data packet, so
39148 ++ * we get rid of the existing previous one, the possibly
39149 ++ * existing next one, and slide in the new next one.
39150 ++ */
39151 ++ rcu_assign_pointer(keypairs->next_keypair, new_keypair);
39152 ++ wg_noise_keypair_put(next_keypair, true);
39153 ++ RCU_INIT_POINTER(keypairs->previous_keypair, NULL);
39154 ++ wg_noise_keypair_put(previous_keypair, true);
39155 ++ }
39156 ++ spin_unlock_bh(&keypairs->keypair_update_lock);
39157 ++}
39158 ++
39159 ++bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
39160 ++ struct noise_keypair *received_keypair)
39161 ++{
39162 ++ struct noise_keypair *old_keypair;
39163 ++ bool key_is_new;
39164 ++
39165 ++ /* We first check without taking the spinlock. */
39166 ++ key_is_new = received_keypair ==
39167 ++ rcu_access_pointer(keypairs->next_keypair);
39168 ++ if (likely(!key_is_new))
39169 ++ return false;
39170 ++
39171 ++ spin_lock_bh(&keypairs->keypair_update_lock);
39172 ++ /* After locking, we double check that things didn't change from
39173 ++ * beneath us.
39174 ++ */
39175 ++ if (unlikely(received_keypair !=
39176 ++ rcu_dereference_protected(keypairs->next_keypair,
39177 ++ lockdep_is_held(&keypairs->keypair_update_lock)))) {
39178 ++ spin_unlock_bh(&keypairs->keypair_update_lock);
39179 ++ return false;
39180 ++ }
39181 ++
39182 ++ /* When we've finally received the confirmation, we slide the next
39183 ++ * into the current, the current into the previous, and get rid of
39184 ++ * the old previous.
39185 ++ */
39186 ++ old_keypair = rcu_dereference_protected(keypairs->previous_keypair,
39187 ++ lockdep_is_held(&keypairs->keypair_update_lock));
39188 ++ rcu_assign_pointer(keypairs->previous_keypair,
39189 ++ rcu_dereference_protected(keypairs->current_keypair,
39190 ++ lockdep_is_held(&keypairs->keypair_update_lock)));
39191 ++ wg_noise_keypair_put(old_keypair, true);
39192 ++ rcu_assign_pointer(keypairs->current_keypair, received_keypair);
39193 ++ RCU_INIT_POINTER(keypairs->next_keypair, NULL);
39194 ++
39195 ++ spin_unlock_bh(&keypairs->keypair_update_lock);
39196 ++ return true;
39197 ++}
39198 ++
39199 ++/* Must hold static_identity->lock */
39200 ++void wg_noise_set_static_identity_private_key(
39201 ++ struct noise_static_identity *static_identity,
39202 ++ const u8 private_key[NOISE_PUBLIC_KEY_LEN])
39203 ++{
39204 ++ memcpy(static_identity->static_private, private_key,
39205 ++ NOISE_PUBLIC_KEY_LEN);
39206 ++ curve25519_clamp_secret(static_identity->static_private);
39207 ++ static_identity->has_identity = curve25519_generate_public(
39208 ++ static_identity->static_public, private_key);
39209 ++}
39210 ++
39211 ++/* This is Hugo Krawczyk's HKDF:
39212 ++ * - https://eprint.iacr.org/2010/264.pdf
39213 ++ * - https://tools.ietf.org/html/rfc5869
39214 ++ */
39215 ++static void kdf(u8 *first_dst, u8 *second_dst, u8 *third_dst, const u8 *data,
39216 ++ size_t first_len, size_t second_len, size_t third_len,
39217 ++ size_t data_len, const u8 chaining_key[NOISE_HASH_LEN])
39218 ++{
39219 ++ u8 output[BLAKE2S_HASH_SIZE + 1];
39220 ++ u8 secret[BLAKE2S_HASH_SIZE];
39221 ++
39222 ++ WARN_ON(IS_ENABLED(DEBUG) &&
39223 ++ (first_len > BLAKE2S_HASH_SIZE ||
39224 ++ second_len > BLAKE2S_HASH_SIZE ||
39225 ++ third_len > BLAKE2S_HASH_SIZE ||
39226 ++ ((second_len || second_dst || third_len || third_dst) &&
39227 ++ (!first_len || !first_dst)) ||
39228 ++ ((third_len || third_dst) && (!second_len || !second_dst))));
39229 ++
39230 ++ /* Extract entropy from data into secret */
39231 ++ blake2s256_hmac(secret, data, chaining_key, data_len, NOISE_HASH_LEN);
39232 ++
39233 ++ if (!first_dst || !first_len)
39234 ++ goto out;
39235 ++
39236 ++ /* Expand first key: key = secret, data = 0x1 */
39237 ++ output[0] = 1;
39238 ++ blake2s256_hmac(output, output, secret, 1, BLAKE2S_HASH_SIZE);
39239 ++ memcpy(first_dst, output, first_len);
39240 ++
39241 ++ if (!second_dst || !second_len)
39242 ++ goto out;
39243 ++
39244 ++ /* Expand second key: key = secret, data = first-key || 0x2 */
39245 ++ output[BLAKE2S_HASH_SIZE] = 2;
39246 ++ blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
39247 ++ BLAKE2S_HASH_SIZE);
39248 ++ memcpy(second_dst, output, second_len);
39249 ++
39250 ++ if (!third_dst || !third_len)
39251 ++ goto out;
39252 ++
39253 ++ /* Expand third key: key = secret, data = second-key || 0x3 */
39254 ++ output[BLAKE2S_HASH_SIZE] = 3;
39255 ++ blake2s256_hmac(output, output, secret, BLAKE2S_HASH_SIZE + 1,
39256 ++ BLAKE2S_HASH_SIZE);
39257 ++ memcpy(third_dst, output, third_len);
39258 ++
39259 ++out:
39260 ++ /* Clear sensitive data from stack */
39261 ++ memzero_explicit(secret, BLAKE2S_HASH_SIZE);
39262 ++ memzero_explicit(output, BLAKE2S_HASH_SIZE + 1);
39263 ++}
39264 ++
39265 ++static void derive_keys(struct noise_symmetric_key *first_dst,
39266 ++ struct noise_symmetric_key *second_dst,
39267 ++ const u8 chaining_key[NOISE_HASH_LEN])
39268 ++{
39269 ++ u64 birthdate = ktime_get_coarse_boottime_ns();
39270 ++ kdf(first_dst->key, second_dst->key, NULL, NULL,
39271 ++ NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, 0, 0,
39272 ++ chaining_key);
39273 ++ first_dst->birthdate = second_dst->birthdate = birthdate;
39274 ++ first_dst->is_valid = second_dst->is_valid = true;
39275 ++}
39276 ++
39277 ++static bool __must_check mix_dh(u8 chaining_key[NOISE_HASH_LEN],
39278 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN],
39279 ++ const u8 private[NOISE_PUBLIC_KEY_LEN],
39280 ++ const u8 public[NOISE_PUBLIC_KEY_LEN])
39281 ++{
39282 ++ u8 dh_calculation[NOISE_PUBLIC_KEY_LEN];
39283 ++
39284 ++ if (unlikely(!curve25519(dh_calculation, private, public)))
39285 ++ return false;
39286 ++ kdf(chaining_key, key, NULL, dh_calculation, NOISE_HASH_LEN,
39287 ++ NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN, chaining_key);
39288 ++ memzero_explicit(dh_calculation, NOISE_PUBLIC_KEY_LEN);
39289 ++ return true;
39290 ++}
39291 ++
39292 ++static bool __must_check mix_precomputed_dh(u8 chaining_key[NOISE_HASH_LEN],
39293 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN],
39294 ++ const u8 precomputed[NOISE_PUBLIC_KEY_LEN])
39295 ++{
39296 ++ static u8 zero_point[NOISE_PUBLIC_KEY_LEN];
39297 ++ if (unlikely(!crypto_memneq(precomputed, zero_point, NOISE_PUBLIC_KEY_LEN)))
39298 ++ return false;
39299 ++ kdf(chaining_key, key, NULL, precomputed, NOISE_HASH_LEN,
39300 ++ NOISE_SYMMETRIC_KEY_LEN, 0, NOISE_PUBLIC_KEY_LEN,
39301 ++ chaining_key);
39302 ++ return true;
39303 ++}
39304 ++
39305 ++static void mix_hash(u8 hash[NOISE_HASH_LEN], const u8 *src, size_t src_len)
39306 ++{
39307 ++ struct blake2s_state blake;
39308 ++
39309 ++ blake2s_init(&blake, NOISE_HASH_LEN);
39310 ++ blake2s_update(&blake, hash, NOISE_HASH_LEN);
39311 ++ blake2s_update(&blake, src, src_len);
39312 ++ blake2s_final(&blake, hash);
39313 ++}
39314 ++
39315 ++static void mix_psk(u8 chaining_key[NOISE_HASH_LEN], u8 hash[NOISE_HASH_LEN],
39316 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN],
39317 ++ const u8 psk[NOISE_SYMMETRIC_KEY_LEN])
39318 ++{
39319 ++ u8 temp_hash[NOISE_HASH_LEN];
39320 ++
39321 ++ kdf(chaining_key, temp_hash, key, psk, NOISE_HASH_LEN, NOISE_HASH_LEN,
39322 ++ NOISE_SYMMETRIC_KEY_LEN, NOISE_SYMMETRIC_KEY_LEN, chaining_key);
39323 ++ mix_hash(hash, temp_hash, NOISE_HASH_LEN);
39324 ++ memzero_explicit(temp_hash, NOISE_HASH_LEN);
39325 ++}
39326 ++
39327 ++static void handshake_init(u8 chaining_key[NOISE_HASH_LEN],
39328 ++ u8 hash[NOISE_HASH_LEN],
39329 ++ const u8 remote_static[NOISE_PUBLIC_KEY_LEN])
39330 ++{
39331 ++ memcpy(hash, handshake_init_hash, NOISE_HASH_LEN);
39332 ++ memcpy(chaining_key, handshake_init_chaining_key, NOISE_HASH_LEN);
39333 ++ mix_hash(hash, remote_static, NOISE_PUBLIC_KEY_LEN);
39334 ++}
39335 ++
39336 ++static void message_encrypt(u8 *dst_ciphertext, const u8 *src_plaintext,
39337 ++ size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
39338 ++ u8 hash[NOISE_HASH_LEN])
39339 ++{
39340 ++ chacha20poly1305_encrypt(dst_ciphertext, src_plaintext, src_len, hash,
39341 ++ NOISE_HASH_LEN,
39342 ++ 0 /* Always zero for Noise_IK */, key);
39343 ++ mix_hash(hash, dst_ciphertext, noise_encrypted_len(src_len));
39344 ++}
39345 ++
39346 ++static bool message_decrypt(u8 *dst_plaintext, const u8 *src_ciphertext,
39347 ++ size_t src_len, u8 key[NOISE_SYMMETRIC_KEY_LEN],
39348 ++ u8 hash[NOISE_HASH_LEN])
39349 ++{
39350 ++ if (!chacha20poly1305_decrypt(dst_plaintext, src_ciphertext, src_len,
39351 ++ hash, NOISE_HASH_LEN,
39352 ++ 0 /* Always zero for Noise_IK */, key))
39353 ++ return false;
39354 ++ mix_hash(hash, src_ciphertext, src_len);
39355 ++ return true;
39356 ++}
39357 ++
39358 ++static void message_ephemeral(u8 ephemeral_dst[NOISE_PUBLIC_KEY_LEN],
39359 ++ const u8 ephemeral_src[NOISE_PUBLIC_KEY_LEN],
39360 ++ u8 chaining_key[NOISE_HASH_LEN],
39361 ++ u8 hash[NOISE_HASH_LEN])
39362 ++{
39363 ++ if (ephemeral_dst != ephemeral_src)
39364 ++ memcpy(ephemeral_dst, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
39365 ++ mix_hash(hash, ephemeral_src, NOISE_PUBLIC_KEY_LEN);
39366 ++ kdf(chaining_key, NULL, NULL, ephemeral_src, NOISE_HASH_LEN, 0, 0,
39367 ++ NOISE_PUBLIC_KEY_LEN, chaining_key);
39368 ++}
39369 ++
39370 ++static void tai64n_now(u8 output[NOISE_TIMESTAMP_LEN])
39371 ++{
39372 ++ struct timespec64 now;
39373 ++
39374 ++ ktime_get_real_ts64(&now);
39375 ++
39376 ++ /* In order to prevent some sort of infoleak from precise timers, we
39377 ++ * round down the nanoseconds part to the closest rounded-down power of
39378 ++ * two to the maximum initiations per second allowed anyway by the
39379 ++ * implementation.
39380 ++ */
39381 ++ now.tv_nsec = ALIGN_DOWN(now.tv_nsec,
39382 ++ rounddown_pow_of_two(NSEC_PER_SEC / INITIATIONS_PER_SECOND));
39383 ++
39384 ++ /* https://cr.yp.to/libtai/tai64.html */
39385 ++ *(__be64 *)output = cpu_to_be64(0x400000000000000aULL + now.tv_sec);
39386 ++ *(__be32 *)(output + sizeof(__be64)) = cpu_to_be32(now.tv_nsec);
39387 ++}
39388 ++
39389 ++bool
39390 ++wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
39391 ++ struct noise_handshake *handshake)
39392 ++{
39393 ++ u8 timestamp[NOISE_TIMESTAMP_LEN];
39394 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39395 ++ bool ret = false;
39396 ++
39397 ++ /* We need to wait for crng _before_ taking any locks, since
39398 ++ * curve25519_generate_secret uses get_random_bytes_wait.
39399 ++ */
39400 ++ wait_for_random_bytes();
39401 ++
39402 ++ down_read(&handshake->static_identity->lock);
39403 ++ down_write(&handshake->lock);
39404 ++
39405 ++ if (unlikely(!handshake->static_identity->has_identity))
39406 ++ goto out;
39407 ++
39408 ++ dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION);
39409 ++
39410 ++ handshake_init(handshake->chaining_key, handshake->hash,
39411 ++ handshake->remote_static);
39412 ++
39413 ++ /* e */
39414 ++ curve25519_generate_secret(handshake->ephemeral_private);
39415 ++ if (!curve25519_generate_public(dst->unencrypted_ephemeral,
39416 ++ handshake->ephemeral_private))
39417 ++ goto out;
39418 ++ message_ephemeral(dst->unencrypted_ephemeral,
39419 ++ dst->unencrypted_ephemeral, handshake->chaining_key,
39420 ++ handshake->hash);
39421 ++
39422 ++ /* es */
39423 ++ if (!mix_dh(handshake->chaining_key, key, handshake->ephemeral_private,
39424 ++ handshake->remote_static))
39425 ++ goto out;
39426 ++
39427 ++ /* s */
39428 ++ message_encrypt(dst->encrypted_static,
39429 ++ handshake->static_identity->static_public,
39430 ++ NOISE_PUBLIC_KEY_LEN, key, handshake->hash);
39431 ++
39432 ++ /* ss */
39433 ++ if (!mix_precomputed_dh(handshake->chaining_key, key,
39434 ++ handshake->precomputed_static_static))
39435 ++ goto out;
39436 ++
39437 ++ /* {t} */
39438 ++ tai64n_now(timestamp);
39439 ++ message_encrypt(dst->encrypted_timestamp, timestamp,
39440 ++ NOISE_TIMESTAMP_LEN, key, handshake->hash);
39441 ++
39442 ++ dst->sender_index = wg_index_hashtable_insert(
39443 ++ handshake->entry.peer->device->index_hashtable,
39444 ++ &handshake->entry);
39445 ++
39446 ++ handshake->state = HANDSHAKE_CREATED_INITIATION;
39447 ++ ret = true;
39448 ++
39449 ++out:
39450 ++ up_write(&handshake->lock);
39451 ++ up_read(&handshake->static_identity->lock);
39452 ++ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39453 ++ return ret;
39454 ++}
39455 ++
39456 ++struct wg_peer *
39457 ++wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
39458 ++ struct wg_device *wg)
39459 ++{
39460 ++ struct wg_peer *peer = NULL, *ret_peer = NULL;
39461 ++ struct noise_handshake *handshake;
39462 ++ bool replay_attack, flood_attack;
39463 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39464 ++ u8 chaining_key[NOISE_HASH_LEN];
39465 ++ u8 hash[NOISE_HASH_LEN];
39466 ++ u8 s[NOISE_PUBLIC_KEY_LEN];
39467 ++ u8 e[NOISE_PUBLIC_KEY_LEN];
39468 ++ u8 t[NOISE_TIMESTAMP_LEN];
39469 ++ u64 initiation_consumption;
39470 ++
39471 ++ down_read(&wg->static_identity.lock);
39472 ++ if (unlikely(!wg->static_identity.has_identity))
39473 ++ goto out;
39474 ++
39475 ++ handshake_init(chaining_key, hash, wg->static_identity.static_public);
39476 ++
39477 ++ /* e */
39478 ++ message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
39479 ++
39480 ++ /* es */
39481 ++ if (!mix_dh(chaining_key, key, wg->static_identity.static_private, e))
39482 ++ goto out;
39483 ++
39484 ++ /* s */
39485 ++ if (!message_decrypt(s, src->encrypted_static,
39486 ++ sizeof(src->encrypted_static), key, hash))
39487 ++ goto out;
39488 ++
39489 ++ /* Lookup which peer we're actually talking to */
39490 ++ peer = wg_pubkey_hashtable_lookup(wg->peer_hashtable, s);
39491 ++ if (!peer)
39492 ++ goto out;
39493 ++ handshake = &peer->handshake;
39494 ++
39495 ++ /* ss */
39496 ++ if (!mix_precomputed_dh(chaining_key, key,
39497 ++ handshake->precomputed_static_static))
39498 ++ goto out;
39499 ++
39500 ++ /* {t} */
39501 ++ if (!message_decrypt(t, src->encrypted_timestamp,
39502 ++ sizeof(src->encrypted_timestamp), key, hash))
39503 ++ goto out;
39504 ++
39505 ++ down_read(&handshake->lock);
39506 ++ replay_attack = memcmp(t, handshake->latest_timestamp,
39507 ++ NOISE_TIMESTAMP_LEN) <= 0;
39508 ++ flood_attack = (s64)handshake->last_initiation_consumption +
39509 ++ NSEC_PER_SEC / INITIATIONS_PER_SECOND >
39510 ++ (s64)ktime_get_coarse_boottime_ns();
39511 ++ up_read(&handshake->lock);
39512 ++ if (replay_attack || flood_attack)
39513 ++ goto out;
39514 ++
39515 ++ /* Success! Copy everything to peer */
39516 ++ down_write(&handshake->lock);
39517 ++ memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
39518 ++ if (memcmp(t, handshake->latest_timestamp, NOISE_TIMESTAMP_LEN) > 0)
39519 ++ memcpy(handshake->latest_timestamp, t, NOISE_TIMESTAMP_LEN);
39520 ++ memcpy(handshake->hash, hash, NOISE_HASH_LEN);
39521 ++ memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
39522 ++ handshake->remote_index = src->sender_index;
39523 ++ initiation_consumption = ktime_get_coarse_boottime_ns();
39524 ++ if ((s64)(handshake->last_initiation_consumption - initiation_consumption) < 0)
39525 ++ handshake->last_initiation_consumption = initiation_consumption;
39526 ++ handshake->state = HANDSHAKE_CONSUMED_INITIATION;
39527 ++ up_write(&handshake->lock);
39528 ++ ret_peer = peer;
39529 ++
39530 ++out:
39531 ++ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39532 ++ memzero_explicit(hash, NOISE_HASH_LEN);
39533 ++ memzero_explicit(chaining_key, NOISE_HASH_LEN);
39534 ++ up_read(&wg->static_identity.lock);
39535 ++ if (!ret_peer)
39536 ++ wg_peer_put(peer);
39537 ++ return ret_peer;
39538 ++}
39539 ++
39540 ++bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
39541 ++ struct noise_handshake *handshake)
39542 ++{
39543 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39544 ++ bool ret = false;
39545 ++
39546 ++ /* We need to wait for crng _before_ taking any locks, since
39547 ++ * curve25519_generate_secret uses get_random_bytes_wait.
39548 ++ */
39549 ++ wait_for_random_bytes();
39550 ++
39551 ++ down_read(&handshake->static_identity->lock);
39552 ++ down_write(&handshake->lock);
39553 ++
39554 ++ if (handshake->state != HANDSHAKE_CONSUMED_INITIATION)
39555 ++ goto out;
39556 ++
39557 ++ dst->header.type = cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE);
39558 ++ dst->receiver_index = handshake->remote_index;
39559 ++
39560 ++ /* e */
39561 ++ curve25519_generate_secret(handshake->ephemeral_private);
39562 ++ if (!curve25519_generate_public(dst->unencrypted_ephemeral,
39563 ++ handshake->ephemeral_private))
39564 ++ goto out;
39565 ++ message_ephemeral(dst->unencrypted_ephemeral,
39566 ++ dst->unencrypted_ephemeral, handshake->chaining_key,
39567 ++ handshake->hash);
39568 ++
39569 ++ /* ee */
39570 ++ if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
39571 ++ handshake->remote_ephemeral))
39572 ++ goto out;
39573 ++
39574 ++ /* se */
39575 ++ if (!mix_dh(handshake->chaining_key, NULL, handshake->ephemeral_private,
39576 ++ handshake->remote_static))
39577 ++ goto out;
39578 ++
39579 ++ /* psk */
39580 ++ mix_psk(handshake->chaining_key, handshake->hash, key,
39581 ++ handshake->preshared_key);
39582 ++
39583 ++ /* {} */
39584 ++ message_encrypt(dst->encrypted_nothing, NULL, 0, key, handshake->hash);
39585 ++
39586 ++ dst->sender_index = wg_index_hashtable_insert(
39587 ++ handshake->entry.peer->device->index_hashtable,
39588 ++ &handshake->entry);
39589 ++
39590 ++ handshake->state = HANDSHAKE_CREATED_RESPONSE;
39591 ++ ret = true;
39592 ++
39593 ++out:
39594 ++ up_write(&handshake->lock);
39595 ++ up_read(&handshake->static_identity->lock);
39596 ++ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39597 ++ return ret;
39598 ++}
39599 ++
39600 ++struct wg_peer *
39601 ++wg_noise_handshake_consume_response(struct message_handshake_response *src,
39602 ++ struct wg_device *wg)
39603 ++{
39604 ++ enum noise_handshake_state state = HANDSHAKE_ZEROED;
39605 ++ struct wg_peer *peer = NULL, *ret_peer = NULL;
39606 ++ struct noise_handshake *handshake;
39607 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39608 ++ u8 hash[NOISE_HASH_LEN];
39609 ++ u8 chaining_key[NOISE_HASH_LEN];
39610 ++ u8 e[NOISE_PUBLIC_KEY_LEN];
39611 ++ u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
39612 ++ u8 static_private[NOISE_PUBLIC_KEY_LEN];
39613 ++ u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
39614 ++
39615 ++ down_read(&wg->static_identity.lock);
39616 ++
39617 ++ if (unlikely(!wg->static_identity.has_identity))
39618 ++ goto out;
39619 ++
39620 ++ handshake = (struct noise_handshake *)wg_index_hashtable_lookup(
39621 ++ wg->index_hashtable, INDEX_HASHTABLE_HANDSHAKE,
39622 ++ src->receiver_index, &peer);
39623 ++ if (unlikely(!handshake))
39624 ++ goto out;
39625 ++
39626 ++ down_read(&handshake->lock);
39627 ++ state = handshake->state;
39628 ++ memcpy(hash, handshake->hash, NOISE_HASH_LEN);
39629 ++ memcpy(chaining_key, handshake->chaining_key, NOISE_HASH_LEN);
39630 ++ memcpy(ephemeral_private, handshake->ephemeral_private,
39631 ++ NOISE_PUBLIC_KEY_LEN);
39632 ++ memcpy(preshared_key, handshake->preshared_key,
39633 ++ NOISE_SYMMETRIC_KEY_LEN);
39634 ++ up_read(&handshake->lock);
39635 ++
39636 ++ if (state != HANDSHAKE_CREATED_INITIATION)
39637 ++ goto fail;
39638 ++
39639 ++ /* e */
39640 ++ message_ephemeral(e, src->unencrypted_ephemeral, chaining_key, hash);
39641 ++
39642 ++ /* ee */
39643 ++ if (!mix_dh(chaining_key, NULL, ephemeral_private, e))
39644 ++ goto fail;
39645 ++
39646 ++ /* se */
39647 ++ if (!mix_dh(chaining_key, NULL, wg->static_identity.static_private, e))
39648 ++ goto fail;
39649 ++
39650 ++ /* psk */
39651 ++ mix_psk(chaining_key, hash, key, preshared_key);
39652 ++
39653 ++ /* {} */
39654 ++ if (!message_decrypt(NULL, src->encrypted_nothing,
39655 ++ sizeof(src->encrypted_nothing), key, hash))
39656 ++ goto fail;
39657 ++
39658 ++ /* Success! Copy everything to peer */
39659 ++ down_write(&handshake->lock);
39660 ++ /* It's important to check that the state is still the same, while we
39661 ++ * have an exclusive lock.
39662 ++ */
39663 ++ if (handshake->state != state) {
39664 ++ up_write(&handshake->lock);
39665 ++ goto fail;
39666 ++ }
39667 ++ memcpy(handshake->remote_ephemeral, e, NOISE_PUBLIC_KEY_LEN);
39668 ++ memcpy(handshake->hash, hash, NOISE_HASH_LEN);
39669 ++ memcpy(handshake->chaining_key, chaining_key, NOISE_HASH_LEN);
39670 ++ handshake->remote_index = src->sender_index;
39671 ++ handshake->state = HANDSHAKE_CONSUMED_RESPONSE;
39672 ++ up_write(&handshake->lock);
39673 ++ ret_peer = peer;
39674 ++ goto out;
39675 ++
39676 ++fail:
39677 ++ wg_peer_put(peer);
39678 ++out:
39679 ++ memzero_explicit(key, NOISE_SYMMETRIC_KEY_LEN);
39680 ++ memzero_explicit(hash, NOISE_HASH_LEN);
39681 ++ memzero_explicit(chaining_key, NOISE_HASH_LEN);
39682 ++ memzero_explicit(ephemeral_private, NOISE_PUBLIC_KEY_LEN);
39683 ++ memzero_explicit(static_private, NOISE_PUBLIC_KEY_LEN);
39684 ++ memzero_explicit(preshared_key, NOISE_SYMMETRIC_KEY_LEN);
39685 ++ up_read(&wg->static_identity.lock);
39686 ++ return ret_peer;
39687 ++}
39688 ++
39689 ++bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
39690 ++ struct noise_keypairs *keypairs)
39691 ++{
39692 ++ struct noise_keypair *new_keypair;
39693 ++ bool ret = false;
39694 ++
39695 ++ down_write(&handshake->lock);
39696 ++ if (handshake->state != HANDSHAKE_CREATED_RESPONSE &&
39697 ++ handshake->state != HANDSHAKE_CONSUMED_RESPONSE)
39698 ++ goto out;
39699 ++
39700 ++ new_keypair = keypair_create(handshake->entry.peer);
39701 ++ if (!new_keypair)
39702 ++ goto out;
39703 ++ new_keypair->i_am_the_initiator = handshake->state ==
39704 ++ HANDSHAKE_CONSUMED_RESPONSE;
39705 ++ new_keypair->remote_index = handshake->remote_index;
39706 ++
39707 ++ if (new_keypair->i_am_the_initiator)
39708 ++ derive_keys(&new_keypair->sending, &new_keypair->receiving,
39709 ++ handshake->chaining_key);
39710 ++ else
39711 ++ derive_keys(&new_keypair->receiving, &new_keypair->sending,
39712 ++ handshake->chaining_key);
39713 ++
39714 ++ handshake_zero(handshake);
39715 ++ rcu_read_lock_bh();
39716 ++ if (likely(!READ_ONCE(container_of(handshake, struct wg_peer,
39717 ++ handshake)->is_dead))) {
39718 ++ add_new_keypair(keypairs, new_keypair);
39719 ++ net_dbg_ratelimited("%s: Keypair %llu created for peer %llu\n",
39720 ++ handshake->entry.peer->device->dev->name,
39721 ++ new_keypair->internal_id,
39722 ++ handshake->entry.peer->internal_id);
39723 ++ ret = wg_index_hashtable_replace(
39724 ++ handshake->entry.peer->device->index_hashtable,
39725 ++ &handshake->entry, &new_keypair->entry);
39726 ++ } else {
39727 ++ kzfree(new_keypair);
39728 ++ }
39729 ++ rcu_read_unlock_bh();
39730 ++
39731 ++out:
39732 ++ up_write(&handshake->lock);
39733 ++ return ret;
39734 ++}
39735 +--- b/drivers/net/wireguard/noise.h
39736 ++++ b/drivers/net/wireguard/noise.h
39737 +@@ -0,0 +1,135 @@
39738 ++/* SPDX-License-Identifier: GPL-2.0 */
39739 ++/*
39740 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
39741 ++ */
39742 ++#ifndef _WG_NOISE_H
39743 ++#define _WG_NOISE_H
39744 ++
39745 ++#include "messages.h"
39746 ++#include "peerlookup.h"
39747 ++
39748 ++#include <linux/types.h>
39749 ++#include <linux/spinlock.h>
39750 ++#include <linux/atomic.h>
39751 ++#include <linux/rwsem.h>
39752 ++#include <linux/mutex.h>
39753 ++#include <linux/kref.h>
39754 ++
39755 ++struct noise_replay_counter {
39756 ++ u64 counter;
39757 ++ spinlock_t lock;
39758 ++ unsigned long backtrack[COUNTER_BITS_TOTAL / BITS_PER_LONG];
39759 ++};
39760 ++
39761 ++struct noise_symmetric_key {
39762 ++ u8 key[NOISE_SYMMETRIC_KEY_LEN];
39763 ++ u64 birthdate;
39764 ++ bool is_valid;
39765 ++};
39766 ++
39767 ++struct noise_keypair {
39768 ++ struct index_hashtable_entry entry;
39769 ++ struct noise_symmetric_key sending;
39770 ++ atomic64_t sending_counter;
39771 ++ struct noise_symmetric_key receiving;
39772 ++ struct noise_replay_counter receiving_counter;
39773 ++ __le32 remote_index;
39774 ++ bool i_am_the_initiator;
39775 ++ struct kref refcount;
39776 ++ struct rcu_head rcu;
39777 ++ u64 internal_id;
39778 ++};
39779 ++
39780 ++struct noise_keypairs {
39781 ++ struct noise_keypair __rcu *current_keypair;
39782 ++ struct noise_keypair __rcu *previous_keypair;
39783 ++ struct noise_keypair __rcu *next_keypair;
39784 ++ spinlock_t keypair_update_lock;
39785 ++};
39786 ++
39787 ++struct noise_static_identity {
39788 ++ u8 static_public[NOISE_PUBLIC_KEY_LEN];
39789 ++ u8 static_private[NOISE_PUBLIC_KEY_LEN];
39790 ++ struct rw_semaphore lock;
39791 ++ bool has_identity;
39792 ++};
39793 ++
39794 ++enum noise_handshake_state {
39795 ++ HANDSHAKE_ZEROED,
39796 ++ HANDSHAKE_CREATED_INITIATION,
39797 ++ HANDSHAKE_CONSUMED_INITIATION,
39798 ++ HANDSHAKE_CREATED_RESPONSE,
39799 ++ HANDSHAKE_CONSUMED_RESPONSE
39800 ++};
39801 ++
39802 ++struct noise_handshake {
39803 ++ struct index_hashtable_entry entry;
39804 ++
39805 ++ enum noise_handshake_state state;
39806 ++ u64 last_initiation_consumption;
39807 ++
39808 ++ struct noise_static_identity *static_identity;
39809 ++
39810 ++ u8 ephemeral_private[NOISE_PUBLIC_KEY_LEN];
39811 ++ u8 remote_static[NOISE_PUBLIC_KEY_LEN];
39812 ++ u8 remote_ephemeral[NOISE_PUBLIC_KEY_LEN];
39813 ++ u8 precomputed_static_static[NOISE_PUBLIC_KEY_LEN];
39814 ++
39815 ++ u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN];
39816 ++
39817 ++ u8 hash[NOISE_HASH_LEN];
39818 ++ u8 chaining_key[NOISE_HASH_LEN];
39819 ++
39820 ++ u8 latest_timestamp[NOISE_TIMESTAMP_LEN];
39821 ++ __le32 remote_index;
39822 ++
39823 ++ /* Protects all members except the immutable (after noise_handshake_
39824 ++ * init): remote_static, precomputed_static_static, static_identity.
39825 ++ */
39826 ++ struct rw_semaphore lock;
39827 ++};
39828 ++
39829 ++struct wg_device;
39830 ++
39831 ++void wg_noise_init(void);
39832 ++void wg_noise_handshake_init(struct noise_handshake *handshake,
39833 ++ struct noise_static_identity *static_identity,
39834 ++ const u8 peer_public_key[NOISE_PUBLIC_KEY_LEN],
39835 ++ const u8 peer_preshared_key[NOISE_SYMMETRIC_KEY_LEN],
39836 ++ struct wg_peer *peer);
39837 ++void wg_noise_handshake_clear(struct noise_handshake *handshake);
39838 ++static inline void wg_noise_reset_last_sent_handshake(atomic64_t *handshake_ns)
39839 ++{
39840 ++ atomic64_set(handshake_ns, ktime_get_coarse_boottime_ns() -
39841 ++ (u64)(REKEY_TIMEOUT + 1) * NSEC_PER_SEC);
39842 ++}
39843 ++
39844 ++void wg_noise_keypair_put(struct noise_keypair *keypair, bool unreference_now);
39845 ++struct noise_keypair *wg_noise_keypair_get(struct noise_keypair *keypair);
39846 ++void wg_noise_keypairs_clear(struct noise_keypairs *keypairs);
39847 ++bool wg_noise_received_with_keypair(struct noise_keypairs *keypairs,
39848 ++ struct noise_keypair *received_keypair);
39849 ++void wg_noise_expire_current_peer_keypairs(struct wg_peer *peer);
39850 ++
39851 ++void wg_noise_set_static_identity_private_key(
39852 ++ struct noise_static_identity *static_identity,
39853 ++ const u8 private_key[NOISE_PUBLIC_KEY_LEN]);
39854 ++void wg_noise_precompute_static_static(struct wg_peer *peer);
39855 ++
39856 ++bool
39857 ++wg_noise_handshake_create_initiation(struct message_handshake_initiation *dst,
39858 ++ struct noise_handshake *handshake);
39859 ++struct wg_peer *
39860 ++wg_noise_handshake_consume_initiation(struct message_handshake_initiation *src,
39861 ++ struct wg_device *wg);
39862 ++
39863 ++bool wg_noise_handshake_create_response(struct message_handshake_response *dst,
39864 ++ struct noise_handshake *handshake);
39865 ++struct wg_peer *
39866 ++wg_noise_handshake_consume_response(struct message_handshake_response *src,
39867 ++ struct wg_device *wg);
39868 ++
39869 ++bool wg_noise_handshake_begin_session(struct noise_handshake *handshake,
39870 ++ struct noise_keypairs *keypairs);
39871 ++
39872 ++#endif /* _WG_NOISE_H */
39873 +--- b/drivers/net/wireguard/peer.c
39874 ++++ b/drivers/net/wireguard/peer.c
39875 +@@ -0,0 +1,227 @@
39876 ++// SPDX-License-Identifier: GPL-2.0
39877 ++/*
39878 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
39879 ++ */
39880 ++
39881 ++#include "peer.h"
39882 ++#include "device.h"
39883 ++#include "queueing.h"
39884 ++#include "timers.h"
39885 ++#include "peerlookup.h"
39886 ++#include "noise.h"
39887 ++
39888 ++#include <linux/kref.h>
39889 ++#include <linux/lockdep.h>
39890 ++#include <linux/rcupdate.h>
39891 ++#include <linux/list.h>
39892 ++
39893 ++static atomic64_t peer_counter = ATOMIC64_INIT(0);
39894 ++
39895 ++struct wg_peer *wg_peer_create(struct wg_device *wg,
39896 ++ const u8 public_key[NOISE_PUBLIC_KEY_LEN],
39897 ++ const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN])
39898 ++{
39899 ++ struct wg_peer *peer;
39900 ++ int ret = -ENOMEM;
39901 ++
39902 ++ lockdep_assert_held(&wg->device_update_lock);
39903 ++
39904 ++ if (wg->num_peers >= MAX_PEERS_PER_DEVICE)
39905 ++ return ERR_PTR(ret);
39906 ++
39907 ++ peer = kzalloc(sizeof(*peer), GFP_KERNEL);
39908 ++ if (unlikely(!peer))
39909 ++ return ERR_PTR(ret);
39910 ++ if (dst_cache_init(&peer->endpoint_cache, GFP_KERNEL))
39911 ++ goto err;
39912 ++
39913 ++ peer->device = wg;
39914 ++ wg_noise_handshake_init(&peer->handshake, &wg->static_identity,
39915 ++ public_key, preshared_key, peer);
39916 ++ peer->internal_id = atomic64_inc_return(&peer_counter);
39917 ++ peer->serial_work_cpu = nr_cpumask_bits;
39918 ++ wg_cookie_init(&peer->latest_cookie);
39919 ++ wg_timers_init(peer);
39920 ++ wg_cookie_checker_precompute_peer_keys(peer);
39921 ++ spin_lock_init(&peer->keypairs.keypair_update_lock);
39922 ++ INIT_WORK(&peer->transmit_handshake_work, wg_packet_handshake_send_worker);
39923 ++ INIT_WORK(&peer->transmit_packet_work, wg_packet_tx_worker);
39924 ++ wg_prev_queue_init(&peer->tx_queue);
39925 ++ wg_prev_queue_init(&peer->rx_queue);
39926 ++ rwlock_init(&peer->endpoint_lock);
39927 ++ kref_init(&peer->refcount);
39928 ++ skb_queue_head_init(&peer->staged_packet_queue);
39929 ++ wg_noise_reset_last_sent_handshake(&peer->last_sent_handshake);
39930 ++ set_bit(NAPI_STATE_NO_BUSY_POLL, &peer->napi.state);
39931 ++ netif_napi_add(wg->dev, &peer->napi, wg_packet_rx_poll,
39932 ++ NAPI_POLL_WEIGHT);
39933 ++ napi_enable(&peer->napi);
39934 ++ list_add_tail(&peer->peer_list, &wg->peer_list);
39935 ++ INIT_LIST_HEAD(&peer->allowedips_list);
39936 ++ wg_pubkey_hashtable_add(wg->peer_hashtable, peer);
39937 ++ ++wg->num_peers;
39938 ++ pr_debug("%s: Peer %llu created\n", wg->dev->name, peer->internal_id);
39939 ++ return peer;
39940 ++
39941 ++err:
39942 ++ kfree(peer);
39943 ++ return ERR_PTR(ret);
39944 ++}
39945 ++
39946 ++struct wg_peer *wg_peer_get_maybe_zero(struct wg_peer *peer)
39947 ++{
39948 ++ RCU_LOCKDEP_WARN(!rcu_read_lock_bh_held(),
39949 ++ "Taking peer reference without holding the RCU read lock");
39950 ++ if (unlikely(!peer || !kref_get_unless_zero(&peer->refcount)))
39951 ++ return NULL;
39952 ++ return peer;
39953 ++}
39954 ++
39955 ++static void peer_make_dead(struct wg_peer *peer)
39956 ++{
39957 ++ /* Remove from configuration-time lookup structures. */
39958 ++ list_del_init(&peer->peer_list);
39959 ++ wg_allowedips_remove_by_peer(&peer->device->peer_allowedips, peer,
39960 ++ &peer->device->device_update_lock);
39961 ++ wg_pubkey_hashtable_remove(peer->device->peer_hashtable, peer);
39962 ++
39963 ++ /* Mark as dead, so that we don't allow jumping contexts after. */
39964 ++ WRITE_ONCE(peer->is_dead, true);
39965 ++
39966 ++ /* The caller must now synchronize_rcu() for this to take effect. */
39967 ++}
39968 ++
39969 ++static void peer_remove_after_dead(struct wg_peer *peer)
39970 ++{
39971 ++ WARN_ON(!peer->is_dead);
39972 ++
39973 ++ /* No more keypairs can be created for this peer, since is_dead protects
39974 ++ * add_new_keypair, so we can now destroy existing ones.
39975 ++ */
39976 ++ wg_noise_keypairs_clear(&peer->keypairs);
39977 ++
39978 ++ /* Destroy all ongoing timers that were in-flight at the beginning of
39979 ++ * this function.
39980 ++ */
39981 ++ wg_timers_stop(peer);
39982 ++
39983 ++ /* The transition between packet encryption/decryption queues isn't
39984 ++ * guarded by is_dead, but each reference's life is strictly bounded by
39985 ++ * two generations: once for parallel crypto and once for serial
39986 ++ * ingestion, so we can simply flush twice, and be sure that we no
39987 ++ * longer have references inside these queues.
39988 ++ */
39989 ++
39990 ++ /* a) For encrypt/decrypt. */
39991 ++ flush_workqueue(peer->device->packet_crypt_wq);
39992 ++ /* b.1) For send (but not receive, since that's napi). */
39993 ++ flush_workqueue(peer->device->packet_crypt_wq);
39994 ++ /* b.2.1) For receive (but not send, since that's wq). */
39995 ++ napi_disable(&peer->napi);
39996 ++ /* b.2.1) It's now safe to remove the napi struct, which must be done
39997 ++ * here from process context.
39998 ++ */
39999 ++ netif_napi_del(&peer->napi);
40000 ++
40001 ++ /* Ensure any workstructs we own (like transmit_handshake_work or
40002 ++ * clear_peer_work) no longer are in use.
40003 ++ */
40004 ++ flush_workqueue(peer->device->handshake_send_wq);
40005 ++
40006 ++ /* After the above flushes, a peer might still be active in a few
40007 ++ * different contexts: 1) from xmit(), before hitting is_dead and
40008 ++ * returning, 2) from wg_packet_consume_data(), before hitting is_dead
40009 ++ * and returning, 3) from wg_receive_handshake_packet() after a point
40010 ++ * where it has processed an incoming handshake packet, but where
40011 ++ * all calls to pass it off to timers fails because of is_dead. We won't
40012 ++ * have new references in (1) eventually, because we're removed from
40013 ++ * allowedips; we won't have new references in (2) eventually, because
40014 ++ * wg_index_hashtable_lookup will always return NULL, since we removed
40015 ++ * all existing keypairs and no more can be created; we won't have new
40016 ++ * references in (3) eventually, because we're removed from the pubkey
40017 ++ * hash table, which allows for a maximum of one handshake response,
40018 ++ * via the still-uncleared index hashtable entry, but not more than one,
40019 ++ * and in wg_cookie_message_consume, the lookup eventually gets a peer
40020 ++ * with a refcount of zero, so no new reference is taken.
40021 ++ */
40022 ++
40023 ++ --peer->device->num_peers;
40024 ++ wg_peer_put(peer);
40025 ++}
40026 ++
40027 ++/* We have a separate "remove" function make sure that all active places where
40028 ++ * a peer is currently operating will eventually come to an end and not pass
40029 ++ * their reference onto another context.
40030 ++ */
40031 ++void wg_peer_remove(struct wg_peer *peer)
40032 ++{
40033 ++ if (unlikely(!peer))
40034 ++ return;
40035 ++ lockdep_assert_held(&peer->device->device_update_lock);
40036 ++
40037 ++ peer_make_dead(peer);
40038 ++ synchronize_rcu();
40039 ++ peer_remove_after_dead(peer);
40040 ++}
40041 ++
40042 ++void wg_peer_remove_all(struct wg_device *wg)
40043 ++{
40044 ++ struct wg_peer *peer, *temp;
40045 ++ LIST_HEAD(dead_peers);
40046 ++
40047 ++ lockdep_assert_held(&wg->device_update_lock);
40048 ++
40049 ++ /* Avoid having to traverse individually for each one. */
40050 ++ wg_allowedips_free(&wg->peer_allowedips, &wg->device_update_lock);
40051 ++
40052 ++ list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
40053 ++ peer_make_dead(peer);
40054 ++ list_add_tail(&peer->peer_list, &dead_peers);
40055 ++ }
40056 ++ synchronize_rcu();
40057 ++ list_for_each_entry_safe(peer, temp, &dead_peers, peer_list)
40058 ++ peer_remove_after_dead(peer);
40059 ++}
40060 ++
40061 ++static void rcu_release(struct rcu_head *rcu)
40062 ++{
40063 ++ struct wg_peer *peer = container_of(rcu, struct wg_peer, rcu);
40064 ++
40065 ++ dst_cache_destroy(&peer->endpoint_cache);
40066 ++ WARN_ON(wg_prev_queue_peek(&peer->tx_queue) || wg_prev_queue_peek(&peer->rx_queue));
40067 ++
40068 ++ /* The final zeroing takes care of clearing any remaining handshake key
40069 ++ * material and other potentially sensitive information.
40070 ++ */
40071 ++ kzfree(peer);
40072 ++}
40073 ++
40074 ++static void kref_release(struct kref *refcount)
40075 ++{
40076 ++ struct wg_peer *peer = container_of(refcount, struct wg_peer, refcount);
40077 ++
40078 ++ pr_debug("%s: Peer %llu (%pISpfsc) destroyed\n",
40079 ++ peer->device->dev->name, peer->internal_id,
40080 ++ &peer->endpoint.addr);
40081 ++
40082 ++ /* Remove ourself from dynamic runtime lookup structures, now that the
40083 ++ * last reference is gone.
40084 ++ */
40085 ++ wg_index_hashtable_remove(peer->device->index_hashtable,
40086 ++ &peer->handshake.entry);
40087 ++
40088 ++ /* Remove any lingering packets that didn't have a chance to be
40089 ++ * transmitted.
40090 ++ */
40091 ++ wg_packet_purge_staged_packets(peer);
40092 ++
40093 ++ /* Free the memory used. */
40094 ++ call_rcu(&peer->rcu, rcu_release);
40095 ++}
40096 ++
40097 ++void wg_peer_put(struct wg_peer *peer)
40098 ++{
40099 ++ if (unlikely(!peer))
40100 ++ return;
40101 ++ kref_put(&peer->refcount, kref_release);
40102 ++}
40103 +--- b/drivers/net/wireguard/peer.h
40104 ++++ b/drivers/net/wireguard/peer.h
40105 +@@ -0,0 +1,83 @@
40106 ++/* SPDX-License-Identifier: GPL-2.0 */
40107 ++/*
40108 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40109 ++ */
40110 ++
40111 ++#ifndef _WG_PEER_H
40112 ++#define _WG_PEER_H
40113 ++
40114 ++#include "device.h"
40115 ++#include "noise.h"
40116 ++#include "cookie.h"
40117 ++
40118 ++#include <linux/types.h>
40119 ++#include <linux/netfilter.h>
40120 ++#include <linux/spinlock.h>
40121 ++#include <linux/kref.h>
40122 ++#include <net/dst_cache.h>
40123 ++
40124 ++struct wg_device;
40125 ++
40126 ++struct endpoint {
40127 ++ union {
40128 ++ struct sockaddr addr;
40129 ++ struct sockaddr_in addr4;
40130 ++ struct sockaddr_in6 addr6;
40131 ++ };
40132 ++ union {
40133 ++ struct {
40134 ++ struct in_addr src4;
40135 ++ /* Essentially the same as addr6->scope_id */
40136 ++ int src_if4;
40137 ++ };
40138 ++ struct in6_addr src6;
40139 ++ };
40140 ++};
40141 ++
40142 ++struct wg_peer {
40143 ++ struct wg_device *device;
40144 ++ struct prev_queue tx_queue, rx_queue;
40145 ++ struct sk_buff_head staged_packet_queue;
40146 ++ int serial_work_cpu;
40147 ++ bool is_dead;
40148 ++ struct noise_keypairs keypairs;
40149 ++ struct endpoint endpoint;
40150 ++ struct dst_cache endpoint_cache;
40151 ++ rwlock_t endpoint_lock;
40152 ++ struct noise_handshake handshake;
40153 ++ atomic64_t last_sent_handshake;
40154 ++ struct work_struct transmit_handshake_work, clear_peer_work, transmit_packet_work;
40155 ++ struct cookie latest_cookie;
40156 ++ struct hlist_node pubkey_hash;
40157 ++ u64 rx_bytes, tx_bytes;
40158 ++ struct timer_list timer_retransmit_handshake, timer_send_keepalive;
40159 ++ struct timer_list timer_new_handshake, timer_zero_key_material;
40160 ++ struct timer_list timer_persistent_keepalive;
40161 ++ unsigned int timer_handshake_attempts;
40162 ++ u16 persistent_keepalive_interval;
40163 ++ bool timer_need_another_keepalive;
40164 ++ bool sent_lastminute_handshake;
40165 ++ struct timespec64 walltime_last_handshake;
40166 ++ struct kref refcount;
40167 ++ struct rcu_head rcu;
40168 ++ struct list_head peer_list;
40169 ++ struct list_head allowedips_list;
40170 ++ struct napi_struct napi;
40171 ++ u64 internal_id;
40172 ++};
40173 ++
40174 ++struct wg_peer *wg_peer_create(struct wg_device *wg,
40175 ++ const u8 public_key[NOISE_PUBLIC_KEY_LEN],
40176 ++ const u8 preshared_key[NOISE_SYMMETRIC_KEY_LEN]);
40177 ++
40178 ++struct wg_peer *__must_check wg_peer_get_maybe_zero(struct wg_peer *peer);
40179 ++static inline struct wg_peer *wg_peer_get(struct wg_peer *peer)
40180 ++{
40181 ++ kref_get(&peer->refcount);
40182 ++ return peer;
40183 ++}
40184 ++void wg_peer_put(struct wg_peer *peer);
40185 ++void wg_peer_remove(struct wg_peer *peer);
40186 ++void wg_peer_remove_all(struct wg_device *wg);
40187 ++
40188 ++#endif /* _WG_PEER_H */
40189 +--- b/drivers/net/wireguard/peerlookup.c
40190 ++++ b/drivers/net/wireguard/peerlookup.c
40191 +@@ -0,0 +1,226 @@
40192 ++// SPDX-License-Identifier: GPL-2.0
40193 ++/*
40194 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40195 ++ */
40196 ++
40197 ++#include "peerlookup.h"
40198 ++#include "peer.h"
40199 ++#include "noise.h"
40200 ++
40201 ++static struct hlist_head *pubkey_bucket(struct pubkey_hashtable *table,
40202 ++ const u8 pubkey[NOISE_PUBLIC_KEY_LEN])
40203 ++{
40204 ++ /* siphash gives us a secure 64bit number based on a random key. Since
40205 ++ * the bits are uniformly distributed, we can then mask off to get the
40206 ++ * bits we need.
40207 ++ */
40208 ++ const u64 hash = siphash(pubkey, NOISE_PUBLIC_KEY_LEN, &table->key);
40209 ++
40210 ++ return &table->hashtable[hash & (HASH_SIZE(table->hashtable) - 1)];
40211 ++}
40212 ++
40213 ++struct pubkey_hashtable *wg_pubkey_hashtable_alloc(void)
40214 ++{
40215 ++ struct pubkey_hashtable *table = kvmalloc(sizeof(*table), GFP_KERNEL);
40216 ++
40217 ++ if (!table)
40218 ++ return NULL;
40219 ++
40220 ++ get_random_bytes(&table->key, sizeof(table->key));
40221 ++ hash_init(table->hashtable);
40222 ++ mutex_init(&table->lock);
40223 ++ return table;
40224 ++}
40225 ++
40226 ++void wg_pubkey_hashtable_add(struct pubkey_hashtable *table,
40227 ++ struct wg_peer *peer)
40228 ++{
40229 ++ mutex_lock(&table->lock);
40230 ++ hlist_add_head_rcu(&peer->pubkey_hash,
40231 ++ pubkey_bucket(table, peer->handshake.remote_static));
40232 ++ mutex_unlock(&table->lock);
40233 ++}
40234 ++
40235 ++void wg_pubkey_hashtable_remove(struct pubkey_hashtable *table,
40236 ++ struct wg_peer *peer)
40237 ++{
40238 ++ mutex_lock(&table->lock);
40239 ++ hlist_del_init_rcu(&peer->pubkey_hash);
40240 ++ mutex_unlock(&table->lock);
40241 ++}
40242 ++
40243 ++/* Returns a strong reference to a peer */
40244 ++struct wg_peer *
40245 ++wg_pubkey_hashtable_lookup(struct pubkey_hashtable *table,
40246 ++ const u8 pubkey[NOISE_PUBLIC_KEY_LEN])
40247 ++{
40248 ++ struct wg_peer *iter_peer, *peer = NULL;
40249 ++
40250 ++ rcu_read_lock_bh();
40251 ++ hlist_for_each_entry_rcu_bh(iter_peer, pubkey_bucket(table, pubkey),
40252 ++ pubkey_hash) {
40253 ++ if (!memcmp(pubkey, iter_peer->handshake.remote_static,
40254 ++ NOISE_PUBLIC_KEY_LEN)) {
40255 ++ peer = iter_peer;
40256 ++ break;
40257 ++ }
40258 ++ }
40259 ++ peer = wg_peer_get_maybe_zero(peer);
40260 ++ rcu_read_unlock_bh();
40261 ++ return peer;
40262 ++}
40263 ++
40264 ++static struct hlist_head *index_bucket(struct index_hashtable *table,
40265 ++ const __le32 index)
40266 ++{
40267 ++ /* Since the indices are random and thus all bits are uniformly
40268 ++ * distributed, we can find its bucket simply by masking.
40269 ++ */
40270 ++ return &table->hashtable[(__force u32)index &
40271 ++ (HASH_SIZE(table->hashtable) - 1)];
40272 ++}
40273 ++
40274 ++struct index_hashtable *wg_index_hashtable_alloc(void)
40275 ++{
40276 ++ struct index_hashtable *table = kvmalloc(sizeof(*table), GFP_KERNEL);
40277 ++
40278 ++ if (!table)
40279 ++ return NULL;
40280 ++
40281 ++ hash_init(table->hashtable);
40282 ++ spin_lock_init(&table->lock);
40283 ++ return table;
40284 ++}
40285 ++
40286 ++/* At the moment, we limit ourselves to 2^20 total peers, which generally might
40287 ++ * amount to 2^20*3 items in this hashtable. The algorithm below works by
40288 ++ * picking a random number and testing it. We can see that these limits mean we
40289 ++ * usually succeed pretty quickly:
40290 ++ *
40291 ++ * >>> def calculation(tries, size):
40292 ++ * ... return (size / 2**32)**(tries - 1) * (1 - (size / 2**32))
40293 ++ * ...
40294 ++ * >>> calculation(1, 2**20 * 3)
40295 ++ * 0.999267578125
40296 ++ * >>> calculation(2, 2**20 * 3)
40297 ++ * 0.0007318854331970215
40298 ++ * >>> calculation(3, 2**20 * 3)
40299 ++ * 5.360489012673497e-07
40300 ++ * >>> calculation(4, 2**20 * 3)
40301 ++ * 3.9261394135792216e-10
40302 ++ *
40303 ++ * At the moment, we don't do any masking, so this algorithm isn't exactly
40304 ++ * constant time in either the random guessing or in the hash list lookup. We
40305 ++ * could require a minimum of 3 tries, which would successfully mask the
40306 ++ * guessing. this would not, however, help with the growing hash lengths, which
40307 ++ * is another thing to consider moving forward.
40308 ++ */
40309 ++
40310 ++__le32 wg_index_hashtable_insert(struct index_hashtable *table,
40311 ++ struct index_hashtable_entry *entry)
40312 ++{
40313 ++ struct index_hashtable_entry *existing_entry;
40314 ++
40315 ++ spin_lock_bh(&table->lock);
40316 ++ hlist_del_init_rcu(&entry->index_hash);
40317 ++ spin_unlock_bh(&table->lock);
40318 ++
40319 ++ rcu_read_lock_bh();
40320 ++
40321 ++search_unused_slot:
40322 ++ /* First we try to find an unused slot, randomly, while unlocked. */
40323 ++ entry->index = (__force __le32)get_random_u32();
40324 ++ hlist_for_each_entry_rcu_bh(existing_entry,
40325 ++ index_bucket(table, entry->index),
40326 ++ index_hash) {
40327 ++ if (existing_entry->index == entry->index)
40328 ++ /* If it's already in use, we continue searching. */
40329 ++ goto search_unused_slot;
40330 ++ }
40331 ++
40332 ++ /* Once we've found an unused slot, we lock it, and then double-check
40333 ++ * that nobody else stole it from us.
40334 ++ */
40335 ++ spin_lock_bh(&table->lock);
40336 ++ hlist_for_each_entry_rcu_bh(existing_entry,
40337 ++ index_bucket(table, entry->index),
40338 ++ index_hash) {
40339 ++ if (existing_entry->index == entry->index) {
40340 ++ spin_unlock_bh(&table->lock);
40341 ++ /* If it was stolen, we start over. */
40342 ++ goto search_unused_slot;
40343 ++ }
40344 ++ }
40345 ++ /* Otherwise, we know we have it exclusively (since we're locked),
40346 ++ * so we insert.
40347 ++ */
40348 ++ hlist_add_head_rcu(&entry->index_hash,
40349 ++ index_bucket(table, entry->index));
40350 ++ spin_unlock_bh(&table->lock);
40351 ++
40352 ++ rcu_read_unlock_bh();
40353 ++
40354 ++ return entry->index;
40355 ++}
40356 ++
40357 ++bool wg_index_hashtable_replace(struct index_hashtable *table,
40358 ++ struct index_hashtable_entry *old,
40359 ++ struct index_hashtable_entry *new)
40360 ++{
40361 ++ bool ret;
40362 ++
40363 ++ spin_lock_bh(&table->lock);
40364 ++ ret = !hlist_unhashed(&old->index_hash);
40365 ++ if (unlikely(!ret))
40366 ++ goto out;
40367 ++
40368 ++ new->index = old->index;
40369 ++ hlist_replace_rcu(&old->index_hash, &new->index_hash);
40370 ++
40371 ++ /* Calling init here NULLs out index_hash, and in fact after this
40372 ++ * function returns, it's theoretically possible for this to get
40373 ++ * reinserted elsewhere. That means the RCU lookup below might either
40374 ++ * terminate early or jump between buckets, in which case the packet
40375 ++ * simply gets dropped, which isn't terrible.
40376 ++ */
40377 ++ INIT_HLIST_NODE(&old->index_hash);
40378 ++out:
40379 ++ spin_unlock_bh(&table->lock);
40380 ++ return ret;
40381 ++}
40382 ++
40383 ++void wg_index_hashtable_remove(struct index_hashtable *table,
40384 ++ struct index_hashtable_entry *entry)
40385 ++{
40386 ++ spin_lock_bh(&table->lock);
40387 ++ hlist_del_init_rcu(&entry->index_hash);
40388 ++ spin_unlock_bh(&table->lock);
40389 ++}
40390 ++
40391 ++/* Returns a strong reference to a entry->peer */
40392 ++struct index_hashtable_entry *
40393 ++wg_index_hashtable_lookup(struct index_hashtable *table,
40394 ++ const enum index_hashtable_type type_mask,
40395 ++ const __le32 index, struct wg_peer **peer)
40396 ++{
40397 ++ struct index_hashtable_entry *iter_entry, *entry = NULL;
40398 ++
40399 ++ rcu_read_lock_bh();
40400 ++ hlist_for_each_entry_rcu_bh(iter_entry, index_bucket(table, index),
40401 ++ index_hash) {
40402 ++ if (iter_entry->index == index) {
40403 ++ if (likely(iter_entry->type & type_mask))
40404 ++ entry = iter_entry;
40405 ++ break;
40406 ++ }
40407 ++ }
40408 ++ if (likely(entry)) {
40409 ++ entry->peer = wg_peer_get_maybe_zero(entry->peer);
40410 ++ if (likely(entry->peer))
40411 ++ *peer = entry->peer;
40412 ++ else
40413 ++ entry = NULL;
40414 ++ }
40415 ++ rcu_read_unlock_bh();
40416 ++ return entry;
40417 ++}
40418 +--- /dev/null
40419 ++++ b/drivers/net/wireguard/peerlookup.h
40420 +@@ -0,0 +1,64 @@
40421 ++/* SPDX-License-Identifier: GPL-2.0 */
40422 ++/*
40423 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40424 ++ */
40425 ++
40426 ++#ifndef _WG_PEERLOOKUP_H
40427 ++#define _WG_PEERLOOKUP_H
40428 ++
40429 ++#include "messages.h"
40430 ++
40431 ++#include <linux/hashtable.h>
40432 ++#include <linux/mutex.h>
40433 ++#include <linux/siphash.h>
40434 ++
40435 ++struct wg_peer;
40436 ++
40437 ++struct pubkey_hashtable {
40438 ++ /* TODO: move to rhashtable */
40439 ++ DECLARE_HASHTABLE(hashtable, 11);
40440 ++ siphash_key_t key;
40441 ++ struct mutex lock;
40442 ++};
40443 ++
40444 ++struct pubkey_hashtable *wg_pubkey_hashtable_alloc(void);
40445 ++void wg_pubkey_hashtable_add(struct pubkey_hashtable *table,
40446 ++ struct wg_peer *peer);
40447 ++void wg_pubkey_hashtable_remove(struct pubkey_hashtable *table,
40448 ++ struct wg_peer *peer);
40449 ++struct wg_peer *
40450 ++wg_pubkey_hashtable_lookup(struct pubkey_hashtable *table,
40451 ++ const u8 pubkey[NOISE_PUBLIC_KEY_LEN]);
40452 ++
40453 ++struct index_hashtable {
40454 ++ /* TODO: move to rhashtable */
40455 ++ DECLARE_HASHTABLE(hashtable, 13);
40456 ++ spinlock_t lock;
40457 ++};
40458 ++
40459 ++enum index_hashtable_type {
40460 ++ INDEX_HASHTABLE_HANDSHAKE = 1U << 0,
40461 ++ INDEX_HASHTABLE_KEYPAIR = 1U << 1
40462 ++};
40463 ++
40464 ++struct index_hashtable_entry {
40465 ++ struct wg_peer *peer;
40466 ++ struct hlist_node index_hash;
40467 ++ enum index_hashtable_type type;
40468 ++ __le32 index;
40469 ++};
40470 ++
40471 ++struct index_hashtable *wg_index_hashtable_alloc(void);
40472 ++__le32 wg_index_hashtable_insert(struct index_hashtable *table,
40473 ++ struct index_hashtable_entry *entry);
40474 ++bool wg_index_hashtable_replace(struct index_hashtable *table,
40475 ++ struct index_hashtable_entry *old,
40476 ++ struct index_hashtable_entry *new);
40477 ++void wg_index_hashtable_remove(struct index_hashtable *table,
40478 ++ struct index_hashtable_entry *entry);
40479 ++struct index_hashtable_entry *
40480 ++wg_index_hashtable_lookup(struct index_hashtable *table,
40481 ++ const enum index_hashtable_type type_mask,
40482 ++ const __le32 index, struct wg_peer **peer);
40483 ++
40484 ++#endif /* _WG_PEERLOOKUP_H */
40485 +--- b/drivers/net/wireguard/queueing.c
40486 ++++ b/drivers/net/wireguard/queueing.c
40487 +@@ -0,0 +1,107 @@
40488 ++// SPDX-License-Identifier: GPL-2.0
40489 ++/*
40490 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40491 ++ */
40492 ++
40493 ++#include "queueing.h"
40494 ++
40495 ++struct multicore_worker __percpu *
40496 ++wg_packet_percpu_multicore_worker_alloc(work_func_t function, void *ptr)
40497 ++{
40498 ++ int cpu;
40499 ++ struct multicore_worker __percpu *worker = alloc_percpu(struct multicore_worker);
40500 ++
40501 ++ if (!worker)
40502 ++ return NULL;
40503 ++
40504 ++ for_each_possible_cpu(cpu) {
40505 ++ per_cpu_ptr(worker, cpu)->ptr = ptr;
40506 ++ INIT_WORK(&per_cpu_ptr(worker, cpu)->work, function);
40507 ++ }
40508 ++ return worker;
40509 ++}
40510 ++
40511 ++int wg_packet_queue_init(struct crypt_queue *queue, work_func_t function,
40512 ++ unsigned int len)
40513 ++{
40514 ++ int ret;
40515 ++
40516 ++ memset(queue, 0, sizeof(*queue));
40517 ++ ret = ptr_ring_init(&queue->ring, len, GFP_KERNEL);
40518 ++ if (ret)
40519 ++ return ret;
40520 ++ queue->worker = wg_packet_percpu_multicore_worker_alloc(function, queue);
40521 ++ if (!queue->worker) {
40522 ++ ptr_ring_cleanup(&queue->ring, NULL);
40523 ++ return -ENOMEM;
40524 ++ }
40525 ++ return 0;
40526 ++}
40527 ++
40528 ++void wg_packet_queue_free(struct crypt_queue *queue)
40529 ++{
40530 ++ free_percpu(queue->worker);
40531 ++ WARN_ON(!__ptr_ring_empty(&queue->ring));
40532 ++ ptr_ring_cleanup(&queue->ring, NULL);
40533 ++}
40534 ++
40535 ++#define NEXT(skb) ((skb)->prev)
40536 ++#define STUB(queue) ((struct sk_buff *)&queue->empty)
40537 ++
40538 ++void wg_prev_queue_init(struct prev_queue *queue)
40539 ++{
40540 ++ NEXT(STUB(queue)) = NULL;
40541 ++ queue->head = queue->tail = STUB(queue);
40542 ++ queue->peeked = NULL;
40543 ++ atomic_set(&queue->count, 0);
40544 ++ BUILD_BUG_ON(
40545 ++ offsetof(struct sk_buff, next) != offsetof(struct prev_queue, empty.next) -
40546 ++ offsetof(struct prev_queue, empty) ||
40547 ++ offsetof(struct sk_buff, prev) != offsetof(struct prev_queue, empty.prev) -
40548 ++ offsetof(struct prev_queue, empty));
40549 ++}
40550 ++
40551 ++static void __wg_prev_queue_enqueue(struct prev_queue *queue, struct sk_buff *skb)
40552 ++{
40553 ++ WRITE_ONCE(NEXT(skb), NULL);
40554 ++ WRITE_ONCE(NEXT(xchg_release(&queue->head, skb)), skb);
40555 ++}
40556 ++
40557 ++bool wg_prev_queue_enqueue(struct prev_queue *queue, struct sk_buff *skb)
40558 ++{
40559 ++ if (!atomic_add_unless(&queue->count, 1, MAX_QUEUED_PACKETS))
40560 ++ return false;
40561 ++ __wg_prev_queue_enqueue(queue, skb);
40562 ++ return true;
40563 ++}
40564 ++
40565 ++struct sk_buff *wg_prev_queue_dequeue(struct prev_queue *queue)
40566 ++{
40567 ++ struct sk_buff *tail = queue->tail, *next = smp_load_acquire(&NEXT(tail));
40568 ++
40569 ++ if (tail == STUB(queue)) {
40570 ++ if (!next)
40571 ++ return NULL;
40572 ++ queue->tail = next;
40573 ++ tail = next;
40574 ++ next = smp_load_acquire(&NEXT(next));
40575 ++ }
40576 ++ if (next) {
40577 ++ queue->tail = next;
40578 ++ atomic_dec(&queue->count);
40579 ++ return tail;
40580 ++ }
40581 ++ if (tail != READ_ONCE(queue->head))
40582 ++ return NULL;
40583 ++ __wg_prev_queue_enqueue(queue, STUB(queue));
40584 ++ next = smp_load_acquire(&NEXT(tail));
40585 ++ if (next) {
40586 ++ queue->tail = next;
40587 ++ atomic_dec(&queue->count);
40588 ++ return tail;
40589 ++ }
40590 ++ return NULL;
40591 ++}
40592 ++
40593 ++#undef NEXT
40594 ++#undef STUB
40595 +--- b/drivers/net/wireguard/queueing.h
40596 ++++ b/drivers/net/wireguard/queueing.h
40597 +@@ -0,0 +1,214 @@
40598 ++/* SPDX-License-Identifier: GPL-2.0 */
40599 ++/*
40600 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40601 ++ */
40602 ++
40603 ++#ifndef _WG_QUEUEING_H
40604 ++#define _WG_QUEUEING_H
40605 ++
40606 ++#include "peer.h"
40607 ++#include <linux/types.h>
40608 ++#include <linux/skbuff.h>
40609 ++#include <linux/ip.h>
40610 ++#include <linux/ipv6.h>
40611 ++#include <net/ip_tunnels.h>
40612 ++
40613 ++struct wg_device;
40614 ++struct wg_peer;
40615 ++struct multicore_worker;
40616 ++struct crypt_queue;
40617 ++struct prev_queue;
40618 ++struct sk_buff;
40619 ++
40620 ++/* queueing.c APIs: */
40621 ++int wg_packet_queue_init(struct crypt_queue *queue, work_func_t function,
40622 ++ unsigned int len);
40623 ++void wg_packet_queue_free(struct crypt_queue *queue);
40624 ++struct multicore_worker __percpu *
40625 ++wg_packet_percpu_multicore_worker_alloc(work_func_t function, void *ptr);
40626 ++
40627 ++/* receive.c APIs: */
40628 ++void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb);
40629 ++void wg_packet_handshake_receive_worker(struct work_struct *work);
40630 ++/* NAPI poll function: */
40631 ++int wg_packet_rx_poll(struct napi_struct *napi, int budget);
40632 ++/* Workqueue worker: */
40633 ++void wg_packet_decrypt_worker(struct work_struct *work);
40634 ++
40635 ++/* send.c APIs: */
40636 ++void wg_packet_send_queued_handshake_initiation(struct wg_peer *peer,
40637 ++ bool is_retry);
40638 ++void wg_packet_send_handshake_response(struct wg_peer *peer);
40639 ++void wg_packet_send_handshake_cookie(struct wg_device *wg,
40640 ++ struct sk_buff *initiating_skb,
40641 ++ __le32 sender_index);
40642 ++void wg_packet_send_keepalive(struct wg_peer *peer);
40643 ++void wg_packet_purge_staged_packets(struct wg_peer *peer);
40644 ++void wg_packet_send_staged_packets(struct wg_peer *peer);
40645 ++/* Workqueue workers: */
40646 ++void wg_packet_handshake_send_worker(struct work_struct *work);
40647 ++void wg_packet_tx_worker(struct work_struct *work);
40648 ++void wg_packet_encrypt_worker(struct work_struct *work);
40649 ++
40650 ++enum packet_state {
40651 ++ PACKET_STATE_UNCRYPTED,
40652 ++ PACKET_STATE_CRYPTED,
40653 ++ PACKET_STATE_DEAD
40654 ++};
40655 ++
40656 ++struct packet_cb {
40657 ++ u64 nonce;
40658 ++ struct noise_keypair *keypair;
40659 ++ atomic_t state;
40660 ++ u32 mtu;
40661 ++ u8 ds;
40662 ++};
40663 ++
40664 ++#define PACKET_CB(skb) ((struct packet_cb *)((skb)->cb))
40665 ++#define PACKET_PEER(skb) (PACKET_CB(skb)->keypair->entry.peer)
40666 ++
40667 ++static inline bool wg_check_packet_protocol(struct sk_buff *skb)
40668 ++{
40669 ++ __be16 real_protocol = ip_tunnel_parse_protocol(skb);
40670 ++ return real_protocol && skb->protocol == real_protocol;
40671 ++}
40672 ++
40673 ++static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
40674 ++{
40675 ++ u8 l4_hash = skb->l4_hash;
40676 ++ u8 sw_hash = skb->sw_hash;
40677 ++ u32 hash = skb->hash;
40678 ++ skb_scrub_packet(skb, true);
40679 ++ memset(&skb->headers_start, 0,
40680 ++ offsetof(struct sk_buff, headers_end) -
40681 ++ offsetof(struct sk_buff, headers_start));
40682 ++ if (encapsulating) {
40683 ++ skb->l4_hash = l4_hash;
40684 ++ skb->sw_hash = sw_hash;
40685 ++ skb->hash = hash;
40686 ++ }
40687 ++ skb->queue_mapping = 0;
40688 ++ skb->nohdr = 0;
40689 ++ skb->peeked = 0;
40690 ++ skb->mac_len = 0;
40691 ++ skb->dev = NULL;
40692 ++#ifdef CONFIG_NET_SCHED
40693 ++ skb->tc_index = 0;
40694 ++#endif
40695 ++ skb_reset_redirect(skb);
40696 ++ skb->hdr_len = skb_headroom(skb);
40697 ++ skb_reset_mac_header(skb);
40698 ++ skb_reset_network_header(skb);
40699 ++ skb_reset_transport_header(skb);
40700 ++ skb_probe_transport_header(skb);
40701 ++ skb_reset_inner_headers(skb);
40702 ++}
40703 ++
40704 ++static inline int wg_cpumask_choose_online(int *stored_cpu, unsigned int id)
40705 ++{
40706 ++ unsigned int cpu = *stored_cpu, cpu_index, i;
40707 ++
40708 ++ if (unlikely(cpu == nr_cpumask_bits ||
40709 ++ !cpumask_test_cpu(cpu, cpu_online_mask))) {
40710 ++ cpu_index = id % cpumask_weight(cpu_online_mask);
40711 ++ cpu = cpumask_first(cpu_online_mask);
40712 ++ for (i = 0; i < cpu_index; ++i)
40713 ++ cpu = cpumask_next(cpu, cpu_online_mask);
40714 ++ *stored_cpu = cpu;
40715 ++ }
40716 ++ return cpu;
40717 ++}
40718 ++
40719 ++/* This function is racy, in the sense that next is unlocked, so it could return
40720 ++ * the same CPU twice. A race-free version of this would be to instead store an
40721 ++ * atomic sequence number, do an increment-and-return, and then iterate through
40722 ++ * every possible CPU until we get to that index -- choose_cpu. However that's
40723 ++ * a bit slower, and it doesn't seem like this potential race actually
40724 ++ * introduces any performance loss, so we live with it.
40725 ++ */
40726 ++static inline int wg_cpumask_next_online(int *next)
40727 ++{
40728 ++ int cpu = *next;
40729 ++
40730 ++ while (unlikely(!cpumask_test_cpu(cpu, cpu_online_mask)))
40731 ++ cpu = cpumask_next(cpu, cpu_online_mask) % nr_cpumask_bits;
40732 ++ *next = cpumask_next(cpu, cpu_online_mask) % nr_cpumask_bits;
40733 ++ return cpu;
40734 ++}
40735 ++
40736 ++void wg_prev_queue_init(struct prev_queue *queue);
40737 ++
40738 ++/* Multi producer */
40739 ++bool wg_prev_queue_enqueue(struct prev_queue *queue, struct sk_buff *skb);
40740 ++
40741 ++/* Single consumer */
40742 ++struct sk_buff *wg_prev_queue_dequeue(struct prev_queue *queue);
40743 ++
40744 ++/* Single consumer */
40745 ++static inline struct sk_buff *wg_prev_queue_peek(struct prev_queue *queue)
40746 ++{
40747 ++ if (queue->peeked)
40748 ++ return queue->peeked;
40749 ++ queue->peeked = wg_prev_queue_dequeue(queue);
40750 ++ return queue->peeked;
40751 ++}
40752 ++
40753 ++/* Single consumer */
40754 ++static inline void wg_prev_queue_drop_peeked(struct prev_queue *queue)
40755 ++{
40756 ++ queue->peeked = NULL;
40757 ++}
40758 ++
40759 ++static inline int wg_queue_enqueue_per_device_and_peer(
40760 ++ struct crypt_queue *device_queue, struct prev_queue *peer_queue,
40761 ++ struct sk_buff *skb, struct workqueue_struct *wq, int *next_cpu)
40762 ++{
40763 ++ int cpu;
40764 ++
40765 ++ atomic_set_release(&PACKET_CB(skb)->state, PACKET_STATE_UNCRYPTED);
40766 ++ /* We first queue this up for the peer ingestion, but the consumer
40767 ++ * will wait for the state to change to CRYPTED or DEAD before.
40768 ++ */
40769 ++ if (unlikely(!wg_prev_queue_enqueue(peer_queue, skb)))
40770 ++ return -ENOSPC;
40771 ++
40772 ++ /* Then we queue it up in the device queue, which consumes the
40773 ++ * packet as soon as it can.
40774 ++ */
40775 ++ cpu = wg_cpumask_next_online(next_cpu);
40776 ++ if (unlikely(ptr_ring_produce_bh(&device_queue->ring, skb)))
40777 ++ return -EPIPE;
40778 ++ queue_work_on(cpu, wq, &per_cpu_ptr(device_queue->worker, cpu)->work);
40779 ++ return 0;
40780 ++}
40781 ++
40782 ++static inline void wg_queue_enqueue_per_peer_tx(struct sk_buff *skb, enum packet_state state)
40783 ++{
40784 ++ /* We take a reference, because as soon as we call atomic_set, the
40785 ++ * peer can be freed from below us.
40786 ++ */
40787 ++ struct wg_peer *peer = wg_peer_get(PACKET_PEER(skb));
40788 ++
40789 ++ atomic_set_release(&PACKET_CB(skb)->state, state);
40790 ++ queue_work_on(wg_cpumask_choose_online(&peer->serial_work_cpu, peer->internal_id),
40791 ++ peer->device->packet_crypt_wq, &peer->transmit_packet_work);
40792 ++ wg_peer_put(peer);
40793 ++}
40794 ++
40795 ++static inline void wg_queue_enqueue_per_peer_rx(struct sk_buff *skb, enum packet_state state)
40796 ++{
40797 ++ /* We take a reference, because as soon as we call atomic_set, the
40798 ++ * peer can be freed from below us.
40799 ++ */
40800 ++ struct wg_peer *peer = wg_peer_get(PACKET_PEER(skb));
40801 ++
40802 ++ atomic_set_release(&PACKET_CB(skb)->state, state);
40803 ++ napi_schedule(&peer->napi);
40804 ++ wg_peer_put(peer);
40805 ++}
40806 ++
40807 ++#ifdef DEBUG
40808 ++bool wg_packet_counter_selftest(void);
40809 ++#endif
40810 ++
40811 ++#endif /* _WG_QUEUEING_H */
40812 +--- /dev/null
40813 ++++ b/drivers/net/wireguard/ratelimiter.c
40814 +@@ -0,0 +1,223 @@
40815 ++// SPDX-License-Identifier: GPL-2.0
40816 ++/*
40817 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
40818 ++ */
40819 ++
40820 ++#include "ratelimiter.h"
40821 ++#include <linux/siphash.h>
40822 ++#include <linux/mm.h>
40823 ++#include <linux/slab.h>
40824 ++#include <net/ip.h>
40825 ++
40826 ++static struct kmem_cache *entry_cache;
40827 ++static hsiphash_key_t key;
40828 ++static spinlock_t table_lock = __SPIN_LOCK_UNLOCKED("ratelimiter_table_lock");
40829 ++static DEFINE_MUTEX(init_lock);
40830 ++static u64 init_refcnt; /* Protected by init_lock, hence not atomic. */
40831 ++static atomic_t total_entries = ATOMIC_INIT(0);
40832 ++static unsigned int max_entries, table_size;
40833 ++static void wg_ratelimiter_gc_entries(struct work_struct *);
40834 ++static DECLARE_DEFERRABLE_WORK(gc_work, wg_ratelimiter_gc_entries);
40835 ++static struct hlist_head *table_v4;
40836 ++#if IS_ENABLED(CONFIG_IPV6)
40837 ++static struct hlist_head *table_v6;
40838 ++#endif
40839 ++
40840 ++struct ratelimiter_entry {
40841 ++ u64 last_time_ns, tokens, ip;
40842 ++ void *net;
40843 ++ spinlock_t lock;
40844 ++ struct hlist_node hash;
40845 ++ struct rcu_head rcu;
40846 ++};
40847 ++
40848 ++enum {
40849 ++ PACKETS_PER_SECOND = 20,
40850 ++ PACKETS_BURSTABLE = 5,
40851 ++ PACKET_COST = NSEC_PER_SEC / PACKETS_PER_SECOND,
40852 ++ TOKEN_MAX = PACKET_COST * PACKETS_BURSTABLE
40853 ++};
40854 ++
40855 ++static void entry_free(struct rcu_head *rcu)
40856 ++{
40857 ++ kmem_cache_free(entry_cache,
40858 ++ container_of(rcu, struct ratelimiter_entry, rcu));
40859 ++ atomic_dec(&total_entries);
40860 ++}
40861 ++
40862 ++static void entry_uninit(struct ratelimiter_entry *entry)
40863 ++{
40864 ++ hlist_del_rcu(&entry->hash);
40865 ++ call_rcu(&entry->rcu, entry_free);
40866 ++}
40867 ++
40868 ++/* Calling this function with a NULL work uninits all entries. */
40869 ++static void wg_ratelimiter_gc_entries(struct work_struct *work)
40870 ++{
40871 ++ const u64 now = ktime_get_coarse_boottime_ns();
40872 ++ struct ratelimiter_entry *entry;
40873 ++ struct hlist_node *temp;
40874 ++ unsigned int i;
40875 ++
40876 ++ for (i = 0; i < table_size; ++i) {
40877 ++ spin_lock(&table_lock);
40878 ++ hlist_for_each_entry_safe(entry, temp, &table_v4[i], hash) {
40879 ++ if (unlikely(!work) ||
40880 ++ now - entry->last_time_ns > NSEC_PER_SEC)
40881 ++ entry_uninit(entry);
40882 ++ }
40883 ++#if IS_ENABLED(CONFIG_IPV6)
40884 ++ hlist_for_each_entry_safe(entry, temp, &table_v6[i], hash) {
40885 ++ if (unlikely(!work) ||
40886 ++ now - entry->last_time_ns > NSEC_PER_SEC)
40887 ++ entry_uninit(entry);
40888 ++ }
40889 ++#endif
40890 ++ spin_unlock(&table_lock);
40891 ++ if (likely(work))
40892 ++ cond_resched();
40893 ++ }
40894 ++ if (likely(work))
40895 ++ queue_delayed_work(system_power_efficient_wq, &gc_work, HZ);
40896 ++}
40897 ++
40898 ++bool wg_ratelimiter_allow(struct sk_buff *skb, struct net *net)
40899 ++{
40900 ++ /* We only take the bottom half of the net pointer, so that we can hash
40901 ++ * 3 words in the end. This way, siphash's len param fits into the final
40902 ++ * u32, and we don't incur an extra round.
40903 ++ */
40904 ++ const u32 net_word = (unsigned long)net;
40905 ++ struct ratelimiter_entry *entry;
40906 ++ struct hlist_head *bucket;
40907 ++ u64 ip;
40908 ++
40909 ++ if (skb->protocol == htons(ETH_P_IP)) {
40910 ++ ip = (u64 __force)ip_hdr(skb)->saddr;
40911 ++ bucket = &table_v4[hsiphash_2u32(net_word, ip, &key) &
40912 ++ (table_size - 1)];
40913 ++ }
40914 ++#if IS_ENABLED(CONFIG_IPV6)
40915 ++ else if (skb->protocol == htons(ETH_P_IPV6)) {
40916 ++ /* Only use 64 bits, so as to ratelimit the whole /64. */
40917 ++ memcpy(&ip, &ipv6_hdr(skb)->saddr, sizeof(ip));
40918 ++ bucket = &table_v6[hsiphash_3u32(net_word, ip >> 32, ip, &key) &
40919 ++ (table_size - 1)];
40920 ++ }
40921 ++#endif
40922 ++ else
40923 ++ return false;
40924 ++ rcu_read_lock();
40925 ++ hlist_for_each_entry_rcu(entry, bucket, hash) {
40926 ++ if (entry->net == net && entry->ip == ip) {
40927 ++ u64 now, tokens;
40928 ++ bool ret;
40929 ++ /* Quasi-inspired by nft_limit.c, but this is actually a
40930 ++ * slightly different algorithm. Namely, we incorporate
40931 ++ * the burst as part of the maximum tokens, rather than
40932 ++ * as part of the rate.
40933 ++ */
40934 ++ spin_lock(&entry->lock);
40935 ++ now = ktime_get_coarse_boottime_ns();
40936 ++ tokens = min_t(u64, TOKEN_MAX,
40937 ++ entry->tokens + now -
40938 ++ entry->last_time_ns);
40939 ++ entry->last_time_ns = now;
40940 ++ ret = tokens >= PACKET_COST;
40941 ++ entry->tokens = ret ? tokens - PACKET_COST : tokens;
40942 ++ spin_unlock(&entry->lock);
40943 ++ rcu_read_unlock();
40944 ++ return ret;
40945 ++ }
40946 ++ }
40947 ++ rcu_read_unlock();
40948 ++
40949 ++ if (atomic_inc_return(&total_entries) > max_entries)
40950 ++ goto err_oom;
40951 ++
40952 ++ entry = kmem_cache_alloc(entry_cache, GFP_KERNEL);
40953 ++ if (unlikely(!entry))
40954 ++ goto err_oom;
40955 ++
40956 ++ entry->net = net;
40957 ++ entry->ip = ip;
40958 ++ INIT_HLIST_NODE(&entry->hash);
40959 ++ spin_lock_init(&entry->lock);
40960 ++ entry->last_time_ns = ktime_get_coarse_boottime_ns();
40961 ++ entry->tokens = TOKEN_MAX - PACKET_COST;
40962 ++ spin_lock(&table_lock);
40963 ++ hlist_add_head_rcu(&entry->hash, bucket);
40964 ++ spin_unlock(&table_lock);
40965 ++ return true;
40966 ++
40967 ++err_oom:
40968 ++ atomic_dec(&total_entries);
40969 ++ return false;
40970 ++}
40971 ++
40972 ++int wg_ratelimiter_init(void)
40973 ++{
40974 ++ mutex_lock(&init_lock);
40975 ++ if (++init_refcnt != 1)
40976 ++ goto out;
40977 ++
40978 ++ entry_cache = KMEM_CACHE(ratelimiter_entry, 0);
40979 ++ if (!entry_cache)
40980 ++ goto err;
40981 ++
40982 ++ /* xt_hashlimit.c uses a slightly different algorithm for ratelimiting,
40983 ++ * but what it shares in common is that it uses a massive hashtable. So,
40984 ++ * we borrow their wisdom about good table sizes on different systems
40985 ++ * dependent on RAM. This calculation here comes from there.
40986 ++ */
40987 ++ table_size = (totalram_pages() > (1U << 30) / PAGE_SIZE) ? 8192 :
40988 ++ max_t(unsigned long, 16, roundup_pow_of_two(
40989 ++ (totalram_pages() << PAGE_SHIFT) /
40990 ++ (1U << 14) / sizeof(struct hlist_head)));
40991 ++ max_entries = table_size * 8;
40992 ++
40993 ++ table_v4 = kvzalloc(table_size * sizeof(*table_v4), GFP_KERNEL);
40994 ++ if (unlikely(!table_v4))
40995 ++ goto err_kmemcache;
40996 ++
40997 ++#if IS_ENABLED(CONFIG_IPV6)
40998 ++ table_v6 = kvzalloc(table_size * sizeof(*table_v6), GFP_KERNEL);
40999 ++ if (unlikely(!table_v6)) {
41000 ++ kvfree(table_v4);
41001 ++ goto err_kmemcache;
41002 ++ }
41003 ++#endif
41004 ++
41005 ++ queue_delayed_work(system_power_efficient_wq, &gc_work, HZ);
41006 ++ get_random_bytes(&key, sizeof(key));
41007 ++out:
41008 ++ mutex_unlock(&init_lock);
41009 ++ return 0;
41010 ++
41011 ++err_kmemcache:
41012 ++ kmem_cache_destroy(entry_cache);
41013 ++err:
41014 ++ --init_refcnt;
41015 ++ mutex_unlock(&init_lock);
41016 ++ return -ENOMEM;
41017 ++}
41018 ++
41019 ++void wg_ratelimiter_uninit(void)
41020 ++{
41021 ++ mutex_lock(&init_lock);
41022 ++ if (!init_refcnt || --init_refcnt)
41023 ++ goto out;
41024 ++
41025 ++ cancel_delayed_work_sync(&gc_work);
41026 ++ wg_ratelimiter_gc_entries(NULL);
41027 ++ rcu_barrier();
41028 ++ kvfree(table_v4);
41029 ++#if IS_ENABLED(CONFIG_IPV6)
41030 ++ kvfree(table_v6);
41031 ++#endif
41032 ++ kmem_cache_destroy(entry_cache);
41033 ++out:
41034 ++ mutex_unlock(&init_lock);
41035 ++}
41036 ++
41037 ++#include "selftest/ratelimiter.c"
41038 +--- /dev/null
41039 ++++ b/drivers/net/wireguard/ratelimiter.h
41040 +@@ -0,0 +1,19 @@
41041 ++/* SPDX-License-Identifier: GPL-2.0 */
41042 ++/*
41043 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
41044 ++ */
41045 ++
41046 ++#ifndef _WG_RATELIMITER_H
41047 ++#define _WG_RATELIMITER_H
41048 ++
41049 ++#include <linux/skbuff.h>
41050 ++
41051 ++int wg_ratelimiter_init(void);
41052 ++void wg_ratelimiter_uninit(void);
41053 ++bool wg_ratelimiter_allow(struct sk_buff *skb, struct net *net);
41054 ++
41055 ++#ifdef DEBUG
41056 ++bool wg_ratelimiter_selftest(void);
41057 ++#endif
41058 ++
41059 ++#endif /* _WG_RATELIMITER_H */
41060 +--- b/drivers/net/wireguard/receive.c
41061 ++++ b/drivers/net/wireguard/receive.c
41062 +@@ -0,0 +1,586 @@
41063 ++// SPDX-License-Identifier: GPL-2.0
41064 ++/*
41065 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
41066 ++ */
41067 ++
41068 ++#include "queueing.h"
41069 ++#include "device.h"
41070 ++#include "peer.h"
41071 ++#include "timers.h"
41072 ++#include "messages.h"
41073 ++#include "cookie.h"
41074 ++#include "socket.h"
41075 ++
41076 ++#include <linux/ip.h>
41077 ++#include <linux/ipv6.h>
41078 ++#include <linux/udp.h>
41079 ++#include <net/ip_tunnels.h>
41080 ++
41081 ++/* Must be called with bh disabled. */
41082 ++static void update_rx_stats(struct wg_peer *peer, size_t len)
41083 ++{
41084 ++ struct pcpu_sw_netstats *tstats =
41085 ++ get_cpu_ptr(peer->device->dev->tstats);
41086 ++
41087 ++ u64_stats_update_begin(&tstats->syncp);
41088 ++ ++tstats->rx_packets;
41089 ++ tstats->rx_bytes += len;
41090 ++ peer->rx_bytes += len;
41091 ++ u64_stats_update_end(&tstats->syncp);
41092 ++ put_cpu_ptr(tstats);
41093 ++}
41094 ++
41095 ++#define SKB_TYPE_LE32(skb) (((struct message_header *)(skb)->data)->type)
41096 ++
41097 ++static size_t validate_header_len(struct sk_buff *skb)
41098 ++{
41099 ++ if (unlikely(skb->len < sizeof(struct message_header)))
41100 ++ return 0;
41101 ++ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_DATA) &&
41102 ++ skb->len >= MESSAGE_MINIMUM_LENGTH)
41103 ++ return sizeof(struct message_data);
41104 ++ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION) &&
41105 ++ skb->len == sizeof(struct message_handshake_initiation))
41106 ++ return sizeof(struct message_handshake_initiation);
41107 ++ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE) &&
41108 ++ skb->len == sizeof(struct message_handshake_response))
41109 ++ return sizeof(struct message_handshake_response);
41110 ++ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE) &&
41111 ++ skb->len == sizeof(struct message_handshake_cookie))
41112 ++ return sizeof(struct message_handshake_cookie);
41113 ++ return 0;
41114 ++}
41115 ++
41116 ++static int prepare_skb_header(struct sk_buff *skb, struct wg_device *wg)
41117 ++{
41118 ++ size_t data_offset, data_len, header_len;
41119 ++ struct udphdr *udp;
41120 ++
41121 ++ if (unlikely(!wg_check_packet_protocol(skb) ||
41122 ++ skb_transport_header(skb) < skb->head ||
41123 ++ (skb_transport_header(skb) + sizeof(struct udphdr)) >
41124 ++ skb_tail_pointer(skb)))
41125 ++ return -EINVAL; /* Bogus IP header */
41126 ++ udp = udp_hdr(skb);
41127 ++ data_offset = (u8 *)udp - skb->data;
41128 ++ if (unlikely(data_offset > U16_MAX ||
41129 ++ data_offset + sizeof(struct udphdr) > skb->len))
41130 ++ /* Packet has offset at impossible location or isn't big enough
41131 ++ * to have UDP fields.
41132 ++ */
41133 ++ return -EINVAL;
41134 ++ data_len = ntohs(udp->len);
41135 ++ if (unlikely(data_len < sizeof(struct udphdr) ||
41136 ++ data_len > skb->len - data_offset))
41137 ++ /* UDP packet is reporting too small of a size or lying about
41138 ++ * its size.
41139 ++ */
41140 ++ return -EINVAL;
41141 ++ data_len -= sizeof(struct udphdr);
41142 ++ data_offset = (u8 *)udp + sizeof(struct udphdr) - skb->data;
41143 ++ if (unlikely(!pskb_may_pull(skb,
41144 ++ data_offset + sizeof(struct message_header)) ||
41145 ++ pskb_trim(skb, data_len + data_offset) < 0))
41146 ++ return -EINVAL;
41147 ++ skb_pull(skb, data_offset);
41148 ++ if (unlikely(skb->len != data_len))
41149 ++ /* Final len does not agree with calculated len */
41150 ++ return -EINVAL;
41151 ++ header_len = validate_header_len(skb);
41152 ++ if (unlikely(!header_len))
41153 ++ return -EINVAL;
41154 ++ __skb_push(skb, data_offset);
41155 ++ if (unlikely(!pskb_may_pull(skb, data_offset + header_len)))
41156 ++ return -EINVAL;
41157 ++ __skb_pull(skb, data_offset);
41158 ++ return 0;
41159 ++}
41160 ++
41161 ++static void wg_receive_handshake_packet(struct wg_device *wg,
41162 ++ struct sk_buff *skb)
41163 ++{
41164 ++ enum cookie_mac_state mac_state;
41165 ++ struct wg_peer *peer = NULL;
41166 ++ /* This is global, so that our load calculation applies to the whole
41167 ++ * system. We don't care about races with it at all.
41168 ++ */
41169 ++ static u64 last_under_load;
41170 ++ bool packet_needs_cookie;
41171 ++ bool under_load;
41172 ++
41173 ++ if (SKB_TYPE_LE32(skb) == cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE)) {
41174 ++ net_dbg_skb_ratelimited("%s: Receiving cookie response from %pISpfsc\n",
41175 ++ wg->dev->name, skb);
41176 ++ wg_cookie_message_consume(
41177 ++ (struct message_handshake_cookie *)skb->data, wg);
41178 ++ return;
41179 ++ }
41180 ++
41181 ++ under_load = skb_queue_len(&wg->incoming_handshakes) >=
41182 ++ MAX_QUEUED_INCOMING_HANDSHAKES / 8;
41183 ++ if (under_load) {
41184 ++ last_under_load = ktime_get_coarse_boottime_ns();
41185 ++ } else if (last_under_load) {
41186 ++ under_load = !wg_birthdate_has_expired(last_under_load, 1);
41187 ++ if (!under_load)
41188 ++ last_under_load = 0;
41189 ++ }
41190 ++ mac_state = wg_cookie_validate_packet(&wg->cookie_checker, skb,
41191 ++ under_load);
41192 ++ if ((under_load && mac_state == VALID_MAC_WITH_COOKIE) ||
41193 ++ (!under_load && mac_state == VALID_MAC_BUT_NO_COOKIE)) {
41194 ++ packet_needs_cookie = false;
41195 ++ } else if (under_load && mac_state == VALID_MAC_BUT_NO_COOKIE) {
41196 ++ packet_needs_cookie = true;
41197 ++ } else {
41198 ++ net_dbg_skb_ratelimited("%s: Invalid MAC of handshake, dropping packet from %pISpfsc\n",
41199 ++ wg->dev->name, skb);
41200 ++ return;
41201 ++ }
41202 ++
41203 ++ switch (SKB_TYPE_LE32(skb)) {
41204 ++ case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION): {
41205 ++ struct message_handshake_initiation *message =
41206 ++ (struct message_handshake_initiation *)skb->data;
41207 ++
41208 ++ if (packet_needs_cookie) {
41209 ++ wg_packet_send_handshake_cookie(wg, skb,
41210 ++ message->sender_index);
41211 ++ return;
41212 ++ }
41213 ++ peer = wg_noise_handshake_consume_initiation(message, wg);
41214 ++ if (unlikely(!peer)) {
41215 ++ net_dbg_skb_ratelimited("%s: Invalid handshake initiation from %pISpfsc\n",
41216 ++ wg->dev->name, skb);
41217 ++ return;
41218 ++ }
41219 ++ wg_socket_set_peer_endpoint_from_skb(peer, skb);
41220 ++ net_dbg_ratelimited("%s: Receiving handshake initiation from peer %llu (%pISpfsc)\n",
41221 ++ wg->dev->name, peer->internal_id,
41222 ++ &peer->endpoint.addr);
41223 ++ wg_packet_send_handshake_response(peer);
41224 ++ break;
41225 ++ }
41226 ++ case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE): {
41227 ++ struct message_handshake_response *message =
41228 ++ (struct message_handshake_response *)skb->data;
41229 ++
41230 ++ if (packet_needs_cookie) {
41231 ++ wg_packet_send_handshake_cookie(wg, skb,
41232 ++ message->sender_index);
41233 ++ return;
41234 ++ }
41235 ++ peer = wg_noise_handshake_consume_response(message, wg);
41236 ++ if (unlikely(!peer)) {
41237 ++ net_dbg_skb_ratelimited("%s: Invalid handshake response from %pISpfsc\n",
41238 ++ wg->dev->name, skb);
41239 ++ return;
41240 ++ }
41241 ++ wg_socket_set_peer_endpoint_from_skb(peer, skb);
41242 ++ net_dbg_ratelimited("%s: Receiving handshake response from peer %llu (%pISpfsc)\n",
41243 ++ wg->dev->name, peer->internal_id,
41244 ++ &peer->endpoint.addr);
41245 ++ if (wg_noise_handshake_begin_session(&peer->handshake,
41246 ++ &peer->keypairs)) {
41247 ++ wg_timers_session_derived(peer);
41248 ++ wg_timers_handshake_complete(peer);
41249 ++ /* Calling this function will either send any existing
41250 ++ * packets in the queue and not send a keepalive, which
41251 ++ * is the best case, Or, if there's nothing in the
41252 ++ * queue, it will send a keepalive, in order to give
41253 ++ * immediate confirmation of the session.
41254 ++ */
41255 ++ wg_packet_send_keepalive(peer);
41256 ++ }
41257 ++ break;
41258 ++ }
41259 ++ }
41260 ++
41261 ++ if (unlikely(!peer)) {
41262 ++ WARN(1, "Somehow a wrong type of packet wound up in the handshake queue!\n");
41263 ++ return;
41264 ++ }
41265 ++
41266 ++ local_bh_disable();
41267 ++ update_rx_stats(peer, skb->len);
41268 ++ local_bh_enable();
41269 ++
41270 ++ wg_timers_any_authenticated_packet_received(peer);
41271 ++ wg_timers_any_authenticated_packet_traversal(peer);
41272 ++ wg_peer_put(peer);
41273 ++}
41274 ++
41275 ++void wg_packet_handshake_receive_worker(struct work_struct *work)
41276 ++{
41277 ++ struct wg_device *wg = container_of(work, struct multicore_worker,
41278 ++ work)->ptr;
41279 ++ struct sk_buff *skb;
41280 ++
41281 ++ while ((skb = skb_dequeue(&wg->incoming_handshakes)) != NULL) {
41282 ++ wg_receive_handshake_packet(wg, skb);
41283 ++ dev_kfree_skb(skb);
41284 ++ cond_resched();
41285 ++ }
41286 ++}
41287 ++
41288 ++static void keep_key_fresh(struct wg_peer *peer)
41289 ++{
41290 ++ struct noise_keypair *keypair;
41291 ++ bool send;
41292 ++
41293 ++ if (peer->sent_lastminute_handshake)
41294 ++ return;
41295 ++
41296 ++ rcu_read_lock_bh();
41297 ++ keypair = rcu_dereference_bh(peer->keypairs.current_keypair);
41298 ++ send = keypair && READ_ONCE(keypair->sending.is_valid) &&
41299 ++ keypair->i_am_the_initiator &&
41300 ++ wg_birthdate_has_expired(keypair->sending.birthdate,
41301 ++ REJECT_AFTER_TIME - KEEPALIVE_TIMEOUT - REKEY_TIMEOUT);
41302 ++ rcu_read_unlock_bh();
41303 ++
41304 ++ if (unlikely(send)) {
41305 ++ peer->sent_lastminute_handshake = true;
41306 ++ wg_packet_send_queued_handshake_initiation(peer, false);
41307 ++ }
41308 ++}
41309 ++
41310 ++static bool decrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
41311 ++{
41312 ++ struct scatterlist sg[MAX_SKB_FRAGS + 8];
41313 ++ struct sk_buff *trailer;
41314 ++ unsigned int offset;
41315 ++ int num_frags;
41316 ++
41317 ++ if (unlikely(!keypair))
41318 ++ return false;
41319 ++
41320 ++ if (unlikely(!READ_ONCE(keypair->receiving.is_valid) ||
41321 ++ wg_birthdate_has_expired(keypair->receiving.birthdate, REJECT_AFTER_TIME) ||
41322 ++ keypair->receiving_counter.counter >= REJECT_AFTER_MESSAGES)) {
41323 ++ WRITE_ONCE(keypair->receiving.is_valid, false);
41324 ++ return false;
41325 ++ }
41326 ++
41327 ++ PACKET_CB(skb)->nonce =
41328 ++ le64_to_cpu(((struct message_data *)skb->data)->counter);
41329 ++
41330 ++ /* We ensure that the network header is part of the packet before we
41331 ++ * call skb_cow_data, so that there's no chance that data is removed
41332 ++ * from the skb, so that later we can extract the original endpoint.
41333 ++ */
41334 ++ offset = skb->data - skb_network_header(skb);
41335 ++ skb_push(skb, offset);
41336 ++ num_frags = skb_cow_data(skb, 0, &trailer);
41337 ++ offset += sizeof(struct message_data);
41338 ++ skb_pull(skb, offset);
41339 ++ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
41340 ++ return false;
41341 ++
41342 ++ sg_init_table(sg, num_frags);
41343 ++ if (skb_to_sgvec(skb, sg, 0, skb->len) <= 0)
41344 ++ return false;
41345 ++
41346 ++ if (!chacha20poly1305_decrypt_sg_inplace(sg, skb->len, NULL, 0,
41347 ++ PACKET_CB(skb)->nonce,
41348 ++ keypair->receiving.key))
41349 ++ return false;
41350 ++
41351 ++ /* Another ugly situation of pushing and pulling the header so as to
41352 ++ * keep endpoint information intact.
41353 ++ */
41354 ++ skb_push(skb, offset);
41355 ++ if (pskb_trim(skb, skb->len - noise_encrypted_len(0)))
41356 ++ return false;
41357 ++ skb_pull(skb, offset);
41358 ++
41359 ++ return true;
41360 ++}
41361 ++
41362 ++/* This is RFC6479, a replay detection bitmap algorithm that avoids bitshifts */
41363 ++static bool counter_validate(struct noise_replay_counter *counter, u64 their_counter)
41364 ++{
41365 ++ unsigned long index, index_current, top, i;
41366 ++ bool ret = false;
41367 ++
41368 ++ spin_lock_bh(&counter->lock);
41369 ++
41370 ++ if (unlikely(counter->counter >= REJECT_AFTER_MESSAGES + 1 ||
41371 ++ their_counter >= REJECT_AFTER_MESSAGES))
41372 ++ goto out;
41373 ++
41374 ++ ++their_counter;
41375 ++
41376 ++ if (unlikely((COUNTER_WINDOW_SIZE + their_counter) <
41377 ++ counter->counter))
41378 ++ goto out;
41379 ++
41380 ++ index = their_counter >> ilog2(BITS_PER_LONG);
41381 ++
41382 ++ if (likely(their_counter > counter->counter)) {
41383 ++ index_current = counter->counter >> ilog2(BITS_PER_LONG);
41384 ++ top = min_t(unsigned long, index - index_current,
41385 ++ COUNTER_BITS_TOTAL / BITS_PER_LONG);
41386 ++ for (i = 1; i <= top; ++i)
41387 ++ counter->backtrack[(i + index_current) &
41388 ++ ((COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1)] = 0;
41389 ++ counter->counter = their_counter;
41390 ++ }
41391 ++
41392 ++ index &= (COUNTER_BITS_TOTAL / BITS_PER_LONG) - 1;
41393 ++ ret = !test_and_set_bit(their_counter & (BITS_PER_LONG - 1),
41394 ++ &counter->backtrack[index]);
41395 ++
41396 ++out:
41397 ++ spin_unlock_bh(&counter->lock);
41398 ++ return ret;
41399 ++}
41400 ++
41401 ++#include "selftest/counter.c"
41402 ++
41403 ++static void wg_packet_consume_data_done(struct wg_peer *peer,
41404 ++ struct sk_buff *skb,
41405 ++ struct endpoint *endpoint)
41406 ++{
41407 ++ struct net_device *dev = peer->device->dev;
41408 ++ unsigned int len, len_before_trim;
41409 ++ struct wg_peer *routed_peer;
41410 ++
41411 ++ wg_socket_set_peer_endpoint(peer, endpoint);
41412 ++
41413 ++ if (unlikely(wg_noise_received_with_keypair(&peer->keypairs,
41414 ++ PACKET_CB(skb)->keypair))) {
41415 ++ wg_timers_handshake_complete(peer);
41416 ++ wg_packet_send_staged_packets(peer);
41417 ++ }
41418 ++
41419 ++ keep_key_fresh(peer);
41420 ++
41421 ++ wg_timers_any_authenticated_packet_received(peer);
41422 ++ wg_timers_any_authenticated_packet_traversal(peer);
41423 ++
41424 ++ /* A packet with length 0 is a keepalive packet */
41425 ++ if (unlikely(!skb->len)) {
41426 ++ update_rx_stats(peer, message_data_len(0));
41427 ++ net_dbg_ratelimited("%s: Receiving keepalive packet from peer %llu (%pISpfsc)\n",
41428 ++ dev->name, peer->internal_id,
41429 ++ &peer->endpoint.addr);
41430 ++ goto packet_processed;
41431 ++ }
41432 ++
41433 ++ wg_timers_data_received(peer);
41434 ++
41435 ++ if (unlikely(skb_network_header(skb) < skb->head))
41436 ++ goto dishonest_packet_size;
41437 ++ if (unlikely(!(pskb_network_may_pull(skb, sizeof(struct iphdr)) &&
41438 ++ (ip_hdr(skb)->version == 4 ||
41439 ++ (ip_hdr(skb)->version == 6 &&
41440 ++ pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))))))
41441 ++ goto dishonest_packet_type;
41442 ++
41443 ++ skb->dev = dev;
41444 ++ /* We've already verified the Poly1305 auth tag, which means this packet
41445 ++ * was not modified in transit. We can therefore tell the networking
41446 ++ * stack that all checksums of every layer of encapsulation have already
41447 ++ * been checked "by the hardware" and therefore is unnecessary to check
41448 ++ * again in software.
41449 ++ */
41450 ++ skb->ip_summed = CHECKSUM_UNNECESSARY;
41451 ++ skb->csum_level = ~0; /* All levels */
41452 ++ skb->protocol = ip_tunnel_parse_protocol(skb);
41453 ++ if (skb->protocol == htons(ETH_P_IP)) {
41454 ++ len = ntohs(ip_hdr(skb)->tot_len);
41455 ++ if (unlikely(len < sizeof(struct iphdr)))
41456 ++ goto dishonest_packet_size;
41457 ++ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
41458 ++ } else if (skb->protocol == htons(ETH_P_IPV6)) {
41459 ++ len = ntohs(ipv6_hdr(skb)->payload_len) +
41460 ++ sizeof(struct ipv6hdr);
41461 ++ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
41462 ++ } else {
41463 ++ goto dishonest_packet_type;
41464 ++ }
41465 ++
41466 ++ if (unlikely(len > skb->len))
41467 ++ goto dishonest_packet_size;
41468 ++ len_before_trim = skb->len;
41469 ++ if (unlikely(pskb_trim(skb, len)))
41470 ++ goto packet_processed;
41471 ++
41472 ++ routed_peer = wg_allowedips_lookup_src(&peer->device->peer_allowedips,
41473 ++ skb);
41474 ++ wg_peer_put(routed_peer); /* We don't need the extra reference. */
41475 ++
41476 ++ if (unlikely(routed_peer != peer))
41477 ++ goto dishonest_packet_peer;
41478 ++
41479 ++ napi_gro_receive(&peer->napi, skb);
41480 ++ update_rx_stats(peer, message_data_len(len_before_trim));
41481 ++ return;
41482 ++
41483 ++dishonest_packet_peer:
41484 ++ net_dbg_skb_ratelimited("%s: Packet has unallowed src IP (%pISc) from peer %llu (%pISpfsc)\n",
41485 ++ dev->name, skb, peer->internal_id,
41486 ++ &peer->endpoint.addr);
41487 ++ ++dev->stats.rx_errors;
41488 ++ ++dev->stats.rx_frame_errors;
41489 ++ goto packet_processed;
41490 ++dishonest_packet_type:
41491 ++ net_dbg_ratelimited("%s: Packet is neither ipv4 nor ipv6 from peer %llu (%pISpfsc)\n",
41492 ++ dev->name, peer->internal_id, &peer->endpoint.addr);
41493 ++ ++dev->stats.rx_errors;
41494 ++ ++dev->stats.rx_frame_errors;
41495 ++ goto packet_processed;
41496 ++dishonest_packet_size:
41497 ++ net_dbg_ratelimited("%s: Packet has incorrect size from peer %llu (%pISpfsc)\n",
41498 ++ dev->name, peer->internal_id, &peer->endpoint.addr);
41499 ++ ++dev->stats.rx_errors;
41500 ++ ++dev->stats.rx_length_errors;
41501 ++ goto packet_processed;
41502 ++packet_processed:
41503 ++ dev_kfree_skb(skb);
41504 ++}
41505 ++
41506 ++int wg_packet_rx_poll(struct napi_struct *napi, int budget)
41507 ++{
41508 ++ struct wg_peer *peer = container_of(napi, struct wg_peer, napi);
41509 ++ struct noise_keypair *keypair;
41510 ++ struct endpoint endpoint;
41511 ++ enum packet_state state;
41512 ++ struct sk_buff *skb;
41513 ++ int work_done = 0;
41514 ++ bool free;
41515 ++
41516 ++ if (unlikely(budget <= 0))
41517 ++ return 0;
41518 ++
41519 ++ while ((skb = wg_prev_queue_peek(&peer->rx_queue)) != NULL &&
41520 ++ (state = atomic_read_acquire(&PACKET_CB(skb)->state)) !=
41521 ++ PACKET_STATE_UNCRYPTED) {
41522 ++ wg_prev_queue_drop_peeked(&peer->rx_queue);
41523 ++ keypair = PACKET_CB(skb)->keypair;
41524 ++ free = true;
41525 ++
41526 ++ if (unlikely(state != PACKET_STATE_CRYPTED))
41527 ++ goto next;
41528 ++
41529 ++ if (unlikely(!counter_validate(&keypair->receiving_counter,
41530 ++ PACKET_CB(skb)->nonce))) {
41531 ++ net_dbg_ratelimited("%s: Packet has invalid nonce %llu (max %llu)\n",
41532 ++ peer->device->dev->name,
41533 ++ PACKET_CB(skb)->nonce,
41534 ++ keypair->receiving_counter.counter);
41535 ++ goto next;
41536 ++ }
41537 ++
41538 ++ if (unlikely(wg_socket_endpoint_from_skb(&endpoint, skb)))
41539 ++ goto next;
41540 ++
41541 ++ wg_reset_packet(skb, false);
41542 ++ wg_packet_consume_data_done(peer, skb, &endpoint);
41543 ++ free = false;
41544 ++
41545 ++next:
41546 ++ wg_noise_keypair_put(keypair, false);
41547 ++ wg_peer_put(peer);
41548 ++ if (unlikely(free))
41549 ++ dev_kfree_skb(skb);
41550 ++
41551 ++ if (++work_done >= budget)
41552 ++ break;
41553 ++ }
41554 ++
41555 ++ if (work_done < budget)
41556 ++ napi_complete_done(napi, work_done);
41557 ++
41558 ++ return work_done;
41559 ++}
41560 ++
41561 ++void wg_packet_decrypt_worker(struct work_struct *work)
41562 ++{
41563 ++ struct crypt_queue *queue = container_of(work, struct multicore_worker,
41564 ++ work)->ptr;
41565 ++ struct sk_buff *skb;
41566 ++
41567 ++ while ((skb = ptr_ring_consume_bh(&queue->ring)) != NULL) {
41568 ++ enum packet_state state =
41569 ++ likely(decrypt_packet(skb, PACKET_CB(skb)->keypair)) ?
41570 ++ PACKET_STATE_CRYPTED : PACKET_STATE_DEAD;
41571 ++ wg_queue_enqueue_per_peer_rx(skb, state);
41572 ++ if (need_resched())
41573 ++ cond_resched();
41574 ++ }
41575 ++}
41576 ++
41577 ++static void wg_packet_consume_data(struct wg_device *wg, struct sk_buff *skb)
41578 ++{
41579 ++ __le32 idx = ((struct message_data *)skb->data)->key_idx;
41580 ++ struct wg_peer *peer = NULL;
41581 ++ int ret;
41582 ++
41583 ++ rcu_read_lock_bh();
41584 ++ PACKET_CB(skb)->keypair =
41585 ++ (struct noise_keypair *)wg_index_hashtable_lookup(
41586 ++ wg->index_hashtable, INDEX_HASHTABLE_KEYPAIR, idx,
41587 ++ &peer);
41588 ++ if (unlikely(!wg_noise_keypair_get(PACKET_CB(skb)->keypair)))
41589 ++ goto err_keypair;
41590 ++
41591 ++ if (unlikely(READ_ONCE(peer->is_dead)))
41592 ++ goto err;
41593 ++
41594 ++ ret = wg_queue_enqueue_per_device_and_peer(&wg->decrypt_queue, &peer->rx_queue, skb,
41595 ++ wg->packet_crypt_wq, &wg->decrypt_queue.last_cpu);
41596 ++ if (unlikely(ret == -EPIPE))
41597 ++ wg_queue_enqueue_per_peer_rx(skb, PACKET_STATE_DEAD);
41598 ++ if (likely(!ret || ret == -EPIPE)) {
41599 ++ rcu_read_unlock_bh();
41600 ++ return;
41601 ++ }
41602 ++err:
41603 ++ wg_noise_keypair_put(PACKET_CB(skb)->keypair, false);
41604 ++err_keypair:
41605 ++ rcu_read_unlock_bh();
41606 ++ wg_peer_put(peer);
41607 ++ dev_kfree_skb(skb);
41608 ++}
41609 ++
41610 ++void wg_packet_receive(struct wg_device *wg, struct sk_buff *skb)
41611 ++{
41612 ++ if (unlikely(prepare_skb_header(skb, wg) < 0))
41613 ++ goto err;
41614 ++ switch (SKB_TYPE_LE32(skb)) {
41615 ++ case cpu_to_le32(MESSAGE_HANDSHAKE_INITIATION):
41616 ++ case cpu_to_le32(MESSAGE_HANDSHAKE_RESPONSE):
41617 ++ case cpu_to_le32(MESSAGE_HANDSHAKE_COOKIE): {
41618 ++ int cpu;
41619 ++
41620 ++ if (skb_queue_len(&wg->incoming_handshakes) >
41621 ++ MAX_QUEUED_INCOMING_HANDSHAKES ||
41622 ++ unlikely(!rng_is_initialized())) {
41623 ++ net_dbg_skb_ratelimited("%s: Dropping handshake packet from %pISpfsc\n",
41624 ++ wg->dev->name, skb);
41625 ++ goto err;
41626 ++ }
41627 ++ skb_queue_tail(&wg->incoming_handshakes, skb);
41628 ++ /* Queues up a call to packet_process_queued_handshake_
41629 ++ * packets(skb):
41630 ++ */
41631 ++ cpu = wg_cpumask_next_online(&wg->incoming_handshake_cpu);
41632 ++ queue_work_on(cpu, wg->handshake_receive_wq,
41633 ++ &per_cpu_ptr(wg->incoming_handshakes_worker, cpu)->work);
41634 ++ break;
41635 ++ }
41636 ++ case cpu_to_le32(MESSAGE_DATA):
41637 ++ PACKET_CB(skb)->ds = ip_tunnel_get_dsfield(ip_hdr(skb), skb);
41638 ++ wg_packet_consume_data(wg, skb);
41639 ++ break;
41640 ++ default:
41641 ++ WARN(1, "Non-exhaustive parsing of packet header lead to unknown packet type!\n");
41642 ++ goto err;
41643 ++ }
41644 ++ return;
41645 ++
41646 ++err:
41647 ++ dev_kfree_skb(skb);
41648 ++}
41649 +--- /dev/null
41650 ++++ b/drivers/net/wireguard/selftest/allowedips.c
41651 +@@ -0,0 +1,683 @@
41652 ++// SPDX-License-Identifier: GPL-2.0
41653 ++/*
41654 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
41655 ++ *
41656 ++ * This contains some basic static unit tests for the allowedips data structure.
41657 ++ * It also has two additional modes that are disabled and meant to be used by
41658 ++ * folks directly playing with this file. If you define the macro
41659 ++ * DEBUG_PRINT_TRIE_GRAPHVIZ to be 1, then every time there's a full tree in
41660 ++ * memory, it will be printed out as KERN_DEBUG in a format that can be passed
41661 ++ * to graphviz (the dot command) to visualize it. If you define the macro
41662 ++ * DEBUG_RANDOM_TRIE to be 1, then there will be an extremely costly set of
41663 ++ * randomized tests done against a trivial implementation, which may take
41664 ++ * upwards of a half-hour to complete. There's no set of users who should be
41665 ++ * enabling these, and the only developers that should go anywhere near these
41666 ++ * nobs are the ones who are reading this comment.
41667 ++ */
41668 ++
41669 ++#ifdef DEBUG
41670 ++
41671 ++#include <linux/siphash.h>
41672 ++
41673 ++static __init void swap_endian_and_apply_cidr(u8 *dst, const u8 *src, u8 bits,
41674 ++ u8 cidr)
41675 ++{
41676 ++ swap_endian(dst, src, bits);
41677 ++ memset(dst + (cidr + 7) / 8, 0, bits / 8 - (cidr + 7) / 8);
41678 ++ if (cidr)
41679 ++ dst[(cidr + 7) / 8 - 1] &= ~0U << ((8 - (cidr % 8)) % 8);
41680 ++}
41681 ++
41682 ++static __init void print_node(struct allowedips_node *node, u8 bits)
41683 ++{
41684 ++ char *fmt_connection = KERN_DEBUG "\t\"%p/%d\" -> \"%p/%d\";\n";
41685 ++ char *fmt_declaration = KERN_DEBUG
41686 ++ "\t\"%p/%d\"[style=%s, color=\"#%06x\"];\n";
41687 ++ char *style = "dotted";
41688 ++ u8 ip1[16], ip2[16];
41689 ++ u32 color = 0;
41690 ++
41691 ++ if (bits == 32) {
41692 ++ fmt_connection = KERN_DEBUG "\t\"%pI4/%d\" -> \"%pI4/%d\";\n";
41693 ++ fmt_declaration = KERN_DEBUG
41694 ++ "\t\"%pI4/%d\"[style=%s, color=\"#%06x\"];\n";
41695 ++ } else if (bits == 128) {
41696 ++ fmt_connection = KERN_DEBUG "\t\"%pI6/%d\" -> \"%pI6/%d\";\n";
41697 ++ fmt_declaration = KERN_DEBUG
41698 ++ "\t\"%pI6/%d\"[style=%s, color=\"#%06x\"];\n";
41699 ++ }
41700 ++ if (node->peer) {
41701 ++ hsiphash_key_t key = { { 0 } };
41702 ++
41703 ++ memcpy(&key, &node->peer, sizeof(node->peer));
41704 ++ color = hsiphash_1u32(0xdeadbeef, &key) % 200 << 16 |
41705 ++ hsiphash_1u32(0xbabecafe, &key) % 200 << 8 |
41706 ++ hsiphash_1u32(0xabad1dea, &key) % 200;
41707 ++ style = "bold";
41708 ++ }
41709 ++ swap_endian_and_apply_cidr(ip1, node->bits, bits, node->cidr);
41710 ++ printk(fmt_declaration, ip1, node->cidr, style, color);
41711 ++ if (node->bit[0]) {
41712 ++ swap_endian_and_apply_cidr(ip2,
41713 ++ rcu_dereference_raw(node->bit[0])->bits, bits,
41714 ++ node->cidr);
41715 ++ printk(fmt_connection, ip1, node->cidr, ip2,
41716 ++ rcu_dereference_raw(node->bit[0])->cidr);
41717 ++ print_node(rcu_dereference_raw(node->bit[0]), bits);
41718 ++ }
41719 ++ if (node->bit[1]) {
41720 ++ swap_endian_and_apply_cidr(ip2,
41721 ++ rcu_dereference_raw(node->bit[1])->bits,
41722 ++ bits, node->cidr);
41723 ++ printk(fmt_connection, ip1, node->cidr, ip2,
41724 ++ rcu_dereference_raw(node->bit[1])->cidr);
41725 ++ print_node(rcu_dereference_raw(node->bit[1]), bits);
41726 ++ }
41727 ++}
41728 ++
41729 ++static __init void print_tree(struct allowedips_node __rcu *top, u8 bits)
41730 ++{
41731 ++ printk(KERN_DEBUG "digraph trie {\n");
41732 ++ print_node(rcu_dereference_raw(top), bits);
41733 ++ printk(KERN_DEBUG "}\n");
41734 ++}
41735 ++
41736 ++enum {
41737 ++ NUM_PEERS = 2000,
41738 ++ NUM_RAND_ROUTES = 400,
41739 ++ NUM_MUTATED_ROUTES = 100,
41740 ++ NUM_QUERIES = NUM_RAND_ROUTES * NUM_MUTATED_ROUTES * 30
41741 ++};
41742 ++
41743 ++struct horrible_allowedips {
41744 ++ struct hlist_head head;
41745 ++};
41746 ++
41747 ++struct horrible_allowedips_node {
41748 ++ struct hlist_node table;
41749 ++ union nf_inet_addr ip;
41750 ++ union nf_inet_addr mask;
41751 ++ u8 ip_version;
41752 ++ void *value;
41753 ++};
41754 ++
41755 ++static __init void horrible_allowedips_init(struct horrible_allowedips *table)
41756 ++{
41757 ++ INIT_HLIST_HEAD(&table->head);
41758 ++}
41759 ++
41760 ++static __init void horrible_allowedips_free(struct horrible_allowedips *table)
41761 ++{
41762 ++ struct horrible_allowedips_node *node;
41763 ++ struct hlist_node *h;
41764 ++
41765 ++ hlist_for_each_entry_safe(node, h, &table->head, table) {
41766 ++ hlist_del(&node->table);
41767 ++ kfree(node);
41768 ++ }
41769 ++}
41770 ++
41771 ++static __init inline union nf_inet_addr horrible_cidr_to_mask(u8 cidr)
41772 ++{
41773 ++ union nf_inet_addr mask;
41774 ++
41775 ++ memset(&mask, 0x00, 128 / 8);
41776 ++ memset(&mask, 0xff, cidr / 8);
41777 ++ if (cidr % 32)
41778 ++ mask.all[cidr / 32] = (__force u32)htonl(
41779 ++ (0xFFFFFFFFUL << (32 - (cidr % 32))) & 0xFFFFFFFFUL);
41780 ++ return mask;
41781 ++}
41782 ++
41783 ++static __init inline u8 horrible_mask_to_cidr(union nf_inet_addr subnet)
41784 ++{
41785 ++ return hweight32(subnet.all[0]) + hweight32(subnet.all[1]) +
41786 ++ hweight32(subnet.all[2]) + hweight32(subnet.all[3]);
41787 ++}
41788 ++
41789 ++static __init inline void
41790 ++horrible_mask_self(struct horrible_allowedips_node *node)
41791 ++{
41792 ++ if (node->ip_version == 4) {
41793 ++ node->ip.ip &= node->mask.ip;
41794 ++ } else if (node->ip_version == 6) {
41795 ++ node->ip.ip6[0] &= node->mask.ip6[0];
41796 ++ node->ip.ip6[1] &= node->mask.ip6[1];
41797 ++ node->ip.ip6[2] &= node->mask.ip6[2];
41798 ++ node->ip.ip6[3] &= node->mask.ip6[3];
41799 ++ }
41800 ++}
41801 ++
41802 ++static __init inline bool
41803 ++horrible_match_v4(const struct horrible_allowedips_node *node,
41804 ++ struct in_addr *ip)
41805 ++{
41806 ++ return (ip->s_addr & node->mask.ip) == node->ip.ip;
41807 ++}
41808 ++
41809 ++static __init inline bool
41810 ++horrible_match_v6(const struct horrible_allowedips_node *node,
41811 ++ struct in6_addr *ip)
41812 ++{
41813 ++ return (ip->in6_u.u6_addr32[0] & node->mask.ip6[0]) ==
41814 ++ node->ip.ip6[0] &&
41815 ++ (ip->in6_u.u6_addr32[1] & node->mask.ip6[1]) ==
41816 ++ node->ip.ip6[1] &&
41817 ++ (ip->in6_u.u6_addr32[2] & node->mask.ip6[2]) ==
41818 ++ node->ip.ip6[2] &&
41819 ++ (ip->in6_u.u6_addr32[3] & node->mask.ip6[3]) == node->ip.ip6[3];
41820 ++}
41821 ++
41822 ++static __init void
41823 ++horrible_insert_ordered(struct horrible_allowedips *table,
41824 ++ struct horrible_allowedips_node *node)
41825 ++{
41826 ++ struct horrible_allowedips_node *other = NULL, *where = NULL;
41827 ++ u8 my_cidr = horrible_mask_to_cidr(node->mask);
41828 ++
41829 ++ hlist_for_each_entry(other, &table->head, table) {
41830 ++ if (!memcmp(&other->mask, &node->mask,
41831 ++ sizeof(union nf_inet_addr)) &&
41832 ++ !memcmp(&other->ip, &node->ip,
41833 ++ sizeof(union nf_inet_addr)) &&
41834 ++ other->ip_version == node->ip_version) {
41835 ++ other->value = node->value;
41836 ++ kfree(node);
41837 ++ return;
41838 ++ }
41839 ++ where = other;
41840 ++ if (horrible_mask_to_cidr(other->mask) <= my_cidr)
41841 ++ break;
41842 ++ }
41843 ++ if (!other && !where)
41844 ++ hlist_add_head(&node->table, &table->head);
41845 ++ else if (!other)
41846 ++ hlist_add_behind(&node->table, &where->table);
41847 ++ else
41848 ++ hlist_add_before(&node->table, &where->table);
41849 ++}
41850 ++
41851 ++static __init int
41852 ++horrible_allowedips_insert_v4(struct horrible_allowedips *table,
41853 ++ struct in_addr *ip, u8 cidr, void *value)
41854 ++{
41855 ++ struct horrible_allowedips_node *node = kzalloc(sizeof(*node),
41856 ++ GFP_KERNEL);
41857 ++
41858 ++ if (unlikely(!node))
41859 ++ return -ENOMEM;
41860 ++ node->ip.in = *ip;
41861 ++ node->mask = horrible_cidr_to_mask(cidr);
41862 ++ node->ip_version = 4;
41863 ++ node->value = value;
41864 ++ horrible_mask_self(node);
41865 ++ horrible_insert_ordered(table, node);
41866 ++ return 0;
41867 ++}
41868 ++
41869 ++static __init int
41870 ++horrible_allowedips_insert_v6(struct horrible_allowedips *table,
41871 ++ struct in6_addr *ip, u8 cidr, void *value)
41872 ++{
41873 ++ struct horrible_allowedips_node *node = kzalloc(sizeof(*node),
41874 ++ GFP_KERNEL);
41875 ++
41876 ++ if (unlikely(!node))
41877 ++ return -ENOMEM;
41878 ++ node->ip.in6 = *ip;
41879 ++ node->mask = horrible_cidr_to_mask(cidr);
41880 ++ node->ip_version = 6;
41881 ++ node->value = value;
41882 ++ horrible_mask_self(node);
41883 ++ horrible_insert_ordered(table, node);
41884 ++ return 0;
41885 ++}
41886 ++
41887 ++static __init void *
41888 ++horrible_allowedips_lookup_v4(struct horrible_allowedips *table,
41889 ++ struct in_addr *ip)
41890 ++{
41891 ++ struct horrible_allowedips_node *node;
41892 ++ void *ret = NULL;
41893 ++
41894 ++ hlist_for_each_entry(node, &table->head, table) {
41895 ++ if (node->ip_version != 4)
41896 ++ continue;
41897 ++ if (horrible_match_v4(node, ip)) {
41898 ++ ret = node->value;
41899 ++ break;
41900 ++ }
41901 ++ }
41902 ++ return ret;
41903 ++}
41904 ++
41905 ++static __init void *
41906 ++horrible_allowedips_lookup_v6(struct horrible_allowedips *table,
41907 ++ struct in6_addr *ip)
41908 ++{
41909 ++ struct horrible_allowedips_node *node;
41910 ++ void *ret = NULL;
41911 ++
41912 ++ hlist_for_each_entry(node, &table->head, table) {
41913 ++ if (node->ip_version != 6)
41914 ++ continue;
41915 ++ if (horrible_match_v6(node, ip)) {
41916 ++ ret = node->value;
41917 ++ break;
41918 ++ }
41919 ++ }
41920 ++ return ret;
41921 ++}
41922 ++
41923 ++static __init bool randomized_test(void)
41924 ++{
41925 ++ unsigned int i, j, k, mutate_amount, cidr;
41926 ++ u8 ip[16], mutate_mask[16], mutated[16];
41927 ++ struct wg_peer **peers, *peer;
41928 ++ struct horrible_allowedips h;
41929 ++ DEFINE_MUTEX(mutex);
41930 ++ struct allowedips t;
41931 ++ bool ret = false;
41932 ++
41933 ++ mutex_init(&mutex);
41934 ++
41935 ++ wg_allowedips_init(&t);
41936 ++ horrible_allowedips_init(&h);
41937 ++
41938 ++ peers = kcalloc(NUM_PEERS, sizeof(*peers), GFP_KERNEL);
41939 ++ if (unlikely(!peers)) {
41940 ++ pr_err("allowedips random self-test malloc: FAIL\n");
41941 ++ goto free;
41942 ++ }
41943 ++ for (i = 0; i < NUM_PEERS; ++i) {
41944 ++ peers[i] = kzalloc(sizeof(*peers[i]), GFP_KERNEL);
41945 ++ if (unlikely(!peers[i])) {
41946 ++ pr_err("allowedips random self-test malloc: FAIL\n");
41947 ++ goto free;
41948 ++ }
41949 ++ kref_init(&peers[i]->refcount);
41950 ++ }
41951 ++
41952 ++ mutex_lock(&mutex);
41953 ++
41954 ++ for (i = 0; i < NUM_RAND_ROUTES; ++i) {
41955 ++ prandom_bytes(ip, 4);
41956 ++ cidr = prandom_u32_max(32) + 1;
41957 ++ peer = peers[prandom_u32_max(NUM_PEERS)];
41958 ++ if (wg_allowedips_insert_v4(&t, (struct in_addr *)ip, cidr,
41959 ++ peer, &mutex) < 0) {
41960 ++ pr_err("allowedips random self-test malloc: FAIL\n");
41961 ++ goto free_locked;
41962 ++ }
41963 ++ if (horrible_allowedips_insert_v4(&h, (struct in_addr *)ip,
41964 ++ cidr, peer) < 0) {
41965 ++ pr_err("allowedips random self-test malloc: FAIL\n");
41966 ++ goto free_locked;
41967 ++ }
41968 ++ for (j = 0; j < NUM_MUTATED_ROUTES; ++j) {
41969 ++ memcpy(mutated, ip, 4);
41970 ++ prandom_bytes(mutate_mask, 4);
41971 ++ mutate_amount = prandom_u32_max(32);
41972 ++ for (k = 0; k < mutate_amount / 8; ++k)
41973 ++ mutate_mask[k] = 0xff;
41974 ++ mutate_mask[k] = 0xff
41975 ++ << ((8 - (mutate_amount % 8)) % 8);
41976 ++ for (; k < 4; ++k)
41977 ++ mutate_mask[k] = 0;
41978 ++ for (k = 0; k < 4; ++k)
41979 ++ mutated[k] = (mutated[k] & mutate_mask[k]) |
41980 ++ (~mutate_mask[k] &
41981 ++ prandom_u32_max(256));
41982 ++ cidr = prandom_u32_max(32) + 1;
41983 ++ peer = peers[prandom_u32_max(NUM_PEERS)];
41984 ++ if (wg_allowedips_insert_v4(&t,
41985 ++ (struct in_addr *)mutated,
41986 ++ cidr, peer, &mutex) < 0) {
41987 ++ pr_err("allowedips random malloc: FAIL\n");
41988 ++ goto free_locked;
41989 ++ }
41990 ++ if (horrible_allowedips_insert_v4(&h,
41991 ++ (struct in_addr *)mutated, cidr, peer)) {
41992 ++ pr_err("allowedips random self-test malloc: FAIL\n");
41993 ++ goto free_locked;
41994 ++ }
41995 ++ }
41996 ++ }
41997 ++
41998 ++ for (i = 0; i < NUM_RAND_ROUTES; ++i) {
41999 ++ prandom_bytes(ip, 16);
42000 ++ cidr = prandom_u32_max(128) + 1;
42001 ++ peer = peers[prandom_u32_max(NUM_PEERS)];
42002 ++ if (wg_allowedips_insert_v6(&t, (struct in6_addr *)ip, cidr,
42003 ++ peer, &mutex) < 0) {
42004 ++ pr_err("allowedips random self-test malloc: FAIL\n");
42005 ++ goto free_locked;
42006 ++ }
42007 ++ if (horrible_allowedips_insert_v6(&h, (struct in6_addr *)ip,
42008 ++ cidr, peer) < 0) {
42009 ++ pr_err("allowedips random self-test malloc: FAIL\n");
42010 ++ goto free_locked;
42011 ++ }
42012 ++ for (j = 0; j < NUM_MUTATED_ROUTES; ++j) {
42013 ++ memcpy(mutated, ip, 16);
42014 ++ prandom_bytes(mutate_mask, 16);
42015 ++ mutate_amount = prandom_u32_max(128);
42016 ++ for (k = 0; k < mutate_amount / 8; ++k)
42017 ++ mutate_mask[k] = 0xff;
42018 ++ mutate_mask[k] = 0xff
42019 ++ << ((8 - (mutate_amount % 8)) % 8);
42020 ++ for (; k < 4; ++k)
42021 ++ mutate_mask[k] = 0;
42022 ++ for (k = 0; k < 4; ++k)
42023 ++ mutated[k] = (mutated[k] & mutate_mask[k]) |
42024 ++ (~mutate_mask[k] &
42025 ++ prandom_u32_max(256));
42026 ++ cidr = prandom_u32_max(128) + 1;
42027 ++ peer = peers[prandom_u32_max(NUM_PEERS)];
42028 ++ if (wg_allowedips_insert_v6(&t,
42029 ++ (struct in6_addr *)mutated,
42030 ++ cidr, peer, &mutex) < 0) {
42031 ++ pr_err("allowedips random self-test malloc: FAIL\n");
42032 ++ goto free_locked;
42033 ++ }
42034 ++ if (horrible_allowedips_insert_v6(
42035 ++ &h, (struct in6_addr *)mutated, cidr,
42036 ++ peer)) {
42037 ++ pr_err("allowedips random self-test malloc: FAIL\n");
42038 ++ goto free_locked;
42039 ++ }
42040 ++ }
42041 ++ }
42042 ++
42043 ++ mutex_unlock(&mutex);
42044 ++
42045 ++ if (IS_ENABLED(DEBUG_PRINT_TRIE_GRAPHVIZ)) {
42046 ++ print_tree(t.root4, 32);
42047 ++ print_tree(t.root6, 128);
42048 ++ }
42049 ++
42050 ++ for (i = 0; i < NUM_QUERIES; ++i) {
42051 ++ prandom_bytes(ip, 4);
42052 ++ if (lookup(t.root4, 32, ip) !=
42053 ++ horrible_allowedips_lookup_v4(&h, (struct in_addr *)ip)) {
42054 ++ pr_err("allowedips random self-test: FAIL\n");
42055 ++ goto free;
42056 ++ }
42057 ++ }
42058 ++
42059 ++ for (i = 0; i < NUM_QUERIES; ++i) {
42060 ++ prandom_bytes(ip, 16);
42061 ++ if (lookup(t.root6, 128, ip) !=
42062 ++ horrible_allowedips_lookup_v6(&h, (struct in6_addr *)ip)) {
42063 ++ pr_err("allowedips random self-test: FAIL\n");
42064 ++ goto free;
42065 ++ }
42066 ++ }
42067 ++ ret = true;
42068 ++
42069 ++free:
42070 ++ mutex_lock(&mutex);
42071 ++free_locked:
42072 ++ wg_allowedips_free(&t, &mutex);
42073 ++ mutex_unlock(&mutex);
42074 ++ horrible_allowedips_free(&h);
42075 ++ if (peers) {
42076 ++ for (i = 0; i < NUM_PEERS; ++i)
42077 ++ kfree(peers[i]);
42078 ++ }
42079 ++ kfree(peers);
42080 ++ return ret;
42081 ++}
42082 ++
42083 ++static __init inline struct in_addr *ip4(u8 a, u8 b, u8 c, u8 d)
42084 ++{
42085 ++ static struct in_addr ip;
42086 ++ u8 *split = (u8 *)&ip;
42087 ++
42088 ++ split[0] = a;
42089 ++ split[1] = b;
42090 ++ split[2] = c;
42091 ++ split[3] = d;
42092 ++ return &ip;
42093 ++}
42094 ++
42095 ++static __init inline struct in6_addr *ip6(u32 a, u32 b, u32 c, u32 d)
42096 ++{
42097 ++ static struct in6_addr ip;
42098 ++ __be32 *split = (__be32 *)&ip;
42099 ++
42100 ++ split[0] = cpu_to_be32(a);
42101 ++ split[1] = cpu_to_be32(b);
42102 ++ split[2] = cpu_to_be32(c);
42103 ++ split[3] = cpu_to_be32(d);
42104 ++ return &ip;
42105 ++}
42106 ++
42107 ++static __init struct wg_peer *init_peer(void)
42108 ++{
42109 ++ struct wg_peer *peer = kzalloc(sizeof(*peer), GFP_KERNEL);
42110 ++
42111 ++ if (!peer)
42112 ++ return NULL;
42113 ++ kref_init(&peer->refcount);
42114 ++ INIT_LIST_HEAD(&peer->allowedips_list);
42115 ++ return peer;
42116 ++}
42117 ++
42118 ++#define insert(version, mem, ipa, ipb, ipc, ipd, cidr) \
42119 ++ wg_allowedips_insert_v##version(&t, ip##version(ipa, ipb, ipc, ipd), \
42120 ++ cidr, mem, &mutex)
42121 ++
42122 ++#define maybe_fail() do { \
42123 ++ ++i; \
42124 ++ if (!_s) { \
42125 ++ pr_info("allowedips self-test %zu: FAIL\n", i); \
42126 ++ success = false; \
42127 ++ } \
42128 ++ } while (0)
42129 ++
42130 ++#define test(version, mem, ipa, ipb, ipc, ipd) do { \
42131 ++ bool _s = lookup(t.root##version, (version) == 4 ? 32 : 128, \
42132 ++ ip##version(ipa, ipb, ipc, ipd)) == (mem); \
42133 ++ maybe_fail(); \
42134 ++ } while (0)
42135 ++
42136 ++#define test_negative(version, mem, ipa, ipb, ipc, ipd) do { \
42137 ++ bool _s = lookup(t.root##version, (version) == 4 ? 32 : 128, \
42138 ++ ip##version(ipa, ipb, ipc, ipd)) != (mem); \
42139 ++ maybe_fail(); \
42140 ++ } while (0)
42141 ++
42142 ++#define test_boolean(cond) do { \
42143 ++ bool _s = (cond); \
42144 ++ maybe_fail(); \
42145 ++ } while (0)
42146 ++
42147 ++bool __init wg_allowedips_selftest(void)
42148 ++{
42149 ++ bool found_a = false, found_b = false, found_c = false, found_d = false,
42150 ++ found_e = false, found_other = false;
42151 ++ struct wg_peer *a = init_peer(), *b = init_peer(), *c = init_peer(),
42152 ++ *d = init_peer(), *e = init_peer(), *f = init_peer(),
42153 ++ *g = init_peer(), *h = init_peer();
42154 ++ struct allowedips_node *iter_node;
42155 ++ bool success = false;
42156 ++ struct allowedips t;
42157 ++ DEFINE_MUTEX(mutex);
42158 ++ struct in6_addr ip;
42159 ++ size_t i = 0, count = 0;
42160 ++ __be64 part;
42161 ++
42162 ++ mutex_init(&mutex);
42163 ++ mutex_lock(&mutex);
42164 ++ wg_allowedips_init(&t);
42165 ++
42166 ++ if (!a || !b || !c || !d || !e || !f || !g || !h) {
42167 ++ pr_err("allowedips self-test malloc: FAIL\n");
42168 ++ goto free;
42169 ++ }
42170 ++
42171 ++ insert(4, a, 192, 168, 4, 0, 24);
42172 ++ insert(4, b, 192, 168, 4, 4, 32);
42173 ++ insert(4, c, 192, 168, 0, 0, 16);
42174 ++ insert(4, d, 192, 95, 5, 64, 27);
42175 ++ /* replaces previous entry, and maskself is required */
42176 ++ insert(4, c, 192, 95, 5, 65, 27);
42177 ++ insert(6, d, 0x26075300, 0x60006b00, 0, 0xc05f0543, 128);
42178 ++ insert(6, c, 0x26075300, 0x60006b00, 0, 0, 64);
42179 ++ insert(4, e, 0, 0, 0, 0, 0);
42180 ++ insert(6, e, 0, 0, 0, 0, 0);
42181 ++ /* replaces previous entry */
42182 ++ insert(6, f, 0, 0, 0, 0, 0);
42183 ++ insert(6, g, 0x24046800, 0, 0, 0, 32);
42184 ++ /* maskself is required */
42185 ++ insert(6, h, 0x24046800, 0x40040800, 0xdeadbeef, 0xdeadbeef, 64);
42186 ++ insert(6, a, 0x24046800, 0x40040800, 0xdeadbeef, 0xdeadbeef, 128);
42187 ++ insert(6, c, 0x24446800, 0x40e40800, 0xdeaebeef, 0xdefbeef, 128);
42188 ++ insert(6, b, 0x24446800, 0xf0e40800, 0xeeaebeef, 0, 98);
42189 ++ insert(4, g, 64, 15, 112, 0, 20);
42190 ++ /* maskself is required */
42191 ++ insert(4, h, 64, 15, 123, 211, 25);
42192 ++ insert(4, a, 10, 0, 0, 0, 25);
42193 ++ insert(4, b, 10, 0, 0, 128, 25);
42194 ++ insert(4, a, 10, 1, 0, 0, 30);
42195 ++ insert(4, b, 10, 1, 0, 4, 30);
42196 ++ insert(4, c, 10, 1, 0, 8, 29);
42197 ++ insert(4, d, 10, 1, 0, 16, 29);
42198 ++
42199 ++ if (IS_ENABLED(DEBUG_PRINT_TRIE_GRAPHVIZ)) {
42200 ++ print_tree(t.root4, 32);
42201 ++ print_tree(t.root6, 128);
42202 ++ }
42203 ++
42204 ++ success = true;
42205 ++
42206 ++ test(4, a, 192, 168, 4, 20);
42207 ++ test(4, a, 192, 168, 4, 0);
42208 ++ test(4, b, 192, 168, 4, 4);
42209 ++ test(4, c, 192, 168, 200, 182);
42210 ++ test(4, c, 192, 95, 5, 68);
42211 ++ test(4, e, 192, 95, 5, 96);
42212 ++ test(6, d, 0x26075300, 0x60006b00, 0, 0xc05f0543);
42213 ++ test(6, c, 0x26075300, 0x60006b00, 0, 0xc02e01ee);
42214 ++ test(6, f, 0x26075300, 0x60006b01, 0, 0);
42215 ++ test(6, g, 0x24046800, 0x40040806, 0, 0x1006);
42216 ++ test(6, g, 0x24046800, 0x40040806, 0x1234, 0x5678);
42217 ++ test(6, f, 0x240467ff, 0x40040806, 0x1234, 0x5678);
42218 ++ test(6, f, 0x24046801, 0x40040806, 0x1234, 0x5678);
42219 ++ test(6, h, 0x24046800, 0x40040800, 0x1234, 0x5678);
42220 ++ test(6, h, 0x24046800, 0x40040800, 0, 0);
42221 ++ test(6, h, 0x24046800, 0x40040800, 0x10101010, 0x10101010);
42222 ++ test(6, a, 0x24046800, 0x40040800, 0xdeadbeef, 0xdeadbeef);
42223 ++ test(4, g, 64, 15, 116, 26);
42224 ++ test(4, g, 64, 15, 127, 3);
42225 ++ test(4, g, 64, 15, 123, 1);
42226 ++ test(4, h, 64, 15, 123, 128);
42227 ++ test(4, h, 64, 15, 123, 129);
42228 ++ test(4, a, 10, 0, 0, 52);
42229 ++ test(4, b, 10, 0, 0, 220);
42230 ++ test(4, a, 10, 1, 0, 2);
42231 ++ test(4, b, 10, 1, 0, 6);
42232 ++ test(4, c, 10, 1, 0, 10);
42233 ++ test(4, d, 10, 1, 0, 20);
42234 ++
42235 ++ insert(4, a, 1, 0, 0, 0, 32);
42236 ++ insert(4, a, 64, 0, 0, 0, 32);
42237 ++ insert(4, a, 128, 0, 0, 0, 32);
42238 ++ insert(4, a, 192, 0, 0, 0, 32);
42239 ++ insert(4, a, 255, 0, 0, 0, 32);
42240 ++ wg_allowedips_remove_by_peer(&t, a, &mutex);
42241 ++ test_negative(4, a, 1, 0, 0, 0);
42242 ++ test_negative(4, a, 64, 0, 0, 0);
42243 ++ test_negative(4, a, 128, 0, 0, 0);
42244 ++ test_negative(4, a, 192, 0, 0, 0);
42245 ++ test_negative(4, a, 255, 0, 0, 0);
42246 ++
42247 ++ wg_allowedips_free(&t, &mutex);
42248 ++ wg_allowedips_init(&t);
42249 ++ insert(4, a, 192, 168, 0, 0, 16);
42250 ++ insert(4, a, 192, 168, 0, 0, 24);
42251 ++ wg_allowedips_remove_by_peer(&t, a, &mutex);
42252 ++ test_negative(4, a, 192, 168, 0, 1);
42253 ++
42254 ++ /* These will hit the WARN_ON(len >= 128) in free_node if something
42255 ++ * goes wrong.
42256 ++ */
42257 ++ for (i = 0; i < 128; ++i) {
42258 ++ part = cpu_to_be64(~(1LLU << (i % 64)));
42259 ++ memset(&ip, 0xff, 16);
42260 ++ memcpy((u8 *)&ip + (i < 64) * 8, &part, 8);
42261 ++ wg_allowedips_insert_v6(&t, &ip, 128, a, &mutex);
42262 ++ }
42263 ++
42264 ++ wg_allowedips_free(&t, &mutex);
42265 ++
42266 ++ wg_allowedips_init(&t);
42267 ++ insert(4, a, 192, 95, 5, 93, 27);
42268 ++ insert(6, a, 0x26075300, 0x60006b00, 0, 0xc05f0543, 128);
42269 ++ insert(4, a, 10, 1, 0, 20, 29);
42270 ++ insert(6, a, 0x26075300, 0x6d8a6bf8, 0xdab1f1df, 0xc05f1523, 83);
42271 ++ insert(6, a, 0x26075300, 0x6d8a6bf8, 0xdab1f1df, 0xc05f1523, 21);
42272 ++ list_for_each_entry(iter_node, &a->allowedips_list, peer_list) {
42273 ++ u8 cidr, ip[16] __aligned(__alignof(u64));
42274 ++ int family = wg_allowedips_read_node(iter_node, ip, &cidr);
42275 ++
42276 ++ count++;
42277 ++
42278 ++ if (cidr == 27 && family == AF_INET &&
42279 ++ !memcmp(ip, ip4(192, 95, 5, 64), sizeof(struct in_addr)))
42280 ++ found_a = true;
42281 ++ else if (cidr == 128 && family == AF_INET6 &&
42282 ++ !memcmp(ip, ip6(0x26075300, 0x60006b00, 0, 0xc05f0543),
42283 ++ sizeof(struct in6_addr)))
42284 ++ found_b = true;
42285 ++ else if (cidr == 29 && family == AF_INET &&
42286 ++ !memcmp(ip, ip4(10, 1, 0, 16), sizeof(struct in_addr)))
42287 ++ found_c = true;
42288 ++ else if (cidr == 83 && family == AF_INET6 &&
42289 ++ !memcmp(ip, ip6(0x26075300, 0x6d8a6bf8, 0xdab1e000, 0),
42290 ++ sizeof(struct in6_addr)))
42291 ++ found_d = true;
42292 ++ else if (cidr == 21 && family == AF_INET6 &&
42293 ++ !memcmp(ip, ip6(0x26075000, 0, 0, 0),
42294 ++ sizeof(struct in6_addr)))
42295 ++ found_e = true;
42296 ++ else
42297 ++ found_other = true;
42298 ++ }
42299 ++ test_boolean(count == 5);
42300 ++ test_boolean(found_a);
42301 ++ test_boolean(found_b);
42302 ++ test_boolean(found_c);
42303 ++ test_boolean(found_d);
42304 ++ test_boolean(found_e);
42305 ++ test_boolean(!found_other);
42306 ++
42307 ++ if (IS_ENABLED(DEBUG_RANDOM_TRIE) && success)
42308 ++ success = randomized_test();
42309 ++
42310 ++ if (success)
42311 ++ pr_info("allowedips self-tests: pass\n");
42312 ++
42313 ++free:
42314 ++ wg_allowedips_free(&t, &mutex);
42315 ++ kfree(a);
42316 ++ kfree(b);
42317 ++ kfree(c);
42318 ++ kfree(d);
42319 ++ kfree(e);
42320 ++ kfree(f);
42321 ++ kfree(g);
42322 ++ kfree(h);
42323 ++ mutex_unlock(&mutex);
42324 ++
42325 ++ return success;
42326 ++}
42327 ++
42328 ++#undef test_negative
42329 ++#undef test
42330 ++#undef remove
42331 ++#undef insert
42332 ++#undef init_peer
42333 ++
42334 ++#endif
42335 +--- b/drivers/net/wireguard/selftest/counter.c
42336 ++++ b/drivers/net/wireguard/selftest/counter.c
42337 +@@ -0,0 +1,111 @@
42338 ++// SPDX-License-Identifier: GPL-2.0
42339 ++/*
42340 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42341 ++ */
42342 ++
42343 ++#ifdef DEBUG
42344 ++bool __init wg_packet_counter_selftest(void)
42345 ++{
42346 ++ struct noise_replay_counter *counter;
42347 ++ unsigned int test_num = 0, i;
42348 ++ bool success = true;
42349 ++
42350 ++ counter = kmalloc(sizeof(*counter), GFP_KERNEL);
42351 ++ if (unlikely(!counter)) {
42352 ++ pr_err("nonce counter self-test malloc: FAIL\n");
42353 ++ return false;
42354 ++ }
42355 ++
42356 ++#define T_INIT do { \
42357 ++ memset(counter, 0, sizeof(*counter)); \
42358 ++ spin_lock_init(&counter->lock); \
42359 ++ } while (0)
42360 ++#define T_LIM (COUNTER_WINDOW_SIZE + 1)
42361 ++#define T(n, v) do { \
42362 ++ ++test_num; \
42363 ++ if (counter_validate(counter, n) != (v)) { \
42364 ++ pr_err("nonce counter self-test %u: FAIL\n", \
42365 ++ test_num); \
42366 ++ success = false; \
42367 ++ } \
42368 ++ } while (0)
42369 ++
42370 ++ T_INIT;
42371 ++ /* 1 */ T(0, true);
42372 ++ /* 2 */ T(1, true);
42373 ++ /* 3 */ T(1, false);
42374 ++ /* 4 */ T(9, true);
42375 ++ /* 5 */ T(8, true);
42376 ++ /* 6 */ T(7, true);
42377 ++ /* 7 */ T(7, false);
42378 ++ /* 8 */ T(T_LIM, true);
42379 ++ /* 9 */ T(T_LIM - 1, true);
42380 ++ /* 10 */ T(T_LIM - 1, false);
42381 ++ /* 11 */ T(T_LIM - 2, true);
42382 ++ /* 12 */ T(2, true);
42383 ++ /* 13 */ T(2, false);
42384 ++ /* 14 */ T(T_LIM + 16, true);
42385 ++ /* 15 */ T(3, false);
42386 ++ /* 16 */ T(T_LIM + 16, false);
42387 ++ /* 17 */ T(T_LIM * 4, true);
42388 ++ /* 18 */ T(T_LIM * 4 - (T_LIM - 1), true);
42389 ++ /* 19 */ T(10, false);
42390 ++ /* 20 */ T(T_LIM * 4 - T_LIM, false);
42391 ++ /* 21 */ T(T_LIM * 4 - (T_LIM + 1), false);
42392 ++ /* 22 */ T(T_LIM * 4 - (T_LIM - 2), true);
42393 ++ /* 23 */ T(T_LIM * 4 + 1 - T_LIM, false);
42394 ++ /* 24 */ T(0, false);
42395 ++ /* 25 */ T(REJECT_AFTER_MESSAGES, false);
42396 ++ /* 26 */ T(REJECT_AFTER_MESSAGES - 1, true);
42397 ++ /* 27 */ T(REJECT_AFTER_MESSAGES, false);
42398 ++ /* 28 */ T(REJECT_AFTER_MESSAGES - 1, false);
42399 ++ /* 29 */ T(REJECT_AFTER_MESSAGES - 2, true);
42400 ++ /* 30 */ T(REJECT_AFTER_MESSAGES + 1, false);
42401 ++ /* 31 */ T(REJECT_AFTER_MESSAGES + 2, false);
42402 ++ /* 32 */ T(REJECT_AFTER_MESSAGES - 2, false);
42403 ++ /* 33 */ T(REJECT_AFTER_MESSAGES - 3, true);
42404 ++ /* 34 */ T(0, false);
42405 ++
42406 ++ T_INIT;
42407 ++ for (i = 1; i <= COUNTER_WINDOW_SIZE; ++i)
42408 ++ T(i, true);
42409 ++ T(0, true);
42410 ++ T(0, false);
42411 ++
42412 ++ T_INIT;
42413 ++ for (i = 2; i <= COUNTER_WINDOW_SIZE + 1; ++i)
42414 ++ T(i, true);
42415 ++ T(1, true);
42416 ++ T(0, false);
42417 ++
42418 ++ T_INIT;
42419 ++ for (i = COUNTER_WINDOW_SIZE + 1; i-- > 0;)
42420 ++ T(i, true);
42421 ++
42422 ++ T_INIT;
42423 ++ for (i = COUNTER_WINDOW_SIZE + 2; i-- > 1;)
42424 ++ T(i, true);
42425 ++ T(0, false);
42426 ++
42427 ++ T_INIT;
42428 ++ for (i = COUNTER_WINDOW_SIZE + 1; i-- > 1;)
42429 ++ T(i, true);
42430 ++ T(COUNTER_WINDOW_SIZE + 1, true);
42431 ++ T(0, false);
42432 ++
42433 ++ T_INIT;
42434 ++ for (i = COUNTER_WINDOW_SIZE + 1; i-- > 1;)
42435 ++ T(i, true);
42436 ++ T(0, true);
42437 ++ T(COUNTER_WINDOW_SIZE + 1, true);
42438 ++
42439 ++#undef T
42440 ++#undef T_LIM
42441 ++#undef T_INIT
42442 ++
42443 ++ if (success)
42444 ++ pr_info("nonce counter self-tests: pass\n");
42445 ++ kfree(counter);
42446 ++ return success;
42447 ++}
42448 ++#endif
42449 +--- b/drivers/net/wireguard/selftest/ratelimiter.c
42450 ++++ b/drivers/net/wireguard/selftest/ratelimiter.c
42451 +@@ -0,0 +1,226 @@
42452 ++// SPDX-License-Identifier: GPL-2.0
42453 ++/*
42454 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42455 ++ */
42456 ++
42457 ++#ifdef DEBUG
42458 ++
42459 ++#include <linux/jiffies.h>
42460 ++
42461 ++static const struct {
42462 ++ bool result;
42463 ++ unsigned int msec_to_sleep_before;
42464 ++} expected_results[] __initconst = {
42465 ++ [0 ... PACKETS_BURSTABLE - 1] = { true, 0 },
42466 ++ [PACKETS_BURSTABLE] = { false, 0 },
42467 ++ [PACKETS_BURSTABLE + 1] = { true, MSEC_PER_SEC / PACKETS_PER_SECOND },
42468 ++ [PACKETS_BURSTABLE + 2] = { false, 0 },
42469 ++ [PACKETS_BURSTABLE + 3] = { true, (MSEC_PER_SEC / PACKETS_PER_SECOND) * 2 },
42470 ++ [PACKETS_BURSTABLE + 4] = { true, 0 },
42471 ++ [PACKETS_BURSTABLE + 5] = { false, 0 }
42472 ++};
42473 ++
42474 ++static __init unsigned int maximum_jiffies_at_index(int index)
42475 ++{
42476 ++ unsigned int total_msecs = 2 * MSEC_PER_SEC / PACKETS_PER_SECOND / 3;
42477 ++ int i;
42478 ++
42479 ++ for (i = 0; i <= index; ++i)
42480 ++ total_msecs += expected_results[i].msec_to_sleep_before;
42481 ++ return msecs_to_jiffies(total_msecs);
42482 ++}
42483 ++
42484 ++static __init int timings_test(struct sk_buff *skb4, struct iphdr *hdr4,
42485 ++ struct sk_buff *skb6, struct ipv6hdr *hdr6,
42486 ++ int *test)
42487 ++{
42488 ++ unsigned long loop_start_time;
42489 ++ int i;
42490 ++
42491 ++ wg_ratelimiter_gc_entries(NULL);
42492 ++ rcu_barrier();
42493 ++ loop_start_time = jiffies;
42494 ++
42495 ++ for (i = 0; i < ARRAY_SIZE(expected_results); ++i) {
42496 ++ if (expected_results[i].msec_to_sleep_before)
42497 ++ msleep(expected_results[i].msec_to_sleep_before);
42498 ++
42499 ++ if (time_is_before_jiffies(loop_start_time +
42500 ++ maximum_jiffies_at_index(i)))
42501 ++ return -ETIMEDOUT;
42502 ++ if (wg_ratelimiter_allow(skb4, &init_net) !=
42503 ++ expected_results[i].result)
42504 ++ return -EXFULL;
42505 ++ ++(*test);
42506 ++
42507 ++ hdr4->saddr = htonl(ntohl(hdr4->saddr) + i + 1);
42508 ++ if (time_is_before_jiffies(loop_start_time +
42509 ++ maximum_jiffies_at_index(i)))
42510 ++ return -ETIMEDOUT;
42511 ++ if (!wg_ratelimiter_allow(skb4, &init_net))
42512 ++ return -EXFULL;
42513 ++ ++(*test);
42514 ++
42515 ++ hdr4->saddr = htonl(ntohl(hdr4->saddr) - i - 1);
42516 ++
42517 ++#if IS_ENABLED(CONFIG_IPV6)
42518 ++ hdr6->saddr.in6_u.u6_addr32[2] = htonl(i);
42519 ++ hdr6->saddr.in6_u.u6_addr32[3] = htonl(i);
42520 ++ if (time_is_before_jiffies(loop_start_time +
42521 ++ maximum_jiffies_at_index(i)))
42522 ++ return -ETIMEDOUT;
42523 ++ if (wg_ratelimiter_allow(skb6, &init_net) !=
42524 ++ expected_results[i].result)
42525 ++ return -EXFULL;
42526 ++ ++(*test);
42527 ++
42528 ++ hdr6->saddr.in6_u.u6_addr32[0] =
42529 ++ htonl(ntohl(hdr6->saddr.in6_u.u6_addr32[0]) + i + 1);
42530 ++ if (time_is_before_jiffies(loop_start_time +
42531 ++ maximum_jiffies_at_index(i)))
42532 ++ return -ETIMEDOUT;
42533 ++ if (!wg_ratelimiter_allow(skb6, &init_net))
42534 ++ return -EXFULL;
42535 ++ ++(*test);
42536 ++
42537 ++ hdr6->saddr.in6_u.u6_addr32[0] =
42538 ++ htonl(ntohl(hdr6->saddr.in6_u.u6_addr32[0]) - i - 1);
42539 ++
42540 ++ if (time_is_before_jiffies(loop_start_time +
42541 ++ maximum_jiffies_at_index(i)))
42542 ++ return -ETIMEDOUT;
42543 ++#endif
42544 ++ }
42545 ++ return 0;
42546 ++}
42547 ++
42548 ++static __init int capacity_test(struct sk_buff *skb4, struct iphdr *hdr4,
42549 ++ int *test)
42550 ++{
42551 ++ int i;
42552 ++
42553 ++ wg_ratelimiter_gc_entries(NULL);
42554 ++ rcu_barrier();
42555 ++
42556 ++ if (atomic_read(&total_entries))
42557 ++ return -EXFULL;
42558 ++ ++(*test);
42559 ++
42560 ++ for (i = 0; i <= max_entries; ++i) {
42561 ++ hdr4->saddr = htonl(i);
42562 ++ if (wg_ratelimiter_allow(skb4, &init_net) != (i != max_entries))
42563 ++ return -EXFULL;
42564 ++ ++(*test);
42565 ++ }
42566 ++ return 0;
42567 ++}
42568 ++
42569 ++bool __init wg_ratelimiter_selftest(void)
42570 ++{
42571 ++ enum { TRIALS_BEFORE_GIVING_UP = 5000 };
42572 ++ bool success = false;
42573 ++ int test = 0, trials;
42574 ++ struct sk_buff *skb4, *skb6 = NULL;
42575 ++ struct iphdr *hdr4;
42576 ++ struct ipv6hdr *hdr6 = NULL;
42577 ++
42578 ++ if (IS_ENABLED(CONFIG_KASAN) || IS_ENABLED(CONFIG_UBSAN))
42579 ++ return true;
42580 ++
42581 ++ BUILD_BUG_ON(MSEC_PER_SEC % PACKETS_PER_SECOND != 0);
42582 ++
42583 ++ if (wg_ratelimiter_init())
42584 ++ goto out;
42585 ++ ++test;
42586 ++ if (wg_ratelimiter_init()) {
42587 ++ wg_ratelimiter_uninit();
42588 ++ goto out;
42589 ++ }
42590 ++ ++test;
42591 ++ if (wg_ratelimiter_init()) {
42592 ++ wg_ratelimiter_uninit();
42593 ++ wg_ratelimiter_uninit();
42594 ++ goto out;
42595 ++ }
42596 ++ ++test;
42597 ++
42598 ++ skb4 = alloc_skb(sizeof(struct iphdr), GFP_KERNEL);
42599 ++ if (unlikely(!skb4))
42600 ++ goto err_nofree;
42601 ++ skb4->protocol = htons(ETH_P_IP);
42602 ++ hdr4 = (struct iphdr *)skb_put(skb4, sizeof(*hdr4));
42603 ++ hdr4->saddr = htonl(8182);
42604 ++ skb_reset_network_header(skb4);
42605 ++ ++test;
42606 ++
42607 ++#if IS_ENABLED(CONFIG_IPV6)
42608 ++ skb6 = alloc_skb(sizeof(struct ipv6hdr), GFP_KERNEL);
42609 ++ if (unlikely(!skb6)) {
42610 ++ kfree_skb(skb4);
42611 ++ goto err_nofree;
42612 ++ }
42613 ++ skb6->protocol = htons(ETH_P_IPV6);
42614 ++ hdr6 = (struct ipv6hdr *)skb_put(skb6, sizeof(*hdr6));
42615 ++ hdr6->saddr.in6_u.u6_addr32[0] = htonl(1212);
42616 ++ hdr6->saddr.in6_u.u6_addr32[1] = htonl(289188);
42617 ++ skb_reset_network_header(skb6);
42618 ++ ++test;
42619 ++#endif
42620 ++
42621 ++ for (trials = TRIALS_BEFORE_GIVING_UP;;) {
42622 ++ int test_count = 0, ret;
42623 ++
42624 ++ ret = timings_test(skb4, hdr4, skb6, hdr6, &test_count);
42625 ++ if (ret == -ETIMEDOUT) {
42626 ++ if (!trials--) {
42627 ++ test += test_count;
42628 ++ goto err;
42629 ++ }
42630 ++ msleep(500);
42631 ++ continue;
42632 ++ } else if (ret < 0) {
42633 ++ test += test_count;
42634 ++ goto err;
42635 ++ } else {
42636 ++ test += test_count;
42637 ++ break;
42638 ++ }
42639 ++ }
42640 ++
42641 ++ for (trials = TRIALS_BEFORE_GIVING_UP;;) {
42642 ++ int test_count = 0;
42643 ++
42644 ++ if (capacity_test(skb4, hdr4, &test_count) < 0) {
42645 ++ if (!trials--) {
42646 ++ test += test_count;
42647 ++ goto err;
42648 ++ }
42649 ++ msleep(50);
42650 ++ continue;
42651 ++ }
42652 ++ test += test_count;
42653 ++ break;
42654 ++ }
42655 ++
42656 ++ success = true;
42657 ++
42658 ++err:
42659 ++ kfree_skb(skb4);
42660 ++#if IS_ENABLED(CONFIG_IPV6)
42661 ++ kfree_skb(skb6);
42662 ++#endif
42663 ++err_nofree:
42664 ++ wg_ratelimiter_uninit();
42665 ++ wg_ratelimiter_uninit();
42666 ++ wg_ratelimiter_uninit();
42667 ++ /* Uninit one extra time to check underflow detection. */
42668 ++ wg_ratelimiter_uninit();
42669 ++out:
42670 ++ if (success)
42671 ++ pr_info("ratelimiter self-tests: pass\n");
42672 ++ else
42673 ++ pr_err("ratelimiter self-test %d: FAIL\n", test);
42674 ++
42675 ++ return success;
42676 ++}
42677 ++#endif
42678 +--- b/drivers/net/wireguard/send.c
42679 ++++ b/drivers/net/wireguard/send.c
42680 +@@ -0,0 +1,413 @@
42681 ++// SPDX-License-Identifier: GPL-2.0
42682 ++/*
42683 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
42684 ++ */
42685 ++
42686 ++#include "queueing.h"
42687 ++#include "timers.h"
42688 ++#include "device.h"
42689 ++#include "peer.h"
42690 ++#include "socket.h"
42691 ++#include "messages.h"
42692 ++#include "cookie.h"
42693 ++
42694 ++#include <linux/uio.h>
42695 ++#include <linux/inetdevice.h>
42696 ++#include <linux/socket.h>
42697 ++#include <net/ip_tunnels.h>
42698 ++#include <net/udp.h>
42699 ++#include <net/sock.h>
42700 ++
42701 ++static void wg_packet_send_handshake_initiation(struct wg_peer *peer)
42702 ++{
42703 ++ struct message_handshake_initiation packet;
42704 ++
42705 ++ if (!wg_birthdate_has_expired(atomic64_read(&peer->last_sent_handshake),
42706 ++ REKEY_TIMEOUT))
42707 ++ return; /* This function is rate limited. */
42708 ++
42709 ++ atomic64_set(&peer->last_sent_handshake, ktime_get_coarse_boottime_ns());
42710 ++ net_dbg_ratelimited("%s: Sending handshake initiation to peer %llu (%pISpfsc)\n",
42711 ++ peer->device->dev->name, peer->internal_id,
42712 ++ &peer->endpoint.addr);
42713 ++
42714 ++ if (wg_noise_handshake_create_initiation(&packet, &peer->handshake)) {
42715 ++ wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
42716 ++ wg_timers_any_authenticated_packet_traversal(peer);
42717 ++ wg_timers_any_authenticated_packet_sent(peer);
42718 ++ atomic64_set(&peer->last_sent_handshake,
42719 ++ ktime_get_coarse_boottime_ns());
42720 ++ wg_socket_send_buffer_to_peer(peer, &packet, sizeof(packet),
42721 ++ HANDSHAKE_DSCP);
42722 ++ wg_timers_handshake_initiated(peer);
42723 ++ }
42724 ++}
42725 ++
42726 ++void wg_packet_handshake_send_worker(struct work_struct *work)
42727 ++{
42728 ++ struct wg_peer *peer = container_of(work, struct wg_peer,
42729 ++ transmit_handshake_work);
42730 ++
42731 ++ wg_packet_send_handshake_initiation(peer);
42732 ++ wg_peer_put(peer);
42733 ++}
42734 ++
42735 ++void wg_packet_send_queued_handshake_initiation(struct wg_peer *peer,
42736 ++ bool is_retry)
42737 ++{
42738 ++ if (!is_retry)
42739 ++ peer->timer_handshake_attempts = 0;
42740 ++
42741 ++ rcu_read_lock_bh();
42742 ++ /* We check last_sent_handshake here in addition to the actual function
42743 ++ * we're queueing up, so that we don't queue things if not strictly
42744 ++ * necessary:
42745 ++ */
42746 ++ if (!wg_birthdate_has_expired(atomic64_read(&peer->last_sent_handshake),
42747 ++ REKEY_TIMEOUT) ||
42748 ++ unlikely(READ_ONCE(peer->is_dead)))
42749 ++ goto out;
42750 ++
42751 ++ wg_peer_get(peer);
42752 ++ /* Queues up calling packet_send_queued_handshakes(peer), where we do a
42753 ++ * peer_put(peer) after:
42754 ++ */
42755 ++ if (!queue_work(peer->device->handshake_send_wq,
42756 ++ &peer->transmit_handshake_work))
42757 ++ /* If the work was already queued, we want to drop the
42758 ++ * extra reference:
42759 ++ */
42760 ++ wg_peer_put(peer);
42761 ++out:
42762 ++ rcu_read_unlock_bh();
42763 ++}
42764 ++
42765 ++void wg_packet_send_handshake_response(struct wg_peer *peer)
42766 ++{
42767 ++ struct message_handshake_response packet;
42768 ++
42769 ++ atomic64_set(&peer->last_sent_handshake, ktime_get_coarse_boottime_ns());
42770 ++ net_dbg_ratelimited("%s: Sending handshake response to peer %llu (%pISpfsc)\n",
42771 ++ peer->device->dev->name, peer->internal_id,
42772 ++ &peer->endpoint.addr);
42773 ++
42774 ++ if (wg_noise_handshake_create_response(&packet, &peer->handshake)) {
42775 ++ wg_cookie_add_mac_to_packet(&packet, sizeof(packet), peer);
42776 ++ if (wg_noise_handshake_begin_session(&peer->handshake,
42777 ++ &peer->keypairs)) {
42778 ++ wg_timers_session_derived(peer);
42779 ++ wg_timers_any_authenticated_packet_traversal(peer);
42780 ++ wg_timers_any_authenticated_packet_sent(peer);
42781 ++ atomic64_set(&peer->last_sent_handshake,
42782 ++ ktime_get_coarse_boottime_ns());
42783 ++ wg_socket_send_buffer_to_peer(peer, &packet,
42784 ++ sizeof(packet),
42785 ++ HANDSHAKE_DSCP);
42786 ++ }
42787 ++ }
42788 ++}
42789 ++
42790 ++void wg_packet_send_handshake_cookie(struct wg_device *wg,
42791 ++ struct sk_buff *initiating_skb,
42792 ++ __le32 sender_index)
42793 ++{
42794 ++ struct message_handshake_cookie packet;
42795 ++
42796 ++ net_dbg_skb_ratelimited("%s: Sending cookie response for denied handshake message for %pISpfsc\n",
42797 ++ wg->dev->name, initiating_skb);
42798 ++ wg_cookie_message_create(&packet, initiating_skb, sender_index,
42799 ++ &wg->cookie_checker);
42800 ++ wg_socket_send_buffer_as_reply_to_skb(wg, initiating_skb, &packet,
42801 ++ sizeof(packet));
42802 ++}
42803 ++
42804 ++static void keep_key_fresh(struct wg_peer *peer)
42805 ++{
42806 ++ struct noise_keypair *keypair;
42807 ++ bool send;
42808 ++
42809 ++ rcu_read_lock_bh();
42810 ++ keypair = rcu_dereference_bh(peer->keypairs.current_keypair);
42811 ++ send = keypair && READ_ONCE(keypair->sending.is_valid) &&
42812 ++ (atomic64_read(&keypair->sending_counter) > REKEY_AFTER_MESSAGES ||
42813 ++ (keypair->i_am_the_initiator &&
42814 ++ wg_birthdate_has_expired(keypair->sending.birthdate, REKEY_AFTER_TIME)));
42815 ++ rcu_read_unlock_bh();
42816 ++
42817 ++ if (unlikely(send))
42818 ++ wg_packet_send_queued_handshake_initiation(peer, false);
42819 ++}
42820 ++
42821 ++static unsigned int calculate_skb_padding(struct sk_buff *skb)
42822 ++{
42823 ++ unsigned int padded_size, last_unit = skb->len;
42824 ++
42825 ++ if (unlikely(!PACKET_CB(skb)->mtu))
42826 ++ return ALIGN(last_unit, MESSAGE_PADDING_MULTIPLE) - last_unit;
42827 ++
42828 ++ /* We do this modulo business with the MTU, just in case the networking
42829 ++ * layer gives us a packet that's bigger than the MTU. In that case, we
42830 ++ * wouldn't want the final subtraction to overflow in the case of the
42831 ++ * padded_size being clamped. Fortunately, that's very rarely the case,
42832 ++ * so we optimize for that not happening.
42833 ++ */
42834 ++ if (unlikely(last_unit > PACKET_CB(skb)->mtu))
42835 ++ last_unit %= PACKET_CB(skb)->mtu;
42836 ++
42837 ++ padded_size = min(PACKET_CB(skb)->mtu,
42838 ++ ALIGN(last_unit, MESSAGE_PADDING_MULTIPLE));
42839 ++ return padded_size - last_unit;
42840 ++}
42841 ++
42842 ++static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
42843 ++{
42844 ++ unsigned int padding_len, plaintext_len, trailer_len;
42845 ++ struct scatterlist sg[MAX_SKB_FRAGS + 8];
42846 ++ struct message_data *header;
42847 ++ struct sk_buff *trailer;
42848 ++ int num_frags;
42849 ++
42850 ++ /* Force hash calculation before encryption so that flow analysis is
42851 ++ * consistent over the inner packet.
42852 ++ */
42853 ++ skb_get_hash(skb);
42854 ++
42855 ++ /* Calculate lengths. */
42856 ++ padding_len = calculate_skb_padding(skb);
42857 ++ trailer_len = padding_len + noise_encrypted_len(0);
42858 ++ plaintext_len = skb->len + padding_len;
42859 ++
42860 ++ /* Expand data section to have room for padding and auth tag. */
42861 ++ num_frags = skb_cow_data(skb, trailer_len, &trailer);
42862 ++ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
42863 ++ return false;
42864 ++
42865 ++ /* Set the padding to zeros, and make sure it and the auth tag are part
42866 ++ * of the skb.
42867 ++ */
42868 ++ memset(skb_tail_pointer(trailer), 0, padding_len);
42869 ++
42870 ++ /* Expand head section to have room for our header and the network
42871 ++ * stack's headers.
42872 ++ */
42873 ++ if (unlikely(skb_cow_head(skb, DATA_PACKET_HEAD_ROOM) < 0))
42874 ++ return false;
42875 ++
42876 ++ /* Finalize checksum calculation for the inner packet, if required. */
42877 ++ if (unlikely(skb->ip_summed == CHECKSUM_PARTIAL &&
42878 ++ skb_checksum_help(skb)))
42879 ++ return false;
42880 ++
42881 ++ /* Only after checksumming can we safely add on the padding at the end
42882 ++ * and the header.
42883 ++ */
42884 ++ skb_set_inner_network_header(skb, 0);
42885 ++ header = (struct message_data *)skb_push(skb, sizeof(*header));
42886 ++ header->header.type = cpu_to_le32(MESSAGE_DATA);
42887 ++ header->key_idx = keypair->remote_index;
42888 ++ header->counter = cpu_to_le64(PACKET_CB(skb)->nonce);
42889 ++ pskb_put(skb, trailer, trailer_len);
42890 ++
42891 ++ /* Now we can encrypt the scattergather segments */
42892 ++ sg_init_table(sg, num_frags);
42893 ++ if (skb_to_sgvec(skb, sg, sizeof(struct message_data),
42894 ++ noise_encrypted_len(plaintext_len)) <= 0)
42895 ++ return false;
42896 ++ return chacha20poly1305_encrypt_sg_inplace(sg, plaintext_len, NULL, 0,
42897 ++ PACKET_CB(skb)->nonce,
42898 ++ keypair->sending.key);
42899 ++}
42900 ++
42901 ++void wg_packet_send_keepalive(struct wg_peer *peer)
42902 ++{
42903 ++ struct sk_buff *skb;
42904 ++
42905 ++ if (skb_queue_empty(&peer->staged_packet_queue)) {
42906 ++ skb = alloc_skb(DATA_PACKET_HEAD_ROOM + MESSAGE_MINIMUM_LENGTH,
42907 ++ GFP_ATOMIC);
42908 ++ if (unlikely(!skb))
42909 ++ return;
42910 ++ skb_reserve(skb, DATA_PACKET_HEAD_ROOM);
42911 ++ skb->dev = peer->device->dev;
42912 ++ PACKET_CB(skb)->mtu = skb->dev->mtu;
42913 ++ skb_queue_tail(&peer->staged_packet_queue, skb);
42914 ++ net_dbg_ratelimited("%s: Sending keepalive packet to peer %llu (%pISpfsc)\n",
42915 ++ peer->device->dev->name, peer->internal_id,
42916 ++ &peer->endpoint.addr);
42917 ++ }
42918 ++
42919 ++ wg_packet_send_staged_packets(peer);
42920 ++}
42921 ++
42922 ++static void wg_packet_create_data_done(struct wg_peer *peer, struct sk_buff *first)
42923 ++{
42924 ++ struct sk_buff *skb, *next;
42925 ++ bool is_keepalive, data_sent = false;
42926 ++
42927 ++ wg_timers_any_authenticated_packet_traversal(peer);
42928 ++ wg_timers_any_authenticated_packet_sent(peer);
42929 ++ skb_list_walk_safe(first, skb, next) {
42930 ++ is_keepalive = skb->len == message_data_len(0);
42931 ++ if (likely(!wg_socket_send_skb_to_peer(peer, skb,
42932 ++ PACKET_CB(skb)->ds) && !is_keepalive))
42933 ++ data_sent = true;
42934 ++ }
42935 ++
42936 ++ if (likely(data_sent))
42937 ++ wg_timers_data_sent(peer);
42938 ++
42939 ++ keep_key_fresh(peer);
42940 ++}
42941 ++
42942 ++void wg_packet_tx_worker(struct work_struct *work)
42943 ++{
42944 ++ struct wg_peer *peer = container_of(work, struct wg_peer, transmit_packet_work);
42945 ++ struct noise_keypair *keypair;
42946 ++ enum packet_state state;
42947 ++ struct sk_buff *first;
42948 ++
42949 ++ while ((first = wg_prev_queue_peek(&peer->tx_queue)) != NULL &&
42950 ++ (state = atomic_read_acquire(&PACKET_CB(first)->state)) !=
42951 ++ PACKET_STATE_UNCRYPTED) {
42952 ++ wg_prev_queue_drop_peeked(&peer->tx_queue);
42953 ++ keypair = PACKET_CB(first)->keypair;
42954 ++
42955 ++ if (likely(state == PACKET_STATE_CRYPTED))
42956 ++ wg_packet_create_data_done(peer, first);
42957 ++ else
42958 ++ kfree_skb_list(first);
42959 ++
42960 ++ wg_noise_keypair_put(keypair, false);
42961 ++ wg_peer_put(peer);
42962 ++ if (need_resched())
42963 ++ cond_resched();
42964 ++ }
42965 ++}
42966 ++
42967 ++void wg_packet_encrypt_worker(struct work_struct *work)
42968 ++{
42969 ++ struct crypt_queue *queue = container_of(work, struct multicore_worker,
42970 ++ work)->ptr;
42971 ++ struct sk_buff *first, *skb, *next;
42972 ++
42973 ++ while ((first = ptr_ring_consume_bh(&queue->ring)) != NULL) {
42974 ++ enum packet_state state = PACKET_STATE_CRYPTED;
42975 ++
42976 ++ skb_list_walk_safe(first, skb, next) {
42977 ++ if (likely(encrypt_packet(skb,
42978 ++ PACKET_CB(first)->keypair))) {
42979 ++ wg_reset_packet(skb, true);
42980 ++ } else {
42981 ++ state = PACKET_STATE_DEAD;
42982 ++ break;
42983 ++ }
42984 ++ }
42985 ++ wg_queue_enqueue_per_peer_tx(first, state);
42986 ++ if (need_resched())
42987 ++ cond_resched();
42988 ++ }
42989 ++}
42990 ++
42991 ++static void wg_packet_create_data(struct wg_peer *peer, struct sk_buff *first)
42992 ++{
42993 ++ struct wg_device *wg = peer->device;
42994 ++ int ret = -EINVAL;
42995 ++
42996 ++ rcu_read_lock_bh();
42997 ++ if (unlikely(READ_ONCE(peer->is_dead)))
42998 ++ goto err;
42999 ++
43000 ++ ret = wg_queue_enqueue_per_device_and_peer(&wg->encrypt_queue, &peer->tx_queue, first,
43001 ++ wg->packet_crypt_wq, &wg->encrypt_queue.last_cpu);
43002 ++ if (unlikely(ret == -EPIPE))
43003 ++ wg_queue_enqueue_per_peer_tx(first, PACKET_STATE_DEAD);
43004 ++err:
43005 ++ rcu_read_unlock_bh();
43006 ++ if (likely(!ret || ret == -EPIPE))
43007 ++ return;
43008 ++ wg_noise_keypair_put(PACKET_CB(first)->keypair, false);
43009 ++ wg_peer_put(peer);
43010 ++ kfree_skb_list(first);
43011 ++}
43012 ++
43013 ++void wg_packet_purge_staged_packets(struct wg_peer *peer)
43014 ++{
43015 ++ spin_lock_bh(&peer->staged_packet_queue.lock);
43016 ++ peer->device->dev->stats.tx_dropped += peer->staged_packet_queue.qlen;
43017 ++ __skb_queue_purge(&peer->staged_packet_queue);
43018 ++ spin_unlock_bh(&peer->staged_packet_queue.lock);
43019 ++}
43020 ++
43021 ++void wg_packet_send_staged_packets(struct wg_peer *peer)
43022 ++{
43023 ++ struct noise_keypair *keypair;
43024 ++ struct sk_buff_head packets;
43025 ++ struct sk_buff *skb;
43026 ++
43027 ++ /* Steal the current queue into our local one. */
43028 ++ __skb_queue_head_init(&packets);
43029 ++ spin_lock_bh(&peer->staged_packet_queue.lock);
43030 ++ skb_queue_splice_init(&peer->staged_packet_queue, &packets);
43031 ++ spin_unlock_bh(&peer->staged_packet_queue.lock);
43032 ++ if (unlikely(skb_queue_empty(&packets)))
43033 ++ return;
43034 ++
43035 ++ /* First we make sure we have a valid reference to a valid key. */
43036 ++ rcu_read_lock_bh();
43037 ++ keypair = wg_noise_keypair_get(
43038 ++ rcu_dereference_bh(peer->keypairs.current_keypair));
43039 ++ rcu_read_unlock_bh();
43040 ++ if (unlikely(!keypair))
43041 ++ goto out_nokey;
43042 ++ if (unlikely(!READ_ONCE(keypair->sending.is_valid)))
43043 ++ goto out_nokey;
43044 ++ if (unlikely(wg_birthdate_has_expired(keypair->sending.birthdate,
43045 ++ REJECT_AFTER_TIME)))
43046 ++ goto out_invalid;
43047 ++
43048 ++ /* After we know we have a somewhat valid key, we now try to assign
43049 ++ * nonces to all of the packets in the queue. If we can't assign nonces
43050 ++ * for all of them, we just consider it a failure and wait for the next
43051 ++ * handshake.
43052 ++ */
43053 ++ skb_queue_walk(&packets, skb) {
43054 ++ /* 0 for no outer TOS: no leak. TODO: at some later point, we
43055 ++ * might consider using flowi->tos as outer instead.
43056 ++ */
43057 ++ PACKET_CB(skb)->ds = ip_tunnel_ecn_encap(0, ip_hdr(skb), skb);
43058 ++ PACKET_CB(skb)->nonce =
43059 ++ atomic64_inc_return(&keypair->sending_counter) - 1;
43060 ++ if (unlikely(PACKET_CB(skb)->nonce >= REJECT_AFTER_MESSAGES))
43061 ++ goto out_invalid;
43062 ++ }
43063 ++
43064 ++ packets.prev->next = NULL;
43065 ++ wg_peer_get(keypair->entry.peer);
43066 ++ PACKET_CB(packets.next)->keypair = keypair;
43067 ++ wg_packet_create_data(peer, packets.next);
43068 ++ return;
43069 ++
43070 ++out_invalid:
43071 ++ WRITE_ONCE(keypair->sending.is_valid, false);
43072 ++out_nokey:
43073 ++ wg_noise_keypair_put(keypair, false);
43074 ++
43075 ++ /* We orphan the packets if we're waiting on a handshake, so that they
43076 ++ * don't block a socket's pool.
43077 ++ */
43078 ++ skb_queue_walk(&packets, skb)
43079 ++ skb_orphan(skb);
43080 ++ /* Then we put them back on the top of the queue. We're not too
43081 ++ * concerned about accidentally getting things a little out of order if
43082 ++ * packets are being added really fast, because this queue is for before
43083 ++ * packets can even be sent and it's small anyway.
43084 ++ */
43085 ++ spin_lock_bh(&peer->staged_packet_queue.lock);
43086 ++ skb_queue_splice(&packets, &peer->staged_packet_queue);
43087 ++ spin_unlock_bh(&peer->staged_packet_queue.lock);
43088 ++
43089 ++ /* If we're exiting because there's something wrong with the key, it
43090 ++ * means we should initiate a new handshake.
43091 ++ */
43092 ++ wg_packet_send_queued_handshake_initiation(peer, false);
43093 ++}
43094 +--- b/drivers/net/wireguard/socket.c
43095 ++++ b/drivers/net/wireguard/socket.c
43096 +@@ -0,0 +1,436 @@
43097 ++// SPDX-License-Identifier: GPL-2.0
43098 ++/*
43099 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43100 ++ */
43101 ++
43102 ++#include "device.h"
43103 ++#include "peer.h"
43104 ++#include "socket.h"
43105 ++#include "queueing.h"
43106 ++#include "messages.h"
43107 ++
43108 ++#include <linux/ctype.h>
43109 ++#include <linux/net.h>
43110 ++#include <linux/if_vlan.h>
43111 ++#include <linux/if_ether.h>
43112 ++#include <linux/inetdevice.h>
43113 ++#include <net/udp_tunnel.h>
43114 ++#include <net/ipv6.h>
43115 ++
43116 ++static int send4(struct wg_device *wg, struct sk_buff *skb,
43117 ++ struct endpoint *endpoint, u8 ds, struct dst_cache *cache)
43118 ++{
43119 ++ struct flowi4 fl = {
43120 ++ .saddr = endpoint->src4.s_addr,
43121 ++ .daddr = endpoint->addr4.sin_addr.s_addr,
43122 ++ .fl4_dport = endpoint->addr4.sin_port,
43123 ++ .flowi4_mark = wg->fwmark,
43124 ++ .flowi4_proto = IPPROTO_UDP
43125 ++ };
43126 ++ struct rtable *rt = NULL;
43127 ++ struct sock *sock;
43128 ++ int ret = 0;
43129 ++
43130 ++ skb_mark_not_on_list(skb);
43131 ++ skb->dev = wg->dev;
43132 ++ skb->mark = wg->fwmark;
43133 ++
43134 ++ rcu_read_lock_bh();
43135 ++ sock = rcu_dereference_bh(wg->sock4);
43136 ++
43137 ++ if (unlikely(!sock)) {
43138 ++ ret = -ENONET;
43139 ++ goto err;
43140 ++ }
43141 ++
43142 ++ fl.fl4_sport = inet_sk(sock)->inet_sport;
43143 ++
43144 ++ if (cache)
43145 ++ rt = dst_cache_get_ip4(cache, &fl.saddr);
43146 ++
43147 ++ if (!rt) {
43148 ++ security_sk_classify_flow(sock, flowi4_to_flowi(&fl));
43149 ++ if (unlikely(!inet_confirm_addr(sock_net(sock), NULL, 0,
43150 ++ fl.saddr, RT_SCOPE_HOST))) {
43151 ++ endpoint->src4.s_addr = 0;
43152 ++ endpoint->src_if4 = 0;
43153 ++ fl.saddr = 0;
43154 ++ if (cache)
43155 ++ dst_cache_reset(cache);
43156 ++ }
43157 ++ rt = ip_route_output_flow(sock_net(sock), &fl, sock);
43158 ++ if (unlikely(endpoint->src_if4 && ((IS_ERR(rt) &&
43159 ++ PTR_ERR(rt) == -EINVAL) || (!IS_ERR(rt) &&
43160 ++ rt->dst.dev->ifindex != endpoint->src_if4)))) {
43161 ++ endpoint->src4.s_addr = 0;
43162 ++ endpoint->src_if4 = 0;
43163 ++ fl.saddr = 0;
43164 ++ if (cache)
43165 ++ dst_cache_reset(cache);
43166 ++ if (!IS_ERR(rt))
43167 ++ ip_rt_put(rt);
43168 ++ rt = ip_route_output_flow(sock_net(sock), &fl, sock);
43169 ++ }
43170 ++ if (IS_ERR(rt)) {
43171 ++ ret = PTR_ERR(rt);
43172 ++ net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
43173 ++ wg->dev->name, &endpoint->addr, ret);
43174 ++ goto err;
43175 ++ }
43176 ++ if (cache)
43177 ++ dst_cache_set_ip4(cache, &rt->dst, fl.saddr);
43178 ++ }
43179 ++
43180 ++ skb->ignore_df = 1;
43181 ++ udp_tunnel_xmit_skb(rt, sock, skb, fl.saddr, fl.daddr, ds,
43182 ++ ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport,
43183 ++ fl.fl4_dport, false, false);
43184 ++ goto out;
43185 ++
43186 ++err:
43187 ++ kfree_skb(skb);
43188 ++out:
43189 ++ rcu_read_unlock_bh();
43190 ++ return ret;
43191 ++}
43192 ++
43193 ++static int send6(struct wg_device *wg, struct sk_buff *skb,
43194 ++ struct endpoint *endpoint, u8 ds, struct dst_cache *cache)
43195 ++{
43196 ++#if IS_ENABLED(CONFIG_IPV6)
43197 ++ struct flowi6 fl = {
43198 ++ .saddr = endpoint->src6,
43199 ++ .daddr = endpoint->addr6.sin6_addr,
43200 ++ .fl6_dport = endpoint->addr6.sin6_port,
43201 ++ .flowi6_mark = wg->fwmark,
43202 ++ .flowi6_oif = endpoint->addr6.sin6_scope_id,
43203 ++ .flowi6_proto = IPPROTO_UDP
43204 ++ /* TODO: addr->sin6_flowinfo */
43205 ++ };
43206 ++ struct dst_entry *dst = NULL;
43207 ++ struct sock *sock;
43208 ++ int ret = 0;
43209 ++
43210 ++ skb_mark_not_on_list(skb);
43211 ++ skb->dev = wg->dev;
43212 ++ skb->mark = wg->fwmark;
43213 ++
43214 ++ rcu_read_lock_bh();
43215 ++ sock = rcu_dereference_bh(wg->sock6);
43216 ++
43217 ++ if (unlikely(!sock)) {
43218 ++ ret = -ENONET;
43219 ++ goto err;
43220 ++ }
43221 ++
43222 ++ fl.fl6_sport = inet_sk(sock)->inet_sport;
43223 ++
43224 ++ if (cache)
43225 ++ dst = dst_cache_get_ip6(cache, &fl.saddr);
43226 ++
43227 ++ if (!dst) {
43228 ++ security_sk_classify_flow(sock, flowi6_to_flowi(&fl));
43229 ++ if (unlikely(!ipv6_addr_any(&fl.saddr) &&
43230 ++ !ipv6_chk_addr(sock_net(sock), &fl.saddr, NULL, 0))) {
43231 ++ endpoint->src6 = fl.saddr = in6addr_any;
43232 ++ if (cache)
43233 ++ dst_cache_reset(cache);
43234 ++ }
43235 ++ dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, &fl,
43236 ++ NULL);
43237 ++ if (IS_ERR(dst)) {
43238 ++ ret = PTR_ERR(dst);
43239 ++ net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
43240 ++ wg->dev->name, &endpoint->addr, ret);
43241 ++ goto err;
43242 ++ }
43243 ++ if (cache)
43244 ++ dst_cache_set_ip6(cache, dst, &fl.saddr);
43245 ++ }
43246 ++
43247 ++ skb->ignore_df = 1;
43248 ++ udp_tunnel6_xmit_skb(dst, sock, skb, skb->dev, &fl.saddr, &fl.daddr, ds,
43249 ++ ip6_dst_hoplimit(dst), 0, fl.fl6_sport,
43250 ++ fl.fl6_dport, false);
43251 ++ goto out;
43252 ++
43253 ++err:
43254 ++ kfree_skb(skb);
43255 ++out:
43256 ++ rcu_read_unlock_bh();
43257 ++ return ret;
43258 ++#else
43259 ++ return -EAFNOSUPPORT;
43260 ++#endif
43261 ++}
43262 ++
43263 ++int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb, u8 ds)
43264 ++{
43265 ++ size_t skb_len = skb->len;
43266 ++ int ret = -EAFNOSUPPORT;
43267 ++
43268 ++ read_lock_bh(&peer->endpoint_lock);
43269 ++ if (peer->endpoint.addr.sa_family == AF_INET)
43270 ++ ret = send4(peer->device, skb, &peer->endpoint, ds,
43271 ++ &peer->endpoint_cache);
43272 ++ else if (peer->endpoint.addr.sa_family == AF_INET6)
43273 ++ ret = send6(peer->device, skb, &peer->endpoint, ds,
43274 ++ &peer->endpoint_cache);
43275 ++ else
43276 ++ dev_kfree_skb(skb);
43277 ++ if (likely(!ret))
43278 ++ peer->tx_bytes += skb_len;
43279 ++ read_unlock_bh(&peer->endpoint_lock);
43280 ++
43281 ++ return ret;
43282 ++}
43283 ++
43284 ++int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *buffer,
43285 ++ size_t len, u8 ds)
43286 ++{
43287 ++ struct sk_buff *skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
43288 ++
43289 ++ if (unlikely(!skb))
43290 ++ return -ENOMEM;
43291 ++
43292 ++ skb_reserve(skb, SKB_HEADER_LEN);
43293 ++ skb_set_inner_network_header(skb, 0);
43294 ++ skb_put_data(skb, buffer, len);
43295 ++ return wg_socket_send_skb_to_peer(peer, skb, ds);
43296 ++}
43297 ++
43298 ++int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
43299 ++ struct sk_buff *in_skb, void *buffer,
43300 ++ size_t len)
43301 ++{
43302 ++ int ret = 0;
43303 ++ struct sk_buff *skb;
43304 ++ struct endpoint endpoint;
43305 ++
43306 ++ if (unlikely(!in_skb))
43307 ++ return -EINVAL;
43308 ++ ret = wg_socket_endpoint_from_skb(&endpoint, in_skb);
43309 ++ if (unlikely(ret < 0))
43310 ++ return ret;
43311 ++
43312 ++ skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
43313 ++ if (unlikely(!skb))
43314 ++ return -ENOMEM;
43315 ++ skb_reserve(skb, SKB_HEADER_LEN);
43316 ++ skb_set_inner_network_header(skb, 0);
43317 ++ skb_put_data(skb, buffer, len);
43318 ++
43319 ++ if (endpoint.addr.sa_family == AF_INET)
43320 ++ ret = send4(wg, skb, &endpoint, 0, NULL);
43321 ++ else if (endpoint.addr.sa_family == AF_INET6)
43322 ++ ret = send6(wg, skb, &endpoint, 0, NULL);
43323 ++ /* No other possibilities if the endpoint is valid, which it is,
43324 ++ * as we checked above.
43325 ++ */
43326 ++
43327 ++ return ret;
43328 ++}
43329 ++
43330 ++int wg_socket_endpoint_from_skb(struct endpoint *endpoint,
43331 ++ const struct sk_buff *skb)
43332 ++{
43333 ++ memset(endpoint, 0, sizeof(*endpoint));
43334 ++ if (skb->protocol == htons(ETH_P_IP)) {
43335 ++ endpoint->addr4.sin_family = AF_INET;
43336 ++ endpoint->addr4.sin_port = udp_hdr(skb)->source;
43337 ++ endpoint->addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
43338 ++ endpoint->src4.s_addr = ip_hdr(skb)->daddr;
43339 ++ endpoint->src_if4 = skb->skb_iif;
43340 ++ } else if (skb->protocol == htons(ETH_P_IPV6)) {
43341 ++ endpoint->addr6.sin6_family = AF_INET6;
43342 ++ endpoint->addr6.sin6_port = udp_hdr(skb)->source;
43343 ++ endpoint->addr6.sin6_addr = ipv6_hdr(skb)->saddr;
43344 ++ endpoint->addr6.sin6_scope_id = ipv6_iface_scope_id(
43345 ++ &ipv6_hdr(skb)->saddr, skb->skb_iif);
43346 ++ endpoint->src6 = ipv6_hdr(skb)->daddr;
43347 ++ } else {
43348 ++ return -EINVAL;
43349 ++ }
43350 ++ return 0;
43351 ++}
43352 ++
43353 ++static bool endpoint_eq(const struct endpoint *a, const struct endpoint *b)
43354 ++{
43355 ++ return (a->addr.sa_family == AF_INET && b->addr.sa_family == AF_INET &&
43356 ++ a->addr4.sin_port == b->addr4.sin_port &&
43357 ++ a->addr4.sin_addr.s_addr == b->addr4.sin_addr.s_addr &&
43358 ++ a->src4.s_addr == b->src4.s_addr && a->src_if4 == b->src_if4) ||
43359 ++ (a->addr.sa_family == AF_INET6 &&
43360 ++ b->addr.sa_family == AF_INET6 &&
43361 ++ a->addr6.sin6_port == b->addr6.sin6_port &&
43362 ++ ipv6_addr_equal(&a->addr6.sin6_addr, &b->addr6.sin6_addr) &&
43363 ++ a->addr6.sin6_scope_id == b->addr6.sin6_scope_id &&
43364 ++ ipv6_addr_equal(&a->src6, &b->src6)) ||
43365 ++ unlikely(!a->addr.sa_family && !b->addr.sa_family);
43366 ++}
43367 ++
43368 ++void wg_socket_set_peer_endpoint(struct wg_peer *peer,
43369 ++ const struct endpoint *endpoint)
43370 ++{
43371 ++ /* First we check unlocked, in order to optimize, since it's pretty rare
43372 ++ * that an endpoint will change. If we happen to be mid-write, and two
43373 ++ * CPUs wind up writing the same thing or something slightly different,
43374 ++ * it doesn't really matter much either.
43375 ++ */
43376 ++ if (endpoint_eq(endpoint, &peer->endpoint))
43377 ++ return;
43378 ++ write_lock_bh(&peer->endpoint_lock);
43379 ++ if (endpoint->addr.sa_family == AF_INET) {
43380 ++ peer->endpoint.addr4 = endpoint->addr4;
43381 ++ peer->endpoint.src4 = endpoint->src4;
43382 ++ peer->endpoint.src_if4 = endpoint->src_if4;
43383 ++ } else if (endpoint->addr.sa_family == AF_INET6) {
43384 ++ peer->endpoint.addr6 = endpoint->addr6;
43385 ++ peer->endpoint.src6 = endpoint->src6;
43386 ++ } else {
43387 ++ goto out;
43388 ++ }
43389 ++ dst_cache_reset(&peer->endpoint_cache);
43390 ++out:
43391 ++ write_unlock_bh(&peer->endpoint_lock);
43392 ++}
43393 ++
43394 ++void wg_socket_set_peer_endpoint_from_skb(struct wg_peer *peer,
43395 ++ const struct sk_buff *skb)
43396 ++{
43397 ++ struct endpoint endpoint;
43398 ++
43399 ++ if (!wg_socket_endpoint_from_skb(&endpoint, skb))
43400 ++ wg_socket_set_peer_endpoint(peer, &endpoint);
43401 ++}
43402 ++
43403 ++void wg_socket_clear_peer_endpoint_src(struct wg_peer *peer)
43404 ++{
43405 ++ write_lock_bh(&peer->endpoint_lock);
43406 ++ memset(&peer->endpoint.src6, 0, sizeof(peer->endpoint.src6));
43407 ++ dst_cache_reset(&peer->endpoint_cache);
43408 ++ write_unlock_bh(&peer->endpoint_lock);
43409 ++}
43410 ++
43411 ++static int wg_receive(struct sock *sk, struct sk_buff *skb)
43412 ++{
43413 ++ struct wg_device *wg;
43414 ++
43415 ++ if (unlikely(!sk))
43416 ++ goto err;
43417 ++ wg = sk->sk_user_data;
43418 ++ if (unlikely(!wg))
43419 ++ goto err;
43420 ++ skb_mark_not_on_list(skb);
43421 ++ wg_packet_receive(wg, skb);
43422 ++ return 0;
43423 ++
43424 ++err:
43425 ++ kfree_skb(skb);
43426 ++ return 0;
43427 ++}
43428 ++
43429 ++static void sock_free(struct sock *sock)
43430 ++{
43431 ++ if (unlikely(!sock))
43432 ++ return;
43433 ++ sk_clear_memalloc(sock);
43434 ++ udp_tunnel_sock_release(sock->sk_socket);
43435 ++}
43436 ++
43437 ++static void set_sock_opts(struct socket *sock)
43438 ++{
43439 ++ sock->sk->sk_allocation = GFP_ATOMIC;
43440 ++ sock->sk->sk_sndbuf = INT_MAX;
43441 ++ sk_set_memalloc(sock->sk);
43442 ++}
43443 ++
43444 ++int wg_socket_init(struct wg_device *wg, u16 port)
43445 ++{
43446 ++ struct net *net;
43447 ++ int ret;
43448 ++ struct udp_tunnel_sock_cfg cfg = {
43449 ++ .sk_user_data = wg,
43450 ++ .encap_type = 1,
43451 ++ .encap_rcv = wg_receive
43452 ++ };
43453 ++ struct socket *new4 = NULL, *new6 = NULL;
43454 ++ struct udp_port_cfg port4 = {
43455 ++ .family = AF_INET,
43456 ++ .local_ip.s_addr = htonl(INADDR_ANY),
43457 ++ .local_udp_port = htons(port),
43458 ++ .use_udp_checksums = true
43459 ++ };
43460 ++#if IS_ENABLED(CONFIG_IPV6)
43461 ++ int retries = 0;
43462 ++ struct udp_port_cfg port6 = {
43463 ++ .family = AF_INET6,
43464 ++ .local_ip6 = IN6ADDR_ANY_INIT,
43465 ++ .use_udp6_tx_checksums = true,
43466 ++ .use_udp6_rx_checksums = true,
43467 ++ .ipv6_v6only = true
43468 ++ };
43469 ++#endif
43470 ++
43471 ++ rcu_read_lock();
43472 ++ net = rcu_dereference(wg->creating_net);
43473 ++ net = net ? maybe_get_net(net) : NULL;
43474 ++ rcu_read_unlock();
43475 ++ if (unlikely(!net))
43476 ++ return -ENONET;
43477 ++
43478 ++#if IS_ENABLED(CONFIG_IPV6)
43479 ++retry:
43480 ++#endif
43481 ++
43482 ++ ret = udp_sock_create(net, &port4, &new4);
43483 ++ if (ret < 0) {
43484 ++ pr_err("%s: Could not create IPv4 socket\n", wg->dev->name);
43485 ++ goto out;
43486 ++ }
43487 ++ set_sock_opts(new4);
43488 ++ setup_udp_tunnel_sock(net, new4, &cfg);
43489 ++
43490 ++#if IS_ENABLED(CONFIG_IPV6)
43491 ++ if (ipv6_mod_enabled()) {
43492 ++ port6.local_udp_port = inet_sk(new4->sk)->inet_sport;
43493 ++ ret = udp_sock_create(net, &port6, &new6);
43494 ++ if (ret < 0) {
43495 ++ udp_tunnel_sock_release(new4);
43496 ++ if (ret == -EADDRINUSE && !port && retries++ < 100)
43497 ++ goto retry;
43498 ++ pr_err("%s: Could not create IPv6 socket\n",
43499 ++ wg->dev->name);
43500 ++ goto out;
43501 ++ }
43502 ++ set_sock_opts(new6);
43503 ++ setup_udp_tunnel_sock(net, new6, &cfg);
43504 ++ }
43505 ++#endif
43506 ++
43507 ++ wg_socket_reinit(wg, new4->sk, new6 ? new6->sk : NULL);
43508 ++ ret = 0;
43509 ++out:
43510 ++ put_net(net);
43511 ++ return ret;
43512 ++}
43513 ++
43514 ++void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
43515 ++ struct sock *new6)
43516 ++{
43517 ++ struct sock *old4, *old6;
43518 ++
43519 ++ mutex_lock(&wg->socket_update_lock);
43520 ++ old4 = rcu_dereference_protected(wg->sock4,
43521 ++ lockdep_is_held(&wg->socket_update_lock));
43522 ++ old6 = rcu_dereference_protected(wg->sock6,
43523 ++ lockdep_is_held(&wg->socket_update_lock));
43524 ++ rcu_assign_pointer(wg->sock4, new4);
43525 ++ rcu_assign_pointer(wg->sock6, new6);
43526 ++ if (new4)
43527 ++ wg->incoming_port = ntohs(inet_sk(new4)->inet_sport);
43528 ++ mutex_unlock(&wg->socket_update_lock);
43529 ++ synchronize_rcu();
43530 ++ sock_free(old4);
43531 ++ sock_free(old6);
43532 ++}
43533 +--- /dev/null
43534 ++++ b/drivers/net/wireguard/socket.h
43535 +@@ -0,0 +1,44 @@
43536 ++/* SPDX-License-Identifier: GPL-2.0 */
43537 ++/*
43538 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43539 ++ */
43540 ++
43541 ++#ifndef _WG_SOCKET_H
43542 ++#define _WG_SOCKET_H
43543 ++
43544 ++#include <linux/netdevice.h>
43545 ++#include <linux/udp.h>
43546 ++#include <linux/if_vlan.h>
43547 ++#include <linux/if_ether.h>
43548 ++
43549 ++int wg_socket_init(struct wg_device *wg, u16 port);
43550 ++void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
43551 ++ struct sock *new6);
43552 ++int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *data,
43553 ++ size_t len, u8 ds);
43554 ++int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb,
43555 ++ u8 ds);
43556 ++int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
43557 ++ struct sk_buff *in_skb,
43558 ++ void *out_buffer, size_t len);
43559 ++
43560 ++int wg_socket_endpoint_from_skb(struct endpoint *endpoint,
43561 ++ const struct sk_buff *skb);
43562 ++void wg_socket_set_peer_endpoint(struct wg_peer *peer,
43563 ++ const struct endpoint *endpoint);
43564 ++void wg_socket_set_peer_endpoint_from_skb(struct wg_peer *peer,
43565 ++ const struct sk_buff *skb);
43566 ++void wg_socket_clear_peer_endpoint_src(struct wg_peer *peer);
43567 ++
43568 ++#if defined(CONFIG_DYNAMIC_DEBUG) || defined(DEBUG)
43569 ++#define net_dbg_skb_ratelimited(fmt, dev, skb, ...) do { \
43570 ++ struct endpoint __endpoint; \
43571 ++ wg_socket_endpoint_from_skb(&__endpoint, skb); \
43572 ++ net_dbg_ratelimited(fmt, dev, &__endpoint.addr, \
43573 ++ ##__VA_ARGS__); \
43574 ++ } while (0)
43575 ++#else
43576 ++#define net_dbg_skb_ratelimited(fmt, skb, ...)
43577 ++#endif
43578 ++
43579 ++#endif /* _WG_SOCKET_H */
43580 +--- /dev/null
43581 ++++ b/drivers/net/wireguard/timers.c
43582 +@@ -0,0 +1,243 @@
43583 ++// SPDX-License-Identifier: GPL-2.0
43584 ++/*
43585 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43586 ++ */
43587 ++
43588 ++#include "timers.h"
43589 ++#include "device.h"
43590 ++#include "peer.h"
43591 ++#include "queueing.h"
43592 ++#include "socket.h"
43593 ++
43594 ++/*
43595 ++ * - Timer for retransmitting the handshake if we don't hear back after
43596 ++ * `REKEY_TIMEOUT + jitter` ms.
43597 ++ *
43598 ++ * - Timer for sending empty packet if we have received a packet but after have
43599 ++ * not sent one for `KEEPALIVE_TIMEOUT` ms.
43600 ++ *
43601 ++ * - Timer for initiating new handshake if we have sent a packet but after have
43602 ++ * not received one (even empty) for `(KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) +
43603 ++ * jitter` ms.
43604 ++ *
43605 ++ * - Timer for zeroing out all ephemeral keys after `(REJECT_AFTER_TIME * 3)` ms
43606 ++ * if no new keys have been received.
43607 ++ *
43608 ++ * - Timer for, if enabled, sending an empty authenticated packet every user-
43609 ++ * specified seconds.
43610 ++ */
43611 ++
43612 ++static inline void mod_peer_timer(struct wg_peer *peer,
43613 ++ struct timer_list *timer,
43614 ++ unsigned long expires)
43615 ++{
43616 ++ rcu_read_lock_bh();
43617 ++ if (likely(netif_running(peer->device->dev) &&
43618 ++ !READ_ONCE(peer->is_dead)))
43619 ++ mod_timer(timer, expires);
43620 ++ rcu_read_unlock_bh();
43621 ++}
43622 ++
43623 ++static void wg_expired_retransmit_handshake(struct timer_list *timer)
43624 ++{
43625 ++ struct wg_peer *peer = from_timer(peer, timer,
43626 ++ timer_retransmit_handshake);
43627 ++
43628 ++ if (peer->timer_handshake_attempts > MAX_TIMER_HANDSHAKES) {
43629 ++ pr_debug("%s: Handshake for peer %llu (%pISpfsc) did not complete after %d attempts, giving up\n",
43630 ++ peer->device->dev->name, peer->internal_id,
43631 ++ &peer->endpoint.addr, MAX_TIMER_HANDSHAKES + 2);
43632 ++
43633 ++ del_timer(&peer->timer_send_keepalive);
43634 ++ /* We drop all packets without a keypair and don't try again,
43635 ++ * if we try unsuccessfully for too long to make a handshake.
43636 ++ */
43637 ++ wg_packet_purge_staged_packets(peer);
43638 ++
43639 ++ /* We set a timer for destroying any residue that might be left
43640 ++ * of a partial exchange.
43641 ++ */
43642 ++ if (!timer_pending(&peer->timer_zero_key_material))
43643 ++ mod_peer_timer(peer, &peer->timer_zero_key_material,
43644 ++ jiffies + REJECT_AFTER_TIME * 3 * HZ);
43645 ++ } else {
43646 ++ ++peer->timer_handshake_attempts;
43647 ++ pr_debug("%s: Handshake for peer %llu (%pISpfsc) did not complete after %d seconds, retrying (try %d)\n",
43648 ++ peer->device->dev->name, peer->internal_id,
43649 ++ &peer->endpoint.addr, REKEY_TIMEOUT,
43650 ++ peer->timer_handshake_attempts + 1);
43651 ++
43652 ++ /* We clear the endpoint address src address, in case this is
43653 ++ * the cause of trouble.
43654 ++ */
43655 ++ wg_socket_clear_peer_endpoint_src(peer);
43656 ++
43657 ++ wg_packet_send_queued_handshake_initiation(peer, true);
43658 ++ }
43659 ++}
43660 ++
43661 ++static void wg_expired_send_keepalive(struct timer_list *timer)
43662 ++{
43663 ++ struct wg_peer *peer = from_timer(peer, timer, timer_send_keepalive);
43664 ++
43665 ++ wg_packet_send_keepalive(peer);
43666 ++ if (peer->timer_need_another_keepalive) {
43667 ++ peer->timer_need_another_keepalive = false;
43668 ++ mod_peer_timer(peer, &peer->timer_send_keepalive,
43669 ++ jiffies + KEEPALIVE_TIMEOUT * HZ);
43670 ++ }
43671 ++}
43672 ++
43673 ++static void wg_expired_new_handshake(struct timer_list *timer)
43674 ++{
43675 ++ struct wg_peer *peer = from_timer(peer, timer, timer_new_handshake);
43676 ++
43677 ++ pr_debug("%s: Retrying handshake with peer %llu (%pISpfsc) because we stopped hearing back after %d seconds\n",
43678 ++ peer->device->dev->name, peer->internal_id,
43679 ++ &peer->endpoint.addr, KEEPALIVE_TIMEOUT + REKEY_TIMEOUT);
43680 ++ /* We clear the endpoint address src address, in case this is the cause
43681 ++ * of trouble.
43682 ++ */
43683 ++ wg_socket_clear_peer_endpoint_src(peer);
43684 ++ wg_packet_send_queued_handshake_initiation(peer, false);
43685 ++}
43686 ++
43687 ++static void wg_expired_zero_key_material(struct timer_list *timer)
43688 ++{
43689 ++ struct wg_peer *peer = from_timer(peer, timer, timer_zero_key_material);
43690 ++
43691 ++ rcu_read_lock_bh();
43692 ++ if (!READ_ONCE(peer->is_dead)) {
43693 ++ wg_peer_get(peer);
43694 ++ if (!queue_work(peer->device->handshake_send_wq,
43695 ++ &peer->clear_peer_work))
43696 ++ /* If the work was already on the queue, we want to drop
43697 ++ * the extra reference.
43698 ++ */
43699 ++ wg_peer_put(peer);
43700 ++ }
43701 ++ rcu_read_unlock_bh();
43702 ++}
43703 ++
43704 ++static void wg_queued_expired_zero_key_material(struct work_struct *work)
43705 ++{
43706 ++ struct wg_peer *peer = container_of(work, struct wg_peer,
43707 ++ clear_peer_work);
43708 ++
43709 ++ pr_debug("%s: Zeroing out all keys for peer %llu (%pISpfsc), since we haven't received a new one in %d seconds\n",
43710 ++ peer->device->dev->name, peer->internal_id,
43711 ++ &peer->endpoint.addr, REJECT_AFTER_TIME * 3);
43712 ++ wg_noise_handshake_clear(&peer->handshake);
43713 ++ wg_noise_keypairs_clear(&peer->keypairs);
43714 ++ wg_peer_put(peer);
43715 ++}
43716 ++
43717 ++static void wg_expired_send_persistent_keepalive(struct timer_list *timer)
43718 ++{
43719 ++ struct wg_peer *peer = from_timer(peer, timer,
43720 ++ timer_persistent_keepalive);
43721 ++
43722 ++ if (likely(peer->persistent_keepalive_interval))
43723 ++ wg_packet_send_keepalive(peer);
43724 ++}
43725 ++
43726 ++/* Should be called after an authenticated data packet is sent. */
43727 ++void wg_timers_data_sent(struct wg_peer *peer)
43728 ++{
43729 ++ if (!timer_pending(&peer->timer_new_handshake))
43730 ++ mod_peer_timer(peer, &peer->timer_new_handshake,
43731 ++ jiffies + (KEEPALIVE_TIMEOUT + REKEY_TIMEOUT) * HZ +
43732 ++ prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES));
43733 ++}
43734 ++
43735 ++/* Should be called after an authenticated data packet is received. */
43736 ++void wg_timers_data_received(struct wg_peer *peer)
43737 ++{
43738 ++ if (likely(netif_running(peer->device->dev))) {
43739 ++ if (!timer_pending(&peer->timer_send_keepalive))
43740 ++ mod_peer_timer(peer, &peer->timer_send_keepalive,
43741 ++ jiffies + KEEPALIVE_TIMEOUT * HZ);
43742 ++ else
43743 ++ peer->timer_need_another_keepalive = true;
43744 ++ }
43745 ++}
43746 ++
43747 ++/* Should be called after any type of authenticated packet is sent, whether
43748 ++ * keepalive, data, or handshake.
43749 ++ */
43750 ++void wg_timers_any_authenticated_packet_sent(struct wg_peer *peer)
43751 ++{
43752 ++ del_timer(&peer->timer_send_keepalive);
43753 ++}
43754 ++
43755 ++/* Should be called after any type of authenticated packet is received, whether
43756 ++ * keepalive, data, or handshake.
43757 ++ */
43758 ++void wg_timers_any_authenticated_packet_received(struct wg_peer *peer)
43759 ++{
43760 ++ del_timer(&peer->timer_new_handshake);
43761 ++}
43762 ++
43763 ++/* Should be called after a handshake initiation message is sent. */
43764 ++void wg_timers_handshake_initiated(struct wg_peer *peer)
43765 ++{
43766 ++ mod_peer_timer(peer, &peer->timer_retransmit_handshake,
43767 ++ jiffies + REKEY_TIMEOUT * HZ +
43768 ++ prandom_u32_max(REKEY_TIMEOUT_JITTER_MAX_JIFFIES));
43769 ++}
43770 ++
43771 ++/* Should be called after a handshake response message is received and processed
43772 ++ * or when getting key confirmation via the first data message.
43773 ++ */
43774 ++void wg_timers_handshake_complete(struct wg_peer *peer)
43775 ++{
43776 ++ del_timer(&peer->timer_retransmit_handshake);
43777 ++ peer->timer_handshake_attempts = 0;
43778 ++ peer->sent_lastminute_handshake = false;
43779 ++ ktime_get_real_ts64(&peer->walltime_last_handshake);
43780 ++}
43781 ++
43782 ++/* Should be called after an ephemeral key is created, which is before sending a
43783 ++ * handshake response or after receiving a handshake response.
43784 ++ */
43785 ++void wg_timers_session_derived(struct wg_peer *peer)
43786 ++{
43787 ++ mod_peer_timer(peer, &peer->timer_zero_key_material,
43788 ++ jiffies + REJECT_AFTER_TIME * 3 * HZ);
43789 ++}
43790 ++
43791 ++/* Should be called before a packet with authentication, whether
43792 ++ * keepalive, data, or handshakem is sent, or after one is received.
43793 ++ */
43794 ++void wg_timers_any_authenticated_packet_traversal(struct wg_peer *peer)
43795 ++{
43796 ++ if (peer->persistent_keepalive_interval)
43797 ++ mod_peer_timer(peer, &peer->timer_persistent_keepalive,
43798 ++ jiffies + peer->persistent_keepalive_interval * HZ);
43799 ++}
43800 ++
43801 ++void wg_timers_init(struct wg_peer *peer)
43802 ++{
43803 ++ timer_setup(&peer->timer_retransmit_handshake,
43804 ++ wg_expired_retransmit_handshake, 0);
43805 ++ timer_setup(&peer->timer_send_keepalive, wg_expired_send_keepalive, 0);
43806 ++ timer_setup(&peer->timer_new_handshake, wg_expired_new_handshake, 0);
43807 ++ timer_setup(&peer->timer_zero_key_material,
43808 ++ wg_expired_zero_key_material, 0);
43809 ++ timer_setup(&peer->timer_persistent_keepalive,
43810 ++ wg_expired_send_persistent_keepalive, 0);
43811 ++ INIT_WORK(&peer->clear_peer_work, wg_queued_expired_zero_key_material);
43812 ++ peer->timer_handshake_attempts = 0;
43813 ++ peer->sent_lastminute_handshake = false;
43814 ++ peer->timer_need_another_keepalive = false;
43815 ++}
43816 ++
43817 ++void wg_timers_stop(struct wg_peer *peer)
43818 ++{
43819 ++ del_timer_sync(&peer->timer_retransmit_handshake);
43820 ++ del_timer_sync(&peer->timer_send_keepalive);
43821 ++ del_timer_sync(&peer->timer_new_handshake);
43822 ++ del_timer_sync(&peer->timer_zero_key_material);
43823 ++ del_timer_sync(&peer->timer_persistent_keepalive);
43824 ++ flush_work(&peer->clear_peer_work);
43825 ++}
43826 +--- /dev/null
43827 ++++ b/drivers/net/wireguard/timers.h
43828 +@@ -0,0 +1,31 @@
43829 ++/* SPDX-License-Identifier: GPL-2.0 */
43830 ++/*
43831 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43832 ++ */
43833 ++
43834 ++#ifndef _WG_TIMERS_H
43835 ++#define _WG_TIMERS_H
43836 ++
43837 ++#include <linux/ktime.h>
43838 ++
43839 ++struct wg_peer;
43840 ++
43841 ++void wg_timers_init(struct wg_peer *peer);
43842 ++void wg_timers_stop(struct wg_peer *peer);
43843 ++void wg_timers_data_sent(struct wg_peer *peer);
43844 ++void wg_timers_data_received(struct wg_peer *peer);
43845 ++void wg_timers_any_authenticated_packet_sent(struct wg_peer *peer);
43846 ++void wg_timers_any_authenticated_packet_received(struct wg_peer *peer);
43847 ++void wg_timers_handshake_initiated(struct wg_peer *peer);
43848 ++void wg_timers_handshake_complete(struct wg_peer *peer);
43849 ++void wg_timers_session_derived(struct wg_peer *peer);
43850 ++void wg_timers_any_authenticated_packet_traversal(struct wg_peer *peer);
43851 ++
43852 ++static inline bool wg_birthdate_has_expired(u64 birthday_nanoseconds,
43853 ++ u64 expiration_seconds)
43854 ++{
43855 ++ return (s64)(birthday_nanoseconds + expiration_seconds * NSEC_PER_SEC)
43856 ++ <= (s64)ktime_get_coarse_boottime_ns();
43857 ++}
43858 ++
43859 ++#endif /* _WG_TIMERS_H */
43860 +--- /dev/null
43861 ++++ b/drivers/net/wireguard/version.h
43862 +@@ -0,0 +1 @@
43863 ++#define WIREGUARD_VERSION "1.0.0"
43864 +--- b/include/uapi/linux/wireguard.h
43865 ++++ b/include/uapi/linux/wireguard.h
43866 +@@ -0,0 +1,196 @@
43867 ++/* SPDX-License-Identifier: (GPL-2.0 WITH Linux-syscall-note) OR MIT */
43868 ++/*
43869 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
43870 ++ *
43871 ++ * Documentation
43872 ++ * =============
43873 ++ *
43874 ++ * The below enums and macros are for interfacing with WireGuard, using generic
43875 ++ * netlink, with family WG_GENL_NAME and version WG_GENL_VERSION. It defines two
43876 ++ * methods: get and set. Note that while they share many common attributes,
43877 ++ * these two functions actually accept a slightly different set of inputs and
43878 ++ * outputs.
43879 ++ *
43880 ++ * WG_CMD_GET_DEVICE
43881 ++ * -----------------
43882 ++ *
43883 ++ * May only be called via NLM_F_REQUEST | NLM_F_DUMP. The command should contain
43884 ++ * one but not both of:
43885 ++ *
43886 ++ * WGDEVICE_A_IFINDEX: NLA_U32
43887 ++ * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
43888 ++ *
43889 ++ * The kernel will then return several messages (NLM_F_MULTI) containing the
43890 ++ * following tree of nested items:
43891 ++ *
43892 ++ * WGDEVICE_A_IFINDEX: NLA_U32
43893 ++ * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
43894 ++ * WGDEVICE_A_PRIVATE_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43895 ++ * WGDEVICE_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43896 ++ * WGDEVICE_A_LISTEN_PORT: NLA_U16
43897 ++ * WGDEVICE_A_FWMARK: NLA_U32
43898 ++ * WGDEVICE_A_PEERS: NLA_NESTED
43899 ++ * 0: NLA_NESTED
43900 ++ * WGPEER_A_PUBLIC_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43901 ++ * WGPEER_A_PRESHARED_KEY: NLA_EXACT_LEN, len WG_KEY_LEN
43902 ++ * WGPEER_A_ENDPOINT: NLA_MIN_LEN(struct sockaddr), struct sockaddr_in or struct sockaddr_in6
43903 ++ * WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16
43904 ++ * WGPEER_A_LAST_HANDSHAKE_TIME: NLA_EXACT_LEN, struct __kernel_timespec
43905 ++ * WGPEER_A_RX_BYTES: NLA_U64
43906 ++ * WGPEER_A_TX_BYTES: NLA_U64
43907 ++ * WGPEER_A_ALLOWEDIPS: NLA_NESTED
43908 ++ * 0: NLA_NESTED
43909 ++ * WGALLOWEDIP_A_FAMILY: NLA_U16
43910 ++ * WGALLOWEDIP_A_IPADDR: NLA_MIN_LEN(struct in_addr), struct in_addr or struct in6_addr
43911 ++ * WGALLOWEDIP_A_CIDR_MASK: NLA_U8
43912 ++ * 0: NLA_NESTED
43913 ++ * ...
43914 ++ * 0: NLA_NESTED
43915 ++ * ...
43916 ++ * ...
43917 ++ * WGPEER_A_PROTOCOL_VERSION: NLA_U32
43918 ++ * 0: NLA_NESTED
43919 ++ * ...
43920 ++ * ...
43921 ++ *
43922 ++ * It is possible that all of the allowed IPs of a single peer will not
43923 ++ * fit within a single netlink message. In that case, the same peer will
43924 ++ * be written in the following message, except it will only contain
43925 ++ * WGPEER_A_PUBLIC_KEY and WGPEER_A_ALLOWEDIPS. This may occur several
43926 ++ * times in a row for the same peer. It is then up to the receiver to
43927 ++ * coalesce adjacent peers. Likewise, it is possible that all peers will
43928 ++ * not fit within a single message. So, subsequent peers will be sent
43929 ++ * in following messages, except those will only contain WGDEVICE_A_IFNAME
43930 ++ * and WGDEVICE_A_PEERS. It is then up to the receiver to coalesce these
43931 ++ * messages to form the complete list of peers.
43932 ++ *
43933 ++ * Since this is an NLA_F_DUMP command, the final message will always be
43934 ++ * NLMSG_DONE, even if an error occurs. However, this NLMSG_DONE message
43935 ++ * contains an integer error code. It is either zero or a negative error
43936 ++ * code corresponding to the errno.
43937 ++ *
43938 ++ * WG_CMD_SET_DEVICE
43939 ++ * -----------------
43940 ++ *
43941 ++ * May only be called via NLM_F_REQUEST. The command should contain the
43942 ++ * following tree of nested items, containing one but not both of
43943 ++ * WGDEVICE_A_IFINDEX and WGDEVICE_A_IFNAME:
43944 ++ *
43945 ++ * WGDEVICE_A_IFINDEX: NLA_U32
43946 ++ * WGDEVICE_A_IFNAME: NLA_NUL_STRING, maxlen IFNAMSIZ - 1
43947 ++ * WGDEVICE_A_FLAGS: NLA_U32, 0 or WGDEVICE_F_REPLACE_PEERS if all current
43948 ++ * peers should be removed prior to adding the list below.
43949 ++ * WGDEVICE_A_PRIVATE_KEY: len WG_KEY_LEN, all zeros to remove
43950 ++ * WGDEVICE_A_LISTEN_PORT: NLA_U16, 0 to choose randomly
43951 ++ * WGDEVICE_A_FWMARK: NLA_U32, 0 to disable
43952 ++ * WGDEVICE_A_PEERS: NLA_NESTED
43953 ++ * 0: NLA_NESTED
43954 ++ * WGPEER_A_PUBLIC_KEY: len WG_KEY_LEN
43955 ++ * WGPEER_A_FLAGS: NLA_U32, 0 and/or WGPEER_F_REMOVE_ME if the
43956 ++ * specified peer should not exist at the end of the
43957 ++ * operation, rather than added/updated and/or
43958 ++ * WGPEER_F_REPLACE_ALLOWEDIPS if all current allowed
43959 ++ * IPs of this peer should be removed prior to adding
43960 ++ * the list below and/or WGPEER_F_UPDATE_ONLY if the
43961 ++ * peer should only be set if it already exists.
43962 ++ * WGPEER_A_PRESHARED_KEY: len WG_KEY_LEN, all zeros to remove
43963 ++ * WGPEER_A_ENDPOINT: struct sockaddr_in or struct sockaddr_in6
43964 ++ * WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL: NLA_U16, 0 to disable
43965 ++ * WGPEER_A_ALLOWEDIPS: NLA_NESTED
43966 ++ * 0: NLA_NESTED
43967 ++ * WGALLOWEDIP_A_FAMILY: NLA_U16
43968 ++ * WGALLOWEDIP_A_IPADDR: struct in_addr or struct in6_addr
43969 ++ * WGALLOWEDIP_A_CIDR_MASK: NLA_U8
43970 ++ * 0: NLA_NESTED
43971 ++ * ...
43972 ++ * 0: NLA_NESTED
43973 ++ * ...
43974 ++ * ...
43975 ++ * WGPEER_A_PROTOCOL_VERSION: NLA_U32, should not be set or used at
43976 ++ * all by most users of this API, as the
43977 ++ * most recent protocol will be used when
43978 ++ * this is unset. Otherwise, must be set
43979 ++ * to 1.
43980 ++ * 0: NLA_NESTED
43981 ++ * ...
43982 ++ * ...
43983 ++ *
43984 ++ * It is possible that the amount of configuration data exceeds that of
43985 ++ * the maximum message length accepted by the kernel. In that case, several
43986 ++ * messages should be sent one after another, with each successive one
43987 ++ * filling in information not contained in the prior. Note that if
43988 ++ * WGDEVICE_F_REPLACE_PEERS is specified in the first message, it probably
43989 ++ * should not be specified in fragments that come after, so that the list
43990 ++ * of peers is only cleared the first time but appended after. Likewise for
43991 ++ * peers, if WGPEER_F_REPLACE_ALLOWEDIPS is specified in the first message
43992 ++ * of a peer, it likely should not be specified in subsequent fragments.
43993 ++ *
43994 ++ * If an error occurs, NLMSG_ERROR will reply containing an errno.
43995 ++ */
43996 ++
43997 ++#ifndef _WG_UAPI_WIREGUARD_H
43998 ++#define _WG_UAPI_WIREGUARD_H
43999 ++
44000 ++#define WG_GENL_NAME "wireguard"
44001 ++#define WG_GENL_VERSION 1
44002 ++
44003 ++#define WG_KEY_LEN 32
44004 ++
44005 ++enum wg_cmd {
44006 ++ WG_CMD_GET_DEVICE,
44007 ++ WG_CMD_SET_DEVICE,
44008 ++ __WG_CMD_MAX
44009 ++};
44010 ++#define WG_CMD_MAX (__WG_CMD_MAX - 1)
44011 ++
44012 ++enum wgdevice_flag {
44013 ++ WGDEVICE_F_REPLACE_PEERS = 1U << 0,
44014 ++ __WGDEVICE_F_ALL = WGDEVICE_F_REPLACE_PEERS
44015 ++};
44016 ++enum wgdevice_attribute {
44017 ++ WGDEVICE_A_UNSPEC,
44018 ++ WGDEVICE_A_IFINDEX,
44019 ++ WGDEVICE_A_IFNAME,
44020 ++ WGDEVICE_A_PRIVATE_KEY,
44021 ++ WGDEVICE_A_PUBLIC_KEY,
44022 ++ WGDEVICE_A_FLAGS,
44023 ++ WGDEVICE_A_LISTEN_PORT,
44024 ++ WGDEVICE_A_FWMARK,
44025 ++ WGDEVICE_A_PEERS,
44026 ++ __WGDEVICE_A_LAST
44027 ++};
44028 ++#define WGDEVICE_A_MAX (__WGDEVICE_A_LAST - 1)
44029 ++
44030 ++enum wgpeer_flag {
44031 ++ WGPEER_F_REMOVE_ME = 1U << 0,
44032 ++ WGPEER_F_REPLACE_ALLOWEDIPS = 1U << 1,
44033 ++ WGPEER_F_UPDATE_ONLY = 1U << 2,
44034 ++ __WGPEER_F_ALL = WGPEER_F_REMOVE_ME | WGPEER_F_REPLACE_ALLOWEDIPS |
44035 ++ WGPEER_F_UPDATE_ONLY
44036 ++};
44037 ++enum wgpeer_attribute {
44038 ++ WGPEER_A_UNSPEC,
44039 ++ WGPEER_A_PUBLIC_KEY,
44040 ++ WGPEER_A_PRESHARED_KEY,
44041 ++ WGPEER_A_FLAGS,
44042 ++ WGPEER_A_ENDPOINT,
44043 ++ WGPEER_A_PERSISTENT_KEEPALIVE_INTERVAL,
44044 ++ WGPEER_A_LAST_HANDSHAKE_TIME,
44045 ++ WGPEER_A_RX_BYTES,
44046 ++ WGPEER_A_TX_BYTES,
44047 ++ WGPEER_A_ALLOWEDIPS,
44048 ++ WGPEER_A_PROTOCOL_VERSION,
44049 ++ __WGPEER_A_LAST
44050 ++};
44051 ++#define WGPEER_A_MAX (__WGPEER_A_LAST - 1)
44052 ++
44053 ++enum wgallowedip_attribute {
44054 ++ WGALLOWEDIP_A_UNSPEC,
44055 ++ WGALLOWEDIP_A_FAMILY,
44056 ++ WGALLOWEDIP_A_IPADDR,
44057 ++ WGALLOWEDIP_A_CIDR_MASK,
44058 ++ __WGALLOWEDIP_A_LAST
44059 ++};
44060 ++#define WGALLOWEDIP_A_MAX (__WGALLOWEDIP_A_LAST - 1)
44061 ++
44062 ++#endif /* _WG_UAPI_WIREGUARD_H */
44063 +--- b/tools/testing/selftests/wireguard/netns.sh
44064 ++++ b/tools/testing/selftests/wireguard/netns.sh
44065 +@@ -0,0 +1,635 @@
44066 ++#!/bin/bash
44067 ++# SPDX-License-Identifier: GPL-2.0
44068 ++#
44069 ++# Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
44070 ++#
44071 ++# This script tests the below topology:
44072 ++#
44073 ++# ┌─────────────────────┐ ┌──────────────────────────────────┐ ┌─────────────────────┐
44074 ++# │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
44075 ++# │ │ │ │ │ │
44076 ++# │┌────────┐ │ │ ┌────────┐ │ │ ┌────────┐│
44077 ++# ││ wg0 │───────────┼───┼────────────│ lo │────────────┼───┼───────────│ wg0 ││
44078 ++# │├────────┴──────────┐│ │ ┌───────┴────────┴────────┐ │ │┌──────────┴────────┤│
44079 ++# ││192.168.241.1/24 ││ │ │(ns1) (ns2) │ │ ││192.168.241.2/24 ││
44080 ++# ││fd00::1/24 ││ │ │127.0.0.1:1 127.0.0.1:2│ │ ││fd00::2/24 ││
44081 ++# │└───────────────────┘│ │ │[::]:1 [::]:2 │ │ │└───────────────────┘│
44082 ++# └─────────────────────┘ │ └─────────────────────────┘ │ └─────────────────────┘
44083 ++# └──────────────────────────────────┘
44084 ++#
44085 ++# After the topology is prepared we run a series of TCP/UDP iperf3 tests between the
44086 ++# wireguard peers in $ns1 and $ns2. Note that $ns0 is the endpoint for the wg0
44087 ++# interfaces in $ns1 and $ns2. See https://www.wireguard.com/netns/ for further
44088 ++# details on how this is accomplished.
44089 ++set -e
44090 ++
44091 ++exec 3>&1
44092 ++export LANG=C
44093 ++export WG_HIDE_KEYS=never
44094 ++netns0="wg-test-$$-0"
44095 ++netns1="wg-test-$$-1"
44096 ++netns2="wg-test-$$-2"
44097 ++pretty() { echo -e "\x1b[32m\x1b[1m[+] ${1:+NS$1: }${2}\x1b[0m" >&3; }
44098 ++pp() { pretty "" "$*"; "$@"; }
44099 ++maybe_exec() { if [[ $BASHPID -eq $$ ]]; then "$@"; else exec "$@"; fi; }
44100 ++n0() { pretty 0 "$*"; maybe_exec ip netns exec $netns0 "$@"; }
44101 ++n1() { pretty 1 "$*"; maybe_exec ip netns exec $netns1 "$@"; }
44102 ++n2() { pretty 2 "$*"; maybe_exec ip netns exec $netns2 "$@"; }
44103 ++ip0() { pretty 0 "ip $*"; ip -n $netns0 "$@"; }
44104 ++ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
44105 ++ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
44106 ++sleep() { read -t "$1" -N 1 || true; }
44107 ++waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sport = ${3:-5201}") != *\"iperf3\",pid=$2,fd=* ]]; do sleep 0.1; done; }
44108 ++waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = 1111') != *\"ncat\",pid=$2,fd=* ]]; do sleep 0.1; done; }
44109 ++waitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/net/$2/operstate\") != up ]]; do read -t .1 -N 0 || true; done;"; }
44110 ++
44111 ++cleanup() {
44112 ++ set +e
44113 ++ exec 2>/dev/null
44114 ++ printf "$orig_message_cost" > /proc/sys/net/core/message_cost
44115 ++ ip0 link del dev wg0
44116 ++ ip0 link del dev wg1
44117 ++ ip1 link del dev wg0
44118 ++ ip1 link del dev wg1
44119 ++ ip2 link del dev wg0
44120 ++ ip2 link del dev wg1
44121 ++ local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)"
44122 ++ [[ -n $to_kill ]] && kill $to_kill
44123 ++ pp ip netns del $netns1
44124 ++ pp ip netns del $netns2
44125 ++ pp ip netns del $netns0
44126 ++ exit
44127 ++}
44128 ++
44129 ++orig_message_cost="$(< /proc/sys/net/core/message_cost)"
44130 ++trap cleanup EXIT
44131 ++printf 0 > /proc/sys/net/core/message_cost
44132 ++
44133 ++ip netns del $netns0 2>/dev/null || true
44134 ++ip netns del $netns1 2>/dev/null || true
44135 ++ip netns del $netns2 2>/dev/null || true
44136 ++pp ip netns add $netns0
44137 ++pp ip netns add $netns1
44138 ++pp ip netns add $netns2
44139 ++ip0 link set up dev lo
44140 ++
44141 ++ip0 link add dev wg0 type wireguard
44142 ++ip0 link set wg0 netns $netns1
44143 ++ip0 link add dev wg0 type wireguard
44144 ++ip0 link set wg0 netns $netns2
44145 ++key1="$(pp wg genkey)"
44146 ++key2="$(pp wg genkey)"
44147 ++key3="$(pp wg genkey)"
44148 ++key4="$(pp wg genkey)"
44149 ++pub1="$(pp wg pubkey <<<"$key1")"
44150 ++pub2="$(pp wg pubkey <<<"$key2")"
44151 ++pub3="$(pp wg pubkey <<<"$key3")"
44152 ++pub4="$(pp wg pubkey <<<"$key4")"
44153 ++psk="$(pp wg genpsk)"
44154 ++[[ -n $key1 && -n $key2 && -n $psk ]]
44155 ++
44156 ++configure_peers() {
44157 ++ ip1 addr add 192.168.241.1/24 dev wg0
44158 ++ ip1 addr add fd00::1/112 dev wg0
44159 ++
44160 ++ ip2 addr add 192.168.241.2/24 dev wg0
44161 ++ ip2 addr add fd00::2/112 dev wg0
44162 ++
44163 ++ n1 wg set wg0 \
44164 ++ private-key <(echo "$key1") \
44165 ++ listen-port 1 \
44166 ++ peer "$pub2" \
44167 ++ preshared-key <(echo "$psk") \
44168 ++ allowed-ips 192.168.241.2/32,fd00::2/128
44169 ++ n2 wg set wg0 \
44170 ++ private-key <(echo "$key2") \
44171 ++ listen-port 2 \
44172 ++ peer "$pub1" \
44173 ++ preshared-key <(echo "$psk") \
44174 ++ allowed-ips 192.168.241.1/32,fd00::1/128
44175 ++
44176 ++ ip1 link set up dev wg0
44177 ++ ip2 link set up dev wg0
44178 ++}
44179 ++configure_peers
44180 ++
44181 ++tests() {
44182 ++ # Ping over IPv4
44183 ++ n2 ping -c 10 -f -W 1 192.168.241.1
44184 ++ n1 ping -c 10 -f -W 1 192.168.241.2
44185 ++
44186 ++ # Ping over IPv6
44187 ++ n2 ping6 -c 10 -f -W 1 fd00::1
44188 ++ n1 ping6 -c 10 -f -W 1 fd00::2
44189 ++
44190 ++ # TCP over IPv4
44191 ++ n2 iperf3 -s -1 -B 192.168.241.2 &
44192 ++ waitiperf $netns2 $!
44193 ++ n1 iperf3 -Z -t 3 -c 192.168.241.2
44194 ++
44195 ++ # TCP over IPv6
44196 ++ n1 iperf3 -s -1 -B fd00::1 &
44197 ++ waitiperf $netns1 $!
44198 ++ n2 iperf3 -Z -t 3 -c fd00::1
44199 ++
44200 ++ # UDP over IPv4
44201 ++ n1 iperf3 -s -1 -B 192.168.241.1 &
44202 ++ waitiperf $netns1 $!
44203 ++ n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
44204 ++
44205 ++ # UDP over IPv6
44206 ++ n2 iperf3 -s -1 -B fd00::2 &
44207 ++ waitiperf $netns2 $!
44208 ++ n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
44209 ++
44210 ++ # TCP over IPv4, in parallel
44211 ++ for max in 4 5 50; do
44212 ++ local pids=( )
44213 ++ for ((i=0; i < max; ++i)) do
44214 ++ n2 iperf3 -p $(( 5200 + i )) -s -1 -B 192.168.241.2 &
44215 ++ pids+=( $! ); waitiperf $netns2 $! $(( 5200 + i ))
44216 ++ done
44217 ++ for ((i=0; i < max; ++i)) do
44218 ++ n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
44219 ++ done
44220 ++ wait "${pids[@]}"
44221 ++ done
44222 ++}
44223 ++
44224 ++[[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
44225 ++big_mtu=$(( 34816 - 1500 + $orig_mtu ))
44226 ++
44227 ++# Test using IPv4 as outer transport
44228 ++n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
44229 ++n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
44230 ++# Before calling tests, we first make sure that the stats counters and timestamper are working
44231 ++n2 ping -c 10 -f -W 1 192.168.241.1
44232 ++{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev wg0)
44233 ++(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
44234 ++{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev wg0)
44235 ++(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
44236 ++read _ rx_bytes tx_bytes < <(n2 wg show wg0 transfer)
44237 ++(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
44238 ++read _ rx_bytes tx_bytes < <(n1 wg show wg0 transfer)
44239 ++(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
44240 ++read _ timestamp < <(n1 wg show wg0 latest-handshakes)
44241 ++(( timestamp != 0 ))
44242 ++
44243 ++tests
44244 ++ip1 link set wg0 mtu $big_mtu
44245 ++ip2 link set wg0 mtu $big_mtu
44246 ++tests
44247 ++
44248 ++ip1 link set wg0 mtu $orig_mtu
44249 ++ip2 link set wg0 mtu $orig_mtu
44250 ++
44251 ++# Test using IPv6 as outer transport
44252 ++n1 wg set wg0 peer "$pub2" endpoint [::1]:2
44253 ++n2 wg set wg0 peer "$pub1" endpoint [::1]:1
44254 ++tests
44255 ++ip1 link set wg0 mtu $big_mtu
44256 ++ip2 link set wg0 mtu $big_mtu
44257 ++tests
44258 ++
44259 ++# Test that route MTUs work with the padding
44260 ++ip1 link set wg0 mtu 1300
44261 ++ip2 link set wg0 mtu 1300
44262 ++n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
44263 ++n2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
44264 ++n0 iptables -A INPUT -m length --length 1360 -j DROP
44265 ++n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
44266 ++n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
44267 ++n2 ping -c 1 -W 1 -s 1269 192.168.241.1
44268 ++n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
44269 ++n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
44270 ++n0 iptables -F INPUT
44271 ++
44272 ++ip1 link set wg0 mtu $orig_mtu
44273 ++ip2 link set wg0 mtu $orig_mtu
44274 ++
44275 ++# Test using IPv4 that roaming works
44276 ++ip0 -4 addr del 127.0.0.1/8 dev lo
44277 ++ip0 -4 addr add 127.212.121.99/8 dev lo
44278 ++n1 wg set wg0 listen-port 9999
44279 ++n1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
44280 ++n1 ping6 -W 1 -c 1 fd00::2
44281 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 127.212.121.99:9999" ]]
44282 ++
44283 ++# Test using IPv6 that roaming works
44284 ++n1 wg set wg0 listen-port 9998
44285 ++n1 wg set wg0 peer "$pub2" endpoint [::1]:2
44286 ++n1 ping -W 1 -c 1 192.168.241.2
44287 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 [::1]:9998" ]]
44288 ++
44289 ++# Test that crypto-RP filter works
44290 ++n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
44291 ++exec 4< <(n1 ncat -l -u -p 1111)
44292 ++ncat_pid=$!
44293 ++waitncatudp $netns1 $ncat_pid
44294 ++n2 ncat -u 192.168.241.1 1111 <<<"X"
44295 ++read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
44296 ++kill $ncat_pid
44297 ++more_specific_key="$(pp wg genkey | pp wg pubkey)"
44298 ++n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
44299 ++n2 wg set wg0 listen-port 9997
44300 ++exec 4< <(n1 ncat -l -u -p 1111)
44301 ++ncat_pid=$!
44302 ++waitncatudp $netns1 $ncat_pid
44303 ++n2 ncat -u 192.168.241.1 1111 <<<"X"
44304 ++! read -r -N 1 -t 1 out <&4 || false
44305 ++kill $ncat_pid
44306 ++n1 wg set wg0 peer "$more_specific_key" remove
44307 ++[[ $(n1 wg show wg0 endpoints) == "$pub2 [::1]:9997" ]]
44308 ++
44309 ++# Test that we can change private keys keys and immediately handshake
44310 ++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192.168.241.2/32 endpoint 127.0.0.1:2
44311 ++n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32
44312 ++n1 ping -W 1 -c 1 192.168.241.2
44313 ++n1 wg set wg0 private-key <(echo "$key3")
44314 ++n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" remove
44315 ++n1 ping -W 1 -c 1 192.168.241.2
44316 ++n2 wg set wg0 peer "$pub3" remove
44317 ++
44318 ++# Test that we can route wg through wg
44319 ++ip1 addr flush dev wg0
44320 ++ip2 addr flush dev wg0
44321 ++ip1 addr add fd00::5:1/112 dev wg0
44322 ++ip2 addr add fd00::5:2/112 dev wg0
44323 ++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd00::5:2/128 endpoint 127.0.0.1:2
44324 ++n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips fd00::5:1/128 endpoint 127.212.121.99:9998
44325 ++ip1 link add wg1 type wireguard
44326 ++ip2 link add wg1 type wireguard
44327 ++ip1 addr add 192.168.241.1/24 dev wg1
44328 ++ip1 addr add fd00::1/112 dev wg1
44329 ++ip2 addr add 192.168.241.2/24 dev wg1
44330 ++ip2 addr add fd00::2/112 dev wg1
44331 ++ip1 link set mtu 1340 up dev wg1
44332 ++ip2 link set mtu 1340 up dev wg1
44333 ++n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,fd00::2/128 endpoint [fd00::5:2]:5
44334 ++n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,fd00::1/128 endpoint [fd00::5:1]:5
44335 ++tests
44336 ++# Try to set up a routing loop between the two namespaces
44337 ++ip1 link set netns $netns0 dev wg1
44338 ++ip0 addr add 192.168.241.1/24 dev wg1
44339 ++ip0 link set up dev wg1
44340 ++n0 ping -W 1 -c 1 192.168.241.2
44341 ++n1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7
44342 ++ip2 link del wg0
44343 ++ip2 link del wg1
44344 ++! n0 ping -W 1 -c 10 -f 192.168.241.2 || false # Should not crash kernel
44345 ++
44346 ++ip0 link del wg1
44347 ++ip1 link del wg0
44348 ++
44349 ++# Test using NAT. We now change the topology to this:
44350 ++# ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐
44351 ++# │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
44352 ++# │ │ │ │ │ │
44353 ++# │ ┌─────┐ ┌─────┐ │ │ ┌──────┐ ┌──────┐ │ │ ┌─────┐ ┌─────┐ │
44354 ++# │ │ wg0 │─────────────│vethc│───────────┼────┼────│vethrc│ │vethrs│──────────────┼─────┼──│veths│────────────│ wg0 │ │
44355 ++# │ ├─────┴──────────┐ ├─────┴──────────┐│ │ ├──────┴─────────┐ ├──────┴────────────┐ │ │ ├─────┴──────────┐ ├─────┴──────────┐ │
44356 ++# │ │192.168.241.1/24│ │192.168.1.100/24││ │ │192.168.1.1/24 │ │10.0.0.1/24 │ │ │ │10.0.0.100/24 │ │192.168.241.2/24│ │
44357 ++# │ │fd00::1/24 │ │ ││ │ │ │ │SNAT:192.168.1.0/24│ │ │ │ │ │fd00::2/24 │ │
44358 ++# │ └────────────────┘ └────────────────┘│ │ └────────────────┘ └───────────────────┘ │ │ └────────────────┘ └────────────────┘ │
44359 ++# └────────────────────────────────────────┘ └────────────────────────────────────────────────┘ └────────────────────────────────────────┘
44360 ++
44361 ++ip1 link add dev wg0 type wireguard
44362 ++ip2 link add dev wg0 type wireguard
44363 ++configure_peers
44364 ++
44365 ++ip0 link add vethrc type veth peer name vethc
44366 ++ip0 link add vethrs type veth peer name veths
44367 ++ip0 link set vethc netns $netns1
44368 ++ip0 link set veths netns $netns2
44369 ++ip0 link set vethrc up
44370 ++ip0 link set vethrs up
44371 ++ip0 addr add 192.168.1.1/24 dev vethrc
44372 ++ip0 addr add 10.0.0.1/24 dev vethrs
44373 ++ip1 addr add 192.168.1.100/24 dev vethc
44374 ++ip1 link set vethc up
44375 ++ip1 route add default via 192.168.1.1
44376 ++ip2 addr add 10.0.0.100/24 dev veths
44377 ++ip2 link set veths up
44378 ++waitiface $netns0 vethrc
44379 ++waitiface $netns0 vethrs
44380 ++waitiface $netns1 vethc
44381 ++waitiface $netns2 veths
44382 ++
44383 ++n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
44384 ++n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
44385 ++n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
44386 ++n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
44387 ++
44388 ++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
44389 ++n1 ping -W 1 -c 1 192.168.241.2
44390 ++n2 ping -W 1 -c 1 192.168.241.1
44391 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
44392 ++# Demonstrate n2 can still send packets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to see entries: `n0 conntrack -L`).
44393 ++pp sleep 3
44394 ++n2 ping -W 1 -c 1 192.168.241.1
44395 ++n1 wg set wg0 peer "$pub2" persistent-keepalive 0
44396 ++
44397 ++# Test that sk_bound_dev_if works
44398 ++n1 ping -I wg0 -c 1 -W 1 192.168.241.2
44399 ++# What about when the mark changes and the packet must be rerouted?
44400 ++n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
44401 ++n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
44402 ++n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
44403 ++n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
44404 ++
44405 ++# Test that onion routing works, even when it loops
44406 ++n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
44407 ++ip1 addr add 192.168.242.1/24 dev wg0
44408 ++ip2 link add wg1 type wireguard
44409 ++ip2 addr add 192.168.242.2/24 dev wg1
44410 ++n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
44411 ++ip2 link set wg1 up
44412 ++n1 ping -W 1 -c 1 192.168.242.2
44413 ++ip2 link del wg1
44414 ++n1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5
44415 ++! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
44416 ++n1 wg set wg0 peer "$pub3" remove
44417 ++ip1 addr del 192.168.242.1/24 dev wg0
44418 ++
44419 ++# Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address to tease out bugs.
44420 ++ip1 -6 addr add fc00::9/96 dev vethc
44421 ++ip1 -6 route add default via fc00::1
44422 ++ip2 -4 addr add 192.168.99.7/32 dev wg0
44423 ++ip2 -6 addr add abab::1111/128 dev wg0
44424 ++n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
44425 ++ip1 -6 route add default dev wg0 table 51820
44426 ++ip1 -6 rule add not fwmark 51820 table 51820
44427 ++ip1 -6 rule add table main suppress_prefixlength 0
44428 ++ip1 -4 route add default dev wg0 table 51820
44429 ++ip1 -4 rule add not fwmark 51820 table 51820
44430 ++ip1 -4 rule add table main suppress_prefixlength 0
44431 ++# Flood the pings instead of sending just one, to trigger routing table reference counting bugs.
44432 ++n1 ping -W 1 -c 100 -f 192.168.99.7
44433 ++n1 ping -W 1 -c 100 -f abab::1111
44434 ++
44435 ++# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
44436 ++n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
44437 ++n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
44438 ++n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
44439 ++ip0 -4 route add 192.168.241.1 via 10.0.0.100
44440 ++n2 wg set wg0 peer "$pub1" remove
44441 ++[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
44442 ++
44443 ++n0 iptables -t nat -F
44444 ++n0 iptables -t filter -F
44445 ++n2 iptables -t nat -F
44446 ++ip0 link del vethrc
44447 ++ip0 link del vethrs
44448 ++ip1 link del wg0
44449 ++ip2 link del wg0
44450 ++
44451 ++# Test that saddr routing is sticky but not too sticky, changing to this topology:
44452 ++# ┌────────────────────────────────────────┐ ┌────────────────────────────────────────┐
44453 ++# │ $ns1 namespace │ │ $ns2 namespace │
44454 ++# │ │ │ │
44455 ++# │ ┌─────┐ ┌─────┐ │ │ ┌─────┐ ┌─────┐ │
44456 ++# │ │ wg0 │─────────────│veth1│───────────┼────┼──│veth2│────────────│ wg0 │ │
44457 ++# │ ├─────┴──────────┐ ├─────┴──────────┐│ │ ├─────┴──────────┐ ├─────┴──────────┐ │
44458 ++# │ │192.168.241.1/24│ │10.0.0.1/24 ││ │ │10.0.0.2/24 │ │192.168.241.2/24│ │
44459 ++# │ │fd00::1/24 │ │fd00:aa::1/96 ││ │ │fd00:aa::2/96 │ │fd00::2/24 │ │
44460 ++# │ └────────────────┘ └────────────────┘│ │ └────────────────┘ └────────────────┘ │
44461 ++# └────────────────────────────────────────┘ └────────────────────────────────────────┘
44462 ++
44463 ++ip1 link add dev wg0 type wireguard
44464 ++ip2 link add dev wg0 type wireguard
44465 ++configure_peers
44466 ++ip1 link add veth1 type veth peer name veth2
44467 ++ip1 link set veth2 netns $netns2
44468 ++n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
44469 ++n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
44470 ++n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
44471 ++n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
44472 ++n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
44473 ++
44474 ++# First we check that we aren't overly sticky and can fall over to new IPs when old ones are removed
44475 ++ip1 addr add 10.0.0.1/24 dev veth1
44476 ++ip1 addr add fd00:aa::1/96 dev veth1
44477 ++ip2 addr add 10.0.0.2/24 dev veth2
44478 ++ip2 addr add fd00:aa::2/96 dev veth2
44479 ++ip1 link set veth1 up
44480 ++ip2 link set veth2 up
44481 ++waitiface $netns1 veth1
44482 ++waitiface $netns2 veth2
44483 ++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
44484 ++n1 ping -W 1 -c 1 192.168.241.2
44485 ++ip1 addr add 10.0.0.10/24 dev veth1
44486 ++ip1 addr del 10.0.0.1/24 dev veth1
44487 ++n1 ping -W 1 -c 1 192.168.241.2
44488 ++n1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
44489 ++n1 ping -W 1 -c 1 192.168.241.2
44490 ++ip1 addr add fd00:aa::10/96 dev veth1
44491 ++ip1 addr del fd00:aa::1/96 dev veth1
44492 ++n1 ping -W 1 -c 1 192.168.241.2
44493 ++
44494 ++# Now we show that we can successfully do reply to sender routing
44495 ++ip1 link set veth1 down
44496 ++ip2 link set veth2 down
44497 ++ip1 addr flush dev veth1
44498 ++ip2 addr flush dev veth2
44499 ++ip1 addr add 10.0.0.1/24 dev veth1
44500 ++ip1 addr add 10.0.0.2/24 dev veth1
44501 ++ip1 addr add fd00:aa::1/96 dev veth1
44502 ++ip1 addr add fd00:aa::2/96 dev veth1
44503 ++ip2 addr add 10.0.0.3/24 dev veth2
44504 ++ip2 addr add fd00:aa::3/96 dev veth2
44505 ++ip1 link set veth1 up
44506 ++ip2 link set veth2 up
44507 ++waitiface $netns1 veth1
44508 ++waitiface $netns2 veth2
44509 ++n2 wg set wg0 peer "$pub1" endpoint 10.0.0.1:1
44510 ++n2 ping -W 1 -c 1 192.168.241.1
44511 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
44512 ++n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
44513 ++n2 ping -W 1 -c 1 192.168.241.1
44514 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 [fd00:aa::1]:1" ]]
44515 ++n2 wg set wg0 peer "$pub1" endpoint 10.0.0.2:1
44516 ++n2 ping -W 1 -c 1 192.168.241.1
44517 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.2:1" ]]
44518 ++n2 wg set wg0 peer "$pub1" endpoint [fd00:aa::2]:1
44519 ++n2 ping -W 1 -c 1 192.168.241.1
44520 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 [fd00:aa::2]:1" ]]
44521 ++
44522 ++# What happens if the inbound destination address belongs to a different interface as the default route?
44523 ++ip1 link add dummy0 type dummy
44524 ++ip1 addr add 10.50.0.1/24 dev dummy0
44525 ++ip1 link set dummy0 up
44526 ++ip2 route add 10.50.0.0/24 dev veth2
44527 ++n2 wg set wg0 peer "$pub1" endpoint 10.50.0.1:1
44528 ++n2 ping -W 1 -c 1 192.168.241.1
44529 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 10.50.0.1:1" ]]
44530 ++
44531 ++ip1 link del dummy0
44532 ++ip1 addr flush dev veth1
44533 ++ip2 addr flush dev veth2
44534 ++ip1 route flush dev veth1
44535 ++ip2 route flush dev veth2
44536 ++
44537 ++# Now we see what happens if another interface route takes precedence over an ongoing one
44538 ++ip1 link add veth3 type veth peer name veth4
44539 ++ip1 link set veth4 netns $netns2
44540 ++ip1 addr add 10.0.0.1/24 dev veth1
44541 ++ip2 addr add 10.0.0.2/24 dev veth2
44542 ++ip1 addr add 10.0.0.3/24 dev veth3
44543 ++ip1 link set veth1 up
44544 ++ip2 link set veth2 up
44545 ++ip1 link set veth3 up
44546 ++ip2 link set veth4 up
44547 ++waitiface $netns1 veth1
44548 ++waitiface $netns2 veth2
44549 ++waitiface $netns1 veth3
44550 ++waitiface $netns2 veth4
44551 ++ip1 route flush dev veth1
44552 ++ip1 route flush dev veth3
44553 ++ip1 route add 10.0.0.0/24 dev veth1 src 10.0.0.1 metric 2
44554 ++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
44555 ++n1 ping -W 1 -c 1 192.168.241.2
44556 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.1:1" ]]
44557 ++ip1 route add 10.0.0.0/24 dev veth3 src 10.0.0.3 metric 1
44558 ++n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
44559 ++n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
44560 ++n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
44561 ++n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
44562 ++n1 ping -W 1 -c 1 192.168.241.2
44563 ++[[ $(n2 wg show wg0 endpoints) == "$pub1 10.0.0.3:1" ]]
44564 ++
44565 ++ip1 link del veth1
44566 ++ip1 link del veth3
44567 ++ip1 link del wg0
44568 ++ip2 link del wg0
44569 ++
44570 ++# We test that Netlink/IPC is working properly by doing things that usually cause split responses
44571 ++ip0 link add dev wg0 type wireguard
44572 ++config=( "[Interface]" "PrivateKey=$(wg genkey)" "[Peer]" "PublicKey=$(wg genkey)" )
44573 ++for a in {1..255}; do
44574 ++ for b in {0..255}; do
44575 ++ config+=( "AllowedIPs=$a.$b.0.0/16,$a::$b/128" )
44576 ++ done
44577 ++done
44578 ++n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
44579 ++i=0
44580 ++for ip in $(n0 wg show wg0 allowed-ips); do
44581 ++ ((++i))
44582 ++done
44583 ++((i == 255*256*2+1))
44584 ++ip0 link del wg0
44585 ++ip0 link add dev wg0 type wireguard
44586 ++config=( "[Interface]" "PrivateKey=$(wg genkey)" )
44587 ++for a in {1..40}; do
44588 ++ config+=( "[Peer]" "PublicKey=$(wg genkey)" )
44589 ++ for b in {1..52}; do
44590 ++ config+=( "AllowedIPs=$a.$b.0.0/16" )
44591 ++ done
44592 ++done
44593 ++n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
44594 ++i=0
44595 ++while read -r line; do
44596 ++ j=0
44597 ++ for ip in $line; do
44598 ++ ((++j))
44599 ++ done
44600 ++ ((j == 53))
44601 ++ ((++i))
44602 ++done < <(n0 wg show wg0 allowed-ips)
44603 ++((i == 40))
44604 ++ip0 link del wg0
44605 ++ip0 link add wg0 type wireguard
44606 ++config=( )
44607 ++for i in {1..29}; do
44608 ++ config+=( "[Peer]" "PublicKey=$(wg genkey)" )
44609 ++done
44610 ++config+=( "[Peer]" "PublicKey=$(wg genkey)" "AllowedIPs=255.2.3.4/32,abcd::255/128" )
44611 ++n0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
44612 ++n0 wg showconf wg0 > /dev/null
44613 ++ip0 link del wg0
44614 ++
44615 ++allowedips=( )
44616 ++for i in {1..197}; do
44617 ++ allowedips+=( abcd::$i )
44618 ++done
44619 ++saved_ifs="$IFS"
44620 ++IFS=,
44621 ++allowedips="${allowedips[*]}"
44622 ++IFS="$saved_ifs"
44623 ++ip0 link add wg0 type wireguard
44624 ++n0 wg set wg0 peer "$pub1"
44625 ++n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
44626 ++{
44627 ++ read -r pub allowedips
44628 ++ [[ $pub == "$pub1" && $allowedips == "(none)" ]]
44629 ++ read -r pub allowedips
44630 ++ [[ $pub == "$pub2" ]]
44631 ++ i=0
44632 ++ for _ in $allowedips; do
44633 ++ ((++i))
44634 ++ done
44635 ++ ((i == 197))
44636 ++} < <(n0 wg show wg0 allowed-ips)
44637 ++ip0 link del wg0
44638 ++
44639 ++! n0 wg show doesnotexist || false
44640 ++
44641 ++ip0 link add wg0 type wireguard
44642 ++n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
44643 ++[[ $(n0 wg show wg0 private-key) == "$key1" ]]
44644 ++[[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
44645 ++n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
44646 ++[[ $(n0 wg show wg0 private-key) == "(none)" ]]
44647 ++[[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
44648 ++n0 wg set wg0 peer "$pub2"
44649 ++n0 wg set wg0 private-key <(echo "$key2")
44650 ++[[ $(n0 wg show wg0 public-key) == "$pub2" ]]
44651 ++[[ -z $(n0 wg show wg0 peers) ]]
44652 ++n0 wg set wg0 peer "$pub2"
44653 ++[[ -z $(n0 wg show wg0 peers) ]]
44654 ++n0 wg set wg0 private-key <(echo "$key1")
44655 ++n0 wg set wg0 peer "$pub2"
44656 ++[[ $(n0 wg show wg0 peers) == "$pub2" ]]
44657 ++n0 wg set wg0 private-key <(echo "/${key1:1}")
44658 ++[[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
44659 ++n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/16
44660 ++n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
44661 ++n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
44662 ++n0 wg set wg0 peer "$pub2" allowed-ips ::/0
44663 ++n0 wg set wg0 peer "$pub2" remove
44664 ++for low_order_point in AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 4Ot6fDtBuK4WVuP68Z/EatoJjeucMrH9hmIFFl9JuAA= X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEVc= 7P///////////////////////////////////////38= 7f///////////////////////////////////////38= 7v///////////////////////////////////////38=; do
44665 ++ n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
44666 ++done
44667 ++[[ -n $(n0 wg show wg0 peers) ]]
44668 ++exec 4< <(n0 ncat -l -u -p 1111)
44669 ++ncat_pid=$!
44670 ++waitncatudp $netns0 $ncat_pid
44671 ++ip0 link set wg0 up
44672 ++! read -r -n 1 -t 2 <&4 || false
44673 ++kill $ncat_pid
44674 ++ip0 link del wg0
44675 ++
44676 ++# Ensure there aren't circular reference loops
44677 ++ip1 link add wg1 type wireguard
44678 ++ip2 link add wg2 type wireguard
44679 ++ip1 link set wg1 netns $netns2
44680 ++ip2 link set wg2 netns $netns1
44681 ++pp ip netns delete $netns1
44682 ++pp ip netns delete $netns2
44683 ++pp ip netns add $netns1
44684 ++pp ip netns add $netns2
44685 ++
44686 ++sleep 2 # Wait for cleanup and grace periods
44687 ++declare -A objects
44688 ++while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
44689 ++ [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
44690 ++ objects["${BASH_REMATCH[1]}"]+="${BASH_REMATCH[2]}"
44691 ++done < /dev/kmsg
44692 ++alldeleted=1
44693 ++for object in "${!objects[@]}"; do
44694 ++ if [[ ${objects["$object"]} != *createddestroyed ]]; then
44695 ++ echo "Error: $object: merely ${objects["$object"]}" >&3
44696 ++ alldeleted=0
44697 ++ fi
44698 ++done
44699 ++[[ $alldeleted -eq 1 ]]
44700 ++pretty "" "Objects that were created were also destroyed."
44701 +--- /dev/null
44702 ++++ b/tools/testing/selftests/wireguard/qemu/.gitignore
44703 +@@ -0,0 +1,2 @@
44704 ++build/
44705 ++distfiles/
44706 +--- b/tools/testing/selftests/wireguard/qemu/Makefile
44707 ++++ b/tools/testing/selftests/wireguard/qemu/Makefile
44708 +@@ -0,0 +1,377 @@
44709 ++# SPDX-License-Identifier: GPL-2.0
44710 ++#
44711 ++# Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
44712 ++
44713 ++PWD := $(shell pwd)
44714 ++
44715 ++CHOST := $(shell gcc -dumpmachine)
44716 ++HOST_ARCH := $(firstword $(subst -, ,$(CHOST)))
44717 ++ifneq (,$(ARCH))
44718 ++CBUILD := $(subst -gcc,,$(lastword $(subst /, ,$(firstword $(wildcard $(foreach bindir,$(subst :, ,$(PATH)),$(bindir)/$(ARCH)-*-gcc))))))
44719 ++ifeq (,$(CBUILD))
44720 ++$(error The toolchain for $(ARCH) is not installed)
44721 ++endif
44722 ++else
44723 ++CBUILD := $(CHOST)
44724 ++ARCH := $(firstword $(subst -, ,$(CBUILD)))
44725 ++endif
44726 ++
44727 ++# Set these from the environment to override
44728 ++KERNEL_PATH ?= $(PWD)/../../../../..
44729 ++BUILD_PATH ?= $(PWD)/build/$(ARCH)
44730 ++DISTFILES_PATH ?= $(PWD)/distfiles
44731 ++NR_CPUS ?= 4
44732 ++
44733 ++MIRROR := https://download.wireguard.com/qemu-test/distfiles/
44734 ++
44735 ++default: qemu
44736 ++
44737 ++# variable name, tarball project name, version, tarball extension, default URI base
44738 ++define tar_download =
44739 ++$(1)_VERSION := $(3)
44740 ++$(1)_NAME := $(2)-$$($(1)_VERSION)
44741 ++$(1)_TAR := $(DISTFILES_PATH)/$$($(1)_NAME)$(4)
44742 ++$(1)_PATH := $(BUILD_PATH)/$$($(1)_NAME)
44743 ++$(call file_download,$$($(1)_NAME)$(4),$(5),$(6))
44744 ++endef
44745 ++
44746 ++define file_download =
44747 ++$(DISTFILES_PATH)/$(1):
44748 ++ mkdir -p $(DISTFILES_PATH)
44749 ++ flock -x $$@.lock -c '[ -f $$@ ] && exit 0; wget -O $$@.tmp $(MIRROR)$(1) || wget -O $$@.tmp $(2)$(1) || rm -f $$@.tmp; [ -f $$@.tmp ] || exit 1; if echo "$(3) $$@.tmp" | sha256sum -c -; then mv $$@.tmp $$@; else rm -f $$@.tmp; exit 71; fi'
44750 ++endef
44751 ++
44752 ++$(eval $(call tar_download,MUSL,musl,1.1.24,.tar.gz,https://www.musl-libc.org/releases/,1370c9a812b2cf2a7d92802510cca0058cc37e66a7bedd70051f0a34015022a3))
44753 ++$(eval $(call tar_download,IPERF,iperf,3.7,.tar.gz,https://downloads.es.net/pub/iperf/,d846040224317caf2f75c843d309a950a7db23f9b44b94688ccbe557d6d1710c))
44754 ++$(eval $(call tar_download,BASH,bash,5.0,.tar.gz,https://ftp.gnu.org/gnu/bash/,b4a80f2ac66170b2913efbfb9f2594f1f76c7b1afd11f799e22035d63077fb4d))
44755 ++$(eval $(call tar_download,IPROUTE2,iproute2,5.6.0,.tar.xz,https://www.kernel.org/pub/linux/utils/net/iproute2/,1b5b0e25ce6e23da7526ea1da044e814ad85ba761b10dd29c2b027c056b04692))
44756 ++$(eval $(call tar_download,IPTABLES,iptables,1.8.4,.tar.bz2,https://www.netfilter.org/projects/iptables/files/,993a3a5490a544c2cbf2ef15cf7e7ed21af1845baf228318d5c36ef8827e157c))
44757 ++$(eval $(call tar_download,NMAP,nmap,7.80,.tar.bz2,https://nmap.org/dist/,fcfa5a0e42099e12e4bf7a68ebe6fde05553383a682e816a7ec9256ab4773faa))
44758 ++$(eval $(call tar_download,IPUTILS,iputils,s20190709,.tar.gz,https://github.com/iputils/iputils/archive/s20190709.tar.gz/#,a15720dd741d7538dd2645f9f516d193636ae4300ff7dbc8bfca757bf166490a))
44759 ++$(eval $(call tar_download,WIREGUARD_TOOLS,wireguard-tools,1.0.20200206,.tar.xz,https://git.zx2c4.com/wireguard-tools/snapshot/,f5207248c6a3c3e3bfc9ab30b91c1897b00802ed861e1f9faaed873366078c64))
44760 ++
44761 ++KERNEL_BUILD_PATH := $(BUILD_PATH)/kernel$(if $(findstring yes,$(DEBUG_KERNEL)),-debug)
44762 ++rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
44763 ++WIREGUARD_SOURCES := $(call rwildcard,$(KERNEL_PATH)/drivers/net/wireguard/,*)
44764 ++
44765 ++export CFLAGS ?= -O3 -pipe
44766 ++export LDFLAGS ?=
44767 ++export CPPFLAGS := -I$(BUILD_PATH)/include
44768 ++
44769 ++ifeq ($(HOST_ARCH),$(ARCH))
44770 ++CROSS_COMPILE_FLAG := --host=$(CHOST)
44771 ++CFLAGS += -march=native
44772 ++STRIP := strip
44773 ++else
44774 ++$(info Cross compilation: building for $(CBUILD) using $(CHOST))
44775 ++CROSS_COMPILE_FLAG := --build=$(CBUILD) --host=$(CHOST)
44776 ++export CROSS_COMPILE=$(CBUILD)-
44777 ++STRIP := $(CBUILD)-strip
44778 ++endif
44779 ++ifeq ($(ARCH),aarch64)
44780 ++QEMU_ARCH := aarch64
44781 ++KERNEL_ARCH := arm64
44782 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm64/boot/Image
44783 ++ifeq ($(HOST_ARCH),$(ARCH))
44784 ++QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44785 ++else
44786 ++QEMU_MACHINE := -cpu cortex-a53 -machine virt
44787 ++CFLAGS += -march=armv8-a -mtune=cortex-a53
44788 ++endif
44789 ++else ifeq ($(ARCH),aarch64_be)
44790 ++QEMU_ARCH := aarch64
44791 ++KERNEL_ARCH := arm64
44792 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm64/boot/Image
44793 ++ifeq ($(HOST_ARCH),$(ARCH))
44794 ++QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44795 ++else
44796 ++QEMU_MACHINE := -cpu cortex-a53 -machine virt
44797 ++CFLAGS += -march=armv8-a -mtune=cortex-a53
44798 ++endif
44799 ++else ifeq ($(ARCH),arm)
44800 ++QEMU_ARCH := arm
44801 ++KERNEL_ARCH := arm
44802 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm/boot/zImage
44803 ++ifeq ($(HOST_ARCH),$(ARCH))
44804 ++QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44805 ++else
44806 ++QEMU_MACHINE := -cpu cortex-a15 -machine virt
44807 ++CFLAGS += -march=armv7-a -mtune=cortex-a15 -mabi=aapcs-linux
44808 ++endif
44809 ++else ifeq ($(ARCH),armeb)
44810 ++QEMU_ARCH := arm
44811 ++KERNEL_ARCH := arm
44812 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/arm/boot/zImage
44813 ++ifeq ($(HOST_ARCH),$(ARCH))
44814 ++QEMU_MACHINE := -cpu host -machine virt,gic_version=host,accel=kvm
44815 ++else
44816 ++QEMU_MACHINE := -cpu cortex-a15 -machine virt
44817 ++CFLAGS += -march=armv7-a -mabi=aapcs-linux # We don't pass -mtune=cortex-a15 due to a compiler bug on big endian.
44818 ++LDFLAGS += -Wl,--be8
44819 ++endif
44820 ++else ifeq ($(ARCH),x86_64)
44821 ++QEMU_ARCH := x86_64
44822 ++KERNEL_ARCH := x86_64
44823 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/x86/boot/bzImage
44824 ++ifeq ($(HOST_ARCH),$(ARCH))
44825 ++QEMU_MACHINE := -cpu host -machine q35,accel=kvm
44826 ++else
44827 ++QEMU_MACHINE := -cpu Skylake-Server -machine q35
44828 ++CFLAGS += -march=skylake-avx512
44829 ++endif
44830 ++else ifeq ($(ARCH),i686)
44831 ++QEMU_ARCH := i386
44832 ++KERNEL_ARCH := x86
44833 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/x86/boot/bzImage
44834 ++ifeq ($(subst x86_64,i686,$(HOST_ARCH)),$(ARCH))
44835 ++QEMU_MACHINE := -cpu host -machine q35,accel=kvm
44836 ++else
44837 ++QEMU_MACHINE := -cpu coreduo -machine q35
44838 ++CFLAGS += -march=prescott
44839 ++endif
44840 ++else ifeq ($(ARCH),mips64)
44841 ++QEMU_ARCH := mips64
44842 ++KERNEL_ARCH := mips
44843 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44844 ++ifeq ($(HOST_ARCH),$(ARCH))
44845 ++QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44846 ++CFLAGS += -EB
44847 ++else
44848 ++QEMU_MACHINE := -cpu MIPS64R2-generic -machine malta -smp 1
44849 ++CFLAGS += -march=mips64r2 -EB
44850 ++endif
44851 ++else ifeq ($(ARCH),mips64el)
44852 ++QEMU_ARCH := mips64el
44853 ++KERNEL_ARCH := mips
44854 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44855 ++ifeq ($(HOST_ARCH),$(ARCH))
44856 ++QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44857 ++CFLAGS += -EL
44858 ++else
44859 ++QEMU_MACHINE := -cpu MIPS64R2-generic -machine malta -smp 1
44860 ++CFLAGS += -march=mips64r2 -EL
44861 ++endif
44862 ++else ifeq ($(ARCH),mips)
44863 ++QEMU_ARCH := mips
44864 ++KERNEL_ARCH := mips
44865 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44866 ++ifeq ($(HOST_ARCH),$(ARCH))
44867 ++QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44868 ++CFLAGS += -EB
44869 ++else
44870 ++QEMU_MACHINE := -cpu 24Kf -machine malta -smp 1
44871 ++CFLAGS += -march=mips32r2 -EB
44872 ++endif
44873 ++else ifeq ($(ARCH),mipsel)
44874 ++QEMU_ARCH := mipsel
44875 ++KERNEL_ARCH := mips
44876 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44877 ++ifeq ($(HOST_ARCH),$(ARCH))
44878 ++QEMU_MACHINE := -cpu host -machine malta,accel=kvm
44879 ++CFLAGS += -EL
44880 ++else
44881 ++QEMU_MACHINE := -cpu 24Kf -machine malta -smp 1
44882 ++CFLAGS += -march=mips32r2 -EL
44883 ++endif
44884 ++else ifeq ($(ARCH),powerpc64le)
44885 ++QEMU_ARCH := ppc64
44886 ++KERNEL_ARCH := powerpc
44887 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44888 ++ifeq ($(HOST_ARCH),$(ARCH))
44889 ++QEMU_MACHINE := -cpu host,accel=kvm -machine pseries
44890 ++else
44891 ++QEMU_MACHINE := -machine pseries
44892 ++endif
44893 ++CFLAGS += -mcpu=powerpc64le -mlong-double-64
44894 ++else ifeq ($(ARCH),powerpc)
44895 ++QEMU_ARCH := ppc
44896 ++KERNEL_ARCH := powerpc
44897 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/arch/powerpc/boot/uImage
44898 ++ifeq ($(HOST_ARCH),$(ARCH))
44899 ++QEMU_MACHINE := -cpu host,accel=kvm -machine ppce500
44900 ++else
44901 ++QEMU_MACHINE := -machine ppce500
44902 ++endif
44903 ++CFLAGS += -mcpu=powerpc -mlong-double-64 -msecure-plt
44904 ++else ifeq ($(ARCH),m68k)
44905 ++QEMU_ARCH := m68k
44906 ++KERNEL_ARCH := m68k
44907 ++KERNEL_BZIMAGE := $(KERNEL_BUILD_PATH)/vmlinux
44908 ++KERNEL_CMDLINE := $(shell sed -n 's/CONFIG_CMDLINE=\(.*\)/\1/p' arch/m68k.config)
44909 ++ifeq ($(HOST_ARCH),$(ARCH))
44910 ++QEMU_MACHINE := -cpu host,accel=kvm -machine q800 -smp 1 -append $(KERNEL_CMDLINE)
44911 ++else
44912 ++QEMU_MACHINE := -machine q800 -smp 1 -append $(KERNEL_CMDLINE)
44913 ++endif
44914 ++else
44915 ++$(error I only build: x86_64, i686, arm, armeb, aarch64, aarch64_be, mips, mipsel, mips64, mips64el, powerpc64le, powerpc, m68k)
44916 ++endif
44917 ++
44918 ++REAL_CC := $(CBUILD)-gcc
44919 ++MUSL_CC := $(BUILD_PATH)/musl-gcc
44920 ++export CC := $(MUSL_CC)
44921 ++USERSPACE_DEPS := $(MUSL_CC) $(BUILD_PATH)/include/.installed $(BUILD_PATH)/include/linux/.installed
44922 ++
44923 ++build: $(KERNEL_BZIMAGE)
44924 ++qemu: $(KERNEL_BZIMAGE)
44925 ++ rm -f $(BUILD_PATH)/result
44926 ++ timeout --foreground 20m qemu-system-$(QEMU_ARCH) \
44927 ++ -nodefaults \
44928 ++ -nographic \
44929 ++ -smp $(NR_CPUS) \
44930 ++ $(QEMU_MACHINE) \
44931 ++ -m $$(grep -q CONFIG_DEBUG_KMEMLEAK=y $(KERNEL_BUILD_PATH)/.config && echo 1G || echo 256M) \
44932 ++ -serial stdio \
44933 ++ -serial file:$(BUILD_PATH)/result \
44934 ++ -no-reboot \
44935 ++ -monitor none \
44936 ++ -kernel $<
44937 ++ grep -Fq success $(BUILD_PATH)/result
44938 ++
44939 ++$(BUILD_PATH)/init-cpio-spec.txt:
44940 ++ mkdir -p $(BUILD_PATH)
44941 ++ echo "file /init $(BUILD_PATH)/init 755 0 0" > $@
44942 ++ echo "file /init.sh $(PWD)/../netns.sh 755 0 0" >> $@
44943 ++ echo "dir /dev 755 0 0" >> $@
44944 ++ echo "nod /dev/console 644 0 0 c 5 1" >> $@
44945 ++ echo "dir /bin 755 0 0" >> $@
44946 ++ echo "file /bin/iperf3 $(IPERF_PATH)/src/iperf3 755 0 0" >> $@
44947 ++ echo "file /bin/wg $(WIREGUARD_TOOLS_PATH)/src/wg 755 0 0" >> $@
44948 ++ echo "file /bin/bash $(BASH_PATH)/bash 755 0 0" >> $@
44949 ++ echo "file /bin/ip $(IPROUTE2_PATH)/ip/ip 755 0 0" >> $@
44950 ++ echo "file /bin/ss $(IPROUTE2_PATH)/misc/ss 755 0 0" >> $@
44951 ++ echo "file /bin/ping $(IPUTILS_PATH)/ping 755 0 0" >> $@
44952 ++ echo "file /bin/ncat $(NMAP_PATH)/ncat/ncat 755 0 0" >> $@
44953 ++ echo "file /bin/xtables-legacy-multi $(IPTABLES_PATH)/iptables/xtables-legacy-multi 755 0 0" >> $@
44954 ++ echo "slink /bin/iptables xtables-legacy-multi 777 0 0" >> $@
44955 ++ echo "slink /bin/ping6 ping 777 0 0" >> $@
44956 ++ echo "dir /lib 755 0 0" >> $@
44957 ++ echo "file /lib/libc.so $(MUSL_PATH)/lib/libc.so 755 0 0" >> $@
44958 ++ echo "slink /lib/ld-linux.so.1 libc.so 777 0 0" >> $@
44959 ++
44960 ++$(KERNEL_BUILD_PATH)/.config: kernel.config arch/$(ARCH).config
44961 ++ mkdir -p $(KERNEL_BUILD_PATH)
44962 ++ cp kernel.config $(KERNEL_BUILD_PATH)/minimal.config
44963 ++ printf 'CONFIG_NR_CPUS=$(NR_CPUS)\nCONFIG_INITRAMFS_SOURCE="$(BUILD_PATH)/init-cpio-spec.txt"\n' >> $(KERNEL_BUILD_PATH)/minimal.config
44964 ++ cat arch/$(ARCH).config >> $(KERNEL_BUILD_PATH)/minimal.config
44965 ++ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) allnoconfig
44966 ++ cd $(KERNEL_BUILD_PATH) && ARCH=$(KERNEL_ARCH) $(KERNEL_PATH)/scripts/kconfig/merge_config.sh -n $(KERNEL_BUILD_PATH)/.config $(KERNEL_BUILD_PATH)/minimal.config
44967 ++ $(if $(findstring yes,$(DEBUG_KERNEL)),cp debug.config $(KERNEL_BUILD_PATH) && cd $(KERNEL_BUILD_PATH) && ARCH=$(KERNEL_ARCH) $(KERNEL_PATH)/scripts/kconfig/merge_config.sh -n $(KERNEL_BUILD_PATH)/.config debug.config,)
44968 ++
44969 ++$(KERNEL_BZIMAGE): $(KERNEL_BUILD_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(MUSL_PATH)/lib/libc.so $(IPERF_PATH)/src/iperf3 $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/misc/ss $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-legacy-multi $(NMAP_PATH)/ncat/ncat $(WIREGUARD_TOOLS_PATH)/src/wg $(BUILD_PATH)/init ../netns.sh $(WIREGUARD_SOURCES)
44970 ++ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE)
44971 ++
44972 ++$(BUILD_PATH)/include/linux/.installed: | $(KERNEL_BUILD_PATH)/.config
44973 ++ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) INSTALL_HDR_PATH=$(BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE) headers_install
44974 ++ touch $@
44975 ++
44976 ++$(MUSL_PATH)/lib/libc.so: $(MUSL_TAR)
44977 ++ mkdir -p $(BUILD_PATH)
44978 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44979 ++ cd $(MUSL_PATH) && CC=$(REAL_CC) ./configure --prefix=/ --disable-static --build=$(CBUILD)
44980 ++ $(MAKE) -C $(MUSL_PATH)
44981 ++ $(STRIP) -s $@
44982 ++
44983 ++$(BUILD_PATH)/include/.installed: $(MUSL_PATH)/lib/libc.so
44984 ++ $(MAKE) -C $(MUSL_PATH) DESTDIR=$(BUILD_PATH) install-headers
44985 ++ touch $@
44986 ++
44987 ++$(MUSL_CC): $(MUSL_PATH)/lib/libc.so
44988 ++ sh $(MUSL_PATH)/tools/musl-gcc.specs.sh $(BUILD_PATH)/include $(MUSL_PATH)/lib /lib/ld-linux.so.1 > $(BUILD_PATH)/musl-gcc.specs
44989 ++ printf '#!/bin/sh\nexec "$(REAL_CC)" --specs="$(BUILD_PATH)/musl-gcc.specs" "$$@"\n' > $(BUILD_PATH)/musl-gcc
44990 ++ chmod +x $(BUILD_PATH)/musl-gcc
44991 ++
44992 ++$(IPERF_PATH)/.installed: $(IPERF_TAR)
44993 ++ mkdir -p $(BUILD_PATH)
44994 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
44995 ++ sed -i '1s/^/#include <stdint.h>/' $(IPERF_PATH)/src/cjson.h $(IPERF_PATH)/src/timer.h
44996 ++ sed -i -r 's/-p?g//g' $(IPERF_PATH)/src/Makefile*
44997 ++ touch $@
44998 ++
44999 ++$(IPERF_PATH)/src/iperf3: | $(IPERF_PATH)/.installed $(USERSPACE_DEPS)
45000 ++ cd $(IPERF_PATH) && CFLAGS="$(CFLAGS) -D_GNU_SOURCE" ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --with-openssl=no
45001 ++ $(MAKE) -C $(IPERF_PATH)
45002 ++ $(STRIP) -s $@
45003 ++
45004 ++$(WIREGUARD_TOOLS_PATH)/.installed: $(WIREGUARD_TOOLS_TAR)
45005 ++ mkdir -p $(BUILD_PATH)
45006 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
45007 ++ touch $@
45008 ++
45009 ++$(WIREGUARD_TOOLS_PATH)/src/wg: | $(WIREGUARD_TOOLS_PATH)/.installed $(USERSPACE_DEPS)
45010 ++ $(MAKE) -C $(WIREGUARD_TOOLS_PATH)/src wg
45011 ++ $(STRIP) -s $@
45012 ++
45013 ++$(BUILD_PATH)/init: init.c | $(USERSPACE_DEPS)
45014 ++ mkdir -p $(BUILD_PATH)
45015 ++ $(MUSL_CC) -o $@ $(CFLAGS) $(LDFLAGS) -std=gnu11 $<
45016 ++ $(STRIP) -s $@
45017 ++
45018 ++$(IPUTILS_PATH)/.installed: $(IPUTILS_TAR)
45019 ++ mkdir -p $(BUILD_PATH)
45020 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
45021 ++ touch $@
45022 ++
45023 ++$(IPUTILS_PATH)/ping: | $(IPUTILS_PATH)/.installed $(USERSPACE_DEPS)
45024 ++ sed -i /atexit/d $(IPUTILS_PATH)/ping.c
45025 ++ cd $(IPUTILS_PATH) && $(CC) $(CFLAGS) -std=c99 -o $@ ping.c ping_common.c ping6_common.c iputils_common.c -D_GNU_SOURCE -D'IPUTILS_VERSION(f)=f' -lresolv $(LDFLAGS)
45026 ++ $(STRIP) -s $@
45027 ++
45028 ++$(BASH_PATH)/.installed: $(BASH_TAR)
45029 ++ mkdir -p $(BUILD_PATH)
45030 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
45031 ++ touch $@
45032 ++
45033 ++$(BASH_PATH)/bash: | $(BASH_PATH)/.installed $(USERSPACE_DEPS)
45034 ++ cd $(BASH_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --without-bash-malloc --disable-debugger --disable-help-builtin --disable-history --disable-multibyte --disable-progcomp --disable-readline --disable-mem-scramble
45035 ++ $(MAKE) -C $(BASH_PATH)
45036 ++ $(STRIP) -s $@
45037 ++
45038 ++$(IPROUTE2_PATH)/.installed: $(IPROUTE2_TAR)
45039 ++ mkdir -p $(BUILD_PATH)
45040 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
45041 ++ printf 'CC:=$(CC)\nPKG_CONFIG:=pkg-config\nTC_CONFIG_XT:=n\nTC_CONFIG_ATM:=n\nTC_CONFIG_IPSET:=n\nIP_CONFIG_SETNS:=y\nHAVE_ELF:=n\nHAVE_MNL:=n\nHAVE_BERKELEY_DB:=n\nHAVE_LATEX:=n\nHAVE_PDFLATEX:=n\nCFLAGS+=-DHAVE_SETNS\n' > $(IPROUTE2_PATH)/config.mk
45042 ++ printf 'lib: snapshot\n\t$$(MAKE) -C lib\nip/ip: lib\n\t$$(MAKE) -C ip ip\nmisc/ss: lib\n\t$$(MAKE) -C misc ss\n' >> $(IPROUTE2_PATH)/Makefile
45043 ++ touch $@
45044 ++
45045 ++$(IPROUTE2_PATH)/ip/ip: | $(IPROUTE2_PATH)/.installed $(USERSPACE_DEPS)
45046 ++ $(MAKE) -C $(IPROUTE2_PATH) PREFIX=/ ip/ip
45047 ++ $(STRIP) -s $@
45048 ++
45049 ++$(IPROUTE2_PATH)/misc/ss: | $(IPROUTE2_PATH)/.installed $(USERSPACE_DEPS)
45050 ++ $(MAKE) -C $(IPROUTE2_PATH) PREFIX=/ misc/ss
45051 ++ $(STRIP) -s $@
45052 ++
45053 ++$(IPTABLES_PATH)/.installed: $(IPTABLES_TAR)
45054 ++ mkdir -p $(BUILD_PATH)
45055 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
45056 ++ sed -i -e "/nfnetlink=[01]/s:=[01]:=0:" -e "/nfconntrack=[01]/s:=[01]:=0:" $(IPTABLES_PATH)/configure
45057 ++ touch $@
45058 ++
45059 ++$(IPTABLES_PATH)/iptables/xtables-legacy-multi: | $(IPTABLES_PATH)/.installed $(USERSPACE_DEPS)
45060 ++ cd $(IPTABLES_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --disable-nftables --disable-bpf-compiler --disable-nfsynproxy --disable-libipq --disable-connlabel --with-kernel=$(BUILD_PATH)/include
45061 ++ $(MAKE) -C $(IPTABLES_PATH)
45062 ++ $(STRIP) -s $@
45063 ++
45064 ++$(NMAP_PATH)/.installed: $(NMAP_TAR)
45065 ++ mkdir -p $(BUILD_PATH)
45066 ++ flock -s $<.lock tar -C $(BUILD_PATH) -xf $<
45067 ++ touch $@
45068 ++
45069 ++$(NMAP_PATH)/ncat/ncat: | $(NMAP_PATH)/.installed $(USERSPACE_DEPS)
45070 ++ cd $(NMAP_PATH) && ./configure --prefix=/ $(CROSS_COMPILE_FLAG) --enable-static --disable-shared --without-ndiff --without-zenmap --without-nping --with-libpcap=included --with-libpcre=included --with-libdnet=included --without-liblua --with-liblinear=included --without-nmap-update --without-openssl --with-pcap=linux --without-libssh
45071 ++ $(MAKE) -C $(NMAP_PATH)/libpcap
45072 ++ $(MAKE) -C $(NMAP_PATH)/ncat
45073 ++ $(STRIP) -s $@
45074 ++
45075 ++clean:
45076 ++ rm -rf $(BUILD_PATH)
45077 ++
45078 ++distclean: clean
45079 ++ rm -rf $(DISTFILES_PATH)
45080 ++
45081 ++menuconfig: $(KERNEL_BUILD_PATH)/.config
45082 ++ $(MAKE) -C $(KERNEL_PATH) O=$(KERNEL_BUILD_PATH) ARCH=$(KERNEL_ARCH) CROSS_COMPILE=$(CROSS_COMPILE) menuconfig
45083 ++
45084 ++.PHONY: qemu build clean distclean menuconfig
45085 ++.DELETE_ON_ERROR:
45086 +--- /dev/null
45087 ++++ b/tools/testing/selftests/wireguard/qemu/arch/aarch64.config
45088 +@@ -0,0 +1,5 @@
45089 ++CONFIG_SERIAL_AMBA_PL011=y
45090 ++CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
45091 ++CONFIG_CMDLINE_BOOL=y
45092 ++CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
45093 ++CONFIG_FRAME_WARN=1280
45094 +--- /dev/null
45095 ++++ b/tools/testing/selftests/wireguard/qemu/arch/aarch64_be.config
45096 +@@ -0,0 +1,6 @@
45097 ++CONFIG_CPU_BIG_ENDIAN=y
45098 ++CONFIG_SERIAL_AMBA_PL011=y
45099 ++CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
45100 ++CONFIG_CMDLINE_BOOL=y
45101 ++CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
45102 ++CONFIG_FRAME_WARN=1280
45103 +--- /dev/null
45104 ++++ b/tools/testing/selftests/wireguard/qemu/arch/arm.config
45105 +@@ -0,0 +1,9 @@
45106 ++CONFIG_MMU=y
45107 ++CONFIG_ARCH_MULTI_V7=y
45108 ++CONFIG_ARCH_VIRT=y
45109 ++CONFIG_THUMB2_KERNEL=n
45110 ++CONFIG_SERIAL_AMBA_PL011=y
45111 ++CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
45112 ++CONFIG_CMDLINE_BOOL=y
45113 ++CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
45114 ++CONFIG_FRAME_WARN=1024
45115 +--- /dev/null
45116 ++++ b/tools/testing/selftests/wireguard/qemu/arch/armeb.config
45117 +@@ -0,0 +1,10 @@
45118 ++CONFIG_MMU=y
45119 ++CONFIG_ARCH_MULTI_V7=y
45120 ++CONFIG_ARCH_VIRT=y
45121 ++CONFIG_THUMB2_KERNEL=n
45122 ++CONFIG_SERIAL_AMBA_PL011=y
45123 ++CONFIG_SERIAL_AMBA_PL011_CONSOLE=y
45124 ++CONFIG_CMDLINE_BOOL=y
45125 ++CONFIG_CMDLINE="console=ttyAMA0 wg.success=ttyAMA1"
45126 ++CONFIG_CPU_BIG_ENDIAN=y
45127 ++CONFIG_FRAME_WARN=1024
45128 +--- /dev/null
45129 ++++ b/tools/testing/selftests/wireguard/qemu/arch/i686.config
45130 +@@ -0,0 +1,5 @@
45131 ++CONFIG_SERIAL_8250=y
45132 ++CONFIG_SERIAL_8250_CONSOLE=y
45133 ++CONFIG_CMDLINE_BOOL=y
45134 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45135 ++CONFIG_FRAME_WARN=1024
45136 +--- b/tools/testing/selftests/wireguard/qemu/arch/m68k.config
45137 ++++ b/tools/testing/selftests/wireguard/qemu/arch/m68k.config
45138 +@@ -0,0 +1,9 @@
45139 ++CONFIG_MMU=y
45140 ++CONFIG_M68KCLASSIC=y
45141 ++CONFIG_M68040=y
45142 ++CONFIG_MAC=y
45143 ++CONFIG_SERIAL_PMACZILOG=y
45144 ++CONFIG_SERIAL_PMACZILOG_TTYS=y
45145 ++CONFIG_SERIAL_PMACZILOG_CONSOLE=y
45146 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45147 ++CONFIG_FRAME_WARN=1024
45148 +--- /dev/null
45149 ++++ b/tools/testing/selftests/wireguard/qemu/arch/mips.config
45150 +@@ -0,0 +1,11 @@
45151 ++CONFIG_CPU_MIPS32_R2=y
45152 ++CONFIG_MIPS_MALTA=y
45153 ++CONFIG_MIPS_CPS=y
45154 ++CONFIG_MIPS_FP_SUPPORT=y
45155 ++CONFIG_POWER_RESET=y
45156 ++CONFIG_POWER_RESET_SYSCON=y
45157 ++CONFIG_SERIAL_8250=y
45158 ++CONFIG_SERIAL_8250_CONSOLE=y
45159 ++CONFIG_CMDLINE_BOOL=y
45160 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45161 ++CONFIG_FRAME_WARN=1024
45162 +--- /dev/null
45163 ++++ b/tools/testing/selftests/wireguard/qemu/arch/mips64.config
45164 +@@ -0,0 +1,14 @@
45165 ++CONFIG_64BIT=y
45166 ++CONFIG_CPU_MIPS64_R2=y
45167 ++CONFIG_MIPS32_N32=y
45168 ++CONFIG_CPU_HAS_MSA=y
45169 ++CONFIG_MIPS_MALTA=y
45170 ++CONFIG_MIPS_CPS=y
45171 ++CONFIG_MIPS_FP_SUPPORT=y
45172 ++CONFIG_POWER_RESET=y
45173 ++CONFIG_POWER_RESET_SYSCON=y
45174 ++CONFIG_SERIAL_8250=y
45175 ++CONFIG_SERIAL_8250_CONSOLE=y
45176 ++CONFIG_CMDLINE_BOOL=y
45177 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45178 ++CONFIG_FRAME_WARN=1280
45179 +--- /dev/null
45180 ++++ b/tools/testing/selftests/wireguard/qemu/arch/mips64el.config
45181 +@@ -0,0 +1,15 @@
45182 ++CONFIG_64BIT=y
45183 ++CONFIG_CPU_MIPS64_R2=y
45184 ++CONFIG_MIPS32_N32=y
45185 ++CONFIG_CPU_HAS_MSA=y
45186 ++CONFIG_MIPS_MALTA=y
45187 ++CONFIG_CPU_LITTLE_ENDIAN=y
45188 ++CONFIG_MIPS_CPS=y
45189 ++CONFIG_MIPS_FP_SUPPORT=y
45190 ++CONFIG_POWER_RESET=y
45191 ++CONFIG_POWER_RESET_SYSCON=y
45192 ++CONFIG_SERIAL_8250=y
45193 ++CONFIG_SERIAL_8250_CONSOLE=y
45194 ++CONFIG_CMDLINE_BOOL=y
45195 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45196 ++CONFIG_FRAME_WARN=1280
45197 +--- /dev/null
45198 ++++ b/tools/testing/selftests/wireguard/qemu/arch/mipsel.config
45199 +@@ -0,0 +1,12 @@
45200 ++CONFIG_CPU_MIPS32_R2=y
45201 ++CONFIG_MIPS_MALTA=y
45202 ++CONFIG_CPU_LITTLE_ENDIAN=y
45203 ++CONFIG_MIPS_CPS=y
45204 ++CONFIG_MIPS_FP_SUPPORT=y
45205 ++CONFIG_POWER_RESET=y
45206 ++CONFIG_POWER_RESET_SYSCON=y
45207 ++CONFIG_SERIAL_8250=y
45208 ++CONFIG_SERIAL_8250_CONSOLE=y
45209 ++CONFIG_CMDLINE_BOOL=y
45210 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45211 ++CONFIG_FRAME_WARN=1024
45212 +--- /dev/null
45213 ++++ b/tools/testing/selftests/wireguard/qemu/arch/powerpc.config
45214 +@@ -0,0 +1,10 @@
45215 ++CONFIG_PPC_QEMU_E500=y
45216 ++CONFIG_FSL_SOC_BOOKE=y
45217 ++CONFIG_PPC_85xx=y
45218 ++CONFIG_PHYS_64BIT=y
45219 ++CONFIG_SERIAL_8250=y
45220 ++CONFIG_SERIAL_8250_CONSOLE=y
45221 ++CONFIG_MATH_EMULATION=y
45222 ++CONFIG_CMDLINE_BOOL=y
45223 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45224 ++CONFIG_FRAME_WARN=1024
45225 +--- b/tools/testing/selftests/wireguard/qemu/arch/powerpc64le.config
45226 ++++ b/tools/testing/selftests/wireguard/qemu/arch/powerpc64le.config
45227 +@@ -0,0 +1,13 @@
45228 ++CONFIG_PPC64=y
45229 ++CONFIG_PPC_PSERIES=y
45230 ++CONFIG_ALTIVEC=y
45231 ++CONFIG_VSX=y
45232 ++CONFIG_PPC_OF_BOOT_TRAMPOLINE=y
45233 ++CONFIG_PPC_RADIX_MMU=y
45234 ++CONFIG_HVC_CONSOLE=y
45235 ++CONFIG_CPU_LITTLE_ENDIAN=y
45236 ++CONFIG_CMDLINE_BOOL=y
45237 ++CONFIG_CMDLINE="console=hvc0 wg.success=hvc1"
45238 ++CONFIG_SECTION_MISMATCH_WARN_ONLY=y
45239 ++CONFIG_FRAME_WARN=1280
45240 ++CONFIG_THREAD_SHIFT=14
45241 +--- /dev/null
45242 ++++ b/tools/testing/selftests/wireguard/qemu/arch/x86_64.config
45243 +@@ -0,0 +1,5 @@
45244 ++CONFIG_SERIAL_8250=y
45245 ++CONFIG_SERIAL_8250_CONSOLE=y
45246 ++CONFIG_CMDLINE_BOOL=y
45247 ++CONFIG_CMDLINE="console=ttyS0 wg.success=ttyS1"
45248 ++CONFIG_FRAME_WARN=1280
45249 +--- /dev/null
45250 ++++ b/tools/testing/selftests/wireguard/qemu/debug.config
45251 +@@ -0,0 +1,67 @@
45252 ++CONFIG_LOCALVERSION="-debug"
45253 ++CONFIG_ENABLE_WARN_DEPRECATED=y
45254 ++CONFIG_ENABLE_MUST_CHECK=y
45255 ++CONFIG_FRAME_POINTER=y
45256 ++CONFIG_STACK_VALIDATION=y
45257 ++CONFIG_DEBUG_KERNEL=y
45258 ++CONFIG_DEBUG_INFO=y
45259 ++CONFIG_DEBUG_INFO_DWARF4=y
45260 ++CONFIG_PAGE_EXTENSION=y
45261 ++CONFIG_PAGE_POISONING=y
45262 ++CONFIG_DEBUG_OBJECTS=y
45263 ++CONFIG_DEBUG_OBJECTS_FREE=y
45264 ++CONFIG_DEBUG_OBJECTS_TIMERS=y
45265 ++CONFIG_DEBUG_OBJECTS_WORK=y
45266 ++CONFIG_DEBUG_OBJECTS_RCU_HEAD=y
45267 ++CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y
45268 ++CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1
45269 ++CONFIG_SLUB_DEBUG_ON=y
45270 ++CONFIG_DEBUG_VM=y
45271 ++CONFIG_DEBUG_MEMORY_INIT=y
45272 ++CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
45273 ++CONFIG_DEBUG_STACKOVERFLOW=y
45274 ++CONFIG_HAVE_ARCH_KMEMCHECK=y
45275 ++CONFIG_HAVE_ARCH_KASAN=y
45276 ++CONFIG_KASAN=y
45277 ++CONFIG_KASAN_INLINE=y
45278 ++CONFIG_UBSAN=y
45279 ++CONFIG_UBSAN_SANITIZE_ALL=y
45280 ++CONFIG_UBSAN_NO_ALIGNMENT=y
45281 ++CONFIG_UBSAN_NULL=y
45282 ++CONFIG_DEBUG_KMEMLEAK=y
45283 ++CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=8192
45284 ++CONFIG_DEBUG_STACK_USAGE=y
45285 ++CONFIG_DEBUG_SHIRQ=y
45286 ++CONFIG_WQ_WATCHDOG=y
45287 ++CONFIG_SCHED_DEBUG=y
45288 ++CONFIG_SCHED_INFO=y
45289 ++CONFIG_SCHEDSTATS=y
45290 ++CONFIG_SCHED_STACK_END_CHECK=y
45291 ++CONFIG_DEBUG_TIMEKEEPING=y
45292 ++CONFIG_TIMER_STATS=y
45293 ++CONFIG_DEBUG_PREEMPT=y
45294 ++CONFIG_DEBUG_RT_MUTEXES=y
45295 ++CONFIG_DEBUG_SPINLOCK=y
45296 ++CONFIG_DEBUG_MUTEXES=y
45297 ++CONFIG_DEBUG_LOCK_ALLOC=y
45298 ++CONFIG_PROVE_LOCKING=y
45299 ++CONFIG_LOCKDEP=y
45300 ++CONFIG_DEBUG_ATOMIC_SLEEP=y
45301 ++CONFIG_TRACE_IRQFLAGS=y
45302 ++CONFIG_DEBUG_BUGVERBOSE=y
45303 ++CONFIG_DEBUG_LIST=y
45304 ++CONFIG_DEBUG_PI_LIST=y
45305 ++CONFIG_PROVE_RCU=y
45306 ++CONFIG_SPARSE_RCU_POINTER=y
45307 ++CONFIG_RCU_CPU_STALL_TIMEOUT=21
45308 ++CONFIG_RCU_TRACE=y
45309 ++CONFIG_RCU_EQS_DEBUG=y
45310 ++CONFIG_USER_STACKTRACE_SUPPORT=y
45311 ++CONFIG_DEBUG_SG=y
45312 ++CONFIG_DEBUG_NOTIFIERS=y
45313 ++CONFIG_DOUBLEFAULT=y
45314 ++CONFIG_X86_DEBUG_FPU=y
45315 ++CONFIG_DEBUG_SECTION_MISMATCH=y
45316 ++CONFIG_DEBUG_PAGEALLOC=y
45317 ++CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT=y
45318 ++CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
45319 +--- b/tools/testing/selftests/wireguard/qemu/init.c
45320 ++++ b/tools/testing/selftests/wireguard/qemu/init.c
45321 +@@ -0,0 +1,284 @@
45322 ++// SPDX-License-Identifier: GPL-2.0
45323 ++/*
45324 ++ * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@×××××.com>. All Rights Reserved.
45325 ++ */
45326 ++
45327 ++#define _GNU_SOURCE
45328 ++#include <unistd.h>
45329 ++#include <errno.h>
45330 ++#include <string.h>
45331 ++#include <stdio.h>
45332 ++#include <stdlib.h>
45333 ++#include <stdbool.h>
45334 ++#include <fcntl.h>
45335 ++#include <sys/wait.h>
45336 ++#include <sys/mount.h>
45337 ++#include <sys/stat.h>
45338 ++#include <sys/types.h>
45339 ++#include <sys/io.h>
45340 ++#include <sys/ioctl.h>
45341 ++#include <sys/reboot.h>
45342 ++#include <sys/utsname.h>
45343 ++#include <sys/sendfile.h>
45344 ++#include <sys/sysmacros.h>
45345 ++#include <linux/random.h>
45346 ++#include <linux/version.h>
45347 ++
45348 ++__attribute__((noreturn)) static void poweroff(void)
45349 ++{
45350 ++ fflush(stdout);
45351 ++ fflush(stderr);
45352 ++ reboot(RB_AUTOBOOT);
45353 ++ sleep(30);
45354 ++ fprintf(stderr, "\x1b[37m\x1b[41m\x1b[1mFailed to power off!!!\x1b[0m\n");
45355 ++ exit(1);
45356 ++}
45357 ++
45358 ++static void panic(const char *what)
45359 ++{
45360 ++ fprintf(stderr, "\n\n\x1b[37m\x1b[41m\x1b[1mSOMETHING WENT HORRIBLY WRONG\x1b[0m\n\n \x1b[31m\x1b[1m%s: %s\x1b[0m\n\n\x1b[37m\x1b[44m\x1b[1mPower off...\x1b[0m\n\n", what, strerror(errno));
45361 ++ poweroff();
45362 ++}
45363 ++
45364 ++#define pretty_message(msg) puts("\x1b[32m\x1b[1m" msg "\x1b[0m")
45365 ++
45366 ++static void print_banner(void)
45367 ++{
45368 ++ struct utsname utsname;
45369 ++ int len;
45370 ++
45371 ++ if (uname(&utsname) < 0)
45372 ++ panic("uname");
45373 ++
45374 ++ len = strlen(" WireGuard Test Suite on ") + strlen(utsname.sysname) + strlen(utsname.release) + strlen(utsname.machine);
45375 ++ printf("\x1b[45m\x1b[33m\x1b[1m%*.s\x1b[0m\n\x1b[45m\x1b[33m\x1b[1m WireGuard Test Suite on %s %s %s \x1b[0m\n\x1b[45m\x1b[33m\x1b[1m%*.s\x1b[0m\n\n", len, "", utsname.sysname, utsname.release, utsname.machine, len, "");
45376 ++}
45377 ++
45378 ++static void seed_rng(void)
45379 ++{
45380 ++ int fd;
45381 ++ struct {
45382 ++ int entropy_count;
45383 ++ int buffer_size;
45384 ++ unsigned char buffer[256];
45385 ++ } entropy = {
45386 ++ .entropy_count = sizeof(entropy.buffer) * 8,
45387 ++ .buffer_size = sizeof(entropy.buffer),
45388 ++ .buffer = "Adding real entropy is not actually important for these tests. Don't try this at home, kids!"
45389 ++ };
45390 ++
45391 ++ if (mknod("/dev/urandom", S_IFCHR | 0644, makedev(1, 9)))
45392 ++ panic("mknod(/dev/urandom)");
45393 ++ fd = open("/dev/urandom", O_WRONLY);
45394 ++ if (fd < 0)
45395 ++ panic("open(urandom)");
45396 ++ for (int i = 0; i < 256; ++i) {
45397 ++ if (ioctl(fd, RNDADDENTROPY, &entropy) < 0)
45398 ++ panic("ioctl(urandom)");
45399 ++ }
45400 ++ close(fd);
45401 ++}
45402 ++
45403 ++static void mount_filesystems(void)
45404 ++{
45405 ++ pretty_message("[+] Mounting filesystems...");
45406 ++ mkdir("/dev", 0755);
45407 ++ mkdir("/proc", 0755);
45408 ++ mkdir("/sys", 0755);
45409 ++ mkdir("/tmp", 0755);
45410 ++ mkdir("/run", 0755);
45411 ++ mkdir("/var", 0755);
45412 ++ if (mount("none", "/dev", "devtmpfs", 0, NULL))
45413 ++ panic("devtmpfs mount");
45414 ++ if (mount("none", "/proc", "proc", 0, NULL))
45415 ++ panic("procfs mount");
45416 ++ if (mount("none", "/sys", "sysfs", 0, NULL))
45417 ++ panic("sysfs mount");
45418 ++ if (mount("none", "/tmp", "tmpfs", 0, NULL))
45419 ++ panic("tmpfs mount");
45420 ++ if (mount("none", "/run", "tmpfs", 0, NULL))
45421 ++ panic("tmpfs mount");
45422 ++ if (mount("none", "/sys/kernel/debug", "debugfs", 0, NULL))
45423 ++ ; /* Not a problem if it fails.*/
45424 ++ if (symlink("/run", "/var/run"))
45425 ++ panic("run symlink");
45426 ++ if (symlink("/proc/self/fd", "/dev/fd"))
45427 ++ panic("fd symlink");
45428 ++}
45429 ++
45430 ++static void enable_logging(void)
45431 ++{
45432 ++ int fd;
45433 ++ pretty_message("[+] Enabling logging...");
45434 ++ fd = open("/proc/sys/kernel/printk", O_WRONLY);
45435 ++ if (fd >= 0) {
45436 ++ if (write(fd, "9\n", 2) != 2)
45437 ++ panic("write(printk)");
45438 ++ close(fd);
45439 ++ }
45440 ++ fd = open("/proc/sys/debug/exception-trace", O_WRONLY);
45441 ++ if (fd >= 0) {
45442 ++ if (write(fd, "1\n", 2) != 2)
45443 ++ panic("write(exception-trace)");
45444 ++ close(fd);
45445 ++ }
45446 ++ fd = open("/proc/sys/kernel/panic_on_warn", O_WRONLY);
45447 ++ if (fd >= 0) {
45448 ++ if (write(fd, "1\n", 2) != 2)
45449 ++ panic("write(panic_on_warn)");
45450 ++ close(fd);
45451 ++ }
45452 ++}
45453 ++
45454 ++static void kmod_selftests(void)
45455 ++{
45456 ++ FILE *file;
45457 ++ char line[2048], *start, *pass;
45458 ++ bool success = true;
45459 ++ pretty_message("[+] Module self-tests:");
45460 ++ file = fopen("/proc/kmsg", "r");
45461 ++ if (!file)
45462 ++ panic("fopen(kmsg)");
45463 ++ if (fcntl(fileno(file), F_SETFL, O_NONBLOCK) < 0)
45464 ++ panic("fcntl(kmsg, nonblock)");
45465 ++ while (fgets(line, sizeof(line), file)) {
45466 ++ start = strstr(line, "wireguard: ");
45467 ++ if (!start)
45468 ++ continue;
45469 ++ start += 11;
45470 ++ *strchrnul(start, '\n') = '\0';
45471 ++ if (strstr(start, "www.wireguard.com"))
45472 ++ break;
45473 ++ pass = strstr(start, ": pass");
45474 ++ if (!pass || pass[6] != '\0') {
45475 ++ success = false;
45476 ++ printf(" \x1b[31m* %s\x1b[0m\n", start);
45477 ++ } else
45478 ++ printf(" \x1b[32m* %s\x1b[0m\n", start);
45479 ++ }
45480 ++ fclose(file);
45481 ++ if (!success) {
45482 ++ puts("\x1b[31m\x1b[1m[-] Tests failed! \u2639\x1b[0m");
45483 ++ poweroff();
45484 ++ }
45485 ++}
45486 ++
45487 ++static void launch_tests(void)
45488 ++{
45489 ++ char cmdline[4096], *success_dev;
45490 ++ int status, fd;
45491 ++ pid_t pid;
45492 ++
45493 ++ pretty_message("[+] Launching tests...");
45494 ++ pid = fork();
45495 ++ if (pid == -1)
45496 ++ panic("fork");
45497 ++ else if (pid == 0) {
45498 ++ execl("/init.sh", "init", NULL);
45499 ++ panic("exec");
45500 ++ }
45501 ++ if (waitpid(pid, &status, 0) < 0)
45502 ++ panic("waitpid");
45503 ++ if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
45504 ++ pretty_message("[+] Tests successful! :-)");
45505 ++ fd = open("/proc/cmdline", O_RDONLY);
45506 ++ if (fd < 0)
45507 ++ panic("open(/proc/cmdline)");
45508 ++ if (read(fd, cmdline, sizeof(cmdline) - 1) <= 0)
45509 ++ panic("read(/proc/cmdline)");
45510 ++ cmdline[sizeof(cmdline) - 1] = '\0';
45511 ++ for (success_dev = strtok(cmdline, " \n"); success_dev; success_dev = strtok(NULL, " \n")) {
45512 ++ if (strncmp(success_dev, "wg.success=", 11))
45513 ++ continue;
45514 ++ memcpy(success_dev + 11 - 5, "/dev/", 5);
45515 ++ success_dev += 11 - 5;
45516 ++ break;
45517 ++ }
45518 ++ if (!success_dev || !strlen(success_dev))
45519 ++ panic("Unable to find success device");
45520 ++
45521 ++ fd = open(success_dev, O_WRONLY);
45522 ++ if (fd < 0)
45523 ++ panic("open(success_dev)");
45524 ++ if (write(fd, "success\n", 8) != 8)
45525 ++ panic("write(success_dev)");
45526 ++ close(fd);
45527 ++ } else {
45528 ++ const char *why = "unknown cause";
45529 ++ int what = -1;
45530 ++
45531 ++ if (WIFEXITED(status)) {
45532 ++ why = "exit code";
45533 ++ what = WEXITSTATUS(status);
45534 ++ } else if (WIFSIGNALED(status)) {
45535 ++ why = "signal";
45536 ++ what = WTERMSIG(status);
45537 ++ }
45538 ++ printf("\x1b[31m\x1b[1m[-] Tests failed with %s %d! \u2639\x1b[0m\n", why, what);
45539 ++ }
45540 ++}
45541 ++
45542 ++static void ensure_console(void)
45543 ++{
45544 ++ for (unsigned int i = 0; i < 1000; ++i) {
45545 ++ int fd = open("/dev/console", O_RDWR);
45546 ++ if (fd < 0) {
45547 ++ usleep(50000);
45548 ++ continue;
45549 ++ }
45550 ++ dup2(fd, 0);
45551 ++ dup2(fd, 1);
45552 ++ dup2(fd, 2);
45553 ++ close(fd);
45554 ++ if (write(1, "\0\0\0\0\n", 5) == 5)
45555 ++ return;
45556 ++ }
45557 ++ panic("Unable to open console device");
45558 ++}
45559 ++
45560 ++static void clear_leaks(void)
45561 ++{
45562 ++ int fd;
45563 ++
45564 ++ fd = open("/sys/kernel/debug/kmemleak", O_WRONLY);
45565 ++ if (fd < 0)
45566 ++ return;
45567 ++ pretty_message("[+] Starting memory leak detection...");
45568 ++ write(fd, "clear\n", 5);
45569 ++ close(fd);
45570 ++}
45571 ++
45572 ++static void check_leaks(void)
45573 ++{
45574 ++ int fd;
45575 ++
45576 ++ fd = open("/sys/kernel/debug/kmemleak", O_WRONLY);
45577 ++ if (fd < 0)
45578 ++ return;
45579 ++ pretty_message("[+] Scanning for memory leaks...");
45580 ++ sleep(2); /* Wait for any grace periods. */
45581 ++ write(fd, "scan\n", 5);
45582 ++ close(fd);
45583 ++
45584 ++ fd = open("/sys/kernel/debug/kmemleak", O_RDONLY);
45585 ++ if (fd < 0)
45586 ++ return;
45587 ++ if (sendfile(1, fd, NULL, 0x7ffff000) > 0)
45588 ++ panic("Memory leaks encountered");
45589 ++ close(fd);
45590 ++}
45591 ++
45592 ++int main(int argc, char *argv[])
45593 ++{
45594 ++ seed_rng();
45595 ++ ensure_console();
45596 ++ print_banner();
45597 ++ mount_filesystems();
45598 ++ kmod_selftests();
45599 ++ enable_logging();
45600 ++ clear_leaks();
45601 ++ launch_tests();
45602 ++ check_leaks();
45603 ++ poweroff();
45604 ++ return 1;
45605 ++}
45606 +--- b/tools/testing/selftests/wireguard/qemu/kernel.config
45607 ++++ b/tools/testing/selftests/wireguard/qemu/kernel.config
45608 +@@ -0,0 +1,90 @@
45609 ++CONFIG_LOCALVERSION=""
45610 ++CONFIG_NET=y
45611 ++CONFIG_NETDEVICES=y
45612 ++CONFIG_NET_CORE=y
45613 ++CONFIG_NET_IPIP=y
45614 ++CONFIG_DUMMY=y
45615 ++CONFIG_VETH=y
45616 ++CONFIG_MULTIUSER=y
45617 ++CONFIG_NAMESPACES=y
45618 ++CONFIG_NET_NS=y
45619 ++CONFIG_UNIX=y
45620 ++CONFIG_INET=y
45621 ++CONFIG_IPV6=y
45622 ++CONFIG_NETFILTER=y
45623 ++CONFIG_NETFILTER_ADVANCED=y
45624 ++CONFIG_NF_CONNTRACK=y
45625 ++CONFIG_NF_NAT=y
45626 ++CONFIG_NETFILTER_XTABLES=y
45627 ++CONFIG_NETFILTER_XT_NAT=y
45628 ++CONFIG_NETFILTER_XT_MATCH_LENGTH=y
45629 ++CONFIG_NETFILTER_XT_MARK=y
45630 ++CONFIG_NF_CONNTRACK_IPV4=y
45631 ++CONFIG_NF_NAT_IPV4=y
45632 ++CONFIG_IP_NF_IPTABLES=y
45633 ++CONFIG_IP_NF_FILTER=y
45634 ++CONFIG_IP_NF_MANGLE=y
45635 ++CONFIG_IP_NF_NAT=y
45636 ++CONFIG_IP_ADVANCED_ROUTER=y
45637 ++CONFIG_IP_MULTIPLE_TABLES=y
45638 ++CONFIG_IPV6_MULTIPLE_TABLES=y
45639 ++CONFIG_TTY=y
45640 ++CONFIG_BINFMT_ELF=y
45641 ++CONFIG_BINFMT_SCRIPT=y
45642 ++CONFIG_VDSO=y
45643 ++CONFIG_VIRTUALIZATION=y
45644 ++CONFIG_HYPERVISOR_GUEST=y
45645 ++CONFIG_PARAVIRT=y
45646 ++CONFIG_KVM_GUEST=y
45647 ++CONFIG_PARAVIRT_SPINLOCKS=y
45648 ++CONFIG_PRINTK=y
45649 ++CONFIG_KALLSYMS=y
45650 ++CONFIG_BUG=y
45651 ++CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
45652 ++CONFIG_JUMP_LABEL=y
45653 ++CONFIG_EMBEDDED=n
45654 ++CONFIG_BASE_FULL=y
45655 ++CONFIG_FUTEX=y
45656 ++CONFIG_SHMEM=y
45657 ++CONFIG_SLUB=y
45658 ++CONFIG_SPARSEMEM_VMEMMAP=y
45659 ++CONFIG_SMP=y
45660 ++CONFIG_SCHED_SMT=y
45661 ++CONFIG_SCHED_MC=y
45662 ++CONFIG_NUMA=y
45663 ++CONFIG_PREEMPT=y
45664 ++CONFIG_NO_HZ=y
45665 ++CONFIG_NO_HZ_IDLE=y
45666 ++CONFIG_NO_HZ_FULL=n
45667 ++CONFIG_HZ_PERIODIC=n
45668 ++CONFIG_HIGH_RES_TIMERS=y
45669 ++CONFIG_COMPAT_32BIT_TIME=y
45670 ++CONFIG_ARCH_RANDOM=y
45671 ++CONFIG_FILE_LOCKING=y
45672 ++CONFIG_POSIX_TIMERS=y
45673 ++CONFIG_DEVTMPFS=y
45674 ++CONFIG_PROC_FS=y
45675 ++CONFIG_PROC_SYSCTL=y
45676 ++CONFIG_SYSFS=y
45677 ++CONFIG_TMPFS=y
45678 ++CONFIG_CONSOLE_LOGLEVEL_DEFAULT=15
45679 ++CONFIG_PRINTK_TIME=y
45680 ++CONFIG_BLK_DEV_INITRD=y
45681 ++CONFIG_LEGACY_VSYSCALL_NONE=y
45682 ++CONFIG_KERNEL_GZIP=y
45683 ++CONFIG_PANIC_ON_OOPS=y
45684 ++CONFIG_BUG_ON_DATA_CORRUPTION=y
45685 ++CONFIG_LOCKUP_DETECTOR=y
45686 ++CONFIG_SOFTLOCKUP_DETECTOR=y
45687 ++CONFIG_HARDLOCKUP_DETECTOR=y
45688 ++CONFIG_WQ_WATCHDOG=y
45689 ++CONFIG_DETECT_HUNG_TASK=y
45690 ++CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
45691 ++CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
45692 ++CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
45693 ++CONFIG_PANIC_TIMEOUT=-1
45694 ++CONFIG_STACKTRACE=y
45695 ++CONFIG_EARLY_PRINTK=y
45696 ++CONFIG_GDB_SCRIPTS=y
45697 ++CONFIG_WIREGUARD=y
45698 ++CONFIG_WIREGUARD_DEBUG=y
45699 +--- a/include/net/ip_tunnels.h
45700 ++++ b/include/net/ip_tunnels.h
45701 +@@ -289,6 +289,9 @@ int ip_tunnel_newlink(struct net_device *dev, struct nlattr *tb[],
45702 + struct ip_tunnel_parm *p, __u32 fwmark);
45703 + void ip_tunnel_setup(struct net_device *dev, unsigned int net_id);
45704 +
45705 ++extern const struct header_ops ip_tunnel_header_ops;
45706 ++__be16 ip_tunnel_parse_protocol(const struct sk_buff *skb);
45707 ++
45708 + struct ip_tunnel_encap_ops {
45709 + size_t (*encap_hlen)(struct ip_tunnel_encap *e);
45710 + int (*build_header)(struct sk_buff *skb, struct ip_tunnel_encap *e,
45711 +--- a/net/ipv4/ip_tunnel_core.c
45712 ++++ b/net/ipv4/ip_tunnel_core.c
45713 +@@ -446,3 +446,21 @@ void ip_tunnel_unneed_metadata(void)
45714 + static_branch_dec(&ip_tunnel_metadata_cnt);
45715 + }
45716 + EXPORT_SYMBOL_GPL(ip_tunnel_unneed_metadata);
45717 ++
45718 ++/* Returns either the correct skb->protocol value, or 0 if invalid. */
45719 ++__be16 ip_tunnel_parse_protocol(const struct sk_buff *skb)
45720 ++{
45721 ++ if (skb_network_header(skb) >= skb->head &&
45722 ++ (skb_network_header(skb) + sizeof(struct iphdr)) <= skb_tail_pointer(skb) &&
45723 ++ ip_hdr(skb)->version == 4)
45724 ++ return htons(ETH_P_IP);
45725 ++ if (skb_network_header(skb) >= skb->head &&
45726 ++ (skb_network_header(skb) + sizeof(struct ipv6hdr)) <= skb_tail_pointer(skb) &&
45727 ++ ipv6_hdr(skb)->version == 6)
45728 ++ return htons(ETH_P_IPV6);
45729 ++ return 0;
45730 ++}
45731 ++EXPORT_SYMBOL(ip_tunnel_parse_protocol);
45732 ++
45733 ++const struct header_ops ip_tunnel_header_ops = { .parse_protocol = ip_tunnel_parse_protocol };
45734 ++EXPORT_SYMBOL(ip_tunnel_header_ops);
Report Message
Find on MARC Find on Google Groups