From c2b485afc82c80f709b629275f4c5f0a4d879d37 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 11 Sep 2018 15:35:23 -0600 Subject: Add new hacl32 and hacl64 --- Makefile | 2 +- main.c | 21 +- poly1305-hacl32.c | 636 +++++++++++++++ poly1305-hacl64.c | 1117 ++++++++++++-------------- test_vectors.h | 2285 +++++++++++++++++++---------------------------------- 5 files changed, 1948 insertions(+), 2113 deletions(-) create mode 100644 poly1305-hacl32.c
diff --git a/Makefile b/Makefile
index 0a7958b..1c762dc 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 ifneq ($(KERNELRELEASE),)
-kbench9000-y := main.o poly1305-hacl64.o poly1305-ref.o poly1305-openssl-asm.o poly1305-openssl.o poly1305-donna32.o poly1305-donna64.o
+kbench9000-y := main.o poly1305-hacl32.o poly1305-hacl64.o poly1305-ref.o poly1305-openssl-asm.o poly1305-openssl.o poly1305-donna32.o poly1305-donna64.o
 obj-m := kbench9000.o
 ccflags-y += -O3
 ccflags-y += -D'pr_fmt(fmt)=KBUILD_MODNAME ": " fmt'
diff --git a/main.c b/main.c
index ff26798..b904cb3 100644
--- a/main.c
+++ b/main.c
@@ -40,9 +40,9 @@ static __always_inline int name(size_t len) \
 #define test_it(name, before, after) do { \
 memset(out, __LINE__, POLY1305_MAC_SIZE); \
 before; \
- ret = poly1305_ ## name(out, poly1305_test_vectors[i].input.data, poly1305_test_vectors[i].input.size, poly1305_test_vectors[i].key.data); \
+ ret = poly1305_ ## name(out, poly1305_testvecs[i].input, poly1305_testvecs[i].ilen, poly1305_testvecs[i].key); \
 after; \
- if (memcmp(out, poly1305_test_vectors[i].expected.data, POLY1305_MAC_SIZE)) { \
+ if (memcmp(out, poly1305_testvecs[i].output, POLY1305_MAC_SIZE)) { \
 pr_err(#name " self-test %zu: FAIL\n", i + 1); \
 return false; \
 } \
@@ -68,7 +68,6 @@ u8 dummy_out[POLY1305_MAC_SIZE];
 u8 input_key[POLY1305_KEY_SIZE];
 u8 input_data[STARTING_SIZE * (1ULL << DOUBLING_STEPS)];
-declare_it(hacl64)
 declare_it(ref)
 declare_it(ossl_c)
 declare_it(ossl_amd64)
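Review bot: The new call `ret = poly1305_ ## name(out, poly1305_testvecs[i].input, poly1305_testvecs[i].ilen, poly1305_testvecs[i].key);` in test_it assumes every implementation returns a value and accepts the vector's length type, but poly1305-hacl32.c in this same commit defines `void poly1305_hacl32(uint8_t *o, uint8_t *t, uint32_t l, uint8_t *k)`. If the prototype emitted by declare_it (outside this hunk) is non-void or uses a wider length, declaration and definition disagree across translation units, and the compiler only catches that when both sides share a header. I would make the hacl32 entry point match that prototype and state the contract above the macro, e.g. `/* poly1305_<name>() must match the prototype emitted by declare_it() */`. The test_it macro continues past the end of the hunk, so any later use of `ret` is not visible here.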
@@ -77,6 +76,8 @@ declare_it(ossl_avx2)
 declare_it(ossl_avx512)
 declare_it(donna32)
 declare_it(donna64)
+declare_it(hacl32)
+declare_it(hacl64)
 static bool verify(void)
 {
@@ -84,12 +85,13 @@ static bool verify(void)
 size_t i = 0;
 u8 out[POLY1305_MAC_SIZE];
- for (i = 0; i < ARRAY_SIZE(poly1305_test_vectors); ++i) {
- test_it(hacl64, {}, {});
+ for (i = 0; i < ARRAY_SIZE(poly1305_testvecs); ++i) {
 test_it(ref, {}, {});
 test_it(ossl_c, {}, {});
 test_it(donna32, {}, {});
 test_it(donna64, {}, {});
+ test_it(hacl32, {}, {});
+ test_it(hacl64, {}, {});
 test_it(ossl_amd64, {}, {});
 if (boot_cpu_has(X86_FEATURE_AVX) && cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
 test_it(ossl_avx, kernel_fpu_begin(), kernel_fpu_end());
@@ -105,7 +107,6 @@ static int __init mod_init(void)
 {
 size_t s;
 int ret = 0, i, j;
- cycles_t start_hacl64[DOUBLING_STEPS + 1], end_hacl64[DOUBLING_STEPS + 1];
 cycles_t start_ref[DOUBLING_STEPS + 1], end_ref[DOUBLING_STEPS + 1];
 cycles_t start_ossl_c[DOUBLING_STEPS + 1], end_ossl_c[DOUBLING_STEPS + 1];
 cycles_t start_ossl_amd64[DOUBLING_STEPS + 1], end_ossl_amd64[DOUBLING_STEPS + 1];
@@ -114,6 +115,8 @@ static int __init mod_init(void)
 cycles_t start_ossl_avx512[DOUBLING_STEPS + 1], end_ossl_avx512[DOUBLING_STEPS + 1];
 cycles_t start_donna32[DOUBLING_STEPS + 1], end_donna32[DOUBLING_STEPS + 1];
 cycles_t start_donna64[DOUBLING_STEPS + 1], end_donna64[DOUBLING_STEPS + 1];
+ cycles_t start_hacl32[DOUBLING_STEPS + 1], end_hacl32[DOUBLING_STEPS + 1];
+ cycles_t start_hacl64[DOUBLING_STEPS + 1], end_hacl64[DOUBLING_STEPS + 1];
 unsigned long flags;
 DEFINE_SPINLOCK(lock);
@@ -131,11 +134,12 @@ static int __init mod_init(void)
 spin_lock_irqsave(&lock, flags);
- do_it(hacl64);
 do_it(ref);
 do_it(ossl_c);
 do_it(donna32);
 do_it(donna64);
+ do_it(hacl32);
+ do_it(hacl64);
 do_it(ossl_amd64);
 if (boot_cpu_has(X86_FEATURE_AVX) && cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
 do_it(ossl_avx);
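Review bot: The added `cycles_t start_hacl32[DOUBLING_STEPS + 1], end_hacl32[DOUBLING_STEPS + 1];` in the mod_init declarations grows a stack frame that already carries one such pair per implementation, and kernel stacks are small and fixed-size. DOUBLING_STEPS is defined outside this hunk, so the real frame size cannot be judged from here, but every new implementation adds 2 * (DOUBLING_STEPS + 1) * sizeof(cycles_t) bytes to it. Giving the timing arrays static storage, e.g. `static cycles_t start_hacl32[DOUBLING_STEPS + 1], end_hacl32[DOUBLING_STEPS + 1];`, would keep the frame constant as implementations are added. mod_init's body starts and ends outside the hunk.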
@@ -152,11 +156,12 @@ static int __init mod_init(void)
 pr_err("%lu: ", stamp);
 for (j = 0, s = STARTING_SIZE; j <= DOUBLING_STEPS; ++j, s *= 2) \
 printk(KERN_CONT " \x1b[4m%6zu\x1b[24m", s);
- report_it(hacl64);
 report_it(ref);
 report_it(ossl_c);
 report_it(donna32);
 report_it(donna64);
+ report_it(hacl32);
+ report_it(hacl64);
 report_it(ossl_amd64);
 if (boot_cpu_has(X86_FEATURE_AVX) && cpu_has_xfeatures(XFEATURE_MASK_SSE | XFEATURE_MASK_YMM, NULL))
 report_it(ossl_avx);
diff --git a/poly1305-hacl32.c b/poly1305-hacl32.c
new file mode 100644
index 0000000..b2895cc
--- /dev/null
+++ b/poly1305-hacl32.c
@@ -0,0 +1,636 @@ +/* SPDX-License-Identifier: MIT + * + * Copyright (c) 2016-2018 INRIA and Microsoft Corporation + */ + + +#include +#include +#include + +#define load64_le(x) get_unaligned_le64(x) +#define store64_le(d, s) put_unaligned_le64(s, d) + +static uint32_t Lib_Utils_uint32_eq_mask(uint32_t a, uint32_t b) +{ + uint32_t x = a ^ b; + uint32_t minus_x = ~x + (uint32_t)1U; + uint32_t x_or_minus_x = x | minus_x; + uint32_t xnx = x_or_minus_x >> (uint32_t)31U; + uint32_t c = xnx - (uint32_t)1U; + return c; +} + +static uint32_t Lib_Utils_uint32_gte_mask(uint32_t a, uint32_t b) +{ + uint32_t x = a; + uint32_t y = b; + uint32_t x_xor_y = x ^ y; + uint32_t x_sub_y = x - y; + uint32_t x_sub_y_xor_y = x_sub_y ^ y; + uint32_t q = x_xor_y | x_sub_y_xor_y; + uint32_t x_xor_q = x ^ q; + uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U; + uint32_t c = x_xor_q_ - (uint32_t)1U; + return c; +} + +inline static void Hacl_Impl_Poly1305_Field32_add_felem(uint32_t *f1, uint32_t *f2) +{ + uint32_t f10 = f1[0U]; + uint32_t f11 = f1[1U]; + uint32_t f12 = f1[2U]; + uint32_t f13 = f1[3U]; + uint32_t f14 = f1[4U]; + uint32_t f20 = f2[0U]; + uint32_t f21 = f2[1U]; + uint32_t f22 = f2[2U]; + uint32_t f23 = f2[3U]; + uint32_t f24 = f2[4U]; + f1[0U] = f10 + f20; + f1[1U] = f11 + f21; + f1[2U] = f12 + f22; + f1[3U] = f13 + f23; + f1[4U] = f14 + f24; +} + +inline static void +Hacl_Impl_Poly1305_Field32_smul_felem(uint64_t *out, uint32_t u1, uint32_t *f2) +{ + uint32_t f20 = f2[0U]; + uint32_t f21 = f2[1U]; + uint32_t f22 = f2[2U]; + uint32_t f23 = f2[3U]; + uint32_t f24 = f2[4U]; + out[0U] = (uint64_t)u1 * (uint64_t)f20; + out[1U] = (uint64_t)u1 * (uint64_t)f21; + out[2U] = (uint64_t)u1 * (uint64_t)f22; + out[3U] = (uint64_t)u1 * (uint64_t)f23; + out[4U] = (uint64_t)u1 * (uint64_t)f24; +} + +inline static void +Hacl_Impl_Poly1305_Field32_smul_add_felem(uint64_t *out, uint32_t u1, uint32_t *f2) +{ + uint32_t f20 = f2[0U]; + uint32_t f21 = f2[1U]; + uint32_t f22 = f2[2U]; + uint32_t f23 = 
f2[3U]; + uint32_t f24 = f2[4U]; + uint64_t o0 = out[0U]; + uint64_t o1 = out[1U]; + uint64_t o2 = out[2U]; + uint64_t o3 = out[3U]; + uint64_t o4 = out[4U]; + out[0U] = o0 + (uint64_t)u1 * (uint64_t)f20; + out[1U] = o1 + (uint64_t)u1 * (uint64_t)f21; + out[2U] = o2 + (uint64_t)u1 * (uint64_t)f22; + out[3U] = o3 + (uint64_t)u1 * (uint64_t)f23; + out[4U] = o4 + (uint64_t)u1 * (uint64_t)f24; +} + +inline static void +Hacl_Impl_Poly1305_Field32_mul_felem( + uint64_t *out, + uint32_t *f1, + uint32_t *f2, + uint32_t *f2_20 +) +{ + uint32_t tmp[5U] = { 0U }; + Hacl_Impl_Poly1305_Field32_smul_felem(out, f1[0U], f2); + tmp[0U] = f2_20[4U]; + tmp[1U] = f2[0U]; + tmp[2U] = f2[1U]; + tmp[3U] = f2[2U]; + tmp[4U] = f2[3U]; + Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[1U], tmp); + tmp[0U] = f2_20[3U]; + tmp[1U] = f2_20[4U]; + tmp[2U] = f2[0U]; + tmp[3U] = f2[1U]; + tmp[4U] = f2[2U]; + Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[2U], tmp); + tmp[0U] = f2_20[2U]; + tmp[1U] = f2_20[3U]; + tmp[2U] = f2_20[4U]; + tmp[3U] = f2[0U]; + tmp[4U] = f2[1U]; + Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[3U], tmp); + tmp[0U] = f2_20[1U]; + tmp[1U] = f2_20[2U]; + tmp[2U] = f2_20[3U]; + tmp[3U] = f2_20[4U]; + tmp[4U] = f2[0U]; + Hacl_Impl_Poly1305_Field32_smul_add_felem(out, f1[4U], tmp); +} + +inline static void Hacl_Impl_Poly1305_Field32_carry_wide_felem(uint32_t *out, uint64_t *inp) +{ + uint64_t i0 = inp[0U]; + uint64_t i1 = inp[1U]; + uint64_t i2 = inp[2U]; + uint64_t i3 = inp[3U]; + uint64_t i4 = inp[4U]; + uint64_t l = i0 + (uint64_t)(uint32_t)0U; + uint32_t tmp0 = (uint32_t)l & (uint32_t)0x3ffffffU; + uint32_t carry1 = (uint32_t)(l >> (uint32_t)26U); + uint64_t l0 = i1 + (uint64_t)carry1; + uint32_t tmp1 = (uint32_t)l0 & (uint32_t)0x3ffffffU; + uint32_t carry2 = (uint32_t)(l0 >> (uint32_t)26U); + uint64_t l1 = i2 + (uint64_t)carry2; + uint32_t tmp2 = (uint32_t)l1 & (uint32_t)0x3ffffffU; + uint32_t carry3 = (uint32_t)(l1 >> (uint32_t)26U); + uint64_t l2 = i3 + 
(uint64_t)carry3; + uint32_t tmp3 = (uint32_t)l2 & (uint32_t)0x3ffffffU; + uint32_t carry4 = (uint32_t)(l2 >> (uint32_t)26U); + uint64_t l3 = i4 + (uint64_t)carry4; + uint32_t tmp4 = (uint32_t)l3 & (uint32_t)0x3ffffffU; + uint32_t carry5 = (uint32_t)(l3 >> (uint32_t)26U); + uint32_t tmp01 = tmp0 + carry5 * (uint32_t)5U; + out[0U] = tmp01; + out[1U] = tmp1; + out[2U] = tmp2; + out[3U] = tmp3; + out[4U] = tmp4; +} + +inline static void Hacl_Impl_Poly1305_Field32_carry_felem(uint32_t *f) +{ + uint32_t f0 = f[0U]; + uint32_t f1 = f[1U]; + uint32_t f2 = f[2U]; + uint32_t f3 = f[3U]; + uint32_t f4 = f[4U]; + uint32_t l = f0 + (uint32_t)0U; + uint32_t tmp0 = l & (uint32_t)0x3ffffffU; + uint32_t carry1 = l >> (uint32_t)26U; + uint32_t l0 = f1 + carry1; + uint32_t tmp1 = l0 & (uint32_t)0x3ffffffU; + uint32_t carry2 = l0 >> (uint32_t)26U; + uint32_t l1 = f2 + carry2; + uint32_t tmp2 = l1 & (uint32_t)0x3ffffffU; + uint32_t carry3 = l1 >> (uint32_t)26U; + uint32_t l2 = f3 + carry3; + uint32_t tmp3 = l2 & (uint32_t)0x3ffffffU; + uint32_t carry4 = l2 >> (uint32_t)26U; + uint32_t tmp4 = f4 + carry4; + f[0U] = tmp0; + f[1U] = tmp1; + f[2U] = tmp2; + f[3U] = tmp3; + f[4U] = tmp4; +} + +inline static void Hacl_Impl_Poly1305_Field32_carry_top_felem(uint32_t *f) +{ + uint32_t f0 = f[0U]; + uint32_t f1 = f[1U]; + uint32_t f4 = f[4U]; + uint32_t l = f4 + (uint32_t)0U; + uint32_t tmp4 = l & (uint32_t)0x3ffffffU; + uint32_t carry1 = l >> (uint32_t)26U; + uint32_t l0 = f0 + carry1 * (uint32_t)5U; + uint32_t tmp0 = l0 & (uint32_t)0x3ffffffU; + uint32_t carry2 = l0 >> (uint32_t)26U; + uint32_t tmp1 = f1 + carry2; + f[0U] = tmp0; + f[1U] = tmp1; + f[4U] = tmp4; +} + +uint32_t Hacl_Poly1305_32_ctxlen = (uint32_t)20U; + +uint32_t Hacl_Poly1305_32_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_32_poly1305_init(uint32_t *ctx, uint8_t *key) +{ + uint8_t *kr = key; + uint8_t *ks = key + (uint32_t)16U; + uint32_t *acc = ctx; + uint32_t *r = ctx + (uint32_t)5U; + uint32_t *r_20 = ctx + (uint32_t)5U 
* (uint32_t)2U; + uint32_t *sk = ctx + (uint32_t)5U * (uint32_t)3U; + uint64_t u0; + uint64_t lo0; + uint64_t u1; + uint64_t hi0; + uint64_t lo2; + uint64_t hi2; + uint64_t mask0; + uint64_t mask1; + uint64_t lo1; + uint64_t hi1; + uint64_t u2; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t sl; + uint64_t sh; + acc[0U] = (uint32_t)0U; + acc[1U] = (uint32_t)0U; + acc[2U] = (uint32_t)0U; + acc[3U] = (uint32_t)0U; + acc[4U] = (uint32_t)0U; + u0 = load64_le(kr); + lo0 = u0; + u1 = load64_le(kr + (uint32_t)8U); + hi0 = u1; + lo2 = lo0; + hi2 = hi0; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask1 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo2 & mask0; + hi1 = hi2 & mask1; + r[0U] = (uint32_t)lo1 & (uint32_t)0x3ffffffU; + r[1U] = (uint32_t)(lo1 >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + r[2U] = (uint32_t)(lo1 >> (uint32_t)52U) ^ ((uint32_t)hi1 & (uint32_t)0x3fffU) << (uint32_t)12U; + r[3U] = (uint32_t)(hi1 >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + r[4U] = (uint32_t)(hi1 >> (uint32_t)40U); + r_20[0U] = r[0U] * (uint32_t)5U; + r_20[1U] = r[1U] * (uint32_t)5U; + r_20[2U] = r[2U] * (uint32_t)5U; + r_20[3U] = r[3U] * (uint32_t)5U; + r_20[4U] = r[4U] * (uint32_t)5U; + u2 = load64_le(ks); + lo = u2; + u = load64_le(ks + (uint32_t)8U); + hi = u; + sl = lo; + sh = hi; + sk[0U] = (uint32_t)sl & (uint32_t)0x3ffffffU; + sk[1U] = (uint32_t)(sl >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + sk[2U] = (uint32_t)(sl >> (uint32_t)52U) ^ ((uint32_t)sh & (uint32_t)0x3fffU) << (uint32_t)12U; + sk[3U] = (uint32_t)(sh >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + sk[4U] = (uint32_t)(sh >> (uint32_t)40U); +} + +void Hacl_Poly1305_32_poly1305_update(uint32_t *ctx, uint8_t *text, uint32_t len) +{ + uint32_t *acc = ctx; + uint32_t *r = ctx + (uint32_t)5U; + uint32_t *r_20 = ctx + (uint32_t)5U * (uint32_t)2U; + uint32_t e[5U] = { 0U }; + uint32_t blocks = len / (uint32_t)16U; + uint32_t rem1; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U) + { + uint8_t *b = text + 
i * (uint32_t)16U; + uint64_t u0 = load64_le(b); + uint64_t lo0 = u0; + uint64_t u = load64_le(b + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU; + e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + e[2U] = (uint32_t)(lo >> (uint32_t)52U) ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U; + e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + e[4U] = (uint32_t)(hi >> (uint32_t)40U); + e[4U] = e[4U] | (uint32_t)0x1000000U; + { + uint64_t tmp[5U] = { 0U }; + Hacl_Impl_Poly1305_Field32_add_felem(acc, e); + Hacl_Impl_Poly1305_Field32_mul_felem(tmp, acc, r, r_20); + Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc, tmp); + } + } + } + rem1 = len % (uint32_t)16U; + if (rem1 > (uint32_t)0U) + { + uint8_t *b = text + blocks * (uint32_t)16U; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, b, rem1 * sizeof b[0U]); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo0 = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU; + e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + e[2U] = (uint32_t)(lo >> (uint32_t)52U) ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U; + e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + e[4U] = (uint32_t)(hi >> (uint32_t)40U); + if (rem1 * (uint32_t)8U < (uint32_t)26U) + { + e[0U] = e[0U] | (uint32_t)1U << rem1 * (uint32_t)8U; + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)52U) + { + e[1U] = e[1U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)26U); + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)78U) + { + e[2U] = e[2U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)52U); + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)104U) + { + e[3U] = e[3U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)78U); + } + else + { + e[4U] = e[4U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)104U); 
+ } + } + } + } + { + uint64_t tmp0[5U] = { 0U }; + Hacl_Impl_Poly1305_Field32_add_felem(acc, e); + Hacl_Impl_Poly1305_Field32_mul_felem(tmp0, acc, r, r_20); + Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc, tmp0); + } + } + } +} + +void Hacl_Poly1305_32_poly1305_finish(uint32_t *ctx, uint8_t *tag) +{ + uint32_t *acc = ctx; + uint32_t *sk = ctx + (uint32_t)5U * (uint32_t)3U; + uint32_t f00; + uint32_t f10; + uint32_t f2; + uint32_t f3; + uint32_t f4; + uint32_t mask; + uint32_t mask1; + uint32_t mask2; + uint32_t mask3; + uint32_t mask4; + uint32_t p0; + uint32_t p1; + uint32_t p2; + uint32_t p3; + uint32_t p4; + uint64_t f0; + uint64_t f1; + uint64_t lo; + uint64_t hi; + Hacl_Impl_Poly1305_Field32_carry_felem(acc); + Hacl_Impl_Poly1305_Field32_carry_top_felem(acc); + f00 = acc[0U]; + f10 = acc[1U]; + f2 = acc[2U]; + f3 = acc[3U]; + f4 = acc[4U]; + mask = Lib_Utils_uint32_eq_mask(f4, (uint32_t)0x3ffffffU); + mask1 = mask & Lib_Utils_uint32_eq_mask(f3, (uint32_t)0x3ffffffU); + mask2 = mask1 & Lib_Utils_uint32_eq_mask(f2, (uint32_t)0x3ffffffU); + mask3 = mask2 & Lib_Utils_uint32_eq_mask(f10, (uint32_t)0x3ffffffU); + mask4 = mask3 & Lib_Utils_uint32_gte_mask(f00, (uint32_t)0x3fffffbU); + p0 = mask4 & (uint32_t)0x3fffffbU; + p1 = mask4 & (uint32_t)0x3ffffffU; + p2 = mask4 & (uint32_t)0x3ffffffU; + p3 = mask4 & (uint32_t)0x3ffffffU; + p4 = mask4 & (uint32_t)0x3ffffffU; + acc[0U] = f00 - p0; + acc[1U] = f10 - p1; + acc[2U] = f2 - p2; + acc[3U] = f3 - p3; + acc[4U] = f4 - p4; + Hacl_Impl_Poly1305_Field32_add_felem(acc, sk); + Hacl_Impl_Poly1305_Field32_carry_felem(acc); + f0 = + ((uint64_t)acc[0U] | (uint64_t)acc[1U] << (uint32_t)26U) + | (uint64_t)acc[2U] << (uint32_t)52U; + f1 = + ((uint64_t)acc[2U] >> (uint32_t)12U | (uint64_t)acc[3U] << (uint32_t)14U) + | (uint64_t)acc[4U] << (uint32_t)40U; + lo = f0; + hi = f1; + store64_le(tag, lo); + store64_le(tag + (uint32_t)8U, hi); +} + +void poly1305_hacl32(uint8_t *o, uint8_t *t, uint32_t l, uint8_t *k) +{ + { + uint32_t 
ctx[(uint32_t)5U * (uint32_t)4U]; + memset(ctx, 0U, (uint32_t)5U * (uint32_t)4U * sizeof ctx[0U]); + { + uint8_t *kr = k; + uint8_t *ks = k + (uint32_t)16U; + uint32_t *acc0 = ctx; + uint32_t *r0 = ctx + (uint32_t)5U; + uint32_t *r_200 = ctx + (uint32_t)5U * (uint32_t)2U; + uint32_t *sk0 = ctx + (uint32_t)5U * (uint32_t)3U; + uint64_t u0; + uint64_t lo0; + uint64_t u1; + uint64_t hi0; + uint64_t lo2; + uint64_t hi2; + uint64_t mask0; + uint64_t mask10; + uint64_t lo1; + uint64_t hi1; + uint64_t u2; + uint64_t lo3; + uint64_t u3; + uint64_t hi3; + uint64_t sl; + uint64_t sh; + acc0[0U] = (uint32_t)0U; + acc0[1U] = (uint32_t)0U; + acc0[2U] = (uint32_t)0U; + acc0[3U] = (uint32_t)0U; + acc0[4U] = (uint32_t)0U; + u0 = load64_le(kr); + lo0 = u0; + u1 = load64_le(kr + (uint32_t)8U); + hi0 = u1; + lo2 = lo0; + hi2 = hi0; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask10 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo2 & mask0; + hi1 = hi2 & mask10; + r0[0U] = (uint32_t)lo1 & (uint32_t)0x3ffffffU; + r0[1U] = (uint32_t)(lo1 >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + r0[2U] = + (uint32_t)(lo1 >> (uint32_t)52U) + ^ ((uint32_t)hi1 & (uint32_t)0x3fffU) << (uint32_t)12U; + r0[3U] = (uint32_t)(hi1 >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + r0[4U] = (uint32_t)(hi1 >> (uint32_t)40U); + r_200[0U] = r0[0U] * (uint32_t)5U; + r_200[1U] = r0[1U] * (uint32_t)5U; + r_200[2U] = r0[2U] * (uint32_t)5U; + r_200[3U] = r0[3U] * (uint32_t)5U; + r_200[4U] = r0[4U] * (uint32_t)5U; + u2 = load64_le(ks); + lo3 = u2; + u3 = load64_le(ks + (uint32_t)8U); + hi3 = u3; + sl = lo3; + sh = hi3; + sk0[0U] = (uint32_t)sl & (uint32_t)0x3ffffffU; + sk0[1U] = (uint32_t)(sl >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + sk0[2U] = + (uint32_t)(sl >> (uint32_t)52U) + ^ ((uint32_t)sh & (uint32_t)0x3fffU) << (uint32_t)12U; + sk0[3U] = (uint32_t)(sh >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + sk0[4U] = (uint32_t)(sh >> (uint32_t)40U); + { + uint32_t *acc1 = ctx; + uint32_t *r = ctx + (uint32_t)5U; + uint32_t *r_20 = ctx + 
(uint32_t)5U * (uint32_t)2U; + uint32_t e[5U] = { 0U }; + uint32_t blocks = l / (uint32_t)16U; + uint32_t rem1; + uint32_t *acc; + uint32_t *sk; + uint32_t f00; + uint32_t f10; + uint32_t f2; + uint32_t f3; + uint32_t f4; + uint32_t mask; + uint32_t mask1; + uint32_t mask2; + uint32_t mask3; + uint32_t mask4; + uint32_t p0; + uint32_t p1; + uint32_t p2; + uint32_t p3; + uint32_t p4; + uint64_t f0; + uint64_t f1; + uint64_t lo4; + uint64_t hi4; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U) + { + uint8_t *b = t + i * (uint32_t)16U; + uint64_t u0 = load64_le(b); + uint64_t lo0 = u0; + uint64_t u = load64_le(b + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU; + e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + e[2U] = + (uint32_t)(lo >> (uint32_t)52U) + ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U; + e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + e[4U] = (uint32_t)(hi >> (uint32_t)40U); + e[4U] = e[4U] | (uint32_t)0x1000000U; + { + uint64_t tmp[5U] = { 0U }; + Hacl_Impl_Poly1305_Field32_add_felem(acc1, e); + Hacl_Impl_Poly1305_Field32_mul_felem(tmp, acc1, r, r_20); + Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc1, tmp); + } + } + } + rem1 = l % (uint32_t)16U; + if (rem1 > (uint32_t)0U) + { + uint8_t *b = t + blocks * (uint32_t)16U; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, b, rem1 * sizeof b[0U]); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo0 = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = (uint32_t)lo & (uint32_t)0x3ffffffU; + e[1U] = (uint32_t)(lo >> (uint32_t)26U) & (uint32_t)0x3ffffffU; + e[2U] = + (uint32_t)(lo >> (uint32_t)52U) + ^ ((uint32_t)hi & (uint32_t)0x3fffU) << (uint32_t)12U; + e[3U] = (uint32_t)(hi >> (uint32_t)14U) & (uint32_t)0x3ffffffU; + e[4U] = (uint32_t)(hi >> (uint32_t)40U); + if (rem1 * (uint32_t)8U < (uint32_t)26U) 
+ { + e[0U] = e[0U] | (uint32_t)1U << rem1 * (uint32_t)8U; + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)52U) + { + e[1U] = e[1U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)26U); + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)78U) + { + e[2U] = e[2U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)52U); + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)104U) + { + e[3U] = e[3U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)78U); + } + else + { + e[4U] = e[4U] | (uint32_t)1U << (rem1 * (uint32_t)8U - (uint32_t)104U); + } + } + } + } + { + uint64_t tmp0[5U] = { 0U }; + Hacl_Impl_Poly1305_Field32_add_felem(acc1, e); + Hacl_Impl_Poly1305_Field32_mul_felem(tmp0, acc1, r, r_20); + Hacl_Impl_Poly1305_Field32_carry_wide_felem(acc1, tmp0); + } + } + } + acc = ctx; + sk = ctx + (uint32_t)5U * (uint32_t)3U; + Hacl_Impl_Poly1305_Field32_carry_felem(acc); + Hacl_Impl_Poly1305_Field32_carry_top_felem(acc); + f00 = acc[0U]; + f10 = acc[1U]; + f2 = acc[2U]; + f3 = acc[3U]; + f4 = acc[4U]; + mask = Lib_Utils_uint32_eq_mask(f4, (uint32_t)0x3ffffffU); + mask1 = mask & Lib_Utils_uint32_eq_mask(f3, (uint32_t)0x3ffffffU); + mask2 = mask1 & Lib_Utils_uint32_eq_mask(f2, (uint32_t)0x3ffffffU); + mask3 = mask2 & Lib_Utils_uint32_eq_mask(f10, (uint32_t)0x3ffffffU); + mask4 = mask3 & Lib_Utils_uint32_gte_mask(f00, (uint32_t)0x3fffffbU); + p0 = mask4 & (uint32_t)0x3fffffbU; + p1 = mask4 & (uint32_t)0x3ffffffU; + p2 = mask4 & (uint32_t)0x3ffffffU; + p3 = mask4 & (uint32_t)0x3ffffffU; + p4 = mask4 & (uint32_t)0x3ffffffU; + acc[0U] = f00 - p0; + acc[1U] = f10 - p1; + acc[2U] = f2 - p2; + acc[3U] = f3 - p3; + acc[4U] = f4 - p4; + Hacl_Impl_Poly1305_Field32_add_felem(acc, sk); + Hacl_Impl_Poly1305_Field32_carry_felem(acc); + f0 = + ((uint64_t)acc[0U] | (uint64_t)acc[1U] << (uint32_t)26U) + | (uint64_t)acc[2U] << (uint32_t)52U; + f1 = + ((uint64_t)acc[2U] >> (uint32_t)12U | (uint64_t)acc[3U] << (uint32_t)14U) + | (uint64_t)acc[4U] << (uint32_t)40U; + lo4 = f0; + hi4 = 
f1; + store64_le(o, lo4); + store64_le(o + (uint32_t)8U, hi4); + } + } + } +} diff --git a/poly1305-hacl64.c b/poly1305-hacl64.c index 87fe277..55625f1 100644 --- a/poly1305-hacl64.c +++ b/poly1305-hacl64.c 
@@ -1,629 +1,488 @@ -/* MIT License - * - * Copyright (c) 2016-2017 INRIA and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. 
- */ - -#include -#include - -typedef struct -{ - u64* r; - u64* h; - u64* r5; -} -Hacl_Impl_Poly1305_64_State_poly1305_state; - -typedef __uint128_t u128; - -#define u128_logand(a,b) ((a) & (b)) -#define u128_logor(a,b) ((a) | (b)) -#define u128_add(a,b) ((a) + (b)) -#define u128_add_mod(a,b) ((a) + (b)) -#define u128_shift_right(a,b) ((a) >> (b)) -#define u128_shift_left(a,b) ((a) << (b)) -#define u128_mul_wide(a,b) (((u128)(a)) * b) - -#define KRML_CHECK_SIZE(a,b) {} -#define u64_to_u128(a) ((u128)a) -#define u128_to_u64(a) ((u64)a) - -static __always_inline u64 FStar_UInt64_eq_mask(u64 x, u64 y) { - x = ~(x ^ y); - x &= x << 32; - x &= x << 16; - x &= x << 8; - x &= x << 4; - x &= x << 2; - x &= x << 1; - return ((s64)x) >> 63; -} - -static __always_inline u64 FStar_UInt64_gte_mask(u64 x, u64 y) { - u64 low63 = - ~((u64)((s64)((s64)(x & (u64)(0x7fffffffffffffff)) - - (s64)(y & (u64)(0x7fffffffffffffff))) >> - 63)); - u64 high_bit = - ~((u64)((s64)((s64)(x & (u64)(0x8000000000000000)) - - (s64)(y & (u64)(0x8000000000000000))) >> - 63)); - return low63 & high_bit; -} - -static __always_inline u128 load128_le(u8 *b) { - u64 l = le64_to_cpup((__force __le64 *)b); - u64 h = le64_to_cpup((__force __le64 *)(b+8)); - return ((((u128)h) << 64) | l); -} - -static __always_inline void store128_le(u8 *b, u128 n) { - *(__force __le64 *)b = cpu_to_le64((u64)n); - *(__force __le64 *)(b+8) = cpu_to_le64((u64)(n >> 64)); -} - -__always_inline static void Hacl_Bignum_Modulo_carry_top(u64 *b) -{ - u64 b2 = b[2U]; - u64 b0 = b[0U]; - u64 b2_42 = b2 >> (u32)42U; - b[2U] = b2 & (u64)0x3ffffffffffU; - b[0U] = (b2_42 << (u32)2U) + b2_42 + b0; -} - -__always_inline static void Hacl_Bignum_Modulo_carry_top_wide(u128 *b) -{ - u128 b2 = b[2U]; - u128 b0 = b[0U]; - u128 - b2_ = u128_logand(b2, u64_to_u128((u64)0x3ffffffffffU)); - u64 b2_42 = u128_to_u64(u128_shift_right(b2, (u32)42U)); - u128 - b0_ = u128_add(b0, u64_to_u128((b2_42 << (u32)2U) + b2_42)); - b[2U] = b2_; - b[0U] = b0_; -} - 
-__always_inline static void -Hacl_Bignum_Fproduct_copy_from_wide_(u64 *output, u128 *input) -{ - u32 i; - { i = 0; - u128 xi = input[i]; - output[i] = u128_to_u64(xi); - } - { i = 1; - u128 xi = input[i]; - output[i] = u128_to_u64(xi); - } - { i = 2; - u128 xi = input[i]; - output[i] = u128_to_u64(xi); - } -} - -__always_inline static void -Hacl_Bignum_Fproduct_sum_scalar_multiplication_( - u128 *output, - u64 *input, - u64 s -) -{ - u32 i; - { - i = 0; - u128 xi = output[i]; - u64 yi = input[i]; - output[i] = u128_add_mod(xi, u128_mul_wide(yi, s)); - } - { - i = 1; - u128 xi = output[i]; - u64 yi = input[i]; - output[i] = u128_add_mod(xi, u128_mul_wide(yi, s)); - } - { - i = 2; - u128 xi = output[i]; - u64 yi = input[i]; - output[i] = u128_add_mod(xi, u128_mul_wide(yi, s)); - } -} - -__always_inline static void Hacl_Bignum_Fproduct_carry_wide_(u128 *tmp) -{ - { - u32 ctr = 0; - u128 tctr = tmp[ctr]; - u128 tctrp1 = tmp[ctr + (u32)1U]; - u64 r0 = u128_to_u64(tctr) & (u64)0xfffffffffffU; - u128 c = u128_shift_right(tctr, (u32)44U); - tmp[ctr] = u64_to_u128(r0); - tmp[ctr + (u32)1U] = u128_add(tctrp1, c); - } - { - u32 ctr = 1; - u128 tctr = tmp[ctr]; - u128 tctrp1 = tmp[ctr + (u32)1U]; - u64 r0 = u128_to_u64(tctr) & (u64)0xfffffffffffU; - u128 c = u128_shift_right(tctr, (u32)44U); - tmp[ctr] = u64_to_u128(r0); - tmp[ctr + (u32)1U] = u128_add(tctrp1, c); - } -} - -__always_inline static void Hacl_Bignum_Fproduct_carry_limb_(u64 *tmp) -{ - { - u32 ctr = 0; - u64 tctr = tmp[ctr]; - u64 tctrp1 = tmp[ctr + (u32)1U]; - u64 r0 = tctr & (u64)0xfffffffffffU; - u64 c = tctr >> (u32)44U; - tmp[ctr] = r0; - tmp[ctr + (u32)1U] = tctrp1 + c; - } - { - u32 ctr = 1; - u64 tctr = tmp[ctr]; - u64 tctrp1 = tmp[ctr + (u32)1U]; - u64 r0 = tctr & (u64)0xfffffffffffU; - u64 c = tctr >> (u32)44U; - tmp[ctr] = r0; - tmp[ctr + (u32)1U] = tctrp1 + c; - } -} - - -__always_inline static void Hacl_Bignum_Modulo_reduce(u64 *key, u64 *key5, u32 i) -{ - u64 b0 = key5[2-i]; - key[0U] = b0; -} - - 
-__always_inline static void Hacl_Bignum_Fmul_shift_reduce(u64 *key,u64 *key5, u32 i) -{ - u64 tmp = key[2U]; - { - u32 ctr = (u32)3U - 0 - (u32)1U; - u64 z = key[ctr - (u32)1U]; - key[ctr] = z; - } - { - u32 ctr = (u32)3U - 1 - (u32)1U; - u64 z = key[ctr - (u32)1U]; - key[ctr] = z; - } - key[0U] = tmp; - Hacl_Bignum_Modulo_reduce(key,key5,i); -} - -__always_inline static void -Hacl_Bignum_Fmul_mul_shift_reduce_(u128 *output, u64 *input, u64 *key, u64 *key5) -{ - u64 tmp[3U]; - memcpy(tmp, key, (u32)3U * sizeof key[0U]); - u32 i; - { - i = 0; - u64 inputi = input[i]; - Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, tmp, inputi); - Hacl_Bignum_Fmul_shift_reduce(tmp,key5,i); - } - { - i = 1; - u64 inputi = input[i]; - Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, tmp, inputi); - Hacl_Bignum_Fmul_shift_reduce(tmp,key5,i); - } - i = 2; - u64 inputi = input[i]; - Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, tmp, inputi); -} - -__always_inline static void Hacl_Bignum_Fmul_fmul(u64 *output, u64 *input, u64 *key, u64* key5) -{ - u128 t[3U] = {0}; - Hacl_Bignum_Fmul_mul_shift_reduce_(t, input, key, key5); - Hacl_Bignum_Fproduct_carry_wide_(t); - Hacl_Bignum_Modulo_carry_top_wide(t); - Hacl_Bignum_Fproduct_copy_from_wide_(output, t); - u64 i0 = output[0U]; - u64 i1 = output[1U]; - u64 i0_ = i0 & (u64)0xfffffffffffU; - u64 i1_ = i1 + (i0 >> (u32)44U); - output[0U] = i0_; - output[1U] = i1_; -} - -__always_inline static void -Hacl_Bignum_AddAndMultiply_add_and_multiply(u64 *acc, u64 *block, u64 *r, u64* r5) -{ - u32 i; - { i = 0; - u64 xi = acc[i]; - u64 yi = block[i]; - acc[i] = xi + yi; - } - { i = 1; - u64 xi = acc[i]; - u64 yi = block[i]; - acc[i] = xi + yi; - } - { i = 2; - u64 xi = acc[i]; - u64 yi = block[i]; - acc[i] = xi + yi; - } - Hacl_Bignum_Fmul_fmul(acc, acc, r, r5); -} - - -__always_inline static void -Hacl_Impl_Poly1305_64_poly1305_update( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m -) -{ - 
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; - u64 *h = scrut0.h; - u64 *acc = h; - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *r = scrut.r; - u64 *r3 = r; - u64 *r5 = scrut.r5; - u64 tmp[3U] = { 0U }; - u128 m0 = load128_le(m); - u64 r0 = u128_to_u64(m0) & (u64)0xfffffffffffU; - u64 - r1 = - u128_to_u64(u128_shift_right(m0, (u32)44U)) - & (u64)0xfffffffffffU; - u64 r2 = u128_to_u64(u128_shift_right(m0, (u32)88U)); - tmp[0U] = r0; - tmp[1U] = r1; - tmp[2U] = r2; - u64 b2 = tmp[2U]; - u64 b2_ = (u64)0x10000000000U | b2; - tmp[2U] = b2_; - Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r3, r5); -} - -__always_inline static void -Hacl_Impl_Poly1305_64_poly1305_process_last_block_( - u8 *block, - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m, - u64 rem_ -) -{ - u64 tmp[3U] = { 0U }; - u128 m0 = load128_le(block); - u64 r0 = u128_to_u64(m0) & (u64)0xfffffffffffU; - u64 - r1 = - u128_to_u64(u128_shift_right(m0, (u32)44U)) - & (u64)0xfffffffffffU; - u64 r2 = u128_to_u64(u128_shift_right(m0, (u32)88U)); - tmp[0U] = r0; - tmp[1U] = r1; - tmp[2U] = r2; - Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; - u64 *h = scrut0.h; - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *r = scrut.r; - Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r, scrut.r5); -} - -__always_inline static void -Hacl_Impl_Poly1305_64_poly1305_process_last_block( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m, - u64 rem_ -) -{ - u8 block[16U] = {0}; - u32 i0 = (u32)rem_; - u32 i = (u32)rem_; - memcpy(block, m, i * sizeof m[0U]); - block[i0] = (u8)1U; - Hacl_Impl_Poly1305_64_poly1305_process_last_block_(block, st, m, rem_); -} - -__always_inline static void Hacl_Impl_Poly1305_64_poly1305_last_pass(u64 *acc) -{ - Hacl_Bignum_Fproduct_carry_limb_(acc); - Hacl_Bignum_Modulo_carry_top(acc); - u64 a0 = acc[0U]; - u64 a10 = acc[1U]; - u64 a20 = acc[2U]; - u64 a0_ = a0 & (u64)0xfffffffffffU; - u64 r0 = a0 >> (u32)44U; - u64 a1_ = (a10 
+ r0) & (u64)0xfffffffffffU; - u64 r1 = (a10 + r0) >> (u32)44U; - u64 a2_ = a20 + r1; - acc[0U] = a0_; - acc[1U] = a1_; - acc[2U] = a2_; - Hacl_Bignum_Modulo_carry_top(acc); - u64 i0 = acc[0U]; - u64 i1 = acc[1U]; - u64 i0_ = i0 & (u64)0xfffffffffffU; - u64 i1_ = i1 + (i0 >> (u32)44U); - acc[0U] = i0_; - acc[1U] = i1_; - u64 a00 = acc[0U]; - u64 a1 = acc[1U]; - u64 a2 = acc[2U]; - u64 mask0 = FStar_UInt64_gte_mask(a00, (u64)0xffffffffffbU); - u64 mask1 = FStar_UInt64_eq_mask(a1, (u64)0xfffffffffffU); - u64 mask2 = FStar_UInt64_eq_mask(a2, (u64)0x3ffffffffffU); - u64 mask = (mask0 & mask1) & mask2; - u64 a0_0 = a00 - ((u64)0xffffffffffbU & mask); - u64 a1_0 = a1 - ((u64)0xfffffffffffU & mask); - u64 a2_0 = a2 - ((u64)0x3ffffffffffU & mask); - acc[0U] = a0_0; - acc[1U] = a1_0; - acc[2U] = a2_0; -} - -__always_inline static Hacl_Impl_Poly1305_64_State_poly1305_state -Hacl_Impl_Poly1305_64_mk_state(u64 *r, u64 *h, u64* r5) -{ - Hacl_Impl_Poly1305_64_State_poly1305_state st; - st.r = r; - st.h = h; - st.r5 = r5; - return st; -} - -static void -Hacl_Standalone_Poly1305_64_poly1305_blocks( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m, - u64 len1 -) -{ - u32 i; - u8* msg = m; - for (i = 0; i < len1; ++i) { - Hacl_Impl_Poly1305_64_poly1305_update(st, msg); - msg = msg + (u32)16U; - } -} - - -__always_inline static void -Hacl_Standalone_Poly1305_64_poly1305_partial( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *input, - u64 len1, - u8 *kr -) -{ - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *r = scrut.r; - u64 *x0 = r; - u128 k1 = load128_le(kr); - u128 - k_clamped = - u128_logand(k1, - u128_logor(u128_shift_left(u64_to_u128((u64)0x0ffffffc0ffffffcU), - (u32)64U), - u64_to_u128((u64)0x0ffffffc0fffffffU))); - u64 r0 = u128_to_u64(k_clamped) & (u64)0xfffffffffffU; - u64 - r1 = - u128_to_u64(u128_shift_right(k_clamped, (u32)44U)) - & (u64)0xfffffffffffU; - u64 - r2 = u128_to_u64(u128_shift_right(k_clamped, (u32)88U)); - x0[0U] = r0; - x0[1U] 
= r1; - x0[2U] = r2; - u64 *r5 = scrut.r5; - r5[0U] = 20 * r0; - r5[1U] = 20 * r1; - r5[2U] = 20 * r2; - Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; - u64 *h = scrut0.h; - u64 *x00 = h; - x00[0U] = (u64)0U; - x00[1U] = (u64)0U; - x00[2U] = (u64)0U; - Hacl_Standalone_Poly1305_64_poly1305_blocks(st, input, len1); -} - -__always_inline static void -Hacl_Standalone_Poly1305_64_poly1305_complete( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m, - u64 len1, - u8 *k1 -) -{ - u8 *kr = k1; - u64 len16 = len1 >> (u32)4U; - u64 rem16 = len1 & (u64)0xfU; - u8 *part_input = m; - u8 *last_block = m + (u32)((u64)16U * len16); - Hacl_Standalone_Poly1305_64_poly1305_partial(st, part_input, len16, kr); - if (!(rem16 == (u64)0U)) - Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, last_block, rem16); - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *h = scrut.h; - u64 *acc = h; - Hacl_Impl_Poly1305_64_poly1305_last_pass(acc); -} - -__always_inline static void -Hacl_Standalone_Poly1305_64_crypto_onetimeauth_( - u8 *output, - u8 *input, - u64 len1, - u8 *k1 -) -{ - u64 buf[9U] = { 0U }; - u64 *r = buf; - u64 *h = buf + (u32)3U; - u64 *r5 = buf + (u32)6U; - - Hacl_Impl_Poly1305_64_State_poly1305_state st = Hacl_Impl_Poly1305_64_mk_state(r, h, r5); - u8 *key_s = k1 + (u32)16U; - Hacl_Standalone_Poly1305_64_poly1305_complete(st, input, len1, k1); - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *h3 = scrut.h; - u64 *acc = h3; - u128 k_ = load128_le(key_s); - u64 h0 = acc[0U]; - u64 h1 = acc[1U]; - u64 h2 = acc[2U]; - u128 - acc_ = - u128_logor(u128_shift_left(u64_to_u128(h2 - << (u32)24U - | h1 >> (u32)20U), - (u32)64U), - u64_to_u128(h1 << (u32)44U | h0)); - u128 mac_ = u128_add_mod(acc_, k_); - store128_le(output, mac_); -} - -__always_inline static void -Hacl_Standalone_Poly1305_64_crypto_onetimeauth( - u8 *output, - u8 *input, - u64 len1, - u8 *k1 -) -{ - Hacl_Standalone_Poly1305_64_crypto_onetimeauth_(output, input, len1, k1); -} - 
-void Hacl_Poly1305_64_init(Hacl_Impl_Poly1305_64_State_poly1305_state st, u8 *k1) -{ - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *r = scrut.r; - u64 *r5= scrut.r5; - u64 *x0 = r; - u128 k10 = load128_le(k1); - u128 - k_clamped = - u128_logand(k10, - u128_logor(u128_shift_left(u64_to_u128((u64)0x0ffffffc0ffffffcU), - (u32)64U), - u64_to_u128((u64)0x0ffffffc0fffffffU))); - u64 r0 = u128_to_u64(k_clamped) & (u64)0xfffffffffffU; - u64 - r1 = - u128_to_u64(u128_shift_right(k_clamped, (u32)44U)) - & (u64)0xfffffffffffU; - u64 - r2 = u128_to_u64(u128_shift_right(k_clamped, (u32)88U)); - x0[0U] = r0; - x0[1U] = r1; - x0[2U] = r2; - r5[0U] = 20 * r0; - r5[1U] = 20 * r1; - r5[2U] = 20 * r2; - Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; - u64 *h = scrut0.h; - u64 *x00 = h; - x00[0U] = (u64)0U; - x00[1U] = (u64)0U; - x00[2U] = (u64)0U; -} - -void Hacl_Poly1305_64_update_block(Hacl_Impl_Poly1305_64_State_poly1305_state st, u8 *m) -{ - Hacl_Impl_Poly1305_64_poly1305_update(st, m); -} - -void -Hacl_Poly1305_64_update( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m, - u32 num_blocks -) -{ - u32 i; - u8* msg = m; - for (i = 0; i < num_blocks; i++) - { - u8 *block = msg; - Hacl_Poly1305_64_update_block(st, block); - msg = msg + (u32)16U; - } -} - -void -Hacl_Poly1305_64_update_last( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *m, - u32 len1 -) -{ - if (!((u64)len1 == (u64)0U)) - Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, m, (u64)len1); - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *h = scrut.h; - u64 *acc = h; - Hacl_Impl_Poly1305_64_poly1305_last_pass(acc); -} - -void -Hacl_Poly1305_64_finish( - Hacl_Impl_Poly1305_64_State_poly1305_state st, - u8 *mac, - u8 *k1 -) -{ - Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; - u64 *h = scrut.h; - u64 *acc = h; - u128 k_ = load128_le(k1); - u64 h0 = acc[0U]; - u64 h1 = acc[1U]; - u64 h2 = acc[2U]; - u128 - acc_ = - u128_logor(u128_shift_left(u64_to_u128(h2 
- << (u32)24U - | h1 >> (u32)20U), - (u32)64U), - u64_to_u128(h1 << (u32)44U | h0)); - u128 mac_ = u128_add_mod(acc_, k_); - store128_le(mac, mac_); -} - -void -poly1305_hacl64( - u8 *output, - u8 *input, - u64 len1, - u8 *k1 -) -{ - Hacl_Standalone_Poly1305_64_crypto_onetimeauth(output, input, len1, k1); -} - +/* SPDX-License-Identifier: MIT + * + * Copyright (c) 2016-2018 INRIA and Microsoft Corporation + */ + +#include +#include +#include + +typedef __uint128_t uint128_t; +#define store64_le(d, s) put_unaligned_le64(s, d) +#define load64_le(x) get_unaligned_le64(x) + +static uint64_t Lib_Utils_uint64_eq_mask(uint64_t a, uint64_t b) +{ + uint64_t x = a ^ b; + uint64_t minus_x = ~x + (uint64_t)1U; + uint64_t x_or_minus_x = x | minus_x; + uint64_t xnx = x_or_minus_x >> (uint32_t)63U; + uint64_t c = xnx - (uint64_t)1U; + return c; +} + +static uint64_t Lib_Utils_uint64_gte_mask(uint64_t a, uint64_t b) +{ + uint64_t x = a; + uint64_t y = b; + uint64_t x_xor_y = x ^ y; + uint64_t x_sub_y = x - y; + uint64_t x_sub_y_xor_y = x_sub_y ^ y; + uint64_t q = x_xor_y | x_sub_y_xor_y; + uint64_t x_xor_q = x ^ q; + uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U; + uint64_t c = x_xor_q_ - (uint64_t)1U; + return c; +} + +inline static void Hacl_Impl_Poly1305_Field64_add_felem(uint64_t *f1, uint64_t *f2) +{ + uint64_t f10 = f1[0U]; + uint64_t f11 = f1[1U]; + uint64_t f12 = f1[2U]; + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + f1[0U] = f10 + f20; + f1[1U] = f11 + f21; + f1[2U] = f12 + f22; +} + +inline static void +Hacl_Impl_Poly1305_Field64_smul_felem(uint128_t *out, uint64_t u1, uint64_t *f2) +{ + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; + out[0U] = (uint128_t)u1 * f20; + out[1U] = (uint128_t)u1 * f21; + out[2U] = (uint128_t)u1 * f22; +} + +inline static void +Hacl_Impl_Poly1305_Field64_smul_add_felem(uint128_t *out, uint64_t u1, uint64_t *f2) +{ + uint64_t f20 = f2[0U]; + uint64_t f21 = f2[1U]; + uint64_t f22 = f2[2U]; 
+ uint128_t o0 = out[0U]; + uint128_t o1 = out[1U]; + uint128_t o2 = out[2U]; + out[0U] = o0 + (uint128_t)u1 * f20; + out[1U] = o1 + (uint128_t)u1 * f21; + out[2U] = o2 + (uint128_t)u1 * f22; +} + +inline static void +Hacl_Impl_Poly1305_Field64_mul_felem( + uint128_t *out, + uint64_t *f1, + uint64_t *f2, + uint64_t *f2_20 +) +{ + uint64_t tmp[3U] = { 0U }; + Hacl_Impl_Poly1305_Field64_smul_felem(out, f1[0U], f2); + tmp[0U] = f2_20[2U]; + tmp[1U] = f2[0U]; + tmp[2U] = f2[1U]; + Hacl_Impl_Poly1305_Field64_smul_add_felem(out, f1[1U], tmp); + tmp[0U] = f2_20[1U]; + tmp[1U] = f2_20[2U]; + tmp[2U] = f2[0U]; + Hacl_Impl_Poly1305_Field64_smul_add_felem(out, f1[2U], tmp); +} + +inline static void Hacl_Impl_Poly1305_Field64_carry_wide_felem(uint64_t *out, uint128_t *inp) +{ + uint128_t i0 = inp[0U]; + uint128_t i1 = inp[1U]; + uint128_t i2 = inp[2U]; + uint128_t l = i0 + (uint128_t)(uint64_t)0U; + uint64_t tmp0 = (uint64_t)l & (uint64_t)0xfffffffffffU; + uint64_t carry1 = (uint64_t)(l >> (uint32_t)44U); + uint128_t l0 = i1 + (uint128_t)carry1; + uint64_t tmp1 = (uint64_t)l0 & (uint64_t)0xfffffffffffU; + uint64_t carry2 = (uint64_t)(l0 >> (uint32_t)44U); + uint128_t l1 = i2 + (uint128_t)carry2; + uint64_t tmp2 = (uint64_t)l1 & (uint64_t)0x3ffffffffffU; + uint64_t carry3 = (uint64_t)(l1 >> (uint32_t)42U); + out[0U] = tmp0 + carry3 * (uint64_t)5U; + out[1U] = tmp1; + out[2U] = tmp2; +} + +inline static void Hacl_Impl_Poly1305_Field64_carry_felem(uint64_t *f) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + uint64_t f2 = f[2U]; + uint64_t l = f0 + (uint64_t)0U; + uint64_t tmp0 = l & (uint64_t)0xfffffffffffU; + uint64_t carry1 = l >> (uint32_t)44U; + uint64_t l0 = f1 + carry1; + uint64_t tmp1 = l0 & (uint64_t)0xfffffffffffU; + uint64_t carry2 = l0 >> (uint32_t)44U; + uint64_t tmp2 = f2 + carry2; + f[0U] = tmp0; + f[1U] = tmp1; + f[2U] = tmp2; +} + +inline static void Hacl_Impl_Poly1305_Field64_carry_top_felem(uint64_t *f) +{ + uint64_t f0 = f[0U]; + uint64_t f1 = f[1U]; + 
uint64_t f2 = f[2U]; + uint64_t l = f2 + (uint64_t)0U; + uint64_t tmp2 = l & (uint64_t)0x3ffffffffffU; + uint64_t carry1 = l >> (uint32_t)42U; + uint64_t l0 = f0 + carry1 * (uint64_t)5U; + uint64_t tmp0 = l0 & (uint64_t)0xfffffffffffU; + uint64_t carry2 = l0 >> (uint32_t)44U; + uint64_t tmp1 = f1 + carry2; + f[0U] = tmp0; + f[1U] = tmp1; + f[2U] = tmp2; +} + +inline static void +Hacl_Impl_Poly1305_Field64_fadd_mul_felem( + uint64_t *acc, + uint64_t *f1, + uint64_t *f2, + uint64_t *f2_20 +) +{ + { + uint128_t tmp[3U]; + { + uint32_t _i; + for (_i = 0U; _i < (uint32_t)3U; ++_i) + tmp[_i] = (uint128_t)(uint64_t)0U; + } + Hacl_Impl_Poly1305_Field64_add_felem(acc, f1); + Hacl_Impl_Poly1305_Field64_mul_felem(tmp, acc, f2, f2_20); + Hacl_Impl_Poly1305_Field64_carry_wide_felem(acc, tmp); + } +} + +uint32_t Hacl_Poly1305_64_ctxlen = (uint32_t)12U; + +uint32_t Hacl_Poly1305_64_blocklen = (uint32_t)16U; + +void Hacl_Poly1305_64_poly1305_init(uint64_t *ctx, uint8_t *key) +{ + uint8_t *kr = key; + uint8_t *ks = key + (uint32_t)16U; + uint64_t *acc = ctx; + uint64_t *r = ctx + (uint32_t)3U; + uint64_t *r_20 = ctx + (uint32_t)3U * (uint32_t)2U; + uint64_t *sk = ctx + (uint32_t)3U * (uint32_t)3U; + uint64_t u0; + uint64_t lo0; + uint64_t u1; + uint64_t hi0; + uint64_t lo2; + uint64_t hi2; + uint64_t mask0; + uint64_t mask1; + uint64_t lo1; + uint64_t hi1; + uint64_t u2; + uint64_t lo; + uint64_t u; + uint64_t hi; + uint64_t sl; + uint64_t sh; + acc[0U] = (uint64_t)0U; + acc[1U] = (uint64_t)0U; + acc[2U] = (uint64_t)0U; + u0 = load64_le(kr); + lo0 = u0; + u1 = load64_le(kr + (uint32_t)8U); + hi0 = u1; + lo2 = lo0; + hi2 = hi0; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask1 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo2 & mask0; + hi1 = hi2 & mask1; + r[0U] = lo1 & (uint64_t)0xfffffffffffU; + r[1U] = lo1 >> (uint32_t)44U ^ (hi1 & (uint64_t)0xffffffU) << (uint32_t)20U; + r[2U] = hi1 >> (uint32_t)24U; + r_20[0U] = r[0U] * (uint64_t)20U; + r_20[1U] = r[1U] * (uint64_t)20U; + r_20[2U] = 
r[2U] * (uint64_t)20U; + u2 = load64_le(ks); + lo = u2; + u = load64_le(ks + (uint32_t)8U); + hi = u; + sl = lo; + sh = hi; + sk[0U] = sl & (uint64_t)0xfffffffffffU; + sk[1U] = sl >> (uint32_t)44U ^ (sh & (uint64_t)0xffffffU) << (uint32_t)20U; + sk[2U] = sh >> (uint32_t)24U; +} + +void Hacl_Poly1305_64_poly1305_update(uint64_t *ctx, uint8_t *text, uint32_t len) +{ + uint64_t *acc = ctx; + uint64_t *r = ctx + (uint32_t)3U; + uint64_t *r_20 = ctx + (uint32_t)3U * (uint32_t)2U; + uint64_t e[3U] = { 0U }; + uint32_t blocks = len / (uint32_t)16U; + uint32_t rem1; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U) + { + uint8_t *b = text + i * (uint32_t)16U; + uint64_t u0 = load64_le(b); + uint64_t lo0 = u0; + uint64_t u = load64_le(b + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = lo & (uint64_t)0xfffffffffffU; + e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U; + e[2U] = hi >> (uint32_t)24U; + e[2U] = e[2U] | (uint64_t)0x10000000000U; + Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc, e, r, r_20); + } + } + rem1 = len % (uint32_t)16U; + if (rem1 > (uint32_t)0U) + { + uint8_t *b = text + blocks * (uint32_t)16U; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, b, rem1 * sizeof b[0U]); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo0 = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = lo & (uint64_t)0xfffffffffffU; + e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U; + e[2U] = hi >> (uint32_t)24U; + if (rem1 * (uint32_t)8U < (uint32_t)44U) + { + e[0U] = e[0U] | (uint64_t)1U << rem1 * (uint32_t)8U; + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)88U) + { + e[1U] = e[1U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)44U); + } + else + { + e[2U] = e[2U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)88U); + } + } + Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc, e, r, r_20); + } + } 
+} + +void Hacl_Poly1305_64_poly1305_finish(uint64_t *ctx, uint8_t *tag) +{ + uint64_t *acc = ctx; + uint64_t *sk = ctx + (uint32_t)3U * (uint32_t)3U; + uint64_t f00; + uint64_t f10; + uint64_t f2; + uint64_t mask; + uint64_t mask1; + uint64_t mask2; + uint64_t p0; + uint64_t p1; + uint64_t p2; + uint64_t f0; + uint64_t f1; + uint64_t lo; + uint64_t hi; + Hacl_Impl_Poly1305_Field64_carry_felem(acc); + Hacl_Impl_Poly1305_Field64_carry_top_felem(acc); + f00 = acc[0U]; + f10 = acc[1U]; + f2 = acc[2U]; + mask = Lib_Utils_uint64_eq_mask(f2, (uint64_t)0x3ffffffffffU); + mask1 = mask & Lib_Utils_uint64_eq_mask(f10, (uint64_t)0xfffffffffffU); + mask2 = mask1 & Lib_Utils_uint64_gte_mask(f00, (uint64_t)0xffffffffffbU); + p0 = mask2 & (uint64_t)0xffffffffffbU; + p1 = mask2 & (uint64_t)0xfffffffffffU; + p2 = mask2 & (uint64_t)0x3ffffffffffU; + acc[0U] = f00 - p0; + acc[1U] = f10 - p1; + acc[2U] = f2 - p2; + Hacl_Impl_Poly1305_Field64_add_felem(acc, sk); + Hacl_Impl_Poly1305_Field64_carry_felem(acc); + f0 = acc[0U] | acc[1U] << (uint32_t)44U; + f1 = acc[1U] >> (uint32_t)20U | acc[2U] << (uint32_t)24U; + lo = f0; + hi = f1; + store64_le(tag, lo); + store64_le(tag + (uint32_t)8U, hi); +} + +void poly1305_hacl64(uint8_t *o, uint8_t *t, uint32_t l, uint8_t *k) +{ + { + uint64_t ctx[(uint32_t)3U * (uint32_t)4U]; + memset(ctx, 0U, (uint32_t)3U * (uint32_t)4U * sizeof ctx[0U]); + { + uint8_t *kr = k; + uint8_t *ks = k + (uint32_t)16U; + uint64_t *acc0 = ctx; + uint64_t *r0 = ctx + (uint32_t)3U; + uint64_t *r_200 = ctx + (uint32_t)3U * (uint32_t)2U; + uint64_t *sk0 = ctx + (uint32_t)3U * (uint32_t)3U; + uint64_t u0; + uint64_t lo0; + uint64_t u1; + uint64_t hi0; + uint64_t lo2; + uint64_t hi2; + uint64_t mask0; + uint64_t mask10; + uint64_t lo1; + uint64_t hi1; + uint64_t u2; + uint64_t lo3; + uint64_t u3; + uint64_t hi3; + uint64_t sl; + uint64_t sh; + acc0[0U] = (uint64_t)0U; + acc0[1U] = (uint64_t)0U; + acc0[2U] = (uint64_t)0U; + u0 = load64_le(kr); + lo0 = u0; + u1 = load64_le(kr + 
(uint32_t)8U); + hi0 = u1; + lo2 = lo0; + hi2 = hi0; + mask0 = (uint64_t)0x0ffffffc0fffffffU; + mask10 = (uint64_t)0x0ffffffc0ffffffcU; + lo1 = lo2 & mask0; + hi1 = hi2 & mask10; + r0[0U] = lo1 & (uint64_t)0xfffffffffffU; + r0[1U] = lo1 >> (uint32_t)44U ^ (hi1 & (uint64_t)0xffffffU) << (uint32_t)20U; + r0[2U] = hi1 >> (uint32_t)24U; + r_200[0U] = r0[0U] * (uint64_t)20U; + r_200[1U] = r0[1U] * (uint64_t)20U; + r_200[2U] = r0[2U] * (uint64_t)20U; + u2 = load64_le(ks); + lo3 = u2; + u3 = load64_le(ks + (uint32_t)8U); + hi3 = u3; + sl = lo3; + sh = hi3; + sk0[0U] = sl & (uint64_t)0xfffffffffffU; + sk0[1U] = sl >> (uint32_t)44U ^ (sh & (uint64_t)0xffffffU) << (uint32_t)20U; + sk0[2U] = sh >> (uint32_t)24U; + { + uint64_t *acc1 = ctx; + uint64_t *r = ctx + (uint32_t)3U; + uint64_t *r_20 = ctx + (uint32_t)3U * (uint32_t)2U; + uint64_t e[3U] = { 0U }; + uint32_t blocks = l / (uint32_t)16U; + uint32_t rem1; + uint64_t *acc; + uint64_t *sk; + uint64_t f00; + uint64_t f10; + uint64_t f2; + uint64_t mask; + uint64_t mask1; + uint64_t mask2; + uint64_t p0; + uint64_t p1; + uint64_t p2; + uint64_t f0; + uint64_t f1; + uint64_t lo4; + uint64_t hi4; + { + uint32_t i; + for (i = (uint32_t)0U; i < blocks; i = i + (uint32_t)1U) + { + uint8_t *b = t + i * (uint32_t)16U; + uint64_t u0 = load64_le(b); + uint64_t lo0 = u0; + uint64_t u = load64_le(b + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo = lo0; + uint64_t hi = hi0; + e[0U] = lo & (uint64_t)0xfffffffffffU; + e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U; + e[2U] = hi >> (uint32_t)24U; + e[2U] = e[2U] | (uint64_t)0x10000000000U; + Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc1, e, r, r_20); + } + } + rem1 = l % (uint32_t)16U; + if (rem1 > (uint32_t)0U) + { + uint8_t *b = t + blocks * (uint32_t)16U; + uint8_t tmp[16U] = { 0U }; + memcpy(tmp, b, rem1 * sizeof b[0U]); + { + uint64_t u0 = load64_le(tmp); + uint64_t lo0 = u0; + uint64_t u = load64_le(tmp + (uint32_t)8U); + uint64_t hi0 = u; + uint64_t lo 
= lo0; + uint64_t hi = hi0; + e[0U] = lo & (uint64_t)0xfffffffffffU; + e[1U] = lo >> (uint32_t)44U ^ (hi & (uint64_t)0xffffffU) << (uint32_t)20U; + e[2U] = hi >> (uint32_t)24U; + if (rem1 * (uint32_t)8U < (uint32_t)44U) + { + e[0U] = e[0U] | (uint64_t)1U << rem1 * (uint32_t)8U; + } + else + { + if (rem1 * (uint32_t)8U < (uint32_t)88U) + { + e[1U] = e[1U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)44U); + } + else + { + e[2U] = e[2U] | (uint64_t)1U << (rem1 * (uint32_t)8U - (uint32_t)88U); + } + } + Hacl_Impl_Poly1305_Field64_fadd_mul_felem(acc1, e, r, r_20); + } + } + acc = ctx; + sk = ctx + (uint32_t)3U * (uint32_t)3U; + Hacl_Impl_Poly1305_Field64_carry_felem(acc); + Hacl_Impl_Poly1305_Field64_carry_top_felem(acc); + f00 = acc[0U]; + f10 = acc[1U]; + f2 = acc[2U]; + mask = Lib_Utils_uint64_eq_mask(f2, (uint64_t)0x3ffffffffffU); + mask1 = mask & Lib_Utils_uint64_eq_mask(f10, (uint64_t)0xfffffffffffU); + mask2 = mask1 & Lib_Utils_uint64_gte_mask(f00, (uint64_t)0xffffffffffbU); + p0 = mask2 & (uint64_t)0xffffffffffbU; + p1 = mask2 & (uint64_t)0xfffffffffffU; + p2 = mask2 & (uint64_t)0x3ffffffffffU; + acc[0U] = f00 - p0; + acc[1U] = f10 - p1; + acc[2U] = f2 - p2; + Hacl_Impl_Poly1305_Field64_add_felem(acc, sk); + Hacl_Impl_Poly1305_Field64_carry_felem(acc); + f0 = acc[0U] | acc[1U] << (uint32_t)44U; + f1 = acc[1U] >> (uint32_t)20U | acc[2U] << (uint32_t)24U; + lo4 = f0; + hi4 = f1; + store64_le(o, lo4); + store64_le(o + (uint32_t)8U, hi4); + } + } + } +} diff --git a/test_vectors.h b/test_vectors.h index eff13c0..5b94601 100644 --- a/test_vectors.h +++ b/test_vectors.h 
@@ -3,1481 +3,816 @@ * Copyright (C) 2018 Jason A. Donenfeld . All Rights Reserved. */ -struct poly1305_testdata { - size_t size; - const u8 data[1024]; -}; - struct poly1305_testvec { - struct poly1305_testdata input, key, expected; + u8 input[600]; + u8 output[POLY1305_MAC_SIZE]; + u8 key[POLY1305_KEY_SIZE]; + size_t ilen; }; -static const struct poly1305_testvec poly1305_test_vectors[] = { - /* - * RFC7539 - */ - { - { - 34, - { - 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, - 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f, - 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65, - 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f, - - 0x75, 0x70 - } - }, - { - 32, - { - 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, - 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, - 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, - 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b - } - }, - { - 16, - { - 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6, - 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 - } - } - }, - /* - * test vectors from "The Poly1305-AES message-authentication code" - */ - { - { - 2, - { - 0xf3, 0xf6 - } - }, - { - 32, - { - 0x85, 0x1f, 0xc4, 0x0c, 0x34, 0x67, 0xac, 0x0b, - 0xe0, 0x5c, 0xc2, 0x04, 0x04, 0xf3, 0xf7, 0x00, - 0x58, 0x0b, 0x3b, 0x0f, 0x94, 0x47, 0xbb, 0x1e, - 0x69, 0xd0, 0x95, 0xb5, 0x92, 0x8b, 0x6d, 0xbc - } - }, - { - 16, - { - 0xf4, 0xc6, 0x33, 0xc3, 0x04, 0x4f, 0xc1, 0x45, - 0xf8, 0x4f, 0x33, 0x5c, 0xb8, 0x19, 0x53, 0xde - } - } - }, - { - { - 0, - { - 0 - } - }, - { - 32, - { - 0xa0, 0xf3, 0x08, 0x00, 0x00, 0xf4, 0x64, 0x00, - 0xd0, 0xc7, 0xe9, 0x07, 0x6c, 0x83, 0x44, 0x03, - 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7, - 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7 - } - }, - { - 16, - { - 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7, - 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7 - } - } - }, - { - { - 32, - { - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 
0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 - } - }, - { - 32, - { - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef - } - }, - { - 16, - { - 0x0e, 0xe1, 0xc1, 0x6b, 0xb7, 0x3f, 0x0f, 0x4f, - 0xd1, 0x98, 0x81, 0x75, 0x3c, 0x01, 0xcd, 0xbe - } - } - }, - { - { - 63, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0x51, 0x54, 0xad, 0x0d, 0x2c, 0xb2, 0x6e, 0x01, - 0x27, 0x4f, 0xc5, 0x11, 0x48, 0x49, 0x1f, 0x1b - } - }, - }, - /* - * self-generated vectors exercise "significant" lengths, such that - * are handled by different code paths - */ - { - { - 64, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0x81, 0x20, 
0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, - 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66 - } - }, - }, - { - { - 48, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - - } - }, - { - 16, - { - 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2, - 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 - } - }, - }, - { - { - 96, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0xbb, 0xb6, 0x13, 0xb2, 0xb6, 0xd7, 0x53, 0xba, - 0x07, 0x39, 0x5b, 0x91, 0x6a, 0xae, 0xce, 0x15 - } - }, - }, - { - { - 112, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 
0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0xc7, 0x94, 0xd7, 0x05, 0x7d, 0x17, 0x78, 0xc4, - 0xbb, 0xee, 0x0a, 0x39, 0xb3, 0xd9, 0x73, 0x42 - } - }, - }, - { - { - 128, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0xff, 0xbc, 0xb9, 0xb3, 0x71, 0x42, 0x31, 0x52, - 0xd7, 0xfc, 0xa5, 0xad, 0x04, 0x2f, 
0xba, 0xa9 - } - }, - }, - { - { - 144, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, - - 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, - 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0x06, 0x9e, 0xd6, 0xb8, 0xef, 0x0f, 0x20, 0x7b, - 0x3e, 0x24, 0x3b, 0xb1, 0x01, 0x9f, 0xe6, 0x32 - } - }, - }, - { - { - 160, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 
0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, - - 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, - 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66, - 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2, - 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0xcc, 0xa3, 0x39, 0xd9, 0xa4, 0x5f, 0xa2, 0x36, - 0x8c, 0x2c, 0x68, 0xb3, 0xa4, 0x17, 0x91, 0x33 - } - }, - }, - { - { - 288, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, - - 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, - 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66, - 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2, - 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61, - - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 
0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0x53, 0xf6, 0xe8, 0x28, 0xa2, 0xf0, 0xfe, 0x0e, - 0xe8, 0x15, 0xbf, 0x0b, 0xd5, 0x84, 0x1a, 0x34 - } - }, - }, - { - { - 320, - { - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, - - 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, - 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66, - 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2, - 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61, - - 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, - 0x27, 0x42, 0xcb, 0xed, 
0x37, 0x4d, 0x94, 0xd1, - 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, - 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, - - 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, - 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, - 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, - 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, - - 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, - 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, - 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, - 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, - - 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, - 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, - 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, - 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, - - 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, - 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66, - 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2, - 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 - } - }, - { - 32, - { - 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, - 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, - 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, - 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 - } - }, - { - 16, - { - 0xb8, 0x46, 0xd4, 0x4e, 0x9b, 0xbd, 0x53, 0xce, - 0xdf, 0xfb, 0xfb, 0xb6, 0xb7, 0xfa, 0x49, 0x33 - } - }, - }, - /* - * 4th power of the key spills to 131th bit in SIMD key setup - */ - { - { - 256, - { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff - } - }, - { - 32, - { - 0xad, 0x62, 0x81, 0x07, 0xe8, 0x35, 0x1d, 0x0f, - 0x2c, 0x23, 0x1a, 0x05, 0xdc, 0x4a, 0x41, 0x06, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0x07, 0x14, 0x5a, 0x4c, 0x02, 0xfe, 0x5f, 0xa3, - 0x20, 0x36, 0xde, 0x68, 0xfa, 0xbe, 0x90, 0x66 - } - }, - }, - /* - * OpenSSL's poly1305_ieee754.c failed this in final stage - */ - { - { - 252, - { - 0x84, 0x23, 0x64, 0xe1, 0x56, 0x33, 0x6c, 0x09, - 0x98, 0xb9, 0x33, 0xa6, 0x23, 0x77, 0x26, 0x18, - 0x0d, 0x9e, 0x3f, 0xdc, 0xbd, 0xe4, 0xcd, 0x5d, - 0x17, 0x08, 0x0f, 0xc3, 0xbe, 0xb4, 0x96, 0x14, - - 0xd7, 0x12, 0x2c, 0x03, 0x74, 0x63, 0xff, 0x10, - 0x4d, 0x73, 0xf1, 0x9c, 0x12, 0x70, 0x46, 0x28, - 0xd4, 0x17, 0xc4, 0xc5, 0x4a, 0x3f, 0xe3, 0x0d, - 0x3c, 0x3d, 0x77, 0x14, 0x38, 0x2d, 0x43, 0xb0, - - 0x38, 0x2a, 0x50, 0xa5, 0xde, 0xe5, 0x4b, 0xe8, - 0x44, 0xb0, 0x76, 0xe8, 0xdf, 0x88, 0x20, 0x1a, - 0x1c, 0xd4, 0x3b, 0x90, 0xeb, 0x21, 0x64, 0x3f, 
- 0xa9, 0x6f, 0x39, 0xb5, 0x18, 0xaa, 0x83, 0x40, - - 0xc9, 0x42, 0xff, 0x3c, 0x31, 0xba, 0xf7, 0xc9, - 0xbd, 0xbf, 0x0f, 0x31, 0xae, 0x3f, 0xa0, 0x96, - 0xbf, 0x8c, 0x63, 0x03, 0x06, 0x09, 0x82, 0x9f, - 0xe7, 0x2e, 0x17, 0x98, 0x24, 0x89, 0x0b, 0xc8, - - 0xe0, 0x8c, 0x31, 0x5c, 0x1c, 0xce, 0x2a, 0x83, - 0x14, 0x4d, 0xbb, 0xff, 0x09, 0xf7, 0x4e, 0x3e, - 0xfc, 0x77, 0x0b, 0x54, 0xd0, 0x98, 0x4a, 0x8f, - 0x19, 0xb1, 0x47, 0x19, 0xe6, 0x36, 0x35, 0x64, - - 0x1d, 0x6b, 0x1e, 0xed, 0xf6, 0x3e, 0xfb, 0xf0, - 0x80, 0xe1, 0x78, 0x3d, 0x32, 0x44, 0x54, 0x12, - 0x11, 0x4c, 0x20, 0xde, 0x0b, 0x83, 0x7a, 0x0d, - 0xfa, 0x33, 0xd6, 0xb8, 0x28, 0x25, 0xff, 0xf4, - - 0x4c, 0x9a, 0x70, 0xea, 0x54, 0xce, 0x47, 0xf0, - 0x7d, 0xf6, 0x98, 0xe6, 0xb0, 0x33, 0x23, 0xb5, - 0x30, 0x79, 0x36, 0x4a, 0x5f, 0xc3, 0xe9, 0xdd, - 0x03, 0x43, 0x92, 0xbd, 0xde, 0x86, 0xdc, 0xcd, - - 0xda, 0x94, 0x32, 0x1c, 0x5e, 0x44, 0x06, 0x04, - 0x89, 0x33, 0x6c, 0xb6, 0x5b, 0xf3, 0x98, 0x9c, - 0x36, 0xf7, 0x28, 0x2c, 0x2f, 0x5d, 0x2b, 0x88, - 0x2c, 0x17, 0x1e, 0x74 - } - }, - { - 32, - { - 0x95, 0xd5, 0xc0, 0x05, 0x50, 0x3e, 0x51, 0x0d, - 0x8c, 0xd0, 0xaa, 0x07, 0x2c, 0x4a, 0x4d, 0x06, - 0x6e, 0xab, 0xc5, 0x2d, 0x11, 0x65, 0x3d, 0xf4, - 0x7f, 0xbf, 0x63, 0xab, 0x19, 0x8b, 0xcc, 0x26 - } - }, - { - 16, - { - 0xf2, 0x48, 0x31, 0x2e, 0x57, 0x8d, 0x9d, 0x58, - 0xf8, 0xb7, 0xbb, 0x4d, 0x19, 0x10, 0x54, 0x31 - } - }, - }, - /* - * AVX2 in OpenSSL's poly1305-x86.pl failed this with 176+32 split - */ - { - { - 208, - { - 0x24, 0x8a, 0xc3, 0x10, 0x85, 0xb6, 0xc2, 0xad, - 0xaa, 0xa3, 0x82, 0x59, 0xa0, 0xd7, 0x19, 0x2c, - 0x5c, 0x35, 0xd1, 0xbb, 0x4e, 0xf3, 0x9a, 0xd9, - 0x4c, 0x38, 0xd1, 0xc8, 0x24, 0x79, 0xe2, 0xdd, - - 0x21, 0x59, 0xa0, 0x77, 0x02, 0x4b, 0x05, 0x89, - 0xbc, 0x8a, 0x20, 0x10, 0x1b, 0x50, 0x6f, 0x0a, - 0x1a, 0xd0, 0xbb, 0xab, 0x76, 0xe8, 0x3a, 0x83, - 0xf1, 0xb9, 0x4b, 0xe6, 0xbe, 0xae, 0x74, 0xe8, - - 0x74, 0xca, 0xb6, 0x92, 0xc5, 0x96, 0x3a, 0x75, - 0x43, 0x6b, 0x77, 0x61, 0x21, 0xec, 0x9f, 0x62, - 
0x39, 0x9a, 0x3e, 0x66, 0xb2, 0xd2, 0x27, 0x07, - 0xda, 0xe8, 0x19, 0x33, 0xb6, 0x27, 0x7f, 0x3c, - - 0x85, 0x16, 0xbc, 0xbe, 0x26, 0xdb, 0xbd, 0x86, - 0xf3, 0x73, 0x10, 0x3d, 0x7c, 0xf4, 0xca, 0xd1, - 0x88, 0x8c, 0x95, 0x21, 0x18, 0xfb, 0xfb, 0xd0, - 0xd7, 0xb4, 0xbe, 0xdc, 0x4a, 0xe4, 0x93, 0x6a, - - 0xff, 0x91, 0x15, 0x7e, 0x7a, 0xa4, 0x7c, 0x54, - 0x44, 0x2e, 0xa7, 0x8d, 0x6a, 0xc2, 0x51, 0xd3, - 0x24, 0xa0, 0xfb, 0xe4, 0x9d, 0x89, 0xcc, 0x35, - 0x21, 0xb6, 0x6d, 0x16, 0xe9, 0xc6, 0x6a, 0x37, - - 0x09, 0x89, 0x4e, 0x4e, 0xb0, 0xa4, 0xee, 0xdc, - 0x4a, 0xe1, 0x94, 0x68, 0xe6, 0x6b, 0x81, 0xf2, - - 0x71, 0x35, 0x1b, 0x1d, 0x92, 0x1e, 0xa5, 0x51, - 0x04, 0x7a, 0xbc, 0xc6, 0xb8, 0x7a, 0x90, 0x1f, - 0xde, 0x7d, 0xb7, 0x9f, 0xa1, 0x81, 0x8c, 0x11, - 0x33, 0x6d, 0xbc, 0x07, 0x24, 0x4a, 0x40, 0xeb - } - }, - { - 32, - { - 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, - 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0xbc, 0x93, 0x9b, 0xc5, 0x28, 0x14, 0x80, 0xfa, - 0x99, 0xc6, 0xd6, 0x8c, 0x25, 0x8e, 0xc4, 0x2f - } - }, - }, - /* - * test vectors from Google - */ - { - { - 0, - { - 0x00, - } - }, - { - 32, - { - 0xc8, 0xaf, 0xaa, 0xc3, 0x31, 0xee, 0x37, 0x2c, - 0xd6, 0x08, 0x2d, 0xe1, 0x34, 0x94, 0x3b, 0x17, - 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d, - 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c - } - }, - { - 16, - { - 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d, - 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c - } - }, - }, - { - { - 12, - { - 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, - 0x72, 0x6c, 0x64, 0x21 - } - }, - { - 32, - { - 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, - 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, - 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20, - 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35 - } - }, - { - 16, - { - 0xa6, 0xf7, 0x45, 0x00, 0x8f, 0x81, 0xc9, 0x16, - 0xa2, 0x0d, 0xcc, 0x74, 
0xee, 0xf2, 0xb2, 0xf0 - } - }, - }, - { - { - 32, - { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 32, - { - 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, - 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, - 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20, - 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35 - } - }, - { - 16, - { - 0x49, 0xec, 0x78, 0x09, 0x0e, 0x48, 0x1e, 0xc6, - 0xc2, 0x6b, 0x33, 0xb9, 0x1c, 0xcc, 0x03, 0x07 - } - }, - }, - { - { - 128, - { - 0x89, 0xda, 0xb8, 0x0b, 0x77, 0x17, 0xc1, 0xdb, - 0x5d, 0xb4, 0x37, 0x86, 0x0a, 0x3f, 0x70, 0x21, - 0x8e, 0x93, 0xe1, 0xb8, 0xf4, 0x61, 0xfb, 0x67, - 0x7f, 0x16, 0xf3, 0x5f, 0x6f, 0x87, 0xe2, 0xa9, - - 0x1c, 0x99, 0xbc, 0x3a, 0x47, 0xac, 0xe4, 0x76, - 0x40, 0xcc, 0x95, 0xc3, 0x45, 0xbe, 0x5e, 0xcc, - 0xa5, 0xa3, 0x52, 0x3c, 0x35, 0xcc, 0x01, 0x89, - 0x3a, 0xf0, 0xb6, 0x4a, 0x62, 0x03, 0x34, 0x27, - - 0x03, 0x72, 0xec, 0x12, 0x48, 0x2d, 0x1b, 0x1e, - 0x36, 0x35, 0x61, 0x69, 0x8a, 0x57, 0x8b, 0x35, - 0x98, 0x03, 0x49, 0x5b, 0xb4, 0xe2, 0xef, 0x19, - 0x30, 0xb1, 0x7a, 0x51, 0x90, 0xb5, 0x80, 0xf1, - - 0x41, 0x30, 0x0d, 0xf3, 0x0a, 0xdb, 0xec, 0xa2, - 0x8f, 0x64, 0x27, 0xa8, 0xbc, 0x1a, 0x99, 0x9f, - 0xd5, 0x1c, 0x55, 0x4a, 0x01, 0x7d, 0x09, 0x5d, - 0x8c, 0x3e, 0x31, 0x27, 0xda, 0xf9, 0xf5, 0x95 - } - }, - { - 32, - { - 0x2d, 0x77, 0x3b, 0xe3, 0x7a, 0xdb, 0x1e, 0x4d, - 0x68, 0x3b, 0xf0, 0x07, 0x5e, 0x79, 0xc4, 0xee, - 0x03, 0x79, 0x18, 0x53, 0x5a, 0x7f, 0x99, 0xcc, - 0xb7, 0x04, 0x0f, 0xb5, 0xf5, 0xf4, 0x3a, 0xea - } - }, - { - 16, - { - 0xc8, 0x5d, 0x15, 0xed, 0x44, 0xc3, 0x78, 0xd6, - 0xb0, 0x0e, 0x23, 0x06, 0x4c, 0x7b, 0xcd, 0x51 - } - }, - }, - { - { - 528, - { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, - 0x17, 0x03, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, - - 0x06, 0xdb, 0x1f, 0x1f, 0x36, 0x8d, 0x69, 0x6a, - 0x81, 0x0a, 0x34, 0x9c, 0x0c, 
0x71, 0x4c, 0x9a, - 0x5e, 0x78, 0x50, 0xc2, 0x40, 0x7d, 0x72, 0x1a, - 0xcd, 0xed, 0x95, 0xe0, 0x18, 0xd7, 0xa8, 0x52, - - 0x66, 0xa6, 0xe1, 0x28, 0x9c, 0xdb, 0x4a, 0xeb, - 0x18, 0xda, 0x5a, 0xc8, 0xa2, 0xb0, 0x02, 0x6d, - 0x24, 0xa5, 0x9a, 0xd4, 0x85, 0x22, 0x7f, 0x3e, - 0xae, 0xdb, 0xb2, 0xe7, 0xe3, 0x5e, 0x1c, 0x66, - - 0xcd, 0x60, 0xf9, 0xab, 0xf7, 0x16, 0xdc, 0xc9, - 0xac, 0x42, 0x68, 0x2d, 0xd7, 0xda, 0xb2, 0x87, - 0xa7, 0x02, 0x4c, 0x4e, 0xef, 0xc3, 0x21, 0xcc, - 0x05, 0x74, 0xe1, 0x67, 0x93, 0xe3, 0x7c, 0xec, - - 0x03, 0xc5, 0xbd, 0xa4, 0x2b, 0x54, 0xc1, 0x14, - 0xa8, 0x0b, 0x57, 0xaf, 0x26, 0x41, 0x6c, 0x7b, - 0xe7, 0x42, 0x00, 0x5e, 0x20, 0x85, 0x5c, 0x73, - 0xe2, 0x1d, 0xc8, 0xe2, 0xed, 0xc9, 0xd4, 0x35, - - 0xcb, 0x6f, 0x60, 0x59, 0x28, 0x00, 0x11, 0xc2, - 0x70, 0xb7, 0x15, 0x70, 0x05, 0x1c, 0x1c, 0x9b, - 0x30, 0x52, 0x12, 0x66, 0x20, 0xbc, 0x1e, 0x27, - 0x30, 0xfa, 0x06, 0x6c, 0x7a, 0x50, 0x9d, 0x53, - - 0xc6, 0x0e, 0x5a, 0xe1, 0xb4, 0x0a, 0xa6, 0xe3, - 0x9e, 0x49, 0x66, 0x92, 0x28, 0xc9, 0x0e, 0xec, - 0xb4, 0xa5, 0x0d, 0xb3, 0x2a, 0x50, 0xbc, 0x49, - 0xe9, 0x0b, 0x4f, 0x4b, 0x35, 0x9a, 0x1d, 0xfd, - - 0x11, 0x74, 0x9c, 0xd3, 0x86, 0x7f, 0xcf, 0x2f, - 0xb7, 0xbb, 0x6c, 0xd4, 0x73, 0x8f, 0x6a, 0x4a, - 0xd6, 0xf7, 0xca, 0x50, 0x58, 0xf7, 0x61, 0x88, - 0x45, 0xaf, 0x9f, 0x02, 0x0f, 0x6c, 0x3b, 0x96, - - 0x7b, 0x8f, 0x4c, 0xd4, 0xa9, 0x1e, 0x28, 0x13, - 0xb5, 0x07, 0xae, 0x66, 0xf2, 0xd3, 0x5c, 0x18, - 0x28, 0x4f, 0x72, 0x92, 0x18, 0x60, 0x62, 0xe1, - 0x0f, 0xd5, 0x51, 0x0d, 0x18, 0x77, 0x53, 0x51, - - 0xef, 0x33, 0x4e, 0x76, 0x34, 0xab, 0x47, 0x43, - 0xf5, 0xb6, 0x8f, 0x49, 0xad, 0xca, 0xb3, 0x84, - 0xd3, 0xfd, 0x75, 0xf7, 0x39, 0x0f, 0x40, 0x06, - 0xef, 0x2a, 0x29, 0x5c, 0x8c, 0x7a, 0x07, 0x6a, - - 0xd5, 0x45, 0x46, 0xcd, 0x25, 0xd2, 0x10, 0x7f, - 0xbe, 0x14, 0x36, 0xc8, 0x40, 0x92, 0x4a, 0xae, - 0xbe, 0x5b, 0x37, 0x08, 0x93, 0xcd, 0x63, 0xd1, - 0x32, 0x5b, 0x86, 0x16, 0xfc, 0x48, 0x10, 0x88, - - 0x6b, 0xc1, 0x52, 0xc5, 0x32, 0x21, 0xb6, 0xdf, - 0x37, 
0x31, 0x19, 0x39, 0x32, 0x55, 0xee, 0x72, - 0xbc, 0xaa, 0x88, 0x01, 0x74, 0xf1, 0x71, 0x7f, - 0x91, 0x84, 0xfa, 0x91, 0x64, 0x6f, 0x17, 0xa2, - - 0x4a, 0xc5, 0x5d, 0x16, 0xbf, 0xdd, 0xca, 0x95, - 0x81, 0xa9, 0x2e, 0xda, 0x47, 0x92, 0x01, 0xf0, - 0xed, 0xbf, 0x63, 0x36, 0x00, 0xd6, 0x06, 0x6d, - 0x1a, 0xb3, 0x6d, 0x5d, 0x24, 0x15, 0xd7, 0x13, - - 0x51, 0xbb, 0xcd, 0x60, 0x8a, 0x25, 0x10, 0x8d, - 0x25, 0x64, 0x19, 0x92, 0xc1, 0xf2, 0x6c, 0x53, - 0x1c, 0xf9, 0xf9, 0x02, 0x03, 0xbc, 0x4c, 0xc1, - 0x9f, 0x59, 0x27, 0xd8, 0x34, 0xb0, 0xa4, 0x71, - - 0x16, 0xd3, 0x88, 0x4b, 0xbb, 0x16, 0x4b, 0x8e, - 0xc8, 0x83, 0xd1, 0xac, 0x83, 0x2e, 0x56, 0xb3, - 0x91, 0x8a, 0x98, 0x60, 0x1a, 0x08, 0xd1, 0x71, - 0x88, 0x15, 0x41, 0xd5, 0x94, 0xdb, 0x39, 0x9c, - - 0x6a, 0xe6, 0x15, 0x12, 0x21, 0x74, 0x5a, 0xec, - 0x81, 0x4c, 0x45, 0xb0, 0xb0, 0x5b, 0x56, 0x54, - 0x36, 0xfd, 0x6f, 0x13, 0x7a, 0xa1, 0x0a, 0x0c, - 0x0b, 0x64, 0x37, 0x61, 0xdb, 0xd6, 0xf9, 0xa9, - - 0xdc, 0xb9, 0x9b, 0x1a, 0x6e, 0x69, 0x08, 0x54, - 0xce, 0x07, 0x69, 0xcd, 0xe3, 0x97, 0x61, 0xd8, - 0x2f, 0xcd, 0xec, 0x15, 0xf0, 0xd9, 0x2d, 0x7d, - 0x8e, 0x94, 0xad, 0xe8, 0xeb, 0x83, 0xfb, 0xe0 - } - }, - { - 32, - { - 0x99, 0xe5, 0x82, 0x2d, 0xd4, 0x17, 0x3c, 0x99, - 0x5e, 0x3d, 0xae, 0x0d, 0xde, 0xfb, 0x97, 0x74, - 0x3f, 0xde, 0x3b, 0x08, 0x01, 0x34, 0xb3, 0x9f, - 0x76, 0xe9, 0xbf, 0x8d, 0x0e, 0x88, 0xd5, 0x46 - } - }, - { - 16, - { - 0x26, 0x37, 0x40, 0x8f, 0xe1, 0x30, 0x86, 0xea, - 0x73, 0xf9, 0x71, 0xe3, 0x42, 0x5e, 0x28, 0x20 - } - }, - }, - /* - * test vectors from Hanno Böck - */ - { - { - 257, - { - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0x80, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xce, 0xcc, 0xcc, 0xcc, - - 0xcc, 0xcc, 0xcc, 
0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xc5, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe3, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - - 0xcc, 0xcc, 0xcc, 0xcc, 0xac, 0xcc, 0xcc, 0xcc, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe6, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x00, 0x00, 0x00, - 0xaf, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, - - 0xcc, 0xcc, 0xff, 0xff, 0xff, 0xf5, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0xff, 0xff, 0xff, 0xe7, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x71, 0x92, 0x05, 0xa8, 0x52, 0x1d, - - 0xfc - } - }, - { - 32, - { - 0x7f, 0x1b, 0x02, 0x64, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc - } - }, - { - 16, - { - 0x85, 0x59, 0xb8, 0x76, 0xec, 0xee, 0xd6, 0x6e, - 0xb3, 0x77, 0x98, 0xc0, 0x45, 0x7b, 0xaf, 0xf9 - } - }, - }, - { - { - 39, - { - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0x64 - } - }, - { - 32, - { - 0xe0, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, - 
0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa - } - }, - { - 16, - { - 0x00, 0xbd, 0x12, 0x58, 0x97, 0x8e, 0x20, 0x54, - 0x44, 0xc9, 0xaa, 0xaa, 0x82, 0x00, 0x6f, 0xed - } - }, - }, - { - { - 2, - { - 0x02, 0xfc - } - }, - { - 32, - { - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c - } - }, - { - 16, - { - 0x06, 0x12, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, - 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c - } - }, - }, - { - { - 415, - { - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7a, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - - 0x7b, 0x7b, 0x5c, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x6e, 0x7b, 0x00, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7a, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x5c, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, - 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 
0x7b, - - 0x7b, 0x6e, 0x7b, 0x00, 0x13, 0x00, 0x00, 0x00, - 0x00, 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00, - 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, - 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, - - 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00, 0x09, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x7a, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - - 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc - } - }, - { - 32, - { - 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x7b - } - }, - { - 16, - { - 0x33, 0x20, 0x5b, 0xbf, 0x9e, 0x9f, 0x8f, 0x72, - 0x12, 0xab, 0x9e, 0x2a, 0xb9, 0xb7, 0xe4, 0xa5 - } - }, - }, - { - { - 118, - { - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - - 0x77, 
0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0xff, 0xff, 0xff, 0xe9, - 0xe9, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, - 0xac, 0xac, 0xac, 0xac, 0x00, 0x00, 0xac, 0xac, - - 0xec, 0x01, 0x00, 0xac, 0xac, 0xac, 0x2c, 0xac, - 0xa2, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, - 0xac, 0xac, 0xac, 0xac, 0x64, 0xf2 - } - }, - { - 32, - { - 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x7f, - 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0xcf, 0x77, 0x77, 0x77, 0x77, 0x77, - 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77 - } - }, - { - 16, - { - 0x02, 0xee, 0x7c, 0x8c, 0x54, 0x6d, 0xde, 0xb1, - 0xa4, 0x67, 0xe4, 0xc3, 0x98, 0x11, 0x58, 0xb9 - } - }, - }, - /* - * test vectors from Andrew Moon - */ - { /* nacl */ - { - 131, - { - 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73, - 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce, - 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4, - 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a, - - 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b, - 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72, - 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2, - 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38, - - 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a, - 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae, - 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea, - 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda, - - 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde, - 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3, - 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6, - 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74, - - 0xe3, 0x55, 0xa5 - } - }, - { - 32, - { - 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91, - 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25, - 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65, - 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80 - } - }, - { - 16, - { - 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5, - 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9 - } - }, - }, - { /* wrap 2^130-5 */ - { - 16, - { - 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff - } - }, - { - 32, - { - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - }, - { /* wrap 2^128 */ - { - 16, - { - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 32, - { - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff - } - }, - { - 16, - { - 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - }, - { /* limb carry */ - { - 48, - { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - - 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 32, - { - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - }, - { /* 2^130-5 */ - { - 48, - { - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xfb, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, - 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, - - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 - } - }, - { - 32, - { - 0x01, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - - } - }, - }, - { /* 2^130-6 */ - { - 16, - { - 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff - } - }, - { - 32, - { - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff - } - }, - }, - { /* 5*H+L reduction intermediate */ - { - 64, - { - 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 32, - { - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - }, - { /* 5*H+L reduction final */ - { - 48, - { - 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - - } - }, - { - 32, - { - 
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - }, - { - 16, - { - 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - } - } - } -}; +static const struct poly1305_testvec poly1305_testvecs[] = { +{ /* RFC7539 */ + .input = { 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, + 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f, + 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65, + 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f, + 0x75, 0x70 }, + .ilen = 34, + .output = { 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6, + 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 }, + .key = { 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, + 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, + 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, + 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b }, +}, { /* "The Poly1305-AES message-authentication code" */ + .input = { 0xf3, 0xf6 }, + .ilen = 2, + .output = { 0xf4, 0xc6, 0x33, 0xc3, 0x04, 0x4f, 0xc1, 0x45, + 0xf8, 0x4f, 0x33, 0x5c, 0xb8, 0x19, 0x53, 0xde }, + .key = { 0x85, 0x1f, 0xc4, 0x0c, 0x34, 0x67, 0xac, 0x0b, + 0xe0, 0x5c, 0xc2, 0x04, 0x04, 0xf3, 0xf7, 0x00, + 0x58, 0x0b, 0x3b, 0x0f, 0x94, 0x47, 0xbb, 0x1e, + 0x69, 0xd0, 0x95, 0xb5, 0x92, 0x8b, 0x6d, 0xbc }, +}, { + .input = "", + .ilen = 0, + .output = { 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7, + 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7 }, + .key = { 0xa0, 0xf3, 0x08, 0x00, 0x00, 0xf4, 0x64, 0x00, + 0xd0, 0xc7, 0xe9, 0x07, 0x6c, 0x83, 0x44, 0x03, + 0xdd, 0x3f, 0xab, 0x22, 0x51, 0xf1, 0x1a, 0xc7, + 0x59, 0xf0, 0x88, 0x71, 0x29, 0xcc, 0x2e, 0xe7 }, +}, { + .input = { 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, + 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, + 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, + 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 }, + .ilen = 32, + 
.output = { 0x0e, 0xe1, 0xc1, 0x6b, 0xb7, 0x3f, 0x0f, 0x4f, + 0xd1, 0x98, 0x81, 0x75, 0x3c, 0x01, 0xcd, 0xbe }, + .key = { 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, + 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, + 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, + 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9 }, + .ilen = 63, + .output = { 0x51, 0x54, 0xad, 0x0d, 0x2c, 0xb2, 0x6e, 0x01, + 0x27, 0x4f, 0xc5, 0x11, 0x48, 0x49, 0x1f, 0x1b }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { /* self-generated vectors exercise "significant" lengths, such that they + * are handled by different code paths */ + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf }, + .ilen = 64, + .output = { 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, + 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66 }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 
0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67 }, + .ilen = 48, + .output = { 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2, + 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, + 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, + 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, + 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, + 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 }, + .ilen = 96, + .output = { 0xbb, 0xb6, 0x13, 0xb2, 0xb6, 0xd7, 0x53, 0xba, + 0x07, 0x39, 0x5b, 0x91, 0x6a, 0xae, 0xce, 0x15 }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, + 0x48, 0x44, 
0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, + 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, + 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, + 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, + 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, + 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24 }, + .ilen = 112, + .output = { 0xc7, 0x94, 0xd7, 0x05, 0x7d, 0x17, 0x78, 0xc4, + 0xbb, 0xee, 0x0a, 0x39, 0xb3, 0xd9, 0x73, 0x42 }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, + 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, + 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, + 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, + 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, + 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, + 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, + 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, + 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 }, + .ilen = 128, + .output = { 0xff, 0xbc, 0xb9, 0xb3, 0x71, 0x42, 0x31, 0x52, + 0xd7, 0xfc, 0xa5, 0xad, 0x04, 0x2f, 0xba, 0xa9 }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 
0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, + 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, + 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, + 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, + 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, + 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, + 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, + 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, + 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, + 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, + 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66 }, + .ilen = 144, + .output = { 0x06, 0x9e, 0xd6, 0xb8, 0xef, 0x0f, 0x20, 0x7b, + 0x3e, 0x24, 0x3b, 0xb1, 0x01, 0x9f, 0xe6, 0x32 }, + .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c, + 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07, + 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1, + 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 }, +}, { + .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34, + 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1, + 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81, + 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0, + 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2, + 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67, + 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61, + 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf, + 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09, + 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08, + 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88, + 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef, + 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8, + 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24, + 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb, + 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36, + 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37, + 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66, + 0x5b, 0x88, 0xd7, 0xf6, 0x22, 
0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 },
+ .ilen = 160,
+ .output = { 0xcc, 0xa3, 0x39, 0xd9, 0xa4, 0x5f, 0xa2, 0x36,
+ 0x8c, 0x2c, 0x68, 0xb3, 0xa4, 0x17, 0x91, 0x33 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61,
+ 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17,
0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36 },
+ .ilen = 288,
+ .output = { 0x53, 0xf6, 0xe8, 0x28, 0xa2, 0xf0, 0xfe, 0x0e,
+ 0xe8, 0x15, 0xbf, 0x0b, 0xd5, 0x84, 0x1a, 0x34 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, {
+ .input = { 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48, 0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61,
+ 0xab, 0x08, 0x12, 0x72, 0x4a, 0x7f, 0x1e, 0x34,
+ 0x27, 0x42, 0xcb, 0xed, 0x37, 0x4d, 0x94, 0xd1,
+ 0x36, 0xc6, 0xb8, 0x79, 0x5d, 0x45, 0xb3, 0x81,
+ 0x98, 0x30, 0xf2, 0xc0, 0x44, 0x91, 0xfa, 0xf0,
+ 0x99, 0x0c, 0x62, 0xe4, 0x8b, 0x80, 0x18, 0xb2,
+ 0xc3, 0xe4, 0xa0, 0xfa, 0x31, 0x34, 0xcb, 0x67,
+ 0xfa, 0x83, 0xe1, 0x58, 0xc9, 0x94, 0xd9, 0x61,
+ 0xc4, 0xcb, 0x21, 0x09, 0x5c, 0x1b, 0xf9, 0xaf,
+ 0x48,
0x44, 0x3d, 0x0b, 0xb0, 0xd2, 0x11, 0x09,
+ 0xc8, 0x9a, 0x10, 0x0b, 0x5c, 0xe2, 0xc2, 0x08,
+ 0x83, 0x14, 0x9c, 0x69, 0xb5, 0x61, 0xdd, 0x88,
+ 0x29, 0x8a, 0x17, 0x98, 0xb1, 0x07, 0x16, 0xef,
+ 0x66, 0x3c, 0xea, 0x19, 0x0f, 0xfb, 0x83, 0xd8,
+ 0x95, 0x93, 0xf3, 0xf4, 0x76, 0xb6, 0xbc, 0x24,
+ 0xd7, 0xe6, 0x79, 0x10, 0x7e, 0xa2, 0x6a, 0xdb,
+ 0x8c, 0xaf, 0x66, 0x52, 0xd0, 0x65, 0x61, 0x36,
+ 0x81, 0x20, 0x59, 0xa5, 0xda, 0x19, 0x86, 0x37,
+ 0xca, 0xc7, 0xc4, 0xa6, 0x31, 0xbe, 0xe4, 0x66,
+ 0x5b, 0x88, 0xd7, 0xf6, 0x22, 0x8b, 0x11, 0xe2,
+ 0xe2, 0x85, 0x79, 0xa5, 0xc0, 0xc1, 0xf7, 0x61 },
+ .ilen = 320,
+ .output = { 0xb8, 0x46, 0xd4, 0x4e, 0x9b, 0xbd, 0x53, 0xce,
+ 0xdf, 0xfb, 0xfb, 0xb6, 0xb7, 0xfa, 0x49, 0x33 },
+ .key = { 0x12, 0x97, 0x6a, 0x08, 0xc4, 0x42, 0x6d, 0x0c,
+ 0xe8, 0xa8, 0x24, 0x07, 0xc4, 0xf4, 0x82, 0x07,
+ 0x80, 0xf8, 0xc2, 0x0a, 0xa7, 0x12, 0x02, 0xd1,
+ 0xe2, 0x91, 0x79, 0xcb, 0xcb, 0x55, 0x5a, 0x57 },
+}, { /* 4th power of the key spills to 131th bit in SIMD key setup */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .ilen = 256,
+ .output = { 0x07, 0x14, 0x5a, 0x4c, 0x02, 0xfe, 0x5f, 0xa3,
+ 0x20, 0x36, 0xde, 0x68, 0xfa, 0xbe, 0x90, 0x66 },
+ .key = { 0xad, 0x62, 0x81, 0x07, 0xe8, 0x35, 0x1d, 0x0f,
+ 0x2c, 0x23, 0x1a, 0x05, 0xdc, 0x4a, 0x41, 0x06,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* OpenSSL's poly1305_ieee754.c failed this in final stage */
+ .input = { 0x84, 0x23, 0x64, 0xe1, 0x56, 0x33, 0x6c, 0x09,
+ 0x98, 0xb9, 0x33, 0xa6, 0x23, 0x77, 0x26, 0x18,
+ 0x0d, 0x9e, 0x3f, 0xdc, 0xbd, 0xe4, 0xcd, 0x5d,
+ 0x17, 0x08, 0x0f, 0xc3, 0xbe, 0xb4, 0x96, 0x14,
+ 0xd7, 0x12, 0x2c, 0x03, 0x74, 0x63, 0xff, 0x10,
+ 0x4d, 0x73, 0xf1, 0x9c, 0x12, 0x70, 0x46, 0x28,
+ 0xd4, 0x17, 0xc4, 0xc5, 0x4a, 0x3f, 0xe3, 0x0d,
+ 0x3c, 0x3d, 0x77, 0x14, 0x38, 0x2d, 0x43, 0xb0,
+ 0x38, 0x2a, 0x50, 0xa5, 0xde, 0xe5, 0x4b, 0xe8,
+ 0x44, 0xb0, 0x76, 0xe8, 0xdf, 0x88, 0x20, 0x1a,
+ 0x1c, 0xd4, 0x3b, 0x90, 0xeb, 0x21, 0x64, 0x3f,
+ 0xa9, 0x6f, 0x39, 0xb5, 0x18, 0xaa, 0x83, 0x40,
+ 0xc9, 0x42, 0xff, 0x3c, 0x31, 0xba, 0xf7, 0xc9,
+ 0xbd, 0xbf, 0x0f, 0x31, 0xae, 0x3f, 0xa0, 0x96,
+ 0xbf, 0x8c, 0x63, 0x03, 0x06, 0x09, 0x82, 0x9f,
+ 0xe7, 0x2e, 0x17, 0x98, 0x24, 0x89, 0x0b, 0xc8,
+ 0xe0, 0x8c, 0x31, 0x5c, 0x1c, 0xce, 0x2a, 0x83,
+ 0x14, 0x4d, 0xbb, 0xff, 0x09, 0xf7, 0x4e, 0x3e,
+ 0xfc, 0x77, 0x0b, 0x54, 0xd0, 0x98, 0x4a, 0x8f,
+ 0x19,
0xb1, 0x47, 0x19, 0xe6, 0x36, 0x35, 0x64,
+ 0x1d, 0x6b, 0x1e, 0xed, 0xf6, 0x3e, 0xfb, 0xf0,
+ 0x80, 0xe1, 0x78, 0x3d, 0x32, 0x44, 0x54, 0x12,
+ 0x11, 0x4c, 0x20, 0xde, 0x0b, 0x83, 0x7a, 0x0d,
+ 0xfa, 0x33, 0xd6, 0xb8, 0x28, 0x25, 0xff, 0xf4,
+ 0x4c, 0x9a, 0x70, 0xea, 0x54, 0xce, 0x47, 0xf0,
+ 0x7d, 0xf6, 0x98, 0xe6, 0xb0, 0x33, 0x23, 0xb5,
+ 0x30, 0x79, 0x36, 0x4a, 0x5f, 0xc3, 0xe9, 0xdd,
+ 0x03, 0x43, 0x92, 0xbd, 0xde, 0x86, 0xdc, 0xcd,
+ 0xda, 0x94, 0x32, 0x1c, 0x5e, 0x44, 0x06, 0x04,
+ 0x89, 0x33, 0x6c, 0xb6, 0x5b, 0xf3, 0x98, 0x9c,
+ 0x36, 0xf7, 0x28, 0x2c, 0x2f, 0x5d, 0x2b, 0x88,
+ 0x2c, 0x17, 0x1e, 0x74 },
+ .ilen = 252,
+ .output = { 0xf2, 0x48, 0x31, 0x2e, 0x57, 0x8d, 0x9d, 0x58,
+ 0xf8, 0xb7, 0xbb, 0x4d, 0x19, 0x10, 0x54, 0x31 },
+ .key = { 0x95, 0xd5, 0xc0, 0x05, 0x50, 0x3e, 0x51, 0x0d,
+ 0x8c, 0xd0, 0xaa, 0x07, 0x2c, 0x4a, 0x4d, 0x06,
+ 0x6e, 0xab, 0xc5, 0x2d, 0x11, 0x65, 0x3d, 0xf4,
+ 0x7f, 0xbf, 0x63, 0xab, 0x19, 0x8b, 0xcc, 0x26 },
+}, { /* AVX2 in OpenSSL's poly1305-x86.pl failed this with 176+32 split */
+ .input = { 0x24, 0x8a, 0xc3, 0x10, 0x85, 0xb6, 0xc2, 0xad,
+ 0xaa, 0xa3, 0x82, 0x59, 0xa0, 0xd7, 0x19, 0x2c,
+ 0x5c, 0x35, 0xd1, 0xbb, 0x4e, 0xf3, 0x9a, 0xd9,
+ 0x4c, 0x38, 0xd1, 0xc8, 0x24, 0x79, 0xe2, 0xdd,
+ 0x21, 0x59, 0xa0, 0x77, 0x02, 0x4b, 0x05, 0x89,
+ 0xbc, 0x8a, 0x20, 0x10, 0x1b, 0x50, 0x6f, 0x0a,
+ 0x1a, 0xd0, 0xbb, 0xab, 0x76, 0xe8, 0x3a, 0x83,
+ 0xf1, 0xb9, 0x4b, 0xe6, 0xbe, 0xae, 0x74, 0xe8,
+ 0x74, 0xca, 0xb6, 0x92, 0xc5, 0x96, 0x3a, 0x75,
+ 0x43, 0x6b, 0x77, 0x61, 0x21, 0xec, 0x9f, 0x62,
+ 0x39, 0x9a, 0x3e, 0x66, 0xb2, 0xd2, 0x27, 0x07,
+ 0xda, 0xe8, 0x19, 0x33, 0xb6, 0x27, 0x7f, 0x3c,
+ 0x85, 0x16, 0xbc, 0xbe, 0x26, 0xdb, 0xbd, 0x86,
+ 0xf3, 0x73, 0x10, 0x3d, 0x7c, 0xf4, 0xca, 0xd1,
+ 0x88, 0x8c, 0x95, 0x21, 0x18, 0xfb, 0xfb, 0xd0,
+ 0xd7, 0xb4, 0xbe, 0xdc, 0x4a, 0xe4, 0x93, 0x6a,
+ 0xff, 0x91, 0x15, 0x7e, 0x7a, 0xa4, 0x7c, 0x54,
+ 0x44, 0x2e, 0xa7, 0x8d, 0x6a, 0xc2, 0x51, 0xd3,
+ 0x24, 0xa0, 0xfb, 0xe4, 0x9d, 0x89, 0xcc, 0x35,
+
0x21, 0xb6, 0x6d, 0x16, 0xe9, 0xc6, 0x6a, 0x37,
+ 0x09, 0x89, 0x4e, 0x4e, 0xb0, 0xa4, 0xee, 0xdc,
+ 0x4a, 0xe1, 0x94, 0x68, 0xe6, 0x6b, 0x81, 0xf2,
+ 0x71, 0x35, 0x1b, 0x1d, 0x92, 0x1e, 0xa5, 0x51,
+ 0x04, 0x7a, 0xbc, 0xc6, 0xb8, 0x7a, 0x90, 0x1f,
+ 0xde, 0x7d, 0xb7, 0x9f, 0xa1, 0x81, 0x8c, 0x11,
+ 0x33, 0x6d, 0xbc, 0x07, 0x24, 0x4a, 0x40, 0xeb },
+ .ilen = 208,
+ .output = { 0xbc, 0x93, 0x9b, 0xc5, 0x28, 0x14, 0x80, 0xfa,
+ 0x99, 0xc6, 0xd6, 0x8c, 0x25, 0x8e, 0xc4, 0x2f },
+ .key = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* test vectors from Google */
+ .input = "",
+ .ilen = 0,
+ .output = { 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d,
+ 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c },
+ .key = { 0xc8, 0xaf, 0xaa, 0xc3, 0x31, 0xee, 0x37, 0x2c,
+ 0xd6, 0x08, 0x2d, 0xe1, 0x34, 0x94, 0x3b, 0x17,
+ 0x47, 0x10, 0x13, 0x0e, 0x9f, 0x6f, 0xea, 0x8d,
+ 0x72, 0x29, 0x38, 0x50, 0xa6, 0x67, 0xd8, 0x6c },
+}, {
+ .input = { 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f,
+ 0x72, 0x6c, 0x64, 0x21 },
+ .ilen = 12,
+ .output = { 0xa6, 0xf7, 0x45, 0x00, 0x8f, 0x81, 0xc9, 0x16,
+ 0xa2, 0x0d, 0xcc, 0x74, 0xee, 0xf2, 0xb2, 0xf0 },
+ .key = { 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+ 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20,
+ 0x6b, 0x65, 0x79, 0x20, 0x66, 0x6f, 0x72, 0x20,
+ 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35 },
+}, {
+ .input = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 32,
+ .output = { 0x49, 0xec, 0x78, 0x09, 0x0e, 0x48, 0x1e, 0xc6,
+ 0xc2, 0x6b, 0x33, 0xb9, 0x1c, 0xcc, 0x03, 0x07 },
+ .key = { 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+ 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20,
+ 0x6b, 0x65, 0x79, 0x20,
0x66, 0x6f, 0x72, 0x20,
+ 0x50, 0x6f, 0x6c, 0x79, 0x31, 0x33, 0x30, 0x35 },
+}, {
+ .input = { 0x89, 0xda, 0xb8, 0x0b, 0x77, 0x17, 0xc1, 0xdb,
+ 0x5d, 0xb4, 0x37, 0x86, 0x0a, 0x3f, 0x70, 0x21,
+ 0x8e, 0x93, 0xe1, 0xb8, 0xf4, 0x61, 0xfb, 0x67,
+ 0x7f, 0x16, 0xf3, 0x5f, 0x6f, 0x87, 0xe2, 0xa9,
+ 0x1c, 0x99, 0xbc, 0x3a, 0x47, 0xac, 0xe4, 0x76,
+ 0x40, 0xcc, 0x95, 0xc3, 0x45, 0xbe, 0x5e, 0xcc,
+ 0xa5, 0xa3, 0x52, 0x3c, 0x35, 0xcc, 0x01, 0x89,
+ 0x3a, 0xf0, 0xb6, 0x4a, 0x62, 0x03, 0x34, 0x27,
+ 0x03, 0x72, 0xec, 0x12, 0x48, 0x2d, 0x1b, 0x1e,
+ 0x36, 0x35, 0x61, 0x69, 0x8a, 0x57, 0x8b, 0x35,
+ 0x98, 0x03, 0x49, 0x5b, 0xb4, 0xe2, 0xef, 0x19,
+ 0x30, 0xb1, 0x7a, 0x51, 0x90, 0xb5, 0x80, 0xf1,
+ 0x41, 0x30, 0x0d, 0xf3, 0x0a, 0xdb, 0xec, 0xa2,
+ 0x8f, 0x64, 0x27, 0xa8, 0xbc, 0x1a, 0x99, 0x9f,
+ 0xd5, 0x1c, 0x55, 0x4a, 0x01, 0x7d, 0x09, 0x5d,
+ 0x8c, 0x3e, 0x31, 0x27, 0xda, 0xf9, 0xf5, 0x95 },
+ .ilen = 128,
+ .output = { 0xc8, 0x5d, 0x15, 0xed, 0x44, 0xc3, 0x78, 0xd6,
+ 0xb0, 0x0e, 0x23, 0x06, 0x4c, 0x7b, 0xcd, 0x51 },
+ .key = { 0x2d, 0x77, 0x3b, 0xe3, 0x7a, 0xdb, 0x1e, 0x4d,
+ 0x68, 0x3b, 0xf0, 0x07, 0x5e, 0x79, 0xc4, 0xee,
+ 0x03, 0x79, 0x18, 0x53, 0x5a, 0x7f, 0x99, 0xcc,
+ 0xb7, 0x04, 0x0f, 0xb5, 0xf5, 0xf4, 0x3a, 0xea },
+}, {
+ .input = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b,
+ 0x17, 0x03, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00,
+ 0x06, 0xdb, 0x1f, 0x1f, 0x36, 0x8d, 0x69, 0x6a,
+ 0x81, 0x0a, 0x34, 0x9c, 0x0c, 0x71, 0x4c, 0x9a,
+ 0x5e, 0x78, 0x50, 0xc2, 0x40, 0x7d, 0x72, 0x1a,
+ 0xcd, 0xed, 0x95, 0xe0, 0x18, 0xd7, 0xa8, 0x52,
+ 0x66, 0xa6, 0xe1, 0x28, 0x9c, 0xdb, 0x4a, 0xeb,
+ 0x18, 0xda, 0x5a, 0xc8, 0xa2, 0xb0, 0x02, 0x6d,
+ 0x24, 0xa5, 0x9a, 0xd4, 0x85, 0x22, 0x7f, 0x3e,
+ 0xae, 0xdb, 0xb2, 0xe7, 0xe3, 0x5e, 0x1c, 0x66,
+ 0xcd, 0x60, 0xf9, 0xab, 0xf7, 0x16, 0xdc, 0xc9,
+ 0xac, 0x42, 0x68, 0x2d, 0xd7, 0xda, 0xb2, 0x87,
+ 0xa7, 0x02, 0x4c, 0x4e, 0xef, 0xc3, 0x21, 0xcc,
+ 0x05, 0x74, 0xe1, 0x67, 0x93, 0xe3, 0x7c, 0xec,
+ 0x03, 0xc5, 0xbd, 0xa4, 0x2b, 0x54, 0xc1,
0x14,
+ 0xa8, 0x0b, 0x57, 0xaf, 0x26, 0x41, 0x6c, 0x7b,
+ 0xe7, 0x42, 0x00, 0x5e, 0x20, 0x85, 0x5c, 0x73,
+ 0xe2, 0x1d, 0xc8, 0xe2, 0xed, 0xc9, 0xd4, 0x35,
+ 0xcb, 0x6f, 0x60, 0x59, 0x28, 0x00, 0x11, 0xc2,
+ 0x70, 0xb7, 0x15, 0x70, 0x05, 0x1c, 0x1c, 0x9b,
+ 0x30, 0x52, 0x12, 0x66, 0x20, 0xbc, 0x1e, 0x27,
+ 0x30, 0xfa, 0x06, 0x6c, 0x7a, 0x50, 0x9d, 0x53,
+ 0xc6, 0x0e, 0x5a, 0xe1, 0xb4, 0x0a, 0xa6, 0xe3,
+ 0x9e, 0x49, 0x66, 0x92, 0x28, 0xc9, 0x0e, 0xec,
+ 0xb4, 0xa5, 0x0d, 0xb3, 0x2a, 0x50, 0xbc, 0x49,
+ 0xe9, 0x0b, 0x4f, 0x4b, 0x35, 0x9a, 0x1d, 0xfd,
+ 0x11, 0x74, 0x9c, 0xd3, 0x86, 0x7f, 0xcf, 0x2f,
+ 0xb7, 0xbb, 0x6c, 0xd4, 0x73, 0x8f, 0x6a, 0x4a,
+ 0xd6, 0xf7, 0xca, 0x50, 0x58, 0xf7, 0x61, 0x88,
+ 0x45, 0xaf, 0x9f, 0x02, 0x0f, 0x6c, 0x3b, 0x96,
+ 0x7b, 0x8f, 0x4c, 0xd4, 0xa9, 0x1e, 0x28, 0x13,
+ 0xb5, 0x07, 0xae, 0x66, 0xf2, 0xd3, 0x5c, 0x18,
+ 0x28, 0x4f, 0x72, 0x92, 0x18, 0x60, 0x62, 0xe1,
+ 0x0f, 0xd5, 0x51, 0x0d, 0x18, 0x77, 0x53, 0x51,
+ 0xef, 0x33, 0x4e, 0x76, 0x34, 0xab, 0x47, 0x43,
+ 0xf5, 0xb6, 0x8f, 0x49, 0xad, 0xca, 0xb3, 0x84,
+ 0xd3, 0xfd, 0x75, 0xf7, 0x39, 0x0f, 0x40, 0x06,
+ 0xef, 0x2a, 0x29, 0x5c, 0x8c, 0x7a, 0x07, 0x6a,
+ 0xd5, 0x45, 0x46, 0xcd, 0x25, 0xd2, 0x10, 0x7f,
+ 0xbe, 0x14, 0x36, 0xc8, 0x40, 0x92, 0x4a, 0xae,
+ 0xbe, 0x5b, 0x37, 0x08, 0x93, 0xcd, 0x63, 0xd1,
+ 0x32, 0x5b, 0x86, 0x16, 0xfc, 0x48, 0x10, 0x88,
+ 0x6b, 0xc1, 0x52, 0xc5, 0x32, 0x21, 0xb6, 0xdf,
+ 0x37, 0x31, 0x19, 0x39, 0x32, 0x55, 0xee, 0x72,
+ 0xbc, 0xaa, 0x88, 0x01, 0x74, 0xf1, 0x71, 0x7f,
+ 0x91, 0x84, 0xfa, 0x91, 0x64, 0x6f, 0x17, 0xa2,
+ 0x4a, 0xc5, 0x5d, 0x16, 0xbf, 0xdd, 0xca, 0x95,
+ 0x81, 0xa9, 0x2e, 0xda, 0x47, 0x92, 0x01, 0xf0,
+ 0xed, 0xbf, 0x63, 0x36, 0x00, 0xd6, 0x06, 0x6d,
+ 0x1a, 0xb3, 0x6d, 0x5d, 0x24, 0x15, 0xd7, 0x13,
+ 0x51, 0xbb, 0xcd, 0x60, 0x8a, 0x25, 0x10, 0x8d,
+ 0x25, 0x64, 0x19, 0x92, 0xc1, 0xf2, 0x6c, 0x53,
+ 0x1c, 0xf9, 0xf9, 0x02, 0x03, 0xbc, 0x4c, 0xc1,
+ 0x9f, 0x59, 0x27, 0xd8, 0x34, 0xb0, 0xa4, 0x71,
+ 0x16, 0xd3, 0x88, 0x4b, 0xbb, 0x16, 0x4b,
0x8e,
+ 0xc8, 0x83, 0xd1, 0xac, 0x83, 0x2e, 0x56, 0xb3,
+ 0x91, 0x8a, 0x98, 0x60, 0x1a, 0x08, 0xd1, 0x71,
+ 0x88, 0x15, 0x41, 0xd5, 0x94, 0xdb, 0x39, 0x9c,
+ 0x6a, 0xe6, 0x15, 0x12, 0x21, 0x74, 0x5a, 0xec,
+ 0x81, 0x4c, 0x45, 0xb0, 0xb0, 0x5b, 0x56, 0x54,
+ 0x36, 0xfd, 0x6f, 0x13, 0x7a, 0xa1, 0x0a, 0x0c,
+ 0x0b, 0x64, 0x37, 0x61, 0xdb, 0xd6, 0xf9, 0xa9,
+ 0xdc, 0xb9, 0x9b, 0x1a, 0x6e, 0x69, 0x08, 0x54,
+ 0xce, 0x07, 0x69, 0xcd, 0xe3, 0x97, 0x61, 0xd8,
+ 0x2f, 0xcd, 0xec, 0x15, 0xf0, 0xd9, 0x2d, 0x7d,
+ 0x8e, 0x94, 0xad, 0xe8, 0xeb, 0x83, 0xfb, 0xe0 },
+ .ilen = 528,
+ .output = { 0x26, 0x37, 0x40, 0x8f, 0xe1, 0x30, 0x86, 0xea,
+ 0x73, 0xf9, 0x71, 0xe3, 0x42, 0x5e, 0x28, 0x20 },
+ .key = { 0x99, 0xe5, 0x82, 0x2d, 0xd4, 0x17, 0x3c, 0x99,
+ 0x5e, 0x3d, 0xae, 0x0d, 0xde, 0xfb, 0x97, 0x74,
+ 0x3f, 0xde, 0x3b, 0x08, 0x01, 0x34, 0xb3, 0x9f,
+ 0x76, 0xe9, 0xbf, 0x8d, 0x0e, 0x88, 0xd5, 0x46 },
+}, { /* test vectors from Hanno Böck */
+ .input = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0x80, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xce, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xc5,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe3, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xac, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xe6,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x00, 0x00, 0x00,
+ 0xaf, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xcc, 0xcc, 0xff, 0xff, 0xff, 0xf5, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0xff, 0xff, 0xff, 0xe7, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x71, 0x92, 0x05, 0xa8, 0x52, 0x1d,
+ 0xfc },
+ .ilen = 257,
+ .output = { 0x85, 0x59, 0xb8, 0x76, 0xec, 0xee, 0xd6, 0x6e,
+ 0xb3, 0x77, 0x98, 0xc0, 0x45, 0x7b, 0xaf, 0xf9 },
+ .key = { 0x7f, 0x1b, 0x02, 0x64, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc },
+}, {
+ .input = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0x64 },
+ .ilen = 39,
+ .output = { 0x00, 0xbd, 0x12, 0x58, 0x97, 0x8e, 0x20, 0x54,
+ 0x44, 0xc9, 0xaa, 0xaa, 0x82, 0x00, 0x6f, 0xed },
+ .key = { 0xe0, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
+ 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa },
+}, {
+ .input = { 0x02, 0xfc },
+ .ilen = 2,
+ .output = { 0x06, 0x12, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c },
+ .key = { 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
+ 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c },
+}, {
+ .input = { 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b,
0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7a, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x5c, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x6e, 0x7b, 0x00, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7a, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x5c,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b, 0x7b,
+ 0x7b, 0x6e, 0x7b, 0x00, 0x13, 0x00, 0x00, 0x00,
+ 0x00, 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00,
+ 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
+ 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00,
+ 0xb3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf2,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x20, 0x00, 0xef, 0xff, 0x00, 0x09,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x7a, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
+ 0x00, 0x09, 0x00, 0x00, 0x00, 0x64, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xfc },
+ .ilen = 415,
+ .output = { 0x33, 0x20, 0x5b, 0xbf, 0x9e, 0x9f, 0x8f, 0x72,
+ 0x12, 0xab, 0x9e, 0x2a, 0xb9, 0xb7, 0xe4, 0xa5 },
+ .key = { 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, 0x7b },
+}, {
+ .input = { 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0xff, 0xff, 0xff, 0xe9,
+ 0xe9, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac,
+ 0xac, 0xac, 0xac, 0xac, 0x00, 0x00, 0xac, 0xac,
+ 0xec, 0x01, 0x00, 0xac, 0xac, 0xac, 0x2c, 0xac,
+ 0xa2, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac, 0xac,
+ 0xac, 0xac, 0xac, 0xac, 0x64, 0xf2 },
+ .ilen = 118,
+ .output = { 0x02, 0xee, 0x7c, 0x8c, 0x54, 0x6d, 0xde, 0xb1,
+ 0xa4, 0x67, 0xe4, 0xc3, 0x98, 0x11, 0x58, 0xb9 },
+ .key = { 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x7f,
+ 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0xcf, 0x77, 0x77, 0x77, 0x77, 0x77,
+ 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77 },
+}, { /* nacl */
+ .input = { 0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12,
0x73,
+ 0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce,
+ 0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4,
+ 0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a,
+ 0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b,
+ 0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72,
+ 0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2,
+ 0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38,
+ 0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a,
+ 0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae,
+ 0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea,
+ 0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda,
+ 0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde,
+ 0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3,
+ 0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6,
+ 0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74,
+ 0xe3, 0x55, 0xa5 },
+ .ilen = 131,
+ .output = { 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5,
+ 0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9 },
+ .key = { 0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91,
+ 0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25,
+ 0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65,
+ 0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80 },
+}, { /* wrap 2^130-5 */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .ilen = 16,
+ .output = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* wrap 2^128 */
+ .input = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 16,
+ .output = { 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+}, { /* limb carry */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 48,
+ .output = { 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 2^130-5 */
+ .input = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xfb, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe,
+ 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+ .ilen = 48,
+ .output = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 2^130-6 */
+ .input = { 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .ilen = 16,
+ .output = { 0xfa, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+ .key = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 5*H+L reduction intermediate */
+ .input = { 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9,
+ 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 64,
+ .output = { 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+}, { /* 5*H+L reduction final */
+ .input = { 0xe3, 0x35, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0xb9,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x33, 0x94, 0xd7, 0x50, 0x5e, 0x43, 0x79, 0xcd,
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .ilen = 48,
+ .output = { 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ .key = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+} };
-- cgit v1.2.3-59-g8ed1b