Botan 3.3.0
Crypto and TLS for C&
Namespaces | Classes | Concepts | Typedefs | Enumerations | Functions | Variables
Botan Namespace Reference

Namespaces

namespace  AES_AARCH64
 
namespace  ARIA_F
 
namespace  ASN1
 
namespace  Camellia_F
 
namespace  Cert_Extension
 
namespace  concepts
 
namespace  CryptoBox
 
namespace  CT
 
namespace  detail
 
namespace  details
 
namespace  Dilithium
 
namespace  fmt_detail
 
namespace  FPE
 
namespace  HTTP
 
namespace  KeyPair
 
namespace  Kuznyechik_F
 
namespace  OCSP
 
namespace  OIDS
 
namespace  OS
 
namespace  PEM_Code
 
namespace  PK_Ops
 
namespace  PKCS11
 
namespace  PKCS8
 
namespace  PKIX
 
namespace  ranges
 
namespace  Roughtime
 
namespace  Serpent_F
 
namespace  SHA1_F
 
namespace  SHA1_SSE2_F
 
namespace  Sodium
 
namespace  Threefish_F
 
namespace  TLS
 
namespace  X509
 

Classes

class  Adler32
 
class  AEAD_Mode
 
class  AES_128
 
class  AES_192
 
class  AES_256
 
class  AES_256_CTR_XOF
 
class  Algorithm_Not_Found
 
class  AlgorithmIdentifier
 
class  AlignmentBuffer
 Alignment buffer helper. More...
 
struct  all_same
 
class  Allocator_Initializer
 
class  AlternativeName
 
class  ANSI_X919_MAC
 
class  ANSI_X923_Padding
 
class  Argon2
 
class  Argon2_Family
 
class  ARIA_128
 
class  ARIA_192
 
class  ARIA_256
 
class  ASN1_Formatter
 
class  ASN1_Object
 
class  ASN1_Pretty_Printer
 
class  ASN1_String
 
class  ASN1_Time
 
class  Asymmetric_Key
 
class  Atomic
 
class  Attribute
 
class  AutoSeeded_RNG
 
class  Barrier
 
class  Base64_Decoder
 
class  Base64_Encoder
 
class  Bcrypt_PBKDF
 
class  Bcrypt_PBKDF_Family
 
class  BER_Bad_Tag
 
class  BER_Decoder
 
class  BER_Decoding_Error
 
class  BER_Object
 
class  BigInt
 
class  BitBucket
 
class  BLAKE2b
 
class  BLAKE2bMAC
 
class  BLAKE2s
 
class  Blinder
 
class  Block_Cipher_Fixed_Params
 
class  BlockCipher
 
class  BlockCipherModePaddingMethod
 
class  Blowfish
 
class  Buffered_Computation
 
class  Buffered_Filter
 
class  BufferSlicer
 
class  BufferStuffer
 Helper class to ease in-place marshalling of concatenated fixed-length values. More...
 
class  Bzip2_Compression
 
class  Bzip2_Decompression
 
class  calendar_point
 
class  Camellia_128
 
class  Camellia_192
 
class  Camellia_256
 
class  Cascade_Cipher
 
class  CAST_128
 
class  CBC_Decryption
 
class  CBC_Encryption
 
class  CBC_Mode
 
class  CCM_Decryption
 
class  CCM_Encryption
 
class  CCM_Mode
 
class  Certificate_Extension
 
class  Certificate_Store
 
class  Certificate_Store_In_Memory
 
class  Certificate_Store_In_SQL
 
class  Certificate_Store_In_SQLite
 
class  Certificate_Store_MacOS
 
class  Certificate_Store_Windows
 
class  CFB_Decryption
 
class  CFB_Encryption
 
class  CFB_Mode
 
class  ChaCha
 
class  ChaCha20Poly1305_Decryption
 
class  ChaCha20Poly1305_Encryption
 
class  ChaCha20Poly1305_Mode
 
class  ChaCha_RNG
 
class  Chain
 
class  Cipher_Mode
 
class  Cipher_Mode_Filter
 
class  CMAC
 
class  Comb4P
 
class  CommonCrypto_Error
 
struct  CommonCryptor_Opts
 
class  Compression_Algorithm
 
class  Compression_Alloc_Info
 
class  Compression_Error
 
class  Compression_Stream
 
class  CPUID
 
class  CRC24
 
class  CRC32
 
class  Credentials_Manager
 
class  CRL_Entry
 
class  cSHAKE_128_XOF
 
class  cSHAKE_256_XOF
 
class  cSHAKE_XOF
 
class  CTR_BE
 
class  CTS_Decryption
 
class  CTS_Encryption
 
class  Curve25519_PrivateKey
 
class  Curve25519_PublicKey
 
class  CurveGFp
 
class  CurveGFp_Repr
 
class  DataSink
 
class  DataSink_Stream
 
class  DataSource
 
class  DataSource_Memory
 
class  DataSource_Stream
 
class  Decoding_Error
 
class  Decompression_Algorithm
 
class  Deflate_Compression
 
class  Deflate_Decompression
 
class  DER_Encoder
 
class  DES
 
class  DH_PrivateKey
 
class  DH_PublicKey
 
class  Dilithium_AES_Symmetric_Primitives
 
class  Dilithium_Common_Symmetric_Primitives
 
class  Dilithium_PrivateKey
 
class  Dilithium_PublicKey
 
class  Dilithium_Symmetric_Primitives
 
class  DilithiumMode
 
class  DilithiumModeConstants
 
class  DL_Group
 
class  DL_PrivateKey
 
class  DL_PublicKey
 
class  DLIES_Decryptor
 
class  DLIES_Encryptor
 
class  donna128
 
class  DSA_PrivateKey
 
class  DSA_PublicKey
 
class  Dynamically_Loaded_Library
 
class  EAX_Decryption
 
class  EAX_Encryption
 
class  EAX_Mode
 
class  EC_Group
 
class  EC_Point
 
class  EC_Point_Base_Point_Precompute
 
class  EC_Point_Multi_Point_Precompute
 
class  EC_Point_Var_Point_Precompute
 
class  EC_PrivateKey
 
class  EC_PublicKey
 
class  ECDH_PrivateKey
 
class  ECDH_PublicKey
 
class  ECDSA_PrivateKey
 
class  ECDSA_PublicKey
 
class  ECGDSA_PrivateKey
 
class  ECGDSA_PublicKey
 
class  ECIES_Decryptor
 
class  ECIES_Encryptor
 
class  ECIES_KA_Operation
 
class  ECIES_KA_Params
 
class  ECIES_System_Params
 
class  ECKCDSA_PrivateKey
 
class  ECKCDSA_PublicKey
 
class  Ed25519_PrivateKey
 
class  Ed25519_PublicKey
 
class  ElGamal_PrivateKey
 
class  ElGamal_PublicKey
 
class  EME
 
class  EME_PKCS1v15
 
class  EME_Raw
 
class  EMSA
 
class  EMSA_PKCS1v15
 
class  EMSA_PKCS1v15_Raw
 
class  EMSA_Raw
 
class  EMSA_X931
 
struct  EnableArithmeticWithPlainNumber
 
class  Encoding_Error
 
class  Encrypted_PSK_Database
 
class  Encrypted_PSK_Database_SQL
 
class  Entropy_Source
 
class  Entropy_Sources
 
class  ESP_Padding
 
class  Exception
 
class  Extensions
 
class  Fanout_Filter
 
class  FE_25519
 
class  Filter
 
class  Flatfile_Certificate_Store
 
class  Fork
 
class  FPE_FE1
 
class  FrodoKEM_PrivateKey
 
class  FrodoKEM_PublicKey
 
class  FrodoKEMConstants
 
class  FrodoKEMMode
 
class  FrodoMatrix
 
class  GCM_Decryption
 
class  GCM_Encryption
 
class  GCM_Mode
 
struct  ge_p3
 
class  GeneralName
 X.509 GeneralName Type. More...
 
class  GeneralSubtree
 A single Name Constraint. More...
 
class  Getentropy
 
class  GF2m_Field
 
class  GHASH
 
class  GMAC
 
class  GOST_28147_89
 
class  GOST_28147_89_Params
 
class  GOST_3410_PrivateKey
 
class  GOST_3410_PublicKey
 
class  GOST_34_11
 
class  Gzip_Compression
 
class  Gzip_Decompression
 
class  Hardware_RNG
 
class  HashFunction
 
class  Hex_Decoder
 
class  Hex_Encoder
 
class  HKDF
 
class  HKDF_Expand
 
class  HKDF_Extract
 
class  HMAC
 
class  HMAC_DRBG
 
class  HOTP
 
class  IDEA
 
class  Integer_Overflow_Detected
 
class  Intel_Rdseed
 
class  Internal_Error
 
class  Invalid_Algorithm_Name
 
class  Invalid_Argument
 
class  Invalid_Authentication_Tag
 
class  Invalid_IV_Length
 
class  Invalid_Key_Length
 
class  Invalid_State
 
struct  is_strong_type
 
struct  is_strong_type< Strong< Ts... > >
 
class  ISO_9796_DS2
 
class  ISO_9796_DS3
 
class  KDF
 
class  KDF1
 
class  KDF1_18033
 
class  KDF2
 
class  Keccak_1600
 
class  Keccak_Permutation
 
class  KEM_Encapsulation
 
class  Key_Constraints
 
class  Key_Length_Specification
 
class  Key_Not_Set
 
class  Keyed_Filter
 
class  KMAC
 
class  KMAC128
 
class  KMAC256
 
class  Kuznyechik
 
class  Kyber_90s_Symmetric_Primitives
 
class  Kyber_Modern_Symmetric_Primitives
 
class  Kyber_PrivateKey
 
class  Kyber_PublicKey
 
class  Kyber_Symmetric_Primitives
 
class  KyberMode
 
class  Lion
 
class  lock_guard
 
class  Lookup_Error
 
class  LZMA_Compression
 
class  LZMA_Decompression
 
class  McEliece_PrivateKey
 
class  McEliece_PublicKey
 
class  MD4
 
class  MD5
 
class  Memory_Pool
 
class  MerkleDamgard_Hash
 
class  MessageAuthenticationCode
 
class  mlock_allocator
 
class  Modular_Reducer
 
class  Montgomery_Int
 
class  Montgomery_Params
 
class  NameConstraints
 Name Constraints. More...
 
class  No_Filesystem_Access
 
class  Noekeon
 
class  noop_mutex
 
class  Not_Implemented
 
class  Null_Padding
 
class  Null_RNG
 
class  OAEP
 
class  OCB_Decryption
 
class  OCB_Encryption
 
class  OCB_Mode
 
class  OctetString
 
class  OFB
 
class  OID
 
class  OID_Map
 
class  OneAndZeros_Padding
 
class  OpenPGP_S2K
 
class  Output_Buffers
 
struct  overloaded
 
class  Parallel
 
class  PasswordHash
 
class  PasswordHashFamily
 
class  Path_Validation_Restrictions
 
class  Path_Validation_Result
 
class  PBKDF
 
class  PBKDF2
 
class  PBKDF2_Family
 
class  Pipe
 
class  PK_Decryptor
 
class  PK_Decryptor_EME
 
class  PK_Encryptor
 
class  PK_Encryptor_EME
 
class  PK_KEM_Decryptor
 
class  PK_KEM_Encryptor
 
class  PK_Key_Agreement
 
class  PK_Key_Agreement_Key
 
class  PK_Signer
 
class  PK_Verifier
 
class  PKCS10_Request
 
class  PKCS5_PBKDF2
 
class  PKCS7_Padding
 
class  PKCS8_Exception
 
class  Poly1305
 
class  polyn_gf2m
 
class  Private_Key
 
class  PRNG_Unseeded
 
class  Processor_RNG
 
class  Provider_Not_Found
 
class  PSK_Database
 
class  PSS_Params
 
class  PSSR
 
class  PSSR_Raw
 
class  Public_Key
 
class  RandomNumberGenerator
 
class  RawHashFunction
 
class  RC4
 
class  RFC4880_S2K
 
class  RFC4880_S2K_Family
 
class  RFC6979_Nonce_Generator
 
class  RIPEMD_160
 
class  RSA_PrivateKey
 
class  RSA_PublicKey
 
class  RTSS_Share
 
class  RWLock
 
class  Salsa20
 
class  SCAN_Name
 
class  Scrypt
 
class  Scrypt_Family
 
class  secure_allocator
 
class  SecureQueue
 
class  SEED
 
class  Semaphore
 
class  Serpent
 
class  SHA_1
 
class  SHA_224
 
class  SHA_256
 
class  SHA_3
 
class  SHA_384
 
class  SHA_3_224
 
class  SHA_3_256
 
class  SHA_3_384
 
class  SHA_3_512
 
class  SHA_512
 
class  SHA_512_256
 
class  SHACAL2
 
class  SHAKE_128
 
class  SHAKE_128_Cipher
 
class  SHAKE_128_XOF
 
class  SHAKE_256
 
class  SHAKE_256_Cipher
 
class  SHAKE_256_XOF
 
class  SHAKE_Cipher
 
class  SHAKE_XOF
 
class  SIMD_16x32
 
class  SIMD_4x32
 
class  SIMD_8x32
 
class  SipHash
 
class  SIV_Decryption
 
class  SIV_Encryption
 
class  SIV_Mode
 
class  Skein_512
 
class  SM2_PrivateKey
 
class  SM2_PublicKey
 
class  SM3
 
class  SM4
 
class  SP800_108_Counter
 
class  SP800_108_Feedback
 
class  SP800_108_Pipeline
 
class  SP800_56A_Hash
 
class  SP800_56A_HMAC
 
class  SP800_56C
 
class  Sphincs_Address
 
class  Sphincs_Hash_Functions
 
class  Sphincs_Hash_Functions_Sha2
 
class  Sphincs_Hash_Functions_Shake
 
class  Sphincs_Parameters
 
class  SphincsPlus_PrivateKey
 
class  SphincsPlus_PublicKey
 
class  SQL_Database
 
class  Sqlite3_Database
 
class  SRP6_Server_Session
 
class  Stateful_RNG
 
class  Stream_Compression
 
class  Stream_Decompression
 
class  Stream_IO_Error
 
class  StreamCipher
 
class  Streebog
 
class  Strong
 
class  StrongSpan
 
class  SymmetricAlgorithm
 
class  System_Certificate_Store
 
class  System_Error
 
class  System_RNG
 
class  Thread_Pool
 
class  Threefish_512
 
class  Timer
 
class  TLS_12_PRF
 
class  TOTP
 
class  TPM_Context
 
class  TPM_Error
 
class  TPM_PrivateKey
 
class  TPM_RNG
 
class  TripleDES
 
class  Truncated_Hash
 
class  Tweakable_Block_Cipher
 
class  Twofish
 
class  Unknown_PK_Field_Name
 
struct  URI
 
class  UUID
 
class  Whirlpool
 
class  Win32_EntropySource
 
class  X509_CA
 
class  X509_Cert_Options
 
class  X509_Certificate
 
class  X509_CRL
 
class  X509_DN
 
class  X509_Object
 
class  X942_PRF
 
class  XMSS_Address
 
class  XMSS_Common_Ops
 
class  XMSS_Hash
 
class  XMSS_Index_Registry
 
class  XMSS_Parameters
 
class  XMSS_PrivateKey
 
class  XMSS_PublicKey
 
class  XMSS_Signature
 
class  XMSS_Signature_Operation
 
class  XMSS_Tools
 
class  XMSS_Verification_Operation
 
class  XMSS_WOTS_Base
 
class  XMSS_WOTS_Parameters
 
class  XMSS_WOTS_PrivateKey
 
class  XMSS_WOTS_PublicKey
 
class  XOF
 
class  XTS_Decryption
 
class  XTS_Encryption
 
class  XTS_Mode
 
class  ZFEC
 
class  Zlib_Compression
 
class  Zlib_Decompression
 
class  Zlib_Style_Stream
 

Concepts

concept  md_hash_implementation
 
concept  updatable_object
 
concept  appendable_object
 
concept  absorbing_object
 

Typedefs

typedef __vector unsigned int Altivec32x4
 
typedef __vector unsigned long long Altivec64x2
 
typedef __vector unsigned char Altivec8x16
 
using byte = std::uint8_t
 
typedef int32_t CCCryptorStatus
 
typedef std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
 
typedef FE_25519 fe
 
using ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_>
 
using ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_>
 
using FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_>
 
using FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_>
 
using FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_>
 
using FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_>
 
using FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_>
 
using FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_>
 
using FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_>
 
using FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_>
 
using FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_>
 
using FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_>
 
using FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_>
 
using FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_>
 
using GenerateLeafFunction = std::function<void(StrongSpan<SphincsTreeNode> , TreeNodeIndex)>
 
typedef uint16_t gf2m
 
using HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_>
 Index of a layer in the XMSS hyper-tree.
 
using InitializationVector = OctetString
 
typedef Invalid_Authentication_Tag Integrity_Failure
 
template<typename T >
using lock_guard_type = lock_guard<T>
 
typedef MessageAuthenticationCode MAC
 
using mutex_type = noop_mutex
 
typedef EC_Point PointGFp
 
using recursive_mutex_type = noop_mutex
 
typedef RandomNumberGenerator RNG
 
typedef PBKDF S2K
 
using s32bit = std::int32_t
 
template<typename T >
using secure_deque = std::deque<T, secure_allocator<T>>
 
template<typename T >
using secure_vector = std::vector<T, secure_allocator<T>>
 
template<typename T >
using SecureVector = secure_vector<T>
 
typedef SM2_PrivateKey SM2_Encryption_PrivateKey
 
typedef SM2_PublicKey SM2_Encryption_PublicKey
 
typedef SM2_PrivateKey SM2_Signature_PrivateKey
 
typedef SM2_PublicKey SM2_Signature_PublicKey
 
using SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_>
 
using SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_>
 
using SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>
 
using SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_>
 
using SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_>
 
using SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_>
 
using SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_>
 
using SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_>
 
using SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_>
 Either an XMSS or FORS tree node or leaf.
 
using SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>
 
using SymmetricKey = OctetString
 
using TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber>
 Index of the layer within a FORS/XMSS tree.
 
using TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber>
 Index of an individual node inside an XMSS or FORS tree.
 
using u16bit = std::uint16_t
 
using u32bit = std::uint32_t
 
using u64bit = std::uint64_t
 
typedef std::vector< secure_vector< uint8_t > > wots_keysig_t
 
using WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_>
 Index of a WOTS chain within a single usage of WOTS.
 
using WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber>
 Index of a hash application inside a single WOTS chain (integers in "base_w")
 
using WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_>
 Start (or intermediate) node of a WOTS+ chain.
 
using WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_>
 
using WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_>
 End node of a WOTS+ chain (part of the WOTS+ public key)
 
using WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_>
 
typedef Curve25519_PrivateKey X25519_PrivateKey
 
typedef Curve25519_PublicKey X25519_PublicKey
 
typedef ASN1_Time X509_Time
 
using XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber>
 Index of an XMSS tree (unique for just the local hyper-tree layer)
 

Enumerations

enum class  AlignmentBufferFinalBlock : size_t { is_not_special = 0 , must_be_deferred = 1 }
 
enum class  ASN1_Class : uint32_t {
  Universal = 0b0000'0000 , Application = 0b0100'0000 , ContextSpecific = 0b1000'0000 , Private = 0b1100'0000 ,
  Constructed = 0b0010'0000 , ExplicitContextSpecific = Constructed | ContextSpecific , NoObject = 0xFF00
}
 
enum class  ASN1_Type : uint32_t {
  Eoc = 0x00 , Boolean = 0x01 , Integer = 0x02 , BitString = 0x03 ,
  OctetString = 0x04 , Null = 0x05 , ObjectId = 0x06 , Enumerated = 0x0A ,
  Sequence = 0x10 , Set = 0x11 , Utf8String = 0x0C , NumericString = 0x12 ,
  PrintableString = 0x13 , TeletexString = 0x14 , Ia5String = 0x16 , VisibleString = 0x1A ,
  UniversalString = 0x1C , BmpString = 0x1E , UtcTime = 0x17 , GeneralizedTime = 0x18 ,
  NoObject = 0xFF00
}
 
enum class  Certificate_Status_Code {
  OK = 0 , VERIFIED = 0 , OCSP_RESPONSE_GOOD = 1 , OCSP_SIGNATURE_OK = 2 ,
  VALID_CRL_CHECKED = 3 , OCSP_NO_HTTP = 4 , FIRST_WARNING_STATUS = 500 , CERT_SERIAL_NEGATIVE = 500 ,
  DN_TOO_LONG = 501 , OCSP_NO_REVOCATION_URL = 502 , OCSP_SERVER_NOT_AVAILABLE = 503 , FIRST_ERROR_STATUS = 1000 ,
  SIGNATURE_METHOD_TOO_WEAK = 1000 , UNTRUSTED_HASH = 1001 , NO_REVOCATION_DATA = 1002 , NO_MATCHING_CRLDP = 1003 ,
  OCSP_ISSUER_NOT_TRUSTED = 1004 , CERT_NOT_YET_VALID = 2000 , CERT_HAS_EXPIRED = 2001 , OCSP_NOT_YET_VALID = 2002 ,
  OCSP_HAS_EXPIRED = 2003 , CRL_NOT_YET_VALID = 2004 , CRL_HAS_EXPIRED = 2005 , OCSP_IS_TOO_OLD = 2006 ,
  CERT_ISSUER_NOT_FOUND = 3000 , CANNOT_ESTABLISH_TRUST = 3001 , CERT_CHAIN_LOOP = 3002 , CHAIN_LACKS_TRUST_ROOT = 3003 ,
  CHAIN_NAME_MISMATCH = 3004 , POLICY_ERROR = 4000 , INVALID_USAGE = 4001 , CERT_CHAIN_TOO_LONG = 4002 ,
  CA_CERT_NOT_FOR_CERT_ISSUER = 4003 , NAME_CONSTRAINT_ERROR = 4004 , CA_CERT_NOT_FOR_CRL_ISSUER = 4005 , OCSP_CERT_NOT_LISTED = 4006 ,
  OCSP_BAD_STATUS = 4007 , CERT_NAME_NOMATCH = 4008 , UNKNOWN_CRITICAL_EXTENSION = 4009 , DUPLICATE_CERT_EXTENSION = 4010 ,
  OCSP_SIGNATURE_ERROR = 4501 , OCSP_ISSUER_NOT_FOUND = 4502 , OCSP_RESPONSE_MISSING_KEYUSAGE = 4503 , OCSP_RESPONSE_INVALID = 4504 ,
  EXT_IN_V1_V2_CERT = 4505 , DUPLICATE_CERT_POLICY = 4506 , V2_IDENTIFIERS_IN_V1_CERT = 4507 , CERT_IS_REVOKED = 5000 ,
  CRL_BAD_SIGNATURE = 5001 , SIGNATURE_ERROR = 5002 , CERT_PUBKEY_INVALID = 5003 , SIGNATURE_ALGO_UNKNOWN = 5004 ,
  SIGNATURE_ALGO_BAD_PARAMS = 5005
}
 
enum class  Cipher_Dir : int { Encryption , Decryption , ENCRYPTION = Encryption , DECRYPTION = Decryption }
 
enum class  CRL_Code : uint32_t {
  Unspecified = 0 , KeyCompromise = 1 , CaCompromise = 2 , AffiliationChanged = 3 ,
  Superseded = 4 , CessationOfOperation = 5 , CertificateHold = 6 , RemoveFromCrl = 8 ,
  PrivilegeWithdrawn = 9 , AaCompromise = 10
}
 
enum  Decoder_Checking { NONE , IGNORE_WS , FULL_CHECK }
 
enum  DilithiumEta : uint32_t { Eta2 = 2 , Eta4 = 4 }
 
enum class  DL_Group_Format {
  ANSI_X9_42 , ANSI_X9_57 , PKCS_3 , DSA_PARAMETERS = ANSI_X9_57 ,
  DH_PARAMETERS = ANSI_X9_42 , ANSI_X9_42_DH_PARAMETERS = ANSI_X9_42 , PKCS3_DH_PARAMETERS = PKCS_3
}
 
enum class  DL_Group_Source { Builtin , RandomlyGenerated , ExternalSource }
 
enum class  EC_Group_Encoding {
  Explicit , ImplicitCA , NamedCurve , EC_DOMPAR_ENC_EXPLICIT = Explicit ,
  EC_DOMPAR_ENC_IMPLICITCA = ImplicitCA , EC_DOMPAR_ENC_OID = NamedCurve
}
 
enum class  EC_Group_Source { Builtin , ExternalSource }
 
enum class  EC_Point_Format {
  Uncompressed = 0 , Compressed = 1 , Hybrid = 2 , UNCOMPRESSED = Uncompressed ,
  COMPRESSED = Compressed , HYBRID = Hybrid
}
 
enum class  ECIES_Flags : uint32_t {
  None = 0 , SingleHashMode = 1 , CofactorMode = 2 , OldCofactorMode = 4 ,
  CheckMode = 8 , NONE = None , SINGLE_HASH_MODE = SingleHashMode , COFACTOR_MODE = CofactorMode ,
  OLD_COFACTOR_MODE = OldCofactorMode , CHECK_MODE = CheckMode
}
 
enum class  ErrorType {
  Unknown = 1 , SystemError , NotImplemented , OutOfMemory ,
  InternalError , IoError , InvalidObjectState = 100 , KeyNotSet ,
  InvalidArgument , InvalidKeyLength , InvalidNonceLength , LookupError ,
  EncodingFailure , DecodingFailure , TLSError , HttpError ,
  InvalidTag , RoughtimeError , CommonCryptoError = 201 , Pkcs11Error ,
  TPMError , DatabaseError , ZlibError = 300 , Bzip2Error ,
  LzmaError
}
 
enum class  MD_Endian { Little , Big }
 
enum class  PublicKeyOperation { Encryption , Signature , KeyEncapsulation , KeyAgreement }
 
enum class  Signature_Format { Standard , DerSequence , IEEE_1363 = Standard , DER_SEQUENCE = DerSequence }
 
enum class  Sphincs_Address_Type : uint32_t {
  WotsHash = 0 , WotsPublicKeyCompression = 1 , HashTree = 2 , ForsTree = 3 ,
  ForsTreeRootsCompression = 4 , WotsKeyGeneration = 5 , ForsKeyGeneration = 6
}
 
enum class  Sphincs_Hash_Type { Shake256 , Sha256 , Haraka }
 
enum class  Sphincs_Parameter_Set {
  Sphincs128Small , Sphincs128Fast , Sphincs192Small , Sphincs192Fast ,
  Sphincs256Small , Sphincs256Fast
}
 
enum class  TPM_Storage_Type { User , System }
 
enum class  Usage_Type {
  UNSPECIFIED , TLS_SERVER_AUTH , TLS_CLIENT_AUTH , CERTIFICATE_AUTHORITY ,
  OCSP_RESPONDER , ENCRYPTION
}
 
enum class  WOTS_Derivation_Method { Botan2x = 1 , NIST_SP800_208 = 2 }
 

Functions

BigInt abs (const BigInt &n)
 
BOTAN_MALLOC_FN void * allocate_memory (size_t elems, size_t elem_size)
 
void argon2 (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t y, size_t p, size_t M, size_t t)
 
bool argon2_check_pwhash (const char *password, size_t password_len, std::string_view input_hash)
 
std::string argon2_generate_pwhash (const char *password, size_t password_len, RandomNumberGenerator &rng, size_t p, size_t M, size_t t, uint8_t y, size_t salt_len, size_t output_len)
 
std::string asn1_class_to_string (ASN1_Class type)
 
std::string asn1_tag_to_string (ASN1_Type type)
 
void assert_unreachable (const char *file, int line)
 
void assertion_failure (const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
 
secure_vector< uint8_t > base32_decode (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > base32_decode (std::string_view input, bool ignore_ws)
 
size_t base32_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
 
size_t base32_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t base32_decode (uint8_t output[], std::string_view input, bool ignore_ws)
 
size_t base32_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
std::string base32_encode (const uint8_t input[], size_t input_length)
 
std::string base32_encode (std::span< const uint8_t > input)
 
std::vector< uint8_t > base58_check_decode (const char input[], size_t input_length)
 
std::vector< uint8_t > base58_check_decode (std::string_view s)
 
std::string base58_check_encode (const uint8_t input[], size_t input_length)
 
std::string base58_check_encode (std::span< const uint8_t > vec)
 
std::vector< uint8_t > base58_decode (const char input[], size_t input_length)
 
std::vector< uint8_t > base58_decode (std::string_view s)
 
std::string base58_encode (const uint8_t input[], size_t input_length)
 
std::string base58_encode (std::span< const uint8_t > vec)
 
secure_vector< uint8_t > base64_decode (const char input[], size_t input_length, bool ignore_ws)
 
size_t base64_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws)
 
secure_vector< uint8_t > base64_decode (std::string_view input, bool ignore_ws)
 
size_t base64_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
 
size_t base64_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t base64_decode (uint8_t output[], std::string_view input, bool ignore_ws)
 
size_t base64_decode_max_output (size_t input_length)
 
size_t base64_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
std::string base64_encode (const uint8_t input[], size_t input_length)
 
std::string base64_encode (std::span< const uint8_t > input)
 
size_t base64_encode_max_output (size_t input_length)
 
template<typename Base >
size_t base_decode (Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
 
template<typename Base >
size_t base_decode_full (Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
template<typename Vector , typename Base >
Vector base_decode_to_vec (Base &&base, const char input[], size_t input_length, bool ignore_ws)
 
template<class Base >
size_t base_encode (Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
template<typename Base >
std::string base_encode_to_string (Base &&base, const uint8_t input[], size_t input_length)
 
BOTAN_FUZZER_API void basecase_mul (word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
 
BOTAN_FUZZER_API void basecase_sqr (word z[], size_t z_size, const word x[], size_t x_size)
 
void bcrypt_pbkdf (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t rounds)
 
void bigint_add2 (word x[], size_t x_size, const word y[], size_t y_size)
 
word bigint_add2_nc (word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_add3 (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
word bigint_add3_nc (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
int32_t bigint_cmp (const word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_cnd_abs (word cnd, word x[], size_t size)
 
word bigint_cnd_add (word cnd, word x[], const word y[], size_t size)
 
word bigint_cnd_add (word cnd, word x[], word x_size, const word y[], size_t y_size)
 
void bigint_cnd_add_or_sub (CT::Mask< word > mask, word x[], const word y[], size_t size)
 
word bigint_cnd_addsub (CT::Mask< word > mask, word x[], const word y[], const word z[], size_t size)
 
word bigint_cnd_sub (word cnd, word x[], const word y[], size_t size)
 
word bigint_cnd_sub (word cnd, word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_cnd_swap (word cnd, word x[], word y[], size_t size)
 
void bigint_comba_mul16 (word z[32], const word x[16], const word y[16])
 
void bigint_comba_mul24 (word z[48], const word x[24], const word y[24])
 
void bigint_comba_mul4 (word z[8], const word x[4], const word y[4])
 
void bigint_comba_mul6 (word z[12], const word x[6], const word y[6])
 
void bigint_comba_mul8 (word z[16], const word x[8], const word y[8])
 
void bigint_comba_mul9 (word z[18], const word x[9], const word y[9])
 
void bigint_comba_sqr16 (word z[32], const word x[16])
 
void bigint_comba_sqr24 (word z[48], const word x[24])
 
void bigint_comba_sqr4 (word z[8], const word x[4])
 
void bigint_comba_sqr6 (word z[12], const word x[6])
 
void bigint_comba_sqr8 (word z[16], const word x[8])
 
void bigint_comba_sqr9 (word z[18], const word x[9])
 
CT::Mask< word > bigint_ct_is_eq (const word x[], size_t x_size, const word y[], size_t y_size)
 
CT::Mask< word > bigint_ct_is_lt (const word x[], size_t x_size, const word y[], size_t y_size, bool lt_or_equal=false)
 
word bigint_divop_vartime (word n1, word n0, word d)
 
word bigint_linmul2 (word x[], size_t x_size, word y)
 
void bigint_linmul3 (word z[], const word x[], size_t x_size, word y)
 
void bigint_mod_sub (word t[], const word s[], const word mod[], size_t mod_sw, word ws[])
 
template<size_t N>
void bigint_mod_sub_n (word t[], const word s[], const word mod[], word ws[])
 
word bigint_modop_vartime (word n1, word n0, word d)
 
void bigint_monty_redc (word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
 
BOTAN_FUZZER_API void bigint_monty_redc_16 (word z[32], const word p[16], word p_dash, word ws[])
 
BOTAN_FUZZER_API void bigint_monty_redc_24 (word z[48], const word p[24], word p_dash, word ws[])
 
BOTAN_FUZZER_API void bigint_monty_redc_32 (word z[64], const word p[32], word p_dash, word ws[])
 
BOTAN_FUZZER_API void bigint_monty_redc_4 (word z[8], const word p[4], word p_dash, word ws[])
 
BOTAN_FUZZER_API void bigint_monty_redc_6 (word z[12], const word p[6], word p_dash, word ws[])
 
BOTAN_FUZZER_API void bigint_monty_redc_8 (word z[16], const word p[8], word p_dash, word ws[])
 
BOTAN_FUZZER_API void bigint_monty_redc_generic (word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
 
void bigint_mul (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
 
void bigint_shl1 (word x[], size_t x_size, size_t x_words, size_t word_shift, size_t bit_shift)
 
void bigint_shl2 (word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
 
void bigint_shr1 (word x[], size_t x_size, size_t word_shift, size_t bit_shift)
 
void bigint_shr2 (word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
 
void bigint_sqr (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size)
 
word bigint_sub2 (word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_sub2_rev (word x[], const word y[], size_t y_size)
 
word bigint_sub3 (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
CT::Mask< word > bigint_sub_abs (word z[], const word x[], const word y[], size_t N, word ws[])
 
int32_t bigint_sub_abs (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
template<typename T >
constexpr T bit_permute_step (T x, T mask, size_t shift)
 
size_t bit_size_to_32bit_size (size_t bit_size)
 
size_t bit_size_to_byte_size (size_t bit_size)
 
 BOTAN_FUNC_ISA ("avx2") void Argon2
 
 BOTAN_FUNC_ISA ("sse2") void IDEA
 
 BOTAN_FUNC_ISA ("ssse3,aes") void AES_128
 
 BOTAN_FUNC_ISA (BOTAN_VPERM_ISA) size_t ZFEC
 
template<typename T , typename Alloc , typename Alloc2 >
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const std::vector< T, Alloc2 > &input)
 
template<typename T , typename Alloc >
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
 
template<size_t S, int64_t MUL = 1>
requires (S > 0 && S < 64)
void carry (int64_t &h0, int64_t &h1)
 
template<size_t S>
requires (S > 0 && S < 32)
void carry0 (int32_t &h0, int32_t &h1)
 
template<size_t S>
requires (S > 0 && S < 64)
void carry0 (int64_t &h0, int64_t &h1)
 
uint64_t carry_shift (const donna128 &a, size_t shift)
 
uint8_t * cast_char_ptr_to_uint8 (char *s)
 
const uint8_t * cast_char_ptr_to_uint8 (const char *s)
 
const char * cast_uint8_ptr_to_char (const uint8_t *b)
 
char * cast_uint8_ptr_to_char (uint8_t *b)
 
template<typename T >
requires (std::is_integral<T>::value && sizeof(T) < 32)
constexpr uint8_t ceil_log2 (T x)
 
template<typename T >
requires (std::is_integral<T>::value)
constexpr T ceil_tobytes (T bits)
 
std::vector< WotsHashIndexchain_lengths (const SphincsTreeNode &msg, const Sphincs_Parameters &params)
 
bool check_bcrypt (std::string_view pass, std::string_view hash)
 
bool check_passhash9 (std::string_view pass, std::string_view hash)
 
size_t checked_add (size_t x, size_t y, const char *file, int line)
 
template<typename RT , typename AT >
RT checked_cast_to (AT i)
 
std::optional< size_t > checked_mul (size_t x, size_t y)
 
template<typename T >
constexpr T choose (T mask, T a, T b)
 
constexpr void clear_bytes (void *ptr, size_t bytes)
 
template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
constexpr void clear_mem (R &&mem)
 
template<typename T >
constexpr void clear_mem (T *ptr, size_t n)
 
uint64_t combine_lower (const donna128 &a, size_t s1, const donna128 &b, size_t s2)
 
void commoncrypto_adjust_key_size (const uint8_t key[], size_t length, const CommonCryptor_Opts &opts, secure_vector< uint8_t > &full_key)
 
CommonCryptor_Opts commoncrypto_opts_from_algo (std::string_view algo)
 
CommonCryptor_Opts commoncrypto_opts_from_algo_name (std::string_view algo_name)
 
void compute_root (StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)
 
template<typename... Ts>
decltype(auto) concat (Ts &&... buffers)
 
template<typename ResultT , typename... Ts>
ResultT concat_as (Ts &&... buffers)
 
bool constant_time_compare (const uint8_t x[], const uint8_t y[], size_t len)
 
bool constant_time_compare (std::span< const uint8_t > x, std::span< const uint8_t > y)
 
template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
constexpr void copy_mem (OutR &&out, InR &&in)
 
template<typename T >
requires std::is_trivial<typename std::decay<T>::type>::value
constexpr void copy_mem (T *out, const T *in, size_t n)
 
template<typename T >
void copy_out_be (uint8_t out[], size_t out_bytes, const T in[])
 
template<typename T >
void copy_out_le (uint8_t out[], size_t out_bytes, const T in[])
 
template<typename T , typename Alloc >
void copy_out_vec_be (uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
 
template<typename T , typename Alloc >
void copy_out_vec_le (uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
 
auto create_aes_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a)
 
std::unique_ptr< Private_Keycreate_ec_private_key (std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
 
std::string create_hex_fingerprint (const uint8_t bits[], size_t bits_len, std::string_view hash_name)
 
std::string create_hex_fingerprint (std::span< const uint8_t > vec, std::string_view hash_name)
 
std::unique_ptr< Private_Keycreate_private_key (std::string_view alg_name, RandomNumberGenerator &rng, std::string_view params, std::string_view provider)
 
auto create_shake_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a)
 
uint8_t ct_compare_u8 (const uint8_t x[], const uint8_t y[], size_t len)
 
BigInt ct_divide (const BigInt &x, const BigInt &y)
 
void ct_divide (const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
 
void ct_divide_word (const BigInt &x, word y, BigInt &q_out, word &r_out)
 
template<typename T >
requires (std::is_integral<T>::value)
constexpr T ct_is_zero (T x)
 
BigInt ct_modulo (const BigInt &x, const BigInt &y)
 
template<typename T >
requires (std::is_integral<T>::value)
constexpr size_t ctz (T n)
 
void curve25519_basepoint (uint8_t mypublic[32], const uint8_t secret[32])
 
void curve25519_donna (uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
 
void deallocate_memory (void *p, size_t elems, size_t elem_size)
 
gf2m decode_gf2m (const uint8_t *mem)
 
size_t dl_exponent_size (size_t bits)
 
size_t dl_work_factor (size_t bits)
 
template<typename E , typename... Args>
void do_throw_error (const char *file, int line, const char *func, Args... args)
 
size_t ecp_work_factor (size_t bits)
 
void ed25519_gen_keypair (uint8_t *pk, uint8_t *sk, const uint8_t seed[32])
 
void ed25519_gen_keypair (uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32])
 
void ed25519_sign (uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
 
bool ed25519_verify (const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
 
bool ed25519_verify (const uint8_t msg[], size_t msg_len, const uint8_t sig[64], const uint8_t pk[32], const uint8_t domain_sep[], size_t domain_sep_len)
 
uint32_t encode_gf2m (gf2m to_enc, uint8_t *mem)
 
template<typename T >
uint16_t expand_mask_16bit (T tst)
 
void expand_message_xmd (std::string_view hash_fn, uint8_t output[], size_t output_len, const uint8_t input[], size_t input_len, const uint8_t domain_sep[], size_t domain_sep_len)
 
template<typename T >
requires (std::is_integral<T>::value)
constexpr T expand_top_bit (T a)
 
void fe_0 (fe &x)
 
void fe_1 (fe &x)
 
void fe_add (fe &x, const fe &a, const fe &b)
 
void fe_copy (fe &a, const fe &b)
 
void fe_frombytes (fe &x, const uint8_t *b)
 
void fe_invert (fe &x, const fe &z)
 
int fe_isnegative (const fe &x)
 
int fe_isnonzero (const fe &x)
 
void fe_mul (fe &x, const fe &a, const fe &b)
 
void fe_neg (fe &x, const fe &z)
 
void fe_pow22523 (fe &x, const fe &y)
 
void fe_sq (fe &x, const fe &z)
 
void fe_sq2 (fe &x, const fe &z)
 
void fe_sq_iter (fe &x, const fe &z, size_t iter)
 
void fe_sub (fe &x, const fe &a, const fe &b)
 
void fe_tobytes (uint8_t *b, const fe &x)
 
secure_vector< gf2mfind_roots_gf2m_decomp (const polyn_gf2m &polyn, size_t code_length)
 
template<typename... T>
std::string fmt (std::string_view format, const T &... args)
 
std::string format_char_for_display (char c)
 
SphincsTreeNode fors_public_key_from_signature (const SphincsHashedMessage &hashed_message, StrongSpan< const ForsSignature > signature, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
SphincsTreeNode fors_sign_and_pkgen (StrongSpan< ForsSignature > sig_out, const SphincsHashedMessage &hashed_message, const SphincsSecretSeed &secret_seed, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
void gamma (SIMD_4x32 &A0, SIMD_4x32 &A1, SIMD_4x32 &A2, SIMD_4x32 &A3)
 
BigInt gcd (const BigInt &a, const BigInt &b)
 
void ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t *a, const ge_p3 *A, const uint8_t *b)
 
void ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])
 
int ge_frombytes_negate_vartime (ge_p3 *v, const uint8_t *)
 
void ge_scalarmult_base (uint8_t out[32], const uint8_t in[32])
 
template<typename GeneralVariantT , typename SpecialT >
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
constexpr GeneralVariantT generalize_to (SpecialT &&specific) noexcept
 Converts a given variant into another variant-ish whose type states are a super set of the given variant.
 
template<typename GeneralVariantT , typename... SpecialTs>
constexpr GeneralVariantT generalize_to (std::variant< SpecialTs... > specific) noexcept
 Converts a given variant into another variant-ish whose type states are a super set of the given variant.
 
std::string generate_bcrypt (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, char version)
 
std::vector< uint8_t > generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits)
 
bool generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
 
McEliece_PrivateKey generate_mceliece_key (RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
 
std::string generate_passhash9 (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, uint8_t alg_id)
 
BigInt generate_rfc6979_nonce (const BigInt &x, const BigInt &q, const BigInt &h, std::string_view hash)
 
BigInt generate_rsa_prime (RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
 
AEAD_Modeget_aead (std::string_view name, Cipher_Dir direction)
 
template<size_t B, typename T >
requires (B < sizeof(T))
constexpr uint8_t get_byte (T input)
 
template<typename T >
constexpr uint8_t get_byte_var (size_t byte_num, T input)
 
Keyed_Filterget_cipher (std::string_view algo_spec, Cipher_Dir direction)
 
Keyed_Filterget_cipher (std::string_view algo_spec, const SymmetricKey &key, Cipher_Dir direction)
 
Keyed_Filterget_cipher (std::string_view algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction)
 
Cipher_Modeget_cipher_mode (std::string_view algo_spec, Cipher_Dir direction, std::string_view provider="")
 
std::vector< std::string > get_files_recursive (std::string_view dir)
 
KDFget_kdf (std::string_view algo_spec)
 
PBKDFget_pbkdf (std::string_view algo_spec, std::string_view provider="")
 
PBKDFget_s2k (std::string_view algo_spec)
 
gf2m gray_to_lex (gf2m gray)
 
bool has_filesystem_impl ()
 
EC_Point hash_to_curve_sswu (const EC_Group &group, std::string_view hash_fn, const uint8_t input[], size_t input_len, const uint8_t domain_sep[], size_t domain_sep_len, bool random_oracle)
 
std::vector< uint8_t > hex_decode (const char input[], size_t input_length, bool ignore_ws)
 
size_t hex_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws)
 
std::vector< uint8_t > hex_decode (std::string_view input, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], std::string_view input, bool ignore_ws)
 
secure_vector< uint8_t > hex_decode_locked (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > hex_decode_locked (std::string_view input, bool ignore_ws)
 
void hex_encode (char output[], const uint8_t input[], size_t input_length, bool uppercase)
 
std::string hex_encode (const uint8_t input[], size_t input_length, bool uppercase)
 
std::string hex_encode (std::span< const uint8_t > input, bool uppercase=true)
 
template<typename T >
requires (std::is_unsigned<T>::value)
constexpr size_t high_bit (T n)
 
secure_vector< uint8_t > hkdf_expand_label (std::string_view hash_fn, const uint8_t secret[], size_t secret_len, std::string_view label, const uint8_t hash_val[], size_t hash_val_len, size_t length)
 
template<typename... Alts, typename... Ts>
constexpr bool holds_any_of (const std::variant< Ts... > &v) noexcept
 
bool host_wildcard_match (std::string_view issued_, std::string_view host_)
 
void ht_sign (StrongSpan< SphincsHypertreeSignature > out_sig, const SphincsTreeNode &message_to_sign, const SphincsSecretSeed &secret_seed, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
bool ht_verify (const SphincsTreeNode &signed_msg, StrongSpan< const SphincsHypertreeSignature > ht_sig, const SphincsTreeNode &pk_root, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
uint8_t ieee1363_hash_id (std::string_view name)
 
size_t if_work_factor (size_t bits)
 
template<typename T >
void ignore_param (T &&)
 
template<typename... T>
void ignore_params (T &&... args)
 
void initialize_allocator ()
 
bool intersects (ASN1_Class x, ASN1_Class y)
 
BigInt inverse_mod (const BigInt &n, const BigInt &mod)
 
std::string ipv4_to_string (uint32_t ip)
 
bool is_bailie_psw_probable_prime (const BigInt &n)
 
bool is_bailie_psw_probable_prime (const BigInt &n, const Modular_Reducer &mod_n)
 
template<typename GeneralVariantT , typename SpecialT >
constexpr bool is_generalizable_to (const SpecialT &) noexcept
 
template<typename GeneralVariantT , typename... SpecialTs>
constexpr bool is_generalizable_to (const std::variant< SpecialTs... > &) noexcept
 
bool is_lucas_probable_prime (const BigInt &C, const Modular_Reducer &mod_C)
 
bool is_miller_rabin_probable_prime (const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
 
bool is_passhash9_alg_supported (uint8_t alg_id)
 
BigInt is_perfect_square (const BigInt &C)
 
template<typename T >
requires (std::is_unsigned<T>::value)
constexpr bool is_power_of_2 (T arg)
 
bool is_prime (const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
 
int32_t jacobi (const BigInt &a, const BigInt &n)
 
template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
size_t keccak_absorb_padded_strings_encoding (T &sink, size_t padding_mod, Ts... byte_strings)
 
size_t keccak_int_encoding_size (size_t x)
 
std::span< const uint8_t > keccak_int_left_encode (std::span< uint8_t > out, size_t x)
 
std::span< const uint8_t > keccak_int_right_encode (std::span< uint8_t > out, size_t x)
 
constexpr size_t keccak_max_int_encoding_size ()
 
void Keccak_Permutation_round (uint64_t T[25], const uint64_t A[25], uint64_t RC)
 
std::string key_constraints_to_string (Key_Constraints c)
 
std::string latin1_to_utf8 (const uint8_t chars[], size_t len)
 
BigInt lcm (const BigInt &a, const BigInt &b)
 
gf2m lex_to_gray (gf2m lex)
 
uint64_t load_3 (const uint8_t in[3])
 
uint64_t load_4 (const uint8_t *in)
 
template<typename T >
constexpr T load_be (const uint8_t in[], size_t off)
 
template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void load_be (const uint8_t in[], Ts &... outs)
 
template<ranges::contiguous_range< uint8_t > InR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void load_be (InR &&in, Ts &... outs)
 
template<std::unsigned_integral T, ranges::contiguous_range< uint8_t > InR>
constexpr T load_be (InR &&in_range)
 
template<ranges::contiguous_range< uint8_t > InR>
constexpr auto load_be (InR &&in_range)
 
template<typename T >
constexpr void load_be (T out[], const uint8_t in[], size_t count)
 
template<typename T >
constexpr T load_le (const uint8_t in[], size_t off)
 
template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void load_le (const uint8_t in[], Ts &... outs)
 
template<ranges::contiguous_range< uint8_t > InR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void load_le (InR &&in, Ts &... outs)
 
template<std::unsigned_integral T, ranges::contiguous_range< uint8_t > InR>
constexpr T load_le (InR &&in_range)
 
template<ranges::contiguous_range< uint8_t > InR>
constexpr auto load_le (InR &&in_range)
 
template<typename T >
constexpr void load_le (T out[], const uint8_t in[], size_t count)
 
std::unique_ptr< Private_Keyload_private_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
 
std::unique_ptr< Public_Keyload_public_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
 
template<typename T >
secure_vector< Tlock (const std::vector< T > &in)
 
size_t low_zero_bits (const BigInt &n)
 
template<typename T >
constexpr T majority (T a, T b, T c)
 
std::unique_ptr< BlockCiphermake_commoncrypto_block_cipher (std::string_view name)
 
std::unique_ptr< Cipher_Modemake_commoncrypto_cipher_mode (std::string_view name, Cipher_Dir direction)
 
std::unique_ptr< HashFunctionmake_commoncrypto_hash (std::string_view name)
 
Compression_Algorithmmake_compressor (std::string_view type)
 
Decompression_Algorithmmake_decompressor (std::string_view type)
 
constexpr uint16_t make_uint16 (uint8_t i0, uint8_t i1)
 
constexpr uint32_t make_uint32 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
 
constexpr uint64_t make_uint64 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7)
 
template<typename K , typename V >
std::set< K > map_keys_as_set (const std::map< K, V > &kv)
 
template<typename K , typename V >
std::set< K > map_keys_as_set (const std::multimap< K, V > &kv)
 
template<typename T , typename Pred >
void map_remove_if (Pred pred, T &assoc)
 
secure_vector< uint8_t > mceliece_decrypt (secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key)
 
void mceliece_decrypt (secure_vector< uint8_t > &plaintext, secure_vector< uint8_t > &error_mask, const uint8_t ciphertext[], size_t ciphertext_len, const McEliece_PrivateKey &key)
 
void mceliece_decrypt (secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
 
void mceliece_encrypt (secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
 
size_t mceliece_work_factor (size_t n, size_t t)
 
void mgf1_mask (HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
 
size_t miller_rabin_test_iterations (size_t n_bits, size_t prob, bool random)
 
BigInt monty_execute (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
 
BigInt monty_execute_vartime (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
 
BigInt monty_exp (const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
 
BigInt monty_exp_vartime (const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k)
 
word monty_inverse (word a)
 
BigInt monty_multi_exp (const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
 
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute (const std::shared_ptr< const Montgomery_Params > &params, const BigInt &g, size_t window_bits, bool const_time)
 
void mul64x64_128 (uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
 
EC_Point multi_exponentiate (const EC_Point &p1, const BigInt &z1, const EC_Point &p2, const BigInt &z2)
 
template<typename K , typename V >
void multimap_insert (std::multimap< K, V > &multimap, const K &key, const V &value)
 
secure_vector< uint8_t > nist_key_unwrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
secure_vector< uint8_t > nist_key_unwrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
std::vector< uint8_t > nist_key_wrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
std::vector< uint8_t > nist_key_wrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
secure_vector< uint8_t > oaep_find_delim (uint8_t &valid_mask, const uint8_t input[], size_t input_len, const secure_vector< uint8_t > &Phash)
 
bool operator!= (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
 
bool operator!= (const ASN1_Time &, const ASN1_Time &)
 
bool operator!= (const BigInt &a, const BigInt &b)
 
bool operator!= (const BigInt &a, word b)
 
bool operator!= (const CRL_Entry &a1, const CRL_Entry &a2)
 
bool operator!= (const CurveGFp &lhs, const CurveGFp &rhs)
 
bool operator!= (const EC_Group &lhs, const EC_Group &rhs)
 
bool operator!= (const EC_Point &lhs, const EC_Point &rhs)
 
bool operator!= (const OctetString &s1, const OctetString &s2)
 
bool operator!= (const OID &a, const OID &b)
 
template<typename T , typename U >
bool operator!= (const secure_allocator< T > &, const secure_allocator< U > &)
 
bool operator!= (const X509_Certificate &cert1, const X509_Certificate &cert2)
 
bool operator!= (const X509_DN &dn1, const X509_DN &dn2)
 
BigInt operator% (const BigInt &n, const BigInt &mod)
 
word operator% (const BigInt &n, word mod)
 
ECIES_Flags operator& (ECIES_Flags a, ECIES_Flags b)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator& (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator& (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator& (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator&= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator&= (Strong< T1, Tags... > &a, T2 b)
 
EC_Point operator* (const BigInt &scalar, const EC_Point &point)
 
BigInt operator* (const BigInt &x, const BigInt &y)
 
BigInt operator* (const BigInt &x, word y)
 
donna128 operator* (const donna128 &x, uint64_t y)
 
EC_Point operator* (const EC_Point &point, const BigInt &scalar)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator* (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator* (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator* (T1 a, Strong< T2, Tags... > b)
 
donna128 operator* (uint64_t y, const donna128 &x)
 
BigInt operator* (word x, const BigInt &y)
 
template<std::integral T, typename... Tags>
constexpr auto operator*= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator*= (Strong< T1, Tags... > &a, T2 b)
 
BigInt operator+ (const BigInt &x, const BigInt &y)
 
BigInt operator+ (const BigInt &x, word y)
 
donna128 operator+ (const donna128 &x, const donna128 &y)
 
donna128 operator+ (const donna128 &x, uint64_t y)
 
EC_Point operator+ (const EC_Point &lhs, const EC_Point &rhs)
 
OctetString operator+ (const OctetString &k1, const OctetString &k2)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator+ (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator+ (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator+ (T1 a, Strong< T2, Tags... > b)
 
BigInt operator+ (word x, const BigInt &y)
 
template<std::integral T, typename... Tags>
constexpr auto operator++ (Strong< T, Tags... > &a)
 
template<std::integral T, typename... Tags>
constexpr auto operator++ (Strong< T, Tags... > &a, int)
 
template<typename T , typename Alloc , typename L >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< const T *, L > &in)
 
template<typename T , typename Alloc , typename L >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< T *, L > &in)
 
template<typename T , typename Alloc , typename Alloc2 >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::vector< T, Alloc2 > &in)
 
template<typename T , typename Alloc >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, T in)
 
template<std::integral T, typename... Tags>
constexpr auto operator+= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator+= (Strong< T1, Tags... > &a, T2 b)
 
BigInt operator- (const BigInt &x, const BigInt &y)
 
BigInt operator- (const BigInt &x, word y)
 
EC_Point operator- (const EC_Point &lhs)
 
EC_Point operator- (const EC_Point &lhs, const EC_Point &rhs)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator- (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator- (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator- (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator-- (Strong< T, Tags... > &a)
 
template<std::integral T, typename... Tags>
constexpr auto operator-- (Strong< T, Tags... > &a, int)
 
template<std::integral T, typename... Tags>
constexpr auto operator-= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator-= (Strong< T1, Tags... > &a, T2 b)
 
BigInt operator/ (const BigInt &x, const BigInt &y)
 
BigInt operator/ (const BigInt &x, word y)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator/ (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator/ (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator/ (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator/= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator/= (Strong< T1, Tags... > &a, T2 b)
 
bool operator< (const ASN1_Time &, const ASN1_Time &)
 
bool operator< (const BigInt &a, const BigInt &b)
 
bool operator< (const BigInt &a, word b)
 
bool operator< (const OID &a, const OID &b)
 
bool operator< (const X509_DN &dn1, const X509_DN &dn2)
 
BigInt operator<< (const BigInt &x, size_t shift)
 
int operator<< (int fd, Pipe &pipe)
 
std::ostream & operator<< (std::ostream &os, const GeneralName &gn)
 
std::ostream & operator<< (std::ostream &os, const GeneralSubtree &gs)
 
template<typename T , typename... Tags>
requires (concepts::streamable<T>)
decltype(auto) operator<< (std::ostream &os, const Strong< T, Tags... > &v)
 
std::ostream & operator<< (std::ostream &out, const OID &oid)
 
std::ostream & operator<< (std::ostream &out, const X509_DN &dn)
 
std::ostream & operator<< (std::ostream &out, Pipe &pipe)
 
std::ostream & operator<< (std::ostream &stream, const BigInt &n)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator<< (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator<< (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator<< (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator<<= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator<<= (Strong< T1, Tags... > &a, T2 b)
 
bool operator<= (const ASN1_Time &, const ASN1_Time &)
 
bool operator<= (const BigInt &a, const BigInt &b)
 
bool operator<= (const BigInt &a, word b)
 
template<typename T , typename... Tags>
requires (std::three_way_comparable<T>)
auto operator<=> (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator<=> (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator<=> (T1 a, Strong< T2, Tags... > b)
 
bool operator== (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
 
bool operator== (const ASN1_Time &, const ASN1_Time &)
 
bool operator== (const BigInt &a, const BigInt &b)
 
bool operator== (const BigInt &a, word b)
 
bool operator== (const CRL_Entry &a1, const CRL_Entry &a2)
 
bool operator== (const OctetString &s1, const OctetString &s2)
 
template<typename T , typename U >
bool operator== (const secure_allocator< T > &, const secure_allocator< U > &)
 
template<typename T , typename... Tags>
requires (std::equality_comparable<T>)
bool operator== (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs)
 
bool operator== (const X509_DN &dn1, const X509_DN &dn2)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator== (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator== (T1 a, Strong< T2, Tags... > b)
 
bool operator> (const ASN1_Time &, const ASN1_Time &)
 
bool operator> (const BigInt &a, const BigInt &b)
 
bool operator> (const BigInt &a, word b)
 
bool operator>= (const ASN1_Time &, const ASN1_Time &)
 
bool operator>= (const BigInt &a, const BigInt &b)
 
bool operator>= (const BigInt &a, word b)
 
BigInt operator>> (const BigInt &x, size_t shift)
 
int operator>> (int fd, Pipe &pipe)
 
std::istream & operator>> (std::istream &in, Pipe &pipe)
 
std::istream & operator>> (std::istream &in, X509_DN &dn)
 
std::istream & operator>> (std::istream &stream, BigInt &n)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator>> (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator>> (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator>> (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator>>= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator>>= (Strong< T1, Tags... > &a, T2 b)
 
OctetString operator^ (const OctetString &k1, const OctetString &k2)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator^ (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator^ (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator^ (T1 a, Strong< T2, Tags... > b)
 
template<typename Alloc , typename Alloc2 >
std::vector< uint8_t, Alloc > & operator^= (std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in)
 
template<std::integral T, typename... Tags>
constexpr auto operator^= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator^= (Strong< T1, Tags... > &a, T2 b)
 
ASN1_Class operator| (ASN1_Class x, ASN1_Class y)
 
uint32_t operator| (ASN1_Class x, ASN1_Type y)
 
uint32_t operator| (ASN1_Type x, ASN1_Class y)
 
ASN1_Type operator| (ASN1_Type x, ASN1_Type y)
 
donna128 operator| (const donna128 &x, const donna128 &y)
 
ECIES_Flags operator| (ECIES_Flags a, ECIES_Flags b)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator| (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator| (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator| (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator|= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator|= (Strong< T1, Tags... > &a, T2 b)
 
template<typename Alloc >
EC_Point OS2ECP (const std::vector< uint8_t, Alloc > &data, const CurveGFp &curve)
 
std::pair< BigInt, BigIntOS2ECP (const uint8_t data[], size_t data_len, const BigInt &curve_p, const BigInt &curve_a, const BigInt &curve_b)
 
EC_Point OS2ECP (const uint8_t data[], size_t data_len, const CurveGFp &curve)
 
template<class... Ts>
 overloaded (Ts...) -> overloaded< Ts... >
 
std::vector< std::string > parse_algorithm_name (std::string_view namex)
 
bool passes_miller_rabin_test (const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
 
secure_vector< uint8_t > pbes2_decrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, const std::vector< uint8_t > &params)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter (std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
 
void pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const uint8_t salt[], size_t salt_len, size_t iterations)
 
size_t pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
 
std::vector< uint8_t > pkcs_hash_id (std::string_view name)
 
void poly_double_n (uint8_t buf[], size_t n)
 
void poly_double_n (uint8_t out[], const uint8_t in[], size_t n)
 
void poly_double_n_le (uint8_t out[], const uint8_t in[], size_t n)
 
bool poly_double_supported_size (size_t n)
 
BigInt power_mod (const BigInt &base, const BigInt &exp, const BigInt &mod)
 
uint64_t prefetch_array_raw (size_t bytes, const void *arrayv) noexcept
 
template<typename T , size_t... Ns>
requires std::is_integral<T>::value
T prefetch_arrays (T(&... arr)[Ns]) noexcept
 
BOTAN_TEST_API const BigIntprime_p192 ()
 
BOTAN_TEST_API const BigIntprime_p224 ()
 
BOTAN_TEST_API const BigIntprime_p256 ()
 
BOTAN_TEST_API const BigIntprime_p384 ()
 
BOTAN_TEST_API const BigIntprime_p521 ()
 
std::vector< std::string > probe_provider_private_key (std::string_view alg_name, const std::vector< std::string > &possible)
 
template<typename T >
std::vector< std::string > probe_providers_of (std::string_view algo_spec, const std::vector< std::string > &possible={"base"})
 
gf2m random_code_element (uint16_t code_length, RandomNumberGenerator &rng)
 
gf2m random_gf2m (RandomNumberGenerator &rng)
 
BigInt random_prime (RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
 
BigInt random_safe_prime (RandomNumberGenerator &rng, size_t bits)
 
std::map< std::string, std::string > read_cfg (std::istream &is)
 
BOTAN_TEST_API std::map< std::string, std::string > read_kv (std::string_view kv)
 
void redc_mul (int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
 
BOTAN_TEST_API void redc_p192 (BigInt &x, secure_vector< word > &ws)
 
BOTAN_TEST_API void redc_p224 (BigInt &x, secure_vector< word > &ws)
 
BOTAN_TEST_API void redc_p256 (BigInt &x, secure_vector< word > &ws)
 
BOTAN_TEST_API void redc_p384 (BigInt &x, secure_vector< word > &ws)
 
BOTAN_TEST_API void redc_p521 (BigInt &x, secure_vector< word > &ws)
 
template<typename RetT , typename KeyT , typename ReducerT >
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
RetT reduce (const std::vector< KeyT > &keys, RetT acc, ReducerT reducer)
 
constexpr uint16_t reverse_bytes (uint16_t x)
 
constexpr uint32_t reverse_bytes (uint32_t x)
 
constexpr uint64_t reverse_bytes (uint64_t x)
 
secure_vector< uint8_t > rfc3394_keyunwrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
 
secure_vector< uint8_t > rfc3394_keywrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
 
size_t RFC4880_decode_count (uint8_t iter)
 
uint8_t RFC4880_encode_count (size_t desired_iterations)
 
size_t RFC4880_round_iterations (size_t iterations)
 
template<size_t R1, size_t R2, size_t R3, typename T >
constexpr T rho (T x)
 
template<size_t R>
SIMD_16x32 rotl (SIMD_16x32 input)
 
template<size_t R>
SIMD_4x32 rotl (SIMD_4x32 input)
 
template<size_t R>
SIMD_8x32 rotl (SIMD_8x32 input)
 
template<size_t ROT, typename T >
requires (ROT > 0 && ROT < 8 * sizeof(T))
constexpr T rotl (T input)
 
template<typename T >
constexpr T rotl_var (T input, size_t rot)
 
template<size_t R>
SIMD_16x32 rotr (SIMD_16x32 input)
 
template<size_t R>
SIMD_4x32 rotr (SIMD_4x32 input)
 
template<size_t R>
SIMD_8x32 rotr (SIMD_8x32 input)
 
template<size_t ROT, typename T >
requires (ROT > 0 && ROT < 8 * sizeof(T))
constexpr T rotr (T input)
 
template<typename T >
constexpr T rotr_var (T input, size_t rot)
 
template<typename T >
constexpr T round_down (T n, T align_to)
 
size_t round_up (size_t n, size_t align_to)
 
std::string runtime_version_check (uint32_t major, uint32_t minor, uint32_t patch)
 
template<typename T >
bool same_mem (const T *p1, const T *p2, size_t n)
 
BOTAN_FORCE_INLINE void SBoxD0 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD1 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD2 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD3 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD4 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD5 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD6 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxD7 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE0 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE1 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE2 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE3 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE4 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE5 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE6 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
BOTAN_FORCE_INLINE void SBoxE7 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d)
 
void sc_muladd (uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
 
void sc_reduce (uint8_t *)
 
void scrypt (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
 
void scrypt (uint8_t output[], size_t output_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
 
template<typename K , typename V , typename R >
search_map (const std::map< K, V > &mapping, const K &key, const R &null_result, const R &found_result)
 
template<typename K , typename V >
search_map (const std::map< K, V > &mapping, const K &key, const V &null_result=V())
 
void secure_scrub_memory (ranges::contiguous_output_range auto &&data)
 
void secure_scrub_memory (void *ptr, size_t n)
 
constexpr void set_mem (uint8_t *ptr, size_t n, uint8_t val)
 
BOTAN_FORCE_INLINE void SHA2_32_F (uint32_t A, uint32_t B, uint32_t C, uint32_t &D, uint32_t E, uint32_t F, uint32_t G, uint32_t &H, uint32_t &M1, uint32_t M2, uint32_t M3, uint32_t M4, uint32_t magic)
 
BOTAN_FORCE_INLINE void SHA2_64_F (uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t &M1, uint64_t M2, uint64_t M3, uint64_t M4, uint64_t magic)
 
template<size_t S>
SIMD_16x32 shl (SIMD_16x32 input)
 
template<size_t S>
SIMD_4x32 shl (SIMD_4x32 input)
 
template<size_t S>
SIMD_8x32 shl (SIMD_8x32 input)
 
const char * short_version_cstr ()
 
std::string short_version_string ()
 
template<size_t R1, size_t R2, size_t S, typename T >
constexpr T sigma (T x)
 
template<typename T >
requires (std::is_integral<T>::value)
constexpr size_t significant_bytes (T n)
 
std::vector< uint8_t > sm2_compute_za (HashFunction &hash, std::string_view user_id, const EC_Group &domain, const EC_Point &pubkey)
 
std::vector< std::string > split_on (std::string_view str, char delim)
 
BigInt sqrt_modulo_prime (const BigInt &a, const BigInt &p)
 
BigInt square (const BigInt &x)
 
std::pair< BigInt, SymmetricKeysrp6_client_agree (std::string_view identifier, std::string_view password, const DL_Group &group, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, const size_t a_bits, RandomNumberGenerator &rng)
 
std::pair< BigInt, SymmetricKeysrp6_client_agree (std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
 
BigInt srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, const DL_Group &group, std::string_view hash_id)
 
BigInt srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
 
std::string srp6_group_identifier (const BigInt &N, const BigInt &g)
 
template<ranges::contiguous_output_range< uint8_t > OutR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void store_be (OutR &&out, Ts... ins)
 
template<std::unsigned_integral T>
constexpr auto store_be (T in)
 
template<std::unsigned_integral T, ranges::contiguous_output_range< uint8_t > OutR>
constexpr void store_be (T in, OutR &&out_range)
 
template<std::unsigned_integral T>
constexpr void store_be (T in, uint8_t out[sizeof(T)])
 
template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void store_be (uint8_t out[], Ts... ins)
 
template<ranges::contiguous_output_range< uint8_t > OutR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void store_le (OutR &&out, Ts... ins)
 
template<std::unsigned_integral T>
constexpr auto store_le (T in)
 
template<std::unsigned_integral T, ranges::contiguous_output_range< uint8_t > OutR>
constexpr void store_le (T in, OutR &&out_range)
 
template<std::unsigned_integral T>
constexpr void store_le (T in, uint8_t out[sizeof(T)])
 
template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void store_le (uint8_t out[], Ts... ins)
 
std::string string_join (const std::vector< std::string > &strs, char delim)
 
uint32_t string_to_ipv4 (std::string_view str)
 
template<typename T >
constexpr void swap_bits (T &x, T &y, T mask, size_t shift)
 
std::vector< polyn_gf2msyndrome_init (const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
 
RandomNumberGeneratorsystem_rng ()
 
void theta (SIMD_4x32 &A0, SIMD_4x32 &A1, SIMD_4x32 &A2, SIMD_4x32 &A3, const SIMD_4x32 &K0, const SIMD_4x32 &K1, const SIMD_4x32 &K2, const SIMD_4x32 &K3)
 
void throw_invalid_argument (const char *message, const char *func, const char *file)
 
void throw_invalid_state (const char *expr, const char *func, const char *file)
 
template<concepts::contiguous_container T = std::vector<uint8_t>>
T to_byte_vector (std::string_view s)
 
const char * to_string (Certificate_Status_Code code)
 
std::string to_string (ErrorType type)
 Convert an ErrorType to string.
 
std::string to_string (std::span< const uint8_t > bytes)
 
uint32_t to_u32bit (std::string_view str_view)
 
uint16_t to_uint16 (std::string_view str)
 
std::string tolower_string (std::string_view in)
 
void treehash (StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)
 
template<typename To >
requires std::is_trivial<To>::value
constexpr To typecast_copy (const uint8_t src[]) noexcept
 
template<typename ToT , ranges::contiguous_range FromR>
requires std::is_trivial_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
constexpr ToT typecast_copy (FromR &&src) noexcept
 
template<typename T >
requires std::is_trivial<typename std::decay<T>::type>::value
constexpr void typecast_copy (T &out, const uint8_t in[])
 
template<typename T >
requires std::is_trivial<T>::value
constexpr void typecast_copy (T out[], const uint8_t in[], size_t N)
 
template<ranges::contiguous_output_range ToR, typename FromT >
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void typecast_copy (ToR &&out, const FromT &in)
 
template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void typecast_copy (ToR &&out, FromR &&in)
 
template<typename ToT , ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
constexpr void typecast_copy (ToT &out, FromR &&in) noexcept
 
template<typename T >
constexpr void typecast_copy (uint8_t out[], const T &in)
 
template<typename T >
requires std::is_trivially_copyable<T>::value
constexpr void typecast_copy (uint8_t out[], T in[], size_t N)
 
std::string ucs2_to_utf8 (const uint8_t ucs2[], size_t len)
 
std::string ucs4_to_utf8 (const uint8_t ucs4[], size_t len)
 
template<typename T >
std::vector< Tunlock (const secure_vector< T > &in)
 
template<typename T , typename OT >
bool value_exists (const std::vector< T > &vec, const OT &val)
 
constexpr size_t var_ctz32 (uint32_t n)
 
void vartime_divide (const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
 
const char * version_cstr ()
 
uint32_t version_datestamp ()
 
uint32_t version_major ()
 
uint32_t version_minor ()
 
uint32_t version_patch ()
 
std::string version_string ()
 
void word3_add (word *w2, word *w1, word *w0, word x)
 
void word3_muladd (word *w2, word *w1, word *w0, word x, word y)
 
void word3_muladd_2 (word *w2, word *w1, word *w0, word x, word y)
 
word word8_add2 (word x[8], const word y[8], word carry)
 
word word8_add3 (word z[8], const word x[8], const word y[8], word carry)
 
word word8_linmul2 (word x[8], word y, word carry)
 
word word8_linmul3 (word z[8], const word x[8], word y, word carry)
 
word word8_madd3 (word z[8], const word x[8], word y, word carry)
 
word word8_sub2 (word x[8], const word y[8], word carry)
 
word word8_sub2_rev (word x[8], const word y[8], word carry)
 
word word8_sub3 (word z[8], const word x[8], const word y[8], word carry)
 
word word_add (word x, word y, word *carry)
 
word word_madd2 (word a, word b, word *c)
 
word word_madd3 (word a, word b, word c, word *d)
 
word word_sub (word x, word y, word *carry)
 
WotsPublicKey wots_public_key_from_signature (const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
void wots_sign_and_pkgen (StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
SphincsTreeNode xmss_gen_root (const Sphincs_Parameters &params, const SphincsSecretSeed &secret_seed, Sphincs_Hash_Functions &hashes)
 
SphincsTreeNode xmss_sign_and_pkgen (StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &root, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 
constexpr void xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
 
constexpr void xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in1, ranges::contiguous_range< uint8_t > auto &&in2)
 
void xor_buf (std::span< uint8_t > out, std::span< const uint8_t > in, size_t n)
 
template<typename Alloc , typename Alloc2 >
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
 
template<typename Alloc >
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, size_t n)
 
void xor_buf (uint8_t out[], const uint8_t in[], const uint8_t in2[], size_t length)
 
void xor_buf (uint8_t out[], const uint8_t in[], size_t length)
 
template<typename T , typename Alloc >
void zap (std::vector< T, Alloc > &vec)
 
template<typename T , typename Alloc >
void zeroise (std::vector< T, Alloc > &vec)
 

Variables

constexpr size_t BLAKE2B_BLOCKBYTES = 128
 
const size_t HEX_CODEC_BUFFER_SIZE = 256
 
template<typename... Ts>
constexpr bool is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value
 
const size_t MAX_EXT_DEG = 16
 
const word MP_WORD_MAX = ~static_cast<word>(0)
 
const size_t PRIME_TABLE_SIZE = 6541
 
const uint16_t PRIMES []
 
const uint64_t STREEBOG_Ax [8][256]
 
const uint64_t STREEBOG_C [12][8]
 

Detailed Description

Wrapper for truncated hashes (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019,2021 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019,2022 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2023 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2022 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018 Jack Lloyd (C) 2018 Ribose Inc

Botan is released under the Simplified BSD License (see license.txt)

Asymmetric primitives for dilithium (C) 2022-2023 Jack Lloyd (C) 2022-2023 Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity (C) 2022 Manuel Glaser - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Ordinary applications should never need to include or use this header. It is exposed only for specialized applications which want to implement new versions of public key crypto without merging them as changes to the library. One actual example of such usage is an application which creates RSA signatures using a custom TPM library. Unless you're doing something like that, you don't need anything here. Instead use pubkey.h which wraps these types safely and provides a stable application-oriented API.

Note: This header was accidentally pulled from the public API between Botan 3.0.0 and 3.2.0, and then restored in 3.3.0. If you are maintaining an application which used this header in Botan 2.x, you should make sure to use Botan 3.3.0 or later when migrating.

Hybrid Session Manager emitting both Tickets and storing sessions in Memory (C) 2023 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Manager in Memory (C) 2011 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Stateless Session Manager for stateless servers (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Useful concepts that are available throughout the library (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

A wrapper class to implement strong types (C) 2022 Jack Lloyd 2022 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

utilities for PKIX::build_all_certificate_paths

Typedef Documentation

◆ Altivec32x4

typedef __vector unsigned int Botan::Altivec32x4

Definition at line 23 of file aes_power8.cpp.

◆ Altivec64x2

typedef __vector unsigned long long Botan::Altivec64x2

Definition at line 22 of file aes_power8.cpp.

◆ Altivec8x16

typedef __vector unsigned char Botan::Altivec8x16

Definition at line 24 of file aes_power8.cpp.

◆ byte

using Botan::byte = std::uint8_t

Definition at line 94 of file types.h.

◆ CCCryptorStatus

typedef int32_t Botan::CCCryptorStatus

Definition at line 24 of file commoncrypto.h.

◆ CertificatePathStatusCodes

This type represents the validation status of an entire certificate path. There is one set of status codes for each certificate in the path.

Definition at line 29 of file x509path.h.

◆ fe

Definition at line 140 of file ed25519_fe.h.

◆ ForsLeafSecret

using Botan::ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_>

Definition at line 57 of file sp_types.h.

◆ ForsSignature

using Botan::ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_>

Definition at line 58 of file sp_types.h.

◆ FrodoDomainSeparator

using Botan::FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_>

Definition at line 47 of file frodo_types.h.

◆ FrodoIntermediateSharedSecret

using Botan::FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_>

Definition at line 56 of file frodo_types.h.

◆ FrodoPackedMatrix

using Botan::FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_>

Definition at line 41 of file frodo_types.h.

◆ FrodoPlaintext

using Botan::FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_>

Definition at line 50 of file frodo_types.h.

◆ FrodoPublicKeyHash

using Botan::FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_>

Definition at line 38 of file frodo_types.h.

◆ FrodoSalt

using Botan::FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_>

Definition at line 53 of file frodo_types.h.

◆ FrodoSampleR

using Botan::FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_>

Definition at line 35 of file frodo_types.h.

◆ FrodoSeedA

using Botan::FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_>

Definition at line 23 of file frodo_types.h.

◆ FrodoSeedS

using Botan::FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_>

Definition at line 26 of file frodo_types.h.

◆ FrodoSeedSE

using Botan::FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_>

Definition at line 29 of file frodo_types.h.

◆ FrodoSeedZ

using Botan::FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_>

Definition at line 32 of file frodo_types.h.

◆ FrodoSerializedMatrix

using Botan::FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_>

Definition at line 44 of file frodo_types.h.

◆ GenerateLeafFunction

Definition at line 25 of file sp_treehash.h.

◆ gf2m

typedef uint16_t Botan::gf2m

Definition at line 20 of file gf2m_small_m.h.

◆ HypertreeLayerIndex

using Botan::HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_>

Index of a layer in the XMSS hyper-tree.

Definition at line 72 of file sp_types.h.

◆ InitializationVector

Alternate name for octet string showing intent to use as an IV

Definition at line 146 of file symkey.h.

◆ Integrity_Failure

For compatability with older versions

Definition at line 283 of file exceptn.h.

◆ lock_guard_type

template<typename T >
using Botan::lock_guard_type = lock_guard<T>

Definition at line 55 of file mutex.h.

◆ MAC

Definition at line 133 of file mac.h.

◆ mutex_type

Definition at line 37 of file mutex.h.

◆ PointGFp

Definition at line 402 of file ec_point.h.

◆ recursive_mutex_type

Definition at line 38 of file mutex.h.

◆ RNG

Convenience typedef

Definition at line 258 of file rng.h.

◆ S2K

typedef PBKDF Botan::S2K

Definition at line 232 of file pbkdf.h.

◆ s32bit

using Botan::s32bit = std::int32_t

Definition at line 98 of file types.h.

◆ secure_deque

template<typename T >
using Botan::secure_deque = std::deque<T, secure_allocator<T>>

Definition at line 63 of file secmem.h.

◆ secure_vector

template<typename T >
using Botan::secure_vector = std::vector<T, secure_allocator<T>>

Definition at line 61 of file secmem.h.

◆ SecureVector

template<typename T >
using Botan::SecureVector = secure_vector<T>

Definition at line 67 of file secmem.h.

◆ SM2_Encryption_PrivateKey

Definition at line 117 of file sm2.h.

◆ SM2_Encryption_PublicKey

Definition at line 114 of file sm2.h.

◆ SM2_Signature_PrivateKey

Definition at line 116 of file sm2.h.

◆ SM2_Signature_PublicKey

Definition at line 113 of file sm2.h.

◆ SphincsAuthenticationPath

using Botan::SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_>

Definition at line 53 of file sp_types.h.

◆ SphincsHashedMessage

using Botan::SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_>

Definition at line 45 of file sp_types.h.

◆ SphincsHypertreeSignature

using Botan::SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>

Definition at line 52 of file sp_types.h.

◆ SphincsMessageRandomness

using Botan::SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_>

Definition at line 50 of file sp_types.h.

◆ SphincsOptionalRandomness

using Botan::SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_>

Definition at line 49 of file sp_types.h.

◆ SphincsPublicSeed

using Botan::SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_>

Definition at line 46 of file sp_types.h.

◆ SphincsSecretPRF

using Botan::SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_>

Definition at line 48 of file sp_types.h.

◆ SphincsSecretSeed

using Botan::SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_>

Definition at line 47 of file sp_types.h.

◆ SphincsTreeNode

using Botan::SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_>

Either an XMSS or FORS tree node or leaf.

Definition at line 56 of file sp_types.h.

◆ SphincsXmssSignature

using Botan::SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>

Definition at line 51 of file sp_types.h.

◆ SymmetricKey

Alternate name for octet string showing intent to use as a key

Definition at line 141 of file symkey.h.

◆ TreeLayerIndex

using Botan::TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber>

Index of the layer within a FORS/XMSS tree.

Definition at line 69 of file sp_types.h.

◆ TreeNodeIndex

using Botan::TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber>

Index of an individual node inside an XMSS or FORS tree.

Definition at line 78 of file sp_types.h.

◆ u16bit

using Botan::u16bit = std::uint16_t

Definition at line 95 of file types.h.

◆ u32bit

using Botan::u32bit = std::uint32_t

Definition at line 96 of file types.h.

◆ u64bit

using Botan::u64bit = std::uint64_t

Definition at line 97 of file types.h.

◆ wots_keysig_t

typedef std::vector< secure_vector< uint8_t > > Botan::wots_keysig_t

Definition at line 20 of file xmss_common_ops.h.

◆ WotsChainIndex

using Botan::WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_>

Index of a WOTS chain within a single usage of WOTS.

Definition at line 81 of file sp_types.h.

◆ WotsHashIndex

using Botan::WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber>

Index of a hash application inside a single WOTS chain (integers in "base_w")

Definition at line 84 of file sp_types.h.

◆ WotsNode

using Botan::WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_>

Start (or intermediate) node of a WOTS+ chain.

Definition at line 65 of file sp_types.h.

◆ WotsPublicKey

using Botan::WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_>

Definition at line 59 of file sp_types.h.

◆ WotsPublicKeyNode

using Botan::WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_>

End node of a WOTS+ chain (part of the WOTS+ public key)

Definition at line 62 of file sp_types.h.

◆ WotsSignature

using Botan::WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_>

Definition at line 66 of file sp_types.h.

◆ X25519_PrivateKey

Definition at line 112 of file curve25519.h.

◆ X25519_PublicKey

Definition at line 111 of file curve25519.h.

◆ X509_Time

Definition at line 402 of file asn1_obj.h.

◆ XmssTreeIndexInLayer

using Botan::XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber>

Index of an XMSS tree (unique for just the local hyper-tree layer)

Definition at line 75 of file sp_types.h.

Enumeration Type Documentation

◆ AlignmentBufferFinalBlock

enum class Botan::AlignmentBufferFinalBlock : size_t
strong

Defines the strategy for handling the final block of input data in the handle_unaligned_data() method of the AlignmentBuffer<>.

  • is_not_special: the final block is treated like any other block
  • must_be_deferred: the final block is not emitted while bulk processing (typically add_data()) but is deferred until manually consumed (typically final_result())

The AlignmentBuffer<> assumes data to be "the final block" if no further input data is available in the BufferSlicer<>. This might result in some performance overhead when using the must_be_deferred strategy.

Enumerator
is_not_special 
must_be_deferred 

Definition at line 34 of file alignment_buffer.h.

◆ ASN1_Class

enum class Botan::ASN1_Class : uint32_t
strong

ASN.1 Class Tags

Enumerator
Universal 
Application 
ContextSpecific 
Private 
Constructed 
ExplicitContextSpecific 
NoObject 

Definition at line 28 of file asn1_obj.h.

28 : uint32_t {
29 Universal = 0b0000'0000,
30 Application = 0b0100'0000,
31 ContextSpecific = 0b1000'0000,
32 Private = 0b1100'0000,
33
34 Constructed = 0b0010'0000,
36
37 NoObject = 0xFF00
38};

◆ ASN1_Type

enum class Botan::ASN1_Type : uint32_t
strong

ASN.1 Type Tags

Enumerator
Eoc 
Boolean 
Integer 
BitString 
OctetString 
Null 
ObjectId 
Enumerated 
Sequence 
Set 
Utf8String 
NumericString 
PrintableString 
TeletexString 
Ia5String 
VisibleString 
UniversalString 
BmpString 
UtcTime 
GeneralizedTime 
NoObject 

Definition at line 43 of file asn1_obj.h.

43 : uint32_t {
44 Eoc = 0x00,
45 Boolean = 0x01,
46 Integer = 0x02,
47 BitString = 0x03,
48 OctetString = 0x04,
49 Null = 0x05,
50 ObjectId = 0x06,
51 Enumerated = 0x0A,
52 Sequence = 0x10,
53 Set = 0x11,
54
55 Utf8String = 0x0C,
56 NumericString = 0x12,
57 PrintableString = 0x13,
58 TeletexString = 0x14,
59 Ia5String = 0x16,
60 VisibleString = 0x1A,
61 UniversalString = 0x1C,
62 BmpString = 0x1E,
63
64 UtcTime = 0x17,
65 GeneralizedTime = 0x18,
66
67 NoObject = 0xFF00,
68};

◆ Certificate_Status_Code

enum class Botan::Certificate_Status_Code
strong

Certificate validation status code

Enumerator
OK 
VERIFIED 
OCSP_RESPONSE_GOOD 
OCSP_SIGNATURE_OK 
VALID_CRL_CHECKED 
OCSP_NO_HTTP 
FIRST_WARNING_STATUS 
CERT_SERIAL_NEGATIVE 
DN_TOO_LONG 
OCSP_NO_REVOCATION_URL 
OCSP_SERVER_NOT_AVAILABLE 
FIRST_ERROR_STATUS 
SIGNATURE_METHOD_TOO_WEAK 
UNTRUSTED_HASH 
NO_REVOCATION_DATA 
NO_MATCHING_CRLDP 
OCSP_ISSUER_NOT_TRUSTED 
CERT_NOT_YET_VALID 
CERT_HAS_EXPIRED 
OCSP_NOT_YET_VALID 
OCSP_HAS_EXPIRED 
CRL_NOT_YET_VALID 
CRL_HAS_EXPIRED 
OCSP_IS_TOO_OLD 
CERT_ISSUER_NOT_FOUND 
CANNOT_ESTABLISH_TRUST 
CERT_CHAIN_LOOP 
CHAIN_LACKS_TRUST_ROOT 
CHAIN_NAME_MISMATCH 
POLICY_ERROR 
INVALID_USAGE 
CERT_CHAIN_TOO_LONG 
CA_CERT_NOT_FOR_CERT_ISSUER 
NAME_CONSTRAINT_ERROR 
CA_CERT_NOT_FOR_CRL_ISSUER 
OCSP_CERT_NOT_LISTED 
OCSP_BAD_STATUS 
CERT_NAME_NOMATCH 
UNKNOWN_CRITICAL_EXTENSION 
DUPLICATE_CERT_EXTENSION 
OCSP_SIGNATURE_ERROR 
OCSP_ISSUER_NOT_FOUND 
OCSP_RESPONSE_MISSING_KEYUSAGE 
OCSP_RESPONSE_INVALID 
EXT_IN_V1_V2_CERT 
DUPLICATE_CERT_POLICY 
V2_IDENTIFIERS_IN_V1_CERT 
CERT_IS_REVOKED 
CRL_BAD_SIGNATURE 
SIGNATURE_ERROR 
CERT_PUBKEY_INVALID 
SIGNATURE_ALGO_UNKNOWN 
SIGNATURE_ALGO_BAD_PARAMS 

Definition at line 20 of file pkix_enums.h.

20 {
21 OK = 0,
22 VERIFIED = 0,
23
24 // Revocation status
28 OCSP_NO_HTTP = 4,
29
30 // Warnings
33 DN_TOO_LONG = 501,
36
37 // Errors
38 FIRST_ERROR_STATUS = 1000,
39
41 UNTRUSTED_HASH = 1001,
42 NO_REVOCATION_DATA = 1002,
43 NO_MATCHING_CRLDP = 1003,
45
46 // Time problems
47 CERT_NOT_YET_VALID = 2000,
48 CERT_HAS_EXPIRED = 2001,
49 OCSP_NOT_YET_VALID = 2002,
50 OCSP_HAS_EXPIRED = 2003,
51 CRL_NOT_YET_VALID = 2004,
52 CRL_HAS_EXPIRED = 2005,
53 OCSP_IS_TOO_OLD = 2006,
54
55 // Chain generation problems
58 CERT_CHAIN_LOOP = 3002,
61
62 // Validation errors
63 POLICY_ERROR = 4000,
64 INVALID_USAGE = 4001,
68
69 // Revocation errors
72 OCSP_BAD_STATUS = 4007,
73
74 // Other problems
75 CERT_NAME_NOMATCH = 4008,
82 EXT_IN_V1_V2_CERT = 4505,
85
86 // Hard failures
87 CERT_IS_REVOKED = 5000,
88 CRL_BAD_SIGNATURE = 5001,
89 SIGNATURE_ERROR = 5002,
93};

◆ Cipher_Dir

enum class Botan::Cipher_Dir : int
strong

The two possible directions for cipher filters, determining whether they actually perform encryption or decryption.

Enumerator
Encryption 
Decryption 
ENCRYPTION 
DECRYPTION 

Definition at line 26 of file cipher_mode.h.

26 : int {
29
30 ENCRYPTION BOTAN_DEPRECATED("Use Cipher_Dir::Encryption") = Encryption,
31 DECRYPTION BOTAN_DEPRECATED("Use Cipher_Dir::Decryption") = Decryption,
32};
#define BOTAN_DEPRECATED(msg)
Definition compiler.h:125

◆ CRL_Code

enum class Botan::CRL_Code : uint32_t
strong

X.509v2 CRL Reason Code.

Enumerator
Unspecified 
KeyCompromise 
CaCompromise 
AffiliationChanged 
Superseded 
CessationOfOperation 
CertificateHold 
RemoveFromCrl 
PrivilegeWithdrawn 
AaCompromise 

Definition at line 185 of file pkix_enums.h.

185 : uint32_t {
186 Unspecified = 0,
187 KeyCompromise = 1,
188 CaCompromise = 2,
190 Superseded = 4,
192 CertificateHold = 6,
193 RemoveFromCrl = 8,
195 AaCompromise = 10,
196};

◆ Decoder_Checking

The type of checking to be performed by decoders: NONE - no checks, IGNORE_WS - perform checks, but ignore whitespaces, FULL_CHECK - perform checks, also complain about white spaces.

Enumerator
NONE 
IGNORE_WS 
FULL_CHECK 

Definition at line 165 of file filter.h.

@ FULL_CHECK
Definition filter.h:165
@ NONE
Definition filter.h:165
@ IGNORE_WS
Definition filter.h:165

◆ DilithiumEta

enum Botan::DilithiumEta : uint32_t
Enumerator
Eta2 
Eta4 

Definition at line 56 of file dilithium_symmetric_primitives.h.

◆ DL_Group_Format

enum class Botan::DL_Group_Format
strong

The DL group encoding format variants.

Enumerator
ANSI_X9_42 
ANSI_X9_57 
PKCS_3 
DSA_PARAMETERS 
DH_PARAMETERS 
ANSI_X9_42_DH_PARAMETERS 
PKCS3_DH_PARAMETERS 

Definition at line 28 of file dl_group.h.

◆ DL_Group_Source

enum class Botan::DL_Group_Source
strong
Enumerator
Builtin 
RandomlyGenerated 
ExternalSource 

Definition at line 19 of file dl_group.h.

◆ EC_Group_Encoding

enum class Botan::EC_Group_Encoding
strong

This class represents elliptic curce domain parameters

Enumerator
Explicit 
ImplicitCA 
NamedCurve 
EC_DOMPAR_ENC_EXPLICIT 
EC_DOMPAR_ENC_IMPLICITCA 
EC_DOMPAR_ENC_OID 

Definition at line 24 of file ec_group.h.

◆ EC_Group_Source

enum class Botan::EC_Group_Source
strong
Enumerator
Builtin 
ExternalSource 

Definition at line 34 of file ec_group.h.

34 {
35 Builtin,
37};

◆ EC_Point_Format

enum class Botan::EC_Point_Format
strong
Enumerator
Uncompressed 
Compressed 
Hybrid 
UNCOMPRESSED 
COMPRESSED 
HYBRID 

Definition at line 19 of file ec_point.h.

19 {
20 Uncompressed = 0,
21 Compressed = 1,
22 Hybrid = 2,
23
24 UNCOMPRESSED BOTAN_DEPRECATED("Use EC_Point_Format::Uncompressed") = Uncompressed,
25 COMPRESSED BOTAN_DEPRECATED("Use EC_Point_Format::Compressed") = Compressed,
26 HYBRID BOTAN_DEPRECATED("Use EC_Point_Format::Hybrid") = Hybrid,
27};

◆ ECIES_Flags

enum class Botan::ECIES_Flags : uint32_t
strong
Enumerator
None 
SingleHashMode 

if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key

CofactorMode 

(decryption only) if set: use cofactor multiplication during (ecdh) key agreement

OldCofactorMode 

if set: use ecdhc instead of ecdh

CheckMode 

(decryption only) if set: test if the (ephemeral) public key is on the curve

NONE 
SINGLE_HASH_MODE 
COFACTOR_MODE 
OLD_COFACTOR_MODE 
CHECK_MODE 

Definition at line 27 of file ecies.h.

27 : uint32_t {
28 None = 0,
29 /// if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
31 /// (decryption only) if set: use cofactor multiplication during (ecdh) key agreement
32 CofactorMode = 2,
33 /// if set: use ecdhc instead of ecdh
35 /// (decryption only) if set: test if the (ephemeral) public key is on the curve
36 CheckMode = 8,
37
38 NONE BOTAN_DEPRECATED("Use None") = None,
39 SINGLE_HASH_MODE BOTAN_DEPRECATED("Use SingleHashMode") = SingleHashMode,
40 COFACTOR_MODE BOTAN_DEPRECATED("Use CofactorMode") = CofactorMode,
41 OLD_COFACTOR_MODE BOTAN_DEPRECATED("Use OldCofactorMode") = OldCofactorMode,
42 CHECK_MODE BOTAN_DEPRECATED("Use CheckMode") = CheckMode,
43};
@ CofactorMode
(decryption only) if set: use cofactor multiplication during (ecdh) key agreement
@ OldCofactorMode
if set: use ecdhc instead of ecdh
@ CheckMode
(decryption only) if set: test if the (ephemeral) public key is on the curve
@ SingleHashMode
if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key

◆ ErrorType

enum class Botan::ErrorType
strong

Different types of errors that might occur

Enumerator
Unknown 

Some unknown error

SystemError 

An error while calling a system interface

NotImplemented 

An operation seems valid, but not supported by the current version

OutOfMemory 

Memory allocation failure

InternalError 

An internal error occurred

IoError 

An I/O error occurred

InvalidObjectState 

Invalid object state

KeyNotSet 

A key was not set on an object when this is required

InvalidArgument 

The application provided an argument which is invalid

InvalidKeyLength 

A key with invalid length was provided

InvalidNonceLength 

A nonce with invalid length was provided

LookupError 

An object type was requested but cannot be found

EncodingFailure 

Encoding a message or datum failed

DecodingFailure 

Decoding a message or datum failed

TLSError 

A TLS error (error_code will be the alert type)

HttpError 

An error during an HTTP operation

InvalidTag 

A message with an invalid authentication tag was detected

RoughtimeError 

An error during Roughtime validation

CommonCryptoError 

An error when interacting with CommonCrypto API

Pkcs11Error 

An error when interacting with a PKCS11 device

TPMError 

An error when interacting with a TPM device

DatabaseError 

An error when interacting with a database

ZlibError 

An error when interacting with zlib

Bzip2Error 

An error when interacting with bzip2

LzmaError 

An error when interacting with lzma

Definition at line 20 of file exceptn.h.

20 {
21 /** Some unknown error */
22 Unknown = 1,
23 /** An error while calling a system interface */
25 /** An operation seems valid, but not supported by the current version */
27 /** Memory allocation failure */
29 /** An internal error occurred */
30 InternalError,
31 /** An I/O error occurred */
32 IoError,
33
34 /** Invalid object state */
36 /** A key was not set on an object when this is required */
38 /** The application provided an argument which is invalid */
40 /** A key with invalid length was provided */
42 /** A nonce with invalid length was provided */
44 /** An object type was requested but cannot be found */
46 /** Encoding a message or datum failed */
48 /** Decoding a message or datum failed */
50 /** A TLS error (error_code will be the alert type) */
52 /** An error during an HTTP operation */
54 /** A message with an invalid authentication tag was detected */
56 /** An error during Roughtime validation */
58
59 /** An error when interacting with CommonCrypto API */
61 /** An error when interacting with a PKCS11 device */
63 /** An error when interacting with a TPM device */
65 /** An error when interacting with a database */
67
68 /** An error when interacting with zlib */
69 ZlibError = 300,
70 /** An error when interacting with bzip2 */
72 /** An error when interacting with lzma */
74
75};

◆ MD_Endian

enum class Botan::MD_Endian
strong
Enumerator
Little 
Big 

Definition at line 20 of file mdx_hash.h.

20 {
21 Little,
22 Big,
23};

◆ PublicKeyOperation

enum class Botan::PublicKeyOperation
strong

Enumeration of possible operations a public key could be used for.

It is possible to query if a key supports a particular operation type using Asymmetric_Key::supports_operation()

Enumerator
Encryption 
Signature 
KeyEncapsulation 
KeyAgreement 

Definition at line 45 of file pk_keys.h.

◆ Signature_Format

enum class Botan::Signature_Format
strong

Enumeration specifying the signature format.

This is mostly used for requesting DER encoding of ECDSA signatures; most other algorithms only support "standard".

Enumerator
Standard 
DerSequence 
IEEE_1363 
DER_SEQUENCE 

Definition at line 31 of file pk_keys.h.

◆ Sphincs_Address_Type

enum class Botan::Sphincs_Address_Type : uint32_t
strong
Enumerator
WotsHash 
WotsPublicKeyCompression 
HashTree 
ForsTree 
ForsTreeRootsCompression 
WotsKeyGeneration 
ForsKeyGeneration 

Definition at line 20 of file sp_address.h.

◆ Sphincs_Hash_Type

enum class Botan::Sphincs_Hash_Type
strong
Enumerator
Shake256 
Sha256 
Haraka 

Haraka is currently not supported.

Definition at line 18 of file sp_parameters.h.

18 {
20 Sha256,
21 Haraka, ///< Haraka is currently not supported
22};
@ Haraka
Haraka is currently not supported.

◆ Sphincs_Parameter_Set

enum class Botan::Sphincs_Parameter_Set
strong
Enumerator
Sphincs128Small 
Sphincs128Fast 
Sphincs192Small 
Sphincs192Fast 
Sphincs256Small 
Sphincs256Fast 

Definition at line 24 of file sp_parameters.h.

◆ TPM_Storage_Type

enum class Botan::TPM_Storage_Type
strong
Enumerator
User 
System 

Definition at line 100 of file tpm.h.

100{ User, System };

◆ Usage_Type

enum class Botan::Usage_Type
strong
Enumerator
UNSPECIFIED 
TLS_SERVER_AUTH 
TLS_CLIENT_AUTH 
CERTIFICATE_AUTHORITY 
OCSP_RESPONDER 
ENCRYPTION 

Definition at line 22 of file x509cert.h.

◆ WOTS_Derivation_Method

enum class Botan::WOTS_Derivation_Method
strong

Determines how WOTS+ private keys are derived from the XMSS private key

Enumerator
Botan2x 

This roughly followed the suggestions in RFC 8391 but is vulnerable to a multi-target attack. For new private keys, we recommend using the derivation as suggested in NIST SP.800-208. Private keys generated with Botan 2.x will need to stay with this mode, otherwise they won't be able to generate valid signatures any longer.

NIST_SP800_208 

Derivation as specified in NIST SP.800-208 to avoid a multi-target attack on the WOTS+ key derivation suggested in RFC 8391. New private keys should use this mode.

Definition at line 136 of file xmss.h.

136 {
137 /// This roughly followed the suggestions in RFC 8391 but is vulnerable
138 /// to a multi-target attack. For new private keys, we recommend using
139 /// the derivation as suggested in NIST SP.800-208.
140 /// Private keys generated with Botan 2.x will need to stay with this mode,
141 /// otherwise they won't be able to generate valid signatures any longer.
142 Botan2x = 1,
143
144 /// Derivation as specified in NIST SP.800-208 to avoid a multi-target attack
145 /// on the WOTS+ key derivation suggested in RFC 8391. New private keys
146 /// should use this mode.
147 NIST_SP800_208 = 2,
148};

Function Documentation

◆ abs()

BigInt Botan::abs ( const BigInt & n)
inline

Return the absolute value

Parameters
nan integer
Returns
absolute value of n

Definition at line 22 of file numthry.h.

22 {
23 return n.abs();
24}
BigInt abs() const
Definition bigint.cpp:369

References Botan::BigInt::abs().

Referenced by gcd().

◆ allocate_memory()

BOTAN_MALLOC_FN void * Botan::allocate_memory ( size_t elems,
size_t elem_size )

Allocate a memory buffer by some method. This should only be used for primitive types (uint8_t, uint32_t, etc).

Parameters
elemsthe number of elements
elem_sizethe size of each element
Returns
pointer to allocated and zeroed memory, or throw std::bad_alloc on failure

Definition at line 20 of file allocator.cpp.

20 {
21 if(elems == 0 || elem_size == 0) {
22 return nullptr;
23 }
24
25 // Some calloc implementations do not check for overflow (?!?)
26
27 if(!BOTAN_CHECKED_MUL(elems, elem_size).has_value()) {
28 throw std::bad_alloc();
29 }
30
31#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
32 if(void* p = mlock_allocator::instance().allocate(elems, elem_size)) {
33 return p;
34 }
35#endif
36
37#if defined(BOTAN_TARGET_OS_HAS_ALLOC_CONCEAL)
38 void* ptr = ::calloc_conceal(elems, elem_size);
39#else
40 void* ptr = std::calloc(elems, elem_size); // NOLINT(*-no-malloc)
41#endif
42 if(!ptr) {
43 [[unlikely]] throw std::bad_alloc();
44 }
45 return ptr;
46}
#define BOTAN_CHECKED_MUL(x, y)
Definition safeint.h:74

References BOTAN_CHECKED_MUL, and Botan::mlock_allocator::instance().

Referenced by Botan::secure_allocator< T >::allocate().

◆ argon2()

void Botan::argon2 ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
const uint8_t key[],
size_t key_len,
const uint8_t ad[],
size_t ad_len,
uint8_t y,
size_t p,
size_t M,
size_t t )
inline

Argon2 key derivation function

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenthe length of password
saltthe salt
salt_lenlength of salt
keyan optional secret key
key_lenthe length of key
adan optional additional input
ad_lenthe length of ad
ythe Argon2 variant (0 = Argon2d, 1 = Argon2i, 2 = Argon2id)
pthe parallelization parameter
Mthe amount of memory to use in Kb
tthe number of iterations to use

Definition at line 144 of file argon2.h.

157 {
158 std::unique_ptr<PasswordHashFamily> pwdhash_fam;
159
160 if(y == 0) {
161 pwdhash_fam = PasswordHashFamily::create_or_throw("Argon2d");
162 } else if(y == 1) {
163 pwdhash_fam = PasswordHashFamily::create_or_throw("Argon2i");
164 } else if(y == 2) {
165 pwdhash_fam = PasswordHashFamily::create_or_throw("Argon2id");
166 } else {
167 throw Not_Implemented("Unknown Argon2 family type");
168 }
169
170 auto pwdhash = pwdhash_fam->from_params(M, t, p);
171
172 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len, ad, ad_len, key, key_len);
173}

◆ argon2_check_pwhash()

bool Botan::argon2_check_pwhash ( const char * password,
size_t password_len,
std::string_view hash )

Check a previously created password hash

Parameters
passwordthe password to check against
password_lenthe length of password
hashthe stored hash to check against

Definition at line 77 of file argon2fmt.cpp.

77 {
78 const std::vector<std::string> parts = split_on(input_hash, '$');
79
80 if(parts.size() != 5) {
81 return false;
82 }
83
84 uint8_t family = 0;
85
86 if(parts[0] == "argon2d") {
87 family = 0;
88 } else if(parts[0] == "argon2i") {
89 family = 1;
90 } else if(parts[0] == "argon2id") {
91 family = 2;
92 } else {
93 return false;
94 }
95
96 if(parts[1] != "v=19") {
97 return false;
98 }
99
100 const std::vector<std::string> params = split_on(parts[2], ',');
101
102 if(params.size() != 3) {
103 return false;
104 }
105
106 size_t M = 0, t = 0, p = 0;
107
108 for(const auto& param_str : params) {
109 const std::vector<std::string> param = split_on(param_str, '=');
110
111 if(param.size() != 2) {
112 return false;
113 }
114
115 std::string_view key = param[0];
116 const size_t val = to_u32bit(param[1]);
117 if(key == "m") {
118 M = val;
119 } else if(key == "t") {
120 t = val;
121 } else if(key == "p") {
122 p = val;
123 } else {
124 return false;
125 }
126 }
127
128 std::vector<uint8_t> salt(base64_decode_max_output(parts[3].size()));
129 salt.resize(base64_decode(salt.data(), parts[3], false));
130
131 std::vector<uint8_t> hash(base64_decode_max_output(parts[4].size()));
132 hash.resize(base64_decode(hash.data(), parts[4], false));
133
134 if(hash.size() < 4) {
135 return false;
136 }
137
138 std::vector<uint8_t> generated(hash.size());
139 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(family));
140 auto pwdhash = pwdhash_fam->from_params(M, t, p);
141
142 pwdhash->derive_key(generated.data(), generated.size(), password, password_len, salt.data(), salt.size());
143
144 return CT::is_equal(generated.data(), hash.data(), generated.size()).as_bool();
145}
uint32_t to_u32bit(std::string_view str_view)
Definition parsing.cpp:32
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:154
size_t base64_decode_max_output(size_t input_length)
Definition base64.cpp:186

References base64_decode(), base64_decode_max_output(), Botan::PasswordHashFamily::create_or_throw(), Botan::CT::is_equal(), split_on(), and to_u32bit().

◆ argon2_generate_pwhash()

std::string Botan::argon2_generate_pwhash ( const char * password,
size_t password_len,
RandomNumberGenerator & rng,
size_t p,
size_t M,
size_t t,
uint8_t y,
size_t salt_len,
size_t output_len )

Definition at line 42 of file argon2fmt.cpp.

50 {
51 std::vector<uint8_t> salt(salt_len);
52 rng.randomize(salt.data(), salt.size());
53
54 std::vector<uint8_t> output(output_len);
55
56 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(y));
57 auto pwdhash = pwdhash_fam->from_params(M, t, p);
58
59 pwdhash->derive_key(output.data(), output.size(), password, password_len, salt.data(), salt.size());
60
61 const auto enc_salt = strip_padding(base64_encode(salt));
62 const auto enc_output = strip_padding(base64_encode(output));
63
64 const std::string argon2_mode = [&]() -> std::string {
65 if(y == 0) {
66 return "d";
67 } else if(y == 1) {
68 return "i";
69 } else {
70 return "id";
71 }
72 }();
73
74 return fmt("$argon2{}$v=19$m={},t={},p={}${}${}", argon2_mode, M, t, p, enc_salt, enc_output);
75}
void randomize(std::span< uint8_t > output)
Definition rng.h:52
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:146

References base64_encode(), Botan::PasswordHashFamily::create_or_throw(), fmt(), and Botan::RandomNumberGenerator::randomize().

◆ asn1_class_to_string()

std::string BOTAN_UNSTABLE_API Botan::asn1_class_to_string ( ASN1_Class type)

Definition at line 74 of file asn1_obj.cpp.

74 {
75 switch(type) {
76 case ASN1_Class::Universal:
77 return "UNIVERSAL";
78 case ASN1_Class::Constructed:
79 return "CONSTRUCTED";
80 case ASN1_Class::ContextSpecific:
81 return "CONTEXT_SPECIFIC";
82 case ASN1_Class::Application:
83 return "APPLICATION";
84 case ASN1_Class::Private:
85 return "PRIVATE";
86 case ASN1_Class::NoObject:
87 return "NO_OBJECT";
88 default:
89 return "CLASS(" + std::to_string(static_cast<size_t>(type)) + ")";
90 }
91}

References Application, Constructed, ContextSpecific, NoObject, Private, and Universal.

Referenced by Botan::BER_Object::assert_is_a().

◆ asn1_tag_to_string()

std::string BOTAN_UNSTABLE_API Botan::asn1_tag_to_string ( ASN1_Type type)

Definition at line 93 of file asn1_obj.cpp.

93 {
94 switch(type) {
95 case ASN1_Type::Sequence:
96 return "SEQUENCE";
97
98 case ASN1_Type::Set:
99 return "SET";
100
101 case ASN1_Type::PrintableString:
102 return "PRINTABLE STRING";
103
104 case ASN1_Type::NumericString:
105 return "NUMERIC STRING";
106
107 case ASN1_Type::Ia5String:
108 return "IA5 STRING";
109
110 case ASN1_Type::TeletexString:
111 return "T61 STRING";
112
113 case ASN1_Type::Utf8String:
114 return "UTF8 STRING";
115
116 case ASN1_Type::VisibleString:
117 return "VISIBLE STRING";
118
119 case ASN1_Type::BmpString:
120 return "BMP STRING";
121
122 case ASN1_Type::UniversalString:
123 return "UNIVERSAL STRING";
124
125 case ASN1_Type::UtcTime:
126 return "UTC TIME";
127
128 case ASN1_Type::GeneralizedTime:
129 return "GENERALIZED TIME";
130
131 case ASN1_Type::OctetString:
132 return "OCTET STRING";
133
134 case ASN1_Type::BitString:
135 return "BIT STRING";
136
137 case ASN1_Type::Enumerated:
138 return "ENUMERATED";
139
140 case ASN1_Type::Integer:
141 return "INTEGER";
142
143 case ASN1_Type::Null:
144 return "NULL";
145
146 case ASN1_Type::ObjectId:
147 return "OBJECT";
148
149 case ASN1_Type::Boolean:
150 return "BOOLEAN";
151
152 case ASN1_Type::NoObject:
153 return "NO_OBJECT";
154
155 default:
156 return "TAG(" + std::to_string(static_cast<uint32_t>(type)) + ")";
157 }
158}

References BitString, BmpString, Boolean, Enumerated, GeneralizedTime, Ia5String, Integer, NoObject, Null, NumericString, ObjectId, OctetString, PrintableString, Sequence, Set, TeletexString, UniversalString, UtcTime, Utf8String, and VisibleString.

Referenced by Botan::BER_Object::assert_is_a().

◆ assert_unreachable()

void BOTAN_UNSTABLE_API Botan::assert_unreachable ( const char * file,
int line )

Definition at line 54 of file assert.cpp.

54 {
55 const std::string msg = fmt("Codepath that was marked unreachable was reached @{}:{}", file, line);
56
57#if defined(BOTAN_TERMINATE_ON_ASSERTS)
58 std::cerr << msg << '\n';
59 std::abort();
60#else
61 throw Internal_Error(msg);
62#endif
63}

References fmt().

◆ assertion_failure()

void Botan::assertion_failure ( const char * expr_str,
const char * assertion_made,
const char * func,
const char * file,
int line )

Called when an assertion fails Throws an Exception object

Definition at line 29 of file assert.cpp.

29 {
30 std::ostringstream format;
31
32 format << "False assertion ";
33
34 if(assertion_made && assertion_made[0] != 0) {
35 format << "'" << assertion_made << "' (expression " << expr_str << ") ";
36 } else {
37 format << expr_str << " ";
38 }
39
40 if(func) {
41 format << "in " << func << " ";
42 }
43
44 format << "@" << file << ":" << line;
45
46#if defined(BOTAN_TERMINATE_ON_ASSERTS)
47 std::cerr << format.str() << '\n';
48 std::abort();
49#else
50 throw Internal_Error(format.str());
51#endif
52}

◆ base32_decode() [1/5]

secure_vector< uint8_t > Botan::base32_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base32 decoding

Parameters
inputsome base32 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 164 of file base32.cpp.

164 {
165 return base_decode_to_vec<secure_vector<uint8_t>>(Base32(), input, input_length, ignore_ws);
166}

◆ base32_decode() [2/5]

secure_vector< uint8_t > Botan::base32_decode ( std::string_view input,
bool ignore_ws = true )

Perform base32 decoding

Parameters
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 168 of file base32.cpp.

168 {
169 return base32_decode(input.data(), input.size(), ignore_ws);
170}
size_t base32_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base32.cpp:151

References base32_decode().

◆ base32_decode() [3/5]

size_t Botan::base32_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 151 of file base32.cpp.

152 {
153 return base_decode(Base32(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
154}
size_t base_decode(Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition codec_base.h:112

References base_decode().

Referenced by base32_decode(), and base32_decode().

◆ base32_decode() [4/5]

size_t Botan::base32_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 156 of file base32.cpp.

156 {
157 return base_decode_full(Base32(), output, input, input_length, ignore_ws);
158}
size_t base_decode_full(Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition codec_base.h:171

References base_decode_full().

◆ base32_decode() [5/5]

size_t Botan::base32_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 160 of file base32.cpp.

160 {
161 return base32_decode(output, input.data(), input.length(), ignore_ws);
162}

References base32_decode().

◆ base32_encode() [1/3]

size_t Botan::base32_encode ( char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform base32 encoding

Parameters
outputan array of at least base32_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 143 of file base32.cpp.

143 {
144 return base_encode(Base32(), out, in, input_length, input_consumed, final_inputs);
145}
size_t base_encode(Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition codec_base.h:34

References base_encode().

Referenced by base32_encode().

◆ base32_encode() [2/3]

std::string Botan::base32_encode ( const uint8_t input[],
size_t input_length )

Perform base32 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base32 representation of input

Definition at line 147 of file base32.cpp.

147 {
148 return base_encode_to_string(Base32(), input, input_length);
149}
std::string base_encode_to_string(Base &&base, const uint8_t input[], size_t input_length)
Definition codec_base.h:78

References base_encode_to_string().

◆ base32_encode() [3/3]

std::string Botan::base32_encode ( std::span< const uint8_t > input)
inline

Perform base32 encoding

Parameters
inputsome input
Returns
base32 representation of input

Definition at line 47 of file base32.h.

47 {
48 return base32_encode(input.data(), input.size());
49}
size_t base32_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base32.cpp:143

References base32_encode().

◆ base58_check_decode() [1/2]

std::vector< uint8_t > Botan::base58_check_decode ( const char input[],
size_t input_length )

Perform base58 decoding with checksum

Definition at line 166 of file base58.cpp.

166 {
167 std::vector<uint8_t> dec = base58_decode(input, input_length);
168
169 if(dec.size() < 4) {
170 throw Decoding_Error("Invalid base58 too short for checksum");
171 }
172
173 const uint32_t computed_checksum = sha256_d_checksum(dec.data(), dec.size() - 4);
174 const uint32_t checksum = load_be<uint32_t>(&dec[dec.size() - 4], 0);
175
176 if(checksum != computed_checksum) {
177 throw Decoding_Error("Invalid base58 checksum");
178 }
179
180 dec.resize(dec.size() - 4);
181
182 return dec;
183}
std::vector< uint8_t > base58_decode(const char input[], size_t input_length)
Definition base58.cpp:139

References base58_decode().

Referenced by base58_check_decode().

◆ base58_check_decode() [2/2]

std::vector< uint8_t > Botan::base58_check_decode ( std::string_view s)
inline

Definition at line 58 of file base58.h.

58 {
59 return base58_check_decode(s.data(), s.size());
60}
std::vector< uint8_t > base58_check_decode(const char input[], size_t input_length)
Definition base58.cpp:166

References base58_check_decode().

◆ base58_check_encode() [1/2]

std::string Botan::base58_check_encode ( const uint8_t input[],
size_t input_length )

Perform base58 encoding with checksum

Definition at line 132 of file base58.cpp.

132 {
133 BigInt v(input, input_length);
134 v <<= 32;
135 v += sha256_d_checksum(input, input_length);
136 return base58_encode(v, count_leading_zeros(input, input_length, 0));
137}
std::string base58_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:127

References base58_encode().

Referenced by base58_check_encode().

◆ base58_check_encode() [2/2]

std::string Botan::base58_check_encode ( std::span< const uint8_t > vec)
inline

Definition at line 50 of file base58.h.

50 {
51 return base58_check_encode(vec.data(), vec.size());
52}
std::string base58_check_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:132

References base58_check_encode().

◆ base58_decode() [1/2]

std::vector< uint8_t > Botan::base58_decode ( const char input[],
size_t input_length )

Perform base58 decoding

This is raw base58 encoding, without the checksum

Definition at line 139 of file base58.cpp.

139 {
140 const size_t leading_zeros = count_leading_zeros(input, input_length, '1');
141
142 BigInt v;
143
144 for(size_t i = leading_zeros; i != input_length; ++i) {
145 const char c = input[i];
146
147 if(c == ' ' || c == '\n') {
148 continue;
149 }
150
151 const uint8_t idx = base58_value_of(c);
152
153 if(idx == 0xFF) {
154 throw Decoding_Error("Invalid base58");
155 }
156
157 v *= 58;
158 v += idx;
159 }
160
161 std::vector<uint8_t> output(v.bytes() + leading_zeros);
162 v.binary_encode(output.data() + leading_zeros);
163 return output;
164}
void binary_encode(uint8_t buf[]) const
Definition bigint.cpp:375
size_t bytes() const
Definition bigint.cpp:277

References Botan::BigInt::binary_encode(), and Botan::BigInt::bytes().

Referenced by base58_check_decode(), and base58_decode().

◆ base58_decode() [2/2]

std::vector< uint8_t > Botan::base58_decode ( std::string_view s)
inline

Definition at line 54 of file base58.h.

54 {
55 return base58_decode(s.data(), s.size());
56}

References base58_decode().

◆ base58_encode() [1/2]

std::string Botan::base58_encode ( const uint8_t input[],
size_t input_length )

Perform base58 encoding

This is raw base58 encoding, without the checksum

Definition at line 127 of file base58.cpp.

127 {
128 BigInt v(input, input_length);
129 return base58_encode(v, count_leading_zeros(input, input_length, 0));
130}

References base58_encode().

Referenced by base58_check_encode(), base58_encode(), and base58_encode().

◆ base58_encode() [2/2]

std::string Botan::base58_encode ( std::span< const uint8_t > vec)
inline

Definition at line 46 of file base58.h.

46 {
47 return base58_encode(vec.data(), vec.size());
48}

References base58_encode().

◆ base64_decode() [1/6]

secure_vector< uint8_t > Botan::base64_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base64 decoding

Parameters
inputsome base64 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 174 of file base64.cpp.

174 {
175 return base_decode_to_vec<secure_vector<uint8_t>>(Base64(), input, input_length, ignore_ws);
176}

◆ base64_decode() [2/6]

size_t Botan::base64_decode ( std::span< uint8_t > output,
std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputa contiguous byte buffer of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 167 of file base64.cpp.

167 {
168 if(output.size() < base64_decode_max_output(input.size())) {
169 throw Invalid_Argument("base64_decode: output buffer is too short");
170 }
171 return base64_decode(output.data(), input.data(), input.length(), ignore_ws);
172}

References base64_decode(), and base64_decode_max_output().

◆ base64_decode() [3/6]

secure_vector< uint8_t > Botan::base64_decode ( std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 178 of file base64.cpp.

178 {
179 return base64_decode(input.data(), input.size(), ignore_ws);
180}

References base64_decode().

◆ base64_decode() [4/6]

size_t Botan::base64_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 154 of file base64.cpp.

155 {
156 return base_decode(Base64(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
157}

References base_decode().

Referenced by argon2_check_pwhash(), base64_decode(), base64_decode(), base64_decode(), botan_base64_decode(), Botan::Roughtime::Chain::Chain(), check_passhash9(), Botan::PEM_Code::decode(), Botan::Base64_Decoder::end_msg(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::list_names(), Botan::Roughtime::servers_from_str(), and Botan::Base64_Decoder::write().

◆ base64_decode() [5/6]

size_t Botan::base64_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 159 of file base64.cpp.

159 {
160 return base_decode_full(Base64(), output, input, input_length, ignore_ws);
161}

References base_decode_full().

◆ base64_decode() [6/6]

size_t Botan::base64_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 163 of file base64.cpp.

163 {
164 return base64_decode(output, input.data(), input.length(), ignore_ws);
165}

References base64_decode().

◆ base64_decode_max_output()

size_t Botan::base64_decode_max_output ( size_t input_length)

Calculate the size of output buffer for base64_decode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 186 of file base64.cpp.

186 {
187 return Base64::decode_max_output(input_length);
188}

Referenced by argon2_check_pwhash(), base64_decode(), and botan_base64_decode().

◆ base64_encode() [1/3]

size_t Botan::base64_encode ( char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform base64 encoding

Parameters
outputan array of at least base64_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 146 of file base64.cpp.

146 {
147 return base_encode(Base64(), out, in, input_length, input_consumed, final_inputs);
148}

References base_encode().

Referenced by argon2_generate_pwhash(), Botan::OCSP::Request::base64_encode(), base64_encode(), botan_base64_encode(), Botan::PEM_Code::encode(), generate_passhash9(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), Botan::Encrypted_PSK_Database::set(), and Botan::Roughtime::Chain::to_string().

◆ base64_encode() [2/3]

std::string Botan::base64_encode ( const uint8_t input[],
size_t input_length )

Perform base64 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base64adecimal representation of input

Definition at line 150 of file base64.cpp.

150 {
151 return base_encode_to_string(Base64(), input, input_length);
152}

References base_encode_to_string().

◆ base64_encode() [3/3]

std::string Botan::base64_encode ( std::span< const uint8_t > input)
inline

Perform base64 encoding

Parameters
inputsome input
Returns
base64adecimal representation of input

Definition at line 47 of file base64.h.

47 {
48 return base64_encode(input.data(), input.size());
49}

References base64_encode().

◆ base64_encode_max_output()

size_t Botan::base64_encode_max_output ( size_t input_length)

Calculate the size of output buffer for base64_encode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 182 of file base64.cpp.

182 {
183 return Base64::encode_max_output(input_length);
184}

◆ base_decode()

template<typename Base >
size_t Botan::base_decode ( Base && base,
uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform decoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least Base::decode_max_output bytes
inputsome base input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 112 of file codec_base.h.

118 {
119 const size_t decoding_bytes_in = base.decoding_bytes_in();
120 const size_t decoding_bytes_out = base.decoding_bytes_out();
121
122 uint8_t* out_ptr = output;
123 std::vector<uint8_t> decode_buf(decoding_bytes_in, 0);
124 size_t decode_buf_pos = 0;
125 size_t final_truncate = 0;
126
127 clear_mem(output, base.decode_max_output(input_length));
128
129 for(size_t i = 0; i != input_length; ++i) {
130 const uint8_t bin = base.lookup_binary_value(input[i]);
131
132 // This call might throw Invalid_Argument
133 if(base.check_bad_char(bin, input[i], ignore_ws)) {
134 decode_buf[decode_buf_pos] = bin;
135 ++decode_buf_pos;
136 }
137
138 /*
139 * If we're at the end of the input, pad with 0s and truncate
140 */
141 if(final_inputs && (i == input_length - 1)) {
142 if(decode_buf_pos) {
143 for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j) {
144 decode_buf[j] = 0;
145 }
146
147 final_truncate = decoding_bytes_in - decode_buf_pos;
148 decode_buf_pos = decoding_bytes_in;
149 }
150 }
151
152 if(decode_buf_pos == decoding_bytes_in) {
153 base.decode(out_ptr, decode_buf.data());
154
155 out_ptr += decoding_bytes_out;
156 decode_buf_pos = 0;
157 input_consumed = i + 1;
158 }
159 }
160
161 while(input_consumed < input_length && base.lookup_binary_value(input[input_consumed]) == 0x80) {
162 ++input_consumed;
163 }
164
165 size_t written = (out_ptr - output) - base.bytes_to_remove(final_truncate);
166
167 return written;
168}
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120

References clear_mem().

Referenced by base32_decode(), base64_decode(), and base_decode_full().

◆ base_decode_full()

template<typename Base >
size_t Botan::base_decode_full ( Base && base,
uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws )

Definition at line 171 of file codec_base.h.

171 {
172 size_t consumed = 0;
173 const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws);
174
175 if(consumed != input_length) {
176 throw Invalid_Argument(base.name() + " decoding failed, input did not have full bytes");
177 }
178
179 return written;
180}

References base_decode().

Referenced by base32_decode(), base64_decode(), and base_decode_to_vec().

◆ base_decode_to_vec()

template<typename Vector , typename Base >
Vector Botan::base_decode_to_vec ( Base && base,
const char input[],
size_t input_length,
bool ignore_ws )

Definition at line 183 of file codec_base.h.

183 {
184 const size_t output_length = base.decode_max_output(input_length);
185 Vector bin(output_length);
186
187 const size_t written = base_decode_full(base, bin.data(), input, input_length, ignore_ws);
188
189 bin.resize(written);
190 return bin;
191}

References base_decode_full().

◆ base_encode()

template<class Base >
size_t Botan::base_encode ( Base && base,
char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform encoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least base.encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 34 of file codec_base.h.

35 {
36 input_consumed = 0;
37
38 const size_t encoding_bytes_in = base.encoding_bytes_in();
39 const size_t encoding_bytes_out = base.encoding_bytes_out();
40
41 size_t input_remaining = input_length;
42 size_t output_produced = 0;
43
44 while(input_remaining >= encoding_bytes_in) {
45 base.encode(output + output_produced, input + input_consumed);
46
47 input_consumed += encoding_bytes_in;
48 output_produced += encoding_bytes_out;
49 input_remaining -= encoding_bytes_in;
50 }
51
52 if(final_inputs && input_remaining) {
53 std::vector<uint8_t> remainder(encoding_bytes_in, 0);
54 for(size_t i = 0; i != input_remaining; ++i) {
55 remainder[i] = input[input_consumed + i];
56 }
57
58 base.encode(output + output_produced, remainder.data());
59
60 const size_t bits_consumed = base.bits_consumed();
61 const size_t remaining_bits_before_padding = base.remaining_bits_before_padding();
62
63 size_t empty_bits = 8 * (encoding_bytes_in - input_remaining);
64 size_t index = output_produced + encoding_bytes_out - 1;
65 while(empty_bits >= remaining_bits_before_padding) {
66 output[index--] = '=';
67 empty_bits -= bits_consumed;
68 }
69
70 input_consumed += input_remaining;
71 output_produced += encoding_bytes_out;
72 }
73
74 return output_produced;
75}

Referenced by base32_encode(), base64_encode(), and base_encode_to_string().

◆ base_encode_to_string()

template<typename Base >
std::string Botan::base_encode_to_string ( Base && base,
const uint8_t input[],
size_t input_length )

Definition at line 78 of file codec_base.h.

78 {
79 const size_t output_length = base.encode_max_output(input_length);
80 std::string output(output_length, 0);
81
82 size_t consumed = 0;
83 size_t produced = 0;
84
85 if(output_length > 0) {
86 produced = base_encode(base, &output.front(), input, input_length, consumed, true);
87 }
88
89 BOTAN_ASSERT_EQUAL(consumed, input_length, "Consumed the entire input");
90 BOTAN_ASSERT_EQUAL(produced, output.size(), "Produced expected size");
91
92 return output;
93}
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:68

References base_encode(), and BOTAN_ASSERT_EQUAL.

Referenced by base32_encode(), and base64_encode().

◆ basecase_mul()

void Botan::basecase_mul ( word z[],
size_t z_size,
const word x[],
size_t x_size,
const word y[],
size_t y_size )

Basecase O(N^2) multiplication

Definition at line 20 of file mp_karat.cpp.

20 {
21 if(z_size < x_size + y_size) {
22 throw Invalid_Argument("basecase_mul z_size too small");
23 }
24
25 const size_t x_size_8 = x_size - (x_size % 8);
26
27 clear_mem(z, z_size);
28
29 for(size_t i = 0; i != y_size; ++i) {
30 const word y_i = y[i];
31
32 word carry = 0;
33
34 for(size_t j = 0; j != x_size_8; j += 8) {
35 carry = word8_madd3(z + i + j, x + j, y_i, carry);
36 }
37
38 for(size_t j = x_size_8; j != x_size; ++j) {
39 z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry);
40 }
41
42 z[x_size + i] = carry;
43 }
44}
word word_madd3(word a, word b, word c, word *d)
Definition mp_asmi.h:91
void carry(int64_t &h0, int64_t &h1)

References carry(), clear_mem(), word8_madd3(), and word_madd3().

Referenced by bigint_mul().

◆ basecase_sqr()

void Botan::basecase_sqr ( word z[],
size_t z_size,
const word x[],
size_t x_size )

Basecase O(N^2) squaring

Definition at line 46 of file mp_karat.cpp.

46 {
47 if(z_size < 2 * x_size) {
48 throw Invalid_Argument("basecase_sqr z_size too small");
49 }
50
51 const size_t x_size_8 = x_size - (x_size % 8);
52
53 clear_mem(z, z_size);
54
55 for(size_t i = 0; i != x_size; ++i) {
56 const word x_i = x[i];
57
58 word carry = 0;
59
60 for(size_t j = 0; j != x_size_8; j += 8) {
61 carry = word8_madd3(z + i + j, x + j, x_i, carry);
62 }
63
64 for(size_t j = x_size_8; j != x_size; ++j) {
65 z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry);
66 }
67
68 z[x_size + i] = carry;
69 }
70}

References carry(), clear_mem(), word8_madd3(), and word_madd3().

Referenced by bigint_sqr().

◆ bcrypt_pbkdf()

void Botan::bcrypt_pbkdf ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
size_t rounds )
inline

Bcrypt PBKDF compatible with OpenBSD bcrypt_pbkdf

Definition at line 74 of file bcrypt_pbkdf.h.

80 {
81 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Bcrypt-PBKDF");
82 auto pwdhash = pwdhash_fam->from_params(rounds);
83 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
84}

◆ bigint_add2()

void Botan::bigint_add2 ( word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Two operand addition

Parameters
xthe first operand (and output)
x_sizesize of x
ythe second operand
y_sizesize of y (must be <= x_size)

Definition at line 259 of file mp_core.h.

259 {
260 x[x_size] += bigint_add2_nc(x, x_size, y, y_size);
261}
word bigint_add2_nc(word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_core.h:203

References bigint_add2_nc().

Referenced by Botan::BigInt::add().

◆ bigint_add2_nc()

word Botan::bigint_add2_nc ( word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Two operand addition with carry out

Definition at line 203 of file mp_core.h.

203 {
204 word carry = 0;
205
206 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
207
208 const size_t blocks = y_size - (y_size % 8);
209
210 for(size_t i = 0; i != blocks; i += 8) {
211 carry = word8_add2(x + i, y + i, carry);
212 }
213
214 for(size_t i = blocks; i != y_size; ++i) {
215 x[i] = word_add(x[i], y[i], &carry);
216 }
217
218 for(size_t i = y_size; i != x_size; ++i) {
219 x[i] = word_add(x[i], 0, &carry);
220 }
221
222 return carry;
223}
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
word word8_add2(word x[8], const word y[8], word carry)
Definition mp_asmi.h:265
word word_add(word x, word y, word *carry)
Definition mp_asmi.h:237

References BOTAN_ASSERT, carry(), word8_add2(), and word_add().

Referenced by bigint_add2().

◆ bigint_add3()

void Botan::bigint_add3 ( word z[],
const word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Three operand addition

Definition at line 266 of file mp_core.h.

266 {
267 z[x_size > y_size ? x_size : y_size] += bigint_add3_nc(z, x, x_size, y, y_size);
268}
word bigint_add3_nc(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_core.h:228

References bigint_add3_nc().

Referenced by Botan::BigInt::add2().

◆ bigint_add3_nc()

word Botan::bigint_add3_nc ( word z[],
const word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Three operand addition with carry out

Definition at line 228 of file mp_core.h.

228 {
229 if(x_size < y_size) {
230 return bigint_add3_nc(z, y, y_size, x, x_size);
231 }
232
233 word carry = 0;
234
235 const size_t blocks = y_size - (y_size % 8);
236
237 for(size_t i = 0; i != blocks; i += 8) {
238 carry = word8_add3(z + i, x + i, y + i, carry);
239 }
240
241 for(size_t i = blocks; i != y_size; ++i) {
242 z[i] = word_add(x[i], y[i], &carry);
243 }
244
245 for(size_t i = y_size; i != x_size; ++i) {
246 z[i] = word_add(x[i], 0, &carry);
247 }
248
249 return carry;
250}

References bigint_add3_nc(), carry(), word8_add3(), and word_add().

Referenced by bigint_add3(), bigint_add3_nc(), Botan::BigInt::mod_add(), and redc_p521().

◆ bigint_cmp()

int32_t Botan::bigint_cmp ( const word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Compare x and y Return -1 if x < y Return 0 if x == y Return 1 if x > y

Definition at line 490 of file mp_core.h.

490 {
491 static_assert(sizeof(word) >= sizeof(uint32_t), "Size assumption");
492
493 const word LT = static_cast<word>(-1);
494 const word EQ = 0;
495 const word GT = 1;
496
497 const size_t common_elems = std::min(x_size, y_size);
498
499 word result = EQ; // until found otherwise
500
501 for(size_t i = 0; i != common_elems; i++) {
502 const auto is_eq = CT::Mask<word>::is_equal(x[i], y[i]);
503 const auto is_lt = CT::Mask<word>::is_lt(x[i], y[i]);
504
505 result = is_eq.select(result, is_lt.select(LT, GT));
506 }
507
508 if(x_size < y_size) {
509 word mask = 0;
510 for(size_t i = x_size; i != y_size; i++) {
511 mask |= y[i];
512 }
513
514 // If any bits were set in high part of y, then x < y
515 result = CT::Mask<word>::is_zero(mask).select(result, LT);
516 } else if(y_size < x_size) {
517 word mask = 0;
518 for(size_t i = y_size; i != x_size; i++) {
519 mask |= x[i];
520 }
521
522 // If any bits were set in high part of x, then x > y
523 result = CT::Mask<word>::is_zero(mask).select(result, GT);
524 }
525
526 CT::unpoison(result);
527 BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ);
528 return static_cast<int32_t>(result);
529}
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98

References BOTAN_DEBUG_ASSERT, Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::unpoison().

Referenced by Botan::BigInt::add(), bigint_sub_abs(), Botan::BigInt::cmp(), Botan::BigInt::cmp_word(), and gcd().

◆ bigint_cnd_abs()

void Botan::bigint_cnd_abs ( word cnd,
word x[],
size_t size )
inline

Definition at line 190 of file mp_core.h.

190 {
191 const auto mask = CT::Mask<word>::expand(cnd);
192
193 word carry = mask.if_set_return(1);
194 for(size_t i = 0; i != size; ++i) {
195 const word z = word_add(~x[i], 0, &carry);
196 x[i] = mask.select(z, x[i]);
197 }
198}

References carry(), Botan::CT::Mask< T >::expand(), and word_add().

◆ bigint_cnd_add() [1/2]

word Botan::bigint_cnd_add ( word cnd,
word x[],
const word y[],
size_t size )
inline

Definition at line 72 of file mp_core.h.

72 {
73 return bigint_cnd_add(cnd, x, size, y, size);
74}
word bigint_cnd_add(word cnd, word x[], word x_size, const word y[], size_t y_size)
Definition mp_core.h:40

References bigint_cnd_add().

◆ bigint_cnd_add() [2/2]

word Botan::bigint_cnd_add ( word cnd,
word x[],
word x_size,
const word y[],
size_t y_size )
inline

Definition at line 40 of file mp_core.h.

40 {
41 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
42
43 const auto mask = CT::Mask<word>::expand(cnd);
44
45 word carry = 0;
46
47 const size_t blocks = y_size - (y_size % 8);
48 word z[8] = {0};
49
50 for(size_t i = 0; i != blocks; i += 8) {
51 carry = word8_add3(z, x + i, y + i, carry);
52 mask.select_n(x + i, z, x + i, 8);
53 }
54
55 for(size_t i = blocks; i != y_size; ++i) {
56 z[0] = word_add(x[i], y[i], &carry);
57 x[i] = mask.select(z[0], x[i]);
58 }
59
60 for(size_t i = y_size; i != x_size; ++i) {
61 z[0] = word_add(x[i], 0, &carry);
62 x[i] = mask.select(z[0], x[i]);
63 }
64
65 return mask.if_set_return(carry);
66}

References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), word8_add3(), and word_add().

Referenced by bigint_cnd_add(), Botan::BigInt::ct_cond_add(), redc_p192(), redc_p224(), redc_p256(), and redc_p384().

◆ bigint_cnd_add_or_sub()

void Botan::bigint_cnd_add_or_sub ( CT::Mask< word > mask,
word x[],
const word y[],
size_t size )
inline

Definition at line 123 of file mp_core.h.

123 {
124 const size_t blocks = size - (size % 8);
125
126 word carry = 0;
127 word borrow = 0;
128
129 word t0[8] = {0};
130 word t1[8] = {0};
131
132 for(size_t i = 0; i != blocks; i += 8) {
133 carry = word8_add3(t0, x + i, y + i, carry);
134 borrow = word8_sub3(t1, x + i, y + i, borrow);
135
136 for(size_t j = 0; j != 8; ++j) {
137 x[i + j] = mask.select(t0[j], t1[j]);
138 }
139 }
140
141 for(size_t i = blocks; i != size; ++i) {
142 const word a = word_add(x[i], y[i], &carry);
143 const word s = word_sub(x[i], y[i], &borrow);
144
145 x[i] = mask.select(a, s);
146 }
147}
T select(T x, T y) const
Definition ct_utils.h:228
word word8_sub3(word z[8], const word x[8], const word y[8], word carry)
Definition mp_asmi.h:413
word word_sub(word x, word y, word *carry)
Definition mp_asmi.h:326
word word8_add3(word z[8], const word x[8], const word y[8], word carry)
Definition mp_asmi.h:296

References carry(), Botan::CT::Mask< T >::select(), word8_add3(), word8_sub3(), word_add(), and word_sub().

◆ bigint_cnd_addsub()

word Botan::bigint_cnd_addsub ( CT::Mask< word > mask,
word x[],
const word y[],
const word z[],
size_t size )
inline

Definition at line 158 of file mp_core.h.

158 {
159 const size_t blocks = size - (size % 8);
160
161 word carry = 0;
162 word borrow = 0;
163
164 word t0[8] = {0};
165 word t1[8] = {0};
166
167 for(size_t i = 0; i != blocks; i += 8) {
168 carry = word8_add3(t0, x + i, y + i, carry);
169 borrow = word8_sub3(t1, x + i, z + i, borrow);
170
171 for(size_t j = 0; j != 8; ++j) {
172 x[i + j] = mask.select(t0[j], t1[j]);
173 }
174 }
175
176 for(size_t i = blocks; i != size; ++i) {
177 t0[0] = word_add(x[i], y[i], &carry);
178 t1[0] = word_sub(x[i], z[i], &borrow);
179 x[i] = mask.select(t0[0], t1[0]);
180 }
181
182 return mask.select(carry, borrow);
183}

References carry(), Botan::CT::Mask< T >::select(), word8_add3(), word8_sub3(), word_add(), and word_sub().

Referenced by bigint_mod_sub(), and bigint_mod_sub_n().

◆ bigint_cnd_sub() [1/2]

word Botan::bigint_cnd_sub ( word cnd,
word x[],
const word y[],
size_t size )
inline

Definition at line 112 of file mp_core.h.

112 {
113 return bigint_cnd_sub(cnd, x, size, y, size);
114}
word bigint_cnd_sub(word cnd, word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_core.h:80

References bigint_cnd_sub().

◆ bigint_cnd_sub() [2/2]

word Botan::bigint_cnd_sub ( word cnd,
word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Definition at line 80 of file mp_core.h.

80 {
81 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
82
83 const auto mask = CT::Mask<word>::expand(cnd);
84
85 word carry = 0;
86
87 const size_t blocks = y_size - (y_size % 8);
88 word z[8] = {0};
89
90 for(size_t i = 0; i != blocks; i += 8) {
91 carry = word8_sub3(z, x + i, y + i, carry);
92 mask.select_n(x + i, z, x + i, 8);
93 }
94
95 for(size_t i = blocks; i != y_size; ++i) {
96 z[0] = word_sub(x[i], y[i], &carry);
97 x[i] = mask.select(z[0], x[i]);
98 }
99
100 for(size_t i = y_size; i != x_size; ++i) {
101 z[0] = word_sub(x[i], 0, &carry);
102 x[i] = mask.select(z[0], x[i]);
103 }
104
105 return mask.if_set_return(carry);
106}

References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), word8_sub3(), and word_sub().

Referenced by bigint_cnd_sub(), and redc_p521().

◆ bigint_cnd_swap()

void Botan::bigint_cnd_swap ( word cnd,
word x[],
word y[],
size_t size )
inline

Definition at line 29 of file mp_core.h.

29 {
30 const auto mask = CT::Mask<word>::expand(cnd);
31
32 for(size_t i = 0; i != size; ++i) {
33 const word a = x[i];
34 const word b = y[i];
35 x[i] = mask.select(b, a);
36 y[i] = mask.select(a, b);
37 }
38}

References Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_cond_swap().

◆ bigint_comba_mul16()

BOTAN_FUZZER_API void Botan::bigint_comba_mul16 ( word z[32],
const word x[16],
const word y[16] )

Definition at line 917 of file mp_comba.cpp.

917 {
918 word w2 = 0, w1 = 0, w0 = 0;
919
920 word3_muladd(&w2, &w1, &w0, x[0], y[0]);
921 z[0] = w0;
922 w0 = 0;
923
924 word3_muladd(&w0, &w2, &w1, x[0], y[1]);
925 word3_muladd(&w0, &w2, &w1, x[1], y[0]);
926 z[1] = w1;
927 w1 = 0;
928
929 word3_muladd(&w1, &w0, &w2, x[0], y[2]);
930 word3_muladd(&w1, &w0, &w2, x[1], y[1]);
931 word3_muladd(&w1, &w0, &w2, x[2], y[0]);
932 z[2] = w2;
933 w2 = 0;
934
935 word3_muladd(&w2, &w1, &w0, x[0], y[3]);
936 word3_muladd(&w2, &w1, &w0, x[1], y[2]);
937 word3_muladd(&w2, &w1, &w0, x[2], y[1]);
938 word3_muladd(&w2, &w1, &w0, x[3], y[0]);
939 z[3] = w0;
940 w0 = 0;
941
942 word3_muladd(&w0, &w2, &w1, x[0], y[4]);
943 word3_muladd(&w0, &w2, &w1, x[1], y[3]);
944 word3_muladd(&w0, &w2, &w1, x[2], y[2]);
945 word3_muladd(&w0, &w2, &w1, x[3], y[1]);
946 word3_muladd(&w0, &w2, &w1, x[4], y[0]);
947 z[4] = w1;
948 w1 = 0;
949
950 word3_muladd(&w1, &w0, &w2, x[0], y[5]);
951 word3_muladd(&w1, &w0, &w2, x[1], y[4]);
952 word3_muladd(&w1, &w0, &w2, x[2], y[3]);
953 word3_muladd(&w1, &w0, &w2, x[3], y[2]);
954 word3_muladd(&w1, &w0, &w2, x[4], y[1]);
955 word3_muladd(&w1, &w0, &w2, x[5], y[0]);
956 z[5] = w2;
957 w2 = 0;
958
959 word3_muladd(&w2, &w1, &w0, x[0], y[6]);
960 word3_muladd(&w2, &w1, &w0, x[1], y[5]);
961 word3_muladd(&w2, &w1, &w0, x[2], y[4]);
962 word3_muladd(&w2, &w1, &w0, x[3], y[3]);
963 word3_muladd(&w2, &w1, &w0, x[4], y[2]);
964 word3_muladd(&w2, &w1, &w0, x[5], y[1]);
965 word3_muladd(&w2, &w1, &w0, x[6], y[0]);
966 z[6] = w0;
967 w0 = 0;
968
969 word3_muladd(&w0, &w2, &w1, x[0], y[7]);
970 word3_muladd(&w0, &w2, &w1, x[1], y[6]);
971 word3_muladd(&w0, &w2, &w1, x[2], y[5]);
972 word3_muladd(&w0, &w2, &w1, x[3], y[4]);
973 word3_muladd(&w0, &w2, &w1, x[4], y[3]);
974 word3_muladd(&w0, &w2, &w1, x[5], y[2]);
975 word3_muladd(&w0, &w2, &w1, x[6], y[1]);
976 word3_muladd(&w0, &w2, &w1, x[7], y[0]);
977 z[7] = w1;
978 w1 = 0;
979
980 word3_muladd(&w1, &w0, &w2, x[0], y[8]);
981 word3_muladd(&w1, &w0, &w2, x[1], y[7]);
982 word3_muladd(&w1, &w0, &w2, x[2], y[6]);
983 word3_muladd(&w1, &w0, &w2, x[3], y[5]);
984 word3_muladd(&w1, &w0, &w2, x[4], y[4]);
985 word3_muladd(&w1, &w0, &w2, x[5], y[3]);
986 word3_muladd(&w1, &w0, &w2, x[6], y[2]);
987 word3_muladd(&w1, &w0, &w2, x[7], y[1]);
988 word3_muladd(&w1, &w0, &w2, x[8], y[0]);
989 z[8] = w2;
990 w2 = 0;
991
992 word3_muladd(&w2, &w1, &w0, x[0], y[9]);
993 word3_muladd(&w2, &w1, &w0, x[1], y[8]);
994 word3_muladd(&w2, &w1, &w0, x[2], y[7]);
995 word3_muladd(&w2, &w1, &w0, x[3], y[6]);
996 word3_muladd(&w2, &w1, &w0, x[4], y[5]);
997 word3_muladd(&w2, &w1, &w0, x[5], y[4]);
998 word3_muladd(&w2, &w1, &w0, x[6], y[3]);
999 word3_muladd(&w2, &w1, &w0, x[7], y[2]);
1000 word3_muladd(&w2, &w1, &w0, x[8], y[1]);
1001 word3_muladd(&w2, &w1, &w0, x[9], y[0]);
1002 z[9] = w0;
1003 w0 = 0;
1004
1005 word3_muladd(&w0, &w2, &w1, x[0], y[10]);
1006 word3_muladd(&w0, &w2, &w1, x[1], y[9]);
1007 word3_muladd(&w0, &w2, &w1, x[2], y[8]);
1008 word3_muladd(&w0, &w2, &w1, x[3], y[7]);
1009 word3_muladd(&w0, &w2, &w1, x[4], y[6]);
1010 word3_muladd(&w0, &w2, &w1, x[5], y[5]);
1011 word3_muladd(&w0, &w2, &w1, x[6], y[4]);
1012 word3_muladd(&w0, &w2, &w1, x[7], y[3]);
1013 word3_muladd(&w0, &w2, &w1, x[8], y[2]);
1014 word3_muladd(&w0, &w2, &w1, x[9], y[1]);
1015 word3_muladd(&w0, &w2, &w1, x[10], y[0]);
1016 z[10] = w1;
1017 w1 = 0;
1018
1019 word3_muladd(&w1, &w0, &w2, x[0], y[11]);
1020 word3_muladd(&w1, &w0, &w2, x[1], y[10]);
1021 word3_muladd(&w1, &w0, &w2, x[2], y[9]);
1022 word3_muladd(&w1, &w0, &w2, x[3], y[8]);
1023 word3_muladd(&w1, &w0, &w2, x[4], y[7]);
1024 word3_muladd(&w1, &w0, &w2, x[5], y[6]);
1025 word3_muladd(&w1, &w0, &w2, x[6], y[5]);
1026 word3_muladd(&w1, &w0, &w2, x[7], y[4]);
1027 word3_muladd(&w1, &w0, &w2, x[8], y[3]);
1028 word3_muladd(&w1, &w0, &w2, x[9], y[2]);
1029 word3_muladd(&w1, &w0, &w2, x[10], y[1]);
1030 word3_muladd(&w1, &w0, &w2, x[11], y[0]);
1031 z[11] = w2;
1032 w2 = 0;
1033
1034 word3_muladd(&w2, &w1, &w0, x[0], y[12]);
1035 word3_muladd(&w2, &w1, &w0, x[1], y[11]);
1036 word3_muladd(&w2, &w1, &w0, x[2], y[10]);
1037 word3_muladd(&w2, &w1, &w0, x[3], y[9]);
1038 word3_muladd(&w2, &w1, &w0, x[4], y[8]);
1039 word3_muladd(&w2, &w1, &w0, x[5], y[7]);
1040 word3_muladd(&w2, &w1, &w0, x[6], y[6]);
1041 word3_muladd(&w2, &w1, &w0, x[7], y[5]);
1042 word3_muladd(&w2, &w1, &w0, x[8], y[4]);
1043 word3_muladd(&w2, &w1, &w0, x[9], y[3]);
1044 word3_muladd(&w2, &w1, &w0, x[10], y[2]);
1045 word3_muladd(&w2, &w1, &w0, x[11], y[1]);
1046 word3_muladd(&w2, &w1, &w0, x[12], y[0]);
1047 z[12] = w0;
1048 w0 = 0;
1049
1050 word3_muladd(&w0, &w2, &w1, x[0], y[13]);
1051 word3_muladd(&w0, &w2, &w1, x[1], y[12]);
1052 word3_muladd(&w0, &w2, &w1, x[2], y[11]);
1053 word3_muladd(&w0, &w2, &w1, x[3], y[10]);
1054 word3_muladd(&w0, &w2, &w1, x[4], y[9]);
1055 word3_muladd(&w0, &w2, &w1, x[5], y[8]);
1056 word3_muladd(&w0, &w2, &w1, x[6], y[7]);
1057 word3_muladd(&w0, &w2, &w1, x[7], y[6]);
1058 word3_muladd(&w0, &w2, &w1, x[8], y[5]);
1059 word3_muladd(&w0, &w2, &w1, x[9], y[4]);
1060 word3_muladd(&w0, &w2, &w1, x[10], y[3]);
1061 word3_muladd(&w0, &w2, &w1, x[11], y[2]);
1062 word3_muladd(&w0, &w2, &w1, x[12], y[1]);
1063 word3_muladd(&w0, &w2, &w1, x[13], y[0]);
1064 z[13] = w1;
1065 w1 = 0;
1066
1067 word3_muladd(&w1, &w0, &w2, x[0], y[14]);
1068 word3_muladd(&w1, &w0, &w2, x[1], y[13]);
1069 word3_muladd(&w1, &w0, &w2, x[2], y[12]);
1070 word3_muladd(&w1, &w0, &w2, x[3], y[11]);
1071 word3_muladd(&w1, &w0, &w2, x[4], y[10]);
1072 word3_muladd(&w1, &w0, &w2, x[5], y[9]);
1073 word3_muladd(&w1, &w0, &w2, x[6], y[8]);
1074 word3_muladd(&w1, &w0, &w2, x[7], y[7]);
1075 word3_muladd(&w1, &w0, &w2, x[8], y[6]);
1076 word3_muladd(&w1, &w0, &w2, x[9], y[5]);
1077 word3_muladd(&w1, &w0, &w2, x[10], y[4]);
1078 word3_muladd(&w1, &w0, &w2, x[11], y[3]);
1079 word3_muladd(&w1, &w0, &w2, x[12], y[2]);
1080 word3_muladd(&w1, &w0, &w2, x[13], y[1]);
1081 word3_muladd(&w1, &w0, &w2, x[14], y[0]);
1082 z[14] = w2;
1083 w2 = 0;
1084
1085 word3_muladd(&w2, &w1, &w0, x[0], y[15]);
1086 word3_muladd(&w2, &w1, &w0, x[1], y[14]);
1087 word3_muladd(&w2, &w1, &w0, x[2], y[13]);
1088 word3_muladd(&w2, &w1, &w0, x[3], y[12]);
1089 word3_muladd(&w2, &w1, &w0, x[4], y[11]);
1090 word3_muladd(&w2, &w1, &w0, x[5], y[10]);
1091 word3_muladd(&w2, &w1, &w0, x[6], y[9]);
1092 word3_muladd(&w2, &w1, &w0, x[7], y[8]);
1093 word3_muladd(&w2, &w1, &w0, x[8], y[7]);
1094 word3_muladd(&w2, &w1, &w0, x[9], y[6]);
1095 word3_muladd(&w2, &w1, &w0, x[10], y[5]);
1096 word3_muladd(&w2, &w1, &w0, x[11], y[4]);
1097 word3_muladd(&w2, &w1, &w0, x[12], y[3]);
1098 word3_muladd(&w2, &w1, &w0, x[13], y[2]);
1099 word3_muladd(&w2, &w1, &w0, x[14], y[1]);
1100 word3_muladd(&w2, &w1, &w0, x[15], y[0]);
1101 z[15] = w0;
1102 w0 = 0;
1103
1104 word3_muladd(&w0, &w2, &w1, x[1], y[15]);
1105 word3_muladd(&w0, &w2, &w1, x[2], y[14]);
1106 word3_muladd(&w0, &w2, &w1, x[3], y[13]);
1107 word3_muladd(&w0, &w2, &w1, x[4], y[12]);
1108 word3_muladd(&w0, &w2, &w1, x[5], y[11]);
1109 word3_muladd(&w0, &w2, &w1, x[6], y[10]);
1110 word3_muladd(&w0, &w2, &w1, x[7], y[9]);
1111 word3_muladd(&w0, &w2, &w1, x[8], y[8]);
1112 word3_muladd(&w0, &w2, &w1, x[9], y[7]);
1113 word3_muladd(&w0, &w2, &w1, x[10], y[6]);
1114 word3_muladd(&w0, &w2, &w1, x[11], y[5]);
1115 word3_muladd(&w0, &w2, &w1, x[12], y[4]);
1116 word3_muladd(&w0, &w2, &w1, x[13], y[3]);
1117 word3_muladd(&w0, &w2, &w1, x[14], y[2]);
1118 word3_muladd(&w0, &w2, &w1, x[15], y[1]);
1119 z[16] = w1;
1120 w1 = 0;
1121
1122 word3_muladd(&w1, &w0, &w2, x[2], y[15]);
1123 word3_muladd(&w1, &w0, &w2, x[3], y[14]);
1124 word3_muladd(&w1, &w0, &w2, x[4], y[13]);
1125 word3_muladd(&w1, &w0, &w2, x[5], y[12]);
1126 word3_muladd(&w1, &w0, &w2, x[6], y[11]);
1127 word3_muladd(&w1, &w0, &w2, x[7], y[10]);
1128 word3_muladd(&w1, &w0, &w2, x[8], y[9]);
1129 word3_muladd(&w1, &w0, &w2, x[9], y[8]);
1130 word3_muladd(&w1, &w0, &w2, x[10], y[7]);
1131 word3_muladd(&w1, &w0, &w2, x[11], y[6]);
1132 word3_muladd(&w1, &w0, &w2, x[12], y[5]);
1133 word3_muladd(&w1, &w0, &w2, x[13], y[4]);
1134 word3_muladd(&w1, &w0, &w2, x[14], y[3]);
1135 word3_muladd(&w1, &w0, &w2, x[15], y[2]);
1136 z[17] = w2;
1137 w2 = 0;
1138
1139 word3_muladd(&w2, &w1, &w0, x[3], y[15]);
1140 word3_muladd(&w2, &w1, &w0, x[4], y[14]);
1141 word3_muladd(&w2, &w1, &w0, x[5], y[13]);
1142 word3_muladd(&w2, &w1, &w0, x[6], y[12]);
1143 word3_muladd(&w2, &w1, &w0, x[7], y[11]);
1144 word3_muladd(&w2, &w1, &w0, x[8], y[10]);
1145 word3_muladd(&w2, &w1, &w0, x[9], y[9]);
1146 word3_muladd(&w2, &w1, &w0, x[10], y[8]);
1147 word3_muladd(&w2, &w1, &w0, x[11], y[7]);
1148 word3_muladd(&w2, &w1, &w0, x[12], y[6]);
1149 word3_muladd(&w2, &w1, &w0, x[13], y[5]);
1150 word3_muladd(&w2, &w1, &w0, x[14], y[4]);
1151 word3_muladd(&w2, &w1, &w0, x[15], y[3]);
1152 z[18] = w0;
1153 w0 = 0;
1154
1155 word3_muladd(&w0, &w2, &w1, x[4], y[15]);
1156 word3_muladd(&w0, &w2, &w1, x[5], y[14]);
1157 word3_muladd(&w0, &w2, &w1, x[6], y[13]);
1158 word3_muladd(&w0, &w2, &w1, x[7], y[12]);
1159 word3_muladd(&w0, &w2, &w1, x[8], y[11]);
1160 word3_muladd(&w0, &w2, &w1, x[9], y[10]);
1161 word3_muladd(&w0, &w2, &w1, x[10], y[9]);
1162 word3_muladd(&w0, &w2, &w1, x[11], y[8]);
1163 word3_muladd(&w0, &w2, &w1, x[12], y[7]);
1164 word3_muladd(&w0, &w2, &w1, x[13], y[6]);
1165 word3_muladd(&w0, &w2, &w1, x[14], y[5]);
1166 word3_muladd(&w0, &w2, &w1, x[15], y[4]);
1167 z[19] = w1;
1168 w1 = 0;
1169
1170 word3_muladd(&w1, &w0, &w2, x[5], y[15]);
1171 word3_muladd(&w1, &w0, &w2, x[6], y[14]);
1172 word3_muladd(&w1, &w0, &w2, x[7], y[13]);
1173 word3_muladd(&w1, &w0, &w2, x[8], y[12]);
1174 word3_muladd(&w1, &w0, &w2, x[9], y[11]);
1175 word3_muladd(&w1, &w0, &w2, x[10], y[10]);
1176 word3_muladd(&w1, &w0, &w2, x[11], y[9]);
1177 word3_muladd(&w1, &w0, &w2, x[12], y[8]);
1178 word3_muladd(&w1, &w0, &w2, x[13], y[7]);
1179 word3_muladd(&w1, &w0, &w2, x[14], y[6]);
1180 word3_muladd(&w1, &w0, &w2, x[15], y[5]);
1181 z[20] = w2;
1182 w2 = 0;
1183
1184 word3_muladd(&w2, &w1, &w0, x[6], y[15]);
1185 word3_muladd(&w2, &w1, &w0, x[7], y[14]);
1186 word3_muladd(&w2, &w1, &w0, x[8], y[13]);
1187 word3_muladd(&w2, &w1, &w0, x[9], y[12]);
1188 word3_muladd(&w2, &w1, &w0, x[10], y[11]);
1189 word3_muladd(&w2, &w1, &w0, x[11], y[10]);
1190 word3_muladd(&w2, &w1, &w0, x[12], y[9]);
1191 word3_muladd(&w2, &w1, &w0, x[13], y[8]);
1192 word3_muladd(&w2, &w1, &w0, x[14], y[7]);
1193 word3_muladd(&w2, &w1, &w0, x[15], y[6]);
1194 z[21] = w0;
1195 w0 = 0;
1196
1197 word3_muladd(&w0, &w2, &w1, x[7], y[15]);
1198 word3_muladd(&w0, &w2, &w1, x[8], y[14]);
1199 word3_muladd(&w0, &w2, &w1, x[9], y[13]);
1200 word3_muladd(&w0, &w2, &w1, x[10], y[12]);
1201 word3_muladd(&w0, &w2, &w1, x[11], y[11]);
1202 word3_muladd(&w0, &w2, &w1, x[12], y[10]);
1203 word3_muladd(&w0, &w2, &w1, x[13], y[9]);
1204 word3_muladd(&w0, &w2, &w1, x[14], y[8]);
1205 word3_muladd(&w0, &w2, &w1, x[15], y[7]);
1206 z[22] = w1;
1207 w1 = 0;
1208
1209 word3_muladd(&w1, &w0, &w2, x[8], y[15]);
1210 word3_muladd(&w1, &w0, &w2, x[9], y[14]);
1211 word3_muladd(&w1, &w0, &w2, x[10], y[13]);
1212 word3_muladd(&w1, &w0, &w2, x[11], y[12]);
1213 word3_muladd(&w1, &w0, &w2, x[12], y[11]);
1214 word3_muladd(&w1, &w0, &w2, x[13], y[10]);
1215 word3_muladd(&w1, &w0, &w2, x[14], y[9]);
1216 word3_muladd(&w1, &w0, &w2, x[15], y[8]);
1217 z[23] = w2;
1218 w2 = 0;
1219
1220 word3_muladd(&w2, &w1, &w0, x[9], y[15]);
1221 word3_muladd(&w2, &w1, &w0, x[10], y[14]);
1222 word3_muladd(&w2, &w1, &w0, x[11], y[13]);
1223 word3_muladd(&w2, &w1, &w0, x[12], y[12]);
1224 word3_muladd(&w2, &w1, &w0, x[13], y[11]);
1225 word3_muladd(&w2, &w1, &w0, x[14], y[10]);
1226 word3_muladd(&w2, &w1, &w0, x[15], y[9]);
1227 z[24] = w0;
1228 w0 = 0;
1229
1230 word3_muladd(&w0, &w2, &w1, x[10], y[15]);
1231 word3_muladd(&w0, &w2, &w1, x[11], y[14]);
1232 word3_muladd(&w0, &w2, &w1, x[12], y[13]);
1233 word3_muladd(&w0, &w2, &w1, x[13], y[12]);
1234 word3_muladd(&w0, &w2, &w1, x[14], y[11]);
1235 word3_muladd(&w0, &w2, &w1, x[15], y[10]);
1236 z[25] = w1;
1237 w1 = 0;
1238
1239 word3_muladd(&w1, &w0, &w2, x[11], y[15]);
1240 word3_muladd(&w1, &w0, &w2, x[12], y[14]);
1241 word3_muladd(&w1, &w0, &w2, x[13], y[13]);
1242 word3_muladd(&w1, &w0, &w2, x[14], y[12]);
1243 word3_muladd(&w1, &w0, &w2, x[15], y[11]);
1244 z[26] = w2;
1245 w2 = 0;
1246
1247 word3_muladd(&w2, &w1, &w0, x[12], y[15]);
1248 word3_muladd(&w2, &w1, &w0, x[13], y[14]);
1249 word3_muladd(&w2, &w1, &w0, x[14], y[13]);
1250 word3_muladd(&w2, &w1, &w0, x[15], y[12]);
1251 z[27] = w0;
1252 w0 = 0;
1253
1254 word3_muladd(&w0, &w2, &w1, x[13], y[15]);
1255 word3_muladd(&w0, &w2, &w1, x[14], y[14]);
1256 word3_muladd(&w0, &w2, &w1, x[15], y[13]);
1257 z[28] = w1;
1258 w1 = 0;
1259
1260 word3_muladd(&w1, &w0, &w2, x[14], y[15]);
1261 word3_muladd(&w1, &w0, &w2, x[15], y[14]);
1262 z[29] = w2;
1263 w2 = 0;
1264
1265 word3_muladd(&w2, &w1, &w0, x[15], y[15]);
1266 z[30] = w0;
1267 z[31] = w1;
1268}
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition mp_asmi.h:528

References word3_muladd().

Referenced by bigint_mul().

◆ bigint_comba_mul24()

BOTAN_FUZZER_API void Botan::bigint_comba_mul24 ( word z[48],
const word x[24],
const word y[24] )

Definition at line 1721 of file mp_comba.cpp.

1721 {
1722 word w2 = 0, w1 = 0, w0 = 0;
1723
1724 word3_muladd(&w2, &w1, &w0, x[0], y[0]);
1725 z[0] = w0;
1726 w0 = 0;
1727
1728 word3_muladd(&w0, &w2, &w1, x[0], y[1]);
1729 word3_muladd(&w0, &w2, &w1, x[1], y[0]);
1730 z[1] = w1;
1731 w1 = 0;
1732
1733 word3_muladd(&w1, &w0, &w2, x[0], y[2]);
1734 word3_muladd(&w1, &w0, &w2, x[1], y[1]);
1735 word3_muladd(&w1, &w0, &w2, x[2], y[0]);
1736 z[2] = w2;
1737 w2 = 0;
1738
1739 word3_muladd(&w2, &w1, &w0, x[0], y[3]);
1740 word3_muladd(&w2, &w1, &w0, x[1], y[2]);
1741 word3_muladd(&w2, &w1, &w0, x[2], y[1]);
1742 word3_muladd(&w2, &w1, &w0, x[3], y[0]);
1743 z[3] = w0;
1744 w0 = 0;
1745
1746 word3_muladd(&w0, &w2, &w1, x[0], y[4]);
1747 word3_muladd(&w0, &w2, &w1, x[1], y[3]);
1748 word3_muladd(&w0, &w2, &w1, x[2], y[2]);
1749 word3_muladd(&w0, &w2, &w1, x[3], y[1]);
1750 word3_muladd(&w0, &w2, &w1, x[4], y[0]);
1751 z[4] = w1;
1752 w1 = 0;
1753
1754 word3_muladd(&w1, &w0, &w2, x[0], y[5]);
1755 word3_muladd(&w1, &w0, &w2, x[1], y[4]);
1756 word3_muladd(&w1, &w0, &w2, x[2], y[3]);
1757 word3_muladd(&w1, &w0, &w2, x[3], y[2]);
1758 word3_muladd(&w1, &w0, &w2, x[4], y[1]);
1759 word3_muladd(&w1, &w0, &w2, x[5], y[0]);
1760 z[5] = w2;
1761 w2 = 0;
1762
1763 word3_muladd(&w2, &w1, &w0, x[0], y[6]);
1764 word3_muladd(&w2, &w1, &w0, x[1], y[5]);
1765 word3_muladd(&w2, &w1, &w0, x[2], y[4]);
1766 word3_muladd(&w2, &w1, &w0, x[3], y[3]);
1767 word3_muladd(&w2, &w1, &w0, x[4], y[2]);
1768 word3_muladd(&w2, &w1, &w0, x[5], y[1]);
1769 word3_muladd(&w2, &w1, &w0, x[6], y[0]);
1770 z[6] = w0;
1771 w0 = 0;
1772
1773 word3_muladd(&w0, &w2, &w1, x[0], y[7]);
1774 word3_muladd(&w0, &w2, &w1, x[1], y[6]);
1775 word3_muladd(&w0, &w2, &w1, x[2], y[5]);
1776 word3_muladd(&w0, &w2, &w1, x[3], y[4]);
1777 word3_muladd(&w0, &w2, &w1, x[4], y[3]);
1778 word3_muladd(&w0, &w2, &w1, x[5], y[2]);
1779 word3_muladd(&w0, &w2, &w1, x[6], y[1]);
1780 word3_muladd(&w0, &w2, &w1, x[7], y[0]);
1781 z[7] = w1;
1782 w1 = 0;
1783
1784 word3_muladd(&w1, &w0, &w2, x[0], y[8]);
1785 word3_muladd(&w1, &w0, &w2, x[1], y[7]);
1786 word3_muladd(&w1, &w0, &w2, x[2], y[6]);
1787 word3_muladd(&w1, &w0, &w2, x[3], y[5]);
1788 word3_muladd(&w1, &w0, &w2, x[4], y[4]);
1789 word3_muladd(&w1, &w0, &w2, x[5], y[3]);
1790 word3_muladd(&w1, &w0, &w2, x[6], y[2]);
1791 word3_muladd(&w1, &w0, &w2, x[7], y[1]);
1792 word3_muladd(&w1, &w0, &w2, x[8], y[0]);
1793 z[8] = w2;
1794 w2 = 0;
1795
1796 word3_muladd(&w2, &w1, &w0, x[0], y[9]);
1797 word3_muladd(&w2, &w1, &w0, x[1], y[8]);
1798 word3_muladd(&w2, &w1, &w0, x[2], y[7]);
1799 word3_muladd(&w2, &w1, &w0, x[3], y[6]);
1800 word3_muladd(&w2, &w1, &w0, x[4], y[5]);
1801 word3_muladd(&w2, &w1, &w0, x[5], y[4]);
1802 word3_muladd(&w2, &w1, &w0, x[6], y[3]);
1803 word3_muladd(&w2, &w1, &w0, x[7], y[2]);
1804 word3_muladd(&w2, &w1, &w0, x[8], y[1]);
1805 word3_muladd(&w2, &w1, &w0, x[9], y[0]);
1806 z[9] = w0;
1807 w0 = 0;
1808
1809 word3_muladd(&w0, &w2, &w1, x[0], y[10]);
1810 word3_muladd(&w0, &w2, &w1, x[1], y[9]);
1811 word3_muladd(&w0, &w2, &w1, x[2], y[8]);
1812 word3_muladd(&w0, &w2, &w1, x[3], y[7]);
1813 word3_muladd(&w0, &w2, &w1, x[4], y[6]);
1814 word3_muladd(&w0, &w2, &w1, x[5], y[5]);
1815 word3_muladd(&w0, &w2, &w1, x[6], y[4]);
1816 word3_muladd(&w0, &w2, &w1, x[7], y[3]);
1817 word3_muladd(&w0, &w2, &w1, x[8], y[2]);
1818 word3_muladd(&w0, &w2, &w1, x[9], y[1]);
1819 word3_muladd(&w0, &w2, &w1, x[10], y[0]);
1820 z[10] = w1;
1821 w1 = 0;
1822
1823 word3_muladd(&w1, &w0, &w2, x[0], y[11]);
1824 word3_muladd(&w1, &w0, &w2, x[1], y[10]);
1825 word3_muladd(&w1, &w0, &w2, x[2], y[9]);
1826 word3_muladd(&w1, &w0, &w2, x[3], y[8]);
1827 word3_muladd(&w1, &w0, &w2, x[4], y[7]);
1828 word3_muladd(&w1, &w0, &w2, x[5], y[6]);
1829 word3_muladd(&w1, &w0, &w2, x[6], y[5]);
1830 word3_muladd(&w1, &w0, &w2, x[7], y[4]);
1831 word3_muladd(&w1, &w0, &w2, x[8], y[3]);
1832 word3_muladd(&w1, &w0, &w2, x[9], y[2]);
1833 word3_muladd(&w1, &w0, &w2, x[10], y[1]);
1834 word3_muladd(&w1, &w0, &w2, x[11], y[0]);
1835 z[11] = w2;
1836 w2 = 0;
1837
1838 word3_muladd(&w2, &w1, &w0, x[0], y[12]);
1839 word3_muladd(&w2, &w1, &w0, x[1], y[11]);
1840 word3_muladd(&w2, &w1, &w0, x[2], y[10]);
1841 word3_muladd(&w2, &w1, &w0, x[3], y[9]);
1842 word3_muladd(&w2, &w1, &w0, x[4], y[8]);
1843 word3_muladd(&w2, &w1, &w0, x[5], y[7]);
1844 word3_muladd(&w2, &w1, &w0, x[6], y[6]);
1845 word3_muladd(&w2, &w1, &w0, x[7], y[5]);
1846 word3_muladd(&w2, &w1, &w0, x[8], y[4]);
1847 word3_muladd(&w2, &w1, &w0, x[9], y[3]);
1848 word3_muladd(&w2, &w1, &w0, x[10], y[2]);
1849 word3_muladd(&w2, &w1, &w0, x[11], y[1]);
1850 word3_muladd(&w2, &w1, &w0, x[12], y[0]);
1851 z[12] = w0;
1852 w0 = 0;
1853
1854 word3_muladd(&w0, &w2, &w1, x[0], y[13]);
1855 word3_muladd(&w0, &w2, &w1, x[1], y[12]);
1856 word3_muladd(&w0, &w2, &w1, x[2], y[11]);
1857 word3_muladd(&w0, &w2, &w1, x[3], y[10]);
1858 word3_muladd(&w0, &w2, &w1, x[4], y[9]);
1859 word3_muladd(&w0, &w2, &w1, x[5], y[8]);
1860 word3_muladd(&w0, &w2, &w1, x[6], y[7]);
1861 word3_muladd(&w0, &w2, &w1, x[7], y[6]);
1862 word3_muladd(&w0, &w2, &w1, x[8], y[5]);
1863 word3_muladd(&w0, &w2, &w1, x[9], y[4]);
1864 word3_muladd(&w0, &w2, &w1, x[10], y[3]);
1865 word3_muladd(&w0, &w2, &w1, x[11], y[2]);
1866 word3_muladd(&w0, &w2, &w1, x[12], y[1]);
1867 word3_muladd(&w0, &w2, &w1, x[13], y[0]);
1868 z[13] = w1;
1869 w1 = 0;
1870
1871 word3_muladd(&w1, &w0, &w2, x[0], y[14]);
1872 word3_muladd(&w1, &w0, &w2, x[1], y[13]);
1873 word3_muladd(&w1, &w0, &w2, x[2], y[12]);
1874 word3_muladd(&w1, &w0, &w2, x[3], y[11]);
1875 word3_muladd(&w1, &w0, &w2, x[4], y[10]);
1876 word3_muladd(&w1, &w0, &w2, x[5], y[9]);
1877 word3_muladd(&w1, &w0, &w2, x[6], y[8]);
1878 word3_muladd(&w1, &w0, &w2, x[7], y[7]);
1879 word3_muladd(&w1, &w0, &w2, x[8], y[6]);
1880 word3_muladd(&w1, &w0, &w2, x[9], y[5]);
1881 word3_muladd(&w1, &w0, &w2, x[10], y[4]);
1882 word3_muladd(&w1, &w0, &w2, x[11], y[3]);
1883 word3_muladd(&w1, &w0, &w2, x[12], y[2]);
1884 word3_muladd(&w1, &w0, &w2, x[13], y[1]);
1885 word3_muladd(&w1, &w0, &w2, x[14], y[0]);
1886 z[14] = w2;
1887 w2 = 0;
1888
1889 word3_muladd(&w2, &w1, &w0, x[0], y[15]);
1890 word3_muladd(&w2, &w1, &w0, x[1], y[14]);
1891 word3_muladd(&w2, &w1, &w0, x[2], y[13]);
1892 word3_muladd(&w2, &w1, &w0, x[3], y[12]);
1893 word3_muladd(&w2, &w1, &w0, x[4], y[11]);
1894 word3_muladd(&w2, &w1, &w0, x[5], y[10]);
1895 word3_muladd(&w2, &w1, &w0, x[6], y[9]);
1896 word3_muladd(&w2, &w1, &w0, x[7], y[8]);
1897 word3_muladd(&w2, &w1, &w0, x[8], y[7]);
1898 word3_muladd(&w2, &w1, &w0, x[9], y[6]);
1899 word3_muladd(&w2, &w1, &w0, x[10], y[5]);
1900 word3_muladd(&w2, &w1, &w0, x[11], y[4]);
1901 word3_muladd(&w2, &w1, &w0, x[12], y[3]);
1902 word3_muladd(&w2, &w1, &w0, x[13], y[2]);
1903 word3_muladd(&w2, &w1, &w0, x[14], y[1]);
1904 word3_muladd(&w2, &w1, &w0, x[15], y[0]);
1905 z[15] = w0;
1906 w0 = 0;
1907
1908 word3_muladd(&w0, &w2, &w1, x[0], y[16]);
1909 word3_muladd(&w0, &w2, &w1, x[1], y[15]);
1910 word3_muladd(&w0, &w2, &w1, x[2], y[14]);
1911 word3_muladd(&w0, &w2, &w1, x[3], y[13]);
1912 word3_muladd(&w0, &w2, &w1, x[4], y[12]);
1913 word3_muladd(&w0, &w2, &w1, x[5], y[11]);
1914 word3_muladd(&w0, &w2, &w1, x[6], y[10]);
1915 word3_muladd(&w0, &w2, &w1, x[7], y[9]);
1916 word3_muladd(&w0, &w2, &w1, x[8], y[8]);
1917 word3_muladd(&w0, &w2, &w1, x[9], y[7]);
1918 word3_muladd(&w0, &w2, &w1, x[10], y[6]);
1919 word3_muladd(&w0, &w2, &w1, x[11], y[5]);
1920 word3_muladd(&w0, &w2, &w1, x[12], y[4]);
1921 word3_muladd(&w0, &w2, &w1, x[13], y[3]);
1922 word3_muladd(&w0, &w2, &w1, x[14], y[2]);
1923 word3_muladd(&w0, &w2, &w1, x[15], y[1]);
1924 word3_muladd(&w0, &w2, &w1, x[16], y[0]);
1925 z[16] = w1;
1926 w1 = 0;
1927
1928 word3_muladd(&w1, &w0, &w2, x[0], y[17]);
1929 word3_muladd(&w1, &w0, &w2, x[1], y[16]);
1930 word3_muladd(&w1, &w0, &w2, x[2], y[15]);
1931 word3_muladd(&w1, &w0, &w2, x[3], y[14]);
1932 word3_muladd(&w1, &w0, &w2, x[4], y[13]);
1933 word3_muladd(&w1, &w0, &w2, x[5], y[12]);
1934 word3_muladd(&w1, &w0, &w2, x[6], y[11]);
1935 word3_muladd(&w1, &w0, &w2, x[7], y[10]);
1936 word3_muladd(&w1, &w0, &w2, x[8], y[9]);
1937 word3_muladd(&w1, &w0, &w2, x[9], y[8]);
1938 word3_muladd(&w1, &w0, &w2, x[10], y[7]);
1939 word3_muladd(&w1, &w0, &w2, x[11], y[6]);
1940 word3_muladd(&w1, &w0, &w2, x[12], y[5]);
1941 word3_muladd(&w1, &w0, &w2, x[13], y[4]);
1942 word3_muladd(&w1, &w0, &w2, x[14], y[3]);
1943 word3_muladd(&w1, &w0, &w2, x[15], y[2]);
1944 word3_muladd(&w1, &w0, &w2, x[16], y[1]);
1945 word3_muladd(&w1, &w0, &w2, x[17], y[0]);
1946 z[17] = w2;
1947 w2 = 0;
1948
1949 word3_muladd(&w2, &w1, &w0, x[0], y[18]);
1950 word3_muladd(&w2, &w1, &w0, x[1], y[17]);
1951 word3_muladd(&w2, &w1, &w0, x[2], y[16]);
1952 word3_muladd(&w2, &w1, &w0, x[3], y[15]);
1953 word3_muladd(&w2, &w1, &w0, x[4], y[14]);
1954 word3_muladd(&w2, &w1, &w0, x[5], y[13]);
1955 word3_muladd(&w2, &w1, &w0, x[6], y[12]);
1956 word3_muladd(&w2, &w1, &w0, x[7], y[11]);
1957 word3_muladd(&w2, &w1, &w0, x[8], y[10]);
1958 word3_muladd(&w2, &w1, &w0, x[9], y[9]);
1959 word3_muladd(&w2, &w1, &w0, x[10], y[8]);
1960 word3_muladd(&w2, &w1, &w0, x[11], y[7]);
1961 word3_muladd(&w2, &w1, &w0, x[12], y[6]);
1962 word3_muladd(&w2, &w1, &w0, x[13], y[5]);
1963 word3_muladd(&w2, &w1, &w0, x[14], y[4]);
1964 word3_muladd(&w2, &w1, &w0, x[15], y[3]);
1965 word3_muladd(&w2, &w1, &w0, x[16], y[2]);
1966 word3_muladd(&w2, &w1, &w0, x[17], y[1]);
1967 word3_muladd(&w2, &w1, &w0, x[18], y[0]);
1968 z[18] = w0;
1969 w0 = 0;
1970
1971 word3_muladd(&w0, &w2, &w1, x[0], y[19]);
1972 word3_muladd(&w0, &w2, &w1, x[1], y[18]);
1973 word3_muladd(&w0, &w2, &w1, x[2], y[17]);
1974 word3_muladd(&w0, &w2, &w1, x[3], y[16]);
1975 word3_muladd(&w0, &w2, &w1, x[4], y[15]);
1976 word3_muladd(&w0, &w2, &w1, x[5], y[14]);
1977 word3_muladd(&w0, &w2, &w1, x[6], y[13]);
1978 word3_muladd(&w0, &w2, &w1, x[7], y[12]);
1979 word3_muladd(&w0, &w2, &w1, x[8], y[11]);
1980 word3_muladd(&w0, &w2, &w1, x[9], y[10]);
1981 word3_muladd(&w0, &w2, &w1, x[10], y[9]);
1982 word3_muladd(&w0, &w2, &w1, x[11], y[8]);
1983 word3_muladd(&w0, &w2, &w1, x[12], y[7]);
1984 word3_muladd(&w0, &w2, &w1, x[13], y[6]);
1985 word3_muladd(&w0, &w2, &w1, x[14], y[5]);
1986 word3_muladd(&w0, &w2, &w1, x[15], y[4]);
1987 word3_muladd(&w0, &w2, &w1, x[16], y[3]);
1988 word3_muladd(&w0, &w2, &w1, x[17], y[2]);
1989 word3_muladd(&w0, &w2, &w1, x[18], y[1]);
1990 word3_muladd(&w0, &w2, &w1, x[19], y[0]);
1991 z[19] = w1;
1992 w1 = 0;
1993
1994 word3_muladd(&w1, &w0, &w2, x[0], y[20]);
1995 word3_muladd(&w1, &w0, &w2, x[1], y[19]);
1996 word3_muladd(&w1, &w0, &w2, x[2], y[18]);
1997 word3_muladd(&w1, &w0, &w2, x[3], y[17]);
1998 word3_muladd(&w1, &w0, &w2, x[4], y[16]);
1999 word3_muladd(&w1, &w0, &w2, x[5], y[15]);
2000 word3_muladd(&w1, &w0, &w2, x[6], y[14]);
2001 word3_muladd(&w1, &w0, &w2, x[7], y[13]);
2002 word3_muladd(&w1, &w0, &w2, x[8], y[12]);
2003 word3_muladd(&w1, &w0, &w2, x[9], y[11]);
2004 word3_muladd(&w1, &w0, &w2, x[10], y[10]);
2005 word3_muladd(&w1, &w0, &w2, x[11], y[9]);
2006 word3_muladd(&w1, &w0, &w2, x[12], y[8]);
2007 word3_muladd(&w1, &w0, &w2, x[13], y[7]);
2008 word3_muladd(&w1, &w0, &w2, x[14], y[6]);
2009 word3_muladd(&w1, &w0, &w2, x[15], y[5]);
2010 word3_muladd(&w1, &w0, &w2, x[16], y[4]);
2011 word3_muladd(&w1, &w0, &w2, x[17], y[3]);
2012 word3_muladd(&w1, &w0, &w2, x[18], y[2]);
2013 word3_muladd(&w1, &w0, &w2, x[19], y[1]);
2014 word3_muladd(&w1, &w0, &w2, x[20], y[0]);
2015 z[20] = w2;
2016 w2 = 0;
2017
2018 word3_muladd(&w2, &w1, &w0, x[0], y[21]);
2019 word3_muladd(&w2, &w1, &w0, x[1], y[20]);
2020 word3_muladd(&w2, &w1, &w0, x[2], y[19]);
2021 word3_muladd(&w2, &w1, &w0, x[3], y[18]);
2022 word3_muladd(&w2, &w1, &w0, x[4], y[17]);
2023 word3_muladd(&w2, &w1, &w0, x[5], y[16]);
2024 word3_muladd(&w2, &w1, &w0, x[6], y[15]);
2025 word3_muladd(&w2, &w1, &w0, x[7], y[14]);
2026 word3_muladd(&w2, &w1, &w0, x[8], y[13]);
2027 word3_muladd(&w2, &w1, &w0, x[9], y[12]);
2028 word3_muladd(&w2, &w1, &w0, x[10], y[11]);
2029 word3_muladd(&w2, &w1, &w0, x[11], y[10]);
2030 word3_muladd(&w2, &w1, &w0, x[12], y[9]);
2031 word3_muladd(&w2, &w1, &w0, x[13], y[8]);
2032 word3_muladd(&w2, &w1, &w0, x[14], y[7]);
2033 word3_muladd(&w2, &w1, &w0, x[15], y[6]);
2034 word3_muladd(&w2, &w1, &w0, x[16], y[5]);
2035 word3_muladd(&w2, &w1, &w0, x[17], y[4]);
2036 word3_muladd(&w2, &w1, &w0, x[18], y[3]);
2037 word3_muladd(&w2, &w1, &w0, x[19], y[2]);
2038 word3_muladd(&w2, &w1, &w0, x[20], y[1]);
2039 word3_muladd(&w2, &w1, &w0, x[21], y[0]);
2040 z[21] = w0;
2041 w0 = 0;
2042
2043 word3_muladd(&w0, &w2, &w1, x[0], y[22]);
2044 word3_muladd(&w0, &w2, &w1, x[1], y[21]);
2045 word3_muladd(&w0, &w2, &w1, x[2], y[20]);
2046 word3_muladd(&w0, &w2, &w1, x[3], y[19]);
2047 word3_muladd(&w0, &w2, &w1, x[4], y[18]);
2048 word3_muladd(&w0, &w2, &w1, x[5], y[17]);
2049 word3_muladd(&w0, &w2, &w1, x[6], y[16]);
2050 word3_muladd(&w0, &w2, &w1, x[7], y[15]);
2051 word3_muladd(&w0, &w2, &w1, x[8], y[14]);
2052 word3_muladd(&w0, &w2, &w1, x[9], y[13]);
2053 word3_muladd(&w0, &w2, &w1, x[10], y[12]);
2054 word3_muladd(&w0, &w2, &w1, x[11], y[11]);
2055 word3_muladd(&w0, &w2, &w1, x[12], y[10]);
2056 word3_muladd(&w0, &w2, &w1, x[13], y[9]);
2057 word3_muladd(&w0, &w2, &w1, x[14], y[8]);
2058 word3_muladd(&w0, &w2, &w1, x[15], y[7]);
2059 word3_muladd(&w0, &w2, &w1, x[16], y[6]);
2060 word3_muladd(&w0, &w2, &w1, x[17], y[5]);
2061 word3_muladd(&w0, &w2, &w1, x[18], y[4]);
2062 word3_muladd(&w0, &w2, &w1, x[19], y[3]);
2063 word3_muladd(&w0, &w2, &w1, x[20], y[2]);
2064 word3_muladd(&w0, &w2, &w1, x[21], y[1]);
2065 word3_muladd(&w0, &w2, &w1, x[22], y[0]);
2066 z[22] = w1;
2067 w1 = 0;
2068
2069 word3_muladd(&w1, &w0, &w2, x[0], y[23]);
2070 word3_muladd(&w1, &w0, &w2, x[1], y[22]);
2071 word3_muladd(&w1, &w0, &w2, x[2], y[21]);
2072 word3_muladd(&w1, &w0, &w2, x[3], y[20]);
2073 word3_muladd(&w1, &w0, &w2, x[4], y[19]);
2074 word3_muladd(&w1, &w0, &w2, x[5], y[18]);
2075 word3_muladd(&w1, &w0, &w2, x[6], y[17]);
2076 word3_muladd(&w1, &w0, &w2, x[7], y[16]);
2077 word3_muladd(&w1, &w0, &w2, x[8], y[15]);
2078 word3_muladd(&w1, &w0, &w2, x[9], y[14]);
2079 word3_muladd(&w1, &w0, &w2, x[10], y[13]);
2080 word3_muladd(&w1, &w0, &w2, x[11], y[12]);
2081 word3_muladd(&w1, &w0, &w2, x[12], y[11]);
2082 word3_muladd(&w1, &w0, &w2, x[13], y[10]);
2083 word3_muladd(&w1, &w0, &w2, x[14], y[9]);
2084 word3_muladd(&w1, &w0, &w2, x[15], y[8]);
2085 word3_muladd(&w1, &w0, &w2, x[16], y[7]);
2086 word3_muladd(&w1, &w0, &w2, x[17], y[6]);
2087 word3_muladd(&w1, &w0, &w2, x[18], y[5]);
2088 word3_muladd(&w1, &w0, &w2, x[19], y[4]);
2089 word3_muladd(&w1, &w0, &w2, x[20], y[3]);
2090 word3_muladd(&w1, &w0, &w2, x[21], y[2]);
2091 word3_muladd(&w1, &w0, &w2, x[22], y[1]);
2092 word3_muladd(&w1, &w0, &w2, x[23], y[0]);
2093 z[23] = w2;
2094 w2 = 0;
2095
2096 word3_muladd(&w2, &w1, &w0, x[1], y[23]);
2097 word3_muladd(&w2, &w1, &w0, x[2], y[22]);
2098 word3_muladd(&w2, &w1, &w0, x[3], y[21]);
2099 word3_muladd(&w2, &w1, &w0, x[4], y[20]);
2100 word3_muladd(&w2, &w1, &w0, x[5], y[19]);
2101 word3_muladd(&w2, &w1, &w0, x[6], y[18]);
2102 word3_muladd(&w2, &w1, &w0, x[7], y[17]);
2103 word3_muladd(&w2, &w1, &w0, x[8], y[16]);
2104 word3_muladd(&w2, &w1, &w0, x[9], y[15]);
2105 word3_muladd(&w2, &w1, &w0, x[10], y[14]);
2106 word3_muladd(&w2, &w1, &w0, x[11], y[13]);
2107 word3_muladd(&w2, &w1, &w0, x[12], y[12]);
2108 word3_muladd(&w2, &w1, &w0, x[13], y[11]);
2109 word3_muladd(&w2, &w1, &w0, x[14], y[10]);
2110 word3_muladd(&w2, &w1, &w0, x[15], y[9]);
2111 word3_muladd(&w2, &w1, &w0, x[16], y[8]);
2112 word3_muladd(&w2, &w1, &w0, x[17], y[7]);
2113 word3_muladd(&w2, &w1, &w0, x[18], y[6]);
2114 word3_muladd(&w2, &w1, &w0, x[19], y[5]);
2115 word3_muladd(&w2, &w1, &w0, x[20], y[4]);
2116 word3_muladd(&w2, &w1, &w0, x[21], y[3]);
2117 word3_muladd(&w2, &w1, &w0, x[22], y[2]);
2118 word3_muladd(&w2, &w1, &w0, x[23], y[1]);
2119 z[24] = w0;
2120 w0 = 0;
2121
2122 word3_muladd(&w0, &w2, &w1, x[2], y[23]);
2123 word3_muladd(&w0, &w2, &w1, x[3], y[22]);
2124 word3_muladd(&w0, &w2, &w1, x[4], y[21]);
2125 word3_muladd(&w0, &w2, &w1, x[5], y[20]);
2126 word3_muladd(&w0, &w2, &w1, x[6], y[19]);
2127 word3_muladd(&w0, &w2, &w1, x[7], y[18]);
2128 word3_muladd(&w0, &w2, &w1, x[8], y[17]);
2129 word3_muladd(&w0, &w2, &w1, x[9], y[16]);
2130 word3_muladd(&w0, &w2, &w1, x[10], y[15]);
2131 word3_muladd(&w0, &w2, &w1, x[11], y[14]);
2132 word3_muladd(&w0, &w2, &w1, x[12], y[13]);
2133 word3_muladd(&w0, &w2, &w1, x[13], y[12]);
2134 word3_muladd(&w0, &w2, &w1, x[14], y[11]);
2135 word3_muladd(&w0, &w2, &w1, x[15], y[10]);
2136 word3_muladd(&w0, &w2, &w1, x[16], y[9]);
2137 word3_muladd(&w0, &w2, &w1, x[17], y[8]);
2138 word3_muladd(&w0, &w2, &w1, x[18], y[7]);
2139 word3_muladd(&w0, &w2, &w1, x[19], y[6]);
2140 word3_muladd(&w0, &w2, &w1, x[20], y[5]);
2141 word3_muladd(&w0, &w2, &w1, x[21], y[4]);
2142 word3_muladd(&w0, &w2, &w1, x[22], y[3]);
2143 word3_muladd(&w0, &w2, &w1, x[23], y[2]);
2144 z[25] = w1;
2145 w1 = 0;
2146
2147 word3_muladd(&w1, &w0, &w2, x[3], y[23]);
2148 word3_muladd(&w1, &w0, &w2, x[4], y[22]);
2149 word3_muladd(&w1, &w0, &w2, x[5], y[21]);
2150 word3_muladd(&w1, &w0, &w2, x[6], y[20]);
2151 word3_muladd(&w1, &w0, &w2, x[7], y[19]);
2152 word3_muladd(&w1, &w0, &w2, x[8], y[18]);
2153 word3_muladd(&w1, &w0, &w2, x[9], y[17]);
2154 word3_muladd(&w1, &w0, &w2, x[10], y[16]);
2155 word3_muladd(&w1, &w0, &w2, x[11], y[15]);
2156 word3_muladd(&w1, &w0, &w2, x[12], y[14]);
2157 word3_muladd(&w1, &w0, &w2, x[13], y[13]);
2158 word3_muladd(&w1, &w0, &w2, x[14], y[12]);
2159 word3_muladd(&w1, &w0, &w2, x[15], y[11]);
2160 word3_muladd(&w1, &w0, &w2, x[16], y[10]);
2161 word3_muladd(&w1, &w0, &w2, x[17], y[9]);
2162 word3_muladd(&w1, &w0, &w2, x[18], y[8]);
2163 word3_muladd(&w1, &w0, &w2, x[19], y[7]);
2164 word3_muladd(&w1, &w0, &w2, x[20], y[6]);
2165 word3_muladd(&w1, &w0, &w2, x[21], y[5]);
2166 word3_muladd(&w1, &w0, &w2, x[22], y[4]);
2167 word3_muladd(&w1, &w0, &w2, x[23], y[3]);
2168 z[26] = w2;
2169 w2 = 0;
2170
2171 word3_muladd(&w2, &w1, &w0, x[4], y[23]);
2172 word3_muladd(&w2, &w1, &w0, x[5], y[22]);
2173 word3_muladd(&w2, &w1, &w0, x[6], y[21]);
2174 word3_muladd(&w2, &w1, &w0, x[7], y[20]);
2175 word3_muladd(&w2, &w1, &w0, x[8], y[19]);
2176 word3_muladd(&w2, &w1, &w0, x[9], y[18]);
2177 word3_muladd(&w2, &w1, &w0, x[10], y[17]);
2178 word3_muladd(&w2, &w1, &w0, x[11], y[16]);
2179 word3_muladd(&w2, &w1, &w0, x[12], y[15]);
2180 word3_muladd(&w2, &w1, &w0, x[13], y[14]);
2181 word3_muladd(&w2, &w1, &w0, x[14], y[13]);
2182 word3_muladd(&w2, &w1, &w0, x[15], y[12]);
2183 word3_muladd(&w2, &w1, &w0, x[16], y[11]);
2184 word3_muladd(&w2, &w1, &w0, x[17], y[10]);
2185 word3_muladd(&w2, &w1, &w0, x[18], y[9]);
2186 word3_muladd(&w2, &w1, &w0, x[19], y[8]);
2187 word3_muladd(&w2, &w1, &w0, x[20], y[7]);
2188 word3_muladd(&w2, &w1, &w0, x[21], y[6]);
2189 word3_muladd(&w2, &w1, &w0, x[22], y[5]);
2190 word3_muladd(&w2, &w1, &w0, x[23], y[4]);
2191 z[27] = w0;
2192 w0 = 0;
2193
2194 word3_muladd(&w0, &w2, &w1, x[5], y[23]);
2195 word3_muladd(&w0, &w2, &w1, x[6], y[22]);
2196 word3_muladd(&w0, &w2, &w1, x[7], y[21]);
2197 word3_muladd(&w0, &w2, &w1, x[8], y[20]);
2198 word3_muladd(&w0, &w2, &w1, x[9], y[19]);
2199 word3_muladd(&w0, &w2, &w1, x[10], y[18]);
2200 word3_muladd(&w0, &w2, &w1, x[11], y[17]);
2201 word3_muladd(&w0, &w2, &w1, x[12], y[16]);
2202 word3_muladd(&w0, &w2, &w1, x[13], y[15]);
2203 word3_muladd(&w0, &w2, &w1, x[14], y[14]);
2204 word3_muladd(&w0, &w2, &w1, x[15], y[13]);
2205 word3_muladd(&w0, &w2, &w1, x[16], y[12]);
2206 word3_muladd(&w0, &w2, &w1, x[17], y[11]);
2207 word3_muladd(&w0, &w2, &w1, x[18], y[10]);
2208 word3_muladd(&w0, &w2, &w1, x[19], y[9]);
2209 word3_muladd(&w0, &w2, &w1, x[20], y[8]);
2210 word3_muladd(&w0, &w2, &w1, x[21], y[7]);
2211 word3_muladd(&w0, &w2, &w1, x[22], y[6]);
2212 word3_muladd(&w0, &w2, &w1, x[23], y[5]);
2213 z[28] = w1;
2214 w1 = 0;
2215
2216 word3_muladd(&w1, &w0, &w2, x[6], y[23]);
2217 word3_muladd(&w1, &w0, &w2, x[7], y[22]);
2218 word3_muladd(&w1, &w0, &w2, x[8], y[21]);
2219 word3_muladd(&w1, &w0, &w2, x[9], y[20]);
2220 word3_muladd(&w1, &w0, &w2, x[10], y[19]);
2221 word3_muladd(&w1, &w0, &w2, x[11], y[18]);
2222 word3_muladd(&w1, &w0, &w2, x[12], y[17]);
2223 word3_muladd(&w1, &w0, &w2, x[13], y[16]);
2224 word3_muladd(&w1, &w0, &w2, x[14], y[15]);
2225 word3_muladd(&w1, &w0, &w2, x[15], y[14]);
2226 word3_muladd(&w1, &w0, &w2, x[16], y[13]);
2227 word3_muladd(&w1, &w0, &w2, x[17], y[12]);
2228 word3_muladd(&w1, &w0, &w2, x[18], y[11]);
2229 word3_muladd(&w1, &w0, &w2, x[19], y[10]);
2230 word3_muladd(&w1, &w0, &w2, x[20], y[9]);
2231 word3_muladd(&w1, &w0, &w2, x[21], y[8]);
2232 word3_muladd(&w1, &w0, &w2, x[22], y[7]);
2233 word3_muladd(&w1, &w0, &w2, x[23], y[6]);
2234 z[29] = w2;
2235 w2 = 0;
2236
2237 word3_muladd(&w2, &w1, &w0, x[7], y[23]);
2238 word3_muladd(&w2, &w1, &w0, x[8], y[22]);
2239 word3_muladd(&w2, &w1, &w0, x[9], y[21]);
2240 word3_muladd(&w2, &w1, &w0, x[10], y[20]);
2241 word3_muladd(&w2, &w1, &w0, x[11], y[19]);
2242 word3_muladd(&w2, &w1, &w0, x[12], y[18]);
2243 word3_muladd(&w2, &w1, &w0, x[13], y[17]);
2244 word3_muladd(&w2, &w1, &w0, x[14], y[16]);
2245 word3_muladd(&w2, &w1, &w0, x[15], y[15]);
2246 word3_muladd(&w2, &w1, &w0, x[16], y[14]);
2247 word3_muladd(&w2, &w1, &w0, x[17], y[13]);
2248 word3_muladd(&w2, &w1, &w0, x[18], y[12]);
2249 word3_muladd(&w2, &w1, &w0, x[19], y[11]);
2250 word3_muladd(&w2, &w1, &w0, x[20], y[10]);
2251 word3_muladd(&w2, &w1, &w0, x[21], y[9]);
2252 word3_muladd(&w2, &w1, &w0, x[22], y[8]);
2253 word3_muladd(&w2, &w1, &w0, x[23], y[7]);
2254 z[30] = w0;
2255 w0 = 0;
2256
2257 word3_muladd(&w0, &w2, &w1, x[8], y[23]);
2258 word3_muladd(&w0, &w2, &w1, x[9], y[22]);
2259 word3_muladd(&w0, &w2, &w1, x[10], y[21]);
2260 word3_muladd(&w0, &w2, &w1, x[11], y[20]);
2261 word3_muladd(&w0, &w2, &w1, x[12], y[19]);
2262 word3_muladd(&w0, &w2, &w1, x[13], y[18]);
2263 word3_muladd(&w0, &w2, &w1, x[14], y[17]);
2264 word3_muladd(&w0, &w2, &w1, x[15], y[16]);
2265 word3_muladd(&w0, &w2, &w1, x[16], y[15]);
2266 word3_muladd(&w0, &w2, &w1, x[17], y[14]);
2267 word3_muladd(&w0, &w2, &w1, x[18], y[13]);
2268 word3_muladd(&w0, &w2, &w1, x[19], y[12]);
2269 word3_muladd(&w0, &w2, &w1, x[20], y[11]);
2270 word3_muladd(&w0, &w2, &w1, x[21], y[10]);
2271 word3_muladd(&w0, &w2, &w1, x[22], y[9]);
2272 word3_muladd(&w0, &w2, &w1, x[23], y[8]);
2273 z[31] = w1;
2274 w1 = 0;
2275
2276 word3_muladd(&w1, &w0, &w2, x[9], y[23]);
2277 word3_muladd(&w1, &w0, &w2, x[10], y[22]);
2278 word3_muladd(&w1, &w0, &w2, x[11], y[21]);
2279 word3_muladd(&w1, &w0, &w2, x[12], y[20]);
2280 word3_muladd(&w1, &w0, &w2, x[13], y[19]);
2281 word3_muladd(&w1, &w0, &w2, x[14], y[18]);
2282 word3_muladd(&w1, &w0, &w2, x[15], y[17]);
2283 word3_muladd(&w1, &w0, &w2, x[16], y[16]);
2284 word3_muladd(&w1, &w0, &w2, x[17], y[15]);
2285 word3_muladd(&w1, &w0, &w2, x[18], y[14]);
2286 word3_muladd(&w1, &w0, &w2, x[19], y[13]);
2287 word3_muladd(&w1, &w0, &w2, x[20], y[12]);
2288 word3_muladd(&w1, &w0, &w2, x[21], y[11]);
2289 word3_muladd(&w1, &w0, &w2, x[22], y[10]);
2290 word3_muladd(&w1, &w0, &w2, x[23], y[9]);
2291 z[32] = w2;
2292 w2 = 0;
2293
2294 word3_muladd(&w2, &w1, &w0, x[10], y[23]);
2295 word3_muladd(&w2, &w1, &w0, x[11], y[22]);
2296 word3_muladd(&w2, &w1, &w0, x[12], y[21]);
2297 word3_muladd(&w2, &w1, &w0, x[13], y[20]);
2298 word3_muladd(&w2, &w1, &w0, x[14], y[19]);
2299 word3_muladd(&w2, &w1, &w0, x[15], y[18]);
2300 word3_muladd(&w2, &w1, &w0, x[16], y[17]);
2301 word3_muladd(&w2, &w1, &w0, x[17], y[16]);
2302 word3_muladd(&w2, &w1, &w0, x[18], y[15]);
2303 word3_muladd(&w2, &w1, &w0, x[19], y[14]);
2304 word3_muladd(&w2, &w1, &w0, x[20], y[13]);
2305 word3_muladd(&w2, &w1, &w0, x[21], y[12]);
2306 word3_muladd(&w2, &w1, &w0, x[22], y[11]);
2307 word3_muladd(&w2, &w1, &w0, x[23], y[10]);
2308 z[33] = w0;
2309 w0 = 0;
2310
2311 word3_muladd(&w0, &w2, &w1, x[11], y[23]);
2312 word3_muladd(&w0, &w2, &w1, x[12], y[22]);
2313 word3_muladd(&w0, &w2, &w1, x[13], y[21]);
2314 word3_muladd(&w0, &w2, &w1, x[14], y[20]);
2315 word3_muladd(&w0, &w2, &w1, x[15], y[19]);
2316 word3_muladd(&w0, &w2, &w1, x[16], y[18]);
2317 word3_muladd(&w0, &w2, &w1, x[17], y[17]);
2318 word3_muladd(&w0, &w2, &w1, x[18], y[16]);
2319 word3_muladd(&w0, &w2, &w1, x[19], y[15]);
2320 word3_muladd(&w0, &w2, &w1, x[20], y[14]);
2321 word3_muladd(&w0, &w2, &w1, x[21], y[13]);
2322 word3_muladd(&w0, &w2, &w1, x[22], y[12]);
2323 word3_muladd(&w0, &w2, &w1, x[23], y[11]);
2324 z[34] = w1;
2325 w1 = 0;
2326
2327 word3_muladd(&w1, &w0, &w2, x[12], y[23]);
2328 word3_muladd(&w1, &w0, &w2, x[13], y[22]);
2329 word3_muladd(&w1, &w0, &w2, x[14], y[21]);
2330 word3_muladd(&w1, &w0, &w2, x[15], y[20]);
2331 word3_muladd(&w1, &w0, &w2, x[16], y[19]);
2332 word3_muladd(&w1, &w0, &w2, x[17], y[18]);
2333 word3_muladd(&w1, &w0, &w2, x[18], y[17]);
2334 word3_muladd(&w1, &w0, &w2, x[19], y[16]);
2335 word3_muladd(&w1, &w0, &w2, x[20], y[15]);
2336 word3_muladd(&w1, &w0, &w2, x[21], y[14]);
2337 word3_muladd(&w1, &w0, &w2, x[22], y[13]);
2338 word3_muladd(&w1, &w0, &w2, x[23], y[12]);
2339 z[35] = w2;
2340 w2 = 0;
2341
2342 word3_muladd(&w2, &w1, &w0, x[13], y[23]);
2343 word3_muladd(&w2, &w1, &w0, x[14], y[22]);
2344 word3_muladd(&w2, &w1, &w0, x[15], y[21]);
2345 word3_muladd(&w2, &w1, &w0, x[16], y[20]);
2346 word3_muladd(&w2, &w1, &w0, x[17], y[19]);
2347 word3_muladd(&w2, &w1, &w0, x[18], y[18]);
2348 word3_muladd(&w2, &w1, &w0, x[19], y[17]);
2349 word3_muladd(&w2, &w1, &w0, x[20], y[16]);
2350 word3_muladd(&w2, &w1, &w0, x[21], y[15]);
2351 word3_muladd(&w2, &w1, &w0, x[22], y[14]);
2352 word3_muladd(&w2, &w1, &w0, x[23], y[13]);
2353 z[36] = w0;
2354 w0 = 0;
2355
2356 word3_muladd(&w0, &w2, &w1, x[14], y[23]);
2357 word3_muladd(&w0, &w2, &w1, x[15], y[22]);
2358 word3_muladd(&w0, &w2, &w1, x[16], y[21]);
2359 word3_muladd(&w0, &w2, &w1, x[17], y[20]);
2360 word3_muladd(&w0, &w2, &w1, x[18], y[19]);
2361 word3_muladd(&w0, &w2, &w1, x[19], y[18]);
2362 word3_muladd(&w0, &w2, &w1, x[20], y[17]);
2363 word3_muladd(&w0, &w2, &w1, x[21], y[16]);
2364 word3_muladd(&w0, &w2, &w1, x[22], y[15]);
2365 word3_muladd(&w0, &w2, &w1, x[23], y[14]);
2366 z[37] = w1;
2367 w1 = 0;
2368
2369 word3_muladd(&w1, &w0, &w2, x[15], y[23]);
2370 word3_muladd(&w1, &w0, &w2, x[16], y[22]);
2371 word3_muladd(&w1, &w0, &w2, x[17], y[21]);
2372 word3_muladd(&w1, &w0, &w2, x[18], y[20]);
2373 word3_muladd(&w1, &w0, &w2, x[19], y[19]);
2374 word3_muladd(&w1, &w0, &w2, x[20], y[18]);
2375 word3_muladd(&w1, &w0, &w2, x[21], y[17]);
2376 word3_muladd(&w1, &w0, &w2, x[22], y[16]);
2377 word3_muladd(&w1, &w0, &w2, x[23], y[15]);
2378 z[38] = w2;
2379 w2 = 0;
2380
2381 word3_muladd(&w2, &w1, &w0, x[16], y[23]);
2382 word3_muladd(&w2, &w1, &w0, x[17], y[22]);
2383 word3_muladd(&w2, &w1, &w0, x[18], y[21]);
2384 word3_muladd(&w2, &w1, &w0, x[19], y[20]);
2385 word3_muladd(&w2, &w1, &w0, x[20], y[19]);
2386 word3_muladd(&w2, &w1, &w0, x[21], y[18]);
2387 word3_muladd(&w2, &w1, &w0, x[22], y[17]);
2388 word3_muladd(&w2, &w1, &w0, x[23], y[16]);
2389 z[39] = w0;
2390 w0 = 0;
2391
2392 word3_muladd(&w0, &w2, &w1, x[17], y[23]);
2393 word3_muladd(&w0, &w2, &w1, x[18], y[22]);
2394 word3_muladd(&w0, &w2, &w1, x[19], y[21]);
2395 word3_muladd(&w0, &w2, &w1, x[20], y[20]);
2396 word3_muladd(&w0, &w2, &w1, x[21], y[19]);
2397 word3_muladd(&w0, &w2, &w1, x[22], y[18]);
2398 word3_muladd(&w0, &w2, &w1, x[23], y[17]);
2399 z[40] = w1;
2400 w1 = 0;
2401
2402 word3_muladd(&w1, &w0, &w2, x[18], y[23]);
2403 word3_muladd(&w1, &w0, &w2, x[19], y[22]);
2404 word3_muladd(&w1, &w0, &w2, x[20], y[21]);
2405 word3_muladd(&w1, &w0, &w2, x[21], y[20]);
2406 word3_muladd(&w1, &w0, &w2, x[22], y[19]);
2407 word3_muladd(&w1, &w0, &w2, x[23], y[18]);
2408 z[41] = w2;
2409 w2 = 0;
2410
2411 word3_muladd(&w2, &w1, &w0, x[19], y[23]);
2412 word3_muladd(&w2, &w1, &w0, x[20], y[22]);
2413 word3_muladd(&w2, &w1, &w0, x[21], y[21]);
2414 word3_muladd(&w2, &w1, &w0, x[22], y[20]);
2415 word3_muladd(&w2, &w1, &w0, x[23], y[19]);
2416 z[42] = w0;
2417 w0 = 0;
2418
2419 word3_muladd(&w0, &w2, &w1, x[20], y[23]);
2420 word3_muladd(&w0, &w2, &w1, x[21], y[22]);
2421 word3_muladd(&w0, &w2, &w1, x[22], y[21]);
2422 word3_muladd(&w0, &w2, &w1, x[23], y[20]);
2423 z[43] = w1;
2424 w1 = 0;
2425
2426 word3_muladd(&w1, &w0, &w2, x[21], y[23]);
2427 word3_muladd(&w1, &w0, &w2, x[22], y[22]);
2428 word3_muladd(&w1, &w0, &w2, x[23], y[21]);
2429 z[44] = w2;
2430 w2 = 0;
2431
2432 word3_muladd(&w2, &w1, &w0, x[22], y[23]);
2433 word3_muladd(&w2, &w1, &w0, x[23], y[22]);
2434 z[45] = w0;
2435 w0 = 0;
2436
2437 word3_muladd(&w0, &w2, &w1, x[23], y[23]);
2438 z[46] = w1;
2439 z[47] = w2;
2440}

References word3_muladd().

Referenced by bigint_mul().

◆ bigint_comba_mul4()

BOTAN_FUZZER_API void Botan::bigint_comba_mul4 ( word z[8],
const word x[4],
const word y[4] )

Definition at line 54 of file mp_comba.cpp.

54 {
55 word w2 = 0, w1 = 0, w0 = 0;
56
57 word3_muladd(&w2, &w1, &w0, x[0], y[0]);
58 z[0] = w0;
59 w0 = 0;
60
61 word3_muladd(&w0, &w2, &w1, x[0], y[1]);
62 word3_muladd(&w0, &w2, &w1, x[1], y[0]);
63 z[1] = w1;
64 w1 = 0;
65
66 word3_muladd(&w1, &w0, &w2, x[0], y[2]);
67 word3_muladd(&w1, &w0, &w2, x[1], y[1]);
68 word3_muladd(&w1, &w0, &w2, x[2], y[0]);
69 z[2] = w2;
70 w2 = 0;
71
72 word3_muladd(&w2, &w1, &w0, x[0], y[3]);
73 word3_muladd(&w2, &w1, &w0, x[1], y[2]);
74 word3_muladd(&w2, &w1, &w0, x[2], y[1]);
75 word3_muladd(&w2, &w1, &w0, x[3], y[0]);
76 z[3] = w0;
77 w0 = 0;
78
79 word3_muladd(&w0, &w2, &w1, x[1], y[3]);
80 word3_muladd(&w0, &w2, &w1, x[2], y[2]);
81 word3_muladd(&w0, &w2, &w1, x[3], y[1]);
82 z[4] = w1;
83 w1 = 0;
84
85 word3_muladd(&w1, &w0, &w2, x[2], y[3]);
86 word3_muladd(&w1, &w0, &w2, x[3], y[2]);
87 z[5] = w2;
88 w2 = 0;
89
90 word3_muladd(&w2, &w1, &w0, x[3], y[3]);
91 z[6] = w0;
92 z[7] = w1;
93}

References word3_muladd().

Referenced by bigint_mul().

◆ bigint_comba_mul6()

BOTAN_FUZZER_API void Botan::bigint_comba_mul6 ( word z[12],
const word x[6],
const word y[6] )

Definition at line 159 of file mp_comba.cpp.

159 {
160 word w2 = 0, w1 = 0, w0 = 0;
161
162 word3_muladd(&w2, &w1, &w0, x[0], y[0]);
163 z[0] = w0;
164 w0 = 0;
165
166 word3_muladd(&w0, &w2, &w1, x[0], y[1]);
167 word3_muladd(&w0, &w2, &w1, x[1], y[0]);
168 z[1] = w1;
169 w1 = 0;
170
171 word3_muladd(&w1, &w0, &w2, x[0], y[2]);
172 word3_muladd(&w1, &w0, &w2, x[1], y[1]);
173 word3_muladd(&w1, &w0, &w2, x[2], y[0]);
174 z[2] = w2;
175 w2 = 0;
176
177 word3_muladd(&w2, &w1, &w0, x[0], y[3]);
178 word3_muladd(&w2, &w1, &w0, x[1], y[2]);
179 word3_muladd(&w2, &w1, &w0, x[2], y[1]);
180 word3_muladd(&w2, &w1, &w0, x[3], y[0]);
181 z[3] = w0;
182 w0 = 0;
183
184 word3_muladd(&w0, &w2, &w1, x[0], y[4]);
185 word3_muladd(&w0, &w2, &w1, x[1], y[3]);
186 word3_muladd(&w0, &w2, &w1, x[2], y[2]);
187 word3_muladd(&w0, &w2, &w1, x[3], y[1]);
188 word3_muladd(&w0, &w2, &w1, x[4], y[0]);
189 z[4] = w1;
190 w1 = 0;
191
192 word3_muladd(&w1, &w0, &w2, x[0], y[5]);
193 word3_muladd(&w1, &w0, &w2, x[1], y[4]);
194 word3_muladd(&w1, &w0, &w2, x[2], y[3]);
195 word3_muladd(&w1, &w0, &w2, x[3], y[2]);
196 word3_muladd(&w1, &w0, &w2, x[4], y[1]);
197 word3_muladd(&w1, &w0, &w2, x[5], y[0]);
198 z[5] = w2;
199 w2 = 0;
200
201 word3_muladd(&w2, &w1, &w0, x[1], y[5]);
202 word3_muladd(&w2, &w1, &w0, x[2], y[4]);
203 word3_muladd(&w2, &w1, &w0, x[3], y[3]);
204 word3_muladd(&w2, &w1, &w0, x[4], y[2]);
205 word3_muladd(&w2, &w1, &w0, x[5], y[1]);
206 z[6] = w0;
207 w0 = 0;
208
209 word3_muladd(&w0, &w2, &w1, x[2], y[5]);
210 word3_muladd(&w0, &w2, &w1, x[3], y[4]);
211 word3_muladd(&w0, &w2, &w1, x[4], y[3]);
212 word3_muladd(&w0, &w2, &w1, x[5], y[2]);
213 z[7] = w1;
214 w1 = 0;
215
216 word3_muladd(&w1, &w0, &w2, x[3], y[5]);
217 word3_muladd(&w1, &w0, &w2, x[4], y[4]);
218 word3_muladd(&w1, &w0, &w2, x[5], y[3]);
219 z[8] = w2;
220 w2 = 0;
221
222 word3_muladd(&w2, &w1, &w0, x[4], y[5]);
223 word3_muladd(&w2, &w1, &w0, x[5], y[4]);
224 z[9] = w0;
225 w0 = 0;
226
227 word3_muladd(&w0, &w2, &w1, x[5], y[5]);
228 z[10] = w1;
229 z[11] = w2;
230}

References word3_muladd().

Referenced by bigint_mul().

◆ bigint_comba_mul8()

BOTAN_FUZZER_API void Botan::bigint_comba_mul8 ( word z[16],
const word x[8],
const word y[8] )

Definition at line 323 of file mp_comba.cpp.

323 {
324 word w2 = 0, w1 = 0, w0 = 0;
325
326 word3_muladd(&w2, &w1, &w0, x[0], y[0]);
327 z[0] = w0;
328 w0 = 0;
329
330 word3_muladd(&w0, &w2, &w1, x[0], y[1]);
331 word3_muladd(&w0, &w2, &w1, x[1], y[0]);
332 z[1] = w1;
333 w1 = 0;
334
335 word3_muladd(&w1, &w0, &w2, x[0], y[2]);
336 word3_muladd(&w1, &w0, &w2, x[1], y[1]);
337 word3_muladd(&w1, &w0, &w2, x[2], y[0]);
338 z[2] = w2;
339 w2 = 0;
340
341 word3_muladd(&w2, &w1, &w0, x[0], y[3]);
342 word3_muladd(&w2, &w1, &w0, x[1], y[2]);
343 word3_muladd(&w2, &w1, &w0, x[2], y[1]);
344 word3_muladd(&w2, &w1, &w0, x[3], y[0]);
345 z[3] = w0;
346 w0 = 0;
347
348 word3_muladd(&w0, &w2, &w1, x[0], y[4]);
349 word3_muladd(&w0, &w2, &w1, x[1], y[3]);
350 word3_muladd(&w0, &w2, &w1, x[2], y[2]);
351 word3_muladd(&w0, &w2, &w1, x[3], y[1]);
352 word3_muladd(&w0, &w2, &w1, x[4], y[0]);
353 z[4] = w1;
354 w1 = 0;
355
356 word3_muladd(&w1, &w0, &w2, x[0], y[5]);
357 word3_muladd(&w1, &w0, &w2, x[1], y[4]);
358 word3_muladd(&w1, &w0, &w2, x[2], y[3]);
359 word3_muladd(&w1, &w0, &w2, x[3], y[2]);
360 word3_muladd(&w1, &w0, &w2, x[4], y[1]);
361 word3_muladd(&w1, &w0, &w2, x[5], y[0]);
362 z[5] = w2;
363 w2 = 0;
364
365 word3_muladd(&w2, &w1, &w0, x[0], y[6]);
366 word3_muladd(&w2, &w1, &w0, x[1], y[5]);
367 word3_muladd(&w2, &w1, &w0, x[2], y[4]);
368 word3_muladd(&w2, &w1, &w0, x[3], y[3]);
369 word3_muladd(&w2, &w1, &w0, x[4], y[2]);
370 word3_muladd(&w2, &w1, &w0, x[5], y[1]);
371 word3_muladd(&w2, &w1, &w0, x[6], y[0]);
372 z[6] = w0;
373 w0 = 0;
374
375 word3_muladd(&w0, &w2, &w1, x[0], y[7]);
376 word3_muladd(&w0, &w2, &w1, x[1], y[6]);
377 word3_muladd(&w0, &w2, &w1, x[2], y[5]);
378 word3_muladd(&w0, &w2, &w1, x[3], y[4]);
379 word3_muladd(&w0, &w2, &w1, x[4], y[3]);
380 word3_muladd(&w0, &w2, &w1, x[5], y[2]);
381 word3_muladd(&w0, &w2, &w1, x[6], y[1]);
382 word3_muladd(&w0, &w2, &w1, x[7], y[0]);
383 z[7] = w1;
384 w1 = 0;
385
386 word3_muladd(&w1, &w0, &w2, x[1], y[7]);
387 word3_muladd(&w1, &w0, &w2, x[2], y[6]);
388 word3_muladd(&w1, &w0, &w2, x[3], y[5]);
389 word3_muladd(&w1, &w0, &w2, x[4], y[4]);
390 word3_muladd(&w1, &w0, &w2, x[5], y[3]);
391 word3_muladd(&w1, &w0, &w2, x[6], y[2]);
392 word3_muladd(&w1, &w0, &w2, x[7], y[1]);
393 z[8] = w2;
394 w2 = 0;
395
396 word3_muladd(&w2, &w1, &w0, x[2], y[7]);
397 word3_muladd(&w2, &w1, &w0, x[3], y[6]);
398 word3_muladd(&w2, &w1, &w0, x[4], y[5]);
399 word3_muladd(&w2, &w1, &w0, x[5], y[4]);
400 word3_muladd(&w2, &w1, &w0, x[6], y[3]);
401 word3_muladd(&w2, &w1, &w0, x[7], y[2]);
402 z[9] = w0;
403 w0 = 0;
404
405 word3_muladd(&w0, &w2, &w1, x[3], y[7]);
406 word3_muladd(&w0, &w2, &w1, x[4], y[6]);
407 word3_muladd(&w0, &w2, &w1, x[5], y[5]);
408 word3_muladd(&w0, &w2, &w1, x[6], y[4]);
409 word3_muladd(&w0, &w2, &w1, x[7], y[3]);
410 z[10] = w1;
411 w1 = 0;
412
413 word3_muladd(&w1, &w0, &w2, x[4], y[7]);
414 word3_muladd(&w1, &w0, &w2, x[5], y[6]);
415 word3_muladd(&w1, &w0, &w2, x[6], y[5]);
416 word3_muladd(&w1, &w0, &w2, x[7], y[4]);
417 z[11] = w2;
418 w2 = 0;
419
420 word3_muladd(&w2, &w1, &w0, x[5], y[7]);
421 word3_muladd(&w2, &w1, &w0, x[6], y[6]);
422 word3_muladd(&w2, &w1, &w0, x[7], y[5]);
423 z[12] = w0;
424 w0 = 0;
425
426 word3_muladd(&w0, &w2, &w1, x[6], y[7]);
427 word3_muladd(&w0, &w2, &w1, x[7], y[6]);
428 z[13] = w1;
429 w1 = 0;
430
431 word3_muladd(&w1, &w0, &w2, x[7], y[7]);
432 z[14] = w2;
433 z[15] = w0;
434}

References word3_muladd().

Referenced by bigint_mul().

◆ bigint_comba_mul9()

BOTAN_FUZZER_API void Botan::bigint_comba_mul9 ( word z[18],
const word x[9],
const word y[9] )

Definition at line 542 of file mp_comba.cpp.

542 {
543 word w2 = 0, w1 = 0, w0 = 0;
544
545 word3_muladd(&w2, &w1, &w0, x[0], y[0]);
546 z[0] = w0;
547 w0 = 0;
548
549 word3_muladd(&w0, &w2, &w1, x[0], y[1]);
550 word3_muladd(&w0, &w2, &w1, x[1], y[0]);
551 z[1] = w1;
552 w1 = 0;
553
554 word3_muladd(&w1, &w0, &w2, x[0], y[2]);
555 word3_muladd(&w1, &w0, &w2, x[1], y[1]);
556 word3_muladd(&w1, &w0, &w2, x[2], y[0]);
557 z[2] = w2;
558 w2 = 0;
559
560 word3_muladd(&w2, &w1, &w0, x[0], y[3]);
561 word3_muladd(&w2, &w1, &w0, x[1], y[2]);
562 word3_muladd(&w2, &w1, &w0, x[2], y[1]);
563 word3_muladd(&w2, &w1, &w0, x[3], y[0]);
564 z[3] = w0;
565 w0 = 0;
566
567 word3_muladd(&w0, &w2, &w1, x[0], y[4]);
568 word3_muladd(&w0, &w2, &w1, x[1], y[3]);
569 word3_muladd(&w0, &w2, &w1, x[2], y[2]);
570 word3_muladd(&w0, &w2, &w1, x[3], y[1]);
571 word3_muladd(&w0, &w2, &w1, x[4], y[0]);
572 z[4] = w1;
573 w1 = 0;
574
575 word3_muladd(&w1, &w0, &w2, x[0], y[5]);
576 word3_muladd(&w1, &w0, &w2, x[1], y[4]);
577 word3_muladd(&w1, &w0, &w2, x[2], y[3]);
578 word3_muladd(&w1, &w0, &w2, x[3], y[2]);
579 word3_muladd(&w1, &w0, &w2, x[4], y[1]);
580 word3_muladd(&w1, &w0, &w2, x[5], y[0]);
581 z[5] = w2;
582 w2 = 0;
583
584 word3_muladd(&w2, &w1, &w0, x[0], y[6]);
585 word3_muladd(&w2, &w1, &w0, x[1], y[5]);
586 word3_muladd(&w2, &w1, &w0, x[2], y[4]);
587 word3_muladd(&w2, &w1, &w0, x[3], y[3]);
588 word3_muladd(&w2, &w1, &w0, x[4], y[2]);
589 word3_muladd(&w2, &w1, &w0, x[5], y[1]);
590 word3_muladd(&w2, &w1, &w0, x[6], y[0]);
591 z[6] = w0;
592 w0 = 0;
593
594 word3_muladd(&w0, &w2, &w1, x[0], y[7]);
595 word3_muladd(&w0, &w2, &w1, x[1], y[6]);
596 word3_muladd(&w0, &w2, &w1, x[2], y[5]);
597 word3_muladd(&w0, &w2, &w1, x[3], y[4]);
598 word3_muladd(&w0, &w2, &w1, x[4], y[3]);
599 word3_muladd(&w0, &w2, &w1, x[5], y[2]);
600 word3_muladd(&w0, &w2, &w1, x[6], y[1]);
601 word3_muladd(&w0, &w2, &w1, x[7], y[0]);
602 z[7] = w1;
603 w1 = 0;
604
605 word3_muladd(&w1, &w0, &w2, x[0], y[8]);
606 word3_muladd(&w1, &w0, &w2, x[1], y[7]);
607 word3_muladd(&w1, &w0, &w2, x[2], y[6]);
608 word3_muladd(&w1, &w0, &w2, x[3], y[5]);
609 word3_muladd(&w1, &w0, &w2, x[4], y[4]);
610 word3_muladd(&w1, &w0, &w2, x[5], y[3]);
611 word3_muladd(&w1, &w0, &w2, x[6], y[2]);
612 word3_muladd(&w1, &w0, &w2, x[7], y[1]);
613 word3_muladd(&w1, &w0, &w2, x[8], y[0]);
614 z[8] = w2;
615 w2 = 0;
616
617 word3_muladd(&w2, &w1, &w0, x[1], y[8]);
618 word3_muladd(&w2, &w1, &w0, x[2], y[7]);
619 word3_muladd(&w2, &w1, &w0, x[3], y[6]);
620 word3_muladd(&w2, &w1, &w0, x[4], y[5]);
621 word3_muladd(&w2, &w1, &w0, x[5], y[4]);
622 word3_muladd(&w2, &w1, &w0, x[6], y[3]);
623 word3_muladd(&w2, &w1, &w0, x[7], y[2]);
624 word3_muladd(&w2, &w1, &w0, x[8], y[1]);
625 z[9] = w0;
626 w0 = 0;
627
628 word3_muladd(&w0, &w2, &w1, x[2], y[8]);
629 word3_muladd(&w0, &w2, &w1, x[3], y[7]);
630 word3_muladd(&w0, &w2, &w1, x[4], y[6]);
631 word3_muladd(&w0, &w2, &w1, x[5], y[5]);
632 word3_muladd(&w0, &w2, &w1, x[6], y[4]);
633 word3_muladd(&w0, &w2, &w1, x[7], y[3]);
634 word3_muladd(&w0, &w2, &w1, x[8], y[2]);
635 z[10] = w1;
636 w1 = 0;
637
638 word3_muladd(&w1, &w0, &w2, x[3], y[8]);
639 word3_muladd(&w1, &w0, &w2, x[4], y[7]);
640 word3_muladd(&w1, &w0, &w2, x[5], y[6]);
641 word3_muladd(&w1, &w0, &w2, x[6], y[5]);
642 word3_muladd(&w1, &w0, &w2, x[7], y[4]);
643 word3_muladd(&w1, &w0, &w2, x[8], y[3]);
644 z[11] = w2;
645 w2 = 0;
646
647 word3_muladd(&w2, &w1, &w0, x[4], y[8]);
648 word3_muladd(&w2, &w1, &w0, x[5], y[7]);
649 word3_muladd(&w2, &w1, &w0, x[6], y[6]);
650 word3_muladd(&w2, &w1, &w0, x[7], y[5]);
651 word3_muladd(&w2, &w1, &w0, x[8], y[4]);
652 z[12] = w0;
653 w0 = 0;
654
655 word3_muladd(&w0, &w2, &w1, x[5], y[8]);
656 word3_muladd(&w0, &w2, &w1, x[6], y[7]);
657 word3_muladd(&w0, &w2, &w1, x[7], y[6]);
658 word3_muladd(&w0, &w2, &w1, x[8], y[5]);
659 z[13] = w1;
660 w1 = 0;
661
662 word3_muladd(&w1, &w0, &w2, x[6], y[8]);
663 word3_muladd(&w1, &w0, &w2, x[7], y[7]);
664 word3_muladd(&w1, &w0, &w2, x[8], y[6]);
665 z[14] = w2;
666 w2 = 0;
667
668 word3_muladd(&w2, &w1, &w0, x[7], y[8]);
669 word3_muladd(&w2, &w1, &w0, x[8], y[7]);
670 z[15] = w0;
671 w0 = 0;
672
673 word3_muladd(&w0, &w2, &w1, x[8], y[8]);
674 z[16] = w1;
675 z[17] = w2;
676}

References word3_muladd().

Referenced by bigint_mul().

◆ bigint_comba_sqr16()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr16 ( word z[32],
const word x[16] )

Definition at line 681 of file mp_comba.cpp.

681 {
682 word w2 = 0, w1 = 0, w0 = 0;
683
684 word3_muladd(&w2, &w1, &w0, x[0], x[0]);
685 z[0] = w0;
686 w0 = 0;
687
688 word3_muladd_2(&w0, &w2, &w1, x[0], x[1]);
689 z[1] = w1;
690 w1 = 0;
691
692 word3_muladd_2(&w1, &w0, &w2, x[0], x[2]);
693 word3_muladd(&w1, &w0, &w2, x[1], x[1]);
694 z[2] = w2;
695 w2 = 0;
696
697 word3_muladd_2(&w2, &w1, &w0, x[0], x[3]);
698 word3_muladd_2(&w2, &w1, &w0, x[1], x[2]);
699 z[3] = w0;
700 w0 = 0;
701
702 word3_muladd_2(&w0, &w2, &w1, x[0], x[4]);
703 word3_muladd_2(&w0, &w2, &w1, x[1], x[3]);
704 word3_muladd(&w0, &w2, &w1, x[2], x[2]);
705 z[4] = w1;
706 w1 = 0;
707
708 word3_muladd_2(&w1, &w0, &w2, x[0], x[5]);
709 word3_muladd_2(&w1, &w0, &w2, x[1], x[4]);
710 word3_muladd_2(&w1, &w0, &w2, x[2], x[3]);
711 z[5] = w2;
712 w2 = 0;
713
714 word3_muladd_2(&w2, &w1, &w0, x[0], x[6]);
715 word3_muladd_2(&w2, &w1, &w0, x[1], x[5]);
716 word3_muladd_2(&w2, &w1, &w0, x[2], x[4]);
717 word3_muladd(&w2, &w1, &w0, x[3], x[3]);
718 z[6] = w0;
719 w0 = 0;
720
721 word3_muladd_2(&w0, &w2, &w1, x[0], x[7]);
722 word3_muladd_2(&w0, &w2, &w1, x[1], x[6]);
723 word3_muladd_2(&w0, &w2, &w1, x[2], x[5]);
724 word3_muladd_2(&w0, &w2, &w1, x[3], x[4]);
725 z[7] = w1;
726 w1 = 0;
727
728 word3_muladd_2(&w1, &w0, &w2, x[0], x[8]);
729 word3_muladd_2(&w1, &w0, &w2, x[1], x[7]);
730 word3_muladd_2(&w1, &w0, &w2, x[2], x[6]);
731 word3_muladd_2(&w1, &w0, &w2, x[3], x[5]);
732 word3_muladd(&w1, &w0, &w2, x[4], x[4]);
733 z[8] = w2;
734 w2 = 0;
735
736 word3_muladd_2(&w2, &w1, &w0, x[0], x[9]);
737 word3_muladd_2(&w2, &w1, &w0, x[1], x[8]);
738 word3_muladd_2(&w2, &w1, &w0, x[2], x[7]);
739 word3_muladd_2(&w2, &w1, &w0, x[3], x[6]);
740 word3_muladd_2(&w2, &w1, &w0, x[4], x[5]);
741 z[9] = w0;
742 w0 = 0;
743
744 word3_muladd_2(&w0, &w2, &w1, x[0], x[10]);
745 word3_muladd_2(&w0, &w2, &w1, x[1], x[9]);
746 word3_muladd_2(&w0, &w2, &w1, x[2], x[8]);
747 word3_muladd_2(&w0, &w2, &w1, x[3], x[7]);
748 word3_muladd_2(&w0, &w2, &w1, x[4], x[6]);
749 word3_muladd(&w0, &w2, &w1, x[5], x[5]);
750 z[10] = w1;
751 w1 = 0;
752
753 word3_muladd_2(&w1, &w0, &w2, x[0], x[11]);
754 word3_muladd_2(&w1, &w0, &w2, x[1], x[10]);
755 word3_muladd_2(&w1, &w0, &w2, x[2], x[9]);
756 word3_muladd_2(&w1, &w0, &w2, x[3], x[8]);
757 word3_muladd_2(&w1, &w0, &w2, x[4], x[7]);
758 word3_muladd_2(&w1, &w0, &w2, x[5], x[6]);
759 z[11] = w2;
760 w2 = 0;
761
762 word3_muladd_2(&w2, &w1, &w0, x[0], x[12]);
763 word3_muladd_2(&w2, &w1, &w0, x[1], x[11]);
764 word3_muladd_2(&w2, &w1, &w0, x[2], x[10]);
765 word3_muladd_2(&w2, &w1, &w0, x[3], x[9]);
766 word3_muladd_2(&w2, &w1, &w0, x[4], x[8]);
767 word3_muladd_2(&w2, &w1, &w0, x[5], x[7]);
768 word3_muladd(&w2, &w1, &w0, x[6], x[6]);
769 z[12] = w0;
770 w0 = 0;
771
772 word3_muladd_2(&w0, &w2, &w1, x[0], x[13]);
773 word3_muladd_2(&w0, &w2, &w1, x[1], x[12]);
774 word3_muladd_2(&w0, &w2, &w1, x[2], x[11]);
775 word3_muladd_2(&w0, &w2, &w1, x[3], x[10]);
776 word3_muladd_2(&w0, &w2, &w1, x[4], x[9]);
777 word3_muladd_2(&w0, &w2, &w1, x[5], x[8]);
778 word3_muladd_2(&w0, &w2, &w1, x[6], x[7]);
779 z[13] = w1;
780 w1 = 0;
781
782 word3_muladd_2(&w1, &w0, &w2, x[0], x[14]);
783 word3_muladd_2(&w1, &w0, &w2, x[1], x[13]);
784 word3_muladd_2(&w1, &w0, &w2, x[2], x[12]);
785 word3_muladd_2(&w1, &w0, &w2, x[3], x[11]);
786 word3_muladd_2(&w1, &w0, &w2, x[4], x[10]);
787 word3_muladd_2(&w1, &w0, &w2, x[5], x[9]);
788 word3_muladd_2(&w1, &w0, &w2, x[6], x[8]);
789 word3_muladd(&w1, &w0, &w2, x[7], x[7]);
790 z[14] = w2;
791 w2 = 0;
792
793 word3_muladd_2(&w2, &w1, &w0, x[0], x[15]);
794 word3_muladd_2(&w2, &w1, &w0, x[1], x[14]);
795 word3_muladd_2(&w2, &w1, &w0, x[2], x[13]);
796 word3_muladd_2(&w2, &w1, &w0, x[3], x[12]);
797 word3_muladd_2(&w2, &w1, &w0, x[4], x[11]);
798 word3_muladd_2(&w2, &w1, &w0, x[5], x[10]);
799 word3_muladd_2(&w2, &w1, &w0, x[6], x[9]);
800 word3_muladd_2(&w2, &w1, &w0, x[7], x[8]);
801 z[15] = w0;
802 w0 = 0;
803
804 word3_muladd_2(&w0, &w2, &w1, x[1], x[15]);
805 word3_muladd_2(&w0, &w2, &w1, x[2], x[14]);
806 word3_muladd_2(&w0, &w2, &w1, x[3], x[13]);
807 word3_muladd_2(&w0, &w2, &w1, x[4], x[12]);
808 word3_muladd_2(&w0, &w2, &w1, x[5], x[11]);
809 word3_muladd_2(&w0, &w2, &w1, x[6], x[10]);
810 word3_muladd_2(&w0, &w2, &w1, x[7], x[9]);
811 word3_muladd(&w0, &w2, &w1, x[8], x[8]);
812 z[16] = w1;
813 w1 = 0;
814
815 word3_muladd_2(&w1, &w0, &w2, x[2], x[15]);
816 word3_muladd_2(&w1, &w0, &w2, x[3], x[14]);
817 word3_muladd_2(&w1, &w0, &w2, x[4], x[13]);
818 word3_muladd_2(&w1, &w0, &w2, x[5], x[12]);
819 word3_muladd_2(&w1, &w0, &w2, x[6], x[11]);
820 word3_muladd_2(&w1, &w0, &w2, x[7], x[10]);
821 word3_muladd_2(&w1, &w0, &w2, x[8], x[9]);
822 z[17] = w2;
823 w2 = 0;
824
825 word3_muladd_2(&w2, &w1, &w0, x[3], x[15]);
826 word3_muladd_2(&w2, &w1, &w0, x[4], x[14]);
827 word3_muladd_2(&w2, &w1, &w0, x[5], x[13]);
828 word3_muladd_2(&w2, &w1, &w0, x[6], x[12]);
829 word3_muladd_2(&w2, &w1, &w0, x[7], x[11]);
830 word3_muladd_2(&w2, &w1, &w0, x[8], x[10]);
831 word3_muladd(&w2, &w1, &w0, x[9], x[9]);
832 z[18] = w0;
833 w0 = 0;
834
835 word3_muladd_2(&w0, &w2, &w1, x[4], x[15]);
836 word3_muladd_2(&w0, &w2, &w1, x[5], x[14]);
837 word3_muladd_2(&w0, &w2, &w1, x[6], x[13]);
838 word3_muladd_2(&w0, &w2, &w1, x[7], x[12]);
839 word3_muladd_2(&w0, &w2, &w1, x[8], x[11]);
840 word3_muladd_2(&w0, &w2, &w1, x[9], x[10]);
841 z[19] = w1;
842 w1 = 0;
843
844 word3_muladd_2(&w1, &w0, &w2, x[5], x[15]);
845 word3_muladd_2(&w1, &w0, &w2, x[6], x[14]);
846 word3_muladd_2(&w1, &w0, &w2, x[7], x[13]);
847 word3_muladd_2(&w1, &w0, &w2, x[8], x[12]);
848 word3_muladd_2(&w1, &w0, &w2, x[9], x[11]);
849 word3_muladd(&w1, &w0, &w2, x[10], x[10]);
850 z[20] = w2;
851 w2 = 0;
852
853 word3_muladd_2(&w2, &w1, &w0, x[6], x[15]);
854 word3_muladd_2(&w2, &w1, &w0, x[7], x[14]);
855 word3_muladd_2(&w2, &w1, &w0, x[8], x[13]);
856 word3_muladd_2(&w2, &w1, &w0, x[9], x[12]);
857 word3_muladd_2(&w2, &w1, &w0, x[10], x[11]);
858 z[21] = w0;
859 w0 = 0;
860
861 word3_muladd_2(&w0, &w2, &w1, x[7], x[15]);
862 word3_muladd_2(&w0, &w2, &w1, x[8], x[14]);
863 word3_muladd_2(&w0, &w2, &w1, x[9], x[13]);
864 word3_muladd_2(&w0, &w2, &w1, x[10], x[12]);
865 word3_muladd(&w0, &w2, &w1, x[11], x[11]);
866 z[22] = w1;
867 w1 = 0;
868
869 word3_muladd_2(&w1, &w0, &w2, x[8], x[15]);
870 word3_muladd_2(&w1, &w0, &w2, x[9], x[14]);
871 word3_muladd_2(&w1, &w0, &w2, x[10], x[13]);
872 word3_muladd_2(&w1, &w0, &w2, x[11], x[12]);
873 z[23] = w2;
874 w2 = 0;
875
876 word3_muladd_2(&w2, &w1, &w0, x[9], x[15]);
877 word3_muladd_2(&w2, &w1, &w0, x[10], x[14]);
878 word3_muladd_2(&w2, &w1, &w0, x[11], x[13]);
879 word3_muladd(&w2, &w1, &w0, x[12], x[12]);
880 z[24] = w0;
881 w0 = 0;
882
883 word3_muladd_2(&w0, &w2, &w1, x[10], x[15]);
884 word3_muladd_2(&w0, &w2, &w1, x[11], x[14]);
885 word3_muladd_2(&w0, &w2, &w1, x[12], x[13]);
886 z[25] = w1;
887 w1 = 0;
888
889 word3_muladd_2(&w1, &w0, &w2, x[11], x[15]);
890 word3_muladd_2(&w1, &w0, &w2, x[12], x[14]);
891 word3_muladd(&w1, &w0, &w2, x[13], x[13]);
892 z[26] = w2;
893 w2 = 0;
894
895 word3_muladd_2(&w2, &w1, &w0, x[12], x[15]);
896 word3_muladd_2(&w2, &w1, &w0, x[13], x[14]);
897 z[27] = w0;
898 w0 = 0;
899
900 word3_muladd_2(&w0, &w2, &w1, x[13], x[15]);
901 word3_muladd(&w0, &w2, &w1, x[14], x[14]);
902 z[28] = w1;
903 w1 = 0;
904
905 word3_muladd_2(&w1, &w0, &w2, x[14], x[15]);
906 z[29] = w2;
907 w2 = 0;
908
909 word3_muladd(&w2, &w1, &w0, x[15], x[15]);
910 z[30] = w0;
911 z[31] = w1;
912}
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition mp_asmi.h:603

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr24()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr24 ( word z[48],
const word x[24] )

Definition at line 1273 of file mp_comba.cpp.

1273 {
1274 word w2 = 0, w1 = 0, w0 = 0;
1275
1276 word3_muladd(&w2, &w1, &w0, x[0], x[0]);
1277 z[0] = w0;
1278 w0 = 0;
1279
1280 word3_muladd_2(&w0, &w2, &w1, x[0], x[1]);
1281 z[1] = w1;
1282 w1 = 0;
1283
1284 word3_muladd_2(&w1, &w0, &w2, x[0], x[2]);
1285 word3_muladd(&w1, &w0, &w2, x[1], x[1]);
1286 z[2] = w2;
1287 w2 = 0;
1288
1289 word3_muladd_2(&w2, &w1, &w0, x[0], x[3]);
1290 word3_muladd_2(&w2, &w1, &w0, x[1], x[2]);
1291 z[3] = w0;
1292 w0 = 0;
1293
1294 word3_muladd_2(&w0, &w2, &w1, x[0], x[4]);
1295 word3_muladd_2(&w0, &w2, &w1, x[1], x[3]);
1296 word3_muladd(&w0, &w2, &w1, x[2], x[2]);
1297 z[4] = w1;
1298 w1 = 0;
1299
1300 word3_muladd_2(&w1, &w0, &w2, x[0], x[5]);
1301 word3_muladd_2(&w1, &w0, &w2, x[1], x[4]);
1302 word3_muladd_2(&w1, &w0, &w2, x[2], x[3]);
1303 z[5] = w2;
1304 w2 = 0;
1305
1306 word3_muladd_2(&w2, &w1, &w0, x[0], x[6]);
1307 word3_muladd_2(&w2, &w1, &w0, x[1], x[5]);
1308 word3_muladd_2(&w2, &w1, &w0, x[2], x[4]);
1309 word3_muladd(&w2, &w1, &w0, x[3], x[3]);
1310 z[6] = w0;
1311 w0 = 0;
1312
1313 word3_muladd_2(&w0, &w2, &w1, x[0], x[7]);
1314 word3_muladd_2(&w0, &w2, &w1, x[1], x[6]);
1315 word3_muladd_2(&w0, &w2, &w1, x[2], x[5]);
1316 word3_muladd_2(&w0, &w2, &w1, x[3], x[4]);
1317 z[7] = w1;
1318 w1 = 0;
1319
1320 word3_muladd_2(&w1, &w0, &w2, x[0], x[8]);
1321 word3_muladd_2(&w1, &w0, &w2, x[1], x[7]);
1322 word3_muladd_2(&w1, &w0, &w2, x[2], x[6]);
1323 word3_muladd_2(&w1, &w0, &w2, x[3], x[5]);
1324 word3_muladd(&w1, &w0, &w2, x[4], x[4]);
1325 z[8] = w2;
1326 w2 = 0;
1327
1328 word3_muladd_2(&w2, &w1, &w0, x[0], x[9]);
1329 word3_muladd_2(&w2, &w1, &w0, x[1], x[8]);
1330 word3_muladd_2(&w2, &w1, &w0, x[2], x[7]);
1331 word3_muladd_2(&w2, &w1, &w0, x[3], x[6]);
1332 word3_muladd_2(&w2, &w1, &w0, x[4], x[5]);
1333 z[9] = w0;
1334 w0 = 0;
1335
1336 word3_muladd_2(&w0, &w2, &w1, x[0], x[10]);
1337 word3_muladd_2(&w0, &w2, &w1, x[1], x[9]);
1338 word3_muladd_2(&w0, &w2, &w1, x[2], x[8]);
1339 word3_muladd_2(&w0, &w2, &w1, x[3], x[7]);
1340 word3_muladd_2(&w0, &w2, &w1, x[4], x[6]);
1341 word3_muladd(&w0, &w2, &w1, x[5], x[5]);
1342 z[10] = w1;
1343 w1 = 0;
1344
1345 word3_muladd_2(&w1, &w0, &w2, x[0], x[11]);
1346 word3_muladd_2(&w1, &w0, &w2, x[1], x[10]);
1347 word3_muladd_2(&w1, &w0, &w2, x[2], x[9]);
1348 word3_muladd_2(&w1, &w0, &w2, x[3], x[8]);
1349 word3_muladd_2(&w1, &w0, &w2, x[4], x[7]);
1350 word3_muladd_2(&w1, &w0, &w2, x[5], x[6]);
1351 z[11] = w2;
1352 w2 = 0;
1353
1354 word3_muladd_2(&w2, &w1, &w0, x[0], x[12]);
1355 word3_muladd_2(&w2, &w1, &w0, x[1], x[11]);
1356 word3_muladd_2(&w2, &w1, &w0, x[2], x[10]);
1357 word3_muladd_2(&w2, &w1, &w0, x[3], x[9]);
1358 word3_muladd_2(&w2, &w1, &w0, x[4], x[8]);
1359 word3_muladd_2(&w2, &w1, &w0, x[5], x[7]);
1360 word3_muladd(&w2, &w1, &w0, x[6], x[6]);
1361 z[12] = w0;
1362 w0 = 0;
1363
1364 word3_muladd_2(&w0, &w2, &w1, x[0], x[13]);
1365 word3_muladd_2(&w0, &w2, &w1, x[1], x[12]);
1366 word3_muladd_2(&w0, &w2, &w1, x[2], x[11]);
1367 word3_muladd_2(&w0, &w2, &w1, x[3], x[10]);
1368 word3_muladd_2(&w0, &w2, &w1, x[4], x[9]);
1369 word3_muladd_2(&w0, &w2, &w1, x[5], x[8]);
1370 word3_muladd_2(&w0, &w2, &w1, x[6], x[7]);
1371 z[13] = w1;
1372 w1 = 0;
1373
1374 word3_muladd_2(&w1, &w0, &w2, x[0], x[14]);
1375 word3_muladd_2(&w1, &w0, &w2, x[1], x[13]);
1376 word3_muladd_2(&w1, &w0, &w2, x[2], x[12]);
1377 word3_muladd_2(&w1, &w0, &w2, x[3], x[11]);
1378 word3_muladd_2(&w1, &w0, &w2, x[4], x[10]);
1379 word3_muladd_2(&w1, &w0, &w2, x[5], x[9]);
1380 word3_muladd_2(&w1, &w0, &w2, x[6], x[8]);
1381 word3_muladd(&w1, &w0, &w2, x[7], x[7]);
1382 z[14] = w2;
1383 w2 = 0;
1384
1385 word3_muladd_2(&w2, &w1, &w0, x[0], x[15]);
1386 word3_muladd_2(&w2, &w1, &w0, x[1], x[14]);
1387 word3_muladd_2(&w2, &w1, &w0, x[2], x[13]);
1388 word3_muladd_2(&w2, &w1, &w0, x[3], x[12]);
1389 word3_muladd_2(&w2, &w1, &w0, x[4], x[11]);
1390 word3_muladd_2(&w2, &w1, &w0, x[5], x[10]);
1391 word3_muladd_2(&w2, &w1, &w0, x[6], x[9]);
1392 word3_muladd_2(&w2, &w1, &w0, x[7], x[8]);
1393 z[15] = w0;
1394 w0 = 0;
1395
1396 word3_muladd_2(&w0, &w2, &w1, x[0], x[16]);
1397 word3_muladd_2(&w0, &w2, &w1, x[1], x[15]);
1398 word3_muladd_2(&w0, &w2, &w1, x[2], x[14]);
1399 word3_muladd_2(&w0, &w2, &w1, x[3], x[13]);
1400 word3_muladd_2(&w0, &w2, &w1, x[4], x[12]);
1401 word3_muladd_2(&w0, &w2, &w1, x[5], x[11]);
1402 word3_muladd_2(&w0, &w2, &w1, x[6], x[10]);
1403 word3_muladd_2(&w0, &w2, &w1, x[7], x[9]);
1404 word3_muladd(&w0, &w2, &w1, x[8], x[8]);
1405 z[16] = w1;
1406 w1 = 0;
1407
1408 word3_muladd_2(&w1, &w0, &w2, x[0], x[17]);
1409 word3_muladd_2(&w1, &w0, &w2, x[1], x[16]);
1410 word3_muladd_2(&w1, &w0, &w2, x[2], x[15]);
1411 word3_muladd_2(&w1, &w0, &w2, x[3], x[14]);
1412 word3_muladd_2(&w1, &w0, &w2, x[4], x[13]);
1413 word3_muladd_2(&w1, &w0, &w2, x[5], x[12]);
1414 word3_muladd_2(&w1, &w0, &w2, x[6], x[11]);
1415 word3_muladd_2(&w1, &w0, &w2, x[7], x[10]);
1416 word3_muladd_2(&w1, &w0, &w2, x[8], x[9]);
1417 z[17] = w2;
1418 w2 = 0;
1419
1420 word3_muladd_2(&w2, &w1, &w0, x[0], x[18]);
1421 word3_muladd_2(&w2, &w1, &w0, x[1], x[17]);
1422 word3_muladd_2(&w2, &w1, &w0, x[2], x[16]);
1423 word3_muladd_2(&w2, &w1, &w0, x[3], x[15]);
1424 word3_muladd_2(&w2, &w1, &w0, x[4], x[14]);
1425 word3_muladd_2(&w2, &w1, &w0, x[5], x[13]);
1426 word3_muladd_2(&w2, &w1, &w0, x[6], x[12]);
1427 word3_muladd_2(&w2, &w1, &w0, x[7], x[11]);
1428 word3_muladd_2(&w2, &w1, &w0, x[8], x[10]);
1429 word3_muladd(&w2, &w1, &w0, x[9], x[9]);
1430 z[18] = w0;
1431 w0 = 0;
1432
1433 word3_muladd_2(&w0, &w2, &w1, x[0], x[19]);
1434 word3_muladd_2(&w0, &w2, &w1, x[1], x[18]);
1435 word3_muladd_2(&w0, &w2, &w1, x[2], x[17]);
1436 word3_muladd_2(&w0, &w2, &w1, x[3], x[16]);
1437 word3_muladd_2(&w0, &w2, &w1, x[4], x[15]);
1438 word3_muladd_2(&w0, &w2, &w1, x[5], x[14]);
1439 word3_muladd_2(&w0, &w2, &w1, x[6], x[13]);
1440 word3_muladd_2(&w0, &w2, &w1, x[7], x[12]);
1441 word3_muladd_2(&w0, &w2, &w1, x[8], x[11]);
1442 word3_muladd_2(&w0, &w2, &w1, x[9], x[10]);
1443 z[19] = w1;
1444 w1 = 0;
1445
1446 word3_muladd_2(&w1, &w0, &w2, x[0], x[20]);
1447 word3_muladd_2(&w1, &w0, &w2, x[1], x[19]);
1448 word3_muladd_2(&w1, &w0, &w2, x[2], x[18]);
1449 word3_muladd_2(&w1, &w0, &w2, x[3], x[17]);
1450 word3_muladd_2(&w1, &w0, &w2, x[4], x[16]);
1451 word3_muladd_2(&w1, &w0, &w2, x[5], x[15]);
1452 word3_muladd_2(&w1, &w0, &w2, x[6], x[14]);
1453 word3_muladd_2(&w1, &w0, &w2, x[7], x[13]);
1454 word3_muladd_2(&w1, &w0, &w2, x[8], x[12]);
1455 word3_muladd_2(&w1, &w0, &w2, x[9], x[11]);
1456 word3_muladd(&w1, &w0, &w2, x[10], x[10]);
1457 z[20] = w2;
1458 w2 = 0;
1459
1460 word3_muladd_2(&w2, &w1, &w0, x[0], x[21]);
1461 word3_muladd_2(&w2, &w1, &w0, x[1], x[20]);
1462 word3_muladd_2(&w2, &w1, &w0, x[2], x[19]);
1463 word3_muladd_2(&w2, &w1, &w0, x[3], x[18]);
1464 word3_muladd_2(&w2, &w1, &w0, x[4], x[17]);
1465 word3_muladd_2(&w2, &w1, &w0, x[5], x[16]);
1466 word3_muladd_2(&w2, &w1, &w0, x[6], x[15]);
1467 word3_muladd_2(&w2, &w1, &w0, x[7], x[14]);
1468 word3_muladd_2(&w2, &w1, &w0, x[8], x[13]);
1469 word3_muladd_2(&w2, &w1, &w0, x[9], x[12]);
1470 word3_muladd_2(&w2, &w1, &w0, x[10], x[11]);
1471 z[21] = w0;
1472 w0 = 0;
1473
1474 word3_muladd_2(&w0, &w2, &w1, x[0], x[22]);
1475 word3_muladd_2(&w0, &w2, &w1, x[1], x[21]);
1476 word3_muladd_2(&w0, &w2, &w1, x[2], x[20]);
1477 word3_muladd_2(&w0, &w2, &w1, x[3], x[19]);
1478 word3_muladd_2(&w0, &w2, &w1, x[4], x[18]);
1479 word3_muladd_2(&w0, &w2, &w1, x[5], x[17]);
1480 word3_muladd_2(&w0, &w2, &w1, x[6], x[16]);
1481 word3_muladd_2(&w0, &w2, &w1, x[7], x[15]);
1482 word3_muladd_2(&w0, &w2, &w1, x[8], x[14]);
1483 word3_muladd_2(&w0, &w2, &w1, x[9], x[13]);
1484 word3_muladd_2(&w0, &w2, &w1, x[10], x[12]);
1485 word3_muladd(&w0, &w2, &w1, x[11], x[11]);
1486 z[22] = w1;
1487 w1 = 0;
1488
1489 word3_muladd_2(&w1, &w0, &w2, x[0], x[23]);
1490 word3_muladd_2(&w1, &w0, &w2, x[1], x[22]);
1491 word3_muladd_2(&w1, &w0, &w2, x[2], x[21]);
1492 word3_muladd_2(&w1, &w0, &w2, x[3], x[20]);
1493 word3_muladd_2(&w1, &w0, &w2, x[4], x[19]);
1494 word3_muladd_2(&w1, &w0, &w2, x[5], x[18]);
1495 word3_muladd_2(&w1, &w0, &w2, x[6], x[17]);
1496 word3_muladd_2(&w1, &w0, &w2, x[7], x[16]);
1497 word3_muladd_2(&w1, &w0, &w2, x[8], x[15]);
1498 word3_muladd_2(&w1, &w0, &w2, x[9], x[14]);
1499 word3_muladd_2(&w1, &w0, &w2, x[10], x[13]);
1500 word3_muladd_2(&w1, &w0, &w2, x[11], x[12]);
1501 z[23] = w2;
1502 w2 = 0;
1503
1504 word3_muladd_2(&w2, &w1, &w0, x[1], x[23]);
1505 word3_muladd_2(&w2, &w1, &w0, x[2], x[22]);
1506 word3_muladd_2(&w2, &w1, &w0, x[3], x[21]);
1507 word3_muladd_2(&w2, &w1, &w0, x[4], x[20]);
1508 word3_muladd_2(&w2, &w1, &w0, x[5], x[19]);
1509 word3_muladd_2(&w2, &w1, &w0, x[6], x[18]);
1510 word3_muladd_2(&w2, &w1, &w0, x[7], x[17]);
1511 word3_muladd_2(&w2, &w1, &w0, x[8], x[16]);
1512 word3_muladd_2(&w2, &w1, &w0, x[9], x[15]);
1513 word3_muladd_2(&w2, &w1, &w0, x[10], x[14]);
1514 word3_muladd_2(&w2, &w1, &w0, x[11], x[13]);
1515 word3_muladd(&w2, &w1, &w0, x[12], x[12]);
1516 z[24] = w0;
1517 w0 = 0;
1518
1519 word3_muladd_2(&w0, &w2, &w1, x[2], x[23]);
1520 word3_muladd_2(&w0, &w2, &w1, x[3], x[22]);
1521 word3_muladd_2(&w0, &w2, &w1, x[4], x[21]);
1522 word3_muladd_2(&w0, &w2, &w1, x[5], x[20]);
1523 word3_muladd_2(&w0, &w2, &w1, x[6], x[19]);
1524 word3_muladd_2(&w0, &w2, &w1, x[7], x[18]);
1525 word3_muladd_2(&w0, &w2, &w1, x[8], x[17]);
1526 word3_muladd_2(&w0, &w2, &w1, x[9], x[16]);
1527 word3_muladd_2(&w0, &w2, &w1, x[10], x[15]);
1528 word3_muladd_2(&w0, &w2, &w1, x[11], x[14]);
1529 word3_muladd_2(&w0, &w2, &w1, x[12], x[13]);
1530 z[25] = w1;
1531 w1 = 0;
1532
1533 word3_muladd_2(&w1, &w0, &w2, x[3], x[23]);
1534 word3_muladd_2(&w1, &w0, &w2, x[4], x[22]);
1535 word3_muladd_2(&w1, &w0, &w2, x[5], x[21]);
1536 word3_muladd_2(&w1, &w0, &w2, x[6], x[20]);
1537 word3_muladd_2(&w1, &w0, &w2, x[7], x[19]);
1538 word3_muladd_2(&w1, &w0, &w2, x[8], x[18]);
1539 word3_muladd_2(&w1, &w0, &w2, x[9], x[17]);
1540 word3_muladd_2(&w1, &w0, &w2, x[10], x[16]);
1541 word3_muladd_2(&w1, &w0, &w2, x[11], x[15]);
1542 word3_muladd_2(&w1, &w0, &w2, x[12], x[14]);
1543 word3_muladd(&w1, &w0, &w2, x[13], x[13]);
1544 z[26] = w2;
1545 w2 = 0;
1546
1547 word3_muladd_2(&w2, &w1, &w0, x[4], x[23]);
1548 word3_muladd_2(&w2, &w1, &w0, x[5], x[22]);
1549 word3_muladd_2(&w2, &w1, &w0, x[6], x[21]);
1550 word3_muladd_2(&w2, &w1, &w0, x[7], x[20]);
1551 word3_muladd_2(&w2, &w1, &w0, x[8], x[19]);
1552 word3_muladd_2(&w2, &w1, &w0, x[9], x[18]);
1553 word3_muladd_2(&w2, &w1, &w0, x[10], x[17]);
1554 word3_muladd_2(&w2, &w1, &w0, x[11], x[16]);
1555 word3_muladd_2(&w2, &w1, &w0, x[12], x[15]);
1556 word3_muladd_2(&w2, &w1, &w0, x[13], x[14]);
1557 z[27] = w0;
1558 w0 = 0;
1559
1560 word3_muladd_2(&w0, &w2, &w1, x[5], x[23]);
1561 word3_muladd_2(&w0, &w2, &w1, x[6], x[22]);
1562 word3_muladd_2(&w0, &w2, &w1, x[7], x[21]);
1563 word3_muladd_2(&w0, &w2, &w1, x[8], x[20]);
1564 word3_muladd_2(&w0, &w2, &w1, x[9], x[19]);
1565 word3_muladd_2(&w0, &w2, &w1, x[10], x[18]);
1566 word3_muladd_2(&w0, &w2, &w1, x[11], x[17]);
1567 word3_muladd_2(&w0, &w2, &w1, x[12], x[16]);
1568 word3_muladd_2(&w0, &w2, &w1, x[13], x[15]);
1569 word3_muladd(&w0, &w2, &w1, x[14], x[14]);
1570 z[28] = w1;
1571 w1 = 0;
1572
1573 word3_muladd_2(&w1, &w0, &w2, x[6], x[23]);
1574 word3_muladd_2(&w1, &w0, &w2, x[7], x[22]);
1575 word3_muladd_2(&w1, &w0, &w2, x[8], x[21]);
1576 word3_muladd_2(&w1, &w0, &w2, x[9], x[20]);
1577 word3_muladd_2(&w1, &w0, &w2, x[10], x[19]);
1578 word3_muladd_2(&w1, &w0, &w2, x[11], x[18]);
1579 word3_muladd_2(&w1, &w0, &w2, x[12], x[17]);
1580 word3_muladd_2(&w1, &w0, &w2, x[13], x[16]);
1581 word3_muladd_2(&w1, &w0, &w2, x[14], x[15]);
1582 z[29] = w2;
1583 w2 = 0;
1584
1585 word3_muladd_2(&w2, &w1, &w0, x[7], x[23]);
1586 word3_muladd_2(&w2, &w1, &w0, x[8], x[22]);
1587 word3_muladd_2(&w2, &w1, &w0, x[9], x[21]);
1588 word3_muladd_2(&w2, &w1, &w0, x[10], x[20]);
1589 word3_muladd_2(&w2, &w1, &w0, x[11], x[19]);
1590 word3_muladd_2(&w2, &w1, &w0, x[12], x[18]);
1591 word3_muladd_2(&w2, &w1, &w0, x[13], x[17]);
1592 word3_muladd_2(&w2, &w1, &w0, x[14], x[16]);
1593 word3_muladd(&w2, &w1, &w0, x[15], x[15]);
1594 z[30] = w0;
1595 w0 = 0;
1596
1597 word3_muladd_2(&w0, &w2, &w1, x[8], x[23]);
1598 word3_muladd_2(&w0, &w2, &w1, x[9], x[22]);
1599 word3_muladd_2(&w0, &w2, &w1, x[10], x[21]);
1600 word3_muladd_2(&w0, &w2, &w1, x[11], x[20]);
1601 word3_muladd_2(&w0, &w2, &w1, x[12], x[19]);
1602 word3_muladd_2(&w0, &w2, &w1, x[13], x[18]);
1603 word3_muladd_2(&w0, &w2, &w1, x[14], x[17]);
1604 word3_muladd_2(&w0, &w2, &w1, x[15], x[16]);
1605 z[31] = w1;
1606 w1 = 0;
1607
1608 word3_muladd_2(&w1, &w0, &w2, x[9], x[23]);
1609 word3_muladd_2(&w1, &w0, &w2, x[10], x[22]);
1610 word3_muladd_2(&w1, &w0, &w2, x[11], x[21]);
1611 word3_muladd_2(&w1, &w0, &w2, x[12], x[20]);
1612 word3_muladd_2(&w1, &w0, &w2, x[13], x[19]);
1613 word3_muladd_2(&w1, &w0, &w2, x[14], x[18]);
1614 word3_muladd_2(&w1, &w0, &w2, x[15], x[17]);
1615 word3_muladd(&w1, &w0, &w2, x[16], x[16]);
1616 z[32] = w2;
1617 w2 = 0;
1618
1619 word3_muladd_2(&w2, &w1, &w0, x[10], x[23]);
1620 word3_muladd_2(&w2, &w1, &w0, x[11], x[22]);
1621 word3_muladd_2(&w2, &w1, &w0, x[12], x[21]);
1622 word3_muladd_2(&w2, &w1, &w0, x[13], x[20]);
1623 word3_muladd_2(&w2, &w1, &w0, x[14], x[19]);
1624 word3_muladd_2(&w2, &w1, &w0, x[15], x[18]);
1625 word3_muladd_2(&w2, &w1, &w0, x[16], x[17]);
1626 z[33] = w0;
1627 w0 = 0;
1628
1629 word3_muladd_2(&w0, &w2, &w1, x[11], x[23]);
1630 word3_muladd_2(&w0, &w2, &w1, x[12], x[22]);
1631 word3_muladd_2(&w0, &w2, &w1, x[13], x[21]);
1632 word3_muladd_2(&w0, &w2, &w1, x[14], x[20]);
1633 word3_muladd_2(&w0, &w2, &w1, x[15], x[19]);
1634 word3_muladd_2(&w0, &w2, &w1, x[16], x[18]);
1635 word3_muladd(&w0, &w2, &w1, x[17], x[17]);
1636 z[34] = w1;
1637 w1 = 0;
1638
1639 word3_muladd_2(&w1, &w0, &w2, x[12], x[23]);
1640 word3_muladd_2(&w1, &w0, &w2, x[13], x[22]);
1641 word3_muladd_2(&w1, &w0, &w2, x[14], x[21]);
1642 word3_muladd_2(&w1, &w0, &w2, x[15], x[20]);
1643 word3_muladd_2(&w1, &w0, &w2, x[16], x[19]);
1644 word3_muladd_2(&w1, &w0, &w2, x[17], x[18]);
1645 z[35] = w2;
1646 w2 = 0;
1647
1648 word3_muladd_2(&w2, &w1, &w0, x[13], x[23]);
1649 word3_muladd_2(&w2, &w1, &w0, x[14], x[22]);
1650 word3_muladd_2(&w2, &w1, &w0, x[15], x[21]);
1651 word3_muladd_2(&w2, &w1, &w0, x[16], x[20]);
1652 word3_muladd_2(&w2, &w1, &w0, x[17], x[19]);
1653 word3_muladd(&w2, &w1, &w0, x[18], x[18]);
1654 z[36] = w0;
1655 w0 = 0;
1656
1657 word3_muladd_2(&w0, &w2, &w1, x[14], x[23]);
1658 word3_muladd_2(&w0, &w2, &w1, x[15], x[22]);
1659 word3_muladd_2(&w0, &w2, &w1, x[16], x[21]);
1660 word3_muladd_2(&w0, &w2, &w1, x[17], x[20]);
1661 word3_muladd_2(&w0, &w2, &w1, x[18], x[19]);
1662 z[37] = w1;
1663 w1 = 0;
1664
1665 word3_muladd_2(&w1, &w0, &w2, x[15], x[23]);
1666 word3_muladd_2(&w1, &w0, &w2, x[16], x[22]);
1667 word3_muladd_2(&w1, &w0, &w2, x[17], x[21]);
1668 word3_muladd_2(&w1, &w0, &w2, x[18], x[20]);
1669 word3_muladd(&w1, &w0, &w2, x[19], x[19]);
1670 z[38] = w2;
1671 w2 = 0;
1672
1673 word3_muladd_2(&w2, &w1, &w0, x[16], x[23]);
1674 word3_muladd_2(&w2, &w1, &w0, x[17], x[22]);
1675 word3_muladd_2(&w2, &w1, &w0, x[18], x[21]);
1676 word3_muladd_2(&w2, &w1, &w0, x[19], x[20]);
1677 z[39] = w0;
1678 w0 = 0;
1679
1680 word3_muladd_2(&w0, &w2, &w1, x[17], x[23]);
1681 word3_muladd_2(&w0, &w2, &w1, x[18], x[22]);
1682 word3_muladd_2(&w0, &w2, &w1, x[19], x[21]);
1683 word3_muladd(&w0, &w2, &w1, x[20], x[20]);
1684 z[40] = w1;
1685 w1 = 0;
1686
1687 word3_muladd_2(&w1, &w0, &w2, x[18], x[23]);
1688 word3_muladd_2(&w1, &w0, &w2, x[19], x[22]);
1689 word3_muladd_2(&w1, &w0, &w2, x[20], x[21]);
1690 z[41] = w2;
1691 w2 = 0;
1692
1693 word3_muladd_2(&w2, &w1, &w0, x[19], x[23]);
1694 word3_muladd_2(&w2, &w1, &w0, x[20], x[22]);
1695 word3_muladd(&w2, &w1, &w0, x[21], x[21]);
1696 z[42] = w0;
1697 w0 = 0;
1698
1699 word3_muladd_2(&w0, &w2, &w1, x[20], x[23]);
1700 word3_muladd_2(&w0, &w2, &w1, x[21], x[22]);
1701 z[43] = w1;
1702 w1 = 0;
1703
1704 word3_muladd_2(&w1, &w0, &w2, x[21], x[23]);
1705 word3_muladd(&w1, &w0, &w2, x[22], x[22]);
1706 z[44] = w2;
1707 w2 = 0;
1708
1709 word3_muladd_2(&w2, &w1, &w0, x[22], x[23]);
1710 z[45] = w0;
1711 w0 = 0;
1712
1713 word3_muladd(&w0, &w2, &w1, x[23], x[23]);
1714 z[46] = w1;
1715 z[47] = w2;
1716}

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr4()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr4 ( word z[8],
const word x[4] )

Definition at line 16 of file mp_comba.cpp.

16 {
17 word w2 = 0, w1 = 0, w0 = 0;
18
19 word3_muladd(&w2, &w1, &w0, x[0], x[0]);
20 z[0] = w0;
21 w0 = 0;
22
23 word3_muladd_2(&w0, &w2, &w1, x[0], x[1]);
24 z[1] = w1;
25 w1 = 0;
26
27 word3_muladd_2(&w1, &w0, &w2, x[0], x[2]);
28 word3_muladd(&w1, &w0, &w2, x[1], x[1]);
29 z[2] = w2;
30 w2 = 0;
31
32 word3_muladd_2(&w2, &w1, &w0, x[0], x[3]);
33 word3_muladd_2(&w2, &w1, &w0, x[1], x[2]);
34 z[3] = w0;
35 w0 = 0;
36
37 word3_muladd_2(&w0, &w2, &w1, x[1], x[3]);
38 word3_muladd(&w0, &w2, &w1, x[2], x[2]);
39 z[4] = w1;
40 w1 = 0;
41
42 word3_muladd_2(&w1, &w0, &w2, x[2], x[3]);
43 z[5] = w2;
44 w2 = 0;
45
46 word3_muladd(&w2, &w1, &w0, x[3], x[3]);
47 z[6] = w0;
48 z[7] = w1;
49}

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr6()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr6 ( word z[12],
const word x[6] )

Definition at line 98 of file mp_comba.cpp.

98 {
99 word w2 = 0, w1 = 0, w0 = 0;
100
101 word3_muladd(&w2, &w1, &w0, x[0], x[0]);
102 z[0] = w0;
103 w0 = 0;
104
105 word3_muladd_2(&w0, &w2, &w1, x[0], x[1]);
106 z[1] = w1;
107 w1 = 0;
108
109 word3_muladd_2(&w1, &w0, &w2, x[0], x[2]);
110 word3_muladd(&w1, &w0, &w2, x[1], x[1]);
111 z[2] = w2;
112 w2 = 0;
113
114 word3_muladd_2(&w2, &w1, &w0, x[0], x[3]);
115 word3_muladd_2(&w2, &w1, &w0, x[1], x[2]);
116 z[3] = w0;
117 w0 = 0;
118
119 word3_muladd_2(&w0, &w2, &w1, x[0], x[4]);
120 word3_muladd_2(&w0, &w2, &w1, x[1], x[3]);
121 word3_muladd(&w0, &w2, &w1, x[2], x[2]);
122 z[4] = w1;
123 w1 = 0;
124
125 word3_muladd_2(&w1, &w0, &w2, x[0], x[5]);
126 word3_muladd_2(&w1, &w0, &w2, x[1], x[4]);
127 word3_muladd_2(&w1, &w0, &w2, x[2], x[3]);
128 z[5] = w2;
129 w2 = 0;
130
131 word3_muladd_2(&w2, &w1, &w0, x[1], x[5]);
132 word3_muladd_2(&w2, &w1, &w0, x[2], x[4]);
133 word3_muladd(&w2, &w1, &w0, x[3], x[3]);
134 z[6] = w0;
135 w0 = 0;
136
137 word3_muladd_2(&w0, &w2, &w1, x[2], x[5]);
138 word3_muladd_2(&w0, &w2, &w1, x[3], x[4]);
139 z[7] = w1;
140 w1 = 0;
141
142 word3_muladd_2(&w1, &w0, &w2, x[3], x[5]);
143 word3_muladd(&w1, &w0, &w2, x[4], x[4]);
144 z[8] = w2;
145 w2 = 0;
146
147 word3_muladd_2(&w2, &w1, &w0, x[4], x[5]);
148 z[9] = w0;
149 w0 = 0;
150
151 word3_muladd(&w0, &w2, &w1, x[5], x[5]);
152 z[10] = w1;
153 z[11] = w2;
154}

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr8()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr8 ( word z[16],
const word x[8] )

Definition at line 235 of file mp_comba.cpp.

235 {
236 word w2 = 0, w1 = 0, w0 = 0;
237
238 word3_muladd(&w2, &w1, &w0, x[0], x[0]);
239 z[0] = w0;
240 w0 = 0;
241
242 word3_muladd_2(&w0, &w2, &w1, x[0], x[1]);
243 z[1] = w1;
244 w1 = 0;
245
246 word3_muladd_2(&w1, &w0, &w2, x[0], x[2]);
247 word3_muladd(&w1, &w0, &w2, x[1], x[1]);
248 z[2] = w2;
249 w2 = 0;
250
251 word3_muladd_2(&w2, &w1, &w0, x[0], x[3]);
252 word3_muladd_2(&w2, &w1, &w0, x[1], x[2]);
253 z[3] = w0;
254 w0 = 0;
255
256 word3_muladd_2(&w0, &w2, &w1, x[0], x[4]);
257 word3_muladd_2(&w0, &w2, &w1, x[1], x[3]);
258 word3_muladd(&w0, &w2, &w1, x[2], x[2]);
259 z[4] = w1;
260 w1 = 0;
261
262 word3_muladd_2(&w1, &w0, &w2, x[0], x[5]);
263 word3_muladd_2(&w1, &w0, &w2, x[1], x[4]);
264 word3_muladd_2(&w1, &w0, &w2, x[2], x[3]);
265 z[5] = w2;
266 w2 = 0;
267
268 word3_muladd_2(&w2, &w1, &w0, x[0], x[6]);
269 word3_muladd_2(&w2, &w1, &w0, x[1], x[5]);
270 word3_muladd_2(&w2, &w1, &w0, x[2], x[4]);
271 word3_muladd(&w2, &w1, &w0, x[3], x[3]);
272 z[6] = w0;
273 w0 = 0;
274
275 word3_muladd_2(&w0, &w2, &w1, x[0], x[7]);
276 word3_muladd_2(&w0, &w2, &w1, x[1], x[6]);
277 word3_muladd_2(&w0, &w2, &w1, x[2], x[5]);
278 word3_muladd_2(&w0, &w2, &w1, x[3], x[4]);
279 z[7] = w1;
280 w1 = 0;
281
282 word3_muladd_2(&w1, &w0, &w2, x[1], x[7]);
283 word3_muladd_2(&w1, &w0, &w2, x[2], x[6]);
284 word3_muladd_2(&w1, &w0, &w2, x[3], x[5]);
285 word3_muladd(&w1, &w0, &w2, x[4], x[4]);
286 z[8] = w2;
287 w2 = 0;
288
289 word3_muladd_2(&w2, &w1, &w0, x[2], x[7]);
290 word3_muladd_2(&w2, &w1, &w0, x[3], x[6]);
291 word3_muladd_2(&w2, &w1, &w0, x[4], x[5]);
292 z[9] = w0;
293 w0 = 0;
294
295 word3_muladd_2(&w0, &w2, &w1, x[3], x[7]);
296 word3_muladd_2(&w0, &w2, &w1, x[4], x[6]);
297 word3_muladd(&w0, &w2, &w1, x[5], x[5]);
298 z[10] = w1;
299 w1 = 0;
300
301 word3_muladd_2(&w1, &w0, &w2, x[4], x[7]);
302 word3_muladd_2(&w1, &w0, &w2, x[5], x[6]);
303 z[11] = w2;
304 w2 = 0;
305
306 word3_muladd_2(&w2, &w1, &w0, x[5], x[7]);
307 word3_muladd(&w2, &w1, &w0, x[6], x[6]);
308 z[12] = w0;
309 w0 = 0;
310
311 word3_muladd_2(&w0, &w2, &w1, x[6], x[7]);
312 z[13] = w1;
313 w1 = 0;
314
315 word3_muladd(&w1, &w0, &w2, x[7], x[7]);
316 z[14] = w2;
317 z[15] = w0;
318}

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr9()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr9 ( word z[18],
const word x[9] )

Definition at line 439 of file mp_comba.cpp.

439 {
440 word w2 = 0, w1 = 0, w0 = 0;
441
442 word3_muladd(&w2, &w1, &w0, x[0], x[0]);
443 z[0] = w0;
444 w0 = 0;
445
446 word3_muladd_2(&w0, &w2, &w1, x[0], x[1]);
447 z[1] = w1;
448 w1 = 0;
449
450 word3_muladd_2(&w1, &w0, &w2, x[0], x[2]);
451 word3_muladd(&w1, &w0, &w2, x[1], x[1]);
452 z[2] = w2;
453 w2 = 0;
454
455 word3_muladd_2(&w2, &w1, &w0, x[0], x[3]);
456 word3_muladd_2(&w2, &w1, &w0, x[1], x[2]);
457 z[3] = w0;
458 w0 = 0;
459
460 word3_muladd_2(&w0, &w2, &w1, x[0], x[4]);
461 word3_muladd_2(&w0, &w2, &w1, x[1], x[3]);
462 word3_muladd(&w0, &w2, &w1, x[2], x[2]);
463 z[4] = w1;
464 w1 = 0;
465
466 word3_muladd_2(&w1, &w0, &w2, x[0], x[5]);
467 word3_muladd_2(&w1, &w0, &w2, x[1], x[4]);
468 word3_muladd_2(&w1, &w0, &w2, x[2], x[3]);
469 z[5] = w2;
470 w2 = 0;
471
472 word3_muladd_2(&w2, &w1, &w0, x[0], x[6]);
473 word3_muladd_2(&w2, &w1, &w0, x[1], x[5]);
474 word3_muladd_2(&w2, &w1, &w0, x[2], x[4]);
475 word3_muladd(&w2, &w1, &w0, x[3], x[3]);
476 z[6] = w0;
477 w0 = 0;
478
479 word3_muladd_2(&w0, &w2, &w1, x[0], x[7]);
480 word3_muladd_2(&w0, &w2, &w1, x[1], x[6]);
481 word3_muladd_2(&w0, &w2, &w1, x[2], x[5]);
482 word3_muladd_2(&w0, &w2, &w1, x[3], x[4]);
483 z[7] = w1;
484 w1 = 0;
485
486 word3_muladd_2(&w1, &w0, &w2, x[0], x[8]);
487 word3_muladd_2(&w1, &w0, &w2, x[1], x[7]);
488 word3_muladd_2(&w1, &w0, &w2, x[2], x[6]);
489 word3_muladd_2(&w1, &w0, &w2, x[3], x[5]);
490 word3_muladd(&w1, &w0, &w2, x[4], x[4]);
491 z[8] = w2;
492 w2 = 0;
493
494 word3_muladd_2(&w2, &w1, &w0, x[1], x[8]);
495 word3_muladd_2(&w2, &w1, &w0, x[2], x[7]);
496 word3_muladd_2(&w2, &w1, &w0, x[3], x[6]);
497 word3_muladd_2(&w2, &w1, &w0, x[4], x[5]);
498 z[9] = w0;
499 w0 = 0;
500
501 word3_muladd_2(&w0, &w2, &w1, x[2], x[8]);
502 word3_muladd_2(&w0, &w2, &w1, x[3], x[7]);
503 word3_muladd_2(&w0, &w2, &w1, x[4], x[6]);
504 word3_muladd(&w0, &w2, &w1, x[5], x[5]);
505 z[10] = w1;
506 w1 = 0;
507
508 word3_muladd_2(&w1, &w0, &w2, x[3], x[8]);
509 word3_muladd_2(&w1, &w0, &w2, x[4], x[7]);
510 word3_muladd_2(&w1, &w0, &w2, x[5], x[6]);
511 z[11] = w2;
512 w2 = 0;
513
514 word3_muladd_2(&w2, &w1, &w0, x[4], x[8]);
515 word3_muladd_2(&w2, &w1, &w0, x[5], x[7]);
516 word3_muladd(&w2, &w1, &w0, x[6], x[6]);
517 z[12] = w0;
518 w0 = 0;
519
520 word3_muladd_2(&w0, &w2, &w1, x[5], x[8]);
521 word3_muladd_2(&w0, &w2, &w1, x[6], x[7]);
522 z[13] = w1;
523 w1 = 0;
524
525 word3_muladd_2(&w1, &w0, &w2, x[6], x[8]);
526 word3_muladd(&w1, &w0, &w2, x[7], x[7]);
527 z[14] = w2;
528 w2 = 0;
529
530 word3_muladd_2(&w2, &w1, &w0, x[7], x[8]);
531 z[15] = w0;
532 w0 = 0;
533
534 word3_muladd(&w0, &w2, &w1, x[8], x[8]);
535 z[16] = w1;
536 z[17] = w2;
537}

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

◆ bigint_ct_is_eq()

CT::Mask< word > Botan::bigint_ct_is_eq ( const word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Definition at line 568 of file mp_core.h.

568 {
569 const size_t common_elems = std::min(x_size, y_size);
570
571 word diff = 0;
572
573 for(size_t i = 0; i != common_elems; i++) {
574 diff |= (x[i] ^ y[i]);
575 }
576
577 // If any bits were set in high part of x/y, then they are not equal
578 if(x_size < y_size) {
579 for(size_t i = x_size; i != y_size; i++) {
580 diff |= y[i];
581 }
582 } else if(y_size < x_size) {
583 for(size_t i = y_size; i != x_size; i++) {
584 diff |= x[i];
585 }
586 }
587
588 return CT::Mask<word>::is_zero(diff);
589}

References Botan::CT::Mask< T >::is_zero().

Referenced by Botan::BigInt::is_equal().

◆ bigint_ct_is_lt()

CT::Mask< word > Botan::bigint_ct_is_lt ( const word x[],
size_t x_size,
const word y[],
size_t y_size,
bool lt_or_equal = false )
inline

Compare x and y Return ~0 if x[0:x_size] < y[0:y_size] or 0 otherwise If lt_or_equal is true, returns ~0 also for x == y

Definition at line 536 of file mp_core.h.

537 {
538 const size_t common_elems = std::min(x_size, y_size);
539
540 auto is_lt = CT::Mask<word>::expand(lt_or_equal);
541
542 for(size_t i = 0; i != common_elems; i++) {
543 const auto eq = CT::Mask<word>::is_equal(x[i], y[i]);
544 const auto lt = CT::Mask<word>::is_lt(x[i], y[i]);
545 is_lt = eq.select_mask(is_lt, lt);
546 }
547
548 if(x_size < y_size) {
549 word mask = 0;
550 for(size_t i = x_size; i != y_size; i++) {
551 mask |= y[i];
552 }
553 // If any bits were set in high part of y, then is_lt should be forced true
554 is_lt |= CT::Mask<word>::expand(mask);
555 } else if(y_size < x_size) {
556 word mask = 0;
557 for(size_t i = y_size; i != x_size; i++) {
558 mask |= x[i];
559 }
560
561 // If any bits were set in high part of x, then is_lt should be false
562 is_lt &= CT::Mask<word>::is_zero(mask);
563 }
564
565 return is_lt;
566}

References Botan::CT::Mask< T >::expand(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_zero().

Referenced by bigint_mod_sub(), bigint_mod_sub_n(), and Botan::BigInt::is_less_than().

◆ bigint_divop_vartime()

word Botan::bigint_divop_vartime ( word n1,
word n0,
word d )
inline

Compute ((n1<<bits) + n0) / d

Definition at line 665 of file mp_core.h.

665 {
666 if(d == 0) {
667 throw Invalid_Argument("bigint_divop_vartime divide by zero");
668 }
669
670#if defined(BOTAN_MP_DWORD)
671 return static_cast<word>(((static_cast<BOTAN_MP_DWORD>(n1) << BOTAN_MP_WORD_BITS) | n0) / d);
672#else
673
674 word high = n1 % d;
675 word quotient = 0;
676
677 for(size_t i = 0; i != BOTAN_MP_WORD_BITS; ++i) {
678 const word high_top_bit = high >> (BOTAN_MP_WORD_BITS - 1);
679
680 high <<= 1;
681 high |= (n0 >> (BOTAN_MP_WORD_BITS - 1 - i)) & 1;
682 quotient <<= 1;
683
684 if(high_top_bit || high >= d) {
685 high -= d;
686 quotient |= 1;
687 }
688 }
689
690 return quotient;
691#endif
692}
#define BOTAN_MP_WORD_BITS
Definition build.h:50

References BOTAN_MP_WORD_BITS.

Referenced by bigint_modop_vartime(), and vartime_divide().

◆ bigint_linmul2()

word Botan::bigint_linmul2 ( word x[],
size_t x_size,
word y )
inline

Definition at line 452 of file mp_core.h.

452 {
453 const size_t blocks = x_size - (x_size % 8);
454
455 word carry = 0;
456
457 for(size_t i = 0; i != blocks; i += 8) {
458 carry = word8_linmul2(x + i, y, carry);
459 }
460
461 for(size_t i = blocks; i != x_size; ++i) {
462 x[i] = word_madd2(x[i], y, &carry);
463 }
464
465 return carry;
466}
word word8_linmul2(word x[8], word y, word carry)
Definition mp_asmi.h:443

References carry(), word8_linmul2(), and word_madd2().

Referenced by Botan::BigInt::mul(), and Botan::BigInt::operator*=().

◆ bigint_linmul3()

void Botan::bigint_linmul3 ( word z[],
const word x[],
size_t x_size,
word y )
inline

Definition at line 468 of file mp_core.h.

468 {
469 const size_t blocks = x_size - (x_size % 8);
470
471 word carry = 0;
472
473 for(size_t i = 0; i != blocks; i += 8) {
474 carry = word8_linmul3(z + i, x + i, y, carry);
475 }
476
477 for(size_t i = blocks; i != x_size; ++i) {
478 z[i] = word_madd2(x[i], y, &carry);
479 }
480
481 z[x_size] = carry;
482}
word word8_linmul3(word z[8], const word x[8], word y, word carry)
Definition mp_asmi.h:467

References carry(), word8_linmul3(), and word_madd2().

Referenced by bigint_mul(), bigint_sqr(), Botan::BigInt::mul(), operator*(), and operator*().

◆ bigint_mod_sub()

void Botan::bigint_mod_sub ( word t[],
const word s[],
const word mod[],
size_t mod_sw,
word ws[] )
inline

Set t to t-s modulo mod

Parameters
tfirst integer
ssecond integer
modthe modulus
mod_swsize of t, s, and mod
wsworkspace of size mod_sw

Definition at line 633 of file mp_core.h.

633 {
634 // is t < s or not?
635 const auto is_lt = bigint_ct_is_lt(t, mod_sw, s, mod_sw);
636
637 // ws = p - s
638 const word borrow = bigint_sub3(ws, mod, mod_sw, s, mod_sw);
639
640 // Compute either (t - s) or (t + (p - s)) depending on mask
641 const word carry = bigint_cnd_addsub(is_lt, t, ws, s, mod_sw);
642
643 BOTAN_DEBUG_ASSERT(borrow == 0 && carry == 0);
644 BOTAN_UNUSED(carry, borrow);
645}
#define BOTAN_UNUSED
Definition assert.h:118
word bigint_cnd_addsub(CT::Mask< word > mask, word x[], const word y[], const word z[], size_t size)
Definition mp_core.h:158
CT::Mask< word > bigint_ct_is_lt(const word x[], size_t x_size, const word y[], size_t y_size, bool lt_or_equal=false)
Definition mp_core.h:536
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_core.h:321

References bigint_cnd_addsub(), bigint_ct_is_lt(), bigint_sub3(), BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, and carry().

Referenced by Botan::BigInt::mod_sub().

◆ bigint_mod_sub_n()

template<size_t N>
void Botan::bigint_mod_sub_n ( word t[],
const word s[],
const word mod[],
word ws[] )
inline

Definition at line 648 of file mp_core.h.

648 {
649 // is t < s or not?
650 const auto is_lt = bigint_ct_is_lt(t, N, s, N);
651
652 // ws = p - s
653 const word borrow = bigint_sub3(ws, mod, N, s, N);
654
655 // Compute either (t - s) or (t + (p - s)) depending on mask
656 const word carry = bigint_cnd_addsub(is_lt, t, ws, s, N);
657
658 BOTAN_DEBUG_ASSERT(borrow == 0 && carry == 0);
659 BOTAN_UNUSED(carry, borrow);
660}

References bigint_cnd_addsub(), bigint_ct_is_lt(), bigint_sub3(), BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, and carry().

◆ bigint_modop_vartime()

word Botan::bigint_modop_vartime ( word n1,
word n0,
word d )
inline

Compute ((n1<<bits) + n0) % d

Definition at line 697 of file mp_core.h.

697 {
698 if(d == 0) {
699 throw Invalid_Argument("bigint_modop_vartime divide by zero");
700 }
701
702#if defined(BOTAN_MP_DWORD)
703 return ((static_cast<BOTAN_MP_DWORD>(n1) << BOTAN_MP_WORD_BITS) | n0) % d;
704#else
705 word z = bigint_divop_vartime(n1, n0, d);
706 word dummy = 0;
707 z = word_madd2(z, d, &dummy);
708 return (n0 - z);
709#endif
710}

References bigint_divop_vartime(), BOTAN_MP_WORD_BITS, and word_madd2().

Referenced by operator%(), and Botan::BigInt::operator%=().

◆ bigint_monty_redc()

void Botan::bigint_monty_redc ( word z[],
const word p[],
size_t p_size,
word p_dash,
word ws[],
size_t ws_size )
inline

Montgomery Reduction

Parameters
zinteger to reduce, of size exactly 2*p_size. Output is in the first p_size+1 words, higher words are set to zero.
pmodulus
p_sizesize of p
p_dashMontgomery value
wsarray of at least p_size+1 words
ws_sizesize of ws in words

Definition at line 757 of file mp_core.h.

757 {
758 const size_t z_size = 2 * p_size;
759
760 BOTAN_ARG_CHECK(ws_size >= p_size + 1, "Montgomery workspace too small");
761
762 if(p_size == 4) {
763 bigint_monty_redc_4(z, p, p_dash, ws);
764 } else if(p_size == 6) {
765 bigint_monty_redc_6(z, p, p_dash, ws);
766 } else if(p_size == 8) {
767 bigint_monty_redc_8(z, p, p_dash, ws);
768 } else if(p_size == 16) {
769 bigint_monty_redc_16(z, p, p_dash, ws);
770 } else if(p_size == 24) {
771 bigint_monty_redc_24(z, p, p_dash, ws);
772 } else if(p_size == 32) {
773 bigint_monty_redc_32(z, p, p_dash, ws);
774 } else {
775 bigint_monty_redc_generic(z, z_size, p, p_size, p_dash, ws);
776 }
777}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
BOTAN_FUZZER_API void bigint_monty_redc_24(word z[48], const word p[24], word p_dash, word ws[])
BOTAN_FUZZER_API void bigint_monty_redc_4(word z[8], const word p[4], word p_dash, word ws[])
BOTAN_FUZZER_API void bigint_monty_redc_generic(word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
Definition mp_monty.cpp:31
BOTAN_FUZZER_API void bigint_monty_redc_32(word z[64], const word p[32], word p_dash, word ws[])
BOTAN_FUZZER_API void bigint_monty_redc_16(word z[32], const word p[16], word p_dash, word ws[])
BOTAN_FUZZER_API void bigint_monty_redc_8(word z[16], const word p[8], word p_dash, word ws[])

References bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), and BOTAN_ARG_CHECK.

Referenced by Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::redc(), Botan::Montgomery_Params::sqr(), and Botan::Montgomery_Params::square_this().

◆ bigint_monty_redc_16()

void Botan::bigint_monty_redc_16 ( word z[32],
const word p[16],
word p_dash,
word ws[] )

Definition at line 325 of file mp_monty_n.cpp.

325 {
326 word w2 = 0, w1 = 0, w0 = 0;
327 w0 = z[0];
328 ws[0] = w0 * p_dash;
329 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
330 w0 = w1;
331 w1 = w2;
332 w2 = 0;
333 word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
334 word3_add(&w2, &w1, &w0, z[1]);
335 ws[1] = w0 * p_dash;
336 word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
337 w0 = w1;
338 w1 = w2;
339 w2 = 0;
340 word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
341 word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
342 word3_add(&w2, &w1, &w0, z[2]);
343 ws[2] = w0 * p_dash;
344 word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
345 w0 = w1;
346 w1 = w2;
347 w2 = 0;
348 word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
349 word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
350 word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
351 word3_add(&w2, &w1, &w0, z[3]);
352 ws[3] = w0 * p_dash;
353 word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
354 w0 = w1;
355 w1 = w2;
356 w2 = 0;
357 word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
358 word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
359 word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
360 word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
361 word3_add(&w2, &w1, &w0, z[4]);
362 ws[4] = w0 * p_dash;
363 word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
364 w0 = w1;
365 w1 = w2;
366 w2 = 0;
367 word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
368 word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
369 word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
370 word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
371 word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
372 word3_add(&w2, &w1, &w0, z[5]);
373 ws[5] = w0 * p_dash;
374 word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
375 w0 = w1;
376 w1 = w2;
377 w2 = 0;
378 word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
379 word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
380 word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
381 word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
382 word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
383 word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
384 word3_add(&w2, &w1, &w0, z[6]);
385 ws[6] = w0 * p_dash;
386 word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
387 w0 = w1;
388 w1 = w2;
389 w2 = 0;
390 word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
391 word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
392 word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
393 word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
394 word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
395 word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
396 word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
397 word3_add(&w2, &w1, &w0, z[7]);
398 ws[7] = w0 * p_dash;
399 word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
400 w0 = w1;
401 w1 = w2;
402 w2 = 0;
403 word3_muladd(&w2, &w1, &w0, ws[0], p[8]);
404 word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
405 word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
406 word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
407 word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
408 word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
409 word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
410 word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
411 word3_add(&w2, &w1, &w0, z[8]);
412 ws[8] = w0 * p_dash;
413 word3_muladd(&w2, &w1, &w0, ws[8], p[0]);
414 w0 = w1;
415 w1 = w2;
416 w2 = 0;
417 word3_muladd(&w2, &w1, &w0, ws[0], p[9]);
418 word3_muladd(&w2, &w1, &w0, ws[1], p[8]);
419 word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
420 word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
421 word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
422 word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
423 word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
424 word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
425 word3_muladd(&w2, &w1, &w0, ws[8], p[1]);
426 word3_add(&w2, &w1, &w0, z[9]);
427 ws[9] = w0 * p_dash;
428 word3_muladd(&w2, &w1, &w0, ws[9], p[0]);
429 w0 = w1;
430 w1 = w2;
431 w2 = 0;
432 word3_muladd(&w2, &w1, &w0, ws[0], p[10]);
433 word3_muladd(&w2, &w1, &w0, ws[1], p[9]);
434 word3_muladd(&w2, &w1, &w0, ws[2], p[8]);
435 word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
436 word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
437 word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
438 word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
439 word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
440 word3_muladd(&w2, &w1, &w0, ws[8], p[2]);
441 word3_muladd(&w2, &w1, &w0, ws[9], p[1]);
442 word3_add(&w2, &w1, &w0, z[10]);
443 ws[10] = w0 * p_dash;
444 word3_muladd(&w2, &w1, &w0, ws[10], p[0]);
445 w0 = w1;
446 w1 = w2;
447 w2 = 0;
448 word3_muladd(&w2, &w1, &w0, ws[0], p[11]);
449 word3_muladd(&w2, &w1, &w0, ws[1], p[10]);
450 word3_muladd(&w2, &w1, &w0, ws[2], p[9]);
451 word3_muladd(&w2, &w1, &w0, ws[3], p[8]);
452 word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
453 word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
454 word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
455 word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
456 word3_muladd(&w2, &w1, &w0, ws[8], p[3]);
457 word3_muladd(&w2, &w1, &w0, ws[9], p[2]);
458 word3_muladd(&w2, &w1, &w0, ws[10], p[1]);
459 word3_add(&w2, &w1, &w0, z[11]);
460 ws[11] = w0 * p_dash;
461 word3_muladd(&w2, &w1, &w0, ws[11], p[0]);
462 w0 = w1;
463 w1 = w2;
464 w2 = 0;
465 word3_muladd(&w2, &w1, &w0, ws[0], p[12]);
466 word3_muladd(&w2, &w1, &w0, ws[1], p[11]);
467 word3_muladd(&w2, &w1, &w0, ws[2], p[10]);
468 word3_muladd(&w2, &w1, &w0, ws[3], p[9]);
469 word3_muladd(&w2, &w1, &w0, ws[4], p[8]);
470 word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
471 word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
472 word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
473 word3_muladd(&w2, &w1, &w0, ws[8], p[4]);
474 word3_muladd(&w2, &w1, &w0, ws[9], p[3]);
475 word3_muladd(&w2, &w1, &w0, ws[10], p[2]);
476 word3_muladd(&w2, &w1, &w0, ws[11], p[1]);
477 word3_add(&w2, &w1, &w0, z[12]);
478 ws[12] = w0 * p_dash;
479 word3_muladd(&w2, &w1, &w0, ws[12], p[0]);
480 w0 = w1;
481 w1 = w2;
482 w2 = 0;
483 word3_muladd(&w2, &w1, &w0, ws[0], p[13]);
484 word3_muladd(&w2, &w1, &w0, ws[1], p[12]);
485 word3_muladd(&w2, &w1, &w0, ws[2], p[11]);
486 word3_muladd(&w2, &w1, &w0, ws[3], p[10]);
487 word3_muladd(&w2, &w1, &w0, ws[4], p[9]);
488 word3_muladd(&w2, &w1, &w0, ws[5], p[8]);
489 word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
490 word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
491 word3_muladd(&w2, &w1, &w0, ws[8], p[5]);
492 word3_muladd(&w2, &w1, &w0, ws[9], p[4]);
493 word3_muladd(&w2, &w1, &w0, ws[10], p[3]);
494 word3_muladd(&w2, &w1, &w0, ws[11], p[2]);
495 word3_muladd(&w2, &w1, &w0, ws[12], p[1]);
496 word3_add(&w2, &w1, &w0, z[13]);
497 ws[13] = w0 * p_dash;
498 word3_muladd(&w2, &w1, &w0, ws[13], p[0]);
499 w0 = w1;
500 w1 = w2;
501 w2 = 0;
502 word3_muladd(&w2, &w1, &w0, ws[0], p[14]);
503 word3_muladd(&w2, &w1, &w0, ws[1], p[13]);
504 word3_muladd(&w2, &w1, &w0, ws[2], p[12]);
505 word3_muladd(&w2, &w1, &w0, ws[3], p[11]);
506 word3_muladd(&w2, &w1, &w0, ws[4], p[10]);
507 word3_muladd(&w2, &w1, &w0, ws[5], p[9]);
508 word3_muladd(&w2, &w1, &w0, ws[6], p[8]);
509 word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
510 word3_muladd(&w2, &w1, &w0, ws[8], p[6]);
511 word3_muladd(&w2, &w1, &w0, ws[9], p[5]);
512 word3_muladd(&w2, &w1, &w0, ws[10], p[4]);
513 word3_muladd(&w2, &w1, &w0, ws[11], p[3]);
514 word3_muladd(&w2, &w1, &w0, ws[12], p[2]);
515 word3_muladd(&w2, &w1, &w0, ws[13], p[1]);
516 word3_add(&w2, &w1, &w0, z[14]);
517 ws[14] = w0 * p_dash;
518 word3_muladd(&w2, &w1, &w0, ws[14], p[0]);
519 w0 = w1;
520 w1 = w2;
521 w2 = 0;
522 word3_muladd(&w2, &w1, &w0, ws[0], p[15]);
523 word3_muladd(&w2, &w1, &w0, ws[1], p[14]);
524 word3_muladd(&w2, &w1, &w0, ws[2], p[13]);
525 word3_muladd(&w2, &w1, &w0, ws[3], p[12]);
526 word3_muladd(&w2, &w1, &w0, ws[4], p[11]);
527 word3_muladd(&w2, &w1, &w0, ws[5], p[10]);
528 word3_muladd(&w2, &w1, &w0, ws[6], p[9]);
529 word3_muladd(&w2, &w1, &w0, ws[7], p[8]);
530 word3_muladd(&w2, &w1, &w0, ws[8], p[7]);
531 word3_muladd(&w2, &w1, &w0, ws[9], p[6]);
532 word3_muladd(&w2, &w1, &w0, ws[10], p[5]);
533 word3_muladd(&w2, &w1, &w0, ws[11], p[4]);
534 word3_muladd(&w2, &w1, &w0, ws[12], p[3]);
535 word3_muladd(&w2, &w1, &w0, ws[13], p[2]);
536 word3_muladd(&w2, &w1, &w0, ws[14], p[1]);
537 word3_add(&w2, &w1, &w0, z[15]);
538 ws[15] = w0 * p_dash;
539 word3_muladd(&w2, &w1, &w0, ws[15], p[0]);
540 w0 = w1;
541 w1 = w2;
542 w2 = 0;
543 word3_muladd(&w2, &w1, &w0, ws[1], p[15]);
544 word3_muladd(&w2, &w1, &w0, ws[2], p[14]);
545 word3_muladd(&w2, &w1, &w0, ws[3], p[13]);
546 word3_muladd(&w2, &w1, &w0, ws[4], p[12]);
547 word3_muladd(&w2, &w1, &w0, ws[5], p[11]);
548 word3_muladd(&w2, &w1, &w0, ws[6], p[10]);
549 word3_muladd(&w2, &w1, &w0, ws[7], p[9]);
550 word3_muladd(&w2, &w1, &w0, ws[8], p[8]);
551 word3_muladd(&w2, &w1, &w0, ws[9], p[7]);
552 word3_muladd(&w2, &w1, &w0, ws[10], p[6]);
553 word3_muladd(&w2, &w1, &w0, ws[11], p[5]);
554 word3_muladd(&w2, &w1, &w0, ws[12], p[4]);
555 word3_muladd(&w2, &w1, &w0, ws[13], p[3]);
556 word3_muladd(&w2, &w1, &w0, ws[14], p[2]);
557 word3_muladd(&w2, &w1, &w0, ws[15], p[1]);
558 word3_add(&w2, &w1, &w0, z[16]);
559 ws[0] = w0;
560 w0 = w1;
561 w1 = w2;
562 w2 = 0;
563 word3_muladd(&w2, &w1, &w0, ws[2], p[15]);
564 word3_muladd(&w2, &w1, &w0, ws[3], p[14]);
565 word3_muladd(&w2, &w1, &w0, ws[4], p[13]);
566 word3_muladd(&w2, &w1, &w0, ws[5], p[12]);
567 word3_muladd(&w2, &w1, &w0, ws[6], p[11]);
568 word3_muladd(&w2, &w1, &w0, ws[7], p[10]);
569 word3_muladd(&w2, &w1, &w0, ws[8], p[9]);
570 word3_muladd(&w2, &w1, &w0, ws[9], p[8]);
571 word3_muladd(&w2, &w1, &w0, ws[10], p[7]);
572 word3_muladd(&w2, &w1, &w0, ws[11], p[6]);
573 word3_muladd(&w2, &w1, &w0, ws[12], p[5]);
574 word3_muladd(&w2, &w1, &w0, ws[13], p[4]);
575 word3_muladd(&w2, &w1, &w0, ws[14], p[3]);
576 word3_muladd(&w2, &w1, &w0, ws[15], p[2]);
577 word3_add(&w2, &w1, &w0, z[17]);
578 ws[1] = w0;
579 w0 = w1;
580 w1 = w2;
581 w2 = 0;
582 word3_muladd(&w2, &w1, &w0, ws[3], p[15]);
583 word3_muladd(&w2, &w1, &w0, ws[4], p[14]);
584 word3_muladd(&w2, &w1, &w0, ws[5], p[13]);
585 word3_muladd(&w2, &w1, &w0, ws[6], p[12]);
586 word3_muladd(&w2, &w1, &w0, ws[7], p[11]);
587 word3_muladd(&w2, &w1, &w0, ws[8], p[10]);
588 word3_muladd(&w2, &w1, &w0, ws[9], p[9]);
589 word3_muladd(&w2, &w1, &w0, ws[10], p[8]);
590 word3_muladd(&w2, &w1, &w0, ws[11], p[7]);
591 word3_muladd(&w2, &w1, &w0, ws[12], p[6]);
592 word3_muladd(&w2, &w1, &w0, ws[13], p[5]);
593 word3_muladd(&w2, &w1, &w0, ws[14], p[4]);
594 word3_muladd(&w2, &w1, &w0, ws[15], p[3]);
595 word3_add(&w2, &w1, &w0, z[18]);
596 ws[2] = w0;
597 w0 = w1;
598 w1 = w2;
599 w2 = 0;
600 word3_muladd(&w2, &w1, &w0, ws[4], p[15]);
601 word3_muladd(&w2, &w1, &w0, ws[5], p[14]);
602 word3_muladd(&w2, &w1, &w0, ws[6], p[13]);
603 word3_muladd(&w2, &w1, &w0, ws[7], p[12]);
604 word3_muladd(&w2, &w1, &w0, ws[8], p[11]);
605 word3_muladd(&w2, &w1, &w0, ws[9], p[10]);
606 word3_muladd(&w2, &w1, &w0, ws[10], p[9]);
607 word3_muladd(&w2, &w1, &w0, ws[11], p[8]);
608 word3_muladd(&w2, &w1, &w0, ws[12], p[7]);
609 word3_muladd(&w2, &w1, &w0, ws[13], p[6]);
610 word3_muladd(&w2, &w1, &w0, ws[14], p[5]);
611 word3_muladd(&w2, &w1, &w0, ws[15], p[4]);
612 word3_add(&w2, &w1, &w0, z[19]);
613 ws[3] = w0;
614 w0 = w1;
615 w1 = w2;
616 w2 = 0;
617 word3_muladd(&w2, &w1, &w0, ws[5], p[15]);
618 word3_muladd(&w2, &w1, &w0, ws[6], p[14]);
619 word3_muladd(&w2, &w1, &w0, ws[7], p[13]);
620 word3_muladd(&w2, &w1, &w0, ws[8], p[12]);
621 word3_muladd(&w2, &w1, &w0, ws[9], p[11]);
622 word3_muladd(&w2, &w1, &w0, ws[10], p[10]);
623 word3_muladd(&w2, &w1, &w0, ws[11], p[9]);
624 word3_muladd(&w2, &w1, &w0, ws[12], p[8]);
625 word3_muladd(&w2, &w1, &w0, ws[13], p[7]);
626 word3_muladd(&w2, &w1, &w0, ws[14], p[6]);
627 word3_muladd(&w2, &w1, &w0, ws[15], p[5]);
628 word3_add(&w2, &w1, &w0, z[20]);
629 ws[4] = w0;
630 w0 = w1;
631 w1 = w2;
632 w2 = 0;
633 word3_muladd(&w2, &w1, &w0, ws[6], p[15]);
634 word3_muladd(&w2, &w1, &w0, ws[7], p[14]);
635 word3_muladd(&w2, &w1, &w0, ws[8], p[13]);
636 word3_muladd(&w2, &w1, &w0, ws[9], p[12]);
637 word3_muladd(&w2, &w1, &w0, ws[10], p[11]);
638 word3_muladd(&w2, &w1, &w0, ws[11], p[10]);
639 word3_muladd(&w2, &w1, &w0, ws[12], p[9]);
640 word3_muladd(&w2, &w1, &w0, ws[13], p[8]);
641 word3_muladd(&w2, &w1, &w0, ws[14], p[7]);
642 word3_muladd(&w2, &w1, &w0, ws[15], p[6]);
643 word3_add(&w2, &w1, &w0, z[21]);
644 ws[5] = w0;
645 w0 = w1;
646 w1 = w2;
647 w2 = 0;
648 word3_muladd(&w2, &w1, &w0, ws[7], p[15]);
649 word3_muladd(&w2, &w1, &w0, ws[8], p[14]);
650 word3_muladd(&w2, &w1, &w0, ws[9], p[13]);
651 word3_muladd(&w2, &w1, &w0, ws[10], p[12]);
652 word3_muladd(&w2, &w1, &w0, ws[11], p[11]);
653 word3_muladd(&w2, &w1, &w0, ws[12], p[10]);
654 word3_muladd(&w2, &w1, &w0, ws[13], p[9]);
655 word3_muladd(&w2, &w1, &w0, ws[14], p[8]);
656 word3_muladd(&w2, &w1, &w0, ws[15], p[7]);
657 word3_add(&w2, &w1, &w0, z[22]);
658 ws[6] = w0;
659 w0 = w1;
660 w1 = w2;
661 w2 = 0;
662 word3_muladd(&w2, &w1, &w0, ws[8], p[15]);
663 word3_muladd(&w2, &w1, &w0, ws[9], p[14]);
664 word3_muladd(&w2, &w1, &w0, ws[10], p[13]);
665 word3_muladd(&w2, &w1, &w0, ws[11], p[12]);
666 word3_muladd(&w2, &w1, &w0, ws[12], p[11]);
667 word3_muladd(&w2, &w1, &w0, ws[13], p[10]);
668 word3_muladd(&w2, &w1, &w0, ws[14], p[9]);
669 word3_muladd(&w2, &w1, &w0, ws[15], p[8]);
670 word3_add(&w2, &w1, &w0, z[23]);
671 ws[7] = w0;
672 w0 = w1;
673 w1 = w2;
674 w2 = 0;
675 word3_muladd(&w2, &w1, &w0, ws[9], p[15]);
676 word3_muladd(&w2, &w1, &w0, ws[10], p[14]);
677 word3_muladd(&w2, &w1, &w0, ws[11], p[13]);
678 word3_muladd(&w2, &w1, &w0, ws[12], p[12]);
679 word3_muladd(&w2, &w1, &w0, ws[13], p[11]);
680 word3_muladd(&w2, &w1, &w0, ws[14], p[10]);
681 word3_muladd(&w2, &w1, &w0, ws[15], p[9]);
682 word3_add(&w2, &w1, &w0, z[24]);
683 ws[8] = w0;
684 w0 = w1;
685 w1 = w2;
686 w2 = 0;
687 word3_muladd(&w2, &w1, &w0, ws[10], p[15]);
688 word3_muladd(&w2, &w1, &w0, ws[11], p[14]);
689 word3_muladd(&w2, &w1, &w0, ws[12], p[13]);
690 word3_muladd(&w2, &w1, &w0, ws[13], p[12]);
691 word3_muladd(&w2, &w1, &w0, ws[14], p[11]);
692 word3_muladd(&w2, &w1, &w0, ws[15], p[10]);
693 word3_add(&w2, &w1, &w0, z[25]);
694 ws[9] = w0;
695 w0 = w1;
696 w1 = w2;
697 w2 = 0;
698 word3_muladd(&w2, &w1, &w0, ws[11], p[15]);
699 word3_muladd(&w2, &w1, &w0, ws[12], p[14]);
700 word3_muladd(&w2, &w1, &w0, ws[13], p[13]);
701 word3_muladd(&w2, &w1, &w0, ws[14], p[12]);
702 word3_muladd(&w2, &w1, &w0, ws[15], p[11]);
703 word3_add(&w2, &w1, &w0, z[26]);
704 ws[10] = w0;
705 w0 = w1;
706 w1 = w2;
707 w2 = 0;
708 word3_muladd(&w2, &w1, &w0, ws[12], p[15]);
709 word3_muladd(&w2, &w1, &w0, ws[13], p[14]);
710 word3_muladd(&w2, &w1, &w0, ws[14], p[13]);
711 word3_muladd(&w2, &w1, &w0, ws[15], p[12]);
712 word3_add(&w2, &w1, &w0, z[27]);
713 ws[11] = w0;
714 w0 = w1;
715 w1 = w2;
716 w2 = 0;
717 word3_muladd(&w2, &w1, &w0, ws[13], p[15]);
718 word3_muladd(&w2, &w1, &w0, ws[14], p[14]);
719 word3_muladd(&w2, &w1, &w0, ws[15], p[13]);
720 word3_add(&w2, &w1, &w0, z[28]);
721 ws[12] = w0;
722 w0 = w1;
723 w1 = w2;
724 w2 = 0;
725 word3_muladd(&w2, &w1, &w0, ws[14], p[15]);
726 word3_muladd(&w2, &w1, &w0, ws[15], p[14]);
727 word3_add(&w2, &w1, &w0, z[29]);
728 ws[13] = w0;
729 w0 = w1;
730 w1 = w2;
731 w2 = 0;
732 word3_muladd(&w2, &w1, &w0, ws[15], p[15]);
733 word3_add(&w2, &w1, &w0, z[30]);
734 ws[14] = w0;
735 w0 = w1;
736 w1 = w2;
737 w2 = 0;
738 word3_add(&w2, &w1, &w0, z[31]);
739 ws[15] = w0;
740 ws[16] = w1;
741 word borrow = bigint_sub3(z, ws, 16 + 1, p, 16);
742 CT::conditional_assign_mem(borrow, z, ws, 16);
743 clear_mem(z + 16, 16);
744}
void word3_add(word *w2, word *w1, word *w0, word x)
Definition mp_asmi.h:569

References bigint_sub3(), clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_24()

void Botan::bigint_monty_redc_24 ( word z[48],
const word p[24],
word p_dash,
word ws[] )

Definition at line 746 of file mp_monty_n.cpp.

746 {
747 word w2 = 0, w1 = 0, w0 = 0;
748 w0 = z[0];
749 ws[0] = w0 * p_dash;
750 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
751 w0 = w1;
752 w1 = w2;
753 w2 = 0;
754 word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
755 word3_add(&w2, &w1, &w0, z[1]);
756 ws[1] = w0 * p_dash;
757 word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
758 w0 = w1;
759 w1 = w2;
760 w2 = 0;
761 word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
762 word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
763 word3_add(&w2, &w1, &w0, z[2]);
764 ws[2] = w0 * p_dash;
765 word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
766 w0 = w1;
767 w1 = w2;
768 w2 = 0;
769 word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
770 word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
771 word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
772 word3_add(&w2, &w1, &w0, z[3]);
773 ws[3] = w0 * p_dash;
774 word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
775 w0 = w1;
776 w1 = w2;
777 w2 = 0;
778 word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
779 word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
780 word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
781 word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
782 word3_add(&w2, &w1, &w0, z[4]);
783 ws[4] = w0 * p_dash;
784 word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
785 w0 = w1;
786 w1 = w2;
787 w2 = 0;
788 word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
789 word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
790 word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
791 word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
792 word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
793 word3_add(&w2, &w1, &w0, z[5]);
794 ws[5] = w0 * p_dash;
795 word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
796 w0 = w1;
797 w1 = w2;
798 w2 = 0;
799 word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
800 word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
801 word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
802 word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
803 word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
804 word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
805 word3_add(&w2, &w1, &w0, z[6]);
806 ws[6] = w0 * p_dash;
807 word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
808 w0 = w1;
809 w1 = w2;
810 w2 = 0;
811 word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
812 word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
813 word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
814 word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
815 word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
816 word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
817 word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
818 word3_add(&w2, &w1, &w0, z[7]);
819 ws[7] = w0 * p_dash;
820 word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
821 w0 = w1;
822 w1 = w2;
823 w2 = 0;
824 word3_muladd(&w2, &w1, &w0, ws[0], p[8]);
825 word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
826 word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
827 word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
828 word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
829 word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
830 word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
831 word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
832 word3_add(&w2, &w1, &w0, z[8]);
833 ws[8] = w0 * p_dash;
834 word3_muladd(&w2, &w1, &w0, ws[8], p[0]);
835 w0 = w1;
836 w1 = w2;
837 w2 = 0;
838 word3_muladd(&w2, &w1, &w0, ws[0], p[9]);
839 word3_muladd(&w2, &w1, &w0, ws[1], p[8]);
840 word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
841 word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
842 word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
843 word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
844 word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
845 word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
846 word3_muladd(&w2, &w1, &w0, ws[8], p[1]);
847 word3_add(&w2, &w1, &w0, z[9]);
848 ws[9] = w0 * p_dash;
849 word3_muladd(&w2, &w1, &w0, ws[9], p[0]);
850 w0 = w1;
851 w1 = w2;
852 w2 = 0;
853 word3_muladd(&w2, &w1, &w0, ws[0], p[10]);
854 word3_muladd(&w2, &w1, &w0, ws[1], p[9]);
855 word3_muladd(&w2, &w1, &w0, ws[2], p[8]);
856 word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
857 word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
858 word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
859 word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
860 word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
861 word3_muladd(&w2, &w1, &w0, ws[8], p[2]);
862 word3_muladd(&w2, &w1, &w0, ws[9], p[1]);
863 word3_add(&w2, &w1, &w0, z[10]);
864 ws[10] = w0 * p_dash;
865 word3_muladd(&w2, &w1, &w0, ws[10], p[0]);
866 w0 = w1;
867 w1 = w2;
868 w2 = 0;
869 word3_muladd(&w2, &w1, &w0, ws[0], p[11]);
870 word3_muladd(&w2, &w1, &w0, ws[1], p[10]);
871 word3_muladd(&w2, &w1, &w0, ws[2], p[9]);
872 word3_muladd(&w2, &w1, &w0, ws[3], p[8]);
873 word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
874 word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
875 word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
876 word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
877 word3_muladd(&w2, &w1, &w0, ws[8], p[3]);
878 word3_muladd(&w2, &w1, &w0, ws[9], p[2]);
879 word3_muladd(&w2, &w1, &w0, ws[10], p[1]);
880 word3_add(&w2, &w1, &w0, z[11]);
881 ws[11] = w0 * p_dash;
882 word3_muladd(&w2, &w1, &w0, ws[11], p[0]);
883 w0 = w1;
884 w1 = w2;
885 w2 = 0;
886 word3_muladd(&w2, &w1, &w0, ws[0], p[12]);
887 word3_muladd(&w2, &w1, &w0, ws[1], p[11]);
888 word3_muladd(&w2, &w1, &w0, ws[2], p[10]);
889 word3_muladd(&w2, &w1, &w0, ws[3], p[9]);
890 word3_muladd(&w2, &w1, &w0, ws[4], p[8]);
891 word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
892 word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
893 word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
894 word3_muladd(&w2, &w1, &w0, ws[8], p[4]);
895 word3_muladd(&w2, &w1, &w0, ws[9], p[3]);
896 word3_muladd(&w2, &w1, &w0, ws[10], p[2]);
897 word3_muladd(&w2, &w1, &w0, ws[11], p[1]);
898 word3_add(&w2, &w1, &w0, z[12]);
899 ws[12] = w0 * p_dash;
900 word3_muladd(&w2, &w1, &w0, ws[12], p[0]);
901 w0 = w1;
902 w1 = w2;
903 w2 = 0;
904 word3_muladd(&w2, &w1, &w0, ws[0], p[13]);
905 word3_muladd(&w2, &w1, &w0, ws[1], p[12]);
906 word3_muladd(&w2, &w1, &w0, ws[2], p[11]);
907 word3_muladd(&w2, &w1, &w0, ws[3], p[10]);
908 word3_muladd(&w2, &w1, &w0, ws[4], p[9]);
909 word3_muladd(&w2, &w1, &w0, ws[5], p[8]);
910 word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
911 word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
912 word3_muladd(&w2, &w1, &w0, ws[8], p[5]);
913 word3_muladd(&w2, &w1, &w0, ws[9], p[4]);
914 word3_muladd(&w2, &w1, &w0, ws[10], p[3]);
915 word3_muladd(&w2, &w1, &w0, ws[11], p[2]);
916 word3_muladd(&w2, &w1, &w0, ws[12], p[1]);
917 word3_add(&w2, &w1, &w0, z[13]);
918 ws[13] = w0 * p_dash;
919 word3_muladd(&w2, &w1, &w0, ws[13], p[0]);
920 w0 = w1;
921 w1 = w2;
922 w2 = 0;
923 word3_muladd(&w2, &w1, &w0, ws[0], p[14]);
924 word3_muladd(&w2, &w1, &w0, ws[1], p[13]);
925 word3_muladd(&w2, &w1, &w0, ws[2], p[12]);
926 word3_muladd(&w2, &w1, &w0, ws[3], p[11]);
927 word3_muladd(&w2, &w1, &w0, ws[4], p[10]);
928 word3_muladd(&w2, &w1, &w0, ws[5], p[9]);
929 word3_muladd(&w2, &w1, &w0, ws[6], p[8]);
930 word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
931 word3_muladd(&w2, &w1, &w0, ws[8], p[6]);
932 word3_muladd(&w2, &w1, &w0, ws[9], p[5]);
933 word3_muladd(&w2, &w1, &w0, ws[10], p[4]);
934 word3_muladd(&w2, &w1, &w0, ws[11], p[3]);
935 word3_muladd(&w2, &w1, &w0, ws[12], p[2]);
936 word3_muladd(&w2, &w1, &w0, ws[13], p[1]);
937 word3_add(&w2, &w1, &w0, z[14]);
938 ws[14] = w0 * p_dash;
939 word3_muladd(&w2, &w1, &w0, ws[14], p[0]);
940 w0 = w1;
941 w1 = w2;
942 w2 = 0;
943 word3_muladd(&w2, &w1, &w0, ws[0], p[15]);
944 word3_muladd(&w2, &w1, &w0, ws[1], p[14]);
945 word3_muladd(&w2, &w1, &w0, ws[2], p[13]);
946 word3_muladd(&w2, &w1, &w0, ws[3], p[12]);
947 word3_muladd(&w2, &w1, &w0, ws[4], p[11]);
948 word3_muladd(&w2, &w1, &w0, ws[5], p[10]);
949 word3_muladd(&w2, &w1, &w0, ws[6], p[9]);
950 word3_muladd(&w2, &w1, &w0, ws[7], p[8]);
951 word3_muladd(&w2, &w1, &w0, ws[8], p[7]);
952 word3_muladd(&w2, &w1, &w0, ws[9], p[6]);
953 word3_muladd(&w2, &w1, &w0, ws[10], p[5]);
954 word3_muladd(&w2, &w1, &w0, ws[11], p[4]);
955 word3_muladd(&w2, &w1, &w0, ws[12], p[3]);
956 word3_muladd(&w2, &w1, &w0, ws[13], p[2]);
957 word3_muladd(&w2, &w1, &w0, ws[14], p[1]);
958 word3_add(&w2, &w1, &w0, z[15]);
959 ws[15] = w0 * p_dash;
960 word3_muladd(&w2, &w1, &w0, ws[15], p[0]);
961 w0 = w1;
962 w1 = w2;
963 w2 = 0;
964 word3_muladd(&w2, &w1, &w0, ws[0], p[16]);
965 word3_muladd(&w2, &w1, &w0, ws[1], p[15]);
966 word3_muladd(&w2, &w1, &w0, ws[2], p[14]);
967 word3_muladd(&w2, &w1, &w0, ws[3], p[13]);
968 word3_muladd(&w2, &w1, &w0, ws[4], p[12]);
969 word3_muladd(&w2, &w1, &w0, ws[5], p[11]);
970 word3_muladd(&w2, &w1, &w0, ws[6], p[10]);
971 word3_muladd(&w2, &w1, &w0, ws[7], p[9]);
972 word3_muladd(&w2, &w1, &w0, ws[8], p[8]);
973 word3_muladd(&w2, &w1, &w0, ws[9], p[7]);
974 word3_muladd(&w2, &w1, &w0, ws[10], p[6]);
975 word3_muladd(&w2, &w1, &w0, ws[11], p[5]);
976 word3_muladd(&w2, &w1, &w0, ws[12], p[4]);
977 word3_muladd(&w2, &w1, &w0, ws[13], p[3]);
978 word3_muladd(&w2, &w1, &w0, ws[14], p[2]);
979 word3_muladd(&w2, &w1, &w0, ws[15], p[1]);
980 word3_add(&w2, &w1, &w0, z[16]);
981 ws[16] = w0 * p_dash;
982 word3_muladd(&w2, &w1, &w0, ws[16], p[0]);
983 w0 = w1;
984 w1 = w2;
985 w2 = 0;
986 word3_muladd(&w2, &w1, &w0, ws[0], p[17]);
987 word3_muladd(&w2, &w1, &w0, ws[1], p[16]);
988 word3_muladd(&w2, &w1, &w0, ws[2], p[15]);
989 word3_muladd(&w2, &w1, &w0, ws[3], p[14]);
990 word3_muladd(&w2, &w1, &w0, ws[4], p[13]);
991 word3_muladd(&w2, &w1, &w0, ws[5], p[12]);
992 word3_muladd(&w2, &w1, &w0, ws[6], p[11]);
993 word3_muladd(&w2, &w1, &w0, ws[7], p[10]);
994 word3_muladd(&w2, &w1, &w0, ws[8], p[9]);
995 word3_muladd(&w2, &w1, &w0, ws[9], p[8]);
996 word3_muladd(&w2, &w1, &w0, ws[10], p[7]);
997 word3_muladd(&w2, &w1, &w0, ws[11], p[6]);
998 word3_muladd(&w2, &w1, &w0, ws[12], p[5]);
999 word3_muladd(&w2, &w1, &w0, ws[13], p[4]);
1000 word3_muladd(&w2, &w1, &w0, ws[14], p[3]);
1001 word3_muladd(&w2, &w1, &w0, ws[15], p[2]);
1002 word3_muladd(&w2, &w1, &w0, ws[16], p[1]);
1003 word3_add(&w2, &w1, &w0, z[17]);
1004 ws[17] = w0 * p_dash;
1005 word3_muladd(&w2, &w1, &w0, ws[17], p[0]);
1006 w0 = w1;
1007 w1 = w2;
1008 w2 = 0;
1009 word3_muladd(&w2, &w1, &w0, ws[0], p[18]);
1010 word3_muladd(&w2, &w1, &w0, ws[1], p[17]);
1011 word3_muladd(&w2, &w1, &w0, ws[2], p[16]);
1012 word3_muladd(&w2, &w1, &w0, ws[3], p[15]);
1013 word3_muladd(&w2, &w1, &w0, ws[4], p[14]);
1014 word3_muladd(&w2, &w1, &w0, ws[5], p[13]);
1015 word3_muladd(&w2, &w1, &w0, ws[6], p[12]);
1016 word3_muladd(&w2, &w1, &w0, ws[7], p[11]);
1017 word3_muladd(&w2, &w1, &w0, ws[8], p[10]);
1018 word3_muladd(&w2, &w1, &w0, ws[9], p[9]);
1019 word3_muladd(&w2, &w1, &w0, ws[10], p[8]);
1020 word3_muladd(&w2, &w1, &w0, ws[11], p[7]);
1021 word3_muladd(&w2, &w1, &w0, ws[12], p[6]);
1022 word3_muladd(&w2, &w1, &w0, ws[13], p[5]);
1023 word3_muladd(&w2, &w1, &w0, ws[14], p[4]);
1024 word3_muladd(&w2, &w1, &w0, ws[15], p[3]);
1025 word3_muladd(&w2, &w1, &w0, ws[16], p[2]);
1026 word3_muladd(&w2, &w1, &w0, ws[17], p[1]);
1027 word3_add(&w2, &w1, &w0, z[18]);
1028 ws[18] = w0 * p_dash;
1029 word3_muladd(&w2, &w1, &w0, ws[18], p[0]);
1030 w0 = w1;
1031 w1 = w2;
1032 w2 = 0;
1033 word3_muladd(&w2, &w1, &w0, ws[0], p[19]);
1034 word3_muladd(&w2, &w1, &w0, ws[1], p[18]);
1035 word3_muladd(&w2, &w1, &w0, ws[2], p[17]);
1036 word3_muladd(&w2, &w1, &w0, ws[3], p[16]);
1037 word3_muladd(&w2, &w1, &w0, ws[4], p[15]);
1038 word3_muladd(&w2, &w1, &w0, ws[5], p[14]);
1039 word3_muladd(&w2, &w1, &w0, ws[6], p[13]);
1040 word3_muladd(&w2, &w1, &w0, ws[7], p[12]);
1041 word3_muladd(&w2, &w1, &w0, ws[8], p[11]);
1042 word3_muladd(&w2, &w1, &w0, ws[9], p[10]);
1043 word3_muladd(&w2, &w1, &w0, ws[10], p[9]);
1044 word3_muladd(&w2, &w1, &w0, ws[11], p[8]);
1045 word3_muladd(&w2, &w1, &w0, ws[12], p[7]);
1046 word3_muladd(&w2, &w1, &w0, ws[13], p[6]);
1047 word3_muladd(&w2, &w1, &w0, ws[14], p[5]);
1048 word3_muladd(&w2, &w1, &w0, ws[15], p[4]);
1049 word3_muladd(&w2, &w1, &w0, ws[16], p[3]);
1050 word3_muladd(&w2, &w1, &w0, ws[17], p[2]);
1051 word3_muladd(&w2, &w1, &w0, ws[18], p[1]);
1052 word3_add(&w2, &w1, &w0, z[19]);
1053 ws[19] = w0 * p_dash;
1054 word3_muladd(&w2, &w1, &w0, ws[19], p[0]);
1055 w0 = w1;
1056 w1 = w2;
1057 w2 = 0;
1058 word3_muladd(&w2, &w1, &w0, ws[0], p[20]);
1059 word3_muladd(&w2, &w1, &w0, ws[1], p[19]);
1060 word3_muladd(&w2, &w1, &w0, ws[2], p[18]);
1061 word3_muladd(&w2, &w1, &w0, ws[3], p[17]);
1062 word3_muladd(&w2, &w1, &w0, ws[4], p[16]);
1063 word3_muladd(&w2, &w1, &w0, ws[5], p[15]);
1064 word3_muladd(&w2, &w1, &w0, ws[6], p[14]);
1065 word3_muladd(&w2, &w1, &w0, ws[7], p[13]);
1066 word3_muladd(&w2, &w1, &w0, ws[8], p[12]);
1067 word3_muladd(&w2, &w1, &w0, ws[9], p[11]);
1068 word3_muladd(&w2, &w1, &w0, ws[10], p[10]);
1069 word3_muladd(&w2, &w1, &w0, ws[11], p[9]);
1070 word3_muladd(&w2, &w1, &w0, ws[12], p[8]);
1071 word3_muladd(&w2, &w1, &w0, ws[13], p[7]);
1072 word3_muladd(&w2, &w1, &w0, ws[14], p[6]);
1073 word3_muladd(&w2, &w1, &w0, ws[15], p[5]);
1074 word3_muladd(&w2, &w1, &w0, ws[16], p[4]);
1075 word3_muladd(&w2, &w1, &w0, ws[17], p[3]);
1076 word3_muladd(&w2, &w1, &w0, ws[18], p[2]);
1077 word3_muladd(&w2, &w1, &w0, ws[19], p[1]);
1078 word3_add(&w2, &w1, &w0, z[20]);
1079 ws[20] = w0 * p_dash;
1080 word3_muladd(&w2, &w1, &w0, ws[20], p[0]);
1081 w0 = w1;
1082 w1 = w2;
1083 w2 = 0;
1084 word3_muladd(&w2, &w1, &w0, ws[0], p[21]);
1085 word3_muladd(&w2, &w1, &w0, ws[1], p[20]);
1086 word3_muladd(&w2, &w1, &w0, ws[2], p[19]);
1087 word3_muladd(&w2, &w1, &w0, ws[3], p[18]);
1088 word3_muladd(&w2, &w1, &w0, ws[4], p[17]);
1089 word3_muladd(&w2, &w1, &w0, ws[5], p[16]);
1090 word3_muladd(&w2, &w1, &w0, ws[6], p[15]);
1091 word3_muladd(&w2, &w1, &w0, ws[7], p[14]);
1092 word3_muladd(&w2, &w1, &w0, ws[8], p[13]);
1093 word3_muladd(&w2, &w1, &w0, ws[9], p[12]);
1094 word3_muladd(&w2, &w1, &w0, ws[10], p[11]);
1095 word3_muladd(&w2, &w1, &w0, ws[11], p[10]);
1096 word3_muladd(&w2, &w1, &w0, ws[12], p[9]);
1097 word3_muladd(&w2, &w1, &w0, ws[13], p[8]);
1098 word3_muladd(&w2, &w1, &w0, ws[14], p[7]);
1099 word3_muladd(&w2, &w1, &w0, ws[15], p[6]);
1100 word3_muladd(&w2, &w1, &w0, ws[16], p[5]);
1101 word3_muladd(&w2, &w1, &w0, ws[17], p[4]);
1102 word3_muladd(&w2, &w1, &w0, ws[18], p[3]);
1103 word3_muladd(&w2, &w1, &w0, ws[19], p[2]);
1104 word3_muladd(&w2, &w1, &w0, ws[20], p[1]);
1105 word3_add(&w2, &w1, &w0, z[21]);
1106 ws[21] = w0 * p_dash;
1107 word3_muladd(&w2, &w1, &w0, ws[21], p[0]);
1108 w0 = w1;
1109 w1 = w2;
1110 w2 = 0;
1111 word3_muladd(&w2, &w1, &w0, ws[0], p[22]);
1112 word3_muladd(&w2, &w1, &w0, ws[1], p[21]);
1113 word3_muladd(&w2, &w1, &w0, ws[2], p[20]);
1114 word3_muladd(&w2, &w1, &w0, ws[3], p[19]);
1115 word3_muladd(&w2, &w1, &w0, ws[4], p[18]);
1116 word3_muladd(&w2, &w1, &w0, ws[5], p[17]);
1117 word3_muladd(&w2, &w1, &w0, ws[6], p[16]);
1118 word3_muladd(&w2, &w1, &w0, ws[7], p[15]);
1119 word3_muladd(&w2, &w1, &w0, ws[8], p[14]);
1120 word3_muladd(&w2, &w1, &w0, ws[9], p[13]);
1121 word3_muladd(&w2, &w1, &w0, ws[10], p[12]);
1122 word3_muladd(&w2, &w1, &w0, ws[11], p[11]);
1123 word3_muladd(&w2, &w1, &w0, ws[12], p[10]);
1124 word3_muladd(&w2, &w1, &w0, ws[13], p[9]);
1125 word3_muladd(&w2, &w1, &w0, ws[14], p[8]);
1126 word3_muladd(&w2, &w1, &w0, ws[15], p[7]);
1127 word3_muladd(&w2, &w1, &w0, ws[16], p[6]);
1128 word3_muladd(&w2, &w1, &w0, ws[17], p[5]);
1129 word3_muladd(&w2, &w1, &w0, ws[18], p[4]);
1130 word3_muladd(&w2, &w1, &w0, ws[19], p[3]);
1131 word3_muladd(&w2, &w1, &w0, ws[20], p[2]);
1132 word3_muladd(&w2, &w1, &w0, ws[21], p[1]);
1133 word3_add(&w2, &w1, &w0, z[22]);
1134 ws[22] = w0 * p_dash;
1135 word3_muladd(&w2, &w1, &w0, ws[22], p[0]);
1136 w0 = w1;
1137 w1 = w2;
1138 w2 = 0;
1139 word3_muladd(&w2, &w1, &w0, ws[0], p[23]);
1140 word3_muladd(&w2, &w1, &w0, ws[1], p[22]);
1141 word3_muladd(&w2, &w1, &w0, ws[2], p[21]);
1142 word3_muladd(&w2, &w1, &w0, ws[3], p[20]);
1143 word3_muladd(&w2, &w1, &w0, ws[4], p[19]);
1144 word3_muladd(&w2, &w1, &w0, ws[5], p[18]);
1145 word3_muladd(&w2, &w1, &w0, ws[6], p[17]);
1146 word3_muladd(&w2, &w1, &w0, ws[7], p[16]);
1147 word3_muladd(&w2, &w1, &w0, ws[8], p[15]);
1148 word3_muladd(&w2, &w1, &w0, ws[9], p[14]);
1149 word3_muladd(&w2, &w1, &w0, ws[10], p[13]);
1150 word3_muladd(&w2, &w1, &w0, ws[11], p[12]);
1151 word3_muladd(&w2, &w1, &w0, ws[12], p[11]);
1152 word3_muladd(&w2, &w1, &w0, ws[13], p[10]);
1153 word3_muladd(&w2, &w1, &w0, ws[14], p[9]);
1154 word3_muladd(&w2, &w1, &w0, ws[15], p[8]);
1155 word3_muladd(&w2, &w1, &w0, ws[16], p[7]);
1156 word3_muladd(&w2, &w1, &w0, ws[17], p[6]);
1157 word3_muladd(&w2, &w1, &w0, ws[18], p[5]);
1158 word3_muladd(&w2, &w1, &w0, ws[19], p[4]);
1159 word3_muladd(&w2, &w1, &w0, ws[20], p[3]);
1160 word3_muladd(&w2, &w1, &w0, ws[21], p[2]);
1161 word3_muladd(&w2, &w1, &w0, ws[22], p[1]);
1162 word3_add(&w2, &w1, &w0, z[23]);
1163 ws[23] = w0 * p_dash;
1164 word3_muladd(&w2, &w1, &w0, ws[23], p[0]);
1165 w0 = w1;
1166 w1 = w2;
1167 w2 = 0;
1168 word3_muladd(&w2, &w1, &w0, ws[1], p[23]);
1169 word3_muladd(&w2, &w1, &w0, ws[2], p[22]);
1170 word3_muladd(&w2, &w1, &w0, ws[3], p[21]);
1171 word3_muladd(&w2, &w1, &w0, ws[4], p[20]);
1172 word3_muladd(&w2, &w1, &w0, ws[5], p[19]);
1173 word3_muladd(&w2, &w1, &w0, ws[6], p[18]);
1174 word3_muladd(&w2, &w1, &w0, ws[7], p[17]);
1175 word3_muladd(&w2, &w1, &w0, ws[8], p[16]);
1176 word3_muladd(&w2, &w1, &w0, ws[9], p[15]);
1177 word3_muladd(&w2, &w1, &w0, ws[10], p[14]);
1178 word3_muladd(&w2, &w1, &w0, ws[11], p[13]);
1179 word3_muladd(&w2, &w1, &w0, ws[12], p[12]);
1180 word3_muladd(&w2, &w1, &w0, ws[13], p[11]);
1181 word3_muladd(&w2, &w1, &w0, ws[14], p[10]);
1182 word3_muladd(&w2, &w1, &w0, ws[15], p[9]);
1183 word3_muladd(&w2, &w1, &w0, ws[16], p[8]);
1184 word3_muladd(&w2, &w1, &w0, ws[17], p[7]);
1185 word3_muladd(&w2, &w1, &w0, ws[18], p[6]);
1186 word3_muladd(&w2, &w1, &w0, ws[19], p[5]);
1187 word3_muladd(&w2, &w1, &w0, ws[20], p[4]);
1188 word3_muladd(&w2, &w1, &w0, ws[21], p[3]);
1189 word3_muladd(&w2, &w1, &w0, ws[22], p[2]);
1190 word3_muladd(&w2, &w1, &w0, ws[23], p[1]);
1191 word3_add(&w2, &w1, &w0, z[24]);
1192 ws[0] = w0;
1193 w0 = w1;
1194 w1 = w2;
1195 w2 = 0;
1196 word3_muladd(&w2, &w1, &w0, ws[2], p[23]);
1197 word3_muladd(&w2, &w1, &w0, ws[3], p[22]);
1198 word3_muladd(&w2, &w1, &w0, ws[4], p[21]);
1199 word3_muladd(&w2, &w1, &w0, ws[5], p[20]);
1200 word3_muladd(&w2, &w1, &w0, ws[6], p[19]);
1201 word3_muladd(&w2, &w1, &w0, ws[7], p[18]);
1202 word3_muladd(&w2, &w1, &w0, ws[8], p[17]);
1203 word3_muladd(&w2, &w1, &w0, ws[9], p[16]);
1204 word3_muladd(&w2, &w1, &w0, ws[10], p[15]);
1205 word3_muladd(&w2, &w1, &w0, ws[11], p[14]);
1206 word3_muladd(&w2, &w1, &w0, ws[12], p[13]);
1207 word3_muladd(&w2, &w1, &w0, ws[13], p[12]);
1208 word3_muladd(&w2, &w1, &w0, ws[14], p[11]);
1209 word3_muladd(&w2, &w1, &w0, ws[15], p[10]);
1210 word3_muladd(&w2, &w1, &w0, ws[16], p[9]);
1211 word3_muladd(&w2, &w1, &w0, ws[17], p[8]);
1212 word3_muladd(&w2, &w1, &w0, ws[18], p[7]);
1213 word3_muladd(&w2, &w1, &w0, ws[19], p[6]);
1214 word3_muladd(&w2, &w1, &w0, ws[20], p[5]);
1215 word3_muladd(&w2, &w1, &w0, ws[21], p[4]);
1216 word3_muladd(&w2, &w1, &w0, ws[22], p[3]);
1217 word3_muladd(&w2, &w1, &w0, ws[23], p[2]);
1218 word3_add(&w2, &w1, &w0, z[25]);
1219 ws[1] = w0;
1220 w0 = w1;
1221 w1 = w2;
1222 w2 = 0;
1223 word3_muladd(&w2, &w1, &w0, ws[3], p[23]);
1224 word3_muladd(&w2, &w1, &w0, ws[4], p[22]);
1225 word3_muladd(&w2, &w1, &w0, ws[5], p[21]);
1226 word3_muladd(&w2, &w1, &w0, ws[6], p[20]);
1227 word3_muladd(&w2, &w1, &w0, ws[7], p[19]);
1228 word3_muladd(&w2, &w1, &w0, ws[8], p[18]);
1229 word3_muladd(&w2, &w1, &w0, ws[9], p[17]);
1230 word3_muladd(&w2, &w1, &w0, ws[10], p[16]);
1231 word3_muladd(&w2, &w1, &w0, ws[11], p[15]);
1232 word3_muladd(&w2, &w1, &w0, ws[12], p[14]);
1233 word3_muladd(&w2, &w1, &w0, ws[13], p[13]);
1234 word3_muladd(&w2, &w1, &w0, ws[14], p[12]);
1235 word3_muladd(&w2, &w1, &w0, ws[15], p[11]);
1236 word3_muladd(&w2, &w1, &w0, ws[16], p[10]);
1237 word3_muladd(&w2, &w1, &w0, ws[17], p[9]);
1238 word3_muladd(&w2, &w1, &w0, ws[18], p[8]);
1239 word3_muladd(&w2, &w1, &w0, ws[19], p[7]);
1240 word3_muladd(&w2, &w1, &w0, ws[20], p[6]);
1241 word3_muladd(&w2, &w1, &w0, ws[21], p[5]);
1242 word3_muladd(&w2, &w1, &w0, ws[22], p[4]);
1243 word3_muladd(&w2, &w1, &w0, ws[23], p[3]);
1244 word3_add(&w2, &w1, &w0, z[26]);
1245 ws[2] = w0;
1246 w0 = w1;
1247 w1 = w2;
1248 w2 = 0;
1249 word3_muladd(&w2, &w1, &w0, ws[4], p[23]);
1250 word3_muladd(&w2, &w1, &w0, ws[5], p[22]);
1251 word3_muladd(&w2, &w1, &w0, ws[6], p[21]);
1252 word3_muladd(&w2, &w1, &w0, ws[7], p[20]);
1253 word3_muladd(&w2, &w1, &w0, ws[8], p[19]);
1254 word3_muladd(&w2, &w1, &w0, ws[9], p[18]);
1255 word3_muladd(&w2, &w1, &w0, ws[10], p[17]);
1256 word3_muladd(&w2, &w1, &w0, ws[11], p[16]);
1257 word3_muladd(&w2, &w1, &w0, ws[12], p[15]);
1258 word3_muladd(&w2, &w1, &w0, ws[13], p[14]);
1259 word3_muladd(&w2, &w1, &w0, ws[14], p[13]);
1260 word3_muladd(&w2, &w1, &w0, ws[15], p[12]);
1261 word3_muladd(&w2, &w1, &w0, ws[16], p[11]);
1262 word3_muladd(&w2, &w1, &w0, ws[17], p[10]);
1263 word3_muladd(&w2, &w1, &w0, ws[18], p[9]);
1264 word3_muladd(&w2, &w1, &w0, ws[19], p[8]);
1265 word3_muladd(&w2, &w1, &w0, ws[20], p[7]);
1266 word3_muladd(&w2, &w1, &w0, ws[21], p[6]);
1267 word3_muladd(&w2, &w1, &w0, ws[22], p[5]);
1268 word3_muladd(&w2, &w1, &w0, ws[23], p[4]);
1269 word3_add(&w2, &w1, &w0, z[27]);
1270 ws[3] = w0;
1271 w0 = w1;
1272 w1 = w2;
1273 w2 = 0;
1274 word3_muladd(&w2, &w1, &w0, ws[5], p[23]);
1275 word3_muladd(&w2, &w1, &w0, ws[6], p[22]);
1276 word3_muladd(&w2, &w1, &w0, ws[7], p[21]);
1277 word3_muladd(&w2, &w1, &w0, ws[8], p[20]);
1278 word3_muladd(&w2, &w1, &w0, ws[9], p[19]);
1279 word3_muladd(&w2, &w1, &w0, ws[10], p[18]);
1280 word3_muladd(&w2, &w1, &w0, ws[11], p[17]);
1281 word3_muladd(&w2, &w1, &w0, ws[12], p[16]);
1282 word3_muladd(&w2, &w1, &w0, ws[13], p[15]);
1283 word3_muladd(&w2, &w1, &w0, ws[14], p[14]);
1284 word3_muladd(&w2, &w1, &w0, ws[15], p[13]);
1285 word3_muladd(&w2, &w1, &w0, ws[16], p[12]);
1286 word3_muladd(&w2, &w1, &w0, ws[17], p[11]);
1287 word3_muladd(&w2, &w1, &w0, ws[18], p[10]);
1288 word3_muladd(&w2, &w1, &w0, ws[19], p[9]);
1289 word3_muladd(&w2, &w1, &w0, ws[20], p[8]);
1290 word3_muladd(&w2, &w1, &w0, ws[21], p[7]);
1291 word3_muladd(&w2, &w1, &w0, ws[22], p[6]);
1292 word3_muladd(&w2, &w1, &w0, ws[23], p[5]);
1293 word3_add(&w2, &w1, &w0, z[28]);
1294 ws[4] = w0;
1295 w0 = w1;
1296 w1 = w2;
1297 w2 = 0;
1298 word3_muladd(&w2, &w1, &w0, ws[6], p[23]);
1299 word3_muladd(&w2, &w1, &w0, ws[7], p[22]);
1300 word3_muladd(&w2, &w1, &w0, ws[8], p[21]);
1301 word3_muladd(&w2, &w1, &w0, ws[9], p[20]);
1302 word3_muladd(&w2, &w1, &w0, ws[10], p[19]);
1303 word3_muladd(&w2, &w1, &w0, ws[11], p[18]);
1304 word3_muladd(&w2, &w1, &w0, ws[12], p[17]);
1305 word3_muladd(&w2, &w1, &w0, ws[13], p[16]);
1306 word3_muladd(&w2, &w1, &w0, ws[14], p[15]);
1307 word3_muladd(&w2, &w1, &w0, ws[15], p[14]);
1308 word3_muladd(&w2, &w1, &w0, ws[16], p[13]);
1309 word3_muladd(&w2, &w1, &w0, ws[17], p[12]);
1310 word3_muladd(&w2, &w1, &w0, ws[18], p[11]);
1311 word3_muladd(&w2, &w1, &w0, ws[19], p[10]);
1312 word3_muladd(&w2, &w1, &w0, ws[20], p[9]);
1313 word3_muladd(&w2, &w1, &w0, ws[21], p[8]);
1314 word3_muladd(&w2, &w1, &w0, ws[22], p[7]);
1315 word3_muladd(&w2, &w1, &w0, ws[23], p[6]);
1316 word3_add(&w2, &w1, &w0, z[29]);
1317 ws[5] = w0;
1318 w0 = w1;
1319 w1 = w2;
1320 w2 = 0;
1321 word3_muladd(&w2, &w1, &w0, ws[7], p[23]);
1322 word3_muladd(&w2, &w1, &w0, ws[8], p[22]);
1323 word3_muladd(&w2, &w1, &w0, ws[9], p[21]);
1324 word3_muladd(&w2, &w1, &w0, ws[10], p[20]);
1325 word3_muladd(&w2, &w1, &w0, ws[11], p[19]);
1326 word3_muladd(&w2, &w1, &w0, ws[12], p[18]);
1327 word3_muladd(&w2, &w1, &w0, ws[13], p[17]);
1328 word3_muladd(&w2, &w1, &w0, ws[14], p[16]);
1329 word3_muladd(&w2, &w1, &w0, ws[15], p[15]);
1330 word3_muladd(&w2, &w1, &w0, ws[16], p[14]);
1331 word3_muladd(&w2, &w1, &w0, ws[17], p[13]);
1332 word3_muladd(&w2, &w1, &w0, ws[18], p[12]);
1333 word3_muladd(&w2, &w1, &w0, ws[19], p[11]);
1334 word3_muladd(&w2, &w1, &w0, ws[20], p[10]);
1335 word3_muladd(&w2, &w1, &w0, ws[21], p[9]);
1336 word3_muladd(&w2, &w1, &w0, ws[22], p[8]);
1337 word3_muladd(&w2, &w1, &w0, ws[23], p[7]);
1338 word3_add(&w2, &w1, &w0, z[30]);
1339 ws[6] = w0;
1340 w0 = w1;
1341 w1 = w2;
1342 w2 = 0;
1343 word3_muladd(&w2, &w1, &w0, ws[8], p[23]);
1344 word3_muladd(&w2, &w1, &w0, ws[9], p[22]);
1345 word3_muladd(&w2, &w1, &w0, ws[10], p[21]);
1346 word3_muladd(&w2, &w1, &w0, ws[11], p[20]);
1347 word3_muladd(&w2, &w1, &w0, ws[12], p[19]);
1348 word3_muladd(&w2, &w1, &w0, ws[13], p[18]);
1349 word3_muladd(&w2, &w1, &w0, ws[14], p[17]);
1350 word3_muladd(&w2, &w1, &w0, ws[15], p[16]);
1351 word3_muladd(&w2, &w1, &w0, ws[16], p[15]);
1352 word3_muladd(&w2, &w1, &w0, ws[17], p[14]);
1353 word3_muladd(&w2, &w1, &w0, ws[18], p[13]);
1354 word3_muladd(&w2, &w1, &w0, ws[19], p[12]);
1355 word3_muladd(&w2, &w1, &w0, ws[20], p[11]);
1356 word3_muladd(&w2, &w1, &w0, ws[21], p[10]);
1357 word3_muladd(&w2, &w1, &w0, ws[22], p[9]);
1358 word3_muladd(&w2, &w1, &w0, ws[23], p[8]);
1359 word3_add(&w2, &w1, &w0, z[31]);
1360 ws[7] = w0;
1361 w0 = w1;
1362 w1 = w2;
1363 w2 = 0;
1364 word3_muladd(&w2, &w1, &w0, ws[9], p[23]);
1365 word3_muladd(&w2, &w1, &w0, ws[10], p[22]);
1366 word3_muladd(&w2, &w1, &w0, ws[11], p[21]);
1367 word3_muladd(&w2, &w1, &w0, ws[12], p[20]);
1368 word3_muladd(&w2, &w1, &w0, ws[13], p[19]);
1369 word3_muladd(&w2, &w1, &w0, ws[14], p[18]);
1370 word3_muladd(&w2, &w1, &w0, ws[15], p[17]);
1371 word3_muladd(&w2, &w1, &w0, ws[16], p[16]);
1372 word3_muladd(&w2, &w1, &w0, ws[17], p[15]);
1373 word3_muladd(&w2, &w1, &w0, ws[18], p[14]);
1374 word3_muladd(&w2, &w1, &w0, ws[19], p[13]);
1375 word3_muladd(&w2, &w1, &w0, ws[20], p[12]);
1376 word3_muladd(&w2, &w1, &w0, ws[21], p[11]);
1377 word3_muladd(&w2, &w1, &w0, ws[22], p[10]);
1378 word3_muladd(&w2, &w1, &w0, ws[23], p[9]);
1379 word3_add(&w2, &w1, &w0, z[32]);
1380 ws[8] = w0;
1381 w0 = w1;
1382 w1 = w2;
1383 w2 = 0;
1384 word3_muladd(&w2, &w1, &w0, ws[10], p[23]);
1385 word3_muladd(&w2, &w1, &w0, ws[11], p[22]);
1386 word3_muladd(&w2, &w1, &w0, ws[12], p[21]);
1387 word3_muladd(&w2, &w1, &w0, ws[13], p[20]);
1388 word3_muladd(&w2, &w1, &w0, ws[14], p[19]);
1389 word3_muladd(&w2, &w1, &w0, ws[15], p[18]);
1390 word3_muladd(&w2, &w1, &w0, ws[16], p[17]);
1391 word3_muladd(&w2, &w1, &w0, ws[17], p[16]);
1392 word3_muladd(&w2, &w1, &w0, ws[18], p[15]);
1393 word3_muladd(&w2, &w1, &w0, ws[19], p[14]);
1394 word3_muladd(&w2, &w1, &w0, ws[20], p[13]);
1395 word3_muladd(&w2, &w1, &w0, ws[21], p[12]);
1396 word3_muladd(&w2, &w1, &w0, ws[22], p[11]);
1397 word3_muladd(&w2, &w1, &w0, ws[23], p[10]);
1398 word3_add(&w2, &w1, &w0, z[33]);
1399 ws[9] = w0;
1400 w0 = w1;
1401 w1 = w2;
1402 w2 = 0;
1403 word3_muladd(&w2, &w1, &w0, ws[11], p[23]);
1404 word3_muladd(&w2, &w1, &w0, ws[12], p[22]);
1405 word3_muladd(&w2, &w1, &w0, ws[13], p[21]);
1406 word3_muladd(&w2, &w1, &w0, ws[14], p[20]);
1407 word3_muladd(&w2, &w1, &w0, ws[15], p[19]);
1408 word3_muladd(&w2, &w1, &w0, ws[16], p[18]);
1409 word3_muladd(&w2, &w1, &w0, ws[17], p[17]);
1410 word3_muladd(&w2, &w1, &w0, ws[18], p[16]);
1411 word3_muladd(&w2, &w1, &w0, ws[19], p[15]);
1412 word3_muladd(&w2, &w1, &w0, ws[20], p[14]);
1413 word3_muladd(&w2, &w1, &w0, ws[21], p[13]);
1414 word3_muladd(&w2, &w1, &w0, ws[22], p[12]);
1415 word3_muladd(&w2, &w1, &w0, ws[23], p[11]);
1416 word3_add(&w2, &w1, &w0, z[34]);
1417 ws[10] = w0;
1418 w0 = w1;
1419 w1 = w2;
1420 w2 = 0;
1421 word3_muladd(&w2, &w1, &w0, ws[12], p[23]);
1422 word3_muladd(&w2, &w1, &w0, ws[13], p[22]);
1423 word3_muladd(&w2, &w1, &w0, ws[14], p[21]);
1424 word3_muladd(&w2, &w1, &w0, ws[15], p[20]);
1425 word3_muladd(&w2, &w1, &w0, ws[16], p[19]);
1426 word3_muladd(&w2, &w1, &w0, ws[17], p[18]);
1427 word3_muladd(&w2, &w1, &w0, ws[18], p[17]);
1428 word3_muladd(&w2, &w1, &w0, ws[19], p[16]);
1429 word3_muladd(&w2, &w1, &w0, ws[20], p[15]);
1430 word3_muladd(&w2, &w1, &w0, ws[21], p[14]);
1431 word3_muladd(&w2, &w1, &w0, ws[22], p[13]);
1432 word3_muladd(&w2, &w1, &w0, ws[23], p[12]);
1433 word3_add(&w2, &w1, &w0, z[35]);
1434 ws[11] = w0;
1435 w0 = w1;
1436 w1 = w2;
1437 w2 = 0;
1438 word3_muladd(&w2, &w1, &w0, ws[13], p[23]);
1439 word3_muladd(&w2, &w1, &w0, ws[14], p[22]);
1440 word3_muladd(&w2, &w1, &w0, ws[15], p[21]);
1441 word3_muladd(&w2, &w1, &w0, ws[16], p[20]);
1442 word3_muladd(&w2, &w1, &w0, ws[17], p[19]);
1443 word3_muladd(&w2, &w1, &w0, ws[18], p[18]);
1444 word3_muladd(&w2, &w1, &w0, ws[19], p[17]);
1445 word3_muladd(&w2, &w1, &w0, ws[20], p[16]);
1446 word3_muladd(&w2, &w1, &w0, ws[21], p[15]);
1447 word3_muladd(&w2, &w1, &w0, ws[22], p[14]);
1448 word3_muladd(&w2, &w1, &w0, ws[23], p[13]);
1449 word3_add(&w2, &w1, &w0, z[36]);
1450 ws[12] = w0;
1451 w0 = w1;
1452 w1 = w2;
1453 w2 = 0;
1454 word3_muladd(&w2, &w1, &w0, ws[14], p[23]);
1455 word3_muladd(&w2, &w1, &w0, ws[15], p[22]);
1456 word3_muladd(&w2, &w1, &w0, ws[16], p[21]);
1457 word3_muladd(&w2, &w1, &w0, ws[17], p[20]);
1458 word3_muladd(&w2, &w1, &w0, ws[18], p[19]);
1459 word3_muladd(&w2, &w1, &w0, ws[19], p[18]);
1460 word3_muladd(&w2, &w1, &w0, ws[20], p[17]);
1461 word3_muladd(&w2, &w1, &w0, ws[21], p[16]);
1462 word3_muladd(&w2, &w1, &w0, ws[22], p[15]);
1463 word3_muladd(&w2, &w1, &w0, ws[23], p[14]);
1464 word3_add(&w2, &w1, &w0, z[37]);
1465 ws[13] = w0;
1466 w0 = w1;
1467 w1 = w2;
1468 w2 = 0;
1469 word3_muladd(&w2, &w1, &w0, ws[15], p[23]);
1470 word3_muladd(&w2, &w1, &w0, ws[16], p[22]);
1471 word3_muladd(&w2, &w1, &w0, ws[17], p[21]);
1472 word3_muladd(&w2, &w1, &w0, ws[18], p[20]);
1473 word3_muladd(&w2, &w1, &w0, ws[19], p[19]);
1474 word3_muladd(&w2, &w1, &w0, ws[20], p[18]);
1475 word3_muladd(&w2, &w1, &w0, ws[21], p[17]);
1476 word3_muladd(&w2, &w1, &w0, ws[22], p[16]);
1477 word3_muladd(&w2, &w1, &w0, ws[23], p[15]);
1478 word3_add(&w2, &w1, &w0, z[38]);
1479 ws[14] = w0;
1480 w0 = w1;
1481 w1 = w2;
1482 w2 = 0;
1483 word3_muladd(&w2, &w1, &w0, ws[16], p[23]);
1484 word3_muladd(&w2, &w1, &w0, ws[17], p[22]);
1485 word3_muladd(&w2, &w1, &w0, ws[18], p[21]);
1486 word3_muladd(&w2, &w1, &w0, ws[19], p[20]);
1487 word3_muladd(&w2, &w1, &w0, ws[20], p[19]);
1488 word3_muladd(&w2, &w1, &w0, ws[21], p[18]);
1489 word3_muladd(&w2, &w1, &w0, ws[22], p[17]);
1490 word3_muladd(&w2, &w1, &w0, ws[23], p[16]);
1491 word3_add(&w2, &w1, &w0, z[39]);
1492 ws[15] = w0;
1493 w0 = w1;
1494 w1 = w2;
1495 w2 = 0;
1496 word3_muladd(&w2, &w1, &w0, ws[17], p[23]);
1497 word3_muladd(&w2, &w1, &w0, ws[18], p[22]);
1498 word3_muladd(&w2, &w1, &w0, ws[19], p[21]);
1499 word3_muladd(&w2, &w1, &w0, ws[20], p[20]);
1500 word3_muladd(&w2, &w1, &w0, ws[21], p[19]);
1501 word3_muladd(&w2, &w1, &w0, ws[22], p[18]);
1502 word3_muladd(&w2, &w1, &w0, ws[23], p[17]);
1503 word3_add(&w2, &w1, &w0, z[40]);
1504 ws[16] = w0;
1505 w0 = w1;
1506 w1 = w2;
1507 w2 = 0;
1508 word3_muladd(&w2, &w1, &w0, ws[18], p[23]);
1509 word3_muladd(&w2, &w1, &w0, ws[19], p[22]);
1510 word3_muladd(&w2, &w1, &w0, ws[20], p[21]);
1511 word3_muladd(&w2, &w1, &w0, ws[21], p[20]);
1512 word3_muladd(&w2, &w1, &w0, ws[22], p[19]);
1513 word3_muladd(&w2, &w1, &w0, ws[23], p[18]);
1514 word3_add(&w2, &w1, &w0, z[41]);
1515 ws[17] = w0;
1516 w0 = w1;
1517 w1 = w2;
1518 w2 = 0;
1519 word3_muladd(&w2, &w1, &w0, ws[19], p[23]);
1520 word3_muladd(&w2, &w1, &w0, ws[20], p[22]);
1521 word3_muladd(&w2, &w1, &w0, ws[21], p[21]);
1522 word3_muladd(&w2, &w1, &w0, ws[22], p[20]);
1523 word3_muladd(&w2, &w1, &w0, ws[23], p[19]);
1524 word3_add(&w2, &w1, &w0, z[42]);
1525 ws[18] = w0;
1526 w0 = w1;
1527 w1 = w2;
1528 w2 = 0;
1529 word3_muladd(&w2, &w1, &w0, ws[20], p[23]);
1530 word3_muladd(&w2, &w1, &w0, ws[21], p[22]);
1531 word3_muladd(&w2, &w1, &w0, ws[22], p[21]);
1532 word3_muladd(&w2, &w1, &w0, ws[23], p[20]);
1533 word3_add(&w2, &w1, &w0, z[43]);
1534 ws[19] = w0;
1535 w0 = w1;
1536 w1 = w2;
1537 w2 = 0;
1538 word3_muladd(&w2, &w1, &w0, ws[21], p[23]);
1539 word3_muladd(&w2, &w1, &w0, ws[22], p[22]);
1540 word3_muladd(&w2, &w1, &w0, ws[23], p[21]);
1541 word3_add(&w2, &w1, &w0, z[44]);
1542 ws[20] = w0;
1543 w0 = w1;
1544 w1 = w2;
1545 w2 = 0;
1546 word3_muladd(&w2, &w1, &w0, ws[22], p[23]);
1547 word3_muladd(&w2, &w1, &w0, ws[23], p[22]);
1548 word3_add(&w2, &w1, &w0, z[45]);
1549 ws[21] = w0;
1550 w0 = w1;
1551 w1 = w2;
1552 w2 = 0;
1553 word3_muladd(&w2, &w1, &w0, ws[23], p[23]);
1554 word3_add(&w2, &w1, &w0, z[46]);
1555 ws[22] = w0;
1556 w0 = w1;
1557 w1 = w2;
1558 w2 = 0;
1559 word3_add(&w2, &w1, &w0, z[47]);
1560 ws[23] = w0;
1561 ws[24] = w1;
1562 word borrow = bigint_sub3(z, ws, 24 + 1, p, 24);
1563 CT::conditional_assign_mem(borrow, z, ws, 24);
1564 clear_mem(z + 24, 24);
1565}

References bigint_sub3(), clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_32()

void Botan::bigint_monty_redc_32 ( word z[64],
const word p[32],
word p_dash,
word ws[] )

Definition at line 1567 of file mp_monty_n.cpp.

1567 {
1568 word w2 = 0, w1 = 0, w0 = 0;
1569 w0 = z[0];
1570 ws[0] = w0 * p_dash;
1571 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
1572 w0 = w1;
1573 w1 = w2;
1574 w2 = 0;
1575 word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
1576 word3_add(&w2, &w1, &w0, z[1]);
1577 ws[1] = w0 * p_dash;
1578 word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
1579 w0 = w1;
1580 w1 = w2;
1581 w2 = 0;
1582 word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
1583 word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
1584 word3_add(&w2, &w1, &w0, z[2]);
1585 ws[2] = w0 * p_dash;
1586 word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
1587 w0 = w1;
1588 w1 = w2;
1589 w2 = 0;
1590 word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
1591 word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
1592 word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
1593 word3_add(&w2, &w1, &w0, z[3]);
1594 ws[3] = w0 * p_dash;
1595 word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
1596 w0 = w1;
1597 w1 = w2;
1598 w2 = 0;
1599 word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
1600 word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
1601 word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
1602 word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
1603 word3_add(&w2, &w1, &w0, z[4]);
1604 ws[4] = w0 * p_dash;
1605 word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
1606 w0 = w1;
1607 w1 = w2;
1608 w2 = 0;
1609 word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
1610 word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
1611 word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
1612 word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
1613 word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
1614 word3_add(&w2, &w1, &w0, z[5]);
1615 ws[5] = w0 * p_dash;
1616 word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
1617 w0 = w1;
1618 w1 = w2;
1619 w2 = 0;
1620 word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
1621 word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
1622 word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
1623 word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
1624 word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
1625 word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
1626 word3_add(&w2, &w1, &w0, z[6]);
1627 ws[6] = w0 * p_dash;
1628 word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
1629 w0 = w1;
1630 w1 = w2;
1631 w2 = 0;
1632 word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
1633 word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
1634 word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
1635 word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
1636 word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
1637 word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
1638 word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
1639 word3_add(&w2, &w1, &w0, z[7]);
1640 ws[7] = w0 * p_dash;
1641 word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
1642 w0 = w1;
1643 w1 = w2;
1644 w2 = 0;
1645 word3_muladd(&w2, &w1, &w0, ws[0], p[8]);
1646 word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
1647 word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
1648 word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
1649 word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
1650 word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
1651 word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
1652 word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
1653 word3_add(&w2, &w1, &w0, z[8]);
1654 ws[8] = w0 * p_dash;
1655 word3_muladd(&w2, &w1, &w0, ws[8], p[0]);
1656 w0 = w1;
1657 w1 = w2;
1658 w2 = 0;
1659 word3_muladd(&w2, &w1, &w0, ws[0], p[9]);
1660 word3_muladd(&w2, &w1, &w0, ws[1], p[8]);
1661 word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
1662 word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
1663 word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
1664 word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
1665 word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
1666 word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
1667 word3_muladd(&w2, &w1, &w0, ws[8], p[1]);
1668 word3_add(&w2, &w1, &w0, z[9]);
1669 ws[9] = w0 * p_dash;
1670 word3_muladd(&w2, &w1, &w0, ws[9], p[0]);
1671 w0 = w1;
1672 w1 = w2;
1673 w2 = 0;
1674 word3_muladd(&w2, &w1, &w0, ws[0], p[10]);
1675 word3_muladd(&w2, &w1, &w0, ws[1], p[9]);
1676 word3_muladd(&w2, &w1, &w0, ws[2], p[8]);
1677 word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
1678 word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
1679 word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
1680 word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
1681 word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
1682 word3_muladd(&w2, &w1, &w0, ws[8], p[2]);
1683 word3_muladd(&w2, &w1, &w0, ws[9], p[1]);
1684 word3_add(&w2, &w1, &w0, z[10]);
1685 ws[10] = w0 * p_dash;
1686 word3_muladd(&w2, &w1, &w0, ws[10], p[0]);
1687 w0 = w1;
1688 w1 = w2;
1689 w2 = 0;
1690 word3_muladd(&w2, &w1, &w0, ws[0], p[11]);
1691 word3_muladd(&w2, &w1, &w0, ws[1], p[10]);
1692 word3_muladd(&w2, &w1, &w0, ws[2], p[9]);
1693 word3_muladd(&w2, &w1, &w0, ws[3], p[8]);
1694 word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
1695 word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
1696 word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
1697 word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
1698 word3_muladd(&w2, &w1, &w0, ws[8], p[3]);
1699 word3_muladd(&w2, &w1, &w0, ws[9], p[2]);
1700 word3_muladd(&w2, &w1, &w0, ws[10], p[1]);
1701 word3_add(&w2, &w1, &w0, z[11]);
1702 ws[11] = w0 * p_dash;
1703 word3_muladd(&w2, &w1, &w0, ws[11], p[0]);
1704 w0 = w1;
1705 w1 = w2;
1706 w2 = 0;
1707 word3_muladd(&w2, &w1, &w0, ws[0], p[12]);
1708 word3_muladd(&w2, &w1, &w0, ws[1], p[11]);
1709 word3_muladd(&w2, &w1, &w0, ws[2], p[10]);
1710 word3_muladd(&w2, &w1, &w0, ws[3], p[9]);
1711 word3_muladd(&w2, &w1, &w0, ws[4], p[8]);
1712 word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
1713 word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
1714 word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
1715 word3_muladd(&w2, &w1, &w0, ws[8], p[4]);
1716 word3_muladd(&w2, &w1, &w0, ws[9], p[3]);
1717 word3_muladd(&w2, &w1, &w0, ws[10], p[2]);
1718 word3_muladd(&w2, &w1, &w0, ws[11], p[1]);
1719 word3_add(&w2, &w1, &w0, z[12]);
1720 ws[12] = w0 * p_dash;
1721 word3_muladd(&w2, &w1, &w0, ws[12], p[0]);
1722 w0 = w1;
1723 w1 = w2;
1724 w2 = 0;
1725 word3_muladd(&w2, &w1, &w0, ws[0], p[13]);
1726 word3_muladd(&w2, &w1, &w0, ws[1], p[12]);
1727 word3_muladd(&w2, &w1, &w0, ws[2], p[11]);
1728 word3_muladd(&w2, &w1, &w0, ws[3], p[10]);
1729 word3_muladd(&w2, &w1, &w0, ws[4], p[9]);
1730 word3_muladd(&w2, &w1, &w0, ws[5], p[8]);
1731 word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
1732 word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
1733 word3_muladd(&w2, &w1, &w0, ws[8], p[5]);
1734 word3_muladd(&w2, &w1, &w0, ws[9], p[4]);
1735 word3_muladd(&w2, &w1, &w0, ws[10], p[3]);
1736 word3_muladd(&w2, &w1, &w0, ws[11], p[2]);
1737 word3_muladd(&w2, &w1, &w0, ws[12], p[1]);
1738 word3_add(&w2, &w1, &w0, z[13]);
1739 ws[13] = w0 * p_dash;
1740 word3_muladd(&w2, &w1, &w0, ws[13], p[0]);
1741 w0 = w1;
1742 w1 = w2;
1743 w2 = 0;
1744 word3_muladd(&w2, &w1, &w0, ws[0], p[14]);
1745 word3_muladd(&w2, &w1, &w0, ws[1], p[13]);
1746 word3_muladd(&w2, &w1, &w0, ws[2], p[12]);
1747 word3_muladd(&w2, &w1, &w0, ws[3], p[11]);
1748 word3_muladd(&w2, &w1, &w0, ws[4], p[10]);
1749 word3_muladd(&w2, &w1, &w0, ws[5], p[9]);
1750 word3_muladd(&w2, &w1, &w0, ws[6], p[8]);
1751 word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
1752 word3_muladd(&w2, &w1, &w0, ws[8], p[6]);
1753 word3_muladd(&w2, &w1, &w0, ws[9], p[5]);
1754 word3_muladd(&w2, &w1, &w0, ws[10], p[4]);
1755 word3_muladd(&w2, &w1, &w0, ws[11], p[3]);
1756 word3_muladd(&w2, &w1, &w0, ws[12], p[2]);
1757 word3_muladd(&w2, &w1, &w0, ws[13], p[1]);
1758 word3_add(&w2, &w1, &w0, z[14]);
1759 ws[14] = w0 * p_dash;
1760 word3_muladd(&w2, &w1, &w0, ws[14], p[0]);
1761 w0 = w1;
1762 w1 = w2;
1763 w2 = 0;
1764 word3_muladd(&w2, &w1, &w0, ws[0], p[15]);
1765 word3_muladd(&w2, &w1, &w0, ws[1], p[14]);
1766 word3_muladd(&w2, &w1, &w0, ws[2], p[13]);
1767 word3_muladd(&w2, &w1, &w0, ws[3], p[12]);
1768 word3_muladd(&w2, &w1, &w0, ws[4], p[11]);
1769 word3_muladd(&w2, &w1, &w0, ws[5], p[10]);
1770 word3_muladd(&w2, &w1, &w0, ws[6], p[9]);
1771 word3_muladd(&w2, &w1, &w0, ws[7], p[8]);
1772 word3_muladd(&w2, &w1, &w0, ws[8], p[7]);
1773 word3_muladd(&w2, &w1, &w0, ws[9], p[6]);
1774 word3_muladd(&w2, &w1, &w0, ws[10], p[5]);
1775 word3_muladd(&w2, &w1, &w0, ws[11], p[4]);
1776 word3_muladd(&w2, &w1, &w0, ws[12], p[3]);
1777 word3_muladd(&w2, &w1, &w0, ws[13], p[2]);
1778 word3_muladd(&w2, &w1, &w0, ws[14], p[1]);
1779 word3_add(&w2, &w1, &w0, z[15]);
1780 ws[15] = w0 * p_dash;
1781 word3_muladd(&w2, &w1, &w0, ws[15], p[0]);
1782 w0 = w1;
1783 w1 = w2;
1784 w2 = 0;
1785 word3_muladd(&w2, &w1, &w0, ws[0], p[16]);
1786 word3_muladd(&w2, &w1, &w0, ws[1], p[15]);
1787 word3_muladd(&w2, &w1, &w0, ws[2], p[14]);
1788 word3_muladd(&w2, &w1, &w0, ws[3], p[13]);
1789 word3_muladd(&w2, &w1, &w0, ws[4], p[12]);
1790 word3_muladd(&w2, &w1, &w0, ws[5], p[11]);
1791 word3_muladd(&w2, &w1, &w0, ws[6], p[10]);
1792 word3_muladd(&w2, &w1, &w0, ws[7], p[9]);
1793 word3_muladd(&w2, &w1, &w0, ws[8], p[8]);
1794 word3_muladd(&w2, &w1, &w0, ws[9], p[7]);
1795 word3_muladd(&w2, &w1, &w0, ws[10], p[6]);
1796 word3_muladd(&w2, &w1, &w0, ws[11], p[5]);
1797 word3_muladd(&w2, &w1, &w0, ws[12], p[4]);
1798 word3_muladd(&w2, &w1, &w0, ws[13], p[3]);
1799 word3_muladd(&w2, &w1, &w0, ws[14], p[2]);
1800 word3_muladd(&w2, &w1, &w0, ws[15], p[1]);
1801 word3_add(&w2, &w1, &w0, z[16]);
1802 ws[16] = w0 * p_dash;
1803 word3_muladd(&w2, &w1, &w0, ws[16], p[0]);
1804 w0 = w1;
1805 w1 = w2;
1806 w2 = 0;
1807 word3_muladd(&w2, &w1, &w0, ws[0], p[17]);
1808 word3_muladd(&w2, &w1, &w0, ws[1], p[16]);
1809 word3_muladd(&w2, &w1, &w0, ws[2], p[15]);
1810 word3_muladd(&w2, &w1, &w0, ws[3], p[14]);
1811 word3_muladd(&w2, &w1, &w0, ws[4], p[13]);
1812 word3_muladd(&w2, &w1, &w0, ws[5], p[12]);
1813 word3_muladd(&w2, &w1, &w0, ws[6], p[11]);
1814 word3_muladd(&w2, &w1, &w0, ws[7], p[10]);
1815 word3_muladd(&w2, &w1, &w0, ws[8], p[9]);
1816 word3_muladd(&w2, &w1, &w0, ws[9], p[8]);
1817 word3_muladd(&w2, &w1, &w0, ws[10], p[7]);
1818 word3_muladd(&w2, &w1, &w0, ws[11], p[6]);
1819 word3_muladd(&w2, &w1, &w0, ws[12], p[5]);
1820 word3_muladd(&w2, &w1, &w0, ws[13], p[4]);
1821 word3_muladd(&w2, &w1, &w0, ws[14], p[3]);
1822 word3_muladd(&w2, &w1, &w0, ws[15], p[2]);
1823 word3_muladd(&w2, &w1, &w0, ws[16], p[1]);
1824 word3_add(&w2, &w1, &w0, z[17]);
1825 ws[17] = w0 * p_dash;
1826 word3_muladd(&w2, &w1, &w0, ws[17], p[0]);
1827 w0 = w1;
1828 w1 = w2;
1829 w2 = 0;
1830 word3_muladd(&w2, &w1, &w0, ws[0], p[18]);
1831 word3_muladd(&w2, &w1, &w0, ws[1], p[17]);
1832 word3_muladd(&w2, &w1, &w0, ws[2], p[16]);
1833 word3_muladd(&w2, &w1, &w0, ws[3], p[15]);
1834 word3_muladd(&w2, &w1, &w0, ws[4], p[14]);
1835 word3_muladd(&w2, &w1, &w0, ws[5], p[13]);
1836 word3_muladd(&w2, &w1, &w0, ws[6], p[12]);
1837 word3_muladd(&w2, &w1, &w0, ws[7], p[11]);
1838 word3_muladd(&w2, &w1, &w0, ws[8], p[10]);
1839 word3_muladd(&w2, &w1, &w0, ws[9], p[9]);
1840 word3_muladd(&w2, &w1, &w0, ws[10], p[8]);
1841 word3_muladd(&w2, &w1, &w0, ws[11], p[7]);
1842 word3_muladd(&w2, &w1, &w0, ws[12], p[6]);
1843 word3_muladd(&w2, &w1, &w0, ws[13], p[5]);
1844 word3_muladd(&w2, &w1, &w0, ws[14], p[4]);
1845 word3_muladd(&w2, &w1, &w0, ws[15], p[3]);
1846 word3_muladd(&w2, &w1, &w0, ws[16], p[2]);
1847 word3_muladd(&w2, &w1, &w0, ws[17], p[1]);
1848 word3_add(&w2, &w1, &w0, z[18]);
1849 ws[18] = w0 * p_dash;
1850 word3_muladd(&w2, &w1, &w0, ws[18], p[0]);
1851 w0 = w1;
1852 w1 = w2;
1853 w2 = 0;
1854 word3_muladd(&w2, &w1, &w0, ws[0], p[19]);
1855 word3_muladd(&w2, &w1, &w0, ws[1], p[18]);
1856 word3_muladd(&w2, &w1, &w0, ws[2], p[17]);
1857 word3_muladd(&w2, &w1, &w0, ws[3], p[16]);
1858 word3_muladd(&w2, &w1, &w0, ws[4], p[15]);
1859 word3_muladd(&w2, &w1, &w0, ws[5], p[14]);
1860 word3_muladd(&w2, &w1, &w0, ws[6], p[13]);
1861 word3_muladd(&w2, &w1, &w0, ws[7], p[12]);
1862 word3_muladd(&w2, &w1, &w0, ws[8], p[11]);
1863 word3_muladd(&w2, &w1, &w0, ws[9], p[10]);
1864 word3_muladd(&w2, &w1, &w0, ws[10], p[9]);
1865 word3_muladd(&w2, &w1, &w0, ws[11], p[8]);
1866 word3_muladd(&w2, &w1, &w0, ws[12], p[7]);
1867 word3_muladd(&w2, &w1, &w0, ws[13], p[6]);
1868 word3_muladd(&w2, &w1, &w0, ws[14], p[5]);
1869 word3_muladd(&w2, &w1, &w0, ws[15], p[4]);
1870 word3_muladd(&w2, &w1, &w0, ws[16], p[3]);
1871 word3_muladd(&w2, &w1, &w0, ws[17], p[2]);
1872 word3_muladd(&w2, &w1, &w0, ws[18], p[1]);
1873 word3_add(&w2, &w1, &w0, z[19]);
1874 ws[19] = w0 * p_dash;
1875 word3_muladd(&w2, &w1, &w0, ws[19], p[0]);
1876 w0 = w1;
1877 w1 = w2;
1878 w2 = 0;
1879 word3_muladd(&w2, &w1, &w0, ws[0], p[20]);
1880 word3_muladd(&w2, &w1, &w0, ws[1], p[19]);
1881 word3_muladd(&w2, &w1, &w0, ws[2], p[18]);
1882 word3_muladd(&w2, &w1, &w0, ws[3], p[17]);
1883 word3_muladd(&w2, &w1, &w0, ws[4], p[16]);
1884 word3_muladd(&w2, &w1, &w0, ws[5], p[15]);
1885 word3_muladd(&w2, &w1, &w0, ws[6], p[14]);
1886 word3_muladd(&w2, &w1, &w0, ws[7], p[13]);
1887 word3_muladd(&w2, &w1, &w0, ws[8], p[12]);
1888 word3_muladd(&w2, &w1, &w0, ws[9], p[11]);
1889 word3_muladd(&w2, &w1, &w0, ws[10], p[10]);
1890 word3_muladd(&w2, &w1, &w0, ws[11], p[9]);
1891 word3_muladd(&w2, &w1, &w0, ws[12], p[8]);
1892 word3_muladd(&w2, &w1, &w0, ws[13], p[7]);
1893 word3_muladd(&w2, &w1, &w0, ws[14], p[6]);
1894 word3_muladd(&w2, &w1, &w0, ws[15], p[5]);
1895 word3_muladd(&w2, &w1, &w0, ws[16], p[4]);
1896 word3_muladd(&w2, &w1, &w0, ws[17], p[3]);
1897 word3_muladd(&w2, &w1, &w0, ws[18], p[2]);
1898 word3_muladd(&w2, &w1, &w0, ws[19], p[1]);
1899 word3_add(&w2, &w1, &w0, z[20]);
1900 ws[20] = w0 * p_dash;
1901 word3_muladd(&w2, &w1, &w0, ws[20], p[0]);
1902 w0 = w1;
1903 w1 = w2;
1904 w2 = 0;
1905 word3_muladd(&w2, &w1, &w0, ws[0], p[21]);
1906 word3_muladd(&w2, &w1, &w0, ws[1], p[20]);
1907 word3_muladd(&w2, &w1, &w0, ws[2], p[19]);
1908 word3_muladd(&w2, &w1, &w0, ws[3], p[18]);
1909 word3_muladd(&w2, &w1, &w0, ws[4], p[17]);
1910 word3_muladd(&w2, &w1, &w0, ws[5], p[16]);
1911 word3_muladd(&w2, &w1, &w0, ws[6], p[15]);
1912 word3_muladd(&w2, &w1, &w0, ws[7], p[14]);
1913 word3_muladd(&w2, &w1, &w0, ws[8], p[13]);
1914 word3_muladd(&w2, &w1, &w0, ws[9], p[12]);
1915 word3_muladd(&w2, &w1, &w0, ws[10], p[11]);
1916 word3_muladd(&w2, &w1, &w0, ws[11], p[10]);
1917 word3_muladd(&w2, &w1, &w0, ws[12], p[9]);
1918 word3_muladd(&w2, &w1, &w0, ws[13], p[8]);
1919 word3_muladd(&w2, &w1, &w0, ws[14], p[7]);
1920 word3_muladd(&w2, &w1, &w0, ws[15], p[6]);
1921 word3_muladd(&w2, &w1, &w0, ws[16], p[5]);
1922 word3_muladd(&w2, &w1, &w0, ws[17], p[4]);
1923 word3_muladd(&w2, &w1, &w0, ws[18], p[3]);
1924 word3_muladd(&w2, &w1, &w0, ws[19], p[2]);
1925 word3_muladd(&w2, &w1, &w0, ws[20], p[1]);
1926 word3_add(&w2, &w1, &w0, z[21]);
1927 ws[21] = w0 * p_dash;
1928 word3_muladd(&w2, &w1, &w0, ws[21], p[0]);
1929 w0 = w1;
1930 w1 = w2;
1931 w2 = 0;
1932 word3_muladd(&w2, &w1, &w0, ws[0], p[22]);
1933 word3_muladd(&w2, &w1, &w0, ws[1], p[21]);
1934 word3_muladd(&w2, &w1, &w0, ws[2], p[20]);
1935 word3_muladd(&w2, &w1, &w0, ws[3], p[19]);
1936 word3_muladd(&w2, &w1, &w0, ws[4], p[18]);
1937 word3_muladd(&w2, &w1, &w0, ws[5], p[17]);
1938 word3_muladd(&w2, &w1, &w0, ws[6], p[16]);
1939 word3_muladd(&w2, &w1, &w0, ws[7], p[15]);
1940 word3_muladd(&w2, &w1, &w0, ws[8], p[14]);
1941 word3_muladd(&w2, &w1, &w0, ws[9], p[13]);
1942 word3_muladd(&w2, &w1, &w0, ws[10], p[12]);
1943 word3_muladd(&w2, &w1, &w0, ws[11], p[11]);
1944 word3_muladd(&w2, &w1, &w0, ws[12], p[10]);
1945 word3_muladd(&w2, &w1, &w0, ws[13], p[9]);
1946 word3_muladd(&w2, &w1, &w0, ws[14], p[8]);
1947 word3_muladd(&w2, &w1, &w0, ws[15], p[7]);
1948 word3_muladd(&w2, &w1, &w0, ws[16], p[6]);
1949 word3_muladd(&w2, &w1, &w0, ws[17], p[5]);
1950 word3_muladd(&w2, &w1, &w0, ws[18], p[4]);
1951 word3_muladd(&w2, &w1, &w0, ws[19], p[3]);
1952 word3_muladd(&w2, &w1, &w0, ws[20], p[2]);
1953 word3_muladd(&w2, &w1, &w0, ws[21], p[1]);
1954 word3_add(&w2, &w1, &w0, z[22]);
1955 ws[22] = w0 * p_dash;
1956 word3_muladd(&w2, &w1, &w0, ws[22], p[0]);
1957 w0 = w1;
1958 w1 = w2;
1959 w2 = 0;
1960 word3_muladd(&w2, &w1, &w0, ws[0], p[23]);
1961 word3_muladd(&w2, &w1, &w0, ws[1], p[22]);
1962 word3_muladd(&w2, &w1, &w0, ws[2], p[21]);
1963 word3_muladd(&w2, &w1, &w0, ws[3], p[20]);
1964 word3_muladd(&w2, &w1, &w0, ws[4], p[19]);
1965 word3_muladd(&w2, &w1, &w0, ws[5], p[18]);
1966 word3_muladd(&w2, &w1, &w0, ws[6], p[17]);
1967 word3_muladd(&w2, &w1, &w0, ws[7], p[16]);
1968 word3_muladd(&w2, &w1, &w0, ws[8], p[15]);
1969 word3_muladd(&w2, &w1, &w0, ws[9], p[14]);
1970 word3_muladd(&w2, &w1, &w0, ws[10], p[13]);
1971 word3_muladd(&w2, &w1, &w0, ws[11], p[12]);
1972 word3_muladd(&w2, &w1, &w0, ws[12], p[11]);
1973 word3_muladd(&w2, &w1, &w0, ws[13], p[10]);
1974 word3_muladd(&w2, &w1, &w0, ws[14], p[9]);
1975 word3_muladd(&w2, &w1, &w0, ws[15], p[8]);
1976 word3_muladd(&w2, &w1, &w0, ws[16], p[7]);
1977 word3_muladd(&w2, &w1, &w0, ws[17], p[6]);
1978 word3_muladd(&w2, &w1, &w0, ws[18], p[5]);
1979 word3_muladd(&w2, &w1, &w0, ws[19], p[4]);
1980 word3_muladd(&w2, &w1, &w0, ws[20], p[3]);
1981 word3_muladd(&w2, &w1, &w0, ws[21], p[2]);
1982 word3_muladd(&w2, &w1, &w0, ws[22], p[1]);
1983 word3_add(&w2, &w1, &w0, z[23]);
1984 ws[23] = w0 * p_dash;
1985 word3_muladd(&w2, &w1, &w0, ws[23], p[0]);
1986 w0 = w1;
1987 w1 = w2;
1988 w2 = 0;
1989 word3_muladd(&w2, &w1, &w0, ws[0], p[24]);
1990 word3_muladd(&w2, &w1, &w0, ws[1], p[23]);
1991 word3_muladd(&w2, &w1, &w0, ws[2], p[22]);
1992 word3_muladd(&w2, &w1, &w0, ws[3], p[21]);
1993 word3_muladd(&w2, &w1, &w0, ws[4], p[20]);
1994 word3_muladd(&w2, &w1, &w0, ws[5], p[19]);
1995 word3_muladd(&w2, &w1, &w0, ws[6], p[18]);
1996 word3_muladd(&w2, &w1, &w0, ws[7], p[17]);
1997 word3_muladd(&w2, &w1, &w0, ws[8], p[16]);
1998 word3_muladd(&w2, &w1, &w0, ws[9], p[15]);
1999 word3_muladd(&w2, &w1, &w0, ws[10], p[14]);
2000 word3_muladd(&w2, &w1, &w0, ws[11], p[13]);
2001 word3_muladd(&w2, &w1, &w0, ws[12], p[12]);
2002 word3_muladd(&w2, &w1, &w0, ws[13], p[11]);
2003 word3_muladd(&w2, &w1, &w0, ws[14], p[10]);
2004 word3_muladd(&w2, &w1, &w0, ws[15], p[9]);
2005 word3_muladd(&w2, &w1, &w0, ws[16], p[8]);
2006 word3_muladd(&w2, &w1, &w0, ws[17], p[7]);
2007 word3_muladd(&w2, &w1, &w0, ws[18], p[6]);
2008 word3_muladd(&w2, &w1, &w0, ws[19], p[5]);
2009 word3_muladd(&w2, &w1, &w0, ws[20], p[4]);
2010 word3_muladd(&w2, &w1, &w0, ws[21], p[3]);
2011 word3_muladd(&w2, &w1, &w0, ws[22], p[2]);
2012 word3_muladd(&w2, &w1, &w0, ws[23], p[1]);
2013 word3_add(&w2, &w1, &w0, z[24]);
2014 ws[24] = w0 * p_dash;
2015 word3_muladd(&w2, &w1, &w0, ws[24], p[0]);
2016 w0 = w1;
2017 w1 = w2;
2018 w2 = 0;
2019 word3_muladd(&w2, &w1, &w0, ws[0], p[25]);
2020 word3_muladd(&w2, &w1, &w0, ws[1], p[24]);
2021 word3_muladd(&w2, &w1, &w0, ws[2], p[23]);
2022 word3_muladd(&w2, &w1, &w0, ws[3], p[22]);
2023 word3_muladd(&w2, &w1, &w0, ws[4], p[21]);
2024 word3_muladd(&w2, &w1, &w0, ws[5], p[20]);
2025 word3_muladd(&w2, &w1, &w0, ws[6], p[19]);
2026 word3_muladd(&w2, &w1, &w0, ws[7], p[18]);
2027 word3_muladd(&w2, &w1, &w0, ws[8], p[17]);
2028 word3_muladd(&w2, &w1, &w0, ws[9], p[16]);
2029 word3_muladd(&w2, &w1, &w0, ws[10], p[15]);
2030 word3_muladd(&w2, &w1, &w0, ws[11], p[14]);
2031 word3_muladd(&w2, &w1, &w0, ws[12], p[13]);
2032 word3_muladd(&w2, &w1, &w0, ws[13], p[12]);
2033 word3_muladd(&w2, &w1, &w0, ws[14], p[11]);
2034 word3_muladd(&w2, &w1, &w0, ws[15], p[10]);
2035 word3_muladd(&w2, &w1, &w0, ws[16], p[9]);
2036 word3_muladd(&w2, &w1, &w0, ws[17], p[8]);
2037 word3_muladd(&w2, &w1, &w0, ws[18], p[7]);
2038 word3_muladd(&w2, &w1, &w0, ws[19], p[6]);
2039 word3_muladd(&w2, &w1, &w0, ws[20], p[5]);
2040 word3_muladd(&w2, &w1, &w0, ws[21], p[4]);
2041 word3_muladd(&w2, &w1, &w0, ws[22], p[3]);
2042 word3_muladd(&w2, &w1, &w0, ws[23], p[2]);
2043 word3_muladd(&w2, &w1, &w0, ws[24], p[1]);
2044 word3_add(&w2, &w1, &w0, z[25]);
2045 ws[25] = w0 * p_dash;
2046 word3_muladd(&w2, &w1, &w0, ws[25], p[0]);
2047 w0 = w1;
2048 w1 = w2;
2049 w2 = 0;
2050 word3_muladd(&w2, &w1, &w0, ws[0], p[26]);
2051 word3_muladd(&w2, &w1, &w0, ws[1], p[25]);
2052 word3_muladd(&w2, &w1, &w0, ws[2], p[24]);
2053 word3_muladd(&w2, &w1, &w0, ws[3], p[23]);
2054 word3_muladd(&w2, &w1, &w0, ws[4], p[22]);
2055 word3_muladd(&w2, &w1, &w0, ws[5], p[21]);
2056 word3_muladd(&w2, &w1, &w0, ws[6], p[20]);
2057 word3_muladd(&w2, &w1, &w0, ws[7], p[19]);
2058 word3_muladd(&w2, &w1, &w0, ws[8], p[18]);
2059 word3_muladd(&w2, &w1, &w0, ws[9], p[17]);
2060 word3_muladd(&w2, &w1, &w0, ws[10], p[16]);
2061 word3_muladd(&w2, &w1, &w0, ws[11], p[15]);
2062 word3_muladd(&w2, &w1, &w0, ws[12], p[14]);
2063 word3_muladd(&w2, &w1, &w0, ws[13], p[13]);
2064 word3_muladd(&w2, &w1, &w0, ws[14], p[12]);
2065 word3_muladd(&w2, &w1, &w0, ws[15], p[11]);
2066 word3_muladd(&w2, &w1, &w0, ws[16], p[10]);
2067 word3_muladd(&w2, &w1, &w0, ws[17], p[9]);
2068 word3_muladd(&w2, &w1, &w0, ws[18], p[8]);
2069 word3_muladd(&w2, &w1, &w0, ws[19], p[7]);
2070 word3_muladd(&w2, &w1, &w0, ws[20], p[6]);
2071 word3_muladd(&w2, &w1, &w0, ws[21], p[5]);
2072 word3_muladd(&w2, &w1, &w0, ws[22], p[4]);
2073 word3_muladd(&w2, &w1, &w0, ws[23], p[3]);
2074 word3_muladd(&w2, &w1, &w0, ws[24], p[2]);
2075 word3_muladd(&w2, &w1, &w0, ws[25], p[1]);
2076 word3_add(&w2, &w1, &w0, z[26]);
2077 ws[26] = w0 * p_dash;
2078 word3_muladd(&w2, &w1, &w0, ws[26], p[0]);
2079 w0 = w1;
2080 w1 = w2;
2081 w2 = 0;
2082 word3_muladd(&w2, &w1, &w0, ws[0], p[27]);
2083 word3_muladd(&w2, &w1, &w0, ws[1], p[26]);
2084 word3_muladd(&w2, &w1, &w0, ws[2], p[25]);
2085 word3_muladd(&w2, &w1, &w0, ws[3], p[24]);
2086 word3_muladd(&w2, &w1, &w0, ws[4], p[23]);
2087 word3_muladd(&w2, &w1, &w0, ws[5], p[22]);
2088 word3_muladd(&w2, &w1, &w0, ws[6], p[21]);
2089 word3_muladd(&w2, &w1, &w0, ws[7], p[20]);
2090 word3_muladd(&w2, &w1, &w0, ws[8], p[19]);
2091 word3_muladd(&w2, &w1, &w0, ws[9], p[18]);
2092 word3_muladd(&w2, &w1, &w0, ws[10], p[17]);
2093 word3_muladd(&w2, &w1, &w0, ws[11], p[16]);
2094 word3_muladd(&w2, &w1, &w0, ws[12], p[15]);
2095 word3_muladd(&w2, &w1, &w0, ws[13], p[14]);
2096 word3_muladd(&w2, &w1, &w0, ws[14], p[13]);
2097 word3_muladd(&w2, &w1, &w0, ws[15], p[12]);
2098 word3_muladd(&w2, &w1, &w0, ws[16], p[11]);
2099 word3_muladd(&w2, &w1, &w0, ws[17], p[10]);
2100 word3_muladd(&w2, &w1, &w0, ws[18], p[9]);
2101 word3_muladd(&w2, &w1, &w0, ws[19], p[8]);
2102 word3_muladd(&w2, &w1, &w0, ws[20], p[7]);
2103 word3_muladd(&w2, &w1, &w0, ws[21], p[6]);
2104 word3_muladd(&w2, &w1, &w0, ws[22], p[5]);
2105 word3_muladd(&w2, &w1, &w0, ws[23], p[4]);
2106 word3_muladd(&w2, &w1, &w0, ws[24], p[3]);
2107 word3_muladd(&w2, &w1, &w0, ws[25], p[2]);
2108 word3_muladd(&w2, &w1, &w0, ws[26], p[1]);
2109 word3_add(&w2, &w1, &w0, z[27]);
2110 ws[27] = w0 * p_dash;
2111 word3_muladd(&w2, &w1, &w0, ws[27], p[0]);
2112 w0 = w1;
2113 w1 = w2;
2114 w2 = 0;
2115 word3_muladd(&w2, &w1, &w0, ws[0], p[28]);
2116 word3_muladd(&w2, &w1, &w0, ws[1], p[27]);
2117 word3_muladd(&w2, &w1, &w0, ws[2], p[26]);
2118 word3_muladd(&w2, &w1, &w0, ws[3], p[25]);
2119 word3_muladd(&w2, &w1, &w0, ws[4], p[24]);
2120 word3_muladd(&w2, &w1, &w0, ws[5], p[23]);
2121 word3_muladd(&w2, &w1, &w0, ws[6], p[22]);
2122 word3_muladd(&w2, &w1, &w0, ws[7], p[21]);
2123 word3_muladd(&w2, &w1, &w0, ws[8], p[20]);
2124 word3_muladd(&w2, &w1, &w0, ws[9], p[19]);
2125 word3_muladd(&w2, &w1, &w0, ws[10], p[18]);
2126 word3_muladd(&w2, &w1, &w0, ws[11], p[17]);
2127 word3_muladd(&w2, &w1, &w0, ws[12], p[16]);
2128 word3_muladd(&w2, &w1, &w0, ws[13], p[15]);
2129 word3_muladd(&w2, &w1, &w0, ws[14], p[14]);
2130 word3_muladd(&w2, &w1, &w0, ws[15], p[13]);
2131 word3_muladd(&w2, &w1, &w0, ws[16], p[12]);
2132 word3_muladd(&w2, &w1, &w0, ws[17], p[11]);
2133 word3_muladd(&w2, &w1, &w0, ws[18], p[10]);
2134 word3_muladd(&w2, &w1, &w0, ws[19], p[9]);
2135 word3_muladd(&w2, &w1, &w0, ws[20], p[8]);
2136 word3_muladd(&w2, &w1, &w0, ws[21], p[7]);
2137 word3_muladd(&w2, &w1, &w0, ws[22], p[6]);
2138 word3_muladd(&w2, &w1, &w0, ws[23], p[5]);
2139 word3_muladd(&w2, &w1, &w0, ws[24], p[4]);
2140 word3_muladd(&w2, &w1, &w0, ws[25], p[3]);
2141 word3_muladd(&w2, &w1, &w0, ws[26], p[2]);
2142 word3_muladd(&w2, &w1, &w0, ws[27], p[1]);
2143 word3_add(&w2, &w1, &w0, z[28]);
2144 ws[28] = w0 * p_dash;
2145 word3_muladd(&w2, &w1, &w0, ws[28], p[0]);
2146 w0 = w1;
2147 w1 = w2;
2148 w2 = 0;
2149 word3_muladd(&w2, &w1, &w0, ws[0], p[29]);
2150 word3_muladd(&w2, &w1, &w0, ws[1], p[28]);
2151 word3_muladd(&w2, &w1, &w0, ws[2], p[27]);
2152 word3_muladd(&w2, &w1, &w0, ws[3], p[26]);
2153 word3_muladd(&w2, &w1, &w0, ws[4], p[25]);
2154 word3_muladd(&w2, &w1, &w0, ws[5], p[24]);
2155 word3_muladd(&w2, &w1, &w0, ws[6], p[23]);
2156 word3_muladd(&w2, &w1, &w0, ws[7], p[22]);
2157 word3_muladd(&w2, &w1, &w0, ws[8], p[21]);
2158 word3_muladd(&w2, &w1, &w0, ws[9], p[20]);
2159 word3_muladd(&w2, &w1, &w0, ws[10], p[19]);
2160 word3_muladd(&w2, &w1, &w0, ws[11], p[18]);
2161 word3_muladd(&w2, &w1, &w0, ws[12], p[17]);
2162 word3_muladd(&w2, &w1, &w0, ws[13], p[16]);
2163 word3_muladd(&w2, &w1, &w0, ws[14], p[15]);
2164 word3_muladd(&w2, &w1, &w0, ws[15], p[14]);
2165 word3_muladd(&w2, &w1, &w0, ws[16], p[13]);
2166 word3_muladd(&w2, &w1, &w0, ws[17], p[12]);
2167 word3_muladd(&w2, &w1, &w0, ws[18], p[11]);
2168 word3_muladd(&w2, &w1, &w0, ws[19], p[10]);
2169 word3_muladd(&w2, &w1, &w0, ws[20], p[9]);
2170 word3_muladd(&w2, &w1, &w0, ws[21], p[8]);
2171 word3_muladd(&w2, &w1, &w0, ws[22], p[7]);
2172 word3_muladd(&w2, &w1, &w0, ws[23], p[6]);
2173 word3_muladd(&w2, &w1, &w0, ws[24], p[5]);
2174 word3_muladd(&w2, &w1, &w0, ws[25], p[4]);
2175 word3_muladd(&w2, &w1, &w0, ws[26], p[3]);
2176 word3_muladd(&w2, &w1, &w0, ws[27], p[2]);
2177 word3_muladd(&w2, &w1, &w0, ws[28], p[1]);
2178 word3_add(&w2, &w1, &w0, z[29]);
2179 ws[29] = w0 * p_dash;
2180 word3_muladd(&w2, &w1, &w0, ws[29], p[0]);
2181 w0 = w1;
2182 w1 = w2;
2183 w2 = 0;
2184 word3_muladd(&w2, &w1, &w0, ws[0], p[30]);
2185 word3_muladd(&w2, &w1, &w0, ws[1], p[29]);
2186 word3_muladd(&w2, &w1, &w0, ws[2], p[28]);
2187 word3_muladd(&w2, &w1, &w0, ws[3], p[27]);
2188 word3_muladd(&w2, &w1, &w0, ws[4], p[26]);
2189 word3_muladd(&w2, &w1, &w0, ws[5], p[25]);
2190 word3_muladd(&w2, &w1, &w0, ws[6], p[24]);
2191 word3_muladd(&w2, &w1, &w0, ws[7], p[23]);
2192 word3_muladd(&w2, &w1, &w0, ws[8], p[22]);
2193 word3_muladd(&w2, &w1, &w0, ws[9], p[21]);
2194 word3_muladd(&w2, &w1, &w0, ws[10], p[20]);
2195 word3_muladd(&w2, &w1, &w0, ws[11], p[19]);
2196 word3_muladd(&w2, &w1, &w0, ws[12], p[18]);
2197 word3_muladd(&w2, &w1, &w0, ws[13], p[17]);
2198 word3_muladd(&w2, &w1, &w0, ws[14], p[16]);
2199 word3_muladd(&w2, &w1, &w0, ws[15], p[15]);
2200 word3_muladd(&w2, &w1, &w0, ws[16], p[14]);
2201 word3_muladd(&w2, &w1, &w0, ws[17], p[13]);
2202 word3_muladd(&w2, &w1, &w0, ws[18], p[12]);
2203 word3_muladd(&w2, &w1, &w0, ws[19], p[11]);
2204 word3_muladd(&w2, &w1, &w0, ws[20], p[10]);
2205 word3_muladd(&w2, &w1, &w0, ws[21], p[9]);
2206 word3_muladd(&w2, &w1, &w0, ws[22], p[8]);
2207 word3_muladd(&w2, &w1, &w0, ws[23], p[7]);
2208 word3_muladd(&w2, &w1, &w0, ws[24], p[6]);
2209 word3_muladd(&w2, &w1, &w0, ws[25], p[5]);
2210 word3_muladd(&w2, &w1, &w0, ws[26], p[4]);
2211 word3_muladd(&w2, &w1, &w0, ws[27], p[3]);
2212 word3_muladd(&w2, &w1, &w0, ws[28], p[2]);
2213 word3_muladd(&w2, &w1, &w0, ws[29], p[1]);
2214 word3_add(&w2, &w1, &w0, z[30]);
2215 ws[30] = w0 * p_dash;
2216 word3_muladd(&w2, &w1, &w0, ws[30], p[0]);
2217 w0 = w1;
2218 w1 = w2;
2219 w2 = 0;
2220 word3_muladd(&w2, &w1, &w0, ws[0], p[31]);
2221 word3_muladd(&w2, &w1, &w0, ws[1], p[30]);
2222 word3_muladd(&w2, &w1, &w0, ws[2], p[29]);
2223 word3_muladd(&w2, &w1, &w0, ws[3], p[28]);
2224 word3_muladd(&w2, &w1, &w0, ws[4], p[27]);
2225 word3_muladd(&w2, &w1, &w0, ws[5], p[26]);
2226 word3_muladd(&w2, &w1, &w0, ws[6], p[25]);
2227 word3_muladd(&w2, &w1, &w0, ws[7], p[24]);
2228 word3_muladd(&w2, &w1, &w0, ws[8], p[23]);
2229 word3_muladd(&w2, &w1, &w0, ws[9], p[22]);
2230 word3_muladd(&w2, &w1, &w0, ws[10], p[21]);
2231 word3_muladd(&w2, &w1, &w0, ws[11], p[20]);
2232 word3_muladd(&w2, &w1, &w0, ws[12], p[19]);
2233 word3_muladd(&w2, &w1, &w0, ws[13], p[18]);
2234 word3_muladd(&w2, &w1, &w0, ws[14], p[17]);
2235 word3_muladd(&w2, &w1, &w0, ws[15], p[16]);
2236 word3_muladd(&w2, &w1, &w0, ws[16], p[15]);
2237 word3_muladd(&w2, &w1, &w0, ws[17], p[14]);
2238 word3_muladd(&w2, &w1, &w0, ws[18], p[13]);
2239 word3_muladd(&w2, &w1, &w0, ws[19], p[12]);
2240 word3_muladd(&w2, &w1, &w0, ws[20], p[11]);
2241 word3_muladd(&w2, &w1, &w0, ws[21], p[10]);
2242 word3_muladd(&w2, &w1, &w0, ws[22], p[9]);
2243 word3_muladd(&w2, &w1, &w0, ws[23], p[8]);
2244 word3_muladd(&w2, &w1, &w0, ws[24], p[7]);
2245 word3_muladd(&w2, &w1, &w0, ws[25], p[6]);
2246 word3_muladd(&w2, &w1, &w0, ws[26], p[5]);
2247 word3_muladd(&w2, &w1, &w0, ws[27], p[4]);
2248 word3_muladd(&w2, &w1, &w0, ws[28], p[3]);
2249 word3_muladd(&w2, &w1, &w0, ws[29], p[2]);
2250 word3_muladd(&w2, &w1, &w0, ws[30], p[1]);
2251 word3_add(&w2, &w1, &w0, z[31]);
2252 ws[31] = w0 * p_dash;
2253 word3_muladd(&w2, &w1, &w0, ws[31], p[0]);
2254 w0 = w1;
2255 w1 = w2;
2256 w2 = 0;
2257 word3_muladd(&w2, &w1, &w0, ws[1], p[31]);
2258 word3_muladd(&w2, &w1, &w0, ws[2], p[30]);
2259 word3_muladd(&w2, &w1, &w0, ws[3], p[29]);
2260 word3_muladd(&w2, &w1, &w0, ws[4], p[28]);
2261 word3_muladd(&w2, &w1, &w0, ws[5], p[27]);
2262 word3_muladd(&w2, &w1, &w0, ws[6], p[26]);
2263 word3_muladd(&w2, &w1, &w0, ws[7], p[25]);
2264 word3_muladd(&w2, &w1, &w0, ws[8], p[24]);
2265 word3_muladd(&w2, &w1, &w0, ws[9], p[23]);
2266 word3_muladd(&w2, &w1, &w0, ws[10], p[22]);
2267 word3_muladd(&w2, &w1, &w0, ws[11], p[21]);
2268 word3_muladd(&w2, &w1, &w0, ws[12], p[20]);
2269 word3_muladd(&w2, &w1, &w0, ws[13], p[19]);
2270 word3_muladd(&w2, &w1, &w0, ws[14], p[18]);
2271 word3_muladd(&w2, &w1, &w0, ws[15], p[17]);
2272 word3_muladd(&w2, &w1, &w0, ws[16], p[16]);
2273 word3_muladd(&w2, &w1, &w0, ws[17], p[15]);
2274 word3_muladd(&w2, &w1, &w0, ws[18], p[14]);
2275 word3_muladd(&w2, &w1, &w0, ws[19], p[13]);
2276 word3_muladd(&w2, &w1, &w0, ws[20], p[12]);
2277 word3_muladd(&w2, &w1, &w0, ws[21], p[11]);
2278 word3_muladd(&w2, &w1, &w0, ws[22], p[10]);
2279 word3_muladd(&w2, &w1, &w0, ws[23], p[9]);
2280 word3_muladd(&w2, &w1, &w0, ws[24], p[8]);
2281 word3_muladd(&w2, &w1, &w0, ws[25], p[7]);
2282 word3_muladd(&w2, &w1, &w0, ws[26], p[6]);
2283 word3_muladd(&w2, &w1, &w0, ws[27], p[5]);
2284 word3_muladd(&w2, &w1, &w0, ws[28], p[4]);
2285 word3_muladd(&w2, &w1, &w0, ws[29], p[3]);
2286 word3_muladd(&w2, &w1, &w0, ws[30], p[2]);
2287 word3_muladd(&w2, &w1, &w0, ws[31], p[1]);
2288 word3_add(&w2, &w1, &w0, z[32]);
2289 ws[0] = w0;
2290 w0 = w1;
2291 w1 = w2;
2292 w2 = 0;
2293 word3_muladd(&w2, &w1, &w0, ws[2], p[31]);
2294 word3_muladd(&w2, &w1, &w0, ws[3], p[30]);
2295 word3_muladd(&w2, &w1, &w0, ws[4], p[29]);
2296 word3_muladd(&w2, &w1, &w0, ws[5], p[28]);
2297 word3_muladd(&w2, &w1, &w0, ws[6], p[27]);
2298 word3_muladd(&w2, &w1, &w0, ws[7], p[26]);
2299 word3_muladd(&w2, &w1, &w0, ws[8], p[25]);
2300 word3_muladd(&w2, &w1, &w0, ws[9], p[24]);
2301 word3_muladd(&w2, &w1, &w0, ws[10], p[23]);
2302 word3_muladd(&w2, &w1, &w0, ws[11], p[22]);
2303 word3_muladd(&w2, &w1, &w0, ws[12], p[21]);
2304 word3_muladd(&w2, &w1, &w0, ws[13], p[20]);
2305 word3_muladd(&w2, &w1, &w0, ws[14], p[19]);
2306 word3_muladd(&w2, &w1, &w0, ws[15], p[18]);
2307 word3_muladd(&w2, &w1, &w0, ws[16], p[17]);
2308 word3_muladd(&w2, &w1, &w0, ws[17], p[16]);
2309 word3_muladd(&w2, &w1, &w0, ws[18], p[15]);
2310 word3_muladd(&w2, &w1, &w0, ws[19], p[14]);
2311 word3_muladd(&w2, &w1, &w0, ws[20], p[13]);
2312 word3_muladd(&w2, &w1, &w0, ws[21], p[12]);
2313 word3_muladd(&w2, &w1, &w0, ws[22], p[11]);
2314 word3_muladd(&w2, &w1, &w0, ws[23], p[10]);
2315 word3_muladd(&w2, &w1, &w0, ws[24], p[9]);
2316 word3_muladd(&w2, &w1, &w0, ws[25], p[8]);
2317 word3_muladd(&w2, &w1, &w0, ws[26], p[7]);
2318 word3_muladd(&w2, &w1, &w0, ws[27], p[6]);
2319 word3_muladd(&w2, &w1, &w0, ws[28], p[5]);
2320 word3_muladd(&w2, &w1, &w0, ws[29], p[4]);
2321 word3_muladd(&w2, &w1, &w0, ws[30], p[3]);
2322 word3_muladd(&w2, &w1, &w0, ws[31], p[2]);
2323 word3_add(&w2, &w1, &w0, z[33]);
2324 ws[1] = w0;
2325 w0 = w1;
2326 w1 = w2;
2327 w2 = 0;
2328 word3_muladd(&w2, &w1, &w0, ws[3], p[31]);
2329 word3_muladd(&w2, &w1, &w0, ws[4], p[30]);
2330 word3_muladd(&w2, &w1, &w0, ws[5], p[29]);
2331 word3_muladd(&w2, &w1, &w0, ws[6], p[28]);
2332 word3_muladd(&w2, &w1, &w0, ws[7], p[27]);
2333 word3_muladd(&w2, &w1, &w0, ws[8], p[26]);
2334 word3_muladd(&w2, &w1, &w0, ws[9], p[25]);
2335 word3_muladd(&w2, &w1, &w0, ws[10], p[24]);
2336 word3_muladd(&w2, &w1, &w0, ws[11], p[23]);
2337 word3_muladd(&w2, &w1, &w0, ws[12], p[22]);
2338 word3_muladd(&w2, &w1, &w0, ws[13], p[21]);
2339 word3_muladd(&w2, &w1, &w0, ws[14], p[20]);
2340 word3_muladd(&w2, &w1, &w0, ws[15], p[19]);
2341 word3_muladd(&w2, &w1, &w0, ws[16], p[18]);
2342 word3_muladd(&w2, &w1, &w0, ws[17], p[17]);
2343 word3_muladd(&w2, &w1, &w0, ws[18], p[16]);
2344 word3_muladd(&w2, &w1, &w0, ws[19], p[15]);
2345 word3_muladd(&w2, &w1, &w0, ws[20], p[14]);
2346 word3_muladd(&w2, &w1, &w0, ws[21], p[13]);
2347 word3_muladd(&w2, &w1, &w0, ws[22], p[12]);
2348 word3_muladd(&w2, &w1, &w0, ws[23], p[11]);
2349 word3_muladd(&w2, &w1, &w0, ws[24], p[10]);
2350 word3_muladd(&w2, &w1, &w0, ws[25], p[9]);
2351 word3_muladd(&w2, &w1, &w0, ws[26], p[8]);
2352 word3_muladd(&w2, &w1, &w0, ws[27], p[7]);
2353 word3_muladd(&w2, &w1, &w0, ws[28], p[6]);
2354 word3_muladd(&w2, &w1, &w0, ws[29], p[5]);
2355 word3_muladd(&w2, &w1, &w0, ws[30], p[4]);
2356 word3_muladd(&w2, &w1, &w0, ws[31], p[3]);
2357 word3_add(&w2, &w1, &w0, z[34]);
2358 ws[2] = w0;
2359 w0 = w1;
2360 w1 = w2;
2361 w2 = 0;
2362 word3_muladd(&w2, &w1, &w0, ws[4], p[31]);
2363 word3_muladd(&w2, &w1, &w0, ws[5], p[30]);
2364 word3_muladd(&w2, &w1, &w0, ws[6], p[29]);
2365 word3_muladd(&w2, &w1, &w0, ws[7], p[28]);
2366 word3_muladd(&w2, &w1, &w0, ws[8], p[27]);
2367 word3_muladd(&w2, &w1, &w0, ws[9], p[26]);
2368 word3_muladd(&w2, &w1, &w0, ws[10], p[25]);
2369 word3_muladd(&w2, &w1, &w0, ws[11], p[24]);
2370 word3_muladd(&w2, &w1, &w0, ws[12], p[23]);
2371 word3_muladd(&w2, &w1, &w0, ws[13], p[22]);
2372 word3_muladd(&w2, &w1, &w0, ws[14], p[21]);
2373 word3_muladd(&w2, &w1, &w0, ws[15], p[20]);
2374 word3_muladd(&w2, &w1, &w0, ws[16], p[19]);
2375 word3_muladd(&w2, &w1, &w0, ws[17], p[18]);
2376 word3_muladd(&w2, &w1, &w0, ws[18], p[17]);
2377 word3_muladd(&w2, &w1, &w0, ws[19], p[16]);
2378 word3_muladd(&w2, &w1, &w0, ws[20], p[15]);
2379 word3_muladd(&w2, &w1, &w0, ws[21], p[14]);
2380 word3_muladd(&w2, &w1, &w0, ws[22], p[13]);
2381 word3_muladd(&w2, &w1, &w0, ws[23], p[12]);
2382 word3_muladd(&w2, &w1, &w0, ws[24], p[11]);
2383 word3_muladd(&w2, &w1, &w0, ws[25], p[10]);
2384 word3_muladd(&w2, &w1, &w0, ws[26], p[9]);
2385 word3_muladd(&w2, &w1, &w0, ws[27], p[8]);
2386 word3_muladd(&w2, &w1, &w0, ws[28], p[7]);
2387 word3_muladd(&w2, &w1, &w0, ws[29], p[6]);
2388 word3_muladd(&w2, &w1, &w0, ws[30], p[5]);
2389 word3_muladd(&w2, &w1, &w0, ws[31], p[4]);
2390 word3_add(&w2, &w1, &w0, z[35]);
2391 ws[3] = w0;
2392 w0 = w1;
2393 w1 = w2;
2394 w2 = 0;
2395 word3_muladd(&w2, &w1, &w0, ws[5], p[31]);
2396 word3_muladd(&w2, &w1, &w0, ws[6], p[30]);
2397 word3_muladd(&w2, &w1, &w0, ws[7], p[29]);
2398 word3_muladd(&w2, &w1, &w0, ws[8], p[28]);
2399 word3_muladd(&w2, &w1, &w0, ws[9], p[27]);
2400 word3_muladd(&w2, &w1, &w0, ws[10], p[26]);
2401 word3_muladd(&w2, &w1, &w0, ws[11], p[25]);
2402 word3_muladd(&w2, &w1, &w0, ws[12], p[24]);
2403 word3_muladd(&w2, &w1, &w0, ws[13], p[23]);
2404 word3_muladd(&w2, &w1, &w0, ws[14], p[22]);
2405 word3_muladd(&w2, &w1, &w0, ws[15], p[21]);
2406 word3_muladd(&w2, &w1, &w0, ws[16], p[20]);
2407 word3_muladd(&w2, &w1, &w0, ws[17], p[19]);
2408 word3_muladd(&w2, &w1, &w0, ws[18], p[18]);
2409 word3_muladd(&w2, &w1, &w0, ws[19], p[17]);
2410 word3_muladd(&w2, &w1, &w0, ws[20], p[16]);
2411 word3_muladd(&w2, &w1, &w0, ws[21], p[15]);
2412 word3_muladd(&w2, &w1, &w0, ws[22], p[14]);
2413 word3_muladd(&w2, &w1, &w0, ws[23], p[13]);
2414 word3_muladd(&w2, &w1, &w0, ws[24], p[12]);
2415 word3_muladd(&w2, &w1, &w0, ws[25], p[11]);
2416 word3_muladd(&w2, &w1, &w0, ws[26], p[10]);
2417 word3_muladd(&w2, &w1, &w0, ws[27], p[9]);
2418 word3_muladd(&w2, &w1, &w0, ws[28], p[8]);
2419 word3_muladd(&w2, &w1, &w0, ws[29], p[7]);
2420 word3_muladd(&w2, &w1, &w0, ws[30], p[6]);
2421 word3_muladd(&w2, &w1, &w0, ws[31], p[5]);
2422 word3_add(&w2, &w1, &w0, z[36]);
2423 ws[4] = w0;
2424 w0 = w1;
2425 w1 = w2;
2426 w2 = 0;
2427 word3_muladd(&w2, &w1, &w0, ws[6], p[31]);
2428 word3_muladd(&w2, &w1, &w0, ws[7], p[30]);
2429 word3_muladd(&w2, &w1, &w0, ws[8], p[29]);
2430 word3_muladd(&w2, &w1, &w0, ws[9], p[28]);
2431 word3_muladd(&w2, &w1, &w0, ws[10], p[27]);
2432 word3_muladd(&w2, &w1, &w0, ws[11], p[26]);
2433 word3_muladd(&w2, &w1, &w0, ws[12], p[25]);
2434 word3_muladd(&w2, &w1, &w0, ws[13], p[24]);
2435 word3_muladd(&w2, &w1, &w0, ws[14], p[23]);
2436 word3_muladd(&w2, &w1, &w0, ws[15], p[22]);
2437 word3_muladd(&w2, &w1, &w0, ws[16], p[21]);
2438 word3_muladd(&w2, &w1, &w0, ws[17], p[20]);
2439 word3_muladd(&w2, &w1, &w0, ws[18], p[19]);
2440 word3_muladd(&w2, &w1, &w0, ws[19], p[18]);
2441 word3_muladd(&w2, &w1, &w0, ws[20], p[17]);
2442 word3_muladd(&w2, &w1, &w0, ws[21], p[16]);
2443 word3_muladd(&w2, &w1, &w0, ws[22], p[15]);
2444 word3_muladd(&w2, &w1, &w0, ws[23], p[14]);
2445 word3_muladd(&w2, &w1, &w0, ws[24], p[13]);
2446 word3_muladd(&w2, &w1, &w0, ws[25], p[12]);
2447 word3_muladd(&w2, &w1, &w0, ws[26], p[11]);
2448 word3_muladd(&w2, &w1, &w0, ws[27], p[10]);
2449 word3_muladd(&w2, &w1, &w0, ws[28], p[9]);
2450 word3_muladd(&w2, &w1, &w0, ws[29], p[8]);
2451 word3_muladd(&w2, &w1, &w0, ws[30], p[7]);
2452 word3_muladd(&w2, &w1, &w0, ws[31], p[6]);
2453 word3_add(&w2, &w1, &w0, z[37]);
2454 ws[5] = w0;
2455 w0 = w1;
2456 w1 = w2;
2457 w2 = 0;
2458 word3_muladd(&w2, &w1, &w0, ws[7], p[31]);
2459 word3_muladd(&w2, &w1, &w0, ws[8], p[30]);
2460 word3_muladd(&w2, &w1, &w0, ws[9], p[29]);
2461 word3_muladd(&w2, &w1, &w0, ws[10], p[28]);
2462 word3_muladd(&w2, &w1, &w0, ws[11], p[27]);
2463 word3_muladd(&w2, &w1, &w0, ws[12], p[26]);
2464 word3_muladd(&w2, &w1, &w0, ws[13], p[25]);
2465 word3_muladd(&w2, &w1, &w0, ws[14], p[24]);
2466 word3_muladd(&w2, &w1, &w0, ws[15], p[23]);
2467 word3_muladd(&w2, &w1, &w0, ws[16], p[22]);
2468 word3_muladd(&w2, &w1, &w0, ws[17], p[21]);
2469 word3_muladd(&w2, &w1, &w0, ws[18], p[20]);
2470 word3_muladd(&w2, &w1, &w0, ws[19], p[19]);
2471 word3_muladd(&w2, &w1, &w0, ws[20], p[18]);
2472 word3_muladd(&w2, &w1, &w0, ws[21], p[17]);
2473 word3_muladd(&w2, &w1, &w0, ws[22], p[16]);
2474 word3_muladd(&w2, &w1, &w0, ws[23], p[15]);
2475 word3_muladd(&w2, &w1, &w0, ws[24], p[14]);
2476 word3_muladd(&w2, &w1, &w0, ws[25], p[13]);
2477 word3_muladd(&w2, &w1, &w0, ws[26], p[12]);
2478 word3_muladd(&w2, &w1, &w0, ws[27], p[11]);
2479 word3_muladd(&w2, &w1, &w0, ws[28], p[10]);
2480 word3_muladd(&w2, &w1, &w0, ws[29], p[9]);
2481 word3_muladd(&w2, &w1, &w0, ws[30], p[8]);
2482 word3_muladd(&w2, &w1, &w0, ws[31], p[7]);
2483 word3_add(&w2, &w1, &w0, z[38]);
2484 ws[6] = w0;
2485 w0 = w1;
2486 w1 = w2;
2487 w2 = 0;
2488 word3_muladd(&w2, &w1, &w0, ws[8], p[31]);
2489 word3_muladd(&w2, &w1, &w0, ws[9], p[30]);
2490 word3_muladd(&w2, &w1, &w0, ws[10], p[29]);
2491 word3_muladd(&w2, &w1, &w0, ws[11], p[28]);
2492 word3_muladd(&w2, &w1, &w0, ws[12], p[27]);
2493 word3_muladd(&w2, &w1, &w0, ws[13], p[26]);
2494 word3_muladd(&w2, &w1, &w0, ws[14], p[25]);
2495 word3_muladd(&w2, &w1, &w0, ws[15], p[24]);
2496 word3_muladd(&w2, &w1, &w0, ws[16], p[23]);
2497 word3_muladd(&w2, &w1, &w0, ws[17], p[22]);
2498 word3_muladd(&w2, &w1, &w0, ws[18], p[21]);
2499 word3_muladd(&w2, &w1, &w0, ws[19], p[20]);
2500 word3_muladd(&w2, &w1, &w0, ws[20], p[19]);
2501 word3_muladd(&w2, &w1, &w0, ws[21], p[18]);
2502 word3_muladd(&w2, &w1, &w0, ws[22], p[17]);
2503 word3_muladd(&w2, &w1, &w0, ws[23], p[16]);
2504 word3_muladd(&w2, &w1, &w0, ws[24], p[15]);
2505 word3_muladd(&w2, &w1, &w0, ws[25], p[14]);
2506 word3_muladd(&w2, &w1, &w0, ws[26], p[13]);
2507 word3_muladd(&w2, &w1, &w0, ws[27], p[12]);
2508 word3_muladd(&w2, &w1, &w0, ws[28], p[11]);
2509 word3_muladd(&w2, &w1, &w0, ws[29], p[10]);
2510 word3_muladd(&w2, &w1, &w0, ws[30], p[9]);
2511 word3_muladd(&w2, &w1, &w0, ws[31], p[8]);
2512 word3_add(&w2, &w1, &w0, z[39]);
2513 ws[7] = w0;
2514 w0 = w1;
2515 w1 = w2;
2516 w2 = 0;
2517 word3_muladd(&w2, &w1, &w0, ws[9], p[31]);
2518 word3_muladd(&w2, &w1, &w0, ws[10], p[30]);
2519 word3_muladd(&w2, &w1, &w0, ws[11], p[29]);
2520 word3_muladd(&w2, &w1, &w0, ws[12], p[28]);
2521 word3_muladd(&w2, &w1, &w0, ws[13], p[27]);
2522 word3_muladd(&w2, &w1, &w0, ws[14], p[26]);
2523 word3_muladd(&w2, &w1, &w0, ws[15], p[25]);
2524 word3_muladd(&w2, &w1, &w0, ws[16], p[24]);
2525 word3_muladd(&w2, &w1, &w0, ws[17], p[23]);
2526 word3_muladd(&w2, &w1, &w0, ws[18], p[22]);
2527 word3_muladd(&w2, &w1, &w0, ws[19], p[21]);
2528 word3_muladd(&w2, &w1, &w0, ws[20], p[20]);
2529 word3_muladd(&w2, &w1, &w0, ws[21], p[19]);
2530 word3_muladd(&w2, &w1, &w0, ws[22], p[18]);
2531 word3_muladd(&w2, &w1, &w0, ws[23], p[17]);
2532 word3_muladd(&w2, &w1, &w0, ws[24], p[16]);
2533 word3_muladd(&w2, &w1, &w0, ws[25], p[15]);
2534 word3_muladd(&w2, &w1, &w0, ws[26], p[14]);
2535 word3_muladd(&w2, &w1, &w0, ws[27], p[13]);
2536 word3_muladd(&w2, &w1, &w0, ws[28], p[12]);
2537 word3_muladd(&w2, &w1, &w0, ws[29], p[11]);
2538 word3_muladd(&w2, &w1, &w0, ws[30], p[10]);
2539 word3_muladd(&w2, &w1, &w0, ws[31], p[9]);
2540 word3_add(&w2, &w1, &w0, z[40]);
2541 ws[8] = w0;
2542 w0 = w1;
2543 w1 = w2;
2544 w2 = 0;
2545 word3_muladd(&w2, &w1, &w0, ws[10], p[31]);
2546 word3_muladd(&w2, &w1, &w0, ws[11], p[30]);
2547 word3_muladd(&w2, &w1, &w0, ws[12], p[29]);
2548 word3_muladd(&w2, &w1, &w0, ws[13], p[28]);
2549 word3_muladd(&w2, &w1, &w0, ws[14], p[27]);
2550 word3_muladd(&w2, &w1, &w0, ws[15], p[26]);
2551 word3_muladd(&w2, &w1, &w0, ws[16], p[25]);
2552 word3_muladd(&w2, &w1, &w0, ws[17], p[24]);
2553 word3_muladd(&w2, &w1, &w0, ws[18], p[23]);
2554 word3_muladd(&w2, &w1, &w0, ws[19], p[22]);
2555 word3_muladd(&w2, &w1, &w0, ws[20], p[21]);
2556 word3_muladd(&w2, &w1, &w0, ws[21], p[20]);
2557 word3_muladd(&w2, &w1, &w0, ws[22], p[19]);
2558 word3_muladd(&w2, &w1, &w0, ws[23], p[18]);
2559 word3_muladd(&w2, &w1, &w0, ws[24], p[17]);
2560 word3_muladd(&w2, &w1, &w0, ws[25], p[16]);
2561 word3_muladd(&w2, &w1, &w0, ws[26], p[15]);
2562 word3_muladd(&w2, &w1, &w0, ws[27], p[14]);
2563 word3_muladd(&w2, &w1, &w0, ws[28], p[13]);
2564 word3_muladd(&w2, &w1, &w0, ws[29], p[12]);
2565 word3_muladd(&w2, &w1, &w0, ws[30], p[11]);
2566 word3_muladd(&w2, &w1, &w0, ws[31], p[10]);
2567 word3_add(&w2, &w1, &w0, z[41]);
2568 ws[9] = w0;
2569 w0 = w1;
2570 w1 = w2;
2571 w2 = 0;
2572 word3_muladd(&w2, &w1, &w0, ws[11], p[31]);
2573 word3_muladd(&w2, &w1, &w0, ws[12], p[30]);
2574 word3_muladd(&w2, &w1, &w0, ws[13], p[29]);
2575 word3_muladd(&w2, &w1, &w0, ws[14], p[28]);
2576 word3_muladd(&w2, &w1, &w0, ws[15], p[27]);
2577 word3_muladd(&w2, &w1, &w0, ws[16], p[26]);
2578 word3_muladd(&w2, &w1, &w0, ws[17], p[25]);
2579 word3_muladd(&w2, &w1, &w0, ws[18], p[24]);
2580 word3_muladd(&w2, &w1, &w0, ws[19], p[23]);
2581 word3_muladd(&w2, &w1, &w0, ws[20], p[22]);
2582 word3_muladd(&w2, &w1, &w0, ws[21], p[21]);
2583 word3_muladd(&w2, &w1, &w0, ws[22], p[20]);
2584 word3_muladd(&w2, &w1, &w0, ws[23], p[19]);
2585 word3_muladd(&w2, &w1, &w0, ws[24], p[18]);
2586 word3_muladd(&w2, &w1, &w0, ws[25], p[17]);
2587 word3_muladd(&w2, &w1, &w0, ws[26], p[16]);
2588 word3_muladd(&w2, &w1, &w0, ws[27], p[15]);
2589 word3_muladd(&w2, &w1, &w0, ws[28], p[14]);
2590 word3_muladd(&w2, &w1, &w0, ws[29], p[13]);
2591 word3_muladd(&w2, &w1, &w0, ws[30], p[12]);
2592 word3_muladd(&w2, &w1, &w0, ws[31], p[11]);
2593 word3_add(&w2, &w1, &w0, z[42]);
2594 ws[10] = w0;
2595 w0 = w1;
2596 w1 = w2;
2597 w2 = 0;
2598 word3_muladd(&w2, &w1, &w0, ws[12], p[31]);
2599 word3_muladd(&w2, &w1, &w0, ws[13], p[30]);
2600 word3_muladd(&w2, &w1, &w0, ws[14], p[29]);
2601 word3_muladd(&w2, &w1, &w0, ws[15], p[28]);
2602 word3_muladd(&w2, &w1, &w0, ws[16], p[27]);
2603 word3_muladd(&w2, &w1, &w0, ws[17], p[26]);
2604 word3_muladd(&w2, &w1, &w0, ws[18], p[25]);
2605 word3_muladd(&w2, &w1, &w0, ws[19], p[24]);
2606 word3_muladd(&w2, &w1, &w0, ws[20], p[23]);
2607 word3_muladd(&w2, &w1, &w0, ws[21], p[22]);
2608 word3_muladd(&w2, &w1, &w0, ws[22], p[21]);
2609 word3_muladd(&w2, &w1, &w0, ws[23], p[20]);
2610 word3_muladd(&w2, &w1, &w0, ws[24], p[19]);
2611 word3_muladd(&w2, &w1, &w0, ws[25], p[18]);
2612 word3_muladd(&w2, &w1, &w0, ws[26], p[17]);
2613 word3_muladd(&w2, &w1, &w0, ws[27], p[16]);
2614 word3_muladd(&w2, &w1, &w0, ws[28], p[15]);
2615 word3_muladd(&w2, &w1, &w0, ws[29], p[14]);
2616 word3_muladd(&w2, &w1, &w0, ws[30], p[13]);
2617 word3_muladd(&w2, &w1, &w0, ws[31], p[12]);
2618 word3_add(&w2, &w1, &w0, z[43]);
2619 ws[11] = w0;
2620 w0 = w1;
2621 w1 = w2;
2622 w2 = 0;
2623 word3_muladd(&w2, &w1, &w0, ws[13], p[31]);
2624 word3_muladd(&w2, &w1, &w0, ws[14], p[30]);
2625 word3_muladd(&w2, &w1, &w0, ws[15], p[29]);
2626 word3_muladd(&w2, &w1, &w0, ws[16], p[28]);
2627 word3_muladd(&w2, &w1, &w0, ws[17], p[27]);
2628 word3_muladd(&w2, &w1, &w0, ws[18], p[26]);
2629 word3_muladd(&w2, &w1, &w0, ws[19], p[25]);
2630 word3_muladd(&w2, &w1, &w0, ws[20], p[24]);
2631 word3_muladd(&w2, &w1, &w0, ws[21], p[23]);
2632 word3_muladd(&w2, &w1, &w0, ws[22], p[22]);
2633 word3_muladd(&w2, &w1, &w0, ws[23], p[21]);
2634 word3_muladd(&w2, &w1, &w0, ws[24], p[20]);
2635 word3_muladd(&w2, &w1, &w0, ws[25], p[19]);
2636 word3_muladd(&w2, &w1, &w0, ws[26], p[18]);
2637 word3_muladd(&w2, &w1, &w0, ws[27], p[17]);
2638 word3_muladd(&w2, &w1, &w0, ws[28], p[16]);
2639 word3_muladd(&w2, &w1, &w0, ws[29], p[15]);
2640 word3_muladd(&w2, &w1, &w0, ws[30], p[14]);
2641 word3_muladd(&w2, &w1, &w0, ws[31], p[13]);
2642 word3_add(&w2, &w1, &w0, z[44]);
2643 ws[12] = w0;
2644 w0 = w1;
2645 w1 = w2;
2646 w2 = 0;
2647 word3_muladd(&w2, &w1, &w0, ws[14], p[31]);
2648 word3_muladd(&w2, &w1, &w0, ws[15], p[30]);
2649 word3_muladd(&w2, &w1, &w0, ws[16], p[29]);
2650 word3_muladd(&w2, &w1, &w0, ws[17], p[28]);
2651 word3_muladd(&w2, &w1, &w0, ws[18], p[27]);
2652 word3_muladd(&w2, &w1, &w0, ws[19], p[26]);
2653 word3_muladd(&w2, &w1, &w0, ws[20], p[25]);
2654 word3_muladd(&w2, &w1, &w0, ws[21], p[24]);
2655 word3_muladd(&w2, &w1, &w0, ws[22], p[23]);
2656 word3_muladd(&w2, &w1, &w0, ws[23], p[22]);
2657 word3_muladd(&w2, &w1, &w0, ws[24], p[21]);
2658 word3_muladd(&w2, &w1, &w0, ws[25], p[20]);
2659 word3_muladd(&w2, &w1, &w0, ws[26], p[19]);
2660 word3_muladd(&w2, &w1, &w0, ws[27], p[18]);
2661 word3_muladd(&w2, &w1, &w0, ws[28], p[17]);
2662 word3_muladd(&w2, &w1, &w0, ws[29], p[16]);
2663 word3_muladd(&w2, &w1, &w0, ws[30], p[15]);
2664 word3_muladd(&w2, &w1, &w0, ws[31], p[14]);
2665 word3_add(&w2, &w1, &w0, z[45]);
2666 ws[13] = w0;
2667 w0 = w1;
2668 w1 = w2;
2669 w2 = 0;
2670 word3_muladd(&w2, &w1, &w0, ws[15], p[31]);
2671 word3_muladd(&w2, &w1, &w0, ws[16], p[30]);
2672 word3_muladd(&w2, &w1, &w0, ws[17], p[29]);
2673 word3_muladd(&w2, &w1, &w0, ws[18], p[28]);
2674 word3_muladd(&w2, &w1, &w0, ws[19], p[27]);
2675 word3_muladd(&w2, &w1, &w0, ws[20], p[26]);
2676 word3_muladd(&w2, &w1, &w0, ws[21], p[25]);
2677 word3_muladd(&w2, &w1, &w0, ws[22], p[24]);
2678 word3_muladd(&w2, &w1, &w0, ws[23], p[23]);
2679 word3_muladd(&w2, &w1, &w0, ws[24], p[22]);
2680 word3_muladd(&w2, &w1, &w0, ws[25], p[21]);
2681 word3_muladd(&w2, &w1, &w0, ws[26], p[20]);
2682 word3_muladd(&w2, &w1, &w0, ws[27], p[19]);
2683 word3_muladd(&w2, &w1, &w0, ws[28], p[18]);
2684 word3_muladd(&w2, &w1, &w0, ws[29], p[17]);
2685 word3_muladd(&w2, &w1, &w0, ws[30], p[16]);
2686 word3_muladd(&w2, &w1, &w0, ws[31], p[15]);
2687 word3_add(&w2, &w1, &w0, z[46]);
2688 ws[14] = w0;
2689 w0 = w1;
2690 w1 = w2;
2691 w2 = 0;
2692 word3_muladd(&w2, &w1, &w0, ws[16], p[31]);
2693 word3_muladd(&w2, &w1, &w0, ws[17], p[30]);
2694 word3_muladd(&w2, &w1, &w0, ws[18], p[29]);
2695 word3_muladd(&w2, &w1, &w0, ws[19], p[28]);
2696 word3_muladd(&w2, &w1, &w0, ws[20], p[27]);
2697 word3_muladd(&w2, &w1, &w0, ws[21], p[26]);
2698 word3_muladd(&w2, &w1, &w0, ws[22], p[25]);
2699 word3_muladd(&w2, &w1, &w0, ws[23], p[24]);
2700 word3_muladd(&w2, &w1, &w0, ws[24], p[23]);
2701 word3_muladd(&w2, &w1, &w0, ws[25], p[22]);
2702 word3_muladd(&w2, &w1, &w0, ws[26], p[21]);
2703 word3_muladd(&w2, &w1, &w0, ws[27], p[20]);
2704 word3_muladd(&w2, &w1, &w0, ws[28], p[19]);
2705 word3_muladd(&w2, &w1, &w0, ws[29], p[18]);
2706 word3_muladd(&w2, &w1, &w0, ws[30], p[17]);
2707 word3_muladd(&w2, &w1, &w0, ws[31], p[16]);
2708 word3_add(&w2, &w1, &w0, z[47]);
2709 ws[15] = w0;
2710 w0 = w1;
2711 w1 = w2;
2712 w2 = 0;
2713 word3_muladd(&w2, &w1, &w0, ws[17], p[31]);
2714 word3_muladd(&w2, &w1, &w0, ws[18], p[30]);
2715 word3_muladd(&w2, &w1, &w0, ws[19], p[29]);
2716 word3_muladd(&w2, &w1, &w0, ws[20], p[28]);
2717 word3_muladd(&w2, &w1, &w0, ws[21], p[27]);
2718 word3_muladd(&w2, &w1, &w0, ws[22], p[26]);
2719 word3_muladd(&w2, &w1, &w0, ws[23], p[25]);
2720 word3_muladd(&w2, &w1, &w0, ws[24], p[24]);
2721 word3_muladd(&w2, &w1, &w0, ws[25], p[23]);
2722 word3_muladd(&w2, &w1, &w0, ws[26], p[22]);
2723 word3_muladd(&w2, &w1, &w0, ws[27], p[21]);
2724 word3_muladd(&w2, &w1, &w0, ws[28], p[20]);
2725 word3_muladd(&w2, &w1, &w0, ws[29], p[19]);
2726 word3_muladd(&w2, &w1, &w0, ws[30], p[18]);
2727 word3_muladd(&w2, &w1, &w0, ws[31], p[17]);
2728 word3_add(&w2, &w1, &w0, z[48]);
2729 ws[16] = w0;
2730 w0 = w1;
2731 w1 = w2;
2732 w2 = 0;
2733 word3_muladd(&w2, &w1, &w0, ws[18], p[31]);
2734 word3_muladd(&w2, &w1, &w0, ws[19], p[30]);
2735 word3_muladd(&w2, &w1, &w0, ws[20], p[29]);
2736 word3_muladd(&w2, &w1, &w0, ws[21], p[28]);
2737 word3_muladd(&w2, &w1, &w0, ws[22], p[27]);
2738 word3_muladd(&w2, &w1, &w0, ws[23], p[26]);
2739 word3_muladd(&w2, &w1, &w0, ws[24], p[25]);
2740 word3_muladd(&w2, &w1, &w0, ws[25], p[24]);
2741 word3_muladd(&w2, &w1, &w0, ws[26], p[23]);
2742 word3_muladd(&w2, &w1, &w0, ws[27], p[22]);
2743 word3_muladd(&w2, &w1, &w0, ws[28], p[21]);
2744 word3_muladd(&w2, &w1, &w0, ws[29], p[20]);
2745 word3_muladd(&w2, &w1, &w0, ws[30], p[19]);
2746 word3_muladd(&w2, &w1, &w0, ws[31], p[18]);
2747 word3_add(&w2, &w1, &w0, z[49]);
2748 ws[17] = w0;
2749 w0 = w1;
2750 w1 = w2;
2751 w2 = 0;
2752 word3_muladd(&w2, &w1, &w0, ws[19], p[31]);
2753 word3_muladd(&w2, &w1, &w0, ws[20], p[30]);
2754 word3_muladd(&w2, &w1, &w0, ws[21], p[29]);
2755 word3_muladd(&w2, &w1, &w0, ws[22], p[28]);
2756 word3_muladd(&w2, &w1, &w0, ws[23], p[27]);
2757 word3_muladd(&w2, &w1, &w0, ws[24], p[26]);
2758 word3_muladd(&w2, &w1, &w0, ws[25], p[25]);
2759 word3_muladd(&w2, &w1, &w0, ws[26], p[24]);
2760 word3_muladd(&w2, &w1, &w0, ws[27], p[23]);
2761 word3_muladd(&w2, &w1, &w0, ws[28], p[22]);
2762 word3_muladd(&w2, &w1, &w0, ws[29], p[21]);
2763 word3_muladd(&w2, &w1, &w0, ws[30], p[20]);
2764 word3_muladd(&w2, &w1, &w0, ws[31], p[19]);
2765 word3_add(&w2, &w1, &w0, z[50]);
2766 ws[18] = w0;
2767 w0 = w1;
2768 w1 = w2;
2769 w2 = 0;
2770 word3_muladd(&w2, &w1, &w0, ws[20], p[31]);
2771 word3_muladd(&w2, &w1, &w0, ws[21], p[30]);
2772 word3_muladd(&w2, &w1, &w0, ws[22], p[29]);
2773 word3_muladd(&w2, &w1, &w0, ws[23], p[28]);
2774 word3_muladd(&w2, &w1, &w0, ws[24], p[27]);
2775 word3_muladd(&w2, &w1, &w0, ws[25], p[26]);
2776 word3_muladd(&w2, &w1, &w0, ws[26], p[25]);
2777 word3_muladd(&w2, &w1, &w0, ws[27], p[24]);
2778 word3_muladd(&w2, &w1, &w0, ws[28], p[23]);
2779 word3_muladd(&w2, &w1, &w0, ws[29], p[22]);
2780 word3_muladd(&w2, &w1, &w0, ws[30], p[21]);
2781 word3_muladd(&w2, &w1, &w0, ws[31], p[20]);
2782 word3_add(&w2, &w1, &w0, z[51]);
2783 ws[19] = w0;
2784 w0 = w1;
2785 w1 = w2;
2786 w2 = 0;
2787 word3_muladd(&w2, &w1, &w0, ws[21], p[31]);
2788 word3_muladd(&w2, &w1, &w0, ws[22], p[30]);
2789 word3_muladd(&w2, &w1, &w0, ws[23], p[29]);
2790 word3_muladd(&w2, &w1, &w0, ws[24], p[28]);
2791 word3_muladd(&w2, &w1, &w0, ws[25], p[27]);
2792 word3_muladd(&w2, &w1, &w0, ws[26], p[26]);
2793 word3_muladd(&w2, &w1, &w0, ws[27], p[25]);
2794 word3_muladd(&w2, &w1, &w0, ws[28], p[24]);
2795 word3_muladd(&w2, &w1, &w0, ws[29], p[23]);
2796 word3_muladd(&w2, &w1, &w0, ws[30], p[22]);
2797 word3_muladd(&w2, &w1, &w0, ws[31], p[21]);
2798 word3_add(&w2, &w1, &w0, z[52]);
2799 ws[20] = w0;
2800 w0 = w1;
2801 w1 = w2;
2802 w2 = 0;
2803 word3_muladd(&w2, &w1, &w0, ws[22], p[31]);
2804 word3_muladd(&w2, &w1, &w0, ws[23], p[30]);
2805 word3_muladd(&w2, &w1, &w0, ws[24], p[29]);
2806 word3_muladd(&w2, &w1, &w0, ws[25], p[28]);
2807 word3_muladd(&w2, &w1, &w0, ws[26], p[27]);
2808 word3_muladd(&w2, &w1, &w0, ws[27], p[26]);
2809 word3_muladd(&w2, &w1, &w0, ws[28], p[25]);
2810 word3_muladd(&w2, &w1, &w0, ws[29], p[24]);
2811 word3_muladd(&w2, &w1, &w0, ws[30], p[23]);
2812 word3_muladd(&w2, &w1, &w0, ws[31], p[22]);
2813 word3_add(&w2, &w1, &w0, z[53]);
2814 ws[21] = w0;
2815 w0 = w1;
2816 w1 = w2;
2817 w2 = 0;
2818 word3_muladd(&w2, &w1, &w0, ws[23], p[31]);
2819 word3_muladd(&w2, &w1, &w0, ws[24], p[30]);
2820 word3_muladd(&w2, &w1, &w0, ws[25], p[29]);
2821 word3_muladd(&w2, &w1, &w0, ws[26], p[28]);
2822 word3_muladd(&w2, &w1, &w0, ws[27], p[27]);
2823 word3_muladd(&w2, &w1, &w0, ws[28], p[26]);
2824 word3_muladd(&w2, &w1, &w0, ws[29], p[25]);
2825 word3_muladd(&w2, &w1, &w0, ws[30], p[24]);
2826 word3_muladd(&w2, &w1, &w0, ws[31], p[23]);
2827 word3_add(&w2, &w1, &w0, z[54]);
2828 ws[22] = w0;
2829 w0 = w1;
2830 w1 = w2;
2831 w2 = 0;
2832 word3_muladd(&w2, &w1, &w0, ws[24], p[31]);
2833 word3_muladd(&w2, &w1, &w0, ws[25], p[30]);
2834 word3_muladd(&w2, &w1, &w0, ws[26], p[29]);
2835 word3_muladd(&w2, &w1, &w0, ws[27], p[28]);
2836 word3_muladd(&w2, &w1, &w0, ws[28], p[27]);
2837 word3_muladd(&w2, &w1, &w0, ws[29], p[26]);
2838 word3_muladd(&w2, &w1, &w0, ws[30], p[25]);
2839 word3_muladd(&w2, &w1, &w0, ws[31], p[24]);
2840 word3_add(&w2, &w1, &w0, z[55]);
2841 ws[23] = w0;
2842 w0 = w1;
2843 w1 = w2;
2844 w2 = 0;
2845 word3_muladd(&w2, &w1, &w0, ws[25], p[31]);
2846 word3_muladd(&w2, &w1, &w0, ws[26], p[30]);
2847 word3_muladd(&w2, &w1, &w0, ws[27], p[29]);
2848 word3_muladd(&w2, &w1, &w0, ws[28], p[28]);
2849 word3_muladd(&w2, &w1, &w0, ws[29], p[27]);
2850 word3_muladd(&w2, &w1, &w0, ws[30], p[26]);
2851 word3_muladd(&w2, &w1, &w0, ws[31], p[25]);
2852 word3_add(&w2, &w1, &w0, z[56]);
2853 ws[24] = w0;
2854 w0 = w1;
2855 w1 = w2;
2856 w2 = 0;
2857 word3_muladd(&w2, &w1, &w0, ws[26], p[31]);
2858 word3_muladd(&w2, &w1, &w0, ws[27], p[30]);
2859 word3_muladd(&w2, &w1, &w0, ws[28], p[29]);
2860 word3_muladd(&w2, &w1, &w0, ws[29], p[28]);
2861 word3_muladd(&w2, &w1, &w0, ws[30], p[27]);
2862 word3_muladd(&w2, &w1, &w0, ws[31], p[26]);
2863 word3_add(&w2, &w1, &w0, z[57]);
2864 ws[25] = w0;
2865 w0 = w1;
2866 w1 = w2;
2867 w2 = 0;
2868 word3_muladd(&w2, &w1, &w0, ws[27], p[31]);
2869 word3_muladd(&w2, &w1, &w0, ws[28], p[30]);
2870 word3_muladd(&w2, &w1, &w0, ws[29], p[29]);
2871 word3_muladd(&w2, &w1, &w0, ws[30], p[28]);
2872 word3_muladd(&w2, &w1, &w0, ws[31], p[27]);
2873 word3_add(&w2, &w1, &w0, z[58]);
2874 ws[26] = w0;
2875 w0 = w1;
2876 w1 = w2;
2877 w2 = 0;
2878 word3_muladd(&w2, &w1, &w0, ws[28], p[31]);
2879 word3_muladd(&w2, &w1, &w0, ws[29], p[30]);
2880 word3_muladd(&w2, &w1, &w0, ws[30], p[29]);
2881 word3_muladd(&w2, &w1, &w0, ws[31], p[28]);
2882 word3_add(&w2, &w1, &w0, z[59]);
2883 ws[27] = w0;
2884 w0 = w1;
2885 w1 = w2;
2886 w2 = 0;
2887 word3_muladd(&w2, &w1, &w0, ws[29], p[31]);
2888 word3_muladd(&w2, &w1, &w0, ws[30], p[30]);
2889 word3_muladd(&w2, &w1, &w0, ws[31], p[29]);
2890 word3_add(&w2, &w1, &w0, z[60]);
2891 ws[28] = w0;
2892 w0 = w1;
2893 w1 = w2;
2894 w2 = 0;
2895 word3_muladd(&w2, &w1, &w0, ws[30], p[31]);
2896 word3_muladd(&w2, &w1, &w0, ws[31], p[30]);
2897 word3_add(&w2, &w1, &w0, z[61]);
2898 ws[29] = w0;
2899 w0 = w1;
2900 w1 = w2;
2901 w2 = 0;
2902 word3_muladd(&w2, &w1, &w0, ws[31], p[31]);
2903 word3_add(&w2, &w1, &w0, z[62]);
2904 ws[30] = w0;
2905 w0 = w1;
2906 w1 = w2;
2907 w2 = 0;
2908 word3_add(&w2, &w1, &w0, z[63]);
2909 ws[31] = w0;
2910 ws[32] = w1;
2911 word borrow = bigint_sub3(z, ws, 32 + 1, p, 32);
2912 CT::conditional_assign_mem(borrow, z, ws, 32);
2913 clear_mem(z + 32, 32);
2914}

References bigint_sub3(), clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_4()

void Botan::bigint_monty_redc_4 ( word z[8],
const word p[4],
word p_dash,
word ws[] )

Definition at line 14 of file mp_monty_n.cpp.

14 {
15 word w2 = 0, w1 = 0, w0 = 0;
16 w0 = z[0];
17 ws[0] = w0 * p_dash;
18 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
19 w0 = w1;
20 w1 = w2;
21 w2 = 0;
22 word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
23 word3_add(&w2, &w1, &w0, z[1]);
24 ws[1] = w0 * p_dash;
25 word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
26 w0 = w1;
27 w1 = w2;
28 w2 = 0;
29 word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
30 word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
31 word3_add(&w2, &w1, &w0, z[2]);
32 ws[2] = w0 * p_dash;
33 word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
34 w0 = w1;
35 w1 = w2;
36 w2 = 0;
37 word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
38 word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
39 word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
40 word3_add(&w2, &w1, &w0, z[3]);
41 ws[3] = w0 * p_dash;
42 word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
43 w0 = w1;
44 w1 = w2;
45 w2 = 0;
46 word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
47 word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
48 word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
49 word3_add(&w2, &w1, &w0, z[4]);
50 ws[0] = w0;
51 w0 = w1;
52 w1 = w2;
53 w2 = 0;
54 word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
55 word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
56 word3_add(&w2, &w1, &w0, z[5]);
57 ws[1] = w0;
58 w0 = w1;
59 w1 = w2;
60 w2 = 0;
61 word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
62 word3_add(&w2, &w1, &w0, z[6]);
63 ws[2] = w0;
64 w0 = w1;
65 w1 = w2;
66 w2 = 0;
67 word3_add(&w2, &w1, &w0, z[7]);
68 ws[3] = w0;
69 ws[4] = w1;
70 word borrow = bigint_sub3(z, ws, 4 + 1, p, 4);
71 CT::conditional_assign_mem(borrow, z, ws, 4);
72 clear_mem(z + 4, 4);
73}

References bigint_sub3(), clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_6()

void Botan::bigint_monty_redc_6 ( word z[12],
const word p[6],
word p_dash,
word ws[] )

Definition at line 75 of file mp_monty_n.cpp.

75 {
76 word w2 = 0, w1 = 0, w0 = 0;
77 w0 = z[0];
78 ws[0] = w0 * p_dash;
79 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
80 w0 = w1;
81 w1 = w2;
82 w2 = 0;
83 word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
84 word3_add(&w2, &w1, &w0, z[1]);
85 ws[1] = w0 * p_dash;
86 word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
87 w0 = w1;
88 w1 = w2;
89 w2 = 0;
90 word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
91 word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
92 word3_add(&w2, &w1, &w0, z[2]);
93 ws[2] = w0 * p_dash;
94 word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
95 w0 = w1;
96 w1 = w2;
97 w2 = 0;
98 word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
99 word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
100 word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
101 word3_add(&w2, &w1, &w0, z[3]);
102 ws[3] = w0 * p_dash;
103 word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
104 w0 = w1;
105 w1 = w2;
106 w2 = 0;
107 word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
108 word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
109 word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
110 word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
111 word3_add(&w2, &w1, &w0, z[4]);
112 ws[4] = w0 * p_dash;
113 word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
114 w0 = w1;
115 w1 = w2;
116 w2 = 0;
117 word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
118 word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
119 word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
120 word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
121 word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
122 word3_add(&w2, &w1, &w0, z[5]);
123 ws[5] = w0 * p_dash;
124 word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
125 w0 = w1;
126 w1 = w2;
127 w2 = 0;
128 word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
129 word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
130 word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
131 word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
132 word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
133 word3_add(&w2, &w1, &w0, z[6]);
134 ws[0] = w0;
135 w0 = w1;
136 w1 = w2;
137 w2 = 0;
138 word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
139 word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
140 word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
141 word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
142 word3_add(&w2, &w1, &w0, z[7]);
143 ws[1] = w0;
144 w0 = w1;
145 w1 = w2;
146 w2 = 0;
147 word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
148 word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
149 word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
150 word3_add(&w2, &w1, &w0, z[8]);
151 ws[2] = w0;
152 w0 = w1;
153 w1 = w2;
154 w2 = 0;
155 word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
156 word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
157 word3_add(&w2, &w1, &w0, z[9]);
158 ws[3] = w0;
159 w0 = w1;
160 w1 = w2;
161 w2 = 0;
162 word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
163 word3_add(&w2, &w1, &w0, z[10]);
164 ws[4] = w0;
165 w0 = w1;
166 w1 = w2;
167 w2 = 0;
168 word3_add(&w2, &w1, &w0, z[11]);
169 ws[5] = w0;
170 ws[6] = w1;
171 word borrow = bigint_sub3(z, ws, 6 + 1, p, 6);
172 CT::conditional_assign_mem(borrow, z, ws, 6);
173 clear_mem(z + 6, 6);
174}

References bigint_sub3(), clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_8()

void Botan::bigint_monty_redc_8 ( word z[16],
const word p[8],
word p_dash,
word ws[] )

Definition at line 176 of file mp_monty_n.cpp.

176 {
177 word w2 = 0, w1 = 0, w0 = 0;
178 w0 = z[0];
179 ws[0] = w0 * p_dash;
180 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
181 w0 = w1;
182 w1 = w2;
183 w2 = 0;
184 word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
185 word3_add(&w2, &w1, &w0, z[1]);
186 ws[1] = w0 * p_dash;
187 word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
188 w0 = w1;
189 w1 = w2;
190 w2 = 0;
191 word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
192 word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
193 word3_add(&w2, &w1, &w0, z[2]);
194 ws[2] = w0 * p_dash;
195 word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
196 w0 = w1;
197 w1 = w2;
198 w2 = 0;
199 word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
200 word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
201 word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
202 word3_add(&w2, &w1, &w0, z[3]);
203 ws[3] = w0 * p_dash;
204 word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
205 w0 = w1;
206 w1 = w2;
207 w2 = 0;
208 word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
209 word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
210 word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
211 word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
212 word3_add(&w2, &w1, &w0, z[4]);
213 ws[4] = w0 * p_dash;
214 word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
215 w0 = w1;
216 w1 = w2;
217 w2 = 0;
218 word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
219 word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
220 word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
221 word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
222 word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
223 word3_add(&w2, &w1, &w0, z[5]);
224 ws[5] = w0 * p_dash;
225 word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
226 w0 = w1;
227 w1 = w2;
228 w2 = 0;
229 word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
230 word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
231 word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
232 word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
233 word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
234 word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
235 word3_add(&w2, &w1, &w0, z[6]);
236 ws[6] = w0 * p_dash;
237 word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
238 w0 = w1;
239 w1 = w2;
240 w2 = 0;
241 word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
242 word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
243 word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
244 word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
245 word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
246 word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
247 word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
248 word3_add(&w2, &w1, &w0, z[7]);
249 ws[7] = w0 * p_dash;
250 word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
251 w0 = w1;
252 w1 = w2;
253 w2 = 0;
254 word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
255 word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
256 word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
257 word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
258 word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
259 word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
260 word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
261 word3_add(&w2, &w1, &w0, z[8]);
262 ws[0] = w0;
263 w0 = w1;
264 w1 = w2;
265 w2 = 0;
266 word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
267 word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
268 word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
269 word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
270 word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
271 word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
272 word3_add(&w2, &w1, &w0, z[9]);
273 ws[1] = w0;
274 w0 = w1;
275 w1 = w2;
276 w2 = 0;
277 word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
278 word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
279 word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
280 word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
281 word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
282 word3_add(&w2, &w1, &w0, z[10]);
283 ws[2] = w0;
284 w0 = w1;
285 w1 = w2;
286 w2 = 0;
287 word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
288 word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
289 word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
290 word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
291 word3_add(&w2, &w1, &w0, z[11]);
292 ws[3] = w0;
293 w0 = w1;
294 w1 = w2;
295 w2 = 0;
296 word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
297 word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
298 word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
299 word3_add(&w2, &w1, &w0, z[12]);
300 ws[4] = w0;
301 w0 = w1;
302 w1 = w2;
303 w2 = 0;
304 word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
305 word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
306 word3_add(&w2, &w1, &w0, z[13]);
307 ws[5] = w0;
308 w0 = w1;
309 w1 = w2;
310 w2 = 0;
311 word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
312 word3_add(&w2, &w1, &w0, z[14]);
313 ws[6] = w0;
314 w0 = w1;
315 w1 = w2;
316 w2 = 0;
317 word3_add(&w2, &w1, &w0, z[15]);
318 ws[7] = w0;
319 ws[8] = w1;
320 word borrow = bigint_sub3(z, ws, 8 + 1, p, 8);
321 CT::conditional_assign_mem(borrow, z, ws, 8);
322 clear_mem(z + 8, 8);
323}

References bigint_sub3(), clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_generic()

void Botan::bigint_monty_redc_generic ( word z[],
size_t z_size,
const word p[],
size_t p_size,
word p_dash,
word ws[] )

Definition at line 31 of file mp_monty.cpp.

31 {
32 BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic");
33
34 word w2 = 0, w1 = 0, w0 = 0;
35
36 w0 = z[0];
37
38 ws[0] = w0 * p_dash;
39
40 word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
41
42 w0 = w1;
43 w1 = w2;
44 w2 = 0;
45
46 for(size_t i = 1; i != p_size; ++i) {
47 for(size_t j = 0; j < i; ++j) {
48 word3_muladd(&w2, &w1, &w0, ws[j], p[i - j]);
49 }
50
51 word3_add(&w2, &w1, &w0, z[i]);
52
53 ws[i] = w0 * p_dash;
54
55 word3_muladd(&w2, &w1, &w0, ws[i], p[0]);
56
57 w0 = w1;
58 w1 = w2;
59 w2 = 0;
60 }
61
62 for(size_t i = 0; i != p_size - 1; ++i) {
63 for(size_t j = i + 1; j != p_size; ++j) {
64 word3_muladd(&w2, &w1, &w0, ws[j], p[p_size + i - j]);
65 }
66
67 word3_add(&w2, &w1, &w0, z[p_size + i]);
68
69 ws[i] = w0;
70
71 w0 = w1;
72 w1 = w2;
73 w2 = 0;
74 }
75
76 word3_add(&w2, &w1, &w0, z[2 * p_size - 1]);
77
78 ws[p_size - 1] = w0;
79 ws[p_size] = w1;
80
81 /*
82 * The result might need to be reduced mod p. To avoid a timing
83 * channel, always perform the subtraction. If in the compution
84 * of x - p a borrow is required then x was already < p.
85 *
86 * x starts at ws[0] and is p_size+1 bytes long.
87 * x - p starts at z[0] and is also p_size+1 bytes log
88 *
89 * If borrow was set then x was already < p and the subtraction
90 * was not needed. In that case overwrite z[0:p_size] with the
91 * original x in ws[0:p_size].
92 *
93 * We only copy out p_size in the final step because we know
94 * the Montgomery result is < P
95 */
96
97 word borrow = bigint_sub3(z, ws, p_size + 1, p, p_size);
98
99 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
100
101 CT::conditional_assign_mem(borrow, z, ws, p_size);
102 clear_mem(z + p_size, z_size - p_size);
103}

References bigint_sub3(), BOTAN_ARG_CHECK, BOTAN_DEBUG_ASSERT, clear_mem(), Botan::CT::conditional_assign_mem(), word3_add(), and word3_muladd().

Referenced by bigint_monty_redc().

◆ bigint_mul()

void Botan::bigint_mul ( word z[],
size_t z_size,
const word x[],
size_t x_size,
size_t x_sw,
const word y[],
size_t y_size,
size_t y_sw,
word workspace[],
size_t ws_size )

Definition at line 282 of file mp_karat.cpp.

291 {
292 clear_mem(z, z_size);
293
294 if(x_sw == 1) {
295 bigint_linmul3(z, y, y_sw, x[0]);
296 } else if(y_sw == 1) {
297 bigint_linmul3(z, x, x_sw, y[0]);
298 } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) {
299 bigint_comba_mul4(z, x, y);
300 } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) {
301 bigint_comba_mul6(z, x, y);
302 } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) {
303 bigint_comba_mul8(z, x, y);
304 } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) {
305 bigint_comba_mul9(z, x, y);
306 } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) {
307 bigint_comba_mul16(z, x, y);
308 } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) {
309 bigint_comba_mul24(z, x, y);
310 } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || !workspace) {
311 basecase_mul(z, z_size, x, x_sw, y, y_sw);
312 } else {
313 const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw);
314
315 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
316 karatsuba_mul(z, x, y, N, workspace);
317 } else {
318 basecase_mul(z, z_size, x, x_sw, y, y_sw);
319 }
320 }
321}
void bigint_linmul3(word z[], const word x[], size_t x_size, word y)
Definition mp_core.h:468
void bigint_comba_mul4(word z[8], const word x[4], const word y[4])
Definition mp_comba.cpp:54
void bigint_comba_mul16(word z[32], const word x[16], const word y[16])
Definition mp_comba.cpp:917
void bigint_comba_mul6(word z[12], const word x[6], const word y[6])
Definition mp_comba.cpp:159
void bigint_comba_mul9(word z[18], const word x[9], const word y[9])
Definition mp_comba.cpp:542
void bigint_comba_mul24(word z[48], const word x[24], const word y[24])
BOTAN_FUZZER_API void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_karat.cpp:20
void bigint_comba_mul8(word z[16], const word x[8], const word y[8])
Definition mp_comba.cpp:323

References basecase_mul(), bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_linmul3(), and clear_mem().

Referenced by Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::BigInt::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), and operator*().

◆ bigint_shl1()

void Botan::bigint_shl1 ( word x[],
size_t x_size,
size_t x_words,
size_t word_shift,
size_t bit_shift )
inline

Definition at line 382 of file mp_core.h.

382 {
383 copy_mem(x + word_shift, x, x_words);
384 clear_mem(x, word_shift);
385
386 const auto carry_mask = CT::Mask<word>::expand(bit_shift);
387 const word carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
388
389 word carry = 0;
390 for(size_t i = word_shift; i != x_size; ++i) {
391 const word w = x[i];
392 x[i] = (w << bit_shift) | carry;
393 carry = carry_mask.if_set_return(w >> carry_shift);
394 }
395}
uint64_t carry_shift(const donna128 &a, size_t shift)
Definition donna128.h:105
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146

References BOTAN_MP_WORD_BITS, carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::operator<<=().

◆ bigint_shl2()

void Botan::bigint_shl2 ( word y[],
const word x[],
size_t x_size,
size_t word_shift,
size_t bit_shift )
inline

Definition at line 417 of file mp_core.h.

417 {
418 copy_mem(y + word_shift, x, x_size);
419
420 const auto carry_mask = CT::Mask<word>::expand(bit_shift);
421 const word carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
422
423 word carry = 0;
424 for(size_t i = word_shift; i != x_size + word_shift + 1; ++i) {
425 const word w = y[i];
426 y[i] = (w << bit_shift) | carry;
427 carry = carry_mask.if_set_return(w >> carry_shift);
428 }
429}

References BOTAN_MP_WORD_BITS, carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_shift_left(), and operator<<().

◆ bigint_shr1()

void Botan::bigint_shr1 ( word x[],
size_t x_size,
size_t word_shift,
size_t bit_shift )
inline

Definition at line 397 of file mp_core.h.

397 {
398 const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0;
399
400 if(top > 0) {
401 copy_mem(x, x + word_shift, top);
402 }
403 clear_mem(x + top, std::min(word_shift, x_size));
404
405 const auto carry_mask = CT::Mask<word>::expand(bit_shift);
406 const word carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
407
408 word carry = 0;
409
410 for(size_t i = 0; i != top; ++i) {
411 const word w = x[top - i - 1];
412 x[top - i - 1] = (w >> bit_shift) | carry;
413 carry = carry_mask.if_set_return(w << carry_shift);
414 }
415}

References BOTAN_MP_WORD_BITS, carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::operator>>=().

◆ bigint_shr2()

void Botan::bigint_shr2 ( word y[],
const word x[],
size_t x_size,
size_t word_shift,
size_t bit_shift )
inline

Definition at line 431 of file mp_core.h.

431 {
432 const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift);
433
434 if(new_size > 0) {
435 copy_mem(y, x + word_shift, new_size);
436 }
437
438 const auto carry_mask = CT::Mask<word>::expand(bit_shift);
439 const word carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
440
441 word carry = 0;
442 for(size_t i = new_size; i > 0; --i) {
443 word w = y[i - 1];
444 y[i - 1] = (w >> bit_shift) | carry;
445 carry = carry_mask.if_set_return(w << carry_shift);
446 }
447}

References BOTAN_MP_WORD_BITS, carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by gcd(), operator>>(), and redc_p521().

◆ bigint_sqr()

void Botan::bigint_sqr ( word z[],
size_t z_size,
const word x[],
size_t x_size,
size_t x_sw,
word workspace[],
size_t ws_size )

Definition at line 326 of file mp_karat.cpp.

326 {
327 clear_mem(z, z_size);
328
329 BOTAN_ASSERT(z_size / 2 >= x_sw, "Output size is sufficient");
330
331 if(x_sw == 1) {
332 bigint_linmul3(z, x, x_sw, x[0]);
333 } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) {
334 bigint_comba_sqr4(z, x);
335 } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) {
336 bigint_comba_sqr6(z, x);
337 } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) {
338 bigint_comba_sqr8(z, x);
339 } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) {
340 bigint_comba_sqr9(z, x);
341 } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) {
342 bigint_comba_sqr16(z, x);
343 } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) {
344 bigint_comba_sqr24(z, x);
345 } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || !workspace) {
346 basecase_sqr(z, z_size, x, x_sw);
347 } else {
348 const size_t N = karatsuba_size(z_size, x_size, x_sw);
349
350 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
351 karatsuba_sqr(z, x, N, workspace);
352 } else {
353 basecase_sqr(z, z_size, x, x_sw);
354 }
355 }
356}
BOTAN_FUZZER_API void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size)
Definition mp_karat.cpp:46
void bigint_comba_sqr6(word z[12], const word x[6])
Definition mp_comba.cpp:98
void bigint_comba_sqr8(word z[16], const word x[8])
Definition mp_comba.cpp:235
void bigint_comba_sqr16(word z[32], const word x[16])
Definition mp_comba.cpp:681
void bigint_comba_sqr9(word z[18], const word x[9])
Definition mp_comba.cpp:439
void bigint_comba_sqr24(word z[48], const word x[24])

References basecase_sqr(), bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_linmul3(), BOTAN_ASSERT, and clear_mem().

Referenced by Botan::Montgomery_Params::sqr(), Botan::BigInt::square(), and Botan::Montgomery_Params::square_this().

◆ bigint_sub2()

word Botan::bigint_sub2 ( word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Two operand subtraction

Definition at line 273 of file mp_core.h.

273 {
274 word borrow = 0;
275
276 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
277
278 const size_t blocks = y_size - (y_size % 8);
279
280 for(size_t i = 0; i != blocks; i += 8) {
281 borrow = word8_sub2(x + i, y + i, borrow);
282 }
283
284 for(size_t i = blocks; i != y_size; ++i) {
285 x[i] = word_sub(x[i], y[i], &borrow);
286 }
287
288 for(size_t i = y_size; i != x_size; ++i) {
289 x[i] = word_sub(x[i], 0, &borrow);
290 }
291
292 return borrow;
293}
word word8_sub2(word x[8], const word y[8], word carry)
Definition mp_asmi.h:353

References BOTAN_ASSERT, word8_sub2(), and word_sub().

Referenced by Botan::BigInt::add(), redc_p192(), redc_p224(), redc_p256(), and redc_p384().

◆ bigint_sub2_rev()

void Botan::bigint_sub2_rev ( word x[],
const word y[],
size_t y_size )
inline

Two operand subtraction, x = y - x; assumes y >= x

Definition at line 298 of file mp_core.h.

298 {
299 word borrow = 0;
300
301 const size_t blocks = y_size - (y_size % 8);
302
303 for(size_t i = 0; i != blocks; i += 8) {
304 borrow = word8_sub2_rev(x + i, y + i, borrow);
305 }
306
307 for(size_t i = blocks; i != y_size; ++i) {
308 x[i] = word_sub(y[i], x[i], &borrow);
309 }
310
311 BOTAN_ASSERT(borrow == 0, "y must be greater than x");
312}
word word8_sub2_rev(word x[8], const word y[8], word carry)
Definition mp_asmi.h:383

References BOTAN_ASSERT, word8_sub2_rev(), and word_sub().

Referenced by Botan::BigInt::add().

◆ bigint_sub3()

word Botan::bigint_sub3 ( word z[],
const word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Three operand subtraction

Expects that x_size >= y_size

Writes to z[0:x_size] and returns borrow

Definition at line 321 of file mp_core.h.

321 {
322 word borrow = 0;
323
324 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
325
326 const size_t blocks = y_size - (y_size % 8);
327
328 for(size_t i = 0; i != blocks; i += 8) {
329 borrow = word8_sub3(z + i, x + i, y + i, borrow);
330 }
331
332 for(size_t i = blocks; i != y_size; ++i) {
333 z[i] = word_sub(x[i], y[i], &borrow);
334 }
335
336 for(size_t i = y_size; i != x_size; ++i) {
337 z[i] = word_sub(x[i], 0, &borrow);
338 }
339
340 return borrow;
341}

References BOTAN_ASSERT, word8_sub3(), and word_sub().

Referenced by bigint_mod_sub(), bigint_mod_sub_n(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), bigint_sub_abs(), ct_divide(), ct_modulo(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::mod_add(), and Botan::BigInt::reduce_below().

◆ bigint_sub_abs() [1/2]

CT::Mask< word > Botan::bigint_sub_abs ( word z[],
const word x[],
const word y[],
size_t N,
word ws[] )
inline

Return abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Returns ~0 if x >= y or 0 if x < y

Parameters
zoutput array of at least N words
xinput array of N words
yinput array of N words
Nlength of x and y
wsarray of at least 2*N words

Definition at line 355 of file mp_core.h.

355 {
356 // Subtract in both direction then conditional copy out the result
357
358 word* ws0 = ws;
359 word* ws1 = ws + N;
360
361 word borrow0 = 0;
362 word borrow1 = 0;
363
364 const size_t blocks = N - (N % 8);
365
366 for(size_t i = 0; i != blocks; i += 8) {
367 borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0);
368 borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1);
369 }
370
371 for(size_t i = blocks; i != N; ++i) {
372 ws0[i] = word_sub(x[i], y[i], &borrow0);
373 ws1[i] = word_sub(y[i], x[i], &borrow1);
374 }
375
376 return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N);
377}

References Botan::CT::conditional_copy_mem(), word8_sub3(), and word_sub().

Referenced by Botan::BigInt::add2(), gcd(), and Botan::BigInt::rev_sub().

◆ bigint_sub_abs() [2/2]

int32_t Botan::bigint_sub_abs ( word z[],
const word x[],
size_t x_size,
const word y[],
size_t y_size )
inline

Set z to abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Return the relative size of x vs y (-1, 0, 1)

Parameters
zoutput array of max(x_size,y_size) words
xinput param
x_sizelength of x
yinput param
y_sizelength of y

Definition at line 604 of file mp_core.h.

604 {
605 const int32_t relative_size = bigint_cmp(x, x_size, y, y_size);
606
607 // Swap if relative_size == -1
608 const bool need_swap = relative_size < 0;
609 CT::conditional_swap_ptr(need_swap, x, y);
610 CT::conditional_swap(need_swap, x_size, y_size);
611
612 /*
613 * We know at this point that x >= y so if y_size is larger than
614 * x_size, we are guaranteed they are just leading zeros which can
615 * be ignored
616 */
617 y_size = std::min(x_size, y_size);
618
619 bigint_sub3(z, x, x_size, y, y_size);
620
621 return relative_size;
622}
int32_t bigint_cmp(const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_core.h:490

References bigint_cmp(), bigint_sub3(), Botan::CT::conditional_swap(), and Botan::CT::conditional_swap_ptr().

◆ bit_permute_step()

template<typename T >
constexpr T Botan::bit_permute_step ( T x,
T mask,
size_t shift )
inlineconstexpr

Definition at line 163 of file bit_ops.h.

163 {
164 /*
165 See https://reflectionsonsecurity.wordpress.com/2014/05/11/efficient-bit-permutation-using-delta-swaps/
166 and http://programming.sirrida.de/bit_perm.html
167 */
168 const T swap = ((x >> shift) ^ x) & mask;
169 return (x ^ swap) ^ (swap << shift);
170}
FE_25519 T
Definition ge.cpp:34

References T.

◆ bit_size_to_32bit_size()

size_t Botan::bit_size_to_32bit_size ( size_t bit_size)
inline

Definition at line 46 of file code_based_util.h.

46 {
47 return (bit_size - 1) / 32 + 1;
48}

Referenced by generate_mceliece_key(), mceliece_decrypt(), and Botan::McEliece_PrivateKey::McEliece_PrivateKey().

◆ bit_size_to_byte_size()

size_t Botan::bit_size_to_byte_size ( size_t bit_size)
inline

Definition at line 42 of file code_based_util.h.

42 {
43 return (bit_size - 1) / 8 + 1;
44}

Referenced by mceliece_decrypt().

◆ BOTAN_FUNC_ISA() [1/4]

Botan::BOTAN_FUNC_ISA ( "avx2" )

Definition at line 160 of file argon2_avx2.cpp.

160 {
161 for(size_t i = 0; i != 8; ++i) {
162 SIMD_4x64 A = SIMD_4x64::load_le(&N[16 * i + 4 * 0]);
163 SIMD_4x64 B = SIMD_4x64::load_le(&N[16 * i + 4 * 1]);
164 SIMD_4x64 C = SIMD_4x64::load_le(&N[16 * i + 4 * 2]);
165 SIMD_4x64 D = SIMD_4x64::load_le(&N[16 * i + 4 * 3]);
166
167 blamka_R(A, B, C, D);
168
169 A.store_le(&T[16 * i + 4 * 0]);
170 B.store_le(&T[16 * i + 4 * 1]);
171 C.store_le(&T[16 * i + 4 * 2]);
172 D.store_le(&T[16 * i + 4 * 3]);
173 }
174
175 for(size_t i = 0; i != 8; ++i) {
176 SIMD_4x64 A = SIMD_4x64::load_le2(&T[2 * i + 32 * 0], &T[2 * i + 32 * 0 + 16]);
177 SIMD_4x64 B = SIMD_4x64::load_le2(&T[2 * i + 32 * 1], &T[2 * i + 32 * 1 + 16]);
178 SIMD_4x64 C = SIMD_4x64::load_le2(&T[2 * i + 32 * 2], &T[2 * i + 32 * 2 + 16]);
179 SIMD_4x64 D = SIMD_4x64::load_le2(&T[2 * i + 32 * 3], &T[2 * i + 32 * 3 + 16]);
180
181 blamka_R(A, B, C, D);
182
183 A.store_le2(&T[2 * i + 32 * 0], &T[2 * i + 32 * 0 + 16]);
184 B.store_le2(&T[2 * i + 32 * 1], &T[2 * i + 32 * 1 + 16]);
185 C.store_le2(&T[2 * i + 32 * 2], &T[2 * i + 32 * 2 + 16]);
186 D.store_le2(&T[2 * i + 32 * 3], &T[2 * i + 32 * 3 + 16]);
187 }
188
189 for(size_t i = 0; i != 128 / 8; ++i) {
190 SIMD_4x64 n0 = SIMD_4x64::load_le(&N[8 * i]);
191 SIMD_4x64 n1 = SIMD_4x64::load_le(&N[8 * i + 4]);
192 SIMD_4x64 t0 = SIMD_4x64::load_le(&T[8 * i]);
193 SIMD_4x64 t1 = SIMD_4x64::load_le(&T[8 * i + 4]);
194
195 n0 ^= t0;
196 n1 ^= t1;
197 n0.store_le(&N[8 * i]);
198 n1.store_le(&N[8 * i + 4]);
199 }
200}

References T.

◆ BOTAN_FUNC_ISA() [2/4]

Botan::BOTAN_FUNC_ISA ( "sse2" )

Definition at line 126 of file idea_sse2.cpp.

126 {
127 CT::poison(in, 64);
128 CT::poison(out, 64);
129 CT::poison(EK, 52);
130
131 const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
132
133 __m128i B0 = _mm_loadu_si128(in_mm + 0);
134 __m128i B1 = _mm_loadu_si128(in_mm + 1);
135 __m128i B2 = _mm_loadu_si128(in_mm + 2);
136 __m128i B3 = _mm_loadu_si128(in_mm + 3);
137
138 transpose_in(B0, B1, B2, B3);
139
140 // byte swap
141 B0 = _mm_or_si128(_mm_slli_epi16(B0, 8), _mm_srli_epi16(B0, 8));
142 B1 = _mm_or_si128(_mm_slli_epi16(B1, 8), _mm_srli_epi16(B1, 8));
143 B2 = _mm_or_si128(_mm_slli_epi16(B2, 8), _mm_srli_epi16(B2, 8));
144 B3 = _mm_or_si128(_mm_slli_epi16(B3, 8), _mm_srli_epi16(B3, 8));
145
146 for(size_t i = 0; i != 8; ++i) {
147 B0 = mul(B0, EK[6 * i + 0]);
148 B1 = _mm_add_epi16(B1, _mm_set1_epi16(EK[6 * i + 1]));
149 B2 = _mm_add_epi16(B2, _mm_set1_epi16(EK[6 * i + 2]));
150 B3 = mul(B3, EK[6 * i + 3]);
151
152 __m128i T0 = B2;
153 B2 = _mm_xor_si128(B2, B0);
154 B2 = mul(B2, EK[6 * i + 4]);
155
156 __m128i T1 = B1;
157
158 B1 = _mm_xor_si128(B1, B3);
159 B1 = _mm_add_epi16(B1, B2);
160 B1 = mul(B1, EK[6 * i + 5]);
161
162 B2 = _mm_add_epi16(B2, B1);
163
164 B0 = _mm_xor_si128(B0, B1);
165 B1 = _mm_xor_si128(B1, T0);
166 B3 = _mm_xor_si128(B3, B2);
167 B2 = _mm_xor_si128(B2, T1);
168 }
169
170 B0 = mul(B0, EK[48]);
171 B1 = _mm_add_epi16(B1, _mm_set1_epi16(EK[50]));
172 B2 = _mm_add_epi16(B2, _mm_set1_epi16(EK[49]));
173 B3 = mul(B3, EK[51]);
174
175 // byte swap
176 B0 = _mm_or_si128(_mm_slli_epi16(B0, 8), _mm_srli_epi16(B0, 8));
177 B1 = _mm_or_si128(_mm_slli_epi16(B1, 8), _mm_srli_epi16(B1, 8));
178 B2 = _mm_or_si128(_mm_slli_epi16(B2, 8), _mm_srli_epi16(B2, 8));
179 B3 = _mm_or_si128(_mm_slli_epi16(B3, 8), _mm_srli_epi16(B3, 8));
180
181 transpose_out(B0, B2, B1, B3);
182
183 __m128i* out_mm = reinterpret_cast<__m128i*>(out);
184
185 _mm_storeu_si128(out_mm + 0, B0);
186 _mm_storeu_si128(out_mm + 1, B2);
187 _mm_storeu_si128(out_mm + 2, B1);
188 _mm_storeu_si128(out_mm + 3, B3);
189
190 CT::unpoison(in, 64);
191 CT::unpoison(out, 64);
192 CT::unpoison(EK, 52);
193}

References Botan::CT::poison(), and Botan::CT::unpoison().

◆ BOTAN_FUNC_ISA() [3/4]

Botan::BOTAN_FUNC_ISA ( " ssse3,
aes"  )

Definition at line 125 of file aes_ni.cpp.

125 {
126 const SIMD_4x32 K0 = SIMD_4x32::load_le(&m_EK[4 * 0]);
127 const SIMD_4x32 K1 = SIMD_4x32::load_le(&m_EK[4 * 1]);
128 const SIMD_4x32 K2 = SIMD_4x32::load_le(&m_EK[4 * 2]);
129 const SIMD_4x32 K3 = SIMD_4x32::load_le(&m_EK[4 * 3]);
130 const SIMD_4x32 K4 = SIMD_4x32::load_le(&m_EK[4 * 4]);
131 const SIMD_4x32 K5 = SIMD_4x32::load_le(&m_EK[4 * 5]);
132 const SIMD_4x32 K6 = SIMD_4x32::load_le(&m_EK[4 * 6]);
133 const SIMD_4x32 K7 = SIMD_4x32::load_le(&m_EK[4 * 7]);
134 const SIMD_4x32 K8 = SIMD_4x32::load_le(&m_EK[4 * 8]);
135 const SIMD_4x32 K9 = SIMD_4x32::load_le(&m_EK[4 * 9]);
136 const SIMD_4x32 K10 = SIMD_4x32::load_le(&m_EK[4 * 10]);
137
138 while(blocks >= 4) {
139 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * 0);
140 SIMD_4x32 B1 = SIMD_4x32::load_le(in + 16 * 1);
141 SIMD_4x32 B2 = SIMD_4x32::load_le(in + 16 * 2);
142 SIMD_4x32 B3 = SIMD_4x32::load_le(in + 16 * 3);
143
144 keyxor(K0, B0, B1, B2, B3);
145 aesenc(K1, B0, B1, B2, B3);
146 aesenc(K2, B0, B1, B2, B3);
147 aesenc(K3, B0, B1, B2, B3);
148 aesenc(K4, B0, B1, B2, B3);
149 aesenc(K5, B0, B1, B2, B3);
150 aesenc(K6, B0, B1, B2, B3);
151 aesenc(K7, B0, B1, B2, B3);
152 aesenc(K8, B0, B1, B2, B3);
153 aesenc(K9, B0, B1, B2, B3);
154 aesenclast(K10, B0, B1, B2, B3);
155
156 B0.store_le(out + 16 * 0);
157 B1.store_le(out + 16 * 1);
158 B2.store_le(out + 16 * 2);
159 B3.store_le(out + 16 * 3);
160
161 blocks -= 4;
162 in += 4 * 16;
163 out += 4 * 16;
164 }
165
166 for(size_t i = 0; i != blocks; ++i) {
167 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * i);
168
169 B0 ^= K0;
170 aesenc(K1, B0);
171 aesenc(K2, B0);
172 aesenc(K3, B0);
173 aesenc(K4, B0);
174 aesenc(K5, B0);
175 aesenc(K6, B0);
176 aesenc(K7, B0);
177 aesenc(K8, B0);
178 aesenc(K9, B0);
179 aesenclast(K10, B0);
180
181 B0.store_le(out + 16 * i);
182 }
183}
184
185/*
186* AES-128 Decryption
187*/
188BOTAN_FUNC_ISA("ssse3,aes") void AES_128::hw_aes_decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
189 const SIMD_4x32 K0 = SIMD_4x32::load_le(&m_DK[4 * 0]);
190 const SIMD_4x32 K1 = SIMD_4x32::load_le(&m_DK[4 * 1]);
191 const SIMD_4x32 K2 = SIMD_4x32::load_le(&m_DK[4 * 2]);
192 const SIMD_4x32 K3 = SIMD_4x32::load_le(&m_DK[4 * 3]);
193 const SIMD_4x32 K4 = SIMD_4x32::load_le(&m_DK[4 * 4]);
194 const SIMD_4x32 K5 = SIMD_4x32::load_le(&m_DK[4 * 5]);
195 const SIMD_4x32 K6 = SIMD_4x32::load_le(&m_DK[4 * 6]);
196 const SIMD_4x32 K7 = SIMD_4x32::load_le(&m_DK[4 * 7]);
197 const SIMD_4x32 K8 = SIMD_4x32::load_le(&m_DK[4 * 8]);
198 const SIMD_4x32 K9 = SIMD_4x32::load_le(&m_DK[4 * 9]);
199 const SIMD_4x32 K10 = SIMD_4x32::load_le(&m_DK[4 * 10]);
200
201 while(blocks >= 4) {
202 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * 0);
203 SIMD_4x32 B1 = SIMD_4x32::load_le(in + 16 * 1);
204 SIMD_4x32 B2 = SIMD_4x32::load_le(in + 16 * 2);
205 SIMD_4x32 B3 = SIMD_4x32::load_le(in + 16 * 3);
206
207 keyxor(K0, B0, B1, B2, B3);
208 aesdec(K1, B0, B1, B2, B3);
209 aesdec(K2, B0, B1, B2, B3);
210 aesdec(K3, B0, B1, B2, B3);
211 aesdec(K4, B0, B1, B2, B3);
212 aesdec(K5, B0, B1, B2, B3);
213 aesdec(K6, B0, B1, B2, B3);
214 aesdec(K7, B0, B1, B2, B3);
215 aesdec(K8, B0, B1, B2, B3);
216 aesdec(K9, B0, B1, B2, B3);
217 aesdeclast(K10, B0, B1, B2, B3);
218
219 B0.store_le(out + 16 * 0);
220 B1.store_le(out + 16 * 1);
221 B2.store_le(out + 16 * 2);
222 B3.store_le(out + 16 * 3);
223
224 blocks -= 4;
225 in += 4 * 16;
226 out += 4 * 16;
227 }
228
229 for(size_t i = 0; i != blocks; ++i) {
230 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * i);
231
232 B0 ^= K0;
233 aesdec(K1, B0);
234 aesdec(K2, B0);
235 aesdec(K3, B0);
236 aesdec(K4, B0);
237 aesdec(K5, B0);
238 aesdec(K6, B0);
239 aesdec(K7, B0);
240 aesdec(K8, B0);
241 aesdec(K9, B0);
242 aesdeclast(K10, B0);
243
244 B0.store_le(out + 16 * i);
245 }
246}
247
248/*
249* AES-128 Key Schedule
250*/
251BOTAN_FUNC_ISA("ssse3,aes") void AES_128::aesni_key_schedule(const uint8_t key[], size_t /*length*/) {
252 m_EK.resize(44);
253 m_DK.resize(44);
254
255 const __m128i K0 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(key));
256 const __m128i K1 = aes_128_key_expansion<0x01>(K0, K0);
257 const __m128i K2 = aes_128_key_expansion<0x02>(K1, K1);
258 const __m128i K3 = aes_128_key_expansion<0x04>(K2, K2);
259 const __m128i K4 = aes_128_key_expansion<0x08>(K3, K3);
260 const __m128i K5 = aes_128_key_expansion<0x10>(K4, K4);
261 const __m128i K6 = aes_128_key_expansion<0x20>(K5, K5);
262 const __m128i K7 = aes_128_key_expansion<0x40>(K6, K6);
263 const __m128i K8 = aes_128_key_expansion<0x80>(K7, K7);
264 const __m128i K9 = aes_128_key_expansion<0x1B>(K8, K8);
265 const __m128i K10 = aes_128_key_expansion<0x36>(K9, K9);
266
267 __m128i* EK_mm = reinterpret_cast<__m128i*>(m_EK.data());
268 _mm_storeu_si128(EK_mm, K0);
269 _mm_storeu_si128(EK_mm + 1, K1);
270 _mm_storeu_si128(EK_mm + 2, K2);
271 _mm_storeu_si128(EK_mm + 3, K3);
272 _mm_storeu_si128(EK_mm + 4, K4);
273 _mm_storeu_si128(EK_mm + 5, K5);
274 _mm_storeu_si128(EK_mm + 6, K6);
275 _mm_storeu_si128(EK_mm + 7, K7);
276 _mm_storeu_si128(EK_mm + 8, K8);
277 _mm_storeu_si128(EK_mm + 9, K9);
278 _mm_storeu_si128(EK_mm + 10, K10);
279
280 // Now generate decryption keys
281
282 __m128i* DK_mm = reinterpret_cast<__m128i*>(m_DK.data());
283 _mm_storeu_si128(DK_mm, K10);
284 _mm_storeu_si128(DK_mm + 1, _mm_aesimc_si128(K9));
285 _mm_storeu_si128(DK_mm + 2, _mm_aesimc_si128(K8));
286 _mm_storeu_si128(DK_mm + 3, _mm_aesimc_si128(K7));
287 _mm_storeu_si128(DK_mm + 4, _mm_aesimc_si128(K6));
288 _mm_storeu_si128(DK_mm + 5, _mm_aesimc_si128(K5));
289 _mm_storeu_si128(DK_mm + 6, _mm_aesimc_si128(K4));
290 _mm_storeu_si128(DK_mm + 7, _mm_aesimc_si128(K3));
291 _mm_storeu_si128(DK_mm + 8, _mm_aesimc_si128(K2));
292 _mm_storeu_si128(DK_mm + 9, _mm_aesimc_si128(K1));
293 _mm_storeu_si128(DK_mm + 10, K0);
294}
void store_le(uint32_t out[4]) const noexcept
Definition simd_32.h:187
#define BOTAN_FUNC_ISA(isa)
Definition compiler.h:92
uint8x16_t uint8x16_t K2
Definition aes_armv8.cpp:32

References Botan::SIMD_4x32::load_le(), and Botan::SIMD_4x32::store_le().

◆ BOTAN_FUNC_ISA() [4/4]

Botan::BOTAN_FUNC_ISA ( BOTAN_VPERM_ISA )

Definition at line 483 of file zfec_vperm.cpp.

483 {
484 const auto mask = SIMD_4x32::splat_u8(0x0F);
485
486 // fetch the lookup tables for the given y
487 const auto t_lo = SIMD_4x32::load_le(GFTBL + 32 * y);
488 const auto t_hi = SIMD_4x32::load_le(GFTBL + 32 * y + 16);
489
490 const size_t orig_size = size;
491
492 while(size >= 16) {
493 const auto x_1 = SIMD_4x32::load_le(x);
494 auto z_1 = SIMD_4x32::load_le(z);
495
496 // mask to get LO nibble for LO LUT input
497 const auto x_lo = x_1 & mask;
498 // mask to get HI nibble for HI LUT input
499 const auto x_hi = x_1.shr<4>() & mask;
500
501 // 16x parallel lookups
502 const auto r_lo = table_lookup(t_lo, x_lo);
503 const auto r_hi = table_lookup(t_hi, x_hi);
504
505 // sum the outputs.
506 z_1 ^= r_lo;
507 z_1 ^= r_hi;
508
509 z_1.store_le(z);
510
511 x += 16;
512 z += 16;
513 size -= 16;
514 }
515
516 return orig_size - size;
517}

References Botan::SIMD_4x32::load_le(), and Botan::SIMD_4x32::splat_u8().

◆ buffer_insert() [1/2]

template<typename T , typename Alloc , typename Alloc2 >
size_t Botan::buffer_insert ( std::vector< T, Alloc > & buf,
size_t buf_offset,
const std::vector< T, Alloc2 > & input )

Definition at line 324 of file mem_ops.h.

324 {
325 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
326 const size_t to_copy = std::min(input.size(), buf.size() - buf_offset);
327 if(to_copy > 0) {
328 copy_mem(&buf[buf_offset], input.data(), to_copy);
329 }
330 return to_copy;
331}
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59

References BOTAN_ASSERT_NOMSG, and copy_mem().

◆ buffer_insert() [2/2]

template<typename T , typename Alloc >
size_t Botan::buffer_insert ( std::vector< T, Alloc > & buf,
size_t buf_offset,
const T input[],
size_t input_length )

Definition at line 313 of file mem_ops.h.

313 {
314 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
315 const size_t to_copy = std::min(input_length, buf.size() - buf_offset);
316 if(to_copy > 0) {
317 copy_mem(&buf[buf_offset], input, to_copy);
318 }
319 return to_copy;
320}

References BOTAN_ASSERT_NOMSG, and copy_mem().

◆ carry()

template<size_t S, int64_t MUL = 1>
requires (S > 0 && S < 64)
void Botan::carry ( int64_t & h0,
int64_t & h1 )
inline

◆ carry0() [1/2]

template<size_t S>
requires (S > 0 && S < 32)
void Botan::carry0 ( int32_t & h0,
int32_t & h1 )
inline

Definition at line 49 of file ed25519_internal.h.

51{
52 const int32_t X1 = (static_cast<int64_t>(1) << S);
53 int32_t c = h0 >> S;
54 h1 += c;
55 h0 -= c * X1;
56}

◆ carry0() [2/2]

template<size_t S>
requires (S > 0 && S < 64)
void Botan::carry0 ( int64_t & h0,
int64_t & h1 )
inline

Definition at line 39 of file ed25519_internal.h.

41{
42 const int64_t X1 = (static_cast<int64_t>(1) << S);
43 int64_t c = h0 >> S;
44 h1 += c;
45 h0 -= c * X1;
46}

◆ carry_shift()

uint64_t Botan::carry_shift ( const donna128 & a,
size_t shift )
inline

Definition at line 105 of file donna128.h.

105 {
106 return (a >> shift).lo();
107}

Referenced by bigint_shl1(), bigint_shl2(), bigint_shr1(), and bigint_shr2().

◆ cast_char_ptr_to_uint8() [1/2]

uint8_t * Botan::cast_char_ptr_to_uint8 ( char * s)
inline

Definition at line 280 of file mem_ops.h.

280 {
281 return reinterpret_cast<uint8_t*>(s);
282}

◆ cast_char_ptr_to_uint8() [2/2]

const uint8_t * Botan::cast_char_ptr_to_uint8 ( const char * s)
inline

◆ cast_uint8_ptr_to_char() [1/2]

const char * Botan::cast_uint8_ptr_to_char ( const uint8_t * b)
inline

◆ cast_uint8_ptr_to_char() [2/2]

char * Botan::cast_uint8_ptr_to_char ( uint8_t * b)
inline

Definition at line 284 of file mem_ops.h.

284 {
285 return reinterpret_cast<char*>(b);
286}

◆ ceil_log2()

template<typename T >
requires (std::is_integral<T>::value && sizeof(T) < 32)
constexpr uint8_t Botan::ceil_log2 ( T x)
constexpr

Definition at line 122 of file bit_ops.h.

124{
125 if(x >> (sizeof(T) * 8 - 1)) {
126 return sizeof(T) * 8;
127 }
128
129 uint8_t result = 0;
130 T compare = 1;
131
132 while(compare < x) {
133 compare <<= 1;
134 result++;
135 }
136
137 return result;
138}

References T.

Referenced by Botan::BigInt::ct_shift_left(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), and mceliece_work_factor().

◆ ceil_tobytes()

template<typename T >
requires (std::is_integral<T>::value)
constexpr T Botan::ceil_tobytes ( T bits)
inlineconstexpr

Return the number of bytes necessary to contain bits bits.

Definition at line 144 of file bit_ops.h.

146{
147 return (bits + 7) / 8;
148}

Referenced by Botan::FrodoMatrix::unpack().

◆ chain_lengths()

BOTAN_TEST_API std::vector< WotsHashIndex > Botan::chain_lengths ( const SphincsTreeNode & msg,
const Sphincs_Parameters & params )

Given a msg construct the lengths (amount of hashes for signature) for each WOTS+ chain, including the checksum.

Definition at line 85 of file sp_wots.cpp.

85 {
86 std::vector<WotsHashIndex> result(params.wots_len_1() + params.wots_len_2());
87
88 auto msg_base_w = std::span(result).first(params.wots_len_1());
89 auto checksum_base_w = std::span(result).last(params.wots_len_2());
90
91 base_w(msg_base_w, msg.get(), params);
92 wots_checksum(checksum_base_w, msg_base_w, params);
93
94 return result;
95}
uint32_t wots_len_2() const
uint32_t wots_len_1() const

References Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::wots_len_1(), and Botan::Sphincs_Parameters::wots_len_2().

Referenced by wots_public_key_from_signature(), and xmss_sign_and_pkgen().

◆ check_bcrypt()

bool Botan::check_bcrypt ( std::string_view password,
std::string_view hash )

Check a previously created password hash

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 159 of file bcrypt.cpp.

159 {
160 if(hash.size() != 60 || hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$') {
161 return false;
162 }
163
164 const char bcrypt_version = hash[2];
165
166 if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y') {
167 return false;
168 }
169
170 const uint16_t workfactor = to_uint16(hash.substr(4, 2));
171
172 const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
173 if(salt.size() != 16) {
174 return false;
175 }
176
177 const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
178
179 return CT::is_equal(cast_char_ptr_to_uint8(hash.data()), cast_char_ptr_to_uint8(compare.data()), compare.size())
180 .as_bool();
181}
uint16_t to_uint16(std::string_view str)
Definition parsing.cpp:22
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:272

References cast_char_ptr_to_uint8(), Botan::CT::is_equal(), and to_uint16().

Referenced by botan_bcrypt_is_valid().

◆ check_passhash9()

bool Botan::check_passhash9 ( std::string_view password,
std::string_view hash )

Check a previously created password hash

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 75 of file passhash9.cpp.

75 {
76 const size_t BINARY_LENGTH = ALGID_BYTES + WORKFACTOR_BYTES + PASSHASH9_PBKDF_OUTPUT_LEN + SALT_BYTES;
77
78 const size_t BASE64_LENGTH = MAGIC_PREFIX.size() + (BINARY_LENGTH * 8) / 6;
79
80 if(hash.size() != BASE64_LENGTH) {
81 return false;
82 }
83
84 for(size_t i = 0; i != MAGIC_PREFIX.size(); ++i) {
85 if(hash[i] != MAGIC_PREFIX[i]) {
86 return false;
87 }
88 }
89
90 secure_vector<uint8_t> bin = base64_decode(hash.data() + MAGIC_PREFIX.size());
91
92 if(bin.size() != BINARY_LENGTH) {
93 return false;
94 }
95
96 uint8_t alg_id = bin[0];
97
98 const size_t work_factor = load_be<uint16_t>(&bin[ALGID_BYTES], 0);
99
100 // Bug in the format, bad states shouldn't be representable, but are...
101 if(work_factor == 0) {
102 return false;
103 }
104
105 if(work_factor > 512) {
106 throw Invalid_Argument("Requested passhash9 work factor " + std::to_string(work_factor) + " is too large");
107 }
108
109 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
110
111 auto pbkdf_prf = get_pbkdf_prf(alg_id);
112
113 if(!pbkdf_prf) {
114 return false; // unknown algorithm, reject
115 }
116
117 PKCS5_PBKDF2 kdf(std::move(pbkdf_prf));
118
119 secure_vector<uint8_t> cmp =
120 kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES, kdf_iterations)
121 .bits_of();
122
123 const uint8_t* hashbytes = &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES];
124
125 return CT::is_equal(cmp.data(), hashbytes, PASSHASH9_PBKDF_OUTPUT_LEN).as_bool();
126}

References base64_decode(), Botan::OctetString::bits_of(), Botan::PBKDF::derive_key(), and Botan::CT::is_equal().

◆ checked_add()

size_t Botan::checked_add ( size_t x,
size_t y,
const char * file,
int line )
inline

Definition at line 30 of file safeint.h.

30 {
31#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_add_overflow)
32 size_t z;
33 if(__builtin_add_overflow(x, y, &z)) [[unlikely]]
34#elif defined(_MSC_VER)
35 size_t z;
36 if(SizeTAdd(x, y, &z) != S_OK) [[unlikely]]
37#else
38 size_t z = x + y;
39 if(z < x) [[unlikely]]
40#endif
41 {
42 throw Integer_Overflow_Detected(file, line);
43 }
44 return z;
45}

◆ checked_cast_to()

template<typename RT , typename AT >
RT Botan::checked_cast_to ( AT i)

Definition at line 65 of file safeint.h.

65 {
66 RT c = static_cast<RT>(i);
67 if(i != static_cast<AT>(c)) {
68 throw Internal_Error("Error during integer conversion");
69 }
70 return c;
71}

◆ checked_mul()

std::optional< size_t > Botan::checked_mul ( size_t x,
size_t y )
inline

Definition at line 47 of file safeint.h.

47 {
48#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_add_overflow)
49 size_t z;
50 if(__builtin_mul_overflow(x, y, &z)) [[unlikely]]
51#elif defined(_MSC_VER)
52 size_t z;
53 if(SizeTMult(x, y, &z) != S_OK) [[unlikely]]
54#else
55 size_t z = x * y;
56 if(y && z / y != x) [[unlikely]]
57#endif
58 {
59 return std::nullopt;
60 }
61 return z;
62}

◆ choose()

template<typename T >
constexpr T Botan::choose ( T mask,
T a,
T b )
inlineconstexpr

Definition at line 180 of file bit_ops.h.

180 {
181 //return (mask & a) | (~mask & b);
182 return (b ^ (mask & (a ^ b)));
183}

Referenced by majority(), Botan::CT::Mask< T >::select(), SHA2_32_F(), and SHA2_64_F().

◆ clear_bytes()

constexpr void Botan::clear_bytes ( void * ptr,
size_t bytes )
inlineconstexpr

Zero out some bytes. Warning: use secure_scrub_memory instead if the memory is about to be freed or otherwise the compiler thinks it can elide the writes.

Parameters
ptra pointer to memory to zero
bytesthe number of bytes to zero in ptr

Definition at line 103 of file mem_ops.h.

103 {
104 if(bytes > 0) {
105 std::memset(ptr, 0, bytes);
106 }
107}

Referenced by clear_mem(), clear_mem(), and Botan::Memory_Pool::Memory_Pool().

◆ clear_mem() [1/2]

template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
constexpr void Botan::clear_mem ( R && mem)
inlineconstexpr

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation.

Parameters
mema contiguous range of Ts to zero

Definition at line 132 of file mem_ops.h.

134{
135 clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem));
136}
constexpr void clear_bytes(void *ptr, size_t bytes)
Definition mem_ops.h:103

References clear_bytes(), and Botan::ranges::size_bytes().

◆ clear_mem() [2/2]

template<typename T >
constexpr void Botan::clear_mem ( T * ptr,
size_t n )
inlineconstexpr

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation (for example, if calling clear_mem before deallocating memory, the compiler would be allowed to omit the call to memset entirely under the as-if rule.)

Parameters
ptra pointer to an array of Ts to zero
nthe number of Ts pointed to by ptr

Definition at line 120 of file mem_ops.h.

120 {
121 clear_bytes(ptr, sizeof(T) * n);
122}

References clear_bytes(), and T.

Referenced by base_decode(), basecase_mul(), basecase_sqr(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), bigint_mul(), bigint_shl1(), bigint_shr1(), bigint_sqr(), Botan_FFI::botan_view_bin_bounce_fn(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::clear(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::ct_shift_left(), Botan::Bcrypt_PBKDF::derive_key(), Botan::ZFEC::encode_shares(), Botan::BigInt::encode_words(), Botan::FE_25519::FE_25519(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::fill_up_with_zeros(), Botan::StreamCipher::generate_keystream(), hex_decode(), Botan::BLAKE2b::key_schedule(), Botan::PKCS11::MechanismWrapper::MechanismParameters::MechanismParameters(), Botan::EC_Point_Var_Point_Precompute::mul(), pbkdf2(), redc_p521(), Botan::Modular_Reducer::reduce(), Botan::BigInt::reduce_below(), Botan::BigInt::rev_sub(), Botan::polyn_gf2m::set_to_zero(), Botan::polyn_gf2m::sqmod_init(), Botan_FFI::write_output(), Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::Zlib_Style_Stream(), and Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::~Zlib_Style_Stream().

◆ combine_lower()

uint64_t Botan::combine_lower ( const donna128 & a,
size_t s1,
const donna128 & b,
size_t s2 )
inline

Definition at line 109 of file donna128.h.

109 {
110 donna128 z = (a >> s1) | (b << s2);
111 return z.lo();
112}
uint64_t lo() const
Definition donna128.h:69

References Botan::donna128::lo().

◆ commoncrypto_adjust_key_size()

void Botan::commoncrypto_adjust_key_size ( const uint8_t key[],
size_t length,
const CommonCryptor_Opts & opts,
secure_vector< uint8_t > & full_key )

Definition at line 134 of file commoncrypto_utils.cpp.

137 {
138 if(opts.algo == kCCAlgorithmBlowfish && length < 8) {
139 size_t repeat;
140 switch(length) {
141 case 1:
142 repeat = 8;
143 break;
144 case 2:
145 repeat = 4;
146 break;
147 case 3:
148 repeat = 3;
149 break;
150 default:
151 repeat = 2;
152 break;
153 }
154
155 full_key.resize(length * repeat);
156 for(size_t i = 0; i < repeat; i++) {
157 copy_mem(full_key.data() + i * length, key, length);
158 }
159 } else if(opts.algo == kCCAlgorithm3DES && length == 16) {
160 full_key += std::make_pair(key, 8);
161 }
162}

References Botan::CommonCryptor_Opts::algo, and copy_mem().

◆ commoncrypto_opts_from_algo()

CommonCryptor_Opts Botan::commoncrypto_opts_from_algo ( std::string_view algo)

Definition at line 96 of file commoncrypto_utils.cpp.

96 {
97 SCAN_Name spec(algo);
98
99 std::string algo_name = spec.algo_name();
100 std::string cipher_mode = spec.cipher_mode();
101 std::string cipher_mode_padding = spec.cipher_mode_pad();
102
104
105 //TODO add CFB and XTS support
106 if(cipher_mode.empty() || cipher_mode == "ECB") {
107 opts.mode = kCCModeECB;
108 } else if(cipher_mode == "CBC") {
109 opts.mode = kCCModeCBC;
110 } else if(cipher_mode == "CTR") {
111 opts.mode = kCCModeCTR;
112 } else if(cipher_mode == "OFB") {
113 opts.mode = kCCModeOFB;
114 } else {
115 throw CommonCrypto_Error("Unsupported cipher mode!");
116 }
117
118 if(cipher_mode_padding == "NoPadding") {
119 opts.padding = ccNoPadding;
120 }
121 /*
122 else if(cipher_mode_padding.empty() || cipher_mode_padding == "PKCS7")
123 {
124 opts.padding = ccPKCS7Padding;
125 }
126 */
127 else {
128 throw CommonCrypto_Error("Unsupported cipher mode padding!");
129 }
130
131 return opts;
132}
CommonCryptor_Opts commoncrypto_opts_from_algo_name(std::string_view algo_name)

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::cipher_mode(), Botan::SCAN_Name::cipher_mode_pad(), commoncrypto_opts_from_algo_name(), Botan::CommonCryptor_Opts::mode, and Botan::CommonCryptor_Opts::padding.

Referenced by make_commoncrypto_cipher_mode().

◆ commoncrypto_opts_from_algo_name()

CommonCryptor_Opts Botan::commoncrypto_opts_from_algo_name ( std::string_view algo_name)

Definition at line 56 of file commoncrypto_utils.cpp.

56 {
58
59 if(algo_name.compare(0, 3, "AES") == 0) {
60 opts.algo = kCCAlgorithmAES;
61 opts.block_size = kCCBlockSizeAES128;
62 if(algo_name == "AES-128") {
63 opts.key_spec = Key_Length_Specification(kCCKeySizeAES128);
64 } else if(algo_name == "AES-192") {
65 opts.key_spec = Key_Length_Specification(kCCKeySizeAES192);
66 } else if(algo_name == "AES-256") {
67 opts.key_spec = Key_Length_Specification(kCCKeySizeAES256);
68 } else {
69 throw CommonCrypto_Error("Unknown AES algorithm");
70 }
71 } else if(algo_name == "DES") {
72 opts.algo = kCCAlgorithmDES;
73 opts.block_size = kCCBlockSizeDES;
74 opts.key_spec = Key_Length_Specification(kCCKeySizeDES);
75 } else if(algo_name == "TripleDES") {
76 opts.algo = kCCAlgorithm3DES;
77 opts.block_size = kCCBlockSize3DES;
78 opts.key_spec = Key_Length_Specification(16, kCCKeySize3DES, 8);
79 } else if(algo_name == "Blowfish") {
80 opts.algo = kCCAlgorithmBlowfish;
81 opts.block_size = kCCBlockSizeBlowfish;
82 opts.key_spec = Key_Length_Specification(1, kCCKeySizeMaxBlowfish, 1);
83 } else if(algo_name == "CAST-128") {
84 opts.algo = kCCAlgorithmCAST;
85 opts.block_size = kCCBlockSizeCAST;
86 // Botan's base implementation of CAST does not support shorter keys
87 // so we limit its minimum key size to 11 here.
88 opts.key_spec = Key_Length_Specification(11, kCCKeySizeMaxCAST, 1);
89 } else {
90 throw CommonCrypto_Error("Unsupported cipher");
91 }
92
93 return opts;
94}
Key_Length_Specification key_spec

References Botan::CommonCryptor_Opts::algo, Botan::CommonCryptor_Opts::block_size, and Botan::CommonCryptor_Opts::key_spec.

Referenced by commoncrypto_opts_from_algo(), and make_commoncrypto_block_cipher().

◆ compute_root()

BOTAN_TEST_API void Botan::compute_root ( StrongSpan< SphincsTreeNode > out,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes,
const SphincsTreeNode & leaf,
TreeNodeIndex leaf_idx,
uint32_t idx_offset,
StrongSpan< const SphincsAuthenticationPath > authentication_path,
uint32_t tree_height,
Sphincs_Address & tree_address )

Using a leaf node and the authentication path (neighbor nodes on the way from leaf to root), computes the the root node of the respective tree. This function is generic and used by FORS and XMSS in the SPHINCS+ verification logic.

Definition at line 111 of file sp_treehash.cpp.

119 {
120 BOTAN_ASSERT_NOMSG(out.size() == params.n());
121 BOTAN_ASSERT_NOMSG(authentication_path.size() == params.n() * total_tree_height);
122 BOTAN_ASSERT_NOMSG(leaf.size() == params.n());
123
124 // Use the `out` parameter as intermediate buffer for left/right nodes
125 // while traversing the tree.
126 copy_into(out, leaf);
127
128 // Views into either `auth_path` or `out` depending on the tree location.
131
132 BufferSlicer auth_path(authentication_path);
133
134 // The leaf is put in the left or right buffer, depending on its indexes parity.
135 // Same for the first node of the authentication path
136
137 for(TreeLayerIndex i(0); i < total_tree_height; i++) {
138 // The input of the hash function takes the current node and the node
139 // given in the authentication path. If the current node is a right node
140 // in the tree (i.e. its leaf index is uneven) the hash function inputs
141 // must be swapped.
142 left = out;
143 right = auth_path.take<SphincsTreeNode>(params.n());
144
145 if((leaf_idx & 1) == 1U) {
146 std::swap(left, right);
147 }
148
149 leaf_idx /= 2;
150 idx_offset /= 2;
151 tree_address.set_tree_height(i + 1).set_tree_index(leaf_idx + idx_offset);
152
153 hashes.T(out, tree_address, left, right);
154 }
155
156 BOTAN_ASSERT_NOMSG(auth_path.empty());
157}
Sphincs_Address & set_tree_height(TreeLayerIndex tree_height)
Definition sp_address.h:91
Sphincs_Address & set_tree_index(TreeNodeIndex tree_index)
Definition sp_address.h:96
void T(std::span< uint8_t > out, const Sphincs_Address &address, BufferTs &&... in)
Definition sp_hash.h:56
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))

References BOTAN_ASSERT_NOMSG, Botan::BufferSlicer::empty(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().

Referenced by fors_public_key_from_signature(), and ht_verify().

◆ concat()

template<typename... Ts>
decltype(auto) Botan::concat ( Ts &&... buffers)

Concatenate an arbitrary number of buffers.

Returns
the concatenation of buffers as the container type of the first buffer

Definition at line 257 of file stl_util.h.

257 {
258 static_assert(sizeof...(buffers) > 0, "concat requires at least one buffer");
259
260 using result_t = std::remove_cvref_t<std::tuple_element_t<0, std::tuple<Ts...>>>;
261 result_t result;
262 result.reserve((buffers.size() + ...));
263 (result.insert(result.end(), buffers.begin(), buffers.end()), ...);
264 return result;
265}

Referenced by Botan::PKIX::check_ocsp(), concat_as(), Botan::Kyber_PrivateKey::private_key_bits(), Botan::SphincsPlus_PrivateKey::private_key_bits(), and Botan::TLS::Hybrid_KEM_PublicKey::public_value().

◆ concat_as()

template<typename ResultT , typename... Ts>
ResultT Botan::concat_as ( Ts &&... buffers)

Concatenate an arbitrary number of buffers and define the output buffer type as a mandatory template parameter.

Returns
the concatenation of buffers as the user-defined container type

Definition at line 273 of file stl_util.h.

273 {
274 return concat(ResultT(), std::forward<Ts>(buffers)...);
275}
decltype(auto) concat(Ts &&... buffers)
Definition stl_util.h:257

References concat().

◆ constant_time_compare() [1/2]

bool Botan::constant_time_compare ( const uint8_t x[],
const uint8_t y[],
size_t len )
inline

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
true iff x[i] == y[i] forall i in [0...n)

Definition at line 90 of file mem_ops.h.

90 {
91 // simply assumes that *x and *y point to len allocated bytes at least
92 return constant_time_compare({x, len}, {y, len});
93}
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17

References constant_time_compare().

◆ constant_time_compare() [2/2]

bool Botan::constant_time_compare ( std::span< const uint8_t > x,
std::span< const uint8_t > y )

Memory comparison, input insensitive

Parameters
xa range of bytes
yanother range of bytes
Returns
true iff x and y have equal lengths and x[i] == y[i] forall i in [0...n)

Definition at line 17 of file mem_ops.cpp.

17 {
18 const auto min_size = CT::Mask<size_t>::is_lte(x.size(), y.size()).select(x.size(), y.size());
19 const auto equal_size = CT::Mask<size_t>::is_equal(x.size(), y.size());
20 const auto equal_content = CT::Mask<size_t>::expand(CT::is_equal(x.data(), y.data(), min_size));
21 return (equal_content & equal_size).as_bool();
22}

References Botan::CT::Mask< T >::expand(), Botan::CT::is_equal(), Botan::CT::Mask< T >::is_equal(), and Botan::CT::Mask< T >::is_lte().

Referenced by constant_time_compare().

◆ copy_mem() [1/2]

template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
constexpr void Botan::copy_mem ( OutR && out,
InR && in )
inlineconstexpr

Copy memory

Parameters
outthe destination array
inthe source array

Definition at line 162 of file mem_ops.h.

162 {
163 ranges::assert_equal_byte_lengths(out, in);
164 if(ranges::size_bytes(out) > 0) {
165 std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out));
166 }
167}

References Botan::ranges::assert_equal_byte_lengths(), and Botan::ranges::size_bytes().

◆ copy_mem() [2/2]

template<typename T >
requires std::is_trivial<typename std::decay<T>::type>::value
constexpr void Botan::copy_mem ( T * out,
const T * in,
size_t n )
inlineconstexpr

Copy memory

Parameters
outthe destination array
inthe source array
nthe number of elements of in/out

Definition at line 146 of file mem_ops.h.

146 {
147 BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null");
148
149 if(in != nullptr && out != nullptr && n > 0) {
150 std::memmove(out, in, sizeof(T) * n);
151 }
152}
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
Definition assert.h:77

References BOTAN_ASSERT_IMPLICATION, and T.

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), Botan::Argon2::blamka(), botan_privkey_ed25519_get_privkey(), botan_privkey_x25519_get_privkey(), botan_pubkey_ed25519_get_pubkey(), botan_pubkey_x25519_get_pubkey(), Botan_FFI::botan_view_bin_bounce_fn(), buffer_insert(), buffer_insert(), Botan::Ed25519_PublicKey::check_key(), commoncrypto_adjust_key_size(), Botan::Streebog::compress_64(), Botan::Sodium::crypto_auth_hmacsha512256(), Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_seed_keypair(), curve25519_donna(), ed25519_gen_keypair(), Botan::BigInt::encode_words(), Botan::CryptoBox::encrypt(), expand_message_xmd(), Botan::FE_25519::FE_25519(), Botan::RawHashFunction::final_result(), Botan::TLS::Stream_Handshake_IO::format(), Botan::CCM_Mode::format_b0(), Botan::CCM_Mode::format_c0(), Botan::TPM_Context::gen_random(), Botan::BER_Decoder::get_next_value(), Botan::GHASH::ghash_update(), hkdf_expand_label(), Botan::HKDF_Extract::kdf(), Botan::HKDF_Expand::kdf(), Botan::KDF1::kdf(), Botan::KDF1_18033::kdf(), Botan::KDF2::kdf(), Botan::X942_PRF::kdf(), Botan::SP800_108_Counter::kdf(), Botan::SP800_108_Feedback::kdf(), Botan::SP800_108_Pipeline::kdf(), Botan::BLAKE2b::key_schedule(), mceliece_decrypt(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), nist_key_unwrap(), nist_key_unwrap_padded(), nist_key_wrap(), nist_key_wrap_padded(), operator^(), Botan::DataSource_Memory::peek(), Botan::DataSource_Memory::read(), Botan::Blowfish::salted_set_key(), Botan::CTR_BE::seek(), Botan::TLS::Session_Keys::Session_Keys(), Botan::CFB_Mode::shift_register(), Botan::RTSS_Share::split(), Botan::polyn_gf2m::sqmod_init(), Botan::Montgomery_Params::square_this(), Botan::Buffered_Filter::write(), Botan::Hex_Encoder::write(), Botan::Base64_Encoder::write(), Botan::Base64_Decoder::write(), Botan::Hex_Decoder::write(), and Botan_FFI::write_output().

◆ copy_out_be()

template<typename T >
void Botan::copy_out_be ( uint8_t out[],
size_t out_bytes,
const T in[] )

Definition at line 507 of file loadstor.h.

507 {
508 while(out_bytes >= sizeof(T)) {
509 store_be(in[0], out);
510 out += sizeof(T);
511 out_bytes -= sizeof(T);
512 in += 1;
513 }
514
515 for(size_t i = 0; i != out_bytes; ++i) {
516 out[i] = get_byte_var(i % 8, in[0]);
517 }
518}
constexpr void store_be(T in, OutR &&out_range)
Definition loadstor.h:358

References get_byte_var(), store_be(), and T.

Referenced by copy_out_vec_be().

◆ copy_out_le()

template<typename T >
void Botan::copy_out_le ( uint8_t out[],
size_t out_bytes,
const T in[] )

Definition at line 526 of file loadstor.h.

526 {
527 while(out_bytes >= sizeof(T)) {
528 store_le(in[0], out);
529 out += sizeof(T);
530 out_bytes -= sizeof(T);
531 in += 1;
532 }
533
534 for(size_t i = 0; i != out_bytes; ++i) {
535 out[i] = get_byte_var(sizeof(T) - 1 - (i % 8), in[0]);
536 }
537}
constexpr void store_le(T in, OutR &&out_range)
Definition loadstor.h:383

References get_byte_var(), store_le(), and T.

Referenced by copy_out_vec_le(), and Botan::Sodium::crypto_core_hsalsa20().

◆ copy_out_vec_be()

template<typename T , typename Alloc >
void Botan::copy_out_vec_be ( uint8_t out[],
size_t out_bytes,
const std::vector< T, Alloc > & in )

Definition at line 521 of file loadstor.h.

521 {
522 copy_out_be(out, out_bytes, in.data());
523}
void copy_out_be(uint8_t out[], size_t out_bytes, const T in[])
Definition loadstor.h:507

References copy_out_be().

◆ copy_out_vec_le()

template<typename T , typename Alloc >
void Botan::copy_out_vec_le ( uint8_t out[],
size_t out_bytes,
const std::vector< T, Alloc > & in )

Definition at line 540 of file loadstor.h.

540 {
541 copy_out_le(out, out_bytes, in.data());
542}
void copy_out_le(uint8_t out[], size_t out_bytes, const T in[])
Definition loadstor.h:526

References copy_out_le().

Referenced by Botan::BLAKE2b::final_result().

◆ create_aes_row_generator()

auto Botan::create_aes_row_generator ( const FrodoKEMConstants & constants,
StrongSpan< const FrodoSeedA > seed_a )
inline

Definition at line 25 of file frodo_aes_generator.h.

25 {
26 BOTAN_ASSERT_NOMSG(constants.mode().is_aes());
27
28 auto setup_aes = [](StrongSpan<const FrodoSeedA> seed) {
29 AES_128 aes;
30 aes.set_key(seed);
31 return aes;
32 };
33
34 return [n = constants.n(), aes = setup_aes(seed_a)](std::span<uint8_t> out, uint16_t i) {
35 BufferStuffer out_bs(out);
36
37 for(size_t j = 0; j < n; j += 8) {
38 // set up the to-be-encrypted 'b' value in the out variable
39 // for in-place encryption of the block cipher
40 auto out_coefs = out_bs.next(aes.block_size());
41
42 // b = i || j || 0000...
43 store_le(static_cast<uint16_t>(i), out_coefs.data());
44 store_le(static_cast<uint16_t>(j), out_coefs.data() + sizeof(uint16_t));
45 for(size_t ii = 4; ii < out_coefs.size(); ++ii) {
46 out_coefs[ii] = 0;
47 }
48
49 aes.encrypt(out_coefs);
50 }
51 };
52}
void encrypt(const uint8_t in[], uint8_t out[]) const
size_t block_size() const final
FrodoKEMMode mode() const
bool is_aes() const
Definition frodo_mode.h:61
void set_key(const SymmetricKey &key)
Definition sym_algo.h:113

References BOTAN_ASSERT_NOMSG, Botan::FrodoKEMMode::is_aes(), Botan::FrodoKEMConstants::mode(), Botan::FrodoKEMConstants::n(), Botan::BufferStuffer::next(), Botan::SymmetricAlgorithm::set_key(), and store_le().

◆ create_ec_private_key()

std::unique_ptr< Private_Key > Botan::create_ec_private_key ( std::string_view algo_name,
const EC_Group & group,
RandomNumberGenerator & rng )

Create a new ECC key

Definition at line 329 of file pk_algs.cpp.

331 {
332 // Potentially unused if all EC algorithms are disabled
333 BOTAN_UNUSED(alg_name, ec_group, rng);
334
335#if defined(BOTAN_HAS_ECDSA)
336 if(alg_name == "ECDSA") {
337 return std::make_unique<ECDSA_PrivateKey>(rng, ec_group);
338 }
339#endif
340
341#if defined(BOTAN_HAS_ECDH)
342 if(alg_name == "ECDH") {
343 return std::make_unique<ECDH_PrivateKey>(rng, ec_group);
344 }
345#endif
346
347#if defined(BOTAN_HAS_ECKCDSA)
348 if(alg_name == "ECKCDSA") {
349 return std::make_unique<ECKCDSA_PrivateKey>(rng, ec_group);
350 }
351#endif
352
353#if defined(BOTAN_HAS_GOST_34_10_2001)
354 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
355 return std::make_unique<GOST_3410_PrivateKey>(rng, ec_group);
356 }
357#endif
358
359#if defined(BOTAN_HAS_SM2)
360 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
361 return std::make_unique<SM2_PrivateKey>(rng, ec_group);
362 }
363#endif
364
365#if defined(BOTAN_HAS_ECGDSA)
366 if(alg_name == "ECGDSA") {
367 return std::make_unique<ECGDSA_PrivateKey>(rng, ec_group);
368 }
369#endif
370
371 return nullptr;
372}

References BOTAN_UNUSED.

Referenced by create_private_key().

◆ create_hex_fingerprint() [1/2]

std::string Botan::create_hex_fingerprint ( const uint8_t bits[],
size_t bits_len,
std::string_view hash_name )

Definition at line 30 of file pk_keys.cpp.

30 {
31 auto hash_fn = HashFunction::create_or_throw(hash_name);
32 const std::string hex_hash = hex_encode(hash_fn->process(bits, bits_len));
33
34 std::string fprint;
35
36 for(size_t i = 0; i != hex_hash.size(); i += 2) {
37 if(i != 0) {
38 fprint.push_back(':');
39 }
40
41 fprint.push_back(hex_hash[i]);
42 fprint.push_back(hex_hash[i + 1]);
43 }
44
45 return fprint;
46}
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:33

References Botan::HashFunction::create_or_throw(), and hex_encode().

Referenced by create_hex_fingerprint(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and Botan::Public_Key::fingerprint_public().

◆ create_hex_fingerprint() [2/2]

std::string Botan::create_hex_fingerprint ( std::span< const uint8_t > vec,
std::string_view hash_name )
inline

Definition at line 386 of file pk_keys.h.

386 {
387 return create_hex_fingerprint(vec.data(), vec.size(), hash_name);
388}
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:30

References create_hex_fingerprint().

◆ create_private_key()

std::unique_ptr< Private_Key > Botan::create_private_key ( std::string_view algo_name,
RandomNumberGenerator & rng,
std::string_view algo_params = "",
std::string_view provider = "" )

Create a new key For ECC keys, algo_params specifies EC group (eg, "secp256r1") For DH/DSA/ElGamal keys, algo_params is DL group (eg, "modp/ietf/2048") For RSA, algo_params is integer keylength For McEliece, algo_params is n,t If algo_params is left empty, suitable default parameters are chosen.

Definition at line 374 of file pk_algs.cpp.

377 {
378 /*
379 * Default paramaters are chosen for work factor > 2**128 where possible
380 */
381
382#if defined(BOTAN_HAS_CURVE_25519)
383 if(alg_name == "Curve25519") {
384 return std::make_unique<Curve25519_PrivateKey>(rng);
385 }
386#endif
387
388#if defined(BOTAN_HAS_RSA)
389 if(alg_name == "RSA") {
390 const size_t modulus_bits = params.empty() ? 3072 : to_u32bit(params);
391 return std::make_unique<RSA_PrivateKey>(rng, modulus_bits);
392 }
393#endif
394
395#if defined(BOTAN_HAS_MCELIECE)
396 if(alg_name == "McEliece") {
397 const auto [n, t] = [&]() -> std::pair<size_t, size_t> {
398 if(params.empty()) {
399 return {2960, 57};
400 }
401
402 const auto mce_params = split_on(params, ',');
403
404 if(mce_params.size() != 2) {
405 throw Invalid_Argument(fmt("create_private_key: invalid McEliece parameters '{}'", params));
406 }
407
408 const size_t mce_n = to_u32bit(mce_params[0]);
409 const size_t mce_t = to_u32bit(mce_params[1]);
410 return {mce_n, mce_t};
411 }();
412
413 return std::make_unique<McEliece_PrivateKey>(rng, n, t);
414 }
415#endif
416
417#if defined(BOTAN_HAS_FRODOKEM)
418 if(alg_name == "FrodoKEM") {
419 const auto mode = params.empty() ? FrodoKEMMode::FrodoKEM976_SHAKE : FrodoKEMMode(params);
420 return std::make_unique<FrodoKEM_PrivateKey>(rng, mode);
421 }
422#endif
423
424#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
425 if(alg_name == "Kyber") {
426 const auto mode = [&]() -> KyberMode {
427 if(params.empty()) {
428 return KyberMode::Kyber1024_R3;
429 }
430 return KyberMode(params);
431 }();
432
433 return std::make_unique<Kyber_PrivateKey>(rng, mode);
434 }
435#endif
436
437#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
438 if(alg_name == "Dilithium" || alg_name == "Dilithium-") {
439 const auto mode = [&]() -> DilithiumMode {
440 if(params.empty()) {
441 return DilithiumMode::Dilithium6x5;
442 }
443 return DilithiumMode(params);
444 }();
445
446 return std::make_unique<Dilithium_PrivateKey>(rng, mode);
447 }
448#endif
449
450#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
451 if(alg_name == "SPHINCS+" || alg_name == "SphincsPlus-") {
452 auto sphincs_params = Sphincs_Parameters::create(params);
453
454 return std::make_unique<SphincsPlus_PrivateKey>(rng, sphincs_params);
455 }
456#endif
457
458#if defined(BOTAN_HAS_XMSS_RFC8391)
459 if(alg_name == "XMSS") {
460 const auto xmss_oid = [&]() -> XMSS_Parameters::xmss_algorithm_t {
461 if(params.empty()) {
462 return XMSS_Parameters::XMSS_SHA2_10_512;
463 }
464 return XMSS_Parameters(params).oid();
465 }();
466
467 return std::make_unique<XMSS_PrivateKey>(xmss_oid, rng);
468 }
469#endif
470
471#if defined(BOTAN_HAS_ED25519)
472 if(alg_name == "Ed25519") {
473 return std::make_unique<Ed25519_PrivateKey>(rng);
474 }
475#endif
476
477 // ECC crypto
478#if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
479
480 if(alg_name == "ECDSA" || alg_name == "ECDH" || alg_name == "ECKCDSA" || alg_name == "ECGDSA" || alg_name == "SM2" ||
481 alg_name == "SM2_Sig" || alg_name == "SM2_Enc" || alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" ||
482 alg_name == "GOST-34.10-2012-512") {
483 const std::string group_id = [&]() -> std::string {
484 if(!params.empty()) {
485 return std::string(params);
486 }
487 if(alg_name == "SM2" || alg_name == "SM2_Enc" || alg_name == "SM2_Sig") {
488 return "sm2p256v1";
489 }
490 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256") {
491 return "gost_256A";
492 }
493 if(alg_name == "GOST-34.10-2012-512") {
494 return "gost_512A";
495 }
496 if(alg_name == "ECGDSA") {
497 return "brainpool256r1";
498 }
499 return "secp256r1";
500 }();
501
502 const EC_Group ec_group(group_id);
503 return create_ec_private_key(alg_name, ec_group, rng);
504 }
505#endif
506
507 // DL crypto
508#if defined(BOTAN_HAS_DL_GROUP)
509 if(alg_name == "DH" || alg_name == "DSA" || alg_name == "ElGamal") {
510 const std::string group_id = [&]() -> std::string {
511 if(!params.empty()) {
512 return std::string(params);
513 }
514 if(alg_name == "DSA") {
515 return "dsa/botan/2048";
516 }
517 return "modp/ietf/2048";
518 }();
519
520 DL_Group modp_group(group_id);
521
522 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
523 if(alg_name == "DH") {
524 return std::make_unique<DH_PrivateKey>(rng, modp_group);
525 }
526 #endif
527
528 #if defined(BOTAN_HAS_DSA)
529 if(alg_name == "DSA") {
530 return std::make_unique<DSA_PrivateKey>(rng, modp_group);
531 }
532 #endif
533
534 #if defined(BOTAN_HAS_ELGAMAL)
535 if(alg_name == "ElGamal") {
536 return std::make_unique<ElGamal_PrivateKey>(rng, modp_group);
537 }
538 #endif
539 }
540#endif
541
542 BOTAN_UNUSED(alg_name, rng, params, provider);
543
544 return std::unique_ptr<Private_Key>();
545}
std::unique_ptr< Private_Key > create_ec_private_key(std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
Definition pk_algs.cpp:329

References BOTAN_UNUSED, Botan::Sphincs_Parameters::create(), create_ec_private_key(), Botan::DilithiumMode::Dilithium6x5, fmt(), Botan::FrodoKEMMode::FrodoKEM976_SHAKE, Botan::KyberMode::Kyber1024_R3, Botan::XMSS_Parameters::oid(), split_on(), to_u32bit(), and Botan::XMSS_Parameters::XMSS_SHA2_10_512.

Referenced by botan_privkey_create(), and Botan::TLS::Hybrid_KEM_PrivateKey::generate_from_group().

◆ create_shake_row_generator()

auto Botan::create_shake_row_generator ( const FrodoKEMConstants & constants,
StrongSpan< const FrodoSeedA > seed_a )
inline

Definition at line 23 of file frodo_shake_generator.h.

23 {
24 BOTAN_ASSERT_NOMSG(constants.mode().is_shake());
25
26 return [xof = SHAKE_128_XOF(), a = FrodoSeedA(seed_a)](std::span<uint8_t> out, uint16_t i) mutable {
27 xof.clear();
28 // TODO: update that once #3707 is merged
29 // potentially add a new method: std::array<uint8_t, XX> as_le(uintXX_t)
30 std::array<uint8_t, 2> le;
31 store_le(i, le.data());
32 xof.update(le);
33 xof.update(a);
34 xof.output(out);
35 };
36}
bool is_shake() const
Definition frodo_mode.h:56

References BOTAN_ASSERT_NOMSG, Botan::FrodoKEMMode::is_shake(), Botan::FrodoKEMConstants::mode(), and store_le().

◆ ct_compare_u8()

uint8_t Botan::ct_compare_u8 ( const uint8_t x[],
const uint8_t y[],
size_t len )

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
0xFF iff x[i] == y[i] forall i in [0...n) or 0x00 otherwise

Definition at line 13 of file mem_ops.cpp.

13 {
14 return CT::is_equal(x, y, len).value();
15}

References Botan::CT::is_equal().

◆ ct_divide() [1/2]

BigInt Botan::ct_divide ( const BigInt & x,
const BigInt & y )
inline

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
Returns
x/y with remainder discarded

Definition at line 49 of file divide.h.

49 {
50 BigInt q, r;
51 ct_divide(x, y, q, r);
52 return q;
53}
void ct_divide(const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:48

References ct_divide().

◆ ct_divide() [2/2]

BOTAN_TEST_API void Botan::ct_divide ( const BigInt & x,
const BigInt & y,
BigInt & q,
BigInt & r )

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 48 of file divide.cpp.

48 {
49 if(y.is_zero()) {
50 throw Invalid_Argument("ct_divide: cannot divide by zero");
51 }
52
53 const size_t x_words = x.sig_words();
54 const size_t y_words = y.sig_words();
55
56 const size_t x_bits = x.bits();
57
58 BigInt q = BigInt::with_capacity(x_words);
59 BigInt r = BigInt::with_capacity(y_words);
60 BigInt t = BigInt::with_capacity(y_words); // a temporary
61
62 for(size_t i = 0; i != x_bits; ++i) {
63 const size_t b = x_bits - 1 - i;
64 const bool x_b = x.get_bit(b);
65
66 r *= 2;
67 r.conditionally_set_bit(0, x_b);
68
69 const bool r_gte_y = bigint_sub3(t.mutable_data(), r.data(), r.size(), y.data(), y_words) == 0;
70
71 q.conditionally_set_bit(b, r_gte_y);
72 r.ct_cond_swap(r_gte_y, t);
73 }
74
75 sign_fixup(x, y, q, r);
76 r_out = r;
77 q_out = q;
78}
size_t sig_words() const
Definition bigint.h:584
const word * data() const
Definition bigint.h:615
size_t bits() const
Definition bigint.cpp:290
bool is_zero() const
Definition bigint.h:428
bool get_bit(size_t n) const
Definition bigint.h:467

References bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::data(), Botan::BigInt::get_bit(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().

Referenced by ct_divide(), Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), lcm(), and Botan::Modular_Reducer::Modular_Reducer().

◆ ct_divide_word()

BOTAN_TEST_API void Botan::ct_divide_word ( const BigInt & x,
word y,
BigInt & q,
word & r )

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 80 of file divide.cpp.

80 {
81 if(y == 0) {
82 throw Invalid_Argument("ct_divide_word: cannot divide by zero");
83 }
84
85 const size_t x_words = x.sig_words();
86 const size_t x_bits = x.bits();
87
88 BigInt q = BigInt::with_capacity(x_words);
89 word r = 0;
90
91 for(size_t i = 0; i != x_bits; ++i) {
92 const size_t b = x_bits - 1 - i;
93 const bool x_b = x.get_bit(b);
94
95 const auto r_carry = CT::Mask<word>::expand(r >> (BOTAN_MP_WORD_BITS - 1));
96
97 r *= 2;
98 r += x_b;
99
100 const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
101 q.conditionally_set_bit(b, r_gte_y.as_bool());
102 r = r_gte_y.select(r - y, r);
103 }
104
105 if(x.is_negative()) {
106 q.flip_sign();
107 if(r != 0) {
108 --q;
109 r = y - r;
110 }
111 }
112
113 r_out = r;
114 q_out = q;
115}
bool is_negative() const
Definition bigint.h:528

References Botan::BigInt::bits(), BOTAN_MP_WORD_BITS, Botan::BigInt::conditionally_set_bit(), Botan::CT::Mask< T >::expand(), Botan::BigInt::flip_sign(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), Botan::BigInt::is_negative(), Botan::BigInt::sig_words(), and Botan::BigInt::with_capacity().

Referenced by operator/(), and Botan::BigInt::to_dec_string().

◆ ct_is_zero()

template<typename T >
requires (std::is_integral<T>::value)
constexpr T Botan::ct_is_zero ( T x)
inlineconstexpr

If arg is zero, return ~0. Otherwise return 0

Definition at line 33 of file bit_ops.h.

35{
36 return expand_top_bit<T>(~x & (x - 1));
37}

Referenced by ctz(), and prefetch_array_raw().

◆ ct_modulo()

BOTAN_TEST_API BigInt Botan::ct_modulo ( const BigInt & x,
const BigInt & modulo )

BigInt modulo, const time variant

Using this function is (slightly) cheaper than calling ct_divide and using only the remainder.

Parameters
xa non-negative integer
moduloa positive integer
Returns
result x % modulo

Definition at line 117 of file divide.cpp.

117 {
118 if(y.is_negative() || y.is_zero()) {
119 throw Invalid_Argument("ct_modulo requires y > 0");
120 }
121
122 const size_t y_words = y.sig_words();
123
124 const size_t x_bits = x.bits();
125
126 BigInt r = BigInt::with_capacity(y_words);
127 BigInt t = BigInt::with_capacity(y_words);
128
129 for(size_t i = 0; i != x_bits; ++i) {
130 const size_t b = x_bits - 1 - i;
131 const bool x_b = x.get_bit(b);
132
133 r *= 2;
134 r.conditionally_set_bit(0, x_b);
135
136 const bool r_gte_y = bigint_sub3(t.mutable_data(), r.data(), r.size(), y.data(), y_words) == 0;
137
138 r.ct_cond_swap(r_gte_y, t);
139 }
140
141 if(x.is_negative()) {
142 if(r.is_nonzero()) {
143 r = y - r;
144 }
145 }
146
147 return r;
148}

References bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::data(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().

Referenced by Botan::RSA_PrivateKey::check_key(), inverse_mod(), Botan::Modular_Reducer::reduce(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ ctz()

template<typename T >
requires (std::is_integral<T>::value)
constexpr size_t Botan::ctz ( T n)
inlineconstexpr

Count the trailing zero bits in n

Parameters
nan integer value
Returns
maximum x st 2^x divides n

Definition at line 102 of file bit_ops.h.

104{
105 /*
106 * If n == 0 then this function will compute 8*sizeof(T)-1, so
107 * initialize lb to 1 if n == 0 to produce the expected result.
108 */
109 size_t lb = ct_is_zero(n) & 1;
110
111 for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) {
112 const T mask = (static_cast<T>(1) << s) - 1;
113 const size_t z = s * (ct_is_zero(n & mask) & 1);
114 lb += z;
115 n >>= z;
116 }
117
118 return lb;
119}
constexpr T ct_is_zero(T x)
Definition bit_ops.h:33

References ct_is_zero(), and T.

Referenced by low_zero_bits().

◆ curve25519_basepoint()

void Botan::curve25519_basepoint ( uint8_t mypublic[32],
const uint8_t secret[32] )

Exponentiate by the x25519 base point

Parameters
mypublicoutput value
secretrandom scalar

Definition at line 18 of file curve25519.cpp.

18 {
19 const uint8_t basepoint[32] = {9};
20 curve25519_donna(mypublic, secret, basepoint);
21}

References curve25519_donna().

Referenced by Botan::Curve25519_PrivateKey::check_key(), Botan::Sodium::crypto_scalarmult_curve25519_base(), Botan::Curve25519_PrivateKey::Curve25519_PrivateKey(), Botan::Curve25519_PrivateKey::Curve25519_PrivateKey(), and Botan::Curve25519_PrivateKey::Curve25519_PrivateKey().

◆ curve25519_donna()

void Botan::curve25519_donna ( uint8_t mypublic[32],
const uint8_t secret[32],
const uint8_t basepoint[32] )

Definition at line 452 of file donna.cpp.

452 {
453 CT::poison(secret, 32);
454 CT::poison(basepoint, 32);
455
456 uint64_t bp[5], x[5], z[5], zmone[5];
457 uint8_t e[32];
458
459 copy_mem(e, secret, 32);
460 e[0] &= 248;
461 e[31] &= 127;
462 e[31] |= 64;
463
464 fexpand(bp, basepoint);
465 cmult(x, z, e, bp);
466 crecip(zmone, z);
467 fmul(z, x, zmone);
468 fcontract(mypublic, z);
469
470 CT::unpoison(secret, 32);
471 CT::unpoison(basepoint, 32);
472 CT::unpoison(mypublic, 32);
473}

References copy_mem(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by Botan::Sodium::crypto_scalarmult_curve25519(), and curve25519_basepoint().

◆ deallocate_memory()

void Botan::deallocate_memory ( void * p,
size_t elems,
size_t elem_size )

Free a pointer returned by allocate_memory

Parameters
pthe pointer returned by allocate_memory
elemsthe number of elements, as passed to allocate_memory
elem_sizethe size of each element, as passed to allocate_memory

Definition at line 48 of file allocator.cpp.

48 {
49 if(p == nullptr) {
50 [[unlikely]] return;
51 }
52
53 secure_scrub_memory(p, elems * elem_size);
54
55#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
56 if(mlock_allocator::instance().deallocate(p, elems, elem_size)) {
57 return;
58 }
59#endif
60
61 std::free(p); // NOLINT(*-no-malloc)
62}

References Botan::mlock_allocator::instance(), and secure_scrub_memory().

Referenced by Botan::secure_allocator< T >::deallocate().

◆ decode_gf2m()

gf2m Botan::decode_gf2m ( const uint8_t * mem)

Definition at line 101 of file gf2m_small_m.cpp.

101 {
102 gf2m result;
103 result = mem[0] << 8;
104 result |= mem[1];
105 return result;
106}
uint16_t gf2m

Referenced by Botan::polyn_gf2m::polyn_gf2m().

◆ dl_exponent_size()

size_t BOTAN_TEST_API Botan::dl_exponent_size ( size_t prime_group_size)

Return the appropriate exponent size to use for a particular prime group. This is twice the size of the estimated cost of breaking the key using an index calculus attack; the assumption is that if an arbitrary discrete log on a group of size bits would take about 2^n effort, and thus using an exponent of size 2^(2*n) implies that all available attacks are about as easy (as e.g Pollard's kangaroo algorithm can compute the DL in sqrt(x) operations) while minimizing the exponent size for performance reasons.

Definition at line 52 of file workfactor.cpp.

52 {
53 if(bits == 0) {
54 return 0;
55 }
56 if(bits <= 256) {
57 return bits - 1;
58 }
59 if(bits <= 1024) {
60 return 192;
61 }
62 if(bits <= 1536) {
63 return 224;
64 }
65 if(bits <= 2048) {
66 return 256;
67 }
68 if(bits <= 4096) {
69 return 384;
70 }
71 return 512;
72}

Referenced by Botan::DL_Group::DL_Group().

◆ dl_work_factor()

size_t BOTAN_TEST_API Botan::dl_work_factor ( size_t prime_group_size)

Estimate work factor for discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 47 of file workfactor.cpp.

47 {
48 // Lacking better estimates...
49 return if_work_factor(bits);
50}
size_t if_work_factor(size_t bits)

References if_work_factor().

◆ do_throw_error()

template<typename E , typename... Args>
void Botan::do_throw_error ( const char * file,
int line,
const char * func,
Args... args )
inline

Definition at line 342 of file exceptn.h.

342 {
343 throw E(file, line, func, args...);
344}

◆ ecp_work_factor()

size_t Botan::ecp_work_factor ( size_t prime_group_size)

Estimate work factor for EC discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 14 of file workfactor.cpp.

14 {
15 return bits / 2;
16}

Referenced by Botan::EC_PublicKey::estimated_strength().

◆ ed25519_gen_keypair() [1/2]

void Botan::ed25519_gen_keypair ( uint8_t * pk,
uint8_t * sk,
const uint8_t seed[32] )

Definition at line 20 of file ed25519.cpp.

20 {
21 uint8_t az[64];
22
23 SHA_512 sha;
24 sha.update(seed, 32);
25 sha.final(az);
26 az[0] &= 248;
27 az[31] &= 63;
28 az[31] |= 64;
29
30 ge_scalarmult_base(pk, az);
31
32 // todo copy_mem
33 copy_mem(sk, seed, 32);
34 copy_mem(sk + 32, pk, 32);
35}
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:35
void final(uint8_t out[])
Definition buf_comp.h:70
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32])
Definition ge.cpp:2043

References copy_mem(), Botan::Buffered_Computation::final(), ge_scalarmult_base(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_seed_keypair(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), and Botan::Ed25519_PrivateKey::Ed25519_PrivateKey().

◆ ed25519_gen_keypair() [2/2]

void Botan::ed25519_gen_keypair ( uint8_t pk[32],
uint8_t sk[64],
const uint8_t seed[32] )

◆ ed25519_sign()

void Botan::ed25519_sign ( uint8_t sig[64],
const uint8_t m[],
size_t mlen,
const uint8_t sk[64],
const uint8_t domain_sep[],
size_t domain_sep_len )

Definition at line 37 of file ed25519.cpp.

42 {
43 uint8_t az[64];
44 uint8_t nonce[64];
45 uint8_t hram[64];
46
47 SHA_512 sha;
48
49 sha.update(sk, 32);
50 sha.final(az);
51 az[0] &= 248;
52 az[31] &= 63;
53 az[31] |= 64;
54
55 sha.update(domain_sep, domain_sep_len);
56 sha.update(az + 32, 32);
57 sha.update(m, mlen);
58 sha.final(nonce);
59
60 sc_reduce(nonce);
61 ge_scalarmult_base(sig, nonce);
62
63 sha.update(domain_sep, domain_sep_len);
64 sha.update(sig, 32);
65 sha.update(sk + 32, 32);
66 sha.update(m, mlen);
67 sha.final(hram);
68
69 sc_reduce(hram);
70 sc_muladd(sig + 32, hram, az, nonce);
71}
void sc_reduce(uint8_t *)
Definition sc_reduce.cpp:25
void sc_muladd(uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
Definition sc_muladd.cpp:26

References Botan::Buffered_Computation::final(), ge_scalarmult_base(), sc_muladd(), sc_reduce(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_detached().

◆ ed25519_verify() [1/2]

bool Botan::ed25519_verify ( const uint8_t * m,
size_t mlen,
const uint8_t sig[64],
const uint8_t * pk,
const uint8_t domain_sep[],
size_t domain_sep_len )

Definition at line 73 of file ed25519.cpp.

78 {
79 uint8_t h[64];
80 uint8_t rcheck[32];
81 ge_p3 A;
82 SHA_512 sha;
83
84 if(sig[63] & 224) {
85 return false;
86 }
87 if(ge_frombytes_negate_vartime(&A, pk) != 0) {
88 return false;
89 }
90
91 const uint64_t CURVE25519_ORDER[4] = {
92 0x1000000000000000,
93 0x0000000000000000,
94 0x14def9dea2f79cd6,
95 0x5812631a5cf5d3ed,
96 };
97
98 const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3),
99 load_le<uint64_t>(sig + 32, 2),
100 load_le<uint64_t>(sig + 32, 1),
101 load_le<uint64_t>(sig + 32, 0)};
102
103 // RFC 8032 adds the requirement that we verify that s < order in
104 // the signature; this did not exist in the original Ed25519 spec.
105 for(size_t i = 0; i != 4; ++i) {
106 if(s[i] > CURVE25519_ORDER[i]) {
107 return false;
108 }
109 if(s[i] < CURVE25519_ORDER[i]) {
110 break;
111 }
112 if(i == 3) { // here s == order
113 return false;
114 }
115 }
116
117 sha.update(domain_sep, domain_sep_len);
118 sha.update(sig, 32);
119 sha.update(pk, 32);
120 sha.update(m, mlen);
121 sha.final(h);
122 sc_reduce(h);
123
124 ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);
125
126 return CT::is_equal(rcheck, sig, 32).as_bool();
127}
void ge_double_scalarmult_vartime(uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])

References Botan::Buffered_Computation::final(), ge_double_scalarmult_vartime(), ge_frombytes_negate_vartime(), Botan::CT::is_equal(), sc_reduce(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_verify_detached().

◆ ed25519_verify() [2/2]

bool Botan::ed25519_verify ( const uint8_t msg[],
size_t msg_len,
const uint8_t sig[64],
const uint8_t pk[32],
const uint8_t domain_sep[],
size_t domain_sep_len )

◆ encode_gf2m()

uint32_t Botan::encode_gf2m ( gf2m to_enc,
uint8_t * mem )

Definition at line 95 of file gf2m_small_m.cpp.

95 {
96 mem[0] = to_enc >> 8;
97 mem[1] = to_enc & 0xFF;
98 return sizeof(to_enc);
99}

◆ expand_mask_16bit()

template<typename T >
uint16_t Botan::expand_mask_16bit ( T tst)

Expand an input to a bit mask depending on it being being zero or non-zero

Parameters
tstthe input
Returns
the mask 0xFFFF if tst is non-zero and 0 otherwise

Definition at line 25 of file code_based_util.h.

25 {
26 const uint16_t result = (tst != 0);
27 return ~(result - 1);
28}

Referenced by Botan::polyn_gf2m::calc_degree_secure(), Botan::polyn_gf2m::eea_with_coefficients(), and Botan::polyn_gf2m::patchup_deg_secure().

◆ expand_message_xmd()

void BOTAN_TEST_API Botan::expand_message_xmd ( std::string_view hash_fn,
uint8_t output[],
size_t output_len,
const uint8_t input[],
size_t input_len,
const uint8_t domain_sep[],
size_t domain_sep_len )

expand_message_xmd

Definition at line 17 of file ec_h2c.cpp.

23 {
24 if(domain_sep_len > 0xFF) {
25 throw Invalid_Argument("expand_message_xmd domain seperator too long");
26 }
27
28 auto hash = HashFunction::create_or_throw(hash_fn);
29 const size_t block_size = hash->hash_block_size();
30 if(block_size == 0) {
31 throw Invalid_Argument(fmt("expand_message_xmd cannot be used with {}", hash_fn));
32 }
33
34 const size_t hash_output_size = hash->output_length();
35 if(output_len > 255 * hash_output_size || output_len > 0xFFFF) {
36 throw Invalid_Argument("expand_message_xmd requested output length too long");
37 }
38
39 // Compute b_0 = H(msg_prime) = H(Z_pad || msg || l_i_b_str || 0x00 || DST_prime)
40
41 hash->update(std::vector<uint8_t>(block_size));
42 hash->update(input, input_len);
43 hash->update_be(static_cast<uint16_t>(output_len));
44 hash->update(0x00);
45 hash->update(domain_sep, domain_sep_len);
46 hash->update(static_cast<uint8_t>(domain_sep_len));
47
48 const secure_vector<uint8_t> b_0 = hash->final();
49
50 // Compute b_1 = H(b_0 || 0x01 || DST_prime)
51
52 hash->update(b_0);
53 hash->update(0x01);
54 hash->update(domain_sep, domain_sep_len);
55 hash->update(static_cast<uint8_t>(domain_sep_len));
56
57 secure_vector<uint8_t> b_i = hash->final();
58
59 uint8_t cnt = 2;
60 while(output_len > 0) {
61 const size_t produced = std::min(output_len, hash_output_size);
62
63 copy_mem(output, b_i.data(), produced);
64 output += produced;
65 output_len -= produced;
66
67 // Now compute the next b_i
68
69 b_i ^= b_0;
70 hash->update(b_i);
71 hash->update(cnt);
72 hash->update(domain_sep, domain_sep_len);
73 hash->update(static_cast<uint8_t>(domain_sep_len));
74 hash->final(b_i.data());
75 cnt += 1;
76 }
77}

References copy_mem(), Botan::HashFunction::create_or_throw(), and fmt().

◆ expand_top_bit()

template<typename T >
requires (std::is_integral<T>::value)
constexpr T Botan::expand_top_bit ( T a)
inlineconstexpr

If top bit of arg is set, return ~0. Otherwise return 0.

Definition at line 23 of file bit_ops.h.

25{
26 return static_cast<T>(0) - (a >> (sizeof(T) * 8 - 1));
27}

References T.

Referenced by Botan::CT::Mask< T >::is_any_of(), and Botan::CT::Mask< T >::is_within_range().

◆ fe_0()

void Botan::fe_0 ( fe & x)
inline

Definition at line 170 of file ed25519_fe.h.

170 {
171 x = FE_25519();
172}

◆ fe_1()

void Botan::fe_1 ( fe & x)
inline

Definition at line 174 of file ed25519_fe.h.

174 {
175 x = FE_25519(1);
176}

Referenced by ge_frombytes_negate_vartime().

◆ fe_add()

void Botan::fe_add ( fe & x,
const fe & a,
const fe & b )
inline

Definition at line 178 of file ed25519_fe.h.

178 {
179 x = FE_25519::add(a, b);
180}

References Botan::FE_25519::add().

Referenced by ge_frombytes_negate_vartime().

◆ fe_copy()

void Botan::fe_copy ( fe & a,
const fe & b )
inline

Definition at line 158 of file ed25519_fe.h.

158 {
159 a = b;
160}

◆ fe_frombytes()

void Botan::fe_frombytes ( fe & x,
const uint8_t * b )
inline

Definition at line 150 of file ed25519_fe.h.

150 {
151 x.from_bytes(b);
152}
void from_bytes(const uint8_t b[32])

References Botan::FE_25519::from_bytes().

Referenced by ge_frombytes_negate_vartime().

◆ fe_invert()

void Botan::fe_invert ( fe & x,
const fe & z )
inline

Definition at line 206 of file ed25519_fe.h.

206 {
207 x = FE_25519::invert(z);
208}

References Botan::FE_25519::invert().

◆ fe_isnegative()

int Botan::fe_isnegative ( const fe & x)
inline

Definition at line 166 of file ed25519_fe.h.

166 {
167 return x.is_negative();
168}
bool is_negative() const
Definition ed25519_fe.h:91

References Botan::FE_25519::is_negative().

Referenced by ge_frombytes_negate_vartime().

◆ fe_isnonzero()

int Botan::fe_isnonzero ( const fe & x)
inline

Definition at line 162 of file ed25519_fe.h.

162 {
163 return x.is_zero() ? 0 : 1;
164}
bool is_zero() const
Definition ed25519_fe.h:75

References Botan::FE_25519::is_zero().

Referenced by ge_frombytes_negate_vartime().

◆ fe_mul()

void Botan::fe_mul ( fe & x,
const fe & a,
const fe & b )
inline

Definition at line 190 of file ed25519_fe.h.

190 {
191 x = FE_25519::mul(a, b);
192}

References Botan::FE_25519::mul().

Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

◆ fe_neg()

void Botan::fe_neg ( fe & x,
const fe & z )
inline

Definition at line 186 of file ed25519_fe.h.

186 {
187 x = FE_25519::negate(z);
188}

References Botan::FE_25519::negate().

Referenced by ge_frombytes_negate_vartime().

◆ fe_pow22523()

void Botan::fe_pow22523 ( fe & x,
const fe & y )
inline

Definition at line 210 of file ed25519_fe.h.

210 {
211 x = FE_25519::pow_22523(y);
212}

References Botan::FE_25519::pow_22523().

Referenced by ge_frombytes_negate_vartime().

◆ fe_sq()

void Botan::fe_sq ( fe & x,
const fe & z )
inline

Definition at line 194 of file ed25519_fe.h.

194 {
195 x = FE_25519::sqr(z);
196}

References Botan::FE_25519::sqr().

Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

◆ fe_sq2()

void Botan::fe_sq2 ( fe & x,
const fe & z )
inline

Definition at line 202 of file ed25519_fe.h.

202 {
203 x = FE_25519::sqr2(z);
204}

References Botan::FE_25519::sqr2().

◆ fe_sq_iter()

void Botan::fe_sq_iter ( fe & x,
const fe & z,
size_t iter )
inline

Definition at line 198 of file ed25519_fe.h.

198 {
199 x = FE_25519::sqr_iter(z, iter);
200}

References Botan::FE_25519::sqr_iter().

Referenced by Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

◆ fe_sub()

void Botan::fe_sub ( fe & x,
const fe & a,
const fe & b )
inline

Definition at line 182 of file ed25519_fe.h.

182 {
183 x = FE_25519::sub(a, b);
184}

References Botan::FE_25519::sub().

Referenced by ge_frombytes_negate_vartime().

◆ fe_tobytes()

void Botan::fe_tobytes ( uint8_t * b,
const fe & x )
inline

Definition at line 154 of file ed25519_fe.h.

154 {
155 x.to_bytes(b);
156}
void to_bytes(uint8_t b[32]) const

References Botan::FE_25519::to_bytes().

◆ find_roots_gf2m_decomp()

secure_vector< gf2m > Botan::find_roots_gf2m_decomp ( const polyn_gf2m & polyn,
size_t code_length )

Find the roots of a polynomial over GF(2^m) using the method by Federenko et al.

Definition at line 254 of file gf2m_rootfind_dcmp.cpp.

254 {
255 gf2m_decomp_rootfind_state state(polyn, code_length);
256 return state.find_roots(polyn);
257}

References find_roots_gf2m_decomp().

Referenced by find_roots_gf2m_decomp().

◆ fmt()

template<typename... T>
std::string Botan::fmt ( std::string_view format,
const T &... args )

Simple formatter utility.

Should be replaced with std::format once that's available on all our supported compilers.

'{}' markers in the format string are replaced by the arguments. Unlike std::format, there is no support for escaping or for any kind of conversion flags.

Definition at line 53 of file fmt.h.

53 {
54 std::ostringstream oss;
55 oss.imbue(std::locale::classic());
56 fmt_detail::do_fmt(oss, format, args...);
57 return oss.str();
58}

References Botan::fmt_detail::do_fmt().

Referenced by Botan::GOST_3410_PublicKey::algo_name(), Botan::TLS::KEX_to_KEM_Adapter_PublicKey::algo_name(), argon2_generate_pwhash(), assert_unreachable(), Botan::TLS::auth_method_from_string(), Botan::CBC_Mode::CBC_Mode(), Botan::CCM_Mode::CCM_Mode(), Botan::CFB_Mode::CFB_Mode(), Botan::CMAC::CMAC(), Botan::Comb4P::Comb4P(), Botan::AES_256_CTR_XOF::copy_state(), Botan::KDF::create(), Botan::Private_Key::create_decryption_op(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), Botan::PKCS11::MechanismWrapper::create_ecdsa_mechanism(), Botan::Public_Key::create_encryption_op(), Botan::Private_Key::create_kem_decryption_op(), Botan::Public_Key::create_kem_encryption_op(), Botan::Private_Key::create_key_agreement_op(), create_private_key(), Botan::Private_Key::create_signature_op(), Botan::Public_Key::create_verification_op(), Botan::Public_Key::create_x509_verification_op(), Botan::PEM_Code::decode(), Botan::PEM_Code::decode_check_label(), Botan::ASN1_String::decode_from(), Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), Botan::EAX_Mode::EAX_Mode(), Botan::EC_Group::EC_Group(), Botan::PEM_Code::encode(), expand_message_xmd(), Botan::Stream_Decompression::finish(), Botan::PSS_Params::from_emsa_name(), Botan::OID::from_string(), Botan::GCM_Mode::GCM_Mode(), generate_dsa_primes(), Botan::GOST_28147_89_Params::GOST_28147_89_Params(), Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), Botan::Sphincs_Parameters::hash_name(), hex_decode(), hkdf_expand_label(), Botan::HTTP::http_sync(), Botan::Keccak_1600::Keccak_1600(), Botan::TLS::kex_method_from_string(), Botan::Lion::Lion(), load_private_key(), load_public_key(), Botan::PEM_Code::matches(), Botan::CCM_Mode::name(), Botan::CBC_Mode::name(), Botan::CFB_Mode::name(), Botan::Cascade_Cipher::name(), Botan::Lion::name(), Botan::BLAKE2b::name(), Botan::BLAKE2s::name(), Botan::Comb4P::name(), Botan::Keccak_1600::name(), Botan::SHA_3::name(), Botan::SHAKE_128::name(), Botan::SHAKE_256::name(), Botan::Skein_512::name(), Botan::Streebog::name(), Botan::Truncated_Hash::name(), Botan::HKDF::name(), Botan::HKDF_Extract::name(), Botan::HKDF_Expand::name(), Botan::KDF1::name(), Botan::KDF1_18033::name(), Botan::KDF2::name(), Botan::TLS_12_PRF::name(), Botan::SP800_108_Counter::name(), Botan::SP800_108_Feedback::name(), Botan::SP800_108_Pipeline::name(), Botan::SP800_56A_Hash::name(), Botan::SP800_56A_HMAC::name(), Botan::SP800_56C::name(), Botan::CMAC::name(), Botan::GMAC::name(), Botan::HMAC::name(), Botan::KMAC128::name(), Botan::KMAC256::name(), Botan::SipHash::name(), Botan::FPE_FE1::name(), Botan::PBKDF2_Family::name(), Botan::PKCS5_PBKDF2::name(), Botan::RFC4880_S2K_Family::name(), Botan::HMAC_DRBG::name(), Botan::ChaCha::name(), Botan::CTR_BE::name(), Botan::OFB::name(), Botan::GCM_Mode::name(), Botan::Asymmetric_Key::object_identifier(), Botan::OID::OID(), pbes2_decrypt(), Botan::PK_Decryptor_EME::PK_Decryptor_EME(), Botan::PK_Encryptor_EME::PK_Encryptor_EME(), Botan::PK_KEM_Decryptor::PK_KEM_Decryptor(), Botan::PK_KEM_Encryptor::PK_KEM_Encryptor(), Botan::PK_Key_Agreement::PK_Key_Agreement(), Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), Botan::PK_Verifier::PK_Verifier(), Botan::Credentials_Manager::psk(), Botan::Dynamically_Loaded_Library::resolve_symbol(), Botan::RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(), Botan::Sqlite3_Database::row_count(), Botan::RSA_PrivateKey::RSA_PrivateKey(), runtime_version_check(), Botan::SHA_3::SHA_3(), Botan::SHAKE_128::SHAKE_128(), Botan::SHAKE_256::SHAKE_256(), split_on(), srp6_client_agree(), srp6_generate_verifier(), Botan::XOF::start(), Botan::SRP6_Server_Session::step1(), Botan::SRP6_Server_Session::step2(), Botan::Streebog::Streebog(), string_to_ipv4(), throw_invalid_argument(), throw_invalid_state(), Botan::ASN1_Time::to_string(), Botan::Sphincs_Parameters::to_string(), Botan::Argon2::to_string(), Botan::Bcrypt_PBKDF::to_string(), Botan::PBKDF2::to_string(), Botan::RFC4880_S2K::to_string(), Botan::Scrypt::to_string(), Botan::UUID::UUID(), Botan::TLS::Certificate_Type_Base::validate_selection(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), Botan::XMSS_Hash::XMSS_Hash(), Botan::XMSS_Parameters::xmss_id_from_string(), Botan::XMSS_WOTS_Parameters::xmss_wots_id_from_string(), and Botan::XTS_Mode::XTS_Mode().

◆ format_char_for_display()

std::string Botan::format_char_for_display ( char c)

Return a string containing 'c', quoted and possibly escaped

This is used when creating an error message nothing an invalid character in some codex (for example during hex decoding)

Currently this function escapes tab, newlines and carriage return as "\t", "\n", and "\r", and also escapes characters > 0x7F as "\xHH" where HH is the hex code.

Definition at line 98 of file charset.cpp.

98 {
99 std::ostringstream oss;
100
101 oss << "'";
102
103 if(c == '\t') {
104 oss << "\\t";
105 } else if(c == '\n') {
106 oss << "\\n";
107 } else if(c == '\r') {
108 oss << "\\r";
109 } else if(static_cast<unsigned char>(c) >= 128) {
110 unsigned char z = static_cast<unsigned char>(c);
111 oss << "\\x" << std::hex << std::uppercase << static_cast<int>(z);
112 } else {
113 oss << c;
114 }
115
116 oss << "'";
117
118 return oss.str();
119}

Referenced by hex_decode().

◆ fors_public_key_from_signature()

BOTAN_TEST_API SphincsTreeNode Botan::fors_public_key_from_signature ( const SphincsHashedMessage & hashed_message,
StrongSpan< const ForsSignature > signature,
const Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hash )

Reconstructs the FORS public key from a given FORS signature and message. This is tailored for the use case in the SPHINCS+ implementation and is not meant for general usability.

Definition at line 112 of file sp_fors.cpp.

116 {
117 const auto indices = fors_message_to_indices(hashed_message, params);
118
119 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTree);
120
121 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
122
123 BufferSlicer s(signature);
124 std::vector<uint8_t> roots_buffer(params.k() * params.n());
125 BufferStuffer roots(roots_buffer);
126
127 // For each of the k FORS subtrees: Reconstruct the subtree's root node by using the
128 // leaf and the authentication path offered in the FORS signature.
129 BOTAN_ASSERT_NOMSG(indices.size() == params.k());
130 for(uint32_t i = 0; i < params.k(); ++i) {
131 uint32_t idx_offset = i * (1 << params.a());
132
133 // Compute the FORS leaf by using the secret leaf contained in the signature
134 fors_tree_addr.set_tree_height(TreeLayerIndex(0)).set_tree_index(indices[i] + idx_offset);
135 auto fors_leaf_secret = s.take<ForsLeafSecret>(params.n());
136 auto auth_path = s.take<SphincsAuthenticationPath>(params.n() * params.a());
137 auto leaf = hashes.T<SphincsTreeNode>(fors_tree_addr, fors_leaf_secret);
138
139 // Reconstruct the subtree's root using the authentication path
140 compute_root(roots.next<SphincsTreeNode>(params.n()),
141 params,
142 hashes,
143 leaf,
144 indices[i],
145 idx_offset,
146 auth_path,
147 params.a(),
148 fors_tree_addr);
149 }
150
151 BOTAN_ASSERT_NOMSG(roots.full());
152
153 // Reconstruct the public key the signature creates with the hash of the concatenation of all roots
154 // Only if the signature is valid, the pk is the correct FORS pk.
155 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
156}
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:199
void compute_root(StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)

References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, compute_root(), Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().

◆ fors_sign_and_pkgen()

BOTAN_TEST_API SphincsTreeNode Botan::fors_sign_and_pkgen ( StrongSpan< ForsSignature > sig_out,
const SphincsHashedMessage & hashed_message,
const SphincsSecretSeed & secret_seed,
const Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

Implements a domain specific wrapper for the few-times signature scheme FORS (Forest of Random Subsets). It is meant to be used inside SPHINCS+ and does not aim to be applicable for other use cases.

Definition at line 46 of file sp_fors.cpp.

51 {
52 BOTAN_ASSERT_NOMSG(sig_out.size() == params.fors_signature_bytes());
53
54 const auto indices = fors_message_to_indices(hashed_message, params);
55
56 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address);
57
58 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
59
60 std::vector<uint8_t> roots_buffer(params.k() * params.n());
61 BufferStuffer roots(roots_buffer);
62 BufferStuffer sig(sig_out);
63
64 // Buffer to hold the FORS leafs during tree traversal
65 // (Avoids a secure_vector allocation/deallocation in the hot path)
66 ForsLeafSecret fors_leaf_secret(params.n());
67
68 // For each of the k FORS subtrees: Compute the secret leaf, the authentication path
69 // and the trees' root and append the signature respectively
70 BOTAN_ASSERT_NOMSG(indices.size() == params.k());
71 for(uint32_t i = 0; i < params.k(); ++i) {
72 uint32_t idx_offset = i * (1 << params.a());
73
74 // Compute the secret leaf given by the chunk of the message and append it to the signature
75 fors_tree_addr.set_tree_height(TreeLayerIndex(0))
76 .set_tree_index(indices[i] + idx_offset)
77 .set_type(Sphincs_Address_Type::ForsKeyGeneration);
78
79 hashes.PRF(sig.next<ForsLeafSecret>(params.n()), secret_seed, fors_tree_addr);
80
81 // Compute the authentication path and root for this leaf node
82 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
83
84 GenerateLeafFunction fors_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
85 fors_tree_addr.set_tree_index(address_index);
86 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration);
87
88 hashes.PRF(fors_leaf_secret, secret_seed, fors_tree_addr);
89
90 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
91 hashes.T(out_root, fors_tree_addr, fors_leaf_secret);
92 };
93
94 treehash(roots.next<SphincsTreeNode>(params.n()),
95 sig.next<SphincsAuthenticationPath>(params.a() * params.n()),
96 params,
97 hashes,
98 indices[i],
99 idx_offset,
100 params.a(),
101 fors_gen_leaf,
102 fors_tree_addr);
103 }
104
105 BOTAN_ASSERT_NOMSG(sig.full());
106 BOTAN_ASSERT_NOMSG(roots.full());
107
108 // Compute the public key by the hash of the concatenation of all roots
109 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
110}
void PRF(StrongSpan< ForsLeafSecret > out, const SphincsSecretSeed &sk_seed, const Sphincs_Address &address)
Definition sp_hash.h:69
uint32_t fors_signature_bytes() const
Strong< std::vector< uint8_t >, struct SphincsTreeNode_ > SphincsTreeNode
Either an XMSS or FORS tree node or leaf.
Definition sp_types.h:56
std::function< void(StrongSpan< SphincsTreeNode >, TreeNodeIndex)> GenerateLeafFunction
Definition sp_treehash.h:25

References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, Botan::Sphincs_Parameters::fors_signature_bytes(), ForsKeyGeneration, ForsTree, Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_type(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and treehash().

◆ gamma()

void Botan::gamma ( SIMD_4x32 & A0,
SIMD_4x32 & A1,
SIMD_4x32 & A2,
SIMD_4x32 & A3 )
inline

Definition at line 44 of file noekeon_simd.cpp.

44 {
45 A1 ^= ~(A2 | A3);
46 A0 ^= A2 & A1;
47
48 SIMD_4x32 T = A3;
49 A3 = A0;
50 A0 = T;
51
52 A2 ^= A0 ^ A1 ^ A3;
53
54 A1 ^= ~(A2 | A3);
55 A0 ^= A2 & A1;
56}

References T.

Referenced by Botan::Noekeon::decrypt_n(), and Botan::Noekeon::encrypt_n().

◆ gcd()

BigInt Botan::gcd ( const BigInt & x,
const BigInt & y )

Compute the greatest common divisor

Parameters
xa positive integer
ya positive integer
Returns
gcd(x,y)

Definition at line 193 of file numthry.cpp.

193 {
194 if(a.is_zero()) {
195 return abs(b);
196 }
197 if(b.is_zero()) {
198 return abs(a);
199 }
200
201 const size_t sz = std::max(a.sig_words(), b.sig_words());
202 auto u = BigInt::with_capacity(sz);
203 auto v = BigInt::with_capacity(sz);
204 u += a;
205 v += b;
206
207 u.const_time_poison();
208 v.const_time_poison();
209
210 u.set_sign(BigInt::Positive);
211 v.set_sign(BigInt::Positive);
212
213 // In the worst case we have two fully populated big ints. After right
214 // shifting so many times, we'll have reached the result for sure.
215 const size_t loop_cnt = u.bits() + v.bits();
216
217 using WordMask = CT::Mask<word>;
218
219 // This temporary is big enough to hold all intermediate results of the
220 // algorithm. No reallocation will happen during the loop.
221 // Note however, that `ct_cond_assign()` will invalidate the 'sig_words'
222 // cache, which _does not_ shrink the capacity of the underlying buffer.
223 auto tmp = BigInt::with_capacity(sz);
224 size_t factors_of_two = 0;
225 for(size_t i = 0; i != loop_cnt; ++i) {
226 auto both_odd = WordMask::expand(u.is_odd()) & WordMask::expand(v.is_odd());
227
228 // Subtract the smaller from the larger if both are odd
229 auto u_gt_v = WordMask::expand(bigint_cmp(u.data(), u.size(), v.data(), v.size()) > 0);
230 bigint_sub_abs(tmp.mutable_data(), u.data(), sz, v.data(), sz);
231 u.ct_cond_assign((u_gt_v & both_odd).as_bool(), tmp);
232 v.ct_cond_assign((~u_gt_v & both_odd).as_bool(), tmp);
233
234 const auto u_is_even = WordMask::expand(u.is_even());
235 const auto v_is_even = WordMask::expand(v.is_even());
236 BOTAN_DEBUG_ASSERT((u_is_even | v_is_even).as_bool());
237
238 // When both are even, we're going to eliminate a factor of 2.
239 // We have to reapply this factor to the final result.
240 factors_of_two += (u_is_even & v_is_even).if_set_return(1);
241
242 // remove one factor of 2, if u is even
243 bigint_shr2(tmp.mutable_data(), u.data(), sz, 0, 1);
244 u.ct_cond_assign(u_is_even.as_bool(), tmp);
245
246 // remove one factor of 2, if v is even
247 bigint_shr2(tmp.mutable_data(), v.data(), sz, 0, 1);
248 v.ct_cond_assign(v_is_even.as_bool(), tmp);
249 }
250
251 // The GCD (without factors of two) is either in u or v, the other one is
252 // zero. The non-zero variable _must_ be odd, because all factors of two were
253 // removed in the loop iterations above.
254 BOTAN_DEBUG_ASSERT(u.is_zero() || v.is_zero());
255 BOTAN_DEBUG_ASSERT(u.is_odd() || v.is_odd());
256
257 // make sure that the GCD (without factors of two) is in u
258 u.ct_cond_assign(u.is_even() /* .is_zero() would not be constant time */, v);
259
260 // re-apply the factors of two
261 u.ct_shift_left(factors_of_two);
262
263 u.const_time_unpoison();
264 v.const_time_unpoison();
265
266 return u;
267}
BigInt abs(const BigInt &n)
Definition numthry.h:22
CT::Mask< word > bigint_sub_abs(word z[], const word x[], const word y[], size_t N, word ws[])
Definition mp_core.h:355
void bigint_shr2(word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
Definition mp_core.h:431

References abs(), bigint_cmp(), bigint_shr2(), bigint_sub_abs(), BOTAN_DEBUG_ASSERT, Botan::BigInt::const_time_poison(), Botan::BigInt::is_zero(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), and Botan::BigInt::with_capacity().

Referenced by botan_mp_gcd(), Botan::ECIES_Decryptor::ECIES_Decryptor(), generate_rsa_prime(), lcm(), and random_prime().

◆ ge_double_scalarmult_vartime() [1/2]

void Botan::ge_double_scalarmult_vartime ( uint8_t out[32],
const uint8_t * a,
const ge_p3 * A,
const uint8_t * b )

Definition at line 480 of file ge.cpp.

480 {
481 static const ge_precomp Bi[8] = {
482 {
483 {25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
484 {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
485 {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
486 },
487 {
488 {15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
489 {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
490 {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
491 },
492 {
493 {10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
494 {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
495 {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
496 },
497 {
498 {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
499 {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
500 {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
501 },
502 {
503 {-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
504 {-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
505 {4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
506 },
507 {
508 {-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
509 {25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
510 {23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
511 },
512 {
513 {-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
514 {-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
515 {-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
516 },
517 {
518 {-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
519 {-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
520 {-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
521 },
522 };
523
524 int8_t aslide[256];
525 int8_t bslide[256];
526 ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
527 ge_p1p1 t;
528 ge_p3 u;
529 ge_p3 A2;
530 ge_p2 r;
531 int i;
532
533 slide(aslide, a);
534 slide(bslide, b);
535
536 ge_p3_to_cached(&Ai[0], A);
537 ge_p3_dbl(&t, A);
538 ge_p1p1_to_p3(&A2, &t);
539 ge_add(&t, &A2, &Ai[0]);
540 ge_p1p1_to_p3(&u, &t);
541 ge_p3_to_cached(&Ai[1], &u);
542 ge_add(&t, &A2, &Ai[1]);
543 ge_p1p1_to_p3(&u, &t);
544 ge_p3_to_cached(&Ai[2], &u);
545 ge_add(&t, &A2, &Ai[2]);
546 ge_p1p1_to_p3(&u, &t);
547 ge_p3_to_cached(&Ai[3], &u);
548 ge_add(&t, &A2, &Ai[3]);
549 ge_p1p1_to_p3(&u, &t);
550 ge_p3_to_cached(&Ai[4], &u);
551 ge_add(&t, &A2, &Ai[4]);
552 ge_p1p1_to_p3(&u, &t);
553 ge_p3_to_cached(&Ai[5], &u);
554 ge_add(&t, &A2, &Ai[5]);
555 ge_p1p1_to_p3(&u, &t);
556 ge_p3_to_cached(&Ai[6], &u);
557 ge_add(&t, &A2, &Ai[6]);
558 ge_p1p1_to_p3(&u, &t);
559 ge_p3_to_cached(&Ai[7], &u);
560
561 ge_p2_0(&r);
562
563 for(i = 255; i >= 0; --i) {
564 if(aslide[i] || bslide[i]) {
565 break;
566 }
567 }
568
569 for(; i >= 0; --i) {
570 ge_p2_dbl(&t, &r);
571
572 if(aslide[i] > 0) {
573 ge_p1p1_to_p3(&u, &t);
574 ge_add(&t, &u, &Ai[aslide[i] >> 1]);
575 } else if(aslide[i] < 0) {
576 ge_p1p1_to_p3(&u, &t);
577 ge_sub(&t, &u, &Ai[(-aslide[i]) >> 1]);
578 }
579
580 if(bslide[i] > 0) {
581 ge_p1p1_to_p3(&u, &t);
582 ge_madd(&t, &u, &Bi[bslide[i] >> 1]);
583 } else if(bslide[i] < 0) {
584 ge_p1p1_to_p3(&u, &t);
585 ge_msub(&t, &u, &Bi[(-bslide[i]) >> 1]);
586 }
587
588 ge_p1p1_to_p2(&r, &t);
589 }
590
591 ge_tobytes(out, &r);
592}

◆ ge_double_scalarmult_vartime() [2/2]

void Botan::ge_double_scalarmult_vartime ( uint8_t out[32],
const uint8_t a[],
const ge_p3 * A,
const uint8_t b[] )

◆ ge_frombytes_negate_vartime()

int Botan::ge_frombytes_negate_vartime ( ge_p3 * v,
const uint8_t * s )

Definition at line 425 of file ge.cpp.

425 {
426 static const FE_25519 d = {
427 -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116};
428 static const FE_25519 sqrtm1 = {
429 -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482};
430
431 FE_25519 u;
432 FE_25519 v;
433 FE_25519 v3;
434 FE_25519 vxx;
435 FE_25519 check;
436
437 fe_frombytes(h->Y, s);
438 fe_1(h->Z);
439 fe_sq(u, h->Y);
440 fe_mul(v, u, d);
441 fe_sub(u, u, h->Z); /* u = y^2-1 */
442 fe_add(v, v, h->Z); /* v = dy^2+1 */
443
444 fe_sq(v3, v);
445 fe_mul(v3, v3, v); /* v3 = v^3 */
446 fe_sq(h->X, v3);
447 fe_mul(h->X, h->X, v);
448 fe_mul(h->X, h->X, u); /* x = uv^7 */
449
450 fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
451 fe_mul(h->X, h->X, v3);
452 fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
453
454 fe_sq(vxx, h->X);
455 fe_mul(vxx, vxx, v);
456 fe_sub(check, vxx, u); /* vx^2-u */
457 if(fe_isnonzero(check)) {
458 fe_add(check, vxx, u); /* vx^2+u */
459 if(fe_isnonzero(check)) {
460 return -1;
461 }
462 fe_mul(h->X, h->X, sqrtm1);
463 }
464
465 if(fe_isnegative(h->X) == (s[31] >> 7)) {
466 fe_neg(h->X, h->X);
467 }
468
469 fe_mul(h->T, h->X, h->Y);
470 return 0;
471}
int fe_isnegative(const fe &x)
Definition ed25519_fe.h:166
int fe_isnonzero(const fe &x)
Definition ed25519_fe.h:162
void fe_1(fe &x)
Definition ed25519_fe.h:174
void fe_mul(fe &x, const fe &a, const fe &b)
Definition ed25519_fe.h:190
void fe_sq(fe &x, const fe &z)
Definition ed25519_fe.h:194
void fe_neg(fe &x, const fe &z)
Definition ed25519_fe.h:186
void fe_add(fe &x, const fe &a, const fe &b)
Definition ed25519_fe.h:178
void fe_sub(fe &x, const fe &a, const fe &b)
Definition ed25519_fe.h:182
void fe_pow22523(fe &x, const fe &y)
Definition ed25519_fe.h:210
void fe_frombytes(fe &x, const uint8_t *b)
Definition ed25519_fe.h:150

References fe_1(), fe_add(), fe_frombytes(), fe_isnegative(), fe_isnonzero(), fe_mul(), fe_neg(), fe_pow22523(), fe_sq(), fe_sub(), Botan::ge_p3::T, Botan::ge_p3::X, Botan::ge_p3::Y, and Botan::ge_p3::Z.

Referenced by Botan::Ed25519_PublicKey::check_key(), and ed25519_verify().

◆ ge_scalarmult_base()

void Botan::ge_scalarmult_base ( uint8_t out[32],
const uint8_t in[32] )

Definition at line 2043 of file ge.cpp.

2043 {
2044 int8_t e[64];
2045 int8_t carry;
2046 ge_p1p1 r;
2047 ge_p2 s;
2048 ge_p3 h;
2049 ge_precomp t;
2050 int i;
2051
2052 for(i = 0; i < 32; ++i) {
2053 e[2 * i + 0] = (a[i] >> 0) & 15;
2054 e[2 * i + 1] = (a[i] >> 4) & 15;
2055 }
2056 /* each e[i] is between 0 and 15 */
2057 /* e[63] is between 0 and 7 */
2058
2059 carry = 0;
2060 for(i = 0; i < 63; ++i) {
2061 e[i] += carry;
2062 carry = e[i] + 8;
2063 carry >>= 4;
2064 e[i] -= carry << 4;
2065 }
2066 e[63] += carry;
2067 /* each e[i] is between -8 and 8 */
2068
2069 ge_p3_0(&h);
2070 for(i = 1; i < 64; i += 2) {
2071 select(&t, B_precomp[i / 2], e[i]);
2072 ge_madd(&r, &h, &t);
2073 ge_p1p1_to_p3(&h, &r);
2074 }
2075
2076 ge_p3_dbl(&r, &h);
2077 ge_p1p1_to_p2(&s, &r);
2078 ge_p2_dbl(&r, &s);
2079 ge_p1p1_to_p2(&s, &r);
2080 ge_p2_dbl(&r, &s);
2081 ge_p1p1_to_p2(&s, &r);
2082 ge_p2_dbl(&r, &s);
2083 ge_p1p1_to_p3(&h, &r);
2084
2085 for(i = 0; i < 64; i += 2) {
2086 select(&t, B_precomp[i / 2], e[i]);
2087 ge_madd(&r, &h, &t);
2088 ge_p1p1_to_p3(&h, &r);
2089 }
2090
2091 ge_p3_tobytes(out, &h);
2092}

References carry().

Referenced by ed25519_gen_keypair(), and ed25519_sign().

◆ generalize_to() [1/2]

template<typename GeneralVariantT , typename SpecialT >
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
constexpr GeneralVariantT Botan::generalize_to ( SpecialT && specific)
constexprnoexcept

Converts a given variant into another variant-ish whose type states are a super set of the given variant.

This is useful to convert restricted variant types into more general variants types.

Definition at line 300 of file stl_util.h.

302{
303 return std::forward<SpecialT>(specific);
304}

◆ generalize_to() [2/2]

template<typename GeneralVariantT , typename... SpecialTs>
constexpr GeneralVariantT Botan::generalize_to ( std::variant< SpecialTs... > specific)
constexprnoexcept

Converts a given variant into another variant-ish whose type states are a super set of the given variant.

This is useful to convert restricted variant types into more general variants types.

Definition at line 314 of file stl_util.h.

314 {
315 static_assert(
316 is_generalizable_to<GeneralVariantT>(specific),
317 "Desired general type must be implicitly constructible by all types of the specialized std::variant<>");
318 return std::visit([](auto s) -> GeneralVariantT { return s; }, std::move(specific));
319}

◆ generate_bcrypt()

std::string Botan::generate_bcrypt ( std::string_view password,
RandomNumberGenerator & rng,
uint16_t work_factor = 12,
char version = 'a' )

Create a password hash using Bcrypt

Warning
The password is truncated at at most 72 characters; characters after that do not have any effect on the resulting hash. To support longer passwords, consider pre-hashing the password, for example by using the hex encoding of SHA-256 of the password as the input to bcrypt.
Parameters
passwordthe password.
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
versionwhich version to emit (may be 'a', 'b', or 'y' all of which have identical behavior in this implementation).
See also
https://www.usenix.org/events/usenix99/provos/provos_html/

Definition at line 144 of file bcrypt.cpp.

144 {
145 /*
146 2a, 2b and 2y are identical for our purposes because our implementation of 2a
147 never had the truncation or signed char bugs in the first place.
148 */
149
150 if(version != 'a' && version != 'b' && version != 'y') {
151 throw Invalid_Argument("Unknown bcrypt version '" + std::string(1, version) + "'");
152 }
153
154 std::vector<uint8_t> salt;
155 rng.random_vec(salt, 16);
156 return make_bcrypt(pass, salt, work_factor, version);
157}
void random_vec(std::span< uint8_t > v)
Definition rng.h:179

References Botan::RandomNumberGenerator::random_vec().

Referenced by botan_bcrypt_generate().

◆ generate_dsa_primes() [1/2]

std::vector< uint8_t > Botan::generate_dsa_primes ( RandomNumberGenerator & rng,
BigInt & p_out,
BigInt & q_out,
size_t pbits,
size_t qbits )

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
Returns
random seed used to generate this parameter set

Definition at line 134 of file dsa_gen.cpp.

134 {
135 while(true) {
136 std::vector<uint8_t> seed(qbits / 8);
137 rng.randomize(seed.data(), seed.size());
138
139 if(generate_dsa_primes(rng, p, q, pbits, qbits, seed)) {
140 return seed;
141 }
142 }
143}
bool generate_dsa_primes(RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
Definition dsa_gen.cpp:53

References generate_dsa_primes(), and Botan::RandomNumberGenerator::randomize().

◆ generate_dsa_primes() [2/2]

bool BOTAN_TEST_API Botan::generate_dsa_primes ( RandomNumberGenerator & rng,
BigInt & p_out,
BigInt & q_out,
size_t pbits,
size_t qbits,
const std::vector< uint8_t > & seed,
size_t offset = 0 )

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
seedthe seed used to generate the parameters
offsetoptional offset from seed to start searching at
Returns
true if seed generated a valid DSA parameter set, otherwise false. p_out and q_out are only valid if true was returned.

Definition at line 53 of file dsa_gen.cpp.

59 {
60 if(!fips186_3_valid_size(pbits, qbits)) {
61 throw Invalid_Argument(fmt("FIPS 186-3 does not allow DSA domain parameters of {}/{} bits long", pbits, qbits));
62 }
63
64 if(seed_c.size() * 8 < qbits) {
65 throw Invalid_Argument(
66 fmt("Generating a DSA parameter set with a {} bit long q requires a seed at least as many bits long", qbits));
67 }
68
69 const std::string hash_name = hash_function_for(qbits);
70 auto hash = HashFunction::create_or_throw(hash_name);
71
72 const size_t HASH_SIZE = hash->output_length();
73
74 class Seed final {
75 public:
76 explicit Seed(const std::vector<uint8_t>& s) : m_seed(s) {}
77
78 const std::vector<uint8_t>& value() const { return m_seed; }
79
80 Seed& operator++() {
81 for(size_t j = m_seed.size(); j > 0; --j) {
82 if(++m_seed[j - 1]) {
83 break;
84 }
85 }
86 return (*this);
87 }
88
89 private:
90 std::vector<uint8_t> m_seed;
91 };
92
93 Seed seed(seed_c);
94
95 q.binary_decode(hash->process(seed.value()));
96 q.set_bit(qbits - 1);
97 q.set_bit(0);
98
99 if(!is_prime(q, rng, 128, true)) {
100 return false;
101 }
102
103 const size_t n = (pbits - 1) / (HASH_SIZE * 8), b = (pbits - 1) % (HASH_SIZE * 8);
104
105 BigInt X;
106 std::vector<uint8_t> V(HASH_SIZE * (n + 1));
107
108 Modular_Reducer mod_2q(2 * q);
109
110 for(size_t j = 0; j != 4 * pbits; ++j) {
111 for(size_t k = 0; k <= n; ++k) {
112 ++seed;
113 hash->update(seed.value());
114 hash->final(&V[HASH_SIZE * (n - k)]);
115 }
116
117 if(j >= offset) {
118 X.binary_decode(&V[HASH_SIZE - 1 - b / 8], V.size() - (HASH_SIZE - 1 - b / 8));
119 X.set_bit(pbits - 1);
120
121 p = X - (mod_2q.reduce(X) - 1);
122
123 if(p.bits() == pbits && is_prime(p, rng, 128, true)) {
124 return true;
125 }
126 }
127 }
128 return false;
129}
int(* final)(unsigned char *, CTX *)
FE_25519 X
Definition ge.cpp:25
constexpr auto operator++(Strong< T, Tags... > &a, int)
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:357

References Botan::BigInt::binary_decode(), Botan::BigInt::bits(), Botan::HashFunction::create_or_throw(), final, fmt(), is_prime(), operator++(), Botan::Modular_Reducer::reduce(), Botan::BigInt::set_bit(), and X.

Referenced by Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), and generate_dsa_primes().

◆ generate_mceliece_key()

McEliece_PrivateKey Botan::generate_mceliece_key ( RandomNumberGenerator & rng,
size_t ext_deg,
size_t code_length,
size_t t )

Definition at line 184 of file code_based_key_gen.cpp.

184 {
185 const size_t codimension = t * ext_deg;
186
187 if(code_length <= codimension) {
188 throw Invalid_Argument("invalid McEliece parameters");
189 }
190
191 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
192
193 //pick the support.........
194 std::vector<gf2m> L(code_length);
195
196 for(size_t i = 0; i != L.size(); i++) {
197 L[i] = static_cast<gf2m>(i);
198 }
199 randomize_support(L, rng);
200 polyn_gf2m g(sp_field); // create as zero
201
202 bool success = false;
203 std::unique_ptr<binary_matrix> R;
204
205 do {
206 // create a random irreducible polynomial
207 g = polyn_gf2m(t, rng, sp_field);
208
209 try {
210 R = generate_R(L, &g, *sp_field, code_length, t);
211 success = true;
212 } catch(const Invalid_State&) {}
213 } while(!success);
214
215 std::vector<polyn_gf2m> sqrtmod = polyn_gf2m::sqrt_mod_init(g);
216 std::vector<polyn_gf2m> F = syndrome_init(g, L, static_cast<int>(code_length));
217
218 // Each F[i] is the (precomputed) syndrome of the error vector with
219 // a single '1' in i-th position.
220 // We do not store the F[i] as polynomials of degree t , but
221 // as binary vectors of length ext_deg * t (this will
222 // speed up the syndrome computation)
223 //
224 std::vector<uint32_t> H(bit_size_to_32bit_size(codimension) * code_length);
225 uint32_t* sk = H.data();
226 for(size_t i = 0; i < code_length; ++i) {
227 for(size_t l = 0; l < t; ++l) {
228 const size_t k = (l * ext_deg) / 32;
229 const uint8_t j = (l * ext_deg) % 32;
230 sk[k] ^= static_cast<uint32_t>(F[i].get_coef(l)) << j;
231 if(j + ext_deg > 32) {
232 sk[k + 1] ^= F[i].get_coef(l) >> (32 - j);
233 }
234 }
235 sk += bit_size_to_32bit_size(codimension);
236 }
237
238 // We need the support L for decoding (decryption). In fact the
239 // inverse is needed
240
241 std::vector<gf2m> Linv(code_length);
242 for(size_t i = 0; i != Linv.size(); ++i) {
243 Linv[L[i]] = static_cast<gf2m>(i);
244 }
245 std::vector<uint8_t> pubmat(R->elem().size() * 4);
246 for(size_t i = 0; i < R->elem().size(); i++) {
247 store_le(R->elem()[i], &pubmat[i * 4]);
248 }
249
250 return McEliece_PrivateKey(g, H, sqrtmod, Linv, pubmat);
251}
std::vector< polyn_gf2m > syndrome_init(const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
size_t bit_size_to_32bit_size(size_t bit_size)

References bit_size_to_32bit_size(), Botan::polyn_gf2m::sqrt_mod_init(), store_le(), and syndrome_init().

Referenced by Botan::McEliece_PrivateKey::McEliece_PrivateKey().

◆ generate_passhash9()

std::string Botan::generate_passhash9 ( std::string_view password,
RandomNumberGenerator & rng,
uint16_t work_factor = 15,
uint8_t alg_id = 4 )

Create a password hash using PBKDF2

Parameters
passwordthe password
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
alg_idspecifies which PRF to use with PBKDF2 0 is HMAC(SHA-1) 1 is HMAC(SHA-256) 2 is CMAC(Blowfish) 3 is HMAC(SHA-384) 4 is HMAC(SHA-512) all other values are currently undefined

Definition at line 46 of file passhash9.cpp.

49 {
50 BOTAN_ARG_CHECK(work_factor > 0 && work_factor < 512, "Invalid Passhash9 work factor");
51
52 auto prf = get_pbkdf_prf(alg_id);
53
54 if(!prf) {
55 throw Invalid_Argument("Passhash9: Algorithm id " + std::to_string(alg_id) + " is not defined");
56 }
57
58 PKCS5_PBKDF2 kdf(std::move(prf));
59
60 secure_vector<uint8_t> salt(SALT_BYTES);
61 rng.randomize(salt.data(), salt.size());
62
63 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
64
65 secure_vector<uint8_t> blob;
66 blob.push_back(alg_id);
67 blob.push_back(get_byte<0>(work_factor));
68 blob.push_back(get_byte<1>(work_factor));
69 blob += salt;
70 blob += kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, salt.data(), salt.size(), kdf_iterations).bits_of();
71
72 return MAGIC_PREFIX + base64_encode(blob);
73}

References base64_encode(), Botan::OctetString::bits_of(), BOTAN_ARG_CHECK, Botan::PBKDF::derive_key(), and Botan::RandomNumberGenerator::randomize().

◆ generate_rfc6979_nonce()

BOTAN_TEST_API BigInt Botan::generate_rfc6979_nonce ( const BigInt & x,
const BigInt & q,
const BigInt & h,
std::string_view hash )
Parameters
xthe secret (EC)DSA key
qthe group order
hthe message hash already reduced mod q
hashthe hash function used to generate h

Definition at line 43 of file rfc6979.cpp.

43 {
44 RFC6979_Nonce_Generator gen(hash, q, x);
45 BigInt k = gen.nonce_for(h);
46 return k;
47}

References Botan::RFC6979_Nonce_Generator::nonce_for().

◆ generate_rsa_prime()

BigInt Botan::generate_rsa_prime ( RandomNumberGenerator & keygen_rng,
RandomNumberGenerator & prime_test_rng,
size_t bits,
const BigInt & coprime,
size_t prob = 128 )

Generate a prime suitable for RSA p/q

Parameters
keygen_rnga random number generator
prime_test_rnga random number generator
bitshow large the resulting prime should be in bits (must be >= 512)
coprimea positive integer that (prime - 1) should be coprime to
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 211 of file make_prm.cpp.

215 {
216 if(bits < 512) {
217 throw Invalid_Argument("generate_rsa_prime bits too small");
218 }
219
220 /*
221 * The restriction on coprime <= 64 bits is arbitrary but generally speaking
222 * very large RSA public exponents are a bad idea both for performance and due
223 * to attacks on small d.
224 */
225 if(coprime <= 1 || coprime.is_even() || coprime.bits() > 64) {
226 throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");
227 }
228
229 const size_t MAX_ATTEMPTS = 32 * 1024;
230
231 const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
232
233 while(true) {
234 BigInt p(keygen_rng, bits);
235
236 /*
237 Force high two bits so multiplication always results in expected n bit integer
238
239 Force the two low bits, and step by 4, so the generated prime is always == 3 (mod 4).
240 This way when we perform the inversion modulo phi(n) it is always of the form 2*o
241 with o odd, which allows a fastpath and avoids leaking any information about the
242 structure of the prime.
243 */
244 p.set_bit(bits - 1);
245 p.set_bit(bits - 2);
246 p.set_bit(1);
247 p.set_bit(0);
248
249 const word step = 4;
250
251 Prime_Sieve sieve(p, bits, step, false);
252
253 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
254 p += step;
255
256 if(!sieve.next()) {
257 continue;
258 }
259
260 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
261
262 Modular_Reducer mod_p(p);
263
264 /*
265 * Do a single primality test first before checking coprimality, since
266 * currently a single Miller-Rabin test is faster than computing gcd,
267 * and this eliminates almost all wasted gcd computations.
268 */
269 if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, 1) == false) {
270 continue;
271 }
272
273 /*
274 * Check if p - 1 and coprime are relatively prime.
275 */
276 if(gcd(p - 1, coprime) > 1) {
277 continue;
278 }
279
280 if(p.bits() > bits) {
281 break;
282 }
283
284 if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, mr_trials) == true) {
285 return p;
286 }
287 }
288 }
289}
bool is_even() const
Definition bigint.h:410
bool is_miller_rabin_probable_prime(const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
BigInt gcd(const BigInt &a, const BigInt &b)
Definition numthry.cpp:193
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)

References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, gcd(), Botan::BigInt::is_even(), is_miller_rabin_probable_prime(), miller_rabin_test_iterations(), and Botan::BigInt::set_bit().

Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ get_aead()

AEAD_Mode * Botan::get_aead ( std::string_view name,
Cipher_Dir direction )
inline

Get an AEAD mode by name (eg "AES-128/GCM" or "Serpent/EAX")

Parameters
nameAEAD name
directionCipher_Dir::Encryption or Cipher_Dir::Decryption

Definition at line 144 of file aead.h.

144 {
145 return AEAD_Mode::create(name, direction, "").release();
146}
std::string name

References Botan::AEAD_Mode::create(), and name.

◆ get_byte()

template<size_t B, typename T >
requires (B < sizeof(T))
constexpr uint8_t Botan::get_byte ( T input)
inlineconstexpr

Byte extraction

Parameters
inputthe value to extract from
Returns
byte byte number B of input

Definition at line 37 of file loadstor.h.

39{
40 const size_t shift = ((~B) & (sizeof(T) - 1)) << 3;
41 return static_cast<uint8_t>((input >> shift) & 0xFF);
42}

References T.

Referenced by store_le().

◆ get_byte_var()

template<typename T >
constexpr uint8_t Botan::get_byte_var ( size_t byte_num,
T input )
inlineconstexpr

Byte extraction

Parameters
byte_numwhich byte to extract, 0 == highest byte
inputthe value to extract from
Returns
byte byte_num of input

Definition at line 27 of file loadstor.h.

27 {
28 return static_cast<uint8_t>(input >> (((~byte_num) & (sizeof(T) - 1)) << 3));
29}

References T.

Referenced by Botan::TLS::append_tls_length_value(), Botan::BigInt::binary_encode(), Botan::BigInt::byte_at(), copy_out_be(), copy_out_le(), Botan::CCM_Mode::encode_length(), Botan::TLS::Certificate_12::serialize(), and Botan::TLS::Certificate_Status::serialize().

◆ get_cipher() [1/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters. No key will be set in the filter.

Parameters
algo_specthe name of the desired cipher
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 201 of file filters.h.

201 {
202 auto c = Cipher_Mode::create_or_throw(algo_spec, direction);
203 return new Cipher_Mode_Filter(c.release());
204}

References Botan::Cipher_Mode::create_or_throw().

Referenced by get_cipher(), and get_cipher().

◆ get_cipher() [2/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
const SymmetricKey & key,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 215 of file filters.h.

215 {
216 Keyed_Filter* cipher = get_cipher(algo_spec, direction);
217 cipher->set_key(key);
218 return cipher;
219}
virtual void set_key(const SymmetricKey &key)=0
Keyed_Filter * get_cipher(std::string_view algo_spec, Cipher_Dir direction)
Definition filters.h:201

References get_cipher(), and Botan::Keyed_Filter::set_key().

◆ get_cipher() [3/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
const SymmetricKey & key,
const InitializationVector & iv,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
ivthe initialization vector to be used
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to newly allocated encryption or decryption filter

Definition at line 231 of file filters.h.

234 {
235 Keyed_Filter* cipher = get_cipher(algo_spec, key, direction);
236 if(iv.length()) {
237 cipher->set_iv(iv);
238 }
239 return cipher;
240}
virtual void set_iv(const InitializationVector &iv)
Definition filters.h:129
size_t length() const
Definition symkey.h:27

References get_cipher(), Botan::OctetString::length(), and Botan::Keyed_Filter::set_iv().

◆ get_cipher_mode()

Cipher_Mode * Botan::get_cipher_mode ( std::string_view algo_spec,
Cipher_Dir direction,
std::string_view provider = "" )
inline

Get a cipher mode by name (eg "AES-128/CBC" or "Serpent/XTS")

Parameters
algo_speccipher name
directionCipher_Dir::Encryption or Cipher_Dir::Decryption
providerprovider implementation to choose

Definition at line 245 of file cipher_mode.h.

245 {
246 return Cipher_Mode::create(algo_spec, direction, provider).release();
247}

References Botan::Cipher_Mode::create().

◆ get_files_recursive()

BOTAN_TEST_API std::vector< std::string > Botan::get_files_recursive ( std::string_view dir)

Definition at line 121 of file filesystem.cpp.

121 {
122 std::vector<std::string> files;
123
124#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
125 files = impl_readdir(dir);
126#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
127 files = impl_win32(dir);
128#else
129 BOTAN_UNUSED(dir);
130 throw No_Filesystem_Access();
131#endif
132
133 std::sort(files.begin(), files.end());
134
135 return files;
136}

References BOTAN_UNUSED.

◆ get_kdf()

KDF * Botan::get_kdf ( std::string_view algo_spec)
inline

Factory method for KDF (key derivation function)

Parameters
algo_specthe name of the KDF to create
Returns
pointer to newly allocated object of that type

Prefer KDF::create

Definition at line 215 of file kdf.h.

215 {
216 auto kdf = KDF::create(algo_spec);
217 if(kdf) {
218 return kdf.release();
219 }
220
221 if(algo_spec == "Raw") {
222 return nullptr;
223 }
224
225 throw Algorithm_Not_Found(algo_spec);
226}

References Botan::KDF::create().

◆ get_pbkdf()

PBKDF * Botan::get_pbkdf ( std::string_view algo_spec,
std::string_view provider = "" )
inline

Password based key derivation function factory method

Parameters
algo_specthe name of the desired PBKDF algorithm
providerthe provider to use
Returns
pointer to newly allocated object of that type

Definition at line 242 of file pbkdf.h.

242 {
243 return PBKDF::create_or_throw(algo_spec, provider).release();
244}

◆ get_s2k()

PBKDF * Botan::get_s2k ( std::string_view algo_spec)
inline

Definition at line 248 of file pbkdf.h.

248 {
249 return PBKDF::create_or_throw(algo_spec).release();
250}

◆ gray_to_lex()

gf2m Botan::gray_to_lex ( gf2m gray)
inline

Definition at line 30 of file code_based_util.h.

30 {
31 gf2m result = gray ^ (gray >> 8);
32 result ^= (result >> 4);
33 result ^= (result >> 2);
34 result ^= (result >> 1);
35 return result;
36}

◆ has_filesystem_impl()

BOTAN_TEST_API bool Botan::has_filesystem_impl ( )

Definition at line 111 of file filesystem.cpp.

111 {
112#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
113 return true;
114#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
115 return true;
116#else
117 return false;
118#endif
119}

◆ hash_to_curve_sswu()

EC_Point Botan::hash_to_curve_sswu ( const EC_Group & group,
std::string_view hash_fn,
const uint8_t input[],
size_t input_len,
const uint8_t domain_sep[],
size_t domain_sep_len,
bool random_oracle )

Hash an input onto an elliptic curve point using the methods from RFC 9380

This method requires that the ECC group have (a*b) != 0 which excludes certain groups including secp256k1

Definition at line 184 of file ec_h2c.cpp.

190 {
191 const Modular_Reducer mod_p(group.get_p());
192
193 const uint8_t count = (random_oracle ? 2 : 1);
194
195 const auto u = hash_to_field(group, mod_p, hash_fn, count, input, input_len, domain_sep, domain_sep_len);
196
197 EC_Point pt = map_to_curve_sswu(group, mod_p, u[0]);
198
199 for(size_t i = 1; i != u.size(); ++i) {
200 pt += map_to_curve_sswu(group, mod_p, u[i]);
201 }
202
203 return pt;
204}
const BigInt & get_p() const
Definition ec_group.cpp:492

References Botan::EC_Group::get_p().

Referenced by Botan::EC_Group::hash_to_curve().

◆ hex_decode() [1/6]

std::vector< uint8_t > Botan::hex_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 157 of file hex.cpp.

157 {
158 std::vector<uint8_t> bin(1 + input_length / 2);
159
160 size_t written = hex_decode(bin.data(), input, input_length, ignore_ws);
161
162 bin.resize(written);
163 return bin;
164}
size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
Definition hex.cpp:81

References hex_decode().

◆ hex_decode() [2/6]

size_t Botan::hex_decode ( std::span< uint8_t > output,
std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputa contiguous byte buffer of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 140 of file hex.cpp.

140 {
141 return hex_decode(output.data(), input.data(), input.length(), ignore_ws);
142}

References hex_decode().

◆ hex_decode() [3/6]

std::vector< uint8_t > Botan::hex_decode ( std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 166 of file hex.cpp.

166 {
167 return hex_decode(input.data(), input.size(), ignore_ws);
168}

References hex_decode().

◆ hex_decode() [4/6]

size_t Botan::hex_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 125 of file hex.cpp.

125 {
126 size_t consumed = 0;
127 size_t written = hex_decode(output, input, input_length, consumed, ignore_ws);
128
129 if(consumed != input_length) {
130 throw Invalid_Argument("hex_decode: input did not have full bytes");
131 }
132
133 return written;
134}

References hex_decode().

◆ hex_decode() [5/6]

size_t Botan::hex_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 81 of file hex.cpp.

81 {
82 uint8_t* out_ptr = output;
83 bool top_nibble = true;
84
85 clear_mem(output, input_length / 2);
86
87 for(size_t i = 0; i != input_length; ++i) {
88 const uint8_t bin = hex_char_to_bin(input[i]);
89
90 if(bin >= 0x10) {
91 if(bin == 0x80 && ignore_ws) {
92 continue;
93 }
94
95 throw Invalid_Argument(fmt("hex_decode: invalid character '{}'", format_char_for_display(input[i])));
96 }
97
98 if(top_nibble) {
99 *out_ptr |= bin << 4;
100 } else {
101 *out_ptr |= bin;
102 }
103
104 top_nibble = !top_nibble;
105 if(top_nibble) {
106 ++out_ptr;
107 }
108 }
109
110 input_consumed = input_length;
111 size_t written = (out_ptr - output);
112
113 /*
114 * We only got half of a uint8_t at the end; zap the half-written
115 * output and mark it as unread
116 */
117 if(!top_nibble) {
118 *out_ptr = 0;
119 input_consumed -= 1;
120 }
121
122 return written;
123}

References clear_mem(), fmt(), and format_char_for_display().

Referenced by botan_hex_decode(), Botan::Hex_Decoder::end_msg(), Botan::TLS::Session_Manager_SQL::find_some(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode_locked(), Botan::OctetString::OctetString(), Botan::UUID::UUID(), and Botan::Hex_Decoder::write().

◆ hex_decode() [6/6]

size_t Botan::hex_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 136 of file hex.cpp.

136 {
137 return hex_decode(output, input.data(), input.length(), ignore_ws);
138}

References hex_decode().

◆ hex_decode_locked() [1/2]

secure_vector< uint8_t > Botan::hex_decode_locked ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 144 of file hex.cpp.

144 {
145 secure_vector<uint8_t> bin(1 + input_length / 2);
146
147 size_t written = hex_decode(bin.data(), input, input_length, ignore_ws);
148
149 bin.resize(written);
150 return bin;
151}
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

References hex_decode().

Referenced by Botan::BigInt::decode(), hex_decode_locked(), and Botan::RTSS_Share::RTSS_Share().

◆ hex_decode_locked() [2/2]

secure_vector< uint8_t > Botan::hex_decode_locked ( std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 153 of file hex.cpp.

153 {
154 return hex_decode_locked(input.data(), input.size(), ignore_ws);
155}
secure_vector< uint8_t > hex_decode_locked(const char input[], size_t input_length, bool ignore_ws)
Definition hex.cpp:144

References hex_decode_locked().

◆ hex_encode() [1/3]

void Botan::hex_encode ( char output[],
const uint8_t input[],
size_t input_length,
bool uppercase = true )

Perform hex encoding

Parameters
outputan array of at least input_length*2 bytes
inputis some binary data
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?

Definition at line 33 of file hex.cpp.

33 {
34 for(size_t i = 0; i != input_length; ++i) {
35 const uint8_t n0 = (input[i] >> 4) & 0xF;
36 const uint8_t n1 = (input[i]) & 0xF;
37
38 output[2 * i] = hex_encode_nibble(n0, uppercase);
39 output[2 * i + 1] = hex_encode_nibble(n1, uppercase);
40 }
41}

Referenced by botan_hex_encode(), create_hex_fingerprint(), hex_encode(), hex_encode(), Botan::TLS::Session_Manager_SQL::remove(), Botan::TLS::Session_Manager_SQL::retrieve_one(), Botan::TLS::Session_Manager_SQL::store(), Botan::BigInt::to_hex_string(), Botan::OctetString::to_string(), Botan::RTSS_Share::to_string(), Botan::UUID::to_string(), Botan::X509_Certificate::to_string(), Botan::HTTP::url_encode(), and Botan::UUID::UUID().

◆ hex_encode() [2/3]

std::string Botan::hex_encode ( const uint8_t input[],
size_t input_length,
bool uppercase = true )

Perform hex encoding

Parameters
inputsome input
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 43 of file hex.cpp.

43 {
44 std::string output(2 * input_length, 0);
45
46 if(input_length) {
47 hex_encode(&output.front(), input, input_length, uppercase);
48 }
49
50 return output;
51}

References hex_encode().

◆ hex_encode() [3/3]

std::string Botan::hex_encode ( std::span< const uint8_t > input,
bool uppercase = true )
inline

Perform hex encoding

Parameters
inputsome input
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 43 of file hex.h.

43 {
44 return hex_encode(input.data(), input.size(), uppercase);
45}

References hex_encode().

◆ high_bit()

template<typename T >
requires (std::is_unsigned<T>::value)
constexpr size_t Botan::high_bit ( T n)
inlineconstexpr

Return the index of the highest set bit T is an unsigned integer type

Parameters
nan integer value
Returns
index of the highest set bit in n

Definition at line 58 of file bit_ops.h.

60{
61 size_t hb = 0;
62
63 for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) {
64 const size_t z = s * ((~ct_is_zero(n >> s)) & 1);
65 hb += z;
66 n >>= z;
67 }
68
69 hb += n;
70
71 return hb;
72}

References T.

Referenced by Botan::OID::encode_into(), random_prime(), and Botan::BigInt::top_bits_free().

◆ hkdf_expand_label()

secure_vector< uint8_t > BOTAN_TEST_API Botan::hkdf_expand_label ( std::string_view hash_fn,
const uint8_t secret[],
size_t secret_len,
std::string_view label,
const uint8_t hash_val[],
size_t hash_val_len,
size_t length )

HKDF-Expand-Label from TLS 1.3/QUIC

Parameters
hash_fnthe hash to use
secretthe secret bits
secret_lenthe length of secret
labelthe full label (no "TLS 1.3, " or "tls13 " prefix is applied)
hash_valthe previous hash value (used for chaining, may be empty)
hash_val_lenthe length of hash_val
lengththe desired output length

Definition at line 131 of file hkdf.cpp.

137 {
138 BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
139 BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
140 BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
141
142 const uint16_t length16 = static_cast<uint16_t>(length);
143
144 HKDF_Expand hkdf(MessageAuthenticationCode::create_or_throw(fmt("HMAC({})", hash_fn)));
145
146 secure_vector<uint8_t> output(length16);
147 std::vector<uint8_t> prefix(3 + label.size() + 1);
148
149 prefix[0] = get_byte<0>(length16);
150 prefix[1] = get_byte<1>(length16);
151 prefix[2] = static_cast<uint8_t>(label.size());
152
153 copy_mem(prefix.data() + 3, cast_char_ptr_to_uint8(label.data()), label.size());
154
155 prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
156
157 /*
158 * We do something a little dirty here to avoid copying the hash_val,
159 * making use of the fact that Botan's KDF interface supports label+salt,
160 * and knowing that our HKDF hashes first param label then param salt.
161 */
162 hkdf.kdf(output.data(), output.size(), secret, secret_len, hash_val, hash_val_len, prefix.data(), prefix.size());
163
164 return output;
165}

References BOTAN_ARG_CHECK, cast_char_ptr_to_uint8(), copy_mem(), Botan::MessageAuthenticationCode::create_or_throw(), fmt(), and Botan::HKDF_Expand::kdf().

◆ holds_any_of()

template<typename... Alts, typename... Ts>
constexpr bool Botan::holds_any_of ( const std::variant< Ts... > & v)
constexprnoexcept

Definition at line 278 of file stl_util.h.

278 {
279 return (std::holds_alternative<Alts>(v) || ...);
280}

Referenced by Botan::TLS::Channel_Impl_13::from_peer().

◆ host_wildcard_match()

BOTAN_TEST_API bool Botan::host_wildcard_match ( std::string_view wildcard,
std::string_view host )

Check if the given hostname is a match for the specified wildcard

Definition at line 207 of file parsing.cpp.

207 {
208 const std::string issued = tolower_string(issued_);
209 const std::string host = tolower_string(host_);
210
211 if(host.empty() || issued.empty()) {
212 return false;
213 }
214
215 /*
216 If there are embedded nulls in your issued name
217 Well I feel bad for you son
218 */
219 if(std::count(issued.begin(), issued.end(), char(0)) > 0) {
220 return false;
221 }
222
223 // If more than one wildcard, then issued name is invalid
224 const size_t stars = std::count(issued.begin(), issued.end(), '*');
225 if(stars > 1) {
226 return false;
227 }
228
229 // '*' is not a valid character in DNS names so should not appear on the host side
230 if(std::count(host.begin(), host.end(), '*') != 0) {
231 return false;
232 }
233
234 // Similarly a DNS name can't end in .
235 if(host[host.size() - 1] == '.') {
236 return false;
237 }
238
239 // And a host can't have an empty name component, so reject that
240 if(host.find("..") != std::string::npos) {
241 return false;
242 }
243
244 // Exact match: accept
245 if(issued == host) {
246 return true;
247 }
248
249 /*
250 Otherwise it might be a wildcard
251
252 If the issued size is strictly longer than the hostname size it
253 couldn't possibly be a match, even if the issued value is a
254 wildcard. The only exception is when the wildcard ends up empty
255 (eg www.example.com matches www*.example.com)
256 */
257 if(issued.size() > host.size() + 1) {
258 return false;
259 }
260
261 // If no * at all then not a wildcard, and so not a match
262 if(stars != 1) {
263 return false;
264 }
265
266 /*
267 Now walk through the issued string, making sure every character
268 matches. When we come to the (singular) '*', jump forward in the
269 hostname by the corresponding amount. We know exactly how much
270 space the wildcard takes because it must be exactly `len(host) -
271 len(issued) + 1 chars`.
272
273 We also verify that the '*' comes in the leftmost component, and
274 doesn't skip over any '.' in the hostname.
275 */
276 size_t dots_seen = 0;
277 size_t host_idx = 0;
278
279 for(size_t i = 0; i != issued.size(); ++i) {
280 dots_seen += (issued[i] == '.');
281
282 if(issued[i] == '*') {
283 // Fail: wildcard can only come in leftmost component
284 if(dots_seen > 0) {
285 return false;
286 }
287
288 /*
289 Since there is only one * we know the tail of the issued and
290 hostname must be an exact match. In this case advance host_idx
291 to match.
292 */
293 const size_t advance = (host.size() - issued.size() + 1);
294
295 if(host_idx + advance > host.size()) { // shouldn't happen
296 return false;
297 }
298
299 // Can't be any intervening .s that we would have skipped
300 if(std::count(host.begin() + host_idx, host.begin() + host_idx + advance, '.') != 0) {
301 return false;
302 }
303
304 host_idx += advance;
305 } else {
306 if(issued[i] != host[host_idx]) {
307 return false;
308 }
309
310 host_idx += 1;
311 }
312 }
313
314 // Wildcard issued name must have at least 3 components
315 if(dots_seen < 2) {
316 return false;
317 }
318
319 return true;
320}
std::string tolower_string(std::string_view in)
Definition parsing.cpp:196

References tolower_string().

Referenced by Botan::X509_Certificate::matches_dns_name().

◆ ht_sign()

void Botan::ht_sign ( StrongSpan< SphincsHypertreeSignature > out_sig,
const SphincsTreeNode & message_to_sign,
const SphincsSecretSeed & secret_seed,
XmssTreeIndexInLayer tree_index_in_layer,
TreeNodeIndex idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

Creates a SPHINCS+ XMSS hypertree signature of message_to_sign. The signature is written into the buffer defined by out_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree is used for signing.

Definition at line 21 of file sp_hypertree.cpp.

27 {
28 BOTAN_ASSERT_NOMSG(out_sig.size() == params.ht_signature_bytes());
29 BufferStuffer ht_signature(out_sig);
30
31 Sphincs_Address wots_addr(Sphincs_Address_Type::WotsHash);
32 wots_addr.set_tree(tree_index_in_layer).set_keypair(idx_leaf);
33
34 Sphincs_Address tree_addr(Sphincs_Address_Type::HashTree);
35
36 SphincsTreeNode xmss_root;
37 for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {
38 // The first XMSS tree signs the message, the others their underlying XMSS tree root
39 const SphincsTreeNode& node_to_xmss_sign = (layer_idx == 0U) ? message_to_sign : xmss_root;
40
41 tree_addr.set_layer(layer_idx).set_tree(tree_index_in_layer);
42 wots_addr.copy_subtree_from(tree_addr).set_keypair(idx_leaf);
43
44 xmss_root = xmss_sign_and_pkgen(ht_signature.next<SphincsXmssSignature>(params.xmss_signature_bytes()),
45 node_to_xmss_sign,
46 secret_seed,
47 wots_addr,
48 tree_addr,
49 idx_leaf,
50 params,
51 hashes);
52
53 // Update the indices for the next layer.
54 idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));
55 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
56 }
57
58 BOTAN_ASSERT_NOMSG(ht_signature.full());
59}
uint32_t xmss_tree_height() const
uint32_t ht_signature_bytes() const
uint32_t xmss_signature_bytes() const
SphincsTreeNode xmss_sign_and_pkgen(StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &root, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
Definition sp_xmss.cpp:19

References BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferStuffer::full(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_keypair(), Botan::Sphincs_Address::set_layer(), Botan::Sphincs_Address::set_tree(), Botan::StrongSpan< T >::size(), WotsHash, xmss_sign_and_pkgen(), Botan::Sphincs_Parameters::xmss_signature_bytes(), and Botan::Sphincs_Parameters::xmss_tree_height().

◆ ht_verify()

bool Botan::ht_verify ( const SphincsTreeNode & signed_msg,
StrongSpan< const SphincsHypertreeSignature > ht_sig,
const SphincsTreeNode & pk_root,
XmssTreeIndexInLayer tree_index_in_layer,
TreeNodeIndex idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

Given a message signed_msg the SPHINCS+ XMSS hypertree is reconstructed using a hypertree signature ht_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree was used for signing.

Returns
true iff the top-most reconstructed root equals pk_root

Definition at line 61 of file sp_hypertree.cpp.

67 {
68 BOTAN_ASSERT_NOMSG(ht_sig.size() == params.ht_signature_bytes());
69 BufferSlicer sig_s(ht_sig);
70
71 Sphincs_Address wots_addr(Sphincs_Address_Type::WotsHash);
72 Sphincs_Address tree_addr(Sphincs_Address_Type::HashTree);
73 Sphincs_Address wots_pk_addr(Sphincs_Address_Type::WotsPublicKeyCompression);
74
75 SphincsTreeNode reconstructed_root(params.n());
76
77 // Each iteration reconstructs the root of one XMSS tree of the hypertree
78 for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {
79 // The first XMSS tree signs the message, the others their underlying XMSS tree root
80 const SphincsTreeNode& current_root = (layer_idx == 0U) ? signed_msg : reconstructed_root;
81
82 tree_addr.set_layer(layer_idx);
83 tree_addr.set_tree(tree_index_in_layer);
84
85 wots_addr.copy_subtree_from(tree_addr);
86 wots_addr.set_keypair(idx_leaf);
87
88 wots_pk_addr.copy_keypair_from(wots_addr);
89
90 const auto wots_pk = wots_public_key_from_signature(
91 current_root, sig_s.take<WotsSignature>(params.wots_bytes()), wots_addr, params, hashes);
92
93 // Compute the leaf node using the WOTS public key.
94 const auto leaf = hashes.T<SphincsTreeNode>(wots_pk_addr, wots_pk);
95
96 // Compute the root node of this subtree.
97 compute_root(StrongSpan<SphincsTreeNode>(reconstructed_root),
98 params,
99 hashes,
100 leaf,
101 idx_leaf,
102 0,
103 sig_s.take<SphincsAuthenticationPath>(params.xmss_tree_height() * params.n()),
104 params.xmss_tree_height(),
105 tree_addr);
106
107 // Update the indices for the next layer.
108 idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));
109 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
110 }
111
112 BOTAN_ASSERT_NOMSG(sig_s.empty());
113
114 // Check if the root node equals the root node in the public key.
115 return reconstructed_root == pk_root;
116}
uint32_t wots_bytes() const
WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
Definition sp_wots.cpp:97

References BOTAN_ASSERT_NOMSG, compute_root(), Botan::Sphincs_Address::copy_keypair_from(), Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_keypair(), Botan::Sphincs_Address::set_layer(), Botan::Sphincs_Address::set_tree(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::wots_bytes(), wots_public_key_from_signature(), WotsHash, WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().

◆ ieee1363_hash_id()

uint8_t Botan::ieee1363_hash_id ( std::string_view hash_name)

Return the IEEE 1363 hash identifier

Parameters
hash_namethe name of the hash function
Returns
uint8_t code identifying the hash, or 0 if not known

Definition at line 144 of file hash_id.cpp.

144 {
145 if(name == "SHA-1") {
146 return 0x33;
147 }
148
149 if(name == "SHA-224") {
150 return 0x38;
151 }
152 if(name == "SHA-256") {
153 return 0x34;
154 }
155 if(name == "SHA-384") {
156 return 0x36;
157 }
158 if(name == "SHA-512") {
159 return 0x35;
160 }
161
162 if(name == "RIPEMD-160") {
163 return 0x31;
164 }
165
166 if(name == "Whirlpool") {
167 return 0x37;
168 }
169
170 return 0;
171}

References name.

Referenced by Botan::EMSA_X931::EMSA_X931().

◆ if_work_factor()

size_t BOTAN_TEST_API Botan::if_work_factor ( size_t n_bits)

Estimate work factor for integer factorization

Parameters
n_bitssize of modulus in bits
Returns
estimated security level for this modulus

Definition at line 36 of file workfactor.cpp.

36 {
37 if(bits < 512) {
38 return 0;
39 }
40
41 // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest
42
43 const double log2_k = -5.6438; // log2(.02)
44 return nfs_workfactor(bits, log2_k);
45}

Referenced by dl_work_factor(), Botan::TPM_PrivateKey::estimated_strength(), and Botan::RSA_PublicKey::estimated_strength().

◆ ignore_param()

template<typename T >
void Botan::ignore_param ( T && )

Mark variable as unused.

Takes any number of arguments and marks all as unused, for instance BOTAN_UNUSED(a); or BOTAN_UNUSED(x, y, z);

Definition at line 111 of file assert.h.

111{}

Referenced by ignore_params().

◆ ignore_params()

template<typename... T>
void Botan::ignore_params ( T &&... args)

Definition at line 114 of file assert.h.

114 {
115 (ignore_param(args), ...);
116}
void ignore_param(T &&)
Definition assert.h:111

References ignore_param().

◆ initialize_allocator()

void BOTAN_UNSTABLE_API Botan::initialize_allocator ( )

Ensure the allocator is initialized

Definition at line 64 of file allocator.cpp.

64 {
65#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
66 mlock_allocator::instance();
67#endif
68}

References Botan::mlock_allocator::instance().

Referenced by Botan::Allocator_Initializer::Allocator_Initializer().

◆ intersects()

bool Botan::intersects ( ASN1_Class x,
ASN1_Class y )
inline

Definition at line 70 of file asn1_obj.h.

70 {
71 return static_cast<uint32_t>(x) & static_cast<uint32_t>(y);
72}

◆ inverse_mod()

BigInt Botan::inverse_mod ( const BigInt & x,
const BigInt & modulus )

Modular inversion. This algorithm is const time with respect to x, as long as x is less than modulus. It also avoids leaking information about the modulus, except that it does leak which of 3 categories the modulus is in: an odd integer, a power of 2, or some other even number, and if the modulus is even, leaks the power of 2 which divides the modulus.

Parameters
xa positive integer
modulusa positive integer
Returns
y st (x*y) % modulus == 1 or 0 if no such value

Definition at line 178 of file mod_inv.cpp.

178 {
179 if(mod.is_zero()) {
180 throw Invalid_Argument("inverse_mod modulus cannot be zero");
181 }
182 if(mod.is_negative() || n.is_negative()) {
183 throw Invalid_Argument("inverse_mod: arguments must be non-negative");
184 }
185 if(n.is_zero() || (n.is_even() && mod.is_even())) {
186 return BigInt::zero();
187 }
188
189 if(mod.is_odd()) {
190 /*
191 Fastpath for common case. This leaks if n is greater than mod or
192 not, but we don't guarantee const time behavior in that case.
193 */
194 if(n < mod) {
195 return inverse_mod_odd_modulus(n, mod);
196 } else {
197 return inverse_mod_odd_modulus(ct_modulo(n, mod), mod);
198 }
199 }
200
201 // If n is even and mod is even we already returned 0
202 // If n is even and mod is odd we jumped directly to odd-modulus algo
203 BOTAN_DEBUG_ASSERT(n.is_odd());
204
205 const size_t mod_lz = low_zero_bits(mod);
206 BOTAN_ASSERT_NOMSG(mod_lz > 0);
207 const size_t mod_bits = mod.bits();
208 BOTAN_ASSERT_NOMSG(mod_bits > mod_lz);
209
210 if(mod_lz == mod_bits - 1) {
211 // In this case we are performing an inversion modulo 2^k
212 return inverse_mod_pow2(n, mod_lz);
213 }
214
215 if(mod_lz == 1) {
216 /*
217 Inversion modulo 2*o is an easier special case of CRT
218
219 This is exactly the main CRT flow below but taking advantage of
220 the fact that any odd number ^-1 modulo 2 is 1. As a result both
221 inv_2k and c can be taken to be 1, m2k is 2, and h is always
222 either 0 or 1, and its value depends only on the low bit of inv_o.
223
224 This is worth special casing because we generate RSA primes such
225 that phi(n) is of this form. However this only works for keys
226 that we generated in this way; pre-existing keys will typically
227 fall back to the general algorithm below.
228 */
229
230 const BigInt o = mod >> 1;
231 const BigInt n_redc = ct_modulo(n, o);
232 const BigInt inv_o = inverse_mod_odd_modulus(n_redc, o);
233
234 // No modular inverse in this case:
235 if(inv_o == 0) {
236 return BigInt::zero();
237 }
238
239 BigInt h = inv_o;
240 h.ct_cond_add(!inv_o.get_bit(0), o);
241 return h;
242 }
243
244 /*
245 * In this case we are performing an inversion modulo 2^k*o for
246 * some k >= 2 and some odd (not necessarily prime) integer.
247 * Compute the inversions modulo 2^k and modulo o, then combine them
248 * using CRT, which is possible because 2^k and o are relatively prime.
249 */
250
251 const BigInt o = mod >> mod_lz;
252 const BigInt n_redc = ct_modulo(n, o);
253 const BigInt inv_o = inverse_mod_odd_modulus(n_redc, o);
254 const BigInt inv_2k = inverse_mod_pow2(n, mod_lz);
255
256 // No modular inverse in this case:
257 if(inv_o == 0 || inv_2k == 0) {
258 return BigInt::zero();
259 }
260
261 const BigInt m2k = BigInt::power_of_2(mod_lz);
262 // Compute the CRT parameter
263 const BigInt c = inverse_mod_pow2(o, mod_lz);
264
265 // Compute h = c*(inv_2k-inv_o) mod 2^k
266 BigInt h = c * (inv_2k - inv_o);
267 const bool h_neg = h.is_negative();
268 h.set_sign(BigInt::Positive);
269 h.mask_bits(mod_lz);
270 const bool h_nonzero = h.is_nonzero();
271 h.ct_cond_assign(h_nonzero && h_neg, m2k - h);
272
273 // Return result inv_o + h * o
274 h *= o;
275 h += inv_o;
276 return h;
277}
size_t low_zero_bits(const BigInt &n)
Definition numthry.cpp:167
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition divide.cpp:117

References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), low_zero_bits(), Botan::BigInt::mask_bits(), Botan::BigInt::Positive, Botan::BigInt::power_of_2(), Botan::BigInt::set_sign(), and Botan::BigInt::zero().

Referenced by botan_mp_mod_inverse(), Botan::RSA_PrivateKey::check_key(), Botan::Montgomery_Params::inv_mod_p(), Botan::DL_Group::inverse_mod_p(), Botan::DL_Group::inverse_mod_q(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ ipv4_to_string()

std::string Botan::ipv4_to_string ( uint32_t ip_addr)

Convert an IPv4 address to a string

Parameters
ip_addrthe IPv4 address to convert
Returns
string representation of the IPv4 address

Definition at line 181 of file parsing.cpp.

181 {
182 std::string str;
183 uint8_t bits[4];
184 store_be(ip, bits);
185
186 for(size_t i = 0; i != 4; ++i) {
187 if(i > 0) {
188 str += ".";
189 }
190 str += std::to_string(bits[i]);
191 }
192
193 return str;
194}

References store_be().

Referenced by Botan::AlternativeName::decode_from(), and Botan::GeneralName::decode_from().

◆ is_bailie_psw_probable_prime() [1/2]

bool Botan::is_bailie_psw_probable_prime ( const BigInt & n)

Perform Bailie-PSW primality test

This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.

Parameters
nthe positive integer to test
Returns
true if n seems probably prime, false if n is composite

Definition at line 101 of file primality.cpp.

101 {
102 Modular_Reducer mod_n(n);
103 return is_bailie_psw_probable_prime(n, mod_n);
104}
bool is_bailie_psw_probable_prime(const BigInt &n, const Modular_Reducer &mod_n)
Definition primality.cpp:89

References is_bailie_psw_probable_prime().

◆ is_bailie_psw_probable_prime() [2/2]

bool BOTAN_TEST_API Botan::is_bailie_psw_probable_prime ( const BigInt & n,
const Modular_Reducer & mod_n )

Perform Bailie-PSW primality test

This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.

Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 89 of file primality.cpp.

89 {
90 if(n == 2) {
91 return true;
92 } else if(n <= 1 || n.is_even()) {
93 return false;
94 }
95
96 auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
97 const auto base = BigInt::from_word(2);
98 return passes_miller_rabin_test(n, mod_n, monty_n, base) && is_lucas_probable_prime(n, mod_n);
99}
bool passes_miller_rabin_test(const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
bool is_lucas_probable_prime(const BigInt &C, const Modular_Reducer &mod_C)
Definition primality.cpp:18

References Botan::BigInt::from_word(), Botan::BigInt::is_even(), is_lucas_probable_prime(), and passes_miller_rabin_test().

Referenced by is_bailie_psw_probable_prime(), and is_prime().

◆ is_generalizable_to() [1/2]

template<typename GeneralVariantT , typename SpecialT >
constexpr bool Botan::is_generalizable_to ( const SpecialT & )
constexprnoexcept

Definition at line 283 of file stl_util.h.

283 {
284 return std::is_constructible_v<GeneralVariantT, SpecialT>;
285}

◆ is_generalizable_to() [2/2]

template<typename GeneralVariantT , typename... SpecialTs>
constexpr bool Botan::is_generalizable_to ( const std::variant< SpecialTs... > & )
constexprnoexcept

Definition at line 288 of file stl_util.h.

288 {
289 return (std::is_constructible_v<GeneralVariantT, SpecialTs> && ...);
290}

◆ is_lucas_probable_prime()

bool BOTAN_TEST_API Botan::is_lucas_probable_prime ( const BigInt & n,
const Modular_Reducer & mod_n )

Perform Lucas primality test

See also
FIPS 186-4 C.3.3
Warning
it is possible to construct composite integers which pass this test alone.
Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 18 of file primality.cpp.

18 {
19 if(C == 2 || C == 3 || C == 5 || C == 7 || C == 11 || C == 13) {
20 return true;
21 }
22
23 if(C <= 1 || C.is_even()) {
24 return false;
25 }
26
27 BigInt D = BigInt::from_word(5);
28
29 for(;;) {
30 int32_t j = jacobi(D, C);
31 if(j == 0) {
32 return false;
33 }
34
35 if(j == -1) {
36 break;
37 }
38
39 // Check 5, -7, 9, -11, 13, -15, 17, ...
40 if(D.is_negative()) {
41 D.flip_sign();
42 D += 2;
43 } else {
44 D += 2;
45 D.flip_sign();
46 }
47
48 if(D == 17 && is_perfect_square(C).is_nonzero()) {
49 return false;
50 }
51 }
52
53 const BigInt K = C + 1;
54 const size_t K_bits = K.bits() - 1;
55
56 BigInt U = BigInt::one();
57 BigInt V = BigInt::one();
58
59 BigInt Ut, Vt, U2, V2;
60
61 for(size_t i = 0; i != K_bits; ++i) {
62 const bool k_bit = K.get_bit(K_bits - 1 - i);
63
64 Ut = mod_C.multiply(U, V);
65
66 Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U)));
67 Vt.ct_cond_add(Vt.is_odd(), C);
68 Vt >>= 1;
69 Vt = mod_C.reduce(Vt);
70
71 U = Ut;
72 V = Vt;
73
74 U2 = mod_C.reduce(Ut + Vt);
75 U2.ct_cond_add(U2.is_odd(), C);
76 U2 >>= 1;
77
78 V2 = mod_C.reduce(Vt + Ut * D);
79 V2.ct_cond_add(V2.is_odd(), C);
80 V2 >>= 1;
81
82 U.ct_cond_assign(k_bit, U2);
83 V.ct_cond_assign(k_bit, V2);
84 }
85
86 return (U == 0);
87}
BigInt is_perfect_square(const BigInt &C)
Definition numthry.cpp:323
int32_t jacobi(const BigInt &a, const BigInt &n)
Definition numthry.cpp:116

References Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::flip_sign(), Botan::BigInt::from_word(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), is_perfect_square(), jacobi(), Botan::Modular_Reducer::multiply(), Botan::BigInt::one(), Botan::Modular_Reducer::reduce(), and Botan::Modular_Reducer::square().

Referenced by is_bailie_psw_probable_prime(), is_prime(), and random_prime().

◆ is_miller_rabin_probable_prime()

bool BOTAN_TEST_API Botan::is_miller_rabin_probable_prime ( const BigInt & n,
const Modular_Reducer & mod_n,
RandomNumberGenerator & rng,
size_t t )

Perform t iterations of a Miller-Rabin primality test with random bases

Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
rnga random number generator
tnumber of tests to perform
Returns
result of primality test

Definition at line 150 of file primality.cpp.

153 {
154 if(n < 3 || n.is_even()) {
155 return false;
156 }
157
158 auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
159
160 for(size_t i = 0; i != test_iterations; ++i) {
161 const BigInt a = BigInt::random_integer(rng, BigInt::from_word(2), n);
162
163 if(!passes_miller_rabin_test(n, mod_n, monty_n, a)) {
164 return false;
165 }
166 }
167
168 // Failed to find a counterexample
169 return true;
170}

References Botan::BigInt::from_word(), Botan::BigInt::is_even(), passes_miller_rabin_test(), and Botan::BigInt::random_integer().

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

◆ is_passhash9_alg_supported()

bool Botan::is_passhash9_alg_supported ( uint8_t alg_id)

Check if the PRF used with PBKDF2 is supported

Parameters
alg_idalg_id used in generate_passhash9()

Definition at line 128 of file passhash9.cpp.

128 {
129 if(get_pbkdf_prf(alg_id)) {
130 return true;
131 }
132 return false;
133}

◆ is_perfect_square()

BigInt Botan::is_perfect_square ( const BigInt & x)

Test if the positive integer x is a perfect square ie if there exists some positive integer y st y*y == x See FIPS 186-4 sec C.4

Returns
0 if the integer is not a perfect square, otherwise returns the positive y st y*y == x

Definition at line 323 of file numthry.cpp.

323 {
324 if(C < 1) {
325 throw Invalid_Argument("is_perfect_square requires C >= 1");
326 }
327 if(C == 1) {
328 return BigInt::one();
329 }
330
331 const size_t n = C.bits();
332 const size_t m = (n + 1) / 2;
333 const BigInt B = C + BigInt::power_of_2(m);
334
335 BigInt X = BigInt::power_of_2(m) - 1;
336 BigInt X2 = (X * X);
337
338 for(;;) {
339 X = (X2 + C) / (2 * X);
340 X2 = (X * X);
341
342 if(X2 < B) {
343 break;
344 }
345 }
346
347 if(X2 == C) {
348 return X;
349 } else {
350 return BigInt::zero();
351 }
352}

References Botan::BigInt::bits(), Botan::BigInt::one(), Botan::BigInt::power_of_2(), X, and Botan::BigInt::zero().

Referenced by is_lucas_probable_prime().

◆ is_power_of_2()

template<typename T >
requires (std::is_unsigned<T>::value)
constexpr bool Botan::is_power_of_2 ( T arg)
inlineconstexpr

Power of 2 test. T should be an unsigned integer type

Parameters
argan integer value
Returns
true iff arg is 2^n for some n > 0

Definition at line 45 of file bit_ops.h.

47{
48 return (arg != 0) && (arg != 1) && ((arg & static_cast<T>(arg - 1)) == 0);
49}

References T.

Referenced by operator%(), Botan::BigInt::operator%=(), Botan::BigInt::operator/=(), Botan::Scrypt::Scrypt(), and Botan::CTR_BE::seek().

◆ is_prime()

bool Botan::is_prime ( const BigInt & n,
RandomNumberGenerator & rng,
size_t prob = 64,
bool is_random = false )

Check for primality

Parameters
na positive integer to test for primality
rnga random number generator
probchance of false positive is bounded by 1/2**prob
is_randomtrue if n was randomly chosen by us
Returns
true if all primality tests passed, otherwise false

Definition at line 357 of file numthry.cpp.

357 {
358 if(n == 2) {
359 return true;
360 }
361 if(n <= 1 || n.is_even()) {
362 return false;
363 }
364
365 const size_t n_bits = n.bits();
366
367 // Fast path testing for small numbers (<= 65521)
368 if(n_bits <= 16) {
369 const uint16_t num = static_cast<uint16_t>(n.word_at(0));
370
371 return std::binary_search(PRIMES, PRIMES + PRIME_TABLE_SIZE, num);
372 }
373
374 Modular_Reducer mod_n(n);
375
376 if(rng.is_seeded()) {
377 const size_t t = miller_rabin_test_iterations(n_bits, prob, is_random);
378
379 if(is_miller_rabin_probable_prime(n, mod_n, rng, t) == false) {
380 return false;
381 }
382
383 if(is_random) {
384 return true;
385 } else {
386 return is_lucas_probable_prime(n, mod_n);
387 }
388 } else {
389 return is_bailie_psw_probable_prime(n, mod_n);
390 }
391}
word word_at(size_t n) const
Definition bigint.h:518
virtual bool is_seeded() const =0

References Botan::BigInt::bits(), is_bailie_psw_probable_prime(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::RandomNumberGenerator::is_seeded(), miller_rabin_test_iterations(), PRIME_TABLE_SIZE, PRIMES, and Botan::BigInt::word_at().

Referenced by botan_mp_is_prime(), Botan::RSA_PrivateKey::check_key(), Botan::DL_Group::DL_Group(), generate_dsa_primes(), random_safe_prime(), Botan::EC_Group::verify_group(), and Botan::DL_Group::verify_group().

◆ jacobi()

int32_t Botan::jacobi ( const BigInt & a,
const BigInt & n )

Compute the Jacobi symbol. If n is prime, this is equivalent to the Legendre symbol.

See also
http://mathworld.wolfram.com/JacobiSymbol.html
Parameters
ais a non-negative integer
nis an odd integer > 1
Returns
(n / m)

Definition at line 116 of file numthry.cpp.

116 {
117 if(n.is_even() || n < 2) {
118 throw Invalid_Argument("jacobi: second argument must be odd and > 1");
119 }
120
121 BigInt x = a % n;
122 BigInt y = n;
123 int32_t J = 1;
124
125 while(y > 1) {
126 x %= y;
127 if(x > y / 2) {
128 x = y - x;
129 if(y % 4 == 3) {
130 J = -J;
131 }
132 }
133 if(x.is_zero()) {
134 return 0;
135 }
136
137 size_t shifts = low_zero_bits(x);
138 x >>= shifts;
139 if(shifts % 2) {
140 word y_mod_8 = y % 8;
141 if(y_mod_8 == 3 || y_mod_8 == 5) {
142 J = -J;
143 }
144 }
145
146 if(x % 4 == 3 && y % 4 == 3) {
147 J = -J;
148 }
149 std::swap(x, y);
150 }
151 return J;
152}

References Botan::BigInt::is_even(), Botan::BigInt::is_zero(), and low_zero_bits().

Referenced by Botan::DL_Group::DL_Group(), is_lucas_probable_prime(), and sqrt_modulo_prime().

◆ keccak_absorb_padded_strings_encoding()

template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
size_t Botan::keccak_absorb_padded_strings_encoding ( T & sink,
size_t padding_mod,
Ts... byte_strings )

This is a combination of the functions encode_string() and bytepad() defined in NIST SP.800-185 Section 2.3. Additionally, the result is directly streamed into the provided XOF to avoid unneccessary memory allocation or a byte vector.

Parameters
sinkthe XOF or byte vector to absorb the byte_strings into
padding_modthe modulus value to create a padding for (NIST calls this 'w')
byte_stringsa variable-length list of byte strings to be encoded and absorbed into the given xof
Returns
the number of bytes absorbed into the xof

Definition at line 91 of file keccak_helpers.h.

91 {
92 BOTAN_ASSERT_NOMSG(padding_mod > 0);
93
94 // used as temporary storage for all integer encodings in this function
95 std::array<uint8_t, keccak_max_int_encoding_size()> int_encoding_buffer;
96
97 // absorbs byte strings and counts the number of absorbed bytes
98 size_t bytes_absorbed = 0;
99 auto absorb = [&](std::span<const uint8_t> bytes) {
100 if constexpr(updatable_object<T>) {
101 sink.update(bytes);
102 } else if constexpr(appendable_object<T>) {
103 sink.insert(sink.end(), bytes.begin(), bytes.end());
104 }
105 bytes_absorbed += bytes.size();
106 };
107
108 // encodes a given string and absorbs it into the XOF straight away
109 auto encode_string_and_absorb = [&](std::span<const uint8_t> bytes) {
110 absorb(keccak_int_left_encode(int_encoding_buffer, bytes.size() * 8));
111 absorb(bytes);
112 };
113
114 // absorbs as many zero-bytes as requested into the XOF
115 auto absorb_padding = [&](size_t padding_bytes) {
116 for(size_t i = 0; i < padding_bytes; ++i) {
117 const uint8_t zero_byte = 0;
118 absorb({&zero_byte, 1});
119 }
120 };
121
122 // implementation of bytepad(encode_string(Ts) || ...) that absorbs the result
123 // staight into the given xof
124 absorb(keccak_int_left_encode(int_encoding_buffer, padding_mod));
125 (encode_string_and_absorb(byte_strings), ...);
126 absorb_padding(padding_mod - (bytes_absorbed % padding_mod));
127
128 return bytes_absorbed;
129}
std::span< const uint8_t > keccak_int_left_encode(std::span< uint8_t > out, size_t x)
constexpr size_t keccak_max_int_encoding_size()

References BOTAN_ASSERT_NOMSG, keccak_int_left_encode(), and keccak_max_int_encoding_size().

◆ keccak_int_encoding_size()

BOTAN_TEST_API size_t Botan::keccak_int_encoding_size ( size_t x)
Returns
the required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode() given an integer x

Definition at line 54 of file keccak_helpers.cpp.

54 {
55 return int_encoding_size(x) + 1 /* the length tag */;
56}

◆ keccak_int_left_encode()

BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_left_encode ( std::span< uint8_t > buffer,
size_t x )

Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the beginning of the string.

This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.

Parameters
bufferbuffer to write the left-encoding of x to. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.
xthe integer to be left-encoded
Returns
the byte span that represents the bytes written to buffer.

Definition at line 41 of file keccak_helpers.cpp.

41 {
42 BOTAN_ASSERT_NOMSG(!out.empty());
43 out[0] = encode(out.last(out.size() - 1), x);
44 return out.first(out[0] + 1 /* the length tag */);
45}

References BOTAN_ASSERT_NOMSG.

Referenced by keccak_absorb_padded_strings_encoding().

◆ keccak_int_right_encode()

BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_right_encode ( std::span< uint8_t > out,
size_t x )

Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the end of the string.

This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.

Parameters
outbuffer to write the right-encoding of x to. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.
xthe integer to be right-encoded
Returns
the byte span that represents the bytes written to buffer.

Definition at line 47 of file keccak_helpers.cpp.

47 {
48 const auto bytes_needed = encode(out, x);
49 BOTAN_ASSERT_NOMSG(out.size() >= bytes_needed + size_t(1));
50 out[bytes_needed] = bytes_needed;
51 return out.first(bytes_needed + 1 /* the length tag */);
52}

References BOTAN_ASSERT_NOMSG.

◆ keccak_max_int_encoding_size()

constexpr size_t Botan::keccak_max_int_encoding_size ( )
constexpr
Returns
the maximum required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode()

Definition at line 65 of file keccak_helpers.h.

65 {
66 return sizeof(size_t) + 1 /* the length tag */;
67}

Referenced by keccak_absorb_padded_strings_encoding().

◆ Keccak_Permutation_round()

void Botan::Keccak_Permutation_round ( uint64_t T[25],
const uint64_t A[25],
uint64_t RC )
inline

Definition at line 15 of file keccak_perm_round.h.

15 {
16 const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
17 const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
18 const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
19 const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
20 const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
21
22 const uint64_t D0 = rotl<1>(C0) ^ C3;
23 const uint64_t D1 = rotl<1>(C1) ^ C4;
24 const uint64_t D2 = rotl<1>(C2) ^ C0;
25 const uint64_t D3 = rotl<1>(C3) ^ C1;
26 const uint64_t D4 = rotl<1>(C4) ^ C2;
27
28 const uint64_t B00 = A[0] ^ D1;
29 const uint64_t B01 = rotl<44>(A[6] ^ D2);
30 const uint64_t B02 = rotl<43>(A[12] ^ D3);
31 const uint64_t B03 = rotl<21>(A[18] ^ D4);
32 const uint64_t B04 = rotl<14>(A[24] ^ D0);
33 T[0] = B00 ^ (~B01 & B02) ^ RC;
34 T[1] = B01 ^ (~B02 & B03);
35 T[2] = B02 ^ (~B03 & B04);
36 T[3] = B03 ^ (~B04 & B00);
37 T[4] = B04 ^ (~B00 & B01);
38
39 const uint64_t B05 = rotl<28>(A[3] ^ D4);
40 const uint64_t B06 = rotl<20>(A[9] ^ D0);
41 const uint64_t B07 = rotl<3>(A[10] ^ D1);
42 const uint64_t B08 = rotl<45>(A[16] ^ D2);
43 const uint64_t B09 = rotl<61>(A[22] ^ D3);
44 T[5] = B05 ^ (~B06 & B07);
45 T[6] = B06 ^ (~B07 & B08);
46 T[7] = B07 ^ (~B08 & B09);
47 T[8] = B08 ^ (~B09 & B05);
48 T[9] = B09 ^ (~B05 & B06);
49
50 const uint64_t B10 = rotl<1>(A[1] ^ D2);
51 const uint64_t B11 = rotl<6>(A[7] ^ D3);
52 const uint64_t B12 = rotl<25>(A[13] ^ D4);
53 const uint64_t B13 = rotl<8>(A[19] ^ D0);
54 const uint64_t B14 = rotl<18>(A[20] ^ D1);
55 T[10] = B10 ^ (~B11 & B12);
56 T[11] = B11 ^ (~B12 & B13);
57 T[12] = B12 ^ (~B13 & B14);
58 T[13] = B13 ^ (~B14 & B10);
59 T[14] = B14 ^ (~B10 & B11);
60
61 const uint64_t B15 = rotl<27>(A[4] ^ D0);
62 const uint64_t B16 = rotl<36>(A[5] ^ D1);
63 const uint64_t B17 = rotl<10>(A[11] ^ D2);
64 const uint64_t B18 = rotl<15>(A[17] ^ D3);
65 const uint64_t B19 = rotl<56>(A[23] ^ D4);
66 T[15] = B15 ^ (~B16 & B17);
67 T[16] = B16 ^ (~B17 & B18);
68 T[17] = B17 ^ (~B18 & B19);
69 T[18] = B18 ^ (~B19 & B15);
70 T[19] = B19 ^ (~B15 & B16);
71
72 const uint64_t B20 = rotl<62>(A[2] ^ D3);
73 const uint64_t B21 = rotl<55>(A[8] ^ D4);
74 const uint64_t B22 = rotl<39>(A[14] ^ D0);
75 const uint64_t B23 = rotl<41>(A[15] ^ D1);
76 const uint64_t B24 = rotl<2>(A[21] ^ D2);
77 T[20] = B20 ^ (~B21 & B22);
78 T[21] = B21 ^ (~B22 & B23);
79 T[22] = B22 ^ (~B23 & B24);
80 T[23] = B23 ^ (~B24 & B20);
81 T[24] = B24 ^ (~B20 & B21);
82}

References T.

◆ key_constraints_to_string()

std::string Botan::key_constraints_to_string ( Key_Constraints c)
inline

Definition at line 30 of file pkix_types.h.

30 {
31 return c.to_string();
32}
std::string to_string() const

◆ latin1_to_utf8()

BOTAN_TEST_API std::string Botan::latin1_to_utf8 ( const uint8_t chars[],
size_t len )

Definition at line 89 of file charset.cpp.

89 {
90 std::string s;
91 for(size_t i = 0; i != len; ++i) {
92 const uint32_t c = static_cast<uint8_t>(chars[i]);
93 append_utf8_for(s, c);
94 }
95 return s;
96}

Referenced by Botan::ASN1_String::decode_from().

◆ lcm()

BigInt Botan::lcm ( const BigInt & x,
const BigInt & y )

Least common multiple

Parameters
xa positive integer
ya positive integer
Returns
z, smallest integer such that z % x == 0 and z % y == 0

Definition at line 272 of file numthry.cpp.

272 {
273 if(a == b) {
274 return a;
275 }
276
277 auto ab = a * b;
278 ab.set_sign(BigInt::Positive); // ignore the signs of a & b
279 const auto g = gcd(a, b);
280 return ct_divide(ab, g);
281}

References ct_divide(), gcd(), Botan::BigInt::Positive, and Botan::BigInt::set_sign().

Referenced by Botan::RSA_PrivateKey::check_key(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ lex_to_gray()

gf2m Botan::lex_to_gray ( gf2m lex)
inline

Definition at line 38 of file code_based_util.h.

38 {
39 return (lex >> 1) ^ lex;
40}

Referenced by syndrome_init().

◆ load_3()

uint64_t Botan::load_3 ( const uint8_t in[3])
inline

Definition at line 19 of file ed25519_internal.h.

19 {
20 return static_cast<uint64_t>(in[0]) | (static_cast<uint64_t>(in[1]) << 8) | (static_cast<uint64_t>(in[2]) << 16);
21}

Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().

◆ load_4()

uint64_t Botan::load_4 ( const uint8_t * in)
inline

Definition at line 23 of file ed25519_internal.h.

23 {
24 return load_le<uint32_t>(in, 0);
25}

Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().

◆ load_be() [1/6]

template<typename T >
constexpr T Botan::load_be ( const uint8_t in[],
size_t off )
inlineconstexpr

Load a big-endian word

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th T of in, as a big-endian value

Load a big-endian unsigned integer

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th unsigned integer of in, as a big-endian value

Definition at line 194 of file loadstor.h.

194 {
195 in += off * sizeof(T);
196 T out = 0;
197 for(size_t i = 0; i != sizeof(T); ++i) {
198 out = static_cast<T>((out << 8) | in[i]);
199 }
200 return out;
201}

References T.

◆ load_be() [2/6]

template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::load_be ( const uint8_t in[],
Ts &... outs )
inlineconstexpr

Load many big-endian unsigned integers

Parameters
ina pointer to some bytes
outsa arbitrary-length parameter list of unsigned integers to be loaded

Definition at line 284 of file loadstor.h.

284 {
285 constexpr auto bytes = (sizeof(outs) + ...);
286 // asserts that *in points to the correct amount of memory
287 load_be(std::span<const uint8_t, bytes>(in, bytes), outs...);
288}
constexpr T load_be(InR &&in_range)
Definition loadstor.h:92

References load_be().

◆ load_be() [3/6]

template<ranges::contiguous_range< uint8_t > InR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::load_be ( InR && in,
Ts &... outs )
inlineconstexpr

Load many big-endian unsigned integers

Parameters
ina fixed-length span to some bytes
outsa arbitrary-length parameter list of unsigned integers to be loaded

Definition at line 250 of file loadstor.h.

250 {
251 ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(in);
252 auto load_one = [off = 0]<typename T>(auto i, T& o) mutable {
253 o = load_be<T>(i.subspan(off).template first<sizeof(T)>());
254 off += sizeof(T);
255 };
256
257 (load_one(std::span{in}, outs), ...);
258}

References Botan::ranges::assert_exact_byte_length(), and T.

◆ load_be() [4/6]

template<std::unsigned_integral T, ranges::contiguous_range< uint8_t > InR>
constexpr T Botan::load_be ( InR && in_range)
inlineconstexpr

Load a big-endian unsigned integer

Parameters
in_rangea fixed-length span with some bytes
Returns
T loaded from in, as a big-endian value

Definition at line 92 of file loadstor.h.

92 {
93 ranges::assert_exact_byte_length<sizeof(T)>(in_range);
94 std::span in{in_range};
95 if constexpr(sizeof(T) == 1) {
96 return static_cast<T>(in[0]);
97 } else {
98#if defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
99 return typecast_copy<T>(in);
100#elif defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
101 return reverse_bytes(typecast_copy<T>(in));
102#else
103 return [&]<size_t... i>(std::index_sequence<i...>) {
104 return ((static_cast<T>(in[i]) << ((sizeof(T) - i - 1) * 8)) | ...);
105 }
106 (std::make_index_sequence<sizeof(T)>());
107#endif
108 }
109}
constexpr uint16_t reverse_bytes(uint16_t x)
Definition bswap.h:19

References reverse_bytes(), and T.

Referenced by Botan::SHA_1::compress_n(), Botan::Whirlpool::compress_n(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), load_be(), and Botan::SIMD_4x32::load_be().

◆ load_be() [5/6]

template<ranges::contiguous_range< uint8_t > InR>
constexpr auto Botan::load_be ( InR && in_range)
inlineconstexpr

Load a big-endian unsigned integer, auto-detect the output type

Parameters
in_rangea statically-sized range with some bytes
Returns
T loaded from in, as a big-endian value

Definition at line 183 of file loadstor.h.

183 {
184 return load_be<decltype(details::default_load_type(in_range)), InR>(std::forward<InR>(in_range));
185}

◆ load_be() [6/6]

template<typename T >
constexpr void Botan::load_be ( T out[],
const uint8_t in[],
size_t count )
inlineconstexpr

Load a variable number of big-endian words

Parameters
outthe output array of words
inthe input array of bytes
counthow many words are in in

Definition at line 334 of file loadstor.h.

334 {
335 if(count > 0) {
336#if defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
337 typecast_copy(out, in, count);
338
339#elif defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
340 typecast_copy(out, in, count);
341
342 for(size_t i = 0; i != count; ++i) {
343 out[i] = reverse_bytes(out[i]);
344 }
345#else
346 for(size_t i = 0; i != count; ++i)
347 out[i] = load_be<T>(in, i);
348#endif
349 }
350}
constexpr void typecast_copy(ToR &&out, FromR &&in)
Definition mem_ops.h:176

References reverse_bytes(), and typecast_copy().

◆ load_le() [1/6]

template<typename T >
constexpr T Botan::load_le ( const uint8_t in[],
size_t off )
inlineconstexpr

Load a little-endian word

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th T of in, as a litte-endian value

Load a little-endian unsigned integer

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th unsigned integer of in, as a little-endian value

Definition at line 210 of file loadstor.h.

210 {
211 in += off * sizeof(T);
212 T out = 0;
213 for(size_t i = 0; i != sizeof(T); ++i) {
214 out = (out << 8) | in[sizeof(T) - 1 - i];
215 }
216 return out;
217}

References T.

◆ load_le() [2/6]

template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::load_le ( const uint8_t in[],
Ts &... outs )
inlineconstexpr

Load many little-endian unsigned integers

Parameters
ina pointer to some bytes
outsa arbitrary-length parameter list of unsigned integers to be loaded

Definition at line 297 of file loadstor.h.

297 {
298 constexpr auto bytes = (sizeof(outs) + ...);
299 // asserts that *in points to the correct amount of memory
300 load_le(std::span<const uint8_t, bytes>(in, bytes), outs...);
301}
constexpr T load_le(InR &&in_range)
Definition loadstor.h:117

References load_le().

◆ load_le() [3/6]

template<ranges::contiguous_range< uint8_t > InR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::load_le ( InR && in,
Ts &... outs )
inlineconstexpr

Load many little-endian unsigned integers

Parameters
ina fixed-length span to some bytes
outsa arbitrary-length parameter list of unsigned integers to be loaded

Definition at line 267 of file loadstor.h.

267 {
268 ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(in);
269 auto load_one = [off = 0]<typename T>(auto i, T& o) mutable {
270 o = load_le<T>(i.subspan(off).template first<sizeof(T)>());
271 off += sizeof(T);
272 };
273
274 (load_one(std::span{in}, outs), ...);
275}

References Botan::ranges::assert_exact_byte_length(), and T.

◆ load_le() [4/6]

template<std::unsigned_integral T, ranges::contiguous_range< uint8_t > InR>
constexpr T Botan::load_le ( InR && in_range)
inlineconstexpr

Load a little-endian unsigned integer

Parameters
in_rangea fixed-length span with some bytes
Returns
T loaded from in, as a little-endian value

Definition at line 117 of file loadstor.h.

117 {
118 ranges::assert_exact_byte_length<sizeof(T)>(in_range);
119 std::span in{in_range};
120 if constexpr(sizeof(T) == 1) {
121 return static_cast<T>(in[0]);
122 } else {
123#if defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
124 return reverse_bytes(typecast_copy<T>(in));
125#elif defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
126 return typecast_copy<T>(in);
127#else
128 return [&]<size_t... i>(std::index_sequence<i...>) {
129 return ((static_cast<T>(in[i]) << (i * 8)) | ...);
130 }
131 (std::make_index_sequence<sizeof(T)>());
132#endif
133 }
134}

References reverse_bytes(), and T.

Referenced by Botan::SIMD_8x32::BOTAN_FUNC_ISA(), Botan::SIMD_16x32::BOTAN_FUNC_ISA(), Botan::MD5::compress_n(), Botan::RIPEMD_160::compress_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), load_le(), and Botan::SIMD_4x32::load_le().

◆ load_le() [5/6]

template<ranges::contiguous_range< uint8_t > InR>
constexpr auto Botan::load_le ( InR && in_range)
inlineconstexpr

Load a little-endian unsigned integer, auto-detect the output type

Parameters
in_rangea statically-sized range with some bytes
Returns
T loaded from in, as a little-endian value

Definition at line 173 of file loadstor.h.

173 {
174 return load_le<decltype(details::default_load_type(in_range)), InR>(std::forward<InR>(in_range));
175}

◆ load_le() [6/6]

template<typename T >
constexpr void Botan::load_le ( T out[],
const uint8_t in[],
size_t count )
inlineconstexpr

Load a variable number of little-endian words

Parameters
outthe output array of words
inthe input array of bytes
counthow many words are in in

Definition at line 310 of file loadstor.h.

310 {
311 if(count > 0) {
312#if defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
313 typecast_copy(out, in, count);
314
315#elif defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
316 typecast_copy(out, in, count);
317
318 for(size_t i = 0; i != count; ++i)
319 out[i] = reverse_bytes(out[i]);
320#else
321 for(size_t i = 0; i != count; ++i)
322 out[i] = load_le<T>(in, i);
323#endif
324 }
325}

References reverse_bytes(), and typecast_copy().

◆ load_private_key()

std::unique_ptr< Private_Key > Botan::load_private_key ( const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > key_bits )

Definition at line 212 of file pk_algs.cpp.

213 {
214 const std::string oid_str = alg_id.oid().to_formatted_string();
215 const std::vector<std::string> alg_info = split_on(oid_str, '/');
216 std::string_view alg_name = alg_info[0];
217
218#if defined(BOTAN_HAS_RSA)
219 if(alg_name == "RSA") {
220 return std::make_unique<RSA_PrivateKey>(alg_id, key_bits);
221 }
222#endif
223
224#if defined(BOTAN_HAS_CURVE_25519)
225 if(alg_name == "Curve25519") {
226 return std::make_unique<Curve25519_PrivateKey>(alg_id, key_bits);
227 }
228#endif
229
230#if defined(BOTAN_HAS_ECDSA)
231 if(alg_name == "ECDSA") {
232 return std::make_unique<ECDSA_PrivateKey>(alg_id, key_bits);
233 }
234#endif
235
236#if defined(BOTAN_HAS_ECDH)
237 if(alg_name == "ECDH") {
238 return std::make_unique<ECDH_PrivateKey>(alg_id, key_bits);
239 }
240#endif
241
242#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
243 if(alg_name == "DH") {
244 return std::make_unique<DH_PrivateKey>(alg_id, key_bits);
245 }
246#endif
247
248#if defined(BOTAN_HAS_DSA)
249 if(alg_name == "DSA") {
250 return std::make_unique<DSA_PrivateKey>(alg_id, key_bits);
251 }
252#endif
253
254#if defined(BOTAN_HAS_FRODOKEM)
255 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
256 return std::make_unique<FrodoKEM_PrivateKey>(alg_id, key_bits);
257 }
258#endif
259
260#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
261 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
262 return std::make_unique<Kyber_PrivateKey>(alg_id, key_bits);
263 }
264#endif
265
266#if defined(BOTAN_HAS_MCELIECE)
267 if(alg_name == "McEliece") {
268 return std::make_unique<McEliece_PrivateKey>(key_bits);
269 }
270#endif
271
272#if defined(BOTAN_HAS_ECGDSA)
273 if(alg_name == "ECGDSA") {
274 return std::make_unique<ECGDSA_PrivateKey>(alg_id, key_bits);
275 }
276#endif
277
278#if defined(BOTAN_HAS_ECKCDSA)
279 if(alg_name == "ECKCDSA") {
280 return std::make_unique<ECKCDSA_PrivateKey>(alg_id, key_bits);
281 }
282#endif
283
284#if defined(BOTAN_HAS_ED25519)
285 if(alg_name == "Ed25519") {
286 return std::make_unique<Ed25519_PrivateKey>(alg_id, key_bits);
287 }
288#endif
289
290#if defined(BOTAN_HAS_GOST_34_10_2001)
291 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
292 return std::make_unique<GOST_3410_PrivateKey>(alg_id, key_bits);
293 }
294#endif
295
296#if defined(BOTAN_HAS_SM2)
297 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
298 return std::make_unique<SM2_PrivateKey>(alg_id, key_bits);
299 }
300#endif
301
302#if defined(BOTAN_HAS_ELGAMAL)
303 if(alg_name == "ElGamal") {
304 return std::make_unique<ElGamal_PrivateKey>(alg_id, key_bits);
305 }
306#endif
307
308#if defined(BOTAN_HAS_XMSS_RFC8391)
309 if(alg_name == "XMSS") {
310 return std::make_unique<XMSS_PrivateKey>(key_bits);
311 }
312#endif
313
314#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
315 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
316 return std::make_unique<Dilithium_PrivateKey>(alg_id, key_bits);
317 }
318#endif
319
320#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
321 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
322 return std::make_unique<SphincsPlus_PrivateKey>(alg_id, key_bits);
323 }
324#endif
325
326 throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
327}
const OID & oid() const
Definition asn1_obj.h:455
std::string to_formatted_string() const
Definition asn1_oid.cpp:114

References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().

◆ load_public_key()

std::unique_ptr< Public_Key > Botan::load_public_key ( const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > key_bits )

Definition at line 95 of file pk_algs.cpp.

96 {
97 const std::string oid_str = alg_id.oid().to_formatted_string();
98 const std::vector<std::string> alg_info = split_on(oid_str, '/');
99 std::string_view alg_name = alg_info[0];
100
101#if defined(BOTAN_HAS_RSA)
102 if(alg_name == "RSA") {
103 return std::make_unique<RSA_PublicKey>(alg_id, key_bits);
104 }
105#endif
106
107#if defined(BOTAN_HAS_CURVE_25519)
108 if(alg_name == "Curve25519") {
109 return std::make_unique<Curve25519_PublicKey>(alg_id, key_bits);
110 }
111#endif
112
113#if defined(BOTAN_HAS_MCELIECE)
114 if(alg_name == "McEliece") {
115 return std::make_unique<McEliece_PublicKey>(key_bits);
116 }
117#endif
118
119#if defined(BOTAN_HAS_FRODOKEM)
120 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
121 return std::make_unique<FrodoKEM_PublicKey>(alg_id, key_bits);
122 }
123#endif
124
125#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
126 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
127 return std::make_unique<Kyber_PublicKey>(alg_id, key_bits);
128 }
129#endif
130
131#if defined(BOTAN_HAS_ECDSA)
132 if(alg_name == "ECDSA") {
133 return std::make_unique<ECDSA_PublicKey>(alg_id, key_bits);
134 }
135#endif
136
137#if defined(BOTAN_HAS_ECDH)
138 if(alg_name == "ECDH") {
139 return std::make_unique<ECDH_PublicKey>(alg_id, key_bits);
140 }
141#endif
142
143#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
144 if(alg_name == "DH") {
145 return std::make_unique<DH_PublicKey>(alg_id, key_bits);
146 }
147#endif
148
149#if defined(BOTAN_HAS_DSA)
150 if(alg_name == "DSA") {
151 return std::make_unique<DSA_PublicKey>(alg_id, key_bits);
152 }
153#endif
154
155#if defined(BOTAN_HAS_ELGAMAL)
156 if(alg_name == "ElGamal") {
157 return std::make_unique<ElGamal_PublicKey>(alg_id, key_bits);
158 }
159#endif
160
161#if defined(BOTAN_HAS_ECGDSA)
162 if(alg_name == "ECGDSA") {
163 return std::make_unique<ECGDSA_PublicKey>(alg_id, key_bits);
164 }
165#endif
166
167#if defined(BOTAN_HAS_ECKCDSA)
168 if(alg_name == "ECKCDSA") {
169 return std::make_unique<ECKCDSA_PublicKey>(alg_id, key_bits);
170 }
171#endif
172
173#if defined(BOTAN_HAS_ED25519)
174 if(alg_name == "Ed25519") {
175 return std::make_unique<Ed25519_PublicKey>(alg_id, key_bits);
176 }
177#endif
178
179#if defined(BOTAN_HAS_GOST_34_10_2001)
180 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
181 return std::make_unique<GOST_3410_PublicKey>(alg_id, key_bits);
182 }
183#endif
184
185#if defined(BOTAN_HAS_SM2)
186 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
187 return std::make_unique<SM2_PublicKey>(alg_id, key_bits);
188 }
189#endif
190
191#if defined(BOTAN_HAS_XMSS_RFC8391)
192 if(alg_name == "XMSS") {
193 return std::make_unique<XMSS_PublicKey>(key_bits);
194 }
195#endif
196
197#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
198 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
199 return std::make_unique<Dilithium_PublicKey>(alg_id, key_bits);
200 }
201#endif
202
203#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
204 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
205 return std::make_unique<SphincsPlus_PublicKey>(alg_id, key_bits);
206 }
207#endif
208
209 throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
210}

References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().

Referenced by Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), and Botan::X509::load_key().

◆ lock()

template<typename T >
secure_vector< T > Botan::lock ( const std::vector< T > & in)

◆ low_zero_bits()

size_t Botan::low_zero_bits ( const BigInt & x)
Parameters
xan integer
Returns
count of the low zero bits in x, or, equivalently, the largest value of n such that 2^n divides x evenly. Returns zero if x is equal to zero.

Definition at line 167 of file numthry.cpp.

167 {
168 size_t low_zero = 0;
169
170 auto seen_nonempty_word = CT::Mask<word>::cleared();
171
172 for(size_t i = 0; i != n.size(); ++i) {
173 const word x = n.word_at(i);
174
175 // ctz(0) will return sizeof(word)
176 const size_t tz_x = ctz(x);
177
178 // if x > 0 we want to count tz_x in total but not any
179 // further words, so set the mask after the addition
180 low_zero += seen_nonempty_word.if_not_set_return(tz_x);
181
182 seen_nonempty_word |= CT::Mask<word>::expand(x);
183 }
184
185 // if we saw no words with x > 0 then n == 0 and the value we have
186 // computed is meaningless. Instead return BigInt::zero() in that case.
187 return static_cast<size_t>(seen_nonempty_word.if_set_return(low_zero));
188}
constexpr size_t ctz(T n)
Definition bit_ops.h:102

References Botan::CT::Mask< T >::cleared(), ctz(), Botan::CT::Mask< T >::expand(), Botan::BigInt::size(), and Botan::BigInt::word_at().

Referenced by inverse_mod(), jacobi(), passes_miller_rabin_test(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and sqrt_modulo_prime().

◆ majority()

template<typename T >
constexpr T Botan::majority ( T a,
T b,
T c )
inlineconstexpr

Definition at line 186 of file bit_ops.h.

186 {
187 /*
188 Considering each bit of a, b, c individually
189
190 If a xor b is set, then c is the deciding vote.
191
192 If a xor b is not set then either a and b are both set or both unset.
193 In either case the value of c doesn't matter, and examining b (or a)
194 allows us to determine which case we are in.
195 */
196 return choose(a ^ b, c, b);
197}
constexpr T choose(T mask, T a, T b)
Definition bit_ops.h:180

References choose().

Referenced by SHA2_32_F(), and SHA2_64_F().

◆ make_commoncrypto_block_cipher()

std::unique_ptr< BlockCipher > Botan::make_commoncrypto_block_cipher ( std::string_view name)

Definition at line 133 of file commoncrypto_block.cpp.

133 {
134 try {
136 return std::make_unique<CommonCrypto_BlockCipher>(name, opts);
137 } catch(CommonCrypto_Error& e) {
138 return nullptr;
139 }
140}

References commoncrypto_opts_from_algo_name(), make_commoncrypto_block_cipher(), and name.

Referenced by Botan::BlockCipher::create(), and make_commoncrypto_block_cipher().

◆ make_commoncrypto_cipher_mode()

std::unique_ptr< Cipher_Mode > Botan::make_commoncrypto_cipher_mode ( std::string_view name,
Cipher_Dir direction )

Definition at line 212 of file commoncrypto_mode.cpp.

212 {
213 try {
215 return std::make_unique<CommonCrypto_Cipher_Mode>(name, direction, opts);
216 } catch(CommonCrypto_Error& e) {
217 return nullptr;
218 }
219}
CommonCryptor_Opts commoncrypto_opts_from_algo(std::string_view algo)

References commoncrypto_opts_from_algo(), make_commoncrypto_cipher_mode(), and name.

Referenced by Botan::Cipher_Mode::create(), and make_commoncrypto_cipher_mode().

◆ make_commoncrypto_hash()

std::unique_ptr< HashFunction > Botan::make_commoncrypto_hash ( std::string_view name)

Definition at line 80 of file commoncrypto_hash.cpp.

80 {
81#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx) \
82 std::unique_ptr<HashFunction>(new CommonCrypto_HashFunction<CC_##ctx##_CTX>({std::string(name), \
83 CC_##hash##_DIGEST_LENGTH, \
84 CC_##hash##_BLOCK_BYTES, \
85 CC_##hash##_Init, \
86 CC_##hash##_Update, \
87 CC_##hash##_Final}));
88
89#define MAKE_COMMONCRYPTO_HASH_2(name, id) MAKE_COMMONCRYPTO_HASH_3(name, id, id)
90
91#define MAKE_COMMONCRYPTO_HASH_1(id) MAKE_COMMONCRYPTO_HASH_2(#id, id)
92
93#if defined(BOTAN_HAS_SHA2_32)
94 if(name == "SHA-224")
95 return MAKE_COMMONCRYPTO_HASH_3(name, SHA224, SHA256);
96 if(name == "SHA-256")
97 return MAKE_COMMONCRYPTO_HASH_2(name, SHA256);
98#endif
99#if defined(BOTAN_HAS_SHA2_64)
100 if(name == "SHA-384")
101 return MAKE_COMMONCRYPTO_HASH_3(name, SHA384, SHA512);
102 if(name == "SHA-512")
103 return MAKE_COMMONCRYPTO_HASH_2(name, SHA512);
104#endif
105
106#if defined(BOTAN_HAS_SHA1)
107 if(name == "SHA-1")
108 return MAKE_COMMONCRYPTO_HASH_2(name, SHA1);
109#endif
110
111 return nullptr;
112}
#define MAKE_COMMONCRYPTO_HASH_2(name, id)
#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx)

References MAKE_COMMONCRYPTO_HASH_2, MAKE_COMMONCRYPTO_HASH_3, and name.

Referenced by Botan::HashFunction::create().

◆ make_compressor()

Compression_Algorithm * Botan::make_compressor ( std::string_view type)
inline

Definition at line 130 of file compression.h.

130 {
131 return Compression_Algorithm::create(type).release();
132}

References Botan::Compression_Algorithm::create().

◆ make_decompressor()

Decompression_Algorithm * Botan::make_decompressor ( std::string_view type)
inline

Definition at line 136 of file compression.h.

136 {
137 return Decompression_Algorithm::create(type).release();
138}

References Botan::Decompression_Algorithm::create().

◆ make_uint16()

constexpr uint16_t Botan::make_uint16 ( uint8_t i0,
uint8_t i1 )
inlineconstexpr

Make a uint16_t from two bytes

Parameters
i0the first byte
i1the second byte
Returns
i0 || i1

Definition at line 50 of file loadstor.h.

50 {
51 return static_cast<uint16_t>((static_cast<uint16_t>(i0) << 8) | i1);
52}

Referenced by Botan::TLS::Certificate_Request_12::Certificate_Request_12(), Botan::TLS::TLS_Data_Reader::get_uint16_t(), Botan::TLS::TLS_Data_Reader::peek_uint16_t(), random_gf2m(), Botan::RTSS_Share::reconstruct(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().

◆ make_uint32()

constexpr uint32_t Botan::make_uint32 ( uint8_t i0,
uint8_t i1,
uint8_t i2,
uint8_t i3 )
inlineconstexpr

Make a uint32_t from four bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
Returns
i0 || i1 || i2 || i3

Definition at line 62 of file loadstor.h.

62 {
63 return ((static_cast<uint32_t>(i0) << 24) | (static_cast<uint32_t>(i1) << 16) | (static_cast<uint32_t>(i2) << 8) |
64 (static_cast<uint32_t>(i3)));
65}

Referenced by Botan::TLS::Certificate_12::Certificate_12(), Botan::TLS::Certificate_Status::Certificate_Status(), Botan::TLS::Stream_Handshake_IO::get_next_record(), Botan::TLS::TLS_Data_Reader::get_uint24_t(), Botan::TLS::TLS_Data_Reader::get_uint32_t(), and Botan::SIMD_4x32::splat_u8().

◆ make_uint64()

constexpr uint64_t Botan::make_uint64 ( uint8_t i0,
uint8_t i1,
uint8_t i2,
uint8_t i3,
uint8_t i4,
uint8_t i5,
uint8_t i6,
uint8_t i7 )
inlineconstexpr

Make a uint64_t from eight bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
i4the fifth byte
i5the sixth byte
i6the seventh byte
i7the eighth byte
Returns
i0 || i1 || i2 || i3 || i4 || i5 || i6 || i7

Definition at line 79 of file loadstor.h.

80 {
81 return ((static_cast<uint64_t>(i0) << 56) | (static_cast<uint64_t>(i1) << 48) | (static_cast<uint64_t>(i2) << 40) |
82 (static_cast<uint64_t>(i3) << 32) | (static_cast<uint64_t>(i4) << 24) | (static_cast<uint64_t>(i5) << 16) |
83 (static_cast<uint64_t>(i6) << 8) | (static_cast<uint64_t>(i7)));
84}

◆ map_keys_as_set() [1/2]

template<typename K , typename V >
std::set< K > Botan::map_keys_as_set ( const std::map< K, V > & kv)

Return the keys of a map as a std::set

Definition at line 60 of file stl_util.h.

60 {
61 std::set<K> s;
62 for(auto&& i : kv) {
63 s.insert(i.first);
64 }
65 return s;
66}

◆ map_keys_as_set() [2/2]

template<typename K , typename V >
std::set< K > Botan::map_keys_as_set ( const std::multimap< K, V > & kv)

Return the keys of a multimap as a std::set

Definition at line 72 of file stl_util.h.

72 {
73 std::set<K> s;
74 for(auto&& i : kv) {
75 s.insert(i.first);
76 }
77 return s;
78}

◆ map_remove_if()

template<typename T , typename Pred >
void Botan::map_remove_if ( Pred pred,
T & assoc )

Definition at line 127 of file stl_util.h.

127 {
128 auto i = assoc.begin();
129 while(i != assoc.end()) {
130 if(pred(i->first)) {
131 assoc.erase(i++);
132 } else {
133 i++;
134 }
135 }
136}

Referenced by Botan::TLS::Channel_Impl_12::activate_session().

◆ mceliece_decrypt() [1/3]

secure_vector< uint8_t > Botan::mceliece_decrypt ( secure_vector< gf2m > & error_pos,
const uint8_t * ciphertext,
size_t ciphertext_len,
const McEliece_PrivateKey & key )

p_err_pos_len must point to the available length of error_pos on input, the function will set it to the actual number of errors returned in the error_pos array

Definition at line 148 of file goppa_code.cpp.

151 {
152 const size_t dimension = key.get_dimension();
153 const size_t codimension = key.get_codimension();
154 const uint32_t t = key.get_goppa_polyn().get_degree();
155 polyn_gf2m syndrome_polyn(key.get_goppa_polyn().get_sp_field()); // init as zero polyn
156 const unsigned unused_pt_bits = dimension % 8;
157 const uint8_t unused_pt_bits_mask = (1 << unused_pt_bits) - 1;
158
159 if(ciphertext_len != (key.get_code_length() + 7) / 8) {
160 throw Invalid_Argument("wrong size of McEliece ciphertext");
161 }
162 const size_t cleartext_len = (key.get_message_word_bit_length() + 7) / 8;
163
164 if(cleartext_len != bit_size_to_byte_size(dimension)) {
165 throw Invalid_Argument("mce-decryption: wrong length of cleartext buffer");
166 }
167
168 secure_vector<uint32_t> syndrome_vec(bit_size_to_32bit_size(codimension));
169 matrix_arr_mul(key.get_H_coeffs(),
170 key.get_code_length(),
171 bit_size_to_32bit_size(codimension),
172 ciphertext,
173 syndrome_vec.data(),
174 syndrome_vec.size());
175
176 secure_vector<uint8_t> syndrome_byte_vec(bit_size_to_byte_size(codimension));
177 const size_t syndrome_byte_vec_size = syndrome_byte_vec.size();
178 for(size_t i = 0; i < syndrome_byte_vec_size; i++) {
179 syndrome_byte_vec[i] = static_cast<uint8_t>(syndrome_vec[i / 4] >> (8 * (i % 4)));
180 }
181
182 syndrome_polyn = polyn_gf2m(
183 t - 1, syndrome_byte_vec.data(), bit_size_to_byte_size(codimension), key.get_goppa_polyn().get_sp_field());
184
185 syndrome_polyn.get_degree();
186 error_pos = goppa_decode(syndrome_polyn, key.get_goppa_polyn(), key.get_sqrtmod(), key.get_Linv());
187
188 const size_t nb_err = error_pos.size();
189
190 secure_vector<uint8_t> cleartext(cleartext_len);
191 copy_mem(cleartext.data(), ciphertext, cleartext_len);
192
193 for(size_t i = 0; i < nb_err; i++) {
194 gf2m current = error_pos[i];
195
196 if(current >= cleartext_len * 8) {
197 // an invalid position, this shouldn't happen
198 continue;
199 }
200 cleartext[current / 8] ^= (1 << (current % 8));
201 }
202
203 if(unused_pt_bits) {
204 cleartext[cleartext_len - 1] &= unused_pt_bits_mask;
205 }
206
207 return cleartext;
208}
const std::vector< polyn_gf2m > & get_sqrtmod() const
Definition mceliece.h:120
size_t get_codimension() const
Definition mceliece.h:124
size_t get_dimension() const
Definition mceliece.h:122
const polyn_gf2m & get_goppa_polyn() const
const std::vector< gf2m > & get_Linv() const
Definition mceliece.h:118
const std::vector< uint32_t > & get_H_coeffs() const
Definition mceliece.h:116
size_t get_message_word_bit_length() const
size_t get_code_length() const
Definition mceliece.h:49
int get_degree() const
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition polyn_gf2m.h:76
size_t bit_size_to_byte_size(size_t bit_size)

References bit_size_to_32bit_size(), bit_size_to_byte_size(), copy_mem(), Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PrivateKey::get_codimension(), Botan::polyn_gf2m::get_degree(), Botan::McEliece_PrivateKey::get_dimension(), Botan::McEliece_PrivateKey::get_goppa_polyn(), Botan::McEliece_PrivateKey::get_H_coeffs(), Botan::McEliece_PrivateKey::get_Linv(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::polyn_gf2m::get_sp_field(), and Botan::McEliece_PrivateKey::get_sqrtmod().

◆ mceliece_decrypt() [2/3]

void Botan::mceliece_decrypt ( secure_vector< uint8_t > & plaintext,
secure_vector< uint8_t > & error_mask,
const uint8_t ciphertext[],
size_t ciphertext_len,
const McEliece_PrivateKey & key )

Definition at line 124 of file goppa_code.cpp.

128 {
129 secure_vector<gf2m> error_pos;
130 plaintext = mceliece_decrypt(error_pos, ciphertext, ciphertext_len, key);
131
132 const size_t code_length = key.get_code_length();
133 secure_vector<uint8_t> result((code_length + 7) / 8);
134 for(auto&& pos : error_pos) {
135 if(pos > code_length) {
136 throw Invalid_Argument("error position larger than code size");
137 }
138 result[pos / 8] |= (1 << (pos % 8));
139 }
140
141 error_mask = result;
142}
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)

References Botan::McEliece_PublicKey::get_code_length(), and mceliece_decrypt().

◆ mceliece_decrypt() [3/3]

void Botan::mceliece_decrypt ( secure_vector< uint8_t > & plaintext_out,
secure_vector< uint8_t > & error_mask_out,
const secure_vector< uint8_t > & ciphertext,
const McEliece_PrivateKey & key )

Definition at line 117 of file goppa_code.cpp.

120 {
121 mceliece_decrypt(plaintext_out, error_mask_out, ciphertext.data(), ciphertext.size(), key);
122}

References mceliece_decrypt().

Referenced by Botan::McEliece_PrivateKey::check_key(), mceliece_decrypt(), and mceliece_decrypt().

◆ mceliece_encrypt()

void Botan::mceliece_encrypt ( secure_vector< uint8_t > & ciphertext_out,
secure_vector< uint8_t > & error_mask_out,
const secure_vector< uint8_t > & plaintext,
const McEliece_PublicKey & key,
RandomNumberGenerator & rng )

Definition at line 109 of file mceliece.cpp.

113 {
114 const uint16_t code_length = static_cast<uint16_t>(key.get_code_length());
115
116 secure_vector<uint8_t> error_mask = create_random_error_vector(code_length, key.get_t(), rng);
117
118 secure_vector<uint8_t> ciphertext =
119 mult_by_pubkey(plaintext, key.get_public_matrix(), key.get_code_length(), key.get_t());
120
121 ciphertext ^= error_mask;
122
123 ciphertext_out.swap(ciphertext);
124 error_mask_out.swap(error_mask);
125}
size_t get_t() const
Definition mceliece.h:47
const std::vector< uint8_t > & get_public_matrix() const
Definition mceliece.h:53

References Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PublicKey::get_public_matrix(), and Botan::McEliece_PublicKey::get_t().

Referenced by Botan::McEliece_PrivateKey::check_key().

◆ mceliece_work_factor()

size_t Botan::mceliece_work_factor ( size_t code_size,
size_t t )

Estimate work factor for McEliece

Returns
estimated security level for these key parameters

Definition at line 89 of file mce_workfactor.cpp.

89 {
90 const size_t k = n - ceil_log2(n) * t;
91
92 double min = cout_total(n, k, t, 0, 0); // correspond a p=1
93 for(size_t p = 0; p != t / 2; ++p) {
94 double lwf = best_wf(n, k + 1, t, p);
95 if(lwf < 0) {
96 break;
97 }
98
99 min = std::min(min, lwf);
100 }
101
102 return static_cast<size_t>(min);
103}
constexpr uint8_t ceil_log2(T x)
Definition bit_ops.h:122

References ceil_log2().

Referenced by Botan::McEliece_PublicKey::estimated_strength().

◆ mgf1_mask()

void Botan::mgf1_mask ( HashFunction & hash,
const uint8_t in[],
size_t in_len,
uint8_t out[],
size_t out_len )

MGF1 from PKCS #1 v2.0

Parameters
hashhash function to use
ininput buffer
in_lensize of the input buffer in bytes
outoutput buffer. The buffer is XORed with the output of MGF1.
out_lensize of the output buffer in bytes

Definition at line 15 of file mgf1.cpp.

15 {
16 uint32_t counter = 0;
17
18 std::vector<uint8_t> buffer(hash.output_length());
19 while(out_len) {
20 hash.update(in, in_len);
21 hash.update_be(counter);
22 hash.final(buffer.data());
23
24 const size_t xored = std::min<size_t>(buffer.size(), out_len);
25 xor_buf(out, buffer.data(), xored);
26 out += xored;
27 out_len -= xored;
28
29 ++counter;
30 }
31}
virtual size_t output_length() const =0
void update_be(uint16_t val)
Definition buf_comp.cpp:13
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:340

References Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

◆ miller_rabin_test_iterations()

size_t Botan::miller_rabin_test_iterations ( size_t n_bits,
size_t prob,
bool random )

Return required number of Miller-Rabin tests in order to reach the specified probability of error.

Parameters
n_bitsthe bit-length of the integer being tested
probchance of false positive is bounded by 1/2**prob
randomis set if (and only if) the integer was randomly generated by us and thus cannot have been maliciously constructed.

Definition at line 172 of file primality.cpp.

172 {
173 const size_t base = (prob + 2) / 2; // worst case 4^-t error rate
174
175 /*
176 * If the candidate prime was maliciously constructed, we can't rely
177 * on arguments based on p being random.
178 */
179 if(random == false) {
180 return base;
181 }
182
183 /*
184 * For randomly chosen numbers we can use the estimates from
185 * http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf
186 *
187 * These values are derived from the inequality for p(k,t) given on
188 * the second page.
189 */
190 if(prob <= 128) {
191 if(n_bits >= 1536) {
192 return 4; // < 2^-133
193 }
194 if(n_bits >= 1024) {
195 return 6; // < 2^-133
196 }
197 if(n_bits >= 512) {
198 return 12; // < 2^-129
199 }
200 if(n_bits >= 256) {
201 return 29; // < 2^-128
202 }
203 }
204
205 /*
206 If the user desires a smaller error probability than we have
207 precomputed error estimates for, just fall back to using the worst
208 case error rate.
209 */
210 return base;
211}

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

◆ monty_execute()

BigInt Botan::monty_execute ( const Montgomery_Exponentation_State & precomputed_state,
const BigInt & k,
size_t max_k_bits )

Definition at line 150 of file monty_exp.cpp.

150 {
151 return precomputed_state.exponentiation(k, max_k_bits);
152}

References monty_execute().

Referenced by monty_execute(), monty_exp(), and passes_miller_rabin_test().

◆ monty_execute_vartime()

BigInt Botan::monty_execute_vartime ( const Montgomery_Exponentation_State & precomputed_state,
const BigInt & k )

Definition at line 154 of file monty_exp.cpp.

154 {
155 return precomputed_state.exponentiation_vartime(k);
156}

References monty_execute_vartime().

Referenced by monty_execute_vartime(), and monty_exp_vartime().

◆ monty_exp()

BigInt Botan::monty_exp ( const std::shared_ptr< const Montgomery_Params > & params_p,
const BigInt & g,
const BigInt & k,
size_t max_k_bits )
inline

Definition at line 41 of file monty_exp.h.

44 {
45 auto precomputed = monty_precompute(params_p, g, 4, true);
46 return monty_execute(*precomputed, k, max_k_bits);
47}
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const std::shared_ptr< const Montgomery_Params > &params, const BigInt &g, size_t window_bits, bool const_time)

References monty_execute(), and monty_precompute().

Referenced by power_mod().

◆ monty_exp_vartime()

BigInt Botan::monty_exp_vartime ( const std::shared_ptr< const Montgomery_Params > & params_p,
const BigInt & g,
const BigInt & k )
inline

Definition at line 49 of file monty_exp.h.

51 {
52 auto precomputed = monty_precompute(params_p, g, 4, false);
53 return monty_execute_vartime(*precomputed, k);
54}
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)

References monty_execute_vartime(), and monty_precompute().

Referenced by sqrt_modulo_prime().

◆ monty_inverse()

word Botan::monty_inverse ( word a)

Definition at line 16 of file monty.cpp.

16 {
17 if(a % 2 == 0) {
18 throw Invalid_Argument("monty_inverse only valid for odd integers");
19 }
20
21 /*
22 * From "A New Algorithm for Inversion mod p^k" by Çetin Kaya Koç
23 * https://eprint.iacr.org/2017/411.pdf sections 5 and 7.
24 */
25
26 word b = 1;
27 word r = 0;
28
29 for(size_t i = 0; i != BOTAN_MP_WORD_BITS; ++i) {
30 const word bi = b % 2;
31 r >>= 1;
32 r += bi << (BOTAN_MP_WORD_BITS - 1);
33
34 b -= a * bi;
35 b >>= 1;
36 }
37
38 // Now invert in addition space
39 r = (MP_WORD_MAX - r) + 1;
40
41 return r;
42}
const word MP_WORD_MAX
Definition mp_core.h:22

References BOTAN_MP_WORD_BITS, and MP_WORD_MAX.

Referenced by Botan::Montgomery_Params::Montgomery_Params(), and Botan::Montgomery_Params::Montgomery_Params().

◆ monty_multi_exp()

BigInt Botan::monty_multi_exp ( const std::shared_ptr< const Montgomery_Params > & params_p,
const BigInt & x,
const BigInt & z1,
const BigInt & y,
const BigInt & z2 )

Return (x^z1 * y^z2) % p

Definition at line 158 of file monty_exp.cpp.

162 {
163 if(z1.is_negative() || z2.is_negative()) {
164 throw Invalid_Argument("multi_exponentiate exponents must be positive");
165 }
166
167 const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
168
169 secure_vector<word> ws;
170
171 const Montgomery_Int one(params_p, params_p->R1(), false);
172 //const Montgomery_Int one(params_p, 1);
173
174 const Montgomery_Int x1(params_p, x_bn);
175 const Montgomery_Int x2 = x1.square(ws);
176 const Montgomery_Int x3 = x2.mul(x1, ws);
177
178 const Montgomery_Int y1(params_p, y_bn);
179 const Montgomery_Int y2 = y1.square(ws);
180 const Montgomery_Int y3 = y2.mul(y1, ws);
181
182 const Montgomery_Int y1x1 = y1.mul(x1, ws);
183 const Montgomery_Int y1x2 = y1.mul(x2, ws);
184 const Montgomery_Int y1x3 = y1.mul(x3, ws);
185
186 const Montgomery_Int y2x1 = y2.mul(x1, ws);
187 const Montgomery_Int y2x2 = y2.mul(x2, ws);
188 const Montgomery_Int y2x3 = y2.mul(x3, ws);
189
190 const Montgomery_Int y3x1 = y3.mul(x1, ws);
191 const Montgomery_Int y3x2 = y3.mul(x2, ws);
192 const Montgomery_Int y3x3 = y3.mul(x3, ws);
193
194 const Montgomery_Int* M[16] = {&one,
195 &x1, // 0001
196 &x2, // 0010
197 &x3, // 0011
198 &y1, // 0100
199 &y1x1,
200 &y1x2,
201 &y1x3,
202 &y2, // 1000
203 &y2x1,
204 &y2x2,
205 &y2x3,
206 &y3, // 1100
207 &y3x1,
208 &y3x2,
209 &y3x3};
210
211 Montgomery_Int H = one;
212
213 for(size_t i = 0; i != z_bits; i += 2) {
214 if(i > 0) {
215 H.square_this(ws);
216 H.square_this(ws);
217 }
218
219 const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
220 const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
221
222 const uint32_t z12 = (4 * z2_b) + z1_b;
223
224 H.mul_by(*M[z12], ws);
225 }
226
227 return H.value();
228}
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:222

References Botan::BigInt::bits(), Botan::BigInt::get_substring(), Botan::BigInt::is_negative(), monty_multi_exp(), Botan::Montgomery_Int::mul(), Botan::Montgomery_Int::mul_by(), round_up(), Botan::Montgomery_Int::square(), Botan::Montgomery_Int::square_this(), and Botan::Montgomery_Int::value().

Referenced by monty_multi_exp(), and Botan::DL_Group::multi_exponentiate().

◆ monty_precompute()

std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute ( const std::shared_ptr< const Montgomery_Params > & params,
const BigInt & g,
size_t window_bits,
bool const_time )

Definition at line 145 of file monty_exp.cpp.

146 {
147 return std::make_shared<const Montgomery_Exponentation_State>(params, g, window_bits, const_time);
148}

References monty_precompute().

Referenced by monty_exp(), monty_exp_vartime(), monty_precompute(), and passes_miller_rabin_test().

◆ mul64x64_128()

void Botan::mul64x64_128 ( uint64_t a,
uint64_t b,
uint64_t * lo,
uint64_t * hi )
inline

Perform a 64x64->128 bit multiplication

Definition at line 29 of file mul128.h.

29 {
30#if defined(BOTAN_TARGET_HAS_NATIVE_UINT128)
31
32 const uint128_t r = static_cast<uint128_t>(a) * b;
33 *hi = (r >> 64) & 0xFFFFFFFFFFFFFFFF;
34 *lo = (r)&0xFFFFFFFFFFFFFFFF;
35
36#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_X86_64)
37 *lo = _umul128(a, b, hi);
38
39#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_ARM64)
40 *lo = a * b;
41 *hi = __umulh(a, b);
42
43#elif defined(BOTAN_USE_GCC_INLINE_ASM) && defined(BOTAN_TARGET_ARCH_IS_X86_64)
44 asm("mulq %3" : "=d"(*hi), "=a"(*lo) : "a"(a), "rm"(b) : "cc");
45
46#elif defined(BOTAN_USE_GCC_INLINE_ASM) && defined(BOTAN_TARGET_ARCH_IS_PPC64)
47 asm("mulhdu %0,%1,%2" : "=r"(*hi) : "r"(a), "r"(b) : "cc");
48 *lo = a * b;
49
50#else
51
52 /*
53 * Do a 64x64->128 multiply using four 32x32->64 multiplies plus
54 * some adds and shifts. Last resort for CPUs like UltraSPARC (with
55 * 64-bit registers/ALU, but no 64x64->128 multiply) or 32-bit CPUs.
56 */
57 const size_t HWORD_BITS = 32;
58 const uint32_t HWORD_MASK = 0xFFFFFFFF;
59
60 const uint32_t a_hi = (a >> HWORD_BITS);
61 const uint32_t a_lo = (a & HWORD_MASK);
62 const uint32_t b_hi = (b >> HWORD_BITS);
63 const uint32_t b_lo = (b & HWORD_MASK);
64
65 uint64_t x0 = static_cast<uint64_t>(a_hi) * b_hi;
66 uint64_t x1 = static_cast<uint64_t>(a_lo) * b_hi;
67 uint64_t x2 = static_cast<uint64_t>(a_hi) * b_lo;
68 uint64_t x3 = static_cast<uint64_t>(a_lo) * b_lo;
69
70 // this cannot overflow as (2^32-1)^2 + 2^32-1 < 2^64-1
71 x2 += x3 >> HWORD_BITS;
72
73 // this one can overflow
74 x2 += x1;
75
76 // propagate the carry if any
77 x0 += static_cast<uint64_t>(static_cast<bool>(x2 < x1)) << HWORD_BITS;
78
79 *hi = x0 + (x2 >> HWORD_BITS);
80 *lo = ((x2 & HWORD_MASK) << HWORD_BITS) + (x3 & HWORD_MASK);
81#endif
82}

Referenced by operator*(), word_madd2(), and word_madd3().

◆ multi_exponentiate()

EC_Point Botan::multi_exponentiate ( const EC_Point & p1,
const BigInt & z1,
const EC_Point & p2,
const BigInt & z2 )

ECC point multiexponentiation - not constant time!

Parameters
p1a point
z1a scalar
p2a point
z2a scalar
Returns
(p1 * z1 + p2 * z2)

Definition at line 24 of file point_mul.cpp.

24 {
26 return xy_mul.multi_exp(z1, z2);
27}

References Botan::EC_Point_Multi_Point_Precompute::multi_exp().

◆ multimap_insert()

template<typename K , typename V >
void Botan::multimap_insert ( std::multimap< K, V > & multimap,
const K & key,
const V & value )

Definition at line 109 of file stl_util.h.

109 {
110 multimap.insert(std::make_pair(key, value));
111}

Referenced by Botan::AlternativeName::add_othername(), Botan::X509_DN::contents(), Botan::AlternativeName::contents(), and Botan::X509_DN::get_attributes().

◆ nist_key_unwrap()

secure_vector< uint8_t > Botan::nist_key_unwrap ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 116 of file nist_keywrap.cpp.

116 {
117 if(bc.block_size() != 16) {
118 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
119 }
120
121 if(input_len < 16 || input_len % 8 != 0) {
122 throw Invalid_Argument("Bad input size for NIST key unwrap");
123 }
124
125 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
126
127 uint64_t ICV_out = 0;
128 secure_vector<uint8_t> R;
129
130 if(input_len == 16) {
131 secure_vector<uint8_t> block(input, input + input_len);
132 bc.decrypt(block);
133
134 ICV_out = load_be<uint64_t>(block.data(), 0);
135 R.resize(8);
136 copy_mem(R.data(), block.data() + 8, 8);
137 } else {
138 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
139 }
140
141 if(ICV_out != ICV) {
142 throw Invalid_Authentication_Tag("NIST key unwrap failed");
143 }
144
145 return R;
146}
void decrypt(const uint8_t in[], uint8_t out[]) const
virtual size_t block_size() const =0

References Botan::BlockCipher::block_size(), copy_mem(), and Botan::BlockCipher::decrypt().

Referenced by botan_nist_kw_dec(), and rfc3394_keyunwrap().

◆ nist_key_unwrap_padded()

secure_vector< uint8_t > Botan::nist_key_unwrap_padded ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 169 of file nist_keywrap.cpp.

169 {
170 if(bc.block_size() != 16) {
171 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
172 }
173
174 if(input_len < 16 || input_len % 8 != 0) {
175 throw Invalid_Argument("Bad input size for NIST key unwrap");
176 }
177
178 uint64_t ICV_out = 0;
179 secure_vector<uint8_t> R;
180
181 if(input_len == 16) {
182 secure_vector<uint8_t> block(input, input + input_len);
183 bc.decrypt(block);
184
185 ICV_out = load_be<uint64_t>(block.data(), 0);
186 R.resize(8);
187 copy_mem(R.data(), block.data() + 8, 8);
188 } else {
189 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
190 }
191
192 if((ICV_out >> 32) != 0xA65959A6) {
193 throw Invalid_Authentication_Tag("NIST key unwrap failed");
194 }
195
196 const size_t len = (ICV_out & 0xFFFFFFFF);
197
198 if(R.size() < 8 || len > R.size() || len <= R.size() - 8) {
199 throw Invalid_Authentication_Tag("NIST key unwrap failed");
200 }
201
202 const size_t padding = R.size() - len;
203
204 for(size_t i = 0; i != padding; ++i) {
205 if(R[R.size() - i - 1] != 0) {
206 throw Invalid_Authentication_Tag("NIST key unwrap failed");
207 }
208 }
209
210 R.resize(R.size() - padding);
211
212 return R;
213}

References Botan::BlockCipher::block_size(), copy_mem(), and Botan::BlockCipher::decrypt().

Referenced by botan_nist_kw_dec(), Botan::Encrypted_PSK_Database::get(), and Botan::Encrypted_PSK_Database::list_names().

◆ nist_key_wrap()

std::vector< uint8_t > Botan::nist_key_wrap ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )

Key wrap. See RFC 3394 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input, must be a multiple of 8
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 90 of file nist_keywrap.cpp.

90 {
91 if(bc.block_size() != 16) {
92 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
93 }
94
95 if(input_len % 8 != 0) {
96 throw Invalid_Argument("Bad input size for NIST key wrap");
97 }
98
99 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
100
101 if(input_len == 8) {
102 /*
103 * Special case for small inputs: if input == 8 bytes just use ECB
104 * (see RFC 3394 Section 2)
105 */
106 std::vector<uint8_t> block(16);
107 store_be(ICV, block.data());
108 copy_mem(block.data() + 8, input, input_len);
109 bc.encrypt(block);
110 return block;
111 } else {
112 return raw_nist_key_wrap(input, input_len, bc, ICV);
113 }
114}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by botan_nist_kw_enc(), and rfc3394_keywrap().

◆ nist_key_wrap_padded()

std::vector< uint8_t > Botan::nist_key_wrap_padded ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )

KWP (key wrap with padding). See RFC 5649 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 148 of file nist_keywrap.cpp.

148 {
149 if(bc.block_size() != 16) {
150 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
151 }
152
153 const uint64_t ICV = 0xA65959A600000000 | static_cast<uint32_t>(input_len);
154
155 if(input_len <= 8) {
156 /*
157 * Special case for small inputs: if input <= 8 bytes just use ECB
158 */
159 std::vector<uint8_t> block(16);
160 store_be(ICV, block.data());
161 copy_mem(block.data() + 8, input, input_len);
162 bc.encrypt(block);
163 return block;
164 } else {
165 return raw_nist_key_wrap(input, input_len, bc, ICV);
166 }
167}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by botan_nist_kw_enc(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), and Botan::Encrypted_PSK_Database::set().

◆ oaep_find_delim()

secure_vector< uint8_t > BOTAN_TEST_API Botan::oaep_find_delim ( uint8_t & valid_mask,
const uint8_t input[],
size_t input_len,
const secure_vector< uint8_t > & Phash )

Definition at line 88 of file oaep.cpp.

91 {
92 const size_t hlen = Phash.size();
93
94 // Too short to be valid, reject immediately
95 if(input_len < 1 + 2 * hlen) {
97 }
98
99 CT::poison(input, input_len);
100
101 size_t delim_idx = 2 * hlen;
102 CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set();
103 CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
104
105 for(size_t i = delim_idx; i < input_len; ++i) {
106 const auto zero_m = CT::Mask<uint8_t>::is_zero(input[i]);
107 const auto one_m = CT::Mask<uint8_t>::is_equal(input[i], 1);
108
109 const auto add_m = waiting_for_delim & zero_m;
110
111 bad_input_m |= waiting_for_delim & ~(zero_m | one_m);
112
113 delim_idx += add_m.if_set_return(1);
114
115 waiting_for_delim &= zero_m;
116 }
117
118 // If we never saw any non-zero byte, then it's not valid input
119 bad_input_m |= waiting_for_delim;
120
121 // If the P hash is wrong, then it's not valid
122 bad_input_m |= CT::is_not_equal(&input[hlen], Phash.data(), hlen);
123
124 delim_idx += 1;
125
126 valid_mask = (~bad_input_m).unpoisoned_value();
127 auto output = CT::copy_output(bad_input_m, input, input_len, delim_idx);
128
129 CT::unpoison(input, input_len);
130
131 return output;
132}

References Botan::CT::Mask< T >::cleared(), Botan::CT::copy_output(), Botan::CT::Mask< T >::is_equal(), Botan::CT::is_not_equal(), Botan::CT::Mask< T >::is_zero(), Botan::CT::poison(), Botan::CT::Mask< T >::set(), and Botan::CT::unpoison().

◆ operator!=() [1/13]

bool Botan::operator!= ( const AlgorithmIdentifier & a1,
const AlgorithmIdentifier & a2 )

Definition at line 69 of file alg_id.cpp.

69 {
70 return !(a1 == a2);
71}

◆ operator!=() [2/13]

bool Botan::operator!= ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 264 of file asn1_time.cpp.

264 {
265 return (t1.cmp(t2) != 0);
266}
int32_t cmp(const ASN1_Time &other) const
Compare this time against another.

References Botan::ASN1_Time::cmp().

◆ operator!=() [3/13]

bool Botan::operator!= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 995 of file bigint.h.

995 {
996 return !a.is_equal(b);
997}
bool is_equal(const BigInt &n) const
Definition bigint.cpp:163

References Botan::BigInt::is_equal().

◆ operator!=() [4/13]

bool Botan::operator!= ( const BigInt & a,
word b )
inline

Definition at line 1019 of file bigint.h.

1019 {
1020 return (a.cmp_word(b) != 0);
1021}
int32_t cmp_word(word n) const
Definition bigint.cpp:129

References Botan::BigInt::cmp_word().

◆ operator!=() [5/13]

bool Botan::operator!= ( const CRL_Entry & ,
const CRL_Entry &  )

Test two CRL entries for inequality in at least one field.

Definition at line 58 of file crl_ent.cpp.

58 {
59 return !(a1 == a2);
60}

◆ operator!=() [6/13]

bool Botan::operator!= ( const CurveGFp & lhs,
const CurveGFp & rhs )
inline

Definition at line 203 of file curve_gfp.h.

203 {
204 return !(lhs == rhs);
205}

◆ operator!=() [7/13]

bool Botan::operator!= ( const EC_Group & lhs,
const EC_Group & rhs )
inline

Definition at line 402 of file ec_group.h.

402 {
403 return !(lhs == rhs);
404}

◆ operator!=() [8/13]

bool Botan::operator!= ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 352 of file ec_point.h.

352 {
353 return !(rhs == lhs);
354}

◆ operator!=() [9/13]

bool Botan::operator!= ( const OctetString & x,
const OctetString & y )

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is not equal to y

Definition at line 92 of file symkey.cpp.

92 {
93 return !(s1 == s2);
94}

◆ operator!=() [10/13]

bool Botan::operator!= ( const OID & a,
const OID & b )
inline

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is not equal to b

Definition at line 326 of file asn1_obj.h.

326 {
327 return !(a == b);
328}

◆ operator!=() [11/13]

template<typename T , typename U >
bool Botan::operator!= ( const secure_allocator< T > & ,
const secure_allocator< U > &  )
inline

Definition at line 56 of file secmem.h.

56 {
57 return false;
58}

◆ operator!=() [12/13]

bool Botan::operator!= ( const X509_Certificate & cert1,
const X509_Certificate & cert2 )

Check two certificates for inequality

Parameters
cert1The first certificate
cert2The second certificate
Returns
true if the arguments represent different certificates, false if they are binary identical

Definition at line 633 of file x509cert.cpp.

633 {
634 return !(cert1 == cert2);
635}

◆ operator!=() [13/13]

bool Botan::operator!= ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 256 of file x509_dn.cpp.

256 {
257 return !(dn1 == dn2);
258}

◆ operator%() [1/2]

BigInt Botan::operator% ( const BigInt & n,
const BigInt & mod )

Definition at line 122 of file big_ops3.cpp.

122 {
123 if(mod.is_zero()) {
124 throw Invalid_Argument("BigInt::operator% divide by zero");
125 }
126 if(mod.is_negative()) {
127 throw Invalid_Argument("BigInt::operator% modulus must be > 0");
128 }
129 if(n.is_positive() && mod.is_positive() && n < mod) {
130 return n;
131 }
132
133 if(mod.sig_words() == 1) {
134 return BigInt::from_word(n % mod.word_at(0));
135 }
136
137 BigInt q, r;
138 vartime_divide(n, mod, q, r);
139 return r;
140}
bool is_positive() const
Definition bigint.h:534
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:155

References Botan::BigInt::from_word(), Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

◆ operator%() [2/2]

word Botan::operator% ( const BigInt & n,
word mod )

Definition at line 145 of file big_ops3.cpp.

145 {
146 if(mod == 0) {
147 throw Invalid_Argument("BigInt::operator% divide by zero");
148 }
149
150 if(mod == 1) {
151 return 0;
152 }
153
154 word remainder = 0;
155
156 if(is_power_of_2(mod)) {
157 remainder = (n.word_at(0) & (mod - 1));
158 } else {
159 const size_t sw = n.sig_words();
160 for(size_t i = sw; i > 0; --i) {
161 remainder = bigint_modop_vartime(remainder, n.word_at(i - 1), mod);
162 }
163 }
164
165 if(remainder && n.sign() == BigInt::Negative) {
166 return mod - remainder;
167 }
168 return remainder;
169}
Sign sign() const
Definition bigint.h:540
word bigint_modop_vartime(word n1, word n0, word d)
Definition mp_core.h:697
constexpr bool is_power_of_2(T arg)
Definition bit_ops.h:45

References bigint_modop_vartime(), is_power_of_2(), Botan::BigInt::Negative, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::word_at().

◆ operator&() [1/4]

ECIES_Flags Botan::operator& ( ECIES_Flags a,
ECIES_Flags b )
inline

Definition at line 49 of file ecies.h.

49 {
50 return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) & static_cast<uint32_t>(b));
51}
ECIES_Flags
Definition ecies.h:27

◆ operator&() [2/4]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator& ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 306 of file strong_type.h.

306 {
307 return Strong<T, Tags...>(a.get() & b.get());
308}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator&() [3/4]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator& ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 301 of file strong_type.h.

301 {
302 return Strong<T1, Tags...>(a.get() & b);
303}

References Botan::detail::Strong_Base< T >::get().

◆ operator&() [4/4]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator& ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 295 of file strong_type.h.

295 {
296 return Strong<T2, Tags...>(a & b.get());
297}

References Botan::detail::Strong_Base< T >::get().

◆ operator&=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator&= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 434 of file strong_type.h.

434 {
435 a.get() &= b.get();
436 return a;
437}

References Botan::detail::Strong_Base< T >::get().

◆ operator&=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator&= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 428 of file strong_type.h.

428 {
429 a.get() &= b;
430 return a;
431}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [1/10]

EC_Point Botan::operator* ( const BigInt & scalar,
const EC_Point & point )

Point multiplication operator

Parameters
scalarthe scalar value
pointthe point value
Returns
scalar*point on the curve

Definition at line 363 of file ec_point.cpp.

363 {
365
366 const size_t scalar_bits = scalar.bits();
367
368 std::vector<BigInt> ws(EC_Point::WORKSPACE_SIZE);
369
370 EC_Point R[2] = {point.zero(), point};
371
372 for(size_t i = scalar_bits; i > 0; i--) {
373 const size_t b = scalar.get_bit(i - 1);
374 R[b ^ 1].add(R[b], ws);
375 R[b].mult2(ws);
376 }
377
378 if(scalar.is_negative()) {
379 R[0].negate();
380 }
381
382 BOTAN_DEBUG_ASSERT(R[0].on_the_curve());
383
384 return R[0];
385}
EC_Point & negate()
Definition ec_point.h:115
void add(const EC_Point &other, std::vector< BigInt > &workspace)
Definition ec_point.h:216
void mult2(std::vector< BigInt > &workspace)
Definition ec_point.cpp:256
bool on_the_curve() const
Definition ec_point.cpp:510
EC_Point zero() const
Definition ec_point.h:317

References Botan::EC_Point::add(), Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::EC_Point::mult2(), Botan::EC_Point::negate(), Botan::EC_Point::on_the_curve(), Botan::EC_Point::WORKSPACE_SIZE, and Botan::EC_Point::zero().

◆ operator*() [2/10]

BigInt Botan::operator* ( const BigInt & x,
const BigInt & y )

Definition at line 46 of file big_ops3.cpp.

46 {
47 const size_t x_sw = x.sig_words();
48 const size_t y_sw = y.sig_words();
49
50 BigInt z = BigInt::with_capacity(x.size() + y.size());
51
52 if(x_sw == 1 && y_sw) {
53 bigint_linmul3(z.mutable_data(), y.data(), y_sw, x.word_at(0));
54 } else if(y_sw == 1 && x_sw) {
55 bigint_linmul3(z.mutable_data(), x.data(), x_sw, y.word_at(0));
56 } else if(x_sw && y_sw) {
57 secure_vector<word> workspace(z.size());
58
60 z.size(),
61 x.data(),
62 x.size(),
63 x_sw,
64 y.data(),
65 y.size(),
66 y_sw,
67 workspace.data(),
68 workspace.size());
69 }
70
71 z.cond_flip_sign(x_sw > 0 && y_sw > 0 && x.sign() != y.sign());
72
73 return z;
74}
word * mutable_data()
Definition bigint.h:609
size_t size() const
Definition bigint.h:578
void cond_flip_sign(bool predicate)
Definition bigint.cpp:475
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:282

References bigint_linmul3(), bigint_mul(), Botan::BigInt::cond_flip_sign(), Botan::BigInt::data(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::size(), Botan::BigInt::with_capacity(), and Botan::BigInt::word_at().

◆ operator*() [3/10]

BigInt Botan::operator* ( const BigInt & x,
word y )

Definition at line 79 of file big_ops3.cpp.

79 {
80 const size_t x_sw = x.sig_words();
81
82 BigInt z = BigInt::with_capacity(x_sw + 1);
83
84 if(x_sw && y) {
85 bigint_linmul3(z.mutable_data(), x.data(), x_sw, y);
86 z.set_sign(x.sign());
87 }
88
89 return z;
90}
void set_sign(Sign sign)
Definition bigint.h:561

References bigint_linmul3(), Botan::BigInt::data(), Botan::BigInt::mutable_data(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().

◆ operator*() [4/10]

donna128 Botan::operator* ( const donna128 & x,
uint64_t y )
inline

Definition at line 77 of file donna128.h.

77 {
78 BOTAN_ARG_CHECK(x.hi() == 0, "High 64 bits of donna128 set to zero during multiply");
79
80 uint64_t lo = 0, hi = 0;
81 mul64x64_128(x.lo(), y, &lo, &hi);
82 return donna128(lo, hi);
83}
uint64_t hi() const
Definition donna128.h:71
void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition mul128.h:29

References BOTAN_ARG_CHECK, Botan::donna128::hi(), Botan::donna128::lo(), and mul64x64_128().

◆ operator*() [5/10]

EC_Point Botan::operator* ( const EC_Point & point,
const BigInt & scalar )
inline

Definition at line 371 of file ec_point.h.

371 {
372 return scalar * point;
373}

◆ operator*() [6/10]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator* ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 255 of file strong_type.h.

255 {
256 return Strong<T, Tags...>(a.get() * b.get());
257}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator*() [7/10]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator* ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 250 of file strong_type.h.

250 {
251 return Strong<T1, Tags...>(a.get() * b);
252}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [8/10]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator* ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 244 of file strong_type.h.

244 {
245 return Strong<T2, Tags...>(a * b.get());
246}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [9/10]

donna128 Botan::operator* ( uint64_t y,
const donna128 & x )
inline

Definition at line 85 of file donna128.h.

85 {
86 return x * y;
87}

◆ operator*() [10/10]

BigInt Botan::operator* ( word x,
const BigInt & y )
inline

Definition at line 977 of file bigint.h.

977 {
978 return y * x;
979}

◆ operator*=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator*= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 395 of file strong_type.h.

395 {
396 a.get() *= b.get();
397 return a;
398}

References Botan::detail::Strong_Base< T >::get().

◆ operator*=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator*= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 389 of file strong_type.h.

389 {
390 a.get() *= b;
391 return a;
392}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [1/10]

BigInt Botan::operator+ ( const BigInt & x,
const BigInt & y )
inline

Definition at line 954 of file bigint.h.

954 {
955 return BigInt::add2(x, y.data(), y.sig_words(), y.sign());
956}

References Botan::BigInt::add2(), Botan::BigInt::data(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().

◆ operator+() [2/10]

BigInt Botan::operator+ ( const BigInt & x,
word y )
inline

Definition at line 958 of file bigint.h.

958 {
959 return BigInt::add2(x, &y, 1, BigInt::Positive);
960}

References Botan::BigInt::add2(), and Botan::BigInt::Positive.

◆ operator+() [3/10]

donna128 Botan::operator+ ( const donna128 & x,
const donna128 & y )
inline

Definition at line 89 of file donna128.h.

89 {
90 donna128 z = x;
91 z += y;
92 return z;
93}

◆ operator+() [4/10]

donna128 Botan::operator+ ( const donna128 & x,
uint64_t y )
inline

Definition at line 95 of file donna128.h.

95 {
96 donna128 z = x;
97 z += y;
98 return z;
99}

◆ operator+() [5/10]

EC_Point Botan::operator+ ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 361 of file ec_point.h.

361 {
362 EC_Point tmp(lhs);
363 return tmp += rhs;
364}

◆ operator+() [6/10]

OctetString Botan::operator+ ( const OctetString & x,
const OctetString & y )

Concatenate two strings

Parameters
xan octet string
yan octet string
Returns
x concatenated with y

Definition at line 99 of file symkey.cpp.

99 {
101 out += k1.bits_of();
102 out += k2.bits_of();
103 return OctetString(out);
104}

References Botan::OctetString::bits_of(), and OctetString.

◆ operator+() [7/10]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator+ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 221 of file strong_type.h.

221 {
222 return Strong<T, Tags...>(a.get() + b.get());
223}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator+() [8/10]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator+ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 216 of file strong_type.h.

216 {
217 return Strong<T1, Tags...>(a.get() + b);
218}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [9/10]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator+ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 210 of file strong_type.h.

210 {
211 return Strong<T2, Tags...>(a + b.get());
212}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [10/10]

BigInt Botan::operator+ ( word x,
const BigInt & y )
inline

Definition at line 962 of file bigint.h.

962 {
963 return y + x;
964}

◆ operator++() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator++ ( Strong< T, Tags... > & a)
constexpr

Definition at line 486 of file strong_type.h.

486 {
487 ++a.get();
488 return a;
489}

References Botan::detail::Strong_Base< T >::get().

◆ operator++() [2/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator++ ( Strong< T, Tags... > & a,
int  )
constexpr

Definition at line 479 of file strong_type.h.

479 {
480 auto tmp = a;
481 ++a.get();
482 return tmp;
483}

References Botan::detail::Strong_Base< T >::get().

Referenced by generate_dsa_primes().

◆ operator+=() [1/6]

template<typename T , typename Alloc , typename L >
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::pair< const T *, L > & in )

Definition at line 92 of file secmem.h.

92 {
93 out.insert(out.end(), in.first, in.first + in.second);
94 return out;
95}

◆ operator+=() [2/6]

template<typename T , typename Alloc , typename L >
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::pair< T *, L > & in )

Definition at line 98 of file secmem.h.

98 {
99 out.insert(out.end(), in.first, in.first + in.second);
100 return out;
101}

◆ operator+=() [3/6]

template<typename T , typename Alloc , typename Alloc2 >
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::vector< T, Alloc2 > & in )

Definition at line 80 of file secmem.h.

80 {
81 out.insert(out.end(), in.begin(), in.end());
82 return out;
83}

◆ operator+=() [4/6]

template<typename T , typename Alloc >
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
T in )

Definition at line 86 of file secmem.h.

86 {
87 out.push_back(in);
88 return out;
89}

◆ operator+=() [5/6]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator+= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 369 of file strong_type.h.

369 {
370 a.get() += b.get();
371 return a;
372}

References Botan::detail::Strong_Base< T >::get().

◆ operator+=() [6/6]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator+= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 363 of file strong_type.h.

363 {
364 a.get() += b;
365 return a;
366}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [1/7]

BigInt Botan::operator- ( const BigInt & x,
const BigInt & y )
inline

Definition at line 966 of file bigint.h.

966 {
967 return BigInt::add2(x, y.data(), y.sig_words(), y.reverse_sign());
968}
Sign reverse_sign() const
Definition bigint.h:545

References Botan::BigInt::add2(), Botan::BigInt::data(), Botan::BigInt::reverse_sign(), and Botan::BigInt::sig_words().

◆ operator-() [2/7]

BigInt Botan::operator- ( const BigInt & x,
word y )
inline

Definition at line 970 of file bigint.h.

970 {
971 return BigInt::add2(x, &y, 1, BigInt::Negative);
972}

References Botan::BigInt::add2(), and Botan::BigInt::Negative.

◆ operator-() [3/7]

EC_Point Botan::operator- ( const EC_Point & lhs)
inline

Definition at line 357 of file ec_point.h.

357 {
358 return EC_Point(lhs).negate();
359}

References Botan::EC_Point::negate().

◆ operator-() [4/7]

EC_Point Botan::operator- ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 366 of file ec_point.h.

366 {
367 EC_Point tmp(lhs);
368 return tmp -= rhs;
369}

◆ operator-() [5/7]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator- ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 238 of file strong_type.h.

238 {
239 return Strong<T, Tags...>(a.get() - b.get());
240}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator-() [6/7]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator- ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 233 of file strong_type.h.

233 {
234 return Strong<T1, Tags...>(a.get() - b);
235}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [7/7]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator- ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 227 of file strong_type.h.

227 {
228 return Strong<T2, Tags...>(a - b.get());
229}

References Botan::detail::Strong_Base< T >::get().

◆ operator--() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator-- ( Strong< T, Tags... > & a)
constexpr

Definition at line 499 of file strong_type.h.

499 {
500 --a.get();
501 return a;
502}

References Botan::detail::Strong_Base< T >::get().

◆ operator--() [2/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator-- ( Strong< T, Tags... > & a,
int  )
constexpr

Definition at line 492 of file strong_type.h.

492 {
493 auto tmp = a;
494 --a.get();
495 return tmp;
496}

References Botan::detail::Strong_Base< T >::get().

◆ operator-=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator-= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 382 of file strong_type.h.

382 {
383 a.get() -= b.get();
384 return a;
385}

References Botan::detail::Strong_Base< T >::get().

◆ operator-=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator-= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 376 of file strong_type.h.

376 {
377 a.get() -= b;
378 return a;
379}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [1/5]

BigInt Botan::operator/ ( const BigInt & x,
const BigInt & y )

Definition at line 95 of file big_ops3.cpp.

95 {
96 if(y.sig_words() == 1) {
97 return x / y.word_at(0);
98 }
99
100 BigInt q, r;
101 vartime_divide(x, y, q, r);
102 return q;
103}

References Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

◆ operator/() [2/5]

BigInt Botan::operator/ ( const BigInt & x,
word y )

Definition at line 108 of file big_ops3.cpp.

108 {
109 if(y == 0) {
110 throw Invalid_Argument("BigInt::operator/ divide by zero");
111 }
112
113 BigInt q;
114 word r;
115 ct_divide_word(x, y, q, r);
116 return q;
117}

References ct_divide_word().

◆ operator/() [3/5]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator/ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 272 of file strong_type.h.

272 {
273 return Strong<T, Tags...>(a.get() / b.get());
274}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator/() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator/ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 267 of file strong_type.h.

267 {
268 return Strong<T1, Tags...>(a.get() / b);
269}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator/ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 261 of file strong_type.h.

261 {
262 return Strong<T2, Tags...>(a / b.get());
263}

References Botan::detail::Strong_Base< T >::get().

◆ operator/=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator/= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 408 of file strong_type.h.

408 {
409 a.get() /= b.get();
410 return a;
411}

References Botan::detail::Strong_Base< T >::get().

◆ operator/=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator/= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 402 of file strong_type.h.

402 {
403 a.get() /= b;
404 return a;
405}

References Botan::detail::Strong_Base< T >::get().

◆ operator<() [1/5]

bool Botan::operator< ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 276 of file asn1_time.cpp.

276 {
277 return (t1.cmp(t2) < 0);
278}

References Botan::ASN1_Time::cmp().

◆ operator<() [2/5]

bool Botan::operator< ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1007 of file bigint.h.

1007 {
1008 return a.is_less_than(b);
1009}
bool is_less_than(const BigInt &n) const
Definition bigint.cpp:171

References Botan::BigInt::is_less_than().

◆ operator<() [3/5]

bool Botan::operator< ( const BigInt & a,
word b )
inline

Definition at line 1031 of file bigint.h.

1031 {
1032 return (a.cmp_word(b) < 0);
1033}

References Botan::BigInt::cmp_word().

◆ operator<() [4/5]

bool Botan::operator< ( const OID & a,
const OID & b )

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is lexicographically smaller than b

Definition at line 133 of file asn1_oid.cpp.

133 {
134 const std::vector<uint32_t>& oid1 = a.get_components();
135 const std::vector<uint32_t>& oid2 = b.get_components();
136
137 return std::lexicographical_compare(oid1.begin(), oid1.end(), oid2.begin(), oid2.end());
138}
const std::vector< uint32_t > & get_components() const
Definition asn1_obj.h:277

References Botan::OID::get_components().

◆ operator<() [5/5]

bool Botan::operator< ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 263 of file x509_dn.cpp.

263 {
264 auto attr1 = dn1.get_attributes();
265 auto attr2 = dn2.get_attributes();
266
267 // If they are not the same size, choose the smaller as the "lessor"
268 if(attr1.size() < attr2.size()) {
269 return true;
270 }
271 if(attr1.size() > attr2.size()) {
272 return false;
273 }
274
275 // We know they are the same # of elements, now compare the OIDs:
276 auto p1 = attr1.begin();
277 auto p2 = attr2.begin();
278
279 while(p1 != attr1.end() && p2 != attr2.end()) {
280 if(p1->first != p2->first) {
281 return (p1->first < p2->first);
282 }
283
284 ++p1;
285 ++p2;
286 }
287
288 // We know this is true because maps have the same size
289 BOTAN_ASSERT_NOMSG(p1 == attr1.end());
290 BOTAN_ASSERT_NOMSG(p2 == attr2.end());
291
292 // Now we know all elements have the same OIDs, compare
293 // their string values:
294
295 p1 = attr1.begin();
296 p2 = attr2.begin();
297 while(p1 != attr1.end() && p2 != attr2.end()) {
298 BOTAN_DEBUG_ASSERT(p1->first == p2->first);
299
300 // They may be binary different but same by X.500 rules, check this
301 if(!x500_name_cmp(p1->second, p2->second)) {
302 // If they are not (by X.500) the same string, pick the
303 // lexicographic first as the lessor
304 return (p1->second < p2->second);
305 }
306
307 ++p1;
308 ++p2;
309 }
310
311 // if we reach here, then the DNs should be identical
312 BOTAN_DEBUG_ASSERT(dn1 == dn2);
313 return false;
314}
std::multimap< OID, std::string > get_attributes() const
Definition x509_dn.cpp:112

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, and Botan::X509_DN::get_attributes().

◆ operator<<() [1/12]

BigInt Botan::operator<< ( const BigInt & x,
size_t shift )

Definition at line 174 of file big_ops3.cpp.

174 {
175 const size_t shift_words = shift / BOTAN_MP_WORD_BITS, shift_bits = shift % BOTAN_MP_WORD_BITS;
176
177 const size_t x_sw = x.sig_words();
178
179 BigInt y = BigInt::with_capacity(x_sw + shift_words + (shift_bits ? 1 : 0));
180 bigint_shl2(y.mutable_data(), x.data(), x_sw, shift_words, shift_bits);
181 y.set_sign(x.sign());
182 return y;
183}
void bigint_shl2(word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
Definition mp_core.h:417

References bigint_shl2(), BOTAN_MP_WORD_BITS, Botan::BigInt::data(), Botan::BigInt::mutable_data(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().

◆ operator<<() [2/12]

int Botan::operator<< ( int out,
Pipe & pipe )

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outfile descriptor for an open output stream
pipethe pipe

Definition at line 18 of file fd_unix.cpp.

18 {
20 while(pipe.remaining()) {
21 size_t got = pipe.read(buffer.data(), buffer.size());
22 size_t position = 0;
23 while(got) {
24 ssize_t ret = ::write(fd, &buffer[position], got);
25 if(ret < 0) {
26 throw Stream_IO_Error("Pipe output operator (unixfd) has failed");
27 }
28
29 position += static_cast<size_t>(ret);
30 got -= static_cast<size_t>(ret);
31 }
32 }
33 return fd;
34}
size_t read(uint8_t output[], size_t length) override
Definition pipe_rw.cpp:79
size_t remaining(message_id msg=DEFAULT_MESSAGE) const
Definition pipe_rw.cpp:124
#define BOTAN_DEFAULT_BUFFER_SIZE
Definition build.h:385

References BOTAN_DEFAULT_BUFFER_SIZE, Botan::Pipe::read(), and Botan::Pipe::remaining().

◆ operator<<() [3/12]

std::ostream & Botan::operator<< ( std::ostream & os,
const GeneralName & gn )

Definition at line 180 of file name_constraint.cpp.

180 {
181 os << gn.type() << ":" << gn.name();
182 return os;
183}
const std::string & type() const
Definition pkix_types.h:209
const std::string & name() const
Definition pkix_types.h:214

References Botan::GeneralName::name(), and Botan::GeneralName::type().

◆ operator<<() [4/12]

std::ostream & Botan::operator<< ( std::ostream & os,
const GeneralSubtree & gs )

Definition at line 217 of file name_constraint.cpp.

217 {
218 os << gs.minimum() << "," << gs.maximum() << "," << gs.base();
219 return os;
220}
size_t maximum() const
Definition pkix_types.h:279
size_t minimum() const
Definition pkix_types.h:274
const GeneralName & base() const
Definition pkix_types.h:269

References Botan::GeneralSubtree::base(), Botan::GeneralSubtree::maximum(), and Botan::GeneralSubtree::minimum().

◆ operator<<() [5/12]

template<typename T , typename... Tags>
requires (concepts::streamable<T>)
decltype(auto) Botan::operator<< ( std::ostream & os,
const Strong< T, Tags... > & v )

Definition at line 171 of file strong_type.h.

172 {
173 return os << v.get();
174}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [6/12]

std::ostream & Botan::operator<< ( std::ostream & out,
const OID & oid )

Definition at line 140 of file asn1_oid.cpp.

140 {
141 const auto& val = oid.get_components();
142
143 for(size_t i = 0; i != val.size(); ++i) {
144 // avoid locale issues with integer formatting
145 out << std::to_string(val[i]);
146 if(i != val.size() - 1) {
147 out << ".";
148 }
149 }
150
151 return out;
152}

References Botan::OID::get_components().

◆ operator<<() [7/12]

std::ostream & Botan::operator<< ( std::ostream & out,
const X509_DN & dn )

Definition at line 408 of file x509_dn.cpp.

408 {
409 auto info = dn.dn_info();
410
411 for(size_t i = 0; i != info.size(); ++i) {
412 out << to_short_form(info[i].first) << "=\"";
413 for(char c : info[i].second.value()) {
414 if(c == '\\' || c == '\"') {
415 out << "\\";
416 }
417 out << c;
418 }
419 out << "\"";
420
421 if(i + 1 < info.size()) {
422 out << ",";
423 }
424 }
425 return out;
426}
const std::vector< std::pair< OID, ASN1_String > > & dn_info() const
Definition pkix_types.h:70

References Botan::X509_DN::dn_info().

◆ operator<<() [8/12]

std::ostream & Botan::operator<< ( std::ostream & out,
Pipe & pipe )

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outan output stream
pipethe pipe

Definition at line 19 of file pipe_io.cpp.

19 {
21 while(stream.good() && pipe.remaining()) {
22 const size_t got = pipe.read(buffer.data(), buffer.size());
23 stream.write(cast_uint8_ptr_to_char(buffer.data()), got);
24 }
25 if(!stream.good()) {
26 throw Stream_IO_Error("Pipe output operator (iostream) has failed");
27 }
28 return stream;
29}
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:276

References BOTAN_DEFAULT_BUFFER_SIZE, cast_uint8_ptr_to_char(), Botan::Pipe::read(), and Botan::Pipe::remaining().

◆ operator<<() [9/12]

std::ostream & Botan::operator<< ( std::ostream & stream,
const BigInt & n )

Definition at line 17 of file big_io.cpp.

17 {
18 const auto stream_flags = stream.flags();
19 if(stream_flags & std::ios::oct) {
20 throw Invalid_Argument("Octal output of BigInt not supported");
21 }
22
23 const size_t base = (stream_flags & std::ios::hex) ? 16 : 10;
24
25 std::string enc;
26
27 if(base == 10) {
28 enc = n.to_dec_string();
29 } else {
30 enc = n.to_hex_string();
31 }
32
33 stream.write(enc.data(), enc.size());
34
35 if(!stream.good()) {
36 throw Stream_IO_Error("BigInt output operator has failed");
37 }
38 return stream;
39}
std::string to_dec_string() const
Definition big_code.cpp:15
std::string to_hex_string() const
Definition big_code.cpp:85

References Botan::BigInt::to_dec_string(), and Botan::BigInt::to_hex_string().

◆ operator<<() [10/12]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator<< ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 357 of file strong_type.h.

357 {
358 return Strong<T, Tags...>(a.get() << b.get());
359}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator<<() [11/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator<< ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 352 of file strong_type.h.

352 {
353 return Strong<T1, Tags...>(a.get() << b);
354}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [12/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator<< ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 346 of file strong_type.h.

346 {
347 return Strong<T2, Tags...>(a << b.get());
348}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator<<= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 473 of file strong_type.h.

473 {
474 a.get() <<= b.get();
475 return a;
476}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator<<= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 467 of file strong_type.h.

467 {
468 a.get() <<= b;
469 return a;
470}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=() [1/3]

bool Botan::operator<= ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 268 of file asn1_time.cpp.

268 {
269 return (t1.cmp(t2) <= 0);
270}

References Botan::ASN1_Time::cmp().

◆ operator<=() [2/3]

bool Botan::operator<= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 999 of file bigint.h.

999 {
1000 return (a.cmp(b) <= 0);
1001}
int32_t cmp(const BigInt &n, bool check_signs=true) const
Definition bigint.cpp:145

References Botan::BigInt::cmp().

◆ operator<=() [3/3]

bool Botan::operator<= ( const BigInt & a,
word b )
inline

Definition at line 1023 of file bigint.h.

1023 {
1024 return (a.cmp_word(b) <= 0);
1025}

References Botan::BigInt::cmp_word().

◆ operator<=>() [1/3]

template<typename T , typename... Tags>
requires (std::three_way_comparable<T>)
auto Botan::operator<=> ( const Strong< T, Tags... > & lhs,
const Strong< T, Tags... > & rhs )

Definition at line 184 of file strong_type.h.

184 {
185 return lhs.get() <=> rhs.get();
186}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=>() [2/3]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator<=> ( Strong< T1, Tags... > a,
T2 b )

Definition at line 194 of file strong_type.h.

194 {
195 return a.get() <=> b;
196}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=>() [3/3]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator<=> ( T1 a,
Strong< T2, Tags... > b )

Definition at line 189 of file strong_type.h.

189 {
190 return a <=> b.get();
191}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [1/11]

bool Botan::operator== ( const AlgorithmIdentifier & a1,
const AlgorithmIdentifier & a2 )

Definition at line 54 of file alg_id.cpp.

54 {
55 if(a1.oid() != a2.oid()) {
56 return false;
57 }
58
59 /*
60 * Treat NULL and empty as equivalent
61 */
63 return true;
64 }
65
66 return (a1.parameters() == a2.parameters());
67}
bool parameters_are_null_or_empty() const
Definition asn1_obj.h:471
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:457

References Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), and Botan::AlgorithmIdentifier::parameters_are_null_or_empty().

◆ operator==() [2/11]

bool Botan::operator== ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 260 of file asn1_time.cpp.

260 {
261 return (t1.cmp(t2) == 0);
262}

References Botan::ASN1_Time::cmp().

◆ operator==() [3/11]

bool Botan::operator== ( const BigInt & a,
const BigInt & b )
inline

Definition at line 991 of file bigint.h.

991 {
992 return a.is_equal(b);
993}

References Botan::BigInt::is_equal().

◆ operator==() [4/11]

bool Botan::operator== ( const BigInt & a,
word b )
inline

Definition at line 1015 of file bigint.h.

1015 {
1016 return (a.cmp_word(b) == 0);
1017}

References Botan::BigInt::cmp_word().

◆ operator==() [5/11]

bool Botan::operator== ( const CRL_Entry & ,
const CRL_Entry &  )

Test two CRL entries for equality in all fields.

Definition at line 42 of file crl_ent.cpp.

42 {
43 if(a1.serial_number() != a2.serial_number()) {
44 return false;
45 }
46 if(a1.expire_time() != a2.expire_time()) {
47 return false;
48 }
49 if(a1.reason_code() != a2.reason_code()) {
50 return false;
51 }
52 return true;
53}
CRL_Code reason_code() const
Definition crl_ent.cpp:118
const X509_Time & expire_time() const
Definition crl_ent.cpp:114
const std::vector< uint8_t > & serial_number() const
Definition crl_ent.cpp:110

References Botan::CRL_Entry::expire_time(), Botan::CRL_Entry::reason_code(), and Botan::CRL_Entry::serial_number().

◆ operator==() [6/11]

bool Botan::operator== ( const OctetString & x,
const OctetString & y )

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is equal to y

Definition at line 85 of file symkey.cpp.

85 {
86 return (s1.bits_of() == s2.bits_of());
87}

References Botan::OctetString::bits_of().

◆ operator==() [7/11]

template<typename T , typename U >
bool Botan::operator== ( const secure_allocator< T > & ,
const secure_allocator< U > &  )
inline

Definition at line 51 of file secmem.h.

51 {
52 return true;
53}

◆ operator==() [8/11]

template<typename T , typename... Tags>
requires (std::equality_comparable<T>)
bool Botan::operator== ( const Strong< T, Tags... > & lhs,
const Strong< T, Tags... > & rhs )

Definition at line 178 of file strong_type.h.

178 {
179 return lhs.get() == rhs.get();
180}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [9/11]

bool Botan::operator== ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 220 of file x509_dn.cpp.

220 {
221 auto attr1 = dn1.get_attributes();
222 auto attr2 = dn2.get_attributes();
223
224 if(attr1.size() != attr2.size()) {
225 return false;
226 }
227
228 auto p1 = attr1.begin();
229 auto p2 = attr2.begin();
230
231 while(true) {
232 if(p1 == attr1.end() && p2 == attr2.end()) {
233 break;
234 }
235 if(p1 == attr1.end()) {
236 return false;
237 }
238 if(p2 == attr2.end()) {
239 return false;
240 }
241 if(p1->first != p2->first) {
242 return false;
243 }
244 if(!x500_name_cmp(p1->second, p2->second)) {
245 return false;
246 }
247 ++p1;
248 ++p2;
249 }
250 return true;
251}

References Botan::X509_DN::get_attributes().

◆ operator==() [10/11]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator== ( Strong< T1, Tags... > a,
T2 b )

Definition at line 204 of file strong_type.h.

204 {
205 return a.get() == b;
206}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [11/11]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator== ( T1 a,
Strong< T2, Tags... > b )

Definition at line 199 of file strong_type.h.

199 {
200 return a == b.get();
201}

References Botan::detail::Strong_Base< T >::get().

◆ operator>() [1/3]

bool Botan::operator> ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 280 of file asn1_time.cpp.

280 {
281 return (t1.cmp(t2) > 0);
282}

References Botan::ASN1_Time::cmp().

◆ operator>() [2/3]

bool Botan::operator> ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1011 of file bigint.h.

1011 {
1012 return b.is_less_than(a);
1013}

References Botan::BigInt::is_less_than().

◆ operator>() [3/3]

bool Botan::operator> ( const BigInt & a,
word b )
inline

Definition at line 1035 of file bigint.h.

1035 {
1036 return (a.cmp_word(b) > 0);
1037}

References Botan::BigInt::cmp_word().

◆ operator>=() [1/3]

bool Botan::operator>= ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 272 of file asn1_time.cpp.

272 {
273 return (t1.cmp(t2) >= 0);
274}

References Botan::ASN1_Time::cmp().

◆ operator>=() [2/3]

bool Botan::operator>= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1003 of file bigint.h.

1003 {
1004 return (a.cmp(b) >= 0);
1005}

References Botan::BigInt::cmp().

◆ operator>=() [3/3]

bool Botan::operator>= ( const BigInt & a,
word b )
inline

Definition at line 1027 of file bigint.h.

1027 {
1028 return (a.cmp_word(b) >= 0);
1029}

References Botan::BigInt::cmp_word().

◆ operator>>() [1/8]

BigInt Botan::operator>> ( const BigInt & x,
size_t shift )

Definition at line 188 of file big_ops3.cpp.

188 {
189 const size_t shift_words = shift / BOTAN_MP_WORD_BITS;
190 const size_t shift_bits = shift % BOTAN_MP_WORD_BITS;
191 const size_t x_sw = x.sig_words();
192
193 if(shift_words >= x_sw) {
194 return BigInt::zero();
195 }
196
197 BigInt y = BigInt::with_capacity(x_sw - shift_words);
198 bigint_shr2(y.mutable_data(), x.data(), x_sw, shift_words, shift_bits);
199
200 if(x.is_negative() && y.is_zero()) {
201 y.set_sign(BigInt::Positive);
202 } else {
203 y.set_sign(x.sign());
204 }
205
206 return y;
207}

References bigint_shr2(), BOTAN_MP_WORD_BITS, Botan::BigInt::data(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::with_capacity(), and Botan::BigInt::zero().

◆ operator>>() [2/8]

int Botan::operator>> ( int in,
Pipe & pipe )

File descriptor input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
infile descriptor for an open input stream
pipethe pipe

Definition at line 39 of file fd_unix.cpp.

39 {
41 while(true) {
42 ssize_t ret = ::read(fd, buffer.data(), buffer.size());
43 if(ret < 0) {
44 throw Stream_IO_Error("Pipe input operator (unixfd) has failed");
45 } else if(ret == 0) {
46 break;
47 }
48 pipe.write(buffer.data(), static_cast<size_t>(ret));
49 }
50 return fd;
51}
void write(const uint8_t in[], size_t length)
Definition pipe_rw.cpp:37

References BOTAN_DEFAULT_BUFFER_SIZE, and Botan::Pipe::write().

◆ operator>>() [3/8]

std::istream & Botan::operator>> ( std::istream & in,
Pipe & pipe )

Stream input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
inthe input stream
pipethe pipe

Definition at line 34 of file pipe_io.cpp.

34 {
36 while(stream.good()) {
37 stream.read(cast_uint8_ptr_to_char(buffer.data()), buffer.size());
38 const size_t got = static_cast<size_t>(stream.gcount());
39 pipe.write(buffer.data(), got);
40 }
41 if(stream.bad() || (stream.fail() && !stream.eof())) {
42 throw Stream_IO_Error("Pipe input operator (iostream) has failed");
43 }
44 return stream;
45}

References BOTAN_DEFAULT_BUFFER_SIZE, cast_uint8_ptr_to_char(), and Botan::Pipe::write().

◆ operator>>() [4/8]

std::istream & Botan::operator>> ( std::istream & in,
X509_DN & dn )

Definition at line 428 of file x509_dn.cpp.

428 {
429 in >> std::noskipws;
430 do {
431 std::string key;
432 std::string val;
433 char c;
434
435 while(in.good()) {
436 in >> c;
437
438 if(std::isspace(c) && key.empty()) {
439 continue;
440 } else if(!std::isspace(c)) {
441 key.push_back(c);
442 break;
443 } else {
444 break;
445 }
446 }
447
448 while(in.good()) {
449 in >> c;
450
451 if(!std::isspace(c) && c != '=') {
452 key.push_back(c);
453 } else if(c == '=') {
454 break;
455 } else {
456 throw Invalid_Argument("Ill-formed X.509 DN");
457 }
458 }
459
460 bool in_quotes = false;
461 while(in.good()) {
462 in >> c;
463
464 if(std::isspace(c)) {
465 if(!in_quotes && !val.empty()) {
466 break;
467 } else if(in_quotes) {
468 val.push_back(' ');
469 }
470 } else if(c == '"') {
471 in_quotes = !in_quotes;
472 } else if(c == '\\') {
473 if(in.good()) {
474 in >> c;
475 }
476 val.push_back(c);
477 } else if(c == ',' && !in_quotes) {
478 break;
479 } else {
480 val.push_back(c);
481 }
482 }
483
484 if(!key.empty() && !val.empty()) {
485 dn.add_attribute(X509_DN::deref_info_field(key), val);
486 } else {
487 break;
488 }
489 } while(in.good());
490 return in;
491}
void add_attribute(std::string_view key, std::string_view val)
Definition x509_dn.cpp:93

References Botan::X509_DN::add_attribute(), and Botan::X509_DN::deref_info_field().

◆ operator>>() [5/8]

std::istream & Botan::operator>> ( std::istream & stream,
BigInt & n )

Definition at line 44 of file big_io.cpp.

44 {
45 std::string str;
46 std::getline(stream, str);
47 if(stream.bad() || (stream.fail() && !stream.eof())) {
48 throw Stream_IO_Error("BigInt input operator has failed");
49 }
50 n = BigInt(str);
51 return stream;
52}

◆ operator>>() [6/8]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator>> ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 340 of file strong_type.h.

340 {
341 return Strong<T, Tags...>(a.get() >> b.get());
342}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator>>() [7/8]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator>> ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 335 of file strong_type.h.

335 {
336 return Strong<T1, Tags...>(a.get() >> b);
337}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>() [8/8]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator>> ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 329 of file strong_type.h.

329 {
330 return Strong<T2, Tags...>(a >> b.get());
331}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator>>= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 460 of file strong_type.h.

460 {
461 a.get() >>= b.get();
462 return a;
463}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator>>= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 454 of file strong_type.h.

454 {
455 a.get() >>= b;
456 return a;
457}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [1/4]

OctetString Botan::operator^ ( const OctetString & x,
const OctetString & y )

XOR two strings

Parameters
xan octet string
yan octet string
Returns
x XORed with y

Definition at line 109 of file symkey.cpp.

109 {
110 secure_vector<uint8_t> out(std::max(k1.length(), k2.length()));
111
112 copy_mem(out.data(), k1.begin(), k1.length());
113 xor_buf(out.data(), k2.begin(), k2.length());
114 return OctetString(out);
115}

References Botan::OctetString::begin(), copy_mem(), Botan::OctetString::length(), OctetString, and xor_buf().

◆ operator^() [2/4]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator^ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 289 of file strong_type.h.

289 {
290 return Strong<T, Tags...>(a.get() ^ b.get());
291}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator^() [3/4]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator^ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 284 of file strong_type.h.

284 {
285 return Strong<T1, Tags...>(a.get() ^ b);
286}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [4/4]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator^ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 278 of file strong_type.h.

278 {
279 return Strong<T2, Tags...>(a ^ b.get());
280}

References Botan::detail::Strong_Base< T >::get().

◆ operator^=() [1/3]

template<typename Alloc , typename Alloc2 >
std::vector< uint8_t, Alloc > & Botan::operator^= ( std::vector< uint8_t, Alloc > & out,
const std::vector< uint8_t, Alloc2 > & in )

Definition at line 444 of file mem_ops.h.

444 {
445 if(out.size() < in.size()) {
446 out.resize(in.size());
447 }
448
449 xor_buf(std::span{out}.first(in.size()), in);
450 return out;
451}

References xor_buf().

◆ operator^=() [2/3]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator^= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 421 of file strong_type.h.

421 {
422 a.get() ^= b.get();
423 return a;
424}

References Botan::detail::Strong_Base< T >::get().

◆ operator^=() [3/3]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator^= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 415 of file strong_type.h.

415 {
416 a.get() ^= b;
417 return a;
418}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [1/9]

ASN1_Class Botan::operator| ( ASN1_Class x,
ASN1_Class y )
inline

Definition at line 78 of file asn1_obj.h.

78 {
79 return static_cast<ASN1_Class>(static_cast<uint32_t>(x) | static_cast<uint32_t>(y));
80}
ASN1_Class
Definition asn1_obj.h:28

◆ operator|() [2/9]

uint32_t Botan::operator| ( ASN1_Class x,
ASN1_Type y )
inline

Definition at line 86 of file asn1_obj.h.

86 {
87 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
88}

◆ operator|() [3/9]

uint32_t Botan::operator| ( ASN1_Type x,
ASN1_Class y )
inline

Definition at line 82 of file asn1_obj.h.

82 {
83 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
84}

◆ operator|() [4/9]

ASN1_Type Botan::operator| ( ASN1_Type x,
ASN1_Type y )
inline

Definition at line 74 of file asn1_obj.h.

74 {
75 return static_cast<ASN1_Type>(static_cast<uint32_t>(x) | static_cast<uint32_t>(y));
76}
ASN1_Type
Definition asn1_obj.h:43

◆ operator|() [5/9]

donna128 Botan::operator| ( const donna128 & x,
const donna128 & y )
inline

Definition at line 101 of file donna128.h.

101 {
102 return donna128(x.lo() | y.lo(), x.hi() | y.hi());
103}

References Botan::donna128::hi(), and Botan::donna128::lo().

◆ operator|() [6/9]

ECIES_Flags Botan::operator| ( ECIES_Flags a,
ECIES_Flags b )
inline

Definition at line 45 of file ecies.h.

45 {
46 return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) | static_cast<uint32_t>(b));
47}

◆ operator|() [7/9]

template<std::integral T, typename... Tags>
constexpr decltype(auto) Botan::operator| ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 323 of file strong_type.h.

323 {
324 return Strong<T, Tags...>(a.get() | b.get());
325}

References Botan::detail::Strong_Base< T >::get(), and T.

◆ operator|() [8/9]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator| ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 318 of file strong_type.h.

318 {
319 return Strong<T1, Tags...>(a.get() | b);
320}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [9/9]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) Botan::operator| ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 312 of file strong_type.h.

312 {
313 return Strong<T2, Tags...>(a | b.get());
314}

References Botan::detail::Strong_Base< T >::get().

◆ operator|=() [1/2]

template<std::integral T, typename... Tags>
constexpr auto Botan::operator|= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 447 of file strong_type.h.

447 {
448 a.get() |= b.get();
449 return a;
450}

References Botan::detail::Strong_Base< T >::get().

◆ operator|=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto Botan::operator|= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 441 of file strong_type.h.

441 {
442 a.get() |= b;
443 return a;
444}

References Botan::detail::Strong_Base< T >::get().

◆ OS2ECP() [1/3]

template<typename Alloc >
EC_Point Botan::OS2ECP ( const std::vector< uint8_t, Alloc > & data,
const CurveGFp & curve )

Definition at line 395 of file ec_point.h.

395 {
396 return OS2ECP(data.data(), data.size(), curve);
397}
EC_Point OS2ECP(const uint8_t data[], size_t data_len, const CurveGFp &curve)
Definition ec_point.cpp:627

References OS2ECP().

◆ OS2ECP() [2/3]

std::pair< BigInt, BigInt > BOTAN_UNSTABLE_API Botan::OS2ECP ( const uint8_t data[],
size_t data_len,
const BigInt & curve_p,
const BigInt & curve_a,
const BigInt & curve_b )

Perform point decoding Use EC_Group::OS2ECP instead

Parameters
datathe encoded point
data_lenlength of data in bytes
curve_pthe curve equation prime
curve_athe curve equation a parameter
curve_bthe curve equation b parameter

Definition at line 644 of file ec_point.cpp.

645 {
646 if(data_len <= 1) {
647 throw Decoding_Error("OS2ECP invalid point");
648 }
649
650 const uint8_t pc = data[0];
651
652 BigInt x, y;
653
654 if(pc == 2 || pc == 3) {
655 //compressed form
656 x = BigInt::decode(&data[1], data_len - 1);
657
658 const bool y_mod_2 = ((pc & 0x01) == 1);
659 y = decompress_point(y_mod_2, x, curve_p, curve_a, curve_b);
660 } else if(pc == 4) {
661 const size_t l = (data_len - 1) / 2;
662
663 // uncompressed form
664 x = BigInt::decode(&data[1], l);
665 y = BigInt::decode(&data[l + 1], l);
666 } else if(pc == 6 || pc == 7) {
667 const size_t l = (data_len - 1) / 2;
668
669 // hybrid form
670 x = BigInt::decode(&data[1], l);
671 y = BigInt::decode(&data[l + 1], l);
672
673 const bool y_mod_2 = ((pc & 0x01) == 1);
674
675 if(decompress_point(y_mod_2, x, curve_p, curve_a, curve_b) != y) {
676 throw Decoding_Error("OS2ECP: Decoding error in hybrid format");
677 }
678 } else {
679 throw Invalid_Argument("OS2ECP: Unknown format type " + std::to_string(pc));
680 }
681
682 return std::make_pair(x, y);
683}

References Botan::BigInt::decode().

◆ OS2ECP() [3/3]

EC_Point Botan::OS2ECP ( const uint8_t data[],
size_t data_len,
const CurveGFp & curve )

Perform point decoding Use EC_Group::OS2ECP instead

Definition at line 627 of file ec_point.cpp.

627 {
628 // Should we really be doing this?
629 if(data_len <= 1) {
630 return EC_Point(curve); // return zero
631 }
632
633 std::pair<BigInt, BigInt> xy = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b());
634
635 EC_Point point(curve, xy.first, xy.second);
636
637 if(!point.on_the_curve()) {
638 throw Decoding_Error("OS2ECP: Decoded point was not on the curve");
639 }
640
641 return point;
642}
const BigInt & get_a() const
Definition curve_gfp.h:107
const BigInt & get_p() const
Definition curve_gfp.h:118
const BigInt & get_b() const
Definition curve_gfp.h:112

References Botan::CurveGFp::get_a(), Botan::CurveGFp::get_b(), Botan::CurveGFp::get_p(), Botan::EC_Point::on_the_curve(), and OS2ECP().

Referenced by OS2ECP(), Botan::EC_Group::OS2ECP(), OS2ECP(), and Botan::EC_Group::OS2ECP().

◆ overloaded()

template<class... Ts>
Botan::overloaded ( Ts... ) -> overloaded< Ts... >

◆ parse_algorithm_name()

std::vector< std::string > Botan::parse_algorithm_name ( std::string_view scan_name)

Parse a SCAN-style algorithm name

Parameters
scan_namethe name
Returns
the name components

Definition at line 57 of file parsing.cpp.

57 {
58 if(namex.find('(') == std::string::npos && namex.find(')') == std::string::npos) {
59 return {std::string(namex)};
60 }
61
62 std::string name(namex);
63 std::string substring;
64 std::vector<std::string> elems;
65 size_t level = 0;
66
67 elems.push_back(name.substr(0, name.find('(')));
68 name = name.substr(name.find('('));
69
70 for(auto i = name.begin(); i != name.end(); ++i) {
71 char c = *i;
72
73 if(c == '(') {
74 ++level;
75 }
76 if(c == ')') {
77 if(level == 1 && i == name.end() - 1) {
78 if(elems.size() == 1) {
79 elems.push_back(substring.substr(1));
80 } else {
81 elems.push_back(substring);
82 }
83 return elems;
84 }
85
86 if(level == 0 || (level == 1 && i != name.end() - 1)) {
87 throw Invalid_Algorithm_Name(namex);
88 }
89 --level;
90 }
91
92 if(c == ',' && level == 1) {
93 if(elems.size() == 1) {
94 elems.push_back(substring.substr(1));
95 } else {
96 elems.push_back(substring);
97 }
98 substring.clear();
99 } else {
100 substring += c;
101 }
102 }
103
104 if(!substring.empty()) {
105 throw Invalid_Algorithm_Name(namex);
106 }
107
108 return elems;
109}

References name.

Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), and Botan::EME::create().

◆ passes_miller_rabin_test()

bool Botan::passes_miller_rabin_test ( const BigInt & n,
const Modular_Reducer & mod_n,
const std::shared_ptr< Montgomery_Params > & monty_n,
const BigInt & a )

Perform a single Miller-Rabin test with specified base

Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
monty_nMontgomery parameters for n
athe base to check
Returns
result of primality test

Definition at line 106 of file primality.cpp.

109 {
110 if(n < 3 || n.is_even()) {
111 return false;
112 }
113
114 BOTAN_ASSERT_NOMSG(n > 1);
115
116 const BigInt n_minus_1 = n - 1;
117 const size_t s = low_zero_bits(n_minus_1);
118 const BigInt nm1_s = n_minus_1 >> s;
119 const size_t n_bits = n.bits();
120
121 const size_t powm_window = 4;
122
123 auto powm_a_n = monty_precompute(monty_n, a, powm_window);
124
125 BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits);
126
127 if(y == 1 || y == n_minus_1) {
128 return true;
129 }
130
131 for(size_t i = 1; i != s; ++i) {
132 y = mod_n.square(y);
133
134 if(y == 1) { // found a non-trivial square root
135 return false;
136 }
137
138 /*
139 -1 is the trivial square root of unity, so ``a`` is not a
140 witness for this number - give up
141 */
142 if(y == n_minus_1) {
143 return true;
144 }
145 }
146
147 return false;
148}
BigInt square(const BigInt &x) const
Definition reducer.h:43

References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::BigInt::is_even(), low_zero_bits(), monty_execute(), monty_precompute(), and Botan::Modular_Reducer::square().

Referenced by is_bailie_psw_probable_prime(), and is_miller_rabin_probable_prime().

◆ pbes2_decrypt()

secure_vector< uint8_t > Botan::pbes2_decrypt ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
const std::vector< uint8_t > & params )

Decrypt a PKCS #5 v2.0 encrypted stream

Parameters
key_bitsthe input
passphrasethe passphrase to use for decryption
paramsthe PBES2 parameters

Definition at line 270 of file pbes2.cpp.

272 {
273 AlgorithmIdentifier kdf_algo, enc_algo;
274
275 BER_Decoder(params).start_sequence().decode(kdf_algo).decode(enc_algo).end_cons();
276
277 const std::string cipher = enc_algo.oid().human_name_or_empty();
278 const auto cipher_spec = split_on(cipher, '/');
279 if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1])) {
280 throw Decoding_Error(fmt("PBE-PKCS5 v2.0: Unknown/invalid cipher OID {}", enc_algo.oid()));
281 }
282
283 secure_vector<uint8_t> iv;
284 BER_Decoder(enc_algo.parameters()).decode(iv, ASN1_Type::OctetString).verify_end();
285
286 auto dec = Cipher_Mode::create(cipher, Cipher_Dir::Decryption);
287 if(!dec) {
288 throw Decoding_Error(fmt("PBE-PKCS5 cannot decrypt no cipher '{}'", cipher));
289 }
290
291 dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));
292
293 dec->start(iv);
294
295 secure_vector<uint8_t> buf(key_bits.begin(), key_bits.end());
296 dec->finish(buf);
297
298 return buf;
299}
BER_Decoder & decode(bool &out)
Definition ber_dec.h:176
BER_Decoder & end_cons()
Definition ber_dec.cpp:295
BER_Decoder start_sequence()
Definition ber_dec.h:113
std::string human_name_or_empty() const
Definition asn1_oid.cpp:122

References Botan::Cipher_Mode::create(), Botan::BER_Decoder::decode(), Decryption, Botan::BER_Decoder::end_cons(), fmt(), Botan::OID::human_name_or_empty(), OctetString, Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), split_on(), Botan::BER_Decoder::start_sequence(), and Botan::BER_Decoder::verify_end().

◆ pbes2_encrypt()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
std::chrono::milliseconds msec,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 232 of file pbes2.cpp.

237 {
238 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
239 return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
240 // return value msec_in_iterations_out discarded
241}

◆ pbes2_encrypt_iter()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_iter ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
size_t iterations,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
iterationshow many iterations to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 261 of file pbes2.cpp.

266 {
267 return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng);
268}

Referenced by Botan::PKCS8::BER_encode_encrypted_pbkdf_iter().

◆ pbes2_encrypt_msec()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_msec ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
std::chrono::milliseconds msec,
size_t * out_iterations_if_nonnull,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
out_iterations_if_nonnullif not null, set to the number of PBKDF iterations used
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 243 of file pbes2.cpp.

249 {
250 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
251
252 auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
253
254 if(out_iterations_if_nonnull) {
255 *out_iterations_if_nonnull = msec_in_iterations_out;
256 }
257
258 return ret;
259}

Referenced by Botan::PKCS8::BER_encode(), and Botan::PKCS8::BER_encode_encrypted_pbkdf_msec().

◆ pbkdf2() [1/2]

void Botan::pbkdf2 ( MessageAuthenticationCode & prf,
uint8_t out[],
size_t out_len,
const uint8_t salt[],
size_t salt_len,
size_t iterations )

Perform PBKDF2. The prf is assumed to be keyed already.

Definition at line 97 of file pbkdf2.cpp.

102 {
103 if(iterations == 0) {
104 throw Invalid_Argument("PBKDF2: Invalid iteration count");
105 }
106
107 clear_mem(out, out_len);
108
109 if(out_len == 0) {
110 return;
111 }
112
113 const size_t prf_sz = prf.output_length();
114 BOTAN_ASSERT_NOMSG(prf_sz > 0);
115
116 secure_vector<uint8_t> U(prf_sz);
117
118 uint32_t counter = 1;
119 while(out_len) {
120 const size_t prf_output = std::min<size_t>(prf_sz, out_len);
121
122 prf.update(salt, salt_len);
123 prf.update_be(counter++);
124 prf.final(U.data());
125
126 xor_buf(out, U.data(), prf_output);
127
128 for(size_t i = 1; i != iterations; ++i) {
129 prf.update(U);
130 prf.final(U.data());
131 xor_buf(out, U.data(), prf_output);
132 }
133
134 out_len -= prf_output;
135 out += prf_output;
136 }
137}

References BOTAN_ASSERT_NOMSG, clear_mem(), Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

◆ pbkdf2() [2/2]

size_t Botan::pbkdf2 ( MessageAuthenticationCode & prf,
uint8_t out[],
size_t out_len,
std::string_view password,
const uint8_t salt[],
size_t salt_len,
size_t iterations,
std::chrono::milliseconds msec )

Definition at line 78 of file pbkdf2.cpp.

85 {
86 if(iterations == 0) {
87 iterations = tune_pbkdf2(prf, out_len, msec);
88 }
89
90 PBKDF2 pbkdf2(prf, iterations);
91
92 pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
93
94 return iterations;
95}

References pbkdf2().

Referenced by Botan::PBKDF2::derive_key(), Botan::Scrypt::derive_key(), Botan::PKCS5_PBKDF2::pbkdf(), and pbkdf2().

◆ pkcs_hash_id()

std::vector< uint8_t > BOTAN_TEST_API Botan::pkcs_hash_id ( std::string_view hash_name)

Return the PKCS #1 hash identifier

See also
RFC 3447 section 9.2
Parameters
hash_namethe name of the hash function
Returns
uint8_t sequence identifying the hash
Exceptions
Invalid_Argumentif the hash has no known PKCS #1 hash id

Definition at line 78 of file hash_id.cpp.

78 {
79 // Special case for SSL/TLS RSA signatures
80 if(name == "Parallel(MD5,SHA-1)") {
81 return std::vector<uint8_t>();
82 }
83
84 // If you add a value to this function, also update test_hash_id.cpp
85
86 if(name == "MD5") {
87 return std::vector<uint8_t>(MD5_PKCS_ID, MD5_PKCS_ID + sizeof(MD5_PKCS_ID));
88 }
89
90 if(name == "RIPEMD-160") {
91 return std::vector<uint8_t>(RIPEMD_160_PKCS_ID, RIPEMD_160_PKCS_ID + sizeof(RIPEMD_160_PKCS_ID));
92 }
93
94 if(name == "SHA-1") {
95 return std::vector<uint8_t>(SHA_1_PKCS_ID, SHA_1_PKCS_ID + sizeof(SHA_1_PKCS_ID));
96 }
97
98 if(name == "SHA-224") {
99 return std::vector<uint8_t>(SHA_224_PKCS_ID, SHA_224_PKCS_ID + sizeof(SHA_224_PKCS_ID));
100 }
101
102 if(name == "SHA-256") {
103 return std::vector<uint8_t>(SHA_256_PKCS_ID, SHA_256_PKCS_ID + sizeof(SHA_256_PKCS_ID));
104 }
105
106 if(name == "SHA-384") {
107 return std::vector<uint8_t>(SHA_384_PKCS_ID, SHA_384_PKCS_ID + sizeof(SHA_384_PKCS_ID));
108 }
109
110 if(name == "SHA-512") {
111 return std::vector<uint8_t>(SHA_512_PKCS_ID, SHA_512_PKCS_ID + sizeof(SHA_512_PKCS_ID));
112 }
113
114 if(name == "SHA-512-256") {
115 return std::vector<uint8_t>(SHA_512_256_PKCS_ID, SHA_512_256_PKCS_ID + sizeof(SHA_512_256_PKCS_ID));
116 }
117
118 if(name == "SHA-3(224)") {
119 return std::vector<uint8_t>(SHA3_224_PKCS_ID, SHA3_224_PKCS_ID + sizeof(SHA3_224_PKCS_ID));
120 }
121
122 if(name == "SHA-3(256)") {
123 return std::vector<uint8_t>(SHA3_256_PKCS_ID, SHA3_256_PKCS_ID + sizeof(SHA3_256_PKCS_ID));
124 }
125
126 if(name == "SHA-3(384)") {
127 return std::vector<uint8_t>(SHA3_384_PKCS_ID, SHA3_384_PKCS_ID + sizeof(SHA3_384_PKCS_ID));
128 }
129
130 if(name == "SHA-3(512)") {
131 return std::vector<uint8_t>(SHA3_512_PKCS_ID, SHA3_512_PKCS_ID + sizeof(SHA3_512_PKCS_ID));
132 }
133
134 if(name == "SM3") {
135 return std::vector<uint8_t>(SM3_PKCS_ID, SM3_PKCS_ID + sizeof(SM3_PKCS_ID));
136 }
137
138 throw Invalid_Argument("No PKCS #1 identifier for " + std::string(name));
139}

References name.

Referenced by botan_pkcs_hash_id(), Botan::EMSA_PKCS1v15::EMSA_PKCS1v15(), and Botan::EMSA_PKCS1v15_Raw::EMSA_PKCS1v15_Raw().

◆ poly_double_n() [1/2]

void Botan::poly_double_n ( uint8_t buf[],
size_t n )
inline

Definition at line 26 of file poly_dbl.h.

26 {
27 return poly_double_n(buf, buf, n);
28}
void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:74

References poly_double_n().

◆ poly_double_n() [2/2]

void BOTAN_TEST_API Botan::poly_double_n ( uint8_t out[],
const uint8_t in[],
size_t n )

Polynomial doubling in GF(2^n)

Definition at line 74 of file poly_dbl.cpp.

74 {
75 switch(n) {
76 case 8:
77 return poly_double<1, MinWeightPolynomial::P64>(out, in);
78 case 16:
79 return poly_double<2, MinWeightPolynomial::P128>(out, in);
80 case 24:
81 return poly_double<3, MinWeightPolynomial::P192>(out, in);
82 case 32:
83 return poly_double<4, MinWeightPolynomial::P256>(out, in);
84 case 64:
85 return poly_double<8, MinWeightPolynomial::P512>(out, in);
86 case 128:
87 return poly_double<16, MinWeightPolynomial::P1024>(out, in);
88 default:
89 throw Invalid_Argument("Unsupported size for poly_double_n");
90 }
91}

Referenced by poly_double_n(), and Botan::SIV_Mode::S2V().

◆ poly_double_n_le()

void BOTAN_TEST_API Botan::poly_double_n_le ( uint8_t out[],
const uint8_t in[],
size_t n )

Definition at line 93 of file poly_dbl.cpp.

93 {
94 switch(n) {
95 case 8:
96 return poly_double_le<1, MinWeightPolynomial::P64>(out, in);
97 case 16:
98 return poly_double_le<2, MinWeightPolynomial::P128>(out, in);
99 case 24:
100 return poly_double_le<3, MinWeightPolynomial::P192>(out, in);
101 case 32:
102 return poly_double_le<4, MinWeightPolynomial::P256>(out, in);
103 case 64:
104 return poly_double_le<8, MinWeightPolynomial::P512>(out, in);
105 case 128:
106 return poly_double_le<16, MinWeightPolynomial::P1024>(out, in);
107 default:
108 throw Invalid_Argument("Unsupported size for poly_double_n_le");
109 }
110}

Referenced by Botan::XTS_Mode::update_tweak().

◆ poly_double_supported_size()

bool Botan::poly_double_supported_size ( size_t n)
inline

Returns true iff poly_double_n is implemented for this size.

Definition at line 22 of file poly_dbl.h.

22 {
23 return (n == 8 || n == 16 || n == 24 || n == 32 || n == 64 || n == 128);
24}

Referenced by Botan::CMAC::CMAC(), and Botan::XTS_Mode::XTS_Mode().

◆ power_mod()

BigInt Botan::power_mod ( const BigInt & b,
const BigInt & x,
const BigInt & m )

Modular exponentation

Parameters
ban integer base
xa positive exponent
ma positive modulus
Returns
(b^x) % m

Definition at line 286 of file numthry.cpp.

286 {
287 if(mod.is_negative() || mod == 1) {
288 return BigInt::zero();
289 }
290
291 if(base.is_zero() || mod.is_zero()) {
292 if(exp.is_zero()) {
293 return BigInt::one();
294 }
295 return BigInt::zero();
296 }
297
298 Modular_Reducer reduce_mod(mod);
299
300 const size_t exp_bits = exp.bits();
301
302 if(mod.is_odd()) {
303 auto monty_params = std::make_shared<Montgomery_Params>(mod, reduce_mod);
304 return monty_exp(monty_params, reduce_mod.reduce(base), exp, exp_bits);
305 }
306
307 /*
308 Support for even modulus is just a convenience and not considered
309 cryptographically important, so this implementation is slow ...
310 */
311 BigInt accum = BigInt::one();
312 BigInt g = reduce_mod.reduce(base);
313 BigInt t;
314
315 for(size_t i = 0; i != exp_bits; ++i) {
316 t = reduce_mod.multiply(g, accum);
317 g = reduce_mod.square(g);
318 accum.ct_cond_assign(exp.get_bit(i), t);
319 }
320 return accum;
321}
BigInt monty_exp(const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
Definition monty_exp.h:41

References Botan::BigInt::bits(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), monty_exp(), Botan::Modular_Reducer::multiply(), Botan::BigInt::one(), Botan::Modular_Reducer::reduce(), Botan::Modular_Reducer::square(), and Botan::BigInt::zero().

Referenced by botan_mp_powmod().

◆ prefetch_array_raw()

uint64_t Botan::prefetch_array_raw ( size_t bytes,
const void * array )
noexcept

Prefetch an array

This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.

Definition at line 14 of file prefetch.cpp.

14 {
15#if defined(__cpp_lib_hardware_interference_size)
16 const size_t cache_line_size = std::hardware_destructive_interference_size;
17#else
18 // We arbitrarily use a 64 byte cache line, which is by far the most
19 // common size.
20 //
21 // Runtime detection adds too much overhead to this function.
22 const size_t cache_line_size = 64;
23#endif
24
25 const uint8_t* array = static_cast<const uint8_t*>(arrayv);
26
27 volatile uint64_t combiner = 1;
28
29 for(size_t idx = 0; idx < bytes; idx += cache_line_size) {
30#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_prefetch)
31 // we have no way of knowing if the compiler will emit anything here
32 __builtin_prefetch(&array[idx]);
33#endif
34
35 combiner = combiner | array[idx];
36 }
37
38 /*
39 * The combiner variable is initialized with 1, and we accumulate using OR, so
40 * now combiner must be a value other than zero. This being the case we will
41 * always return zero here. Hopefully the compiler will not figure this out.
42 */
43 return ct_is_zero(combiner);
44}

References ct_is_zero().

Referenced by prefetch_arrays().

◆ prefetch_arrays()

template<typename T , size_t... Ns>
requires std::is_integral<T>::value
T Botan::prefetch_arrays ( T(&... arr) [Ns])
noexcept

Prefetch several arrays

This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.

Definition at line 34 of file prefetch.h.

36{
37 return (static_cast<T>(prefetch_array_raw(sizeof(T) * Ns, arr)) & ...);
38}
uint64_t prefetch_array_raw(size_t bytes, const void *arrayv) noexcept
Definition prefetch.cpp:14

References prefetch_array_raw(), and T.

Referenced by Botan::SEED::decrypt_n(), and Botan::SEED::encrypt_n().

◆ prime_p192()

const BigInt & Botan::prime_p192 ( )

Return the P-192 prime

Definition at line 122 of file nistp_redc.cpp.

122 {
123 static const BigInt p192("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF");
124 return p192;
125}

◆ prime_p224()

const BigInt & Botan::prime_p224 ( )

Return the P-224 prime

Definition at line 217 of file nistp_redc.cpp.

217 {
218 static const BigInt p224("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001");
219 return p224;
220}

◆ prime_p256()

const BigInt & Botan::prime_p256 ( )

Return the P-256 prime

Definition at line 319 of file nistp_redc.cpp.

319 {
320 static const BigInt p256("0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF");
321 return p256;
322}

◆ prime_p384()

const BigInt & Botan::prime_p384 ( )

Return the P-384 prime

Definition at line 447 of file nistp_redc.cpp.

447 {
448 static const BigInt p384(
449 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF");
450 return p384;
451}

◆ prime_p521()

const BigInt & Botan::prime_p521 ( )

Return the P-521 prime

Definition at line 15 of file nistp_redc.cpp.

15 {
16 static const BigInt p521(
17 "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
18 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
19
20 return p521;
21}

◆ probe_provider_private_key()

std::vector< std::string > Botan::probe_provider_private_key ( std::string_view alg_name,
const std::vector< std::string > & possible )

Definition at line 547 of file pk_algs.cpp.

548 {
549 std::vector<std::string> providers;
550
551 for(auto&& prov : possible) {
552 if(prov == "base") {
553 providers.push_back(prov);
554 }
555 }
556
557 BOTAN_UNUSED(alg_name);
558
559 return providers;
560}

References BOTAN_UNUSED.

◆ probe_providers_of()

template<typename T >
std::vector< std::string > Botan::probe_providers_of ( std::string_view algo_spec,
const std::vector< std::string > & possible = {"base"} )

Definition at line 105 of file scan_name.h.

106 {"base"}) {
107 std::vector<std::string> providers;
108 for(auto&& prov : possible) {
109 auto o = T::create(algo_spec, prov);
110 if(o) {
111 providers.push_back(prov); // available
112 }
113 }
114 return providers;
115}

◆ random_code_element()

gf2m Botan::random_code_element ( uint16_t code_length,
RandomNumberGenerator & rng )

Definition at line 80 of file polyn_gf2m.cpp.

80 {
81 if(code_length == 0) {
82 throw Invalid_Argument("random_code_element() was supplied a code length of zero");
83 }
84 const unsigned nlz = nlz_16bit(code_length - 1);
85 const gf2m mask = (1 << (16 - nlz)) - 1;
86
87 gf2m result;
88
89 do {
90 result = random_gf2m(rng);
91 result &= mask;
92 } while(result >= code_length); // rejection sampling
93
94 return result;
95}

References random_gf2m().

Referenced by Botan::polyn_gf2m::polyn_gf2m().

◆ random_gf2m()

gf2m Botan::random_gf2m ( RandomNumberGenerator & rng)

Definition at line 74 of file polyn_gf2m.cpp.

74 {
75 uint8_t b[2];
76 rng.randomize(b, sizeof(b));
77 return make_uint16(b[1], b[0]);
78}
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition loadstor.h:50

References make_uint16(), and Botan::RandomNumberGenerator::randomize().

Referenced by random_code_element().

◆ random_prime()

BigInt Botan::random_prime ( RandomNumberGenerator & rng,
size_t bits,
const BigInt & coprime = BigInt::from_u64(0),
size_t equiv = 1,
size_t equiv_mod = 2,
size_t prob = 128 )

Randomly generate a prime suitable for discrete logarithm parameters

Parameters
rnga random number generator
bitshow large the resulting prime should be in bits
coprimea positive integer that (prime - 1) should be coprime to
equiva non-negative number that the result should be equivalent to modulo equiv_mod
equiv_modthe modulus equiv should be checked against
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 97 of file make_prm.cpp.

98 {
99 if(bits <= 1) {
100 throw Invalid_Argument("random_prime: Can't make a prime of " + std::to_string(bits) + " bits");
101 }
102 if(coprime.is_negative() || (!coprime.is_zero() && coprime.is_even()) || coprime.bits() >= bits) {
103 throw Invalid_Argument("random_prime: invalid coprime");
104 }
105 if(modulo == 0 || modulo >= 100000) {
106 throw Invalid_Argument("random_prime: Invalid modulo value");
107 }
108
109 equiv %= modulo;
110
111 if(equiv == 0) {
112 throw Invalid_Argument("random_prime Invalid value for equiv/modulo");
113 }
114
115 // Handle small values:
116
117 if(bits <= 16) {
118 if(equiv != 1 || modulo != 2 || coprime != 0) {
119 throw Not_Implemented("random_prime equiv/modulo/coprime options not usable for small primes");
120 }
121
122 if(bits == 2) {
123 return BigInt::from_word(((rng.next_byte() % 2) ? 2 : 3));
124 } else if(bits == 3) {
125 return BigInt::from_word(((rng.next_byte() % 2) ? 5 : 7));
126 } else if(bits == 4) {
127 return BigInt::from_word(((rng.next_byte() % 2) ? 11 : 13));
128 } else {
129 for(;;) {
130 // This is slightly biased, but for small primes it does not seem to matter
131 uint8_t b[4] = {0};
132 rng.randomize(b, 4);
133 const size_t idx = load_le<uint32_t>(b, 0) % PRIME_TABLE_SIZE;
134 const uint16_t small_prime = PRIMES[idx];
135
136 if(high_bit(small_prime) == bits) {
137 return BigInt::from_word(small_prime);
138 }
139 }
140 }
141 }
142
143 const size_t MAX_ATTEMPTS = 32 * 1024;
144
145 const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
146
147 while(true) {
148 BigInt p(rng, bits);
149
150 // Force lowest and two top bits on
151 p.set_bit(bits - 1);
152 p.set_bit(bits - 2);
153 p.set_bit(0);
154
155 // Force p to be equal to equiv mod modulo
156 p += (modulo - (p % modulo)) + equiv;
157
158 Prime_Sieve sieve(p, bits, modulo, true);
159
160 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
161 p += modulo;
162
163 if(!sieve.next()) {
164 continue;
165 }
166
167 // here p can be even if modulo is odd, continue on in that case
168 if(p.is_even()) {
169 continue;
170 }
171
172 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
173
174 Modular_Reducer mod_p(p);
175
176 if(coprime > 1) {
177 /*
178 First do a single M-R iteration to quickly elimate most non-primes,
179 before doing the coprimality check which is expensive
180 */
181 if(is_miller_rabin_probable_prime(p, mod_p, rng, 1) == false) {
182 continue;
183 }
184
185 /*
186 * Check if p - 1 and coprime are relatively prime, using gcd.
187 * The gcd computation is const-time
188 */
189 if(gcd(p - 1, coprime) > 1) {
190 continue;
191 }
192 }
193
194 if(p.bits() > bits) {
195 break;
196 }
197
198 if(is_miller_rabin_probable_prime(p, mod_p, rng, mr_trials) == false) {
199 continue;
200 }
201
202 if(prob > 32 && !is_lucas_probable_prime(p, mod_p)) {
203 continue;
204 }
205
206 return p;
207 }
208 }
209}
const uint16_t PRIMES[]
Definition primes.cpp:12
constexpr size_t high_bit(T n)
Definition bit_ops.h:58
const size_t PRIME_TABLE_SIZE
Definition numthry.h:167

References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::BigInt::from_word(), gcd(), high_bit(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), miller_rabin_test_iterations(), Botan::RandomNumberGenerator::next_byte(), PRIME_TABLE_SIZE, PRIMES, Botan::RandomNumberGenerator::randomize(), and Botan::BigInt::set_bit().

Referenced by Botan::DL_Group::DL_Group(), and random_safe_prime().

◆ random_safe_prime()

BigInt Botan::random_safe_prime ( RandomNumberGenerator & rng,
size_t bits )

Return a 'safe' prime, of the form p=2*q+1 with q prime

Parameters
rnga random number generator
bitsis how long the resulting prime should be
Returns
prime randomly chosen from safe primes of length bits

Definition at line 294 of file make_prm.cpp.

294 {
295 if(bits <= 64) {
296 throw Invalid_Argument("random_safe_prime: Can't make a prime of " + std::to_string(bits) + " bits");
297 }
298
299 const size_t error_bound = 128;
300
301 BigInt q, p;
302 for(;;) {
303 /*
304 Generate q == 2 (mod 3), since otherwise [in the case of q == 1 (mod 3)],
305 2*q+1 == 3 (mod 3) and so certainly not prime.
306 */
307 q = random_prime(rng, bits - 1, BigInt::zero(), 2, 3, error_bound);
308 p = (q << 1) + 1;
309
310 if(is_prime(p, rng, error_bound, true)) {
311 return p;
312 }
313 }
314}

References is_prime(), random_prime(), and Botan::BigInt::zero().

Referenced by Botan::DL_Group::DL_Group().

◆ read_cfg()

std::map< std::string, std::string > Botan::read_cfg ( std::istream & is)

Definition at line 34 of file read_cfg.cpp.

34 {
35 std::map<std::string, std::string> kv;
36 size_t line = 0;
37
38 while(is.good()) {
39 std::string s;
40
41 std::getline(is, s);
42
43 ++line;
44
45 if(s.empty() || s[0] == '#') {
46 continue;
47 }
48
49 s = clean_ws(s.substr(0, s.find('#')));
50
51 if(s.empty()) {
52 continue;
53 }
54
55 auto eq = s.find('=');
56
57 if(eq == std::string::npos || eq == 0 || eq == s.size() - 1) {
58 throw Decoding_Error("Bad read_cfg input '" + s + "' on line " + std::to_string(line));
59 }
60
61 const std::string key = clean_ws(s.substr(0, eq));
62 const std::string val = clean_ws(s.substr(eq + 1, std::string::npos));
63
64 kv[key] = val;
65 }
66
67 return kv;
68}

Referenced by Botan::TLS::Text_Policy::Text_Policy().

◆ read_kv()

std::map< std::string, std::string > Botan::read_kv ( std::string_view kv)

Accepts key value pairs deliminated by commas:

"" (returns empty map) "K=V" (returns map {'K': 'V'}) "K1=V1,K2=V2" "K1=V1,K2=V2,K3=V3" "K1=V1,K2=V2,K3=a_value\,with\,commas_and_\=equals"

Values may be empty, keys must be non-empty and unique. Duplicate keys cause an exception.

Within both key and value, comma and equals can be escaped with backslash. Backslash can also be escaped.

Definition at line 13 of file read_kv.cpp.

13 {
14 std::map<std::string, std::string> m;
15 if(kv.empty()) {
16 return m;
17 }
18
19 std::vector<std::string> parts;
20
21 try {
22 parts = split_on(kv, ',');
23 } catch(std::exception&) {
24 throw Invalid_Argument("Bad KV spec");
25 }
26
27 bool escaped = false;
28 bool reading_key = true;
29 std::string cur_key;
30 std::string cur_val;
31
32 for(char c : kv) {
33 if(c == '\\' && !escaped) {
34 escaped = true;
35 } else if(c == ',' && !escaped) {
36 if(cur_key.empty()) {
37 throw Invalid_Argument("Bad KV spec empty key");
38 }
39
40 if(m.find(cur_key) != m.end()) {
41 throw Invalid_Argument("Bad KV spec duplicated key");
42 }
43 m[cur_key] = cur_val;
44 cur_key = "";
45 cur_val = "";
46 reading_key = true;
47 } else if(c == '=' && !escaped) {
48 if(reading_key == false) {
49 throw Invalid_Argument("Bad KV spec unexpected equals sign");
50 }
51 reading_key = false;
52 } else {
53 if(reading_key) {
54 cur_key += c;
55 } else {
56 cur_val += c;
57 }
58
59 if(escaped) {
60 escaped = false;
61 }
62 }
63 }
64
65 if(!cur_key.empty()) {
66 if(reading_key == false) {
67 if(m.find(cur_key) != m.end()) {
68 throw Invalid_Argument("Bad KV spec duplicated key");
69 }
70 m[cur_key] = cur_val;
71 } else {
72 throw Invalid_Argument("Bad KV spec incomplete string");
73 }
74 }
75
76 return m;
77}

References split_on().

◆ redc_mul()

void Botan::redc_mul ( int64_t & s1,
int64_t & s2,
int64_t & s3,
int64_t & s4,
int64_t & s5,
int64_t & s6,
int64_t & X )
inline

Definition at line 58 of file ed25519_internal.h.

58 {
59 s1 += X * 666643;
60 s2 += X * 470296;
61 s3 += X * 654183;
62 s4 -= X * 997805;
63 s5 += X * 136657;
64 s6 -= X * 683901;
65 X = 0;
66}

References X.

Referenced by sc_muladd(), and sc_reduce().

◆ redc_p192()

void Botan::redc_p192 ( BigInt & x,
secure_vector< word > & ws )

Reduce an input modulo P-192

Input value x must be between 0 and p**2

Definition at line 127 of file nistp_redc.cpp.

127 {
129
130 BOTAN_UNUSED(ws);
131
132 static const size_t p192_limbs = 192 / BOTAN_MP_WORD_BITS;
133
134 x.grow_to(2 * p192_limbs);
135 word* xw = x.mutable_data();
136
137 const uint64_t X00 = get_uint32(xw, 0);
138 const uint64_t X01 = get_uint32(xw, 1);
139 const uint64_t X02 = get_uint32(xw, 2);
140 const uint64_t X03 = get_uint32(xw, 3);
141 const uint64_t X04 = get_uint32(xw, 4);
142 const uint64_t X05 = get_uint32(xw, 5);
143 const uint64_t X06 = get_uint32(xw, 6);
144 const uint64_t X07 = get_uint32(xw, 7);
145 const uint64_t X08 = get_uint32(xw, 8);
146 const uint64_t X09 = get_uint32(xw, 9);
147 const uint64_t X10 = get_uint32(xw, 10);
148 const uint64_t X11 = get_uint32(xw, 11);
149
150 const uint64_t S0 = X00 + X06 + X10;
151 const uint64_t S1 = X01 + X07 + X11;
152 const uint64_t S2 = X02 + X06 + X08 + X10;
153 const uint64_t S3 = X03 + X07 + X09 + X11;
154 const uint64_t S4 = X04 + X08 + X10;
155 const uint64_t S5 = X05 + X09 + X11;
156
157 uint64_t S = 0;
158 uint32_t R0 = 0, R1 = 0;
159
160 S += S0;
161 R0 = static_cast<uint32_t>(S);
162 S >>= 32;
163
164 S += S1;
165 R1 = static_cast<uint32_t>(S);
166 S >>= 32;
167
168 set_words(xw, 0, R0, R1);
169
170 S += S2;
171 R0 = static_cast<uint32_t>(S);
172 S >>= 32;
173
174 S += S3;
175 R1 = static_cast<uint32_t>(S);
176 S >>= 32;
177
178 set_words(xw, 2, R0, R1);
179
180 S += S4;
181 R0 = static_cast<uint32_t>(S);
182 S >>= 32;
183
184 S += S5;
185 R1 = static_cast<uint32_t>(S);
186 S >>= 32;
187
188 set_words(xw, 4, R0, R1);
189
190 // No underflow possible
191
192 /*
193 This is a table of (i*P-192) % 2**192 for i in 1...3
194 */
195 static const word p192_mults[3][p192_limbs] = {
196#if(BOTAN_MP_WORD_BITS == 64)
197 {0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF},
198 {0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFD, 0xFFFFFFFFFFFFFFFF},
199 {0xFFFFFFFFFFFFFFFD, 0xFFFFFFFFFFFFFFFC, 0xFFFFFFFFFFFFFFFF},
200#else
201 {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
202 {0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
203 {0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
204#endif
205 };
206
207 CT::unpoison(S);
208 BOTAN_ASSERT(S <= 2, "Expected overflow");
209
210 BOTAN_ASSERT_NOMSG(x.size() >= p192_limbs + 1);
211 x.mask_bits(192);
212 word borrow = bigint_sub2(x.mutable_data(), p192_limbs + 1, p192_mults[S], p192_limbs);
213 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
214 bigint_cnd_add(borrow, x.mutable_data(), p192_limbs + 1, p192_mults[0], p192_limbs);
215}
void grow_to(size_t n) const
Definition bigint.h:631
void mask_bits(size_t n)
Definition bigint.h:460
word bigint_sub2(word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_core.h:273

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

◆ redc_p224()

void Botan::redc_p224 ( BigInt & x,
secure_vector< word > & ws )

Reduce an input modulo P-224

Input value x must be between 0 and p**2

Definition at line 222 of file nistp_redc.cpp.

222 {
224
225 static const size_t p224_limbs = (BOTAN_MP_WORD_BITS == 32) ? 7 : 4;
226
227 BOTAN_UNUSED(ws);
228
229 x.grow_to(2 * p224_limbs);
230 word* xw = x.mutable_data();
231
232 const int64_t X00 = get_uint32(xw, 0);
233 const int64_t X01 = get_uint32(xw, 1);
234 const int64_t X02 = get_uint32(xw, 2);
235 const int64_t X03 = get_uint32(xw, 3);
236 const int64_t X04 = get_uint32(xw, 4);
237 const int64_t X05 = get_uint32(xw, 5);
238 const int64_t X06 = get_uint32(xw, 6);
239 const int64_t X07 = get_uint32(xw, 7);
240 const int64_t X08 = get_uint32(xw, 8);
241 const int64_t X09 = get_uint32(xw, 9);
242 const int64_t X10 = get_uint32(xw, 10);
243 const int64_t X11 = get_uint32(xw, 11);
244 const int64_t X12 = get_uint32(xw, 12);
245 const int64_t X13 = get_uint32(xw, 13);
246
247 // One full copy of P224 is added, so the result is always positive
248
249 const int64_t S0 = 0x00000001 + X00 - X07 - X11;
250 const int64_t S1 = 0x00000000 + X01 - X08 - X12;
251 const int64_t S2 = 0x00000000 + X02 - X09 - X13;
252 const int64_t S3 = 0xFFFFFFFF + X03 + X07 + X11 - X10;
253 const int64_t S4 = 0xFFFFFFFF + X04 + X08 + X12 - X11;
254 const int64_t S5 = 0xFFFFFFFF + X05 + X09 + X13 - X12;
255 const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13;
256
257 int64_t S = 0;
258 uint32_t R0 = 0, R1 = 0;
259
260 S += S0;
261 R0 = static_cast<uint32_t>(S);
262 S >>= 32;
263
264 S += S1;
265 R1 = static_cast<uint32_t>(S);
266 S >>= 32;
267
268 set_words(xw, 0, R0, R1);
269
270 S += S2;
271 R0 = static_cast<uint32_t>(S);
272 S >>= 32;
273
274 S += S3;
275 R1 = static_cast<uint32_t>(S);
276 S >>= 32;
277
278 set_words(xw, 2, R0, R1);
279
280 S += S4;
281 R0 = static_cast<uint32_t>(S);
282 S >>= 32;
283
284 S += S5;
285 R1 = static_cast<uint32_t>(S);
286 S >>= 32;
287
288 set_words(xw, 4, R0, R1);
289
290 S += S6;
291 R0 = static_cast<uint32_t>(S);
292 S >>= 32;
293
294 set_words(xw, 6, R0, 0);
295
296 static const word p224_mults[3][p224_limbs] = {
297#if(BOTAN_MP_WORD_BITS == 64)
298 {0x0000000000000001, 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
299 {0x0000000000000002, 0xFFFFFFFE00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
300 {0x0000000000000003, 0xFFFFFFFD00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
301#else
302 {0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
303 {0x00000002, 0x00000000, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
304 {0x00000003, 0x00000000, 0x00000000, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF}
305#endif
306
307 };
308
309 CT::unpoison(S);
310 BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow");
311
312 BOTAN_ASSERT_NOMSG(x.size() >= p224_limbs + 1);
313 x.mask_bits(224);
314 word borrow = bigint_sub2(x.mutable_data(), p224_limbs + 1, p224_mults[S], p224_limbs);
315 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
316 bigint_cnd_add(borrow, x.mutable_data(), p224_limbs + 1, p224_mults[0], p224_limbs);
317}

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

◆ redc_p256()

void Botan::redc_p256 ( BigInt & x,
secure_vector< word > & ws )

Reduce an input modulo P-256

Input value x must be between 0 and p**2

Definition at line 324 of file nistp_redc.cpp.

324 {
326
327 static const size_t p256_limbs = (BOTAN_MP_WORD_BITS == 32) ? 8 : 4;
328
329 BOTAN_UNUSED(ws);
330
331 x.grow_to(2 * p256_limbs);
332 word* xw = x.mutable_data();
333
334 const int64_t X00 = get_uint32(xw, 0);
335 const int64_t X01 = get_uint32(xw, 1);
336 const int64_t X02 = get_uint32(xw, 2);
337 const int64_t X03 = get_uint32(xw, 3);
338 const int64_t X04 = get_uint32(xw, 4);
339 const int64_t X05 = get_uint32(xw, 5);
340 const int64_t X06 = get_uint32(xw, 6);
341 const int64_t X07 = get_uint32(xw, 7);
342 const int64_t X08 = get_uint32(xw, 8);
343 const int64_t X09 = get_uint32(xw, 9);
344 const int64_t X10 = get_uint32(xw, 10);
345 const int64_t X11 = get_uint32(xw, 11);
346 const int64_t X12 = get_uint32(xw, 12);
347 const int64_t X13 = get_uint32(xw, 13);
348 const int64_t X14 = get_uint32(xw, 14);
349 const int64_t X15 = get_uint32(xw, 15);
350
351 // Adds 6 * P-256 to prevent underflow
352 const int64_t S0 = 0xFFFFFFFA + X00 + X08 + X09 - (X11 + X12 + X13) - X14;
353 const int64_t S1 = 0xFFFFFFFF + X01 + X09 + X10 - X12 - (X13 + X14 + X15);
354 const int64_t S2 = 0xFFFFFFFF + X02 + X10 + X11 - (X13 + X14 + X15);
355 const int64_t S3 = 0x00000005 + X03 + (X11 + X12) * 2 + X13 - X15 - X08 - X09;
356 const int64_t S4 = 0x00000000 + X04 + (X12 + X13) * 2 + X14 - X09 - X10;
357 const int64_t S5 = 0x00000000 + X05 + (X13 + X14) * 2 + X15 - X10 - X11;
358 const int64_t S6 = 0x00000006 + X06 + X13 + X14 * 3 + X15 * 2 - X08 - X09;
359 const int64_t S7 = 0xFFFFFFFA + X07 + X15 * 3 + X08 - X10 - (X11 + X12 + X13);
360
361 int64_t S = 0;
362
363 uint32_t R0 = 0, R1 = 0;
364
365 S += S0;
366 R0 = static_cast<uint32_t>(S);
367 S >>= 32;
368
369 S += S1;
370 R1 = static_cast<uint32_t>(S);
371 S >>= 32;
372
373 set_words(xw, 0, R0, R1);
374
375 S += S2;
376 R0 = static_cast<uint32_t>(S);
377 S >>= 32;
378
379 S += S3;
380 R1 = static_cast<uint32_t>(S);
381 S >>= 32;
382
383 set_words(xw, 2, R0, R1);
384
385 S += S4;
386 R0 = static_cast<uint32_t>(S);
387 S >>= 32;
388
389 S += S5;
390 R1 = static_cast<uint32_t>(S);
391 S >>= 32;
392
393 set_words(xw, 4, R0, R1);
394
395 S += S6;
396 R0 = static_cast<uint32_t>(S);
397 S >>= 32;
398
399 S += S7;
400 R1 = static_cast<uint32_t>(S);
401 S >>= 32;
402 set_words(xw, 6, R0, R1);
403
404 S += 5; // the top digits of 6*P-256
405
406 /*
407 This is a table of (i*P-256) % 2**256 for i in 1...10
408 */
409 static const word p256_mults[11][p256_limbs] = {
410#if(BOTAN_MP_WORD_BITS == 64)
411 {0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF, 0x0000000000000000, 0xFFFFFFFF00000001},
412 {0xFFFFFFFFFFFFFFFE, 0x00000001FFFFFFFF, 0x0000000000000000, 0xFFFFFFFE00000002},
413 {0xFFFFFFFFFFFFFFFD, 0x00000002FFFFFFFF, 0x0000000000000000, 0xFFFFFFFD00000003},
414 {0xFFFFFFFFFFFFFFFC, 0x00000003FFFFFFFF, 0x0000000000000000, 0xFFFFFFFC00000004},
415 {0xFFFFFFFFFFFFFFFB, 0x00000004FFFFFFFF, 0x0000000000000000, 0xFFFFFFFB00000005},
416 {0xFFFFFFFFFFFFFFFA, 0x00000005FFFFFFFF, 0x0000000000000000, 0xFFFFFFFA00000006},
417 {0xFFFFFFFFFFFFFFF9, 0x00000006FFFFFFFF, 0x0000000000000000, 0xFFFFFFF900000007},
418 {0xFFFFFFFFFFFFFFF8, 0x00000007FFFFFFFF, 0x0000000000000000, 0xFFFFFFF800000008},
419 {0xFFFFFFFFFFFFFFF7, 0x00000008FFFFFFFF, 0x0000000000000000, 0xFFFFFFF700000009},
420 {0xFFFFFFFFFFFFFFF6, 0x00000009FFFFFFFF, 0x0000000000000000, 0xFFFFFFF60000000A},
421 {0xFFFFFFFFFFFFFFF5, 0x0000000AFFFFFFFF, 0x0000000000000000, 0xFFFFFFF50000000B},
422#else
423 {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF},
424 {0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000001, 0x00000000, 0x00000000, 0x00000002, 0xFFFFFFFE},
425 {0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000002, 0x00000000, 0x00000000, 0x00000003, 0xFFFFFFFD},
426 {0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, 0x00000000, 0x00000000, 0x00000004, 0xFFFFFFFC},
427 {0xFFFFFFFB, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000004, 0x00000000, 0x00000000, 0x00000005, 0xFFFFFFFB},
428 {0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000005, 0x00000000, 0x00000000, 0x00000006, 0xFFFFFFFA},
429 {0xFFFFFFF9, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0xFFFFFFF9},
430 {0xFFFFFFF8, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000007, 0x00000000, 0x00000000, 0x00000008, 0xFFFFFFF8},
431 {0xFFFFFFF7, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000008, 0x00000000, 0x00000000, 0x00000009, 0xFFFFFFF7},
432 {0xFFFFFFF6, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000009, 0x00000000, 0x00000000, 0x0000000A, 0xFFFFFFF6},
433 {0xFFFFFFF5, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000000A, 0x00000000, 0x00000000, 0x0000000B, 0xFFFFFFF5},
434#endif
435 };
436
437 CT::unpoison(S);
438 BOTAN_ASSERT(S >= 0 && S <= 10, "Expected overflow");
439
440 BOTAN_ASSERT_NOMSG(x.size() >= p256_limbs + 1);
441 x.mask_bits(256);
442 word borrow = bigint_sub2(x.mutable_data(), p256_limbs + 1, p256_mults[S], p256_limbs);
443 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
444 bigint_cnd_add(borrow, x.mutable_data(), p256_limbs + 1, p256_mults[0], p256_limbs);
445}

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

◆ redc_p384()

void Botan::redc_p384 ( BigInt & x,
secure_vector< word > & ws )

Reduce an input modulo P-384

Input value x must be between 0 and p**2

Definition at line 453 of file nistp_redc.cpp.

453 {
455
456 BOTAN_UNUSED(ws);
457
458 static const size_t p384_limbs = (BOTAN_MP_WORD_BITS == 32) ? 12 : 6;
459
460 x.grow_to(2 * p384_limbs);
461 word* xw = x.mutable_data();
462
463 const int64_t X00 = get_uint32(xw, 0);
464 const int64_t X01 = get_uint32(xw, 1);
465 const int64_t X02 = get_uint32(xw, 2);
466 const int64_t X03 = get_uint32(xw, 3);
467 const int64_t X04 = get_uint32(xw, 4);
468 const int64_t X05 = get_uint32(xw, 5);
469 const int64_t X06 = get_uint32(xw, 6);
470 const int64_t X07 = get_uint32(xw, 7);
471 const int64_t X08 = get_uint32(xw, 8);
472 const int64_t X09 = get_uint32(xw, 9);
473 const int64_t X10 = get_uint32(xw, 10);
474 const int64_t X11 = get_uint32(xw, 11);
475 const int64_t X12 = get_uint32(xw, 12);
476 const int64_t X13 = get_uint32(xw, 13);
477 const int64_t X14 = get_uint32(xw, 14);
478 const int64_t X15 = get_uint32(xw, 15);
479 const int64_t X16 = get_uint32(xw, 16);
480 const int64_t X17 = get_uint32(xw, 17);
481 const int64_t X18 = get_uint32(xw, 18);
482 const int64_t X19 = get_uint32(xw, 19);
483 const int64_t X20 = get_uint32(xw, 20);
484 const int64_t X21 = get_uint32(xw, 21);
485 const int64_t X22 = get_uint32(xw, 22);
486 const int64_t X23 = get_uint32(xw, 23);
487
488 // One copy of P-384 is added to prevent underflow
489 const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23;
490 const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20;
491 const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21;
492 const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23;
493 const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21 * 2 + X22 - X15 - X23 * 2;
494 const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22 * 2 + X23 - X16;
495 const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23 * 2 - X17;
496 const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18;
497 const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19;
498 const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20;
499 const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21;
500 const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22;
501
502 int64_t S = 0;
503
504 uint32_t R0 = 0, R1 = 0;
505
506 S += S0;
507 R0 = static_cast<uint32_t>(S);
508 S >>= 32;
509
510 S += S1;
511 R1 = static_cast<uint32_t>(S);
512 S >>= 32;
513
514 set_words(xw, 0, R0, R1);
515
516 S += S2;
517 R0 = static_cast<uint32_t>(S);
518 S >>= 32;
519
520 S += S3;
521 R1 = static_cast<uint32_t>(S);
522 S >>= 32;
523
524 set_words(xw, 2, R0, R1);
525
526 S += S4;
527 R0 = static_cast<uint32_t>(S);
528 S >>= 32;
529
530 S += S5;
531 R1 = static_cast<uint32_t>(S);
532 S >>= 32;
533
534 set_words(xw, 4, R0, R1);
535
536 S += S6;
537 R0 = static_cast<uint32_t>(S);
538 S >>= 32;
539
540 S += S7;
541 R1 = static_cast<uint32_t>(S);
542 S >>= 32;
543
544 set_words(xw, 6, R0, R1);
545
546 S += S8;
547 R0 = static_cast<uint32_t>(S);
548 S >>= 32;
549
550 S += S9;
551 R1 = static_cast<uint32_t>(S);
552 S >>= 32;
553
554 set_words(xw, 8, R0, R1);
555
556 S += SA;
557 R0 = static_cast<uint32_t>(S);
558 S >>= 32;
559
560 S += SB;
561 R1 = static_cast<uint32_t>(S);
562 S >>= 32;
563
564 set_words(xw, 10, R0, R1);
565
566 /*
567 This is a table of (i*P-384) % 2**384 for i in 1...4
568 */
569 static const word p384_mults[5][p384_limbs] = {
570#if(BOTAN_MP_WORD_BITS == 64)
571 {0x00000000FFFFFFFF,
572 0xFFFFFFFF00000000,
573 0xFFFFFFFFFFFFFFFE,
574 0xFFFFFFFFFFFFFFFF,
575 0xFFFFFFFFFFFFFFFF,
576 0xFFFFFFFFFFFFFFFF},
577 {0x00000001FFFFFFFE,
578 0xFFFFFFFE00000000,
579 0xFFFFFFFFFFFFFFFD,
580 0xFFFFFFFFFFFFFFFF,
581 0xFFFFFFFFFFFFFFFF,
582 0xFFFFFFFFFFFFFFFF},
583 {0x00000002FFFFFFFD,
584 0xFFFFFFFD00000000,
585 0xFFFFFFFFFFFFFFFC,
586 0xFFFFFFFFFFFFFFFF,
587 0xFFFFFFFFFFFFFFFF,
588 0xFFFFFFFFFFFFFFFF},
589 {0x00000003FFFFFFFC,
590 0xFFFFFFFC00000000,
591 0xFFFFFFFFFFFFFFFB,
592 0xFFFFFFFFFFFFFFFF,
593 0xFFFFFFFFFFFFFFFF,
594 0xFFFFFFFFFFFFFFFF},
595 {0x00000004FFFFFFFB,
596 0xFFFFFFFB00000000,
597 0xFFFFFFFFFFFFFFFA,
598 0xFFFFFFFFFFFFFFFF,
599 0xFFFFFFFFFFFFFFFF,
600 0xFFFFFFFFFFFFFFFF},
601
602#else
603 {0xFFFFFFFF,
604 0x00000000,
605 0x00000000,
606 0xFFFFFFFF,
607 0xFFFFFFFE,
608 0xFFFFFFFF,
609 0xFFFFFFFF,
610 0xFFFFFFFF,
611 0xFFFFFFFF,
612 0xFFFFFFFF,
613 0xFFFFFFFF,
614 0xFFFFFFFF},
615 {0xFFFFFFFE,
616 0x00000001,
617 0x00000000,
618 0xFFFFFFFE,
619 0xFFFFFFFD,
620 0xFFFFFFFF,
621 0xFFFFFFFF,
622 0xFFFFFFFF,
623 0xFFFFFFFF,
624 0xFFFFFFFF,
625 0xFFFFFFFF,
626 0xFFFFFFFF},
627 {0xFFFFFFFD,
628 0x00000002,
629 0x00000000,
630 0xFFFFFFFD,
631 0xFFFFFFFC,
632 0xFFFFFFFF,
633 0xFFFFFFFF,
634 0xFFFFFFFF,
635 0xFFFFFFFF,
636 0xFFFFFFFF,
637 0xFFFFFFFF,
638 0xFFFFFFFF},
639 {0xFFFFFFFC,
640 0x00000003,
641 0x00000000,
642 0xFFFFFFFC,
643 0xFFFFFFFB,
644 0xFFFFFFFF,
645 0xFFFFFFFF,
646 0xFFFFFFFF,
647 0xFFFFFFFF,
648 0xFFFFFFFF,
649 0xFFFFFFFF,
650 0xFFFFFFFF},
651 {0xFFFFFFFB,
652 0x00000004,
653 0x00000000,
654 0xFFFFFFFB,
655 0xFFFFFFFA,
656 0xFFFFFFFF,
657 0xFFFFFFFF,
658 0xFFFFFFFF,
659 0xFFFFFFFF,
660 0xFFFFFFFF,
661 0xFFFFFFFF,
662 0xFFFFFFFF},
663#endif
664 };
665
666 CT::unpoison(S);
667 BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow");
668
669 BOTAN_ASSERT_NOMSG(x.size() >= p384_limbs + 1);
670 x.mask_bits(384);
671 word borrow = bigint_sub2(x.mutable_data(), p384_limbs + 1, p384_mults[S], p384_limbs);
672 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
673 bigint_cnd_add(borrow, x.mutable_data(), p384_limbs + 1, p384_mults[0], p384_limbs);
674}

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

◆ redc_p521()

void Botan::redc_p521 ( BigInt & x,
secure_vector< word > & ws )

Reduce an input modulo P-521

Input value x must be between 0 and p**2

Definition at line 23 of file nistp_redc.cpp.

23 {
25
26 const size_t p_full_words = 521 / BOTAN_MP_WORD_BITS;
27 const size_t p_top_bits = 521 % BOTAN_MP_WORD_BITS;
28 const size_t p_words = p_full_words + 1;
29
30#if(BOTAN_MP_WORD_BITS == 64)
31 static const word p521_words[p_words] = {0xFFFFFFFFFFFFFFFF,
32 0xFFFFFFFFFFFFFFFF,
33 0xFFFFFFFFFFFFFFFF,
34 0xFFFFFFFFFFFFFFFF,
35 0xFFFFFFFFFFFFFFFF,
36 0xFFFFFFFFFFFFFFFF,
37 0xFFFFFFFFFFFFFFFF,
38 0xFFFFFFFFFFFFFFFF,
39 0x1FF};
40#else
41 static const word p521_words[p_words] = {0xFFFFFFFF,
42 0xFFFFFFFF,
43 0xFFFFFFFF,
44 0xFFFFFFFF,
45 0xFFFFFFFF,
46 0xFFFFFFFF,
47 0xFFFFFFFF,
48 0xFFFFFFFF,
49 0xFFFFFFFF,
50 0xFFFFFFFF,
51 0xFFFFFFFF,
52 0xFFFFFFFF,
53 0xFFFFFFFF,
54 0xFFFFFFFF,
55 0xFFFFFFFF,
56 0xFFFFFFFF,
57 0x1FF};
58#endif
59
60 if(ws.size() < p_words + 1) {
61 ws.resize(p_words + 1);
62 }
63
64 clear_mem(ws.data(), ws.size());
65 bigint_shr2(ws.data(), x.data(), std::min(x.size(), 2 * p_words), p_full_words, p_top_bits);
66
67 x.mask_bits(521);
68 x.grow_to(p_words);
69
70 // Word-level carry will be zero
71 word carry = bigint_add3_nc(x.mutable_data(), x.data(), p_words, ws.data(), p_words);
72 BOTAN_ASSERT_EQUAL(carry, 0, "Final carry in P-521 reduction");
73
74 const word top_word = x.word_at(p_full_words);
75
76 /*
77 * Check if we need to reduce modulo P
78 * There are two possible cases:
79 * - The result overflowed past 521 bits, in which case bit 522 will be set
80 * - The result is exactly 2**521 - 1
81 */
82 const auto bit_522_set = CT::Mask<word>::expand(top_word >> p_top_bits);
83
84 word and_512 = MP_WORD_MAX;
85 for(size_t i = 0; i != p_full_words; ++i) {
86 and_512 &= x.word_at(i);
87 }
88 const auto all_512_low_bits_set = CT::Mask<word>::is_equal(and_512, MP_WORD_MAX);
89 const auto has_p521_top_word = CT::Mask<word>::is_equal(top_word, 0x1FF);
90 const auto is_p521 = all_512_low_bits_set & has_p521_top_word;
91
92 const auto needs_reduction = is_p521 | bit_522_set;
93
94 bigint_cnd_sub(needs_reduction.value(), x.mutable_data(), p521_words, p_words);
95}

References bigint_add3_nc(), bigint_cnd_sub(), bigint_shr2(), BOTAN_ASSERT_EQUAL, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, carry(), clear_mem(), Botan::BigInt::data(), Botan::CT::Mask< T >::expand(), Botan::BigInt::grow_to(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), MP_WORD_MAX, Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::BigInt::word_at().

◆ reduce()

template<typename RetT , typename KeyT , typename ReducerT >
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
RetT Botan::reduce ( const std::vector< KeyT > & keys,
RetT acc,
ReducerT reducer )

Reduce the values of keys into an accumulator initialized with acc using the reducer function reducer.

The reducer is a function taking the accumulator and a single key to return the new accumulator. Keys are consecutively reduced into the accumulator.

Returns
the accumulator containing the reduction of keys

Definition at line 47 of file stl_util.h.

49{
50 for(const KeyT& key : keys) {
51 acc = reducer(std::move(acc), key);
52 }
53 return acc;
54}

Referenced by Botan::TLS::Hybrid_KEM_PublicKey::check_key(), Botan::TLS::Hybrid_KEM_PrivateKey::check_key(), Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), Botan::Modular_Reducer::multiply(), Botan::TLS::Hybrid_KEM_PublicKey::public_value(), and Botan::Modular_Reducer::square().

◆ reverse_bytes() [1/3]

constexpr uint16_t Botan::reverse_bytes ( uint16_t x)
inlineconstexpr

Swap a 16 bit integer

Definition at line 19 of file bswap.h.

19 {
20#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16)
21 return __builtin_bswap16(x);
22#else
23 return static_cast<uint16_t>((x << 8) | (x >> 8));
24#endif
25}

Referenced by load_be(), load_be(), load_le(), load_le(), reverse_bytes(), store_be(), and store_le().

◆ reverse_bytes() [2/3]

constexpr uint32_t Botan::reverse_bytes ( uint32_t x)
inlineconstexpr

Swap a 32 bit integer

We cannot use MSVC's _byteswap_ulong because it does not consider the builtin to be constexpr.

Definition at line 33 of file bswap.h.

33 {
34#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32)
35 return __builtin_bswap32(x);
36#else
37 // MSVC at least recognizes this as a bswap
38 return ((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) | ((x & 0xFF000000) >> 24);
39#endif
40}

◆ reverse_bytes() [3/3]

constexpr uint64_t Botan::reverse_bytes ( uint64_t x)
inlineconstexpr

Swap a 64 bit integer

We cannot use MSVC's _byteswap_uint64 because it does not consider the builtin to be constexpr.

Definition at line 48 of file bswap.h.

48 {
49#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64)
50 return __builtin_bswap64(x);
51#else
52 uint32_t hi = static_cast<uint32_t>(x >> 32);
53 uint32_t lo = static_cast<uint32_t>(x);
54
55 hi = reverse_bytes(hi);
56 lo = reverse_bytes(lo);
57
58 return (static_cast<uint64_t>(lo) << 32) | hi;
59#endif
60}

References reverse_bytes().

◆ rfc3394_keyunwrap()

secure_vector< uint8_t > Botan::rfc3394_keyunwrap ( const secure_vector< uint8_t > & key,
const SymmetricKey & kek )

Decrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe encrypted key to decrypt
kekthe key encryption key
Returns
key decrypted under kek

Definition at line 26 of file rfc3394.cpp.

26 {
27 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
28
29 BOTAN_ARG_CHECK(key.size() >= 16 && key.size() % 8 == 0, "Bad input key size for NIST key unwrap");
30
31 const std::string cipher_name = "AES-" + std::to_string(8 * kek.size());
32 auto aes = BlockCipher::create_or_throw(cipher_name);
33 aes->set_key(kek);
34
35 return nist_key_unwrap(key.data(), key.size(), *aes);
36}
size_t size() const
Definition symkey.h:29
secure_vector< uint8_t > nist_key_unwrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_unwrap(), and Botan::OctetString::size().

◆ rfc3394_keywrap()

secure_vector< uint8_t > Botan::rfc3394_keywrap ( const secure_vector< uint8_t > & key,
const SymmetricKey & kek )

Encrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe plaintext key to encrypt
kekthe key encryption key
Returns
key encrypted under kek

Definition at line 15 of file rfc3394.cpp.

15 {
16 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
17
18 const std::string cipher_name = "AES-" + std::to_string(8 * kek.size());
19 auto aes = BlockCipher::create_or_throw(cipher_name);
20 aes->set_key(kek);
21
22 std::vector<uint8_t> wrapped = nist_key_wrap(key.data(), key.size(), *aes);
23 return secure_vector<uint8_t>(wrapped.begin(), wrapped.end());
24}
std::vector< uint8_t > nist_key_wrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_wrap(), and Botan::OctetString::size().

◆ RFC4880_decode_count()

size_t Botan::RFC4880_decode_count ( uint8_t encoded_iter)

Decode the iteration count from RFC 4880 encoding

Definition at line 61 of file rfc4880.cpp.

61 {
62 return OPENPGP_S2K_ITERS[iter];
63}

Referenced by Botan::OpenPGP_S2K::decode_count(), and RFC4880_round_iterations().

◆ RFC4880_encode_count()

uint8_t Botan::RFC4880_encode_count ( size_t iterations)

RFC 4880 encodes the iteration count to a single-byte value

Definition at line 47 of file rfc4880.cpp.

47 {
48 if(desired_iterations <= OPENPGP_S2K_ITERS[0]) {
49 return 0;
50 }
51
52 if(desired_iterations >= OPENPGP_S2K_ITERS[255]) {
53 return 255;
54 }
55
56 const uint32_t* i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);
57
58 return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
59}

Referenced by Botan::OpenPGP_S2K::encode_count(), and RFC4880_round_iterations().

◆ RFC4880_round_iterations()

size_t Botan::RFC4880_round_iterations ( size_t iterations)
inline

Round an arbitrary iteration count to next largest iteration count supported by RFC4880 encoding.

Definition at line 32 of file rfc4880.h.

32 {
34}
uint8_t RFC4880_encode_count(size_t desired_iterations)
Definition rfc4880.cpp:47
size_t RFC4880_decode_count(uint8_t iter)
Definition rfc4880.cpp:61

References RFC4880_decode_count(), and RFC4880_encode_count().

Referenced by Botan::RFC4880_S2K_Family::tune().

◆ rho()

template<size_t R1, size_t R2, size_t R3, typename T >
constexpr T Botan::rho ( T x)
inlineconstexpr

SHA-2 Sigma style function

Definition at line 51 of file rotate.h.

51 {
52 return rotr<R1>(x) ^ rotr<R2>(x) ^ rotr<R3>(x);
53}

Referenced by Botan::Dilithium_PrivateKey::Dilithium_PrivateKey(), and Botan::Dilithium::PolynomialMatrix::generate_matrix().

◆ rotl() [1/4]

template<size_t R>
SIMD_16x32 Botan::rotl ( SIMD_16x32 input)
inline

Definition at line 310 of file simd_avx512.h.

310 {
311 return input.rotl<R>();
312}

◆ rotl() [2/4]

template<size_t R>
SIMD_4x32 Botan::rotl ( SIMD_4x32 input)
inline

Definition at line 604 of file simd_32.h.

604 {
605 return input.rotl<R>();
606}
SIMD_4x32 rotl() const noexcept
Definition simd_32.h:279

References Botan::SIMD_4x32::rotl().

◆ rotl() [3/4]

template<size_t R>
SIMD_8x32 Botan::rotl ( SIMD_8x32 input)
inline

Definition at line 266 of file simd_avx2.h.

266 {
267 return input.rotl<R>();
268}

◆ rotl() [4/4]

template<size_t ROT, typename T >
requires (ROT > 0 && ROT < 8 * sizeof(T))
constexpr T Botan::rotl ( T input)
inlineconstexpr

Bit rotation left by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated left by ROT bits

Definition at line 21 of file rotate.h.

23{
24 return static_cast<T>((input << ROT) | (input >> (8 * sizeof(T) - ROT)));
25}

References T.

Referenced by Botan::SIMD_8x32::BOTAN_FUNC_ISA(), and Botan::SIMD_16x32::BOTAN_FUNC_ISA().

◆ rotl_var()

template<typename T >
constexpr T Botan::rotl_var ( T input,
size_t rot )
inlineconstexpr

Bit rotation left, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated left by rot bits

Definition at line 62 of file rotate.h.

62 {
63 return rot ? static_cast<T>((input << rot) | (input >> (sizeof(T) * 8 - rot))) : input;
64}

References T.

◆ rotr() [1/4]

template<size_t R>
SIMD_16x32 Botan::rotr ( SIMD_16x32 input)
inline

Definition at line 315 of file simd_avx512.h.

315 {
316 return input.rotr<R>();
317}

◆ rotr() [2/4]

template<size_t R>
SIMD_4x32 Botan::rotr ( SIMD_4x32 input)
inline

Definition at line 609 of file simd_32.h.

609 {
610 return input.rotr<R>();
611}
SIMD_4x32 rotr() const noexcept
Definition simd_32.h:314

References Botan::SIMD_4x32::rotr().

◆ rotr() [3/4]

template<size_t R>
SIMD_8x32 Botan::rotr ( SIMD_8x32 input)
inline

Definition at line 271 of file simd_avx2.h.

271 {
272 return input.rotr<R>();
273}

◆ rotr() [4/4]

template<size_t ROT, typename T >
requires (ROT > 0 && ROT < 8 * sizeof(T))
constexpr T Botan::rotr ( T input)
inlineconstexpr

Bit rotation right by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated right by ROT bits

Definition at line 33 of file rotate.h.

35{
36 return static_cast<T>((input >> ROT) | (input << (8 * sizeof(T) - ROT)));
37}

References T.

◆ rotr_var()

template<typename T >
constexpr T Botan::rotr_var ( T input,
size_t rot )
inlineconstexpr

Bit rotation right, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated right by rot bits

Definition at line 73 of file rotate.h.

73 {
74 return rot ? static_cast<T>((input >> rot) | (input << (sizeof(T) * 8 - rot))) : input;
75}

References T.

◆ round_down()

template<typename T >
constexpr T Botan::round_down ( T n,
T align_to )
inlineconstexpr

Round down

Parameters
nan integer
align_tothe alignment boundary
Returns
n rounded down to a multiple of align_to

Definition at line 37 of file rounding.h.

37 {
38 return (align_to == 0) ? n : (n - (n % align_to));
39}

Referenced by Botan::Buffered_Filter::write().

◆ round_up()

size_t Botan::round_up ( size_t n,
size_t align_to )
inline

Round up

Parameters
na non-negative integer
align_tothe alignment boundary
Returns
n rounded up to a multiple of align_to

Definition at line 21 of file rounding.h.

21 {
22 BOTAN_ARG_CHECK(align_to != 0, "align_to must not be 0");
23
24 if(n % align_to) {
25 n += align_to - (n % align_to);
26 }
27 return n;
28}

References BOTAN_ARG_CHECK.

Referenced by Botan::BigInt::binary_decode(), Botan::BigInt::bytes(), Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), monty_multi_exp(), Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), Botan::EC_Point_Multi_Point_Precompute::multi_exp(), Botan::CBC_Encryption::output_length(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), Botan::BigInt::randomize(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().

◆ runtime_version_check()

std::string Botan::runtime_version_check ( uint32_t major,
uint32_t minor,
uint32_t patch )

Usable for checking that the DLL version loaded at runtime exactly matches the compile-time version. Call using BOTAN_VERSION_* macro values. Returns the empty string if an exact match, otherwise an appropriate message. Added with 1.11.26.

Definition at line 94 of file version.cpp.

94 {
95 if(major != version_major() || minor != version_minor() || patch != version_patch()) {
96 return fmt("Warning: linked version ({}) does not match version built against ({}.{}.{})\n",
98 major,
99 minor,
100 patch);
101 }
102
103 return "";
104}
uint32_t version_minor()
Definition version.cpp:86
const char * short_version_cstr()
Definition version.cpp:25
uint32_t version_major()
Definition version.cpp:82
uint32_t version_patch()
Definition version.cpp:90

References fmt(), short_version_cstr(), version_major(), version_minor(), and version_patch().

◆ same_mem()

template<typename T >
bool Botan::same_mem ( const T * p1,
const T * p2,
size_t n )
inline

Memory comparison, input insensitive

Parameters
p1a pointer to an array
p2a pointer to another array
nthe number of Ts in p1 and p2
Returns
true iff p1[i] == p2[i] forall i in [0...n)

Definition at line 298 of file mem_ops.h.

298 {
299 volatile T difference = 0;
300
301 for(size_t i = 0; i != n; ++i) {
302 difference = difference | (p1[i] ^ p2[i]);
303 }
304
305 return difference == 0;
306}

References T.

◆ SBoxD0()

BOTAN_FORCE_INLINE void Botan::SBoxD0 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 139 of file serpent_avx512.cpp.

139 {
140 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x67>(c, d, b);
141 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x49>(b, d, c);
142 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
143 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xa9>(a, b, c);
144 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x3c>(t2, d, t0);
145 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x4d>(a, b, d);
146 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x69>(t3, c, o0);
147 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x56>(o3, o0, t2);
148 a = o0;
149 b = o1;
150 c = o2;
151 d = o3;
152}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD1()

BOTAN_FORCE_INLINE void Botan::SBoxD1 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 154 of file serpent_avx512.cpp.

154 {
155 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x73>(d, b, c);
156 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x68>(c, d, b);
157 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xc5>(a, b, d);
158 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x2d>(a, b, d);
159 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
160 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x96>(t2, c, o0);
161 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0xd2>(t3, o0, o1);
162 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x99>(o0, t3, c);
163 a = o0;
164 b = o1;
165 c = o2;
166 d = o3;
167}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD2()

BOTAN_FORCE_INLINE void Botan::SBoxD2 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 169 of file serpent_avx512.cpp.

169 {
170 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xc6>(d, b, c);
171 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x9c>(d, c, b);
172 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xe1>(a, b, c);
173 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0x87>(t2, d, t0);
174 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
175 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0xd1>(t0, a, t1);
176 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x9b>(a, c, o2);
177 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x5b>(t3, b, d);
178 a = o0;
179 b = o1;
180 c = o2;
181 d = o3;
182}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD3()

BOTAN_FORCE_INLINE void Botan::SBoxD3 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 184 of file serpent_avx512.cpp.

184 {
185 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x94>(c, d, b);
186 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x99>(b, d, t0);
187 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
188 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x97>(a, b, d);
189 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x4b>(t2, c, o0);
190 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x94>(c, d, t2);
191 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x0e>(t3, b, t0);
192 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x1c>(a, b, t0);
193 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0xb4>(t4, c, d);
194 a = o0;
195 b = o1;
196 c = o2;
197 d = o3;
198}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD4()

BOTAN_FORCE_INLINE void Botan::SBoxD4 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 200 of file serpent_avx512.cpp.

200 {
201 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xa9>(d, c, b);
202 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0xa6>(d, b, c);
203 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xb5>(a, b, d);
204 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x5e>(a, b, d);
205 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x50>(a, b, t0);
206 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
207 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x96>(t4, c, d);
208 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x4b>(t3, c, t4);
209 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x5a>(t2, c, t0);
210 a = o0;
211 b = o1;
212 c = o2;
213 d = o3;
214}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD5()

BOTAN_FORCE_INLINE void Botan::SBoxD5 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 216 of file serpent_avx512.cpp.

216 {
217 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xc9>(a, b, c);
218 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x65>(a, b, c);
219 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x25>(a, b, d);
220 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x63>(c, d, t0);
221 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x86>(a, b, t3);
222 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0x87>(t2, c, t0);
223 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xc3>(t4, c, d);
224 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x47>(t1, d, t0);
225 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0xac>(a, t0, t3);
226 a = o0;
227 b = o1;
228 c = o2;
229 d = o3;
230}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD6()

BOTAN_FORCE_INLINE void Botan::SBoxD6 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 232 of file serpent_avx512.cpp.

232 {
233 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x07>(d, b, c);
234 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x9e>(c, d, b);
235 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xc6>(a, b, c);
236 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x34>(a, b, d);
237 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x2b>(a, c, d);
238 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
239 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xcb>(t2, d, t0);
240 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x4b>(t3, c, t0);
241 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x69>(t4, b, o0);
242 a = o0;
243 b = o1;
244 c = o2;
245 d = o3;
246}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxD7()

BOTAN_FORCE_INLINE void Botan::SBoxD7 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 248 of file serpent_avx512.cpp.

248 {
249 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x67>(b, d, c);
250 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x3e>(a, c, d);
251 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x1c>(a, b, d);
252 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x87>(t0, d, b);
253 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x7d>(a, b, t1);
254 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t3);
255 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x96>(t1, b, t0);
256 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0xd2>(t2, c, t1);
257 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x6d>(t4, c, d);
258 a = o0;
259 b = o1;
260 c = o2;
261 d = o3;
262}

Referenced by Botan::Serpent::decrypt_n().

◆ SBoxE0()

BOTAN_FORCE_INLINE void Botan::SBoxE0 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 13 of file serpent_avx512.cpp.

13 {
14 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xb9>(b, d, c);
15 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0xe2>(a, b, d);
16 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x36>(a, b, d);
17 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x26>(t0, d, b);
18 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t3);
19 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x96>(t1, c, o0);
20 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0xa9>(o0, o1, t2);
21 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x3c>(t2, c, t0);
22 a = o0;
23 b = o1;
24 c = o2;
25 d = o3;
26}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE1()

BOTAN_FORCE_INLINE void Botan::SBoxE1 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 28 of file serpent_avx512.cpp.

28 {
29 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xe5>(d, b, c);
30 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x26>(c, d, b);
31 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xa6>(a, b, c);
32 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x2b>(a, b, d);
33 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
34 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x83>(t2, d, t0);
35 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x69>(t3, c, o1);
36 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0x65>(o3, o1, t2);
37 a = o0;
38 b = o1;
39 c = o2;
40 d = o3;
41}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE2()

BOTAN_FORCE_INLINE void Botan::SBoxE2 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 43 of file serpent_avx512.cpp.

43 {
44 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x96>(c, b, d);
45 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0xda>(a, b, c);
46 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x66>(d, t0, c);
47 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x94>(a, b, t0);
48 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0xa1>(a, d, t0);
49 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t2);
50 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xd2>(t3, d, o0);
51 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x2d>(t4, b, c);
52 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x2d>(t1, d, t2);
53 a = o0;
54 b = o1;
55 c = o2;
56 d = o3;
57}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE3()

BOTAN_FORCE_INLINE void Botan::SBoxE3 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 59 of file serpent_avx512.cpp.

59 {
60 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x92>(d, c, b);
61 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x3b>(d, b, c);
62 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xbc>(a, c, t0);
63 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x68>(t2, d, t1);
64 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x6e>(a, c, o2);
65 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0xb9>(a, d, t3);
66 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
67 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x6d>(t4, b, t2);
68 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x38>(t3, b, t0);
69 a = o0;
70 b = o1;
71 c = o2;
72 d = o3;
73}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE4()

BOTAN_FORCE_INLINE void Botan::SBoxE4 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 75 of file serpent_avx512.cpp.

75 {
76 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xc2>(c, b, d);
77 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x79>(b, c, d);
78 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x71>(a, b, d);
79 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x6b>(a, b, d);
80 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0xc2>(a, t0, t3);
81 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
82 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0x3c>(t2, c, t0);
83 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x49>(t3, c, t0);
84 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0xd6>(t4, b, t1);
85 a = o0;
86 b = o1;
87 c = o2;
88 d = o3;
89}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE5()

BOTAN_FORCE_INLINE void Botan::SBoxE5 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 91 of file serpent_avx512.cpp.

91 {
92 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0xa9>(b, d, c);
93 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x93>(b, c, d);
94 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xc3>(a, b, c);
95 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x27>(a, b, d);
96 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x85>(a, c, t1);
97 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
98 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x2d>(t2, d, o0);
99 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x7a>(t4, b, t0);
100 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x87>(t3, t0, o0);
101 a = o0;
102 b = o1;
103 c = o2;
104 d = o3;
105}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE6()

BOTAN_FORCE_INLINE void Botan::SBoxE6 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 107 of file serpent_avx512.cpp.

107 {
108 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x61>(d, c, b);
109 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x9c>(b, d, t0);
110 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0x93>(a, b, d);
111 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0xb5>(a, b, c);
112 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
113 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0x3c>(t2, c, t0);
114 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x7c>(a, b, o1);
115 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0x1e>(t4, d, t0);
116 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x29>(t3, t0, t1);
117 a = o0;
118 b = o1;
119 c = o2;
120 d = o3;
121}

Referenced by Botan::Serpent::encrypt_n().

◆ SBoxE7()

BOTAN_FORCE_INLINE void Botan::SBoxE7 ( SIMD_16x32 & a,
SIMD_16x32 & b,
SIMD_16x32 & c,
SIMD_16x32 & d )

Definition at line 123 of file serpent_avx512.cpp.

123 {
124 const SIMD_16x32 t0 = SIMD_16x32::ternary_fn<0x9b>(b, c, d);
125 const SIMD_16x32 t1 = SIMD_16x32::ternary_fn<0x61>(c, b, d);
126 const SIMD_16x32 t2 = SIMD_16x32::ternary_fn<0xe3>(a, d, t1);
127 const SIMD_16x32 t3 = SIMD_16x32::ternary_fn<0x83>(b, c, d);
128 const SIMD_16x32 t4 = SIMD_16x32::ternary_fn<0x49>(a, b, c);
129 const SIMD_16x32 o0 = SIMD_16x32::ternary_fn<0xac>(a, t0, t1);
130 const SIMD_16x32 o1 = SIMD_16x32::ternary_fn<0xe1>(t2, b, c);
131 const SIMD_16x32 o2 = SIMD_16x32::ternary_fn<0xd1>(t3, a, t1);
132 const SIMD_16x32 o3 = SIMD_16x32::ternary_fn<0x87>(t4, d, t2);
133 a = o0;
134 b = o1;
135 c = o2;
136 d = o3;
137}

Referenced by Botan::Serpent::encrypt_n().

◆ sc_muladd()

void Botan::sc_muladd ( uint8_t * s,
const uint8_t * a,
const uint8_t * b,
const uint8_t * c )

Definition at line 26 of file sc_muladd.cpp.

26 {
27 const int32_t MASK = 0x1fffff;
28
29 const int64_t a0 = MASK & load_3(a);
30 const int64_t a1 = MASK & (load_4(a + 2) >> 5);
31 const int64_t a2 = MASK & (load_3(a + 5) >> 2);
32 const int64_t a3 = MASK & (load_4(a + 7) >> 7);
33 const int64_t a4 = MASK & (load_4(a + 10) >> 4);
34 const int64_t a5 = MASK & (load_3(a + 13) >> 1);
35 const int64_t a6 = MASK & (load_4(a + 15) >> 6);
36 const int64_t a7 = MASK & (load_3(a + 18) >> 3);
37 const int64_t a8 = MASK & load_3(a + 21);
38 const int64_t a9 = MASK & (load_4(a + 23) >> 5);
39 const int64_t a10 = MASK & (load_3(a + 26) >> 2);
40 const int64_t a11 = (load_4(a + 28) >> 7);
41 const int64_t b0 = MASK & load_3(b);
42 const int64_t b1 = MASK & (load_4(b + 2) >> 5);
43 const int64_t b2 = MASK & (load_3(b + 5) >> 2);
44 const int64_t b3 = MASK & (load_4(b + 7) >> 7);
45 const int64_t b4 = MASK & (load_4(b + 10) >> 4);
46 const int64_t b5 = MASK & (load_3(b + 13) >> 1);
47 const int64_t b6 = MASK & (load_4(b + 15) >> 6);
48 const int64_t b7 = MASK & (load_3(b + 18) >> 3);
49 const int64_t b8 = MASK & load_3(b + 21);
50 const int64_t b9 = MASK & (load_4(b + 23) >> 5);
51 const int64_t b10 = MASK & (load_3(b + 26) >> 2);
52 const int64_t b11 = (load_4(b + 28) >> 7);
53 const int64_t c0 = MASK & load_3(c);
54 const int64_t c1 = MASK & (load_4(c + 2) >> 5);
55 const int64_t c2 = MASK & (load_3(c + 5) >> 2);
56 const int64_t c3 = MASK & (load_4(c + 7) >> 7);
57 const int64_t c4 = MASK & (load_4(c + 10) >> 4);
58 const int64_t c5 = MASK & (load_3(c + 13) >> 1);
59 const int64_t c6 = MASK & (load_4(c + 15) >> 6);
60 const int64_t c7 = MASK & (load_3(c + 18) >> 3);
61 const int64_t c8 = MASK & load_3(c + 21);
62 const int64_t c9 = MASK & (load_4(c + 23) >> 5);
63 const int64_t c10 = MASK & (load_3(c + 26) >> 2);
64 const int64_t c11 = (load_4(c + 28) >> 7);
65
66 int64_t s0 = c0 + a0 * b0;
67 int64_t s1 = c1 + a0 * b1 + a1 * b0;
68 int64_t s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
69 int64_t s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
70 int64_t s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
71 int64_t s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
72 int64_t s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
73 int64_t s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
74 int64_t s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
75 int64_t s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
76 int64_t s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 +
77 a9 * b1 + a10 * b0;
78 int64_t s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 +
79 a9 * b2 + a10 * b1 + a11 * b0;
80 int64_t s12 =
81 a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
82 int64_t s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
83 int64_t s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
84 int64_t s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
85 int64_t s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
86 int64_t s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
87 int64_t s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
88 int64_t s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
89 int64_t s20 = a9 * b11 + a10 * b10 + a11 * b9;
90 int64_t s21 = a10 * b11 + a11 * b10;
91 int64_t s22 = a11 * b11;
92 int64_t s23 = 0;
93
94 carry<21>(s0, s1);
95 carry<21>(s2, s3);
96 carry<21>(s4, s5);
97 carry<21>(s6, s7);
98 carry<21>(s8, s9);
99 carry<21>(s10, s11);
100 carry<21>(s12, s13);
101 carry<21>(s14, s15);
102 carry<21>(s16, s17);
103 carry<21>(s18, s19);
104 carry<21>(s20, s21);
105 carry<21>(s22, s23);
106
107 carry<21>(s1, s2);
108 carry<21>(s3, s4);
109 carry<21>(s5, s6);
110 carry<21>(s7, s8);
111 carry<21>(s9, s10);
112 carry<21>(s11, s12);
113 carry<21>(s13, s14);
114 carry<21>(s15, s16);
115 carry<21>(s17, s18);
116 carry<21>(s19, s20);
117 carry<21>(s21, s22);
118
119 redc_mul(s11, s12, s13, s14, s15, s16, s23);
120 redc_mul(s10, s11, s12, s13, s14, s15, s22);
121 redc_mul(s9, s10, s11, s12, s13, s14, s21);
122 redc_mul(s8, s9, s10, s11, s12, s13, s20);
123 redc_mul(s7, s8, s9, s10, s11, s12, s19);
124 redc_mul(s6, s7, s8, s9, s10, s11, s18);
125
126 carry<21>(s6, s7);
127 carry<21>(s8, s9);
128 carry<21>(s10, s11);
129 carry<21>(s12, s13);
130 carry<21>(s14, s15);
131 carry<21>(s16, s17);
132
133 carry<21>(s7, s8);
134 carry<21>(s9, s10);
135 carry<21>(s11, s12);
136 carry<21>(s13, s14);
137 carry<21>(s15, s16);
138
139 redc_mul(s5, s6, s7, s8, s9, s10, s17);
140 redc_mul(s4, s5, s6, s7, s8, s9, s16);
141 redc_mul(s3, s4, s5, s6, s7, s8, s15);
142 redc_mul(s2, s3, s4, s5, s6, s7, s14);
143 redc_mul(s1, s2, s3, s4, s5, s6, s13);
144 redc_mul(s0, s1, s2, s3, s4, s5, s12);
145
146 carry<21>(s0, s1);
147 carry<21>(s2, s3);
148 carry<21>(s4, s5);
149 carry<21>(s6, s7);
150 carry<21>(s8, s9);
151 carry<21>(s10, s11);
152
153 carry<21>(s1, s2);
154 carry<21>(s3, s4);
155 carry<21>(s5, s6);
156 carry<21>(s7, s8);
157 carry<21>(s9, s10);
158 carry<21>(s11, s12);
159
160 redc_mul(s0, s1, s2, s3, s4, s5, s12);
161
162 carry0<21>(s0, s1);
163 carry0<21>(s1, s2);
164 carry0<21>(s2, s3);
165 carry0<21>(s3, s4);
166 carry0<21>(s4, s5);
167 carry0<21>(s5, s6);
168 carry0<21>(s6, s7);
169 carry0<21>(s7, s8);
170 carry0<21>(s8, s9);
171 carry0<21>(s9, s10);
172 carry0<21>(s10, s11);
173 carry0<21>(s11, s12);
174
175 redc_mul(s0, s1, s2, s3, s4, s5, s12);
176
177 carry0<21>(s0, s1);
178 carry0<21>(s1, s2);
179 carry0<21>(s2, s3);
180 carry0<21>(s3, s4);
181 carry0<21>(s4, s5);
182 carry0<21>(s5, s6);
183 carry0<21>(s6, s7);
184 carry0<21>(s7, s8);
185 carry0<21>(s8, s9);
186 carry0<21>(s9, s10);
187 carry0<21>(s10, s11);
188
189 s[0] = static_cast<uint8_t>(s0 >> 0);
190 s[1] = static_cast<uint8_t>(s0 >> 8);
191 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
192 s[3] = static_cast<uint8_t>(s1 >> 3);
193 s[4] = static_cast<uint8_t>(s1 >> 11);
194 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
195 s[6] = static_cast<uint8_t>(s2 >> 6);
196 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
197 s[8] = static_cast<uint8_t>(s3 >> 1);
198 s[9] = static_cast<uint8_t>(s3 >> 9);
199 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
200 s[11] = static_cast<uint8_t>(s4 >> 4);
201 s[12] = static_cast<uint8_t>(s4 >> 12);
202 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
203 s[14] = static_cast<uint8_t>(s5 >> 7);
204 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
205 s[16] = static_cast<uint8_t>(s6 >> 2);
206 s[17] = static_cast<uint8_t>(s6 >> 10);
207 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
208 s[19] = static_cast<uint8_t>(s7 >> 5);
209 s[20] = static_cast<uint8_t>(s7 >> 13);
210 s[21] = static_cast<uint8_t>(s8 >> 0);
211 s[22] = static_cast<uint8_t>(s8 >> 8);
212 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
213 s[24] = static_cast<uint8_t>(s9 >> 3);
214 s[25] = static_cast<uint8_t>(s9 >> 11);
215 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
216 s[27] = static_cast<uint8_t>(s10 >> 6);
217 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
218 s[29] = static_cast<uint8_t>(s11 >> 1);
219 s[30] = static_cast<uint8_t>(s11 >> 9);
220 s[31] = static_cast<uint8_t>(s11 >> 17);
221}
void redc_mul(int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
uint64_t load_4(const uint8_t *in)
uint64_t load_3(const uint8_t in[3])

References load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign().

◆ sc_reduce()

void Botan::sc_reduce ( uint8_t * s)

Definition at line 25 of file sc_reduce.cpp.

25 {
26 const uint32_t MASK = 0x1fffff;
27
28 int64_t s0 = MASK & load_3(s);
29 int64_t s1 = MASK & (load_4(s + 2) >> 5);
30 int64_t s2 = MASK & (load_3(s + 5) >> 2);
31 int64_t s3 = MASK & (load_4(s + 7) >> 7);
32 int64_t s4 = MASK & (load_4(s + 10) >> 4);
33 int64_t s5 = MASK & (load_3(s + 13) >> 1);
34 int64_t s6 = MASK & (load_4(s + 15) >> 6);
35 int64_t s7 = MASK & (load_3(s + 18) >> 3);
36 int64_t s8 = MASK & load_3(s + 21);
37 int64_t s9 = MASK & (load_4(s + 23) >> 5);
38 int64_t s10 = MASK & (load_3(s + 26) >> 2);
39 int64_t s11 = MASK & (load_4(s + 28) >> 7);
40 int64_t s12 = MASK & (load_4(s + 31) >> 4);
41 int64_t s13 = MASK & (load_3(s + 34) >> 1);
42 int64_t s14 = MASK & (load_4(s + 36) >> 6);
43 int64_t s15 = MASK & (load_3(s + 39) >> 3);
44 int64_t s16 = MASK & load_3(s + 42);
45 int64_t s17 = MASK & (load_4(s + 44) >> 5);
46 int64_t s18 = MASK & (load_3(s + 47) >> 2);
47 int64_t s19 = MASK & (load_4(s + 49) >> 7);
48 int64_t s20 = MASK & (load_4(s + 52) >> 4);
49 int64_t s21 = MASK & (load_3(s + 55) >> 1);
50 int64_t s22 = MASK & (load_4(s + 57) >> 6);
51 int64_t s23 = (load_4(s + 60) >> 3);
52
53 redc_mul(s11, s12, s13, s14, s15, s16, s23);
54 redc_mul(s10, s11, s12, s13, s14, s15, s22);
55 redc_mul(s9, s10, s11, s12, s13, s14, s21);
56 redc_mul(s8, s9, s10, s11, s12, s13, s20);
57 redc_mul(s7, s8, s9, s10, s11, s12, s19);
58 redc_mul(s6, s7, s8, s9, s10, s11, s18);
59
60 carry<21>(s6, s7);
61 carry<21>(s8, s9);
62 carry<21>(s10, s11);
63 carry<21>(s12, s13);
64 carry<21>(s14, s15);
65 carry<21>(s16, s17);
66
67 carry<21>(s7, s8);
68 carry<21>(s9, s10);
69 carry<21>(s11, s12);
70 carry<21>(s13, s14);
71 carry<21>(s15, s16);
72
73 redc_mul(s5, s6, s7, s8, s9, s10, s17);
74 redc_mul(s4, s5, s6, s7, s8, s9, s16);
75 redc_mul(s3, s4, s5, s6, s7, s8, s15);
76 redc_mul(s2, s3, s4, s5, s6, s7, s14);
77 redc_mul(s1, s2, s3, s4, s5, s6, s13);
78 redc_mul(s0, s1, s2, s3, s4, s5, s12);
79
80 carry<21>(s0, s1);
81 carry<21>(s2, s3);
82 carry<21>(s4, s5);
83 carry<21>(s6, s7);
84 carry<21>(s8, s9);
85 carry<21>(s10, s11);
86
87 carry<21>(s1, s2);
88 carry<21>(s3, s4);
89 carry<21>(s5, s6);
90 carry<21>(s7, s8);
91 carry<21>(s9, s10);
92 carry<21>(s11, s12);
93
94 redc_mul(s0, s1, s2, s3, s4, s5, s12);
95
96 carry0<21>(s0, s1);
97 carry0<21>(s1, s2);
98 carry0<21>(s2, s3);
99 carry0<21>(s3, s4);
100 carry0<21>(s4, s5);
101 carry0<21>(s5, s6);
102 carry0<21>(s6, s7);
103 carry0<21>(s7, s8);
104 carry0<21>(s8, s9);
105 carry0<21>(s9, s10);
106 carry0<21>(s10, s11);
107 carry0<21>(s11, s12);
108
109 redc_mul(s0, s1, s2, s3, s4, s5, s12);
110
111 carry0<21>(s0, s1);
112 carry0<21>(s1, s2);
113 carry0<21>(s2, s3);
114 carry0<21>(s3, s4);
115 carry0<21>(s4, s5);
116 carry0<21>(s5, s6);
117 carry0<21>(s6, s7);
118 carry0<21>(s7, s8);
119 carry0<21>(s8, s9);
120 carry0<21>(s9, s10);
121 carry0<21>(s10, s11);
122 carry0<21>(s11, s12);
123
124 s[0] = static_cast<uint8_t>(s0 >> 0);
125 s[1] = static_cast<uint8_t>(s0 >> 8);
126 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
127 s[3] = static_cast<uint8_t>(s1 >> 3);
128 s[4] = static_cast<uint8_t>(s1 >> 11);
129 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
130 s[6] = static_cast<uint8_t>(s2 >> 6);
131 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
132 s[8] = static_cast<uint8_t>(s3 >> 1);
133 s[9] = static_cast<uint8_t>(s3 >> 9);
134 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
135 s[11] = static_cast<uint8_t>(s4 >> 4);
136 s[12] = static_cast<uint8_t>(s4 >> 12);
137 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
138 s[14] = static_cast<uint8_t>(s5 >> 7);
139 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
140 s[16] = static_cast<uint8_t>(s6 >> 2);
141 s[17] = static_cast<uint8_t>(s6 >> 10);
142 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
143 s[19] = static_cast<uint8_t>(s7 >> 5);
144 s[20] = static_cast<uint8_t>(s7 >> 13);
145 s[21] = static_cast<uint8_t>(s8 >> 0);
146 s[22] = static_cast<uint8_t>(s8 >> 8);
147 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
148 s[24] = static_cast<uint8_t>(s9 >> 3);
149 s[25] = static_cast<uint8_t>(s9 >> 11);
150 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
151 s[27] = static_cast<uint8_t>(s10 >> 6);
152 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
153 s[29] = static_cast<uint8_t>(s11 >> 1);
154 s[30] = static_cast<uint8_t>(s11 >> 9);
155 s[31] = static_cast<uint8_t>(s11 >> 17);
156}

References load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign(), and ed25519_verify().

◆ scrypt() [1/2]

void Botan::scrypt ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
size_t N,
size_t r,
size_t p )
inline

Scrypt key derivation function (RFC 7914)

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenlength of password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 87 of file scrypt.h.

95 {
96 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
97 auto pwdhash = pwdhash_fam->from_params(N, r, p);
98 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
99}

◆ scrypt() [2/2]

void Botan::scrypt ( uint8_t output[],
size_t output_len,
std::string_view password,
const uint8_t salt[],
size_t salt_len,
size_t N,
size_t r,
size_t p )
inline

Scrypt key derivation function (RFC 7914) Before 2.8 this function was the primary interface for scrypt

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 120 of file scrypt.h.

127 {
128 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
129 auto pwdhash = pwdhash_fam->from_params(N, r, p);
130 pwdhash->derive_key(output, output_len, password.data(), password.size(), salt, salt_len);
131}

◆ search_map() [1/2]

template<typename K , typename V , typename R >
R Botan::search_map ( const std::map< K, V > & mapping,
const K & key,
const R & null_result,
const R & found_result )
inline

Definition at line 97 of file stl_util.h.

97 {
98 auto i = mapping.find(key);
99 if(i == mapping.end()) {
100 return null_result;
101 }
102 return found_result;
103}

◆ search_map() [2/2]

template<typename K , typename V >
V Botan::search_map ( const std::map< K, V > & mapping,
const K & key,
const V & null_result = V() )
inline

Definition at line 88 of file stl_util.h.

88 {
89 auto i = mapping.find(key);
90 if(i == mapping.end()) {
91 return null_result;
92 }
93 return i->second;
94}

Referenced by Botan::HTTP::http_sync().

◆ secure_scrub_memory() [1/2]

void Botan::secure_scrub_memory ( ranges::contiguous_output_range auto && data)

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory.

Parameters
datathe data region to be scrubbed

Definition at line 57 of file mem_ops.h.

57 {
58 secure_scrub_memory(std::ranges::data(data), ranges::size_bytes(data));
59}
void secure_scrub_memory(void *ptr, size_t n)
Definition os_utils.cpp:87

References secure_scrub_memory(), and Botan::ranges::size_bytes().

◆ secure_scrub_memory() [2/2]

void Botan::secure_scrub_memory ( void * ptr,
size_t n )

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory (for example, in some hypothetical implementation it might combine the memory contents with the output of a system PRNG), but if you can detect any difference in behavior at runtime then the clearing is side-effecting and you can just use clear_mem.

Use this function to scrub memory just before deallocating it, or on a stack buffer before returning from the function.

Parameters
ptra pointer to memory to scrub
nthe number of bytes pointed to by ptr

Definition at line 87 of file os_utils.cpp.

87 {
88#if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY)
89 ::RtlSecureZeroMemory(ptr, n);
90
91#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO)
92 ::explicit_bzero(ptr, n);
93
94#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET)
95 (void)::explicit_memset(ptr, 0, n);
96
97#elif defined(BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO) && (BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO == 1)
98 /*
99 Call memset through a static volatile pointer, which the compiler
100 should not elide. This construct should be safe in conforming
101 compilers, but who knows. I did confirm that on x86-64 GCC 6.1 and
102 Clang 3.8 both create code that saves the memset address in the
103 data segment and unconditionally loads and jumps to that address.
104 */
105 static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset;
106 (memset_ptr)(ptr, 0, n);
107#else
108
109 volatile uint8_t* p = reinterpret_cast<volatile uint8_t*>(ptr);
110
111 for(size_t i = 0; i != n; ++i)
112 p[i] = 0;
113#endif
114}

Referenced by botan_scrub_mem(), Botan::Kuznyechik::clear(), deallocate_memory(), Botan::OS::free_locked_pages(), Botan::GHASH::ghash_update(), secure_scrub_memory(), Botan::Sodium::sodium_free(), Botan::Sodium::sodium_memzero(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::~AlignmentBuffer(), Botan::BLAKE2s::~BLAKE2s(), and Botan::FE_25519::~FE_25519().

◆ set_mem()

constexpr void Botan::set_mem ( uint8_t * ptr,
size_t n,
uint8_t val )
inlineconstexpr

Set memory to a fixed value

Parameters
ptra pointer to an array of bytes
nthe number of Ts pointed to by ptr
valthe value to set each byte to

Definition at line 265 of file mem_ops.h.

265 {
266 if(n > 0) {
267 std::memset(ptr, val, n);
268 }
269}

◆ SHA2_32_F()

BOTAN_FORCE_INLINE void Botan::SHA2_32_F ( uint32_t A,
uint32_t B,
uint32_t C,
uint32_t & D,
uint32_t E,
uint32_t F,
uint32_t G,
uint32_t & H,
uint32_t & M1,
uint32_t M2,
uint32_t M3,
uint32_t M4,
uint32_t magic )

Definition at line 19 of file sha2_32_f.h.

31 {
32 uint32_t A_rho = rho<2, 13, 22>(A);
33 uint32_t E_rho = rho<6, 11, 25>(E);
34 uint32_t M2_sigma = sigma<17, 19, 10>(M2);
35 uint32_t M4_sigma = sigma<7, 18, 3>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}
constexpr T majority(T a, T b, T c)
Definition bit_ops.h:186

References choose(), and majority().

Referenced by Botan::SHA_256::compress_digest(), and Botan::SHA_256::compress_digest_x86_bmi2().

◆ SHA2_64_F()

BOTAN_FORCE_INLINE void Botan::SHA2_64_F ( uint64_t A,
uint64_t B,
uint64_t C,
uint64_t & D,
uint64_t E,
uint64_t F,
uint64_t G,
uint64_t & H,
uint64_t & M1,
uint64_t M2,
uint64_t M3,
uint64_t M4,
uint64_t magic )

Definition at line 19 of file sha2_64_f.h.

31 {
32 const uint64_t E_rho = rho<14, 18, 41>(E);
33 const uint64_t A_rho = rho<28, 34, 39>(A);
34 const uint64_t M2_sigma = sigma<19, 61, 6>(M2);
35 const uint64_t M4_sigma = sigma<1, 8, 7>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}

References choose(), and majority().

Referenced by Botan::SHA_512::compress_digest(), and Botan::SHA_512::compress_digest_bmi2().

◆ shl() [1/3]

template<size_t S>
SIMD_16x32 Botan::shl ( SIMD_16x32 input)
inline

Definition at line 321 of file simd_avx512.h.

321 {
322 return input.shl<S>();
323}

◆ shl() [2/3]

template<size_t S>
SIMD_4x32 Botan::shl ( SIMD_4x32 input)
inline

Definition at line 615 of file simd_32.h.

615 {
616 return input.shl<S>();
617}
SIMD_4x32 shl() const noexcept
Definition simd_32.h:416

References Botan::SIMD_4x32::shl().

◆ shl() [3/3]

template<size_t S>
SIMD_8x32 Botan::shl ( SIMD_8x32 input)
inline

Definition at line 277 of file simd_avx2.h.

277 {
278 return input.shl<S>();
279}

◆ short_version_cstr()

const char * Botan::short_version_cstr ( )

Same as version_short_string except returning a pointer to the string.

Definition at line 25 of file version.cpp.

25 {
27#if defined(BOTAN_VERSION_SUFFIX)
28 STR(BOTAN_VERSION_SUFFIX)
29#endif
30 ;
31}
#define BOTAN_VERSION_PATCH
Definition build.h:29
#define BOTAN_VERSION_MINOR
Definition build.h:28
#define BOTAN_VERSION_MAJOR
Definition build.h:27
#define STR(macro)
Definition version.cpp:23

References BOTAN_VERSION_MAJOR, BOTAN_VERSION_MINOR, BOTAN_VERSION_PATCH, and STR.

Referenced by runtime_version_check(), and short_version_string().

◆ short_version_string()

std::string Botan::short_version_string ( )

Return a version string of the form "MAJOR.MINOR.PATCH" where each of the values is an integer.

Definition at line 71 of file version.cpp.

71 {
72 return std::string(short_version_cstr());
73}

References short_version_cstr().

◆ sigma()

template<size_t R1, size_t R2, size_t S, typename T >
constexpr T Botan::sigma ( T x)
inlineconstexpr

SHA-2 Sigma style function

Definition at line 43 of file rotate.h.

43 {
44 return rotr<R1>(x) ^ rotr<R2>(x) ^ (x >> S);
45}

◆ significant_bytes()

template<typename T >
requires (std::is_integral<T>::value)
constexpr size_t Botan::significant_bytes ( T n)
inlineconstexpr

Return the number of significant bytes in n

Parameters
nan integer value
Returns
number of significant bytes in n

Definition at line 80 of file bit_ops.h.

82{
83 size_t b = 0;
84
85 for(size_t s = 8 * sizeof(n) / 2; s >= 8; s /= 2) {
86 const size_t z = s * (~ct_is_zero(n >> s) & 1);
87 b += z / 8;
88 n >>= z;
89 }
90
91 b += (n != 0);
92
93 return b;
94}

◆ sm2_compute_za()

std::vector< uint8_t > Botan::sm2_compute_za ( HashFunction & hash,
std::string_view user_id,
const EC_Group & domain,
const EC_Point & pubkey )

Definition at line 58 of file sm2.cpp.

61 {
62 if(user_id.size() >= 8192) {
63 throw Invalid_Argument("SM2 user id too long to represent");
64 }
65
66 const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
67
68 hash.update(get_byte<0>(uid_len));
69 hash.update(get_byte<1>(uid_len));
70 hash.update(user_id);
71
72 const size_t p_bytes = domain.get_p_bytes();
73
74 hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
75 hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
76 hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
77 hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
78 hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
79 hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
80
81 std::vector<uint8_t> za(hash.output_length());
82 hash.final(za.data());
83
84 return za;
85}
const BigInt & get_b() const
Definition ec_group.cpp:500
const BigInt & get_a() const
Definition ec_group.cpp:496
const BigInt & get_g_y() const
Definition ec_group.cpp:516
const BigInt & get_g_x() const
Definition ec_group.cpp:512
size_t get_p_bytes() const
Definition ec_group.cpp:480
BigInt get_affine_x() const
Definition ec_point.cpp:469
BigInt get_affine_y() const
Definition ec_point.cpp:489

References Botan::BigInt::encode_1363(), Botan::Buffered_Computation::final(), Botan::EC_Group::get_a(), Botan::EC_Point::get_affine_x(), Botan::EC_Point::get_affine_y(), Botan::EC_Group::get_b(), Botan::EC_Group::get_g_x(), Botan::EC_Group::get_g_y(), Botan::EC_Group::get_p_bytes(), Botan::Buffered_Computation::output_length(), and Botan::Buffered_Computation::update().

Referenced by botan_pubkey_sm2_compute_za().

◆ split_on()

BOTAN_TEST_API std::vector< std::string > Botan::split_on ( std::string_view str,
char delim )

Split a string

Parameters
strthe input string
delimthe delimitor
Returns
string split by delim

Definition at line 111 of file parsing.cpp.

111 {
112 std::vector<std::string> elems;
113 if(str.empty()) {
114 return elems;
115 }
116
117 std::string substr;
118 for(auto i = str.begin(); i != str.end(); ++i) {
119 if(*i == delim) {
120 if(!substr.empty()) {
121 elems.push_back(substr);
122 }
123 substr.clear();
124 } else {
125 substr += *i;
126 }
127 }
128
129 if(substr.empty()) {
130 throw Invalid_Argument(fmt("Unable to split string '{}", str));
131 }
132 elems.push_back(substr);
133
134 return elems;
135}

References fmt().

Referenced by argon2_check_pwhash(), Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), create_private_key(), Botan::TLS::Text_Policy::get_list(), load_private_key(), load_public_key(), pbes2_decrypt(), Botan::TLS::Text_Policy::read_cert_type_list(), Botan::TLS::Text_Policy::read_group_list(), read_kv(), string_to_ipv4(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), and Botan::X509_Cert_Options::X509_Cert_Options().

◆ sqrt_modulo_prime()

BigInt Botan::sqrt_modulo_prime ( const BigInt & x,
const BigInt & p )

Compute the square root of x modulo a prime using the Tonelli-Shanks algorithm. This algorithm is primarily used for EC point decompression which takes only public inputs, as a consequence it is not written to be constant-time and may leak side-channel information about its arguments.

Parameters
xthe input
pthe prime modulus
Returns
y such that (y*y)p == x, or -1 if no such integer

Definition at line 26 of file numthry.cpp.

26 {
27 BOTAN_ARG_CHECK(p > 1, "invalid prime");
28 BOTAN_ARG_CHECK(a < p, "value to solve for must be less than p");
29 BOTAN_ARG_CHECK(a >= 0, "value to solve for must not be negative");
30
31 // some very easy cases
32 if(p == 2 || a <= 1) {
33 return a;
34 }
35
36 BOTAN_ARG_CHECK(p.is_odd(), "invalid prime");
37
38 if(jacobi(a, p) != 1) { // not a quadratic residue
39 return BigInt::from_s32(-1);
40 }
41
42 Modular_Reducer mod_p(p);
43 auto monty_p = std::make_shared<Montgomery_Params>(p, mod_p);
44
45 // If p == 3 (mod 4) there is a simple solution
46 if(p % 4 == 3) {
47 return monty_exp_vartime(monty_p, a, ((p + 1) >> 2));
48 }
49
50 // Otherwise we have to use Shanks-Tonelli
51 size_t s = low_zero_bits(p - 1);
52 BigInt q = p >> s;
53
54 q -= 1;
55 q >>= 1;
56
57 BigInt r = monty_exp_vartime(monty_p, a, q);
58 BigInt n = mod_p.multiply(a, mod_p.square(r));
59 r = mod_p.multiply(r, a);
60
61 if(n == 1) {
62 return r;
63 }
64
65 // find random quadratic nonresidue z
66 word z = 2;
67 for(;;) {
68 if(jacobi(BigInt::from_word(z), p) == -1) { // found one
69 break;
70 }
71
72 z += 1; // try next z
73
74 /*
75 * The expected number of tests to find a non-residue modulo a
76 * prime is 2. If we have not found one after 256 then almost
77 * certainly we have been given a non-prime p.
78 */
79 if(z >= 256) {
80 return BigInt::from_s32(-1);
81 }
82 }
83
84 BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1);
85
86 while(n > 1) {
87 q = n;
88
89 size_t i = 0;
90 while(q != 1) {
91 q = mod_p.square(q);
92 ++i;
93
94 if(i >= s) {
95 return BigInt::from_s32(-1);
96 }
97 }
98
99 BOTAN_ASSERT_NOMSG(s >= (i + 1)); // No underflow!
100 c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1));
101 r = mod_p.multiply(r, c);
102 c = mod_p.square(c);
103 n = mod_p.multiply(n, c);
104
105 // s decreases as the algorithm proceeds
106 BOTAN_ASSERT_NOMSG(s >= i);
107 s = i;
108 }
109
110 return r;
111}
bool is_odd() const
Definition bigint.h:416
BigInt monty_exp_vartime(const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k)
Definition monty_exp.h:49

References BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BigInt::from_s32(), Botan::BigInt::from_word(), Botan::BigInt::is_odd(), jacobi(), low_zero_bits(), monty_exp_vartime(), Botan::Modular_Reducer::multiply(), Botan::BigInt::power_of_2(), and Botan::Modular_Reducer::square().

◆ square()

BigInt Botan::square ( const BigInt & x)
Parameters
xan integer
Returns
(x*x)

Definition at line 157 of file numthry.cpp.

157 {
158 BigInt z = x;
160 z.square(ws);
161 return z;
162}
BigInt & square(secure_vector< word > &ws)
Definition big_ops2.cpp:183

References Botan::BigInt::square().

Referenced by Botan::Modular_Reducer::cube(), and Botan::Modular_Reducer::square().

◆ srp6_client_agree() [1/2]

std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( std::string_view username,
std::string_view password,
const DL_Group & group,
std::string_view hash_id,
const std::vector< uint8_t > & salt,
const BigInt & B,
size_t a_bits,
RandomNumberGenerator & rng )

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
groupspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
a_bitssize of secret exponent in bits
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 78 of file srp6.cpp.

85 {
86 BOTAN_ARG_CHECK(a_bits <= group.p_bits(), "Invalid a_bits");
87
88 const BigInt& g = group.get_g();
89 const BigInt& p = group.get_p();
90
91 const size_t p_bytes = group.p_bytes();
92
93 if(B <= 0 || B >= p) {
94 throw Decoding_Error("Invalid SRP parameter from server");
95 }
96
97 auto hash_fn = HashFunction::create_or_throw(hash_id);
98 if(8 * hash_fn->output_length() >= group.p_bits()) {
99 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
100 }
101
102 const BigInt k = hash_seq(*hash_fn, p_bytes, p, g);
103
104 const BigInt a(rng, a_bits);
105
106 const BigInt A = group.power_g_p(a, a_bits);
107
108 const BigInt u = hash_seq(*hash_fn, p_bytes, A, B);
109
110 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
111
112 const BigInt g_x_p = group.power_g_p(x, hash_fn->output_length() * 8);
113
114 const BigInt B_k_g_x_p = group.mod_p(B - group.multiply_mod_p(k, g_x_p));
115
116 const BigInt a_ux = a + u * x;
117
118 const size_t max_aux_bits = std::max<size_t>(a_bits + 1, 2 * 8 * hash_fn->output_length());
119 BOTAN_ASSERT_NOMSG(max_aux_bits >= a_ux.bits());
120
121 const BigInt S = group.power_b_p(B_k_g_x_p, a_ux, max_aux_bits);
122
123 const SymmetricKey Sk(BigInt::encode_1363(S, p_bytes));
124
125 return std::make_pair(A, Sk);
126}
BigInt power_g_p(const BigInt &x) const
Definition dl_group.cpp:521
BigInt mod_p(const BigInt &x) const
Definition dl_group.cpp:483
BigInt multiply_mod_p(const BigInt &x, const BigInt &y) const
Definition dl_group.cpp:487
size_t p_bits() const
Definition dl_group.cpp:452
const BigInt & get_p() const
Definition dl_group.cpp:426
size_t p_bytes() const
Definition dl_group.cpp:456
BigInt power_b_p(const BigInt &b, const BigInt &x, size_t max_x_bits) const
Definition dl_group.cpp:533
const BigInt & get_g() const
Definition dl_group.cpp:433
OctetString SymmetricKey
Definition symkey.h:141

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::HashFunction::create_or_throw(), Botan::BigInt::encode_1363(), fmt(), Botan::DL_Group::get_g(), Botan::DL_Group::get_p(), Botan::DL_Group::mod_p(), Botan::DL_Group::multiply_mod_p(), Botan::DL_Group::p_bits(), Botan::DL_Group::p_bytes(), Botan::DL_Group::power_b_p(), and Botan::DL_Group::power_g_p().

◆ srp6_client_agree() [2/2]

std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( std::string_view username,
std::string_view password,
std::string_view group_id,
std::string_view hash_id,
const std::vector< uint8_t > & salt,
const BigInt & B,
RandomNumberGenerator & rng )

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 65 of file srp6.cpp.

71 {
72 DL_Group group(group_id);
73 const size_t a_bits = group.exponent_bits();
74
75 return srp6_client_agree(identifier, password, group, hash_id, salt, B, a_bits, rng);
76}
std::pair< BigInt, SymmetricKey > srp6_client_agree(std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
Definition srp6.cpp:65

References Botan::DL_Group::exponent_bits(), and srp6_client_agree().

Referenced by botan_srp6_client_agree(), and srp6_client_agree().

◆ srp6_generate_verifier() [1/2]

BigInt Botan::srp6_generate_verifier ( std::string_view identifier,
std::string_view password,
const std::vector< uint8_t > & salt,
const DL_Group & group,
std::string_view hash_id )

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
groupspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 137 of file srp6.cpp.

141 {
142 auto hash_fn = HashFunction::create_or_throw(hash_id);
143 if(8 * hash_fn->output_length() >= group.p_bits()) {
144 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
145 }
146
147 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
148 return group.power_g_p(x, hash_fn->output_length() * 8);
149}

References Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::p_bits(), and Botan::DL_Group::power_g_p().

◆ srp6_generate_verifier() [2/2]

BigInt Botan::srp6_generate_verifier ( std::string_view identifier,
std::string_view password,
const std::vector< uint8_t > & salt,
std::string_view group_id,
std::string_view hash_id )

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 128 of file srp6.cpp.

132 {
133 DL_Group group(group_id);
134 return srp6_generate_verifier(identifier, password, salt, group, hash_id);
135}
BigInt srp6_generate_verifier(std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
Definition srp6.cpp:128

References srp6_generate_verifier().

Referenced by botan_srp6_generate_verifier(), and srp6_generate_verifier().

◆ srp6_group_identifier()

std::string Botan::srp6_group_identifier ( const BigInt & N,
const BigInt & g )

Return the group id for this SRP param set, or else thrown an exception

Parameters
Nthe group modulus
gthe group generator
Returns
group identifier

Definition at line 46 of file srp6.cpp.

46 {
47 /*
48 This function assumes that only one 'standard' SRP parameter set has
49 been defined for a particular bitsize. As of this writing that is the case.
50 */
51 try {
52 std::string group_name = "modp/srp/" + std::to_string(N.bits());
53
54 DL_Group group(group_name);
55
56 if(group.get_p() == N && group.get_g() == g) {
57 return group_name;
58 }
59 } catch(...) {}
60
61 // If we didn't return, the group was unknown or did not match
62 throw Invalid_Argument("Invalid or unknown SRP group parameters");
63}

References Botan::BigInt::bits(), Botan::DL_Group::get_g(), and Botan::DL_Group::get_p().

◆ store_be() [1/5]

template<ranges::contiguous_output_range< uint8_t > OutR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::store_be ( OutR && out,
Ts... ins )
inlineconstexpr

Store many big-endian unsigned integers

Parameters
outa fixed-length span to some bytes
insa arbitrary-length parameter list of unsigned integers to be stored

Definition at line 429 of file loadstor.h.

429 {
430 ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out);
431 auto store_one = [off = 0]<typename T>(auto o, T i) mutable {
432 store_be<T>(i, o.subspan(off).template first<sizeof(T)>());
433 off += sizeof(T);
434 };
435
436 (store_one(std::span{out}, ins), ...);
437}

References Botan::ranges::assert_exact_byte_length(), and T.

◆ store_be() [2/5]

template<std::unsigned_integral T>
constexpr auto Botan::store_be ( T in)
inlineconstexpr

Store a big-endian unsigned integer

Parameters
inthe input unsigned integer
Returns
a byte array holding the integer value in big-endian byte order

Definition at line 488 of file loadstor.h.

488 {
489 std::array<uint8_t, sizeof(T)> out;
490 store_be(in, out);
491 return out;
492}

References store_be(), and T.

◆ store_be() [3/5]

template<std::unsigned_integral T, ranges::contiguous_output_range< uint8_t > OutR>
constexpr void Botan::store_be ( T in,
OutR && out_range )
inlineconstexpr

Store a big-endian unsigned integer

Parameters
inthe input unsigned integer
out_rangethe fixed-length span to write to

Definition at line 358 of file loadstor.h.

358 {
359 ranges::assert_exact_byte_length<sizeof(T)>(out_range);
360 std::span out{out_range};
361 if constexpr(sizeof(T) == 1) {
362 out[0] = static_cast<uint8_t>(in);
363 } else {
364#if defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
365 typecast_copy(out, in);
366#elif defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
368#else
369 [&]<size_t... i>(std::index_sequence<i...>) {
370 ((out[i] = get_byte<i>(in)), ...);
371 }
372 (std::make_index_sequence<sizeof(T)>());
373#endif
374 }
375}

References reverse_bytes(), T, and typecast_copy().

Referenced by Botan::GHASH::add_final_block(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::BigInt::binary_encode(), copy_out_be(), Botan::FPE_FE1::decrypt(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::FPE_FE1::encrypt(), Botan::TLS::Session::encrypt(), Botan::CryptoBox::encrypt(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TLS::Connection_Cipher_State::format_ad(), ipv4_to_string(), Botan::SP800_108_Counter::kdf(), Botan::SP800_108_Feedback::kdf(), Botan::SP800_108_Pipeline::kdf(), Botan::TLS::make_hello_random(), Botan::TLS::Cipher_State::next_ticket_nonce(), nist_key_wrap(), nist_key_wrap_padded(), Botan::CTR_BE::seek(), Botan::TLS::New_Session_Ticket_12::serialize(), Botan::TLS::New_Session_Ticket_13::serialize(), store_be(), store_be(), Botan::SIMD_4x32::store_be(), store_be(), Botan::Sphincs_Address::to_bytes(), Botan::Sphincs_Address::to_bytes_compressed(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), and Botan::Buffered_Computation::update_be().

◆ store_be() [4/5]

template<std::unsigned_integral T>
constexpr void Botan::store_be ( T in,
uint8_t out[sizeof(T)] )
inlineconstexpr

Store a big-endian unsigned integer

Parameters
inthe input unsigned integer
outthe byte array to write to

Definition at line 408 of file loadstor.h.

408 {
409 store_be(in, std::span<uint8_t, sizeof(T)>(out, sizeof(T)));
410}

References store_be(), and T.

◆ store_be() [5/5]

template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::store_be ( uint8_t out[],
Ts... ins )
inlineconstexpr

Store many big-endian unsigned integers

Parameters
insa pointer to some bytes to be written
outa arbitrary-length parameter list of unsigned integers to be stored

Definition at line 463 of file loadstor.h.

463 {
464 constexpr auto bytes = (sizeof(ins) + ...);
465 // asserts that *out points to the correct amount of memory
466 store_be(std::span<uint8_t, bytes>(out, bytes), ins...);
467}

References store_be().

◆ store_le() [1/5]

template<ranges::contiguous_output_range< uint8_t > OutR, std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::store_le ( OutR && out,
Ts... ins )
inlineconstexpr

Store many little-endian unsigned integers

Parameters
outa fixed-length span to some bytes
insa arbitrary-length parameter list of unsigned integers to be stored

Definition at line 446 of file loadstor.h.

446 {
447 ranges::assert_exact_byte_length<(sizeof(Ts) + ...)>(out);
448 auto store_one = [off = 0]<typename T>(auto o, T i) mutable {
449 store_le<T>(i, o.subspan(off).template first<sizeof(T)>());
450 off += sizeof(T);
451 };
452
453 (store_one(std::span{out}, ins), ...);
454}

References Botan::ranges::assert_exact_byte_length(), and T.

◆ store_le() [2/5]

template<std::unsigned_integral T>
constexpr auto Botan::store_le ( T in)
inlineconstexpr

Store a little-endian unsigned integer

Parameters
inthe input unsigned integer
Returns
a byte array holding the integer value in little-endian byte order

Definition at line 500 of file loadstor.h.

500 {
501 std::array<uint8_t, sizeof(T)> out;
502 store_le(in, out);
503 return out;
504}

References store_le(), and T.

◆ store_le() [3/5]

template<std::unsigned_integral T, ranges::contiguous_output_range< uint8_t > OutR>
constexpr void Botan::store_le ( T in,
OutR && out_range )
inlineconstexpr

Store a little-endian unsigned integer

Parameters
inthe input unsigned integer
out_rangethe fixed-length span to write to

Definition at line 383 of file loadstor.h.

383 {
384 ranges::assert_exact_byte_length<sizeof(T)>(out_range);
385 std::span out{out_range};
386 if constexpr(sizeof(T) == 1) {
387 out[0] = static_cast<uint8_t>(in);
388 } else {
389#if defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
391#elif defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
392 typecast_copy(out, in);
393#else
394 [&]<size_t... i>(std::index_sequence<i...>) {
395 ((out[i] = get_byte<sizeof(T) - i - 1>(in)), ...);
396 }
397 (std::make_index_sequence<sizeof(T)>());
398#endif
399 }
400}
constexpr uint8_t get_byte(T input)
Definition loadstor.h:37

References get_byte(), reverse_bytes(), T, and typecast_copy().

Referenced by copy_out_le(), create_aes_row_generator(), create_shake_row_generator(), Botan::GOST_28147_89::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::GOST_28147_89::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::Streebog::final_result(), generate_mceliece_key(), Botan::RandomNumberGenerator::randomize_with_ts_input(), Botan::Salsa20::salsa_core(), Botan::ChaCha::seek(), Botan::Salsa20::seek(), Botan::FrodoMatrix::serialize(), Botan::Sodium::sodium_malloc(), Botan::Keccak_Permutation::squeeze(), store_le(), store_le(), Botan::SIMD_4x32::store_le(), store_le(), Botan::Buffered_Computation::update_le(), Botan::Buffered_Computation::update_le(), Botan::Buffered_Computation::update_le(), Botan::ChaCha20Poly1305_Mode::update_len(), and Botan::Dilithium_Common_Symmetric_Primitives::XOF().

◆ store_le() [4/5]

template<std::unsigned_integral T>
constexpr void Botan::store_le ( T in,
uint8_t out[sizeof(T)] )
inlineconstexpr

Store a little-endian unsigned integer

Parameters
inthe input unsigned integer
outthe byte array to write to

Definition at line 418 of file loadstor.h.

418 {
419 store_le(in, std::span<uint8_t, sizeof(T)>(out, sizeof(T)));
420}

References store_le(), and T.

◆ store_le() [5/5]

template<std::unsigned_integral... Ts>
requires (sizeof...(Ts) > 0) && all_same_v<Ts...>
constexpr void Botan::store_le ( uint8_t out[],
Ts... ins )
inlineconstexpr

Store many little-endian unsigned integers

Parameters
insa pointer to some bytes to be written
outa arbitrary-length parameter list of unsigned integers to be stored

Definition at line 476 of file loadstor.h.

476 {
477 constexpr auto bytes = (sizeof(ins) + ...);
478 // asserts that *out points to the correct amount of memory
479 store_le(std::span<uint8_t, bytes>(out, bytes), ins...);
480}

References store_le().

◆ string_join()

std::string Botan::string_join ( const std::vector< std::string > & strs,
char delim )

Join a string

Parameters
strsstrings to join
delimthe delimitor
Returns
string joined by delim

Definition at line 140 of file parsing.cpp.

140 {
141 std::ostringstream out;
142
143 for(size_t i = 0; i != strs.size(); ++i) {
144 if(i != 0) {
145 out << delim;
146 }
147 out << strs[i];
148 }
149
150 return out.str();
151}

Referenced by Botan::CPUID::to_string(), and Botan::Key_Constraints::to_string().

◆ string_to_ipv4()

uint32_t Botan::string_to_ipv4 ( std::string_view ip_str)

Convert a string representation of an IPv4 address to a number

Parameters
ip_strthe string representation
Returns
integer IPv4 address

Definition at line 156 of file parsing.cpp.

156 {
157 const auto parts = split_on(str, '.');
158
159 if(parts.size() != 4) {
160 throw Decoding_Error(fmt("Invalid IPv4 string '{}'", str));
161 }
162
163 uint32_t ip = 0;
164
165 for(auto part = parts.begin(); part != parts.end(); ++part) {
166 uint32_t octet = to_u32bit(*part);
167
168 if(octet > 255) {
169 throw Decoding_Error(fmt("Invalid IPv4 string '{}'", str));
170 }
171
172 ip = (ip << 8) | (octet & 0xFF);
173 }
174
175 return ip;
176}

References fmt(), split_on(), and to_u32bit().

◆ swap_bits()

template<typename T >
constexpr void Botan::swap_bits ( T & x,
T & y,
T mask,
size_t shift )
inlineconstexpr

Definition at line 173 of file bit_ops.h.

173 {
174 const T swap = ((x >> shift) ^ y) & mask;
175 x ^= swap << shift;
176 y ^= swap;
177}

References T.

◆ syndrome_init()

std::vector< polyn_gf2m > Botan::syndrome_init ( const polyn_gf2m & generator,
const std::vector< gf2m > & support,
int n )

Definition at line 608 of file polyn_gf2m.cpp.

608 {
609 int i, j, t;
610 gf2m a;
611
612 std::shared_ptr<GF2m_Field> m_sp_field = generator.get_sp_field();
613
614 std::vector<polyn_gf2m> result;
615 t = generator.get_degree();
616
617 //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
618 //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
619
620 for(j = 0; j < n; j++) {
621 result.push_back(polyn_gf2m(t - 1, m_sp_field));
622
623 (*&result[j]).set_coef(t - 1, 1);
624 for(i = t - 2; i >= 0; i--) {
625 (*&result[j]).set_coef(i, (generator)[i + 1] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][i + 1]));
626 }
627 a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][0]));
628 for(i = 0; i < t; i++) {
629 (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i], a));
630 }
631 }
632 return result;
633}
gf2m lex_to_gray(gf2m lex)

References Botan::polyn_gf2m::get_degree(), Botan::polyn_gf2m::get_sp_field(), and lex_to_gray().

Referenced by generate_mceliece_key().

◆ system_rng()

RandomNumberGenerator & Botan::system_rng ( )

Return a shared reference to a global PRNG instance provided by the operating system. For instance might be instantiated by /dev/urandom or CryptGenRandom.

Definition at line 368 of file system_rng.cpp.

368 {
369 static System_RNG_Impl g_system_rng;
370 return g_system_rng;
371}

Referenced by Botan::System_RNG::accepts_input(), botan_pk_op_decrypt_create(), botan_pk_op_encrypt_create(), botan_pk_op_kem_decrypt_create(), botan_pk_op_key_agreement_create(), botan_pk_op_sign_create(), botan_rng_reseed(), botan_system_rng_get(), Botan::System_RNG::clear(), Botan::System_RNG::fill_bytes_with_input(), Botan::System_RNG::is_seeded(), Botan::System_RNG::name(), Botan::Sodium::randombytes_buf(), and Botan::RandomNumberGenerator::randomize_with_ts_input().

◆ theta()

void Botan::theta ( SIMD_4x32 & A0,
SIMD_4x32 & A1,
SIMD_4x32 & A2,
SIMD_4x32 & A3,
const SIMD_4x32 & K0,
const SIMD_4x32 & K1,
const SIMD_4x32 & K2,
const SIMD_4x32 & K3 )
inline

Definition at line 17 of file noekeon_simd.cpp.

24 {
25 SIMD_4x32 T = A0 ^ A2;
26 T ^= T.rotl<8>() ^ T.rotr<8>();
27 A1 ^= T;
28 A3 ^= T;
29
30 A0 ^= K0;
31 A1 ^= K1;
32 A2 ^= K2;
33 A3 ^= K3;
34
35 T = A1 ^ A3;
36 T ^= T.rotl<8>() ^ T.rotr<8>();
37 A0 ^= T;
38 A2 ^= T;
39}

References T.

Referenced by Botan::Noekeon::decrypt_n(), and Botan::Noekeon::encrypt_n().

◆ throw_invalid_argument()

void BOTAN_UNSTABLE_API Botan::throw_invalid_argument ( const char * message,
const char * func,
const char * file )

Called when an invalid argument is used Throws Invalid_Argument

Definition at line 21 of file assert.cpp.

21 {
22 throw Invalid_Argument(fmt("{} in {}:{}", message, func, file));
23}

References fmt().

◆ throw_invalid_state()

void BOTAN_UNSTABLE_API Botan::throw_invalid_state ( const char * message,
const char * func,
const char * file )

Called when an invalid state is encountered Throws Invalid_State

Definition at line 25 of file assert.cpp.

25 {
26 throw Invalid_State(fmt("Invalid state: expr {} was false in {}:{}", expr, func, file));
27}

References fmt().

◆ to_byte_vector()

template<concepts::contiguous_container T = std::vector<uint8_t>>
T Botan::to_byte_vector ( std::string_view s)
inline

Definition at line 29 of file stl_util.h.

29 {
30 return T(s.cbegin(), s.cend());
31}

References T.

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Channel_Impl_12::key_material_export().

◆ to_string() [1/3]

const char * Botan::to_string ( Certificate_Status_Code code)

Convert a status code to a human readable diagnostic message

Parameters
codethe certifcate status
Returns
string literal constant, or nullptr if code unknown

Definition at line 11 of file cert_status.cpp.

11 {
12 switch(code) {
13 case Certificate_Status_Code::VERIFIED:
14 return "Verified";
15 case Certificate_Status_Code::OCSP_RESPONSE_GOOD:
16 return "OCSP response accepted as affirming unrevoked status for certificate";
17 case Certificate_Status_Code::OCSP_SIGNATURE_OK:
18 return "Signature on OCSP response was found valid";
19 case Certificate_Status_Code::VALID_CRL_CHECKED:
20 return "Valid CRL examined";
21
22 case Certificate_Status_Code::CERT_SERIAL_NEGATIVE:
23 return "Certificate serial number is negative";
24 case Certificate_Status_Code::DN_TOO_LONG:
25 return "Distinguished name too long";
26 case Certificate_Status_Code::OCSP_NO_REVOCATION_URL:
27 return "OCSP URL not available";
28 case Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE:
29 return "OCSP server not available";
30 case Certificate_Status_Code::OCSP_ISSUER_NOT_TRUSTED:
31 return "OCSP issuer is not trustworthy";
32
33 case Certificate_Status_Code::NO_REVOCATION_DATA:
34 return "No revocation data";
35 case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK:
36 return "Signature method too weak";
37 case Certificate_Status_Code::UNTRUSTED_HASH:
38 return "Hash function used is considered too weak for security";
39
40 case Certificate_Status_Code::CERT_NOT_YET_VALID:
41 return "Certificate is not yet valid";
42 case Certificate_Status_Code::CERT_HAS_EXPIRED:
43 return "Certificate has expired";
44 case Certificate_Status_Code::OCSP_NOT_YET_VALID:
45 return "OCSP is not yet valid";
46 case Certificate_Status_Code::OCSP_HAS_EXPIRED:
47 return "OCSP response has expired";
48 case Certificate_Status_Code::OCSP_IS_TOO_OLD:
49 return "OCSP response is too old";
50 case Certificate_Status_Code::CRL_NOT_YET_VALID:
51 return "CRL response is not yet valid";
52 case Certificate_Status_Code::CRL_HAS_EXPIRED:
53 return "CRL has expired";
54
55 case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND:
56 return "Certificate issuer not found";
57 case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST:
58 return "Cannot establish trust";
59 case Certificate_Status_Code::CERT_CHAIN_LOOP:
60 return "Loop in certificate chain";
61 case Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT:
62 return "Certificate chain does not end in a CA certificate";
63 case Certificate_Status_Code::CHAIN_NAME_MISMATCH:
64 return "Certificate issuer does not match subject of issuing cert";
65
66 case Certificate_Status_Code::POLICY_ERROR:
67 return "Certificate policy error";
68 case Certificate_Status_Code::DUPLICATE_CERT_POLICY:
69 return "Certificate contains duplicate policy";
70 case Certificate_Status_Code::INVALID_USAGE:
71 return "Certificate does not allow the requested usage";
72 case Certificate_Status_Code::CERT_CHAIN_TOO_LONG:
73 return "Certificate chain too long";
74 case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER:
75 return "CA certificate not allowed to issue certs";
76 case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER:
77 return "CA certificate not allowed to issue CRLs";
78 case Certificate_Status_Code::NO_MATCHING_CRLDP:
79 return "No CRL with matching distribution point for certificate";
80 case Certificate_Status_Code::OCSP_CERT_NOT_LISTED:
81 return "OCSP cert not listed";
82 case Certificate_Status_Code::OCSP_BAD_STATUS:
83 return "OCSP bad status";
84 case Certificate_Status_Code::CERT_NAME_NOMATCH:
85 return "Certificate does not match provided name";
86 case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
87 return "Certificate does not pass name constraint";
88 case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
89 return "Unknown critical extension encountered";
90 case Certificate_Status_Code::DUPLICATE_CERT_EXTENSION:
91 return "Duplicate certificate extension encountered";
92 case Certificate_Status_Code::EXT_IN_V1_V2_CERT:
93 return "Encountered extension in certificate with version that does not allow it";
94 case Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT:
95 return "Encountered v2 identifiers in v1 certificate";
96 case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
97 return "OCSP signature error";
98 case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
99 return "Unable to find certificate issusing OCSP response";
100 case Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE:
101 return "OCSP issuer's keyusage prohibits OCSP";
102 case Certificate_Status_Code::OCSP_RESPONSE_INVALID:
103 return "OCSP parsing valid";
104 case Certificate_Status_Code::OCSP_NO_HTTP:
105 return "OCSP requests not available, no HTTP support compiled in";
106 case Certificate_Status_Code::CERT_IS_REVOKED:
107 return "Certificate is revoked";
108 case Certificate_Status_Code::CRL_BAD_SIGNATURE:
109 return "CRL bad signature";
110 case Certificate_Status_Code::SIGNATURE_ERROR:
111 return "Signature error";
112 case Certificate_Status_Code::CERT_PUBKEY_INVALID:
113 return "Certificate public key invalid";
114 case Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN:
115 return "Certificate signed with unknown/unavailable algorithm";
116 case Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS:
117 return "Certificate signature has invalid parameters";
118
119 // intentionally no default so we are warned if new enum values are added
120 }
121
122 return nullptr;
123}

References CA_CERT_NOT_FOR_CERT_ISSUER, CA_CERT_NOT_FOR_CRL_ISSUER, CANNOT_ESTABLISH_TRUST, CERT_CHAIN_LOOP, CERT_CHAIN_TOO_LONG, CERT_HAS_EXPIRED, CERT_IS_REVOKED, CERT_ISSUER_NOT_FOUND, CERT_NAME_NOMATCH, CERT_NOT_YET_VALID, CERT_PUBKEY_INVALID, CERT_SERIAL_NEGATIVE, CHAIN_LACKS_TRUST_ROOT, CHAIN_NAME_MISMATCH, CRL_BAD_SIGNATURE, CRL_HAS_EXPIRED, CRL_NOT_YET_VALID, DN_TOO_LONG, DUPLICATE_CERT_EXTENSION, DUPLICATE_CERT_POLICY, EXT_IN_V1_V2_CERT, INVALID_USAGE, NAME_CONSTRAINT_ERROR, NO_MATCHING_CRLDP, NO_REVOCATION_DATA, OCSP_BAD_STATUS, OCSP_CERT_NOT_LISTED, OCSP_HAS_EXPIRED, OCSP_IS_TOO_OLD, OCSP_ISSUER_NOT_FOUND, OCSP_ISSUER_NOT_TRUSTED, OCSP_NO_HTTP, OCSP_NO_REVOCATION_URL, OCSP_NOT_YET_VALID, OCSP_RESPONSE_GOOD, OCSP_RESPONSE_INVALID, OCSP_RESPONSE_MISSING_KEYUSAGE, OCSP_SERVER_NOT_AVAILABLE, OCSP_SIGNATURE_ERROR, OCSP_SIGNATURE_OK, POLICY_ERROR, SIGNATURE_ALGO_BAD_PARAMS, SIGNATURE_ALGO_UNKNOWN, SIGNATURE_ERROR, SIGNATURE_METHOD_TOO_WEAK, UNKNOWN_CRITICAL_EXTENSION, UNTRUSTED_HASH, V2_IDENTIFIERS_IN_V1_CERT, VALID_CRL_CHECKED, and VERIFIED.

◆ to_string() [2/3]

std::string Botan::to_string ( ErrorType type)

Convert an ErrorType to string.

Definition at line 13 of file exceptn.cpp.

13 {
14 switch(type) {
15 case ErrorType::Unknown:
16 return "Unknown";
17 case ErrorType::SystemError:
18 return "SystemError";
19 case ErrorType::NotImplemented:
20 return "NotImplemented";
21 case ErrorType::OutOfMemory:
22 return "OutOfMemory";
23 case ErrorType::InternalError:
24 return "InternalError";
25 case ErrorType::IoError:
26 return "IoError";
27 case ErrorType::InvalidObjectState:
28 return "InvalidObjectState";
29 case ErrorType::KeyNotSet:
30 return "KeyNotSet";
31 case ErrorType::InvalidArgument:
32 return "InvalidArgument";
33 case ErrorType::InvalidKeyLength:
34 return "InvalidKeyLength";
35 case ErrorType::InvalidNonceLength:
36 return "InvalidNonceLength";
37 case ErrorType::LookupError:
38 return "LookupError";
39 case ErrorType::EncodingFailure:
40 return "EncodingFailure";
41 case ErrorType::DecodingFailure:
42 return "DecodingFailure";
43 case ErrorType::TLSError:
44 return "TLSError";
45 case ErrorType::HttpError:
46 return "HttpError";
47 case ErrorType::InvalidTag:
48 return "InvalidTag";
49 case ErrorType::RoughtimeError:
50 return "RoughtimeError";
51 case ErrorType::CommonCryptoError:
52 return "CommonCryptoError";
53 case ErrorType::Pkcs11Error:
54 return "Pkcs11Error";
55 case ErrorType::TPMError:
56 return "TPMError";
57 case ErrorType::DatabaseError:
58 return "DatabaseError";
59 case ErrorType::ZlibError:
60 return "ZlibError";
61 case ErrorType::Bzip2Error:
62 return "Bzip2Error";
63 case ErrorType::LzmaError:
64 return "LzmaError";
65 }
66
67 // No default case in above switch so compiler warns
68 return "Unrecognized Botan error";
69}

References Bzip2Error, CommonCryptoError, DatabaseError, DecodingFailure, EncodingFailure, HttpError, InternalError, InvalidArgument, InvalidKeyLength, InvalidNonceLength, InvalidObjectState, InvalidTag, IoError, KeyNotSet, LookupError, LzmaError, NotImplemented, OutOfMemory, Pkcs11Error, RoughtimeError, SystemError, TLSError, TPMError, Unknown, and ZlibError.

Referenced by Botan::TLS::Server_Hello_13::basic_validation(), botan_x509_cert_validation_status(), Botan::TLS::PskIdentity::identity_as_string(), and Botan::Path_Validation_Result::status_string().

◆ to_string() [3/3]

std::string Botan::to_string ( std::span< const uint8_t > bytes)
inline

Definition at line 33 of file stl_util.h.

33 {
34 return std::string(bytes.begin(), bytes.end());
35}

◆ to_u32bit()

BOTAN_TEST_API uint32_t Botan::to_u32bit ( std::string_view str)

Convert a decimal string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 32 of file parsing.cpp.

32 {
33 const std::string str(str_view);
34
35 // std::stoul is not strict enough. Ensure that str is digit only [0-9]*
36 for(const char chr : str) {
37 if(chr < '0' || chr > '9') {
38 throw Invalid_Argument("to_u32bit invalid decimal string '" + str + "'");
39 }
40 }
41
42 const unsigned long int x = std::stoul(str);
43
44 if constexpr(sizeof(unsigned long int) > 4) {
45 // x might be uint64
46 if(x > std::numeric_limits<uint32_t>::max()) {
47 throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range");
48 }
49 }
50
51 return static_cast<uint32_t>(x);
52}

Referenced by Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_as_integer(), argon2_check_pwhash(), create_private_key(), Botan::TLS::Text_Policy::get_len(), Botan::HTTP::http_sync(), string_to_ipv4(), and to_uint16().

◆ to_uint16()

uint16_t Botan::to_uint16 ( std::string_view str)

Convert a decimal string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 22 of file parsing.cpp.

22 {
23 const uint32_t x = to_u32bit(str);
24
25 if(x >> 16) {
26 throw Invalid_Argument("Integer value exceeds 16 bit range");
27 }
28
29 return static_cast<uint16_t>(x);
30}

References to_u32bit().

Referenced by check_bcrypt(), and Botan::TLS::Text_Policy::srtp_profiles().

◆ tolower_string()

std::string Botan::tolower_string ( std::string_view in)

Definition at line 196 of file parsing.cpp.

196 {
197 std::string s(in);
198 for(size_t i = 0; i != s.size(); ++i) {
199 const int cu = static_cast<unsigned char>(s[i]);
200 if(std::isalpha(cu)) {
201 s[i] = static_cast<char>(std::tolower(cu));
202 }
203 }
204 return s;
205}

Referenced by host_wildcard_match().

◆ treehash()

BOTAN_TEST_API void Botan::treehash ( StrongSpan< SphincsTreeNode > out_root,
StrongSpan< SphincsAuthenticationPath > out_auth_path,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes,
std::optional< TreeNodeIndex > leaf_idx,
uint32_t idx_offset,
uint32_t tree_height,
const GenerateLeafFunction & gen_leaf,
Sphincs_Address & tree_address )

Implements a generic Merkle tree hash. Will be used for both FORS and XMSS signatures. gen_leaf is used to create leaf nodes in the respective trees. Additionally XMSS uses the gen_leaf logic to store the WOTS Signature in the main Sphincs+ signature. The leaf_idx is the index of leaf to sign. If only the root node must be computed (without a signature), the leaf_idx is set to std::nullopt.

Definition at line 26 of file sp_treehash.cpp.

34 {
35 BOTAN_ASSERT_NOMSG(out_root.size() == params.n());
36 BOTAN_ASSERT_NOMSG(out_auth_path.size() == params.n() * total_tree_height);
37
38 const TreeNodeIndex max_idx(uint32_t((1 << total_tree_height) - 1));
39
40 std::vector<uint8_t> stack(total_tree_height * params.n());
41 SphincsTreeNode current_node(params.n()); // Current logical node
42
43 /* Traverse the tree from the left-most leaf, matching siblings and up until
44 * the root (Post-order traversal). Collect the adjacent nodes (A) to build
45 * the authentication path (X) along the way.
46 *
47 * 7R
48 * / \
49 * 3X 6A
50 * / \ / \
51 * 1X 2A 4 5
52 */
53 for(TreeNodeIndex idx(0); true; ++idx) {
54 tree_address.set_tree_height(TreeLayerIndex(0));
55 gen_leaf(current_node, idx + idx_offset);
56
57 // Now combine the freshly generated right node with previously generated
58 // left ones
59 uint32_t internal_idx_offset = idx_offset;
60 TreeNodeIndex internal_idx = idx;
61 auto internal_leaf = leaf_idx;
62
63 for(TreeLayerIndex h(0); true; ++h) {
64 // Check if we hit the top of the tree
65 if(h.get() == total_tree_height) {
66 copy_into(out_root, current_node);
67 return;
68 }
69
70 // Check if the node we have is a part of the authentication path; if
71 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
72 // is 1 iff they have the same parent node in the FORS tree
73 if(internal_leaf.has_value() && (internal_idx ^ internal_leaf.value()) == 0x01U) {
74 auto auth_path_location = out_auth_path.get().subspan(h.get() * params.n(), params.n());
75 copy_into(auth_path_location, current_node);
76 }
77
78 // At this point we know that we'll need to use the stack. Get a
79 // reference to the correct location.
80 auto stack_location = std::span(stack).subspan(h.get() * params.n(), params.n());
81
82 // Check if we're at a left child; if so, stop going up the stack
83 // Exception: if we've reached the end of the tree, keep on going (so
84 // we combine the last 4 nodes into the one root node in two more
85 // iterations)
86 if((internal_idx & 1) == 0U && idx < max_idx) {
87 // We've hit a left child; save the current for when we get the
88 // corresponding right child.
89 copy_into(stack_location, current_node);
90 break;
91 }
92
93 // Ok, we're at a right node. Now combine the left and right logical
94 // nodes together.
95
96 // Set the address of the node we're creating.
97 internal_idx_offset /= 2;
98 tree_address.set_tree_height(h + 1);
99 tree_address.set_tree_index(internal_idx / 2 + internal_idx_offset);
100
101 hashes.T(current_node, tree_address, stack_location, current_node);
102
103 internal_idx /= 2;
104 if(internal_leaf.has_value()) {
105 internal_leaf.value() /= 2;
106 }
107 }
108 }
109}
underlying_span get() const

References BOTAN_ASSERT_NOMSG, Botan::StrongSpan< T >::get(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::StrongSpan< T >::size(), and Botan::Sphincs_Hash_Functions::T().

Referenced by fors_sign_and_pkgen(), and xmss_sign_and_pkgen().

◆ typecast_copy() [1/9]

template<typename To >
requires std::is_trivial<To>::value
constexpr To Botan::typecast_copy ( const uint8_t src[])
inlineconstexprnoexcept

Definition at line 251 of file mem_ops.h.

251 {
252 // asserts that *src points to the correct amount of memory
253 return typecast_copy<To>(std::span<const uint8_t, sizeof(To)>(src, sizeof(To)));
254}

◆ typecast_copy() [2/9]

template<typename ToT , ranges::contiguous_range FromR>
requires std::is_trivial_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
constexpr ToT Botan::typecast_copy ( FromR && src)
inlineconstexprnoexcept

Create a trivial type by bit-casting a range of trivially copyable type with matching length into it.

Definition at line 209 of file mem_ops.h.

209 {
210 ToT dst;
211 typecast_copy(dst, src);
212 return dst;
213}

References typecast_copy().

◆ typecast_copy() [3/9]

template<typename T >
requires std::is_trivial<typename std::decay<T>::type>::value
constexpr void Botan::typecast_copy ( T & out,
const uint8_t in[] )
inlineconstexpr

Definition at line 243 of file mem_ops.h.

243 {
244 // asserts that *in points to the correct amount of memory
245 typecast_copy(out, std::span<const uint8_t, sizeof(T)>(in, sizeof(T)));
246}

References T, and typecast_copy().

◆ typecast_copy() [4/9]

template<typename T >
requires std::is_trivial<T>::value
constexpr void Botan::typecast_copy ( T out[],
const uint8_t in[],
size_t N )
inlineconstexpr

Definition at line 226 of file mem_ops.h.

228{
229 // asserts that *in and *out point to the correct amount of memory
230 typecast_copy(std::span<T>(out, N), std::span<const uint8_t>(in, N * sizeof(T)));
231}

References T, and typecast_copy().

◆ typecast_copy() [5/9]

template<ranges::contiguous_output_range ToR, typename FromT >
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void Botan::typecast_copy ( ToR && out,
const FromT & in )
inlineconstexpr

Copy an instance of trivially copyable type into a range of trivially copyable type with matching length.

Definition at line 199 of file mem_ops.h.

199 {
200 typecast_copy(out, std::span<const FromT, 1>(&in, 1));
201}

References typecast_copy().

◆ typecast_copy() [6/9]

template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void Botan::typecast_copy ( ToR && out,
FromR && in )
inlineconstexpr

Copy a range of a trivially copyable type into another range of trivially copyable type of matching byte length.

Definition at line 176 of file mem_ops.h.

176 {
177 ranges::assert_equal_byte_lengths(out, in);
178 std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out));
179}

References Botan::ranges::assert_equal_byte_lengths(), and Botan::ranges::size_bytes().

Referenced by Botan::Roughtime::Response::from_bits(), load_be(), load_le(), store_be(), store_le(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), xor_buf(), and xor_buf().

◆ typecast_copy() [7/9]

template<typename ToT , ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
constexpr void Botan::typecast_copy ( ToT & out,
FromR && in )
inlineconstexprnoexcept

Copy a range of trivially copyable type into an instance of trivially copyable type with matching length.

Definition at line 188 of file mem_ops.h.

188 {
189 typecast_copy(std::span<ToT, 1>(&out, 1), in);
190}

References typecast_copy().

◆ typecast_copy() [8/9]

template<typename T >
constexpr void Botan::typecast_copy ( uint8_t out[],
const T & in )
inlineconstexpr

Definition at line 235 of file mem_ops.h.

235 {
236 // asserts that *out points to the correct amount of memory
237 typecast_copy(std::span<uint8_t, sizeof(T)>(out, sizeof(T)), in);
238}

References T, and typecast_copy().

◆ typecast_copy() [9/9]

template<typename T >
requires std::is_trivially_copyable<T>::value
constexpr void Botan::typecast_copy ( uint8_t out[],
T in[],
size_t N )
inlineconstexpr

Definition at line 217 of file mem_ops.h.

219{
220 // asserts that *in and *out point to the correct amount of memory
221 typecast_copy(std::span<uint8_t>(out, sizeof(T) * N), std::span<const T>(in, N));
222}

References T, and typecast_copy().

◆ ucs2_to_utf8()

BOTAN_TEST_API std::string Botan::ucs2_to_utf8 ( const uint8_t ucs2[],
size_t len )

Convert a sequence of UCS-2 (big endian) characters to a UTF-8 string This is used for ASN.1 BMPString type

Parameters
ucs2the sequence of UCS-2 characters
lenlength of ucs2 in bytes, must be a multiple of 2

Definition at line 54 of file charset.cpp.

54 {
55 if(len % 2 != 0) {
56 throw Decoding_Error("Invalid length for UCS-2 string");
57 }
58
59 const size_t chars = len / 2;
60
61 std::string s;
62 for(size_t i = 0; i != chars; ++i) {
63 const uint32_t c = load_be<uint16_t>(ucs2, i);
64 append_utf8_for(s, c);
65 }
66
67 return s;
68}

Referenced by Botan::ASN1_String::decode_from().

◆ ucs4_to_utf8()

BOTAN_TEST_API std::string Botan::ucs4_to_utf8 ( const uint8_t ucs4[],
size_t len )

Convert a sequence of UCS-4 (big endian) characters to a UTF-8 string This is used for ASN.1 UniversalString type

Parameters
ucs4the sequence of UCS-4 characters
lenlength of ucs4 in bytes, must be a multiple of 4

Definition at line 70 of file charset.cpp.

70 {
71 if(len % 4 != 0) {
72 throw Decoding_Error("Invalid length for UCS-4 string");
73 }
74
75 const size_t chars = len / 4;
76
77 std::string s;
78 for(size_t i = 0; i != chars; ++i) {
79 const uint32_t c = load_be<uint32_t>(ucs4, i);
80 append_utf8_for(s, c);
81 }
82
83 return s;
84}

Referenced by Botan::ASN1_String::decode_from().

◆ unlock()

template<typename T >
std::vector< T > Botan::unlock ( const secure_vector< T > & in)

◆ value_exists()

template<typename T , typename OT >
bool Botan::value_exists ( const std::vector< T > & vec,
const OT & val )

◆ var_ctz32()

constexpr size_t Botan::var_ctz32 ( uint32_t n)
inlineconstexpr

Definition at line 151 of file bit_ops.h.

151 {
152#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_ctz)
153 if(n == 0) {
154 return 32;
155 }
156 return __builtin_ctz(n);
157#else
158 return ctz<uint32_t>(n);
159#endif
160}

◆ vartime_divide()

BOTAN_TEST_API void Botan::vartime_divide ( const BigInt & x,
const BigInt & y,
BigInt & q,
BigInt & r )

BigInt Division

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 155 of file divide.cpp.

155 {
156 if(y_arg.is_zero()) {
157 throw Invalid_Argument("vartime_divide: cannot divide by zero");
158 }
159
160 const size_t y_words = y_arg.sig_words();
161
162 BOTAN_ASSERT_NOMSG(y_words > 0);
163
164 BigInt y = y_arg;
165
166 BigInt r = x;
167 BigInt q = BigInt::zero();
168 secure_vector<word> ws;
169
170 r.set_sign(BigInt::Positive);
171 y.set_sign(BigInt::Positive);
172
173 // Calculate shifts needed to normalize y with high bit set
174 const size_t shifts = y.top_bits_free();
175
176 y <<= shifts;
177 r <<= shifts;
178
179 // we know y has not changed size, since we only shifted up to set high bit
180 const size_t t = y_words - 1;
181 const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however
182
183 BOTAN_ASSERT_NOMSG(n >= t);
184
185 q.grow_to(n - t + 1);
186
187 word* q_words = q.mutable_data();
188
189 BigInt shifted_y = y << (BOTAN_MP_WORD_BITS * (n - t));
190
191 // Set q_{n-t} to number of times r > shifted_y
192 q_words[n - t] = r.reduce_below(shifted_y, ws);
193
194 const word y_t0 = y.word_at(t);
195 const word y_t1 = y.word_at(t - 1);
196 BOTAN_DEBUG_ASSERT((y_t0 >> (BOTAN_MP_WORD_BITS - 1)) == 1);
197
198 for(size_t j = n; j != t; --j) {
199 const word x_j0 = r.word_at(j);
200 const word x_j1 = r.word_at(j - 1);
201 const word x_j2 = r.word_at(j - 2);
202
203 word qjt = bigint_divop_vartime(x_j0, x_j1, y_t0);
204
205 qjt = CT::Mask<word>::is_equal(x_j0, y_t0).select(MP_WORD_MAX, qjt);
206
207 // Per HAC 14.23, this operation is required at most twice
208 qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
209 qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
210 BOTAN_DEBUG_ASSERT(division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2) == false);
211
212 shifted_y >>= BOTAN_MP_WORD_BITS;
213 // Now shifted_y == y << (BOTAN_MP_WORD_BITS * (j-t-1))
214
215 // TODO this sequence could be better
216 r -= qjt * shifted_y;
217 qjt -= r.is_negative();
218 r += static_cast<word>(r.is_negative()) * shifted_y;
219
220 q_words[j - t - 1] = qjt;
221 }
222
223 r >>= shifts;
224
225 sign_fixup(x, y_arg, q, r);
226
227 r_out = r;
228 q_out = q;
229}

References bigint_divop_vartime(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, Botan::BigInt::grow_to(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), MP_WORD_MAX, Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::reduce_below(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::top_bits_free(), Botan::BigInt::word_at(), and Botan::BigInt::zero().

Referenced by botan_mp_div(), operator%(), and operator/().

◆ version_cstr()

const char * Botan::version_cstr ( )

Same as version_string() except returning a pointer to a statically allocated string.

Returns
version string

Definition at line 33 of file version.cpp.

33 {
34 /*
35 It is intentional that this string is a compile-time constant;
36 it makes it much easier to find in binaries.
37 */
38
40#if defined(BOTAN_VERSION_SUFFIX)
41 STR(BOTAN_VERSION_SUFFIX)
42#endif
43 " ("
44#if defined(BOTAN_UNSAFE_FUZZER_MODE) || defined(BOTAN_TERMINATE_ON_ASSERTS)
45 "UNSAFE "
46 #if defined(BOTAN_UNSAFE_FUZZER_MODE)
47 "FUZZER MODE "
48 #endif
49 #if defined(BOTAN_TERMINATE_ON_ASSERTS)
50 "TERMINATE ON ASSERTS "
51 #endif
52 "BUILD "
53#endif
55#if(BOTAN_VERSION_DATESTAMP != 0)
57#endif
58 ", revision " BOTAN_VERSION_VC_REVISION ", distribution " BOTAN_DISTRIBUTION_INFO ")";
59}
#define BOTAN_DISTRIBUTION_INFO
Definition build.h:37
#define BOTAN_VERSION_VC_REVISION
Definition build.h:35
#define BOTAN_VERSION_DATESTAMP
Definition build.h:30
#define BOTAN_VERSION_RELEASE_TYPE
Definition build.h:33

References BOTAN_DISTRIBUTION_INFO, BOTAN_VERSION_DATESTAMP, BOTAN_VERSION_MAJOR, BOTAN_VERSION_MINOR, BOTAN_VERSION_PATCH, BOTAN_VERSION_RELEASE_TYPE, BOTAN_VERSION_VC_REVISION, and STR.

Referenced by botan_version_string(), and version_string().

◆ version_datestamp()

uint32_t Botan::version_datestamp ( )

Return the date this version of botan was released, in an integer of the form YYYYMMDD. For instance a version released on May 21, 2013 would return the integer 20130521. If the currently running version is not an official release, this function will return 0 instead.

Returns
release date, or zero if unreleased

Definition at line 75 of file version.cpp.

75 {
77}

References BOTAN_VERSION_DATESTAMP.

Referenced by botan_version_datestamp().

◆ version_major()

uint32_t Botan::version_major ( )

Get the major version number.

Returns
major version number

Definition at line 82 of file version.cpp.

82 {
84}

References BOTAN_VERSION_MAJOR.

Referenced by botan_version_major(), and runtime_version_check().

◆ version_minor()

uint32_t Botan::version_minor ( )

Get the minor version number.

Returns
minor version number

Definition at line 86 of file version.cpp.

86 {
88}

References BOTAN_VERSION_MINOR.

Referenced by botan_version_minor(), and runtime_version_check().

◆ version_patch()

uint32_t Botan::version_patch ( )

Get the patch number.

Returns
patch number

Definition at line 90 of file version.cpp.

90 {
92}

References BOTAN_VERSION_PATCH.

Referenced by botan_version_patch(), and runtime_version_check().

◆ version_string()

std::string Botan::version_string ( )

Get a human-readable string identifying the version of Botan. No particular format should be assumed.

Returns
version string

Definition at line 67 of file version.cpp.

67 {
68 return std::string(version_cstr());
69}
const char * version_cstr()
Definition version.cpp:33

References version_cstr().

◆ word3_add()

void Botan::word3_add ( word * w2,
word * w1,
word * w0,
word x )
inline

Definition at line 569 of file mp_asmi.h.

569 {
570#if defined(BOTAN_MP_USE_X86_32_ASM)
571 asm(R"(
572 addl %[x],%[w0]
573 adcl $0,%[w1]
574 adcl $0,%[w2]
575 )"
576 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
577 : [x] "r"(x), "0"(*w0), "1"(*w1), "2"(*w2)
578 : "cc");
579
580#elif defined(BOTAN_MP_USE_X86_64_ASM)
581 asm(R"(
582 addq %[x],%[w0]
583 adcq $0,%[w1]
584 adcq $0,%[w2]
585 )"
586 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
587 : [x] "r"(x), "0"(*w0), "1"(*w1), "2"(*w2)
588 : "cc");
589
590#else
591 *w0 += x;
592 word c1 = (*w0 < x);
593 *w1 += c1;
594 word c2 = (*w1 < c1);
595 *w2 += c2;
596#endif
597}

Referenced by bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), and bigint_monty_redc_generic().

◆ word3_muladd()

void Botan::word3_muladd ( word * w2,
word * w1,
word * w0,
word x,
word y )
inline

Definition at line 528 of file mp_asmi.h.

528 {
529#if defined(BOTAN_MP_USE_X86_32_ASM)
530 word z0 = 0, z1 = 0;
531
532 asm("mull %[y]" : "=a"(z0), "=d"(z1) : "a"(x), [y] "rm"(y) : "cc");
533
534 asm(R"(
535 addl %[z0],%[w0]
536 adcl %[z1],%[w1]
537 adcl $0,%[w2]
538 )"
539 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
540 : [z0] "r"(z0), [z1] "r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
541 : "cc");
542
543#elif defined(BOTAN_MP_USE_X86_64_ASM)
544 word z0 = 0, z1 = 0;
545
546 asm("mulq %[y]" : "=a"(z0), "=d"(z1) : "a"(x), [y] "rm"(y) : "cc");
547
548 asm(R"(
549 addq %[z0],%[w0]
550 adcq %[z1],%[w1]
551 adcq $0,%[w2]
552 )"
553 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
554 : [z0] "r"(z0), [z1] "r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
555 : "cc");
556
557#else
558 word carry = *w0;
559 *w0 = word_madd2(x, y, &carry);
560 *w1 += carry;
561 *w2 += (*w1 < carry);
562#endif
563}
word word_madd2(word a, word b, word *c)
Definition mp_asmi.h:44

References carry(), and word_madd2().

Referenced by bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), and bigint_monty_redc_generic().

◆ word3_muladd_2()

void Botan::word3_muladd_2 ( word * w2,
word * w1,
word * w0,
word x,
word y )
inline

Definition at line 603 of file mp_asmi.h.

603 {
604#if defined(BOTAN_MP_USE_X86_32_ASM)
605 word z0 = 0, z1 = 0;
606
607 asm("mull %[y]" : "=a"(z0), "=d"(z1) : "a"(x), [y] "rm"(y) : "cc");
608
609 asm(R"(
610 addl %[z0],%[w0]
611 adcl %[z1],%[w1]
612 adcl $0,%[w2]
613
614 addl %[z0],%[w0]
615 adcl %[z1],%[w1]
616 adcl $0,%[w2]
617 )"
618 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
619 : [z0] "r"(z0), [z1] "r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
620 : "cc");
621
622#elif defined(BOTAN_MP_USE_X86_64_ASM)
623 word z0 = 0, z1 = 0;
624
625 asm("mulq %[y]" : "=a"(z0), "=d"(z1) : "a"(x), [y] "rm"(y) : "cc");
626
627 asm(R"(
628 addq %[z0],%[w0]
629 adcq %[z1],%[w1]
630 adcq $0,%[w2]
631
632 addq %[z0],%[w0]
633 adcq %[z1],%[w1]
634 adcq $0,%[w2]
635 )"
636 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
637 : [z0] "r"(z0), [z1] "r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
638 : "cc");
639
640#else
641 word carry = 0;
642 x = word_madd2(x, y, &carry);
643 y = carry;
644
645 word top = (y >> (BOTAN_MP_WORD_BITS - 1));
646 y <<= 1;
647 y |= (x >> (BOTAN_MP_WORD_BITS - 1));
648 x <<= 1;
649
650 carry = 0;
651 *w0 = word_add(*w0, x, &carry);
652 *w1 = word_add(*w1, y, &carry);
653 *w2 = word_add(*w2, top, &carry);
654#endif
655}

References BOTAN_MP_WORD_BITS, carry(), word_add(), and word_madd2().

Referenced by bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), and bigint_comba_sqr9().

◆ word8_add2()

word Botan::word8_add2 ( word x[8],
const word y[8],
word carry )
inline

Definition at line 265 of file mp_asmi.h.

265 {
266#if defined(BOTAN_MP_USE_X86_32_ASM)
267 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcl"))
268 : [carry] "=r"(carry)
269 : [x] "r"(x), [y] "r"(y), "0"(carry)
270 : "cc", "memory");
271
272#elif defined(BOTAN_MP_USE_X86_64_ASM)
273
274 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq"))
275 : [carry] "=r"(carry)
276 : [x] "r"(x), [y] "r"(y), "0"(carry)
277 : "cc", "memory");
278
279#else
280 x[0] = word_add(x[0], y[0], &carry);
281 x[1] = word_add(x[1], y[1], &carry);
282 x[2] = word_add(x[2], y[2], &carry);
283 x[3] = word_add(x[3], y[3], &carry);
284 x[4] = word_add(x[4], y[4], &carry);
285 x[5] = word_add(x[5], y[5], &carry);
286 x[6] = word_add(x[6], y[6], &carry);
287 x[7] = word_add(x[7], y[7], &carry);
288#endif
289
290 return carry;
291}

References carry(), and word_add().

Referenced by bigint_add2_nc().

◆ word8_add3()

word Botan::word8_add3 ( word z[8],
const word x[8],
const word y[8],
word carry )
inline

Definition at line 296 of file mp_asmi.h.

296 {
297#if defined(BOTAN_MP_USE_X86_32_ASM)
298 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcl"))
299 : [carry] "=r"(carry)
300 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
301 : "cc", "memory");
302
303#elif defined(BOTAN_MP_USE_X86_64_ASM)
304 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq"))
305 : [carry] "=r"(carry)
306 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
307 : "cc", "memory");
308
309#else
310 z[0] = word_add(x[0], y[0], &carry);
311 z[1] = word_add(x[1], y[1], &carry);
312 z[2] = word_add(x[2], y[2], &carry);
313 z[3] = word_add(x[3], y[3], &carry);
314 z[4] = word_add(x[4], y[4], &carry);
315 z[5] = word_add(x[5], y[5], &carry);
316 z[6] = word_add(x[6], y[6], &carry);
317 z[7] = word_add(x[7], y[7], &carry);
318#endif
319
320 return carry;
321}

References carry(), and word_add().

Referenced by bigint_add3_nc(), bigint_cnd_add(), bigint_cnd_add_or_sub(), and bigint_cnd_addsub().

◆ word8_linmul2()

word Botan::word8_linmul2 ( word x[8],
word y,
word carry )
inline

Definition at line 443 of file mp_asmi.h.

443 {
444#if defined(BOTAN_MP_USE_X86_32_ASM)
445 asm(DO_8_TIMES(LINMUL_OP, "x") : [carry] "=r"(carry) : [x] "r"(x), [y] "rm"(y), "0"(carry) : "cc", "%eax", "%edx");
446
447#elif defined(BOTAN_MP_USE_X86_64_ASM)
448 asm(DO_8_TIMES(LINMUL_OP, "x") : [carry] "=r"(carry) : [x] "r"(x), [y] "rm"(y), "0"(carry) : "cc", "%rax", "%rdx");
449
450#else
451 x[0] = word_madd2(x[0], y, &carry);
452 x[1] = word_madd2(x[1], y, &carry);
453 x[2] = word_madd2(x[2], y, &carry);
454 x[3] = word_madd2(x[3], y, &carry);
455 x[4] = word_madd2(x[4], y, &carry);
456 x[5] = word_madd2(x[5], y, &carry);
457 x[6] = word_madd2(x[6], y, &carry);
458 x[7] = word_madd2(x[7], y, &carry);
459#endif
460
461 return carry;
462}

References carry(), and word_madd2().

Referenced by bigint_linmul2().

◆ word8_linmul3()

word Botan::word8_linmul3 ( word z[8],
const word x[8],
word y,
word carry )
inline

Definition at line 467 of file mp_asmi.h.

467 {
468#if defined(BOTAN_MP_USE_X86_32_ASM)
469 asm(DO_8_TIMES(LINMUL_OP, "z")
470 : [carry] "=r"(carry)
471 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
472 : "cc", "%eax", "%edx");
473
474#elif defined(BOTAN_MP_USE_X86_64_ASM)
475 asm(DO_8_TIMES(LINMUL_OP, "z")
476 : [carry] "=r"(carry)
477 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
478 : "cc", "%rax", "%rdx");
479
480#else
481 z[0] = word_madd2(x[0], y, &carry);
482 z[1] = word_madd2(x[1], y, &carry);
483 z[2] = word_madd2(x[2], y, &carry);
484 z[3] = word_madd2(x[3], y, &carry);
485 z[4] = word_madd2(x[4], y, &carry);
486 z[5] = word_madd2(x[5], y, &carry);
487 z[6] = word_madd2(x[6], y, &carry);
488 z[7] = word_madd2(x[7], y, &carry);
489#endif
490
491 return carry;
492}

References carry(), and word_madd2().

Referenced by bigint_linmul3().

◆ word8_madd3()

word Botan::word8_madd3 ( word z[8],
const word x[8],
word y,
word carry )
inline

Definition at line 497 of file mp_asmi.h.

497 {
498#if defined(BOTAN_MP_USE_X86_32_ASM)
499 asm(DO_8_TIMES(MULADD_OP, "")
500 : [carry] "=r"(carry)
501 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
502 : "cc", "%eax", "%edx");
503
504#elif defined(BOTAN_MP_USE_X86_64_ASM)
505 asm(DO_8_TIMES(MULADD_OP, "")
506 : [carry] "=r"(carry)
507 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
508 : "cc", "%rax", "%rdx");
509
510#else
511 z[0] = word_madd3(x[0], y, z[0], &carry);
512 z[1] = word_madd3(x[1], y, z[1], &carry);
513 z[2] = word_madd3(x[2], y, z[2], &carry);
514 z[3] = word_madd3(x[3], y, z[3], &carry);
515 z[4] = word_madd3(x[4], y, z[4], &carry);
516 z[5] = word_madd3(x[5], y, z[5], &carry);
517 z[6] = word_madd3(x[6], y, z[6], &carry);
518 z[7] = word_madd3(x[7], y, z[7], &carry);
519#endif
520
521 return carry;
522}

References carry(), and word_madd3().

Referenced by basecase_mul(), and basecase_sqr().

◆ word8_sub2()

word Botan::word8_sub2 ( word x[8],
const word y[8],
word carry )
inline

Definition at line 353 of file mp_asmi.h.

353 {
354#if defined(BOTAN_MP_USE_X86_32_ASM)
355 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbl"))
356 : [carry] "=r"(carry)
357 : [x] "r"(x), [y] "r"(y), "0"(carry)
358 : "cc", "memory");
359
360#elif defined(BOTAN_MP_USE_X86_64_ASM)
361 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq"))
362 : [carry] "=r"(carry)
363 : [x] "r"(x), [y] "r"(y), "0"(carry)
364 : "cc", "memory");
365
366#else
367 x[0] = word_sub(x[0], y[0], &carry);
368 x[1] = word_sub(x[1], y[1], &carry);
369 x[2] = word_sub(x[2], y[2], &carry);
370 x[3] = word_sub(x[3], y[3], &carry);
371 x[4] = word_sub(x[4], y[4], &carry);
372 x[5] = word_sub(x[5], y[5], &carry);
373 x[6] = word_sub(x[6], y[6], &carry);
374 x[7] = word_sub(x[7], y[7], &carry);
375#endif
376
377 return carry;
378}

References carry(), and word_sub().

Referenced by bigint_sub2().

◆ word8_sub2_rev()

word Botan::word8_sub2_rev ( word x[8],
const word y[8],
word carry )
inline

Definition at line 383 of file mp_asmi.h.

383 {
384#if defined(BOTAN_MP_USE_X86_32_ASM)
385 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbl"))
386 : [carry] "=r"(carry)
387 : [x] "r"(y), [y] "r"(x), [z] "r"(x), "0"(carry)
388 : "cc", "memory");
389
390#elif defined(BOTAN_MP_USE_X86_64_ASM)
391 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
392 : [carry] "=r"(carry)
393 : [x] "r"(y), [y] "r"(x), [z] "r"(x), "0"(carry)
394 : "cc", "memory");
395
396#else
397 x[0] = word_sub(y[0], x[0], &carry);
398 x[1] = word_sub(y[1], x[1], &carry);
399 x[2] = word_sub(y[2], x[2], &carry);
400 x[3] = word_sub(y[3], x[3], &carry);
401 x[4] = word_sub(y[4], x[4], &carry);
402 x[5] = word_sub(y[5], x[5], &carry);
403 x[6] = word_sub(y[6], x[6], &carry);
404 x[7] = word_sub(y[7], x[7], &carry);
405#endif
406
407 return carry;
408}

References carry(), and word_sub().

Referenced by bigint_sub2_rev().

◆ word8_sub3()

word Botan::word8_sub3 ( word z[8],
const word x[8],
const word y[8],
word carry )
inline

Definition at line 413 of file mp_asmi.h.

413 {
414#if defined(BOTAN_MP_USE_X86_32_ASM)
415 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbl"))
416 : [carry] "=r"(carry)
417 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
418 : "cc", "memory");
419
420#elif defined(BOTAN_MP_USE_X86_64_ASM)
421 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
422 : [carry] "=r"(carry)
423 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
424 : "cc", "memory");
425
426#else
427 z[0] = word_sub(x[0], y[0], &carry);
428 z[1] = word_sub(x[1], y[1], &carry);
429 z[2] = word_sub(x[2], y[2], &carry);
430 z[3] = word_sub(x[3], y[3], &carry);
431 z[4] = word_sub(x[4], y[4], &carry);
432 z[5] = word_sub(x[5], y[5], &carry);
433 z[6] = word_sub(x[6], y[6], &carry);
434 z[7] = word_sub(x[7], y[7], &carry);
435#endif
436
437 return carry;
438}

References carry(), and word_sub().

Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_sub3(), and bigint_sub_abs().

◆ word_add()

word Botan::word_add ( word x,
word y,
word * carry )
inline

Definition at line 237 of file mp_asmi.h.

237 {
238#if defined(BOTAN_MP_USE_X86_32_ASM)
239 asm(ADD_OR_SUBTRACT(ASM("adcl %[y],%[x]"))
240 : [x] "=r"(x), [carry] "=r"(*carry)
241 : "0"(x), [y] "rm"(y), "1"(*carry)
242 : "cc");
243 return x;
244
245#elif defined(BOTAN_MP_USE_X86_64_ASM)
246
247 asm(ADD_OR_SUBTRACT(ASM("adcq %[y],%[x]"))
248 : [x] "=r"(x), [carry] "=r"(*carry)
249 : "0"(x), [y] "rm"(y), "1"(*carry)
250 : "cc");
251 return x;
252
253#else
254 word z = x + y;
255 word c1 = (z < x);
256 z += *carry;
257 *carry = c1 | (z < *carry);
258 return z;
259#endif
260}

References carry().

Referenced by bigint_add2_nc(), bigint_add3_nc(), bigint_cnd_abs(), bigint_cnd_add(), bigint_cnd_add_or_sub(), bigint_cnd_addsub(), word3_muladd_2(), word8_add2(), and word8_add3().

◆ word_madd2()

word Botan::word_madd2 ( word a,
word b,
word * c )
inline

Definition at line 44 of file mp_asmi.h.

44 {
45#if defined(BOTAN_MP_USE_X86_32_ASM)
46 asm(R"(
47 mull %[b]
48 addl %[c],%[a]
49 adcl $0,%[carry]
50 )"
51 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*c)
52 : "0"(a), "1"(b), [c] "g"(*c)
53 : "cc");
54
55 return a;
56
57#elif defined(BOTAN_MP_USE_X86_64_ASM)
58 asm(R"(
59 mulq %[b]
60 addq %[c],%[a]
61 adcq $0,%[carry]
62 )"
63 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*c)
64 : "0"(a), "1"(b), [c] "g"(*c)
65 : "cc");
66
67 return a;
68
69#elif defined(BOTAN_MP_DWORD)
70 const BOTAN_MP_DWORD s = static_cast<BOTAN_MP_DWORD>(a) * b + *c;
71 *c = static_cast<word>(s >> BOTAN_MP_WORD_BITS);
72 return static_cast<word>(s);
73#else
74 static_assert(BOTAN_MP_WORD_BITS == 64, "Unexpected word size");
75
76 word hi = 0, lo = 0;
77
78 mul64x64_128(a, b, &lo, &hi);
79
80 lo += *c;
81 hi += (lo < *c); // carry?
82
83 *c = hi;
84 return lo;
85#endif
86}

References BOTAN_MP_WORD_BITS, carry(), and mul64x64_128().

Referenced by bigint_linmul2(), bigint_linmul3(), bigint_modop_vartime(), word3_muladd(), word3_muladd_2(), word8_linmul2(), and word8_linmul3().

◆ word_madd3()

word Botan::word_madd3 ( word a,
word b,
word c,
word * d )
inline

Definition at line 91 of file mp_asmi.h.

91 {
92#if defined(BOTAN_MP_USE_X86_32_ASM)
93 asm(R"(
94 mull %[b]
95
96 addl %[c],%[a]
97 adcl $0,%[carry]
98
99 addl %[d],%[a]
100 adcl $0,%[carry]
101 )"
102 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*d)
103 : "0"(a), "1"(b), [c] "g"(c), [d] "g"(*d)
104 : "cc");
105
106 return a;
107
108#elif defined(BOTAN_MP_USE_X86_64_ASM)
109 asm(R"(
110 mulq %[b]
111
112 addq %[c],%[a]
113 adcq $0,%[carry]
114
115 addq %[d],%[a]
116 adcq $0,%[carry]
117 )"
118 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*d)
119 : "0"(a), "1"(b), [c] "g"(c), [d] "g"(*d)
120 : "cc");
121
122 return a;
123
124#elif defined(BOTAN_MP_DWORD)
125 const BOTAN_MP_DWORD s = static_cast<BOTAN_MP_DWORD>(a) * b + c + *d;
126 *d = static_cast<word>(s >> BOTAN_MP_WORD_BITS);
127 return static_cast<word>(s);
128#else
129 static_assert(BOTAN_MP_WORD_BITS == 64, "Unexpected word size");
130
131 word hi = 0, lo = 0;
132
133 mul64x64_128(a, b, &lo, &hi);
134
135 lo += c;
136 hi += (lo < c); // carry?
137
138 lo += *d;
139 hi += (lo < *d); // carry?
140
141 *d = hi;
142 return lo;
143#endif
144}

References BOTAN_MP_WORD_BITS, carry(), and mul64x64_128().

Referenced by basecase_mul(), basecase_sqr(), and word8_madd3().

◆ word_sub()

word Botan::word_sub ( word x,
word y,
word * carry )
inline

Definition at line 326 of file mp_asmi.h.

326 {
327#if defined(BOTAN_MP_USE_X86_32_ASM)
328 asm(ADD_OR_SUBTRACT(ASM("sbbl %[y],%[x]"))
329 : [x] "=r"(x), [carry] "=r"(*carry)
330 : "0"(x), [y] "rm"(y), "1"(*carry)
331 : "cc");
332 return x;
333
334#elif defined(BOTAN_MP_USE_X86_64_ASM)
335 asm(ADD_OR_SUBTRACT(ASM("sbbq %[y],%[x]"))
336 : [x] "=r"(x), [carry] "=r"(*carry)
337 : "0"(x), [y] "rm"(y), "1"(*carry)
338 : "cc");
339 return x;
340
341#else
342 word t0 = x - y;
343 word c1 = (t0 > x);
344 word z = t0 - *carry;
345 *carry = c1 | (z > t0);
346 return z;
347#endif
348}

References carry().

Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_sub2(), bigint_sub2_rev(), bigint_sub3(), bigint_sub_abs(), word8_sub2(), word8_sub2_rev(), and word8_sub3().

◆ wots_public_key_from_signature()

BOTAN_TEST_API WotsPublicKey Botan::wots_public_key_from_signature ( const SphincsTreeNode & hashed_message,
StrongSpan< const WotsSignature > signature,
Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

Reconstructs the WOTS public key from a given WOTS signature and message. This is tailored for the use case in the SPHINCS+ implementation and is not meant for general usability.

Definition at line 97 of file sp_wots.cpp.

101 {
102 const std::vector<WotsHashIndex> lengths = chain_lengths(hashed_message, params);
103 WotsPublicKey pk_buffer(params.wots_len() * params.n());
104 BufferSlicer sig(signature);
105 BufferStuffer pk(pk_buffer);
106
107 for(WotsChainIndex i(0); i < params.wots_len(); i++) {
108 address.set_chain(i);
109
110 // params.w() can be one of {4, 8, 256}
111 const WotsHashIndex start_index = lengths[i.get()];
112 const uint8_t steps_to_take = static_cast<uint8_t>(params.w() - 1) - start_index.get();
113
114 gen_chain(pk.next<WotsPublicKeyNode>(params.n()),
115 sig.take<WotsNode>(params.n()),
116 start_index,
117 steps_to_take,
118 address,
119 hashes,
120 params);
121 }
122
123 return pk_buffer;
124}
Sphincs_Address & set_chain(WotsChainIndex chain)
Definition sp_address.h:79
uint32_t wots_len() const
std::vector< WotsHashIndex > chain_lengths(const SphincsTreeNode &msg, const Sphincs_Parameters &params)
Definition sp_wots.cpp:85

References chain_lengths(), Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_chain(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::w(), and Botan::Sphincs_Parameters::wots_len().

Referenced by ht_verify().

◆ wots_sign_and_pkgen()

BOTAN_TEST_API void Botan::wots_sign_and_pkgen ( StrongSpan< WotsSignature > sig_out,
StrongSpan< SphincsTreeNode > leaf_out,
const SphincsSecretSeed & secret_seed,
TreeNodeIndex leaf_idx,
std::optional< TreeNodeIndex > sign_leaf_idx,
const std::vector< WotsHashIndex > & wots_steps,
Sphincs_Address & leaf_addr,
Sphincs_Address & pk_addr,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

Implements a domain specific wrapper for the one-time signature scheme WOTS+ (Winternitz OTS). It is meant to be used inside SPHINCS+ and does not aim to be applicable for other use cases. If this function is not used in a signing operation (i.e. sign_leaf_idx is not set), wots_steps may be empty.

Definition at line 126 of file sp_wots.cpp.

135 {
136 // `wots_steps` are needed only if `sign_leaf_idx` is set
137 BOTAN_ASSERT_NOMSG(!sign_leaf_idx.has_value() || wots_steps.size() == params.wots_len());
138 BOTAN_ASSERT_NOMSG(pk_addr.get_type() == Sphincs_Address_Type::WotsPublicKeyCompression);
139
140 secure_vector<uint8_t> wots_sig;
141 WotsPublicKey wots_pk_buffer(params.wots_bytes());
142
143 BufferStuffer wots_pk(wots_pk_buffer);
144 BufferStuffer sig(sig_out);
145
146 leaf_addr.set_keypair(leaf_idx);
147 pk_addr.set_keypair(leaf_idx);
148
149 for(WotsChainIndex i(0); i < params.wots_len(); i++) {
150 // If the current leaf is part of the signature wots_k stores the chain index
151 // of the value neccessary for the signature. Otherwise: nullopt (no signature)
152 const auto wots_k = [&]() -> std::optional<WotsHashIndex> {
153 if(sign_leaf_idx.has_value() && leaf_idx == sign_leaf_idx.value()) {
154 return wots_steps[i.get()];
155 } else {
156 return std::nullopt;
157 }
158 }();
159
160 // Start with the secret seed
161 leaf_addr.set_chain(i);
162 leaf_addr.set_hash(WotsHashIndex(0));
163 leaf_addr.set_type(Sphincs_Address_Type::WotsKeyGeneration);
164
165 auto buffer_s = wots_pk.next<WotsNode>(params.n());
166
167 hashes.PRF(buffer_s, secret_seed, leaf_addr);
168
169 leaf_addr.set_type(Sphincs_Address_Type::WotsHash);
170
171 // Iterates down the WOTS chain
172 for(WotsHashIndex k(0);; k++) {
173 // Check if this is the value that needs to be saved as a part of the WOTS signature
174 if(wots_k.has_value() && k == wots_k.value()) {
175 std::copy(buffer_s.begin(), buffer_s.end(), sig.next<WotsNode>(params.n()).begin());
176 }
177
178 // Check if the top of the chain was hit
179 if(k == params.w() - 1) {
180 break;
181 }
182
183 // Iterate one step on the chain
184 leaf_addr.set_hash(k);
185
186 hashes.T(buffer_s, leaf_addr, buffer_s);
187 }
188 }
189
190 // Do the final thash to generate the public keys
191 hashes.T(leaf_out, pk_addr, wots_pk_buffer);
192}
Sphincs_Address_Type get_type() const
Definition sp_address.h:132
Sphincs_Address & set_keypair(TreeNodeIndex keypair)
Definition sp_address.h:74
Sphincs_Address & set_hash(WotsHashIndex hash)
Definition sp_address.h:84
Sphincs_Address & set_type(Sphincs_Address_Type type)
Definition sp_address.h:67
Strong< uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber > WotsHashIndex
Index of a hash application inside a single WOTS chain (integers in "base_w")
Definition sp_types.h:84
Strong< secure_vector< uint8_t >, struct WotsNode_ > WotsNode
Start (or intermediate) node of a WOTS+ chain.
Definition sp_types.h:65

References Botan::detail::Strong_Adapter< T >::begin(), BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::get_type(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_chain(), Botan::Sphincs_Address::set_hash(), Botan::Sphincs_Address::set_keypair(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), Botan::Sphincs_Parameters::w(), Botan::Sphincs_Parameters::wots_bytes(), Botan::Sphincs_Parameters::wots_len(), WotsHash, WotsKeyGeneration, and WotsPublicKeyCompression.

Referenced by xmss_sign_and_pkgen().

◆ x509_path_validate() [1/4]

Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > & end_certs,
const Path_Validation_Restrictions & restrictions,
const Certificate_Store & store,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certscertificate chain to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 913 of file x509path.cpp.

920 {
921 std::vector<Certificate_Store*> trusted_roots;
922 trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
923
924 return x509_path_validate(end_certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
925}
Path_Validation_Result x509_path_validate(const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Definition x509path.cpp:839

References x509_path_validate().

◆ x509_path_validate() [2/4]

Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > & end_certs,
const Path_Validation_Restrictions & restrictions,
const std::vector< Certificate_Store * > & trusted_roots,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certscertificate chain to validate (with end entity certificate in end_certs[0])
restrictionspath validation restrictions
trusted_rootslist of certificate stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation note: when enabled, OCSP check is softfail by default: if the OCSP server is not reachable, Path_Validation_Result::successful_validation() will return true. Hardfail OCSP check can be achieve by also calling Path_Validation_Result::no_warnings().

Definition at line 839 of file x509path.cpp.

846 {
847 if(end_certs.empty()) {
848 throw Invalid_Argument("x509_path_validate called with no subjects");
849 }
850
851 X509_Certificate end_entity = end_certs[0];
852 std::vector<X509_Certificate> end_entity_extra;
853 for(size_t i = 1; i < end_certs.size(); ++i) {
854 end_entity_extra.push_back(end_certs[i]);
855 }
856
857 std::vector<std::vector<X509_Certificate>> cert_paths;
858 Certificate_Status_Code path_building_result =
859 PKIX::build_all_certificate_paths(cert_paths, trusted_roots, end_entity, end_entity_extra);
860
861 // If we cannot successfully build a chain to a trusted self-signed root, stop now
862 if(path_building_result != Certificate_Status_Code::OK) {
863 return Path_Validation_Result(path_building_result);
864 }
865
866 std::vector<Path_Validation_Result> error_results;
867 // Try validating all the potentially valid paths and return the first one to validate properly
868 for(auto cert_path : cert_paths) {
869 CertificatePathStatusCodes status = PKIX::check_chain(cert_path, ref_time, hostname, usage, restrictions);
870
871 CertificatePathStatusCodes crl_status = PKIX::check_crl(cert_path, trusted_roots, ref_time);
872
873 CertificatePathStatusCodes ocsp_status;
874
875 if(!ocsp_resp.empty()) {
876 ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time, restrictions);
877 }
878
879 if(ocsp_status.empty() && ocsp_timeout != std::chrono::milliseconds(0)) {
880#if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
881 ocsp_status = PKIX::check_ocsp_online(cert_path, trusted_roots, ref_time, ocsp_timeout, restrictions);
882#else
883 ocsp_status.resize(1);
884 ocsp_status[0].insert(Certificate_Status_Code::OCSP_NO_HTTP);
885#endif
886 }
887
888 PKIX::merge_revocation_status(status, crl_status, ocsp_status, restrictions);
889
890 Path_Validation_Result pvd(status, std::move(cert_path));
891 if(pvd.successful_validation()) {
892 return pvd;
893 } else {
894 error_results.push_back(std::move(pvd));
895 }
896 }
897 return error_results[0];
898}
std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
Definition x509path.h:29
Certificate_Status_Code
Definition pkix_enums.h:20

References Botan::PKIX::build_all_certificate_paths(), Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), Botan::PKIX::check_ocsp(), Botan::PKIX::merge_revocation_status(), OCSP_NO_HTTP, OK, and Botan::Path_Validation_Result::successful_validation().

Referenced by botan_x509_cert_verify(), botan_x509_cert_verify_with_crl(), Botan::TLS::Callbacks::tls_verify_cert_chain(), x509_path_validate(), x509_path_validate(), and x509_path_validate().

◆ x509_path_validate() [3/4]

Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate & end_cert,
const Path_Validation_Restrictions & restrictions,
const Certificate_Store & store,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 927 of file x509path.cpp.

934 {
935 std::vector<X509_Certificate> certs;
936 certs.push_back(end_cert);
937
938 std::vector<Certificate_Store*> trusted_roots;
939 trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
940
941 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
942}

References x509_path_validate().

◆ x509_path_validate() [4/4]

Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate & end_cert,
const Path_Validation_Restrictions & restrictions,
const std::vector< Certificate_Store * > & trusted_roots,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
trusted_rootslist of stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 900 of file x509path.cpp.

907 {
908 std::vector<X509_Certificate> certs;
909 certs.push_back(end_cert);
910 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
911}

References x509_path_validate().

◆ xmss_gen_root()

SphincsTreeNode Botan::xmss_gen_root ( const Sphincs_Parameters & params,
const SphincsSecretSeed & secret_seed,
Sphincs_Hash_Functions & hashes )

Definition at line 58 of file sp_xmss.cpp.

60 {
61 // We do not need the a sig/auth path in key generation, but it simplifies the
62 // code to have just one treehash routine that computes both root and path
63 // in one function.
64 SphincsXmssSignature dummy_sig(params.xmss_tree_height() * params.n() + params.wots_bytes());
65 SphincsTreeNode dummy_root(params.n());
66
67 Sphincs_Address top_tree_addr(Sphincs_Address_Type::HashTree);
68 Sphincs_Address wots_addr(Sphincs_Address_Type::WotsPublicKeyCompression);
69
70 top_tree_addr.set_layer(HypertreeLayerIndex(params.d() - 1));
71 wots_addr.set_layer(HypertreeLayerIndex(params.d() - 1));
72
73 SphincsTreeNode root =
74 xmss_sign_and_pkgen(dummy_sig, dummy_root, secret_seed, wots_addr, top_tree_addr, std::nullopt, params, hashes);
75
76 return root;
77}

References Botan::Sphincs_Parameters::d(), HashTree, Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_layer(), Botan::Sphincs_Parameters::wots_bytes(), WotsPublicKeyCompression, xmss_sign_and_pkgen(), and Botan::Sphincs_Parameters::xmss_tree_height().

Referenced by Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey().

◆ xmss_sign_and_pkgen()

SphincsTreeNode Botan::xmss_sign_and_pkgen ( StrongSpan< SphincsXmssSignature > out_sig,
const SphincsTreeNode & root,
const SphincsSecretSeed & secret_seed,
Sphincs_Address & wots_addr,
Sphincs_Address & tree_addr,
std::optional< TreeNodeIndex > idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

This generates a Merkle signature of root. The Merkle authentication path logic is mostly hidden in treehash_spec. The WOTS signature followed by the Merkle authentication path are stored in out_sig, the new root of the Merkle tree is stored in out_root. Set idx_leaf to std::nullopt if no signature is desired.

Definition at line 19 of file sp_xmss.cpp.

26 {
27 BufferStuffer sig(out_sig);
28 auto wots_bytes_s = sig.next<WotsSignature>(params.wots_bytes());
29 auto auth_path_s = sig.next<SphincsAuthenticationPath>(sig.remaining_capacity());
30
31 const auto steps = [&]() -> std::vector<WotsHashIndex> {
32 // if `idx_leaf` is not set, we don't want to calculate a signature and
33 // therefore won't need to bother preparing the chain lengths either.
34 if(idx_leaf.has_value()) {
35 return chain_lengths(root, params);
36 } else {
37 return {};
38 };
39 }();
40
41 Sphincs_Address leaf_addr = Sphincs_Address::as_subtree_from(wots_addr);
42 Sphincs_Address pk_addr = Sphincs_Address::as_subtree_from(wots_addr);
43
44 pk_addr.set_type(Sphincs_Address_Type::WotsPublicKeyCompression);
45
46 GenerateLeafFunction xmss_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
48 wots_bytes_s, out_root, secret_seed, address_index, idx_leaf, steps, leaf_addr, pk_addr, params, hashes);
49 };
50
51 SphincsTreeNode next_root(params.n());
52 BOTAN_ASSERT_NOMSG(tree_addr.get_type() == Sphincs_Address_Type::HashTree);
53 treehash(next_root, auth_path_s, params, hashes, idx_leaf, 0, params.xmss_tree_height(), xmss_gen_leaf, tree_addr);
54
55 return next_root;
56}
void wots_sign_and_pkgen(StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
Definition sp_wots.cpp:126
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:78
void treehash(StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)

References Botan::Sphincs_Address::as_subtree_from(), BOTAN_ASSERT_NOMSG, chain_lengths(), Botan::Sphincs_Address::get_type(), HashTree, Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::Sphincs_Address::set_type(), treehash(), Botan::Sphincs_Parameters::wots_bytes(), wots_sign_and_pkgen(), WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().

Referenced by ht_sign(), and xmss_gen_root().

◆ xor_buf() [1/7]

constexpr void Botan::xor_buf ( ranges::contiguous_output_range< uint8_t > auto && out,
ranges::contiguous_range< uint8_t > auto && in )
inlineconstexpr

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output range
inthe read-only input range

Definition at line 340 of file mem_ops.h.

341 {
342 ranges::assert_equal_byte_lengths(out, in);
343
344 std::span o{out};
345 std::span i{in};
346
347 for(; o.size_bytes() >= 32; o = o.subspan(32), i = i.subspan(32)) {
348 auto x = typecast_copy<std::array<uint64_t, 4>>(o.template first<32>());
349 const auto y = typecast_copy<std::array<uint64_t, 4>>(i.template first<32>());
350
351 x[0] ^= y[0];
352 x[1] ^= y[1];
353 x[2] ^= y[2];
354 x[3] ^= y[3];
355
356 typecast_copy(o.template first<32>(), x);
357 }
358
359 for(size_t off = 0; off != o.size_bytes(); ++off) {
360 o[off] ^= i[off];
361 }
362}

References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::Salsa20::cipher_bytes(), Botan::Lion::decrypt_n(), Botan::BlockCipher::decrypt_n_xex(), Botan::Block_Cipher_Fixed_Params< BS, KMIN, KMAX, KMOD, BaseClass >::decrypt_n_xex(), Botan::Lion::encrypt_n(), Botan::BlockCipher::encrypt_n_xex(), Botan::Block_Cipher_Fixed_Params< BS, KMIN, KMAX, KMOD, BaseClass >::encrypt_n_xex(), mgf1_mask(), operator^(), Botan::OctetString::operator^=(), operator^=(), pbkdf2(), Botan::SIV_Mode::S2V(), xor_buf(), xor_buf(), xor_buf(), xor_buf(), and xor_buf().

◆ xor_buf() [2/7]

constexpr void Botan::xor_buf ( ranges::contiguous_output_range< uint8_t > auto && out,
ranges::contiguous_range< uint8_t > auto && in1,
ranges::contiguous_range< uint8_t > auto && in2 )
inlineconstexpr

XOR arrays. Postcondition out[i] = in1[i] ^ in2[i] forall i = 0...length

Parameters
outthe output range
in1the first input range
in2the second input range

Definition at line 370 of file mem_ops.h.

372 {
373 ranges::assert_equal_byte_lengths(out, in1, in2);
374
375 std::span o{out};
376 std::span i1{in1};
377 std::span i2{in2};
378
379 for(; o.size_bytes() >= 32; o = o.subspan(32), i1 = i1.subspan(32), i2 = i2.subspan(32)) {
380 auto x = typecast_copy<std::array<uint64_t, 4>>(i1.template first<32>());
381 const auto y = typecast_copy<std::array<uint64_t, 4>>(i2.template first<32>());
382
383 x[0] ^= y[0];
384 x[1] ^= y[1];
385 x[2] ^= y[2];
386 x[3] ^= y[3];
387
388 typecast_copy(o.template first<32>(), x);
389 }
390
391 for(size_t off = 0; off != o.size_bytes(); ++off) {
392 o[off] = i1[off] ^ i2[off];
393 }
394}

References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().

◆ xor_buf() [3/7]

void Botan::xor_buf ( std::span< uint8_t > out,
std::span< const uint8_t > in,
size_t n )
inline

Definition at line 420 of file mem_ops.h.

420 {
421 BOTAN_ARG_CHECK(out.size() >= n, "output span is too small");
422 BOTAN_ARG_CHECK(in.size() >= n, "input span is too small");
423 xor_buf(out.first(n), in.first(n));
424}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [4/7]

template<typename Alloc , typename Alloc2 >
void Botan::xor_buf ( std::vector< uint8_t, Alloc > & out,
const uint8_t * in,
const std::vector< uint8_t, Alloc2 > & in2,
size_t n )

Definition at line 436 of file mem_ops.h.

436 {
437 BOTAN_ARG_CHECK(out.size() >= n, "output vector is too small");
438 BOTAN_ARG_CHECK(in2.size() >= n, "input vector is too small");
439 // simply assumes that *in points to "n" allocated bytes at least
440 xor_buf(std::span{out}.first(n), std::span{in, n}, std::span{in2}.first(n));
441}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [5/7]

template<typename Alloc >
void Botan::xor_buf ( std::vector< uint8_t, Alloc > & out,
const uint8_t * in,
size_t n )

Definition at line 428 of file mem_ops.h.

428 {
429 BOTAN_ARG_CHECK(out.size() >= n, "output vector is too small");
430 // simply assumes that *in points to "n" allocated bytes at least
431 xor_buf(std::span{out}.first(n), std::span{in, n});
432}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [6/7]

void Botan::xor_buf ( uint8_t out[],
const uint8_t in[],
const uint8_t in2[],
size_t length )
inline

XOR arrays. Postcondition out[i] = in[i] ^ in2[i] forall i = 0...length

Parameters
outthe output buffer
inthe first input buffer
in2the second input buffer
lengththe length of the three buffers

Definition at line 414 of file mem_ops.h.

414 {
415 // simply assumes that *out, *in, and *in2 point to "length" allocated bytes at least
416 xor_buf(std::span{out, length}, std::span{in, length}, std::span{in2, length});
417}

References xor_buf().

◆ xor_buf() [7/7]

void Botan::xor_buf ( uint8_t out[],
const uint8_t in[],
size_t length )
inline

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output buffer
inthe read-only input buffer
lengththe length of the buffers

Definition at line 402 of file mem_ops.h.

402 {
403 // simply assumes that *out and *in point to "length" allocated bytes at least
404 xor_buf(std::span{out, length}, std::span{in, length});
405}

References xor_buf().

◆ zap()

template<typename T , typename Alloc >
void Botan::zap ( std::vector< T, Alloc > & vec)

◆ zeroise()

template<typename T , typename Alloc >
void Botan::zeroise ( std::vector< T, Alloc > & vec)

Variable Documentation

◆ BLAKE2B_BLOCKBYTES

constexpr size_t Botan::BLAKE2B_BLOCKBYTES = 128
constexpr

Definition at line 21 of file blake2b.h.

Referenced by Botan::BLAKE2b::add_data().

◆ HEX_CODEC_BUFFER_SIZE

const size_t Botan::HEX_CODEC_BUFFER_SIZE = 256

Size used for internal buffer in hex encoder/decoder

Definition at line 19 of file hex_filt.cpp.

Referenced by Botan::Hex_Decoder::Hex_Decoder(), Botan::Hex_Encoder::Hex_Encoder(), and Botan::Hex_Encoder::Hex_Encoder().

◆ is_strong_type_v

template<typename... Ts>
constexpr bool Botan::is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value
constexpr

Definition at line 34 of file concepts.h.

◆ MAX_EXT_DEG

const size_t Botan::MAX_EXT_DEG = 16

Definition at line 18 of file gf2m_small_m.cpp.

◆ MP_WORD_MAX

const word Botan::MP_WORD_MAX = ~static_cast<word>(0)

Definition at line 22 of file mp_core.h.

Referenced by monty_inverse(), redc_p521(), and vartime_divide().

◆ PRIME_TABLE_SIZE

const size_t Botan::PRIME_TABLE_SIZE = 6541

The size of the PRIMES[] array

Definition at line 167 of file numthry.h.

Referenced by Botan::DL_Group::DL_Group(), is_prime(), and random_prime().

◆ PRIMES

const uint16_t Botan::PRIMES

A const array of all odd primes less than 65535

Definition at line 12 of file primes.cpp.

12 {
13 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
14 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
15 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
16 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313,
17 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419,
18 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509,
19 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617,
20 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727,
21 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829,
22 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947,
23 953, 967, 971, 977, 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051,
24 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 1171,
25 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
26 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427,
27 1429, 1433, 1439, 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523,
28 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, 1621,
29 1627, 1637, 1657, 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753,
30 1759, 1777, 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879,
31 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011,
32 2017, 2027, 2029, 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131,
33 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, 2269,
34 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, 2381,
35 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521,
36 2531, 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
37 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 2749,
38 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879,
39 2887, 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, 3019,
40 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169,
41 3181, 3187, 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 3307,
42 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433,
43 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, 3547,
44 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 3673,
45 3677, 3691, 3697, 3701, 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803,
46 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, 3929,
47 3931, 3943, 3947, 3967, 3989, 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
48 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, 4217,
49 4219, 4229, 4231, 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339,
50 4349, 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483,
51 4493, 4507, 4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637,
52 4639, 4643, 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, 4759,
53 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919,
54 4931, 4933, 4937, 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, 5021,
55 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 5171,
56 5179, 5189, 5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 5323,
57 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, 5449,
58 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
59 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 5717,
60 5737, 5741, 5743, 5749, 5779, 5783, 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851,
61 5857, 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, 6011,
62 6029, 6037, 6043, 6047, 6053, 6067, 6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143,
63 6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, 6277,
64 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389,
65 6397, 6421, 6427, 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569,
66 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, 6703,
67 6709, 6719, 6733, 6737, 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, 6841,
68 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 6977,
69 6983, 6991, 6997, 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
70 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283,
71 7297, 7307, 7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459,
72 7477, 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, 7573,
73 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699,
74 7703, 7717, 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 7867,
75 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011,
76 8017, 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, 8167,
77 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, 8293,
78 8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, 8447,
79 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, 8623,
80 8627, 8629, 8641, 8647, 8663, 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
81 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, 8863,
82 8867, 8887, 8893, 8923, 8929, 8933, 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013,
83 9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, 9173,
84 9181, 9187, 9199, 9203, 9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319,
85 9323, 9337, 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437,
86 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601,
87 9613, 9619, 9623, 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, 9739,
88 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, 9859,
89 9871, 9883, 9887, 9901, 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, 10039,
90 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169,
91 10177, 10181, 10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
92 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, 10463,
93 10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631,
94 10639, 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, 10781,
95 10789, 10799, 10831, 10837, 10847, 10853, 10859, 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939,
96 10949, 10957, 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, 11093,
97 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257,
98 11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, 11411,
99 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, 11579,
100 11587, 11593, 11597, 11617, 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743,
101 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, 11897,
102 11903, 11909, 11923, 11927, 11933, 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
103 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, 12163,
104 12197, 12203, 12211, 12227, 12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329,
105 12343, 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479,
106 12487, 12491, 12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601,
107 12611, 12613, 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, 12743,
108 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911,
109 12917, 12919, 12923, 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, 13037,
110 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183,
111 13187, 13217, 13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, 13339,
112 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, 13513,
113 13523, 13537, 13553, 13567, 13577, 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
114 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, 13807,
115 13829, 13831, 13841, 13859, 13873, 13877, 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963,
116 13967, 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, 14149,
117 14153, 14159, 14173, 14177, 14197, 14207, 14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327,
118 14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, 14479,
119 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629,
120 14633, 14639, 14653, 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759,
121 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, 14891,
122 14897, 14923, 14929, 14939, 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, 15077,
123 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, 15227,
124 15233, 15241, 15259, 15263, 15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
125 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493,
126 15497, 15511, 15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647,
127 15649, 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, 15787,
128 15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923,
129 15937, 15959, 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, 16091,
130 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253,
131 16267, 16273, 16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, 16433,
132 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, 16607,
133 16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, 16759,
134 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, 16931,
135 16937, 16943, 16963, 16979, 16981, 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
136 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, 17239,
137 17257, 17291, 17293, 17299, 17317, 17321, 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393,
138 17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, 17539,
139 17551, 17569, 17573, 17579, 17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707,
140 17713, 17729, 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881,
141 17891, 17903, 17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971, 17977, 17981, 17987, 17989, 18013,
142 18041, 18043, 18047, 18049, 18059, 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143, 18149,
143 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233, 18251, 18253, 18257, 18269, 18287, 18289, 18301,
144 18307, 18311, 18313, 18329, 18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, 18433, 18439, 18443,
145 18451, 18457, 18461, 18481, 18493, 18503, 18517, 18521, 18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617,
146 18637, 18661, 18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749, 18757, 18773, 18787, 18793, 18797,
147 18803, 18839, 18859, 18869, 18899, 18911, 18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009, 19013,
148 19031, 19037, 19051, 19069, 19073, 19079, 19081, 19087, 19121, 19139, 19141, 19157, 19163, 19181, 19183, 19207,
149 19211, 19213, 19219, 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319, 19333, 19373, 19379,
150 19381, 19387, 19391, 19403, 19417, 19421, 19423, 19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471,
151 19477, 19483, 19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, 19577, 19583, 19597, 19603, 19609,
152 19661, 19681, 19687, 19697, 19699, 19709, 19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793, 19801,
153 19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891, 19913, 19919, 19927, 19937, 19949, 19961, 19963,
154 19973, 19979, 19991, 19993, 19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071, 20089, 20101, 20107,
155 20113, 20117, 20123, 20129, 20143, 20147, 20149, 20161, 20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249,
156 20261, 20269, 20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357, 20359, 20369, 20389, 20393, 20399,
157 20407, 20411, 20431, 20441, 20443, 20477, 20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551, 20563,
158 20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693, 20707, 20717, 20719, 20731, 20743, 20747, 20749,
159 20753, 20759, 20771, 20773, 20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897, 20899, 20903, 20921,
160 20929, 20939, 20947, 20959, 20963, 20981, 20983, 21001, 21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061,
161 21067, 21089, 21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169, 21179, 21187, 21191, 21193, 21211,
162 21221, 21227, 21247, 21269, 21277, 21283, 21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383, 21391,
163 21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491, 21493, 21499, 21503, 21517, 21521, 21523, 21529,
164 21557, 21559, 21563, 21569, 21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647, 21649, 21661, 21673,
165 21683, 21701, 21713, 21727, 21737, 21739, 21751, 21757, 21767, 21773, 21787, 21799, 21803, 21817, 21821, 21839,
166 21841, 21851, 21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943, 21961, 21977, 21991, 21997, 22003,
167 22013, 22027, 22031, 22037, 22039, 22051, 22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123, 22129,
168 22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229, 22247, 22259, 22271, 22273, 22277, 22279, 22283,
169 22291, 22303, 22307, 22343, 22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441, 22447, 22453, 22469,
170 22481, 22483, 22501, 22511, 22531, 22541, 22543, 22549, 22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639,
171 22643, 22651, 22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727, 22739, 22741, 22751, 22769, 22777,
172 22783, 22787, 22807, 22811, 22817, 22853, 22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943, 22961,
173 22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029, 23039, 23041, 23053, 23057, 23059, 23063, 23071,
174 23081, 23087, 23099, 23117, 23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203, 23209, 23227, 23251,
175 23269, 23279, 23291, 23293, 23297, 23311, 23321, 23327, 23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431,
176 23447, 23459, 23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561, 23563, 23567, 23581, 23593, 23599,
177 23603, 23609, 23623, 23627, 23629, 23633, 23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743, 23747,
178 23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827, 23831, 23833, 23857, 23869, 23873, 23879, 23887,
179 23893, 23899, 23909, 23911, 23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007, 24019, 24023, 24029,
180 24043, 24049, 24061, 24071, 24077, 24083, 24091, 24097, 24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151,
181 24169, 24179, 24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281, 24317, 24329, 24337, 24359, 24371,
182 24373, 24379, 24391, 24407, 24413, 24419, 24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517, 24527,
183 24533, 24547, 24551, 24571, 24593, 24611, 24623, 24631, 24659, 24671, 24677, 24683, 24691, 24697, 24709, 24733,
184 24749, 24763, 24767, 24781, 24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877, 24889, 24907, 24917,
185 24919, 24923, 24943, 24953, 24967, 24971, 24977, 24979, 24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087,
186 25097, 25111, 25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183, 25189, 25219, 25229, 25237, 25243,
187 25247, 25253, 25261, 25301, 25303, 25307, 25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391, 25409,
188 25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471, 25523, 25537, 25541, 25561, 25577, 25579, 25583,
189 25589, 25601, 25603, 25609, 25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693, 25703, 25717, 25733,
190 25741, 25747, 25759, 25763, 25771, 25793, 25799, 25801, 25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903,
191 25913, 25919, 25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999, 26003, 26017, 26021, 26029, 26041,
192 26053, 26083, 26099, 26107, 26111, 26113, 26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203, 26209,
193 26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297, 26309, 26317, 26321, 26339, 26347, 26357, 26371,
194 26387, 26393, 26399, 26407, 26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497, 26501, 26513, 26539,
195 26557, 26561, 26573, 26591, 26597, 26627, 26633, 26641, 26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701,
196 26711, 26713, 26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801, 26813, 26821, 26833, 26839, 26849,
197 26861, 26863, 26879, 26881, 26891, 26893, 26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987, 26993,
198 27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077, 27091, 27103, 27107, 27109, 27127, 27143, 27179,
199 27191, 27197, 27211, 27239, 27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329, 27337, 27361, 27367,
200 27397, 27407, 27409, 27427, 27431, 27437, 27449, 27457, 27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541,
201 27551, 27581, 27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691, 27697, 27701, 27733, 27737, 27739,
202 27743, 27749, 27751, 27763, 27767, 27773, 27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827, 27847,
203 27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947, 27953, 27961, 27967, 27983, 27997, 28001, 28019,
204 28027, 28031, 28051, 28057, 28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151, 28163, 28181, 28183,
205 28201, 28211, 28219, 28229, 28277, 28279, 28283, 28289, 28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393,
206 28403, 28409, 28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499, 28513, 28517, 28537, 28541, 28547,
207 28549, 28559, 28571, 28573, 28579, 28591, 28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649, 28657,
208 28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729, 28751, 28753, 28759, 28771, 28789, 28793, 28807,
209 28813, 28817, 28837, 28843, 28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933, 28949, 28961, 28979,
210 29009, 29017, 29021, 29023, 29027, 29033, 29059, 29063, 29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153,
211 29167, 29173, 29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251, 29269, 29287, 29297, 29303, 29311,
212 29327, 29333, 29339, 29347, 29363, 29383, 29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443, 29453,
213 29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573, 29581, 29587, 29599, 29611, 29629, 29633, 29641,
214 29663, 29669, 29671, 29683, 29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819, 29833, 29837, 29851,
215 29863, 29867, 29873, 29879, 29881, 29917, 29921, 29927, 29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047,
216 30059, 30071, 30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137, 30139, 30161, 30169, 30181, 30187,
217 30197, 30203, 30211, 30223, 30241, 30253, 30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341, 30347,
218 30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469, 30491, 30493, 30497, 30509, 30517, 30529, 30539,
219 30553, 30557, 30559, 30577, 30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689, 30697, 30703, 30707,
220 30713, 30727, 30757, 30763, 30773, 30781, 30803, 30809, 30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869,
221 30871, 30881, 30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983, 31013, 31019, 31033, 31039, 31051,
222 31063, 31069, 31079, 31081, 31091, 31121, 31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183, 31189,
223 31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259, 31267, 31271, 31277, 31307, 31319, 31321, 31327,
224 31333, 31337, 31357, 31379, 31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511, 31513, 31517, 31531,
225 31541, 31543, 31547, 31567, 31573, 31583, 31601, 31607, 31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699,
226 31721, 31723, 31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817, 31847, 31849, 31859, 31873, 31883,
227 31891, 31907, 31957, 31963, 31973, 31981, 31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063, 32069,
228 32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159, 32173, 32183, 32189, 32191, 32203, 32213, 32233,
229 32237, 32251, 32257, 32261, 32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353, 32359, 32363, 32369,
230 32371, 32377, 32381, 32401, 32411, 32413, 32423, 32429, 32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507,
231 32531, 32533, 32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609, 32611, 32621, 32633, 32647, 32653,
232 32687, 32693, 32707, 32713, 32717, 32719, 32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831, 32833,
233 32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939, 32941, 32957, 32969, 32971, 32983, 32987, 32993,
234 32999, 33013, 33023, 33029, 33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113, 33119, 33149, 33151,
235 33161, 33179, 33181, 33191, 33199, 33203, 33211, 33223, 33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331,
236 33343, 33347, 33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427, 33457, 33461, 33469, 33479, 33487,
237 33493, 33503, 33521, 33529, 33533, 33547, 33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613, 33617,
238 33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713, 33721, 33739, 33749, 33751, 33757, 33767, 33769,
239 33773, 33791, 33797, 33809, 33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893, 33911, 33923, 33931,
240 33937, 33941, 33961, 33967, 33997, 34019, 34031, 34033, 34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147,
241 34157, 34159, 34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261, 34267, 34273, 34283, 34297, 34301,
242 34303, 34313, 34319, 34327, 34337, 34351, 34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457, 34469,
243 34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537, 34543, 34549, 34583, 34589, 34591, 34603, 34607,
244 34613, 34631, 34649, 34651, 34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739, 34747, 34757, 34759,
245 34763, 34781, 34807, 34819, 34841, 34843, 34847, 34849, 34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949,
246 34961, 34963, 34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083, 35089, 35099, 35107, 35111, 35117,
247 35129, 35141, 35149, 35153, 35159, 35171, 35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291, 35311,
248 35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401, 35407, 35419, 35423, 35437, 35447, 35449, 35461,
249 35491, 35507, 35509, 35521, 35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593, 35597, 35603, 35617,
250 35671, 35677, 35729, 35731, 35747, 35753, 35759, 35771, 35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851,
251 35863, 35869, 35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969, 35977, 35983, 35993, 35999, 36007,
252 36011, 36013, 36017, 36037, 36061, 36067, 36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161, 36187,
253 36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277, 36293, 36299, 36307, 36313, 36319, 36341, 36343,
254 36353, 36373, 36383, 36389, 36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497, 36523, 36527, 36529,
255 36541, 36551, 36559, 36563, 36571, 36583, 36587, 36599, 36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683,
256 36691, 36697, 36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781, 36787, 36791, 36793, 36809, 36821,
257 36833, 36847, 36857, 36871, 36877, 36887, 36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947, 36973,
258 36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057, 37061, 37087, 37097, 37117, 37123, 37139, 37159,
259 37171, 37181, 37189, 37199, 37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309, 37313, 37321, 37337,
260 37339, 37357, 37361, 37363, 37369, 37379, 37397, 37409, 37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501,
261 37507, 37511, 37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573, 37579, 37589, 37591, 37607, 37619,
262 37633, 37643, 37649, 37657, 37663, 37691, 37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813, 37831,
263 37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951, 37957, 37963, 37967, 37987, 37991, 37993, 37997,
264 38011, 38039, 38047, 38053, 38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183, 38189, 38197, 38201,
265 38219, 38231, 38237, 38239, 38261, 38273, 38281, 38287, 38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351,
266 38371, 38377, 38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543, 38557, 38561, 38567, 38569, 38593,
267 38603, 38609, 38611, 38629, 38639, 38651, 38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713, 38723,
268 38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821, 38833, 38839, 38851, 38861, 38867, 38873, 38891,
269 38903, 38917, 38921, 38923, 38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041, 39043, 39047, 39079,
270 39089, 39097, 39103, 39107, 39113, 39119, 39133, 39139, 39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217,
271 39227, 39229, 39233, 39239, 39241, 39251, 39293, 39301, 39313, 39317, 39323, 39341, 39343, 39359, 39367, 39371,
272 39373, 39383, 39397, 39409, 39419, 39439, 39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541, 39551,
273 39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667, 39671, 39679, 39703, 39709, 39719, 39727, 39733,
274 39749, 39761, 39769, 39779, 39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857, 39863, 39869, 39877,
275 39883, 39887, 39901, 39929, 39937, 39953, 39971, 39979, 39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063,
276 40087, 40093, 40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169, 40177, 40189, 40193, 40213, 40231,
277 40237, 40241, 40253, 40277, 40283, 40289, 40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433, 40459,
278 40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531, 40543, 40559, 40577, 40583, 40591, 40597, 40609,
279 40627, 40637, 40639, 40693, 40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787, 40801, 40813, 40819,
280 40823, 40829, 40841, 40847, 40849, 40853, 40867, 40879, 40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961,
281 40973, 40993, 41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081, 41113, 41117, 41131, 41141, 41143,
282 41149, 41161, 41177, 41179, 41183, 41189, 41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257, 41263,
283 41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387, 41389, 41399, 41411, 41413, 41443, 41453, 41467,
284 41479, 41491, 41507, 41513, 41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603, 41609, 41611, 41617,
285 41621, 41627, 41641, 41647, 41651, 41659, 41669, 41681, 41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777,
286 41801, 41809, 41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897, 41903, 41911, 41927, 41941, 41947,
287 41953, 41957, 41959, 41969, 41981, 41983, 41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073, 42083,
288 42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187, 42193, 42197, 42209, 42221, 42223, 42227, 42239,
289 42257, 42281, 42283, 42293, 42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379, 42391, 42397, 42403,
290 42407, 42409, 42433, 42437, 42443, 42451, 42457, 42461, 42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533,
291 42557, 42569, 42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677, 42683, 42689, 42697, 42701, 42703,
292 42709, 42719, 42727, 42737, 42743, 42751, 42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841, 42853,
293 42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953, 42961, 42967, 42979, 42989, 43003, 43013, 43019,
294 43037, 43049, 43051, 43063, 43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189, 43201, 43207, 43223,
295 43237, 43261, 43271, 43283, 43291, 43313, 43319, 43321, 43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441,
296 43451, 43457, 43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579, 43591, 43597, 43607, 43609, 43613,
297 43627, 43633, 43649, 43651, 43661, 43669, 43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783, 43787,
298 43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933, 43943, 43951, 43961, 43963, 43969, 43973, 43987,
299 43991, 43997, 44017, 44021, 44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101, 44111, 44119, 44123,
300 44129, 44131, 44159, 44171, 44179, 44189, 44201, 44203, 44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273,
301 44279, 44281, 44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449, 44453, 44483, 44491, 44497, 44501,
302 44507, 44519, 44531, 44533, 44537, 44543, 44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641, 44647,
303 44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741, 44753, 44771, 44773, 44777, 44789, 44797, 44809,
304 44819, 44839, 44843, 44851, 44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953, 44959, 44963, 44971,
305 44983, 44987, 45007, 45013, 45053, 45061, 45077, 45083, 45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179,
306 45181, 45191, 45197, 45233, 45247, 45259, 45263, 45281, 45289, 45293, 45307, 45317, 45319, 45329, 45337, 45341,
307 45343, 45361, 45377, 45389, 45403, 45413, 45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533, 45541,
308 45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641, 45659, 45667, 45673, 45677, 45691, 45697, 45707,
309 45737, 45751, 45757, 45763, 45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853, 45863, 45869, 45887,
310 45893, 45943, 45949, 45953, 45959, 45971, 45979, 45989, 46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093,
311 46099, 46103, 46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199, 46219, 46229, 46237, 46261, 46271,
312 46273, 46279, 46301, 46307, 46309, 46327, 46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447, 46451,
313 46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549, 46559, 46567, 46573, 46589, 46591, 46601, 46619,
314 46633, 46639, 46643, 46649, 46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747, 46751, 46757, 46769,
315 46771, 46807, 46811, 46817, 46819, 46829, 46831, 46853, 46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957,
316 46993, 46997, 47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119, 47123, 47129, 47137, 47143, 47147,
317 47149, 47161, 47189, 47207, 47221, 47237, 47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317, 47339,
318 47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419, 47431, 47441, 47459, 47491, 47497, 47501, 47507,
319 47513, 47521, 47527, 47533, 47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629, 47639, 47653, 47657,
320 47659, 47681, 47699, 47701, 47711, 47713, 47717, 47737, 47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809,
321 47819, 47837, 47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939, 47947, 47951, 47963, 47969, 47977,
322 47981, 48017, 48023, 48029, 48049, 48073, 48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179, 48187,
323 48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299, 48311, 48313, 48337, 48341, 48353, 48371, 48383,
324 48397, 48407, 48409, 48413, 48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497, 48523, 48527, 48533,
325 48539, 48541, 48563, 48571, 48589, 48593, 48611, 48619, 48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731,
326 48733, 48751, 48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817, 48821, 48823, 48847, 48857, 48859,
327 48869, 48871, 48883, 48889, 48907, 48947, 48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033, 49037,
328 49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123, 49139, 49157, 49169, 49171, 49177, 49193, 49199,
329 49201, 49207, 49211, 49223, 49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339, 49363, 49367, 49369,
330 49391, 49393, 49409, 49411, 49417, 49429, 49433, 49451, 49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531,
331 49537, 49547, 49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663, 49667, 49669, 49681, 49697, 49711,
332 49727, 49739, 49741, 49747, 49757, 49783, 49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853, 49871,
333 49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957, 49991, 49993, 49999, 50021, 50023, 50033, 50047,
334 50051, 50053, 50069, 50077, 50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147, 50153, 50159, 50177,
335 50207, 50221, 50227, 50231, 50261, 50263, 50273, 50287, 50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363,
336 50377, 50383, 50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503, 50513, 50527, 50539, 50543, 50549,
337 50551, 50581, 50587, 50591, 50593, 50599, 50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753, 50767,
338 50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867, 50873, 50891, 50893, 50909, 50923, 50929, 50951,
339 50957, 50969, 50971, 50989, 50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109, 51131, 51133, 51137,
340 51151, 51157, 51169, 51193, 51197, 51199, 51203, 51217, 51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307,
341 51329, 51341, 51343, 51347, 51349, 51361, 51383, 51407, 51413, 51419, 51421, 51427, 51431, 51437, 51439, 51449,
342 51461, 51473, 51479, 51481, 51487, 51503, 51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593, 51599,
343 51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683, 51691, 51713, 51719, 51721, 51749, 51767, 51769,
344 51787, 51797, 51803, 51817, 51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899, 51907, 51913, 51929,
345 51941, 51949, 51971, 51973, 51977, 51991, 52009, 52021, 52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121,
346 52127, 52147, 52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237, 52249, 52253, 52259, 52267, 52289,
347 52291, 52301, 52313, 52321, 52361, 52363, 52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501, 52511,
348 52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579, 52583, 52609, 52627, 52631, 52639, 52667, 52673,
349 52691, 52697, 52709, 52711, 52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813, 52817, 52837, 52859,
350 52861, 52879, 52883, 52889, 52901, 52903, 52919, 52937, 52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003,
351 53017, 53047, 53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117, 53129, 53147, 53149, 53161, 53171,
352 53173, 53189, 53197, 53201, 53231, 53233, 53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327, 53353,
353 53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441, 53453, 53479, 53503, 53507, 53527, 53549, 53551,
354 53569, 53591, 53593, 53597, 53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657, 53681, 53693, 53699,
355 53717, 53719, 53731, 53759, 53773, 53777, 53783, 53791, 53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887,
356 53891, 53897, 53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993, 54001, 54011, 54013, 54037, 54049,
357 54059, 54083, 54091, 54101, 54121, 54133, 54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269, 54277,
358 54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367, 54371, 54377, 54401, 54403, 54409, 54413, 54419,
359 54421, 54437, 54443, 54449, 54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541, 54547, 54559, 54563,
360 54577, 54581, 54583, 54601, 54617, 54623, 54629, 54631, 54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727,
361 54751, 54767, 54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877, 54881, 54907, 54917, 54919, 54941,
362 54949, 54959, 54973, 54979, 54983, 55001, 55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103, 55109,
363 55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217, 55219, 55229, 55243, 55249, 55259, 55291, 55313,
364 55331, 55333, 55337, 55339, 55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457, 55469, 55487, 55501,
365 55511, 55529, 55541, 55547, 55579, 55589, 55603, 55609, 55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667,
366 55673, 55681, 55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793, 55799, 55807, 55813, 55817, 55819,
367 55823, 55829, 55837, 55843, 55849, 55871, 55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949, 55967,
368 55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087, 56093, 56099, 56101, 56113, 56123, 56131, 56149,
369 56167, 56171, 56179, 56197, 56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299, 56311, 56333, 56359,
370 56369, 56377, 56383, 56393, 56401, 56417, 56431, 56437, 56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501,
371 56503, 56509, 56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599, 56611, 56629, 56633, 56659, 56663,
372 56671, 56681, 56687, 56701, 56711, 56713, 56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809, 56813,
373 56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909, 56911, 56921, 56923, 56929, 56941, 56951, 56957,
374 56963, 56983, 56989, 56993, 56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097, 57107, 57119, 57131,
375 57139, 57143, 57149, 57163, 57173, 57179, 57191, 57193, 57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271,
376 57283, 57287, 57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 57389, 57397, 57413, 57427, 57457, 57467,
377 57487, 57493, 57503, 57527, 57529, 57557, 57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653, 57667,
378 57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737, 57751, 57773, 57781, 57787, 57791, 57793, 57803,
379 57809, 57829, 57839, 57847, 57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947, 57973, 57977, 57991,
380 58013, 58027, 58031, 58043, 58049, 58057, 58061, 58067, 58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153,
381 58169, 58171, 58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237, 58243, 58271, 58309, 58313, 58321,
382 58337, 58363, 58367, 58369, 58379, 58391, 58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453, 58477,
383 58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601, 58603, 58613, 58631, 58657, 58661, 58679, 58687,
384 58693, 58699, 58711, 58727, 58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889, 58897, 58901, 58907,
385 58909, 58913, 58921, 58937, 58943, 58963, 58967, 58979, 58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051,
386 59053, 59063, 59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141, 59149, 59159, 59167, 59183, 59197,
387 59207, 59209, 59219, 59221, 59233, 59239, 59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359, 59369,
388 59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443, 59447, 59453, 59467, 59471, 59473, 59497, 59509,
389 59513, 59539, 59557, 59561, 59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659, 59663, 59669, 59671,
390 59693, 59699, 59707, 59723, 59729, 59743, 59747, 59753, 59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879,
391 59887, 59921, 59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029, 60037, 60041, 60077, 60083, 60089,
392 60091, 60101, 60103, 60107, 60127, 60133, 60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251, 60257,
393 60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353, 60373, 60383, 60397, 60413, 60427, 60443, 60449,
394 60457, 60493, 60497, 60509, 60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623, 60631, 60637, 60647,
395 60649, 60659, 60661, 60679, 60689, 60703, 60719, 60727, 60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793,
396 60811, 60821, 60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919, 60923, 60937, 60943, 60953, 60961,
397 61001, 61007, 61027, 61031, 61043, 61051, 61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169, 61211,
398 61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333, 61339, 61343, 61357, 61363, 61379, 61381, 61403,
399 61409, 61417, 61441, 61463, 61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543, 61547, 61553, 61559,
400 61561, 61583, 61603, 61609, 61613, 61627, 61631, 61637, 61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703,
401 61717, 61723, 61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861, 61871, 61879, 61909, 61927, 61933,
402 61949, 61961, 61967, 61979, 61981, 61987, 61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071, 62081,
403 62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189, 62191, 62201, 62207, 62213, 62219, 62233, 62273,
404 62297, 62299, 62303, 62311, 62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459, 62467, 62473, 62477,
405 62483, 62497, 62501, 62507, 62533, 62539, 62549, 62563, 62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639,
406 62653, 62659, 62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773, 62791, 62801, 62819, 62827, 62851,
407 62861, 62869, 62873, 62897, 62903, 62921, 62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989, 63029,
408 63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127, 63131, 63149, 63179, 63197, 63199, 63211, 63241,
409 63247, 63277, 63281, 63299, 63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367, 63377, 63389, 63391,
410 63397, 63409, 63419, 63421, 63439, 63443, 63463, 63467, 63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541,
411 63559, 63577, 63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647, 63649, 63659, 63667, 63671, 63689,
412 63691, 63697, 63703, 63709, 63719, 63727, 63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809, 63823,
413 63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929, 63949, 63977, 63997, 64007, 64013, 64019, 64033,
414 64037, 64063, 64067, 64081, 64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189, 64217, 64223, 64231,
415 64237, 64271, 64279, 64283, 64301, 64303, 64319, 64327, 64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451,
416 64453, 64483, 64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601, 64609, 64613, 64621, 64627, 64633,
417 64661, 64663, 64667, 64679, 64693, 64709, 64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849, 64853,
418 64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937, 64951, 64969, 64997, 65003, 65011, 65027, 65029,
419 65033, 65053, 65063, 65071, 65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147, 65167, 65171, 65173,
420 65179, 65183, 65203, 65213, 65239, 65257, 65267, 65269, 65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371,
421 65381, 65393, 65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497, 65519, 65521, 0};

Referenced by Botan::DL_Group::DL_Group(), is_prime(), and random_prime().

◆ STREEBOG_Ax

const uint64_t Botan::STREEBOG_Ax
extern

Definition at line 34 of file streebog_precalc.cpp.

34 {
35 {0xd01f715b5c7ef8e6, 0x16fa240980778325, 0xa8a42e857ee049c8, 0x6ac1068fa186465b, 0x6e417bd7a2e9320b,
36 0x665c8167a437daab, 0x7666681aa89617f6, 0x4b959163700bdcf5, 0xf14be6b78df36248, 0xc585bd689a625cff,
37 0x9557d7fca67d82cb, 0x89f0b969af6dd366, 0xb0833d48749f6c35, 0xa1998c23b1ecbc7c, 0x8d70c431ac02a736,
38 0xd6dfbc2fd0a8b69e, 0x37aeb3e551fa198b, 0x0b7d128a40b5cf9c, 0x5a8f2008b5780cbc, 0xedec882284e333e5,
39 0xd25fc177d3c7c2ce, 0x5e0f5d50b61778ec, 0x1d873683c0c24cb9, 0xad040bcbb45d208c, 0x2f89a0285b853c76,
40 0x5732fff6791b8d58, 0x3e9311439ef6ec3f, 0xc9183a809fd3c00f, 0x83adf3f5260a01ee, 0xa6791941f4e8ef10,
41 0x103ae97d0ca1cd5d, 0x2ce948121dee1b4a, 0x39738421dbf2bf53, 0x093da2a6cf0cf5b4, 0xcd9847d89cbcb45f,
42 0xf9561c078b2d8ae8, 0x9c6a755a6971777f, 0xbc1ebaa0712ef0c5, 0x72e61542abf963a6, 0x78bb5fde229eb12e,
43 0x14ba94250fceb90d, 0x844d6697630e5282, 0x98ea08026a1e032f, 0xf06bbea144217f5c, 0xdb6263d11ccb377a,
44 0x641c314b2b8ee083, 0x320e96ab9b4770cf, 0x1ee7deb986a96b85, 0xe96cf57a878c47b5, 0xfdd6615f8842feb8,
45 0xc83862965601dd1b, 0x2ea9f83e92572162, 0xf876441142ff97fc, 0xeb2c455608357d9d, 0x5612a7e0b0c9904c,
46 0x6c01cbfb2d500823, 0x4548a6a7fa037a2d, 0xabc4c6bf388b6ef4, 0xbade77d4fdf8bebd, 0x799b07c8eb4cac3a,
47 0x0c9d87e805b19cf0, 0xcb588aac106afa27, 0xea0c1d40c1e76089, 0x2869354a1e816f1a, 0xff96d17307fbc490,
48 0x9f0a9d602f1a5043, 0x96373fc6e016a5f7, 0x5292dab8b3a6e41c, 0x9b8ae0382c752413, 0x4f15ec3b7364a8a5,
49 0x3fb349555724f12b, 0xc7c50d4415db66d7, 0x92b7429ee379d1a7, 0xd37f99611a15dfda, 0x231427c05e34a086,
50 0xa439a96d7b51d538, 0xb403401077f01865, 0xdda2aea5901d7902, 0x0a5d4a9c8967d288, 0xc265280adf660f93,
51 0x8bb0094520d4e94e, 0x2a29856691385532, 0x42a833c5bf072941, 0x73c64d54622b7eb2, 0x07e095624504536c,
52 0x8a905153e906f45a, 0x6f6123c16b3b2f1f, 0xc6e55552dc097bc3, 0x4468feb133d16739, 0xe211e7f0c7398829,
53 0xa2f96419f7879b40, 0x19074bdbc3ad38e9, 0xf4ebc3f9474e0b0c, 0x43886bd376d53455, 0xd8028beb5aa01046,
54 0x51f23282f5cdc320, 0xe7b1c2be0d84e16d, 0x081dfab006dee8a0, 0x3b33340d544b857b, 0x7f5bcabc679ae242,
55 0x0edd37c48a08a6d8, 0x81ed43d9a9b33bc6, 0xb1a3655ebd4d7121, 0x69a1eeb5e7ed6167, 0xf6ab73d5c8f73124,
56 0x1a67a3e185c61fd5, 0x2dc91004d43c065e, 0x0240b02c8fb93a28, 0x90f7f2b26cc0eb8f, 0x3cd3a16f114fd617,
57 0xaae49ea9f15973e0, 0x06c0cd748cd64e78, 0xda423bc7d5192a6e, 0xc345701c16b41287, 0x6d2193ede4821537,
58 0xfcf639494190e3ac, 0x7c3b228621f1c57e, 0xfb16ac2b0494b0c0, 0xbf7e529a3745d7f9, 0x6881b6a32e3f7c73,
59 0xca78d2bad9b8e733, 0xbbfe2fc2342aa3a9, 0x0dbddffecc6381e4, 0x70a6a56e2440598e, 0xe4d12a844befc651,
60 0x8c509c2765d0ba22, 0xee8c6018c28814d9, 0x17da7c1f49a59e31, 0x609c4c1328e194d3, 0xb3e3d57232f44b09,
61 0x91d7aaa4a512f69b, 0x0ffd6fd243dabbcc, 0x50d26a943c1fde34, 0x6be15e9968545b4f, 0x94778fea6faf9fdf,
62 0x2b09dd7058ea4826, 0x677cd9716de5c7bf, 0x49d5214fffb2e6dd, 0x0360e83a466b273c, 0x1fc786af4f7b7691,
63 0xa0b9d435783ea168, 0xd49f0c035f118cb6, 0x01205816c9d21d14, 0xac2453dd7d8f3d98, 0x545217cc3f70aa64,
64 0x26b4028e9489c9c2, 0xdec2469fd6765e3e, 0x04807d58036f7450, 0xe5f17292823ddb45, 0xf30b569b024a5860,
65 0x62dcfc3fa758aefb, 0xe84cad6c4e5e5aa1, 0xccb81fce556ea94b, 0x53b282ae7a74f908, 0x1b47fbf74c1402c1,
66 0x368eebf39828049f, 0x7afbeff2ad278b06, 0xbe5e0a8cfe97caed, 0xcfd8f7f413058e77, 0xf78b2bc301252c30,
67 0x4d555c17fcdd928d, 0x5f2f05467fc565f8, 0x24f4b2a21b30f3ea, 0x860dd6bbecb768aa, 0x4c750401350f8f99,
68 0x0000000000000000, 0xecccd0344d312ef1, 0xb5231806be220571, 0xc105c030990d28af, 0x653c695de25cfd97,
69 0x159acc33c61ca419, 0xb89ec7f872418495, 0xa9847693b73254dc, 0x58cf90243ac13694, 0x59efc832f3132b80,
70 0x5c4fed7c39ae42c4, 0x828dabe3efd81cfa, 0xd13f294d95ace5f2, 0x7d1b7a90e823d86a, 0xb643f03cf849224d,
71 0x3df3f979d89dcb03, 0x7426d836272f2dde, 0xdfe21e891fa4432a, 0x3a136c1b9d99986f, 0xfa36f43dcd46add4,
72 0xc025982650df35bb, 0x856d3e81aadc4f96, 0xc4a5e57e53b041eb, 0x4708168b75ba4005, 0xaf44bbe73be41aa4,
73 0x971767d029c4b8e3, 0xb9be9feebb939981, 0x215497ecd18d9aae, 0x316e7e91dd2c57f3, 0xcef8afe2dad79363,
74 0x3853dc371220a247, 0x35ee03c9de4323a3, 0xe6919aa8c456fc79, 0xe05157dc4880b201, 0x7bdbb7e464f59612,
75 0x127a59518318f775, 0x332ecebd52956ddb, 0x8f30741d23bb9d1e, 0xd922d3fd93720d52, 0x7746300c61440ae2,
76 0x25d4eab4d2e2eefe, 0x75068020eefd30ca, 0x135a01474acaea61, 0x304e268714fe4ae7, 0xa519f17bb283c82c,
77 0xdc82f6b359cf6416, 0x5baf781e7caa11a8, 0xb2c38d64fb26561d, 0x34ce5bdf17913eb7, 0x5d6fb56af07c5fd0,
78 0x182713cd0a7f25fd, 0x9e2ac576e6c84d57, 0x9aaab82ee5a73907, 0xa3d93c0f3e558654, 0x7e7b92aaae48ff56,
79 0x872d8ead256575be, 0x41c8dbfff96c0e7d, 0x99ca5014a3cc1e3b, 0x40e883e930be1369, 0x1ca76e95091051ad,
80 0x4e35b42dbab6b5b1, 0x05a0254ecabd6944, 0xe1710fca8152af15, 0xf22b0e8dcb984574, 0xb763a82a319b3f59,
81 0x63fca4296e8ab3ef, 0x9d4a2d4ca0a36a6b, 0xe331bfe60eeb953d, 0xd5bf541596c391a2, 0xf5cb9bef8e9c1618,
82 0x46284e9dbc685d11, 0x2074cffa185f87ba, 0xbd3ee2b6b8fcedd1, 0xae64e3f1f23607b0, 0xfeb68965ce29d984,
83 0x55724fdaf6a2b770, 0x29496d5cd753720e, 0xa75941573d3af204, 0x8e102c0bea69800a, 0x111ab16bc573d049,
84 0xd7ffe439197aab8a, 0xefac380e0b5a09cd, 0x48f579593660fbc9, 0x22347fd697e6bd92, 0x61bc1405e13389c7,
85 0x4ab5c975b9d9c1e1, 0x80cd1bcf606126d2, 0x7186fd78ed92449a, 0x93971a882aabccb3, 0x88d0e17f66bfce72,
86 0x27945a985d5bd4d6},
87 {0xde553f8c05a811c8, 0x1906b59631b4f565, 0x436e70d6b1964ff7, 0x36d343cb8b1e9d85, 0x843dfacc858aab5a,
88 0xfdfc95c299bfc7f9, 0x0f634bdea1d51fa2, 0x6d458b3b76efb3cd, 0x85c3f77cf8593f80, 0x3c91315fbe737cb2,
89 0x2148b03366ace398, 0x18f8b8264c6761bf, 0xc830c1c495c9fb0f, 0x981a76102086a0aa, 0xaa16012142f35760,
90 0x35cc54060c763cf6, 0x42907d66cc45db2d, 0x8203d44b965af4bc, 0x3d6f3cefc3a0e868, 0xbc73ff69d292bda7,
91 0x8722ed0102e20a29, 0x8f8185e8cd34deb7, 0x9b0561dda7ee01d9, 0x5335a0193227fad6, 0xc9cecc74e81a6fd5,
92 0x54f5832e5c2431ea, 0x99e47ba05d553470, 0xf7bee756acd226ce, 0x384e05a5571816fd, 0xd1367452a47d0e6a,
93 0xf29fde1c386ad85b, 0x320c77316275f7ca, 0xd0c879e2d9ae9ab0, 0xdb7406c69110ef5d, 0x45505e51a2461011,
94 0xfc029872e46c5323, 0xfa3cb6f5f7bc0cc5, 0x031f17cd8768a173, 0xbd8df2d9af41297d, 0x9d3b4f5ab43e5e3f,
95 0x4071671b36feee84, 0x716207e7d3e3b83d, 0x48d20ff2f9283a1a, 0x27769eb4757cbc7e, 0x5c56ebc793f2e574,
96 0xa48b474f9ef5dc18, 0x52cbada94ff46e0c, 0x60c7da982d8199c6, 0x0e9d466edc068b78, 0x4eec2175eaf865fc,
97 0x550b8e9e21f7a530, 0x6b7ba5bc653fec2b, 0x5eb7f1ba6949d0dd, 0x57ea94e3db4c9099, 0xf640eae6d101b214,
98 0xdd4a284182c0b0bb, 0xff1d8fbf6304f250, 0xb8accb933bf9d7e8, 0xe8867c478eb68c4d, 0x3f8e2692391bddc1,
99 0xcb2fd60912a15a7c, 0xaec935dbab983d2f, 0xf55ffd2b56691367, 0x80e2ce366ce1c115, 0x179bf3f8edb27e1d,
100 0x01fe0db07dd394da, 0xda8a0b76ecc37b87, 0x44ae53e1df9584cb, 0xb310b4b77347a205, 0xdfab323c787b8512,
101 0x3b511268d070b78e, 0x65e6e3d2b9396753, 0x6864b271e2574d58, 0x259784c98fc789d7, 0x02e11a7dfabb35a9,
102 0x8841a6dfa337158b, 0x7ade78c39b5dcdd0, 0xb7cf804d9a2cc84a, 0x20b6bd831b7f7742, 0x75bd331d3a88d272,
103 0x418f6aab4b2d7a5e, 0xd9951cbb6babdaf4, 0xb6318dfde7ff5c90, 0x1f389b112264aa83, 0x492c024284fbaec0,
104 0xe33a0363c608f9a0, 0x2688930408af28a4, 0xc7538a1a341ce4ad, 0x5da8e677ee2171ae, 0x8c9e92254a5c7fc4,
105 0x63d8cd55aae938b5, 0x29ebd8daa97a3706, 0x959827b37be88aa1, 0x1484e4356adadf6e, 0xa7945082199d7d6b,
106 0xbf6ce8a455fa1cd4, 0x9cc542eac9edcae5, 0x79c16f0e1c356ca3, 0x89bfab6fdee48151, 0xd4174d1830c5f0ff,
107 0x9258048415eb419d, 0x6139d72850520d1c, 0x6a85a80c18ec78f1, 0xcd11f88e0171059a, 0xcceff53e7ca29140,
108 0xd229639f2315af19, 0x90b91ef9ef507434, 0x5977d28d074a1be1, 0x311360fce51d56b9, 0xc093a92d5a1f2f91,
109 0x1a19a25bb6dc5416, 0xeb996b8a09de2d3e, 0xfee3820f1ed7668a, 0xd7085ad5b7ad518c, 0x7fff41890fe53345,
110 0xec5948bd67dde602, 0x2fd5f65dbaaa68e0, 0xa5754affe32648c2, 0xf8ddac880d07396c, 0x6fa491468c548664,
111 0x0c7c5c1326bdbed1, 0x4a33158f03930fb3, 0x699abfc19f84d982, 0xe4fa2054a80b329c, 0x6707f9af438252fa,
112 0x08a368e9cfd6d49e, 0x47b1442c58fd25b8, 0xbbb3dc5ebc91769b, 0x1665fe489061eac7, 0x33f27a811fa66310,
113 0x93a609346838d547, 0x30ed6d4c98cec263, 0x1dd9816cd8df9f2a, 0x94662a03063b1e7b, 0x83fdd9fbeb896066,
114 0x7b207573e68e590a, 0x5f49fc0a149a4407, 0x343259b671a5a82c, 0xfbc2bb458a6f981f, 0xc272b350a0a41a38,
115 0x3aaf1fd8ada32354, 0x6cbb868b0b3c2717, 0xa2b569c88d2583fe, 0xf180c9d1bf027928, 0xaf37386bd64ba9f5,
116 0x12bacab2790a8088, 0x4c0d3b0810435055, 0xb2eeb9070e9436df, 0xc5b29067cea7d104, 0xdcb425f1ff132461,
117 0x4f122cc5972bf126, 0xac282fa651230886, 0xe7e537992f6393ef, 0xe61b3a2952b00735, 0x709c0a57ae302ce7,
118 0xe02514ae416058d3, 0xc44c9dd7b37445de, 0x5a68c5408022ba92, 0x1c278cdca50c0bf0, 0x6e5a9cf6f18712be,
119 0x86dce0b17f319ef3, 0x2d34ec2040115d49, 0x4bcd183f7e409b69, 0x2815d56ad4a9a3dc, 0x24698979f2141d0d,
120 0x0000000000000000, 0x1ec696a15fb73e59, 0xd86b110b16784e2e, 0x8e7f8858b0e74a6d, 0x063e2e8713d05fe6,
121 0xe2c40ed3bbdb6d7a, 0xb1f1aeca89fc97ac, 0xe1db191e3cb3cc09, 0x6418ee62c4eaf389, 0xc6ad87aa49cf7077,
122 0xd6f65765ca7ec556, 0x9afb6c6dda3d9503, 0x7ce05644888d9236, 0x8d609f95378feb1e, 0x23a9aa4e9c17d631,
123 0x6226c0e5d73aac6f, 0x56149953a69f0443, 0xeeb852c09d66d3ab, 0x2b0ac2a753c102af, 0x07c023376e03cb3c,
124 0x2ccae1903dc2c993, 0xd3d76e2f5ec63bc3, 0x9e2458973356ff4c, 0xa66a5d32644ee9b1, 0x0a427294356de137,
125 0x783f62be61e6f879, 0x1344c70204d91452, 0x5b96c8f0fdf12e48, 0xa90916ecc59bf613, 0xbe92e5142829880e,
126 0x727d102a548b194e, 0x1be7afebcb0fc0cc, 0x3e702b2244c8491b, 0xd5e940a84d166425, 0x66f9f41f3e51c620,
127 0xabe80c913f20c3ba, 0xf07ec461c2d1edf2, 0xf361d3ac45b94c81, 0x0521394a94b8fe95, 0xadd622162cf09c5c,
128 0xe97871f7f3651897, 0xf4a1f09b2bba87bd, 0x095d6559b2054044, 0x0bbc7f2448be75ed, 0x2af4cf172e129675,
129 0x157ae98517094bb4, 0x9fda55274e856b96, 0x914713499283e0ee, 0xb952c623462a4332, 0x74433ead475b46a8,
130 0x8b5eb112245fb4f8, 0xa34b6478f0f61724, 0x11a5dd7ffe6221fb, 0xc16da49d27ccbb4b, 0x76a224d0bde07301,
131 0x8aa0bca2598c2022, 0x4df336b86d90c48f, 0xea67663a740db9e4, 0xef465f70e0b54771, 0x39b008152acb8227,
132 0x7d1e5bf4f55e06ec, 0x105bd0cf83b1b521, 0x775c2960c033e7db, 0x7e014c397236a79f, 0x811cc386113255cf,
133 0xeda7450d1a0e72d8, 0x5889df3d7a998f3b, 0x2e2bfbedc779fc3a, 0xce0eef438619a4e9, 0x372d4e7bf6cd095f,
134 0x04df34fae96b6a4f, 0xf923a13870d4adb6, 0xa1aa7e050a4d228d, 0xa8f71b5cb84862c9, 0xb52e9a306097fde3,
135 0x0d8251a35b6e2a0b, 0x2257a7fee1c442eb, 0x73831d9a29588d94, 0x51d4ba64c89ccf7f, 0x502ab7d4b54f5ba5,
136 0x97793dce8153bf08, 0xe5042de4d5d8a646, 0x9687307efc802bd2, 0xa05473b5779eb657, 0xb4d097801d446939,
137 0xcff0e2f3fbca3033, 0xc38cbee0dd778ee2, 0x464f499c252eb162, 0xcad1dbb96f72cea6, 0xba4dd1eec142e241,
138 0xb00fa37af42f0376},
139 {0xcce4cd3aa968b245, 0x089d5484e80b7faf, 0x638246c1b3548304, 0xd2fe0ec8c2355492, 0xa7fbdf7ff2374eee,
140 0x4df1600c92337a16, 0x84e503ea523b12fb, 0x0790bbfd53ab0c4a, 0x198a780f38f6ea9d, 0x2ab30c8f55ec48cb,
141 0xe0f7fed6b2c49db5, 0xb6ecf3f422cadbdc, 0x409c9a541358df11, 0xd3ce8a56dfde3fe3, 0xc3e9224312c8c1a0,
142 0x0d6dfa58816ba507, 0xddf3e1b179952777, 0x04c02a42748bb1d9, 0x94c2abff9f2decb8, 0x4f91752da8f8acf4,
143 0x78682befb169bf7b, 0xe1c77a48af2ff6c4, 0x0c5d7ec69c80ce76, 0x4cc1e4928fd81167, 0xfeed3d24d9997b62,
144 0x518bb6dfc3a54a23, 0x6dbf2d26151f9b90, 0xb5bc624b05ea664f, 0xe86aaa525acfe21a, 0x4801ced0fb53a0be,
145 0xc91463e6c00868ed, 0x1027a815cd16fe43, 0xf67069a0319204cd, 0xb04ccc976c8abce7, 0xc0b9b3fc35e87c33,
146 0xf380c77c58f2de65, 0x50bb3241de4e2152, 0xdf93f490435ef195, 0xf1e0d25d62390887, 0xaf668bfb1a3c3141,
147 0xbc11b251f00a7291, 0x73a5eed47e427d47, 0x25bee3f6ee4c3b2e, 0x43cc0beb34786282, 0xc824e778dde3039c,
148 0xf97d86d98a327728, 0xf2b043e24519b514, 0xe297ebf7880f4b57, 0x3a94a49a98fab688, 0x868516cb68f0c419,
149 0xeffa11af0964ee50, 0xa4ab4ec0d517f37d, 0xa9c6b498547c567a, 0x8e18424f80fbbbb6, 0x0bcdc53bcf2bc23c,
150 0x137739aaea3643d0, 0x2c1333ec1bac2ff0, 0x8d48d3f0a7db0625, 0x1e1ac3f26b5de6d7, 0xf520f81f16b2b95e,
151 0x9f0f6ec450062e84, 0x0130849e1deb6b71, 0xd45e31ab8c7533a9, 0x652279a2fd14e43f, 0x3209f01e70f1c927,
152 0xbe71a770cac1a473, 0x0e3d6be7a64b1894, 0x7ec8148cff29d840, 0xcb7476c7fac3be0f, 0x72956a4a63a91636,
153 0x37f95ec21991138f, 0x9e3fea5a4ded45f5, 0x7b38ba50964902e8, 0x222e580bbde73764, 0x61e253e0899f55e6,
154 0xfc8d2805e352ad80, 0x35994be3235ac56d, 0x09add01af5e014de, 0x5e8659a6780539c6, 0xb17c48097161d796,
155 0x026015213acbd6e2, 0xd1ae9f77e515e901, 0xb7dc776a3f21b0ad, 0xaba6a1b96eb78098, 0x9bcf4486248d9f5d,
156 0x582666c536455efd, 0xfdbdac9bfeb9c6f1, 0xc47999be4163cdea, 0x765540081722a7ef, 0x3e548ed8ec710751,
157 0x3d041f67cb51bac2, 0x7958af71ac82d40a, 0x36c9da5c047a78fe, 0xed9a048e33af38b2, 0x26ee7249c96c86bd,
158 0x900281bdeba65d61, 0x11172c8bd0fd9532, 0xea0abf73600434f8, 0x42fc8f75299309f3, 0x34a9cf7d3eb1ae1c,
159 0x2b838811480723ba, 0x5ce64c8742ceef24, 0x1adae9b01fd6570e, 0x3c349bf9d6bad1b3, 0x82453c891c7b75c0,
160 0x97923a40b80d512b, 0x4a61dbf1c198765c, 0xb48ce6d518010d3e, 0xcfb45c858e480fd6, 0xd933cbf30d1e96ae,
161 0xd70ea014ab558e3a, 0xc189376228031742, 0x9262949cd16d8b83, 0xeb3a3bed7def5f89, 0x49314a4ee6b8cbcf,
162 0xdcc3652f647e4c06, 0xda635a4c2a3e2b3d, 0x470c21a940f3d35b, 0x315961a157d174b4, 0x6672e81dda3459ac,
163 0x5b76f77a1165e36e, 0x445cb01667d36ec8, 0xc5491d205c88a69b, 0x456c34887a3805b9, 0xffddb9bac4721013,
164 0x99af51a71e4649bf, 0xa15be01cbc7729d5, 0x52db2760e485f7b0, 0x8c78576eba306d54, 0xae560f6507d75a30,
165 0x95f22f6182c687c9, 0x71c5fbf54489aba5, 0xca44f259e728d57e, 0x88b87d2ccebbdc8d, 0xbab18d32be4a15aa,
166 0x8be8ec93e99b611e, 0x17b713e89ebdf209, 0xb31c5d284baa0174, 0xeeca9531148f8521, 0xb8d198138481c348,
167 0x8988f9b2d350b7fc, 0xb9e11c8d996aa839, 0x5a4673e40c8e881f, 0x1687977683569978, 0xbf4123eed72acf02,
168 0x4ea1f1b3b513c785, 0xe767452be16f91ff, 0x7505d1b730021a7c, 0xa59bca5ec8fc980c, 0xad069eda20f7e7a3,
169 0x38f4b1bba231606a, 0x60d2d77e94743e97, 0x9affc0183966f42c, 0x248e6768f3a7505f, 0xcdd449a4b483d934,
170 0x87b59255751baf68, 0x1bea6d2e023d3c7f, 0x6b1f12455b5ffcab, 0x743555292de9710d, 0xd8034f6d10f5fddf,
171 0xc6198c9f7ba81b08, 0xbb8109aca3a17edb, 0xfa2d1766ad12cabb, 0xc729080166437079, 0x9c5fff7b77269317,
172 0x0000000000000000, 0x15d706c9a47624eb, 0x6fdf38072fd44d72, 0x5fb6dd3865ee52b7, 0xa33bf53d86bcff37,
173 0xe657c1b5fc84fa8e, 0xaa962527735cebe9, 0x39c43525bfda0b1b, 0x204e4d2a872ce186, 0x7a083ece8ba26999,
174 0x554b9c9db72efbfa, 0xb22cd9b656416a05, 0x96a2bedea5e63a5a, 0x802529a826b0a322, 0x8115ad363b5bc853,
175 0x8375b81701901eb1, 0x3069e53f4a3a1fc5, 0xbd2136cfede119e0, 0x18bafc91251d81ec, 0x1d4a524d4c7d5b44,
176 0x05f0aedc6960daa8, 0x29e39d3072ccf558, 0x70f57f6b5962c0d4, 0x989fd53903ad22ce, 0xf84d024797d91c59,
177 0x547b1803aac5908b, 0xf0d056c37fd263f6, 0xd56eb535919e58d8, 0x1c7ad6d351963035, 0x2e7326cd2167f912,
178 0xac361a443d1c8cd2, 0x697f076461942a49, 0x4b515f6fdc731d2d, 0x8ad8680df4700a6f, 0x41ac1eca0eb3b460,
179 0x7d988533d80965d3, 0xa8f6300649973d0b, 0x7765c4960ac9cc9e, 0x7ca801adc5e20ea2, 0xdea3700e5eb59ae4,
180 0xa06b6482a19c42a4, 0x6a2f96db46b497da, 0x27def6d7d487edcc, 0x463ca5375d18b82a, 0xa6cb5be1efdc259f,
181 0x53eba3fef96e9cc1, 0xce84d81b93a364a7, 0xf4107c810b59d22f, 0x333974806d1aa256, 0x0f0def79bba073e5,
182 0x231edc95a00c5c15, 0xe437d494c64f2c6c, 0x91320523f64d3610, 0x67426c83c7df32dd, 0x6eefbc99323f2603,
183 0x9d6f7be56acdf866, 0x5916e25b2bae358c, 0x7ff89012e2c2b331, 0x035091bf2720bd93, 0x561b0d22900e4669,
184 0x28d319ae6f279e29, 0x2f43a2533c8c9263, 0xd09e1be9f8fe8270, 0xf740ed3e2c796fbc, 0xdb53ded237d5404c,
185 0x62b2c25faebfe875, 0x0afd41a5d2c0a94d, 0x6412fd3ce0ff8f4e, 0xe3a76f6995e42026, 0x6c8fa9b808f4f0e1,
186 0xc2d9a6dd0f23aad1, 0x8f28c6d19d10d0c7, 0x85d587744fd0798a, 0xa20b71a39b579446, 0x684f83fa7c7f4138,
187 0xe507500adba4471d, 0x3f640a46f19a6c20, 0x1247bd34f7dd28a1, 0x2d23b77206474481, 0x93521002cc86e0f2,
188 0x572b89bc8de52d18, 0xfb1d93f8b0f9a1ca, 0xe95a2ecc4724896b, 0x3ba420048511ddf9, 0xd63e248ab6bee54b,
189 0x5dd6c8195f258455, 0x06a03f634e40673b, 0x1f2a476c76b68da6, 0x217ec9b49ac78af7, 0xecaa80102e4453c3,
190 0x14e78257b99d4f9a},
191 {0x20329b2cc87bba05, 0x4f5eb6f86546a531, 0xd4f44775f751b6b1, 0x8266a47b850dfa8b, 0xbb986aa15a6ca985,
192 0xc979eb08f9ae0f99, 0x2da6f447a2375ea1, 0x1e74275dcd7d8576, 0xbc20180a800bc5f8, 0xb4a2f701b2dc65be,
193 0xe726946f981b6d66, 0x48e6c453bf21c94c, 0x42cad9930f0a4195, 0xefa47b64aacccd20, 0x71180a8960409a42,
194 0x8bb3329bf6a44e0c, 0xd34c35de2d36dacc, 0xa92f5b7cbc23dc96, 0xb31a85aa68bb09c3, 0x13e04836a73161d2,
195 0xb24dfc4129c51d02, 0x8ae44b70b7da5acd, 0xe671ed84d96579a7, 0xa4bb3417d66f3832, 0x4572ab38d56d2de8,
196 0xb1b47761ea47215c, 0xe81c09cf70aba15d, 0xffbdb872ce7f90ac, 0xa8782297fd5dc857, 0x0d946f6b6a4ce4a4,
197 0xe4df1f4f5b995138, 0x9ebc71edca8c5762, 0x0a2c1dc0b02b88d9, 0x3b503c115d9d7b91, 0xc64376a8111ec3a2,
198 0xcec199a323c963e4, 0xdc76a87ec58616f7, 0x09d596e073a9b487, 0x14583a9d7d560daf, 0xf4c6dc593f2a0cb4,
199 0xdd21d19584f80236, 0x4a4836983ddde1d3, 0xe58866a41ae745f9, 0xf591a5b27e541875, 0x891dc05074586693,
200 0x5b068c651810a89e, 0xa30346bc0c08544f, 0x3dbf3751c684032d, 0x2a1e86ec785032dc, 0xf73f5779fca830ea,
201 0xb60c05ca30204d21, 0x0cc316802b32f065, 0x8770241bdd96be69, 0xb861e18199ee95db, 0xf805cad91418fcd1,
202 0x29e70dccbbd20e82, 0xc7140f435060d763, 0x0f3a9da0e8b0cc3b, 0xa2543f574d76408e, 0xbd7761e1c175d139,
203 0x4b1f4f737ca3f512, 0x6dc2df1f2fc137ab, 0xf1d05c3967b14856, 0xa742bf3715ed046c, 0x654030141d1697ed,
204 0x07b872abda676c7d, 0x3ce84eba87fa17ec, 0xc1fb0403cb79afdf, 0x3e46bc7105063f73, 0x278ae987121cd678,
205 0xa1adb4778ef47cd0, 0x26dd906c5362c2b9, 0x05168060589b44e2, 0xfbfc41f9d79ac08f, 0x0e6de44ba9ced8fa,
206 0x9feb08068bf243a3, 0x7b341749d06b129b, 0x229c69e74a87929a, 0xe09ee6c4427c011b, 0x5692e30e725c4c3a,
207 0xda99a33e5e9f6e4b, 0x353dd85af453a36b, 0x25241b4c90e0fee7, 0x5de987258309d022, 0xe230140fc0802984,
208 0x93281e86a0c0b3c6, 0xf229d719a4337408, 0x6f6c2dd4ad3d1f34, 0x8ea5b2fbae3f0aee, 0x8331dd90c473ee4a,
209 0x346aa1b1b52db7aa, 0xdf8f235e06042aa9, 0xcc6f6b68a1354b7b, 0x6c95a6f46ebf236a, 0x52d31a856bb91c19,
210 0x1a35ded6d498d555, 0xf37eaef2e54d60c9, 0x72e181a9a3c2a61c, 0x98537aad51952fde, 0x16f6c856ffaa2530,
211 0xd960281e9d1d5215, 0x3a0745fa1ce36f50, 0x0b7b642bf1559c18, 0x59a87eae9aec8001, 0x5e100c05408bec7c,
212 0x0441f98b19e55023, 0xd70dcc5534d38aef, 0x927f676de1bea707, 0x9769e70db925e3e5, 0x7a636ea29115065a,
213 0x468b201816ef11b6, 0xab81a9b73edff409, 0xc0ac7de88a07bb1e, 0x1f235eb68c0391b7, 0x6056b074458dd30f,
214 0xbe8eeac102f7ed67, 0xcd381283e04b5fba, 0x5cbefecec277c4e3, 0xd21b4c356c48ce0d, 0x1019c31664b35d8c,
215 0x247362a7d19eea26, 0xebe582efb3299d03, 0x02aef2cb82fc289f, 0x86275df09ce8aaa8, 0x28b07427faac1a43,
216 0x38a9b7319e1f47cf, 0xc82e92e3b8d01b58, 0x06ef0b409b1978bc, 0x62f842bfc771fb90, 0x9904034610eb3b1f,
217 0xded85ab5477a3e68, 0x90d195a663428f98, 0x5384636e2ac708d8, 0xcbd719c37b522706, 0xae9729d76644b0eb,
218 0x7c8c65e20a0c7ee6, 0x80c856b007f1d214, 0x8c0b40302cc32271, 0xdbcedad51fe17a8a, 0x740e8ae938dbdea0,
219 0xa615c6dc549310ad, 0x19cc55f6171ae90b, 0x49b1bdb8fe5fdd8d, 0xed0a89af2830e5bf, 0x6a7aadb4f5a65bd6,
220 0x7e22972988f05679, 0xf952b3325566e810, 0x39fecedadf61530e, 0x6101c99f04f3c7ce, 0x2e5f7f6761b562ff,
221 0xf08725d226cf5c97, 0x63af3b54860fef51, 0x8ff2cb10ef411e2f, 0x884ab9bb35267252, 0x4df04433e7ba8dae,
222 0x9afd8866d3690741, 0x66b9bb34de94abb3, 0x9baaf18d92171380, 0x543c11c5f0a064a5, 0x17a1b1bdbed431f1,
223 0xb5f58eeaf3a2717f, 0xc355f6c849858740, 0xec5df044694ef17e, 0xd83751f5dc6346d4, 0xfc4433520dfdacf2,
224 0x0000000000000000, 0x5a51f58e596ebc5f, 0x3285aaf12e34cf16, 0x8d5c39db6dbd36b0, 0x12b731dde64f7513,
225 0x94906c2d7aa7dfbb, 0x302b583aacc8e789, 0x9d45facd090e6b3c, 0x2165e2c78905aec4, 0x68d45f7f775a7349,
226 0x189b2c1d5664fdca, 0xe1c99f2f030215da, 0x6983269436246788, 0x8489af3b1e148237, 0xe94b702431d5b59c,
227 0x33d2d31a6f4adbd7, 0xbfd9932a4389f9a6, 0xb0e30e8aab39359d, 0xd1e2c715afcaf253, 0x150f43763c28196e,
228 0xc4ed846393e2eb3d, 0x03f98b20c3823c5e, 0xfd134ab94c83b833, 0x556b682eb1de7064, 0x36c4537a37d19f35,
229 0x7559f30279a5ca61, 0x799ae58252973a04, 0x9c12832648707ffd, 0x78cd9c6913e92ec5, 0x1d8dac7d0effb928,
230 0x439da0784e745554, 0x413352b3cc887dcb, 0xbacf134a1b12bd44, 0x114ebafd25cd494d, 0x2f08068c20cb763e,
231 0x76a07822ba27f63f, 0xeab2fb04f25789c2, 0xe3676de481fe3d45, 0x1b62a73d95e6c194, 0x641749ff5c68832c,
232 0xa5ec4dfc97112cf3, 0xf6682e92bdd6242b, 0x3f11c59a44782bb2, 0x317c21d1edb6f348, 0xd65ab5be75ad9e2e,
233 0x6b2dd45fb4d84f17, 0xfaab381296e4d44e, 0xd0b5befeeeb4e692, 0x0882ef0b32d7a046, 0x512a91a5a83b2047,
234 0x963e9ee6f85bf724, 0x4e09cf132438b1f0, 0x77f701c9fb59e2fe, 0x7ddb1c094b726a27, 0x5f4775ee01f5f8bd,
235 0x9186ec4d223c9b59, 0xfeeac1998f01846d, 0xac39db1ce4b89874, 0xb75b7c21715e59e0, 0xafc0503c273aa42a,
236 0x6e3b543fec430bf5, 0x704f7362213e8e83, 0x58ff0745db9294c0, 0x67eec2df9feabf72, 0xa0facd9ccf8a6811,
237 0xb936986ad890811a, 0x95c715c63bd9cb7a, 0xca8060283a2c33c7, 0x507de84ee9453486, 0x85ded6d05f6a96f6,
238 0x1cdad5964f81ade9, 0xd5a33e9eb62fa270, 0x40642b588df6690a, 0x7f75eec2c98e42b8, 0x2cf18dace3494a60,
239 0x23cb100c0bf9865b, 0xeef3028febb2d9e1, 0x4425d2d394133929, 0xaad6d05c7fa1e0c8, 0xad6ea2f7a5c68cb5,
240 0xc2028f2308fb9381, 0x819f2f5b468fc6d5, 0xc5bafd88d29cfffc, 0x47dc59f357910577, 0x2b49ff07392e261d,
241 0x57c59ae5332258fb, 0x73b6f842e2bcb2dd, 0xcf96e04862b77725, 0x4ca73dd8a6c4996f, 0x015779eb417e14c1,
242 0x37932a9176af8bf4},
243 {0x190a2c9b249df23e, 0x2f62f8b62263e1e9, 0x7a7f754740993655, 0x330b7ba4d5564d9f, 0x4c17a16a46672582,
244 0xb22f08eb7d05f5b8, 0x535f47f40bc148cc, 0x3aec5d27d4883037, 0x10ed0a1825438f96, 0x516101f72c233d17,
245 0x13cc6f949fd04eae, 0x739853c441474bfd, 0x653793d90d3f5b1b, 0x5240647b96b0fc2f, 0x0c84890ad27623e0,
246 0xd7189b32703aaea3, 0x2685de3523bd9c41, 0x99317c5b11bffefa, 0x0d9baa854f079703, 0x70b93648fbd48ac5,
247 0xa80441fce30bc6be, 0x7287704bdc36ff1e, 0xb65384ed33dc1f13, 0xd36417343ee34408, 0x39cd38ab6e1bf10f,
248 0x5ab861770a1f3564, 0x0ebacf09f594563b, 0xd04572b884708530, 0x3cae9722bdb3af47, 0x4a556b6f2f5cbaf2,
249 0xe1704f1f76c4bd74, 0x5ec4ed7144c6dfcf, 0x16afc01d4c7810e6, 0x283f113cd629ca7a, 0xaf59a8761741ed2d,
250 0xeed5a3991e215fac, 0x3bf37ea849f984d4, 0xe413e096a56ce33c, 0x2c439d3a98f020d1, 0x637559dc6404c46b,
251 0x9e6c95d1e5f5d569, 0x24bb9836045fe99a, 0x44efa466dac8ecc9, 0xc6eab2a5c80895d6, 0x803b50c035220cc4,
252 0x0321658cba93c138, 0x8f9ebc465dc7ee1c, 0xd15a5137190131d3, 0x0fa5ec8668e5e2d8, 0x91c979578d1037b1,
253 0x0642ca05693b9f70, 0xefca80168350eb4f, 0x38d21b24f36a45ec, 0xbeab81e1af73d658, 0x8cbfd9cae7542f24,
254 0xfd19cc0d81f11102, 0x0ac6430fbb4dbc90, 0x1d76a09d6a441895, 0x2a01573ff1cbbfa1, 0xb572e161894fde2b,
255 0x8124734fa853b827, 0x614b1fdf43e6b1b0, 0x68ac395c4238cc18, 0x21d837bfd7f7b7d2, 0x20c714304a860331,
256 0x5cfaab726324aa14, 0x74c5ba4eb50d606e, 0xf3a3030474654739, 0x23e671bcf015c209, 0x45f087e947b9582a,
257 0xd8bd77b418df4c7b, 0xe06f6c90ebb50997, 0x0bd96080263c0873, 0x7e03f9410e40dcfe, 0xb8e94be4c6484928,
258 0xfb5b0608e8ca8e72, 0x1a2b49179e0e3306, 0x4e29e76961855059, 0x4f36c4e6fcf4e4ba, 0x49740ee395cf7bca,
259 0xc2963ea386d17f7d, 0x90d65ad810618352, 0x12d34c1b02a1fa4d, 0xfa44258775bb3a91, 0x18150f14b9ec46dd,
260 0x1491861e6b9a653d, 0x9a1019d7ab2c3fc2, 0x3668d42d06fe13d7, 0xdcc1fbb25606a6d0, 0x969490dd795a1c22,
261 0x3549b1a1bc6dd2ef, 0xc94f5e23a0ed770e, 0xb9f6686b5b39fdcb, 0xc4d4f4a6efeae00d, 0xe732851a1fff2204,
262 0x94aad6de5eb869f9, 0x3f8ff2ae07206e7f, 0xfe38a9813b62d03a, 0xa7a1ad7a8bee2466, 0x7b6056c8dde882b6,
263 0x302a1e286fc58ca7, 0x8da0fa457a259bc7, 0xb3302b64e074415b, 0x5402ae7eff8b635f, 0x08f8050c9cafc94b,
264 0xae468bf98a3059ce, 0x88c355cca98dc58f, 0xb10e6d67c7963480, 0xbad70de7e1aa3cf3, 0xbfb4a26e320262bb,
265 0xcb711820870f02d5, 0xce12b7a954a75c9d, 0x563ce87dd8691684, 0x9f73b65e7884618a, 0x2b1e74b06cba0b42,
266 0x47cec1ea605b2df1, 0x1c698312f735ac76, 0x5fdbcefed9b76b2c, 0x831a354c8fb1cdfc, 0x820516c312c0791f,
267 0xb74ca762aeadabf0, 0xfc06ef821c80a5e1, 0x5723cbf24518a267, 0x9d4df05d5f661451, 0x588627742dfd40bf,
268 0xda8331b73f3d39a0, 0x17b0e392d109a405, 0xf965400bcf28fba9, 0x7c3dbf4229a2a925, 0x023e460327e275db,
269 0x6cd0b55a0ce126b3, 0xe62da695828e96e7, 0x42ad6e63b3f373b9, 0xe50cc319381d57df, 0xc5cbd729729b54ee,
270 0x46d1e265fd2a9912, 0x6428b056904eeff8, 0x8be23040131e04b7, 0x6709d5da2add2ec0, 0x075de98af44a2b93,
271 0x8447dcc67bfbe66f, 0x6616f655b7ac9a23, 0xd607b8bded4b1a40, 0x0563af89d3a85e48, 0x3db1b4ad20c21ba4,
272 0x11f22997b8323b75, 0x292032b34b587e99, 0x7f1cdace9331681d, 0x8e819fc9c0b65aff, 0xa1e3677fe2d5bb16,
273 0xcd33d225ee349da5, 0xd9a2543b85aef898, 0x795e10cbfa0af76d, 0x25a4bbb9992e5d79, 0x78413344677b438e,
274 0xf0826688cef68601, 0xd27b34bba392f0eb, 0x551d8df162fad7bc, 0x1e57c511d0d7d9ad, 0xdeffbdb171e4d30b,
275 0xf4feea8e802f6caa, 0xa480c8f6317de55e, 0xa0fc44f07fa40ff5, 0x95b5f551c3c9dd1a, 0x22f952336d6476ea,
276 0x0000000000000000, 0xa6be8ef5169f9085, 0xcc2cf1aa73452946, 0x2e7ddb39bf12550a, 0xd526dd3157d8db78,
277 0x486b2d6c08becf29, 0x9b0f3a58365d8b21, 0xac78cdfaadd22c15, 0xbc95c7e28891a383, 0x6a927f5f65dab9c3,
278 0xc3891d2c1ba0cb9e, 0xeaa92f9f50f8b507, 0xcf0d9426c9d6e87e, 0xca6e3baf1a7eb636, 0xab25247059980786,
279 0x69b31ad3df4978fb, 0xe2512a93cc577c4c, 0xff278a0ea61364d9, 0x71a615c766a53e26, 0x89dc764334fc716c,
280 0xf87a638452594f4a, 0xf2bc208be914f3da, 0x8766b94ac1682757, 0xbbc82e687cdb8810, 0x626a7a53f9757088,
281 0xa2c202f358467a2e, 0x4d0882e5db169161, 0x09e7268301de7da8, 0xe897699c771ac0dc, 0xc8507dac3d9cc3ed,
282 0xc0a878a0a1330aa6, 0x978bb352e42ba8c1, 0xe9884a13ea6b743f, 0x279afdbabecc28a2, 0x047c8c064ed9eaab,
283 0x507e2278b15289f4, 0x599904fbb08cf45c, 0xbd8ae46d15e01760, 0x31353da7f2b43844, 0x8558ff49e68a528c,
284 0x76fbfc4d92ef15b5, 0x3456922e211c660c, 0x86799ac55c1993b4, 0x3e90d1219a51da9c, 0x2d5cbeb505819432,
285 0x982e5fd48cce4a19, 0xdb9c1238a24c8d43, 0xd439febecaa96f9b, 0x418c0bef0960b281, 0x158ea591f6ebd1de,
286 0x1f48e69e4da66d4e, 0x8afd13cf8e6fb054, 0xf5e1c9011d5ed849, 0xe34e091c5126c8af, 0xad67ee7530a398f6,
287 0x43b24dec2e82c75a, 0x75da99c1287cd48d, 0x92e81cdb3783f689, 0xa3dd217cc537cecd, 0x60543c50de970553,
288 0x93f73f54aaf2426a, 0xa91b62737e7a725d, 0xf19d4507538732e2, 0x77e4dfc20f9ea156, 0x7d229ccdb4d31dc6,
289 0x1b346a98037f87e5, 0xedf4c615a4b29e94, 0x4093286094110662, 0xb0114ee85ae78063, 0x6ff1d0d6b672e78b,
290 0x6dcf96d591909250, 0xdfe09e3eec9567e8, 0x3214582b4827f97c, 0xb46dc2ee143e6ac8, 0xf6c0ac8da7cd1971,
291 0xebb60c10cd8901e4, 0xf7df8f023abcad92, 0x9c52d3d2c217a0b2, 0x6b8d5cd0f8ab0d20, 0x3777f7a29b8fa734,
292 0x011f238f9d71b4e3, 0xc1b75b2f3c42be45, 0x5de588fdfe551ef7, 0x6eeef3592b035368, 0xaa3a07ffc4e9b365,
293 0xecebe59a39c32a77, 0x5ba742f8976e8187, 0x4b4a48e0b22d0e11, 0xddded83dcb771233, 0xa59feb79ac0c51bd,
294 0xc7f5912a55792135},
295 {0x6d6ae04668a9b08a, 0x3ab3f04b0be8c743, 0xe51e166b54b3c908, 0xbe90a9eb35c2f139, 0xb2c7066637f2bec1,
296 0xaa6945613392202c, 0x9a28c36f3b5201eb, 0xddce5a93ab536994, 0x0e34133ef6382827, 0x52a02ba1ec55048b,
297 0xa2f88f97c4b2a177, 0x8640e513ca2251a5, 0xcdf1d36258137622, 0xfe6cb708dedf8ddb, 0x8a174a9ec8121e5d,
298 0x679896036b81560e, 0x59ed033395795fee, 0x1dd778ab8b74edaf, 0xee533ef92d9f926d, 0x2a8c79baf8a8d8f5,
299 0x6bcf398e69b119f6, 0xe20491742fafdd95, 0x276488e0809c2aec, 0xea955b82d88f5cce, 0x7102c63a99d9e0c4,
300 0xf9763017a5c39946, 0x429fa2501f151b3d, 0x4659c72bea05d59e, 0x984b7fdccf5a6634, 0xf742232953fbb161,
301 0x3041860e08c021c7, 0x747bfd9616cd9386, 0x4bb1367192312787, 0x1b72a1638a6c44d3, 0x4a0e68a6e8359a66,
302 0x169a5039f258b6ca, 0xb98a2ef44edee5a4, 0xd9083fe85e43a737, 0x967f6ce239624e13, 0x8874f62d3c1a7982,
303 0x3c1629830af06e3f, 0x9165ebfd427e5a8e, 0xb5dd81794ceeaa5c, 0x0de8f15a7834f219, 0x70bd98ede3dd5d25,
304 0xaccc9ca9328a8950, 0x56664eda1945ca28, 0x221db34c0f8859ae, 0x26dbd637fa98970d, 0x1acdffb4f068f932,
305 0x4585254f64090fa0, 0x72de245e17d53afa, 0x1546b25d7c546cf4, 0x207e0ffffb803e71, 0xfaaad2732bcf4378,
306 0xb462dfae36ea17bd, 0xcf926fd1ac1b11fd, 0xe0672dc7dba7ba4a, 0xd3fa49ad5d6b41b3, 0x8ba81449b216a3bc,
307 0x14f9ec8a0650d115, 0x40fc1ee3eb1d7ce2, 0x23a2ed9b758ce44f, 0x782c521b14fddc7e, 0x1c68267cf170504e,
308 0xbcf31558c1ca96e6, 0xa781b43b4ba6d235, 0xf6fd7dfe29ff0c80, 0xb0a4bad5c3fad91e, 0xd199f51ea963266c,
309 0x414340349119c103, 0x5405f269ed4dadf7, 0xabd61bb649969dcd, 0x6813dbeae7bdc3c8, 0x65fb2ab09f8931d1,
310 0xf1e7fae152e3181d, 0xc1a67cef5a2339da, 0x7a4feea8e0f5bba1, 0x1e0b9acf05783791, 0x5b8ebf8061713831,
311 0x80e53cdbcb3af8d9, 0x7e898bd315e57502, 0xc6bcfbf0213f2d47, 0x95a38e86b76e942d, 0x092e94218d243cba,
312 0x8339debf453622e7, 0xb11be402b9fe64ff, 0x57d9100d634177c9, 0xcc4e8db52217cbc3, 0x3b0cae9c71ec7aa2,
313 0xfb158ca451cbfe99, 0x2b33276d82ac6514, 0x01bf5ed77a04bde1, 0xc5601994af33f779, 0x75c4a3416cc92e67,
314 0xf3844652a6eb7fc2, 0x3487e375fdd0ef64, 0x18ae430704609eed, 0x4d14efb993298efb, 0x815a620cb13e4538,
315 0x125c354207487869, 0x9eeea614ce42cf48, 0xce2d3106d61fac1c, 0xbbe99247bad6827b, 0x071a871f7b1c149d,
316 0x2e4a1cc10db81656, 0x77a71ff298c149b8, 0x06a5d9c80118a97c, 0xad73c27e488e34b1, 0x443a7b981e0db241,
317 0xe3bbcfa355ab6074, 0x0af276450328e684, 0x73617a896dd1871b, 0x58525de4ef7de20f, 0xb7be3dcab8e6cd83,
318 0x19111dd07e64230c, 0x842359a03e2a367a, 0x103f89f1f3401fb6, 0xdc710444d157d475, 0xb835702334da5845,
319 0x4320fc876511a6dc, 0xd026abc9d3679b8d, 0x17250eee885c0b2b, 0x90dab52a387ae76f, 0x31fed8d972c49c26,
320 0x89cba8fa461ec463, 0x2ff5421677bcabb7, 0x396f122f85e41d7d, 0xa09b332430bac6a8, 0xc888e8ced7070560,
321 0xaeaf201ac682ee8f, 0x1180d7268944a257, 0xf058a43628e7a5fc, 0xbd4c4b8fbbce2b07, 0xa1246df34abe7b49,
322 0x7d5569b79be9af3c, 0xa9b5a705bd9efa12, 0xdb6b835baa4bc0e8, 0x05793bac8f147342, 0x21c1512881848390,
323 0xfdb0556c50d357e5, 0x613d4fcb6a99ff72, 0x03dce2648e0cda3e, 0xe949b9e6568386f0, 0xfc0f0bbb2ad7ea04,
324 0x6a70675913b5a417, 0x7f36d5046fe1c8e3, 0x0c57af8d02304ff8, 0x32223abdfcc84618, 0x0891caf6f720815b,
325 0xa63eeaec31a26fd4, 0x2507345374944d33, 0x49d28ac266394058, 0xf5219f9aa7f3d6be, 0x2d96fea583b4cc68,
326 0x5a31e1571b7585d0, 0x8ed12fe53d02d0fe, 0xdfade6205f5b0e4b, 0x4cabb16ee92d331a, 0x04c6657bf510cea3,
327 0xd73c2cd6a87b8f10, 0xe1d87310a1a307ab, 0x6cd5be9112ad0d6b, 0x97c032354366f3f2, 0xd4e0ceb22677552e,
328 0x0000000000000000, 0x29509bde76a402cb, 0xc27a9e8bd42fe3e4, 0x5ef7842cee654b73, 0xaf107ecdbc86536e,
329 0x3fcacbe784fcb401, 0xd55f90655c73e8cf, 0xe6c2f40fdabf1336, 0xe8f6e7312c873b11, 0xeb2a0555a28be12f,
330 0xe4a148bc2eb774e9, 0x9b979db84156bc0a, 0x6eb60222e6a56ab4, 0x87ffbbc4b026ec44, 0xc703a5275b3b90a6,
331 0x47e699fc9001687f, 0x9c8d1aa73a4aa897, 0x7cea3760e1ed12dd, 0x4ec80ddd1d2554c5, 0x13e36b957d4cc588,
332 0x5d2b66486069914d, 0x92b90999cc7280b0, 0x517cc9c56259deb5, 0xc937b619ad03b881, 0xec30824ad997f5b2,
333 0xa45d565fc5aa080b, 0xd6837201d27f32f1, 0x635ef3789e9198ad, 0x531f75769651b96a, 0x4f77530a6721e924,
334 0x486dd4151c3dfdb9, 0x5f48dafb9461f692, 0x375b011173dc355a, 0x3da9775470f4d3de, 0x8d0dcd81b30e0ac0,
335 0x36e45fc609d888bb, 0x55baacbe97491016, 0x8cb29356c90ab721, 0x76184125e2c5f459, 0x99f4210bb55edbd5,
336 0x6f095cf59ca1d755, 0x9f51f8c3b44672a9, 0x3538bda287d45285, 0x50c39712185d6354, 0xf23b1885dcefc223,
337 0x79930ccc6ef9619f, 0xed8fdc9da3934853, 0xcb540aaa590bdf5e, 0x5c94389f1a6d2cac, 0xe77daad8a0bbaed7,
338 0x28efc5090ca0bf2a, 0xbf2ff73c4fc64cd8, 0xb37858b14df60320, 0xf8c96ec0dfc724a7, 0x828680683f329f06,
339 0x941cd051cd6a29cc, 0xc3c5c05cae2b5e05, 0xb601631dc2e27062, 0xc01922382027843b, 0x24b86a840e90f0d2,
340 0xd245177a276ffc52, 0x0f8b4de98c3c95c6, 0x3e759530fef809e0, 0x0b4d2892792c5b65, 0xc4df4743d5374a98,
341 0xa5e20888bfaeb5ea, 0xba56cc90c0d23f9a, 0x38d04cf8ffe0a09c, 0x62e1adafe495254c, 0x0263bcb3f40867df,
342 0xcaeb547d230f62bf, 0x6082111c109d4293, 0xdad4dd8cd04f7d09, 0xefec602e579b2f8c, 0x1fb4c4187f7c8a70,
343 0xffd3e9dfa4db303a, 0x7bf0b07f9af10640, 0xf49ec14dddf76b5f, 0x8f6e713247066d1f, 0x339d646a86ccfbf9,
344 0x64447467e58d8c30, 0x2c29a072f9b07189, 0xd8b7613f24471ad6, 0x6627c8d41185ebef, 0xa347d140beb61c96,
345 0xde12b8f7255fb3aa, 0x9d324470404e1576, 0x9306574eb6763d51, 0xa80af9d2c79a47f3, 0x859c0777442e8b9b,
346 0x69ac853d9db97e29},
347 {0xc3407dfc2de6377e, 0x5b9e93eea4256f77, 0xadb58fdd50c845e0, 0x5219ff11a75bed86, 0x356b61cfd90b1de9,
348 0xfb8f406e25abe037, 0x7a5a0231c0f60796, 0x9d3cd216e1f5020b, 0x0c6550fb6b48d8f3, 0xf57508c427ff1c62,
349 0x4ad35ffa71cb407d, 0x6290a2da1666aa6d, 0xe284ec2349355f9f, 0xb3c307c53d7c84ec, 0x05e23c0468365a02,
350 0x190bac4d6c9ebfa8, 0x94bbbee9e28b80fa, 0xa34fc777529cb9b5, 0xcc7b39f095bcd978, 0x2426addb0ce532e3,
351 0x7e79329312ce4fc7, 0xab09a72eebec2917, 0xf8d15499f6b9d6c2, 0x1a55b8babf8c895d, 0xdb8add17fb769a85,
352 0xb57f2f368658e81b, 0x8acd36f18f3f41f6, 0x5ce3b7bba50f11d3, 0x114dcc14d5ee2f0a, 0xb91a7fcded1030e8,
353 0x81d5425fe55de7a1, 0xb6213bc1554adeee, 0x80144ef95f53f5f2, 0x1e7688186db4c10c, 0x3b912965db5fe1bc,
354 0xc281715a97e8252d, 0x54a5d7e21c7f8171, 0x4b12535ccbc5522e, 0x1d289cefbea6f7f9, 0x6ef5f2217d2e729e,
355 0xe6a7dc819b0d17ce, 0x1b94b41c05829b0e, 0x33d7493c622f711e, 0xdcf7f942fa5ce421, 0x600fba8b7f7a8ecb,
356 0x46b60f011a83988e, 0x235b898e0dcf4c47, 0x957ab24f588592a9, 0x4354330572b5c28c, 0xa5f3ef84e9b8d542,
357 0x8c711e02341b2d01, 0x0b1874ae6a62a657, 0x1213d8e306fc19ff, 0xfe6d7c6a4d9dba35, 0x65ed868f174cd4c9,
358 0x88522ea0e6236550, 0x899322065c2d7703, 0xc01e690bfef4018b, 0x915982ed8abddaf8, 0xbe675b98ec3a4e4c,
359 0xa996bf7f82f00db1, 0xe1daf8d49a27696a, 0x2effd5d3dc8986e7, 0xd153a51f2b1a2e81, 0x18caa0ebd690adfb,
360 0x390e3134b243c51a, 0x2778b92cdff70416, 0x029f1851691c24a6, 0x5e7cafeacc133575, 0xfa4e4cc89fa5f264,
361 0x5a5f9f481e2b7d24, 0x484c47ab18d764db, 0x400a27f2a1a7f479, 0xaeeb9b2a83da7315, 0x721c626879869734,
362 0x042330a2d2384851, 0x85f672fd3765aff0, 0xba446b3a3e02061d, 0x73dd6ecec3888567, 0xffac70ccf793a866,
363 0xdfa9edb5294ed2d4, 0x6c6aea7014325638, 0x834a5a0e8c41c307, 0xcdba35562fb2cb2b, 0x0ad97808d06cb404,
364 0x0f3b440cb85aee06, 0xe5f9c876481f213b, 0x98deee1289c35809, 0x59018bbfcd394bd1, 0xe01bf47220297b39,
365 0xde68e1139340c087, 0x9fa3ca4788e926ad, 0xbb85679c840c144e, 0x53d8f3b71d55ffd5, 0x0da45c5dd146caa0,
366 0x6f34fe87c72060cd, 0x57fbc315cf6db784, 0xcee421a1fca0fdde, 0x3d2d0196607b8d4b, 0x642c8a29ad42c69a,
367 0x14aff010bdd87508, 0xac74837beac657b3, 0x3216459ad821634d, 0x3fb219c70967a9ed, 0x06bc28f3bb246cf7,
368 0xf2082c9126d562c6, 0x66b39278c45ee23c, 0xbd394f6f3f2878b9, 0xfd33689d9e8f8cc0, 0x37f4799eb017394f,
369 0x108cc0b26fe03d59, 0xda4bd1b1417888d6, 0xb09d1332ee6eb219, 0x2f3ed975668794b4, 0x58c0871977375982,
370 0x7561463d78ace990, 0x09876cff037e82f1, 0x7fb83e35a8c05d94, 0x26b9b58a65f91645, 0xef20b07e9873953f,
371 0x3148516d0b3355b8, 0x41cb2b541ba9e62a, 0x790416c613e43163, 0xa011d380818e8f40, 0x3a5025c36151f3ef,
372 0xd57095bdf92266d0, 0x498d4b0da2d97688, 0x8b0c3a57353153a5, 0x21c491df64d368e1, 0x8f2f0af5e7091bf4,
373 0x2da1c1240f9bb012, 0xc43d59a92ccc49da, 0xbfa6573e56345c1f, 0x828b56a8364fd154, 0x9a41f643e0df7caf,
374 0xbcf843c985266aea, 0x2b1de9d7b4bfdce5, 0x20059d79dedd7ab2, 0x6dabe6d6ae3c446b, 0x45e81bf6c991ae7b,
375 0x6351ae7cac68b83e, 0xa432e32253b6c711, 0xd092a9b991143cd2, 0xcac711032e98b58f, 0xd8d4c9e02864ac70,
376 0xc5fc550f96c25b89, 0xd7ef8dec903e4276, 0x67729ede7e50f06f, 0xeac28c7af045cf3d, 0xb15c1f945460a04a,
377 0x9cfddeb05bfb1058, 0x93c69abce3a1fe5e, 0xeb0380dc4a4bdd6e, 0xd20db1e8f8081874, 0x229a8528b7c15e14,
378 0x44291750739fbc28, 0xd3ccbd4e42060a27, 0xf62b1c33f4ed2a97, 0x86a8660ae4779905, 0xd62e814a2a305025,
379 0x477703a7a08d8add, 0x7b9b0e977af815c5, 0x78c51a60a9ea2330, 0xa6adfb733aaae3b7, 0x97e5aa1e3199b60f,
380 0x0000000000000000, 0xf4b404629df10e31, 0x5564db44a6719322, 0x9207961a59afec0d, 0x9624a6b88b97a45c,
381 0x363575380a192b1c, 0x2c60cd82b595a241, 0x7d272664c1dc7932, 0x7142769faa94a1c1, 0xa1d0df263b809d13,
382 0x1630e841d4c451ae, 0xc1df65ad44fa13d8, 0x13d2d445bcf20bac, 0xd915c546926abe23, 0x38cf3d92084dd749,
383 0xe766d0272103059d, 0xc7634d5effde7f2f, 0x077d2455012a7ea4, 0xedbfa82ff16fb199, 0xaf2a978c39d46146,
384 0x42953fa3c8bbd0df, 0xcb061da59496a7dc, 0x25e7a17db6eb20b0, 0x34aa6d6963050fba, 0xa76cf7d580a4f1e4,
385 0xf7ea10954ee338c4, 0xfcf2643b24819e93, 0xcf252d0746aeef8d, 0x4ef06f58a3f3082c, 0x563acfb37563a5d7,
386 0x5086e740ce47c920, 0x2982f186dda3f843, 0x87696aac5e798b56, 0x5d22bb1d1f010380, 0x035e14f7d31236f5,
387 0x3cec0d30da759f18, 0xf3c920379cdb7095, 0xb8db736b571e22bb, 0xdd36f5e44052f672, 0xaac8ab8851e23b44,
388 0xa857b3d938fe1fe2, 0x17f1e4e76eca43fd, 0xec7ea4894b61a3ca, 0x9e62c6e132e734fe, 0xd4b1991b432c7483,
389 0x6ad6c283af163acf, 0x1ce9904904a8e5aa, 0x5fbda34c761d2726, 0xf910583f4cb7c491, 0xc6a241f845d06d7c,
390 0x4f3163fe19fd1a7f, 0xe99c988d2357f9c8, 0x8eee06535d0709a7, 0x0efa48aa0254fc55, 0xb4be23903c56fa48,
391 0x763f52caabbedf65, 0xeee1bcd8227d876c, 0xe345e085f33b4dcc, 0x3e731561b369bbbe, 0x2843fd2067adea10,
392 0x2adce5710eb1ceb6, 0xb7e03767ef44ccbd, 0x8db012a48e153f52, 0x61ceb62dc5749c98, 0xe85d942b9959eb9b,
393 0x4c6f7709caef2c8a, 0x84377e5b8d6bbda3, 0x30895dcbb13d47eb, 0x74a04a9bc2a2fbc3, 0x6b17ce251518289c,
394 0xe438c4d0f2113368, 0x1fb784bed7bad35f, 0x9b80fae55ad16efc, 0x77fe5e6c11b0cd36, 0xc858095247849129,
395 0x08466059b97090a2, 0x01c10ca6ba0e1253, 0x6988d6747c040c3a, 0x6849dad2c60a1e69, 0x5147ebe67449db73,
396 0xc99905f4fd8a837a, 0x991fe2b433cd4a5a, 0xf09734c04fc94660, 0xa28ecbd1e892abe6, 0xf1563866f5c75433,
397 0x4dae7baf70e13ed9, 0x7ce62ac27bd26b61, 0x70837a39109ab392, 0x90988e4b30b3c8ab, 0xb2020b63877296bf,
398 0x156efcb607d6675b},
399 {0xe63f55ce97c331d0, 0x25b506b0015bba16, 0xc8706e29e6ad9ba8, 0x5b43d3775d521f6a, 0x0bfa3d577035106e,
400 0xab95fc172afb0e66, 0xf64b63979e7a3276, 0xf58b4562649dad4b, 0x48f7c3dbae0c83f1, 0xff31916642f5c8c5,
401 0xcbb048dc1c4a0495, 0x66b8f83cdf622989, 0x35c130e908e2b9b0, 0x7c761a61f0b34fa1, 0x3601161cf205268d,
402 0x9e54ccfe2219b7d6, 0x8b7d90a538940837, 0x9cd403588ea35d0b, 0xbc3c6fea9ccc5b5a, 0xe5ff733b6d24aeed,
403 0xceed22de0f7eb8d2, 0xec8581cab1ab545e, 0xb96105e88ff8e71d, 0x8ca03501871a5ead, 0x76ccce65d6db2a2f,
404 0x5883f582a7b58057, 0x3f7be4ed2e8adc3e, 0x0fe7be06355cd9c9, 0xee054e6c1d11be83, 0x1074365909b903a6,
405 0x5dde9f80b4813c10, 0x4a770c7d02b6692c, 0x5379c8d5d7809039, 0xb4067448161ed409, 0x5f5e5026183bd6cd,
406 0xe898029bf4c29df9, 0x7fb63c940a54d09c, 0xc5171f897f4ba8bc, 0xa6f28db7b31d3d72, 0x2e4f3be7716eaa78,
407 0x0d6771a099e63314, 0x82076254e41bf284, 0x2f0fd2b42733df98, 0x5c9e76d3e2dc49f0, 0x7aeb569619606cdb,
408 0x83478b07b2468764, 0xcfadcb8d5923cd32, 0x85dac7f05b95a41e, 0xb5469d1b4043a1e9, 0xb821ecbbd9a592fd,
409 0x1b8e0b0e798c13c8, 0x62a57b6d9a0be02e, 0xfcf1b793b81257f8, 0x9d94ea0bd8fe28eb, 0x4cea408aeb654a56,
410 0x23284a47e888996c, 0x2d8f1d128b893545, 0xf4cbac3132c0d8ab, 0xbd7c86b9ca912eba, 0x3a268eef3dbe6079,
411 0xf0d62f6077a9110c, 0x2735c916ade150cb, 0x89fd5f03942ee2ea, 0x1acee25d2fd16628, 0x90f39bab41181bff,
412 0x430dfe8cde39939f, 0xf70b8ac4c8274796, 0x1c53aeaac6024552, 0x13b410acf35e9c9b, 0xa532ab4249faa24f,
413 0x2b1251e5625a163f, 0xd7e3e676da4841c7, 0xa7b264e4e5404892, 0xda8497d643ae72d3, 0x861ae105a1723b23,
414 0x38a6414991048aa4, 0x6578dec92585b6b4, 0x0280cfa6acbaeadd, 0x88bdb650c273970a, 0x9333bd5ebbff84c2,
415 0x4e6a8f2c47dfa08b, 0x321c954db76cef2a, 0x418d312a72837942, 0xb29b38bfffcdf773, 0x6c022c38f90a4c07,
416 0x5a033a240b0f6a8a, 0x1f93885f3ce5da6f, 0xc38a537e96988bc6, 0x39e6a81ac759ff44, 0x29929e43cee0fce2,
417 0x40cdd87924de0ca2, 0xe9d8ebc8a29fe819, 0x0c2798f3cfbb46f4, 0x55e484223e53b343, 0x4650948ecd0d2fd8,
418 0x20e86cb2126f0651, 0x6d42c56baf5739e7, 0xa06fc1405ace1e08, 0x7babbfc54f3d193b, 0x424d17df8864e67f,
419 0xd8045870ef14980e, 0xc6d7397c85ac3781, 0x21a885e1443273b1, 0x67f8116f893f5c69, 0x24f5efe35706cff6,
420 0xd56329d076f2ab1a, 0x5e1eb9754e66a32d, 0x28d2771098bd8902, 0x8f6013f47dfdc190, 0x17a993fdb637553c,
421 0xe0a219397e1012aa, 0x786b9930b5da8606, 0x6e82e39e55b0a6da, 0x875a0856f72f4ec3, 0x3741ff4fa458536d,
422 0xac4859b3957558fc, 0x7ef6d5c75c09a57c, 0xc04a758b6c7f14fb, 0xf9acdd91ab26ebbf, 0x7391a467c5ef9668,
423 0x335c7c1ee1319aca, 0xa91533b18641e4bb, 0xe4bf9a683b79db0d, 0x8e20faa72ba0b470, 0x51f907737b3a7ae4,
424 0x2268a314bed5ec8c, 0xd944b123b949edee, 0x31dcb3b84d8b7017, 0xd3fe65279f218860, 0x097af2f1dc8ffab3,
425 0x9b09a6fc312d0b91, 0xcc6ded78a3c4520f, 0x3481d9ba5ebfcc50, 0x4f2a667f1182d56b, 0xdfd9fdd4509ace94,
426 0x26752045fbbc252b, 0xbffc491f662bc467, 0xdd593272fc202449, 0x3cbbc218d46d4303, 0x91b372f817456e1f,
427 0x681faf69bc6385a0, 0xb686bbeebaa43ed4, 0x1469b5084cd0ca01, 0x98c98009cbca94ac, 0x6438379a73d8c354,
428 0xc2caba2dc0c5fe26, 0x3e3b0dbe78d7a9de, 0x50b9ee202d670f04, 0x4590b27b37eab0e5, 0x6025b4cb36b10af3,
429 0xfb2c1237079c0162, 0xa12f28130c936be8, 0x4b37e52e54eb1ccc, 0x083a1ba28ad28f53, 0xc10a9cd83a22611b,
430 0x9f1425ad7444c236, 0x069d4cf7e9d3237a, 0xedc56899e7f621be, 0x778c273680865fcf, 0x309c5aeb1bd605f7,
431 0x8de0dc52d1472b4d, 0xf8ec34c2fd7b9e5f, 0xea18cd3d58787724, 0xaad515447ca67b86, 0x9989695a9d97e14c,
432 0x0000000000000000, 0xf196c63321f464ec, 0x71116bc169557cb5, 0xaf887f466f92c7c1, 0x972e3e0ffe964d65,
433 0x190ec4a8d536f915, 0x95aef1a9522ca7b8, 0xdc19db21aa7d51a9, 0x94ee18fa0471d258, 0x8087adf248a11859,
434 0xc457f6da2916dd5c, 0xfa6cfb6451c17482, 0xf256e0c6db13fbd1, 0x6a9f60cf10d96f7d, 0x4daaa9d9bd383fb6,
435 0x03c026f5fae79f3d, 0xde99148706c7bb74, 0x2a52b8b6340763df, 0x6fc20acd03edd33a, 0xd423c08320afdefa,
436 0xbbe1ca4e23420dc0, 0x966ed75ca8cb3885, 0xeb58246e0e2502c4, 0x055d6a021334bc47, 0xa47242111fa7d7af,
437 0xe3623fcc84f78d97, 0x81c744a11efc6db9, 0xaec8961539cfb221, 0xf31609958d4e8e31, 0x63e5923ecc5695ce,
438 0x47107ddd9b505a38, 0xa3afe7b5a0298135, 0x792b7063e387f3e6, 0x0140e953565d75e0, 0x12f4f9ffa503e97b,
439 0x750ce8902c3cb512, 0xdbc47e8515f30733, 0x1ed3610c6ab8af8f, 0x5239218681dde5d9, 0xe222d69fd2aaf877,
440 0xfe71783514a8bd25, 0xcaf0a18f4a177175, 0x61655d9860ec7f13, 0xe77fbc9dc19e4430, 0x2ccff441ddd440a5,
441 0x16e97aaee06a20dc, 0xa855dae2d01c915b, 0x1d1347f9905f30b2, 0xb7c652bdecf94b34, 0xd03e43d265c6175d,
442 0xfdb15ec0ee4f2218, 0x57644b8492e9599e, 0x07dda5a4bf8e569a, 0x54a46d71680ec6a3, 0x5624a2d7c4b42c7e,
443 0xbebca04c3076b187, 0x7d36f332a6ee3a41, 0x3b6667bc6be31599, 0x695f463aea3ef040, 0xad08b0e0c3282d1c,
444 0xb15b1e4a052a684e, 0x44d05b2861b7c505, 0x15295c5b1a8dbfe1, 0x744c01c37a61c0f2, 0x59c31cd1f1e8f5b7,
445 0xef45a73f4b4ccb63, 0x6bdf899c46841a9d, 0x3dfb2b4b823036e3, 0xa2ef0ee6f674f4d5, 0x184e2dfb836b8cf5,
446 0x1134df0a5fe47646, 0xbaa1231d751f7820, 0xd17eaa81339b62bd, 0xb01bf71953771dae, 0x849a2ea30dc8d1fe,
447 0x705182923f080955, 0x0ea757556301ac29, 0x041d83514569c9a7, 0x0abad4042668658e, 0x49b72a88f851f611,
448 0x8a3d79f66ec97dd7, 0xcd2d042bf59927ef, 0xc930877ab0f0ee48, 0x9273540deda2f122, 0xc797d02fd3f14261,
449 0xe1e2f06a284d674a, 0xd2be8c74c97cfd80, 0x9a494faf67707e71, 0xb3dbd1eca9908293, 0x72d14d3493b2e388,
450 0xd6a30f258c153427}};

◆ STREEBOG_C

const uint64_t Botan::STREEBOG_C
extern

Definition at line 452 of file streebog_precalc.cpp.

452 {{0xdd806559f2a64507,
453 0x05767436cc744d23,
454 0xa2422a08a460d315,
455 0x4b7ce09192676901,
456 0x714eb88d7585c4fc,
457 0x2f6a76432e45d016,
458 0xebcb2f81c0657c1f,
459 0xb1085bda1ecadae9},
460 {0xe679047021b19bb7,
461 0x55dda21bd7cbcd56,
462 0x5cb561c2db0aa7ca,
463 0x9ab5176b12d69958,
464 0x61d55e0f16b50131,
465 0xf3feea720a232b98,
466 0x4fe39d460f70b5d7,
467 0x6fa3b58aa99d2f1a},
468 {0x991e96f50aba0ab2,
469 0xc2b6f443867adb31,
470 0xc1c93a376062db09,
471 0xd3e20fe490359eb1,
472 0xf2ea7514b1297b7b,
473 0x06f15e5f529c1f8b,
474 0x0a39fc286a3d8435,
475 0xf574dcac2bce2fc7},
476 {0x220cbebc84e3d12e,
477 0x3453eaa193e837f1,
478 0xd8b71333935203be,
479 0xa9d72c82ed03d675,
480 0x9d721cad685e353f,
481 0x488e857e335c3c7d,
482 0xf948e1a05d71e4dd,
483 0xef1fdfb3e81566d2},
484 {0x601758fd7c6cfe57,
485 0x7a56a27ea9ea63f5,
486 0xdfff00b723271a16,
487 0xbfcd1747253af5a3,
488 0x359e35d7800fffbd,
489 0x7f151c1f1686104a,
490 0x9a3f410c6ca92363,
491 0x4bea6bacad474799},
492 {0xfa68407a46647d6e,
493 0xbf71c57236904f35,
494 0x0af21f66c2bec6b6,
495 0xcffaa6b71c9ab7b4,
496 0x187f9ab49af08ec6,
497 0x2d66c4f95142a46c,
498 0x6fa4c33b7a3039c0,
499 0xae4faeae1d3ad3d9},
500 {0x8886564d3a14d493,
501 0x3517454ca23c4af3,
502 0x06476983284a0504,
503 0x0992abc52d822c37,
504 0xd3473e33197a93c9,
505 0x399ec6c7e6bf87c9,
506 0x51ac86febf240954,
507 0xf4c70e16eeaac5ec},
508 {0xa47f0dd4bf02e71e,
509 0x36acc2355951a8d9,
510 0x69d18d2bd1a5c42f,
511 0xf4892bcb929b0690,
512 0x89b4443b4ddbc49a,
513 0x4eb7f8719c36de1e,
514 0x03e7aa020c6e4141,
515 0x9b1f5b424d93c9a7},
516 {0x7261445183235adb,
517 0x0e38dc92cb1f2a60,
518 0x7b2b8a9aa6079c54,
519 0x800a440bdbb2ceb1,
520 0x3cd955b7e00d0984,
521 0x3a7d3a1b25894224,
522 0x944c9ad8ec165fde,
523 0x378f5a541631229b},
524 {0x74b4c7fb98459ced,
525 0x3698fad1153bb6c3,
526 0x7a1e6c303b7652f4,
527 0x9fe76702af69334b,
528 0x1fffe18a1b336103,
529 0x8941e71cff8a78db,
530 0x382ae548b2e4f3f3,
531 0xabbedea680056f52},
532 {0x6bcaa4cd81f32d1b,
533 0xdea2594ac06fd85d,
534 0xefbacd1d7d476e98,
535 0x8a1d71efea48b9ca,
536 0x2001802114846679,
537 0xd8fa6bbbebab0761,
538 0x3002c6cd635afe94,
539 0x7bcd9ed0efc889fb},
540 {0x48bc924af11bd720,
541 0xfaf417d5d9b21b99,
542 0xe71da4aa88e12852,
543 0x5d80ef9d1891cc86,
544 0xf82012d430219f9b,
545 0xcda43c32bcdf1d77,
546 0xd21380b00449b17a,
547 0x378ee767f11631ba}};

Referenced by Botan::Streebog::compress_64().