Botan 3.8.1
Crypto and TLS for C&
Botan Namespace Reference

Namespaces

namespace  AES_AARCH64
 
namespace  ARIA_F
 
namespace  ASN1
 
namespace  Camellia_F
 
namespace  Cert_Extension
 
namespace  CMCE_CT
 
namespace  concepts
 
namespace  CryptoBox
 
namespace  CRYSTALS
 
namespace  CT
 
namespace  detail
 
namespace  Dilithium_Algos
 
namespace  fmt_detail
 
namespace  FPE
 
namespace  HTTP
 
namespace  KeyPair
 
namespace  Kuznyechik_F
 
namespace  Kyber_Algos
 
namespace  OCSP
 
namespace  OIDS
 
namespace  OS
 
namespace  PCurve
 
namespace  PEM_Code
 
namespace  PK_Ops
 
namespace  PKCS11
 
namespace  PKCS8
 
namespace  PKIX
 
namespace  ranges
 
namespace  Roughtime
 
namespace  Serpent_F
 
namespace  SHA1_F
 
namespace  SHA1_SIMD_F
 
namespace  Sodium
 
namespace  Threefish_F
 
namespace  TLS
 
namespace  TPM2
 
namespace  X509
 

Classes

class  Adler32
 
class  AEAD_Mode
 
class  AES_128
 
class  AES_192
 
class  AES_256
 
class  AES_256_CTR_XOF
 
class  AffinePointTable
 
class  Algorithm_Not_Found
 
class  AlgorithmIdentifier
 
class  AlignmentBuffer
 Alignment buffer helper. More...
 
struct  all_same
 
class  Allocator_Initializer
 
class  AlternativeName
 
class  ANSI_X919_MAC
 
class  ANSI_X923_Padding
 
class  Argon2
 
class  Argon2_Family
 
class  ARIA_128
 
class  ARIA_192
 
class  ARIA_256
 
class  ASN1_Formatter
 
class  ASN1_Object
 
class  ASN1_Pretty_Printer
 
class  ASN1_String
 
class  ASN1_Time
 
class  Asymmetric_Key
 
class  Atomic
 
class  Attribute
 
class  AutoSeeded_RNG
 
class  Barrett_Reduction
 
class  Barrier
 
class  Base64_Decoder
 
class  Base64_Encoder
 
class  Bcrypt_PBKDF
 
class  Bcrypt_PBKDF_Family
 
class  BER_Bad_Tag
 
class  BER_Decoder
 
class  BER_Decoding_Error
 
class  BER_Object
 
class  BigInt
 
class  BitBucket
 
class  bitvector_base
 
class  BLAKE2b
 
class  BLAKE2bMAC
 
class  BLAKE2s
 
class  Blinder
 
class  Block_Cipher_Fixed_Params
 
class  BlockCipher
 
class  BlockCipherModePaddingMethod
 
class  Blowfish
 
class  Buffered_Computation
 
class  Buffered_Filter
 
class  BufferSlicer
 
class  BufferStuffer
 Helper class to ease in-place marshalling of concatenated fixed-length values. More...
 
class  Bzip2_Compression
 
class  Bzip2_Decompression
 
class  calendar_point
 
class  Camellia_128
 
class  Camellia_192
 
class  Camellia_256
 
class  Cascade_Cipher
 
class  CAST_128
 
class  CBC_Decryption
 
class  CBC_Encryption
 
class  CBC_Mode
 
class  CCM_Decryption
 
class  CCM_Encryption
 
class  CCM_Mode
 
class  Certificate_Extension
 
class  Certificate_Store
 
class  Certificate_Store_In_Memory
 
class  Certificate_Store_In_SQL
 
class  Certificate_Store_In_SQLite
 
class  Certificate_Store_MacOS
 
class  Certificate_Store_Windows
 
class  CFB_Decryption
 
class  CFB_Encryption
 
class  CFB_Mode
 
class  ChaCha
 
class  ChaCha20Poly1305_Decryption
 
class  ChaCha20Poly1305_Encryption
 
class  ChaCha20Poly1305_Mode
 
class  ChaCha_RNG
 
class  Chain
 
class  Cipher_Mode
 
class  Cipher_Mode_Filter
 
class  Classic_McEliece_Decryptor
 
class  Classic_McEliece_Encryptor
 
class  Classic_McEliece_Field_Ordering
 Represents a field ordering for the Classic McEliece cryptosystem. More...
 
class  Classic_McEliece_GF
 Represents an element of the finite field GF(q) for q = 2^m. More...
 
struct  Classic_McEliece_KeyPair_Internal
 Representation of a Classic McEliece key pair. More...
 
class  Classic_McEliece_Matrix
 Representation of the binary Classic McEliece matrix H, with H = (I_mt | T). More...
 
class  Classic_McEliece_Minimal_Polynomial
 Representation of a minimal polynomial in GF(q)[y]. More...
 
class  Classic_McEliece_Parameter_Set
 
class  Classic_McEliece_Parameters
 
class  Classic_McEliece_Polynomial
 Representation of a Classic McEliece polynomial. More...
 
class  Classic_McEliece_Polynomial_Ring
 Represents the polynomial ring GF(q)[y]/F(y) where F(y) is the modulus polynomial in GF(q)[y] of degree t. More...
 
class  Classic_McEliece_PrivateKey
 
class  Classic_McEliece_PrivateKeyInternal
 Representation of a Classic McEliece private key. More...
 
class  Classic_McEliece_PublicKey
 
class  Classic_McEliece_PublicKeyInternal
 Representation of a Classic McEliece public key. More...
 
class  CMAC
 
class  Comb4P
 
class  CommonCrypto_Error
 
struct  CommonCryptor_Opts
 
class  Compression_Algorithm
 
class  Compression_Alloc_Info
 
class  Compression_Error
 
class  Compression_Stream
 
class  CPUFeature
 
class  CPUID
 
class  CRC24
 
class  CRC32
 
class  Credentials_Manager
 
class  CRL_Entry
 
class  cSHAKE_128_XOF
 
class  cSHAKE_256_XOF
 
class  cSHAKE_XOF
 
class  CTR_BE
 
class  CTS_Decryption
 
class  CTS_Encryption
 
class  CurveGFp
 
class  DataSink
 
class  DataSink_Stream
 
class  DataSource
 
class  DataSource_Memory
 
class  DataSource_Stream
 
class  Decoding_Error
 
class  Decompression_Algorithm
 
class  Deflate_Compression
 
class  Deflate_Decompression
 
class  DER_Encoder
 
class  DES
 
class  DH_PrivateKey
 
class  DH_PublicKey
 
class  Dilithium_AES_Symmetric_Primitives
 
class  Dilithium_Expanded_Keypair_Codec
 
class  Dilithium_Keypair_Codec
 
class  Dilithium_PrivateKey
 
class  Dilithium_PrivateKeyInternal
 
class  Dilithium_PublicKey
 
class  Dilithium_PublicKeyInternal
 
class  Dilithium_Round3_Symmetric_Primitives
 
class  Dilithium_Symmetric_Primitives
 
class  Dilithium_Symmetric_Primitives_Base
 
class  DilithiumConstants
 
class  DilithiumMessageHash
 
class  DilithiumMode
 
class  DilithiumPolyTraits
 
class  DilithiumShakeXOF
 
class  DilithiumXOF
 
class  DL_Group
 
class  DL_PrivateKey
 
class  DL_PublicKey
 
class  DLIES_Decryptor
 
class  DLIES_Encryptor
 
class  donna128
 
class  DSA_PrivateKey
 
class  DSA_PublicKey
 
class  Dynamically_Loaded_Library
 
class  EAX_Decryption
 
class  EAX_Encryption
 
class  EAX_Mode
 
class  EC_AffinePoint
 
class  EC_AffinePoint_Data
 
class  EC_AffinePoint_Data_BN
 
class  EC_AffinePoint_Data_PC
 
class  EC_Group
 
class  EC_Group_Data
 
class  EC_Mul2Table_Data
 
class  EC_Mul2Table_Data_BN
 
class  EC_Mul2Table_Data_PC
 
class  EC_Point
 
class  EC_Point_Base_Point_Precompute
 
class  EC_Point_Multi_Point_Precompute
 
class  EC_Point_Var_Point_Precompute
 
class  EC_PrivateKey
 
class  EC_PrivateKey_Data
 
class  EC_PublicKey
 
class  EC_PublicKey_Data
 
class  EC_Scalar
 
class  EC_Scalar_Data
 
class  EC_Scalar_Data_BN
 
class  EC_Scalar_Data_PC
 
class  ECDH_PrivateKey
 
class  ECDH_PublicKey
 
class  ECDSA_PrivateKey
 
class  ECDSA_PublicKey
 
class  ECGDSA_PrivateKey
 
class  ECGDSA_PublicKey
 
class  ECIES_Decryptor
 
class  ECIES_Encryptor
 
class  ECIES_KA_Operation
 
class  ECIES_KA_Params
 
class  ECIES_System_Params
 
class  ECKCDSA_PrivateKey
 
class  ECKCDSA_PublicKey
 
class  Ed25519_PrivateKey
 
class  Ed25519_PublicKey
 
class  Ed448_PrivateKey
 A private key for Ed448/Ed448ph according to RFC 8032. More...
 
class  Ed448_PublicKey
 A public key for Ed448/Ed448ph according to RFC 8032. More...
 
class  Ed448Point
 Representation of a point on the Ed448 curve. More...
 
struct  eea_result
 
class  ElGamal_PrivateKey
 
class  ElGamal_PublicKey
 
class  EME
 
class  EME_PKCS1v15
 
class  EME_Raw
 
class  EMSA
 
class  EMSA_PKCS1v15
 
class  EMSA_PKCS1v15_Raw
 
class  EMSA_Raw
 
class  EMSA_X931
 
struct  EnableArithmeticWithPlainNumber
 
class  Encoding_Error
 
class  Encrypted_PSK_Database
 
class  Encrypted_PSK_Database_SQL
 
class  Entropy_Source
 
class  Entropy_Sources
 
class  ESDM_RNG
 
class  ESP_Padding
 
class  Exception
 
class  Expanded_Keypair_Codec
 Codec for expanded private keys (as specified in FIPS 203) More...
 
class  Extensions
 
class  Fanout_Filter
 
class  FE_25519
 
class  Filter
 
class  Flatfile_Certificate_Store
 
class  Fork
 
class  FPE_FE1
 
class  FrodoKEM_PrivateKey
 
class  FrodoKEM_PublicKey
 
class  FrodoKEMConstants
 
class  FrodoKEMMode
 
class  FrodoMatrix
 
class  GCM_Decryption
 
class  GCM_Encryption
 
class  GCM_Mode
 
struct  ge_p3
 
class  GeneralName
 X.509 GeneralName Type. More...
 
class  GeneralSubtree
 A single Name Constraint. More...
 
class  Getentropy
 
class  GF2m_Field
 
class  Gf448Elem
 
class  GF_Mask
 Constant time mask wrapper for GF(q) elements. More...
 
class  GHASH
 
class  GMAC
 
class  GOST_28147_89
 
class  GOST_28147_89_Params
 
class  GOST_3410_PrivateKey
 
class  GOST_3410_PublicKey
 
class  GOST_34_11
 
class  Gzip_Compression
 
class  Gzip_Decompression
 
class  Hardware_RNG
 
class  HashFunction
 
class  Hex_Decoder
 
class  Hex_Encoder
 
class  HKDF
 
class  HKDF_Expand
 
class  HKDF_Extract
 
class  HMAC
 
class  HMAC_DRBG
 
class  HOTP
 
class  HSS_LMS_Params
 The HSS-LMS parameters. More...
 
class  HSS_LMS_PrivateKey
 An HSS/LMS private key. More...
 
class  HSS_LMS_PrivateKeyInternal
 The internal HSS-LMS private key. More...
 
class  HSS_LMS_PublicKey
 An HSS/LMS public key. More...
 
class  HSS_LMS_PublicKeyInternal
 The internal HSS-LMS public key. More...
 
class  HSS_Signature
 A HSS-LMS signature. More...
 
class  Hybrid_PrivateKey
 Abstraction for a combined KEM private key. More...
 
class  Hybrid_PublicKey
 Abstraction for a combined KEM public key. More...
 
class  IDEA
 
class  Intel_Rdseed
 
class  Internal_Error
 
class  Invalid_Algorithm_Name
 
class  Invalid_Argument
 
class  Invalid_Authentication_Tag
 
class  Invalid_IV_Length
 
class  Invalid_Key_Length
 
class  Invalid_State
 
struct  is_bitvector
 
struct  is_bitvector< bitvector_base< T > >
 
struct  is_strong_span
 
struct  is_strong_span< StrongSpan< T > >
 
struct  is_strong_type
 
struct  is_strong_type< Strong< Ts... > >
 
class  ISO_9796_DS2
 
class  ISO_9796_DS3
 
class  Jitter_RNG
 
class  KDF
 
class  KDF1
 
class  KDF1_18033
 
class  KDF2
 
class  Keccak_1600
 
class  Keccak_Permutation
 
class  KEM_Decryption_with_Combiner
 Abstract interface for a KEM decryption operation for KEM combiners. More...
 
class  KEM_Encapsulation
 
class  KEM_Encryption_with_Combiner
 Abstract interface for a KEM encryption operation for KEM combiners. More...
 
class  KEX_to_KEM_Adapter_PrivateKey
 
class  KEX_to_KEM_Adapter_PublicKey
 
class  Key_Constraints
 
class  Key_Length_Specification
 
class  Key_Not_Set
 
class  Keyed_Filter
 
class  KMAC
 
class  KMAC128
 
class  KMAC256
 
class  Kuznyechik
 
class  Kyber_90s_Symmetric_Primitives
 
class  Kyber_KEM_Decryptor
 
class  Kyber_KEM_Decryptor_Base
 
class  Kyber_KEM_Encryptor
 
class  Kyber_KEM_Encryptor_Base
 
class  Kyber_KEM_Operation_Base
 
class  Kyber_Keypair_Codec
 
class  Kyber_Modern_Symmetric_Primitives
 
class  Kyber_PrivateKey
 
class  Kyber_PrivateKeyInternal
 
class  Kyber_PublicKey
 
class  Kyber_PublicKeyInternal
 
class  Kyber_Symmetric_Primitives
 
class  KyberConstants
 
class  KyberMode
 
class  KyberPolyTraits
 
struct  KyberPrivateKeySeed
 
class  Lion
 
class  LMOTS_Params
 The LM-OTS parameters. More...
 
class  LMOTS_Private_Key
 Representation of an LMOTS private key. More...
 
class  LMOTS_Public_Key
 Representation of an OTS public key. More...
 
class  LMOTS_Signature
 Representation of a LM-OTS signature. More...
 
class  LMS_Instance
 Base class for LMS private and public key. Contains public data associated with this LMS instance. More...
 
class  LMS_Params
 The LMS parameters. More...
 
class  LMS_PrivateKey
 Representation of an LMS Private key. More...
 
class  LMS_PublicKey
 The LMS public key. More...
 
class  LMS_Signature
 Container for LMS Signature data. More...
 
class  lock_guard
 
class  Lookup_Error
 
class  LZMA_Compression
 
class  LZMA_Decompression
 
class  McEliece_PrivateKey
 
class  McEliece_PublicKey
 
class  MD4
 
class  MD5
 
class  Memory_Pool
 
class  MerkleDamgard_Hash
 
class  MessageAuthenticationCode
 
class  ML_DSA_Expanding_Keypair_Codec
 
class  ML_DSA_MessageHash
 
class  ML_DSA_Symmetric_Primitives
 
class  ML_KEM_Decryptor
 
class  ML_KEM_Encryptor
 
class  ML_KEM_Symmetric_Primitives
 
class  mlock_allocator
 
class  Modular_Reducer
 
class  Montgomery_Int
 
class  Montgomery_Params
 
class  NameConstraints
 Name Constraints. More...
 
class  No_Filesystem_Access
 
class  Noekeon
 
class  noop_mutex
 
class  Not_Implemented
 
class  Null_Padding
 
class  Null_RNG
 
class  OAEP
 
class  OCB_Decryption
 
class  OCB_Encryption
 
class  OCB_Mode
 
class  OctetString
 
class  OFB
 
class  OID
 
class  OID_Map
 
class  OneAndZeros_Padding
 
class  OpenPGP_S2K
 
class  OTS_Instance
 Base class for LMOTS private and public key. Contains the parameters for the specific OTS instance. More...
 
class  Output_Buffers
 
struct  overloaded
 
class  Parallel
 
class  PasswordHash
 
class  PasswordHashFamily
 
class  Path_Validation_Restrictions
 
class  Path_Validation_Result
 
class  PBKDF
 
class  PBKDF2
 
class  PBKDF2_Family
 
class  Pipe
 
class  PK_Decryptor
 
class  PK_Decryptor_EME
 
class  PK_Encryptor
 
class  PK_Encryptor_EME
 
class  PK_KEM_Decryptor
 
class  PK_KEM_Encryptor
 
class  PK_Key_Agreement
 
class  PK_Key_Agreement_Key
 
class  PK_Signer
 
class  PK_Verifier
 
class  PKCS10_Request
 
class  PKCS5_PBKDF2
 
class  PKCS7_Padding
 
class  PKCS8_Exception
 
class  Poly1305
 
class  polyn_gf2m
 
class  Private_Key
 
class  PRNG_Unseeded
 
class  Processor_RNG
 
class  Provider_Not_Found
 
class  PseudorandomKeyGeneration
 Helper class used to derive secret values based in the pseudorandom key generation described in RFC 8554 Appendix A. More...
 
class  PSK_Database
 
class  PSS_Params
 
class  PSSR
 
class  PSSR_Raw
 
class  Public_Key
 
class  RandomNumberGenerator
 
class  RawHashFunction
 
class  RC4
 
class  RFC4880_S2K
 
class  RFC4880_S2K_Family
 
class  RFC6979_Nonce_Generator
 
class  RIPEMD_160
 
class  RSA_PrivateKey
 
class  RSA_PublicKey
 
class  RTSS_Share
 
class  RWLock
 
class  Salsa20
 
class  Scalar448
 Representation of a scalar for X448. More...
 
class  SCAN_Name
 
class  scoped_cleanup
 Helper class to create a RAII-style cleanup callback. More...
 
class  Scrypt
 
class  Scrypt_Family
 
class  secure_allocator
 
class  SecureQueue
 
class  SEED
 
class  Seed_Expanding_Keypair_Codec
 Codec for private keys as 64-byte seeds: d || z. More...
 
class  Semaphore
 
class  Serpent
 
class  SHA_1
 
class  SHA_224
 
class  SHA_256
 
class  SHA_3
 
class  SHA_384
 
class  SHA_3_224
 
class  SHA_3_256
 
class  SHA_3_384
 
class  SHA_3_512
 
class  SHA_512
 
class  SHA_512_256
 
class  SHACAL2
 
class  SHAKE_128
 
class  SHAKE_128_Cipher
 
class  SHAKE_128_XOF
 
class  SHAKE_256
 
class  SHAKE_256_Cipher
 
class  SHAKE_256_XOF
 
class  SHAKE_Cipher
 
class  SHAKE_XOF
 
class  SIMD_16x32
 
class  SIMD_2x64
 
class  SIMD_4x32
 
class  SIMD_4x64
 
class  SIMD_8x32
 
class  SIMD_8x64
 
class  SipHash
 
class  SIV_Decryption
 
class  SIV_Encryption
 
class  SIV_Mode
 
class  Skein_512
 
class  SM2_PrivateKey
 
class  SM2_PublicKey
 
class  SM3
 
class  SM4
 
class  SolinasAccum
 
class  SP800_108_Counter
 
class  SP800_108_Feedback
 
class  SP800_108_Pipeline
 
class  SP800_56A_One_Step_KMAC_Abstract
 
class  SP800_56C_One_Step_Hash
 
class  SP800_56C_One_Step_HMAC
 
class  SP800_56C_One_Step_KMAC128
 
class  SP800_56C_One_Step_KMAC256
 
class  SP800_56C_Two_Step
 
class  Sphincs_Address
 
class  Sphincs_Hash_Functions
 
class  Sphincs_Hash_Functions_Sha2
 
class  Sphincs_Hash_Functions_Shake
 
class  Sphincs_Parameters
 
struct  SphincsMessageInternal
 M' representation of FIPS 205 (the input to slh_sign_internal and slh_verify_internal) More...
 
class  SphincsPlus_PrivateKey
 An SLH-DSA private key. More...
 
class  SphincsPlus_PublicKey
 An SLH-DSA (or SPHINCS+ Round 3.1) public key. More...
 
class  SQL_Database
 
class  Sqlite3_Database
 
class  SRP6_Server_Session
 
class  Stateful_RNG
 
class  Stream_Compression
 
class  Stream_Decompression
 
class  Stream_IO_Error
 
class  StreamCipher
 
class  Streebog
 
class  StringLiteral
 
class  Strong
 
class  StrongSpan
 
class  SymmetricAlgorithm
 
class  System_Certificate_Store
 
class  System_Error
 
class  System_RNG
 
class  Thread_Pool
 
class  Threefish_512
 
class  TLS_12_PRF
 
class  TOTP
 
class  TPM_Context
 
class  TPM_Error
 
class  TPM_PrivateKey
 
class  TPM_RNG
 
class  TripleDES
 
class  Truncated_Hash
 
class  Tweakable_Block_Cipher
 
class  Twofish
 
class  Unknown_PK_Field_Name
 
class  URI
 
class  UUID
 
class  Whirlpool
 
class  Win32_EntropySource
 
class  word3
 
struct  WordInfo
 
struct  WordInfo< uint32_t >
 
struct  WordInfo< uint64_t >
 
class  X25519_PrivateKey
 
class  X25519_PublicKey
 
class  X448_PrivateKey
 A private key for the X448 key agreement scheme according to RFC 7748. More...
 
class  X448_PublicKey
 A public key for the X448 key agreement scheme according to RFC 7748. More...
 
class  X509_CA
 
class  X509_Cert_Options
 
class  X509_Certificate
 
class  X509_CRL
 
class  X509_DN
 
class  X509_Object
 
class  X942_PRF
 
class  XMSS_Address
 
class  XMSS_Common_Ops
 
class  XMSS_Hash
 
class  XMSS_Index_Registry
 
class  XMSS_Parameters
 
class  XMSS_PrivateKey
 
class  XMSS_PublicKey
 
class  XMSS_Signature
 
class  XMSS_Signature_Operation
 
class  XMSS_Tools
 
class  XMSS_Verification_Operation
 
class  XMSS_WOTS_Base
 
class  XMSS_WOTS_Parameters
 
class  XMSS_WOTS_PrivateKey
 
class  XMSS_WOTS_PublicKey
 
class  XOF
 
class  XTS_Decryption
 
class  XTS_Encryption
 
class  XTS_Mode
 
class  ZFEC
 
class  Zlib_Compression
 
class  Zlib_Decompression
 
class  Zlib_Style_Stream
 

Concepts

concept  md_hash_implementation
 
concept  WordType
 
concept  curve_supports_fe_invert2
 
concept  updatable_object
 
concept  appendable_object
 
concept  absorbing_object
 
concept  bitvectorish
 

Typedefs

typedef __vector unsigned int Altivec32x4
 
typedef __vector unsigned long long Altivec64x2
 
typedef __vector unsigned char Altivec8x16
 
using bitvector = bitvector_base<std::allocator>
 
template<size_t bound>
using Bounded_XOF = detail::Bounded_XOF<XOF&, bound>
 
using byte = std::uint8_t
 
typedef int32_t CCCryptorStatus
 
typedef std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
 
using CmceCodeWord = Strong<secure_bitvector, struct CmceCodeWord_>
 Represents C of decapsulation.
 
using CmceColumnSelection = Strong<secure_bitvector, struct CmceColumnSelection_>
 Represents c of private key.
 
using CmceErrorVector = Strong<secure_bitvector, struct CmceErrorVector_>
 Represents e of encapsulation.
 
using CmceGfElem = Strong<uint16_t, struct CmceGfElem_>
 Represents a GF(q) element.
 
using CmceGfMod = Strong<uint16_t, struct CmceGfMod_>
 Represents a GF(q) modulus.
 
using CmceInitialSeed = Strong<secure_vector<uint8_t>, struct CmceInitialSeed_>
 Represents initial delta of keygen.
 
using CmceIrreducibleBits = Strong<secure_vector<uint8_t>, struct CmceIrreducibleBits_>
 
using CmceKeyGenSeed = Strong<secure_vector<uint8_t>, struct CmceKeyGenSeed_>
 Represents a delta (can be altered; final value stored in private key)
 
using CmceOrderingBits = Strong<secure_vector<uint8_t>, struct CmceOrderingBits_>
 
using CmcePermutation = Strong<secure_vector<uint16_t>, struct CmcePermutation_>
 Represents a permutation (pi in spec). Used in field ordering creation.
 
using CmcePermutationElement = Strong<uint16_t, struct CmcePermutationElement_>
 Represents an element of a permuation (pi in spec). Used in field ordering creation.
 
using CmceRejectionSeed = Strong<secure_vector<uint8_t>, struct CmceRejectionSeed_>
 Represents s of private key.
 
typedef X25519_PrivateKey Curve25519_PrivateKey
 
typedef X25519_PublicKey Curve25519_PublicKey
 
using DilithiumCommitmentHash = Strong<std::vector<uint8_t>, struct DilithiumCommitmentHash_>
 Hash of the message representative and the signer's commitment.
 
using DilithiumHashedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumHashedPublicKey_>
 
using DilithiumInternalKeypair
 Internal representation of a Dilithium key pair.
 
using DilithiumMessageRepresentative = Strong<std::vector<uint8_t>, struct DilithiumMessageRepresentative_>
 Representation of the message to be signed.
 
using DilithiumOptionalRandomness = Strong<secure_vector<uint8_t>, struct DilithiumOptionalRandomness_>
 Optional randomness 'rnd' used for rho prime computation in ML-DSA.
 
using DilithiumPoly = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal>
 
using DilithiumPolyMatNTT = Botan::CRYSTALS::PolynomialMatrix<DilithiumPolyTraits>
 
using DilithiumPolyNTT = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT>
 
using DilithiumPolyVec = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal>
 
using DilithiumPolyVecNTT = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT>
 
using DilithiumSeedRandomness = Strong<secure_vector<uint8_t>, struct DilithiumSeedRandomness_>
 Principal seed used to generate Dilithium key pairs.
 
using DilithiumSeedRho = Strong<std::vector<uint8_t>, struct DilithiumPublicSeed_>
 Public seed to sample the polynomial matrix A from.
 
using DilithiumSeedRhoPrime = Strong<secure_vector<uint8_t>, struct DilithiumSeedRhoPrime_>
 Private seed to sample the polynomial vectors s1 and s2 from.
 
using DilithiumSerializedCommitment = Strong<std::vector<uint8_t>, struct DilithiumSerializedCommitment_>
 Serialized representation of a commitment w1.
 
using DilithiumSerializedPrivateKey = Strong<secure_vector<uint8_t>, struct DilithiumSerializedPrivateKey_>
 Serialized private key data.
 
using DilithiumSerializedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumSerializedPublicKey_>
 Serialized public key data (result of pkEncode(pk))
 
using DilithiumSerializedSignature = Strong<std::vector<uint8_t>, struct DilithiumSerializedSignature_>
 Serialized signature data.
 
using DilithiumSigningSeedK = Strong<secure_vector<uint8_t>, struct DilithiumSeedK_>
 Private seed K used during signing.
 
using ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_>
 
using ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_>
 
using FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_>
 
using FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_>
 
using FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_>
 
using FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_>
 
using FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_>
 
using FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_>
 
using FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_>
 
using FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_>
 
using FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_>
 
using FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_>
 
using FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_>
 
using FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_>
 
using GenerateLeafFunction = std::function<void(StrongSpan<SphincsTreeNode> , TreeNodeIndex)>
 
typedef uint16_t gf2m
 
using HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber>
 The HSS layer in the HSS multi tree starting at 0 from the root.
 
using HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber>
 The index of a node within a specific LMS tree layer.
 
using HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_>
 Index of a layer in the XMSS hyper-tree.
 
using InitializationVector = OctetString
 
typedef Invalid_Authentication_Tag Integrity_Failure
 
using KyberCompressedCiphertext = Strong<std::vector<uint8_t>, struct KyberCompressedCiphertext_>
 Compressed and serialized ciphertext value.
 
using KyberEncryptionRandomness = Strong<secure_vector<uint8_t>, struct KyberEncryptionRandomness_>
 Random value used to generate the Kyber ciphertext.
 
using KyberHashedCiphertext = Strong<std::vector<uint8_t>, struct KyberHashedCiphertext_>
 
using KyberHashedPublicKey = Strong<std::vector<uint8_t>, struct KyberHashedPublicKey_>
 Hash value of the serialized public key.
 
using KyberImplicitRejectionValue = Strong<secure_vector<uint8_t>, struct KyberImplicitRejectionValue_>
 Secret random value (called Z in the spec), used for implicit rejection in the decapsulation.
 
using KyberInternalKeypair
 
using KyberMessage = Strong<secure_vector<uint8_t>, struct KyberMessage_>
 Random message value to be encrypted by the CPA-secure Kyber encryption scheme.
 
using KyberPoly = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal>
 
using KyberPolyMat = Botan::CRYSTALS::PolynomialMatrix<KyberPolyTraits>
 
using KyberPolyNTT = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT>
 
using KyberPolyVec = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal>
 
using KyberPolyVecNTT = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT>
 
using KyberSamplingRandomness = Strong<secure_vector<uint8_t>, struct KyberSamplingRandomness_>
 PRF value used for sampling of error polynomials.
 
using KyberSeedRandomness = Strong<secure_vector<uint8_t>, struct KyberSeedRandomness_>
 Principal seed used to generate Kyber key pairs.
 
using KyberSeedRho = Strong<std::vector<uint8_t>, struct KyberSeedRho_>
 Public seed value to generate the Kyber matrix A.
 
using KyberSeedSigma = Strong<secure_vector<uint8_t>, struct KyberSeedSigma_>
 Private seed used to generate polynomial vectors s and e during key generation.
 
using KyberSerializedPublicKey = Strong<std::vector<uint8_t>, struct KyberSerializedPublicKey_>
 Public key in serialized form (t || rho)
 
using KyberSharedSecret = Strong<secure_vector<uint8_t>, struct KyberSharedSecret_>
 Shared secret value generated during encapsulation and recovered during decapsulation.
 
using KyberSigmaOrEncryptionRandomness
 Variant value of either a KyberSeedSigma or a KyberEncryptionRandomness.
 
using LMOTS_K = Strong<std::vector<uint8_t>, struct LMOTS_K_>
 The K value from the LM-OTS public key.
 
using LMOTS_Node = Strong<secure_vector<uint8_t>, struct LMOTS_Node_>
 One node within one LM-OTS hash chain.
 
using LMOTS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMOTS_Signature_Bytes_>
 Byte vector of an LM-OTS signature.
 
using LMS_AuthenticationPath = Strong<std::vector<uint8_t>, struct LMS_AuthenticationPath_>
 The authentication path of an LMS signature.
 
using LMS_Identifier = Strong<std::vector<uint8_t>, struct LMS_Identifier_>
 The identifier of an LMS tree (I in RFC 8554)
 
using LMS_Message = Strong<std::vector<uint8_t>, struct LMS_Message_>
 A message that is signed with an LMS tree.
 
using LMS_Seed = Strong<secure_vector<uint8_t>, struct LMS_SEED_>
 Seed of the LMS tree, used to generate the LM-OTS private keys.
 
using LMS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMS_Signature_Bytes_>
 Raw bytes of an LMS signature.
 
using LMS_Tree_Node = Strong<std::vector<uint8_t>, struct LMS_Tree_Node_>
 A node with the LMS tree.
 
using LMS_Tree_Node_Idx = Strong<uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber>
 The index of a node within a specific LMS tree layer.
 
template<typename T>
using lock_guard_type = lock_guard<T>
 
typedef MessageAuthenticationCode MAC
 
using ML_DSA_Mode = DilithiumMode
 
using ML_DSA_PrivateKey = Dilithium_PrivateKey
 
using ML_DSA_PublicKey = Dilithium_PublicKey
 
using ML_KEM_Mode = KyberMode
 
using ML_KEM_PrivateKey = Kyber_PrivateKey
 
using ML_KEM_PublicKey = Kyber_PublicKey
 
using mutex_type = noop_mutex
 
template<std::signed_integral T>
using next_longer_int_t
 
template<std::unsigned_integral T>
using next_longer_uint_t
 
using Point448 = Strong<std::array<uint8_t, X448_LEN>, struct Point448_>
 
typedef EC_Point PointGFp
 
using recursive_mutex_type = noop_mutex
 
typedef RandomNumberGenerator RNG
 
typedef PBKDF S2K
 
using s32bit = std::int32_t
 
using ScalarX448 = Strong<std::array<uint8_t, X448_LEN>, struct ScalarX448_>
 
using secure_bitvector = bitvector_base<secure_allocator>
 
template<typename T>
using secure_deque = std::deque<T, secure_allocator<T>>
 
template<typename T>
using secure_vector = std::vector<T, secure_allocator<T>>
 
template<typename T>
using SecureVector = secure_vector<T>
 
typedef SM2_PrivateKey SM2_Encryption_PrivateKey
 
typedef SM2_PublicKey SM2_Encryption_PublicKey
 
typedef SM2_PrivateKey SM2_Signature_PrivateKey
 
typedef SM2_PublicKey SM2_Signature_PublicKey
 
using SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_>
 
using SphincsContext = Strong<std::vector<uint8_t>, struct SphincsContext_>
 
using SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_>
 
using SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>
 
using SphincsInputMessage = Strong<std::vector<uint8_t>, struct SphincsInputMessage_>
 
using SphincsMessagePrefix = Strong<std::vector<uint8_t>, struct SphincsMessagePrefix_>
 
using SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_>
 
using SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_>
 
using SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_>
 
using SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_>
 
using SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_>
 
using SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_>
 Either an XMSS or FORS tree node or leaf.
 
using SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>
 
template<typename T>
using strong_type_wrapped_type = typename detail::wrapped_type_helper<std::remove_cvref_t<T>>::type
 Extracts the wrapped type from a strong type.
 
using SymmetricKey = OctetString
 
using TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber>
 Index of the layer within a FORS/XMSS tree.
 
using TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber>
 Index of an individual node inside an XMSS or FORS tree.
 
using u16bit = std::uint16_t
 
using u32bit = std::uint32_t
 
using u64bit = std::uint64_t
 
using word = std::conditional_t<HasNative64BitRegisters, std::uint64_t, uint32_t>
 
typedef std::vector< secure_vector< uint8_t > > wots_keysig_t
 
using WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_>
 Index of a WOTS chain within a single usage of WOTS.
 
using WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber>
 Index of a hash application inside a single WOTS chain (integers in "base_w")
 
using WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_>
 Start (or intermediate) node of a WOTS+ chain.
 
using WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_>
 
using WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_>
 End node of a WOTS+ chain (part of the WOTS+ public key)
 
using WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_>
 
typedef ASN1_Time X509_Time
 
using XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber>
 Index of an XMSS tree (unique for just the local hyper-tree layer)
 

Enumerations

enum class  AlignmentBufferFinalBlock : size_t { is_not_special = 0 , must_be_deferred = 1 }
 
enum class  ASN1_Class : uint32_t {
  Universal = 0b0000'0000 , Application = 0b0100'0000 , ContextSpecific = 0b1000'0000 , Private = 0b1100'0000 ,
  Constructed = 0b0010'0000 , ExplicitContextSpecific = Constructed | ContextSpecific , NoObject = 0xFF00
}
 
enum class  ASN1_Type : uint32_t {
  Eoc = 0x00 , Boolean = 0x01 , Integer = 0x02 , BitString = 0x03 ,
  OctetString = 0x04 , Null = 0x05 , ObjectId = 0x06 , Enumerated = 0x0A ,
  Sequence = 0x10 , Set = 0x11 , Utf8String = 0x0C , NumericString = 0x12 ,
  PrintableString = 0x13 , TeletexString = 0x14 , Ia5String = 0x16 , VisibleString = 0x1A ,
  UniversalString = 0x1C , BmpString = 0x1E , UtcTime = 0x17 , GeneralizedTime = 0x18 ,
  NoObject = 0xFF00
}
 
enum class  Certificate_Status_Code {
  OK = 0 , VERIFIED = 0 , OCSP_RESPONSE_GOOD = 1 , OCSP_SIGNATURE_OK = 2 ,
  VALID_CRL_CHECKED = 3 , OCSP_NO_HTTP = 4 , FIRST_WARNING_STATUS = 500 , CERT_SERIAL_NEGATIVE = 500 ,
  DN_TOO_LONG = 501 , OCSP_NO_REVOCATION_URL = 502 , OCSP_SERVER_NOT_AVAILABLE = 503 , TRUSTED_CERT_HAS_EXPIRED = 504 ,
  TRUSTED_CERT_NOT_YET_VALID = 505 , FIRST_ERROR_STATUS = 1000 , SIGNATURE_METHOD_TOO_WEAK = 1000 , UNTRUSTED_HASH = 1001 ,
  NO_REVOCATION_DATA = 1002 , NO_MATCHING_CRLDP = 1003 , OCSP_ISSUER_NOT_TRUSTED = 1004 , CERT_NOT_YET_VALID = 2000 ,
  CERT_HAS_EXPIRED = 2001 , OCSP_NOT_YET_VALID = 2002 , OCSP_HAS_EXPIRED = 2003 , CRL_NOT_YET_VALID = 2004 ,
  CRL_HAS_EXPIRED = 2005 , OCSP_IS_TOO_OLD = 2006 , CERT_ISSUER_NOT_FOUND = 3000 , CANNOT_ESTABLISH_TRUST = 3001 ,
  CERT_CHAIN_LOOP = 3002 , CHAIN_LACKS_TRUST_ROOT = 3003 , CHAIN_NAME_MISMATCH = 3004 , POLICY_ERROR = 4000 ,
  INVALID_USAGE = 4001 , CERT_CHAIN_TOO_LONG = 4002 , CA_CERT_NOT_FOR_CERT_ISSUER = 4003 , NAME_CONSTRAINT_ERROR = 4004 ,
  CA_CERT_NOT_FOR_CRL_ISSUER = 4005 , OCSP_CERT_NOT_LISTED = 4006 , OCSP_BAD_STATUS = 4007 , CERT_NAME_NOMATCH = 4008 ,
  UNKNOWN_CRITICAL_EXTENSION = 4009 , DUPLICATE_CERT_EXTENSION = 4010 , OCSP_SIGNATURE_ERROR = 4501 , OCSP_ISSUER_NOT_FOUND = 4502 ,
  OCSP_RESPONSE_MISSING_KEYUSAGE = 4503 , OCSP_RESPONSE_INVALID = 4504 , EXT_IN_V1_V2_CERT = 4505 , DUPLICATE_CERT_POLICY = 4506 ,
  V2_IDENTIFIERS_IN_V1_CERT = 4507 , CERT_IS_REVOKED = 5000 , CRL_BAD_SIGNATURE = 5001 , SIGNATURE_ERROR = 5002 ,
  CERT_PUBKEY_INVALID = 5003 , SIGNATURE_ALGO_UNKNOWN = 5004 , SIGNATURE_ALGO_BAD_PARAMS = 5005
}
 
enum class  Cipher_Dir : int { Encryption , Decryption , ENCRYPTION = Encryption , DECRYPTION = Decryption }
 
enum class  CRL_Code : uint32_t {
  Unspecified = 0 , KeyCompromise = 1 , CaCompromise = 2 , AffiliationChanged = 3 ,
  Superseded = 4 , CessationOfOperation = 5 , CertificateHold = 6 , RemoveFromCrl = 8 ,
  PrivilegeWithdrawn = 9 , AaCompromise = 10
}
 
enum  Decoder_Checking { NONE , IGNORE_WS , FULL_CHECK }
 
enum class  DL_Group_Format {
  ANSI_X9_42 , ANSI_X9_57 , PKCS_3 , DSA_PARAMETERS = ANSI_X9_57 ,
  DH_PARAMETERS = ANSI_X9_42 , ANSI_X9_42_DH_PARAMETERS = ANSI_X9_42 , PKCS3_DH_PARAMETERS = PKCS_3
}
 
enum class  DL_Group_Source { Builtin , RandomlyGenerated , ExternalSource }
 
enum class  EC_Group_Encoding {
  Explicit , ImplicitCA , NamedCurve , EC_DOMPAR_ENC_EXPLICIT = Explicit ,
  EC_DOMPAR_ENC_IMPLICITCA = ImplicitCA , EC_DOMPAR_ENC_OID = NamedCurve
}
 
enum class  EC_Group_Engine { Optimized , Generic , Legacy }
 
enum class  EC_Group_Source { Builtin , ExternalSource }
 
enum class  EC_Point_Format {
  Uncompressed = 0 , Compressed = 1 , UNCOMPRESSED = Uncompressed , COMPRESSED = Compressed ,
  Hybrid = 2 , HYBRID = 2
}
 
enum class  ECIES_Flags : uint32_t {
  None = 0 , SingleHashMode = 1 , CofactorMode = 2 , OldCofactorMode = 4 ,
  CheckMode = 8 , NONE = None , SINGLE_HASH_MODE = SingleHashMode , COFACTOR_MODE = CofactorMode ,
  OLD_COFACTOR_MODE = OldCofactorMode , CHECK_MODE = CheckMode
}
 
enum class  ErrorType {
  Unknown = 1 , SystemError , NotImplemented , OutOfMemory ,
  InternalError , IoError , InvalidObjectState = 100 , KeyNotSet ,
  InvalidArgument , InvalidKeyLength , InvalidNonceLength , LookupError ,
  EncodingFailure , DecodingFailure , TLSError , HttpError ,
  InvalidTag , RoughtimeError , CommonCryptoError = 201 , Pkcs11Error ,
  TPMError , DatabaseError , ZlibError = 300 , Bzip2Error ,
  LzmaError
}
 
enum class  LMOTS_Algorithm_Type : uint32_t {
  RESERVED = 0x00 , SHA256_N32_W1 = 0x01 , SHA256_N32_W2 = 0x02 , SHA256_N32_W4 = 0x03 ,
  SHA256_N32_W8 = 0x04 , SHA256_N24_W1 = 0x05 , SHA256_N24_W2 = 0x06 , SHA256_N24_W4 = 0x07 ,
  SHA256_N24_W8 = 0x08 , SHAKE_N32_W1 = 0x09 , SHAKE_N32_W2 = 0x0a , SHAKE_N32_W4 = 0x0b ,
  SHAKE_N32_W8 = 0x0c , SHAKE_N24_W1 = 0x0d , SHAKE_N24_W2 = 0x0e , SHAKE_N24_W4 = 0x0f ,
  SHAKE_N24_W8 = 0x10
}
 Enum of available LM-OTS algorithm types. More...
 
enum class  LMS_Algorithm_Type : uint32_t {
  RESERVED = 0x00 , SHA256_M32_H5 = 0x05 , SHA256_M32_H10 = 0x06 , SHA256_M32_H15 = 0x07 ,
  SHA256_M32_H20 = 0x08 , SHA256_M32_H25 = 0x09 , SHA256_M24_H5 = 0x0a , SHA256_M24_H10 = 0x0b ,
  SHA256_M24_H15 = 0x0c , SHA256_M24_H20 = 0x0d , SHA256_M24_H25 = 0x0e , SHAKE_M32_H5 = 0x0f ,
  SHAKE_M32_H10 = 0x10 , SHAKE_M32_H15 = 0x11 , SHAKE_M32_H20 = 0x12 , SHAKE_M32_H25 = 0x13 ,
  SHAKE_M24_H5 = 0x14 , SHAKE_M24_H10 = 0x15 , SHAKE_M24_H15 = 0x16 , SHAKE_M24_H20 = 0x17 ,
  SHAKE_M24_H25 = 0x18
}
 Enum of available LMS algorithm types. More...
 
enum class  MD_Endian { Little , Big }
 
enum class  MlPrivateKeyFormat { Seed , Expanded }
 Byte encoding format of ML-KEM and ML-DSA the private key. More...
 
enum class  PublicKeyOperation { Encryption , Signature , KeyEncapsulation , KeyAgreement }
 
enum class  Signature_Format { Standard , DerSequence , IEEE_1363 = Standard , DER_SEQUENCE = DerSequence }
 
enum class  Sphincs_Address_Type : uint32_t {
  WotsHash = 0 , WotsPublicKeyCompression = 1 , HashTree = 2 , ForsTree = 3 ,
  ForsTreeRootsCompression = 4 , WotsKeyGeneration = 5 , ForsKeyGeneration = 6
}
 
enum class  Sphincs_Hash_Type { Shake256 , Sha256 , Haraka }
 
enum class  Sphincs_Parameter_Set {
  Sphincs128Small , Sphincs128Fast , Sphincs192Small , Sphincs192Fast ,
  Sphincs256Small , Sphincs256Fast , SLHDSA128Small , SLHDSA128Fast ,
  SLHDSA192Small , SLHDSA192Fast , SLHDSA256Small , SLHDSA256Fast
}
 
enum class  TPM_Storage_Type { User , System }
 
enum class  Usage_Type {
  UNSPECIFIED , TLS_SERVER_AUTH , TLS_CLIENT_AUTH , CERTIFICATE_AUTHORITY ,
  OCSP_RESPONDER , ENCRYPTION
}
 
enum class  WOTS_Derivation_Method { Botan2x = 1 , NIST_SP800_208 = 2 }
 

Functions

BigInt abs (const BigInt &n)
 
BOTAN_MALLOC_FN void * allocate_memory (size_t elems, size_t elem_size)
 
void argon2 (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t y, size_t p, size_t M, size_t t)
 
bool argon2_check_pwhash (const char *password, size_t password_len, std::string_view input_hash)
 
std::string argon2_generate_pwhash (const char *password, size_t password_len, RandomNumberGenerator &rng, size_t p, size_t M, size_t t, uint8_t y, size_t salt_len, size_t output_len)
 
std::string asn1_class_to_string (ASN1_Class type)
 
std::string asn1_tag_to_string (ASN1_Type type)
 
template<typename T>
assert_is_some (std::optional< T > v, const char *expr, const char *func, const char *file, int line)
 
void assert_unreachable (const char *file, int line)
 
void assertion_failure (const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
 
secure_vector< uint8_t > base32_decode (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > base32_decode (std::string_view input, bool ignore_ws)
 
size_t base32_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
 
size_t base32_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t base32_decode (uint8_t output[], std::string_view input, bool ignore_ws)
 
size_t base32_decode_max_output (size_t input_length)
 
size_t base32_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
std::string base32_encode (const uint8_t input[], size_t input_length)
 
std::string base32_encode (std::span< const uint8_t > input)
 
size_t base32_encode_max_output (size_t input_length)
 
std::vector< uint8_t > base58_check_decode (const char input[], size_t input_length)
 
std::vector< uint8_t > base58_check_decode (std::string_view s)
 
std::string base58_check_encode (const uint8_t input[], size_t input_length)
 
std::string base58_check_encode (std::span< const uint8_t > vec)
 
std::vector< uint8_t > base58_decode (const char input[], size_t input_length)
 
std::vector< uint8_t > base58_decode (std::string_view s)
 
std::string base58_encode (const uint8_t input[], size_t input_length)
 
std::string base58_encode (std::span< const uint8_t > vec)
 
secure_vector< uint8_t > base64_decode (const char input[], size_t input_length, bool ignore_ws)
 
size_t base64_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws)
 
secure_vector< uint8_t > base64_decode (std::string_view input, bool ignore_ws)
 
size_t base64_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
 
size_t base64_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t base64_decode (uint8_t output[], std::string_view input, bool ignore_ws)
 
size_t base64_decode_max_output (size_t input_length)
 
size_t base64_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
std::string base64_encode (const uint8_t input[], size_t input_length)
 
std::string base64_encode (std::span< const uint8_t > input)
 
size_t base64_encode_max_output (size_t input_length)
 
template<typename Base>
size_t base_decode (Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
 
template<typename Base>
size_t base_decode_full (Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
template<typename Vector, typename Base>
Vector base_decode_to_vec (Base &&base, const char input[], size_t input_length, bool ignore_ws)
 
template<class Base>
size_t base_encode (Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
template<typename Base>
std::string base_encode_to_string (Base &&base, const uint8_t input[], size_t input_length)
 
BOTAN_FUZZER_API void basecase_mul (word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
 
BOTAN_FUZZER_API void basecase_sqr (word z[], size_t z_size, const word x[], size_t x_size)
 
template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint basemul_exec (std::span< const typename C::AffinePoint > table, const BlindedScalar &scalar, RandomNumberGenerator &rng)
 
template<typename C, size_t WindowBits>
std::vector< typename C::AffinePoint > basemul_setup (const typename C::AffinePoint &p, size_t max_scalar_bits)
 
void bcrypt_pbkdf (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t rounds)
 
template<WordType W>
constexpr void bigint_add2 (W x[], size_t x_size, const W y[], size_t y_size)
 
template<WordType W>
constexpr auto bigint_add2_nc (W x[], size_t x_size, const W y[], size_t y_size) -> W
 
template<WordType W>
constexpr void bigint_add3 (W z[], const W x[], size_t x_size, const W y[], size_t y_size)
 
template<WordType W>
constexpr auto bigint_add3_nc (W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
 
template<WordType W>
constexpr int32_t bigint_cmp (const W x[], size_t x_size, const W y[], size_t y_size)
 
template<WordType W>
constexpr void bigint_cnd_abs (W cnd, W x[], size_t size)
 
template<WordType W>
constexpr W bigint_cnd_add (W cnd, W x[], const W y[], size_t size)
 
template<WordType W>
constexpr W bigint_cnd_add (W cnd, W x[], size_t x_size, const W y[], size_t y_size)
 
template<WordType W>
constexpr void bigint_cnd_add_or_sub (CT::Mask< W > mask, W x[], const W y[], size_t size)
 
template<WordType W>
constexpr auto bigint_cnd_addsub (CT::Mask< W > mask, W x[], const W y[], const W z[], size_t size) -> W
 
template<WordType W>
constexpr auto bigint_cnd_sub (W cnd, W x[], const W y[], size_t size) -> W
 
template<WordType W>
constexpr auto bigint_cnd_sub (W cnd, W x[], size_t x_size, const W y[], size_t y_size) -> W
 
template<WordType W>
constexpr void bigint_cnd_swap (W cnd, W x[], W y[], size_t size)
 
void bigint_comba_mul16 (word z[32], const word x[16], const word y[16])
 
void bigint_comba_mul24 (word z[48], const word x[24], const word y[24])
 
void bigint_comba_mul4 (word z[8], const word x[4], const word y[4])
 
void bigint_comba_mul6 (word z[12], const word x[6], const word y[6])
 
void bigint_comba_mul7 (word z[14], const word x[7], const word y[7])
 
void bigint_comba_mul8 (word z[16], const word x[8], const word y[8])
 
void bigint_comba_mul9 (word z[18], const word x[9], const word y[9])
 
void bigint_comba_sqr16 (word z[32], const word x[16])
 
void bigint_comba_sqr24 (word z[48], const word x[24])
 
void bigint_comba_sqr4 (word z[8], const word x[4])
 
void bigint_comba_sqr6 (word z[12], const word x[6])
 
void bigint_comba_sqr7 (word z[14], const word x[7])
 
void bigint_comba_sqr8 (word z[16], const word x[8])
 
void bigint_comba_sqr9 (word z[18], const word x[9])
 
template<size_t N, WordType W>
constexpr void bigint_correct_redc (std::array< W, N > &r, const std::array< W, N > &P, const std::array< W, N > &C)
 
template<WordType W>
constexpr auto bigint_ct_is_eq (const W x[], size_t x_size, const W y[], size_t y_size) -> CT::Mask< W >
 
template<WordType W>
constexpr auto bigint_ct_is_lt (const W x[], size_t x_size, const W y[], size_t y_size, bool lt_or_equal=false) -> CT::Mask< W >
 
template<WordType W>
constexpr auto bigint_divop_vartime (W n1, W n0, W d) -> W
 
template<WordType W>
constexpr auto bigint_linmul2 (W x[], size_t x_size, W y) -> W
 
template<WordType W>
constexpr void bigint_linmul3 (W z[], const W x[], size_t x_size, W y)
 
template<WordType W>
constexpr void bigint_mod_sub (W t[], const W s[], const W mod[], size_t mod_sw, W ws[])
 
template<WordType W>
constexpr auto bigint_modop_vartime (W n1, W n0, W d) -> W
 
template<WordType W>
constexpr void bigint_monty_maybe_sub (size_t N, W z[], W x0, const W x[], const W p[])
 
template<size_t N, WordType W>
constexpr void bigint_monty_maybe_sub (W z[N], W x0, const W x[N], const W y[N])
 
void bigint_monty_redc (word r[], const word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
 
BOTAN_FUZZER_API void bigint_monty_redc_12 (word r[12], const word z[24], const word p[12], word p_dash, word ws[12])
 
BOTAN_FUZZER_API void bigint_monty_redc_16 (word r[16], const word z[32], const word p[16], word p_dash, word ws[16])
 
BOTAN_FUZZER_API void bigint_monty_redc_24 (word r[24], const word z[48], const word p[24], word p_dash, word ws[24])
 
BOTAN_FUZZER_API void bigint_monty_redc_32 (word r[32], const word z[64], const word p[32], word p_dash, word ws[32])
 
BOTAN_FUZZER_API void bigint_monty_redc_4 (word r[4], const word z[8], const word p[4], word p_dash, word ws[4])
 
BOTAN_FUZZER_API void bigint_monty_redc_6 (word r[6], const word z[12], const word p[6], word p_dash, word ws[6])
 
BOTAN_FUZZER_API void bigint_monty_redc_8 (word r[8], const word z[16], const word p[8], word p_dash, word ws[8])
 
BOTAN_FUZZER_API void bigint_monty_redc_generic (word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
 
void bigint_monty_redc_inplace (word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
 
void bigint_mul (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
 
template<WordType W>
constexpr void bigint_shl1 (W x[], size_t x_size, size_t x_words, size_t shift)
 
template<WordType W>
constexpr void bigint_shl2 (W y[], const W x[], size_t x_size, size_t shift)
 
template<WordType W>
constexpr void bigint_shr1 (W x[], size_t x_size, size_t shift)
 
template<WordType W>
constexpr void bigint_shr2 (W y[], const W x[], size_t x_size, size_t shift)
 
void bigint_sqr (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size)
 
template<WordType W>
constexpr auto bigint_sub2 (W x[], size_t x_size, const W y[], size_t y_size) -> W
 
template<WordType W>
constexpr void bigint_sub2_rev (W x[], const W y[], size_t y_size)
 
template<WordType W>
constexpr auto bigint_sub3 (W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
 
template<WordType W>
constexpr auto bigint_sub_abs (W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
 
template<WordType W>
constexpr int32_t bigint_sub_abs (W z[], const W x[], size_t x_size, const W y[], size_t y_size)
 
template<typename T>
constexpr T bit_permute_step (T x, T mask, size_t shift)
 
size_t bit_size_to_32bit_size (size_t bit_size)
 
size_t bit_size_to_byte_size (size_t bit_size)
 
constexpr auto bitlen (size_t x)
 
template<typename T, typename Alloc, typename Alloc2>
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const std::vector< T, Alloc2 > &input)
 
template<typename T, typename Alloc>
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
 
template<size_t S, int64_t MUL = 1>
requires (S > 0 && S < 64)
void carry (int64_t &h0, int64_t &h1)
 
template<size_t S>
requires (S > 0 && S < 32)
void carry0 (int32_t &h0, int32_t &h1)
 
template<size_t S>
requires (S > 0 && S < 64)
void carry0 (int64_t &h0, int64_t &h1)
 
constexpr uint64_t carry_shift (const donna128 &a, size_t shift)
 
uint8_t * cast_char_ptr_to_uint8 (char *s)
 
const uint8_t * cast_char_ptr_to_uint8 (const char *s)
 
const char * cast_uint8_ptr_to_char (const uint8_t *b)
 
char * cast_uint8_ptr_to_char (uint8_t *b)
 
template<std::unsigned_integral T>
constexpr T ceil_division (T a, T b)
 
template<typename T>
requires (std::is_integral<T>::value && sizeof(T) < 32)
constexpr uint8_t ceil_log2 (T x)
 
template<typename T>
requires (std::is_integral<T>::value)
constexpr T ceil_tobytes (T bits)
 
std::vector< WotsHashIndexchain_lengths (const SphincsTreeNode &msg, const Sphincs_Parameters &params)
 
std::string check_and_canonicalize_dns_name (std::string_view name)
 
bool check_bcrypt (std::string_view pass, std::string_view hash)
 
bool check_passhash9 (std::string_view pass, std::string_view hash)
 
template<std::unsigned_integral T>
constexpr std::optional< T > checked_add (T a, T b)
 
template<std::unsigned_integral T, std::unsigned_integral... Ts>
requires all_same_v<T, Ts...>
constexpr std::optional< T > checked_add (T a, T b, Ts... rest)
 
template<typename RT, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
constexpr RT checked_cast_to (AT i)
 
template<typename RT, typename ExceptionType, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
constexpr RT checked_cast_to_or_throw (AT i, std::string_view error_msg_on_fail)
 
template<std::unsigned_integral T>
constexpr std::optional< T > checked_mul (T a, T b)
 
template<std::unsigned_integral T>
constexpr std::optional< T > checked_sub (T a, T b)
 
template<typename T>
constexpr T choose (T mask, T a, T b)
 
constexpr void clear_bytes (void *ptr, size_t bytes)
 
template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
constexpr void clear_mem (R &&mem)
 
template<typename T>
constexpr void clear_mem (T *ptr, size_t n)
 
template<size_t N, WordType W>
constexpr void comba_mul (W z[2 *N], const W x[N], const W y[N])
 
template<size_t N, WordType W>
constexpr void comba_sqr (W z[2 *N], const W x[N])
 
constexpr uint64_t combine_lower (const donna128 &a, size_t s1, const donna128 &b, size_t s2)
 
void commoncrypto_adjust_key_size (const uint8_t key[], size_t length, const CommonCryptor_Opts &opts, secure_vector< uint8_t > &full_key)
 
CommonCryptor_Opts commoncrypto_opts_from_algo (std::string_view algo)
 
CommonCryptor_Opts commoncrypto_opts_from_algo_name (std::string_view algo_name)
 
void compute_root (StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)
 
template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void compute_root (StrongSpan< TreeNode > out_root, AuthPathSS authentication_path, TreeNodeIndex leaf_idx, StrongSpan< const TreeNode > leaf, size_t node_size, TreeLayerIndex total_tree_height, uint32_t idx_offset, concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash, Address &tree_address)
 Uses an authentication path and a leaf node to reconstruct the root node of a merkle tree.
 
BigInt compute_rsa_secret_exponent (const BigInt &e, const BigInt &phi_n, const BigInt &p, const BigInt &q)
 
template<typename OutR = detail::AutoDetect, ranges::spanable_range... Rs>
requires (all_same_v<std::ranges::range_value_t<Rs>...>)
constexpr auto concat (Rs &&... ranges)
 
bool constant_time_compare (const uint8_t x[], const uint8_t y[], size_t len)
 
bool constant_time_compare (std::span< const uint8_t > x, std::span< const uint8_t > y)
 
template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
constexpr void copy_mem (OutR &&out, InR &&in)
 
template<typename T>
requires std::is_trivial<typename std::decay<T>::type>::value
constexpr void copy_mem (T *out, const T *in, size_t n)
 
template<ranges::spanable_range InR>
void copy_out_be (std::span< uint8_t > out, InR &&in)
 
template<ranges::spanable_range InR>
void copy_out_le (std::span< uint8_t > out, InR &&in)
 
auto create_aes_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a)
 
std::unique_ptr< Private_Keycreate_ec_private_key (std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
 
std::string create_hex_fingerprint (const uint8_t bits[], size_t bits_len, std::string_view hash_name)
 
std::string create_hex_fingerprint (std::span< const uint8_t > vec, std::string_view hash_name)
 
std::array< uint8_t, ED448_LENcreate_pk_from_sk (std::span< const uint8_t, ED448_LEN > sk)
 Create a public key point from a secret key (RFC 8032 5.2.5)
 
std::unique_ptr< Private_Keycreate_private_key (std::string_view alg_name, RandomNumberGenerator &rng, std::string_view params, std::string_view provider)
 
auto create_shake_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a)
 
uint8_t ct_compare_u8 (const uint8_t x[], const uint8_t y[], size_t len)
 
BigInt ct_divide (const BigInt &x, const BigInt &y)
 
void ct_divide (const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
 
BigInt ct_divide_pow2k (size_t k, const BigInt &y)
 
BigInt ct_divide_word (const BigInt &x, word y)
 
void ct_divide_word (const BigInt &x, word y, BigInt &q_out, word &r_out)
 
template<typename T>
requires (std::is_integral<T>::value)
constexpr T ct_is_zero (T x)
 
word ct_mod_word (const BigInt &x, word y)
 
BigInt ct_modulo (const BigInt &x, const BigInt &y)
 
template<std::unsigned_integral T>
constexpr uint8_t ct_popcount (T x)
 
template<std::unsigned_integral T>
constexpr T ct_reverse_bits (T b)
 
template<typename T>
requires (std::is_integral<T>::value)
constexpr size_t ctz (T n)
 
void curve25519_basepoint (uint8_t mypublic[32], const uint8_t secret[32])
 
void curve25519_donna (uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
 
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_a_minus_3 (const ProjectivePoint &pt)
 
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_a_zero (const ProjectivePoint &pt)
 
template<typename ProjectivePoint, typename FieldElement>
constexpr ProjectivePoint dbl_generic (const ProjectivePoint &pt, const FieldElement &A)
 
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_n_a_minus_3 (const ProjectivePoint &pt, size_t n)
 
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_n_a_zero (const ProjectivePoint &pt, size_t n)
 
template<typename ProjectivePoint, typename FieldElement>
constexpr ProjectivePoint dbl_n_generic (const ProjectivePoint &pt, const FieldElement &A, size_t n)
 
void deallocate_memory (void *p, size_t elems, size_t elem_size)
 
gf2m decode_gf2m (const uint8_t *mem)
 
Point448 decode_point (std::span< const uint8_t > p_bytes)
 Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate)
 
ScalarX448 decode_scalar (std::span< const uint8_t > scalar_bytes)
 Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448)
 
size_t dl_exponent_size (size_t bits)
 
size_t dl_work_factor (size_t bits)
 
template<typename E, typename... Args>
void do_throw_error (const char *file, int line, const char *func, Args... args)
 
size_t ecp_work_factor (size_t bits)
 
void ed25519_gen_keypair (uint8_t *pk, uint8_t *sk, const uint8_t seed[32])
 
void ed25519_gen_keypair (uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32])
 
void ed25519_sign (uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
 
bool ed25519_verify (const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
 
bool ed25519_verify (const uint8_t msg[], size_t msg_len, const uint8_t sig[64], const uint8_t pk[32], const uint8_t domain_sep[], size_t domain_sep_len)
 
uint32_t encode_gf2m (gf2m to_enc, uint8_t *mem)
 
secure_vector< uint8_t > encode_point (const Point448 &p)
 Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate)
 
RandomNumberGeneratoresdm_rng ()
 
template<typename T>
uint16_t expand_mask_16bit (T tst)
 
void expand_message_xmd (std::string_view hash_fn, std::span< uint8_t > output, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep)
 
void expand_message_xmd (std::string_view hash_fn, std::span< uint8_t > output, std::string_view input_str, std::string_view domain_sep_str)
 
template<typename T>
requires (std::is_integral<T>::value)
constexpr T expand_top_bit (T a)
 
template<std::integral T>
consteval eea_result< T > extended_euclidean_algorithm (T a, T b)
 
void fe_0 (FE_25519 &x)
 
void fe_1 (FE_25519 &x)
 
void fe_add (FE_25519 &x, const FE_25519 &a, const FE_25519 &b)
 
void fe_copy (FE_25519 &a, const FE_25519 &b)
 
void fe_frombytes (FE_25519 &x, const uint8_t *b)
 
void fe_invert (FE_25519 &x, const FE_25519 &z)
 
int fe_isnegative (const FE_25519 &x)
 
int fe_isnonzero (const FE_25519 &x)
 
void fe_mul (FE_25519 &x, const FE_25519 &a, const FE_25519 &b)
 
void fe_neg (FE_25519 &x, const FE_25519 &z)
 
void fe_pow22523 (FE_25519 &x, const FE_25519 &y)
 
void fe_sq (FE_25519 &x, const FE_25519 &z)
 
void fe_sq2 (FE_25519 &x, const FE_25519 &z)
 
void fe_sq_iter (FE_25519 &x, const FE_25519 &z, size_t iter)
 
void fe_sub (FE_25519 &x, const FE_25519 &a, const FE_25519 &b)
 
void fe_tobytes (uint8_t *b, const FE_25519 &x)
 
secure_vector< gf2mfind_roots_gf2m_decomp (const polyn_gf2m &polyn, size_t code_length)
 
template<typename T>
requires (std::is_unsigned<T>::value)
constexpr T floor_log2 (T n)
 
template<typename... T>
std::string fmt (std::string_view format, const T &... args)
 
std::string format_char_for_display (char c)
 
SphincsTreeNode fors_public_key_from_signature (const SphincsHashedMessage &hashed_message, StrongSpan< const ForsSignature > signature, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hash)
 FIPS 205, Algorithm 17: fors_pkFromSig.
 
SphincsTreeNode fors_sign_and_pkgen (StrongSpan< ForsSignature > sig_out, const SphincsHashedMessage &hashed_message, const SphincsSecretSeed &secret_seed, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation)
 
BigInt gcd (const BigInt &a, const BigInt &b)
 
void ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t *a, const ge_p3 *A, const uint8_t *b)
 
void ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])
 
int ge_frombytes_negate_vartime (ge_p3 *v, const uint8_t *)
 
void ge_scalarmult_base (uint8_t out[32], const uint8_t in[32])
 
template<typename GeneralVariantT, typename SpecialT>
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
constexpr GeneralVariantT generalize_to (SpecialT &&specific) noexcept
 Converts a given variant into another variant-ish whose type states are a super set of the given variant.
 
template<typename GeneralVariantT, typename... SpecialTs>
constexpr GeneralVariantT generalize_to (std::variant< SpecialTs... > specific) noexcept
 Converts a given variant into another variant-ish whose type states are a super set of the given variant.
 
std::string generate_bcrypt (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, char version)
 
std::vector< uint8_t > generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits)
 
bool generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
 
McEliece_PrivateKey generate_mceliece_key (RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
 
std::string generate_passhash9 (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, uint8_t alg_id)
 
BigInt generate_rfc6979_nonce (const BigInt &x, const BigInt &q, const BigInt &h, std::string_view hash)
 
BigInt generate_rsa_prime (RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
 
AEAD_Modeget_aead (std::string_view name, Cipher_Dir direction)
 
template<size_t B, typename T>
requires (B < sizeof(T))
constexpr uint8_t get_byte (T input)
 
template<typename T>
constexpr uint8_t get_byte_var (size_t byte_num, T input)
 
Keyed_Filterget_cipher (std::string_view algo_spec, Cipher_Dir direction)
 
Keyed_Filterget_cipher (std::string_view algo_spec, const SymmetricKey &key, Cipher_Dir direction)
 
Keyed_Filterget_cipher (std::string_view algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction)
 
Cipher_Modeget_cipher_mode (std::string_view algo_spec, Cipher_Dir direction, std::string_view provider="")
 
std::vector< std::string > get_files_recursive (std::string_view dir)
 
KDFget_kdf (std::string_view algo_spec)
 
PBKDFget_pbkdf (std::string_view algo_spec, std::string_view provider="")
 
PBKDFget_s2k (std::string_view algo_spec)
 
template<WordType W>
constexpr uint32_t get_uint32 (const W xw[], size_t i)
 
template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 gf2p8affine (const SIMD_8x32 &x)
 
template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 gf2p8affineinv (const SIMD_8x32 &x)
 
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 gf2p8mul (const SIMD_8x32 &a, const SIMD_8x32 &b)
 
consteval uint64_t gfni_matrix (std::string_view s)
 
gf2m gray_to_lex (gf2m gray)
 
bool has_filesystem_impl ()
 
std::vector< uint8_t > hex_decode (const char input[], size_t input_length, bool ignore_ws)
 
size_t hex_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws)
 
std::vector< uint8_t > hex_decode (std::string_view input, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], std::string_view input, bool ignore_ws)
 
secure_vector< uint8_t > hex_decode_locked (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > hex_decode_locked (std::string_view input, bool ignore_ws)
 
void hex_encode (char output[], const uint8_t input[], size_t input_length, bool uppercase)
 
std::string hex_encode (const uint8_t input[], size_t input_length, bool uppercase)
 
std::string hex_encode (std::span< const uint8_t > input, bool uppercase=true)
 
template<WordType W, size_t N>
constexpr auto hex_to_words (const char(&s)[N])
 
template<typename T>
requires (std::is_unsigned<T>::value)
constexpr size_t high_bit (T n)
 
secure_vector< uint8_t > hkdf_expand_label (std::string_view hash_fn, std::span< const uint8_t > secret, std::string_view label, std::span< const uint8_t > hash_val, size_t length)
 
template<typename... Alts, typename... Ts>
constexpr bool holds_any_of (const std::variant< Ts... > &v) noexcept
 
bool host_wildcard_match (std::string_view issued_, std::string_view host_)
 
void ht_sign (StrongSpan< SphincsHypertreeSignature > out_sig, const SphincsTreeNode &message_to_sign, const SphincsSecretSeed &secret_seed, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 12: ht_sign.
 
bool ht_verify (const SphincsTreeNode &signed_msg, StrongSpan< const SphincsHypertreeSignature > ht_sig, const SphincsTreeNode &pk_root, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 13: ht_verify.
 
uint8_t ieee1363_hash_id (std::string_view name)
 
size_t if_work_factor (size_t bits)
 
template<typename T>
constexpr void ignore_param (T &&)
 
template<typename... T>
constexpr void ignore_params (T &&... args)
 
template<std::unsigned_integral T>
constexpr size_t index_of_first_set_byte (T v)
 
void initialize_allocator ()
 
bool intersects (ASN1_Class x, ASN1_Class y)
 
BigInt inverse_mod (const BigInt &n, const BigInt &mod)
 
std::optional< BigIntinverse_mod_general (const BigInt &x, const BigInt &mod)
 
BigInt inverse_mod_public_prime (const BigInt &x, const BigInt &p)
 
BigInt inverse_mod_rsa_public_modulus (const BigInt &x, const BigInt &n)
 
BigInt inverse_mod_secret_prime (const BigInt &x, const BigInt &p)
 
template<typename C>
constexpr auto invert_field_element (const typename C::FieldElement &fe)
 
std::string ipv4_to_string (uint32_t ip)
 
bool is_bailie_psw_probable_prime (const BigInt &n, const Barrett_Reduction &mod_n)
 
template<typename GeneralVariantT, typename SpecialT>
constexpr bool is_generalizable_to (const SpecialT &) noexcept
 
template<typename GeneralVariantT, typename... SpecialTs>
constexpr bool is_generalizable_to (const std::variant< SpecialTs... > &) noexcept
 
bool is_lucas_probable_prime (const BigInt &C, const Barrett_Reduction &mod_C)
 
bool is_miller_rabin_probable_prime (const BigInt &n, const Barrett_Reduction &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
 
bool is_passhash9_alg_supported (uint8_t alg_id)
 
BigInt is_perfect_square (const BigInt &C)
 
template<typename T>
requires (std::is_unsigned<T>::value)
constexpr bool is_power_of_2 (T arg)
 
bool is_prime (const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
 
std::optional< uint32_t > is_sub_element_of (const OID &oid, std::initializer_list< uint32_t > prefix)
 
int32_t jacobi (const BigInt &a, const BigInt &n)
 
template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
size_t keccak_absorb_padded_strings_encoding (T &sink, size_t padding_mod, Ts... byte_strings)
 
size_t keccak_int_encoding_size (size_t x)
 
std::span< const uint8_t > keccak_int_left_encode (std::span< uint8_t > out, size_t x)
 
std::span< const uint8_t > keccak_int_right_encode (std::span< uint8_t > out, size_t x)
 
constexpr size_t keccak_max_int_encoding_size ()
 
void Keccak_Permutation_round (uint64_t T[25], const uint64_t A[25], uint64_t RC)
 
std::string key_constraints_to_string (Key_Constraints c)
 
std::string latin1_to_utf8 (const uint8_t chars[], size_t len)
 
BigInt lcm (const BigInt &a, const BigInt &b)
 
gf2m lex_to_gray (gf2m lex)
 
LMOTS_K lmots_compute_pubkey_from_sig (const LMOTS_Signature &sig, const LMS_Message &msg, const LMS_Identifier &identifier, LMS_Tree_Node_Idx q)
 Compute a public key candidate for an OTS-signature-message pair and the OTS instance parameters.
 
uint64_t load_3 (const uint8_t in[3])
 
uint64_t load_4 (const uint8_t *in)
 
template<typename OutT = detail::AutoDetect, typename... ParamTs>
constexpr auto load_be (ParamTs &&... params)
 
template<typename OutT = detail::AutoDetect, typename... ParamTs>
constexpr auto load_le (ParamTs &&... params)
 
std::unique_ptr< Private_Keyload_private_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
 
std::unique_ptr< Public_Keyload_public_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
 
template<typename T>
secure_vector< T > lock (const std::vector< T > &in)
 
size_t low_zero_bits (const BigInt &n)
 
template<typename T>
constexpr T majority (T a, T b, T c)
 
std::unique_ptr< BlockCiphermake_commoncrypto_block_cipher (std::string_view name)
 
std::unique_ptr< Cipher_Modemake_commoncrypto_cipher_mode (std::string_view name, Cipher_Dir direction)
 
std::unique_ptr< HashFunctionmake_commoncrypto_hash (std::string_view name)
 
Compression_Algorithmmake_compressor (std::string_view type)
 
Decompression_Algorithmmake_decompressor (std::string_view type)
 
constexpr uint16_t make_uint16 (uint8_t i0, uint8_t i1)
 
constexpr uint32_t make_uint32 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
 
constexpr uint64_t make_uint64 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7)
 
template<typename T, typename Pred>
void map_remove_if (Pred pred, T &assoc)
 
secure_vector< uint8_t > mceliece_decrypt (secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key)
 
void mceliece_decrypt (secure_vector< uint8_t > &plaintext, secure_vector< uint8_t > &error_mask, const uint8_t ciphertext[], size_t ciphertext_len, const McEliece_PrivateKey &key)
 
void mceliece_decrypt (secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
 
void mceliece_encrypt (secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
 
size_t mceliece_work_factor (size_t n, size_t t)
 
template<typename F>
uint64_t measure_cost (std::chrono::milliseconds trial_msec, F func)
 
void mgf1_mask (HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
 
void mgf1_mask (HashFunction &hash, std::span< const uint8_t > input, std::span< uint8_t > output)
 
size_t miller_rabin_test_iterations (size_t n_bits, size_t prob, bool random)
 
template<std::integral T, std::integral T2 = next_longer_int_t<T>>
requires (sizeof(T) <= 4)
consteval T modular_inverse (T q, T2 m=T2(1)<< sizeof(T) *8)
 
template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
consteval T montgomery_R (T q)
 
template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
consteval T montgomery_R2 (T q)
 
Montgomery_Int monty_execute (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
 
Montgomery_Int monty_execute_vartime (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
 
Montgomery_Int monty_exp (const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
 
Montgomery_Int monty_exp_vartime (const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k)
 
template<WordType W>
constexpr auto monty_inverse (W a) -> W
 
Montgomery_Int monty_multi_exp (const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
 
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute (const Montgomery_Int &g, size_t window_bits, bool const_time)
 
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute (const std::shared_ptr< const Montgomery_Params > &params, const BigInt &g, size_t window_bits, bool const_time)
 
template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint mul2_exec (const AffinePointTable< C > &table, const BlindedScalar &x, const BlindedScalar &y, RandomNumberGenerator &rng)
 
template<typename C, size_t WindowBits>
std::vector< typename C::ProjectivePoint > mul2_setup (const typename C::AffinePoint &p, const typename C::AffinePoint &q)
 
constexpr void mul64x64_128 (uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
 
EC_Point multi_exponentiate (const EC_Point &p1, const BigInt &z1, const EC_Point &p2, const BigInt &z2)
 
secure_vector< uint8_t > nist_key_unwrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
secure_vector< uint8_t > nist_key_unwrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
std::vector< uint8_t > nist_key_wrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
std::vector< uint8_t > nist_key_wrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
CT::Option< size_t > oaep_find_delim (std::span< const uint8_t > input, std::span< const uint8_t > phash)
 
bool operator!= (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
 
bool operator!= (const ASN1_Time &, const ASN1_Time &)
 
bool operator!= (const BigInt &a, const BigInt &b)
 
bool operator!= (const BigInt &a, word b)
 
bool operator!= (const CRL_Entry &a1, const CRL_Entry &a2)
 
bool operator!= (const EC_Group &lhs, const EC_Group &rhs)
 
bool operator!= (const OctetString &s1, const OctetString &s2)
 
bool operator!= (const OID &a, const OID &b)
 
template<typename T, typename U>
bool operator!= (const secure_allocator< T > &, const secure_allocator< U > &)
 
template<bitvectorish T1, bitvectorish T2>
bool operator!= (const T1 &lhs, const T2 &rhs)
 
bool operator!= (const X509_Certificate &cert1, const X509_Certificate &cert2)
 
bool operator!= (const X509_DN &dn1, const X509_DN &dn2)
 
BigInt operator% (const BigInt &n, const BigInt &mod)
 
word operator% (const BigInt &n, word mod)
 
template<bitvectorish T1, bitvectorish T2>
auto operator& (const T1 &lhs, const T2 &rhs)
 
ECIES_Flags operator& (ECIES_Flags a, ECIES_Flags b)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator& (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator& (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator& (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator&= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator&= (Strong< T1, Tags... > &a, T2 b)
 
EC_Point operator* (const BigInt &scalar, const EC_Point &point)
 
BigInt operator* (const BigInt &x, const BigInt &y)
 
BigInt operator* (const BigInt &x, word y)
 
template<std::unsigned_integral T>
constexpr donna128 operator* (const donna128 &x, T y)
 
EC_Point operator* (const EC_Point &point, const BigInt &scalar)
 
Ed448Point operator* (const Scalar448 &lhs, const Ed448Point &rhs)
 Syntax sugar for scalar multiplication.
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator* (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator* (Strong< T1, Tags... > a, T2 b)
 
template<std::unsigned_integral T>
constexpr donna128 operator* (T y, const donna128 &x)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator* (T1 a, Strong< T2, Tags... > b)
 
BigInt operator* (word x, const BigInt &y)
 
template<std::integral T, typename... Tags>
constexpr auto operator*= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator*= (Strong< T1, Tags... > &a, T2 b)
 
BigInt operator+ (const BigInt &x, const BigInt &y)
 
BigInt operator+ (const BigInt &x, word y)
 
constexpr donna128 operator+ (const donna128 &x, const donna128 &y)
 
constexpr donna128 operator+ (const donna128 &x, uint64_t y)
 
EC_Point operator+ (const EC_Point &lhs, const EC_Point &rhs)
 
OctetString operator+ (const OctetString &k1, const OctetString &k2)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator+ (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator+ (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator+ (T1 a, Strong< T2, Tags... > b)
 
BigInt operator+ (word x, const BigInt &y)
 
template<std::integral T, typename... Tags>
constexpr auto operator++ (Strong< T, Tags... > &a)
 
template<std::integral T, typename... Tags>
constexpr auto operator++ (Strong< T, Tags... > &a, int)
 
template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< const T *, L > &in)
 
template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< T *, L > &in)
 
template<typename T, typename Alloc, typename Alloc2>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::vector< T, Alloc2 > &in)
 
template<typename T, typename Alloc>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, T in)
 
template<std::integral T, typename... Tags>
constexpr auto operator+= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator+= (Strong< T1, Tags... > &a, T2 b)
 
BigInt operator- (const BigInt &x, const BigInt &y)
 
BigInt operator- (const BigInt &x, word y)
 
EC_Point operator- (const EC_Point &lhs)
 
EC_Point operator- (const EC_Point &lhs, const EC_Point &rhs)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator- (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator- (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator- (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator-- (Strong< T, Tags... > &a)
 
template<std::integral T, typename... Tags>
constexpr auto operator-- (Strong< T, Tags... > &a, int)
 
template<std::integral T, typename... Tags>
constexpr auto operator-= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator-= (Strong< T1, Tags... > &a, T2 b)
 
BigInt operator/ (const BigInt &x, const BigInt &y)
 
BigInt operator/ (const BigInt &x, word y)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator/ (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator/ (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator/ (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator/= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator/= (Strong< T1, Tags... > &a, T2 b)
 
bool operator< (const ASN1_Time &, const ASN1_Time &)
 
bool operator< (const BigInt &a, const BigInt &b)
 
bool operator< (const BigInt &a, word b)
 
bool operator< (const OID &a, const OID &b)
 
bool operator< (const X509_DN &dn1, const X509_DN &dn2)
 
BigInt operator<< (const BigInt &x, size_t shift)
 
int operator<< (int fd, Pipe &pipe)
 
std::ostream & operator<< (std::ostream &os, const GeneralName &gn)
 
std::ostream & operator<< (std::ostream &os, const GeneralSubtree &gs)
 
template<typename T, typename... Tags>
requires (concepts::streamable<T>)
decltype(auto) operator<< (std::ostream &os, const Strong< T, Tags... > &v)
 
std::ostream & operator<< (std::ostream &out, const OID &oid)
 
std::ostream & operator<< (std::ostream &out, const X509_DN &dn)
 
std::ostream & operator<< (std::ostream &out, Pipe &pipe)
 
std::ostream & operator<< (std::ostream &stream, const BigInt &n)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator<< (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator<< (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator<< (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator<<= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator<<= (Strong< T1, Tags... > &a, T2 b)
 
bool operator<= (const ASN1_Time &, const ASN1_Time &)
 
bool operator<= (const BigInt &a, const BigInt &b)
 
bool operator<= (const BigInt &a, word b)
 
template<typename T, typename... Tags>
requires (std::three_way_comparable<T>)
auto operator<=> (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator<=> (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator<=> (T1 a, Strong< T2, Tags... > b)
 
bool operator== (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
 
bool operator== (const ASN1_Time &, const ASN1_Time &)
 
bool operator== (const BigInt &a, const BigInt &b)
 
bool operator== (const BigInt &a, word b)
 
bool operator== (const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient &lhs, const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient &rhs)
 
bool operator== (const CRL_Entry &a1, const CRL_Entry &a2)
 
bool operator== (const OctetString &s1, const OctetString &s2)
 
template<typename T, typename U>
bool operator== (const secure_allocator< T > &, const secure_allocator< U > &)
 
template<typename T, typename... Tags>
requires (std::equality_comparable<T>)
bool operator== (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs)
 
template<bitvectorish T1, bitvectorish T2>
bool operator== (const T1 &lhs, const T2 &rhs)
 
bool operator== (const X509_DN &dn1, const X509_DN &dn2)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator== (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
auto operator== (T1 a, Strong< T2, Tags... > b)
 
bool operator> (const ASN1_Time &, const ASN1_Time &)
 
bool operator> (const BigInt &a, const BigInt &b)
 
bool operator> (const BigInt &a, word b)
 
bool operator>= (const ASN1_Time &, const ASN1_Time &)
 
bool operator>= (const BigInt &a, const BigInt &b)
 
bool operator>= (const BigInt &a, word b)
 
BigInt operator>> (const BigInt &x, size_t shift)
 
int operator>> (int fd, Pipe &pipe)
 
std::istream & operator>> (std::istream &in, Pipe &pipe)
 
std::istream & operator>> (std::istream &in, X509_DN &dn)
 
std::istream & operator>> (std::istream &stream, BigInt &n)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator>> (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator>> (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator>> (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator>>= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator>>= (Strong< T1, Tags... > &a, T2 b)
 
OctetString operator^ (const OctetString &k1, const OctetString &k2)
 
template<bitvectorish T1, bitvectorish T2>
auto operator^ (const T1 &lhs, const T2 &rhs)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator^ (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator^ (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator^ (T1 a, Strong< T2, Tags... > b)
 
template<typename Alloc, typename Alloc2>
std::vector< uint8_t, Alloc > & operator^= (std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in)
 
template<std::integral T, typename... Tags>
constexpr auto operator^= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator^= (Strong< T1, Tags... > &a, T2 b)
 
ASN1_Class operator| (ASN1_Class x, ASN1_Class y)
 
uint32_t operator| (ASN1_Class x, ASN1_Type y)
 
uint32_t operator| (ASN1_Type x, ASN1_Class y)
 
ASN1_Type operator| (ASN1_Type x, ASN1_Type y)
 
constexpr donna128 operator| (const donna128 &x, const donna128 &y)
 
constexpr donna128 operator| (const donna128 &x, uint64_t y)
 
template<bitvectorish T1, bitvectorish T2>
auto operator| (const T1 &lhs, const T2 &rhs)
 
ECIES_Flags operator| (ECIES_Flags a, ECIES_Flags b)
 
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator| (Strong< T, Tags... > a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator| (Strong< T1, Tags... > a, T2 b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator| (T1 a, Strong< T2, Tags... > b)
 
template<std::integral T, typename... Tags>
constexpr auto operator|= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
 
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator|= (Strong< T1, Tags... > &a, T2 b)
 
EC_Point OS2ECP (const uint8_t data[], size_t data_len, const CurveGFp &curve)
 
std::pair< BigInt, BigIntOS2ECP (const uint8_t pt[], size_t pt_len, const BigInt &p, const BigInt &a, const BigInt &b)
 
EC_Point OS2ECP (std::span< const uint8_t > data, const CurveGFp &curve)
 
template<typename T>
requires std::is_default_constructible_v<T>
constexpr auto out_opt (std::optional< T > &outopt) noexcept
 
template<typename T>
constexpr auto out_ptr (T &outptr) noexcept
 
template<class... Ts>
 overloaded (Ts...) -> overloaded< Ts... >
 
std::vector< std::string > parse_algorithm_name (std::string_view namex)
 
bool passes_miller_rabin_test (const BigInt &n, const Barrett_Reduction &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
 
secure_vector< uint8_t > pbes2_decrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, const std::vector< uint8_t > &params)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter (std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
 
void pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const uint8_t salt[], size_t salt_len, size_t iterations)
 
size_t pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
 
std::vector< uint8_t > pkcs_hash_id (std::string_view name)
 
template<typename ProjectivePoint, typename FieldElement>
constexpr ProjectivePoint point_add (const ProjectivePoint &a, const ProjectivePoint &b)
 
template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
constexpr ProjectivePoint point_add_mixed (const ProjectivePoint &a, const AffinePoint &b, const FieldElement &one)
 
template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
constexpr ProjectivePoint point_add_or_sub_mixed (const ProjectivePoint &a, const AffinePoint &b, CT::Choice sub, const FieldElement &one)
 
void poly_double_n (uint8_t buf[], size_t n)
 
void poly_double_n (uint8_t out[], const uint8_t in[], size_t n)
 
void poly_double_n_le (uint8_t out[], const uint8_t in[], size_t n)
 
bool poly_double_supported_size (size_t n)
 
BigInt power_mod (const BigInt &base, const BigInt &exp, const BigInt &mod)
 
uint64_t prefetch_array_raw (size_t bytes, const void *arrayv) noexcept
 
template<typename T, size_t... Ns>
requires std::is_integral<T>::value
prefetch_arrays (T(&... arr)[Ns]) noexcept
 
std::vector< std::string > probe_provider_private_key (std::string_view alg_name, const std::vector< std::string > &possible)
 
template<typename T>
std::vector< std::string > probe_providers_of (std::string_view algo_spec, const std::vector< std::string > &possible={"base"})
 
gf2m random_code_element (uint16_t code_length, RandomNumberGenerator &rng)
 
gf2m random_gf2m (RandomNumberGenerator &rng)
 
BigInt random_prime (RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
 
BigInt random_safe_prime (RandomNumberGenerator &rng, size_t bits)
 
std::map< std::string, std::string > read_cfg (std::istream &is)
 
BOTAN_TEST_API std::map< std::string, std::string > read_kv (std::string_view kv)
 
template<size_t WindowBits, typename W, size_t N>
constexpr size_t read_window_bits (std::span< const W, N > words, size_t offset)
 
template<WordType W, size_t N, W C>
constexpr std::array< W, N > redc_crandall (std::span< const W, 2 *N > z)
 
void redc_mul (int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
 
template<typename RetT, typename KeyT, typename ReducerT>
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
RetT reduce (const std::vector< KeyT > &keys, RetT acc, ReducerT reducer)
 
template<std::unsigned_integral T>
requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8)
constexpr T reverse_bytes (T x)
 
secure_vector< uint8_t > rfc3394_keyunwrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
 
secure_vector< uint8_t > rfc3394_keywrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
 
size_t RFC4880_decode_count (uint8_t iter)
 
uint8_t RFC4880_encode_count (size_t desired_iterations)
 
size_t RFC4880_round_iterations (size_t iterations)
 
template<size_t R1, size_t R2, size_t R3, typename T>
constexpr T rho (T x)
 
Gf448Elem root (const Gf448Elem &elem)
 Compute the root of elem in the field.
 
template<size_t R>
SIMD_16x32 rotl (SIMD_16x32 input)
 
template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 rotl (SIMD_4x32 input)
 
template<size_t R>
SIMD_8x32 rotl (SIMD_8x32 input)
 
template<size_t ROT, typename T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
constexpr T rotl (T input)
 
template<typename T>
constexpr T rotl_var (T input, size_t rot)
 
template<size_t R>
SIMD_16x32 rotr (SIMD_16x32 input)
 
template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 rotr (SIMD_4x32 input)
 
template<size_t R>
SIMD_8x32 rotr (SIMD_8x32 input)
 
template<size_t ROT, typename T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
constexpr T rotr (T input)
 
template<typename T>
constexpr T rotr_var (T input, size_t rot)
 
constexpr size_t round_up (size_t n, size_t align_to)
 
std::string runtime_version_check (uint32_t major, uint32_t minor, uint32_t patch)
 
template<typename T>
bool same_mem (const T *p1, const T *p2, size_t n)
 
void sc_muladd (uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
 
void sc_reduce (uint8_t *)
 
void scrypt (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
 
void scrypt (uint8_t output[], size_t output_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
 
void secure_scrub_memory (ranges::contiguous_output_range auto &&data)
 
void secure_scrub_memory (void *ptr, size_t n)
 
constexpr void set_mem (uint8_t *ptr, size_t n, uint8_t val)
 
BOTAN_FORCE_INLINE void SHA2_32_F (uint32_t A, uint32_t B, uint32_t C, uint32_t &D, uint32_t E, uint32_t F, uint32_t G, uint32_t &H, uint32_t &M1, uint32_t M2, uint32_t M3, uint32_t M4, uint32_t magic)
 
BOTAN_FORCE_INLINE void SHA2_32_F (uint32_t A, uint32_t B, uint32_t C, uint32_t &D, uint32_t E, uint32_t F, uint32_t G, uint32_t &H, uint32_t M)
 
BOTAN_FORCE_INLINE void SHA2_64_F (uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t &M1, uint64_t M2, uint64_t M3, uint64_t M4, uint64_t magic)
 
BOTAN_FORCE_INLINE void SHA2_64_F (uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t M)
 
template<size_t S, WordType W, size_t N>
constexpr W shift_left (std::array< W, N > &x)
 
template<size_t S, WordType W, size_t N>
constexpr W shift_right (std::array< W, N > &x)
 
template<size_t S>
SIMD_16x32 shl (SIMD_16x32 input)
 
template<size_t S>
SIMD_4x32 shl (SIMD_4x32 input)
 
template<size_t S>
SIMD_8x32 shl (SIMD_8x32 input)
 
const char * short_version_cstr ()
 
std::string short_version_string ()
 
template<size_t R1, size_t R2, size_t S, typename T>
constexpr T sigma (T x)
 
std::array< uint8_t, 2 *ED448_LENsign_message (std::span< const uint8_t, ED448_LEN > sk, std::span< const uint8_t, ED448_LEN > pk, bool f, std::span< const uint8_t > context, std::span< const uint8_t > msg)
 Sign a message using a keypair (RFC 8032 5.2.6)
 
template<typename T>
requires (std::is_integral<T>::value)
constexpr size_t significant_bytes (T n)
 
std::vector< uint8_t > sm2_compute_za (HashFunction &hash, std::string_view user_id, const EC_Group &group, const EC_AffinePoint &pubkey)
 
std::vector< std::string > split_on (std::string_view str, char delim)
 
BigInt sqrt_modulo_prime (const BigInt &a, const BigInt &p)
 
BigInt square (const BigInt &x)
 
Gf448Elem square (const Gf448Elem &elem)
 Computes elem^2. Faster than operator*.
 
std::pair< BigInt, SymmetricKeysrp6_client_agree (std::string_view identifier, std::string_view password, const DL_Group &group, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, const size_t a_bits, RandomNumberGenerator &rng)
 
std::pair< BigInt, SymmetricKeysrp6_client_agree (std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
 
BigInt srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, const DL_Group &group, std::string_view hash_id)
 
BigInt srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
 
std::string srp6_group_identifier (const BigInt &N, const BigInt &g)
 
template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
constexpr auto store_be (ParamTs &&... params)
 
template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
constexpr auto store_le (ParamTs &&... params)
 
std::string string_join (const std::vector< std::string > &strs, char delim)
 
std::optional< uint32_t > string_to_ipv4 (std::string_view str)
 
template<typename T>
constexpr void swap_bits (T &x, T &y, T mask, size_t shift)
 
template<std::unsigned_integral T>
constexpr T swar_in_range (T v, T lower, T upper)
 
template<std::unsigned_integral T>
constexpr T swar_lt (T a, T b)
 
std::vector< polyn_gf2msyndrome_init (const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
 
RandomNumberGeneratorsystem_rng ()
 
void throw_invalid_argument (const char *message, const char *func, const char *file)
 
void throw_invalid_state (const char *expr, const char *func, const char *file)
 
template<typename C>
constexpr auto to_affine (const typename C::ProjectivePoint &pt)
 
template<typename C>
auto to_affine_batch (std::span< const typename C::ProjectivePoint > projective)
 
template<typename C>
auto to_affine_x (const typename C::ProjectivePoint &pt)
 
template<concepts::contiguous_container T = std::vector<uint8_t>>
to_byte_vector (std::string_view s)
 
const char * to_string (Certificate_Status_Code code)
 
std::string to_string (ErrorType type)
 Convert an ErrorType to string.
 
std::string to_string (std::span< const uint8_t > bytes)
 
uint32_t to_u32bit (std::string_view str_view)
 
uint16_t to_uint16 (std::string_view str)
 
template<typename T>
requires std::is_enum_v<T>
auto to_underlying (T e) noexcept
 
std::string tolower_string (std::string_view in)
 
void treehash (StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)
 
template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void treehash (StrongSpan< TreeNode > out_root, std::optional< AuthPathSS > out_auth_path, std::optional< TreeNodeIndex > leaf_idx, size_t node_size, TreeLayerIndex total_tree_height, uint32_t idx_offset, concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash, concepts::tree_gen_leaf< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto gen_leaf, Address &tree_address)
 Treehash logic to build up a merkle hash tree.
 
template<typename To>
requires std::is_trivial<To>::value
constexpr To typecast_copy (const uint8_t src[]) noexcept
 
template<typename ToT, ranges::contiguous_range FromR>
requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
constexpr ToT typecast_copy (FromR &&src) noexcept
 
template<typename T>
requires std::is_trivial<typename std::decay<T>::type>::value
constexpr void typecast_copy (T &out, const uint8_t in[])
 
template<typename T>
requires std::is_trivial<T>::value
constexpr void typecast_copy (T out[], const uint8_t in[], size_t N)
 
template<ranges::contiguous_output_range ToR, typename FromT>
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void typecast_copy (ToR &&out, const FromT &in)
 
template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void typecast_copy (ToR &&out, FromR &&in)
 
template<typename ToT, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
constexpr void typecast_copy (ToT &out, FromR &&in) noexcept
 
template<typename T>
constexpr void typecast_copy (uint8_t out[], const T &in)
 
template<typename T>
requires std::is_trivially_copyable<T>::value
constexpr void typecast_copy (uint8_t out[], T in[], size_t N)
 
std::string ucs2_to_utf8 (const uint8_t ucs2[], size_t len)
 
std::string ucs4_to_utf8 (const uint8_t ucs4[], size_t len)
 
template<typename T>
std::vector< T > unlock (const secure_vector< T > &in)
 
bool unsafe_for_production_build ()
 
template<typename T>
constexpr decltype(auto) unwrap_strong_type (T &&t)
 Generically unwraps a strong type to its underlying type.
 
template<typename T, typename OT>
bool value_exists (const std::vector< T > &vec, const OT &val)
 
constexpr size_t var_ctz32 (uint32_t n)
 
template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint varpoint_exec (const AffinePointTable< C > &table, const BlindedScalar &scalar, RandomNumberGenerator &rng)
 
template<typename C, size_t TableSize>
AffinePointTable< C > varpoint_setup (const typename C::AffinePoint &p)
 
void vartime_divide (const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
 
bool verify_signature (std::span< const uint8_t, ED448_LEN > pk, bool phflag, std::span< const uint8_t > context, std::span< const uint8_t > sig, std::span< const uint8_t > msg)
 Verify a signature(RFC 8032 5.2.7)
 
const char * version_cstr ()
 
uint32_t version_datestamp ()
 
std::optional< std::string > version_distribution_info ()
 
uint32_t version_major ()
 
uint32_t version_minor ()
 
uint32_t version_patch ()
 
std::string version_string ()
 
std::optional< std::string > version_vc_revision ()
 
template<WordType W>
constexpr auto word8_add2 (W x[8], const W y[8], W carry) -> W
 
template<WordType W>
constexpr auto word8_add3 (W z[8], const W x[8], const W y[8], W carry) -> W
 
template<WordType W>
constexpr auto word8_linmul2 (W x[8], W y, W carry) -> W
 
template<WordType W>
constexpr auto word8_linmul3 (W z[8], const W x[8], W y, W carry) -> W
 
template<WordType W>
constexpr auto word8_madd3 (W z[8], const W x[8], W y, W carry) -> W
 
template<WordType W>
constexpr auto word8_sub2 (W x[8], const W y[8], W carry) -> W
 
template<WordType W>
constexpr auto word8_sub2_rev (W x[8], const W y[8], W carry) -> W
 
template<WordType W>
constexpr auto word8_sub3 (W z[8], const W x[8], const W y[8], W carry) -> W
 
template<WordType W>
constexpr auto word_add (W x, W y, W *carry) -> W
 
template<WordType W>
constexpr auto word_madd2 (W a, W b, W *c) -> W
 
template<WordType W>
constexpr auto word_madd3 (W a, W b, W c, W *d) -> W
 
template<WordType W>
constexpr auto word_sub (W x, W y, W *carry) -> W
 
constexpr size_t words_for_bits (size_t x)
 
WotsPublicKey wots_public_key_from_signature (const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 8: wots_pkFromSig.
 
void wots_sign_and_pkgen (StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
 
template<typename T, typename ParamT>
requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>)
constexpr decltype(auto) wrap_strong_type (ParamT &&t)
 Wraps a value into a caller-defined (strong) type.
 
Point448 x448 (const ScalarX448 &k, const Point448 &u)
 Multiply a scalar k with a point u.
 
Point448 x448_basepoint (const ScalarX448 &k)
 Multiply a scalar with the base group element (5)
 
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
 
SphincsTreeNode xmss_gen_root (const Sphincs_Parameters &params, const SphincsSecretSeed &secret_seed, Sphincs_Hash_Functions &hashes)
 
SphincsTreeNode xmss_sign_and_pkgen (StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 10: xmss_sign.
 
constexpr void xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
 
constexpr void xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in1, ranges::contiguous_range< uint8_t > auto &&in2)
 
void xor_buf (std::span< uint8_t > out, std::span< const uint8_t > in, size_t n)
 
template<typename Alloc, typename Alloc2>
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
 
template<typename Alloc>
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, size_t n)
 
void xor_buf (uint8_t out[], const uint8_t in[], const uint8_t in2[], size_t length)
 
void xor_buf (uint8_t out[], const uint8_t in[], size_t length)
 
void xts_update_tweak_block (uint8_t tweak[], size_t BS, size_t blocks_in_tweak)
 
template<typename T, typename Alloc>
void zap (std::vector< T, Alloc > &vec)
 
template<typename T, typename Alloc>
void zeroise (std::vector< T, Alloc > &vec)
 

Variables

constexpr size_t BLAKE2B_BLOCKBYTES = 128
 
constexpr size_t BYTES_448 = ceil_tobytes(448)
 
constexpr size_t DefaultBufferSize = 4096
 
constexpr size_t ED448_LEN = 57
 
const size_t HEX_CODEC_BUFFER_SIZE = 256
 
template<typename T>
constexpr bool is_strong_span_v = is_strong_span<T>::value
 
template<typename... Ts>
constexpr bool is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value
 
constexpr size_t LMS_IDENTIFIER_LEN = 16
 The length in bytes of the LMS identifier (I).
 
const size_t MAX_EXT_DEG = 16
 
const size_t PRIME_TABLE_SIZE = 6541
 
const uint16_t PRIMES []
 
const uint64_t STREEBOG_Ax [8][256]
 
const uint64_t STREEBOG_C [12][8]
 
constexpr size_t WORDS_448 = 7
 
constexpr size_t X448_LEN = 56
 

Detailed Description

Wrapper for truncated hashes (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019,2021 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019,2022 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2023 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2022 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018 Jack Lloyd (C) 2018 Ribose Inc

Botan is released under the Simplified BSD License (see license.txt)

Symmetric primitives for dilithium

(C) 2022-2023 Jack Lloyd (C) 2022-2023 Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity (C) 2022 Manuel Glaser - Rohde & Schwarz Cybersecurity (C) 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

HSS - Hierarchical Signatures System (RFC 8554) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

HSS-LMS (C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Utils for HSS/LMS (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

LM-OTS - Leighton-Micali One-Time Signatures (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

LM-OTS - Leighton-Micali One-Time Signatures (RFC 8554 Section 4) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

LMS - Leighton-Micali Hash-Based Signatures (RFC 8554) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

Abstraction for a combined KEM public and private key.

(C) 2024 Jack Lloyd 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Abstraction for a combined KEM encryptors and decryptors.

(C) 2024 Jack Lloyd 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Adapter that allows using a KEX key as a KEM, using an ephemeral key in the KEM encapsulation.

(C) 2023 Jack Lloyd 2023,2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Ordinary applications should never need to include or use this header. It is exposed only for specialized applications which want to implement new versions of public key crypto without merging them as changes to the library. One actual example of such usage is an application which creates RSA signatures using a custom TPM library. Unless you're doing something like that, you don't need anything here. Instead use pubkey.h which wraps these types safely and provides a stable application-oriented API.

Note: This header was accidentally pulled from the public API between Botan 3.0.0 and 3.2.0, and then restored in 3.3.0. If you are maintaining an application which used this header in Botan 2.x, you should make sure to use Botan 3.3.0 or later when migrating.

Hybrid Session Manager emitting both Tickets and storing sessions in Memory (C) 2023 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Manager in Memory (C) 2011 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Stateless Session Manager for stateless servers (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Useful concepts that are available throughout the library (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2025 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

A wrapper class to implement strong types (C) 2022 Jack Lloyd 2022 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2024 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

Treehash logic used for hash-based signatures (C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel, Amos Treiber, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Parts of this file have been adapted from https://github.com/sphincs/sphincsplus

Botan is released under the Simplified BSD License (see license.txt)

utilities for PKIX::build_all_certificate_paths

Typedef Documentation

◆ Altivec32x4

typedef __vector unsigned int Botan::Altivec32x4

Definition at line 24 of file aes_power8.cpp.

◆ Altivec64x2

typedef __vector unsigned long long Botan::Altivec64x2

Definition at line 23 of file aes_power8.cpp.

◆ Altivec8x16

typedef __vector unsigned char Botan::Altivec8x16

Definition at line 25 of file aes_power8.cpp.

◆ bitvector

using Botan::bitvector = bitvector_base<std::allocator>

Definition at line 1299 of file bitvector.h.

◆ Bounded_XOF

template<size_t bound>
using Botan::Bounded_XOF = detail::Bounded_XOF<XOF&, bound>

Definition at line 221 of file pqcrystals_helpers.h.

◆ byte

using Botan::byte = std::uint8_t

Definition at line 110 of file types.h.

◆ CCCryptorStatus

typedef int32_t Botan::CCCryptorStatus

Definition at line 24 of file commoncrypto.h.

◆ CertificatePathStatusCodes

This type represents the validation status of an entire certificate path. There is one set of status codes for each certificate in the path.

Definition at line 29 of file x509path.h.

◆ CmceCodeWord

using Botan::CmceCodeWord = Strong<secure_bitvector, struct CmceCodeWord_>

Represents C of decapsulation.

Definition at line 52 of file cmce_types.h.

◆ CmceColumnSelection

using Botan::CmceColumnSelection = Strong<secure_bitvector, struct CmceColumnSelection_>

Represents c of private key.

Definition at line 46 of file cmce_types.h.

◆ CmceErrorVector

using Botan::CmceErrorVector = Strong<secure_bitvector, struct CmceErrorVector_>

Represents e of encapsulation.

Definition at line 49 of file cmce_types.h.

◆ CmceGfElem

using Botan::CmceGfElem = Strong<uint16_t, struct CmceGfElem_>

Represents a GF(q) element.

Definition at line 19 of file cmce_types.h.

◆ CmceGfMod

using Botan::CmceGfMod = Strong<uint16_t, struct CmceGfMod_>

Represents a GF(q) modulus.

Definition at line 22 of file cmce_types.h.

◆ CmceInitialSeed

using Botan::CmceInitialSeed = Strong<secure_vector<uint8_t>, struct CmceInitialSeed_>

Represents initial delta of keygen.

Definition at line 31 of file cmce_types.h.

◆ CmceIrreducibleBits

using Botan::CmceIrreducibleBits = Strong<secure_vector<uint8_t>, struct CmceIrreducibleBits_>

Definition at line 40 of file cmce_types.h.

◆ CmceKeyGenSeed

using Botan::CmceKeyGenSeed = Strong<secure_vector<uint8_t>, struct CmceKeyGenSeed_>

Represents a delta (can be altered; final value stored in private key)

Definition at line 34 of file cmce_types.h.

◆ CmceOrderingBits

using Botan::CmceOrderingBits = Strong<secure_vector<uint8_t>, struct CmceOrderingBits_>

Definition at line 37 of file cmce_types.h.

◆ CmcePermutation

using Botan::CmcePermutation = Strong<secure_vector<uint16_t>, struct CmcePermutation_>

Represents a permutation (pi in spec). Used in field ordering creation.

Definition at line 28 of file cmce_types.h.

◆ CmcePermutationElement

using Botan::CmcePermutationElement = Strong<uint16_t, struct CmcePermutationElement_>

Represents an element of a permuation (pi in spec). Used in field ordering creation.

Definition at line 25 of file cmce_types.h.

◆ CmceRejectionSeed

using Botan::CmceRejectionSeed = Strong<secure_vector<uint8_t>, struct CmceRejectionSeed_>

Represents s of private key.

Definition at line 43 of file cmce_types.h.

◆ Curve25519_PrivateKey

Definition at line 18 of file curve25519.h.

◆ Curve25519_PublicKey

Definition at line 17 of file curve25519.h.

◆ DilithiumCommitmentHash

using Botan::DilithiumCommitmentHash = Strong<std::vector<uint8_t>, struct DilithiumCommitmentHash_>

Hash of the message representative and the signer's commitment.

Definition at line 64 of file dilithium_types.h.

◆ DilithiumHashedPublicKey

using Botan::DilithiumHashedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumHashedPublicKey_>

Hash value of the serialized public key data (result of H(BytesToBits(pkEncode(pk)), also referred to as 'tr')

Definition at line 52 of file dilithium_types.h.

◆ DilithiumInternalKeypair

Initial value:
std::pair<std::shared_ptr<Dilithium_PublicKeyInternal>, std::shared_ptr<Dilithium_PrivateKeyInternal>>

Internal representation of a Dilithium key pair.

Definition at line 67 of file dilithium_types.h.

◆ DilithiumMessageRepresentative

using Botan::DilithiumMessageRepresentative = Strong<std::vector<uint8_t>, struct DilithiumMessageRepresentative_>

Representation of the message to be signed.

Definition at line 55 of file dilithium_types.h.

◆ DilithiumOptionalRandomness

using Botan::DilithiumOptionalRandomness = Strong<secure_vector<uint8_t>, struct DilithiumOptionalRandomness_>

Optional randomness 'rnd' used for rho prime computation in ML-DSA.

Definition at line 39 of file dilithium_types.h.

◆ DilithiumPoly

◆ DilithiumPolyMatNTT

◆ DilithiumPolyNTT

◆ DilithiumPolyVec

◆ DilithiumPolyVecNTT

◆ DilithiumSeedRandomness

using Botan::DilithiumSeedRandomness = Strong<secure_vector<uint8_t>, struct DilithiumSeedRandomness_>

Principal seed used to generate Dilithium key pairs.

Definition at line 30 of file dilithium_types.h.

◆ DilithiumSeedRho

using Botan::DilithiumSeedRho = Strong<std::vector<uint8_t>, struct DilithiumPublicSeed_>

Public seed to sample the polynomial matrix A from.

Definition at line 33 of file dilithium_types.h.

◆ DilithiumSeedRhoPrime

using Botan::DilithiumSeedRhoPrime = Strong<secure_vector<uint8_t>, struct DilithiumSeedRhoPrime_>

Private seed to sample the polynomial vectors s1 and s2 from.

Definition at line 36 of file dilithium_types.h.

◆ DilithiumSerializedCommitment

using Botan::DilithiumSerializedCommitment = Strong<std::vector<uint8_t>, struct DilithiumSerializedCommitment_>

Serialized representation of a commitment w1.

Definition at line 61 of file dilithium_types.h.

◆ DilithiumSerializedPrivateKey

using Botan::DilithiumSerializedPrivateKey = Strong<secure_vector<uint8_t>, struct DilithiumSerializedPrivateKey_>

Serialized private key data.

Definition at line 45 of file dilithium_types.h.

◆ DilithiumSerializedPublicKey

using Botan::DilithiumSerializedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumSerializedPublicKey_>

Serialized public key data (result of pkEncode(pk))

Definition at line 48 of file dilithium_types.h.

◆ DilithiumSerializedSignature

using Botan::DilithiumSerializedSignature = Strong<std::vector<uint8_t>, struct DilithiumSerializedSignature_>

Serialized signature data.

Definition at line 58 of file dilithium_types.h.

◆ DilithiumSigningSeedK

using Botan::DilithiumSigningSeedK = Strong<secure_vector<uint8_t>, struct DilithiumSeedK_>

Private seed K used during signing.

Definition at line 42 of file dilithium_types.h.

◆ ForsLeafSecret

using Botan::ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_>

Definition at line 71 of file sp_types.h.

◆ ForsSignature

using Botan::ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_>

Definition at line 72 of file sp_types.h.

◆ FrodoDomainSeparator

using Botan::FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_>

Definition at line 47 of file frodo_types.h.

◆ FrodoIntermediateSharedSecret

using Botan::FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_>

Definition at line 56 of file frodo_types.h.

◆ FrodoPackedMatrix

using Botan::FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_>

Definition at line 41 of file frodo_types.h.

◆ FrodoPlaintext

using Botan::FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_>

Definition at line 50 of file frodo_types.h.

◆ FrodoPublicKeyHash

using Botan::FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_>

Definition at line 38 of file frodo_types.h.

◆ FrodoSalt

using Botan::FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_>

Definition at line 53 of file frodo_types.h.

◆ FrodoSampleR

using Botan::FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_>

Definition at line 35 of file frodo_types.h.

◆ FrodoSeedA

using Botan::FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_>

Definition at line 23 of file frodo_types.h.

◆ FrodoSeedS

using Botan::FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_>

Definition at line 26 of file frodo_types.h.

◆ FrodoSeedSE

using Botan::FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_>

Definition at line 29 of file frodo_types.h.

◆ FrodoSeedZ

using Botan::FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_>

Definition at line 32 of file frodo_types.h.

◆ FrodoSerializedMatrix

using Botan::FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_>

Definition at line 44 of file frodo_types.h.

◆ GenerateLeafFunction

Definition at line 25 of file sp_treehash.h.

◆ gf2m

typedef uint16_t Botan::gf2m

Definition at line 20 of file gf2m_small_m.h.

◆ HSS_Level

using Botan::HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber>

The HSS layer in the HSS multi tree starting at 0 from the root.

Definition at line 34 of file hss.h.

◆ HSS_Sig_Idx

using Botan::HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber>

The index of a node within a specific LMS tree layer.

Definition at line 29 of file hss.h.

◆ HypertreeLayerIndex

using Botan::HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_>

Index of a layer in the XMSS hyper-tree.

Definition at line 86 of file sp_types.h.

◆ InitializationVector

Alternate name for octet string showing intent to use as an IV

Definition at line 145 of file symkey.h.

◆ Integrity_Failure

For compatibility with older versions

Definition at line 283 of file exceptn.h.

◆ KyberCompressedCiphertext

using Botan::KyberCompressedCiphertext = Strong<std::vector<uint8_t>, struct KyberCompressedCiphertext_>

Compressed and serialized ciphertext value.

Definition at line 63 of file kyber_types.h.

◆ KyberEncryptionRandomness

using Botan::KyberEncryptionRandomness = Strong<secure_vector<uint8_t>, struct KyberEncryptionRandomness_>

Random value used to generate the Kyber ciphertext.

Definition at line 48 of file kyber_types.h.

◆ KyberHashedCiphertext

using Botan::KyberHashedCiphertext = Strong<std::vector<uint8_t>, struct KyberHashedCiphertext_>

Hash of the compressed and serialized ciphertext value TODO: Remove this once Kyber-R3 is removed

Definition at line 67 of file kyber_types.h.

◆ KyberHashedPublicKey

using Botan::KyberHashedPublicKey = Strong<std::vector<uint8_t>, struct KyberHashedPublicKey_>

Hash value of the serialized public key.

Definition at line 60 of file kyber_types.h.

◆ KyberImplicitRejectionValue

using Botan::KyberImplicitRejectionValue = Strong<secure_vector<uint8_t>, struct KyberImplicitRejectionValue_>

Secret random value (called Z in the spec), used for implicit rejection in the decapsulation.

Definition at line 42 of file kyber_types.h.

◆ KyberInternalKeypair

Initial value:
std::pair<std::shared_ptr<Kyber_PublicKeyInternal>, std::shared_ptr<Kyber_PrivateKeyInternal>>

Definition at line 73 of file kyber_types.h.

◆ KyberMessage

using Botan::KyberMessage = Strong<secure_vector<uint8_t>, struct KyberMessage_>

Random message value to be encrypted by the CPA-secure Kyber encryption scheme.

Definition at line 45 of file kyber_types.h.

◆ KyberPoly

◆ KyberPolyMat

◆ KyberPolyNTT

◆ KyberPolyVec

◆ KyberPolyVecNTT

◆ KyberSamplingRandomness

using Botan::KyberSamplingRandomness = Strong<secure_vector<uint8_t>, struct KyberSamplingRandomness_>

PRF value used for sampling of error polynomials.

Definition at line 51 of file kyber_types.h.

◆ KyberSeedRandomness

using Botan::KyberSeedRandomness = Strong<secure_vector<uint8_t>, struct KyberSeedRandomness_>

Principal seed used to generate Kyber key pairs.

Definition at line 33 of file kyber_types.h.

◆ KyberSeedRho

using Botan::KyberSeedRho = Strong<std::vector<uint8_t>, struct KyberSeedRho_>

Public seed value to generate the Kyber matrix A.

Definition at line 36 of file kyber_types.h.

◆ KyberSeedSigma

using Botan::KyberSeedSigma = Strong<secure_vector<uint8_t>, struct KyberSeedSigma_>

Private seed used to generate polynomial vectors s and e during key generation.

Definition at line 39 of file kyber_types.h.

◆ KyberSerializedPublicKey

using Botan::KyberSerializedPublicKey = Strong<std::vector<uint8_t>, struct KyberSerializedPublicKey_>

Public key in serialized form (t || rho)

Definition at line 57 of file kyber_types.h.

◆ KyberSharedSecret

using Botan::KyberSharedSecret = Strong<secure_vector<uint8_t>, struct KyberSharedSecret_>

Shared secret value generated during encapsulation and recovered during decapsulation.

Definition at line 54 of file kyber_types.h.

◆ KyberSigmaOrEncryptionRandomness

Initial value:
std::variant<StrongSpan<const KyberSeedSigma>, StrongSpan<const KyberEncryptionRandomness>>

Variant value of either a KyberSeedSigma or a KyberEncryptionRandomness.

Definition at line 70 of file kyber_types.h.

◆ LMOTS_K

using Botan::LMOTS_K = Strong<std::vector<uint8_t>, struct LMOTS_K_>

The K value from the LM-OTS public key.

Definition at line 35 of file lm_ots.h.

◆ LMOTS_Node

using Botan::LMOTS_Node = Strong<secure_vector<uint8_t>, struct LMOTS_Node_>

One node within one LM-OTS hash chain.

Definition at line 30 of file lm_ots.h.

◆ LMOTS_Signature_Bytes

using Botan::LMOTS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMOTS_Signature_Bytes_>

Byte vector of an LM-OTS signature.

Definition at line 40 of file lm_ots.h.

◆ LMS_AuthenticationPath

using Botan::LMS_AuthenticationPath = Strong<std::vector<uint8_t>, struct LMS_AuthenticationPath_>

The authentication path of an LMS signature.

Definition at line 72 of file lms.h.

◆ LMS_Identifier

using Botan::LMS_Identifier = Strong<std::vector<uint8_t>, struct LMS_Identifier_>

The identifier of an LMS tree (I in RFC 8554)

Definition at line 50 of file lm_ots.h.

◆ LMS_Message

using Botan::LMS_Message = Strong<std::vector<uint8_t>, struct LMS_Message_>

A message that is signed with an LMS tree.

Definition at line 55 of file lm_ots.h.

◆ LMS_Seed

using Botan::LMS_Seed = Strong<secure_vector<uint8_t>, struct LMS_SEED_>

Seed of the LMS tree, used to generate the LM-OTS private keys.

Definition at line 25 of file lm_ots.h.

◆ LMS_Signature_Bytes

using Botan::LMS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMS_Signature_Bytes_>

Raw bytes of an LMS signature.

Definition at line 82 of file lms.h.

◆ LMS_Tree_Node

using Botan::LMS_Tree_Node = Strong<std::vector<uint8_t>, struct LMS_Tree_Node_>

A node with the LMS tree.

Definition at line 77 of file lms.h.

◆ LMS_Tree_Node_Idx

using Botan::LMS_Tree_Node_Idx = Strong<uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber>

The index of a node within a specific LMS tree layer.

Definition at line 45 of file lm_ots.h.

◆ lock_guard_type

template<typename T>
using Botan::lock_guard_type = lock_guard<T>

Definition at line 55 of file mutex.h.

◆ MAC

Definition at line 133 of file mac.h.

◆ ML_DSA_Mode

Definition at line 21 of file ml_dsa.h.

◆ ML_DSA_PrivateKey

Definition at line 23 of file ml_dsa.h.

◆ ML_DSA_PublicKey

Definition at line 22 of file ml_dsa.h.

◆ ML_KEM_Mode

Definition at line 21 of file ml_kem.h.

◆ ML_KEM_PrivateKey

Definition at line 23 of file ml_kem.h.

◆ ML_KEM_PublicKey

Definition at line 22 of file ml_kem.h.

◆ mutex_type

Definition at line 37 of file mutex.h.

◆ next_longer_int_t

template<std::signed_integral T>
using Botan::next_longer_int_t
Initial value:
std::conditional_t<sizeof(T) == 1, int16_t,
std::conditional_t<sizeof(T) == 2, int32_t,
std::conditional_t<sizeof(T) == 4, int64_t, void>>>

Definition at line 35 of file pqcrystals_helpers.h.

◆ next_longer_uint_t

template<std::unsigned_integral T>
using Botan::next_longer_uint_t
Initial value:
std::conditional_t<sizeof(T) == 1, uint16_t,
std::conditional_t<sizeof(T) == 2, uint32_t,
std::conditional_t<sizeof(T) == 4, uint64_t, void>>>

Definition at line 28 of file pqcrystals_helpers.h.

◆ Point448

using Botan::Point448 = Strong<std::array<uint8_t, X448_LEN>, struct Point448_>

Definition at line 18 of file x448_internal.h.

◆ PointGFp

Definition at line 429 of file ec_point.h.

◆ recursive_mutex_type

Definition at line 38 of file mutex.h.

◆ RNG

Convenience typedef

Definition at line 285 of file rng.h.

◆ S2K

typedef PBKDF Botan::S2K

Definition at line 235 of file pbkdf.h.

◆ s32bit

using Botan::s32bit = std::int32_t

Definition at line 114 of file types.h.

◆ ScalarX448

using Botan::ScalarX448 = Strong<std::array<uint8_t, X448_LEN>, struct ScalarX448_>

Definition at line 24 of file x448_internal.h.

◆ secure_bitvector

◆ secure_deque

template<typename T>
using Botan::secure_deque = std::deque<T, secure_allocator<T>>

Definition at line 69 of file secmem.h.

◆ secure_vector

template<typename T>
using Botan::secure_vector = std::vector<T, secure_allocator<T>>

Definition at line 65 of file secmem.h.

◆ SecureVector

template<typename T>
using Botan::SecureVector = secure_vector<T>

Definition at line 74 of file secmem.h.

◆ SM2_Encryption_PrivateKey

Definition at line 166 of file sm2.h.

◆ SM2_Encryption_PublicKey

Definition at line 163 of file sm2.h.

◆ SM2_Signature_PrivateKey

Definition at line 165 of file sm2.h.

◆ SM2_Signature_PublicKey

Definition at line 162 of file sm2.h.

◆ SphincsAuthenticationPath

using Botan::SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_>

Definition at line 67 of file sp_types.h.

◆ SphincsContext

using Botan::SphincsContext = Strong<std::vector<uint8_t>, struct SphincsContext_>

Definition at line 57 of file sp_types.h.

◆ SphincsHashedMessage

using Botan::SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_>

Definition at line 59 of file sp_types.h.

◆ SphincsHypertreeSignature

using Botan::SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>

Definition at line 66 of file sp_types.h.

◆ SphincsInputMessage

using Botan::SphincsInputMessage = Strong<std::vector<uint8_t>, struct SphincsInputMessage_>

Definition at line 49 of file sp_types.h.

◆ SphincsMessagePrefix

using Botan::SphincsMessagePrefix = Strong<std::vector<uint8_t>, struct SphincsMessagePrefix_>

The prefix appended to the message in [hash_]slh_sign and slh_verify. E.g. for SLH-DSA (pure): 0x00 || |ctx| || ctx. Empty for SPHINCS+.

Definition at line 47 of file sp_types.h.

◆ SphincsMessageRandomness

using Botan::SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_>

Definition at line 64 of file sp_types.h.

◆ SphincsOptionalRandomness

using Botan::SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_>

Definition at line 63 of file sp_types.h.

◆ SphincsPublicSeed

using Botan::SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_>

Definition at line 60 of file sp_types.h.

◆ SphincsSecretPRF

using Botan::SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_>

Definition at line 62 of file sp_types.h.

◆ SphincsSecretSeed

using Botan::SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_>

Definition at line 61 of file sp_types.h.

◆ SphincsTreeNode

using Botan::SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_>

Either an XMSS or FORS tree node or leaf.

Definition at line 70 of file sp_types.h.

◆ SphincsXmssSignature

using Botan::SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>

Definition at line 65 of file sp_types.h.

◆ strong_type_wrapped_type

template<typename T>
using Botan::strong_type_wrapped_type = typename detail::wrapped_type_helper<std::remove_cvref_t<T>>::type

Extracts the wrapped type from a strong type.

If the provided type is not a strong type, it is returned as is.

Note
This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary ::wrapped_type declaration if you know that you are dealing with a strong type.

Definition at line 287 of file strong_type.h.

◆ SymmetricKey

Alternate name for octet string showing intent to use as a key

Definition at line 140 of file symkey.h.

◆ TreeLayerIndex

using Botan::TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber>

Index of the layer within a FORS/XMSS tree.

Definition at line 83 of file sp_types.h.

◆ TreeNodeIndex

using Botan::TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber>

Index of an individual node inside an XMSS or FORS tree.

Definition at line 92 of file sp_types.h.

◆ u16bit

using Botan::u16bit = std::uint16_t

Definition at line 111 of file types.h.

◆ u32bit

using Botan::u32bit = std::uint32_t

Definition at line 112 of file types.h.

◆ u64bit

using Botan::u64bit = std::uint64_t

Definition at line 113 of file types.h.

◆ word

using Botan::word = std::conditional_t<HasNative64BitRegisters, std::uint64_t, uint32_t>

Definition at line 119 of file types.h.

◆ wots_keysig_t

typedef std::vector< secure_vector< uint8_t > > Botan::wots_keysig_t

Definition at line 20 of file xmss_common_ops.h.

◆ WotsChainIndex

using Botan::WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_>

Index of a WOTS chain within a single usage of WOTS.

Definition at line 95 of file sp_types.h.

◆ WotsHashIndex

using Botan::WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber>

Index of a hash application inside a single WOTS chain (integers in "base_w")

Definition at line 98 of file sp_types.h.

◆ WotsNode

using Botan::WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_>

Start (or intermediate) node of a WOTS+ chain.

Definition at line 79 of file sp_types.h.

◆ WotsPublicKey

using Botan::WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_>

Definition at line 73 of file sp_types.h.

◆ WotsPublicKeyNode

using Botan::WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_>

End node of a WOTS+ chain (part of the WOTS+ public key)

Definition at line 76 of file sp_types.h.

◆ WotsSignature

using Botan::WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_>

Definition at line 80 of file sp_types.h.

◆ X509_Time

Definition at line 417 of file asn1_obj.h.

◆ XmssTreeIndexInLayer

using Botan::XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber>

Index of an XMSS tree (unique for just the local hyper-tree layer)

Definition at line 89 of file sp_types.h.

Enumeration Type Documentation

◆ AlignmentBufferFinalBlock

enum class Botan::AlignmentBufferFinalBlock : size_t
strong

Defines the strategy for handling the final block of input data in the handle_unaligned_data() method of the AlignmentBuffer<>.

  • is_not_special: the final block is treated like any other block
  • must_be_deferred: the final block is not emitted while bulk processing (typically add_data()) but is deferred until manually consumed (typically final_result())

The AlignmentBuffer<> assumes data to be "the final block" if no further input data is available in the BufferSlicer<>. This might result in some performance overhead when using the must_be_deferred strategy.

Enumerator
is_not_special 
must_be_deferred 

Definition at line 34 of file alignment_buffer.h.

◆ ASN1_Class

enum class Botan::ASN1_Class : uint32_t
strong

ASN.1 Class Tags

Enumerator
Universal 
Application 
ContextSpecific 
Private 
Constructed 
ExplicitContextSpecific 
NoObject 

Definition at line 29 of file asn1_obj.h.

29 : uint32_t {
30 Universal = 0b0000'0000,
31 Application = 0b0100'0000,
32 ContextSpecific = 0b1000'0000,
33 Private = 0b1100'0000,
34
35 Constructed = 0b0010'0000,
37
38 NoObject = 0xFF00
39};

◆ ASN1_Type

enum class Botan::ASN1_Type : uint32_t
strong

ASN.1 Type Tags

Enumerator
Eoc 
Boolean 
Integer 
BitString 
OctetString 
Null 
ObjectId 
Enumerated 
Sequence 
Set 
Utf8String 
NumericString 
PrintableString 
TeletexString 
Ia5String 
VisibleString 
UniversalString 
BmpString 
UtcTime 
GeneralizedTime 
NoObject 

Definition at line 44 of file asn1_obj.h.

44 : uint32_t {
45 Eoc = 0x00,
46 Boolean = 0x01,
47 Integer = 0x02,
48 BitString = 0x03,
49 OctetString = 0x04,
50 Null = 0x05,
51 ObjectId = 0x06,
52 Enumerated = 0x0A,
53 Sequence = 0x10,
54 Set = 0x11,
55
56 Utf8String = 0x0C,
57 NumericString = 0x12,
58 PrintableString = 0x13,
59 TeletexString = 0x14,
60 Ia5String = 0x16,
61 VisibleString = 0x1A,
62 UniversalString = 0x1C,
63 BmpString = 0x1E,
64
65 UtcTime = 0x17,
66 GeneralizedTime = 0x18,
67
68 NoObject = 0xFF00,
69};

◆ Certificate_Status_Code

enum class Botan::Certificate_Status_Code
strong

Certificate validation status code

Enumerator
OK 
VERIFIED 
OCSP_RESPONSE_GOOD 
OCSP_SIGNATURE_OK 
VALID_CRL_CHECKED 
OCSP_NO_HTTP 
FIRST_WARNING_STATUS 
CERT_SERIAL_NEGATIVE 
DN_TOO_LONG 
OCSP_NO_REVOCATION_URL 
OCSP_SERVER_NOT_AVAILABLE 
TRUSTED_CERT_HAS_EXPIRED 
TRUSTED_CERT_NOT_YET_VALID 
FIRST_ERROR_STATUS 
SIGNATURE_METHOD_TOO_WEAK 
UNTRUSTED_HASH 
NO_REVOCATION_DATA 
NO_MATCHING_CRLDP 
OCSP_ISSUER_NOT_TRUSTED 
CERT_NOT_YET_VALID 
CERT_HAS_EXPIRED 
OCSP_NOT_YET_VALID 
OCSP_HAS_EXPIRED 
CRL_NOT_YET_VALID 
CRL_HAS_EXPIRED 
OCSP_IS_TOO_OLD 
CERT_ISSUER_NOT_FOUND 
CANNOT_ESTABLISH_TRUST 
CERT_CHAIN_LOOP 
CHAIN_LACKS_TRUST_ROOT 
CHAIN_NAME_MISMATCH 
POLICY_ERROR 
INVALID_USAGE 
CERT_CHAIN_TOO_LONG 
CA_CERT_NOT_FOR_CERT_ISSUER 
NAME_CONSTRAINT_ERROR 
CA_CERT_NOT_FOR_CRL_ISSUER 
OCSP_CERT_NOT_LISTED 
OCSP_BAD_STATUS 
CERT_NAME_NOMATCH 
UNKNOWN_CRITICAL_EXTENSION 
DUPLICATE_CERT_EXTENSION 
OCSP_SIGNATURE_ERROR 
OCSP_ISSUER_NOT_FOUND 
OCSP_RESPONSE_MISSING_KEYUSAGE 
OCSP_RESPONSE_INVALID 
EXT_IN_V1_V2_CERT 
DUPLICATE_CERT_POLICY 
V2_IDENTIFIERS_IN_V1_CERT 
CERT_IS_REVOKED 
CRL_BAD_SIGNATURE 
SIGNATURE_ERROR 
CERT_PUBKEY_INVALID 
SIGNATURE_ALGO_UNKNOWN 
SIGNATURE_ALGO_BAD_PARAMS 

Definition at line 20 of file pkix_enums.h.

20 {
21 OK = 0,
22 VERIFIED = 0,
23
24 // Revocation status
28 OCSP_NO_HTTP = 4,
29
30 // Warnings
33 DN_TOO_LONG = 501,
38
39 // Errors
40 FIRST_ERROR_STATUS = 1000,
41
43 UNTRUSTED_HASH = 1001,
44 NO_REVOCATION_DATA = 1002,
45 NO_MATCHING_CRLDP = 1003,
47
48 // Time problems
49 CERT_NOT_YET_VALID = 2000,
50 CERT_HAS_EXPIRED = 2001,
51 OCSP_NOT_YET_VALID = 2002,
52 OCSP_HAS_EXPIRED = 2003,
53 CRL_NOT_YET_VALID = 2004,
54 CRL_HAS_EXPIRED = 2005,
55 OCSP_IS_TOO_OLD = 2006,
56
57 // Chain generation problems
60 CERT_CHAIN_LOOP = 3002,
63
64 // Validation errors
65 POLICY_ERROR = 4000,
66 INVALID_USAGE = 4001,
70
71 // Revocation errors
74 OCSP_BAD_STATUS = 4007,
75
76 // Other problems
77 CERT_NAME_NOMATCH = 4008,
84 EXT_IN_V1_V2_CERT = 4505,
87
88 // Hard failures
89 CERT_IS_REVOKED = 5000,
90 CRL_BAD_SIGNATURE = 5001,
91 SIGNATURE_ERROR = 5002,
95};

◆ Cipher_Dir

enum class Botan::Cipher_Dir : int
strong

The two possible directions a Cipher_Mode can operate in

Enumerator
Encryption 
Decryption 
ENCRYPTION 
DECRYPTION 

Definition at line 26 of file cipher_mode.h.

26 : int {
29
30 ENCRYPTION BOTAN_DEPRECATED("Use Cipher_Dir::Encryption") = Encryption,
31 DECRYPTION BOTAN_DEPRECATED("Use Cipher_Dir::Decryption") = Decryption,
32};
#define BOTAN_DEPRECATED(msg)
Definition api.h:59

◆ CRL_Code

enum class Botan::CRL_Code : uint32_t
strong

X.509v2 CRL Reason Code.

Enumerator
Unspecified 
KeyCompromise 
CaCompromise 
AffiliationChanged 
Superseded 
CessationOfOperation 
CertificateHold 
RemoveFromCrl 
PrivilegeWithdrawn 
AaCompromise 

Definition at line 192 of file pkix_enums.h.

◆ Decoder_Checking

The type of checking to be performed by decoders: NONE - no checks, IGNORE_WS - perform checks, but ignore whitespaces, FULL_CHECK - perform checks, also complain about white spaces.

Enumerator
NONE 
IGNORE_WS 
FULL_CHECK 

Definition at line 164 of file filter.h.

@ FULL_CHECK
Definition filter.h:164
@ NONE
Definition filter.h:164
@ IGNORE_WS
Definition filter.h:164

◆ DL_Group_Format

enum class Botan::DL_Group_Format
strong

The DL group encoding format variants.

Enumerator
ANSI_X9_42 
ANSI_X9_57 
PKCS_3 
DSA_PARAMETERS 
DH_PARAMETERS 
ANSI_X9_42_DH_PARAMETERS 
PKCS3_DH_PARAMETERS 

Definition at line 30 of file dl_group.h.

◆ DL_Group_Source

enum class Botan::DL_Group_Source
strong
Enumerator
Builtin 
RandomlyGenerated 
ExternalSource 

Definition at line 21 of file dl_group.h.

◆ EC_Group_Encoding

enum class Botan::EC_Group_Encoding
strong

This enum indicates the method used to encode the EC parameters

Warning
All support for explicit or implicit domain encodings will be removed in Botan4. Only named curves will be supported.

TODO(Botan4) remove this enum

Enumerator
Explicit 
ImplicitCA 
NamedCurve 
EC_DOMPAR_ENC_EXPLICIT 
EC_DOMPAR_ENC_IMPLICITCA 
EC_DOMPAR_ENC_OID 

Definition at line 36 of file ec_group.h.

◆ EC_Group_Engine

enum class Botan::EC_Group_Engine
strong

Enum indicating the way the group in question is implemented

This is returned by EC_Group::engine

Enumerator
Optimized 

Using per curve implementation; fastest available.

Generic 

A generic implementation that handles many curves in one implementation.

Legacy 

The old implementation, used as a fallback if none of the other implementations can be used TODO(Botan4) remove this

Definition at line 66 of file ec_group.h.

66 {
67 /// Using per curve implementation; fastest available
69 /// A generic implementation that handles many curves in one implementation
70 Generic,
71 /// The old implementation, used as a fallback if none of the other
72 /// implementations can be used
73 /// TODO(Botan4) remove this
74 Legacy,
75};
@ Optimized
Using per curve implementation; fastest available.
Definition ec_group.h:68
@ Generic
A generic implementation that handles many curves in one implementation.
Definition ec_group.h:70

◆ EC_Group_Source

enum class Botan::EC_Group_Source
strong

This enum indicates the source of the elliptic curve parameters in use.

Builtin means the curve is a known standard one which was compiled in the library.

ExternalSource means the curve parameters came from either an explicit curve encoding or an application defined curve.

Enumerator
Builtin 
ExternalSource 

Definition at line 56 of file ec_group.h.

56 {
57 Builtin,
59};

◆ EC_Point_Format

enum class Botan::EC_Point_Format
strong
Enumerator
Uncompressed 
Compressed 
UNCOMPRESSED 
COMPRESSED 
Hybrid 
HYBRID 

Definition at line 21 of file ec_point_format.h.

21 {
22 Uncompressed = 0,
23 Compressed = 1,
24
25 UNCOMPRESSED BOTAN_DEPRECATED("Use EC_Point_Format::Uncompressed") = Uncompressed,
26 COMPRESSED BOTAN_DEPRECATED("Use EC_Point_Format::Compressed") = Compressed,
27
28 Hybrid BOTAN_DEPRECATED("Hybrid point encoding is deprecated") = 2,
29 HYBRID BOTAN_DEPRECATED("Hybrid point encoding is deprecated") = 2
30};

◆ ECIES_Flags

enum class Botan::ECIES_Flags : uint32_t
strong

Flags controlling ECIES operation

Two of the flags are related to how cofactors are handled. Support for cofactors is deprecated and will be removed in Botan4.

The CheckMode flag is completely ignored; we always check that the point is valid.

TODO(Botan4) remove this enum

Enumerator
None 
SingleHashMode 

if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key

CofactorMode 

(decryption only) if set: use cofactor multiplication during (ecdh) key agreement This only matters if the curve has a cofactor

OldCofactorMode 

if set: use ecdhc instead of ecdh. This only matters if the curve has a cofactor

CheckMode 

(decryption only) if set: test if the (ephemeral) public key is on the curve Note that we actually ignore this flag and always check the key

NONE 
SINGLE_HASH_MODE 
COFACTOR_MODE 
OLD_COFACTOR_MODE 
CHECK_MODE 

Definition at line 44 of file ecies.h.

44 : uint32_t {
45 None = 0,
46 /// if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
48 /// (decryption only) if set: use cofactor multiplication during (ecdh) key agreement
49 /// This only matters if the curve has a cofactor
50 CofactorMode = 2,
51 /// if set: use ecdhc instead of ecdh.
52 /// This only matters if the curve has a cofactor
54 /// (decryption only) if set: test if the (ephemeral) public key is on the curve
55 /// Note that we actually ignore this flag and always check the key
56 CheckMode = 8,
57
58 NONE BOTAN_DEPRECATED("Use None") = None,
59 SINGLE_HASH_MODE BOTAN_DEPRECATED("Use SingleHashMode") = SingleHashMode,
60 COFACTOR_MODE BOTAN_DEPRECATED("Use CofactorMode") = CofactorMode,
61 OLD_COFACTOR_MODE BOTAN_DEPRECATED("Use OldCofactorMode") = OldCofactorMode,
62 CHECK_MODE BOTAN_DEPRECATED("Use CheckMode") = CheckMode,
63};
@ SingleHashMode
if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
Definition ecies.h:47

◆ ErrorType

enum class Botan::ErrorType
strong

Different types of errors that might occur

Enumerator
Unknown 

Some unknown error

SystemError 

An error while calling a system interface

NotImplemented 

An operation seems valid, but not supported by the current version

OutOfMemory 

Memory allocation failure

InternalError 

An internal error occurred

IoError 

An I/O error occurred

InvalidObjectState 

Invalid object state

KeyNotSet 

A key was not set on an object when this is required

InvalidArgument 

The application provided an argument which is invalid

InvalidKeyLength 

A key with invalid length was provided

InvalidNonceLength 

A nonce with invalid length was provided

LookupError 

An object type was requested but cannot be found

EncodingFailure 

Encoding a message or datum failed

DecodingFailure 

Decoding a message or datum failed

TLSError 

A TLS error (error_code will be the alert type)

HttpError 

An error during an HTTP operation

InvalidTag 

A message with an invalid authentication tag was detected

RoughtimeError 

An error during Roughtime validation

CommonCryptoError 

An error when interacting with CommonCrypto API

Pkcs11Error 

An error when interacting with a PKCS11 device

TPMError 

An error when interacting with a TPM device

DatabaseError 

An error when interacting with a database

ZlibError 

An error when interacting with zlib

Bzip2Error 

An error when interacting with bzip2

LzmaError 

An error when interacting with lzma

Definition at line 20 of file exceptn.h.

20 {
21 /** Some unknown error */
22 Unknown = 1,
23 /** An error while calling a system interface */
25 /** An operation seems valid, but not supported by the current version */
27 /** Memory allocation failure */
29 /** An internal error occurred */
31 /** An I/O error occurred */
32 IoError,
33
34 /** Invalid object state */
36 /** A key was not set on an object when this is required */
38 /** The application provided an argument which is invalid */
40 /** A key with invalid length was provided */
42 /** A nonce with invalid length was provided */
44 /** An object type was requested but cannot be found */
46 /** Encoding a message or datum failed */
48 /** Decoding a message or datum failed */
50 /** A TLS error (error_code will be the alert type) */
52 /** An error during an HTTP operation */
54 /** A message with an invalid authentication tag was detected */
56 /** An error during Roughtime validation */
58
59 /** An error when interacting with CommonCrypto API */
61 /** An error when interacting with a PKCS11 device */
63 /** An error when interacting with a TPM device */
65 /** An error when interacting with a database */
67
68 /** An error when interacting with zlib */
69 ZlibError = 300,
70 /** An error when interacting with bzip2 */
72 /** An error when interacting with lzma */
74
75};

◆ LMOTS_Algorithm_Type

enum class Botan::LMOTS_Algorithm_Type : uint32_t
strong

Enum of available LM-OTS algorithm types.

The supported parameter sets are defined in RFC 8554 Section 4.1. and draft-fluhrer-lms-more-parm-sets-11 Section 4. HSS/LMS typecodes are introduced in RFC 8554 Section 3.2. and their format specified in Section 3.3.

Enumerator
RESERVED 
SHA256_N32_W1 
SHA256_N32_W2 
SHA256_N32_W4 
SHA256_N32_W8 
SHA256_N24_W1 
SHA256_N24_W2 
SHA256_N24_W4 
SHA256_N24_W8 
SHAKE_N32_W1 
SHAKE_N32_W2 
SHAKE_N32_W4 
SHAKE_N32_W8 
SHAKE_N24_W1 
SHAKE_N24_W2 
SHAKE_N24_W4 
SHAKE_N24_W8 

Definition at line 65 of file lm_ots.h.

65 : uint32_t {
66 // --- RFC 8554 ---
67 RESERVED = 0x00,
68
69 // SHA-256 based
70 SHA256_N32_W1 = 0x01,
71 SHA256_N32_W2 = 0x02,
72 SHA256_N32_W4 = 0x03,
73 SHA256_N32_W8 = 0x04,
74
75 // --- draft-fluhrer-lms-more-parm-sets-11 ---
76 // SHA-256/192 based
77 SHA256_N24_W1 = 0x05,
78 SHA256_N24_W2 = 0x06,
79 SHA256_N24_W4 = 0x07,
80 SHA256_N24_W8 = 0x08,
81
82 // SHAKE-256/256 based
83 SHAKE_N32_W1 = 0x09,
84 SHAKE_N32_W2 = 0x0a,
85 SHAKE_N32_W4 = 0x0b,
86 SHAKE_N32_W8 = 0x0c,
87
88 // SHAKE-256/192 based
89 SHAKE_N24_W1 = 0x0d,
90 SHAKE_N24_W2 = 0x0e,
91 SHAKE_N24_W4 = 0x0f,
92 SHAKE_N24_W8 = 0x10,
93};

◆ LMS_Algorithm_Type

enum class Botan::LMS_Algorithm_Type : uint32_t
strong

Enum of available LMS algorithm types.

The supported parameter sets are defined in RFC 8554 Section 5.1. and draft-fluhrer-lms-more-parm-sets-11 Section 5. HSS/LMS typecodes are introduced in RFC 8554 Section 3.2. and their format specified in Section 3.3.

Enumerator
RESERVED 
SHA256_M32_H5 
SHA256_M32_H10 
SHA256_M32_H15 
SHA256_M32_H20 
SHA256_M32_H25 
SHA256_M24_H5 
SHA256_M24_H10 
SHA256_M24_H15 
SHA256_M24_H20 
SHA256_M24_H25 
SHAKE_M32_H5 
SHAKE_M32_H10 
SHAKE_M32_H15 
SHAKE_M32_H20 
SHAKE_M32_H25 
SHAKE_M24_H5 
SHAKE_M24_H10 
SHAKE_M24_H15 
SHAKE_M24_H20 
SHAKE_M24_H25 

Definition at line 30 of file lms.h.

30 : uint32_t {
31 // --- RFC 8554 ---
32 RESERVED = 0x00,
33
34 // SHA-256 based
35 SHA256_M32_H5 = 0x05,
36 SHA256_M32_H10 = 0x06,
37 SHA256_M32_H15 = 0x07,
38 SHA256_M32_H20 = 0x08,
39 SHA256_M32_H25 = 0x09,
40
41 // --- draft-fluhrer-lms-more-parm-sets-11 ---
42 // SHA-256/192 based
43 SHA256_M24_H5 = 0x0a,
44 SHA256_M24_H10 = 0x0b,
45 SHA256_M24_H15 = 0x0c,
46 SHA256_M24_H20 = 0x0d,
47 SHA256_M24_H25 = 0x0e,
48
49 // SHAKE-256/256 based
50 SHAKE_M32_H5 = 0x0f,
51 SHAKE_M32_H10 = 0x10,
52 SHAKE_M32_H15 = 0x11,
53 SHAKE_M32_H20 = 0x12,
54 SHAKE_M32_H25 = 0x13,
55
56 // SHAKE-256/192 based
57 SHAKE_M24_H5 = 0x14,
58 SHAKE_M24_H10 = 0x15,
59 SHAKE_M24_H15 = 0x16,
60 SHAKE_M24_H20 = 0x17,
61 SHAKE_M24_H25 = 0x18
62};

◆ MD_Endian

enum class Botan::MD_Endian
strong
Enumerator
Little 
Big 

Definition at line 20 of file mdx_hash.h.

20 {
21 Little,
22 Big,
23};

◆ MlPrivateKeyFormat

enum class Botan::MlPrivateKeyFormat
strong

Byte encoding format of ML-KEM and ML-DSA the private key.

Enumerator
Seed 

Only supported for ML-KEM/ML-DSA keys:

  • ML-KEM: 64-byte seed: d || z
  • ML-DSA: 32-byte seed: xi (private_key_bits_with_format not yet yet supported for ML-DSA)
Expanded 

The expanded format, i.e., the format specified in FIPS-203/204.

Definition at line 81 of file kyber.h.

81 {
82 /// Only supported for ML-KEM/ML-DSA keys:
83 /// - ML-KEM: 64-byte seed: d || z
84 /// - ML-DSA: 32-byte seed: xi (private_key_bits_with_format not yet
85 /// yet supported for ML-DSA)
86 Seed,
87 /// The expanded format, i.e., the format specified in FIPS-203/204.
89};
@ Expanded
The expanded format, i.e., the format specified in FIPS-203/204.
Definition kyber.h:88

◆ PublicKeyOperation

enum class Botan::PublicKeyOperation
strong

Enumeration of possible operations a public key could be used for.

It is possible to query if a key supports a particular operation type using Asymmetric_Key::supports_operation()

Enumerator
Encryption 
Signature 
KeyEncapsulation 
KeyAgreement 

Definition at line 46 of file pk_keys.h.

◆ Signature_Format

enum class Botan::Signature_Format
strong

Enumeration specifying the signature format.

This is mostly used for requesting DER encoding of ECDSA signatures; most other algorithms only support "standard".

Enumerator
Standard 
DerSequence 
IEEE_1363 
DER_SEQUENCE 

Definition at line 32 of file pk_keys.h.

◆ Sphincs_Address_Type

enum class Botan::Sphincs_Address_Type : uint32_t
strong
Enumerator
WotsHash 
WotsPublicKeyCompression 
HashTree 
ForsTree 
ForsTreeRootsCompression 
WotsKeyGeneration 
ForsKeyGeneration 

Definition at line 20 of file sp_address.h.

◆ Sphincs_Hash_Type

enum class Botan::Sphincs_Hash_Type
strong
Enumerator
Shake256 
Sha256 
Haraka 

Haraka is currently not supported.

Definition at line 18 of file sp_parameters.h.

18 {
20 Sha256,
21 Haraka BOTAN_DEPRECATED("Haraka is not and will not be supported"), ///< Haraka is currently not supported
22};
@ Haraka
Haraka is currently not supported.

◆ Sphincs_Parameter_Set

enum class Botan::Sphincs_Parameter_Set
strong
Enumerator
Sphincs128Small 
Sphincs128Fast 
Sphincs192Small 
Sphincs192Fast 
Sphincs256Small 
Sphincs256Fast 
SLHDSA128Small 
SLHDSA128Fast 
SLHDSA192Small 
SLHDSA192Fast 
SLHDSA256Small 
SLHDSA256Fast 

Definition at line 24 of file sp_parameters.h.

◆ TPM_Storage_Type

enum class Botan::TPM_Storage_Type
strong
Enumerator
User 
System 

Definition at line 102 of file tpm.h.

◆ Usage_Type

enum class Botan::Usage_Type
strong
Enumerator
UNSPECIFIED 
TLS_SERVER_AUTH 
TLS_CLIENT_AUTH 
CERTIFICATE_AUTHORITY 
OCSP_RESPONDER 
ENCRYPTION 

Definition at line 22 of file x509cert.h.

◆ WOTS_Derivation_Method

enum class Botan::WOTS_Derivation_Method
strong

Determines how WOTS+ private keys are derived from the XMSS private key

Enumerator
Botan2x 

This roughly followed the suggestions in RFC 8391 but is vulnerable to a multi-target attack. For new private keys, we recommend using the derivation as suggested in NIST SP.800-208. Private keys generated with Botan 2.x will need to stay with this mode, otherwise they won't be able to generate valid signatures any longer.

NIST_SP800_208 

Derivation as specified in NIST SP.800-208 to avoid a multi-target attack on the WOTS+ key derivation suggested in RFC 8391. New private keys should use this mode.

Definition at line 138 of file xmss.h.

138 {
139 /// This roughly followed the suggestions in RFC 8391 but is vulnerable
140 /// to a multi-target attack. For new private keys, we recommend using
141 /// the derivation as suggested in NIST SP.800-208.
142 /// Private keys generated with Botan 2.x will need to stay with this mode,
143 /// otherwise they won't be able to generate valid signatures any longer.
144 Botan2x = 1,
145
146 /// Derivation as specified in NIST SP.800-208 to avoid a multi-target attack
147 /// on the WOTS+ key derivation suggested in RFC 8391. New private keys
148 /// should use this mode.
149 NIST_SP800_208 = 2,
150};

Function Documentation

◆ abs()

BigInt Botan::abs ( const BigInt & n)
inline

Return the absolute value

Parameters
nan integer
Returns
absolute value of n

Definition at line 24 of file numthry.h.

24 {
25 return n.abs();
26}
BigInt abs() const
Definition bigint.cpp:389

References abs(), and Botan::BigInt::abs().

Referenced by abs(), Botan::EC_Group::EC_Group(), gcd(), and Botan::EC_Group::verify_group().

◆ allocate_memory()

void * Botan::allocate_memory ( size_t elems,
size_t elem_size )

Allocate a memory buffer by some method. This should only be used for primitive types (uint8_t, uint32_t, etc).

Parameters
elemsthe number of elements
elem_sizethe size of each element
Returns
pointer to allocated and zeroed memory, or throw std::bad_alloc on failure

Definition at line 21 of file allocator.cpp.

21 {
22 if(elems == 0 || elem_size == 0) {
23 return nullptr;
24 }
25
26 // Some calloc implementations do not check for overflow (?!?)
27 if(!checked_mul(elems, elem_size).has_value()) {
28 throw std::bad_alloc();
29 }
30
31#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
32 if(void* p = mlock_allocator::instance().allocate(elems, elem_size)) {
33 return p;
34 }
35#endif
36
37#if defined(BOTAN_TARGET_OS_HAS_ALLOC_CONCEAL)
38 void* ptr = ::calloc_conceal(elems, elem_size);
39#else
40 void* ptr = std::calloc(elems, elem_size); // NOLINT(*-no-malloc)
41#endif
42 if(!ptr) {
43 [[unlikely]] throw std::bad_alloc();
44 }
45 return ptr;
46}
static mlock_allocator & instance()
constexpr std::optional< T > checked_mul(T a, T b)
Definition int_utils.h:46

References BOTAN_MALLOC_FN, checked_mul(), and Botan::mlock_allocator::instance().

Referenced by Botan::secure_allocator< T >::allocate().

◆ argon2()

void Botan::argon2 ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
const uint8_t key[],
size_t key_len,
const uint8_t ad[],
size_t ad_len,
uint8_t y,
size_t p,
size_t M,
size_t t )
inline

Argon2 key derivation function

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenthe length of password
saltthe salt
salt_lenlength of salt
keyan optional secret key
key_lenthe length of key
adan optional additional input
ad_lenthe length of ad
ythe Argon2 variant (0 = Argon2d, 1 = Argon2i, 2 = Argon2id)
pthe parallelization parameter
Mthe amount of memory to use in Kb
tthe number of iterations to use

Definition at line 144 of file argon2.h.

157 {
158 auto pwdhash_fam = PasswordHashFamily::create_or_throw([y] {
159 switch(y) {
160 case 0:
161 return "Argon2d";
162 case 1:
163 return "Argon2i";
164 case 2:
165 return "Argon2id";
166 default:
167 throw Not_Implemented("Unknown Argon2 family type");
168 }
169 }());
170 auto pwdhash = pwdhash_fam->from_params(M, t, p);
171 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len, ad, ad_len, key, key_len);
172}
static std::unique_ptr< PasswordHashFamily > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition pwdhash.cpp:110

References argon2(), and Botan::PasswordHashFamily::create_or_throw().

Referenced by argon2().

◆ argon2_check_pwhash()

bool Botan::argon2_check_pwhash ( const char * password,
size_t password_len,
std::string_view hash )

Check a previously created password hash

Verify an Argon2 password hash against the provided password. Returns false if the input hash seems malformed or if the computed hash does not match.

Parameters
passwordthe password to check against
password_lenthe length of password
hashthe stored hash to check against

Definition at line 77 of file argon2fmt.cpp.

77 {
78 const std::vector<std::string> parts = split_on(input_hash, '$');
79
80 if(parts.size() != 5) {
81 return false;
82 }
83
84 uint8_t family = 0;
85
86 if(parts[0] == "argon2d") {
87 family = 0;
88 } else if(parts[0] == "argon2i") {
89 family = 1;
90 } else if(parts[0] == "argon2id") {
91 family = 2;
92 } else {
93 return false;
94 }
95
96 if(parts[1] != "v=19") {
97 return false;
98 }
99
100 const std::vector<std::string> params = split_on(parts[2], ',');
101
102 if(params.size() != 3) {
103 return false;
104 }
105
106 size_t M = 0, t = 0, p = 0;
107
108 for(const auto& param_str : params) {
109 const std::vector<std::string> param = split_on(param_str, '=');
110
111 if(param.size() != 2) {
112 return false;
113 }
114
115 std::string_view key = param[0];
116 const size_t val = to_u32bit(param[1]);
117 if(key == "m") {
118 M = val;
119 } else if(key == "t") {
120 t = val;
121 } else if(key == "p") {
122 p = val;
123 } else {
124 return false;
125 }
126 }
127
128 std::vector<uint8_t> salt(base64_decode_max_output(parts[3].size()));
129 salt.resize(base64_decode(salt.data(), parts[3], false));
130
131 std::vector<uint8_t> hash(base64_decode_max_output(parts[4].size()));
132 hash.resize(base64_decode(hash.data(), parts[4], false));
133
134 if(hash.size() < 4) {
135 return false;
136 }
137
138 std::vector<uint8_t> generated(hash.size());
139 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(family));
140 auto pwdhash = pwdhash_fam->from_params(M, t, p);
141
142 pwdhash->derive_key(generated.data(), generated.size(), password, password_len, salt.data(), salt.size());
143
144 return CT::is_equal(generated.data(), hash.data(), generated.size()).as_bool();
145}
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:789
uint32_t to_u32bit(std::string_view str_view)
Definition parsing.cpp:32
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:168
size_t base64_decode_max_output(size_t input_length)
Definition base64.cpp:200

References base64_decode(), base64_decode_max_output(), Botan::PasswordHashFamily::create_or_throw(), Botan::CT::is_equal(), split_on(), and to_u32bit().

◆ argon2_generate_pwhash()

std::string Botan::argon2_generate_pwhash ( const char * password,
size_t password_len,
RandomNumberGenerator & rng,
size_t p,
size_t M,
size_t t,
uint8_t y = 2,
size_t salt_len = 16,
size_t output_len = 32 )

Generate an Argon2 hash of the specified password. The y parameter specifies the variant: 0 for Argon2d, 1 for Argon2i, and 2 for Argon2id.

Definition at line 42 of file argon2fmt.cpp.

50 {
51 std::vector<uint8_t> salt(salt_len);
52 rng.randomize(salt.data(), salt.size());
53
54 std::vector<uint8_t> output(output_len);
55
56 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(y));
57 auto pwdhash = pwdhash_fam->from_params(M, t, p);
58
59 pwdhash->derive_key(output.data(), output.size(), password, password_len, salt.data(), salt.size());
60
61 const auto enc_salt = strip_padding(base64_encode(salt));
62 const auto enc_output = strip_padding(base64_encode(output));
63
64 const std::string argon2_mode = [&]() -> std::string {
65 if(y == 0) {
66 return "d";
67 } else if(y == 1) {
68 return "i";
69 } else {
70 return "id";
71 }
72 }();
73
74 return fmt("$argon2{}$v=19$m={},t={},p={}${}${}", argon2_mode, M, t, p, enc_salt, enc_output);
75}
void randomize(std::span< uint8_t > output)
Definition rng.h:68
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:160

References base64_encode(), Botan::PasswordHashFamily::create_or_throw(), fmt(), and Botan::RandomNumberGenerator::randomize().

◆ asn1_class_to_string()

std::string BOTAN_UNSTABLE_API Botan::asn1_class_to_string ( ASN1_Class type)

Definition at line 74 of file asn1_obj.cpp.

74 {
75 switch(type) {
77 return "UNIVERSAL";
79 return "CONSTRUCTED";
81 return "CONTEXT_SPECIFIC";
83 return "APPLICATION";
85 return "PRIVATE";
87 return "NO_OBJECT";
88 default:
89 return "CLASS(" + std::to_string(static_cast<size_t>(type)) + ")";
90 }
91}

References Application, Constructed, ContextSpecific, NoObject, Private, and Universal.

Referenced by Botan::BER_Object::assert_is_a().

◆ asn1_tag_to_string()

std::string BOTAN_UNSTABLE_API Botan::asn1_tag_to_string ( ASN1_Type type)

Definition at line 93 of file asn1_obj.cpp.

93 {
94 switch(type) {
96 return "SEQUENCE";
97
98 case ASN1_Type::Set:
99 return "SET";
100
102 return "PRINTABLE STRING";
103
105 return "NUMERIC STRING";
106
108 return "IA5 STRING";
109
111 return "T61 STRING";
112
114 return "UTF8 STRING";
115
117 return "VISIBLE STRING";
118
120 return "BMP STRING";
121
123 return "UNIVERSAL STRING";
124
126 return "UTC TIME";
127
129 return "GENERALIZED TIME";
130
132 return "OCTET STRING";
133
135 return "BIT STRING";
136
138 return "ENUMERATED";
139
141 return "INTEGER";
142
143 case ASN1_Type::Null:
144 return "NULL";
145
147 return "OBJECT";
148
150 return "BOOLEAN";
151
153 return "NO_OBJECT";
154
155 default:
156 return "TAG(" + std::to_string(static_cast<uint32_t>(type)) + ")";
157 }
158}

References BitString, BmpString, Boolean, Enumerated, GeneralizedTime, Ia5String, Integer, NoObject, Null, NumericString, ObjectId, OctetString, PrintableString, Sequence, Set, TeletexString, UniversalString, UtcTime, Utf8String, and VisibleString.

Referenced by Botan::BER_Object::assert_is_a().

◆ assert_is_some()

template<typename T>
T Botan::assert_is_some ( std::optional< T > v,
const char * expr,
const char * func,
const char * file,
int line )

Define BOTAN_ASSERT_IS_SOME

Definition at line 391 of file stl_util.h.

391 {
392 if(v) {
393 return *v;
394 } else {
395 Botan::assertion_failure(expr, "optional had value", func, file, line);
396 }
397}
void assertion_failure(const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
Definition assert.cpp:30

References assertion_failure().

◆ assert_unreachable()

void BOTAN_UNSTABLE_API Botan::assert_unreachable ( const char * file,
int line )

Definition at line 55 of file assert.cpp.

55 {
56 const std::string msg = fmt("Codepath that was marked unreachable was reached @{}:{}", file, line);
57
58#if defined(BOTAN_TERMINATE_ON_ASSERTS)
59 std::cerr << msg << '\n';
60 std::abort();
61#else
62 throw Internal_Error(msg);
63#endif
64}

References fmt().

◆ assertion_failure()

void Botan::assertion_failure ( const char * expr_str,
const char * assertion_made,
const char * func,
const char * file,
int line )

Called when an assertion fails Throws an Exception object

Definition at line 30 of file assert.cpp.

30 {
31 std::ostringstream format;
32
33 format << "False assertion ";
34
35 if(assertion_made && assertion_made[0] != 0) {
36 format << "'" << assertion_made << "' (expression " << expr_str << ") ";
37 } else {
38 format << expr_str << " ";
39 }
40
41 if(func) {
42 format << "in " << func << " ";
43 }
44
45 format << "@" << file << ":" << line;
46
47#if defined(BOTAN_TERMINATE_ON_ASSERTS)
48 std::cerr << format.str() << '\n';
49 std::abort();
50#else
51 throw Internal_Error(format.str());
52#endif
53}

Referenced by assert_is_some().

◆ base32_decode() [1/5]

secure_vector< uint8_t > Botan::base32_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base32 decoding

Parameters
inputsome base32 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 163 of file base32.cpp.

163 {
164 return base_decode_to_vec<secure_vector<uint8_t>>(Base32(), input, input_length, ignore_ws);
165}
Vector base_decode_to_vec(Base &&base, const char input[], size_t input_length, bool ignore_ws)
Definition codec_base.h:186

References base_decode_to_vec().

◆ base32_decode() [2/5]

secure_vector< uint8_t > Botan::base32_decode ( std::string_view input,
bool ignore_ws = true )

Perform base32 decoding

Parameters
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 167 of file base32.cpp.

167 {
168 return base32_decode(input.data(), input.size(), ignore_ws);
169}
size_t base32_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base32.cpp:150

References base32_decode().

◆ base32_decode() [3/5]

size_t Botan::base32_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 150 of file base32.cpp.

151 {
152 return base_decode(Base32(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
153}
size_t base_decode(Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition codec_base.h:114

References base_decode().

Referenced by base32_decode(), and base32_decode().

◆ base32_decode() [4/5]

size_t Botan::base32_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 155 of file base32.cpp.

155 {
156 return base_decode_full(Base32(), output, input, input_length, ignore_ws);
157}
size_t base_decode_full(Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition codec_base.h:174

References base_decode_full().

◆ base32_decode() [5/5]

size_t Botan::base32_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 159 of file base32.cpp.

159 {
160 return base32_decode(output, input.data(), input.length(), ignore_ws);
161}

References base32_decode().

◆ base32_decode_max_output()

size_t Botan::base32_decode_max_output ( size_t input_length)

Calculate the size of output buffer for base32_decode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 175 of file base32.cpp.

175 {
176 return Base32::decode_max_output(input_length);
177}

◆ base32_encode() [1/3]

size_t Botan::base32_encode ( char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform base32 encoding

Parameters
outputan array of at least base32_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 142 of file base32.cpp.

142 {
143 return base_encode(Base32(), out, in, input_length, input_consumed, final_inputs);
144}
size_t base_encode(Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition codec_base.h:35

References base_encode().

Referenced by base32_encode().

◆ base32_encode() [2/3]

std::string Botan::base32_encode ( const uint8_t input[],
size_t input_length )

Perform base32 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base32 representation of input

Definition at line 146 of file base32.cpp.

146 {
147 return base_encode_to_string(Base32(), input, input_length);
148}
std::string base_encode_to_string(Base &&base, const uint8_t input[], size_t input_length)
Definition codec_base.h:80

References base_encode_to_string().

◆ base32_encode() [3/3]

std::string Botan::base32_encode ( std::span< const uint8_t > input)
inline

Perform base32 encoding

Parameters
inputsome input
Returns
base32 representation of input

Definition at line 47 of file base32.h.

47 {
48 return base32_encode(input.data(), input.size());
49}
size_t base32_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base32.cpp:142

References base32_encode().

◆ base32_encode_max_output()

size_t Botan::base32_encode_max_output ( size_t input_length)

Calculate the size of output buffer for base32_encode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 171 of file base32.cpp.

171 {
172 return Base32::encode_max_output(input_length);
173}

◆ base58_check_decode() [1/2]

std::vector< uint8_t > Botan::base58_check_decode ( const char input[],
size_t input_length )

Perform base58 decoding with checksum

Definition at line 164 of file base58.cpp.

164 {
165 std::vector<uint8_t> dec = base58_decode(input, input_length);
166
167 if(dec.size() < 4) {
168 throw Decoding_Error("Invalid base58 too short for checksum");
169 }
170
171 const uint32_t computed_checksum = sha256_d_checksum(dec.data(), dec.size() - 4);
172 const uint32_t checksum = load_be<uint32_t>(&dec[dec.size() - 4], 0);
173
174 if(checksum != computed_checksum) {
175 throw Decoding_Error("Invalid base58 checksum");
176 }
177
178 dec.resize(dec.size() - 4);
179
180 return dec;
181}
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AES void dec(uint8x16_t &B, uint8x16_t K)
Definition aes_armv8.cpp:45
std::vector< uint8_t > base58_decode(const char input[], size_t input_length)
Definition base58.cpp:139
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504

References base58_decode(), and load_be().

Referenced by base58_check_decode().

◆ base58_check_decode() [2/2]

std::vector< uint8_t > Botan::base58_check_decode ( std::string_view s)
inline

Definition at line 58 of file base58.h.

58 {
59 return base58_check_decode(s.data(), s.size());
60}
std::vector< uint8_t > base58_check_decode(const char input[], size_t input_length)
Definition base58.cpp:164

References base58_check_decode().

◆ base58_check_encode() [1/2]

std::string Botan::base58_check_encode ( const uint8_t input[],
size_t input_length )

Perform base58 encoding with checksum

Definition at line 132 of file base58.cpp.

132 {
133 BigInt v(input, input_length);
134 v <<= 32;
135 v += sha256_d_checksum(input, input_length);
136 return base58_encode(v, count_leading_zeros(input, input_length, 0));
137}
std::string base58_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:127

References base58_encode().

Referenced by base58_check_encode().

◆ base58_check_encode() [2/2]

std::string Botan::base58_check_encode ( std::span< const uint8_t > vec)
inline

Definition at line 50 of file base58.h.

50 {
51 return base58_check_encode(vec.data(), vec.size());
52}
std::string base58_check_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:132

References base58_check_encode().

◆ base58_decode() [1/2]

std::vector< uint8_t > Botan::base58_decode ( const char input[],
size_t input_length )

Perform base58 decoding

This is raw base58 encoding, without the checksum

Definition at line 139 of file base58.cpp.

139 {
140 const size_t leading_zeros = count_leading_zeros(input, input_length, '1');
141
142 BigInt v;
143
144 for(size_t i = leading_zeros; i != input_length; ++i) {
145 const char c = input[i];
146
147 if(c == ' ' || c == '\n') {
148 continue;
149 }
150
151 const uint8_t idx = base58_value_of(c);
152
153 if(idx == 0xFF) {
154 throw Decoding_Error("Invalid base58");
155 }
156
157 v *= 58;
158 v += idx;
159 }
160
161 return v.serialize(v.bytes() + leading_zeros);
162}
size_t bytes() const
Definition bigint.cpp:297
T serialize(size_t len) const
Definition bigint.h:711

References Botan::BigInt::bytes(), and Botan::BigInt::serialize().

Referenced by base58_check_decode(), and base58_decode().

◆ base58_decode() [2/2]

std::vector< uint8_t > Botan::base58_decode ( std::string_view s)
inline

Definition at line 54 of file base58.h.

54 {
55 return base58_decode(s.data(), s.size());
56}

References base58_decode().

◆ base58_encode() [1/2]

std::string Botan::base58_encode ( const uint8_t input[],
size_t input_length )

Perform base58 encoding

This is raw base58 encoding, without the checksum

Definition at line 127 of file base58.cpp.

127 {
128 BigInt v(input, input_length);
129 return base58_encode(v, count_leading_zeros(input, input_length, 0));
130}

References base58_encode().

Referenced by base58_check_encode(), base58_encode(), and base58_encode().

◆ base58_encode() [2/2]

std::string Botan::base58_encode ( std::span< const uint8_t > vec)
inline

Definition at line 46 of file base58.h.

46 {
47 return base58_encode(vec.data(), vec.size());
48}

References base58_encode().

◆ base64_decode() [1/6]

secure_vector< uint8_t > Botan::base64_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base64 decoding

Parameters
inputsome base64 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 188 of file base64.cpp.

188 {
189 return base_decode_to_vec<secure_vector<uint8_t>>(Base64(), input, input_length, ignore_ws);
190}

References base_decode_to_vec().

◆ base64_decode() [2/6]

size_t Botan::base64_decode ( std::span< uint8_t > output,
std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputa contiguous byte buffer of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 181 of file base64.cpp.

181 {
182 if(output.size() < base64_decode_max_output(input.size())) {
183 throw Invalid_Argument("base64_decode: output buffer is too short");
184 }
185 return base64_decode(output.data(), input.data(), input.length(), ignore_ws);
186}

References base64_decode(), and base64_decode_max_output().

◆ base64_decode() [3/6]

secure_vector< uint8_t > Botan::base64_decode ( std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 192 of file base64.cpp.

192 {
193 return base64_decode(input.data(), input.size(), ignore_ws);
194}

References base64_decode().

◆ base64_decode() [4/6]

size_t Botan::base64_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 168 of file base64.cpp.

169 {
170 return base_decode(Base64(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
171}

References base_decode().

Referenced by argon2_check_pwhash(), base64_decode(), base64_decode(), base64_decode(), botan_base64_decode(), Botan::Roughtime::Chain::Chain(), check_passhash9(), Botan::PEM_Code::decode(), Botan::Base64_Decoder::end_msg(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::list_names(), Botan::Roughtime::servers_from_str(), and Botan::Base64_Decoder::write().

◆ base64_decode() [5/6]

size_t Botan::base64_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 173 of file base64.cpp.

173 {
174 return base_decode_full(Base64(), output, input, input_length, ignore_ws);
175}

References base_decode_full().

◆ base64_decode() [6/6]

size_t Botan::base64_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 177 of file base64.cpp.

177 {
178 return base64_decode(output, input.data(), input.length(), ignore_ws);
179}

References base64_decode().

◆ base64_decode_max_output()

size_t Botan::base64_decode_max_output ( size_t input_length)

Calculate the size of output buffer for base64_decode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 200 of file base64.cpp.

200 {
201 return Base64::decode_max_output(input_length);
202}

Referenced by argon2_check_pwhash(), base64_decode(), and botan_base64_decode().

◆ base64_encode() [1/3]

size_t Botan::base64_encode ( char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform base64 encoding

Parameters
outputan array of at least base64_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 160 of file base64.cpp.

160 {
161 return base_encode(Base64(), out, in, input_length, input_consumed, final_inputs);
162}

References base_encode().

Referenced by argon2_generate_pwhash(), base64_encode(), Botan::OCSP::Request::base64_encode(), botan_base64_encode(), Botan::PEM_Code::encode(), generate_passhash9(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), Botan::Encrypted_PSK_Database::set(), and Botan::Roughtime::Chain::to_string().

◆ base64_encode() [2/3]

std::string Botan::base64_encode ( const uint8_t input[],
size_t input_length )

Perform base64 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base64adecimal representation of input

Definition at line 164 of file base64.cpp.

164 {
165 return base_encode_to_string(Base64(), input, input_length);
166}

References base_encode_to_string().

◆ base64_encode() [3/3]

std::string Botan::base64_encode ( std::span< const uint8_t > input)
inline

Perform base64 encoding

Parameters
inputsome input
Returns
base64adecimal representation of input

Definition at line 47 of file base64.h.

47 {
48 return base64_encode(input.data(), input.size());
49}

References base64_encode().

◆ base64_encode_max_output()

size_t Botan::base64_encode_max_output ( size_t input_length)

Calculate the size of output buffer for base64_encode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 196 of file base64.cpp.

196 {
197 return Base64::encode_max_output(input_length);
198}

◆ base_decode()

template<typename Base>
size_t Botan::base_decode ( Base && base,
uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform decoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least Base::decode_max_output bytes
inputsome base input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 114 of file codec_base.h.

120 {
121 // TODO(Botan4) Check if we can use just base. or Base:: here instead
122 constexpr size_t decoding_bytes_in = std::remove_reference_t<Base>::decoding_bytes_in();
123 constexpr size_t decoding_bytes_out = std::remove_reference_t<Base>::decoding_bytes_out();
124
125 uint8_t* out_ptr = output;
126 std::array<uint8_t, decoding_bytes_in> decode_buf{};
127 size_t decode_buf_pos = 0;
128 size_t final_truncate = 0;
129
130 clear_mem(output, base.decode_max_output(input_length));
131
132 for(size_t i = 0; i != input_length; ++i) {
133 const uint8_t bin = base.lookup_binary_value(input[i]);
134
135 // This call might throw Invalid_Argument
136 if(base.check_bad_char(bin, input[i], ignore_ws)) {
137 decode_buf[decode_buf_pos] = bin;
138 ++decode_buf_pos;
139 }
140
141 /*
142 * If we're at the end of the input, pad with 0s and truncate
143 */
144 if(final_inputs && (i == input_length - 1)) {
145 if(decode_buf_pos) {
146 for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j) {
147 decode_buf[j] = 0;
148 }
149
150 final_truncate = decoding_bytes_in - decode_buf_pos;
151 decode_buf_pos = decoding_bytes_in;
152 }
153 }
154
155 if(decode_buf_pos == decoding_bytes_in) {
156 base.decode(out_ptr, decode_buf.data());
157
158 out_ptr += decoding_bytes_out;
159 decode_buf_pos = 0;
160 input_consumed = i + 1;
161 }
162 }
163
164 while(input_consumed < input_length && base.lookup_binary_value(input[input_consumed]) == 0x80) {
165 ++input_consumed;
166 }
167
168 size_t written = (out_ptr - output) - base.bytes_to_remove(final_truncate);
169
170 return written;
171}
constexpr auto out_ptr(T &outptr) noexcept
Definition stl_util.h:421
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:123

References clear_mem(), and out_ptr().

Referenced by base32_decode(), base64_decode(), and base_decode_full().

◆ base_decode_full()

template<typename Base>
size_t Botan::base_decode_full ( Base && base,
uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws )

Definition at line 174 of file codec_base.h.

174 {
175 size_t consumed = 0;
176 const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws);
177
178 if(consumed != input_length) {
179 throw Invalid_Argument(base.name() + " decoding failed, input did not have full bytes");
180 }
181
182 return written;
183}

References base_decode().

Referenced by base32_decode(), base64_decode(), and base_decode_to_vec().

◆ base_decode_to_vec()

template<typename Vector, typename Base>
Vector Botan::base_decode_to_vec ( Base && base,
const char input[],
size_t input_length,
bool ignore_ws )

Definition at line 186 of file codec_base.h.

186 {
187 const size_t output_length = base.decode_max_output(input_length);
188 Vector bin(output_length);
189
190 const size_t written = base_decode_full(base, bin.data(), input, input_length, ignore_ws);
191
192 bin.resize(written);
193 return bin;
194}

References base_decode_full().

Referenced by base32_decode(), and base64_decode().

◆ base_encode()

template<class Base>
size_t Botan::base_encode ( Base && base,
char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform encoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least base.encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 35 of file codec_base.h.

36 {
37 input_consumed = 0;
38
39 // TODO(Botan4) Check if we can use just base. or Base:: here instead
40 constexpr size_t encoding_bytes_in = std::remove_reference_t<Base>::encoding_bytes_in();
41 constexpr size_t encoding_bytes_out = std::remove_reference_t<Base>::encoding_bytes_out();
42
43 size_t input_remaining = input_length;
44 size_t output_produced = 0;
45
46 while(input_remaining >= encoding_bytes_in) {
47 base.encode(output + output_produced, input + input_consumed);
48
49 input_consumed += encoding_bytes_in;
50 output_produced += encoding_bytes_out;
51 input_remaining -= encoding_bytes_in;
52 }
53
54 if(final_inputs && input_remaining) {
55 std::array<uint8_t, encoding_bytes_in> remainder{};
56 for(size_t i = 0; i != input_remaining; ++i) {
57 remainder[i] = input[input_consumed + i];
58 }
59
60 base.encode(output + output_produced, remainder.data());
61
62 const size_t bits_consumed = base.bits_consumed();
63 const size_t remaining_bits_before_padding = base.remaining_bits_before_padding();
64
65 size_t empty_bits = 8 * (encoding_bytes_in - input_remaining);
66 size_t index = output_produced + encoding_bytes_out - 1;
67 while(empty_bits >= remaining_bits_before_padding) {
68 output[index--] = '=';
69 empty_bits -= bits_consumed;
70 }
71
72 input_consumed += input_remaining;
73 output_produced += encoding_bytes_out;
74 }
75
76 return output_produced;
77}

Referenced by base32_encode(), base64_encode(), and base_encode_to_string().

◆ base_encode_to_string()

template<typename Base>
std::string Botan::base_encode_to_string ( Base && base,
const uint8_t input[],
size_t input_length )

Definition at line 80 of file codec_base.h.

80 {
81 const size_t output_length = base.encode_max_output(input_length);
82 std::string output(output_length, 0);
83
84 size_t consumed = 0;
85 size_t produced = 0;
86
87 if(output_length > 0) {
88 produced = base_encode(base, &output.front(), input, input_length, consumed, true);
89 }
90
91 BOTAN_ASSERT_EQUAL(consumed, input_length, "Consumed the entire input");
92 BOTAN_ASSERT_EQUAL(produced, output.size(), "Produced expected size");
93
94 return output;
95}
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:70

References base_encode(), and BOTAN_ASSERT_EQUAL.

Referenced by base32_encode(), and base64_encode().

◆ basecase_mul()

void Botan::basecase_mul ( word z[],
size_t z_size,
const word x[],
size_t x_size,
const word y[],
size_t y_size )

Basecase O(N^2) multiplication

Definition at line 20 of file mp_karat.cpp.

20 {
21 if(z_size < x_size + y_size) {
22 throw Invalid_Argument("basecase_mul z_size too small");
23 }
24
25 const size_t x_size_8 = x_size - (x_size % 8);
26
27 clear_mem(z, z_size);
28
29 for(size_t i = 0; i != y_size; ++i) {
30 const word y_i = y[i];
31
32 word carry = 0;
33
34 for(size_t j = 0; j != x_size_8; j += 8) {
35 carry = word8_madd3(z + i + j, x + j, y_i, carry);
36 }
37
38 for(size_t j = x_size_8; j != x_size; ++j) {
39 z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry);
40 }
41
42 z[x_size + i] = carry;
43 }
44}
constexpr auto word8_madd3(W z[8], const W x[8], W y, W carry) -> W
Definition mp_asmi.h:433
void carry(int64_t &h0, int64_t &h1)
std::conditional_t< HasNative64BitRegisters, std::uint64_t, uint32_t > word
Definition types.h:119
constexpr auto word_madd3(W a, W b, W c, W *d) -> W
Definition mp_asmi.h:110

References carry(), clear_mem(), word8_madd3(), and word_madd3().

Referenced by bigint_mul().

◆ basecase_sqr()

void Botan::basecase_sqr ( word z[],
size_t z_size,
const word x[],
size_t x_size )

Basecase O(N^2) squaring

Definition at line 46 of file mp_karat.cpp.

46 {
47 if(z_size < 2 * x_size) {
48 throw Invalid_Argument("basecase_sqr z_size too small");
49 }
50
51 const size_t x_size_8 = x_size - (x_size % 8);
52
53 clear_mem(z, z_size);
54
55 for(size_t i = 0; i != x_size; ++i) {
56 const word x_i = x[i];
57
58 word carry = 0;
59
60 for(size_t j = 0; j != x_size_8; j += 8) {
61 carry = word8_madd3(z + i + j, x + j, x_i, carry);
62 }
63
64 for(size_t j = x_size_8; j != x_size; ++j) {
65 z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry);
66 }
67
68 z[x_size + i] = carry;
69 }
70}

References carry(), clear_mem(), word8_madd3(), and word_madd3().

Referenced by bigint_sqr().

◆ basemul_exec()

template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint Botan::basemul_exec ( std::span< const typename C::AffinePoint > table,
const BlindedScalar & scalar,
RandomNumberGenerator & rng )

Definition at line 174 of file pcurves_mul.h.

176 {
177 // 2^W elements, less the identity element
178 static constexpr size_t WindowElements = (1 << WindowBits) - 1;
179
180 // TODO: C++23 - use std::mdspan to access table?
181
182 auto accum = [&]() {
183 const size_t w_0 = scalar.get_window(0);
184 const auto tbl_0 = table.first(WindowElements);
185 auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, w_0));
186 CT::poison(pt);
187 pt.randomize_rep(rng);
188 return pt;
189 }();
190
191 const size_t windows = (scalar.bits() + WindowBits - 1) / WindowBits;
192
193 for(size_t i = 1; i != windows; ++i) {
194 const size_t w_i = scalar.get_window(WindowBits * i);
195 const auto tbl_i = table.subspan(WindowElements * i, WindowElements);
196
197 /*
198 None of these additions can be doublings, because in each iteration, the
199 discrete logarithms of the points we're selecting out of the table are
200 larger than the largest possible dlog of accum.
201 */
202 accum += C::AffinePoint::ct_select(tbl_i, w_i);
203
204 if(i <= 3) {
205 accum.randomize_rep(rng);
206 }
207 }
208
209 CT::unpoison(accum);
210 return accum;
211}
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:65
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:54

References Botan::CT::poison(), and Botan::CT::unpoison().

◆ basemul_setup()

template<typename C, size_t WindowBits>
std::vector< typename C::AffinePoint > Botan::basemul_setup ( const typename C::AffinePoint & p,
size_t max_scalar_bits )

Definition at line 141 of file pcurves_mul.h.

141 {
142 static_assert(WindowBits >= 1 && WindowBits <= 8);
143
144 // 2^W elements, less the identity element
145 constexpr size_t WindowElements = (1 << WindowBits) - 1;
146
147 const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits;
148
149 const size_t TableSize = Windows * WindowElements;
150
151 std::vector<typename C::ProjectivePoint> table;
152 table.reserve(TableSize);
153
154 auto accum = C::ProjectivePoint::from_affine(p);
155
156 for(size_t i = 0; i != TableSize; i += WindowElements) {
157 table.push_back(accum);
158
159 for(size_t j = 1; j != WindowElements; ++j) {
160 if(j % 2 == 1) {
161 table.emplace_back(table[i + j / 2].dbl());
162 } else {
163 table.emplace_back(table[i + j - 1] + table[i]);
164 }
165 }
166
167 accum = table[i + (WindowElements / 2)].dbl();
168 }
169
170 return to_affine_batch<C>(table);
171}
auto to_affine_batch(std::span< const typename C::ProjectivePoint > projective)

References to_affine_batch().

◆ bcrypt_pbkdf()

void Botan::bcrypt_pbkdf ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
size_t rounds )
inline

Bcrypt PBKDF compatible with OpenBSD bcrypt_pbkdf

Definition at line 74 of file bcrypt_pbkdf.h.

80 {
81 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Bcrypt-PBKDF");
82 auto pwdhash = pwdhash_fam->from_params(rounds);
83 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
84}

References bcrypt_pbkdf(), and Botan::PasswordHashFamily::create_or_throw().

Referenced by bcrypt_pbkdf().

◆ bigint_add2()

template<WordType W>
void Botan::bigint_add2 ( W x[],
size_t x_size,
const W y[],
size_t y_size )
inlineconstexpr

Two operand addition

Parameters
xthe first operand (and output)
x_sizesize of x
ythe second operand
y_sizesize of y (must be <= x_size)

Definition at line 245 of file mp_core.h.

245 {
246 x[x_size] += bigint_add2_nc(x, x_size, y, y_size);
247}
constexpr auto bigint_add2_nc(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:187

References bigint_add2_nc().

Referenced by Botan::BigInt::add().

◆ bigint_add2_nc()

template<WordType W>
auto Botan::bigint_add2_nc ( W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Two operand addition with carry out

Definition at line 187 of file mp_core.h.

187 {
188 W carry = 0;
189
190 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
191
192 const size_t blocks = y_size - (y_size % 8);
193
194 for(size_t i = 0; i != blocks; i += 8) {
195 carry = word8_add2(x + i, y + i, carry);
196 }
197
198 for(size_t i = blocks; i != y_size; ++i) {
199 x[i] = word_add(x[i], y[i], &carry);
200 }
201
202 for(size_t i = y_size; i != x_size; ++i) {
203 x[i] = word_add(x[i], static_cast<W>(0), &carry);
204 }
205
206 return carry;
207}
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:52
constexpr auto word_add(W x, W y, W *carry) -> W
Definition mp_asmi.h:189
constexpr auto word8_add2(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:226

References BOTAN_ASSERT, carry(), word8_add2(), and word_add().

Referenced by bigint_add2(), and redc_crandall().

◆ bigint_add3()

template<WordType W>
void Botan::bigint_add3 ( W z[],
const W x[],
size_t x_size,
const W y[],
size_t y_size )
inlineconstexpr

Three operand addition

Definition at line 253 of file mp_core.h.

253 {
254 z[x_size > y_size ? x_size : y_size] += bigint_add3_nc(z, x, x_size, y, y_size);
255}
constexpr auto bigint_add3_nc(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:213

References bigint_add3_nc().

Referenced by Botan::BigInt::add2().

◆ bigint_add3_nc()

template<WordType W>
auto Botan::bigint_add3_nc ( W z[],
const W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Three operand addition with carry out

Definition at line 213 of file mp_core.h.

213 {
214 if(x_size < y_size) {
215 return bigint_add3_nc(z, y, y_size, x, x_size);
216 }
217
218 W carry = 0;
219
220 const size_t blocks = y_size - (y_size % 8);
221
222 for(size_t i = 0; i != blocks; i += 8) {
223 carry = word8_add3(z + i, x + i, y + i, carry);
224 }
225
226 for(size_t i = blocks; i != y_size; ++i) {
227 z[i] = word_add(x[i], y[i], &carry);
228 }
229
230 for(size_t i = y_size; i != x_size; ++i) {
231 z[i] = word_add(x[i], static_cast<W>(0), &carry);
232 }
233
234 return carry;
235}
constexpr auto word8_add3(W z[8], const W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:252

References bigint_add3_nc(), carry(), word8_add3(), and word_add().

Referenced by bigint_add3(), bigint_add3_nc(), and Botan::BigInt::mod_add().

◆ bigint_cmp()

template<WordType W>
int32_t Botan::bigint_cmp ( const W x[],
size_t x_size,
const W y[],
size_t y_size )
inlineconstexpr

Compare x and y Return -1 if x < y Return 0 if x == y Return 1 if x > y

Definition at line 551 of file mp_core.h.

551 {
552 static_assert(sizeof(W) >= sizeof(uint32_t), "Size assumption");
553
554 const W LT = static_cast<W>(-1);
555 const W EQ = 0;
556 const W GT = 1;
557
558 const size_t common_elems = std::min(x_size, y_size);
559
560 W result = EQ; // until found otherwise
561
562 for(size_t i = 0; i != common_elems; i++) {
563 const auto is_eq = CT::Mask<W>::is_equal(x[i], y[i]);
564 const auto is_lt = CT::Mask<W>::is_lt(x[i], y[i]);
565
566 result = is_eq.select(result, is_lt.select(LT, GT));
567 }
568
569 if(x_size < y_size) {
570 W mask = 0;
571 for(size_t i = x_size; i != y_size; i++) {
572 mask |= y[i];
573 }
574
575 // If any bits were set in high part of y, then x < y
576 result = CT::Mask<W>::is_zero(mask).select(result, LT);
577 } else if(y_size < x_size) {
578 W mask = 0;
579 for(size_t i = y_size; i != x_size; i++) {
580 mask |= x[i];
581 }
582
583 // If any bits were set in high part of x, then x > y
584 result = CT::Mask<W>::is_zero(mask).select(result, GT);
585 }
586
587 CT::unpoison(result);
588 BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ);
589 return static_cast<int32_t>(result);
590}
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:100
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:454
static constexpr Mask< T > is_lt(T x, T y)
Definition ct_utils.h:462
static constexpr Mask< T > is_zero(T x)
Definition ct_utils.h:449

References BOTAN_DEBUG_ASSERT, Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::unpoison().

Referenced by Botan::BigInt::add(), bigint_sub_abs(), Botan::BigInt::cmp(), Botan::BigInt::cmp_word(), and gcd().

◆ bigint_cnd_abs()

template<WordType W>
void Botan::bigint_cnd_abs ( W cnd,
W x[],
size_t size )
inlineconstexpr

Definition at line 173 of file mp_core.h.

173 {
174 const auto mask = CT::Mask<W>::expand(cnd);
175
176 W carry = mask.if_set_return(1);
177 for(size_t i = 0; i != size; ++i) {
178 const W z = word_add(~x[i], static_cast<W>(0), &carry);
179 x[i] = mask.select(z, x[i]);
180 }
181}
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:409

References carry(), Botan::CT::Mask< T >::expand(), and word_add().

◆ bigint_cnd_add() [1/2]

template<WordType W>
W Botan::bigint_cnd_add ( W cnd,
W x[],
const W y[],
size_t size )
inlineconstexpr

Definition at line 66 of file mp_core.h.

66 {
67 return bigint_cnd_add(cnd, x, size, y, size);
68}
constexpr W bigint_cnd_add(W cnd, W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:43

References bigint_cnd_add().

◆ bigint_cnd_add() [2/2]

template<WordType W>
W Botan::bigint_cnd_add ( W cnd,
W x[],
size_t x_size,
const W y[],
size_t y_size )
inlineconstexpr

Definition at line 43 of file mp_core.h.

43 {
44 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
45
46 const auto mask = CT::Mask<W>::expand(cnd).value();
47
48 W carry = 0;
49
50 for(size_t i = 0; i != y_size; ++i) {
51 x[i] = word_add(x[i], y[i] & mask, &carry);
52 }
53
54 for(size_t i = y_size; i != x_size; ++i) {
55 x[i] = word_add(x[i], static_cast<W>(0), &carry);
56 }
57
58 return (mask & carry);
59}

References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), and word_add().

Referenced by bigint_cnd_add(), bigint_correct_redc(), bigint_mod_sub(), and Botan::BigInt::ct_cond_add().

◆ bigint_cnd_add_or_sub()

template<WordType W>
void Botan::bigint_cnd_add_or_sub ( CT::Mask< W > mask,
W x[],
const W y[],
size_t size )
inlineconstexpr

Definition at line 110 of file mp_core.h.

110 {
111 const size_t blocks = size - (size % 8);
112
113 W carry = 0;
114 W borrow = 0;
115
116 W t0[8] = {0};
117 W t1[8] = {0};
118
119 for(size_t i = 0; i != blocks; i += 8) {
120 carry = word8_add3(t0, x + i, y + i, carry);
121 borrow = word8_sub3(t1, x + i, y + i, borrow);
122 mask.select_n(x + i, t0, t1, 8);
123 }
124
125 for(size_t i = blocks; i != size; ++i) {
126 const W a = word_add(x[i], y[i], &carry);
127 const W s = word_sub(x[i], y[i], &borrow);
128
129 x[i] = mask.select(a, s);
130 }
131}
constexpr void select_n(T output[], const T x[], const T y[], size_t len) const
Definition ct_utils.h:577
constexpr T select(T x, T y) const
Definition ct_utils.h:560
constexpr auto word8_sub3(W z[8], const W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:355
constexpr auto word_sub(W x, W y, W *carry) -> W
Definition mp_asmi.h:278

References carry(), Botan::CT::Mask< T >::select(), Botan::CT::Mask< T >::select_n(), word8_add3(), word8_sub3(), word_add(), and word_sub().

◆ bigint_cnd_addsub()

template<WordType W>
auto Botan::bigint_cnd_addsub ( CT::Mask< W > mask,
W x[],
const W y[],
const W z[],
size_t size ) -> W
inlineconstexpr

Definition at line 143 of file mp_core.h.

143 {
144 const size_t blocks = size - (size % 8);
145
146 W carry = 0;
147 W borrow = 0;
148
149 W t0[8] = {0};
150 W t1[8] = {0};
151
152 for(size_t i = 0; i != blocks; i += 8) {
153 carry = word8_add3(t0, x + i, y + i, carry);
154 borrow = word8_sub3(t1, x + i, z + i, borrow);
155 mask.select_n(x + i, t0, t1, 8);
156 }
157
158 for(size_t i = blocks; i != size; ++i) {
159 t0[0] = word_add(x[i], y[i], &carry);
160 t1[0] = word_sub(x[i], z[i], &borrow);
161 x[i] = mask.select(t0[0], t1[0]);
162 }
163
164 return mask.select(carry, borrow);
165}

References carry(), word8_add3(), word8_sub3(), word_add(), and word_sub().

◆ bigint_cnd_sub() [1/2]

template<WordType W>
auto Botan::bigint_cnd_sub ( W cnd,
W x[],
const W y[],
size_t size ) -> W
inlineconstexpr

Definition at line 98 of file mp_core.h.

98 {
99 return bigint_cnd_sub(cnd, x, size, y, size);
100}
constexpr auto bigint_cnd_sub(W cnd, W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:75

References bigint_cnd_sub().

◆ bigint_cnd_sub() [2/2]

template<WordType W>
auto Botan::bigint_cnd_sub ( W cnd,
W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Definition at line 75 of file mp_core.h.

75 {
76 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
77
78 const auto mask = CT::Mask<W>::expand(cnd).value();
79
80 W carry = 0;
81
82 for(size_t i = 0; i != y_size; ++i) {
83 x[i] = word_sub(x[i], y[i] & mask, &carry);
84 }
85
86 for(size_t i = y_size; i != x_size; ++i) {
87 x[i] = word_sub(x[i], static_cast<W>(0), &carry);
88 }
89
90 return (mask & carry);
91}

References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), and word_sub().

Referenced by bigint_cnd_sub().

◆ bigint_cnd_swap()

template<WordType W>
void Botan::bigint_cnd_swap ( W cnd,
W x[],
W y[],
size_t size )
inlineconstexpr

Definition at line 31 of file mp_core.h.

31 {
32 const auto mask = CT::Mask<W>::expand(cnd);
33
34 for(size_t i = 0; i != size; ++i) {
35 const W a = x[i];
36 const W b = y[i];
37 x[i] = mask.select(b, a);
38 y[i] = mask.select(a, b);
39 }
40}

References Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_cond_swap(), and ct_divide_pow2k().

◆ bigint_comba_mul16()

BOTAN_FUZZER_API void Botan::bigint_comba_mul16 ( word z[32],
const word x[16],
const word y[16] )

Definition at line 794 of file mp_comba.cpp.

794 {
795 word3<word> accum;
796
797 accum.mul(x[0], y[0]);
798 z[0] = accum.extract();
799 accum.mul(x[0], y[1]);
800 accum.mul(x[1], y[0]);
801 z[1] = accum.extract();
802 accum.mul(x[0], y[2]);
803 accum.mul(x[1], y[1]);
804 accum.mul(x[2], y[0]);
805 z[2] = accum.extract();
806 accum.mul(x[0], y[3]);
807 accum.mul(x[1], y[2]);
808 accum.mul(x[2], y[1]);
809 accum.mul(x[3], y[0]);
810 z[3] = accum.extract();
811 accum.mul(x[0], y[4]);
812 accum.mul(x[1], y[3]);
813 accum.mul(x[2], y[2]);
814 accum.mul(x[3], y[1]);
815 accum.mul(x[4], y[0]);
816 z[4] = accum.extract();
817 accum.mul(x[0], y[5]);
818 accum.mul(x[1], y[4]);
819 accum.mul(x[2], y[3]);
820 accum.mul(x[3], y[2]);
821 accum.mul(x[4], y[1]);
822 accum.mul(x[5], y[0]);
823 z[5] = accum.extract();
824 accum.mul(x[0], y[6]);
825 accum.mul(x[1], y[5]);
826 accum.mul(x[2], y[4]);
827 accum.mul(x[3], y[3]);
828 accum.mul(x[4], y[2]);
829 accum.mul(x[5], y[1]);
830 accum.mul(x[6], y[0]);
831 z[6] = accum.extract();
832 accum.mul(x[0], y[7]);
833 accum.mul(x[1], y[6]);
834 accum.mul(x[2], y[5]);
835 accum.mul(x[3], y[4]);
836 accum.mul(x[4], y[3]);
837 accum.mul(x[5], y[2]);
838 accum.mul(x[6], y[1]);
839 accum.mul(x[7], y[0]);
840 z[7] = accum.extract();
841 accum.mul(x[0], y[8]);
842 accum.mul(x[1], y[7]);
843 accum.mul(x[2], y[6]);
844 accum.mul(x[3], y[5]);
845 accum.mul(x[4], y[4]);
846 accum.mul(x[5], y[3]);
847 accum.mul(x[6], y[2]);
848 accum.mul(x[7], y[1]);
849 accum.mul(x[8], y[0]);
850 z[8] = accum.extract();
851 accum.mul(x[0], y[9]);
852 accum.mul(x[1], y[8]);
853 accum.mul(x[2], y[7]);
854 accum.mul(x[3], y[6]);
855 accum.mul(x[4], y[5]);
856 accum.mul(x[5], y[4]);
857 accum.mul(x[6], y[3]);
858 accum.mul(x[7], y[2]);
859 accum.mul(x[8], y[1]);
860 accum.mul(x[9], y[0]);
861 z[9] = accum.extract();
862 accum.mul(x[0], y[10]);
863 accum.mul(x[1], y[9]);
864 accum.mul(x[2], y[8]);
865 accum.mul(x[3], y[7]);
866 accum.mul(x[4], y[6]);
867 accum.mul(x[5], y[5]);
868 accum.mul(x[6], y[4]);
869 accum.mul(x[7], y[3]);
870 accum.mul(x[8], y[2]);
871 accum.mul(x[9], y[1]);
872 accum.mul(x[10], y[0]);
873 z[10] = accum.extract();
874 accum.mul(x[0], y[11]);
875 accum.mul(x[1], y[10]);
876 accum.mul(x[2], y[9]);
877 accum.mul(x[3], y[8]);
878 accum.mul(x[4], y[7]);
879 accum.mul(x[5], y[6]);
880 accum.mul(x[6], y[5]);
881 accum.mul(x[7], y[4]);
882 accum.mul(x[8], y[3]);
883 accum.mul(x[9], y[2]);
884 accum.mul(x[10], y[1]);
885 accum.mul(x[11], y[0]);
886 z[11] = accum.extract();
887 accum.mul(x[0], y[12]);
888 accum.mul(x[1], y[11]);
889 accum.mul(x[2], y[10]);
890 accum.mul(x[3], y[9]);
891 accum.mul(x[4], y[8]);
892 accum.mul(x[5], y[7]);
893 accum.mul(x[6], y[6]);
894 accum.mul(x[7], y[5]);
895 accum.mul(x[8], y[4]);
896 accum.mul(x[9], y[3]);
897 accum.mul(x[10], y[2]);
898 accum.mul(x[11], y[1]);
899 accum.mul(x[12], y[0]);
900 z[12] = accum.extract();
901 accum.mul(x[0], y[13]);
902 accum.mul(x[1], y[12]);
903 accum.mul(x[2], y[11]);
904 accum.mul(x[3], y[10]);
905 accum.mul(x[4], y[9]);
906 accum.mul(x[5], y[8]);
907 accum.mul(x[6], y[7]);
908 accum.mul(x[7], y[6]);
909 accum.mul(x[8], y[5]);
910 accum.mul(x[9], y[4]);
911 accum.mul(x[10], y[3]);
912 accum.mul(x[11], y[2]);
913 accum.mul(x[12], y[1]);
914 accum.mul(x[13], y[0]);
915 z[13] = accum.extract();
916 accum.mul(x[0], y[14]);
917 accum.mul(x[1], y[13]);
918 accum.mul(x[2], y[12]);
919 accum.mul(x[3], y[11]);
920 accum.mul(x[4], y[10]);
921 accum.mul(x[5], y[9]);
922 accum.mul(x[6], y[8]);
923 accum.mul(x[7], y[7]);
924 accum.mul(x[8], y[6]);
925 accum.mul(x[9], y[5]);
926 accum.mul(x[10], y[4]);
927 accum.mul(x[11], y[3]);
928 accum.mul(x[12], y[2]);
929 accum.mul(x[13], y[1]);
930 accum.mul(x[14], y[0]);
931 z[14] = accum.extract();
932 accum.mul(x[0], y[15]);
933 accum.mul(x[1], y[14]);
934 accum.mul(x[2], y[13]);
935 accum.mul(x[3], y[12]);
936 accum.mul(x[4], y[11]);
937 accum.mul(x[5], y[10]);
938 accum.mul(x[6], y[9]);
939 accum.mul(x[7], y[8]);
940 accum.mul(x[8], y[7]);
941 accum.mul(x[9], y[6]);
942 accum.mul(x[10], y[5]);
943 accum.mul(x[11], y[4]);
944 accum.mul(x[12], y[3]);
945 accum.mul(x[13], y[2]);
946 accum.mul(x[14], y[1]);
947 accum.mul(x[15], y[0]);
948 z[15] = accum.extract();
949 accum.mul(x[1], y[15]);
950 accum.mul(x[2], y[14]);
951 accum.mul(x[3], y[13]);
952 accum.mul(x[4], y[12]);
953 accum.mul(x[5], y[11]);
954 accum.mul(x[6], y[10]);
955 accum.mul(x[7], y[9]);
956 accum.mul(x[8], y[8]);
957 accum.mul(x[9], y[7]);
958 accum.mul(x[10], y[6]);
959 accum.mul(x[11], y[5]);
960 accum.mul(x[12], y[4]);
961 accum.mul(x[13], y[3]);
962 accum.mul(x[14], y[2]);
963 accum.mul(x[15], y[1]);
964 z[16] = accum.extract();
965 accum.mul(x[2], y[15]);
966 accum.mul(x[3], y[14]);
967 accum.mul(x[4], y[13]);
968 accum.mul(x[5], y[12]);
969 accum.mul(x[6], y[11]);
970 accum.mul(x[7], y[10]);
971 accum.mul(x[8], y[9]);
972 accum.mul(x[9], y[8]);
973 accum.mul(x[10], y[7]);
974 accum.mul(x[11], y[6]);
975 accum.mul(x[12], y[5]);
976 accum.mul(x[13], y[4]);
977 accum.mul(x[14], y[3]);
978 accum.mul(x[15], y[2]);
979 z[17] = accum.extract();
980 accum.mul(x[3], y[15]);
981 accum.mul(x[4], y[14]);
982 accum.mul(x[5], y[13]);
983 accum.mul(x[6], y[12]);
984 accum.mul(x[7], y[11]);
985 accum.mul(x[8], y[10]);
986 accum.mul(x[9], y[9]);
987 accum.mul(x[10], y[8]);
988 accum.mul(x[11], y[7]);
989 accum.mul(x[12], y[6]);
990 accum.mul(x[13], y[5]);
991 accum.mul(x[14], y[4]);
992 accum.mul(x[15], y[3]);
993 z[18] = accum.extract();
994 accum.mul(x[4], y[15]);
995 accum.mul(x[5], y[14]);
996 accum.mul(x[6], y[13]);
997 accum.mul(x[7], y[12]);
998 accum.mul(x[8], y[11]);
999 accum.mul(x[9], y[10]);
1000 accum.mul(x[10], y[9]);
1001 accum.mul(x[11], y[8]);
1002 accum.mul(x[12], y[7]);
1003 accum.mul(x[13], y[6]);
1004 accum.mul(x[14], y[5]);
1005 accum.mul(x[15], y[4]);
1006 z[19] = accum.extract();
1007 accum.mul(x[5], y[15]);
1008 accum.mul(x[6], y[14]);
1009 accum.mul(x[7], y[13]);
1010 accum.mul(x[8], y[12]);
1011 accum.mul(x[9], y[11]);
1012 accum.mul(x[10], y[10]);
1013 accum.mul(x[11], y[9]);
1014 accum.mul(x[12], y[8]);
1015 accum.mul(x[13], y[7]);
1016 accum.mul(x[14], y[6]);
1017 accum.mul(x[15], y[5]);
1018 z[20] = accum.extract();
1019 accum.mul(x[6], y[15]);
1020 accum.mul(x[7], y[14]);
1021 accum.mul(x[8], y[13]);
1022 accum.mul(x[9], y[12]);
1023 accum.mul(x[10], y[11]);
1024 accum.mul(x[11], y[10]);
1025 accum.mul(x[12], y[9]);
1026 accum.mul(x[13], y[8]);
1027 accum.mul(x[14], y[7]);
1028 accum.mul(x[15], y[6]);
1029 z[21] = accum.extract();
1030 accum.mul(x[7], y[15]);
1031 accum.mul(x[8], y[14]);
1032 accum.mul(x[9], y[13]);
1033 accum.mul(x[10], y[12]);
1034 accum.mul(x[11], y[11]);
1035 accum.mul(x[12], y[10]);
1036 accum.mul(x[13], y[9]);
1037 accum.mul(x[14], y[8]);
1038 accum.mul(x[15], y[7]);
1039 z[22] = accum.extract();
1040 accum.mul(x[8], y[15]);
1041 accum.mul(x[9], y[14]);
1042 accum.mul(x[10], y[13]);
1043 accum.mul(x[11], y[12]);
1044 accum.mul(x[12], y[11]);
1045 accum.mul(x[13], y[10]);
1046 accum.mul(x[14], y[9]);
1047 accum.mul(x[15], y[8]);
1048 z[23] = accum.extract();
1049 accum.mul(x[9], y[15]);
1050 accum.mul(x[10], y[14]);
1051 accum.mul(x[11], y[13]);
1052 accum.mul(x[12], y[12]);
1053 accum.mul(x[13], y[11]);
1054 accum.mul(x[14], y[10]);
1055 accum.mul(x[15], y[9]);
1056 z[24] = accum.extract();
1057 accum.mul(x[10], y[15]);
1058 accum.mul(x[11], y[14]);
1059 accum.mul(x[12], y[13]);
1060 accum.mul(x[13], y[12]);
1061 accum.mul(x[14], y[11]);
1062 accum.mul(x[15], y[10]);
1063 z[25] = accum.extract();
1064 accum.mul(x[11], y[15]);
1065 accum.mul(x[12], y[14]);
1066 accum.mul(x[13], y[13]);
1067 accum.mul(x[14], y[12]);
1068 accum.mul(x[15], y[11]);
1069 z[26] = accum.extract();
1070 accum.mul(x[12], y[15]);
1071 accum.mul(x[13], y[14]);
1072 accum.mul(x[14], y[13]);
1073 accum.mul(x[15], y[12]);
1074 z[27] = accum.extract();
1075 accum.mul(x[13], y[15]);
1076 accum.mul(x[14], y[14]);
1077 accum.mul(x[15], y[13]);
1078 z[28] = accum.extract();
1079 accum.mul(x[14], y[15]);
1080 accum.mul(x[15], y[14]);
1081 z[29] = accum.extract();
1082 accum.mul(x[15], y[15]);
1083 z[30] = accum.extract();
1084 z[31] = accum.extract();
1085}
constexpr W extract()
Definition mp_asmi.h:583
constexpr void mul(W x, W y)
Definition mp_asmi.h:509

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul24()

BOTAN_FUZZER_API void Botan::bigint_comba_mul24 ( word z[48],
const word x[24],
const word y[24] )

Definition at line 1446 of file mp_comba.cpp.

1446 {
1447 word3<word> accum;
1448
1449 accum.mul(x[0], y[0]);
1450 z[0] = accum.extract();
1451 accum.mul(x[0], y[1]);
1452 accum.mul(x[1], y[0]);
1453 z[1] = accum.extract();
1454 accum.mul(x[0], y[2]);
1455 accum.mul(x[1], y[1]);
1456 accum.mul(x[2], y[0]);
1457 z[2] = accum.extract();
1458 accum.mul(x[0], y[3]);
1459 accum.mul(x[1], y[2]);
1460 accum.mul(x[2], y[1]);
1461 accum.mul(x[3], y[0]);
1462 z[3] = accum.extract();
1463 accum.mul(x[0], y[4]);
1464 accum.mul(x[1], y[3]);
1465 accum.mul(x[2], y[2]);
1466 accum.mul(x[3], y[1]);
1467 accum.mul(x[4], y[0]);
1468 z[4] = accum.extract();
1469 accum.mul(x[0], y[5]);
1470 accum.mul(x[1], y[4]);
1471 accum.mul(x[2], y[3]);
1472 accum.mul(x[3], y[2]);
1473 accum.mul(x[4], y[1]);
1474 accum.mul(x[5], y[0]);
1475 z[5] = accum.extract();
1476 accum.mul(x[0], y[6]);
1477 accum.mul(x[1], y[5]);
1478 accum.mul(x[2], y[4]);
1479 accum.mul(x[3], y[3]);
1480 accum.mul(x[4], y[2]);
1481 accum.mul(x[5], y[1]);
1482 accum.mul(x[6], y[0]);
1483 z[6] = accum.extract();
1484 accum.mul(x[0], y[7]);
1485 accum.mul(x[1], y[6]);
1486 accum.mul(x[2], y[5]);
1487 accum.mul(x[3], y[4]);
1488 accum.mul(x[4], y[3]);
1489 accum.mul(x[5], y[2]);
1490 accum.mul(x[6], y[1]);
1491 accum.mul(x[7], y[0]);
1492 z[7] = accum.extract();
1493 accum.mul(x[0], y[8]);
1494 accum.mul(x[1], y[7]);
1495 accum.mul(x[2], y[6]);
1496 accum.mul(x[3], y[5]);
1497 accum.mul(x[4], y[4]);
1498 accum.mul(x[5], y[3]);
1499 accum.mul(x[6], y[2]);
1500 accum.mul(x[7], y[1]);
1501 accum.mul(x[8], y[0]);
1502 z[8] = accum.extract();
1503 accum.mul(x[0], y[9]);
1504 accum.mul(x[1], y[8]);
1505 accum.mul(x[2], y[7]);
1506 accum.mul(x[3], y[6]);
1507 accum.mul(x[4], y[5]);
1508 accum.mul(x[5], y[4]);
1509 accum.mul(x[6], y[3]);
1510 accum.mul(x[7], y[2]);
1511 accum.mul(x[8], y[1]);
1512 accum.mul(x[9], y[0]);
1513 z[9] = accum.extract();
1514 accum.mul(x[0], y[10]);
1515 accum.mul(x[1], y[9]);
1516 accum.mul(x[2], y[8]);
1517 accum.mul(x[3], y[7]);
1518 accum.mul(x[4], y[6]);
1519 accum.mul(x[5], y[5]);
1520 accum.mul(x[6], y[4]);
1521 accum.mul(x[7], y[3]);
1522 accum.mul(x[8], y[2]);
1523 accum.mul(x[9], y[1]);
1524 accum.mul(x[10], y[0]);
1525 z[10] = accum.extract();
1526 accum.mul(x[0], y[11]);
1527 accum.mul(x[1], y[10]);
1528 accum.mul(x[2], y[9]);
1529 accum.mul(x[3], y[8]);
1530 accum.mul(x[4], y[7]);
1531 accum.mul(x[5], y[6]);
1532 accum.mul(x[6], y[5]);
1533 accum.mul(x[7], y[4]);
1534 accum.mul(x[8], y[3]);
1535 accum.mul(x[9], y[2]);
1536 accum.mul(x[10], y[1]);
1537 accum.mul(x[11], y[0]);
1538 z[11] = accum.extract();
1539 accum.mul(x[0], y[12]);
1540 accum.mul(x[1], y[11]);
1541 accum.mul(x[2], y[10]);
1542 accum.mul(x[3], y[9]);
1543 accum.mul(x[4], y[8]);
1544 accum.mul(x[5], y[7]);
1545 accum.mul(x[6], y[6]);
1546 accum.mul(x[7], y[5]);
1547 accum.mul(x[8], y[4]);
1548 accum.mul(x[9], y[3]);
1549 accum.mul(x[10], y[2]);
1550 accum.mul(x[11], y[1]);
1551 accum.mul(x[12], y[0]);
1552 z[12] = accum.extract();
1553 accum.mul(x[0], y[13]);
1554 accum.mul(x[1], y[12]);
1555 accum.mul(x[2], y[11]);
1556 accum.mul(x[3], y[10]);
1557 accum.mul(x[4], y[9]);
1558 accum.mul(x[5], y[8]);
1559 accum.mul(x[6], y[7]);
1560 accum.mul(x[7], y[6]);
1561 accum.mul(x[8], y[5]);
1562 accum.mul(x[9], y[4]);
1563 accum.mul(x[10], y[3]);
1564 accum.mul(x[11], y[2]);
1565 accum.mul(x[12], y[1]);
1566 accum.mul(x[13], y[0]);
1567 z[13] = accum.extract();
1568 accum.mul(x[0], y[14]);
1569 accum.mul(x[1], y[13]);
1570 accum.mul(x[2], y[12]);
1571 accum.mul(x[3], y[11]);
1572 accum.mul(x[4], y[10]);
1573 accum.mul(x[5], y[9]);
1574 accum.mul(x[6], y[8]);
1575 accum.mul(x[7], y[7]);
1576 accum.mul(x[8], y[6]);
1577 accum.mul(x[9], y[5]);
1578 accum.mul(x[10], y[4]);
1579 accum.mul(x[11], y[3]);
1580 accum.mul(x[12], y[2]);
1581 accum.mul(x[13], y[1]);
1582 accum.mul(x[14], y[0]);
1583 z[14] = accum.extract();
1584 accum.mul(x[0], y[15]);
1585 accum.mul(x[1], y[14]);
1586 accum.mul(x[2], y[13]);
1587 accum.mul(x[3], y[12]);
1588 accum.mul(x[4], y[11]);
1589 accum.mul(x[5], y[10]);
1590 accum.mul(x[6], y[9]);
1591 accum.mul(x[7], y[8]);
1592 accum.mul(x[8], y[7]);
1593 accum.mul(x[9], y[6]);
1594 accum.mul(x[10], y[5]);
1595 accum.mul(x[11], y[4]);
1596 accum.mul(x[12], y[3]);
1597 accum.mul(x[13], y[2]);
1598 accum.mul(x[14], y[1]);
1599 accum.mul(x[15], y[0]);
1600 z[15] = accum.extract();
1601 accum.mul(x[0], y[16]);
1602 accum.mul(x[1], y[15]);
1603 accum.mul(x[2], y[14]);
1604 accum.mul(x[3], y[13]);
1605 accum.mul(x[4], y[12]);
1606 accum.mul(x[5], y[11]);
1607 accum.mul(x[6], y[10]);
1608 accum.mul(x[7], y[9]);
1609 accum.mul(x[8], y[8]);
1610 accum.mul(x[9], y[7]);
1611 accum.mul(x[10], y[6]);
1612 accum.mul(x[11], y[5]);
1613 accum.mul(x[12], y[4]);
1614 accum.mul(x[13], y[3]);
1615 accum.mul(x[14], y[2]);
1616 accum.mul(x[15], y[1]);
1617 accum.mul(x[16], y[0]);
1618 z[16] = accum.extract();
1619 accum.mul(x[0], y[17]);
1620 accum.mul(x[1], y[16]);
1621 accum.mul(x[2], y[15]);
1622 accum.mul(x[3], y[14]);
1623 accum.mul(x[4], y[13]);
1624 accum.mul(x[5], y[12]);
1625 accum.mul(x[6], y[11]);
1626 accum.mul(x[7], y[10]);
1627 accum.mul(x[8], y[9]);
1628 accum.mul(x[9], y[8]);
1629 accum.mul(x[10], y[7]);
1630 accum.mul(x[11], y[6]);
1631 accum.mul(x[12], y[5]);
1632 accum.mul(x[13], y[4]);
1633 accum.mul(x[14], y[3]);
1634 accum.mul(x[15], y[2]);
1635 accum.mul(x[16], y[1]);
1636 accum.mul(x[17], y[0]);
1637 z[17] = accum.extract();
1638 accum.mul(x[0], y[18]);
1639 accum.mul(x[1], y[17]);
1640 accum.mul(x[2], y[16]);
1641 accum.mul(x[3], y[15]);
1642 accum.mul(x[4], y[14]);
1643 accum.mul(x[5], y[13]);
1644 accum.mul(x[6], y[12]);
1645 accum.mul(x[7], y[11]);
1646 accum.mul(x[8], y[10]);
1647 accum.mul(x[9], y[9]);
1648 accum.mul(x[10], y[8]);
1649 accum.mul(x[11], y[7]);
1650 accum.mul(x[12], y[6]);
1651 accum.mul(x[13], y[5]);
1652 accum.mul(x[14], y[4]);
1653 accum.mul(x[15], y[3]);
1654 accum.mul(x[16], y[2]);
1655 accum.mul(x[17], y[1]);
1656 accum.mul(x[18], y[0]);
1657 z[18] = accum.extract();
1658 accum.mul(x[0], y[19]);
1659 accum.mul(x[1], y[18]);
1660 accum.mul(x[2], y[17]);
1661 accum.mul(x[3], y[16]);
1662 accum.mul(x[4], y[15]);
1663 accum.mul(x[5], y[14]);
1664 accum.mul(x[6], y[13]);
1665 accum.mul(x[7], y[12]);
1666 accum.mul(x[8], y[11]);
1667 accum.mul(x[9], y[10]);
1668 accum.mul(x[10], y[9]);
1669 accum.mul(x[11], y[8]);
1670 accum.mul(x[12], y[7]);
1671 accum.mul(x[13], y[6]);
1672 accum.mul(x[14], y[5]);
1673 accum.mul(x[15], y[4]);
1674 accum.mul(x[16], y[3]);
1675 accum.mul(x[17], y[2]);
1676 accum.mul(x[18], y[1]);
1677 accum.mul(x[19], y[0]);
1678 z[19] = accum.extract();
1679 accum.mul(x[0], y[20]);
1680 accum.mul(x[1], y[19]);
1681 accum.mul(x[2], y[18]);
1682 accum.mul(x[3], y[17]);
1683 accum.mul(x[4], y[16]);
1684 accum.mul(x[5], y[15]);
1685 accum.mul(x[6], y[14]);
1686 accum.mul(x[7], y[13]);
1687 accum.mul(x[8], y[12]);
1688 accum.mul(x[9], y[11]);
1689 accum.mul(x[10], y[10]);
1690 accum.mul(x[11], y[9]);
1691 accum.mul(x[12], y[8]);
1692 accum.mul(x[13], y[7]);
1693 accum.mul(x[14], y[6]);
1694 accum.mul(x[15], y[5]);
1695 accum.mul(x[16], y[4]);
1696 accum.mul(x[17], y[3]);
1697 accum.mul(x[18], y[2]);
1698 accum.mul(x[19], y[1]);
1699 accum.mul(x[20], y[0]);
1700 z[20] = accum.extract();
1701 accum.mul(x[0], y[21]);
1702 accum.mul(x[1], y[20]);
1703 accum.mul(x[2], y[19]);
1704 accum.mul(x[3], y[18]);
1705 accum.mul(x[4], y[17]);
1706 accum.mul(x[5], y[16]);
1707 accum.mul(x[6], y[15]);
1708 accum.mul(x[7], y[14]);
1709 accum.mul(x[8], y[13]);
1710 accum.mul(x[9], y[12]);
1711 accum.mul(x[10], y[11]);
1712 accum.mul(x[11], y[10]);
1713 accum.mul(x[12], y[9]);
1714 accum.mul(x[13], y[8]);
1715 accum.mul(x[14], y[7]);
1716 accum.mul(x[15], y[6]);
1717 accum.mul(x[16], y[5]);
1718 accum.mul(x[17], y[4]);
1719 accum.mul(x[18], y[3]);
1720 accum.mul(x[19], y[2]);
1721 accum.mul(x[20], y[1]);
1722 accum.mul(x[21], y[0]);
1723 z[21] = accum.extract();
1724 accum.mul(x[0], y[22]);
1725 accum.mul(x[1], y[21]);
1726 accum.mul(x[2], y[20]);
1727 accum.mul(x[3], y[19]);
1728 accum.mul(x[4], y[18]);
1729 accum.mul(x[5], y[17]);
1730 accum.mul(x[6], y[16]);
1731 accum.mul(x[7], y[15]);
1732 accum.mul(x[8], y[14]);
1733 accum.mul(x[9], y[13]);
1734 accum.mul(x[10], y[12]);
1735 accum.mul(x[11], y[11]);
1736 accum.mul(x[12], y[10]);
1737 accum.mul(x[13], y[9]);
1738 accum.mul(x[14], y[8]);
1739 accum.mul(x[15], y[7]);
1740 accum.mul(x[16], y[6]);
1741 accum.mul(x[17], y[5]);
1742 accum.mul(x[18], y[4]);
1743 accum.mul(x[19], y[3]);
1744 accum.mul(x[20], y[2]);
1745 accum.mul(x[21], y[1]);
1746 accum.mul(x[22], y[0]);
1747 z[22] = accum.extract();
1748 accum.mul(x[0], y[23]);
1749 accum.mul(x[1], y[22]);
1750 accum.mul(x[2], y[21]);
1751 accum.mul(x[3], y[20]);
1752 accum.mul(x[4], y[19]);
1753 accum.mul(x[5], y[18]);
1754 accum.mul(x[6], y[17]);
1755 accum.mul(x[7], y[16]);
1756 accum.mul(x[8], y[15]);
1757 accum.mul(x[9], y[14]);
1758 accum.mul(x[10], y[13]);
1759 accum.mul(x[11], y[12]);
1760 accum.mul(x[12], y[11]);
1761 accum.mul(x[13], y[10]);
1762 accum.mul(x[14], y[9]);
1763 accum.mul(x[15], y[8]);
1764 accum.mul(x[16], y[7]);
1765 accum.mul(x[17], y[6]);
1766 accum.mul(x[18], y[5]);
1767 accum.mul(x[19], y[4]);
1768 accum.mul(x[20], y[3]);
1769 accum.mul(x[21], y[2]);
1770 accum.mul(x[22], y[1]);
1771 accum.mul(x[23], y[0]);
1772 z[23] = accum.extract();
1773 accum.mul(x[1], y[23]);
1774 accum.mul(x[2], y[22]);
1775 accum.mul(x[3], y[21]);
1776 accum.mul(x[4], y[20]);
1777 accum.mul(x[5], y[19]);
1778 accum.mul(x[6], y[18]);
1779 accum.mul(x[7], y[17]);
1780 accum.mul(x[8], y[16]);
1781 accum.mul(x[9], y[15]);
1782 accum.mul(x[10], y[14]);
1783 accum.mul(x[11], y[13]);
1784 accum.mul(x[12], y[12]);
1785 accum.mul(x[13], y[11]);
1786 accum.mul(x[14], y[10]);
1787 accum.mul(x[15], y[9]);
1788 accum.mul(x[16], y[8]);
1789 accum.mul(x[17], y[7]);
1790 accum.mul(x[18], y[6]);
1791 accum.mul(x[19], y[5]);
1792 accum.mul(x[20], y[4]);
1793 accum.mul(x[21], y[3]);
1794 accum.mul(x[22], y[2]);
1795 accum.mul(x[23], y[1]);
1796 z[24] = accum.extract();
1797 accum.mul(x[2], y[23]);
1798 accum.mul(x[3], y[22]);
1799 accum.mul(x[4], y[21]);
1800 accum.mul(x[5], y[20]);
1801 accum.mul(x[6], y[19]);
1802 accum.mul(x[7], y[18]);
1803 accum.mul(x[8], y[17]);
1804 accum.mul(x[9], y[16]);
1805 accum.mul(x[10], y[15]);
1806 accum.mul(x[11], y[14]);
1807 accum.mul(x[12], y[13]);
1808 accum.mul(x[13], y[12]);
1809 accum.mul(x[14], y[11]);
1810 accum.mul(x[15], y[10]);
1811 accum.mul(x[16], y[9]);
1812 accum.mul(x[17], y[8]);
1813 accum.mul(x[18], y[7]);
1814 accum.mul(x[19], y[6]);
1815 accum.mul(x[20], y[5]);
1816 accum.mul(x[21], y[4]);
1817 accum.mul(x[22], y[3]);
1818 accum.mul(x[23], y[2]);
1819 z[25] = accum.extract();
1820 accum.mul(x[3], y[23]);
1821 accum.mul(x[4], y[22]);
1822 accum.mul(x[5], y[21]);
1823 accum.mul(x[6], y[20]);
1824 accum.mul(x[7], y[19]);
1825 accum.mul(x[8], y[18]);
1826 accum.mul(x[9], y[17]);
1827 accum.mul(x[10], y[16]);
1828 accum.mul(x[11], y[15]);
1829 accum.mul(x[12], y[14]);
1830 accum.mul(x[13], y[13]);
1831 accum.mul(x[14], y[12]);
1832 accum.mul(x[15], y[11]);
1833 accum.mul(x[16], y[10]);
1834 accum.mul(x[17], y[9]);
1835 accum.mul(x[18], y[8]);
1836 accum.mul(x[19], y[7]);
1837 accum.mul(x[20], y[6]);
1838 accum.mul(x[21], y[5]);
1839 accum.mul(x[22], y[4]);
1840 accum.mul(x[23], y[3]);
1841 z[26] = accum.extract();
1842 accum.mul(x[4], y[23]);
1843 accum.mul(x[5], y[22]);
1844 accum.mul(x[6], y[21]);
1845 accum.mul(x[7], y[20]);
1846 accum.mul(x[8], y[19]);
1847 accum.mul(x[9], y[18]);
1848 accum.mul(x[10], y[17]);
1849 accum.mul(x[11], y[16]);
1850 accum.mul(x[12], y[15]);
1851 accum.mul(x[13], y[14]);
1852 accum.mul(x[14], y[13]);
1853 accum.mul(x[15], y[12]);
1854 accum.mul(x[16], y[11]);
1855 accum.mul(x[17], y[10]);
1856 accum.mul(x[18], y[9]);
1857 accum.mul(x[19], y[8]);
1858 accum.mul(x[20], y[7]);
1859 accum.mul(x[21], y[6]);
1860 accum.mul(x[22], y[5]);
1861 accum.mul(x[23], y[4]);
1862 z[27] = accum.extract();
1863 accum.mul(x[5], y[23]);
1864 accum.mul(x[6], y[22]);
1865 accum.mul(x[7], y[21]);
1866 accum.mul(x[8], y[20]);
1867 accum.mul(x[9], y[19]);
1868 accum.mul(x[10], y[18]);
1869 accum.mul(x[11], y[17]);
1870 accum.mul(x[12], y[16]);
1871 accum.mul(x[13], y[15]);
1872 accum.mul(x[14], y[14]);
1873 accum.mul(x[15], y[13]);
1874 accum.mul(x[16], y[12]);
1875 accum.mul(x[17], y[11]);
1876 accum.mul(x[18], y[10]);
1877 accum.mul(x[19], y[9]);
1878 accum.mul(x[20], y[8]);
1879 accum.mul(x[21], y[7]);
1880 accum.mul(x[22], y[6]);
1881 accum.mul(x[23], y[5]);
1882 z[28] = accum.extract();
1883 accum.mul(x[6], y[23]);
1884 accum.mul(x[7], y[22]);
1885 accum.mul(x[8], y[21]);
1886 accum.mul(x[9], y[20]);
1887 accum.mul(x[10], y[19]);
1888 accum.mul(x[11], y[18]);
1889 accum.mul(x[12], y[17]);
1890 accum.mul(x[13], y[16]);
1891 accum.mul(x[14], y[15]);
1892 accum.mul(x[15], y[14]);
1893 accum.mul(x[16], y[13]);
1894 accum.mul(x[17], y[12]);
1895 accum.mul(x[18], y[11]);
1896 accum.mul(x[19], y[10]);
1897 accum.mul(x[20], y[9]);
1898 accum.mul(x[21], y[8]);
1899 accum.mul(x[22], y[7]);
1900 accum.mul(x[23], y[6]);
1901 z[29] = accum.extract();
1902 accum.mul(x[7], y[23]);
1903 accum.mul(x[8], y[22]);
1904 accum.mul(x[9], y[21]);
1905 accum.mul(x[10], y[20]);
1906 accum.mul(x[11], y[19]);
1907 accum.mul(x[12], y[18]);
1908 accum.mul(x[13], y[17]);
1909 accum.mul(x[14], y[16]);
1910 accum.mul(x[15], y[15]);
1911 accum.mul(x[16], y[14]);
1912 accum.mul(x[17], y[13]);
1913 accum.mul(x[18], y[12]);
1914 accum.mul(x[19], y[11]);
1915 accum.mul(x[20], y[10]);
1916 accum.mul(x[21], y[9]);
1917 accum.mul(x[22], y[8]);
1918 accum.mul(x[23], y[7]);
1919 z[30] = accum.extract();
1920 accum.mul(x[8], y[23]);
1921 accum.mul(x[9], y[22]);
1922 accum.mul(x[10], y[21]);
1923 accum.mul(x[11], y[20]);
1924 accum.mul(x[12], y[19]);
1925 accum.mul(x[13], y[18]);
1926 accum.mul(x[14], y[17]);
1927 accum.mul(x[15], y[16]);
1928 accum.mul(x[16], y[15]);
1929 accum.mul(x[17], y[14]);
1930 accum.mul(x[18], y[13]);
1931 accum.mul(x[19], y[12]);
1932 accum.mul(x[20], y[11]);
1933 accum.mul(x[21], y[10]);
1934 accum.mul(x[22], y[9]);
1935 accum.mul(x[23], y[8]);
1936 z[31] = accum.extract();
1937 accum.mul(x[9], y[23]);
1938 accum.mul(x[10], y[22]);
1939 accum.mul(x[11], y[21]);
1940 accum.mul(x[12], y[20]);
1941 accum.mul(x[13], y[19]);
1942 accum.mul(x[14], y[18]);
1943 accum.mul(x[15], y[17]);
1944 accum.mul(x[16], y[16]);
1945 accum.mul(x[17], y[15]);
1946 accum.mul(x[18], y[14]);
1947 accum.mul(x[19], y[13]);
1948 accum.mul(x[20], y[12]);
1949 accum.mul(x[21], y[11]);
1950 accum.mul(x[22], y[10]);
1951 accum.mul(x[23], y[9]);
1952 z[32] = accum.extract();
1953 accum.mul(x[10], y[23]);
1954 accum.mul(x[11], y[22]);
1955 accum.mul(x[12], y[21]);
1956 accum.mul(x[13], y[20]);
1957 accum.mul(x[14], y[19]);
1958 accum.mul(x[15], y[18]);
1959 accum.mul(x[16], y[17]);
1960 accum.mul(x[17], y[16]);
1961 accum.mul(x[18], y[15]);
1962 accum.mul(x[19], y[14]);
1963 accum.mul(x[20], y[13]);
1964 accum.mul(x[21], y[12]);
1965 accum.mul(x[22], y[11]);
1966 accum.mul(x[23], y[10]);
1967 z[33] = accum.extract();
1968 accum.mul(x[11], y[23]);
1969 accum.mul(x[12], y[22]);
1970 accum.mul(x[13], y[21]);
1971 accum.mul(x[14], y[20]);
1972 accum.mul(x[15], y[19]);
1973 accum.mul(x[16], y[18]);
1974 accum.mul(x[17], y[17]);
1975 accum.mul(x[18], y[16]);
1976 accum.mul(x[19], y[15]);
1977 accum.mul(x[20], y[14]);
1978 accum.mul(x[21], y[13]);
1979 accum.mul(x[22], y[12]);
1980 accum.mul(x[23], y[11]);
1981 z[34] = accum.extract();
1982 accum.mul(x[12], y[23]);
1983 accum.mul(x[13], y[22]);
1984 accum.mul(x[14], y[21]);
1985 accum.mul(x[15], y[20]);
1986 accum.mul(x[16], y[19]);
1987 accum.mul(x[17], y[18]);
1988 accum.mul(x[18], y[17]);
1989 accum.mul(x[19], y[16]);
1990 accum.mul(x[20], y[15]);
1991 accum.mul(x[21], y[14]);
1992 accum.mul(x[22], y[13]);
1993 accum.mul(x[23], y[12]);
1994 z[35] = accum.extract();
1995 accum.mul(x[13], y[23]);
1996 accum.mul(x[14], y[22]);
1997 accum.mul(x[15], y[21]);
1998 accum.mul(x[16], y[20]);
1999 accum.mul(x[17], y[19]);
2000 accum.mul(x[18], y[18]);
2001 accum.mul(x[19], y[17]);
2002 accum.mul(x[20], y[16]);
2003 accum.mul(x[21], y[15]);
2004 accum.mul(x[22], y[14]);
2005 accum.mul(x[23], y[13]);
2006 z[36] = accum.extract();
2007 accum.mul(x[14], y[23]);
2008 accum.mul(x[15], y[22]);
2009 accum.mul(x[16], y[21]);
2010 accum.mul(x[17], y[20]);
2011 accum.mul(x[18], y[19]);
2012 accum.mul(x[19], y[18]);
2013 accum.mul(x[20], y[17]);
2014 accum.mul(x[21], y[16]);
2015 accum.mul(x[22], y[15]);
2016 accum.mul(x[23], y[14]);
2017 z[37] = accum.extract();
2018 accum.mul(x[15], y[23]);
2019 accum.mul(x[16], y[22]);
2020 accum.mul(x[17], y[21]);
2021 accum.mul(x[18], y[20]);
2022 accum.mul(x[19], y[19]);
2023 accum.mul(x[20], y[18]);
2024 accum.mul(x[21], y[17]);
2025 accum.mul(x[22], y[16]);
2026 accum.mul(x[23], y[15]);
2027 z[38] = accum.extract();
2028 accum.mul(x[16], y[23]);
2029 accum.mul(x[17], y[22]);
2030 accum.mul(x[18], y[21]);
2031 accum.mul(x[19], y[20]);
2032 accum.mul(x[20], y[19]);
2033 accum.mul(x[21], y[18]);
2034 accum.mul(x[22], y[17]);
2035 accum.mul(x[23], y[16]);
2036 z[39] = accum.extract();
2037 accum.mul(x[17], y[23]);
2038 accum.mul(x[18], y[22]);
2039 accum.mul(x[19], y[21]);
2040 accum.mul(x[20], y[20]);
2041 accum.mul(x[21], y[19]);
2042 accum.mul(x[22], y[18]);
2043 accum.mul(x[23], y[17]);
2044 z[40] = accum.extract();
2045 accum.mul(x[18], y[23]);
2046 accum.mul(x[19], y[22]);
2047 accum.mul(x[20], y[21]);
2048 accum.mul(x[21], y[20]);
2049 accum.mul(x[22], y[19]);
2050 accum.mul(x[23], y[18]);
2051 z[41] = accum.extract();
2052 accum.mul(x[19], y[23]);
2053 accum.mul(x[20], y[22]);
2054 accum.mul(x[21], y[21]);
2055 accum.mul(x[22], y[20]);
2056 accum.mul(x[23], y[19]);
2057 z[42] = accum.extract();
2058 accum.mul(x[20], y[23]);
2059 accum.mul(x[21], y[22]);
2060 accum.mul(x[22], y[21]);
2061 accum.mul(x[23], y[20]);
2062 z[43] = accum.extract();
2063 accum.mul(x[21], y[23]);
2064 accum.mul(x[22], y[22]);
2065 accum.mul(x[23], y[21]);
2066 z[44] = accum.extract();
2067 accum.mul(x[22], y[23]);
2068 accum.mul(x[23], y[22]);
2069 z[45] = accum.extract();
2070 accum.mul(x[23], y[23]);
2071 z[46] = accum.extract();
2072 z[47] = accum.extract();
2073}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul().

◆ bigint_comba_mul4()

BOTAN_FUZZER_API void Botan::bigint_comba_mul4 ( word z[8],
const word x[4],
const word y[4] )

Definition at line 42 of file mp_comba.cpp.

42 {
43 word3<word> accum;
44
45 accum.mul(x[0], y[0]);
46 z[0] = accum.extract();
47 accum.mul(x[0], y[1]);
48 accum.mul(x[1], y[0]);
49 z[1] = accum.extract();
50 accum.mul(x[0], y[2]);
51 accum.mul(x[1], y[1]);
52 accum.mul(x[2], y[0]);
53 z[2] = accum.extract();
54 accum.mul(x[0], y[3]);
55 accum.mul(x[1], y[2]);
56 accum.mul(x[2], y[1]);
57 accum.mul(x[3], y[0]);
58 z[3] = accum.extract();
59 accum.mul(x[1], y[3]);
60 accum.mul(x[2], y[2]);
61 accum.mul(x[3], y[1]);
62 z[4] = accum.extract();
63 accum.mul(x[2], y[3]);
64 accum.mul(x[3], y[2]);
65 z[5] = accum.extract();
66 accum.mul(x[3], y[3]);
67 z[6] = accum.extract();
68 z[7] = accum.extract();
69}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul6()

BOTAN_FUZZER_API void Botan::bigint_comba_mul6 ( word z[12],
const word x[6],
const word y[6] )

Definition at line 115 of file mp_comba.cpp.

115 {
116 word3<word> accum;
117
118 accum.mul(x[0], y[0]);
119 z[0] = accum.extract();
120 accum.mul(x[0], y[1]);
121 accum.mul(x[1], y[0]);
122 z[1] = accum.extract();
123 accum.mul(x[0], y[2]);
124 accum.mul(x[1], y[1]);
125 accum.mul(x[2], y[0]);
126 z[2] = accum.extract();
127 accum.mul(x[0], y[3]);
128 accum.mul(x[1], y[2]);
129 accum.mul(x[2], y[1]);
130 accum.mul(x[3], y[0]);
131 z[3] = accum.extract();
132 accum.mul(x[0], y[4]);
133 accum.mul(x[1], y[3]);
134 accum.mul(x[2], y[2]);
135 accum.mul(x[3], y[1]);
136 accum.mul(x[4], y[0]);
137 z[4] = accum.extract();
138 accum.mul(x[0], y[5]);
139 accum.mul(x[1], y[4]);
140 accum.mul(x[2], y[3]);
141 accum.mul(x[3], y[2]);
142 accum.mul(x[4], y[1]);
143 accum.mul(x[5], y[0]);
144 z[5] = accum.extract();
145 accum.mul(x[1], y[5]);
146 accum.mul(x[2], y[4]);
147 accum.mul(x[3], y[3]);
148 accum.mul(x[4], y[2]);
149 accum.mul(x[5], y[1]);
150 z[6] = accum.extract();
151 accum.mul(x[2], y[5]);
152 accum.mul(x[3], y[4]);
153 accum.mul(x[4], y[3]);
154 accum.mul(x[5], y[2]);
155 z[7] = accum.extract();
156 accum.mul(x[3], y[5]);
157 accum.mul(x[4], y[4]);
158 accum.mul(x[5], y[3]);
159 z[8] = accum.extract();
160 accum.mul(x[4], y[5]);
161 accum.mul(x[5], y[4]);
162 z[9] = accum.extract();
163 accum.mul(x[5], y[5]);
164 z[10] = accum.extract();
165 z[11] = accum.extract();
166}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul7()

BOTAN_FUZZER_API void Botan::bigint_comba_mul7 ( word z[14],
const word x[7],
const word y[7] )

Definition at line 221 of file mp_comba.cpp.

221 {
222 word3<word> accum;
223
224 accum.mul(x[0], y[0]);
225 z[0] = accum.extract();
226 accum.mul(x[0], y[1]);
227 accum.mul(x[1], y[0]);
228 z[1] = accum.extract();
229 accum.mul(x[0], y[2]);
230 accum.mul(x[1], y[1]);
231 accum.mul(x[2], y[0]);
232 z[2] = accum.extract();
233 accum.mul(x[0], y[3]);
234 accum.mul(x[1], y[2]);
235 accum.mul(x[2], y[1]);
236 accum.mul(x[3], y[0]);
237 z[3] = accum.extract();
238 accum.mul(x[0], y[4]);
239 accum.mul(x[1], y[3]);
240 accum.mul(x[2], y[2]);
241 accum.mul(x[3], y[1]);
242 accum.mul(x[4], y[0]);
243 z[4] = accum.extract();
244 accum.mul(x[0], y[5]);
245 accum.mul(x[1], y[4]);
246 accum.mul(x[2], y[3]);
247 accum.mul(x[3], y[2]);
248 accum.mul(x[4], y[1]);
249 accum.mul(x[5], y[0]);
250 z[5] = accum.extract();
251 accum.mul(x[0], y[6]);
252 accum.mul(x[1], y[5]);
253 accum.mul(x[2], y[4]);
254 accum.mul(x[3], y[3]);
255 accum.mul(x[4], y[2]);
256 accum.mul(x[5], y[1]);
257 accum.mul(x[6], y[0]);
258 z[6] = accum.extract();
259 accum.mul(x[1], y[6]);
260 accum.mul(x[2], y[5]);
261 accum.mul(x[3], y[4]);
262 accum.mul(x[4], y[3]);
263 accum.mul(x[5], y[2]);
264 accum.mul(x[6], y[1]);
265 z[7] = accum.extract();
266 accum.mul(x[2], y[6]);
267 accum.mul(x[3], y[5]);
268 accum.mul(x[4], y[4]);
269 accum.mul(x[5], y[3]);
270 accum.mul(x[6], y[2]);
271 z[8] = accum.extract();
272 accum.mul(x[3], y[6]);
273 accum.mul(x[4], y[5]);
274 accum.mul(x[5], y[4]);
275 accum.mul(x[6], y[3]);
276 z[9] = accum.extract();
277 accum.mul(x[4], y[6]);
278 accum.mul(x[5], y[5]);
279 accum.mul(x[6], y[4]);
280 z[10] = accum.extract();
281 accum.mul(x[5], y[6]);
282 accum.mul(x[6], y[5]);
283 z[11] = accum.extract();
284 accum.mul(x[6], y[6]);
285 z[12] = accum.extract();
286 z[13] = accum.extract();
287}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by comba_mul().

◆ bigint_comba_mul8()

BOTAN_FUZZER_API void Botan::bigint_comba_mul8 ( word z[16],
const word x[8],
const word y[8] )

Definition at line 352 of file mp_comba.cpp.

352 {
353 word3<word> accum;
354
355 accum.mul(x[0], y[0]);
356 z[0] = accum.extract();
357 accum.mul(x[0], y[1]);
358 accum.mul(x[1], y[0]);
359 z[1] = accum.extract();
360 accum.mul(x[0], y[2]);
361 accum.mul(x[1], y[1]);
362 accum.mul(x[2], y[0]);
363 z[2] = accum.extract();
364 accum.mul(x[0], y[3]);
365 accum.mul(x[1], y[2]);
366 accum.mul(x[2], y[1]);
367 accum.mul(x[3], y[0]);
368 z[3] = accum.extract();
369 accum.mul(x[0], y[4]);
370 accum.mul(x[1], y[3]);
371 accum.mul(x[2], y[2]);
372 accum.mul(x[3], y[1]);
373 accum.mul(x[4], y[0]);
374 z[4] = accum.extract();
375 accum.mul(x[0], y[5]);
376 accum.mul(x[1], y[4]);
377 accum.mul(x[2], y[3]);
378 accum.mul(x[3], y[2]);
379 accum.mul(x[4], y[1]);
380 accum.mul(x[5], y[0]);
381 z[5] = accum.extract();
382 accum.mul(x[0], y[6]);
383 accum.mul(x[1], y[5]);
384 accum.mul(x[2], y[4]);
385 accum.mul(x[3], y[3]);
386 accum.mul(x[4], y[2]);
387 accum.mul(x[5], y[1]);
388 accum.mul(x[6], y[0]);
389 z[6] = accum.extract();
390 accum.mul(x[0], y[7]);
391 accum.mul(x[1], y[6]);
392 accum.mul(x[2], y[5]);
393 accum.mul(x[3], y[4]);
394 accum.mul(x[4], y[3]);
395 accum.mul(x[5], y[2]);
396 accum.mul(x[6], y[1]);
397 accum.mul(x[7], y[0]);
398 z[7] = accum.extract();
399 accum.mul(x[1], y[7]);
400 accum.mul(x[2], y[6]);
401 accum.mul(x[3], y[5]);
402 accum.mul(x[4], y[4]);
403 accum.mul(x[5], y[3]);
404 accum.mul(x[6], y[2]);
405 accum.mul(x[7], y[1]);
406 z[8] = accum.extract();
407 accum.mul(x[2], y[7]);
408 accum.mul(x[3], y[6]);
409 accum.mul(x[4], y[5]);
410 accum.mul(x[5], y[4]);
411 accum.mul(x[6], y[3]);
412 accum.mul(x[7], y[2]);
413 z[9] = accum.extract();
414 accum.mul(x[3], y[7]);
415 accum.mul(x[4], y[6]);
416 accum.mul(x[5], y[5]);
417 accum.mul(x[6], y[4]);
418 accum.mul(x[7], y[3]);
419 z[10] = accum.extract();
420 accum.mul(x[4], y[7]);
421 accum.mul(x[5], y[6]);
422 accum.mul(x[6], y[5]);
423 accum.mul(x[7], y[4]);
424 z[11] = accum.extract();
425 accum.mul(x[5], y[7]);
426 accum.mul(x[6], y[6]);
427 accum.mul(x[7], y[5]);
428 z[12] = accum.extract();
429 accum.mul(x[6], y[7]);
430 accum.mul(x[7], y[6]);
431 z[13] = accum.extract();
432 accum.mul(x[7], y[7]);
433 z[14] = accum.extract();
434 z[15] = accum.extract();
435}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul9()

BOTAN_FUZZER_API void Botan::bigint_comba_mul9 ( word z[18],
const word x[9],
const word y[9] )

Definition at line 511 of file mp_comba.cpp.

511 {
512 word3<word> accum;
513
514 accum.mul(x[0], y[0]);
515 z[0] = accum.extract();
516 accum.mul(x[0], y[1]);
517 accum.mul(x[1], y[0]);
518 z[1] = accum.extract();
519 accum.mul(x[0], y[2]);
520 accum.mul(x[1], y[1]);
521 accum.mul(x[2], y[0]);
522 z[2] = accum.extract();
523 accum.mul(x[0], y[3]);
524 accum.mul(x[1], y[2]);
525 accum.mul(x[2], y[1]);
526 accum.mul(x[3], y[0]);
527 z[3] = accum.extract();
528 accum.mul(x[0], y[4]);
529 accum.mul(x[1], y[3]);
530 accum.mul(x[2], y[2]);
531 accum.mul(x[3], y[1]);
532 accum.mul(x[4], y[0]);
533 z[4] = accum.extract();
534 accum.mul(x[0], y[5]);
535 accum.mul(x[1], y[4]);
536 accum.mul(x[2], y[3]);
537 accum.mul(x[3], y[2]);
538 accum.mul(x[4], y[1]);
539 accum.mul(x[5], y[0]);
540 z[5] = accum.extract();
541 accum.mul(x[0], y[6]);
542 accum.mul(x[1], y[5]);
543 accum.mul(x[2], y[4]);
544 accum.mul(x[3], y[3]);
545 accum.mul(x[4], y[2]);
546 accum.mul(x[5], y[1]);
547 accum.mul(x[6], y[0]);
548 z[6] = accum.extract();
549 accum.mul(x[0], y[7]);
550 accum.mul(x[1], y[6]);
551 accum.mul(x[2], y[5]);
552 accum.mul(x[3], y[4]);
553 accum.mul(x[4], y[3]);
554 accum.mul(x[5], y[2]);
555 accum.mul(x[6], y[1]);
556 accum.mul(x[7], y[0]);
557 z[7] = accum.extract();
558 accum.mul(x[0], y[8]);
559 accum.mul(x[1], y[7]);
560 accum.mul(x[2], y[6]);
561 accum.mul(x[3], y[5]);
562 accum.mul(x[4], y[4]);
563 accum.mul(x[5], y[3]);
564 accum.mul(x[6], y[2]);
565 accum.mul(x[7], y[1]);
566 accum.mul(x[8], y[0]);
567 z[8] = accum.extract();
568 accum.mul(x[1], y[8]);
569 accum.mul(x[2], y[7]);
570 accum.mul(x[3], y[6]);
571 accum.mul(x[4], y[5]);
572 accum.mul(x[5], y[4]);
573 accum.mul(x[6], y[3]);
574 accum.mul(x[7], y[2]);
575 accum.mul(x[8], y[1]);
576 z[9] = accum.extract();
577 accum.mul(x[2], y[8]);
578 accum.mul(x[3], y[7]);
579 accum.mul(x[4], y[6]);
580 accum.mul(x[5], y[5]);
581 accum.mul(x[6], y[4]);
582 accum.mul(x[7], y[3]);
583 accum.mul(x[8], y[2]);
584 z[10] = accum.extract();
585 accum.mul(x[3], y[8]);
586 accum.mul(x[4], y[7]);
587 accum.mul(x[5], y[6]);
588 accum.mul(x[6], y[5]);
589 accum.mul(x[7], y[4]);
590 accum.mul(x[8], y[3]);
591 z[11] = accum.extract();
592 accum.mul(x[4], y[8]);
593 accum.mul(x[5], y[7]);
594 accum.mul(x[6], y[6]);
595 accum.mul(x[7], y[5]);
596 accum.mul(x[8], y[4]);
597 z[12] = accum.extract();
598 accum.mul(x[5], y[8]);
599 accum.mul(x[6], y[7]);
600 accum.mul(x[7], y[6]);
601 accum.mul(x[8], y[5]);
602 z[13] = accum.extract();
603 accum.mul(x[6], y[8]);
604 accum.mul(x[7], y[7]);
605 accum.mul(x[8], y[6]);
606 z[14] = accum.extract();
607 accum.mul(x[7], y[8]);
608 accum.mul(x[8], y[7]);
609 z[15] = accum.extract();
610 accum.mul(x[8], y[8]);
611 z[16] = accum.extract();
612 z[17] = accum.extract();
613}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_sqr16()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr16 ( word z[32],
const word x[16] )

Definition at line 618 of file mp_comba.cpp.

618 {
619 word3<word> accum;
620
621 accum.mul(x[0], x[0]);
622 z[0] = accum.extract();
623 accum.mul_x2(x[0], x[1]);
624 z[1] = accum.extract();
625 accum.mul_x2(x[0], x[2]);
626 accum.mul(x[1], x[1]);
627 z[2] = accum.extract();
628 accum.mul_x2(x[0], x[3]);
629 accum.mul_x2(x[1], x[2]);
630 z[3] = accum.extract();
631 accum.mul_x2(x[0], x[4]);
632 accum.mul_x2(x[1], x[3]);
633 accum.mul(x[2], x[2]);
634 z[4] = accum.extract();
635 accum.mul_x2(x[0], x[5]);
636 accum.mul_x2(x[1], x[4]);
637 accum.mul_x2(x[2], x[3]);
638 z[5] = accum.extract();
639 accum.mul_x2(x[0], x[6]);
640 accum.mul_x2(x[1], x[5]);
641 accum.mul_x2(x[2], x[4]);
642 accum.mul(x[3], x[3]);
643 z[6] = accum.extract();
644 accum.mul_x2(x[0], x[7]);
645 accum.mul_x2(x[1], x[6]);
646 accum.mul_x2(x[2], x[5]);
647 accum.mul_x2(x[3], x[4]);
648 z[7] = accum.extract();
649 accum.mul_x2(x[0], x[8]);
650 accum.mul_x2(x[1], x[7]);
651 accum.mul_x2(x[2], x[6]);
652 accum.mul_x2(x[3], x[5]);
653 accum.mul(x[4], x[4]);
654 z[8] = accum.extract();
655 accum.mul_x2(x[0], x[9]);
656 accum.mul_x2(x[1], x[8]);
657 accum.mul_x2(x[2], x[7]);
658 accum.mul_x2(x[3], x[6]);
659 accum.mul_x2(x[4], x[5]);
660 z[9] = accum.extract();
661 accum.mul_x2(x[0], x[10]);
662 accum.mul_x2(x[1], x[9]);
663 accum.mul_x2(x[2], x[8]);
664 accum.mul_x2(x[3], x[7]);
665 accum.mul_x2(x[4], x[6]);
666 accum.mul(x[5], x[5]);
667 z[10] = accum.extract();
668 accum.mul_x2(x[0], x[11]);
669 accum.mul_x2(x[1], x[10]);
670 accum.mul_x2(x[2], x[9]);
671 accum.mul_x2(x[3], x[8]);
672 accum.mul_x2(x[4], x[7]);
673 accum.mul_x2(x[5], x[6]);
674 z[11] = accum.extract();
675 accum.mul_x2(x[0], x[12]);
676 accum.mul_x2(x[1], x[11]);
677 accum.mul_x2(x[2], x[10]);
678 accum.mul_x2(x[3], x[9]);
679 accum.mul_x2(x[4], x[8]);
680 accum.mul_x2(x[5], x[7]);
681 accum.mul(x[6], x[6]);
682 z[12] = accum.extract();
683 accum.mul_x2(x[0], x[13]);
684 accum.mul_x2(x[1], x[12]);
685 accum.mul_x2(x[2], x[11]);
686 accum.mul_x2(x[3], x[10]);
687 accum.mul_x2(x[4], x[9]);
688 accum.mul_x2(x[5], x[8]);
689 accum.mul_x2(x[6], x[7]);
690 z[13] = accum.extract();
691 accum.mul_x2(x[0], x[14]);
692 accum.mul_x2(x[1], x[13]);
693 accum.mul_x2(x[2], x[12]);
694 accum.mul_x2(x[3], x[11]);
695 accum.mul_x2(x[4], x[10]);
696 accum.mul_x2(x[5], x[9]);
697 accum.mul_x2(x[6], x[8]);
698 accum.mul(x[7], x[7]);
699 z[14] = accum.extract();
700 accum.mul_x2(x[0], x[15]);
701 accum.mul_x2(x[1], x[14]);
702 accum.mul_x2(x[2], x[13]);
703 accum.mul_x2(x[3], x[12]);
704 accum.mul_x2(x[4], x[11]);
705 accum.mul_x2(x[5], x[10]);
706 accum.mul_x2(x[6], x[9]);
707 accum.mul_x2(x[7], x[8]);
708 z[15] = accum.extract();
709 accum.mul_x2(x[1], x[15]);
710 accum.mul_x2(x[2], x[14]);
711 accum.mul_x2(x[3], x[13]);
712 accum.mul_x2(x[4], x[12]);
713 accum.mul_x2(x[5], x[11]);
714 accum.mul_x2(x[6], x[10]);
715 accum.mul_x2(x[7], x[9]);
716 accum.mul(x[8], x[8]);
717 z[16] = accum.extract();
718 accum.mul_x2(x[2], x[15]);
719 accum.mul_x2(x[3], x[14]);
720 accum.mul_x2(x[4], x[13]);
721 accum.mul_x2(x[5], x[12]);
722 accum.mul_x2(x[6], x[11]);
723 accum.mul_x2(x[7], x[10]);
724 accum.mul_x2(x[8], x[9]);
725 z[17] = accum.extract();
726 accum.mul_x2(x[3], x[15]);
727 accum.mul_x2(x[4], x[14]);
728 accum.mul_x2(x[5], x[13]);
729 accum.mul_x2(x[6], x[12]);
730 accum.mul_x2(x[7], x[11]);
731 accum.mul_x2(x[8], x[10]);
732 accum.mul(x[9], x[9]);
733 z[18] = accum.extract();
734 accum.mul_x2(x[4], x[15]);
735 accum.mul_x2(x[5], x[14]);
736 accum.mul_x2(x[6], x[13]);
737 accum.mul_x2(x[7], x[12]);
738 accum.mul_x2(x[8], x[11]);
739 accum.mul_x2(x[9], x[10]);
740 z[19] = accum.extract();
741 accum.mul_x2(x[5], x[15]);
742 accum.mul_x2(x[6], x[14]);
743 accum.mul_x2(x[7], x[13]);
744 accum.mul_x2(x[8], x[12]);
745 accum.mul_x2(x[9], x[11]);
746 accum.mul(x[10], x[10]);
747 z[20] = accum.extract();
748 accum.mul_x2(x[6], x[15]);
749 accum.mul_x2(x[7], x[14]);
750 accum.mul_x2(x[8], x[13]);
751 accum.mul_x2(x[9], x[12]);
752 accum.mul_x2(x[10], x[11]);
753 z[21] = accum.extract();
754 accum.mul_x2(x[7], x[15]);
755 accum.mul_x2(x[8], x[14]);
756 accum.mul_x2(x[9], x[13]);
757 accum.mul_x2(x[10], x[12]);
758 accum.mul(x[11], x[11]);
759 z[22] = accum.extract();
760 accum.mul_x2(x[8], x[15]);
761 accum.mul_x2(x[9], x[14]);
762 accum.mul_x2(x[10], x[13]);
763 accum.mul_x2(x[11], x[12]);
764 z[23] = accum.extract();
765 accum.mul_x2(x[9], x[15]);
766 accum.mul_x2(x[10], x[14]);
767 accum.mul_x2(x[11], x[13]);
768 accum.mul(x[12], x[12]);
769 z[24] = accum.extract();
770 accum.mul_x2(x[10], x[15]);
771 accum.mul_x2(x[11], x[14]);
772 accum.mul_x2(x[12], x[13]);
773 z[25] = accum.extract();
774 accum.mul_x2(x[11], x[15]);
775 accum.mul_x2(x[12], x[14]);
776 accum.mul(x[13], x[13]);
777 z[26] = accum.extract();
778 accum.mul_x2(x[12], x[15]);
779 accum.mul_x2(x[13], x[14]);
780 z[27] = accum.extract();
781 accum.mul_x2(x[13], x[15]);
782 accum.mul(x[14], x[14]);
783 z[28] = accum.extract();
784 accum.mul_x2(x[14], x[15]);
785 z[29] = accum.extract();
786 accum.mul(x[15], x[15]);
787 z[30] = accum.extract();
788 z[31] = accum.extract();
789}
constexpr void mul_x2(W x, W y)
Definition mp_asmi.h:536

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr24()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr24 ( word z[48],
const word x[24] )

Definition at line 1090 of file mp_comba.cpp.

1090 {
1091 word3<word> accum;
1092
1093 accum.mul(x[0], x[0]);
1094 z[0] = accum.extract();
1095 accum.mul_x2(x[0], x[1]);
1096 z[1] = accum.extract();
1097 accum.mul_x2(x[0], x[2]);
1098 accum.mul(x[1], x[1]);
1099 z[2] = accum.extract();
1100 accum.mul_x2(x[0], x[3]);
1101 accum.mul_x2(x[1], x[2]);
1102 z[3] = accum.extract();
1103 accum.mul_x2(x[0], x[4]);
1104 accum.mul_x2(x[1], x[3]);
1105 accum.mul(x[2], x[2]);
1106 z[4] = accum.extract();
1107 accum.mul_x2(x[0], x[5]);
1108 accum.mul_x2(x[1], x[4]);
1109 accum.mul_x2(x[2], x[3]);
1110 z[5] = accum.extract();
1111 accum.mul_x2(x[0], x[6]);
1112 accum.mul_x2(x[1], x[5]);
1113 accum.mul_x2(x[2], x[4]);
1114 accum.mul(x[3], x[3]);
1115 z[6] = accum.extract();
1116 accum.mul_x2(x[0], x[7]);
1117 accum.mul_x2(x[1], x[6]);
1118 accum.mul_x2(x[2], x[5]);
1119 accum.mul_x2(x[3], x[4]);
1120 z[7] = accum.extract();
1121 accum.mul_x2(x[0], x[8]);
1122 accum.mul_x2(x[1], x[7]);
1123 accum.mul_x2(x[2], x[6]);
1124 accum.mul_x2(x[3], x[5]);
1125 accum.mul(x[4], x[4]);
1126 z[8] = accum.extract();
1127 accum.mul_x2(x[0], x[9]);
1128 accum.mul_x2(x[1], x[8]);
1129 accum.mul_x2(x[2], x[7]);
1130 accum.mul_x2(x[3], x[6]);
1131 accum.mul_x2(x[4], x[5]);
1132 z[9] = accum.extract();
1133 accum.mul_x2(x[0], x[10]);
1134 accum.mul_x2(x[1], x[9]);
1135 accum.mul_x2(x[2], x[8]);
1136 accum.mul_x2(x[3], x[7]);
1137 accum.mul_x2(x[4], x[6]);
1138 accum.mul(x[5], x[5]);
1139 z[10] = accum.extract();
1140 accum.mul_x2(x[0], x[11]);
1141 accum.mul_x2(x[1], x[10]);
1142 accum.mul_x2(x[2], x[9]);
1143 accum.mul_x2(x[3], x[8]);
1144 accum.mul_x2(x[4], x[7]);
1145 accum.mul_x2(x[5], x[6]);
1146 z[11] = accum.extract();
1147 accum.mul_x2(x[0], x[12]);
1148 accum.mul_x2(x[1], x[11]);
1149 accum.mul_x2(x[2], x[10]);
1150 accum.mul_x2(x[3], x[9]);
1151 accum.mul_x2(x[4], x[8]);
1152 accum.mul_x2(x[5], x[7]);
1153 accum.mul(x[6], x[6]);
1154 z[12] = accum.extract();
1155 accum.mul_x2(x[0], x[13]);
1156 accum.mul_x2(x[1], x[12]);
1157 accum.mul_x2(x[2], x[11]);
1158 accum.mul_x2(x[3], x[10]);
1159 accum.mul_x2(x[4], x[9]);
1160 accum.mul_x2(x[5], x[8]);
1161 accum.mul_x2(x[6], x[7]);
1162 z[13] = accum.extract();
1163 accum.mul_x2(x[0], x[14]);
1164 accum.mul_x2(x[1], x[13]);
1165 accum.mul_x2(x[2], x[12]);
1166 accum.mul_x2(x[3], x[11]);
1167 accum.mul_x2(x[4], x[10]);
1168 accum.mul_x2(x[5], x[9]);
1169 accum.mul_x2(x[6], x[8]);
1170 accum.mul(x[7], x[7]);
1171 z[14] = accum.extract();
1172 accum.mul_x2(x[0], x[15]);
1173 accum.mul_x2(x[1], x[14]);
1174 accum.mul_x2(x[2], x[13]);
1175 accum.mul_x2(x[3], x[12]);
1176 accum.mul_x2(x[4], x[11]);
1177 accum.mul_x2(x[5], x[10]);
1178 accum.mul_x2(x[6], x[9]);
1179 accum.mul_x2(x[7], x[8]);
1180 z[15] = accum.extract();
1181 accum.mul_x2(x[0], x[16]);
1182 accum.mul_x2(x[1], x[15]);
1183 accum.mul_x2(x[2], x[14]);
1184 accum.mul_x2(x[3], x[13]);
1185 accum.mul_x2(x[4], x[12]);
1186 accum.mul_x2(x[5], x[11]);
1187 accum.mul_x2(x[6], x[10]);
1188 accum.mul_x2(x[7], x[9]);
1189 accum.mul(x[8], x[8]);
1190 z[16] = accum.extract();
1191 accum.mul_x2(x[0], x[17]);
1192 accum.mul_x2(x[1], x[16]);
1193 accum.mul_x2(x[2], x[15]);
1194 accum.mul_x2(x[3], x[14]);
1195 accum.mul_x2(x[4], x[13]);
1196 accum.mul_x2(x[5], x[12]);
1197 accum.mul_x2(x[6], x[11]);
1198 accum.mul_x2(x[7], x[10]);
1199 accum.mul_x2(x[8], x[9]);
1200 z[17] = accum.extract();
1201 accum.mul_x2(x[0], x[18]);
1202 accum.mul_x2(x[1], x[17]);
1203 accum.mul_x2(x[2], x[16]);
1204 accum.mul_x2(x[3], x[15]);
1205 accum.mul_x2(x[4], x[14]);
1206 accum.mul_x2(x[5], x[13]);
1207 accum.mul_x2(x[6], x[12]);
1208 accum.mul_x2(x[7], x[11]);
1209 accum.mul_x2(x[8], x[10]);
1210 accum.mul(x[9], x[9]);
1211 z[18] = accum.extract();
1212 accum.mul_x2(x[0], x[19]);
1213 accum.mul_x2(x[1], x[18]);
1214 accum.mul_x2(x[2], x[17]);
1215 accum.mul_x2(x[3], x[16]);
1216 accum.mul_x2(x[4], x[15]);
1217 accum.mul_x2(x[5], x[14]);
1218 accum.mul_x2(x[6], x[13]);
1219 accum.mul_x2(x[7], x[12]);
1220 accum.mul_x2(x[8], x[11]);
1221 accum.mul_x2(x[9], x[10]);
1222 z[19] = accum.extract();
1223 accum.mul_x2(x[0], x[20]);
1224 accum.mul_x2(x[1], x[19]);
1225 accum.mul_x2(x[2], x[18]);
1226 accum.mul_x2(x[3], x[17]);
1227 accum.mul_x2(x[4], x[16]);
1228 accum.mul_x2(x[5], x[15]);
1229 accum.mul_x2(x[6], x[14]);
1230 accum.mul_x2(x[7], x[13]);
1231 accum.mul_x2(x[8], x[12]);
1232 accum.mul_x2(x[9], x[11]);
1233 accum.mul(x[10], x[10]);
1234 z[20] = accum.extract();
1235 accum.mul_x2(x[0], x[21]);
1236 accum.mul_x2(x[1], x[20]);
1237 accum.mul_x2(x[2], x[19]);
1238 accum.mul_x2(x[3], x[18]);
1239 accum.mul_x2(x[4], x[17]);
1240 accum.mul_x2(x[5], x[16]);
1241 accum.mul_x2(x[6], x[15]);
1242 accum.mul_x2(x[7], x[14]);
1243 accum.mul_x2(x[8], x[13]);
1244 accum.mul_x2(x[9], x[12]);
1245 accum.mul_x2(x[10], x[11]);
1246 z[21] = accum.extract();
1247 accum.mul_x2(x[0], x[22]);
1248 accum.mul_x2(x[1], x[21]);
1249 accum.mul_x2(x[2], x[20]);
1250 accum.mul_x2(x[3], x[19]);
1251 accum.mul_x2(x[4], x[18]);
1252 accum.mul_x2(x[5], x[17]);
1253 accum.mul_x2(x[6], x[16]);
1254 accum.mul_x2(x[7], x[15]);
1255 accum.mul_x2(x[8], x[14]);
1256 accum.mul_x2(x[9], x[13]);
1257 accum.mul_x2(x[10], x[12]);
1258 accum.mul(x[11], x[11]);
1259 z[22] = accum.extract();
1260 accum.mul_x2(x[0], x[23]);
1261 accum.mul_x2(x[1], x[22]);
1262 accum.mul_x2(x[2], x[21]);
1263 accum.mul_x2(x[3], x[20]);
1264 accum.mul_x2(x[4], x[19]);
1265 accum.mul_x2(x[5], x[18]);
1266 accum.mul_x2(x[6], x[17]);
1267 accum.mul_x2(x[7], x[16]);
1268 accum.mul_x2(x[8], x[15]);
1269 accum.mul_x2(x[9], x[14]);
1270 accum.mul_x2(x[10], x[13]);
1271 accum.mul_x2(x[11], x[12]);
1272 z[23] = accum.extract();
1273 accum.mul_x2(x[1], x[23]);
1274 accum.mul_x2(x[2], x[22]);
1275 accum.mul_x2(x[3], x[21]);
1276 accum.mul_x2(x[4], x[20]);
1277 accum.mul_x2(x[5], x[19]);
1278 accum.mul_x2(x[6], x[18]);
1279 accum.mul_x2(x[7], x[17]);
1280 accum.mul_x2(x[8], x[16]);
1281 accum.mul_x2(x[9], x[15]);
1282 accum.mul_x2(x[10], x[14]);
1283 accum.mul_x2(x[11], x[13]);
1284 accum.mul(x[12], x[12]);
1285 z[24] = accum.extract();
1286 accum.mul_x2(x[2], x[23]);
1287 accum.mul_x2(x[3], x[22]);
1288 accum.mul_x2(x[4], x[21]);
1289 accum.mul_x2(x[5], x[20]);
1290 accum.mul_x2(x[6], x[19]);
1291 accum.mul_x2(x[7], x[18]);
1292 accum.mul_x2(x[8], x[17]);
1293 accum.mul_x2(x[9], x[16]);
1294 accum.mul_x2(x[10], x[15]);
1295 accum.mul_x2(x[11], x[14]);
1296 accum.mul_x2(x[12], x[13]);
1297 z[25] = accum.extract();
1298 accum.mul_x2(x[3], x[23]);
1299 accum.mul_x2(x[4], x[22]);
1300 accum.mul_x2(x[5], x[21]);
1301 accum.mul_x2(x[6], x[20]);
1302 accum.mul_x2(x[7], x[19]);
1303 accum.mul_x2(x[8], x[18]);
1304 accum.mul_x2(x[9], x[17]);
1305 accum.mul_x2(x[10], x[16]);
1306 accum.mul_x2(x[11], x[15]);
1307 accum.mul_x2(x[12], x[14]);
1308 accum.mul(x[13], x[13]);
1309 z[26] = accum.extract();
1310 accum.mul_x2(x[4], x[23]);
1311 accum.mul_x2(x[5], x[22]);
1312 accum.mul_x2(x[6], x[21]);
1313 accum.mul_x2(x[7], x[20]);
1314 accum.mul_x2(x[8], x[19]);
1315 accum.mul_x2(x[9], x[18]);
1316 accum.mul_x2(x[10], x[17]);
1317 accum.mul_x2(x[11], x[16]);
1318 accum.mul_x2(x[12], x[15]);
1319 accum.mul_x2(x[13], x[14]);
1320 z[27] = accum.extract();
1321 accum.mul_x2(x[5], x[23]);
1322 accum.mul_x2(x[6], x[22]);
1323 accum.mul_x2(x[7], x[21]);
1324 accum.mul_x2(x[8], x[20]);
1325 accum.mul_x2(x[9], x[19]);
1326 accum.mul_x2(x[10], x[18]);
1327 accum.mul_x2(x[11], x[17]);
1328 accum.mul_x2(x[12], x[16]);
1329 accum.mul_x2(x[13], x[15]);
1330 accum.mul(x[14], x[14]);
1331 z[28] = accum.extract();
1332 accum.mul_x2(x[6], x[23]);
1333 accum.mul_x2(x[7], x[22]);
1334 accum.mul_x2(x[8], x[21]);
1335 accum.mul_x2(x[9], x[20]);
1336 accum.mul_x2(x[10], x[19]);
1337 accum.mul_x2(x[11], x[18]);
1338 accum.mul_x2(x[12], x[17]);
1339 accum.mul_x2(x[13], x[16]);
1340 accum.mul_x2(x[14], x[15]);
1341 z[29] = accum.extract();
1342 accum.mul_x2(x[7], x[23]);
1343 accum.mul_x2(x[8], x[22]);
1344 accum.mul_x2(x[9], x[21]);
1345 accum.mul_x2(x[10], x[20]);
1346 accum.mul_x2(x[11], x[19]);
1347 accum.mul_x2(x[12], x[18]);
1348 accum.mul_x2(x[13], x[17]);
1349 accum.mul_x2(x[14], x[16]);
1350 accum.mul(x[15], x[15]);
1351 z[30] = accum.extract();
1352 accum.mul_x2(x[8], x[23]);
1353 accum.mul_x2(x[9], x[22]);
1354 accum.mul_x2(x[10], x[21]);
1355 accum.mul_x2(x[11], x[20]);
1356 accum.mul_x2(x[12], x[19]);
1357 accum.mul_x2(x[13], x[18]);
1358 accum.mul_x2(x[14], x[17]);
1359 accum.mul_x2(x[15], x[16]);
1360 z[31] = accum.extract();
1361 accum.mul_x2(x[9], x[23]);
1362 accum.mul_x2(x[10], x[22]);
1363 accum.mul_x2(x[11], x[21]);
1364 accum.mul_x2(x[12], x[20]);
1365 accum.mul_x2(x[13], x[19]);
1366 accum.mul_x2(x[14], x[18]);
1367 accum.mul_x2(x[15], x[17]);
1368 accum.mul(x[16], x[16]);
1369 z[32] = accum.extract();
1370 accum.mul_x2(x[10], x[23]);
1371 accum.mul_x2(x[11], x[22]);
1372 accum.mul_x2(x[12], x[21]);
1373 accum.mul_x2(x[13], x[20]);
1374 accum.mul_x2(x[14], x[19]);
1375 accum.mul_x2(x[15], x[18]);
1376 accum.mul_x2(x[16], x[17]);
1377 z[33] = accum.extract();
1378 accum.mul_x2(x[11], x[23]);
1379 accum.mul_x2(x[12], x[22]);
1380 accum.mul_x2(x[13], x[21]);
1381 accum.mul_x2(x[14], x[20]);
1382 accum.mul_x2(x[15], x[19]);
1383 accum.mul_x2(x[16], x[18]);
1384 accum.mul(x[17], x[17]);
1385 z[34] = accum.extract();
1386 accum.mul_x2(x[12], x[23]);
1387 accum.mul_x2(x[13], x[22]);
1388 accum.mul_x2(x[14], x[21]);
1389 accum.mul_x2(x[15], x[20]);
1390 accum.mul_x2(x[16], x[19]);
1391 accum.mul_x2(x[17], x[18]);
1392 z[35] = accum.extract();
1393 accum.mul_x2(x[13], x[23]);
1394 accum.mul_x2(x[14], x[22]);
1395 accum.mul_x2(x[15], x[21]);
1396 accum.mul_x2(x[16], x[20]);
1397 accum.mul_x2(x[17], x[19]);
1398 accum.mul(x[18], x[18]);
1399 z[36] = accum.extract();
1400 accum.mul_x2(x[14], x[23]);
1401 accum.mul_x2(x[15], x[22]);
1402 accum.mul_x2(x[16], x[21]);
1403 accum.mul_x2(x[17], x[20]);
1404 accum.mul_x2(x[18], x[19]);
1405 z[37] = accum.extract();
1406 accum.mul_x2(x[15], x[23]);
1407 accum.mul_x2(x[16], x[22]);
1408 accum.mul_x2(x[17], x[21]);
1409 accum.mul_x2(x[18], x[20]);
1410 accum.mul(x[19], x[19]);
1411 z[38] = accum.extract();
1412 accum.mul_x2(x[16], x[23]);
1413 accum.mul_x2(x[17], x[22]);
1414 accum.mul_x2(x[18], x[21]);
1415 accum.mul_x2(x[19], x[20]);
1416 z[39] = accum.extract();
1417 accum.mul_x2(x[17], x[23]);
1418 accum.mul_x2(x[18], x[22]);
1419 accum.mul_x2(x[19], x[21]);
1420 accum.mul(x[20], x[20]);
1421 z[40] = accum.extract();
1422 accum.mul_x2(x[18], x[23]);
1423 accum.mul_x2(x[19], x[22]);
1424 accum.mul_x2(x[20], x[21]);
1425 z[41] = accum.extract();
1426 accum.mul_x2(x[19], x[23]);
1427 accum.mul_x2(x[20], x[22]);
1428 accum.mul(x[21], x[21]);
1429 z[42] = accum.extract();
1430 accum.mul_x2(x[20], x[23]);
1431 accum.mul_x2(x[21], x[22]);
1432 z[43] = accum.extract();
1433 accum.mul_x2(x[21], x[23]);
1434 accum.mul(x[22], x[22]);
1435 z[44] = accum.extract();
1436 accum.mul_x2(x[22], x[23]);
1437 z[45] = accum.extract();
1438 accum.mul(x[23], x[23]);
1439 z[46] = accum.extract();
1440 z[47] = accum.extract();
1441}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr4()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr4 ( word z[8],
const word x[4] )

Definition at line 16 of file mp_comba.cpp.

16 {
17 word3<word> accum;
18
19 accum.mul(x[0], x[0]);
20 z[0] = accum.extract();
21 accum.mul_x2(x[0], x[1]);
22 z[1] = accum.extract();
23 accum.mul_x2(x[0], x[2]);
24 accum.mul(x[1], x[1]);
25 z[2] = accum.extract();
26 accum.mul_x2(x[0], x[3]);
27 accum.mul_x2(x[1], x[2]);
28 z[3] = accum.extract();
29 accum.mul_x2(x[1], x[3]);
30 accum.mul(x[2], x[2]);
31 z[4] = accum.extract();
32 accum.mul_x2(x[2], x[3]);
33 z[5] = accum.extract();
34 accum.mul(x[3], x[3]);
35 z[6] = accum.extract();
36 z[7] = accum.extract();
37}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr6()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr6 ( word z[12],
const word x[6] )

Definition at line 74 of file mp_comba.cpp.

74 {
75 word3<word> accum;
76
77 accum.mul(x[0], x[0]);
78 z[0] = accum.extract();
79 accum.mul_x2(x[0], x[1]);
80 z[1] = accum.extract();
81 accum.mul_x2(x[0], x[2]);
82 accum.mul(x[1], x[1]);
83 z[2] = accum.extract();
84 accum.mul_x2(x[0], x[3]);
85 accum.mul_x2(x[1], x[2]);
86 z[3] = accum.extract();
87 accum.mul_x2(x[0], x[4]);
88 accum.mul_x2(x[1], x[3]);
89 accum.mul(x[2], x[2]);
90 z[4] = accum.extract();
91 accum.mul_x2(x[0], x[5]);
92 accum.mul_x2(x[1], x[4]);
93 accum.mul_x2(x[2], x[3]);
94 z[5] = accum.extract();
95 accum.mul_x2(x[1], x[5]);
96 accum.mul_x2(x[2], x[4]);
97 accum.mul(x[3], x[3]);
98 z[6] = accum.extract();
99 accum.mul_x2(x[2], x[5]);
100 accum.mul_x2(x[3], x[4]);
101 z[7] = accum.extract();
102 accum.mul_x2(x[3], x[5]);
103 accum.mul(x[4], x[4]);
104 z[8] = accum.extract();
105 accum.mul_x2(x[4], x[5]);
106 z[9] = accum.extract();
107 accum.mul(x[5], x[5]);
108 z[10] = accum.extract();
109 z[11] = accum.extract();
110}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr7()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr7 ( word z[14],
const word x[7] )

Definition at line 171 of file mp_comba.cpp.

171 {
172 word3<word> accum;
173
174 accum.mul(x[0], x[0]);
175 z[0] = accum.extract();
176 accum.mul_x2(x[0], x[1]);
177 z[1] = accum.extract();
178 accum.mul_x2(x[0], x[2]);
179 accum.mul(x[1], x[1]);
180 z[2] = accum.extract();
181 accum.mul_x2(x[0], x[3]);
182 accum.mul_x2(x[1], x[2]);
183 z[3] = accum.extract();
184 accum.mul_x2(x[0], x[4]);
185 accum.mul_x2(x[1], x[3]);
186 accum.mul(x[2], x[2]);
187 z[4] = accum.extract();
188 accum.mul_x2(x[0], x[5]);
189 accum.mul_x2(x[1], x[4]);
190 accum.mul_x2(x[2], x[3]);
191 z[5] = accum.extract();
192 accum.mul_x2(x[0], x[6]);
193 accum.mul_x2(x[1], x[5]);
194 accum.mul_x2(x[2], x[4]);
195 accum.mul(x[3], x[3]);
196 z[6] = accum.extract();
197 accum.mul_x2(x[1], x[6]);
198 accum.mul_x2(x[2], x[5]);
199 accum.mul_x2(x[3], x[4]);
200 z[7] = accum.extract();
201 accum.mul_x2(x[2], x[6]);
202 accum.mul_x2(x[3], x[5]);
203 accum.mul(x[4], x[4]);
204 z[8] = accum.extract();
205 accum.mul_x2(x[3], x[6]);
206 accum.mul_x2(x[4], x[5]);
207 z[9] = accum.extract();
208 accum.mul_x2(x[4], x[6]);
209 accum.mul(x[5], x[5]);
210 z[10] = accum.extract();
211 accum.mul_x2(x[5], x[6]);
212 z[11] = accum.extract();
213 accum.mul(x[6], x[6]);
214 z[12] = accum.extract();
215 z[13] = accum.extract();
216}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by comba_sqr().

◆ bigint_comba_sqr8()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr8 ( word z[16],
const word x[8] )

Definition at line 292 of file mp_comba.cpp.

292 {
293 word3<word> accum;
294
295 accum.mul(x[0], x[0]);
296 z[0] = accum.extract();
297 accum.mul_x2(x[0], x[1]);
298 z[1] = accum.extract();
299 accum.mul_x2(x[0], x[2]);
300 accum.mul(x[1], x[1]);
301 z[2] = accum.extract();
302 accum.mul_x2(x[0], x[3]);
303 accum.mul_x2(x[1], x[2]);
304 z[3] = accum.extract();
305 accum.mul_x2(x[0], x[4]);
306 accum.mul_x2(x[1], x[3]);
307 accum.mul(x[2], x[2]);
308 z[4] = accum.extract();
309 accum.mul_x2(x[0], x[5]);
310 accum.mul_x2(x[1], x[4]);
311 accum.mul_x2(x[2], x[3]);
312 z[5] = accum.extract();
313 accum.mul_x2(x[0], x[6]);
314 accum.mul_x2(x[1], x[5]);
315 accum.mul_x2(x[2], x[4]);
316 accum.mul(x[3], x[3]);
317 z[6] = accum.extract();
318 accum.mul_x2(x[0], x[7]);
319 accum.mul_x2(x[1], x[6]);
320 accum.mul_x2(x[2], x[5]);
321 accum.mul_x2(x[3], x[4]);
322 z[7] = accum.extract();
323 accum.mul_x2(x[1], x[7]);
324 accum.mul_x2(x[2], x[6]);
325 accum.mul_x2(x[3], x[5]);
326 accum.mul(x[4], x[4]);
327 z[8] = accum.extract();
328 accum.mul_x2(x[2], x[7]);
329 accum.mul_x2(x[3], x[6]);
330 accum.mul_x2(x[4], x[5]);
331 z[9] = accum.extract();
332 accum.mul_x2(x[3], x[7]);
333 accum.mul_x2(x[4], x[6]);
334 accum.mul(x[5], x[5]);
335 z[10] = accum.extract();
336 accum.mul_x2(x[4], x[7]);
337 accum.mul_x2(x[5], x[6]);
338 z[11] = accum.extract();
339 accum.mul_x2(x[5], x[7]);
340 accum.mul(x[6], x[6]);
341 z[12] = accum.extract();
342 accum.mul_x2(x[6], x[7]);
343 z[13] = accum.extract();
344 accum.mul(x[7], x[7]);
345 z[14] = accum.extract();
346 z[15] = accum.extract();
347}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr9()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr9 ( word z[18],
const word x[9] )

Definition at line 440 of file mp_comba.cpp.

440 {
441 word3<word> accum;
442
443 accum.mul(x[0], x[0]);
444 z[0] = accum.extract();
445 accum.mul_x2(x[0], x[1]);
446 z[1] = accum.extract();
447 accum.mul_x2(x[0], x[2]);
448 accum.mul(x[1], x[1]);
449 z[2] = accum.extract();
450 accum.mul_x2(x[0], x[3]);
451 accum.mul_x2(x[1], x[2]);
452 z[3] = accum.extract();
453 accum.mul_x2(x[0], x[4]);
454 accum.mul_x2(x[1], x[3]);
455 accum.mul(x[2], x[2]);
456 z[4] = accum.extract();
457 accum.mul_x2(x[0], x[5]);
458 accum.mul_x2(x[1], x[4]);
459 accum.mul_x2(x[2], x[3]);
460 z[5] = accum.extract();
461 accum.mul_x2(x[0], x[6]);
462 accum.mul_x2(x[1], x[5]);
463 accum.mul_x2(x[2], x[4]);
464 accum.mul(x[3], x[3]);
465 z[6] = accum.extract();
466 accum.mul_x2(x[0], x[7]);
467 accum.mul_x2(x[1], x[6]);
468 accum.mul_x2(x[2], x[5]);
469 accum.mul_x2(x[3], x[4]);
470 z[7] = accum.extract();
471 accum.mul_x2(x[0], x[8]);
472 accum.mul_x2(x[1], x[7]);
473 accum.mul_x2(x[2], x[6]);
474 accum.mul_x2(x[3], x[5]);
475 accum.mul(x[4], x[4]);
476 z[8] = accum.extract();
477 accum.mul_x2(x[1], x[8]);
478 accum.mul_x2(x[2], x[7]);
479 accum.mul_x2(x[3], x[6]);
480 accum.mul_x2(x[4], x[5]);
481 z[9] = accum.extract();
482 accum.mul_x2(x[2], x[8]);
483 accum.mul_x2(x[3], x[7]);
484 accum.mul_x2(x[4], x[6]);
485 accum.mul(x[5], x[5]);
486 z[10] = accum.extract();
487 accum.mul_x2(x[3], x[8]);
488 accum.mul_x2(x[4], x[7]);
489 accum.mul_x2(x[5], x[6]);
490 z[11] = accum.extract();
491 accum.mul_x2(x[4], x[8]);
492 accum.mul_x2(x[5], x[7]);
493 accum.mul(x[6], x[6]);
494 z[12] = accum.extract();
495 accum.mul_x2(x[5], x[8]);
496 accum.mul_x2(x[6], x[7]);
497 z[13] = accum.extract();
498 accum.mul_x2(x[6], x[8]);
499 accum.mul(x[7], x[7]);
500 z[14] = accum.extract();
501 accum.mul_x2(x[7], x[8]);
502 z[15] = accum.extract();
503 accum.mul(x[8], x[8]);
504 z[16] = accum.extract();
505 z[17] = accum.extract();
506}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_correct_redc()

template<size_t N, WordType W>
void Botan::bigint_correct_redc ( std::array< W, N > & r,
const std::array< W, N > & P,
const std::array< W, N > & C )
inlineconstexpr

Set r to r - C. Then if r < 0, add P to r

Definition at line 1137 of file mp_core.h.

1137 {
1138 // TODO look into combining the two operations for important values of N
1139 W borrow = bigint_sub2(r.data(), N, C.data(), N);
1140 bigint_cnd_add(borrow, r.data(), N, P.data(), N);
1141}
constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:261

References bigint_cnd_add(), and bigint_sub2().

◆ bigint_ct_is_eq()

template<WordType W>
auto Botan::bigint_ct_is_eq ( const W x[],
size_t x_size,
const W y[],
size_t y_size ) -> CT::Mask<W>
inlineconstexpr

Definition at line 631 of file mp_core.h.

631 {
632 const size_t common_elems = std::min(x_size, y_size);
633
634 W diff = 0;
635
636 for(size_t i = 0; i != common_elems; i++) {
637 diff |= (x[i] ^ y[i]);
638 }
639
640 // If any bits were set in high part of x/y, then they are not equal
641 if(x_size < y_size) {
642 for(size_t i = x_size; i != y_size; i++) {
643 diff |= y[i];
644 }
645 } else if(y_size < x_size) {
646 for(size_t i = y_size; i != x_size; i++) {
647 diff |= x[i];
648 }
649 }
650
651 return CT::Mask<W>::is_zero(diff);
652}

References Botan::CT::Mask< T >::is_zero().

Referenced by Botan::BigInt::is_equal().

◆ bigint_ct_is_lt()

template<WordType W>
auto Botan::bigint_ct_is_lt ( const W x[],
size_t x_size,
const W y[],
size_t y_size,
bool lt_or_equal = false ) -> CT::Mask<W>
inlineconstexpr

Compare x and y Return ~0 if x[0:x_size] < y[0:y_size] or 0 otherwise If lt_or_equal is true, returns ~0 also for x == y

Definition at line 598 of file mp_core.h.

599 {
600 const size_t common_elems = std::min(x_size, y_size);
601
602 auto is_lt = CT::Mask<W>::expand(lt_or_equal);
603
604 for(size_t i = 0; i != common_elems; i++) {
605 const auto eq = CT::Mask<W>::is_equal(x[i], y[i]);
606 const auto lt = CT::Mask<W>::is_lt(x[i], y[i]);
607 is_lt = eq.select_mask(is_lt, lt);
608 }
609
610 if(x_size < y_size) {
611 W mask = 0;
612 for(size_t i = x_size; i != y_size; i++) {
613 mask |= y[i];
614 }
615 // If any bits were set in high part of y, then is_lt should be forced true
616 is_lt |= CT::Mask<W>::expand(mask);
617 } else if(y_size < x_size) {
618 W mask = 0;
619 for(size_t i = y_size; i != x_size; i++) {
620 mask |= x[i];
621 }
622
623 // If any bits were set in high part of x, then is_lt should be false
624 is_lt &= CT::Mask<W>::is_zero(mask);
625 }
626
627 return is_lt;
628}

References Botan::CT::Mask< T >::expand(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_zero().

Referenced by Botan::BigInt::is_less_than(), Botan::PCurve::GenericPrimeOrderCurve::mul2_vartime_x_mod_order_eq(), and Botan::PCurve::PrimeOrderCurveImpl< C >::mul2_vartime_x_mod_order_eq().

◆ bigint_divop_vartime()

template<WordType W>
auto Botan::bigint_divop_vartime ( W n1,
W n0,
W d ) -> W
inlineconstexpr

Compute ((n1<<bits) + n0) / d

Definition at line 712 of file mp_core.h.

712 {
713 if(d == 0) {
714 throw Invalid_Argument("bigint_divop_vartime divide by zero");
715 }
716
717 if constexpr(WordInfo<W>::dword_is_native) {
718 typename WordInfo<W>::dword n = n1;
719 n <<= WordInfo<W>::bits;
720 n |= n0;
721 return static_cast<W>(n / d);
722 } else {
723 W high = n1 % d;
724 W quotient = 0;
725
726 for(size_t i = 0; i != WordInfo<W>::bits; ++i) {
727 const W high_top_bit = high >> (WordInfo<W>::bits - 1);
728
729 high <<= 1;
730 high |= (n0 >> (WordInfo<W>::bits - 1 - i)) & 1;
731 quotient <<= 1;
732
733 if(high_top_bit || high >= d) {
734 high -= d;
735 quotient |= 1;
736 }
737 }
738
739 return quotient;
740 }
741}

Referenced by bigint_modop_vartime(), and vartime_divide().

◆ bigint_linmul2()

template<WordType W>
auto Botan::bigint_linmul2 ( W x[],
size_t x_size,
W y ) -> W
inlinenodiscardconstexpr

Definition at line 511 of file mp_core.h.

511 {
512 const size_t blocks = x_size - (x_size % 8);
513
514 W carry = 0;
515
516 for(size_t i = 0; i != blocks; i += 8) {
517 carry = word8_linmul2(x + i, y, carry);
518 }
519
520 for(size_t i = blocks; i != x_size; ++i) {
521 x[i] = word_madd2(x[i], y, &carry);
522 }
523
524 return carry;
525}
constexpr auto word_madd2(W a, W b, W *c) -> W
Definition mp_asmi.h:84
constexpr auto word8_linmul2(W x[8], W y, W carry) -> W
Definition mp_asmi.h:381

References carry(), word8_linmul2(), and word_madd2().

Referenced by Botan::BigInt::mul(), and Botan::BigInt::operator*=().

◆ bigint_linmul3()

template<WordType W>
void Botan::bigint_linmul3 ( W z[],
const W x[],
size_t x_size,
W y )
inlineconstexpr

Definition at line 528 of file mp_core.h.

528 {
529 const size_t blocks = x_size - (x_size % 8);
530
531 W carry = 0;
532
533 for(size_t i = 0; i != blocks; i += 8) {
534 carry = word8_linmul3(z + i, x + i, y, carry);
535 }
536
537 for(size_t i = blocks; i != x_size; ++i) {
538 z[i] = word_madd2(x[i], y, &carry);
539 }
540
541 z[x_size] = carry;
542}
constexpr auto word8_linmul3(W z[8], const W x[8], W y, W carry) -> W
Definition mp_asmi.h:407

References carry(), word8_linmul3(), and word_madd2().

Referenced by bigint_mul(), bigint_sqr(), Botan::BigInt::mul(), operator*(), and operator*().

◆ bigint_mod_sub()

template<WordType W>
void Botan::bigint_mod_sub ( W t[],
const W s[],
const W mod[],
size_t mod_sw,
W ws[] )
inlineconstexpr

Set t to t-s modulo mod

Parameters
tfirst integer
ssecond integer
modthe modulus
mod_swsize of t, s, and mod
wsworkspace of size mod_sw

Definition at line 698 of file mp_core.h.

698 {
699 // ws = t - s
700 const W borrow = bigint_sub3(ws, t, mod_sw, s, mod_sw);
701
702 // Conditionally add back the modulus
703 bigint_cnd_add(borrow, ws, mod, mod_sw);
704
705 copy_mem(t, ws, mod_sw);
706}
constexpr auto bigint_sub3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:311
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:149

References bigint_cnd_add(), bigint_sub3(), and copy_mem().

Referenced by Botan::BigInt::mod_sub().

◆ bigint_modop_vartime()

template<WordType W>
auto Botan::bigint_modop_vartime ( W n1,
W n0,
W d ) -> W
inlineconstexpr

Compute ((n1<<bits) + n0) % d

Definition at line 747 of file mp_core.h.

747 {
748 if(d == 0) {
749 throw Invalid_Argument("bigint_modop_vartime divide by zero");
750 }
751
752 W z = bigint_divop_vartime(n1, n0, d);
753 W carry = 0;
754 z = word_madd2(z, d, &carry);
755 return (n0 - z);
756}
constexpr auto bigint_divop_vartime(W n1, W n0, W d) -> W
Definition mp_core.h:712

References bigint_divop_vartime(), carry(), and word_madd2().

Referenced by operator%(), and Botan::BigInt::operator%=().

◆ bigint_monty_maybe_sub() [1/2]

template<WordType W>
void Botan::bigint_monty_maybe_sub ( size_t N,
W z[],
W x0,
const W x[],
const W p[] )
inlineconstexpr

Conditional subtraction for Montgomery reduction

This function assumes that (x0 || x) is less than 2*p

Computes z[0:N] = (x0 || x[0:N]) - p[0:N]

If z would be positive, returns z[0:N] Otherwise returns original input x

Definition at line 344 of file mp_core.h.

344 {
345 W borrow = 0;
346
347 const size_t blocks = N - (N % 8);
348
349 for(size_t i = 0; i != blocks; i += 8) {
350 borrow = word8_sub3(z + i, x + i, p + i, borrow);
351 }
352
353 for(size_t i = blocks; i != N; ++i) {
354 z[i] = word_sub(x[i], p[i], &borrow);
355 }
356
357 borrow = (x0 - borrow) > x0;
358
359 CT::conditional_assign_mem(borrow, z, x, N);
360}
constexpr Mask< T > conditional_assign_mem(T cnd, T *sink, const T *src, size_t elems)
Definition ct_utils.h:745

References Botan::CT::conditional_assign_mem(), word8_sub3(), and word_sub().

Referenced by bigint_monty_redc_12(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), and bigint_monty_redc_generic().

◆ bigint_monty_maybe_sub() [2/2]

template<size_t N, WordType W>
void Botan::bigint_monty_maybe_sub ( W z[N],
W x0,
const W x[N],
const W y[N] )
inlineconstexpr

Conditional subtraction for Montgomery reduction

This function assumes that (x0 || x) is less than 2*p

Computes z[0:N] = (x0 || x[0:N]) - p[0:N]

If z would be positive, returns z[0:N] Otherwise returns original input x

Definition at line 373 of file mp_core.h.

373 {
374 W borrow = 0;
375
376 for(size_t i = 0; i != N; ++i) {
377 z[i] = word_sub(x[i], y[i], &borrow);
378 }
379
380 borrow = (x0 - borrow) > x0;
381
382 CT::conditional_assign_mem(borrow, z, x, N);
383}

References Botan::CT::conditional_assign_mem(), and word_sub().

◆ bigint_monty_redc()

void Botan::bigint_monty_redc ( word r[],
const word z[],
const word p[],
size_t p_size,
word p_dash,
word ws[],
size_t ws_size )
inline

Montgomery Reduction

Parameters
rresult of exactly p_size words
zinteger to reduce, of size exactly 2*p_size.
pmodulus
p_sizesize of p
p_dashMontgomery value
wsarray of at least p_size words
ws_sizesize of ws in words

It is allowed to set &r[0] == &z[0] however in this case note that only the first p_size words of r will be written to and the high p_size words of r/z will still hold the original inputs, these must be cleared after use. See bigint_monty_redc_inplace

Definition at line 987 of file mp_core.h.

988 {
989 const size_t z_size = 2 * p_size;
990
991 BOTAN_ARG_CHECK(ws_size >= p_size, "Montgomery reduction workspace too small");
992
993 if(p_size == 4) {
994 bigint_monty_redc_4(r, z, p, p_dash, ws);
995 } else if(p_size == 6) {
996 bigint_monty_redc_6(r, z, p, p_dash, ws);
997 } else if(p_size == 8) {
998 bigint_monty_redc_8(r, z, p, p_dash, ws);
999 } else if(p_size == 12) {
1000 bigint_monty_redc_12(r, z, p, p_dash, ws);
1001 } else if(p_size == 16) {
1002 bigint_monty_redc_16(r, z, p, p_dash, ws);
1003 } else if(p_size == 24) {
1004 bigint_monty_redc_24(r, z, p, p_dash, ws);
1005 } else if(p_size == 32) {
1006 bigint_monty_redc_32(r, z, p, p_dash, ws);
1007 } else {
1008 bigint_monty_redc_generic(r, z, z_size, p, p_size, p_dash, ws);
1009 }
1010}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:31
BOTAN_FUZZER_API void bigint_monty_redc_6(word r[6], const word z[12], const word p[6], word p_dash, word ws[6])
BOTAN_FUZZER_API void bigint_monty_redc_24(word r[24], const word z[48], const word p[24], word p_dash, word ws[24])
BOTAN_FUZZER_API void bigint_monty_redc_generic(word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
Definition mp_monty.cpp:31
BOTAN_FUZZER_API void bigint_monty_redc_4(word r[4], const word z[8], const word p[4], word p_dash, word ws[4])
BOTAN_FUZZER_API void bigint_monty_redc_12(word r[12], const word z[24], const word p[12], word p_dash, word ws[12])
BOTAN_FUZZER_API void bigint_monty_redc_16(word r[16], const word z[32], const word p[16], word p_dash, word ws[16])
BOTAN_FUZZER_API void bigint_monty_redc_8(word r[8], const word z[16], const word p[8], word p_dash, word ws[8])
BOTAN_FUZZER_API void bigint_monty_redc_32(word r[32], const word z[64], const word p[32], word p_dash, word ws[32])

References bigint_monty_redc_12(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), and BOTAN_ARG_CHECK.

Referenced by bigint_monty_redc_inplace().

◆ bigint_monty_redc_12()

void Botan::bigint_monty_redc_12 ( word r[12],
const word z[24],
const word p[12],
word p_dash,
word ws[12] )

Definition at line 202 of file mp_monty_n.cpp.

202 {
203 word3<word> accum;
204 accum.add(z[0]);
205 ws[0] = accum.monty_step(p[0], p_dash);
206 accum.mul(ws[0], p[1]);
207 accum.add(z[1]);
208 ws[1] = accum.monty_step(p[0], p_dash);
209 accum.mul(ws[0], p[2]);
210 accum.mul(ws[1], p[1]);
211 accum.add(z[2]);
212 ws[2] = accum.monty_step(p[0], p_dash);
213 accum.mul(ws[0], p[3]);
214 accum.mul(ws[1], p[2]);
215 accum.mul(ws[2], p[1]);
216 accum.add(z[3]);
217 ws[3] = accum.monty_step(p[0], p_dash);
218 accum.mul(ws[0], p[4]);
219 accum.mul(ws[1], p[3]);
220 accum.mul(ws[2], p[2]);
221 accum.mul(ws[3], p[1]);
222 accum.add(z[4]);
223 ws[4] = accum.monty_step(p[0], p_dash);
224 accum.mul(ws[0], p[5]);
225 accum.mul(ws[1], p[4]);
226 accum.mul(ws[2], p[3]);
227 accum.mul(ws[3], p[2]);
228 accum.mul(ws[4], p[1]);
229 accum.add(z[5]);
230 ws[5] = accum.monty_step(p[0], p_dash);
231 accum.mul(ws[0], p[6]);
232 accum.mul(ws[1], p[5]);
233 accum.mul(ws[2], p[4]);
234 accum.mul(ws[3], p[3]);
235 accum.mul(ws[4], p[2]);
236 accum.mul(ws[5], p[1]);
237 accum.add(z[6]);
238 ws[6] = accum.monty_step(p[0], p_dash);
239 accum.mul(ws[0], p[7]);
240 accum.mul(ws[1], p[6]);
241 accum.mul(ws[2], p[5]);
242 accum.mul(ws[3], p[4]);
243 accum.mul(ws[4], p[3]);
244 accum.mul(ws[5], p[2]);
245 accum.mul(ws[6], p[1]);
246 accum.add(z[7]);
247 ws[7] = accum.monty_step(p[0], p_dash);
248 accum.mul(ws[0], p[8]);
249 accum.mul(ws[1], p[7]);
250 accum.mul(ws[2], p[6]);
251 accum.mul(ws[3], p[5]);
252 accum.mul(ws[4], p[4]);
253 accum.mul(ws[5], p[3]);
254 accum.mul(ws[6], p[2]);
255 accum.mul(ws[7], p[1]);
256 accum.add(z[8]);
257 ws[8] = accum.monty_step(p[0], p_dash);
258 accum.mul(ws[0], p[9]);
259 accum.mul(ws[1], p[8]);
260 accum.mul(ws[2], p[7]);
261 accum.mul(ws[3], p[6]);
262 accum.mul(ws[4], p[5]);
263 accum.mul(ws[5], p[4]);
264 accum.mul(ws[6], p[3]);
265 accum.mul(ws[7], p[2]);
266 accum.mul(ws[8], p[1]);
267 accum.add(z[9]);
268 ws[9] = accum.monty_step(p[0], p_dash);
269 accum.mul(ws[0], p[10]);
270 accum.mul(ws[1], p[9]);
271 accum.mul(ws[2], p[8]);
272 accum.mul(ws[3], p[7]);
273 accum.mul(ws[4], p[6]);
274 accum.mul(ws[5], p[5]);
275 accum.mul(ws[6], p[4]);
276 accum.mul(ws[7], p[3]);
277 accum.mul(ws[8], p[2]);
278 accum.mul(ws[9], p[1]);
279 accum.add(z[10]);
280 ws[10] = accum.monty_step(p[0], p_dash);
281 accum.mul(ws[0], p[11]);
282 accum.mul(ws[1], p[10]);
283 accum.mul(ws[2], p[9]);
284 accum.mul(ws[3], p[8]);
285 accum.mul(ws[4], p[7]);
286 accum.mul(ws[5], p[6]);
287 accum.mul(ws[6], p[5]);
288 accum.mul(ws[7], p[4]);
289 accum.mul(ws[8], p[3]);
290 accum.mul(ws[9], p[2]);
291 accum.mul(ws[10], p[1]);
292 accum.add(z[11]);
293 ws[11] = accum.monty_step(p[0], p_dash);
294 accum.mul(ws[1], p[11]);
295 accum.mul(ws[2], p[10]);
296 accum.mul(ws[3], p[9]);
297 accum.mul(ws[4], p[8]);
298 accum.mul(ws[5], p[7]);
299 accum.mul(ws[6], p[6]);
300 accum.mul(ws[7], p[5]);
301 accum.mul(ws[8], p[4]);
302 accum.mul(ws[9], p[3]);
303 accum.mul(ws[10], p[2]);
304 accum.mul(ws[11], p[1]);
305 accum.add(z[12]);
306 ws[0] = accum.extract();
307 accum.mul(ws[2], p[11]);
308 accum.mul(ws[3], p[10]);
309 accum.mul(ws[4], p[9]);
310 accum.mul(ws[5], p[8]);
311 accum.mul(ws[6], p[7]);
312 accum.mul(ws[7], p[6]);
313 accum.mul(ws[8], p[5]);
314 accum.mul(ws[9], p[4]);
315 accum.mul(ws[10], p[3]);
316 accum.mul(ws[11], p[2]);
317 accum.add(z[13]);
318 ws[1] = accum.extract();
319 accum.mul(ws[3], p[11]);
320 accum.mul(ws[4], p[10]);
321 accum.mul(ws[5], p[9]);
322 accum.mul(ws[6], p[8]);
323 accum.mul(ws[7], p[7]);
324 accum.mul(ws[8], p[6]);
325 accum.mul(ws[9], p[5]);
326 accum.mul(ws[10], p[4]);
327 accum.mul(ws[11], p[3]);
328 accum.add(z[14]);
329 ws[2] = accum.extract();
330 accum.mul(ws[4], p[11]);
331 accum.mul(ws[5], p[10]);
332 accum.mul(ws[6], p[9]);
333 accum.mul(ws[7], p[8]);
334 accum.mul(ws[8], p[7]);
335 accum.mul(ws[9], p[6]);
336 accum.mul(ws[10], p[5]);
337 accum.mul(ws[11], p[4]);
338 accum.add(z[15]);
339 ws[3] = accum.extract();
340 accum.mul(ws[5], p[11]);
341 accum.mul(ws[6], p[10]);
342 accum.mul(ws[7], p[9]);
343 accum.mul(ws[8], p[8]);
344 accum.mul(ws[9], p[7]);
345 accum.mul(ws[10], p[6]);
346 accum.mul(ws[11], p[5]);
347 accum.add(z[16]);
348 ws[4] = accum.extract();
349 accum.mul(ws[6], p[11]);
350 accum.mul(ws[7], p[10]);
351 accum.mul(ws[8], p[9]);
352 accum.mul(ws[9], p[8]);
353 accum.mul(ws[10], p[7]);
354 accum.mul(ws[11], p[6]);
355 accum.add(z[17]);
356 ws[5] = accum.extract();
357 accum.mul(ws[7], p[11]);
358 accum.mul(ws[8], p[10]);
359 accum.mul(ws[9], p[9]);
360 accum.mul(ws[10], p[8]);
361 accum.mul(ws[11], p[7]);
362 accum.add(z[18]);
363 ws[6] = accum.extract();
364 accum.mul(ws[8], p[11]);
365 accum.mul(ws[9], p[10]);
366 accum.mul(ws[10], p[9]);
367 accum.mul(ws[11], p[8]);
368 accum.add(z[19]);
369 ws[7] = accum.extract();
370 accum.mul(ws[9], p[11]);
371 accum.mul(ws[10], p[10]);
372 accum.mul(ws[11], p[9]);
373 accum.add(z[20]);
374 ws[8] = accum.extract();
375 accum.mul(ws[10], p[11]);
376 accum.mul(ws[11], p[10]);
377 accum.add(z[21]);
378 ws[9] = accum.extract();
379 accum.mul(ws[11], p[11]);
380 accum.add(z[22]);
381 ws[10] = accum.extract();
382 accum.add(z[23]);
383 ws[11] = accum.extract();
384 word w1 = accum.extract();
385 bigint_monty_maybe_sub<12>(r, w1, ws, p);
386}
constexpr void add(W x)
Definition mp_asmi.h:574
constexpr W monty_step(W p0, W p_dash)
Definition mp_asmi.h:591
constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], const W p[])
Definition mp_core.h:344

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_16()

void Botan::bigint_monty_redc_16 ( word r[16],
const word z[32],
const word p[16],
word p_dash,
word ws[16] )

Definition at line 388 of file mp_monty_n.cpp.

388 {
389 word3<word> accum;
390 accum.add(z[0]);
391 ws[0] = accum.monty_step(p[0], p_dash);
392 accum.mul(ws[0], p[1]);
393 accum.add(z[1]);
394 ws[1] = accum.monty_step(p[0], p_dash);
395 accum.mul(ws[0], p[2]);
396 accum.mul(ws[1], p[1]);
397 accum.add(z[2]);
398 ws[2] = accum.monty_step(p[0], p_dash);
399 accum.mul(ws[0], p[3]);
400 accum.mul(ws[1], p[2]);
401 accum.mul(ws[2], p[1]);
402 accum.add(z[3]);
403 ws[3] = accum.monty_step(p[0], p_dash);
404 accum.mul(ws[0], p[4]);
405 accum.mul(ws[1], p[3]);
406 accum.mul(ws[2], p[2]);
407 accum.mul(ws[3], p[1]);
408 accum.add(z[4]);
409 ws[4] = accum.monty_step(p[0], p_dash);
410 accum.mul(ws[0], p[5]);
411 accum.mul(ws[1], p[4]);
412 accum.mul(ws[2], p[3]);
413 accum.mul(ws[3], p[2]);
414 accum.mul(ws[4], p[1]);
415 accum.add(z[5]);
416 ws[5] = accum.monty_step(p[0], p_dash);
417 accum.mul(ws[0], p[6]);
418 accum.mul(ws[1], p[5]);
419 accum.mul(ws[2], p[4]);
420 accum.mul(ws[3], p[3]);
421 accum.mul(ws[4], p[2]);
422 accum.mul(ws[5], p[1]);
423 accum.add(z[6]);
424 ws[6] = accum.monty_step(p[0], p_dash);
425 accum.mul(ws[0], p[7]);
426 accum.mul(ws[1], p[6]);
427 accum.mul(ws[2], p[5]);
428 accum.mul(ws[3], p[4]);
429 accum.mul(ws[4], p[3]);
430 accum.mul(ws[5], p[2]);
431 accum.mul(ws[6], p[1]);
432 accum.add(z[7]);
433 ws[7] = accum.monty_step(p[0], p_dash);
434 accum.mul(ws[0], p[8]);
435 accum.mul(ws[1], p[7]);
436 accum.mul(ws[2], p[6]);
437 accum.mul(ws[3], p[5]);
438 accum.mul(ws[4], p[4]);
439 accum.mul(ws[5], p[3]);
440 accum.mul(ws[6], p[2]);
441 accum.mul(ws[7], p[1]);
442 accum.add(z[8]);
443 ws[8] = accum.monty_step(p[0], p_dash);
444 accum.mul(ws[0], p[9]);
445 accum.mul(ws[1], p[8]);
446 accum.mul(ws[2], p[7]);
447 accum.mul(ws[3], p[6]);
448 accum.mul(ws[4], p[5]);
449 accum.mul(ws[5], p[4]);
450 accum.mul(ws[6], p[3]);
451 accum.mul(ws[7], p[2]);
452 accum.mul(ws[8], p[1]);
453 accum.add(z[9]);
454 ws[9] = accum.monty_step(p[0], p_dash);
455 accum.mul(ws[0], p[10]);
456 accum.mul(ws[1], p[9]);
457 accum.mul(ws[2], p[8]);
458 accum.mul(ws[3], p[7]);
459 accum.mul(ws[4], p[6]);
460 accum.mul(ws[5], p[5]);
461 accum.mul(ws[6], p[4]);
462 accum.mul(ws[7], p[3]);
463 accum.mul(ws[8], p[2]);
464 accum.mul(ws[9], p[1]);
465 accum.add(z[10]);
466 ws[10] = accum.monty_step(p[0], p_dash);
467 accum.mul(ws[0], p[11]);
468 accum.mul(ws[1], p[10]);
469 accum.mul(ws[2], p[9]);
470 accum.mul(ws[3], p[8]);
471 accum.mul(ws[4], p[7]);
472 accum.mul(ws[5], p[6]);
473 accum.mul(ws[6], p[5]);
474 accum.mul(ws[7], p[4]);
475 accum.mul(ws[8], p[3]);
476 accum.mul(ws[9], p[2]);
477 accum.mul(ws[10], p[1]);
478 accum.add(z[11]);
479 ws[11] = accum.monty_step(p[0], p_dash);
480 accum.mul(ws[0], p[12]);
481 accum.mul(ws[1], p[11]);
482 accum.mul(ws[2], p[10]);
483 accum.mul(ws[3], p[9]);
484 accum.mul(ws[4], p[8]);
485 accum.mul(ws[5], p[7]);
486 accum.mul(ws[6], p[6]);
487 accum.mul(ws[7], p[5]);
488 accum.mul(ws[8], p[4]);
489 accum.mul(ws[9], p[3]);
490 accum.mul(ws[10], p[2]);
491 accum.mul(ws[11], p[1]);
492 accum.add(z[12]);
493 ws[12] = accum.monty_step(p[0], p_dash);
494 accum.mul(ws[0], p[13]);
495 accum.mul(ws[1], p[12]);
496 accum.mul(ws[2], p[11]);
497 accum.mul(ws[3], p[10]);
498 accum.mul(ws[4], p[9]);
499 accum.mul(ws[5], p[8]);
500 accum.mul(ws[6], p[7]);
501 accum.mul(ws[7], p[6]);
502 accum.mul(ws[8], p[5]);
503 accum.mul(ws[9], p[4]);
504 accum.mul(ws[10], p[3]);
505 accum.mul(ws[11], p[2]);
506 accum.mul(ws[12], p[1]);
507 accum.add(z[13]);
508 ws[13] = accum.monty_step(p[0], p_dash);
509 accum.mul(ws[0], p[14]);
510 accum.mul(ws[1], p[13]);
511 accum.mul(ws[2], p[12]);
512 accum.mul(ws[3], p[11]);
513 accum.mul(ws[4], p[10]);
514 accum.mul(ws[5], p[9]);
515 accum.mul(ws[6], p[8]);
516 accum.mul(ws[7], p[7]);
517 accum.mul(ws[8], p[6]);
518 accum.mul(ws[9], p[5]);
519 accum.mul(ws[10], p[4]);
520 accum.mul(ws[11], p[3]);
521 accum.mul(ws[12], p[2]);
522 accum.mul(ws[13], p[1]);
523 accum.add(z[14]);
524 ws[14] = accum.monty_step(p[0], p_dash);
525 accum.mul(ws[0], p[15]);
526 accum.mul(ws[1], p[14]);
527 accum.mul(ws[2], p[13]);
528 accum.mul(ws[3], p[12]);
529 accum.mul(ws[4], p[11]);
530 accum.mul(ws[5], p[10]);
531 accum.mul(ws[6], p[9]);
532 accum.mul(ws[7], p[8]);
533 accum.mul(ws[8], p[7]);
534 accum.mul(ws[9], p[6]);
535 accum.mul(ws[10], p[5]);
536 accum.mul(ws[11], p[4]);
537 accum.mul(ws[12], p[3]);
538 accum.mul(ws[13], p[2]);
539 accum.mul(ws[14], p[1]);
540 accum.add(z[15]);
541 ws[15] = accum.monty_step(p[0], p_dash);
542 accum.mul(ws[1], p[15]);
543 accum.mul(ws[2], p[14]);
544 accum.mul(ws[3], p[13]);
545 accum.mul(ws[4], p[12]);
546 accum.mul(ws[5], p[11]);
547 accum.mul(ws[6], p[10]);
548 accum.mul(ws[7], p[9]);
549 accum.mul(ws[8], p[8]);
550 accum.mul(ws[9], p[7]);
551 accum.mul(ws[10], p[6]);
552 accum.mul(ws[11], p[5]);
553 accum.mul(ws[12], p[4]);
554 accum.mul(ws[13], p[3]);
555 accum.mul(ws[14], p[2]);
556 accum.mul(ws[15], p[1]);
557 accum.add(z[16]);
558 ws[0] = accum.extract();
559 accum.mul(ws[2], p[15]);
560 accum.mul(ws[3], p[14]);
561 accum.mul(ws[4], p[13]);
562 accum.mul(ws[5], p[12]);
563 accum.mul(ws[6], p[11]);
564 accum.mul(ws[7], p[10]);
565 accum.mul(ws[8], p[9]);
566 accum.mul(ws[9], p[8]);
567 accum.mul(ws[10], p[7]);
568 accum.mul(ws[11], p[6]);
569 accum.mul(ws[12], p[5]);
570 accum.mul(ws[13], p[4]);
571 accum.mul(ws[14], p[3]);
572 accum.mul(ws[15], p[2]);
573 accum.add(z[17]);
574 ws[1] = accum.extract();
575 accum.mul(ws[3], p[15]);
576 accum.mul(ws[4], p[14]);
577 accum.mul(ws[5], p[13]);
578 accum.mul(ws[6], p[12]);
579 accum.mul(ws[7], p[11]);
580 accum.mul(ws[8], p[10]);
581 accum.mul(ws[9], p[9]);
582 accum.mul(ws[10], p[8]);
583 accum.mul(ws[11], p[7]);
584 accum.mul(ws[12], p[6]);
585 accum.mul(ws[13], p[5]);
586 accum.mul(ws[14], p[4]);
587 accum.mul(ws[15], p[3]);
588 accum.add(z[18]);
589 ws[2] = accum.extract();
590 accum.mul(ws[4], p[15]);
591 accum.mul(ws[5], p[14]);
592 accum.mul(ws[6], p[13]);
593 accum.mul(ws[7], p[12]);
594 accum.mul(ws[8], p[11]);
595 accum.mul(ws[9], p[10]);
596 accum.mul(ws[10], p[9]);
597 accum.mul(ws[11], p[8]);
598 accum.mul(ws[12], p[7]);
599 accum.mul(ws[13], p[6]);
600 accum.mul(ws[14], p[5]);
601 accum.mul(ws[15], p[4]);
602 accum.add(z[19]);
603 ws[3] = accum.extract();
604 accum.mul(ws[5], p[15]);
605 accum.mul(ws[6], p[14]);
606 accum.mul(ws[7], p[13]);
607 accum.mul(ws[8], p[12]);
608 accum.mul(ws[9], p[11]);
609 accum.mul(ws[10], p[10]);
610 accum.mul(ws[11], p[9]);
611 accum.mul(ws[12], p[8]);
612 accum.mul(ws[13], p[7]);
613 accum.mul(ws[14], p[6]);
614 accum.mul(ws[15], p[5]);
615 accum.add(z[20]);
616 ws[4] = accum.extract();
617 accum.mul(ws[6], p[15]);
618 accum.mul(ws[7], p[14]);
619 accum.mul(ws[8], p[13]);
620 accum.mul(ws[9], p[12]);
621 accum.mul(ws[10], p[11]);
622 accum.mul(ws[11], p[10]);
623 accum.mul(ws[12], p[9]);
624 accum.mul(ws[13], p[8]);
625 accum.mul(ws[14], p[7]);
626 accum.mul(ws[15], p[6]);
627 accum.add(z[21]);
628 ws[5] = accum.extract();
629 accum.mul(ws[7], p[15]);
630 accum.mul(ws[8], p[14]);
631 accum.mul(ws[9], p[13]);
632 accum.mul(ws[10], p[12]);
633 accum.mul(ws[11], p[11]);
634 accum.mul(ws[12], p[10]);
635 accum.mul(ws[13], p[9]);
636 accum.mul(ws[14], p[8]);
637 accum.mul(ws[15], p[7]);
638 accum.add(z[22]);
639 ws[6] = accum.extract();
640 accum.mul(ws[8], p[15]);
641 accum.mul(ws[9], p[14]);
642 accum.mul(ws[10], p[13]);
643 accum.mul(ws[11], p[12]);
644 accum.mul(ws[12], p[11]);
645 accum.mul(ws[13], p[10]);
646 accum.mul(ws[14], p[9]);
647 accum.mul(ws[15], p[8]);
648 accum.add(z[23]);
649 ws[7] = accum.extract();
650 accum.mul(ws[9], p[15]);
651 accum.mul(ws[10], p[14]);
652 accum.mul(ws[11], p[13]);
653 accum.mul(ws[12], p[12]);
654 accum.mul(ws[13], p[11]);
655 accum.mul(ws[14], p[10]);
656 accum.mul(ws[15], p[9]);
657 accum.add(z[24]);
658 ws[8] = accum.extract();
659 accum.mul(ws[10], p[15]);
660 accum.mul(ws[11], p[14]);
661 accum.mul(ws[12], p[13]);
662 accum.mul(ws[13], p[12]);
663 accum.mul(ws[14], p[11]);
664 accum.mul(ws[15], p[10]);
665 accum.add(z[25]);
666 ws[9] = accum.extract();
667 accum.mul(ws[11], p[15]);
668 accum.mul(ws[12], p[14]);
669 accum.mul(ws[13], p[13]);
670 accum.mul(ws[14], p[12]);
671 accum.mul(ws[15], p[11]);
672 accum.add(z[26]);
673 ws[10] = accum.extract();
674 accum.mul(ws[12], p[15]);
675 accum.mul(ws[13], p[14]);
676 accum.mul(ws[14], p[13]);
677 accum.mul(ws[15], p[12]);
678 accum.add(z[27]);
679 ws[11] = accum.extract();
680 accum.mul(ws[13], p[15]);
681 accum.mul(ws[14], p[14]);
682 accum.mul(ws[15], p[13]);
683 accum.add(z[28]);
684 ws[12] = accum.extract();
685 accum.mul(ws[14], p[15]);
686 accum.mul(ws[15], p[14]);
687 accum.add(z[29]);
688 ws[13] = accum.extract();
689 accum.mul(ws[15], p[15]);
690 accum.add(z[30]);
691 ws[14] = accum.extract();
692 accum.add(z[31]);
693 ws[15] = accum.extract();
694 word w1 = accum.extract();
695 bigint_monty_maybe_sub<16>(r, w1, ws, p);
696}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_24()

void Botan::bigint_monty_redc_24 ( word r[24],
const word z[48],
const word p[24],
word p_dash,
word ws[24] )

Definition at line 698 of file mp_monty_n.cpp.

698 {
699 word3<word> accum;
700 accum.add(z[0]);
701 ws[0] = accum.monty_step(p[0], p_dash);
702 accum.mul(ws[0], p[1]);
703 accum.add(z[1]);
704 ws[1] = accum.monty_step(p[0], p_dash);
705 accum.mul(ws[0], p[2]);
706 accum.mul(ws[1], p[1]);
707 accum.add(z[2]);
708 ws[2] = accum.monty_step(p[0], p_dash);
709 accum.mul(ws[0], p[3]);
710 accum.mul(ws[1], p[2]);
711 accum.mul(ws[2], p[1]);
712 accum.add(z[3]);
713 ws[3] = accum.monty_step(p[0], p_dash);
714 accum.mul(ws[0], p[4]);
715 accum.mul(ws[1], p[3]);
716 accum.mul(ws[2], p[2]);
717 accum.mul(ws[3], p[1]);
718 accum.add(z[4]);
719 ws[4] = accum.monty_step(p[0], p_dash);
720 accum.mul(ws[0], p[5]);
721 accum.mul(ws[1], p[4]);
722 accum.mul(ws[2], p[3]);
723 accum.mul(ws[3], p[2]);
724 accum.mul(ws[4], p[1]);
725 accum.add(z[5]);
726 ws[5] = accum.monty_step(p[0], p_dash);
727 accum.mul(ws[0], p[6]);
728 accum.mul(ws[1], p[5]);
729 accum.mul(ws[2], p[4]);
730 accum.mul(ws[3], p[3]);
731 accum.mul(ws[4], p[2]);
732 accum.mul(ws[5], p[1]);
733 accum.add(z[6]);
734 ws[6] = accum.monty_step(p[0], p_dash);
735 accum.mul(ws[0], p[7]);
736 accum.mul(ws[1], p[6]);
737 accum.mul(ws[2], p[5]);
738 accum.mul(ws[3], p[4]);
739 accum.mul(ws[4], p[3]);
740 accum.mul(ws[5], p[2]);
741 accum.mul(ws[6], p[1]);
742 accum.add(z[7]);
743 ws[7] = accum.monty_step(p[0], p_dash);
744 accum.mul(ws[0], p[8]);
745 accum.mul(ws[1], p[7]);
746 accum.mul(ws[2], p[6]);
747 accum.mul(ws[3], p[5]);
748 accum.mul(ws[4], p[4]);
749 accum.mul(ws[5], p[3]);
750 accum.mul(ws[6], p[2]);
751 accum.mul(ws[7], p[1]);
752 accum.add(z[8]);
753 ws[8] = accum.monty_step(p[0], p_dash);
754 accum.mul(ws[0], p[9]);
755 accum.mul(ws[1], p[8]);
756 accum.mul(ws[2], p[7]);
757 accum.mul(ws[3], p[6]);
758 accum.mul(ws[4], p[5]);
759 accum.mul(ws[5], p[4]);
760 accum.mul(ws[6], p[3]);
761 accum.mul(ws[7], p[2]);
762 accum.mul(ws[8], p[1]);
763 accum.add(z[9]);
764 ws[9] = accum.monty_step(p[0], p_dash);
765 accum.mul(ws[0], p[10]);
766 accum.mul(ws[1], p[9]);
767 accum.mul(ws[2], p[8]);
768 accum.mul(ws[3], p[7]);
769 accum.mul(ws[4], p[6]);
770 accum.mul(ws[5], p[5]);
771 accum.mul(ws[6], p[4]);
772 accum.mul(ws[7], p[3]);
773 accum.mul(ws[8], p[2]);
774 accum.mul(ws[9], p[1]);
775 accum.add(z[10]);
776 ws[10] = accum.monty_step(p[0], p_dash);
777 accum.mul(ws[0], p[11]);
778 accum.mul(ws[1], p[10]);
779 accum.mul(ws[2], p[9]);
780 accum.mul(ws[3], p[8]);
781 accum.mul(ws[4], p[7]);
782 accum.mul(ws[5], p[6]);
783 accum.mul(ws[6], p[5]);
784 accum.mul(ws[7], p[4]);
785 accum.mul(ws[8], p[3]);
786 accum.mul(ws[9], p[2]);
787 accum.mul(ws[10], p[1]);
788 accum.add(z[11]);
789 ws[11] = accum.monty_step(p[0], p_dash);
790 accum.mul(ws[0], p[12]);
791 accum.mul(ws[1], p[11]);
792 accum.mul(ws[2], p[10]);
793 accum.mul(ws[3], p[9]);
794 accum.mul(ws[4], p[8]);
795 accum.mul(ws[5], p[7]);
796 accum.mul(ws[6], p[6]);
797 accum.mul(ws[7], p[5]);
798 accum.mul(ws[8], p[4]);
799 accum.mul(ws[9], p[3]);
800 accum.mul(ws[10], p[2]);
801 accum.mul(ws[11], p[1]);
802 accum.add(z[12]);
803 ws[12] = accum.monty_step(p[0], p_dash);
804 accum.mul(ws[0], p[13]);
805 accum.mul(ws[1], p[12]);
806 accum.mul(ws[2], p[11]);
807 accum.mul(ws[3], p[10]);
808 accum.mul(ws[4], p[9]);
809 accum.mul(ws[5], p[8]);
810 accum.mul(ws[6], p[7]);
811 accum.mul(ws[7], p[6]);
812 accum.mul(ws[8], p[5]);
813 accum.mul(ws[9], p[4]);
814 accum.mul(ws[10], p[3]);
815 accum.mul(ws[11], p[2]);
816 accum.mul(ws[12], p[1]);
817 accum.add(z[13]);
818 ws[13] = accum.monty_step(p[0], p_dash);
819 accum.mul(ws[0], p[14]);
820 accum.mul(ws[1], p[13]);
821 accum.mul(ws[2], p[12]);
822 accum.mul(ws[3], p[11]);
823 accum.mul(ws[4], p[10]);
824 accum.mul(ws[5], p[9]);
825 accum.mul(ws[6], p[8]);
826 accum.mul(ws[7], p[7]);
827 accum.mul(ws[8], p[6]);
828 accum.mul(ws[9], p[5]);
829 accum.mul(ws[10], p[4]);
830 accum.mul(ws[11], p[3]);
831 accum.mul(ws[12], p[2]);
832 accum.mul(ws[13], p[1]);
833 accum.add(z[14]);
834 ws[14] = accum.monty_step(p[0], p_dash);
835 accum.mul(ws[0], p[15]);
836 accum.mul(ws[1], p[14]);
837 accum.mul(ws[2], p[13]);
838 accum.mul(ws[3], p[12]);
839 accum.mul(ws[4], p[11]);
840 accum.mul(ws[5], p[10]);
841 accum.mul(ws[6], p[9]);
842 accum.mul(ws[7], p[8]);
843 accum.mul(ws[8], p[7]);
844 accum.mul(ws[9], p[6]);
845 accum.mul(ws[10], p[5]);
846 accum.mul(ws[11], p[4]);
847 accum.mul(ws[12], p[3]);
848 accum.mul(ws[13], p[2]);
849 accum.mul(ws[14], p[1]);
850 accum.add(z[15]);
851 ws[15] = accum.monty_step(p[0], p_dash);
852 accum.mul(ws[0], p[16]);
853 accum.mul(ws[1], p[15]);
854 accum.mul(ws[2], p[14]);
855 accum.mul(ws[3], p[13]);
856 accum.mul(ws[4], p[12]);
857 accum.mul(ws[5], p[11]);
858 accum.mul(ws[6], p[10]);
859 accum.mul(ws[7], p[9]);
860 accum.mul(ws[8], p[8]);
861 accum.mul(ws[9], p[7]);
862 accum.mul(ws[10], p[6]);
863 accum.mul(ws[11], p[5]);
864 accum.mul(ws[12], p[4]);
865 accum.mul(ws[13], p[3]);
866 accum.mul(ws[14], p[2]);
867 accum.mul(ws[15], p[1]);
868 accum.add(z[16]);
869 ws[16] = accum.monty_step(p[0], p_dash);
870 accum.mul(ws[0], p[17]);
871 accum.mul(ws[1], p[16]);
872 accum.mul(ws[2], p[15]);
873 accum.mul(ws[3], p[14]);
874 accum.mul(ws[4], p[13]);
875 accum.mul(ws[5], p[12]);
876 accum.mul(ws[6], p[11]);
877 accum.mul(ws[7], p[10]);
878 accum.mul(ws[8], p[9]);
879 accum.mul(ws[9], p[8]);
880 accum.mul(ws[10], p[7]);
881 accum.mul(ws[11], p[6]);
882 accum.mul(ws[12], p[5]);
883 accum.mul(ws[13], p[4]);
884 accum.mul(ws[14], p[3]);
885 accum.mul(ws[15], p[2]);
886 accum.mul(ws[16], p[1]);
887 accum.add(z[17]);
888 ws[17] = accum.monty_step(p[0], p_dash);
889 accum.mul(ws[0], p[18]);
890 accum.mul(ws[1], p[17]);
891 accum.mul(ws[2], p[16]);
892 accum.mul(ws[3], p[15]);
893 accum.mul(ws[4], p[14]);
894 accum.mul(ws[5], p[13]);
895 accum.mul(ws[6], p[12]);
896 accum.mul(ws[7], p[11]);
897 accum.mul(ws[8], p[10]);
898 accum.mul(ws[9], p[9]);
899 accum.mul(ws[10], p[8]);
900 accum.mul(ws[11], p[7]);
901 accum.mul(ws[12], p[6]);
902 accum.mul(ws[13], p[5]);
903 accum.mul(ws[14], p[4]);
904 accum.mul(ws[15], p[3]);
905 accum.mul(ws[16], p[2]);
906 accum.mul(ws[17], p[1]);
907 accum.add(z[18]);
908 ws[18] = accum.monty_step(p[0], p_dash);
909 accum.mul(ws[0], p[19]);
910 accum.mul(ws[1], p[18]);
911 accum.mul(ws[2], p[17]);
912 accum.mul(ws[3], p[16]);
913 accum.mul(ws[4], p[15]);
914 accum.mul(ws[5], p[14]);
915 accum.mul(ws[6], p[13]);
916 accum.mul(ws[7], p[12]);
917 accum.mul(ws[8], p[11]);
918 accum.mul(ws[9], p[10]);
919 accum.mul(ws[10], p[9]);
920 accum.mul(ws[11], p[8]);
921 accum.mul(ws[12], p[7]);
922 accum.mul(ws[13], p[6]);
923 accum.mul(ws[14], p[5]);
924 accum.mul(ws[15], p[4]);
925 accum.mul(ws[16], p[3]);
926 accum.mul(ws[17], p[2]);
927 accum.mul(ws[18], p[1]);
928 accum.add(z[19]);
929 ws[19] = accum.monty_step(p[0], p_dash);
930 accum.mul(ws[0], p[20]);
931 accum.mul(ws[1], p[19]);
932 accum.mul(ws[2], p[18]);
933 accum.mul(ws[3], p[17]);
934 accum.mul(ws[4], p[16]);
935 accum.mul(ws[5], p[15]);
936 accum.mul(ws[6], p[14]);
937 accum.mul(ws[7], p[13]);
938 accum.mul(ws[8], p[12]);
939 accum.mul(ws[9], p[11]);
940 accum.mul(ws[10], p[10]);
941 accum.mul(ws[11], p[9]);
942 accum.mul(ws[12], p[8]);
943 accum.mul(ws[13], p[7]);
944 accum.mul(ws[14], p[6]);
945 accum.mul(ws[15], p[5]);
946 accum.mul(ws[16], p[4]);
947 accum.mul(ws[17], p[3]);
948 accum.mul(ws[18], p[2]);
949 accum.mul(ws[19], p[1]);
950 accum.add(z[20]);
951 ws[20] = accum.monty_step(p[0], p_dash);
952 accum.mul(ws[0], p[21]);
953 accum.mul(ws[1], p[20]);
954 accum.mul(ws[2], p[19]);
955 accum.mul(ws[3], p[18]);
956 accum.mul(ws[4], p[17]);
957 accum.mul(ws[5], p[16]);
958 accum.mul(ws[6], p[15]);
959 accum.mul(ws[7], p[14]);
960 accum.mul(ws[8], p[13]);
961 accum.mul(ws[9], p[12]);
962 accum.mul(ws[10], p[11]);
963 accum.mul(ws[11], p[10]);
964 accum.mul(ws[12], p[9]);
965 accum.mul(ws[13], p[8]);
966 accum.mul(ws[14], p[7]);
967 accum.mul(ws[15], p[6]);
968 accum.mul(ws[16], p[5]);
969 accum.mul(ws[17], p[4]);
970 accum.mul(ws[18], p[3]);
971 accum.mul(ws[19], p[2]);
972 accum.mul(ws[20], p[1]);
973 accum.add(z[21]);
974 ws[21] = accum.monty_step(p[0], p_dash);
975 accum.mul(ws[0], p[22]);
976 accum.mul(ws[1], p[21]);
977 accum.mul(ws[2], p[20]);
978 accum.mul(ws[3], p[19]);
979 accum.mul(ws[4], p[18]);
980 accum.mul(ws[5], p[17]);
981 accum.mul(ws[6], p[16]);
982 accum.mul(ws[7], p[15]);
983 accum.mul(ws[8], p[14]);
984 accum.mul(ws[9], p[13]);
985 accum.mul(ws[10], p[12]);
986 accum.mul(ws[11], p[11]);
987 accum.mul(ws[12], p[10]);
988 accum.mul(ws[13], p[9]);
989 accum.mul(ws[14], p[8]);
990 accum.mul(ws[15], p[7]);
991 accum.mul(ws[16], p[6]);
992 accum.mul(ws[17], p[5]);
993 accum.mul(ws[18], p[4]);
994 accum.mul(ws[19], p[3]);
995 accum.mul(ws[20], p[2]);
996 accum.mul(ws[21], p[1]);
997 accum.add(z[22]);
998 ws[22] = accum.monty_step(p[0], p_dash);
999 accum.mul(ws[0], p[23]);
1000 accum.mul(ws[1], p[22]);
1001 accum.mul(ws[2], p[21]);
1002 accum.mul(ws[3], p[20]);
1003 accum.mul(ws[4], p[19]);
1004 accum.mul(ws[5], p[18]);
1005 accum.mul(ws[6], p[17]);
1006 accum.mul(ws[7], p[16]);
1007 accum.mul(ws[8], p[15]);
1008 accum.mul(ws[9], p[14]);
1009 accum.mul(ws[10], p[13]);
1010 accum.mul(ws[11], p[12]);
1011 accum.mul(ws[12], p[11]);
1012 accum.mul(ws[13], p[10]);
1013 accum.mul(ws[14], p[9]);
1014 accum.mul(ws[15], p[8]);
1015 accum.mul(ws[16], p[7]);
1016 accum.mul(ws[17], p[6]);
1017 accum.mul(ws[18], p[5]);
1018 accum.mul(ws[19], p[4]);
1019 accum.mul(ws[20], p[3]);
1020 accum.mul(ws[21], p[2]);
1021 accum.mul(ws[22], p[1]);
1022 accum.add(z[23]);
1023 ws[23] = accum.monty_step(p[0], p_dash);
1024 accum.mul(ws[1], p[23]);
1025 accum.mul(ws[2], p[22]);
1026 accum.mul(ws[3], p[21]);
1027 accum.mul(ws[4], p[20]);
1028 accum.mul(ws[5], p[19]);
1029 accum.mul(ws[6], p[18]);
1030 accum.mul(ws[7], p[17]);
1031 accum.mul(ws[8], p[16]);
1032 accum.mul(ws[9], p[15]);
1033 accum.mul(ws[10], p[14]);
1034 accum.mul(ws[11], p[13]);
1035 accum.mul(ws[12], p[12]);
1036 accum.mul(ws[13], p[11]);
1037 accum.mul(ws[14], p[10]);
1038 accum.mul(ws[15], p[9]);
1039 accum.mul(ws[16], p[8]);
1040 accum.mul(ws[17], p[7]);
1041 accum.mul(ws[18], p[6]);
1042 accum.mul(ws[19], p[5]);
1043 accum.mul(ws[20], p[4]);
1044 accum.mul(ws[21], p[3]);
1045 accum.mul(ws[22], p[2]);
1046 accum.mul(ws[23], p[1]);
1047 accum.add(z[24]);
1048 ws[0] = accum.extract();
1049 accum.mul(ws[2], p[23]);
1050 accum.mul(ws[3], p[22]);
1051 accum.mul(ws[4], p[21]);
1052 accum.mul(ws[5], p[20]);
1053 accum.mul(ws[6], p[19]);
1054 accum.mul(ws[7], p[18]);
1055 accum.mul(ws[8], p[17]);
1056 accum.mul(ws[9], p[16]);
1057 accum.mul(ws[10], p[15]);
1058 accum.mul(ws[11], p[14]);
1059 accum.mul(ws[12], p[13]);
1060 accum.mul(ws[13], p[12]);
1061 accum.mul(ws[14], p[11]);
1062 accum.mul(ws[15], p[10]);
1063 accum.mul(ws[16], p[9]);
1064 accum.mul(ws[17], p[8]);
1065 accum.mul(ws[18], p[7]);
1066 accum.mul(ws[19], p[6]);
1067 accum.mul(ws[20], p[5]);
1068 accum.mul(ws[21], p[4]);
1069 accum.mul(ws[22], p[3]);
1070 accum.mul(ws[23], p[2]);
1071 accum.add(z[25]);
1072 ws[1] = accum.extract();
1073 accum.mul(ws[3], p[23]);
1074 accum.mul(ws[4], p[22]);
1075 accum.mul(ws[5], p[21]);
1076 accum.mul(ws[6], p[20]);
1077 accum.mul(ws[7], p[19]);
1078 accum.mul(ws[8], p[18]);
1079 accum.mul(ws[9], p[17]);
1080 accum.mul(ws[10], p[16]);
1081 accum.mul(ws[11], p[15]);
1082 accum.mul(ws[12], p[14]);
1083 accum.mul(ws[13], p[13]);
1084 accum.mul(ws[14], p[12]);
1085 accum.mul(ws[15], p[11]);
1086 accum.mul(ws[16], p[10]);
1087 accum.mul(ws[17], p[9]);
1088 accum.mul(ws[18], p[8]);
1089 accum.mul(ws[19], p[7]);
1090 accum.mul(ws[20], p[6]);
1091 accum.mul(ws[21], p[5]);
1092 accum.mul(ws[22], p[4]);
1093 accum.mul(ws[23], p[3]);
1094 accum.add(z[26]);
1095 ws[2] = accum.extract();
1096 accum.mul(ws[4], p[23]);
1097 accum.mul(ws[5], p[22]);
1098 accum.mul(ws[6], p[21]);
1099 accum.mul(ws[7], p[20]);
1100 accum.mul(ws[8], p[19]);
1101 accum.mul(ws[9], p[18]);
1102 accum.mul(ws[10], p[17]);
1103 accum.mul(ws[11], p[16]);
1104 accum.mul(ws[12], p[15]);
1105 accum.mul(ws[13], p[14]);
1106 accum.mul(ws[14], p[13]);
1107 accum.mul(ws[15], p[12]);
1108 accum.mul(ws[16], p[11]);
1109 accum.mul(ws[17], p[10]);
1110 accum.mul(ws[18], p[9]);
1111 accum.mul(ws[19], p[8]);
1112 accum.mul(ws[20], p[7]);
1113 accum.mul(ws[21], p[6]);
1114 accum.mul(ws[22], p[5]);
1115 accum.mul(ws[23], p[4]);
1116 accum.add(z[27]);
1117 ws[3] = accum.extract();
1118 accum.mul(ws[5], p[23]);
1119 accum.mul(ws[6], p[22]);
1120 accum.mul(ws[7], p[21]);
1121 accum.mul(ws[8], p[20]);
1122 accum.mul(ws[9], p[19]);
1123 accum.mul(ws[10], p[18]);
1124 accum.mul(ws[11], p[17]);
1125 accum.mul(ws[12], p[16]);
1126 accum.mul(ws[13], p[15]);
1127 accum.mul(ws[14], p[14]);
1128 accum.mul(ws[15], p[13]);
1129 accum.mul(ws[16], p[12]);
1130 accum.mul(ws[17], p[11]);
1131 accum.mul(ws[18], p[10]);
1132 accum.mul(ws[19], p[9]);
1133 accum.mul(ws[20], p[8]);
1134 accum.mul(ws[21], p[7]);
1135 accum.mul(ws[22], p[6]);
1136 accum.mul(ws[23], p[5]);
1137 accum.add(z[28]);
1138 ws[4] = accum.extract();
1139 accum.mul(ws[6], p[23]);
1140 accum.mul(ws[7], p[22]);
1141 accum.mul(ws[8], p[21]);
1142 accum.mul(ws[9], p[20]);
1143 accum.mul(ws[10], p[19]);
1144 accum.mul(ws[11], p[18]);
1145 accum.mul(ws[12], p[17]);
1146 accum.mul(ws[13], p[16]);
1147 accum.mul(ws[14], p[15]);
1148 accum.mul(ws[15], p[14]);
1149 accum.mul(ws[16], p[13]);
1150 accum.mul(ws[17], p[12]);
1151 accum.mul(ws[18], p[11]);
1152 accum.mul(ws[19], p[10]);
1153 accum.mul(ws[20], p[9]);
1154 accum.mul(ws[21], p[8]);
1155 accum.mul(ws[22], p[7]);
1156 accum.mul(ws[23], p[6]);
1157 accum.add(z[29]);
1158 ws[5] = accum.extract();
1159 accum.mul(ws[7], p[23]);
1160 accum.mul(ws[8], p[22]);
1161 accum.mul(ws[9], p[21]);
1162 accum.mul(ws[10], p[20]);
1163 accum.mul(ws[11], p[19]);
1164 accum.mul(ws[12], p[18]);
1165 accum.mul(ws[13], p[17]);
1166 accum.mul(ws[14], p[16]);
1167 accum.mul(ws[15], p[15]);
1168 accum.mul(ws[16], p[14]);
1169 accum.mul(ws[17], p[13]);
1170 accum.mul(ws[18], p[12]);
1171 accum.mul(ws[19], p[11]);
1172 accum.mul(ws[20], p[10]);
1173 accum.mul(ws[21], p[9]);
1174 accum.mul(ws[22], p[8]);
1175 accum.mul(ws[23], p[7]);
1176 accum.add(z[30]);
1177 ws[6] = accum.extract();
1178 accum.mul(ws[8], p[23]);
1179 accum.mul(ws[9], p[22]);
1180 accum.mul(ws[10], p[21]);
1181 accum.mul(ws[11], p[20]);
1182 accum.mul(ws[12], p[19]);
1183 accum.mul(ws[13], p[18]);
1184 accum.mul(ws[14], p[17]);
1185 accum.mul(ws[15], p[16]);
1186 accum.mul(ws[16], p[15]);
1187 accum.mul(ws[17], p[14]);
1188 accum.mul(ws[18], p[13]);
1189 accum.mul(ws[19], p[12]);
1190 accum.mul(ws[20], p[11]);
1191 accum.mul(ws[21], p[10]);
1192 accum.mul(ws[22], p[9]);
1193 accum.mul(ws[23], p[8]);
1194 accum.add(z[31]);
1195 ws[7] = accum.extract();
1196 accum.mul(ws[9], p[23]);
1197 accum.mul(ws[10], p[22]);
1198 accum.mul(ws[11], p[21]);
1199 accum.mul(ws[12], p[20]);
1200 accum.mul(ws[13], p[19]);
1201 accum.mul(ws[14], p[18]);
1202 accum.mul(ws[15], p[17]);
1203 accum.mul(ws[16], p[16]);
1204 accum.mul(ws[17], p[15]);
1205 accum.mul(ws[18], p[14]);
1206 accum.mul(ws[19], p[13]);
1207 accum.mul(ws[20], p[12]);
1208 accum.mul(ws[21], p[11]);
1209 accum.mul(ws[22], p[10]);
1210 accum.mul(ws[23], p[9]);
1211 accum.add(z[32]);
1212 ws[8] = accum.extract();
1213 accum.mul(ws[10], p[23]);
1214 accum.mul(ws[11], p[22]);
1215 accum.mul(ws[12], p[21]);
1216 accum.mul(ws[13], p[20]);
1217 accum.mul(ws[14], p[19]);
1218 accum.mul(ws[15], p[18]);
1219 accum.mul(ws[16], p[17]);
1220 accum.mul(ws[17], p[16]);
1221 accum.mul(ws[18], p[15]);
1222 accum.mul(ws[19], p[14]);
1223 accum.mul(ws[20], p[13]);
1224 accum.mul(ws[21], p[12]);
1225 accum.mul(ws[22], p[11]);
1226 accum.mul(ws[23], p[10]);
1227 accum.add(z[33]);
1228 ws[9] = accum.extract();
1229 accum.mul(ws[11], p[23]);
1230 accum.mul(ws[12], p[22]);
1231 accum.mul(ws[13], p[21]);
1232 accum.mul(ws[14], p[20]);
1233 accum.mul(ws[15], p[19]);
1234 accum.mul(ws[16], p[18]);
1235 accum.mul(ws[17], p[17]);
1236 accum.mul(ws[18], p[16]);
1237 accum.mul(ws[19], p[15]);
1238 accum.mul(ws[20], p[14]);
1239 accum.mul(ws[21], p[13]);
1240 accum.mul(ws[22], p[12]);
1241 accum.mul(ws[23], p[11]);
1242 accum.add(z[34]);
1243 ws[10] = accum.extract();
1244 accum.mul(ws[12], p[23]);
1245 accum.mul(ws[13], p[22]);
1246 accum.mul(ws[14], p[21]);
1247 accum.mul(ws[15], p[20]);
1248 accum.mul(ws[16], p[19]);
1249 accum.mul(ws[17], p[18]);
1250 accum.mul(ws[18], p[17]);
1251 accum.mul(ws[19], p[16]);
1252 accum.mul(ws[20], p[15]);
1253 accum.mul(ws[21], p[14]);
1254 accum.mul(ws[22], p[13]);
1255 accum.mul(ws[23], p[12]);
1256 accum.add(z[35]);
1257 ws[11] = accum.extract();
1258 accum.mul(ws[13], p[23]);
1259 accum.mul(ws[14], p[22]);
1260 accum.mul(ws[15], p[21]);
1261 accum.mul(ws[16], p[20]);
1262 accum.mul(ws[17], p[19]);
1263 accum.mul(ws[18], p[18]);
1264 accum.mul(ws[19], p[17]);
1265 accum.mul(ws[20], p[16]);
1266 accum.mul(ws[21], p[15]);
1267 accum.mul(ws[22], p[14]);
1268 accum.mul(ws[23], p[13]);
1269 accum.add(z[36]);
1270 ws[12] = accum.extract();
1271 accum.mul(ws[14], p[23]);
1272 accum.mul(ws[15], p[22]);
1273 accum.mul(ws[16], p[21]);
1274 accum.mul(ws[17], p[20]);
1275 accum.mul(ws[18], p[19]);
1276 accum.mul(ws[19], p[18]);
1277 accum.mul(ws[20], p[17]);
1278 accum.mul(ws[21], p[16]);
1279 accum.mul(ws[22], p[15]);
1280 accum.mul(ws[23], p[14]);
1281 accum.add(z[37]);
1282 ws[13] = accum.extract();
1283 accum.mul(ws[15], p[23]);
1284 accum.mul(ws[16], p[22]);
1285 accum.mul(ws[17], p[21]);
1286 accum.mul(ws[18], p[20]);
1287 accum.mul(ws[19], p[19]);
1288 accum.mul(ws[20], p[18]);
1289 accum.mul(ws[21], p[17]);
1290 accum.mul(ws[22], p[16]);
1291 accum.mul(ws[23], p[15]);
1292 accum.add(z[38]);
1293 ws[14] = accum.extract();
1294 accum.mul(ws[16], p[23]);
1295 accum.mul(ws[17], p[22]);
1296 accum.mul(ws[18], p[21]);
1297 accum.mul(ws[19], p[20]);
1298 accum.mul(ws[20], p[19]);
1299 accum.mul(ws[21], p[18]);
1300 accum.mul(ws[22], p[17]);
1301 accum.mul(ws[23], p[16]);
1302 accum.add(z[39]);
1303 ws[15] = accum.extract();
1304 accum.mul(ws[17], p[23]);
1305 accum.mul(ws[18], p[22]);
1306 accum.mul(ws[19], p[21]);
1307 accum.mul(ws[20], p[20]);
1308 accum.mul(ws[21], p[19]);
1309 accum.mul(ws[22], p[18]);
1310 accum.mul(ws[23], p[17]);
1311 accum.add(z[40]);
1312 ws[16] = accum.extract();
1313 accum.mul(ws[18], p[23]);
1314 accum.mul(ws[19], p[22]);
1315 accum.mul(ws[20], p[21]);
1316 accum.mul(ws[21], p[20]);
1317 accum.mul(ws[22], p[19]);
1318 accum.mul(ws[23], p[18]);
1319 accum.add(z[41]);
1320 ws[17] = accum.extract();
1321 accum.mul(ws[19], p[23]);
1322 accum.mul(ws[20], p[22]);
1323 accum.mul(ws[21], p[21]);
1324 accum.mul(ws[22], p[20]);
1325 accum.mul(ws[23], p[19]);
1326 accum.add(z[42]);
1327 ws[18] = accum.extract();
1328 accum.mul(ws[20], p[23]);
1329 accum.mul(ws[21], p[22]);
1330 accum.mul(ws[22], p[21]);
1331 accum.mul(ws[23], p[20]);
1332 accum.add(z[43]);
1333 ws[19] = accum.extract();
1334 accum.mul(ws[21], p[23]);
1335 accum.mul(ws[22], p[22]);
1336 accum.mul(ws[23], p[21]);
1337 accum.add(z[44]);
1338 ws[20] = accum.extract();
1339 accum.mul(ws[22], p[23]);
1340 accum.mul(ws[23], p[22]);
1341 accum.add(z[45]);
1342 ws[21] = accum.extract();
1343 accum.mul(ws[23], p[23]);
1344 accum.add(z[46]);
1345 ws[22] = accum.extract();
1346 accum.add(z[47]);
1347 ws[23] = accum.extract();
1348 word w1 = accum.extract();
1349 bigint_monty_maybe_sub<24>(r, w1, ws, p);
1350}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_32()

void Botan::bigint_monty_redc_32 ( word r[32],
const word z[64],
const word p[32],
word p_dash,
word ws[32] )

Definition at line 1352 of file mp_monty_n.cpp.

1352 {
1353 word3<word> accum;
1354 accum.add(z[0]);
1355 ws[0] = accum.monty_step(p[0], p_dash);
1356 accum.mul(ws[0], p[1]);
1357 accum.add(z[1]);
1358 ws[1] = accum.monty_step(p[0], p_dash);
1359 accum.mul(ws[0], p[2]);
1360 accum.mul(ws[1], p[1]);
1361 accum.add(z[2]);
1362 ws[2] = accum.monty_step(p[0], p_dash);
1363 accum.mul(ws[0], p[3]);
1364 accum.mul(ws[1], p[2]);
1365 accum.mul(ws[2], p[1]);
1366 accum.add(z[3]);
1367 ws[3] = accum.monty_step(p[0], p_dash);
1368 accum.mul(ws[0], p[4]);
1369 accum.mul(ws[1], p[3]);
1370 accum.mul(ws[2], p[2]);
1371 accum.mul(ws[3], p[1]);
1372 accum.add(z[4]);
1373 ws[4] = accum.monty_step(p[0], p_dash);
1374 accum.mul(ws[0], p[5]);
1375 accum.mul(ws[1], p[4]);
1376 accum.mul(ws[2], p[3]);
1377 accum.mul(ws[3], p[2]);
1378 accum.mul(ws[4], p[1]);
1379 accum.add(z[5]);
1380 ws[5] = accum.monty_step(p[0], p_dash);
1381 accum.mul(ws[0], p[6]);
1382 accum.mul(ws[1], p[5]);
1383 accum.mul(ws[2], p[4]);
1384 accum.mul(ws[3], p[3]);
1385 accum.mul(ws[4], p[2]);
1386 accum.mul(ws[5], p[1]);
1387 accum.add(z[6]);
1388 ws[6] = accum.monty_step(p[0], p_dash);
1389 accum.mul(ws[0], p[7]);
1390 accum.mul(ws[1], p[6]);
1391 accum.mul(ws[2], p[5]);
1392 accum.mul(ws[3], p[4]);
1393 accum.mul(ws[4], p[3]);
1394 accum.mul(ws[5], p[2]);
1395 accum.mul(ws[6], p[1]);
1396 accum.add(z[7]);
1397 ws[7] = accum.monty_step(p[0], p_dash);
1398 accum.mul(ws[0], p[8]);
1399 accum.mul(ws[1], p[7]);
1400 accum.mul(ws[2], p[6]);
1401 accum.mul(ws[3], p[5]);
1402 accum.mul(ws[4], p[4]);
1403 accum.mul(ws[5], p[3]);
1404 accum.mul(ws[6], p[2]);
1405 accum.mul(ws[7], p[1]);
1406 accum.add(z[8]);
1407 ws[8] = accum.monty_step(p[0], p_dash);
1408 accum.mul(ws[0], p[9]);
1409 accum.mul(ws[1], p[8]);
1410 accum.mul(ws[2], p[7]);
1411 accum.mul(ws[3], p[6]);
1412 accum.mul(ws[4], p[5]);
1413 accum.mul(ws[5], p[4]);
1414 accum.mul(ws[6], p[3]);
1415 accum.mul(ws[7], p[2]);
1416 accum.mul(ws[8], p[1]);
1417 accum.add(z[9]);
1418 ws[9] = accum.monty_step(p[0], p_dash);
1419 accum.mul(ws[0], p[10]);
1420 accum.mul(ws[1], p[9]);
1421 accum.mul(ws[2], p[8]);
1422 accum.mul(ws[3], p[7]);
1423 accum.mul(ws[4], p[6]);
1424 accum.mul(ws[5], p[5]);
1425 accum.mul(ws[6], p[4]);
1426 accum.mul(ws[7], p[3]);
1427 accum.mul(ws[8], p[2]);
1428 accum.mul(ws[9], p[1]);
1429 accum.add(z[10]);
1430 ws[10] = accum.monty_step(p[0], p_dash);
1431 accum.mul(ws[0], p[11]);
1432 accum.mul(ws[1], p[10]);
1433 accum.mul(ws[2], p[9]);
1434 accum.mul(ws[3], p[8]);
1435 accum.mul(ws[4], p[7]);
1436 accum.mul(ws[5], p[6]);
1437 accum.mul(ws[6], p[5]);
1438 accum.mul(ws[7], p[4]);
1439 accum.mul(ws[8], p[3]);
1440 accum.mul(ws[9], p[2]);
1441 accum.mul(ws[10], p[1]);
1442 accum.add(z[11]);
1443 ws[11] = accum.monty_step(p[0], p_dash);
1444 accum.mul(ws[0], p[12]);
1445 accum.mul(ws[1], p[11]);
1446 accum.mul(ws[2], p[10]);
1447 accum.mul(ws[3], p[9]);
1448 accum.mul(ws[4], p[8]);
1449 accum.mul(ws[5], p[7]);
1450 accum.mul(ws[6], p[6]);
1451 accum.mul(ws[7], p[5]);
1452 accum.mul(ws[8], p[4]);
1453 accum.mul(ws[9], p[3]);
1454 accum.mul(ws[10], p[2]);
1455 accum.mul(ws[11], p[1]);
1456 accum.add(z[12]);
1457 ws[12] = accum.monty_step(p[0], p_dash);
1458 accum.mul(ws[0], p[13]);
1459 accum.mul(ws[1], p[12]);
1460 accum.mul(ws[2], p[11]);
1461 accum.mul(ws[3], p[10]);
1462 accum.mul(ws[4], p[9]);
1463 accum.mul(ws[5], p[8]);
1464 accum.mul(ws[6], p[7]);
1465 accum.mul(ws[7], p[6]);
1466 accum.mul(ws[8], p[5]);
1467 accum.mul(ws[9], p[4]);
1468 accum.mul(ws[10], p[3]);
1469 accum.mul(ws[11], p[2]);
1470 accum.mul(ws[12], p[1]);
1471 accum.add(z[13]);
1472 ws[13] = accum.monty_step(p[0], p_dash);
1473 accum.mul(ws[0], p[14]);
1474 accum.mul(ws[1], p[13]);
1475 accum.mul(ws[2], p[12]);
1476 accum.mul(ws[3], p[11]);
1477 accum.mul(ws[4], p[10]);
1478 accum.mul(ws[5], p[9]);
1479 accum.mul(ws[6], p[8]);
1480 accum.mul(ws[7], p[7]);
1481 accum.mul(ws[8], p[6]);
1482 accum.mul(ws[9], p[5]);
1483 accum.mul(ws[10], p[4]);
1484 accum.mul(ws[11], p[3]);
1485 accum.mul(ws[12], p[2]);
1486 accum.mul(ws[13], p[1]);
1487 accum.add(z[14]);
1488 ws[14] = accum.monty_step(p[0], p_dash);
1489 accum.mul(ws[0], p[15]);
1490 accum.mul(ws[1], p[14]);
1491 accum.mul(ws[2], p[13]);
1492 accum.mul(ws[3], p[12]);
1493 accum.mul(ws[4], p[11]);
1494 accum.mul(ws[5], p[10]);
1495 accum.mul(ws[6], p[9]);
1496 accum.mul(ws[7], p[8]);
1497 accum.mul(ws[8], p[7]);
1498 accum.mul(ws[9], p[6]);
1499 accum.mul(ws[10], p[5]);
1500 accum.mul(ws[11], p[4]);
1501 accum.mul(ws[12], p[3]);
1502 accum.mul(ws[13], p[2]);
1503 accum.mul(ws[14], p[1]);
1504 accum.add(z[15]);
1505 ws[15] = accum.monty_step(p[0], p_dash);
1506 accum.mul(ws[0], p[16]);
1507 accum.mul(ws[1], p[15]);
1508 accum.mul(ws[2], p[14]);
1509 accum.mul(ws[3], p[13]);
1510 accum.mul(ws[4], p[12]);
1511 accum.mul(ws[5], p[11]);
1512 accum.mul(ws[6], p[10]);
1513 accum.mul(ws[7], p[9]);
1514 accum.mul(ws[8], p[8]);
1515 accum.mul(ws[9], p[7]);
1516 accum.mul(ws[10], p[6]);
1517 accum.mul(ws[11], p[5]);
1518 accum.mul(ws[12], p[4]);
1519 accum.mul(ws[13], p[3]);
1520 accum.mul(ws[14], p[2]);
1521 accum.mul(ws[15], p[1]);
1522 accum.add(z[16]);
1523 ws[16] = accum.monty_step(p[0], p_dash);
1524 accum.mul(ws[0], p[17]);
1525 accum.mul(ws[1], p[16]);
1526 accum.mul(ws[2], p[15]);
1527 accum.mul(ws[3], p[14]);
1528 accum.mul(ws[4], p[13]);
1529 accum.mul(ws[5], p[12]);
1530 accum.mul(ws[6], p[11]);
1531 accum.mul(ws[7], p[10]);
1532 accum.mul(ws[8], p[9]);
1533 accum.mul(ws[9], p[8]);
1534 accum.mul(ws[10], p[7]);
1535 accum.mul(ws[11], p[6]);
1536 accum.mul(ws[12], p[5]);
1537 accum.mul(ws[13], p[4]);
1538 accum.mul(ws[14], p[3]);
1539 accum.mul(ws[15], p[2]);
1540 accum.mul(ws[16], p[1]);
1541 accum.add(z[17]);
1542 ws[17] = accum.monty_step(p[0], p_dash);
1543 accum.mul(ws[0], p[18]);
1544 accum.mul(ws[1], p[17]);
1545 accum.mul(ws[2], p[16]);
1546 accum.mul(ws[3], p[15]);
1547 accum.mul(ws[4], p[14]);
1548 accum.mul(ws[5], p[13]);
1549 accum.mul(ws[6], p[12]);
1550 accum.mul(ws[7], p[11]);
1551 accum.mul(ws[8], p[10]);
1552 accum.mul(ws[9], p[9]);
1553 accum.mul(ws[10], p[8]);
1554 accum.mul(ws[11], p[7]);
1555 accum.mul(ws[12], p[6]);
1556 accum.mul(ws[13], p[5]);
1557 accum.mul(ws[14], p[4]);
1558 accum.mul(ws[15], p[3]);
1559 accum.mul(ws[16], p[2]);
1560 accum.mul(ws[17], p[1]);
1561 accum.add(z[18]);
1562 ws[18] = accum.monty_step(p[0], p_dash);
1563 accum.mul(ws[0], p[19]);
1564 accum.mul(ws[1], p[18]);
1565 accum.mul(ws[2], p[17]);
1566 accum.mul(ws[3], p[16]);
1567 accum.mul(ws[4], p[15]);
1568 accum.mul(ws[5], p[14]);
1569 accum.mul(ws[6], p[13]);
1570 accum.mul(ws[7], p[12]);
1571 accum.mul(ws[8], p[11]);
1572 accum.mul(ws[9], p[10]);
1573 accum.mul(ws[10], p[9]);
1574 accum.mul(ws[11], p[8]);
1575 accum.mul(ws[12], p[7]);
1576 accum.mul(ws[13], p[6]);
1577 accum.mul(ws[14], p[5]);
1578 accum.mul(ws[15], p[4]);
1579 accum.mul(ws[16], p[3]);
1580 accum.mul(ws[17], p[2]);
1581 accum.mul(ws[18], p[1]);
1582 accum.add(z[19]);
1583 ws[19] = accum.monty_step(p[0], p_dash);
1584 accum.mul(ws[0], p[20]);
1585 accum.mul(ws[1], p[19]);
1586 accum.mul(ws[2], p[18]);
1587 accum.mul(ws[3], p[17]);
1588 accum.mul(ws[4], p[16]);
1589 accum.mul(ws[5], p[15]);
1590 accum.mul(ws[6], p[14]);
1591 accum.mul(ws[7], p[13]);
1592 accum.mul(ws[8], p[12]);
1593 accum.mul(ws[9], p[11]);
1594 accum.mul(ws[10], p[10]);
1595 accum.mul(ws[11], p[9]);
1596 accum.mul(ws[12], p[8]);
1597 accum.mul(ws[13], p[7]);
1598 accum.mul(ws[14], p[6]);
1599 accum.mul(ws[15], p[5]);
1600 accum.mul(ws[16], p[4]);
1601 accum.mul(ws[17], p[3]);
1602 accum.mul(ws[18], p[2]);
1603 accum.mul(ws[19], p[1]);
1604 accum.add(z[20]);
1605 ws[20] = accum.monty_step(p[0], p_dash);
1606 accum.mul(ws[0], p[21]);
1607 accum.mul(ws[1], p[20]);
1608 accum.mul(ws[2], p[19]);
1609 accum.mul(ws[3], p[18]);
1610 accum.mul(ws[4], p[17]);
1611 accum.mul(ws[5], p[16]);
1612 accum.mul(ws[6], p[15]);
1613 accum.mul(ws[7], p[14]);
1614 accum.mul(ws[8], p[13]);
1615 accum.mul(ws[9], p[12]);
1616 accum.mul(ws[10], p[11]);
1617 accum.mul(ws[11], p[10]);
1618 accum.mul(ws[12], p[9]);
1619 accum.mul(ws[13], p[8]);
1620 accum.mul(ws[14], p[7]);
1621 accum.mul(ws[15], p[6]);
1622 accum.mul(ws[16], p[5]);
1623 accum.mul(ws[17], p[4]);
1624 accum.mul(ws[18], p[3]);
1625 accum.mul(ws[19], p[2]);
1626 accum.mul(ws[20], p[1]);
1627 accum.add(z[21]);
1628 ws[21] = accum.monty_step(p[0], p_dash);
1629 accum.mul(ws[0], p[22]);
1630 accum.mul(ws[1], p[21]);
1631 accum.mul(ws[2], p[20]);
1632 accum.mul(ws[3], p[19]);
1633 accum.mul(ws[4], p[18]);
1634 accum.mul(ws[5], p[17]);
1635 accum.mul(ws[6], p[16]);
1636 accum.mul(ws[7], p[15]);
1637 accum.mul(ws[8], p[14]);
1638 accum.mul(ws[9], p[13]);
1639 accum.mul(ws[10], p[12]);
1640 accum.mul(ws[11], p[11]);
1641 accum.mul(ws[12], p[10]);
1642 accum.mul(ws[13], p[9]);
1643 accum.mul(ws[14], p[8]);
1644 accum.mul(ws[15], p[7]);
1645 accum.mul(ws[16], p[6]);
1646 accum.mul(ws[17], p[5]);
1647 accum.mul(ws[18], p[4]);
1648 accum.mul(ws[19], p[3]);
1649 accum.mul(ws[20], p[2]);
1650 accum.mul(ws[21], p[1]);
1651 accum.add(z[22]);
1652 ws[22] = accum.monty_step(p[0], p_dash);
1653 accum.mul(ws[0], p[23]);
1654 accum.mul(ws[1], p[22]);
1655 accum.mul(ws[2], p[21]);
1656 accum.mul(ws[3], p[20]);
1657 accum.mul(ws[4], p[19]);
1658 accum.mul(ws[5], p[18]);
1659 accum.mul(ws[6], p[17]);
1660 accum.mul(ws[7], p[16]);
1661 accum.mul(ws[8], p[15]);
1662 accum.mul(ws[9], p[14]);
1663 accum.mul(ws[10], p[13]);
1664 accum.mul(ws[11], p[12]);
1665 accum.mul(ws[12], p[11]);
1666 accum.mul(ws[13], p[10]);
1667 accum.mul(ws[14], p[9]);
1668 accum.mul(ws[15], p[8]);
1669 accum.mul(ws[16], p[7]);
1670 accum.mul(ws[17], p[6]);
1671 accum.mul(ws[18], p[5]);
1672 accum.mul(ws[19], p[4]);
1673 accum.mul(ws[20], p[3]);
1674 accum.mul(ws[21], p[2]);
1675 accum.mul(ws[22], p[1]);
1676 accum.add(z[23]);
1677 ws[23] = accum.monty_step(p[0], p_dash);
1678 accum.mul(ws[0], p[24]);
1679 accum.mul(ws[1], p[23]);
1680 accum.mul(ws[2], p[22]);
1681 accum.mul(ws[3], p[21]);
1682 accum.mul(ws[4], p[20]);
1683 accum.mul(ws[5], p[19]);
1684 accum.mul(ws[6], p[18]);
1685 accum.mul(ws[7], p[17]);
1686 accum.mul(ws[8], p[16]);
1687 accum.mul(ws[9], p[15]);
1688 accum.mul(ws[10], p[14]);
1689 accum.mul(ws[11], p[13]);
1690 accum.mul(ws[12], p[12]);
1691 accum.mul(ws[13], p[11]);
1692 accum.mul(ws[14], p[10]);
1693 accum.mul(ws[15], p[9]);
1694 accum.mul(ws[16], p[8]);
1695 accum.mul(ws[17], p[7]);
1696 accum.mul(ws[18], p[6]);
1697 accum.mul(ws[19], p[5]);
1698 accum.mul(ws[20], p[4]);
1699 accum.mul(ws[21], p[3]);
1700 accum.mul(ws[22], p[2]);
1701 accum.mul(ws[23], p[1]);
1702 accum.add(z[24]);
1703 ws[24] = accum.monty_step(p[0], p_dash);
1704 accum.mul(ws[0], p[25]);
1705 accum.mul(ws[1], p[24]);
1706 accum.mul(ws[2], p[23]);
1707 accum.mul(ws[3], p[22]);
1708 accum.mul(ws[4], p[21]);
1709 accum.mul(ws[5], p[20]);
1710 accum.mul(ws[6], p[19]);
1711 accum.mul(ws[7], p[18]);
1712 accum.mul(ws[8], p[17]);
1713 accum.mul(ws[9], p[16]);
1714 accum.mul(ws[10], p[15]);
1715 accum.mul(ws[11], p[14]);
1716 accum.mul(ws[12], p[13]);
1717 accum.mul(ws[13], p[12]);
1718 accum.mul(ws[14], p[11]);
1719 accum.mul(ws[15], p[10]);
1720 accum.mul(ws[16], p[9]);
1721 accum.mul(ws[17], p[8]);
1722 accum.mul(ws[18], p[7]);
1723 accum.mul(ws[19], p[6]);
1724 accum.mul(ws[20], p[5]);
1725 accum.mul(ws[21], p[4]);
1726 accum.mul(ws[22], p[3]);
1727 accum.mul(ws[23], p[2]);
1728 accum.mul(ws[24], p[1]);
1729 accum.add(z[25]);
1730 ws[25] = accum.monty_step(p[0], p_dash);
1731 accum.mul(ws[0], p[26]);
1732 accum.mul(ws[1], p[25]);
1733 accum.mul(ws[2], p[24]);
1734 accum.mul(ws[3], p[23]);
1735 accum.mul(ws[4], p[22]);
1736 accum.mul(ws[5], p[21]);
1737 accum.mul(ws[6], p[20]);
1738 accum.mul(ws[7], p[19]);
1739 accum.mul(ws[8], p[18]);
1740 accum.mul(ws[9], p[17]);
1741 accum.mul(ws[10], p[16]);
1742 accum.mul(ws[11], p[15]);
1743 accum.mul(ws[12], p[14]);
1744 accum.mul(ws[13], p[13]);
1745 accum.mul(ws[14], p[12]);
1746 accum.mul(ws[15], p[11]);
1747 accum.mul(ws[16], p[10]);
1748 accum.mul(ws[17], p[9]);
1749 accum.mul(ws[18], p[8]);
1750 accum.mul(ws[19], p[7]);
1751 accum.mul(ws[20], p[6]);
1752 accum.mul(ws[21], p[5]);
1753 accum.mul(ws[22], p[4]);
1754 accum.mul(ws[23], p[3]);
1755 accum.mul(ws[24], p[2]);
1756 accum.mul(ws[25], p[1]);
1757 accum.add(z[26]);
1758 ws[26] = accum.monty_step(p[0], p_dash);
1759 accum.mul(ws[0], p[27]);
1760 accum.mul(ws[1], p[26]);
1761 accum.mul(ws[2], p[25]);
1762 accum.mul(ws[3], p[24]);
1763 accum.mul(ws[4], p[23]);
1764 accum.mul(ws[5], p[22]);
1765 accum.mul(ws[6], p[21]);
1766 accum.mul(ws[7], p[20]);
1767 accum.mul(ws[8], p[19]);
1768 accum.mul(ws[9], p[18]);
1769 accum.mul(ws[10], p[17]);
1770 accum.mul(ws[11], p[16]);
1771 accum.mul(ws[12], p[15]);
1772 accum.mul(ws[13], p[14]);
1773 accum.mul(ws[14], p[13]);
1774 accum.mul(ws[15], p[12]);
1775 accum.mul(ws[16], p[11]);
1776 accum.mul(ws[17], p[10]);
1777 accum.mul(ws[18], p[9]);
1778 accum.mul(ws[19], p[8]);
1779 accum.mul(ws[20], p[7]);
1780 accum.mul(ws[21], p[6]);
1781 accum.mul(ws[22], p[5]);
1782 accum.mul(ws[23], p[4]);
1783 accum.mul(ws[24], p[3]);
1784 accum.mul(ws[25], p[2]);
1785 accum.mul(ws[26], p[1]);
1786 accum.add(z[27]);
1787 ws[27] = accum.monty_step(p[0], p_dash);
1788 accum.mul(ws[0], p[28]);
1789 accum.mul(ws[1], p[27]);
1790 accum.mul(ws[2], p[26]);
1791 accum.mul(ws[3], p[25]);
1792 accum.mul(ws[4], p[24]);
1793 accum.mul(ws[5], p[23]);
1794 accum.mul(ws[6], p[22]);
1795 accum.mul(ws[7], p[21]);
1796 accum.mul(ws[8], p[20]);
1797 accum.mul(ws[9], p[19]);
1798 accum.mul(ws[10], p[18]);
1799 accum.mul(ws[11], p[17]);
1800 accum.mul(ws[12], p[16]);
1801 accum.mul(ws[13], p[15]);
1802 accum.mul(ws[14], p[14]);
1803 accum.mul(ws[15], p[13]);
1804 accum.mul(ws[16], p[12]);
1805 accum.mul(ws[17], p[11]);
1806 accum.mul(ws[18], p[10]);
1807 accum.mul(ws[19], p[9]);
1808 accum.mul(ws[20], p[8]);
1809 accum.mul(ws[21], p[7]);
1810 accum.mul(ws[22], p[6]);
1811 accum.mul(ws[23], p[5]);
1812 accum.mul(ws[24], p[4]);
1813 accum.mul(ws[25], p[3]);
1814 accum.mul(ws[26], p[2]);
1815 accum.mul(ws[27], p[1]);
1816 accum.add(z[28]);
1817 ws[28] = accum.monty_step(p[0], p_dash);
1818 accum.mul(ws[0], p[29]);
1819 accum.mul(ws[1], p[28]);
1820 accum.mul(ws[2], p[27]);
1821 accum.mul(ws[3], p[26]);
1822 accum.mul(ws[4], p[25]);
1823 accum.mul(ws[5], p[24]);
1824 accum.mul(ws[6], p[23]);
1825 accum.mul(ws[7], p[22]);
1826 accum.mul(ws[8], p[21]);
1827 accum.mul(ws[9], p[20]);
1828 accum.mul(ws[10], p[19]);
1829 accum.mul(ws[11], p[18]);
1830 accum.mul(ws[12], p[17]);
1831 accum.mul(ws[13], p[16]);
1832 accum.mul(ws[14], p[15]);
1833 accum.mul(ws[15], p[14]);
1834 accum.mul(ws[16], p[13]);
1835 accum.mul(ws[17], p[12]);
1836 accum.mul(ws[18], p[11]);
1837 accum.mul(ws[19], p[10]);
1838 accum.mul(ws[20], p[9]);
1839 accum.mul(ws[21], p[8]);
1840 accum.mul(ws[22], p[7]);
1841 accum.mul(ws[23], p[6]);
1842 accum.mul(ws[24], p[5]);
1843 accum.mul(ws[25], p[4]);
1844 accum.mul(ws[26], p[3]);
1845 accum.mul(ws[27], p[2]);
1846 accum.mul(ws[28], p[1]);
1847 accum.add(z[29]);
1848 ws[29] = accum.monty_step(p[0], p_dash);
1849 accum.mul(ws[0], p[30]);
1850 accum.mul(ws[1], p[29]);
1851 accum.mul(ws[2], p[28]);
1852 accum.mul(ws[3], p[27]);
1853 accum.mul(ws[4], p[26]);
1854 accum.mul(ws[5], p[25]);
1855 accum.mul(ws[6], p[24]);
1856 accum.mul(ws[7], p[23]);
1857 accum.mul(ws[8], p[22]);
1858 accum.mul(ws[9], p[21]);
1859 accum.mul(ws[10], p[20]);
1860 accum.mul(ws[11], p[19]);
1861 accum.mul(ws[12], p[18]);
1862 accum.mul(ws[13], p[17]);
1863 accum.mul(ws[14], p[16]);
1864 accum.mul(ws[15], p[15]);
1865 accum.mul(ws[16], p[14]);
1866 accum.mul(ws[17], p[13]);
1867 accum.mul(ws[18], p[12]);
1868 accum.mul(ws[19], p[11]);
1869 accum.mul(ws[20], p[10]);
1870 accum.mul(ws[21], p[9]);
1871 accum.mul(ws[22], p[8]);
1872 accum.mul(ws[23], p[7]);
1873 accum.mul(ws[24], p[6]);
1874 accum.mul(ws[25], p[5]);
1875 accum.mul(ws[26], p[4]);
1876 accum.mul(ws[27], p[3]);
1877 accum.mul(ws[28], p[2]);
1878 accum.mul(ws[29], p[1]);
1879 accum.add(z[30]);
1880 ws[30] = accum.monty_step(p[0], p_dash);
1881 accum.mul(ws[0], p[31]);
1882 accum.mul(ws[1], p[30]);
1883 accum.mul(ws[2], p[29]);
1884 accum.mul(ws[3], p[28]);
1885 accum.mul(ws[4], p[27]);
1886 accum.mul(ws[5], p[26]);
1887 accum.mul(ws[6], p[25]);
1888 accum.mul(ws[7], p[24]);
1889 accum.mul(ws[8], p[23]);
1890 accum.mul(ws[9], p[22]);
1891 accum.mul(ws[10], p[21]);
1892 accum.mul(ws[11], p[20]);
1893 accum.mul(ws[12], p[19]);
1894 accum.mul(ws[13], p[18]);
1895 accum.mul(ws[14], p[17]);
1896 accum.mul(ws[15], p[16]);
1897 accum.mul(ws[16], p[15]);
1898 accum.mul(ws[17], p[14]);
1899 accum.mul(ws[18], p[13]);
1900 accum.mul(ws[19], p[12]);
1901 accum.mul(ws[20], p[11]);
1902 accum.mul(ws[21], p[10]);
1903 accum.mul(ws[22], p[9]);
1904 accum.mul(ws[23], p[8]);
1905 accum.mul(ws[24], p[7]);
1906 accum.mul(ws[25], p[6]);
1907 accum.mul(ws[26], p[5]);
1908 accum.mul(ws[27], p[4]);
1909 accum.mul(ws[28], p[3]);
1910 accum.mul(ws[29], p[2]);
1911 accum.mul(ws[30], p[1]);
1912 accum.add(z[31]);
1913 ws[31] = accum.monty_step(p[0], p_dash);
1914 accum.mul(ws[1], p[31]);
1915 accum.mul(ws[2], p[30]);
1916 accum.mul(ws[3], p[29]);
1917 accum.mul(ws[4], p[28]);
1918 accum.mul(ws[5], p[27]);
1919 accum.mul(ws[6], p[26]);
1920 accum.mul(ws[7], p[25]);
1921 accum.mul(ws[8], p[24]);
1922 accum.mul(ws[9], p[23]);
1923 accum.mul(ws[10], p[22]);
1924 accum.mul(ws[11], p[21]);
1925 accum.mul(ws[12], p[20]);
1926 accum.mul(ws[13], p[19]);
1927 accum.mul(ws[14], p[18]);
1928 accum.mul(ws[15], p[17]);
1929 accum.mul(ws[16], p[16]);
1930 accum.mul(ws[17], p[15]);
1931 accum.mul(ws[18], p[14]);
1932 accum.mul(ws[19], p[13]);
1933 accum.mul(ws[20], p[12]);
1934 accum.mul(ws[21], p[11]);
1935 accum.mul(ws[22], p[10]);
1936 accum.mul(ws[23], p[9]);
1937 accum.mul(ws[24], p[8]);
1938 accum.mul(ws[25], p[7]);
1939 accum.mul(ws[26], p[6]);
1940 accum.mul(ws[27], p[5]);
1941 accum.mul(ws[28], p[4]);
1942 accum.mul(ws[29], p[3]);
1943 accum.mul(ws[30], p[2]);
1944 accum.mul(ws[31], p[1]);
1945 accum.add(z[32]);
1946 ws[0] = accum.extract();
1947 accum.mul(ws[2], p[31]);
1948 accum.mul(ws[3], p[30]);
1949 accum.mul(ws[4], p[29]);
1950 accum.mul(ws[5], p[28]);
1951 accum.mul(ws[6], p[27]);
1952 accum.mul(ws[7], p[26]);
1953 accum.mul(ws[8], p[25]);
1954 accum.mul(ws[9], p[24]);
1955 accum.mul(ws[10], p[23]);
1956 accum.mul(ws[11], p[22]);
1957 accum.mul(ws[12], p[21]);
1958 accum.mul(ws[13], p[20]);
1959 accum.mul(ws[14], p[19]);
1960 accum.mul(ws[15], p[18]);
1961 accum.mul(ws[16], p[17]);
1962 accum.mul(ws[17], p[16]);
1963 accum.mul(ws[18], p[15]);
1964 accum.mul(ws[19], p[14]);
1965 accum.mul(ws[20], p[13]);
1966 accum.mul(ws[21], p[12]);
1967 accum.mul(ws[22], p[11]);
1968 accum.mul(ws[23], p[10]);
1969 accum.mul(ws[24], p[9]);
1970 accum.mul(ws[25], p[8]);
1971 accum.mul(ws[26], p[7]);
1972 accum.mul(ws[27], p[6]);
1973 accum.mul(ws[28], p[5]);
1974 accum.mul(ws[29], p[4]);
1975 accum.mul(ws[30], p[3]);
1976 accum.mul(ws[31], p[2]);
1977 accum.add(z[33]);
1978 ws[1] = accum.extract();
1979 accum.mul(ws[3], p[31]);
1980 accum.mul(ws[4], p[30]);
1981 accum.mul(ws[5], p[29]);
1982 accum.mul(ws[6], p[28]);
1983 accum.mul(ws[7], p[27]);
1984 accum.mul(ws[8], p[26]);
1985 accum.mul(ws[9], p[25]);
1986 accum.mul(ws[10], p[24]);
1987 accum.mul(ws[11], p[23]);
1988 accum.mul(ws[12], p[22]);
1989 accum.mul(ws[13], p[21]);
1990 accum.mul(ws[14], p[20]);
1991 accum.mul(ws[15], p[19]);
1992 accum.mul(ws[16], p[18]);
1993 accum.mul(ws[17], p[17]);
1994 accum.mul(ws[18], p[16]);
1995 accum.mul(ws[19], p[15]);
1996 accum.mul(ws[20], p[14]);
1997 accum.mul(ws[21], p[13]);
1998 accum.mul(ws[22], p[12]);
1999 accum.mul(ws[23], p[11]);
2000 accum.mul(ws[24], p[10]);
2001 accum.mul(ws[25], p[9]);
2002 accum.mul(ws[26], p[8]);
2003 accum.mul(ws[27], p[7]);
2004 accum.mul(ws[28], p[6]);
2005 accum.mul(ws[29], p[5]);
2006 accum.mul(ws[30], p[4]);
2007 accum.mul(ws[31], p[3]);
2008 accum.add(z[34]);
2009 ws[2] = accum.extract();
2010 accum.mul(ws[4], p[31]);
2011 accum.mul(ws[5], p[30]);
2012 accum.mul(ws[6], p[29]);
2013 accum.mul(ws[7], p[28]);
2014 accum.mul(ws[8], p[27]);
2015 accum.mul(ws[9], p[26]);
2016 accum.mul(ws[10], p[25]);
2017 accum.mul(ws[11], p[24]);
2018 accum.mul(ws[12], p[23]);
2019 accum.mul(ws[13], p[22]);
2020 accum.mul(ws[14], p[21]);
2021 accum.mul(ws[15], p[20]);
2022 accum.mul(ws[16], p[19]);
2023 accum.mul(ws[17], p[18]);
2024 accum.mul(ws[18], p[17]);
2025 accum.mul(ws[19], p[16]);
2026 accum.mul(ws[20], p[15]);
2027 accum.mul(ws[21], p[14]);
2028 accum.mul(ws[22], p[13]);
2029 accum.mul(ws[23], p[12]);
2030 accum.mul(ws[24], p[11]);
2031 accum.mul(ws[25], p[10]);
2032 accum.mul(ws[26], p[9]);
2033 accum.mul(ws[27], p[8]);
2034 accum.mul(ws[28], p[7]);
2035 accum.mul(ws[29], p[6]);
2036 accum.mul(ws[30], p[5]);
2037 accum.mul(ws[31], p[4]);
2038 accum.add(z[35]);
2039 ws[3] = accum.extract();
2040 accum.mul(ws[5], p[31]);
2041 accum.mul(ws[6], p[30]);
2042 accum.mul(ws[7], p[29]);
2043 accum.mul(ws[8], p[28]);
2044 accum.mul(ws[9], p[27]);
2045 accum.mul(ws[10], p[26]);
2046 accum.mul(ws[11], p[25]);
2047 accum.mul(ws[12], p[24]);
2048 accum.mul(ws[13], p[23]);
2049 accum.mul(ws[14], p[22]);
2050 accum.mul(ws[15], p[21]);
2051 accum.mul(ws[16], p[20]);
2052 accum.mul(ws[17], p[19]);
2053 accum.mul(ws[18], p[18]);
2054 accum.mul(ws[19], p[17]);
2055 accum.mul(ws[20], p[16]);
2056 accum.mul(ws[21], p[15]);
2057 accum.mul(ws[22], p[14]);
2058 accum.mul(ws[23], p[13]);
2059 accum.mul(ws[24], p[12]);
2060 accum.mul(ws[25], p[11]);
2061 accum.mul(ws[26], p[10]);
2062 accum.mul(ws[27], p[9]);
2063 accum.mul(ws[28], p[8]);
2064 accum.mul(ws[29], p[7]);
2065 accum.mul(ws[30], p[6]);
2066 accum.mul(ws[31], p[5]);
2067 accum.add(z[36]);
2068 ws[4] = accum.extract();
2069 accum.mul(ws[6], p[31]);
2070 accum.mul(ws[7], p[30]);
2071 accum.mul(ws[8], p[29]);
2072 accum.mul(ws[9], p[28]);
2073 accum.mul(ws[10], p[27]);
2074 accum.mul(ws[11], p[26]);
2075 accum.mul(ws[12], p[25]);
2076 accum.mul(ws[13], p[24]);
2077 accum.mul(ws[14], p[23]);
2078 accum.mul(ws[15], p[22]);
2079 accum.mul(ws[16], p[21]);
2080 accum.mul(ws[17], p[20]);
2081 accum.mul(ws[18], p[19]);
2082 accum.mul(ws[19], p[18]);
2083 accum.mul(ws[20], p[17]);
2084 accum.mul(ws[21], p[16]);
2085 accum.mul(ws[22], p[15]);
2086 accum.mul(ws[23], p[14]);
2087 accum.mul(ws[24], p[13]);
2088 accum.mul(ws[25], p[12]);
2089 accum.mul(ws[26], p[11]);
2090 accum.mul(ws[27], p[10]);
2091 accum.mul(ws[28], p[9]);
2092 accum.mul(ws[29], p[8]);
2093 accum.mul(ws[30], p[7]);
2094 accum.mul(ws[31], p[6]);
2095 accum.add(z[37]);
2096 ws[5] = accum.extract();
2097 accum.mul(ws[7], p[31]);
2098 accum.mul(ws[8], p[30]);
2099 accum.mul(ws[9], p[29]);
2100 accum.mul(ws[10], p[28]);
2101 accum.mul(ws[11], p[27]);
2102 accum.mul(ws[12], p[26]);
2103 accum.mul(ws[13], p[25]);
2104 accum.mul(ws[14], p[24]);
2105 accum.mul(ws[15], p[23]);
2106 accum.mul(ws[16], p[22]);
2107 accum.mul(ws[17], p[21]);
2108 accum.mul(ws[18], p[20]);
2109 accum.mul(ws[19], p[19]);
2110 accum.mul(ws[20], p[18]);
2111 accum.mul(ws[21], p[17]);
2112 accum.mul(ws[22], p[16]);
2113 accum.mul(ws[23], p[15]);
2114 accum.mul(ws[24], p[14]);
2115 accum.mul(ws[25], p[13]);
2116 accum.mul(ws[26], p[12]);
2117 accum.mul(ws[27], p[11]);
2118 accum.mul(ws[28], p[10]);
2119 accum.mul(ws[29], p[9]);
2120 accum.mul(ws[30], p[8]);
2121 accum.mul(ws[31], p[7]);
2122 accum.add(z[38]);
2123 ws[6] = accum.extract();
2124 accum.mul(ws[8], p[31]);
2125 accum.mul(ws[9], p[30]);
2126 accum.mul(ws[10], p[29]);
2127 accum.mul(ws[11], p[28]);
2128 accum.mul(ws[12], p[27]);
2129 accum.mul(ws[13], p[26]);
2130 accum.mul(ws[14], p[25]);
2131 accum.mul(ws[15], p[24]);
2132 accum.mul(ws[16], p[23]);
2133 accum.mul(ws[17], p[22]);
2134 accum.mul(ws[18], p[21]);
2135 accum.mul(ws[19], p[20]);
2136 accum.mul(ws[20], p[19]);
2137 accum.mul(ws[21], p[18]);
2138 accum.mul(ws[22], p[17]);
2139 accum.mul(ws[23], p[16]);
2140 accum.mul(ws[24], p[15]);
2141 accum.mul(ws[25], p[14]);
2142 accum.mul(ws[26], p[13]);
2143 accum.mul(ws[27], p[12]);
2144 accum.mul(ws[28], p[11]);
2145 accum.mul(ws[29], p[10]);
2146 accum.mul(ws[30], p[9]);
2147 accum.mul(ws[31], p[8]);
2148 accum.add(z[39]);
2149 ws[7] = accum.extract();
2150 accum.mul(ws[9], p[31]);
2151 accum.mul(ws[10], p[30]);
2152 accum.mul(ws[11], p[29]);
2153 accum.mul(ws[12], p[28]);
2154 accum.mul(ws[13], p[27]);
2155 accum.mul(ws[14], p[26]);
2156 accum.mul(ws[15], p[25]);
2157 accum.mul(ws[16], p[24]);
2158 accum.mul(ws[17], p[23]);
2159 accum.mul(ws[18], p[22]);
2160 accum.mul(ws[19], p[21]);
2161 accum.mul(ws[20], p[20]);
2162 accum.mul(ws[21], p[19]);
2163 accum.mul(ws[22], p[18]);
2164 accum.mul(ws[23], p[17]);
2165 accum.mul(ws[24], p[16]);
2166 accum.mul(ws[25], p[15]);
2167 accum.mul(ws[26], p[14]);
2168 accum.mul(ws[27], p[13]);
2169 accum.mul(ws[28], p[12]);
2170 accum.mul(ws[29], p[11]);
2171 accum.mul(ws[30], p[10]);
2172 accum.mul(ws[31], p[9]);
2173 accum.add(z[40]);
2174 ws[8] = accum.extract();
2175 accum.mul(ws[10], p[31]);
2176 accum.mul(ws[11], p[30]);
2177 accum.mul(ws[12], p[29]);
2178 accum.mul(ws[13], p[28]);
2179 accum.mul(ws[14], p[27]);
2180 accum.mul(ws[15], p[26]);
2181 accum.mul(ws[16], p[25]);
2182 accum.mul(ws[17], p[24]);
2183 accum.mul(ws[18], p[23]);
2184 accum.mul(ws[19], p[22]);
2185 accum.mul(ws[20], p[21]);
2186 accum.mul(ws[21], p[20]);
2187 accum.mul(ws[22], p[19]);
2188 accum.mul(ws[23], p[18]);
2189 accum.mul(ws[24], p[17]);
2190 accum.mul(ws[25], p[16]);
2191 accum.mul(ws[26], p[15]);
2192 accum.mul(ws[27], p[14]);
2193 accum.mul(ws[28], p[13]);
2194 accum.mul(ws[29], p[12]);
2195 accum.mul(ws[30], p[11]);
2196 accum.mul(ws[31], p[10]);
2197 accum.add(z[41]);
2198 ws[9] = accum.extract();
2199 accum.mul(ws[11], p[31]);
2200 accum.mul(ws[12], p[30]);
2201 accum.mul(ws[13], p[29]);
2202 accum.mul(ws[14], p[28]);
2203 accum.mul(ws[15], p[27]);
2204 accum.mul(ws[16], p[26]);
2205 accum.mul(ws[17], p[25]);
2206 accum.mul(ws[18], p[24]);
2207 accum.mul(ws[19], p[23]);
2208 accum.mul(ws[20], p[22]);
2209 accum.mul(ws[21], p[21]);
2210 accum.mul(ws[22], p[20]);
2211 accum.mul(ws[23], p[19]);
2212 accum.mul(ws[24], p[18]);
2213 accum.mul(ws[25], p[17]);
2214 accum.mul(ws[26], p[16]);
2215 accum.mul(ws[27], p[15]);
2216 accum.mul(ws[28], p[14]);
2217 accum.mul(ws[29], p[13]);
2218 accum.mul(ws[30], p[12]);
2219 accum.mul(ws[31], p[11]);
2220 accum.add(z[42]);
2221 ws[10] = accum.extract();
2222 accum.mul(ws[12], p[31]);
2223 accum.mul(ws[13], p[30]);
2224 accum.mul(ws[14], p[29]);
2225 accum.mul(ws[15], p[28]);
2226 accum.mul(ws[16], p[27]);
2227 accum.mul(ws[17], p[26]);
2228 accum.mul(ws[18], p[25]);
2229 accum.mul(ws[19], p[24]);
2230 accum.mul(ws[20], p[23]);
2231 accum.mul(ws[21], p[22]);
2232 accum.mul(ws[22], p[21]);
2233 accum.mul(ws[23], p[20]);
2234 accum.mul(ws[24], p[19]);
2235 accum.mul(ws[25], p[18]);
2236 accum.mul(ws[26], p[17]);
2237 accum.mul(ws[27], p[16]);
2238 accum.mul(ws[28], p[15]);
2239 accum.mul(ws[29], p[14]);
2240 accum.mul(ws[30], p[13]);
2241 accum.mul(ws[31], p[12]);
2242 accum.add(z[43]);
2243 ws[11] = accum.extract();
2244 accum.mul(ws[13], p[31]);
2245 accum.mul(ws[14], p[30]);
2246 accum.mul(ws[15], p[29]);
2247 accum.mul(ws[16], p[28]);
2248 accum.mul(ws[17], p[27]);
2249 accum.mul(ws[18], p[26]);
2250 accum.mul(ws[19], p[25]);
2251 accum.mul(ws[20], p[24]);
2252 accum.mul(ws[21], p[23]);
2253 accum.mul(ws[22], p[22]);
2254 accum.mul(ws[23], p[21]);
2255 accum.mul(ws[24], p[20]);
2256 accum.mul(ws[25], p[19]);
2257 accum.mul(ws[26], p[18]);
2258 accum.mul(ws[27], p[17]);
2259 accum.mul(ws[28], p[16]);
2260 accum.mul(ws[29], p[15]);
2261 accum.mul(ws[30], p[14]);
2262 accum.mul(ws[31], p[13]);
2263 accum.add(z[44]);
2264 ws[12] = accum.extract();
2265 accum.mul(ws[14], p[31]);
2266 accum.mul(ws[15], p[30]);
2267 accum.mul(ws[16], p[29]);
2268 accum.mul(ws[17], p[28]);
2269 accum.mul(ws[18], p[27]);
2270 accum.mul(ws[19], p[26]);
2271 accum.mul(ws[20], p[25]);
2272 accum.mul(ws[21], p[24]);
2273 accum.mul(ws[22], p[23]);
2274 accum.mul(ws[23], p[22]);
2275 accum.mul(ws[24], p[21]);
2276 accum.mul(ws[25], p[20]);
2277 accum.mul(ws[26], p[19]);
2278 accum.mul(ws[27], p[18]);
2279 accum.mul(ws[28], p[17]);
2280 accum.mul(ws[29], p[16]);
2281 accum.mul(ws[30], p[15]);
2282 accum.mul(ws[31], p[14]);
2283 accum.add(z[45]);
2284 ws[13] = accum.extract();
2285 accum.mul(ws[15], p[31]);
2286 accum.mul(ws[16], p[30]);
2287 accum.mul(ws[17], p[29]);
2288 accum.mul(ws[18], p[28]);
2289 accum.mul(ws[19], p[27]);
2290 accum.mul(ws[20], p[26]);
2291 accum.mul(ws[21], p[25]);
2292 accum.mul(ws[22], p[24]);
2293 accum.mul(ws[23], p[23]);
2294 accum.mul(ws[24], p[22]);
2295 accum.mul(ws[25], p[21]);
2296 accum.mul(ws[26], p[20]);
2297 accum.mul(ws[27], p[19]);
2298 accum.mul(ws[28], p[18]);
2299 accum.mul(ws[29], p[17]);
2300 accum.mul(ws[30], p[16]);
2301 accum.mul(ws[31], p[15]);
2302 accum.add(z[46]);
2303 ws[14] = accum.extract();
2304 accum.mul(ws[16], p[31]);
2305 accum.mul(ws[17], p[30]);
2306 accum.mul(ws[18], p[29]);
2307 accum.mul(ws[19], p[28]);
2308 accum.mul(ws[20], p[27]);
2309 accum.mul(ws[21], p[26]);
2310 accum.mul(ws[22], p[25]);
2311 accum.mul(ws[23], p[24]);
2312 accum.mul(ws[24], p[23]);
2313 accum.mul(ws[25], p[22]);
2314 accum.mul(ws[26], p[21]);
2315 accum.mul(ws[27], p[20]);
2316 accum.mul(ws[28], p[19]);
2317 accum.mul(ws[29], p[18]);
2318 accum.mul(ws[30], p[17]);
2319 accum.mul(ws[31], p[16]);
2320 accum.add(z[47]);
2321 ws[15] = accum.extract();
2322 accum.mul(ws[17], p[31]);
2323 accum.mul(ws[18], p[30]);
2324 accum.mul(ws[19], p[29]);
2325 accum.mul(ws[20], p[28]);
2326 accum.mul(ws[21], p[27]);
2327 accum.mul(ws[22], p[26]);
2328 accum.mul(ws[23], p[25]);
2329 accum.mul(ws[24], p[24]);
2330 accum.mul(ws[25], p[23]);
2331 accum.mul(ws[26], p[22]);
2332 accum.mul(ws[27], p[21]);
2333 accum.mul(ws[28], p[20]);
2334 accum.mul(ws[29], p[19]);
2335 accum.mul(ws[30], p[18]);
2336 accum.mul(ws[31], p[17]);
2337 accum.add(z[48]);
2338 ws[16] = accum.extract();
2339 accum.mul(ws[18], p[31]);
2340 accum.mul(ws[19], p[30]);
2341 accum.mul(ws[20], p[29]);
2342 accum.mul(ws[21], p[28]);
2343 accum.mul(ws[22], p[27]);
2344 accum.mul(ws[23], p[26]);
2345 accum.mul(ws[24], p[25]);
2346 accum.mul(ws[25], p[24]);
2347 accum.mul(ws[26], p[23]);
2348 accum.mul(ws[27], p[22]);
2349 accum.mul(ws[28], p[21]);
2350 accum.mul(ws[29], p[20]);
2351 accum.mul(ws[30], p[19]);
2352 accum.mul(ws[31], p[18]);
2353 accum.add(z[49]);
2354 ws[17] = accum.extract();
2355 accum.mul(ws[19], p[31]);
2356 accum.mul(ws[20], p[30]);
2357 accum.mul(ws[21], p[29]);
2358 accum.mul(ws[22], p[28]);
2359 accum.mul(ws[23], p[27]);
2360 accum.mul(ws[24], p[26]);
2361 accum.mul(ws[25], p[25]);
2362 accum.mul(ws[26], p[24]);
2363 accum.mul(ws[27], p[23]);
2364 accum.mul(ws[28], p[22]);
2365 accum.mul(ws[29], p[21]);
2366 accum.mul(ws[30], p[20]);
2367 accum.mul(ws[31], p[19]);
2368 accum.add(z[50]);
2369 ws[18] = accum.extract();
2370 accum.mul(ws[20], p[31]);
2371 accum.mul(ws[21], p[30]);
2372 accum.mul(ws[22], p[29]);
2373 accum.mul(ws[23], p[28]);
2374 accum.mul(ws[24], p[27]);
2375 accum.mul(ws[25], p[26]);
2376 accum.mul(ws[26], p[25]);
2377 accum.mul(ws[27], p[24]);
2378 accum.mul(ws[28], p[23]);
2379 accum.mul(ws[29], p[22]);
2380 accum.mul(ws[30], p[21]);
2381 accum.mul(ws[31], p[20]);
2382 accum.add(z[51]);
2383 ws[19] = accum.extract();
2384 accum.mul(ws[21], p[31]);
2385 accum.mul(ws[22], p[30]);
2386 accum.mul(ws[23], p[29]);
2387 accum.mul(ws[24], p[28]);
2388 accum.mul(ws[25], p[27]);
2389 accum.mul(ws[26], p[26]);
2390 accum.mul(ws[27], p[25]);
2391 accum.mul(ws[28], p[24]);
2392 accum.mul(ws[29], p[23]);
2393 accum.mul(ws[30], p[22]);
2394 accum.mul(ws[31], p[21]);
2395 accum.add(z[52]);
2396 ws[20] = accum.extract();
2397 accum.mul(ws[22], p[31]);
2398 accum.mul(ws[23], p[30]);
2399 accum.mul(ws[24], p[29]);
2400 accum.mul(ws[25], p[28]);
2401 accum.mul(ws[26], p[27]);
2402 accum.mul(ws[27], p[26]);
2403 accum.mul(ws[28], p[25]);
2404 accum.mul(ws[29], p[24]);
2405 accum.mul(ws[30], p[23]);
2406 accum.mul(ws[31], p[22]);
2407 accum.add(z[53]);
2408 ws[21] = accum.extract();
2409 accum.mul(ws[23], p[31]);
2410 accum.mul(ws[24], p[30]);
2411 accum.mul(ws[25], p[29]);
2412 accum.mul(ws[26], p[28]);
2413 accum.mul(ws[27], p[27]);
2414 accum.mul(ws[28], p[26]);
2415 accum.mul(ws[29], p[25]);
2416 accum.mul(ws[30], p[24]);
2417 accum.mul(ws[31], p[23]);
2418 accum.add(z[54]);
2419 ws[22] = accum.extract();
2420 accum.mul(ws[24], p[31]);
2421 accum.mul(ws[25], p[30]);
2422 accum.mul(ws[26], p[29]);
2423 accum.mul(ws[27], p[28]);
2424 accum.mul(ws[28], p[27]);
2425 accum.mul(ws[29], p[26]);
2426 accum.mul(ws[30], p[25]);
2427 accum.mul(ws[31], p[24]);
2428 accum.add(z[55]);
2429 ws[23] = accum.extract();
2430 accum.mul(ws[25], p[31]);
2431 accum.mul(ws[26], p[30]);
2432 accum.mul(ws[27], p[29]);
2433 accum.mul(ws[28], p[28]);
2434 accum.mul(ws[29], p[27]);
2435 accum.mul(ws[30], p[26]);
2436 accum.mul(ws[31], p[25]);
2437 accum.add(z[56]);
2438 ws[24] = accum.extract();
2439 accum.mul(ws[26], p[31]);
2440 accum.mul(ws[27], p[30]);
2441 accum.mul(ws[28], p[29]);
2442 accum.mul(ws[29], p[28]);
2443 accum.mul(ws[30], p[27]);
2444 accum.mul(ws[31], p[26]);
2445 accum.add(z[57]);
2446 ws[25] = accum.extract();
2447 accum.mul(ws[27], p[31]);
2448 accum.mul(ws[28], p[30]);
2449 accum.mul(ws[29], p[29]);
2450 accum.mul(ws[30], p[28]);
2451 accum.mul(ws[31], p[27]);
2452 accum.add(z[58]);
2453 ws[26] = accum.extract();
2454 accum.mul(ws[28], p[31]);
2455 accum.mul(ws[29], p[30]);
2456 accum.mul(ws[30], p[29]);
2457 accum.mul(ws[31], p[28]);
2458 accum.add(z[59]);
2459 ws[27] = accum.extract();
2460 accum.mul(ws[29], p[31]);
2461 accum.mul(ws[30], p[30]);
2462 accum.mul(ws[31], p[29]);
2463 accum.add(z[60]);
2464 ws[28] = accum.extract();
2465 accum.mul(ws[30], p[31]);
2466 accum.mul(ws[31], p[30]);
2467 accum.add(z[61]);
2468 ws[29] = accum.extract();
2469 accum.mul(ws[31], p[31]);
2470 accum.add(z[62]);
2471 ws[30] = accum.extract();
2472 accum.add(z[63]);
2473 ws[31] = accum.extract();
2474 word w1 = accum.extract();
2475 bigint_monty_maybe_sub<32>(r, w1, ws, p);
2476}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_4()

void Botan::bigint_monty_redc_4 ( word r[4],
const word z[8],
const word p[4],
word p_dash,
word ws[4] )

Definition at line 14 of file mp_monty_n.cpp.

14 {
15 word3<word> accum;
16 accum.add(z[0]);
17 ws[0] = accum.monty_step(p[0], p_dash);
18 accum.mul(ws[0], p[1]);
19 accum.add(z[1]);
20 ws[1] = accum.monty_step(p[0], p_dash);
21 accum.mul(ws[0], p[2]);
22 accum.mul(ws[1], p[1]);
23 accum.add(z[2]);
24 ws[2] = accum.monty_step(p[0], p_dash);
25 accum.mul(ws[0], p[3]);
26 accum.mul(ws[1], p[2]);
27 accum.mul(ws[2], p[1]);
28 accum.add(z[3]);
29 ws[3] = accum.monty_step(p[0], p_dash);
30 accum.mul(ws[1], p[3]);
31 accum.mul(ws[2], p[2]);
32 accum.mul(ws[3], p[1]);
33 accum.add(z[4]);
34 ws[0] = accum.extract();
35 accum.mul(ws[2], p[3]);
36 accum.mul(ws[3], p[2]);
37 accum.add(z[5]);
38 ws[1] = accum.extract();
39 accum.mul(ws[3], p[3]);
40 accum.add(z[6]);
41 ws[2] = accum.extract();
42 accum.add(z[7]);
43 ws[3] = accum.extract();
44 word w1 = accum.extract();
45 bigint_monty_maybe_sub<4>(r, w1, ws, p);
46}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_6()

void Botan::bigint_monty_redc_6 ( word r[6],
const word z[12],
const word p[6],
word p_dash,
word ws[6] )

Definition at line 48 of file mp_monty_n.cpp.

48 {
49 word3<word> accum;
50 accum.add(z[0]);
51 ws[0] = accum.monty_step(p[0], p_dash);
52 accum.mul(ws[0], p[1]);
53 accum.add(z[1]);
54 ws[1] = accum.monty_step(p[0], p_dash);
55 accum.mul(ws[0], p[2]);
56 accum.mul(ws[1], p[1]);
57 accum.add(z[2]);
58 ws[2] = accum.monty_step(p[0], p_dash);
59 accum.mul(ws[0], p[3]);
60 accum.mul(ws[1], p[2]);
61 accum.mul(ws[2], p[1]);
62 accum.add(z[3]);
63 ws[3] = accum.monty_step(p[0], p_dash);
64 accum.mul(ws[0], p[4]);
65 accum.mul(ws[1], p[3]);
66 accum.mul(ws[2], p[2]);
67 accum.mul(ws[3], p[1]);
68 accum.add(z[4]);
69 ws[4] = accum.monty_step(p[0], p_dash);
70 accum.mul(ws[0], p[5]);
71 accum.mul(ws[1], p[4]);
72 accum.mul(ws[2], p[3]);
73 accum.mul(ws[3], p[2]);
74 accum.mul(ws[4], p[1]);
75 accum.add(z[5]);
76 ws[5] = accum.monty_step(p[0], p_dash);
77 accum.mul(ws[1], p[5]);
78 accum.mul(ws[2], p[4]);
79 accum.mul(ws[3], p[3]);
80 accum.mul(ws[4], p[2]);
81 accum.mul(ws[5], p[1]);
82 accum.add(z[6]);
83 ws[0] = accum.extract();
84 accum.mul(ws[2], p[5]);
85 accum.mul(ws[3], p[4]);
86 accum.mul(ws[4], p[3]);
87 accum.mul(ws[5], p[2]);
88 accum.add(z[7]);
89 ws[1] = accum.extract();
90 accum.mul(ws[3], p[5]);
91 accum.mul(ws[4], p[4]);
92 accum.mul(ws[5], p[3]);
93 accum.add(z[8]);
94 ws[2] = accum.extract();
95 accum.mul(ws[4], p[5]);
96 accum.mul(ws[5], p[4]);
97 accum.add(z[9]);
98 ws[3] = accum.extract();
99 accum.mul(ws[5], p[5]);
100 accum.add(z[10]);
101 ws[4] = accum.extract();
102 accum.add(z[11]);
103 ws[5] = accum.extract();
104 word w1 = accum.extract();
105 bigint_monty_maybe_sub<6>(r, w1, ws, p);
106}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_8()

void Botan::bigint_monty_redc_8 ( word r[8],
const word z[16],
const word p[8],
word p_dash,
word ws[8] )

Definition at line 108 of file mp_monty_n.cpp.

108 {
109 word3<word> accum;
110 accum.add(z[0]);
111 ws[0] = accum.monty_step(p[0], p_dash);
112 accum.mul(ws[0], p[1]);
113 accum.add(z[1]);
114 ws[1] = accum.monty_step(p[0], p_dash);
115 accum.mul(ws[0], p[2]);
116 accum.mul(ws[1], p[1]);
117 accum.add(z[2]);
118 ws[2] = accum.monty_step(p[0], p_dash);
119 accum.mul(ws[0], p[3]);
120 accum.mul(ws[1], p[2]);
121 accum.mul(ws[2], p[1]);
122 accum.add(z[3]);
123 ws[3] = accum.monty_step(p[0], p_dash);
124 accum.mul(ws[0], p[4]);
125 accum.mul(ws[1], p[3]);
126 accum.mul(ws[2], p[2]);
127 accum.mul(ws[3], p[1]);
128 accum.add(z[4]);
129 ws[4] = accum.monty_step(p[0], p_dash);
130 accum.mul(ws[0], p[5]);
131 accum.mul(ws[1], p[4]);
132 accum.mul(ws[2], p[3]);
133 accum.mul(ws[3], p[2]);
134 accum.mul(ws[4], p[1]);
135 accum.add(z[5]);
136 ws[5] = accum.monty_step(p[0], p_dash);
137 accum.mul(ws[0], p[6]);
138 accum.mul(ws[1], p[5]);
139 accum.mul(ws[2], p[4]);
140 accum.mul(ws[3], p[3]);
141 accum.mul(ws[4], p[2]);
142 accum.mul(ws[5], p[1]);
143 accum.add(z[6]);
144 ws[6] = accum.monty_step(p[0], p_dash);
145 accum.mul(ws[0], p[7]);
146 accum.mul(ws[1], p[6]);
147 accum.mul(ws[2], p[5]);
148 accum.mul(ws[3], p[4]);
149 accum.mul(ws[4], p[3]);
150 accum.mul(ws[5], p[2]);
151 accum.mul(ws[6], p[1]);
152 accum.add(z[7]);
153 ws[7] = accum.monty_step(p[0], p_dash);
154 accum.mul(ws[1], p[7]);
155 accum.mul(ws[2], p[6]);
156 accum.mul(ws[3], p[5]);
157 accum.mul(ws[4], p[4]);
158 accum.mul(ws[5], p[3]);
159 accum.mul(ws[6], p[2]);
160 accum.mul(ws[7], p[1]);
161 accum.add(z[8]);
162 ws[0] = accum.extract();
163 accum.mul(ws[2], p[7]);
164 accum.mul(ws[3], p[6]);
165 accum.mul(ws[4], p[5]);
166 accum.mul(ws[5], p[4]);
167 accum.mul(ws[6], p[3]);
168 accum.mul(ws[7], p[2]);
169 accum.add(z[9]);
170 ws[1] = accum.extract();
171 accum.mul(ws[3], p[7]);
172 accum.mul(ws[4], p[6]);
173 accum.mul(ws[5], p[5]);
174 accum.mul(ws[6], p[4]);
175 accum.mul(ws[7], p[3]);
176 accum.add(z[10]);
177 ws[2] = accum.extract();
178 accum.mul(ws[4], p[7]);
179 accum.mul(ws[5], p[6]);
180 accum.mul(ws[6], p[5]);
181 accum.mul(ws[7], p[4]);
182 accum.add(z[11]);
183 ws[3] = accum.extract();
184 accum.mul(ws[5], p[7]);
185 accum.mul(ws[6], p[6]);
186 accum.mul(ws[7], p[5]);
187 accum.add(z[12]);
188 ws[4] = accum.extract();
189 accum.mul(ws[6], p[7]);
190 accum.mul(ws[7], p[6]);
191 accum.add(z[13]);
192 ws[5] = accum.extract();
193 accum.mul(ws[7], p[7]);
194 accum.add(z[14]);
195 ws[6] = accum.extract();
196 accum.add(z[15]);
197 ws[7] = accum.extract();
198 word w1 = accum.extract();
199 bigint_monty_maybe_sub<8>(r, w1, ws, p);
200}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_generic()

void Botan::bigint_monty_redc_generic ( word r[],
const word z[],
size_t z_size,
const word p[],
size_t p_size,
word p_dash,
word ws[] )

Definition at line 31 of file mp_monty.cpp.

32 {
33 BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic");
34
35 word3<word> accum;
36
37 accum.add(z[0]);
38
39 ws[0] = accum.monty_step(p[0], p_dash);
40
41 for(size_t i = 1; i != p_size; ++i) {
42 for(size_t j = 0; j < i; ++j) {
43 accum.mul(ws[j], p[i - j]);
44 }
45
46 accum.add(z[i]);
47 ws[i] = accum.monty_step(p[0], p_dash);
48 }
49
50 for(size_t i = 0; i != p_size - 1; ++i) {
51 for(size_t j = i + 1; j != p_size; ++j) {
52 accum.mul(ws[j], p[p_size + i - j]);
53 }
54
55 accum.add(z[p_size + i]);
56 ws[i] = accum.extract();
57 }
58
59 accum.add(z[2 * p_size - 1]);
60
61 ws[p_size - 1] = accum.extract();
62 // w1 is the final part, which is not stored in the workspace
63 const word w1 = accum.extract();
64
65 /*
66 * The result might need to be reduced mod p. To avoid a timing
67 * channel, always perform the subtraction. If in the compution
68 * of x - p a borrow is required then x was already < p.
69 *
70 * x starts at ws[0] and is p_size bytes long plus a possible high
71 * digit left over in w1.
72 *
73 * x - p starts at z[0] and is also p_size bytes long
74 *
75 * If borrow was set after the subtraction, then x was already less
76 * than p and the subtraction was not needed. In that case overwrite
77 * z[0:p_size] with the original x in ws[0:p_size].
78 *
79 * We only copy out p_size in the final step because we know
80 * the Montgomery result is < P
81 */
82
83 bigint_monty_maybe_sub(p_size, r, w1, ws, p);
84}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), BOTAN_ARG_CHECK, Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_inplace()

void Botan::bigint_monty_redc_inplace ( word z[],
const word p[],
size_t p_size,
word p_dash,
word ws[],
size_t ws_size )
inline

Definition at line 1012 of file mp_core.h.

1012 {
1013 bigint_monty_redc(z, z, p, p_size, p_dash, ws, ws_size);
1014 clear_mem(z + p_size, p_size);
1015}
void bigint_monty_redc(word r[], const word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
Definition mp_core.h:987

References bigint_monty_redc(), and clear_mem().

Referenced by Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::redc(), Botan::Montgomery_Params::sqr(), and Botan::Montgomery_Params::square_this().

◆ bigint_mul()

void Botan::bigint_mul ( word z[],
size_t z_size,
const word x[],
size_t x_size,
size_t x_sw,
const word y[],
size_t y_size,
size_t y_sw,
word workspace[],
size_t ws_size )

Definition at line 282 of file mp_karat.cpp.

291 {
292 clear_mem(z, z_size);
293
294 if(x_sw == 1) {
295 bigint_linmul3(z, y, y_sw, x[0]);
296 } else if(y_sw == 1) {
297 bigint_linmul3(z, x, x_sw, y[0]);
298 } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) {
299 bigint_comba_mul4(z, x, y);
300 } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) {
301 bigint_comba_mul6(z, x, y);
302 } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) {
303 bigint_comba_mul8(z, x, y);
304 } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) {
305 bigint_comba_mul9(z, x, y);
306 } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) {
307 bigint_comba_mul16(z, x, y);
308 } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) {
309 bigint_comba_mul24(z, x, y);
310 } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || !workspace) {
311 basecase_mul(z, z_size, x, x_sw, y, y_sw);
312 } else {
313 const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw);
314
315 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
316 karatsuba_mul(z, x, y, N, workspace);
317 } else {
318 basecase_mul(z, z_size, x, x_sw, y, y_sw);
319 }
320 }
321}
constexpr void bigint_linmul3(W z[], const W x[], size_t x_size, W y)
Definition mp_core.h:528
void bigint_comba_mul4(word z[8], const word x[4], const word y[4])
Definition mp_comba.cpp:42
void bigint_comba_mul16(word z[32], const word x[16], const word y[16])
Definition mp_comba.cpp:794
void bigint_comba_mul6(word z[12], const word x[6], const word y[6])
Definition mp_comba.cpp:115
void bigint_comba_mul9(word z[18], const word x[9], const word y[9])
Definition mp_comba.cpp:511
void bigint_comba_mul24(word z[48], const word x[24], const word y[24])
BOTAN_FUZZER_API void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_karat.cpp:20
void bigint_comba_mul8(word z[16], const word x[8], const word y[8])
Definition mp_comba.cpp:352

References basecase_mul(), bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_linmul3(), and clear_mem().

Referenced by Botan::BigInt::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), Botan::Barrett_Reduction::multiply(), operator*(), and Botan::Scalar448::operator*().

◆ bigint_shl1()

template<WordType W>
void Botan::bigint_shl1 ( W x[],
size_t x_size,
size_t x_words,
size_t shift )
inlineconstexpr

Definition at line 426 of file mp_core.h.

426 {
427 const size_t word_shift = shift / WordInfo<W>::bits;
428 const size_t bit_shift = shift % WordInfo<W>::bits;
429
430 copy_mem(x + word_shift, x, x_words);
431 clear_mem(x, word_shift);
432
433 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
434 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
435
436 W carry = 0;
437 for(size_t i = word_shift; i != x_size; ++i) {
438 const W w = x[i];
439 x[i] = (w << bit_shift) | carry;
440 carry = carry_mask.if_set_return(w >> carry_shift);
441 }
442}
constexpr uint64_t carry_shift(const donna128 &a, size_t shift)
Definition donna128.h:133

References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by ct_divide_pow2k(), and Botan::BigInt::operator<<=().

◆ bigint_shl2()

template<WordType W>
void Botan::bigint_shl2 ( W y[],
const W x[],
size_t x_size,
size_t shift )
inlineconstexpr

Definition at line 469 of file mp_core.h.

469 {
470 const size_t word_shift = shift / WordInfo<W>::bits;
471 const size_t bit_shift = shift % WordInfo<W>::bits;
472
473 copy_mem(y + word_shift, x, x_size);
474
475 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
476 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
477
478 W carry = 0;
479 for(size_t i = word_shift; i != x_size + word_shift + 1; ++i) {
480 const W w = y[i];
481 y[i] = (w << bit_shift) | carry;
482 carry = carry_mask.if_set_return(w >> carry_shift);
483 }
484}

References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_shift_left(), and operator<<().

◆ bigint_shr1()

template<WordType W>
void Botan::bigint_shr1 ( W x[],
size_t x_size,
size_t shift )
inlineconstexpr

Definition at line 445 of file mp_core.h.

445 {
446 const size_t word_shift = shift / WordInfo<W>::bits;
447 const size_t bit_shift = shift % WordInfo<W>::bits;
448
449 const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0;
450
451 if(top > 0) {
452 copy_mem(x, x + word_shift, top);
453 }
454 clear_mem(x + top, std::min(word_shift, x_size));
455
456 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
457 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
458
459 W carry = 0;
460
461 for(size_t i = 0; i != top; ++i) {
462 const W w = x[top - i - 1];
463 x[top - i - 1] = (w >> bit_shift) | carry;
464 carry = carry_mask.if_set_return(w << carry_shift);
465 }
466}

References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::operator>>=().

◆ bigint_shr2()

template<WordType W>
void Botan::bigint_shr2 ( W y[],
const W x[],
size_t x_size,
size_t shift )
inlineconstexpr

Definition at line 487 of file mp_core.h.

487 {
488 const size_t word_shift = shift / WordInfo<W>::bits;
489 const size_t bit_shift = shift % WordInfo<W>::bits;
490 const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift);
491
492 if(new_size > 0) {
493 copy_mem(y, x + word_shift, new_size);
494 }
495
496 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
497 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
498
499 W carry = 0;
500 for(size_t i = new_size; i > 0; --i) {
501 W w = y[i - 1];
502 y[i - 1] = (w >> bit_shift) | carry;
503 carry = carry_mask.if_set_return(w << carry_shift);
504 }
505}

References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by gcd(), and operator>>().

◆ bigint_sqr()

void Botan::bigint_sqr ( word z[],
size_t z_size,
const word x[],
size_t x_size,
size_t x_sw,
word workspace[],
size_t ws_size )

Definition at line 326 of file mp_karat.cpp.

326 {
327 clear_mem(z, z_size);
328
329 BOTAN_ASSERT(z_size / 2 >= x_sw, "Output size is sufficient");
330
331 if(x_sw == 1) {
332 bigint_linmul3(z, x, x_sw, x[0]);
333 } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) {
334 bigint_comba_sqr4(z, x);
335 } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) {
336 bigint_comba_sqr6(z, x);
337 } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) {
338 bigint_comba_sqr8(z, x);
339 } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) {
340 bigint_comba_sqr9(z, x);
341 } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) {
342 bigint_comba_sqr16(z, x);
343 } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) {
344 bigint_comba_sqr24(z, x);
345 } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || !workspace) {
346 basecase_sqr(z, z_size, x, x_sw);
347 } else {
348 const size_t N = karatsuba_size(z_size, x_size, x_sw);
349
350 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
351 karatsuba_sqr(z, x, N, workspace);
352 } else {
353 basecase_sqr(z, z_size, x, x_sw);
354 }
355 }
356}
BOTAN_FUZZER_API void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size)
Definition mp_karat.cpp:46
void bigint_comba_sqr4(word z[8], const word x[4])
Definition mp_comba.cpp:16
void bigint_comba_sqr6(word z[12], const word x[6])
Definition mp_comba.cpp:74
void bigint_comba_sqr8(word z[16], const word x[8])
Definition mp_comba.cpp:292
void bigint_comba_sqr16(word z[32], const word x[16])
Definition mp_comba.cpp:618
void bigint_comba_sqr9(word z[18], const word x[9])
Definition mp_comba.cpp:440
void bigint_comba_sqr24(word z[48], const word x[24])

References basecase_sqr(), bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_linmul3(), BOTAN_ASSERT, and clear_mem().

Referenced by Botan::Montgomery_Params::sqr(), Botan::Barrett_Reduction::square(), Botan::BigInt::square(), and Botan::Montgomery_Params::square_this().

◆ bigint_sub2()

template<WordType W>
auto Botan::bigint_sub2 ( W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Two operand subtraction

Definition at line 261 of file mp_core.h.

261 {
262 W borrow = 0;
263
264 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
265
266 const size_t blocks = y_size - (y_size % 8);
267
268 for(size_t i = 0; i != blocks; i += 8) {
269 borrow = word8_sub2(x + i, y + i, borrow);
270 }
271
272 for(size_t i = blocks; i != y_size; ++i) {
273 x[i] = word_sub(x[i], y[i], &borrow);
274 }
275
276 for(size_t i = y_size; i != x_size; ++i) {
277 x[i] = word_sub(x[i], static_cast<W>(0), &borrow);
278 }
279
280 return borrow;
281}
constexpr auto word8_sub2(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:303

References BOTAN_ASSERT, word8_sub2(), and word_sub().

Referenced by Botan::BigInt::add(), and bigint_correct_redc().

◆ bigint_sub2_rev()

template<WordType W>
void Botan::bigint_sub2_rev ( W x[],
const W y[],
size_t y_size )
inlineconstexpr

Two operand subtraction, x = y - x; assumes y >= x

Definition at line 287 of file mp_core.h.

287 {
288 W borrow = 0;
289
290 const size_t blocks = y_size - (y_size % 8);
291
292 for(size_t i = 0; i != blocks; i += 8) {
293 borrow = word8_sub2_rev(x + i, y + i, borrow);
294 }
295
296 for(size_t i = blocks; i != y_size; ++i) {
297 x[i] = word_sub(y[i], x[i], &borrow);
298 }
299
300 BOTAN_ASSERT(borrow == 0, "y must be greater than x");
301}
constexpr auto word8_sub2_rev(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:329

References BOTAN_ASSERT, word8_sub2_rev(), and word_sub().

Referenced by Botan::BigInt::add().

◆ bigint_sub3()

template<WordType W>
auto Botan::bigint_sub3 ( W z[],
const W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Three operand subtraction

Expects that x_size >= y_size

Writes to z[0:x_size] and returns borrow

Definition at line 311 of file mp_core.h.

311 {
312 W borrow = 0;
313
314 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
315
316 const size_t blocks = y_size - (y_size % 8);
317
318 for(size_t i = 0; i != blocks; i += 8) {
319 borrow = word8_sub3(z + i, x + i, y + i, borrow);
320 }
321
322 for(size_t i = blocks; i != y_size; ++i) {
323 z[i] = word_sub(x[i], y[i], &borrow);
324 }
325
326 for(size_t i = y_size; i != x_size; ++i) {
327 z[i] = word_sub(x[i], static_cast<W>(0), &borrow);
328 }
329
330 return borrow;
331}

References BOTAN_ASSERT, word8_sub3(), and word_sub().

Referenced by bigint_mod_sub(), bigint_sub_abs(), ct_divide(), ct_divide_pow2k(), ct_modulo(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::mod_add(), and Botan::BigInt::reduce_below().

◆ bigint_sub_abs() [1/2]

template<WordType W>
auto Botan::bigint_sub_abs ( W z[],
const W x[],
const W y[],
size_t N,
W ws[] ) -> CT::Mask<W>
inlineconstexpr

Return abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Returns ~0 if x >= y or 0 if x < y

Parameters
zoutput array of at least N words
xinput array of N words
yinput array of N words
Nlength of x and y
wsarray of at least 2*N words

Definition at line 398 of file mp_core.h.

398 {
399 // Subtract in both direction then conditional copy out the result
400
401 W* ws0 = ws;
402 W* ws1 = ws + N;
403
404 W borrow0 = 0;
405 W borrow1 = 0;
406
407 const size_t blocks = N - (N % 8);
408
409 for(size_t i = 0; i != blocks; i += 8) {
410 borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0);
411 borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1);
412 }
413
414 for(size_t i = blocks; i != N; ++i) {
415 ws0[i] = word_sub(x[i], y[i], &borrow0);
416 ws1[i] = word_sub(y[i], x[i], &borrow1);
417 }
418
419 return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N);
420}
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *to, const T *from0, const T *from1, size_t elems)
Definition ct_utils.h:733

References Botan::CT::conditional_copy_mem(), word8_sub3(), and word_sub().

Referenced by Botan::BigInt::add2(), gcd(), and Botan::BigInt::rev_sub().

◆ bigint_sub_abs() [2/2]

template<WordType W>
int32_t Botan::bigint_sub_abs ( W z[],
const W x[],
size_t x_size,
const W y[],
size_t y_size )
inlineconstexpr

Set z to abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Return the relative size of x vs y (-1, 0, 1)

Parameters
zoutput array of max(x_size,y_size) words
xinput param
x_sizelength of x
yinput param
y_sizelength of y

Definition at line 668 of file mp_core.h.

668 {
669 const int32_t relative_size = bigint_cmp(x, x_size, y, y_size);
670
671 // Swap if relative_size == -1
672 const bool need_swap = relative_size < 0;
673 CT::conditional_swap_ptr(need_swap, x, y);
674 CT::conditional_swap(need_swap, x_size, y_size);
675
676 /*
677 * We know at this point that x >= y so if y_size is larger than
678 * x_size, we are guaranteed they are just leading zeros which can
679 * be ignored
680 */
681 y_size = std::min(x_size, y_size);
682
683 bigint_sub3(z, x, x_size, y, y_size);
684
685 return relative_size;
686}
constexpr void conditional_swap_ptr(bool cnd, T &x, T &y)
Definition ct_utils.h:765
constexpr void conditional_swap(bool cnd, T &x, T &y)
Definition ct_utils.h:759
constexpr int32_t bigint_cmp(const W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:551

References bigint_cmp(), bigint_sub3(), Botan::CT::conditional_swap(), and Botan::CT::conditional_swap_ptr().

◆ bit_permute_step()

template<typename T>
T Botan::bit_permute_step ( T x,
T mask,
size_t shift )
inlineconstexpr

Definition at line 187 of file bit_ops.h.

187 {
188 /*
189 See https://reflectionsonsecurity.wordpress.com/2014/05/11/efficient-bit-permutation-using-delta-swaps/
190 and http://programming.sirrida.de/bit_perm.html
191 */
192 const T swap = ((x >> shift) ^ x) & mask;
193 return (x ^ swap) ^ (swap << shift);
194}

◆ bit_size_to_32bit_size()

size_t Botan::bit_size_to_32bit_size ( size_t bit_size)
inline

Definition at line 46 of file code_based_util.h.

46 {
47 return (bit_size - 1) / 32 + 1;
48}

Referenced by generate_mceliece_key(), mceliece_decrypt(), and Botan::McEliece_PrivateKey::McEliece_PrivateKey().

◆ bit_size_to_byte_size()

size_t Botan::bit_size_to_byte_size ( size_t bit_size)
inline

Definition at line 42 of file code_based_util.h.

42 {
43 return (bit_size - 1) / 8 + 1;
44}

Referenced by mceliece_decrypt().

◆ bitlen()

auto Botan::bitlen ( size_t x)
constexpr

Definition at line 98 of file pqcrystals_helpers.h.

98 {
99 return ceil_log2(x + 1);
100}
constexpr uint8_t ceil_log2(T x)
Definition bit_ops.h:133

References ceil_log2().

Referenced by Botan::DilithiumConstants::DilithiumConstants(), Botan::KyberConstants::KyberConstants(), and Botan::bitvector_base< secure_allocator >::subvector().

◆ buffer_insert() [1/2]

template<typename T, typename Alloc, typename Alloc2>
size_t Botan::buffer_insert ( std::vector< T, Alloc > & buf,
size_t buf_offset,
const std::vector< T, Alloc2 > & input )

Definition at line 328 of file mem_ops.h.

328 {
329 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
330 const size_t to_copy = std::min(input.size(), buf.size() - buf_offset);
331 if(to_copy > 0) {
332 copy_mem(&buf[buf_offset], input.data(), to_copy);
333 }
334 return to_copy;
335}
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:61

References BOTAN_ASSERT_NOMSG, buffer_insert(), and copy_mem().

◆ buffer_insert() [2/2]

template<typename T, typename Alloc>
size_t Botan::buffer_insert ( std::vector< T, Alloc > & buf,
size_t buf_offset,
const T input[],
size_t input_length )

Definition at line 317 of file mem_ops.h.

317 {
318 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
319 const size_t to_copy = std::min(input_length, buf.size() - buf_offset);
320 if(to_copy > 0) {
321 copy_mem(&buf[buf_offset], input, to_copy);
322 }
323 return to_copy;
324}

References BOTAN_ASSERT_NOMSG, buffer_insert(), and copy_mem().

Referenced by buffer_insert(), and buffer_insert().

◆ carry()

◆ carry0() [1/2]

template<size_t S>
requires (S > 0 && S < 32)
void Botan::carry0 ( int32_t & h0,
int32_t & h1 )
inline

Definition at line 49 of file ed25519_internal.h.

51{
52 const int32_t X1 = (static_cast<int64_t>(1) << S);
53 int32_t c = h0 >> S;
54 h1 += c;
55 h0 -= c * X1;
56}

◆ carry0() [2/2]

template<size_t S>
requires (S > 0 && S < 64)
void Botan::carry0 ( int64_t & h0,
int64_t & h1 )
inline

Definition at line 39 of file ed25519_internal.h.

41{
42 const int64_t X1 = (static_cast<int64_t>(1) << S);
43 int64_t c = h0 >> S;
44 h1 += c;
45 h0 -= c * X1;
46}

Referenced by sc_muladd(), sc_reduce(), and Botan::FE_25519::to_bytes().

◆ carry_shift()

uint64_t Botan::carry_shift ( const donna128 & a,
size_t shift )
inlineconstexpr

Definition at line 133 of file donna128.h.

133 {
134 return (a >> shift).lo();
135}

Referenced by bigint_shl1(), bigint_shl2(), bigint_shr1(), and bigint_shr2().

◆ cast_char_ptr_to_uint8() [1/2]

uint8_t * Botan::cast_char_ptr_to_uint8 ( char * s)
inline

Definition at line 284 of file mem_ops.h.

284 {
285 return reinterpret_cast<uint8_t*>(s);
286}

◆ cast_char_ptr_to_uint8() [2/2]

◆ cast_uint8_ptr_to_char() [1/2]

◆ cast_uint8_ptr_to_char() [2/2]

char * Botan::cast_uint8_ptr_to_char ( uint8_t * b)
inline

Definition at line 288 of file mem_ops.h.

288 {
289 return reinterpret_cast<char*>(b);
290}

◆ ceil_division()

template<std::unsigned_integral T>
T Botan::ceil_division ( T a,
T b )
inlineconstexpr

Ceil of an unsigned integer division. b must not be zero.

Parameters
adivident
bdivisor
Returns
ceil(a/b)

Definition at line 160 of file bit_ops.h.

160 {
161 return (a + b - 1) / b;
162}

Referenced by Botan::Classic_McEliece_Parameters::encode_out_size().

◆ ceil_log2()

template<typename T>
requires (std::is_integral<T>::value && sizeof(T) < 32)
uint8_t Botan::ceil_log2 ( T x)
constexpr

Definition at line 133 of file bit_ops.h.

135{
136 if(x >> (sizeof(T) * 8 - 1)) {
137 return sizeof(T) * 8;
138 }
139
140 uint8_t result = 0;
141 T compare = 1;
142
143 while(compare < x) {
144 compare <<= 1;
145 result++;
146 }
147
148 return result;
149}

Referenced by bitlen(), Botan::BigInt::ct_shift_left(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), and mceliece_work_factor().

◆ ceil_tobytes()

template<typename T>
requires (std::is_integral<T>::value)
T Botan::ceil_tobytes ( T bits)
inlineconstexpr

Return the number of bytes necessary to contain bits bits.

Definition at line 168 of file bit_ops.h.

170{
171 return (bits + 7) / 8;
172}

Referenced by Botan::Classic_McEliece_Encryptor::raw_kem_encrypt(), Botan::bitvector_base< secure_allocator >::to_bytes(), Botan::bitvector_base< secure_allocator >::to_bytes(), and Botan::FrodoMatrix::unpack().

◆ chain_lengths()

BOTAN_TEST_API std::vector< WotsHashIndex > Botan::chain_lengths ( const SphincsTreeNode & msg,
const Sphincs_Parameters & params )

Given a msg construct the lengths (amount of hashes for signature) for each WOTS+ chain, including the checksum.

Corresponds to FIPS 205, Algorithm 7 or 8, Step 1-7

Definition at line 91 of file sp_wots.cpp.

91 {
92 std::vector<WotsHashIndex> result(params.wots_len_1() + params.wots_len_2());
93
94 auto msg_base_w = std::span(result).first(params.wots_len_1());
95 auto checksum_base_w = std::span(result).last(params.wots_len_2());
96
97 base_2_b(msg_base_w, msg.get(), params);
98 wots_checksum(checksum_base_w, msg_base_w, params);
99
100 return result;
101}
uint32_t wots_len_2() const
uint32_t wots_len_1() const
constexpr T & get() &
Definition strong_type.h:51

References Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::wots_len_1(), and Botan::Sphincs_Parameters::wots_len_2().

Referenced by wots_public_key_from_signature(), and xmss_sign_and_pkgen().

◆ check_and_canonicalize_dns_name()

std::string Botan::check_and_canonicalize_dns_name ( std::string_view name)

If name is a valid DNS name, return it canonicalized

Otherwise throws Decoding_Error

Definition at line 367 of file parsing.cpp.

367 {
368 if(name.size() > 255) {
369 throw Decoding_Error("DNS name exceeds maximum allowed length");
370 }
371
372 if(name.empty()) {
373 throw Decoding_Error("DNS name cannot be empty");
374 }
375
376 if(name.starts_with(".")) {
377 throw Decoding_Error("DNS name cannot start with a dot");
378 }
379
380 /*
381 * Table mapping uppercase to lowercase and only including values for valid DNS names
382 * namely A-Z, a-z, 0-9, hypen, and dot, plus '*' for wildcarding.
383 */
384 // clang-format off
385 constexpr uint8_t DNS_CHAR_MAPPING[128] = {
386 '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0',
387 '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0',
388 '\0', '\0', '\0', '\0', '*', '\0', '\0', '-', '.', '\0', '0', '1', '2', '3', '4', '5', '6', '7', '8',
389 '9', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k',
390 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '\0', '\0', '\0', '\0',
391 '\0', '\0', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q',
392 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '\0', '\0', '\0', '\0', '\0',
393 };
394 // clang-format on
395
396 std::string canon;
397 canon.reserve(name.size());
398
399 for(size_t i = 0; i != name.size(); ++i) {
400 char c = name[i];
401
402 if(c == '.') {
403 if(name[i - 1] == '.') {
404 throw Decoding_Error("DNS name contains sequential period chars");
405 }
406 if(i == name.size() - 1) {
407 throw Decoding_Error("DNS name cannot end in a period");
408 }
409 }
410
411 const uint8_t cu = static_cast<uint8_t>(c);
412 if(cu >= 128) {
413 throw Decoding_Error("DNS name must not contain any extended ASCII code points");
414 }
415 const uint8_t mapped = DNS_CHAR_MAPPING[cu];
416 if(mapped == 0) {
417 throw Decoding_Error("DNS name includes invalid character");
418 }
419 // TODO check label lengths
420 canon.push_back(static_cast<char>(mapped));
421 }
422
423 return canon;
424}

Referenced by Botan::AlternativeName::decode_from().

◆ check_bcrypt()

bool Botan::check_bcrypt ( std::string_view password,
std::string_view hash )

Check a previously created password hash

Takes a password and a bcrypt hash and returns true if the password is the same as the one that was used to generate the bcrypt hash.

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 160 of file bcrypt.cpp.

160 {
161 if(hash.size() != 60 || hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$') {
162 return false;
163 }
164
165 const char bcrypt_version = hash[2];
166
167 if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y') {
168 return false;
169 }
170
171 const uint16_t workfactor = to_uint16(hash.substr(4, 2));
172
173 const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
174 if(salt.size() != 16) {
175 return false;
176 }
177
178 const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
179
180 return CT::is_equal(cast_char_ptr_to_uint8(hash.data()), cast_char_ptr_to_uint8(compare.data()), compare.size())
181 .as_bool();
182}
uint16_t to_uint16(std::string_view str)
Definition parsing.cpp:22
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:276

References cast_char_ptr_to_uint8(), Botan::CT::is_equal(), and to_uint16().

Referenced by botan_bcrypt_is_valid().

◆ check_passhash9()

bool Botan::check_passhash9 ( std::string_view password,
std::string_view hash )

Check a previously created password hash

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 75 of file passhash9.cpp.

75 {
76 const size_t BINARY_LENGTH = ALGID_BYTES + WORKFACTOR_BYTES + PASSHASH9_PBKDF_OUTPUT_LEN + SALT_BYTES;
77
78 const size_t BASE64_LENGTH = MAGIC_PREFIX.size() + (BINARY_LENGTH * 8) / 6;
79
80 if(hash.size() != BASE64_LENGTH) {
81 return false;
82 }
83
84 for(size_t i = 0; i != MAGIC_PREFIX.size(); ++i) {
85 if(hash[i] != MAGIC_PREFIX[i]) {
86 return false;
87 }
88 }
89
90 secure_vector<uint8_t> bin = base64_decode(hash.data() + MAGIC_PREFIX.size());
91
92 if(bin.size() != BINARY_LENGTH) {
93 return false;
94 }
95
96 uint8_t alg_id = bin[0];
97
98 const size_t work_factor = load_be<uint16_t>(&bin[ALGID_BYTES], 0);
99
100 // Bug in the format, bad states shouldn't be representable, but are...
101 if(work_factor == 0) {
102 return false;
103 }
104
105 if(work_factor > 512) {
106 throw Invalid_Argument("Requested passhash9 work factor " + std::to_string(work_factor) + " is too large");
107 }
108
109 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
110
111 auto pbkdf_prf = get_pbkdf_prf(alg_id);
112
113 if(!pbkdf_prf) {
114 return false; // unknown algorithm, reject
115 }
116
117 PKCS5_PBKDF2 kdf(std::move(pbkdf_prf));
118
120 kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES, kdf_iterations)
121 .bits_of();
122
123 const uint8_t* hashbytes = &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES];
124
125 return CT::is_equal(cmp.data(), hashbytes, PASSHASH9_PBKDF_OUTPUT_LEN).as_bool();
126}
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:65

References base64_decode(), Botan::OctetString::bits_of(), Botan::PBKDF::derive_key(), Botan::CT::is_equal(), and load_be().

◆ checked_add() [1/2]

template<std::unsigned_integral T>
std::optional< T > Botan::checked_add ( T a,
T b )
inlineconstexpr

Definition at line 19 of file int_utils.h.

19 {
20 const T r = a + b;
21 if(r < a || r < b) {
22 return {};
23 }
24 return r;
25}

Referenced by checked_add(), Botan::AlternativeName::count(), and Botan::OID::encode_into().

◆ checked_add() [2/2]

template<std::unsigned_integral T, std::unsigned_integral... Ts>
requires all_same_v<T, Ts...>
std::optional< T > Botan::checked_add ( T a,
T b,
Ts... rest )
inlineconstexpr

Definition at line 37 of file int_utils.h.

37 {
38 if(auto r = checked_add(a, b)) {
39 return checked_add(r.value(), rest...);
40 } else {
41 return {};
42 }
43}
constexpr std::optional< T > checked_add(T a, T b)
Definition int_utils.h:19

References checked_add().

◆ checked_cast_to()

template<typename RT, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
RT Botan::checked_cast_to ( AT i)
constexpr

Definition at line 74 of file int_utils.h.

74 {
75 return checked_cast_to_or_throw<RT, Internal_Error>(i, "Error during integer conversion");
76}
constexpr RT checked_cast_to_or_throw(AT i, std::string_view error_msg_on_fail)
Definition int_utils.h:61

References checked_cast_to_or_throw().

Referenced by Botan::HSS_LMS_Params::L(), Botan::ML_DSA_MessageHash::start(), and Botan::HSS_LMS_PublicKeyInternal::verify_signature().

◆ checked_cast_to_or_throw()

template<typename RT, typename ExceptionType, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
RT Botan::checked_cast_to_or_throw ( AT i,
std::string_view error_msg_on_fail )
constexpr

Definition at line 61 of file int_utils.h.

61 {
62 const auto unwrapped_input = unwrap_strong_type(i);
63
64 const auto unwrapped_result = static_cast<strong_type_wrapped_type<RT>>(unwrapped_input);
65 if(unwrapped_input != static_cast<strong_type_wrapped_type<AT>>(unwrapped_result)) [[unlikely]] {
66 throw ExceptionType(error_msg_on_fail);
67 }
68
69 return wrap_strong_type<RT>(unwrapped_result);
70}
constexpr decltype(auto) unwrap_strong_type(T &&t)
Generically unwraps a strong type to its underlying type.
typename detail::wrapped_type_helper< std::remove_cvref_t< T > >::type strong_type_wrapped_type
Extracts the wrapped type from a strong type.
constexpr decltype(auto) wrap_strong_type(ParamT &&t)
Wraps a value into a caller-defined (strong) type.

References unwrap_strong_type(), and wrap_strong_type().

Referenced by checked_cast_to(), and Botan::HSS_LMS_Params::HSS_LMS_Params().

◆ checked_mul()

template<std::unsigned_integral T>
std::optional< T > Botan::checked_mul ( T a,
T b )
inlineconstexpr

Definition at line 46 of file int_utils.h.

46 {
47 // Multiplication by 1U is a hack to work around C's insane
48 // integer promotion rules.
49 // https://stackoverflow.com/questions/24795651
50 const T r = (1U * a) * b;
51 // If a == 0 then the multiply certainly did not overflow
52 // Otherwise r / a == b unless overflow occured
53 if(a != 0 && r / a != b) {
54 return {};
55 }
56 return r;
57}

Referenced by Botan::mlock_allocator::allocate(), allocate_memory(), and Botan::mlock_allocator::deallocate().

◆ checked_sub()

template<std::unsigned_integral T>
std::optional< T > Botan::checked_sub ( T a,
T b )
constexpr

Definition at line 28 of file int_utils.h.

28 {
29 if(b > a) {
30 return {};
31 }
32 return a - b;
33}

◆ choose()

template<typename T>
T Botan::choose ( T mask,
T a,
T b )
inlineconstexpr

Definition at line 204 of file bit_ops.h.

204 {
205 //return (mask & a) | (~mask & b);
206 return (b ^ (mask & (a ^ b)));
207}

Referenced by majority(), Botan::CT::Mask< T >::select(), Botan::CT::Mask< T >::select_n(), SHA2_32_F(), SHA2_32_F(), SHA2_64_F(), and SHA2_64_F().

◆ clear_bytes()

void Botan::clear_bytes ( void * ptr,
size_t bytes )
inlineconstexpr

Zero out some bytes. Warning: use secure_scrub_memory instead if the memory is about to be freed or otherwise the compiler thinks it can elide the writes.

Parameters
ptra pointer to memory to zero
bytesthe number of bytes to zero in ptr

Definition at line 106 of file mem_ops.h.

106 {
107 if(bytes > 0) {
108 std::memset(ptr, 0, bytes);
109 }
110}

Referenced by clear_mem(), clear_mem(), Botan::TPM2::init_with_size(), and Botan::Memory_Pool::Memory_Pool().

◆ clear_mem() [1/2]

template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
void Botan::clear_mem ( R && mem)
inlineconstexpr

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation.

Parameters
mema contiguous range of Ts to zero

Definition at line 135 of file mem_ops.h.

137{
138 clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem));
139}
constexpr size_t size_bytes(spanable_range auto &&r)
Definition concepts.h:95
constexpr void clear_bytes(void *ptr, size_t bytes)
Definition mem_ops.h:106

References clear_bytes(), and Botan::ranges::size_bytes().

◆ clear_mem() [2/2]

template<typename T>
void Botan::clear_mem ( T * ptr,
size_t n )
inlineconstexpr

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation (for example, if calling clear_mem before deallocating memory, the compiler would be allowed to omit the call to memset entirely under the as-if rule.)

Parameters
ptra pointer to an array of Ts to zero
nthe number of Ts pointed to by ptr

Definition at line 123 of file mem_ops.h.

123 {
124 clear_bytes(ptr, sizeof(T) * n);
125}

References clear_bytes().

Referenced by base_decode(), basecase_mul(), basecase_sqr(), bigint_monty_redc_inplace(), bigint_mul(), bigint_shl1(), bigint_shr1(), bigint_sqr(), Botan_FFI::botan_view_bin_bounce_fn(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::clear(), Botan::CT::copy_output(), create_aes_row_generator(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::ct_shift_left(), Botan::Bcrypt_PBKDF::derive_key(), Botan::ZFEC::encode_shares(), Botan::BigInt::encode_words(), Botan::FE_25519::FE_25519(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::fill_up_with_zeros(), Botan::StreamCipher::generate_keystream(), Botan::Gf448Elem::Gf448Elem(), hex_decode(), Botan::BLAKE2b::key_schedule(), Botan::EC_Point_Var_Point_Precompute::mul(), pbkdf2(), Botan::CRYSTALS::Trait_Base< ConstantsT, DerivedT >::polyvec_pointwise_acc_montgomery(), Botan::BigInt::reduce_below(), Botan::BigInt::rev_sub(), Botan::polyn_gf2m::set_to_zero(), Botan::polyn_gf2m::sqmod_init(), Botan::bitvector_base< secure_allocator >::to_bytes(), Botan_FFI::write_output(), Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::Zlib_Style_Stream(), and Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::~Zlib_Style_Stream().

◆ comba_mul()

template<size_t N, WordType W>
void Botan::comba_mul ( W z[2 *N],
const W x[N],
const W y[N] )
inlineconstexpr

Definition at line 882 of file mp_core.h.

882 {
883 if(!std::is_constant_evaluated()) {
884 if constexpr(std::same_as<W, word> && N == 4) {
885 return bigint_comba_mul4(z, x, y);
886 }
887 if constexpr(std::same_as<W, word> && N == 6) {
888 return bigint_comba_mul6(z, x, y);
889 }
890 if constexpr(std::same_as<W, word> && N == 7) {
891 return bigint_comba_mul7(z, x, y);
892 }
893 if constexpr(std::same_as<W, word> && N == 8) {
894 return bigint_comba_mul8(z, x, y);
895 }
896 if constexpr(std::same_as<W, word> && N == 9) {
897 return bigint_comba_mul9(z, x, y);
898 }
899 if constexpr(std::same_as<W, word> && N == 16) {
900 return bigint_comba_mul16(z, x, y);
901 }
902 }
903
904 word3<W> accum;
905
906 for(size_t i = 0; i != 2 * N; ++i) {
907 const size_t start = i + 1 < N ? 0 : i + 1 - N;
908 const size_t end = std::min(N, i + 1);
909
910 for(size_t j = start; j != end; ++j) {
911 accum.mul(x[j], y[i - j]);
912 }
913 z[i] = accum.extract();
914 }
915}
void bigint_comba_mul7(word z[14], const word x[7], const word y[7])
Definition mp_comba.cpp:221

References bigint_comba_mul16(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul7(), bigint_comba_mul8(), bigint_comba_mul9(), Botan::word3< W >::extract(), and Botan::word3< W >::mul().

◆ comba_sqr()

template<size_t N, WordType W>
void Botan::comba_sqr ( W z[2 *N],
const W x[N] )
inlineconstexpr

Definition at line 918 of file mp_core.h.

918 {
919 if(!std::is_constant_evaluated()) {
920 if constexpr(std::same_as<W, word> && N == 4) {
921 return bigint_comba_sqr4(z, x);
922 }
923 if constexpr(std::same_as<W, word> && N == 6) {
924 return bigint_comba_sqr6(z, x);
925 }
926 if constexpr(std::same_as<W, word> && N == 7) {
927 return bigint_comba_sqr7(z, x);
928 }
929 if constexpr(std::same_as<W, word> && N == 8) {
930 return bigint_comba_sqr8(z, x);
931 }
932 if constexpr(std::same_as<W, word> && N == 9) {
933 return bigint_comba_sqr9(z, x);
934 }
935 if constexpr(std::same_as<W, word> && N == 16) {
936 return bigint_comba_sqr16(z, x);
937 }
938 }
939
940 word3<W> accum;
941
942 for(size_t i = 0; i != 2 * N; ++i) {
943 const size_t start = i + 1 < N ? 0 : i + 1 - N;
944 const size_t end = std::min(N, i + 1);
945
946 for(size_t j = start; j != end; ++j) {
947 accum.mul(x[j], x[i - j]);
948 }
949 z[i] = accum.extract();
950 }
951}
void bigint_comba_sqr7(word z[14], const word x[7])
Definition mp_comba.cpp:171

References bigint_comba_sqr16(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr7(), bigint_comba_sqr8(), bigint_comba_sqr9(), Botan::word3< W >::extract(), and Botan::word3< W >::mul().

◆ combine_lower()

uint64_t Botan::combine_lower ( const donna128 & a,
size_t s1,
const donna128 & b,
size_t s2 )
inlineconstexpr

Definition at line 137 of file donna128.h.

137 {
138 donna128 z = (a >> s1) | (b << s2);
139 return z.lo();
140}
constexpr uint64_t lo() const
Definition donna128.h:89

References Botan::donna128::lo().

◆ commoncrypto_adjust_key_size()

void Botan::commoncrypto_adjust_key_size ( const uint8_t key[],
size_t length,
const CommonCryptor_Opts & opts,
secure_vector< uint8_t > & full_key )

Definition at line 134 of file commoncrypto_utils.cpp.

137 {
138 if(opts.algo == kCCAlgorithmBlowfish && length < 8) {
139 size_t repeat;
140 switch(length) {
141 case 1:
142 repeat = 8;
143 break;
144 case 2:
145 repeat = 4;
146 break;
147 case 3:
148 repeat = 3;
149 break;
150 default:
151 repeat = 2;
152 break;
153 }
154
155 full_key.resize(length * repeat);
156 for(size_t i = 0; i < repeat; i++) {
157 copy_mem(full_key.data() + i * length, key, length);
158 }
159 } else if(opts.algo == kCCAlgorithm3DES && length == 16) {
160 full_key += std::make_pair(key, 8);
161 }
162}

References Botan::CommonCryptor_Opts::algo, and copy_mem().

◆ commoncrypto_opts_from_algo()

CommonCryptor_Opts Botan::commoncrypto_opts_from_algo ( std::string_view algo)

Definition at line 96 of file commoncrypto_utils.cpp.

96 {
97 SCAN_Name spec(algo);
98
99 std::string algo_name = spec.algo_name();
100 std::string cipher_mode = spec.cipher_mode();
101 std::string cipher_mode_padding = spec.cipher_mode_pad();
102
104
105 //TODO add CFB and XTS support
106 if(cipher_mode.empty() || cipher_mode == "ECB") {
107 opts.mode = kCCModeECB;
108 } else if(cipher_mode == "CBC") {
109 opts.mode = kCCModeCBC;
110 } else if(cipher_mode == "CTR") {
111 opts.mode = kCCModeCTR;
112 } else if(cipher_mode == "OFB") {
113 opts.mode = kCCModeOFB;
114 } else {
115 throw CommonCrypto_Error("Unsupported cipher mode!");
116 }
117
118 if(cipher_mode_padding == "NoPadding") {
119 opts.padding = ccNoPadding;
120 }
121 /*
122 else if(cipher_mode_padding.empty() || cipher_mode_padding == "PKCS7")
123 {
124 opts.padding = ccPKCS7Padding;
125 }
126 */
127 else {
128 throw CommonCrypto_Error("Unsupported cipher mode padding!");
129 }
130
131 return opts;
132}
CommonCryptor_Opts commoncrypto_opts_from_algo_name(std::string_view algo_name)

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::cipher_mode(), Botan::SCAN_Name::cipher_mode_pad(), commoncrypto_opts_from_algo_name(), Botan::CommonCryptor_Opts::mode, and Botan::CommonCryptor_Opts::padding.

Referenced by make_commoncrypto_cipher_mode().

◆ commoncrypto_opts_from_algo_name()

CommonCryptor_Opts Botan::commoncrypto_opts_from_algo_name ( std::string_view algo_name)

Definition at line 56 of file commoncrypto_utils.cpp.

56 {
58
59 if(algo_name.compare(0, 3, "AES") == 0) {
60 opts.algo = kCCAlgorithmAES;
61 opts.block_size = kCCBlockSizeAES128;
62 if(algo_name == "AES-128") {
63 opts.key_spec = Key_Length_Specification(kCCKeySizeAES128);
64 } else if(algo_name == "AES-192") {
65 opts.key_spec = Key_Length_Specification(kCCKeySizeAES192);
66 } else if(algo_name == "AES-256") {
67 opts.key_spec = Key_Length_Specification(kCCKeySizeAES256);
68 } else {
69 throw CommonCrypto_Error("Unknown AES algorithm");
70 }
71 } else if(algo_name == "DES") {
72 opts.algo = kCCAlgorithmDES;
73 opts.block_size = kCCBlockSizeDES;
74 opts.key_spec = Key_Length_Specification(kCCKeySizeDES);
75 } else if(algo_name == "TripleDES") {
76 opts.algo = kCCAlgorithm3DES;
77 opts.block_size = kCCBlockSize3DES;
78 opts.key_spec = Key_Length_Specification(16, kCCKeySize3DES, 8);
79 } else if(algo_name == "Blowfish") {
80 opts.algo = kCCAlgorithmBlowfish;
81 opts.block_size = kCCBlockSizeBlowfish;
82 opts.key_spec = Key_Length_Specification(1, kCCKeySizeMaxBlowfish, 1);
83 } else if(algo_name == "CAST-128") {
84 opts.algo = kCCAlgorithmCAST;
85 opts.block_size = kCCBlockSizeCAST;
86 // Botan's base implementation of CAST does not support shorter keys
87 // so we limit its minimum key size to 11 here.
88 opts.key_spec = Key_Length_Specification(11, kCCKeySizeMaxCAST, 1);
89 } else {
90 throw CommonCrypto_Error("Unsupported cipher");
91 }
92
93 return opts;
94}
Key_Length_Specification key_spec

References Botan::CommonCryptor_Opts::algo, Botan::CommonCryptor_Opts::block_size, and Botan::CommonCryptor_Opts::key_spec.

Referenced by commoncrypto_opts_from_algo(), and make_commoncrypto_block_cipher().

◆ compute_root() [1/2]

BOTAN_TEST_API void Botan::compute_root ( StrongSpan< SphincsTreeNode > out,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes,
const SphincsTreeNode & leaf,
TreeNodeIndex leaf_idx,
uint32_t idx_offset,
StrongSpan< const SphincsAuthenticationPath > authentication_path,
uint32_t tree_height,
Sphincs_Address & tree_address )

Using a leaf node and the authentication path (neighbor nodes on the way from leaf to root), computes the the root node of the respective tree. This function is generic and used by FORS and XMSS in the SLH-DSA verification logic.

Definition at line 102 of file sp_treehash.cpp.

110 {
111 BOTAN_ASSERT_NOMSG(out.size() == params.n());
112 BOTAN_ASSERT_NOMSG(authentication_path.size() == params.n() * total_tree_height);
113 BOTAN_ASSERT_NOMSG(leaf.size() == params.n());
114
115 // Use the `out` parameter as intermediate buffer for left/right nodes
116 // while traversing the tree.
117 copy_mem(out, leaf);
118
119 // Views into either `auth_path` or `out` depending on the tree location.
122
123 BufferSlicer auth_path(authentication_path);
124
125 // The leaf is put in the left or right buffer, depending on its indexes parity.
126 // Same for the first node of the authentication path
127
128 for(TreeLayerIndex i(0); i < total_tree_height; i++) {
129 // The input of the hash function takes the current node and the node
130 // given in the authentication path. If the current node is a right node
131 // in the tree (i.e. its leaf index is uneven) the hash function inputs
132 // must be swapped.
133 left = out;
134 right = auth_path.take<SphincsTreeNode>(params.n());
135
136 if((leaf_idx & 1) == 1U) {
137 std::swap(left, right);
138 }
139
140 leaf_idx /= 2;
141 idx_offset /= 2;
142 tree_address.set_tree_height(i + 1).set_tree_index(leaf_idx + idx_offset);
143
144 hashes.T(out, tree_address, left, right);
145 }
146
147 BOTAN_ASSERT_NOMSG(auth_path.empty());
148}
Sphincs_Address & set_tree_height(TreeLayerIndex tree_height)
Definition sp_address.h:89
Sphincs_Address & set_tree_index(TreeNodeIndex tree_index)
Definition sp_address.h:99
void T(std::span< uint8_t > out, const Sphincs_Address &address, BufferTs &&... in)
Definition sp_hash.h:57
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
size_type size() const noexcept(noexcept(this->get().size()))
Strong< std::vector< uint8_t >, struct SphincsTreeNode_ > SphincsTreeNode
Either an XMSS or FORS tree node or leaf.
Definition sp_types.h:70
Strong< uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber > TreeLayerIndex
Index of the layer within a FORS/XMSS tree.
Definition sp_types.h:83

References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::BufferSlicer::empty(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::detail::Container_Strong_Adapter_Base< T >::size(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().

Referenced by fors_public_key_from_signature(), and ht_verify().

◆ compute_root() [2/2]

template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void Botan::compute_root ( StrongSpan< TreeNode > out_root,
AuthPathSS authentication_path,
TreeNodeIndex leaf_idx,
StrongSpan< const TreeNode > leaf,
size_t node_size,
TreeLayerIndex total_tree_height,
uint32_t idx_offset,
concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash,
Address & tree_address )
inline

Uses an authentication path and a leaf node to reconstruct the root node of a merkle tree.

Parameters
out_rootA output buffer for the root node of the merkle tree.
authentication_pathThe authentication path in one buffer (concatenated nodes).
leaf_idxThe index of the leaf used to sig in the bottom layer beginning with 0.
leafThe leaf node used to sig.
node_sizeThe size of each node in the tree.
total_tree_heightThe hight of the merkle tree to construct.
idx_offsetIf we compute a subtree this marks the index of the leftmost leaf node in the bottom layer.
node_pair_hashThe function to process two child nodes to compute their parent node.
tree_addressThe address that is passed to node_pair hash. This function will update the address accordings to the currently processed node. This object may contain further algorithm specific information, like the position of this merkle tree in a hypertree.

Definition at line 214 of file tree_hash.h.

223 {
224 BOTAN_ASSERT_NOMSG(out_root.size() == node_size);
225 BOTAN_ASSERT_NOMSG(authentication_path.size() == node_size * static_cast<size_t>(total_tree_height.get()));
226 BOTAN_ASSERT_NOMSG(leaf.size() == node_size);
227
228 // Use the `out` parameter as intermediate buffer for left/right nodes
229 // while traversing the tree.
230 copy_mem(out_root, leaf);
231
232 // Views into either `auth_path` or `out` depending on the tree location.
235
236 BufferSlicer auth_path(authentication_path);
237
238 // The leaf is put in the left or right buffer, depending on its indexes parity.
239 // Same for the first node of the authentication path
240
241 for(TreeLayerIndex i(0); i < total_tree_height; i++) {
242 // The input of the hash function takes the current node and the node
243 // given in the authentication path. If the current node is a right node
244 // in the tree (i.e. its leaf index is uneven) the hash function inputs
245 // must be swapped.
246 left = out_root;
247 right = auth_path.take<TreeNode>(node_size);
248
249 if((leaf_idx & 1) == 1U) {
250 std::swap(left, right);
251 }
252
253 leaf_idx /= 2;
254 idx_offset /= 2;
255 tree_address.set_address(i + 1, leaf_idx + idx_offset);
256
257 node_pair_hash(out_root, tree_address, left, right);
258 }
259
260 BOTAN_ASSERT_NOMSG(auth_path.empty());
261}

References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), Botan::StrongSpan< T >::size(), and Botan::BufferSlicer::take().

◆ compute_rsa_secret_exponent()

BigInt BOTAN_TEST_API Botan::compute_rsa_secret_exponent ( const BigInt & e,
const BigInt & phi_n,
const BigInt & p,
const BigInt & q )

Compute the RSA private exponent d

This algorithm is constant time with respect to phi_n, p, and q, aside from leaking their lengths. It may leak the public exponent e.

Parameters
ethe public exponent
phi_nis lcm(p-1, q-1)
pis the first secret prime
qis the second secret prime
Returns
d inverse of e modulo phi_n

Definition at line 330 of file mod_inv.cpp.

330 {
331 /*
332 * Both p - 1 and q - 1 are chosen to be relatively prime to e. Thus
333 * phi(n), the least common multiple of p - 1 and q - 1, is also
334 * relatively prime to e.
335 */
336 BOTAN_DEBUG_ASSERT(gcd(e, phi_n) == 1);
337
338 if(e == 65537) {
339 /*
340 Arazi's algorithm for inversion of prime x modulo a non-prime
341
342 "GCD-Free Algorithms for Computing Modular Inverses"
343 Marc Joye and Pascal Paillier, CHES 2003 (LNCS 2779)
344 https://marcjoye.github.io/papers/JP03gcdfree.pdf
345
346 This could be extended to cover other cases such as e=3 or e=17 but
347 these days 65537 is the standard RSA public exponent
348 */
349
350 constexpr word e_w = 65537;
351
352 const word phi_mod_e = ct_mod_word(phi_n, e_w);
353 const word inv_phi_mod_e = inverse_mod_65537(phi_mod_e);
354 BOTAN_DEBUG_ASSERT((inv_phi_mod_e * phi_mod_e) % e_w == 1);
355 const word neg_inv_phi_mod_e = (e_w - inv_phi_mod_e);
356 return ct_divide_word((phi_n * neg_inv_phi_mod_e) + 1, e_w);
357 } else {
358 // TODO possibly do something else taking advantage of the special structure here
359
360 BOTAN_UNUSED(p, q);
361 if(auto d = inverse_mod_general(e, phi_n)) {
362 return *d;
363 } else {
364 throw Internal_Error("Failed to compute RSA secret exponent");
365 }
366 }
367}
#define BOTAN_UNUSED
Definition assert.h:120
word ct_mod_word(const BigInt &x, word y)
Definition divide.cpp:168
void ct_divide_word(const BigInt &x, word y, BigInt &q_out, word &r_out)
Definition divide.cpp:123
std::optional< BigInt > inverse_mod_general(const BigInt &x, const BigInt &mod)
Definition mod_inv.cpp:177
BigInt gcd(const BigInt &a, const BigInt &b)
Definition numthry.cpp:193

References BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, ct_divide_word(), ct_mod_word(), gcd(), and inverse_mod_general().

Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ concat()

template<typename OutR = detail::AutoDetect, ranges::spanable_range... Rs>
requires (all_same_v<std::ranges::range_value_t<Rs>...>)
auto Botan::concat ( Rs &&... ranges)
constexpr

Concatenate an arbitrary number of buffers. Performs range-checks as needed.

The output type can be auto-detected based on the input ranges, or explicitly specified by the caller. If all input ranges have a static extent, the total size is calculated at compile time and a statically sized std::array<> is used. Otherwise this tries to use the type of the first input range as output type.

Alternatively, the output container type can be specified explicitly.

Definition at line 264 of file stl_util.h.

266{
267 if constexpr(std::same_as<detail::AutoDetect, OutR>) {
268 // Try to auto-detect a reasonable output type given the input ranges
269 static_assert(sizeof...(Rs) > 0, "Cannot auto-detect the output type if not a single input range is provided.");
270 using candidate_result_t = std::remove_cvref_t<std::tuple_element_t<0, std::tuple<Rs...>>>;
271 using result_range_value_t = std::remove_cvref_t<std::ranges::range_value_t<candidate_result_t>>;
272
273 if constexpr((ranges::statically_spanable_range<Rs> && ...)) {
274 // If all input ranges have a static extent, we can calculate the total size at compile time
275 // and therefore can use a statically sized output container. This is constexpr.
276 constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0);
277 using out_array_t = std::array<result_range_value_t, total_size>;
278 return detail::concatenate<out_array_t>(std::forward<Rs>(ranges)...);
279 } else {
280 // If at least one input range has a dynamic extent, we must use a dynamically allocated output container.
281 // We assume that the user wants to use the first input range's container type as output type.
282 static_assert(
284 "First input range has static extent, but a dynamically allocated output range is required. Please explicitly specify a dynamically allocatable output type.");
285 return detail::concatenate<candidate_result_t>(std::forward<Rs>(ranges)...);
286 }
287 } else {
288 // The caller has explicitly specified the output type
289 return detail::concatenate<OutR>(std::forward<Rs>(ranges)...);
290 }
291}
constexpr OutR concatenate(Rs &&... ranges)
Definition stl_util.h:205

References Botan::detail::concatenate().

Referenced by Botan::PKIX::check_ocsp(), Botan::Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial(), Botan::Expanded_Keypair_Codec::encode_keypair(), Botan::Seed_Expanding_Keypair_Codec::encode_keypair(), hkdf_expand_label(), Botan::Kyber_PublicKeyInternal::Kyber_PublicKeyInternal(), Botan::SphincsPlus_PrivateKey::private_key_bits(), Botan::FrodoKEM_PrivateKey::raw_private_key_bits(), Botan::FrodoKEM_PublicKey::raw_public_key_bits(), Botan::Hybrid_PublicKey::raw_public_key_bits(), Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits(), Botan::XMSS_PublicKey::raw_public_key_bits(), Botan::Classic_McEliece_PrivateKeyInternal::serialize(), Botan::HSS_LMS_PublicKeyInternal::to_bytes(), and Botan::LMS_PublicKey::to_bytes().

◆ constant_time_compare() [1/2]

bool Botan::constant_time_compare ( const uint8_t x[],
const uint8_t y[],
size_t len )
inline

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
true iff x[i] == y[i] forall i in [0...n)

Definition at line 93 of file mem_ops.h.

93 {
94 // simply assumes that *x and *y point to len allocated bytes at least
95 return constant_time_compare({x, len}, {y, len});
96}
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17

References constant_time_compare().

◆ constant_time_compare() [2/2]

bool Botan::constant_time_compare ( std::span< const uint8_t > x,
std::span< const uint8_t > y )

Memory comparison, input insensitive

Parameters
xa range of bytes
yanother range of bytes
Returns
true iff x and y have equal lengths and x[i] == y[i] forall i in [0...n)

Definition at line 17 of file mem_ops.cpp.

17 {
18 const auto min_size = CT::Mask<size_t>::is_lte(x.size(), y.size()).select(x.size(), y.size());
19 const auto equal_size = CT::Mask<size_t>::is_equal(x.size(), y.size());
20 const auto equal_content = CT::Mask<size_t>::expand(CT::is_equal(x.data(), y.data(), min_size));
21 return (equal_content & equal_size).as_bool();
22}
static constexpr Mask< T > is_lte(T x, T y)
Definition ct_utils.h:475

References Botan::CT::Mask< T >::expand(), Botan::CT::is_equal(), Botan::CT::Mask< T >::is_equal(), and Botan::CT::Mask< T >::is_lte().

Referenced by constant_time_compare(), Botan::EMSA_PKCS1v15::verify(), and Botan::EMSA_PKCS1v15_Raw::verify().

◆ copy_mem() [1/2]

template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
void Botan::copy_mem ( OutR && out,
InR && in )
inlineconstexpr

Copy memory

Parameters
outthe destination array
inthe source array

Definition at line 165 of file mem_ops.h.

165 {
167 if(std::is_constant_evaluated()) {
168 std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out));
169 } else if(ranges::size_bytes(out) > 0) {
170 std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out));
171 }
172}
constexpr void assert_equal_byte_lengths(R0 &&r0, Rs &&... rs)
Definition concepts.h:129

References Botan::ranges::assert_equal_byte_lengths(), and Botan::ranges::size_bytes().

◆ copy_mem() [2/2]

template<typename T>
requires std::is_trivial<typename std::decay<T>::type>::value
void Botan::copy_mem ( T * out,
const T * in,
size_t n )
inlineconstexpr

Copy memory

Parameters
outthe destination array
inthe source array
nthe number of elements of in/out

Definition at line 149 of file mem_ops.h.

149 {
150 BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null");
151
152 if(in != nullptr && out != nullptr && n > 0) {
153 std::memmove(out, in, sizeof(T) * n);
154 }
155}
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
Definition assert.h:79

References BOTAN_ASSERT_IMPLICATION.

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), bigint_mod_sub(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), Botan::Argon2::blamka(), botan_cipher_update(), botan_privkey_ed25519_get_privkey(), botan_privkey_ed448_get_privkey(), botan_privkey_x25519_get_privkey(), botan_privkey_x448_get_privkey(), botan_pubkey_ed25519_get_pubkey(), botan_pubkey_ed448_get_pubkey(), botan_pubkey_x25519_get_pubkey(), botan_pubkey_x448_get_pubkey(), Botan_FFI::botan_view_bin_bounce_fn(), buffer_insert(), buffer_insert(), Botan::Ed25519_PublicKey::check_key(), Botan::CRYSTALS::Polynomial< DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT >::clone(), Botan::CRYSTALS::PolynomialVector< DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT >::clone(), commoncrypto_adjust_key_size(), Botan::Streebog::compress_64(), compute_root(), compute_root(), Botan::TPM2::copy_into(), Botan::TPM2::copy_into(), Botan::Sodium::crypto_auth_hmacsha512256(), Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_seed_keypair(), curve25519_donna(), ed25519_gen_keypair(), Botan::Ed448_PublicKey::Ed448_PublicKey(), Botan::ML_KEM_Encryptor::encapsulate(), Botan::BigInt::encode_words(), Botan::CryptoBox::encrypt(), expand_message_xmd(), Botan::FE_25519::FE_25519(), Botan::RawHashFunction::final_result(), Botan::TLS::Stream_Handshake_IO::format(), Botan::CCM_Mode::format_b0(), Botan::CCM_Mode::format_c0(), Botan::TPM_Context::gen_random(), Botan::Gf448Elem::Gf448Elem(), Botan::BLAKE2b::key_schedule(), mceliece_decrypt(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), nist_key_unwrap(), nist_key_unwrap_padded(), nist_key_wrap(), nist_key_wrap_padded(), operator^(), Botan::DataSource_Memory::peek(), Botan::PseudorandomKeyGeneration::PseudorandomKeyGeneration(), Botan::DataSource_Memory::read(), Botan::Blowfish::salted_set_key(), Botan::Scalar448::Scalar448(), Botan::CTR_BE::seek(), Botan::EC_AffinePoint_Data_PC::serialize_uncompressed_to(), Botan::EC_AffinePoint_Data_BN::serialize_x_to(), Botan::EC_AffinePoint_Data_PC::serialize_x_to(), Botan::EC_AffinePoint_Data_BN::serialize_xy_to(), Botan::EC_AffinePoint_Data_PC::serialize_xy_to(), Botan::EC_AffinePoint_Data_BN::serialize_y_to(), Botan::EC_AffinePoint_Data_PC::serialize_y_to(), Botan::TLS::Session_Keys::Session_Keys(), Botan::CFB_Mode::shift_register(), Botan::HSS_LMS_PrivateKeyInternal::sign(), Botan::RTSS_Share::split(), Botan::polyn_gf2m::sqmod_init(), Botan::Montgomery_Params::square_this(), Botan::GHASH::start(), Botan::bitvector_base< secure_allocator >::subvector(), treehash(), treehash(), Botan::Base64_Decoder::write(), Botan::Base64_Encoder::write(), Botan::Buffered_Filter::write(), Botan::Hex_Decoder::write(), Botan::Hex_Encoder::write(), Botan_FFI::write_output(), and Botan::X448_PublicKey::X448_PublicKey().

◆ copy_out_be()

template<ranges::spanable_range InR>
void Botan::copy_out_be ( std::span< uint8_t > out,
InR && in )
inline

Partially copy a subset of in into out using big-endian byte order.

Definition at line 773 of file loadstor.h.

773 {
774 using T = std::ranges::range_value_t<InR>;
775 std::span<const T> in_s{in};
776 const auto remaining_bytes = detail::copy_out_any_word_aligned_portion<std::endian::big>(out, in_s);
777
778 // copy remaining bytes as a partial word
779 for(size_t i = 0; i < remaining_bytes; ++i) {
780 out[i] = get_byte_var(i, in_s.front());
781 }
782}
size_t copy_out_any_word_aligned_portion(std::span< uint8_t > &out, std::span< const T > &in)
Definition loadstor.h:752
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:69

References Botan::detail::copy_out_any_word_aligned_portion(), and get_byte_var().

◆ copy_out_le()

template<ranges::spanable_range InR>
void Botan::copy_out_le ( std::span< uint8_t > out,
InR && in )
inline

Partially copy a subset of in into out using little-endian byte order.

Definition at line 789 of file loadstor.h.

789 {
790 using T = std::ranges::range_value_t<InR>;
791 std::span<const T> in_s{in};
792 const auto remaining_bytes = detail::copy_out_any_word_aligned_portion<std::endian::little>(out, in_s);
793
794 // copy remaining bytes as a partial word
795 for(size_t i = 0; i < remaining_bytes; ++i) {
796 out[i] = get_byte_var(sizeof(T) - 1 - i, in_s.front());
797 }
798}

References Botan::detail::copy_out_any_word_aligned_portion(), and get_byte_var().

Referenced by Botan::BLAKE2b::final_result(), and xts_update_tweak_block().

◆ create_aes_row_generator()

auto Botan::create_aes_row_generator ( const FrodoKEMConstants & constants,
StrongSpan< const FrodoSeedA > seed_a )
inline

Definition at line 25 of file frodo_aes_generator.h.

25 {
26 BOTAN_ASSERT_NOMSG(constants.mode().is_aes());
27
28 auto setup_aes = [](StrongSpan<const FrodoSeedA> seed) {
29 AES_128 aes;
30 aes.set_key(seed);
31 return aes;
32 };
33
34 return [n = static_cast<uint16_t>(constants.n()), aes = setup_aes(seed_a)](std::span<uint8_t> out, uint16_t i) {
35 BufferStuffer out_bs(out);
36
37 BOTAN_DEBUG_ASSERT(out_bs.remaining_capacity() % AES_128::BLOCK_SIZE == 0);
38
39 for(uint16_t j = 0; j < n; j += AES_128::BLOCK_SIZE / 2) {
40 // set up the to-be-encrypted 'b' value in the out variable
41 // for in-place encryption of the block cipher
42 // b = i || j || 0000...
43 out_bs.append(store_le(i, j));
44 clear_mem(out_bs.next<AES_128::BLOCK_SIZE - sizeof(i) - sizeof(j)>());
45 }
46
47 BOTAN_DEBUG_ASSERT(out_bs.full());
48
49 aes.encrypt(out);
50 };
51}
void encrypt(const uint8_t in[], uint8_t out[]) const
FrodoKEMMode mode() const
bool is_aes() const
Definition frodo_mode.h:61
void set_key(const OctetString &key)
Definition sym_algo.cpp:14
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736

References Botan::BufferStuffer::append(), Botan::Block_Cipher_Fixed_Params< 16, 16 >::BLOCK_SIZE, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, clear_mem(), Botan::BufferStuffer::full(), Botan::FrodoKEMMode::is_aes(), Botan::FrodoKEMConstants::mode(), Botan::FrodoKEMConstants::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::SymmetricAlgorithm::set_key(), and store_le().

◆ create_ec_private_key()

std::unique_ptr< Private_Key > Botan::create_ec_private_key ( std::string_view algo_name,
const EC_Group & group,
RandomNumberGenerator & rng )

Create a new ECC key

Definition at line 442 of file pk_algs.cpp.

444 {
445 // Potentially unused if all EC algorithms are disabled
446 BOTAN_UNUSED(alg_name, ec_group, rng);
447
448#if defined(BOTAN_HAS_ECDSA)
449 if(alg_name == "ECDSA") {
450 return std::make_unique<ECDSA_PrivateKey>(rng, ec_group);
451 }
452#endif
453
454#if defined(BOTAN_HAS_ECDH)
455 if(alg_name == "ECDH") {
456 return std::make_unique<ECDH_PrivateKey>(rng, ec_group);
457 }
458#endif
459
460#if defined(BOTAN_HAS_ECKCDSA)
461 if(alg_name == "ECKCDSA") {
462 return std::make_unique<ECKCDSA_PrivateKey>(rng, ec_group);
463 }
464#endif
465
466#if defined(BOTAN_HAS_GOST_34_10_2001)
467 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
468 return std::make_unique<GOST_3410_PrivateKey>(rng, ec_group);
469 }
470#endif
471
472#if defined(BOTAN_HAS_SM2)
473 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
474 return std::make_unique<SM2_PrivateKey>(rng, ec_group);
475 }
476#endif
477
478#if defined(BOTAN_HAS_ECGDSA)
479 if(alg_name == "ECGDSA") {
480 return std::make_unique<ECGDSA_PrivateKey>(rng, ec_group);
481 }
482#endif
483
484 return nullptr;
485}

References BOTAN_UNUSED.

Referenced by botan_ec_privkey_create(), and create_private_key().

◆ create_hex_fingerprint() [1/2]

std::string Botan::create_hex_fingerprint ( const uint8_t bits[],
size_t bits_len,
std::string_view hash_name )

Definition at line 38 of file pk_keys.cpp.

38 {
39 auto hash_fn = HashFunction::create_or_throw(hash_name);
40 const std::string hex_hash = hex_encode(hash_fn->process(bits, bits_len));
41
42 std::string fprint;
43
44 for(size_t i = 0; i != hex_hash.size(); i += 2) {
45 if(i != 0) {
46 fprint.push_back(':');
47 }
48
49 fprint.push_back(hex_hash[i]);
50 fprint.push_back(hex_hash[i + 1]);
51 }
52
53 return fprint;
54}
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:35

References Botan::HashFunction::create_or_throw(), and hex_encode().

Referenced by create_hex_fingerprint(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and Botan::Public_Key::fingerprint_public().

◆ create_hex_fingerprint() [2/2]

std::string Botan::create_hex_fingerprint ( std::span< const uint8_t > vec,
std::string_view hash_name )
inline

Definition at line 424 of file pk_keys.h.

424 {
425 return create_hex_fingerprint(vec.data(), vec.size(), hash_name);
426}
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:38

References create_hex_fingerprint().

◆ create_pk_from_sk()

BOTAN_TEST_API std::array< uint8_t, ED448_LEN > Botan::create_pk_from_sk ( std::span< const uint8_t, ED448_LEN > sk)

Create a public key point from a secret key (RFC 8032 5.2.5)

Definition at line 224 of file ed448_internal.cpp.

224 {
225 // 5.2.5. Key Generation
226 // The 57-byte public key is generated by the following steps:
227 auto shake_xof = SHAKE_256_XOF();
228 shake_xof.update(sk);
229
230 const Scalar448 s = scalar_from_xof(shake_xof);
231 // 3. Interpret the buffer as the little-endian integer, forming a
232 // secret scalar s. Perform a known-base-point scalar
233 // multiplication [s]B.
234 return (s * Ed448Point::base_point()).encode();
235}
static Ed448Point base_point()
Create the curve's base point ('B' in RFC 8032 5.2)
Representation of a scalar for X448.

References Botan::Ed448Point::base_point().

Referenced by Botan::Ed448_PrivateKey::Ed448_PrivateKey(), and Botan::Ed448_PrivateKey::Ed448_PrivateKey().

◆ create_private_key()

std::unique_ptr< Private_Key > Botan::create_private_key ( std::string_view algo_name,
RandomNumberGenerator & rng,
std::string_view algo_params = "",
std::string_view provider = "" )

Create a new key For ECC keys, algo_params specifies EC group (eg, "secp256r1") For DH/DSA/ElGamal keys, algo_params is DL group (eg, "modp/ietf/2048") For RSA, algo_params is integer keylength For McEliece, algo_params is n,t If algo_params is left empty, suitable default parameters are chosen.

Definition at line 487 of file pk_algs.cpp.

490 {
491 /*
492 * Default paramaters are chosen for work factor > 2**128 where possible
493 */
494
495#if defined(BOTAN_HAS_X25519)
496 if(alg_name == "X25519" || alg_name == "Curve25519") {
497 return std::make_unique<X25519_PrivateKey>(rng);
498 }
499#endif
500
501#if defined(BOTAN_HAS_X448)
502 if(alg_name == "X448") {
503 return std::make_unique<X448_PrivateKey>(rng);
504 }
505#endif
506
507#if defined(BOTAN_HAS_RSA)
508 if(alg_name == "RSA") {
509 const size_t modulus_bits = params.empty() ? 3072 : to_u32bit(params);
510 return std::make_unique<RSA_PrivateKey>(rng, modulus_bits);
511 }
512#endif
513
514#if defined(BOTAN_HAS_MCELIECE)
515 if(alg_name == "McEliece") {
516 const auto [n, t] = [&]() -> std::pair<size_t, size_t> {
517 if(params.empty()) {
518 return {2960, 57};
519 }
520
521 const auto mce_params = split_on(params, ',');
522
523 if(mce_params.size() != 2) {
524 throw Invalid_Argument(fmt("create_private_key: invalid McEliece parameters '{}'", params));
525 }
526
527 const size_t mce_n = to_u32bit(mce_params[0]);
528 const size_t mce_t = to_u32bit(mce_params[1]);
529 return {mce_n, mce_t};
530 }();
531
532 return std::make_unique<McEliece_PrivateKey>(rng, n, t);
533 }
534#endif
535#if defined(BOTAN_HAS_CLASSICMCELIECE)
536 if(alg_name == "ClassicMcEliece") {
537 auto cmce_params_set = params.empty() ? Classic_McEliece_Parameter_Set::ClassicMcEliece_6960119f
539 return std::make_unique<Classic_McEliece_PrivateKey>(rng, cmce_params_set);
540 }
541#endif
542
543#if defined(BOTAN_HAS_FRODOKEM)
544 if(alg_name == "FrodoKEM") {
545 const auto mode = params.empty() ? FrodoKEMMode::FrodoKEM976_SHAKE : FrodoKEMMode(params);
546 return std::make_unique<FrodoKEM_PrivateKey>(rng, mode);
547 }
548#endif
549
550#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
551 if(alg_name == "Kyber") {
552 const auto mode = [&]() -> KyberMode {
553 if(params.empty()) {
555 }
556 return KyberMode(params);
557 }();
558
559 return std::make_unique<Kyber_PrivateKey>(rng, mode);
560 }
561#endif
562
563#if defined(BOTAN_HAS_ML_KEM)
564 if(alg_name == "ML-KEM") {
565 const auto mode = [&]() -> ML_KEM_Mode {
566 if(params.empty()) {
568 }
569 return ML_KEM_Mode(params);
570 }();
571
572 return std::make_unique<ML_KEM_PrivateKey>(rng, mode);
573 }
574#endif
575
576#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
577 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
578 const auto mode = [&]() -> DilithiumMode {
579 if(params.empty()) {
581 }
582 return DilithiumMode(params);
583 }();
584
585 return std::make_unique<Dilithium_PrivateKey>(rng, mode);
586 }
587#endif
588
589#if defined(BOTAN_HAS_ML_DSA)
590 if(alg_name == "ML-DSA") {
591 const auto mode = [&]() -> ML_DSA_Mode {
592 if(params.empty()) {
594 }
595 return ML_DSA_Mode(params);
596 }();
597
598 return std::make_unique<ML_DSA_PrivateKey>(rng, mode);
599 }
600#endif
601
602#if defined(BOTAN_HAS_HSS_LMS)
603 if(alg_name == "HSS-LMS") {
604 const auto hss_params = [&]() -> std::string {
605 if(params.empty()) {
606 return "SHA-256,HW(10,1)";
607 } else {
608 return std::string(params);
609 }
610 }();
611 return std::make_unique<HSS_LMS_PrivateKey>(rng, hss_params);
612 }
613#endif
614
615#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
616 if(alg_name == "SPHINCS+" || alg_name == "SphincsPlus") {
617 auto sphincs_params = Sphincs_Parameters::create(params);
618
619 return std::make_unique<SphincsPlus_PrivateKey>(rng, sphincs_params);
620 }
621#endif
622
623#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
624 if(alg_name == "SLH-DSA") {
625 auto slh_dsa_params = SLH_DSA_Parameters::create(params);
626
627 return std::make_unique<SLH_DSA_PrivateKey>(rng, slh_dsa_params);
628 }
629#endif
630
631#if defined(BOTAN_HAS_XMSS_RFC8391)
632 if(alg_name == "XMSS") {
633 const auto xmss_oid = [&]() -> XMSS_Parameters::xmss_algorithm_t {
634 if(params.empty()) {
636 }
637 return XMSS_Parameters(params).oid();
638 }();
639
640 return std::make_unique<XMSS_PrivateKey>(xmss_oid, rng);
641 }
642#endif
643
644#if defined(BOTAN_HAS_ED25519)
645 if(alg_name == "Ed25519") {
646 return std::make_unique<Ed25519_PrivateKey>(rng);
647 }
648#endif
649
650#if defined(BOTAN_HAS_ED448)
651 if(alg_name == "Ed448") {
652 return std::make_unique<Ed448_PrivateKey>(rng);
653 }
654#endif
655
656 // ECC crypto
657#if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
658
659 if(alg_name == "ECDSA" || alg_name == "ECDH" || alg_name == "ECKCDSA" || alg_name == "ECGDSA" || alg_name == "SM2" ||
660 alg_name == "SM2_Sig" || alg_name == "SM2_Enc" || alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" ||
661 alg_name == "GOST-34.10-2012-512") {
662 const std::string group_id = [&]() -> std::string {
663 if(!params.empty()) {
664 return std::string(params);
665 }
666 if(alg_name == "SM2" || alg_name == "SM2_Enc" || alg_name == "SM2_Sig") {
667 return "sm2p256v1";
668 }
669 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256") {
670 return "gost_256A";
671 }
672 if(alg_name == "GOST-34.10-2012-512") {
673 return "gost_512A";
674 }
675 if(alg_name == "ECGDSA") {
676 return "brainpool256r1";
677 }
678 return "secp256r1";
679 }();
680
681 if(EC_Group::supports_named_group(group_id)) {
682 auto ec_group = EC_Group::from_name(group_id);
683 return create_ec_private_key(alg_name, ec_group, rng);
684 } else {
685 return {};
686 }
687 }
688#endif
689
690 // DL crypto
691#if defined(BOTAN_HAS_DL_GROUP)
692 if(alg_name == "DH" || alg_name == "DSA" || alg_name == "ElGamal") {
693 const std::string group_id = [&]() -> std::string {
694 if(!params.empty()) {
695 return std::string(params);
696 }
697 if(alg_name == "DSA") {
698 return "dsa/botan/2048";
699 }
700 return "modp/ietf/2048";
701 }();
702
703 auto modp_group = DL_Group::from_name(group_id);
704
705 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
706 if(alg_name == "DH") {
707 return std::make_unique<DH_PrivateKey>(rng, modp_group);
708 }
709 #endif
710
711 #if defined(BOTAN_HAS_DSA)
712 if(alg_name == "DSA") {
713 return std::make_unique<DSA_PrivateKey>(rng, modp_group);
714 }
715 #endif
716
717 #if defined(BOTAN_HAS_ELGAMAL)
718 if(alg_name == "ElGamal") {
719 return std::make_unique<ElGamal_PrivateKey>(rng, modp_group);
720 }
721 #endif
722 }
723#endif
724
725 BOTAN_UNUSED(alg_name, rng, params, provider);
726
727 return std::unique_ptr<Private_Key>();
728}
static Classic_McEliece_Parameter_Set from_string(std::string_view param_name)
Get the parameter set for a given parameter set name.
static DL_Group from_name(std::string_view name)
Definition dl_group.cpp:212
static EC_Group from_name(std::string_view name)
Definition ec_group.cpp:371
static bool supports_named_group(std::string_view name)
Definition ec_group.cpp:346
static Sphincs_Parameters create(Sphincs_Parameter_Set set, Sphincs_Hash_Type hash)
xmss_algorithm_t oid() const
DilithiumMode ML_DSA_Mode
Definition ml_dsa.h:21
KyberMode ML_KEM_Mode
Definition ml_kem.h:21
std::unique_ptr< Private_Key > create_ec_private_key(std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
Definition pk_algs.cpp:442

References BOTAN_UNUSED, Botan::Classic_McEliece_Parameter_Set::ClassicMcEliece_6960119f, Botan::Sphincs_Parameters::create(), create_ec_private_key(), Botan::DilithiumMode::Dilithium6x5, fmt(), Botan::FrodoKEMMode::FrodoKEM976_SHAKE, Botan::DL_Group::from_name(), Botan::EC_Group::from_name(), Botan::Classic_McEliece_Parameter_Set::from_string(), Botan::KyberMode::Kyber1024_R3, Botan::DilithiumMode::ML_DSA_6x5, Botan::KyberMode::ML_KEM_768, Botan::XMSS_Parameters::oid(), split_on(), Botan::EC_Group::supports_named_group(), to_u32bit(), and Botan::XMSS_Parameters::XMSS_SHA2_10_512.

Referenced by botan_privkey_create(), and Botan::TLS::Hybrid_KEM_PrivateKey::generate_from_group().

◆ create_shake_row_generator()

auto Botan::create_shake_row_generator ( const FrodoKEMConstants & constants,
StrongSpan< const FrodoSeedA > seed_a )
inline

Definition at line 23 of file frodo_shake_generator.h.

23 {
24 BOTAN_ASSERT_NOMSG(constants.mode().is_shake());
25
26 return [xof = SHAKE_128_XOF(), a = FrodoSeedA(seed_a)](std::span<uint8_t> out, uint16_t i) mutable {
27 xof.clear();
28 xof.update(store_le(i));
29 xof.update(a);
30 xof.output(out);
31 };
32}
bool is_shake() const
Definition frodo_mode.h:56
Strong< std::vector< uint8_t >, struct FrodoSeedA_ > FrodoSeedA
Definition frodo_types.h:23

References BOTAN_ASSERT_NOMSG, Botan::FrodoKEMMode::is_shake(), Botan::FrodoKEMConstants::mode(), and store_le().

◆ ct_compare_u8()

uint8_t Botan::ct_compare_u8 ( const uint8_t x[],
const uint8_t y[],
size_t len )

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
0xFF iff x[i] == y[i] forall i in [0...n) or 0x00 otherwise

Definition at line 13 of file mem_ops.cpp.

13 {
14 return CT::is_equal(x, y, len).value();
15}

References Botan::CT::is_equal().

◆ ct_divide() [1/2]

BigInt Botan::ct_divide ( const BigInt & x,
const BigInt & y )
inline

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
Returns
x/y with remainder discarded

Definition at line 63 of file divide.h.

63 {
64 BigInt q, r;
65 ct_divide(x, y, q, r);
66 return q;
67}
void ct_divide(const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:51

References ct_divide().

◆ ct_divide() [2/2]

BOTAN_TEST_API void Botan::ct_divide ( const BigInt & x,
const BigInt & y,
BigInt & q,
BigInt & r )

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 51 of file divide.cpp.

51 {
52 if(y.is_zero()) {
53 throw Invalid_Argument("ct_divide: cannot divide by zero");
54 }
55
56 const size_t x_words = x.sig_words();
57 const size_t y_words = y.sig_words();
58
59 const size_t x_bits = x.bits();
60
61 BigInt q = BigInt::with_capacity(x_words);
62 BigInt r = BigInt::with_capacity(y_words);
63 BigInt t = BigInt::with_capacity(y_words); // a temporary
64
65 for(size_t i = 0; i != x_bits; ++i) {
66 const size_t b = x_bits - 1 - i;
67 const bool x_b = x.get_bit(b);
68
69 r <<= 1;
70 r.conditionally_set_bit(0, x_b);
71
72 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
73
74 q.conditionally_set_bit(b, r_gte_y);
75 r.ct_cond_swap(r_gte_y, t);
76 }
77
78 sign_fixup(x, y, q, r);
79 r_out = r;
80 q_out = q;
81}
size_t sig_words() const
Definition bigint.h:615
size_t bits() const
Definition bigint.cpp:310
const word * _data() const
Definition bigint.h:936
bool is_zero() const
Definition bigint.h:457
bool get_bit(size_t n) const
Definition bigint.h:496
static BigInt with_capacity(size_t n)
Definition bigint.cpp:49

References Botan::BigInt::_data(), bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::get_bit(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().

Referenced by ct_divide(), Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), and lcm().

◆ ct_divide_pow2k()

BOTAN_TEST_API BigInt Botan::ct_divide_pow2k ( size_t k,
const BigInt & y )

BigInt division, const time variant, 2^k variant

This runs with control flow independent of the value of y. This function leaks the value of k and the length of y. If k < bits(y) this returns zero

Parameters
kan integer
ya positive integer
Returns
q equal to 2**k / y

Definition at line 83 of file divide.cpp.

83 {
84 BOTAN_ARG_CHECK(!y.is_zero(), "Cannot divide by zero");
85 BOTAN_ARG_CHECK(!y.is_negative(), "Negative divisor not supported");
86 BOTAN_ARG_CHECK(k > 1, "Invalid k");
87
88 const size_t x_bits = k + 1;
89 const size_t y_bits = y.bits();
90
91 if(x_bits < y_bits) {
92 return BigInt::zero();
93 }
94
95 BOTAN_ASSERT_NOMSG(y_bits >= 1);
96 const size_t x_words = (x_bits + WordInfo<word>::bits - 1) / WordInfo<word>::bits;
97 const size_t y_words = y.sig_words();
98
99 BigInt q = BigInt::with_capacity(x_words);
100 BigInt r = BigInt::with_capacity(y_words + 1);
101 BigInt t = BigInt::with_capacity(y_words + 1); // a temporary
102
103 r.set_bit(y_bits - 1);
104 for(size_t i = y_bits - 1; i != x_bits; ++i) {
105 const size_t b = x_bits - 1 - i;
106
107 if(i >= y_bits) {
108 bigint_shl1(r.mutable_data(), r.size(), r.size(), 1);
109 }
110
111 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
112
113 q.conditionally_set_bit(b, r_gte_y);
114
115 bigint_cnd_swap(static_cast<word>(r_gte_y), r.mutable_data(), t.mutable_data(), y_words + 1);
116 }
117
118 // No need for sign fixup
119
120 return q;
121}
static BigInt zero()
Definition bigint.h:49
bool is_negative() const
Definition bigint.h:559
constexpr void bigint_cnd_swap(W cnd, W x[], W y[], size_t size)
Definition mp_core.h:31
constexpr void bigint_shl1(W x[], size_t x_size, size_t x_words, size_t shift)
Definition mp_core.h:426

References Botan::BigInt::_data(), bigint_cnd_swap(), bigint_shl1(), bigint_sub3(), Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BigInt::conditionally_set_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::set_bit(), Botan::BigInt::sig_words(), Botan::BigInt::size(), Botan::BigInt::with_capacity(), and Botan::BigInt::zero().

Referenced by Botan::Barrett_Reduction::for_secret_modulus().

◆ ct_divide_word() [1/2]

BigInt Botan::ct_divide_word ( const BigInt & x,
word y )

Constant time division

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xan integer
ya non-zero word
Returns
quotient floor(x / y)

Definition at line 160 of file divide.cpp.

160 {
161 BigInt q;
162 word r;
163 ct_divide_word(x, y, q, r);
164 BOTAN_UNUSED(r);
165 return q;
166}

References BOTAN_UNUSED, and ct_divide_word().

◆ ct_divide_word() [2/2]

BOTAN_TEST_API void Botan::ct_divide_word ( const BigInt & x,
word y,
BigInt & q,
word & r )

Constant time division

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 123 of file divide.cpp.

123 {
124 if(y == 0) {
125 throw Invalid_Argument("ct_divide_word: cannot divide by zero");
126 }
127
128 const size_t x_words = x.sig_words();
129 const size_t x_bits = x.bits();
130
131 BigInt q = BigInt::with_capacity(x_words);
132 word r = 0;
133
134 for(size_t i = 0; i != x_bits; ++i) {
135 const size_t b = x_bits - 1 - i;
136 const bool x_b = x.get_bit(b);
137
138 const auto r_carry = CT::Mask<word>::expand_top_bit(r);
139
140 r <<= 1;
141 r += x_b;
142
143 const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
144 q.conditionally_set_bit(b, r_gte_y.as_bool());
145 r = r_gte_y.select(r - y, r);
146 }
147
148 if(x.is_negative()) {
149 q.flip_sign();
150 if(r != 0) {
151 --q;
152 r = y - r;
153 }
154 }
155
156 r_out = r;
157 q_out = q;
158}
static constexpr Mask< T > is_gte(T x, T y)
Definition ct_utils.h:480
static constexpr Mask< T > expand_top_bit(T v)
Definition ct_utils.h:427

References Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::CT::Mask< T >::expand_top_bit(), Botan::BigInt::flip_sign(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), Botan::BigInt::is_negative(), Botan::BigInt::sig_words(), and Botan::BigInt::with_capacity().

Referenced by compute_rsa_secret_exponent(), ct_divide_word(), operator/(), and Botan::BigInt::to_dec_string().

◆ ct_is_zero()

template<typename T>
requires (std::is_integral<T>::value)
T Botan::ct_is_zero ( T x)
inlineconstexpr

If arg is zero, return ~0. Otherwise return 0

Definition at line 36 of file bit_ops.h.

38{
39 return expand_top_bit<T>(~x & (x - 1));
40}
constexpr T expand_top_bit(T a)
Definition bit_ops.h:26

References expand_top_bit().

Referenced by ctz(), Botan::CT::Choice::from_int(), high_bit(), Botan::CT::Mask< T >::is_zero(), prefetch_array_raw(), and significant_bytes().

◆ ct_mod_word()

BOTAN_TEST_API word Botan::ct_mod_word ( const BigInt & x,
word y )

BigInt word modulo, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xa positive integer
ya non-zero word
Returns
r the remainder of x divided by y

Definition at line 168 of file divide.cpp.

168 {
169 BOTAN_ARG_CHECK(x.is_positive(), "The argument x must be positive");
170 BOTAN_ARG_CHECK(y != 0, "Cannot divide by zero");
171
172 const size_t x_bits = x.bits();
173
174 word r = 0;
175
176 for(size_t i = 0; i != x_bits; ++i) {
177 const size_t b = x_bits - 1 - i;
178 const bool x_b = x.get_bit(b);
179
180 const auto r_carry = CT::Mask<word>::expand_top_bit(r);
181
182 r <<= 1;
183 r += x_b;
184
185 const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
186 r = r_gte_y.select(r - y, r);
187 }
188
189 return r;
190}
bool is_positive() const
Definition bigint.h:565

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, Botan::CT::Mask< T >::expand_top_bit(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), and Botan::BigInt::is_positive().

Referenced by compute_rsa_secret_exponent().

◆ ct_modulo()

BOTAN_TEST_API BigInt Botan::ct_modulo ( const BigInt & x,
const BigInt & modulo )

BigInt modulo, const time variant

Using this function is (slightly) cheaper than calling ct_divide and using only the remainder.

Parameters
xa non-negative integer
moduloa positive integer
Returns
result x % modulo

Definition at line 192 of file divide.cpp.

192 {
193 if(y.is_negative() || y.is_zero()) {
194 throw Invalid_Argument("ct_modulo requires y > 0");
195 }
196
197 const size_t y_words = y.sig_words();
198
199 const size_t x_bits = x.bits();
200
201 BigInt r = BigInt::with_capacity(y_words);
202 BigInt t = BigInt::with_capacity(y_words);
203
204 for(size_t i = 0; i != x_bits; ++i) {
205 const size_t b = x_bits - 1 - i;
206 const bool x_b = x.get_bit(b);
207
208 r <<= 1;
209 r.conditionally_set_bit(0, x_b);
210
211 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
212
213 r.ct_cond_swap(r_gte_y, t);
214 }
215
216 if(x.is_negative()) {
217 if(r.is_nonzero()) {
218 r = y - r;
219 }
220 }
221
222 return r;
223}

References Botan::BigInt::_data(), bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().

Referenced by Botan::RSA_PrivateKey::check_key(), Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), inverse_mod(), inverse_mod_general(), power_mod(), Botan::Modular_Reducer::reduce(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ ct_popcount()

template<std::unsigned_integral T>
uint8_t Botan::ct_popcount ( T x)
inlineconstexpr

Calculates the number of 1-bits in an unsigned integer in constant-time. This operation is also known as "population count" or hamming weight.

Modern compilers will recognize this pattern and replace it by a hardware instruction, if available. This is the SWAR (SIMD within a register) algorithm. See: https://nimrod.blog/posts/algorithms-behind-popcount/#swar-algorithm

Note: C++20 provides std::popcount(), but there's no guarantee that this is implemented in constant-time.

Parameters
xan unsigned integer
Returns
the number of 1-bits in the provided value

Definition at line 261 of file bit_ops.h.

261 {
262 constexpr size_t s = sizeof(T);
263 static_assert(s <= 8, "T is not a suitable unsigned integer value");
264 if constexpr(s == 8) {
265 x = x - ((x >> 1) & 0x5555555555555555);
266 x = (x & 0x3333333333333333) + ((x >> 2) & 0x3333333333333333);
267 x = (x + (x >> 4)) & 0xF0F0F0F0F0F0F0F;
268 return (x * 0x101010101010101) >> 56;
269 } else if constexpr(s == 4) {
270 x = x - ((x >> 1) & 0x55555555);
271 x = (x & 0x33333333) + ((x >> 2) & 0x33333333);
272 x = (x + (x >> 4)) & 0x0F0F0F0F;
273 return (x * 0x01010101) >> 24;
274 } else {
275 // s < 4
276 return ct_popcount(static_cast<uint32_t>(x));
277 }
278}
constexpr uint8_t ct_popcount(T x)
Definition bit_ops.h:261

References ct_popcount().

Referenced by ct_popcount(), and Botan::bitvector_base< secure_allocator >::hamming_weight().

◆ ct_reverse_bits()

template<std::unsigned_integral T>
T Botan::ct_reverse_bits ( T b)
constexpr
Returns
the reversed bits in b.

Definition at line 227 of file bit_ops.h.

227 {
228 auto extend = [](uint8_t m) -> T {
229 T mask = 0;
230 for(size_t i = 0; i < sizeof(T); ++i) {
231 mask |= T(m) << i * 8;
232 }
233 return mask;
234 };
235
236 // First reverse bits in each byte...
237 // From: https://stackoverflow.com/a/2602885
238 b = (b & extend(0xF0)) >> 4 | (b & extend(0x0F)) << 4;
239 b = (b & extend(0xCC)) >> 2 | (b & extend(0x33)) << 2;
240 b = (b & extend(0xAA)) >> 1 | (b & extend(0x55)) << 1;
241
242 // ... then swap the bytes
243 return reverse_bytes(b);
244}
constexpr T reverse_bytes(T x)
Definition bswap.h:27

References reverse_bytes().

◆ ctz()

template<typename T>
requires (std::is_integral<T>::value)
size_t Botan::ctz ( T n)
inlineconstexpr

Count the trailing zero bits in n

Parameters
nan integer value
Returns
maximum x st 2^x divides n

Definition at line 105 of file bit_ops.h.

107{
108 /*
109 * If n == 0 then this function will compute 8*sizeof(T)-1, so
110 * initialize lb to 1 if n == 0 to produce the expected result.
111 */
112 size_t lb = ct_is_zero(n) & 1;
113
114 for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) {
115 const T mask = (static_cast<T>(1) << s) - 1;
116 const size_t z = s * (ct_is_zero(n & mask) & 1);
117 lb += z;
118 n >>= z;
119 }
120
121 return lb;
122}
constexpr T ct_is_zero(T x)
Definition bit_ops.h:36

References ct_is_zero().

Referenced by low_zero_bits(), and var_ctz32().

◆ curve25519_basepoint()

void Botan::curve25519_basepoint ( uint8_t mypublic[32],
const uint8_t secret[32] )

Exponentiate by the x25519 base point

Parameters
mypublicoutput value
secretrandom scalar

Definition at line 19 of file x25519.cpp.

19 {
20 const uint8_t basepoint[32] = {9};
21 curve25519_donna(mypublic, secret, basepoint);
22}
void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
Definition donna.cpp:454

References curve25519_donna().

Referenced by Botan::X25519_PrivateKey::check_key(), Botan::Sodium::crypto_scalarmult_curve25519_base(), Botan::X25519_PrivateKey::X25519_PrivateKey(), Botan::X25519_PrivateKey::X25519_PrivateKey(), and Botan::X25519_PrivateKey::X25519_PrivateKey().

◆ curve25519_donna()

void Botan::curve25519_donna ( uint8_t mypublic[32],
const uint8_t secret[32],
const uint8_t basepoint[32] )

Definition at line 454 of file donna.cpp.

454 {
455 CT::poison(secret, 32);
456 CT::poison(basepoint, 32);
457
458 uint64_t bp[5], x[5], z[5], zmone[5];
459 uint8_t e[32];
460
461 copy_mem(e, secret, 32);
462 e[0] &= 248;
463 e[31] &= 127;
464 e[31] |= 64;
465
466 fexpand(bp, basepoint);
467 cmult(x, z, e, bp);
468 crecip(zmone, z);
469 fmul(z, x, zmone);
470 fcontract(mypublic, z);
471
472 CT::unpoison(secret, 32);
473 CT::unpoison(basepoint, 32);
474 CT::unpoison(mypublic, 32);
475}

References copy_mem(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by Botan::Sodium::crypto_scalarmult_curve25519(), and curve25519_basepoint().

◆ dbl_a_minus_3()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_a_minus_3 ( const ProjectivePoint & pt)
inlineconstexpr

Definition at line 309 of file pcurves_algos.h.

309 {
310 /*
311 if a == -3 then
312 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2)
313 */
314 const auto z2 = pt.z().square();
315 const auto m = (pt.x() - z2).mul3() * (pt.x() + z2);
316
317 // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8
318 const auto y2 = pt.y().square();
319 const auto s = pt.x().mul4() * y2;
320 const auto nx = m.square() - s.mul2();
321 const auto ny = m * (s - nx) - y2.square().mul8();
322 const auto nz = pt.y().mul2() * pt.z();
323
324 return ProjectivePoint(nx, ny, nz);
325}

◆ dbl_a_zero()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_a_zero ( const ProjectivePoint & pt)
inlineconstexpr

Definition at line 328 of file pcurves_algos.h.

328 {
329 // If a == 0 then 3*x^2 + a*z^4 == 3*x^2
330 // Cost: 1S + 1*3
331 const auto m = pt.x().square().mul3();
332
333 // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8
334 const auto y2 = pt.y().square();
335 const auto s = pt.x().mul4() * y2;
336 const auto nx = m.square() - s.mul2();
337 const auto ny = m * (s - nx) - y2.square().mul8();
338 const auto nz = pt.y().mul2() * pt.z();
339
340 return ProjectivePoint(nx, ny, nz);
341}

◆ dbl_generic()

template<typename ProjectivePoint, typename FieldElement>
ProjectivePoint Botan::dbl_generic ( const ProjectivePoint & pt,
const FieldElement & A )
inlineconstexpr

Definition at line 344 of file pcurves_algos.h.

344 {
345 // Cost: 1M + 3S + 1A + 1*3
346 const auto z2 = pt.z().square();
347 const auto m = pt.x().square().mul3() + A * z2.square();
348
349 // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8
350 const auto y2 = pt.y().square();
351 const auto s = pt.x().mul4() * y2;
352 const auto nx = m.square() - s.mul2();
353 const auto ny = m * (s - nx) - y2.square().mul8();
354 const auto nz = pt.y().mul2() * pt.z();
355
356 return ProjectivePoint(nx, ny, nz);
357}

◆ dbl_n_a_minus_3()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_n_a_minus_3 ( const ProjectivePoint & pt,
size_t n )
inlineconstexpr

Definition at line 377 of file pcurves_algos.h.

377 {
378 auto nx = pt.x();
379 auto ny = pt.y().mul2();
380 auto nz = pt.z();
381 auto w = nz.square().square();
382
383 while(n > 0) {
384 const auto ny2 = ny.square();
385 const auto ny4 = ny2.square();
386 const auto t1 = (nx.square() - w).mul3();
387 const auto t2 = nx * ny2;
388 nx = t1.square() - t2.mul2();
389 nz *= ny;
390 ny = t1 * (t2 - nx).mul2() - ny4;
391 n--;
392 if(n > 0) {
393 w *= ny4;
394 }
395 }
396 return ProjectivePoint(nx, ny.div2(), nz);
397}

◆ dbl_n_a_zero()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_n_a_zero ( const ProjectivePoint & pt,
size_t n )
inlineconstexpr

Definition at line 400 of file pcurves_algos.h.

400 {
401 auto nx = pt.x();
402 auto ny = pt.y().mul2();
403 auto nz = pt.z();
404
405 while(n > 0) {
406 const auto ny2 = ny.square();
407 const auto ny4 = ny2.square();
408 const auto t1 = nx.square().mul3();
409 const auto t2 = nx * ny2;
410 nx = t1.square() - t2.mul2();
411 nz *= ny;
412 ny = t1 * (t2 - nx).mul2() - ny4;
413 n--;
414 }
415 return ProjectivePoint(nx, ny.div2(), nz);
416}

◆ dbl_n_generic()

template<typename ProjectivePoint, typename FieldElement>
ProjectivePoint Botan::dbl_n_generic ( const ProjectivePoint & pt,
const FieldElement & A,
size_t n )
inlineconstexpr

Definition at line 419 of file pcurves_algos.h.

419 {
420 auto nx = pt.x();
421 auto ny = pt.y().mul2();
422 auto nz = pt.z();
423 auto w = nz.square().square() * A;
424
425 while(n > 0) {
426 const auto ny2 = ny.square();
427 const auto ny4 = ny2.square();
428 const auto t1 = nx.square().mul3() + w;
429 const auto t2 = nx * ny2;
430 nx = t1.square() - t2.mul2();
431 nz *= ny;
432 ny = t1 * (t2 - nx).mul2() - ny4;
433 n--;
434 if(n > 0) {
435 w *= ny4;
436 }
437 }
438 return ProjectivePoint(nx, ny.div2(), nz);
439}

◆ deallocate_memory()

void Botan::deallocate_memory ( void * p,
size_t elems,
size_t elem_size )

Free a pointer returned by allocate_memory

Parameters
pthe pointer returned by allocate_memory
elemsthe number of elements, as passed to allocate_memory
elem_sizethe size of each element, as passed to allocate_memory

Definition at line 48 of file allocator.cpp.

48 {
49 if(p == nullptr) {
50 [[unlikely]] return;
51 }
52
53 secure_scrub_memory(p, elems * elem_size);
54
55#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
56 if(mlock_allocator::instance().deallocate(p, elems, elem_size)) {
57 return;
58 }
59#endif
60
61 std::free(p); // NOLINT(*-no-malloc)
62}
void secure_scrub_memory(void *ptr, size_t n)
Definition mem_utils.cpp:24

References Botan::mlock_allocator::instance(), and secure_scrub_memory().

Referenced by Botan::secure_allocator< T >::deallocate().

◆ decode_gf2m()

gf2m Botan::decode_gf2m ( const uint8_t * mem)

Definition at line 101 of file gf2m_small_m.cpp.

101 {
102 gf2m result;
103 result = mem[0] << 8;
104 result |= mem[1];
105 return result;
106}
uint16_t gf2m

Referenced by Botan::polyn_gf2m::polyn_gf2m().

◆ decode_point()

Point448 Botan::decode_point ( std::span< const uint8_t > p_bytes)

Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate)

Definition at line 25 of file x448_internal.cpp.

25 {
26 BOTAN_ARG_CHECK(p_bytes.size() == X448_LEN, "Invalid size for X448 point");
27 return typecast_copy<Point448>(p_bytes);
28}
constexpr void typecast_copy(ToR &&out, FromR &&in)
Definition mem_ops.h:181
constexpr size_t X448_LEN

References BOTAN_ARG_CHECK, typecast_copy(), and X448_LEN.

◆ decode_scalar()

ScalarX448 Botan::decode_scalar ( std::span< const uint8_t > scalar_bytes)

Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448)

Definition at line 30 of file x448_internal.cpp.

30 {
31 BOTAN_ARG_CHECK(scalar_bytes.size() == X448_LEN, "Invalid size for X448 scalar");
32 auto buf = typecast_copy<ScalarX448>(scalar_bytes);
33
34 buf[0] &= 0xfc;
35 buf[55] |= 0x80;
36
37 return buf;
38}

References BOTAN_ARG_CHECK, typecast_copy(), and X448_LEN.

◆ dl_exponent_size()

size_t BOTAN_TEST_API Botan::dl_exponent_size ( size_t prime_group_size)

Return the appropriate exponent size to use for a particular prime group. This is twice the size of the estimated cost of breaking the key using an index calculus attack; the assumption is that if an arbitrary discrete log on a group of size bits would take about 2^n effort, and thus using an exponent of size 2^(2*n) implies that all available attacks are about as easy (as e.g Pollard's kangaroo algorithm can compute the DL in sqrt(x) operations) while minimizing the exponent size for performance reasons.

Definition at line 51 of file workfactor.cpp.

51 {
52 if(bits == 0) {
53 return 0;
54 }
55 if(bits <= 256) {
56 return bits - 1;
57 }
58 if(bits <= 1024) {
59 return 192;
60 }
61 if(bits <= 1536) {
62 return 224;
63 }
64 if(bits <= 2048) {
65 return 256;
66 }
67 if(bits <= 4096) {
68 return 384;
69 }
70 return 512;
71}

Referenced by Botan::DL_Group::DL_Group().

◆ dl_work_factor()

size_t BOTAN_TEST_API Botan::dl_work_factor ( size_t prime_group_size)

Estimate work factor for discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 46 of file workfactor.cpp.

46 {
47 // Lacking better estimates...
48 return if_work_factor(bits);
49}
size_t if_work_factor(size_t bits)

References if_work_factor().

◆ do_throw_error()

template<typename E, typename... Args>
void Botan::do_throw_error ( const char * file,
int line,
const char * func,
Args... args )
inline

Definition at line 342 of file exceptn.h.

342 {
343 throw E(file, line, func, args...);
344}

◆ ecp_work_factor()

size_t Botan::ecp_work_factor ( size_t prime_group_size)

Estimate work factor for EC discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 14 of file workfactor.cpp.

14 {
15 return bits / 2;
16}

Referenced by Botan::EC_PublicKey::estimated_strength().

◆ ed25519_gen_keypair() [1/2]

void Botan::ed25519_gen_keypair ( uint8_t * pk,
uint8_t * sk,
const uint8_t seed[32] )

Definition at line 20 of file ed25519.cpp.

20 {
21 uint8_t az[64];
22
23 SHA_512 sha;
24 sha.update(seed, 32);
25 sha.final(az);
26 az[0] &= 248;
27 az[31] &= 63;
28 az[31] |= 64;
29
30 ge_scalarmult_base(pk, az);
31
32 // todo copy_mem
33 copy_mem(sk, seed, 32);
34 copy_mem(sk + 32, pk, 32);
35}
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:34
void final(uint8_t out[])
Definition buf_comp.h:69
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32])
Definition ge.cpp:2043

References copy_mem(), Botan::Buffered_Computation::final(), ge_scalarmult_base(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_seed_keypair(), ed25519_gen_keypair(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), and Botan::Ed25519_PrivateKey::Ed25519_PrivateKey().

◆ ed25519_gen_keypair() [2/2]

void Botan::ed25519_gen_keypair ( uint8_t pk[32],
uint8_t sk[64],
const uint8_t seed[32] )

◆ ed25519_sign()

void Botan::ed25519_sign ( uint8_t sig[64],
const uint8_t m[],
size_t mlen,
const uint8_t sk[64],
const uint8_t domain_sep[],
size_t domain_sep_len )

Definition at line 37 of file ed25519.cpp.

42 {
43 uint8_t az[64];
44 uint8_t nonce[64];
45 uint8_t hram[64];
46
47 SHA_512 sha;
48
49 sha.update(sk, 32);
50 sha.final(az);
51 az[0] &= 248;
52 az[31] &= 63;
53 az[31] |= 64;
54
55 sha.update(domain_sep, domain_sep_len);
56 sha.update(az + 32, 32);
57 sha.update(m, mlen);
58 sha.final(nonce);
59
60 sc_reduce(nonce);
61 ge_scalarmult_base(sig, nonce);
62
63 sha.update(domain_sep, domain_sep_len);
64 sha.update(sig, 32);
65 sha.update(sk + 32, 32);
66 sha.update(m, mlen);
67 sha.final(hram);
68
69 sc_reduce(hram);
70 sc_muladd(sig + 32, hram, az, nonce);
71}
void sc_reduce(uint8_t *)
Definition sc_reduce.cpp:25
void sc_muladd(uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
Definition sc_muladd.cpp:26

References Botan::Buffered_Computation::final(), ge_scalarmult_base(), sc_muladd(), sc_reduce(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_detached(), and ed25519_gen_keypair().

◆ ed25519_verify() [1/2]

bool Botan::ed25519_verify ( const uint8_t * m,
size_t mlen,
const uint8_t sig[64],
const uint8_t * pk,
const uint8_t domain_sep[],
size_t domain_sep_len )

Definition at line 73 of file ed25519.cpp.

78 {
79 uint8_t h[64];
80 uint8_t rcheck[32];
81 ge_p3 A;
82 SHA_512 sha;
83
84 if(sig[63] & 224) {
85 return false;
86 }
87 if(ge_frombytes_negate_vartime(&A, pk) != 0) {
88 return false;
89 }
90
91 const uint64_t CURVE25519_ORDER[4] = {
92 0x1000000000000000,
93 0x0000000000000000,
94 0x14def9dea2f79cd6,
95 0x5812631a5cf5d3ed,
96 };
97
98 const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3),
99 load_le<uint64_t>(sig + 32, 2),
100 load_le<uint64_t>(sig + 32, 1),
101 load_le<uint64_t>(sig + 32, 0)};
102
103 // RFC 8032 adds the requirement that we verify that s < order in
104 // the signature; this did not exist in the original Ed25519 spec.
105 for(size_t i = 0; i != 4; ++i) {
106 if(s[i] > CURVE25519_ORDER[i]) {
107 return false;
108 }
109 if(s[i] < CURVE25519_ORDER[i]) {
110 break;
111 }
112 if(i == 3) { // here s == order
113 return false;
114 }
115 }
116
117 sha.update(domain_sep, domain_sep_len);
118 sha.update(sig, 32);
119 sha.update(pk, 32);
120 sha.update(m, mlen);
121 sha.final(h);
122 sc_reduce(h);
123
124 ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);
125
126 return CT::is_equal(rcheck, sig, 32).as_bool();
127}
int ge_frombytes_negate_vartime(ge_p3 *v, const uint8_t *)
Definition ge.cpp:425
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495
void ge_double_scalarmult_vartime(uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])

References Botan::Buffered_Computation::final(), ge_double_scalarmult_vartime(), ge_frombytes_negate_vartime(), Botan::CT::is_equal(), load_le(), sc_reduce(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_verify_detached(), and ed25519_verify().

◆ ed25519_verify() [2/2]

bool Botan::ed25519_verify ( const uint8_t msg[],
size_t msg_len,
const uint8_t sig[64],
const uint8_t pk[32],
const uint8_t domain_sep[],
size_t domain_sep_len )

References ed25519_verify().

◆ encode_gf2m()

uint32_t Botan::encode_gf2m ( gf2m to_enc,
uint8_t * mem )

Definition at line 95 of file gf2m_small_m.cpp.

95 {
96 mem[0] = to_enc >> 8;
97 mem[1] = to_enc & 0xFF;
98 return sizeof(to_enc);
99}

◆ encode_point()

secure_vector< uint8_t > Botan::encode_point ( const Point448 & p)

Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate)

Definition at line 21 of file x448_internal.cpp.

21 {
22 return {p.begin(), p.end()};
23}
decltype(auto) begin() noexcept(noexcept(this->get().begin()))
Definition strong_type.h:91
decltype(auto) end() noexcept(noexcept(this->get().end()))
Definition strong_type.h:95

References Botan::detail::Container_Strong_Adapter_Base< T >::begin(), and Botan::detail::Container_Strong_Adapter_Base< T >::end().

◆ esdm_rng()

RandomNumberGenerator & Botan::esdm_rng ( )

Return a shared reference to a global PRNG instance provided by ESDM

Definition at line 99 of file esdm_rng.cpp.

99 {
100 static ESDM_RNG g_esdm_rng;
101 return g_esdm_rng;
102}

◆ expand_mask_16bit()

template<typename T>
uint16_t Botan::expand_mask_16bit ( T tst)

Expand an input to a bit mask depending on it being being zero or non-zero

Parameters
tstthe input
Returns
the mask 0xFFFF if tst is non-zero and 0 otherwise

Definition at line 25 of file code_based_util.h.

25 {
26 const uint16_t result = (tst != 0);
27 return ~(result - 1);
28}

Referenced by Botan::polyn_gf2m::calc_degree_secure(), Botan::polyn_gf2m::eea_with_coefficients(), and Botan::polyn_gf2m::patchup_deg_secure().

◆ expand_message_xmd() [1/2]

void BOTAN_TEST_API Botan::expand_message_xmd ( std::string_view hash_fn,
std::span< uint8_t > output,
std::span< const uint8_t > input,
std::span< const uint8_t > domain_sep )

XMD hash function from RFC 9380

This is only used internally to implement hash2curve so is not exposed to end users.

Definition at line 17 of file xmd.cpp.

20 {
21 if(domain_sep.size() > 0xFF) {
22 // RFC 9380 has a specification for handling this
23 throw Not_Implemented("XMD does not currently implement oversize DST handling");
24 }
25
26 const uint8_t domain_sep_len = static_cast<uint8_t>(domain_sep.size());
27
28 auto hash = HashFunction::create_or_throw(hash_fn);
29 const size_t block_size = hash->hash_block_size();
30 if(block_size == 0) {
31 throw Invalid_Argument(fmt("expand_message_xmd cannot be used with {}", hash_fn));
32 }
33
34 const size_t hash_output_size = hash->output_length();
35 if(output.size() > 255 * hash_output_size || output.size() > 0xFFFF) {
36 throw Invalid_Argument("expand_message_xmd requested output length too long");
37 }
38
39 // Compute b_0 = H(msg_prime) = H(Z_pad || msg || l_i_b_str || 0x00 || DST_prime)
40
41 hash->update(std::vector<uint8_t>(block_size));
42 hash->update(input);
43 hash->update_be(static_cast<uint16_t>(output.size()));
44 hash->update(0x00);
45 hash->update(domain_sep);
46 hash->update(domain_sep_len);
47
48 const secure_vector<uint8_t> b_0 = hash->final();
49
50 // Compute b_1 = H(b_0 || 0x01 || DST_prime)
51
52 hash->update(b_0);
53 hash->update(0x01);
54 hash->update(domain_sep);
55 hash->update(domain_sep_len);
56
57 secure_vector<uint8_t> b_i = hash->final();
58
59 uint8_t cnt = 2;
60 for(;;) {
61 const size_t produced = std::min(output.size(), hash_output_size);
62
63 copy_mem(&output[0], b_i.data(), produced);
64 output = output.subspan(produced);
65
66 if(output.empty()) {
67 break;
68 }
69
70 // Now compute the next b_i if needed
71
72 b_i ^= b_0;
73 hash->update(b_i);
74 hash->update(cnt);
75 hash->update(domain_sep);
76 hash->update(domain_sep_len);
77 hash->final(b_i);
78 cnt += 1;
79 }
80}

References copy_mem(), Botan::HashFunction::create_or_throw(), and fmt().

Referenced by expand_message_xmd().

◆ expand_message_xmd() [2/2]

void Botan::expand_message_xmd ( std::string_view hash_fn,
std::span< uint8_t > output,
std::string_view input_str,
std::string_view domain_sep_str )
inline

Definition at line 27 of file xmd.h.

30 {
31 std::span<const uint8_t> input(reinterpret_cast<const uint8_t*>(input_str.data()), input_str.size());
32
33 std::span<const uint8_t> domain_sep(reinterpret_cast<const uint8_t*>(domain_sep_str.data()), domain_sep_str.size());
34
35 expand_message_xmd(hash_fn, output, input, domain_sep);
36}
void expand_message_xmd(std::string_view hash_fn, std::span< uint8_t > output, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep)
Definition xmd.cpp:17

References expand_message_xmd().

◆ expand_top_bit()

template<typename T>
requires (std::is_integral<T>::value)
T Botan::expand_top_bit ( T a)
inlineconstexpr

If top bit of arg is set, return ~0. Otherwise return 0.

Definition at line 26 of file bit_ops.h.

28{
29 return static_cast<T>(0) - (a >> (sizeof(T) * 8 - 1));
30}

Referenced by ct_is_zero(), and Botan::CT::Mask< T >::expand_top_bit().

◆ extended_euclidean_algorithm()

template<std::integral T>
eea_result< T > Botan::extended_euclidean_algorithm ( T a,
T b )
consteval

Run the extended Euclidean algorithm to find the greatest common divisor of a and b and the Bézout coefficients, u and v.

Definition at line 69 of file pqcrystals_helpers.h.

69 {
70 if(a > b) {
71 std::swap(a, b);
72 }
73
74 T u1 = 0, v1 = 1, u2 = 1, v2 = 0;
75
76 if(a != b) {
77 while(a != 0) {
78 const T q = b / a;
79 std::tie(a, b) = std::make_tuple(static_cast<T>(b - q * a), a);
80 std::tie(u1, v1, u2, v2) = std::make_tuple(u2, v2, static_cast<T>(u1 - q * u2), static_cast<T>(v1 - q * v2));
81 }
82 }
83
84 return {.gcd = b, .u = u1, .v = v1};
85}

Referenced by modular_inverse().

◆ fe_0()

void Botan::fe_0 ( FE_25519 & x)
inline

Definition at line 168 of file ed25519_fe.h.

168 {
169 x = FE_25519();
170}

◆ fe_1()

void Botan::fe_1 ( FE_25519 & x)
inline

Definition at line 172 of file ed25519_fe.h.

172 {
173 x = FE_25519(1);
174}

Referenced by ge_frombytes_negate_vartime().

◆ fe_add()

void Botan::fe_add ( FE_25519 & x,
const FE_25519 & a,
const FE_25519 & b )
inline

Definition at line 176 of file ed25519_fe.h.

176 {
177 x = FE_25519::add(a, b);
178}
static FE_25519 add(const FE_25519 &a, const FE_25519 &b)
Definition ed25519_fe.h:98

References Botan::FE_25519::add().

Referenced by ge_frombytes_negate_vartime().

◆ fe_copy()

void Botan::fe_copy ( FE_25519 & a,
const FE_25519 & b )
inline

Definition at line 156 of file ed25519_fe.h.

156 {
157 a = b;
158}

◆ fe_frombytes()

void Botan::fe_frombytes ( FE_25519 & x,
const uint8_t * b )
inline

Definition at line 148 of file ed25519_fe.h.

148 {
149 x.from_bytes(b);
150}
void from_bytes(const uint8_t b[32])

References Botan::FE_25519::from_bytes().

Referenced by ge_frombytes_negate_vartime().

◆ fe_invert()

void Botan::fe_invert ( FE_25519 & x,
const FE_25519 & z )
inline

Definition at line 204 of file ed25519_fe.h.

204 {
205 x = FE_25519::invert(z);
206}
static FE_25519 invert(const FE_25519 &a)

References Botan::FE_25519::invert().

◆ fe_isnegative()

int Botan::fe_isnegative ( const FE_25519 & x)
inline

Definition at line 164 of file ed25519_fe.h.

164 {
165 return x.is_negative();
166}
bool is_negative() const
Definition ed25519_fe.h:91

References Botan::FE_25519::is_negative().

Referenced by ge_frombytes_negate_vartime().

◆ fe_isnonzero()

int Botan::fe_isnonzero ( const FE_25519 & x)
inline

Definition at line 160 of file ed25519_fe.h.

160 {
161 return x.is_zero() ? 0 : 1;
162}
bool is_zero() const
Definition ed25519_fe.h:75

References Botan::FE_25519::is_zero().

Referenced by ge_frombytes_negate_vartime().

◆ fe_mul()

◆ fe_neg()

void Botan::fe_neg ( FE_25519 & x,
const FE_25519 & z )
inline

Definition at line 184 of file ed25519_fe.h.

184 {
185 x = FE_25519::negate(z);
186}
static FE_25519 negate(const FE_25519 &a)
Definition ed25519_fe.h:114

References Botan::FE_25519::negate().

Referenced by ge_frombytes_negate_vartime().

◆ fe_pow22523()

void Botan::fe_pow22523 ( FE_25519 & x,
const FE_25519 & y )
inline

Definition at line 208 of file ed25519_fe.h.

208 {
209 x = FE_25519::pow_22523(y);
210}
static FE_25519 pow_22523(const FE_25519 &a)

References Botan::FE_25519::pow_22523().

Referenced by ge_frombytes_negate_vartime().

◆ fe_sq()

void Botan::fe_sq ( FE_25519 & x,
const FE_25519 & z )
inline

Definition at line 192 of file ed25519_fe.h.

192 {
193 x = FE_25519::sqr(z);
194}
static FE_25519 sqr(const FE_25519 &a)
Definition ed25519_fe.h:125

References Botan::FE_25519::sqr().

Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

◆ fe_sq2()

void Botan::fe_sq2 ( FE_25519 & x,
const FE_25519 & z )
inline

Definition at line 200 of file ed25519_fe.h.

200 {
201 x = FE_25519::sqr2(z);
202}
static FE_25519 sqr2(const FE_25519 &a)

References Botan::FE_25519::sqr2().

◆ fe_sq_iter()

void Botan::fe_sq_iter ( FE_25519 & x,
const FE_25519 & z,
size_t iter )
inline

Definition at line 196 of file ed25519_fe.h.

196 {
197 x = FE_25519::sqr_iter(z, iter);
198}
static FE_25519 sqr_iter(const FE_25519 &a, size_t iter)

References Botan::FE_25519::sqr_iter().

Referenced by Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

◆ fe_sub()

void Botan::fe_sub ( FE_25519 & x,
const FE_25519 & a,
const FE_25519 & b )
inline

Definition at line 180 of file ed25519_fe.h.

180 {
181 x = FE_25519::sub(a, b);
182}
static FE_25519 sub(const FE_25519 &a, const FE_25519 &b)
Definition ed25519_fe.h:106

References Botan::FE_25519::sub().

Referenced by ge_frombytes_negate_vartime().

◆ fe_tobytes()

void Botan::fe_tobytes ( uint8_t * b,
const FE_25519 & x )
inline

Definition at line 152 of file ed25519_fe.h.

152 {
153 x.to_bytes(b);
154}
void to_bytes(uint8_t b[32]) const

References Botan::FE_25519::to_bytes().

◆ find_roots_gf2m_decomp()

secure_vector< gf2m > Botan::find_roots_gf2m_decomp ( const polyn_gf2m & polyn,
size_t code_length )

Find the roots of a polynomial over GF(2^m) using the method by Federenko et al.

Definition at line 255 of file gf2m_rootfind_dcmp.cpp.

255 {
256 gf2m_decomp_rootfind_state state(polyn, code_length);
257 return state.find_roots(polyn);
258}

References find_roots_gf2m_decomp().

Referenced by find_roots_gf2m_decomp().

◆ floor_log2()

template<typename T>
requires (std::is_unsigned<T>::value)
T Botan::floor_log2 ( T n)
inlineconstexpr

Definition at line 125 of file bit_ops.h.

127{
128 BOTAN_ARG_CHECK(n != 0, "log2(0) is not defined");
129 return static_cast<T>(high_bit(n) - 1);
130}
constexpr size_t high_bit(T n)
Definition bit_ops.h:61

References BOTAN_ARG_CHECK, and high_bit().

Referenced by Botan::Classic_McEliece_GF::log_q_from_mod(), and Botan::Classic_McEliece_Parameters::tau().

◆ fmt()

template<typename... T>
std::string Botan::fmt ( std::string_view format,
const T &... args )

Simple formatter utility.

Should be replaced with std::format once that's available on all our supported compilers.

'{}' markers in the format string are replaced by the arguments. Unlike std::format, there is no support for escaping or for any kind of conversion flags.

Definition at line 53 of file fmt.h.

53 {
54 std::ostringstream oss;
55 oss.imbue(std::locale::classic());
56 fmt_detail::do_fmt(oss, format, args...);
57 return oss.str();
58}
void do_fmt(std::ostringstream &oss, std::string_view format)
Definition fmt.h:20

References Botan::fmt_detail::do_fmt().

Referenced by Botan::AlternativeName::add_attribute(), Botan::GOST_3410_PublicKey::algo_name(), Botan::KEX_to_KEM_Adapter_PublicKey::algo_name(), Botan::Algorithm_Not_Found::Algorithm_Not_Found(), Botan::AlternativeName::AlternativeName(), argon2_generate_pwhash(), assert_unreachable(), Botan::TLS::auth_method_from_string(), Botan::BER_Bad_Tag::BER_Bad_Tag(), Botan::BER_Decoding_Error::BER_Decoding_Error(), Botan::CFB_Mode::CFB_Mode(), Botan::TPM2::cipher_tss2_to_botan(), Botan::CMAC::CMAC(), Botan::CommonCrypto_Error::CommonCrypto_Error(), Botan::Compression_Error::Compression_Error(), Botan::AES_256_CTR_XOF::copy_state(), Botan::KDF::create(), Botan::TPM2::PrivateKey::create(), Botan::TPM2::PublicKey::create(), Botan::Private_Key::create_decryption_op(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), Botan::PKCS11::MechanismWrapper::create_ecdsa_mechanism(), Botan::Public_Key::create_encryption_op(), Botan::Private_Key::create_kem_decryption_op(), Botan::Public_Key::create_kem_encryption_op(), Botan::Private_Key::create_key_agreement_op(), create_private_key(), Botan::Private_Key::create_signature_op(), Botan::Public_Key::create_verification_op(), Botan::Public_Key::create_x509_verification_op(), Botan::PEM_Code::decode(), Botan::PEM_Code::decode_check_label(), Botan::ASN1_String::decode_from(), Botan::Cert_Extension::TNAuthList::Entry::decode_from(), Botan::Decoding_Error::Decoding_Error(), Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), Botan::EC_Group::EC_Group(), Botan::PEM_Code::encode(), Botan::TPM2::Error::Error(), Botan::Exception::Exception(), Botan::Exception::Exception(), expand_message_xmd(), Botan::Stream_Decompression::finish(), Botan::PSS_Params::from_emsa_name(), Botan::DL_Group::from_name(), Botan::EC_Group::from_name(), Botan::EC_Group::from_OID(), Botan::Classic_McEliece_Parameter_Set::from_string(), Botan::OID::from_string(), generate_dsa_primes(), Botan::EC_PublicKey::get_int_field(), Botan::TPM2::get_raw_rc(), Botan::GOST_28147_89::GOST_28147_89(), Botan::GOST_28147_89_Params::GOST_28147_89_Params(), Botan::Sphincs_Parameters::hash_name(), hex_decode(), hkdf_expand_label(), Botan::HMAC_DRBG::HMAC_DRBG(), Botan::HSS_LMS_Params::HSS_LMS_Params(), Botan::HTTP::http_sync(), Botan::Hybrid_PublicKey::Hybrid_PublicKey(), Botan::Invalid_Algorithm_Name::Invalid_Algorithm_Name(), Botan::Invalid_Argument::Invalid_Argument(), Botan::Invalid_IV_Length::Invalid_IV_Length(), Botan::Invalid_Key_Length::Invalid_Key_Length(), Botan::Pipe::Invalid_Message_Number::Invalid_Message_Number(), Botan::Keccak_1600::Keccak_1600(), Botan::TLS::kex_method_from_string(), Botan::Key_Not_Set::Key_Not_Set(), Botan::Lion::Lion(), load_private_key(), load_public_key(), Botan::PEM_Code::matches(), Botan::BLAKE2b::name(), Botan::BLAKE2s::name(), Botan::Cascade_Cipher::name(), Botan::CBC_Mode::name(), Botan::CCM_Mode::name(), Botan::CFB_Mode::name(), Botan::ChaCha::name(), Botan::CMAC::name(), Botan::Comb4P::name(), Botan::CTR_BE::name(), Botan::DilithiumMessageHash::name(), Botan::EMSA_Raw::name(), Botan::EMSA_X931::name(), Botan::FPE_FE1::name(), Botan::GCM_Mode::name(), Botan::GeneralName::name(), Botan::GMAC::name(), Botan::HKDF::name(), Botan::HKDF_Expand::name(), Botan::HKDF_Extract::name(), Botan::HMAC::name(), Botan::HMAC_DRBG::name(), Botan::ISO_9796_DS2::name(), Botan::ISO_9796_DS3::name(), Botan::KDF1::name(), Botan::KDF1_18033::name(), Botan::KDF2::name(), Botan::Keccak_1600::name(), Botan::KMAC128::name(), Botan::KMAC256::name(), Botan::Lion::name(), Botan::OFB::name(), Botan::PBKDF2_Family::name(), Botan::PKCS5_PBKDF2::name(), Botan::PSSR::name(), Botan::PSSR_Raw::name(), Botan::RFC4880_S2K_Family::name(), Botan::SHA_3::name(), Botan::SHAKE_128::name(), Botan::SHAKE_256::name(), Botan::SipHash::name(), Botan::Skein_512::name(), Botan::SP800_108_Counter::name(), Botan::SP800_108_Feedback::name(), Botan::SP800_108_Pipeline::name(), Botan::SP800_56C_One_Step_Hash::name(), Botan::SP800_56C_One_Step_HMAC::name(), Botan::SP800_56C_Two_Step::name(), Botan::Streebog::name(), Botan::TLS_12_PRF::name(), Botan::Truncated_Hash::name(), Botan::Asymmetric_Key::object_identifier(), pbes2_decrypt(), Botan::PK_Decryptor_EME::PK_Decryptor_EME(), Botan::PK_Encryptor_EME::PK_Encryptor_EME(), Botan::PK_KEM_Decryptor::PK_KEM_Decryptor(), Botan::PK_KEM_Encryptor::PK_KEM_Encryptor(), Botan::PK_Key_Agreement::PK_Key_Agreement(), Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), Botan::PK_Verifier::PK_Verifier(), Botan::PRNG_Unseeded::PRNG_Unseeded(), Botan::Provider_Not_Found::Provider_Not_Found(), Botan::Credentials_Manager::psk(), Botan::Dynamically_Loaded_Library::resolve_symbol(), Botan::RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(), Botan::Sqlite3_Database::row_count(), Botan::RSA_PrivateKey::RSA_PrivateKey(), runtime_version_check(), Botan::SHA_3::SHA_3(), Botan::SHAKE_128::SHAKE_128(), Botan::SHAKE_256::SHAKE_256(), split_on(), srp6_client_agree(), srp6_generate_verifier(), Botan::XOF::start(), Botan::SRP6_Server_Session::step1(), Botan::SRP6_Server_Session::step2(), Botan::Streebog::Streebog(), Botan::System_Error::System_Error(), throw_invalid_argument(), throw_invalid_state(), Botan::Argon2::to_string(), Botan::ASN1_Time::to_string(), Botan::Bcrypt_PBKDF::to_string(), Botan::PBKDF2::to_string(), Botan::RFC4880_S2K::to_string(), Botan::Scrypt::to_string(), Botan::Unknown_PK_Field_Name::Unknown_PK_Field_Name(), Botan::TLS::Cipher_State::update_read_keys(), Botan::TLS::Cipher_State::update_write_keys(), Botan::UUID::UUID(), Botan::TLS::Certificate_Type_Base::validate_selection(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), Botan::XMSS_Hash::XMSS_Hash(), Botan::XMSS_Parameters::xmss_id_from_string(), Botan::XMSS_WOTS_Parameters::xmss_wots_id_from_string(), and Botan::XTS_Mode::XTS_Mode().

◆ format_char_for_display()

std::string Botan::format_char_for_display ( char c)

Return a string containing 'c', quoted and possibly escaped

This is used when creating an error message nothing an invalid character in some codex (for example during hex decoding)

Currently this function escapes tab, newlines and carriage return as "\t", "\n", and "\r", and also escapes characters > 0x7F as "\xHH" where HH is the hex code.

Definition at line 98 of file charset.cpp.

98 {
99 std::ostringstream oss;
100
101 oss << "'";
102
103 if(c == '\t') {
104 oss << "\\t";
105 } else if(c == '\n') {
106 oss << "\\n";
107 } else if(c == '\r') {
108 oss << "\\r";
109 } else if(static_cast<unsigned char>(c) >= 128) {
110 unsigned char z = static_cast<unsigned char>(c);
111 oss << "\\x" << std::hex << std::uppercase << static_cast<int>(z);
112 } else {
113 oss << c;
114 }
115
116 oss << "'";
117
118 return oss.str();
119}

Referenced by hex_decode().

◆ fors_public_key_from_signature()

BOTAN_TEST_API SphincsTreeNode Botan::fors_public_key_from_signature ( const SphincsHashedMessage & hashed_message,
StrongSpan< const ForsSignature > signature,
const Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hash )

FIPS 205, Algorithm 17: fors_pkFromSig.

Reconstructs the FORS public key from a given FORS signature and message. This is tailored for the use case in the SLH-DSA implementation and is not meant for general usability.

Definition at line 129 of file sp_fors.cpp.

133 {
134 const auto indices = fors_message_to_indices(hashed_message, params);
135
136 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTree);
137
138 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
139
140 BufferSlicer s(signature);
141 std::vector<uint8_t> roots_buffer(params.k() * params.n());
142 BufferStuffer roots(roots_buffer);
143
144 // For each of the k FORS subtrees: Reconstruct the subtree's root node by using the
145 // leaf and the authentication path offered in the FORS signature.
146 BOTAN_ASSERT_NOMSG(indices.size() == params.k());
147 for(uint32_t i = 0; i < params.k(); ++i) {
148 uint32_t idx_offset = i * (1 << params.a());
149
150 // Compute the FORS leaf by using the secret leaf contained in the signature
151 fors_tree_addr.set_tree_height(TreeLayerIndex(0)).set_tree_index(indices[i] + idx_offset);
152 auto fors_leaf_secret = s.take<ForsLeafSecret>(params.n());
153 auto auth_path = s.take<SphincsAuthenticationPath>(params.n() * params.a());
154 auto leaf = hashes.T<SphincsTreeNode>(fors_tree_addr, fors_leaf_secret);
155
156 // Reconstruct the subtree's root using the authentication path
157 compute_root(roots.next<SphincsTreeNode>(params.n()),
158 params,
159 hashes,
160 leaf,
161 indices[i],
162 idx_offset,
163 auth_path,
164 params.a(),
165 fors_tree_addr);
166 }
167
168 BOTAN_ASSERT_NOMSG(roots.full());
169
170 // Reconstruct the public key the signature creates with the hash of the concatenation of all roots
171 // Only if the signature is valid, the pk is the correct FORS pk.
172 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
173}
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:143
Sphincs_Address & set_type(Sphincs_Address_Type type)
Definition sp_address.h:74
static Sphincs_Address as_keypair_from(const Sphincs_Address &other)
Definition sp_address.h:131
Strong< secure_vector< uint8_t >, struct ForsLeafSecret_ > ForsLeafSecret
Definition sp_types.h:71
Strong< std::vector< uint8_t >, struct SphincsAuthenticationPath_ > SphincsAuthenticationPath
Definition sp_types.h:67
void compute_root(StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)

References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, compute_root(), Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().

◆ fors_sign_and_pkgen()

BOTAN_TEST_API SphincsTreeNode Botan::fors_sign_and_pkgen ( StrongSpan< ForsSignature > sig_out,
const SphincsHashedMessage & hashed_message,
const SphincsSecretSeed & secret_seed,
const Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation)

Implements a domain specific wrapper for the few-times signature scheme FORS (Forest of Random Subsets). It is meant to be used inside SLH-DSA and does not aim to be applicable for other use cases.

Definition at line 63 of file sp_fors.cpp.

68 {
69 BOTAN_ASSERT_NOMSG(sig_out.size() == params.fors_signature_bytes());
70
71 const auto indices = fors_message_to_indices(hashed_message, params);
72
73 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address);
74
75 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
76
77 std::vector<uint8_t> roots_buffer(params.k() * params.n());
78 BufferStuffer roots(roots_buffer);
79 BufferStuffer sig(sig_out);
80
81 // Buffer to hold the FORS leafs during tree traversal
82 // (Avoids a secure_vector allocation/deallocation in the hot path)
83 ForsLeafSecret fors_leaf_secret(params.n());
84
85 // For each of the k FORS subtrees: Compute the secret leaf, the authentication path
86 // and the trees' root and append the signature respectively
87 BOTAN_ASSERT_NOMSG(indices.size() == params.k());
88 for(uint32_t i = 0; i < params.k(); ++i) {
89 uint32_t idx_offset = i * (1 << params.a());
90
91 // Compute the secret leaf given by the chunk of the message and append it to the signature
92 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration)
93 .set_tree_height(TreeLayerIndex(0))
94 .set_tree_index(indices[i] + idx_offset);
95
96 hashes.PRF(sig.next<ForsLeafSecret>(params.n()), secret_seed, fors_tree_addr);
97
98 // Compute the authentication path and root for this leaf node
99 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
100
101 GenerateLeafFunction fors_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
102 fors_tree_addr.set_tree_index(address_index);
103 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration);
104
105 hashes.PRF(fors_leaf_secret, secret_seed, fors_tree_addr);
106
107 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
108 hashes.T(out_root, fors_tree_addr, fors_leaf_secret);
109 };
110
111 treehash(roots.next<SphincsTreeNode>(params.n()),
112 sig.next<SphincsAuthenticationPath>(params.a() * params.n()),
113 params,
114 hashes,
115 indices[i],
116 idx_offset,
117 params.a(),
118 fors_gen_leaf,
119 fors_tree_addr);
120 }
121
122 BOTAN_ASSERT_NOMSG(sig.full());
123 BOTAN_ASSERT_NOMSG(roots.full());
124
125 // Compute the public key by the hash of the concatenation of all roots
126 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
127}
void PRF(StrongSpan< ForsLeafSecret > out, const SphincsSecretSeed &sk_seed, const Sphincs_Address &address)
Definition sp_hash.h:70
uint32_t fors_signature_bytes() const
std::function< void(StrongSpan< SphincsTreeNode >, TreeNodeIndex)> GenerateLeafFunction
Definition sp_treehash.h:25
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:92
void treehash(StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)

References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, Botan::Sphincs_Parameters::fors_signature_bytes(), ForsKeyGeneration, ForsTree, Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_type(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and treehash().

◆ gcd()

BigInt Botan::gcd ( const BigInt & x,
const BigInt & y )

Compute the greatest common divisor

Parameters
xa positive integer
ya positive integer
Returns
gcd(x,y)

Definition at line 193 of file numthry.cpp.

193 {
194 if(a.is_zero()) {
195 return abs(b);
196 }
197 if(b.is_zero()) {
198 return abs(a);
199 }
200
201 const size_t sz = std::max(a.sig_words(), b.sig_words());
202 auto u = BigInt::with_capacity(sz);
203 auto v = BigInt::with_capacity(sz);
204 u += a;
205 v += b;
206
207 CT::poison_all(u, v);
208
209 u.set_sign(BigInt::Positive);
210 v.set_sign(BigInt::Positive);
211
212 // In the worst case we have two fully populated big ints. After right
213 // shifting so many times, we'll have reached the result for sure.
214 const size_t loop_cnt = u.bits() + v.bits();
215
216 using WordMask = CT::Mask<word>;
217
218 // This temporary is big enough to hold all intermediate results of the
219 // algorithm. No reallocation will happen during the loop.
220 // Note however, that `ct_cond_assign()` will invalidate the 'sig_words'
221 // cache, which _does not_ shrink the capacity of the underlying buffer.
222 auto tmp = BigInt::with_capacity(sz);
223 size_t factors_of_two = 0;
224 for(size_t i = 0; i != loop_cnt; ++i) {
225 auto both_odd = WordMask::expand(u.is_odd()) & WordMask::expand(v.is_odd());
226
227 // Subtract the smaller from the larger if both are odd
228 auto u_gt_v = WordMask::expand(bigint_cmp(u._data(), u.size(), v._data(), v.size()) > 0);
229 bigint_sub_abs(tmp.mutable_data(), u._data(), sz, v._data(), sz);
230 u.ct_cond_assign((u_gt_v & both_odd).as_bool(), tmp);
231 v.ct_cond_assign((~u_gt_v & both_odd).as_bool(), tmp);
232
233 const auto u_is_even = WordMask::expand(u.is_even());
234 const auto v_is_even = WordMask::expand(v.is_even());
235 BOTAN_DEBUG_ASSERT((u_is_even | v_is_even).as_bool());
236
237 // When both are even, we're going to eliminate a factor of 2.
238 // We have to reapply this factor to the final result.
239 factors_of_two += (u_is_even & v_is_even).if_set_return(1);
240
241 // remove one factor of 2, if u is even
242 bigint_shr2(tmp.mutable_data(), u._data(), sz, 1);
243 u.ct_cond_assign(u_is_even.as_bool(), tmp);
244
245 // remove one factor of 2, if v is even
246 bigint_shr2(tmp.mutable_data(), v._data(), sz, 1);
247 v.ct_cond_assign(v_is_even.as_bool(), tmp);
248 }
249
250 // The GCD (without factors of two) is either in u or v, the other one is
251 // zero. The non-zero variable _must_ be odd, because all factors of two were
252 // removed in the loop iterations above.
253 BOTAN_DEBUG_ASSERT(u.is_zero() || v.is_zero());
254 BOTAN_DEBUG_ASSERT(u.is_odd() || v.is_odd());
255
256 // make sure that the GCD (without factors of two) is in u
257 u.ct_cond_assign(u.is_even() /* .is_zero() would not be constant time */, v);
258
259 // re-apply the factors of two
260 u.ct_shift_left(factors_of_two);
261
262 CT::unpoison_all(u, v);
263
264 return u;
265}
constexpr void unpoison_all(Ts &&... ts)
Definition ct_utils.h:202
constexpr void poison_all(Ts &&... ts)
Definition ct_utils.h:196
constexpr void bigint_shr2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:487
BigInt abs(const BigInt &n)
Definition numthry.h:24
constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
Definition mp_core.h:398

References abs(), bigint_cmp(), bigint_shr2(), bigint_sub_abs(), BOTAN_DEBUG_ASSERT, Botan::BigInt::is_zero(), Botan::CT::poison_all(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), Botan::CT::unpoison_all(), and Botan::BigInt::with_capacity().

Referenced by botan_mp_gcd(), compute_rsa_secret_exponent(), generate_rsa_prime(), lcm(), and random_prime().

◆ ge_double_scalarmult_vartime() [1/2]

void Botan::ge_double_scalarmult_vartime ( uint8_t out[32],
const uint8_t * a,
const ge_p3 * A,
const uint8_t * b )

Definition at line 480 of file ge.cpp.

480 {
481 static const ge_precomp Bi[8] = {
482 {
483 {25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
484 {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
485 {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
486 },
487 {
488 {15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
489 {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
490 {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
491 },
492 {
493 {10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
494 {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
495 {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
496 },
497 {
498 {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
499 {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
500 {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
501 },
502 {
503 {-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
504 {-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
505 {4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
506 },
507 {
508 {-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
509 {25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
510 {23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
511 },
512 {
513 {-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
514 {-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
515 {-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
516 },
517 {
518 {-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
519 {-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
520 {-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
521 },
522 };
523
524 int8_t aslide[256];
525 int8_t bslide[256];
526 ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
527 ge_p1p1 t;
528 ge_p3 u;
529 ge_p3 A2;
530 ge_p2 r;
531 int i;
532
533 slide(aslide, a);
534 slide(bslide, b);
535
536 ge_p3_to_cached(&Ai[0], A);
537 ge_p3_dbl(&t, A);
538 ge_p1p1_to_p3(&A2, &t);
539 ge_add(&t, &A2, &Ai[0]);
540 ge_p1p1_to_p3(&u, &t);
541 ge_p3_to_cached(&Ai[1], &u);
542 ge_add(&t, &A2, &Ai[1]);
543 ge_p1p1_to_p3(&u, &t);
544 ge_p3_to_cached(&Ai[2], &u);
545 ge_add(&t, &A2, &Ai[2]);
546 ge_p1p1_to_p3(&u, &t);
547 ge_p3_to_cached(&Ai[3], &u);
548 ge_add(&t, &A2, &Ai[3]);
549 ge_p1p1_to_p3(&u, &t);
550 ge_p3_to_cached(&Ai[4], &u);
551 ge_add(&t, &A2, &Ai[4]);
552 ge_p1p1_to_p3(&u, &t);
553 ge_p3_to_cached(&Ai[5], &u);
554 ge_add(&t, &A2, &Ai[5]);
555 ge_p1p1_to_p3(&u, &t);
556 ge_p3_to_cached(&Ai[6], &u);
557 ge_add(&t, &A2, &Ai[6]);
558 ge_p1p1_to_p3(&u, &t);
559 ge_p3_to_cached(&Ai[7], &u);
560
561 ge_p2_0(&r);
562
563 for(i = 255; i >= 0; --i) {
564 if(aslide[i] || bslide[i]) {
565 break;
566 }
567 }
568
569 for(; i >= 0; --i) {
570 ge_p2_dbl(&t, &r);
571
572 if(aslide[i] > 0) {
573 ge_p1p1_to_p3(&u, &t);
574 ge_add(&t, &u, &Ai[aslide[i] >> 1]);
575 } else if(aslide[i] < 0) {
576 ge_p1p1_to_p3(&u, &t);
577 ge_sub(&t, &u, &Ai[(-aslide[i]) >> 1]);
578 }
579
580 if(bslide[i] > 0) {
581 ge_p1p1_to_p3(&u, &t);
582 ge_madd(&t, &u, &Bi[bslide[i] >> 1]);
583 } else if(bslide[i] < 0) {
584 ge_p1p1_to_p3(&u, &t);
585 ge_msub(&t, &u, &Bi[(-bslide[i]) >> 1]);
586 }
587
588 ge_p1p1_to_p2(&r, &t);
589 }
590
591 ge_tobytes(out, &r);
592}

◆ ge_double_scalarmult_vartime() [2/2]

void Botan::ge_double_scalarmult_vartime ( uint8_t out[32],
const uint8_t a[],
const ge_p3 * A,
const uint8_t b[] )

◆ ge_frombytes_negate_vartime()

int Botan::ge_frombytes_negate_vartime ( ge_p3 * v,
const uint8_t * s )

Definition at line 425 of file ge.cpp.

425 {
426 static const FE_25519 d = {
427 -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116};
428 static const FE_25519 sqrtm1 = {
429 -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482};
430
431 FE_25519 u;
432 FE_25519 v;
433 FE_25519 v3;
434 FE_25519 vxx;
435 FE_25519 check;
436
437 fe_frombytes(h->Y, s);
438 fe_1(h->Z);
439 fe_sq(u, h->Y);
440 fe_mul(v, u, d);
441 fe_sub(u, u, h->Z); /* u = y^2-1 */
442 fe_add(v, v, h->Z); /* v = dy^2+1 */
443
444 fe_sq(v3, v);
445 fe_mul(v3, v3, v); /* v3 = v^3 */
446 fe_sq(h->X, v3);
447 fe_mul(h->X, h->X, v);
448 fe_mul(h->X, h->X, u); /* x = uv^7 */
449
450 fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
451 fe_mul(h->X, h->X, v3);
452 fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
453
454 fe_sq(vxx, h->X);
455 fe_mul(vxx, vxx, v);
456 fe_sub(check, vxx, u); /* vx^2-u */
457 if(fe_isnonzero(check)) {
458 fe_add(check, vxx, u); /* vx^2+u */
459 if(fe_isnonzero(check)) {
460 return -1;
461 }
462 fe_mul(h->X, h->X, sqrtm1);
463 }
464
465 if(fe_isnegative(h->X) == (s[31] >> 7)) {
466 fe_neg(h->X, h->X);
467 }
468
469 fe_mul(h->T, h->X, h->Y);
470 return 0;
471}
void fe_1(FE_25519 &x)
Definition ed25519_fe.h:172
void fe_pow22523(FE_25519 &x, const FE_25519 &y)
Definition ed25519_fe.h:208
void fe_sq(FE_25519 &x, const FE_25519 &z)
Definition ed25519_fe.h:192
int fe_isnonzero(const FE_25519 &x)
Definition ed25519_fe.h:160
void fe_add(FE_25519 &x, const FE_25519 &a, const FE_25519 &b)
Definition ed25519_fe.h:176
void fe_sub(FE_25519 &x, const FE_25519 &a, const FE_25519 &b)
Definition ed25519_fe.h:180
int fe_isnegative(const FE_25519 &x)
Definition ed25519_fe.h:164
void fe_mul(FE_25519 &x, const FE_25519 &a, const FE_25519 &b)
Definition ed25519_fe.h:188
void fe_frombytes(FE_25519 &x, const uint8_t *b)
Definition ed25519_fe.h:148
void fe_neg(FE_25519 &x, const FE_25519 &z)
Definition ed25519_fe.h:184

References fe_1(), fe_add(), fe_frombytes(), fe_isnegative(), fe_isnonzero(), fe_mul(), fe_neg(), fe_pow22523(), fe_sq(), fe_sub(), Botan::ge_p3::T, Botan::ge_p3::X, Botan::ge_p3::Y, and Botan::ge_p3::Z.

Referenced by Botan::Ed25519_PublicKey::check_key(), and ed25519_verify().

◆ ge_scalarmult_base()

void Botan::ge_scalarmult_base ( uint8_t out[32],
const uint8_t in[32] )

Definition at line 2043 of file ge.cpp.

2043 {
2044 int8_t e[64];
2045 int8_t carry;
2046 ge_p1p1 r;
2047 ge_p2 s;
2048 ge_p3 h;
2049 ge_precomp t;
2050 int i;
2051
2052 for(i = 0; i < 32; ++i) {
2053 e[2 * i + 0] = (a[i] >> 0) & 15;
2054 e[2 * i + 1] = (a[i] >> 4) & 15;
2055 }
2056 /* each e[i] is between 0 and 15 */
2057 /* e[63] is between 0 and 7 */
2058
2059 carry = 0;
2060 for(i = 0; i < 63; ++i) {
2061 e[i] += carry;
2062 carry = e[i] + 8;
2063 carry >>= 4;
2064 e[i] -= carry << 4;
2065 }
2066 e[63] += carry;
2067 /* each e[i] is between -8 and 8 */
2068
2069 ge_p3_0(&h);
2070 for(i = 1; i < 64; i += 2) {
2071 select(&t, B_precomp[i / 2], e[i]);
2072 ge_madd(&r, &h, &t);
2073 ge_p1p1_to_p3(&h, &r);
2074 }
2075
2076 ge_p3_dbl(&r, &h);
2077 ge_p1p1_to_p2(&s, &r);
2078 ge_p2_dbl(&r, &s);
2079 ge_p1p1_to_p2(&s, &r);
2080 ge_p2_dbl(&r, &s);
2081 ge_p1p1_to_p2(&s, &r);
2082 ge_p2_dbl(&r, &s);
2083 ge_p1p1_to_p3(&h, &r);
2084
2085 for(i = 0; i < 64; i += 2) {
2086 select(&t, B_precomp[i / 2], e[i]);
2087 ge_madd(&r, &h, &t);
2088 ge_p1p1_to_p3(&h, &r);
2089 }
2090
2091 ge_p3_tobytes(out, &h);
2092}

References carry().

Referenced by ed25519_gen_keypair(), and ed25519_sign().

◆ generalize_to() [1/2]

template<typename GeneralVariantT, typename SpecialT>
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
GeneralVariantT Botan::generalize_to ( SpecialT && specific)
constexprnoexcept

Converts a given variant into another variant-ish whose type states are a super set of the given variant.

This is useful to convert restricted variant types into more general variants types.

Definition at line 316 of file stl_util.h.

318{
319 return std::forward<SpecialT>(specific);
320}

Referenced by Botan::TLS::Channel_Impl_13::send_handshake_message(), and Botan::TLS::Channel_Impl_13::send_handshake_message().

◆ generalize_to() [2/2]

template<typename GeneralVariantT, typename... SpecialTs>
GeneralVariantT Botan::generalize_to ( std::variant< SpecialTs... > specific)
constexprnoexcept

Converts a given variant into another variant-ish whose type states are a super set of the given variant.

This is useful to convert restricted variant types into more general variants types.

Definition at line 330 of file stl_util.h.

330 {
331 static_assert(
333 "Desired general type must be implicitly constructible by all types of the specialized std::variant<>");
334 return std::visit([](auto s) -> GeneralVariantT { return s; }, std::move(specific));
335}
constexpr bool is_generalizable_to(const SpecialT &) noexcept
Definition stl_util.h:299

References is_generalizable_to().

◆ generate_bcrypt()

std::string Botan::generate_bcrypt ( std::string_view password,
RandomNumberGenerator & rng,
uint16_t work_factor = 12,
char version = 'a' )

Create a password hash using Bcrypt

Takes the password to hash, a rng, and a work_factor. The resulting password hash is returned as a string.

Higher work factors increase the amount of time the algorithm runs, increasing the cost of cracking attempts. The increase is exponential, so a work factor of 12 takes roughly twice as long as work factor 11. The default work factor was set to 10 up until the 2.8.0 release.

It is recommended to set the work factor as high as your system can tolerate (from a performance and latency perspective) since higher work factors greatly improve the security against GPU-based attacks. For example, for protecting high value administrator passwords, consider using work factor 15 or 16; at these work factors each bcrypt computation takes several seconds. Since admin logins will be relatively uncommon, it might be acceptable for each login attempt to take some time. As of 2018, a good password cracking rig (with 8 NVIDIA 1080 cards) can attempt about 1 billion bcrypt computations per month for work factor 13. For work factor 12, it can do twice as many. For work factor 15, it can do only one quarter as many attempts.

Due to bugs affecting various implementations of bcrypt, several different variants of the algorithm are defined. As of 2.7.0 Botan supports generating (or checking) the 2a, 2b, and 2y variants. Since Botan has never been affected by any of the bugs which necessitated these version upgrades, all three versions are identical beyond the version identifier. Which variant to use is controlled by the version argument.

The bcrypt work_factor must be at least 4 (though at this work factor bcrypt is not very secure). The bcrypt format allows up to 31, but Botan currently rejects all work factors greater than 18 since even that work factor requires roughly 15 seconds of computation on a fast machine.

Warning
The password is truncated at at most 72 characters; characters after that do not have any effect on the resulting hash. To support longer passwords, consider pre-hashing the password, for example by using the hex encoding of SHA-256 of the password as the input to bcrypt.
Parameters
passwordthe password.
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
versionwhich version to emit (may be 'a', 'b', or 'y' all of which have identical behavior in this implementation).
See also
https://www.usenix.org/events/usenix99/provos/provos_html/

TODO(Botan4) Convert work_factor to a size_t

Definition at line 145 of file bcrypt.cpp.

145 {
146 /*
147 2a, 2b and 2y are identical for our purposes because our implementation of 2a
148 never had the truncation or signed char bugs in the first place.
149 */
150
151 if(version != 'a' && version != 'b' && version != 'y') {
152 throw Invalid_Argument("Unknown bcrypt version '" + std::string(1, version) + "'");
153 }
154
155 std::vector<uint8_t> salt;
156 rng.random_vec(salt, 16);
157 return make_bcrypt(pass, salt, work_factor, version);
158}
void random_vec(std::span< uint8_t > v)
Definition rng.h:196

References Botan::RandomNumberGenerator::random_vec().

Referenced by botan_bcrypt_generate().

◆ generate_dsa_primes() [1/2]

std::vector< uint8_t > Botan::generate_dsa_primes ( RandomNumberGenerator & rng,
BigInt & p_out,
BigInt & q_out,
size_t pbits,
size_t qbits )

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
Returns
random seed used to generate this parameter set

Definition at line 136 of file dsa_gen.cpp.

136 {
137 while(true) {
138 std::vector<uint8_t> seed(qbits / 8);
139 rng.randomize(seed.data(), seed.size());
140
141 if(generate_dsa_primes(rng, p, q, pbits, qbits, seed)) {
142 return seed;
143 }
144 }
145}
bool generate_dsa_primes(RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
Definition dsa_gen.cpp:54

References generate_dsa_primes(), and Botan::RandomNumberGenerator::randomize().

◆ generate_dsa_primes() [2/2]

bool BOTAN_TEST_API Botan::generate_dsa_primes ( RandomNumberGenerator & rng,
BigInt & p_out,
BigInt & q_out,
size_t pbits,
size_t qbits,
const std::vector< uint8_t > & seed,
size_t offset = 0 )

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
seedthe seed used to generate the parameters
offsetoptional offset from seed to start searching at
Returns
true if seed generated a valid DSA parameter set, otherwise false. p_out and q_out are only valid if true was returned.

Definition at line 54 of file dsa_gen.cpp.

60 {
61 if(!fips186_3_valid_size(pbits, qbits)) {
62 throw Invalid_Argument(fmt("FIPS 186-3 does not allow DSA domain parameters of {}/{} bits long", pbits, qbits));
63 }
64
65 if(seed_c.size() * 8 < qbits) {
66 throw Invalid_Argument(
67 fmt("Generating a DSA parameter set with a {} bit long q requires a seed at least as many bits long", qbits));
68 }
69
70 const std::string hash_name = hash_function_for(qbits);
71 auto hash = HashFunction::create_or_throw(hash_name);
72
73 const size_t HASH_SIZE = hash->output_length();
74
75 class Seed final {
76 public:
77 explicit Seed(const std::vector<uint8_t>& s) : m_seed(s) {}
78
79 const std::vector<uint8_t>& value() const { return m_seed; }
80
81 Seed& operator++() {
82 for(size_t j = m_seed.size(); j > 0; --j) {
83 if(++m_seed[j - 1]) {
84 break;
85 }
86 }
87 return (*this);
88 }
89
90 private:
91 std::vector<uint8_t> m_seed;
92 };
93
94 Seed seed(seed_c);
95
96 q._assign_from_bytes(hash->process(seed.value()));
97 q.set_bit(qbits - 1);
98 q.set_bit(0);
99
100 if(!is_prime(q, rng, 128, true)) {
101 return false;
102 }
103
104 const size_t n = (pbits - 1) / (HASH_SIZE * 8), b = (pbits - 1) % (HASH_SIZE * 8);
105
106 BigInt X;
107 std::vector<uint8_t> V(HASH_SIZE * (n + 1));
108
109 const BigInt q2 = 2 * q;
110
111 for(size_t j = 0; j != 4 * pbits; ++j) {
112 for(size_t k = 0; k <= n; ++k) {
113 ++seed;
114 hash->update(seed.value());
115 hash->final(&V[HASH_SIZE * (n - k)]);
116 }
117
118 if(j >= offset) {
119 X._assign_from_bytes(std::span{V}.subspan(HASH_SIZE - 1 - b / 8));
120 X.set_bit(pbits - 1);
121
122 // Variable time division is OK here since DSA primes are public anyway
123 p = X - ((X % q2) - 1);
124
125 if(p.bits() == pbits && is_prime(p, rng, 128, true)) {
126 return true;
127 }
128 }
129 }
130 return false;
131}
constexpr auto operator++(Strong< T, Tags... > &a, int)
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:355

References Botan::BigInt::_assign_from_bytes(), Botan::BigInt::bits(), Botan::HashFunction::create_or_throw(), fmt(), is_prime(), operator++(), Seed, and Botan::BigInt::set_bit().

Referenced by Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), and generate_dsa_primes().

◆ generate_mceliece_key()

McEliece_PrivateKey Botan::generate_mceliece_key ( RandomNumberGenerator & rng,
size_t ext_deg,
size_t code_length,
size_t t )

Definition at line 184 of file code_based_key_gen.cpp.

184 {
185 const size_t codimension = t * ext_deg;
186
187 if(code_length <= codimension) {
188 throw Invalid_Argument("invalid McEliece parameters");
189 }
190
191 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
192
193 //pick the support.........
194 std::vector<gf2m> L(code_length);
195
196 for(size_t i = 0; i != L.size(); i++) {
197 L[i] = static_cast<gf2m>(i);
198 }
199 randomize_support(L, rng);
200 polyn_gf2m g(sp_field); // create as zero
201
202 bool success = false;
203 std::unique_ptr<binary_matrix> R;
204
205 do {
206 // create a random irreducible polynomial
207 g = polyn_gf2m(t, rng, sp_field);
208
209 try {
210 R = generate_R(L, &g, *sp_field, code_length, t);
211 success = true;
212 } catch(const Invalid_State&) {}
213 } while(!success);
214
215 std::vector<polyn_gf2m> sqrtmod = polyn_gf2m::sqrt_mod_init(g);
216 std::vector<polyn_gf2m> F = syndrome_init(g, L, static_cast<int>(code_length));
217
218 // Each F[i] is the (precomputed) syndrome of the error vector with
219 // a single '1' in i-th position.
220 // We do not store the F[i] as polynomials of degree t , but
221 // as binary vectors of length ext_deg * t (this will
222 // speed up the syndrome computation)
223 //
224 const size_t co32 = bit_size_to_32bit_size(codimension);
225 std::vector<uint32_t> H(co32 * code_length);
226 uint32_t* sk = H.data();
227 for(size_t i = 0; i < code_length; ++i) {
228 for(size_t l = 0; l < t; ++l) {
229 const size_t k = (l * ext_deg) / 32;
230 const size_t j = (l * ext_deg) % 32;
231 sk[k] ^= static_cast<uint32_t>(F[i].get_coef(l)) << j;
232 if(j + ext_deg > 32) {
233 if(j > 0) {
234 sk[k + 1] ^= F[i].get_coef(l) >> (32 - j);
235 }
236 }
237 }
238 sk += co32;
239 }
240
241 // We need the support L for decoding (decryption). In fact the
242 // inverse is needed
243
244 std::vector<gf2m> Linv(code_length);
245 for(size_t i = 0; i != Linv.size(); ++i) {
246 Linv[L[i]] = static_cast<gf2m>(i);
247 }
248 std::vector<uint8_t> pubmat(R->elem().size() * 4);
249 for(size_t i = 0; i < R->elem().size(); i++) {
250 store_le(R->elem()[i], &pubmat[i * 4]);
251 }
252
253 return McEliece_PrivateKey(g, H, sqrtmod, Linv, pubmat);
254}
static std::vector< polyn_gf2m > sqrt_mod_init(const polyn_gf2m &g)
std::vector< polyn_gf2m > syndrome_init(const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
size_t bit_size_to_32bit_size(size_t bit_size)

References bit_size_to_32bit_size(), Botan::polyn_gf2m::sqrt_mod_init(), store_le(), and syndrome_init().

Referenced by Botan::McEliece_PrivateKey::McEliece_PrivateKey().

◆ generate_passhash9()

std::string Botan::generate_passhash9 ( std::string_view password,
RandomNumberGenerator & rng,
uint16_t work_factor = 15,
uint8_t alg_id = 4 )

Create a password hash using PBKDF2

Functions much like generate_bcrypt(). The last parameter, alg_id, specifies which PRF to use. Currently defined values are:

  • 0: HMAC(SHA-1)
  • 1: HMAC(SHA-256)
  • 2: CMAC(Blowfish)
  • 3: HMAC(SHA-384)
  • 4: HMAC(SHA-512)

The work_factor must be greater than zero and less than 512. This performs 10000 * work_factor PBKDF2 iterations, using 96 bits of salt taken from rng. Using work factor of 10 or more is recommended.

Parameters
passwordthe password
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
alg_idspecifies which PRF to use with PBKDF2 0 is HMAC(SHA-1) 1 is HMAC(SHA-256) 2 is CMAC(Blowfish) 3 is HMAC(SHA-384) 4 is HMAC(SHA-512) all other values are currently undefined

Definition at line 46 of file passhash9.cpp.

49 {
50 BOTAN_ARG_CHECK(work_factor > 0 && work_factor < 512, "Invalid Passhash9 work factor");
51
52 auto prf = get_pbkdf_prf(alg_id);
53
54 if(!prf) {
55 throw Invalid_Argument("Passhash9: Algorithm id " + std::to_string(alg_id) + " is not defined");
56 }
57
58 PKCS5_PBKDF2 kdf(std::move(prf));
59
60 secure_vector<uint8_t> salt(SALT_BYTES);
61 rng.randomize(salt.data(), salt.size());
62
63 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
64
66 blob.push_back(alg_id);
67 blob.push_back(get_byte<0>(work_factor));
68 blob.push_back(get_byte<1>(work_factor));
69 blob += salt;
70 blob += kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, salt.data(), salt.size(), kdf_iterations).bits_of();
71
72 return MAGIC_PREFIX + base64_encode(blob);
73}
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79

References base64_encode(), Botan::OctetString::bits_of(), BOTAN_ARG_CHECK, Botan::PBKDF::derive_key(), get_byte(), and Botan::RandomNumberGenerator::randomize().

◆ generate_rfc6979_nonce()

BigInt Botan::generate_rfc6979_nonce ( const BigInt & x,
const BigInt & q,
const BigInt & h,
std::string_view hash )
inline
Parameters
xthe secret (EC)DSA key
qthe group order
hthe message hash already reduced mod q
hashthe hash function used to generate h

Definition at line 52 of file rfc6979.h.

52 {
53 RFC6979_Nonce_Generator gen(hash, q.bits(), x);
54 return gen.nonce_for(q, h);
55}

References Botan::BigInt::bits(), and Botan::RFC6979_Nonce_Generator::nonce_for().

◆ generate_rsa_prime()

BigInt Botan::generate_rsa_prime ( RandomNumberGenerator & keygen_rng,
RandomNumberGenerator & prime_test_rng,
size_t bits,
const BigInt & coprime,
size_t prob = 128 )

Generate a prime suitable for RSA p/q

Parameters
keygen_rnga random number generator
prime_test_rnga random number generator
bitshow large the resulting prime should be in bits (must be >= 512)
coprimea positive integer that (prime - 1) should be coprime to
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 211 of file make_prm.cpp.

215 {
216 if(bits < 512) {
217 throw Invalid_Argument("generate_rsa_prime bits too small");
218 }
219
220 /*
221 * The restriction on coprime <= 64 bits is arbitrary but generally speaking
222 * very large RSA public exponents are a bad idea both for performance and due
223 * to attacks on small d.
224 */
225 if(coprime <= 1 || coprime.is_even() || coprime.bits() > 64) {
226 throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");
227 }
228
229 const size_t MAX_ATTEMPTS = 32 * 1024;
230
231 const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
232
233 while(true) {
234 BigInt p(keygen_rng, bits);
235
236 /*
237 Force high two bits so multiplication always results in expected n bit integer
238
239 Force the two low bits, and step by 4, so the generated prime is always == 3 (mod 4).
240 This way when we perform the inversion modulo phi(n) it is always of the form 2*o
241 with o odd, which allows a fastpath and avoids leaking any information about the
242 structure of the prime.
243 */
244 p.set_bit(bits - 1);
245 p.set_bit(bits - 2);
246 p.set_bit(1);
247 p.set_bit(0);
248
249 const word step = 4;
250
251 Prime_Sieve sieve(p, bits, step, false);
252
253 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
254 p += step;
255
256 if(!sieve.next()) {
257 continue;
258 }
259
260 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
261
263
264 /*
265 * Do a single primality test first before checking coprimality, since
266 * currently a single Miller-Rabin test is faster than computing gcd,
267 * and this eliminates almost all wasted gcd computations.
268 */
269 if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, 1) == false) {
270 continue;
271 }
272
273 /*
274 * Check if p - 1 and coprime are relatively prime.
275 */
276 if(gcd(p - 1, coprime) > 1) {
277 continue;
278 }
279
280 if(p.bits() > bits) {
281 break;
282 }
283
284 if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, mr_trials) == true) {
285 return p;
286 }
287 }
288 }
289}
static Barrett_Reduction for_secret_modulus(const BigInt &m)
Definition barrett.cpp:22
bool is_even() const
Definition bigint.h:439
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)
bool is_miller_rabin_probable_prime(const BigInt &n, const Barrett_Reduction &mod_n, RandomNumberGenerator &rng, size_t test_iterations)

References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::Barrett_Reduction::for_secret_modulus(), gcd(), Botan::BigInt::is_even(), is_miller_rabin_probable_prime(), miller_rabin_test_iterations(), and Botan::BigInt::set_bit().

Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ get_aead()

AEAD_Mode * Botan::get_aead ( std::string_view name,
Cipher_Dir direction )
inline

Get an AEAD mode by name (eg "AES-128/GCM" or "Serpent/EAX")

Parameters
nameAEAD name
directionCipher_Dir::Encryption or Cipher_Dir::Decryption

Definition at line 140 of file aead.h.

140 {
141 return AEAD_Mode::create(name, direction, "").release();
142}
static std::unique_ptr< AEAD_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
Definition aead.cpp:54

References Botan::AEAD_Mode::create(), and get_aead().

Referenced by get_aead().

◆ get_byte()

◆ get_byte_var()

template<typename T>
uint8_t Botan::get_byte_var ( size_t byte_num,
T input )
inlineconstexpr

Byte extraction

Parameters
byte_numwhich byte to extract, 0 == highest byte
inputthe value to extract from
Returns
byte byte_num of input

Definition at line 69 of file loadstor.h.

69 {
70 return static_cast<uint8_t>(input >> (((~byte_num) & (sizeof(T) - 1)) << 3));
71}

Referenced by Botan::TLS::append_tls_length_value(), Botan::BigInt::binary_encode(), Botan::BigInt::byte_at(), copy_out_be(), copy_out_le(), Botan::CCM_Mode::encode_length(), Botan::TLS::Certificate_12::serialize(), and Botan::TLS::Certificate_Status::serialize().

◆ get_cipher() [1/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters. No key will be set in the filter.

Parameters
algo_specthe name of the desired cipher
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 201 of file filters.h.

201 {
202 auto c = Cipher_Mode::create_or_throw(algo_spec, direction);
203 return new Cipher_Mode_Filter(c.release());
204}
static std::unique_ptr< Cipher_Mode > create_or_throw(std::string_view algo, Cipher_Dir direction, std::string_view provider="")

References Botan::Cipher_Mode::create_or_throw().

Referenced by get_cipher(), and get_cipher().

◆ get_cipher() [2/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
const SymmetricKey & key,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 215 of file filters.h.

215 {
216 Keyed_Filter* cipher = get_cipher(algo_spec, direction);
217 cipher->set_key(key);
218 return cipher;
219}
virtual void set_key(const SymmetricKey &key)=0
Keyed_Filter * get_cipher(std::string_view algo_spec, Cipher_Dir direction)
Definition filters.h:201

References get_cipher(), and Botan::Keyed_Filter::set_key().

◆ get_cipher() [3/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
const SymmetricKey & key,
const InitializationVector & iv,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
ivthe initialization vector to be used
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to newly allocated encryption or decryption filter

Definition at line 231 of file filters.h.

234 {
235 Keyed_Filter* cipher = get_cipher(algo_spec, key, direction);
236 if(iv.length()) {
237 cipher->set_iv(iv);
238 }
239 return cipher;
240}
virtual void set_iv(const InitializationVector &iv)
Definition filters.h:129
size_t length() const
Definition symkey.h:27

References get_cipher(), Botan::OctetString::length(), and Botan::Keyed_Filter::set_iv().

◆ get_cipher_mode()

Cipher_Mode * Botan::get_cipher_mode ( std::string_view algo_spec,
Cipher_Dir direction,
std::string_view provider = "" )
inline

Get a cipher mode by name (eg "AES-128/CBC" or "Serpent/XTS")

Parameters
algo_speccipher name
directionCipher_Dir::Encryption or Cipher_Dir::Decryption
providerprovider implementation to choose

Definition at line 284 of file cipher_mode.h.

284 {
285 return Cipher_Mode::create(algo_spec, direction, provider).release();
286}
static std::unique_ptr< Cipher_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")

References Botan::Cipher_Mode::create(), and get_cipher_mode().

Referenced by get_cipher_mode().

◆ get_files_recursive()

BOTAN_TEST_API std::vector< std::string > Botan::get_files_recursive ( std::string_view dir)

Definition at line 123 of file filesystem.cpp.

123 {
124 std::vector<std::string> files;
125
126#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
127 files = impl_readdir(dir);
128#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
129 files = impl_win32(dir);
130#else
131 BOTAN_UNUSED(dir);
132 throw No_Filesystem_Access();
133#endif
134
135 std::sort(files.begin(), files.end());
136
137 return files;
138}

References BOTAN_UNUSED.

◆ get_kdf()

KDF * Botan::get_kdf ( std::string_view algo_spec)
inline

Factory method for KDF (key derivation function)

Parameters
algo_specthe name of the KDF to create
Returns
pointer to newly allocated object of that type

Prefer KDF::create

Definition at line 276 of file kdf.h.

276 {
277 if(algo_spec == "Raw") {
278 return nullptr;
279 }
280
281 return KDF::create_or_throw(algo_spec).release();
282}
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition kdf.cpp:203

References Botan::KDF::create_or_throw(), and get_kdf().

Referenced by get_kdf().

◆ get_pbkdf()

PBKDF * Botan::get_pbkdf ( std::string_view algo_spec,
std::string_view provider = "" )
inline

Password based key derivation function factory method

Parameters
algo_specthe name of the desired PBKDF algorithm
providerthe provider to use
Returns
pointer to newly allocated object of that type

Definition at line 244 of file pbkdf.h.

244 {
245 return PBKDF::create_or_throw(algo_spec, provider).release();
246}
static std::unique_ptr< PBKDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition pbkdf.cpp:57

References Botan::PBKDF::create_or_throw(), and get_pbkdf().

Referenced by get_pbkdf().

◆ get_s2k()

PBKDF * Botan::get_s2k ( std::string_view algo_spec)
inline

Definition at line 248 of file pbkdf.h.

248 {
249 return PBKDF::create_or_throw(algo_spec).release();
250}

References Botan::PBKDF::create_or_throw(), and get_s2k().

Referenced by get_s2k().

◆ get_uint32()

template<WordType W>
uint32_t Botan::get_uint32 ( const W xw[],
size_t i )
constexpr

Definition at line 33 of file pcurves_solinas.h.

33 {
34 static_assert(WordInfo<W>::bits == 32 || WordInfo<W>::bits == 64);
35
36 if constexpr(WordInfo<W>::bits == 32) {
37 return xw[i];
38 } else {
39 return static_cast<uint32_t>(xw[i / 2] >> ((i % 2) * 32));
40 }
41}

◆ gf2p8affine()

template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 Botan::gf2p8affine ( const SIMD_8x32 & x)

Definition at line 52 of file simd_avx2_gfni.h.

52 {
53 return SIMD_8x32(_mm256_gf2p8affine_epi64_epi8(x.raw(), _mm256_set1_epi64x(A), B));
54}
__m256i BOTAN_FN_ISA_AVX2 raw() const noexcept
Definition simd_avx2.h:314

References BOTAN_FORCE_INLINE, and Botan::SIMD_8x32::raw().

◆ gf2p8affineinv()

template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 Botan::gf2p8affineinv ( const SIMD_8x32 & x)

Definition at line 57 of file simd_avx2_gfni.h.

57 {
58 return SIMD_8x32(_mm256_gf2p8affineinv_epi64_epi8(x.raw(), _mm256_set1_epi64x(A), B));
59}

References BOTAN_FORCE_INLINE, and Botan::SIMD_8x32::raw().

◆ gf2p8mul()

BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 Botan::gf2p8mul ( const SIMD_8x32 & a,
const SIMD_8x32 & b )

Definition at line 61 of file simd_avx2_gfni.h.

61 {
62 return SIMD_8x32(_mm256_gf2p8mul_epi8(a.raw(), b.raw()));
63}

References BOTAN_FORCE_INLINE, and Botan::SIMD_8x32::raw().

◆ gfni_matrix()

uint64_t Botan::gfni_matrix ( std::string_view s)
consteval

Definition at line 19 of file simd_avx2_gfni.h.

19 {
20 uint64_t matrix = 0;
21 size_t bit_cnt = 0;
22 uint8_t row = 0;
23
24 for(char c : s) {
25 if(c == ' ' || c == '\n') {
26 continue;
27 }
28 if(c != '0' && c != '1') {
29 throw std::runtime_error("gfni_matrix: invalid bit value");
30 }
31
32 if(c == '1') {
33 row |= 0x80 >> (7 - bit_cnt % 8);
34 }
35 bit_cnt++;
36
37 if(bit_cnt % 8 == 0) {
38 matrix <<= 8;
39 matrix |= row;
40 row = 0;
41 }
42 }
43
44 if(bit_cnt != 64) {
45 throw std::runtime_error("gfni_matrix: invalid bit count");
46 }
47
48 return matrix;
49}

◆ gray_to_lex()

gf2m Botan::gray_to_lex ( gf2m gray)
inline

Definition at line 30 of file code_based_util.h.

30 {
31 gf2m result = gray ^ (gray >> 8);
32 result ^= (result >> 4);
33 result ^= (result >> 2);
34 result ^= (result >> 1);
35 return result;
36}

◆ has_filesystem_impl()

BOTAN_TEST_API bool Botan::has_filesystem_impl ( )

Definition at line 113 of file filesystem.cpp.

113 {
114#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
115 return true;
116#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
117 return true;
118#else
119 return false;
120#endif
121}

◆ hex_decode() [1/6]

std::vector< uint8_t > Botan::hex_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 149 of file hex.cpp.

149 {
150 std::vector<uint8_t> bin(1 + input_length / 2);
151
152 size_t written = hex_decode(bin.data(), input, input_length, ignore_ws);
153
154 bin.resize(written);
155 return bin;
156}
size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
Definition hex.cpp:73

References hex_decode().

◆ hex_decode() [2/6]

size_t Botan::hex_decode ( std::span< uint8_t > output,
std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputa contiguous byte buffer of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 132 of file hex.cpp.

132 {
133 return hex_decode(output.data(), input.data(), input.length(), ignore_ws);
134}

References hex_decode().

◆ hex_decode() [3/6]

std::vector< uint8_t > Botan::hex_decode ( std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 158 of file hex.cpp.

158 {
159 return hex_decode(input.data(), input.size(), ignore_ws);
160}

References hex_decode().

◆ hex_decode() [4/6]

size_t Botan::hex_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 117 of file hex.cpp.

117 {
118 size_t consumed = 0;
119 size_t written = hex_decode(output, input, input_length, consumed, ignore_ws);
120
121 if(consumed != input_length) {
122 throw Invalid_Argument("hex_decode: input did not have full bytes");
123 }
124
125 return written;
126}

References hex_decode().

◆ hex_decode() [5/6]

size_t Botan::hex_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 73 of file hex.cpp.

73 {
74 uint8_t* out_ptr = output;
75 bool top_nibble = true;
76
77 clear_mem(output, input_length / 2);
78
79 for(size_t i = 0; i != input_length; ++i) {
80 const uint8_t bin = hex_char_to_bin(input[i]);
81
82 if(bin >= 0x10) {
83 if(bin == 0x80 && ignore_ws) {
84 continue;
85 }
86
87 throw Invalid_Argument(fmt("hex_decode: invalid character '{}'", format_char_for_display(input[i])));
88 }
89
90 if(top_nibble) {
91 *out_ptr |= bin << 4;
92 } else {
93 *out_ptr |= bin;
94 }
95
96 top_nibble = !top_nibble;
97 if(top_nibble) {
98 ++out_ptr;
99 }
100 }
101
102 input_consumed = input_length;
103 size_t written = (out_ptr - output);
104
105 /*
106 * We only got half of a uint8_t at the end; zap the half-written
107 * output and mark it as unread
108 */
109 if(!top_nibble) {
110 *out_ptr = 0;
111 input_consumed -= 1;
112 }
113
114 return written;
115}
std::string format_char_for_display(char c)
Definition charset.cpp:98

References clear_mem(), fmt(), format_char_for_display(), and out_ptr().

Referenced by botan_hex_decode(), Botan::Hex_Decoder::end_msg(), Botan::TLS::Session_Manager_SQL::find_some(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode_locked(), Botan::OctetString::OctetString(), Botan::UUID::UUID(), and Botan::Hex_Decoder::write().

◆ hex_decode() [6/6]

size_t Botan::hex_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 128 of file hex.cpp.

128 {
129 return hex_decode(output, input.data(), input.length(), ignore_ws);
130}

References hex_decode().

◆ hex_decode_locked() [1/2]

secure_vector< uint8_t > Botan::hex_decode_locked ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 136 of file hex.cpp.

136 {
137 secure_vector<uint8_t> bin(1 + input_length / 2);
138
139 size_t written = hex_decode(bin.data(), input, input_length, ignore_ws);
140
141 bin.resize(written);
142 return bin;
143}

References hex_decode().

Referenced by Botan::BigInt::decode(), hex_decode_locked(), and Botan::RTSS_Share::RTSS_Share().

◆ hex_decode_locked() [2/2]

secure_vector< uint8_t > Botan::hex_decode_locked ( std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 145 of file hex.cpp.

145 {
146 return hex_decode_locked(input.data(), input.size(), ignore_ws);
147}
secure_vector< uint8_t > hex_decode_locked(const char input[], size_t input_length, bool ignore_ws)
Definition hex.cpp:136

References hex_decode_locked().

◆ hex_encode() [1/3]

void Botan::hex_encode ( char output[],
const uint8_t input[],
size_t input_length,
bool uppercase = true )

Perform hex encoding

Parameters
outputan array of at least input_length*2 bytes
inputis some binary data
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?

Definition at line 35 of file hex.cpp.

35 {
36 for(size_t i = 0; i != input_length; ++i) {
37 const uint16_t h = hex_encode_2nibble(input[i], uppercase);
38 output[2 * i] = get_byte<0>(h);
39 output[2 * i + 1] = get_byte<1>(h);
40 }
41}

References get_byte().

Referenced by botan_hex_encode(), create_hex_fingerprint(), hex_encode(), hex_encode(), Botan::TLS::Session_Manager_SQL::remove(), Botan::TLS::Session_Manager_SQL::retrieve_one(), Botan::TLS::Session_Manager_SQL::store(), Botan::BigInt::to_hex_string(), Botan::OctetString::to_string(), Botan::RTSS_Share::to_string(), Botan::UUID::to_string(), Botan::X509_Certificate::to_string(), Botan::HTTP::url_encode(), and Botan::UUID::UUID().

◆ hex_encode() [2/3]

std::string Botan::hex_encode ( const uint8_t input[],
size_t input_length,
bool uppercase = true )

Perform hex encoding

Parameters
inputsome input
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 43 of file hex.cpp.

43 {
44 std::string output(2 * input_length, 0);
45
46 if(input_length) {
47 hex_encode(&output.front(), input, input_length, uppercase);
48 }
49
50 return output;
51}

References hex_encode().

◆ hex_encode() [3/3]

std::string Botan::hex_encode ( std::span< const uint8_t > input,
bool uppercase = true )
inline

Perform hex encoding

Parameters
inputsome input
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 43 of file hex.h.

43 {
44 return hex_encode(input.data(), input.size(), uppercase);
45}

References hex_encode().

◆ hex_to_words()

template<WordType W, size_t N>
auto Botan::hex_to_words ( const char(&) s[N])
constexpr

Definition at line 824 of file mp_core.h.

824 {
825 // Char count includes null terminator which we ignore
826 const constexpr size_t C = N - 1;
827
828 // Number of nibbles that a word can hold
829 const constexpr size_t NPW = (WordInfo<W>::bits / 4);
830
831 // Round up to the next number of words that will fit the input
832 const constexpr size_t S = (C + NPW - 1) / NPW;
833
834 auto hex2int = [](char c) -> int8_t {
835 if(c >= '0' && c <= '9') {
836 return static_cast<int8_t>(c - '0');
837 } else if(c >= 'a' && c <= 'f') {
838 return static_cast<int8_t>(c - 'a' + 10);
839 } else if(c >= 'A' && c <= 'F') {
840 return static_cast<int8_t>(c - 'A' + 10);
841 } else {
842 return -1;
843 }
844 };
845
846 std::array<W, S> r = {0};
847
848 for(size_t i = 0; i != C; ++i) {
849 const int8_t c = hex2int(s[i]);
850 if(c >= 0) {
851 shift_left<4>(r);
852 r[0] += c;
853 }
854 }
855
856 return r;
857}
constexpr W shift_left(std::array< W, N > &x)
Definition mp_core.h:795

References shift_left().

◆ high_bit()

template<typename T>
requires (std::is_unsigned<T>::value)
size_t Botan::high_bit ( T n)
inlineconstexpr

Return the index of the highest set bit T is an unsigned integer type

Parameters
nan integer value
Returns
index of the highest set bit in n

Definition at line 61 of file bit_ops.h.

63{
64 size_t hb = 0;
65
66 for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) {
67 const size_t z = s * ((~ct_is_zero(n >> s)) & 1);
68 hb += z;
69 n >>= z;
70 }
71
72 hb += n;
73
74 return hb;
75}

References ct_is_zero().

Referenced by Botan::OID::encode_into(), floor_log2(), random_prime(), and Botan::BigInt::top_bits_free().

◆ hkdf_expand_label()

secure_vector< uint8_t > BOTAN_TEST_API Botan::hkdf_expand_label ( std::string_view hash_fn,
std::span< const uint8_t > secret,
std::string_view label,
std::span< const uint8_t > hash_val,
size_t length )

HKDF-Expand-Label from TLS 1.3/QUIC

Parameters
hash_fnthe hash to use
secretthe secret bits
labelthe full label (no "TLS 1.3, " or "tls13 " prefix is applied)
hash_valthe previous hash value (used for chaining, may be empty)
lengththe desired output length

Definition at line 118 of file hkdf.cpp.

122 {
123 BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
124 BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
125 BOTAN_ARG_CHECK(hash_val.size() <= 0xFF, "HKDF-Expand-Label hash too long");
126
128
129 const auto prefix = concat<std::vector<uint8_t>>(store_be(static_cast<uint16_t>(length)),
130 store_be(static_cast<uint8_t>(label.size())),
131 std::span{cast_char_ptr_to_uint8(label.data()), label.size()},
132 store_be(static_cast<uint8_t>(hash_val.size())));
133
134 /*
135 * We do something a little dirty here to avoid copying the hash_val,
136 * making use of the fact that Botan's KDF interface supports label+salt,
137 * and knowing that our HKDF hashes first param label then param salt.
138 */
139 return hkdf.derive_key(length, secret, hash_val, prefix);
140}
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:264
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745

References BOTAN_ARG_CHECK, cast_char_ptr_to_uint8(), concat(), Botan::MessageAuthenticationCode::create_or_throw(), Botan::KDF::derive_key(), fmt(), and store_be().

◆ holds_any_of()

template<typename... Alts, typename... Ts>
bool Botan::holds_any_of ( const std::variant< Ts... > & v)
constexprnoexcept

Definition at line 294 of file stl_util.h.

294 {
295 return (std::holds_alternative<Alts>(v) || ...);
296}

Referenced by Botan::TLS::Channel_Impl_13::from_peer().

◆ host_wildcard_match()

BOTAN_TEST_API bool Botan::host_wildcard_match ( std::string_view wildcard,
std::string_view host )

Check if the given hostname is a match for the specified wildcard

Definition at line 252 of file parsing.cpp.

252 {
253 const std::string issued = tolower_string(issued_);
254 const std::string host = tolower_string(host_);
255
256 if(host.empty() || issued.empty()) {
257 return false;
258 }
259
260 /*
261 If there are embedded nulls in your issued name
262 Well I feel bad for you son
263 */
264 if(std::count(issued.begin(), issued.end(), char(0)) > 0) {
265 return false;
266 }
267
268 // If more than one wildcard, then issued name is invalid
269 const size_t stars = std::count(issued.begin(), issued.end(), '*');
270 if(stars > 1) {
271 return false;
272 }
273
274 // '*' is not a valid character in DNS names so should not appear on the host side
275 if(std::count(host.begin(), host.end(), '*') != 0) {
276 return false;
277 }
278
279 // Similarly a DNS name can't end in .
280 if(host[host.size() - 1] == '.') {
281 return false;
282 }
283
284 // And a host can't have an empty name component, so reject that
285 if(host.find("..") != std::string::npos) {
286 return false;
287 }
288
289 // Exact match: accept
290 if(issued == host) {
291 return true;
292 }
293
294 /*
295 Otherwise it might be a wildcard
296
297 If the issued size is strictly longer than the hostname size it
298 couldn't possibly be a match, even if the issued value is a
299 wildcard. The only exception is when the wildcard ends up empty
300 (eg www.example.com matches www*.example.com)
301 */
302 if(issued.size() > host.size() + 1) {
303 return false;
304 }
305
306 // If no * at all then not a wildcard, and so not a match
307 if(stars != 1) {
308 return false;
309 }
310
311 /*
312 Now walk through the issued string, making sure every character
313 matches. When we come to the (singular) '*', jump forward in the
314 hostname by the corresponding amount. We know exactly how much
315 space the wildcard takes because it must be exactly `len(host) -
316 len(issued) + 1 chars`.
317
318 We also verify that the '*' comes in the leftmost component, and
319 doesn't skip over any '.' in the hostname.
320 */
321 size_t dots_seen = 0;
322 size_t host_idx = 0;
323
324 for(size_t i = 0; i != issued.size(); ++i) {
325 dots_seen += (issued[i] == '.');
326
327 if(issued[i] == '*') {
328 // Fail: wildcard can only come in leftmost component
329 if(dots_seen > 0) {
330 return false;
331 }
332
333 /*
334 Since there is only one * we know the tail of the issued and
335 hostname must be an exact match. In this case advance host_idx
336 to match.
337 */
338 const size_t advance = (host.size() - issued.size() + 1);
339
340 if(host_idx + advance > host.size()) { // shouldn't happen
341 return false;
342 }
343
344 // Can't be any intervening .s that we would have skipped
345 if(std::count(host.begin() + host_idx, host.begin() + host_idx + advance, '.') != 0) {
346 return false;
347 }
348
349 host_idx += advance;
350 } else {
351 if(issued[i] != host[host_idx]) {
352 return false;
353 }
354
355 host_idx += 1;
356 }
357 }
358
359 // Wildcard issued name must have at least 3 components
360 if(dots_seen < 2) {
361 return false;
362 }
363
364 return true;
365}
std::string tolower_string(std::string_view in)
Definition parsing.cpp:241

References tolower_string().

Referenced by Botan::X509_Certificate::matches_dns_name().

◆ ht_sign()

void Botan::ht_sign ( StrongSpan< SphincsHypertreeSignature > out_sig,
const SphincsTreeNode & message_to_sign,
const SphincsSecretSeed & secret_seed,
XmssTreeIndexInLayer tree_index_in_layer,
TreeNodeIndex idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 12: ht_sign.

Creates a SLH-DSA XMSS hypertree signature of message_to_sign. The signature is written into the buffer defined by out_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree is used for signing.

Definition at line 21 of file sp_hypertree.cpp.

27 {
28 BOTAN_ASSERT_NOMSG(out_sig.size() == params.ht_signature_bytes());
29 BufferStuffer ht_signature(out_sig);
30
32 wots_addr.set_tree_address(tree_index_in_layer).set_keypair_address(idx_leaf);
33
35
36 SphincsTreeNode xmss_root;
37 for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {
38 // The first XMSS tree signs the message, the others their underlying XMSS tree root
39 const SphincsTreeNode& node_to_xmss_sign = (layer_idx == 0U) ? message_to_sign : xmss_root;
40
41 tree_addr.set_layer_address(layer_idx).set_tree_address(tree_index_in_layer);
42 wots_addr.copy_subtree_from(tree_addr).set_keypair_address(idx_leaf);
43
44 xmss_root = xmss_sign_and_pkgen(ht_signature.next<SphincsXmssSignature>(params.xmss_signature_bytes()),
45 node_to_xmss_sign,
46 secret_seed,
47 wots_addr,
48 tree_addr,
49 idx_leaf,
50 params,
51 hashes);
52
53 // Update the indices for the next layer.
54 idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));
55 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
56 }
57
58 BOTAN_ASSERT_NOMSG(ht_signature.full());
59}
uint32_t xmss_tree_height() const
uint32_t ht_signature_bytes() const
uint32_t xmss_signature_bytes() const
Strong< std::vector< uint8_t >, struct SphincsXmssSignature_ > SphincsXmssSignature
Definition sp_types.h:65
SphincsTreeNode xmss_sign_and_pkgen(StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 10: xmss_sign.
Definition sp_xmss.cpp:19
Strong< uint32_t, struct HypertreeLayerIndex_ > HypertreeLayerIndex
Index of a layer in the XMSS hyper-tree.
Definition sp_types.h:86

References BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferStuffer::full(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Address::set_tree_address(), Botan::StrongSpan< T >::size(), WotsHash, xmss_sign_and_pkgen(), Botan::Sphincs_Parameters::xmss_signature_bytes(), and Botan::Sphincs_Parameters::xmss_tree_height().

◆ ht_verify()

bool Botan::ht_verify ( const SphincsTreeNode & signed_msg,
StrongSpan< const SphincsHypertreeSignature > ht_sig,
const SphincsTreeNode & pk_root,
XmssTreeIndexInLayer tree_index_in_layer,
TreeNodeIndex idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 13: ht_verify.

Given a message signed_msg the SLH-DSA XMSS hypertree is reconstructed using a hypertree signature ht_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree was used for signing.

Returns
true iff the top-most reconstructed root equals pk_root

Definition at line 61 of file sp_hypertree.cpp.

67 {
68 BOTAN_ASSERT_NOMSG(ht_sig.size() == params.ht_signature_bytes());
69 BufferSlicer sig_s(ht_sig);
70
74
75 SphincsTreeNode reconstructed_root(params.n());
76
77 // Each iteration reconstructs the root of one XMSS tree of the hypertree
78 for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {
79 // The first XMSS tree signs the message, the others their underlying XMSS tree root
80 const SphincsTreeNode& current_root = (layer_idx == 0U) ? signed_msg : reconstructed_root;
81
82 tree_addr.set_layer_address(layer_idx);
83 tree_addr.set_tree_address(tree_index_in_layer);
84
85 wots_addr.copy_subtree_from(tree_addr);
86 wots_addr.set_keypair_address(idx_leaf);
87
88 wots_pk_addr.copy_keypair_from(wots_addr);
89
90 const auto wots_pk = wots_public_key_from_signature(
91 current_root, sig_s.take<WotsSignature>(params.wots_bytes()), wots_addr, params, hashes);
92
93 // Compute the leaf node using the WOTS public key.
94 const auto leaf = hashes.T<SphincsTreeNode>(wots_pk_addr, wots_pk);
95
96 // Compute the root node of this subtree.
97 compute_root(StrongSpan<SphincsTreeNode>(reconstructed_root),
98 params,
99 hashes,
100 leaf,
101 idx_leaf,
102 0,
103 sig_s.take<SphincsAuthenticationPath>(params.xmss_tree_height() * params.n()),
104 params.xmss_tree_height(),
105 tree_addr);
106
107 // Update the indices for the next layer.
108 idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));
109 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
110 }
111
112 BOTAN_ASSERT_NOMSG(sig_s.empty());
113
114 // Check if the root node equals the root node in the public key.
115 return reconstructed_root == pk_root;
116}
uint32_t wots_bytes() const
WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 8: wots_pkFromSig.
Definition sp_wots.cpp:103
Strong< secure_vector< uint8_t >, struct WotsSignature_ > WotsSignature
Definition sp_types.h:80

References BOTAN_ASSERT_NOMSG, compute_root(), Botan::Sphincs_Address::copy_keypair_from(), Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Address::set_tree_address(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::wots_bytes(), wots_public_key_from_signature(), WotsHash, WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().

◆ ieee1363_hash_id()

uint8_t Botan::ieee1363_hash_id ( std::string_view hash_name)

Return the IEEE 1363 hash identifier

Parameters
hash_namethe name of the hash function
Returns
uint8_t code identifying the hash, or 0 if not known

Definition at line 144 of file hash_id.cpp.

144 {
145 if(name == "SHA-1") {
146 return 0x33;
147 }
148
149 if(name == "SHA-224") {
150 return 0x38;
151 }
152 if(name == "SHA-256") {
153 return 0x34;
154 }
155 if(name == "SHA-384") {
156 return 0x36;
157 }
158 if(name == "SHA-512") {
159 return 0x35;
160 }
161
162 if(name == "RIPEMD-160") {
163 return 0x31;
164 }
165
166 if(name == "Whirlpool") {
167 return 0x37;
168 }
169
170 return 0;
171}

Referenced by Botan::EMSA_X931::EMSA_X931().

◆ if_work_factor()

size_t BOTAN_TEST_API Botan::if_work_factor ( size_t n_bits)

Estimate work factor for integer factorization

Parameters
n_bitssize of modulus in bits
Returns
estimated security level for this modulus

Definition at line 35 of file workfactor.cpp.

35 {
36 if(bits < 512) {
37 return 0;
38 }
39
40 // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest
41
42 const double log2_k = -5.6438; // log2(.02)
43 return nfs_workfactor(bits, log2_k);
44}

Referenced by dl_work_factor(), Botan::RSA_PublicKey::estimated_strength(), and Botan::TPM_PrivateKey::estimated_strength().

◆ ignore_param()

template<typename T>
void Botan::ignore_param ( T && )
constexpr

Mark variable as unused.

Takes any number of arguments and marks all as unused, for instance BOTAN_UNUSED(a); or BOTAN_UNUSED(x, y, z);

Definition at line 113 of file assert.h.

113{}

References ignore_param().

Referenced by ignore_param(), and ignore_params().

◆ ignore_params()

template<typename... T>
void Botan::ignore_params ( T &&... args)
constexpr

Definition at line 116 of file assert.h.

116 {
117 (ignore_param(args), ...);
118}
constexpr void ignore_param(T &&)
Definition assert.h:113

References ignore_param(), and ignore_params().

Referenced by ignore_params().

◆ index_of_first_set_byte()

template<std::unsigned_integral T>
size_t Botan::index_of_first_set_byte ( T v)
constexpr

Return the index of the first byte with the high bit set

Definition at line 130 of file int_utils.h.

130 {
131 // The constant 0x010101... as a T
132 constexpr T lo1 = (static_cast<T>(-1) / 255);
133 // The constant 0x808080... as a T
134 constexpr T hi1 = lo1 << 7;
135 // How many bits to shift in order to get the top byte
136 constexpr size_t bits = (sizeof(T) * 8) - 8;
137
138 return static_cast<size_t>((((((v & hi1) - 1) & lo1) * lo1) >> bits) - 1);
139}

◆ initialize_allocator()

void BOTAN_UNSTABLE_API Botan::initialize_allocator ( )

Ensure the allocator is initialized

Definition at line 64 of file allocator.cpp.

64 {
65#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
67#endif
68}

References Botan::mlock_allocator::instance().

Referenced by Botan::Allocator_Initializer::Allocator_Initializer().

◆ intersects()

bool Botan::intersects ( ASN1_Class x,
ASN1_Class y )
inline

Definition at line 71 of file asn1_obj.h.

71 {
72 return static_cast<uint32_t>(x) & static_cast<uint32_t>(y);
73}

◆ inverse_mod()

BigInt Botan::inverse_mod ( const BigInt & x,
const BigInt & modulus )

Modular inversion. This algorithm is const time with respect to x, as long as x is less than modulus. It also avoids leaking information about the modulus, except that it does leak which of 3 categories the modulus is in: an odd integer, a power of 2, or some other even number, and if the modulus is even, leaks the power of 2 which divides the modulus.

Parameters
xa positive integer
modulusa positive integer
Returns
y st (x*y) % modulus == 1 or 0 if no such value

Definition at line 369 of file mod_inv.cpp.

369 {
370 BOTAN_ARG_CHECK(!mod.is_zero(), "modulus cannot be zero");
371 BOTAN_ARG_CHECK(!mod.is_negative(), "modulus cannot be negative");
372 BOTAN_ARG_CHECK(!n.is_negative(), "value cannot be negative");
373
374 if(n.is_zero() || (n.is_even() && mod.is_even())) {
375 return BigInt::zero();
376 }
377
378 if(n >= mod) {
379 return inverse_mod(ct_modulo(n, mod), mod);
380 }
381
382 return inverse_mod_general(n, mod).value_or(BigInt::zero());
383}
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition divide.cpp:192
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition mod_inv.cpp:369

References BOTAN_ARG_CHECK, ct_modulo(), inverse_mod(), inverse_mod_general(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), and Botan::BigInt::zero().

Referenced by inverse_mod().

◆ inverse_mod_general()

std::optional< BigInt > BOTAN_TEST_API Botan::inverse_mod_general ( const BigInt & x,
const BigInt & m )

Compute the inverse of x modulo some integer m

Returns nullopt if no such integer exists eg if gcd(x, m) > 1

This algorithm is const time with respect to x, aside from its length. It also avoids leaking information about the modulus m, except that it does leak which of 3 categories the modulus is in:

  • An odd integer
  • A power of 2
  • Some even number not a power of 2

And if the modulus is even, it leaks the power of 2 which divides the modulus.

Parameters
xa positive integer less than m
ma positive integer

Throws Invalid_Argument if x or m are negative

Definition at line 177 of file mod_inv.cpp.

177 {
178 BOTAN_ARG_CHECK(x > 0, "x must be greater than zero");
179 BOTAN_ARG_CHECK(mod > 0, "mod must be greater than zero");
180 BOTAN_ARG_CHECK(x < mod, "x must be less than m");
181
182 // Easy case where gcd > 1 so no inverse exists
183 if(x.is_even() && mod.is_even()) {
184 return std::nullopt;
185 }
186
187 if(mod.is_odd()) {
188 BigInt z = inverse_mod_odd_modulus(x, mod);
189 if(z.is_zero()) {
190 return std::nullopt;
191 } else {
192 return z;
193 }
194 }
195
196 // If x is even and mod is even we already returned 0
197 // If x is even and mod is odd we jumped directly to odd-modulus algo
199
200 const size_t mod_lz = low_zero_bits(mod);
201 BOTAN_ASSERT_NOMSG(mod_lz > 0);
202 const size_t mod_bits = mod.bits();
203 BOTAN_ASSERT_NOMSG(mod_bits > mod_lz);
204
205 if(mod_lz == mod_bits - 1) {
206 // In this case we are performing an inversion modulo 2^k
207 auto z = inverse_mod_pow2(x, mod_lz);
208 if(z.is_zero()) {
209 return std::nullopt;
210 } else {
211 return z;
212 }
213 }
214
215 if(mod_lz == 1) {
216 /*
217 Inversion modulo 2*o is an easier special case of CRT
218
219 This is exactly the main CRT flow below but taking advantage of
220 the fact that any odd number ^-1 modulo 2 is 1. As a result both
221 inv_2k and c can be taken to be 1, m2k is 2, and h is always
222 either 0 or 1, and its value depends only on the low bit of inv_o.
223
224 This is worth special casing because we generate RSA primes such
225 that phi(n) is of this form. However this only works for keys
226 that we generated in this way; pre-existing keys will typically
227 fall back to the general algorithm below.
228 */
229
230 const BigInt o = mod >> 1;
231 const BigInt inv_o = inverse_mod_odd_modulus(ct_modulo(x, o), o);
232
233 // No modular inverse in this case:
234 if(inv_o == 0) {
235 return std::nullopt;
236 }
237
238 BigInt h = inv_o;
239 h.ct_cond_add(!inv_o.get_bit(0), o);
240 return h;
241 }
242
243 /*
244 * In this case we are performing an inversion modulo 2^k*o for
245 * some k >= 2 and some odd (not necessarily prime) integer.
246 * Compute the inversions modulo 2^k and modulo o, then combine them
247 * using CRT, which is possible because 2^k and o are relatively prime.
248 */
249
250 const BigInt o = mod >> mod_lz;
251 const BigInt inv_o = inverse_mod_odd_modulus(ct_modulo(x, o), o);
252 const BigInt inv_2k = inverse_mod_pow2(x, mod_lz);
253
254 // No modular inverse in this case:
255 if(inv_o == 0 || inv_2k == 0) {
256 return std::nullopt;
257 }
258
259 const BigInt m2k = BigInt::power_of_2(mod_lz);
260 // Compute the CRT parameter
261 const BigInt c = inverse_mod_pow2(o, mod_lz);
262
263 // This should never happen; o is odd so gcd is 1 and inverse mod 2^k exists
264 BOTAN_ASSERT_NOMSG(!c.is_zero());
265
266 // Compute h = c*(inv_2k-inv_o) mod 2^k
267 BigInt h = c * (inv_2k - inv_o);
268 const bool h_neg = h.is_negative();
269 h.set_sign(BigInt::Positive);
270 h.mask_bits(mod_lz);
271 const bool h_nonzero = h.is_nonzero();
272 h.ct_cond_assign(h_nonzero && h_neg, m2k - h);
273
274 // Return result inv_o + h * o
275 h *= o;
276 h += inv_o;
277 return h;
278}
void ct_cond_add(bool predicate, const BigInt &value)
Definition bigint.cpp:452
bool is_odd() const
Definition bigint.h:445
static BigInt power_of_2(size_t n)
Definition bigint.h:820
size_t low_zero_bits(const BigInt &n)
Definition numthry.cpp:167

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), low_zero_bits(), Botan::BigInt::mask_bits(), Botan::BigInt::Positive, Botan::BigInt::power_of_2(), and Botan::BigInt::set_sign().

Referenced by botan_mp_mod_inverse(), compute_rsa_secret_exponent(), and inverse_mod().

◆ inverse_mod_public_prime()

BigInt BOTAN_TEST_API Botan::inverse_mod_public_prime ( const BigInt & x,
const BigInt & p )

Compute the inverse of x modulo a public prime p

This algorithm is constant time with respect to x. The prime p is assumed to be public.

Parameters
xa positive integer less than p
pan odd prime
Returns
y such that (x*y) % p == 1

This always returns a result since any integer in [1,p) has an inverse modulo a prime p.

This function assumes as a precondition that p truly is prime; the results may not be correct if this does not hold.

Throws Invalid_Argument if x is less than or equal to zero, or if p is even or less than 3.

Definition at line 291 of file mod_inv.cpp.

291 {
292 return inverse_mod_secret_prime(x, p);
293}
BigInt inverse_mod_secret_prime(const BigInt &x, const BigInt &p)
Definition mod_inv.cpp:280

References inverse_mod_secret_prime().

Referenced by Botan::DL_Group::inverse_mod_p(), Botan::DL_Group::inverse_mod_q(), Botan::EC_Scalar_Data_BN::invert(), and Botan::EC_Scalar_Data_BN::invert_vartime().

◆ inverse_mod_rsa_public_modulus()

BigInt Botan::inverse_mod_rsa_public_modulus ( const BigInt & x,
const BigInt & n )

Compute the inverse of x modulo a public RSA modulus n

This algorithm is constant time with respect to x. The RSA modulus is assumed to be public.

Parameters
xa positive integer less than n
na RSA public modulus
Returns
y such that (x*y) % n == 1

This always returns a result since any integer in [1,n) has an inverse modulo a RSA public modulus n, unless you have happened to guess one of the factors at random. In the unlikely event of this occuring, Internal_Error will be thrown.

Definition at line 295 of file mod_inv.cpp.

295 {
296 BOTAN_ARG_CHECK(n.is_positive() && n.is_odd(), "RSA public modulus must be odd and positive");
297 BOTAN_ARG_CHECK(x.is_positive() && x < n, "Input must be positive and less than RSA modulus");
298 BigInt z = inverse_mod_odd_modulus(x, n);
299 BOTAN_ASSERT(!z.is_zero(), "Accidentally factored the public modulus"); // whoops
300 return z;
301}

References BOTAN_ARG_CHECK, BOTAN_ASSERT, Botan::BigInt::is_odd(), Botan::BigInt::is_positive(), and Botan::BigInt::is_zero().

◆ inverse_mod_secret_prime()

BigInt BOTAN_TEST_API Botan::inverse_mod_secret_prime ( const BigInt & x,
const BigInt & p )

Compute the inverse of x modulo a secret prime p

This algorithm is constant time with respect to x and p, aside from leaking the length of p. (In particular it should not leak the length of x, if x is shorter)

Parameters
xa positive integer less than p
pan odd prime
Returns
y such that (x*y) % p == 1

This always returns a result since any integer in [1,p) has an inverse modulo a prime p.

This function assumes as a precondition that p truly is prime; the results may not be correct if this does not hold.

Throws Invalid_Argument if x is less than or equal to zero, or if p is even or less than 3.

Definition at line 280 of file mod_inv.cpp.

280 {
281 BOTAN_ARG_CHECK(x.is_positive() && p.is_positive(), "Parameters must be positive");
282 BOTAN_ARG_CHECK(x < p, "x must be less than p");
283 BOTAN_ARG_CHECK(p.is_odd() and p > 1, "Primes are odd integers greater than 1");
284
285 // TODO possibly use FLT, or the algorithm presented for this case in
286 // Handbook of Elliptic and Hyperelliptic Curve Cryptography
287
288 return inverse_mod_odd_modulus(x, p);
289}

References BOTAN_ARG_CHECK, Botan::BigInt::is_odd(), and Botan::BigInt::is_positive().

Referenced by Botan::RSA_PrivateKey::check_key(), inverse_mod_public_prime(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ invert_field_element()

template<typename C>
auto Botan::invert_field_element ( const typename C::FieldElement & fe)
inlineconstexpr

Field inversion

Uses the specialized fe_invert2 if available, or otherwise the standard (FLT-based) field inversion.

Definition at line 34 of file pcurves_algos.h.

34 {
35 if constexpr(curve_supports_fe_invert2<C>) {
36 return C::fe_invert2(fe) * fe;
37 } else {
38 return fe.invert();
39 }
40}

Referenced by to_affine(), to_affine_batch(), and to_affine_x().

◆ ipv4_to_string()

std::string BOTAN_TEST_API Botan::ipv4_to_string ( uint32_t ip_addr)

Convert an IPv4 address to a string

Parameters
ip_addrthe IPv4 address to convert
Returns
string representation of the IPv4 address

Definition at line 225 of file parsing.cpp.

225 {
226 uint8_t bits[4];
227 store_be(ip, bits);
228
229 std::string str;
230
231 for(size_t i = 0; i != 4; ++i) {
232 if(i > 0) {
233 str += ".";
234 }
235 str += std::to_string(bits[i]);
236 }
237
238 return str;
239}

References store_be().

Referenced by Botan::AlternativeName::contents(), Botan::AlternativeName::get_attribute(), and Botan::GeneralName::name().

◆ is_bailie_psw_probable_prime()

bool BOTAN_TEST_API Botan::is_bailie_psw_probable_prime ( const BigInt & n,
const Barrett_Reduction & mod_n )

Perform Bailie-PSW primality test

This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.

Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 96 of file primality.cpp.

96 {
97 if(n == 2) {
98 return true;
99 } else if(n <= 1 || n.is_even()) {
100 return false;
101 }
102
103 auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
104 const auto base = BigInt::from_word(2);
105 return passes_miller_rabin_test(n, mod_n, monty_n, base) && is_lucas_probable_prime(n, mod_n);
106}
static BigInt from_word(word n)
Definition bigint.cpp:33
bool is_lucas_probable_prime(const BigInt &C, const Barrett_Reduction &mod_C)
Definition primality.cpp:19
bool passes_miller_rabin_test(const BigInt &n, const Barrett_Reduction &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)

References Botan::BigInt::from_word(), Botan::BigInt::is_even(), is_lucas_probable_prime(), and passes_miller_rabin_test().

Referenced by Botan::EC_Group::EC_Group(), and is_prime().

◆ is_generalizable_to() [1/2]

template<typename GeneralVariantT, typename SpecialT>
bool Botan::is_generalizable_to ( const SpecialT & )
constexprnoexcept

Definition at line 299 of file stl_util.h.

299 {
300 return std::is_constructible_v<GeneralVariantT, SpecialT>;
301}

Referenced by generalize_to(), and Botan::TLS::Handshake_State_13< Connection_Side::Client, Client_Handshake_13_Message, Server_Handshake_13_Message, Server_Post_Handshake_13_Message >::sending().

◆ is_generalizable_to() [2/2]

template<typename GeneralVariantT, typename... SpecialTs>
bool Botan::is_generalizable_to ( const std::variant< SpecialTs... > & )
constexprnoexcept

Definition at line 304 of file stl_util.h.

304 {
305 return (std::is_constructible_v<GeneralVariantT, SpecialTs> && ...);
306}

◆ is_lucas_probable_prime()

bool BOTAN_TEST_API Botan::is_lucas_probable_prime ( const BigInt & n,
const Barrett_Reduction & mod_n )

Perform Lucas primality test

See also
FIPS 186-4 C.3.3
Warning
it is possible to construct composite integers which pass this test alone.
Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 19 of file primality.cpp.

19 {
20 BOTAN_ARG_CHECK(C.is_positive(), "Argument should be a positive integer");
21
22 if(C == 2 || C == 3 || C == 5 || C == 7 || C == 11 || C == 13) {
23 return true;
24 }
25
26 if(C <= 1 || C.is_even()) {
27 return false;
28 }
29
31
32 for(;;) {
33 int32_t j = jacobi(D, C);
34 if(j == 0) {
35 return false;
36 }
37
38 if(j == -1) {
39 break;
40 }
41
42 // Check 5, -7, 9, -11, 13, -15, 17, ...
43 if(D.is_negative()) {
44 D.flip_sign();
45 D += 2;
46 } else {
47 D += 2;
48 D.flip_sign();
49 }
50
51 if(D == 17 && is_perfect_square(C).is_nonzero()) {
52 return false;
53 }
54 }
55
56 if(D.is_negative()) {
57 D += C;
58 }
59
60 const BigInt K = C + 1;
61 const size_t K_bits = K.bits() - 1;
62
63 BigInt U = BigInt::one();
64 BigInt V = BigInt::one();
65
66 BigInt Ut, Vt, U2, V2;
67
68 for(size_t i = 0; i != K_bits; ++i) {
69 const bool k_bit = K.get_bit(K_bits - 1 - i);
70
71 Ut = mod_C.multiply(U, V);
72
73 Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U)));
74 Vt.ct_cond_add(Vt.is_odd(), C);
75 Vt >>= 1;
76 Vt = mod_C.reduce(Vt);
77
78 U = Ut;
79 V = Vt;
80
81 U2 = mod_C.reduce(Ut + Vt);
82 U2.ct_cond_add(U2.is_odd(), C);
83 U2 >>= 1;
84
85 V2 = mod_C.reduce(Vt + mod_C.multiply(Ut, D));
86 V2.ct_cond_add(V2.is_odd(), C);
87 V2 >>= 1;
88
89 U.ct_cond_assign(k_bit, U2);
90 V.ct_cond_assign(k_bit, V2);
91 }
92
93 return (U == 0);
94}
static BigInt one()
Definition bigint.h:54
BigInt is_perfect_square(const BigInt &C)
Definition numthry.cpp:321
int32_t jacobi(const BigInt &a, const BigInt &n)
Definition numthry.cpp:116

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::flip_sign(), Botan::BigInt::from_word(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), is_perfect_square(), Botan::BigInt::is_positive(), jacobi(), Botan::Barrett_Reduction::multiply(), Botan::BigInt::one(), Botan::Barrett_Reduction::reduce(), and Botan::Barrett_Reduction::square().

Referenced by is_bailie_psw_probable_prime(), is_prime(), and random_prime().

◆ is_miller_rabin_probable_prime()

bool BOTAN_TEST_API Botan::is_miller_rabin_probable_prime ( const BigInt & n,
const Barrett_Reduction & mod_n,
RandomNumberGenerator & rng,
size_t t )

Perform t iterations of a Miller-Rabin primality test with random bases

Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
rnga random number generator
tnumber of tests to perform
Returns
result of primality test

Definition at line 152 of file primality.cpp.

155 {
156 if(n < 3 || n.is_even()) {
157 return false;
158 }
159
160 auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
161
162 for(size_t i = 0; i != test_iterations; ++i) {
163 const BigInt a = BigInt::random_integer(rng, BigInt::from_word(2), n);
164
165 if(!passes_miller_rabin_test(n, mod_n, monty_n, a)) {
166 return false;
167 }
168 }
169
170 // Failed to find a counterexample
171 return true;
172}
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition big_rand.cpp:43

References Botan::BigInt::from_word(), Botan::BigInt::is_even(), passes_miller_rabin_test(), and Botan::BigInt::random_integer().

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

◆ is_passhash9_alg_supported()

bool Botan::is_passhash9_alg_supported ( uint8_t alg_id)

Check if the PRF used with PBKDF2 is supported

Parameters
alg_idalg_id used in generate_passhash9()

Definition at line 128 of file passhash9.cpp.

128 {
129 if(get_pbkdf_prf(alg_id)) {
130 return true;
131 }
132 return false;
133}

◆ is_perfect_square()

BigInt Botan::is_perfect_square ( const BigInt & x)

Test if the positive integer x is a perfect square ie if there exists some positive integer y st y*y == x See FIPS 186-4 sec C.4

Returns
0 if the integer is not a perfect square, otherwise returns the positive y st y*y == x

Definition at line 321 of file numthry.cpp.

321 {
322 if(C < 1) {
323 throw Invalid_Argument("is_perfect_square requires C >= 1");
324 }
325 if(C == 1) {
326 return BigInt::one();
327 }
328
329 const size_t n = C.bits();
330 const size_t m = (n + 1) / 2;
331 const BigInt B = C + BigInt::power_of_2(m);
332
333 BigInt X = BigInt::power_of_2(m) - 1;
334 BigInt X2 = (X * X);
335
336 for(;;) {
337 X = (X2 + C) / (2 * X);
338 X2 = (X * X);
339
340 if(X2 < B) {
341 break;
342 }
343 }
344
345 if(X2 == C) {
346 return X;
347 } else {
348 return BigInt::zero();
349 }
350}

References Botan::BigInt::bits(), Botan::BigInt::one(), Botan::BigInt::power_of_2(), and Botan::BigInt::zero().

Referenced by is_lucas_probable_prime().

◆ is_power_of_2()

template<typename T>
requires (std::is_unsigned<T>::value)
bool Botan::is_power_of_2 ( T arg)
inlineconstexpr

Power of 2 test. T should be an unsigned integer type

Parameters
argan integer value
Returns
true iff arg is 2^n for some n > 0

Definition at line 48 of file bit_ops.h.

50{
51 return (arg != 0) && (arg != 1) && ((arg & static_cast<T>(arg - 1)) == 0);
52}

Referenced by operator%(), Botan::BigInt::operator%=(), Botan::BigInt::operator/=(), Botan::Scrypt::Scrypt(), and Botan::CTR_BE::seek().

◆ is_prime()

bool Botan::is_prime ( const BigInt & n,
RandomNumberGenerator & rng,
size_t prob = 64,
bool is_random = false )

Check for primality

This uses probabilistic algorithms - there is some non-zero (but very low) probability that this function will return true even if n is actually composite.

Parameters
na positive integer to test for primality
rnga random number generator
probchance of false positive is bounded by 1/2**prob
is_randomtrue if n was randomly chosen by us
Returns
true if all primality tests passed, otherwise false

Definition at line 355 of file numthry.cpp.

355 {
356 if(n == 2) {
357 return true;
358 }
359 if(n <= 1 || n.is_even()) {
360 return false;
361 }
362
363 const size_t n_bits = n.bits();
364
365 // Fast path testing for small numbers (<= 65521)
366 if(n_bits <= 16) {
367 const uint16_t num = static_cast<uint16_t>(n.word_at(0));
368
369 return std::binary_search(PRIMES, PRIMES + PRIME_TABLE_SIZE, num);
370 }
371
373
374 if(rng.is_seeded()) {
375 const size_t t = miller_rabin_test_iterations(n_bits, prob, is_random);
376
377 if(is_miller_rabin_probable_prime(n, mod_n, rng, t) == false) {
378 return false;
379 }
380
381 if(is_random) {
382 return true;
383 } else {
384 return is_lucas_probable_prime(n, mod_n);
385 }
386 } else {
387 return is_bailie_psw_probable_prime(n, mod_n);
388 }
389}
word word_at(size_t n) const
Definition bigint.h:547
virtual bool is_seeded() const =0
const uint16_t PRIMES[]
Definition primes.cpp:12
const size_t PRIME_TABLE_SIZE
Definition numthry.h:174
bool is_bailie_psw_probable_prime(const BigInt &n, const Barrett_Reduction &mod_n)
Definition primality.cpp:96

References Botan::BigInt::bits(), Botan::Barrett_Reduction::for_secret_modulus(), is_bailie_psw_probable_prime(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::RandomNumberGenerator::is_seeded(), miller_rabin_test_iterations(), PRIME_TABLE_SIZE, PRIMES, and Botan::BigInt::word_at().

Referenced by botan_mp_is_prime(), Botan::RSA_PrivateKey::check_key(), Botan::DL_Group::DL_Group(), generate_dsa_primes(), random_safe_prime(), Botan::DL_Group::verify_group(), and Botan::EC_Group::verify_group().

◆ is_sub_element_of()

std::optional< uint32_t > Botan::is_sub_element_of ( const OID & oid,
std::initializer_list< uint32_t > prefix )
inline

Definition at line 16 of file x509_utils.h.

16 {
17 const auto& c = oid.get_components();
18
19 if(c.size() != prefix.size() + 1) {
20 return {};
21 }
22
23 if(!std::equal(c.begin(), c.end() - 1, prefix.begin(), prefix.end())) {
24 return {};
25 }
26
27 return c[c.size() - 1];
28}
const std::vector< uint32_t > & get_components() const
Definition asn1_obj.h:317

References Botan::OID::get_components().

Referenced by Botan::X509_DN::lookup_ub().

◆ jacobi()

int32_t Botan::jacobi ( const BigInt & a,
const BigInt & n )

Compute the Jacobi symbol. If n is prime, this is equivalent to the Legendre symbol.

See also
http://mathworld.wolfram.com/JacobiSymbol.html
Parameters
ais a non-negative integer
nis an odd integer > 1
Returns
(n / m)

Definition at line 116 of file numthry.cpp.

116 {
117 if(n.is_even() || n < 2) {
118 throw Invalid_Argument("jacobi: second argument must be odd and > 1");
119 }
120
121 BigInt x = a % n;
122 BigInt y = n;
123 int32_t J = 1;
124
125 while(y > 1) {
126 x %= y;
127 if(x > y / 2) {
128 x = y - x;
129 if(y % 4 == 3) {
130 J = -J;
131 }
132 }
133 if(x.is_zero()) {
134 return 0;
135 }
136
137 size_t shifts = low_zero_bits(x);
138 x >>= shifts;
139 if(shifts % 2) {
140 word y_mod_8 = y % 8;
141 if(y_mod_8 == 3 || y_mod_8 == 5) {
142 J = -J;
143 }
144 }
145
146 if(x % 4 == 3 && y % 4 == 3) {
147 J = -J;
148 }
149 std::swap(x, y);
150 }
151 return J;
152}

References Botan::BigInt::is_even(), Botan::BigInt::is_zero(), and low_zero_bits().

Referenced by Botan::DL_Group::DL_Group(), is_lucas_probable_prime(), and sqrt_modulo_prime().

◆ keccak_absorb_padded_strings_encoding()

template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
size_t Botan::keccak_absorb_padded_strings_encoding ( T & sink,
size_t padding_mod,
Ts... byte_strings )

This is a combination of the functions encode_string() and bytepad() defined in NIST SP.800-185 Section 2.3. Additionally, the result is directly streamed into the provided XOF to avoid unneccessary memory allocation or a byte vector.

Parameters
sinkthe XOF or byte vector to absorb the byte_strings into
padding_modthe modulus value to create a padding for (NIST calls this 'w')
byte_stringsa variable-length list of byte strings to be encoded and absorbed into the given xof
Returns
the number of bytes absorbed into the xof

Definition at line 91 of file keccak_helpers.h.

91 {
92 BOTAN_ASSERT_NOMSG(padding_mod > 0);
93
94 // used as temporary storage for all integer encodings in this function
95 std::array<uint8_t, keccak_max_int_encoding_size()> int_encoding_buffer;
96
97 // absorbs byte strings and counts the number of absorbed bytes
98 size_t bytes_absorbed = 0;
99 auto absorb = [&](std::span<const uint8_t> bytes) {
100 if constexpr(updatable_object<T>) {
101 sink.update(bytes);
102 } else if constexpr(appendable_object<T>) {
103 sink.insert(sink.end(), bytes.begin(), bytes.end());
104 }
105 bytes_absorbed += bytes.size();
106 };
107
108 // encodes a given string and absorbs it into the XOF straight away
109 auto encode_string_and_absorb = [&](std::span<const uint8_t> bytes) {
110 absorb(keccak_int_left_encode(int_encoding_buffer, bytes.size() * 8));
111 absorb(bytes);
112 };
113
114 // absorbs as many zero-bytes as requested into the XOF
115 auto absorb_padding = [&](size_t padding_bytes) {
116 for(size_t i = 0; i < padding_bytes; ++i) {
117 const uint8_t zero_byte = 0;
118 absorb({&zero_byte, 1});
119 }
120 };
121
122 // implementation of bytepad(encode_string(Ts) || ...) that absorbs the result
123 // staight into the given xof
124 absorb(keccak_int_left_encode(int_encoding_buffer, padding_mod));
125 (encode_string_and_absorb(byte_strings), ...);
126 absorb_padding(padding_mod - (bytes_absorbed % padding_mod));
127
128 return bytes_absorbed;
129}
std::span< const uint8_t > keccak_int_left_encode(std::span< uint8_t > out, size_t x)
constexpr size_t keccak_max_int_encoding_size()

References BOTAN_ASSERT_NOMSG, keccak_absorb_padded_strings_encoding(), keccak_int_left_encode(), and keccak_max_int_encoding_size().

Referenced by keccak_absorb_padded_strings_encoding().

◆ keccak_int_encoding_size()

BOTAN_TEST_API size_t Botan::keccak_int_encoding_size ( size_t x)
Returns
the required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode() given an integer x

Definition at line 54 of file keccak_helpers.cpp.

54 {
55 return int_encoding_size(x) + 1 /* the length tag */;
56}

◆ keccak_int_left_encode()

BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_left_encode ( std::span< uint8_t > buffer,
size_t x )

Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the beginning of the string.

This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.

Parameters
bufferbuffer to write the left-encoding of x to. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.
xthe integer to be left-encoded
Returns
the byte span that represents the bytes written to buffer.

Definition at line 41 of file keccak_helpers.cpp.

41 {
42 BOTAN_ASSERT_NOMSG(!out.empty());
43 out[0] = encode(out.last(out.size() - 1), x);
44 return out.first(out[0] + 1 /* the length tag */);
45}

References BOTAN_ASSERT_NOMSG.

Referenced by keccak_absorb_padded_strings_encoding().

◆ keccak_int_right_encode()

BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_right_encode ( std::span< uint8_t > out,
size_t x )

Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the end of the string.

This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.

Parameters
outbuffer to write the right-encoding of x to. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.
xthe integer to be right-encoded
Returns
the byte span that represents the bytes written to buffer.

Definition at line 47 of file keccak_helpers.cpp.

47 {
48 const auto bytes_needed = encode(out, x);
49 BOTAN_ASSERT_NOMSG(out.size() >= bytes_needed + size_t(1));
50 out[bytes_needed] = bytes_needed;
51 return out.first(bytes_needed + 1 /* the length tag */);
52}

References BOTAN_ASSERT_NOMSG.

◆ keccak_max_int_encoding_size()

size_t Botan::keccak_max_int_encoding_size ( )
constexpr
Returns
the maximum required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode()

Definition at line 65 of file keccak_helpers.h.

65 {
66 return sizeof(size_t) + 1 /* the length tag */;
67}

Referenced by keccak_absorb_padded_strings_encoding().

◆ Keccak_Permutation_round()

void Botan::Keccak_Permutation_round ( uint64_t T[25],
const uint64_t A[25],
uint64_t RC )
inline

Definition at line 15 of file keccak_perm_round.h.

15 {
16 const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
17 const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
18 const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
19 const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
20 const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
21
22 const uint64_t D0 = rotl<1>(C0) ^ C3;
23 const uint64_t D1 = rotl<1>(C1) ^ C4;
24 const uint64_t D2 = rotl<1>(C2) ^ C0;
25 const uint64_t D3 = rotl<1>(C3) ^ C1;
26 const uint64_t D4 = rotl<1>(C4) ^ C2;
27
28 const uint64_t B00 = A[0] ^ D1;
29 const uint64_t B01 = rotl<44>(A[6] ^ D2);
30 const uint64_t B02 = rotl<43>(A[12] ^ D3);
31 const uint64_t B03 = rotl<21>(A[18] ^ D4);
32 const uint64_t B04 = rotl<14>(A[24] ^ D0);
33 T[0] = B00 ^ (~B01 & B02) ^ RC;
34 T[1] = B01 ^ (~B02 & B03);
35 T[2] = B02 ^ (~B03 & B04);
36 T[3] = B03 ^ (~B04 & B00);
37 T[4] = B04 ^ (~B00 & B01);
38
39 const uint64_t B05 = rotl<28>(A[3] ^ D4);
40 const uint64_t B06 = rotl<20>(A[9] ^ D0);
41 const uint64_t B07 = rotl<3>(A[10] ^ D1);
42 const uint64_t B08 = rotl<45>(A[16] ^ D2);
43 const uint64_t B09 = rotl<61>(A[22] ^ D3);
44 T[5] = B05 ^ (~B06 & B07);
45 T[6] = B06 ^ (~B07 & B08);
46 T[7] = B07 ^ (~B08 & B09);
47 T[8] = B08 ^ (~B09 & B05);
48 T[9] = B09 ^ (~B05 & B06);
49
50 const uint64_t B10 = rotl<1>(A[1] ^ D2);
51 const uint64_t B11 = rotl<6>(A[7] ^ D3);
52 const uint64_t B12 = rotl<25>(A[13] ^ D4);
53 const uint64_t B13 = rotl<8>(A[19] ^ D0);
54 const uint64_t B14 = rotl<18>(A[20] ^ D1);
55 T[10] = B10 ^ (~B11 & B12);
56 T[11] = B11 ^ (~B12 & B13);
57 T[12] = B12 ^ (~B13 & B14);
58 T[13] = B13 ^ (~B14 & B10);
59 T[14] = B14 ^ (~B10 & B11);
60
61 const uint64_t B15 = rotl<27>(A[4] ^ D0);
62 const uint64_t B16 = rotl<36>(A[5] ^ D1);
63 const uint64_t B17 = rotl<10>(A[11] ^ D2);
64 const uint64_t B18 = rotl<15>(A[17] ^ D3);
65 const uint64_t B19 = rotl<56>(A[23] ^ D4);
66 T[15] = B15 ^ (~B16 & B17);
67 T[16] = B16 ^ (~B17 & B18);
68 T[17] = B17 ^ (~B18 & B19);
69 T[18] = B18 ^ (~B19 & B15);
70 T[19] = B19 ^ (~B15 & B16);
71
72 const uint64_t B20 = rotl<62>(A[2] ^ D3);
73 const uint64_t B21 = rotl<55>(A[8] ^ D4);
74 const uint64_t B22 = rotl<39>(A[14] ^ D0);
75 const uint64_t B23 = rotl<41>(A[15] ^ D1);
76 const uint64_t B24 = rotl<2>(A[21] ^ D2);
77 T[20] = B20 ^ (~B21 & B22);
78 T[21] = B21 ^ (~B22 & B23);
79 T[22] = B22 ^ (~B23 & B24);
80 T[23] = B23 ^ (~B24 & B20);
81 T[24] = B24 ^ (~B20 & B21);
82}
constexpr T rotl(T input)
Definition rotate.h:21

References rotl().

◆ key_constraints_to_string()

std::string Botan::key_constraints_to_string ( Key_Constraints c)
inline

Definition at line 33 of file pkix_types.h.

33 {
34 return c.to_string();
35}
std::string to_string() const

References key_constraints_to_string().

Referenced by key_constraints_to_string().

◆ latin1_to_utf8()

BOTAN_TEST_API std::string Botan::latin1_to_utf8 ( const uint8_t chars[],
size_t len )

Definition at line 89 of file charset.cpp.

89 {
90 std::string s;
91 for(size_t i = 0; i != len; ++i) {
92 const uint32_t c = static_cast<uint8_t>(chars[i]);
93 append_utf8_for(s, c);
94 }
95 return s;
96}

Referenced by Botan::ASN1_String::decode_from().

◆ lcm()

BigInt Botan::lcm ( const BigInt & x,
const BigInt & y )

Least common multiple

Parameters
xa positive integer
ya positive integer
Returns
z, smallest integer such that z % x == 0 and z % y == 0

Definition at line 270 of file numthry.cpp.

270 {
271 if(a == b) {
272 return a;
273 }
274
275 auto ab = a * b;
276 ab.set_sign(BigInt::Positive); // ignore the signs of a & b
277 const auto g = gcd(a, b);
278 return ct_divide(ab, g);
279}

References ct_divide(), gcd(), Botan::BigInt::Positive, and Botan::BigInt::set_sign().

Referenced by Botan::Cascade_Cipher::Cascade_Cipher(), Botan::RSA_PrivateKey::check_key(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ lex_to_gray()

gf2m Botan::lex_to_gray ( gf2m lex)
inline

Definition at line 38 of file code_based_util.h.

38 {
39 return (lex >> 1) ^ lex;
40}

Referenced by syndrome_init().

◆ lmots_compute_pubkey_from_sig()

BOTAN_TEST_API LMOTS_K Botan::lmots_compute_pubkey_from_sig ( const LMOTS_Signature & sig,
const LMS_Message & msg,
const LMS_Identifier & identifier,
LMS_Tree_Node_Idx q )

Compute a public key candidate for an OTS-signature-message pair and the OTS instance parameters.

Defined in RFC 8554 4.6 - Algorithm 4b

Definition at line 327 of file lm_ots.cpp.

330 {
332
333 // Alg. 4b 3.
334
335 const auto Q_with_cksm = gen_Q_with_cksm(params, identifier, q, sig.C(), msg);
336
337 // Prefill the final hash object
338 const auto pk_hash = params.hash();
339 pk_hash->update(identifier);
340 pk_hash->update(store_be(q));
341 pk_hash->update(store_be(D_PBLC));
342
343 Chain_Generator chain_gen(identifier, q);
344 const auto hash = params.hash();
345 LMOTS_Node tmp(params.n());
346 for(uint16_t i = 0; i < params.p(); ++i) {
347 const uint8_t a = coef(Q_with_cksm, i, params);
348 chain_gen.process(*hash, i, a, params.coef_max(), sig.y(i), tmp);
349 pk_hash->update(tmp);
350 }
351 // Alg. 4b 4.
352 return pk_hash->final<LMOTS_K>();
353}
static LMOTS_Params create_or_throw(LMOTS_Algorithm_Type type)
Create the LM-OTS parameters from a known algorithm type.
Definition lm_ots.cpp:100
StrongSpan< const LMOTS_Node > y(uint16_t chain_idx) const
Returns the part of the signature for chain_idx.
Definition lm_ots.h:202
LMOTS_Algorithm_Type algorithm_type() const
Returns the LM-OTS algorithm type.
Definition lm_ots.h:192
std::span< const uint8_t > C() const
The n-byte randomizer of the signature.
Definition lm_ots.h:197
Strong< std::vector< uint8_t >, struct LMOTS_K_ > LMOTS_K
The K value from the LM-OTS public key.
Definition lm_ots.h:35
Strong< secure_vector< uint8_t >, struct LMOTS_Node_ > LMOTS_Node
One node within one LM-OTS hash chain.
Definition lm_ots.h:30

References Botan::LMOTS_Signature::algorithm_type(), Botan::LMOTS_Signature::C(), Botan::LMOTS_Params::create_or_throw(), store_be(), and Botan::LMOTS_Signature::y().

◆ load_3()

uint64_t Botan::load_3 ( const uint8_t in[3])
inline

Definition at line 19 of file ed25519_internal.h.

19 {
20 return static_cast<uint64_t>(in[0]) | (static_cast<uint64_t>(in[1]) << 8) | (static_cast<uint64_t>(in[2]) << 16);
21}

Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().

◆ load_4()

uint64_t Botan::load_4 ( const uint8_t * in)
inline

Definition at line 23 of file ed25519_internal.h.

23 {
24 return load_le<uint32_t>(in, 0);
25}

References load_le().

Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().

◆ load_be()

template<typename OutT = detail::AutoDetect, typename... ParamTs>
auto Botan::load_be ( ParamTs &&... params)
inlineconstexpr

Load "something" in big endian byte order See the documentation of this file for more details.

Definition at line 504 of file loadstor.h.

504 {
505 return detail::load_any<std::endian::big, OutT>(std::forward<ParamTs>(params)...);
506}
constexpr WrappedOutT load_any(InR &&in_range)
Definition loadstor.h:278

References Botan::detail::load_any().

Referenced by Botan::TLS::Datagram_Handshake_IO::add_record(), base58_check_decode(), check_passhash9(), Botan::SHA_256::compress_digest(), Botan::SHA_512::compress_digest(), Botan::SHA_1::compress_n(), Botan::SM3::compress_n(), Botan::Whirlpool::compress_n(), Botan::AlternativeName::decode_from(), Botan::GeneralName::decode_from(), Botan::TLS::Session::decrypt(), Botan::CryptoBox::decrypt_bin(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(), Botan::HSS_LMS_PublicKeyInternal::from_bytes_or_throw(), Botan::HSS_Signature::from_bytes_or_throw(), Botan::LMOTS_Signature::from_bytes_or_throw(), Botan::LMS_PublicKey::from_bytes_or_throw(), Botan::LMS_Signature::from_bytes_or_throw(), Botan::HOTP::generate_hotp(), Botan::TLS::TLS_Data_Reader::get_elem(), Botan::SIMD_4x32::load_be(), nist_key_unwrap(), nist_key_unwrap_padded(), Botan::TLS::Server_Hello_12::random_signals_downgrade(), Botan::TLS::Server_Hello_13::random_signals_downgrade(), Botan::CTR_BE::seek(), Botan::TLS::Session::Session(), ucs2_to_utf8(), and ucs4_to_utf8().

◆ load_le()

template<typename OutT = detail::AutoDetect, typename... ParamTs>
auto Botan::load_le ( ParamTs &&... params)
inlineconstexpr

Load "something" in little endian byte order See the documentation of this file for more details.

Definition at line 495 of file loadstor.h.

495 {
496 return detail::load_any<std::endian::little, OutT>(std::forward<ParamTs>(params)...);
497}

References Botan::detail::load_any().

Referenced by Botan::Keccak_Permutation::absorb(), Botan::Gf448Elem::bytes_are_canonical_representation(), Botan::MD4::compress_n(), Botan::MD5::compress_n(), Botan::RIPEMD_160::compress_n(), Botan::Classic_McEliece_Field_Ordering::create_field_ordering(), Botan::Sodium::crypto_core_hsalsa20(), Botan::GOST_28147_89::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::FrodoMatrix::deserialize(), ed25519_verify(), Botan::GOST_28147_89::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::Dilithium_Algos::expand_A(), Botan::Classic_McEliece_Minimal_Polynomial::from_bytes(), Botan::Gf448Elem::Gf448Elem(), load_4(), Botan::SIMD_4x32::load_le(), Botan::Kyber_Algos::load_le3(), Botan::FrodoMatrix::mul_add_as_plus_e(), Botan::FrodoMatrix::mul_add_sa_plus_e(), random_prime(), Botan::FrodoMatrix::sample(), Botan::Dilithium_Algos::sample_in_ball(), Botan::ChaCha::seek(), Botan::Salsa20::seek(), Botan::Salsa20::set_iv_bytes(), Botan::Threefish_512::set_tweak(), Botan::Sodium::sodium_free(), Botan::bitvector_base< secure_allocator >::subvector(), Botan::CRYSTALS::unpack(), and xts_update_tweak_block().

◆ load_private_key()

std::unique_ptr< Private_Key > Botan::load_private_key ( const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > key_bits )

Definition at line 283 of file pk_algs.cpp.

284 {
285 const std::string oid_str = alg_id.oid().to_formatted_string();
286 const std::vector<std::string> alg_info = split_on(oid_str, '/');
287 std::string_view alg_name = alg_info[0];
288
289#if defined(BOTAN_HAS_RSA)
290 if(alg_name == "RSA") {
291 return std::make_unique<RSA_PrivateKey>(alg_id, key_bits);
292 }
293#endif
294
295#if defined(BOTAN_HAS_X25519)
296 if(alg_name == "X25519" || alg_name == "Curve25519") {
297 return std::make_unique<X25519_PrivateKey>(alg_id, key_bits);
298 }
299#endif
300
301#if defined(BOTAN_HAS_X448)
302 if(alg_name == "X448") {
303 return std::make_unique<X448_PrivateKey>(alg_id, key_bits);
304 }
305#endif
306
307#if defined(BOTAN_HAS_ECDSA)
308 if(alg_name == "ECDSA") {
309 return std::make_unique<ECDSA_PrivateKey>(alg_id, key_bits);
310 }
311#endif
312
313#if defined(BOTAN_HAS_ECDH)
314 if(alg_name == "ECDH") {
315 return std::make_unique<ECDH_PrivateKey>(alg_id, key_bits);
316 }
317#endif
318
319#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
320 if(alg_name == "DH") {
321 return std::make_unique<DH_PrivateKey>(alg_id, key_bits);
322 }
323#endif
324
325#if defined(BOTAN_HAS_DSA)
326 if(alg_name == "DSA") {
327 return std::make_unique<DSA_PrivateKey>(alg_id, key_bits);
328 }
329#endif
330
331#if defined(BOTAN_HAS_FRODOKEM)
332 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
333 return std::make_unique<FrodoKEM_PrivateKey>(alg_id, key_bits);
334 }
335#endif
336
337#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
338 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
339 return std::make_unique<Kyber_PrivateKey>(alg_id, key_bits);
340 }
341#endif
342
343#if defined(BOTAN_HAS_ML_KEM)
344 if(alg_name.starts_with("ML-KEM-")) {
345 return std::make_unique<ML_KEM_PrivateKey>(alg_id, key_bits);
346 }
347#endif
348
349#if defined(BOTAN_HAS_MCELIECE)
350 if(alg_name == "McEliece") {
351 return std::make_unique<McEliece_PrivateKey>(key_bits);
352 }
353#endif
354
355#if defined(BOTAN_HAS_ECGDSA)
356 if(alg_name == "ECGDSA") {
357 return std::make_unique<ECGDSA_PrivateKey>(alg_id, key_bits);
358 }
359#endif
360
361#if defined(BOTAN_HAS_ECKCDSA)
362 if(alg_name == "ECKCDSA") {
363 return std::make_unique<ECKCDSA_PrivateKey>(alg_id, key_bits);
364 }
365#endif
366
367#if defined(BOTAN_HAS_ED25519)
368 if(alg_name == "Ed25519") {
369 return std::make_unique<Ed25519_PrivateKey>(alg_id, key_bits);
370 }
371#endif
372
373#if defined(BOTAN_HAS_ED448)
374 if(alg_name == "Ed448") {
375 return std::make_unique<Ed448_PrivateKey>(alg_id, key_bits);
376 }
377#endif
378
379#if defined(BOTAN_HAS_GOST_34_10_2001)
380 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
381 return std::make_unique<GOST_3410_PrivateKey>(alg_id, key_bits);
382 }
383#endif
384
385#if defined(BOTAN_HAS_SM2)
386 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
387 return std::make_unique<SM2_PrivateKey>(alg_id, key_bits);
388 }
389#endif
390
391#if defined(BOTAN_HAS_ELGAMAL)
392 if(alg_name == "ElGamal") {
393 return std::make_unique<ElGamal_PrivateKey>(alg_id, key_bits);
394 }
395#endif
396
397#if defined(BOTAN_HAS_XMSS_RFC8391)
398 if(alg_name == "XMSS") {
399 return std::make_unique<XMSS_PrivateKey>(key_bits);
400 }
401#endif
402
403#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
404 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
405 return std::make_unique<Dilithium_PrivateKey>(alg_id, key_bits);
406 }
407#endif
408
409#if defined(BOTAN_HAS_ML_DSA)
410 if(alg_name.starts_with("ML-DSA-")) {
411 return std::make_unique<ML_DSA_PrivateKey>(alg_id, key_bits);
412 }
413#endif
414
415#if defined(BOTAN_HAS_HSS_LMS)
416 if(alg_name == "HSS-LMS-Private-Key") {
417 return std::make_unique<HSS_LMS_PrivateKey>(key_bits);
418 }
419#endif
420
421#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
422 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
423 return std::make_unique<SphincsPlus_PrivateKey>(alg_id, key_bits);
424 }
425#endif
426
427#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
428 if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) {
429 return std::make_unique<SLH_DSA_PrivateKey>(alg_id, key_bits);
430 }
431#endif
432
433#if defined(BOTAN_HAS_CLASSICMCELIECE)
434 if(alg_name.starts_with("ClassicMcEliece")) {
435 return std::make_unique<Classic_McEliece_PrivateKey>(alg_id, key_bits);
436 }
437#endif
438
439 throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
440}
const OID & oid() const
Definition asn1_obj.h:472
std::string to_formatted_string() const
Definition asn1_oid.cpp:139

References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().

◆ load_public_key()

std::unique_ptr< Public_Key > Botan::load_public_key ( const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > key_bits )

Definition at line 124 of file pk_algs.cpp.

125 {
126 const std::string oid_str = alg_id.oid().to_formatted_string();
127 const std::vector<std::string> alg_info = split_on(oid_str, '/');
128 std::string_view alg_name = alg_info[0];
129
130#if defined(BOTAN_HAS_RSA)
131 if(alg_name == "RSA") {
132 return std::make_unique<RSA_PublicKey>(alg_id, key_bits);
133 }
134#endif
135
136#if defined(BOTAN_HAS_X25519)
137 if(alg_name == "X25519" || alg_name == "Curve25519") {
138 return std::make_unique<X25519_PublicKey>(alg_id, key_bits);
139 }
140#endif
141
142#if defined(BOTAN_HAS_X448)
143 if(alg_name == "X448") {
144 return std::make_unique<X448_PublicKey>(alg_id, key_bits);
145 }
146#endif
147
148#if defined(BOTAN_HAS_MCELIECE)
149 if(alg_name == "McEliece") {
150 return std::make_unique<McEliece_PublicKey>(key_bits);
151 }
152#endif
153
154#if defined(BOTAN_HAS_FRODOKEM)
155 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
156 return std::make_unique<FrodoKEM_PublicKey>(alg_id, key_bits);
157 }
158#endif
159
160#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
161 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
162 return std::make_unique<Kyber_PublicKey>(alg_id, key_bits);
163 }
164#endif
165
166#if defined(BOTAN_HAS_ML_KEM)
167 if(alg_name.starts_with("ML-KEM-")) {
168 return std::make_unique<ML_KEM_PublicKey>(alg_id, key_bits);
169 }
170#endif
171
172#if defined(BOTAN_HAS_ECDSA)
173 if(alg_name == "ECDSA") {
174 return std::make_unique<ECDSA_PublicKey>(alg_id, key_bits);
175 }
176#endif
177
178#if defined(BOTAN_HAS_ECDH)
179 if(alg_name == "ECDH") {
180 return std::make_unique<ECDH_PublicKey>(alg_id, key_bits);
181 }
182#endif
183
184#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
185 if(alg_name == "DH") {
186 return std::make_unique<DH_PublicKey>(alg_id, key_bits);
187 }
188#endif
189
190#if defined(BOTAN_HAS_DSA)
191 if(alg_name == "DSA") {
192 return std::make_unique<DSA_PublicKey>(alg_id, key_bits);
193 }
194#endif
195
196#if defined(BOTAN_HAS_ELGAMAL)
197 if(alg_name == "ElGamal") {
198 return std::make_unique<ElGamal_PublicKey>(alg_id, key_bits);
199 }
200#endif
201
202#if defined(BOTAN_HAS_ECGDSA)
203 if(alg_name == "ECGDSA") {
204 return std::make_unique<ECGDSA_PublicKey>(alg_id, key_bits);
205 }
206#endif
207
208#if defined(BOTAN_HAS_ECKCDSA)
209 if(alg_name == "ECKCDSA") {
210 return std::make_unique<ECKCDSA_PublicKey>(alg_id, key_bits);
211 }
212#endif
213
214#if defined(BOTAN_HAS_ED25519)
215 if(alg_name == "Ed25519") {
216 return std::make_unique<Ed25519_PublicKey>(alg_id, key_bits);
217 }
218#endif
219
220#if defined(BOTAN_HAS_ED448)
221 if(alg_name == "Ed448") {
222 return std::make_unique<Ed448_PublicKey>(alg_id, key_bits);
223 }
224#endif
225
226#if defined(BOTAN_HAS_GOST_34_10_2001)
227 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
228 return std::make_unique<GOST_3410_PublicKey>(alg_id, key_bits);
229 }
230#endif
231
232#if defined(BOTAN_HAS_SM2)
233 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
234 return std::make_unique<SM2_PublicKey>(alg_id, key_bits);
235 }
236#endif
237
238#if defined(BOTAN_HAS_XMSS_RFC8391)
239 if(alg_name == "XMSS") {
240 return std::make_unique<XMSS_PublicKey>(key_bits);
241 }
242#endif
243
244#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
245 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
246 return std::make_unique<Dilithium_PublicKey>(alg_id, key_bits);
247 }
248#endif
249
250#if defined(BOTAN_HAS_ML_DSA)
251 if(alg_name.starts_with("ML-DSA-")) {
252 return std::make_unique<ML_DSA_PublicKey>(alg_id, key_bits);
253 }
254#endif
255
256#if defined(BOTAN_HAS_HSS_LMS)
257 if(alg_name == "HSS-LMS") {
258 return std::make_unique<HSS_LMS_PublicKey>(key_bits);
259 }
260#endif
261
262#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
263 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
264 return std::make_unique<SphincsPlus_PublicKey>(alg_id, key_bits);
265 }
266#endif
267
268#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
269 if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) {
270 return std::make_unique<SLH_DSA_PublicKey>(alg_id, key_bits);
271 }
272#endif
273
274#if defined(BOTAN_HAS_CLASSICMCELIECE)
275 if(alg_name.starts_with("ClassicMcEliece")) {
276 return std::make_unique<Classic_McEliece_PublicKey>(alg_id, key_bits);
277 }
278#endif
279
280 throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
281}

References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().

Referenced by Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), and Botan::X509::load_key().

◆ lock()

◆ low_zero_bits()

size_t Botan::low_zero_bits ( const BigInt & x)
Parameters
xan integer
Returns
count of the low zero bits in x, or, equivalently, the largest value of n such that 2^n divides x evenly. Returns zero if x is equal to zero.

Definition at line 167 of file numthry.cpp.

167 {
168 size_t low_zero = 0;
169
170 auto seen_nonempty_word = CT::Mask<word>::cleared();
171
172 for(size_t i = 0; i != n.size(); ++i) {
173 const word x = n.word_at(i);
174
175 // ctz(0) will return sizeof(word)
176 const size_t tz_x = ctz(x);
177
178 // if x > 0 we want to count tz_x in total but not any
179 // further words, so set the mask after the addition
180 low_zero += seen_nonempty_word.if_not_set_return(tz_x);
181
182 seen_nonempty_word |= CT::Mask<word>::expand(x);
183 }
184
185 // if we saw no words with x > 0 then n == 0 and the value we have
186 // computed is meaningless. Instead return BigInt::zero() in that case.
187 return static_cast<size_t>(seen_nonempty_word.if_set_return(low_zero));
188}
static constexpr Mask< T > cleared()
Definition ct_utils.h:404
constexpr size_t ctz(T n)
Definition bit_ops.h:105

References Botan::CT::Mask< T >::cleared(), ctz(), Botan::CT::Mask< T >::expand(), Botan::BigInt::size(), and Botan::BigInt::word_at().

Referenced by inverse_mod_general(), jacobi(), passes_miller_rabin_test(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and sqrt_modulo_prime().

◆ majority()

template<typename T>
T Botan::majority ( T a,
T b,
T c )
inlineconstexpr

Definition at line 210 of file bit_ops.h.

210 {
211 /*
212 Considering each bit of a, b, c individually
213
214 If a xor b is set, then c is the deciding vote.
215
216 If a xor b is not set then either a and b are both set or both unset.
217 In either case the value of c doesn't matter, and examining b (or a)
218 allows us to determine which case we are in.
219 */
220 return choose(a ^ b, c, b);
221}
constexpr T choose(T mask, T a, T b)
Definition bit_ops.h:204

References choose().

Referenced by SHA2_32_F(), SHA2_32_F(), SHA2_64_F(), and SHA2_64_F().

◆ make_commoncrypto_block_cipher()

std::unique_ptr< BlockCipher > Botan::make_commoncrypto_block_cipher ( std::string_view name)

Definition at line 133 of file commoncrypto_block.cpp.

133 {
134 try {
136 return std::make_unique<CommonCrypto_BlockCipher>(name, opts);
137 } catch(CommonCrypto_Error& e) {
138 return nullptr;
139 }
140}

References commoncrypto_opts_from_algo_name(), and make_commoncrypto_block_cipher().

Referenced by Botan::BlockCipher::create(), and make_commoncrypto_block_cipher().

◆ make_commoncrypto_cipher_mode()

std::unique_ptr< Cipher_Mode > Botan::make_commoncrypto_cipher_mode ( std::string_view name,
Cipher_Dir direction )

Definition at line 213 of file commoncrypto_mode.cpp.

213 {
214 try {
216 return std::make_unique<CommonCrypto_Cipher_Mode>(name, direction, opts);
217 } catch(CommonCrypto_Error& e) {
218 return nullptr;
219 }
220}
CommonCryptor_Opts commoncrypto_opts_from_algo(std::string_view algo)

References commoncrypto_opts_from_algo(), and make_commoncrypto_cipher_mode().

Referenced by Botan::Cipher_Mode::create(), and make_commoncrypto_cipher_mode().

◆ make_commoncrypto_hash()

std::unique_ptr< HashFunction > Botan::make_commoncrypto_hash ( std::string_view name)

Definition at line 80 of file commoncrypto_hash.cpp.

80 {
81#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx) \
82 std::unique_ptr<HashFunction>(new CommonCrypto_HashFunction<CC_##ctx##_CTX>({std::string(name), \
83 CC_##hash##_DIGEST_LENGTH, \
84 CC_##hash##_BLOCK_BYTES, \
85 CC_##hash##_Init, \
86 CC_##hash##_Update, \
87 CC_##hash##_Final}));
88
89#define MAKE_COMMONCRYPTO_HASH_2(name, id) MAKE_COMMONCRYPTO_HASH_3(name, id, id)
90
91#define MAKE_COMMONCRYPTO_HASH_1(id) MAKE_COMMONCRYPTO_HASH_2(#id, id)
92
93#if defined(BOTAN_HAS_SHA2_32)
94 if(name == "SHA-224")
95 return MAKE_COMMONCRYPTO_HASH_3(name, SHA224, SHA256);
96 if(name == "SHA-256")
97 return MAKE_COMMONCRYPTO_HASH_2(name, SHA256);
98#endif
99#if defined(BOTAN_HAS_SHA2_64)
100 if(name == "SHA-384")
101 return MAKE_COMMONCRYPTO_HASH_3(name, SHA384, SHA512);
102 if(name == "SHA-512")
103 return MAKE_COMMONCRYPTO_HASH_2(name, SHA512);
104#endif
105
106#if defined(BOTAN_HAS_SHA1)
107 if(name == "SHA-1")
108 return MAKE_COMMONCRYPTO_HASH_2(name, SHA1);
109#endif
110
111 return nullptr;
112}
#define MAKE_COMMONCRYPTO_HASH_2(name, id)
#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx)

References MAKE_COMMONCRYPTO_HASH_2, and MAKE_COMMONCRYPTO_HASH_3.

Referenced by Botan::HashFunction::create().

◆ make_compressor()

Compression_Algorithm * Botan::make_compressor ( std::string_view type)
inline

Definition at line 154 of file compression.h.

154 {
155 return Compression_Algorithm::create(type).release();
156}
static std::unique_ptr< Compression_Algorithm > create(std::string_view algo_spec)

References Botan::Compression_Algorithm::create(), and make_compressor().

Referenced by make_compressor().

◆ make_decompressor()

Decompression_Algorithm * Botan::make_decompressor ( std::string_view type)
inline

Definition at line 160 of file compression.h.

160 {
161 return Decompression_Algorithm::create(type).release();
162}
static std::unique_ptr< Decompression_Algorithm > create(std::string_view algo_spec)

References Botan::Decompression_Algorithm::create(), and make_decompressor().

Referenced by make_decompressor().

◆ make_uint16()

uint16_t Botan::make_uint16 ( uint8_t i0,
uint8_t i1 )
inlineconstexpr

◆ make_uint32()

uint32_t Botan::make_uint32 ( uint8_t i0,
uint8_t i1,
uint8_t i2,
uint8_t i3 )
inlineconstexpr

Make a uint32_t from four bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
Returns
i0 || i1 || i2 || i3

Definition at line 104 of file loadstor.h.

104 {
105 return ((static_cast<uint32_t>(i0) << 24) | (static_cast<uint32_t>(i1) << 16) | (static_cast<uint32_t>(i2) << 8) |
106 (static_cast<uint32_t>(i3)));
107}

Referenced by Botan::TLS::Certificate_12::Certificate_12(), Botan::TLS::Certificate_Status::Certificate_Status(), Botan::TLS::Stream_Handshake_IO::get_next_record(), Botan::TLS::TLS_Data_Reader::get_uint24_t(), Botan::TLS::TLS_Data_Reader::get_uint32_t(), and Botan::SIMD_4x32::splat_u8().

◆ make_uint64()

uint64_t Botan::make_uint64 ( uint8_t i0,
uint8_t i1,
uint8_t i2,
uint8_t i3,
uint8_t i4,
uint8_t i5,
uint8_t i6,
uint8_t i7 )
inlineconstexpr

Make a uint64_t from eight bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
i4the fifth byte
i5the sixth byte
i6the seventh byte
i7the eighth byte
Returns
i0 || i1 || i2 || i3 || i4 || i5 || i6 || i7

Definition at line 121 of file loadstor.h.

122 {
123 return ((static_cast<uint64_t>(i0) << 56) | (static_cast<uint64_t>(i1) << 48) | (static_cast<uint64_t>(i2) << 40) |
124 (static_cast<uint64_t>(i3) << 32) | (static_cast<uint64_t>(i4) << 24) | (static_cast<uint64_t>(i5) << 16) |
125 (static_cast<uint64_t>(i6) << 8) | (static_cast<uint64_t>(i7)));
126}

◆ map_remove_if()

template<typename T, typename Pred>
void Botan::map_remove_if ( Pred pred,
T & assoc )

Definition at line 71 of file stl_util.h.

71 {
72 auto i = assoc.begin();
73 while(i != assoc.end()) {
74 if(pred(i->first)) {
75 assoc.erase(i++);
76 } else {
77 i++;
78 }
79 }
80}

Referenced by Botan::TLS::Channel_Impl_12::activate_session().

◆ mceliece_decrypt() [1/3]

secure_vector< uint8_t > Botan::mceliece_decrypt ( secure_vector< gf2m > & error_pos,
const uint8_t * ciphertext,
size_t ciphertext_len,
const McEliece_PrivateKey & key )

p_err_pos_len must point to the available length of error_pos on input, the function will set it to the actual number of errors returned in the error_pos array

Definition at line 148 of file goppa_code.cpp.

151 {
152 const size_t dimension = key.get_dimension();
153 const size_t codimension = key.get_codimension();
154 const uint32_t t = key.get_goppa_polyn().get_degree();
155 polyn_gf2m syndrome_polyn(key.get_goppa_polyn().get_sp_field()); // init as zero polyn
156 const unsigned unused_pt_bits = dimension % 8;
157 const uint8_t unused_pt_bits_mask = (1 << unused_pt_bits) - 1;
158
159 if(ciphertext_len != (key.get_code_length() + 7) / 8) {
160 throw Invalid_Argument("wrong size of McEliece ciphertext");
161 }
162 const size_t cleartext_len = (key.get_message_word_bit_length() + 7) / 8;
163
164 if(cleartext_len != bit_size_to_byte_size(dimension)) {
165 throw Invalid_Argument("mce-decryption: wrong length of cleartext buffer");
166 }
167
168 secure_vector<uint32_t> syndrome_vec(bit_size_to_32bit_size(codimension));
169 matrix_arr_mul(key.get_H_coeffs(),
170 key.get_code_length(),
171 bit_size_to_32bit_size(codimension),
172 ciphertext,
173 syndrome_vec.data(),
174 syndrome_vec.size());
175
176 secure_vector<uint8_t> syndrome_byte_vec(bit_size_to_byte_size(codimension));
177 const size_t syndrome_byte_vec_size = syndrome_byte_vec.size();
178 for(size_t i = 0; i < syndrome_byte_vec_size; i++) {
179 syndrome_byte_vec[i] = static_cast<uint8_t>(syndrome_vec[i / 4] >> (8 * (i % 4)));
180 }
181
182 syndrome_polyn = polyn_gf2m(
183 t - 1, syndrome_byte_vec.data(), bit_size_to_byte_size(codimension), key.get_goppa_polyn().get_sp_field());
184
185 syndrome_polyn.get_degree();
186 error_pos = goppa_decode(syndrome_polyn, key.get_goppa_polyn(), key.get_sqrtmod(), key.get_Linv());
187
188 const size_t nb_err = error_pos.size();
189
190 secure_vector<uint8_t> cleartext(cleartext_len);
191 copy_mem(cleartext.data(), ciphertext, cleartext_len);
192
193 for(size_t i = 0; i < nb_err; i++) {
194 gf2m current = error_pos[i];
195
196 if(current >= cleartext_len * 8) {
197 // an invalid position, this shouldn't happen
198 continue;
199 }
200 cleartext[current / 8] ^= (1 << (current % 8));
201 }
202
203 if(unused_pt_bits) {
204 cleartext[cleartext_len - 1] &= unused_pt_bits_mask;
205 }
206
207 return cleartext;
208}
const std::vector< polyn_gf2m > & get_sqrtmod() const
Definition mceliece.h:123
size_t get_codimension() const
Definition mceliece.h:127
size_t get_dimension() const
Definition mceliece.h:125
const polyn_gf2m & get_goppa_polyn() const
const std::vector< gf2m > & get_Linv() const
Definition mceliece.h:121
const std::vector< uint32_t > & get_H_coeffs() const
Definition mceliece.h:119
size_t get_message_word_bit_length() const
size_t get_code_length() const
Definition mceliece.h:52
int get_degree() const
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition polyn_gf2m.h:77
size_t bit_size_to_byte_size(size_t bit_size)

References bit_size_to_32bit_size(), bit_size_to_byte_size(), copy_mem(), Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PrivateKey::get_codimension(), Botan::polyn_gf2m::get_degree(), Botan::McEliece_PrivateKey::get_dimension(), Botan::McEliece_PrivateKey::get_goppa_polyn(), Botan::McEliece_PrivateKey::get_H_coeffs(), Botan::McEliece_PrivateKey::get_Linv(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::polyn_gf2m::get_sp_field(), and Botan::McEliece_PrivateKey::get_sqrtmod().

◆ mceliece_decrypt() [2/3]

void Botan::mceliece_decrypt ( secure_vector< uint8_t > & plaintext,
secure_vector< uint8_t > & error_mask,
const uint8_t ciphertext[],
size_t ciphertext_len,
const McEliece_PrivateKey & key )

Definition at line 124 of file goppa_code.cpp.

128 {
129 secure_vector<gf2m> error_pos;
130 plaintext = mceliece_decrypt(error_pos, ciphertext, ciphertext_len, key);
131
132 const size_t code_length = key.get_code_length();
133 secure_vector<uint8_t> result((code_length + 7) / 8);
134 for(auto&& pos : error_pos) {
135 if(pos > code_length) {
136 throw Invalid_Argument("error position larger than code size");
137 }
138 result[pos / 8] |= (1 << (pos % 8));
139 }
140
141 error_mask = result;
142}
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)

References Botan::McEliece_PublicKey::get_code_length(), and mceliece_decrypt().

◆ mceliece_decrypt() [3/3]

void Botan::mceliece_decrypt ( secure_vector< uint8_t > & plaintext_out,
secure_vector< uint8_t > & error_mask_out,
const secure_vector< uint8_t > & ciphertext,
const McEliece_PrivateKey & key )

Definition at line 117 of file goppa_code.cpp.

120 {
121 mceliece_decrypt(plaintext_out, error_mask_out, ciphertext.data(), ciphertext.size(), key);
122}

References mceliece_decrypt().

Referenced by Botan::McEliece_PrivateKey::check_key(), mceliece_decrypt(), and mceliece_decrypt().

◆ mceliece_encrypt()

void Botan::mceliece_encrypt ( secure_vector< uint8_t > & ciphertext_out,
secure_vector< uint8_t > & error_mask_out,
const secure_vector< uint8_t > & plaintext,
const McEliece_PublicKey & key,
RandomNumberGenerator & rng )

Definition at line 109 of file mceliece.cpp.

113 {
114 const uint16_t code_length = static_cast<uint16_t>(key.get_code_length());
115
116 secure_vector<uint8_t> error_mask = create_random_error_vector(code_length, key.get_t(), rng);
117
118 secure_vector<uint8_t> ciphertext =
119 mult_by_pubkey(plaintext, key.get_public_matrix(), key.get_code_length(), key.get_t());
120
121 ciphertext ^= error_mask;
122
123 ciphertext_out.swap(ciphertext);
124 error_mask_out.swap(error_mask);
125}
size_t get_t() const
Definition mceliece.h:50
const std::vector< uint8_t > & get_public_matrix() const
Definition mceliece.h:56

References Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PublicKey::get_public_matrix(), and Botan::McEliece_PublicKey::get_t().

Referenced by Botan::McEliece_PrivateKey::check_key().

◆ mceliece_work_factor()

size_t Botan::mceliece_work_factor ( size_t code_size,
size_t t )

Estimate work factor for McEliece

Returns
estimated security level for these key parameters

Definition at line 90 of file mce_workfactor.cpp.

90 {
91 const size_t k = n - ceil_log2(n) * t;
92
93 double min = cout_total(n, k, t, 0, 0); // correspond a p=1
94 for(size_t p = 0; p != t / 2; ++p) {
95 double lwf = best_wf(n, k + 1, t, p);
96 if(lwf < 0) {
97 break;
98 }
99
100 min = std::min(min, lwf);
101 }
102
103 return static_cast<size_t>(min);
104}

References ceil_log2().

Referenced by Botan::McEliece_PublicKey::estimated_strength().

◆ measure_cost()

template<typename F>
uint64_t Botan::measure_cost ( std::chrono::milliseconds trial_msec,
F func )

Definition at line 21 of file time_utils.h.

21 {
22#if defined(BOTAN_HAS_OS_UTILS)
23 const uint64_t trial_nsec = std::chrono::duration_cast<std::chrono::nanoseconds>(trial_msec).count();
24
25 uint64_t total_nsec = 0;
26 uint64_t trials = 0;
27
28 auto trial_start = OS::get_system_timestamp_ns();
29
30 for(;;) {
31 const auto start = OS::get_system_timestamp_ns();
32 func();
33 const auto end = OS::get_system_timestamp_ns();
34
35 if(end >= start) {
36 total_nsec += (end - start);
37 trials += 1;
38
39 if((end - trial_start) >= trial_nsec) {
40 return (total_nsec / trials);
41 }
42 }
43 }
44
45#else
46 BOTAN_UNUSED(trial_msec, func);
47 throw Not_Implemented("No system clock available");
48#endif
49}
uint64_t BOTAN_TEST_API get_system_timestamp_ns()
Definition os_utils.cpp:318

References BOTAN_UNUSED, and Botan::OS::get_system_timestamp_ns().

Referenced by Botan::Argon2_Family::tune(), Botan::Bcrypt_PBKDF_Family::tune(), Botan::RFC4880_S2K_Family::tune(), and Botan::Scrypt_Family::tune().

◆ mgf1_mask() [1/2]

void Botan::mgf1_mask ( HashFunction & hash,
const uint8_t in[],
size_t in_len,
uint8_t out[],
size_t out_len )

MGF1 from PKCS #1 v2.0

Parameters
hashhash function to use
ininput buffer
in_lensize of the input buffer in bytes
outoutput buffer. The buffer is XORed with the output of MGF1.
out_lensize of the output buffer in bytes

Definition at line 16 of file mgf1.cpp.

16 {
17 uint32_t counter = 0;
18
19 std::vector<uint8_t> buffer(hash.output_length());
20 while(out_len) {
21 hash.update(in, in_len);
22 hash.update_be(counter);
23 hash.final(buffer.data());
24
25 const size_t xored = std::min<size_t>(buffer.size(), out_len);
26 xor_buf(out, buffer.data(), xored);
27 out += xored;
28 out_len -= xored;
29
30 ++counter;
31 }
32}
virtual size_t output_length() const =0
void update_be(uint16_t val)
Definition buf_comp.cpp:17
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:344

References Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

Referenced by mgf1_mask().

◆ mgf1_mask() [2/2]

void Botan::mgf1_mask ( HashFunction & hash,
std::span< const uint8_t > input,
std::span< uint8_t > output )
inline

Definition at line 28 of file mgf1.h.

28 {
29 mgf1_mask(hash, input.data(), input.size(), output.data(), output.size());
30}
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition mgf1.cpp:16

References mgf1_mask().

◆ miller_rabin_test_iterations()

size_t Botan::miller_rabin_test_iterations ( size_t n_bits,
size_t prob,
bool random )

Return required number of Miller-Rabin tests in order to reach the specified probability of error.

Parameters
n_bitsthe bit-length of the integer being tested
probchance of false positive is bounded by 1/2**prob
randomis set if (and only if) the integer was randomly generated by us and thus cannot have been maliciously constructed.

Definition at line 174 of file primality.cpp.

174 {
175 const size_t base = (prob + 2) / 2; // worst case 4^-t error rate
176
177 /*
178 * If the candidate prime was maliciously constructed, we can't rely
179 * on arguments based on p being random.
180 */
181 if(random == false) {
182 return base;
183 }
184
185 /*
186 * For randomly chosen numbers we can use the estimates from
187 * http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf
188 *
189 * These values are derived from the inequality for p(k,t) given on
190 * the second page.
191 */
192 if(prob <= 128) {
193 if(n_bits >= 1536) {
194 return 4; // < 2^-133
195 }
196 if(n_bits >= 1024) {
197 return 6; // < 2^-133
198 }
199 if(n_bits >= 512) {
200 return 12; // < 2^-129
201 }
202 if(n_bits >= 256) {
203 return 29; // < 2^-128
204 }
205 }
206
207 /*
208 If the user desires a smaller error probability than we have
209 precomputed error estimates for, just fall back to using the worst
210 case error rate.
211 */
212 return base;
213}

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

◆ modular_inverse()

template<std::integral T, std::integral T2 = next_longer_int_t<T>>
requires (sizeof(T) <= 4)
T Botan::modular_inverse ( T q,
T2 m = T2(1) << sizeof(T) * 8 )
consteval

Calculate the modular multiplacative inverse of q modulo m. By default, this assumes m to be 2^bitlength of T for application in a Montgomery reduction.

Definition at line 94 of file pqcrystals_helpers.h.

94 {
95 return static_cast<T>(extended_euclidean_algorithm<T2>(q, m).u);
96}
consteval eea_result< T > extended_euclidean_algorithm(T a, T b)

References extended_euclidean_algorithm().

◆ montgomery_R()

template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
T Botan::montgomery_R ( T q)
consteval

Definition at line 44 of file pqcrystals_helpers.h.

44 {
45 using T_unsigned = std::make_unsigned_t<T>;
47 return (T2(1) << (sizeof(T) * 8)) % q;
48}
std::conditional_t< sizeof(T)==1, uint16_t, std::conditional_t< sizeof(T)==2, uint32_t, std::conditional_t< sizeof(T)==4, uint64_t, void > > > next_longer_uint_t

Referenced by montgomery_R2().

◆ montgomery_R2()

template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
T Botan::montgomery_R2 ( T q)
consteval

Definition at line 52 of file pqcrystals_helpers.h.

52 {
53 using T2 = next_longer_int_t<T>;
54 return (static_cast<T2>(montgomery_R(q)) * static_cast<T2>(montgomery_R(q))) % q;
55}
std::conditional_t< sizeof(T)==1, int16_t, std::conditional_t< sizeof(T)==2, int32_t, std::conditional_t< sizeof(T)==4, int64_t, void > > > next_longer_int_t
consteval T montgomery_R(T q)

References montgomery_R().

◆ monty_execute()

Montgomery_Int Botan::monty_execute ( const Montgomery_Exponentation_State & precomputed_state,
const BigInt & k,
size_t max_k_bits )

Definition at line 152 of file monty_exp.cpp.

154 {
155 return precomputed_state.exponentiation(k, max_k_bits);
156}

References monty_execute().

Referenced by monty_execute(), monty_exp(), and passes_miller_rabin_test().

◆ monty_execute_vartime()

Montgomery_Int Botan::monty_execute_vartime ( const Montgomery_Exponentation_State & precomputed_state,
const BigInt & k )

Definition at line 158 of file monty_exp.cpp.

158 {
159 return precomputed_state.exponentiation_vartime(k);
160}

References monty_execute_vartime().

Referenced by monty_execute_vartime(), and monty_exp_vartime().

◆ monty_exp()

Montgomery_Int Botan::monty_exp ( const std::shared_ptr< const Montgomery_Params > & params_p,
const BigInt & g,
const BigInt & k,
size_t max_k_bits )
inline

Definition at line 48 of file monty_exp.h.

51 {
52 auto precomputed = monty_precompute(params_p, g, 4, true);
53 return monty_execute(*precomputed, k, max_k_bits);
54}
Montgomery_Int monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)

References monty_execute(), and monty_precompute().

Referenced by power_mod().

◆ monty_exp_vartime()

Montgomery_Int Botan::monty_exp_vartime ( const std::shared_ptr< const Montgomery_Params > & params_p,
const BigInt & g,
const BigInt & k )
inline

Definition at line 56 of file monty_exp.h.

58 {
59 auto precomputed = monty_precompute(params_p, g, 4, false);
60 return monty_execute_vartime(*precomputed, k);
61}
Montgomery_Int monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)

References monty_execute_vartime(), and monty_precompute().

Referenced by sqrt_modulo_prime().

◆ monty_inverse()

template<WordType W>
auto Botan::monty_inverse ( W a) -> W
inlineconstexpr

Definition at line 766 of file mp_core.h.

766 {
767 if(a % 2 == 0) {
768 throw Invalid_Argument("monty_inverse only valid for odd integers");
769 }
770
771 /*
772 * From "A New Algorithm for Inversion mod p^k" by Çetin Kaya Koç
773 * https://eprint.iacr.org/2017/411.pdf sections 5 and 7.
774 */
775
776 W b = 1;
777 W r = 0;
778
779 for(size_t i = 0; i != WordInfo<W>::bits; ++i) {
780 const W bi = b % 2;
781 r >>= 1;
782 r += bi << (WordInfo<W>::bits - 1);
783
784 b -= a * bi;
785 b >>= 1;
786 }
787
788 // Now invert in addition space
789 r = (WordInfo<W>::max - r) + 1;
790
791 return r;
792}

Referenced by Botan::Montgomery_Params::Montgomery_Params(), and Botan::Montgomery_Params::Montgomery_Params().

◆ monty_multi_exp()

Montgomery_Int Botan::monty_multi_exp ( const std::shared_ptr< const Montgomery_Params > & params_p,
const BigInt & x,
const BigInt & z1,
const BigInt & y,
const BigInt & z2 )

Return (x^z1 * y^z2) % p

Definition at line 162 of file monty_exp.cpp.

166 {
167 if(z1.is_negative() || z2.is_negative()) {
168 throw Invalid_Argument("multi_exponentiate exponents must be positive");
169 }
170
171 const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
172
174
175 const Montgomery_Int one(params_p, params_p->R1(), false);
176 //const Montgomery_Int one(params_p, 1);
177
178 const Montgomery_Int x1(params_p, x_bn);
179 const Montgomery_Int x2 = x1.square(ws);
180 const Montgomery_Int x3 = x2.mul(x1, ws);
181
182 const Montgomery_Int y1(params_p, y_bn);
183 const Montgomery_Int y2 = y1.square(ws);
184 const Montgomery_Int y3 = y2.mul(y1, ws);
185
186 const Montgomery_Int y1x1 = y1.mul(x1, ws);
187 const Montgomery_Int y1x2 = y1.mul(x2, ws);
188 const Montgomery_Int y1x3 = y1.mul(x3, ws);
189
190 const Montgomery_Int y2x1 = y2.mul(x1, ws);
191 const Montgomery_Int y2x2 = y2.mul(x2, ws);
192 const Montgomery_Int y2x3 = y2.mul(x3, ws);
193
194 const Montgomery_Int y3x1 = y3.mul(x1, ws);
195 const Montgomery_Int y3x2 = y3.mul(x2, ws);
196 const Montgomery_Int y3x3 = y3.mul(x3, ws);
197
198 const Montgomery_Int* M[16] = {&one,
199 &x1, // 0001
200 &x2, // 0010
201 &x3, // 0011
202 &y1, // 0100
203 &y1x1,
204 &y1x2,
205 &y1x3,
206 &y2, // 1000
207 &y2x1,
208 &y2x2,
209 &y2x3,
210 &y3, // 1100
211 &y3x1,
212 &y3x2,
213 &y3x3};
214
215 Montgomery_Int H = one;
216
217 for(size_t i = 0; i != z_bits; i += 2) {
218 if(i > 0) {
219 H.square_this(ws);
220 H.square_this(ws);
221 }
222
223 const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
224 const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
225
226 const uint32_t z12 = (4 * z2_b) + z1_b;
227
228 H.mul_by(*M[z12], ws);
229 }
230
231 return H;
232}
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:242
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:26

References Botan::BigInt::bits(), Botan::BigInt::get_substring(), Botan::BigInt::is_negative(), monty_multi_exp(), Botan::Montgomery_Int::mul(), Botan::Montgomery_Int::mul_by(), round_up(), Botan::Montgomery_Int::square(), and Botan::Montgomery_Int::square_this().

Referenced by monty_multi_exp(), and Botan::DL_Group::multi_exponentiate().

◆ monty_precompute() [1/2]

std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute ( const Montgomery_Int & g,
size_t window_bits,
bool const_time )

Definition at line 139 of file monty_exp.cpp.

141 {
142 return std::make_shared<const Montgomery_Exponentation_State>(g, window_bits, const_time);
143}

References monty_precompute().

Referenced by monty_exp(), monty_exp_vartime(), monty_precompute(), monty_precompute(), and passes_miller_rabin_test().

◆ monty_precompute() [2/2]

std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute ( const std::shared_ptr< const Montgomery_Params > & params,
const BigInt & g,
size_t window_bits,
bool const_time )

Definition at line 145 of file monty_exp.cpp.

146 {
147 BOTAN_ARG_CHECK(g < params->p(), "Montgomery base too big");
148 Montgomery_Int monty_g(params, g);
149 return monty_precompute(monty_g, window_bits, const_time);
150}

References BOTAN_ARG_CHECK, and monty_precompute().

◆ mul2_exec()

template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint Botan::mul2_exec ( const AffinePointTable< C > & table,
const BlindedScalar & x,
const BlindedScalar & y,
RandomNumberGenerator & rng )

Definition at line 372 of file pcurves_mul.h.

375 {
376 const size_t Windows = (x.bits() + WindowBits - 1) / WindowBits;
377
378 auto accum = [&]() {
379 const size_t w_1 = x.get_window((Windows - 1) * WindowBits);
380 const size_t w_2 = y.get_window((Windows - 1) * WindowBits);
381 const size_t window = w_1 + (w_2 << WindowBits);
382 auto pt = C::ProjectivePoint::from_affine(table.ct_select(window));
383 CT::poison(pt);
384 pt.randomize_rep(rng);
385 return pt;
386 }();
387
388 for(size_t i = 1; i != Windows; ++i) {
389 accum = accum.dbl_n(WindowBits);
390
391 const size_t w_1 = x.get_window((Windows - i - 1) * WindowBits);
392 const size_t w_2 = y.get_window((Windows - i - 1) * WindowBits);
393 const size_t window = w_1 + (w_2 << WindowBits);
394 accum += table.ct_select(window);
395
396 if(i <= 3) {
397 accum.randomize_rep(rng);
398 }
399 }
400
401 CT::unpoison(accum);
402 return accum;
403}
AffinePoint ct_select(size_t idx) const
Definition pcurves_mul.h:60

References Botan::AffinePointTable< C, R >::ct_select(), Botan::CT::poison(), and Botan::CT::unpoison().

◆ mul2_setup()

template<typename C, size_t WindowBits>
std::vector< typename C::ProjectivePoint > Botan::mul2_setup ( const typename C::AffinePoint & p,
const typename C::AffinePoint & q )

Definition at line 312 of file pcurves_mul.h.

313 {
314 static_assert(WindowBits >= 1 && WindowBits <= 4);
315
316 // 2^(2*W) elements, less the identity element
317 constexpr size_t TableSize = (1 << (2 * WindowBits)) - 1;
318 constexpr size_t WindowSize = (1 << WindowBits);
319
320 std::vector<typename C::ProjectivePoint> table;
321 table.reserve(TableSize);
322
323 for(size_t i = 0; i != TableSize; ++i) {
324 const size_t t_i = (i + 1);
325 const size_t p_i = t_i % WindowSize;
326 const size_t q_i = (t_i >> WindowBits) % WindowSize;
327
328 // Returns x_i * x + y_i * y
329 auto next_tbl_e = [&]() {
330 if(p_i % 2 == 0 && q_i % 2 == 0) {
331 // Where possible using doubling (eg indices 1, 7, 9 in
332 // the table above)
333 return table[(t_i / 2) - 1].dbl();
334 } else if(p_i > 0 && q_i > 0) {
335 // A combination of p and q
336 if(p_i == 1) {
337 return p + table[(q_i << WindowBits) - 1];
338 } else if(q_i == 1) {
339 return table[p_i - 1] + q;
340 } else {
341 return table[p_i - 1] + table[(q_i << WindowBits) - 1];
342 }
343 } else if(p_i > 0 && q_i == 0) {
344 // A multiple of p without a q component
345 if(p_i == 1) {
346 // Just p
347 return C::ProjectivePoint::from_affine(p);
348 } else {
349 // p * p_{i-1}
350 return p + table[p_i - 1 - 1];
351 }
352 } else if(p_i == 0 && q_i > 0) {
353 if(q_i == 1) {
354 // Just q
355 return C::ProjectivePoint::from_affine(q);
356 } else {
357 // q * q_{i-1}
358 return q + table[((q_i - 1) << WindowBits) - 1];
359 }
360 } else {
362 }
363 };
364
365 table.emplace_back(next_tbl_e());
366 }
367
368 return table;
369}
#define BOTAN_ASSERT_UNREACHABLE()
Definition assert.h:139

References BOTAN_ASSERT_UNREACHABLE.

◆ mul64x64_128()

void Botan::mul64x64_128 ( uint64_t a,
uint64_t b,
uint64_t * lo,
uint64_t * hi )
inlineconstexpr

Perform a 64x64->128 bit multiplication

Definition at line 24 of file mul128.h.

24 {
25 if(!std::is_constant_evaluated()) {
26#if defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_X86_64)
27 *lo = _umul128(a, b, hi);
28 return;
29
30#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_ARM64)
31 *lo = a * b;
32 *hi = __umulh(a, b);
33 return;
34#endif
35 }
36
37#if defined(BOTAN_TARGET_HAS_NATIVE_UINT128)
38 const uint128_t r = static_cast<uint128_t>(a) * b;
39 *hi = (r >> 64) & 0xFFFFFFFFFFFFFFFF;
40 *lo = (r) & 0xFFFFFFFFFFFFFFFF;
41#else
42
43 /*
44 * Do a 64x64->128 multiply using four 32x32->64 multiplies plus
45 * some adds and shifts.
46 */
47 const size_t HWORD_BITS = 32;
48 const uint32_t HWORD_MASK = 0xFFFFFFFF;
49
50 const uint32_t a_hi = (a >> HWORD_BITS);
51 const uint32_t a_lo = (a & HWORD_MASK);
52 const uint32_t b_hi = (b >> HWORD_BITS);
53 const uint32_t b_lo = (b & HWORD_MASK);
54
55 const uint64_t x0 = static_cast<uint64_t>(a_hi) * b_hi;
56 const uint64_t x1 = static_cast<uint64_t>(a_lo) * b_hi;
57 const uint64_t x2 = static_cast<uint64_t>(a_hi) * b_lo;
58 const uint64_t x3 = static_cast<uint64_t>(a_lo) * b_lo;
59
60 // this cannot overflow as (2^32-1)^2 + 2^32-1 + 2^32-1 = 2^64-1
61 const uint64_t middle = x2 + (x3 >> HWORD_BITS) + (x1 & HWORD_MASK);
62
63 // likewise these cannot overflow
64 *hi = x0 + (middle >> HWORD_BITS) + (x1 >> HWORD_BITS);
65 *lo = (middle << HWORD_BITS) + (x3 & HWORD_MASK);
66#endif
67}

Referenced by operator*().

◆ multi_exponentiate()

EC_Point Botan::multi_exponentiate ( const EC_Point & p1,
const BigInt & z1,
const EC_Point & p2,
const BigInt & z2 )

ECC point multiexponentiation - not constant time!

Parameters
p1a point
z1a scalar
p2a point
z2a scalar
Returns
(p1 * z1 + p2 * z2)

Definition at line 35 of file point_mul.cpp.

35 {
37 return xy_mul.multi_exp(z1, z2);
38}

References Botan::EC_Point_Multi_Point_Precompute::multi_exp().

◆ nist_key_unwrap()

secure_vector< uint8_t > Botan::nist_key_unwrap ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 116 of file nist_keywrap.cpp.

116 {
117 if(bc.block_size() != 16) {
118 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
119 }
120
121 if(input_len < 16 || input_len % 8 != 0) {
122 throw Invalid_Argument("Bad input size for NIST key unwrap");
123 }
124
125 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
126
127 uint64_t ICV_out = 0;
129
130 if(input_len == 16) {
131 secure_vector<uint8_t> block(input, input + input_len);
132 bc.decrypt(block);
133
134 ICV_out = load_be<uint64_t>(block.data(), 0);
135 R.resize(8);
136 copy_mem(R.data(), block.data() + 8, 8);
137 } else {
138 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
139 }
140
141 if(ICV_out != ICV) {
142 throw Invalid_Authentication_Tag("NIST key unwrap failed");
143 }
144
145 return R;
146}
void decrypt(const uint8_t in[], uint8_t out[]) const
virtual size_t block_size() const =0

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be().

Referenced by botan_nist_kw_dec(), and rfc3394_keyunwrap().

◆ nist_key_unwrap_padded()

secure_vector< uint8_t > Botan::nist_key_unwrap_padded ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 169 of file nist_keywrap.cpp.

169 {
170 if(bc.block_size() != 16) {
171 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
172 }
173
174 if(input_len < 16 || input_len % 8 != 0) {
175 throw Invalid_Argument("Bad input size for NIST key unwrap");
176 }
177
178 uint64_t ICV_out = 0;
180
181 if(input_len == 16) {
182 secure_vector<uint8_t> block(input, input + input_len);
183 bc.decrypt(block);
184
185 ICV_out = load_be<uint64_t>(block.data(), 0);
186 R.resize(8);
187 copy_mem(R.data(), block.data() + 8, 8);
188 } else {
189 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
190 }
191
192 if((ICV_out >> 32) != 0xA65959A6) {
193 throw Invalid_Authentication_Tag("NIST key unwrap failed");
194 }
195
196 const size_t len = (ICV_out & 0xFFFFFFFF);
197
198 if(R.size() < 8 || len > R.size() || len <= R.size() - 8) {
199 throw Invalid_Authentication_Tag("NIST key unwrap failed");
200 }
201
202 const size_t padding = R.size() - len;
203
204 for(size_t i = 0; i != padding; ++i) {
205 if(R[R.size() - i - 1] != 0) {
206 throw Invalid_Authentication_Tag("NIST key unwrap failed");
207 }
208 }
209
210 R.resize(R.size() - padding);
211
212 return R;
213}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be().

Referenced by botan_nist_kw_dec(), Botan::Encrypted_PSK_Database::get(), and Botan::Encrypted_PSK_Database::list_names().

◆ nist_key_wrap()

std::vector< uint8_t > Botan::nist_key_wrap ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )

Key wrap. See RFC 3394 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input, must be a multiple of 8
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 90 of file nist_keywrap.cpp.

90 {
91 if(bc.block_size() != 16) {
92 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
93 }
94
95 if(input_len % 8 != 0) {
96 throw Invalid_Argument("Bad input size for NIST key wrap");
97 }
98
99 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
100
101 if(input_len == 8) {
102 /*
103 * Special case for small inputs: if input == 8 bytes just use ECB
104 * (see RFC 3394 Section 2)
105 */
106 std::vector<uint8_t> block(16);
107 store_be(ICV, block.data());
108 copy_mem(block.data() + 8, input, input_len);
109 bc.encrypt(block);
110 return block;
111 } else {
112 return raw_nist_key_wrap(input, input_len, bc, ICV);
113 }
114}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by botan_nist_kw_enc(), and rfc3394_keywrap().

◆ nist_key_wrap_padded()

std::vector< uint8_t > Botan::nist_key_wrap_padded ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )

KWP (key wrap with padding). See RFC 5649 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 148 of file nist_keywrap.cpp.

148 {
149 if(bc.block_size() != 16) {
150 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
151 }
152
153 const uint64_t ICV = 0xA65959A600000000 | static_cast<uint32_t>(input_len);
154
155 if(input_len <= 8) {
156 /*
157 * Special case for small inputs: if input <= 8 bytes just use ECB
158 */
159 std::vector<uint8_t> block(16);
160 store_be(ICV, block.data());
161 copy_mem(block.data() + 8, input, input_len);
162 bc.encrypt(block);
163 return block;
164 } else {
165 return raw_nist_key_wrap(input, input_len, bc, ICV);
166 }
167}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by botan_nist_kw_enc(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), and Botan::Encrypted_PSK_Database::set().

◆ oaep_find_delim()

BOTAN_FUZZER_API CT::Option< size_t > Botan::oaep_find_delim ( std::span< const uint8_t > input,
std::span< const uint8_t > phash )

Definition at line 102 of file oaep.cpp.

102 {
103 // Too short to be valid, reject immediately
104 if(input.size() < 1 + 2 * phash.size()) {
105 return {};
106 }
107
108 size_t delim_idx = 2 * phash.size();
109 CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set();
111
112 for(uint8_t ib : input.subspan(2 * phash.size())) {
113 const auto zero_m = CT::Mask<uint8_t>::is_zero(ib);
114 const auto one_m = CT::Mask<uint8_t>::is_equal(ib, 1);
115
116 const auto add_m = waiting_for_delim & zero_m;
117
118 bad_input_m |= waiting_for_delim & ~(zero_m | one_m);
119
120 delim_idx += add_m.if_set_return(1);
121
122 waiting_for_delim &= zero_m;
123 }
124
125 // If we never saw any non-zero byte, then it's not valid input
126 bad_input_m |= waiting_for_delim;
127
128 // If the P hash is wrong, then it's not valid
129 bad_input_m |= CT::is_not_equal(&input[phash.size()], phash.data(), phash.size());
130
131 delim_idx += 1;
132
133 const auto accept = !(bad_input_m.as_choice());
134
135 return CT::Option(delim_idx, accept);
136}
static constexpr Mask< T > set()
Definition ct_utils.h:399
constexpr CT::Mask< T > is_not_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:814

References Botan::CT::Mask< T >::as_choice(), Botan::CT::Mask< T >::cleared(), Botan::CT::Mask< T >::if_set_return(), Botan::CT::Mask< T >::is_equal(), Botan::CT::is_not_equal(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::Mask< T >::set().

◆ operator!=() [1/12]

bool Botan::operator!= ( const AlgorithmIdentifier & a1,
const AlgorithmIdentifier & a2 )

Definition at line 69 of file alg_id.cpp.

69 {
70 return !(a1 == a2);
71}

◆ operator!=() [2/12]

bool Botan::operator!= ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 264 of file asn1_time.cpp.

264 {
265 return (t1.cmp(t2) != 0);
266}
int32_t cmp(const ASN1_Time &other) const
Compare this time against another.

References Botan::ASN1_Time::cmp().

◆ operator!=() [3/12]

bool Botan::operator!= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1124 of file bigint.h.

1124 {
1125 return !a.is_equal(b);
1126}
bool is_equal(const BigInt &n) const
Definition bigint.cpp:159

References Botan::BigInt::is_equal().

◆ operator!=() [4/12]

bool Botan::operator!= ( const BigInt & a,
word b )
inline

Definition at line 1148 of file bigint.h.

1148 {
1149 return (a.cmp_word(b) != 0);
1150}
int32_t cmp_word(word n) const
Definition bigint.cpp:125

References Botan::BigInt::cmp_word().

◆ operator!=() [5/12]

bool Botan::operator!= ( const CRL_Entry & ,
const CRL_Entry &  )

Test two CRL entries for inequality in at least one field.

Definition at line 58 of file crl_ent.cpp.

58 {
59 return !(a1 == a2);
60}

◆ operator!=() [6/12]

bool Botan::operator!= ( const EC_Group & lhs,
const EC_Group & rhs )
inline

Definition at line 730 of file ec_group.h.

730 {
731 return !(lhs == rhs);
732}

◆ operator!=() [7/12]

bool Botan::operator!= ( const OctetString & x,
const OctetString & y )

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is not equal to y

Definition at line 92 of file symkey.cpp.

92 {
93 return !(s1 == s2);
94}

◆ operator!=() [8/12]

bool Botan::operator!= ( const OID & a,
const OID & b )
inline

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is not equal to b

Definition at line 341 of file asn1_obj.h.

341 {
342 return !(a == b);
343}

◆ operator!=() [9/12]

template<typename T, typename U>
bool Botan::operator!= ( const secure_allocator< T > & ,
const secure_allocator< U > &  )
inline

Definition at line 60 of file secmem.h.

60 {
61 return false;
62}

◆ operator!=() [10/12]

template<bitvectorish T1, bitvectorish T2>
bool Botan::operator!= ( const T1 & lhs,
const T2 & rhs )

Definition at line 1348 of file bitvector.h.

1348 {
1349 return lhs.equals_vartime(rhs);
1350}

◆ operator!=() [11/12]

bool Botan::operator!= ( const X509_Certificate & cert1,
const X509_Certificate & cert2 )

Check two certificates for inequality

Parameters
cert1The first certificate
cert2The second certificate
Returns
true if the arguments represent different certificates, false if they are binary identical

Definition at line 695 of file x509cert.cpp.

695 {
696 return !(cert1 == cert2);
697}

◆ operator!=() [12/12]

bool Botan::operator!= ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 256 of file x509_dn.cpp.

256 {
257 return !(dn1 == dn2);
258}

◆ operator%() [1/2]

BigInt Botan::operator% ( const BigInt & n,
const BigInt & mod )

Definition at line 122 of file big_ops3.cpp.

122 {
123 if(mod.is_zero()) {
124 throw Invalid_Argument("BigInt::operator% divide by zero");
125 }
126 if(mod.is_negative()) {
127 throw Invalid_Argument("BigInt::operator% modulus must be > 0");
128 }
129 if(n.is_positive() && mod.is_positive() && n < mod) {
130 return n;
131 }
132
133 if(mod.sig_words() == 1) {
134 return BigInt::from_word(n % mod.word_at(0));
135 }
136
137 BigInt q, r;
138 vartime_divide(n, mod, q, r);
139 return r;
140}
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:230

References Botan::BigInt::from_word(), Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

◆ operator%() [2/2]

word Botan::operator% ( const BigInt & n,
word mod )

Definition at line 145 of file big_ops3.cpp.

145 {
146 if(mod == 0) {
147 throw Invalid_Argument("BigInt::operator% divide by zero");
148 }
149
150 if(mod == 1) {
151 return 0;
152 }
153
154 word remainder = 0;
155
156 if(is_power_of_2(mod)) {
157 remainder = (n.word_at(0) & (mod - 1));
158 } else {
159 const size_t sw = n.sig_words();
160 for(size_t i = sw; i > 0; --i) {
161 remainder = bigint_modop_vartime(remainder, n.word_at(i - 1), mod);
162 }
163 }
164
165 if(remainder && n.sign() == BigInt::Negative) {
166 return mod - remainder;
167 }
168 return remainder;
169}
Sign sign() const
Definition bigint.h:571
constexpr bool is_power_of_2(T arg)
Definition bit_ops.h:48
constexpr auto bigint_modop_vartime(W n1, W n0, W d) -> W
Definition mp_core.h:747

References bigint_modop_vartime(), is_power_of_2(), Botan::BigInt::Negative, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::word_at().

◆ operator&() [1/5]

template<bitvectorish T1, bitvectorish T2>
auto Botan::operator& ( const T1 & lhs,
const T2 & rhs )

Definition at line 1329 of file bitvector.h.

1329 {
1330 auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
1331 res &= rhs;
1332 return res;
1333}
constexpr auto copy_lhs_allocator_aware(const T1 &lhs, const T2 &)
Definition bitvector.h:1308

References Botan::detail::copy_lhs_allocator_aware().

◆ operator&() [2/5]

ECIES_Flags Botan::operator& ( ECIES_Flags a,
ECIES_Flags b )
inline

Definition at line 70 of file ecies.h.

70 {
71 return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) & static_cast<uint32_t>(b));
72}
ECIES_Flags
Definition ecies.h:44

◆ operator&() [3/5]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator& ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 425 of file strong_type.h.

425 {
426 return Strong<T, Tags...>(a.get() & b.get());
427}

References Botan::detail::Strong_Base< T >::get().

◆ operator&() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator& ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 420 of file strong_type.h.

420 {
421 return Strong<T1, Tags...>(a.get() & b);
422}

References Botan::detail::Strong_Base< T >::get().

◆ operator&() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator& ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 414 of file strong_type.h.

414 {
415 return Strong<T2, Tags...>(a & b.get());
416}

References Botan::detail::Strong_Base< T >::get().

◆ operator&=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator&= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 553 of file strong_type.h.

553 {
554 a.get() &= b.get();
555 return a;
556}

References Botan::detail::Strong_Base< T >::get().

◆ operator&=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator&= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 547 of file strong_type.h.

547 {
548 a.get() &= b;
549 return a;
550}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [1/11]

EC_Point Botan::operator* ( const BigInt & scalar,
const EC_Point & point )
inline

Definition at line 398 of file ec_point.h.

398 {
399 return point.mul(scalar);
400}
EC_Point mul(const BigInt &scalar) const
Definition ec_point.cpp:491

References Botan::EC_Point::mul().

◆ operator*() [2/11]

BigInt Botan::operator* ( const BigInt & x,
const BigInt & y )

Definition at line 46 of file big_ops3.cpp.

46 {
47 const size_t x_sw = x.sig_words();
48 const size_t y_sw = y.sig_words();
49
51
52 if(x_sw == 1 && y_sw) {
53 bigint_linmul3(z.mutable_data(), y._data(), y_sw, x.word_at(0));
54 } else if(y_sw == 1 && x_sw) {
55 bigint_linmul3(z.mutable_data(), x._data(), x_sw, y.word_at(0));
56 } else if(x_sw && y_sw) {
57 secure_vector<word> workspace(z.size());
58
60 z.size(),
61 x._data(),
62 x.size(),
63 x_sw,
64 y._data(),
65 y.size(),
66 y_sw,
67 workspace.data(),
68 workspace.size());
69 }
70
71 z.cond_flip_sign(x_sw > 0 && y_sw > 0 && x.sign() != y.sign());
72
73 return z;
74}
word * mutable_data()
Definition bigint.h:640
size_t size() const
Definition bigint.h:609
void cond_flip_sign(bool predicate)
Definition bigint.cpp:503
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:282

References Botan::BigInt::_data(), bigint_linmul3(), bigint_mul(), Botan::BigInt::cond_flip_sign(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::size(), Botan::BigInt::with_capacity(), and Botan::BigInt::word_at().

◆ operator*() [3/11]

BigInt Botan::operator* ( const BigInt & x,
word y )

Definition at line 79 of file big_ops3.cpp.

79 {
80 const size_t x_sw = x.sig_words();
81
82 BigInt z = BigInt::with_capacity(x_sw + 1);
83
84 if(x_sw && y) {
85 bigint_linmul3(z.mutable_data(), x._data(), x_sw, y);
86 z.set_sign(x.sign());
87 }
88
89 return z;
90}
void set_sign(Sign sign)
Definition bigint.h:592

References Botan::BigInt::_data(), bigint_linmul3(), Botan::BigInt::mutable_data(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().

◆ operator*() [4/11]

template<std::unsigned_integral T>
donna128 Botan::operator* ( const donna128 & x,
T y )
inlineconstexpr

Definition at line 100 of file donna128.h.

100 {
101 BOTAN_ARG_CHECK(x.hi() == 0, "High 64 bits of donna128 set to zero during multiply");
102
103 uint64_t lo = 0, hi = 0;
104 mul64x64_128(x.lo(), static_cast<uint64_t>(y), &lo, &hi);
105 return donna128(lo, hi);
106}
constexpr uint64_t hi() const
Definition donna128.h:91
constexpr void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition mul128.h:24

References BOTAN_ARG_CHECK, Botan::donna128::hi(), Botan::donna128::lo(), and mul64x64_128().

◆ operator*() [5/11]

EC_Point Botan::operator* ( const EC_Point & point,
const BigInt & scalar )
inline

Definition at line 394 of file ec_point.h.

394 {
395 return point.mul(scalar);
396}

References Botan::EC_Point::mul().

◆ operator*() [6/11]

Ed448Point Botan::operator* ( const Scalar448 & lhs,
const Ed448Point & rhs )

Syntax sugar for scalar multiplication.

Definition at line 220 of file ed448_internal.cpp.

220 {
221 return rhs.scalar_mul(lhs);
222}
Ed448Point scalar_mul(const Scalar448 &scalar) const
Scalar multiplication.

References Botan::Ed448Point::scalar_mul().

◆ operator*() [7/11]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator* ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 374 of file strong_type.h.

374 {
375 return Strong<T, Tags...>(a.get() * b.get());
376}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [8/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator* ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 369 of file strong_type.h.

369 {
370 return Strong<T1, Tags...>(a.get() * b);
371}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [9/11]

template<std::unsigned_integral T>
donna128 Botan::operator* ( T y,
const donna128 & x )
inlineconstexpr

Definition at line 109 of file donna128.h.

109 {
110 return x * y;
111}

◆ operator*() [10/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator* ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 363 of file strong_type.h.

363 {
364 return Strong<T2, Tags...>(a * b.get());
365}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [11/11]

BigInt Botan::operator* ( word x,
const BigInt & y )
inline

Definition at line 1106 of file bigint.h.

1106 {
1107 return y * x;
1108}

◆ operator*=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator*= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 514 of file strong_type.h.

514 {
515 a.get() *= b.get();
516 return a;
517}

References Botan::detail::Strong_Base< T >::get().

◆ operator*=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator*= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 508 of file strong_type.h.

508 {
509 a.get() *= b;
510 return a;
511}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [1/10]

BigInt Botan::operator+ ( const BigInt & x,
const BigInt & y )
inline

Definition at line 1083 of file bigint.h.

1083 {
1084 return BigInt::add2(x, y._data(), y.sig_words(), y.sign());
1085}
static BigInt add2(const BigInt &x, const word y[], size_t y_words, Sign y_sign)
Definition big_ops3.cpp:19

References Botan::BigInt::_data(), Botan::BigInt::add2(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().

◆ operator+() [2/10]

BigInt Botan::operator+ ( const BigInt & x,
word y )
inline

Definition at line 1087 of file bigint.h.

1087 {
1088 return BigInt::add2(x, &y, 1, BigInt::Positive);
1089}

References Botan::BigInt::add2(), and Botan::BigInt::Positive.

◆ operator+() [3/10]

donna128 Botan::operator+ ( const donna128 & x,
const donna128 & y )
inlineconstexpr

Definition at line 113 of file donna128.h.

113 {
114 donna128 z = x;
115 z += y;
116 return z;
117}

◆ operator+() [4/10]

donna128 Botan::operator+ ( const donna128 & x,
uint64_t y )
inlineconstexpr

Definition at line 119 of file donna128.h.

119 {
120 donna128 z = x;
121 z += y;
122 return z;
123}

◆ operator+() [5/10]

EC_Point Botan::operator+ ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 384 of file ec_point.h.

384 {
385 EC_Point tmp(lhs);
386 return tmp += rhs;
387}

◆ operator+() [6/10]

OctetString Botan::operator+ ( const OctetString & x,
const OctetString & y )

Concatenate two strings

Parameters
xan octet string
yan octet string
Returns
x concatenated with y

Definition at line 99 of file symkey.cpp.

99 {
101 out += k1.bits_of();
102 out += k2.bits_of();
103 return OctetString(out);
104}

References Botan::OctetString::bits_of(), and OctetString.

◆ operator+() [7/10]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator+ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 340 of file strong_type.h.

340 {
341 return Strong<T, Tags...>(a.get() + b.get());
342}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [8/10]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator+ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 335 of file strong_type.h.

335 {
336 return Strong<T1, Tags...>(a.get() + b);
337}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [9/10]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator+ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 329 of file strong_type.h.

329 {
330 return Strong<T2, Tags...>(a + b.get());
331}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [10/10]

BigInt Botan::operator+ ( word x,
const BigInt & y )
inline

Definition at line 1091 of file bigint.h.

1091 {
1092 return y + x;
1093}

◆ operator++() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator++ ( Strong< T, Tags... > & a)
constexpr

Definition at line 605 of file strong_type.h.

605 {
606 ++a.get();
607 return a;
608}

References Botan::detail::Strong_Base< T >::get().

◆ operator++() [2/2]

template<std::integral T, typename... Tags>
auto Botan::operator++ ( Strong< T, Tags... > & a,
int  )
constexpr

Definition at line 598 of file strong_type.h.

598 {
599 auto tmp = a;
600 ++a.get();
601 return tmp;
602}

References Botan::detail::Strong_Base< T >::get().

Referenced by generate_dsa_primes().

◆ operator+=() [1/6]

template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::pair< const T *, L > & in )

Definition at line 99 of file secmem.h.

99 {
100 out.insert(out.end(), in.first, in.first + in.second);
101 return out;
102}

◆ operator+=() [2/6]

template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::pair< T *, L > & in )

Definition at line 105 of file secmem.h.

105 {
106 out.insert(out.end(), in.first, in.first + in.second);
107 return out;
108}

◆ operator+=() [3/6]

template<typename T, typename Alloc, typename Alloc2>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::vector< T, Alloc2 > & in )

Definition at line 87 of file secmem.h.

87 {
88 out.insert(out.end(), in.begin(), in.end());
89 return out;
90}

◆ operator+=() [4/6]

template<typename T, typename Alloc>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
T in )

Definition at line 93 of file secmem.h.

93 {
94 out.push_back(in);
95 return out;
96}

◆ operator+=() [5/6]

template<std::integral T, typename... Tags>
auto Botan::operator+= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 488 of file strong_type.h.

488 {
489 a.get() += b.get();
490 return a;
491}

References Botan::detail::Strong_Base< T >::get().

◆ operator+=() [6/6]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator+= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 482 of file strong_type.h.

482 {
483 a.get() += b;
484 return a;
485}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [1/7]

BigInt Botan::operator- ( const BigInt & x,
const BigInt & y )
inline

Definition at line 1095 of file bigint.h.

1095 {
1096 return BigInt::add2(x, y._data(), y.sig_words(), y.reverse_sign());
1097}
Sign reverse_sign() const
Definition bigint.h:576

References Botan::BigInt::_data(), Botan::BigInt::add2(), Botan::BigInt::reverse_sign(), and Botan::BigInt::sig_words().

◆ operator-() [2/7]

BigInt Botan::operator- ( const BigInt & x,
word y )
inline

Definition at line 1099 of file bigint.h.

1099 {
1100 return BigInt::add2(x, &y, 1, BigInt::Negative);
1101}

References Botan::BigInt::add2(), and Botan::BigInt::Negative.

◆ operator-() [3/7]

EC_Point Botan::operator- ( const EC_Point & lhs)
inline

Definition at line 380 of file ec_point.h.

380 {
381 return EC_Point(lhs).negate();
382}
EC_Point & negate()
Definition ec_point.h:132

References Botan::EC_Point::negate().

◆ operator-() [4/7]

EC_Point Botan::operator- ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 389 of file ec_point.h.

389 {
390 EC_Point tmp(lhs);
391 return tmp -= rhs;
392}

◆ operator-() [5/7]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator- ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 357 of file strong_type.h.

357 {
358 return Strong<T, Tags...>(a.get() - b.get());
359}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [6/7]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator- ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 352 of file strong_type.h.

352 {
353 return Strong<T1, Tags...>(a.get() - b);
354}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [7/7]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator- ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 346 of file strong_type.h.

346 {
347 return Strong<T2, Tags...>(a - b.get());
348}

References Botan::detail::Strong_Base< T >::get().

◆ operator--() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator-- ( Strong< T, Tags... > & a)
constexpr

Definition at line 618 of file strong_type.h.

618 {
619 --a.get();
620 return a;
621}

References Botan::detail::Strong_Base< T >::get().

◆ operator--() [2/2]

template<std::integral T, typename... Tags>
auto Botan::operator-- ( Strong< T, Tags... > & a,
int  )
constexpr

Definition at line 611 of file strong_type.h.

611 {
612 auto tmp = a;
613 --a.get();
614 return tmp;
615}

References Botan::detail::Strong_Base< T >::get().

◆ operator-=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator-= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 501 of file strong_type.h.

501 {
502 a.get() -= b.get();
503 return a;
504}

References Botan::detail::Strong_Base< T >::get().

◆ operator-=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator-= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 495 of file strong_type.h.

495 {
496 a.get() -= b;
497 return a;
498}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [1/5]

BigInt Botan::operator/ ( const BigInt & x,
const BigInt & y )

Definition at line 95 of file big_ops3.cpp.

95 {
96 if(y.sig_words() == 1) {
97 return x / y.word_at(0);
98 }
99
100 BigInt q, r;
101 vartime_divide(x, y, q, r);
102 return q;
103}

References Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

◆ operator/() [2/5]

BigInt Botan::operator/ ( const BigInt & x,
word y )

Definition at line 108 of file big_ops3.cpp.

108 {
109 if(y == 0) {
110 throw Invalid_Argument("BigInt::operator/ divide by zero");
111 }
112
113 BigInt q;
114 word r;
115 ct_divide_word(x, y, q, r);
116 return q;
117}

References ct_divide_word().

◆ operator/() [3/5]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator/ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 391 of file strong_type.h.

391 {
392 return Strong<T, Tags...>(a.get() / b.get());
393}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator/ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 386 of file strong_type.h.

386 {
387 return Strong<T1, Tags...>(a.get() / b);
388}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator/ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 380 of file strong_type.h.

380 {
381 return Strong<T2, Tags...>(a / b.get());
382}

References Botan::detail::Strong_Base< T >::get().

◆ operator/=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator/= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 527 of file strong_type.h.

527 {
528 a.get() /= b.get();
529 return a;
530}

References Botan::detail::Strong_Base< T >::get().

◆ operator/=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator/= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 521 of file strong_type.h.

521 {
522 a.get() /= b;
523 return a;
524}

References Botan::detail::Strong_Base< T >::get().

◆ operator<() [1/5]

bool Botan::operator< ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 276 of file asn1_time.cpp.

276 {
277 return (t1.cmp(t2) < 0);
278}

References Botan::ASN1_Time::cmp().

◆ operator<() [2/5]

bool Botan::operator< ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1136 of file bigint.h.

1136 {
1137 return a.is_less_than(b);
1138}
bool is_less_than(const BigInt &n) const
Definition bigint.cpp:167

References Botan::BigInt::is_less_than().

◆ operator<() [3/5]

bool Botan::operator< ( const BigInt & a,
word b )
inline

Definition at line 1160 of file bigint.h.

1160 {
1161 return (a.cmp_word(b) < 0);
1162}

References Botan::BigInt::cmp_word().

◆ operator<() [4/5]

bool Botan::operator< ( const OID & a,
const OID & b )

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is lexicographically smaller than b

Definition at line 167 of file asn1_oid.cpp.

167 {
168 const std::vector<uint32_t>& oid1 = a.get_components();
169 const std::vector<uint32_t>& oid2 = b.get_components();
170
171 return std::lexicographical_compare(oid1.begin(), oid1.end(), oid2.begin(), oid2.end());
172}

References Botan::OID::get_components().

◆ operator<() [5/5]

bool Botan::operator< ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 263 of file x509_dn.cpp.

263 {
264 auto attr1 = dn1.get_attributes();
265 auto attr2 = dn2.get_attributes();
266
267 // If they are not the same size, choose the smaller as the "lessor"
268 if(attr1.size() < attr2.size()) {
269 return true;
270 }
271 if(attr1.size() > attr2.size()) {
272 return false;
273 }
274
275 // We know they are the same # of elements, now compare the OIDs:
276 auto p1 = attr1.begin();
277 auto p2 = attr2.begin();
278
279 while(p1 != attr1.end() && p2 != attr2.end()) {
280 if(p1->first != p2->first) {
281 return (p1->first < p2->first);
282 }
283
284 ++p1;
285 ++p2;
286 }
287
288 // We know this is true because maps have the same size
289 BOTAN_ASSERT_NOMSG(p1 == attr1.end());
290 BOTAN_ASSERT_NOMSG(p2 == attr2.end());
291
292 // Now we know all elements have the same OIDs, compare
293 // their string values:
294
295 p1 = attr1.begin();
296 p2 = attr2.begin();
297 while(p1 != attr1.end() && p2 != attr2.end()) {
298 BOTAN_DEBUG_ASSERT(p1->first == p2->first);
299
300 // They may be binary different but same by X.500 rules, check this
301 if(!x500_name_cmp(p1->second, p2->second)) {
302 // If they are not (by X.500) the same string, pick the
303 // lexicographic first as the lessor
304 return (p1->second < p2->second);
305 }
306
307 ++p1;
308 ++p2;
309 }
310
311 // if we reach here, then the DNs should be identical
312 BOTAN_DEBUG_ASSERT(dn1 == dn2);
313 return false;
314}
std::multimap< OID, std::string > get_attributes() const
Definition x509_dn.cpp:112

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, and Botan::X509_DN::get_attributes().

◆ operator<<() [1/12]

BigInt Botan::operator<< ( const BigInt & x,
size_t shift )

Definition at line 174 of file big_ops3.cpp.

174 {
175 const size_t x_sw = x.sig_words();
176
177 const size_t new_size = x_sw + (shift + WordInfo<word>::bits - 1) / WordInfo<word>::bits;
178 BigInt y = BigInt::with_capacity(new_size);
179 bigint_shl2(y.mutable_data(), x._data(), x_sw, shift);
180 y.set_sign(x.sign());
181 return y;
182}
constexpr void bigint_shl2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:469

References Botan::BigInt::_data(), bigint_shl2(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().

◆ operator<<() [2/12]

int Botan::operator<< ( int out,
Pipe & pipe )

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outfile descriptor for an open output stream
pipethe pipe

Definition at line 18 of file fd_unix.cpp.

18 {
20 while(pipe.remaining()) {
21 size_t got = pipe.read(buffer.data(), buffer.size());
22 size_t position = 0;
23 while(got) {
24 ssize_t ret = ::write(fd, &buffer[position], got);
25 if(ret < 0) {
26 throw Stream_IO_Error("Pipe output operator (unixfd) has failed");
27 }
28
29 position += static_cast<size_t>(ret);
30 got -= static_cast<size_t>(ret);
31 }
32 }
33 return fd;
34}
size_t read(uint8_t output[], size_t length) override
Definition pipe_rw.cpp:79
size_t remaining(message_id msg=DEFAULT_MESSAGE) const
Definition pipe_rw.cpp:124
constexpr size_t DefaultBufferSize
Definition types.h:137

References DefaultBufferSize, Botan::Pipe::read(), and Botan::Pipe::remaining().

◆ operator<<() [3/12]

std::ostream & Botan::operator<< ( std::ostream & os,
const GeneralName & gn )

Definition at line 260 of file name_constraint.cpp.

260 {
261 os << gn.type() << ":" << gn.name();
262 return os;
263}
std::string type() const
std::string name() const

References Botan::GeneralName::name(), and Botan::GeneralName::type().

◆ operator<<() [4/12]

std::ostream & Botan::operator<< ( std::ostream & os,
const GeneralSubtree & gs )

Definition at line 284 of file name_constraint.cpp.

284 {
285 os << gs.base();
286 return os;
287}
const GeneralName & base() const
Definition pkix_types.h:347

References Botan::GeneralSubtree::base().

◆ operator<<() [5/12]

template<typename T, typename... Tags>
requires (concepts::streamable<T>)
decltype(auto) Botan::operator<< ( std::ostream & os,
const Strong< T, Tags... > & v )

Definition at line 291 of file strong_type.h.

291 {
292 return os << v.get();
293}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [6/12]

std::ostream & Botan::operator<< ( std::ostream & out,
const OID & oid )
inline

Definition at line 330 of file asn1_obj.h.

330 {
331 out << oid.to_string();
332 return out;
333}
std::string to_string() const
Definition asn1_oid.cpp:125

References Botan::OID::to_string().

◆ operator<<() [7/12]

std::ostream & Botan::operator<< ( std::ostream & out,
const X509_DN & dn )

Definition at line 408 of file x509_dn.cpp.

408 {
409 const auto& info = dn.dn_info();
410
411 for(size_t i = 0; i != info.size(); ++i) {
412 out << to_short_form(info[i].first) << "=\"";
413 for(char c : info[i].second.value()) {
414 if(c == '\\' || c == '\"') {
415 out << "\\";
416 }
417 out << c;
418 }
419 out << "\"";
420
421 if(i + 1 < info.size()) {
422 out << ",";
423 }
424 }
425 return out;
426}
const std::vector< std::pair< OID, ASN1_String > > & dn_info() const
Definition pkix_types.h:75

References Botan::X509_DN::dn_info().

◆ operator<<() [8/12]

std::ostream & Botan::operator<< ( std::ostream & out,
Pipe & pipe )

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outan output stream
pipethe pipe

Definition at line 19 of file pipe_io.cpp.

19 {
21 while(stream.good() && pipe.remaining()) {
22 const size_t got = pipe.read(buffer.data(), buffer.size());
23 stream.write(cast_uint8_ptr_to_char(buffer.data()), got);
24 }
25 if(!stream.good()) {
26 throw Stream_IO_Error("Pipe output operator (iostream) has failed");
27 }
28 return stream;
29}
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:280

References cast_uint8_ptr_to_char(), DefaultBufferSize, Botan::Pipe::read(), and Botan::Pipe::remaining().

◆ operator<<() [9/12]

std::ostream & Botan::operator<< ( std::ostream & stream,
const BigInt & n )

Definition at line 17 of file big_io.cpp.

17 {
18 const auto stream_flags = stream.flags();
19 // NOLINTNEXTLINE(*-non-zero-enum-to-bool-conversion)
20 if(stream_flags & std::ios::oct) {
21 throw Invalid_Argument("Octal output of BigInt not supported");
22 }
23
24 // NOLINTNEXTLINE(*-non-zero-enum-to-bool-conversion)
25 const size_t base = (stream_flags & std::ios::hex) ? 16 : 10;
26
27 if(base == 10) {
28 stream << n.to_dec_string();
29 } else {
30 stream << n.to_hex_string();
31 }
32
33 if(!stream.good()) {
34 throw Stream_IO_Error("BigInt output operator has failed");
35 }
36 return stream;
37}
std::string to_dec_string() const
Definition big_code.cpp:37
std::string to_hex_string() const
Definition big_code.cpp:102

References Botan::BigInt::to_dec_string(), and Botan::BigInt::to_hex_string().

◆ operator<<() [10/12]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator<< ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 476 of file strong_type.h.

476 {
477 return Strong<T, Tags...>(a.get() << b.get());
478}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [11/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator<< ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 471 of file strong_type.h.

471 {
472 return Strong<T1, Tags...>(a.get() << b);
473}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [12/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator<< ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 465 of file strong_type.h.

465 {
466 return Strong<T2, Tags...>(a << b.get());
467}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator<<= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 592 of file strong_type.h.

592 {
593 a.get() <<= b.get();
594 return a;
595}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator<<= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 586 of file strong_type.h.

586 {
587 a.get() <<= b;
588 return a;
589}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=() [1/3]

bool Botan::operator<= ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 268 of file asn1_time.cpp.

268 {
269 return (t1.cmp(t2) <= 0);
270}

References Botan::ASN1_Time::cmp().

◆ operator<=() [2/3]

bool Botan::operator<= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1128 of file bigint.h.

1128 {
1129 return (a.cmp(b) <= 0);
1130}
int32_t cmp(const BigInt &n, bool check_signs=true) const
Definition bigint.cpp:141

References Botan::BigInt::cmp().

◆ operator<=() [3/3]

bool Botan::operator<= ( const BigInt & a,
word b )
inline

Definition at line 1152 of file bigint.h.

1152 {
1153 return (a.cmp_word(b) <= 0);
1154}

References Botan::BigInt::cmp_word().

◆ operator<=>() [1/3]

template<typename T, typename... Tags>
requires (std::three_way_comparable<T>)
auto Botan::operator<=> ( const Strong< T, Tags... > & lhs,
const Strong< T, Tags... > & rhs )

Definition at line 303 of file strong_type.h.

303 {
304 return lhs.get() <=> rhs.get();
305}

References Botan::detail::Strong_Base< T >::get(), and operator<=>().

Referenced by operator<=>().

◆ operator<=>() [2/3]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator<=> ( Strong< T1, Tags... > a,
T2 b )

Definition at line 313 of file strong_type.h.

313 {
314 return a.get() <=> b;
315}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=>() [3/3]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator<=> ( T1 a,
Strong< T2, Tags... > b )

Definition at line 308 of file strong_type.h.

308 {
309 return a <=> b.get();
310}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [1/13]

bool Botan::operator== ( const AlgorithmIdentifier & a1,
const AlgorithmIdentifier & a2 )

Definition at line 54 of file alg_id.cpp.

54 {
55 if(a1.oid() != a2.oid()) {
56 return false;
57 }
58
59 /*
60 * Treat NULL and empty as equivalent
61 */
63 return true;
64 }
65
66 return (a1.parameters() == a2.parameters());
67}
bool parameters_are_null_or_empty() const
Definition asn1_obj.h:486
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:474

References Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), and Botan::AlgorithmIdentifier::parameters_are_null_or_empty().

◆ operator==() [2/13]

bool Botan::operator== ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 260 of file asn1_time.cpp.

260 {
261 return (t1.cmp(t2) == 0);
262}

References Botan::ASN1_Time::cmp().

◆ operator==() [3/13]

bool Botan::operator== ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1120 of file bigint.h.

1120 {
1121 return a.is_equal(b);
1122}

◆ operator==() [4/13]

bool Botan::operator== ( const BigInt & a,
word b )
inline

Definition at line 1144 of file bigint.h.

1144 {
1145 return (a.cmp_word(b) == 0);
1146}

References Botan::BigInt::cmp_word().

◆ operator==() [5/13]

◆ operator==() [6/13]

bool Botan::operator== ( const CRL_Entry & ,
const CRL_Entry &  )

Test two CRL entries for equality in all fields.

Definition at line 42 of file crl_ent.cpp.

42 {
43 if(a1.serial_number() != a2.serial_number()) {
44 return false;
45 }
46 if(a1.expire_time() != a2.expire_time()) {
47 return false;
48 }
49 if(a1.reason_code() != a2.reason_code()) {
50 return false;
51 }
52 return true;
53}
CRL_Code reason_code() const
Definition crl_ent.cpp:143
const X509_Time & expire_time() const
Definition crl_ent.cpp:139
const std::vector< uint8_t > & serial_number() const
Definition crl_ent.cpp:135

References Botan::CRL_Entry::expire_time(), Botan::CRL_Entry::reason_code(), and Botan::CRL_Entry::serial_number().

◆ operator==() [7/13]

bool Botan::operator== ( const OctetString & x,
const OctetString & y )

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is equal to y

Definition at line 85 of file symkey.cpp.

85 {
86 return (s1.bits_of() == s2.bits_of());
87}

References Botan::OctetString::bits_of().

◆ operator==() [8/13]

template<typename T, typename U>
bool Botan::operator== ( const secure_allocator< T > & ,
const secure_allocator< U > &  )
inline

Definition at line 55 of file secmem.h.

55 {
56 return true;
57}

◆ operator==() [9/13]

template<typename T, typename... Tags>
requires (std::equality_comparable<T>)
bool Botan::operator== ( const Strong< T, Tags... > & lhs,
const Strong< T, Tags... > & rhs )

Definition at line 297 of file strong_type.h.

297 {
298 return lhs.get() == rhs.get();
299}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [10/13]

template<bitvectorish T1, bitvectorish T2>
bool Botan::operator== ( const T1 & lhs,
const T2 & rhs )

Definition at line 1343 of file bitvector.h.

1343 {
1344 return lhs.equals_vartime(rhs);
1345}

◆ operator==() [11/13]

bool Botan::operator== ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 220 of file x509_dn.cpp.

220 {
221 auto attr1 = dn1.get_attributes();
222 auto attr2 = dn2.get_attributes();
223
224 if(attr1.size() != attr2.size()) {
225 return false;
226 }
227
228 auto p1 = attr1.begin();
229 auto p2 = attr2.begin();
230
231 while(true) {
232 if(p1 == attr1.end() && p2 == attr2.end()) {
233 break;
234 }
235 if(p1 == attr1.end()) {
236 return false;
237 }
238 if(p2 == attr2.end()) {
239 return false;
240 }
241 if(p1->first != p2->first) {
242 return false;
243 }
244 if(!x500_name_cmp(p1->second, p2->second)) {
245 return false;
246 }
247 ++p1;
248 ++p2;
249 }
250 return true;
251}

References Botan::X509_DN::get_attributes().

◆ operator==() [12/13]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator== ( Strong< T1, Tags... > a,
T2 b )

Definition at line 323 of file strong_type.h.

323 {
324 return a.get() == b;
325}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [13/13]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator== ( T1 a,
Strong< T2, Tags... > b )

Definition at line 318 of file strong_type.h.

318 {
319 return a == b.get();
320}

References Botan::detail::Strong_Base< T >::get().

◆ operator>() [1/3]

bool Botan::operator> ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 280 of file asn1_time.cpp.

280 {
281 return (t1.cmp(t2) > 0);
282}

References Botan::ASN1_Time::cmp().

◆ operator>() [2/3]

bool Botan::operator> ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1140 of file bigint.h.

1140 {
1141 return b.is_less_than(a);
1142}

References Botan::BigInt::is_less_than().

◆ operator>() [3/3]

bool Botan::operator> ( const BigInt & a,
word b )
inline

Definition at line 1164 of file bigint.h.

1164 {
1165 return (a.cmp_word(b) > 0);
1166}

References Botan::BigInt::cmp_word().

◆ operator>=() [1/3]

bool Botan::operator>= ( const ASN1_Time & t1,
const ASN1_Time & t2 )

Definition at line 272 of file asn1_time.cpp.

272 {
273 return (t1.cmp(t2) >= 0);
274}

References Botan::ASN1_Time::cmp().

◆ operator>=() [2/3]

bool Botan::operator>= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1132 of file bigint.h.

1132 {
1133 return (a.cmp(b) >= 0);
1134}

References Botan::BigInt::cmp().

◆ operator>=() [3/3]

bool Botan::operator>= ( const BigInt & a,
word b )
inline

Definition at line 1156 of file bigint.h.

1156 {
1157 return (a.cmp_word(b) >= 0);
1158}

References Botan::BigInt::cmp_word().

◆ operator>>() [1/8]

BigInt Botan::operator>> ( const BigInt & x,
size_t shift )

Definition at line 187 of file big_ops3.cpp.

187 {
188 const size_t shift_words = shift / WordInfo<word>::bits;
189 const size_t x_sw = x.sig_words();
190
191 if(shift_words >= x_sw) {
192 return BigInt::zero();
193 }
194
195 BigInt y = BigInt::with_capacity(x_sw - shift_words);
196 bigint_shr2(y.mutable_data(), x._data(), x_sw, shift);
197
198 if(x.is_negative() && y.is_zero()) {
199 y.set_sign(BigInt::Positive);
200 } else {
201 y.set_sign(x.sign());
202 }
203
204 return y;
205}

References Botan::BigInt::_data(), bigint_shr2(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::with_capacity(), and Botan::BigInt::zero().

◆ operator>>() [2/8]

int Botan::operator>> ( int in,
Pipe & pipe )

File descriptor input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
infile descriptor for an open input stream
pipethe pipe

Definition at line 39 of file fd_unix.cpp.

39 {
41 while(true) {
42 ssize_t ret = ::read(fd, buffer.data(), buffer.size());
43 if(ret < 0) {
44 throw Stream_IO_Error("Pipe input operator (unixfd) has failed");
45 } else if(ret == 0) {
46 break;
47 }
48 pipe.write(buffer.data(), static_cast<size_t>(ret));
49 }
50 return fd;
51}
void write(const uint8_t in[], size_t length)
Definition pipe_rw.cpp:37

References DefaultBufferSize, and Botan::Pipe::write().

◆ operator>>() [3/8]

std::istream & Botan::operator>> ( std::istream & in,
Pipe & pipe )

Stream input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
inthe input stream
pipethe pipe

Definition at line 34 of file pipe_io.cpp.

34 {
36 while(stream.good()) {
37 stream.read(cast_uint8_ptr_to_char(buffer.data()), buffer.size());
38 const size_t got = static_cast<size_t>(stream.gcount());
39 pipe.write(buffer.data(), got);
40 }
41 if(stream.bad() || (stream.fail() && !stream.eof())) {
42 throw Stream_IO_Error("Pipe input operator (iostream) has failed");
43 }
44 return stream;
45}

References cast_uint8_ptr_to_char(), DefaultBufferSize, and Botan::Pipe::write().

◆ operator>>() [4/8]

std::istream & Botan::operator>> ( std::istream & in,
X509_DN & dn )

Definition at line 428 of file x509_dn.cpp.

428 {
429 in >> std::noskipws;
430 do {
431 std::string key;
432 std::string val;
433 char c;
434
435 while(in.good()) {
436 in >> c;
437
438 if(std::isspace(c) && key.empty()) {
439 continue;
440 } else if(!std::isspace(c)) {
441 key.push_back(c);
442 break;
443 } else {
444 break;
445 }
446 }
447
448 while(in.good()) {
449 in >> c;
450
451 if(!std::isspace(c) && c != '=') {
452 key.push_back(c);
453 } else if(c == '=') {
454 break;
455 } else {
456 throw Invalid_Argument("Ill-formed X.509 DN");
457 }
458 }
459
460 bool in_quotes = false;
461 while(in.good()) {
462 in >> c;
463
464 if(std::isspace(c)) {
465 if(!in_quotes && !val.empty()) {
466 break;
467 } else if(in_quotes) {
468 val.push_back(' ');
469 }
470 } else if(c == '"') {
471 in_quotes = !in_quotes;
472 } else if(c == '\\') {
473 if(in.good()) {
474 in >> c;
475 }
476 val.push_back(c);
477 } else if(c == ',' && !in_quotes) {
478 break;
479 } else {
480 val.push_back(c);
481 }
482 }
483
484 if(!key.empty() && !val.empty()) {
486 } else {
487 break;
488 }
489 } while(in.good());
490 return in;
491}
void add_attribute(std::string_view key, std::string_view val)
Definition x509_dn.cpp:93
static std::string deref_info_field(std::string_view key)
Definition x509_dn.cpp:189

References Botan::X509_DN::add_attribute(), and Botan::X509_DN::deref_info_field().

◆ operator>>() [5/8]

std::istream & Botan::operator>> ( std::istream & stream,
BigInt & n )

Definition at line 42 of file big_io.cpp.

42 {
43 std::string str;
44 std::getline(stream, str);
45 if(stream.bad() || (stream.fail() && !stream.eof())) {
46 throw Stream_IO_Error("BigInt input operator has failed");
47 }
48 n = BigInt(str);
49 return stream;
50}

◆ operator>>() [6/8]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator>> ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 459 of file strong_type.h.

459 {
460 return Strong<T, Tags...>(a.get() >> b.get());
461}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>() [7/8]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator>> ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 454 of file strong_type.h.

454 {
455 return Strong<T1, Tags...>(a.get() >> b);
456}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>() [8/8]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator>> ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 448 of file strong_type.h.

448 {
449 return Strong<T2, Tags...>(a >> b.get());
450}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator>>= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 579 of file strong_type.h.

579 {
580 a.get() >>= b.get();
581 return a;
582}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator>>= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 573 of file strong_type.h.

573 {
574 a.get() >>= b;
575 return a;
576}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [1/5]

OctetString Botan::operator^ ( const OctetString & x,
const OctetString & y )

XOR two strings

Parameters
xan octet string
yan octet string
Returns
x XORed with y

Definition at line 109 of file symkey.cpp.

109 {
110 secure_vector<uint8_t> out(std::max(k1.length(), k2.length()));
111
112 copy_mem(out.data(), k1.begin(), k1.length());
113 xor_buf(out.data(), k2.begin(), k2.length());
114 return OctetString(out);
115}

References Botan::OctetString::begin(), copy_mem(), Botan::OctetString::length(), OctetString, and xor_buf().

◆ operator^() [2/5]

template<bitvectorish T1, bitvectorish T2>
auto Botan::operator^ ( const T1 & lhs,
const T2 & rhs )

Definition at line 1336 of file bitvector.h.

1336 {
1337 auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
1338 res ^= rhs;
1339 return res;
1340}

References Botan::detail::copy_lhs_allocator_aware().

◆ operator^() [3/5]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator^ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 408 of file strong_type.h.

408 {
409 return Strong<T, Tags...>(a.get() ^ b.get());
410}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator^ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 403 of file strong_type.h.

403 {
404 return Strong<T1, Tags...>(a.get() ^ b);
405}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator^ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 397 of file strong_type.h.

397 {
398 return Strong<T2, Tags...>(a ^ b.get());
399}

References Botan::detail::Strong_Base< T >::get().

◆ operator^=() [1/3]

template<typename Alloc, typename Alloc2>
std::vector< uint8_t, Alloc > & Botan::operator^= ( std::vector< uint8_t, Alloc > & out,
const std::vector< uint8_t, Alloc2 > & in )

Definition at line 448 of file mem_ops.h.

448 {
449 if(out.size() < in.size()) {
450 out.resize(in.size());
451 }
452
453 xor_buf(std::span{out}.first(in.size()), in);
454 return out;
455}

References xor_buf().

◆ operator^=() [2/3]

template<std::integral T, typename... Tags>
auto Botan::operator^= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 540 of file strong_type.h.

540 {
541 a.get() ^= b.get();
542 return a;
543}

References Botan::detail::Strong_Base< T >::get().

◆ operator^=() [3/3]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator^= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 534 of file strong_type.h.

534 {
535 a.get() ^= b;
536 return a;
537}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [1/11]

ASN1_Class Botan::operator| ( ASN1_Class x,
ASN1_Class y )
inline

Definition at line 79 of file asn1_obj.h.

79 {
80 return static_cast<ASN1_Class>(static_cast<uint32_t>(x) | static_cast<uint32_t>(y));
81}
ASN1_Class
Definition asn1_obj.h:29

◆ operator|() [2/11]

uint32_t Botan::operator| ( ASN1_Class x,
ASN1_Type y )
inline

Definition at line 87 of file asn1_obj.h.

87 {
88 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
89}

◆ operator|() [3/11]

uint32_t Botan::operator| ( ASN1_Type x,
ASN1_Class y )
inline

Definition at line 83 of file asn1_obj.h.

83 {
84 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
85}

◆ operator|() [4/11]

ASN1_Type Botan::operator| ( ASN1_Type x,
ASN1_Type y )
inline

Definition at line 75 of file asn1_obj.h.

75 {
76 return static_cast<ASN1_Type>(static_cast<uint32_t>(x) | static_cast<uint32_t>(y));
77}
ASN1_Type
Definition asn1_obj.h:44

◆ operator|() [5/11]

donna128 Botan::operator| ( const donna128 & x,
const donna128 & y )
inlineconstexpr

Definition at line 125 of file donna128.h.

125 {
126 return donna128(x.lo() | y.lo(), x.hi() | y.hi());
127}

References Botan::donna128::hi(), and Botan::donna128::lo().

◆ operator|() [6/11]

donna128 Botan::operator| ( const donna128 & x,
uint64_t y )
inlineconstexpr

Definition at line 129 of file donna128.h.

129 {
130 return donna128(x.lo() | y, x.hi());
131}

References Botan::donna128::hi(), and Botan::donna128::lo().

◆ operator|() [7/11]

template<bitvectorish T1, bitvectorish T2>
auto Botan::operator| ( const T1 & lhs,
const T2 & rhs )

Definition at line 1322 of file bitvector.h.

1322 {
1323 auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
1324 res |= rhs;
1325 return res;
1326}

References Botan::detail::copy_lhs_allocator_aware().

◆ operator|() [8/11]

ECIES_Flags Botan::operator| ( ECIES_Flags a,
ECIES_Flags b )
inline

Definition at line 65 of file ecies.h.

65 {
66 // NOLINTNEXTLINE(clang-analyzer-optin.core.EnumCastOutOfRange)
67 return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) | static_cast<uint32_t>(b));
68}

◆ operator|() [9/11]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator| ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 442 of file strong_type.h.

442 {
443 return Strong<T, Tags...>(a.get() | b.get());
444}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [10/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator| ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 437 of file strong_type.h.

437 {
438 return Strong<T1, Tags...>(a.get() | b);
439}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [11/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator| ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 431 of file strong_type.h.

431 {
432 return Strong<T2, Tags...>(a | b.get());
433}

References Botan::detail::Strong_Base< T >::get().

◆ operator|=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator|= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 566 of file strong_type.h.

566 {
567 a.get() |= b.get();
568 return a;
569}

References Botan::detail::Strong_Base< T >::get().

◆ operator|=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator|= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 560 of file strong_type.h.

560 {
561 a.get() |= b;
562 return a;
563}

References Botan::detail::Strong_Base< T >::get().

◆ OS2ECP() [1/3]

EC_Point Botan::OS2ECP ( const uint8_t data[],
size_t data_len,
const CurveGFp & curve )

Perform point decoding Use EC_Group::OS2ECP instead

Definition at line 850 of file ec_point.cpp.

850 {
851 if(data_len == 1 && data[0] == 0) {
852 // SEC1 standard representation of the point at infinity
853 return EC_Point(curve);
854 }
855
856 const auto [g_x, g_y] = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b());
857
858 EC_Point point(curve, g_x, g_y);
859
860 if(!point.on_the_curve()) {
861 throw Decoding_Error("OS2ECP: Decoded point was not on the curve");
862 }
863
864 return point;
865}
const BigInt & get_a() const
Definition ec_point.cpp:37
const BigInt & get_p() const
Definition ec_point.cpp:45
const BigInt & get_b() const
Definition ec_point.cpp:41
EC_Point OS2ECP(std::span< const uint8_t > data, const CurveGFp &curve)
Definition ec_point.cpp:846

References Botan::CurveGFp::get_a(), Botan::CurveGFp::get_b(), Botan::CurveGFp::get_p(), Botan::EC_Point::on_the_curve(), and OS2ECP().

◆ OS2ECP() [2/3]

std::pair< BigInt, BigInt > BOTAN_UNSTABLE_API Botan::OS2ECP ( const uint8_t data[],
size_t data_len,
const BigInt & curve_p,
const BigInt & curve_a,
const BigInt & curve_b )

Perform point decoding

This is an internal function which was accidentally made public. Do not use it; it will be removed in Botan4.

Parameters
datathe encoded point
data_lenlength of data in bytes
curve_pthe curve equation prime
curve_athe curve equation a parameter
curve_bthe curve equation b parameter

Definition at line 867 of file ec_point.cpp.

867 {
868 if(pt_len <= 1) {
869 throw Decoding_Error("OS2ECP invalid point encoding");
870 }
871
872 const uint8_t pc = pt[0];
873 const size_t p_bytes = p.bytes();
874
875 BigInt x, y;
876
877 if(pc == 2 || pc == 3) {
878 if(pt_len != 1 + p_bytes) {
879 throw Decoding_Error("OS2ECP invalid point encoding");
880 }
881 x = BigInt::decode(&pt[1], pt_len - 1);
882
883 const bool y_mod_2 = ((pc & 0x01) == 1);
884 y = decompress_point(y_mod_2, x, p, a, b);
885 } else if(pc == 4) {
886 if(pt_len != 1 + 2 * p_bytes) {
887 throw Decoding_Error("OS2ECP invalid point encoding");
888 }
889
890 x = BigInt::decode(&pt[1], p_bytes);
891 y = BigInt::decode(&pt[p_bytes + 1], p_bytes);
892 } else if(pc == 6 || pc == 7) {
893 if(pt_len != 1 + 2 * p_bytes) {
894 throw Decoding_Error("OS2ECP invalid point encoding");
895 }
896
897 x = BigInt::decode(&pt[1], p_bytes);
898 y = BigInt::decode(&pt[p_bytes + 1], p_bytes);
899
900 const bool y_mod_2 = ((pc & 0x01) == 1);
901
902 if(decompress_point(y_mod_2, x, p, a, b) != y) {
903 throw Decoding_Error("OS2ECP: Decoding error in hybrid format");
904 }
905 } else {
906 throw Decoding_Error("OS2ECP: Unknown format type " + std::to_string(static_cast<int>(pc)));
907 }
908
909 if(x >= p || y >= p) {
910 throw Decoding_Error("OS2ECP invalid point encoding");
911 }
912
913 return std::make_pair(x, y);
914}
static BigInt decode(const uint8_t buf[], size_t length)
Definition bigint.h:857

References Botan::BigInt::bytes(), and Botan::BigInt::decode().

◆ OS2ECP() [3/3]

EC_Point BOTAN_UNSTABLE_API Botan::OS2ECP ( std::span< const uint8_t > data,
const CurveGFp & curve )

Definition at line 846 of file ec_point.cpp.

846 {
847 return OS2ECP(data.data(), data.size(), curve);
848}

References OS2ECP().

Referenced by OS2ECP(), OS2ECP(), and Botan::EC_Group_Data::point_deserialize().

◆ out_opt()

template<typename T>
requires std::is_default_constructible_v<T>
auto Botan::out_opt ( std::optional< T > & outopt)
nodiscardconstexprnoexcept

Definition at line 448 of file stl_util.h.

448 {
449 class out_opt_t {
450 public:
451 constexpr ~out_opt_t() noexcept { m_opt = m_raw; }
452
453 constexpr out_opt_t(std::optional<T>& outopt) noexcept : m_opt(outopt) {}
454
455 out_opt_t(const out_opt_t&) = delete;
456 out_opt_t(out_opt_t&&) = delete;
457 out_opt_t& operator=(const out_opt_t&) = delete;
458 out_opt_t& operator=(out_opt_t&&) = delete;
459
460 [[nodiscard]] constexpr operator T*() && noexcept { return &m_raw; }
461
462 private:
463 std::optional<T>& m_opt;
464 T m_raw;
465 };
466
467 return out_opt_t{outopt};
468}

◆ out_ptr()

template<typename T>
auto Botan::out_ptr ( T & outptr)
nodiscardconstexprnoexcept

Definition at line 421 of file stl_util.h.

421 {
422 class out_ptr_t {
423 public:
424 constexpr ~out_ptr_t() noexcept {
425 m_ptr.reset(m_rawptr);
426 m_rawptr = nullptr;
427 }
428
429 constexpr out_ptr_t(T& outptr) noexcept : m_ptr(outptr), m_rawptr(nullptr) {}
430
431 out_ptr_t(const out_ptr_t&) = delete;
432 out_ptr_t(out_ptr_t&&) = delete;
433 out_ptr_t& operator=(const out_ptr_t&) = delete;
434 out_ptr_t& operator=(out_ptr_t&&) = delete;
435
436 [[nodiscard]] constexpr operator typename T::element_type **() && noexcept { return &m_rawptr; }
437
438 private:
439 T& m_ptr;
440 typename T::element_type* m_rawptr;
441 };
442
443 return out_ptr_t{outptr};
444}

Referenced by Botan::TPM2::Object::_public_info(), base_decode(), Botan::TPM2::PrivateKey::create_transient_from_template(), Botan::TPM2::HashFunction::final_with_ticket(), hex_decode(), Botan::TPM2::Signature_Operation::sign(), Botan::TLS::Extensions::take(), and Botan::TPM2::Session::tpm_nonce().

◆ overloaded()

template<class... Ts>
Botan::overloaded ( Ts... ) -> overloaded< Ts... >

◆ parse_algorithm_name()

std::vector< std::string > Botan::parse_algorithm_name ( std::string_view scan_name)

Parse a SCAN-style algorithm name

Parameters
scan_namethe name
Returns
the name components

Definition at line 57 of file parsing.cpp.

57 {
58 if(namex.find('(') == std::string::npos && namex.find(')') == std::string::npos) {
59 return {std::string(namex)};
60 }
61
62 std::string name(namex);
63 std::string substring;
64 std::vector<std::string> elems;
65 size_t level = 0;
66
67 elems.push_back(name.substr(0, name.find('(')));
68 name = name.substr(name.find('('));
69
70 for(auto i = name.begin(); i != name.end(); ++i) {
71 char c = *i;
72
73 if(c == '(') {
74 ++level;
75 }
76 if(c == ')') {
77 if(level == 1 && i == name.end() - 1) {
78 if(elems.size() == 1) {
79 elems.push_back(substring.substr(1));
80 } else {
81 elems.push_back(substring);
82 }
83 return elems;
84 }
85
86 if(level == 0 || (level == 1 && i != name.end() - 1)) {
87 throw Invalid_Algorithm_Name(namex);
88 }
89 --level;
90 }
91
92 if(c == ',' && level == 1) {
93 if(elems.size() == 1) {
94 elems.push_back(substring.substr(1));
95 } else {
96 elems.push_back(substring);
97 }
98 substring.clear();
99 } else {
100 substring += c;
101 }
102 }
103
104 if(!substring.empty()) {
105 throw Invalid_Algorithm_Name(namex);
106 }
107
108 return elems;
109}

Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), and Botan::EME::create().

◆ passes_miller_rabin_test()

bool Botan::passes_miller_rabin_test ( const BigInt & n,
const Barrett_Reduction & mod_n,
const std::shared_ptr< Montgomery_Params > & monty_n,
const BigInt & a )

Perform a single Miller-Rabin test with specified base

Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
monty_nMontgomery parameters for n
athe base to check
Returns
result of primality test

Definition at line 108 of file primality.cpp.

111 {
112 if(n < 3 || n.is_even()) {
113 return false;
114 }
115
116 BOTAN_ASSERT_NOMSG(n > 1);
117
118 const BigInt n_minus_1 = n - 1;
119 const size_t s = low_zero_bits(n_minus_1);
120 const BigInt nm1_s = n_minus_1 >> s;
121 const size_t n_bits = n.bits();
122
123 const size_t powm_window = 4;
124
125 auto powm_a_n = monty_precompute(monty_n, a, powm_window);
126
127 BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits).value();
128
129 if(y == 1 || y == n_minus_1) {
130 return true;
131 }
132
133 for(size_t i = 1; i != s; ++i) {
134 y = mod_n.square(y);
135
136 if(y == 1) { // found a non-trivial square root
137 return false;
138 }
139
140 /*
141 -1 is the trivial square root of unity, so ``a`` is not a
142 witness for this number - give up
143 */
144 if(y == n_minus_1) {
145 return true;
146 }
147 }
148
149 return false;
150}
BigInt square(const BigInt &x) const
Definition barrett.cpp:179
BigInt value() const
Definition monty.cpp:323

References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::BigInt::is_even(), low_zero_bits(), monty_execute(), monty_precompute(), Botan::Barrett_Reduction::square(), and Botan::Montgomery_Int::value().

Referenced by is_bailie_psw_probable_prime(), and is_miller_rabin_probable_prime().

◆ pbes2_decrypt()

secure_vector< uint8_t > Botan::pbes2_decrypt ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
const std::vector< uint8_t > & params )

Decrypt a PKCS #5 v2.0 encrypted stream

Parameters
key_bitsthe input
passphrasethe passphrase to use for decryption
paramsthe PBES2 parameters

Definition at line 280 of file pbes2.cpp.

282 {
283 AlgorithmIdentifier kdf_algo, enc_algo;
284
285 BER_Decoder(params).start_sequence().decode(kdf_algo).decode(enc_algo).end_cons();
286
287 const std::string cipher = enc_algo.oid().human_name_or_empty();
288 const auto cipher_spec = split_on(cipher, '/');
289 if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1])) {
290 throw Decoding_Error(fmt("PBE-PKCS5 v2.0: Unknown/invalid cipher OID {}", enc_algo.oid()));
291 }
292
294 BER_Decoder(enc_algo.parameters()).decode(iv, ASN1_Type::OctetString).verify_end();
295
297 if(!dec) {
298 throw Decoding_Error(fmt("PBE-PKCS5 cannot decrypt no cipher '{}'", cipher));
299 }
300
301 dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));
302
303 dec->start(iv);
304
305 secure_vector<uint8_t> buf(key_bits.begin(), key_bits.end());
306 dec->finish(buf);
307
308 return buf;
309}
BER_Decoder & decode(bool &out)
Definition ber_dec.h:185
BER_Decoder & end_cons()
Definition ber_dec.cpp:309
BER_Decoder start_sequence()
Definition ber_dec.h:122
std::string human_name_or_empty() const
Definition asn1_oid.cpp:147

References Botan::Cipher_Mode::create(), Botan::BER_Decoder::decode(), Decryption, Botan::BER_Decoder::end_cons(), fmt(), Botan::OID::human_name_or_empty(), OctetString, Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), split_on(), Botan::BER_Decoder::start_sequence(), and Botan::BER_Decoder::verify_end().

◆ pbes2_encrypt()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
std::chrono::milliseconds msec,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 242 of file pbes2.cpp.

247 {
248 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
249 return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
250 // return value msec_in_iterations_out discarded
251}

◆ pbes2_encrypt_iter()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_iter ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
size_t iterations,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
iterationshow many iterations to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 271 of file pbes2.cpp.

276 {
277 return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng);
278}

Referenced by Botan::PKCS8::BER_encode_encrypted_pbkdf_iter().

◆ pbes2_encrypt_msec()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_msec ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
std::chrono::milliseconds msec,
size_t * out_iterations_if_nonnull,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
out_iterations_if_nonnullif not null, set to the number of PBKDF iterations used
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 253 of file pbes2.cpp.

259 {
260 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
261
262 auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
263
264 if(out_iterations_if_nonnull) {
265 *out_iterations_if_nonnull = msec_in_iterations_out;
266 }
267
268 return ret;
269}

Referenced by Botan::PKCS8::BER_encode(), and Botan::PKCS8::BER_encode_encrypted_pbkdf_msec().

◆ pbkdf2() [1/2]

void Botan::pbkdf2 ( MessageAuthenticationCode & prf,
uint8_t out[],
size_t out_len,
const uint8_t salt[],
size_t salt_len,
size_t iterations )

Perform PBKDF2. The prf is assumed to be keyed already.

Definition at line 90 of file pbkdf2.cpp.

95 {
96 if(iterations == 0) {
97 throw Invalid_Argument("PBKDF2: Invalid iteration count");
98 }
99
100 clear_mem(out, out_len);
101
102 if(out_len == 0) {
103 return;
104 }
105
106 const size_t prf_sz = prf.output_length();
107 BOTAN_ASSERT_NOMSG(prf_sz > 0);
108
109 secure_vector<uint8_t> U(prf_sz);
110
111 uint32_t counter = 1;
112 while(out_len) {
113 const size_t prf_output = std::min<size_t>(prf_sz, out_len);
114
115 prf.update(salt, salt_len);
116 prf.update_be(counter++);
117 prf.final(U.data());
118
119 xor_buf(out, U.data(), prf_output);
120
121 for(size_t i = 1; i != iterations; ++i) {
122 prf.update(U);
123 prf.final(U.data());
124 xor_buf(out, U.data(), prf_output);
125 }
126
127 out_len -= prf_output;
128 out += prf_output;
129 }
130}

References BOTAN_ASSERT_NOMSG, clear_mem(), Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

◆ pbkdf2() [2/2]

size_t Botan::pbkdf2 ( MessageAuthenticationCode & prf,
uint8_t out[],
size_t out_len,
std::string_view password,
const uint8_t salt[],
size_t salt_len,
size_t iterations,
std::chrono::milliseconds msec )

Definition at line 71 of file pbkdf2.cpp.

78 {
79 if(iterations == 0) {
80 iterations = tune_pbkdf2(prf, out_len, msec);
81 }
82
83 PBKDF2 pbkdf2(prf, iterations);
84
85 pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
86
87 return iterations;
88}
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition pbkdf2.cpp:71

References pbkdf2().

Referenced by Botan::PBKDF2::derive_key(), Botan::Scrypt::derive_key(), Botan::PKCS5_PBKDF2::pbkdf(), and pbkdf2().

◆ pkcs_hash_id()

std::vector< uint8_t > BOTAN_TEST_API Botan::pkcs_hash_id ( std::string_view hash_name)

Return the PKCS #1 hash identifier

See also
RFC 3447 section 9.2
Parameters
hash_namethe name of the hash function
Returns
uint8_t sequence identifying the hash
Exceptions
Invalid_Argumentif the hash has no known PKCS #1 hash id

Definition at line 78 of file hash_id.cpp.

78 {
79 // Special case for SSL/TLS RSA signatures
80 if(name == "Parallel(MD5,SHA-1)") {
81 return std::vector<uint8_t>();
82 }
83
84 // If you add a value to this function, also update test_hash_id.cpp
85
86 if(name == "MD5") {
87 return std::vector<uint8_t>(MD5_PKCS_ID, MD5_PKCS_ID + sizeof(MD5_PKCS_ID));
88 }
89
90 if(name == "RIPEMD-160") {
91 return std::vector<uint8_t>(RIPEMD_160_PKCS_ID, RIPEMD_160_PKCS_ID + sizeof(RIPEMD_160_PKCS_ID));
92 }
93
94 if(name == "SHA-1") {
95 return std::vector<uint8_t>(SHA_1_PKCS_ID, SHA_1_PKCS_ID + sizeof(SHA_1_PKCS_ID));
96 }
97
98 if(name == "SHA-224") {
99 return std::vector<uint8_t>(SHA_224_PKCS_ID, SHA_224_PKCS_ID + sizeof(SHA_224_PKCS_ID));
100 }
101
102 if(name == "SHA-256") {
103 return std::vector<uint8_t>(SHA_256_PKCS_ID, SHA_256_PKCS_ID + sizeof(SHA_256_PKCS_ID));
104 }
105
106 if(name == "SHA-384") {
107 return std::vector<uint8_t>(SHA_384_PKCS_ID, SHA_384_PKCS_ID + sizeof(SHA_384_PKCS_ID));
108 }
109
110 if(name == "SHA-512") {
111 return std::vector<uint8_t>(SHA_512_PKCS_ID, SHA_512_PKCS_ID + sizeof(SHA_512_PKCS_ID));
112 }
113
114 if(name == "SHA-512-256") {
115 return std::vector<uint8_t>(SHA_512_256_PKCS_ID, SHA_512_256_PKCS_ID + sizeof(SHA_512_256_PKCS_ID));
116 }
117
118 if(name == "SHA-3(224)") {
119 return std::vector<uint8_t>(SHA3_224_PKCS_ID, SHA3_224_PKCS_ID + sizeof(SHA3_224_PKCS_ID));
120 }
121
122 if(name == "SHA-3(256)") {
123 return std::vector<uint8_t>(SHA3_256_PKCS_ID, SHA3_256_PKCS_ID + sizeof(SHA3_256_PKCS_ID));
124 }
125
126 if(name == "SHA-3(384)") {
127 return std::vector<uint8_t>(SHA3_384_PKCS_ID, SHA3_384_PKCS_ID + sizeof(SHA3_384_PKCS_ID));
128 }
129
130 if(name == "SHA-3(512)") {
131 return std::vector<uint8_t>(SHA3_512_PKCS_ID, SHA3_512_PKCS_ID + sizeof(SHA3_512_PKCS_ID));
132 }
133
134 if(name == "SM3") {
135 return std::vector<uint8_t>(SM3_PKCS_ID, SM3_PKCS_ID + sizeof(SM3_PKCS_ID));
136 }
137
138 throw Invalid_Argument("No PKCS #1 identifier for " + std::string(name));
139}

Referenced by botan_pkcs_hash_id(), Botan::EMSA_PKCS1v15::EMSA_PKCS1v15(), and Botan::EMSA_PKCS1v15_Raw::EMSA_PKCS1v15_Raw().

◆ point_add()

template<typename ProjectivePoint, typename FieldElement>
ProjectivePoint Botan::point_add ( const ProjectivePoint & a,
const ProjectivePoint & b )
inlineconstexpr

Definition at line 145 of file pcurves_algos.h.

145 {
146 const auto a_is_identity = a.is_identity();
147 const auto b_is_identity = b.is_identity();
148
149 if((a_is_identity && b_is_identity).as_bool()) {
150 return a;
151 }
152
153 const auto Z1Z1 = a.z().square();
154 const auto Z2Z2 = b.z().square();
155 const auto U1 = a.x() * Z2Z2;
156 const auto U2 = b.x() * Z1Z1;
157 const auto S1 = a.y() * b.z() * Z2Z2;
158 const auto S2 = b.y() * a.z() * Z1Z1;
159 const auto H = U2 - U1;
160 const auto r = S2 - S1;
161
162 // If a == -b then H == 0 && r != 0, in which case
163 // at the end we'll set z = a.z * b.z * H = 0, resulting
164 // in the correct output (point at infinity)
165 if((r.is_zero() && H.is_zero()).as_bool()) {
166 return a.dbl();
167 }
168
169 const auto HH = H.square();
170 const auto HHH = H * HH;
171 const auto V = U1 * HH;
172 const auto t2 = r.square();
173 const auto t3 = V + V;
174 const auto t4 = t2 - HHH;
175 auto X3 = t4 - t3;
176 const auto t5 = V - X3;
177 const auto t6 = S1 * HHH;
178 const auto t7 = r * t5;
179 auto Y3 = t7 - t6;
180 const auto t8 = b.z() * H;
181 auto Z3 = a.z() * t8;
182
183 // if a is identity then return b
184 FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z());
185
186 // if b is identity then return a
187 FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z());
188
189 return ProjectivePoint(X3, Y3, Z3);
190}

◆ point_add_mixed()

template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
ProjectivePoint Botan::point_add_mixed ( const ProjectivePoint & a,
const AffinePoint & b,
const FieldElement & one )
inlineconstexpr

Definition at line 193 of file pcurves_algos.h.

195 {
196 const auto a_is_identity = a.is_identity();
197 const auto b_is_identity = b.is_identity();
198 if((a_is_identity && b_is_identity).as_bool()) {
199 return a;
200 }
201
202 /*
203 https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
204
205 Cost: 8M + 3S + 6add + 1*2
206 */
207
208 const auto Z1Z1 = a.z().square();
209 const auto U2 = b.x() * Z1Z1;
210 const auto S2 = b.y() * a.z() * Z1Z1;
211 const auto H = U2 - a.x();
212 const auto r = S2 - a.y();
213
214 // If r == H == 0 then we are in the doubling case
215 // For a == -b we compute the correct result because
216 // H will be zero, leading to Z3 being zero also
217 if((r.is_zero() && H.is_zero()).as_bool()) {
218 return a.dbl();
219 }
220
221 const auto HH = H.square();
222 const auto HHH = H * HH;
223 const auto V = a.x() * HH;
224 const auto t2 = r.square();
225 const auto t3 = V + V;
226 const auto t4 = t2 - HHH;
227 auto X3 = t4 - t3;
228 const auto t5 = V - X3;
229 const auto t6 = a.y() * HHH;
230 const auto t7 = r * t5;
231 auto Y3 = t7 - t6;
232 auto Z3 = a.z() * H;
233
234 // if a is identity then return b
235 FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), one);
236
237 // if b is identity then return a
238 FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z());
239
240 return ProjectivePoint(X3, Y3, Z3);
241}

◆ point_add_or_sub_mixed()

template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
ProjectivePoint Botan::point_add_or_sub_mixed ( const ProjectivePoint & a,
const AffinePoint & b,
CT::Choice sub,
const FieldElement & one )
inlineconstexpr

Definition at line 244 of file pcurves_algos.h.

247 {
248 const auto a_is_identity = a.is_identity();
249 const auto b_is_identity = b.is_identity();
250 if((a_is_identity && b_is_identity).as_bool()) {
251 return a;
252 }
253
254 /*
255 https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
256
257 Cost: 8M + 3S + 6add + 1*2
258 */
259
260 auto by = b.y();
261 by.conditional_assign(sub, by.negate());
262
263 const auto Z1Z1 = a.z().square();
264 const auto U2 = b.x() * Z1Z1;
265 const auto S2 = by * a.z() * Z1Z1;
266 const auto H = U2 - a.x();
267 const auto r = S2 - a.y();
268
269 // If r == H == 0 then we are in the doubling case
270 // For a == -b we compute the correct result because
271 // H will be zero, leading to Z3 being zero also
272 if((r.is_zero() && H.is_zero()).as_bool()) {
273 return a.dbl();
274 }
275
276 const auto HH = H.square();
277 const auto HHH = H * HH;
278 const auto V = a.x() * HH;
279 const auto t2 = r.square();
280 const auto t3 = V + V;
281 const auto t4 = t2 - HHH;
282 auto X3 = t4 - t3;
283 const auto t5 = V - X3;
284 const auto t6 = a.y() * HHH;
285 const auto t7 = r * t5;
286 auto Y3 = t7 - t6;
287 auto Z3 = a.z() * H;
288
289 // if a is identity then return b
290 FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one);
291
292 // if b is identity then return a
293 FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z());
294
295 return ProjectivePoint(X3, Y3, Z3);
296}

◆ poly_double_n() [1/2]

void Botan::poly_double_n ( uint8_t buf[],
size_t n )
inline

Definition at line 26 of file poly_dbl.h.

26 {
27 return poly_double_n(buf, buf, n);
28}
void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:81

References poly_double_n().

◆ poly_double_n() [2/2]

void BOTAN_TEST_API Botan::poly_double_n ( uint8_t out[],
const uint8_t in[],
size_t n )

Polynomial doubling in GF(2^n)

Definition at line 81 of file poly_dbl.cpp.

81 {
82 switch(n) {
83 case 8:
84 return poly_double<1, MinWeightPolynomial::P64>(out, in);
85 case 16:
86 return poly_double<2, MinWeightPolynomial::P128>(out, in);
87 case 24:
88 return poly_double<3, MinWeightPolynomial::P192>(out, in);
89 case 32:
90 return poly_double<4, MinWeightPolynomial::P256>(out, in);
91 case 64:
92 return poly_double<8, MinWeightPolynomial::P512>(out, in);
93 case 128:
94 return poly_double<16, MinWeightPolynomial::P1024>(out, in);
95 default:
96 throw Invalid_Argument("Unsupported size for poly_double_n");
97 }
98}

Referenced by poly_double_n(), and Botan::SIV_Mode::S2V().

◆ poly_double_n_le()

void BOTAN_TEST_API Botan::poly_double_n_le ( uint8_t out[],
const uint8_t in[],
size_t n )

Definition at line 100 of file poly_dbl.cpp.

100 {
101 switch(n) {
102 case 8:
103 return poly_double_le<1, MinWeightPolynomial::P64>(out, in);
104 case 16:
105 return poly_double_le<2, MinWeightPolynomial::P128>(out, in);
106 case 24:
107 return poly_double_le<3, MinWeightPolynomial::P192>(out, in);
108 case 32:
109 return poly_double_le<4, MinWeightPolynomial::P256>(out, in);
110 case 64:
111 return poly_double_le<8, MinWeightPolynomial::P512>(out, in);
112 case 128:
113 return poly_double_le<16, MinWeightPolynomial::P1024>(out, in);
114 default:
115 throw Invalid_Argument("Unsupported size for poly_double_n_le");
116 }
117}

Referenced by Botan::XTS_Mode::update_tweak(), and xts_update_tweak_block().

◆ poly_double_supported_size()

bool Botan::poly_double_supported_size ( size_t n)
inline

Returns true iff poly_double_n is implemented for this size.

Definition at line 22 of file poly_dbl.h.

22 {
23 return (n == 8 || n == 16 || n == 24 || n == 32 || n == 64 || n == 128);
24}

Referenced by Botan::CMAC::CMAC(), and Botan::XTS_Mode::XTS_Mode().

◆ power_mod()

BigInt Botan::power_mod ( const BigInt & b,
const BigInt & x,
const BigInt & m )

Modular exponentation

Parameters
ban integer base
xa positive exponent
ma positive modulus
Returns
(b^x) % m

Definition at line 284 of file numthry.cpp.

284 {
285 if(mod.is_negative() || mod == 1) {
286 return BigInt::zero();
287 }
288
289 if(base.is_zero() || mod.is_zero()) {
290 if(exp.is_zero()) {
291 return BigInt::one();
292 }
293 return BigInt::zero();
294 }
295
296 auto reduce_mod = Barrett_Reduction::for_secret_modulus(mod);
297
298 const size_t exp_bits = exp.bits();
299
300 if(mod.is_odd()) {
301 auto monty_params = std::make_shared<Montgomery_Params>(mod, reduce_mod);
302 return monty_exp(monty_params, ct_modulo(base, mod), exp, exp_bits).value();
303 }
304
305 /*
306 Support for even modulus is just a convenience and not considered
307 cryptographically important, so this implementation is slow ...
308 */
309 BigInt accum = BigInt::one();
310 BigInt g = ct_modulo(base, mod);
311 BigInt t;
312
313 for(size_t i = 0; i != exp_bits; ++i) {
314 t = reduce_mod.multiply(g, accum);
315 g = reduce_mod.square(g);
316 accum.ct_cond_assign(exp.get_bit(i), t);
317 }
318 return accum;
319}
Montgomery_Int monty_exp(const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
Definition monty_exp.h:48

References Botan::BigInt::bits(), Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::Barrett_Reduction::for_secret_modulus(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), monty_exp(), Botan::BigInt::one(), Botan::BigInt::square(), Botan::Montgomery_Int::value(), and Botan::BigInt::zero().

Referenced by botan_mp_powmod().

◆ prefetch_array_raw()

uint64_t Botan::prefetch_array_raw ( size_t bytes,
const void * array )
noexcept

Prefetch an array

This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.

Definition at line 14 of file prefetch.cpp.

14 {
15#if defined(__cpp_lib_hardware_interference_size)
16 const size_t cache_line_size = std::hardware_destructive_interference_size;
17#else
18 // We arbitrarily use a 64 byte cache line, which is by far the most
19 // common size.
20 //
21 // Runtime detection adds too much overhead to this function.
22 const size_t cache_line_size = 64;
23#endif
24
25 const uint8_t* array = static_cast<const uint8_t*>(arrayv);
26
27 volatile uint64_t combiner = 1;
28
29 for(size_t idx = 0; idx < bytes; idx += cache_line_size) {
30#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_prefetch)
31 // we have no way of knowing if the compiler will emit anything here
32 __builtin_prefetch(&array[idx]);
33#endif
34
35 combiner = combiner | array[idx];
36 }
37
38 /*
39 * The combiner variable is initialized with 1, and we accumulate using OR, so
40 * now combiner must be a value other than zero. This being the case we will
41 * always return zero here. Hopefully the compiler will not figure this out.
42 */
43 return ct_is_zero(combiner);
44}

References ct_is_zero().

Referenced by prefetch_arrays().

◆ prefetch_arrays()

template<typename T, size_t... Ns>
requires std::is_integral<T>::value
T Botan::prefetch_arrays ( T(&... arr) [Ns])
noexcept

Prefetch several arrays

This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.

Definition at line 34 of file prefetch.h.

36{
37 return (static_cast<T>(prefetch_array_raw(sizeof(T) * Ns, arr)) & ...);
38}
uint64_t prefetch_array_raw(size_t bytes, const void *arrayv) noexcept
Definition prefetch.cpp:14

References prefetch_array_raw().

Referenced by Botan::SEED::decrypt_n(), and Botan::SEED::encrypt_n().

◆ probe_provider_private_key()

std::vector< std::string > Botan::probe_provider_private_key ( std::string_view alg_name,
const std::vector< std::string > & possible )

Definition at line 730 of file pk_algs.cpp.

731 {
732 std::vector<std::string> providers;
733
734 for(auto&& prov : possible) {
735 if(prov == "base") {
736 providers.push_back(prov);
737 }
738 }
739
740 BOTAN_UNUSED(alg_name);
741
742 return providers;
743}

References BOTAN_UNUSED.

◆ probe_providers_of()

template<typename T>
std::vector< std::string > Botan::probe_providers_of ( std::string_view algo_spec,
const std::vector< std::string > & possible = {"base"} )

Definition at line 105 of file scan_name.h.

106 {"base"}) {
107 std::vector<std::string> providers;
108 for(auto&& prov : possible) {
109 auto o = T::create(algo_spec, prov);
110 if(o) {
111 providers.push_back(prov); // available
112 }
113 }
114 return providers;
115}

Referenced by Botan::BlockCipher::providers(), Botan::HashFunction::providers(), Botan::KDF::providers(), Botan::MessageAuthenticationCode::providers(), Botan::PasswordHashFamily::providers(), Botan::PBKDF::providers(), Botan::StreamCipher::providers(), and Botan::XOF::providers().

◆ random_code_element()

gf2m Botan::random_code_element ( uint16_t code_length,
RandomNumberGenerator & rng )

Definition at line 80 of file polyn_gf2m.cpp.

80 {
81 if(code_length == 0) {
82 throw Invalid_Argument("random_code_element() was supplied a code length of zero");
83 }
84 const unsigned nlz = nlz_16bit(code_length - 1);
85 const gf2m mask = (1 << (16 - nlz)) - 1;
86
87 gf2m result;
88
89 do {
90 result = random_gf2m(rng);
91 result &= mask;
92 } while(result >= code_length); // rejection sampling
93
94 return result;
95}
gf2m random_gf2m(RandomNumberGenerator &rng)

References random_gf2m().

Referenced by Botan::polyn_gf2m::polyn_gf2m().

◆ random_gf2m()

gf2m Botan::random_gf2m ( RandomNumberGenerator & rng)

Definition at line 74 of file polyn_gf2m.cpp.

74 {
75 uint8_t b[2];
76 rng.randomize(b, sizeof(b));
77 return make_uint16(b[1], b[0]);
78}
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition loadstor.h:92

References make_uint16(), and Botan::RandomNumberGenerator::randomize().

Referenced by random_code_element().

◆ random_prime()

BigInt Botan::random_prime ( RandomNumberGenerator & rng,
size_t bits,
const BigInt & coprime = BigInt::from_u64(0),
size_t equiv = 1,
size_t equiv_mod = 2,
size_t prob = 128 )

Randomly generate a prime suitable for discrete logarithm parameters

Parameters
rnga random number generator
bitshow large the resulting prime should be in bits
coprimea positive integer that (prime - 1) should be coprime to
equiva non-negative number that the result should be equivalent to modulo equiv_mod
equiv_modthe modulus equiv should be checked against
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 97 of file make_prm.cpp.

98 {
99 if(bits <= 1) {
100 throw Invalid_Argument("random_prime: Can't make a prime of " + std::to_string(bits) + " bits");
101 }
102 if(coprime.is_negative() || (!coprime.is_zero() && coprime.is_even()) || coprime.bits() >= bits) {
103 throw Invalid_Argument("random_prime: invalid coprime");
104 }
105 if(modulo == 0 || modulo >= 100000) {
106 throw Invalid_Argument("random_prime: Invalid modulo value");
107 }
108
109 equiv %= modulo;
110
111 if(equiv == 0) {
112 throw Invalid_Argument("random_prime Invalid value for equiv/modulo");
113 }
114
115 // Handle small values:
116
117 if(bits <= 16) {
118 if(equiv != 1 || modulo != 2 || coprime != 0) {
119 throw Not_Implemented("random_prime equiv/modulo/coprime options not usable for small primes");
120 }
121
122 if(bits == 2) {
123 return BigInt::from_word(((rng.next_byte() % 2) ? 2 : 3));
124 } else if(bits == 3) {
125 return BigInt::from_word(((rng.next_byte() % 2) ? 5 : 7));
126 } else if(bits == 4) {
127 return BigInt::from_word(((rng.next_byte() % 2) ? 11 : 13));
128 } else {
129 for(;;) {
130 // This is slightly biased, but for small primes it does not seem to matter
131 uint8_t b[4] = {0};
132 rng.randomize(b, 4);
133 const size_t idx = load_le<uint32_t>(b, 0) % PRIME_TABLE_SIZE;
134 const uint16_t small_prime = PRIMES[idx];
135
136 if(high_bit(small_prime) == bits) {
137 return BigInt::from_word(small_prime);
138 }
139 }
140 }
141 }
142
143 const size_t MAX_ATTEMPTS = 32 * 1024;
144
145 const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
146
147 while(true) {
148 BigInt p(rng, bits);
149
150 // Force lowest and two top bits on
151 p.set_bit(bits - 1);
152 p.set_bit(bits - 2);
153 p.set_bit(0);
154
155 // Force p to be equal to equiv mod modulo
156 p += (modulo - (p % modulo)) + equiv;
157
158 Prime_Sieve sieve(p, bits, modulo, true);
159
160 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
161 p += modulo;
162
163 if(!sieve.next()) {
164 continue;
165 }
166
167 // here p can be even if modulo is odd, continue on in that case
168 if(p.is_even()) {
169 continue;
170 }
171
172 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
173
175
176 if(coprime > 1) {
177 /*
178 First do a single M-R iteration to quickly elimate most non-primes,
179 before doing the coprimality check which is expensive
180 */
181 if(is_miller_rabin_probable_prime(p, mod_p, rng, 1) == false) {
182 continue;
183 }
184
185 /*
186 * Check if p - 1 and coprime are relatively prime, using gcd.
187 * The gcd computation is const-time
188 */
189 if(gcd(p - 1, coprime) > 1) {
190 continue;
191 }
192 }
193
194 if(p.bits() > bits) {
195 break;
196 }
197
198 if(is_miller_rabin_probable_prime(p, mod_p, rng, mr_trials) == false) {
199 continue;
200 }
201
202 if(prob > 32 && !is_lucas_probable_prime(p, mod_p)) {
203 continue;
204 }
205
206 return p;
207 }
208 }
209}

References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::Barrett_Reduction::for_secret_modulus(), Botan::BigInt::from_word(), gcd(), high_bit(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), load_le(), miller_rabin_test_iterations(), Botan::RandomNumberGenerator::next_byte(), PRIME_TABLE_SIZE, PRIMES, Botan::RandomNumberGenerator::randomize(), and Botan::BigInt::set_bit().

Referenced by Botan::DL_Group::DL_Group(), and random_safe_prime().

◆ random_safe_prime()

BigInt Botan::random_safe_prime ( RandomNumberGenerator & rng,
size_t bits )

Return a 'safe' prime, of the form p=2*q+1 with q prime

Parameters
rnga random number generator
bitsis how long the resulting prime should be
Returns
prime randomly chosen from safe primes of length bits

Definition at line 294 of file make_prm.cpp.

294 {
295 if(bits <= 64) {
296 throw Invalid_Argument("random_safe_prime: Can't make a prime of " + std::to_string(bits) + " bits");
297 }
298
299 const size_t error_bound = 128;
300
301 BigInt q, p;
302 for(;;) {
303 /*
304 Generate q == 2 (mod 3), since otherwise [in the case of q == 1 (mod 3)],
305 2*q+1 == 3 (mod 3) and so certainly not prime.
306 */
307 q = random_prime(rng, bits - 1, BigInt::zero(), 2, 3, error_bound);
308 p = (q << 1) + 1;
309
310 if(is_prime(p, rng, error_bound, true)) {
311 return p;
312 }
313 }
314}
BigInt random_prime(RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
Definition make_prm.cpp:97

References is_prime(), random_prime(), and Botan::BigInt::zero().

Referenced by Botan::DL_Group::DL_Group().

◆ read_cfg()

std::map< std::string, std::string > Botan::read_cfg ( std::istream & is)

Definition at line 34 of file read_cfg.cpp.

34 {
35 std::map<std::string, std::string> kv;
36 size_t line = 0;
37
38 while(is.good()) {
39 std::string s;
40
41 std::getline(is, s);
42
43 ++line;
44
45 if(s.empty() || s[0] == '#') {
46 continue;
47 }
48
49 s = clean_ws(s.substr(0, s.find('#')));
50
51 if(s.empty()) {
52 continue;
53 }
54
55 auto eq = s.find('=');
56
57 if(eq == std::string::npos || eq == 0 || eq == s.size() - 1) {
58 throw Decoding_Error("Bad read_cfg input '" + s + "' on line " + std::to_string(line));
59 }
60
61 const std::string key = clean_ws(s.substr(0, eq));
62 const std::string val = clean_ws(s.substr(eq + 1, std::string::npos));
63
64 kv[key] = val;
65 }
66
67 return kv;
68}

Referenced by Botan::TLS::Text_Policy::Text_Policy(), and Botan::TLS::Text_Policy::Text_Policy().

◆ read_kv()

std::map< std::string, std::string > Botan::read_kv ( std::string_view kv)

Accepts key value pairs deliminated by commas:

"" (returns empty map) "K=V" (returns map {'K': 'V'}) "K1=V1,K2=V2" "K1=V1,K2=V2,K3=V3" "K1=V1,K2=V2,K3=a_value\,with\,commas_and_\=equals"

Values may be empty, keys must be non-empty and unique. Duplicate keys cause an exception.

Within both key and value, comma and equals can be escaped with backslash. Backslash can also be escaped.

Definition at line 13 of file read_kv.cpp.

13 {
14 std::map<std::string, std::string> m;
15 if(kv.empty()) {
16 return m;
17 }
18
19 std::vector<std::string> parts;
20
21 try {
22 parts = split_on(kv, ',');
23 } catch(std::exception&) {
24 throw Invalid_Argument("Bad KV spec");
25 }
26
27 bool escaped = false;
28 bool reading_key = true;
29 std::string cur_key;
30 std::string cur_val;
31
32 for(char c : kv) {
33 if(c == '\\' && !escaped) {
34 escaped = true;
35 } else if(c == ',' && !escaped) {
36 if(cur_key.empty()) {
37 throw Invalid_Argument("Bad KV spec empty key");
38 }
39
40 if(m.find(cur_key) != m.end()) {
41 throw Invalid_Argument("Bad KV spec duplicated key");
42 }
43 m[cur_key] = cur_val;
44 cur_key = "";
45 cur_val = "";
46 reading_key = true;
47 } else if(c == '=' && !escaped) {
48 if(reading_key == false) {
49 throw Invalid_Argument("Bad KV spec unexpected equals sign");
50 }
51 reading_key = false;
52 } else {
53 if(reading_key) {
54 cur_key += c;
55 } else {
56 cur_val += c;
57 }
58
59 if(escaped) {
60 escaped = false;
61 }
62 }
63 }
64
65 if(!cur_key.empty()) {
66 if(reading_key == false) {
67 if(m.find(cur_key) != m.end()) {
68 throw Invalid_Argument("Bad KV spec duplicated key");
69 }
70 m[cur_key] = cur_val;
71 } else {
72 throw Invalid_Argument("Bad KV spec incomplete string");
73 }
74 }
75
76 return m;
77}

References split_on().

◆ read_window_bits()

template<size_t WindowBits, typename W, size_t N>
size_t Botan::read_window_bits ( std::span< const W, N > words,
size_t offset )
constexpr

Definition at line 1145 of file mp_core.h.

1145 {
1146 static_assert(WindowBits >= 1 && WindowBits <= 7);
1147
1148 constexpr uint8_t WindowMask = static_cast<uint8_t>(1 << WindowBits) - 1;
1149
1150 constexpr size_t W_bits = sizeof(W) * 8;
1151 const auto bit_shift = offset % W_bits;
1152 const auto word_offset = words.size() - 1 - (offset / W_bits);
1153
1154 const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0;
1155
1156 const auto w0 = words[word_offset];
1157
1158 if(single_byte_window) {
1159 return (w0 >> bit_shift) & WindowMask;
1160 } else {
1161 // Otherwise we must join two words and extract the result
1162 const auto w1 = words[word_offset - 1];
1163 const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift)));
1164 return combined & WindowMask;
1165 }
1166}

◆ redc_crandall()

template<WordType W, size_t N, W C>
std::array< W, N > Botan::redc_crandall ( std::span< const W, 2 *N > z)
constexpr

Reduce z modulo p = 2**B - C where C is small

z is assumed to be at most (p-1)**2

For details on the algorithm see

  • Handbook of Applied Cryptography, Algorithm 14.47
  • Guide to Elliptic Curve Cryptography, Algorithm 2.54 and Note 2.55

Definition at line 1056 of file mp_core.h.

1056 {
1057 static_assert(N >= 2);
1058
1059 std::array<W, N> hi = {};
1060
1061 // hi = hi * c + lo
1062
1063 W carry = 0;
1064 for(size_t i = 0; i != N; ++i) {
1065 hi[i] = word_madd3(z[i + N], C, z[i], &carry);
1066 }
1067
1068 // hi += carry * C
1069 word carry_c[2] = {0};
1070 carry_c[0] = word_madd2(carry, C, &carry_c[1]);
1071
1072 carry = bigint_add2_nc(hi.data(), N, carry_c, 2);
1073
1074 constexpr W P0 = WordInfo<W>::max - (C - 1);
1075
1076 std::array<W, N> r = {};
1077
1078 W borrow = 0;
1079
1080 /*
1081 * For undetermined reasons, on GCC (only) removing this asm block causes
1082 * massive (up to 20%) performance regressions in secp256k1.
1083 *
1084 * The generated code without the asm seems quite reasonable, and timing
1085 * repeated calls to redc_crandall with the cycle counter show that GCC
1086 * computes it in about the same number of cycles with or without the asm.
1087 *
1088 * So the cause of the regression is unclear. But it is reproducible across
1089 * machines and GCC versions.
1090 */
1091#if defined(BOTAN_MP_USE_X86_64_ASM) && defined(__GNUC__) && !defined(__clang__)
1092 if constexpr(N == 4 && std::same_as<W, uint64_t>) {
1093 if(!std::is_constant_evaluated()) {
1094 asm volatile(R"(
1095 movq 0(%[x]), %[borrow]
1096 subq %[p0], %[borrow]
1097 movq %[borrow], 0(%[r])
1098 movq 16(%[x]), %[borrow]
1099 sbbq $-1, %[borrow]
1100 movq %[borrow], 8(%[r])
1101 movq 16(%[x]), %[borrow]
1102 sbbq $-1, %[borrow]
1103 movq %[borrow], 16(%[r])
1104 movq 24(%[x]), %[borrow]
1105 sbbq $-1, %[borrow]
1106 movq %[borrow], 24(%[r])
1107 sbbq %[borrow],%[borrow]
1108 negq %[borrow]
1109 )"
1110 : [borrow] "=r"(borrow)
1111 : [x] "r"(hi.data()), [p0] "r"(P0), [r] "r"(r.data()), "0"(borrow)
1112 : "cc", "memory");
1113 }
1114
1115 borrow = (carry - borrow) > carry;
1116 CT::conditional_assign_mem(borrow, r.data(), hi.data(), N);
1117 return r;
1118 }
1119#endif
1120
1121 r[0] = word_sub(hi[0], P0, &borrow);
1122 for(size_t i = 1; i != N; ++i) {
1123 r[i] = word_sub(hi[i], WordInfo<W>::max, &borrow);
1124 }
1125
1126 borrow = (carry - borrow) > carry;
1127
1128 CT::conditional_assign_mem(borrow, r.data(), hi.data(), N);
1129
1130 return r;
1131}

References bigint_add2_nc(), carry(), Botan::CT::conditional_assign_mem(), word_madd2(), word_madd3(), and word_sub().

◆ redc_mul()

void Botan::redc_mul ( int64_t & s1,
int64_t & s2,
int64_t & s3,
int64_t & s4,
int64_t & s5,
int64_t & s6,
int64_t & X )
inline

Definition at line 58 of file ed25519_internal.h.

58 {
59 s1 += X * 666643;
60 s2 += X * 470296;
61 s3 += X * 654183;
62 s4 -= X * 997805;
63 s5 += X * 136657;
64 s6 -= X * 683901;
65 X = 0;
66}

Referenced by sc_muladd(), and sc_reduce().

◆ reduce()

template<typename RetT, typename KeyT, typename ReducerT>
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
RetT Botan::reduce ( const std::vector< KeyT > & keys,
RetT acc,
ReducerT reducer )

Reduce the values of keys into an accumulator initialized with acc using the reducer function reducer.

The reducer is a function taking the accumulator and a single key to return the new accumulator. Keys are consecutively reduced into the accumulator.

Returns
the accumulator containing the reduction of keys

Definition at line 48 of file stl_util.h.

50{
51 for(const KeyT& key : keys) {
52 acc = reducer(std::move(acc), key);
53 }
54 return acc;
55}

Referenced by Botan::Hybrid_PrivateKey::check_key(), Botan::Hybrid_PublicKey::check_key(), Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), Botan::Hybrid_PublicKey::raw_public_key_bits(), and Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits().

◆ reverse_bytes()

template<std::unsigned_integral T>
requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8)
T Botan::reverse_bytes ( T x)
inlineconstexpr

Swap the byte order of an unsigned integer

Definition at line 27 of file bswap.h.

27 {
28 if constexpr(sizeof(T) == 1) {
29 return x;
30 } else if constexpr(sizeof(T) == 2) {
31#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16)
32 return static_cast<T>(__builtin_bswap16(x));
33#else
34 return static_cast<T>((x << 8) | (x >> 8));
35#endif
36 } else if constexpr(sizeof(T) == 4) {
37#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32)
38 return static_cast<T>(__builtin_bswap32(x));
39#else
40 // MSVC at least recognizes this as a bswap
41 return static_cast<T>(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) |
42 ((x & 0xFF000000) >> 24));
43#endif
44 } else if constexpr(sizeof(T) == 8) {
45#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64)
46 return static_cast<T>(__builtin_bswap64(x));
47#else
48 uint32_t hi = static_cast<uint32_t>(x >> 32);
49 uint32_t lo = static_cast<uint32_t>(x);
50
51 hi = reverse_bytes(hi);
52 lo = reverse_bytes(lo);
53
54 return (static_cast<T>(lo) << 32) | hi;
55#endif
56 }
57}

References reverse_bytes().

Referenced by ct_reverse_bits(), Botan::detail::load_any(), reverse_bytes(), and Botan::detail::store_any().

◆ rfc3394_keyunwrap()

secure_vector< uint8_t > Botan::rfc3394_keyunwrap ( const secure_vector< uint8_t > & key,
const SymmetricKey & kek )

Decrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe encrypted key to decrypt
kekthe key encryption key
Returns
key decrypted under kek

Definition at line 27 of file rfc3394.cpp.

27 {
28 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
29
30 BOTAN_ARG_CHECK(key.size() >= 16 && key.size() % 8 == 0, "Bad input key size for NIST key unwrap");
31
32 const std::string cipher_name = "AES-" + std::to_string(8 * kek.size());
33 auto aes = BlockCipher::create_or_throw(cipher_name);
34 aes->set_key(kek);
35
36 return nist_key_unwrap(key.data(), key.size(), *aes);
37}
static std::unique_ptr< BlockCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
size_t size() const
Definition symkey.h:29
secure_vector< uint8_t > nist_key_unwrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_unwrap(), and Botan::OctetString::size().

◆ rfc3394_keywrap()

secure_vector< uint8_t > Botan::rfc3394_keywrap ( const secure_vector< uint8_t > & key,
const SymmetricKey & kek )

Encrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe plaintext key to encrypt
kekthe key encryption key
Returns
key encrypted under kek

Definition at line 16 of file rfc3394.cpp.

16 {
17 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
18
19 const std::string cipher_name = "AES-" + std::to_string(8 * kek.size());
20 auto aes = BlockCipher::create_or_throw(cipher_name);
21 aes->set_key(kek);
22
23 std::vector<uint8_t> wrapped = nist_key_wrap(key.data(), key.size(), *aes);
24 return secure_vector<uint8_t>(wrapped.begin(), wrapped.end());
25}
std::vector< uint8_t > nist_key_wrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_wrap(), and Botan::OctetString::size().

◆ RFC4880_decode_count()

size_t Botan::RFC4880_decode_count ( uint8_t encoded_iter)

Decode the iteration count from RFC 4880 encoding

Definition at line 61 of file rfc4880.cpp.

61 {
62 return OPENPGP_S2K_ITERS[iter];
63}

Referenced by Botan::OpenPGP_S2K::decode_count(), and RFC4880_round_iterations().

◆ RFC4880_encode_count()

uint8_t Botan::RFC4880_encode_count ( size_t iterations)

RFC 4880 encodes the iteration count to a single-byte value

Definition at line 47 of file rfc4880.cpp.

47 {
48 if(desired_iterations <= OPENPGP_S2K_ITERS[0]) {
49 return 0;
50 }
51
52 if(desired_iterations >= OPENPGP_S2K_ITERS[255]) {
53 return 255;
54 }
55
56 const uint32_t* i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);
57
58 return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
59}

Referenced by Botan::OpenPGP_S2K::encode_count(), and RFC4880_round_iterations().

◆ RFC4880_round_iterations()

size_t Botan::RFC4880_round_iterations ( size_t iterations)
inline

Round an arbitrary iteration count to next largest iteration count supported by RFC4880 encoding.

Definition at line 32 of file rfc4880.h.

32 {
34}
uint8_t RFC4880_encode_count(size_t desired_iterations)
Definition rfc4880.cpp:47
size_t RFC4880_decode_count(uint8_t iter)
Definition rfc4880.cpp:61

References RFC4880_decode_count(), RFC4880_encode_count(), and RFC4880_round_iterations().

Referenced by RFC4880_round_iterations(), and Botan::RFC4880_S2K_Family::tune().

◆ rho()

◆ root()

Gf448Elem Botan::root ( const Gf448Elem & elem)

Compute the root of elem in the field.

The root of a in GF(p) is computed as r = a^((p+1)/4) mod p. Note that the root is not unique, i.e. r and p-r are both roots.

Returns
GfPElem The root of this element.

Definition at line 354 of file curve448_gf.cpp.

354 {
355 Gf448Elem res(1);
356
357 // (P-3)/4 is an 445 bit integer with one zero bits at 222. All others are one.
358 for(int16_t t = 445; t >= 0; --t) {
359 gf_square(res.words(), res.words());
360 if(t != 222) {
361 gf_mul(res.words(), res.words(), elem.words());
362 }
363 }
364
365 return res;
366}
std::span< uint64_t, WORDS_448 > words()
Accessor to the internal words of the GF element.

References Botan::Gf448Elem::words().

Referenced by Botan::Ed448Point::decode(), Botan::Sphincs_Hash_Functions::H_msg(), Botan::XMSS_Hash::h_msg(), Botan::Sphincs_Hash_Functions::H_msg_digest(), Botan::XMSS_Hash::h_msg_init(), Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey(), xmss_gen_root(), and Botan::Sphincs_Hash_Functions::~Sphincs_Hash_Functions().

◆ rotl() [1/4]

template<size_t R>
SIMD_16x32 Botan::rotl ( SIMD_16x32 input)
inline

Definition at line 310 of file simd_avx512.h.

310 {
311 return input.rotl<R>();
312}
BOTAN_FN_ISA_AVX512 SIMD_16x32 rotl() const
Definition simd_avx512.h:69

References Botan::SIMD_16x32::rotl().

◆ rotl() [2/4]

template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 Botan::rotl ( SIMD_4x32 input)
inline

Definition at line 763 of file simd_4x32.h.

763 {
764 return input.rotl<R>();
765}
BOTAN_FN_ISA_SIMD_4X32 SIMD_4x32 rotl() const noexcept
Definition simd_4x32.h:288

References Botan::SIMD_4x32::rotl().

◆ rotl() [3/4]

template<size_t R>
SIMD_8x32 Botan::rotl ( SIMD_8x32 input)
inline

Definition at line 332 of file simd_avx2.h.

332 {
333 return input.rotl<R>();
334}
BOTAN_FN_ISA_AVX2 SIMD_8x32 rotl() const noexcept
Definition simd_avx2.h:108

References Botan::SIMD_8x32::rotl().

◆ rotl() [4/4]

template<size_t ROT, typename T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
T Botan::rotl ( T input)
inlineconstexpr

Bit rotation left by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated left by ROT bits

Definition at line 21 of file rotate.h.

23{
24 return static_cast<T>((input << ROT) | (input >> (8 * sizeof(T) - ROT)));
25}

Referenced by Botan::SHA_1::compress_n(), Botan::Noekeon::decrypt_n(), Botan::Noekeon::encrypt_n(), Botan::GOST_28147_89::GOST_28147_89(), Keccak_Permutation_round(), and Botan::Serpent_F::transform().

◆ rotl_var()

template<typename T>
T Botan::rotl_var ( T input,
size_t rot )
inlineconstexpr

Bit rotation left, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated left by rot bits

Definition at line 62 of file rotate.h.

62 {
63 return rot ? static_cast<T>((input << rot) | (input >> (sizeof(T) * 8 - rot))) : input;
64}

◆ rotr() [1/4]

template<size_t R>
SIMD_16x32 Botan::rotr ( SIMD_16x32 input)
inline

Definition at line 315 of file simd_avx512.h.

315 {
316 return input.rotr<R>();
317}
BOTAN_FN_ISA_AVX512 SIMD_16x32 rotr() const
Definition simd_avx512.h:76

References Botan::SIMD_16x32::rotr().

◆ rotr() [2/4]

template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 Botan::rotr ( SIMD_4x32 input)
inline

Definition at line 768 of file simd_4x32.h.

768 {
769 return input.rotr<R>();
770}
SIMD_4x32 rotr() const noexcept
Definition simd_4x32.h:335

References Botan::SIMD_4x32::rotr().

◆ rotr() [3/4]

template<size_t R>
SIMD_8x32 Botan::rotr ( SIMD_8x32 input)
inline

Definition at line 337 of file simd_avx2.h.

337 {
338 return input.rotr<R>();
339}
BOTAN_FN_ISA_AVX2 SIMD_8x32 rotr() const noexcept
Definition simd_avx2.h:137

References Botan::SIMD_8x32::rotr().

◆ rotr() [4/4]

template<size_t ROT, typename T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
T Botan::rotr ( T input)
inlineconstexpr

Bit rotation right by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated right by ROT bits

Definition at line 33 of file rotate.h.

35{
36 return static_cast<T>((input >> ROT) | (input << (8 * sizeof(T) - ROT)));
37}

Referenced by Botan::Noekeon::decrypt_n(), Botan::Noekeon::encrypt_n(), Botan::Serpent_F::i_transform(), rho(), and sigma().

◆ rotr_var()

template<typename T>
T Botan::rotr_var ( T input,
size_t rot )
inlineconstexpr

Bit rotation right, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated right by rot bits

Definition at line 73 of file rotate.h.

73 {
74 return rot ? static_cast<T>((input >> rot) | (input << (sizeof(T) * 8 - rot))) : input;
75}

◆ round_up()

size_t Botan::round_up ( size_t n,
size_t align_to )
inlineconstexpr

Integer rounding

Returns an integer z such that n <= z <= n + align_to and z % align_to == 0

Parameters
nan integer
align_tothe alignment boundary
Returns
n rounded up to a multiple of align_to

Definition at line 26 of file rounding.h.

26 {
27 // Arguably returning n in this case would also be sensible
28 BOTAN_ARG_CHECK(align_to != 0, "align_to must not be 0");
29
30 if(n % align_to > 0) {
31 const size_t adj = align_to - (n % align_to);
32 BOTAN_ARG_CHECK(n + adj >= n, "Integer overflow during rounding");
33 n += adj;
34 }
35 return n;
36}

References BOTAN_ARG_CHECK.

Referenced by Botan::BigInt::bytes(), Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), monty_multi_exp(), Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), Botan::EC_Point_Multi_Point_Precompute::multi_exp(), Botan::CBC_Encryption::output_length(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), Botan::BigInt::randomize(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().

◆ runtime_version_check()

std::string Botan::runtime_version_check ( uint32_t major,
uint32_t minor,
uint32_t patch )

Usable for checking that the DLL version loaded at runtime exactly matches the compile-time version. Call using BOTAN_VERSION_* macro values, like so:

#define BOTAN_VERSION_PATCH
Definition build.h:32
#define BOTAN_VERSION_MINOR
Definition build.h:27
#define BOTAN_VERSION_MAJOR
Definition build.h:22
std::string runtime_version_check(uint32_t major, uint32_t minor, uint32_t patch)
Definition version.cpp:75

It will return an empty string if the versions match, or otherwise an error message indicating the discrepancy. This only is useful in dynamic libraries, where it is possible to compile and run against different versions.

Definition at line 75 of file version.cpp.

75 {
76 if(major != version_major() || minor != version_minor() || patch != version_patch()) {
77 return fmt("Warning: linked version ({}) does not match version built against ({}.{}.{})\n",
79 major,
80 minor,
81 patch);
82 }
83
84 return "";
85}
uint32_t version_minor()
Definition version.cpp:59
const char * short_version_cstr()
Definition version.cpp:16
uint32_t version_major()
Definition version.cpp:55
uint32_t version_patch()
Definition version.cpp:63

References fmt(), short_version_cstr(), version_major(), version_minor(), and version_patch().

◆ same_mem()

template<typename T>
bool Botan::same_mem ( const T * p1,
const T * p2,
size_t n )
inline

Memory comparison, input insensitive

Parameters
p1a pointer to an array
p2a pointer to another array
nthe number of Ts in p1 and p2
Returns
true iff p1[i] == p2[i] forall i in [0...n)

Definition at line 302 of file mem_ops.h.

302 {
303 volatile T difference = 0;
304
305 for(size_t i = 0; i != n; ++i) {
306 difference = difference | (p1[i] ^ p2[i]);
307 }
308
309 return difference == 0;
310}

References same_mem().

Referenced by same_mem().

◆ sc_muladd()

void Botan::sc_muladd ( uint8_t * s,
const uint8_t * a,
const uint8_t * b,
const uint8_t * c )

Definition at line 26 of file sc_muladd.cpp.

26 {
27 const int32_t MASK = 0x1fffff;
28
29 const int64_t a0 = MASK & load_3(a);
30 const int64_t a1 = MASK & (load_4(a + 2) >> 5);
31 const int64_t a2 = MASK & (load_3(a + 5) >> 2);
32 const int64_t a3 = MASK & (load_4(a + 7) >> 7);
33 const int64_t a4 = MASK & (load_4(a + 10) >> 4);
34 const int64_t a5 = MASK & (load_3(a + 13) >> 1);
35 const int64_t a6 = MASK & (load_4(a + 15) >> 6);
36 const int64_t a7 = MASK & (load_3(a + 18) >> 3);
37 const int64_t a8 = MASK & load_3(a + 21);
38 const int64_t a9 = MASK & (load_4(a + 23) >> 5);
39 const int64_t a10 = MASK & (load_3(a + 26) >> 2);
40 const int64_t a11 = (load_4(a + 28) >> 7);
41 const int64_t b0 = MASK & load_3(b);
42 const int64_t b1 = MASK & (load_4(b + 2) >> 5);
43 const int64_t b2 = MASK & (load_3(b + 5) >> 2);
44 const int64_t b3 = MASK & (load_4(b + 7) >> 7);
45 const int64_t b4 = MASK & (load_4(b + 10) >> 4);
46 const int64_t b5 = MASK & (load_3(b + 13) >> 1);
47 const int64_t b6 = MASK & (load_4(b + 15) >> 6);
48 const int64_t b7 = MASK & (load_3(b + 18) >> 3);
49 const int64_t b8 = MASK & load_3(b + 21);
50 const int64_t b9 = MASK & (load_4(b + 23) >> 5);
51 const int64_t b10 = MASK & (load_3(b + 26) >> 2);
52 const int64_t b11 = (load_4(b + 28) >> 7);
53 const int64_t c0 = MASK & load_3(c);
54 const int64_t c1 = MASK & (load_4(c + 2) >> 5);
55 const int64_t c2 = MASK & (load_3(c + 5) >> 2);
56 const int64_t c3 = MASK & (load_4(c + 7) >> 7);
57 const int64_t c4 = MASK & (load_4(c + 10) >> 4);
58 const int64_t c5 = MASK & (load_3(c + 13) >> 1);
59 const int64_t c6 = MASK & (load_4(c + 15) >> 6);
60 const int64_t c7 = MASK & (load_3(c + 18) >> 3);
61 const int64_t c8 = MASK & load_3(c + 21);
62 const int64_t c9 = MASK & (load_4(c + 23) >> 5);
63 const int64_t c10 = MASK & (load_3(c + 26) >> 2);
64 const int64_t c11 = (load_4(c + 28) >> 7);
65
66 int64_t s0 = c0 + a0 * b0;
67 int64_t s1 = c1 + a0 * b1 + a1 * b0;
68 int64_t s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
69 int64_t s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
70 int64_t s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
71 int64_t s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
72 int64_t s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
73 int64_t s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
74 int64_t s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
75 int64_t s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
76 int64_t s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 +
77 a9 * b1 + a10 * b0;
78 int64_t s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 +
79 a9 * b2 + a10 * b1 + a11 * b0;
80 int64_t s12 =
81 a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
82 int64_t s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
83 int64_t s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
84 int64_t s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
85 int64_t s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
86 int64_t s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
87 int64_t s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
88 int64_t s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
89 int64_t s20 = a9 * b11 + a10 * b10 + a11 * b9;
90 int64_t s21 = a10 * b11 + a11 * b10;
91 int64_t s22 = a11 * b11;
92 int64_t s23 = 0;
93
94 carry<21>(s0, s1);
95 carry<21>(s2, s3);
96 carry<21>(s4, s5);
97 carry<21>(s6, s7);
98 carry<21>(s8, s9);
99 carry<21>(s10, s11);
100 carry<21>(s12, s13);
101 carry<21>(s14, s15);
102 carry<21>(s16, s17);
103 carry<21>(s18, s19);
104 carry<21>(s20, s21);
105 carry<21>(s22, s23);
106
107 carry<21>(s1, s2);
108 carry<21>(s3, s4);
109 carry<21>(s5, s6);
110 carry<21>(s7, s8);
111 carry<21>(s9, s10);
112 carry<21>(s11, s12);
113 carry<21>(s13, s14);
114 carry<21>(s15, s16);
115 carry<21>(s17, s18);
116 carry<21>(s19, s20);
117 carry<21>(s21, s22);
118
119 redc_mul(s11, s12, s13, s14, s15, s16, s23);
120 redc_mul(s10, s11, s12, s13, s14, s15, s22);
121 redc_mul(s9, s10, s11, s12, s13, s14, s21);
122 redc_mul(s8, s9, s10, s11, s12, s13, s20);
123 redc_mul(s7, s8, s9, s10, s11, s12, s19);
124 redc_mul(s6, s7, s8, s9, s10, s11, s18);
125
126 carry<21>(s6, s7);
127 carry<21>(s8, s9);
128 carry<21>(s10, s11);
129 carry<21>(s12, s13);
130 carry<21>(s14, s15);
131 carry<21>(s16, s17);
132
133 carry<21>(s7, s8);
134 carry<21>(s9, s10);
135 carry<21>(s11, s12);
136 carry<21>(s13, s14);
137 carry<21>(s15, s16);
138
139 redc_mul(s5, s6, s7, s8, s9, s10, s17);
140 redc_mul(s4, s5, s6, s7, s8, s9, s16);
141 redc_mul(s3, s4, s5, s6, s7, s8, s15);
142 redc_mul(s2, s3, s4, s5, s6, s7, s14);
143 redc_mul(s1, s2, s3, s4, s5, s6, s13);
144 redc_mul(s0, s1, s2, s3, s4, s5, s12);
145
146 carry<21>(s0, s1);
147 carry<21>(s2, s3);
148 carry<21>(s4, s5);
149 carry<21>(s6, s7);
150 carry<21>(s8, s9);
151 carry<21>(s10, s11);
152
153 carry<21>(s1, s2);
154 carry<21>(s3, s4);
155 carry<21>(s5, s6);
156 carry<21>(s7, s8);
157 carry<21>(s9, s10);
158 carry<21>(s11, s12);
159
160 redc_mul(s0, s1, s2, s3, s4, s5, s12);
161
162 carry0<21>(s0, s1);
163 carry0<21>(s1, s2);
164 carry0<21>(s2, s3);
165 carry0<21>(s3, s4);
166 carry0<21>(s4, s5);
167 carry0<21>(s5, s6);
168 carry0<21>(s6, s7);
169 carry0<21>(s7, s8);
170 carry0<21>(s8, s9);
171 carry0<21>(s9, s10);
172 carry0<21>(s10, s11);
173 carry0<21>(s11, s12);
174
175 redc_mul(s0, s1, s2, s3, s4, s5, s12);
176
177 carry0<21>(s0, s1);
178 carry0<21>(s1, s2);
179 carry0<21>(s2, s3);
180 carry0<21>(s3, s4);
181 carry0<21>(s4, s5);
182 carry0<21>(s5, s6);
183 carry0<21>(s6, s7);
184 carry0<21>(s7, s8);
185 carry0<21>(s8, s9);
186 carry0<21>(s9, s10);
187 carry0<21>(s10, s11);
188
189 s[0] = static_cast<uint8_t>(s0 >> 0);
190 s[1] = static_cast<uint8_t>(s0 >> 8);
191 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
192 s[3] = static_cast<uint8_t>(s1 >> 3);
193 s[4] = static_cast<uint8_t>(s1 >> 11);
194 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
195 s[6] = static_cast<uint8_t>(s2 >> 6);
196 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
197 s[8] = static_cast<uint8_t>(s3 >> 1);
198 s[9] = static_cast<uint8_t>(s3 >> 9);
199 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
200 s[11] = static_cast<uint8_t>(s4 >> 4);
201 s[12] = static_cast<uint8_t>(s4 >> 12);
202 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
203 s[14] = static_cast<uint8_t>(s5 >> 7);
204 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
205 s[16] = static_cast<uint8_t>(s6 >> 2);
206 s[17] = static_cast<uint8_t>(s6 >> 10);
207 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
208 s[19] = static_cast<uint8_t>(s7 >> 5);
209 s[20] = static_cast<uint8_t>(s7 >> 13);
210 s[21] = static_cast<uint8_t>(s8 >> 0);
211 s[22] = static_cast<uint8_t>(s8 >> 8);
212 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
213 s[24] = static_cast<uint8_t>(s9 >> 3);
214 s[25] = static_cast<uint8_t>(s9 >> 11);
215 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
216 s[27] = static_cast<uint8_t>(s10 >> 6);
217 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
218 s[29] = static_cast<uint8_t>(s11 >> 1);
219 s[30] = static_cast<uint8_t>(s11 >> 9);
220 s[31] = static_cast<uint8_t>(s11 >> 17);
221}
void redc_mul(int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
uint64_t load_4(const uint8_t *in)
void carry0(int64_t &h0, int64_t &h1)
uint64_t load_3(const uint8_t in[3])

References carry(), carry0(), load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign().

◆ sc_reduce()

void Botan::sc_reduce ( uint8_t * s)

Definition at line 25 of file sc_reduce.cpp.

25 {
26 const uint32_t MASK = 0x1fffff;
27
28 int64_t s0 = MASK & load_3(s);
29 int64_t s1 = MASK & (load_4(s + 2) >> 5);
30 int64_t s2 = MASK & (load_3(s + 5) >> 2);
31 int64_t s3 = MASK & (load_4(s + 7) >> 7);
32 int64_t s4 = MASK & (load_4(s + 10) >> 4);
33 int64_t s5 = MASK & (load_3(s + 13) >> 1);
34 int64_t s6 = MASK & (load_4(s + 15) >> 6);
35 int64_t s7 = MASK & (load_3(s + 18) >> 3);
36 int64_t s8 = MASK & load_3(s + 21);
37 int64_t s9 = MASK & (load_4(s + 23) >> 5);
38 int64_t s10 = MASK & (load_3(s + 26) >> 2);
39 int64_t s11 = MASK & (load_4(s + 28) >> 7);
40 int64_t s12 = MASK & (load_4(s + 31) >> 4);
41 int64_t s13 = MASK & (load_3(s + 34) >> 1);
42 int64_t s14 = MASK & (load_4(s + 36) >> 6);
43 int64_t s15 = MASK & (load_3(s + 39) >> 3);
44 int64_t s16 = MASK & load_3(s + 42);
45 int64_t s17 = MASK & (load_4(s + 44) >> 5);
46 int64_t s18 = MASK & (load_3(s + 47) >> 2);
47 int64_t s19 = MASK & (load_4(s + 49) >> 7);
48 int64_t s20 = MASK & (load_4(s + 52) >> 4);
49 int64_t s21 = MASK & (load_3(s + 55) >> 1);
50 int64_t s22 = MASK & (load_4(s + 57) >> 6);
51 int64_t s23 = (load_4(s + 60) >> 3);
52
53 redc_mul(s11, s12, s13, s14, s15, s16, s23);
54 redc_mul(s10, s11, s12, s13, s14, s15, s22);
55 redc_mul(s9, s10, s11, s12, s13, s14, s21);
56 redc_mul(s8, s9, s10, s11, s12, s13, s20);
57 redc_mul(s7, s8, s9, s10, s11, s12, s19);
58 redc_mul(s6, s7, s8, s9, s10, s11, s18);
59
60 carry<21>(s6, s7);
61 carry<21>(s8, s9);
62 carry<21>(s10, s11);
63 carry<21>(s12, s13);
64 carry<21>(s14, s15);
65 carry<21>(s16, s17);
66
67 carry<21>(s7, s8);
68 carry<21>(s9, s10);
69 carry<21>(s11, s12);
70 carry<21>(s13, s14);
71 carry<21>(s15, s16);
72
73 redc_mul(s5, s6, s7, s8, s9, s10, s17);
74 redc_mul(s4, s5, s6, s7, s8, s9, s16);
75 redc_mul(s3, s4, s5, s6, s7, s8, s15);
76 redc_mul(s2, s3, s4, s5, s6, s7, s14);
77 redc_mul(s1, s2, s3, s4, s5, s6, s13);
78 redc_mul(s0, s1, s2, s3, s4, s5, s12);
79
80 carry<21>(s0, s1);
81 carry<21>(s2, s3);
82 carry<21>(s4, s5);
83 carry<21>(s6, s7);
84 carry<21>(s8, s9);
85 carry<21>(s10, s11);
86
87 carry<21>(s1, s2);
88 carry<21>(s3, s4);
89 carry<21>(s5, s6);
90 carry<21>(s7, s8);
91 carry<21>(s9, s10);
92 carry<21>(s11, s12);
93
94 redc_mul(s0, s1, s2, s3, s4, s5, s12);
95
96 carry0<21>(s0, s1);
97 carry0<21>(s1, s2);
98 carry0<21>(s2, s3);
99 carry0<21>(s3, s4);
100 carry0<21>(s4, s5);
101 carry0<21>(s5, s6);
102 carry0<21>(s6, s7);
103 carry0<21>(s7, s8);
104 carry0<21>(s8, s9);
105 carry0<21>(s9, s10);
106 carry0<21>(s10, s11);
107 carry0<21>(s11, s12);
108
109 redc_mul(s0, s1, s2, s3, s4, s5, s12);
110
111 carry0<21>(s0, s1);
112 carry0<21>(s1, s2);
113 carry0<21>(s2, s3);
114 carry0<21>(s3, s4);
115 carry0<21>(s4, s5);
116 carry0<21>(s5, s6);
117 carry0<21>(s6, s7);
118 carry0<21>(s7, s8);
119 carry0<21>(s8, s9);
120 carry0<21>(s9, s10);
121 carry0<21>(s10, s11);
122 carry0<21>(s11, s12);
123
124 s[0] = static_cast<uint8_t>(s0 >> 0);
125 s[1] = static_cast<uint8_t>(s0 >> 8);
126 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
127 s[3] = static_cast<uint8_t>(s1 >> 3);
128 s[4] = static_cast<uint8_t>(s1 >> 11);
129 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
130 s[6] = static_cast<uint8_t>(s2 >> 6);
131 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
132 s[8] = static_cast<uint8_t>(s3 >> 1);
133 s[9] = static_cast<uint8_t>(s3 >> 9);
134 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
135 s[11] = static_cast<uint8_t>(s4 >> 4);
136 s[12] = static_cast<uint8_t>(s4 >> 12);
137 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
138 s[14] = static_cast<uint8_t>(s5 >> 7);
139 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
140 s[16] = static_cast<uint8_t>(s6 >> 2);
141 s[17] = static_cast<uint8_t>(s6 >> 10);
142 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
143 s[19] = static_cast<uint8_t>(s7 >> 5);
144 s[20] = static_cast<uint8_t>(s7 >> 13);
145 s[21] = static_cast<uint8_t>(s8 >> 0);
146 s[22] = static_cast<uint8_t>(s8 >> 8);
147 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
148 s[24] = static_cast<uint8_t>(s9 >> 3);
149 s[25] = static_cast<uint8_t>(s9 >> 11);
150 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
151 s[27] = static_cast<uint8_t>(s10 >> 6);
152 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
153 s[29] = static_cast<uint8_t>(s11 >> 1);
154 s[30] = static_cast<uint8_t>(s11 >> 9);
155 s[31] = static_cast<uint8_t>(s11 >> 17);
156}

References carry(), carry0(), load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign(), and ed25519_verify().

◆ scrypt() [1/2]

void Botan::scrypt ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
size_t N,
size_t r,
size_t p )
inline

Scrypt key derivation function (RFC 7914)

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenlength of password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 86 of file scrypt.h.

94 {
95 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
96 auto pwdhash = pwdhash_fam->from_params(N, r, p);
97 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
98}

References Botan::PasswordHashFamily::create_or_throw(), and scrypt().

Referenced by scrypt(), and scrypt().

◆ scrypt() [2/2]

void Botan::scrypt ( uint8_t output[],
size_t output_len,
std::string_view password,
const uint8_t salt[],
size_t salt_len,
size_t N,
size_t r,
size_t p )
inline

Scrypt key derivation function (RFC 7914) Before 2.8 this function was the primary interface for scrypt

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 118 of file scrypt.h.

125 {
126 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
127 auto pwdhash = pwdhash_fam->from_params(N, r, p);
128 pwdhash->derive_key(output, output_len, password.data(), password.size(), salt, salt_len);
129}

References Botan::PasswordHashFamily::create_or_throw(), and scrypt().

◆ secure_scrub_memory() [1/2]

void Botan::secure_scrub_memory ( ranges::contiguous_output_range auto && data)

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory.

Parameters
datathe data region to be scrubbed

Definition at line 60 of file mem_ops.h.

60 {
61 secure_scrub_memory(std::ranges::data(data), ranges::size_bytes(data));
62}

References secure_scrub_memory(), and Botan::ranges::size_bytes().

◆ secure_scrub_memory() [2/2]

void Botan::secure_scrub_memory ( void * ptr,
size_t n )

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory (for example, in some hypothetical implementation it might combine the memory contents with the output of a system PRNG), but if you can detect any difference in behavior at runtime then the clearing is side-effecting and you can just use clear_mem.

Use this function to scrub memory just before deallocating it, or on a stack buffer before returning from the function.

Parameters
ptra pointer to memory to scrub
nthe number of bytes pointed to by ptr

Definition at line 24 of file mem_utils.cpp.

24 {
25#if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY)
26 ::RtlSecureZeroMemory(ptr, n);
27
28#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO)
29 ::explicit_bzero(ptr, n);
30
31#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET)
32 (void)::explicit_memset(ptr, 0, n);
33
34#else
35 /*
36 * Call memset through a static volatile pointer, which the compiler should
37 * not elide. This construct should be safe in conforming compilers, but who
38 * knows. This has been checked to generate the expected code, which saves the
39 * memset address in the data segment and unconditionally loads and jumps to
40 * that address, with the following targets:
41 *
42 * x86-64: Clang 19, GCC 6, 11, 13, 14
43 * riscv64: GCC 14
44 * aarch64: GCC 14
45 * armv7: GCC 14
46 *
47 * Actually all of them generated the expected jump even without marking the
48 * function pointer as volatile. However this seems worth including as an
49 * additional precaution.
50 */
51 static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset;
52 (memset_ptr)(ptr, 0, n);
53#endif
54}

Referenced by botan_scrub_mem(), Botan::Kuznyechik::clear(), deallocate_memory(), Botan::GHASH::final(), Botan::OS::free_locked_pages(), Botan::GHASH::reset(), secure_scrub_memory(), Botan::Sodium::sodium_free(), Botan::Sodium::sodium_memzero(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::~AlignmentBuffer(), Botan::BLAKE2s::~BLAKE2s(), and Botan::FE_25519::~FE_25519().

◆ set_mem()

void Botan::set_mem ( uint8_t * ptr,
size_t n,
uint8_t val )
inlineconstexpr

Set memory to a fixed value

Parameters
ptra pointer to an array of bytes
nthe number of Ts pointed to by ptr
valthe value to set each byte to

Definition at line 269 of file mem_ops.h.

269 {
270 if(n > 0) {
271 std::memset(ptr, val, n);
272 }
273}

References set_mem().

Referenced by set_mem().

◆ SHA2_32_F() [1/2]

BOTAN_FORCE_INLINE void Botan::SHA2_32_F ( uint32_t A,
uint32_t B,
uint32_t C,
uint32_t & D,
uint32_t E,
uint32_t F,
uint32_t G,
uint32_t & H,
uint32_t & M1,
uint32_t M2,
uint32_t M3,
uint32_t M4,
uint32_t magic )

Definition at line 19 of file sha2_32_f.h.

31 {
32 uint32_t A_rho = rho<2, 13, 22>(A);
33 uint32_t E_rho = rho<6, 11, 25>(E);
34 uint32_t M2_sigma = sigma<17, 19, 10>(M2);
35 uint32_t M4_sigma = sigma<7, 18, 3>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}
constexpr T rho(T x)
Definition rotate.h:51
constexpr T sigma(T x)
Definition rotate.h:43
constexpr T majority(T a, T b, T c)
Definition bit_ops.h:210

References BOTAN_FORCE_INLINE, choose(), majority(), rho(), and sigma().

Referenced by Botan::SHA_256::compress_digest().

◆ SHA2_32_F() [2/2]

BOTAN_FORCE_INLINE void Botan::SHA2_32_F ( uint32_t A,
uint32_t B,
uint32_t C,
uint32_t & D,
uint32_t E,
uint32_t F,
uint32_t G,
uint32_t & H,
uint32_t M )

Definition at line 45 of file sha2_32_f.h.

46 {
47 uint32_t A_rho = rho<2, 13, 22>(A);
48 uint32_t E_rho = rho<6, 11, 25>(E);
49 H += E_rho + choose(E, F, G) + M;
50 D += H;
51 H += A_rho + majority(A, B, C);
52}

References BOTAN_FORCE_INLINE, choose(), majority(), and rho().

◆ SHA2_64_F() [1/2]

BOTAN_FORCE_INLINE void Botan::SHA2_64_F ( uint64_t A,
uint64_t B,
uint64_t C,
uint64_t & D,
uint64_t E,
uint64_t F,
uint64_t G,
uint64_t & H,
uint64_t & M1,
uint64_t M2,
uint64_t M3,
uint64_t M4,
uint64_t magic )

Definition at line 19 of file sha2_64_f.h.

31 {
32 const uint64_t E_rho = rho<14, 18, 41>(E);
33 const uint64_t A_rho = rho<28, 34, 39>(A);
34 const uint64_t M2_sigma = sigma<19, 61, 6>(M2);
35 const uint64_t M4_sigma = sigma<1, 8, 7>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}

References BOTAN_FORCE_INLINE, choose(), majority(), rho(), and sigma().

Referenced by Botan::SHA_512::compress_digest().

◆ SHA2_64_F() [2/2]

BOTAN_FORCE_INLINE void Botan::SHA2_64_F ( uint64_t A,
uint64_t B,
uint64_t C,
uint64_t & D,
uint64_t E,
uint64_t F,
uint64_t G,
uint64_t & H,
uint64_t M )

Definition at line 45 of file sha2_64_f.h.

46 {
47 const uint64_t E_rho = rho<14, 18, 41>(E);
48 const uint64_t A_rho = rho<28, 34, 39>(A);
49 H += E_rho + choose(E, F, G) + M;
50 D += H;
51 H += A_rho + majority(A, B, C);
52}

References BOTAN_FORCE_INLINE, choose(), majority(), and rho().

◆ shift_left()

template<size_t S, WordType W, size_t N>
W Botan::shift_left ( std::array< W, N > & x)
inlineconstexpr

Definition at line 795 of file mp_core.h.

795 {
796 static_assert(S < WordInfo<W>::bits, "Shift too large");
797
798 W carry = 0;
799 for(size_t i = 0; i != N; ++i) {
800 const W w = x[i];
801 x[i] = (w << S) | carry;
802 carry = w >> (WordInfo<W>::bits - S);
803 }
804
805 return carry;
806}

References carry().

Referenced by hex_to_words().

◆ shift_right()

template<size_t S, WordType W, size_t N>
W Botan::shift_right ( std::array< W, N > & x)
inlineconstexpr

Definition at line 809 of file mp_core.h.

809 {
810 static_assert(S < WordInfo<W>::bits, "Shift too large");
811
812 W carry = 0;
813 for(size_t i = 0; i != N; ++i) {
814 const W w = x[N - 1 - i];
815 x[N - 1 - i] = (w >> S) | carry;
816 carry = w << (WordInfo<W>::bits - S);
817 }
818
819 return carry;
820}

References carry().

◆ shl() [1/3]

template<size_t S>
SIMD_16x32 Botan::shl ( SIMD_16x32 input)
inline

Definition at line 321 of file simd_avx512.h.

321 {
322 return input.shl<S>();
323}
BOTAN_FN_ISA_AVX512 SIMD_16x32 shl() const

References Botan::SIMD_16x32::shl().

◆ shl() [2/3]

template<size_t S>
SIMD_4x32 Botan::shl ( SIMD_4x32 input)
inline

Definition at line 774 of file simd_4x32.h.

774 {
775 return input.shl<S>();
776}
SIMD_4x32 shl() const noexcept
Definition simd_4x32.h:447

References Botan::SIMD_4x32::shl().

◆ shl() [3/3]

template<size_t S>
SIMD_8x32 Botan::shl ( SIMD_8x32 input)
inline

Definition at line 343 of file simd_avx2.h.

343 {
344 return input.shl<S>();
345}
BOTAN_FN_ISA_AVX2 SIMD_8x32 shl() const noexcept
Definition simd_avx2.h:209

References Botan::SIMD_8x32::shl().

◆ short_version_cstr()

const char * Botan::short_version_cstr ( )

Same as version_short_string except returning a pointer to the string.

Definition at line 16 of file version.cpp.

16 {
17 return BOTAN_SHORT_VERSION_STRING;
18}

Referenced by runtime_version_check(), and short_version_string().

◆ short_version_string()

std::string Botan::short_version_string ( )

Return a version string of the form "MAJOR.MINOR.PATCH" where each of the values is an integer.

Definition at line 28 of file version.cpp.

28 {
29 return std::string(short_version_cstr());
30}

References short_version_cstr().

◆ sigma()

template<size_t R1, size_t R2, size_t S, typename T>
T Botan::sigma ( T x)
inlineconstexpr

SHA-2 Sigma style function

Definition at line 43 of file rotate.h.

43 {
44 return rotr<R1>(x) ^ rotr<R2>(x) ^ (x >> S);
45}

References rotr().

Referenced by Botan::Kyber_Algos::expand_keypair(), SHA2_32_F(), and SHA2_64_F().

◆ sign_message()

std::array< uint8_t, 114 > Botan::sign_message ( std::span< const uint8_t, ED448_LEN > sk,
std::span< const uint8_t, ED448_LEN > pk,
bool f,
std::span< const uint8_t > context,
std::span< const uint8_t > msg )

Sign a message using a keypair (RFC 8032 5.2.6)

Parameters
skthe secret key
pkthe public key
fthe prehash flag (true iff using Ed448ph)
contextthe context string
msgthe message to sign
Returns
the signature

Definition at line 237 of file ed448_internal.cpp.

241 {
242 // 5.2.6. Signature Generation
243 // The inputs to the signing procedure is the private key, a 57-octet
244 // string, a flag F, which is 0 for Ed448, 1 for Ed448ph, context C of
245 // at most 255 octets, and a message M of arbitrary size.
246 // 1. Hash the private key, 57 octets, using SHAKE256(x, 114). Let h
247 // denote the resulting digest. Construct the secret scalar s from
248 // the first half of the digest, and the corresponding public key A,
249 // as described in the previous section. Let prefix denote the
250 // second half of the hash digest, h[57],...,h[113].
251 auto shake_xof = SHAKE_256_XOF();
252 shake_xof.update(sk);
253 const Scalar448 s = scalar_from_xof(shake_xof);
254 std::array<uint8_t, ED448_LEN> prefix;
255 shake_xof.output(prefix);
256 // 2. Compute SHAKE256(dom4(F, C) || prefix || PH(M), 114), where M is
257 // the message to be signed, F is 1 for Ed448ph, 0 for Ed448, and C
258 // is the context to use. Interpret the 114-octet digest as a
259 // little-endian integer r.
260 const Scalar448 r(shake(pgflag, context, prefix, msg));
261 // 3. Compute the point [r]B. For efficiency, do this by first
262 // reducing r modulo L, the group order of B. Let the string R be
263 // the encoding of this point.
264 const auto big_r = (r * Ed448Point::base_point()).encode();
265 // 4. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and
266 // interpret the 114-octet digest as a little-endian integer k.
267 const Scalar448 k(shake(pgflag, context, big_r, pk, msg));
268 // 5. Compute S = (r + k * s) mod L. For efficiency, again reduce k
269 // modulo L first.
270 const auto big_s = r + k * s; //r_plus_ks_mod_L(r, k, s);
271 // 6. Form the signature of the concatenation of R (57 octets) and the
272 // little-endian encoding of S (57 octets; the ten most significant
273 // bits of the final octets are always zero).
274 std::array<uint8_t, 2 * ED448_LEN> sig;
275 BufferStuffer stuf(sig);
276 stuf.append(big_r);
277 stuf.append(big_s.to_bytes<ED448_LEN>());
278 BOTAN_ASSERT(stuf.full(), "Buffer is full");
279
280 return sig;
281}
constexpr size_t ED448_LEN

References Botan::BufferStuffer::append(), Botan::Ed448Point::base_point(), BOTAN_ASSERT, ED448_LEN, and Botan::BufferStuffer::full().

◆ significant_bytes()

template<typename T>
requires (std::is_integral<T>::value)
size_t Botan::significant_bytes ( T n)
inlineconstexpr

Return the number of significant bytes in n

Parameters
nan integer value
Returns
number of significant bytes in n

Definition at line 83 of file bit_ops.h.

85{
86 size_t b = 0;
87
88 for(size_t s = 8 * sizeof(n) / 2; s >= 8; s /= 2) {
89 const size_t z = s * (~ct_is_zero(n >> s) & 1);
90 b += z / 8;
91 n >>= z;
92 }
93
94 b += (n != 0);
95
96 return b;
97}

References ct_is_zero().

◆ sm2_compute_za()

std::vector< uint8_t > Botan::sm2_compute_za ( HashFunction & hash,
std::string_view user_id,
const EC_Group & group,
const EC_AffinePoint & pubkey )

Definition at line 68 of file sm2.cpp.

71 {
72 if(user_id.size() >= 8192) {
73 throw Invalid_Argument("SM2 user id too long to represent");
74 }
75
76 const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
77
78 hash.update(get_byte<0>(uid_len));
79 hash.update(get_byte<1>(uid_len));
80 hash.update(user_id);
81
82 const size_t p_bytes = group.get_p_bytes();
83
84 hash.update(group.get_a().serialize(p_bytes));
85 hash.update(group.get_b().serialize(p_bytes));
86 hash.update(group.get_g_x().serialize(p_bytes));
87 hash.update(group.get_g_y().serialize(p_bytes));
88 hash.update(pubkey.xy_bytes());
89
90 return hash.final<std::vector<uint8_t>>();
91}
const BigInt & get_b() const
Definition ec_group.cpp:544
const BigInt & get_a() const
Definition ec_group.cpp:540
const BigInt & get_g_y() const
Definition ec_group.cpp:592
const BigInt & get_g_x() const
Definition ec_group.cpp:588
size_t get_p_bytes() const
Definition ec_group.cpp:524

References Botan::Buffered_Computation::final(), Botan::EC_Group::get_a(), Botan::EC_Group::get_b(), get_byte(), Botan::EC_Group::get_g_x(), Botan::EC_Group::get_g_y(), Botan::EC_Group::get_p_bytes(), Botan::BigInt::serialize(), Botan::Buffered_Computation::update(), and Botan::EC_AffinePoint::xy_bytes().

Referenced by botan_pubkey_sm2_compute_za().

◆ split_on()

BOTAN_TEST_API std::vector< std::string > Botan::split_on ( std::string_view str,
char delim )

Split a string

Parameters
strthe input string
delimthe delimitor
Returns
string split by delim

Definition at line 111 of file parsing.cpp.

111 {
112 std::vector<std::string> elems;
113 if(str.empty()) {
114 return elems;
115 }
116
117 std::string substr;
118 for(auto i = str.begin(); i != str.end(); ++i) {
119 if(*i == delim) {
120 if(!substr.empty()) {
121 elems.push_back(substr);
122 }
123 substr.clear();
124 } else {
125 substr += *i;
126 }
127 }
128
129 if(substr.empty()) {
130 throw Invalid_Argument(fmt("Unable to split string '{}", str));
131 }
132 elems.push_back(substr);
133
134 return elems;
135}

References fmt().

Referenced by argon2_check_pwhash(), Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), create_private_key(), Botan::TLS::Text_Policy::get_list(), load_private_key(), load_public_key(), pbes2_decrypt(), Botan::TLS::Text_Policy::read_cert_type_list(), Botan::TLS::Text_Policy::read_group_list(), read_kv(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), and Botan::X509_Cert_Options::X509_Cert_Options().

◆ sqrt_modulo_prime()

BigInt Botan::sqrt_modulo_prime ( const BigInt & x,
const BigInt & p )

Compute the square root of x modulo a prime using the Tonelli-Shanks algorithm. This algorithm is primarily used for EC point decompression which takes only public inputs, as a consequence it is not written to be constant-time and may leak side-channel information about its arguments.

Parameters
xthe input
pthe prime modulus
Returns
y such that (y*y)p == x, or -1 if no such integer

Definition at line 26 of file numthry.cpp.

26 {
27 BOTAN_ARG_CHECK(p > 1, "invalid prime");
28 BOTAN_ARG_CHECK(a < p, "value to solve for must be less than p");
29 BOTAN_ARG_CHECK(a >= 0, "value to solve for must not be negative");
30
31 // some very easy cases
32 if(p == 2 || a <= 1) {
33 return a;
34 }
35
36 BOTAN_ARG_CHECK(p.is_odd(), "invalid prime");
37
38 if(jacobi(a, p) != 1) { // not a quadratic residue
39 return BigInt::from_s32(-1);
40 }
41
43 auto monty_p = std::make_shared<Montgomery_Params>(p, mod_p);
44
45 // If p == 3 (mod 4) there is a simple solution
46 if(p % 4 == 3) {
47 return monty_exp_vartime(monty_p, a, ((p + 1) >> 2)).value();
48 }
49
50 // Otherwise we have to use Shanks-Tonelli
51 size_t s = low_zero_bits(p - 1);
52 BigInt q = p >> s;
53
54 q -= 1;
55 q >>= 1;
56
57 BigInt r = monty_exp_vartime(monty_p, a, q).value();
58 BigInt n = mod_p.multiply(a, mod_p.square(r));
59 r = mod_p.multiply(r, a);
60
61 if(n == 1) {
62 return r;
63 }
64
65 // find random quadratic nonresidue z
66 word z = 2;
67 for(;;) {
68 if(jacobi(BigInt::from_word(z), p) == -1) { // found one
69 break;
70 }
71
72 z += 1; // try next z
73
74 /*
75 * The expected number of tests to find a non-residue modulo a
76 * prime is 2. If we have not found one after 256 then almost
77 * certainly we have been given a non-prime p.
78 */
79 if(z >= 256) {
80 return BigInt::from_s32(-1);
81 }
82 }
83
84 BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1).value();
85
86 while(n > 1) {
87 q = n;
88
89 size_t i = 0;
90 while(q != 1) {
91 q = mod_p.square(q);
92 ++i;
93
94 if(i >= s) {
95 return BigInt::from_s32(-1);
96 }
97 }
98
99 BOTAN_ASSERT_NOMSG(s >= (i + 1)); // No underflow!
100 c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1)).value();
101 r = mod_p.multiply(r, c);
102 c = mod_p.square(c);
103 n = mod_p.multiply(n, c);
104
105 // s decreases as the algorithm proceeds
106 BOTAN_ASSERT_NOMSG(s >= i);
107 s = i;
108 }
109
110 return r;
111}
static Barrett_Reduction for_public_modulus(const BigInt &m)
Definition barrett.cpp:33
static BigInt from_s32(int32_t n)
Definition bigint.cpp:40
BigInt & square(secure_vector< word > &ws)
Definition big_ops2.cpp:179
Montgomery_Int monty_exp_vartime(const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &g, const BigInt &k)
Definition monty_exp.h:56

References BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::Barrett_Reduction::for_public_modulus(), Botan::BigInt::from_s32(), Botan::BigInt::from_word(), Botan::BigInt::is_odd(), jacobi(), low_zero_bits(), monty_exp_vartime(), Botan::BigInt::power_of_2(), Botan::BigInt::square(), and Botan::Montgomery_Int::value().

◆ square() [1/2]

BigInt Botan::square ( const BigInt & x)

◆ square() [2/2]

Gf448Elem Botan::square ( const Gf448Elem & elem)

Computes elem^2. Faster than operator*.

Definition at line 348 of file curve448_gf.cpp.

348 {
349 Gf448Elem res(0);
350 gf_square(res.words(), elem.words());
351 return res;
352}

References Botan::Gf448Elem::words().

◆ srp6_client_agree() [1/2]

std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( std::string_view username,
std::string_view password,
const DL_Group & group,
std::string_view hash_id,
const std::vector< uint8_t > & salt,
const BigInt & B,
size_t a_bits,
RandomNumberGenerator & rng )

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
groupspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
a_bitssize of secret exponent in bits
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 78 of file srp6.cpp.

85 {
86 BOTAN_ARG_CHECK(a_bits <= group.p_bits(), "Invalid a_bits");
87
88 const BigInt& g = group.get_g();
89 const BigInt& p = group.get_p();
90
91 const size_t p_bytes = group.p_bytes();
92
93 if(B <= 0 || B >= p) {
94 throw Decoding_Error("Invalid SRP parameter from server");
95 }
96
97 auto hash_fn = HashFunction::create_or_throw(hash_id);
98 if(8 * hash_fn->output_length() >= group.p_bits()) {
99 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
100 }
101
102 const BigInt k = hash_seq(*hash_fn, p_bytes, p, g);
103
104 const BigInt a(rng, a_bits);
105
106 const BigInt A = group.power_g_p(a, a_bits);
107
108 const BigInt u = hash_seq(*hash_fn, p_bytes, A, B);
109
110 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
111
112 const BigInt g_x_p = group.power_g_p(x, hash_fn->output_length() * 8);
113
114 const BigInt B_k_g_x_p = group.mod_p(B + group.mod_p(p - group.multiply_mod_p(k, g_x_p)));
115
116 const BigInt a_ux = a + u * x;
117
118 const size_t max_aux_bits = std::max<size_t>(a_bits + 1, 2 * 8 * hash_fn->output_length());
119 BOTAN_ASSERT_NOMSG(max_aux_bits >= a_ux.bits());
120
121 const BigInt S = group.power_b_p(B_k_g_x_p, a_ux, max_aux_bits);
122
123 const SymmetricKey Sk(S.serialize<secure_vector<uint8_t>>(p_bytes));
124
125 return std::make_pair(A, Sk);
126}
BigInt power_g_p(const BigInt &x) const
Definition dl_group.h:263
BigInt mod_p(const BigInt &x) const
Definition dl_group.cpp:523
BigInt multiply_mod_p(const BigInt &x, const BigInt &y) const
Definition dl_group.cpp:527
size_t p_bits() const
Definition dl_group.cpp:492
const BigInt & get_p() const
Definition dl_group.cpp:466
size_t p_bytes() const
Definition dl_group.cpp:496
BigInt power_b_p(const BigInt &b, const BigInt &x, size_t max_x_bits) const
Definition dl_group.cpp:573
const BigInt & get_g() const
Definition dl_group.cpp:473
OctetString SymmetricKey
Definition symkey.h:140

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::get_g(), Botan::DL_Group::get_p(), Botan::DL_Group::mod_p(), Botan::DL_Group::multiply_mod_p(), Botan::DL_Group::p_bits(), Botan::DL_Group::p_bytes(), Botan::DL_Group::power_b_p(), Botan::DL_Group::power_g_p(), and Botan::BigInt::serialize().

◆ srp6_client_agree() [2/2]

std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( std::string_view username,
std::string_view password,
std::string_view group_id,
std::string_view hash_id,
const std::vector< uint8_t > & salt,
const BigInt & B,
RandomNumberGenerator & rng )

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 65 of file srp6.cpp.

71 {
72 auto group = DL_Group::from_name(group_id);
73 const size_t a_bits = group.exponent_bits();
74
75 return srp6_client_agree(identifier, password, group, hash_id, salt, B, a_bits, rng);
76}
std::pair< BigInt, SymmetricKey > srp6_client_agree(std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
Definition srp6.cpp:65

References Botan::DL_Group::from_name(), and srp6_client_agree().

Referenced by botan_srp6_client_agree(), and srp6_client_agree().

◆ srp6_generate_verifier() [1/2]

BigInt Botan::srp6_generate_verifier ( std::string_view identifier,
std::string_view password,
const std::vector< uint8_t > & salt,
const DL_Group & group,
std::string_view hash_id )

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
groupspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 137 of file srp6.cpp.

141 {
142 auto hash_fn = HashFunction::create_or_throw(hash_id);
143 if(8 * hash_fn->output_length() >= group.p_bits()) {
144 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
145 }
146
147 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
148 return group.power_g_p(x, hash_fn->output_length() * 8);
149}

References Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::p_bits(), and Botan::DL_Group::power_g_p().

◆ srp6_generate_verifier() [2/2]

BigInt Botan::srp6_generate_verifier ( std::string_view identifier,
std::string_view password,
const std::vector< uint8_t > & salt,
std::string_view group_id,
std::string_view hash_id )

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 128 of file srp6.cpp.

132 {
133 auto group = DL_Group::from_name(group_id);
134 return srp6_generate_verifier(identifier, password, salt, group, hash_id);
135}
BigInt srp6_generate_verifier(std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
Definition srp6.cpp:128

References Botan::DL_Group::from_name(), and srp6_generate_verifier().

Referenced by botan_srp6_generate_verifier(), and srp6_generate_verifier().

◆ srp6_group_identifier()

std::string Botan::srp6_group_identifier ( const BigInt & N,
const BigInt & g )

Return the group id for this SRP param set, or else thrown an exception

Parameters
Nthe group modulus
gthe group generator
Returns
group identifier

Definition at line 46 of file srp6.cpp.

46 {
47 /*
48 This function assumes that only one 'standard' SRP parameter set has
49 been defined for a particular bitsize. As of this writing that is the case.
50 */
51 try {
52 const std::string group_name = "modp/srp/" + std::to_string(N.bits());
53
54 auto group = DL_Group::from_name(group_name);
55
56 if(group.get_p() == N && group.get_g() == g) {
57 return group_name;
58 }
59 } catch(...) {}
60
61 // If we didn't return, the group was unknown or did not match
62 throw Invalid_Argument("Invalid or unknown SRP group parameters");
63}

References Botan::BigInt::bits(), and Botan::DL_Group::from_name().

◆ store_be()

template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
auto Botan::store_be ( ParamTs &&... params)
inlineconstexpr

Store "something" in big endian byte order See the documentation of this file for more details.

Definition at line 745 of file loadstor.h.

745 {
746 return detail::store_any<std::endian::big, ModifierT>(std::forward<ParamTs>(params)...);
747}
constexpr void store_any(WrappedInT wrapped_in, OutR &&out_range)
Definition loadstor.h:525

References Botan::detail::store_any().

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::BigInt::binary_encode(), Botan::FPE_FE1::decrypt(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::AlternativeName::encode_into(), Botan::CryptoBox::encrypt(), Botan::FPE_FE1::encrypt(), Botan::TLS::Session::encrypt(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::TLS::Connection_Cipher_State::format_ad(), Botan::Kyber_Modern_Symmetric_Primitives::get_PRF(), Botan::ML_KEM_Symmetric_Primitives::get_PRF(), Botan::Kyber_Modern_Symmetric_Primitives::get_XOF(), Botan::ML_KEM_Symmetric_Primitives::get_XOF(), hkdf_expand_label(), ipv4_to_string(), lmots_compute_pubkey_from_sig(), Botan::LMOTS_Public_Key::LMOTS_Public_Key(), Botan::TLS::make_hello_random(), Botan::TPM2::Context::manufacturer(), Botan::TLS::Cipher_State::next_ticket_nonce(), nist_key_wrap(), nist_key_wrap_padded(), Botan::XMSS_PublicKey::raw_public_key_bits(), Botan::CTR_BE::seek(), Botan::TLS::New_Session_Ticket_12::serialize(), Botan::TLS::New_Session_Ticket_13::serialize(), Botan::PseudorandomKeyGeneration::set_i(), Botan::PseudorandomKeyGeneration::set_j(), Botan::PseudorandomKeyGeneration::set_q(), Botan::HSS_LMS_PrivateKeyInternal::sign(), Botan::LMOTS_Private_Key::sign(), Botan::LMS_PrivateKey::sign_and_get_pk(), Botan::SIMD_4x32::store_be(), Botan::HSS_LMS_PrivateKeyInternal::to_bytes(), Botan::HSS_LMS_PublicKeyInternal::to_bytes(), Botan::LMS_PublicKey::to_bytes(), Botan::Sphincs_Address::to_bytes(), Botan::Sphincs_Address::to_bytes_compressed(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), and Botan::TPM2::Context::vendor().

◆ store_le()

template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
auto Botan::store_le ( ParamTs &&... params)
inlineconstexpr

◆ string_join()

std::string Botan::string_join ( const std::vector< std::string > & strs,
char delim )

Join a string

Parameters
strsstrings to join
delimthe delimitor
Returns
string joined by delim

Definition at line 140 of file parsing.cpp.

140 {
141 std::ostringstream out;
142
143 for(size_t i = 0; i != strs.size(); ++i) {
144 if(i != 0) {
145 out << delim;
146 }
147 out << strs[i];
148 }
149
150 return out.str();
151}

Referenced by Botan::CPUID::to_string(), and Botan::Key_Constraints::to_string().

◆ string_to_ipv4()

std::optional< uint32_t > BOTAN_TEST_API Botan::string_to_ipv4 ( std::string_view ip_str)

Convert a string representation of an IPv4 address to a number

Parameters
ip_strthe string representation
Returns
integer IPv4 address

Definition at line 156 of file parsing.cpp.

156 {
157 // At least 3 dots + 4 1-digit integers
158 // At most 3 dots + 4 3-digit integers
159 if(str.size() < 3 + 4 * 1 || str.size() > 3 + 4 * 3) {
160 return {};
161 }
162
163 // the final result
164 uint32_t ip = 0;
165 // the number of '.' seen so far
166 size_t dots = 0;
167 // accumulates one quad (range 0-255)
168 uint32_t accum = 0;
169 // # of digits pushed to accum since last dot
170 size_t cur_digits = 0;
171
172 for(char c : str) {
173 if(c == '.') {
174 // . without preceding digit is invalid
175 if(cur_digits == 0) {
176 return {};
177 }
178 dots += 1;
179 // too many dots
180 if(dots > 3) {
181 return {};
182 }
183
184 cur_digits = 0;
185 ip = (ip << 8) | accum;
186 accum = 0;
187 } else if(c >= '0' && c <= '9') {
188 const auto d = static_cast<uint8_t>(c - '0');
189
190 // prohibit leading zero in quad (used for octal)
191 if(cur_digits > 0 && accum == 0) {
192 return {};
193 }
194 accum = (accum * 10) + d;
195
196 if(accum > 255) {
197 return {};
198 }
199
200 cur_digits++;
201 BOTAN_ASSERT_NOMSG(cur_digits <= 3);
202 } else {
203 return {};
204 }
205 }
206
207 // no trailing digits?
208 if(cur_digits == 0) {
209 return {};
210 }
211
212 // insufficient # of dots
213 if(dots != 3) {
214 return {};
215 }
216
217 ip = (ip << 8) | accum;
218
219 return ip;
220}

References BOTAN_ASSERT_NOMSG.

Referenced by Botan::AlternativeName::add_attribute(), Botan::AlternativeName::AlternativeName(), Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), and Botan::X509_Certificate::matches_dns_name().

◆ swap_bits()

template<typename T>
void Botan::swap_bits ( T & x,
T & y,
T mask,
size_t shift )
inlineconstexpr

Definition at line 197 of file bit_ops.h.

197 {
198 const T swap = ((x >> shift) ^ y) & mask;
199 x ^= swap << shift;
200 y ^= swap;
201}

◆ swar_in_range()

template<std::unsigned_integral T>
T Botan::swar_in_range ( T v,
T lower,
T upper )
constexpr

SWAR (SIMD within a word) byte-by-byte comparison

This individually compares each byte of the provided words. It returns a mask which contains, for each byte, 0x80 if the byte in a was less than the byte in b. Otherwise the mask is 00.

This implementation assumes that the high bits of each byte in both lower and upper are clear! It is possible to support the full range of bytes, but this requires additional comparisons.

Definition at line 114 of file int_utils.h.

114 {
115 // The constant 0x808080... as a T
116 constexpr T hi1 = (static_cast<T>(-1) / 255) << 7;
117 // The constant 0x7F7F7F... as a T
118 constexpr T lo7 = ~hi1;
119
120 const T sub = ((v | hi1) - (lower & lo7)) ^ ((v ^ (~lower)) & hi1);
121 const T a_lo = sub & lo7;
122 const T a_hi = sub & hi1;
123 return (lo7 - a_lo + upper) & hi1 & ~a_hi;
124}

◆ swar_lt()

template<std::unsigned_integral T>
T Botan::swar_lt ( T a,
T b )
constexpr

SWAR (SIMD within a word) byte-by-byte comparison

This individually compares each byte of the provided words. It returns a mask which contains, for each byte, 0xFF if the byte in a was less than the byte in b. Otherwise the mask is 00.

This implementation assumes that the high bits of each byte in both a and b are clear! It is possible to support the full range of bytes, but this requires additional comparisons.

Definition at line 91 of file int_utils.h.

91 {
92 // The constant 0x808080... as a T
93 constexpr T hi1 = (static_cast<T>(-1) / 255) << 7;
94 // The constant 0x7F7F7F... as a T
95 constexpr T lo7 = static_cast<T>(~hi1);
96 T r = (lo7 - a + b) & hi1;
97 // Currently the mask is 80 if lt, otherwise 00. Convert to FF/00
98 return (r << 1) - (r >> 7);
99}

◆ syndrome_init()

std::vector< polyn_gf2m > Botan::syndrome_init ( const polyn_gf2m & generator,
const std::vector< gf2m > & support,
int n )

Definition at line 608 of file polyn_gf2m.cpp.

608 {
609 int i, j, t;
610 gf2m a;
611
612 std::shared_ptr<GF2m_Field> m_sp_field = generator.get_sp_field();
613
614 std::vector<polyn_gf2m> result;
615 t = generator.get_degree();
616
617 //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
618 //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
619
620 for(j = 0; j < n; j++) {
621 result.push_back(polyn_gf2m(t - 1, m_sp_field));
622
623 (*&result[j]).set_coef(t - 1, 1);
624 for(i = t - 2; i >= 0; i--) {
625 (*&result[j]).set_coef(i, (generator)[i + 1] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][i + 1]));
626 }
627 a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][0]));
628 for(i = 0; i < t; i++) {
629 (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i], a));
630 }
631 }
632 return result;
633}
gf2m lex_to_gray(gf2m lex)

References Botan::polyn_gf2m::get_degree(), Botan::polyn_gf2m::get_sp_field(), and lex_to_gray().

Referenced by generate_mceliece_key().

◆ system_rng()

◆ throw_invalid_argument()

void BOTAN_UNSTABLE_API Botan::throw_invalid_argument ( const char * message,
const char * func,
const char * file )

Called when an invalid argument is used Throws Invalid_Argument

Definition at line 22 of file assert.cpp.

22 {
23 throw Invalid_Argument(fmt("{} in {}:{}", message, func, file));
24}

References fmt().

◆ throw_invalid_state()

void BOTAN_UNSTABLE_API Botan::throw_invalid_state ( const char * message,
const char * func,
const char * file )

Called when an invalid state is encountered Throws Invalid_State

Definition at line 26 of file assert.cpp.

26 {
27 throw Invalid_State(fmt("Invalid state: expr {} was false in {}:{}", expr, func, file));
28}

References fmt().

◆ to_affine()

template<typename C>
auto Botan::to_affine ( const typename C::ProjectivePoint & pt)
inlineconstexpr

Convert a projective point into affine

Definition at line 46 of file pcurves_algos.h.

46 {
47 // Not strictly required right? - default should work as long
48 // as (0,0) is identity and invert returns 0 on 0
49
50 if constexpr(curve_supports_fe_invert2<C>) {
51 const auto z2_inv = C::fe_invert2(pt.z());
52 const auto z3_inv = z2_inv.square() * pt.z();
53 return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv);
54 } else {
55 const auto z_inv = invert_field_element<C>(pt.z());
56 const auto z2_inv = z_inv.square();
57 const auto z3_inv = z_inv * z2_inv;
58 return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv);
59 }
60}
constexpr auto invert_field_element(const typename C::FieldElement &fe)

References invert_field_element().

Referenced by Botan::PCurve::GenericPrimeOrderCurve::point_to_affine(), Botan::PCurve::PrimeOrderCurveImpl< C >::point_to_affine(), and to_affine_batch().

◆ to_affine_batch()

template<typename C>
auto Botan::to_affine_batch ( std::span< const typename C::ProjectivePoint > projective)

Definition at line 77 of file pcurves_algos.h.

77 {
78 using AffinePoint = typename C::AffinePoint;
79
80 const size_t N = projective.size();
81 std::vector<AffinePoint> affine;
82 affine.reserve(N);
83
84 CT::Choice any_identity = CT::Choice::no();
85
86 for(const auto& pt : projective) {
87 any_identity = any_identity || pt.is_identity();
88 }
89
90 if(N <= 2 || any_identity.as_bool()) {
91 // If there are identity elements, using the batch inversion gets
92 // tricky. It can be done, but this should be a rare situation so
93 // just punt to the serial conversion if it occurs
94 for(size_t i = 0; i != N; ++i) {
95 affine.push_back(to_affine<C>(projective[i]));
96 }
97 } else {
98 std::vector<typename C::FieldElement> c;
99 c.reserve(N);
100
101 /*
102 Batch projective->affine using Montgomery's trick
103
104 See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography"
105 (Hankerson, Menezes, Vanstone)
106 */
107
108 c.push_back(projective[0].z());
109 for(size_t i = 1; i != N; ++i) {
110 c.push_back(c[i - 1] * projective[i].z());
111 }
112
113 auto s_inv = invert_field_element<C>(c[N - 1]);
114
115 for(size_t i = N - 1; i > 0; --i) {
116 const auto& p = projective[i];
117
118 const auto z_inv = s_inv * c[i - 1];
119 const auto z2_inv = z_inv.square();
120 const auto z3_inv = z_inv * z2_inv;
121
122 s_inv = s_inv * p.z();
123
124 affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv));
125 }
126
127 const auto z2_inv = s_inv.square();
128 const auto z3_inv = s_inv * z2_inv;
129 affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv));
130 std::reverse(affine.begin(), affine.end());
131 return affine;
132 }
133
134 return affine;
135}
static constexpr Choice no()
Definition ct_utils.h:328
constexpr bool as_bool() const
Definition ct_utils.h:350
constexpr auto to_affine(const typename C::ProjectivePoint &pt)

References Botan::CT::Choice::as_bool(), invert_field_element(), Botan::CT::Choice::no(), and to_affine().

Referenced by Botan::AffinePointTable< C, R >::AffinePointTable(), and basemul_setup().

◆ to_affine_x()

template<typename C>
auto Botan::to_affine_x ( const typename C::ProjectivePoint & pt)

Convert a projective point into affine and return x coordinate only

Definition at line 66 of file pcurves_algos.h.

66 {
67 if constexpr(curve_supports_fe_invert2<C>) {
68 return pt.x() * C::fe_invert2(pt.z());
69 } else {
70 const auto z_inv = invert_field_element<C>(pt.z());
71 const auto z2_inv = z_inv.square();
72 return pt.x() * z2_inv;
73 }
74}

References invert_field_element().

Referenced by Botan::PCurve::GenericPrimeOrderCurve::base_point_mul_x_mod_order(), Botan::PCurve::PrimeOrderCurveImpl< C >::base_point_mul_x_mod_order(), Botan::PCurve::GenericPrimeOrderCurve::mul_x_only(), and Botan::PCurve::PrimeOrderCurveImpl< C >::mul_x_only().

◆ to_byte_vector()

template<concepts::contiguous_container T = std::vector<uint8_t>>
T Botan::to_byte_vector ( std::string_view s)
inline

◆ to_string() [1/3]

const char * Botan::to_string ( Certificate_Status_Code code)

Convert a status code to a human readable diagnostic message

Parameters
codethe certifcate status
Returns
string literal constant, or nullptr if code unknown

Definition at line 11 of file cert_status.cpp.

11 {
12 switch(code) {
14 return "Verified";
16 return "OCSP response accepted as affirming unrevoked status for certificate";
18 return "Signature on OCSP response was found valid";
20 return "Valid CRL examined";
21
23 return "Certificate serial number is negative";
25 return "Distinguished name too long";
27 return "OCSP URL not available";
29 return "OCSP server not available";
31 return "Trusted certificate is not yet valid";
33 return "Trusted certificate has expired";
35 return "OCSP issuer is not trustworthy";
36
38 return "No revocation data";
40 return "Signature method too weak";
42 return "Hash function used is considered too weak for security";
43
45 return "Certificate is not yet valid";
47 return "Certificate has expired";
49 return "OCSP is not yet valid";
51 return "OCSP response has expired";
53 return "OCSP response is too old";
55 return "CRL response is not yet valid";
57 return "CRL has expired";
58
60 return "Certificate issuer not found";
62 return "Cannot establish trust";
64 return "Loop in certificate chain";
66 return "Certificate chain does not end in a CA certificate";
68 return "Certificate issuer does not match subject of issuing cert";
69
71 return "Certificate policy error";
73 return "Certificate contains duplicate policy";
75 return "Certificate does not allow the requested usage";
77 return "Certificate chain too long";
79 return "CA certificate not allowed to issue certs";
81 return "CA certificate not allowed to issue CRLs";
83 return "No CRL with matching distribution point for certificate";
85 return "OCSP cert not listed";
87 return "OCSP bad status";
89 return "Certificate does not match provided name";
91 return "Certificate does not pass name constraint";
93 return "Unknown critical extension encountered";
95 return "Duplicate certificate extension encountered";
97 return "Encountered extension in certificate with version that does not allow it";
99 return "Encountered v2 identifiers in v1 certificate";
101 return "OCSP signature error";
103 return "Unable to find certificate issusing OCSP response";
105 return "OCSP issuer's keyusage prohibits OCSP";
107 return "OCSP parsing valid";
109 return "OCSP requests not available, no HTTP support compiled in";
111 return "Certificate is revoked";
113 return "CRL bad signature";
115 return "Signature error";
117 return "Certificate public key invalid";
119 return "Certificate signed with unknown/unavailable algorithm";
121 return "Certificate signature has invalid parameters";
122
123 // intentionally no default so we are warned if new enum values are added
124 }
125
126 return nullptr;
127}

References CA_CERT_NOT_FOR_CERT_ISSUER, CA_CERT_NOT_FOR_CRL_ISSUER, CANNOT_ESTABLISH_TRUST, CERT_CHAIN_LOOP, CERT_CHAIN_TOO_LONG, CERT_HAS_EXPIRED, CERT_IS_REVOKED, CERT_ISSUER_NOT_FOUND, CERT_NAME_NOMATCH, CERT_NOT_YET_VALID, CERT_PUBKEY_INVALID, CERT_SERIAL_NEGATIVE, CHAIN_LACKS_TRUST_ROOT, CHAIN_NAME_MISMATCH, CRL_BAD_SIGNATURE, CRL_HAS_EXPIRED, CRL_NOT_YET_VALID, DN_TOO_LONG, DUPLICATE_CERT_EXTENSION, DUPLICATE_CERT_POLICY, EXT_IN_V1_V2_CERT, INVALID_USAGE, NAME_CONSTRAINT_ERROR, NO_MATCHING_CRLDP, NO_REVOCATION_DATA, OCSP_BAD_STATUS, OCSP_CERT_NOT_LISTED, OCSP_HAS_EXPIRED, OCSP_IS_TOO_OLD, OCSP_ISSUER_NOT_FOUND, OCSP_ISSUER_NOT_TRUSTED, OCSP_NO_HTTP, OCSP_NO_REVOCATION_URL, OCSP_NOT_YET_VALID, OCSP_RESPONSE_GOOD, OCSP_RESPONSE_INVALID, OCSP_RESPONSE_MISSING_KEYUSAGE, OCSP_SERVER_NOT_AVAILABLE, OCSP_SIGNATURE_ERROR, OCSP_SIGNATURE_OK, POLICY_ERROR, SIGNATURE_ALGO_BAD_PARAMS, SIGNATURE_ALGO_UNKNOWN, SIGNATURE_ERROR, SIGNATURE_METHOD_TOO_WEAK, TRUSTED_CERT_HAS_EXPIRED, TRUSTED_CERT_NOT_YET_VALID, UNKNOWN_CRITICAL_EXTENSION, UNTRUSTED_HASH, V2_IDENTIFIERS_IN_V1_CERT, VALID_CRL_CHECKED, and VERIFIED.

◆ to_string() [2/3]

std::string Botan::to_string ( ErrorType type)

Convert an ErrorType to string.

Definition at line 13 of file exceptn.cpp.

13 {
14 switch(type) {
16 return "Unknown";
18 return "SystemError";
20 return "NotImplemented";
22 return "OutOfMemory";
24 return "InternalError";
26 return "IoError";
28 return "InvalidObjectState";
30 return "KeyNotSet";
32 return "InvalidArgument";
34 return "InvalidKeyLength";
36 return "InvalidNonceLength";
38 return "LookupError";
40 return "EncodingFailure";
42 return "DecodingFailure";
44 return "TLSError";
46 return "HttpError";
48 return "InvalidTag";
50 return "RoughtimeError";
52 return "CommonCryptoError";
54 return "Pkcs11Error";
56 return "TPMError";
58 return "DatabaseError";
60 return "ZlibError";
62 return "Bzip2Error";
64 return "LzmaError";
65 }
66
67 // No default case in above switch so compiler warns
68 return "Unrecognized Botan error";
69}

References Bzip2Error, CommonCryptoError, DatabaseError, DecodingFailure, EncodingFailure, HttpError, InternalError, InvalidArgument, InvalidKeyLength, InvalidNonceLength, InvalidObjectState, InvalidTag, IoError, KeyNotSet, LookupError, LzmaError, NotImplemented, OutOfMemory, Pkcs11Error, RoughtimeError, SystemError, TLSError, TPMError, Unknown, and ZlibError.

Referenced by Botan::TLS::Server_Hello_13::basic_validation(), botan_x509_cert_validation_status(), Botan::TLS::PskIdentity::identity_as_string(), Botan::PKCS11::PKCS11_ReturnError::PKCS11_ReturnError(), and Botan::Path_Validation_Result::status_string().

◆ to_string() [3/3]

std::string Botan::to_string ( std::span< const uint8_t > bytes)
inline

Definition at line 34 of file stl_util.h.

34 {
35 return std::string(bytes.begin(), bytes.end());
36}

◆ to_u32bit()

BOTAN_TEST_API uint32_t Botan::to_u32bit ( std::string_view str)

Convert a decimal string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 32 of file parsing.cpp.

32 {
33 const std::string str(str_view);
34
35 // std::stoul is not strict enough. Ensure that str is digit only [0-9]*
36 for(const char chr : str) {
37 if(chr < '0' || chr > '9') {
38 throw Invalid_Argument("to_u32bit invalid decimal string '" + str + "'");
39 }
40 }
41
42 const unsigned long int x = std::stoul(str);
43
44 if constexpr(sizeof(unsigned long int) > 4) {
45 // x might be uint64
46 if(x > std::numeric_limits<uint32_t>::max()) {
47 throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range");
48 }
49 }
50
51 return static_cast<uint32_t>(x);
52}

Referenced by Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_as_integer(), argon2_check_pwhash(), create_private_key(), Botan::TLS::Text_Policy::get_len(), Botan::HTTP::http_sync(), and to_uint16().

◆ to_uint16()

uint16_t Botan::to_uint16 ( std::string_view str)

Convert a decimal string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 22 of file parsing.cpp.

22 {
23 const uint32_t x = to_u32bit(str);
24
25 if(x >> 16) {
26 throw Invalid_Argument("Integer value exceeds 16 bit range");
27 }
28
29 return static_cast<uint16_t>(x);
30}

References to_u32bit().

Referenced by check_bcrypt(), and Botan::TLS::Text_Policy::srtp_profiles().

◆ to_underlying()

template<typename T>
requires std::is_enum_v<T>
auto Botan::to_underlying ( T e)
noexcept

Definition at line 415 of file stl_util.h.

415 {
416 return static_cast<std::underlying_type_t<T>>(e);
417}

◆ tolower_string()

std::string Botan::tolower_string ( std::string_view in)

Definition at line 241 of file parsing.cpp.

241 {
242 std::string s(in);
243 for(size_t i = 0; i != s.size(); ++i) {
244 const int cu = static_cast<unsigned char>(s[i]);
245 if(std::isalpha(cu)) {
246 s[i] = static_cast<char>(std::tolower(cu));
247 }
248 }
249 return s;
250}

Referenced by Botan::AlternativeName::add_dns(), Botan::GeneralName::decode_from(), and host_wildcard_match().

◆ treehash() [1/2]

BOTAN_TEST_API void Botan::treehash ( StrongSpan< SphincsTreeNode > out_root,
StrongSpan< SphincsAuthenticationPath > out_auth_path,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes,
std::optional< TreeNodeIndex > leaf_idx,
uint32_t idx_offset,
uint32_t tree_height,
const GenerateLeafFunction & gen_leaf,
Sphincs_Address & tree_address )

Implements a generic Merkle tree hash. Will be used for both FORS and XMSS signatures. gen_leaf is used to create leaf nodes in the respective trees. Additionally XMSS uses the gen_leaf logic to store the WOTS Signature in the main SLH-DSA signature. The leaf_idx is the index of leaf to sign. If only the root node must be computed (without a signature), the leaf_idx is set to std::nullopt.

Definition at line 17 of file sp_treehash.cpp.

25 {
26 BOTAN_ASSERT_NOMSG(out_root.size() == params.n());
27 BOTAN_ASSERT_NOMSG(out_auth_path.size() == params.n() * total_tree_height);
28
29 const TreeNodeIndex max_idx(uint32_t((1 << total_tree_height) - 1));
30
31 std::vector<uint8_t> stack(total_tree_height * params.n());
32 SphincsTreeNode current_node(params.n()); // Current logical node
33
34 /* Traverse the tree from the left-most leaf, matching siblings and up until
35 * the root (Post-order traversal). Collect the adjacent nodes (A) to build
36 * the authentication path (X) along the way.
37 *
38 * 7R
39 * / \
40 * 3X 6A
41 * / \ / \
42 * 1X 2A 4 5
43 */
44 for(TreeNodeIndex idx(0); true; ++idx) {
45 tree_address.set_tree_height(TreeLayerIndex(0));
46 gen_leaf(current_node, idx + idx_offset);
47
48 // Now combine the freshly generated right node with previously generated
49 // left ones
50 uint32_t internal_idx_offset = idx_offset;
51 TreeNodeIndex internal_idx = idx;
52 auto internal_leaf = leaf_idx;
53
54 for(TreeLayerIndex h(0); true; ++h) {
55 // Check if we hit the top of the tree
56 if(h.get() == total_tree_height) {
57 copy_mem(out_root, current_node);
58 return;
59 }
60
61 // Check if the node we have is a part of the authentication path; if
62 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
63 // is 1 iff they have the same parent node in the FORS tree
64 if(internal_leaf.has_value() && (internal_idx ^ internal_leaf.value()) == 0x01U) {
65 auto auth_path_location = out_auth_path.get().subspan(h.get() * params.n(), params.n());
66 copy_mem(auth_path_location, current_node);
67 }
68
69 // At this point we know that we'll need to use the stack. Get a
70 // reference to the correct location.
71 auto stack_location = std::span(stack).subspan(h.get() * params.n(), params.n());
72
73 // Check if we're at a left child; if so, stop going up the stack
74 // Exception: if we've reached the end of the tree, keep on going (so
75 // we combine the last 4 nodes into the one root node in two more
76 // iterations)
77 if((internal_idx & 1) == 0U && idx < max_idx) {
78 // We've hit a left child; save the current for when we get the
79 // corresponding right child.
80 copy_mem(stack_location, current_node);
81 break;
82 }
83
84 // Ok, we're at a right node. Now combine the left and right logical
85 // nodes together.
86
87 // Set the address of the node we're creating.
88 internal_idx_offset /= 2;
89 tree_address.set_tree_height(h + 1);
90 tree_address.set_tree_index(internal_idx / 2 + internal_idx_offset);
91
92 hashes.T(current_node, tree_address, stack_location, current_node);
93
94 internal_idx /= 2;
95 if(internal_leaf.has_value()) {
96 internal_leaf.value() /= 2;
97 }
98 }
99 }
100}
underlying_span get() const

References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::StrongSpan< T >::get(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::StrongSpan< T >::size(), and Botan::Sphincs_Hash_Functions::T().

Referenced by fors_sign_and_pkgen(), and xmss_sign_and_pkgen().

◆ treehash() [2/2]

template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void Botan::treehash ( StrongSpan< TreeNode > out_root,
std::optional< AuthPathSS > out_auth_path,
std::optional< TreeNodeIndex > leaf_idx,
size_t node_size,
TreeLayerIndex total_tree_height,
uint32_t idx_offset,
concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash,
concepts::tree_gen_leaf< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto gen_leaf,
Address & tree_address )
inline

Treehash logic to build up a merkle hash tree.

Computes the root of the merkle tree. Can also output an authentication path necessary for a hash based signature.

Given the following tree: Layer: 2 7R / \ 1 3X 6A / \ / \ 0 1X 2A 4 5

The treehash logic traverses the tree (Post-order traversal), i.e., the nodes are discovered in order 1,2,3,...,7. If we want to create a signature using leaf node 1, the authentication path is (Node 2, Node 6), since we need those to compute the root.

Parameters
out_rootAn output buffer to store the root node in (size: node_size ).
out_auth_pathOptional buffer to store the authentication path in (size: node_size * total_tree_height).
leaf_idxThe optional index of the leaf used to sign in the bottom tree layer beginning with index 0. nullopt if no node is signed, so we need no auth path.
node_sizeThe size of each node in the tree.
total_tree_heightThe hight of the merkle tree to construct.
idx_offsetIf we compute a subtree this marks the index of the leftmost leaf node in the bottom layer
node_pair_hashThe function to process two child nodes to compute their parent node.
gen_leafThe logic to create a leaf node given the address in the tree. Probably this function creates a one-time/few-time-signature's public key which is hashed to be the leaf node.
tree_addressThe address that is passed to gen_leaf or node_pair hash. This function will update the address accordings to the currently processed node. This object may contain further algorithm specific information, like the position of this merkle tree in a hypertree.

Definition at line 114 of file tree_hash.h.

123 {
124 BOTAN_ASSERT_NOMSG(out_root.size() == node_size);
125 BOTAN_ASSERT(out_auth_path.has_value() == leaf_idx.has_value(),
126 "Both leaf index and auth path buffer is given or neither.");
127 const bool is_signing = leaf_idx.has_value();
128 BOTAN_ASSERT_NOMSG(!is_signing || out_auth_path.value().size() == node_size * total_tree_height.get());
129
130 const TreeNodeIndex max_idx(uint32_t((1 << total_tree_height.get()) - 1));
131
132 std::vector<TreeNode> last_visited_left_child_at_layer(total_tree_height.get(), TreeNode(node_size));
133
134 TreeNode current_node(node_size); // Current logical node
135
136 // Traverse the tree from the left-most leaf, matching siblings and up until
137 // the root (Post-order traversal). Collect the adjacent nodes to build
138 // the authentication path along the way.
139 for(TreeNodeIndex idx(0); true; ++idx) {
140 tree_address.set_address(TreeLayerIndex(0), idx + idx_offset);
141 gen_leaf(StrongSpan<TreeNode>(current_node), tree_address);
142
143 // Now combine the freshly generated right node with previously generated
144 // left ones
145 uint32_t internal_idx_offset = idx_offset;
146 TreeNodeIndex internal_idx = idx;
147 auto internal_leaf = leaf_idx;
148
149 for(TreeLayerIndex h(0); true; ++h) {
150 // Check if we hit the top of the tree
151 if(h == total_tree_height) {
152 copy_mem(out_root, current_node);
153 return;
154 }
155
156 // Check if the node we have is a part of the authentication path; if
157 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
158 // is 1 iff they have the same parent node in the FORS tree
159 if(is_signing && (internal_idx ^ internal_leaf.value()) == 0x01U) {
160 auto auth_path_location = out_auth_path.value().get().subspan(h.get() * node_size, node_size);
161 copy_mem(auth_path_location, current_node);
162 }
163
164 // Check if we're at a left child; if so, stop going up the tree
165 // Exception: if we've reached the end of the tree, keep on going (so
166 // we combine the last 4 nodes into the one root node in two more
167 // iterations)
168 if((internal_idx & 1) == 0U && idx < max_idx) {
169 // We've hit a left child; save the current for when we get the
170 // corresponding right child.
171 copy_mem(last_visited_left_child_at_layer.at(h.get()), current_node);
172 break;
173 }
174
175 // Ok, we're at a right node. Now combine the left and right logical
176 // nodes together.
177
178 // Set the address of the node we're creating.
179 internal_idx_offset /= 2;
180 tree_address.set_address(h + 1, internal_idx / 2 + internal_idx_offset);
181
182 node_pair_hash(current_node, tree_address, last_visited_left_child_at_layer.at(h.get()), current_node);
183
184 internal_idx /= 2;
185 if(internal_leaf.has_value()) {
186 internal_leaf.value() /= 2;
187 }
188 }
189 }
190}

References BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, copy_mem(), Botan::detail::Strong_Base< T >::get(), and Botan::StrongSpan< T >::size().

◆ typecast_copy() [1/9]

template<typename To>
requires std::is_trivial<To>::value
To Botan::typecast_copy ( const uint8_t src[])
inlineconstexprnoexcept

Definition at line 257 of file mem_ops.h.

257 {
258 // asserts that *src points to the correct amount of memory
259 return typecast_copy<To>(std::span<const uint8_t, sizeof(To)>(src, sizeof(To)));
260}

References typecast_copy().

◆ typecast_copy() [2/9]

template<typename ToT, ranges::contiguous_range FromR>
requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
ToT Botan::typecast_copy ( FromR && src)
inlineconstexprnoexcept

Create a trivial type by bit-casting a range of trivially copyable type with matching length into it.

Definition at line 215 of file mem_ops.h.

215 {
216 ToT dst;
217 typecast_copy(dst, src);
218 return dst;
219}

References typecast_copy().

◆ typecast_copy() [3/9]

template<typename T>
requires std::is_trivial<typename std::decay<T>::type>::value
void Botan::typecast_copy ( T & out,
const uint8_t in[] )
inlineconstexpr

Definition at line 249 of file mem_ops.h.

249 {
250 // asserts that *in points to the correct amount of memory
251 typecast_copy(out, std::span<const uint8_t, sizeof(T)>(in, sizeof(T)));
252}

References typecast_copy().

◆ typecast_copy() [4/9]

template<typename T>
requires std::is_trivial<T>::value
void Botan::typecast_copy ( T out[],
const uint8_t in[],
size_t N )
inlineconstexpr

Definition at line 232 of file mem_ops.h.

234{
235 // asserts that *in and *out point to the correct amount of memory
236 typecast_copy(std::span<T>(out, N), std::span<const uint8_t>(in, N * sizeof(T)));
237}

References typecast_copy().

◆ typecast_copy() [5/9]

template<ranges::contiguous_output_range ToR, typename FromT>
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
void Botan::typecast_copy ( ToR && out,
const FromT & in )
inlineconstexpr

Copy an instance of trivially copyable type into a range of trivially copyable type with matching length.

Definition at line 204 of file mem_ops.h.

204 {
205 typecast_copy(out, std::span<const FromT, 1>(&in, 1));
206}

References typecast_copy().

◆ typecast_copy() [6/9]

template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
void Botan::typecast_copy ( ToR && out,
FromR && in )
inlineconstexpr

◆ typecast_copy() [7/9]

template<typename ToT, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
void Botan::typecast_copy ( ToT & out,
FromR && in )
inlineconstexprnoexcept

Copy a range of trivially copyable type into an instance of trivially copyable type with matching length.

Definition at line 193 of file mem_ops.h.

193 {
194 typecast_copy(std::span<ToT, 1>(&out, 1), in);
195}

References typecast_copy().

◆ typecast_copy() [8/9]

template<typename T>
void Botan::typecast_copy ( uint8_t out[],
const T & in )
inlineconstexpr

Definition at line 241 of file mem_ops.h.

241 {
242 // asserts that *out points to the correct amount of memory
243 typecast_copy(std::span<uint8_t, sizeof(T)>(out, sizeof(T)), in);
244}

References typecast_copy().

◆ typecast_copy() [9/9]

template<typename T>
requires std::is_trivially_copyable<T>::value
void Botan::typecast_copy ( uint8_t out[],
T in[],
size_t N )
inlineconstexpr

Definition at line 223 of file mem_ops.h.

225{
226 // asserts that *in and *out point to the correct amount of memory
227 typecast_copy(std::span<uint8_t>(out, sizeof(T) * N), std::span<const T>(in, N));
228}

References typecast_copy().

◆ ucs2_to_utf8()

BOTAN_TEST_API std::string Botan::ucs2_to_utf8 ( const uint8_t ucs2[],
size_t len )

Convert a sequence of UCS-2 (big endian) characters to a UTF-8 string This is used for ASN.1 BMPString type

Parameters
ucs2the sequence of UCS-2 characters
lenlength of ucs2 in bytes, must be a multiple of 2

Definition at line 54 of file charset.cpp.

54 {
55 if(len % 2 != 0) {
56 throw Decoding_Error("Invalid length for UCS-2 string");
57 }
58
59 const size_t chars = len / 2;
60
61 std::string s;
62 for(size_t i = 0; i != chars; ++i) {
63 const uint32_t c = load_be<uint16_t>(ucs2, i);
64 append_utf8_for(s, c);
65 }
66
67 return s;
68}

References load_be().

Referenced by Botan::ASN1_String::decode_from().

◆ ucs4_to_utf8()

BOTAN_TEST_API std::string Botan::ucs4_to_utf8 ( const uint8_t ucs4[],
size_t len )

Convert a sequence of UCS-4 (big endian) characters to a UTF-8 string This is used for ASN.1 UniversalString type

Parameters
ucs4the sequence of UCS-4 characters
lenlength of ucs4 in bytes, must be a multiple of 4

Definition at line 70 of file charset.cpp.

70 {
71 if(len % 4 != 0) {
72 throw Decoding_Error("Invalid length for UCS-4 string");
73 }
74
75 const size_t chars = len / 4;
76
77 std::string s;
78 for(size_t i = 0; i != chars; ++i) {
79 const uint32_t c = load_be<uint32_t>(ucs4, i);
80 append_utf8_for(s, c);
81 }
82
83 return s;
84}

References load_be().

Referenced by Botan::ASN1_String::decode_from().

◆ unlock()

template<typename T>
std::vector< T > Botan::unlock ( const secure_vector< T > & in)

◆ unsafe_for_production_build()

bool Botan::unsafe_for_production_build ( )

Certain build-time options, used for testing, result in a binary which is not safe for use in a production system. This function can be used to test for such a configuration at runtime.

Currently these unsafe conditions include:

  • Unsafe fuzzer mode (–unsafe-fuzzer-mode) which intentionally disables various checks in order to improve the effectiveness of fuzzing.
  • Terminate on asserts (–unsafe-terminate-on-asserts) which intentionally aborts if any internal assertion failure occurs, rather than throwing an exception.

Definition at line 67 of file version.cpp.

67 {
68#if defined(BOTAN_UNSAFE_FUZZER_MODE) || defined(BOTAN_TERMINATE_ON_ASSERTS)
69 return true;
70#else
71 return false;
72#endif
73}

◆ unwrap_strong_type()

template<typename T>
decltype(auto) Botan::unwrap_strong_type ( T && t)
nodiscardconstexpr

Generically unwraps a strong type to its underlying type.

If the provided type is not a strong type, it is returned as is.

Note
This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary get() method if you know that you are dealing with a strong type.
Parameters
tvalue to be unwrapped
Returns
the unwrapped value

Definition at line 223 of file strong_type.h.

223 {
225 // If the parameter type isn't a strong type, return it as is.
226 return std::forward<T>(t);
227 } else {
228 // Unwrap the strong type and return the underlying value.
229 return std::forward<T>(t).get();
230 }
231}

Referenced by checked_cast_to_or_throw(), Botan::detail::concatenate(), Botan::bitvector_base< secure_allocator >::ct_conditional_xor(), Botan::bitvector_base< secure_allocator >::equals_vartime(), Botan::bitvector_base< secure_allocator >::operator&=(), Botan::bitvector_base< secure_allocator >::operator^=(), Botan::bitvector_base< secure_allocator >::operator|=(), Botan::bitvector_base< secure_allocator >::subvector(), Botan::bitvector_base< secure_allocator >::subvector_replace(), and Botan::detail::unwrap_strong_type_or_enum().

◆ value_exists()

◆ var_ctz32()

size_t Botan::var_ctz32 ( uint32_t n)
inlineconstexpr

Definition at line 175 of file bit_ops.h.

175 {
176#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_ctz)
177 if(n == 0) {
178 return 32;
179 }
180 return __builtin_ctz(n);
181#else
182 return ctz<uint32_t>(n);
183#endif
184}

References ctz().

◆ varpoint_exec()

template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint Botan::varpoint_exec ( const AffinePointTable< C > & table,
const BlindedScalar & scalar,
RandomNumberGenerator & rng )

Definition at line 236 of file pcurves_mul.h.

238 {
239 const size_t windows = (scalar.bits() + WindowBits - 1) / WindowBits;
240
241 auto accum = [&]() {
242 const size_t w_0 = scalar.get_window((windows - 1) * WindowBits);
243 auto pt = C::ProjectivePoint::from_affine(table.ct_select(w_0));
244 CT::poison(pt);
245 pt.randomize_rep(rng);
246 return pt;
247 }();
248
249 for(size_t i = 1; i != windows; ++i) {
250 accum = accum.dbl_n(WindowBits);
251 auto w_i = scalar.get_window((windows - i - 1) * WindowBits);
252
253 /*
254 This point addition cannot be a doubling (except once)
255
256 Consider the sequence of points that are operated on, and specifically
257 their discrete logarithms. We start out at the point at infinity
258 (dlog 0) and then add the initial window which is precisely P*w_0
259
260 We then perform WindowBits doublings, so accum's dlog at the point
261 of the addition in the first iteration of the loop (when i == 1) is
262 at least 2^W * w_0.
263
264 Since we know w_0 > 0, then in every iteration of the loop, accums
265 dlog will always be greater than the dlog of the table element we
266 just looked up (something between 0 and 2^W-1), and thus the
267 addition into accum cannot be a doubling.
268
269 However due to blinding this argument fails, since we perform
270 multiplications using a scalar that is larger than the group
271 order. In this case it's possible that the dlog of accum becomes
272 `order + x` (or, effectively, `x`) and `x` is smaller than 2^W.
273 In this case, a doubling may occur. Future iterations of the loop
274 cannot be doublings by the same argument above. Since the blinding
275 factor is always less than the group order (substantially so),
276 it is not possible for the dlog of accum to overflow a second time.
277 */
278
279 accum += table.ct_select(w_i);
280
281 if(i <= 3) {
282 accum.randomize_rep(rng);
283 }
284 }
285
286 CT::unpoison(accum);
287 return accum;
288}

References Botan::AffinePointTable< C, R >::ct_select(), Botan::CT::poison(), and Botan::CT::unpoison().

◆ varpoint_setup()

template<typename C, size_t TableSize>
AffinePointTable< C > Botan::varpoint_setup ( const typename C::AffinePoint & p)

Definition at line 217 of file pcurves_mul.h.

217 {
218 static_assert(TableSize > 2);
219
220 std::vector<typename C::ProjectivePoint> table;
221 table.reserve(TableSize);
222 table.push_back(C::ProjectivePoint::from_affine(p));
223
224 for(size_t i = 1; i != TableSize; ++i) {
225 if(i % 2 == 1) {
226 table.push_back(table[i / 2].dbl());
227 } else {
228 table.push_back(table[i - 1] + p);
229 }
230 }
231
232 return AffinePointTable<C>(table);
233}

◆ vartime_divide()

BOTAN_TEST_API void Botan::vartime_divide ( const BigInt & x,
const BigInt & y,
BigInt & q,
BigInt & r )

BigInt Division

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 230 of file divide.cpp.

230 {
231 if(y_arg.is_zero()) {
232 throw Invalid_Argument("vartime_divide: cannot divide by zero");
233 }
234
235 const size_t y_words = y_arg.sig_words();
236
237 BOTAN_ASSERT_NOMSG(y_words > 0);
238
239 BigInt y = y_arg;
240
241 BigInt r = x;
242 BigInt q = BigInt::zero();
244
245 r.set_sign(BigInt::Positive);
246 y.set_sign(BigInt::Positive);
247
248 // Calculate shifts needed to normalize y with high bit set
249 const size_t shifts = y.top_bits_free();
250
251 if(shifts > 0) {
252 y <<= shifts;
253 r <<= shifts;
254 }
255
256 // we know y has not changed size, since we only shifted up to set high bit
257 const size_t t = y_words - 1;
258 const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however
259
260 BOTAN_ASSERT_NOMSG(n >= t);
261
262 q.grow_to(n - t + 1);
263
264 word* q_words = q.mutable_data();
265
266 BigInt shifted_y = y << (WordInfo<word>::bits * (n - t));
267
268 // Set q_{n-t} to number of times r > shifted_y
269 q_words[n - t] = r.reduce_below(shifted_y, ws);
270
271 const word y_t0 = y.word_at(t);
272 const word y_t1 = y.word_at(t - 1);
273 BOTAN_DEBUG_ASSERT((y_t0 >> (WordInfo<word>::bits - 1)) == 1);
274
275 for(size_t j = n; j != t; --j) {
276 const word x_j0 = r.word_at(j);
277 const word x_j1 = r.word_at(j - 1);
278 const word x_j2 = r.word_at(j - 2);
279
280 word qjt = (x_j0 == y_t0) ? WordInfo<word>::max : bigint_divop_vartime(x_j0, x_j1, y_t0);
281
282 // Per HAC 14.23, this operation is required at most twice
283 for(size_t k = 0; k != 2; ++k) {
284 if(division_check_vartime(qjt, y_t0, y_t1, x_j0, x_j1, x_j2)) {
285 qjt--;
286 } else {
287 break;
288 }
289 }
290
291 shifted_y >>= WordInfo<word>::bits;
292 // Now shifted_y == y << (WordInfo<word>::bits * (j-t-1))
293
294 // TODO this sequence could be better
295 r -= qjt * shifted_y;
296 if(r.is_negative()) {
297 qjt--;
298 r += shifted_y;
299 BOTAN_DEBUG_ASSERT(r.is_positive());
300 }
301
302 q_words[j - t - 1] = qjt;
303 }
304
305 if(shifts > 0) {
306 r >>= shifts;
307 }
308
309 sign_fixup(x, y_arg, q, r);
310
311 r_out = r;
312 q_out = q;
313}
size_t reduce_below(const BigInt &mod, secure_vector< word > &ws)
Definition bigint.cpp:332

References bigint_divop_vartime(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::grow_to(), Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::reduce_below(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::top_bits_free(), Botan::BigInt::word_at(), and Botan::BigInt::zero().

Referenced by botan_mp_div(), operator%(), and operator/().

◆ verify_signature()

bool Botan::verify_signature ( std::span< const uint8_t, ED448_LEN > pk,
bool phflag,
std::span< const uint8_t > context,
std::span< const uint8_t > sig,
std::span< const uint8_t > msg )

Verify a signature(RFC 8032 5.2.7)

Parameters
pkthe public key
phflagthe prehash flag (true iff using Ed448ph)
contextthe context string
sigthe signature
msgthe message to verify
Exceptions
Decoding_Errorif the public key or signature is malformed
Returns
true if the signature is valid

Definition at line 283 of file ed448_internal.cpp.

287 {
288 // RFC 8032 5.2.7. Verify
289 // 1. To verify a signature on a message M using context C and public
290 // key A, with F being 0 for Ed448 and 1 for Ed448ph, first split
291 // the signature into two 57-octet halves. Decode the first half as
292 // a point R, and the second half as an integer S, in the range 0 <=
293 // s < L. Decode the public key A as point A’. If any of the
294 // decodings fail (including S being out of range), the signature is
295 // invalid.
296 if(sig.size() != 2 * ED448_LEN) {
297 // Wrong signature size
298 throw Decoding_Error("Ed448 signature has wrong size");
299 }
300 const auto [big_r_bytes, big_s_bytes] = split(sig.first<2 * ED448_LEN>());
301 const auto big_r = Ed448Point::decode(big_r_bytes);
302 if(!Scalar448::bytes_are_reduced(big_s_bytes)) {
303 // S not in range 0 <= s < L
304 throw Decoding_Error("Ed448 signature has invalid S");
305 }
306 const Scalar448 big_s(big_s_bytes);
307 // 2. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and
308 // interpret the 114-octet digest as a little-endian integer k.
309 const Scalar448 k(shake(phflag, context, big_r_bytes, pk, msg));
310 // 3. Check the group equation [4][S]B = [4]R + [4][k]A’. It’s
311 // sufficient, but not required, to instead check [S]B = R + [k]A’.
312 return (big_s * Ed448Point::base_point()) == (big_r + k * Ed448Point::decode(pk));
313}
static Ed448Point decode(std::span< const uint8_t, ED448_LEN > enc)
Decode a point from its 57-byte encoding (RFC 8032 5.2.3)
static bool bytes_are_reduced(std::span< const uint8_t > x)

References Botan::Ed448Point::base_point(), Botan::Scalar448::bytes_are_reduced(), Botan::Ed448Point::decode(), and ED448_LEN.

Referenced by Botan::Roughtime::Response::from_bits().

◆ version_cstr()

const char * Botan::version_cstr ( )

Same as version_string() except returning a pointer to a statically allocated string.

Returns
version string

Definition at line 20 of file version.cpp.

20 {
21 return BOTAN_FULL_VERSION_STRING;
22}

Referenced by botan_version_string(), and version_string().

◆ version_datestamp()

uint32_t Botan::version_datestamp ( )

Return the date this version of botan was released, in an integer of the form YYYYMMDD. For instance a version released on May 21, 2013 would return the integer 20130521. If the currently running version is not an official release, this function will return 0 instead.

Returns
release date, or zero if unreleased

Definition at line 32 of file version.cpp.

32 {
34}
#define BOTAN_VERSION_DATESTAMP
Definition build.h:43

References BOTAN_VERSION_DATESTAMP.

Referenced by botan_version_datestamp().

◆ version_distribution_info()

std::optional< std::string > Botan::version_distribution_info ( )

Return any string that is set at build time using the --distribution-info option. It allows a packager of the library to specify any distribution-specific patches. If no value is given at build time, returns nullopt.

Returns
distribution info

Definition at line 44 of file version.cpp.

44 {
45#if defined(BOTAN_DISTRIBUTION_INFO_STRING)
46 return std::string(BOTAN_DISTRIBUTION_INFO_STRING);
47#else
48 return std::nullopt;
49#endif
50}

◆ version_major()

uint32_t Botan::version_major ( )

Get the major version number.

Returns
major version number

Definition at line 55 of file version.cpp.

55 {
57}

References BOTAN_VERSION_MAJOR.

Referenced by botan_version_major(), and runtime_version_check().

◆ version_minor()

uint32_t Botan::version_minor ( )

Get the minor version number.

Returns
minor version number

Definition at line 59 of file version.cpp.

59 {
61}

References BOTAN_VERSION_MINOR.

Referenced by botan_version_minor(), and runtime_version_check().

◆ version_patch()

uint32_t Botan::version_patch ( )

Get the patch number.

Returns
patch number

Definition at line 63 of file version.cpp.

63 {
65}

References BOTAN_VERSION_PATCH.

Referenced by botan_version_patch(), and runtime_version_check().

◆ version_string()

std::string Botan::version_string ( )

Get a human-readable single-line string identifying the version of Botan. No particular format should be assumed.

Returns
version string

Definition at line 24 of file version.cpp.

24 {
25 return std::string(version_cstr());
26}
const char * version_cstr()
Definition version.cpp:20

References version_cstr().

◆ version_vc_revision()

std::optional< std::string > Botan::version_vc_revision ( )

Returns a string that is set to a revision identifier corresponding to the source, or nullopt if this could not be determined. It is set for all official releases, and for builds that originated from within a git checkout.

Returns
VC revision

Definition at line 36 of file version.cpp.

36 {
37#if defined(BOTAN_VC_REVISION)
38 return std::string(BOTAN_VC_REVISION);
39#else
40 return std::nullopt;
41#endif
42}

◆ word8_add2()

template<WordType W>
auto Botan::word8_add2 ( W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 226 of file mp_asmi.h.

226 {
227#if defined(BOTAN_MP_USE_X86_64_ASM)
228 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
229 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq"))
230 : [carry] "=r"(carry)
231 : [x] "r"(x), [y] "r"(y), "0"(carry)
232 : "cc", "memory");
233 return carry;
234 }
235#endif
236
237 x[0] = word_add(x[0], y[0], &carry);
238 x[1] = word_add(x[1], y[1], &carry);
239 x[2] = word_add(x[2], y[2], &carry);
240 x[3] = word_add(x[3], y[3], &carry);
241 x[4] = word_add(x[4], y[4], &carry);
242 x[5] = word_add(x[5], y[5], &carry);
243 x[6] = word_add(x[6], y[6], &carry);
244 x[7] = word_add(x[7], y[7], &carry);
245 return carry;
246}

References carry(), and word_add().

Referenced by bigint_add2_nc().

◆ word8_add3()

template<WordType W>
auto Botan::word8_add3 ( W z[8],
const W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 252 of file mp_asmi.h.

252 {
253#if defined(BOTAN_MP_USE_X86_64_ASM)
254 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
255 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq"))
256 : [carry] "=r"(carry)
257 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
258 : "cc", "memory");
259 return carry;
260 }
261#endif
262
263 z[0] = word_add(x[0], y[0], &carry);
264 z[1] = word_add(x[1], y[1], &carry);
265 z[2] = word_add(x[2], y[2], &carry);
266 z[3] = word_add(x[3], y[3], &carry);
267 z[4] = word_add(x[4], y[4], &carry);
268 z[5] = word_add(x[5], y[5], &carry);
269 z[6] = word_add(x[6], y[6], &carry);
270 z[7] = word_add(x[7], y[7], &carry);
271 return carry;
272}

References carry(), and word_add().

Referenced by bigint_add3_nc(), bigint_cnd_add_or_sub(), and bigint_cnd_addsub().

◆ word8_linmul2()

template<WordType W>
auto Botan::word8_linmul2 ( W x[8],
W y,
W carry ) -> W
inlineconstexpr

Definition at line 381 of file mp_asmi.h.

381 {
382#if defined(BOTAN_MP_USE_X86_64_ASM)
383 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
384 asm(DO_8_TIMES(LINMUL_OP, "x")
385 : [carry] "=r"(carry)
386 : [x] "r"(x), [y] "rm"(y), "0"(carry)
387 : "cc", "%rax", "%rdx");
388 return carry;
389 }
390#endif
391
392 x[0] = word_madd2(x[0], y, &carry);
393 x[1] = word_madd2(x[1], y, &carry);
394 x[2] = word_madd2(x[2], y, &carry);
395 x[3] = word_madd2(x[3], y, &carry);
396 x[4] = word_madd2(x[4], y, &carry);
397 x[5] = word_madd2(x[5], y, &carry);
398 x[6] = word_madd2(x[6], y, &carry);
399 x[7] = word_madd2(x[7], y, &carry);
400 return carry;
401}

References carry(), and word_madd2().

Referenced by bigint_linmul2().

◆ word8_linmul3()

template<WordType W>
auto Botan::word8_linmul3 ( W z[8],
const W x[8],
W y,
W carry ) -> W
inlineconstexpr

Definition at line 407 of file mp_asmi.h.

407 {
408#if defined(BOTAN_MP_USE_X86_64_ASM)
409 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
410 asm(DO_8_TIMES(LINMUL_OP, "z")
411 : [carry] "=r"(carry)
412 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
413 : "cc", "%rax", "%rdx");
414 return carry;
415 }
416#endif
417
418 z[0] = word_madd2(x[0], y, &carry);
419 z[1] = word_madd2(x[1], y, &carry);
420 z[2] = word_madd2(x[2], y, &carry);
421 z[3] = word_madd2(x[3], y, &carry);
422 z[4] = word_madd2(x[4], y, &carry);
423 z[5] = word_madd2(x[5], y, &carry);
424 z[6] = word_madd2(x[6], y, &carry);
425 z[7] = word_madd2(x[7], y, &carry);
426 return carry;
427}

References carry(), and word_madd2().

Referenced by bigint_linmul3().

◆ word8_madd3()

template<WordType W>
auto Botan::word8_madd3 ( W z[8],
const W x[8],
W y,
W carry ) -> W
inlineconstexpr

Definition at line 433 of file mp_asmi.h.

433 {
434#if defined(BOTAN_MP_USE_X86_64_ASM)
435 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
436 asm(DO_8_TIMES(MULADD_OP, "")
437 : [carry] "=r"(carry)
438 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
439 : "cc", "%rax", "%rdx");
440 return carry;
441 }
442#endif
443
444 z[0] = word_madd3(x[0], y, z[0], &carry);
445 z[1] = word_madd3(x[1], y, z[1], &carry);
446 z[2] = word_madd3(x[2], y, z[2], &carry);
447 z[3] = word_madd3(x[3], y, z[3], &carry);
448 z[4] = word_madd3(x[4], y, z[4], &carry);
449 z[5] = word_madd3(x[5], y, z[5], &carry);
450 z[6] = word_madd3(x[6], y, z[6], &carry);
451 z[7] = word_madd3(x[7], y, z[7], &carry);
452 return carry;
453}

References carry(), and word_madd3().

Referenced by basecase_mul(), and basecase_sqr().

◆ word8_sub2()

template<WordType W>
auto Botan::word8_sub2 ( W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 303 of file mp_asmi.h.

303 {
304#if defined(BOTAN_MP_USE_X86_64_ASM)
305 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
306 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq"))
307 : [carry] "=r"(carry)
308 : [x] "r"(x), [y] "r"(y), "0"(carry)
309 : "cc", "memory");
310 return carry;
311 }
312#endif
313
314 x[0] = word_sub(x[0], y[0], &carry);
315 x[1] = word_sub(x[1], y[1], &carry);
316 x[2] = word_sub(x[2], y[2], &carry);
317 x[3] = word_sub(x[3], y[3], &carry);
318 x[4] = word_sub(x[4], y[4], &carry);
319 x[5] = word_sub(x[5], y[5], &carry);
320 x[6] = word_sub(x[6], y[6], &carry);
321 x[7] = word_sub(x[7], y[7], &carry);
322 return carry;
323}

References carry(), and word_sub().

Referenced by bigint_sub2().

◆ word8_sub2_rev()

template<WordType W>
auto Botan::word8_sub2_rev ( W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 329 of file mp_asmi.h.

329 {
330#if defined(BOTAN_MP_USE_X86_64_ASM)
331 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
332 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
333 : [carry] "=r"(carry)
334 : [x] "r"(y), [y] "r"(x), [z] "r"(x), "0"(carry)
335 : "cc", "memory");
336 return carry;
337 }
338#endif
339
340 x[0] = word_sub(y[0], x[0], &carry);
341 x[1] = word_sub(y[1], x[1], &carry);
342 x[2] = word_sub(y[2], x[2], &carry);
343 x[3] = word_sub(y[3], x[3], &carry);
344 x[4] = word_sub(y[4], x[4], &carry);
345 x[5] = word_sub(y[5], x[5], &carry);
346 x[6] = word_sub(y[6], x[6], &carry);
347 x[7] = word_sub(y[7], x[7], &carry);
348 return carry;
349}

References carry(), and word_sub().

Referenced by bigint_sub2_rev().

◆ word8_sub3()

template<WordType W>
auto Botan::word8_sub3 ( W z[8],
const W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 355 of file mp_asmi.h.

355 {
356#if defined(BOTAN_MP_USE_X86_64_ASM)
357 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
358 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
359 : [carry] "=r"(carry)
360 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
361 : "cc", "memory");
362 return carry;
363 }
364#endif
365
366 z[0] = word_sub(x[0], y[0], &carry);
367 z[1] = word_sub(x[1], y[1], &carry);
368 z[2] = word_sub(x[2], y[2], &carry);
369 z[3] = word_sub(x[3], y[3], &carry);
370 z[4] = word_sub(x[4], y[4], &carry);
371 z[5] = word_sub(x[5], y[5], &carry);
372 z[6] = word_sub(x[6], y[6], &carry);
373 z[7] = word_sub(x[7], y[7], &carry);
374 return carry;
375}

References carry(), and word_sub().

Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_monty_maybe_sub(), bigint_sub3(), and bigint_sub_abs().

◆ word_add()

template<WordType W>
auto Botan::word_add ( W x,
W y,
W * carry ) -> W
inlineconstexpr

Definition at line 189 of file mp_asmi.h.

189 {
190#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_addc)
191 if(!std::is_constant_evaluated()) {
192 if constexpr(std::same_as<W, unsigned int>) {
193 return __builtin_addc(x, y, *carry & 1, carry);
194 } else if constexpr(std::same_as<W, unsigned long>) {
195 return __builtin_addcl(x, y, *carry & 1, carry);
196 } else if constexpr(std::same_as<W, unsigned long long>) {
197 return __builtin_addcll(x, y, *carry & 1, carry);
198 }
199 }
200#endif
201
202 if constexpr(WordInfo<W>::dword_is_native && use_dword_for_word_add) {
203 /*
204 TODO(Botan4) this is largely a performance hack for GCCs that don't
205 support __builtin_addc, if we increase the minimum supported version of
206 GCC to GCC 14 then we can remove this and not worry about it
207 */
208 const W cb = *carry & 1;
209 const auto s = typename WordInfo<W>::dword(x) + y + cb;
210 *carry = static_cast<W>(s >> WordInfo<W>::bits);
211 return static_cast<W>(s);
212 } else {
213 const W cb = *carry & 1;
214 W z = x + y;
215 W c1 = (z < x);
216 z += cb;
217 *carry = c1 | (z < cb);
218 return z;
219 }
220}

References carry().

Referenced by Botan::word3< W >::add(), bigint_add2_nc(), bigint_add3_nc(), bigint_cnd_abs(), bigint_cnd_add(), bigint_cnd_add_or_sub(), bigint_cnd_addsub(), Botan::word3< W >::mul_x2(), word8_add2(), and word8_add3().

◆ word_madd2()

template<WordType W>
auto Botan::word_madd2 ( W a,
W b,
W * c ) -> W
inlineconstexpr

Definition at line 84 of file mp_asmi.h.

84 {
85#if defined(BOTAN_MP_USE_X86_64_ASM)
86 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
87 asm(R"(
88 mulq %[b]
89 addq %[c],%[a]
90 adcq $0,%[carry]
91 )"
92 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*c)
93 : "0"(a), "1"(b), [c] "g"(*c)
94 : "cc");
95
96 return a;
97 }
98#endif
99
100 typedef typename WordInfo<W>::dword dword;
101 const dword s = dword(a) * b + *c;
102 *c = static_cast<W>(s >> WordInfo<W>::bits);
103 return static_cast<W>(s);
104}

References carry().

Referenced by bigint_linmul2(), bigint_linmul3(), bigint_modop_vartime(), Botan::word3< W >::mul_x2(), redc_crandall(), word8_linmul2(), and word8_linmul3().

◆ word_madd3()

template<WordType W>
auto Botan::word_madd3 ( W a,
W b,
W c,
W * d ) -> W
inlineconstexpr

Definition at line 110 of file mp_asmi.h.

110 {
111#if defined(BOTAN_MP_USE_X86_64_ASM)
112 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
113 asm(R"(
114 mulq %[b]
115
116 addq %[c],%[a]
117 adcq $0,%[carry]
118
119 addq %[d],%[a]
120 adcq $0,%[carry]
121 )"
122 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*d)
123 : "0"(a), "1"(b), [c] "g"(c), [d] "g"(*d)
124 : "cc");
125
126 return a;
127 }
128#endif
129
130 typedef typename WordInfo<W>::dword dword;
131 const dword s = dword(a) * b + c + *d;
132 *d = static_cast<W>(s >> WordInfo<W>::bits);
133 return static_cast<W>(s);
134}

References carry().

Referenced by basecase_mul(), basecase_sqr(), redc_crandall(), and word8_madd3().

◆ word_sub()

template<WordType W>
auto Botan::word_sub ( W x,
W y,
W * carry ) -> W
inlineconstexpr

Definition at line 278 of file mp_asmi.h.

278 {
279#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_subc)
280 if(!std::is_constant_evaluated()) {
281 if constexpr(std::same_as<W, unsigned int>) {
282 return __builtin_subc(x, y, *carry & 1, carry);
283 } else if constexpr(std::same_as<W, unsigned long>) {
284 return __builtin_subcl(x, y, *carry & 1, carry);
285 } else if constexpr(std::same_as<W, unsigned long long>) {
286 return __builtin_subcll(x, y, *carry & 1, carry);
287 }
288 }
289#endif
290
291 const W cb = *carry & 1;
292 W t0 = x - y;
293 W c1 = (t0 > x);
294 W z = t0 - cb;
295 *carry = c1 | (z > t0);
296 return z;
297}

References carry().

Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_monty_maybe_sub(), bigint_monty_maybe_sub(), bigint_sub2(), bigint_sub2_rev(), bigint_sub3(), bigint_sub_abs(), redc_crandall(), word8_sub2(), word8_sub2_rev(), and word8_sub3().

◆ words_for_bits()

size_t Botan::words_for_bits ( size_t x)
constexpr

Definition at line 18 of file curve448_scalar.h.

18 {
19 constexpr size_t word_bits = sizeof(word) * 8;
20 return (x + word_bits - 1) / word_bits;
21}

◆ wots_public_key_from_signature()

BOTAN_TEST_API WotsPublicKey Botan::wots_public_key_from_signature ( const SphincsTreeNode & hashed_message,
StrongSpan< const WotsSignature > signature,
Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 8: wots_pkFromSig.

Reconstructs the WOTS public key from a given WOTS signature and message. This is tailored for the use case in the SLH-DSA implementation and is not meant for general usability in non SLH-DSA algorithms.

Definition at line 103 of file sp_wots.cpp.

107 {
108 const std::vector<WotsHashIndex> lengths = chain_lengths(hashed_message, params);
109 WotsPublicKey pk_buffer(params.wots_len() * params.n());
110 BufferSlicer sig(signature);
111 BufferStuffer pk(pk_buffer);
112
113 for(WotsChainIndex i(0); i < params.wots_len(); i++) {
114 address.set_chain_address(i);
115
116 // params.w() can be one of {4, 8, 256}
117 const WotsHashIndex start_index = lengths[i.get()];
118 const uint8_t steps_to_take = static_cast<uint8_t>(params.w() - 1) - start_index.get();
119
120 chain(pk.next<WotsPublicKeyNode>(params.n()),
121 sig.take<WotsNode>(params.n()),
122 start_index,
123 steps_to_take,
124 address,
125 hashes,
126 params);
127 }
128
129 return pk_buffer;
130}
Sphincs_Address & set_chain_address(WotsChainIndex chain)
Definition sp_address.h:84
uint32_t wots_len() const
Strong< uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber > WotsHashIndex
Index of a hash application inside a single WOTS chain (integers in "base_w")
Definition sp_types.h:98
Strong< secure_vector< uint8_t >, struct WotsNode_ > WotsNode
Start (or intermediate) node of a WOTS+ chain.
Definition sp_types.h:79
Strong< std::vector< uint8_t >, struct WotsPublicKey_ > WotsPublicKey
Definition sp_types.h:73
Strong< uint32_t, struct WotsChainIndex_ > WotsChainIndex
Index of a WOTS chain within a single usage of WOTS.
Definition sp_types.h:95
Strong< std::vector< uint8_t >, struct WotsPublicKeyNode_ > WotsPublicKeyNode
End node of a WOTS+ chain (part of the WOTS+ public key)
Definition sp_types.h:76
std::vector< WotsHashIndex > chain_lengths(const SphincsTreeNode &msg, const Sphincs_Parameters &params)
Definition sp_wots.cpp:91

References chain_lengths(), Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_chain_address(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::w(), and Botan::Sphincs_Parameters::wots_len().

Referenced by ht_verify().

◆ wots_sign_and_pkgen()

BOTAN_TEST_API void Botan::wots_sign_and_pkgen ( StrongSpan< WotsSignature > sig_out,
StrongSpan< SphincsTreeNode > leaf_out,
const SphincsSecretSeed & secret_seed,
TreeNodeIndex leaf_idx,
std::optional< TreeNodeIndex > sign_leaf_idx,
const std::vector< WotsHashIndex > & wots_steps,
Sphincs_Address & leaf_addr,
Sphincs_Address & pk_addr,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.

Implements a domain specific wrapper for the one-time signature scheme WOTS+ (Winternitz OTS). It is meant to be used inside SLH-DSA and does not aim to be applicable for other use cases. If this function is not used in a signing operation (i.e. sign_leaf_idx is not set), wots_steps may be empty.

Definition at line 132 of file sp_wots.cpp.

141 {
142 // `wots_steps` are needed only if `sign_leaf_idx` is set
143 BOTAN_ASSERT_NOMSG(!sign_leaf_idx.has_value() || wots_steps.size() == params.wots_len());
145
146 secure_vector<uint8_t> wots_sig;
147 WotsPublicKey wots_pk_buffer(params.wots_bytes());
148
149 BufferStuffer wots_pk(wots_pk_buffer);
150 BufferStuffer sig(sig_out);
151
152 leaf_addr.set_keypair_address(leaf_idx);
153 pk_addr.set_keypair_address(leaf_idx);
154
155 for(WotsChainIndex i(0); i < params.wots_len(); i++) {
156 // If the current leaf is part of the signature wots_k stores the chain index
157 // of the value neccessary for the signature. Otherwise: nullopt (no signature)
158 const auto wots_k = [&]() -> std::optional<WotsHashIndex> {
159 if(sign_leaf_idx.has_value() && leaf_idx == sign_leaf_idx.value()) {
160 return wots_steps[i.get()];
161 } else {
162 return std::nullopt;
163 }
164 }();
165
166 // Start with the secret seed
167 leaf_addr.set_chain_address(i);
168 leaf_addr.set_hash_address(WotsHashIndex(0));
170
171 auto buffer_s = wots_pk.next<WotsNode>(params.n());
172
173 hashes.PRF(buffer_s, secret_seed, leaf_addr);
174
176
177 // Iterates down the WOTS chain
178 for(WotsHashIndex k(0);; k++) {
179 // Check if this is the value that needs to be saved as a part of the WOTS signature
180 if(wots_k.has_value() && k == wots_k.value()) {
181 std::copy(buffer_s.begin(), buffer_s.end(), sig.next<WotsNode>(params.n()).begin());
182 }
183
184 // Check if the top of the chain was hit
185 if(k == params.w() - 1) {
186 break;
187 }
188
189 // Iterate one step on the chain
190 leaf_addr.set_hash_address(k);
191
192 hashes.T(buffer_s, leaf_addr, buffer_s);
193 }
194 }
195
196 // Do the final thash to generate the public keys
197 hashes.T(leaf_out, pk_addr, wots_pk_buffer);
198}
Sphincs_Address_Type get_type() const
Definition sp_address.h:137
Sphincs_Address & set_hash_address(WotsHashIndex hash)
Definition sp_address.h:94
Sphincs_Address & set_keypair_address(TreeNodeIndex keypair)
Definition sp_address.h:79

References BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::get_type(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_chain_address(), Botan::Sphincs_Address::set_hash_address(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), Botan::Sphincs_Parameters::w(), Botan::Sphincs_Parameters::wots_bytes(), Botan::Sphincs_Parameters::wots_len(), WotsHash, WotsKeyGeneration, and WotsPublicKeyCompression.

Referenced by xmss_sign_and_pkgen().

◆ wrap_strong_type()

template<typename T, typename ParamT>
requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>)
decltype(auto) Botan::wrap_strong_type ( ParamT && t)
nodiscardconstexpr

Wraps a value into a caller-defined (strong) type.

If the provided object t is already of type T, it is returned as is.

Note
This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary constructor if you know that you are dealing with a bare value type.
Parameters
tvalue to be wrapped
Returns
the wrapped value

Definition at line 248 of file strong_type.h.

248 {
249 if constexpr(std::same_as<std::remove_cvref_t<ParamT>, T>) {
250 // Noop, if the parameter type already is the desired return type.
251 return std::forward<ParamT>(t);
252 } else if constexpr(std::constructible_from<T, ParamT>) {
253 // Implicit conversion from the parameter type to the return type.
254 return T{std::forward<ParamT>(t)};
255 } else {
256 // Explicitly calling the wrapped type's constructor to support
257 // implicit conversions on types that mark their constructors as explicit.
258 static_assert(concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>);
259 return T{typename T::wrapped_type{std::forward<ParamT>(t)}};
260 }
261}

Referenced by checked_cast_to_or_throw(), Botan::detail::load_any(), Botan::bitvector_base< secure_allocator >::subvector(), and Botan::detail::wrap_strong_type_or_enum().

◆ x448()

Point448 Botan::x448 ( const ScalarX448 & k,
const Point448 & u )

Multiply a scalar k with a point u.

Parameters
kscalar
upoint on curve
Returns
k * u

Definition at line 48 of file x448_internal.cpp.

48 {
49 const Gf448Elem a24 = 39081;
50
51 Gf448Elem x_1 = Gf448Elem(u.get());
52 Gf448Elem x_2 = 1;
53 Gf448Elem z_2 = 0;
54 Gf448Elem x_3 = Gf448Elem(u.get());
55 Gf448Elem z_3 = 1;
56 auto swap = CT::Mask<uint64_t>::cleared();
57
58 for(int16_t t = 448 - 1; t >= 0; --t) {
59 auto k_t = CT::Mask<uint64_t>::expand(get_bit(k, t));
60 swap ^= k_t;
61
62 x_2.ct_cond_swap(swap.as_bool(), x_3);
63 z_2.ct_cond_swap(swap.as_bool(), z_3);
64 swap = k_t;
65
66 const auto A = x_2 + z_2;
67 const auto AA = square(A);
68 const auto B = x_2 - z_2;
69 const auto BB = square(B);
70 const auto E = AA - BB;
71 const auto C = x_3 + z_3;
72 const auto D = x_3 - z_3;
73 const auto DA = D * A;
74 const auto CB = C * B;
75 x_3 = square(DA + CB);
76 z_3 = x_1 * square(DA - CB);
77 x_2 = AA * BB;
78 z_2 = E * (AA + a24 * E);
79 }
80
81 x_2.ct_cond_swap(swap.as_bool(), x_3);
82 z_2.ct_cond_swap(swap.as_bool(), z_3);
83
84 const auto res = x_2 / z_2;
85
86 return Point448(res.to_bytes());
87}
void ct_cond_swap(bool b, Gf448Elem &other)
Swap this and other if b == true. Constant time for any b.
BigInt square(const BigInt &x)
Definition numthry.cpp:157
Strong< std::array< uint8_t, X448_LEN >, struct Point448_ > Point448

References Botan::CT::Mask< T >::cleared(), Botan::Gf448Elem::ct_cond_swap(), Botan::CT::Mask< T >::expand(), Botan::detail::Strong_Base< T >::get(), and square().

Referenced by x448_basepoint().

◆ x448_basepoint()

Point448 Botan::x448_basepoint ( const ScalarX448 & k)

Multiply a scalar with the base group element (5)

Multiply a scalar with the standard group element (5)

Parameters
kscalar
Returns
encoded point

Definition at line 41 of file x448_internal.cpp.

41 {
42 const Point448 u({5});
43 return x448(k, u);
44}
Point448 x448(const ScalarX448 &k, const Point448 &u)
Multiply a scalar k with a point u.

References x448().

◆ x509_path_validate() [1/4]

Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > & end_certs,
const Path_Validation_Restrictions & restrictions,
const Certificate_Store & store,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certscertificate chain to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 956 of file x509path.cpp.

963 {
964 std::vector<Certificate_Store*> trusted_roots;
965 trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
966
967 return x509_path_validate(end_certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
968}
Path_Validation_Result x509_path_validate(const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Definition x509path.cpp:882

References x509_path_validate().

◆ x509_path_validate() [2/4]

Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > & end_certs,
const Path_Validation_Restrictions & restrictions,
const std::vector< Certificate_Store * > & trusted_roots,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certscertificate chain to validate (with end entity certificate in end_certs[0])
restrictionspath validation restrictions
trusted_rootslist of certificate stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation note: when enabled, OCSP check is softfail by default: if the OCSP server is not reachable, Path_Validation_Result::successful_validation() will return true. Hardfail OCSP check can be achieve by also calling Path_Validation_Result::no_warnings().

Definition at line 882 of file x509path.cpp.

889 {
890 if(end_certs.empty()) {
891 throw Invalid_Argument("x509_path_validate called with no subjects");
892 }
893
894 X509_Certificate end_entity = end_certs[0];
895 std::vector<X509_Certificate> end_entity_extra;
896 for(size_t i = 1; i < end_certs.size(); ++i) {
897 end_entity_extra.push_back(end_certs[i]);
898 }
899
900 std::vector<std::vector<X509_Certificate>> cert_paths;
901 Certificate_Status_Code path_building_result =
902 PKIX::build_all_certificate_paths(cert_paths, trusted_roots, end_entity, end_entity_extra);
903
904 // If we cannot successfully build a chain to a trusted self-signed root, stop now
905 if(path_building_result != Certificate_Status_Code::OK) {
906 return Path_Validation_Result(path_building_result);
907 }
908
909 std::vector<Path_Validation_Result> error_results;
910 // Try validating all the potentially valid paths and return the first one to validate properly
911 for(auto cert_path : cert_paths) {
912 CertificatePathStatusCodes status = PKIX::check_chain(cert_path, ref_time, hostname, usage, restrictions);
913
914 CertificatePathStatusCodes crl_status = PKIX::check_crl(cert_path, trusted_roots, ref_time);
915
916 CertificatePathStatusCodes ocsp_status;
917
918 if(!ocsp_resp.empty()) {
919 ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time, restrictions);
920 }
921
922 if(ocsp_status.empty() && ocsp_timeout != std::chrono::milliseconds(0)) {
923#if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
924 ocsp_status = PKIX::check_ocsp_online(cert_path, trusted_roots, ref_time, ocsp_timeout, restrictions);
925#else
926 ocsp_status.resize(1);
927 ocsp_status[0].insert(Certificate_Status_Code::OCSP_NO_HTTP);
928#endif
929 }
930
931 PKIX::merge_revocation_status(status, crl_status, ocsp_status, restrictions);
932
933 Path_Validation_Result pvd(status, std::move(cert_path));
934 if(pvd.successful_validation()) {
935 return pvd;
936 } else {
937 error_results.push_back(std::move(pvd));
938 }
939 }
940 return error_results[0];
941}
void merge_revocation_status(CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, const Path_Validation_Restrictions &restrictions)
Definition x509path.cpp:820
CertificatePathStatusCodes check_ocsp(const std::vector< X509_Certificate > &cert_path, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time, const Path_Validation_Restrictions &restrictions)
Definition x509path.cpp:307
Certificate_Status_Code build_all_certificate_paths(std::vector< std::vector< X509_Certificate > > &cert_paths, const std::vector< Certificate_Store * > &trusted_certstores, const std::optional< X509_Certificate > &end_entity, const std::vector< X509_Certificate > &end_entity_extra)
Definition x509path.cpp:696
CertificatePathStatusCodes check_chain(const std::vector< X509_Certificate > &cert_path, std::chrono::system_clock::time_point ref_time, std::string_view hostname, Usage_Type usage, const Path_Validation_Restrictions &restrictions)
Definition x509path.cpp:36
CertificatePathStatusCodes check_crl(const std::vector< X509_Certificate > &cert_path, const std::vector< std::optional< X509_CRL > > &crls, std::chrono::system_clock::time_point ref_time)
Definition x509path.cpp:362
std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
Definition x509path.h:29
Certificate_Status_Code
Definition pkix_enums.h:20

References Botan::PKIX::build_all_certificate_paths(), Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), Botan::PKIX::check_ocsp(), Botan::PKIX::merge_revocation_status(), OCSP_NO_HTTP, OK, and Botan::Path_Validation_Result::successful_validation().

Referenced by botan_x509_cert_verify(), botan_x509_cert_verify_with_crl(), Botan::TLS::Callbacks::tls_verify_cert_chain(), x509_path_validate(), x509_path_validate(), and x509_path_validate().

◆ x509_path_validate() [3/4]

Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate & end_cert,
const Path_Validation_Restrictions & restrictions,
const Certificate_Store & store,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 970 of file x509path.cpp.

977 {
978 std::vector<X509_Certificate> certs;
979 certs.push_back(end_cert);
980
981 std::vector<Certificate_Store*> trusted_roots;
982 trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
983
984 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
985}

References x509_path_validate().

◆ x509_path_validate() [4/4]

Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate & end_cert,
const Path_Validation_Restrictions & restrictions,
const std::vector< Certificate_Store * > & trusted_roots,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
trusted_rootslist of stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 943 of file x509path.cpp.

950 {
951 std::vector<X509_Certificate> certs;
952 certs.push_back(end_cert);
953 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
954}

References x509_path_validate().

◆ xmss_gen_root()

SphincsTreeNode Botan::xmss_gen_root ( const Sphincs_Parameters & params,
const SphincsSecretSeed & secret_seed,
Sphincs_Hash_Functions & hashes )

Compute the XMSS public key (root node) of the top-most subtree. Contains logic of FIPS 205, Algorithm 18: slh_keygen_internal

Definition at line 58 of file sp_xmss.cpp.

60 {
61 // We do not need the a sig/auth path in key generation, but it simplifies the
62 // code to have just one treehash routine that computes both root and path
63 // in one function.
64 SphincsXmssSignature dummy_sig(params.xmss_tree_height() * params.n() + params.wots_bytes());
65 SphincsTreeNode dummy_root(params.n());
66
69
70 top_tree_addr.set_layer_address(HypertreeLayerIndex(params.d() - 1));
71 wots_addr.set_layer_address(HypertreeLayerIndex(params.d() - 1));
72
74 xmss_sign_and_pkgen(dummy_sig, dummy_root, secret_seed, wots_addr, top_tree_addr, std::nullopt, params, hashes);
75
76 return root;
77}
Gf448Elem root(const Gf448Elem &elem)
Compute the root of elem in the field.

References Botan::Sphincs_Parameters::d(), HashTree, Botan::Sphincs_Parameters::n(), root(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Parameters::wots_bytes(), WotsPublicKeyCompression, xmss_sign_and_pkgen(), and Botan::Sphincs_Parameters::xmss_tree_height().

Referenced by Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey().

◆ xmss_sign_and_pkgen()

SphincsTreeNode Botan::xmss_sign_and_pkgen ( StrongSpan< SphincsXmssSignature > out_sig,
const SphincsTreeNode & message,
const SphincsSecretSeed & secret_seed,
Sphincs_Address & wots_addr,
Sphincs_Address & tree_addr,
std::optional< TreeNodeIndex > idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 10: xmss_sign.

This generates a Merkle signature of message (i.e. a FORS public key (bottom layer) or an XMSS root node). The Merkle authentication path logic is mostly hidden in treehash_spec. The WOTS signature followed by the Merkle authentication path are stored in out_sig. Set idx_leaf to std::nullopt if no signature is desired.

Returns
the XMSS public key (i.e. the root of the XMSS merkle tree)

Definition at line 19 of file sp_xmss.cpp.

26 {
27 BufferStuffer sig(out_sig);
28 auto wots_bytes_s = sig.next<WotsSignature>(params.wots_bytes());
29 auto auth_path_s = sig.next<SphincsAuthenticationPath>(sig.remaining_capacity());
30
31 const auto steps = [&]() -> std::vector<WotsHashIndex> {
32 // if `idx_leaf` is not set, we don't want to calculate a signature and
33 // therefore won't need to bother preparing the chain lengths either.
34 if(idx_leaf.has_value()) {
35 return chain_lengths(message, params);
36 } else {
37 return {};
38 };
39 }();
40
43
45
46 GenerateLeafFunction xmss_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
48 wots_bytes_s, out_root, secret_seed, address_index, idx_leaf, steps, leaf_addr, pk_addr, params, hashes);
49 };
50
51 SphincsTreeNode next_root(params.n());
53 treehash(next_root, auth_path_s, params, hashes, idx_leaf, 0, params.xmss_tree_height(), xmss_gen_leaf, tree_addr);
54
55 return next_root;
56}
static Sphincs_Address as_subtree_from(const Sphincs_Address &other)
Definition sp_address.h:115
void wots_sign_and_pkgen(StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
Definition sp_wots.cpp:132

References Botan::Sphincs_Address::as_subtree_from(), BOTAN_ASSERT_NOMSG, chain_lengths(), Botan::Sphincs_Address::get_type(), HashTree, Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::Sphincs_Address::set_type(), treehash(), Botan::Sphincs_Parameters::wots_bytes(), wots_sign_and_pkgen(), WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().

Referenced by ht_sign(), and xmss_gen_root().

◆ xor_buf() [1/7]

void Botan::xor_buf ( ranges::contiguous_output_range< uint8_t > auto && out,
ranges::contiguous_range< uint8_t > auto && in )
inlineconstexpr

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output range
inthe read-only input range

Definition at line 344 of file mem_ops.h.

345 {
347
348 std::span<uint8_t> o(out);
349 std::span<const uint8_t> i(in);
350
351 for(; o.size_bytes() >= 32; o = o.subspan(32), i = i.subspan(32)) {
352 auto x = typecast_copy<std::array<uint64_t, 4>>(o.template first<32>());
353 const auto y = typecast_copy<std::array<uint64_t, 4>>(i.template first<32>());
354
355 x[0] ^= y[0];
356 x[1] ^= y[1];
357 x[2] ^= y[2];
358 x[3] ^= y[3];
359
360 typecast_copy(o.template first<32>(), x);
361 }
362
363 for(size_t off = 0; off != o.size_bytes(); ++off) {
364 o[off] ^= i[off];
365 }
366}

References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::Salsa20::cipher_bytes(), Botan::Lion::decrypt_n(), Botan::Lion::encrypt_n(), Botan::GHASH::final(), mgf1_mask(), operator^(), Botan::OctetString::operator^=(), operator^=(), pbkdf2(), Botan::SIV_Mode::S2V(), xor_buf(), xor_buf(), xor_buf(), xor_buf(), and xor_buf().

◆ xor_buf() [2/7]

void Botan::xor_buf ( ranges::contiguous_output_range< uint8_t > auto && out,
ranges::contiguous_range< uint8_t > auto && in1,
ranges::contiguous_range< uint8_t > auto && in2 )
inlineconstexpr

XOR arrays. Postcondition out[i] = in1[i] ^ in2[i] forall i = 0...length

Parameters
outthe output range
in1the first input range
in2the second input range

Definition at line 374 of file mem_ops.h.

376 {
378
379 std::span o{out};
380 std::span i1{in1};
381 std::span i2{in2};
382
383 for(; o.size_bytes() >= 32; o = o.subspan(32), i1 = i1.subspan(32), i2 = i2.subspan(32)) {
384 auto x = typecast_copy<std::array<uint64_t, 4>>(i1.template first<32>());
385 const auto y = typecast_copy<std::array<uint64_t, 4>>(i2.template first<32>());
386
387 x[0] ^= y[0];
388 x[1] ^= y[1];
389 x[2] ^= y[2];
390 x[3] ^= y[3];
391
392 typecast_copy(o.template first<32>(), x);
393 }
394
395 for(size_t off = 0; off != o.size_bytes(); ++off) {
396 o[off] = i1[off] ^ i2[off];
397 }
398}

References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().

◆ xor_buf() [3/7]

void Botan::xor_buf ( std::span< uint8_t > out,
std::span< const uint8_t > in,
size_t n )
inline

Definition at line 424 of file mem_ops.h.

424 {
425 BOTAN_ARG_CHECK(out.size() >= n, "output span is too small");
426 BOTAN_ARG_CHECK(in.size() >= n, "input span is too small");
427 xor_buf(out.first(n), in.first(n));
428}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [4/7]

template<typename Alloc, typename Alloc2>
void Botan::xor_buf ( std::vector< uint8_t, Alloc > & out,
const uint8_t * in,
const std::vector< uint8_t, Alloc2 > & in2,
size_t n )

Definition at line 440 of file mem_ops.h.

440 {
441 BOTAN_ARG_CHECK(out.size() >= n, "output vector is too small");
442 BOTAN_ARG_CHECK(in2.size() >= n, "input vector is too small");
443 // simply assumes that *in points to "n" allocated bytes at least
444 xor_buf(std::span{out}.first(n), std::span{in, n}, std::span{in2}.first(n));
445}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [5/7]

template<typename Alloc>
void Botan::xor_buf ( std::vector< uint8_t, Alloc > & out,
const uint8_t * in,
size_t n )

Definition at line 432 of file mem_ops.h.

432 {
433 BOTAN_ARG_CHECK(out.size() >= n, "output vector is too small");
434 // simply assumes that *in points to "n" allocated bytes at least
435 xor_buf(std::span{out}.first(n), std::span{in, n});
436}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [6/7]

void Botan::xor_buf ( uint8_t out[],
const uint8_t in[],
const uint8_t in2[],
size_t length )
inline

XOR arrays. Postcondition out[i] = in[i] ^ in2[i] forall i = 0...length

Parameters
outthe output buffer
inthe first input buffer
in2the second input buffer
lengththe length of the three buffers

Definition at line 418 of file mem_ops.h.

418 {
419 // simply assumes that *out, *in, and *in2 point to "length" allocated bytes at least
420 xor_buf(std::span{out, length}, std::span{in, length}, std::span{in2, length});
421}

References xor_buf().

◆ xor_buf() [7/7]

void Botan::xor_buf ( uint8_t out[],
const uint8_t in[],
size_t length )
inline

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output buffer
inthe read-only input buffer
lengththe length of the buffers

Definition at line 406 of file mem_ops.h.

406 {
407 // simply assumes that *out and *in point to "length" allocated bytes at least
408 xor_buf(std::span{out, length}, std::span{in, length});
409}

References xor_buf().

◆ xts_update_tweak_block()

void Botan::xts_update_tweak_block ( uint8_t tweak[],
size_t BS,
size_t blocks_in_tweak )

Definition at line 119 of file poly_dbl.cpp.

119 {
120 if(BS == 16) {
121 constexpr size_t LIMBS = 2;
122
123 uint64_t W[LIMBS];
124 load_le(W, &tweak[0], LIMBS);
125
126 for(size_t i = 1; i < blocks_in_tweak; ++i) {
127 const uint64_t carry = return_carry<MinWeightPolynomial::P128>(W[1]);
128 W[1] = (W[1] << 1) ^ (W[0] >> 63);
129 W[0] = (W[0] << 1) ^ carry;
130 copy_out_le(std::span(&tweak[i * BS], 2 * 8), W);
131 }
132 } else {
133 for(size_t i = 1; i < blocks_in_tweak; ++i) {
134 const uint8_t* prev = &tweak[(i - 1) * BS];
135 uint8_t* cur = &tweak[i * BS];
136 poly_double_n_le(cur, prev, BS);
137 }
138 }
139}
void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:100
void copy_out_le(std::span< uint8_t > out, InR &&in)
Definition loadstor.h:789

References carry(), copy_out_le(), load_le(), and poly_double_n_le().

Referenced by Botan::XTS_Mode::update_tweak().

◆ zap()

◆ zeroise()

template<typename T, typename Alloc>
void Botan::zeroise ( std::vector< T, Alloc > & vec)

Variable Documentation

◆ BLAKE2B_BLOCKBYTES

size_t Botan::BLAKE2B_BLOCKBYTES = 128
constexpr

Definition at line 21 of file blake2b.h.

Referenced by Botan::BLAKE2b::add_data().

◆ BYTES_448

size_t Botan::BYTES_448 = ceil_tobytes(448)
constexpr

Definition at line 20 of file curve448_gf.h.

◆ DefaultBufferSize

size_t Botan::DefaultBufferSize = 4096
constexpr

How much to allocate for a buffer of no particular size

Definition at line 137 of file types.h.

Referenced by operator<<(), operator<<(), operator>>(), operator>>(), Botan::Pipe::read_all_as_string(), and Botan::Pipe::write().

◆ ED448_LEN

◆ HEX_CODEC_BUFFER_SIZE

const size_t Botan::HEX_CODEC_BUFFER_SIZE = 256

Size used for internal buffer in hex encoder/decoder

Definition at line 20 of file hex_filt.cpp.

Referenced by Botan::Hex_Decoder::Hex_Decoder(), Botan::Hex_Encoder::Hex_Encoder(), and Botan::Hex_Encoder::Hex_Encoder().

◆ is_strong_span_v

template<typename T>
bool Botan::is_strong_span_v = is_strong_span<T>::value
constexpr

Definition at line 713 of file strong_type.h.

◆ is_strong_type_v

template<typename... Ts>
bool Botan::is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value
constexpr

Definition at line 33 of file concepts.h.

◆ LMS_IDENTIFIER_LEN

◆ MAX_EXT_DEG

const size_t Botan::MAX_EXT_DEG = 16

Definition at line 18 of file gf2m_small_m.cpp.

◆ PRIME_TABLE_SIZE

const size_t Botan::PRIME_TABLE_SIZE = 6541

The size of the PRIMES[] array

Definition at line 174 of file numthry.h.

Referenced by is_prime(), and random_prime().

◆ PRIMES

const uint16_t Botan::PRIMES

A const array of all odd primes less than 65535

Definition at line 12 of file primes.cpp.

12 {
13 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
14 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
15 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
16 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313,
17 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419,
18 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509,
19 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617,
20 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727,
21 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829,
22 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947,
23 953, 967, 971, 977, 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051,
24 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 1171,
25 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
26 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427,
27 1429, 1433, 1439, 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523,
28 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, 1621,
29 1627, 1637, 1657, 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753,
30 1759, 1777, 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879,
31 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011,
32 2017, 2027, 2029, 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131,
33 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, 2269,
34 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, 2381,
35 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521,
36 2531, 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
37 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 2749,
38 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879,
39 2887, 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, 3019,
40 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169,
41 3181, 3187, 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 3307,
42 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433,
43 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, 3547,
44 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 3673,
45 3677, 3691, 3697, 3701, 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803,
46 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, 3929,
47 3931, 3943, 3947, 3967, 3989, 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
48 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, 4217,
49 4219, 4229, 4231, 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339,
50 4349, 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483,
51 4493, 4507, 4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637,
52 4639, 4643, 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, 4759,
53 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919,
54 4931, 4933, 4937, 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, 5021,
55 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 5171,
56 5179, 5189, 5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 5323,
57 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, 5449,
58 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
59 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 5717,
60 5737, 5741, 5743, 5749, 5779, 5783, 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851,
61 5857, 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, 6011,
62 6029, 6037, 6043, 6047, 6053, 6067, 6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143,
63 6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, 6277,
64 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389,
65 6397, 6421, 6427, 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569,
66 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, 6703,
67 6709, 6719, 6733, 6737, 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, 6841,
68 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 6977,
69 6983, 6991, 6997, 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
70 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283,
71 7297, 7307, 7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459,
72 7477, 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, 7573,
73 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699,
74 7703, 7717, 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 7867,
75 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011,
76 8017, 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, 8167,
77 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, 8293,
78 8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, 8447,
79 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, 8623,
80 8627, 8629, 8641, 8647, 8663, 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
81 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, 8863,
82 8867, 8887, 8893, 8923, 8929, 8933, 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013,
83 9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, 9173,
84 9181, 9187, 9199, 9203, 9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319,
85 9323, 9337, 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437,
86 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601,
87 9613, 9619, 9623, 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, 9739,
88 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, 9859,
89 9871, 9883, 9887, 9901, 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, 10039,
90 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169,
91 10177, 10181, 10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
92 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, 10463,
93 10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631,
94 10639, 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, 10781,
95 10789, 10799, 10831, 10837, 10847, 10853, 10859, 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939,
96 10949, 10957, 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, 11093,
97 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257,
98 11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, 11411,
99 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, 11579,
100 11587, 11593, 11597, 11617, 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743,
101 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, 11897,
102 11903, 11909, 11923, 11927, 11933, 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
103 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, 12163,
104 12197, 12203, 12211, 12227, 12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329,
105 12343, 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479,
106 12487, 12491, 12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601,
107 12611, 12613, 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, 12743,
108 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911,
109 12917, 12919, 12923, 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, 13037,
110 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183,
111 13187, 13217, 13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, 13339,
112 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, 13513,
113 13523, 13537, 13553, 13567, 13577, 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
114 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, 13807,
115 13829, 13831, 13841, 13859, 13873, 13877, 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963,
116 13967, 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, 14149,
117 14153, 14159, 14173, 14177, 14197, 14207, 14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327,
118 14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, 14479,
119 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629,
120 14633, 14639, 14653, 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759,
121 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, 14891,
122 14897, 14923, 14929, 14939, 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, 15077,
123 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, 15227,
124 15233, 15241, 15259, 15263, 15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
125 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493,
126 15497, 15511, 15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647,
127 15649, 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, 15787,
128 15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923,
129 15937, 15959, 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, 16091,
130 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253,
131 16267, 16273, 16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, 16433,
132 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, 16607,
133 16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, 16759,
134 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, 16931,
135 16937, 16943, 16963, 16979, 16981, 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
136 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, 17239,
137 17257, 17291, 17293, 17299, 17317, 17321, 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393,
138 17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, 17539,
139 17551, 17569, 17573, 17579, 17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707,
140 17713, 17729, 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881,
141 17891, 17903, 17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971, 17977, 17981, 17987, 17989, 18013,
142 18041, 18043, 18047, 18049, 18059, 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143, 18149,
143 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233, 18251, 18253, 18257, 18269, 18287, 18289, 18301,
144 18307, 18311, 18313, 18329, 18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, 18433, 18439, 18443,
145 18451, 18457, 18461, 18481, 18493, 18503, 18517, 18521, 18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617,
146 18637, 18661, 18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749, 18757, 18773, 18787, 18793, 18797,
147 18803, 18839, 18859, 18869, 18899, 18911, 18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009, 19013,
148 19031, 19037, 19051, 19069, 19073, 19079, 19081, 19087, 19121, 19139, 19141, 19157, 19163, 19181, 19183, 19207,
149 19211, 19213, 19219, 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319, 19333, 19373, 19379,
150 19381, 19387, 19391, 19403, 19417, 19421, 19423, 19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471,
151 19477, 19483, 19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, 19577, 19583, 19597, 19603, 19609,
152 19661, 19681, 19687, 19697, 19699, 19709, 19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793, 19801,
153 19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891, 19913, 19919, 19927, 19937, 19949, 19961, 19963,
154 19973, 19979, 19991, 19993, 19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071, 20089, 20101, 20107,
155 20113, 20117, 20123, 20129, 20143, 20147, 20149, 20161, 20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249,
156 20261, 20269, 20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357, 20359, 20369, 20389, 20393, 20399,
157 20407, 20411, 20431, 20441, 20443, 20477, 20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551, 20563,
158 20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693, 20707, 20717, 20719, 20731, 20743, 20747, 20749,
159 20753, 20759, 20771, 20773, 20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897, 20899, 20903, 20921,
160 20929, 20939, 20947, 20959, 20963, 20981, 20983, 21001, 21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061,
161 21067, 21089, 21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169, 21179, 21187, 21191, 21193, 21211,
162 21221, 21227, 21247, 21269, 21277, 21283, 21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383, 21391,
163 21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491, 21493, 21499, 21503, 21517, 21521, 21523, 21529,
164 21557, 21559, 21563, 21569, 21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647, 21649, 21661, 21673,
165 21683, 21701, 21713, 21727, 21737, 21739, 21751, 21757, 21767, 21773, 21787, 21799, 21803, 21817, 21821, 21839,
166 21841, 21851, 21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943, 21961, 21977, 21991, 21997, 22003,
167 22013, 22027, 22031, 22037, 22039, 22051, 22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123, 22129,
168 22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229, 22247, 22259, 22271, 22273, 22277, 22279, 22283,
169 22291, 22303, 22307, 22343, 22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441, 22447, 22453, 22469,
170 22481, 22483, 22501, 22511, 22531, 22541, 22543, 22549, 22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639,
171 22643, 22651, 22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727, 22739, 22741, 22751, 22769, 22777,
172 22783, 22787, 22807, 22811, 22817, 22853, 22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943, 22961,
173 22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029, 23039, 23041, 23053, 23057, 23059, 23063, 23071,
174 23081, 23087, 23099, 23117, 23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203, 23209, 23227, 23251,
175 23269, 23279, 23291, 23293, 23297, 23311, 23321, 23327, 23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431,
176 23447, 23459, 23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561, 23563, 23567, 23581, 23593, 23599,
177 23603, 23609, 23623, 23627, 23629, 23633, 23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743, 23747,
178 23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827, 23831, 23833, 23857, 23869, 23873, 23879, 23887,
179 23893, 23899, 23909, 23911, 23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007, 24019, 24023, 24029,
180 24043, 24049, 24061, 24071, 24077, 24083, 24091, 24097, 24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151,
181 24169, 24179, 24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281, 24317, 24329, 24337, 24359, 24371,
182 24373, 24379, 24391, 24407, 24413, 24419, 24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517, 24527,
183 24533, 24547, 24551, 24571, 24593, 24611, 24623, 24631, 24659, 24671, 24677, 24683, 24691, 24697, 24709, 24733,
184 24749, 24763, 24767, 24781, 24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877, 24889, 24907, 24917,
185 24919, 24923, 24943, 24953, 24967, 24971, 24977, 24979, 24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087,
186 25097, 25111, 25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183, 25189, 25219, 25229, 25237, 25243,
187 25247, 25253, 25261, 25301, 25303, 25307, 25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391, 25409,
188 25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471, 25523, 25537, 25541, 25561, 25577, 25579, 25583,
189 25589, 25601, 25603, 25609, 25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693, 25703, 25717, 25733,
190 25741, 25747, 25759, 25763, 25771, 25793, 25799, 25801, 25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903,
191 25913, 25919, 25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999, 26003, 26017, 26021, 26029, 26041,
192 26053, 26083, 26099, 26107, 26111, 26113, 26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203, 26209,
193 26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297, 26309, 26317, 26321, 26339, 26347, 26357, 26371,
194 26387, 26393, 26399, 26407, 26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497, 26501, 26513, 26539,
195 26557, 26561, 26573, 26591, 26597, 26627, 26633, 26641, 26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701,
196 26711, 26713, 26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801, 26813, 26821, 26833, 26839, 26849,
197 26861, 26863, 26879, 26881, 26891, 26893, 26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987, 26993,
198 27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077, 27091, 27103, 27107, 27109, 27127, 27143, 27179,
199 27191, 27197, 27211, 27239, 27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329, 27337, 27361, 27367,
200 27397, 27407, 27409, 27427, 27431, 27437, 27449, 27457, 27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541,
201 27551, 27581, 27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691, 27697, 27701, 27733, 27737, 27739,
202 27743, 27749, 27751, 27763, 27767, 27773, 27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827, 27847,
203 27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947, 27953, 27961, 27967, 27983, 27997, 28001, 28019,
204 28027, 28031, 28051, 28057, 28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151, 28163, 28181, 28183,
205 28201, 28211, 28219, 28229, 28277, 28279, 28283, 28289, 28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393,
206 28403, 28409, 28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499, 28513, 28517, 28537, 28541, 28547,
207 28549, 28559, 28571, 28573, 28579, 28591, 28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649, 28657,
208 28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729, 28751, 28753, 28759, 28771, 28789, 28793, 28807,
209 28813, 28817, 28837, 28843, 28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933, 28949, 28961, 28979,
210 29009, 29017, 29021, 29023, 29027, 29033, 29059, 29063, 29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153,
211 29167, 29173, 29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251, 29269, 29287, 29297, 29303, 29311,
212 29327, 29333, 29339, 29347, 29363, 29383, 29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443, 29453,
213 29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573, 29581, 29587, 29599, 29611, 29629, 29633, 29641,
214 29663, 29669, 29671, 29683, 29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819, 29833, 29837, 29851,
215 29863, 29867, 29873, 29879, 29881, 29917, 29921, 29927, 29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047,
216 30059, 30071, 30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137, 30139, 30161, 30169, 30181, 30187,
217 30197, 30203, 30211, 30223, 30241, 30253, 30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341, 30347,
218 30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469, 30491, 30493, 30497, 30509, 30517, 30529, 30539,
219 30553, 30557, 30559, 30577, 30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689, 30697, 30703, 30707,
220 30713, 30727, 30757, 30763, 30773, 30781, 30803, 30809, 30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869,
221 30871, 30881, 30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983, 31013, 31019, 31033, 31039, 31051,
222 31063, 31069, 31079, 31081, 31091, 31121, 31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183, 31189,
223 31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259, 31267, 31271, 31277, 31307, 31319, 31321, 31327,
224 31333, 31337, 31357, 31379, 31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511, 31513, 31517, 31531,
225 31541, 31543, 31547, 31567, 31573, 31583, 31601, 31607, 31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699,
226 31721, 31723, 31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817, 31847, 31849, 31859, 31873, 31883,
227 31891, 31907, 31957, 31963, 31973, 31981, 31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063, 32069,
228 32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159, 32173, 32183, 32189, 32191, 32203, 32213, 32233,
229 32237, 32251, 32257, 32261, 32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353, 32359, 32363, 32369,
230 32371, 32377, 32381, 32401, 32411, 32413, 32423, 32429, 32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507,
231 32531, 32533, 32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609, 32611, 32621, 32633, 32647, 32653,
232 32687, 32693, 32707, 32713, 32717, 32719, 32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831, 32833,
233 32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939, 32941, 32957, 32969, 32971, 32983, 32987, 32993,
234 32999, 33013, 33023, 33029, 33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113, 33119, 33149, 33151,
235 33161, 33179, 33181, 33191, 33199, 33203, 33211, 33223, 33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331,
236 33343, 33347, 33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427, 33457, 33461, 33469, 33479, 33487,
237 33493, 33503, 33521, 33529, 33533, 33547, 33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613, 33617,
238 33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713, 33721, 33739, 33749, 33751, 33757, 33767, 33769,
239 33773, 33791, 33797, 33809, 33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893, 33911, 33923, 33931,
240 33937, 33941, 33961, 33967, 33997, 34019, 34031, 34033, 34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147,
241 34157, 34159, 34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261, 34267, 34273, 34283, 34297, 34301,
242 34303, 34313, 34319, 34327, 34337, 34351, 34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457, 34469,
243 34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537, 34543, 34549, 34583, 34589, 34591, 34603, 34607,
244 34613, 34631, 34649, 34651, 34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739, 34747, 34757, 34759,
245 34763, 34781, 34807, 34819, 34841, 34843, 34847, 34849, 34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949,
246 34961, 34963, 34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083, 35089, 35099, 35107, 35111, 35117,
247 35129, 35141, 35149, 35153, 35159, 35171, 35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291, 35311,
248 35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401, 35407, 35419, 35423, 35437, 35447, 35449, 35461,
249 35491, 35507, 35509, 35521, 35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593, 35597, 35603, 35617,
250 35671, 35677, 35729, 35731, 35747, 35753, 35759, 35771, 35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851,
251 35863, 35869, 35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969, 35977, 35983, 35993, 35999, 36007,
252 36011, 36013, 36017, 36037, 36061, 36067, 36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161, 36187,
253 36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277, 36293, 36299, 36307, 36313, 36319, 36341, 36343,
254 36353, 36373, 36383, 36389, 36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497, 36523, 36527, 36529,
255 36541, 36551, 36559, 36563, 36571, 36583, 36587, 36599, 36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683,
256 36691, 36697, 36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781, 36787, 36791, 36793, 36809, 36821,
257 36833, 36847, 36857, 36871, 36877, 36887, 36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947, 36973,
258 36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057, 37061, 37087, 37097, 37117, 37123, 37139, 37159,
259 37171, 37181, 37189, 37199, 37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309, 37313, 37321, 37337,
260 37339, 37357, 37361, 37363, 37369, 37379, 37397, 37409, 37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501,
261 37507, 37511, 37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573, 37579, 37589, 37591, 37607, 37619,
262 37633, 37643, 37649, 37657, 37663, 37691, 37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813, 37831,
263 37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951, 37957, 37963, 37967, 37987, 37991, 37993, 37997,
264 38011, 38039, 38047, 38053, 38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183, 38189, 38197, 38201,
265 38219, 38231, 38237, 38239, 38261, 38273, 38281, 38287, 38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351,
266 38371, 38377, 38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543, 38557, 38561, 38567, 38569, 38593,
267 38603, 38609, 38611, 38629, 38639, 38651, 38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713, 38723,
268 38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821, 38833, 38839, 38851, 38861, 38867, 38873, 38891,
269 38903, 38917, 38921, 38923, 38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041, 39043, 39047, 39079,
270 39089, 39097, 39103, 39107, 39113, 39119, 39133, 39139, 39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217,
271 39227, 39229, 39233, 39239, 39241, 39251, 39293, 39301, 39313, 39317, 39323, 39341, 39343, 39359, 39367, 39371,
272 39373, 39383, 39397, 39409, 39419, 39439, 39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541, 39551,
273 39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667, 39671, 39679, 39703, 39709, 39719, 39727, 39733,
274 39749, 39761, 39769, 39779, 39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857, 39863, 39869, 39877,
275 39883, 39887, 39901, 39929, 39937, 39953, 39971, 39979, 39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063,
276 40087, 40093, 40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169, 40177, 40189, 40193, 40213, 40231,
277 40237, 40241, 40253, 40277, 40283, 40289, 40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433, 40459,
278 40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531, 40543, 40559, 40577, 40583, 40591, 40597, 40609,
279 40627, 40637, 40639, 40693, 40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787, 40801, 40813, 40819,
280 40823, 40829, 40841, 40847, 40849, 40853, 40867, 40879, 40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961,
281 40973, 40993, 41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081, 41113, 41117, 41131, 41141, 41143,
282 41149, 41161, 41177, 41179, 41183, 41189, 41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257, 41263,
283 41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387, 41389, 41399, 41411, 41413, 41443, 41453, 41467,
284 41479, 41491, 41507, 41513, 41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603, 41609, 41611, 41617,
285 41621, 41627, 41641, 41647, 41651, 41659, 41669, 41681, 41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777,
286 41801, 41809, 41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897, 41903, 41911, 41927, 41941, 41947,
287 41953, 41957, 41959, 41969, 41981, 41983, 41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073, 42083,
288 42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187, 42193, 42197, 42209, 42221, 42223, 42227, 42239,
289 42257, 42281, 42283, 42293, 42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379, 42391, 42397, 42403,
290 42407, 42409, 42433, 42437, 42443, 42451, 42457, 42461, 42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533,
291 42557, 42569, 42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677, 42683, 42689, 42697, 42701, 42703,
292 42709, 42719, 42727, 42737, 42743, 42751, 42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841, 42853,
293 42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953, 42961, 42967, 42979, 42989, 43003, 43013, 43019,
294 43037, 43049, 43051, 43063, 43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189, 43201, 43207, 43223,
295 43237, 43261, 43271, 43283, 43291, 43313, 43319, 43321, 43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441,
296 43451, 43457, 43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579, 43591, 43597, 43607, 43609, 43613,
297 43627, 43633, 43649, 43651, 43661, 43669, 43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783, 43787,
298 43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933, 43943, 43951, 43961, 43963, 43969, 43973, 43987,
299 43991, 43997, 44017, 44021, 44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101, 44111, 44119, 44123,
300 44129, 44131, 44159, 44171, 44179, 44189, 44201, 44203, 44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273,
301 44279, 44281, 44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449, 44453, 44483, 44491, 44497, 44501,
302 44507, 44519, 44531, 44533, 44537, 44543, 44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641, 44647,
303 44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741, 44753, 44771, 44773, 44777, 44789, 44797, 44809,
304 44819, 44839, 44843, 44851, 44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953, 44959, 44963, 44971,
305 44983, 44987, 45007, 45013, 45053, 45061, 45077, 45083, 45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179,
306 45181, 45191, 45197, 45233, 45247, 45259, 45263, 45281, 45289, 45293, 45307, 45317, 45319, 45329, 45337, 45341,
307 45343, 45361, 45377, 45389, 45403, 45413, 45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533, 45541,
308 45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641, 45659, 45667, 45673, 45677, 45691, 45697, 45707,
309 45737, 45751, 45757, 45763, 45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853, 45863, 45869, 45887,
310 45893, 45943, 45949, 45953, 45959, 45971, 45979, 45989, 46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093,
311 46099, 46103, 46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199, 46219, 46229, 46237, 46261, 46271,
312 46273, 46279, 46301, 46307, 46309, 46327, 46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447, 46451,
313 46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549, 46559, 46567, 46573, 46589, 46591, 46601, 46619,
314 46633, 46639, 46643, 46649, 46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747, 46751, 46757, 46769,
315 46771, 46807, 46811, 46817, 46819, 46829, 46831, 46853, 46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957,
316 46993, 46997, 47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119, 47123, 47129, 47137, 47143, 47147,
317 47149, 47161, 47189, 47207, 47221, 47237, 47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317, 47339,
318 47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419, 47431, 47441, 47459, 47491, 47497, 47501, 47507,
319 47513, 47521, 47527, 47533, 47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629, 47639, 47653, 47657,
320 47659, 47681, 47699, 47701, 47711, 47713, 47717, 47737, 47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809,
321 47819, 47837, 47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939, 47947, 47951, 47963, 47969, 47977,
322 47981, 48017, 48023, 48029, 48049, 48073, 48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179, 48187,
323 48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299, 48311, 48313, 48337, 48341, 48353, 48371, 48383,
324 48397, 48407, 48409, 48413, 48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497, 48523, 48527, 48533,
325 48539, 48541, 48563, 48571, 48589, 48593, 48611, 48619, 48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731,
326 48733, 48751, 48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817, 48821, 48823, 48847, 48857, 48859,
327 48869, 48871, 48883, 48889, 48907, 48947, 48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033, 49037,
328 49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123, 49139, 49157, 49169, 49171, 49177, 49193, 49199,
329 49201, 49207, 49211, 49223, 49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339, 49363, 49367, 49369,
330 49391, 49393, 49409, 49411, 49417, 49429, 49433, 49451, 49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531,
331 49537, 49547, 49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663, 49667, 49669, 49681, 49697, 49711,
332 49727, 49739, 49741, 49747, 49757, 49783, 49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853, 49871,
333 49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957, 49991, 49993, 49999, 50021, 50023, 50033, 50047,
334 50051, 50053, 50069, 50077, 50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147, 50153, 50159, 50177,
335 50207, 50221, 50227, 50231, 50261, 50263, 50273, 50287, 50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363,
336 50377, 50383, 50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503, 50513, 50527, 50539, 50543, 50549,
337 50551, 50581, 50587, 50591, 50593, 50599, 50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753, 50767,
338 50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867, 50873, 50891, 50893, 50909, 50923, 50929, 50951,
339 50957, 50969, 50971, 50989, 50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109, 51131, 51133, 51137,
340 51151, 51157, 51169, 51193, 51197, 51199, 51203, 51217, 51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307,
341 51329, 51341, 51343, 51347, 51349, 51361, 51383, 51407, 51413, 51419, 51421, 51427, 51431, 51437, 51439, 51449,
342 51461, 51473, 51479, 51481, 51487, 51503, 51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593, 51599,
343 51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683, 51691, 51713, 51719, 51721, 51749, 51767, 51769,
344 51787, 51797, 51803, 51817, 51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899, 51907, 51913, 51929,
345 51941, 51949, 51971, 51973, 51977, 51991, 52009, 52021, 52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121,
346 52127, 52147, 52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237, 52249, 52253, 52259, 52267, 52289,
347 52291, 52301, 52313, 52321, 52361, 52363, 52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501, 52511,
348 52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579, 52583, 52609, 52627, 52631, 52639, 52667, 52673,
349 52691, 52697, 52709, 52711, 52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813, 52817, 52837, 52859,
350 52861, 52879, 52883, 52889, 52901, 52903, 52919, 52937, 52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003,
351 53017, 53047, 53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117, 53129, 53147, 53149, 53161, 53171,
352 53173, 53189, 53197, 53201, 53231, 53233, 53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327, 53353,
353 53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441, 53453, 53479, 53503, 53507, 53527, 53549, 53551,
354 53569, 53591, 53593, 53597, 53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657, 53681, 53693, 53699,
355 53717, 53719, 53731, 53759, 53773, 53777, 53783, 53791, 53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887,
356 53891, 53897, 53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993, 54001, 54011, 54013, 54037, 54049,
357 54059, 54083, 54091, 54101, 54121, 54133, 54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269, 54277,
358 54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367, 54371, 54377, 54401, 54403, 54409, 54413, 54419,
359 54421, 54437, 54443, 54449, 54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541, 54547, 54559, 54563,
360 54577, 54581, 54583, 54601, 54617, 54623, 54629, 54631, 54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727,
361 54751, 54767, 54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877, 54881, 54907, 54917, 54919, 54941,
362 54949, 54959, 54973, 54979, 54983, 55001, 55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103, 55109,
363 55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217, 55219, 55229, 55243, 55249, 55259, 55291, 55313,
364 55331, 55333, 55337, 55339, 55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457, 55469, 55487, 55501,
365 55511, 55529, 55541, 55547, 55579, 55589, 55603, 55609, 55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667,
366 55673, 55681, 55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793, 55799, 55807, 55813, 55817, 55819,
367 55823, 55829, 55837, 55843, 55849, 55871, 55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949, 55967,
368 55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087, 56093, 56099, 56101, 56113, 56123, 56131, 56149,
369 56167, 56171, 56179, 56197, 56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299, 56311, 56333, 56359,
370 56369, 56377, 56383, 56393, 56401, 56417, 56431, 56437, 56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501,
371 56503, 56509, 56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599, 56611, 56629, 56633, 56659, 56663,
372 56671, 56681, 56687, 56701, 56711, 56713, 56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809, 56813,
373 56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909, 56911, 56921, 56923, 56929, 56941, 56951, 56957,
374 56963, 56983, 56989, 56993, 56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097, 57107, 57119, 57131,
375 57139, 57143, 57149, 57163, 57173, 57179, 57191, 57193, 57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271,
376 57283, 57287, 57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 57389, 57397, 57413, 57427, 57457, 57467,
377 57487, 57493, 57503, 57527, 57529, 57557, 57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653, 57667,
378 57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737, 57751, 57773, 57781, 57787, 57791, 57793, 57803,
379 57809, 57829, 57839, 57847, 57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947, 57973, 57977, 57991,
380 58013, 58027, 58031, 58043, 58049, 58057, 58061, 58067, 58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153,
381 58169, 58171, 58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237, 58243, 58271, 58309, 58313, 58321,
382 58337, 58363, 58367, 58369, 58379, 58391, 58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453, 58477,
383 58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601, 58603, 58613, 58631, 58657, 58661, 58679, 58687,
384 58693, 58699, 58711, 58727, 58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889, 58897, 58901, 58907,
385 58909, 58913, 58921, 58937, 58943, 58963, 58967, 58979, 58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051,
386 59053, 59063, 59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141, 59149, 59159, 59167, 59183, 59197,
387 59207, 59209, 59219, 59221, 59233, 59239, 59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359, 59369,
388 59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443, 59447, 59453, 59467, 59471, 59473, 59497, 59509,
389 59513, 59539, 59557, 59561, 59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659, 59663, 59669, 59671,
390 59693, 59699, 59707, 59723, 59729, 59743, 59747, 59753, 59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879,
391 59887, 59921, 59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029, 60037, 60041, 60077, 60083, 60089,
392 60091, 60101, 60103, 60107, 60127, 60133, 60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251, 60257,
393 60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353, 60373, 60383, 60397, 60413, 60427, 60443, 60449,
394 60457, 60493, 60497, 60509, 60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623, 60631, 60637, 60647,
395 60649, 60659, 60661, 60679, 60689, 60703, 60719, 60727, 60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793,
396 60811, 60821, 60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919, 60923, 60937, 60943, 60953, 60961,
397 61001, 61007, 61027, 61031, 61043, 61051, 61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169, 61211,
398 61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333, 61339, 61343, 61357, 61363, 61379, 61381, 61403,
399 61409, 61417, 61441, 61463, 61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543, 61547, 61553, 61559,
400 61561, 61583, 61603, 61609, 61613, 61627, 61631, 61637, 61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703,
401 61717, 61723, 61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861, 61871, 61879, 61909, 61927, 61933,
402 61949, 61961, 61967, 61979, 61981, 61987, 61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071, 62081,
403 62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189, 62191, 62201, 62207, 62213, 62219, 62233, 62273,
404 62297, 62299, 62303, 62311, 62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459, 62467, 62473, 62477,
405 62483, 62497, 62501, 62507, 62533, 62539, 62549, 62563, 62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639,
406 62653, 62659, 62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773, 62791, 62801, 62819, 62827, 62851,
407 62861, 62869, 62873, 62897, 62903, 62921, 62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989, 63029,
408 63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127, 63131, 63149, 63179, 63197, 63199, 63211, 63241,
409 63247, 63277, 63281, 63299, 63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367, 63377, 63389, 63391,
410 63397, 63409, 63419, 63421, 63439, 63443, 63463, 63467, 63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541,
411 63559, 63577, 63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647, 63649, 63659, 63667, 63671, 63689,
412 63691, 63697, 63703, 63709, 63719, 63727, 63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809, 63823,
413 63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929, 63949, 63977, 63997, 64007, 64013, 64019, 64033,
414 64037, 64063, 64067, 64081, 64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189, 64217, 64223, 64231,
415 64237, 64271, 64279, 64283, 64301, 64303, 64319, 64327, 64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451,
416 64453, 64483, 64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601, 64609, 64613, 64621, 64627, 64633,
417 64661, 64663, 64667, 64679, 64693, 64709, 64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849, 64853,
418 64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937, 64951, 64969, 64997, 65003, 65011, 65027, 65029,
419 65033, 65053, 65063, 65071, 65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147, 65167, 65171, 65173,
420 65179, 65183, 65203, 65213, 65239, 65257, 65267, 65269, 65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371,
421 65381, 65393, 65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497, 65519, 65521, 0};

Referenced by is_prime(), and random_prime().

◆ STREEBOG_Ax

const uint64_t Botan::STREEBOG_Ax
extern

Definition at line 34 of file streebog_precalc.cpp.

34 {
35 {0xd01f715b5c7ef8e6, 0x16fa240980778325, 0xa8a42e857ee049c8, 0x6ac1068fa186465b, 0x6e417bd7a2e9320b,
36 0x665c8167a437daab, 0x7666681aa89617f6, 0x4b959163700bdcf5, 0xf14be6b78df36248, 0xc585bd689a625cff,
37 0x9557d7fca67d82cb, 0x89f0b969af6dd366, 0xb0833d48749f6c35, 0xa1998c23b1ecbc7c, 0x8d70c431ac02a736,
38 0xd6dfbc2fd0a8b69e, 0x37aeb3e551fa198b, 0x0b7d128a40b5cf9c, 0x5a8f2008b5780cbc, 0xedec882284e333e5,
39 0xd25fc177d3c7c2ce, 0x5e0f5d50b61778ec, 0x1d873683c0c24cb9, 0xad040bcbb45d208c, 0x2f89a0285b853c76,
40 0x5732fff6791b8d58, 0x3e9311439ef6ec3f, 0xc9183a809fd3c00f, 0x83adf3f5260a01ee, 0xa6791941f4e8ef10,
41 0x103ae97d0ca1cd5d, 0x2ce948121dee1b4a, 0x39738421dbf2bf53, 0x093da2a6cf0cf5b4, 0xcd9847d89cbcb45f,
42 0xf9561c078b2d8ae8, 0x9c6a755a6971777f, 0xbc1ebaa0712ef0c5, 0x72e61542abf963a6, 0x78bb5fde229eb12e,
43 0x14ba94250fceb90d, 0x844d6697630e5282, 0x98ea08026a1e032f, 0xf06bbea144217f5c, 0xdb6263d11ccb377a,
44 0x641c314b2b8ee083, 0x320e96ab9b4770cf, 0x1ee7deb986a96b85, 0xe96cf57a878c47b5, 0xfdd6615f8842feb8,
45 0xc83862965601dd1b, 0x2ea9f83e92572162, 0xf876441142ff97fc, 0xeb2c455608357d9d, 0x5612a7e0b0c9904c,
46 0x6c01cbfb2d500823, 0x4548a6a7fa037a2d, 0xabc4c6bf388b6ef4, 0xbade77d4fdf8bebd, 0x799b07c8eb4cac3a,
47 0x0c9d87e805b19cf0, 0xcb588aac106afa27, 0xea0c1d40c1e76089, 0x2869354a1e816f1a, 0xff96d17307fbc490,
48 0x9f0a9d602f1a5043, 0x96373fc6e016a5f7, 0x5292dab8b3a6e41c, 0x9b8ae0382c752413, 0x4f15ec3b7364a8a5,
49 0x3fb349555724f12b, 0xc7c50d4415db66d7, 0x92b7429ee379d1a7, 0xd37f99611a15dfda, 0x231427c05e34a086,
50 0xa439a96d7b51d538, 0xb403401077f01865, 0xdda2aea5901d7902, 0x0a5d4a9c8967d288, 0xc265280adf660f93,
51 0x8bb0094520d4e94e, 0x2a29856691385532, 0x42a833c5bf072941, 0x73c64d54622b7eb2, 0x07e095624504536c,
52 0x8a905153e906f45a, 0x6f6123c16b3b2f1f, 0xc6e55552dc097bc3, 0x4468feb133d16739, 0xe211e7f0c7398829,
53 0xa2f96419f7879b40, 0x19074bdbc3ad38e9, 0xf4ebc3f9474e0b0c, 0x43886bd376d53455, 0xd8028beb5aa01046,
54 0x51f23282f5cdc320, 0xe7b1c2be0d84e16d, 0x081dfab006dee8a0, 0x3b33340d544b857b, 0x7f5bcabc679ae242,
55 0x0edd37c48a08a6d8, 0x81ed43d9a9b33bc6, 0xb1a3655ebd4d7121, 0x69a1eeb5e7ed6167, 0xf6ab73d5c8f73124,
56 0x1a67a3e185c61fd5, 0x2dc91004d43c065e, 0x0240b02c8fb93a28, 0x90f7f2b26cc0eb8f, 0x3cd3a16f114fd617,
57 0xaae49ea9f15973e0, 0x06c0cd748cd64e78, 0xda423bc7d5192a6e, 0xc345701c16b41287, 0x6d2193ede4821537,
58 0xfcf639494190e3ac, 0x7c3b228621f1c57e, 0xfb16ac2b0494b0c0, 0xbf7e529a3745d7f9, 0x6881b6a32e3f7c73,
59 0xca78d2bad9b8e733, 0xbbfe2fc2342aa3a9, 0x0dbddffecc6381e4, 0x70a6a56e2440598e, 0xe4d12a844befc651,
60 0x8c509c2765d0ba22, 0xee8c6018c28814d9, 0x17da7c1f49a59e31, 0x609c4c1328e194d3, 0xb3e3d57232f44b09,
61 0x91d7aaa4a512f69b, 0x0ffd6fd243dabbcc, 0x50d26a943c1fde34, 0x6be15e9968545b4f, 0x94778fea6faf9fdf,
62 0x2b09dd7058ea4826, 0x677cd9716de5c7bf, 0x49d5214fffb2e6dd, 0x0360e83a466b273c, 0x1fc786af4f7b7691,
63 0xa0b9d435783ea168, 0xd49f0c035f118cb6, 0x01205816c9d21d14, 0xac2453dd7d8f3d98, 0x545217cc3f70aa64,
64 0x26b4028e9489c9c2, 0xdec2469fd6765e3e, 0x04807d58036f7450, 0xe5f17292823ddb45, 0xf30b569b024a5860,
65 0x62dcfc3fa758aefb, 0xe84cad6c4e5e5aa1, 0xccb81fce556ea94b, 0x53b282ae7a74f908, 0x1b47fbf74c1402c1,
66 0x368eebf39828049f, 0x7afbeff2ad278b06, 0xbe5e0a8cfe97caed, 0xcfd8f7f413058e77, 0xf78b2bc301252c30,
67 0x4d555c17fcdd928d, 0x5f2f05467fc565f8, 0x24f4b2a21b30f3ea, 0x860dd6bbecb768aa, 0x4c750401350f8f99,
68 0x0000000000000000, 0xecccd0344d312ef1, 0xb5231806be220571, 0xc105c030990d28af, 0x653c695de25cfd97,
69 0x159acc33c61ca419, 0xb89ec7f872418495, 0xa9847693b73254dc, 0x58cf90243ac13694, 0x59efc832f3132b80,
70 0x5c4fed7c39ae42c4, 0x828dabe3efd81cfa, 0xd13f294d95ace5f2, 0x7d1b7a90e823d86a, 0xb643f03cf849224d,
71 0x3df3f979d89dcb03, 0x7426d836272f2dde, 0xdfe21e891fa4432a, 0x3a136c1b9d99986f, 0xfa36f43dcd46add4,
72 0xc025982650df35bb, 0x856d3e81aadc4f96, 0xc4a5e57e53b041eb, 0x4708168b75ba4005, 0xaf44bbe73be41aa4,
73 0x971767d029c4b8e3, 0xb9be9feebb939981, 0x215497ecd18d9aae, 0x316e7e91dd2c57f3, 0xcef8afe2dad79363,
74 0x3853dc371220a247, 0x35ee03c9de4323a3, 0xe6919aa8c456fc79, 0xe05157dc4880b201, 0x7bdbb7e464f59612,
75 0x127a59518318f775, 0x332ecebd52956ddb, 0x8f30741d23bb9d1e, 0xd922d3fd93720d52, 0x7746300c61440ae2,
76 0x25d4eab4d2e2eefe, 0x75068020eefd30ca, 0x135a01474acaea61, 0x304e268714fe4ae7, 0xa519f17bb283c82c,
77 0xdc82f6b359cf6416, 0x5baf781e7caa11a8, 0xb2c38d64fb26561d, 0x34ce5bdf17913eb7, 0x5d6fb56af07c5fd0,
78 0x182713cd0a7f25fd, 0x9e2ac576e6c84d57, 0x9aaab82ee5a73907, 0xa3d93c0f3e558654, 0x7e7b92aaae48ff56,
79 0x872d8ead256575be, 0x41c8dbfff96c0e7d, 0x99ca5014a3cc1e3b, 0x40e883e930be1369, 0x1ca76e95091051ad,
80 0x4e35b42dbab6b5b1, 0x05a0254ecabd6944, 0xe1710fca8152af15, 0xf22b0e8dcb984574, 0xb763a82a319b3f59,
81 0x63fca4296e8ab3ef, 0x9d4a2d4ca0a36a6b, 0xe331bfe60eeb953d, 0xd5bf541596c391a2, 0xf5cb9bef8e9c1618,
82 0x46284e9dbc685d11, 0x2074cffa185f87ba, 0xbd3ee2b6b8fcedd1, 0xae64e3f1f23607b0, 0xfeb68965ce29d984,
83 0x55724fdaf6a2b770, 0x29496d5cd753720e, 0xa75941573d3af204, 0x8e102c0bea69800a, 0x111ab16bc573d049,
84 0xd7ffe439197aab8a, 0xefac380e0b5a09cd, 0x48f579593660fbc9, 0x22347fd697e6bd92, 0x61bc1405e13389c7,
85 0x4ab5c975b9d9c1e1, 0x80cd1bcf606126d2, 0x7186fd78ed92449a, 0x93971a882aabccb3, 0x88d0e17f66bfce72,
86 0x27945a985d5bd4d6},
87 {0xde553f8c05a811c8, 0x1906b59631b4f565, 0x436e70d6b1964ff7, 0x36d343cb8b1e9d85, 0x843dfacc858aab5a,
88 0xfdfc95c299bfc7f9, 0x0f634bdea1d51fa2, 0x6d458b3b76efb3cd, 0x85c3f77cf8593f80, 0x3c91315fbe737cb2,
89 0x2148b03366ace398, 0x18f8b8264c6761bf, 0xc830c1c495c9fb0f, 0x981a76102086a0aa, 0xaa16012142f35760,
90 0x35cc54060c763cf6, 0x42907d66cc45db2d, 0x8203d44b965af4bc, 0x3d6f3cefc3a0e868, 0xbc73ff69d292bda7,
91 0x8722ed0102e20a29, 0x8f8185e8cd34deb7, 0x9b0561dda7ee01d9, 0x5335a0193227fad6, 0xc9cecc74e81a6fd5,
92 0x54f5832e5c2431ea, 0x99e47ba05d553470, 0xf7bee756acd226ce, 0x384e05a5571816fd, 0xd1367452a47d0e6a,
93 0xf29fde1c386ad85b, 0x320c77316275f7ca, 0xd0c879e2d9ae9ab0, 0xdb7406c69110ef5d, 0x45505e51a2461011,
94 0xfc029872e46c5323, 0xfa3cb6f5f7bc0cc5, 0x031f17cd8768a173, 0xbd8df2d9af41297d, 0x9d3b4f5ab43e5e3f,
95 0x4071671b36feee84, 0x716207e7d3e3b83d, 0x48d20ff2f9283a1a, 0x27769eb4757cbc7e, 0x5c56ebc793f2e574,
96 0xa48b474f9ef5dc18, 0x52cbada94ff46e0c, 0x60c7da982d8199c6, 0x0e9d466edc068b78, 0x4eec2175eaf865fc,
97 0x550b8e9e21f7a530, 0x6b7ba5bc653fec2b, 0x5eb7f1ba6949d0dd, 0x57ea94e3db4c9099, 0xf640eae6d101b214,
98 0xdd4a284182c0b0bb, 0xff1d8fbf6304f250, 0xb8accb933bf9d7e8, 0xe8867c478eb68c4d, 0x3f8e2692391bddc1,
99 0xcb2fd60912a15a7c, 0xaec935dbab983d2f, 0xf55ffd2b56691367, 0x80e2ce366ce1c115, 0x179bf3f8edb27e1d,
100 0x01fe0db07dd394da, 0xda8a0b76ecc37b87, 0x44ae53e1df9584cb, 0xb310b4b77347a205, 0xdfab323c787b8512,
101 0x3b511268d070b78e, 0x65e6e3d2b9396753, 0x6864b271e2574d58, 0x259784c98fc789d7, 0x02e11a7dfabb35a9,
102 0x8841a6dfa337158b, 0x7ade78c39b5dcdd0, 0xb7cf804d9a2cc84a, 0x20b6bd831b7f7742, 0x75bd331d3a88d272,
103 0x418f6aab4b2d7a5e, 0xd9951cbb6babdaf4, 0xb6318dfde7ff5c90, 0x1f389b112264aa83, 0x492c024284fbaec0,
104 0xe33a0363c608f9a0, 0x2688930408af28a4, 0xc7538a1a341ce4ad, 0x5da8e677ee2171ae, 0x8c9e92254a5c7fc4,
105 0x63d8cd55aae938b5, 0x29ebd8daa97a3706, 0x959827b37be88aa1, 0x1484e4356adadf6e, 0xa7945082199d7d6b,
106 0xbf6ce8a455fa1cd4, 0x9cc542eac9edcae5, 0x79c16f0e1c356ca3, 0x89bfab6fdee48151, 0xd4174d1830c5f0ff,
107 0x9258048415eb419d, 0x6139d72850520d1c, 0x6a85a80c18ec78f1, 0xcd11f88e0171059a, 0xcceff53e7ca29140,
108 0xd229639f2315af19, 0x90b91ef9ef507434, 0x5977d28d074a1be1, 0x311360fce51d56b9, 0xc093a92d5a1f2f91,
109 0x1a19a25bb6dc5416, 0xeb996b8a09de2d3e, 0xfee3820f1ed7668a, 0xd7085ad5b7ad518c, 0x7fff41890fe53345,
110 0xec5948bd67dde602, 0x2fd5f65dbaaa68e0, 0xa5754affe32648c2, 0xf8ddac880d07396c, 0x6fa491468c548664,
111 0x0c7c5c1326bdbed1, 0x4a33158f03930fb3, 0x699abfc19f84d982, 0xe4fa2054a80b329c, 0x6707f9af438252fa,
112 0x08a368e9cfd6d49e, 0x47b1442c58fd25b8, 0xbbb3dc5ebc91769b, 0x1665fe489061eac7, 0x33f27a811fa66310,
113 0x93a609346838d547, 0x30ed6d4c98cec263, 0x1dd9816cd8df9f2a, 0x94662a03063b1e7b, 0x83fdd9fbeb896066,
114 0x7b207573e68e590a, 0x5f49fc0a149a4407, 0x343259b671a5a82c, 0xfbc2bb458a6f981f, 0xc272b350a0a41a38,
115 0x3aaf1fd8ada32354, 0x6cbb868b0b3c2717, 0xa2b569c88d2583fe, 0xf180c9d1bf027928, 0xaf37386bd64ba9f5,
116 0x12bacab2790a8088, 0x4c0d3b0810435055, 0xb2eeb9070e9436df, 0xc5b29067cea7d104, 0xdcb425f1ff132461,
117 0x4f122cc5972bf126, 0xac282fa651230886, 0xe7e537992f6393ef, 0xe61b3a2952b00735, 0x709c0a57ae302ce7,
118 0xe02514ae416058d3, 0xc44c9dd7b37445de, 0x5a68c5408022ba92, 0x1c278cdca50c0bf0, 0x6e5a9cf6f18712be,
119 0x86dce0b17f319ef3, 0x2d34ec2040115d49, 0x4bcd183f7e409b69, 0x2815d56ad4a9a3dc, 0x24698979f2141d0d,
120 0x0000000000000000, 0x1ec696a15fb73e59, 0xd86b110b16784e2e, 0x8e7f8858b0e74a6d, 0x063e2e8713d05fe6,
121 0xe2c40ed3bbdb6d7a, 0xb1f1aeca89fc97ac, 0xe1db191e3cb3cc09, 0x6418ee62c4eaf389, 0xc6ad87aa49cf7077,
122 0xd6f65765ca7ec556, 0x9afb6c6dda3d9503, 0x7ce05644888d9236, 0x8d609f95378feb1e, 0x23a9aa4e9c17d631,
123 0x6226c0e5d73aac6f, 0x56149953a69f0443, 0xeeb852c09d66d3ab, 0x2b0ac2a753c102af, 0x07c023376e03cb3c,
124 0x2ccae1903dc2c993, 0xd3d76e2f5ec63bc3, 0x9e2458973356ff4c, 0xa66a5d32644ee9b1, 0x0a427294356de137,
125 0x783f62be61e6f879, 0x1344c70204d91452, 0x5b96c8f0fdf12e48, 0xa90916ecc59bf613, 0xbe92e5142829880e,
126 0x727d102a548b194e, 0x1be7afebcb0fc0cc, 0x3e702b2244c8491b, 0xd5e940a84d166425, 0x66f9f41f3e51c620,
127 0xabe80c913f20c3ba, 0xf07ec461c2d1edf2, 0xf361d3ac45b94c81, 0x0521394a94b8fe95, 0xadd622162cf09c5c,
128 0xe97871f7f3651897, 0xf4a1f09b2bba87bd, 0x095d6559b2054044, 0x0bbc7f2448be75ed, 0x2af4cf172e129675,
129 0x157ae98517094bb4, 0x9fda55274e856b96, 0x914713499283e0ee, 0xb952c623462a4332, 0x74433ead475b46a8,
130 0x8b5eb112245fb4f8, 0xa34b6478f0f61724, 0x11a5dd7ffe6221fb, 0xc16da49d27ccbb4b, 0x76a224d0bde07301,
131 0x8aa0bca2598c2022, 0x4df336b86d90c48f, 0xea67663a740db9e4, 0xef465f70e0b54771, 0x39b008152acb8227,
132 0x7d1e5bf4f55e06ec, 0x105bd0cf83b1b521, 0x775c2960c033e7db, 0x7e014c397236a79f, 0x811cc386113255cf,
133 0xeda7450d1a0e72d8, 0x5889df3d7a998f3b, 0x2e2bfbedc779fc3a, 0xce0eef438619a4e9, 0x372d4e7bf6cd095f,
134 0x04df34fae96b6a4f, 0xf923a13870d4adb6, 0xa1aa7e050a4d228d, 0xa8f71b5cb84862c9, 0xb52e9a306097fde3,
135 0x0d8251a35b6e2a0b, 0x2257a7fee1c442eb, 0x73831d9a29588d94, 0x51d4ba64c89ccf7f, 0x502ab7d4b54f5ba5,
136 0x97793dce8153bf08, 0xe5042de4d5d8a646, 0x9687307efc802bd2, 0xa05473b5779eb657, 0xb4d097801d446939,
137 0xcff0e2f3fbca3033, 0xc38cbee0dd778ee2, 0x464f499c252eb162, 0xcad1dbb96f72cea6, 0xba4dd1eec142e241,
138 0xb00fa37af42f0376},
139 {0xcce4cd3aa968b245, 0x089d5484e80b7faf, 0x638246c1b3548304, 0xd2fe0ec8c2355492, 0xa7fbdf7ff2374eee,
140 0x4df1600c92337a16, 0x84e503ea523b12fb, 0x0790bbfd53ab0c4a, 0x198a780f38f6ea9d, 0x2ab30c8f55ec48cb,
141 0xe0f7fed6b2c49db5, 0xb6ecf3f422cadbdc, 0x409c9a541358df11, 0xd3ce8a56dfde3fe3, 0xc3e9224312c8c1a0,
142 0x0d6dfa58816ba507, 0xddf3e1b179952777, 0x04c02a42748bb1d9, 0x94c2abff9f2decb8, 0x4f91752da8f8acf4,
143 0x78682befb169bf7b, 0xe1c77a48af2ff6c4, 0x0c5d7ec69c80ce76, 0x4cc1e4928fd81167, 0xfeed3d24d9997b62,
144 0x518bb6dfc3a54a23, 0x6dbf2d26151f9b90, 0xb5bc624b05ea664f, 0xe86aaa525acfe21a, 0x4801ced0fb53a0be,
145 0xc91463e6c00868ed, 0x1027a815cd16fe43, 0xf67069a0319204cd, 0xb04ccc976c8abce7, 0xc0b9b3fc35e87c33,
146 0xf380c77c58f2de65, 0x50bb3241de4e2152, 0xdf93f490435ef195, 0xf1e0d25d62390887, 0xaf668bfb1a3c3141,
147 0xbc11b251f00a7291, 0x73a5eed47e427d47, 0x25bee3f6ee4c3b2e, 0x43cc0beb34786282, 0xc824e778dde3039c,
148 0xf97d86d98a327728, 0xf2b043e24519b514, 0xe297ebf7880f4b57, 0x3a94a49a98fab688, 0x868516cb68f0c419,
149 0xeffa11af0964ee50, 0xa4ab4ec0d517f37d, 0xa9c6b498547c567a, 0x8e18424f80fbbbb6, 0x0bcdc53bcf2bc23c,
150 0x137739aaea3643d0, 0x2c1333ec1bac2ff0, 0x8d48d3f0a7db0625, 0x1e1ac3f26b5de6d7, 0xf520f81f16b2b95e,
151 0x9f0f6ec450062e84, 0x0130849e1deb6b71, 0xd45e31ab8c7533a9, 0x652279a2fd14e43f, 0x3209f01e70f1c927,
152 0xbe71a770cac1a473, 0x0e3d6be7a64b1894, 0x7ec8148cff29d840, 0xcb7476c7fac3be0f, 0x72956a4a63a91636,
153 0x37f95ec21991138f, 0x9e3fea5a4ded45f5, 0x7b38ba50964902e8, 0x222e580bbde73764, 0x61e253e0899f55e6,
154 0xfc8d2805e352ad80, 0x35994be3235ac56d, 0x09add01af5e014de, 0x5e8659a6780539c6, 0xb17c48097161d796,
155 0x026015213acbd6e2, 0xd1ae9f77e515e901, 0xb7dc776a3f21b0ad, 0xaba6a1b96eb78098, 0x9bcf4486248d9f5d,
156 0x582666c536455efd, 0xfdbdac9bfeb9c6f1, 0xc47999be4163cdea, 0x765540081722a7ef, 0x3e548ed8ec710751,
157 0x3d041f67cb51bac2, 0x7958af71ac82d40a, 0x36c9da5c047a78fe, 0xed9a048e33af38b2, 0x26ee7249c96c86bd,
158 0x900281bdeba65d61, 0x11172c8bd0fd9532, 0xea0abf73600434f8, 0x42fc8f75299309f3, 0x34a9cf7d3eb1ae1c,
159 0x2b838811480723ba, 0x5ce64c8742ceef24, 0x1adae9b01fd6570e, 0x3c349bf9d6bad1b3, 0x82453c891c7b75c0,
160 0x97923a40b80d512b, 0x4a61dbf1c198765c, 0xb48ce6d518010d3e, 0xcfb45c858e480fd6, 0xd933cbf30d1e96ae,
161 0xd70ea014ab558e3a, 0xc189376228031742, 0x9262949cd16d8b83, 0xeb3a3bed7def5f89, 0x49314a4ee6b8cbcf,
162 0xdcc3652f647e4c06, 0xda635a4c2a3e2b3d, 0x470c21a940f3d35b, 0x315961a157d174b4, 0x6672e81dda3459ac,
163 0x5b76f77a1165e36e, 0x445cb01667d36ec8, 0xc5491d205c88a69b, 0x456c34887a3805b9, 0xffddb9bac4721013,
164 0x99af51a71e4649bf, 0xa15be01cbc7729d5, 0x52db2760e485f7b0, 0x8c78576eba306d54, 0xae560f6507d75a30,
165 0x95f22f6182c687c9, 0x71c5fbf54489aba5, 0xca44f259e728d57e, 0x88b87d2ccebbdc8d, 0xbab18d32be4a15aa,
166 0x8be8ec93e99b611e, 0x17b713e89ebdf209, 0xb31c5d284baa0174, 0xeeca9531148f8521, 0xb8d198138481c348,
167 0x8988f9b2d350b7fc, 0xb9e11c8d996aa839, 0x5a4673e40c8e881f, 0x1687977683569978, 0xbf4123eed72acf02,
168 0x4ea1f1b3b513c785, 0xe767452be16f91ff, 0x7505d1b730021a7c, 0xa59bca5ec8fc980c, 0xad069eda20f7e7a3,
169 0x38f4b1bba231606a, 0x60d2d77e94743e97, 0x9affc0183966f42c, 0x248e6768f3a7505f, 0xcdd449a4b483d934,
170 0x87b59255751baf68, 0x1bea6d2e023d3c7f, 0x6b1f12455b5ffcab, 0x743555292de9710d, 0xd8034f6d10f5fddf,
171 0xc6198c9f7ba81b08, 0xbb8109aca3a17edb, 0xfa2d1766ad12cabb, 0xc729080166437079, 0x9c5fff7b77269317,
172 0x0000000000000000, 0x15d706c9a47624eb, 0x6fdf38072fd44d72, 0x5fb6dd3865ee52b7, 0xa33bf53d86bcff37,
173 0xe657c1b5fc84fa8e, 0xaa962527735cebe9, 0x39c43525bfda0b1b, 0x204e4d2a872ce186, 0x7a083ece8ba26999,
174 0x554b9c9db72efbfa, 0xb22cd9b656416a05, 0x96a2bedea5e63a5a, 0x802529a826b0a322, 0x8115ad363b5bc853,
175 0x8375b81701901eb1, 0x3069e53f4a3a1fc5, 0xbd2136cfede119e0, 0x18bafc91251d81ec, 0x1d4a524d4c7d5b44,
176 0x05f0aedc6960daa8, 0x29e39d3072ccf558, 0x70f57f6b5962c0d4, 0x989fd53903ad22ce, 0xf84d024797d91c59,
177 0x547b1803aac5908b, 0xf0d056c37fd263f6, 0xd56eb535919e58d8, 0x1c7ad6d351963035, 0x2e7326cd2167f912,
178 0xac361a443d1c8cd2, 0x697f076461942a49, 0x4b515f6fdc731d2d, 0x8ad8680df4700a6f, 0x41ac1eca0eb3b460,
179 0x7d988533d80965d3, 0xa8f6300649973d0b, 0x7765c4960ac9cc9e, 0x7ca801adc5e20ea2, 0xdea3700e5eb59ae4,
180 0xa06b6482a19c42a4, 0x6a2f96db46b497da, 0x27def6d7d487edcc, 0x463ca5375d18b82a, 0xa6cb5be1efdc259f,
181 0x53eba3fef96e9cc1, 0xce84d81b93a364a7, 0xf4107c810b59d22f, 0x333974806d1aa256, 0x0f0def79bba073e5,
182 0x231edc95a00c5c15, 0xe437d494c64f2c6c, 0x91320523f64d3610, 0x67426c83c7df32dd, 0x6eefbc99323f2603,
183 0x9d6f7be56acdf866, 0x5916e25b2bae358c, 0x7ff89012e2c2b331, 0x035091bf2720bd93, 0x561b0d22900e4669,
184 0x28d319ae6f279e29, 0x2f43a2533c8c9263, 0xd09e1be9f8fe8270, 0xf740ed3e2c796fbc, 0xdb53ded237d5404c,
185 0x62b2c25faebfe875, 0x0afd41a5d2c0a94d, 0x6412fd3ce0ff8f4e, 0xe3a76f6995e42026, 0x6c8fa9b808f4f0e1,
186 0xc2d9a6dd0f23aad1, 0x8f28c6d19d10d0c7, 0x85d587744fd0798a, 0xa20b71a39b579446, 0x684f83fa7c7f4138,
187 0xe507500adba4471d, 0x3f640a46f19a6c20, 0x1247bd34f7dd28a1, 0x2d23b77206474481, 0x93521002cc86e0f2,
188 0x572b89bc8de52d18, 0xfb1d93f8b0f9a1ca, 0xe95a2ecc4724896b, 0x3ba420048511ddf9, 0xd63e248ab6bee54b,
189 0x5dd6c8195f258455, 0x06a03f634e40673b, 0x1f2a476c76b68da6, 0x217ec9b49ac78af7, 0xecaa80102e4453c3,
190 0x14e78257b99d4f9a},
191 {0x20329b2cc87bba05, 0x4f5eb6f86546a531, 0xd4f44775f751b6b1, 0x8266a47b850dfa8b, 0xbb986aa15a6ca985,
192 0xc979eb08f9ae0f99, 0x2da6f447a2375ea1, 0x1e74275dcd7d8576, 0xbc20180a800bc5f8, 0xb4a2f701b2dc65be,
193 0xe726946f981b6d66, 0x48e6c453bf21c94c, 0x42cad9930f0a4195, 0xefa47b64aacccd20, 0x71180a8960409a42,
194 0x8bb3329bf6a44e0c, 0xd34c35de2d36dacc, 0xa92f5b7cbc23dc96, 0xb31a85aa68bb09c3, 0x13e04836a73161d2,
195 0xb24dfc4129c51d02, 0x8ae44b70b7da5acd, 0xe671ed84d96579a7, 0xa4bb3417d66f3832, 0x4572ab38d56d2de8,
196 0xb1b47761ea47215c, 0xe81c09cf70aba15d, 0xffbdb872ce7f90ac, 0xa8782297fd5dc857, 0x0d946f6b6a4ce4a4,
197 0xe4df1f4f5b995138, 0x9ebc71edca8c5762, 0x0a2c1dc0b02b88d9, 0x3b503c115d9d7b91, 0xc64376a8111ec3a2,
198 0xcec199a323c963e4, 0xdc76a87ec58616f7, 0x09d596e073a9b487, 0x14583a9d7d560daf, 0xf4c6dc593f2a0cb4,
199 0xdd21d19584f80236, 0x4a4836983ddde1d3, 0xe58866a41ae745f9, 0xf591a5b27e541875, 0x891dc05074586693,
200 0x5b068c651810a89e, 0xa30346bc0c08544f, 0x3dbf3751c684032d, 0x2a1e86ec785032dc, 0xf73f5779fca830ea,
201 0xb60c05ca30204d21, 0x0cc316802b32f065, 0x8770241bdd96be69, 0xb861e18199ee95db, 0xf805cad91418fcd1,
202 0x29e70dccbbd20e82, 0xc7140f435060d763, 0x0f3a9da0e8b0cc3b, 0xa2543f574d76408e, 0xbd7761e1c175d139,
203 0x4b1f4f737ca3f512, 0x6dc2df1f2fc137ab, 0xf1d05c3967b14856, 0xa742bf3715ed046c, 0x654030141d1697ed,
204 0x07b872abda676c7d, 0x3ce84eba87fa17ec, 0xc1fb0403cb79afdf, 0x3e46bc7105063f73, 0x278ae987121cd678,
205 0xa1adb4778ef47cd0, 0x26dd906c5362c2b9, 0x05168060589b44e2, 0xfbfc41f9d79ac08f, 0x0e6de44ba9ced8fa,
206 0x9feb08068bf243a3, 0x7b341749d06b129b, 0x229c69e74a87929a, 0xe09ee6c4427c011b, 0x5692e30e725c4c3a,
207 0xda99a33e5e9f6e4b, 0x353dd85af453a36b, 0x25241b4c90e0fee7, 0x5de987258309d022, 0xe230140fc0802984,
208 0x93281e86a0c0b3c6, 0xf229d719a4337408, 0x6f6c2dd4ad3d1f34, 0x8ea5b2fbae3f0aee, 0x8331dd90c473ee4a,
209 0x346aa1b1b52db7aa, 0xdf8f235e06042aa9, 0xcc6f6b68a1354b7b, 0x6c95a6f46ebf236a, 0x52d31a856bb91c19,
210 0x1a35ded6d498d555, 0xf37eaef2e54d60c9, 0x72e181a9a3c2a61c, 0x98537aad51952fde, 0x16f6c856ffaa2530,
211 0xd960281e9d1d5215, 0x3a0745fa1ce36f50, 0x0b7b642bf1559c18, 0x59a87eae9aec8001, 0x5e100c05408bec7c,
212 0x0441f98b19e55023, 0xd70dcc5534d38aef, 0x927f676de1bea707, 0x9769e70db925e3e5, 0x7a636ea29115065a,
213 0x468b201816ef11b6, 0xab81a9b73edff409, 0xc0ac7de88a07bb1e, 0x1f235eb68c0391b7, 0x6056b074458dd30f,
214 0xbe8eeac102f7ed67, 0xcd381283e04b5fba, 0x5cbefecec277c4e3, 0xd21b4c356c48ce0d, 0x1019c31664b35d8c,
215 0x247362a7d19eea26, 0xebe582efb3299d03, 0x02aef2cb82fc289f, 0x86275df09ce8aaa8, 0x28b07427faac1a43,
216 0x38a9b7319e1f47cf, 0xc82e92e3b8d01b58, 0x06ef0b409b1978bc, 0x62f842bfc771fb90, 0x9904034610eb3b1f,
217 0xded85ab5477a3e68, 0x90d195a663428f98, 0x5384636e2ac708d8, 0xcbd719c37b522706, 0xae9729d76644b0eb,
218 0x7c8c65e20a0c7ee6, 0x80c856b007f1d214, 0x8c0b40302cc32271, 0xdbcedad51fe17a8a, 0x740e8ae938dbdea0,
219 0xa615c6dc549310ad, 0x19cc55f6171ae90b, 0x49b1bdb8fe5fdd8d, 0xed0a89af2830e5bf, 0x6a7aadb4f5a65bd6,
220 0x7e22972988f05679, 0xf952b3325566e810, 0x39fecedadf61530e, 0x6101c99f04f3c7ce, 0x2e5f7f6761b562ff,
221 0xf08725d226cf5c97, 0x63af3b54860fef51, 0x8ff2cb10ef411e2f, 0x884ab9bb35267252, 0x4df04433e7ba8dae,
222 0x9afd8866d3690741, 0x66b9bb34de94abb3, 0x9baaf18d92171380, 0x543c11c5f0a064a5, 0x17a1b1bdbed431f1,
223 0xb5f58eeaf3a2717f, 0xc355f6c849858740, 0xec5df044694ef17e, 0xd83751f5dc6346d4, 0xfc4433520dfdacf2,
224 0x0000000000000000, 0x5a51f58e596ebc5f, 0x3285aaf12e34cf16, 0x8d5c39db6dbd36b0, 0x12b731dde64f7513,
225 0x94906c2d7aa7dfbb, 0x302b583aacc8e789, 0x9d45facd090e6b3c, 0x2165e2c78905aec4, 0x68d45f7f775a7349,
226 0x189b2c1d5664fdca, 0xe1c99f2f030215da, 0x6983269436246788, 0x8489af3b1e148237, 0xe94b702431d5b59c,
227 0x33d2d31a6f4adbd7, 0xbfd9932a4389f9a6, 0xb0e30e8aab39359d, 0xd1e2c715afcaf253, 0x150f43763c28196e,
228 0xc4ed846393e2eb3d, 0x03f98b20c3823c5e, 0xfd134ab94c83b833, 0x556b682eb1de7064, 0x36c4537a37d19f35,
229 0x7559f30279a5ca61, 0x799ae58252973a04, 0x9c12832648707ffd, 0x78cd9c6913e92ec5, 0x1d8dac7d0effb928,
230 0x439da0784e745554, 0x413352b3cc887dcb, 0xbacf134a1b12bd44, 0x114ebafd25cd494d, 0x2f08068c20cb763e,
231 0x76a07822ba27f63f, 0xeab2fb04f25789c2, 0xe3676de481fe3d45, 0x1b62a73d95e6c194, 0x641749ff5c68832c,
232 0xa5ec4dfc97112cf3, 0xf6682e92bdd6242b, 0x3f11c59a44782bb2, 0x317c21d1edb6f348, 0xd65ab5be75ad9e2e,
233 0x6b2dd45fb4d84f17, 0xfaab381296e4d44e, 0xd0b5befeeeb4e692, 0x0882ef0b32d7a046, 0x512a91a5a83b2047,
234 0x963e9ee6f85bf724, 0x4e09cf132438b1f0, 0x77f701c9fb59e2fe, 0x7ddb1c094b726a27, 0x5f4775ee01f5f8bd,
235 0x9186ec4d223c9b59, 0xfeeac1998f01846d, 0xac39db1ce4b89874, 0xb75b7c21715e59e0, 0xafc0503c273aa42a,
236 0x6e3b543fec430bf5, 0x704f7362213e8e83, 0x58ff0745db9294c0, 0x67eec2df9feabf72, 0xa0facd9ccf8a6811,
237 0xb936986ad890811a, 0x95c715c63bd9cb7a, 0xca8060283a2c33c7, 0x507de84ee9453486, 0x85ded6d05f6a96f6,
238 0x1cdad5964f81ade9, 0xd5a33e9eb62fa270, 0x40642b588df6690a, 0x7f75eec2c98e42b8, 0x2cf18dace3494a60,
239 0x23cb100c0bf9865b, 0xeef3028febb2d9e1, 0x4425d2d394133929, 0xaad6d05c7fa1e0c8, 0xad6ea2f7a5c68cb5,
240 0xc2028f2308fb9381, 0x819f2f5b468fc6d5, 0xc5bafd88d29cfffc, 0x47dc59f357910577, 0x2b49ff07392e261d,
241 0x57c59ae5332258fb, 0x73b6f842e2bcb2dd, 0xcf96e04862b77725, 0x4ca73dd8a6c4996f, 0x015779eb417e14c1,
242 0x37932a9176af8bf4},
243 {0x190a2c9b249df23e, 0x2f62f8b62263e1e9, 0x7a7f754740993655, 0x330b7ba4d5564d9f, 0x4c17a16a46672582,
244 0xb22f08eb7d05f5b8, 0x535f47f40bc148cc, 0x3aec5d27d4883037, 0x10ed0a1825438f96, 0x516101f72c233d17,
245 0x13cc6f949fd04eae, 0x739853c441474bfd, 0x653793d90d3f5b1b, 0x5240647b96b0fc2f, 0x0c84890ad27623e0,
246 0xd7189b32703aaea3, 0x2685de3523bd9c41, 0x99317c5b11bffefa, 0x0d9baa854f079703, 0x70b93648fbd48ac5,
247 0xa80441fce30bc6be, 0x7287704bdc36ff1e, 0xb65384ed33dc1f13, 0xd36417343ee34408, 0x39cd38ab6e1bf10f,
248 0x5ab861770a1f3564, 0x0ebacf09f594563b, 0xd04572b884708530, 0x3cae9722bdb3af47, 0x4a556b6f2f5cbaf2,
249 0xe1704f1f76c4bd74, 0x5ec4ed7144c6dfcf, 0x16afc01d4c7810e6, 0x283f113cd629ca7a, 0xaf59a8761741ed2d,
250 0xeed5a3991e215fac, 0x3bf37ea849f984d4, 0xe413e096a56ce33c, 0x2c439d3a98f020d1, 0x637559dc6404c46b,
251 0x9e6c95d1e5f5d569, 0x24bb9836045fe99a, 0x44efa466dac8ecc9, 0xc6eab2a5c80895d6, 0x803b50c035220cc4,
252 0x0321658cba93c138, 0x8f9ebc465dc7ee1c, 0xd15a5137190131d3, 0x0fa5ec8668e5e2d8, 0x91c979578d1037b1,
253 0x0642ca05693b9f70, 0xefca80168350eb4f, 0x38d21b24f36a45ec, 0xbeab81e1af73d658, 0x8cbfd9cae7542f24,
254 0xfd19cc0d81f11102, 0x0ac6430fbb4dbc90, 0x1d76a09d6a441895, 0x2a01573ff1cbbfa1, 0xb572e161894fde2b,
255 0x8124734fa853b827, 0x614b1fdf43e6b1b0, 0x68ac395c4238cc18, 0x21d837bfd7f7b7d2, 0x20c714304a860331,
256 0x5cfaab726324aa14, 0x74c5ba4eb50d606e, 0xf3a3030474654739, 0x23e671bcf015c209, 0x45f087e947b9582a,
257 0xd8bd77b418df4c7b, 0xe06f6c90ebb50997, 0x0bd96080263c0873, 0x7e03f9410e40dcfe, 0xb8e94be4c6484928,
258 0xfb5b0608e8ca8e72, 0x1a2b49179e0e3306, 0x4e29e76961855059, 0x4f36c4e6fcf4e4ba, 0x49740ee395cf7bca,
259 0xc2963ea386d17f7d, 0x90d65ad810618352, 0x12d34c1b02a1fa4d, 0xfa44258775bb3a91, 0x18150f14b9ec46dd,
260 0x1491861e6b9a653d, 0x9a1019d7ab2c3fc2, 0x3668d42d06fe13d7, 0xdcc1fbb25606a6d0, 0x969490dd795a1c22,
261 0x3549b1a1bc6dd2ef, 0xc94f5e23a0ed770e, 0xb9f6686b5b39fdcb, 0xc4d4f4a6efeae00d, 0xe732851a1fff2204,
262 0x94aad6de5eb869f9, 0x3f8ff2ae07206e7f, 0xfe38a9813b62d03a, 0xa7a1ad7a8bee2466, 0x7b6056c8dde882b6,
263 0x302a1e286fc58ca7, 0x8da0fa457a259bc7, 0xb3302b64e074415b, 0x5402ae7eff8b635f, 0x08f8050c9cafc94b,
264 0xae468bf98a3059ce, 0x88c355cca98dc58f, 0xb10e6d67c7963480, 0xbad70de7e1aa3cf3, 0xbfb4a26e320262bb,
265 0xcb711820870f02d5, 0xce12b7a954a75c9d, 0x563ce87dd8691684, 0x9f73b65e7884618a, 0x2b1e74b06cba0b42,
266 0x47cec1ea605b2df1, 0x1c698312f735ac76, 0x5fdbcefed9b76b2c, 0x831a354c8fb1cdfc, 0x820516c312c0791f,
267 0xb74ca762aeadabf0, 0xfc06ef821c80a5e1, 0x5723cbf24518a267, 0x9d4df05d5f661451, 0x588627742dfd40bf,
268 0xda8331b73f3d39a0, 0x17b0e392d109a405, 0xf965400bcf28fba9, 0x7c3dbf4229a2a925, 0x023e460327e275db,
269 0x6cd0b55a0ce126b3, 0xe62da695828e96e7, 0x42ad6e63b3f373b9, 0xe50cc319381d57df, 0xc5cbd729729b54ee,
270 0x46d1e265fd2a9912, 0x6428b056904eeff8, 0x8be23040131e04b7, 0x6709d5da2add2ec0, 0x075de98af44a2b93,
271 0x8447dcc67bfbe66f, 0x6616f655b7ac9a23, 0xd607b8bded4b1a40, 0x0563af89d3a85e48, 0x3db1b4ad20c21ba4,
272 0x11f22997b8323b75, 0x292032b34b587e99, 0x7f1cdace9331681d, 0x8e819fc9c0b65aff, 0xa1e3677fe2d5bb16,
273 0xcd33d225ee349da5, 0xd9a2543b85aef898, 0x795e10cbfa0af76d, 0x25a4bbb9992e5d79, 0x78413344677b438e,
274 0xf0826688cef68601, 0xd27b34bba392f0eb, 0x551d8df162fad7bc, 0x1e57c511d0d7d9ad, 0xdeffbdb171e4d30b,
275 0xf4feea8e802f6caa, 0xa480c8f6317de55e, 0xa0fc44f07fa40ff5, 0x95b5f551c3c9dd1a, 0x22f952336d6476ea,
276 0x0000000000000000, 0xa6be8ef5169f9085, 0xcc2cf1aa73452946, 0x2e7ddb39bf12550a, 0xd526dd3157d8db78,
277 0x486b2d6c08becf29, 0x9b0f3a58365d8b21, 0xac78cdfaadd22c15, 0xbc95c7e28891a383, 0x6a927f5f65dab9c3,
278 0xc3891d2c1ba0cb9e, 0xeaa92f9f50f8b507, 0xcf0d9426c9d6e87e, 0xca6e3baf1a7eb636, 0xab25247059980786,
279 0x69b31ad3df4978fb, 0xe2512a93cc577c4c, 0xff278a0ea61364d9, 0x71a615c766a53e26, 0x89dc764334fc716c,
280 0xf87a638452594f4a, 0xf2bc208be914f3da, 0x8766b94ac1682757, 0xbbc82e687cdb8810, 0x626a7a53f9757088,
281 0xa2c202f358467a2e, 0x4d0882e5db169161, 0x09e7268301de7da8, 0xe897699c771ac0dc, 0xc8507dac3d9cc3ed,
282 0xc0a878a0a1330aa6, 0x978bb352e42ba8c1, 0xe9884a13ea6b743f, 0x279afdbabecc28a2, 0x047c8c064ed9eaab,
283 0x507e2278b15289f4, 0x599904fbb08cf45c, 0xbd8ae46d15e01760, 0x31353da7f2b43844, 0x8558ff49e68a528c,
284 0x76fbfc4d92ef15b5, 0x3456922e211c660c, 0x86799ac55c1993b4, 0x3e90d1219a51da9c, 0x2d5cbeb505819432,
285 0x982e5fd48cce4a19, 0xdb9c1238a24c8d43, 0xd439febecaa96f9b, 0x418c0bef0960b281, 0x158ea591f6ebd1de,
286 0x1f48e69e4da66d4e, 0x8afd13cf8e6fb054, 0xf5e1c9011d5ed849, 0xe34e091c5126c8af, 0xad67ee7530a398f6,
287 0x43b24dec2e82c75a, 0x75da99c1287cd48d, 0x92e81cdb3783f689, 0xa3dd217cc537cecd, 0x60543c50de970553,
288 0x93f73f54aaf2426a, 0xa91b62737e7a725d, 0xf19d4507538732e2, 0x77e4dfc20f9ea156, 0x7d229ccdb4d31dc6,
289 0x1b346a98037f87e5, 0xedf4c615a4b29e94, 0x4093286094110662, 0xb0114ee85ae78063, 0x6ff1d0d6b672e78b,
290 0x6dcf96d591909250, 0xdfe09e3eec9567e8, 0x3214582b4827f97c, 0xb46dc2ee143e6ac8, 0xf6c0ac8da7cd1971,
291 0xebb60c10cd8901e4, 0xf7df8f023abcad92, 0x9c52d3d2c217a0b2, 0x6b8d5cd0f8ab0d20, 0x3777f7a29b8fa734,
292 0x011f238f9d71b4e3, 0xc1b75b2f3c42be45, 0x5de588fdfe551ef7, 0x6eeef3592b035368, 0xaa3a07ffc4e9b365,
293 0xecebe59a39c32a77, 0x5ba742f8976e8187, 0x4b4a48e0b22d0e11, 0xddded83dcb771233, 0xa59feb79ac0c51bd,
294 0xc7f5912a55792135},
295 {0x6d6ae04668a9b08a, 0x3ab3f04b0be8c743, 0xe51e166b54b3c908, 0xbe90a9eb35c2f139, 0xb2c7066637f2bec1,
296 0xaa6945613392202c, 0x9a28c36f3b5201eb, 0xddce5a93ab536994, 0x0e34133ef6382827, 0x52a02ba1ec55048b,
297 0xa2f88f97c4b2a177, 0x8640e513ca2251a5, 0xcdf1d36258137622, 0xfe6cb708dedf8ddb, 0x8a174a9ec8121e5d,
298 0x679896036b81560e, 0x59ed033395795fee, 0x1dd778ab8b74edaf, 0xee533ef92d9f926d, 0x2a8c79baf8a8d8f5,
299 0x6bcf398e69b119f6, 0xe20491742fafdd95, 0x276488e0809c2aec, 0xea955b82d88f5cce, 0x7102c63a99d9e0c4,
300 0xf9763017a5c39946, 0x429fa2501f151b3d, 0x4659c72bea05d59e, 0x984b7fdccf5a6634, 0xf742232953fbb161,
301 0x3041860e08c021c7, 0x747bfd9616cd9386, 0x4bb1367192312787, 0x1b72a1638a6c44d3, 0x4a0e68a6e8359a66,
302 0x169a5039f258b6ca, 0xb98a2ef44edee5a4, 0xd9083fe85e43a737, 0x967f6ce239624e13, 0x8874f62d3c1a7982,
303 0x3c1629830af06e3f, 0x9165ebfd427e5a8e, 0xb5dd81794ceeaa5c, 0x0de8f15a7834f219, 0x70bd98ede3dd5d25,
304 0xaccc9ca9328a8950, 0x56664eda1945ca28, 0x221db34c0f8859ae, 0x26dbd637fa98970d, 0x1acdffb4f068f932,
305 0x4585254f64090fa0, 0x72de245e17d53afa, 0x1546b25d7c546cf4, 0x207e0ffffb803e71, 0xfaaad2732bcf4378,
306 0xb462dfae36ea17bd, 0xcf926fd1ac1b11fd, 0xe0672dc7dba7ba4a, 0xd3fa49ad5d6b41b3, 0x8ba81449b216a3bc,
307 0x14f9ec8a0650d115, 0x40fc1ee3eb1d7ce2, 0x23a2ed9b758ce44f, 0x782c521b14fddc7e, 0x1c68267cf170504e,
308 0xbcf31558c1ca96e6, 0xa781b43b4ba6d235, 0xf6fd7dfe29ff0c80, 0xb0a4bad5c3fad91e, 0xd199f51ea963266c,
309 0x414340349119c103, 0x5405f269ed4dadf7, 0xabd61bb649969dcd, 0x6813dbeae7bdc3c8, 0x65fb2ab09f8931d1,
310 0xf1e7fae152e3181d, 0xc1a67cef5a2339da, 0x7a4feea8e0f5bba1, 0x1e0b9acf05783791, 0x5b8ebf8061713831,
311 0x80e53cdbcb3af8d9, 0x7e898bd315e57502, 0xc6bcfbf0213f2d47, 0x95a38e86b76e942d, 0x092e94218d243cba,
312 0x8339debf453622e7, 0xb11be402b9fe64ff, 0x57d9100d634177c9, 0xcc4e8db52217cbc3, 0x3b0cae9c71ec7aa2,
313 0xfb158ca451cbfe99, 0x2b33276d82ac6514, 0x01bf5ed77a04bde1, 0xc5601994af33f779, 0x75c4a3416cc92e67,
314 0xf3844652a6eb7fc2, 0x3487e375fdd0ef64, 0x18ae430704609eed, 0x4d14efb993298efb, 0x815a620cb13e4538,
315 0x125c354207487869, 0x9eeea614ce42cf48, 0xce2d3106d61fac1c, 0xbbe99247bad6827b, 0x071a871f7b1c149d,
316 0x2e4a1cc10db81656, 0x77a71ff298c149b8, 0x06a5d9c80118a97c, 0xad73c27e488e34b1, 0x443a7b981e0db241,
317 0xe3bbcfa355ab6074, 0x0af276450328e684, 0x73617a896dd1871b, 0x58525de4ef7de20f, 0xb7be3dcab8e6cd83,
318 0x19111dd07e64230c, 0x842359a03e2a367a, 0x103f89f1f3401fb6, 0xdc710444d157d475, 0xb835702334da5845,
319 0x4320fc876511a6dc, 0xd026abc9d3679b8d, 0x17250eee885c0b2b, 0x90dab52a387ae76f, 0x31fed8d972c49c26,
320 0x89cba8fa461ec463, 0x2ff5421677bcabb7, 0x396f122f85e41d7d, 0xa09b332430bac6a8, 0xc888e8ced7070560,
321 0xaeaf201ac682ee8f, 0x1180d7268944a257, 0xf058a43628e7a5fc, 0xbd4c4b8fbbce2b07, 0xa1246df34abe7b49,
322 0x7d5569b79be9af3c, 0xa9b5a705bd9efa12, 0xdb6b835baa4bc0e8, 0x05793bac8f147342, 0x21c1512881848390,
323 0xfdb0556c50d357e5, 0x613d4fcb6a99ff72, 0x03dce2648e0cda3e, 0xe949b9e6568386f0, 0xfc0f0bbb2ad7ea04,
324 0x6a70675913b5a417, 0x7f36d5046fe1c8e3, 0x0c57af8d02304ff8, 0x32223abdfcc84618, 0x0891caf6f720815b,
325 0xa63eeaec31a26fd4, 0x2507345374944d33, 0x49d28ac266394058, 0xf5219f9aa7f3d6be, 0x2d96fea583b4cc68,
326 0x5a31e1571b7585d0, 0x8ed12fe53d02d0fe, 0xdfade6205f5b0e4b, 0x4cabb16ee92d331a, 0x04c6657bf510cea3,
327 0xd73c2cd6a87b8f10, 0xe1d87310a1a307ab, 0x6cd5be9112ad0d6b, 0x97c032354366f3f2, 0xd4e0ceb22677552e,
328 0x0000000000000000, 0x29509bde76a402cb, 0xc27a9e8bd42fe3e4, 0x5ef7842cee654b73, 0xaf107ecdbc86536e,
329 0x3fcacbe784fcb401, 0xd55f90655c73e8cf, 0xe6c2f40fdabf1336, 0xe8f6e7312c873b11, 0xeb2a0555a28be12f,
330 0xe4a148bc2eb774e9, 0x9b979db84156bc0a, 0x6eb60222e6a56ab4, 0x87ffbbc4b026ec44, 0xc703a5275b3b90a6,
331 0x47e699fc9001687f, 0x9c8d1aa73a4aa897, 0x7cea3760e1ed12dd, 0x4ec80ddd1d2554c5, 0x13e36b957d4cc588,
332 0x5d2b66486069914d, 0x92b90999cc7280b0, 0x517cc9c56259deb5, 0xc937b619ad03b881, 0xec30824ad997f5b2,
333 0xa45d565fc5aa080b, 0xd6837201d27f32f1, 0x635ef3789e9198ad, 0x531f75769651b96a, 0x4f77530a6721e924,
334 0x486dd4151c3dfdb9, 0x5f48dafb9461f692, 0x375b011173dc355a, 0x3da9775470f4d3de, 0x8d0dcd81b30e0ac0,
335 0x36e45fc609d888bb, 0x55baacbe97491016, 0x8cb29356c90ab721, 0x76184125e2c5f459, 0x99f4210bb55edbd5,
336 0x6f095cf59ca1d755, 0x9f51f8c3b44672a9, 0x3538bda287d45285, 0x50c39712185d6354, 0xf23b1885dcefc223,
337 0x79930ccc6ef9619f, 0xed8fdc9da3934853, 0xcb540aaa590bdf5e, 0x5c94389f1a6d2cac, 0xe77daad8a0bbaed7,
338 0x28efc5090ca0bf2a, 0xbf2ff73c4fc64cd8, 0xb37858b14df60320, 0xf8c96ec0dfc724a7, 0x828680683f329f06,
339 0x941cd051cd6a29cc, 0xc3c5c05cae2b5e05, 0xb601631dc2e27062, 0xc01922382027843b, 0x24b86a840e90f0d2,
340 0xd245177a276ffc52, 0x0f8b4de98c3c95c6, 0x3e759530fef809e0, 0x0b4d2892792c5b65, 0xc4df4743d5374a98,
341 0xa5e20888bfaeb5ea, 0xba56cc90c0d23f9a, 0x38d04cf8ffe0a09c, 0x62e1adafe495254c, 0x0263bcb3f40867df,
342 0xcaeb547d230f62bf, 0x6082111c109d4293, 0xdad4dd8cd04f7d09, 0xefec602e579b2f8c, 0x1fb4c4187f7c8a70,
343 0xffd3e9dfa4db303a, 0x7bf0b07f9af10640, 0xf49ec14dddf76b5f, 0x8f6e713247066d1f, 0x339d646a86ccfbf9,
344 0x64447467e58d8c30, 0x2c29a072f9b07189, 0xd8b7613f24471ad6, 0x6627c8d41185ebef, 0xa347d140beb61c96,
345 0xde12b8f7255fb3aa, 0x9d324470404e1576, 0x9306574eb6763d51, 0xa80af9d2c79a47f3, 0x859c0777442e8b9b,
346 0x69ac853d9db97e29},
347 {0xc3407dfc2de6377e, 0x5b9e93eea4256f77, 0xadb58fdd50c845e0, 0x5219ff11a75bed86, 0x356b61cfd90b1de9,
348 0xfb8f406e25abe037, 0x7a5a0231c0f60796, 0x9d3cd216e1f5020b, 0x0c6550fb6b48d8f3, 0xf57508c427ff1c62,
349 0x4ad35ffa71cb407d, 0x6290a2da1666aa6d, 0xe284ec2349355f9f, 0xb3c307c53d7c84ec, 0x05e23c0468365a02,
350 0x190bac4d6c9ebfa8, 0x94bbbee9e28b80fa, 0xa34fc777529cb9b5, 0xcc7b39f095bcd978, 0x2426addb0ce532e3,
351 0x7e79329312ce4fc7, 0xab09a72eebec2917, 0xf8d15499f6b9d6c2, 0x1a55b8babf8c895d, 0xdb8add17fb769a85,
352 0xb57f2f368658e81b, 0x8acd36f18f3f41f6, 0x5ce3b7bba50f11d3, 0x114dcc14d5ee2f0a, 0xb91a7fcded1030e8,
353 0x81d5425fe55de7a1, 0xb6213bc1554adeee, 0x80144ef95f53f5f2, 0x1e7688186db4c10c, 0x3b912965db5fe1bc,
354 0xc281715a97e8252d, 0x54a5d7e21c7f8171, 0x4b12535ccbc5522e, 0x1d289cefbea6f7f9, 0x6ef5f2217d2e729e,
355 0xe6a7dc819b0d17ce, 0x1b94b41c05829b0e, 0x33d7493c622f711e, 0xdcf7f942fa5ce421, 0x600fba8b7f7a8ecb,
356 0x46b60f011a83988e, 0x235b898e0dcf4c47, 0x957ab24f588592a9, 0x4354330572b5c28c, 0xa5f3ef84e9b8d542,
357 0x8c711e02341b2d01, 0x0b1874ae6a62a657, 0x1213d8e306fc19ff, 0xfe6d7c6a4d9dba35, 0x65ed868f174cd4c9,
358 0x88522ea0e6236550, 0x899322065c2d7703, 0xc01e690bfef4018b, 0x915982ed8abddaf8, 0xbe675b98ec3a4e4c,
359 0xa996bf7f82f00db1, 0xe1daf8d49a27696a, 0x2effd5d3dc8986e7, 0xd153a51f2b1a2e81, 0x18caa0ebd690adfb,
360 0x390e3134b243c51a, 0x2778b92cdff70416, 0x029f1851691c24a6, 0x5e7cafeacc133575, 0xfa4e4cc89fa5f264,
361 0x5a5f9f481e2b7d24, 0x484c47ab18d764db, 0x400a27f2a1a7f479, 0xaeeb9b2a83da7315, 0x721c626879869734,
362 0x042330a2d2384851, 0x85f672fd3765aff0, 0xba446b3a3e02061d, 0x73dd6ecec3888567, 0xffac70ccf793a866,
363 0xdfa9edb5294ed2d4, 0x6c6aea7014325638, 0x834a5a0e8c41c307, 0xcdba35562fb2cb2b, 0x0ad97808d06cb404,
364 0x0f3b440cb85aee06, 0xe5f9c876481f213b, 0x98deee1289c35809, 0x59018bbfcd394bd1, 0xe01bf47220297b39,
365 0xde68e1139340c087, 0x9fa3ca4788e926ad, 0xbb85679c840c144e, 0x53d8f3b71d55ffd5, 0x0da45c5dd146caa0,
366 0x6f34fe87c72060cd, 0x57fbc315cf6db784, 0xcee421a1fca0fdde, 0x3d2d0196607b8d4b, 0x642c8a29ad42c69a,
367 0x14aff010bdd87508, 0xac74837beac657b3, 0x3216459ad821634d, 0x3fb219c70967a9ed, 0x06bc28f3bb246cf7,
368 0xf2082c9126d562c6, 0x66b39278c45ee23c, 0xbd394f6f3f2878b9, 0xfd33689d9e8f8cc0, 0x37f4799eb017394f,
369 0x108cc0b26fe03d59, 0xda4bd1b1417888d6, 0xb09d1332ee6eb219, 0x2f3ed975668794b4, 0x58c0871977375982,
370 0x7561463d78ace990, 0x09876cff037e82f1, 0x7fb83e35a8c05d94, 0x26b9b58a65f91645, 0xef20b07e9873953f,
371 0x3148516d0b3355b8, 0x41cb2b541ba9e62a, 0x790416c613e43163, 0xa011d380818e8f40, 0x3a5025c36151f3ef,
372 0xd57095bdf92266d0, 0x498d4b0da2d97688, 0x8b0c3a57353153a5, 0x21c491df64d368e1, 0x8f2f0af5e7091bf4,
373 0x2da1c1240f9bb012, 0xc43d59a92ccc49da, 0xbfa6573e56345c1f, 0x828b56a8364fd154, 0x9a41f643e0df7caf,
374 0xbcf843c985266aea, 0x2b1de9d7b4bfdce5, 0x20059d79dedd7ab2, 0x6dabe6d6ae3c446b, 0x45e81bf6c991ae7b,
375 0x6351ae7cac68b83e, 0xa432e32253b6c711, 0xd092a9b991143cd2, 0xcac711032e98b58f, 0xd8d4c9e02864ac70,
376 0xc5fc550f96c25b89, 0xd7ef8dec903e4276, 0x67729ede7e50f06f, 0xeac28c7af045cf3d, 0xb15c1f945460a04a,
377 0x9cfddeb05bfb1058, 0x93c69abce3a1fe5e, 0xeb0380dc4a4bdd6e, 0xd20db1e8f8081874, 0x229a8528b7c15e14,
378 0x44291750739fbc28, 0xd3ccbd4e42060a27, 0xf62b1c33f4ed2a97, 0x86a8660ae4779905, 0xd62e814a2a305025,
379 0x477703a7a08d8add, 0x7b9b0e977af815c5, 0x78c51a60a9ea2330, 0xa6adfb733aaae3b7, 0x97e5aa1e3199b60f,
380 0x0000000000000000, 0xf4b404629df10e31, 0x5564db44a6719322, 0x9207961a59afec0d, 0x9624a6b88b97a45c,
381 0x363575380a192b1c, 0x2c60cd82b595a241, 0x7d272664c1dc7932, 0x7142769faa94a1c1, 0xa1d0df263b809d13,
382 0x1630e841d4c451ae, 0xc1df65ad44fa13d8, 0x13d2d445bcf20bac, 0xd915c546926abe23, 0x38cf3d92084dd749,
383 0xe766d0272103059d, 0xc7634d5effde7f2f, 0x077d2455012a7ea4, 0xedbfa82ff16fb199, 0xaf2a978c39d46146,
384 0x42953fa3c8bbd0df, 0xcb061da59496a7dc, 0x25e7a17db6eb20b0, 0x34aa6d6963050fba, 0xa76cf7d580a4f1e4,
385 0xf7ea10954ee338c4, 0xfcf2643b24819e93, 0xcf252d0746aeef8d, 0x4ef06f58a3f3082c, 0x563acfb37563a5d7,
386 0x5086e740ce47c920, 0x2982f186dda3f843, 0x87696aac5e798b56, 0x5d22bb1d1f010380, 0x035e14f7d31236f5,
387 0x3cec0d30da759f18, 0xf3c920379cdb7095, 0xb8db736b571e22bb, 0xdd36f5e44052f672, 0xaac8ab8851e23b44,
388 0xa857b3d938fe1fe2, 0x17f1e4e76eca43fd, 0xec7ea4894b61a3ca, 0x9e62c6e132e734fe, 0xd4b1991b432c7483,
389 0x6ad6c283af163acf, 0x1ce9904904a8e5aa, 0x5fbda34c761d2726, 0xf910583f4cb7c491, 0xc6a241f845d06d7c,
390 0x4f3163fe19fd1a7f, 0xe99c988d2357f9c8, 0x8eee06535d0709a7, 0x0efa48aa0254fc55, 0xb4be23903c56fa48,
391 0x763f52caabbedf65, 0xeee1bcd8227d876c, 0xe345e085f33b4dcc, 0x3e731561b369bbbe, 0x2843fd2067adea10,
392 0x2adce5710eb1ceb6, 0xb7e03767ef44ccbd, 0x8db012a48e153f52, 0x61ceb62dc5749c98, 0xe85d942b9959eb9b,
393 0x4c6f7709caef2c8a, 0x84377e5b8d6bbda3, 0x30895dcbb13d47eb, 0x74a04a9bc2a2fbc3, 0x6b17ce251518289c,
394 0xe438c4d0f2113368, 0x1fb784bed7bad35f, 0x9b80fae55ad16efc, 0x77fe5e6c11b0cd36, 0xc858095247849129,
395 0x08466059b97090a2, 0x01c10ca6ba0e1253, 0x6988d6747c040c3a, 0x6849dad2c60a1e69, 0x5147ebe67449db73,
396 0xc99905f4fd8a837a, 0x991fe2b433cd4a5a, 0xf09734c04fc94660, 0xa28ecbd1e892abe6, 0xf1563866f5c75433,
397 0x4dae7baf70e13ed9, 0x7ce62ac27bd26b61, 0x70837a39109ab392, 0x90988e4b30b3c8ab, 0xb2020b63877296bf,
398 0x156efcb607d6675b},
399 {0xe63f55ce97c331d0, 0x25b506b0015bba16, 0xc8706e29e6ad9ba8, 0x5b43d3775d521f6a, 0x0bfa3d577035106e,
400 0xab95fc172afb0e66, 0xf64b63979e7a3276, 0xf58b4562649dad4b, 0x48f7c3dbae0c83f1, 0xff31916642f5c8c5,
401 0xcbb048dc1c4a0495, 0x66b8f83cdf622989, 0x35c130e908e2b9b0, 0x7c761a61f0b34fa1, 0x3601161cf205268d,
402 0x9e54ccfe2219b7d6, 0x8b7d90a538940837, 0x9cd403588ea35d0b, 0xbc3c6fea9ccc5b5a, 0xe5ff733b6d24aeed,
403 0xceed22de0f7eb8d2, 0xec8581cab1ab545e, 0xb96105e88ff8e71d, 0x8ca03501871a5ead, 0x76ccce65d6db2a2f,
404 0x5883f582a7b58057, 0x3f7be4ed2e8adc3e, 0x0fe7be06355cd9c9, 0xee054e6c1d11be83, 0x1074365909b903a6,
405 0x5dde9f80b4813c10, 0x4a770c7d02b6692c, 0x5379c8d5d7809039, 0xb4067448161ed409, 0x5f5e5026183bd6cd,
406 0xe898029bf4c29df9, 0x7fb63c940a54d09c, 0xc5171f897f4ba8bc, 0xa6f28db7b31d3d72, 0x2e4f3be7716eaa78,
407 0x0d6771a099e63314, 0x82076254e41bf284, 0x2f0fd2b42733df98, 0x5c9e76d3e2dc49f0, 0x7aeb569619606cdb,
408 0x83478b07b2468764, 0xcfadcb8d5923cd32, 0x85dac7f05b95a41e, 0xb5469d1b4043a1e9, 0xb821ecbbd9a592fd,
409 0x1b8e0b0e798c13c8, 0x62a57b6d9a0be02e, 0xfcf1b793b81257f8, 0x9d94ea0bd8fe28eb, 0x4cea408aeb654a56,
410 0x23284a47e888996c, 0x2d8f1d128b893545, 0xf4cbac3132c0d8ab, 0xbd7c86b9ca912eba, 0x3a268eef3dbe6079,
411 0xf0d62f6077a9110c, 0x2735c916ade150cb, 0x89fd5f03942ee2ea, 0x1acee25d2fd16628, 0x90f39bab41181bff,
412 0x430dfe8cde39939f, 0xf70b8ac4c8274796, 0x1c53aeaac6024552, 0x13b410acf35e9c9b, 0xa532ab4249faa24f,
413 0x2b1251e5625a163f, 0xd7e3e676da4841c7, 0xa7b264e4e5404892, 0xda8497d643ae72d3, 0x861ae105a1723b23,
414 0x38a6414991048aa4, 0x6578dec92585b6b4, 0x0280cfa6acbaeadd, 0x88bdb650c273970a, 0x9333bd5ebbff84c2,
415 0x4e6a8f2c47dfa08b, 0x321c954db76cef2a, 0x418d312a72837942, 0xb29b38bfffcdf773, 0x6c022c38f90a4c07,
416 0x5a033a240b0f6a8a, 0x1f93885f3ce5da6f, 0xc38a537e96988bc6, 0x39e6a81ac759ff44, 0x29929e43cee0fce2,
417 0x40cdd87924de0ca2, 0xe9d8ebc8a29fe819, 0x0c2798f3cfbb46f4, 0x55e484223e53b343, 0x4650948ecd0d2fd8,
418 0x20e86cb2126f0651, 0x6d42c56baf5739e7, 0xa06fc1405ace1e08, 0x7babbfc54f3d193b, 0x424d17df8864e67f,
419 0xd8045870ef14980e, 0xc6d7397c85ac3781, 0x21a885e1443273b1, 0x67f8116f893f5c69, 0x24f5efe35706cff6,
420 0xd56329d076f2ab1a, 0x5e1eb9754e66a32d, 0x28d2771098bd8902, 0x8f6013f47dfdc190, 0x17a993fdb637553c,
421 0xe0a219397e1012aa, 0x786b9930b5da8606, 0x6e82e39e55b0a6da, 0x875a0856f72f4ec3, 0x3741ff4fa458536d,
422 0xac4859b3957558fc, 0x7ef6d5c75c09a57c, 0xc04a758b6c7f14fb, 0xf9acdd91ab26ebbf, 0x7391a467c5ef9668,
423 0x335c7c1ee1319aca, 0xa91533b18641e4bb, 0xe4bf9a683b79db0d, 0x8e20faa72ba0b470, 0x51f907737b3a7ae4,
424 0x2268a314bed5ec8c, 0xd944b123b949edee, 0x31dcb3b84d8b7017, 0xd3fe65279f218860, 0x097af2f1dc8ffab3,
425 0x9b09a6fc312d0b91, 0xcc6ded78a3c4520f, 0x3481d9ba5ebfcc50, 0x4f2a667f1182d56b, 0xdfd9fdd4509ace94,
426 0x26752045fbbc252b, 0xbffc491f662bc467, 0xdd593272fc202449, 0x3cbbc218d46d4303, 0x91b372f817456e1f,
427 0x681faf69bc6385a0, 0xb686bbeebaa43ed4, 0x1469b5084cd0ca01, 0x98c98009cbca94ac, 0x6438379a73d8c354,
428 0xc2caba2dc0c5fe26, 0x3e3b0dbe78d7a9de, 0x50b9ee202d670f04, 0x4590b27b37eab0e5, 0x6025b4cb36b10af3,
429 0xfb2c1237079c0162, 0xa12f28130c936be8, 0x4b37e52e54eb1ccc, 0x083a1ba28ad28f53, 0xc10a9cd83a22611b,
430 0x9f1425ad7444c236, 0x069d4cf7e9d3237a, 0xedc56899e7f621be, 0x778c273680865fcf, 0x309c5aeb1bd605f7,
431 0x8de0dc52d1472b4d, 0xf8ec34c2fd7b9e5f, 0xea18cd3d58787724, 0xaad515447ca67b86, 0x9989695a9d97e14c,
432 0x0000000000000000, 0xf196c63321f464ec, 0x71116bc169557cb5, 0xaf887f466f92c7c1, 0x972e3e0ffe964d65,
433 0x190ec4a8d536f915, 0x95aef1a9522ca7b8, 0xdc19db21aa7d51a9, 0x94ee18fa0471d258, 0x8087adf248a11859,
434 0xc457f6da2916dd5c, 0xfa6cfb6451c17482, 0xf256e0c6db13fbd1, 0x6a9f60cf10d96f7d, 0x4daaa9d9bd383fb6,
435 0x03c026f5fae79f3d, 0xde99148706c7bb74, 0x2a52b8b6340763df, 0x6fc20acd03edd33a, 0xd423c08320afdefa,
436 0xbbe1ca4e23420dc0, 0x966ed75ca8cb3885, 0xeb58246e0e2502c4, 0x055d6a021334bc47, 0xa47242111fa7d7af,
437 0xe3623fcc84f78d97, 0x81c744a11efc6db9, 0xaec8961539cfb221, 0xf31609958d4e8e31, 0x63e5923ecc5695ce,
438 0x47107ddd9b505a38, 0xa3afe7b5a0298135, 0x792b7063e387f3e6, 0x0140e953565d75e0, 0x12f4f9ffa503e97b,
439 0x750ce8902c3cb512, 0xdbc47e8515f30733, 0x1ed3610c6ab8af8f, 0x5239218681dde5d9, 0xe222d69fd2aaf877,
440 0xfe71783514a8bd25, 0xcaf0a18f4a177175, 0x61655d9860ec7f13, 0xe77fbc9dc19e4430, 0x2ccff441ddd440a5,
441 0x16e97aaee06a20dc, 0xa855dae2d01c915b, 0x1d1347f9905f30b2, 0xb7c652bdecf94b34, 0xd03e43d265c6175d,
442 0xfdb15ec0ee4f2218, 0x57644b8492e9599e, 0x07dda5a4bf8e569a, 0x54a46d71680ec6a3, 0x5624a2d7c4b42c7e,
443 0xbebca04c3076b187, 0x7d36f332a6ee3a41, 0x3b6667bc6be31599, 0x695f463aea3ef040, 0xad08b0e0c3282d1c,
444 0xb15b1e4a052a684e, 0x44d05b2861b7c505, 0x15295c5b1a8dbfe1, 0x744c01c37a61c0f2, 0x59c31cd1f1e8f5b7,
445 0xef45a73f4b4ccb63, 0x6bdf899c46841a9d, 0x3dfb2b4b823036e3, 0xa2ef0ee6f674f4d5, 0x184e2dfb836b8cf5,
446 0x1134df0a5fe47646, 0xbaa1231d751f7820, 0xd17eaa81339b62bd, 0xb01bf71953771dae, 0x849a2ea30dc8d1fe,
447 0x705182923f080955, 0x0ea757556301ac29, 0x041d83514569c9a7, 0x0abad4042668658e, 0x49b72a88f851f611,
448 0x8a3d79f66ec97dd7, 0xcd2d042bf59927ef, 0xc930877ab0f0ee48, 0x9273540deda2f122, 0xc797d02fd3f14261,
449 0xe1e2f06a284d674a, 0xd2be8c74c97cfd80, 0x9a494faf67707e71, 0xb3dbd1eca9908293, 0x72d14d3493b2e388,
450 0xd6a30f258c153427}};

◆ STREEBOG_C

const uint64_t Botan::STREEBOG_C
extern

Definition at line 452 of file streebog_precalc.cpp.

452 {{0xdd806559f2a64507,
453 0x05767436cc744d23,
454 0xa2422a08a460d315,
455 0x4b7ce09192676901,
456 0x714eb88d7585c4fc,
457 0x2f6a76432e45d016,
458 0xebcb2f81c0657c1f,
459 0xb1085bda1ecadae9},
460 {0xe679047021b19bb7,
461 0x55dda21bd7cbcd56,
462 0x5cb561c2db0aa7ca,
463 0x9ab5176b12d69958,
464 0x61d55e0f16b50131,
465 0xf3feea720a232b98,
466 0x4fe39d460f70b5d7,
467 0x6fa3b58aa99d2f1a},
468 {0x991e96f50aba0ab2,
469 0xc2b6f443867adb31,
470 0xc1c93a376062db09,
471 0xd3e20fe490359eb1,
472 0xf2ea7514b1297b7b,
473 0x06f15e5f529c1f8b,
474 0x0a39fc286a3d8435,
475 0xf574dcac2bce2fc7},
476 {0x220cbebc84e3d12e,
477 0x3453eaa193e837f1,
478 0xd8b71333935203be,
479 0xa9d72c82ed03d675,
480 0x9d721cad685e353f,
481 0x488e857e335c3c7d,
482 0xf948e1a05d71e4dd,
483 0xef1fdfb3e81566d2},
484 {0x601758fd7c6cfe57,
485 0x7a56a27ea9ea63f5,
486 0xdfff00b723271a16,
487 0xbfcd1747253af5a3,
488 0x359e35d7800fffbd,
489 0x7f151c1f1686104a,
490 0x9a3f410c6ca92363,
491 0x4bea6bacad474799},
492 {0xfa68407a46647d6e,
493 0xbf71c57236904f35,
494 0x0af21f66c2bec6b6,
495 0xcffaa6b71c9ab7b4,
496 0x187f9ab49af08ec6,
497 0x2d66c4f95142a46c,
498 0x6fa4c33b7a3039c0,
499 0xae4faeae1d3ad3d9},
500 {0x8886564d3a14d493,
501 0x3517454ca23c4af3,
502 0x06476983284a0504,
503 0x0992abc52d822c37,
504 0xd3473e33197a93c9,
505 0x399ec6c7e6bf87c9,
506 0x51ac86febf240954,
507 0xf4c70e16eeaac5ec},
508 {0xa47f0dd4bf02e71e,
509 0x36acc2355951a8d9,
510 0x69d18d2bd1a5c42f,
511 0xf4892bcb929b0690,
512 0x89b4443b4ddbc49a,
513 0x4eb7f8719c36de1e,
514 0x03e7aa020c6e4141,
515 0x9b1f5b424d93c9a7},
516 {0x7261445183235adb,
517 0x0e38dc92cb1f2a60,
518 0x7b2b8a9aa6079c54,
519 0x800a440bdbb2ceb1,
520 0x3cd955b7e00d0984,
521 0x3a7d3a1b25894224,
522 0x944c9ad8ec165fde,
523 0x378f5a541631229b},
524 {0x74b4c7fb98459ced,
525 0x3698fad1153bb6c3,
526 0x7a1e6c303b7652f4,
527 0x9fe76702af69334b,
528 0x1fffe18a1b336103,
529 0x8941e71cff8a78db,
530 0x382ae548b2e4f3f3,
531 0xabbedea680056f52},
532 {0x6bcaa4cd81f32d1b,
533 0xdea2594ac06fd85d,
534 0xefbacd1d7d476e98,
535 0x8a1d71efea48b9ca,
536 0x2001802114846679,
537 0xd8fa6bbbebab0761,
538 0x3002c6cd635afe94,
539 0x7bcd9ed0efc889fb},
540 {0x48bc924af11bd720,
541 0xfaf417d5d9b21b99,
542 0xe71da4aa88e12852,
543 0x5d80ef9d1891cc86,
544 0xf82012d430219f9b,
545 0xcda43c32bcdf1d77,
546 0xd21380b00449b17a,
547 0x378ee767f11631ba}};

Referenced by Botan::Streebog::compress_64().

◆ WORDS_448

◆ X448_LEN