Botan 3.9.0
Crypto and TLS for C&
Botan Namespace Reference

Namespaces

namespace  AES_AARCH64
namespace  ARIA_F
namespace  ASN1
namespace  Camellia_F
namespace  Camellia_GFNI
namespace  Cert_Extension
namespace  CMCE_CT
namespace  concepts
namespace  CryptoBox
namespace  CRYSTALS
namespace  CT
namespace  detail
namespace  Dilithium_Algos
namespace  fmt_detail
namespace  FPE
namespace  HTTP
namespace  KeyPair
namespace  Kuznyechik_F
namespace  Kyber_Algos
namespace  OCSP
namespace  OIDS
namespace  OS
namespace  PCurve
namespace  PEM_Code
namespace  PK_Ops
namespace  PKCS11
namespace  PKCS8
namespace  PKIX
namespace  ranges
namespace  Roughtime
namespace  Serpent_F
namespace  SHA1_F
namespace  SHACAL2_AVX2_F
namespace  SHACAL2_AVX512_F
namespace  Sodium
namespace  Threefish_F
namespace  TLS
namespace  TPM2
namespace  X509

Classes

class  Adler32
class  AEAD_Mode
class  AES_128
class  AES_192
class  AES_256
class  AES_256_CTR_XOF
class  AffineCurvePoint
class  AffinePointTable
class  Algorithm_Not_Found
class  AlgorithmIdentifier
class  AlignmentBuffer
 Alignment buffer helper. More...
struct  all_same
class  Allocator_Initializer
class  AlternativeName
class  ANSI_X919_MAC
class  ANSI_X923_Padding
class  Argon2
class  Argon2_Family
class  ARIA_128
class  ARIA_192
class  ARIA_256
class  ASN1_Formatter
class  ASN1_Object
class  ASN1_Pretty_Printer
class  ASN1_String
class  ASN1_Time
class  Asymmetric_Key
class  Atomic
class  Attribute
class  AutoSeeded_RNG
class  Barrett_Reduction
class  Barrier
class  Base64_Decoder
class  Base64_Encoder
class  Bcrypt_PBKDF
class  Bcrypt_PBKDF_Family
class  BER_Bad_Tag
class  BER_Decoder
class  BER_Decoding_Error
class  BER_Object
class  BigInt
class  BitBucket
class  bitvector_base
class  BLAKE2b
class  BLAKE2bMAC
class  BLAKE2s
class  BlindedScalarBits
class  Blinder
class  Block_Cipher_Fixed_Params
class  BlockCipher
class  BlockCipherModePaddingMethod
class  Blowfish
class  Buffered_Computation
class  Buffered_Filter
class  BufferSlicer
class  BufferStuffer
 Helper class to ease in-place marshalling of concatenated fixed-length values. More...
class  Bzip2_Compression
class  Bzip2_Decompression
class  calendar_point
class  Camellia_128
class  Camellia_192
class  Camellia_256
class  Cascade_Cipher
class  CAST_128
class  CBC_Decryption
class  CBC_Encryption
class  CBC_Mode
class  CCM_Decryption
class  CCM_Encryption
class  CCM_Mode
class  Certificate_Extension
class  Certificate_Store
class  Certificate_Store_In_Memory
class  Certificate_Store_In_SQL
class  Certificate_Store_In_SQLite
class  Certificate_Store_MacOS
class  Certificate_Store_Windows
class  CFB_Decryption
class  CFB_Encryption
class  CFB_Mode
class  ChaCha
class  ChaCha20Poly1305_Decryption
class  ChaCha20Poly1305_Encryption
class  ChaCha20Poly1305_Mode
class  ChaCha_RNG
class  Chain
class  Cipher_Mode
class  Cipher_Mode_Filter
class  Classic_McEliece_Decryptor
class  Classic_McEliece_Encryptor
class  Classic_McEliece_Field_Ordering
 Represents a field ordering for the Classic McEliece cryptosystem. More...
class  Classic_McEliece_GF
 Represents an element of the finite field GF(q) for q = 2^m. More...
struct  Classic_McEliece_KeyPair_Internal
 Representation of a Classic McEliece key pair. More...
class  Classic_McEliece_Matrix
 Representation of the binary Classic McEliece matrix H, with H = (I_mt | T). More...
class  Classic_McEliece_Minimal_Polynomial
 Representation of a minimal polynomial in GF(q)[y]. More...
class  Classic_McEliece_Parameter_Set
class  Classic_McEliece_Parameters
class  Classic_McEliece_Polynomial
 Representation of a Classic McEliece polynomial. More...
class  Classic_McEliece_Polynomial_Ring
 Represents the polynomial ring GF(q)[y]/F(y) where F(y) is the modulus polynomial in GF(q)[y] of degree t. More...
class  Classic_McEliece_PrivateKey
class  Classic_McEliece_PrivateKeyInternal
 Representation of a Classic McEliece private key. More...
class  Classic_McEliece_PublicKey
class  Classic_McEliece_PublicKeyInternal
 Representation of a Classic McEliece public key. More...
class  CMAC
class  Comb4P
class  CommonCrypto_Error
struct  CommonCryptor_Opts
class  Compression_Algorithm
class  Compression_Alloc_Info
class  Compression_Error
class  Compression_Stream
class  CPUFeature
class  CPUID
class  CRC24
class  CRC32
class  Credentials_Manager
class  CRL_Entry
class  cSHAKE_128_XOF
class  cSHAKE_256_XOF
class  cSHAKE_XOF
class  CTR_BE
class  CTS_Decryption
class  CTS_Encryption
class  CurveGFp
class  DataSink
class  DataSink_Stream
class  DataSource
class  DataSource_Memory
class  DataSource_Stream
class  Decoding_Error
class  Decompression_Algorithm
class  Deflate_Compression
class  Deflate_Decompression
class  DER_Encoder
class  DES
class  DH_PrivateKey
class  DH_PublicKey
class  Dilithium_AES_Symmetric_Primitives
class  Dilithium_Expanded_Keypair_Codec
class  Dilithium_Keypair_Codec
class  Dilithium_PrivateKey
class  Dilithium_PrivateKeyInternal
class  Dilithium_PublicKey
class  Dilithium_PublicKeyInternal
class  Dilithium_Round3_Symmetric_Primitives
class  Dilithium_Symmetric_Primitives
class  Dilithium_Symmetric_Primitives_Base
class  DilithiumConstants
class  DilithiumMessageHash
class  DilithiumMode
class  DilithiumPolyTraits
class  DilithiumShakeXOF
class  DilithiumXOF
class  DL_Group
class  DL_PrivateKey
class  DL_PublicKey
class  DLIES_Decryptor
class  DLIES_Encryptor
class  donna128
class  DSA_PrivateKey
class  DSA_PublicKey
class  Dynamically_Loaded_Library
class  EAX_Decryption
class  EAX_Encryption
class  EAX_Mode
class  EC_AffinePoint
class  EC_AffinePoint_Data
class  EC_AffinePoint_Data_BN
class  EC_AffinePoint_Data_PC
class  EC_Group
class  EC_Group_Data
class  EC_Mul2Table_Data
class  EC_Mul2Table_Data_BN
class  EC_Mul2Table_Data_PC
class  EC_Point
class  EC_Point_Base_Point_Precompute
class  EC_Point_Multi_Point_Precompute
class  EC_Point_Var_Point_Precompute
class  EC_PrivateKey
class  EC_PrivateKey_Data
class  EC_PublicKey
class  EC_PublicKey_Data
class  EC_Scalar
class  EC_Scalar_Data
class  EC_Scalar_Data_BN
class  EC_Scalar_Data_PC
class  ECDH_PrivateKey
class  ECDH_PublicKey
class  ECDSA_PrivateKey
class  ECDSA_PublicKey
class  ECGDSA_PrivateKey
class  ECGDSA_PublicKey
class  ECIES_Decryptor
class  ECIES_Encryptor
class  ECIES_KA_Operation
class  ECIES_KA_Params
class  ECIES_System_Params
class  ECKCDSA_PrivateKey
class  ECKCDSA_PublicKey
class  Ed25519_FieldElement
class  Ed25519_PrivateKey
class  Ed25519_PublicKey
class  Ed448_PrivateKey
 A private key for Ed448/Ed448ph according to RFC 8032. More...
class  Ed448_PublicKey
 A public key for Ed448/Ed448ph according to RFC 8032. More...
class  Ed448Point
 Representation of a point on the Ed448 curve. More...
struct  eea_result
class  ElGamal_PrivateKey
class  ElGamal_PublicKey
class  EllipticCurve
class  EllipticCurveParameters
class  EME
class  EME_PKCS1v15
class  EME_Raw
struct  EnableArithmeticWithPlainNumber
class  Encoding_Error
class  Encrypted_PSK_Database
class  Encrypted_PSK_Database_SQL
class  Entropy_Source
class  Entropy_Sources
class  ESDM_RNG
class  ESP_Padding
class  Exception
class  Expanded_Keypair_Codec
 Codec for expanded private keys (as specified in FIPS 203) More...
class  Extensions
class  Fanout_Filter
class  Filter
class  Flatfile_Certificate_Store
class  Fork
class  FPE_FE1
class  FrodoKEM_PrivateKey
class  FrodoKEM_PublicKey
class  FrodoKEMConstants
class  FrodoKEMMode
class  FrodoMatrix
class  GCM_Decryption
class  GCM_Encryption
class  GCM_Mode
class  GeneralName
 X.509 GeneralName Type. More...
class  GeneralSubtree
 A single Name Constraint. More...
class  Getentropy
class  GF2m_Field
class  Gf448Elem
class  GF_Mask
 Constant time mask wrapper for GF(q) elements. More...
class  GHASH
class  GMAC
class  GOST_28147_89
class  GOST_28147_89_Params
class  GOST_3410_PrivateKey
class  GOST_3410_PublicKey
class  GOST_34_11
class  Gzip_Compression
class  Gzip_Decompression
class  Hardware_RNG
class  HashFunction
class  Hex_Decoder
class  Hex_Encoder
class  HKDF
class  HKDF_Expand
class  HKDF_Extract
class  HMAC
class  HMAC_DRBG
class  HOTP
class  HSS_LMS_Params
 The HSS-LMS parameters. More...
class  HSS_LMS_PrivateKey
 An HSS/LMS private key. More...
class  HSS_LMS_PrivateKeyInternal
 The internal HSS-LMS private key. More...
class  HSS_LMS_PublicKey
 An HSS/LMS public key. More...
class  HSS_LMS_PublicKeyInternal
 The internal HSS-LMS public key. More...
class  HSS_Signature
 A HSS-LMS signature. More...
class  Hybrid_PrivateKey
 Abstraction for a combined KEM private key. More...
class  Hybrid_PublicKey
 Abstraction for a combined KEM public key. More...
class  IDEA
class  Intel_Rdseed
class  Internal_Error
class  IntMod
struct  IntParams
class  Invalid_Algorithm_Name
class  Invalid_Argument
class  Invalid_Authentication_Tag
class  Invalid_IV_Length
class  Invalid_Key_Length
class  Invalid_State
struct  is_bitvector
struct  is_bitvector< bitvector_base< T > >
struct  is_strong_span
struct  is_strong_span< StrongSpan< T > >
struct  is_strong_type
struct  is_strong_type< Strong< Ts... > >
class  ISO_9796_DS2
class  ISO_9796_DS3
class  Jitter_RNG
class  KDF
class  KDF1
class  KDF1_18033
class  KDF2
class  Keccak_1600
class  Keccak_Permutation
class  KEM_Decryption_with_Combiner
 Abstract interface for a KEM decryption operation for KEM combiners. More...
class  KEM_Encapsulation
class  KEM_Encryption_with_Combiner
 Abstract interface for a KEM encryption operation for KEM combiners. More...
class  KEX_to_KEM_Adapter_PrivateKey
class  KEX_to_KEM_Adapter_PublicKey
class  Key_Constraints
class  Key_Length_Specification
class  Key_Not_Set
class  Keyed_Filter
class  KMAC
class  KMAC128
class  KMAC256
class  Kuznyechik
class  Kyber_90s_Symmetric_Primitives
class  Kyber_KEM_Decryptor
class  Kyber_KEM_Decryptor_Base
class  Kyber_KEM_Encryptor
class  Kyber_KEM_Encryptor_Base
class  Kyber_KEM_Operation_Base
class  Kyber_Keypair_Codec
class  Kyber_Modern_Symmetric_Primitives
class  Kyber_PrivateKey
class  Kyber_PrivateKeyInternal
class  Kyber_PublicKey
class  Kyber_PublicKeyInternal
class  Kyber_Symmetric_Primitives
class  KyberConstants
class  KyberMode
class  KyberPolyTraits
struct  KyberPrivateKeySeed
class  Lion
class  LMOTS_Params
 The LM-OTS parameters. More...
class  LMOTS_Private_Key
 Representation of an LMOTS private key. More...
class  LMOTS_Public_Key
 Representation of an OTS public key. More...
class  LMOTS_Signature
 Representation of a LM-OTS signature. More...
class  LMS_Instance
 Base class for LMS private and public key. Contains public data associated with this LMS instance. More...
class  LMS_Params
 The LMS parameters. More...
class  LMS_PrivateKey
 Representation of an LMS Private key. More...
class  LMS_PublicKey
 The LMS public key. More...
class  LMS_Signature
 Container for LMS Signature data. More...
class  lock_guard
class  Lookup_Error
class  LZMA_Compression
class  LZMA_Decompression
class  McEliece_PrivateKey
class  McEliece_PublicKey
class  MD4
class  MD5
class  Memory_Pool
class  MerkleDamgard_Hash
class  MessageAuthenticationCode
class  ML_DSA_Expanding_Keypair_Codec
class  ML_DSA_MessageHash
class  ML_DSA_Symmetric_Primitives
class  ML_KEM_Decryptor
class  ML_KEM_Encryptor
class  ML_KEM_Symmetric_Primitives
class  mlock_allocator
class  Modular_Reducer
class  Montgomery_Int
class  Montgomery_Params
class  MontgomeryRep
class  NameConstraints
 Name Constraints. More...
class  No_Filesystem_Access
class  Noekeon
class  noop_mutex
class  Not_Implemented
class  Null_Padding
class  Null_RNG
class  OAEP
class  OCB_Decryption
class  OCB_Encryption
class  OCB_Mode
class  OctetString
class  OFB
class  OID
class  OID_Map
class  OneAndZeros_Padding
class  OpenPGP_S2K
class  OTS_Instance
 Base class for LMOTS private and public key. Contains the parameters for the specific OTS instance. More...
class  Output_Buffers
struct  overloaded
class  Parallel
class  PasswordHash
class  PasswordHashFamily
class  Path_Validation_Restrictions
class  Path_Validation_Result
class  PBKDF
class  PBKDF2
class  PBKDF2_Family
class  Pipe
class  PK_Decryptor
class  PK_Decryptor_EME
class  PK_Encryptor
class  PK_Encryptor_EME
class  PK_KEM_Decryptor
class  PK_KEM_Encryptor
class  PK_Key_Agreement
class  PK_Key_Agreement_Key
class  PK_Signer
class  PK_Verifier
class  PKCS10_Request
class  PKCS1v15_Raw_SignaturePaddingScheme
class  PKCS1v15_SignaturePaddingScheme
class  PKCS5_PBKDF2
class  PKCS7_Padding
class  PKCS8_Exception
class  Poly1305
class  polyn_gf2m
class  PrecomputedBaseMulTable
class  Private_Key
class  PRNG_Unseeded
class  Processor_RNG
class  ProjectiveCurvePoint
class  Provider_Not_Found
class  PseudorandomKeyGeneration
 Helper class used to derive secret values based in the pseudorandom key generation described in RFC 8554 Appendix A. More...
class  PSK_Database
class  PSS_Params
class  PSS_Raw
class  PSSR
class  Public_Key
class  RandomNumberGenerator
class  RawHashFunction
class  RC4
class  RFC4880_S2K
class  RFC4880_S2K_Family
class  RFC6979_Nonce_Generator
class  RIPEMD_160
class  RSA_PrivateKey
class  RSA_PublicKey
class  RTSS_Share
class  RWLock
class  Salsa20
class  Scalar448
 Representation of a scalar for X448. More...
class  SCAN_Name
class  scoped_cleanup
 Helper class to create a RAII-style cleanup callback. More...
class  Scrypt
class  Scrypt_Family
class  secure_allocator
class  SecureQueue
class  SEED
class  Seed_Expanding_Keypair_Codec
 Codec for private keys as 64-byte seeds: d || z. More...
class  Semaphore
class  Serpent
class  SHA_1
class  SHA_224
class  SHA_256
class  SHA_3
class  SHA_384
class  SHA_3_224
class  SHA_3_256
class  SHA_3_384
class  SHA_3_512
class  SHA_512
class  SHA_512_256
class  SHACAL2
class  SHAKE_128
class  SHAKE_128_Cipher
class  SHAKE_128_XOF
class  SHAKE_256
class  SHAKE_256_Cipher
class  SHAKE_256_XOF
class  SHAKE_Cipher
class  SHAKE_XOF
class  SignaturePaddingScheme
class  SignRawBytes
class  SIMD_16x32
class  SIMD_2x64
class  SIMD_4x32
class  SIMD_4x64
class  SIMD_8x32
class  SIMD_8x64
class  SipHash
class  SIV_Decryption
class  SIV_Encryption
class  SIV_Mode
class  Skein_512
class  SM2_PrivateKey
class  SM2_PublicKey
class  SM3
class  SM4
class  SolinasAccum
class  SP800_108_Counter
class  SP800_108_Feedback
class  SP800_108_Pipeline
class  SP800_56A_One_Step_KMAC_Abstract
class  SP800_56C_One_Step_Hash
class  SP800_56C_One_Step_HMAC
class  SP800_56C_One_Step_KMAC128
class  SP800_56C_One_Step_KMAC256
class  SP800_56C_Two_Step
class  Sphincs_Address
class  Sphincs_Hash_Functions
class  Sphincs_Hash_Functions_Sha2
class  Sphincs_Hash_Functions_Shake
class  Sphincs_Parameters
struct  SphincsMessageInternal
 M' representation of FIPS 205 (the input to slh_sign_internal and slh_verify_internal) More...
class  SphincsPlus_PrivateKey
 An SLH-DSA private key. More...
class  SphincsPlus_PublicKey
 An SLH-DSA (or SPHINCS+ Round 3.1) public key. More...
class  SQL_Database
class  Sqlite3_Database
class  SRP6_Server_Session
class  Stateful_RNG
class  Stream_Compression
class  Stream_Decompression
class  Stream_IO_Error
class  StreamCipher
class  Streebog
class  StringLiteral
class  Strong
class  StrongSpan
class  SymmetricAlgorithm
class  System_Certificate_Store
class  System_Error
class  System_RNG
class  Thread_Pool
class  Threefish_512
class  TLS_12_PRF
class  TOTP
class  TPM_Context
class  TPM_Error
class  TPM_PrivateKey
class  TPM_RNG
class  TripleDES
class  Truncated_Hash
class  Tweakable_Block_Cipher
class  Twofish
class  UnblindedScalarBits
class  Unknown_PK_Field_Name
class  URI
class  UUID
class  VartimeMul2Table
class  Whirlpool
class  Win32_EntropySource
class  WindowedBoothMulTable
class  WindowedMul2Table
class  WindowedMulTable
class  word3
struct  WordInfo
struct  WordInfo< uint32_t >
struct  WordInfo< uint64_t >
class  X25519_PrivateKey
class  X25519_PublicKey
class  X448_PrivateKey
 A private key for the X448 key agreement scheme according to RFC 7748. More...
class  X448_PublicKey
 A public key for the X448 key agreement scheme according to RFC 7748. More...
class  X509_CA
class  X509_Cert_Options
class  X509_Certificate
class  X509_CRL
class  X509_DN
class  X509_Object
class  X931_SignaturePadding
class  X942_PRF
class  XMSS_Address
class  XMSS_Common_Ops
class  XMSS_Hash
class  XMSS_Index_Registry
class  XMSS_Parameters
class  XMSS_PrivateKey
class  XMSS_PublicKey
class  XMSS_Signature
class  XMSS_Signature_Operation
class  XMSS_Verification_Operation
class  XMSS_WOTS_Base
class  XMSS_WOTS_Parameters
class  XMSS_WOTS_PrivateKey
class  XMSS_WOTS_PublicKey
class  XOF
class  XTS_Decryption
class  XTS_Encryption
class  XTS_Mode
class  ZFEC
class  Zlib_Compression
class  Zlib_Decompression
class  Zlib_Style_Stream

Concepts

concept  md_hash_implementation
concept  WordType
concept  curve_supports_fe_invert2
concept  curve_supports_fe_sqrt
concept  updatable_object
concept  appendable_object
concept  absorbing_object
concept  bitvectorish

Typedefs

typedef __vector unsigned int Altivec32x4
typedef __vector unsigned long long Altivec64x2
typedef __vector unsigned char Altivec8x16
using bitvector = bitvector_base<std::allocator>
template<size_t bound>
using Bounded_XOF = detail::Bounded_XOF<XOF&, bound>
using byte = std::uint8_t
typedef int32_t CCCryptorStatus
typedef std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
using CmceCodeWord = Strong<secure_bitvector, struct CmceCodeWord_>
 Represents C of decapsulation.
using CmceColumnSelection = Strong<secure_bitvector, struct CmceColumnSelection_>
 Represents c of private key.
using CmceErrorVector = Strong<secure_bitvector, struct CmceErrorVector_>
 Represents e of encapsulation.
using CmceGfElem = Strong<uint16_t, struct CmceGfElem_>
 Represents a GF(q) element.
using CmceGfMod = Strong<uint16_t, struct CmceGfMod_>
 Represents a GF(q) modulus.
using CmceInitialSeed = Strong<secure_vector<uint8_t>, struct CmceInitialSeed_>
 Represents initial delta of keygen.
using CmceIrreducibleBits = Strong<secure_vector<uint8_t>, struct CmceIrreducibleBits_>
using CmceKeyGenSeed = Strong<secure_vector<uint8_t>, struct CmceKeyGenSeed_>
 Represents a delta (can be altered; final value stored in private key)
using CmceOrderingBits = Strong<secure_vector<uint8_t>, struct CmceOrderingBits_>
using CmcePermutation = Strong<secure_vector<uint16_t>, struct CmcePermutation_>
 Represents a permutation (pi in spec). Used in field ordering creation.
using CmcePermutationElement = Strong<uint16_t, struct CmcePermutationElement_>
 Represents an element of a permuation (pi in spec). Used in field ordering creation.
using CmceRejectionSeed = Strong<secure_vector<uint8_t>, struct CmceRejectionSeed_>
 Represents s of private key.
typedef X25519_PrivateKey Curve25519_PrivateKey
typedef X25519_PublicKey Curve25519_PublicKey
using DilithiumCommitmentHash = Strong<std::vector<uint8_t>, struct DilithiumCommitmentHash_>
 Hash of the message representative and the signer's commitment.
using DilithiumHashedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumHashedPublicKey_>
using DilithiumInternalKeypair
 Internal representation of a Dilithium key pair.
using DilithiumMessageRepresentative = Strong<std::vector<uint8_t>, struct DilithiumMessageRepresentative_>
 Representation of the message to be signed.
using DilithiumOptionalRandomness = Strong<secure_vector<uint8_t>, struct DilithiumOptionalRandomness_>
 Optional randomness 'rnd' used for rho prime computation in ML-DSA.
using DilithiumPoly = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal>
using DilithiumPolyMatNTT = Botan::CRYSTALS::PolynomialMatrix<DilithiumPolyTraits>
using DilithiumPolyNTT = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT>
using DilithiumPolyVec = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal>
using DilithiumPolyVecNTT = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT>
using DilithiumSeedRandomness = Strong<secure_vector<uint8_t>, struct DilithiumSeedRandomness_>
 Principal seed used to generate Dilithium key pairs.
using DilithiumSeedRho = Strong<std::vector<uint8_t>, struct DilithiumPublicSeed_>
 Public seed to sample the polynomial matrix A from.
using DilithiumSeedRhoPrime = Strong<secure_vector<uint8_t>, struct DilithiumSeedRhoPrime_>
 Private seed to sample the polynomial vectors s1 and s2 from.
using DilithiumSerializedCommitment = Strong<std::vector<uint8_t>, struct DilithiumSerializedCommitment_>
 Serialized representation of a commitment w1.
using DilithiumSerializedPrivateKey = Strong<secure_vector<uint8_t>, struct DilithiumSerializedPrivateKey_>
 Serialized private key data.
using DilithiumSerializedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumSerializedPublicKey_>
 Serialized public key data (result of pkEncode(pk))
using DilithiumSerializedSignature = Strong<std::vector<uint8_t>, struct DilithiumSerializedSignature_>
 Serialized signature data.
using DilithiumSigningSeedK = Strong<secure_vector<uint8_t>, struct DilithiumSeedK_>
 Private seed K used during signing.
using ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_>
using ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_>
using FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_>
using FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_>
using FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_>
using FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_>
using FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_>
using FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_>
using FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_>
using FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_>
using FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_>
using FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_>
using FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_>
using FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_>
using GenerateLeafFunction = std::function<void(StrongSpan<SphincsTreeNode> , TreeNodeIndex)>
typedef uint16_t gf2m
using HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber>
 The HSS layer in the HSS multi tree starting at 0 from the root.
using HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber>
 The index of a node within a specific LMS tree layer.
using HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_>
 Index of a layer in the XMSS hyper-tree.
using InitializationVector = OctetString
typedef Invalid_Authentication_Tag Integrity_Failure
using KyberCompressedCiphertext = Strong<std::vector<uint8_t>, struct KyberCompressedCiphertext_>
 Compressed and serialized ciphertext value.
using KyberEncryptionRandomness = Strong<secure_vector<uint8_t>, struct KyberEncryptionRandomness_>
 Random value used to generate the Kyber ciphertext.
using KyberHashedCiphertext = Strong<std::vector<uint8_t>, struct KyberHashedCiphertext_>
using KyberHashedPublicKey = Strong<std::vector<uint8_t>, struct KyberHashedPublicKey_>
 Hash value of the serialized public key.
using KyberImplicitRejectionValue = Strong<secure_vector<uint8_t>, struct KyberImplicitRejectionValue_>
 Secret random value (called Z in the spec), used for implicit rejection in the decapsulation.
using KyberInternalKeypair
using KyberMessage = Strong<secure_vector<uint8_t>, struct KyberMessage_>
 Random message value to be encrypted by the CPA-secure Kyber encryption scheme.
using KyberPoly = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal>
using KyberPolyMat = Botan::CRYSTALS::PolynomialMatrix<KyberPolyTraits>
using KyberPolyNTT = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT>
using KyberPolyVec = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal>
using KyberPolyVecNTT = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT>
using KyberSamplingRandomness = Strong<secure_vector<uint8_t>, struct KyberSamplingRandomness_>
 PRF value used for sampling of error polynomials.
using KyberSeedRandomness = Strong<secure_vector<uint8_t>, struct KyberSeedRandomness_>
 Principal seed used to generate Kyber key pairs.
using KyberSeedRho = Strong<std::vector<uint8_t>, struct KyberSeedRho_>
 Public seed value to generate the Kyber matrix A.
using KyberSeedSigma = Strong<secure_vector<uint8_t>, struct KyberSeedSigma_>
 Private seed used to generate polynomial vectors s and e during key generation.
using KyberSerializedPublicKey = Strong<std::vector<uint8_t>, struct KyberSerializedPublicKey_>
 Public key in serialized form (t || rho)
using KyberSharedSecret = Strong<secure_vector<uint8_t>, struct KyberSharedSecret_>
 Shared secret value generated during encapsulation and recovered during decapsulation.
using KyberSigmaOrEncryptionRandomness
 Variant value of either a KyberSeedSigma or a KyberEncryptionRandomness.
using LMOTS_K = Strong<std::vector<uint8_t>, struct LMOTS_K_>
 The K value from the LM-OTS public key.
using LMOTS_Node = Strong<secure_vector<uint8_t>, struct LMOTS_Node_>
 One node within one LM-OTS hash chain.
using LMOTS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMOTS_Signature_Bytes_>
 Byte vector of an LM-OTS signature.
using LMS_AuthenticationPath = Strong<std::vector<uint8_t>, struct LMS_AuthenticationPath_>
 The authentication path of an LMS signature.
using LMS_Identifier = Strong<std::vector<uint8_t>, struct LMS_Identifier_>
 The identifier of an LMS tree (I in RFC 8554)
using LMS_Message = Strong<std::vector<uint8_t>, struct LMS_Message_>
 A message that is signed with an LMS tree.
using LMS_Seed = Strong<secure_vector<uint8_t>, struct LMS_SEED_>
 Seed of the LMS tree, used to generate the LM-OTS private keys.
using LMS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMS_Signature_Bytes_>
 Raw bytes of an LMS signature.
using LMS_Tree_Node = Strong<std::vector<uint8_t>, struct LMS_Tree_Node_>
 A node with the LMS tree.
using LMS_Tree_Node_Idx = Strong<uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber>
 The index of a node within a specific LMS tree layer.
template<typename T>
using lock_guard_type = lock_guard<T>
typedef MessageAuthenticationCode MAC
using ML_DSA_Mode = DilithiumMode
using ML_DSA_PrivateKey = Dilithium_PrivateKey
using ML_DSA_PublicKey = Dilithium_PublicKey
using ML_KEM_Mode = KyberMode
using ML_KEM_PrivateKey = Kyber_PrivateKey
using ML_KEM_PublicKey = Kyber_PublicKey
using mutex_type = noop_mutex
template<std::signed_integral T>
using next_longer_int_t
template<std::unsigned_integral T>
using next_longer_uint_t
using Point448 = Strong<std::array<uint8_t, X448_LEN>, struct Point448_>
typedef EC_Point PointGFp
using recursive_mutex_type = noop_mutex
typedef RandomNumberGenerator RNG
typedef PBKDF S2K
using s32bit = std::int32_t
using ScalarX448 = Strong<std::array<uint8_t, X448_LEN>, struct ScalarX448_>
using secure_bitvector = bitvector_base<secure_allocator>
template<typename T>
using secure_deque = std::deque<T, secure_allocator<T>>
template<typename T>
using secure_vector = std::vector<T, secure_allocator<T>>
template<typename T>
using SecureVector = secure_vector<T>
typedef SM2_PrivateKey SM2_Encryption_PrivateKey
typedef SM2_PublicKey SM2_Encryption_PublicKey
typedef SM2_PrivateKey SM2_Signature_PrivateKey
typedef SM2_PublicKey SM2_Signature_PublicKey
using SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_>
using SphincsContext = Strong<std::vector<uint8_t>, struct SphincsContext_>
using SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_>
using SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>
using SphincsInputMessage = Strong<std::vector<uint8_t>, struct SphincsInputMessage_>
using SphincsMessagePrefix = Strong<std::vector<uint8_t>, struct SphincsMessagePrefix_>
using SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_>
using SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_>
using SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_>
using SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_>
using SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_>
using SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_>
 Either an XMSS or FORS tree node or leaf.
using SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>
template<typename T>
using strong_type_wrapped_type = typename detail::wrapped_type_helper<std::remove_cvref_t<T>>::type
 Extracts the wrapped type from a strong type.
using SymmetricKey = OctetString
using TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber>
 Index of the layer within a FORS/XMSS tree.
using TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber>
 Index of an individual node inside an XMSS or FORS tree.
using u16bit = std::uint16_t
using u32bit = std::uint32_t
using u64bit = std::uint64_t
using word = std::conditional_t<HasNative64BitRegisters, std::uint64_t, uint32_t>
typedef std::vector< secure_vector< uint8_t > > wots_keysig_t
using WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_>
 Index of a WOTS chain within a single usage of WOTS.
using WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber>
 Index of a hash application inside a single WOTS chain (integers in "base_w")
using WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_>
 Start (or intermediate) node of a WOTS+ chain.
using WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_>
using WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_>
 End node of a WOTS+ chain (part of the WOTS+ public key)
using WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_>
typedef ASN1_Time X509_Time
using XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber>
 Index of an XMSS tree (unique for just the local hyper-tree layer)

Enumerations

enum class  AlignmentBufferFinalBlock : uint8_t { is_not_special = 0 , must_be_deferred = 1 }
enum class  ASN1_Class : uint32_t {
  Universal = 0b0000'0000 , Application = 0b0100'0000 , ContextSpecific = 0b1000'0000 , Private = 0b1100'0000 ,
  Constructed = 0b0010'0000 , ExplicitContextSpecific = Constructed | ContextSpecific , NoObject = 0xFF00
}
enum class  ASN1_Type : uint32_t {
  Eoc = 0x00 , Boolean = 0x01 , Integer = 0x02 , BitString = 0x03 ,
  OctetString = 0x04 , Null = 0x05 , ObjectId = 0x06 , Enumerated = 0x0A ,
  Sequence = 0x10 , Set = 0x11 , Utf8String = 0x0C , NumericString = 0x12 ,
  PrintableString = 0x13 , TeletexString = 0x14 , Ia5String = 0x16 , VisibleString = 0x1A ,
  UniversalString = 0x1C , BmpString = 0x1E , UtcTime = 0x17 , GeneralizedTime = 0x18 ,
  NoObject = 0xFF00
}
enum class  Certificate_Status_Code : uint16_t {
  OK = 0 , VERIFIED = 0 , OCSP_RESPONSE_GOOD = 1 , OCSP_SIGNATURE_OK = 2 ,
  VALID_CRL_CHECKED = 3 , OCSP_NO_HTTP = 4 , FIRST_WARNING_STATUS = 500 , CERT_SERIAL_NEGATIVE = 500 ,
  DN_TOO_LONG = 501 , OCSP_NO_REVOCATION_URL = 502 , OCSP_SERVER_NOT_AVAILABLE = 503 , TRUSTED_CERT_HAS_EXPIRED = 504 ,
  TRUSTED_CERT_NOT_YET_VALID = 505 , FIRST_ERROR_STATUS = 1000 , SIGNATURE_METHOD_TOO_WEAK = 1000 , UNTRUSTED_HASH = 1001 ,
  NO_REVOCATION_DATA = 1002 , NO_MATCHING_CRLDP = 1003 , OCSP_ISSUER_NOT_TRUSTED = 1004 , CERT_NOT_YET_VALID = 2000 ,
  CERT_HAS_EXPIRED = 2001 , OCSP_NOT_YET_VALID = 2002 , OCSP_HAS_EXPIRED = 2003 , CRL_NOT_YET_VALID = 2004 ,
  CRL_HAS_EXPIRED = 2005 , OCSP_IS_TOO_OLD = 2006 , CERT_ISSUER_NOT_FOUND = 3000 , CANNOT_ESTABLISH_TRUST = 3001 ,
  CERT_CHAIN_LOOP = 3002 , CHAIN_LACKS_TRUST_ROOT = 3003 , CHAIN_NAME_MISMATCH = 3004 , POLICY_ERROR = 4000 ,
  INVALID_USAGE = 4001 , CERT_CHAIN_TOO_LONG = 4002 , CA_CERT_NOT_FOR_CERT_ISSUER = 4003 , NAME_CONSTRAINT_ERROR = 4004 ,
  IPADDR_BLOCKS_ERROR = 4011 , AS_BLOCKS_ERROR = 4012 , CA_CERT_NOT_FOR_CRL_ISSUER = 4005 , OCSP_CERT_NOT_LISTED = 4006 ,
  OCSP_BAD_STATUS = 4007 , CERT_NAME_NOMATCH = 4008 , UNKNOWN_CRITICAL_EXTENSION = 4009 , DUPLICATE_CERT_EXTENSION = 4010 ,
  OCSP_SIGNATURE_ERROR = 4501 , OCSP_ISSUER_NOT_FOUND = 4502 , OCSP_RESPONSE_MISSING_KEYUSAGE = 4503 , OCSP_RESPONSE_INVALID = 4504 ,
  EXT_IN_V1_V2_CERT = 4505 , DUPLICATE_CERT_POLICY = 4506 , V2_IDENTIFIERS_IN_V1_CERT = 4507 , CERT_IS_REVOKED = 5000 ,
  CRL_BAD_SIGNATURE = 5001 , SIGNATURE_ERROR = 5002 , CERT_PUBKEY_INVALID = 5003 , SIGNATURE_ALGO_UNKNOWN = 5004 ,
  SIGNATURE_ALGO_BAD_PARAMS = 5005
}
enum class  Cipher_Dir : uint8_t { Encryption = 0 , Decryption = 1 , ENCRYPTION = Encryption , DECRYPTION = Decryption }
enum class  CRL_Code : uint8_t {
  Unspecified = 0 , KeyCompromise = 1 , CaCompromise = 2 , AffiliationChanged = 3 ,
  Superseded = 4 , CessationOfOperation = 5 , CertificateHold = 6 , RemoveFromCrl = 8 ,
  PrivilegeWithdrawn = 9 , AaCompromise = 10
}
enum  Decoder_Checking : uint8_t { NONE , IGNORE_WS , FULL_CHECK }
enum class  DL_Group_Format : uint8_t {
  ANSI_X9_42 = 0 , ANSI_X9_57 = 1 , PKCS_3 = 2 , DSA_PARAMETERS = ANSI_X9_57 ,
  DH_PARAMETERS = ANSI_X9_42 , ANSI_X9_42_DH_PARAMETERS = ANSI_X9_42 , PKCS3_DH_PARAMETERS = PKCS_3
}
enum class  DL_Group_Source : uint8_t { Builtin , RandomlyGenerated , ExternalSource }
enum class  EC_Group_Encoding : uint8_t {
  Explicit = 0 , ImplicitCA = 1 , NamedCurve = 2 , EC_DOMPAR_ENC_EXPLICIT = Explicit ,
  EC_DOMPAR_ENC_IMPLICITCA = ImplicitCA , EC_DOMPAR_ENC_OID = NamedCurve
}
enum class  EC_Group_Engine : uint8_t { Optimized , Generic , Legacy }
enum class  EC_Group_Source : uint8_t { Builtin , ExternalSource }
enum class  EC_Point_Format : uint8_t {
  Uncompressed = 0 , Compressed = 1 , UNCOMPRESSED = Uncompressed , COMPRESSED = Compressed ,
  Hybrid = 2 , HYBRID = 2
}
enum class  ECIES_Flags : uint8_t {
  None = 0 , SingleHashMode = 1 , CofactorMode = 2 , OldCofactorMode = 4 ,
  CheckMode = 8 , NONE = None , SINGLE_HASH_MODE = SingleHashMode , COFACTOR_MODE = CofactorMode ,
  OLD_COFACTOR_MODE = OldCofactorMode , CHECK_MODE = CheckMode
}
enum class  ErrorType : uint16_t {
  Unknown = 1 , SystemError = 2 , NotImplemented = 3 , OutOfMemory = 4 ,
  InternalError = 5 , IoError = 6 , InvalidObjectState = 100 , KeyNotSet = 101 ,
  InvalidArgument = 102 , InvalidKeyLength = 103 , InvalidNonceLength = 104 , LookupError = 105 ,
  EncodingFailure = 106 , DecodingFailure = 107 , TLSError = 108 , HttpError = 109 ,
  InvalidTag = 110 , RoughtimeError = 111 , CommonCryptoError = 201 , Pkcs11Error = 202 ,
  TPMError = 203 , DatabaseError = 204 , ZlibError = 300 , Bzip2Error = 301 ,
  LzmaError = 302
}
enum class  LMOTS_Algorithm_Type : uint32_t {
  RESERVED = 0x00 , SHA256_N32_W1 = 0x01 , SHA256_N32_W2 = 0x02 , SHA256_N32_W4 = 0x03 ,
  SHA256_N32_W8 = 0x04 , SHA256_N24_W1 = 0x05 , SHA256_N24_W2 = 0x06 , SHA256_N24_W4 = 0x07 ,
  SHA256_N24_W8 = 0x08 , SHAKE_N32_W1 = 0x09 , SHAKE_N32_W2 = 0x0a , SHAKE_N32_W4 = 0x0b ,
  SHAKE_N32_W8 = 0x0c , SHAKE_N24_W1 = 0x0d , SHAKE_N24_W2 = 0x0e , SHAKE_N24_W4 = 0x0f ,
  SHAKE_N24_W8 = 0x10
}
 Enum of available LM-OTS algorithm types. More...
enum class  LMS_Algorithm_Type : uint32_t {
  RESERVED = 0x00 , SHA256_M32_H5 = 0x05 , SHA256_M32_H10 = 0x06 , SHA256_M32_H15 = 0x07 ,
  SHA256_M32_H20 = 0x08 , SHA256_M32_H25 = 0x09 , SHA256_M24_H5 = 0x0a , SHA256_M24_H10 = 0x0b ,
  SHA256_M24_H15 = 0x0c , SHA256_M24_H20 = 0x0d , SHA256_M24_H25 = 0x0e , SHAKE_M32_H5 = 0x0f ,
  SHAKE_M32_H10 = 0x10 , SHAKE_M32_H15 = 0x11 , SHAKE_M32_H20 = 0x12 , SHAKE_M32_H25 = 0x13 ,
  SHAKE_M24_H5 = 0x14 , SHAKE_M24_H10 = 0x15 , SHAKE_M24_H15 = 0x16 , SHAKE_M24_H20 = 0x17 ,
  SHAKE_M24_H25 = 0x18
}
 Enum of available LMS algorithm types. More...
enum class  MD_Endian : uint8_t { Little , Big }
enum class  MlPrivateKeyFormat : uint8_t { Seed , Expanded }
 Byte encoding format of ML-KEM and ML-DSA the private key. More...
enum class  PublicKeyOperation : uint8_t { Encryption , Signature , KeyEncapsulation , KeyAgreement }
enum class  Signature_Format : uint8_t { Standard = 0 , DerSequence = 1 , IEEE_1363 = Standard , DER_SEQUENCE = DerSequence }
enum class  Sphincs_Address_Type : uint32_t {
  WotsHash = 0 , WotsPublicKeyCompression = 1 , HashTree = 2 , ForsTree = 3 ,
  ForsTreeRootsCompression = 4 , WotsKeyGeneration = 5 , ForsKeyGeneration = 6
}
enum class  Sphincs_Hash_Type : uint8_t { Shake256 , Sha256 , Haraka }
enum class  Sphincs_Parameter_Set : uint8_t {
  Sphincs128Small , Sphincs128Fast , Sphincs192Small , Sphincs192Fast ,
  Sphincs256Small , Sphincs256Fast , SLHDSA128Small , SLHDSA128Fast ,
  SLHDSA192Small , SLHDSA192Fast , SLHDSA256Small , SLHDSA256Fast
}
enum class  TPM_Storage_Type { User , System }
enum class  Usage_Type : uint8_t {
  UNSPECIFIED , TLS_SERVER_AUTH , TLS_CLIENT_AUTH , CERTIFICATE_AUTHORITY ,
  OCSP_RESPONDER , ENCRYPTION
}
enum class  WOTS_Derivation_Method : uint8_t { Botan2x = 1 , NIST_SP800_208 = 2 }

Functions

BigInt abs (const BigInt &n)
BOTAN_MALLOC_FN void * allocate_memory (size_t elems, size_t elem_size)
template<typename... Ptrs>
bool any_null_pointers (Ptrs... ptr)
void argon2 (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t y, size_t p, size_t M, size_t t)
bool argon2_check_pwhash (const char *password, size_t password_len, std::string_view input_hash)
std::string argon2_generate_pwhash (const char *password, size_t password_len, RandomNumberGenerator &rng, size_t p, size_t M, size_t t, uint8_t y, size_t salt_len, size_t output_len)
std::span< const uint8_t > as_span_of_bytes (const char *s, size_t len)
std::span< const uint8_t > as_span_of_bytes (const std::string &s)
std::span< const uint8_t > as_span_of_bytes (std::string_view s)
std::string asn1_class_to_string (ASN1_Class type)
std::string asn1_tag_to_string (ASN1_Type type)
template<typename T>
assert_is_some (std::optional< T > v, const char *expr, const char *func, const char *file, int line)
void assert_unreachable (const char *file, int line)
void assertion_failure (const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
secure_vector< uint8_t > base32_decode (const char input[], size_t input_length, bool ignore_ws)
secure_vector< uint8_t > base32_decode (std::string_view input, bool ignore_ws)
size_t base32_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
size_t base32_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
size_t base32_decode (uint8_t output[], std::string_view input, bool ignore_ws)
size_t base32_decode_max_output (size_t input_length)
size_t base32_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
std::string base32_encode (const uint8_t input[], size_t input_length)
std::string base32_encode (std::span< const uint8_t > input)
size_t base32_encode_max_output (size_t input_length)
std::vector< uint8_t > base58_check_decode (const char input[], size_t input_length)
std::vector< uint8_t > base58_check_decode (std::string_view s)
std::string base58_check_encode (const uint8_t input[], size_t input_length)
std::string base58_check_encode (std::span< const uint8_t > vec)
std::vector< uint8_t > base58_decode (const char input[], size_t input_length)
std::vector< uint8_t > base58_decode (std::string_view s)
std::string base58_encode (const uint8_t input[], size_t input_length)
std::string base58_encode (std::span< const uint8_t > vec)
secure_vector< uint8_t > base64_decode (const char input[], size_t input_length, bool ignore_ws)
size_t base64_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws)
secure_vector< uint8_t > base64_decode (std::string_view input, bool ignore_ws)
size_t base64_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
size_t base64_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
size_t base64_decode (uint8_t output[], std::string_view input, bool ignore_ws)
size_t base64_decode_max_output (size_t input_length)
size_t base64_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
std::string base64_encode (const uint8_t input[], size_t input_length)
std::string base64_encode (std::span< const uint8_t > input)
size_t base64_encode_max_output (size_t input_length)
template<typename Base>
size_t base_decode (const Base &base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
template<typename Base>
size_t base_decode_full (const Base &base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
template<typename Vector, typename Base>
Vector base_decode_to_vec (const Base &base, const char input[], size_t input_length, bool ignore_ws)
template<class Base>
size_t base_encode (const Base &base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
template<typename Base>
std::string base_encode_to_string (const Base &base, const uint8_t input[], size_t input_length)
BOTAN_FUZZER_API void basecase_mul (word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
BOTAN_FUZZER_API void basecase_sqr (word z[], size_t z_size, const word x[], size_t x_size)
template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint basemul_exec (std::span< const typename C::AffinePoint > table, const BlindedScalar &scalar, RandomNumberGenerator &rng)
template<typename C, size_t WindowBits>
std::vector< typename C::AffinePoint > basemul_setup (const typename C::AffinePoint &p, size_t max_scalar_bits)
void bcrypt_pbkdf (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t rounds)
template<WordType W>
constexpr auto bigint_add2 (W x[], size_t x_size, const W y[], size_t y_size) -> W
template<WordType W>
constexpr auto bigint_add3 (W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
template<WordType W>
constexpr int32_t bigint_cmp (const W x[], size_t x_size, const W y[], size_t y_size)
template<WordType W>
constexpr void bigint_cnd_abs (W cnd, W x[], size_t size)
template<WordType W>
constexpr W bigint_cnd_add (W cnd, W x[], const W y[], size_t size)
template<WordType W>
constexpr auto bigint_cnd_sub (W cnd, W x[], const W y[], size_t size) -> W
template<WordType W>
constexpr void bigint_cnd_swap (W cnd, W x[], W y[], size_t size)
void bigint_comba_mul16 (word z[32], const word x[16], const word y[16])
void bigint_comba_mul24 (word z[48], const word x[24], const word y[24])
void bigint_comba_mul4 (word z[8], const word x[4], const word y[4])
void bigint_comba_mul6 (word z[12], const word x[6], const word y[6])
void bigint_comba_mul7 (word z[14], const word x[7], const word y[7])
void bigint_comba_mul8 (word z[16], const word x[8], const word y[8])
void bigint_comba_mul9 (word z[18], const word x[9], const word y[9])
void bigint_comba_sqr16 (word z[32], const word x[16])
void bigint_comba_sqr24 (word z[48], const word x[24])
void bigint_comba_sqr4 (word z[8], const word x[4])
void bigint_comba_sqr6 (word z[12], const word x[6])
void bigint_comba_sqr7 (word z[14], const word x[7])
void bigint_comba_sqr8 (word z[16], const word x[8])
void bigint_comba_sqr9 (word z[18], const word x[9])
template<WordType W>
constexpr auto bigint_ct_is_eq (const W x[], size_t x_size, const W y[], size_t y_size) -> CT::Mask< W >
template<WordType W>
constexpr auto bigint_ct_is_lt (const W x[], size_t x_size, const W y[], size_t y_size, bool lt_or_equal=false) -> CT::Mask< W >
template<WordType W>
constexpr auto bigint_divop_vartime (W n1, W n0, W d) -> W
template<WordType W>
constexpr auto bigint_linmul2 (W x[], size_t x_size, W y) -> W
template<WordType W>
constexpr void bigint_linmul3 (W z[], const W x[], size_t x_size, W y)
template<WordType W>
constexpr auto bigint_modop_vartime (W n1, W n0, W d) -> W
template<WordType W>
constexpr void bigint_monty_maybe_sub (size_t N, W z[], W x0, const W x[], const W p[])
template<size_t N, WordType W>
constexpr void bigint_monty_maybe_sub (W z[N], W x0, const W x[N], const W y[N])
void bigint_monty_redc (word r[], const word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
BOTAN_FUZZER_API void bigint_monty_redc_12 (word r[12], const word z[24], const word p[12], word p_dash, word ws[12])
BOTAN_FUZZER_API void bigint_monty_redc_16 (word r[16], const word z[32], const word p[16], word p_dash, word ws[16])
BOTAN_FUZZER_API void bigint_monty_redc_24 (word r[24], const word z[48], const word p[24], word p_dash, word ws[24])
BOTAN_FUZZER_API void bigint_monty_redc_32 (word r[32], const word z[64], const word p[32], word p_dash, word ws[32])
BOTAN_FUZZER_API void bigint_monty_redc_4 (word r[4], const word z[8], const word p[4], word p_dash, word ws[4])
BOTAN_FUZZER_API void bigint_monty_redc_6 (word r[6], const word z[12], const word p[6], word p_dash, word ws[6])
BOTAN_FUZZER_API void bigint_monty_redc_8 (word r[8], const word z[16], const word p[8], word p_dash, word ws[8])
BOTAN_FUZZER_API void bigint_monty_redc_generic (word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
void bigint_monty_redc_inplace (word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
void bigint_mul (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
template<WordType W>
constexpr void bigint_shl1 (W x[], size_t x_size, size_t x_words, size_t shift)
template<WordType W>
constexpr void bigint_shl2 (W y[], const W x[], size_t x_size, size_t shift)
template<WordType W>
constexpr void bigint_shr1 (W x[], size_t x_size, size_t shift)
template<WordType W>
constexpr void bigint_shr2 (W y[], const W x[], size_t x_size, size_t shift)
void bigint_sqr (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size)
template<WordType W>
constexpr auto bigint_sub2 (W x[], size_t x_size, const W y[], size_t y_size) -> W
template<WordType W>
constexpr void bigint_sub2_rev (W x[], const W y[], size_t y_size)
template<WordType W>
constexpr auto bigint_sub3 (W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
template<WordType W>
constexpr auto bigint_sub_abs (W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T bit_permute_step (T x, T mask, size_t shift)
size_t bit_size_to_32bit_size (size_t bit_size)
size_t bit_size_to_byte_size (size_t bit_size)
constexpr auto bitlen (size_t x)
template<typename T, typename Alloc, typename Alloc2>
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const std::vector< T, Alloc2 > &input)
template<typename T, typename Alloc>
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
std::string bytes_to_string (std::span< const uint8_t > bytes)
template<WordType W, size_t N, size_t L>
constexpr auto bytes_to_words (std::span< const uint8_t, L > bytes)
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_decrypt12 (const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_decrypt9 (const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_encrypt12 (const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
BOTAN_FN_ISA_AVX2_GFNI void camellia_gfni_encrypt9 (const uint8_t in[], uint8_t out[], size_t blocks, std::span< const uint64_t > SK)
template<size_t S, int64_t MUL = 1>
requires (S > 0 && S < 64)
void carry (int64_t &h0, int64_t &h1)
template<size_t S>
requires (S > 0 && S < 32)
void carry0 (int32_t &h0, int32_t &h1)
template<size_t S>
requires (S > 0 && S < 64)
void carry0 (int64_t &h0, int64_t &h1)
constexpr uint64_t carry_shift (const donna128 &a, size_t shift)
uint8_t * cast_char_ptr_to_uint8 (char *s)
const uint8_t * cast_char_ptr_to_uint8 (const char *s)
const char * cast_uint8_ptr_to_char (const uint8_t *b)
char * cast_uint8_ptr_to_char (uint8_t *b)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T ceil_division (T a, T b)
template<std::unsigned_integral T>
requires (sizeof(T) < 32)
constexpr uint8_t ceil_log2 (T x)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T ceil_tobytes (T bits)
std::vector< WotsHashIndexchain_lengths (const SphincsTreeNode &msg, const Sphincs_Parameters &params)
std::string check_and_canonicalize_dns_name (std::string_view name)
bool check_bcrypt (std::string_view pass, std::string_view hash)
bool check_passhash9 (std::string_view pass, std::string_view hash)
template<std::unsigned_integral T>
constexpr std::optional< T > checked_add (T a, T b)
template<std::unsigned_integral T, std::unsigned_integral... Ts>
requires all_same_v<T, Ts...>
constexpr std::optional< T > checked_add (T a, T b, Ts... rest)
template<typename RT, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
constexpr RT checked_cast_to (AT i)
template<typename RT, typename ExceptionType, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
constexpr RT checked_cast_to_or_throw (AT i, std::string_view error_msg_on_fail)
template<std::unsigned_integral T>
constexpr std::optional< T > checked_mul (T a, T b)
template<std::unsigned_integral T>
constexpr std::optional< T > checked_sub (T a, T b)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T choose (T mask, T a, T b)
constexpr void clear_bytes (void *ptr, size_t bytes)
template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
constexpr void clear_mem (R &&mem)
template<typename T>
constexpr void clear_mem (T *ptr, size_t n)
template<size_t N, WordType W>
constexpr void comba_mul (W z[2 *N], const W x[N], const W y[N])
template<size_t N, WordType W>
constexpr void comba_sqr (W z[2 *N], const W x[N])
constexpr uint64_t combine_lower (const donna128 &a, size_t s1, const donna128 &b, size_t s2)
void commoncrypto_adjust_key_size (const uint8_t key[], size_t length, const CommonCryptor_Opts &opts, secure_vector< uint8_t > &full_key)
CommonCryptor_Opts commoncrypto_opts_from_algo (std::string_view algo)
CommonCryptor_Opts commoncrypto_opts_from_algo_name (std::string_view algo_name)
void compute_root (StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)
template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void compute_root (StrongSpan< TreeNode > out_root, AuthPathSS authentication_path, TreeNodeIndex leaf_idx, StrongSpan< const TreeNode > leaf, size_t node_size, TreeLayerIndex total_tree_height, uint32_t idx_offset, concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash, Address &tree_address)
 Uses an authentication path and a leaf node to reconstruct the root node of a merkle tree.
BigInt compute_rsa_secret_exponent (const BigInt &e, const BigInt &phi_n, const BigInt &p, const BigInt &q)
template<typename OutR = detail::AutoDetect, ranges::spanable_range... Rs>
requires (all_same_v<std::ranges::range_value_t<Rs>...>)
constexpr auto concat (Rs &&... ranges)
bool constant_time_compare (const uint8_t x[], const uint8_t y[], size_t len)
bool constant_time_compare (std::span< const uint8_t > x, std::span< const uint8_t > y)
template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
constexpr void copy_mem (OutR &&out, const InR &in)
template<typename T>
requires std::is_trivial_v<std::decay_t<T>>
constexpr void copy_mem (T *out, const T *in, size_t n)
template<ranges::spanable_range InR>
void copy_out_be (std::span< uint8_t > out, const InR &in)
template<ranges::spanable_range InR>
void copy_out_le (std::span< uint8_t > out, const InR &in)
template<WordType W, size_t N>
consteval size_t count_bits (const std::array< W, N > &p)
auto create_aes_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a)
std::unique_ptr< Private_Keycreate_ec_private_key (std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
std::string create_hex_fingerprint (const uint8_t bits[], size_t bits_len, std::string_view hash_name)
std::string create_hex_fingerprint (std::span< const uint8_t > vec, std::string_view hash_name)
std::array< uint8_t, ED448_LENcreate_pk_from_sk (std::span< const uint8_t, ED448_LEN > sk)
 Create a public key point from a secret key (RFC 8032 5.2.5)
std::unique_ptr< Private_Keycreate_private_key (std::string_view alg_name, RandomNumberGenerator &rng, std::string_view params, std::string_view provider)
auto create_shake_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a)
std::span< const uint8_t > cstr_as_span_of_bytes (const char *s)
uint8_t ct_compare_u8 (const uint8_t x[], const uint8_t y[], size_t len)
BigInt ct_divide (const BigInt &x, const BigInt &y)
void ct_divide (const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
BigInt ct_divide_pow2k (size_t k, const BigInt &y)
BigInt ct_divide_word (const BigInt &x, word y)
void ct_divide_word (const BigInt &x, word y, BigInt &q_out, word &r_out)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T ct_is_zero (T x)
word ct_mod_word (const BigInt &x, word y)
BigInt ct_modulo (const BigInt &x, const BigInt &y)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr uint8_t ct_popcount (T x)
template<std::unsigned_integral T>
constexpr T ct_reverse_bits (T b)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr size_t ctz (T n)
void curve25519_basepoint (uint8_t mypublic[32], const uint8_t secret[32])
void curve25519_donna (uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_a_minus_3 (const ProjectivePoint &pt)
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_a_zero (const ProjectivePoint &pt)
template<typename ProjectivePoint, typename FieldElement>
constexpr ProjectivePoint dbl_generic (const ProjectivePoint &pt, const FieldElement &A)
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_n_a_minus_3 (const ProjectivePoint &pt, size_t n)
template<typename ProjectivePoint>
constexpr ProjectivePoint dbl_n_a_zero (const ProjectivePoint &pt, size_t n)
template<typename ProjectivePoint, typename FieldElement>
constexpr ProjectivePoint dbl_n_generic (const ProjectivePoint &pt, const FieldElement &A, size_t n)
void deallocate_memory (void *p, size_t elems, size_t elem_size)
gf2m decode_gf2m (const uint8_t *mem)
Point448 decode_point (std::span< const uint8_t > p_bytes)
 Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate)
ScalarX448 decode_scalar (std::span< const uint8_t > scalar_bytes)
 Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448)
size_t dl_exponent_size (size_t bits)
size_t dl_work_factor (size_t bits)
template<typename E, typename... Args>
void do_throw_error (const char *file, int line, const char *func, Args... args)
size_t ecp_work_factor (size_t bits)
void ed25519_basepoint_mul (std::span< uint8_t, 32 > out, const uint8_t in[32])
void ed25519_gen_keypair (uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32])
void ed25519_sign (uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
bool ed25519_verify (const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
bool ed25519_verify (const uint8_t msg[], size_t msg_len, const uint8_t sig[64], const uint8_t pk[32], const uint8_t domain_sep[], size_t domain_sep_len)
uint32_t encode_gf2m (gf2m to_enc, uint8_t *mem)
secure_vector< uint8_t > encode_point (const Point448 &p)
 Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate)
RandomNumberGeneratoresdm_rng ()
template<typename T>
uint16_t expand_mask_16bit (T tst)
void expand_message_xmd (std::string_view hash_fn, std::span< uint8_t > output, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T expand_top_bit (T a)
template<std::integral T>
consteval eea_result< T > extended_euclidean_algorithm (T a, T b)
secure_vector< gf2mfind_roots_gf2m_decomp (const polyn_gf2m &polyn, size_t code_length)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T floor_log2 (T n)
template<typename... T>
std::string fmt (std::string_view format, const T &... args)
std::string format_char_for_display (char c)
SphincsTreeNode fors_public_key_from_signature (const SphincsHashedMessage &hashed_message, StrongSpan< const ForsSignature > signature, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hash)
 FIPS 205, Algorithm 17: fors_pkFromSig.
SphincsTreeNode fors_sign_and_pkgen (StrongSpan< ForsSignature > sig_out, const SphincsHashedMessage &hashed_message, const SphincsSecretSeed &secret_seed, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation)
BigInt gcd (const BigInt &a, const BigInt &b)
template<typename GeneralVariantT, typename SpecialT>
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
constexpr GeneralVariantT generalize_to (SpecialT &&specific)
 Converts a given variant into another variant-ish whose type states are a super set of the given variant.
template<typename GeneralVariantT, typename... SpecialTs>
constexpr GeneralVariantT generalize_to (std::variant< SpecialTs... > specific)
 Converts a given variant into another variant-ish whose type states are a super set of the given variant.
std::string generate_bcrypt (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, char version)
std::vector< uint8_t > generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits)
bool generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
McEliece_PrivateKey generate_mceliece_key (RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
std::string generate_passhash9 (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, uint8_t alg_id)
BigInt generate_rfc6979_nonce (const BigInt &x, const BigInt &q, const BigInt &h, std::string_view hash)
BigInt generate_rsa_prime (RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
AEAD_Modeget_aead (std::string_view name, Cipher_Dir direction)
template<size_t B, typename T>
requires (B < sizeof(T))
constexpr uint8_t get_byte (T input)
template<typename T>
constexpr uint8_t get_byte_var (size_t byte_num, T input)
Keyed_Filterget_cipher (std::string_view algo_spec, Cipher_Dir direction)
Keyed_Filterget_cipher (std::string_view algo_spec, const SymmetricKey &key, Cipher_Dir direction)
Keyed_Filterget_cipher (std::string_view algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction)
Cipher_Modeget_cipher_mode (std::string_view algo_spec, Cipher_Dir direction, std::string_view provider="")
std::vector< std::string > get_files_recursive (std::string_view dir)
KDFget_kdf (std::string_view algo_spec)
PBKDFget_pbkdf (std::string_view algo_spec, std::string_view provider="")
PBKDFget_s2k (std::string_view algo_spec)
template<WordType W>
constexpr uint32_t get_uint32 (const W xw[], size_t i)
template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 gf2p8affine (const SIMD_8x32 &x)
template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 gf2p8affineinv (const SIMD_8x32 &x)
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 gf2p8mul (const SIMD_8x32 &a, const SIMD_8x32 &b)
consteval uint64_t gfni_matrix (std::string_view s)
gf2m gray_to_lex (gf2m gray)
bool has_filesystem_impl ()
template<typename C, bool RO, std::invocable< std::span< uint8_t > > ExpandMsg>
requires C::ValidForSswuHash
auto hash_to_curve_sswu (const ExpandMsg &expand_message) -> std::conditional_t< RO, typename C::ProjectivePoint, typename C::AffinePoint >
std::vector< uint8_t > hex_decode (const char input[], size_t input_length, bool ignore_ws)
size_t hex_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws)
std::vector< uint8_t > hex_decode (std::string_view input, bool ignore_ws)
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
size_t hex_decode (uint8_t output[], std::string_view input, bool ignore_ws)
secure_vector< uint8_t > hex_decode_locked (const char input[], size_t input_length, bool ignore_ws)
secure_vector< uint8_t > hex_decode_locked (std::string_view input, bool ignore_ws)
void hex_encode (char output[], const uint8_t input[], size_t input_length, bool uppercase)
std::string hex_encode (const uint8_t input[], size_t input_length, bool uppercase)
std::string hex_encode (std::span< const uint8_t > input, bool uppercase=true)
template<WordType W, size_t N>
constexpr auto hex_to_words (const char(&s)[N])
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr size_t high_bit (T n)
secure_vector< uint8_t > hkdf_expand_label (std::string_view hash_fn, std::span< const uint8_t > secret, std::string_view label, std::span< const uint8_t > hash_val, size_t length)
template<typename... Alts, typename... Ts>
constexpr bool holds_any_of (const std::variant< Ts... > &v) noexcept
bool host_wildcard_match (std::string_view issued_, std::string_view host_)
void ht_sign (StrongSpan< SphincsHypertreeSignature > out_sig, const SphincsTreeNode &message_to_sign, const SphincsSecretSeed &secret_seed, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 12: ht_sign.
bool ht_verify (const SphincsTreeNode &signed_msg, StrongSpan< const SphincsHypertreeSignature > ht_sig, const SphincsTreeNode &pk_root, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 13: ht_verify.
uint8_t ieee1363_hash_id (std::string_view name)
size_t if_work_factor (size_t bits)
template<typename... T>
constexpr void ignore_params (const T &... args)
template<std::unsigned_integral T>
constexpr size_t index_of_first_set_byte (T v)
void initialize_allocator ()
bool intersects (ASN1_Class x, ASN1_Class y)
BigInt inverse_mod (const BigInt &n, const BigInt &mod)
std::optional< BigIntinverse_mod_general (const BigInt &x, const BigInt &mod)
BigInt inverse_mod_public_prime (const BigInt &x, const BigInt &p)
BigInt inverse_mod_rsa_public_modulus (const BigInt &x, const BigInt &n)
BigInt inverse_mod_secret_prime (const BigInt &x, const BigInt &p)
template<typename C>
constexpr auto invert_field_element (const typename C::FieldElement &fe)
std::string ipv4_to_string (uint32_t ip)
bool is_bailie_psw_probable_prime (const BigInt &n, const Barrett_Reduction &mod_n)
template<typename GeneralVariantT, typename SpecialT>
constexpr bool is_generalizable_to (const SpecialT &) noexcept
template<typename GeneralVariantT, typename... SpecialTs>
constexpr bool is_generalizable_to (const std::variant< SpecialTs... > &) noexcept
bool is_lucas_probable_prime (const BigInt &C, const Barrett_Reduction &mod_C)
bool is_miller_rabin_probable_prime (const BigInt &n, const Barrett_Reduction &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
bool is_passhash9_alg_supported (uint8_t alg_id)
BigInt is_perfect_square (const BigInt &C)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr bool is_power_of_2 (T arg)
bool is_prime (const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
std::optional< uint32_t > is_sub_element_of (const OID &oid, std::initializer_list< uint32_t > prefix)
int32_t jacobi (const BigInt &a, const BigInt &n)
template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
size_t keccak_absorb_padded_strings_encoding (T &sink, size_t padding_mod, Ts... byte_strings)
size_t keccak_int_encoding_size (size_t x)
std::span< const uint8_t > keccak_int_left_encode (std::span< uint8_t > out, size_t x)
std::span< const uint8_t > keccak_int_right_encode (std::span< uint8_t > out, size_t x)
constexpr size_t keccak_max_int_encoding_size ()
void Keccak_Permutation_round (uint64_t T[25], const uint64_t A[25], uint64_t RC)
std::string key_constraints_to_string (Key_Constraints c)
std::string latin1_to_utf8 (const uint8_t chars[], size_t len)
BigInt lcm (const BigInt &a, const BigInt &b)
gf2m lex_to_gray (gf2m lex)
LMOTS_K lmots_compute_pubkey_from_sig (const LMOTS_Signature &sig, const LMS_Message &msg, const LMS_Identifier &identifier, LMS_Tree_Node_Idx q)
 Compute a public key candidate for an OTS-signature-message pair and the OTS instance parameters.
uint32_t load_3 (const uint8_t in[3])
uint32_t load_4 (const uint8_t *in)
template<typename OutT = detail::AutoDetect, typename... ParamTs>
constexpr auto load_be (ParamTs &&... params)
template<typename OutT = detail::AutoDetect, typename... ParamTs>
constexpr auto load_le (ParamTs &&... params)
std::unique_ptr< Private_Keyload_private_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
std::unique_ptr< Public_Keyload_public_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits)
template<typename T>
secure_vector< T > lock (const std::vector< T > &in)
size_t low_zero_bits (const BigInt &n)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T majority (T a, T b, T c)
std::unique_ptr< BlockCiphermake_commoncrypto_block_cipher (std::string_view name)
std::unique_ptr< Cipher_Modemake_commoncrypto_cipher_mode (std::string_view name, Cipher_Dir direction)
std::unique_ptr< HashFunctionmake_commoncrypto_hash (std::string_view name)
Compression_Algorithmmake_compressor (std::string_view type)
Decompression_Algorithmmake_decompressor (std::string_view type)
constexpr uint16_t make_uint16 (uint8_t i0, uint8_t i1)
constexpr uint32_t make_uint32 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
constexpr uint64_t make_uint64 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7)
template<typename T, typename Pred>
void map_remove_if (Pred pred, T &assoc)
template<typename C>
auto map_to_curve_sswu (const typename C::FieldElement &u) -> typename C::AffinePoint
secure_vector< uint8_t > mceliece_decrypt (secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key)
void mceliece_decrypt (secure_vector< uint8_t > &plaintext, secure_vector< uint8_t > &error_mask, const uint8_t ciphertext[], size_t ciphertext_len, const McEliece_PrivateKey &key)
void mceliece_decrypt (secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
void mceliece_encrypt (secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
size_t mceliece_work_factor (size_t n, size_t t)
template<typename F>
uint64_t measure_cost (std::chrono::milliseconds trial_msec, F func)
void mgf1_mask (HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
void mgf1_mask (HashFunction &hash, std::span< const uint8_t > input, std::span< uint8_t > output)
size_t miller_rabin_test_iterations (size_t n_bits, size_t prob, bool random)
template<std::integral T, std::integral T2 = next_longer_int_t<T>>
requires (sizeof(T) <= 4)
consteval T modular_inverse (T q, T2 m=T2(1)<< sizeof(T) *8)
template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
consteval T montgomery_R (T q)
template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
consteval T montgomery_R2 (T q)
Montgomery_Int monty_execute (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Montgomery_Int monty_execute_vartime (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Montgomery_Int monty_exp (const Montgomery_Params &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
Montgomery_Int monty_exp_vartime (const Montgomery_Params &params_p, const BigInt &g, const BigInt &k)
template<WordType W>
constexpr auto monty_inverse (W a) -> W
Montgomery_Int monty_multi_exp (const Montgomery_Params &params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute (const Montgomery_Int &g, size_t window_bits, bool const_time)
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute (const Montgomery_Params &params, const BigInt &g, size_t window_bits, bool const_time)
template<WordType W, size_t N>
constexpr auto monty_redc (const std::array< W, 2 *N > &z, const std::array< W, N > &p, W p_dash) -> std::array< W, N >
template<WordType W, size_t N>
constexpr auto monty_redc_pdash1 (const std::array< W, 2 *N > &z, const std::array< W, N > &p) -> std::array< W, N >
template<WordType W, size_t N>
consteval std::array< W, N > montygomery_r (const std::array< W, N > &p)
template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint mul2_exec (const AffinePointTable< C > &table, const BlindedScalar &x, const BlindedScalar &y, RandomNumberGenerator &rng)
template<typename C, size_t WindowBits>
std::vector< typename C::ProjectivePoint > mul2_setup (const typename C::AffinePoint &p, const typename C::AffinePoint &q)
constexpr void mul64x64_128 (uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
template<WordType W, size_t N>
consteval std::array< W, N > mul_mod (const std::array< W, N > &x, const std::array< W, N > &y, const std::array< W, N > &p)
EC_Point multi_exponentiate (const EC_Point &p1, const BigInt &z1, const EC_Point &p2, const BigInt &z2)
secure_vector< uint8_t > nist_key_unwrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
secure_vector< uint8_t > nist_key_unwrap (std::span< const uint8_t > input, const BlockCipher &bc)
secure_vector< uint8_t > nist_key_unwrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
secure_vector< uint8_t > nist_key_unwrap_padded (std::span< const uint8_t > input, const BlockCipher &bc)
std::vector< uint8_t > nist_key_wrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
std::vector< uint8_t > nist_key_wrap (std::span< const uint8_t > input, const BlockCipher &bc)
std::vector< uint8_t > nist_key_wrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
std::vector< uint8_t > nist_key_wrap_padded (std::span< const uint8_t > input, const BlockCipher &bc)
CT::Option< size_t > oaep_find_delim (std::span< const uint8_t > input, std::span< const uint8_t > phash)
bool operator!= (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
bool operator!= (const ASN1_Time &x, const ASN1_Time &y)
bool operator!= (const BigInt &a, const BigInt &b)
bool operator!= (const BigInt &a, word b)
bool operator!= (const CRL_Entry &a1, const CRL_Entry &a2)
bool operator!= (const EC_Group &lhs, const EC_Group &rhs)
bool operator!= (const OctetString &s1, const OctetString &s2)
bool operator!= (const OID &a, const OID &b)
template<typename T, typename U>
bool operator!= (const secure_allocator< T > &, const secure_allocator< U > &)
template<bitvectorish T1, bitvectorish T2>
bool operator!= (const T1 &lhs, const T2 &rhs)
bool operator!= (const X509_Certificate &cert1, const X509_Certificate &cert2)
bool operator!= (const X509_DN &dn1, const X509_DN &dn2)
BigInt operator% (const BigInt &n, const BigInt &mod)
word operator% (const BigInt &n, word mod)
template<bitvectorish T1, bitvectorish T2>
auto operator& (const T1 &lhs, const T2 &rhs)
ECIES_Flags operator& (ECIES_Flags a, ECIES_Flags b)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator& (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator& (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator& (T1 a, Strong< T2, Tags... > b)
template<std::integral T, typename... Tags>
constexpr auto operator&= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator&= (Strong< T1, Tags... > &a, T2 b)
EC_Point operator* (const BigInt &scalar, const EC_Point &point)
BigInt operator* (const BigInt &x, const BigInt &y)
BigInt operator* (const BigInt &x, word y)
template<std::integral T>
constexpr donna128 operator* (const donna128 &x, T y)
EC_Point operator* (const EC_Point &point, const BigInt &scalar)
Ed25519_FieldElement operator* (const Ed25519_FieldElement &x, const Ed25519_FieldElement &y)
Ed448Point operator* (const Scalar448 &lhs, const Ed448Point &rhs)
 Syntax sugar for scalar multiplication.
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator* (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator* (Strong< T1, Tags... > a, T2 b)
template<std::integral T>
constexpr donna128 operator* (T y, const donna128 &x)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator* (T1 a, Strong< T2, Tags... > b)
BigInt operator* (word x, const BigInt &y)
template<std::integral T, typename... Tags>
constexpr auto operator*= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator*= (Strong< T1, Tags... > &a, T2 b)
BigInt operator+ (const BigInt &x, const BigInt &y)
BigInt operator+ (const BigInt &x, word y)
constexpr donna128 operator+ (const donna128 &x, const donna128 &y)
constexpr donna128 operator+ (const donna128 &x, uint64_t y)
EC_Point operator+ (const EC_Point &lhs, const EC_Point &rhs)
Ed25519_FieldElement operator+ (const Ed25519_FieldElement &x, const Ed25519_FieldElement &y)
OctetString operator+ (const OctetString &k1, const OctetString &k2)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator+ (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator+ (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator+ (T1 a, Strong< T2, Tags... > b)
BigInt operator+ (word x, const BigInt &y)
template<std::integral T, typename... Tags>
constexpr auto operator++ (Strong< T, Tags... > &a)
template<std::integral T, typename... Tags>
constexpr auto operator++ (Strong< T, Tags... > &a, int)
template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< const T *, L > &in)
template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< T *, L > &in)
template<typename T, typename Alloc, typename Alloc2>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::vector< T, Alloc2 > &in)
template<typename T, typename Alloc>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, std::span< const T > in)
template<typename T, typename Alloc>
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, T in)
template<std::integral T, typename... Tags>
constexpr auto operator+= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator+= (Strong< T1, Tags... > &a, T2 b)
BigInt operator- (const BigInt &x, const BigInt &y)
BigInt operator- (const BigInt &x, word y)
EC_Point operator- (const EC_Point &lhs)
EC_Point operator- (const EC_Point &lhs, const EC_Point &rhs)
Ed25519_FieldElement operator- (const Ed25519_FieldElement &x)
Ed25519_FieldElement operator- (const Ed25519_FieldElement &x, const Ed25519_FieldElement &y)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator- (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator- (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator- (T1 a, Strong< T2, Tags... > b)
template<std::integral T, typename... Tags>
constexpr auto operator-- (Strong< T, Tags... > &a)
template<std::integral T, typename... Tags>
constexpr auto operator-- (Strong< T, Tags... > &a, int)
template<std::integral T, typename... Tags>
constexpr auto operator-= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator-= (Strong< T1, Tags... > &a, T2 b)
BigInt operator/ (const BigInt &x, const BigInt &y)
BigInt operator/ (const BigInt &x, word y)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator/ (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator/ (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator/ (T1 a, Strong< T2, Tags... > b)
template<std::integral T, typename... Tags>
constexpr auto operator/= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator/= (Strong< T1, Tags... > &a, T2 b)
bool operator< (const ASN1_Time &x, const ASN1_Time &y)
bool operator< (const BigInt &a, const BigInt &b)
bool operator< (const BigInt &a, word b)
bool operator< (const OID &a, const OID &b)
bool operator< (const X509_DN &dn1, const X509_DN &dn2)
BigInt operator<< (const BigInt &x, size_t shift)
int operator<< (int fd, Pipe &pipe)
std::ostream & operator<< (std::ostream &os, const GeneralName &gn)
std::ostream & operator<< (std::ostream &os, const GeneralSubtree &gs)
template<typename T, typename... Tags>
requires (concepts::streamable<T>)
decltype(auto) operator<< (std::ostream &os, const Strong< T, Tags... > &v)
std::ostream & operator<< (std::ostream &out, const OID &oid)
std::ostream & operator<< (std::ostream &out, const X509_DN &dn)
std::ostream & operator<< (std::ostream &out, Pipe &pipe)
std::ostream & operator<< (std::ostream &stream, const BigInt &n)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator<< (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator<< (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator<< (T1 a, Strong< T2, Tags... > b)
template<std::integral T, typename... Tags>
constexpr auto operator<<= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator<<= (Strong< T1, Tags... > &a, T2 b)
bool operator<= (const ASN1_Time &x, const ASN1_Time &y)
bool operator<= (const BigInt &a, const BigInt &b)
bool operator<= (const BigInt &a, word b)
template<typename T, typename... Tags>
requires (std::three_way_comparable<T>)
auto operator<=> (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs)
template<std::integral T1, std::integral T2, typename... Tags>
auto operator<=> (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
auto operator<=> (T1 a, Strong< T2, Tags... > b)
bool operator== (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
bool operator== (const ASN1_Time &x, const ASN1_Time &y)
bool operator== (const BigInt &a, const BigInt &b)
bool operator== (const BigInt &a, word b)
bool operator== (const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient &lhs, const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient &rhs)
bool operator== (const CRL_Entry &a1, const CRL_Entry &a2)
bool operator== (const OctetString &s1, const OctetString &s2)
template<typename T, typename U>
bool operator== (const secure_allocator< T > &, const secure_allocator< U > &)
template<typename T, typename... Tags>
requires (std::equality_comparable<T>)
bool operator== (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs)
template<bitvectorish T1, bitvectorish T2>
bool operator== (const T1 &lhs, const T2 &rhs)
bool operator== (const X509_DN &dn1, const X509_DN &dn2)
template<std::integral T1, std::integral T2, typename... Tags>
auto operator== (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
auto operator== (T1 a, Strong< T2, Tags... > b)
bool operator> (const ASN1_Time &x, const ASN1_Time &y)
bool operator> (const BigInt &a, const BigInt &b)
bool operator> (const BigInt &a, word b)
bool operator>= (const ASN1_Time &x, const ASN1_Time &y)
bool operator>= (const BigInt &a, const BigInt &b)
bool operator>= (const BigInt &a, word b)
BigInt operator>> (const BigInt &x, size_t shift)
int operator>> (int fd, Pipe &pipe)
std::istream & operator>> (std::istream &in, Pipe &pipe)
std::istream & operator>> (std::istream &in, X509_DN &dn)
std::istream & operator>> (std::istream &stream, BigInt &n)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator>> (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator>> (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator>> (T1 a, Strong< T2, Tags... > b)
template<std::integral T, typename... Tags>
constexpr auto operator>>= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator>>= (Strong< T1, Tags... > &a, T2 b)
OctetString operator^ (const OctetString &k1, const OctetString &k2)
template<bitvectorish T1, bitvectorish T2>
auto operator^ (const T1 &lhs, const T2 &rhs)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator^ (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator^ (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator^ (T1 a, Strong< T2, Tags... > b)
template<typename Alloc, typename Alloc2>
std::vector< uint8_t, Alloc > & operator^= (std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in)
template<std::integral T, typename... Tags>
constexpr auto operator^= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator^= (Strong< T1, Tags... > &a, T2 b)
ASN1_Class operator| (ASN1_Class x, ASN1_Class y)
uint32_t operator| (ASN1_Class x, ASN1_Type y)
uint32_t operator| (ASN1_Type x, ASN1_Class y)
ASN1_Type operator| (ASN1_Type x, ASN1_Type y)
constexpr donna128 operator| (const donna128 &x, const donna128 &y)
constexpr donna128 operator| (const donna128 &x, uint64_t y)
template<bitvectorish T1, bitvectorish T2>
auto operator| (const T1 &lhs, const T2 &rhs)
ECIES_Flags operator| (ECIES_Flags a, ECIES_Flags b)
template<std::integral T, typename... Tags>
constexpr decltype(auto) operator| (Strong< T, Tags... > a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator| (Strong< T1, Tags... > a, T2 b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr decltype(auto) operator| (T1 a, Strong< T2, Tags... > b)
template<std::integral T, typename... Tags>
constexpr auto operator|= (Strong< T, Tags... > &a, Strong< T, Tags... > b)
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
constexpr auto operator|= (Strong< T1, Tags... > &a, T2 b)
EC_Point OS2ECP (const uint8_t data[], size_t data_len, const CurveGFp &curve)
std::pair< BigInt, BigIntOS2ECP (const uint8_t pt[], size_t pt_len, const BigInt &p, const BigInt &a, const BigInt &b)
EC_Point OS2ECP (std::span< const uint8_t > data, const CurveGFp &curve)
template<typename T>
requires std::is_default_constructible_v<T>
constexpr auto out_opt (std::optional< T > &outopt) noexcept
template<typename T>
constexpr auto out_ptr (T &outptr) noexcept
template<class... Ts>
 overloaded (Ts...) -> overloaded< Ts... >
template<WordType W, size_t N>
consteval std::array< W, N > p_div_2_plus_1 (const std::array< W, N > &p)
template<uint8_t X, WordType W, size_t N>
consteval std::array< W, N > p_minus (const std::array< W, N > &p)
template<WordType W, size_t N>
consteval std::array< W, N > p_minus_1_over_2 (const std::array< W, N > &p)
template<WordType W, size_t N>
consteval std::array< W, N > p_plus_1_over_4 (const std::array< W, N > &p)
std::vector< std::string > parse_algorithm_name (std::string_view namex)
bool passes_miller_rabin_test (const BigInt &n, const Barrett_Reduction &mod_n, const Montgomery_Params &monty_n, const BigInt &a)
secure_vector< uint8_t > pbes2_decrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, const std::vector< uint8_t > &params)
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter (std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng)
void pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const uint8_t salt[], size_t salt_len, size_t iterations)
size_t pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
std::vector< uint8_t > pkcs_hash_id (std::string_view name)
template<typename ProjectivePoint, typename FieldElement>
constexpr ProjectivePoint point_add (const ProjectivePoint &a, const ProjectivePoint &b)
template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
constexpr ProjectivePoint point_add_mixed (const ProjectivePoint &a, const AffinePoint &b, const FieldElement &one)
template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
constexpr ProjectivePoint point_add_or_sub_mixed (const ProjectivePoint &a, const AffinePoint &b, CT::Choice sub, const FieldElement &one)
void poly_double_n (uint8_t buf[], size_t n)
void poly_double_n (uint8_t out[], const uint8_t in[], size_t n)
void poly_double_n_le (uint8_t out[], const uint8_t in[], size_t n)
bool poly_double_supported_size (size_t n)
BigInt power_mod (const BigInt &base, const BigInt &exp, const BigInt &mod)
uint64_t prefetch_array_raw (size_t bytes, const void *arrayv) noexcept
template<std::unsigned_integral T, size_t... Ns>
prefetch_arrays (T(&... arr)[Ns]) noexcept
std::vector< std::string > probe_provider_private_key (std::string_view alg_name, const std::vector< std::string > &possible)
template<typename T>
std::vector< std::string > probe_providers_of (std::string_view algo_spec, const std::vector< std::string > &possible={"base"})
gf2m random_code_element (uint16_t code_length, RandomNumberGenerator &rng)
gf2m random_gf2m (RandomNumberGenerator &rng)
BigInt random_prime (RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
BigInt random_safe_prime (RandomNumberGenerator &rng, size_t bits)
std::map< std::string, std::string > read_cfg (std::istream &is)
BOTAN_TEST_API std::map< std::string, std::string > read_kv (std::string_view kv)
template<size_t WindowBits, typename W, size_t N>
constexpr size_t read_window_bits (std::span< const W, N > words, size_t offset)
template<WordType W, size_t N, W C>
constexpr std::array< W, N > redc_crandall (std::span< const W, 2 *N > z)
void redc_mul (int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
template<typename RetT, typename KeyT, typename ReducerT>
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
RetT reduce (const std::vector< KeyT > &keys, RetT acc, ReducerT reducer)
template<WordType W, size_t N, size_t XN>
consteval std::array< W, N > reduce_mod (const std::array< W, XN > &x, const std::array< W, N > &p)
template<std::unsigned_integral T>
requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8)
constexpr T reverse_bytes (T x)
secure_vector< uint8_t > rfc3394_keyunwrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
secure_vector< uint8_t > rfc3394_keywrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
size_t RFC4880_decode_count (uint8_t iter)
uint8_t RFC4880_encode_count (size_t desired_iterations)
size_t RFC4880_round_iterations (size_t iterations)
template<size_t R1, size_t R2, size_t R3, std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T rho (T x)
Gf448Elem root (const Gf448Elem &elem)
 Compute the root of elem in the field.
template<size_t R>
SIMD_16x32 rotl (SIMD_16x32 input)
template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 rotl (SIMD_4x32 input)
template<size_t R>
SIMD_8x32 rotl (SIMD_8x32 input)
template<size_t ROT, std::unsigned_integral T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
BOTAN_FORCE_INLINE constexpr T rotl (T input)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T rotl_var (T input, size_t rot)
template<size_t R>
SIMD_16x32 rotr (SIMD_16x32 input)
template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 rotr (SIMD_4x32 input)
template<size_t R>
SIMD_8x32 rotr (SIMD_8x32 input)
template<size_t ROT, std::unsigned_integral T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
BOTAN_FORCE_INLINE constexpr T rotr (T input)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T rotr_var (T input, size_t rot)
constexpr size_t round_up (size_t n, size_t align_to)
std::string runtime_version_check (uint32_t major, uint32_t minor, uint32_t patch)
template<typename T>
bool same_mem (const T *p1, const T *p2, size_t n)
void sc_muladd (uint8_t *s, const uint8_t *a, const uint8_t *b, const uint8_t *c)
void sc_reduce (uint8_t *s)
void scrypt (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
void scrypt (uint8_t output[], size_t output_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
void secure_scrub_memory (ranges::contiguous_output_range auto &&data)
void secure_scrub_memory (void *ptr, size_t n)
constexpr void set_mem (uint8_t *ptr, size_t n, uint8_t val)
BOTAN_FORCE_INLINE void SHA2_32_F (uint32_t A, uint32_t B, uint32_t C, uint32_t &D, uint32_t E, uint32_t F, uint32_t G, uint32_t &H, uint32_t &M1, uint32_t M2, uint32_t M3, uint32_t M4, uint32_t magic)
BOTAN_FORCE_INLINE void SHA2_32_F (uint32_t A, uint32_t B, uint32_t C, uint32_t &D, uint32_t E, uint32_t F, uint32_t G, uint32_t &H, uint32_t M)
BOTAN_FORCE_INLINE void SHA2_64_F (uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t &M1, uint64_t M2, uint64_t M3, uint64_t M4, uint64_t magic)
BOTAN_FORCE_INLINE void SHA2_64_F (uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t M)
template<WordType W, size_t N>
consteval std::pair< size_t, std::array< W, N > > shanks_tonelli_c1c2 (const std::array< W, N > &p)
template<WordType W, size_t N>
consteval std::array< W, N > shanks_tonelli_c3 (const std::array< W, N > &c2)
template<typename Z, WordType W, size_t N>
consteval auto shanks_tonelli_c4 (const std::array< W, N > &p_minus_1_over_2) -> Z
template<size_t S, WordType W, size_t N>
constexpr W shift_left (std::array< W, N > &x)
template<size_t S, WordType W, size_t N>
constexpr W shift_right (std::array< W, N > &x)
template<size_t S>
SIMD_16x32 shl (SIMD_16x32 input)
template<size_t S>
SIMD_4x32 shl (SIMD_4x32 input)
template<size_t S>
SIMD_8x32 shl (SIMD_8x32 input)
const char * short_version_cstr ()
std::string short_version_string ()
template<size_t R1, size_t R2, size_t S, std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T sigma (T x)
std::array< uint8_t, 2 *ED448_LENsign_message (std::span< const uint8_t, ED448_LEN > sk, std::span< const uint8_t, ED448_LEN > pk, bool f, std::span< const uint8_t > context, std::span< const uint8_t > msg)
 Sign a message using a keypair (RFC 8032 5.2.6)
bool signature_check (std::span< const uint8_t, 32 > pk, const uint8_t h[32], const uint8_t r[32], const uint8_t s[32])
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr size_t significant_bytes (T n)
std::vector< uint8_t > sm2_compute_za (HashFunction &hash, std::string_view user_id, const EC_Group &group, const EC_AffinePoint &pubkey)
template<size_t N, WordType W>
constexpr void solinas_correct_redc (std::array< W, N > &r, const std::array< W, N > &P, const std::array< W, N > &C)
std::vector< std::string > split_on (std::string_view str, char delim)
template<typename C>
constexpr CT::Option< typename C::FieldElement > sqrt_field_element (const typename C::FieldElement &fe)
BigInt sqrt_modulo_prime (const BigInt &a, const BigInt &p)
BigInt square (const BigInt &x)
Gf448Elem square (const Gf448Elem &elem)
 Computes elem^2. Faster than operator*.
std::pair< BigInt, SymmetricKeysrp6_client_agree (std::string_view identifier, std::string_view password, const DL_Group &group, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, const size_t a_bits, RandomNumberGenerator &rng)
std::pair< BigInt, SymmetricKeysrp6_client_agree (std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
BigInt srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, const DL_Group &group, std::string_view hash_id)
BigInt srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
std::string srp6_group_identifier (const BigInt &N, const BigInt &g)
template<typename C>
requires C::ValidForSswuHash
const auto & SSWU_C1 ()
template<typename C>
requires C::ValidForSswuHash
const auto & SSWU_C2 ()
template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
constexpr auto store_be (ParamTs &&... params)
template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
constexpr auto store_le (ParamTs &&... params)
std::string string_join (const std::vector< std::string > &strs, char delim)
std::optional< uint32_t > string_to_ipv4 (std::string_view str)
template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr void swap_bits (T &x, T &y, T mask, size_t shift)
template<std::unsigned_integral T>
constexpr T swar_in_range (T v, T lower, T upper)
template<std::unsigned_integral T>
constexpr T swar_lt (T a, T b)
std::vector< polyn_gf2msyndrome_init (const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
RandomNumberGeneratorsystem_rng ()
void throw_invalid_argument (const char *message, const char *func, const char *file)
void throw_invalid_state (const char *expr, const char *func, const char *file)
template<typename C>
constexpr auto to_affine (const typename C::ProjectivePoint &pt)
template<typename C>
auto to_affine_batch (std::span< const typename C::ProjectivePoint > projective)
template<typename C>
auto to_affine_x (const typename C::ProjectivePoint &pt)
const char * to_string (Certificate_Status_Code code)
std::string to_string (ErrorType type)
 Convert an ErrorType to string.
uint32_t to_u32bit (std::string_view str_view)
uint16_t to_uint16 (std::string_view str)
template<typename T>
requires std::is_enum_v<T>
auto to_underlying (T e) noexcept
std::string tolower_string (std::string_view in)
void treehash (StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)
template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void treehash (StrongSpan< TreeNode > out_root, std::optional< AuthPathSS > out_auth_path, std::optional< TreeNodeIndex > leaf_idx, size_t node_size, TreeLayerIndex total_tree_height, uint32_t idx_offset, concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash, concepts::tree_gen_leaf< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto gen_leaf, Address &tree_address)
 Treehash logic to build up a merkle hash tree.
template<typename ToT, ranges::contiguous_range FromR>
requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
constexpr ToT typecast_copy (const FromR &src)
template<typename To>
requires std::is_trivial_v<To>
constexpr To typecast_copy (const uint8_t src[]) noexcept
template<typename T>
requires std::is_trivial_v<std::decay_t<T>>
constexpr void typecast_copy (T &out, const uint8_t in[])
template<typename T>
requires std::is_trivial_v<T>
constexpr void typecast_copy (T out[], const uint8_t in[], size_t N)
template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void typecast_copy (ToR &&out, const FromR &in)
template<ranges::contiguous_output_range ToR, typename FromT>
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
constexpr void typecast_copy (ToR &&out, const FromT &in)
template<typename ToT, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
constexpr void typecast_copy (ToT &out, const FromR &in)
template<typename T>
constexpr void typecast_copy (uint8_t out[], const T &in)
template<typename T>
requires std::is_trivially_copyable_v<T>
constexpr void typecast_copy (uint8_t out[], T in[], size_t N)
std::string ucs2_to_utf8 (const uint8_t ucs2[], size_t len)
std::string ucs4_to_utf8 (const uint8_t ucs4[], size_t len)
template<typename T>
std::vector< T > unlock (const secure_vector< T > &in)
bool unsafe_for_production_build ()
template<typename T>
constexpr decltype(auto) unwrap_strong_type (T &&t)
 Generically unwraps a strong type to its underlying type.
template<typename T, typename OT>
bool value_exists (const std::vector< T > &vec, const OT &val)
BOTAN_FORCE_INLINE constexpr size_t var_ctz32 (uint32_t n)
template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint varpoint_exec (const AffinePointTable< C > &table, const BlindedScalar &scalar, RandomNumberGenerator &rng)
template<typename C, size_t TableSize>
AffinePointTable< C > varpoint_setup (const typename C::AffinePoint &p)
void vartime_divide (const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
bool verify_signature (std::span< const uint8_t, ED448_LEN > pk, bool phflag, std::span< const uint8_t > context, std::span< const uint8_t > sig, std::span< const uint8_t > msg)
 Verify a signature(RFC 8032 5.2.7)
const char * version_cstr ()
uint32_t version_datestamp ()
std::optional< std::string > version_distribution_info ()
uint32_t version_major ()
uint32_t version_minor ()
uint32_t version_patch ()
std::string version_string ()
std::optional< std::string > version_vc_revision ()
template<WordType W>
constexpr auto word8_add2 (W x[8], const W y[8], W carry) -> W
template<WordType W>
constexpr auto word8_add3 (W z[8], const W x[8], const W y[8], W carry) -> W
template<WordType W>
constexpr auto word8_linmul3 (W z[8], const W x[8], W y, W carry) -> W
template<WordType W>
constexpr auto word8_madd3 (W z[8], const W x[8], W y, W carry) -> W
template<WordType W>
constexpr auto word8_sub2 (W x[8], const W y[8], W carry) -> W
template<WordType W>
constexpr auto word8_sub3 (W z[8], const W x[8], const W y[8], W carry) -> W
template<WordType W>
constexpr auto word_add (W x, W y, W *carry) -> W
template<WordType W>
constexpr auto word_madd2 (W a, W b, W *c) -> W
template<WordType W>
constexpr auto word_madd3 (W a, W b, W c, W *d) -> W
template<WordType W>
constexpr auto word_sub (W x, W y, W *carry) -> W
constexpr size_t words_for_bits (size_t x)
WotsPublicKey wots_public_key_from_signature (const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 8: wots_pkFromSig.
void wots_sign_and_pkgen (StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
template<typename T, typename ParamT>
requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>)
constexpr decltype(auto) wrap_strong_type (ParamT &&t)
 Wraps a value into a caller-defined (strong) type.
Point448 x448 (const ScalarX448 &k, const Point448 &u)
 Multiply a scalar k with a point u.
Point448 x448_basepoint (const ScalarX448 &k)
 Multiply a scalar with the base group element (5)
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
template<std::unsigned_integral T>
void xmss_concat (secure_vector< uint8_t > &target, const T &src)
template<std::unsigned_integral T>
void xmss_concat (secure_vector< uint8_t > &target, const T &src, size_t len)
SphincsTreeNode xmss_gen_root (const Sphincs_Parameters &params, const SphincsSecretSeed &secret_seed, Sphincs_Hash_Functions &hashes)
SphincsTreeNode xmss_sign_and_pkgen (StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
 FIPS 205, Algorithm 10: xmss_sign.
constexpr void xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
constexpr void xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in1, ranges::contiguous_range< uint8_t > auto &&in2)
void xor_buf (std::span< uint8_t > out, std::span< const uint8_t > in, size_t n)
template<typename Alloc, typename Alloc2>
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
template<typename Alloc>
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, size_t n)
void xor_buf (uint8_t out[], const uint8_t in[], const uint8_t in2[], size_t length)
void xor_buf (uint8_t out[], const uint8_t in[], size_t length)
void xts_update_tweak_block (uint8_t tweak[], size_t BS, size_t blocks_in_tweak)
template<typename T, typename Alloc>
void zap (std::vector< T, Alloc > &vec)
template<typename T, typename Alloc>
void zeroise (std::vector< T, Alloc > &vec)

Variables

constexpr size_t BLAKE2B_BLOCKBYTES = 128
constexpr size_t BYTES_448 = ceil_tobytes<size_t>(448)
constexpr size_t DefaultBufferSize = 4096
constexpr size_t ED448_LEN = 57
const size_t HEX_CODEC_BUFFER_SIZE = 256
template<typename T>
constexpr bool is_strong_span_v = is_strong_span<T>::value
template<typename... Ts>
constexpr bool is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value
constexpr size_t LMS_IDENTIFIER_LEN = 16
 The length in bytes of the LMS identifier (I).
const size_t MAX_EXT_DEG = 16
const size_t PRIME_TABLE_SIZE = 6541
const uint16_t PRIMES []
const uint64_t STREEBOG_Ax [8][256]
const uint64_t STREEBOG_C [12][8]
constexpr size_t WORDS_448 = 7
constexpr size_t X448_LEN = 56

Detailed Description

Wrapper for truncated hashes (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019,2021 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019,2022 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018,2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2023 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2022 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018 Jack Lloyd (C) 2018 Ribose Inc

Botan is released under the Simplified BSD License (see license.txt)

Symmetric primitives for dilithium

(C) 2022-2023 Jack Lloyd (C) 2022-2023 Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity (C) 2022 Manuel Glaser - Rohde & Schwarz Cybersecurity (C) 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

HSS - Hierarchical Signatures System (RFC 8554) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

HSS-LMS (C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Utils for HSS/LMS (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

LM-OTS - Leighton-Micali One-Time Signatures (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

LM-OTS - Leighton-Micali One-Time Signatures (RFC 8554 Section 4) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

LMS - Leighton-Micali Hash-Based Signatures (RFC 8554) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Botan is released under the Simplified BSD License (see license.txt)

Abstraction for a combined KEM public and private key.

(C) 2024 Jack Lloyd 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Abstraction for a combined KEM encryptors and decryptors.

(C) 2024 Jack Lloyd 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Adapter that allows using a KEX key as a KEM, using an ephemeral key in the KEM encapsulation.

(C) 2023 Jack Lloyd 2023,2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Ordinary applications should never need to include or use this header. It is exposed only for specialized applications which want to implement new versions of public key crypto without merging them as changes to the library. One actual example of such usage is an application which creates RSA signatures using a custom TPM library. Unless you're doing something like that, you don't need anything here. Instead use pubkey.h which wraps these types safely and provides a stable application-oriented API.

Note: This header was accidentally pulled from the public API between Botan 3.0.0 and 3.2.0, and then restored in 3.3.0. If you are maintaining an application which used this header in Botan 2.x, you should make sure to use Botan 3.3.0 or later when migrating.

Hybrid Session Manager emitting both Tickets and storing sessions in Memory (C) 2023 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Manager in Memory (C) 2011 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Stateless Session Manager for stateless servers (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Useful concepts that are available throughout the library (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2025 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

A wrapper class to implement strong types (C) 2022 Jack Lloyd 2022 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

(C) 2024 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

Treehash logic used for hash-based signatures (C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel, Amos Treiber, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH

Parts of this file have been adapted from https://github.com/sphincs/sphincsplus

Botan is released under the Simplified BSD License (see license.txt)

utilities for PKIX::build_all_certificate_paths

Typedef Documentation

◆ Altivec32x4

typedef __vector unsigned int Botan::Altivec32x4

Definition at line 26 of file aes_power8.cpp.

◆ Altivec64x2

typedef __vector unsigned long long Botan::Altivec64x2

Definition at line 25 of file aes_power8.cpp.

◆ Altivec8x16

typedef __vector unsigned char Botan::Altivec8x16

Definition at line 27 of file aes_power8.cpp.

◆ bitvector

using Botan::bitvector = bitvector_base<std::allocator>

Definition at line 1304 of file bitvector.h.

◆ Bounded_XOF

template<size_t bound>
using Botan::Bounded_XOF = detail::Bounded_XOF<XOF&, bound>

Definition at line 224 of file pqcrystals_helpers.h.

◆ byte

using Botan::byte = std::uint8_t

Definition at line 110 of file types.h.

◆ CCCryptorStatus

typedef int32_t Botan::CCCryptorStatus

Definition at line 24 of file commoncrypto.h.

◆ CertificatePathStatusCodes

This type represents the validation status of an entire certificate path. There is one set of status codes for each certificate in the path.

Definition at line 29 of file x509path.h.

◆ CmceCodeWord

using Botan::CmceCodeWord = Strong<secure_bitvector, struct CmceCodeWord_>

Represents C of decapsulation.

Definition at line 52 of file cmce_types.h.

◆ CmceColumnSelection

using Botan::CmceColumnSelection = Strong<secure_bitvector, struct CmceColumnSelection_>

Represents c of private key.

Definition at line 46 of file cmce_types.h.

◆ CmceErrorVector

using Botan::CmceErrorVector = Strong<secure_bitvector, struct CmceErrorVector_>

Represents e of encapsulation.

Definition at line 49 of file cmce_types.h.

◆ CmceGfElem

using Botan::CmceGfElem = Strong<uint16_t, struct CmceGfElem_>

Represents a GF(q) element.

Definition at line 19 of file cmce_types.h.

◆ CmceGfMod

using Botan::CmceGfMod = Strong<uint16_t, struct CmceGfMod_>

Represents a GF(q) modulus.

Definition at line 22 of file cmce_types.h.

◆ CmceInitialSeed

using Botan::CmceInitialSeed = Strong<secure_vector<uint8_t>, struct CmceInitialSeed_>

Represents initial delta of keygen.

Definition at line 31 of file cmce_types.h.

◆ CmceIrreducibleBits

using Botan::CmceIrreducibleBits = Strong<secure_vector<uint8_t>, struct CmceIrreducibleBits_>

Definition at line 40 of file cmce_types.h.

◆ CmceKeyGenSeed

using Botan::CmceKeyGenSeed = Strong<secure_vector<uint8_t>, struct CmceKeyGenSeed_>

Represents a delta (can be altered; final value stored in private key)

Definition at line 34 of file cmce_types.h.

◆ CmceOrderingBits

using Botan::CmceOrderingBits = Strong<secure_vector<uint8_t>, struct CmceOrderingBits_>

Definition at line 37 of file cmce_types.h.

◆ CmcePermutation

using Botan::CmcePermutation = Strong<secure_vector<uint16_t>, struct CmcePermutation_>

Represents a permutation (pi in spec). Used in field ordering creation.

Definition at line 28 of file cmce_types.h.

◆ CmcePermutationElement

using Botan::CmcePermutationElement = Strong<uint16_t, struct CmcePermutationElement_>

Represents an element of a permuation (pi in spec). Used in field ordering creation.

Definition at line 25 of file cmce_types.h.

◆ CmceRejectionSeed

using Botan::CmceRejectionSeed = Strong<secure_vector<uint8_t>, struct CmceRejectionSeed_>

Represents s of private key.

Definition at line 43 of file cmce_types.h.

◆ Curve25519_PrivateKey

Definition at line 18 of file curve25519.h.

◆ Curve25519_PublicKey

Definition at line 17 of file curve25519.h.

◆ DilithiumCommitmentHash

using Botan::DilithiumCommitmentHash = Strong<std::vector<uint8_t>, struct DilithiumCommitmentHash_>

Hash of the message representative and the signer's commitment.

Definition at line 64 of file dilithium_types.h.

◆ DilithiumHashedPublicKey

using Botan::DilithiumHashedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumHashedPublicKey_>

Hash value of the serialized public key data (result of H(BytesToBits(pkEncode(pk)), also referred to as 'tr')

Definition at line 52 of file dilithium_types.h.

◆ DilithiumInternalKeypair

Initial value:
std::pair<std::shared_ptr<Dilithium_PublicKeyInternal>, std::shared_ptr<Dilithium_PrivateKeyInternal>>

Internal representation of a Dilithium key pair.

Definition at line 67 of file dilithium_types.h.

◆ DilithiumMessageRepresentative

using Botan::DilithiumMessageRepresentative = Strong<std::vector<uint8_t>, struct DilithiumMessageRepresentative_>

Representation of the message to be signed.

Definition at line 55 of file dilithium_types.h.

◆ DilithiumOptionalRandomness

using Botan::DilithiumOptionalRandomness = Strong<secure_vector<uint8_t>, struct DilithiumOptionalRandomness_>

Optional randomness 'rnd' used for rho prime computation in ML-DSA.

Definition at line 39 of file dilithium_types.h.

◆ DilithiumPoly

◆ DilithiumPolyMatNTT

◆ DilithiumPolyNTT

◆ DilithiumPolyVec

◆ DilithiumPolyVecNTT

◆ DilithiumSeedRandomness

using Botan::DilithiumSeedRandomness = Strong<secure_vector<uint8_t>, struct DilithiumSeedRandomness_>

Principal seed used to generate Dilithium key pairs.

Definition at line 30 of file dilithium_types.h.

◆ DilithiumSeedRho

using Botan::DilithiumSeedRho = Strong<std::vector<uint8_t>, struct DilithiumPublicSeed_>

Public seed to sample the polynomial matrix A from.

Definition at line 33 of file dilithium_types.h.

◆ DilithiumSeedRhoPrime

using Botan::DilithiumSeedRhoPrime = Strong<secure_vector<uint8_t>, struct DilithiumSeedRhoPrime_>

Private seed to sample the polynomial vectors s1 and s2 from.

Definition at line 36 of file dilithium_types.h.

◆ DilithiumSerializedCommitment

using Botan::DilithiumSerializedCommitment = Strong<std::vector<uint8_t>, struct DilithiumSerializedCommitment_>

Serialized representation of a commitment w1.

Definition at line 61 of file dilithium_types.h.

◆ DilithiumSerializedPrivateKey

using Botan::DilithiumSerializedPrivateKey = Strong<secure_vector<uint8_t>, struct DilithiumSerializedPrivateKey_>

Serialized private key data.

Definition at line 45 of file dilithium_types.h.

◆ DilithiumSerializedPublicKey

using Botan::DilithiumSerializedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumSerializedPublicKey_>

Serialized public key data (result of pkEncode(pk))

Definition at line 48 of file dilithium_types.h.

◆ DilithiumSerializedSignature

using Botan::DilithiumSerializedSignature = Strong<std::vector<uint8_t>, struct DilithiumSerializedSignature_>

Serialized signature data.

Definition at line 58 of file dilithium_types.h.

◆ DilithiumSigningSeedK

using Botan::DilithiumSigningSeedK = Strong<secure_vector<uint8_t>, struct DilithiumSeedK_>

Private seed K used during signing.

Definition at line 42 of file dilithium_types.h.

◆ ForsLeafSecret

using Botan::ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_>

Definition at line 71 of file sp_types.h.

◆ ForsSignature

using Botan::ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_>

Definition at line 72 of file sp_types.h.

◆ FrodoDomainSeparator

using Botan::FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_>

Definition at line 47 of file frodo_types.h.

◆ FrodoIntermediateSharedSecret

using Botan::FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_>

Definition at line 56 of file frodo_types.h.

◆ FrodoPackedMatrix

using Botan::FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_>

Definition at line 41 of file frodo_types.h.

◆ FrodoPlaintext

using Botan::FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_>

Definition at line 50 of file frodo_types.h.

◆ FrodoPublicKeyHash

using Botan::FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_>

Definition at line 38 of file frodo_types.h.

◆ FrodoSalt

using Botan::FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_>

Definition at line 53 of file frodo_types.h.

◆ FrodoSampleR

using Botan::FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_>

Definition at line 35 of file frodo_types.h.

◆ FrodoSeedA

using Botan::FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_>

Definition at line 23 of file frodo_types.h.

◆ FrodoSeedS

using Botan::FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_>

Definition at line 26 of file frodo_types.h.

◆ FrodoSeedSE

using Botan::FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_>

Definition at line 29 of file frodo_types.h.

◆ FrodoSeedZ

using Botan::FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_>

Definition at line 32 of file frodo_types.h.

◆ FrodoSerializedMatrix

using Botan::FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_>

Definition at line 44 of file frodo_types.h.

◆ GenerateLeafFunction

Definition at line 25 of file sp_treehash.h.

◆ gf2m

typedef uint16_t Botan::gf2m

Definition at line 20 of file gf2m_small_m.h.

◆ HSS_Level

using Botan::HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber>

The HSS layer in the HSS multi tree starting at 0 from the root.

Definition at line 34 of file hss.h.

◆ HSS_Sig_Idx

using Botan::HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber>

The index of a node within a specific LMS tree layer.

Definition at line 29 of file hss.h.

◆ HypertreeLayerIndex

using Botan::HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_>

Index of a layer in the XMSS hyper-tree.

Definition at line 86 of file sp_types.h.

◆ InitializationVector

Alternate name for octet string showing intent to use as an IV

Definition at line 145 of file symkey.h.

◆ Integrity_Failure

For compatibility with older versions

Definition at line 283 of file exceptn.h.

◆ KyberCompressedCiphertext

using Botan::KyberCompressedCiphertext = Strong<std::vector<uint8_t>, struct KyberCompressedCiphertext_>

Compressed and serialized ciphertext value.

Definition at line 63 of file kyber_types.h.

◆ KyberEncryptionRandomness

using Botan::KyberEncryptionRandomness = Strong<secure_vector<uint8_t>, struct KyberEncryptionRandomness_>

Random value used to generate the Kyber ciphertext.

Definition at line 48 of file kyber_types.h.

◆ KyberHashedCiphertext

using Botan::KyberHashedCiphertext = Strong<std::vector<uint8_t>, struct KyberHashedCiphertext_>

Hash of the compressed and serialized ciphertext value TODO: Remove this once Kyber-R3 is removed

Definition at line 67 of file kyber_types.h.

◆ KyberHashedPublicKey

using Botan::KyberHashedPublicKey = Strong<std::vector<uint8_t>, struct KyberHashedPublicKey_>

Hash value of the serialized public key.

Definition at line 60 of file kyber_types.h.

◆ KyberImplicitRejectionValue

using Botan::KyberImplicitRejectionValue = Strong<secure_vector<uint8_t>, struct KyberImplicitRejectionValue_>

Secret random value (called Z in the spec), used for implicit rejection in the decapsulation.

Definition at line 42 of file kyber_types.h.

◆ KyberInternalKeypair

Initial value:
std::pair<std::shared_ptr<Kyber_PublicKeyInternal>, std::shared_ptr<Kyber_PrivateKeyInternal>>

Definition at line 73 of file kyber_types.h.

◆ KyberMessage

using Botan::KyberMessage = Strong<secure_vector<uint8_t>, struct KyberMessage_>

Random message value to be encrypted by the CPA-secure Kyber encryption scheme.

Definition at line 45 of file kyber_types.h.

◆ KyberPoly

◆ KyberPolyMat

◆ KyberPolyNTT

◆ KyberPolyVec

◆ KyberPolyVecNTT

◆ KyberSamplingRandomness

using Botan::KyberSamplingRandomness = Strong<secure_vector<uint8_t>, struct KyberSamplingRandomness_>

PRF value used for sampling of error polynomials.

Definition at line 51 of file kyber_types.h.

◆ KyberSeedRandomness

using Botan::KyberSeedRandomness = Strong<secure_vector<uint8_t>, struct KyberSeedRandomness_>

Principal seed used to generate Kyber key pairs.

Definition at line 33 of file kyber_types.h.

◆ KyberSeedRho

using Botan::KyberSeedRho = Strong<std::vector<uint8_t>, struct KyberSeedRho_>

Public seed value to generate the Kyber matrix A.

Definition at line 36 of file kyber_types.h.

◆ KyberSeedSigma

using Botan::KyberSeedSigma = Strong<secure_vector<uint8_t>, struct KyberSeedSigma_>

Private seed used to generate polynomial vectors s and e during key generation.

Definition at line 39 of file kyber_types.h.

◆ KyberSerializedPublicKey

using Botan::KyberSerializedPublicKey = Strong<std::vector<uint8_t>, struct KyberSerializedPublicKey_>

Public key in serialized form (t || rho)

Definition at line 57 of file kyber_types.h.

◆ KyberSharedSecret

using Botan::KyberSharedSecret = Strong<secure_vector<uint8_t>, struct KyberSharedSecret_>

Shared secret value generated during encapsulation and recovered during decapsulation.

Definition at line 54 of file kyber_types.h.

◆ KyberSigmaOrEncryptionRandomness

Initial value:
std::variant<StrongSpan<const KyberSeedSigma>, StrongSpan<const KyberEncryptionRandomness>>

Variant value of either a KyberSeedSigma or a KyberEncryptionRandomness.

Definition at line 70 of file kyber_types.h.

◆ LMOTS_K

using Botan::LMOTS_K = Strong<std::vector<uint8_t>, struct LMOTS_K_>

The K value from the LM-OTS public key.

Definition at line 35 of file lm_ots.h.

◆ LMOTS_Node

using Botan::LMOTS_Node = Strong<secure_vector<uint8_t>, struct LMOTS_Node_>

One node within one LM-OTS hash chain.

Definition at line 30 of file lm_ots.h.

◆ LMOTS_Signature_Bytes

using Botan::LMOTS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMOTS_Signature_Bytes_>

Byte vector of an LM-OTS signature.

Definition at line 40 of file lm_ots.h.

◆ LMS_AuthenticationPath

using Botan::LMS_AuthenticationPath = Strong<std::vector<uint8_t>, struct LMS_AuthenticationPath_>

The authentication path of an LMS signature.

Definition at line 72 of file lms.h.

◆ LMS_Identifier

using Botan::LMS_Identifier = Strong<std::vector<uint8_t>, struct LMS_Identifier_>

The identifier of an LMS tree (I in RFC 8554)

Definition at line 50 of file lm_ots.h.

◆ LMS_Message

using Botan::LMS_Message = Strong<std::vector<uint8_t>, struct LMS_Message_>

A message that is signed with an LMS tree.

Definition at line 55 of file lm_ots.h.

◆ LMS_Seed

using Botan::LMS_Seed = Strong<secure_vector<uint8_t>, struct LMS_SEED_>

Seed of the LMS tree, used to generate the LM-OTS private keys.

Definition at line 25 of file lm_ots.h.

◆ LMS_Signature_Bytes

using Botan::LMS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMS_Signature_Bytes_>

Raw bytes of an LMS signature.

Definition at line 82 of file lms.h.

◆ LMS_Tree_Node

using Botan::LMS_Tree_Node = Strong<std::vector<uint8_t>, struct LMS_Tree_Node_>

A node with the LMS tree.

Definition at line 77 of file lms.h.

◆ LMS_Tree_Node_Idx

using Botan::LMS_Tree_Node_Idx = Strong<uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber>

The index of a node within a specific LMS tree layer.

Definition at line 45 of file lm_ots.h.

◆ lock_guard_type

template<typename T>
using Botan::lock_guard_type = lock_guard<T>

Definition at line 55 of file mutex.h.

◆ MAC

Definition at line 131 of file mac.h.

◆ ML_DSA_Mode

Definition at line 21 of file ml_dsa.h.

◆ ML_DSA_PrivateKey

Definition at line 23 of file ml_dsa.h.

◆ ML_DSA_PublicKey

Definition at line 22 of file ml_dsa.h.

◆ ML_KEM_Mode

Definition at line 21 of file ml_kem.h.

◆ ML_KEM_PrivateKey

Definition at line 23 of file ml_kem.h.

◆ ML_KEM_PublicKey

Definition at line 22 of file ml_kem.h.

◆ mutex_type

Definition at line 37 of file mutex.h.

◆ next_longer_int_t

template<std::signed_integral T>
using Botan::next_longer_int_t
Initial value:
std::conditional_t<sizeof(T) == 1, int16_t,
std::conditional_t<sizeof(T) == 2, int32_t,
std::conditional_t<sizeof(T) == 4, int64_t, void>>>

Definition at line 35 of file pqcrystals_helpers.h.

◆ next_longer_uint_t

template<std::unsigned_integral T>
using Botan::next_longer_uint_t
Initial value:
std::conditional_t<sizeof(T) == 1, uint16_t,
std::conditional_t<sizeof(T) == 2, uint32_t,
std::conditional_t<sizeof(T) == 4, uint64_t, void>>>

Definition at line 28 of file pqcrystals_helpers.h.

◆ Point448

using Botan::Point448 = Strong<std::array<uint8_t, X448_LEN>, struct Point448_>

Definition at line 18 of file x448_internal.h.

◆ PointGFp

Definition at line 431 of file ec_point.h.

◆ recursive_mutex_type

Definition at line 38 of file mutex.h.

◆ RNG

Convenience typedef

Definition at line 288 of file rng.h.

◆ S2K

typedef PBKDF Botan::S2K

Definition at line 237 of file pbkdf.h.

◆ s32bit

using Botan::s32bit = std::int32_t

Definition at line 114 of file types.h.

◆ ScalarX448

using Botan::ScalarX448 = Strong<std::array<uint8_t, X448_LEN>, struct ScalarX448_>

Definition at line 24 of file x448_internal.h.

◆ secure_bitvector

◆ secure_deque

template<typename T>
using Botan::secure_deque = std::deque<T, secure_allocator<T>>

Definition at line 73 of file secmem.h.

◆ secure_vector

template<typename T>
using Botan::secure_vector = std::vector<T, secure_allocator<T>>

Definition at line 69 of file secmem.h.

◆ SecureVector

template<typename T>
using Botan::SecureVector = secure_vector<T>

Definition at line 78 of file secmem.h.

◆ SM2_Encryption_PrivateKey

Definition at line 166 of file sm2.h.

◆ SM2_Encryption_PublicKey

Definition at line 163 of file sm2.h.

◆ SM2_Signature_PrivateKey

Definition at line 165 of file sm2.h.

◆ SM2_Signature_PublicKey

Definition at line 162 of file sm2.h.

◆ SphincsAuthenticationPath

using Botan::SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_>

Definition at line 67 of file sp_types.h.

◆ SphincsContext

using Botan::SphincsContext = Strong<std::vector<uint8_t>, struct SphincsContext_>

Definition at line 57 of file sp_types.h.

◆ SphincsHashedMessage

using Botan::SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_>

Definition at line 59 of file sp_types.h.

◆ SphincsHypertreeSignature

using Botan::SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>

Definition at line 66 of file sp_types.h.

◆ SphincsInputMessage

using Botan::SphincsInputMessage = Strong<std::vector<uint8_t>, struct SphincsInputMessage_>

Definition at line 49 of file sp_types.h.

◆ SphincsMessagePrefix

using Botan::SphincsMessagePrefix = Strong<std::vector<uint8_t>, struct SphincsMessagePrefix_>

The prefix appended to the message in [hash_]slh_sign and slh_verify. E.g. for SLH-DSA (pure): 0x00 || |ctx| || ctx. Empty for SPHINCS+.

Definition at line 47 of file sp_types.h.

◆ SphincsMessageRandomness

using Botan::SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_>

Definition at line 64 of file sp_types.h.

◆ SphincsOptionalRandomness

using Botan::SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_>

Definition at line 63 of file sp_types.h.

◆ SphincsPublicSeed

using Botan::SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_>

Definition at line 60 of file sp_types.h.

◆ SphincsSecretPRF

using Botan::SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_>

Definition at line 62 of file sp_types.h.

◆ SphincsSecretSeed

using Botan::SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_>

Definition at line 61 of file sp_types.h.

◆ SphincsTreeNode

using Botan::SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_>

Either an XMSS or FORS tree node or leaf.

Definition at line 70 of file sp_types.h.

◆ SphincsXmssSignature

using Botan::SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_>

Definition at line 65 of file sp_types.h.

◆ strong_type_wrapped_type

template<typename T>
using Botan::strong_type_wrapped_type = typename detail::wrapped_type_helper<std::remove_cvref_t<T>>::type

Extracts the wrapped type from a strong type.

If the provided type is not a strong type, it is returned as is.

Note
This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary ::wrapped_type declaration if you know that you are dealing with a strong type.

Definition at line 288 of file strong_type.h.

◆ SymmetricKey

Alternate name for octet string showing intent to use as a key

Definition at line 140 of file symkey.h.

◆ TreeLayerIndex

using Botan::TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber>

Index of the layer within a FORS/XMSS tree.

Definition at line 83 of file sp_types.h.

◆ TreeNodeIndex

using Botan::TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber>

Index of an individual node inside an XMSS or FORS tree.

Definition at line 92 of file sp_types.h.

◆ u16bit

using Botan::u16bit = std::uint16_t

Definition at line 111 of file types.h.

◆ u32bit

using Botan::u32bit = std::uint32_t

Definition at line 112 of file types.h.

◆ u64bit

using Botan::u64bit = std::uint64_t

Definition at line 113 of file types.h.

◆ word

using Botan::word = std::conditional_t<HasNative64BitRegisters, std::uint64_t, uint32_t>

Definition at line 119 of file types.h.

◆ wots_keysig_t

typedef std::vector< secure_vector< uint8_t > > Botan::wots_keysig_t

Definition at line 20 of file xmss_common_ops.h.

◆ WotsChainIndex

using Botan::WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_>

Index of a WOTS chain within a single usage of WOTS.

Definition at line 95 of file sp_types.h.

◆ WotsHashIndex

using Botan::WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber>

Index of a hash application inside a single WOTS chain (integers in "base_w")

Definition at line 98 of file sp_types.h.

◆ WotsNode

using Botan::WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_>

Start (or intermediate) node of a WOTS+ chain.

Definition at line 79 of file sp_types.h.

◆ WotsPublicKey

using Botan::WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_>

Definition at line 73 of file sp_types.h.

◆ WotsPublicKeyNode

using Botan::WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_>

End node of a WOTS+ chain (part of the WOTS+ public key)

Definition at line 76 of file sp_types.h.

◆ WotsSignature

using Botan::WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_>

Definition at line 80 of file sp_types.h.

◆ X509_Time

Definition at line 424 of file asn1_obj.h.

◆ XmssTreeIndexInLayer

using Botan::XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber>

Index of an XMSS tree (unique for just the local hyper-tree layer)

Definition at line 89 of file sp_types.h.

Enumeration Type Documentation

◆ AlignmentBufferFinalBlock

enum class Botan::AlignmentBufferFinalBlock : uint8_t
strong

Defines the strategy for handling the final block of input data in the handle_unaligned_data() method of the AlignmentBuffer<>.

  • is_not_special: the final block is treated like any other block
  • must_be_deferred: the final block is not emitted while bulk processing (typically add_data()) but is deferred until manually consumed (typically final_result())

The AlignmentBuffer<> assumes data to be "the final block" if no further input data is available in the BufferSlicer<>. This might result in some performance overhead when using the must_be_deferred strategy.

Enumerator
is_not_special 
must_be_deferred 

Definition at line 34 of file alignment_buffer.h.

◆ ASN1_Class

enum class Botan::ASN1_Class : uint32_t
strong

ASN.1 Class Tags

Enumerator
Universal 
Application 
ContextSpecific 
Private 
Constructed 
ExplicitContextSpecific 
NoObject 

Definition at line 28 of file asn1_obj.h.

28 : uint32_t /* NOLINT(performance-enum-size) */ {
29 Universal = 0b0000'0000,
30 Application = 0b0100'0000,
31 ContextSpecific = 0b1000'0000,
32 Private = 0b1100'0000,
33
34 Constructed = 0b0010'0000,
36
37 NoObject = 0xFF00
38};

◆ ASN1_Type

enum class Botan::ASN1_Type : uint32_t
strong

ASN.1 Type Tags

Enumerator
Eoc 
Boolean 
Integer 
BitString 
OctetString 
Null 
ObjectId 
Enumerated 
Sequence 
Set 
Utf8String 
NumericString 
PrintableString 
TeletexString 
Ia5String 
VisibleString 
UniversalString 
BmpString 
UtcTime 
GeneralizedTime 
NoObject 

Definition at line 43 of file asn1_obj.h.

43 : uint32_t /* NOLINT(performance-enum-size) */ {
44 Eoc = 0x00,
45 Boolean = 0x01,
46 Integer = 0x02,
47 BitString = 0x03,
48 OctetString = 0x04,
49 Null = 0x05,
50 ObjectId = 0x06,
51 Enumerated = 0x0A,
52 Sequence = 0x10,
53 Set = 0x11,
54
55 Utf8String = 0x0C,
56 NumericString = 0x12,
57 PrintableString = 0x13,
58 TeletexString = 0x14,
59 Ia5String = 0x16,
60 VisibleString = 0x1A,
61 UniversalString = 0x1C,
62 BmpString = 0x1E,
63
64 UtcTime = 0x17,
65 GeneralizedTime = 0x18,
66
67 NoObject = 0xFF00,
68};

◆ Certificate_Status_Code

enum class Botan::Certificate_Status_Code : uint16_t
strong

Certificate validation status code

Enumerator
OK 
VERIFIED 
OCSP_RESPONSE_GOOD 
OCSP_SIGNATURE_OK 
VALID_CRL_CHECKED 
OCSP_NO_HTTP 
FIRST_WARNING_STATUS 
CERT_SERIAL_NEGATIVE 
DN_TOO_LONG 
OCSP_NO_REVOCATION_URL 
OCSP_SERVER_NOT_AVAILABLE 
TRUSTED_CERT_HAS_EXPIRED 
TRUSTED_CERT_NOT_YET_VALID 
FIRST_ERROR_STATUS 
SIGNATURE_METHOD_TOO_WEAK 
UNTRUSTED_HASH 
NO_REVOCATION_DATA 
NO_MATCHING_CRLDP 
OCSP_ISSUER_NOT_TRUSTED 
CERT_NOT_YET_VALID 
CERT_HAS_EXPIRED 
OCSP_NOT_YET_VALID 
OCSP_HAS_EXPIRED 
CRL_NOT_YET_VALID 
CRL_HAS_EXPIRED 
OCSP_IS_TOO_OLD 
CERT_ISSUER_NOT_FOUND 
CANNOT_ESTABLISH_TRUST 
CERT_CHAIN_LOOP 
CHAIN_LACKS_TRUST_ROOT 
CHAIN_NAME_MISMATCH 
POLICY_ERROR 
INVALID_USAGE 
CERT_CHAIN_TOO_LONG 
CA_CERT_NOT_FOR_CERT_ISSUER 
NAME_CONSTRAINT_ERROR 
IPADDR_BLOCKS_ERROR 
AS_BLOCKS_ERROR 
CA_CERT_NOT_FOR_CRL_ISSUER 
OCSP_CERT_NOT_LISTED 
OCSP_BAD_STATUS 
CERT_NAME_NOMATCH 
UNKNOWN_CRITICAL_EXTENSION 
DUPLICATE_CERT_EXTENSION 
OCSP_SIGNATURE_ERROR 
OCSP_ISSUER_NOT_FOUND 
OCSP_RESPONSE_MISSING_KEYUSAGE 
OCSP_RESPONSE_INVALID 
EXT_IN_V1_V2_CERT 
DUPLICATE_CERT_POLICY 
V2_IDENTIFIERS_IN_V1_CERT 
CERT_IS_REVOKED 
CRL_BAD_SIGNATURE 
SIGNATURE_ERROR 
CERT_PUBKEY_INVALID 
SIGNATURE_ALGO_UNKNOWN 
SIGNATURE_ALGO_BAD_PARAMS 

Definition at line 20 of file pkix_enums.h.

20 : uint16_t {
21 // TODO(Botan4) renumber this, e.g. Validation Errors -> IP_ADDR_BLOCKS_ERROR
22
23 OK = 0,
24 VERIFIED = 0,
25
26 // Revocation status
30 OCSP_NO_HTTP = 4,
31
32 // Warnings
35 DN_TOO_LONG = 501,
40
41 // Errors
42 FIRST_ERROR_STATUS = 1000,
43
45 UNTRUSTED_HASH = 1001,
46 NO_REVOCATION_DATA = 1002,
47 NO_MATCHING_CRLDP = 1003,
49
50 // Time problems
51 CERT_NOT_YET_VALID = 2000,
52 CERT_HAS_EXPIRED = 2001,
53 OCSP_NOT_YET_VALID = 2002,
54 OCSP_HAS_EXPIRED = 2003,
55 CRL_NOT_YET_VALID = 2004,
56 CRL_HAS_EXPIRED = 2005,
57 OCSP_IS_TOO_OLD = 2006,
58
59 // Chain generation problems
62 CERT_CHAIN_LOOP = 3002,
65
66 // Validation errors
67 POLICY_ERROR = 4000,
68 INVALID_USAGE = 4001,
73 AS_BLOCKS_ERROR = 4012,
74
75 // Revocation errors
78 OCSP_BAD_STATUS = 4007,
79
80 // Other problems
81 CERT_NAME_NOMATCH = 4008,
88 EXT_IN_V1_V2_CERT = 4505,
91
92 // Hard failures
93 CERT_IS_REVOKED = 5000,
94 CRL_BAD_SIGNATURE = 5001,
95 SIGNATURE_ERROR = 5002,
99};

◆ Cipher_Dir

enum class Botan::Cipher_Dir : uint8_t
strong

The two possible directions a Cipher_Mode can operate in

Enumerator
Encryption 
Decryption 
ENCRYPTION 
DECRYPTION 

Definition at line 26 of file cipher_mode.h.

26 : uint8_t {
27 Encryption = 0,
28 Decryption = 1,
29
30 ENCRYPTION BOTAN_DEPRECATED("Use Cipher_Dir::Encryption") = Encryption,
31 DECRYPTION BOTAN_DEPRECATED("Use Cipher_Dir::Decryption") = Decryption,
32};
#define BOTAN_DEPRECATED(msg)
Definition api.h:73

◆ CRL_Code

enum class Botan::CRL_Code : uint8_t
strong

X.509v2 CRL Reason Code.

Enumerator
Unspecified 
KeyCompromise 
CaCompromise 
AffiliationChanged 
Superseded 
CessationOfOperation 
CertificateHold 
RemoveFromCrl 
PrivilegeWithdrawn 
AaCompromise 

Definition at line 198 of file pkix_enums.h.

◆ Decoder_Checking

enum Botan::Decoder_Checking : uint8_t

The type of checking to be performed by decoders: NONE - no checks, IGNORE_WS - perform checks, but ignore whitespaces, FULL_CHECK - perform checks, also complain about white spaces.

Enumerator
NONE 
IGNORE_WS 
FULL_CHECK 

Definition at line 167 of file filter.h.

167: uint8_t { NONE, IGNORE_WS, FULL_CHECK };
@ FULL_CHECK
Definition filter.h:167
@ NONE
Definition filter.h:167
@ IGNORE_WS
Definition filter.h:167

◆ DL_Group_Format

enum class Botan::DL_Group_Format : uint8_t
strong

The DL group encoding format variants.

Enumerator
ANSI_X9_42 
ANSI_X9_57 
PKCS_3 
DSA_PARAMETERS 
DH_PARAMETERS 
ANSI_X9_42_DH_PARAMETERS 
PKCS3_DH_PARAMETERS 

Definition at line 30 of file dl_group.h.

◆ DL_Group_Source

enum class Botan::DL_Group_Source : uint8_t
strong
Enumerator
Builtin 
RandomlyGenerated 
ExternalSource 

Definition at line 21 of file dl_group.h.

◆ EC_Group_Encoding

enum class Botan::EC_Group_Encoding : uint8_t
strong

This enum indicates the method used to encode the EC parameters

Warning
All support for explicit or implicit domain encodings will be removed in Botan4. Only named curves will be supported.

TODO(Botan4) remove this enum

Enumerator
Explicit 
ImplicitCA 
NamedCurve 
EC_DOMPAR_ENC_EXPLICIT 
EC_DOMPAR_ENC_IMPLICITCA 
EC_DOMPAR_ENC_OID 

Definition at line 36 of file ec_group.h.

◆ EC_Group_Engine

enum class Botan::EC_Group_Engine : uint8_t
strong

Enum indicating the way the group in question is implemented

This is returned by EC_Group::engine

Enumerator
Optimized 

Using per curve implementation; fastest available.

Generic 

A generic implementation that handles many curves in one implementation.

Legacy 

The old implementation, used as a fallback if none of the other implementations can be used TODO(Botan4) remove this

Definition at line 66 of file ec_group.h.

66 : uint8_t {
67 /// Using per curve implementation; fastest available
69 /// A generic implementation that handles many curves in one implementation
70 Generic,
71 /// The old implementation, used as a fallback if none of the other
72 /// implementations can be used
73 /// TODO(Botan4) remove this
74 Legacy,
75};
@ Optimized
Using per curve implementation; fastest available.
Definition ec_group.h:68
@ Generic
A generic implementation that handles many curves in one implementation.
Definition ec_group.h:70

◆ EC_Group_Source

enum class Botan::EC_Group_Source : uint8_t
strong

This enum indicates the source of the elliptic curve parameters in use.

Builtin means the curve is a known standard one which was compiled in the library.

ExternalSource means the curve parameters came from either an explicit curve encoding or an application defined curve.

Enumerator
Builtin 
ExternalSource 

Definition at line 56 of file ec_group.h.

56 : uint8_t {
57 Builtin,
59};

◆ EC_Point_Format

enum class Botan::EC_Point_Format : uint8_t
strong
Enumerator
Uncompressed 
Compressed 
UNCOMPRESSED 
COMPRESSED 
Hybrid 
HYBRID 

Definition at line 21 of file ec_point_format.h.

21 : uint8_t {
22 Uncompressed = 0,
23 Compressed = 1,
24
25 UNCOMPRESSED BOTAN_DEPRECATED("Use EC_Point_Format::Uncompressed") = Uncompressed,
26 COMPRESSED BOTAN_DEPRECATED("Use EC_Point_Format::Compressed") = Compressed,
27
28 Hybrid BOTAN_DEPRECATED("Hybrid point encoding is deprecated") = 2,
29 HYBRID BOTAN_DEPRECATED("Hybrid point encoding is deprecated") = 2
30};

◆ ECIES_Flags

enum class Botan::ECIES_Flags : uint8_t
strong

Flags controlling ECIES operation

Two of the flags are related to how cofactors are handled. Support for cofactors is deprecated and will be removed in Botan4.

The CheckMode flag is completely ignored; we always check that the point is valid.

TODO(Botan4) remove this enum

Enumerator
None 
SingleHashMode 

if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key

CofactorMode 

(decryption only) if set: use cofactor multiplication during (ecdh) key agreement This only matters if the curve has a cofactor

OldCofactorMode 

if set: use ecdhc instead of ecdh. This only matters if the curve has a cofactor

CheckMode 

(decryption only) if set: test if the (ephemeral) public key is on the curve Note that we actually ignore this flag and always check the key

NONE 
SINGLE_HASH_MODE 
COFACTOR_MODE 
OLD_COFACTOR_MODE 
CHECK_MODE 

Definition at line 44 of file ecies.h.

44 : uint8_t {
45 None = 0,
46 /// if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
48 /// (decryption only) if set: use cofactor multiplication during (ecdh) key agreement
49 /// This only matters if the curve has a cofactor
50 CofactorMode = 2,
51 /// if set: use ecdhc instead of ecdh.
52 /// This only matters if the curve has a cofactor
54 /// (decryption only) if set: test if the (ephemeral) public key is on the curve
55 /// Note that we actually ignore this flag and always check the key
56 CheckMode = 8,
57
58 NONE BOTAN_DEPRECATED("Use None") = None,
59 SINGLE_HASH_MODE BOTAN_DEPRECATED("Use SingleHashMode") = SingleHashMode,
60 COFACTOR_MODE BOTAN_DEPRECATED("Use CofactorMode") = CofactorMode,
61 OLD_COFACTOR_MODE BOTAN_DEPRECATED("Use OldCofactorMode") = OldCofactorMode,
62 CHECK_MODE BOTAN_DEPRECATED("Use CheckMode") = CheckMode,
63};
@ SingleHashMode
if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
Definition ecies.h:47

◆ ErrorType

enum class Botan::ErrorType : uint16_t
strong

Different types of errors that might occur

Enumerator
Unknown 

Some unknown error

SystemError 

An error while calling a system interface

NotImplemented 

An operation seems valid, but not supported by the current version

OutOfMemory 

Memory allocation failure

InternalError 

An internal error occurred

IoError 

An I/O error occurred

InvalidObjectState 

Invalid object state

KeyNotSet 

A key was not set on an object when this is required

InvalidArgument 

The application provided an argument which is invalid

InvalidKeyLength 

A key with invalid length was provided

InvalidNonceLength 

A nonce with invalid length was provided

LookupError 

An object type was requested but cannot be found

EncodingFailure 

Encoding a message or datum failed

DecodingFailure 

Decoding a message or datum failed

TLSError 

A TLS error (error_code will be the alert type)

HttpError 

An error during an HTTP operation

InvalidTag 

A message with an invalid authentication tag was detected

RoughtimeError 

An error during Roughtime validation

CommonCryptoError 

An error when interacting with CommonCrypto API

Pkcs11Error 

An error when interacting with a PKCS11 device

TPMError 

An error when interacting with a TPM device

DatabaseError 

An error when interacting with a database

ZlibError 

An error when interacting with zlib

Bzip2Error 

An error when interacting with bzip2

LzmaError 

An error when interacting with lzma

Definition at line 20 of file exceptn.h.

20 : uint16_t {
21 /** Some unknown error */
22 Unknown = 1,
23 /** An error while calling a system interface */
24 SystemError = 2,
25 /** An operation seems valid, but not supported by the current version */
27 /** Memory allocation failure */
28 OutOfMemory = 4,
29 /** An internal error occurred */
30 InternalError = 5,
31 /** An I/O error occurred */
32 IoError = 6,
33
34 /** Invalid object state */
36 /** A key was not set on an object when this is required */
37 KeyNotSet = 101,
38 /** The application provided an argument which is invalid */
39 InvalidArgument = 102,
40 /** A key with invalid length was provided */
41 InvalidKeyLength = 103,
42 /** A nonce with invalid length was provided */
44 /** An object type was requested but cannot be found */
45 LookupError = 105,
46 /** Encoding a message or datum failed */
47 EncodingFailure = 106,
48 /** Decoding a message or datum failed */
49 DecodingFailure = 107,
50 /** A TLS error (error_code will be the alert type) */
51 TLSError = 108,
52 /** An error during an HTTP operation */
53 HttpError = 109,
54 /** A message with an invalid authentication tag was detected */
55 InvalidTag = 110,
56 /** An error during Roughtime validation */
57 RoughtimeError = 111,
58
59 /** An error when interacting with CommonCrypto API */
61 /** An error when interacting with a PKCS11 device */
62 Pkcs11Error = 202,
63 /** An error when interacting with a TPM device */
64 TPMError = 203,
65 /** An error when interacting with a database */
66 DatabaseError = 204,
67
68 /** An error when interacting with zlib */
69 ZlibError = 300,
70 /** An error when interacting with bzip2 */
71 Bzip2Error = 301,
72 /** An error when interacting with lzma */
73 LzmaError = 302,
74
75};

◆ LMOTS_Algorithm_Type

enum class Botan::LMOTS_Algorithm_Type : uint32_t
strong

Enum of available LM-OTS algorithm types.

The supported parameter sets are defined in RFC 8554 Section 4.1. and draft-fluhrer-lms-more-parm-sets-11 Section 4. HSS/LMS typecodes are introduced in RFC 8554 Section 3.2. and their format specified in Section 3.3.

Enumerator
RESERVED 
SHA256_N32_W1 
SHA256_N32_W2 
SHA256_N32_W4 
SHA256_N32_W8 
SHA256_N24_W1 
SHA256_N24_W2 
SHA256_N24_W4 
SHA256_N24_W8 
SHAKE_N32_W1 
SHAKE_N32_W2 
SHAKE_N32_W4 
SHAKE_N32_W8 
SHAKE_N24_W1 
SHAKE_N24_W2 
SHAKE_N24_W4 
SHAKE_N24_W8 

Definition at line 65 of file lm_ots.h.

65 : uint32_t /* NOLINT(*-enum-size) */ {
66 // --- RFC 8554 ---
67 RESERVED = 0x00,
68
69 // SHA-256 based
70 SHA256_N32_W1 = 0x01,
71 SHA256_N32_W2 = 0x02,
72 SHA256_N32_W4 = 0x03,
73 SHA256_N32_W8 = 0x04,
74
75 // --- draft-fluhrer-lms-more-parm-sets-11 ---
76 // SHA-256/192 based
77 SHA256_N24_W1 = 0x05,
78 SHA256_N24_W2 = 0x06,
79 SHA256_N24_W4 = 0x07,
80 SHA256_N24_W8 = 0x08,
81
82 // SHAKE-256/256 based
83 SHAKE_N32_W1 = 0x09,
84 SHAKE_N32_W2 = 0x0a,
85 SHAKE_N32_W4 = 0x0b,
86 SHAKE_N32_W8 = 0x0c,
87
88 // SHAKE-256/192 based
89 SHAKE_N24_W1 = 0x0d,
90 SHAKE_N24_W2 = 0x0e,
91 SHAKE_N24_W4 = 0x0f,
92 SHAKE_N24_W8 = 0x10,
93};

◆ LMS_Algorithm_Type

enum class Botan::LMS_Algorithm_Type : uint32_t
strong

Enum of available LMS algorithm types.

The supported parameter sets are defined in RFC 8554 Section 5.1. and draft-fluhrer-lms-more-parm-sets-11 Section 5. HSS/LMS typecodes are introduced in RFC 8554 Section 3.2. and their format specified in Section 3.3.

Enumerator
RESERVED 
SHA256_M32_H5 
SHA256_M32_H10 
SHA256_M32_H15 
SHA256_M32_H20 
SHA256_M32_H25 
SHA256_M24_H5 
SHA256_M24_H10 
SHA256_M24_H15 
SHA256_M24_H20 
SHA256_M24_H25 
SHAKE_M32_H5 
SHAKE_M32_H10 
SHAKE_M32_H15 
SHAKE_M32_H20 
SHAKE_M32_H25 
SHAKE_M24_H5 
SHAKE_M24_H10 
SHAKE_M24_H15 
SHAKE_M24_H20 
SHAKE_M24_H25 

Definition at line 30 of file lms.h.

30 : uint32_t /* NOLINT(*-enum-size) */ {
31 // --- RFC 8554 ---
32 RESERVED = 0x00,
33
34 // SHA-256 based
35 SHA256_M32_H5 = 0x05,
36 SHA256_M32_H10 = 0x06,
37 SHA256_M32_H15 = 0x07,
38 SHA256_M32_H20 = 0x08,
39 SHA256_M32_H25 = 0x09,
40
41 // --- draft-fluhrer-lms-more-parm-sets-11 ---
42 // SHA-256/192 based
43 SHA256_M24_H5 = 0x0a,
44 SHA256_M24_H10 = 0x0b,
45 SHA256_M24_H15 = 0x0c,
46 SHA256_M24_H20 = 0x0d,
47 SHA256_M24_H25 = 0x0e,
48
49 // SHAKE-256/256 based
50 SHAKE_M32_H5 = 0x0f,
51 SHAKE_M32_H10 = 0x10,
52 SHAKE_M32_H15 = 0x11,
53 SHAKE_M32_H20 = 0x12,
54 SHAKE_M32_H25 = 0x13,
55
56 // SHAKE-256/192 based
57 SHAKE_M24_H5 = 0x14,
58 SHAKE_M24_H10 = 0x15,
59 SHAKE_M24_H15 = 0x16,
60 SHAKE_M24_H20 = 0x17,
61 SHAKE_M24_H25 = 0x18
62};

◆ MD_Endian

enum class Botan::MD_Endian : uint8_t
strong
Enumerator
Little 
Big 

Definition at line 20 of file mdx_hash.h.

20 : uint8_t {
21 Little,
22 Big,
23};

◆ MlPrivateKeyFormat

enum class Botan::MlPrivateKeyFormat : uint8_t
strong

Byte encoding format of ML-KEM and ML-DSA the private key.

Enumerator
Seed 

Only supported for ML-KEM/ML-DSA keys:

  • ML-KEM: 64-byte seed: d || z
  • ML-DSA: 32-byte seed: xi (private_key_bits_with_format not yet yet supported for ML-DSA)
Expanded 

The expanded format, i.e., the format specified in FIPS-203/204.

Definition at line 83 of file kyber.h.

83 : uint8_t {
84 /// Only supported for ML-KEM/ML-DSA keys:
85 /// - ML-KEM: 64-byte seed: d || z
86 /// - ML-DSA: 32-byte seed: xi (private_key_bits_with_format not yet
87 /// yet supported for ML-DSA)
88 Seed,
89 /// The expanded format, i.e., the format specified in FIPS-203/204.
91};
@ Expanded
The expanded format, i.e., the format specified in FIPS-203/204.
Definition kyber.h:90

◆ PublicKeyOperation

enum class Botan::PublicKeyOperation : uint8_t
strong

Enumeration of possible operations a public key could be used for.

It is possible to query if a key supports a particular operation type using Asymmetric_Key::supports_operation()

Enumerator
Encryption 
Signature 
KeyEncapsulation 
KeyAgreement 

Definition at line 46 of file pk_keys.h.

◆ Signature_Format

enum class Botan::Signature_Format : uint8_t
strong

Enumeration specifying the signature format.

This is mostly used for requesting DER encoding of ECDSA signatures; most other algorithms only support "standard".

Enumerator
Standard 
DerSequence 
IEEE_1363 
DER_SEQUENCE 

Definition at line 32 of file pk_keys.h.

32 : uint8_t {
33 Standard = 0,
34 DerSequence = 1,
35
36 IEEE_1363 BOTAN_DEPRECATED("Use Standard") = Standard,
37 DER_SEQUENCE BOTAN_DEPRECATED("Use DerSequence") = DerSequence,
38};

◆ Sphincs_Address_Type

enum class Botan::Sphincs_Address_Type : uint32_t
strong
Enumerator
WotsHash 
WotsPublicKeyCompression 
HashTree 
ForsTree 
ForsTreeRootsCompression 
WotsKeyGeneration 
ForsKeyGeneration 

Definition at line 20 of file sp_address.h.

◆ Sphincs_Hash_Type

enum class Botan::Sphincs_Hash_Type : uint8_t
strong
Enumerator
Shake256 
Sha256 
Haraka 

Haraka is currently not supported.

Definition at line 18 of file sp_parameters.h.

18 : uint8_t {
20 Sha256,
21 Haraka BOTAN_DEPRECATED("Haraka is not and will not be supported"), ///< Haraka is currently not supported
22};
@ Haraka
Haraka is currently not supported.

◆ Sphincs_Parameter_Set

enum class Botan::Sphincs_Parameter_Set : uint8_t
strong
Enumerator
Sphincs128Small 
Sphincs128Fast 
Sphincs192Small 
Sphincs192Fast 
Sphincs256Small 
Sphincs256Fast 
SLHDSA128Small 
SLHDSA128Fast 
SLHDSA192Small 
SLHDSA192Fast 
SLHDSA256Small 
SLHDSA256Fast 

Definition at line 24 of file sp_parameters.h.

◆ TPM_Storage_Type

enum class Botan::TPM_Storage_Type
strong
Enumerator
User 
System 

Definition at line 102 of file tpm.h.

◆ Usage_Type

enum class Botan::Usage_Type : uint8_t
strong
Enumerator
UNSPECIFIED 
TLS_SERVER_AUTH 
TLS_CLIENT_AUTH 
CERTIFICATE_AUTHORITY 
OCSP_RESPONDER 
ENCRYPTION 

Definition at line 22 of file x509cert.h.

22 : uint8_t {
23 UNSPECIFIED, // no restrictions
29};

◆ WOTS_Derivation_Method

enum class Botan::WOTS_Derivation_Method : uint8_t
strong

Determines how WOTS+ private keys are derived from the XMSS private key

Enumerator
Botan2x 

This roughly followed the suggestions in RFC 8391 but is vulnerable to a multi-target attack. For new private keys, we recommend using the derivation as suggested in NIST SP.800-208. Private keys generated with Botan 2.x will need to stay with this mode, otherwise they won't be able to generate valid signatures any longer.

NIST_SP800_208 

Derivation as specified in NIST SP.800-208 to avoid a multi-target attack on the WOTS+ key derivation suggested in RFC 8391. New private keys should use this mode.

Definition at line 138 of file xmss.h.

138 : uint8_t {
139 /// This roughly followed the suggestions in RFC 8391 but is vulnerable
140 /// to a multi-target attack. For new private keys, we recommend using
141 /// the derivation as suggested in NIST SP.800-208.
142 /// Private keys generated with Botan 2.x will need to stay with this mode,
143 /// otherwise they won't be able to generate valid signatures any longer.
144 Botan2x = 1,
145
146 /// Derivation as specified in NIST SP.800-208 to avoid a multi-target attack
147 /// on the WOTS+ key derivation suggested in RFC 8391. New private keys
148 /// should use this mode.
149 NIST_SP800_208 = 2,
150};

Function Documentation

◆ abs()

BigInt Botan::abs ( const BigInt & n)
inline

Return the absolute value

Parameters
nan integer
Returns
absolute value of n

Definition at line 24 of file numthry.h.

24 {
25 return n.abs();
26}
BigInt abs() const
Definition bigint.cpp:390

References abs(), and Botan::BigInt::abs().

Referenced by abs(), Botan::EC_Group::EC_Group(), gcd(), and Botan::EC_Group::verify_group().

◆ allocate_memory()

void * Botan::allocate_memory ( size_t elems,
size_t elem_size )

Allocate a memory buffer by some method. This should only be used for primitive types (uint8_t, uint32_t, etc).

Parameters
elemsthe number of elements
elem_sizethe size of each element
Returns
pointer to allocated and zeroed memory, or throw std::bad_alloc on failure

Definition at line 21 of file allocator.cpp.

21 {
22 if(elems == 0 || elem_size == 0) {
23 return nullptr;
24 }
25
26 // Some calloc implementations do not check for overflow (?!?)
27 if(!checked_mul(elems, elem_size).has_value()) {
28 throw std::bad_alloc();
29 }
30
31#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
32 if(void* p = mlock_allocator::instance().allocate(elems, elem_size)) {
33 return p;
34 }
35#endif
36
37#if defined(BOTAN_TARGET_OS_HAS_ALLOC_CONCEAL)
38 void* ptr = ::calloc_conceal(elems, elem_size);
39#else
40 void* ptr = std::calloc(elems, elem_size); // NOLINT(*-no-malloc,*-owning-memory)
41#endif
42 if(ptr == nullptr) {
43 [[unlikely]] throw std::bad_alloc();
44 }
45 return ptr;
46}
static mlock_allocator & instance() noexcept
constexpr std::optional< T > checked_mul(T a, T b)
Definition int_utils.h:46

References BOTAN_MALLOC_FN, checked_mul(), and Botan::mlock_allocator::instance().

Referenced by Botan::secure_allocator< T >::allocate().

◆ any_null_pointers()

template<typename... Ptrs>
bool Botan::any_null_pointers ( Ptrs... ptr)

Return true if any of the provided arguments are null

Definition at line 23 of file mem_utils.h.

23 {
24 static_assert((... && std::is_pointer_v<Ptrs>), "All arguments must be pointers");
25 return (... || (ptr == nullptr));
26}

◆ argon2()

void Botan::argon2 ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
const uint8_t key[],
size_t key_len,
const uint8_t ad[],
size_t ad_len,
uint8_t y,
size_t p,
size_t M,
size_t t )
inline

Argon2 key derivation function

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenthe length of password
saltthe salt
salt_lenlength of salt
keyan optional secret key
key_lenthe length of key
adan optional additional input
ad_lenthe length of ad
ythe Argon2 variant (0 = Argon2d, 1 = Argon2i, 2 = Argon2id)
pthe parallelization parameter
Mthe amount of memory to use in Kb
tthe number of iterations to use

Definition at line 141 of file argon2.h.

154 {
155 auto pwdhash_fam = PasswordHashFamily::create_or_throw([y] {
156 switch(y) {
157 case 0:
158 return "Argon2d";
159 case 1:
160 return "Argon2i";
161 case 2:
162 return "Argon2id";
163 default:
164 throw Not_Implemented("Unknown Argon2 family type");
165 }
166 }());
167 auto pwdhash = pwdhash_fam->from_params(M, t, p);
168 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len, ad, ad_len, key, key_len);
169}
static std::unique_ptr< PasswordHashFamily > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition pwdhash.cpp:110

References argon2(), and Botan::PasswordHashFamily::create_or_throw().

Referenced by argon2().

◆ argon2_check_pwhash()

bool Botan::argon2_check_pwhash ( const char * password,
size_t password_len,
std::string_view hash )

Check a previously created password hash

Verify an Argon2 password hash against the provided password. Returns false if the input hash seems malformed or if the computed hash does not match.

Parameters
passwordthe password to check against
password_lenthe length of password
hashthe stored hash to check against

Definition at line 77 of file argon2fmt.cpp.

77 {
78 const std::vector<std::string> parts = split_on(input_hash, '$');
79
80 if(parts.size() != 5) {
81 return false;
82 }
83
84 uint8_t family = 0;
85
86 if(parts[0] == "argon2d") {
87 family = 0;
88 } else if(parts[0] == "argon2i") {
89 family = 1;
90 } else if(parts[0] == "argon2id") {
91 family = 2;
92 } else {
93 return false;
94 }
95
96 if(parts[1] != "v=19") {
97 return false;
98 }
99
100 const std::vector<std::string> params = split_on(parts[2], ',');
101
102 if(params.size() != 3) {
103 return false;
104 }
105
106 size_t M = 0;
107 size_t t = 0;
108 size_t p = 0;
109
110 for(const auto& param_str : params) {
111 const std::vector<std::string> param = split_on(param_str, '=');
112
113 if(param.size() != 2) {
114 return false;
115 }
116
117 std::string_view key = param[0];
118 const size_t val = to_u32bit(param[1]);
119 if(key == "m") {
120 M = val;
121 } else if(key == "t") {
122 t = val;
123 } else if(key == "p") {
124 p = val;
125 } else {
126 return false;
127 }
128 }
129
130 std::vector<uint8_t> salt(base64_decode_max_output(parts[3].size()));
131 salt.resize(base64_decode(salt.data(), parts[3], false));
132
133 std::vector<uint8_t> hash(base64_decode_max_output(parts[4].size()));
134 hash.resize(base64_decode(hash.data(), parts[4], false));
135
136 if(hash.size() < 4) {
137 return false;
138 }
139
140 std::vector<uint8_t> generated(hash.size());
141 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(family));
142 auto pwdhash = pwdhash_fam->from_params(M, t, p);
143
144 pwdhash->derive_key(generated.data(), generated.size(), password, password_len, salt.data(), salt.size());
145
146 return CT::is_equal(generated.data(), hash.data(), generated.size()).as_bool();
147}
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:826
uint32_t to_u32bit(std::string_view str_view)
Definition parsing.cpp:32
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:168
size_t base64_decode_max_output(size_t input_length)
Definition base64.cpp:200

References base64_decode(), base64_decode_max_output(), Botan::PasswordHashFamily::create_or_throw(), Botan::CT::is_equal(), split_on(), and to_u32bit().

◆ argon2_generate_pwhash()

std::string Botan::argon2_generate_pwhash ( const char * password,
size_t password_len,
RandomNumberGenerator & rng,
size_t p,
size_t M,
size_t t,
uint8_t y = 2,
size_t salt_len = 16,
size_t output_len = 32 )

Generate an Argon2 hash of the specified password. The y parameter specifies the variant: 0 for Argon2d, 1 for Argon2i, and 2 for Argon2id.

Definition at line 42 of file argon2fmt.cpp.

50 {
51 std::vector<uint8_t> salt(salt_len);
52 rng.randomize(salt.data(), salt.size());
53
54 std::vector<uint8_t> output(output_len);
55
56 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(y));
57 auto pwdhash = pwdhash_fam->from_params(M, t, p);
58
59 pwdhash->derive_key(output.data(), output.size(), password, password_len, salt.data(), salt.size());
60
61 const auto enc_salt = strip_padding(base64_encode(salt));
62 const auto enc_output = strip_padding(base64_encode(output));
63
64 const std::string argon2_mode = [&]() -> std::string {
65 if(y == 0) {
66 return "d";
67 } else if(y == 1) {
68 return "i";
69 } else {
70 return "id";
71 }
72 }();
73
74 return fmt("$argon2{}$v=19$m={},t={},p={}${}${}", argon2_mode, M, t, p, enc_salt, enc_output);
75}
void randomize(std::span< uint8_t > output)
Definition rng.h:71
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:160

References base64_encode(), Botan::PasswordHashFamily::create_or_throw(), fmt(), and Botan::RandomNumberGenerator::randomize().

◆ as_span_of_bytes() [1/3]

◆ as_span_of_bytes() [2/3]

std::span< const uint8_t > Botan::as_span_of_bytes ( const std::string & s)
inline

Definition at line 33 of file mem_utils.h.

33 {
34 return as_span_of_bytes(s.data(), s.size());
35}
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:28

References as_span_of_bytes().

◆ as_span_of_bytes() [3/3]

std::span< const uint8_t > Botan::as_span_of_bytes ( std::string_view s)
inline

Definition at line 37 of file mem_utils.h.

37 {
38 return as_span_of_bytes(s.data(), s.size());
39}

References as_span_of_bytes().

◆ asn1_class_to_string()

std::string BOTAN_UNSTABLE_API Botan::asn1_class_to_string ( ASN1_Class type)

Definition at line 74 of file asn1_obj.cpp.

74 {
75 switch(type) {
77 return "UNIVERSAL";
79 return "CONSTRUCTED";
81 return "CONTEXT_SPECIFIC";
83 return "APPLICATION";
85 return "PRIVATE";
87 return "NO_OBJECT";
88 default:
89 return "CLASS(" + std::to_string(static_cast<size_t>(type)) + ")";
90 }
91}

References Application, Constructed, ContextSpecific, NoObject, Private, and Universal.

Referenced by Botan::BER_Object::assert_is_a().

◆ asn1_tag_to_string()

std::string BOTAN_UNSTABLE_API Botan::asn1_tag_to_string ( ASN1_Type type)

Definition at line 93 of file asn1_obj.cpp.

93 {
94 switch(type) {
96 return "SEQUENCE";
97
98 case ASN1_Type::Set:
99 return "SET";
100
102 return "PRINTABLE STRING";
103
105 return "NUMERIC STRING";
106
108 return "IA5 STRING";
109
111 return "T61 STRING";
112
114 return "UTF8 STRING";
115
117 return "VISIBLE STRING";
118
120 return "BMP STRING";
121
123 return "UNIVERSAL STRING";
124
126 return "UTC TIME";
127
129 return "GENERALIZED TIME";
130
132 return "OCTET STRING";
133
135 return "BIT STRING";
136
138 return "ENUMERATED";
139
141 return "INTEGER";
142
143 case ASN1_Type::Null:
144 return "NULL";
145
147 return "OBJECT";
148
150 return "BOOLEAN";
151
153 return "NO_OBJECT";
154
155 default:
156 return "TAG(" + std::to_string(static_cast<uint32_t>(type)) + ")";
157 }
158}

References BitString, BmpString, Boolean, Enumerated, GeneralizedTime, Ia5String, Integer, NoObject, Null, NumericString, ObjectId, OctetString, PrintableString, Sequence, Set, TeletexString, UniversalString, UtcTime, Utf8String, and VisibleString.

Referenced by Botan::BER_Object::assert_is_a().

◆ assert_is_some()

template<typename T>
T Botan::assert_is_some ( std::optional< T > v,
const char * expr,
const char * func,
const char * file,
int line )

Define BOTAN_ASSERT_IS_SOME

Definition at line 382 of file stl_util.h.

382 {
383 if(v) {
384 return *v;
385 } else {
386 Botan::assertion_failure(expr, "optional had value", func, file, line);
387 }
388}
void assertion_failure(const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
Definition assert.cpp:30

References assertion_failure().

◆ assert_unreachable()

void BOTAN_UNSTABLE_API Botan::assert_unreachable ( const char * file,
int line )

Definition at line 55 of file assert.cpp.

55 {
56 const std::string msg = fmt("Codepath that was marked unreachable was reached @{}:{}", file, line);
57
58#if defined(BOTAN_TERMINATE_ON_ASSERTS)
59 std::cerr << msg << '\n';
60 std::abort();
61#else
62 throw Internal_Error(msg);
63#endif
64}

References fmt().

◆ assertion_failure()

void Botan::assertion_failure ( const char * expr_str,
const char * assertion_made,
const char * func,
const char * file,
int line )

Called when an assertion fails Throws an Exception object

Definition at line 30 of file assert.cpp.

30 {
31 std::ostringstream format;
32
33 format << "False assertion ";
34
35 if(assertion_made != nullptr && assertion_made[0] != 0) {
36 format << "'" << assertion_made << "' (expression " << expr_str << ") ";
37 } else {
38 format << expr_str << " ";
39 }
40
41 if(func != nullptr) {
42 format << "in " << func << " ";
43 }
44
45 format << "@" << file << ":" << line;
46
47#if defined(BOTAN_TERMINATE_ON_ASSERTS)
48 std::cerr << format.str() << '\n';
49 std::abort();
50#else
51 throw Internal_Error(format.str());
52#endif
53}

Referenced by assert_is_some().

◆ base32_decode() [1/5]

secure_vector< uint8_t > Botan::base32_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base32 decoding

Parameters
inputsome base32 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 165 of file base32.cpp.

165 {
166 return base_decode_to_vec<secure_vector<uint8_t>>(Base32(), input, input_length, ignore_ws);
167}
Vector base_decode_to_vec(const Base &base, const char input[], size_t input_length, bool ignore_ws)
Definition codec_base.h:190

References base_decode_to_vec().

◆ base32_decode() [2/5]

secure_vector< uint8_t > Botan::base32_decode ( std::string_view input,
bool ignore_ws = true )

Perform base32 decoding

Parameters
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 169 of file base32.cpp.

169 {
170 return base32_decode(input.data(), input.size(), ignore_ws);
171}
size_t base32_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base32.cpp:152

References base32_decode().

◆ base32_decode() [3/5]

size_t Botan::base32_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 152 of file base32.cpp.

153 {
154 return base_decode(Base32(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
155}
size_t base_decode(const Base &base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition codec_base.h:118

References base_decode().

Referenced by base32_decode(), and base32_decode().

◆ base32_decode() [4/5]

size_t Botan::base32_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 157 of file base32.cpp.

157 {
158 return base_decode_full(Base32(), output, input, input_length, ignore_ws);
159}
size_t base_decode_full(const Base &base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition codec_base.h:178

References base_decode_full().

◆ base32_decode() [5/5]

size_t Botan::base32_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 161 of file base32.cpp.

161 {
162 return base32_decode(output, input.data(), input.length(), ignore_ws);
163}

References base32_decode().

◆ base32_decode_max_output()

size_t Botan::base32_decode_max_output ( size_t input_length)

Calculate the size of output buffer for base32_decode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 177 of file base32.cpp.

177 {
178 return Base32::decode_max_output(input_length);
179}

◆ base32_encode() [1/3]

size_t Botan::base32_encode ( char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform base32 encoding

Parameters
outputan array of at least base32_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 144 of file base32.cpp.

144 {
145 return base_encode(Base32(), out, in, input_length, input_consumed, final_inputs);
146}
size_t base_encode(const Base &base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition codec_base.h:35

References base_encode().

Referenced by base32_encode().

◆ base32_encode() [2/3]

std::string Botan::base32_encode ( const uint8_t input[],
size_t input_length )

Perform base32 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base32 representation of input

Definition at line 148 of file base32.cpp.

148 {
149 return base_encode_to_string(Base32(), input, input_length);
150}
std::string base_encode_to_string(const Base &base, const uint8_t input[], size_t input_length)
Definition codec_base.h:84

References base_encode_to_string().

◆ base32_encode() [3/3]

std::string Botan::base32_encode ( std::span< const uint8_t > input)
inline

Perform base32 encoding

Parameters
inputsome input
Returns
base32 representation of input

Definition at line 47 of file base32.h.

47 {
48 return base32_encode(input.data(), input.size());
49}
size_t base32_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base32.cpp:144

References base32_encode().

◆ base32_encode_max_output()

size_t Botan::base32_encode_max_output ( size_t input_length)

Calculate the size of output buffer for base32_encode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 173 of file base32.cpp.

173 {
174 return Base32::encode_max_output(input_length);
175}

◆ base58_check_decode() [1/2]

std::vector< uint8_t > Botan::base58_check_decode ( const char input[],
size_t input_length )

Perform base58 decoding with checksum

Definition at line 164 of file base58.cpp.

164 {
165 std::vector<uint8_t> dec = base58_decode(input, input_length);
166
167 if(dec.size() < 4) {
168 throw Decoding_Error("Invalid base58 too short for checksum");
169 }
170
171 const uint32_t computed_checksum = sha256_d_checksum(dec.data(), dec.size() - 4);
172 const uint32_t checksum = load_be<uint32_t>(&dec[dec.size() - 4], 0);
173
174 if(checksum != computed_checksum) {
175 throw Decoding_Error("Invalid base58 checksum");
176 }
177
178 dec.resize(dec.size() - 4);
179
180 return dec;
181}
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AES void dec(uint8x16_t &B, uint8x16_t K)
Definition aes_armv8.cpp:45
std::vector< uint8_t > base58_decode(const char input[], size_t input_length)
Definition base58.cpp:139
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504

References base58_decode(), and load_be().

Referenced by base58_check_decode().

◆ base58_check_decode() [2/2]

std::vector< uint8_t > Botan::base58_check_decode ( std::string_view s)
inline

Definition at line 58 of file base58.h.

58 {
59 return base58_check_decode(s.data(), s.size());
60}
std::vector< uint8_t > base58_check_decode(const char input[], size_t input_length)
Definition base58.cpp:164

References base58_check_decode().

◆ base58_check_encode() [1/2]

std::string Botan::base58_check_encode ( const uint8_t input[],
size_t input_length )

Perform base58 encoding with checksum

Definition at line 132 of file base58.cpp.

132 {
133 BigInt v(input, input_length);
134 v <<= 32;
135 v += sha256_d_checksum(input, input_length);
136 return base58_encode(v, count_leading_zeros(input, input_length, 0));
137}
std::string base58_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:127

References base58_encode().

Referenced by base58_check_encode().

◆ base58_check_encode() [2/2]

std::string Botan::base58_check_encode ( std::span< const uint8_t > vec)
inline

Definition at line 50 of file base58.h.

50 {
51 return base58_check_encode(vec.data(), vec.size());
52}
std::string base58_check_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:132

References base58_check_encode().

◆ base58_decode() [1/2]

std::vector< uint8_t > Botan::base58_decode ( const char input[],
size_t input_length )

Perform base58 decoding

This is raw base58 encoding, without the checksum

Definition at line 139 of file base58.cpp.

139 {
140 const size_t leading_zeros = count_leading_zeros(input, input_length, '1');
141
142 BigInt v;
143
144 for(size_t i = leading_zeros; i != input_length; ++i) {
145 const char c = input[i];
146
147 if(c == ' ' || c == '\n') {
148 continue;
149 }
150
151 const uint8_t idx = base58_value_of(c);
152
153 if(idx == 0xFF) {
154 throw Decoding_Error("Invalid base58");
155 }
156
157 v *= 58;
158 v += idx;
159 }
160
161 return v.serialize(v.bytes() + leading_zeros);
162}
size_t bytes() const
Definition bigint.cpp:298
T serialize(size_t len) const
Definition bigint.h:711

References Botan::BigInt::bytes(), and Botan::BigInt::serialize().

Referenced by base58_check_decode(), and base58_decode().

◆ base58_decode() [2/2]

std::vector< uint8_t > Botan::base58_decode ( std::string_view s)
inline

Definition at line 54 of file base58.h.

54 {
55 return base58_decode(s.data(), s.size());
56}

References base58_decode().

◆ base58_encode() [1/2]

std::string Botan::base58_encode ( const uint8_t input[],
size_t input_length )

Perform base58 encoding

This is raw base58 encoding, without the checksum

Definition at line 127 of file base58.cpp.

127 {
128 BigInt v(input, input_length);
129 return base58_encode(v, count_leading_zeros(input, input_length, 0));
130}

References base58_encode().

Referenced by base58_check_encode(), base58_encode(), and base58_encode().

◆ base58_encode() [2/2]

std::string Botan::base58_encode ( std::span< const uint8_t > vec)
inline

Definition at line 46 of file base58.h.

46 {
47 return base58_encode(vec.data(), vec.size());
48}

References base58_encode().

◆ base64_decode() [1/6]

secure_vector< uint8_t > Botan::base64_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base64 decoding

Parameters
inputsome base64 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 188 of file base64.cpp.

188 {
189 return base_decode_to_vec<secure_vector<uint8_t>>(Base64(), input, input_length, ignore_ws);
190}

References base_decode_to_vec().

◆ base64_decode() [2/6]

size_t Botan::base64_decode ( std::span< uint8_t > output,
std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputa contiguous byte buffer of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 181 of file base64.cpp.

181 {
182 if(output.size() < base64_decode_max_output(input.size())) {
183 throw Invalid_Argument("base64_decode: output buffer is too short");
184 }
185 return base64_decode(output.data(), input.data(), input.length(), ignore_ws);
186}

References base64_decode(), and base64_decode_max_output().

◆ base64_decode() [3/6]

secure_vector< uint8_t > Botan::base64_decode ( std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 192 of file base64.cpp.

192 {
193 return base64_decode(input.data(), input.size(), ignore_ws);
194}

References base64_decode().

◆ base64_decode() [4/6]

size_t Botan::base64_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 168 of file base64.cpp.

169 {
170 return base_decode(Base64(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
171}

References base_decode().

Referenced by argon2_check_pwhash(), base64_decode(), base64_decode(), base64_decode(), botan_base64_decode(), Botan::Roughtime::Chain::Chain(), check_passhash9(), Botan::PEM_Code::decode(), Botan::Base64_Decoder::end_msg(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::list_names(), Botan::Roughtime::servers_from_str(), and Botan::Base64_Decoder::write().

◆ base64_decode() [5/6]

size_t Botan::base64_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 173 of file base64.cpp.

173 {
174 return base_decode_full(Base64(), output, input, input_length, ignore_ws);
175}

References base_decode_full().

◆ base64_decode() [6/6]

size_t Botan::base64_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 177 of file base64.cpp.

177 {
178 return base64_decode(output, input.data(), input.length(), ignore_ws);
179}

References base64_decode().

◆ base64_decode_max_output()

size_t Botan::base64_decode_max_output ( size_t input_length)

Calculate the size of output buffer for base64_decode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 200 of file base64.cpp.

200 {
201 return Base64::decode_max_output(input_length);
202}

Referenced by argon2_check_pwhash(), base64_decode(), and botan_base64_decode().

◆ base64_encode() [1/3]

size_t Botan::base64_encode ( char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform base64 encoding

Parameters
outputan array of at least base64_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 160 of file base64.cpp.

160 {
161 return base_encode(Base64(), out, in, input_length, input_consumed, final_inputs);
162}

References base_encode().

Referenced by argon2_generate_pwhash(), base64_encode(), Botan::OCSP::Request::base64_encode(), botan_base64_encode(), Botan::PEM_Code::encode(), generate_passhash9(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), Botan::Encrypted_PSK_Database::set(), and Botan::Roughtime::Chain::to_string().

◆ base64_encode() [2/3]

std::string Botan::base64_encode ( const uint8_t input[],
size_t input_length )

Perform base64 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base64adecimal representation of input

Definition at line 164 of file base64.cpp.

164 {
165 return base_encode_to_string(Base64(), input, input_length);
166}

References base_encode_to_string().

◆ base64_encode() [3/3]

std::string Botan::base64_encode ( std::span< const uint8_t > input)
inline

Perform base64 encoding

Parameters
inputsome input
Returns
base64adecimal representation of input

Definition at line 47 of file base64.h.

47 {
48 return base64_encode(input.data(), input.size());
49}

References base64_encode().

◆ base64_encode_max_output()

size_t Botan::base64_encode_max_output ( size_t input_length)

Calculate the size of output buffer for base64_encode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 196 of file base64.cpp.

196 {
197 return Base64::encode_max_output(input_length);
198}

◆ base_decode()

template<typename Base>
size_t Botan::base_decode ( const Base & base,
uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs,
bool ignore_ws = true )

Perform decoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least Base::decode_max_output bytes
inputsome base input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 118 of file codec_base.h.

124 {
125 // TODO(Botan4) Check if we can use just base. or Base:: here instead
126 constexpr size_t decoding_bytes_in = std::remove_reference_t<Base>::decoding_bytes_in();
127 constexpr size_t decoding_bytes_out = std::remove_reference_t<Base>::decoding_bytes_out();
128
129 uint8_t* out_ptr = output;
130 std::array<uint8_t, decoding_bytes_in> decode_buf{};
131 size_t decode_buf_pos = 0;
132 size_t final_truncate = 0;
133
134 clear_mem(output, base.decode_max_output(input_length));
135
136 for(size_t i = 0; i != input_length; ++i) {
137 const uint8_t bin = base.lookup_binary_value(input[i]);
138
139 // This call might throw Invalid_Argument
140 if(base.check_bad_char(bin, input[i], ignore_ws)) {
141 decode_buf[decode_buf_pos] = bin;
142 ++decode_buf_pos;
143 }
144
145 /*
146 * If we're at the end of the input, pad with 0s and truncate
147 */
148 if(final_inputs && (i == input_length - 1)) {
149 if(decode_buf_pos) {
150 for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j) {
151 decode_buf[j] = 0;
152 }
153
154 final_truncate = decoding_bytes_in - decode_buf_pos;
155 decode_buf_pos = decoding_bytes_in;
156 }
157 }
158
159 if(decode_buf_pos == decoding_bytes_in) {
160 base.decode(out_ptr, decode_buf.data());
161
162 out_ptr += decoding_bytes_out;
163 decode_buf_pos = 0;
164 input_consumed = i + 1;
165 }
166 }
167
168 while(input_consumed < input_length && base.lookup_binary_value(input[input_consumed]) == 0x80) {
169 ++input_consumed;
170 }
171
172 size_t written = (out_ptr - output) - base.bytes_to_remove(final_truncate);
173
174 return written;
175}
constexpr auto out_ptr(T &outptr) noexcept
Definition stl_util.h:415
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119

References clear_mem(), and out_ptr().

Referenced by base32_decode(), base64_decode(), and base_decode_full().

◆ base_decode_full()

template<typename Base>
size_t Botan::base_decode_full ( const Base & base,
uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws )

Definition at line 178 of file codec_base.h.

178 {
179 size_t consumed = 0;
180 const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws);
181
182 if(consumed != input_length) {
183 throw Invalid_Argument(base.name() + " decoding failed, input did not have full bytes");
184 }
185
186 return written;
187}

References base_decode().

Referenced by base32_decode(), base64_decode(), and base_decode_to_vec().

◆ base_decode_to_vec()

template<typename Vector, typename Base>
Vector Botan::base_decode_to_vec ( const Base & base,
const char input[],
size_t input_length,
bool ignore_ws )

Definition at line 190 of file codec_base.h.

190 {
191 const size_t output_length = base.decode_max_output(input_length);
192 Vector bin(output_length);
193
194 const size_t written = base_decode_full(base, bin.data(), input, input_length, ignore_ws);
195
196 bin.resize(written);
197 return bin;
198}

References base_decode_full().

Referenced by base32_decode(), and base64_decode().

◆ base_encode()

template<class Base>
size_t Botan::base_encode ( const Base & base,
char output[],
const uint8_t input[],
size_t input_length,
size_t & input_consumed,
bool final_inputs )

Perform encoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least base.encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 35 of file codec_base.h.

40 {
41 input_consumed = 0;
42
43 // TODO(Botan4) Check if we can use just base. or Base:: here instead
44 constexpr size_t encoding_bytes_in = std::remove_reference_t<Base>::encoding_bytes_in();
45 constexpr size_t encoding_bytes_out = std::remove_reference_t<Base>::encoding_bytes_out();
46
47 size_t input_remaining = input_length;
48 size_t output_produced = 0;
49
50 while(input_remaining >= encoding_bytes_in) {
51 base.encode(output + output_produced, input + input_consumed);
52
53 input_consumed += encoding_bytes_in;
54 output_produced += encoding_bytes_out;
55 input_remaining -= encoding_bytes_in;
56 }
57
58 if(final_inputs && input_remaining) {
59 std::array<uint8_t, encoding_bytes_in> remainder{};
60 for(size_t i = 0; i != input_remaining; ++i) {
61 remainder[i] = input[input_consumed + i];
62 }
63
64 base.encode(output + output_produced, remainder.data());
65
66 const size_t bits_consumed = base.bits_consumed();
67 const size_t remaining_bits_before_padding = base.remaining_bits_before_padding();
68
69 size_t empty_bits = 8 * (encoding_bytes_in - input_remaining);
70 size_t index = output_produced + encoding_bytes_out - 1;
71 while(empty_bits >= remaining_bits_before_padding) {
72 output[index--] = '=';
73 empty_bits -= bits_consumed;
74 }
75
76 input_consumed += input_remaining;
77 output_produced += encoding_bytes_out;
78 }
79
80 return output_produced;
81}

Referenced by base32_encode(), base64_encode(), and base_encode_to_string().

◆ base_encode_to_string()

template<typename Base>
std::string Botan::base_encode_to_string ( const Base & base,
const uint8_t input[],
size_t input_length )

Definition at line 84 of file codec_base.h.

84 {
85 const size_t output_length = base.encode_max_output(input_length);
86 std::string output(output_length, 0);
87
88 size_t consumed = 0;
89 size_t produced = 0;
90
91 if(output_length > 0) {
92 produced = base_encode(base, &output.front(), input, input_length, consumed, true);
93 }
94
95 BOTAN_ASSERT_EQUAL(consumed, input_length, "Consumed the entire input");
96 BOTAN_ASSERT_EQUAL(produced, output.size(), "Produced expected size");
97
98 return output;
99}
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:88

References base_encode(), and BOTAN_ASSERT_EQUAL.

Referenced by base32_encode(), and base64_encode().

◆ basecase_mul()

void Botan::basecase_mul ( word z[],
size_t z_size,
const word x[],
size_t x_size,
const word y[],
size_t y_size )

Basecase O(N^2) multiplication

Definition at line 20 of file mp_karat.cpp.

20 {
21 if(z_size < x_size + y_size) {
22 throw Invalid_Argument("basecase_mul z_size too small");
23 }
24
25 const size_t x_size_8 = x_size - (x_size % 8);
26
27 clear_mem(z, z_size);
28
29 for(size_t i = 0; i != y_size; ++i) {
30 const word y_i = y[i];
31
32 word carry = 0;
33
34 for(size_t j = 0; j != x_size_8; j += 8) {
35 carry = word8_madd3(z + i + j, x + j, y_i, carry);
36 }
37
38 for(size_t j = x_size_8; j != x_size; ++j) {
39 z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry);
40 }
41
42 z[x_size + i] = carry;
43 }
44}
constexpr auto word8_madd3(W z[8], const W x[8], W y, W carry) -> W
Definition mp_asmi.h:383
void carry(int64_t &h0, int64_t &h1)
std::conditional_t< HasNative64BitRegisters, std::uint64_t, uint32_t > word
Definition types.h:119
constexpr auto word_madd3(W a, W b, W c, W *d) -> W
Definition mp_asmi.h:112

References carry(), clear_mem(), word8_madd3(), and word_madd3().

Referenced by bigint_mul().

◆ basecase_sqr()

void Botan::basecase_sqr ( word z[],
size_t z_size,
const word x[],
size_t x_size )

Basecase O(N^2) squaring

Definition at line 46 of file mp_karat.cpp.

46 {
47 if(z_size < 2 * x_size) {
48 throw Invalid_Argument("basecase_sqr z_size too small");
49 }
50
51 const size_t x_size_8 = x_size - (x_size % 8);
52
53 clear_mem(z, z_size);
54
55 for(size_t i = 0; i != x_size; ++i) {
56 const word x_i = x[i];
57
58 word carry = 0;
59
60 for(size_t j = 0; j != x_size_8; j += 8) {
61 carry = word8_madd3(z + i + j, x + j, x_i, carry);
62 }
63
64 for(size_t j = x_size_8; j != x_size; ++j) {
65 z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry);
66 }
67
68 z[x_size + i] = carry;
69 }
70}

References carry(), clear_mem(), word8_madd3(), and word_madd3().

Referenced by bigint_sqr().

◆ basemul_exec()

template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint Botan::basemul_exec ( std::span< const typename C::AffinePoint > table,
const BlindedScalar & scalar,
RandomNumberGenerator & rng )

Definition at line 175 of file pcurves_mul.h.

177 {
178 // 2^W elements, less the identity element
179 static constexpr size_t WindowElements = (1 << WindowBits) - 1;
180
181 // TODO: C++23 - use std::mdspan to access table?
182
183 auto accum = [&]() {
184 const size_t w_0 = scalar.get_window(0);
185 const auto tbl_0 = table.first(WindowElements);
186 auto pt = C::ProjectivePoint::from_affine(C::AffinePoint::ct_select(tbl_0, w_0));
187 CT::poison(pt);
188 pt.randomize_rep(rng);
189 return pt;
190 }();
191
192 const size_t windows = (scalar.bits() + WindowBits - 1) / WindowBits;
193
194 for(size_t i = 1; i != windows; ++i) {
195 const size_t w_i = scalar.get_window(WindowBits * i);
196 const auto tbl_i = table.subspan(WindowElements * i, WindowElements);
197
198 /*
199 None of these additions can be doublings, because in each iteration, the
200 discrete logarithms of the points we're selecting out of the table are
201 larger than the largest possible dlog of accum.
202 */
203 accum += C::AffinePoint::ct_select(tbl_i, w_i);
204
205 // Conditional ok: loop iteration count is public
206 if(i <= 3) {
207 accum.randomize_rep(rng);
208 }
209 }
210
211 CT::unpoison(accum);
212 return accum;
213}
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:65
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:54

References Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by Botan::PrecomputedBaseMulTable< C, W >::mul().

◆ basemul_setup()

template<typename C, size_t WindowBits>
std::vector< typename C::AffinePoint > Botan::basemul_setup ( const typename C::AffinePoint & p,
size_t max_scalar_bits )

Definition at line 141 of file pcurves_mul.h.

141 {
142 static_assert(WindowBits >= 1 && WindowBits <= 8);
143
144 // 2^W elements, less the identity element
145 constexpr size_t WindowElements = (1 << WindowBits) - 1;
146
147 const size_t Windows = (max_scalar_bits + WindowBits - 1) / WindowBits;
148
149 const size_t TableSize = Windows * WindowElements;
150
151 std::vector<typename C::ProjectivePoint> table;
152 table.reserve(TableSize);
153
154 auto accum = C::ProjectivePoint::from_affine(p);
155
156 for(size_t i = 0; i != TableSize; i += WindowElements) {
157 table.push_back(accum);
158
159 for(size_t j = 1; j != WindowElements; ++j) {
160 // Conditional ok: loop iteration count is public
161 if(j % 2 == 1) {
162 table.emplace_back(table[i + j / 2].dbl());
163 } else {
164 table.emplace_back(table[i + j - 1] + table[i]);
165 }
166 }
167
168 accum = table[i + (WindowElements / 2)].dbl();
169 }
170
171 return to_affine_batch<C>(table);
172}
auto to_affine_batch(std::span< const typename C::ProjectivePoint > projective)

References to_affine_batch().

Referenced by Botan::PrecomputedBaseMulTable< C, W >::PrecomputedBaseMulTable().

◆ bcrypt_pbkdf()

void Botan::bcrypt_pbkdf ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
size_t rounds )
inline

Bcrypt PBKDF compatible with OpenBSD bcrypt_pbkdf

Definition at line 71 of file bcrypt_pbkdf.h.

77 {
78 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Bcrypt-PBKDF");
79 auto pwdhash = pwdhash_fam->from_params(rounds);
80 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
81}

References bcrypt_pbkdf(), and Botan::PasswordHashFamily::create_or_throw().

Referenced by bcrypt_pbkdf().

◆ bigint_add2()

template<WordType W>
auto Botan::bigint_add2 ( W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Two operand addition with carry out

Definition at line 96 of file mp_core.h.

96 {
97 W carry = 0;
98
99 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
100
101 const size_t blocks = y_size - (y_size % 8);
102
103 for(size_t i = 0; i != blocks; i += 8) {
104 carry = word8_add2(x + i, y + i, carry);
105 }
106
107 for(size_t i = blocks; i != y_size; ++i) {
108 x[i] = word_add(x[i], y[i], &carry);
109 }
110
111 for(size_t i = y_size; i != x_size; ++i) {
112 x[i] = word_add(x[i], static_cast<W>(0), &carry);
113 }
114
115 return carry;
116}
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
constexpr auto word_add(W x, W y, W *carry) -> W
Definition mp_asmi.h:191
constexpr auto word8_add2(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:228

References BOTAN_ASSERT, carry(), word8_add2(), and word_add().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::_invert_vartime_div2_helper(), Botan::BigInt::add(), Botan::BlindedScalarBits< C, WindowBits+1 >::BlindedScalarBits(), p_div_2_plus_1(), and redc_crandall().

◆ bigint_add3()

template<WordType W>
auto Botan::bigint_add3 ( W z[],
const W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Three operand addition with carry out

Definition at line 122 of file mp_core.h.

122 {
123 if(x_size < y_size) {
124 return bigint_add3(z, y, y_size, x, x_size);
125 }
126
127 W carry = 0;
128
129 const size_t blocks = y_size - (y_size % 8);
130
131 for(size_t i = 0; i != blocks; i += 8) {
132 carry = word8_add3(z + i, x + i, y + i, carry);
133 }
134
135 for(size_t i = blocks; i != y_size; ++i) {
136 z[i] = word_add(x[i], y[i], &carry);
137 }
138
139 for(size_t i = y_size; i != x_size; ++i) {
140 z[i] = word_add(x[i], static_cast<W>(0), &carry);
141 }
142
143 return carry;
144}
constexpr auto bigint_add3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:122
constexpr auto word8_add3(W z[8], const W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:254

References bigint_add3(), carry(), word8_add3(), and word_add().

Referenced by Botan::BigInt::add2(), bigint_add3(), Botan::BigInt::mod_add(), Botan::Montgomery_Int::operator+(), and p_plus_1_over_4().

◆ bigint_cmp()

template<WordType W>
int32_t Botan::bigint_cmp ( const W x[],
size_t x_size,
const W y[],
size_t y_size )
inlineconstexpr

Compare x and y Return -1 if x < y Return 0 if x == y Return 1 if x > y

Definition at line 428 of file mp_core.h.

428 {
429 static_assert(sizeof(W) >= sizeof(uint32_t), "Size assumption");
430
431 const W LT = static_cast<W>(-1);
432 const W EQ = 0;
433 const W GT = 1;
434
435 const size_t common_elems = std::min(x_size, y_size);
436
437 W result = EQ; // until found otherwise
438
439 for(size_t i = 0; i != common_elems; i++) {
440 const auto is_eq = CT::Mask<W>::is_equal(x[i], y[i]);
441 const auto is_lt = CT::Mask<W>::is_lt(x[i], y[i]);
442
443 result = is_eq.select(result, is_lt.select(LT, GT));
444 }
445
446 if(x_size < y_size) {
447 W mask = 0;
448 for(size_t i = x_size; i != y_size; i++) {
449 mask |= y[i];
450 }
451
452 // If any bits were set in high part of y, then x < y
453 result = CT::Mask<W>::is_zero(mask).select(result, LT);
454 } else if(y_size < x_size) {
455 W mask = 0;
456 for(size_t i = y_size; i != x_size; i++) {
457 mask |= x[i];
458 }
459
460 // If any bits were set in high part of x, then x > y
461 result = CT::Mask<W>::is_zero(mask).select(result, GT);
462 }
463
464 CT::unpoison(result);
465 BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ);
466 return static_cast<int32_t>(result);
467}
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470
static constexpr Mask< T > is_lt(T x, T y)
Definition ct_utils.h:478
static constexpr Mask< T > is_zero(T x)
Definition ct_utils.h:465

References BOTAN_DEBUG_ASSERT, Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::unpoison().

Referenced by Botan::BigInt::add(), Botan::BigInt::add2(), Botan::BigInt::cmp(), Botan::BigInt::cmp_word(), and gcd().

◆ bigint_cnd_abs()

template<WordType W>
void Botan::bigint_cnd_abs ( W cnd,
W x[],
size_t size )
inlineconstexpr

Definition at line 82 of file mp_core.h.

82 {
83 const auto mask = CT::Mask<W>::expand(cnd);
84
85 W carry = mask.if_set_return(1);
86 for(size_t i = 0; i != size; ++i) {
87 const W z = word_add(~x[i], static_cast<W>(0), &carry);
88 x[i] = mask.select(z, x[i]);
89 }
90}
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:420

References carry(), Botan::CT::Mask< T >::expand(), and word_add().

◆ bigint_cnd_add()

template<WordType W>
W Botan::bigint_cnd_add ( W cnd,
W x[],
const W y[],
size_t size )
inlineconstexpr

Definition at line 47 of file mp_core.h.

47 {
48 const auto mask = CT::Mask<W>::expand(cnd).value();
49
50 W carry = 0;
51
52 for(size_t i = 0; i != size; ++i) {
53 x[i] = word_add(x[i], y[i] & mask, &carry);
54 }
55
56 return (mask & carry);
57}

References carry(), Botan::CT::Mask< T >::expand(), and word_add().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::div2(), Botan::BigInt::mod_sub(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator-, and Botan::Montgomery_Int::operator-().

◆ bigint_cnd_sub()

template<WordType W>
auto Botan::bigint_cnd_sub ( W cnd,
W x[],
const W y[],
size_t size ) -> W
inlineconstexpr

Definition at line 64 of file mp_core.h.

64 {
65 const auto mask = CT::Mask<W>::expand(cnd).value();
66
67 W carry = 0;
68
69 for(size_t i = 0; i != size; ++i) {
70 x[i] = word_sub(x[i], y[i] & mask, &carry);
71 }
72
73 return (mask & carry);
74}
constexpr auto word_sub(W x, W y, W *carry) -> W
Definition mp_asmi.h:280

References carry(), Botan::CT::Mask< T >::expand(), and word_sub().

◆ bigint_cnd_swap()

template<WordType W>
void Botan::bigint_cnd_swap ( W cnd,
W x[],
W y[],
size_t size )
inlineconstexpr

Definition at line 31 of file mp_core.h.

31 {
32 const auto mask = CT::Mask<W>::expand(cnd);
33
34 for(size_t i = 0; i != size; ++i) {
35 const W a = x[i];
36 const W b = y[i];
37 x[i] = mask.select(b, a);
38 y[i] = mask.select(a, b);
39 }
40}

References Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_cond_swap(), and ct_divide_pow2k().

◆ bigint_comba_mul16()

BOTAN_FUZZER_API void Botan::bigint_comba_mul16 ( word z[32],
const word x[16],
const word y[16] )

Definition at line 794 of file mp_comba.cpp.

794 {
795 word3<word> accum;
796
797 accum.mul(x[0], y[0]);
798 z[0] = accum.extract();
799 accum.mul(x[0], y[1]);
800 accum.mul(x[1], y[0]);
801 z[1] = accum.extract();
802 accum.mul(x[0], y[2]);
803 accum.mul(x[1], y[1]);
804 accum.mul(x[2], y[0]);
805 z[2] = accum.extract();
806 accum.mul(x[0], y[3]);
807 accum.mul(x[1], y[2]);
808 accum.mul(x[2], y[1]);
809 accum.mul(x[3], y[0]);
810 z[3] = accum.extract();
811 accum.mul(x[0], y[4]);
812 accum.mul(x[1], y[3]);
813 accum.mul(x[2], y[2]);
814 accum.mul(x[3], y[1]);
815 accum.mul(x[4], y[0]);
816 z[4] = accum.extract();
817 accum.mul(x[0], y[5]);
818 accum.mul(x[1], y[4]);
819 accum.mul(x[2], y[3]);
820 accum.mul(x[3], y[2]);
821 accum.mul(x[4], y[1]);
822 accum.mul(x[5], y[0]);
823 z[5] = accum.extract();
824 accum.mul(x[0], y[6]);
825 accum.mul(x[1], y[5]);
826 accum.mul(x[2], y[4]);
827 accum.mul(x[3], y[3]);
828 accum.mul(x[4], y[2]);
829 accum.mul(x[5], y[1]);
830 accum.mul(x[6], y[0]);
831 z[6] = accum.extract();
832 accum.mul(x[0], y[7]);
833 accum.mul(x[1], y[6]);
834 accum.mul(x[2], y[5]);
835 accum.mul(x[3], y[4]);
836 accum.mul(x[4], y[3]);
837 accum.mul(x[5], y[2]);
838 accum.mul(x[6], y[1]);
839 accum.mul(x[7], y[0]);
840 z[7] = accum.extract();
841 accum.mul(x[0], y[8]);
842 accum.mul(x[1], y[7]);
843 accum.mul(x[2], y[6]);
844 accum.mul(x[3], y[5]);
845 accum.mul(x[4], y[4]);
846 accum.mul(x[5], y[3]);
847 accum.mul(x[6], y[2]);
848 accum.mul(x[7], y[1]);
849 accum.mul(x[8], y[0]);
850 z[8] = accum.extract();
851 accum.mul(x[0], y[9]);
852 accum.mul(x[1], y[8]);
853 accum.mul(x[2], y[7]);
854 accum.mul(x[3], y[6]);
855 accum.mul(x[4], y[5]);
856 accum.mul(x[5], y[4]);
857 accum.mul(x[6], y[3]);
858 accum.mul(x[7], y[2]);
859 accum.mul(x[8], y[1]);
860 accum.mul(x[9], y[0]);
861 z[9] = accum.extract();
862 accum.mul(x[0], y[10]);
863 accum.mul(x[1], y[9]);
864 accum.mul(x[2], y[8]);
865 accum.mul(x[3], y[7]);
866 accum.mul(x[4], y[6]);
867 accum.mul(x[5], y[5]);
868 accum.mul(x[6], y[4]);
869 accum.mul(x[7], y[3]);
870 accum.mul(x[8], y[2]);
871 accum.mul(x[9], y[1]);
872 accum.mul(x[10], y[0]);
873 z[10] = accum.extract();
874 accum.mul(x[0], y[11]);
875 accum.mul(x[1], y[10]);
876 accum.mul(x[2], y[9]);
877 accum.mul(x[3], y[8]);
878 accum.mul(x[4], y[7]);
879 accum.mul(x[5], y[6]);
880 accum.mul(x[6], y[5]);
881 accum.mul(x[7], y[4]);
882 accum.mul(x[8], y[3]);
883 accum.mul(x[9], y[2]);
884 accum.mul(x[10], y[1]);
885 accum.mul(x[11], y[0]);
886 z[11] = accum.extract();
887 accum.mul(x[0], y[12]);
888 accum.mul(x[1], y[11]);
889 accum.mul(x[2], y[10]);
890 accum.mul(x[3], y[9]);
891 accum.mul(x[4], y[8]);
892 accum.mul(x[5], y[7]);
893 accum.mul(x[6], y[6]);
894 accum.mul(x[7], y[5]);
895 accum.mul(x[8], y[4]);
896 accum.mul(x[9], y[3]);
897 accum.mul(x[10], y[2]);
898 accum.mul(x[11], y[1]);
899 accum.mul(x[12], y[0]);
900 z[12] = accum.extract();
901 accum.mul(x[0], y[13]);
902 accum.mul(x[1], y[12]);
903 accum.mul(x[2], y[11]);
904 accum.mul(x[3], y[10]);
905 accum.mul(x[4], y[9]);
906 accum.mul(x[5], y[8]);
907 accum.mul(x[6], y[7]);
908 accum.mul(x[7], y[6]);
909 accum.mul(x[8], y[5]);
910 accum.mul(x[9], y[4]);
911 accum.mul(x[10], y[3]);
912 accum.mul(x[11], y[2]);
913 accum.mul(x[12], y[1]);
914 accum.mul(x[13], y[0]);
915 z[13] = accum.extract();
916 accum.mul(x[0], y[14]);
917 accum.mul(x[1], y[13]);
918 accum.mul(x[2], y[12]);
919 accum.mul(x[3], y[11]);
920 accum.mul(x[4], y[10]);
921 accum.mul(x[5], y[9]);
922 accum.mul(x[6], y[8]);
923 accum.mul(x[7], y[7]);
924 accum.mul(x[8], y[6]);
925 accum.mul(x[9], y[5]);
926 accum.mul(x[10], y[4]);
927 accum.mul(x[11], y[3]);
928 accum.mul(x[12], y[2]);
929 accum.mul(x[13], y[1]);
930 accum.mul(x[14], y[0]);
931 z[14] = accum.extract();
932 accum.mul(x[0], y[15]);
933 accum.mul(x[1], y[14]);
934 accum.mul(x[2], y[13]);
935 accum.mul(x[3], y[12]);
936 accum.mul(x[4], y[11]);
937 accum.mul(x[5], y[10]);
938 accum.mul(x[6], y[9]);
939 accum.mul(x[7], y[8]);
940 accum.mul(x[8], y[7]);
941 accum.mul(x[9], y[6]);
942 accum.mul(x[10], y[5]);
943 accum.mul(x[11], y[4]);
944 accum.mul(x[12], y[3]);
945 accum.mul(x[13], y[2]);
946 accum.mul(x[14], y[1]);
947 accum.mul(x[15], y[0]);
948 z[15] = accum.extract();
949 accum.mul(x[1], y[15]);
950 accum.mul(x[2], y[14]);
951 accum.mul(x[3], y[13]);
952 accum.mul(x[4], y[12]);
953 accum.mul(x[5], y[11]);
954 accum.mul(x[6], y[10]);
955 accum.mul(x[7], y[9]);
956 accum.mul(x[8], y[8]);
957 accum.mul(x[9], y[7]);
958 accum.mul(x[10], y[6]);
959 accum.mul(x[11], y[5]);
960 accum.mul(x[12], y[4]);
961 accum.mul(x[13], y[3]);
962 accum.mul(x[14], y[2]);
963 accum.mul(x[15], y[1]);
964 z[16] = accum.extract();
965 accum.mul(x[2], y[15]);
966 accum.mul(x[3], y[14]);
967 accum.mul(x[4], y[13]);
968 accum.mul(x[5], y[12]);
969 accum.mul(x[6], y[11]);
970 accum.mul(x[7], y[10]);
971 accum.mul(x[8], y[9]);
972 accum.mul(x[9], y[8]);
973 accum.mul(x[10], y[7]);
974 accum.mul(x[11], y[6]);
975 accum.mul(x[12], y[5]);
976 accum.mul(x[13], y[4]);
977 accum.mul(x[14], y[3]);
978 accum.mul(x[15], y[2]);
979 z[17] = accum.extract();
980 accum.mul(x[3], y[15]);
981 accum.mul(x[4], y[14]);
982 accum.mul(x[5], y[13]);
983 accum.mul(x[6], y[12]);
984 accum.mul(x[7], y[11]);
985 accum.mul(x[8], y[10]);
986 accum.mul(x[9], y[9]);
987 accum.mul(x[10], y[8]);
988 accum.mul(x[11], y[7]);
989 accum.mul(x[12], y[6]);
990 accum.mul(x[13], y[5]);
991 accum.mul(x[14], y[4]);
992 accum.mul(x[15], y[3]);
993 z[18] = accum.extract();
994 accum.mul(x[4], y[15]);
995 accum.mul(x[5], y[14]);
996 accum.mul(x[6], y[13]);
997 accum.mul(x[7], y[12]);
998 accum.mul(x[8], y[11]);
999 accum.mul(x[9], y[10]);
1000 accum.mul(x[10], y[9]);
1001 accum.mul(x[11], y[8]);
1002 accum.mul(x[12], y[7]);
1003 accum.mul(x[13], y[6]);
1004 accum.mul(x[14], y[5]);
1005 accum.mul(x[15], y[4]);
1006 z[19] = accum.extract();
1007 accum.mul(x[5], y[15]);
1008 accum.mul(x[6], y[14]);
1009 accum.mul(x[7], y[13]);
1010 accum.mul(x[8], y[12]);
1011 accum.mul(x[9], y[11]);
1012 accum.mul(x[10], y[10]);
1013 accum.mul(x[11], y[9]);
1014 accum.mul(x[12], y[8]);
1015 accum.mul(x[13], y[7]);
1016 accum.mul(x[14], y[6]);
1017 accum.mul(x[15], y[5]);
1018 z[20] = accum.extract();
1019 accum.mul(x[6], y[15]);
1020 accum.mul(x[7], y[14]);
1021 accum.mul(x[8], y[13]);
1022 accum.mul(x[9], y[12]);
1023 accum.mul(x[10], y[11]);
1024 accum.mul(x[11], y[10]);
1025 accum.mul(x[12], y[9]);
1026 accum.mul(x[13], y[8]);
1027 accum.mul(x[14], y[7]);
1028 accum.mul(x[15], y[6]);
1029 z[21] = accum.extract();
1030 accum.mul(x[7], y[15]);
1031 accum.mul(x[8], y[14]);
1032 accum.mul(x[9], y[13]);
1033 accum.mul(x[10], y[12]);
1034 accum.mul(x[11], y[11]);
1035 accum.mul(x[12], y[10]);
1036 accum.mul(x[13], y[9]);
1037 accum.mul(x[14], y[8]);
1038 accum.mul(x[15], y[7]);
1039 z[22] = accum.extract();
1040 accum.mul(x[8], y[15]);
1041 accum.mul(x[9], y[14]);
1042 accum.mul(x[10], y[13]);
1043 accum.mul(x[11], y[12]);
1044 accum.mul(x[12], y[11]);
1045 accum.mul(x[13], y[10]);
1046 accum.mul(x[14], y[9]);
1047 accum.mul(x[15], y[8]);
1048 z[23] = accum.extract();
1049 accum.mul(x[9], y[15]);
1050 accum.mul(x[10], y[14]);
1051 accum.mul(x[11], y[13]);
1052 accum.mul(x[12], y[12]);
1053 accum.mul(x[13], y[11]);
1054 accum.mul(x[14], y[10]);
1055 accum.mul(x[15], y[9]);
1056 z[24] = accum.extract();
1057 accum.mul(x[10], y[15]);
1058 accum.mul(x[11], y[14]);
1059 accum.mul(x[12], y[13]);
1060 accum.mul(x[13], y[12]);
1061 accum.mul(x[14], y[11]);
1062 accum.mul(x[15], y[10]);
1063 z[25] = accum.extract();
1064 accum.mul(x[11], y[15]);
1065 accum.mul(x[12], y[14]);
1066 accum.mul(x[13], y[13]);
1067 accum.mul(x[14], y[12]);
1068 accum.mul(x[15], y[11]);
1069 z[26] = accum.extract();
1070 accum.mul(x[12], y[15]);
1071 accum.mul(x[13], y[14]);
1072 accum.mul(x[14], y[13]);
1073 accum.mul(x[15], y[12]);
1074 z[27] = accum.extract();
1075 accum.mul(x[13], y[15]);
1076 accum.mul(x[14], y[14]);
1077 accum.mul(x[15], y[13]);
1078 z[28] = accum.extract();
1079 accum.mul(x[14], y[15]);
1080 accum.mul(x[15], y[14]);
1081 z[29] = accum.extract();
1082 accum.mul(x[15], y[15]);
1083 z[30] = accum.extract();
1084 z[31] = accum.extract();
1085}
constexpr W extract()
Definition mp_asmi.h:529
constexpr void mul(W x, W y)
Definition mp_asmi.h:455

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul24()

BOTAN_FUZZER_API void Botan::bigint_comba_mul24 ( word z[48],
const word x[24],
const word y[24] )

Definition at line 1446 of file mp_comba.cpp.

1446 {
1447 word3<word> accum;
1448
1449 accum.mul(x[0], y[0]);
1450 z[0] = accum.extract();
1451 accum.mul(x[0], y[1]);
1452 accum.mul(x[1], y[0]);
1453 z[1] = accum.extract();
1454 accum.mul(x[0], y[2]);
1455 accum.mul(x[1], y[1]);
1456 accum.mul(x[2], y[0]);
1457 z[2] = accum.extract();
1458 accum.mul(x[0], y[3]);
1459 accum.mul(x[1], y[2]);
1460 accum.mul(x[2], y[1]);
1461 accum.mul(x[3], y[0]);
1462 z[3] = accum.extract();
1463 accum.mul(x[0], y[4]);
1464 accum.mul(x[1], y[3]);
1465 accum.mul(x[2], y[2]);
1466 accum.mul(x[3], y[1]);
1467 accum.mul(x[4], y[0]);
1468 z[4] = accum.extract();
1469 accum.mul(x[0], y[5]);
1470 accum.mul(x[1], y[4]);
1471 accum.mul(x[2], y[3]);
1472 accum.mul(x[3], y[2]);
1473 accum.mul(x[4], y[1]);
1474 accum.mul(x[5], y[0]);
1475 z[5] = accum.extract();
1476 accum.mul(x[0], y[6]);
1477 accum.mul(x[1], y[5]);
1478 accum.mul(x[2], y[4]);
1479 accum.mul(x[3], y[3]);
1480 accum.mul(x[4], y[2]);
1481 accum.mul(x[5], y[1]);
1482 accum.mul(x[6], y[0]);
1483 z[6] = accum.extract();
1484 accum.mul(x[0], y[7]);
1485 accum.mul(x[1], y[6]);
1486 accum.mul(x[2], y[5]);
1487 accum.mul(x[3], y[4]);
1488 accum.mul(x[4], y[3]);
1489 accum.mul(x[5], y[2]);
1490 accum.mul(x[6], y[1]);
1491 accum.mul(x[7], y[0]);
1492 z[7] = accum.extract();
1493 accum.mul(x[0], y[8]);
1494 accum.mul(x[1], y[7]);
1495 accum.mul(x[2], y[6]);
1496 accum.mul(x[3], y[5]);
1497 accum.mul(x[4], y[4]);
1498 accum.mul(x[5], y[3]);
1499 accum.mul(x[6], y[2]);
1500 accum.mul(x[7], y[1]);
1501 accum.mul(x[8], y[0]);
1502 z[8] = accum.extract();
1503 accum.mul(x[0], y[9]);
1504 accum.mul(x[1], y[8]);
1505 accum.mul(x[2], y[7]);
1506 accum.mul(x[3], y[6]);
1507 accum.mul(x[4], y[5]);
1508 accum.mul(x[5], y[4]);
1509 accum.mul(x[6], y[3]);
1510 accum.mul(x[7], y[2]);
1511 accum.mul(x[8], y[1]);
1512 accum.mul(x[9], y[0]);
1513 z[9] = accum.extract();
1514 accum.mul(x[0], y[10]);
1515 accum.mul(x[1], y[9]);
1516 accum.mul(x[2], y[8]);
1517 accum.mul(x[3], y[7]);
1518 accum.mul(x[4], y[6]);
1519 accum.mul(x[5], y[5]);
1520 accum.mul(x[6], y[4]);
1521 accum.mul(x[7], y[3]);
1522 accum.mul(x[8], y[2]);
1523 accum.mul(x[9], y[1]);
1524 accum.mul(x[10], y[0]);
1525 z[10] = accum.extract();
1526 accum.mul(x[0], y[11]);
1527 accum.mul(x[1], y[10]);
1528 accum.mul(x[2], y[9]);
1529 accum.mul(x[3], y[8]);
1530 accum.mul(x[4], y[7]);
1531 accum.mul(x[5], y[6]);
1532 accum.mul(x[6], y[5]);
1533 accum.mul(x[7], y[4]);
1534 accum.mul(x[8], y[3]);
1535 accum.mul(x[9], y[2]);
1536 accum.mul(x[10], y[1]);
1537 accum.mul(x[11], y[0]);
1538 z[11] = accum.extract();
1539 accum.mul(x[0], y[12]);
1540 accum.mul(x[1], y[11]);
1541 accum.mul(x[2], y[10]);
1542 accum.mul(x[3], y[9]);
1543 accum.mul(x[4], y[8]);
1544 accum.mul(x[5], y[7]);
1545 accum.mul(x[6], y[6]);
1546 accum.mul(x[7], y[5]);
1547 accum.mul(x[8], y[4]);
1548 accum.mul(x[9], y[3]);
1549 accum.mul(x[10], y[2]);
1550 accum.mul(x[11], y[1]);
1551 accum.mul(x[12], y[0]);
1552 z[12] = accum.extract();
1553 accum.mul(x[0], y[13]);
1554 accum.mul(x[1], y[12]);
1555 accum.mul(x[2], y[11]);
1556 accum.mul(x[3], y[10]);
1557 accum.mul(x[4], y[9]);
1558 accum.mul(x[5], y[8]);
1559 accum.mul(x[6], y[7]);
1560 accum.mul(x[7], y[6]);
1561 accum.mul(x[8], y[5]);
1562 accum.mul(x[9], y[4]);
1563 accum.mul(x[10], y[3]);
1564 accum.mul(x[11], y[2]);
1565 accum.mul(x[12], y[1]);
1566 accum.mul(x[13], y[0]);
1567 z[13] = accum.extract();
1568 accum.mul(x[0], y[14]);
1569 accum.mul(x[1], y[13]);
1570 accum.mul(x[2], y[12]);
1571 accum.mul(x[3], y[11]);
1572 accum.mul(x[4], y[10]);
1573 accum.mul(x[5], y[9]);
1574 accum.mul(x[6], y[8]);
1575 accum.mul(x[7], y[7]);
1576 accum.mul(x[8], y[6]);
1577 accum.mul(x[9], y[5]);
1578 accum.mul(x[10], y[4]);
1579 accum.mul(x[11], y[3]);
1580 accum.mul(x[12], y[2]);
1581 accum.mul(x[13], y[1]);
1582 accum.mul(x[14], y[0]);
1583 z[14] = accum.extract();
1584 accum.mul(x[0], y[15]);
1585 accum.mul(x[1], y[14]);
1586 accum.mul(x[2], y[13]);
1587 accum.mul(x[3], y[12]);
1588 accum.mul(x[4], y[11]);
1589 accum.mul(x[5], y[10]);
1590 accum.mul(x[6], y[9]);
1591 accum.mul(x[7], y[8]);
1592 accum.mul(x[8], y[7]);
1593 accum.mul(x[9], y[6]);
1594 accum.mul(x[10], y[5]);
1595 accum.mul(x[11], y[4]);
1596 accum.mul(x[12], y[3]);
1597 accum.mul(x[13], y[2]);
1598 accum.mul(x[14], y[1]);
1599 accum.mul(x[15], y[0]);
1600 z[15] = accum.extract();
1601 accum.mul(x[0], y[16]);
1602 accum.mul(x[1], y[15]);
1603 accum.mul(x[2], y[14]);
1604 accum.mul(x[3], y[13]);
1605 accum.mul(x[4], y[12]);
1606 accum.mul(x[5], y[11]);
1607 accum.mul(x[6], y[10]);
1608 accum.mul(x[7], y[9]);
1609 accum.mul(x[8], y[8]);
1610 accum.mul(x[9], y[7]);
1611 accum.mul(x[10], y[6]);
1612 accum.mul(x[11], y[5]);
1613 accum.mul(x[12], y[4]);
1614 accum.mul(x[13], y[3]);
1615 accum.mul(x[14], y[2]);
1616 accum.mul(x[15], y[1]);
1617 accum.mul(x[16], y[0]);
1618 z[16] = accum.extract();
1619 accum.mul(x[0], y[17]);
1620 accum.mul(x[1], y[16]);
1621 accum.mul(x[2], y[15]);
1622 accum.mul(x[3], y[14]);
1623 accum.mul(x[4], y[13]);
1624 accum.mul(x[5], y[12]);
1625 accum.mul(x[6], y[11]);
1626 accum.mul(x[7], y[10]);
1627 accum.mul(x[8], y[9]);
1628 accum.mul(x[9], y[8]);
1629 accum.mul(x[10], y[7]);
1630 accum.mul(x[11], y[6]);
1631 accum.mul(x[12], y[5]);
1632 accum.mul(x[13], y[4]);
1633 accum.mul(x[14], y[3]);
1634 accum.mul(x[15], y[2]);
1635 accum.mul(x[16], y[1]);
1636 accum.mul(x[17], y[0]);
1637 z[17] = accum.extract();
1638 accum.mul(x[0], y[18]);
1639 accum.mul(x[1], y[17]);
1640 accum.mul(x[2], y[16]);
1641 accum.mul(x[3], y[15]);
1642 accum.mul(x[4], y[14]);
1643 accum.mul(x[5], y[13]);
1644 accum.mul(x[6], y[12]);
1645 accum.mul(x[7], y[11]);
1646 accum.mul(x[8], y[10]);
1647 accum.mul(x[9], y[9]);
1648 accum.mul(x[10], y[8]);
1649 accum.mul(x[11], y[7]);
1650 accum.mul(x[12], y[6]);
1651 accum.mul(x[13], y[5]);
1652 accum.mul(x[14], y[4]);
1653 accum.mul(x[15], y[3]);
1654 accum.mul(x[16], y[2]);
1655 accum.mul(x[17], y[1]);
1656 accum.mul(x[18], y[0]);
1657 z[18] = accum.extract();
1658 accum.mul(x[0], y[19]);
1659 accum.mul(x[1], y[18]);
1660 accum.mul(x[2], y[17]);
1661 accum.mul(x[3], y[16]);
1662 accum.mul(x[4], y[15]);
1663 accum.mul(x[5], y[14]);
1664 accum.mul(x[6], y[13]);
1665 accum.mul(x[7], y[12]);
1666 accum.mul(x[8], y[11]);
1667 accum.mul(x[9], y[10]);
1668 accum.mul(x[10], y[9]);
1669 accum.mul(x[11], y[8]);
1670 accum.mul(x[12], y[7]);
1671 accum.mul(x[13], y[6]);
1672 accum.mul(x[14], y[5]);
1673 accum.mul(x[15], y[4]);
1674 accum.mul(x[16], y[3]);
1675 accum.mul(x[17], y[2]);
1676 accum.mul(x[18], y[1]);
1677 accum.mul(x[19], y[0]);
1678 z[19] = accum.extract();
1679 accum.mul(x[0], y[20]);
1680 accum.mul(x[1], y[19]);
1681 accum.mul(x[2], y[18]);
1682 accum.mul(x[3], y[17]);
1683 accum.mul(x[4], y[16]);
1684 accum.mul(x[5], y[15]);
1685 accum.mul(x[6], y[14]);
1686 accum.mul(x[7], y[13]);
1687 accum.mul(x[8], y[12]);
1688 accum.mul(x[9], y[11]);
1689 accum.mul(x[10], y[10]);
1690 accum.mul(x[11], y[9]);
1691 accum.mul(x[12], y[8]);
1692 accum.mul(x[13], y[7]);
1693 accum.mul(x[14], y[6]);
1694 accum.mul(x[15], y[5]);
1695 accum.mul(x[16], y[4]);
1696 accum.mul(x[17], y[3]);
1697 accum.mul(x[18], y[2]);
1698 accum.mul(x[19], y[1]);
1699 accum.mul(x[20], y[0]);
1700 z[20] = accum.extract();
1701 accum.mul(x[0], y[21]);
1702 accum.mul(x[1], y[20]);
1703 accum.mul(x[2], y[19]);
1704 accum.mul(x[3], y[18]);
1705 accum.mul(x[4], y[17]);
1706 accum.mul(x[5], y[16]);
1707 accum.mul(x[6], y[15]);
1708 accum.mul(x[7], y[14]);
1709 accum.mul(x[8], y[13]);
1710 accum.mul(x[9], y[12]);
1711 accum.mul(x[10], y[11]);
1712 accum.mul(x[11], y[10]);
1713 accum.mul(x[12], y[9]);
1714 accum.mul(x[13], y[8]);
1715 accum.mul(x[14], y[7]);
1716 accum.mul(x[15], y[6]);
1717 accum.mul(x[16], y[5]);
1718 accum.mul(x[17], y[4]);
1719 accum.mul(x[18], y[3]);
1720 accum.mul(x[19], y[2]);
1721 accum.mul(x[20], y[1]);
1722 accum.mul(x[21], y[0]);
1723 z[21] = accum.extract();
1724 accum.mul(x[0], y[22]);
1725 accum.mul(x[1], y[21]);
1726 accum.mul(x[2], y[20]);
1727 accum.mul(x[3], y[19]);
1728 accum.mul(x[4], y[18]);
1729 accum.mul(x[5], y[17]);
1730 accum.mul(x[6], y[16]);
1731 accum.mul(x[7], y[15]);
1732 accum.mul(x[8], y[14]);
1733 accum.mul(x[9], y[13]);
1734 accum.mul(x[10], y[12]);
1735 accum.mul(x[11], y[11]);
1736 accum.mul(x[12], y[10]);
1737 accum.mul(x[13], y[9]);
1738 accum.mul(x[14], y[8]);
1739 accum.mul(x[15], y[7]);
1740 accum.mul(x[16], y[6]);
1741 accum.mul(x[17], y[5]);
1742 accum.mul(x[18], y[4]);
1743 accum.mul(x[19], y[3]);
1744 accum.mul(x[20], y[2]);
1745 accum.mul(x[21], y[1]);
1746 accum.mul(x[22], y[0]);
1747 z[22] = accum.extract();
1748 accum.mul(x[0], y[23]);
1749 accum.mul(x[1], y[22]);
1750 accum.mul(x[2], y[21]);
1751 accum.mul(x[3], y[20]);
1752 accum.mul(x[4], y[19]);
1753 accum.mul(x[5], y[18]);
1754 accum.mul(x[6], y[17]);
1755 accum.mul(x[7], y[16]);
1756 accum.mul(x[8], y[15]);
1757 accum.mul(x[9], y[14]);
1758 accum.mul(x[10], y[13]);
1759 accum.mul(x[11], y[12]);
1760 accum.mul(x[12], y[11]);
1761 accum.mul(x[13], y[10]);
1762 accum.mul(x[14], y[9]);
1763 accum.mul(x[15], y[8]);
1764 accum.mul(x[16], y[7]);
1765 accum.mul(x[17], y[6]);
1766 accum.mul(x[18], y[5]);
1767 accum.mul(x[19], y[4]);
1768 accum.mul(x[20], y[3]);
1769 accum.mul(x[21], y[2]);
1770 accum.mul(x[22], y[1]);
1771 accum.mul(x[23], y[0]);
1772 z[23] = accum.extract();
1773 accum.mul(x[1], y[23]);
1774 accum.mul(x[2], y[22]);
1775 accum.mul(x[3], y[21]);
1776 accum.mul(x[4], y[20]);
1777 accum.mul(x[5], y[19]);
1778 accum.mul(x[6], y[18]);
1779 accum.mul(x[7], y[17]);
1780 accum.mul(x[8], y[16]);
1781 accum.mul(x[9], y[15]);
1782 accum.mul(x[10], y[14]);
1783 accum.mul(x[11], y[13]);
1784 accum.mul(x[12], y[12]);
1785 accum.mul(x[13], y[11]);
1786 accum.mul(x[14], y[10]);
1787 accum.mul(x[15], y[9]);
1788 accum.mul(x[16], y[8]);
1789 accum.mul(x[17], y[7]);
1790 accum.mul(x[18], y[6]);
1791 accum.mul(x[19], y[5]);
1792 accum.mul(x[20], y[4]);
1793 accum.mul(x[21], y[3]);
1794 accum.mul(x[22], y[2]);
1795 accum.mul(x[23], y[1]);
1796 z[24] = accum.extract();
1797 accum.mul(x[2], y[23]);
1798 accum.mul(x[3], y[22]);
1799 accum.mul(x[4], y[21]);
1800 accum.mul(x[5], y[20]);
1801 accum.mul(x[6], y[19]);
1802 accum.mul(x[7], y[18]);
1803 accum.mul(x[8], y[17]);
1804 accum.mul(x[9], y[16]);
1805 accum.mul(x[10], y[15]);
1806 accum.mul(x[11], y[14]);
1807 accum.mul(x[12], y[13]);
1808 accum.mul(x[13], y[12]);
1809 accum.mul(x[14], y[11]);
1810 accum.mul(x[15], y[10]);
1811 accum.mul(x[16], y[9]);
1812 accum.mul(x[17], y[8]);
1813 accum.mul(x[18], y[7]);
1814 accum.mul(x[19], y[6]);
1815 accum.mul(x[20], y[5]);
1816 accum.mul(x[21], y[4]);
1817 accum.mul(x[22], y[3]);
1818 accum.mul(x[23], y[2]);
1819 z[25] = accum.extract();
1820 accum.mul(x[3], y[23]);
1821 accum.mul(x[4], y[22]);
1822 accum.mul(x[5], y[21]);
1823 accum.mul(x[6], y[20]);
1824 accum.mul(x[7], y[19]);
1825 accum.mul(x[8], y[18]);
1826 accum.mul(x[9], y[17]);
1827 accum.mul(x[10], y[16]);
1828 accum.mul(x[11], y[15]);
1829 accum.mul(x[12], y[14]);
1830 accum.mul(x[13], y[13]);
1831 accum.mul(x[14], y[12]);
1832 accum.mul(x[15], y[11]);
1833 accum.mul(x[16], y[10]);
1834 accum.mul(x[17], y[9]);
1835 accum.mul(x[18], y[8]);
1836 accum.mul(x[19], y[7]);
1837 accum.mul(x[20], y[6]);
1838 accum.mul(x[21], y[5]);
1839 accum.mul(x[22], y[4]);
1840 accum.mul(x[23], y[3]);
1841 z[26] = accum.extract();
1842 accum.mul(x[4], y[23]);
1843 accum.mul(x[5], y[22]);
1844 accum.mul(x[6], y[21]);
1845 accum.mul(x[7], y[20]);
1846 accum.mul(x[8], y[19]);
1847 accum.mul(x[9], y[18]);
1848 accum.mul(x[10], y[17]);
1849 accum.mul(x[11], y[16]);
1850 accum.mul(x[12], y[15]);
1851 accum.mul(x[13], y[14]);
1852 accum.mul(x[14], y[13]);
1853 accum.mul(x[15], y[12]);
1854 accum.mul(x[16], y[11]);
1855 accum.mul(x[17], y[10]);
1856 accum.mul(x[18], y[9]);
1857 accum.mul(x[19], y[8]);
1858 accum.mul(x[20], y[7]);
1859 accum.mul(x[21], y[6]);
1860 accum.mul(x[22], y[5]);
1861 accum.mul(x[23], y[4]);
1862 z[27] = accum.extract();
1863 accum.mul(x[5], y[23]);
1864 accum.mul(x[6], y[22]);
1865 accum.mul(x[7], y[21]);
1866 accum.mul(x[8], y[20]);
1867 accum.mul(x[9], y[19]);
1868 accum.mul(x[10], y[18]);
1869 accum.mul(x[11], y[17]);
1870 accum.mul(x[12], y[16]);
1871 accum.mul(x[13], y[15]);
1872 accum.mul(x[14], y[14]);
1873 accum.mul(x[15], y[13]);
1874 accum.mul(x[16], y[12]);
1875 accum.mul(x[17], y[11]);
1876 accum.mul(x[18], y[10]);
1877 accum.mul(x[19], y[9]);
1878 accum.mul(x[20], y[8]);
1879 accum.mul(x[21], y[7]);
1880 accum.mul(x[22], y[6]);
1881 accum.mul(x[23], y[5]);
1882 z[28] = accum.extract();
1883 accum.mul(x[6], y[23]);
1884 accum.mul(x[7], y[22]);
1885 accum.mul(x[8], y[21]);
1886 accum.mul(x[9], y[20]);
1887 accum.mul(x[10], y[19]);
1888 accum.mul(x[11], y[18]);
1889 accum.mul(x[12], y[17]);
1890 accum.mul(x[13], y[16]);
1891 accum.mul(x[14], y[15]);
1892 accum.mul(x[15], y[14]);
1893 accum.mul(x[16], y[13]);
1894 accum.mul(x[17], y[12]);
1895 accum.mul(x[18], y[11]);
1896 accum.mul(x[19], y[10]);
1897 accum.mul(x[20], y[9]);
1898 accum.mul(x[21], y[8]);
1899 accum.mul(x[22], y[7]);
1900 accum.mul(x[23], y[6]);
1901 z[29] = accum.extract();
1902 accum.mul(x[7], y[23]);
1903 accum.mul(x[8], y[22]);
1904 accum.mul(x[9], y[21]);
1905 accum.mul(x[10], y[20]);
1906 accum.mul(x[11], y[19]);
1907 accum.mul(x[12], y[18]);
1908 accum.mul(x[13], y[17]);
1909 accum.mul(x[14], y[16]);
1910 accum.mul(x[15], y[15]);
1911 accum.mul(x[16], y[14]);
1912 accum.mul(x[17], y[13]);
1913 accum.mul(x[18], y[12]);
1914 accum.mul(x[19], y[11]);
1915 accum.mul(x[20], y[10]);
1916 accum.mul(x[21], y[9]);
1917 accum.mul(x[22], y[8]);
1918 accum.mul(x[23], y[7]);
1919 z[30] = accum.extract();
1920 accum.mul(x[8], y[23]);
1921 accum.mul(x[9], y[22]);
1922 accum.mul(x[10], y[21]);
1923 accum.mul(x[11], y[20]);
1924 accum.mul(x[12], y[19]);
1925 accum.mul(x[13], y[18]);
1926 accum.mul(x[14], y[17]);
1927 accum.mul(x[15], y[16]);
1928 accum.mul(x[16], y[15]);
1929 accum.mul(x[17], y[14]);
1930 accum.mul(x[18], y[13]);
1931 accum.mul(x[19], y[12]);
1932 accum.mul(x[20], y[11]);
1933 accum.mul(x[21], y[10]);
1934 accum.mul(x[22], y[9]);
1935 accum.mul(x[23], y[8]);
1936 z[31] = accum.extract();
1937 accum.mul(x[9], y[23]);
1938 accum.mul(x[10], y[22]);
1939 accum.mul(x[11], y[21]);
1940 accum.mul(x[12], y[20]);
1941 accum.mul(x[13], y[19]);
1942 accum.mul(x[14], y[18]);
1943 accum.mul(x[15], y[17]);
1944 accum.mul(x[16], y[16]);
1945 accum.mul(x[17], y[15]);
1946 accum.mul(x[18], y[14]);
1947 accum.mul(x[19], y[13]);
1948 accum.mul(x[20], y[12]);
1949 accum.mul(x[21], y[11]);
1950 accum.mul(x[22], y[10]);
1951 accum.mul(x[23], y[9]);
1952 z[32] = accum.extract();
1953 accum.mul(x[10], y[23]);
1954 accum.mul(x[11], y[22]);
1955 accum.mul(x[12], y[21]);
1956 accum.mul(x[13], y[20]);
1957 accum.mul(x[14], y[19]);
1958 accum.mul(x[15], y[18]);
1959 accum.mul(x[16], y[17]);
1960 accum.mul(x[17], y[16]);
1961 accum.mul(x[18], y[15]);
1962 accum.mul(x[19], y[14]);
1963 accum.mul(x[20], y[13]);
1964 accum.mul(x[21], y[12]);
1965 accum.mul(x[22], y[11]);
1966 accum.mul(x[23], y[10]);
1967 z[33] = accum.extract();
1968 accum.mul(x[11], y[23]);
1969 accum.mul(x[12], y[22]);
1970 accum.mul(x[13], y[21]);
1971 accum.mul(x[14], y[20]);
1972 accum.mul(x[15], y[19]);
1973 accum.mul(x[16], y[18]);
1974 accum.mul(x[17], y[17]);
1975 accum.mul(x[18], y[16]);
1976 accum.mul(x[19], y[15]);
1977 accum.mul(x[20], y[14]);
1978 accum.mul(x[21], y[13]);
1979 accum.mul(x[22], y[12]);
1980 accum.mul(x[23], y[11]);
1981 z[34] = accum.extract();
1982 accum.mul(x[12], y[23]);
1983 accum.mul(x[13], y[22]);
1984 accum.mul(x[14], y[21]);
1985 accum.mul(x[15], y[20]);
1986 accum.mul(x[16], y[19]);
1987 accum.mul(x[17], y[18]);
1988 accum.mul(x[18], y[17]);
1989 accum.mul(x[19], y[16]);
1990 accum.mul(x[20], y[15]);
1991 accum.mul(x[21], y[14]);
1992 accum.mul(x[22], y[13]);
1993 accum.mul(x[23], y[12]);
1994 z[35] = accum.extract();
1995 accum.mul(x[13], y[23]);
1996 accum.mul(x[14], y[22]);
1997 accum.mul(x[15], y[21]);
1998 accum.mul(x[16], y[20]);
1999 accum.mul(x[17], y[19]);
2000 accum.mul(x[18], y[18]);
2001 accum.mul(x[19], y[17]);
2002 accum.mul(x[20], y[16]);
2003 accum.mul(x[21], y[15]);
2004 accum.mul(x[22], y[14]);
2005 accum.mul(x[23], y[13]);
2006 z[36] = accum.extract();
2007 accum.mul(x[14], y[23]);
2008 accum.mul(x[15], y[22]);
2009 accum.mul(x[16], y[21]);
2010 accum.mul(x[17], y[20]);
2011 accum.mul(x[18], y[19]);
2012 accum.mul(x[19], y[18]);
2013 accum.mul(x[20], y[17]);
2014 accum.mul(x[21], y[16]);
2015 accum.mul(x[22], y[15]);
2016 accum.mul(x[23], y[14]);
2017 z[37] = accum.extract();
2018 accum.mul(x[15], y[23]);
2019 accum.mul(x[16], y[22]);
2020 accum.mul(x[17], y[21]);
2021 accum.mul(x[18], y[20]);
2022 accum.mul(x[19], y[19]);
2023 accum.mul(x[20], y[18]);
2024 accum.mul(x[21], y[17]);
2025 accum.mul(x[22], y[16]);
2026 accum.mul(x[23], y[15]);
2027 z[38] = accum.extract();
2028 accum.mul(x[16], y[23]);
2029 accum.mul(x[17], y[22]);
2030 accum.mul(x[18], y[21]);
2031 accum.mul(x[19], y[20]);
2032 accum.mul(x[20], y[19]);
2033 accum.mul(x[21], y[18]);
2034 accum.mul(x[22], y[17]);
2035 accum.mul(x[23], y[16]);
2036 z[39] = accum.extract();
2037 accum.mul(x[17], y[23]);
2038 accum.mul(x[18], y[22]);
2039 accum.mul(x[19], y[21]);
2040 accum.mul(x[20], y[20]);
2041 accum.mul(x[21], y[19]);
2042 accum.mul(x[22], y[18]);
2043 accum.mul(x[23], y[17]);
2044 z[40] = accum.extract();
2045 accum.mul(x[18], y[23]);
2046 accum.mul(x[19], y[22]);
2047 accum.mul(x[20], y[21]);
2048 accum.mul(x[21], y[20]);
2049 accum.mul(x[22], y[19]);
2050 accum.mul(x[23], y[18]);
2051 z[41] = accum.extract();
2052 accum.mul(x[19], y[23]);
2053 accum.mul(x[20], y[22]);
2054 accum.mul(x[21], y[21]);
2055 accum.mul(x[22], y[20]);
2056 accum.mul(x[23], y[19]);
2057 z[42] = accum.extract();
2058 accum.mul(x[20], y[23]);
2059 accum.mul(x[21], y[22]);
2060 accum.mul(x[22], y[21]);
2061 accum.mul(x[23], y[20]);
2062 z[43] = accum.extract();
2063 accum.mul(x[21], y[23]);
2064 accum.mul(x[22], y[22]);
2065 accum.mul(x[23], y[21]);
2066 z[44] = accum.extract();
2067 accum.mul(x[22], y[23]);
2068 accum.mul(x[23], y[22]);
2069 z[45] = accum.extract();
2070 accum.mul(x[23], y[23]);
2071 z[46] = accum.extract();
2072 z[47] = accum.extract();
2073}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul().

◆ bigint_comba_mul4()

BOTAN_FUZZER_API void Botan::bigint_comba_mul4 ( word z[8],
const word x[4],
const word y[4] )

Definition at line 42 of file mp_comba.cpp.

42 {
43 word3<word> accum;
44
45 accum.mul(x[0], y[0]);
46 z[0] = accum.extract();
47 accum.mul(x[0], y[1]);
48 accum.mul(x[1], y[0]);
49 z[1] = accum.extract();
50 accum.mul(x[0], y[2]);
51 accum.mul(x[1], y[1]);
52 accum.mul(x[2], y[0]);
53 z[2] = accum.extract();
54 accum.mul(x[0], y[3]);
55 accum.mul(x[1], y[2]);
56 accum.mul(x[2], y[1]);
57 accum.mul(x[3], y[0]);
58 z[3] = accum.extract();
59 accum.mul(x[1], y[3]);
60 accum.mul(x[2], y[2]);
61 accum.mul(x[3], y[1]);
62 z[4] = accum.extract();
63 accum.mul(x[2], y[3]);
64 accum.mul(x[3], y[2]);
65 z[5] = accum.extract();
66 accum.mul(x[3], y[3]);
67 z[6] = accum.extract();
68 z[7] = accum.extract();
69}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul6()

BOTAN_FUZZER_API void Botan::bigint_comba_mul6 ( word z[12],
const word x[6],
const word y[6] )

Definition at line 115 of file mp_comba.cpp.

115 {
116 word3<word> accum;
117
118 accum.mul(x[0], y[0]);
119 z[0] = accum.extract();
120 accum.mul(x[0], y[1]);
121 accum.mul(x[1], y[0]);
122 z[1] = accum.extract();
123 accum.mul(x[0], y[2]);
124 accum.mul(x[1], y[1]);
125 accum.mul(x[2], y[0]);
126 z[2] = accum.extract();
127 accum.mul(x[0], y[3]);
128 accum.mul(x[1], y[2]);
129 accum.mul(x[2], y[1]);
130 accum.mul(x[3], y[0]);
131 z[3] = accum.extract();
132 accum.mul(x[0], y[4]);
133 accum.mul(x[1], y[3]);
134 accum.mul(x[2], y[2]);
135 accum.mul(x[3], y[1]);
136 accum.mul(x[4], y[0]);
137 z[4] = accum.extract();
138 accum.mul(x[0], y[5]);
139 accum.mul(x[1], y[4]);
140 accum.mul(x[2], y[3]);
141 accum.mul(x[3], y[2]);
142 accum.mul(x[4], y[1]);
143 accum.mul(x[5], y[0]);
144 z[5] = accum.extract();
145 accum.mul(x[1], y[5]);
146 accum.mul(x[2], y[4]);
147 accum.mul(x[3], y[3]);
148 accum.mul(x[4], y[2]);
149 accum.mul(x[5], y[1]);
150 z[6] = accum.extract();
151 accum.mul(x[2], y[5]);
152 accum.mul(x[3], y[4]);
153 accum.mul(x[4], y[3]);
154 accum.mul(x[5], y[2]);
155 z[7] = accum.extract();
156 accum.mul(x[3], y[5]);
157 accum.mul(x[4], y[4]);
158 accum.mul(x[5], y[3]);
159 z[8] = accum.extract();
160 accum.mul(x[4], y[5]);
161 accum.mul(x[5], y[4]);
162 z[9] = accum.extract();
163 accum.mul(x[5], y[5]);
164 z[10] = accum.extract();
165 z[11] = accum.extract();
166}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul7()

BOTAN_FUZZER_API void Botan::bigint_comba_mul7 ( word z[14],
const word x[7],
const word y[7] )

Definition at line 221 of file mp_comba.cpp.

221 {
222 word3<word> accum;
223
224 accum.mul(x[0], y[0]);
225 z[0] = accum.extract();
226 accum.mul(x[0], y[1]);
227 accum.mul(x[1], y[0]);
228 z[1] = accum.extract();
229 accum.mul(x[0], y[2]);
230 accum.mul(x[1], y[1]);
231 accum.mul(x[2], y[0]);
232 z[2] = accum.extract();
233 accum.mul(x[0], y[3]);
234 accum.mul(x[1], y[2]);
235 accum.mul(x[2], y[1]);
236 accum.mul(x[3], y[0]);
237 z[3] = accum.extract();
238 accum.mul(x[0], y[4]);
239 accum.mul(x[1], y[3]);
240 accum.mul(x[2], y[2]);
241 accum.mul(x[3], y[1]);
242 accum.mul(x[4], y[0]);
243 z[4] = accum.extract();
244 accum.mul(x[0], y[5]);
245 accum.mul(x[1], y[4]);
246 accum.mul(x[2], y[3]);
247 accum.mul(x[3], y[2]);
248 accum.mul(x[4], y[1]);
249 accum.mul(x[5], y[0]);
250 z[5] = accum.extract();
251 accum.mul(x[0], y[6]);
252 accum.mul(x[1], y[5]);
253 accum.mul(x[2], y[4]);
254 accum.mul(x[3], y[3]);
255 accum.mul(x[4], y[2]);
256 accum.mul(x[5], y[1]);
257 accum.mul(x[6], y[0]);
258 z[6] = accum.extract();
259 accum.mul(x[1], y[6]);
260 accum.mul(x[2], y[5]);
261 accum.mul(x[3], y[4]);
262 accum.mul(x[4], y[3]);
263 accum.mul(x[5], y[2]);
264 accum.mul(x[6], y[1]);
265 z[7] = accum.extract();
266 accum.mul(x[2], y[6]);
267 accum.mul(x[3], y[5]);
268 accum.mul(x[4], y[4]);
269 accum.mul(x[5], y[3]);
270 accum.mul(x[6], y[2]);
271 z[8] = accum.extract();
272 accum.mul(x[3], y[6]);
273 accum.mul(x[4], y[5]);
274 accum.mul(x[5], y[4]);
275 accum.mul(x[6], y[3]);
276 z[9] = accum.extract();
277 accum.mul(x[4], y[6]);
278 accum.mul(x[5], y[5]);
279 accum.mul(x[6], y[4]);
280 z[10] = accum.extract();
281 accum.mul(x[5], y[6]);
282 accum.mul(x[6], y[5]);
283 z[11] = accum.extract();
284 accum.mul(x[6], y[6]);
285 z[12] = accum.extract();
286 z[13] = accum.extract();
287}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by comba_mul().

◆ bigint_comba_mul8()

BOTAN_FUZZER_API void Botan::bigint_comba_mul8 ( word z[16],
const word x[8],
const word y[8] )

Definition at line 352 of file mp_comba.cpp.

352 {
353 word3<word> accum;
354
355 accum.mul(x[0], y[0]);
356 z[0] = accum.extract();
357 accum.mul(x[0], y[1]);
358 accum.mul(x[1], y[0]);
359 z[1] = accum.extract();
360 accum.mul(x[0], y[2]);
361 accum.mul(x[1], y[1]);
362 accum.mul(x[2], y[0]);
363 z[2] = accum.extract();
364 accum.mul(x[0], y[3]);
365 accum.mul(x[1], y[2]);
366 accum.mul(x[2], y[1]);
367 accum.mul(x[3], y[0]);
368 z[3] = accum.extract();
369 accum.mul(x[0], y[4]);
370 accum.mul(x[1], y[3]);
371 accum.mul(x[2], y[2]);
372 accum.mul(x[3], y[1]);
373 accum.mul(x[4], y[0]);
374 z[4] = accum.extract();
375 accum.mul(x[0], y[5]);
376 accum.mul(x[1], y[4]);
377 accum.mul(x[2], y[3]);
378 accum.mul(x[3], y[2]);
379 accum.mul(x[4], y[1]);
380 accum.mul(x[5], y[0]);
381 z[5] = accum.extract();
382 accum.mul(x[0], y[6]);
383 accum.mul(x[1], y[5]);
384 accum.mul(x[2], y[4]);
385 accum.mul(x[3], y[3]);
386 accum.mul(x[4], y[2]);
387 accum.mul(x[5], y[1]);
388 accum.mul(x[6], y[0]);
389 z[6] = accum.extract();
390 accum.mul(x[0], y[7]);
391 accum.mul(x[1], y[6]);
392 accum.mul(x[2], y[5]);
393 accum.mul(x[3], y[4]);
394 accum.mul(x[4], y[3]);
395 accum.mul(x[5], y[2]);
396 accum.mul(x[6], y[1]);
397 accum.mul(x[7], y[0]);
398 z[7] = accum.extract();
399 accum.mul(x[1], y[7]);
400 accum.mul(x[2], y[6]);
401 accum.mul(x[3], y[5]);
402 accum.mul(x[4], y[4]);
403 accum.mul(x[5], y[3]);
404 accum.mul(x[6], y[2]);
405 accum.mul(x[7], y[1]);
406 z[8] = accum.extract();
407 accum.mul(x[2], y[7]);
408 accum.mul(x[3], y[6]);
409 accum.mul(x[4], y[5]);
410 accum.mul(x[5], y[4]);
411 accum.mul(x[6], y[3]);
412 accum.mul(x[7], y[2]);
413 z[9] = accum.extract();
414 accum.mul(x[3], y[7]);
415 accum.mul(x[4], y[6]);
416 accum.mul(x[5], y[5]);
417 accum.mul(x[6], y[4]);
418 accum.mul(x[7], y[3]);
419 z[10] = accum.extract();
420 accum.mul(x[4], y[7]);
421 accum.mul(x[5], y[6]);
422 accum.mul(x[6], y[5]);
423 accum.mul(x[7], y[4]);
424 z[11] = accum.extract();
425 accum.mul(x[5], y[7]);
426 accum.mul(x[6], y[6]);
427 accum.mul(x[7], y[5]);
428 z[12] = accum.extract();
429 accum.mul(x[6], y[7]);
430 accum.mul(x[7], y[6]);
431 z[13] = accum.extract();
432 accum.mul(x[7], y[7]);
433 z[14] = accum.extract();
434 z[15] = accum.extract();
435}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_mul9()

BOTAN_FUZZER_API void Botan::bigint_comba_mul9 ( word z[18],
const word x[9],
const word y[9] )

Definition at line 511 of file mp_comba.cpp.

511 {
512 word3<word> accum;
513
514 accum.mul(x[0], y[0]);
515 z[0] = accum.extract();
516 accum.mul(x[0], y[1]);
517 accum.mul(x[1], y[0]);
518 z[1] = accum.extract();
519 accum.mul(x[0], y[2]);
520 accum.mul(x[1], y[1]);
521 accum.mul(x[2], y[0]);
522 z[2] = accum.extract();
523 accum.mul(x[0], y[3]);
524 accum.mul(x[1], y[2]);
525 accum.mul(x[2], y[1]);
526 accum.mul(x[3], y[0]);
527 z[3] = accum.extract();
528 accum.mul(x[0], y[4]);
529 accum.mul(x[1], y[3]);
530 accum.mul(x[2], y[2]);
531 accum.mul(x[3], y[1]);
532 accum.mul(x[4], y[0]);
533 z[4] = accum.extract();
534 accum.mul(x[0], y[5]);
535 accum.mul(x[1], y[4]);
536 accum.mul(x[2], y[3]);
537 accum.mul(x[3], y[2]);
538 accum.mul(x[4], y[1]);
539 accum.mul(x[5], y[0]);
540 z[5] = accum.extract();
541 accum.mul(x[0], y[6]);
542 accum.mul(x[1], y[5]);
543 accum.mul(x[2], y[4]);
544 accum.mul(x[3], y[3]);
545 accum.mul(x[4], y[2]);
546 accum.mul(x[5], y[1]);
547 accum.mul(x[6], y[0]);
548 z[6] = accum.extract();
549 accum.mul(x[0], y[7]);
550 accum.mul(x[1], y[6]);
551 accum.mul(x[2], y[5]);
552 accum.mul(x[3], y[4]);
553 accum.mul(x[4], y[3]);
554 accum.mul(x[5], y[2]);
555 accum.mul(x[6], y[1]);
556 accum.mul(x[7], y[0]);
557 z[7] = accum.extract();
558 accum.mul(x[0], y[8]);
559 accum.mul(x[1], y[7]);
560 accum.mul(x[2], y[6]);
561 accum.mul(x[3], y[5]);
562 accum.mul(x[4], y[4]);
563 accum.mul(x[5], y[3]);
564 accum.mul(x[6], y[2]);
565 accum.mul(x[7], y[1]);
566 accum.mul(x[8], y[0]);
567 z[8] = accum.extract();
568 accum.mul(x[1], y[8]);
569 accum.mul(x[2], y[7]);
570 accum.mul(x[3], y[6]);
571 accum.mul(x[4], y[5]);
572 accum.mul(x[5], y[4]);
573 accum.mul(x[6], y[3]);
574 accum.mul(x[7], y[2]);
575 accum.mul(x[8], y[1]);
576 z[9] = accum.extract();
577 accum.mul(x[2], y[8]);
578 accum.mul(x[3], y[7]);
579 accum.mul(x[4], y[6]);
580 accum.mul(x[5], y[5]);
581 accum.mul(x[6], y[4]);
582 accum.mul(x[7], y[3]);
583 accum.mul(x[8], y[2]);
584 z[10] = accum.extract();
585 accum.mul(x[3], y[8]);
586 accum.mul(x[4], y[7]);
587 accum.mul(x[5], y[6]);
588 accum.mul(x[6], y[5]);
589 accum.mul(x[7], y[4]);
590 accum.mul(x[8], y[3]);
591 z[11] = accum.extract();
592 accum.mul(x[4], y[8]);
593 accum.mul(x[5], y[7]);
594 accum.mul(x[6], y[6]);
595 accum.mul(x[7], y[5]);
596 accum.mul(x[8], y[4]);
597 z[12] = accum.extract();
598 accum.mul(x[5], y[8]);
599 accum.mul(x[6], y[7]);
600 accum.mul(x[7], y[6]);
601 accum.mul(x[8], y[5]);
602 z[13] = accum.extract();
603 accum.mul(x[6], y[8]);
604 accum.mul(x[7], y[7]);
605 accum.mul(x[8], y[6]);
606 z[14] = accum.extract();
607 accum.mul(x[7], y[8]);
608 accum.mul(x[8], y[7]);
609 z[15] = accum.extract();
610 accum.mul(x[8], y[8]);
611 z[16] = accum.extract();
612 z[17] = accum.extract();
613}

References Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by bigint_mul(), and comba_mul().

◆ bigint_comba_sqr16()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr16 ( word z[32],
const word x[16] )

Definition at line 618 of file mp_comba.cpp.

618 {
619 word3<word> accum;
620
621 accum.mul(x[0], x[0]);
622 z[0] = accum.extract();
623 accum.mul_x2(x[0], x[1]);
624 z[1] = accum.extract();
625 accum.mul_x2(x[0], x[2]);
626 accum.mul(x[1], x[1]);
627 z[2] = accum.extract();
628 accum.mul_x2(x[0], x[3]);
629 accum.mul_x2(x[1], x[2]);
630 z[3] = accum.extract();
631 accum.mul_x2(x[0], x[4]);
632 accum.mul_x2(x[1], x[3]);
633 accum.mul(x[2], x[2]);
634 z[4] = accum.extract();
635 accum.mul_x2(x[0], x[5]);
636 accum.mul_x2(x[1], x[4]);
637 accum.mul_x2(x[2], x[3]);
638 z[5] = accum.extract();
639 accum.mul_x2(x[0], x[6]);
640 accum.mul_x2(x[1], x[5]);
641 accum.mul_x2(x[2], x[4]);
642 accum.mul(x[3], x[3]);
643 z[6] = accum.extract();
644 accum.mul_x2(x[0], x[7]);
645 accum.mul_x2(x[1], x[6]);
646 accum.mul_x2(x[2], x[5]);
647 accum.mul_x2(x[3], x[4]);
648 z[7] = accum.extract();
649 accum.mul_x2(x[0], x[8]);
650 accum.mul_x2(x[1], x[7]);
651 accum.mul_x2(x[2], x[6]);
652 accum.mul_x2(x[3], x[5]);
653 accum.mul(x[4], x[4]);
654 z[8] = accum.extract();
655 accum.mul_x2(x[0], x[9]);
656 accum.mul_x2(x[1], x[8]);
657 accum.mul_x2(x[2], x[7]);
658 accum.mul_x2(x[3], x[6]);
659 accum.mul_x2(x[4], x[5]);
660 z[9] = accum.extract();
661 accum.mul_x2(x[0], x[10]);
662 accum.mul_x2(x[1], x[9]);
663 accum.mul_x2(x[2], x[8]);
664 accum.mul_x2(x[3], x[7]);
665 accum.mul_x2(x[4], x[6]);
666 accum.mul(x[5], x[5]);
667 z[10] = accum.extract();
668 accum.mul_x2(x[0], x[11]);
669 accum.mul_x2(x[1], x[10]);
670 accum.mul_x2(x[2], x[9]);
671 accum.mul_x2(x[3], x[8]);
672 accum.mul_x2(x[4], x[7]);
673 accum.mul_x2(x[5], x[6]);
674 z[11] = accum.extract();
675 accum.mul_x2(x[0], x[12]);
676 accum.mul_x2(x[1], x[11]);
677 accum.mul_x2(x[2], x[10]);
678 accum.mul_x2(x[3], x[9]);
679 accum.mul_x2(x[4], x[8]);
680 accum.mul_x2(x[5], x[7]);
681 accum.mul(x[6], x[6]);
682 z[12] = accum.extract();
683 accum.mul_x2(x[0], x[13]);
684 accum.mul_x2(x[1], x[12]);
685 accum.mul_x2(x[2], x[11]);
686 accum.mul_x2(x[3], x[10]);
687 accum.mul_x2(x[4], x[9]);
688 accum.mul_x2(x[5], x[8]);
689 accum.mul_x2(x[6], x[7]);
690 z[13] = accum.extract();
691 accum.mul_x2(x[0], x[14]);
692 accum.mul_x2(x[1], x[13]);
693 accum.mul_x2(x[2], x[12]);
694 accum.mul_x2(x[3], x[11]);
695 accum.mul_x2(x[4], x[10]);
696 accum.mul_x2(x[5], x[9]);
697 accum.mul_x2(x[6], x[8]);
698 accum.mul(x[7], x[7]);
699 z[14] = accum.extract();
700 accum.mul_x2(x[0], x[15]);
701 accum.mul_x2(x[1], x[14]);
702 accum.mul_x2(x[2], x[13]);
703 accum.mul_x2(x[3], x[12]);
704 accum.mul_x2(x[4], x[11]);
705 accum.mul_x2(x[5], x[10]);
706 accum.mul_x2(x[6], x[9]);
707 accum.mul_x2(x[7], x[8]);
708 z[15] = accum.extract();
709 accum.mul_x2(x[1], x[15]);
710 accum.mul_x2(x[2], x[14]);
711 accum.mul_x2(x[3], x[13]);
712 accum.mul_x2(x[4], x[12]);
713 accum.mul_x2(x[5], x[11]);
714 accum.mul_x2(x[6], x[10]);
715 accum.mul_x2(x[7], x[9]);
716 accum.mul(x[8], x[8]);
717 z[16] = accum.extract();
718 accum.mul_x2(x[2], x[15]);
719 accum.mul_x2(x[3], x[14]);
720 accum.mul_x2(x[4], x[13]);
721 accum.mul_x2(x[5], x[12]);
722 accum.mul_x2(x[6], x[11]);
723 accum.mul_x2(x[7], x[10]);
724 accum.mul_x2(x[8], x[9]);
725 z[17] = accum.extract();
726 accum.mul_x2(x[3], x[15]);
727 accum.mul_x2(x[4], x[14]);
728 accum.mul_x2(x[5], x[13]);
729 accum.mul_x2(x[6], x[12]);
730 accum.mul_x2(x[7], x[11]);
731 accum.mul_x2(x[8], x[10]);
732 accum.mul(x[9], x[9]);
733 z[18] = accum.extract();
734 accum.mul_x2(x[4], x[15]);
735 accum.mul_x2(x[5], x[14]);
736 accum.mul_x2(x[6], x[13]);
737 accum.mul_x2(x[7], x[12]);
738 accum.mul_x2(x[8], x[11]);
739 accum.mul_x2(x[9], x[10]);
740 z[19] = accum.extract();
741 accum.mul_x2(x[5], x[15]);
742 accum.mul_x2(x[6], x[14]);
743 accum.mul_x2(x[7], x[13]);
744 accum.mul_x2(x[8], x[12]);
745 accum.mul_x2(x[9], x[11]);
746 accum.mul(x[10], x[10]);
747 z[20] = accum.extract();
748 accum.mul_x2(x[6], x[15]);
749 accum.mul_x2(x[7], x[14]);
750 accum.mul_x2(x[8], x[13]);
751 accum.mul_x2(x[9], x[12]);
752 accum.mul_x2(x[10], x[11]);
753 z[21] = accum.extract();
754 accum.mul_x2(x[7], x[15]);
755 accum.mul_x2(x[8], x[14]);
756 accum.mul_x2(x[9], x[13]);
757 accum.mul_x2(x[10], x[12]);
758 accum.mul(x[11], x[11]);
759 z[22] = accum.extract();
760 accum.mul_x2(x[8], x[15]);
761 accum.mul_x2(x[9], x[14]);
762 accum.mul_x2(x[10], x[13]);
763 accum.mul_x2(x[11], x[12]);
764 z[23] = accum.extract();
765 accum.mul_x2(x[9], x[15]);
766 accum.mul_x2(x[10], x[14]);
767 accum.mul_x2(x[11], x[13]);
768 accum.mul(x[12], x[12]);
769 z[24] = accum.extract();
770 accum.mul_x2(x[10], x[15]);
771 accum.mul_x2(x[11], x[14]);
772 accum.mul_x2(x[12], x[13]);
773 z[25] = accum.extract();
774 accum.mul_x2(x[11], x[15]);
775 accum.mul_x2(x[12], x[14]);
776 accum.mul(x[13], x[13]);
777 z[26] = accum.extract();
778 accum.mul_x2(x[12], x[15]);
779 accum.mul_x2(x[13], x[14]);
780 z[27] = accum.extract();
781 accum.mul_x2(x[13], x[15]);
782 accum.mul(x[14], x[14]);
783 z[28] = accum.extract();
784 accum.mul_x2(x[14], x[15]);
785 z[29] = accum.extract();
786 accum.mul(x[15], x[15]);
787 z[30] = accum.extract();
788 z[31] = accum.extract();
789}
constexpr void mul_x2(W x, W y)
Definition mp_asmi.h:482

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr24()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr24 ( word z[48],
const word x[24] )

Definition at line 1090 of file mp_comba.cpp.

1090 {
1091 word3<word> accum;
1092
1093 accum.mul(x[0], x[0]);
1094 z[0] = accum.extract();
1095 accum.mul_x2(x[0], x[1]);
1096 z[1] = accum.extract();
1097 accum.mul_x2(x[0], x[2]);
1098 accum.mul(x[1], x[1]);
1099 z[2] = accum.extract();
1100 accum.mul_x2(x[0], x[3]);
1101 accum.mul_x2(x[1], x[2]);
1102 z[3] = accum.extract();
1103 accum.mul_x2(x[0], x[4]);
1104 accum.mul_x2(x[1], x[3]);
1105 accum.mul(x[2], x[2]);
1106 z[4] = accum.extract();
1107 accum.mul_x2(x[0], x[5]);
1108 accum.mul_x2(x[1], x[4]);
1109 accum.mul_x2(x[2], x[3]);
1110 z[5] = accum.extract();
1111 accum.mul_x2(x[0], x[6]);
1112 accum.mul_x2(x[1], x[5]);
1113 accum.mul_x2(x[2], x[4]);
1114 accum.mul(x[3], x[3]);
1115 z[6] = accum.extract();
1116 accum.mul_x2(x[0], x[7]);
1117 accum.mul_x2(x[1], x[6]);
1118 accum.mul_x2(x[2], x[5]);
1119 accum.mul_x2(x[3], x[4]);
1120 z[7] = accum.extract();
1121 accum.mul_x2(x[0], x[8]);
1122 accum.mul_x2(x[1], x[7]);
1123 accum.mul_x2(x[2], x[6]);
1124 accum.mul_x2(x[3], x[5]);
1125 accum.mul(x[4], x[4]);
1126 z[8] = accum.extract();
1127 accum.mul_x2(x[0], x[9]);
1128 accum.mul_x2(x[1], x[8]);
1129 accum.mul_x2(x[2], x[7]);
1130 accum.mul_x2(x[3], x[6]);
1131 accum.mul_x2(x[4], x[5]);
1132 z[9] = accum.extract();
1133 accum.mul_x2(x[0], x[10]);
1134 accum.mul_x2(x[1], x[9]);
1135 accum.mul_x2(x[2], x[8]);
1136 accum.mul_x2(x[3], x[7]);
1137 accum.mul_x2(x[4], x[6]);
1138 accum.mul(x[5], x[5]);
1139 z[10] = accum.extract();
1140 accum.mul_x2(x[0], x[11]);
1141 accum.mul_x2(x[1], x[10]);
1142 accum.mul_x2(x[2], x[9]);
1143 accum.mul_x2(x[3], x[8]);
1144 accum.mul_x2(x[4], x[7]);
1145 accum.mul_x2(x[5], x[6]);
1146 z[11] = accum.extract();
1147 accum.mul_x2(x[0], x[12]);
1148 accum.mul_x2(x[1], x[11]);
1149 accum.mul_x2(x[2], x[10]);
1150 accum.mul_x2(x[3], x[9]);
1151 accum.mul_x2(x[4], x[8]);
1152 accum.mul_x2(x[5], x[7]);
1153 accum.mul(x[6], x[6]);
1154 z[12] = accum.extract();
1155 accum.mul_x2(x[0], x[13]);
1156 accum.mul_x2(x[1], x[12]);
1157 accum.mul_x2(x[2], x[11]);
1158 accum.mul_x2(x[3], x[10]);
1159 accum.mul_x2(x[4], x[9]);
1160 accum.mul_x2(x[5], x[8]);
1161 accum.mul_x2(x[6], x[7]);
1162 z[13] = accum.extract();
1163 accum.mul_x2(x[0], x[14]);
1164 accum.mul_x2(x[1], x[13]);
1165 accum.mul_x2(x[2], x[12]);
1166 accum.mul_x2(x[3], x[11]);
1167 accum.mul_x2(x[4], x[10]);
1168 accum.mul_x2(x[5], x[9]);
1169 accum.mul_x2(x[6], x[8]);
1170 accum.mul(x[7], x[7]);
1171 z[14] = accum.extract();
1172 accum.mul_x2(x[0], x[15]);
1173 accum.mul_x2(x[1], x[14]);
1174 accum.mul_x2(x[2], x[13]);
1175 accum.mul_x2(x[3], x[12]);
1176 accum.mul_x2(x[4], x[11]);
1177 accum.mul_x2(x[5], x[10]);
1178 accum.mul_x2(x[6], x[9]);
1179 accum.mul_x2(x[7], x[8]);
1180 z[15] = accum.extract();
1181 accum.mul_x2(x[0], x[16]);
1182 accum.mul_x2(x[1], x[15]);
1183 accum.mul_x2(x[2], x[14]);
1184 accum.mul_x2(x[3], x[13]);
1185 accum.mul_x2(x[4], x[12]);
1186 accum.mul_x2(x[5], x[11]);
1187 accum.mul_x2(x[6], x[10]);
1188 accum.mul_x2(x[7], x[9]);
1189 accum.mul(x[8], x[8]);
1190 z[16] = accum.extract();
1191 accum.mul_x2(x[0], x[17]);
1192 accum.mul_x2(x[1], x[16]);
1193 accum.mul_x2(x[2], x[15]);
1194 accum.mul_x2(x[3], x[14]);
1195 accum.mul_x2(x[4], x[13]);
1196 accum.mul_x2(x[5], x[12]);
1197 accum.mul_x2(x[6], x[11]);
1198 accum.mul_x2(x[7], x[10]);
1199 accum.mul_x2(x[8], x[9]);
1200 z[17] = accum.extract();
1201 accum.mul_x2(x[0], x[18]);
1202 accum.mul_x2(x[1], x[17]);
1203 accum.mul_x2(x[2], x[16]);
1204 accum.mul_x2(x[3], x[15]);
1205 accum.mul_x2(x[4], x[14]);
1206 accum.mul_x2(x[5], x[13]);
1207 accum.mul_x2(x[6], x[12]);
1208 accum.mul_x2(x[7], x[11]);
1209 accum.mul_x2(x[8], x[10]);
1210 accum.mul(x[9], x[9]);
1211 z[18] = accum.extract();
1212 accum.mul_x2(x[0], x[19]);
1213 accum.mul_x2(x[1], x[18]);
1214 accum.mul_x2(x[2], x[17]);
1215 accum.mul_x2(x[3], x[16]);
1216 accum.mul_x2(x[4], x[15]);
1217 accum.mul_x2(x[5], x[14]);
1218 accum.mul_x2(x[6], x[13]);
1219 accum.mul_x2(x[7], x[12]);
1220 accum.mul_x2(x[8], x[11]);
1221 accum.mul_x2(x[9], x[10]);
1222 z[19] = accum.extract();
1223 accum.mul_x2(x[0], x[20]);
1224 accum.mul_x2(x[1], x[19]);
1225 accum.mul_x2(x[2], x[18]);
1226 accum.mul_x2(x[3], x[17]);
1227 accum.mul_x2(x[4], x[16]);
1228 accum.mul_x2(x[5], x[15]);
1229 accum.mul_x2(x[6], x[14]);
1230 accum.mul_x2(x[7], x[13]);
1231 accum.mul_x2(x[8], x[12]);
1232 accum.mul_x2(x[9], x[11]);
1233 accum.mul(x[10], x[10]);
1234 z[20] = accum.extract();
1235 accum.mul_x2(x[0], x[21]);
1236 accum.mul_x2(x[1], x[20]);
1237 accum.mul_x2(x[2], x[19]);
1238 accum.mul_x2(x[3], x[18]);
1239 accum.mul_x2(x[4], x[17]);
1240 accum.mul_x2(x[5], x[16]);
1241 accum.mul_x2(x[6], x[15]);
1242 accum.mul_x2(x[7], x[14]);
1243 accum.mul_x2(x[8], x[13]);
1244 accum.mul_x2(x[9], x[12]);
1245 accum.mul_x2(x[10], x[11]);
1246 z[21] = accum.extract();
1247 accum.mul_x2(x[0], x[22]);
1248 accum.mul_x2(x[1], x[21]);
1249 accum.mul_x2(x[2], x[20]);
1250 accum.mul_x2(x[3], x[19]);
1251 accum.mul_x2(x[4], x[18]);
1252 accum.mul_x2(x[5], x[17]);
1253 accum.mul_x2(x[6], x[16]);
1254 accum.mul_x2(x[7], x[15]);
1255 accum.mul_x2(x[8], x[14]);
1256 accum.mul_x2(x[9], x[13]);
1257 accum.mul_x2(x[10], x[12]);
1258 accum.mul(x[11], x[11]);
1259 z[22] = accum.extract();
1260 accum.mul_x2(x[0], x[23]);
1261 accum.mul_x2(x[1], x[22]);
1262 accum.mul_x2(x[2], x[21]);
1263 accum.mul_x2(x[3], x[20]);
1264 accum.mul_x2(x[4], x[19]);
1265 accum.mul_x2(x[5], x[18]);
1266 accum.mul_x2(x[6], x[17]);
1267 accum.mul_x2(x[7], x[16]);
1268 accum.mul_x2(x[8], x[15]);
1269 accum.mul_x2(x[9], x[14]);
1270 accum.mul_x2(x[10], x[13]);
1271 accum.mul_x2(x[11], x[12]);
1272 z[23] = accum.extract();
1273 accum.mul_x2(x[1], x[23]);
1274 accum.mul_x2(x[2], x[22]);
1275 accum.mul_x2(x[3], x[21]);
1276 accum.mul_x2(x[4], x[20]);
1277 accum.mul_x2(x[5], x[19]);
1278 accum.mul_x2(x[6], x[18]);
1279 accum.mul_x2(x[7], x[17]);
1280 accum.mul_x2(x[8], x[16]);
1281 accum.mul_x2(x[9], x[15]);
1282 accum.mul_x2(x[10], x[14]);
1283 accum.mul_x2(x[11], x[13]);
1284 accum.mul(x[12], x[12]);
1285 z[24] = accum.extract();
1286 accum.mul_x2(x[2], x[23]);
1287 accum.mul_x2(x[3], x[22]);
1288 accum.mul_x2(x[4], x[21]);
1289 accum.mul_x2(x[5], x[20]);
1290 accum.mul_x2(x[6], x[19]);
1291 accum.mul_x2(x[7], x[18]);
1292 accum.mul_x2(x[8], x[17]);
1293 accum.mul_x2(x[9], x[16]);
1294 accum.mul_x2(x[10], x[15]);
1295 accum.mul_x2(x[11], x[14]);
1296 accum.mul_x2(x[12], x[13]);
1297 z[25] = accum.extract();
1298 accum.mul_x2(x[3], x[23]);
1299 accum.mul_x2(x[4], x[22]);
1300 accum.mul_x2(x[5], x[21]);
1301 accum.mul_x2(x[6], x[20]);
1302 accum.mul_x2(x[7], x[19]);
1303 accum.mul_x2(x[8], x[18]);
1304 accum.mul_x2(x[9], x[17]);
1305 accum.mul_x2(x[10], x[16]);
1306 accum.mul_x2(x[11], x[15]);
1307 accum.mul_x2(x[12], x[14]);
1308 accum.mul(x[13], x[13]);
1309 z[26] = accum.extract();
1310 accum.mul_x2(x[4], x[23]);
1311 accum.mul_x2(x[5], x[22]);
1312 accum.mul_x2(x[6], x[21]);
1313 accum.mul_x2(x[7], x[20]);
1314 accum.mul_x2(x[8], x[19]);
1315 accum.mul_x2(x[9], x[18]);
1316 accum.mul_x2(x[10], x[17]);
1317 accum.mul_x2(x[11], x[16]);
1318 accum.mul_x2(x[12], x[15]);
1319 accum.mul_x2(x[13], x[14]);
1320 z[27] = accum.extract();
1321 accum.mul_x2(x[5], x[23]);
1322 accum.mul_x2(x[6], x[22]);
1323 accum.mul_x2(x[7], x[21]);
1324 accum.mul_x2(x[8], x[20]);
1325 accum.mul_x2(x[9], x[19]);
1326 accum.mul_x2(x[10], x[18]);
1327 accum.mul_x2(x[11], x[17]);
1328 accum.mul_x2(x[12], x[16]);
1329 accum.mul_x2(x[13], x[15]);
1330 accum.mul(x[14], x[14]);
1331 z[28] = accum.extract();
1332 accum.mul_x2(x[6], x[23]);
1333 accum.mul_x2(x[7], x[22]);
1334 accum.mul_x2(x[8], x[21]);
1335 accum.mul_x2(x[9], x[20]);
1336 accum.mul_x2(x[10], x[19]);
1337 accum.mul_x2(x[11], x[18]);
1338 accum.mul_x2(x[12], x[17]);
1339 accum.mul_x2(x[13], x[16]);
1340 accum.mul_x2(x[14], x[15]);
1341 z[29] = accum.extract();
1342 accum.mul_x2(x[7], x[23]);
1343 accum.mul_x2(x[8], x[22]);
1344 accum.mul_x2(x[9], x[21]);
1345 accum.mul_x2(x[10], x[20]);
1346 accum.mul_x2(x[11], x[19]);
1347 accum.mul_x2(x[12], x[18]);
1348 accum.mul_x2(x[13], x[17]);
1349 accum.mul_x2(x[14], x[16]);
1350 accum.mul(x[15], x[15]);
1351 z[30] = accum.extract();
1352 accum.mul_x2(x[8], x[23]);
1353 accum.mul_x2(x[9], x[22]);
1354 accum.mul_x2(x[10], x[21]);
1355 accum.mul_x2(x[11], x[20]);
1356 accum.mul_x2(x[12], x[19]);
1357 accum.mul_x2(x[13], x[18]);
1358 accum.mul_x2(x[14], x[17]);
1359 accum.mul_x2(x[15], x[16]);
1360 z[31] = accum.extract();
1361 accum.mul_x2(x[9], x[23]);
1362 accum.mul_x2(x[10], x[22]);
1363 accum.mul_x2(x[11], x[21]);
1364 accum.mul_x2(x[12], x[20]);
1365 accum.mul_x2(x[13], x[19]);
1366 accum.mul_x2(x[14], x[18]);
1367 accum.mul_x2(x[15], x[17]);
1368 accum.mul(x[16], x[16]);
1369 z[32] = accum.extract();
1370 accum.mul_x2(x[10], x[23]);
1371 accum.mul_x2(x[11], x[22]);
1372 accum.mul_x2(x[12], x[21]);
1373 accum.mul_x2(x[13], x[20]);
1374 accum.mul_x2(x[14], x[19]);
1375 accum.mul_x2(x[15], x[18]);
1376 accum.mul_x2(x[16], x[17]);
1377 z[33] = accum.extract();
1378 accum.mul_x2(x[11], x[23]);
1379 accum.mul_x2(x[12], x[22]);
1380 accum.mul_x2(x[13], x[21]);
1381 accum.mul_x2(x[14], x[20]);
1382 accum.mul_x2(x[15], x[19]);
1383 accum.mul_x2(x[16], x[18]);
1384 accum.mul(x[17], x[17]);
1385 z[34] = accum.extract();
1386 accum.mul_x2(x[12], x[23]);
1387 accum.mul_x2(x[13], x[22]);
1388 accum.mul_x2(x[14], x[21]);
1389 accum.mul_x2(x[15], x[20]);
1390 accum.mul_x2(x[16], x[19]);
1391 accum.mul_x2(x[17], x[18]);
1392 z[35] = accum.extract();
1393 accum.mul_x2(x[13], x[23]);
1394 accum.mul_x2(x[14], x[22]);
1395 accum.mul_x2(x[15], x[21]);
1396 accum.mul_x2(x[16], x[20]);
1397 accum.mul_x2(x[17], x[19]);
1398 accum.mul(x[18], x[18]);
1399 z[36] = accum.extract();
1400 accum.mul_x2(x[14], x[23]);
1401 accum.mul_x2(x[15], x[22]);
1402 accum.mul_x2(x[16], x[21]);
1403 accum.mul_x2(x[17], x[20]);
1404 accum.mul_x2(x[18], x[19]);
1405 z[37] = accum.extract();
1406 accum.mul_x2(x[15], x[23]);
1407 accum.mul_x2(x[16], x[22]);
1408 accum.mul_x2(x[17], x[21]);
1409 accum.mul_x2(x[18], x[20]);
1410 accum.mul(x[19], x[19]);
1411 z[38] = accum.extract();
1412 accum.mul_x2(x[16], x[23]);
1413 accum.mul_x2(x[17], x[22]);
1414 accum.mul_x2(x[18], x[21]);
1415 accum.mul_x2(x[19], x[20]);
1416 z[39] = accum.extract();
1417 accum.mul_x2(x[17], x[23]);
1418 accum.mul_x2(x[18], x[22]);
1419 accum.mul_x2(x[19], x[21]);
1420 accum.mul(x[20], x[20]);
1421 z[40] = accum.extract();
1422 accum.mul_x2(x[18], x[23]);
1423 accum.mul_x2(x[19], x[22]);
1424 accum.mul_x2(x[20], x[21]);
1425 z[41] = accum.extract();
1426 accum.mul_x2(x[19], x[23]);
1427 accum.mul_x2(x[20], x[22]);
1428 accum.mul(x[21], x[21]);
1429 z[42] = accum.extract();
1430 accum.mul_x2(x[20], x[23]);
1431 accum.mul_x2(x[21], x[22]);
1432 z[43] = accum.extract();
1433 accum.mul_x2(x[21], x[23]);
1434 accum.mul(x[22], x[22]);
1435 z[44] = accum.extract();
1436 accum.mul_x2(x[22], x[23]);
1437 z[45] = accum.extract();
1438 accum.mul(x[23], x[23]);
1439 z[46] = accum.extract();
1440 z[47] = accum.extract();
1441}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr().

◆ bigint_comba_sqr4()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr4 ( word z[8],
const word x[4] )

Definition at line 16 of file mp_comba.cpp.

16 {
17 word3<word> accum;
18
19 accum.mul(x[0], x[0]);
20 z[0] = accum.extract();
21 accum.mul_x2(x[0], x[1]);
22 z[1] = accum.extract();
23 accum.mul_x2(x[0], x[2]);
24 accum.mul(x[1], x[1]);
25 z[2] = accum.extract();
26 accum.mul_x2(x[0], x[3]);
27 accum.mul_x2(x[1], x[2]);
28 z[3] = accum.extract();
29 accum.mul_x2(x[1], x[3]);
30 accum.mul(x[2], x[2]);
31 z[4] = accum.extract();
32 accum.mul_x2(x[2], x[3]);
33 z[5] = accum.extract();
34 accum.mul(x[3], x[3]);
35 z[6] = accum.extract();
36 z[7] = accum.extract();
37}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr6()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr6 ( word z[12],
const word x[6] )

Definition at line 74 of file mp_comba.cpp.

74 {
75 word3<word> accum;
76
77 accum.mul(x[0], x[0]);
78 z[0] = accum.extract();
79 accum.mul_x2(x[0], x[1]);
80 z[1] = accum.extract();
81 accum.mul_x2(x[0], x[2]);
82 accum.mul(x[1], x[1]);
83 z[2] = accum.extract();
84 accum.mul_x2(x[0], x[3]);
85 accum.mul_x2(x[1], x[2]);
86 z[3] = accum.extract();
87 accum.mul_x2(x[0], x[4]);
88 accum.mul_x2(x[1], x[3]);
89 accum.mul(x[2], x[2]);
90 z[4] = accum.extract();
91 accum.mul_x2(x[0], x[5]);
92 accum.mul_x2(x[1], x[4]);
93 accum.mul_x2(x[2], x[3]);
94 z[5] = accum.extract();
95 accum.mul_x2(x[1], x[5]);
96 accum.mul_x2(x[2], x[4]);
97 accum.mul(x[3], x[3]);
98 z[6] = accum.extract();
99 accum.mul_x2(x[2], x[5]);
100 accum.mul_x2(x[3], x[4]);
101 z[7] = accum.extract();
102 accum.mul_x2(x[3], x[5]);
103 accum.mul(x[4], x[4]);
104 z[8] = accum.extract();
105 accum.mul_x2(x[4], x[5]);
106 z[9] = accum.extract();
107 accum.mul(x[5], x[5]);
108 z[10] = accum.extract();
109 z[11] = accum.extract();
110}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr7()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr7 ( word z[14],
const word x[7] )

Definition at line 171 of file mp_comba.cpp.

171 {
172 word3<word> accum;
173
174 accum.mul(x[0], x[0]);
175 z[0] = accum.extract();
176 accum.mul_x2(x[0], x[1]);
177 z[1] = accum.extract();
178 accum.mul_x2(x[0], x[2]);
179 accum.mul(x[1], x[1]);
180 z[2] = accum.extract();
181 accum.mul_x2(x[0], x[3]);
182 accum.mul_x2(x[1], x[2]);
183 z[3] = accum.extract();
184 accum.mul_x2(x[0], x[4]);
185 accum.mul_x2(x[1], x[3]);
186 accum.mul(x[2], x[2]);
187 z[4] = accum.extract();
188 accum.mul_x2(x[0], x[5]);
189 accum.mul_x2(x[1], x[4]);
190 accum.mul_x2(x[2], x[3]);
191 z[5] = accum.extract();
192 accum.mul_x2(x[0], x[6]);
193 accum.mul_x2(x[1], x[5]);
194 accum.mul_x2(x[2], x[4]);
195 accum.mul(x[3], x[3]);
196 z[6] = accum.extract();
197 accum.mul_x2(x[1], x[6]);
198 accum.mul_x2(x[2], x[5]);
199 accum.mul_x2(x[3], x[4]);
200 z[7] = accum.extract();
201 accum.mul_x2(x[2], x[6]);
202 accum.mul_x2(x[3], x[5]);
203 accum.mul(x[4], x[4]);
204 z[8] = accum.extract();
205 accum.mul_x2(x[3], x[6]);
206 accum.mul_x2(x[4], x[5]);
207 z[9] = accum.extract();
208 accum.mul_x2(x[4], x[6]);
209 accum.mul(x[5], x[5]);
210 z[10] = accum.extract();
211 accum.mul_x2(x[5], x[6]);
212 z[11] = accum.extract();
213 accum.mul(x[6], x[6]);
214 z[12] = accum.extract();
215 z[13] = accum.extract();
216}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by comba_sqr().

◆ bigint_comba_sqr8()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr8 ( word z[16],
const word x[8] )

Definition at line 292 of file mp_comba.cpp.

292 {
293 word3<word> accum;
294
295 accum.mul(x[0], x[0]);
296 z[0] = accum.extract();
297 accum.mul_x2(x[0], x[1]);
298 z[1] = accum.extract();
299 accum.mul_x2(x[0], x[2]);
300 accum.mul(x[1], x[1]);
301 z[2] = accum.extract();
302 accum.mul_x2(x[0], x[3]);
303 accum.mul_x2(x[1], x[2]);
304 z[3] = accum.extract();
305 accum.mul_x2(x[0], x[4]);
306 accum.mul_x2(x[1], x[3]);
307 accum.mul(x[2], x[2]);
308 z[4] = accum.extract();
309 accum.mul_x2(x[0], x[5]);
310 accum.mul_x2(x[1], x[4]);
311 accum.mul_x2(x[2], x[3]);
312 z[5] = accum.extract();
313 accum.mul_x2(x[0], x[6]);
314 accum.mul_x2(x[1], x[5]);
315 accum.mul_x2(x[2], x[4]);
316 accum.mul(x[3], x[3]);
317 z[6] = accum.extract();
318 accum.mul_x2(x[0], x[7]);
319 accum.mul_x2(x[1], x[6]);
320 accum.mul_x2(x[2], x[5]);
321 accum.mul_x2(x[3], x[4]);
322 z[7] = accum.extract();
323 accum.mul_x2(x[1], x[7]);
324 accum.mul_x2(x[2], x[6]);
325 accum.mul_x2(x[3], x[5]);
326 accum.mul(x[4], x[4]);
327 z[8] = accum.extract();
328 accum.mul_x2(x[2], x[7]);
329 accum.mul_x2(x[3], x[6]);
330 accum.mul_x2(x[4], x[5]);
331 z[9] = accum.extract();
332 accum.mul_x2(x[3], x[7]);
333 accum.mul_x2(x[4], x[6]);
334 accum.mul(x[5], x[5]);
335 z[10] = accum.extract();
336 accum.mul_x2(x[4], x[7]);
337 accum.mul_x2(x[5], x[6]);
338 z[11] = accum.extract();
339 accum.mul_x2(x[5], x[7]);
340 accum.mul(x[6], x[6]);
341 z[12] = accum.extract();
342 accum.mul_x2(x[6], x[7]);
343 z[13] = accum.extract();
344 accum.mul(x[7], x[7]);
345 z[14] = accum.extract();
346 z[15] = accum.extract();
347}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_comba_sqr9()

BOTAN_FUZZER_API void Botan::bigint_comba_sqr9 ( word z[18],
const word x[9] )

Definition at line 440 of file mp_comba.cpp.

440 {
441 word3<word> accum;
442
443 accum.mul(x[0], x[0]);
444 z[0] = accum.extract();
445 accum.mul_x2(x[0], x[1]);
446 z[1] = accum.extract();
447 accum.mul_x2(x[0], x[2]);
448 accum.mul(x[1], x[1]);
449 z[2] = accum.extract();
450 accum.mul_x2(x[0], x[3]);
451 accum.mul_x2(x[1], x[2]);
452 z[3] = accum.extract();
453 accum.mul_x2(x[0], x[4]);
454 accum.mul_x2(x[1], x[3]);
455 accum.mul(x[2], x[2]);
456 z[4] = accum.extract();
457 accum.mul_x2(x[0], x[5]);
458 accum.mul_x2(x[1], x[4]);
459 accum.mul_x2(x[2], x[3]);
460 z[5] = accum.extract();
461 accum.mul_x2(x[0], x[6]);
462 accum.mul_x2(x[1], x[5]);
463 accum.mul_x2(x[2], x[4]);
464 accum.mul(x[3], x[3]);
465 z[6] = accum.extract();
466 accum.mul_x2(x[0], x[7]);
467 accum.mul_x2(x[1], x[6]);
468 accum.mul_x2(x[2], x[5]);
469 accum.mul_x2(x[3], x[4]);
470 z[7] = accum.extract();
471 accum.mul_x2(x[0], x[8]);
472 accum.mul_x2(x[1], x[7]);
473 accum.mul_x2(x[2], x[6]);
474 accum.mul_x2(x[3], x[5]);
475 accum.mul(x[4], x[4]);
476 z[8] = accum.extract();
477 accum.mul_x2(x[1], x[8]);
478 accum.mul_x2(x[2], x[7]);
479 accum.mul_x2(x[3], x[6]);
480 accum.mul_x2(x[4], x[5]);
481 z[9] = accum.extract();
482 accum.mul_x2(x[2], x[8]);
483 accum.mul_x2(x[3], x[7]);
484 accum.mul_x2(x[4], x[6]);
485 accum.mul(x[5], x[5]);
486 z[10] = accum.extract();
487 accum.mul_x2(x[3], x[8]);
488 accum.mul_x2(x[4], x[7]);
489 accum.mul_x2(x[5], x[6]);
490 z[11] = accum.extract();
491 accum.mul_x2(x[4], x[8]);
492 accum.mul_x2(x[5], x[7]);
493 accum.mul(x[6], x[6]);
494 z[12] = accum.extract();
495 accum.mul_x2(x[5], x[8]);
496 accum.mul_x2(x[6], x[7]);
497 z[13] = accum.extract();
498 accum.mul_x2(x[6], x[8]);
499 accum.mul(x[7], x[7]);
500 z[14] = accum.extract();
501 accum.mul_x2(x[7], x[8]);
502 z[15] = accum.extract();
503 accum.mul(x[8], x[8]);
504 z[16] = accum.extract();
505 z[17] = accum.extract();
506}

References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().

Referenced by bigint_sqr(), and comba_sqr().

◆ bigint_ct_is_eq()

template<WordType W>
auto Botan::bigint_ct_is_eq ( const W x[],
size_t x_size,
const W y[],
size_t y_size ) -> CT::Mask<W>
inlineconstexpr

Definition at line 508 of file mp_core.h.

508 {
509 const size_t common_elems = std::min(x_size, y_size);
510
511 W diff = 0;
512
513 for(size_t i = 0; i != common_elems; i++) {
514 diff |= (x[i] ^ y[i]);
515 }
516
517 // If any bits were set in high part of x/y, then they are not equal
518 if(x_size < y_size) {
519 for(size_t i = x_size; i != y_size; i++) {
520 diff |= y[i];
521 }
522 } else if(y_size < x_size) {
523 for(size_t i = y_size; i != x_size; i++) {
524 diff |= x[i];
525 }
526 }
527
528 return CT::Mask<W>::is_zero(diff);
529}

References Botan::CT::Mask< T >::is_zero().

Referenced by Botan::BigInt::is_equal().

◆ bigint_ct_is_lt()

template<WordType W>
auto Botan::bigint_ct_is_lt ( const W x[],
size_t x_size,
const W y[],
size_t y_size,
bool lt_or_equal = false ) -> CT::Mask<W>
inlineconstexpr

Compare x and y Returns a Mask: |1| if x[0:x_size] < y[0:y_size] or |0| otherwise If lt_or_equal is true, returns |1| also for x == y

Definition at line 475 of file mp_core.h.

476 {
477 const size_t common_elems = std::min(x_size, y_size);
478
479 auto is_lt = CT::Mask<W>::expand(lt_or_equal);
480
481 for(size_t i = 0; i != common_elems; i++) {
482 const auto eq = CT::Mask<W>::is_equal(x[i], y[i]);
483 const auto lt = CT::Mask<W>::is_lt(x[i], y[i]);
484 is_lt = eq.select_mask(is_lt, lt);
485 }
486
487 if(x_size < y_size) {
488 W mask = 0;
489 for(size_t i = x_size; i != y_size; i++) {
490 mask |= y[i];
491 }
492 // If any bits were set in high part of y, then is_lt should be forced true
493 is_lt |= CT::Mask<W>::expand(mask);
494 } else if(y_size < x_size) {
495 W mask = 0;
496 for(size_t i = y_size; i != x_size; i++) {
497 mask |= x[i];
498 }
499
500 // If any bits were set in high part of x, then is_lt should be false
501 is_lt &= CT::Mask<W>::is_zero(mask);
502 }
503
504 return is_lt;
505}

References Botan::CT::Mask< T >::expand(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_zero().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::deserialize(), Botan::BigInt::is_less_than(), Botan::PCurve::GenericPrimeOrderCurve::mul2_vartime_x_mod_order_eq(), and Botan::PCurve::PrimeOrderCurveImpl< C >::mul2_vartime_x_mod_order_eq().

◆ bigint_divop_vartime()

template<WordType W>
auto Botan::bigint_divop_vartime ( W n1,
W n0,
W d ) -> W
inlineconstexpr

Compute ((n1<<bits) + n0) / d

Definition at line 535 of file mp_core.h.

535 {
536 BOTAN_ARG_CHECK(d != 0, "Division by zero");
537
538 if constexpr(WordInfo<W>::dword_is_native) {
539 typename WordInfo<W>::dword n = n1;
540 n <<= WordInfo<W>::bits;
541 n |= n0;
542 return static_cast<W>(n / d);
543 } else {
544 W high = n1 % d;
545 W quotient = 0;
546
547 for(size_t i = 0; i != WordInfo<W>::bits; ++i) {
548 const W high_top_bit = high >> (WordInfo<W>::bits - 1);
549
550 high <<= 1;
551 high |= (n0 >> (WordInfo<W>::bits - 1 - i)) & 1;
552 quotient <<= 1;
553
554 if(high_top_bit || high >= d) {
555 high -= d;
556 quotient |= 1;
557 }
558 }
559
560 return quotient;
561 }
562}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33

References BOTAN_ARG_CHECK.

Referenced by bigint_modop_vartime(), and vartime_divide().

◆ bigint_linmul2()

template<WordType W>
auto Botan::bigint_linmul2 ( W x[],
size_t x_size,
W y ) -> W
inlinenodiscardconstexpr

Definition at line 394 of file mp_core.h.

394 {
395 W carry = 0;
396
397 for(size_t i = 0; i != x_size; ++i) {
398 x[i] = word_madd2(x[i], y, &carry);
399 }
400
401 return carry;
402}
constexpr auto word_madd2(W a, W b, W *c) -> W
Definition mp_asmi.h:86

References carry(), and word_madd2().

Referenced by Botan::BigInt::operator*=().

◆ bigint_linmul3()

template<WordType W>
void Botan::bigint_linmul3 ( W z[],
const W x[],
size_t x_size,
W y )
inlineconstexpr

Definition at line 405 of file mp_core.h.

405 {
406 const size_t blocks = x_size - (x_size % 8);
407
408 W carry = 0;
409
410 for(size_t i = 0; i != blocks; i += 8) {
411 carry = word8_linmul3(z + i, x + i, y, carry);
412 }
413
414 for(size_t i = blocks; i != x_size; ++i) {
415 z[i] = word_madd2(x[i], y, &carry);
416 }
417
418 z[x_size] = carry;
419}
constexpr auto word8_linmul3(W z[8], const W x[8], W y, W carry) -> W
Definition mp_asmi.h:357

References carry(), word8_linmul3(), and word_madd2().

Referenced by bigint_mul(), bigint_sqr(), Botan::BigInt::mul(), operator*(), and operator*().

◆ bigint_modop_vartime()

template<WordType W>
auto Botan::bigint_modop_vartime ( W n1,
W n0,
W d ) -> W
inlineconstexpr

Compute ((n1<<bits) + n0) % d

Definition at line 568 of file mp_core.h.

568 {
569 BOTAN_ARG_CHECK(d != 0, "Division by zero");
570
571 W z = bigint_divop_vartime(n1, n0, d);
572 W carry = 0;
573 z = word_madd2(z, d, &carry);
574 return (n0 - z);
575}
constexpr auto bigint_divop_vartime(W n1, W n0, W d) -> W
Definition mp_core.h:535

References bigint_divop_vartime(), BOTAN_ARG_CHECK, carry(), and word_madd2().

Referenced by operator%(), and Botan::BigInt::operator%=().

◆ bigint_monty_maybe_sub() [1/2]

template<WordType W>
void Botan::bigint_monty_maybe_sub ( size_t N,
W z[],
W x0,
const W x[],
const W p[] )
inlineconstexpr

Conditional subtraction for Montgomery reduction

This function assumes that (x0 || x) is less than 2*p

Computes z[0:N] = (x0 || x[0:N]) - p[0:N]

If z would be positive, returns z[0:N] Otherwise returns original input x

Definition at line 227 of file mp_core.h.

227 {
228 W borrow = 0;
229
230 const size_t blocks = N - (N % 8);
231
232 for(size_t i = 0; i != blocks; i += 8) {
233 borrow = word8_sub3(z + i, x + i, p + i, borrow);
234 }
235
236 for(size_t i = blocks; i != N; ++i) {
237 z[i] = word_sub(x[i], p[i], &borrow);
238 }
239
240 borrow = (x0 - borrow) > x0;
241
242 CT::conditional_assign_mem(borrow, z, x, N);
243}
constexpr Mask< T > conditional_assign_mem(T cnd, T *dest, const T *src, size_t elems)
Definition ct_utils.h:777
constexpr auto word8_sub3(W z[8], const W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:331

References Botan::CT::conditional_assign_mem(), word8_sub3(), and word_sub().

Referenced by bigint_monty_redc_12(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), monty_redc(), monty_redc_pdash1(), Botan::IntMod< MontgomeryRep< ScalarParams > >::mul2(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator+, and Botan::Montgomery_Int::operator+().

◆ bigint_monty_maybe_sub() [2/2]

template<size_t N, WordType W>
void Botan::bigint_monty_maybe_sub ( W z[N],
W x0,
const W x[N],
const W y[N] )
inlineconstexpr

Conditional subtraction for Montgomery reduction

This function assumes that (x0 || x) is less than 2*p

Computes z[0:N] = (x0 || x[0:N]) - p[0:N]

If z would be positive, returns z[0:N] Otherwise returns original input x

Definition at line 256 of file mp_core.h.

256 {
257 W borrow = 0;
258
259 for(size_t i = 0; i != N; ++i) {
260 z[i] = word_sub(x[i], y[i], &borrow);
261 }
262
263 borrow = (x0 - borrow) > x0;
264
265 CT::conditional_assign_mem(borrow, z, x, N);
266}

References Botan::CT::conditional_assign_mem(), and word_sub().

◆ bigint_monty_redc()

void Botan::bigint_monty_redc ( word r[],
const word z[],
const word p[],
size_t p_size,
word p_dash,
word ws[],
size_t ws_size )
inline

Montgomery Reduction

Parameters
rresult of exactly p_size words
zinteger to reduce, of size exactly 2*p_size.
pmodulus
p_sizesize of p
p_dashMontgomery value
wsarray of at least p_size words
ws_sizesize of ws in words

It is allowed to set &r[0] == &z[0] however in this case note that only the first p_size words of r will be written to and the high p_size words of r/z will still hold the original inputs, these must be cleared after use. See bigint_monty_redc_inplace

Definition at line 804 of file mp_core.h.

805 {
806 const size_t z_size = 2 * p_size;
807
808 BOTAN_ARG_CHECK(ws_size >= p_size, "Montgomery reduction workspace too small");
809
810 if(p_size == 4) {
811 bigint_monty_redc_4(r, z, p, p_dash, ws);
812 } else if(p_size == 6) {
813 bigint_monty_redc_6(r, z, p, p_dash, ws);
814 } else if(p_size == 8) {
815 bigint_monty_redc_8(r, z, p, p_dash, ws);
816 } else if(p_size == 12) {
817 bigint_monty_redc_12(r, z, p, p_dash, ws);
818 } else if(p_size == 16) {
819 bigint_monty_redc_16(r, z, p, p_dash, ws);
820 } else if(p_size == 24) {
821 bigint_monty_redc_24(r, z, p, p_dash, ws);
822 } else if(p_size == 32) {
823 bigint_monty_redc_32(r, z, p, p_dash, ws);
824 } else {
825 bigint_monty_redc_generic(r, z, z_size, p, p_size, p_dash, ws);
826 }
827}
BOTAN_FUZZER_API void bigint_monty_redc_6(word r[6], const word z[12], const word p[6], word p_dash, word ws[6])
BOTAN_FUZZER_API void bigint_monty_redc_24(word r[24], const word z[48], const word p[24], word p_dash, word ws[24])
BOTAN_FUZZER_API void bigint_monty_redc_generic(word r[], const word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
Definition mp_monty.cpp:31
BOTAN_FUZZER_API void bigint_monty_redc_4(word r[4], const word z[8], const word p[4], word p_dash, word ws[4])
BOTAN_FUZZER_API void bigint_monty_redc_12(word r[12], const word z[24], const word p[12], word p_dash, word ws[12])
BOTAN_FUZZER_API void bigint_monty_redc_16(word r[16], const word z[32], const word p[16], word p_dash, word ws[16])
BOTAN_FUZZER_API void bigint_monty_redc_8(word r[8], const word z[16], const word p[8], word p_dash, word ws[8])
BOTAN_FUZZER_API void bigint_monty_redc_32(word r[32], const word z[64], const word p[32], word p_dash, word ws[32])

References bigint_monty_redc_12(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), and BOTAN_ARG_CHECK.

Referenced by bigint_monty_redc_inplace().

◆ bigint_monty_redc_12()

void Botan::bigint_monty_redc_12 ( word r[12],
const word z[24],
const word p[12],
word p_dash,
word ws[12] )

Definition at line 202 of file mp_monty_n.cpp.

202 {
203 word3<word> accum;
204 accum.add(z[0]);
205 ws[0] = accum.monty_step(p[0], p_dash);
206 accum.mul(ws[0], p[1]);
207 accum.add(z[1]);
208 ws[1] = accum.monty_step(p[0], p_dash);
209 accum.mul(ws[0], p[2]);
210 accum.mul(ws[1], p[1]);
211 accum.add(z[2]);
212 ws[2] = accum.monty_step(p[0], p_dash);
213 accum.mul(ws[0], p[3]);
214 accum.mul(ws[1], p[2]);
215 accum.mul(ws[2], p[1]);
216 accum.add(z[3]);
217 ws[3] = accum.monty_step(p[0], p_dash);
218 accum.mul(ws[0], p[4]);
219 accum.mul(ws[1], p[3]);
220 accum.mul(ws[2], p[2]);
221 accum.mul(ws[3], p[1]);
222 accum.add(z[4]);
223 ws[4] = accum.monty_step(p[0], p_dash);
224 accum.mul(ws[0], p[5]);
225 accum.mul(ws[1], p[4]);
226 accum.mul(ws[2], p[3]);
227 accum.mul(ws[3], p[2]);
228 accum.mul(ws[4], p[1]);
229 accum.add(z[5]);
230 ws[5] = accum.monty_step(p[0], p_dash);
231 accum.mul(ws[0], p[6]);
232 accum.mul(ws[1], p[5]);
233 accum.mul(ws[2], p[4]);
234 accum.mul(ws[3], p[3]);
235 accum.mul(ws[4], p[2]);
236 accum.mul(ws[5], p[1]);
237 accum.add(z[6]);
238 ws[6] = accum.monty_step(p[0], p_dash);
239 accum.mul(ws[0], p[7]);
240 accum.mul(ws[1], p[6]);
241 accum.mul(ws[2], p[5]);
242 accum.mul(ws[3], p[4]);
243 accum.mul(ws[4], p[3]);
244 accum.mul(ws[5], p[2]);
245 accum.mul(ws[6], p[1]);
246 accum.add(z[7]);
247 ws[7] = accum.monty_step(p[0], p_dash);
248 accum.mul(ws[0], p[8]);
249 accum.mul(ws[1], p[7]);
250 accum.mul(ws[2], p[6]);
251 accum.mul(ws[3], p[5]);
252 accum.mul(ws[4], p[4]);
253 accum.mul(ws[5], p[3]);
254 accum.mul(ws[6], p[2]);
255 accum.mul(ws[7], p[1]);
256 accum.add(z[8]);
257 ws[8] = accum.monty_step(p[0], p_dash);
258 accum.mul(ws[0], p[9]);
259 accum.mul(ws[1], p[8]);
260 accum.mul(ws[2], p[7]);
261 accum.mul(ws[3], p[6]);
262 accum.mul(ws[4], p[5]);
263 accum.mul(ws[5], p[4]);
264 accum.mul(ws[6], p[3]);
265 accum.mul(ws[7], p[2]);
266 accum.mul(ws[8], p[1]);
267 accum.add(z[9]);
268 ws[9] = accum.monty_step(p[0], p_dash);
269 accum.mul(ws[0], p[10]);
270 accum.mul(ws[1], p[9]);
271 accum.mul(ws[2], p[8]);
272 accum.mul(ws[3], p[7]);
273 accum.mul(ws[4], p[6]);
274 accum.mul(ws[5], p[5]);
275 accum.mul(ws[6], p[4]);
276 accum.mul(ws[7], p[3]);
277 accum.mul(ws[8], p[2]);
278 accum.mul(ws[9], p[1]);
279 accum.add(z[10]);
280 ws[10] = accum.monty_step(p[0], p_dash);
281 accum.mul(ws[0], p[11]);
282 accum.mul(ws[1], p[10]);
283 accum.mul(ws[2], p[9]);
284 accum.mul(ws[3], p[8]);
285 accum.mul(ws[4], p[7]);
286 accum.mul(ws[5], p[6]);
287 accum.mul(ws[6], p[5]);
288 accum.mul(ws[7], p[4]);
289 accum.mul(ws[8], p[3]);
290 accum.mul(ws[9], p[2]);
291 accum.mul(ws[10], p[1]);
292 accum.add(z[11]);
293 ws[11] = accum.monty_step(p[0], p_dash);
294 accum.mul(ws[1], p[11]);
295 accum.mul(ws[2], p[10]);
296 accum.mul(ws[3], p[9]);
297 accum.mul(ws[4], p[8]);
298 accum.mul(ws[5], p[7]);
299 accum.mul(ws[6], p[6]);
300 accum.mul(ws[7], p[5]);
301 accum.mul(ws[8], p[4]);
302 accum.mul(ws[9], p[3]);
303 accum.mul(ws[10], p[2]);
304 accum.mul(ws[11], p[1]);
305 accum.add(z[12]);
306 ws[0] = accum.extract();
307 accum.mul(ws[2], p[11]);
308 accum.mul(ws[3], p[10]);
309 accum.mul(ws[4], p[9]);
310 accum.mul(ws[5], p[8]);
311 accum.mul(ws[6], p[7]);
312 accum.mul(ws[7], p[6]);
313 accum.mul(ws[8], p[5]);
314 accum.mul(ws[9], p[4]);
315 accum.mul(ws[10], p[3]);
316 accum.mul(ws[11], p[2]);
317 accum.add(z[13]);
318 ws[1] = accum.extract();
319 accum.mul(ws[3], p[11]);
320 accum.mul(ws[4], p[10]);
321 accum.mul(ws[5], p[9]);
322 accum.mul(ws[6], p[8]);
323 accum.mul(ws[7], p[7]);
324 accum.mul(ws[8], p[6]);
325 accum.mul(ws[9], p[5]);
326 accum.mul(ws[10], p[4]);
327 accum.mul(ws[11], p[3]);
328 accum.add(z[14]);
329 ws[2] = accum.extract();
330 accum.mul(ws[4], p[11]);
331 accum.mul(ws[5], p[10]);
332 accum.mul(ws[6], p[9]);
333 accum.mul(ws[7], p[8]);
334 accum.mul(ws[8], p[7]);
335 accum.mul(ws[9], p[6]);
336 accum.mul(ws[10], p[5]);
337 accum.mul(ws[11], p[4]);
338 accum.add(z[15]);
339 ws[3] = accum.extract();
340 accum.mul(ws[5], p[11]);
341 accum.mul(ws[6], p[10]);
342 accum.mul(ws[7], p[9]);
343 accum.mul(ws[8], p[8]);
344 accum.mul(ws[9], p[7]);
345 accum.mul(ws[10], p[6]);
346 accum.mul(ws[11], p[5]);
347 accum.add(z[16]);
348 ws[4] = accum.extract();
349 accum.mul(ws[6], p[11]);
350 accum.mul(ws[7], p[10]);
351 accum.mul(ws[8], p[9]);
352 accum.mul(ws[9], p[8]);
353 accum.mul(ws[10], p[7]);
354 accum.mul(ws[11], p[6]);
355 accum.add(z[17]);
356 ws[5] = accum.extract();
357 accum.mul(ws[7], p[11]);
358 accum.mul(ws[8], p[10]);
359 accum.mul(ws[9], p[9]);
360 accum.mul(ws[10], p[8]);
361 accum.mul(ws[11], p[7]);
362 accum.add(z[18]);
363 ws[6] = accum.extract();
364 accum.mul(ws[8], p[11]);
365 accum.mul(ws[9], p[10]);
366 accum.mul(ws[10], p[9]);
367 accum.mul(ws[11], p[8]);
368 accum.add(z[19]);
369 ws[7] = accum.extract();
370 accum.mul(ws[9], p[11]);
371 accum.mul(ws[10], p[10]);
372 accum.mul(ws[11], p[9]);
373 accum.add(z[20]);
374 ws[8] = accum.extract();
375 accum.mul(ws[10], p[11]);
376 accum.mul(ws[11], p[10]);
377 accum.add(z[21]);
378 ws[9] = accum.extract();
379 accum.mul(ws[11], p[11]);
380 accum.add(z[22]);
381 ws[10] = accum.extract();
382 accum.add(z[23]);
383 ws[11] = accum.extract();
384 word w1 = accum.extract();
385 bigint_monty_maybe_sub<12>(r, w1, ws, p);
386}
constexpr void add(W x)
Definition mp_asmi.h:520
constexpr W monty_step(W p0, W p_dash)
Definition mp_asmi.h:537
constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], const W p[])
Definition mp_core.h:227

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc(), and monty_redc().

◆ bigint_monty_redc_16()

void Botan::bigint_monty_redc_16 ( word r[16],
const word z[32],
const word p[16],
word p_dash,
word ws[16] )

Definition at line 388 of file mp_monty_n.cpp.

388 {
389 word3<word> accum;
390 accum.add(z[0]);
391 ws[0] = accum.monty_step(p[0], p_dash);
392 accum.mul(ws[0], p[1]);
393 accum.add(z[1]);
394 ws[1] = accum.monty_step(p[0], p_dash);
395 accum.mul(ws[0], p[2]);
396 accum.mul(ws[1], p[1]);
397 accum.add(z[2]);
398 ws[2] = accum.monty_step(p[0], p_dash);
399 accum.mul(ws[0], p[3]);
400 accum.mul(ws[1], p[2]);
401 accum.mul(ws[2], p[1]);
402 accum.add(z[3]);
403 ws[3] = accum.monty_step(p[0], p_dash);
404 accum.mul(ws[0], p[4]);
405 accum.mul(ws[1], p[3]);
406 accum.mul(ws[2], p[2]);
407 accum.mul(ws[3], p[1]);
408 accum.add(z[4]);
409 ws[4] = accum.monty_step(p[0], p_dash);
410 accum.mul(ws[0], p[5]);
411 accum.mul(ws[1], p[4]);
412 accum.mul(ws[2], p[3]);
413 accum.mul(ws[3], p[2]);
414 accum.mul(ws[4], p[1]);
415 accum.add(z[5]);
416 ws[5] = accum.monty_step(p[0], p_dash);
417 accum.mul(ws[0], p[6]);
418 accum.mul(ws[1], p[5]);
419 accum.mul(ws[2], p[4]);
420 accum.mul(ws[3], p[3]);
421 accum.mul(ws[4], p[2]);
422 accum.mul(ws[5], p[1]);
423 accum.add(z[6]);
424 ws[6] = accum.monty_step(p[0], p_dash);
425 accum.mul(ws[0], p[7]);
426 accum.mul(ws[1], p[6]);
427 accum.mul(ws[2], p[5]);
428 accum.mul(ws[3], p[4]);
429 accum.mul(ws[4], p[3]);
430 accum.mul(ws[5], p[2]);
431 accum.mul(ws[6], p[1]);
432 accum.add(z[7]);
433 ws[7] = accum.monty_step(p[0], p_dash);
434 accum.mul(ws[0], p[8]);
435 accum.mul(ws[1], p[7]);
436 accum.mul(ws[2], p[6]);
437 accum.mul(ws[3], p[5]);
438 accum.mul(ws[4], p[4]);
439 accum.mul(ws[5], p[3]);
440 accum.mul(ws[6], p[2]);
441 accum.mul(ws[7], p[1]);
442 accum.add(z[8]);
443 ws[8] = accum.monty_step(p[0], p_dash);
444 accum.mul(ws[0], p[9]);
445 accum.mul(ws[1], p[8]);
446 accum.mul(ws[2], p[7]);
447 accum.mul(ws[3], p[6]);
448 accum.mul(ws[4], p[5]);
449 accum.mul(ws[5], p[4]);
450 accum.mul(ws[6], p[3]);
451 accum.mul(ws[7], p[2]);
452 accum.mul(ws[8], p[1]);
453 accum.add(z[9]);
454 ws[9] = accum.monty_step(p[0], p_dash);
455 accum.mul(ws[0], p[10]);
456 accum.mul(ws[1], p[9]);
457 accum.mul(ws[2], p[8]);
458 accum.mul(ws[3], p[7]);
459 accum.mul(ws[4], p[6]);
460 accum.mul(ws[5], p[5]);
461 accum.mul(ws[6], p[4]);
462 accum.mul(ws[7], p[3]);
463 accum.mul(ws[8], p[2]);
464 accum.mul(ws[9], p[1]);
465 accum.add(z[10]);
466 ws[10] = accum.monty_step(p[0], p_dash);
467 accum.mul(ws[0], p[11]);
468 accum.mul(ws[1], p[10]);
469 accum.mul(ws[2], p[9]);
470 accum.mul(ws[3], p[8]);
471 accum.mul(ws[4], p[7]);
472 accum.mul(ws[5], p[6]);
473 accum.mul(ws[6], p[5]);
474 accum.mul(ws[7], p[4]);
475 accum.mul(ws[8], p[3]);
476 accum.mul(ws[9], p[2]);
477 accum.mul(ws[10], p[1]);
478 accum.add(z[11]);
479 ws[11] = accum.monty_step(p[0], p_dash);
480 accum.mul(ws[0], p[12]);
481 accum.mul(ws[1], p[11]);
482 accum.mul(ws[2], p[10]);
483 accum.mul(ws[3], p[9]);
484 accum.mul(ws[4], p[8]);
485 accum.mul(ws[5], p[7]);
486 accum.mul(ws[6], p[6]);
487 accum.mul(ws[7], p[5]);
488 accum.mul(ws[8], p[4]);
489 accum.mul(ws[9], p[3]);
490 accum.mul(ws[10], p[2]);
491 accum.mul(ws[11], p[1]);
492 accum.add(z[12]);
493 ws[12] = accum.monty_step(p[0], p_dash);
494 accum.mul(ws[0], p[13]);
495 accum.mul(ws[1], p[12]);
496 accum.mul(ws[2], p[11]);
497 accum.mul(ws[3], p[10]);
498 accum.mul(ws[4], p[9]);
499 accum.mul(ws[5], p[8]);
500 accum.mul(ws[6], p[7]);
501 accum.mul(ws[7], p[6]);
502 accum.mul(ws[8], p[5]);
503 accum.mul(ws[9], p[4]);
504 accum.mul(ws[10], p[3]);
505 accum.mul(ws[11], p[2]);
506 accum.mul(ws[12], p[1]);
507 accum.add(z[13]);
508 ws[13] = accum.monty_step(p[0], p_dash);
509 accum.mul(ws[0], p[14]);
510 accum.mul(ws[1], p[13]);
511 accum.mul(ws[2], p[12]);
512 accum.mul(ws[3], p[11]);
513 accum.mul(ws[4], p[10]);
514 accum.mul(ws[5], p[9]);
515 accum.mul(ws[6], p[8]);
516 accum.mul(ws[7], p[7]);
517 accum.mul(ws[8], p[6]);
518 accum.mul(ws[9], p[5]);
519 accum.mul(ws[10], p[4]);
520 accum.mul(ws[11], p[3]);
521 accum.mul(ws[12], p[2]);
522 accum.mul(ws[13], p[1]);
523 accum.add(z[14]);
524 ws[14] = accum.monty_step(p[0], p_dash);
525 accum.mul(ws[0], p[15]);
526 accum.mul(ws[1], p[14]);
527 accum.mul(ws[2], p[13]);
528 accum.mul(ws[3], p[12]);
529 accum.mul(ws[4], p[11]);
530 accum.mul(ws[5], p[10]);
531 accum.mul(ws[6], p[9]);
532 accum.mul(ws[7], p[8]);
533 accum.mul(ws[8], p[7]);
534 accum.mul(ws[9], p[6]);
535 accum.mul(ws[10], p[5]);
536 accum.mul(ws[11], p[4]);
537 accum.mul(ws[12], p[3]);
538 accum.mul(ws[13], p[2]);
539 accum.mul(ws[14], p[1]);
540 accum.add(z[15]);
541 ws[15] = accum.monty_step(p[0], p_dash);
542 accum.mul(ws[1], p[15]);
543 accum.mul(ws[2], p[14]);
544 accum.mul(ws[3], p[13]);
545 accum.mul(ws[4], p[12]);
546 accum.mul(ws[5], p[11]);
547 accum.mul(ws[6], p[10]);
548 accum.mul(ws[7], p[9]);
549 accum.mul(ws[8], p[8]);
550 accum.mul(ws[9], p[7]);
551 accum.mul(ws[10], p[6]);
552 accum.mul(ws[11], p[5]);
553 accum.mul(ws[12], p[4]);
554 accum.mul(ws[13], p[3]);
555 accum.mul(ws[14], p[2]);
556 accum.mul(ws[15], p[1]);
557 accum.add(z[16]);
558 ws[0] = accum.extract();
559 accum.mul(ws[2], p[15]);
560 accum.mul(ws[3], p[14]);
561 accum.mul(ws[4], p[13]);
562 accum.mul(ws[5], p[12]);
563 accum.mul(ws[6], p[11]);
564 accum.mul(ws[7], p[10]);
565 accum.mul(ws[8], p[9]);
566 accum.mul(ws[9], p[8]);
567 accum.mul(ws[10], p[7]);
568 accum.mul(ws[11], p[6]);
569 accum.mul(ws[12], p[5]);
570 accum.mul(ws[13], p[4]);
571 accum.mul(ws[14], p[3]);
572 accum.mul(ws[15], p[2]);
573 accum.add(z[17]);
574 ws[1] = accum.extract();
575 accum.mul(ws[3], p[15]);
576 accum.mul(ws[4], p[14]);
577 accum.mul(ws[5], p[13]);
578 accum.mul(ws[6], p[12]);
579 accum.mul(ws[7], p[11]);
580 accum.mul(ws[8], p[10]);
581 accum.mul(ws[9], p[9]);
582 accum.mul(ws[10], p[8]);
583 accum.mul(ws[11], p[7]);
584 accum.mul(ws[12], p[6]);
585 accum.mul(ws[13], p[5]);
586 accum.mul(ws[14], p[4]);
587 accum.mul(ws[15], p[3]);
588 accum.add(z[18]);
589 ws[2] = accum.extract();
590 accum.mul(ws[4], p[15]);
591 accum.mul(ws[5], p[14]);
592 accum.mul(ws[6], p[13]);
593 accum.mul(ws[7], p[12]);
594 accum.mul(ws[8], p[11]);
595 accum.mul(ws[9], p[10]);
596 accum.mul(ws[10], p[9]);
597 accum.mul(ws[11], p[8]);
598 accum.mul(ws[12], p[7]);
599 accum.mul(ws[13], p[6]);
600 accum.mul(ws[14], p[5]);
601 accum.mul(ws[15], p[4]);
602 accum.add(z[19]);
603 ws[3] = accum.extract();
604 accum.mul(ws[5], p[15]);
605 accum.mul(ws[6], p[14]);
606 accum.mul(ws[7], p[13]);
607 accum.mul(ws[8], p[12]);
608 accum.mul(ws[9], p[11]);
609 accum.mul(ws[10], p[10]);
610 accum.mul(ws[11], p[9]);
611 accum.mul(ws[12], p[8]);
612 accum.mul(ws[13], p[7]);
613 accum.mul(ws[14], p[6]);
614 accum.mul(ws[15], p[5]);
615 accum.add(z[20]);
616 ws[4] = accum.extract();
617 accum.mul(ws[6], p[15]);
618 accum.mul(ws[7], p[14]);
619 accum.mul(ws[8], p[13]);
620 accum.mul(ws[9], p[12]);
621 accum.mul(ws[10], p[11]);
622 accum.mul(ws[11], p[10]);
623 accum.mul(ws[12], p[9]);
624 accum.mul(ws[13], p[8]);
625 accum.mul(ws[14], p[7]);
626 accum.mul(ws[15], p[6]);
627 accum.add(z[21]);
628 ws[5] = accum.extract();
629 accum.mul(ws[7], p[15]);
630 accum.mul(ws[8], p[14]);
631 accum.mul(ws[9], p[13]);
632 accum.mul(ws[10], p[12]);
633 accum.mul(ws[11], p[11]);
634 accum.mul(ws[12], p[10]);
635 accum.mul(ws[13], p[9]);
636 accum.mul(ws[14], p[8]);
637 accum.mul(ws[15], p[7]);
638 accum.add(z[22]);
639 ws[6] = accum.extract();
640 accum.mul(ws[8], p[15]);
641 accum.mul(ws[9], p[14]);
642 accum.mul(ws[10], p[13]);
643 accum.mul(ws[11], p[12]);
644 accum.mul(ws[12], p[11]);
645 accum.mul(ws[13], p[10]);
646 accum.mul(ws[14], p[9]);
647 accum.mul(ws[15], p[8]);
648 accum.add(z[23]);
649 ws[7] = accum.extract();
650 accum.mul(ws[9], p[15]);
651 accum.mul(ws[10], p[14]);
652 accum.mul(ws[11], p[13]);
653 accum.mul(ws[12], p[12]);
654 accum.mul(ws[13], p[11]);
655 accum.mul(ws[14], p[10]);
656 accum.mul(ws[15], p[9]);
657 accum.add(z[24]);
658 ws[8] = accum.extract();
659 accum.mul(ws[10], p[15]);
660 accum.mul(ws[11], p[14]);
661 accum.mul(ws[12], p[13]);
662 accum.mul(ws[13], p[12]);
663 accum.mul(ws[14], p[11]);
664 accum.mul(ws[15], p[10]);
665 accum.add(z[25]);
666 ws[9] = accum.extract();
667 accum.mul(ws[11], p[15]);
668 accum.mul(ws[12], p[14]);
669 accum.mul(ws[13], p[13]);
670 accum.mul(ws[14], p[12]);
671 accum.mul(ws[15], p[11]);
672 accum.add(z[26]);
673 ws[10] = accum.extract();
674 accum.mul(ws[12], p[15]);
675 accum.mul(ws[13], p[14]);
676 accum.mul(ws[14], p[13]);
677 accum.mul(ws[15], p[12]);
678 accum.add(z[27]);
679 ws[11] = accum.extract();
680 accum.mul(ws[13], p[15]);
681 accum.mul(ws[14], p[14]);
682 accum.mul(ws[15], p[13]);
683 accum.add(z[28]);
684 ws[12] = accum.extract();
685 accum.mul(ws[14], p[15]);
686 accum.mul(ws[15], p[14]);
687 accum.add(z[29]);
688 ws[13] = accum.extract();
689 accum.mul(ws[15], p[15]);
690 accum.add(z[30]);
691 ws[14] = accum.extract();
692 accum.add(z[31]);
693 ws[15] = accum.extract();
694 word w1 = accum.extract();
695 bigint_monty_maybe_sub<16>(r, w1, ws, p);
696}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc(), and monty_redc().

◆ bigint_monty_redc_24()

void Botan::bigint_monty_redc_24 ( word r[24],
const word z[48],
const word p[24],
word p_dash,
word ws[24] )

Definition at line 698 of file mp_monty_n.cpp.

698 {
699 word3<word> accum;
700 accum.add(z[0]);
701 ws[0] = accum.monty_step(p[0], p_dash);
702 accum.mul(ws[0], p[1]);
703 accum.add(z[1]);
704 ws[1] = accum.monty_step(p[0], p_dash);
705 accum.mul(ws[0], p[2]);
706 accum.mul(ws[1], p[1]);
707 accum.add(z[2]);
708 ws[2] = accum.monty_step(p[0], p_dash);
709 accum.mul(ws[0], p[3]);
710 accum.mul(ws[1], p[2]);
711 accum.mul(ws[2], p[1]);
712 accum.add(z[3]);
713 ws[3] = accum.monty_step(p[0], p_dash);
714 accum.mul(ws[0], p[4]);
715 accum.mul(ws[1], p[3]);
716 accum.mul(ws[2], p[2]);
717 accum.mul(ws[3], p[1]);
718 accum.add(z[4]);
719 ws[4] = accum.monty_step(p[0], p_dash);
720 accum.mul(ws[0], p[5]);
721 accum.mul(ws[1], p[4]);
722 accum.mul(ws[2], p[3]);
723 accum.mul(ws[3], p[2]);
724 accum.mul(ws[4], p[1]);
725 accum.add(z[5]);
726 ws[5] = accum.monty_step(p[0], p_dash);
727 accum.mul(ws[0], p[6]);
728 accum.mul(ws[1], p[5]);
729 accum.mul(ws[2], p[4]);
730 accum.mul(ws[3], p[3]);
731 accum.mul(ws[4], p[2]);
732 accum.mul(ws[5], p[1]);
733 accum.add(z[6]);
734 ws[6] = accum.monty_step(p[0], p_dash);
735 accum.mul(ws[0], p[7]);
736 accum.mul(ws[1], p[6]);
737 accum.mul(ws[2], p[5]);
738 accum.mul(ws[3], p[4]);
739 accum.mul(ws[4], p[3]);
740 accum.mul(ws[5], p[2]);
741 accum.mul(ws[6], p[1]);
742 accum.add(z[7]);
743 ws[7] = accum.monty_step(p[0], p_dash);
744 accum.mul(ws[0], p[8]);
745 accum.mul(ws[1], p[7]);
746 accum.mul(ws[2], p[6]);
747 accum.mul(ws[3], p[5]);
748 accum.mul(ws[4], p[4]);
749 accum.mul(ws[5], p[3]);
750 accum.mul(ws[6], p[2]);
751 accum.mul(ws[7], p[1]);
752 accum.add(z[8]);
753 ws[8] = accum.monty_step(p[0], p_dash);
754 accum.mul(ws[0], p[9]);
755 accum.mul(ws[1], p[8]);
756 accum.mul(ws[2], p[7]);
757 accum.mul(ws[3], p[6]);
758 accum.mul(ws[4], p[5]);
759 accum.mul(ws[5], p[4]);
760 accum.mul(ws[6], p[3]);
761 accum.mul(ws[7], p[2]);
762 accum.mul(ws[8], p[1]);
763 accum.add(z[9]);
764 ws[9] = accum.monty_step(p[0], p_dash);
765 accum.mul(ws[0], p[10]);
766 accum.mul(ws[1], p[9]);
767 accum.mul(ws[2], p[8]);
768 accum.mul(ws[3], p[7]);
769 accum.mul(ws[4], p[6]);
770 accum.mul(ws[5], p[5]);
771 accum.mul(ws[6], p[4]);
772 accum.mul(ws[7], p[3]);
773 accum.mul(ws[8], p[2]);
774 accum.mul(ws[9], p[1]);
775 accum.add(z[10]);
776 ws[10] = accum.monty_step(p[0], p_dash);
777 accum.mul(ws[0], p[11]);
778 accum.mul(ws[1], p[10]);
779 accum.mul(ws[2], p[9]);
780 accum.mul(ws[3], p[8]);
781 accum.mul(ws[4], p[7]);
782 accum.mul(ws[5], p[6]);
783 accum.mul(ws[6], p[5]);
784 accum.mul(ws[7], p[4]);
785 accum.mul(ws[8], p[3]);
786 accum.mul(ws[9], p[2]);
787 accum.mul(ws[10], p[1]);
788 accum.add(z[11]);
789 ws[11] = accum.monty_step(p[0], p_dash);
790 accum.mul(ws[0], p[12]);
791 accum.mul(ws[1], p[11]);
792 accum.mul(ws[2], p[10]);
793 accum.mul(ws[3], p[9]);
794 accum.mul(ws[4], p[8]);
795 accum.mul(ws[5], p[7]);
796 accum.mul(ws[6], p[6]);
797 accum.mul(ws[7], p[5]);
798 accum.mul(ws[8], p[4]);
799 accum.mul(ws[9], p[3]);
800 accum.mul(ws[10], p[2]);
801 accum.mul(ws[11], p[1]);
802 accum.add(z[12]);
803 ws[12] = accum.monty_step(p[0], p_dash);
804 accum.mul(ws[0], p[13]);
805 accum.mul(ws[1], p[12]);
806 accum.mul(ws[2], p[11]);
807 accum.mul(ws[3], p[10]);
808 accum.mul(ws[4], p[9]);
809 accum.mul(ws[5], p[8]);
810 accum.mul(ws[6], p[7]);
811 accum.mul(ws[7], p[6]);
812 accum.mul(ws[8], p[5]);
813 accum.mul(ws[9], p[4]);
814 accum.mul(ws[10], p[3]);
815 accum.mul(ws[11], p[2]);
816 accum.mul(ws[12], p[1]);
817 accum.add(z[13]);
818 ws[13] = accum.monty_step(p[0], p_dash);
819 accum.mul(ws[0], p[14]);
820 accum.mul(ws[1], p[13]);
821 accum.mul(ws[2], p[12]);
822 accum.mul(ws[3], p[11]);
823 accum.mul(ws[4], p[10]);
824 accum.mul(ws[5], p[9]);
825 accum.mul(ws[6], p[8]);
826 accum.mul(ws[7], p[7]);
827 accum.mul(ws[8], p[6]);
828 accum.mul(ws[9], p[5]);
829 accum.mul(ws[10], p[4]);
830 accum.mul(ws[11], p[3]);
831 accum.mul(ws[12], p[2]);
832 accum.mul(ws[13], p[1]);
833 accum.add(z[14]);
834 ws[14] = accum.monty_step(p[0], p_dash);
835 accum.mul(ws[0], p[15]);
836 accum.mul(ws[1], p[14]);
837 accum.mul(ws[2], p[13]);
838 accum.mul(ws[3], p[12]);
839 accum.mul(ws[4], p[11]);
840 accum.mul(ws[5], p[10]);
841 accum.mul(ws[6], p[9]);
842 accum.mul(ws[7], p[8]);
843 accum.mul(ws[8], p[7]);
844 accum.mul(ws[9], p[6]);
845 accum.mul(ws[10], p[5]);
846 accum.mul(ws[11], p[4]);
847 accum.mul(ws[12], p[3]);
848 accum.mul(ws[13], p[2]);
849 accum.mul(ws[14], p[1]);
850 accum.add(z[15]);
851 ws[15] = accum.monty_step(p[0], p_dash);
852 accum.mul(ws[0], p[16]);
853 accum.mul(ws[1], p[15]);
854 accum.mul(ws[2], p[14]);
855 accum.mul(ws[3], p[13]);
856 accum.mul(ws[4], p[12]);
857 accum.mul(ws[5], p[11]);
858 accum.mul(ws[6], p[10]);
859 accum.mul(ws[7], p[9]);
860 accum.mul(ws[8], p[8]);
861 accum.mul(ws[9], p[7]);
862 accum.mul(ws[10], p[6]);
863 accum.mul(ws[11], p[5]);
864 accum.mul(ws[12], p[4]);
865 accum.mul(ws[13], p[3]);
866 accum.mul(ws[14], p[2]);
867 accum.mul(ws[15], p[1]);
868 accum.add(z[16]);
869 ws[16] = accum.monty_step(p[0], p_dash);
870 accum.mul(ws[0], p[17]);
871 accum.mul(ws[1], p[16]);
872 accum.mul(ws[2], p[15]);
873 accum.mul(ws[3], p[14]);
874 accum.mul(ws[4], p[13]);
875 accum.mul(ws[5], p[12]);
876 accum.mul(ws[6], p[11]);
877 accum.mul(ws[7], p[10]);
878 accum.mul(ws[8], p[9]);
879 accum.mul(ws[9], p[8]);
880 accum.mul(ws[10], p[7]);
881 accum.mul(ws[11], p[6]);
882 accum.mul(ws[12], p[5]);
883 accum.mul(ws[13], p[4]);
884 accum.mul(ws[14], p[3]);
885 accum.mul(ws[15], p[2]);
886 accum.mul(ws[16], p[1]);
887 accum.add(z[17]);
888 ws[17] = accum.monty_step(p[0], p_dash);
889 accum.mul(ws[0], p[18]);
890 accum.mul(ws[1], p[17]);
891 accum.mul(ws[2], p[16]);
892 accum.mul(ws[3], p[15]);
893 accum.mul(ws[4], p[14]);
894 accum.mul(ws[5], p[13]);
895 accum.mul(ws[6], p[12]);
896 accum.mul(ws[7], p[11]);
897 accum.mul(ws[8], p[10]);
898 accum.mul(ws[9], p[9]);
899 accum.mul(ws[10], p[8]);
900 accum.mul(ws[11], p[7]);
901 accum.mul(ws[12], p[6]);
902 accum.mul(ws[13], p[5]);
903 accum.mul(ws[14], p[4]);
904 accum.mul(ws[15], p[3]);
905 accum.mul(ws[16], p[2]);
906 accum.mul(ws[17], p[1]);
907 accum.add(z[18]);
908 ws[18] = accum.monty_step(p[0], p_dash);
909 accum.mul(ws[0], p[19]);
910 accum.mul(ws[1], p[18]);
911 accum.mul(ws[2], p[17]);
912 accum.mul(ws[3], p[16]);
913 accum.mul(ws[4], p[15]);
914 accum.mul(ws[5], p[14]);
915 accum.mul(ws[6], p[13]);
916 accum.mul(ws[7], p[12]);
917 accum.mul(ws[8], p[11]);
918 accum.mul(ws[9], p[10]);
919 accum.mul(ws[10], p[9]);
920 accum.mul(ws[11], p[8]);
921 accum.mul(ws[12], p[7]);
922 accum.mul(ws[13], p[6]);
923 accum.mul(ws[14], p[5]);
924 accum.mul(ws[15], p[4]);
925 accum.mul(ws[16], p[3]);
926 accum.mul(ws[17], p[2]);
927 accum.mul(ws[18], p[1]);
928 accum.add(z[19]);
929 ws[19] = accum.monty_step(p[0], p_dash);
930 accum.mul(ws[0], p[20]);
931 accum.mul(ws[1], p[19]);
932 accum.mul(ws[2], p[18]);
933 accum.mul(ws[3], p[17]);
934 accum.mul(ws[4], p[16]);
935 accum.mul(ws[5], p[15]);
936 accum.mul(ws[6], p[14]);
937 accum.mul(ws[7], p[13]);
938 accum.mul(ws[8], p[12]);
939 accum.mul(ws[9], p[11]);
940 accum.mul(ws[10], p[10]);
941 accum.mul(ws[11], p[9]);
942 accum.mul(ws[12], p[8]);
943 accum.mul(ws[13], p[7]);
944 accum.mul(ws[14], p[6]);
945 accum.mul(ws[15], p[5]);
946 accum.mul(ws[16], p[4]);
947 accum.mul(ws[17], p[3]);
948 accum.mul(ws[18], p[2]);
949 accum.mul(ws[19], p[1]);
950 accum.add(z[20]);
951 ws[20] = accum.monty_step(p[0], p_dash);
952 accum.mul(ws[0], p[21]);
953 accum.mul(ws[1], p[20]);
954 accum.mul(ws[2], p[19]);
955 accum.mul(ws[3], p[18]);
956 accum.mul(ws[4], p[17]);
957 accum.mul(ws[5], p[16]);
958 accum.mul(ws[6], p[15]);
959 accum.mul(ws[7], p[14]);
960 accum.mul(ws[8], p[13]);
961 accum.mul(ws[9], p[12]);
962 accum.mul(ws[10], p[11]);
963 accum.mul(ws[11], p[10]);
964 accum.mul(ws[12], p[9]);
965 accum.mul(ws[13], p[8]);
966 accum.mul(ws[14], p[7]);
967 accum.mul(ws[15], p[6]);
968 accum.mul(ws[16], p[5]);
969 accum.mul(ws[17], p[4]);
970 accum.mul(ws[18], p[3]);
971 accum.mul(ws[19], p[2]);
972 accum.mul(ws[20], p[1]);
973 accum.add(z[21]);
974 ws[21] = accum.monty_step(p[0], p_dash);
975 accum.mul(ws[0], p[22]);
976 accum.mul(ws[1], p[21]);
977 accum.mul(ws[2], p[20]);
978 accum.mul(ws[3], p[19]);
979 accum.mul(ws[4], p[18]);
980 accum.mul(ws[5], p[17]);
981 accum.mul(ws[6], p[16]);
982 accum.mul(ws[7], p[15]);
983 accum.mul(ws[8], p[14]);
984 accum.mul(ws[9], p[13]);
985 accum.mul(ws[10], p[12]);
986 accum.mul(ws[11], p[11]);
987 accum.mul(ws[12], p[10]);
988 accum.mul(ws[13], p[9]);
989 accum.mul(ws[14], p[8]);
990 accum.mul(ws[15], p[7]);
991 accum.mul(ws[16], p[6]);
992 accum.mul(ws[17], p[5]);
993 accum.mul(ws[18], p[4]);
994 accum.mul(ws[19], p[3]);
995 accum.mul(ws[20], p[2]);
996 accum.mul(ws[21], p[1]);
997 accum.add(z[22]);
998 ws[22] = accum.monty_step(p[0], p_dash);
999 accum.mul(ws[0], p[23]);
1000 accum.mul(ws[1], p[22]);
1001 accum.mul(ws[2], p[21]);
1002 accum.mul(ws[3], p[20]);
1003 accum.mul(ws[4], p[19]);
1004 accum.mul(ws[5], p[18]);
1005 accum.mul(ws[6], p[17]);
1006 accum.mul(ws[7], p[16]);
1007 accum.mul(ws[8], p[15]);
1008 accum.mul(ws[9], p[14]);
1009 accum.mul(ws[10], p[13]);
1010 accum.mul(ws[11], p[12]);
1011 accum.mul(ws[12], p[11]);
1012 accum.mul(ws[13], p[10]);
1013 accum.mul(ws[14], p[9]);
1014 accum.mul(ws[15], p[8]);
1015 accum.mul(ws[16], p[7]);
1016 accum.mul(ws[17], p[6]);
1017 accum.mul(ws[18], p[5]);
1018 accum.mul(ws[19], p[4]);
1019 accum.mul(ws[20], p[3]);
1020 accum.mul(ws[21], p[2]);
1021 accum.mul(ws[22], p[1]);
1022 accum.add(z[23]);
1023 ws[23] = accum.monty_step(p[0], p_dash);
1024 accum.mul(ws[1], p[23]);
1025 accum.mul(ws[2], p[22]);
1026 accum.mul(ws[3], p[21]);
1027 accum.mul(ws[4], p[20]);
1028 accum.mul(ws[5], p[19]);
1029 accum.mul(ws[6], p[18]);
1030 accum.mul(ws[7], p[17]);
1031 accum.mul(ws[8], p[16]);
1032 accum.mul(ws[9], p[15]);
1033 accum.mul(ws[10], p[14]);
1034 accum.mul(ws[11], p[13]);
1035 accum.mul(ws[12], p[12]);
1036 accum.mul(ws[13], p[11]);
1037 accum.mul(ws[14], p[10]);
1038 accum.mul(ws[15], p[9]);
1039 accum.mul(ws[16], p[8]);
1040 accum.mul(ws[17], p[7]);
1041 accum.mul(ws[18], p[6]);
1042 accum.mul(ws[19], p[5]);
1043 accum.mul(ws[20], p[4]);
1044 accum.mul(ws[21], p[3]);
1045 accum.mul(ws[22], p[2]);
1046 accum.mul(ws[23], p[1]);
1047 accum.add(z[24]);
1048 ws[0] = accum.extract();
1049 accum.mul(ws[2], p[23]);
1050 accum.mul(ws[3], p[22]);
1051 accum.mul(ws[4], p[21]);
1052 accum.mul(ws[5], p[20]);
1053 accum.mul(ws[6], p[19]);
1054 accum.mul(ws[7], p[18]);
1055 accum.mul(ws[8], p[17]);
1056 accum.mul(ws[9], p[16]);
1057 accum.mul(ws[10], p[15]);
1058 accum.mul(ws[11], p[14]);
1059 accum.mul(ws[12], p[13]);
1060 accum.mul(ws[13], p[12]);
1061 accum.mul(ws[14], p[11]);
1062 accum.mul(ws[15], p[10]);
1063 accum.mul(ws[16], p[9]);
1064 accum.mul(ws[17], p[8]);
1065 accum.mul(ws[18], p[7]);
1066 accum.mul(ws[19], p[6]);
1067 accum.mul(ws[20], p[5]);
1068 accum.mul(ws[21], p[4]);
1069 accum.mul(ws[22], p[3]);
1070 accum.mul(ws[23], p[2]);
1071 accum.add(z[25]);
1072 ws[1] = accum.extract();
1073 accum.mul(ws[3], p[23]);
1074 accum.mul(ws[4], p[22]);
1075 accum.mul(ws[5], p[21]);
1076 accum.mul(ws[6], p[20]);
1077 accum.mul(ws[7], p[19]);
1078 accum.mul(ws[8], p[18]);
1079 accum.mul(ws[9], p[17]);
1080 accum.mul(ws[10], p[16]);
1081 accum.mul(ws[11], p[15]);
1082 accum.mul(ws[12], p[14]);
1083 accum.mul(ws[13], p[13]);
1084 accum.mul(ws[14], p[12]);
1085 accum.mul(ws[15], p[11]);
1086 accum.mul(ws[16], p[10]);
1087 accum.mul(ws[17], p[9]);
1088 accum.mul(ws[18], p[8]);
1089 accum.mul(ws[19], p[7]);
1090 accum.mul(ws[20], p[6]);
1091 accum.mul(ws[21], p[5]);
1092 accum.mul(ws[22], p[4]);
1093 accum.mul(ws[23], p[3]);
1094 accum.add(z[26]);
1095 ws[2] = accum.extract();
1096 accum.mul(ws[4], p[23]);
1097 accum.mul(ws[5], p[22]);
1098 accum.mul(ws[6], p[21]);
1099 accum.mul(ws[7], p[20]);
1100 accum.mul(ws[8], p[19]);
1101 accum.mul(ws[9], p[18]);
1102 accum.mul(ws[10], p[17]);
1103 accum.mul(ws[11], p[16]);
1104 accum.mul(ws[12], p[15]);
1105 accum.mul(ws[13], p[14]);
1106 accum.mul(ws[14], p[13]);
1107 accum.mul(ws[15], p[12]);
1108 accum.mul(ws[16], p[11]);
1109 accum.mul(ws[17], p[10]);
1110 accum.mul(ws[18], p[9]);
1111 accum.mul(ws[19], p[8]);
1112 accum.mul(ws[20], p[7]);
1113 accum.mul(ws[21], p[6]);
1114 accum.mul(ws[22], p[5]);
1115 accum.mul(ws[23], p[4]);
1116 accum.add(z[27]);
1117 ws[3] = accum.extract();
1118 accum.mul(ws[5], p[23]);
1119 accum.mul(ws[6], p[22]);
1120 accum.mul(ws[7], p[21]);
1121 accum.mul(ws[8], p[20]);
1122 accum.mul(ws[9], p[19]);
1123 accum.mul(ws[10], p[18]);
1124 accum.mul(ws[11], p[17]);
1125 accum.mul(ws[12], p[16]);
1126 accum.mul(ws[13], p[15]);
1127 accum.mul(ws[14], p[14]);
1128 accum.mul(ws[15], p[13]);
1129 accum.mul(ws[16], p[12]);
1130 accum.mul(ws[17], p[11]);
1131 accum.mul(ws[18], p[10]);
1132 accum.mul(ws[19], p[9]);
1133 accum.mul(ws[20], p[8]);
1134 accum.mul(ws[21], p[7]);
1135 accum.mul(ws[22], p[6]);
1136 accum.mul(ws[23], p[5]);
1137 accum.add(z[28]);
1138 ws[4] = accum.extract();
1139 accum.mul(ws[6], p[23]);
1140 accum.mul(ws[7], p[22]);
1141 accum.mul(ws[8], p[21]);
1142 accum.mul(ws[9], p[20]);
1143 accum.mul(ws[10], p[19]);
1144 accum.mul(ws[11], p[18]);
1145 accum.mul(ws[12], p[17]);
1146 accum.mul(ws[13], p[16]);
1147 accum.mul(ws[14], p[15]);
1148 accum.mul(ws[15], p[14]);
1149 accum.mul(ws[16], p[13]);
1150 accum.mul(ws[17], p[12]);
1151 accum.mul(ws[18], p[11]);
1152 accum.mul(ws[19], p[10]);
1153 accum.mul(ws[20], p[9]);
1154 accum.mul(ws[21], p[8]);
1155 accum.mul(ws[22], p[7]);
1156 accum.mul(ws[23], p[6]);
1157 accum.add(z[29]);
1158 ws[5] = accum.extract();
1159 accum.mul(ws[7], p[23]);
1160 accum.mul(ws[8], p[22]);
1161 accum.mul(ws[9], p[21]);
1162 accum.mul(ws[10], p[20]);
1163 accum.mul(ws[11], p[19]);
1164 accum.mul(ws[12], p[18]);
1165 accum.mul(ws[13], p[17]);
1166 accum.mul(ws[14], p[16]);
1167 accum.mul(ws[15], p[15]);
1168 accum.mul(ws[16], p[14]);
1169 accum.mul(ws[17], p[13]);
1170 accum.mul(ws[18], p[12]);
1171 accum.mul(ws[19], p[11]);
1172 accum.mul(ws[20], p[10]);
1173 accum.mul(ws[21], p[9]);
1174 accum.mul(ws[22], p[8]);
1175 accum.mul(ws[23], p[7]);
1176 accum.add(z[30]);
1177 ws[6] = accum.extract();
1178 accum.mul(ws[8], p[23]);
1179 accum.mul(ws[9], p[22]);
1180 accum.mul(ws[10], p[21]);
1181 accum.mul(ws[11], p[20]);
1182 accum.mul(ws[12], p[19]);
1183 accum.mul(ws[13], p[18]);
1184 accum.mul(ws[14], p[17]);
1185 accum.mul(ws[15], p[16]);
1186 accum.mul(ws[16], p[15]);
1187 accum.mul(ws[17], p[14]);
1188 accum.mul(ws[18], p[13]);
1189 accum.mul(ws[19], p[12]);
1190 accum.mul(ws[20], p[11]);
1191 accum.mul(ws[21], p[10]);
1192 accum.mul(ws[22], p[9]);
1193 accum.mul(ws[23], p[8]);
1194 accum.add(z[31]);
1195 ws[7] = accum.extract();
1196 accum.mul(ws[9], p[23]);
1197 accum.mul(ws[10], p[22]);
1198 accum.mul(ws[11], p[21]);
1199 accum.mul(ws[12], p[20]);
1200 accum.mul(ws[13], p[19]);
1201 accum.mul(ws[14], p[18]);
1202 accum.mul(ws[15], p[17]);
1203 accum.mul(ws[16], p[16]);
1204 accum.mul(ws[17], p[15]);
1205 accum.mul(ws[18], p[14]);
1206 accum.mul(ws[19], p[13]);
1207 accum.mul(ws[20], p[12]);
1208 accum.mul(ws[21], p[11]);
1209 accum.mul(ws[22], p[10]);
1210 accum.mul(ws[23], p[9]);
1211 accum.add(z[32]);
1212 ws[8] = accum.extract();
1213 accum.mul(ws[10], p[23]);
1214 accum.mul(ws[11], p[22]);
1215 accum.mul(ws[12], p[21]);
1216 accum.mul(ws[13], p[20]);
1217 accum.mul(ws[14], p[19]);
1218 accum.mul(ws[15], p[18]);
1219 accum.mul(ws[16], p[17]);
1220 accum.mul(ws[17], p[16]);
1221 accum.mul(ws[18], p[15]);
1222 accum.mul(ws[19], p[14]);
1223 accum.mul(ws[20], p[13]);
1224 accum.mul(ws[21], p[12]);
1225 accum.mul(ws[22], p[11]);
1226 accum.mul(ws[23], p[10]);
1227 accum.add(z[33]);
1228 ws[9] = accum.extract();
1229 accum.mul(ws[11], p[23]);
1230 accum.mul(ws[12], p[22]);
1231 accum.mul(ws[13], p[21]);
1232 accum.mul(ws[14], p[20]);
1233 accum.mul(ws[15], p[19]);
1234 accum.mul(ws[16], p[18]);
1235 accum.mul(ws[17], p[17]);
1236 accum.mul(ws[18], p[16]);
1237 accum.mul(ws[19], p[15]);
1238 accum.mul(ws[20], p[14]);
1239 accum.mul(ws[21], p[13]);
1240 accum.mul(ws[22], p[12]);
1241 accum.mul(ws[23], p[11]);
1242 accum.add(z[34]);
1243 ws[10] = accum.extract();
1244 accum.mul(ws[12], p[23]);
1245 accum.mul(ws[13], p[22]);
1246 accum.mul(ws[14], p[21]);
1247 accum.mul(ws[15], p[20]);
1248 accum.mul(ws[16], p[19]);
1249 accum.mul(ws[17], p[18]);
1250 accum.mul(ws[18], p[17]);
1251 accum.mul(ws[19], p[16]);
1252 accum.mul(ws[20], p[15]);
1253 accum.mul(ws[21], p[14]);
1254 accum.mul(ws[22], p[13]);
1255 accum.mul(ws[23], p[12]);
1256 accum.add(z[35]);
1257 ws[11] = accum.extract();
1258 accum.mul(ws[13], p[23]);
1259 accum.mul(ws[14], p[22]);
1260 accum.mul(ws[15], p[21]);
1261 accum.mul(ws[16], p[20]);
1262 accum.mul(ws[17], p[19]);
1263 accum.mul(ws[18], p[18]);
1264 accum.mul(ws[19], p[17]);
1265 accum.mul(ws[20], p[16]);
1266 accum.mul(ws[21], p[15]);
1267 accum.mul(ws[22], p[14]);
1268 accum.mul(ws[23], p[13]);
1269 accum.add(z[36]);
1270 ws[12] = accum.extract();
1271 accum.mul(ws[14], p[23]);
1272 accum.mul(ws[15], p[22]);
1273 accum.mul(ws[16], p[21]);
1274 accum.mul(ws[17], p[20]);
1275 accum.mul(ws[18], p[19]);
1276 accum.mul(ws[19], p[18]);
1277 accum.mul(ws[20], p[17]);
1278 accum.mul(ws[21], p[16]);
1279 accum.mul(ws[22], p[15]);
1280 accum.mul(ws[23], p[14]);
1281 accum.add(z[37]);
1282 ws[13] = accum.extract();
1283 accum.mul(ws[15], p[23]);
1284 accum.mul(ws[16], p[22]);
1285 accum.mul(ws[17], p[21]);
1286 accum.mul(ws[18], p[20]);
1287 accum.mul(ws[19], p[19]);
1288 accum.mul(ws[20], p[18]);
1289 accum.mul(ws[21], p[17]);
1290 accum.mul(ws[22], p[16]);
1291 accum.mul(ws[23], p[15]);
1292 accum.add(z[38]);
1293 ws[14] = accum.extract();
1294 accum.mul(ws[16], p[23]);
1295 accum.mul(ws[17], p[22]);
1296 accum.mul(ws[18], p[21]);
1297 accum.mul(ws[19], p[20]);
1298 accum.mul(ws[20], p[19]);
1299 accum.mul(ws[21], p[18]);
1300 accum.mul(ws[22], p[17]);
1301 accum.mul(ws[23], p[16]);
1302 accum.add(z[39]);
1303 ws[15] = accum.extract();
1304 accum.mul(ws[17], p[23]);
1305 accum.mul(ws[18], p[22]);
1306 accum.mul(ws[19], p[21]);
1307 accum.mul(ws[20], p[20]);
1308 accum.mul(ws[21], p[19]);
1309 accum.mul(ws[22], p[18]);
1310 accum.mul(ws[23], p[17]);
1311 accum.add(z[40]);
1312 ws[16] = accum.extract();
1313 accum.mul(ws[18], p[23]);
1314 accum.mul(ws[19], p[22]);
1315 accum.mul(ws[20], p[21]);
1316 accum.mul(ws[21], p[20]);
1317 accum.mul(ws[22], p[19]);
1318 accum.mul(ws[23], p[18]);
1319 accum.add(z[41]);
1320 ws[17] = accum.extract();
1321 accum.mul(ws[19], p[23]);
1322 accum.mul(ws[20], p[22]);
1323 accum.mul(ws[21], p[21]);
1324 accum.mul(ws[22], p[20]);
1325 accum.mul(ws[23], p[19]);
1326 accum.add(z[42]);
1327 ws[18] = accum.extract();
1328 accum.mul(ws[20], p[23]);
1329 accum.mul(ws[21], p[22]);
1330 accum.mul(ws[22], p[21]);
1331 accum.mul(ws[23], p[20]);
1332 accum.add(z[43]);
1333 ws[19] = accum.extract();
1334 accum.mul(ws[21], p[23]);
1335 accum.mul(ws[22], p[22]);
1336 accum.mul(ws[23], p[21]);
1337 accum.add(z[44]);
1338 ws[20] = accum.extract();
1339 accum.mul(ws[22], p[23]);
1340 accum.mul(ws[23], p[22]);
1341 accum.add(z[45]);
1342 ws[21] = accum.extract();
1343 accum.mul(ws[23], p[23]);
1344 accum.add(z[46]);
1345 ws[22] = accum.extract();
1346 accum.add(z[47]);
1347 ws[23] = accum.extract();
1348 word w1 = accum.extract();
1349 bigint_monty_maybe_sub<24>(r, w1, ws, p);
1350}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_32()

void Botan::bigint_monty_redc_32 ( word r[32],
const word z[64],
const word p[32],
word p_dash,
word ws[32] )

Definition at line 1352 of file mp_monty_n.cpp.

1352 {
1353 word3<word> accum;
1354 accum.add(z[0]);
1355 ws[0] = accum.monty_step(p[0], p_dash);
1356 accum.mul(ws[0], p[1]);
1357 accum.add(z[1]);
1358 ws[1] = accum.monty_step(p[0], p_dash);
1359 accum.mul(ws[0], p[2]);
1360 accum.mul(ws[1], p[1]);
1361 accum.add(z[2]);
1362 ws[2] = accum.monty_step(p[0], p_dash);
1363 accum.mul(ws[0], p[3]);
1364 accum.mul(ws[1], p[2]);
1365 accum.mul(ws[2], p[1]);
1366 accum.add(z[3]);
1367 ws[3] = accum.monty_step(p[0], p_dash);
1368 accum.mul(ws[0], p[4]);
1369 accum.mul(ws[1], p[3]);
1370 accum.mul(ws[2], p[2]);
1371 accum.mul(ws[3], p[1]);
1372 accum.add(z[4]);
1373 ws[4] = accum.monty_step(p[0], p_dash);
1374 accum.mul(ws[0], p[5]);
1375 accum.mul(ws[1], p[4]);
1376 accum.mul(ws[2], p[3]);
1377 accum.mul(ws[3], p[2]);
1378 accum.mul(ws[4], p[1]);
1379 accum.add(z[5]);
1380 ws[5] = accum.monty_step(p[0], p_dash);
1381 accum.mul(ws[0], p[6]);
1382 accum.mul(ws[1], p[5]);
1383 accum.mul(ws[2], p[4]);
1384 accum.mul(ws[3], p[3]);
1385 accum.mul(ws[4], p[2]);
1386 accum.mul(ws[5], p[1]);
1387 accum.add(z[6]);
1388 ws[6] = accum.monty_step(p[0], p_dash);
1389 accum.mul(ws[0], p[7]);
1390 accum.mul(ws[1], p[6]);
1391 accum.mul(ws[2], p[5]);
1392 accum.mul(ws[3], p[4]);
1393 accum.mul(ws[4], p[3]);
1394 accum.mul(ws[5], p[2]);
1395 accum.mul(ws[6], p[1]);
1396 accum.add(z[7]);
1397 ws[7] = accum.monty_step(p[0], p_dash);
1398 accum.mul(ws[0], p[8]);
1399 accum.mul(ws[1], p[7]);
1400 accum.mul(ws[2], p[6]);
1401 accum.mul(ws[3], p[5]);
1402 accum.mul(ws[4], p[4]);
1403 accum.mul(ws[5], p[3]);
1404 accum.mul(ws[6], p[2]);
1405 accum.mul(ws[7], p[1]);
1406 accum.add(z[8]);
1407 ws[8] = accum.monty_step(p[0], p_dash);
1408 accum.mul(ws[0], p[9]);
1409 accum.mul(ws[1], p[8]);
1410 accum.mul(ws[2], p[7]);
1411 accum.mul(ws[3], p[6]);
1412 accum.mul(ws[4], p[5]);
1413 accum.mul(ws[5], p[4]);
1414 accum.mul(ws[6], p[3]);
1415 accum.mul(ws[7], p[2]);
1416 accum.mul(ws[8], p[1]);
1417 accum.add(z[9]);
1418 ws[9] = accum.monty_step(p[0], p_dash);
1419 accum.mul(ws[0], p[10]);
1420 accum.mul(ws[1], p[9]);
1421 accum.mul(ws[2], p[8]);
1422 accum.mul(ws[3], p[7]);
1423 accum.mul(ws[4], p[6]);
1424 accum.mul(ws[5], p[5]);
1425 accum.mul(ws[6], p[4]);
1426 accum.mul(ws[7], p[3]);
1427 accum.mul(ws[8], p[2]);
1428 accum.mul(ws[9], p[1]);
1429 accum.add(z[10]);
1430 ws[10] = accum.monty_step(p[0], p_dash);
1431 accum.mul(ws[0], p[11]);
1432 accum.mul(ws[1], p[10]);
1433 accum.mul(ws[2], p[9]);
1434 accum.mul(ws[3], p[8]);
1435 accum.mul(ws[4], p[7]);
1436 accum.mul(ws[5], p[6]);
1437 accum.mul(ws[6], p[5]);
1438 accum.mul(ws[7], p[4]);
1439 accum.mul(ws[8], p[3]);
1440 accum.mul(ws[9], p[2]);
1441 accum.mul(ws[10], p[1]);
1442 accum.add(z[11]);
1443 ws[11] = accum.monty_step(p[0], p_dash);
1444 accum.mul(ws[0], p[12]);
1445 accum.mul(ws[1], p[11]);
1446 accum.mul(ws[2], p[10]);
1447 accum.mul(ws[3], p[9]);
1448 accum.mul(ws[4], p[8]);
1449 accum.mul(ws[5], p[7]);
1450 accum.mul(ws[6], p[6]);
1451 accum.mul(ws[7], p[5]);
1452 accum.mul(ws[8], p[4]);
1453 accum.mul(ws[9], p[3]);
1454 accum.mul(ws[10], p[2]);
1455 accum.mul(ws[11], p[1]);
1456 accum.add(z[12]);
1457 ws[12] = accum.monty_step(p[0], p_dash);
1458 accum.mul(ws[0], p[13]);
1459 accum.mul(ws[1], p[12]);
1460 accum.mul(ws[2], p[11]);
1461 accum.mul(ws[3], p[10]);
1462 accum.mul(ws[4], p[9]);
1463 accum.mul(ws[5], p[8]);
1464 accum.mul(ws[6], p[7]);
1465 accum.mul(ws[7], p[6]);
1466 accum.mul(ws[8], p[5]);
1467 accum.mul(ws[9], p[4]);
1468 accum.mul(ws[10], p[3]);
1469 accum.mul(ws[11], p[2]);
1470 accum.mul(ws[12], p[1]);
1471 accum.add(z[13]);
1472 ws[13] = accum.monty_step(p[0], p_dash);
1473 accum.mul(ws[0], p[14]);
1474 accum.mul(ws[1], p[13]);
1475 accum.mul(ws[2], p[12]);
1476 accum.mul(ws[3], p[11]);
1477 accum.mul(ws[4], p[10]);
1478 accum.mul(ws[5], p[9]);
1479 accum.mul(ws[6], p[8]);
1480 accum.mul(ws[7], p[7]);
1481 accum.mul(ws[8], p[6]);
1482 accum.mul(ws[9], p[5]);
1483 accum.mul(ws[10], p[4]);
1484 accum.mul(ws[11], p[3]);
1485 accum.mul(ws[12], p[2]);
1486 accum.mul(ws[13], p[1]);
1487 accum.add(z[14]);
1488 ws[14] = accum.monty_step(p[0], p_dash);
1489 accum.mul(ws[0], p[15]);
1490 accum.mul(ws[1], p[14]);
1491 accum.mul(ws[2], p[13]);
1492 accum.mul(ws[3], p[12]);
1493 accum.mul(ws[4], p[11]);
1494 accum.mul(ws[5], p[10]);
1495 accum.mul(ws[6], p[9]);
1496 accum.mul(ws[7], p[8]);
1497 accum.mul(ws[8], p[7]);
1498 accum.mul(ws[9], p[6]);
1499 accum.mul(ws[10], p[5]);
1500 accum.mul(ws[11], p[4]);
1501 accum.mul(ws[12], p[3]);
1502 accum.mul(ws[13], p[2]);
1503 accum.mul(ws[14], p[1]);
1504 accum.add(z[15]);
1505 ws[15] = accum.monty_step(p[0], p_dash);
1506 accum.mul(ws[0], p[16]);
1507 accum.mul(ws[1], p[15]);
1508 accum.mul(ws[2], p[14]);
1509 accum.mul(ws[3], p[13]);
1510 accum.mul(ws[4], p[12]);
1511 accum.mul(ws[5], p[11]);
1512 accum.mul(ws[6], p[10]);
1513 accum.mul(ws[7], p[9]);
1514 accum.mul(ws[8], p[8]);
1515 accum.mul(ws[9], p[7]);
1516 accum.mul(ws[10], p[6]);
1517 accum.mul(ws[11], p[5]);
1518 accum.mul(ws[12], p[4]);
1519 accum.mul(ws[13], p[3]);
1520 accum.mul(ws[14], p[2]);
1521 accum.mul(ws[15], p[1]);
1522 accum.add(z[16]);
1523 ws[16] = accum.monty_step(p[0], p_dash);
1524 accum.mul(ws[0], p[17]);
1525 accum.mul(ws[1], p[16]);
1526 accum.mul(ws[2], p[15]);
1527 accum.mul(ws[3], p[14]);
1528 accum.mul(ws[4], p[13]);
1529 accum.mul(ws[5], p[12]);
1530 accum.mul(ws[6], p[11]);
1531 accum.mul(ws[7], p[10]);
1532 accum.mul(ws[8], p[9]);
1533 accum.mul(ws[9], p[8]);
1534 accum.mul(ws[10], p[7]);
1535 accum.mul(ws[11], p[6]);
1536 accum.mul(ws[12], p[5]);
1537 accum.mul(ws[13], p[4]);
1538 accum.mul(ws[14], p[3]);
1539 accum.mul(ws[15], p[2]);
1540 accum.mul(ws[16], p[1]);
1541 accum.add(z[17]);
1542 ws[17] = accum.monty_step(p[0], p_dash);
1543 accum.mul(ws[0], p[18]);
1544 accum.mul(ws[1], p[17]);
1545 accum.mul(ws[2], p[16]);
1546 accum.mul(ws[3], p[15]);
1547 accum.mul(ws[4], p[14]);
1548 accum.mul(ws[5], p[13]);
1549 accum.mul(ws[6], p[12]);
1550 accum.mul(ws[7], p[11]);
1551 accum.mul(ws[8], p[10]);
1552 accum.mul(ws[9], p[9]);
1553 accum.mul(ws[10], p[8]);
1554 accum.mul(ws[11], p[7]);
1555 accum.mul(ws[12], p[6]);
1556 accum.mul(ws[13], p[5]);
1557 accum.mul(ws[14], p[4]);
1558 accum.mul(ws[15], p[3]);
1559 accum.mul(ws[16], p[2]);
1560 accum.mul(ws[17], p[1]);
1561 accum.add(z[18]);
1562 ws[18] = accum.monty_step(p[0], p_dash);
1563 accum.mul(ws[0], p[19]);
1564 accum.mul(ws[1], p[18]);
1565 accum.mul(ws[2], p[17]);
1566 accum.mul(ws[3], p[16]);
1567 accum.mul(ws[4], p[15]);
1568 accum.mul(ws[5], p[14]);
1569 accum.mul(ws[6], p[13]);
1570 accum.mul(ws[7], p[12]);
1571 accum.mul(ws[8], p[11]);
1572 accum.mul(ws[9], p[10]);
1573 accum.mul(ws[10], p[9]);
1574 accum.mul(ws[11], p[8]);
1575 accum.mul(ws[12], p[7]);
1576 accum.mul(ws[13], p[6]);
1577 accum.mul(ws[14], p[5]);
1578 accum.mul(ws[15], p[4]);
1579 accum.mul(ws[16], p[3]);
1580 accum.mul(ws[17], p[2]);
1581 accum.mul(ws[18], p[1]);
1582 accum.add(z[19]);
1583 ws[19] = accum.monty_step(p[0], p_dash);
1584 accum.mul(ws[0], p[20]);
1585 accum.mul(ws[1], p[19]);
1586 accum.mul(ws[2], p[18]);
1587 accum.mul(ws[3], p[17]);
1588 accum.mul(ws[4], p[16]);
1589 accum.mul(ws[5], p[15]);
1590 accum.mul(ws[6], p[14]);
1591 accum.mul(ws[7], p[13]);
1592 accum.mul(ws[8], p[12]);
1593 accum.mul(ws[9], p[11]);
1594 accum.mul(ws[10], p[10]);
1595 accum.mul(ws[11], p[9]);
1596 accum.mul(ws[12], p[8]);
1597 accum.mul(ws[13], p[7]);
1598 accum.mul(ws[14], p[6]);
1599 accum.mul(ws[15], p[5]);
1600 accum.mul(ws[16], p[4]);
1601 accum.mul(ws[17], p[3]);
1602 accum.mul(ws[18], p[2]);
1603 accum.mul(ws[19], p[1]);
1604 accum.add(z[20]);
1605 ws[20] = accum.monty_step(p[0], p_dash);
1606 accum.mul(ws[0], p[21]);
1607 accum.mul(ws[1], p[20]);
1608 accum.mul(ws[2], p[19]);
1609 accum.mul(ws[3], p[18]);
1610 accum.mul(ws[4], p[17]);
1611 accum.mul(ws[5], p[16]);
1612 accum.mul(ws[6], p[15]);
1613 accum.mul(ws[7], p[14]);
1614 accum.mul(ws[8], p[13]);
1615 accum.mul(ws[9], p[12]);
1616 accum.mul(ws[10], p[11]);
1617 accum.mul(ws[11], p[10]);
1618 accum.mul(ws[12], p[9]);
1619 accum.mul(ws[13], p[8]);
1620 accum.mul(ws[14], p[7]);
1621 accum.mul(ws[15], p[6]);
1622 accum.mul(ws[16], p[5]);
1623 accum.mul(ws[17], p[4]);
1624 accum.mul(ws[18], p[3]);
1625 accum.mul(ws[19], p[2]);
1626 accum.mul(ws[20], p[1]);
1627 accum.add(z[21]);
1628 ws[21] = accum.monty_step(p[0], p_dash);
1629 accum.mul(ws[0], p[22]);
1630 accum.mul(ws[1], p[21]);
1631 accum.mul(ws[2], p[20]);
1632 accum.mul(ws[3], p[19]);
1633 accum.mul(ws[4], p[18]);
1634 accum.mul(ws[5], p[17]);
1635 accum.mul(ws[6], p[16]);
1636 accum.mul(ws[7], p[15]);
1637 accum.mul(ws[8], p[14]);
1638 accum.mul(ws[9], p[13]);
1639 accum.mul(ws[10], p[12]);
1640 accum.mul(ws[11], p[11]);
1641 accum.mul(ws[12], p[10]);
1642 accum.mul(ws[13], p[9]);
1643 accum.mul(ws[14], p[8]);
1644 accum.mul(ws[15], p[7]);
1645 accum.mul(ws[16], p[6]);
1646 accum.mul(ws[17], p[5]);
1647 accum.mul(ws[18], p[4]);
1648 accum.mul(ws[19], p[3]);
1649 accum.mul(ws[20], p[2]);
1650 accum.mul(ws[21], p[1]);
1651 accum.add(z[22]);
1652 ws[22] = accum.monty_step(p[0], p_dash);
1653 accum.mul(ws[0], p[23]);
1654 accum.mul(ws[1], p[22]);
1655 accum.mul(ws[2], p[21]);
1656 accum.mul(ws[3], p[20]);
1657 accum.mul(ws[4], p[19]);
1658 accum.mul(ws[5], p[18]);
1659 accum.mul(ws[6], p[17]);
1660 accum.mul(ws[7], p[16]);
1661 accum.mul(ws[8], p[15]);
1662 accum.mul(ws[9], p[14]);
1663 accum.mul(ws[10], p[13]);
1664 accum.mul(ws[11], p[12]);
1665 accum.mul(ws[12], p[11]);
1666 accum.mul(ws[13], p[10]);
1667 accum.mul(ws[14], p[9]);
1668 accum.mul(ws[15], p[8]);
1669 accum.mul(ws[16], p[7]);
1670 accum.mul(ws[17], p[6]);
1671 accum.mul(ws[18], p[5]);
1672 accum.mul(ws[19], p[4]);
1673 accum.mul(ws[20], p[3]);
1674 accum.mul(ws[21], p[2]);
1675 accum.mul(ws[22], p[1]);
1676 accum.add(z[23]);
1677 ws[23] = accum.monty_step(p[0], p_dash);
1678 accum.mul(ws[0], p[24]);
1679 accum.mul(ws[1], p[23]);
1680 accum.mul(ws[2], p[22]);
1681 accum.mul(ws[3], p[21]);
1682 accum.mul(ws[4], p[20]);
1683 accum.mul(ws[5], p[19]);
1684 accum.mul(ws[6], p[18]);
1685 accum.mul(ws[7], p[17]);
1686 accum.mul(ws[8], p[16]);
1687 accum.mul(ws[9], p[15]);
1688 accum.mul(ws[10], p[14]);
1689 accum.mul(ws[11], p[13]);
1690 accum.mul(ws[12], p[12]);
1691 accum.mul(ws[13], p[11]);
1692 accum.mul(ws[14], p[10]);
1693 accum.mul(ws[15], p[9]);
1694 accum.mul(ws[16], p[8]);
1695 accum.mul(ws[17], p[7]);
1696 accum.mul(ws[18], p[6]);
1697 accum.mul(ws[19], p[5]);
1698 accum.mul(ws[20], p[4]);
1699 accum.mul(ws[21], p[3]);
1700 accum.mul(ws[22], p[2]);
1701 accum.mul(ws[23], p[1]);
1702 accum.add(z[24]);
1703 ws[24] = accum.monty_step(p[0], p_dash);
1704 accum.mul(ws[0], p[25]);
1705 accum.mul(ws[1], p[24]);
1706 accum.mul(ws[2], p[23]);
1707 accum.mul(ws[3], p[22]);
1708 accum.mul(ws[4], p[21]);
1709 accum.mul(ws[5], p[20]);
1710 accum.mul(ws[6], p[19]);
1711 accum.mul(ws[7], p[18]);
1712 accum.mul(ws[8], p[17]);
1713 accum.mul(ws[9], p[16]);
1714 accum.mul(ws[10], p[15]);
1715 accum.mul(ws[11], p[14]);
1716 accum.mul(ws[12], p[13]);
1717 accum.mul(ws[13], p[12]);
1718 accum.mul(ws[14], p[11]);
1719 accum.mul(ws[15], p[10]);
1720 accum.mul(ws[16], p[9]);
1721 accum.mul(ws[17], p[8]);
1722 accum.mul(ws[18], p[7]);
1723 accum.mul(ws[19], p[6]);
1724 accum.mul(ws[20], p[5]);
1725 accum.mul(ws[21], p[4]);
1726 accum.mul(ws[22], p[3]);
1727 accum.mul(ws[23], p[2]);
1728 accum.mul(ws[24], p[1]);
1729 accum.add(z[25]);
1730 ws[25] = accum.monty_step(p[0], p_dash);
1731 accum.mul(ws[0], p[26]);
1732 accum.mul(ws[1], p[25]);
1733 accum.mul(ws[2], p[24]);
1734 accum.mul(ws[3], p[23]);
1735 accum.mul(ws[4], p[22]);
1736 accum.mul(ws[5], p[21]);
1737 accum.mul(ws[6], p[20]);
1738 accum.mul(ws[7], p[19]);
1739 accum.mul(ws[8], p[18]);
1740 accum.mul(ws[9], p[17]);
1741 accum.mul(ws[10], p[16]);
1742 accum.mul(ws[11], p[15]);
1743 accum.mul(ws[12], p[14]);
1744 accum.mul(ws[13], p[13]);
1745 accum.mul(ws[14], p[12]);
1746 accum.mul(ws[15], p[11]);
1747 accum.mul(ws[16], p[10]);
1748 accum.mul(ws[17], p[9]);
1749 accum.mul(ws[18], p[8]);
1750 accum.mul(ws[19], p[7]);
1751 accum.mul(ws[20], p[6]);
1752 accum.mul(ws[21], p[5]);
1753 accum.mul(ws[22], p[4]);
1754 accum.mul(ws[23], p[3]);
1755 accum.mul(ws[24], p[2]);
1756 accum.mul(ws[25], p[1]);
1757 accum.add(z[26]);
1758 ws[26] = accum.monty_step(p[0], p_dash);
1759 accum.mul(ws[0], p[27]);
1760 accum.mul(ws[1], p[26]);
1761 accum.mul(ws[2], p[25]);
1762 accum.mul(ws[3], p[24]);
1763 accum.mul(ws[4], p[23]);
1764 accum.mul(ws[5], p[22]);
1765 accum.mul(ws[6], p[21]);
1766 accum.mul(ws[7], p[20]);
1767 accum.mul(ws[8], p[19]);
1768 accum.mul(ws[9], p[18]);
1769 accum.mul(ws[10], p[17]);
1770 accum.mul(ws[11], p[16]);
1771 accum.mul(ws[12], p[15]);
1772 accum.mul(ws[13], p[14]);
1773 accum.mul(ws[14], p[13]);
1774 accum.mul(ws[15], p[12]);
1775 accum.mul(ws[16], p[11]);
1776 accum.mul(ws[17], p[10]);
1777 accum.mul(ws[18], p[9]);
1778 accum.mul(ws[19], p[8]);
1779 accum.mul(ws[20], p[7]);
1780 accum.mul(ws[21], p[6]);
1781 accum.mul(ws[22], p[5]);
1782 accum.mul(ws[23], p[4]);
1783 accum.mul(ws[24], p[3]);
1784 accum.mul(ws[25], p[2]);
1785 accum.mul(ws[26], p[1]);
1786 accum.add(z[27]);
1787 ws[27] = accum.monty_step(p[0], p_dash);
1788 accum.mul(ws[0], p[28]);
1789 accum.mul(ws[1], p[27]);
1790 accum.mul(ws[2], p[26]);
1791 accum.mul(ws[3], p[25]);
1792 accum.mul(ws[4], p[24]);
1793 accum.mul(ws[5], p[23]);
1794 accum.mul(ws[6], p[22]);
1795 accum.mul(ws[7], p[21]);
1796 accum.mul(ws[8], p[20]);
1797 accum.mul(ws[9], p[19]);
1798 accum.mul(ws[10], p[18]);
1799 accum.mul(ws[11], p[17]);
1800 accum.mul(ws[12], p[16]);
1801 accum.mul(ws[13], p[15]);
1802 accum.mul(ws[14], p[14]);
1803 accum.mul(ws[15], p[13]);
1804 accum.mul(ws[16], p[12]);
1805 accum.mul(ws[17], p[11]);
1806 accum.mul(ws[18], p[10]);
1807 accum.mul(ws[19], p[9]);
1808 accum.mul(ws[20], p[8]);
1809 accum.mul(ws[21], p[7]);
1810 accum.mul(ws[22], p[6]);
1811 accum.mul(ws[23], p[5]);
1812 accum.mul(ws[24], p[4]);
1813 accum.mul(ws[25], p[3]);
1814 accum.mul(ws[26], p[2]);
1815 accum.mul(ws[27], p[1]);
1816 accum.add(z[28]);
1817 ws[28] = accum.monty_step(p[0], p_dash);
1818 accum.mul(ws[0], p[29]);
1819 accum.mul(ws[1], p[28]);
1820 accum.mul(ws[2], p[27]);
1821 accum.mul(ws[3], p[26]);
1822 accum.mul(ws[4], p[25]);
1823 accum.mul(ws[5], p[24]);
1824 accum.mul(ws[6], p[23]);
1825 accum.mul(ws[7], p[22]);
1826 accum.mul(ws[8], p[21]);
1827 accum.mul(ws[9], p[20]);
1828 accum.mul(ws[10], p[19]);
1829 accum.mul(ws[11], p[18]);
1830 accum.mul(ws[12], p[17]);
1831 accum.mul(ws[13], p[16]);
1832 accum.mul(ws[14], p[15]);
1833 accum.mul(ws[15], p[14]);
1834 accum.mul(ws[16], p[13]);
1835 accum.mul(ws[17], p[12]);
1836 accum.mul(ws[18], p[11]);
1837 accum.mul(ws[19], p[10]);
1838 accum.mul(ws[20], p[9]);
1839 accum.mul(ws[21], p[8]);
1840 accum.mul(ws[22], p[7]);
1841 accum.mul(ws[23], p[6]);
1842 accum.mul(ws[24], p[5]);
1843 accum.mul(ws[25], p[4]);
1844 accum.mul(ws[26], p[3]);
1845 accum.mul(ws[27], p[2]);
1846 accum.mul(ws[28], p[1]);
1847 accum.add(z[29]);
1848 ws[29] = accum.monty_step(p[0], p_dash);
1849 accum.mul(ws[0], p[30]);
1850 accum.mul(ws[1], p[29]);
1851 accum.mul(ws[2], p[28]);
1852 accum.mul(ws[3], p[27]);
1853 accum.mul(ws[4], p[26]);
1854 accum.mul(ws[5], p[25]);
1855 accum.mul(ws[6], p[24]);
1856 accum.mul(ws[7], p[23]);
1857 accum.mul(ws[8], p[22]);
1858 accum.mul(ws[9], p[21]);
1859 accum.mul(ws[10], p[20]);
1860 accum.mul(ws[11], p[19]);
1861 accum.mul(ws[12], p[18]);
1862 accum.mul(ws[13], p[17]);
1863 accum.mul(ws[14], p[16]);
1864 accum.mul(ws[15], p[15]);
1865 accum.mul(ws[16], p[14]);
1866 accum.mul(ws[17], p[13]);
1867 accum.mul(ws[18], p[12]);
1868 accum.mul(ws[19], p[11]);
1869 accum.mul(ws[20], p[10]);
1870 accum.mul(ws[21], p[9]);
1871 accum.mul(ws[22], p[8]);
1872 accum.mul(ws[23], p[7]);
1873 accum.mul(ws[24], p[6]);
1874 accum.mul(ws[25], p[5]);
1875 accum.mul(ws[26], p[4]);
1876 accum.mul(ws[27], p[3]);
1877 accum.mul(ws[28], p[2]);
1878 accum.mul(ws[29], p[1]);
1879 accum.add(z[30]);
1880 ws[30] = accum.monty_step(p[0], p_dash);
1881 accum.mul(ws[0], p[31]);
1882 accum.mul(ws[1], p[30]);
1883 accum.mul(ws[2], p[29]);
1884 accum.mul(ws[3], p[28]);
1885 accum.mul(ws[4], p[27]);
1886 accum.mul(ws[5], p[26]);
1887 accum.mul(ws[6], p[25]);
1888 accum.mul(ws[7], p[24]);
1889 accum.mul(ws[8], p[23]);
1890 accum.mul(ws[9], p[22]);
1891 accum.mul(ws[10], p[21]);
1892 accum.mul(ws[11], p[20]);
1893 accum.mul(ws[12], p[19]);
1894 accum.mul(ws[13], p[18]);
1895 accum.mul(ws[14], p[17]);
1896 accum.mul(ws[15], p[16]);
1897 accum.mul(ws[16], p[15]);
1898 accum.mul(ws[17], p[14]);
1899 accum.mul(ws[18], p[13]);
1900 accum.mul(ws[19], p[12]);
1901 accum.mul(ws[20], p[11]);
1902 accum.mul(ws[21], p[10]);
1903 accum.mul(ws[22], p[9]);
1904 accum.mul(ws[23], p[8]);
1905 accum.mul(ws[24], p[7]);
1906 accum.mul(ws[25], p[6]);
1907 accum.mul(ws[26], p[5]);
1908 accum.mul(ws[27], p[4]);
1909 accum.mul(ws[28], p[3]);
1910 accum.mul(ws[29], p[2]);
1911 accum.mul(ws[30], p[1]);
1912 accum.add(z[31]);
1913 ws[31] = accum.monty_step(p[0], p_dash);
1914 accum.mul(ws[1], p[31]);
1915 accum.mul(ws[2], p[30]);
1916 accum.mul(ws[3], p[29]);
1917 accum.mul(ws[4], p[28]);
1918 accum.mul(ws[5], p[27]);
1919 accum.mul(ws[6], p[26]);
1920 accum.mul(ws[7], p[25]);
1921 accum.mul(ws[8], p[24]);
1922 accum.mul(ws[9], p[23]);
1923 accum.mul(ws[10], p[22]);
1924 accum.mul(ws[11], p[21]);
1925 accum.mul(ws[12], p[20]);
1926 accum.mul(ws[13], p[19]);
1927 accum.mul(ws[14], p[18]);
1928 accum.mul(ws[15], p[17]);
1929 accum.mul(ws[16], p[16]);
1930 accum.mul(ws[17], p[15]);
1931 accum.mul(ws[18], p[14]);
1932 accum.mul(ws[19], p[13]);
1933 accum.mul(ws[20], p[12]);
1934 accum.mul(ws[21], p[11]);
1935 accum.mul(ws[22], p[10]);
1936 accum.mul(ws[23], p[9]);
1937 accum.mul(ws[24], p[8]);
1938 accum.mul(ws[25], p[7]);
1939 accum.mul(ws[26], p[6]);
1940 accum.mul(ws[27], p[5]);
1941 accum.mul(ws[28], p[4]);
1942 accum.mul(ws[29], p[3]);
1943 accum.mul(ws[30], p[2]);
1944 accum.mul(ws[31], p[1]);
1945 accum.add(z[32]);
1946 ws[0] = accum.extract();
1947 accum.mul(ws[2], p[31]);
1948 accum.mul(ws[3], p[30]);
1949 accum.mul(ws[4], p[29]);
1950 accum.mul(ws[5], p[28]);
1951 accum.mul(ws[6], p[27]);
1952 accum.mul(ws[7], p[26]);
1953 accum.mul(ws[8], p[25]);
1954 accum.mul(ws[9], p[24]);
1955 accum.mul(ws[10], p[23]);
1956 accum.mul(ws[11], p[22]);
1957 accum.mul(ws[12], p[21]);
1958 accum.mul(ws[13], p[20]);
1959 accum.mul(ws[14], p[19]);
1960 accum.mul(ws[15], p[18]);
1961 accum.mul(ws[16], p[17]);
1962 accum.mul(ws[17], p[16]);
1963 accum.mul(ws[18], p[15]);
1964 accum.mul(ws[19], p[14]);
1965 accum.mul(ws[20], p[13]);
1966 accum.mul(ws[21], p[12]);
1967 accum.mul(ws[22], p[11]);
1968 accum.mul(ws[23], p[10]);
1969 accum.mul(ws[24], p[9]);
1970 accum.mul(ws[25], p[8]);
1971 accum.mul(ws[26], p[7]);
1972 accum.mul(ws[27], p[6]);
1973 accum.mul(ws[28], p[5]);
1974 accum.mul(ws[29], p[4]);
1975 accum.mul(ws[30], p[3]);
1976 accum.mul(ws[31], p[2]);
1977 accum.add(z[33]);
1978 ws[1] = accum.extract();
1979 accum.mul(ws[3], p[31]);
1980 accum.mul(ws[4], p[30]);
1981 accum.mul(ws[5], p[29]);
1982 accum.mul(ws[6], p[28]);
1983 accum.mul(ws[7], p[27]);
1984 accum.mul(ws[8], p[26]);
1985 accum.mul(ws[9], p[25]);
1986 accum.mul(ws[10], p[24]);
1987 accum.mul(ws[11], p[23]);
1988 accum.mul(ws[12], p[22]);
1989 accum.mul(ws[13], p[21]);
1990 accum.mul(ws[14], p[20]);
1991 accum.mul(ws[15], p[19]);
1992 accum.mul(ws[16], p[18]);
1993 accum.mul(ws[17], p[17]);
1994 accum.mul(ws[18], p[16]);
1995 accum.mul(ws[19], p[15]);
1996 accum.mul(ws[20], p[14]);
1997 accum.mul(ws[21], p[13]);
1998 accum.mul(ws[22], p[12]);
1999 accum.mul(ws[23], p[11]);
2000 accum.mul(ws[24], p[10]);
2001 accum.mul(ws[25], p[9]);
2002 accum.mul(ws[26], p[8]);
2003 accum.mul(ws[27], p[7]);
2004 accum.mul(ws[28], p[6]);
2005 accum.mul(ws[29], p[5]);
2006 accum.mul(ws[30], p[4]);
2007 accum.mul(ws[31], p[3]);
2008 accum.add(z[34]);
2009 ws[2] = accum.extract();
2010 accum.mul(ws[4], p[31]);
2011 accum.mul(ws[5], p[30]);
2012 accum.mul(ws[6], p[29]);
2013 accum.mul(ws[7], p[28]);
2014 accum.mul(ws[8], p[27]);
2015 accum.mul(ws[9], p[26]);
2016 accum.mul(ws[10], p[25]);
2017 accum.mul(ws[11], p[24]);
2018 accum.mul(ws[12], p[23]);
2019 accum.mul(ws[13], p[22]);
2020 accum.mul(ws[14], p[21]);
2021 accum.mul(ws[15], p[20]);
2022 accum.mul(ws[16], p[19]);
2023 accum.mul(ws[17], p[18]);
2024 accum.mul(ws[18], p[17]);
2025 accum.mul(ws[19], p[16]);
2026 accum.mul(ws[20], p[15]);
2027 accum.mul(ws[21], p[14]);
2028 accum.mul(ws[22], p[13]);
2029 accum.mul(ws[23], p[12]);
2030 accum.mul(ws[24], p[11]);
2031 accum.mul(ws[25], p[10]);
2032 accum.mul(ws[26], p[9]);
2033 accum.mul(ws[27], p[8]);
2034 accum.mul(ws[28], p[7]);
2035 accum.mul(ws[29], p[6]);
2036 accum.mul(ws[30], p[5]);
2037 accum.mul(ws[31], p[4]);
2038 accum.add(z[35]);
2039 ws[3] = accum.extract();
2040 accum.mul(ws[5], p[31]);
2041 accum.mul(ws[6], p[30]);
2042 accum.mul(ws[7], p[29]);
2043 accum.mul(ws[8], p[28]);
2044 accum.mul(ws[9], p[27]);
2045 accum.mul(ws[10], p[26]);
2046 accum.mul(ws[11], p[25]);
2047 accum.mul(ws[12], p[24]);
2048 accum.mul(ws[13], p[23]);
2049 accum.mul(ws[14], p[22]);
2050 accum.mul(ws[15], p[21]);
2051 accum.mul(ws[16], p[20]);
2052 accum.mul(ws[17], p[19]);
2053 accum.mul(ws[18], p[18]);
2054 accum.mul(ws[19], p[17]);
2055 accum.mul(ws[20], p[16]);
2056 accum.mul(ws[21], p[15]);
2057 accum.mul(ws[22], p[14]);
2058 accum.mul(ws[23], p[13]);
2059 accum.mul(ws[24], p[12]);
2060 accum.mul(ws[25], p[11]);
2061 accum.mul(ws[26], p[10]);
2062 accum.mul(ws[27], p[9]);
2063 accum.mul(ws[28], p[8]);
2064 accum.mul(ws[29], p[7]);
2065 accum.mul(ws[30], p[6]);
2066 accum.mul(ws[31], p[5]);
2067 accum.add(z[36]);
2068 ws[4] = accum.extract();
2069 accum.mul(ws[6], p[31]);
2070 accum.mul(ws[7], p[30]);
2071 accum.mul(ws[8], p[29]);
2072 accum.mul(ws[9], p[28]);
2073 accum.mul(ws[10], p[27]);
2074 accum.mul(ws[11], p[26]);
2075 accum.mul(ws[12], p[25]);
2076 accum.mul(ws[13], p[24]);
2077 accum.mul(ws[14], p[23]);
2078 accum.mul(ws[15], p[22]);
2079 accum.mul(ws[16], p[21]);
2080 accum.mul(ws[17], p[20]);
2081 accum.mul(ws[18], p[19]);
2082 accum.mul(ws[19], p[18]);
2083 accum.mul(ws[20], p[17]);
2084 accum.mul(ws[21], p[16]);
2085 accum.mul(ws[22], p[15]);
2086 accum.mul(ws[23], p[14]);
2087 accum.mul(ws[24], p[13]);
2088 accum.mul(ws[25], p[12]);
2089 accum.mul(ws[26], p[11]);
2090 accum.mul(ws[27], p[10]);
2091 accum.mul(ws[28], p[9]);
2092 accum.mul(ws[29], p[8]);
2093 accum.mul(ws[30], p[7]);
2094 accum.mul(ws[31], p[6]);
2095 accum.add(z[37]);
2096 ws[5] = accum.extract();
2097 accum.mul(ws[7], p[31]);
2098 accum.mul(ws[8], p[30]);
2099 accum.mul(ws[9], p[29]);
2100 accum.mul(ws[10], p[28]);
2101 accum.mul(ws[11], p[27]);
2102 accum.mul(ws[12], p[26]);
2103 accum.mul(ws[13], p[25]);
2104 accum.mul(ws[14], p[24]);
2105 accum.mul(ws[15], p[23]);
2106 accum.mul(ws[16], p[22]);
2107 accum.mul(ws[17], p[21]);
2108 accum.mul(ws[18], p[20]);
2109 accum.mul(ws[19], p[19]);
2110 accum.mul(ws[20], p[18]);
2111 accum.mul(ws[21], p[17]);
2112 accum.mul(ws[22], p[16]);
2113 accum.mul(ws[23], p[15]);
2114 accum.mul(ws[24], p[14]);
2115 accum.mul(ws[25], p[13]);
2116 accum.mul(ws[26], p[12]);
2117 accum.mul(ws[27], p[11]);
2118 accum.mul(ws[28], p[10]);
2119 accum.mul(ws[29], p[9]);
2120 accum.mul(ws[30], p[8]);
2121 accum.mul(ws[31], p[7]);
2122 accum.add(z[38]);
2123 ws[6] = accum.extract();
2124 accum.mul(ws[8], p[31]);
2125 accum.mul(ws[9], p[30]);
2126 accum.mul(ws[10], p[29]);
2127 accum.mul(ws[11], p[28]);
2128 accum.mul(ws[12], p[27]);
2129 accum.mul(ws[13], p[26]);
2130 accum.mul(ws[14], p[25]);
2131 accum.mul(ws[15], p[24]);
2132 accum.mul(ws[16], p[23]);
2133 accum.mul(ws[17], p[22]);
2134 accum.mul(ws[18], p[21]);
2135 accum.mul(ws[19], p[20]);
2136 accum.mul(ws[20], p[19]);
2137 accum.mul(ws[21], p[18]);
2138 accum.mul(ws[22], p[17]);
2139 accum.mul(ws[23], p[16]);
2140 accum.mul(ws[24], p[15]);
2141 accum.mul(ws[25], p[14]);
2142 accum.mul(ws[26], p[13]);
2143 accum.mul(ws[27], p[12]);
2144 accum.mul(ws[28], p[11]);
2145 accum.mul(ws[29], p[10]);
2146 accum.mul(ws[30], p[9]);
2147 accum.mul(ws[31], p[8]);
2148 accum.add(z[39]);
2149 ws[7] = accum.extract();
2150 accum.mul(ws[9], p[31]);
2151 accum.mul(ws[10], p[30]);
2152 accum.mul(ws[11], p[29]);
2153 accum.mul(ws[12], p[28]);
2154 accum.mul(ws[13], p[27]);
2155 accum.mul(ws[14], p[26]);
2156 accum.mul(ws[15], p[25]);
2157 accum.mul(ws[16], p[24]);
2158 accum.mul(ws[17], p[23]);
2159 accum.mul(ws[18], p[22]);
2160 accum.mul(ws[19], p[21]);
2161 accum.mul(ws[20], p[20]);
2162 accum.mul(ws[21], p[19]);
2163 accum.mul(ws[22], p[18]);
2164 accum.mul(ws[23], p[17]);
2165 accum.mul(ws[24], p[16]);
2166 accum.mul(ws[25], p[15]);
2167 accum.mul(ws[26], p[14]);
2168 accum.mul(ws[27], p[13]);
2169 accum.mul(ws[28], p[12]);
2170 accum.mul(ws[29], p[11]);
2171 accum.mul(ws[30], p[10]);
2172 accum.mul(ws[31], p[9]);
2173 accum.add(z[40]);
2174 ws[8] = accum.extract();
2175 accum.mul(ws[10], p[31]);
2176 accum.mul(ws[11], p[30]);
2177 accum.mul(ws[12], p[29]);
2178 accum.mul(ws[13], p[28]);
2179 accum.mul(ws[14], p[27]);
2180 accum.mul(ws[15], p[26]);
2181 accum.mul(ws[16], p[25]);
2182 accum.mul(ws[17], p[24]);
2183 accum.mul(ws[18], p[23]);
2184 accum.mul(ws[19], p[22]);
2185 accum.mul(ws[20], p[21]);
2186 accum.mul(ws[21], p[20]);
2187 accum.mul(ws[22], p[19]);
2188 accum.mul(ws[23], p[18]);
2189 accum.mul(ws[24], p[17]);
2190 accum.mul(ws[25], p[16]);
2191 accum.mul(ws[26], p[15]);
2192 accum.mul(ws[27], p[14]);
2193 accum.mul(ws[28], p[13]);
2194 accum.mul(ws[29], p[12]);
2195 accum.mul(ws[30], p[11]);
2196 accum.mul(ws[31], p[10]);
2197 accum.add(z[41]);
2198 ws[9] = accum.extract();
2199 accum.mul(ws[11], p[31]);
2200 accum.mul(ws[12], p[30]);
2201 accum.mul(ws[13], p[29]);
2202 accum.mul(ws[14], p[28]);
2203 accum.mul(ws[15], p[27]);
2204 accum.mul(ws[16], p[26]);
2205 accum.mul(ws[17], p[25]);
2206 accum.mul(ws[18], p[24]);
2207 accum.mul(ws[19], p[23]);
2208 accum.mul(ws[20], p[22]);
2209 accum.mul(ws[21], p[21]);
2210 accum.mul(ws[22], p[20]);
2211 accum.mul(ws[23], p[19]);
2212 accum.mul(ws[24], p[18]);
2213 accum.mul(ws[25], p[17]);
2214 accum.mul(ws[26], p[16]);
2215 accum.mul(ws[27], p[15]);
2216 accum.mul(ws[28], p[14]);
2217 accum.mul(ws[29], p[13]);
2218 accum.mul(ws[30], p[12]);
2219 accum.mul(ws[31], p[11]);
2220 accum.add(z[42]);
2221 ws[10] = accum.extract();
2222 accum.mul(ws[12], p[31]);
2223 accum.mul(ws[13], p[30]);
2224 accum.mul(ws[14], p[29]);
2225 accum.mul(ws[15], p[28]);
2226 accum.mul(ws[16], p[27]);
2227 accum.mul(ws[17], p[26]);
2228 accum.mul(ws[18], p[25]);
2229 accum.mul(ws[19], p[24]);
2230 accum.mul(ws[20], p[23]);
2231 accum.mul(ws[21], p[22]);
2232 accum.mul(ws[22], p[21]);
2233 accum.mul(ws[23], p[20]);
2234 accum.mul(ws[24], p[19]);
2235 accum.mul(ws[25], p[18]);
2236 accum.mul(ws[26], p[17]);
2237 accum.mul(ws[27], p[16]);
2238 accum.mul(ws[28], p[15]);
2239 accum.mul(ws[29], p[14]);
2240 accum.mul(ws[30], p[13]);
2241 accum.mul(ws[31], p[12]);
2242 accum.add(z[43]);
2243 ws[11] = accum.extract();
2244 accum.mul(ws[13], p[31]);
2245 accum.mul(ws[14], p[30]);
2246 accum.mul(ws[15], p[29]);
2247 accum.mul(ws[16], p[28]);
2248 accum.mul(ws[17], p[27]);
2249 accum.mul(ws[18], p[26]);
2250 accum.mul(ws[19], p[25]);
2251 accum.mul(ws[20], p[24]);
2252 accum.mul(ws[21], p[23]);
2253 accum.mul(ws[22], p[22]);
2254 accum.mul(ws[23], p[21]);
2255 accum.mul(ws[24], p[20]);
2256 accum.mul(ws[25], p[19]);
2257 accum.mul(ws[26], p[18]);
2258 accum.mul(ws[27], p[17]);
2259 accum.mul(ws[28], p[16]);
2260 accum.mul(ws[29], p[15]);
2261 accum.mul(ws[30], p[14]);
2262 accum.mul(ws[31], p[13]);
2263 accum.add(z[44]);
2264 ws[12] = accum.extract();
2265 accum.mul(ws[14], p[31]);
2266 accum.mul(ws[15], p[30]);
2267 accum.mul(ws[16], p[29]);
2268 accum.mul(ws[17], p[28]);
2269 accum.mul(ws[18], p[27]);
2270 accum.mul(ws[19], p[26]);
2271 accum.mul(ws[20], p[25]);
2272 accum.mul(ws[21], p[24]);
2273 accum.mul(ws[22], p[23]);
2274 accum.mul(ws[23], p[22]);
2275 accum.mul(ws[24], p[21]);
2276 accum.mul(ws[25], p[20]);
2277 accum.mul(ws[26], p[19]);
2278 accum.mul(ws[27], p[18]);
2279 accum.mul(ws[28], p[17]);
2280 accum.mul(ws[29], p[16]);
2281 accum.mul(ws[30], p[15]);
2282 accum.mul(ws[31], p[14]);
2283 accum.add(z[45]);
2284 ws[13] = accum.extract();
2285 accum.mul(ws[15], p[31]);
2286 accum.mul(ws[16], p[30]);
2287 accum.mul(ws[17], p[29]);
2288 accum.mul(ws[18], p[28]);
2289 accum.mul(ws[19], p[27]);
2290 accum.mul(ws[20], p[26]);
2291 accum.mul(ws[21], p[25]);
2292 accum.mul(ws[22], p[24]);
2293 accum.mul(ws[23], p[23]);
2294 accum.mul(ws[24], p[22]);
2295 accum.mul(ws[25], p[21]);
2296 accum.mul(ws[26], p[20]);
2297 accum.mul(ws[27], p[19]);
2298 accum.mul(ws[28], p[18]);
2299 accum.mul(ws[29], p[17]);
2300 accum.mul(ws[30], p[16]);
2301 accum.mul(ws[31], p[15]);
2302 accum.add(z[46]);
2303 ws[14] = accum.extract();
2304 accum.mul(ws[16], p[31]);
2305 accum.mul(ws[17], p[30]);
2306 accum.mul(ws[18], p[29]);
2307 accum.mul(ws[19], p[28]);
2308 accum.mul(ws[20], p[27]);
2309 accum.mul(ws[21], p[26]);
2310 accum.mul(ws[22], p[25]);
2311 accum.mul(ws[23], p[24]);
2312 accum.mul(ws[24], p[23]);
2313 accum.mul(ws[25], p[22]);
2314 accum.mul(ws[26], p[21]);
2315 accum.mul(ws[27], p[20]);
2316 accum.mul(ws[28], p[19]);
2317 accum.mul(ws[29], p[18]);
2318 accum.mul(ws[30], p[17]);
2319 accum.mul(ws[31], p[16]);
2320 accum.add(z[47]);
2321 ws[15] = accum.extract();
2322 accum.mul(ws[17], p[31]);
2323 accum.mul(ws[18], p[30]);
2324 accum.mul(ws[19], p[29]);
2325 accum.mul(ws[20], p[28]);
2326 accum.mul(ws[21], p[27]);
2327 accum.mul(ws[22], p[26]);
2328 accum.mul(ws[23], p[25]);
2329 accum.mul(ws[24], p[24]);
2330 accum.mul(ws[25], p[23]);
2331 accum.mul(ws[26], p[22]);
2332 accum.mul(ws[27], p[21]);
2333 accum.mul(ws[28], p[20]);
2334 accum.mul(ws[29], p[19]);
2335 accum.mul(ws[30], p[18]);
2336 accum.mul(ws[31], p[17]);
2337 accum.add(z[48]);
2338 ws[16] = accum.extract();
2339 accum.mul(ws[18], p[31]);
2340 accum.mul(ws[19], p[30]);
2341 accum.mul(ws[20], p[29]);
2342 accum.mul(ws[21], p[28]);
2343 accum.mul(ws[22], p[27]);
2344 accum.mul(ws[23], p[26]);
2345 accum.mul(ws[24], p[25]);
2346 accum.mul(ws[25], p[24]);
2347 accum.mul(ws[26], p[23]);
2348 accum.mul(ws[27], p[22]);
2349 accum.mul(ws[28], p[21]);
2350 accum.mul(ws[29], p[20]);
2351 accum.mul(ws[30], p[19]);
2352 accum.mul(ws[31], p[18]);
2353 accum.add(z[49]);
2354 ws[17] = accum.extract();
2355 accum.mul(ws[19], p[31]);
2356 accum.mul(ws[20], p[30]);
2357 accum.mul(ws[21], p[29]);
2358 accum.mul(ws[22], p[28]);
2359 accum.mul(ws[23], p[27]);
2360 accum.mul(ws[24], p[26]);
2361 accum.mul(ws[25], p[25]);
2362 accum.mul(ws[26], p[24]);
2363 accum.mul(ws[27], p[23]);
2364 accum.mul(ws[28], p[22]);
2365 accum.mul(ws[29], p[21]);
2366 accum.mul(ws[30], p[20]);
2367 accum.mul(ws[31], p[19]);
2368 accum.add(z[50]);
2369 ws[18] = accum.extract();
2370 accum.mul(ws[20], p[31]);
2371 accum.mul(ws[21], p[30]);
2372 accum.mul(ws[22], p[29]);
2373 accum.mul(ws[23], p[28]);
2374 accum.mul(ws[24], p[27]);
2375 accum.mul(ws[25], p[26]);
2376 accum.mul(ws[26], p[25]);
2377 accum.mul(ws[27], p[24]);
2378 accum.mul(ws[28], p[23]);
2379 accum.mul(ws[29], p[22]);
2380 accum.mul(ws[30], p[21]);
2381 accum.mul(ws[31], p[20]);
2382 accum.add(z[51]);
2383 ws[19] = accum.extract();
2384 accum.mul(ws[21], p[31]);
2385 accum.mul(ws[22], p[30]);
2386 accum.mul(ws[23], p[29]);
2387 accum.mul(ws[24], p[28]);
2388 accum.mul(ws[25], p[27]);
2389 accum.mul(ws[26], p[26]);
2390 accum.mul(ws[27], p[25]);
2391 accum.mul(ws[28], p[24]);
2392 accum.mul(ws[29], p[23]);
2393 accum.mul(ws[30], p[22]);
2394 accum.mul(ws[31], p[21]);
2395 accum.add(z[52]);
2396 ws[20] = accum.extract();
2397 accum.mul(ws[22], p[31]);
2398 accum.mul(ws[23], p[30]);
2399 accum.mul(ws[24], p[29]);
2400 accum.mul(ws[25], p[28]);
2401 accum.mul(ws[26], p[27]);
2402 accum.mul(ws[27], p[26]);
2403 accum.mul(ws[28], p[25]);
2404 accum.mul(ws[29], p[24]);
2405 accum.mul(ws[30], p[23]);
2406 accum.mul(ws[31], p[22]);
2407 accum.add(z[53]);
2408 ws[21] = accum.extract();
2409 accum.mul(ws[23], p[31]);
2410 accum.mul(ws[24], p[30]);
2411 accum.mul(ws[25], p[29]);
2412 accum.mul(ws[26], p[28]);
2413 accum.mul(ws[27], p[27]);
2414 accum.mul(ws[28], p[26]);
2415 accum.mul(ws[29], p[25]);
2416 accum.mul(ws[30], p[24]);
2417 accum.mul(ws[31], p[23]);
2418 accum.add(z[54]);
2419 ws[22] = accum.extract();
2420 accum.mul(ws[24], p[31]);
2421 accum.mul(ws[25], p[30]);
2422 accum.mul(ws[26], p[29]);
2423 accum.mul(ws[27], p[28]);
2424 accum.mul(ws[28], p[27]);
2425 accum.mul(ws[29], p[26]);
2426 accum.mul(ws[30], p[25]);
2427 accum.mul(ws[31], p[24]);
2428 accum.add(z[55]);
2429 ws[23] = accum.extract();
2430 accum.mul(ws[25], p[31]);
2431 accum.mul(ws[26], p[30]);
2432 accum.mul(ws[27], p[29]);
2433 accum.mul(ws[28], p[28]);
2434 accum.mul(ws[29], p[27]);
2435 accum.mul(ws[30], p[26]);
2436 accum.mul(ws[31], p[25]);
2437 accum.add(z[56]);
2438 ws[24] = accum.extract();
2439 accum.mul(ws[26], p[31]);
2440 accum.mul(ws[27], p[30]);
2441 accum.mul(ws[28], p[29]);
2442 accum.mul(ws[29], p[28]);
2443 accum.mul(ws[30], p[27]);
2444 accum.mul(ws[31], p[26]);
2445 accum.add(z[57]);
2446 ws[25] = accum.extract();
2447 accum.mul(ws[27], p[31]);
2448 accum.mul(ws[28], p[30]);
2449 accum.mul(ws[29], p[29]);
2450 accum.mul(ws[30], p[28]);
2451 accum.mul(ws[31], p[27]);
2452 accum.add(z[58]);
2453 ws[26] = accum.extract();
2454 accum.mul(ws[28], p[31]);
2455 accum.mul(ws[29], p[30]);
2456 accum.mul(ws[30], p[29]);
2457 accum.mul(ws[31], p[28]);
2458 accum.add(z[59]);
2459 ws[27] = accum.extract();
2460 accum.mul(ws[29], p[31]);
2461 accum.mul(ws[30], p[30]);
2462 accum.mul(ws[31], p[29]);
2463 accum.add(z[60]);
2464 ws[28] = accum.extract();
2465 accum.mul(ws[30], p[31]);
2466 accum.mul(ws[31], p[30]);
2467 accum.add(z[61]);
2468 ws[29] = accum.extract();
2469 accum.mul(ws[31], p[31]);
2470 accum.add(z[62]);
2471 ws[30] = accum.extract();
2472 accum.add(z[63]);
2473 ws[31] = accum.extract();
2474 word w1 = accum.extract();
2475 bigint_monty_maybe_sub<32>(r, w1, ws, p);
2476}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_4()

void Botan::bigint_monty_redc_4 ( word r[4],
const word z[8],
const word p[4],
word p_dash,
word ws[4] )

Definition at line 14 of file mp_monty_n.cpp.

14 {
15 word3<word> accum;
16 accum.add(z[0]);
17 ws[0] = accum.monty_step(p[0], p_dash);
18 accum.mul(ws[0], p[1]);
19 accum.add(z[1]);
20 ws[1] = accum.monty_step(p[0], p_dash);
21 accum.mul(ws[0], p[2]);
22 accum.mul(ws[1], p[1]);
23 accum.add(z[2]);
24 ws[2] = accum.monty_step(p[0], p_dash);
25 accum.mul(ws[0], p[3]);
26 accum.mul(ws[1], p[2]);
27 accum.mul(ws[2], p[1]);
28 accum.add(z[3]);
29 ws[3] = accum.monty_step(p[0], p_dash);
30 accum.mul(ws[1], p[3]);
31 accum.mul(ws[2], p[2]);
32 accum.mul(ws[3], p[1]);
33 accum.add(z[4]);
34 ws[0] = accum.extract();
35 accum.mul(ws[2], p[3]);
36 accum.mul(ws[3], p[2]);
37 accum.add(z[5]);
38 ws[1] = accum.extract();
39 accum.mul(ws[3], p[3]);
40 accum.add(z[6]);
41 ws[2] = accum.extract();
42 accum.add(z[7]);
43 ws[3] = accum.extract();
44 word w1 = accum.extract();
45 bigint_monty_maybe_sub<4>(r, w1, ws, p);
46}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc(), and monty_redc().

◆ bigint_monty_redc_6()

void Botan::bigint_monty_redc_6 ( word r[6],
const word z[12],
const word p[6],
word p_dash,
word ws[6] )

Definition at line 48 of file mp_monty_n.cpp.

48 {
49 word3<word> accum;
50 accum.add(z[0]);
51 ws[0] = accum.monty_step(p[0], p_dash);
52 accum.mul(ws[0], p[1]);
53 accum.add(z[1]);
54 ws[1] = accum.monty_step(p[0], p_dash);
55 accum.mul(ws[0], p[2]);
56 accum.mul(ws[1], p[1]);
57 accum.add(z[2]);
58 ws[2] = accum.monty_step(p[0], p_dash);
59 accum.mul(ws[0], p[3]);
60 accum.mul(ws[1], p[2]);
61 accum.mul(ws[2], p[1]);
62 accum.add(z[3]);
63 ws[3] = accum.monty_step(p[0], p_dash);
64 accum.mul(ws[0], p[4]);
65 accum.mul(ws[1], p[3]);
66 accum.mul(ws[2], p[2]);
67 accum.mul(ws[3], p[1]);
68 accum.add(z[4]);
69 ws[4] = accum.monty_step(p[0], p_dash);
70 accum.mul(ws[0], p[5]);
71 accum.mul(ws[1], p[4]);
72 accum.mul(ws[2], p[3]);
73 accum.mul(ws[3], p[2]);
74 accum.mul(ws[4], p[1]);
75 accum.add(z[5]);
76 ws[5] = accum.monty_step(p[0], p_dash);
77 accum.mul(ws[1], p[5]);
78 accum.mul(ws[2], p[4]);
79 accum.mul(ws[3], p[3]);
80 accum.mul(ws[4], p[2]);
81 accum.mul(ws[5], p[1]);
82 accum.add(z[6]);
83 ws[0] = accum.extract();
84 accum.mul(ws[2], p[5]);
85 accum.mul(ws[3], p[4]);
86 accum.mul(ws[4], p[3]);
87 accum.mul(ws[5], p[2]);
88 accum.add(z[7]);
89 ws[1] = accum.extract();
90 accum.mul(ws[3], p[5]);
91 accum.mul(ws[4], p[4]);
92 accum.mul(ws[5], p[3]);
93 accum.add(z[8]);
94 ws[2] = accum.extract();
95 accum.mul(ws[4], p[5]);
96 accum.mul(ws[5], p[4]);
97 accum.add(z[9]);
98 ws[3] = accum.extract();
99 accum.mul(ws[5], p[5]);
100 accum.add(z[10]);
101 ws[4] = accum.extract();
102 accum.add(z[11]);
103 ws[5] = accum.extract();
104 word w1 = accum.extract();
105 bigint_monty_maybe_sub<6>(r, w1, ws, p);
106}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc(), and monty_redc().

◆ bigint_monty_redc_8()

void Botan::bigint_monty_redc_8 ( word r[8],
const word z[16],
const word p[8],
word p_dash,
word ws[8] )

Definition at line 108 of file mp_monty_n.cpp.

108 {
109 word3<word> accum;
110 accum.add(z[0]);
111 ws[0] = accum.monty_step(p[0], p_dash);
112 accum.mul(ws[0], p[1]);
113 accum.add(z[1]);
114 ws[1] = accum.monty_step(p[0], p_dash);
115 accum.mul(ws[0], p[2]);
116 accum.mul(ws[1], p[1]);
117 accum.add(z[2]);
118 ws[2] = accum.monty_step(p[0], p_dash);
119 accum.mul(ws[0], p[3]);
120 accum.mul(ws[1], p[2]);
121 accum.mul(ws[2], p[1]);
122 accum.add(z[3]);
123 ws[3] = accum.monty_step(p[0], p_dash);
124 accum.mul(ws[0], p[4]);
125 accum.mul(ws[1], p[3]);
126 accum.mul(ws[2], p[2]);
127 accum.mul(ws[3], p[1]);
128 accum.add(z[4]);
129 ws[4] = accum.monty_step(p[0], p_dash);
130 accum.mul(ws[0], p[5]);
131 accum.mul(ws[1], p[4]);
132 accum.mul(ws[2], p[3]);
133 accum.mul(ws[3], p[2]);
134 accum.mul(ws[4], p[1]);
135 accum.add(z[5]);
136 ws[5] = accum.monty_step(p[0], p_dash);
137 accum.mul(ws[0], p[6]);
138 accum.mul(ws[1], p[5]);
139 accum.mul(ws[2], p[4]);
140 accum.mul(ws[3], p[3]);
141 accum.mul(ws[4], p[2]);
142 accum.mul(ws[5], p[1]);
143 accum.add(z[6]);
144 ws[6] = accum.monty_step(p[0], p_dash);
145 accum.mul(ws[0], p[7]);
146 accum.mul(ws[1], p[6]);
147 accum.mul(ws[2], p[5]);
148 accum.mul(ws[3], p[4]);
149 accum.mul(ws[4], p[3]);
150 accum.mul(ws[5], p[2]);
151 accum.mul(ws[6], p[1]);
152 accum.add(z[7]);
153 ws[7] = accum.monty_step(p[0], p_dash);
154 accum.mul(ws[1], p[7]);
155 accum.mul(ws[2], p[6]);
156 accum.mul(ws[3], p[5]);
157 accum.mul(ws[4], p[4]);
158 accum.mul(ws[5], p[3]);
159 accum.mul(ws[6], p[2]);
160 accum.mul(ws[7], p[1]);
161 accum.add(z[8]);
162 ws[0] = accum.extract();
163 accum.mul(ws[2], p[7]);
164 accum.mul(ws[3], p[6]);
165 accum.mul(ws[4], p[5]);
166 accum.mul(ws[5], p[4]);
167 accum.mul(ws[6], p[3]);
168 accum.mul(ws[7], p[2]);
169 accum.add(z[9]);
170 ws[1] = accum.extract();
171 accum.mul(ws[3], p[7]);
172 accum.mul(ws[4], p[6]);
173 accum.mul(ws[5], p[5]);
174 accum.mul(ws[6], p[4]);
175 accum.mul(ws[7], p[3]);
176 accum.add(z[10]);
177 ws[2] = accum.extract();
178 accum.mul(ws[4], p[7]);
179 accum.mul(ws[5], p[6]);
180 accum.mul(ws[6], p[5]);
181 accum.mul(ws[7], p[4]);
182 accum.add(z[11]);
183 ws[3] = accum.extract();
184 accum.mul(ws[5], p[7]);
185 accum.mul(ws[6], p[6]);
186 accum.mul(ws[7], p[5]);
187 accum.add(z[12]);
188 ws[4] = accum.extract();
189 accum.mul(ws[6], p[7]);
190 accum.mul(ws[7], p[6]);
191 accum.add(z[13]);
192 ws[5] = accum.extract();
193 accum.mul(ws[7], p[7]);
194 accum.add(z[14]);
195 ws[6] = accum.extract();
196 accum.add(z[15]);
197 ws[7] = accum.extract();
198 word w1 = accum.extract();
199 bigint_monty_maybe_sub<8>(r, w1, ws, p);
200}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc(), and monty_redc().

◆ bigint_monty_redc_generic()

void Botan::bigint_monty_redc_generic ( word r[],
const word z[],
size_t z_size,
const word p[],
size_t p_size,
word p_dash,
word ws[] )

Definition at line 31 of file mp_monty.cpp.

32 {
33 BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic");
34
35 word3<word> accum;
36
37 accum.add(z[0]);
38
39 ws[0] = accum.monty_step(p[0], p_dash);
40
41 for(size_t i = 1; i != p_size; ++i) {
42 for(size_t j = 0; j < i; ++j) {
43 accum.mul(ws[j], p[i - j]);
44 }
45
46 accum.add(z[i]);
47 ws[i] = accum.monty_step(p[0], p_dash);
48 }
49
50 for(size_t i = 0; i != p_size - 1; ++i) {
51 for(size_t j = i + 1; j != p_size; ++j) {
52 accum.mul(ws[j], p[p_size + i - j]);
53 }
54
55 accum.add(z[p_size + i]);
56 ws[i] = accum.extract();
57 }
58
59 accum.add(z[2 * p_size - 1]);
60
61 ws[p_size - 1] = accum.extract();
62 // w1 is the final part, which is not stored in the workspace
63 const word w1 = accum.extract();
64
65 /*
66 * The result might need to be reduced mod p. To avoid a timing
67 * channel, always perform the subtraction. If in the compution
68 * of x - p a borrow is required then x was already < p.
69 *
70 * x starts at ws[0] and is p_size bytes long plus a possible high
71 * digit left over in w1.
72 *
73 * x - p starts at z[0] and is also p_size bytes long
74 *
75 * If borrow was set after the subtraction, then x was already less
76 * than p and the subtraction was not needed. In that case overwrite
77 * z[0:p_size] with the original x in ws[0:p_size].
78 *
79 * We only copy out p_size in the final step because we know
80 * the Montgomery result is < P
81 */
82
83 bigint_monty_maybe_sub(p_size, r, w1, ws, p);
84}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), BOTAN_ARG_CHECK, Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by bigint_monty_redc().

◆ bigint_monty_redc_inplace()

void Botan::bigint_monty_redc_inplace ( word z[],
const word p[],
size_t p_size,
word p_dash,
word ws[],
size_t ws_size )
inline

Definition at line 829 of file mp_core.h.

829 {
830 bigint_monty_redc(z, z, p, p_size, p_dash, ws, ws_size);
831 clear_mem(z + p_size, p_size);
832}
void bigint_monty_redc(word r[], const word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
Definition mp_core.h:804

References bigint_monty_redc(), and clear_mem().

Referenced by Botan::Montgomery_Int::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Int::mul_by(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::redc(), Botan::Montgomery_Params::sqr(), Botan::Montgomery_Int::square_this_n_times(), and Botan::Montgomery_Int::value().

◆ bigint_mul()

void Botan::bigint_mul ( word z[],
size_t z_size,
const word x[],
size_t x_size,
size_t x_sw,
const word y[],
size_t y_size,
size_t y_sw,
word workspace[],
size_t ws_size )

Definition at line 283 of file mp_karat.cpp.

292 {
293 clear_mem(z, z_size);
294
295 if(x_sw == 1) {
296 bigint_linmul3(z, y, y_sw, x[0]);
297 } else if(y_sw == 1) {
298 bigint_linmul3(z, x, x_sw, y[0]);
299 } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) {
300 bigint_comba_mul4(z, x, y);
301 } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) {
302 bigint_comba_mul6(z, x, y);
303 } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) {
304 bigint_comba_mul8(z, x, y);
305 } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) {
306 bigint_comba_mul9(z, x, y);
307 } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) {
308 bigint_comba_mul16(z, x, y);
309 } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) {
310 bigint_comba_mul24(z, x, y);
311 } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || workspace == nullptr) {
312 basecase_mul(z, z_size, x, x_sw, y, y_sw);
313 } else {
314 const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw);
315
316 if(N > 0 && z_size >= 2 * N && ws_size >= 2 * N) {
317 karatsuba_mul(z, x, y, N, workspace);
318 } else {
319 basecase_mul(z, z_size, x, x_sw, y, y_sw);
320 }
321 }
322}
constexpr void bigint_linmul3(W z[], const W x[], size_t x_size, W y)
Definition mp_core.h:405
void bigint_comba_mul4(word z[8], const word x[4], const word y[4])
Definition mp_comba.cpp:42
void bigint_comba_mul16(word z[32], const word x[16], const word y[16])
Definition mp_comba.cpp:794
void bigint_comba_mul6(word z[12], const word x[6], const word y[6])
Definition mp_comba.cpp:115
void bigint_comba_mul9(word z[18], const word x[9], const word y[9])
Definition mp_comba.cpp:511
void bigint_comba_mul24(word z[48], const word x[24], const word y[24])
BOTAN_FUZZER_API void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_karat.cpp:20
void bigint_comba_mul8(word z[16], const word x[8], const word y[8])
Definition mp_comba.cpp:352

References basecase_mul(), bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_linmul3(), and clear_mem().

Referenced by Botan::BigInt::mul(), Botan::Montgomery_Int::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Int::mul_by(), Botan::Montgomery_Params::mul_by(), Botan::Barrett_Reduction::multiply(), operator*(), and Botan::Scalar448::operator*().

◆ bigint_shl1()

template<WordType W>
void Botan::bigint_shl1 ( W x[],
size_t x_size,
size_t x_words,
size_t shift )
inlineconstexpr

Definition at line 309 of file mp_core.h.

309 {
310 const size_t word_shift = shift / WordInfo<W>::bits;
311 const size_t bit_shift = shift % WordInfo<W>::bits;
312
313 copy_mem(x + word_shift, x, x_words);
314 clear_mem(x, word_shift);
315
316 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
317 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
318
319 W carry = 0;
320 for(size_t i = word_shift; i != x_size; ++i) {
321 const W w = x[i];
322 x[i] = (w << bit_shift) | carry;
323 carry = carry_mask.if_set_return(w >> carry_shift);
324 }
325}
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
constexpr uint64_t carry_shift(const donna128 &a, size_t shift)
Definition donna128.h:129

References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by ct_divide_pow2k(), and Botan::BigInt::operator<<=().

◆ bigint_shl2()

template<WordType W>
void Botan::bigint_shl2 ( W y[],
const W x[],
size_t x_size,
size_t shift )
inlineconstexpr

Definition at line 352 of file mp_core.h.

352 {
353 const size_t word_shift = shift / WordInfo<W>::bits;
354 const size_t bit_shift = shift % WordInfo<W>::bits;
355
356 copy_mem(y + word_shift, x, x_size);
357
358 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
359 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
360
361 W carry = 0;
362 for(size_t i = word_shift; i != x_size + word_shift + 1; ++i) {
363 const W w = y[i];
364 y[i] = (w << bit_shift) | carry;
365 carry = carry_mask.if_set_return(w >> carry_shift);
366 }
367}

References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_shift_left(), and operator<<().

◆ bigint_shr1()

template<WordType W>
void Botan::bigint_shr1 ( W x[],
size_t x_size,
size_t shift )
inlineconstexpr

Definition at line 328 of file mp_core.h.

328 {
329 const size_t word_shift = shift / WordInfo<W>::bits;
330 const size_t bit_shift = shift % WordInfo<W>::bits;
331
332 const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0;
333
334 if(top > 0) {
335 copy_mem(x, x + word_shift, top);
336 }
337 clear_mem(x + top, std::min(word_shift, x_size));
338
339 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
340 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
341
342 W carry = 0;
343
344 for(size_t i = 0; i != top; ++i) {
345 const W w = x[top - i - 1];
346 x[top - i - 1] = (w >> bit_shift) | carry;
347 carry = carry_mask.if_set_return(w << carry_shift);
348 }
349}

References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::operator>>=().

◆ bigint_shr2()

template<WordType W>
void Botan::bigint_shr2 ( W y[],
const W x[],
size_t x_size,
size_t shift )
inlineconstexpr

Definition at line 370 of file mp_core.h.

370 {
371 const size_t word_shift = shift / WordInfo<W>::bits;
372 const size_t bit_shift = shift % WordInfo<W>::bits;
373 const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift);
374
375 if(new_size > 0) {
376 copy_mem(y, x + word_shift, new_size);
377 }
378
379 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
380 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
381
382 W carry = 0;
383 for(size_t i = new_size; i > 0; --i) {
384 W w = y[i - 1];
385 y[i - 1] = (w >> bit_shift) | carry;
386 carry = carry_mask.if_set_return(w << carry_shift);
387 }
388}

References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by gcd(), and operator>>().

◆ bigint_sqr()

void Botan::bigint_sqr ( word z[],
size_t z_size,
const word x[],
size_t x_size,
size_t x_sw,
word workspace[],
size_t ws_size )

Definition at line 327 of file mp_karat.cpp.

327 {
328 clear_mem(z, z_size);
329
330 BOTAN_ASSERT(z_size / 2 >= x_sw, "Output size is sufficient");
331
332 if(x_sw == 1) {
333 bigint_linmul3(z, x, x_sw, x[0]);
334 } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) {
335 bigint_comba_sqr4(z, x);
336 } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) {
337 bigint_comba_sqr6(z, x);
338 } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) {
339 bigint_comba_sqr8(z, x);
340 } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) {
341 bigint_comba_sqr9(z, x);
342 } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) {
343 bigint_comba_sqr16(z, x);
344 } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) {
345 bigint_comba_sqr24(z, x);
346 } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || workspace == nullptr) {
347 basecase_sqr(z, z_size, x, x_sw);
348 } else {
349 const size_t N = karatsuba_size(z_size, x_size, x_sw);
350
351 if(N > 0 && z_size >= 2 * N && ws_size >= 2 * N) {
352 karatsuba_sqr(z, x, N, workspace);
353 } else {
354 basecase_sqr(z, z_size, x, x_sw);
355 }
356 }
357}
BOTAN_FUZZER_API void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size)
Definition mp_karat.cpp:46
void bigint_comba_sqr4(word z[8], const word x[4])
Definition mp_comba.cpp:16
void bigint_comba_sqr6(word z[12], const word x[6])
Definition mp_comba.cpp:74
void bigint_comba_sqr8(word z[16], const word x[8])
Definition mp_comba.cpp:292
void bigint_comba_sqr16(word z[32], const word x[16])
Definition mp_comba.cpp:618
void bigint_comba_sqr9(word z[18], const word x[9])
Definition mp_comba.cpp:440
void bigint_comba_sqr24(word z[48], const word x[24])

References basecase_sqr(), bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_linmul3(), BOTAN_ASSERT, and clear_mem().

Referenced by Botan::Montgomery_Params::sqr(), Botan::Barrett_Reduction::square(), Botan::BigInt::square(), and Botan::Montgomery_Int::square_this_n_times().

◆ bigint_sub2()

template<WordType W>
auto Botan::bigint_sub2 ( W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Two operand subtraction

Definition at line 150 of file mp_core.h.

150 {
151 W borrow = 0;
152
153 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
154
155 const size_t blocks = y_size - (y_size % 8);
156
157 for(size_t i = 0; i != blocks; i += 8) {
158 borrow = word8_sub2(x + i, y + i, borrow);
159 }
160
161 for(size_t i = blocks; i != y_size; ++i) {
162 x[i] = word_sub(x[i], y[i], &borrow);
163 }
164
165 for(size_t i = y_size; i != x_size; ++i) {
166 x[i] = word_sub(x[i], static_cast<W>(0), &borrow);
167 }
168
169 return borrow;
170}
constexpr auto word8_sub2(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:305

References BOTAN_ASSERT, word8_sub2(), and word_sub().

Referenced by Botan::BigInt::add().

◆ bigint_sub2_rev()

template<WordType W>
void Botan::bigint_sub2_rev ( W x[],
const W y[],
size_t y_size )
inlineconstexpr

Two operand subtraction, x = y - x; assumes y >= x

Definition at line 176 of file mp_core.h.

176 {
177 W borrow = 0;
178
179 for(size_t i = 0; i != y_size; ++i) {
180 x[i] = word_sub(y[i], x[i], &borrow);
181 }
182
183 BOTAN_ASSERT(borrow == 0, "y must be greater than x");
184}

References BOTAN_ASSERT, and word_sub().

Referenced by Botan::BigInt::add().

◆ bigint_sub3()

template<WordType W>
auto Botan::bigint_sub3 ( W z[],
const W x[],
size_t x_size,
const W y[],
size_t y_size ) -> W
inlineconstexpr

Three operand subtraction

Expects that x_size >= y_size

Writes to z[0:x_size] and returns borrow

Definition at line 194 of file mp_core.h.

194 {
195 W borrow = 0;
196
197 BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
198
199 const size_t blocks = y_size - (y_size % 8);
200
201 for(size_t i = 0; i != blocks; i += 8) {
202 borrow = word8_sub3(z + i, x + i, y + i, borrow);
203 }
204
205 for(size_t i = blocks; i != y_size; ++i) {
206 z[i] = word_sub(x[i], y[i], &borrow);
207 }
208
209 for(size_t i = y_size; i != x_size; ++i) {
210 z[i] = word_sub(x[i], static_cast<W>(0), &borrow);
211 }
212
213 return borrow;
214}

References BOTAN_ASSERT, word8_sub3(), and word_sub().

Referenced by Botan::BigInt::add2(), ct_divide(), ct_divide_pow2k(), ct_modulo(), Botan::BigInt::ct_reduce_below(), Botan::IntMod< MontgomeryRep< ScalarParams > >::invert_vartime(), Botan::BigInt::mod_add(), Botan::BigInt::mod_sub(), Botan::Montgomery_Int::operator-(), p_minus(), p_minus_1_over_2(), Botan::BigInt::reduce_below(), and reduce_mod().

◆ bigint_sub_abs()

template<WordType W>
auto Botan::bigint_sub_abs ( W z[],
const W x[],
const W y[],
size_t N,
W ws[] ) -> CT::Mask<W>
inlineconstexpr

Return abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Returns a Mask: |1| if x >= y or |0| if x < y

Parameters
zoutput array of at least N words
xinput array of N words
yinput array of N words
Nlength of x and y
wsarray of at least 2*N words

Definition at line 281 of file mp_core.h.

281 {
282 // Subtract in both direction then conditional copy out the result
283
284 W* ws0 = ws;
285 W* ws1 = ws + N;
286
287 W borrow0 = 0;
288 W borrow1 = 0;
289
290 const size_t blocks = N - (N % 8);
291
292 for(size_t i = 0; i != blocks; i += 8) {
293 borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0);
294 borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1);
295 }
296
297 for(size_t i = blocks; i != N; ++i) {
298 ws0[i] = word_sub(x[i], y[i], &borrow0);
299 ws1[i] = word_sub(y[i], x[i], &borrow1);
300 }
301
302 return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N);
303}
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *dest, const T *if_set, const T *if_unset, size_t elems)
Definition ct_utils.h:760

References Botan::CT::conditional_copy_mem(), word8_sub3(), and word_sub().

Referenced by gcd().

◆ bit_permute_step()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::bit_permute_step ( T x,
T mask,
size_t shift )
constexpr

Definition at line 172 of file bit_ops.h.

172 {
173 /*
174 See https://reflectionsonsecurity.wordpress.com/2014/05/11/efficient-bit-permutation-using-delta-swaps/
175 and http://programming.sirrida.de/bit_perm.html
176 */
177 const T swap = ((x >> shift) ^ x) & mask;
178 return (x ^ swap) ^ (swap << shift);
179}

References BOTAN_FORCE_INLINE.

◆ bit_size_to_32bit_size()

size_t Botan::bit_size_to_32bit_size ( size_t bit_size)
inline

Definition at line 46 of file code_based_util.h.

46 {
47 return (bit_size - 1) / 32 + 1;
48}

Referenced by generate_mceliece_key(), mceliece_decrypt(), and Botan::McEliece_PrivateKey::McEliece_PrivateKey().

◆ bit_size_to_byte_size()

size_t Botan::bit_size_to_byte_size ( size_t bit_size)
inline

Definition at line 42 of file code_based_util.h.

42 {
43 return (bit_size - 1) / 8 + 1;
44}

Referenced by mceliece_decrypt().

◆ bitlen()

auto Botan::bitlen ( size_t x)
constexpr

Definition at line 101 of file pqcrystals_helpers.h.

101 {
102 return ceil_log2(x + 1);
103}
constexpr uint8_t ceil_log2(T x)
Definition bit_ops.h:120

References ceil_log2().

Referenced by Botan::DilithiumConstants::DilithiumConstants(), Botan::KyberConstants::KyberConstants(), and Botan::bitvector_base< secure_allocator >::subvector().

◆ buffer_insert() [1/2]

template<typename T, typename Alloc, typename Alloc2>
size_t Botan::buffer_insert ( std::vector< T, Alloc > & buf,
size_t buf_offset,
const std::vector< T, Alloc2 > & input )

Definition at line 326 of file mem_ops.h.

326 {
327 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
328 const size_t to_copy = std::min(input.size(), buf.size() - buf_offset);
329 if(to_copy > 0) {
330 copy_mem(&buf[buf_offset], input.data(), to_copy);
331 }
332 return to_copy;
333}
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

References BOTAN_ASSERT_NOMSG, buffer_insert(), and copy_mem().

◆ buffer_insert() [2/2]

template<typename T, typename Alloc>
size_t Botan::buffer_insert ( std::vector< T, Alloc > & buf,
size_t buf_offset,
const T input[],
size_t input_length )

Definition at line 315 of file mem_ops.h.

315 {
316 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
317 const size_t to_copy = std::min(input_length, buf.size() - buf_offset);
318 if(to_copy > 0) {
319 copy_mem(&buf[buf_offset], input, to_copy);
320 }
321 return to_copy;
322}

References BOTAN_ASSERT_NOMSG, buffer_insert(), and copy_mem().

Referenced by buffer_insert(), and buffer_insert().

◆ bytes_to_string()

std::string Botan::bytes_to_string ( std::span< const uint8_t > bytes)
inline

Definition at line 45 of file mem_utils.h.

45 {
46 return std::string(reinterpret_cast<const char*>(bytes.data()), bytes.size());
47}

Referenced by Botan::CryptoBox::decrypt(), Botan::PSK_Database::get_str(), Botan::TLS::TLS_Data_Reader::get_string(), Botan::TLS::PskIdentity::identity_as_string(), Botan::Encrypted_PSK_Database::list_names(), and Botan::ASN1::to_string().

◆ bytes_to_words()

template<WordType W, size_t N, size_t L>
auto Botan::bytes_to_words ( std::span< const uint8_t, L > bytes)
inlineconstexpr

Definition at line 287 of file pcurves_util.h.

287 {
288 static_assert(L <= WordInfo<W>::bytes * N);
289
290 std::array<W, N> r = {};
291
292 constexpr size_t full_words = L / WordInfo<W>::bytes;
293 constexpr size_t extra_bytes = L % WordInfo<W>::bytes;
294
295 static_assert(full_words + (extra_bytes ? 1 : 0) <= N);
296
297 for(size_t i = 0; i != full_words; ++i) {
298 r[i] = load_be<W>(bytes.data(), full_words - 1 - i);
299 }
300
301 if constexpr(extra_bytes > 0) {
302 constexpr size_t shift = extra_bytes * 8;
304
305 for(size_t i = 0; i != extra_bytes; ++i) {
306 const W b0 = bytes[WordInfo<W>::bytes * full_words + i];
307 r[0] |= (b0 << (8 * (extra_bytes - 1 - i)));
308 }
309 }
310
311 return r;
312}
constexpr W shift_left(std::array< W, N > &x)
Definition mp_core.h:612

References load_be(), and shift_left().

Referenced by Botan::Scalar448::bytes_are_reduced(), Botan::IntMod< MontgomeryRep< ScalarParams > >::deserialize(), Botan::IntMod< MontgomeryRep< ScalarParams > >::from_wide_bytes(), Botan::IntMod< MontgomeryRep< ScalarParams > >::from_wide_bytes_varlen(), and Botan::Scalar448::Scalar448().

◆ camellia_gfni_decrypt12()

void Botan::camellia_gfni_decrypt12 ( const uint8_t in[],
uint8_t out[],
size_t blocks,
std::span< const uint64_t > SK )

Definition at line 285 of file camellia_gfni.cpp.

288 {
289 using namespace Camellia_GFNI;
290
291 for(size_t i = 0; i < blocks; ++i) {
292 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
293 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
294
295 D2 ^= SK[33];
296 D1 ^= SK[32];
297
298 D2 ^= F(D1 ^ SK[31]);
299 D1 ^= F(D2 ^ SK[30]);
300
301 D2 ^= F(D1 ^ SK[29]);
302 D1 ^= F(D2 ^ SK[28]);
303
304 D2 ^= F(D1 ^ SK[27]);
305 D1 ^= F(D2 ^ SK[26]);
306
307 D1 = FL(D1, SK[25]);
308 D2 = FLINV(D2, SK[24]);
309 D2 ^= F(D1 ^ SK[23]);
310 D1 ^= F(D2 ^ SK[22]);
311 D2 ^= F(D1 ^ SK[21]);
312 D1 ^= F(D2 ^ SK[20]);
313 D2 ^= F(D1 ^ SK[19]);
314 D1 ^= F(D2 ^ SK[18]);
315
316 D1 = FL(D1, SK[17]);
317 D2 = FLINV(D2, SK[16]);
318 D2 ^= F(D1 ^ SK[15]);
319 D1 ^= F(D2 ^ SK[14]);
320 D2 ^= F(D1 ^ SK[13]);
321 D1 ^= F(D2 ^ SK[12]);
322 D2 ^= F(D1 ^ SK[11]);
323 D1 ^= F(D2 ^ SK[10]);
324
325 D1 = FL(D1, SK[9]);
326 D2 = FLINV(D2, SK[8]);
327 D2 ^= F(D1 ^ SK[7]);
328 D1 ^= F(D2 ^ SK[6]);
329 D2 ^= F(D1 ^ SK[5]);
330 D1 ^= F(D2 ^ SK[4]);
331 D2 ^= F(D1 ^ SK[3]);
332 D1 ^= F(D2 ^ SK[2]);
333
334 D1 ^= SK[1];
335 D2 ^= SK[0];
336
337 store_be(out + 16 * i, D2, D1);
338 }
339}
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745

References load_be(), and store_be().

Referenced by Botan::Camellia_192::decrypt_n(), and Botan::Camellia_256::decrypt_n().

◆ camellia_gfni_decrypt9()

void Botan::camellia_gfni_decrypt9 ( const uint8_t in[],
uint8_t out[],
size_t blocks,
std::span< const uint64_t > SK )

Definition at line 179 of file camellia_gfni.cpp.

182 {
183 using namespace Camellia_GFNI;
184
185 for(size_t i = 0; i < blocks; ++i) {
186 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
187 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
188
189 D2 ^= SK[25];
190 D1 ^= SK[24];
191
192 D2 ^= F(D1 ^ SK[23]);
193 D1 ^= F(D2 ^ SK[22]);
194
195 D2 ^= F(D1 ^ SK[21]);
196 D1 ^= F(D2 ^ SK[20]);
197
198 D2 ^= F(D1 ^ SK[19]);
199 D1 ^= F(D2 ^ SK[18]);
200
201 D1 = FL(D1, SK[17]);
202 D2 = FLINV(D2, SK[16]);
203
204 D2 ^= F(D1 ^ SK[15]);
205 D1 ^= F(D2 ^ SK[14]);
206 D2 ^= F(D1 ^ SK[13]);
207 D1 ^= F(D2 ^ SK[12]);
208 D2 ^= F(D1 ^ SK[11]);
209 D1 ^= F(D2 ^ SK[10]);
210
211 D1 = FL(D1, SK[9]);
212 D2 = FLINV(D2, SK[8]);
213
214 D2 ^= F(D1 ^ SK[7]);
215 D1 ^= F(D2 ^ SK[6]);
216 D2 ^= F(D1 ^ SK[5]);
217 D1 ^= F(D2 ^ SK[4]);
218 D2 ^= F(D1 ^ SK[3]);
219 D1 ^= F(D2 ^ SK[2]);
220
221 D1 ^= SK[1];
222 D2 ^= SK[0];
223
224 store_be(out + 16 * i, D2, D1);
225 }
226}

References load_be(), and store_be().

Referenced by Botan::Camellia_128::decrypt_n().

◆ camellia_gfni_encrypt12()

void Botan::camellia_gfni_encrypt12 ( const uint8_t in[],
uint8_t out[],
size_t blocks,
std::span< const uint64_t > SK )

Definition at line 228 of file camellia_gfni.cpp.

231 {
232 using namespace Camellia_GFNI;
233
234 for(size_t i = 0; i < blocks; ++i) {
235 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
236 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
237
238 D1 ^= SK[0];
239 D2 ^= SK[1];
240
241 D2 ^= F(D1 ^ SK[2]);
242 D1 ^= F(D2 ^ SK[3]);
243 D2 ^= F(D1 ^ SK[4]);
244 D1 ^= F(D2 ^ SK[5]);
245 D2 ^= F(D1 ^ SK[6]);
246 D1 ^= F(D2 ^ SK[7]);
247
248 D1 = FL(D1, SK[8]);
249 D2 = FLINV(D2, SK[9]);
250
251 D2 ^= F(D1 ^ SK[10]);
252 D1 ^= F(D2 ^ SK[11]);
253 D2 ^= F(D1 ^ SK[12]);
254 D1 ^= F(D2 ^ SK[13]);
255 D2 ^= F(D1 ^ SK[14]);
256 D1 ^= F(D2 ^ SK[15]);
257
258 D1 = FL(D1, SK[16]);
259 D2 = FLINV(D2, SK[17]);
260
261 D2 ^= F(D1 ^ SK[18]);
262 D1 ^= F(D2 ^ SK[19]);
263 D2 ^= F(D1 ^ SK[20]);
264 D1 ^= F(D2 ^ SK[21]);
265 D2 ^= F(D1 ^ SK[22]);
266 D1 ^= F(D2 ^ SK[23]);
267
268 D1 = FL(D1, SK[24]);
269 D2 = FLINV(D2, SK[25]);
270
271 D2 ^= F(D1 ^ SK[26]);
272 D1 ^= F(D2 ^ SK[27]);
273 D2 ^= F(D1 ^ SK[28]);
274 D1 ^= F(D2 ^ SK[29]);
275 D2 ^= F(D1 ^ SK[30]);
276 D1 ^= F(D2 ^ SK[31]);
277
278 D2 ^= SK[32];
279 D1 ^= SK[33];
280
281 store_be(out + 16 * i, D2, D1);
282 }
283}

References load_be(), and store_be().

Referenced by Botan::Camellia_192::encrypt_n(), and Botan::Camellia_256::encrypt_n().

◆ camellia_gfni_encrypt9()

void Botan::camellia_gfni_encrypt9 ( const uint8_t in[],
uint8_t out[],
size_t blocks,
std::span< const uint64_t > SK )

Definition at line 132 of file camellia_gfni.cpp.

135 {
136 using namespace Camellia_GFNI;
137
138 for(size_t i = 0; i < blocks; ++i) {
139 uint64_t D1 = load_be<uint64_t>(in, 2 * i + 0);
140 uint64_t D2 = load_be<uint64_t>(in, 2 * i + 1);
141
142 D1 ^= SK[0];
143 D2 ^= SK[1];
144
145 D2 ^= F(D1 ^ SK[2]);
146 D1 ^= F(D2 ^ SK[3]);
147 D2 ^= F(D1 ^ SK[4]);
148 D1 ^= F(D2 ^ SK[5]);
149 D2 ^= F(D1 ^ SK[6]);
150 D1 ^= F(D2 ^ SK[7]);
151
152 D1 = FL(D1, SK[8]);
153 D2 = FLINV(D2, SK[9]);
154
155 D2 ^= F(D1 ^ SK[10]);
156 D1 ^= F(D2 ^ SK[11]);
157 D2 ^= F(D1 ^ SK[12]);
158 D1 ^= F(D2 ^ SK[13]);
159 D2 ^= F(D1 ^ SK[14]);
160 D1 ^= F(D2 ^ SK[15]);
161
162 D1 = FL(D1, SK[16]);
163 D2 = FLINV(D2, SK[17]);
164
165 D2 ^= F(D1 ^ SK[18]);
166 D1 ^= F(D2 ^ SK[19]);
167 D2 ^= F(D1 ^ SK[20]);
168 D1 ^= F(D2 ^ SK[21]);
169 D2 ^= F(D1 ^ SK[22]);
170 D1 ^= F(D2 ^ SK[23]);
171
172 D2 ^= SK[24];
173 D1 ^= SK[25];
174
175 store_be(out + 16 * i, D2, D1);
176 }
177}

References load_be(), and store_be().

Referenced by Botan::Camellia_128::encrypt_n().

◆ carry()

template<size_t S, int64_t MUL = 1>
requires (S > 0 && S < 64)
void Botan::carry ( int64_t & h0,
int64_t & h1 )
inline

Definition at line 27 of file ed25519_internal.h.

29{
30 const int64_t X1 = (static_cast<int64_t>(1) << S);
31 const int64_t X2 = (static_cast<int64_t>(1) << (S - 1));
32 int64_t c = (h0 + X2) >> S;
33 h1 += c * MUL;
34 h0 -= c * X1;
35}

Referenced by Botan::BigInt::add(), Botan::word3< W >::add(), Botan::BigInt::add2(), basecase_mul(), basecase_sqr(), bigint_add2(), bigint_add3(), bigint_cnd_abs(), bigint_cnd_add(), bigint_cnd_sub(), bigint_linmul2(), bigint_linmul3(), bigint_modop_vartime(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), Botan::Streebog::compress_64(), Botan::BigInt::ct_cond_add(), Botan::Ed25519_FieldElement::deserialize(), ed25519_basepoint_mul(), Botan::IntMod< MontgomeryRep< ScalarParams > >::invert_vartime(), Botan::Ed25519_FieldElement::mul(), Botan::word3< W >::mul(), Botan::IntMod< MontgomeryRep< ScalarParams > >::mul2(), Botan::word3< W >::mul_x2(), Botan::IntMod< MontgomeryRep< ScalarParams > >::negate(), Botan::BigInt::operator*=(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator+, Botan::Montgomery_Int::operator+(), Botan::donna128::operator+=(), Botan::donna128::operator+=(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator-, Botan::donna128::operator<<, Botan::donna128::operator>>, redc_crandall(), reduce_mod(), sc_muladd(), sc_reduce(), Botan::EC_Group_Data::scalar_from_bytes_with_trunc(), shift_left(), shift_right(), Botan::Sodium::sodium_add(), Botan::Sodium::sodium_increment(), solinas_correct_redc(), Botan::Ed25519_FieldElement::sqr2(), Botan::Ed25519_FieldElement::sqr_iter(), word8_add2(), word8_add3(), word8_linmul3(), word8_madd3(), word8_sub2(), word8_sub3(), word_add(), word_madd2(), word_madd3(), word_sub(), and xts_update_tweak_block().

◆ carry0() [1/2]

template<size_t S>
requires (S > 0 && S < 32)
void Botan::carry0 ( int32_t & h0,
int32_t & h1 )
inline

Definition at line 48 of file ed25519_internal.h.

50{
51 const int32_t X1 = (static_cast<int64_t>(1) << S);
52 int32_t c = h0 >> S;
53 h1 += c;
54 h0 -= c * X1;
55}

◆ carry0() [2/2]

template<size_t S>
requires (S > 0 && S < 64)
void Botan::carry0 ( int64_t & h0,
int64_t & h1 )
inline

Definition at line 38 of file ed25519_internal.h.

40{
41 const int64_t X1 = (static_cast<int64_t>(1) << S);
42 int64_t c = h0 >> S;
43 h1 += c;
44 h0 -= c * X1;
45}

Referenced by sc_muladd(), sc_reduce(), and Botan::Ed25519_FieldElement::serialize_to().

◆ carry_shift()

uint64_t Botan::carry_shift ( const donna128 & a,
size_t shift )
inlineconstexpr

Definition at line 129 of file donna128.h.

129 {
130 return (a >> shift).lo();
131}

Referenced by bigint_shl1(), bigint_shl2(), bigint_shr1(), and bigint_shr2().

◆ cast_char_ptr_to_uint8() [1/2]

uint8_t * Botan::cast_char_ptr_to_uint8 ( char * s)
inline

Definition at line 277 of file mem_ops.h.

277 {
278 return reinterpret_cast<uint8_t*>(s);
279}

◆ cast_char_ptr_to_uint8() [2/2]

const uint8_t * Botan::cast_char_ptr_to_uint8 ( const char * s)
inline

Definition at line 273 of file mem_ops.h.

273 {
274 return reinterpret_cast<const uint8_t*>(s);
275}

◆ cast_uint8_ptr_to_char() [1/2]

◆ cast_uint8_ptr_to_char() [2/2]

char * Botan::cast_uint8_ptr_to_char ( uint8_t * b)
inline

Definition at line 286 of file mem_ops.h.

286 {
287 return reinterpret_cast<char*>(b);
288}

◆ ceil_division()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::ceil_division ( T a,
T b )
constexpr

Ceil of an unsigned integer division. b must not be zero.

Parameters
adivident
bdivisor
Returns
ceil(a/b)

Definition at line 147 of file bit_ops.h.

147 {
148 return (a + b - 1) / b;
149}

References BOTAN_FORCE_INLINE.

Referenced by Botan::Classic_McEliece_Parameters::encode_out_size().

◆ ceil_log2()

template<std::unsigned_integral T>
requires (sizeof(T) < 32)
uint8_t Botan::ceil_log2 ( T x)
constexpr

Definition at line 120 of file bit_ops.h.

122{
123 if(x >> (sizeof(T) * 8 - 1)) {
124 return sizeof(T) * 8;
125 }
126
127 uint8_t result = 0;
128 T compare = 1;
129
130 while(compare < x) {
131 compare <<= 1;
132 result++;
133 }
134
135 return result;
136}

Referenced by bitlen(), Botan::BigInt::ct_shift_left(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), and mceliece_work_factor().

◆ ceil_tobytes()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::ceil_tobytes ( T bits)
constexpr

Return the number of bytes necessary to contain bits bits.

Definition at line 155 of file bit_ops.h.

155 {
156 return (bits + 7) / 8;
157}

References BOTAN_FORCE_INLINE.

Referenced by Botan::Classic_McEliece_Encryptor::raw_kem_encrypt(), Botan::bitvector_base< secure_allocator >::to_bytes(), Botan::bitvector_base< secure_allocator >::to_bytes(), and Botan::FrodoMatrix::unpack().

◆ chain_lengths()

BOTAN_TEST_API std::vector< WotsHashIndex > Botan::chain_lengths ( const SphincsTreeNode & msg,
const Sphincs_Parameters & params )

Given a msg construct the lengths (amount of hashes for signature) for each WOTS+ chain, including the checksum.

Corresponds to FIPS 205, Algorithm 7 or 8, Step 1-7

Definition at line 91 of file sp_wots.cpp.

91 {
92 std::vector<WotsHashIndex> result(params.wots_len_1() + params.wots_len_2());
93
94 auto msg_base_w = std::span(result).first(params.wots_len_1());
95 auto checksum_base_w = std::span(result).last(params.wots_len_2());
96
97 base_2_b(msg_base_w, msg.get(), params);
98 wots_checksum(checksum_base_w, msg_base_w, params);
99
100 return result;
101}
uint32_t wots_len_2() const
uint32_t wots_len_1() const
constexpr T & get() &
Definition strong_type.h:52

References Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::wots_len_1(), and Botan::Sphincs_Parameters::wots_len_2().

Referenced by wots_public_key_from_signature(), and xmss_sign_and_pkgen().

◆ check_and_canonicalize_dns_name()

BOTAN_TEST_API std::string Botan::check_and_canonicalize_dns_name ( std::string_view name)

If name is a valid DNS name, return it canonicalized

Otherwise throws Decoding_Error

Definition at line 369 of file parsing.cpp.

369 {
370 if(name.size() > 255) {
371 throw Decoding_Error("DNS name exceeds maximum allowed length");
372 }
373
374 if(name.empty()) {
375 throw Decoding_Error("DNS name cannot be empty");
376 }
377
378 if(name.starts_with(".") || name.ends_with(".")) {
379 throw Decoding_Error("DNS name cannot start or end with a dot");
380 }
381
382 /*
383 * Table mapping uppercase to lowercase and only including values for valid DNS names
384 * namely A-Z, a-z, 0-9, hyphen, and dot, plus '*' for wildcarding. (RFC 1035)
385 */
386 // clang-format off
387 constexpr uint8_t DNS_CHAR_MAPPING[128] = {
388 '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0',
389 '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0', '\0',
390 '\0', '\0', '\0', '\0', '*', '\0', '\0', '-', '.', '\0', '0', '1', '2', '3', '4', '5', '6', '7', '8',
391 '9', '\0', '\0', '\0', '\0', '\0', '\0', '\0', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k',
392 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '\0', '\0', '\0', '\0',
393 '\0', '\0', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q',
394 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '\0', '\0', '\0', '\0', '\0',
395 };
396 // clang-format on
397
398 std::string canon;
399 canon.reserve(name.size());
400
401 // RFC 1035: DNS labels must not exceed 63 characters
402 size_t current_label_length = 0;
403
404 for(size_t i = 0; i != name.size(); ++i) {
405 char c = name[i];
406
407 if(c == '.') {
408 if(i > 0 && name[i - 1] == '.') {
409 throw Decoding_Error("DNS name contains sequential period chars");
410 }
411
412 if(current_label_length == 0) {
413 throw Decoding_Error("DNS name contains empty label");
414 }
415 current_label_length = 0; // Reset for next label
416 } else {
417 current_label_length++;
418
419 if(current_label_length > 63) { // RFC 1035 Maximum DNS label length
420 throw Decoding_Error("DNS name label exceeds maximum length of 63 characters");
421 }
422 }
423
424 const uint8_t cu = static_cast<uint8_t>(c);
425 if(cu >= 128) {
426 throw Decoding_Error("DNS name must not contain any extended ASCII code points");
427 }
428 const uint8_t mapped = DNS_CHAR_MAPPING[cu];
429 if(mapped == 0) {
430 throw Decoding_Error("DNS name includes invalid character");
431 }
432
433 if(mapped == '-') {
434 if(i == 0 || (i > 0 && name[i - 1] == '.')) {
435 throw Decoding_Error("DNS name has label with leading hyphen");
436 } else if(i == name.size() - 1 || (i < name.size() - 1 && name[i + 1] == '.')) {
437 throw Decoding_Error("DNS name has label with trailing hyphen");
438 }
439 }
440 canon.push_back(static_cast<char>(mapped));
441 }
442
443 if(current_label_length == 0) {
444 throw Decoding_Error("DNS name contains empty label");
445 }
446 return canon;
447}

Referenced by Botan::AlternativeName::decode_from().

◆ check_bcrypt()

bool Botan::check_bcrypt ( std::string_view password,
std::string_view hash )

Check a previously created password hash

Takes a password and a bcrypt hash and returns true if the password is the same as the one that was used to generate the bcrypt hash.

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 160 of file bcrypt.cpp.

160 {
161 if(hash.size() != 60 || hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$') {
162 return false;
163 }
164
165 const char bcrypt_version = hash[2];
166
167 if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y') {
168 return false;
169 }
170
171 const uint16_t workfactor = to_uint16(hash.substr(4, 2));
172
173 const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
174 if(salt.size() != 16) {
175 return false;
176 }
177
178 const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
179
180 return CT::is_equal(as_span_of_bytes(hash), as_span_of_bytes(compare)).as_bool();
181}
uint16_t to_uint16(std::string_view str)
Definition parsing.cpp:22

References as_span_of_bytes(), Botan::CT::is_equal(), and to_uint16().

Referenced by botan_bcrypt_is_valid().

◆ check_passhash9()

bool Botan::check_passhash9 ( std::string_view password,
std::string_view hash )

Check a previously created password hash

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 75 of file passhash9.cpp.

75 {
76 const size_t BINARY_LENGTH = ALGID_BYTES + WORKFACTOR_BYTES + PASSHASH9_PBKDF_OUTPUT_LEN + SALT_BYTES;
77
78 const size_t BASE64_LENGTH = MAGIC_PREFIX.size() + (BINARY_LENGTH * 8) / 6;
79
80 if(hash.size() != BASE64_LENGTH) {
81 return false;
82 }
83
84 for(size_t i = 0; i != MAGIC_PREFIX.size(); ++i) {
85 if(hash[i] != MAGIC_PREFIX[i]) {
86 return false;
87 }
88 }
89
90 secure_vector<uint8_t> bin = base64_decode(hash.data() + MAGIC_PREFIX.size());
91
92 if(bin.size() != BINARY_LENGTH) {
93 return false;
94 }
95
96 uint8_t alg_id = bin[0];
97
98 const size_t work_factor = load_be<uint16_t>(&bin[ALGID_BYTES], 0);
99
100 // Bug in the format, bad states shouldn't be representable, but are...
101 if(work_factor == 0) {
102 return false;
103 }
104
105 if(work_factor > 512) {
106 throw Invalid_Argument("Requested passhash9 work factor " + std::to_string(work_factor) + " is too large");
107 }
108
109 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
110
111 auto pbkdf_prf = get_pbkdf_prf(alg_id);
112
113 if(!pbkdf_prf) {
114 return false; // unknown algorithm, reject
115 }
116
117 PKCS5_PBKDF2 kdf(std::move(pbkdf_prf));
118
120 kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES, kdf_iterations)
121 .bits_of();
122
123 const uint8_t* hashbytes = &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES];
124
125 return CT::is_equal(cmp.data(), hashbytes, PASSHASH9_PBKDF_OUTPUT_LEN).as_bool();
126}
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69

References base64_decode(), Botan::OctetString::bits_of(), Botan::PBKDF::derive_key(), Botan::CT::is_equal(), and load_be().

◆ checked_add() [1/2]

template<std::unsigned_integral T>
std::optional< T > Botan::checked_add ( T a,
T b )
inlineconstexpr

Definition at line 19 of file int_utils.h.

19 {
20 const T r = a + b;
21 if(r < a || r < b) {
22 return {};
23 }
24 return r;
25}

Referenced by checked_add(), Botan::AlternativeName::count(), and Botan::OID::encode_into().

◆ checked_add() [2/2]

template<std::unsigned_integral T, std::unsigned_integral... Ts>
requires all_same_v<T, Ts...>
std::optional< T > Botan::checked_add ( T a,
T b,
Ts... rest )
inlineconstexpr

Definition at line 37 of file int_utils.h.

37 {
38 if(auto r = checked_add(a, b)) {
39 return checked_add(r.value(), rest...);
40 } else {
41 return {};
42 }
43}
constexpr std::optional< T > checked_add(T a, T b)
Definition int_utils.h:19

References checked_add().

◆ checked_cast_to()

template<typename RT, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
RT Botan::checked_cast_to ( AT i)
constexpr

Definition at line 74 of file int_utils.h.

74 {
75 return checked_cast_to_or_throw<RT, Internal_Error>(i, "Error during integer conversion");
76}
constexpr RT checked_cast_to_or_throw(AT i, std::string_view error_msg_on_fail)
Definition int_utils.h:61

References checked_cast_to_or_throw().

Referenced by Botan::Cert_Extension::ASBlocks::ASIdOrRange::decode_from(), Botan::HSS_LMS_Params::L(), Botan::ML_DSA_MessageHash::start(), and Botan::HSS_LMS_PublicKeyInternal::verify_signature().

◆ checked_cast_to_or_throw()

template<typename RT, typename ExceptionType, typename AT>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
RT Botan::checked_cast_to_or_throw ( AT i,
std::string_view error_msg_on_fail )
constexpr

Definition at line 61 of file int_utils.h.

61 {
62 const auto unwrapped_input = unwrap_strong_type(i);
63
64 const auto unwrapped_result = static_cast<strong_type_wrapped_type<RT>>(unwrapped_input);
65 if(unwrapped_input != static_cast<strong_type_wrapped_type<AT>>(unwrapped_result)) [[unlikely]] {
66 throw ExceptionType(error_msg_on_fail);
67 }
68
69 return wrap_strong_type<RT>(unwrapped_result);
70}
constexpr decltype(auto) unwrap_strong_type(T &&t)
Generically unwraps a strong type to its underlying type.
typename detail::wrapped_type_helper< std::remove_cvref_t< T > >::type strong_type_wrapped_type
Extracts the wrapped type from a strong type.
constexpr decltype(auto) wrap_strong_type(ParamT &&t)
Wraps a value into a caller-defined (strong) type.

References unwrap_strong_type(), and wrap_strong_type().

Referenced by checked_cast_to(), and Botan::HSS_LMS_Params::HSS_LMS_Params().

◆ checked_mul()

template<std::unsigned_integral T>
std::optional< T > Botan::checked_mul ( T a,
T b )
inlineconstexpr

Definition at line 46 of file int_utils.h.

46 {
47 // Multiplication by 1U is a hack to work around C's insane
48 // integer promotion rules.
49 // https://stackoverflow.com/questions/24795651
50 const T r = (1U * a) * b;
51 // If a == 0 then the multiply certainly did not overflow
52 // Otherwise r / a == b unless overflow occured
53 if(a != 0 && r / a != b) {
54 return {};
55 }
56 return r;
57}

Referenced by Botan::mlock_allocator::allocate(), allocate_memory(), and Botan::mlock_allocator::deallocate().

◆ checked_sub()

template<std::unsigned_integral T>
std::optional< T > Botan::checked_sub ( T a,
T b )
constexpr

Definition at line 28 of file int_utils.h.

28 {
29 if(b > a) {
30 return {};
31 }
32 return a - b;
33}

◆ choose()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::choose ( T mask,
T a,
T b )
constexpr

Bitwise selection

If mask is |1| returns a If mask is |0| returns b If mask is some other value returns a or b depending on the bit

Definition at line 196 of file bit_ops.h.

196 {
197 //return (mask & a) | (~mask & b);
198 return (b ^ (mask & (a ^ b)));
199}

References BOTAN_FORCE_INLINE.

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_assign(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_assign(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_assign(), Botan::IntMod< MontgomeryRep< ScalarParams > >::conditional_swap(), Botan::SHA1_F::F1(), majority(), Botan::CT::Mask< T >::select(), Botan::CT::Mask< T >::select_n(), SHA2_32_F(), SHA2_32_F(), SHA2_64_F(), and SHA2_64_F().

◆ clear_bytes()

void Botan::clear_bytes ( void * ptr,
size_t bytes )
inlineconstexpr

Zero out some bytes. Warning: use secure_scrub_memory instead if the memory is about to be freed or otherwise the compiler thinks it can elide the writes.

Parameters
ptra pointer to memory to zero
bytesthe number of bytes to zero in ptr

Definition at line 102 of file mem_ops.h.

102 {
103 if(bytes > 0) {
104 std::memset(ptr, 0, bytes);
105 }
106}

Referenced by clear_mem(), clear_mem(), Botan::TPM2::init_with_size(), and Botan::Memory_Pool::Memory_Pool().

◆ clear_mem() [1/2]

template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
void Botan::clear_mem ( R && mem)
inlineconstexpr

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation.

Parameters
mema contiguous range of Ts to zero

Definition at line 131 of file mem_ops.h.

133{
134 clear_bytes(std::ranges::data(mem), ranges::size_bytes(mem));
135}
constexpr size_t size_bytes(const spanable_range auto &r)
Definition concepts.h:94
constexpr void clear_bytes(void *ptr, size_t bytes)
Definition mem_ops.h:102

References clear_bytes(), and Botan::ranges::size_bytes().

◆ clear_mem() [2/2]

template<typename T>
void Botan::clear_mem ( T * ptr,
size_t n )
inlineconstexpr

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation (for example, if calling clear_mem before deallocating memory, the compiler would be allowed to omit the call to memset entirely under the as-if rule.)

Parameters
ptra pointer to an array of Ts to zero
nthe number of Ts pointed to by ptr

Definition at line 119 of file mem_ops.h.

119 {
120 clear_bytes(ptr, sizeof(T) * n);
121}

References clear_bytes().

Referenced by base_decode(), basecase_mul(), basecase_sqr(), bigint_monty_redc_inplace(), bigint_mul(), bigint_shl1(), bigint_shr1(), bigint_sqr(), Botan_FFI::botan_view_bin_bounce_fn(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::clear(), Botan::CT::copy_output(), create_aes_row_generator(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::ct_shift_left(), Botan::Bcrypt_PBKDF::derive_key(), Botan::ZFEC::encode_shares(), Botan::BigInt::encode_words(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::fill_up_with_zeros(), Botan::StreamCipher::generate_keystream(), Botan::Gf448Elem::Gf448Elem(), hex_decode(), Botan::BLAKE2b::key_schedule(), Botan::EC_Point_Var_Point_Precompute::mul(), pbkdf2(), Botan::CRYSTALS::Trait_Base< ConstantsT, DerivedT >::polyvec_pointwise_acc_montgomery(), Botan::BigInt::reduce_below(), Botan::polyn_gf2m::set_to_zero(), Botan::polyn_gf2m::sqmod_init(), Botan::bitvector_base< secure_allocator >::to_bytes(), Botan_FFI::write_output(), Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::Zlib_Style_Stream(), and Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::~Zlib_Style_Stream().

◆ comba_mul()

template<size_t N, WordType W>
void Botan::comba_mul ( W z[2 *N],
const W x[N],
const W y[N] )
inlineconstexpr

Definition at line 699 of file mp_core.h.

699 {
700 if(!std::is_constant_evaluated()) {
701 if constexpr(std::same_as<W, word> && N == 4) {
702 return bigint_comba_mul4(z, x, y);
703 }
704 if constexpr(std::same_as<W, word> && N == 6) {
705 return bigint_comba_mul6(z, x, y);
706 }
707 if constexpr(std::same_as<W, word> && N == 7) {
708 return bigint_comba_mul7(z, x, y);
709 }
710 if constexpr(std::same_as<W, word> && N == 8) {
711 return bigint_comba_mul8(z, x, y);
712 }
713 if constexpr(std::same_as<W, word> && N == 9) {
714 return bigint_comba_mul9(z, x, y);
715 }
716 if constexpr(std::same_as<W, word> && N == 16) {
717 return bigint_comba_mul16(z, x, y);
718 }
719 }
720
721 word3<W> accum;
722
723 for(size_t i = 0; i != 2 * N; ++i) {
724 const size_t start = i + 1 < N ? 0 : i + 1 - N;
725 const size_t end = std::min(N, i + 1);
726
727 for(size_t j = start; j != end; ++j) {
728 accum.mul(x[j], y[i - j]);
729 }
730 z[i] = accum.extract();
731 }
732}
void bigint_comba_mul7(word z[14], const word x[7], const word y[7])
Definition mp_comba.cpp:221

References bigint_comba_mul16(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul7(), bigint_comba_mul8(), bigint_comba_mul9(), Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by Botan::BlindedScalarBits< C, WindowBits+1 >::BlindedScalarBits(), mul_mod(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator*, Botan::IntMod< MontgomeryRep< ScalarParams > >::operator*=(), Botan::MontgomeryRep< Params >::to_rep(), and Botan::MontgomeryRep< Params >::wide_to_rep().

◆ comba_sqr()

template<size_t N, WordType W>
void Botan::comba_sqr ( W z[2 *N],
const W x[N] )
inlineconstexpr

Definition at line 735 of file mp_core.h.

735 {
736 if(!std::is_constant_evaluated()) {
737 if constexpr(std::same_as<W, word> && N == 4) {
738 return bigint_comba_sqr4(z, x);
739 }
740 if constexpr(std::same_as<W, word> && N == 6) {
741 return bigint_comba_sqr6(z, x);
742 }
743 if constexpr(std::same_as<W, word> && N == 7) {
744 return bigint_comba_sqr7(z, x);
745 }
746 if constexpr(std::same_as<W, word> && N == 8) {
747 return bigint_comba_sqr8(z, x);
748 }
749 if constexpr(std::same_as<W, word> && N == 9) {
750 return bigint_comba_sqr9(z, x);
751 }
752 if constexpr(std::same_as<W, word> && N == 16) {
753 return bigint_comba_sqr16(z, x);
754 }
755 }
756
757 word3<W> accum;
758
759 for(size_t i = 0; i != 2 * N; ++i) {
760 const size_t start = i + 1 < N ? 0 : i + 1 - N;
761 const size_t end = std::min(N, i + 1);
762
763 for(size_t j = start; j != end; ++j) {
764 accum.mul(x[j], x[i - j]);
765 }
766 z[i] = accum.extract();
767 }
768}
void bigint_comba_sqr7(word z[14], const word x[7])
Definition mp_comba.cpp:171

References bigint_comba_sqr16(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr7(), bigint_comba_sqr8(), bigint_comba_sqr9(), Botan::word3< W >::extract(), and Botan::word3< W >::mul().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::square(), and Botan::IntMod< MontgomeryRep< ScalarParams > >::square_n().

◆ combine_lower()

uint64_t Botan::combine_lower ( const donna128 & a,
size_t s1,
const donna128 & b,
size_t s2 )
inlineconstexpr

Definition at line 133 of file donna128.h.

133 {
134 donna128 z = (a >> s1) | (b << s2);
135 return z.lo();
136}
constexpr uint64_t lo() const
Definition donna128.h:83

References Botan::donna128::lo().

◆ commoncrypto_adjust_key_size()

void Botan::commoncrypto_adjust_key_size ( const uint8_t key[],
size_t length,
const CommonCryptor_Opts & opts,
secure_vector< uint8_t > & full_key )

Definition at line 134 of file commoncrypto_utils.cpp.

137 {
138 if(opts.algo == kCCAlgorithmBlowfish && length < 8) {
139 size_t repeat;
140 switch(length) {
141 case 1:
142 repeat = 8;
143 break;
144 case 2:
145 repeat = 4;
146 break;
147 case 3:
148 repeat = 3;
149 break;
150 default:
151 repeat = 2;
152 break;
153 }
154
155 full_key.resize(length * repeat);
156 for(size_t i = 0; i < repeat; i++) {
157 copy_mem(full_key.data() + i * length, key, length);
158 }
159 } else if(opts.algo == kCCAlgorithm3DES && length == 16) {
160 full_key += std::make_pair(key, 8);
161 }
162}

References Botan::CommonCryptor_Opts::algo, and copy_mem().

◆ commoncrypto_opts_from_algo()

CommonCryptor_Opts Botan::commoncrypto_opts_from_algo ( std::string_view algo)

Definition at line 96 of file commoncrypto_utils.cpp.

96 {
97 SCAN_Name spec(algo);
98
99 std::string algo_name = spec.algo_name();
100 std::string cipher_mode = spec.cipher_mode();
101 std::string cipher_mode_padding = spec.cipher_mode_pad();
102
104
105 //TODO add CFB and XTS support
106 if(cipher_mode.empty() || cipher_mode == "ECB") {
107 opts.mode = kCCModeECB;
108 } else if(cipher_mode == "CBC") {
109 opts.mode = kCCModeCBC;
110 } else if(cipher_mode == "CTR") {
111 opts.mode = kCCModeCTR;
112 } else if(cipher_mode == "OFB") {
113 opts.mode = kCCModeOFB;
114 } else {
115 throw CommonCrypto_Error("Unsupported cipher mode!");
116 }
117
118 if(cipher_mode_padding == "NoPadding") {
119 opts.padding = ccNoPadding;
120 }
121 /*
122 else if(cipher_mode_padding.empty() || cipher_mode_padding == "PKCS7")
123 {
124 opts.padding = ccPKCS7Padding;
125 }
126 */
127 else {
128 throw CommonCrypto_Error("Unsupported cipher mode padding!");
129 }
130
131 return opts;
132}
CommonCryptor_Opts commoncrypto_opts_from_algo_name(std::string_view algo_name)

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::cipher_mode(), Botan::SCAN_Name::cipher_mode_pad(), commoncrypto_opts_from_algo_name(), Botan::CommonCryptor_Opts::mode, and Botan::CommonCryptor_Opts::padding.

Referenced by make_commoncrypto_cipher_mode().

◆ commoncrypto_opts_from_algo_name()

CommonCryptor_Opts Botan::commoncrypto_opts_from_algo_name ( std::string_view algo_name)

Definition at line 56 of file commoncrypto_utils.cpp.

56 {
58
59 if(algo_name.compare(0, 3, "AES") == 0) {
60 opts.algo = kCCAlgorithmAES;
61 opts.block_size = kCCBlockSizeAES128;
62 if(algo_name == "AES-128") {
63 opts.key_spec = Key_Length_Specification(kCCKeySizeAES128);
64 } else if(algo_name == "AES-192") {
65 opts.key_spec = Key_Length_Specification(kCCKeySizeAES192);
66 } else if(algo_name == "AES-256") {
67 opts.key_spec = Key_Length_Specification(kCCKeySizeAES256);
68 } else {
69 throw CommonCrypto_Error("Unknown AES algorithm");
70 }
71 } else if(algo_name == "DES") {
72 opts.algo = kCCAlgorithmDES;
73 opts.block_size = kCCBlockSizeDES;
74 opts.key_spec = Key_Length_Specification(kCCKeySizeDES);
75 } else if(algo_name == "TripleDES") {
76 opts.algo = kCCAlgorithm3DES;
77 opts.block_size = kCCBlockSize3DES;
78 opts.key_spec = Key_Length_Specification(16, kCCKeySize3DES, 8);
79 } else if(algo_name == "Blowfish") {
80 opts.algo = kCCAlgorithmBlowfish;
81 opts.block_size = kCCBlockSizeBlowfish;
82 opts.key_spec = Key_Length_Specification(1, kCCKeySizeMaxBlowfish, 1);
83 } else if(algo_name == "CAST-128") {
84 opts.algo = kCCAlgorithmCAST;
85 opts.block_size = kCCBlockSizeCAST;
86 // Botan's base implementation of CAST does not support shorter keys
87 // so we limit its minimum key size to 11 here.
88 opts.key_spec = Key_Length_Specification(11, kCCKeySizeMaxCAST, 1);
89 } else {
90 throw CommonCrypto_Error("Unsupported cipher");
91 }
92
93 return opts;
94}
Key_Length_Specification key_spec

References Botan::CommonCryptor_Opts::algo, Botan::CommonCryptor_Opts::block_size, and Botan::CommonCryptor_Opts::key_spec.

Referenced by commoncrypto_opts_from_algo(), and make_commoncrypto_block_cipher().

◆ compute_root() [1/2]

BOTAN_TEST_API void Botan::compute_root ( StrongSpan< SphincsTreeNode > out,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes,
const SphincsTreeNode & leaf,
TreeNodeIndex leaf_idx,
uint32_t idx_offset,
StrongSpan< const SphincsAuthenticationPath > authentication_path,
uint32_t tree_height,
Sphincs_Address & tree_address )

Using a leaf node and the authentication path (neighbor nodes on the way from leaf to root), computes the the root node of the respective tree. This function is generic and used by FORS and XMSS in the SLH-DSA verification logic.

Definition at line 102 of file sp_treehash.cpp.

110 {
111 BOTAN_ASSERT_NOMSG(out.size() == params.n());
112 BOTAN_ASSERT_NOMSG(authentication_path.size() == params.n() * total_tree_height);
113 BOTAN_ASSERT_NOMSG(leaf.size() == params.n());
114
115 // Use the `out` parameter as intermediate buffer for left/right nodes
116 // while traversing the tree.
117 copy_mem(out, leaf);
118
119 // Views into either `auth_path` or `out` depending on the tree location.
122
123 BufferSlicer auth_path(authentication_path);
124
125 // The leaf is put in the left or right buffer, depending on its indexes parity.
126 // Same for the first node of the authentication path
127
128 for(TreeLayerIndex i(0); i < total_tree_height; i++) {
129 // The input of the hash function takes the current node and the node
130 // given in the authentication path. If the current node is a right node
131 // in the tree (i.e. its leaf index is uneven) the hash function inputs
132 // must be swapped.
133 left = out;
134 right = auth_path.take<SphincsTreeNode>(params.n());
135
136 if((leaf_idx & 1) == 1U) {
137 std::swap(left, right);
138 }
139
140 leaf_idx /= 2;
141 idx_offset /= 2;
142 tree_address.set_tree_height(i + 1).set_tree_index(leaf_idx + idx_offset);
143
144 hashes.T(out, tree_address, left, right);
145 }
146
147 BOTAN_ASSERT_NOMSG(auth_path.empty());
148}
Sphincs_Address & set_tree_height(TreeLayerIndex tree_height)
Definition sp_address.h:88
Sphincs_Address & set_tree_index(TreeNodeIndex tree_index)
Definition sp_address.h:98
void T(std::span< uint8_t > out, const Sphincs_Address &address, const BufferTs &... in)
Definition sp_hash.h:57
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
size_type size() const noexcept(noexcept(this->get().size()))
Strong< std::vector< uint8_t >, struct SphincsTreeNode_ > SphincsTreeNode
Either an XMSS or FORS tree node or leaf.
Definition sp_types.h:70
Strong< uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber > TreeLayerIndex
Index of the layer within a FORS/XMSS tree.
Definition sp_types.h:83

References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::BufferSlicer::empty(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::detail::Container_Strong_Adapter_Base< T >::size(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().

Referenced by fors_public_key_from_signature(), and ht_verify().

◆ compute_root() [2/2]

template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void Botan::compute_root ( StrongSpan< TreeNode > out_root,
AuthPathSS authentication_path,
TreeNodeIndex leaf_idx,
StrongSpan< const TreeNode > leaf,
size_t node_size,
TreeLayerIndex total_tree_height,
uint32_t idx_offset,
concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash,
Address & tree_address )
inline

Uses an authentication path and a leaf node to reconstruct the root node of a merkle tree.

Parameters
out_rootA output buffer for the root node of the merkle tree.
authentication_pathThe authentication path in one buffer (concatenated nodes).
leaf_idxThe index of the leaf used to sig in the bottom layer beginning with 0.
leafThe leaf node used to sig.
node_sizeThe size of each node in the tree.
total_tree_heightThe hight of the merkle tree to construct.
idx_offsetIf we compute a subtree this marks the index of the leftmost leaf node in the bottom layer.
node_pair_hashThe function to process two child nodes to compute their parent node.
tree_addressThe address that is passed to node_pair hash. This function will update the address accordings to the currently processed node. This object may contain further algorithm specific information, like the position of this merkle tree in a hypertree.

Definition at line 214 of file tree_hash.h.

223 {
224 BOTAN_ASSERT_NOMSG(out_root.size() == node_size);
225 BOTAN_ASSERT_NOMSG(authentication_path.size() == node_size * static_cast<size_t>(total_tree_height.get()));
226 BOTAN_ASSERT_NOMSG(leaf.size() == node_size);
227
228 // Use the `out` parameter as intermediate buffer for left/right nodes
229 // while traversing the tree.
230 copy_mem(out_root, leaf);
231
232 // Views into either `auth_path` or `out` depending on the tree location.
235
236 BufferSlicer auth_path(authentication_path);
237
238 // The leaf is put in the left or right buffer, depending on its indexes parity.
239 // Same for the first node of the authentication path
240
241 for(TreeLayerIndex i(0); i < total_tree_height; i++) {
242 // The input of the hash function takes the current node and the node
243 // given in the authentication path. If the current node is a right node
244 // in the tree (i.e. its leaf index is uneven) the hash function inputs
245 // must be swapped.
246 left = out_root;
247 right = auth_path.take<TreeNode>(node_size);
248
249 if((leaf_idx & 1) == 1U) {
250 std::swap(left, right);
251 }
252
253 leaf_idx /= 2;
254 idx_offset /= 2;
255 tree_address.set_address(i + 1, leaf_idx + idx_offset);
256
257 node_pair_hash(out_root, tree_address, left, right);
258 }
259
260 BOTAN_ASSERT_NOMSG(auth_path.empty());
261}

References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), Botan::StrongSpan< T >::size(), and Botan::BufferSlicer::take().

◆ compute_rsa_secret_exponent()

BigInt BOTAN_TEST_API Botan::compute_rsa_secret_exponent ( const BigInt & e,
const BigInt & phi_n,
const BigInt & p,
const BigInt & q )

Compute the RSA private exponent d

This algorithm is constant time with respect to phi_n, p, and q, aside from leaking their lengths. It may leak the public exponent e.

Parameters
ethe public exponent
phi_nis lcm(p-1, q-1)
pis the first secret prime
qis the second secret prime
Returns
d inverse of e modulo phi_n

Definition at line 330 of file mod_inv.cpp.

330 {
331 /*
332 * Both p - 1 and q - 1 are chosen to be relatively prime to e. Thus
333 * phi(n), the least common multiple of p - 1 and q - 1, is also
334 * relatively prime to e.
335 */
336 BOTAN_DEBUG_ASSERT(gcd(e, phi_n) == 1);
337
338 if(e == 65537) {
339 /*
340 Arazi's algorithm for inversion of prime x modulo a non-prime
341
342 "GCD-Free Algorithms for Computing Modular Inverses"
343 Marc Joye and Pascal Paillier, CHES 2003 (LNCS 2779)
344 https://marcjoye.github.io/papers/JP03gcdfree.pdf
345
346 This could be extended to cover other cases such as e=3 or e=17 but
347 these days 65537 is the standard RSA public exponent
348 */
349
350 constexpr word e_w = 65537;
351
352 const word phi_mod_e = ct_mod_word(phi_n, e_w);
353 const word inv_phi_mod_e = inverse_mod_65537(phi_mod_e);
354 BOTAN_DEBUG_ASSERT((inv_phi_mod_e * phi_mod_e) % e_w == 1);
355 const word neg_inv_phi_mod_e = (e_w - inv_phi_mod_e);
356 return ct_divide_word((phi_n * neg_inv_phi_mod_e) + 1, e_w);
357 } else {
358 // TODO possibly do something else taking advantage of the special structure here
359
360 BOTAN_UNUSED(p, q);
361 if(auto d = inverse_mod_general(e, phi_n)) {
362 return *d;
363 } else {
364 throw Internal_Error("Failed to compute RSA secret exponent");
365 }
366 }
367}
#define BOTAN_UNUSED
Definition assert.h:144
word ct_mod_word(const BigInt &x, word y)
Definition divide.cpp:168
void ct_divide_word(const BigInt &x, word y, BigInt &q_out, word &r_out)
Definition divide.cpp:123
std::optional< BigInt > inverse_mod_general(const BigInt &x, const BigInt &mod)
Definition mod_inv.cpp:177
BigInt gcd(const BigInt &a, const BigInt &b)
Definition numthry.cpp:193

References BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, ct_divide_word(), ct_mod_word(), gcd(), and inverse_mod_general().

Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ concat()

template<typename OutR = detail::AutoDetect, ranges::spanable_range... Rs>
requires (all_same_v<std::ranges::range_value_t<Rs>...>)
auto Botan::concat ( Rs &&... ranges)
constexpr

Concatenate an arbitrary number of buffers. Performs range-checks as needed.

The output type can be auto-detected based on the input ranges, or explicitly specified by the caller. If all input ranges have a static extent, the total size is calculated at compile time and a statically sized std::array<> is used. Otherwise this tries to use the type of the first input range as output type.

Alternatively, the output container type can be specified explicitly.

Definition at line 255 of file stl_util.h.

257{
258 if constexpr(std::same_as<detail::AutoDetect, OutR>) {
259 // Try to auto-detect a reasonable output type given the input ranges
260 static_assert(sizeof...(Rs) > 0, "Cannot auto-detect the output type if not a single input range is provided.");
261 using candidate_result_t = std::remove_cvref_t<std::tuple_element_t<0, std::tuple<Rs...>>>;
262 using result_range_value_t = std::remove_cvref_t<std::ranges::range_value_t<candidate_result_t>>;
263
264 if constexpr((ranges::statically_spanable_range<Rs> && ...)) {
265 // If all input ranges have a static extent, we can calculate the total size at compile time
266 // and therefore can use a statically sized output container. This is constexpr.
267 constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0);
268 using out_array_t = std::array<result_range_value_t, total_size>;
269 return detail::concatenate<out_array_t>(std::forward<Rs>(ranges)...);
270 } else {
271 // If at least one input range has a dynamic extent, we must use a dynamically allocated output container.
272 // We assume that the user wants to use the first input range's container type as output type.
273 static_assert(
275 "First input range has static extent, but a dynamically allocated output range is required. Please explicitly specify a dynamically allocatable output type.");
276 return detail::concatenate<candidate_result_t>(std::forward<Rs>(ranges)...);
277 }
278 } else {
279 // The caller has explicitly specified the output type
280 return detail::concatenate<OutR>(std::forward<Rs>(ranges)...);
281 }
282}
constexpr OutR concatenate(Rs &&... ranges)
Definition stl_util.h:196

References Botan::detail::concatenate().

Referenced by Botan::PKIX::check_ocsp(), Botan::Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial(), Botan::Expanded_Keypair_Codec::encode_keypair(), Botan::Seed_Expanding_Keypair_Codec::encode_keypair(), hkdf_expand_label(), Botan::Kyber_PublicKeyInternal::Kyber_PublicKeyInternal(), Botan::SphincsPlus_PrivateKey::private_key_bits(), Botan::FrodoKEM_PrivateKey::raw_private_key_bits(), Botan::FrodoKEM_PublicKey::raw_public_key_bits(), Botan::Hybrid_PublicKey::raw_public_key_bits(), Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits(), Botan::XMSS_PublicKey::raw_public_key_bits(), Botan::Classic_McEliece_PrivateKeyInternal::serialize(), Botan::HSS_LMS_PublicKeyInternal::to_bytes(), and Botan::LMS_PublicKey::to_bytes().

◆ constant_time_compare() [1/2]

bool Botan::constant_time_compare ( const uint8_t x[],
const uint8_t y[],
size_t len )
inline

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
true iff x[i] == y[i] forall i in [0...n)

Definition at line 89 of file mem_ops.h.

89 {
90 // simply assumes that *x and *y point to len allocated bytes at least
91 return constant_time_compare({x, len}, {y, len});
92}
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17

References constant_time_compare().

◆ constant_time_compare() [2/2]

bool Botan::constant_time_compare ( std::span< const uint8_t > x,
std::span< const uint8_t > y )

Memory comparison, input insensitive

Parameters
xa range of bytes
yanother range of bytes
Returns
true iff x and y have equal lengths and x[i] == y[i] forall i in [0...n)

Definition at line 17 of file mem_ops.cpp.

17 {
18 const auto min_size = CT::Mask<size_t>::is_lte(x.size(), y.size()).select(x.size(), y.size());
19 const auto equal_size = CT::Mask<size_t>::is_equal(x.size(), y.size());
20 const auto equal_content = CT::Mask<size_t>::expand(CT::is_equal(x.data(), y.data(), min_size));
21 return (equal_content & equal_size).as_bool();
22}
static constexpr Mask< T > is_lte(T x, T y)
Definition ct_utils.h:491

References Botan::CT::Mask< T >::expand(), Botan::CT::is_equal(), Botan::CT::Mask< T >::is_equal(), and Botan::CT::Mask< T >::is_lte().

Referenced by constant_time_compare(), Botan::PKCS1v15_Raw_SignaturePaddingScheme::verify(), and Botan::PKCS1v15_SignaturePaddingScheme::verify().

◆ copy_mem() [1/2]

template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
void Botan::copy_mem ( OutR && out,
const InR & in )
inlineconstexpr

Copy memory

Parameters
outthe destination array
inthe source array

Definition at line 161 of file mem_ops.h.

161 {
163 if(std::is_constant_evaluated()) {
164 std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out));
165 } else if(ranges::size_bytes(out) > 0) {
166 std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out));
167 }
168}
constexpr void assert_equal_byte_lengths(const R0 &r0, const Rs &... rs)
Definition concepts.h:128

References Botan::ranges::assert_equal_byte_lengths(), and Botan::ranges::size_bytes().

◆ copy_mem() [2/2]

template<typename T>
requires std::is_trivial_v<std::decay_t<T>>
void Botan::copy_mem ( T * out,
const T * in,
size_t n )
inlineconstexpr

Copy memory

Parameters
outthe destination array
inthe source array
nthe number of elements of in/out

Definition at line 145 of file mem_ops.h.

145 {
146 BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null");
147
148 if(in != nullptr && out != nullptr && n > 0) {
149 std::memmove(out, in, sizeof(T) * n);
150 }
151}
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
Definition assert.h:101

References BOTAN_ASSERT_IMPLICATION.

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), Botan::Argon2::blamka(), botan_cipher_update(), botan_privkey_ed25519_get_privkey(), botan_privkey_ed448_get_privkey(), botan_privkey_x25519_get_privkey(), botan_privkey_x448_get_privkey(), botan_pubkey_ed25519_get_pubkey(), botan_pubkey_ed448_get_pubkey(), botan_pubkey_x25519_get_pubkey(), botan_pubkey_x448_get_pubkey(), Botan_FFI::botan_view_bin_bounce_fn(), buffer_insert(), buffer_insert(), Botan::Ed25519_PublicKey::check_key(), Botan::CRYSTALS::Polynomial< DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT >::clone(), Botan::CRYSTALS::PolynomialVector< DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT >::clone(), commoncrypto_adjust_key_size(), Botan::Streebog::compress_64(), compute_root(), compute_root(), Botan::TPM2::copy_into(), Botan::TPM2::copy_into(), Botan::Sodium::crypto_auth_hmacsha512256(), Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_seed_keypair(), curve25519_donna(), Botan::Ed25519_FieldElement::Ed25519_FieldElement(), ed25519_gen_keypair(), Botan::Ed448_PublicKey::Ed448_PublicKey(), Botan::ML_KEM_Encryptor::encapsulate(), Botan::BigInt::encode_words(), Botan::CryptoBox::encrypt(), expand_message_xmd(), Botan::RawHashFunction::final_result(), Botan::TLS::Stream_Handshake_IO::format(), Botan::CCM_Mode::format_b0(), Botan::CCM_Mode::format_c0(), Botan::MontgomeryRep< Params >::from_rep(), Botan::IntMod< MontgomeryRep< ScalarParams > >::from_wide_bytes(), Botan::IntMod< MontgomeryRep< ScalarParams > >::from_wide_bytes_varlen(), Botan::IntMod< MontgomeryRep< ScalarParams > >::from_words(), Botan::TPM_Context::gen_random(), Botan::Gf448Elem::Gf448Elem(), Botan::BLAKE2b::key_schedule(), mceliece_decrypt(), Botan::BigInt::mod_sub(), Botan::Montgomery_Int::Montgomery_Int(), Botan::Montgomery_Int::mul_by(), Botan::Montgomery_Params::mul_by(), nist_key_unwrap(), nist_key_unwrap_padded(), nist_key_wrap(), nist_key_wrap_padded(), operator^(), Botan::DataSource_Memory::peek(), Botan::PseudorandomKeyGeneration::PseudorandomKeyGeneration(), Botan::DataSource_Memory::read(), reduce_mod(), Botan::Blowfish::salted_set_key(), Botan::Scalar448::Scalar448(), Botan::CTR_BE::seek(), Botan::IntMod< MontgomeryRep< ScalarParams > >::serialize_to(), Botan::EC_AffinePoint_Data_PC::serialize_uncompressed_to(), Botan::EC_AffinePoint_Data_BN::serialize_x_to(), Botan::EC_AffinePoint_Data_PC::serialize_x_to(), Botan::EC_AffinePoint_Data_BN::serialize_xy_to(), Botan::EC_AffinePoint_Data_PC::serialize_xy_to(), Botan::EC_AffinePoint_Data_BN::serialize_y_to(), Botan::EC_AffinePoint_Data_PC::serialize_y_to(), Botan::TLS::Session_Keys::Session_Keys(), Botan::CFB_Mode::shift_register(), Botan::HSS_LMS_PrivateKeyInternal::sign(), Botan::RTSS_Share::split(), Botan::polyn_gf2m::sqmod_init(), Botan::Montgomery_Int::square_this_n_times(), Botan::GHASH::start(), Botan::bitvector_base< secure_allocator >::subvector(), treehash(), treehash(), Botan::Base64_Decoder::write(), Botan::Base64_Encoder::write(), Botan::Buffered_Filter::write(), Botan::Hex_Decoder::write(), Botan::Hex_Encoder::write(), Botan_FFI::write_output(), and Botan::X448_PublicKey::X448_PublicKey().

◆ copy_out_be()

template<ranges::spanable_range InR>
void Botan::copy_out_be ( std::span< uint8_t > out,
const InR & in )
inline

Partially copy a subset of in into out using big-endian byte order.

Definition at line 773 of file loadstor.h.

773 {
774 using T = std::ranges::range_value_t<InR>;
775 std::span<const T> in_s{in};
776 const auto remaining_bytes = detail::copy_out_any_word_aligned_portion<std::endian::big>(out, in_s);
777
778 // copy remaining bytes as a partial word
779 for(size_t i = 0; i < remaining_bytes; ++i) {
780 out[i] = get_byte_var(i, in_s.front());
781 }
782}
size_t copy_out_any_word_aligned_portion(std::span< uint8_t > &out, std::span< const T > &in)
Definition loadstor.h:752
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:69

References Botan::detail::copy_out_any_word_aligned_portion(), and get_byte_var().

◆ copy_out_le()

template<ranges::spanable_range InR>
void Botan::copy_out_le ( std::span< uint8_t > out,
const InR & in )
inline

Partially copy a subset of in into out using little-endian byte order.

Definition at line 789 of file loadstor.h.

789 {
790 using T = std::ranges::range_value_t<InR>;
791 std::span<const T> in_s{in};
792 const auto remaining_bytes = detail::copy_out_any_word_aligned_portion<std::endian::little>(out, in_s);
793
794 // copy remaining bytes as a partial word
795 for(size_t i = 0; i < remaining_bytes; ++i) {
796 out[i] = get_byte_var(sizeof(T) - 1 - i, in_s.front());
797 }
798}

References Botan::detail::copy_out_any_word_aligned_portion(), and get_byte_var().

Referenced by Botan::BLAKE2b::final_result(), and xts_update_tweak_block().

◆ count_bits()

template<WordType W, size_t N>
size_t Botan::count_bits ( const std::array< W, N > & p)
inlineconsteval

Definition at line 269 of file pcurves_util.h.

269 {
270 auto get_bit = [&](size_t i) {
271 const size_t w = i / WordInfo<W>::bits;
272 const size_t b = i % WordInfo<W>::bits;
273 return static_cast<uint8_t>((p[w] >> b) & 0x01);
274 };
275
276 size_t b = WordInfo<W>::bits * N;
277
278 // Conditional ok: this function is consteval
279 while(get_bit(b - 1) == 0) {
280 b -= 1;
281 }
282
283 return b;
284}

◆ create_aes_row_generator()

auto Botan::create_aes_row_generator ( const FrodoKEMConstants & constants,
StrongSpan< const FrodoSeedA > seed_a )
inline

Definition at line 25 of file frodo_aes_generator.h.

25 {
26 BOTAN_ASSERT_NOMSG(constants.mode().is_aes());
27
28 auto setup_aes = [](StrongSpan<const FrodoSeedA> seed) {
29 AES_128 aes;
30 aes.set_key(seed);
31 return aes;
32 };
33
34 return [n = static_cast<uint16_t>(constants.n()), aes = setup_aes(seed_a)](std::span<uint8_t> out, uint16_t i) {
35 BufferStuffer out_bs(out);
36
37 BOTAN_DEBUG_ASSERT(out_bs.remaining_capacity() % AES_128::BLOCK_SIZE == 0);
38
39 for(uint16_t j = 0; j < n; j += AES_128::BLOCK_SIZE / 2) {
40 // set up the to-be-encrypted 'b' value in the out variable
41 // for in-place encryption of the block cipher
42 // b = i || j || 0000...
43 out_bs.append(store_le(i, j));
44 clear_mem(out_bs.next<AES_128::BLOCK_SIZE - sizeof(i) - sizeof(j)>());
45 }
46
47 BOTAN_DEBUG_ASSERT(out_bs.full());
48
49 aes.encrypt(out);
50 };
51}
void encrypt(const uint8_t in[], uint8_t out[]) const
FrodoKEMMode mode() const
bool is_aes() const
Definition frodo_mode.h:63
void set_key(const OctetString &key)
Definition sym_algo.cpp:14
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736

References Botan::BufferStuffer::append(), Botan::Block_Cipher_Fixed_Params< 16, 16 >::BLOCK_SIZE, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, clear_mem(), Botan::BufferStuffer::full(), Botan::FrodoKEMMode::is_aes(), Botan::FrodoKEMConstants::mode(), Botan::FrodoKEMConstants::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::SymmetricAlgorithm::set_key(), and store_le().

◆ create_ec_private_key()

std::unique_ptr< Private_Key > Botan::create_ec_private_key ( std::string_view algo_name,
const EC_Group & group,
RandomNumberGenerator & rng )

Create a new ECC key

Definition at line 442 of file pk_algs.cpp.

444 {
445 // Potentially unused if all EC algorithms are disabled
446 BOTAN_UNUSED(alg_name, ec_group, rng);
447
448#if defined(BOTAN_HAS_ECDSA)
449 if(alg_name == "ECDSA") {
450 return std::make_unique<ECDSA_PrivateKey>(rng, ec_group);
451 }
452#endif
453
454#if defined(BOTAN_HAS_ECDH)
455 if(alg_name == "ECDH") {
456 return std::make_unique<ECDH_PrivateKey>(rng, ec_group);
457 }
458#endif
459
460#if defined(BOTAN_HAS_ECKCDSA)
461 if(alg_name == "ECKCDSA") {
462 return std::make_unique<ECKCDSA_PrivateKey>(rng, ec_group);
463 }
464#endif
465
466#if defined(BOTAN_HAS_GOST_34_10_2001)
467 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
468 return std::make_unique<GOST_3410_PrivateKey>(rng, ec_group);
469 }
470#endif
471
472#if defined(BOTAN_HAS_SM2)
473 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
474 return std::make_unique<SM2_PrivateKey>(rng, ec_group);
475 }
476#endif
477
478#if defined(BOTAN_HAS_ECGDSA)
479 if(alg_name == "ECGDSA") {
480 return std::make_unique<ECGDSA_PrivateKey>(rng, ec_group);
481 }
482#endif
483
484 return nullptr;
485}

References BOTAN_UNUSED.

Referenced by botan_ec_privkey_create(), and create_private_key().

◆ create_hex_fingerprint() [1/2]

std::string Botan::create_hex_fingerprint ( const uint8_t bits[],
size_t bits_len,
std::string_view hash_name )

Definition at line 38 of file pk_keys.cpp.

38 {
39 auto hash_fn = HashFunction::create_or_throw(hash_name);
40 const std::string hex_hash = hex_encode(hash_fn->process(bits, bits_len));
41
42 std::string fprint;
43
44 for(size_t i = 0; i != hex_hash.size(); i += 2) {
45 if(i != 0) {
46 fprint.push_back(':');
47 }
48
49 fprint.push_back(hex_hash[i]);
50 fprint.push_back(hex_hash[i + 1]);
51 }
52
53 return fprint;
54}
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:35

References Botan::HashFunction::create_or_throw(), and hex_encode().

Referenced by create_hex_fingerprint(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and Botan::Public_Key::fingerprint_public().

◆ create_hex_fingerprint() [2/2]

std::string Botan::create_hex_fingerprint ( std::span< const uint8_t > vec,
std::string_view hash_name )
inline

Definition at line 425 of file pk_keys.h.

425 {
426 return create_hex_fingerprint(vec.data(), vec.size(), hash_name);
427}
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:38

References create_hex_fingerprint().

◆ create_pk_from_sk()

BOTAN_TEST_API std::array< uint8_t, ED448_LEN > Botan::create_pk_from_sk ( std::span< const uint8_t, ED448_LEN > sk)

Create a public key point from a secret key (RFC 8032 5.2.5)

Definition at line 224 of file ed448_internal.cpp.

224 {
225 // 5.2.5. Key Generation
226 // The 57-byte public key is generated by the following steps:
227 auto shake_xof = SHAKE_256_XOF();
228 shake_xof.update(sk);
229
230 const Scalar448 s = scalar_from_xof(shake_xof);
231 // 3. Interpret the buffer as the little-endian integer, forming a
232 // secret scalar s. Perform a known-base-point scalar
233 // multiplication [s]B.
234 return (s * Ed448Point::base_point()).encode();
235}
static Ed448Point base_point()
Create the curve's base point ('B' in RFC 8032 5.2)
Representation of a scalar for X448.

References Botan::Ed448Point::base_point().

Referenced by Botan::Ed448_PrivateKey::Ed448_PrivateKey(), and Botan::Ed448_PrivateKey::Ed448_PrivateKey().

◆ create_private_key()

std::unique_ptr< Private_Key > Botan::create_private_key ( std::string_view algo_name,
RandomNumberGenerator & rng,
std::string_view algo_params = "",
std::string_view provider = "" )

Create a new key For ECC keys, algo_params specifies EC group (eg, "secp256r1") For DH/DSA/ElGamal keys, algo_params is DL group (eg, "modp/ietf/2048") For RSA, algo_params is integer keylength For McEliece, algo_params is n,t If algo_params is left empty, suitable default parameters are chosen.

Definition at line 487 of file pk_algs.cpp.

490 {
491 /*
492 * Default paramaters are chosen for work factor > 2**128 where possible
493 */
494
495#if defined(BOTAN_HAS_X25519)
496 if(alg_name == "X25519" || alg_name == "Curve25519") {
497 return std::make_unique<X25519_PrivateKey>(rng);
498 }
499#endif
500
501#if defined(BOTAN_HAS_X448)
502 if(alg_name == "X448") {
503 return std::make_unique<X448_PrivateKey>(rng);
504 }
505#endif
506
507#if defined(BOTAN_HAS_RSA)
508 if(alg_name == "RSA") {
509 const size_t modulus_bits = params.empty() ? 3072 : to_u32bit(params);
510 return std::make_unique<RSA_PrivateKey>(rng, modulus_bits);
511 }
512#endif
513
514#if defined(BOTAN_HAS_MCELIECE)
515 if(alg_name == "McEliece") {
516 const auto [n, t] = [&]() -> std::pair<size_t, size_t> {
517 if(params.empty()) {
518 return {2960, 57};
519 }
520
521 const auto mce_params = split_on(params, ',');
522
523 if(mce_params.size() != 2) {
524 throw Invalid_Argument(fmt("create_private_key: invalid McEliece parameters '{}'", params));
525 }
526
527 const size_t mce_n = to_u32bit(mce_params[0]);
528 const size_t mce_t = to_u32bit(mce_params[1]);
529 return {mce_n, mce_t};
530 }();
531
532 return std::make_unique<McEliece_PrivateKey>(rng, n, t);
533 }
534#endif
535#if defined(BOTAN_HAS_CLASSICMCELIECE)
536 if(alg_name == "ClassicMcEliece") {
537 auto cmce_params_set = params.empty() ? Classic_McEliece_Parameter_Set::ClassicMcEliece_6960119f
539 return std::make_unique<Classic_McEliece_PrivateKey>(rng, cmce_params_set);
540 }
541#endif
542
543#if defined(BOTAN_HAS_FRODOKEM)
544 if(alg_name == "FrodoKEM") {
545 const auto mode = params.empty() ? FrodoKEMMode::FrodoKEM976_SHAKE : FrodoKEMMode(params);
546 return std::make_unique<FrodoKEM_PrivateKey>(rng, mode);
547 }
548#endif
549
550#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
551 if(alg_name == "Kyber") {
552 const auto mode = [&]() -> KyberMode {
553 if(params.empty()) {
555 }
556 return KyberMode(params);
557 }();
558
559 return std::make_unique<Kyber_PrivateKey>(rng, mode);
560 }
561#endif
562
563#if defined(BOTAN_HAS_ML_KEM)
564 if(alg_name == "ML-KEM") {
565 const auto mode = [&]() -> ML_KEM_Mode {
566 if(params.empty()) {
568 }
569 return ML_KEM_Mode(params);
570 }();
571
572 return std::make_unique<ML_KEM_PrivateKey>(rng, mode);
573 }
574#endif
575
576#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
577 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
578 const auto mode = [&]() -> DilithiumMode {
579 if(params.empty()) {
581 }
582 return DilithiumMode(params);
583 }();
584
585 return std::make_unique<Dilithium_PrivateKey>(rng, mode);
586 }
587#endif
588
589#if defined(BOTAN_HAS_ML_DSA)
590 if(alg_name == "ML-DSA") {
591 const auto mode = [&]() -> ML_DSA_Mode {
592 if(params.empty()) {
594 }
595 return ML_DSA_Mode(params);
596 }();
597
598 return std::make_unique<ML_DSA_PrivateKey>(rng, mode);
599 }
600#endif
601
602#if defined(BOTAN_HAS_HSS_LMS)
603 if(alg_name == "HSS-LMS") {
604 const auto hss_params = [&]() -> std::string {
605 if(params.empty()) {
606 return "SHA-256,HW(10,1)";
607 } else {
608 return std::string(params);
609 }
610 }();
611 return std::make_unique<HSS_LMS_PrivateKey>(rng, hss_params);
612 }
613#endif
614
615#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
616 if(alg_name == "SPHINCS+" || alg_name == "SphincsPlus") {
617 auto sphincs_params = Sphincs_Parameters::create(params);
618
619 return std::make_unique<SphincsPlus_PrivateKey>(rng, sphincs_params);
620 }
621#endif
622
623#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
624 if(alg_name == "SLH-DSA") {
625 auto slh_dsa_params = SLH_DSA_Parameters::create(params);
626
627 return std::make_unique<SLH_DSA_PrivateKey>(rng, slh_dsa_params);
628 }
629#endif
630
631#if defined(BOTAN_HAS_XMSS_RFC8391)
632 if(alg_name == "XMSS") {
633 const auto xmss_oid = [&]() -> XMSS_Parameters::xmss_algorithm_t {
634 if(params.empty()) {
636 }
637 return XMSS_Parameters(params).oid();
638 }();
639
640 return std::make_unique<XMSS_PrivateKey>(xmss_oid, rng);
641 }
642#endif
643
644#if defined(BOTAN_HAS_ED25519)
645 if(alg_name == "Ed25519") {
646 return std::make_unique<Ed25519_PrivateKey>(rng);
647 }
648#endif
649
650#if defined(BOTAN_HAS_ED448)
651 if(alg_name == "Ed448") {
652 return std::make_unique<Ed448_PrivateKey>(rng);
653 }
654#endif
655
656 // ECC crypto
657#if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
658
659 if(alg_name == "ECDSA" || alg_name == "ECDH" || alg_name == "ECKCDSA" || alg_name == "ECGDSA" || alg_name == "SM2" ||
660 alg_name == "SM2_Sig" || alg_name == "SM2_Enc" || alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" ||
661 alg_name == "GOST-34.10-2012-512") {
662 const std::string group_id = [&]() -> std::string {
663 if(!params.empty()) {
664 return std::string(params);
665 }
666 if(alg_name == "SM2" || alg_name == "SM2_Enc" || alg_name == "SM2_Sig") {
667 return "sm2p256v1";
668 }
669 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256") {
670 return "gost_256A";
671 }
672 if(alg_name == "GOST-34.10-2012-512") {
673 return "gost_512A";
674 }
675 if(alg_name == "ECGDSA") {
676 return "brainpool256r1";
677 }
678 return "secp256r1";
679 }();
680
681 if(EC_Group::supports_named_group(group_id)) {
682 auto ec_group = EC_Group::from_name(group_id);
683 return create_ec_private_key(alg_name, ec_group, rng);
684 } else {
685 return {};
686 }
687 }
688#endif
689
690 // DL crypto
691#if defined(BOTAN_HAS_DL_GROUP)
692 if(alg_name == "DH" || alg_name == "DSA" || alg_name == "ElGamal") {
693 const std::string group_id = [&]() -> std::string {
694 if(!params.empty()) {
695 return std::string(params);
696 }
697 if(alg_name == "DSA") {
698 return "dsa/botan/2048";
699 }
700 return "modp/ietf/2048";
701 }();
702
703 auto modp_group = DL_Group::from_name(group_id);
704
705 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
706 if(alg_name == "DH") {
707 return std::make_unique<DH_PrivateKey>(rng, modp_group);
708 }
709 #endif
710
711 #if defined(BOTAN_HAS_DSA)
712 if(alg_name == "DSA") {
713 return std::make_unique<DSA_PrivateKey>(rng, modp_group);
714 }
715 #endif
716
717 #if defined(BOTAN_HAS_ELGAMAL)
718 if(alg_name == "ElGamal") {
719 return std::make_unique<ElGamal_PrivateKey>(rng, modp_group);
720 }
721 #endif
722 }
723#endif
724
725 BOTAN_UNUSED(alg_name, rng, params, provider);
726
727 return std::unique_ptr<Private_Key>();
728}
static Classic_McEliece_Parameter_Set from_string(std::string_view param_name)
Get the parameter set for a given parameter set name.
static DL_Group from_name(std::string_view name)
Definition dl_group.cpp:217
static EC_Group from_name(std::string_view name)
Definition ec_group.cpp:384
static bool supports_named_group(std::string_view name)
Definition ec_group.cpp:350
static Sphincs_Parameters create(Sphincs_Parameter_Set set, Sphincs_Hash_Type hash)
xmss_algorithm_t oid() const
DilithiumMode ML_DSA_Mode
Definition ml_dsa.h:21
KyberMode ML_KEM_Mode
Definition ml_kem.h:21
std::unique_ptr< Private_Key > create_ec_private_key(std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
Definition pk_algs.cpp:442

References BOTAN_UNUSED, Botan::Classic_McEliece_Parameter_Set::ClassicMcEliece_6960119f, Botan::Sphincs_Parameters::create(), create_ec_private_key(), Botan::DilithiumMode::Dilithium6x5, fmt(), Botan::FrodoKEMMode::FrodoKEM976_SHAKE, Botan::DL_Group::from_name(), Botan::EC_Group::from_name(), Botan::Classic_McEliece_Parameter_Set::from_string(), Botan::KyberMode::Kyber1024_R3, Botan::DilithiumMode::ML_DSA_6x5, Botan::KyberMode::ML_KEM_768, Botan::XMSS_Parameters::oid(), split_on(), Botan::EC_Group::supports_named_group(), to_u32bit(), and Botan::XMSS_Parameters::XMSS_SHA2_10_512.

Referenced by botan_privkey_create(), and Botan::TLS::Hybrid_KEM_PrivateKey::generate_from_group().

◆ create_shake_row_generator()

auto Botan::create_shake_row_generator ( const FrodoKEMConstants & constants,
StrongSpan< const FrodoSeedA > seed_a )
inline

Definition at line 23 of file frodo_shake_generator.h.

23 {
24 BOTAN_ASSERT_NOMSG(constants.mode().is_shake());
25
26 return [xof = SHAKE_128_XOF(), a = FrodoSeedA(seed_a)](std::span<uint8_t> out, uint16_t i) mutable {
27 xof.clear();
28 xof.update(store_le(i));
29 xof.update(a);
30 xof.output(out);
31 };
32}
bool is_shake() const
Definition frodo_mode.h:58
Strong< std::vector< uint8_t >, struct FrodoSeedA_ > FrodoSeedA
Definition frodo_types.h:23

References BOTAN_ASSERT_NOMSG, Botan::FrodoKEMMode::is_shake(), Botan::FrodoKEMConstants::mode(), and store_le().

◆ cstr_as_span_of_bytes()

std::span< const uint8_t > Botan::cstr_as_span_of_bytes ( const char * s)
inline

Definition at line 41 of file mem_utils.h.

41 {
42 return as_span_of_bytes(s, std::strlen(s));
43}

References as_span_of_bytes().

Referenced by botan_mp_set_from_radix_str().

◆ ct_compare_u8()

uint8_t Botan::ct_compare_u8 ( const uint8_t x[],
const uint8_t y[],
size_t len )

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
0xFF iff x[i] == y[i] forall i in [0...n) or 0x00 otherwise

Definition at line 13 of file mem_ops.cpp.

13 {
14 return CT::is_equal(x, y, len).value();
15}

References Botan::CT::is_equal().

◆ ct_divide() [1/2]

BigInt Botan::ct_divide ( const BigInt & x,
const BigInt & y )
inline

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
Returns
x/y with remainder discarded

Definition at line 63 of file divide.h.

63 {
64 BigInt q;
65 BigInt r;
66 ct_divide(x, y, q, r);
67 return q;
68}
void ct_divide(const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:51

References ct_divide().

◆ ct_divide() [2/2]

BOTAN_TEST_API void Botan::ct_divide ( const BigInt & x,
const BigInt & y,
BigInt & q,
BigInt & r )

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 51 of file divide.cpp.

51 {
52 if(y.is_zero()) {
53 throw Invalid_Argument("ct_divide: cannot divide by zero");
54 }
55
56 const size_t x_words = x.sig_words();
57 const size_t y_words = y.sig_words();
58
59 const size_t x_bits = x.bits();
60
61 BigInt q = BigInt::with_capacity(x_words);
62 BigInt r = BigInt::with_capacity(y_words);
63 BigInt t = BigInt::with_capacity(y_words); // a temporary
64
65 for(size_t i = 0; i != x_bits; ++i) {
66 const size_t b = x_bits - 1 - i;
67 const bool x_b = x.get_bit(b);
68
69 r <<= 1;
70 r.conditionally_set_bit(0, x_b);
71
72 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
73
74 q.conditionally_set_bit(b, r_gte_y);
75 r.ct_cond_swap(r_gte_y, t);
76 }
77
78 sign_fixup(x, y, q, r);
79 r_out = r;
80 q_out = q;
81}
size_t sig_words() const
Definition bigint.h:615
size_t bits() const
Definition bigint.cpp:311
const word * _data() const
Definition bigint.h:936
bool is_zero() const
Definition bigint.h:457
bool get_bit(size_t n) const
Definition bigint.h:496
static BigInt with_capacity(size_t n)
Definition bigint.cpp:50
constexpr auto bigint_sub3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:194

References Botan::BigInt::_data(), bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::get_bit(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().

Referenced by ct_divide(), Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), and lcm().

◆ ct_divide_pow2k()

BOTAN_TEST_API BigInt Botan::ct_divide_pow2k ( size_t k,
const BigInt & y )

BigInt division, const time variant, 2^k variant

This runs with control flow independent of the value of y. This function leaks the value of k and the length of y. If k < bits(y) this returns zero

Parameters
kan integer
ya positive integer
Returns
q equal to 2**k / y

Definition at line 83 of file divide.cpp.

83 {
84 BOTAN_ARG_CHECK(!y.is_zero(), "Cannot divide by zero");
85 BOTAN_ARG_CHECK(!y.is_negative(), "Negative divisor not supported");
86 BOTAN_ARG_CHECK(k > 1, "Invalid k");
87
88 const size_t x_bits = k + 1;
89 const size_t y_bits = y.bits();
90
91 if(x_bits < y_bits) {
92 return BigInt::zero();
93 }
94
95 BOTAN_ASSERT_NOMSG(y_bits >= 1);
96 const size_t x_words = (x_bits + WordInfo<word>::bits - 1) / WordInfo<word>::bits;
97 const size_t y_words = y.sig_words();
98
99 BigInt q = BigInt::with_capacity(x_words);
100 BigInt r = BigInt::with_capacity(y_words + 1);
101 BigInt t = BigInt::with_capacity(y_words + 1); // a temporary
102
103 r.set_bit(y_bits - 1);
104 for(size_t i = y_bits - 1; i != x_bits; ++i) {
105 const size_t b = x_bits - 1 - i;
106
107 if(i >= y_bits) {
108 bigint_shl1(r.mutable_data(), r.size(), r.size(), 1);
109 }
110
111 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
112
113 q.conditionally_set_bit(b, r_gte_y);
114
115 bigint_cnd_swap(static_cast<word>(r_gte_y), r.mutable_data(), t.mutable_data(), y_words + 1);
116 }
117
118 // No need for sign fixup
119
120 return q;
121}
static BigInt zero()
Definition bigint.h:49
bool is_negative() const
Definition bigint.h:559
constexpr void bigint_cnd_swap(W cnd, W x[], W y[], size_t size)
Definition mp_core.h:31
constexpr void bigint_shl1(W x[], size_t x_size, size_t x_words, size_t shift)
Definition mp_core.h:309

References Botan::BigInt::_data(), bigint_cnd_swap(), bigint_shl1(), bigint_sub3(), Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BigInt::conditionally_set_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::set_bit(), Botan::BigInt::sig_words(), Botan::BigInt::size(), Botan::BigInt::with_capacity(), and Botan::BigInt::zero().

Referenced by Botan::Barrett_Reduction::for_secret_modulus().

◆ ct_divide_word() [1/2]

BigInt Botan::ct_divide_word ( const BigInt & x,
word y )

Constant time division

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xan integer
ya non-zero word
Returns
quotient floor(x / y)

Definition at line 160 of file divide.cpp.

160 {
161 BigInt q;
162 word r = 0;
163 ct_divide_word(x, y, q, r);
164 BOTAN_UNUSED(r);
165 return q;
166}

References BOTAN_UNUSED, and ct_divide_word().

◆ ct_divide_word() [2/2]

BOTAN_TEST_API void Botan::ct_divide_word ( const BigInt & x,
word y,
BigInt & q,
word & r )

Constant time division

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 123 of file divide.cpp.

123 {
124 if(y == 0) {
125 throw Invalid_Argument("ct_divide_word: cannot divide by zero");
126 }
127
128 const size_t x_words = x.sig_words();
129 const size_t x_bits = x.bits();
130
131 BigInt q = BigInt::with_capacity(x_words);
132 word r = 0;
133
134 for(size_t i = 0; i != x_bits; ++i) {
135 const size_t b = x_bits - 1 - i;
136 const bool x_b = x.get_bit(b);
137
138 const auto r_carry = CT::Mask<word>::expand_top_bit(r);
139
140 r <<= 1;
141 r += static_cast<word>(x_b);
142
143 const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
144 q.conditionally_set_bit(b, r_gte_y.as_bool());
145 r = r_gte_y.select(r - y, r);
146 }
147
148 if(x.is_negative()) {
149 q.flip_sign();
150 if(r != 0) {
151 --q;
152 r = y - r;
153 }
154 }
155
156 r_out = r;
157 q_out = q;
158}
static constexpr Mask< T > is_gte(T x, T y)
Definition ct_utils.h:496
static constexpr Mask< T > expand_top_bit(T v)
Definition ct_utils.h:443

References Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::CT::Mask< T >::expand_top_bit(), Botan::BigInt::flip_sign(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), Botan::BigInt::is_negative(), Botan::BigInt::sig_words(), and Botan::BigInt::with_capacity().

Referenced by compute_rsa_secret_exponent(), ct_divide_word(), operator/(), and Botan::BigInt::to_dec_string().

◆ ct_is_zero()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::ct_is_zero ( T x)
constexpr

If arg is zero, return ~0. Otherwise return 0

Definition at line 35 of file bit_ops.h.

35 {
36 return expand_top_bit<T>(~x & (x - 1));
37}
BOTAN_FORCE_INLINE constexpr T expand_top_bit(T a)
Definition bit_ops.h:27

References BOTAN_FORCE_INLINE, and expand_top_bit().

Referenced by ctz(), Botan::CT::Choice::from_int(), high_bit(), Botan::CT::Mask< T >::is_zero(), prefetch_array_raw(), and significant_bytes().

◆ ct_mod_word()

BOTAN_TEST_API word Botan::ct_mod_word ( const BigInt & x,
word y )

BigInt word modulo, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.

Parameters
xa positive integer
ya non-zero word
Returns
r the remainder of x divided by y

Definition at line 168 of file divide.cpp.

168 {
169 BOTAN_ARG_CHECK(x.is_positive(), "The argument x must be positive");
170 BOTAN_ARG_CHECK(y != 0, "Cannot divide by zero");
171
172 const size_t x_bits = x.bits();
173
174 word r = 0;
175
176 for(size_t i = 0; i != x_bits; ++i) {
177 const size_t b = x_bits - 1 - i;
178 const bool x_b = x.get_bit(b);
179
180 const auto r_carry = CT::Mask<word>::expand_top_bit(r);
181
182 r <<= 1;
183 r += static_cast<word>(x_b);
184
185 const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
186 r = r_gte_y.select(r - y, r);
187 }
188
189 return r;
190}
bool is_positive() const
Definition bigint.h:565

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, Botan::CT::Mask< T >::expand_top_bit(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), and Botan::BigInt::is_positive().

Referenced by compute_rsa_secret_exponent().

◆ ct_modulo()

BOTAN_TEST_API BigInt Botan::ct_modulo ( const BigInt & x,
const BigInt & modulo )

BigInt modulo, const time variant

Using this function is (slightly) cheaper than calling ct_divide and using only the remainder.

Parameters
xa non-negative integer
moduloa positive integer
Returns
result x % modulo

Definition at line 192 of file divide.cpp.

192 {
193 if(y.is_negative() || y.is_zero()) {
194 throw Invalid_Argument("ct_modulo requires y > 0");
195 }
196
197 const size_t y_words = y.sig_words();
198
199 const size_t x_bits = x.bits();
200
201 BigInt r = BigInt::with_capacity(y_words);
202 BigInt t = BigInt::with_capacity(y_words);
203
204 for(size_t i = 0; i != x_bits; ++i) {
205 const size_t b = x_bits - 1 - i;
206 const bool x_b = x.get_bit(b);
207
208 r <<= 1;
209 r.conditionally_set_bit(0, x_b);
210
211 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
212
213 r.ct_cond_swap(r_gte_y, t);
214 }
215
216 if(x.is_negative()) {
217 if(r.is_nonzero()) {
218 r = y - r;
219 }
220 }
221
222 return r;
223}

References Botan::BigInt::_data(), bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().

Referenced by Botan::RSA_PrivateKey::check_key(), Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), inverse_mod(), inverse_mod_general(), power_mod(), Botan::Modular_Reducer::reduce(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ ct_popcount()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr uint8_t Botan::ct_popcount ( T x)
constexpr

Calculates the number of 1-bits in an unsigned integer in constant-time. This operation is also known as "population count" or hamming weight.

Modern compilers will recognize this pattern and replace it by a hardware instruction, if available. This is the SWAR (SIMD within a register) algorithm. See: https://nimrod.blog/posts/algorithms-behind-popcount/#swar-algorithm

Note: C++20 provides std::popcount(), but there's no guarantee that this is implemented in constant-time.

Parameters
xan unsigned integer
Returns
the number of 1-bits in the provided value

Definition at line 253 of file bit_ops.h.

253 {
254 constexpr size_t s = sizeof(T);
255 static_assert(s <= 8, "T is not a suitable unsigned integer value");
256 if constexpr(s == 8) {
257 x = x - ((x >> 1) & 0x5555555555555555);
258 x = (x & 0x3333333333333333) + ((x >> 2) & 0x3333333333333333);
259 x = (x + (x >> 4)) & 0xF0F0F0F0F0F0F0F;
260 return (x * 0x101010101010101) >> 56;
261 } else if constexpr(s == 4) {
262 x = x - ((x >> 1) & 0x55555555);
263 x = (x & 0x33333333) + ((x >> 2) & 0x33333333);
264 x = (x + (x >> 4)) & 0x0F0F0F0F;
265 return (x * 0x01010101) >> 24;
266 } else {
267 // s < 4
268 return ct_popcount(static_cast<uint32_t>(x));
269 }
270}
BOTAN_FORCE_INLINE constexpr uint8_t ct_popcount(T x)
Definition bit_ops.h:253

References BOTAN_FORCE_INLINE, and ct_popcount().

Referenced by ct_popcount(), and Botan::bitvector_base< secure_allocator >::hamming_weight().

◆ ct_reverse_bits()

template<std::unsigned_integral T>
T Botan::ct_reverse_bits ( T b)
inlineconstexpr
Returns
the reversed bits in b.

Definition at line 219 of file bit_ops.h.

219 {
220 auto extend = [](uint8_t m) -> T {
221 T mask = 0;
222 for(size_t i = 0; i < sizeof(T); ++i) {
223 mask |= T(m) << i * 8;
224 }
225 return mask;
226 };
227
228 // First reverse bits in each byte...
229 // From: https://stackoverflow.com/a/2602885
230 b = (b & extend(0xF0)) >> 4 | (b & extend(0x0F)) << 4;
231 b = (b & extend(0xCC)) >> 2 | (b & extend(0x33)) << 2;
232 b = (b & extend(0xAA)) >> 1 | (b & extend(0x55)) << 1;
233
234 // ... then swap the bytes
235 return reverse_bytes(b);
236}
constexpr T reverse_bytes(T x)
Definition bswap.h:27

References reverse_bytes().

◆ ctz()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr size_t Botan::ctz ( T n)
constexpr

Count the trailing zero bits in n

Parameters
nan integer value
Returns
maximum x st 2^x divides n

Definition at line 96 of file bit_ops.h.

96 {
97 /*
98 * If n == 0 then this function will compute 8*sizeof(T)-1, so
99 * initialize lb to 1 if n == 0 to produce the expected result.
100 */
101 size_t lb = ct_is_zero(n) & 1;
102
103 for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) {
104 const T mask = (static_cast<T>(1) << s) - 1;
105 const size_t z = s * (ct_is_zero(n & mask) & 1);
106 lb += z;
107 n >>= z;
108 }
109
110 return lb;
111}
BOTAN_FORCE_INLINE constexpr T ct_is_zero(T x)
Definition bit_ops.h:35

References BOTAN_FORCE_INLINE, and ct_is_zero().

Referenced by low_zero_bits(), and var_ctz32().

◆ curve25519_basepoint()

void Botan::curve25519_basepoint ( uint8_t mypublic[32],
const uint8_t secret[32] )

Exponentiate by the x25519 base point

Parameters
mypublicoutput value
secretrandom scalar

Definition at line 19 of file x25519.cpp.

19 {
20 const uint8_t basepoint[32] = {9};
21 curve25519_donna(mypublic, secret, basepoint);
22}
void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
Definition donna.cpp:454

References curve25519_donna().

Referenced by Botan::X25519_PrivateKey::check_key(), Botan::Sodium::crypto_scalarmult_curve25519_base(), Botan::X25519_PrivateKey::X25519_PrivateKey(), Botan::X25519_PrivateKey::X25519_PrivateKey(), and Botan::X25519_PrivateKey::X25519_PrivateKey().

◆ curve25519_donna()

void Botan::curve25519_donna ( uint8_t mypublic[32],
const uint8_t secret[32],
const uint8_t basepoint[32] )

Definition at line 454 of file donna.cpp.

454 {
455 CT::poison(secret, 32);
456 CT::poison(basepoint, 32);
457
458 uint64_t bp[5];
459 uint64_t x[5];
460 uint64_t z[5];
461 uint64_t zmone[5];
462 uint8_t e[32];
463
464 copy_mem(e, secret, 32);
465 e[0] &= 248;
466 e[31] &= 127;
467 e[31] |= 64;
468
469 fexpand(bp, basepoint);
470 cmult(x, z, e, bp);
471 crecip(zmone, z);
472 fmul(z, x, zmone);
473 fcontract(mypublic, z);
474
475 CT::unpoison(secret, 32);
476 CT::unpoison(basepoint, 32);
477 CT::unpoison(mypublic, 32);
478}

References copy_mem(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by Botan::Sodium::crypto_scalarmult_curve25519(), and curve25519_basepoint().

◆ dbl_a_minus_3()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_a_minus_3 ( const ProjectivePoint & pt)
inlineconstexpr

Definition at line 355 of file pcurves_algos.h.

355 {
356 /*
357 if a == -3 then
358 3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2)
359 */
360 const auto z2 = pt.z().square();
361 const auto m = (pt.x() - z2).mul3() * (pt.x() + z2);
362
363 // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8
364 const auto y2 = pt.y().square();
365 const auto s = pt.x().mul4() * y2;
366 const auto nx = m.square() - s.mul2();
367 const auto ny = m * (s - nx) - y2.square().mul8();
368 const auto nz = pt.y().mul2() * pt.z();
369
370 return ProjectivePoint(nx, ny, nz);
371}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::dbl().

◆ dbl_a_zero()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_a_zero ( const ProjectivePoint & pt)
inlineconstexpr

Definition at line 374 of file pcurves_algos.h.

374 {
375 // If a == 0 then 3*x^2 + a*z^4 == 3*x^2
376 // Cost: 1S + 1*3
377 const auto m = pt.x().square().mul3();
378
379 // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8
380 const auto y2 = pt.y().square();
381 const auto s = pt.x().mul4() * y2;
382 const auto nx = m.square() - s.mul2();
383 const auto ny = m * (s - nx) - y2.square().mul8();
384 const auto nz = pt.y().mul2() * pt.z();
385
386 return ProjectivePoint(nx, ny, nz);
387}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::dbl().

◆ dbl_generic()

template<typename ProjectivePoint, typename FieldElement>
ProjectivePoint Botan::dbl_generic ( const ProjectivePoint & pt,
const FieldElement & A )
inlineconstexpr

Definition at line 390 of file pcurves_algos.h.

390 {
391 // Cost: 1M + 3S + 1A + 1*3
392 const auto z2 = pt.z().square();
393 const auto m = pt.x().square().mul3() + A * z2.square();
394
395 // Remaining cost: 3M + 3S + 3A + 2*2 + 1*4 + 1*8
396 const auto y2 = pt.y().square();
397 const auto s = pt.x().mul4() * y2;
398 const auto nx = m.square() - s.mul2();
399 const auto ny = m * (s - nx) - y2.square().mul8();
400 const auto nz = pt.y().mul2() * pt.z();
401
402 return ProjectivePoint(nx, ny, nz);
403}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::dbl().

◆ dbl_n_a_minus_3()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_n_a_minus_3 ( const ProjectivePoint & pt,
size_t n )
inlineconstexpr

Definition at line 425 of file pcurves_algos.h.

425 {
426 auto nx = pt.x();
427 auto ny = pt.y().mul2();
428 auto nz = pt.z();
429 auto w = nz.square().square();
430
431 // Conditional ok: loop iteration count is public
432 while(n > 0) {
433 const auto ny2 = ny.square();
434 const auto ny4 = ny2.square();
435 const auto t1 = (nx.square() - w).mul3();
436 const auto t2 = nx * ny2;
437 nx = t1.square() - t2.mul2();
438 nz *= ny;
439 ny = t1 * (t2 - nx).mul2() - ny4;
440 n--;
441 // Conditional ok: loop iteration count is public
442 if(n > 0) {
443 w *= ny4;
444 }
445 }
446 return ProjectivePoint(nx, ny.div2(), nz);
447}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::dbl_n().

◆ dbl_n_a_zero()

template<typename ProjectivePoint>
ProjectivePoint Botan::dbl_n_a_zero ( const ProjectivePoint & pt,
size_t n )
inlineconstexpr

Definition at line 450 of file pcurves_algos.h.

450 {
451 auto nx = pt.x();
452 auto ny = pt.y().mul2();
453 auto nz = pt.z();
454
455 // Conditional ok: loop iteration count is public
456 while(n > 0) {
457 const auto ny2 = ny.square();
458 const auto ny4 = ny2.square();
459 const auto t1 = nx.square().mul3();
460 const auto t2 = nx * ny2;
461 nx = t1.square() - t2.mul2();
462 nz *= ny;
463 ny = t1 * (t2 - nx).mul2() - ny4;
464 n--;
465 }
466 return ProjectivePoint(nx, ny.div2(), nz);
467}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::dbl_n().

◆ dbl_n_generic()

template<typename ProjectivePoint, typename FieldElement>
ProjectivePoint Botan::dbl_n_generic ( const ProjectivePoint & pt,
const FieldElement & A,
size_t n )
inlineconstexpr

Definition at line 470 of file pcurves_algos.h.

470 {
471 auto nx = pt.x();
472 auto ny = pt.y().mul2();
473 auto nz = pt.z();
474 auto w = nz.square().square() * A;
475
476 // Conditional ok: loop iteration count is public
477 while(n > 0) {
478 const auto ny2 = ny.square();
479 const auto ny4 = ny2.square();
480 const auto t1 = nx.square().mul3() + w;
481 const auto t2 = nx * ny2;
482 nx = t1.square() - t2.mul2();
483 nz *= ny;
484 ny = t1 * (t2 - nx).mul2() - ny4;
485 n--;
486 // Conditional ok: loop iteration count is public
487 if(n > 0) {
488 w *= ny4;
489 }
490 }
491 return ProjectivePoint(nx, ny.div2(), nz);
492}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::dbl_n().

◆ deallocate_memory()

void Botan::deallocate_memory ( void * p,
size_t elems,
size_t elem_size )

Free a pointer returned by allocate_memory

Parameters
pthe pointer returned by allocate_memory
elemsthe number of elements, as passed to allocate_memory
elem_sizethe size of each element, as passed to allocate_memory

Definition at line 48 of file allocator.cpp.

48 {
49 if(p == nullptr) {
50 [[unlikely]] return;
51 }
52
53 secure_scrub_memory(p, elems * elem_size);
54
55#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
56 if(mlock_allocator::instance().deallocate(p, elems, elem_size)) {
57 return;
58 }
59#endif
60
61 std::free(p); // NOLINT(*-no-malloc,*-owning-memory)
62}
void secure_scrub_memory(void *ptr, size_t n)
Definition mem_utils.cpp:24

References Botan::mlock_allocator::instance(), and secure_scrub_memory().

Referenced by Botan::secure_allocator< T >::deallocate().

◆ decode_gf2m()

gf2m Botan::decode_gf2m ( const uint8_t * mem)

Definition at line 102 of file gf2m_small_m.cpp.

102 {
103 gf2m result = mem[0] << 8;
104 result |= mem[1];
105 return result;
106}
uint16_t gf2m

Referenced by Botan::polyn_gf2m::polyn_gf2m().

◆ decode_point()

Point448 Botan::decode_point ( std::span< const uint8_t > p_bytes)

Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate)

Definition at line 25 of file x448_internal.cpp.

25 {
26 BOTAN_ARG_CHECK(p_bytes.size() == X448_LEN, "Invalid size for X448 point");
27 return typecast_copy<Point448>(p_bytes);
28}
constexpr size_t X448_LEN
constexpr void typecast_copy(ToR &&out, const FromR &in)
Definition mem_ops.h:177

References BOTAN_ARG_CHECK, typecast_copy(), and X448_LEN.

◆ decode_scalar()

ScalarX448 Botan::decode_scalar ( std::span< const uint8_t > scalar_bytes)

Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448)

Definition at line 30 of file x448_internal.cpp.

30 {
31 BOTAN_ARG_CHECK(scalar_bytes.size() == X448_LEN, "Invalid size for X448 scalar");
32 auto buf = typecast_copy<ScalarX448>(scalar_bytes);
33
34 buf[0] &= 0xfc;
35 buf[55] |= 0x80;
36
37 return buf;
38}

References BOTAN_ARG_CHECK, typecast_copy(), and X448_LEN.

◆ dl_exponent_size()

size_t BOTAN_TEST_API Botan::dl_exponent_size ( size_t prime_group_size)

Return the appropriate exponent size to use for a particular prime group. This is twice the size of the estimated cost of breaking the key using an index calculus attack; the assumption is that if an arbitrary discrete log on a group of size bits would take about 2^n effort, and thus using an exponent of size 2^(2*n) implies that all available attacks are about as easy (as e.g Pollard's kangaroo algorithm can compute the DL in sqrt(x) operations) while minimizing the exponent size for performance reasons.

Definition at line 51 of file workfactor.cpp.

51 {
52 if(bits == 0) {
53 return 0;
54 }
55 if(bits <= 256) {
56 return bits - 1;
57 }
58 if(bits <= 1024) {
59 return 192;
60 }
61 if(bits <= 1536) {
62 return 224;
63 }
64 if(bits <= 2048) {
65 return 256;
66 }
67 if(bits <= 4096) {
68 return 384;
69 }
70 return 512;
71}

Referenced by Botan::DL_Group::DL_Group().

◆ dl_work_factor()

size_t BOTAN_TEST_API Botan::dl_work_factor ( size_t prime_group_size)

Estimate work factor for discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 46 of file workfactor.cpp.

46 {
47 // Lacking better estimates...
48 return if_work_factor(bits);
49}
size_t if_work_factor(size_t bits)

References if_work_factor().

◆ do_throw_error()

template<typename E, typename... Args>
void Botan::do_throw_error ( const char * file,
int line,
const char * func,
Args... args )
inline

Definition at line 342 of file exceptn.h.

342 {
343 throw E(file, line, func, args...);
344}

◆ ecp_work_factor()

size_t Botan::ecp_work_factor ( size_t prime_group_size)

Estimate work factor for EC discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 14 of file workfactor.cpp.

14 {
15 return bits / 2;
16}

Referenced by Botan::EC_PublicKey::estimated_strength().

◆ ed25519_basepoint_mul()

void Botan::ed25519_basepoint_mul ( std::span< uint8_t, 32 > out,
const uint8_t in[32] )

Definition at line 1863 of file ge.cpp.

1863 {
1864 std::array<int8_t, 64> e{};
1865
1866 CT::poison(a, 32);
1867
1868 // each e[i] is between 0 and 15 except e[63] which is between 0 and 7
1869 for(size_t i = 0; i != 32; ++i) {
1870 e[2 * i + 0] = (a[i] >> 0) & 0x0F;
1871 e[2 * i + 1] = (a[i] >> 4) & 0x0F;
1872 }
1873
1874 int8_t carry = 0;
1875 for(size_t i = 0; i < 63; ++i) {
1876 e[i] += carry;
1877 carry = e[i] + 8;
1878 carry >>= 4;
1879 e[i] -= carry << 4;
1880 }
1881 e[63] += carry;
1882 /* each e[i] is between -8 and 8 */
1883
1884 auto h = Ed25519_Point_Extended::identity();
1885 for(size_t i = 1; i < 64; i += 2) {
1886 h = Ed25519_Point_Extended::from(h + select(B_precomp[i / 2], e[i]));
1887 }
1888
1889 auto s = Ed25519_Point_Projective::from(h.dbl());
1890 s = Ed25519_Point_Projective::from(s.dbl());
1891 s = Ed25519_Point_Projective::from(s.dbl());
1892 h = Ed25519_Point_Extended::from(s.dbl());
1893
1894 for(size_t i = 0; i != 64; i += 2) {
1895 h = Ed25519_Point_Extended::from(h + select(B_precomp[i / 2], e[i]));
1896 }
1897
1898 h.serialize_to(out);
1899
1900 CT::unpoison(a, 32);
1901 CT::unpoison(out);
1902}

References carry(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by ed25519_gen_keypair(), and ed25519_sign().

◆ ed25519_gen_keypair()

void Botan::ed25519_gen_keypair ( uint8_t pk[32],
uint8_t sk[64],
const uint8_t seed[32] )

Definition at line 20 of file ed25519.cpp.

20 {
21 uint8_t az[64];
22
23 auto sha512 = HashFunction::create_or_throw("SHA-512");
24 sha512->update(seed, 32);
25 sha512->final(az);
26 az[0] &= 248;
27 az[31] &= 63;
28 az[31] |= 64;
29
30 ed25519_basepoint_mul(std::span<uint8_t, 32>{pk, 32}, az);
31
32 copy_mem(sk, seed, 32);
33 copy_mem(sk + 32, pk, 32);
34}
void ed25519_basepoint_mul(std::span< uint8_t, 32 > out, const uint8_t in[32])
Definition ge.cpp:1863

References copy_mem(), Botan::HashFunction::create_or_throw(), and ed25519_basepoint_mul().

Referenced by Botan::Sodium::crypto_sign_ed25519_seed_keypair(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), and Botan::Ed25519_PrivateKey::Ed25519_PrivateKey().

◆ ed25519_sign()

void Botan::ed25519_sign ( uint8_t sig[64],
const uint8_t m[],
size_t mlen,
const uint8_t sk[64],
const uint8_t domain_sep[],
size_t domain_sep_len )

Definition at line 36 of file ed25519.cpp.

41 {
42 uint8_t az[64];
43 uint8_t nonce[64];
44 uint8_t hram[64];
45
46 auto sha512 = HashFunction::create_or_throw("SHA-512");
47
48 sha512->update(sk, 32);
49 sha512->final(az);
50 az[0] &= 248;
51 az[31] &= 63;
52 az[31] |= 64;
53
54 sha512->update(domain_sep, domain_sep_len);
55 sha512->update(az + 32, 32);
56 sha512->update(m, mlen);
57 sha512->final(nonce);
58
59 sc_reduce(nonce);
60 ed25519_basepoint_mul(std::span<uint8_t, 32>{sig, 32}, nonce);
61
62 sha512->update(domain_sep, domain_sep_len);
63 sha512->update(sig, 32);
64 sha512->update(sk + 32, 32);
65 sha512->update(m, mlen);
66 sha512->final(hram);
67
68 sc_reduce(hram);
69 sc_muladd(sig + 32, hram, az, nonce);
70}
void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, const uint8_t *c)
Definition sc_muladd.cpp:26
void sc_reduce(uint8_t *s)
Definition sc_reduce.cpp:25

References Botan::HashFunction::create_or_throw(), ed25519_basepoint_mul(), sc_muladd(), and sc_reduce().

Referenced by Botan::Sodium::crypto_sign_ed25519_detached().

◆ ed25519_verify() [1/2]

bool Botan::ed25519_verify ( const uint8_t * m,
size_t mlen,
const uint8_t sig[64],
const uint8_t * pk,
const uint8_t domain_sep[],
size_t domain_sep_len )

Definition at line 72 of file ed25519.cpp.

77 {
78 if((sig[63] & 0xE0) != 0x00) {
79 return false;
80 }
81
82 const uint64_t CURVE25519_ORDER[4] = {
83 0x1000000000000000,
84 0x0000000000000000,
85 0x14def9dea2f79cd6,
86 0x5812631a5cf5d3ed,
87 };
88
89 const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3),
90 load_le<uint64_t>(sig + 32, 2),
91 load_le<uint64_t>(sig + 32, 1),
92 load_le<uint64_t>(sig + 32, 0)};
93
94 // RFC 8032 adds the requirement that we verify that s < order in
95 // the signature; this did not exist in the original Ed25519 spec.
96 for(size_t i = 0; i != 4; ++i) {
97 if(s[i] > CURVE25519_ORDER[i]) {
98 return false;
99 }
100 if(s[i] < CURVE25519_ORDER[i]) {
101 break;
102 }
103 if(i == 3) { // here s == order
104 return false;
105 }
106 }
107
108 uint8_t h[64];
109 auto sha512 = HashFunction::create_or_throw("SHA-512");
110
111 sha512->update(domain_sep, domain_sep_len);
112 sha512->update(sig, 32);
113 sha512->update(pk, 32);
114 sha512->update(m, mlen);
115 sha512->final(h);
116 sc_reduce(h);
117
118 return signature_check(std::span<const uint8_t, 32>{pk, 32}, h, sig, sig + 32);
119}
bool signature_check(std::span< const uint8_t, 32 > pk, const uint8_t h[32], const uint8_t r[32], const uint8_t s[32])
Definition ge.cpp:1904
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:495

References Botan::HashFunction::create_or_throw(), load_le(), sc_reduce(), and signature_check().

Referenced by Botan::Sodium::crypto_sign_ed25519_verify_detached(), and ed25519_verify().

◆ ed25519_verify() [2/2]

bool Botan::ed25519_verify ( const uint8_t msg[],
size_t msg_len,
const uint8_t sig[64],
const uint8_t pk[32],
const uint8_t domain_sep[],
size_t domain_sep_len )

References ed25519_verify().

◆ encode_gf2m()

uint32_t Botan::encode_gf2m ( gf2m to_enc,
uint8_t * mem )

Definition at line 96 of file gf2m_small_m.cpp.

96 {
97 mem[0] = to_enc >> 8;
98 mem[1] = to_enc & 0xFF;
99 return sizeof(to_enc);
100}

◆ encode_point()

secure_vector< uint8_t > Botan::encode_point ( const Point448 & p)

Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate)

Definition at line 21 of file x448_internal.cpp.

21 {
22 return {p.begin(), p.end()};
23}
decltype(auto) begin() noexcept(noexcept(this->get().begin()))
Definition strong_type.h:92
decltype(auto) end() noexcept(noexcept(this->get().end()))
Definition strong_type.h:96

References Botan::detail::Container_Strong_Adapter_Base< T >::begin(), and Botan::detail::Container_Strong_Adapter_Base< T >::end().

◆ esdm_rng()

RandomNumberGenerator & Botan::esdm_rng ( )

Return a shared reference to a global PRNG instance provided by ESDM

Definition at line 99 of file esdm_rng.cpp.

99 {
100 static ESDM_RNG g_esdm_rng;
101 return g_esdm_rng;
102}

◆ expand_mask_16bit()

template<typename T>
uint16_t Botan::expand_mask_16bit ( T tst)

Expand an input to a bit mask depending on it being being zero or non-zero

Parameters
tstthe input
Returns
the mask 0xFFFF if tst is non-zero and 0 otherwise

Definition at line 25 of file code_based_util.h.

25 {
26 const uint16_t result = (tst != 0);
27 return ~(result - 1);
28}

Referenced by Botan::polyn_gf2m::calc_degree_secure(), Botan::polyn_gf2m::eea_with_coefficients(), and Botan::polyn_gf2m::patchup_deg_secure().

◆ expand_message_xmd()

void BOTAN_TEST_API Botan::expand_message_xmd ( std::string_view hash_fn,
std::span< uint8_t > output,
std::span< const uint8_t > input,
std::span< const uint8_t > domain_sep )

XMD hash function from RFC 9380

This is only used internally to implement hash2curve so is not exposed to end users.

Definition at line 17 of file xmd.cpp.

20 {
21 if(domain_sep.size() > 0xFF) {
22 // RFC 9380 has a specification for handling this
23 throw Not_Implemented("XMD does not currently implement oversize DST handling");
24 }
25
26 const uint8_t domain_sep_len = static_cast<uint8_t>(domain_sep.size());
27
28 auto hash = HashFunction::create_or_throw(hash_fn);
29 const size_t block_size = hash->hash_block_size();
30 if(block_size == 0) {
31 throw Invalid_Argument(fmt("expand_message_xmd cannot be used with {}", hash_fn));
32 }
33
34 const size_t hash_output_size = hash->output_length();
35 if(output.size() > 255 * hash_output_size || output.size() > 0xFFFF) {
36 throw Invalid_Argument("expand_message_xmd requested output length too long");
37 }
38
39 // Compute b_0 = H(msg_prime) = H(Z_pad || msg || l_i_b_str || 0x00 || DST_prime)
40
41 hash->update(std::vector<uint8_t>(block_size));
42 hash->update(input);
43 hash->update_be(static_cast<uint16_t>(output.size()));
44 hash->update(0x00);
45 hash->update(domain_sep);
46 hash->update(domain_sep_len);
47
48 const secure_vector<uint8_t> b_0 = hash->final();
49
50 // Compute b_1 = H(b_0 || 0x01 || DST_prime)
51
52 hash->update(b_0);
53 hash->update(0x01);
54 hash->update(domain_sep);
55 hash->update(domain_sep_len);
56
57 secure_vector<uint8_t> b_i = hash->final();
58
59 uint8_t cnt = 2;
60 for(;;) {
61 const size_t produced = std::min(output.size(), hash_output_size);
62
63 copy_mem(output.data(), b_i.data(), produced);
64 output = output.subspan(produced);
65
66 if(output.empty()) {
67 break;
68 }
69
70 // Now compute the next b_i if needed
71
72 b_i ^= b_0;
73 hash->update(b_i);
74 hash->update(cnt);
75 hash->update(domain_sep);
76 hash->update(domain_sep_len);
77 hash->final(b_i);
78 cnt += 1;
79 }
80}

References copy_mem(), Botan::HashFunction::create_or_throw(), and fmt().

Referenced by Botan::EC_Scalar::hash().

◆ expand_top_bit()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::expand_top_bit ( T a)
constexpr

If top bit of arg is set, return ~0. Otherwise return 0.

Definition at line 27 of file bit_ops.h.

27 {
28 return static_cast<T>(0) - (a >> (sizeof(T) * 8 - 1));
29}

References BOTAN_FORCE_INLINE.

Referenced by ct_is_zero(), and Botan::CT::Mask< T >::expand_top_bit().

◆ extended_euclidean_algorithm()

template<std::integral T>
eea_result< T > Botan::extended_euclidean_algorithm ( T a,
T b )
consteval

Run the extended Euclidean algorithm to find the greatest common divisor of a and b and the Bézout coefficients, u and v.

Definition at line 69 of file pqcrystals_helpers.h.

69 {
70 if(a > b) {
71 std::swap(a, b);
72 }
73
74 T u1 = 0;
75 T v1 = 1;
76 T u2 = 1;
77 T v2 = 0;
78
79 if(a != b) {
80 while(a != 0) {
81 const T q = b / a;
82 std::tie(a, b) = std::make_tuple(static_cast<T>(b - q * a), a);
83 std::tie(u1, v1, u2, v2) = std::make_tuple(u2, v2, static_cast<T>(u1 - q * u2), static_cast<T>(v1 - q * v2));
84 }
85 }
86
87 return {.gcd = b, .u = u1, .v = v1};
88}

Referenced by modular_inverse().

◆ find_roots_gf2m_decomp()

secure_vector< gf2m > Botan::find_roots_gf2m_decomp ( const polyn_gf2m & polyn,
size_t code_length )

Find the roots of a polynomial over GF(2^m) using the method by Federenko et al.

Definition at line 241 of file gf2m_rootfind_dcmp.cpp.

241 {
242 gf2m_decomp_rootfind_state state(polyn, code_length);
243 return state.find_roots(polyn);
244}

References find_roots_gf2m_decomp().

Referenced by find_roots_gf2m_decomp().

◆ floor_log2()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::floor_log2 ( T n)
constexpr

Definition at line 114 of file bit_ops.h.

114 {
115 BOTAN_ARG_CHECK(n != 0, "log2(0) is not defined");
116 return static_cast<T>(high_bit(n) - 1);
117}
BOTAN_FORCE_INLINE constexpr size_t high_bit(T n)
Definition bit_ops.h:56

References BOTAN_ARG_CHECK, BOTAN_FORCE_INLINE, and high_bit().

Referenced by Botan::Classic_McEliece_GF::log_q_from_mod(), and Botan::Classic_McEliece_Parameters::tau().

◆ fmt()

template<typename... T>
std::string Botan::fmt ( std::string_view format,
const T &... args )

Simple formatter utility.

Should be replaced with std::format once that's available on all our supported compilers.

'{}' markers in the format string are replaced by the arguments. Unlike std::format, there is no support for escaping or for any kind of conversion flags.

Definition at line 53 of file fmt.h.

53 {
54 std::ostringstream oss;
55 oss.imbue(std::locale::classic());
56 fmt_detail::do_fmt(oss, format, args...);
57 return oss.str();
58}
void do_fmt(std::ostringstream &oss, std::string_view format)
Definition fmt.h:20

References Botan::fmt_detail::do_fmt().

Referenced by Botan::AlternativeName::add_attribute(), Botan::GOST_3410_PublicKey::algo_name(), Botan::KEX_to_KEM_Adapter_PublicKey::algo_name(), Botan::Algorithm_Not_Found::Algorithm_Not_Found(), Botan::AlternativeName::AlternativeName(), argon2_generate_pwhash(), assert_unreachable(), Botan::TLS::auth_method_from_string(), Botan::BER_Bad_Tag::BER_Bad_Tag(), Botan::BER_Decoding_Error::BER_Decoding_Error(), Botan::CFB_Mode::CFB_Mode(), Botan::TPM2::cipher_tss2_to_botan(), Botan::CMAC::CMAC(), Botan::CommonCrypto_Error::CommonCrypto_Error(), Botan::Compression_Error::Compression_Error(), Botan::TLS::Connection_Cipher_State::Connection_Cipher_State(), Botan::AES_256_CTR_XOF::copy_state(), Botan::KDF::create(), Botan::TPM2::PrivateKey::create(), Botan::TPM2::PublicKey::create(), Botan::Private_Key::create_decryption_op(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), Botan::PKCS11::MechanismWrapper::create_ecdsa_mechanism(), Botan::Public_Key::create_encryption_op(), Botan::Private_Key::create_kem_decryption_op(), Botan::Public_Key::create_kem_encryption_op(), Botan::Private_Key::create_key_agreement_op(), create_private_key(), Botan::PKCS11::MechanismWrapper::create_rsa_crypt_mechanism(), Botan::PKCS11::MechanismWrapper::create_rsa_sign_mechanism(), Botan::Private_Key::create_signature_op(), Botan::Public_Key::create_verification_op(), Botan::Public_Key::create_x509_verification_op(), Botan::PEM_Code::decode(), Botan::PEM_Code::decode_check_label(), Botan::ASN1_String::decode_from(), Botan::Cert_Extension::ASBlocks::ASIdentifierChoice::decode_from(), Botan::Cert_Extension::ASBlocks::ASIdentifiers::decode_from(), Botan::Cert_Extension::ASBlocks::ASIdOrRange::decode_from(), Botan::Cert_Extension::IPAddressBlocks::IPAddressChoice< V >::decode_from(), Botan::Cert_Extension::IPAddressBlocks::IPAddressFamily::decode_from(), Botan::Cert_Extension::IPAddressBlocks::IPAddressOrRange< V >::decode_from(), Botan::Cert_Extension::TNAuthList::Entry::decode_from(), Botan::Decoding_Error::Decoding_Error(), Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), Botan::EC_Group::EC_Group(), Botan::PEM_Code::encode(), Botan::TPM2::Error::Error(), Botan::Exception::Exception(), Botan::Exception::Exception(), expand_message_xmd(), Botan::Stream_Decompression::finish(), Botan::DL_Group::from_name(), Botan::EC_Group::from_name(), Botan::EC_Group::from_OID(), Botan::PSS_Params::from_padding_name(), Botan::Classic_McEliece_Parameter_Set::from_string(), Botan::OID::from_string(), generate_dsa_primes(), Botan::EC_PublicKey::get_int_field(), Botan::TPM2::get_raw_rc(), Botan::GOST_28147_89::GOST_28147_89(), Botan::GOST_28147_89_Params::GOST_28147_89_Params(), Botan::Sphincs_Parameters::hash_name(), hex_decode(), hkdf_expand_label(), Botan::HMAC_DRBG::HMAC_DRBG(), Botan::HSS_LMS_Params::HSS_LMS_Params(), Botan::HTTP::http_sync(), Botan::Hybrid_PublicKey::Hybrid_PublicKey(), Botan::Invalid_Algorithm_Name::Invalid_Algorithm_Name(), Botan::Invalid_Argument::Invalid_Argument(), Botan::Invalid_IV_Length::Invalid_IV_Length(), Botan::Invalid_Key_Length::Invalid_Key_Length(), Botan::Pipe::Invalid_Message_Number::Invalid_Message_Number(), Botan::Keccak_1600::Keccak_1600(), Botan::TLS::kex_method_from_string(), Botan::Key_Not_Set::Key_Not_Set(), Botan::Lion::Lion(), load_private_key(), load_public_key(), Botan::PEM_Code::matches(), Botan::BLAKE2b::name(), Botan::BLAKE2s::name(), Botan::Cascade_Cipher::name(), Botan::CBC_Mode::name(), Botan::CCM_Mode::name(), Botan::CFB_Mode::name(), Botan::ChaCha::name(), Botan::CMAC::name(), Botan::Comb4P::name(), Botan::CTR_BE::name(), Botan::DilithiumMessageHash::name(), Botan::FPE_FE1::name(), Botan::GCM_Mode::name(), Botan::GeneralName::name(), Botan::GMAC::name(), Botan::HKDF::name(), Botan::HKDF_Expand::name(), Botan::HKDF_Extract::name(), Botan::HMAC::name(), Botan::HMAC_DRBG::name(), Botan::ISO_9796_DS2::name(), Botan::ISO_9796_DS3::name(), Botan::KDF1::name(), Botan::KDF1_18033::name(), Botan::KDF2::name(), Botan::Keccak_1600::name(), Botan::KMAC128::name(), Botan::KMAC256::name(), Botan::Lion::name(), Botan::OFB::name(), Botan::PBKDF2_Family::name(), Botan::PKCS1v15_Raw_SignaturePaddingScheme::name(), Botan::PKCS1v15_SignaturePaddingScheme::name(), Botan::PKCS5_PBKDF2::name(), Botan::PSS_Raw::name(), Botan::PSSR::name(), Botan::RFC4880_S2K_Family::name(), Botan::SHA_3::name(), Botan::SHAKE_128::name(), Botan::SHAKE_256::name(), Botan::SignRawBytes::name(), Botan::SipHash::name(), Botan::Skein_512::name(), Botan::SP800_108_Counter::name(), Botan::SP800_108_Feedback::name(), Botan::SP800_108_Pipeline::name(), Botan::SP800_56C_One_Step_Hash::name(), Botan::SP800_56C_One_Step_HMAC::name(), Botan::SP800_56C_Two_Step::name(), Botan::Streebog::name(), Botan::TLS::TLS_NULL_HMAC_AEAD_Mode::name(), Botan::TLS_12_PRF::name(), Botan::Truncated_Hash::name(), Botan::X931_SignaturePadding::name(), Botan::Asymmetric_Key::object_identifier(), pbes2_decrypt(), Botan::PK_Decryptor_EME::PK_Decryptor_EME(), Botan::PK_Encryptor_EME::PK_Encryptor_EME(), Botan::PK_KEM_Decryptor::PK_KEM_Decryptor(), Botan::PK_KEM_Encryptor::PK_KEM_Encryptor(), Botan::PK_Key_Agreement::PK_Key_Agreement(), Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), Botan::PK_Verifier::PK_Verifier(), Botan::PRNG_Unseeded::PRNG_Unseeded(), Botan::Provider_Not_Found::Provider_Not_Found(), Botan::Credentials_Manager::psk(), Botan::Dynamically_Loaded_Library::resolve_symbol(), Botan::RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(), Botan::Sqlite3_Database::row_count(), Botan::RSA_PrivateKey::RSA_PrivateKey(), runtime_version_check(), Botan::SHA_3::SHA_3(), Botan::SHAKE_128::SHAKE_128(), Botan::SHAKE_256::SHAKE_256(), split_on(), srp6_client_agree(), srp6_generate_verifier(), Botan::XOF::start(), Botan::SRP6_Server_Session::step1(), Botan::SRP6_Server_Session::step2(), Botan::Streebog::Streebog(), Botan::System_Error::System_Error(), throw_invalid_argument(), throw_invalid_state(), Botan::Argon2::to_string(), Botan::ASN1_Time::to_string(), Botan::Bcrypt_PBKDF::to_string(), Botan::PBKDF2::to_string(), Botan::RFC4880_S2K::to_string(), Botan::Scrypt::to_string(), Botan::Unknown_PK_Field_Name::Unknown_PK_Field_Name(), Botan::TLS::Cipher_State::update_read_keys(), Botan::TLS::Cipher_State::update_write_keys(), Botan::UUID::UUID(), Botan::TLS::Certificate_Type_Base::validate_selection(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), Botan::XMSS_Hash::XMSS_Hash(), Botan::XMSS_Parameters::xmss_id_from_string(), Botan::XMSS_WOTS_Parameters::xmss_wots_id_from_string(), and Botan::XTS_Mode::XTS_Mode().

◆ format_char_for_display()

std::string Botan::format_char_for_display ( char c)

Return a string containing 'c', quoted and possibly escaped

This is used when creating an error message nothing an invalid character in some codex (for example during hex decoding)

Currently this function escapes tab, newlines and carriage return as "\t", "\n", and "\r", and also escapes characters > 0x7F as "\xHH" where HH is the hex code.

Definition at line 98 of file charset.cpp.

98 {
99 std::ostringstream oss;
100
101 oss << "'";
102
103 if(c == '\t') {
104 oss << "\\t";
105 } else if(c == '\n') {
106 oss << "\\n";
107 } else if(c == '\r') {
108 oss << "\\r";
109 } else if(static_cast<unsigned char>(c) >= 128) {
110 unsigned char z = static_cast<unsigned char>(c);
111 oss << "\\x" << std::hex << std::uppercase << static_cast<int>(z);
112 } else {
113 oss << c;
114 }
115
116 oss << "'";
117
118 return oss.str();
119}

Referenced by hex_decode().

◆ fors_public_key_from_signature()

BOTAN_TEST_API SphincsTreeNode Botan::fors_public_key_from_signature ( const SphincsHashedMessage & hashed_message,
StrongSpan< const ForsSignature > signature,
const Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hash )

FIPS 205, Algorithm 17: fors_pkFromSig.

Reconstructs the FORS public key from a given FORS signature and message. This is tailored for the use case in the SLH-DSA implementation and is not meant for general usability.

Definition at line 129 of file sp_fors.cpp.

133 {
134 const auto indices = fors_message_to_indices(hashed_message, params);
135
136 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTree);
137
138 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
139
140 BufferSlicer s(signature);
141 std::vector<uint8_t> roots_buffer(params.k() * params.n());
142 BufferStuffer roots(roots_buffer);
143
144 // For each of the k FORS subtrees: Reconstruct the subtree's root node by using the
145 // leaf and the authentication path offered in the FORS signature.
146 BOTAN_ASSERT_NOMSG(indices.size() == params.k());
147 for(uint32_t i = 0; i < params.k(); ++i) {
148 uint32_t idx_offset = i * (1 << params.a());
149
150 // Compute the FORS leaf by using the secret leaf contained in the signature
151 fors_tree_addr.set_tree_height(TreeLayerIndex(0)).set_tree_index(indices[i] + idx_offset);
152 auto fors_leaf_secret = s.take<ForsLeafSecret>(params.n());
153 auto auth_path = s.take<SphincsAuthenticationPath>(params.n() * params.a());
154 auto leaf = hashes.T<SphincsTreeNode>(fors_tree_addr, fors_leaf_secret);
155
156 // Reconstruct the subtree's root using the authentication path
157 compute_root(roots.next<SphincsTreeNode>(params.n()),
158 params,
159 hashes,
160 leaf,
161 indices[i],
162 idx_offset,
163 auth_path,
164 params.a(),
165 fors_tree_addr);
166 }
167
168 BOTAN_ASSERT_NOMSG(roots.full());
169
170 // Reconstruct the public key the signature creates with the hash of the concatenation of all roots
171 // Only if the signature is valid, the pk is the correct FORS pk.
172 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
173}
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:134
Sphincs_Address & set_type(Sphincs_Address_Type type)
Definition sp_address.h:73
static Sphincs_Address as_keypair_from(const Sphincs_Address &other)
Definition sp_address.h:130
Strong< secure_vector< uint8_t >, struct ForsLeafSecret_ > ForsLeafSecret
Definition sp_types.h:71
Strong< std::vector< uint8_t >, struct SphincsAuthenticationPath_ > SphincsAuthenticationPath
Definition sp_types.h:67
void compute_root(StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)

References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, compute_root(), Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().

◆ fors_sign_and_pkgen()

BOTAN_TEST_API SphincsTreeNode Botan::fors_sign_and_pkgen ( StrongSpan< ForsSignature > sig_out,
const SphincsHashedMessage & hashed_message,
const SphincsSecretSeed & secret_seed,
const Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation)

Implements a domain specific wrapper for the few-times signature scheme FORS (Forest of Random Subsets). It is meant to be used inside SLH-DSA and does not aim to be applicable for other use cases.

Definition at line 63 of file sp_fors.cpp.

68 {
69 BOTAN_ASSERT_NOMSG(sig_out.size() == params.fors_signature_bytes());
70
71 const auto indices = fors_message_to_indices(hashed_message, params);
72
73 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address);
74
75 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
76
77 std::vector<uint8_t> roots_buffer(params.k() * params.n());
78 BufferStuffer roots(roots_buffer);
79 BufferStuffer sig(sig_out);
80
81 // Buffer to hold the FORS leafs during tree traversal
82 // (Avoids a secure_vector allocation/deallocation in the hot path)
83 ForsLeafSecret fors_leaf_secret(params.n());
84
85 // For each of the k FORS subtrees: Compute the secret leaf, the authentication path
86 // and the trees' root and append the signature respectively
87 BOTAN_ASSERT_NOMSG(indices.size() == params.k());
88 for(uint32_t i = 0; i < params.k(); ++i) {
89 uint32_t idx_offset = i * (1 << params.a());
90
91 // Compute the secret leaf given by the chunk of the message and append it to the signature
92 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration)
93 .set_tree_height(TreeLayerIndex(0))
94 .set_tree_index(indices[i] + idx_offset);
95
96 hashes.PRF(sig.next<ForsLeafSecret>(params.n()), secret_seed, fors_tree_addr);
97
98 // Compute the authentication path and root for this leaf node
99 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
100
101 GenerateLeafFunction fors_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
102 fors_tree_addr.set_tree_index(address_index);
103 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration);
104
105 hashes.PRF(fors_leaf_secret, secret_seed, fors_tree_addr);
106
107 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
108 hashes.T(out_root, fors_tree_addr, fors_leaf_secret);
109 };
110
111 treehash(roots.next<SphincsTreeNode>(params.n()),
112 sig.next<SphincsAuthenticationPath>(params.a() * params.n()),
113 params,
114 hashes,
115 indices[i],
116 idx_offset,
117 params.a(),
118 fors_gen_leaf,
119 fors_tree_addr);
120 }
121
122 BOTAN_ASSERT_NOMSG(sig.full());
123 BOTAN_ASSERT_NOMSG(roots.full());
124
125 // Compute the public key by the hash of the concatenation of all roots
126 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
127}
void PRF(StrongSpan< ForsLeafSecret > out, const SphincsSecretSeed &sk_seed, const Sphincs_Address &address)
Definition sp_hash.h:70
uint32_t fors_signature_bytes() const
std::function< void(StrongSpan< SphincsTreeNode >, TreeNodeIndex)> GenerateLeafFunction
Definition sp_treehash.h:25
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:92
void treehash(StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)

References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, Botan::Sphincs_Parameters::fors_signature_bytes(), ForsKeyGeneration, ForsTree, Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_type(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and treehash().

◆ gcd()

BigInt Botan::gcd ( const BigInt & x,
const BigInt & y )

Compute the greatest common divisor

Parameters
xa positive integer
ya positive integer
Returns
gcd(x,y)

Definition at line 193 of file numthry.cpp.

193 {
194 if(a.is_zero()) {
195 return abs(b);
196 }
197 if(b.is_zero()) {
198 return abs(a);
199 }
200
201 const size_t sz = std::max(a.sig_words(), b.sig_words());
202 auto u = BigInt::with_capacity(sz);
203 auto v = BigInt::with_capacity(sz);
204 u += a;
205 v += b;
206
207 CT::poison_all(u, v);
208
209 u.set_sign(BigInt::Positive);
210 v.set_sign(BigInt::Positive);
211
212 // In the worst case we have two fully populated big ints. After right
213 // shifting so many times, we'll have reached the result for sure.
214 const size_t loop_cnt = u.bits() + v.bits();
215
216 // This temporary is big enough to hold all intermediate results of the
217 // algorithm. No reallocation will happen during the loop.
218 // Note however, that `ct_cond_assign()` will invalidate the 'sig_words'
219 // cache, which _does not_ shrink the capacity of the underlying buffer.
220 auto tmp = BigInt::with_capacity(sz);
221 secure_vector<word> ws(sz * 2);
222 size_t factors_of_two = 0;
223 for(size_t i = 0; i != loop_cnt; ++i) {
224 auto both_odd = CT::Mask<word>::expand_bool(u.is_odd()) & CT::Mask<word>::expand_bool(v.is_odd());
225
226 // Subtract the smaller from the larger if both are odd
227 auto u_gt_v = CT::Mask<word>::expand_bool(bigint_cmp(u._data(), u.size(), v._data(), v.size()) > 0);
228 bigint_sub_abs(tmp.mutable_data(), u._data(), v._data(), sz, ws.data());
229 u.ct_cond_assign((u_gt_v & both_odd).as_bool(), tmp);
230 v.ct_cond_assign((~u_gt_v & both_odd).as_bool(), tmp);
231
232 const auto u_is_even = CT::Mask<word>::expand_bool(u.is_even());
233 const auto v_is_even = CT::Mask<word>::expand_bool(v.is_even());
234 BOTAN_DEBUG_ASSERT((u_is_even | v_is_even).as_bool());
235
236 // When both are even, we're going to eliminate a factor of 2.
237 // We have to reapply this factor to the final result.
238 factors_of_two += (u_is_even & v_is_even).if_set_return(1);
239
240 // remove one factor of 2, if u is even
241 bigint_shr2(tmp.mutable_data(), u._data(), sz, 1);
242 u.ct_cond_assign(u_is_even.as_bool(), tmp);
243
244 // remove one factor of 2, if v is even
245 bigint_shr2(tmp.mutable_data(), v._data(), sz, 1);
246 v.ct_cond_assign(v_is_even.as_bool(), tmp);
247 }
248
249 // The GCD (without factors of two) is either in u or v, the other one is
250 // zero. The non-zero variable _must_ be odd, because all factors of two were
251 // removed in the loop iterations above.
252 BOTAN_DEBUG_ASSERT(u.is_zero() || v.is_zero());
253 BOTAN_DEBUG_ASSERT(u.is_odd() || v.is_odd());
254
255 // make sure that the GCD (without factors of two) is in u
256 u.ct_cond_assign(u.is_even() /* .is_zero() would not be constant time */, v);
257
258 // re-apply the factors of two
259 u.ct_shift_left(factors_of_two);
260
261 CT::unpoison_all(u, v);
262
263 return u;
264}
static constexpr Mask< T > expand_bool(bool v)
Definition ct_utils.h:425
constexpr void poison_all(const Ts &... ts)
Definition ct_utils.h:199
constexpr void unpoison_all(const Ts &... ts)
Definition ct_utils.h:205
constexpr void bigint_shr2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:370
BigInt abs(const BigInt &n)
Definition numthry.h:24
constexpr int32_t bigint_cmp(const W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:428
constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
Definition mp_core.h:281

References abs(), bigint_cmp(), bigint_shr2(), bigint_sub_abs(), BOTAN_DEBUG_ASSERT, Botan::CT::Mask< T >::expand_bool(), Botan::BigInt::is_zero(), Botan::CT::poison_all(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), Botan::CT::unpoison_all(), and Botan::BigInt::with_capacity().

Referenced by botan_mp_gcd(), compute_rsa_secret_exponent(), generate_rsa_prime(), lcm(), and random_prime().

◆ generalize_to() [1/2]

template<typename GeneralVariantT, typename SpecialT>
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
GeneralVariantT Botan::generalize_to ( SpecialT && specific)
constexpr

Converts a given variant into another variant-ish whose type states are a super set of the given variant.

This is useful to convert restricted variant types into more general variants types.

Definition at line 307 of file stl_util.h.

309{
310 return std::forward<SpecialT>(specific);
311}

Referenced by Botan::TLS::Channel_Impl_13::send_handshake_message(), and Botan::TLS::Channel_Impl_13::send_handshake_message().

◆ generalize_to() [2/2]

template<typename GeneralVariantT, typename... SpecialTs>
GeneralVariantT Botan::generalize_to ( std::variant< SpecialTs... > specific)
constexpr

Converts a given variant into another variant-ish whose type states are a super set of the given variant.

This is useful to convert restricted variant types into more general variants types.

Definition at line 321 of file stl_util.h.

321 {
322 static_assert(
324 "Desired general type must be implicitly constructible by all types of the specialized std::variant<>");
325 return std::visit([](auto s) -> GeneralVariantT { return s; }, std::move(specific));
326}
constexpr bool is_generalizable_to(const SpecialT &) noexcept
Definition stl_util.h:290

References is_generalizable_to().

◆ generate_bcrypt()

std::string Botan::generate_bcrypt ( std::string_view password,
RandomNumberGenerator & rng,
uint16_t work_factor = 12,
char version = 'a' )

Create a password hash using Bcrypt

Takes the password to hash, a rng, and a work_factor. The resulting password hash is returned as a string.

Higher work factors increase the amount of time the algorithm runs, increasing the cost of cracking attempts. The increase is exponential, so a work factor of 12 takes roughly twice as long as work factor 11. The default work factor was set to 10 up until the 2.8.0 release.

It is recommended to set the work factor as high as your system can tolerate (from a performance and latency perspective) since higher work factors greatly improve the security against GPU-based attacks. For example, for protecting high value administrator passwords, consider using work factor 15 or 16; at these work factors each bcrypt computation takes several seconds. Since admin logins will be relatively uncommon, it might be acceptable for each login attempt to take some time. As of 2018, a good password cracking rig (with 8 NVIDIA 1080 cards) can attempt about 1 billion bcrypt computations per month for work factor 13. For work factor 12, it can do twice as many. For work factor 15, it can do only one quarter as many attempts.

Due to bugs affecting various implementations of bcrypt, several different variants of the algorithm are defined. As of 2.7.0 Botan supports generating (or checking) the 2a, 2b, and 2y variants. Since Botan has never been affected by any of the bugs which necessitated these version upgrades, all three versions are identical beyond the version identifier. Which variant to use is controlled by the version argument.

The bcrypt work_factor must be at least 4 (though at this work factor bcrypt is not very secure). The bcrypt format allows up to 31, but Botan currently rejects all work factors greater than 18 since even that work factor requires roughly 15 seconds of computation on a fast machine.

Warning
The password is truncated at at most 72 characters; characters after that do not have any effect on the resulting hash. To support longer passwords, consider pre-hashing the password, for example by using the hex encoding of SHA-256 of the password as the input to bcrypt.
Parameters
passwordthe password.
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
versionwhich version to emit (may be 'a', 'b', or 'y' all of which have identical behavior in this implementation).
See also
https://www.usenix.org/events/usenix99/provos/provos_html/

TODO(Botan4) Convert work_factor to a size_t

Definition at line 145 of file bcrypt.cpp.

145 {
146 /*
147 2a, 2b and 2y are identical for our purposes because our implementation of 2a
148 never had the truncation or signed char bugs in the first place.
149 */
150
151 if(version != 'a' && version != 'b' && version != 'y') {
152 throw Invalid_Argument("Unknown bcrypt version '" + std::string(1, version) + "'");
153 }
154
155 std::vector<uint8_t> salt;
156 rng.random_vec(salt, 16);
157 return make_bcrypt(pass, salt, work_factor, version);
158}
void random_vec(std::span< uint8_t > v)
Definition rng.h:199

References Botan::RandomNumberGenerator::random_vec().

Referenced by botan_bcrypt_generate().

◆ generate_dsa_primes() [1/2]

std::vector< uint8_t > Botan::generate_dsa_primes ( RandomNumberGenerator & rng,
BigInt & p_out,
BigInt & q_out,
size_t pbits,
size_t qbits )

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
Returns
random seed used to generate this parameter set

Definition at line 138 of file dsa_gen.cpp.

138 {
139 while(true) {
140 std::vector<uint8_t> seed(qbits / 8);
141 rng.randomize(seed.data(), seed.size());
142
143 if(generate_dsa_primes(rng, p, q, pbits, qbits, seed)) {
144 return seed;
145 }
146 }
147}
bool generate_dsa_primes(RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
Definition dsa_gen.cpp:54

References generate_dsa_primes(), and Botan::RandomNumberGenerator::randomize().

◆ generate_dsa_primes() [2/2]

bool BOTAN_TEST_API Botan::generate_dsa_primes ( RandomNumberGenerator & rng,
BigInt & p_out,
BigInt & q_out,
size_t pbits,
size_t qbits,
const std::vector< uint8_t > & seed,
size_t offset = 0 )

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
seedthe seed used to generate the parameters
offsetoptional offset from seed to start searching at
Returns
true if seed generated a valid DSA parameter set, otherwise false. p_out and q_out are only valid if true was returned.

Definition at line 54 of file dsa_gen.cpp.

60 {
61 if(!fips186_3_valid_size(pbits, qbits)) {
62 throw Invalid_Argument(fmt("FIPS 186-3 does not allow DSA domain parameters of {}/{} bits long", pbits, qbits));
63 }
64
65 if(seed_c.size() * 8 < qbits) {
66 throw Invalid_Argument(
67 fmt("Generating a DSA parameter set with a {} bit long q requires a seed at least as many bits long", qbits));
68 }
69
70 const std::string hash_name = hash_function_for(qbits);
71 auto hash = HashFunction::create_or_throw(hash_name);
72
73 const size_t HASH_SIZE = hash->output_length();
74
75 class Seed final {
76 public:
77 explicit Seed(const std::vector<uint8_t>& s) : m_seed(s) {}
78
79 const std::vector<uint8_t>& value() const { return m_seed; }
80
81 Seed& operator++() {
82 for(size_t j = m_seed.size(); j > 0; --j) {
83 m_seed[j - 1] += 1;
84 if(m_seed[j - 1] != 0) {
85 break;
86 }
87 }
88 return (*this);
89 }
90
91 private:
92 std::vector<uint8_t> m_seed;
93 };
94
95 Seed seed(seed_c);
96
97 q._assign_from_bytes(hash->process(seed.value()));
98 q.set_bit(qbits - 1);
99 q.set_bit(0);
100
101 if(!is_prime(q, rng, 128, true)) {
102 return false;
103 }
104
105 const size_t n = (pbits - 1) / (HASH_SIZE * 8);
106 const size_t b = (pbits - 1) % (HASH_SIZE * 8);
107
108 BigInt X;
109 std::vector<uint8_t> V(HASH_SIZE * (n + 1));
110
111 const BigInt q2 = 2 * q;
112
113 for(size_t j = 0; j != 4 * pbits; ++j) {
114 for(size_t k = 0; k <= n; ++k) {
115 ++seed;
116 hash->update(seed.value());
117 hash->final(&V[HASH_SIZE * (n - k)]);
118 }
119
120 if(j >= offset) {
121 X._assign_from_bytes(std::span{V}.subspan(HASH_SIZE - 1 - b / 8));
122 X.set_bit(pbits - 1);
123
124 // Variable time division is OK here since DSA primes are public anyway
125 p = X - ((X % q2) - 1);
126
127 if(p.bits() == pbits && is_prime(p, rng, 128, true)) {
128 return true;
129 }
130 }
131 }
132 return false;
133}
constexpr auto operator++(Strong< T, Tags... > &a, int)
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:354

References Botan::BigInt::_assign_from_bytes(), Botan::BigInt::bits(), Botan::HashFunction::create_or_throw(), fmt(), is_prime(), operator++(), Seed, and Botan::BigInt::set_bit().

Referenced by Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), and generate_dsa_primes().

◆ generate_mceliece_key()

McEliece_PrivateKey Botan::generate_mceliece_key ( RandomNumberGenerator & rng,
size_t ext_deg,
size_t code_length,
size_t t )

Definition at line 181 of file code_based_key_gen.cpp.

181 {
182 const size_t codimension = t * ext_deg;
183
184 if(code_length <= codimension) {
185 throw Invalid_Argument("invalid McEliece parameters");
186 }
187
188 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
189
190 //pick the support.........
191 std::vector<gf2m> L(code_length);
192
193 for(size_t i = 0; i != L.size(); i++) {
194 L[i] = static_cast<gf2m>(i);
195 }
196 randomize_support(L, rng);
197 polyn_gf2m g(sp_field); // create as zero
198
199 bool success = false;
200 std::unique_ptr<binary_matrix> R;
201
202 // NOLINTNEXTLINE(*-avoid-do-while)
203 do {
204 // create a random irreducible polynomial
205 g = polyn_gf2m(t, rng, sp_field);
206
207 try {
208 R = generate_R(L, &g, *sp_field, code_length, t);
209 success = true;
210 } catch(const Invalid_State&) {}
211 } while(!success);
212
213 std::vector<polyn_gf2m> sqrtmod = polyn_gf2m::sqrt_mod_init(g);
214 std::vector<polyn_gf2m> F = syndrome_init(g, L, static_cast<int>(code_length));
215
216 // Each F[i] is the (precomputed) syndrome of the error vector with
217 // a single '1' in i-th position.
218 // We do not store the F[i] as polynomials of degree t , but
219 // as binary vectors of length ext_deg * t (this will
220 // speed up the syndrome computation)
221 //
222 const size_t co32 = bit_size_to_32bit_size(codimension);
223 std::vector<uint32_t> H(co32 * code_length);
224 uint32_t* sk = H.data();
225 for(size_t i = 0; i < code_length; ++i) {
226 for(size_t l = 0; l < t; ++l) {
227 const size_t k = (l * ext_deg) / 32;
228 const size_t j = (l * ext_deg) % 32;
229 sk[k] ^= static_cast<uint32_t>(F[i].get_coef(l)) << j;
230 if(j + ext_deg > 32) {
231 if(j > 0) {
232 sk[k + 1] ^= F[i].get_coef(l) >> (32 - j);
233 }
234 }
235 }
236 sk += co32;
237 }
238
239 // We need the support L for decoding (decryption). In fact the
240 // inverse is needed
241
242 std::vector<gf2m> Linv(code_length);
243 for(size_t i = 0; i != Linv.size(); ++i) {
244 Linv[L[i]] = static_cast<gf2m>(i);
245 }
246 std::vector<uint8_t> pubmat(R->elem().size() * 4);
247 for(size_t i = 0; i < R->elem().size(); i++) {
248 store_le(R->elem()[i], &pubmat[i * 4]);
249 }
250
251 return McEliece_PrivateKey(g, H, sqrtmod, Linv, pubmat);
252}
static std::vector< polyn_gf2m > sqrt_mod_init(const polyn_gf2m &g)
std::vector< polyn_gf2m > syndrome_init(const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
size_t bit_size_to_32bit_size(size_t bit_size)

References bit_size_to_32bit_size(), generate_mceliece_key(), Botan::polyn_gf2m::sqrt_mod_init(), store_le(), and syndrome_init().

Referenced by generate_mceliece_key(), and Botan::McEliece_PrivateKey::McEliece_PrivateKey().

◆ generate_passhash9()

std::string Botan::generate_passhash9 ( std::string_view password,
RandomNumberGenerator & rng,
uint16_t work_factor = 15,
uint8_t alg_id = 4 )

Create a password hash using PBKDF2

Functions much like generate_bcrypt(). The last parameter, alg_id, specifies which PRF to use. Currently defined values are:

  • 0: HMAC(SHA-1)
  • 1: HMAC(SHA-256)
  • 2: CMAC(Blowfish)
  • 3: HMAC(SHA-384)
  • 4: HMAC(SHA-512)

The work_factor must be greater than zero and less than 512. This performs 10000 * work_factor PBKDF2 iterations, using 96 bits of salt taken from rng. Using work factor of 10 or more is recommended.

Parameters
passwordthe password
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
alg_idspecifies which PRF to use with PBKDF2 0 is HMAC(SHA-1) 1 is HMAC(SHA-256) 2 is CMAC(Blowfish) 3 is HMAC(SHA-384) 4 is HMAC(SHA-512) all other values are currently undefined

Definition at line 46 of file passhash9.cpp.

49 {
50 BOTAN_ARG_CHECK(work_factor > 0 && work_factor < 512, "Invalid Passhash9 work factor");
51
52 auto prf = get_pbkdf_prf(alg_id);
53
54 if(!prf) {
55 throw Invalid_Argument("Passhash9: Algorithm id " + std::to_string(alg_id) + " is not defined");
56 }
57
58 PKCS5_PBKDF2 kdf(std::move(prf));
59
60 secure_vector<uint8_t> salt(SALT_BYTES);
61 rng.randomize(salt.data(), salt.size());
62
63 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
64
66 blob.push_back(alg_id);
67 blob.push_back(get_byte<0>(work_factor));
68 blob.push_back(get_byte<1>(work_factor));
69 blob += salt;
70 blob += kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, salt.data(), salt.size(), kdf_iterations).bits_of();
71
72 return std::string(MAGIC_PREFIX) + base64_encode(blob);
73}
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79

References base64_encode(), Botan::OctetString::bits_of(), BOTAN_ARG_CHECK, Botan::PBKDF::derive_key(), get_byte(), and Botan::RandomNumberGenerator::randomize().

◆ generate_rfc6979_nonce()

BigInt Botan::generate_rfc6979_nonce ( const BigInt & x,
const BigInt & q,
const BigInt & h,
std::string_view hash )
inline
Parameters
xthe secret (EC)DSA key
qthe group order
hthe message hash already reduced mod q
hashthe hash function used to generate h

Definition at line 57 of file rfc6979.h.

57 {
58 RFC6979_Nonce_Generator gen(hash, q.bits(), x);
59 return gen.nonce_for(q, h);
60}

References Botan::BigInt::bits(), and Botan::RFC6979_Nonce_Generator::nonce_for().

◆ generate_rsa_prime()

BigInt Botan::generate_rsa_prime ( RandomNumberGenerator & keygen_rng,
RandomNumberGenerator & prime_test_rng,
size_t bits,
const BigInt & coprime,
size_t prob = 128 )

Generate a prime suitable for RSA p/q

Parameters
keygen_rnga random number generator
prime_test_rnga random number generator
bitshow large the resulting prime should be in bits (must be >= 512)
coprimea positive integer that (prime - 1) should be coprime to
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 211 of file make_prm.cpp.

215 {
216 if(bits < 512) {
217 throw Invalid_Argument("generate_rsa_prime bits too small");
218 }
219
220 /*
221 * The restriction on coprime <= 64 bits is arbitrary but generally speaking
222 * very large RSA public exponents are a bad idea both for performance and due
223 * to attacks on small d.
224 */
225 if(coprime <= 1 || coprime.is_even() || coprime.bits() > 64) {
226 throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");
227 }
228
229 const size_t MAX_ATTEMPTS = 32 * 1024;
230
231 const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
232
233 while(true) {
234 BigInt p(keygen_rng, bits);
235
236 /*
237 Force high two bits so multiplication always results in expected n bit integer
238
239 Force the two low bits, and step by 4, so the generated prime is always == 3 (mod 4).
240 This way when we perform the inversion modulo phi(n) it is always of the form 2*o
241 with o odd, which allows a fastpath and avoids leaking any information about the
242 structure of the prime.
243 */
244 p.set_bit(bits - 1);
245 p.set_bit(bits - 2);
246 p.set_bit(1);
247 p.set_bit(0);
248
249 const word step = 4;
250
251 Prime_Sieve sieve(p, bits, step, false);
252
253 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
254 p += step;
255
256 if(!sieve.next()) {
257 continue;
258 }
259
260 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
261
263
264 /*
265 * Do a single primality test first before checking coprimality, since
266 * currently a single Miller-Rabin test is faster than computing gcd,
267 * and this eliminates almost all wasted gcd computations.
268 */
269 if(!is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, 1)) {
270 continue;
271 }
272
273 /*
274 * Check if p - 1 and coprime are relatively prime.
275 */
276 if(gcd(p - 1, coprime) > 1) {
277 continue;
278 }
279
280 if(p.bits() > bits) {
281 break;
282 }
283
284 if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, mr_trials)) {
285 return p;
286 }
287 }
288 }
289}
static Barrett_Reduction for_secret_modulus(const BigInt &m)
Definition barrett.cpp:22
bool is_even() const
Definition bigint.h:439
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)
bool is_miller_rabin_probable_prime(const BigInt &n, const Barrett_Reduction &mod_n, RandomNumberGenerator &rng, size_t test_iterations)

References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::Barrett_Reduction::for_secret_modulus(), gcd(), Botan::BigInt::is_even(), is_miller_rabin_probable_prime(), miller_rabin_test_iterations(), and Botan::BigInt::set_bit().

Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ get_aead()

AEAD_Mode * Botan::get_aead ( std::string_view name,
Cipher_Dir direction )
inline

Get an AEAD mode by name (eg "AES-128/GCM" or "Serpent/EAX")

Parameters
nameAEAD name
directionCipher_Dir::Encryption or Cipher_Dir::Decryption

Definition at line 138 of file aead.h.

138 {
139 return AEAD_Mode::create(name, direction, "").release();
140}
static std::unique_ptr< AEAD_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
Definition aead.cpp:54

References Botan::AEAD_Mode::create(), and get_aead().

Referenced by get_aead().

◆ get_byte()

◆ get_byte_var()

template<typename T>
uint8_t Botan::get_byte_var ( size_t byte_num,
T input )
inlineconstexpr

Byte extraction

Parameters
byte_numwhich byte to extract, 0 == highest byte
inputthe value to extract from
Returns
byte byte_num of input

Definition at line 69 of file loadstor.h.

69 {
70 return static_cast<uint8_t>(input >> (((~byte_num) & (sizeof(T) - 1)) << 3));
71}

Referenced by Botan::TLS::append_tls_length_value(), Botan::BigInt::binary_encode(), Botan::BigInt::byte_at(), copy_out_be(), copy_out_le(), Botan::CCM_Mode::encode_length(), Botan::TLS::Certificate_12::serialize(), and Botan::TLS::Certificate_Status::serialize().

◆ get_cipher() [1/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters. No key will be set in the filter.

Parameters
algo_specthe name of the desired cipher
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 201 of file filters.h.

201 {
202 auto c = Cipher_Mode::create_or_throw(algo_spec, direction);
203 // NOLINTNEXTLINE(*-owning-memory)
204 return new Cipher_Mode_Filter(c.release());
205}
static std::unique_ptr< Cipher_Mode > create_or_throw(std::string_view algo, Cipher_Dir direction, std::string_view provider="")

References Botan::Cipher_Mode::create_or_throw().

Referenced by get_cipher(), and get_cipher().

◆ get_cipher() [2/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
const SymmetricKey & key,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 216 of file filters.h.

216 {
217 Keyed_Filter* cipher = get_cipher(algo_spec, direction);
218 cipher->set_key(key);
219 return cipher;
220}
virtual void set_key(const SymmetricKey &key)=0
Keyed_Filter * get_cipher(std::string_view algo_spec, Cipher_Dir direction)
Definition filters.h:201

References get_cipher(), and Botan::Keyed_Filter::set_key().

◆ get_cipher() [3/3]

Keyed_Filter * Botan::get_cipher ( std::string_view algo_spec,
const SymmetricKey & key,
const InitializationVector & iv,
Cipher_Dir direction )
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
ivthe initialization vector to be used
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to newly allocated encryption or decryption filter

Definition at line 232 of file filters.h.

235 {
236 Keyed_Filter* cipher = get_cipher(algo_spec, key, direction);
237 if(!iv.empty()) {
238 cipher->set_iv(iv);
239 }
240 return cipher;
241}
virtual void set_iv(const InitializationVector &iv)
Definition filters.h:129
bool empty() const
Definition symkey.h:31

References Botan::OctetString::empty(), get_cipher(), and Botan::Keyed_Filter::set_iv().

◆ get_cipher_mode()

Cipher_Mode * Botan::get_cipher_mode ( std::string_view algo_spec,
Cipher_Dir direction,
std::string_view provider = "" )
inline

Get a cipher mode by name (eg "AES-128/CBC" or "Serpent/XTS")

Parameters
algo_speccipher name
directionCipher_Dir::Encryption or Cipher_Dir::Decryption
providerprovider implementation to choose

Definition at line 284 of file cipher_mode.h.

284 {
285 return Cipher_Mode::create(algo_spec, direction, provider).release();
286}
static std::unique_ptr< Cipher_Mode > create(std::string_view algo, Cipher_Dir direction, std::string_view provider="")

References Botan::Cipher_Mode::create(), and get_cipher_mode().

Referenced by get_cipher_mode().

◆ get_files_recursive()

BOTAN_TEST_API std::vector< std::string > Botan::get_files_recursive ( std::string_view dir)

Definition at line 123 of file filesystem.cpp.

123 {
124 std::vector<std::string> files;
125
126#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
127 files = impl_readdir(dir);
128#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
129 files = impl_win32(dir);
130#else
131 BOTAN_UNUSED(dir);
132 throw No_Filesystem_Access();
133#endif
134
135 std::sort(files.begin(), files.end());
136
137 return files;
138}

References BOTAN_UNUSED.

◆ get_kdf()

KDF * Botan::get_kdf ( std::string_view algo_spec)
inline

Factory method for KDF (key derivation function)

Parameters
algo_specthe name of the KDF to create
Returns
pointer to newly allocated object of that type

Prefer KDF::create

Definition at line 274 of file kdf.h.

274 {
275 if(algo_spec == "Raw") {
276 return nullptr;
277 }
278
279 return KDF::create_or_throw(algo_spec).release();
280}
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition kdf.cpp:204

References Botan::KDF::create_or_throw(), and get_kdf().

Referenced by get_kdf().

◆ get_pbkdf()

PBKDF * Botan::get_pbkdf ( std::string_view algo_spec,
std::string_view provider = "" )
inline

Password based key derivation function factory method

Parameters
algo_specthe name of the desired PBKDF algorithm
providerthe provider to use
Returns
pointer to newly allocated object of that type

Definition at line 246 of file pbkdf.h.

246 {
247 return PBKDF::create_or_throw(algo_spec, provider).release();
248}
static std::unique_ptr< PBKDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition pbkdf.cpp:57

References Botan::PBKDF::create_or_throw(), and get_pbkdf().

Referenced by get_pbkdf().

◆ get_s2k()

PBKDF * Botan::get_s2k ( std::string_view algo_spec)
inline

Definition at line 250 of file pbkdf.h.

250 {
251 return PBKDF::create_or_throw(algo_spec).release();
252}

References Botan::PBKDF::create_or_throw(), and get_s2k().

Referenced by get_s2k().

◆ get_uint32()

template<WordType W>
uint32_t Botan::get_uint32 ( const W xw[],
size_t i )
constexpr

Definition at line 33 of file pcurves_solinas.h.

33 {
34 static_assert(WordInfo<W>::bits == 32 || WordInfo<W>::bits == 64);
35
36 if constexpr(WordInfo<W>::bits == 32) {
37 return xw[i];
38 } else {
39 return static_cast<uint32_t>(xw[i / 2] >> ((i % 2) * 32));
40 }
41}

◆ gf2p8affine()

template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 Botan::gf2p8affine ( const SIMD_8x32 & x)

Definition at line 52 of file simd_avx2_gfni.h.

52 {
53 return SIMD_8x32(_mm256_gf2p8affine_epi64_epi8(x.raw(), _mm256_set1_epi64x(A), B));
54}
__m256i BOTAN_FN_ISA_AVX2 raw() const noexcept
Definition simd_avx2.h:322

References BOTAN_FORCE_INLINE, and Botan::SIMD_8x32::raw().

◆ gf2p8affineinv()

template<uint64_t A, uint8_t B>
BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 Botan::gf2p8affineinv ( const SIMD_8x32 & x)

Definition at line 57 of file simd_avx2_gfni.h.

57 {
58 return SIMD_8x32(_mm256_gf2p8affineinv_epi64_epi8(x.raw(), _mm256_set1_epi64x(A), B));
59}

References BOTAN_FORCE_INLINE, and Botan::SIMD_8x32::raw().

◆ gf2p8mul()

BOTAN_FORCE_INLINE BOTAN_FN_ISA_AVX2_GFNI SIMD_8x32 Botan::gf2p8mul ( const SIMD_8x32 & a,
const SIMD_8x32 & b )

Definition at line 61 of file simd_avx2_gfni.h.

61 {
62 return SIMD_8x32(_mm256_gf2p8mul_epi8(a.raw(), b.raw()));
63}

References BOTAN_FORCE_INLINE, and Botan::SIMD_8x32::raw().

◆ gfni_matrix()

uint64_t Botan::gfni_matrix ( std::string_view s)
consteval

Definition at line 19 of file simd_avx2_gfni.h.

19 {
20 uint64_t matrix = 0;
21 size_t bit_cnt = 0;
22 uint8_t row = 0;
23
24 for(char c : s) {
25 if(c == ' ' || c == '\n') {
26 continue;
27 }
28 if(c != '0' && c != '1') {
29 throw std::runtime_error("gfni_matrix: invalid bit value");
30 }
31
32 if(c == '1') {
33 row |= 0x80 >> (7 - bit_cnt % 8);
34 }
35 bit_cnt++;
36
37 if(bit_cnt % 8 == 0) {
38 matrix <<= 8;
39 matrix |= row;
40 row = 0;
41 }
42 }
43
44 if(bit_cnt != 64) {
45 throw std::runtime_error("gfni_matrix: invalid bit count");
46 }
47
48 return matrix;
49}

◆ gray_to_lex()

gf2m Botan::gray_to_lex ( gf2m gray)
inline

Definition at line 30 of file code_based_util.h.

30 {
31 gf2m result = gray ^ (gray >> 8);
32 result ^= (result >> 4);
33 result ^= (result >> 2);
34 result ^= (result >> 1);
35 return result;
36}

◆ has_filesystem_impl()

BOTAN_TEST_API bool Botan::has_filesystem_impl ( )

Definition at line 113 of file filesystem.cpp.

113 {
114#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
115 return true;
116#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
117 return true;
118#else
119 return false;
120#endif
121}

◆ hash_to_curve_sswu()

template<typename C, bool RO, std::invocable< std::span< uint8_t > > ExpandMsg>
requires C::ValidForSswuHash
auto Botan::hash_to_curve_sswu ( const ExpandMsg & expand_message) -> std::conditional_t<RO, typename C::ProjectivePoint, typename C::AffinePoint>
inline

Hash to curve (SSWU); RFC 9380

This is the Simplified Shallue-van de Woestijne-Ulas (SSWU) map.

The parameter expand_message models the function of RFC 9380 and is provided by higher levels. For the curves implemented here it will typically be XMD, but could also be an XOF (expand_message_xof) or a MHF like Argon2.

For details see RFC 9380 sections 3, 5.2 and 6.6.2.

Definition at line 1720 of file pcurves_impl.h.

1721 {
1722 constexpr size_t SecurityLevel = (C::OrderBits + 1) / 2;
1723 constexpr size_t L = (C::PrimeFieldBits + SecurityLevel + 7) / 8;
1724 constexpr size_t Cnt = RO ? 2 : 1;
1725
1726 std::array<uint8_t, L * Cnt> uniform_bytes = {};
1727 expand_message(uniform_bytes);
1728
1729 if constexpr(RO) {
1730 const auto u0 = C::FieldElement::from_wide_bytes(std::span<const uint8_t, L>(uniform_bytes.data(), L));
1731 const auto u1 = C::FieldElement::from_wide_bytes(std::span<const uint8_t, L>(uniform_bytes.data() + L, L));
1732
1733 auto accum = C::ProjectivePoint::from_affine(map_to_curve_sswu<C>(u0));
1734 accum += map_to_curve_sswu<C>(u1);
1735 return accum;
1736 } else {
1737 const auto u = C::FieldElement::from_wide_bytes(std::span<const uint8_t, L>(uniform_bytes.data(), L));
1738 return map_to_curve_sswu<C>(u);
1739 }
1740}
auto map_to_curve_sswu(const typename C::FieldElement &u) -> typename C::AffinePoint

References map_to_curve_sswu().

Referenced by Botan::PCurve::PrimeOrderCurveImpl< C >::hash_to_curve_nu(), and Botan::PCurve::PrimeOrderCurveImpl< C >::hash_to_curve_ro().

◆ hex_decode() [1/6]

std::vector< uint8_t > Botan::hex_decode ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 149 of file hex.cpp.

149 {
150 std::vector<uint8_t> bin(1 + input_length / 2);
151
152 size_t written = hex_decode(bin.data(), input, input_length, ignore_ws);
153
154 bin.resize(written);
155 return bin;
156}
size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
Definition hex.cpp:73

References hex_decode().

◆ hex_decode() [2/6]

size_t Botan::hex_decode ( std::span< uint8_t > output,
std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputa contiguous byte buffer of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 132 of file hex.cpp.

132 {
133 return hex_decode(output.data(), input.data(), input.length(), ignore_ws);
134}

References hex_decode().

◆ hex_decode() [3/6]

std::vector< uint8_t > Botan::hex_decode ( std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 158 of file hex.cpp.

158 {
159 return hex_decode(input.data(), input.size(), ignore_ws);
160}

References hex_decode().

◆ hex_decode() [4/6]

size_t Botan::hex_decode ( uint8_t output[],
const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 117 of file hex.cpp.

117 {
118 size_t consumed = 0;
119 size_t written = hex_decode(output, input, input_length, consumed, ignore_ws);
120
121 if(consumed != input_length) {
122 throw Invalid_Argument("hex_decode: input did not have full bytes");
123 }
124
125 return written;
126}

References hex_decode().

◆ hex_decode() [5/6]

size_t Botan::hex_decode ( uint8_t output[],
const char input[],
size_t input_length,
size_t & input_consumed,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 73 of file hex.cpp.

73 {
74 uint8_t* out_ptr = output;
75 bool top_nibble = true;
76
77 clear_mem(output, input_length / 2);
78
79 for(size_t i = 0; i != input_length; ++i) {
80 const uint8_t bin = hex_char_to_bin(input[i]);
81
82 if(bin >= 0x10) {
83 if(bin == 0x80 && ignore_ws) {
84 continue;
85 }
86
87 throw Invalid_Argument(fmt("hex_decode: invalid character '{}'", format_char_for_display(input[i])));
88 }
89
90 if(top_nibble) {
91 *out_ptr |= bin << 4;
92 } else {
93 *out_ptr |= bin;
94 }
95
96 top_nibble = !top_nibble;
97 if(top_nibble) {
98 ++out_ptr;
99 }
100 }
101
102 input_consumed = input_length;
103 size_t written = (out_ptr - output);
104
105 /*
106 * We only got half of a uint8_t at the end; zap the half-written
107 * output and mark it as unread
108 */
109 if(!top_nibble) {
110 *out_ptr = 0;
111 input_consumed -= 1;
112 }
113
114 return written;
115}
std::string format_char_for_display(char c)
Definition charset.cpp:98

References clear_mem(), fmt(), format_char_for_display(), and out_ptr().

Referenced by botan_hex_decode(), Botan::Hex_Decoder::end_msg(), Botan::TLS::Session_Manager_SQL::find_some(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode_locked(), Botan::OctetString::OctetString(), Botan::UUID::UUID(), and Botan::Hex_Decoder::write().

◆ hex_decode() [6/6]

size_t Botan::hex_decode ( uint8_t output[],
std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 128 of file hex.cpp.

128 {
129 return hex_decode(output, input.data(), input.length(), ignore_ws);
130}

References hex_decode().

◆ hex_decode_locked() [1/2]

secure_vector< uint8_t > Botan::hex_decode_locked ( const char input[],
size_t input_length,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 136 of file hex.cpp.

136 {
137 secure_vector<uint8_t> bin(1 + input_length / 2);
138
139 size_t written = hex_decode(bin.data(), input, input_length, ignore_ws);
140
141 bin.resize(written);
142 return bin;
143}

References hex_decode().

Referenced by Botan::BigInt::decode(), hex_decode_locked(), and Botan::RTSS_Share::RTSS_Share().

◆ hex_decode_locked() [2/2]

secure_vector< uint8_t > Botan::hex_decode_locked ( std::string_view input,
bool ignore_ws = true )

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 145 of file hex.cpp.

145 {
146 return hex_decode_locked(input.data(), input.size(), ignore_ws);
147}
secure_vector< uint8_t > hex_decode_locked(const char input[], size_t input_length, bool ignore_ws)
Definition hex.cpp:136

References hex_decode_locked().

◆ hex_encode() [1/3]

void Botan::hex_encode ( char output[],
const uint8_t input[],
size_t input_length,
bool uppercase = true )

Perform hex encoding

Parameters
outputan array of at least input_length*2 bytes
inputis some binary data
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?

Definition at line 35 of file hex.cpp.

35 {
36 for(size_t i = 0; i != input_length; ++i) {
37 const uint16_t h = hex_encode_2nibble(input[i], uppercase);
38 output[2 * i] = get_byte<0>(h);
39 output[2 * i + 1] = get_byte<1>(h);
40 }
41}

References get_byte().

Referenced by botan_hex_encode(), create_hex_fingerprint(), hex_encode(), hex_encode(), Botan::TLS::Session_Manager_SQL::remove(), Botan::TLS::Session_Manager_SQL::retrieve_one(), Botan::TLS::Session_Manager_SQL::store(), Botan::BigInt::to_hex_string(), Botan::OctetString::to_string(), Botan::RTSS_Share::to_string(), Botan::UUID::to_string(), Botan::X509_Certificate::to_string(), and Botan::UUID::UUID().

◆ hex_encode() [2/3]

std::string Botan::hex_encode ( const uint8_t input[],
size_t input_length,
bool uppercase = true )

Perform hex encoding

Parameters
inputsome input
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 43 of file hex.cpp.

43 {
44 std::string output(2 * input_length, 0);
45
46 if(input_length > 0) {
47 hex_encode(&output.front(), input, input_length, uppercase);
48 }
49
50 return output;
51}

References hex_encode().

◆ hex_encode() [3/3]

std::string Botan::hex_encode ( std::span< const uint8_t > input,
bool uppercase = true )
inline

Perform hex encoding

Parameters
inputsome input
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 43 of file hex.h.

43 {
44 return hex_encode(input.data(), input.size(), uppercase);
45}

References hex_encode().

◆ hex_to_words()

template<WordType W, size_t N>
auto Botan::hex_to_words ( const char(&) s[N])
constexpr

Definition at line 641 of file mp_core.h.

641 {
642 // Char count includes null terminator which we ignore
643 const constexpr size_t C = N - 1;
644
645 // Number of nibbles that a word can hold
646 const constexpr size_t NPW = (WordInfo<W>::bits / 4);
647
648 // Round up to the next number of words that will fit the input
649 const constexpr size_t S = (C + NPW - 1) / NPW;
650
651 auto hex2int = [](char c) -> int8_t {
652 if(c >= '0' && c <= '9') {
653 return static_cast<int8_t>(c - '0');
654 } else if(c >= 'a' && c <= 'f') {
655 return static_cast<int8_t>(c - 'a' + 10);
656 } else if(c >= 'A' && c <= 'F') {
657 return static_cast<int8_t>(c - 'A' + 10);
658 } else {
659 return -1;
660 }
661 };
662
663 std::array<W, S> r = {0};
664
665 for(size_t i = 0; i != C; ++i) {
666 const int8_t c = hex2int(s[i]);
667 if(c >= 0) {
668 shift_left<4>(r);
669 r[0] += c;
670 }
671 }
672
673 return r;
674}

References shift_left().

◆ high_bit()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr size_t Botan::high_bit ( T n)
constexpr

Return the index of the highest set bit T is an unsigned integer type

Parameters
nan integer value
Returns
index of the highest set bit in n

Definition at line 56 of file bit_ops.h.

56 {
57 size_t hb = 0;
58
59 for(size_t s = 8 * sizeof(T) / 2; s > 0; s /= 2) {
60 const size_t z = s * ((~ct_is_zero<T>(n >> s)) & 1);
61 hb += z;
62 n >>= z;
63 }
64
65 hb += n;
66
67 return hb;
68}

References BOTAN_FORCE_INLINE, and ct_is_zero().

Referenced by Botan::OID::encode_into(), floor_log2(), random_prime(), and Botan::BigInt::top_bits_free().

◆ hkdf_expand_label()

secure_vector< uint8_t > BOTAN_TEST_API Botan::hkdf_expand_label ( std::string_view hash_fn,
std::span< const uint8_t > secret,
std::string_view label,
std::span< const uint8_t > hash_val,
size_t length )

HKDF-Expand-Label from TLS 1.3/QUIC

Parameters
hash_fnthe hash to use
secretthe secret bits
labelthe full label (no "TLS 1.3, " or "tls13 " prefix is applied)
hash_valthe previous hash value (used for chaining, may be empty)
lengththe desired output length

Definition at line 119 of file hkdf.cpp.

123 {
124 BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
125 BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
126 BOTAN_ARG_CHECK(hash_val.size() <= 0xFF, "HKDF-Expand-Label hash too long");
127
129
130 const auto prefix = concat<std::vector<uint8_t>>(store_be(static_cast<uint16_t>(length)),
131 store_be(static_cast<uint8_t>(label.size())),
132 as_span_of_bytes(label),
133 store_be(static_cast<uint8_t>(hash_val.size())));
134
135 /*
136 * We do something a little dirty here to avoid copying the hash_val,
137 * making use of the fact that Botan's KDF interface supports label+salt,
138 * and knowing that our HKDF hashes first param label then param salt.
139 */
140 return hkdf.derive_key(length, secret, hash_val, prefix);
141}
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:255

References as_span_of_bytes(), BOTAN_ARG_CHECK, concat(), Botan::MessageAuthenticationCode::create_or_throw(), Botan::KDF::derive_key(), fmt(), and store_be().

◆ holds_any_of()

template<typename... Alts, typename... Ts>
bool Botan::holds_any_of ( const std::variant< Ts... > & v)
constexprnoexcept

Definition at line 285 of file stl_util.h.

285 {
286 return (std::holds_alternative<Alts>(v) || ...);
287}

Referenced by Botan::TLS::Channel_Impl_13::from_peer().

◆ host_wildcard_match()

BOTAN_TEST_API bool Botan::host_wildcard_match ( std::string_view wildcard,
std::string_view host )

Check if the given hostname is a match for the specified wildcard

Definition at line 252 of file parsing.cpp.

252 {
253 const std::string issued = tolower_string(issued_);
254 const std::string host = tolower_string(host_);
255
256 if(host.empty() || issued.empty()) {
257 return false;
258 }
259
260 /*
261 If there are embedded nulls in your issued name
262 Well I feel bad for you son
263 */
264 if(std::count(issued.begin(), issued.end(), char(0)) > 0) {
265 return false;
266 }
267
268 // If more than one wildcard, then issued name is invalid
269 const size_t stars = std::count(issued.begin(), issued.end(), '*');
270 if(stars > 1) {
271 return false;
272 }
273
274 // '*' is not a valid character in DNS names so should not appear on the host side
275 if(std::count(host.begin(), host.end(), '*') != 0) {
276 return false;
277 }
278
279 // Similarly a DNS name can't end in .
280 if(host[host.size() - 1] == '.') {
281 return false;
282 }
283
284 // And a host can't have an empty name component, so reject that
285 if(host.find("..") != std::string::npos) {
286 return false;
287 }
288
289 // Exact match: accept
290 if(issued == host) {
291 return true;
292 }
293
294 /*
295 Otherwise it might be a wildcard
296
297 If the issued size is strictly longer than the hostname size it
298 couldn't possibly be a match, even if the issued value is a
299 wildcard. The only exception is when the wildcard ends up empty
300 (eg www.example.com matches www*.example.com)
301 */
302 if(issued.size() > host.size() + 1) {
303 return false;
304 }
305
306 // If no * at all then not a wildcard, and so not a match
307 if(stars != 1) {
308 return false;
309 }
310
311 /*
312 Now walk through the issued string, making sure every character
313 matches. When we come to the (singular) '*', jump forward in the
314 hostname by the corresponding amount. We know exactly how much
315 space the wildcard takes because it must be exactly `len(host) -
316 len(issued) + 1 chars`.
317
318 We also verify that the '*' comes in the leftmost component, and
319 doesn't skip over any '.' in the hostname.
320 */
321 size_t dots_seen = 0;
322 size_t host_idx = 0;
323
324 for(size_t i = 0; i != issued.size(); ++i) {
325 if(issued[i] == '.') {
326 dots_seen += 1;
327 }
328
329 if(issued[i] == '*') {
330 // Fail: wildcard can only come in leftmost component
331 if(dots_seen > 0) {
332 return false;
333 }
334
335 /*
336 Since there is only one * we know the tail of the issued and
337 hostname must be an exact match. In this case advance host_idx
338 to match.
339 */
340 const size_t advance = (host.size() - issued.size() + 1);
341
342 if(host_idx + advance > host.size()) { // shouldn't happen
343 return false;
344 }
345
346 // Can't be any intervening .s that we would have skipped
347 if(std::count(host.begin() + host_idx, host.begin() + host_idx + advance, '.') != 0) {
348 return false;
349 }
350
351 host_idx += advance;
352 } else {
353 if(issued[i] != host[host_idx]) {
354 return false;
355 }
356
357 host_idx += 1;
358 }
359 }
360
361 // Wildcard issued name must have at least 3 components
362 if(dots_seen < 2) {
363 return false;
364 }
365
366 return true;
367}
std::string tolower_string(std::string_view in)
Definition parsing.cpp:241

References tolower_string().

Referenced by Botan::X509_Certificate::matches_dns_name().

◆ ht_sign()

void Botan::ht_sign ( StrongSpan< SphincsHypertreeSignature > out_sig,
const SphincsTreeNode & message_to_sign,
const SphincsSecretSeed & secret_seed,
XmssTreeIndexInLayer tree_index_in_layer,
TreeNodeIndex idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 12: ht_sign.

Creates a SLH-DSA XMSS hypertree signature of message_to_sign. The signature is written into the buffer defined by out_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree is used for signing.

Definition at line 21 of file sp_hypertree.cpp.

27 {
28 BOTAN_ASSERT_NOMSG(out_sig.size() == params.ht_signature_bytes());
29 BufferStuffer ht_signature(out_sig);
30
32 wots_addr.set_tree_address(tree_index_in_layer).set_keypair_address(idx_leaf);
33
35
36 SphincsTreeNode xmss_root;
37 for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {
38 // The first XMSS tree signs the message, the others their underlying XMSS tree root
39 const SphincsTreeNode& node_to_xmss_sign = (layer_idx == 0U) ? message_to_sign : xmss_root;
40
41 tree_addr.set_layer_address(layer_idx).set_tree_address(tree_index_in_layer);
42 wots_addr.copy_subtree_from(tree_addr).set_keypair_address(idx_leaf);
43
44 xmss_root = xmss_sign_and_pkgen(ht_signature.next<SphincsXmssSignature>(params.xmss_signature_bytes()),
45 node_to_xmss_sign,
46 secret_seed,
47 wots_addr,
48 tree_addr,
49 idx_leaf,
50 params,
51 hashes);
52
53 // Update the indices for the next layer.
54 idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));
55 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
56 }
57
58 BOTAN_ASSERT_NOMSG(ht_signature.full());
59}
uint32_t xmss_tree_height() const
uint32_t ht_signature_bytes() const
uint32_t xmss_signature_bytes() const
Strong< std::vector< uint8_t >, struct SphincsXmssSignature_ > SphincsXmssSignature
Definition sp_types.h:65
SphincsTreeNode xmss_sign_and_pkgen(StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 10: xmss_sign.
Definition sp_xmss.cpp:19
Strong< uint32_t, struct HypertreeLayerIndex_ > HypertreeLayerIndex
Index of a layer in the XMSS hyper-tree.
Definition sp_types.h:86

References BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferStuffer::full(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Address::set_tree_address(), Botan::StrongSpan< T >::size(), WotsHash, xmss_sign_and_pkgen(), Botan::Sphincs_Parameters::xmss_signature_bytes(), and Botan::Sphincs_Parameters::xmss_tree_height().

◆ ht_verify()

bool Botan::ht_verify ( const SphincsTreeNode & signed_msg,
StrongSpan< const SphincsHypertreeSignature > ht_sig,
const SphincsTreeNode & pk_root,
XmssTreeIndexInLayer tree_index_in_layer,
TreeNodeIndex idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 13: ht_verify.

Given a message signed_msg the SLH-DSA XMSS hypertree is reconstructed using a hypertree signature ht_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree was used for signing.

Returns
true iff the top-most reconstructed root equals pk_root

Definition at line 61 of file sp_hypertree.cpp.

67 {
68 BOTAN_ASSERT_NOMSG(ht_sig.size() == params.ht_signature_bytes());
69 BufferSlicer sig_s(ht_sig);
70
74
75 SphincsTreeNode reconstructed_root(params.n());
76
77 // Each iteration reconstructs the root of one XMSS tree of the hypertree
78 for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {
79 // The first XMSS tree signs the message, the others their underlying XMSS tree root
80 const SphincsTreeNode& current_root = (layer_idx == 0U) ? signed_msg : reconstructed_root;
81
82 tree_addr.set_layer_address(layer_idx);
83 tree_addr.set_tree_address(tree_index_in_layer);
84
85 wots_addr.copy_subtree_from(tree_addr);
86 wots_addr.set_keypair_address(idx_leaf);
87
88 wots_pk_addr.copy_keypair_from(wots_addr);
89
90 const auto wots_pk = wots_public_key_from_signature(
91 current_root, sig_s.take<WotsSignature>(params.wots_bytes()), wots_addr, params, hashes);
92
93 // Compute the leaf node using the WOTS public key.
94 const auto leaf = hashes.T<SphincsTreeNode>(wots_pk_addr, wots_pk);
95
96 // Compute the root node of this subtree.
97 compute_root(StrongSpan<SphincsTreeNode>(reconstructed_root),
98 params,
99 hashes,
100 leaf,
101 idx_leaf,
102 0,
103 sig_s.take<SphincsAuthenticationPath>(params.xmss_tree_height() * params.n()),
104 params.xmss_tree_height(),
105 tree_addr);
106
107 // Update the indices for the next layer.
108 idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));
109 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
110 }
111
112 BOTAN_ASSERT_NOMSG(sig_s.empty());
113
114 // Check if the root node equals the root node in the public key.
115 return reconstructed_root == pk_root;
116}
uint32_t wots_bytes() const
WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 8: wots_pkFromSig.
Definition sp_wots.cpp:103
Strong< secure_vector< uint8_t >, struct WotsSignature_ > WotsSignature
Definition sp_types.h:80

References BOTAN_ASSERT_NOMSG, compute_root(), Botan::Sphincs_Address::copy_keypair_from(), Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Address::set_tree_address(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::wots_bytes(), wots_public_key_from_signature(), WotsHash, WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().

◆ ieee1363_hash_id()

uint8_t Botan::ieee1363_hash_id ( std::string_view hash_name)

Return the IEEE 1363 hash identifier

Parameters
hash_namethe name of the hash function
Returns
uint8_t code identifying the hash, or 0 if not known

Definition at line 144 of file hash_id.cpp.

144 {
145 if(name == "SHA-1") {
146 return 0x33;
147 }
148
149 if(name == "SHA-224") {
150 return 0x38;
151 }
152 if(name == "SHA-256") {
153 return 0x34;
154 }
155 if(name == "SHA-384") {
156 return 0x36;
157 }
158 if(name == "SHA-512") {
159 return 0x35;
160 }
161
162 if(name == "RIPEMD-160") {
163 return 0x31;
164 }
165
166 if(name == "Whirlpool") {
167 return 0x37;
168 }
169
170 return 0;
171}

Referenced by Botan::X931_SignaturePadding::X931_SignaturePadding().

◆ if_work_factor()

size_t BOTAN_TEST_API Botan::if_work_factor ( size_t n_bits)

Estimate work factor for integer factorization

Parameters
n_bitssize of modulus in bits
Returns
estimated security level for this modulus

Definition at line 35 of file workfactor.cpp.

35 {
36 if(bits < 512) {
37 return 0;
38 }
39
40 // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest
41
42 const double log2_k = -5.6438; // log2(.02)
43 return nfs_workfactor(bits, log2_k);
44}

Referenced by dl_work_factor(), Botan::RSA_PublicKey::estimated_strength(), and Botan::TPM_PrivateKey::estimated_strength().

◆ ignore_params()

template<typename... T>
void Botan::ignore_params ( const T &... args)
constexpr

Mark variable as unused.

Takes any number of arguments and marks all as unused, for instance BOTAN_UNUSED(a); or BOTAN_UNUSED(x, y, z);

Definition at line 142 of file assert.h.

142{}

References ignore_params().

Referenced by ignore_params().

◆ index_of_first_set_byte()

template<std::unsigned_integral T>
size_t Botan::index_of_first_set_byte ( T v)
constexpr

Return the index of the first byte with the high bit set

Definition at line 130 of file int_utils.h.

130 {
131 // The constant 0x010101... as a T
132 constexpr T lo1 = (static_cast<T>(-1) / 255);
133 // The constant 0x808080... as a T
134 constexpr T hi1 = lo1 << 7;
135 // How many bits to shift in order to get the top byte
136 constexpr size_t bits = (sizeof(T) * 8) - 8;
137
138 return static_cast<size_t>((((((v & hi1) - 1) & lo1) * lo1) >> bits) - 1);
139}

◆ initialize_allocator()

void BOTAN_UNSTABLE_API Botan::initialize_allocator ( )

Ensure the allocator is initialized

Definition at line 64 of file allocator.cpp.

64 {
65#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
67#endif
68}

References Botan::mlock_allocator::instance().

Referenced by Botan::Allocator_Initializer::Allocator_Initializer().

◆ intersects()

bool Botan::intersects ( ASN1_Class x,
ASN1_Class y )
inline

Definition at line 70 of file asn1_obj.h.

70 {
71 return (static_cast<uint32_t>(x) & static_cast<uint32_t>(y)) != 0;
72}

◆ inverse_mod()

BigInt Botan::inverse_mod ( const BigInt & x,
const BigInt & modulus )

Modular inversion. This algorithm is const time with respect to x, as long as x is less than modulus. It also avoids leaking information about the modulus, except that it does leak which of 3 categories the modulus is in: an odd integer, a power of 2, or some other even number, and if the modulus is even, leaks the power of 2 which divides the modulus.

Parameters
xa positive integer
modulusa positive integer
Returns
y st (x*y) % modulus == 1 or 0 if no such value

Definition at line 369 of file mod_inv.cpp.

369 {
370 BOTAN_ARG_CHECK(!mod.is_zero(), "modulus cannot be zero");
371 BOTAN_ARG_CHECK(!mod.is_negative(), "modulus cannot be negative");
372 BOTAN_ARG_CHECK(!n.is_negative(), "value cannot be negative");
373
374 if(n.is_zero() || (n.is_even() && mod.is_even())) {
375 return BigInt::zero();
376 }
377
378 if(n >= mod) {
379 return inverse_mod(ct_modulo(n, mod), mod);
380 }
381
382 return inverse_mod_general(n, mod).value_or(BigInt::zero());
383}
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition divide.cpp:192
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition mod_inv.cpp:369

References BOTAN_ARG_CHECK, ct_modulo(), inverse_mod(), inverse_mod_general(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), and Botan::BigInt::zero().

Referenced by inverse_mod().

◆ inverse_mod_general()

std::optional< BigInt > BOTAN_TEST_API Botan::inverse_mod_general ( const BigInt & x,
const BigInt & m )

Compute the inverse of x modulo some integer m

Returns nullopt if no such integer exists eg if gcd(x, m) > 1

This algorithm is const time with respect to x, aside from its length. It also avoids leaking information about the modulus m, except that it does leak which of 3 categories the modulus is in:

  • An odd integer
  • A power of 2
  • Some even number not a power of 2

And if the modulus is even, it leaks the power of 2 which divides the modulus.

Parameters
xa positive integer less than m
ma positive integer

Throws Invalid_Argument if x or m are negative

Definition at line 177 of file mod_inv.cpp.

177 {
178 BOTAN_ARG_CHECK(x > 0, "x must be greater than zero");
179 BOTAN_ARG_CHECK(mod > 0, "mod must be greater than zero");
180 BOTAN_ARG_CHECK(x < mod, "x must be less than m");
181
182 // Easy case where gcd > 1 so no inverse exists
183 if(x.is_even() && mod.is_even()) {
184 return std::nullopt;
185 }
186
187 if(mod.is_odd()) {
188 BigInt z = inverse_mod_odd_modulus(x, mod);
189 if(z.is_zero()) {
190 return std::nullopt;
191 } else {
192 return z;
193 }
194 }
195
196 // If x is even and mod is even we already returned 0
197 // If x is even and mod is odd we jumped directly to odd-modulus algo
199
200 const size_t mod_lz = low_zero_bits(mod);
201 BOTAN_ASSERT_NOMSG(mod_lz > 0);
202 const size_t mod_bits = mod.bits();
203 BOTAN_ASSERT_NOMSG(mod_bits > mod_lz);
204
205 if(mod_lz == mod_bits - 1) {
206 // In this case we are performing an inversion modulo 2^k
207 auto z = inverse_mod_pow2(x, mod_lz);
208 if(z.is_zero()) {
209 return std::nullopt;
210 } else {
211 return z;
212 }
213 }
214
215 if(mod_lz == 1) {
216 /*
217 Inversion modulo 2*o is an easier special case of CRT
218
219 This is exactly the main CRT flow below but taking advantage of
220 the fact that any odd number ^-1 modulo 2 is 1. As a result both
221 inv_2k and c can be taken to be 1, m2k is 2, and h is always
222 either 0 or 1, and its value depends only on the low bit of inv_o.
223
224 This is worth special casing because we generate RSA primes such
225 that phi(n) is of this form. However this only works for keys
226 that we generated in this way; pre-existing keys will typically
227 fall back to the general algorithm below.
228 */
229
230 const BigInt o = mod >> 1;
231 const BigInt inv_o = inverse_mod_odd_modulus(ct_modulo(x, o), o);
232
233 // No modular inverse in this case:
234 if(inv_o == 0) {
235 return std::nullopt;
236 }
237
238 BigInt h = inv_o;
239 h.ct_cond_add(!inv_o.get_bit(0), o);
240 return h;
241 }
242
243 /*
244 * In this case we are performing an inversion modulo 2^k*o for
245 * some k >= 2 and some odd (not necessarily prime) integer.
246 * Compute the inversions modulo 2^k and modulo o, then combine them
247 * using CRT, which is possible because 2^k and o are relatively prime.
248 */
249
250 const BigInt o = mod >> mod_lz;
251 const BigInt inv_o = inverse_mod_odd_modulus(ct_modulo(x, o), o);
252 const BigInt inv_2k = inverse_mod_pow2(x, mod_lz);
253
254 // No modular inverse in this case:
255 if(inv_o == 0 || inv_2k == 0) {
256 return std::nullopt;
257 }
258
259 const BigInt m2k = BigInt::power_of_2(mod_lz);
260 // Compute the CRT parameter
261 const BigInt c = inverse_mod_pow2(o, mod_lz);
262
263 // This should never happen; o is odd so gcd is 1 and inverse mod 2^k exists
264 BOTAN_ASSERT_NOMSG(!c.is_zero());
265
266 // Compute h = c*(inv_2k-inv_o) mod 2^k
267 BigInt h = c * (inv_2k - inv_o);
268 const bool h_neg = h.is_negative();
269 h.set_sign(BigInt::Positive);
270 h.mask_bits(mod_lz);
271 const bool h_nonzero = h.is_nonzero();
272 h.ct_cond_assign(h_nonzero && h_neg, m2k - h);
273
274 // Return result inv_o + h * o
275 h *= o;
276 h += inv_o;
277 return h;
278}
void ct_cond_add(bool predicate, const BigInt &value)
Definition bigint.cpp:453
bool is_odd() const
Definition bigint.h:445
static BigInt power_of_2(size_t n)
Definition bigint.h:820
size_t low_zero_bits(const BigInt &n)
Definition numthry.cpp:167

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), low_zero_bits(), Botan::BigInt::mask_bits(), Botan::BigInt::Positive, Botan::BigInt::power_of_2(), and Botan::BigInt::set_sign().

Referenced by botan_mp_mod_inverse(), compute_rsa_secret_exponent(), and inverse_mod().

◆ inverse_mod_public_prime()

BigInt BOTAN_TEST_API Botan::inverse_mod_public_prime ( const BigInt & x,
const BigInt & p )

Compute the inverse of x modulo a public prime p

This algorithm is constant time with respect to x. The prime p is assumed to be public.

Parameters
xa positive integer less than p
pan odd prime
Returns
y such that (x*y) % p == 1

This always returns a result since any integer in [1,p) has an inverse modulo a prime p.

This function assumes as a precondition that p truly is prime; the results may not be correct if this does not hold.

Throws Invalid_Argument if x is less than or equal to zero, or if p is even or less than 3.

Definition at line 291 of file mod_inv.cpp.

291 {
292 return inverse_mod_secret_prime(x, p);
293}
BigInt inverse_mod_secret_prime(const BigInt &x, const BigInt &p)
Definition mod_inv.cpp:280

References inverse_mod_secret_prime().

Referenced by Botan::DL_Group::inverse_mod_p(), Botan::DL_Group::inverse_mod_q(), Botan::EC_Scalar_Data_BN::invert(), and Botan::EC_Scalar_Data_BN::invert_vartime().

◆ inverse_mod_rsa_public_modulus()

BigInt Botan::inverse_mod_rsa_public_modulus ( const BigInt & x,
const BigInt & n )

Compute the inverse of x modulo a public RSA modulus n

This algorithm is constant time with respect to x. The RSA modulus is assumed to be public.

Parameters
xa positive integer less than n
na RSA public modulus
Returns
y such that (x*y) % n == 1

This always returns a result since any integer in [1,n) has an inverse modulo a RSA public modulus n, unless you have happened to guess one of the factors at random. In the unlikely event of this occuring, Internal_Error will be thrown.

Definition at line 295 of file mod_inv.cpp.

295 {
296 BOTAN_ARG_CHECK(n.is_positive() && n.is_odd(), "RSA public modulus must be odd and positive");
297 BOTAN_ARG_CHECK(x.is_positive() && x < n, "Input must be positive and less than RSA modulus");
298 BigInt z = inverse_mod_odd_modulus(x, n);
299 BOTAN_ASSERT(!z.is_zero(), "Accidentally factored the public modulus"); // whoops
300 return z;
301}

References BOTAN_ARG_CHECK, BOTAN_ASSERT, Botan::BigInt::is_odd(), Botan::BigInt::is_positive(), and Botan::BigInt::is_zero().

◆ inverse_mod_secret_prime()

BigInt BOTAN_TEST_API Botan::inverse_mod_secret_prime ( const BigInt & x,
const BigInt & p )

Compute the inverse of x modulo a secret prime p

This algorithm is constant time with respect to x and p, aside from leaking the length of p. (In particular it should not leak the length of x, if x is shorter)

Parameters
xa positive integer less than p
pan odd prime
Returns
y such that (x*y) % p == 1

This always returns a result since any integer in [1,p) has an inverse modulo a prime p.

This function assumes as a precondition that p truly is prime; the results may not be correct if this does not hold.

Throws Invalid_Argument if x is less than or equal to zero, or if p is even or less than 3.

Definition at line 280 of file mod_inv.cpp.

280 {
281 BOTAN_ARG_CHECK(x.is_positive() && p.is_positive(), "Parameters must be positive");
282 BOTAN_ARG_CHECK(x < p, "x must be less than p");
283 BOTAN_ARG_CHECK(p.is_odd() && p > 1, "Primes are odd integers greater than 1");
284
285 // TODO possibly use FLT, or the algorithm presented for this case in
286 // Handbook of Elliptic and Hyperelliptic Curve Cryptography
287
288 return inverse_mod_odd_modulus(x, p);
289}

References BOTAN_ARG_CHECK, Botan::BigInt::is_odd(), and Botan::BigInt::is_positive().

Referenced by Botan::RSA_PrivateKey::check_key(), inverse_mod_public_prime(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ invert_field_element()

template<typename C>
auto Botan::invert_field_element ( const typename C::FieldElement & fe)
inlineconstexpr

Field inversion

Uses the specialized fe_invert2 if available, or otherwise the standard (FLT-based) field inversion.

Definition at line 34 of file pcurves_algos.h.

34 {
35 if constexpr(curve_supports_fe_invert2<C>) {
36 return C::fe_invert2(fe) * fe;
37 } else {
38 return fe.invert();
39 }
40}

Referenced by map_to_curve_sswu(), SSWU_C2(), to_affine(), to_affine_batch(), and to_affine_x().

◆ ipv4_to_string()

std::string BOTAN_TEST_API Botan::ipv4_to_string ( uint32_t ip_addr)

Convert an IPv4 address to a string

Parameters
ip_addrthe IPv4 address to convert
Returns
string representation of the IPv4 address

Definition at line 225 of file parsing.cpp.

225 {
226 uint8_t bits[4];
227 store_be(ip, bits);
228
229 std::string str;
230
231 for(size_t i = 0; i != 4; ++i) {
232 if(i > 0) {
233 str += ".";
234 }
235 str += std::to_string(bits[i]);
236 }
237
238 return str;
239}

References store_be().

Referenced by Botan::AlternativeName::contents(), Botan::AlternativeName::get_attribute(), and Botan::GeneralName::name().

◆ is_bailie_psw_probable_prime()

bool BOTAN_TEST_API Botan::is_bailie_psw_probable_prime ( const BigInt & n,
const Barrett_Reduction & mod_n )

Perform Bailie-PSW primality test

This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.

Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 98 of file primality.cpp.

98 {
99 if(n == 2) {
100 return true;
101 } else if(n <= 1 || n.is_even()) {
102 return false;
103 }
104
105 Montgomery_Params monty_n(n, mod_n);
106 const auto base = BigInt::from_word(2);
107 return passes_miller_rabin_test(n, mod_n, monty_n, base) && is_lucas_probable_prime(n, mod_n);
108}
static BigInt from_word(word n)
Definition bigint.cpp:34
bool is_lucas_probable_prime(const BigInt &C, const Barrett_Reduction &mod_C)
Definition primality.cpp:18
bool passes_miller_rabin_test(const BigInt &n, const Barrett_Reduction &mod_n, const Montgomery_Params &monty_n, const BigInt &a)

References Botan::BigInt::from_word(), Botan::BigInt::is_even(), is_lucas_probable_prime(), and passes_miller_rabin_test().

Referenced by Botan::EC_Group::EC_Group(), and is_prime().

◆ is_generalizable_to() [1/2]

template<typename GeneralVariantT, typename SpecialT>
bool Botan::is_generalizable_to ( const SpecialT & )
constexprnoexcept

Definition at line 290 of file stl_util.h.

290 {
291 return std::is_constructible_v<GeneralVariantT, SpecialT>;
292}

Referenced by generalize_to(), and Botan::TLS::Handshake_State_13< Connection_Side::Client, Client_Handshake_13_Message, Server_Handshake_13_Message, Server_Post_Handshake_13_Message >::sending().

◆ is_generalizable_to() [2/2]

template<typename GeneralVariantT, typename... SpecialTs>
bool Botan::is_generalizable_to ( const std::variant< SpecialTs... > & )
constexprnoexcept

Definition at line 295 of file stl_util.h.

295 {
296 return (std::is_constructible_v<GeneralVariantT, SpecialTs> && ...);
297}

◆ is_lucas_probable_prime()

bool BOTAN_TEST_API Botan::is_lucas_probable_prime ( const BigInt & n,
const Barrett_Reduction & mod_n )

Perform Lucas primality test

See also
FIPS 186-4 C.3.3
Warning
it is possible to construct composite integers which pass this test alone.
Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 18 of file primality.cpp.

18 {
19 BOTAN_ARG_CHECK(C.is_positive(), "Argument should be a positive integer");
20
21 if(C == 2 || C == 3 || C == 5 || C == 7 || C == 11 || C == 13) {
22 return true;
23 }
24
25 if(C <= 1 || C.is_even()) {
26 return false;
27 }
28
30
31 for(;;) {
32 int32_t j = jacobi(D, C);
33 if(j == 0) {
34 return false;
35 }
36
37 if(j == -1) {
38 break;
39 }
40
41 // Check 5, -7, 9, -11, 13, -15, 17, ...
42 if(D.is_negative()) {
43 D.flip_sign();
44 D += 2;
45 } else {
46 D += 2;
47 D.flip_sign();
48 }
49
50 if(D == 17 && is_perfect_square(C).is_nonzero()) {
51 return false;
52 }
53 }
54
55 if(D.is_negative()) {
56 D += C;
57 }
58
59 const BigInt K = C + 1;
60 const size_t K_bits = K.bits() - 1;
61
62 BigInt U = BigInt::one();
63 BigInt V = BigInt::one();
64
65 BigInt Ut;
66 BigInt Vt;
67 BigInt U2;
68 BigInt V2;
69
70 for(size_t i = 0; i != K_bits; ++i) {
71 const bool k_bit = K.get_bit(K_bits - 1 - i);
72
73 Ut = mod_C.multiply(U, V);
74
75 Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U)));
76 Vt.ct_cond_add(Vt.is_odd(), C);
77 Vt >>= 1;
78 Vt = mod_C.reduce(Vt);
79
80 U = Ut;
81 V = Vt;
82
83 U2 = mod_C.reduce(Ut + Vt);
84 U2.ct_cond_add(U2.is_odd(), C);
85 U2 >>= 1;
86
87 V2 = mod_C.reduce(Vt + mod_C.multiply(Ut, D));
88 V2.ct_cond_add(V2.is_odd(), C);
89 V2 >>= 1;
90
91 U.ct_cond_assign(k_bit, U2);
92 V.ct_cond_assign(k_bit, V2);
93 }
94
95 return (U == 0);
96}
static BigInt one()
Definition bigint.h:54
BigInt is_perfect_square(const BigInt &C)
Definition numthry.cpp:320
int32_t jacobi(const BigInt &a, const BigInt &n)
Definition numthry.cpp:116

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::flip_sign(), Botan::BigInt::from_word(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), is_perfect_square(), Botan::BigInt::is_positive(), jacobi(), Botan::Barrett_Reduction::multiply(), Botan::BigInt::one(), Botan::Barrett_Reduction::reduce(), and Botan::Barrett_Reduction::square().

Referenced by is_bailie_psw_probable_prime(), is_prime(), and random_prime().

◆ is_miller_rabin_probable_prime()

bool BOTAN_TEST_API Botan::is_miller_rabin_probable_prime ( const BigInt & n,
const Barrett_Reduction & mod_n,
RandomNumberGenerator & rng,
size_t t )

Perform t iterations of a Miller-Rabin primality test with random bases

Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
rnga random number generator
tnumber of tests to perform
Returns
result of primality test

Definition at line 154 of file primality.cpp.

157 {
158 if(n < 3 || n.is_even()) {
159 return false;
160 }
161
162 Montgomery_Params monty_n(n, mod_n);
163
164 for(size_t i = 0; i != test_iterations; ++i) {
165 const BigInt a = BigInt::random_integer(rng, BigInt::from_word(2), n);
166
167 if(!passes_miller_rabin_test(n, mod_n, monty_n, a)) {
168 return false;
169 }
170 }
171
172 // Failed to find a counterexample
173 return true;
174}
static BigInt random_integer(RandomNumberGenerator &rng, const BigInt &min, const BigInt &max)
Definition big_rand.cpp:43

References Botan::BigInt::from_word(), Botan::BigInt::is_even(), passes_miller_rabin_test(), and Botan::BigInt::random_integer().

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

◆ is_passhash9_alg_supported()

bool Botan::is_passhash9_alg_supported ( uint8_t alg_id)

Check if the PRF used with PBKDF2 is supported

Parameters
alg_idalg_id used in generate_passhash9()

Definition at line 128 of file passhash9.cpp.

128 {
129 if(get_pbkdf_prf(alg_id)) {
130 return true;
131 }
132 return false;
133}

◆ is_perfect_square()

BigInt Botan::is_perfect_square ( const BigInt & x)

Test if the positive integer x is a perfect square ie if there exists some positive integer y st y*y == x See FIPS 186-4 sec C.4

Returns
0 if the integer is not a perfect square, otherwise returns the positive y st y*y == x

Definition at line 320 of file numthry.cpp.

320 {
321 if(C < 1) {
322 throw Invalid_Argument("is_perfect_square requires C >= 1");
323 }
324 if(C == 1) {
325 return BigInt::one();
326 }
327
328 const size_t n = C.bits();
329 const size_t m = (n + 1) / 2;
330 const BigInt B = C + BigInt::power_of_2(m);
331
332 BigInt X = BigInt::power_of_2(m) - 1;
333 BigInt X2 = (X * X);
334
335 for(;;) {
336 X = (X2 + C) / (2 * X);
337 X2 = (X * X);
338
339 if(X2 < B) {
340 break;
341 }
342 }
343
344 if(X2 == C) {
345 return X;
346 } else {
347 return BigInt::zero();
348 }
349}

References Botan::BigInt::bits(), Botan::BigInt::one(), Botan::BigInt::power_of_2(), and Botan::BigInt::zero().

Referenced by is_lucas_probable_prime().

◆ is_power_of_2()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr bool Botan::is_power_of_2 ( T arg)
constexpr

Power of 2 test. T should be an unsigned integer type

Parameters
argan integer value
Returns
true iff arg is 2^n for some n > 0

Definition at line 45 of file bit_ops.h.

45 {
46 return (arg != 0) && (arg != 1) && ((arg & static_cast<T>(arg - 1)) == 0);
47}

References BOTAN_FORCE_INLINE.

Referenced by operator%(), Botan::BigInt::operator%=(), Botan::BigInt::operator/=(), Botan::Scrypt::Scrypt(), and Botan::CTR_BE::seek().

◆ is_prime()

bool Botan::is_prime ( const BigInt & n,
RandomNumberGenerator & rng,
size_t prob = 64,
bool is_random = false )

Check for primality

This uses probabilistic algorithms - there is some non-zero (but very low) probability that this function will return true even if n is actually composite.

Parameters
na positive integer to test for primality
rnga random number generator
probchance of false positive is bounded by 1/2**prob
is_randomtrue if n was randomly chosen by us
Returns
true if all primality tests passed, otherwise false

Definition at line 354 of file numthry.cpp.

354 {
355 if(n == 2) {
356 return true;
357 }
358 if(n <= 1 || n.is_even()) {
359 return false;
360 }
361
362 const size_t n_bits = n.bits();
363
364 // Fast path testing for small numbers (<= 65521)
365 if(n_bits <= 16) {
366 const uint16_t num = static_cast<uint16_t>(n.word_at(0));
367
368 return std::binary_search(PRIMES, PRIMES + PRIME_TABLE_SIZE, num);
369 }
370
372
373 if(rng.is_seeded()) {
374 const size_t t = miller_rabin_test_iterations(n_bits, prob, is_random);
375
376 if(!is_miller_rabin_probable_prime(n, mod_n, rng, t)) {
377 return false;
378 }
379
380 if(is_random) {
381 return true;
382 } else {
383 return is_lucas_probable_prime(n, mod_n);
384 }
385 } else {
386 return is_bailie_psw_probable_prime(n, mod_n);
387 }
388}
word word_at(size_t n) const
Definition bigint.h:547
virtual bool is_seeded() const =0
const uint16_t PRIMES[]
Definition primes.cpp:12
const size_t PRIME_TABLE_SIZE
Definition numthry.h:174
bool is_bailie_psw_probable_prime(const BigInt &n, const Barrett_Reduction &mod_n)
Definition primality.cpp:98

References Botan::BigInt::bits(), Botan::Barrett_Reduction::for_secret_modulus(), is_bailie_psw_probable_prime(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::RandomNumberGenerator::is_seeded(), miller_rabin_test_iterations(), PRIME_TABLE_SIZE, PRIMES, and Botan::BigInt::word_at().

Referenced by botan_mp_is_prime(), Botan::RSA_PrivateKey::check_key(), Botan::DL_Group::DL_Group(), generate_dsa_primes(), random_safe_prime(), Botan::DL_Group::verify_group(), and Botan::EC_Group::verify_group().

◆ is_sub_element_of()

std::optional< uint32_t > Botan::is_sub_element_of ( const OID & oid,
std::initializer_list< uint32_t > prefix )
inline

Definition at line 16 of file x509_utils.h.

16 {
17 const auto& c = oid.get_components();
18
19 if(c.size() != prefix.size() + 1) {
20 return {};
21 }
22
23 if(!std::equal(c.begin(), c.end() - 1, prefix.begin(), prefix.end())) {
24 return {};
25 }
26
27 return c[c.size() - 1];
28}
const std::vector< uint32_t > & get_components() const
Definition asn1_obj.h:321

References Botan::OID::get_components().

Referenced by Botan::X509_DN::lookup_ub().

◆ jacobi()

int32_t Botan::jacobi ( const BigInt & a,
const BigInt & n )

Compute the Jacobi symbol. If n is prime, this is equivalent to the Legendre symbol.

See also
http://mathworld.wolfram.com/JacobiSymbol.html
Parameters
ais a non-negative integer
nis an odd integer > 1
Returns
(n / m)

Definition at line 116 of file numthry.cpp.

116 {
117 if(n.is_even() || n < 2) {
118 throw Invalid_Argument("jacobi: second argument must be odd and > 1");
119 }
120
121 BigInt x = a % n;
122 BigInt y = n;
123 int32_t J = 1;
124
125 while(y > 1) {
126 x %= y;
127 if(x > y / 2) {
128 x = y - x;
129 if(y % 4 == 3) {
130 J = -J;
131 }
132 }
133 if(x.is_zero()) {
134 return 0;
135 }
136
137 size_t shifts = low_zero_bits(x);
138 x >>= shifts;
139 if(shifts % 2 == 1) {
140 word y_mod_8 = y % 8;
141 if(y_mod_8 == 3 || y_mod_8 == 5) {
142 J = -J;
143 }
144 }
145
146 if(x % 4 == 3 && y % 4 == 3) {
147 J = -J;
148 }
149 std::swap(x, y);
150 }
151 return J;
152}

References Botan::BigInt::is_even(), Botan::BigInt::is_zero(), and low_zero_bits().

Referenced by Botan::DL_Group::DL_Group(), is_lucas_probable_prime(), and sqrt_modulo_prime().

◆ keccak_absorb_padded_strings_encoding()

template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
size_t Botan::keccak_absorb_padded_strings_encoding ( T & sink,
size_t padding_mod,
Ts... byte_strings )

This is a combination of the functions encode_string() and bytepad() defined in NIST SP.800-185 Section 2.3. Additionally, the result is directly streamed into the provided XOF to avoid unneccessary memory allocation or a byte vector.

Parameters
sinkthe XOF or byte vector to absorb the byte_strings into
padding_modthe modulus value to create a padding for (NIST calls this 'w')
byte_stringsa variable-length list of byte strings to be encoded and absorbed into the given xof
Returns
the number of bytes absorbed into the xof

Definition at line 91 of file keccak_helpers.h.

91 {
92 BOTAN_ASSERT_NOMSG(padding_mod > 0);
93
94 // used as temporary storage for all integer encodings in this function
95 std::array<uint8_t, keccak_max_int_encoding_size()> int_encoding_buffer{};
96
97 // absorbs byte strings and counts the number of absorbed bytes
98 size_t bytes_absorbed = 0;
99 auto absorb = [&](std::span<const uint8_t> bytes) {
100 if constexpr(updatable_object<T>) {
101 sink.update(bytes);
102 } else if constexpr(appendable_object<T>) {
103 sink.insert(sink.end(), bytes.begin(), bytes.end());
104 }
105 bytes_absorbed += bytes.size();
106 };
107
108 // encodes a given string and absorbs it into the XOF straight away
109 auto encode_string_and_absorb = [&](std::span<const uint8_t> bytes) {
110 absorb(keccak_int_left_encode(int_encoding_buffer, bytes.size() * 8));
111 absorb(bytes);
112 };
113
114 // absorbs as many zero-bytes as requested into the XOF
115 auto absorb_padding = [&](size_t padding_bytes) {
116 for(size_t i = 0; i < padding_bytes; ++i) {
117 const uint8_t zero_byte = 0;
118 absorb({&zero_byte, 1});
119 }
120 };
121
122 // implementation of bytepad(encode_string(Ts) || ...) that absorbs the result
123 // staight into the given xof
124 absorb(keccak_int_left_encode(int_encoding_buffer, padding_mod));
125 (encode_string_and_absorb(byte_strings), ...);
126 absorb_padding(padding_mod - (bytes_absorbed % padding_mod));
127
128 return bytes_absorbed;
129}
std::span< const uint8_t > keccak_int_left_encode(std::span< uint8_t > out, size_t x)
constexpr size_t keccak_max_int_encoding_size()

References BOTAN_ASSERT_NOMSG, keccak_absorb_padded_strings_encoding(), keccak_int_left_encode(), and keccak_max_int_encoding_size().

Referenced by keccak_absorb_padded_strings_encoding().

◆ keccak_int_encoding_size()

BOTAN_TEST_API size_t Botan::keccak_int_encoding_size ( size_t x)
Returns
the required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode() given an integer x

Definition at line 55 of file keccak_helpers.cpp.

55 {
56 return int_encoding_size(x) + 1 /* the length tag */;
57}

◆ keccak_int_left_encode()

BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_left_encode ( std::span< uint8_t > buffer,
size_t x )

Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the beginning of the string.

This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.

Parameters
bufferbuffer to write the left-encoding of x to. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.
xthe integer to be left-encoded
Returns
the byte span that represents the bytes written to buffer.

Definition at line 42 of file keccak_helpers.cpp.

42 {
43 BOTAN_ASSERT_NOMSG(!out.empty());
44 out[0] = encode(out.last(out.size() - 1), x);
45 return out.first(out[0] + 1 /* the length tag */);
46}

References BOTAN_ASSERT_NOMSG.

Referenced by keccak_absorb_padded_strings_encoding().

◆ keccak_int_right_encode()

BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_right_encode ( std::span< uint8_t > out,
size_t x )

Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the end of the string.

This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.

Parameters
outbuffer to write the right-encoding of x to. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.
xthe integer to be right-encoded
Returns
the byte span that represents the bytes written to buffer.

Definition at line 48 of file keccak_helpers.cpp.

48 {
49 const auto bytes_needed = encode(out, x);
50 BOTAN_ASSERT_NOMSG(out.size() >= bytes_needed + size_t(1));
51 out[bytes_needed] = bytes_needed;
52 return out.first(bytes_needed + 1 /* the length tag */);
53}

References BOTAN_ASSERT_NOMSG.

◆ keccak_max_int_encoding_size()

size_t Botan::keccak_max_int_encoding_size ( )
constexpr
Returns
the maximum required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode()

Definition at line 65 of file keccak_helpers.h.

65 {
66 return sizeof(size_t) + 1 /* the length tag */;
67}

Referenced by keccak_absorb_padded_strings_encoding().

◆ Keccak_Permutation_round()

void Botan::Keccak_Permutation_round ( uint64_t T[25],
const uint64_t A[25],
uint64_t RC )
inline

Definition at line 15 of file keccak_perm_round.h.

15 {
16 const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
17 const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
18 const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
19 const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
20 const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
21
22 const uint64_t D0 = rotl<1>(C0) ^ C3;
23 const uint64_t D1 = rotl<1>(C1) ^ C4;
24 const uint64_t D2 = rotl<1>(C2) ^ C0;
25 const uint64_t D3 = rotl<1>(C3) ^ C1;
26 const uint64_t D4 = rotl<1>(C4) ^ C2;
27
28 const uint64_t B00 = A[0] ^ D1;
29 const uint64_t B01 = rotl<44>(A[6] ^ D2);
30 const uint64_t B02 = rotl<43>(A[12] ^ D3);
31 const uint64_t B03 = rotl<21>(A[18] ^ D4);
32 const uint64_t B04 = rotl<14>(A[24] ^ D0);
33 T[0] = B00 ^ (~B01 & B02) ^ RC;
34 T[1] = B01 ^ (~B02 & B03);
35 T[2] = B02 ^ (~B03 & B04);
36 T[3] = B03 ^ (~B04 & B00);
37 T[4] = B04 ^ (~B00 & B01);
38
39 const uint64_t B05 = rotl<28>(A[3] ^ D4);
40 const uint64_t B06 = rotl<20>(A[9] ^ D0);
41 const uint64_t B07 = rotl<3>(A[10] ^ D1);
42 const uint64_t B08 = rotl<45>(A[16] ^ D2);
43 const uint64_t B09 = rotl<61>(A[22] ^ D3);
44 T[5] = B05 ^ (~B06 & B07);
45 T[6] = B06 ^ (~B07 & B08);
46 T[7] = B07 ^ (~B08 & B09);
47 T[8] = B08 ^ (~B09 & B05);
48 T[9] = B09 ^ (~B05 & B06);
49
50 const uint64_t B10 = rotl<1>(A[1] ^ D2);
51 const uint64_t B11 = rotl<6>(A[7] ^ D3);
52 const uint64_t B12 = rotl<25>(A[13] ^ D4);
53 const uint64_t B13 = rotl<8>(A[19] ^ D0);
54 const uint64_t B14 = rotl<18>(A[20] ^ D1);
55 T[10] = B10 ^ (~B11 & B12);
56 T[11] = B11 ^ (~B12 & B13);
57 T[12] = B12 ^ (~B13 & B14);
58 T[13] = B13 ^ (~B14 & B10);
59 T[14] = B14 ^ (~B10 & B11);
60
61 const uint64_t B15 = rotl<27>(A[4] ^ D0);
62 const uint64_t B16 = rotl<36>(A[5] ^ D1);
63 const uint64_t B17 = rotl<10>(A[11] ^ D2);
64 const uint64_t B18 = rotl<15>(A[17] ^ D3);
65 const uint64_t B19 = rotl<56>(A[23] ^ D4);
66 T[15] = B15 ^ (~B16 & B17);
67 T[16] = B16 ^ (~B17 & B18);
68 T[17] = B17 ^ (~B18 & B19);
69 T[18] = B18 ^ (~B19 & B15);
70 T[19] = B19 ^ (~B15 & B16);
71
72 const uint64_t B20 = rotl<62>(A[2] ^ D3);
73 const uint64_t B21 = rotl<55>(A[8] ^ D4);
74 const uint64_t B22 = rotl<39>(A[14] ^ D0);
75 const uint64_t B23 = rotl<41>(A[15] ^ D1);
76 const uint64_t B24 = rotl<2>(A[21] ^ D2);
77 T[20] = B20 ^ (~B21 & B22);
78 T[21] = B21 ^ (~B22 & B23);
79 T[22] = B22 ^ (~B23 & B24);
80 T[23] = B23 ^ (~B24 & B20);
81 T[24] = B24 ^ (~B20 & B21);
82}
BOTAN_FORCE_INLINE constexpr T rotl(T input)
Definition rotate.h:23

References rotl().

◆ key_constraints_to_string()

std::string Botan::key_constraints_to_string ( Key_Constraints c)
inline

Definition at line 34 of file pkix_types.h.

34 {
35 return c.to_string();
36}
std::string to_string() const

References key_constraints_to_string().

Referenced by key_constraints_to_string().

◆ latin1_to_utf8()

BOTAN_TEST_API std::string Botan::latin1_to_utf8 ( const uint8_t chars[],
size_t len )

Definition at line 89 of file charset.cpp.

89 {
90 std::string s;
91 for(size_t i = 0; i != len; ++i) {
92 const uint32_t c = static_cast<uint8_t>(chars[i]);
93 append_utf8_for(s, c);
94 }
95 return s;
96}

Referenced by Botan::ASN1_String::decode_from().

◆ lcm()

BigInt Botan::lcm ( const BigInt & x,
const BigInt & y )

Least common multiple

Parameters
xa positive integer
ya positive integer
Returns
z, smallest integer such that z % x == 0 and z % y == 0

Definition at line 269 of file numthry.cpp.

269 {
270 if(a == b) {
271 return a;
272 }
273
274 auto ab = a * b;
275 ab.set_sign(BigInt::Positive); // ignore the signs of a & b
276 const auto g = gcd(a, b);
277 return ct_divide(ab, g);
278}

References ct_divide(), gcd(), Botan::BigInt::Positive, and Botan::BigInt::set_sign().

Referenced by Botan::Cascade_Cipher::Cascade_Cipher(), Botan::RSA_PrivateKey::check_key(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

◆ lex_to_gray()

gf2m Botan::lex_to_gray ( gf2m lex)
inline

Definition at line 38 of file code_based_util.h.

38 {
39 return (lex >> 1) ^ lex;
40}

Referenced by syndrome_init().

◆ lmots_compute_pubkey_from_sig()

BOTAN_TEST_API LMOTS_K Botan::lmots_compute_pubkey_from_sig ( const LMOTS_Signature & sig,
const LMS_Message & msg,
const LMS_Identifier & identifier,
LMS_Tree_Node_Idx q )

Compute a public key candidate for an OTS-signature-message pair and the OTS instance parameters.

Defined in RFC 8554 4.6 - Algorithm 4b

Definition at line 327 of file lm_ots.cpp.

330 {
332
333 // Alg. 4b 3.
334
335 const auto Q_with_cksm = gen_Q_with_cksm(params, identifier, q, sig.C(), msg);
336
337 // Prefill the final hash object
338 const auto pk_hash = params.hash();
339 pk_hash->update(identifier);
340 pk_hash->update(store_be(q));
341 pk_hash->update(store_be(D_PBLC));
342
343 Chain_Generator chain_gen(identifier, q);
344 const auto hash = params.hash();
345 LMOTS_Node tmp(params.n());
346 for(uint16_t i = 0; i < params.p(); ++i) {
347 const uint8_t a = coef(Q_with_cksm, i, params);
348 chain_gen.process(*hash, i, a, params.coef_max(), sig.y(i), tmp);
349 pk_hash->update(tmp);
350 }
351 // Alg. 4b 4.
352 return pk_hash->final<LMOTS_K>();
353}
static LMOTS_Params create_or_throw(LMOTS_Algorithm_Type type)
Create the LM-OTS parameters from a known algorithm type.
Definition lm_ots.cpp:100
StrongSpan< const LMOTS_Node > y(uint16_t chain_idx) const
Returns the part of the signature for chain_idx.
Definition lm_ots.h:202
LMOTS_Algorithm_Type algorithm_type() const
Returns the LM-OTS algorithm type.
Definition lm_ots.h:192
std::span< const uint8_t > C() const
The n-byte randomizer of the signature.
Definition lm_ots.h:197
Strong< std::vector< uint8_t >, struct LMOTS_K_ > LMOTS_K
The K value from the LM-OTS public key.
Definition lm_ots.h:35
Strong< secure_vector< uint8_t >, struct LMOTS_Node_ > LMOTS_Node
One node within one LM-OTS hash chain.
Definition lm_ots.h:30

References Botan::LMOTS_Signature::algorithm_type(), Botan::LMOTS_Signature::C(), Botan::LMOTS_Params::create_or_throw(), store_be(), and Botan::LMOTS_Signature::y().

◆ load_3()

uint32_t Botan::load_3 ( const uint8_t in[3])
inline

Definition at line 18 of file ed25519_internal.h.

18 {
19 return static_cast<uint32_t>(in[0]) | (static_cast<uint32_t>(in[1]) << 8) | (static_cast<uint32_t>(in[2]) << 16);
20}

Referenced by Botan::Ed25519_FieldElement::deserialize(), sc_muladd(), and sc_reduce().

◆ load_4()

uint32_t Botan::load_4 ( const uint8_t * in)
inline

Definition at line 22 of file ed25519_internal.h.

22 {
23 return load_le<uint32_t>(in, 0);
24}

References load_le().

Referenced by Botan::Ed25519_FieldElement::deserialize(), sc_muladd(), and sc_reduce().

◆ load_be()

template<typename OutT = detail::AutoDetect, typename... ParamTs>
auto Botan::load_be ( ParamTs &&... params)
inlineconstexpr

Load "something" in big endian byte order See the documentation of this file for more details.

Definition at line 504 of file loadstor.h.

504 {
505 return detail::load_any<std::endian::big, OutT>(std::forward<ParamTs>(params)...);
506}
constexpr WrappedOutT load_any(InR &&in_range)
Definition loadstor.h:278

References Botan::detail::load_any().

Referenced by Botan::TLS::Datagram_Handshake_IO::add_record(), base58_check_decode(), bytes_to_words(), camellia_gfni_decrypt12(), camellia_gfni_decrypt9(), camellia_gfni_encrypt12(), camellia_gfni_encrypt9(), check_passhash9(), Botan::SHA_256::compress_digest(), Botan::SHA_512::compress_digest(), Botan::SHA_1::compress_n(), Botan::SM3::compress_n(), Botan::Whirlpool::compress_n(), Botan::AlternativeName::decode_from(), Botan::GeneralName::decode_from(), Botan::TLS::Session::decrypt(), Botan::CryptoBox::decrypt_bin(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(), Botan::HSS_LMS_PublicKeyInternal::from_bytes_or_throw(), Botan::HSS_Signature::from_bytes_or_throw(), Botan::LMOTS_Signature::from_bytes_or_throw(), Botan::LMS_PublicKey::from_bytes_or_throw(), Botan::LMS_Signature::from_bytes_or_throw(), Botan::HOTP::generate_hotp(), Botan::TLS::TLS_Data_Reader::get_elem(), Botan::SIMD_4x32::load_be(), nist_key_unwrap(), nist_key_unwrap_padded(), Botan::TLS::Server_Hello_12::random_signals_downgrade(), Botan::TLS::Server_Hello_13::random_signals_downgrade(), Botan::CTR_BE::seek(), Botan::TLS::Session::Session(), ucs2_to_utf8(), and ucs4_to_utf8().

◆ load_le()

template<typename OutT = detail::AutoDetect, typename... ParamTs>
auto Botan::load_le ( ParamTs &&... params)
inlineconstexpr

Load "something" in little endian byte order See the documentation of this file for more details.

Definition at line 495 of file loadstor.h.

495 {
496 return detail::load_any<std::endian::little, OutT>(std::forward<ParamTs>(params)...);
497}

References Botan::detail::load_any().

Referenced by Botan::Keccak_Permutation::absorb(), Botan::BlindedScalarBits< C, WindowBits+1 >::BlindedScalarBits(), Botan::Gf448Elem::bytes_are_canonical_representation(), Botan::MD4::compress_n(), Botan::MD5::compress_n(), Botan::RIPEMD_160::compress_n(), Botan::Classic_McEliece_Field_Ordering::create_field_ordering(), Botan::Sodium::crypto_core_hsalsa20(), Botan::GOST_28147_89::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::FrodoMatrix::deserialize(), ed25519_verify(), Botan::GOST_28147_89::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::Dilithium_Algos::expand_A(), Botan::Classic_McEliece_Minimal_Polynomial::from_bytes(), Botan::Gf448Elem::Gf448Elem(), load_4(), Botan::SIMD_4x32::load_le(), Botan::Kyber_Algos::load_le3(), Botan::FrodoMatrix::mul_add_as_plus_e(), Botan::FrodoMatrix::mul_add_sa_plus_e(), random_prime(), Botan::FrodoMatrix::sample(), Botan::Dilithium_Algos::sample_in_ball(), Botan::ChaCha::seek(), Botan::Salsa20::seek(), Botan::Salsa20::set_iv_bytes(), Botan::Threefish_512::set_tweak(), Botan::Sodium::sodium_free(), Botan::bitvector_base< secure_allocator >::subvector(), Botan::CRYSTALS::unpack(), and xts_update_tweak_block().

◆ load_private_key()

std::unique_ptr< Private_Key > Botan::load_private_key ( const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > key_bits )

Definition at line 283 of file pk_algs.cpp.

284 {
285 const std::string oid_str = alg_id.oid().to_formatted_string();
286 const std::vector<std::string> alg_info = split_on(oid_str, '/');
287 std::string_view alg_name = alg_info[0];
288
289#if defined(BOTAN_HAS_RSA)
290 if(alg_name == "RSA") {
291 return std::make_unique<RSA_PrivateKey>(alg_id, key_bits);
292 }
293#endif
294
295#if defined(BOTAN_HAS_X25519)
296 if(alg_name == "X25519" || alg_name == "Curve25519") {
297 return std::make_unique<X25519_PrivateKey>(alg_id, key_bits);
298 }
299#endif
300
301#if defined(BOTAN_HAS_X448)
302 if(alg_name == "X448") {
303 return std::make_unique<X448_PrivateKey>(alg_id, key_bits);
304 }
305#endif
306
307#if defined(BOTAN_HAS_ECDSA)
308 if(alg_name == "ECDSA") {
309 return std::make_unique<ECDSA_PrivateKey>(alg_id, key_bits);
310 }
311#endif
312
313#if defined(BOTAN_HAS_ECDH)
314 if(alg_name == "ECDH") {
315 return std::make_unique<ECDH_PrivateKey>(alg_id, key_bits);
316 }
317#endif
318
319#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
320 if(alg_name == "DH") {
321 return std::make_unique<DH_PrivateKey>(alg_id, key_bits);
322 }
323#endif
324
325#if defined(BOTAN_HAS_DSA)
326 if(alg_name == "DSA") {
327 return std::make_unique<DSA_PrivateKey>(alg_id, key_bits);
328 }
329#endif
330
331#if defined(BOTAN_HAS_FRODOKEM)
332 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
333 return std::make_unique<FrodoKEM_PrivateKey>(alg_id, key_bits);
334 }
335#endif
336
337#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
338 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
339 return std::make_unique<Kyber_PrivateKey>(alg_id, key_bits);
340 }
341#endif
342
343#if defined(BOTAN_HAS_ML_KEM)
344 if(alg_name.starts_with("ML-KEM-")) {
345 return std::make_unique<ML_KEM_PrivateKey>(alg_id, key_bits);
346 }
347#endif
348
349#if defined(BOTAN_HAS_MCELIECE)
350 if(alg_name == "McEliece") {
351 return std::make_unique<McEliece_PrivateKey>(key_bits);
352 }
353#endif
354
355#if defined(BOTAN_HAS_ECGDSA)
356 if(alg_name == "ECGDSA") {
357 return std::make_unique<ECGDSA_PrivateKey>(alg_id, key_bits);
358 }
359#endif
360
361#if defined(BOTAN_HAS_ECKCDSA)
362 if(alg_name == "ECKCDSA") {
363 return std::make_unique<ECKCDSA_PrivateKey>(alg_id, key_bits);
364 }
365#endif
366
367#if defined(BOTAN_HAS_ED25519)
368 if(alg_name == "Ed25519") {
369 return std::make_unique<Ed25519_PrivateKey>(alg_id, key_bits);
370 }
371#endif
372
373#if defined(BOTAN_HAS_ED448)
374 if(alg_name == "Ed448") {
375 return std::make_unique<Ed448_PrivateKey>(alg_id, key_bits);
376 }
377#endif
378
379#if defined(BOTAN_HAS_GOST_34_10_2001)
380 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
381 return std::make_unique<GOST_3410_PrivateKey>(alg_id, key_bits);
382 }
383#endif
384
385#if defined(BOTAN_HAS_SM2)
386 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
387 return std::make_unique<SM2_PrivateKey>(alg_id, key_bits);
388 }
389#endif
390
391#if defined(BOTAN_HAS_ELGAMAL)
392 if(alg_name == "ElGamal") {
393 return std::make_unique<ElGamal_PrivateKey>(alg_id, key_bits);
394 }
395#endif
396
397#if defined(BOTAN_HAS_XMSS_RFC8391)
398 if(alg_name == "XMSS") {
399 return std::make_unique<XMSS_PrivateKey>(key_bits);
400 }
401#endif
402
403#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
404 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
405 return std::make_unique<Dilithium_PrivateKey>(alg_id, key_bits);
406 }
407#endif
408
409#if defined(BOTAN_HAS_ML_DSA)
410 if(alg_name.starts_with("ML-DSA-")) {
411 return std::make_unique<ML_DSA_PrivateKey>(alg_id, key_bits);
412 }
413#endif
414
415#if defined(BOTAN_HAS_HSS_LMS)
416 if(alg_name == "HSS-LMS-Private-Key") {
417 return std::make_unique<HSS_LMS_PrivateKey>(key_bits);
418 }
419#endif
420
421#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
422 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
423 return std::make_unique<SphincsPlus_PrivateKey>(alg_id, key_bits);
424 }
425#endif
426
427#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
428 if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) {
429 return std::make_unique<SLH_DSA_PrivateKey>(alg_id, key_bits);
430 }
431#endif
432
433#if defined(BOTAN_HAS_CLASSICMCELIECE)
434 if(alg_name.starts_with("ClassicMcEliece")) {
435 return std::make_unique<Classic_McEliece_PrivateKey>(alg_id, key_bits);
436 }
437#endif
438
439 throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
440}
const OID & oid() const
Definition asn1_obj.h:479
std::string to_formatted_string() const
Definition asn1_oid.cpp:139

References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().

◆ load_public_key()

std::unique_ptr< Public_Key > Botan::load_public_key ( const AlgorithmIdentifier & alg_id,
std::span< const uint8_t > key_bits )

Definition at line 124 of file pk_algs.cpp.

125 {
126 const std::string oid_str = alg_id.oid().to_formatted_string();
127 const std::vector<std::string> alg_info = split_on(oid_str, '/');
128 std::string_view alg_name = alg_info[0];
129
130#if defined(BOTAN_HAS_RSA)
131 if(alg_name == "RSA") {
132 return std::make_unique<RSA_PublicKey>(alg_id, key_bits);
133 }
134#endif
135
136#if defined(BOTAN_HAS_X25519)
137 if(alg_name == "X25519" || alg_name == "Curve25519") {
138 return std::make_unique<X25519_PublicKey>(alg_id, key_bits);
139 }
140#endif
141
142#if defined(BOTAN_HAS_X448)
143 if(alg_name == "X448") {
144 return std::make_unique<X448_PublicKey>(alg_id, key_bits);
145 }
146#endif
147
148#if defined(BOTAN_HAS_MCELIECE)
149 if(alg_name == "McEliece") {
150 return std::make_unique<McEliece_PublicKey>(key_bits);
151 }
152#endif
153
154#if defined(BOTAN_HAS_FRODOKEM)
155 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
156 return std::make_unique<FrodoKEM_PublicKey>(alg_id, key_bits);
157 }
158#endif
159
160#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
161 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
162 return std::make_unique<Kyber_PublicKey>(alg_id, key_bits);
163 }
164#endif
165
166#if defined(BOTAN_HAS_ML_KEM)
167 if(alg_name.starts_with("ML-KEM-")) {
168 return std::make_unique<ML_KEM_PublicKey>(alg_id, key_bits);
169 }
170#endif
171
172#if defined(BOTAN_HAS_ECDSA)
173 if(alg_name == "ECDSA") {
174 return std::make_unique<ECDSA_PublicKey>(alg_id, key_bits);
175 }
176#endif
177
178#if defined(BOTAN_HAS_ECDH)
179 if(alg_name == "ECDH") {
180 return std::make_unique<ECDH_PublicKey>(alg_id, key_bits);
181 }
182#endif
183
184#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
185 if(alg_name == "DH") {
186 return std::make_unique<DH_PublicKey>(alg_id, key_bits);
187 }
188#endif
189
190#if defined(BOTAN_HAS_DSA)
191 if(alg_name == "DSA") {
192 return std::make_unique<DSA_PublicKey>(alg_id, key_bits);
193 }
194#endif
195
196#if defined(BOTAN_HAS_ELGAMAL)
197 if(alg_name == "ElGamal") {
198 return std::make_unique<ElGamal_PublicKey>(alg_id, key_bits);
199 }
200#endif
201
202#if defined(BOTAN_HAS_ECGDSA)
203 if(alg_name == "ECGDSA") {
204 return std::make_unique<ECGDSA_PublicKey>(alg_id, key_bits);
205 }
206#endif
207
208#if defined(BOTAN_HAS_ECKCDSA)
209 if(alg_name == "ECKCDSA") {
210 return std::make_unique<ECKCDSA_PublicKey>(alg_id, key_bits);
211 }
212#endif
213
214#if defined(BOTAN_HAS_ED25519)
215 if(alg_name == "Ed25519") {
216 return std::make_unique<Ed25519_PublicKey>(alg_id, key_bits);
217 }
218#endif
219
220#if defined(BOTAN_HAS_ED448)
221 if(alg_name == "Ed448") {
222 return std::make_unique<Ed448_PublicKey>(alg_id, key_bits);
223 }
224#endif
225
226#if defined(BOTAN_HAS_GOST_34_10_2001)
227 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
228 return std::make_unique<GOST_3410_PublicKey>(alg_id, key_bits);
229 }
230#endif
231
232#if defined(BOTAN_HAS_SM2)
233 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
234 return std::make_unique<SM2_PublicKey>(alg_id, key_bits);
235 }
236#endif
237
238#if defined(BOTAN_HAS_XMSS_RFC8391)
239 if(alg_name == "XMSS") {
240 return std::make_unique<XMSS_PublicKey>(key_bits);
241 }
242#endif
243
244#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
245 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
246 return std::make_unique<Dilithium_PublicKey>(alg_id, key_bits);
247 }
248#endif
249
250#if defined(BOTAN_HAS_ML_DSA)
251 if(alg_name.starts_with("ML-DSA-")) {
252 return std::make_unique<ML_DSA_PublicKey>(alg_id, key_bits);
253 }
254#endif
255
256#if defined(BOTAN_HAS_HSS_LMS)
257 if(alg_name == "HSS-LMS") {
258 return std::make_unique<HSS_LMS_PublicKey>(key_bits);
259 }
260#endif
261
262#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
263 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
264 return std::make_unique<SphincsPlus_PublicKey>(alg_id, key_bits);
265 }
266#endif
267
268#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
269 if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) {
270 return std::make_unique<SLH_DSA_PublicKey>(alg_id, key_bits);
271 }
272#endif
273
274#if defined(BOTAN_HAS_CLASSICMCELIECE)
275 if(alg_name.starts_with("ClassicMcEliece")) {
276 return std::make_unique<Classic_McEliece_PublicKey>(alg_id, key_bits);
277 }
278#endif
279
280 throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
281}

References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().

Referenced by Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), and Botan::X509::load_key().

◆ lock()

◆ low_zero_bits()

size_t Botan::low_zero_bits ( const BigInt & x)
Parameters
xan integer
Returns
count of the low zero bits in x, or, equivalently, the largest value of n such that 2^n divides x evenly. Returns zero if x is equal to zero.

Definition at line 167 of file numthry.cpp.

167 {
168 size_t low_zero = 0;
169
170 auto seen_nonempty_word = CT::Mask<word>::cleared();
171
172 for(size_t i = 0; i != n.size(); ++i) {
173 const word x = n.word_at(i);
174
175 // ctz(0) will return sizeof(word)
176 const size_t tz_x = ctz(x);
177
178 // if x > 0 we want to count tz_x in total but not any
179 // further words, so set the mask after the addition
180 low_zero += seen_nonempty_word.if_not_set_return(tz_x);
181
182 seen_nonempty_word |= CT::Mask<word>::expand(x);
183 }
184
185 // if we saw no words with x > 0 then n == 0 and the value we have
186 // computed is meaningless. Instead return BigInt::zero() in that case.
187 return static_cast<size_t>(seen_nonempty_word.if_set_return(low_zero));
188}
static constexpr Mask< T > cleared()
Definition ct_utils.h:415
BOTAN_FORCE_INLINE constexpr size_t ctz(T n)
Definition bit_ops.h:96

References Botan::CT::Mask< T >::cleared(), ctz(), Botan::CT::Mask< T >::expand(), Botan::BigInt::size(), and Botan::BigInt::word_at().

Referenced by inverse_mod_general(), jacobi(), passes_miller_rabin_test(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and sqrt_modulo_prime().

◆ majority()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::majority ( T a,
T b,
T c )
constexpr

Definition at line 202 of file bit_ops.h.

202 {
203 /*
204 Considering each bit of a, b, c individually
205
206 If a xor b is set, then c is the deciding vote.
207
208 If a xor b is not set then either a and b are both set or both unset.
209 In either case the value of c doesn't matter, and examining b (or a)
210 allows us to determine which case we are in.
211 */
212 return choose(a ^ b, c, b);
213}
BOTAN_FORCE_INLINE constexpr T choose(T mask, T a, T b)
Definition bit_ops.h:196

References BOTAN_FORCE_INLINE, and choose().

Referenced by Botan::SHA1_F::F3(), SHA2_32_F(), SHA2_32_F(), SHA2_64_F(), and SHA2_64_F().

◆ make_commoncrypto_block_cipher()

std::unique_ptr< BlockCipher > Botan::make_commoncrypto_block_cipher ( std::string_view name)

Definition at line 133 of file commoncrypto_block.cpp.

133 {
134 try {
136 return std::make_unique<CommonCrypto_BlockCipher>(name, opts);
137 } catch(CommonCrypto_Error& e) {
138 return nullptr;
139 }
140}

References commoncrypto_opts_from_algo_name(), and make_commoncrypto_block_cipher().

Referenced by Botan::BlockCipher::create(), and make_commoncrypto_block_cipher().

◆ make_commoncrypto_cipher_mode()

std::unique_ptr< Cipher_Mode > Botan::make_commoncrypto_cipher_mode ( std::string_view name,
Cipher_Dir direction )

Definition at line 214 of file commoncrypto_mode.cpp.

214 {
215 try {
217 return std::make_unique<CommonCrypto_Cipher_Mode>(name, direction, opts);
218 } catch(CommonCrypto_Error& e) {
219 return nullptr;
220 }
221}
CommonCryptor_Opts commoncrypto_opts_from_algo(std::string_view algo)

References commoncrypto_opts_from_algo(), and make_commoncrypto_cipher_mode().

Referenced by Botan::Cipher_Mode::create(), and make_commoncrypto_cipher_mode().

◆ make_commoncrypto_hash()

std::unique_ptr< HashFunction > Botan::make_commoncrypto_hash ( std::string_view name)

Definition at line 80 of file commoncrypto_hash.cpp.

80 {
81#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx) \
82 std::unique_ptr<HashFunction>(new CommonCrypto_HashFunction<CC_##ctx##_CTX>({std::string(name), \
83 CC_##hash##_DIGEST_LENGTH, \
84 CC_##hash##_BLOCK_BYTES, \
85 CC_##hash##_Init, \
86 CC_##hash##_Update, \
87 CC_##hash##_Final}));
88
89#define MAKE_COMMONCRYPTO_HASH_2(name, id) MAKE_COMMONCRYPTO_HASH_3(name, id, id)
90
91#define MAKE_COMMONCRYPTO_HASH_1(id) MAKE_COMMONCRYPTO_HASH_2(#id, id)
92
93#if defined(BOTAN_HAS_SHA2_32)
94 if(name == "SHA-224")
95 return MAKE_COMMONCRYPTO_HASH_3(name, SHA224, SHA256);
96 if(name == "SHA-256")
97 return MAKE_COMMONCRYPTO_HASH_2(name, SHA256);
98#endif
99#if defined(BOTAN_HAS_SHA2_64)
100 if(name == "SHA-384")
101 return MAKE_COMMONCRYPTO_HASH_3(name, SHA384, SHA512);
102 if(name == "SHA-512")
103 return MAKE_COMMONCRYPTO_HASH_2(name, SHA512);
104#endif
105
106#if defined(BOTAN_HAS_SHA1)
107 if(name == "SHA-1")
108 return MAKE_COMMONCRYPTO_HASH_2(name, SHA1);
109#endif
110
111 return nullptr;
112}
#define MAKE_COMMONCRYPTO_HASH_2(name, id)
#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx)

References MAKE_COMMONCRYPTO_HASH_2, and MAKE_COMMONCRYPTO_HASH_3.

Referenced by Botan::HashFunction::create().

◆ make_compressor()

Compression_Algorithm * Botan::make_compressor ( std::string_view type)
inline

Definition at line 154 of file compression.h.

154 {
155 return Compression_Algorithm::create(type).release();
156}
static std::unique_ptr< Compression_Algorithm > create(std::string_view algo_spec)

References Botan::Compression_Algorithm::create(), and make_compressor().

Referenced by make_compressor().

◆ make_decompressor()

Decompression_Algorithm * Botan::make_decompressor ( std::string_view type)
inline

Definition at line 160 of file compression.h.

160 {
161 return Decompression_Algorithm::create(type).release();
162}
static std::unique_ptr< Decompression_Algorithm > create(std::string_view algo_spec)

References Botan::Decompression_Algorithm::create(), and make_decompressor().

Referenced by make_decompressor().

◆ make_uint16()

uint16_t Botan::make_uint16 ( uint8_t i0,
uint8_t i1 )
inlineconstexpr

◆ make_uint32()

uint32_t Botan::make_uint32 ( uint8_t i0,
uint8_t i1,
uint8_t i2,
uint8_t i3 )
inlineconstexpr

Make a uint32_t from four bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
Returns
i0 || i1 || i2 || i3

Definition at line 104 of file loadstor.h.

104 {
105 return ((static_cast<uint32_t>(i0) << 24) | (static_cast<uint32_t>(i1) << 16) | (static_cast<uint32_t>(i2) << 8) |
106 (static_cast<uint32_t>(i3)));
107}

Referenced by Botan::TLS::Certificate_12::Certificate_12(), Botan::TLS::Certificate_Status::Certificate_Status(), Botan::TLS::Stream_Handshake_IO::get_next_record(), Botan::TLS::TLS_Data_Reader::get_uint24_t(), Botan::TLS::TLS_Data_Reader::get_uint32_t(), and Botan::SIMD_4x32::splat_u8().

◆ make_uint64()

uint64_t Botan::make_uint64 ( uint8_t i0,
uint8_t i1,
uint8_t i2,
uint8_t i3,
uint8_t i4,
uint8_t i5,
uint8_t i6,
uint8_t i7 )
inlineconstexpr

Make a uint64_t from eight bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
i4the fifth byte
i5the sixth byte
i6the seventh byte
i7the eighth byte
Returns
i0 || i1 || i2 || i3 || i4 || i5 || i6 || i7

Definition at line 121 of file loadstor.h.

122 {
123 return ((static_cast<uint64_t>(i0) << 56) | (static_cast<uint64_t>(i1) << 48) | (static_cast<uint64_t>(i2) << 40) |
124 (static_cast<uint64_t>(i3) << 32) | (static_cast<uint64_t>(i4) << 24) | (static_cast<uint64_t>(i5) << 16) |
125 (static_cast<uint64_t>(i6) << 8) | (static_cast<uint64_t>(i7)));
126}

◆ map_remove_if()

template<typename T, typename Pred>
void Botan::map_remove_if ( Pred pred,
T & assoc )

Definition at line 62 of file stl_util.h.

62 {
63 auto i = assoc.begin();
64 while(i != assoc.end()) {
65 if(pred(i->first)) {
66 assoc.erase(i++);
67 } else {
68 i++;
69 }
70 }
71}

Referenced by Botan::TLS::Channel_Impl_12::activate_session().

◆ map_to_curve_sswu()

template<typename C>
auto Botan::map_to_curve_sswu ( const typename C::FieldElement & u) -> typename C::AffinePoint
inline

Map to curve (SSWU)

See RFC 9380 ("Hashing to Elliptic Curves") section 6.6.2

Definition at line 1683 of file pcurves_impl.h.

1683 {
1684 CT::poison(u);
1685 const auto z_u2 = C::SSWU_Z * u.square(); // z * u^2
1686 const auto z2_u4 = z_u2.square();
1687 const auto tv1 = invert_field_element<C>(z2_u4 + z_u2);
1688 auto x1 = SSWU_C1<C>() * (C::FieldElement::one() + tv1);
1689 x1.conditional_assign(tv1.is_zero(), SSWU_C2<C>());
1690 const auto x2 = z_u2 * x1;
1691
1692 // By design one of gx1 and gx2 must be a quadratic residue
1695
1696 const auto use_y1 = y1.has_value();
1697
1698 auto x = C::FieldElement::choose(use_y1, x1, x2);
1699 auto y = C::FieldElement::choose(use_y1, y1.value_or(C::FieldElement::zero()), y2.value_or(C::FieldElement::zero()));
1700
1701 auto pt = typename C::AffinePoint(x, y.correct_sign(u.is_even()));
1702
1703 CT::unpoison(pt);
1704 return pt;
1705}
constexpr Choice has_value() const
Return true if this Option contains a value.
Definition ct_utils.h:692
constexpr T value_or(T other) const
Definition ct_utils.h:716
constexpr CT::Option< typename C::FieldElement > sqrt_field_element(const typename C::FieldElement &fe)
const auto & SSWU_C1()
constexpr auto invert_field_element(const typename C::FieldElement &fe)
const auto & SSWU_C2()

References Botan::CT::Option< T >::has_value(), invert_field_element(), Botan::CT::poison(), sqrt_field_element(), SSWU_C1(), SSWU_C2(), Botan::CT::unpoison(), and Botan::CT::Option< T >::value_or().

Referenced by hash_to_curve_sswu().

◆ mceliece_decrypt() [1/3]

secure_vector< uint8_t > Botan::mceliece_decrypt ( secure_vector< gf2m > & error_pos,
const uint8_t * ciphertext,
size_t ciphertext_len,
const McEliece_PrivateKey & key )

p_err_pos_len must point to the available length of error_pos on input, the function will set it to the actual number of errors returned in the error_pos array

Definition at line 146 of file goppa_code.cpp.

149 {
150 const size_t dimension = key.get_dimension();
151 const size_t codimension = key.get_codimension();
152 const uint32_t t = key.get_goppa_polyn().get_degree();
153 polyn_gf2m syndrome_polyn(key.get_goppa_polyn().get_sp_field()); // init as zero polyn
154 const unsigned unused_pt_bits = dimension % 8;
155 const uint8_t unused_pt_bits_mask = (1 << unused_pt_bits) - 1;
156
157 if(ciphertext_len != (key.get_code_length() + 7) / 8) {
158 throw Invalid_Argument("wrong size of McEliece ciphertext");
159 }
160 const size_t cleartext_len = (key.get_message_word_bit_length() + 7) / 8;
161
162 if(cleartext_len != bit_size_to_byte_size(dimension)) {
163 throw Invalid_Argument("mce-decryption: wrong length of cleartext buffer");
164 }
165
166 secure_vector<uint32_t> syndrome_vec(bit_size_to_32bit_size(codimension));
167 matrix_arr_mul(key.get_H_coeffs(),
168 key.get_code_length(),
169 bit_size_to_32bit_size(codimension),
170 ciphertext,
171 syndrome_vec.data(),
172 syndrome_vec.size());
173
174 secure_vector<uint8_t> syndrome_byte_vec(bit_size_to_byte_size(codimension));
175 const size_t syndrome_byte_vec_size = syndrome_byte_vec.size();
176 for(size_t i = 0; i < syndrome_byte_vec_size; i++) {
177 syndrome_byte_vec[i] = static_cast<uint8_t>(syndrome_vec[i / 4] >> (8 * (i % 4)));
178 }
179
180 syndrome_polyn = polyn_gf2m(
181 t - 1, syndrome_byte_vec.data(), bit_size_to_byte_size(codimension), key.get_goppa_polyn().get_sp_field());
182
183 syndrome_polyn.get_degree();
184 error_pos = goppa_decode(syndrome_polyn, key.get_goppa_polyn(), key.get_sqrtmod(), key.get_Linv());
185
186 const size_t nb_err = error_pos.size();
187
188 secure_vector<uint8_t> cleartext(cleartext_len);
189 copy_mem(cleartext.data(), ciphertext, cleartext_len);
190
191 for(size_t i = 0; i < nb_err; i++) {
192 gf2m current = error_pos[i];
193
194 if(current >= cleartext_len * 8) {
195 // an invalid position, this shouldn't happen
196 continue;
197 }
198 cleartext[current / 8] ^= (1 << (current % 8));
199 }
200
201 if(unused_pt_bits > 0) {
202 cleartext[cleartext_len - 1] &= unused_pt_bits_mask;
203 }
204
205 return cleartext;
206}
const std::vector< polyn_gf2m > & get_sqrtmod() const
Definition mceliece.h:123
size_t get_codimension() const
Definition mceliece.h:127
size_t get_dimension() const
Definition mceliece.h:125
const polyn_gf2m & get_goppa_polyn() const
const std::vector< gf2m > & get_Linv() const
Definition mceliece.h:121
const std::vector< uint32_t > & get_H_coeffs() const
Definition mceliece.h:119
size_t get_message_word_bit_length() const
size_t get_code_length() const
Definition mceliece.h:52
int get_degree() const
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition polyn_gf2m.h:79
size_t bit_size_to_byte_size(size_t bit_size)

References bit_size_to_32bit_size(), bit_size_to_byte_size(), copy_mem(), Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PrivateKey::get_codimension(), Botan::polyn_gf2m::get_degree(), Botan::McEliece_PrivateKey::get_dimension(), Botan::McEliece_PrivateKey::get_goppa_polyn(), Botan::McEliece_PrivateKey::get_H_coeffs(), Botan::McEliece_PrivateKey::get_Linv(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::polyn_gf2m::get_sp_field(), and Botan::McEliece_PrivateKey::get_sqrtmod().

◆ mceliece_decrypt() [2/3]

void Botan::mceliece_decrypt ( secure_vector< uint8_t > & plaintext,
secure_vector< uint8_t > & error_mask,
const uint8_t ciphertext[],
size_t ciphertext_len,
const McEliece_PrivateKey & key )

Definition at line 122 of file goppa_code.cpp.

126 {
127 secure_vector<gf2m> error_pos;
128 plaintext = mceliece_decrypt(error_pos, ciphertext, ciphertext_len, key);
129
130 const size_t code_length = key.get_code_length();
131 secure_vector<uint8_t> result((code_length + 7) / 8);
132 for(auto&& pos : error_pos) {
133 if(pos > code_length) {
134 throw Invalid_Argument("error position larger than code size");
135 }
136 result[pos / 8] |= (1 << (pos % 8));
137 }
138
139 error_mask = result;
140}
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)

References Botan::McEliece_PublicKey::get_code_length(), and mceliece_decrypt().

◆ mceliece_decrypt() [3/3]

void Botan::mceliece_decrypt ( secure_vector< uint8_t > & plaintext_out,
secure_vector< uint8_t > & error_mask_out,
const secure_vector< uint8_t > & ciphertext,
const McEliece_PrivateKey & key )

Definition at line 115 of file goppa_code.cpp.

118 {
119 mceliece_decrypt(plaintext_out, error_mask_out, ciphertext.data(), ciphertext.size(), key);
120}

References mceliece_decrypt().

Referenced by Botan::McEliece_PrivateKey::check_key(), mceliece_decrypt(), and mceliece_decrypt().

◆ mceliece_encrypt()

void Botan::mceliece_encrypt ( secure_vector< uint8_t > & ciphertext_out,
secure_vector< uint8_t > & error_mask_out,
const secure_vector< uint8_t > & plaintext,
const McEliece_PublicKey & key,
RandomNumberGenerator & rng )

Definition at line 109 of file mceliece.cpp.

113 {
114 const uint16_t code_length = static_cast<uint16_t>(key.get_code_length());
115
116 secure_vector<uint8_t> error_mask = create_random_error_vector(code_length, key.get_t(), rng);
117
118 secure_vector<uint8_t> ciphertext =
119 mult_by_pubkey(plaintext, key.get_public_matrix(), key.get_code_length(), key.get_t());
120
121 ciphertext ^= error_mask;
122
123 ciphertext_out.swap(ciphertext);
124 error_mask_out.swap(error_mask);
125}
size_t get_t() const
Definition mceliece.h:50
const std::vector< uint8_t > & get_public_matrix() const
Definition mceliece.h:56

References Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PublicKey::get_public_matrix(), and Botan::McEliece_PublicKey::get_t().

Referenced by Botan::McEliece_PrivateKey::check_key().

◆ mceliece_work_factor()

size_t Botan::mceliece_work_factor ( size_t code_size,
size_t t )

Estimate work factor for McEliece

Returns
estimated security level for these key parameters

Definition at line 90 of file mce_workfactor.cpp.

90 {
91 const size_t k = n - ceil_log2(n) * t;
92
93 double min = cout_total(n, k, t, 0, 0); // correspond a p=1
94 for(size_t p = 0; p != t / 2; ++p) {
95 double lwf = best_wf(n, k + 1, t, p);
96 if(lwf < 0) {
97 break;
98 }
99
100 min = std::min(min, lwf);
101 }
102
103 return static_cast<size_t>(min);
104}

References ceil_log2().

Referenced by Botan::McEliece_PublicKey::estimated_strength().

◆ measure_cost()

template<typename F>
uint64_t Botan::measure_cost ( std::chrono::milliseconds trial_msec,
F func )

Definition at line 21 of file time_utils.h.

21 {
22#if defined(BOTAN_HAS_OS_UTILS)
23 const uint64_t trial_nsec = std::chrono::duration_cast<std::chrono::nanoseconds>(trial_msec).count();
24
25 uint64_t total_nsec = 0;
26 uint64_t trials = 0;
27
28 auto trial_start = OS::get_system_timestamp_ns();
29
30 for(;;) {
31 const auto start = OS::get_system_timestamp_ns();
32 func();
33 const auto end = OS::get_system_timestamp_ns();
34
35 if(end >= start) {
36 total_nsec += (end - start);
37 trials += 1;
38
39 if((end - trial_start) >= trial_nsec) {
40 return (total_nsec / trials);
41 }
42 }
43 }
44
45#else
46 BOTAN_UNUSED(trial_msec, func);
47 throw Not_Implemented("No system clock available");
48#endif
49}
uint64_t BOTAN_TEST_API get_system_timestamp_ns()
Definition os_utils.cpp:323

References BOTAN_UNUSED, and Botan::OS::get_system_timestamp_ns().

Referenced by Botan::Argon2_Family::tune(), Botan::Bcrypt_PBKDF_Family::tune(), Botan::RFC4880_S2K_Family::tune(), and Botan::Scrypt_Family::tune().

◆ mgf1_mask() [1/2]

void Botan::mgf1_mask ( HashFunction & hash,
const uint8_t in[],
size_t in_len,
uint8_t out[],
size_t out_len )

MGF1 from PKCS #1 v2.0

Parameters
hashhash function to use
ininput buffer
in_lensize of the input buffer in bytes
outoutput buffer. The buffer is XORed with the output of MGF1.
out_lensize of the output buffer in bytes

Definition at line 16 of file mgf1.cpp.

16 {
17 uint32_t counter = 0;
18
19 std::vector<uint8_t> buffer(hash.output_length());
20 while(out_len > 0) {
21 hash.update(in, in_len);
22 hash.update_be(counter);
23 hash.final(buffer.data());
24
25 const size_t xored = std::min<size_t>(buffer.size(), out_len);
26 xor_buf(out, buffer.data(), xored);
27 out += xored;
28 out_len -= xored;
29
30 ++counter;
31 }
32}
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:34
virtual size_t output_length() const =0
void update_be(uint16_t val)
Definition buf_comp.cpp:18
void final(uint8_t out[])
Definition buf_comp.h:69
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:342

References Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

Referenced by mgf1_mask().

◆ mgf1_mask() [2/2]

void Botan::mgf1_mask ( HashFunction & hash,
std::span< const uint8_t > input,
std::span< uint8_t > output )
inline

Definition at line 28 of file mgf1.h.

28 {
29 mgf1_mask(hash, input.data(), input.size(), output.data(), output.size());
30}
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition mgf1.cpp:16

References mgf1_mask().

◆ miller_rabin_test_iterations()

size_t Botan::miller_rabin_test_iterations ( size_t n_bits,
size_t prob,
bool random )

Return required number of Miller-Rabin tests in order to reach the specified probability of error.

Parameters
n_bitsthe bit-length of the integer being tested
probchance of false positive is bounded by 1/2**prob
randomis set if (and only if) the integer was randomly generated by us and thus cannot have been maliciously constructed.

Definition at line 176 of file primality.cpp.

176 {
177 const size_t base = (prob + 2) / 2; // worst case 4^-t error rate
178
179 /*
180 * If the candidate prime was maliciously constructed, we can't rely
181 * on arguments based on p being random.
182 */
183 if(!random) {
184 return base;
185 }
186
187 /*
188 * For randomly chosen numbers we can use the estimates from
189 * http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf
190 *
191 * These values are derived from the inequality for p(k,t) given on
192 * the second page.
193 */
194 if(prob <= 128) {
195 if(n_bits >= 1536) {
196 return 4; // < 2^-133
197 }
198 if(n_bits >= 1024) {
199 return 6; // < 2^-133
200 }
201 if(n_bits >= 512) {
202 return 12; // < 2^-129
203 }
204 if(n_bits >= 256) {
205 return 29; // < 2^-128
206 }
207 }
208
209 /*
210 If the user desires a smaller error probability than we have
211 precomputed error estimates for, just fall back to using the worst
212 case error rate.
213 */
214 return base;
215}

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

◆ modular_inverse()

template<std::integral T, std::integral T2 = next_longer_int_t<T>>
requires (sizeof(T) <= 4)
T Botan::modular_inverse ( T q,
T2 m = T2(1) << sizeof(T) * 8 )
consteval

Calculate the modular multiplacative inverse of q modulo m. By default, this assumes m to be 2^bitlength of T for application in a Montgomery reduction.

Definition at line 97 of file pqcrystals_helpers.h.

97 {
98 return static_cast<T>(extended_euclidean_algorithm<T2>(q, m).u);
99}
consteval eea_result< T > extended_euclidean_algorithm(T a, T b)

References extended_euclidean_algorithm().

◆ montgomery_R()

template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
T Botan::montgomery_R ( T q)
consteval

Definition at line 44 of file pqcrystals_helpers.h.

44 {
45 using T_unsigned = std::make_unsigned_t<T>;
47 return (T2(1) << (sizeof(T) * 8)) % q;
48}
std::conditional_t< sizeof(T)==1, uint16_t, std::conditional_t< sizeof(T)==2, uint32_t, std::conditional_t< sizeof(T)==4, uint64_t, void > > > next_longer_uint_t

Referenced by montgomery_R2().

◆ montgomery_R2()

template<std::integral T>
requires (size_t(sizeof(T)) <= 4)
T Botan::montgomery_R2 ( T q)
consteval

Definition at line 52 of file pqcrystals_helpers.h.

52 {
53 using T2 = next_longer_int_t<T>;
54 return (static_cast<T2>(montgomery_R(q)) * static_cast<T2>(montgomery_R(q))) % q;
55}
std::conditional_t< sizeof(T)==1, int16_t, std::conditional_t< sizeof(T)==2, int32_t, std::conditional_t< sizeof(T)==4, int64_t, void > > > next_longer_int_t
consteval T montgomery_R(T q)

References montgomery_R().

◆ monty_execute()

Montgomery_Int Botan::monty_execute ( const Montgomery_Exponentation_State & precomputed_state,
const BigInt & k,
size_t max_k_bits )

Definition at line 151 of file monty_exp.cpp.

153 {
154 return precomputed_state.exponentiation(k, max_k_bits);
155}

References monty_execute().

Referenced by monty_execute(), monty_exp(), and passes_miller_rabin_test().

◆ monty_execute_vartime()

Montgomery_Int Botan::monty_execute_vartime ( const Montgomery_Exponentation_State & precomputed_state,
const BigInt & k )

Definition at line 157 of file monty_exp.cpp.

157 {
158 return precomputed_state.exponentiation_vartime(k);
159}

References monty_execute_vartime().

Referenced by monty_execute_vartime(), and monty_exp_vartime().

◆ monty_exp()

Montgomery_Int Botan::monty_exp ( const Montgomery_Params & params_p,
const BigInt & g,
const BigInt & k,
size_t max_k_bits )
inline

Definition at line 47 of file monty_exp.h.

50 {
51 auto precomputed = monty_precompute(params_p, g, 4, true);
52 return monty_execute(*precomputed, k, max_k_bits);
53}
Montgomery_Int monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)

References monty_execute(), and monty_precompute().

Referenced by power_mod().

◆ monty_exp_vartime()

Montgomery_Int Botan::monty_exp_vartime ( const Montgomery_Params & params_p,
const BigInt & g,
const BigInt & k )
inline

Definition at line 55 of file monty_exp.h.

55 {
56 auto precomputed = monty_precompute(params_p, g, 4, false);
57 return monty_execute_vartime(*precomputed, k);
58}
Montgomery_Int monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)

References monty_execute_vartime(), and monty_precompute().

Referenced by sqrt_modulo_prime().

◆ monty_inverse()

template<WordType W>
auto Botan::monty_inverse ( W a) -> W
inlineconstexpr

Definition at line 585 of file mp_core.h.

585 {
586 BOTAN_ARG_CHECK(a % 2 == 1, "Cannot compute Montgomery inverse of an even integer");
587
588 /*
589 * From "A New Algorithm for Inversion mod p^k" by Çetin Kaya Koç
590 * https://eprint.iacr.org/2017/411.pdf sections 5 and 7.
591 */
592
593 W b = 1;
594 W r = 0;
595
596 for(size_t i = 0; i != WordInfo<W>::bits; ++i) {
597 const W bi = b % 2;
598 r >>= 1;
599 r += bi << (WordInfo<W>::bits - 1);
600
601 b -= a * bi;
602 b >>= 1;
603 }
604
605 // Now invert in addition space
606 r = (WordInfo<W>::max - r) + 1;
607
608 return r;
609}

References BOTAN_ARG_CHECK.

◆ monty_multi_exp()

Montgomery_Int Botan::monty_multi_exp ( const Montgomery_Params & params_p,
const BigInt & x,
const BigInt & z1,
const BigInt & y,
const BigInt & z2 )

Return (x^z1 * y^z2) % p

Definition at line 161 of file monty_exp.cpp.

162 {
163 if(z1.is_negative() || z2.is_negative()) {
164 throw Invalid_Argument("multi_exponentiate exponents must be positive");
165 }
166
167 const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
168
169 secure_vector<word> ws(2 * params_p.p_words());
170
171 const Montgomery_Int one = Montgomery_Int::one(params_p);
172
173 const Montgomery_Int x1(params_p, x_bn);
174 const Montgomery_Int x2 = x1.square(ws);
175 const Montgomery_Int x3 = x2.mul(x1, ws);
176
177 const Montgomery_Int y1(params_p, y_bn);
178 const Montgomery_Int y2 = y1.square(ws);
179 const Montgomery_Int y3 = y2.mul(y1, ws);
180
181 const Montgomery_Int y1x1 = y1.mul(x1, ws);
182 const Montgomery_Int y1x2 = y1.mul(x2, ws);
183 const Montgomery_Int y1x3 = y1.mul(x3, ws);
184
185 const Montgomery_Int y2x1 = y2.mul(x1, ws);
186 const Montgomery_Int y2x2 = y2.mul(x2, ws);
187 const Montgomery_Int y2x3 = y2.mul(x3, ws);
188
189 const Montgomery_Int y3x1 = y3.mul(x1, ws);
190 const Montgomery_Int y3x2 = y3.mul(x2, ws);
191 const Montgomery_Int y3x3 = y3.mul(x3, ws);
192
193 const Montgomery_Int* M[16] = {&one,
194 &x1, // 0001
195 &x2, // 0010
196 &x3, // 0011
197 &y1, // 0100
198 &y1x1,
199 &y1x2,
200 &y1x3,
201 &y2, // 1000
202 &y2x1,
203 &y2x2,
204 &y2x3,
205 &y3, // 1100
206 &y3x1,
207 &y3x2,
208 &y3x3};
209
210 Montgomery_Int H = one;
211
212 for(size_t i = 0; i != z_bits; i += 2) {
213 if(i > 0) {
214 H.square_this_n_times(ws, 2);
215 }
216
217 const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
218 const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
219
220 const uint32_t z12 = (4 * z2_b) + z1_b;
221
222 if(z12 > 0) {
223 H.mul_by(*M[z12], ws);
224 }
225 }
226
227 return H;
228}
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:243
static Montgomery_Int one(const Montgomery_Params &params)
Definition monty.cpp:203
size_t p_words() const
Definition monty.h:51
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:26

References Botan::BigInt::bits(), Botan::BigInt::get_substring(), Botan::BigInt::is_negative(), monty_multi_exp(), Botan::Montgomery_Int::mul(), Botan::Montgomery_Int::mul_by(), Botan::Montgomery_Int::one(), Botan::Montgomery_Params::p_words(), round_up(), Botan::Montgomery_Int::square(), and Botan::Montgomery_Int::square_this_n_times().

Referenced by monty_multi_exp(), and Botan::DL_Group::multi_exponentiate().

◆ monty_precompute() [1/2]

std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute ( const Montgomery_Int & g,
size_t window_bits,
bool const_time )

Definition at line 136 of file monty_exp.cpp.

138 {
139 return std::make_shared<const Montgomery_Exponentation_State>(g, window_bits, const_time);
140}

References monty_precompute().

Referenced by monty_exp(), monty_exp_vartime(), monty_precompute(), monty_precompute(), and passes_miller_rabin_test().

◆ monty_precompute() [2/2]

std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute ( const Montgomery_Params & params,
const BigInt & g,
size_t window_bits,
bool const_time )

Definition at line 142 of file monty_exp.cpp.

145 {
146 BOTAN_ARG_CHECK(g < params.p(), "Montgomery base too big");
147 Montgomery_Int monty_g(params, g);
148 return monty_precompute(monty_g, window_bits, const_time);
149}
const BigInt & p() const
Definition monty.h:41

References BOTAN_ARG_CHECK, monty_precompute(), and Botan::Montgomery_Params::p().

◆ monty_redc()

template<WordType W, size_t N>
auto Botan::monty_redc ( const std::array< W, 2 *N > & z,
const std::array< W, N > & p,
W p_dash ) -> std::array<W, N>
inlineconstexpr

Definition at line 109 of file pcurves_util.h.

110 {
111 static_assert(N >= 1);
112
113 std::array<W, N> ws; // NOLINT(*-member-init)
114 std::array<W, N> r; // NOLINT(*-member-init)
115
116 // Conditional ok: the parameter size is public
117 if(!std::is_constant_evaluated()) {
118 // This range ensures we cover fields of 256, 384 and 512 bits for both 32 and 64 bit words
119 if constexpr(N == 4) {
120 bigint_monty_redc_4(r.data(), z.data(), p.data(), p_dash, ws.data());
121 return r;
122 } else if constexpr(N == 6) {
123 bigint_monty_redc_6(r.data(), z.data(), p.data(), p_dash, ws.data());
124 return r;
125 } else if constexpr(N == 8) {
126 bigint_monty_redc_8(r.data(), z.data(), p.data(), p_dash, ws.data());
127 return r;
128 } else if constexpr(N == 12) {
129 bigint_monty_redc_12(r.data(), z.data(), p.data(), p_dash, ws.data());
130 return r;
131 } else if constexpr(N == 16) {
132 bigint_monty_redc_16(r.data(), z.data(), p.data(), p_dash, ws.data());
133 return r;
134 }
135 }
136
137 word3<W> accum;
138
139 accum.add(z[0]);
140
141 ws[0] = accum.monty_step(p[0], p_dash);
142
143 for(size_t i = 1; i != N; ++i) {
144 for(size_t j = 0; j < i; ++j) {
145 accum.mul(ws[j], p[i - j]);
146 }
147
148 accum.add(z[i]);
149
150 ws[i] = accum.monty_step(p[0], p_dash);
151 }
152
153 for(size_t i = 0; i != N - 1; ++i) {
154 for(size_t j = i + 1; j != N; ++j) {
155 accum.mul(ws[j], p[N + i - j]);
156 }
157
158 accum.add(z[N + i]);
159
160 ws[i] = accum.extract();
161 }
162
163 accum.add(z[2 * N - 1]);
164
165 ws[N - 1] = accum.extract();
166 // w1 is the final part, which is not stored in the workspace
167 const W w1 = accum.extract();
168
169 bigint_monty_maybe_sub<N>(r.data(), w1, ws.data(), p.data());
170
171 return r;
172}

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), bigint_monty_redc_12(), bigint_monty_redc_16(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().

Referenced by Botan::MontgomeryRep< Params >::redc().

◆ monty_redc_pdash1()

template<WordType W, size_t N>
auto Botan::monty_redc_pdash1 ( const std::array< W, 2 *N > & z,
const std::array< W, N > & p ) -> std::array<W, N>
inlineconstexpr

Definition at line 65 of file pcurves_util.h.

65 {
66 static_assert(N >= 1);
67
68 std::array<W, N> ws; // NOLINT(*-member-init);
69 std::array<W, N> r; // NOLINT(*-member-init)
70
71 word3<W> accum;
72
73 accum.add(z[0]);
74
75 ws[0] = accum.monty_step_pdash1();
76
77 for(size_t i = 1; i != N; ++i) {
78 for(size_t j = 0; j < i; ++j) {
79 accum.mul(ws[j], p[i - j]);
80 }
81
82 accum.add(z[i]);
83
84 ws[i] = accum.monty_step_pdash1();
85 }
86
87 for(size_t i = 0; i != N - 1; ++i) {
88 for(size_t j = i + 1; j != N; ++j) {
89 accum.mul(ws[j], p[N + i - j]);
90 }
91
92 accum.add(z[N + i]);
93
94 ws[i] = accum.extract();
95 }
96
97 accum.add(z[2 * N - 1]);
98
99 ws[N - 1] = accum.extract();
100 // w1 is the final part, which is not stored in the workspace
101 const W w1 = accum.extract();
102
103 bigint_monty_maybe_sub<N>(r.data(), w1, ws.data(), p.data());
104
105 return r;
106}
constexpr W monty_step_pdash1()
Definition mp_asmi.h:546

References Botan::word3< W >::add(), bigint_monty_maybe_sub(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step_pdash1(), and Botan::word3< W >::mul().

Referenced by Botan::MontgomeryRep< Params >::redc().

◆ montygomery_r()

template<WordType W, size_t N>
std::array< W, N > Botan::montygomery_r ( const std::array< W, N > & p)
inlineconsteval

Definition at line 49 of file pcurves_util.h.

49 {
50 std::array<W, N + 1> x = {};
51 x[N] = 1;
52 return reduce_mod(x, p);
53}
consteval std::array< W, N > reduce_mod(const std::array< W, XN > &x, const std::array< W, N > &p)

References reduce_mod().

◆ mul2_exec()

template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint Botan::mul2_exec ( const AffinePointTable< C > & table,
const BlindedScalar & x,
const BlindedScalar & y,
RandomNumberGenerator & rng )

Definition at line 378 of file pcurves_mul.h.

381 {
382 const size_t Windows = (x.bits() + WindowBits - 1) / WindowBits;
383
384 auto accum = [&]() {
385 const size_t w_1 = x.get_window((Windows - 1) * WindowBits);
386 const size_t w_2 = y.get_window((Windows - 1) * WindowBits);
387 const size_t window = w_1 + (w_2 << WindowBits);
388 auto pt = C::ProjectivePoint::from_affine(table.ct_select(window));
389 CT::poison(pt);
390 pt.randomize_rep(rng);
391 return pt;
392 }();
393
394 for(size_t i = 1; i != Windows; ++i) {
395 accum = accum.dbl_n(WindowBits);
396
397 const size_t w_1 = x.get_window((Windows - i - 1) * WindowBits);
398 const size_t w_2 = y.get_window((Windows - i - 1) * WindowBits);
399 const size_t window = w_1 + (w_2 << WindowBits);
400 accum += table.ct_select(window);
401
402 // Conditional ok: loop iteration count is public
403 if(i <= 3) {
404 accum.randomize_rep(rng);
405 }
406 }
407
408 CT::unpoison(accum);
409 return accum;
410}
AffinePoint ct_select(size_t idx) const
Definition pcurves_mul.h:60

References Botan::AffinePointTable< C, R >::ct_select(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by Botan::WindowedMul2Table< C, W >::mul2().

◆ mul2_setup()

template<typename C, size_t WindowBits>
std::vector< typename C::ProjectivePoint > Botan::mul2_setup ( const typename C::AffinePoint & p,
const typename C::AffinePoint & q )

Definition at line 316 of file pcurves_mul.h.

317 {
318 static_assert(WindowBits >= 1 && WindowBits <= 4);
319
320 // 2^(2*W) elements, less the identity element
321 constexpr size_t TableSize = (1 << (2 * WindowBits)) - 1;
322 constexpr size_t WindowSize = (1 << WindowBits);
323
324 std::vector<typename C::ProjectivePoint> table;
325 table.reserve(TableSize);
326
327 for(size_t i = 0; i != TableSize; ++i) {
328 const size_t t_i = (i + 1);
329 const size_t p_i = t_i % WindowSize;
330 const size_t q_i = (t_i >> WindowBits) % WindowSize;
331
332 // Conditionals ok: all based on t_i/p_i/q_i which in turn are derived from public i
333
334 // Returns x_i * x + y_i * y
335 auto next_tbl_e = [&]() {
336 if(p_i % 2 == 0 && q_i % 2 == 0) {
337 // Where possible using doubling (eg indices 1, 7, 9 in
338 // the table above)
339 return table[(t_i / 2) - 1].dbl();
340 } else if(p_i > 0 && q_i > 0) {
341 // A combination of p and q
342 if(p_i == 1) {
343 return p + table[(q_i << WindowBits) - 1];
344 } else if(q_i == 1) {
345 return table[p_i - 1] + q;
346 } else {
347 return table[p_i - 1] + table[(q_i << WindowBits) - 1];
348 }
349 } else if(p_i > 0 && q_i == 0) {
350 // A multiple of p without a q component
351 if(p_i == 1) {
352 // Just p
353 return C::ProjectivePoint::from_affine(p);
354 } else {
355 // p * p_{i-1}
356 return p + table[p_i - 1 - 1];
357 }
358 } else if(p_i == 0 && q_i > 0) {
359 if(q_i == 1) {
360 // Just q
361 return C::ProjectivePoint::from_affine(q);
362 } else {
363 // q * q_{i-1}
364 return q + table[((q_i - 1) << WindowBits) - 1];
365 }
366 } else {
368 }
369 };
370
371 table.emplace_back(next_tbl_e());
372 }
373
374 return table;
375}
#define BOTAN_ASSERT_UNREACHABLE()
Definition assert.h:163

References BOTAN_ASSERT_UNREACHABLE.

Referenced by Botan::VartimeMul2Table< C, W >::VartimeMul2Table(), and Botan::WindowedMul2Table< C, W >::WindowedMul2Table().

◆ mul64x64_128()

void Botan::mul64x64_128 ( uint64_t a,
uint64_t b,
uint64_t * lo,
uint64_t * hi )
inlineconstexpr

Perform a 64x64->128 bit multiplication

Definition at line 24 of file mul128.h.

24 {
25 if(!std::is_constant_evaluated()) {
26#if defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_X86_64)
27 *lo = _umul128(a, b, hi);
28 return;
29
30#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_ARM64)
31 *lo = a * b;
32 *hi = __umulh(a, b);
33 return;
34#endif
35 }
36
37#if defined(BOTAN_TARGET_HAS_NATIVE_UINT128)
38 const uint128_t r = static_cast<uint128_t>(a) * b;
39 *hi = (r >> 64) & 0xFFFFFFFFFFFFFFFF;
40 *lo = (r) & 0xFFFFFFFFFFFFFFFF;
41#else
42
43 /*
44 * Do a 64x64->128 multiply using four 32x32->64 multiplies plus
45 * some adds and shifts.
46 */
47 const size_t HWORD_BITS = 32;
48 const uint32_t HWORD_MASK = 0xFFFFFFFF;
49
50 const uint32_t a_hi = (a >> HWORD_BITS);
51 const uint32_t a_lo = (a & HWORD_MASK);
52 const uint32_t b_hi = (b >> HWORD_BITS);
53 const uint32_t b_lo = (b & HWORD_MASK);
54
55 const uint64_t x0 = static_cast<uint64_t>(a_hi) * b_hi;
56 const uint64_t x1 = static_cast<uint64_t>(a_lo) * b_hi;
57 const uint64_t x2 = static_cast<uint64_t>(a_hi) * b_lo;
58 const uint64_t x3 = static_cast<uint64_t>(a_lo) * b_lo;
59
60 // this cannot overflow as (2^32-1)^2 + 2^32-1 + 2^32-1 = 2^64-1
61 const uint64_t middle = x2 + (x3 >> HWORD_BITS) + (x1 & HWORD_MASK);
62
63 // likewise these cannot overflow
64 *hi = x0 + (middle >> HWORD_BITS) + (x1 >> HWORD_BITS);
65 *lo = (middle << HWORD_BITS) + (x3 & HWORD_MASK);
66#endif
67}

Referenced by operator*().

◆ mul_mod()

template<WordType W, size_t N>
std::array< W, N > Botan::mul_mod ( const std::array< W, N > & x,
const std::array< W, N > & y,
const std::array< W, N > & p )
inlineconsteval

Definition at line 56 of file pcurves_util.h.

58 {
59 std::array<W, 2 * N> z = {};
60 comba_mul<N>(z.data(), x.data(), y.data());
61 return reduce_mod(z, p);
62}
constexpr void comba_mul(W z[2 *N], const W x[N], const W y[N])
Definition mp_core.h:699

References comba_mul(), and reduce_mod().

◆ multi_exponentiate()

EC_Point Botan::multi_exponentiate ( const EC_Point & p1,
const BigInt & z1,
const EC_Point & p2,
const BigInt & z2 )

ECC point multiexponentiation - not constant time!

Parameters
p1a point
z1a scalar
p2a point
z2a scalar
Returns
(p1 * z1 + p2 * z2)

Definition at line 35 of file point_mul.cpp.

35 {
37 return xy_mul.multi_exp(z1, z2);
38}

References Botan::EC_Point_Multi_Point_Precompute::multi_exp().

◆ nist_key_unwrap() [1/2]

secure_vector< uint8_t > Botan::nist_key_unwrap ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 116 of file nist_keywrap.cpp.

116 {
117 if(bc.block_size() != 16) {
118 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
119 }
120
121 if(input_len < 16 || input_len % 8 != 0) {
122 throw Invalid_Argument("Bad input size for NIST key unwrap");
123 }
124
125 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
126
127 uint64_t ICV_out = 0;
129
130 if(input_len == 16) {
131 secure_vector<uint8_t> block(input, input + input_len);
132 bc.decrypt(block);
133
134 ICV_out = load_be<uint64_t>(block.data(), 0);
135 R.resize(8);
136 copy_mem(R.data(), block.data() + 8, 8);
137 } else {
138 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
139 }
140
141 if(ICV_out != ICV) {
142 throw Invalid_Authentication_Tag("NIST key unwrap failed");
143 }
144
145 return R;
146}
void decrypt(const uint8_t in[], uint8_t out[]) const
virtual size_t block_size() const =0

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be().

Referenced by botan_nist_kw_dec(), nist_key_unwrap(), and rfc3394_keyunwrap().

◆ nist_key_unwrap() [2/2]

secure_vector< uint8_t > Botan::nist_key_unwrap ( std::span< const uint8_t > input,
const BlockCipher & bc )
inline
Parameters
inputthe value to be decrypted, output of nist_key_wrap
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 53 of file nist_keywrap.h.

53 {
54 return nist_key_unwrap(input.data(), input.size(), bc);
55}
secure_vector< uint8_t > nist_key_unwrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References nist_key_unwrap().

◆ nist_key_unwrap_padded() [1/2]

secure_vector< uint8_t > Botan::nist_key_unwrap_padded ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 169 of file nist_keywrap.cpp.

169 {
170 if(bc.block_size() != 16) {
171 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
172 }
173
174 if(input_len < 16 || input_len % 8 != 0) {
175 throw Invalid_Argument("Bad input size for NIST key unwrap");
176 }
177
178 uint64_t ICV_out = 0;
180
181 if(input_len == 16) {
182 secure_vector<uint8_t> block(input, input + input_len);
183 bc.decrypt(block);
184
185 ICV_out = load_be<uint64_t>(block.data(), 0);
186 R.resize(8);
187 copy_mem(R.data(), block.data() + 8, 8);
188 } else {
189 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
190 }
191
192 if((ICV_out >> 32) != 0xA65959A6) {
193 throw Invalid_Authentication_Tag("NIST key unwrap failed");
194 }
195
196 const size_t len = (ICV_out & 0xFFFFFFFF);
197
198 if(R.size() < 8 || len > R.size() || len <= R.size() - 8) {
199 throw Invalid_Authentication_Tag("NIST key unwrap failed");
200 }
201
202 const size_t padding = R.size() - len;
203
204 for(size_t i = 0; i != padding; ++i) {
205 if(R[R.size() - i - 1] != 0) {
206 throw Invalid_Authentication_Tag("NIST key unwrap failed");
207 }
208 }
209
210 R.resize(R.size() - padding);
211
212 return R;
213}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be().

Referenced by botan_nist_kw_dec(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::list_names(), and nist_key_unwrap_padded().

◆ nist_key_unwrap_padded() [2/2]

secure_vector< uint8_t > Botan::nist_key_unwrap_padded ( std::span< const uint8_t > input,
const BlockCipher & bc )
inline
Parameters
inputthe value to be decrypted, output of nist_key_wrap
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 93 of file nist_keywrap.h.

93 {
94 return nist_key_unwrap_padded(input.data(), input.size(), bc);
95}
secure_vector< uint8_t > nist_key_unwrap_padded(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References nist_key_unwrap_padded().

◆ nist_key_wrap() [1/2]

std::vector< uint8_t > Botan::nist_key_wrap ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )

Key wrap. See RFC 3394 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input, must be a multiple of 8
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 90 of file nist_keywrap.cpp.

90 {
91 if(bc.block_size() != 16) {
92 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
93 }
94
95 if(input_len % 8 != 0) {
96 throw Invalid_Argument("Bad input size for NIST key wrap");
97 }
98
99 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
100
101 if(input_len == 8) {
102 /*
103 * Special case for small inputs: if input == 8 bytes just use ECB
104 * (see RFC 3394 Section 2)
105 */
106 std::vector<uint8_t> block(16);
107 store_be(ICV, block.data());
108 copy_mem(block.data() + 8, input, input_len);
109 bc.encrypt(block);
110 return block;
111 } else {
112 return raw_nist_key_wrap(input, input_len, bc, ICV);
113 }
114}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by botan_nist_kw_enc(), nist_key_wrap(), and rfc3394_keywrap().

◆ nist_key_wrap() [2/2]

std::vector< uint8_t > Botan::nist_key_wrap ( std::span< const uint8_t > input,
const BlockCipher & bc )
inline

Key wrap. See RFC 3394 and NIST SP800-38F

Parameters
inputthe value to be encrypted
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 33 of file nist_keywrap.h.

33 {
34 return nist_key_wrap(input.data(), input.size(), bc);
35}
std::vector< uint8_t > nist_key_wrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References nist_key_wrap().

◆ nist_key_wrap_padded() [1/2]

std::vector< uint8_t > Botan::nist_key_wrap_padded ( const uint8_t input[],
size_t input_len,
const BlockCipher & bc )

KWP (key wrap with padding). See RFC 5649 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 148 of file nist_keywrap.cpp.

148 {
149 if(bc.block_size() != 16) {
150 throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
151 }
152
153 const uint64_t ICV = 0xA65959A600000000 | static_cast<uint32_t>(input_len);
154
155 if(input_len <= 8) {
156 /*
157 * Special case for small inputs: if input <= 8 bytes just use ECB
158 */
159 std::vector<uint8_t> block(16);
160 store_be(ICV, block.data());
161 copy_mem(block.data() + 8, input, input_len);
162 bc.encrypt(block);
163 return block;
164 } else {
165 return raw_nist_key_wrap(input, input_len, bc, ICV);
166 }
167}

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by botan_nist_kw_enc(), Botan::Encrypted_PSK_Database::get(), nist_key_wrap_padded(), Botan::Encrypted_PSK_Database::remove(), and Botan::Encrypted_PSK_Database::set().

◆ nist_key_wrap_padded() [2/2]

std::vector< uint8_t > Botan::nist_key_wrap_padded ( std::span< const uint8_t > input,
const BlockCipher & bc )
inline

KWP (key wrap with padding). See RFC 5649 and NIST SP800-38F

Parameters
inputthe value to be encrypted
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 73 of file nist_keywrap.h.

73 {
74 return nist_key_wrap_padded(input.data(), input.size(), bc);
75}
std::vector< uint8_t > nist_key_wrap_padded(const uint8_t input[], size_t input_len, const BlockCipher &bc)

References nist_key_wrap_padded().

◆ oaep_find_delim()

BOTAN_FUZZER_API CT::Option< size_t > Botan::oaep_find_delim ( std::span< const uint8_t > input,
std::span< const uint8_t > phash )

Definition at line 102 of file oaep.cpp.

102 {
103 // Too short to be valid, reject immediately
104 if(input.size() < 1 + 2 * phash.size()) {
105 return {};
106 }
107
108 size_t delim_idx = 2 * phash.size();
109 CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set();
111
112 for(uint8_t ib : input.subspan(2 * phash.size())) {
113 const auto zero_m = CT::Mask<uint8_t>::is_zero(ib);
114 const auto one_m = CT::Mask<uint8_t>::is_equal(ib, 1);
115
116 const auto add_m = waiting_for_delim & zero_m;
117
118 bad_input_m |= waiting_for_delim & ~(zero_m | one_m);
119
120 delim_idx += add_m.if_set_return(1);
121
122 waiting_for_delim &= zero_m;
123 }
124
125 // If we never saw any non-zero byte, then it's not valid input
126 bad_input_m |= waiting_for_delim;
127
128 // If the P hash is wrong, then it's not valid
129 bad_input_m |= CT::is_not_equal(&input[phash.size()], phash.data(), phash.size());
130
131 delim_idx += 1;
132
133 const auto accept = !(bad_input_m.as_choice());
134
135 return CT::Option(delim_idx, accept);
136}
static constexpr Mask< T > set()
Definition ct_utils.h:410
constexpr CT::Mask< T > is_not_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:866

References Botan::CT::Mask< T >::as_choice(), Botan::CT::Mask< T >::cleared(), Botan::CT::Mask< T >::if_set_return(), Botan::CT::Mask< T >::is_equal(), Botan::CT::is_not_equal(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::Mask< T >::set().

◆ operator!=() [1/12]

bool Botan::operator!= ( const AlgorithmIdentifier & a1,
const AlgorithmIdentifier & a2 )

Definition at line 68 of file alg_id.cpp.

68 {
69 return !(a1 == a2);
70}

◆ operator!=() [2/12]

bool Botan::operator!= ( const ASN1_Time & x,
const ASN1_Time & y )

Definition at line 271 of file asn1_time.cpp.

271 {
272 return (t1.cmp(t2) != 0);
273}

References Botan::ASN1_Time::cmp().

◆ operator!=() [3/12]

bool Botan::operator!= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1124 of file bigint.h.

1124 {
1125 return !a.is_equal(b);
1126}
bool is_equal(const BigInt &n) const
Definition bigint.cpp:160

References Botan::BigInt::is_equal().

◆ operator!=() [4/12]

bool Botan::operator!= ( const BigInt & a,
word b )
inline

Definition at line 1148 of file bigint.h.

1148 {
1149 return (a.cmp_word(b) != 0);
1150}
int32_t cmp_word(word n) const
Definition bigint.cpp:126

References Botan::BigInt::cmp_word().

◆ operator!=() [5/12]

bool Botan::operator!= ( const CRL_Entry & lhs,
const CRL_Entry & rhs )

Test two CRL entries for inequality in at least one field.

Definition at line 58 of file crl_ent.cpp.

58 {
59 return !(a1 == a2);
60}

◆ operator!=() [6/12]

bool Botan::operator!= ( const EC_Group & lhs,
const EC_Group & rhs )
inline

Definition at line 744 of file ec_group.h.

744 {
745 return !(lhs == rhs);
746}

◆ operator!=() [7/12]

bool Botan::operator!= ( const OctetString & x,
const OctetString & y )

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is not equal to y

Definition at line 92 of file symkey.cpp.

92 {
93 return !(s1 == s2);
94}

◆ operator!=() [8/12]

bool Botan::operator!= ( const OID & a,
const OID & b )
inline

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is not equal to b

Definition at line 345 of file asn1_obj.h.

345 {
346 return !(a == b);
347}

◆ operator!=() [9/12]

template<typename T, typename U>
bool Botan::operator!= ( const secure_allocator< T > & ,
const secure_allocator< U > &  )
inline

Definition at line 64 of file secmem.h.

64 {
65 return false;
66}

◆ operator!=() [10/12]

template<bitvectorish T1, bitvectorish T2>
bool Botan::operator!= ( const T1 & lhs,
const T2 & rhs )

Definition at line 1353 of file bitvector.h.

1353 {
1354 return lhs.equals_vartime(rhs);
1355}

◆ operator!=() [11/12]

bool Botan::operator!= ( const X509_Certificate & cert1,
const X509_Certificate & cert2 )

Check two certificates for inequality

Parameters
cert1The first certificate
cert2The second certificate
Returns
true if the arguments represent different certificates, false if they are binary identical

Definition at line 701 of file x509cert.cpp.

701 {
702 return !(cert1 == cert2);
703}

◆ operator!=() [12/12]

bool Botan::operator!= ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 263 of file x509_dn.cpp.

263 {
264 return !(dn1 == dn2);
265}

◆ operator%() [1/2]

BigInt Botan::operator% ( const BigInt & n,
const BigInt & mod )

Definition at line 133 of file big_ops3.cpp.

133 {
134 if(mod.is_zero()) {
135 throw Invalid_Argument("BigInt::operator% divide by zero");
136 }
137 if(mod.is_negative()) {
138 throw Invalid_Argument("BigInt::operator% modulus must be > 0");
139 }
140 if(n.is_positive() && mod.is_positive() && n < mod) {
141 return n;
142 }
143
144 if(mod.sig_words() == 1) {
145 return BigInt::from_word(n % mod.word_at(0));
146 }
147
148 BigInt q;
149 BigInt r;
150 vartime_divide(n, mod, q, r);
151 return r;
152}
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:230

References Botan::BigInt::from_word(), Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

◆ operator%() [2/2]

word Botan::operator% ( const BigInt & n,
word mod )

Definition at line 157 of file big_ops3.cpp.

157 {
158 if(mod == 0) {
159 throw Invalid_Argument("BigInt::operator% divide by zero");
160 }
161
162 if(mod == 1) {
163 return 0;
164 }
165
166 word remainder = 0;
167
168 if(is_power_of_2(mod)) {
169 remainder = (n.word_at(0) & (mod - 1));
170 } else {
171 const size_t sw = n.sig_words();
172 for(size_t i = sw; i > 0; --i) {
173 remainder = bigint_modop_vartime(remainder, n.word_at(i - 1), mod);
174 }
175 }
176
177 if(remainder != 0 && n.sign() == BigInt::Negative) {
178 return mod - remainder;
179 }
180 return remainder;
181}
Sign sign() const
Definition bigint.h:571
BOTAN_FORCE_INLINE constexpr bool is_power_of_2(T arg)
Definition bit_ops.h:45
constexpr auto bigint_modop_vartime(W n1, W n0, W d) -> W
Definition mp_core.h:568

References bigint_modop_vartime(), is_power_of_2(), Botan::BigInt::Negative, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::word_at().

◆ operator&() [1/5]

template<bitvectorish T1, bitvectorish T2>
auto Botan::operator& ( const T1 & lhs,
const T2 & rhs )

Definition at line 1334 of file bitvector.h.

1334 {
1335 auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
1336 res &= rhs;
1337 return res;
1338}
constexpr auto copy_lhs_allocator_aware(const T1 &lhs, const T2 &)
Definition bitvector.h:1313

References Botan::detail::copy_lhs_allocator_aware().

◆ operator&() [2/5]

ECIES_Flags Botan::operator& ( ECIES_Flags a,
ECIES_Flags b )
inline

Definition at line 70 of file ecies.h.

70 {
71 return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) & static_cast<uint32_t>(b));
72}
ECIES_Flags
Definition ecies.h:44

◆ operator&() [3/5]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator& ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 426 of file strong_type.h.

426 {
427 return Strong<T, Tags...>(a.get() & b.get());
428}

References Botan::detail::Strong_Base< T >::get().

◆ operator&() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator& ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 421 of file strong_type.h.

421 {
422 return Strong<T1, Tags...>(a.get() & b);
423}

References Botan::detail::Strong_Base< T >::get().

◆ operator&() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator& ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 415 of file strong_type.h.

415 {
416 return Strong<T2, Tags...>(a & b.get());
417}

References Botan::detail::Strong_Base< T >::get().

◆ operator&=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator&= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 554 of file strong_type.h.

554 {
555 a.get() &= b.get();
556 return a;
557}

References Botan::detail::Strong_Base< T >::get().

◆ operator&=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator&= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 548 of file strong_type.h.

548 {
549 a.get() &= b;
550 return a;
551}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [1/12]

EC_Point Botan::operator* ( const BigInt & scalar,
const EC_Point & point )
inline

Definition at line 400 of file ec_point.h.

400 {
401 return point.mul(scalar);
402}
EC_Point mul(const BigInt &scalar) const
Definition ec_point.cpp:497

References Botan::EC_Point::mul().

◆ operator*() [2/12]

BigInt Botan::operator* ( const BigInt & x,
const BigInt & y )

Definition at line 56 of file big_ops3.cpp.

56 {
57 const size_t x_sw = x.sig_words();
58 const size_t y_sw = y.sig_words();
59
61
62 if(x_sw == 1 && y_sw > 0) {
63 bigint_linmul3(z.mutable_data(), y._data(), y_sw, x.word_at(0));
64 } else if(y_sw == 1 && x_sw > 0) {
65 bigint_linmul3(z.mutable_data(), x._data(), x_sw, y.word_at(0));
66 } else if(x_sw > 0 && y_sw > 0) {
67 secure_vector<word> workspace(z.size());
68
70 z.size(),
71 x._data(),
72 x.size(),
73 x_sw,
74 y._data(),
75 y.size(),
76 y_sw,
77 workspace.data(),
78 workspace.size());
79 }
80
81 z.cond_flip_sign(x_sw > 0 && y_sw > 0 && x.sign() != y.sign());
82
83 return z;
84}
word * mutable_data()
Definition bigint.h:640
size_t size() const
Definition bigint.h:609
void cond_flip_sign(bool predicate)
Definition bigint.cpp:519
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:283

References Botan::BigInt::_data(), bigint_linmul3(), bigint_mul(), Botan::BigInt::cond_flip_sign(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::size(), Botan::BigInt::with_capacity(), and Botan::BigInt::word_at().

◆ operator*() [3/12]

BigInt Botan::operator* ( const BigInt & x,
word y )

Definition at line 89 of file big_ops3.cpp.

89 {
90 const size_t x_sw = x.sig_words();
91
92 BigInt z = BigInt::with_capacity(x_sw + 1);
93
94 if(x_sw > 0 && y > 0) {
95 bigint_linmul3(z.mutable_data(), x._data(), x_sw, y);
96 z.set_sign(x.sign());
97 }
98
99 return z;
100}
void set_sign(Sign sign)
Definition bigint.h:592

References Botan::BigInt::_data(), bigint_linmul3(), Botan::BigInt::mutable_data(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().

◆ operator*() [4/12]

template<std::integral T>
donna128 Botan::operator* ( const donna128 & x,
T y )
inlineconstexpr

Definition at line 95 of file donna128.h.

95 {
96 BOTAN_ARG_CHECK(x.hi() == 0, "High 64 bits of donna128 set to zero during multiply");
97
98 uint64_t lo = 0;
99 uint64_t hi = 0;
100 mul64x64_128(x.lo(), static_cast<uint64_t>(y), &lo, &hi);
101 return donna128(lo, hi);
102}
constexpr uint64_t hi() const
Definition donna128.h:85
constexpr void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition mul128.h:24

References BOTAN_ARG_CHECK, Botan::donna128::hi(), Botan::donna128::lo(), and mul64x64_128().

◆ operator*() [5/12]

EC_Point Botan::operator* ( const EC_Point & point,
const BigInt & scalar )
inline

Definition at line 396 of file ec_point.h.

396 {
397 return point.mul(scalar);
398}

References Botan::EC_Point::mul().

◆ operator*() [6/12]

Ed25519_FieldElement Botan::operator* ( const Ed25519_FieldElement & x,
const Ed25519_FieldElement & y )
inline

Definition at line 145 of file ed25519_fe.h.

145 {
146 return Ed25519_FieldElement::mul(x, y);
147}
static Ed25519_FieldElement mul(const Ed25519_FieldElement &a, const Ed25519_FieldElement &b)

References Botan::Ed25519_FieldElement::mul().

◆ operator*() [7/12]

Ed448Point Botan::operator* ( const Scalar448 & lhs,
const Ed448Point & rhs )

Syntax sugar for scalar multiplication.

Definition at line 220 of file ed448_internal.cpp.

220 {
221 return rhs.scalar_mul(lhs);
222}
Ed448Point scalar_mul(const Scalar448 &scalar) const
Scalar multiplication.

References Botan::Ed448Point::scalar_mul().

◆ operator*() [8/12]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator* ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 375 of file strong_type.h.

375 {
376 return Strong<T, Tags...>(a.get() * b.get());
377}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [9/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator* ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 370 of file strong_type.h.

370 {
371 return Strong<T1, Tags...>(a.get() * b);
372}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [10/12]

template<std::integral T>
donna128 Botan::operator* ( T y,
const donna128 & x )
inlineconstexpr

Definition at line 105 of file donna128.h.

105 {
106 return x * y;
107}

◆ operator*() [11/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator* ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 364 of file strong_type.h.

364 {
365 return Strong<T2, Tags...>(a * b.get());
366}

References Botan::detail::Strong_Base< T >::get().

◆ operator*() [12/12]

BigInt Botan::operator* ( word x,
const BigInt & y )
inline

Definition at line 1106 of file bigint.h.

1106 {
1107 return y * x;
1108}

◆ operator*=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator*= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 515 of file strong_type.h.

515 {
516 a.get() *= b.get();
517 return a;
518}

References Botan::detail::Strong_Base< T >::get().

◆ operator*=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator*= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 509 of file strong_type.h.

509 {
510 a.get() *= b;
511 return a;
512}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [1/11]

BigInt Botan::operator+ ( const BigInt & x,
const BigInt & y )
inline

Definition at line 1083 of file bigint.h.

1083 {
1084 return BigInt::add2(x, y._data(), y.sig_words(), y.sign());
1085}
static BigInt add2(const BigInt &x, const word y[], size_t y_words, Sign y_sign)
Definition big_ops3.cpp:19

References Botan::BigInt::_data(), Botan::BigInt::add2(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().

◆ operator+() [2/11]

BigInt Botan::operator+ ( const BigInt & x,
word y )
inline

Definition at line 1087 of file bigint.h.

1087 {
1088 return BigInt::add2(x, &y, 1, BigInt::Positive);
1089}

References Botan::BigInt::add2(), and Botan::BigInt::Positive.

◆ operator+() [3/11]

donna128 Botan::operator+ ( const donna128 & x,
const donna128 & y )
inlineconstexpr

Definition at line 109 of file donna128.h.

109 {
110 donna128 z = x;
111 z += y;
112 return z;
113}

◆ operator+() [4/11]

donna128 Botan::operator+ ( const donna128 & x,
uint64_t y )
inlineconstexpr

Definition at line 115 of file donna128.h.

115 {
116 donna128 z = x;
117 z += y;
118 return z;
119}

◆ operator+() [5/11]

EC_Point Botan::operator+ ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 386 of file ec_point.h.

386 {
387 EC_Point tmp(lhs);
388 return tmp += rhs;
389}

◆ operator+() [6/11]

Ed25519_FieldElement Botan::operator+ ( const Ed25519_FieldElement & x,
const Ed25519_FieldElement & y )
inline

Definition at line 137 of file ed25519_fe.h.

137 {
138 return Ed25519_FieldElement::add(x, y);
139}
static Ed25519_FieldElement add(const Ed25519_FieldElement &a, const Ed25519_FieldElement &b)
Definition ed25519_fe.h:91

References Botan::Ed25519_FieldElement::add().

◆ operator+() [7/11]

OctetString Botan::operator+ ( const OctetString & x,
const OctetString & y )

Concatenate two strings

Parameters
xan octet string
yan octet string
Returns
x concatenated with y

Definition at line 99 of file symkey.cpp.

99 {
101 out += k1.bits_of();
102 out += k2.bits_of();
103 return OctetString(out);
104}

References Botan::OctetString::bits_of(), and OctetString.

◆ operator+() [8/11]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator+ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 341 of file strong_type.h.

341 {
342 return Strong<T, Tags...>(a.get() + b.get());
343}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [9/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator+ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 336 of file strong_type.h.

336 {
337 return Strong<T1, Tags...>(a.get() + b);
338}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [10/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator+ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 330 of file strong_type.h.

330 {
331 return Strong<T2, Tags...>(a + b.get());
332}

References Botan::detail::Strong_Base< T >::get().

◆ operator+() [11/11]

BigInt Botan::operator+ ( word x,
const BigInt & y )
inline

Definition at line 1091 of file bigint.h.

1091 {
1092 return y + x;
1093}

◆ operator++() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator++ ( Strong< T, Tags... > & a)
constexpr

Definition at line 606 of file strong_type.h.

606 {
607 ++a.get();
608 return a;
609}

References Botan::detail::Strong_Base< T >::get().

◆ operator++() [2/2]

template<std::integral T, typename... Tags>
auto Botan::operator++ ( Strong< T, Tags... > & a,
int  )
constexpr

Definition at line 599 of file strong_type.h.

599 {
600 auto tmp = a;
601 ++a.get();
602 return tmp;
603}

References Botan::detail::Strong_Base< T >::get().

Referenced by generate_dsa_primes().

◆ operator+=() [1/7]

template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::pair< const T *, L > & in )

Definition at line 109 of file secmem.h.

109 {
110 out.insert(out.end(), in.first, in.first + in.second);
111 return out;
112}

◆ operator+=() [2/7]

template<typename T, typename Alloc, typename L>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::pair< T *, L > & in )

Definition at line 115 of file secmem.h.

115 {
116 out.insert(out.end(), in.first, in.first + in.second);
117 return out;
118}

◆ operator+=() [3/7]

template<typename T, typename Alloc, typename Alloc2>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
const std::vector< T, Alloc2 > & in )

Definition at line 91 of file secmem.h.

91 {
92 out.insert(out.end(), in.begin(), in.end());
93 return out;
94}

◆ operator+=() [4/7]

template<typename T, typename Alloc>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
std::span< const T > in )

Definition at line 97 of file secmem.h.

97 {
98 out.insert(out.end(), in.begin(), in.end());
99 return out;
100}

◆ operator+=() [5/7]

template<typename T, typename Alloc>
std::vector< T, Alloc > & Botan::operator+= ( std::vector< T, Alloc > & out,
T in )

Definition at line 103 of file secmem.h.

103 {
104 out.push_back(in);
105 return out;
106}

◆ operator+=() [6/7]

template<std::integral T, typename... Tags>
auto Botan::operator+= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 489 of file strong_type.h.

489 {
490 a.get() += b.get();
491 return a;
492}

References Botan::detail::Strong_Base< T >::get().

◆ operator+=() [7/7]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator+= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 483 of file strong_type.h.

483 {
484 a.get() += b;
485 return a;
486}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [1/9]

BigInt Botan::operator- ( const BigInt & x,
const BigInt & y )
inline

Definition at line 1095 of file bigint.h.

1095 {
1096 return BigInt::add2(x, y._data(), y.sig_words(), y.reverse_sign());
1097}
Sign reverse_sign() const
Definition bigint.h:576

References Botan::BigInt::_data(), Botan::BigInt::add2(), Botan::BigInt::reverse_sign(), and Botan::BigInt::sig_words().

◆ operator-() [2/9]

BigInt Botan::operator- ( const BigInt & x,
word y )
inline

Definition at line 1099 of file bigint.h.

1099 {
1100 return BigInt::add2(x, &y, 1, BigInt::Negative);
1101}

References Botan::BigInt::add2(), and Botan::BigInt::Negative.

◆ operator-() [3/9]

EC_Point Botan::operator- ( const EC_Point & lhs)
inline

Definition at line 382 of file ec_point.h.

382 {
383 return EC_Point(lhs).negate();
384}
EC_Point & negate()
Definition ec_point.h:134

References Botan::EC_Point::negate().

◆ operator-() [4/9]

EC_Point Botan::operator- ( const EC_Point & lhs,
const EC_Point & rhs )
inline

Definition at line 391 of file ec_point.h.

391 {
392 EC_Point tmp(lhs);
393 return tmp -= rhs;
394}

◆ operator-() [5/9]

Ed25519_FieldElement Botan::operator- ( const Ed25519_FieldElement & x)
inline

Definition at line 149 of file ed25519_fe.h.

149 {
151}
static Ed25519_FieldElement negate(const Ed25519_FieldElement &a)
Definition ed25519_fe.h:107

References Botan::Ed25519_FieldElement::negate().

◆ operator-() [6/9]

Ed25519_FieldElement Botan::operator- ( const Ed25519_FieldElement & x,
const Ed25519_FieldElement & y )
inline

Definition at line 141 of file ed25519_fe.h.

141 {
142 return Ed25519_FieldElement::sub(x, y);
143}
static Ed25519_FieldElement sub(const Ed25519_FieldElement &a, const Ed25519_FieldElement &b)
Definition ed25519_fe.h:99

References Botan::Ed25519_FieldElement::sub().

◆ operator-() [7/9]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator- ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 358 of file strong_type.h.

358 {
359 return Strong<T, Tags...>(a.get() - b.get());
360}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [8/9]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator- ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 353 of file strong_type.h.

353 {
354 return Strong<T1, Tags...>(a.get() - b);
355}

References Botan::detail::Strong_Base< T >::get().

◆ operator-() [9/9]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator- ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 347 of file strong_type.h.

347 {
348 return Strong<T2, Tags...>(a - b.get());
349}

References Botan::detail::Strong_Base< T >::get().

◆ operator--() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator-- ( Strong< T, Tags... > & a)
constexpr

Definition at line 619 of file strong_type.h.

619 {
620 --a.get();
621 return a;
622}

References Botan::detail::Strong_Base< T >::get().

◆ operator--() [2/2]

template<std::integral T, typename... Tags>
auto Botan::operator-- ( Strong< T, Tags... > & a,
int  )
constexpr

Definition at line 612 of file strong_type.h.

612 {
613 auto tmp = a;
614 --a.get();
615 return tmp;
616}

References Botan::detail::Strong_Base< T >::get().

◆ operator-=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator-= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 502 of file strong_type.h.

502 {
503 a.get() -= b.get();
504 return a;
505}

References Botan::detail::Strong_Base< T >::get().

◆ operator-=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator-= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 496 of file strong_type.h.

496 {
497 a.get() -= b;
498 return a;
499}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [1/5]

BigInt Botan::operator/ ( const BigInt & x,
const BigInt & y )

Definition at line 105 of file big_ops3.cpp.

105 {
106 if(y.sig_words() == 1) {
107 return x / y.word_at(0);
108 }
109
110 BigInt q;
111 BigInt r;
112 vartime_divide(x, y, q, r);
113 return q;
114}

References Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

◆ operator/() [2/5]

BigInt Botan::operator/ ( const BigInt & x,
word y )

Definition at line 119 of file big_ops3.cpp.

119 {
120 if(y == 0) {
121 throw Invalid_Argument("BigInt::operator/ divide by zero");
122 }
123
124 BigInt q;
125 word r = 0;
126 ct_divide_word(x, y, q, r);
127 return q;
128}

References ct_divide_word().

◆ operator/() [3/5]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator/ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 392 of file strong_type.h.

392 {
393 return Strong<T, Tags...>(a.get() / b.get());
394}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator/ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 387 of file strong_type.h.

387 {
388 return Strong<T1, Tags...>(a.get() / b);
389}

References Botan::detail::Strong_Base< T >::get().

◆ operator/() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator/ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 381 of file strong_type.h.

381 {
382 return Strong<T2, Tags...>(a / b.get());
383}

References Botan::detail::Strong_Base< T >::get().

◆ operator/=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator/= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 528 of file strong_type.h.

528 {
529 a.get() /= b.get();
530 return a;
531}

References Botan::detail::Strong_Base< T >::get().

◆ operator/=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator/= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 522 of file strong_type.h.

522 {
523 a.get() /= b;
524 return a;
525}

References Botan::detail::Strong_Base< T >::get().

◆ operator<() [1/5]

bool Botan::operator< ( const ASN1_Time & x,
const ASN1_Time & y )

Definition at line 283 of file asn1_time.cpp.

283 {
284 return (t1.cmp(t2) < 0);
285}

References Botan::ASN1_Time::cmp().

◆ operator<() [2/5]

bool Botan::operator< ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1136 of file bigint.h.

1136 {
1137 return a.is_less_than(b);
1138}
bool is_less_than(const BigInt &n) const
Definition bigint.cpp:168

References Botan::BigInt::is_less_than().

◆ operator<() [3/5]

bool Botan::operator< ( const BigInt & a,
word b )
inline

Definition at line 1160 of file bigint.h.

1160 {
1161 return (a.cmp_word(b) < 0);
1162}

References Botan::BigInt::cmp_word().

◆ operator<() [4/5]

bool Botan::operator< ( const OID & a,
const OID & b )

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is lexicographically smaller than b

Definition at line 173 of file asn1_oid.cpp.

173 {
174 const std::vector<uint32_t>& oid1 = a.get_components();
175 const std::vector<uint32_t>& oid2 = b.get_components();
176
177 return std::lexicographical_compare(oid1.begin(), oid1.end(), oid2.begin(), oid2.end());
178}

References Botan::OID::get_components().

◆ operator<() [5/5]

bool Botan::operator< ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 270 of file x509_dn.cpp.

270 {
271 auto attr1 = dn1.get_attributes();
272 auto attr2 = dn2.get_attributes();
273
274 // If they are not the same size, choose the smaller as the "lessor"
275 if(attr1.size() < attr2.size()) {
276 return true;
277 }
278 if(attr1.size() > attr2.size()) {
279 return false;
280 }
281
282 // We know they are the same # of elements, now compare the OIDs:
283 auto p1 = attr1.begin();
284 auto p2 = attr2.begin();
285
286 while(p1 != attr1.end() && p2 != attr2.end()) {
287 if(p1->first != p2->first) {
288 return (p1->first < p2->first);
289 }
290
291 ++p1;
292 ++p2;
293 }
294
295 // We know this is true because maps have the same size
296 BOTAN_ASSERT_NOMSG(p1 == attr1.end());
297 BOTAN_ASSERT_NOMSG(p2 == attr2.end());
298
299 // Now we know all elements have the same OIDs, compare
300 // their string values:
301
302 p1 = attr1.begin();
303 p2 = attr2.begin();
304 while(p1 != attr1.end() && p2 != attr2.end()) {
305 BOTAN_DEBUG_ASSERT(p1->first == p2->first);
306
307 // They may be binary different but same by X.500 rules, check this
308 if(!x500_name_cmp(p1->second, p2->second)) {
309 // If they are not (by X.500) the same string, pick the
310 // lexicographic first as the lessor
311 return (p1->second < p2->second);
312 }
313
314 ++p1;
315 ++p2;
316 }
317
318 // if we reach here, then the DNs should be identical
319 BOTAN_DEBUG_ASSERT(dn1 == dn2);
320 return false;
321}
std::multimap< OID, std::string > get_attributes() const
Definition x509_dn.cpp:119

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, and Botan::X509_DN::get_attributes().

◆ operator<<() [1/12]

BigInt Botan::operator<< ( const BigInt & x,
size_t shift )

Definition at line 186 of file big_ops3.cpp.

186 {
187 const size_t x_sw = x.sig_words();
188
189 const size_t new_size = x_sw + (shift + WordInfo<word>::bits - 1) / WordInfo<word>::bits;
190 BigInt y = BigInt::with_capacity(new_size);
191 bigint_shl2(y.mutable_data(), x._data(), x_sw, shift);
192 y.set_sign(x.sign());
193 return y;
194}
constexpr void bigint_shl2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:352

References Botan::BigInt::_data(), bigint_shl2(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().

◆ operator<<() [2/12]

int Botan::operator<< ( int out,
Pipe & pipe )

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outfile descriptor for an open output stream
pipethe pipe

Definition at line 18 of file fd_unix.cpp.

18 {
20 while(pipe.remaining() > 0) {
21 size_t got = pipe.read(buffer.data(), buffer.size());
22 size_t position = 0;
23 while(got > 0) {
24 ssize_t ret = ::write(fd, &buffer[position], got);
25 if(ret < 0) {
26 throw Stream_IO_Error("Pipe output operator (unixfd) has failed");
27 }
28
29 position += static_cast<size_t>(ret);
30 got -= static_cast<size_t>(ret);
31 }
32 }
33 return fd;
34}
size_t read(uint8_t output[], size_t length) override
Definition pipe_rw.cpp:84
size_t remaining(message_id msg=DEFAULT_MESSAGE) const
Definition pipe_rw.cpp:129
constexpr size_t DefaultBufferSize
Definition types.h:137

References DefaultBufferSize, Botan::Pipe::read(), and Botan::Pipe::remaining().

◆ operator<<() [3/12]

std::ostream & Botan::operator<< ( std::ostream & os,
const GeneralName & gn )

Definition at line 260 of file name_constraint.cpp.

260 {
261 os << gn.type() << ":" << gn.name();
262 return os;
263}
std::string type() const
std::string name() const

References Botan::GeneralName::name(), and Botan::GeneralName::type().

◆ operator<<() [4/12]

std::ostream & Botan::operator<< ( std::ostream & os,
const GeneralSubtree & gs )

Definition at line 284 of file name_constraint.cpp.

284 {
285 os << gs.base();
286 return os;
287}
const GeneralName & base() const
Definition pkix_types.h:354

References Botan::GeneralSubtree::base().

◆ operator<<() [5/12]

template<typename T, typename... Tags>
requires (concepts::streamable<T>)
decltype(auto) Botan::operator<< ( std::ostream & os,
const Strong< T, Tags... > & v )

Definition at line 292 of file strong_type.h.

292 {
293 return os << v.get();
294}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [6/12]

std::ostream & Botan::operator<< ( std::ostream & out,
const OID & oid )
inline

Definition at line 334 of file asn1_obj.h.

334 {
335 out << oid.to_string();
336 return out;
337}
std::string to_string() const
Definition asn1_oid.cpp:125

References Botan::OID::to_string().

◆ operator<<() [7/12]

std::ostream & Botan::operator<< ( std::ostream & out,
const X509_DN & dn )

Definition at line 415 of file x509_dn.cpp.

415 {
416 const auto& info = dn.dn_info();
417
418 for(size_t i = 0; i != info.size(); ++i) {
419 out << to_short_form(info[i].first) << "=\"";
420 for(char c : info[i].second.value()) {
421 if(c == '\\' || c == '\"') {
422 out << "\\";
423 }
424 out << c;
425 }
426 out << "\"";
427
428 if(i + 1 < info.size()) {
429 out << ",";
430 }
431 }
432 return out;
433}
const std::vector< std::pair< OID, ASN1_String > > & dn_info() const
Definition pkix_types.h:82

References Botan::X509_DN::dn_info().

◆ operator<<() [8/12]

std::ostream & Botan::operator<< ( std::ostream & out,
Pipe & pipe )

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outan output stream
pipethe pipe

Definition at line 19 of file pipe_io.cpp.

19 {
21 while(stream.good() && pipe.remaining() > 0) {
22 const size_t got = pipe.read(buffer.data(), buffer.size());
23 stream.write(cast_uint8_ptr_to_char(buffer.data()), static_cast<std::streamsize>(got));
24 }
25 if(!stream.good()) {
26 throw Stream_IO_Error("Pipe output operator (iostream) has failed");
27 }
28 return stream;
29}
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:282

References cast_uint8_ptr_to_char(), DefaultBufferSize, Botan::Pipe::read(), and Botan::Pipe::remaining().

◆ operator<<() [9/12]

std::ostream & Botan::operator<< ( std::ostream & stream,
const BigInt & n )

Definition at line 17 of file big_io.cpp.

17 {
18 const auto stream_flags = stream.flags();
19 if((stream_flags & std::ios::oct) != 0) {
20 throw Invalid_Argument("Octal output of BigInt not supported");
21 }
22
23 const size_t base = (stream_flags & std::ios::hex) != 0 ? 16 : 10;
24
25 if(base == 10) {
26 stream << n.to_dec_string();
27 } else {
28 stream << n.to_hex_string();
29 }
30
31 if(!stream.good()) {
32 throw Stream_IO_Error("BigInt output operator has failed");
33 }
34 return stream;
35}
std::string to_dec_string() const
Definition big_code.cpp:37
std::string to_hex_string() const
Definition big_code.cpp:104

References Botan::BigInt::to_dec_string(), and Botan::BigInt::to_hex_string().

◆ operator<<() [10/12]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator<< ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 477 of file strong_type.h.

477 {
478 return Strong<T, Tags...>(a.get() << b.get());
479}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [11/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator<< ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 472 of file strong_type.h.

472 {
473 return Strong<T1, Tags...>(a.get() << b);
474}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<() [12/12]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator<< ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 466 of file strong_type.h.

466 {
467 return Strong<T2, Tags...>(a << b.get());
468}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator<<= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 593 of file strong_type.h.

593 {
594 a.get() <<= b.get();
595 return a;
596}

References Botan::detail::Strong_Base< T >::get().

◆ operator<<=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator<<= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 587 of file strong_type.h.

587 {
588 a.get() <<= b;
589 return a;
590}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=() [1/3]

bool Botan::operator<= ( const ASN1_Time & x,
const ASN1_Time & y )

Definition at line 275 of file asn1_time.cpp.

275 {
276 return (t1.cmp(t2) <= 0);
277}

References Botan::ASN1_Time::cmp().

◆ operator<=() [2/3]

bool Botan::operator<= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1128 of file bigint.h.

1128 {
1129 return (a.cmp(b) <= 0);
1130}
int32_t cmp(const BigInt &n, bool check_signs=true) const
Definition bigint.cpp:142

References Botan::BigInt::cmp().

◆ operator<=() [3/3]

bool Botan::operator<= ( const BigInt & a,
word b )
inline

Definition at line 1152 of file bigint.h.

1152 {
1153 return (a.cmp_word(b) <= 0);
1154}

References Botan::BigInt::cmp_word().

◆ operator<=>() [1/3]

template<typename T, typename... Tags>
requires (std::three_way_comparable<T>)
auto Botan::operator<=> ( const Strong< T, Tags... > & lhs,
const Strong< T, Tags... > & rhs )

Definition at line 304 of file strong_type.h.

304 {
305 return lhs.get() <=> rhs.get();
306}

References Botan::detail::Strong_Base< T >::get(), and operator<=>().

Referenced by operator<=>().

◆ operator<=>() [2/3]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator<=> ( Strong< T1, Tags... > a,
T2 b )

Definition at line 314 of file strong_type.h.

314 {
315 return a.get() <=> b;
316}

References Botan::detail::Strong_Base< T >::get().

◆ operator<=>() [3/3]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator<=> ( T1 a,
Strong< T2, Tags... > b )

Definition at line 309 of file strong_type.h.

309 {
310 return a <=> b.get();
311}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [1/13]

bool Botan::operator== ( const AlgorithmIdentifier & a1,
const AlgorithmIdentifier & a2 )

Definition at line 53 of file alg_id.cpp.

53 {
54 if(a1.oid() != a2.oid()) {
55 return false;
56 }
57
58 /*
59 * Treat NULL and empty as equivalent
60 */
62 return true;
63 }
64
65 return (a1.parameters() == a2.parameters());
66}
bool parameters_are_null_or_empty() const
Definition asn1_obj.h:493
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:481

References Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), and Botan::AlgorithmIdentifier::parameters_are_null_or_empty().

◆ operator==() [2/13]

bool Botan::operator== ( const ASN1_Time & x,
const ASN1_Time & y )

Definition at line 267 of file asn1_time.cpp.

267 {
268 return (t1.cmp(t2) == 0);
269}

References Botan::ASN1_Time::cmp().

◆ operator==() [3/13]

bool Botan::operator== ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1120 of file bigint.h.

1120 {
1121 return a.is_equal(b);
1122}

◆ operator==() [4/13]

bool Botan::operator== ( const BigInt & a,
word b )
inline

Definition at line 1144 of file bigint.h.

1144 {
1145 return (a.cmp_word(b) == 0);
1146}

References Botan::BigInt::cmp_word().

◆ operator==() [5/13]

◆ operator==() [6/13]

bool Botan::operator== ( const CRL_Entry & lhs,
const CRL_Entry & rhs )

Test two CRL entries for equality in all fields.

Definition at line 42 of file crl_ent.cpp.

42 {
43 if(a1.serial_number() != a2.serial_number()) {
44 return false;
45 }
46 if(a1.expire_time() != a2.expire_time()) {
47 return false;
48 }
49 if(a1.reason_code() != a2.reason_code()) {
50 return false;
51 }
52 return true;
53}

References Botan::CRL_Entry::expire_time(), Botan::CRL_Entry::reason_code(), and Botan::CRL_Entry::serial_number().

◆ operator==() [7/13]

bool Botan::operator== ( const OctetString & x,
const OctetString & y )

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is equal to y

Definition at line 85 of file symkey.cpp.

85 {
86 return (s1.bits_of() == s2.bits_of());
87}

References Botan::OctetString::bits_of().

◆ operator==() [8/13]

template<typename T, typename U>
bool Botan::operator== ( const secure_allocator< T > & ,
const secure_allocator< U > &  )
inline

Definition at line 59 of file secmem.h.

59 {
60 return true;
61}

◆ operator==() [9/13]

template<typename T, typename... Tags>
requires (std::equality_comparable<T>)
bool Botan::operator== ( const Strong< T, Tags... > & lhs,
const Strong< T, Tags... > & rhs )

Definition at line 298 of file strong_type.h.

298 {
299 return lhs.get() == rhs.get();
300}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [10/13]

template<bitvectorish T1, bitvectorish T2>
bool Botan::operator== ( const T1 & lhs,
const T2 & rhs )

Definition at line 1348 of file bitvector.h.

1348 {
1349 return lhs.equals_vartime(rhs);
1350}

◆ operator==() [11/13]

bool Botan::operator== ( const X509_DN & dn1,
const X509_DN & dn2 )

Definition at line 227 of file x509_dn.cpp.

227 {
228 auto attr1 = dn1.get_attributes();
229 auto attr2 = dn2.get_attributes();
230
231 if(attr1.size() != attr2.size()) {
232 return false;
233 }
234
235 auto p1 = attr1.begin();
236 auto p2 = attr2.begin();
237
238 while(true) {
239 if(p1 == attr1.end() && p2 == attr2.end()) {
240 break;
241 }
242 if(p1 == attr1.end()) {
243 return false;
244 }
245 if(p2 == attr2.end()) {
246 return false;
247 }
248 if(p1->first != p2->first) {
249 return false;
250 }
251 if(!x500_name_cmp(p1->second, p2->second)) {
252 return false;
253 }
254 ++p1;
255 ++p2;
256 }
257 return true;
258}

References Botan::X509_DN::get_attributes().

◆ operator==() [12/13]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator== ( Strong< T1, Tags... > a,
T2 b )

Definition at line 324 of file strong_type.h.

324 {
325 return a.get() == b;
326}

References Botan::detail::Strong_Base< T >::get().

◆ operator==() [13/13]

template<std::integral T1, std::integral T2, typename... Tags>
auto Botan::operator== ( T1 a,
Strong< T2, Tags... > b )

Definition at line 319 of file strong_type.h.

319 {
320 return a == b.get();
321}

References Botan::detail::Strong_Base< T >::get().

◆ operator>() [1/3]

bool Botan::operator> ( const ASN1_Time & x,
const ASN1_Time & y )

Definition at line 287 of file asn1_time.cpp.

287 {
288 return (t1.cmp(t2) > 0);
289}

References Botan::ASN1_Time::cmp().

◆ operator>() [2/3]

bool Botan::operator> ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1140 of file bigint.h.

1140 {
1141 return b.is_less_than(a);
1142}

References Botan::BigInt::is_less_than().

◆ operator>() [3/3]

bool Botan::operator> ( const BigInt & a,
word b )
inline

Definition at line 1164 of file bigint.h.

1164 {
1165 return (a.cmp_word(b) > 0);
1166}

References Botan::BigInt::cmp_word().

◆ operator>=() [1/3]

bool Botan::operator>= ( const ASN1_Time & x,
const ASN1_Time & y )

Definition at line 279 of file asn1_time.cpp.

279 {
280 return (t1.cmp(t2) >= 0);
281}

References Botan::ASN1_Time::cmp().

◆ operator>=() [2/3]

bool Botan::operator>= ( const BigInt & a,
const BigInt & b )
inline

Definition at line 1132 of file bigint.h.

1132 {
1133 return (a.cmp(b) >= 0);
1134}

References Botan::BigInt::cmp().

◆ operator>=() [3/3]

bool Botan::operator>= ( const BigInt & a,
word b )
inline

Definition at line 1156 of file bigint.h.

1156 {
1157 return (a.cmp_word(b) >= 0);
1158}

References Botan::BigInt::cmp_word().

◆ operator>>() [1/8]

BigInt Botan::operator>> ( const BigInt & x,
size_t shift )

Definition at line 199 of file big_ops3.cpp.

199 {
200 const size_t shift_words = shift / WordInfo<word>::bits;
201 const size_t x_sw = x.sig_words();
202
203 if(shift_words >= x_sw) {
204 return BigInt::zero();
205 }
206
207 BigInt y = BigInt::with_capacity(x_sw - shift_words);
208 bigint_shr2(y.mutable_data(), x._data(), x_sw, shift);
209
210 if(x.is_negative() && y.is_zero()) {
211 y.set_sign(BigInt::Positive);
212 } else {
213 y.set_sign(x.sign());
214 }
215
216 return y;
217}

References Botan::BigInt::_data(), bigint_shr2(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::with_capacity(), and Botan::BigInt::zero().

◆ operator>>() [2/8]

int Botan::operator>> ( int in,
Pipe & pipe )

File descriptor input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
infile descriptor for an open input stream
pipethe pipe

Definition at line 39 of file fd_unix.cpp.

39 {
41 while(true) {
42 ssize_t ret = ::read(fd, buffer.data(), buffer.size());
43 if(ret < 0) {
44 throw Stream_IO_Error("Pipe input operator (unixfd) has failed");
45 } else if(ret == 0) {
46 break;
47 }
48 pipe.write(buffer.data(), static_cast<size_t>(ret));
49 }
50 return fd;
51}
void write(const uint8_t in[], size_t length)
Definition pipe_rw.cpp:42

References DefaultBufferSize, and Botan::Pipe::write().

◆ operator>>() [3/8]

std::istream & Botan::operator>> ( std::istream & in,
Pipe & pipe )

Stream input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
inthe input stream
pipethe pipe

Definition at line 34 of file pipe_io.cpp.

34 {
36 while(stream.good()) {
37 stream.read(cast_uint8_ptr_to_char(buffer.data()), static_cast<std::streamsize>(buffer.size()));
38 const size_t got = static_cast<size_t>(stream.gcount());
39 pipe.write(buffer.data(), got);
40 }
41 if(stream.bad() || (stream.fail() && !stream.eof())) {
42 throw Stream_IO_Error("Pipe input operator (iostream) has failed");
43 }
44 return stream;
45}

References cast_uint8_ptr_to_char(), DefaultBufferSize, and Botan::Pipe::write().

◆ operator>>() [4/8]

std::istream & Botan::operator>> ( std::istream & in,
X509_DN & dn )

Definition at line 435 of file x509_dn.cpp.

435 {
436 in >> std::noskipws;
437 // NOLINTNEXTLINE(*-avoid-do-while)
438 do {
439 std::string key;
440 std::string val;
441 char c = 0;
442
443 while(in.good()) {
444 in >> c;
445
446 if(is_space(c) && key.empty()) {
447 continue;
448 } else if(!is_space(c)) {
449 key.push_back(c);
450 break;
451 } else {
452 break;
453 }
454 }
455
456 while(in.good()) {
457 in >> c;
458
459 if(!is_space(c) && c != '=') {
460 key.push_back(c);
461 } else if(c == '=') {
462 break;
463 } else {
464 throw Invalid_Argument("Ill-formed X.509 DN");
465 }
466 }
467
468 bool in_quotes = false;
469 while(in.good()) {
470 in >> c;
471
472 if(is_space(c)) {
473 if(!in_quotes && !val.empty()) {
474 break;
475 } else if(in_quotes) {
476 val.push_back(' ');
477 }
478 } else if(c == '"') {
479 in_quotes = !in_quotes;
480 } else if(c == '\\') {
481 if(in.good()) {
482 in >> c;
483 }
484 val.push_back(c);
485 } else if(c == ',' && !in_quotes) {
486 break;
487 } else {
488 val.push_back(c);
489 }
490 }
491
492 if(!key.empty() && !val.empty()) {
494 } else {
495 break;
496 }
497 } while(in.good());
498 return in;
499}
void add_attribute(std::string_view key, std::string_view val)
Definition x509_dn.cpp:100
static std::string deref_info_field(std::string_view key)
Definition x509_dn.cpp:196

References Botan::X509_DN::add_attribute(), and Botan::X509_DN::deref_info_field().

◆ operator>>() [5/8]

std::istream & Botan::operator>> ( std::istream & stream,
BigInt & n )

Definition at line 40 of file big_io.cpp.

40 {
41 std::string str;
42 std::getline(stream, str);
43 if(stream.bad() || (stream.fail() && !stream.eof())) {
44 throw Stream_IO_Error("BigInt input operator has failed");
45 }
46 n = BigInt(str);
47 return stream;
48}

◆ operator>>() [6/8]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator>> ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 460 of file strong_type.h.

460 {
461 return Strong<T, Tags...>(a.get() >> b.get());
462}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>() [7/8]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator>> ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 455 of file strong_type.h.

455 {
456 return Strong<T1, Tags...>(a.get() >> b);
457}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>() [8/8]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator>> ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 449 of file strong_type.h.

449 {
450 return Strong<T2, Tags...>(a >> b.get());
451}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator>>= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 580 of file strong_type.h.

580 {
581 a.get() >>= b.get();
582 return a;
583}

References Botan::detail::Strong_Base< T >::get().

◆ operator>>=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator>>= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 574 of file strong_type.h.

574 {
575 a.get() >>= b;
576 return a;
577}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [1/5]

OctetString Botan::operator^ ( const OctetString & x,
const OctetString & y )

XOR two strings

Parameters
xan octet string
yan octet string
Returns
x XORed with y

Definition at line 109 of file symkey.cpp.

109 {
110 secure_vector<uint8_t> out(std::max(k1.length(), k2.length()));
111
112 copy_mem(out.data(), k1.begin(), k1.length());
113 xor_buf(out.data(), k2.begin(), k2.length());
114 return OctetString(out);
115}

References Botan::OctetString::begin(), copy_mem(), Botan::OctetString::length(), OctetString, and xor_buf().

◆ operator^() [2/5]

template<bitvectorish T1, bitvectorish T2>
auto Botan::operator^ ( const T1 & lhs,
const T2 & rhs )

Definition at line 1341 of file bitvector.h.

1341 {
1342 auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
1343 res ^= rhs;
1344 return res;
1345}

References Botan::detail::copy_lhs_allocator_aware().

◆ operator^() [3/5]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator^ ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 409 of file strong_type.h.

409 {
410 return Strong<T, Tags...>(a.get() ^ b.get());
411}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [4/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator^ ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 404 of file strong_type.h.

404 {
405 return Strong<T1, Tags...>(a.get() ^ b);
406}

References Botan::detail::Strong_Base< T >::get().

◆ operator^() [5/5]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator^ ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 398 of file strong_type.h.

398 {
399 return Strong<T2, Tags...>(a ^ b.get());
400}

References Botan::detail::Strong_Base< T >::get().

◆ operator^=() [1/3]

template<typename Alloc, typename Alloc2>
std::vector< uint8_t, Alloc > & Botan::operator^= ( std::vector< uint8_t, Alloc > & out,
const std::vector< uint8_t, Alloc2 > & in )

Definition at line 446 of file mem_ops.h.

446 {
447 if(out.size() < in.size()) {
448 out.resize(in.size());
449 }
450
451 xor_buf(std::span{out}.first(in.size()), in);
452 return out;
453}

References xor_buf().

◆ operator^=() [2/3]

template<std::integral T, typename... Tags>
auto Botan::operator^= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 541 of file strong_type.h.

541 {
542 a.get() ^= b.get();
543 return a;
544}

References Botan::detail::Strong_Base< T >::get().

◆ operator^=() [3/3]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator^= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 535 of file strong_type.h.

535 {
536 a.get() ^= b;
537 return a;
538}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [1/11]

ASN1_Class Botan::operator| ( ASN1_Class x,
ASN1_Class y )
inline

Definition at line 78 of file asn1_obj.h.

78 {
79 return static_cast<ASN1_Class>(static_cast<uint32_t>(x) | static_cast<uint32_t>(y));
80}
ASN1_Class
Definition asn1_obj.h:28

◆ operator|() [2/11]

uint32_t Botan::operator| ( ASN1_Class x,
ASN1_Type y )
inline

Definition at line 86 of file asn1_obj.h.

86 {
87 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
88}

◆ operator|() [3/11]

uint32_t Botan::operator| ( ASN1_Type x,
ASN1_Class y )
inline

Definition at line 82 of file asn1_obj.h.

82 {
83 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
84}

◆ operator|() [4/11]

ASN1_Type Botan::operator| ( ASN1_Type x,
ASN1_Type y )
inline

Definition at line 74 of file asn1_obj.h.

74 {
75 return static_cast<ASN1_Type>(static_cast<uint32_t>(x) | static_cast<uint32_t>(y));
76}
ASN1_Type
Definition asn1_obj.h:43

◆ operator|() [5/11]

donna128 Botan::operator| ( const donna128 & x,
const donna128 & y )
inlineconstexpr

Definition at line 121 of file donna128.h.

121 {
122 return donna128(x.lo() | y.lo(), x.hi() | y.hi());
123}

References Botan::donna128::hi(), and Botan::donna128::lo().

◆ operator|() [6/11]

donna128 Botan::operator| ( const donna128 & x,
uint64_t y )
inlineconstexpr

Definition at line 125 of file donna128.h.

125 {
126 return donna128(x.lo() | y, x.hi());
127}

References Botan::donna128::hi(), and Botan::donna128::lo().

◆ operator|() [7/11]

template<bitvectorish T1, bitvectorish T2>
auto Botan::operator| ( const T1 & lhs,
const T2 & rhs )

Definition at line 1327 of file bitvector.h.

1327 {
1328 auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
1329 res |= rhs;
1330 return res;
1331}

References Botan::detail::copy_lhs_allocator_aware().

◆ operator|() [8/11]

ECIES_Flags Botan::operator| ( ECIES_Flags a,
ECIES_Flags b )
inline

Definition at line 65 of file ecies.h.

65 {
66 // NOLINTNEXTLINE(clang-analyzer-optin.core.EnumCastOutOfRange)
67 return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) | static_cast<uint32_t>(b));
68}

◆ operator|() [9/11]

template<std::integral T, typename... Tags>
decltype(auto) Botan::operator| ( Strong< T, Tags... > a,
Strong< T, Tags... > b )
constexpr

Definition at line 443 of file strong_type.h.

443 {
444 return Strong<T, Tags...>(a.get() | b.get());
445}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [10/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator| ( Strong< T1, Tags... > a,
T2 b )
constexpr

Definition at line 438 of file strong_type.h.

438 {
439 return Strong<T1, Tags...>(a.get() | b);
440}

References Botan::detail::Strong_Base< T >::get().

◆ operator|() [11/11]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
decltype(auto) Botan::operator| ( T1 a,
Strong< T2, Tags... > b )
constexpr

Definition at line 432 of file strong_type.h.

432 {
433 return Strong<T2, Tags...>(a | b.get());
434}

References Botan::detail::Strong_Base< T >::get().

◆ operator|=() [1/2]

template<std::integral T, typename... Tags>
auto Botan::operator|= ( Strong< T, Tags... > & a,
Strong< T, Tags... > b )
constexpr

Definition at line 567 of file strong_type.h.

567 {
568 a.get() |= b.get();
569 return a;
570}

References Botan::detail::Strong_Base< T >::get().

◆ operator|=() [2/2]

template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
auto Botan::operator|= ( Strong< T1, Tags... > & a,
T2 b )
constexpr

Definition at line 561 of file strong_type.h.

561 {
562 a.get() |= b;
563 return a;
564}

References Botan::detail::Strong_Base< T >::get().

◆ OS2ECP() [1/3]

EC_Point Botan::OS2ECP ( const uint8_t data[],
size_t data_len,
const CurveGFp & curve )

Perform point decoding Use EC_Group::OS2ECP instead

Definition at line 859 of file ec_point.cpp.

859 {
860 if(data_len == 1 && data[0] == 0) {
861 // SEC1 standard representation of the point at infinity
862 return EC_Point(curve);
863 }
864
865 const auto [g_x, g_y] = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b());
866
867 EC_Point point(curve, g_x, g_y);
868
869 if(!point.on_the_curve()) {
870 throw Decoding_Error("OS2ECP: Decoded point was not on the curve");
871 }
872
873 return point;
874}
const BigInt & get_a() const
Definition ec_point.cpp:37
const BigInt & get_p() const
Definition ec_point.cpp:45
const BigInt & get_b() const
Definition ec_point.cpp:41
EC_Point OS2ECP(std::span< const uint8_t > data, const CurveGFp &curve)
Definition ec_point.cpp:855

References Botan::CurveGFp::get_a(), Botan::CurveGFp::get_b(), Botan::CurveGFp::get_p(), Botan::EC_Point::on_the_curve(), and OS2ECP().

◆ OS2ECP() [2/3]

std::pair< BigInt, BigInt > BOTAN_UNSTABLE_API Botan::OS2ECP ( const uint8_t data[],
size_t data_len,
const BigInt & curve_p,
const BigInt & curve_a,
const BigInt & curve_b )

Perform point decoding

This is an internal function which was accidentally made public. Do not use it; it will be removed in Botan4.

Parameters
datathe encoded point
data_lenlength of data in bytes
curve_pthe curve equation prime
curve_athe curve equation a parameter
curve_bthe curve equation b parameter

Definition at line 876 of file ec_point.cpp.

876 {
877 if(pt_len <= 1) {
878 throw Decoding_Error("OS2ECP invalid point encoding");
879 }
880
881 const uint8_t pc = pt[0];
882 const size_t p_bytes = p.bytes();
883
884 BigInt x;
885 BigInt y;
886
887 if(pc == 2 || pc == 3) {
888 if(pt_len != 1 + p_bytes) {
889 throw Decoding_Error("OS2ECP invalid point encoding");
890 }
891 x = BigInt::decode(&pt[1], pt_len - 1);
892
893 const bool y_mod_2 = ((pc & 0x01) == 1);
894 y = decompress_point(y_mod_2, x, p, a, b);
895 } else if(pc == 4) {
896 if(pt_len != 1 + 2 * p_bytes) {
897 throw Decoding_Error("OS2ECP invalid point encoding");
898 }
899
900 x = BigInt::decode(&pt[1], p_bytes);
901 y = BigInt::decode(&pt[p_bytes + 1], p_bytes);
902 } else if(pc == 6 || pc == 7) {
903 if(pt_len != 1 + 2 * p_bytes) {
904 throw Decoding_Error("OS2ECP invalid point encoding");
905 }
906
907 x = BigInt::decode(&pt[1], p_bytes);
908 y = BigInt::decode(&pt[p_bytes + 1], p_bytes);
909
910 const bool y_mod_2 = ((pc & 0x01) == 1);
911
912 if(decompress_point(y_mod_2, x, p, a, b) != y) {
913 throw Decoding_Error("OS2ECP: Decoding error in hybrid format");
914 }
915 } else {
916 throw Decoding_Error("OS2ECP: Unknown format type " + std::to_string(static_cast<int>(pc)));
917 }
918
919 if(x >= p || y >= p) {
920 throw Decoding_Error("OS2ECP invalid point encoding");
921 }
922
923 return std::make_pair(x, y);
924}
static BigInt decode(const uint8_t buf[], size_t length)
Definition bigint.h:857

References Botan::BigInt::bytes(), and Botan::BigInt::decode().

◆ OS2ECP() [3/3]

EC_Point BOTAN_UNSTABLE_API Botan::OS2ECP ( std::span< const uint8_t > data,
const CurveGFp & curve )

Definition at line 855 of file ec_point.cpp.

855 {
856 return OS2ECP(data.data(), data.size(), curve);
857}

References OS2ECP().

Referenced by OS2ECP(), OS2ECP(), and Botan::EC_Group_Data::point_deserialize().

◆ out_opt()

template<typename T>
requires std::is_default_constructible_v<T>
auto Botan::out_opt ( std::optional< T > & outopt)
nodiscardconstexprnoexcept

Definition at line 444 of file stl_util.h.

444 {
445 class out_opt_t {
446 public:
447 constexpr ~out_opt_t() noexcept { m_opt = m_raw; }
448
449 // NOLINTNEXTLINE(*-explicit-conversions) FIXME
450 constexpr out_opt_t(std::optional<T>& outopt) noexcept : m_opt(outopt) {}
451
452 out_opt_t(const out_opt_t&) = delete;
453 out_opt_t(out_opt_t&&) = delete;
454 out_opt_t& operator=(const out_opt_t&) = delete;
455 out_opt_t& operator=(out_opt_t&&) = delete;
456
457 // NOLINTNEXTLINE(*-explicit-conversions) FIXME
458 [[nodiscard]] constexpr operator T*() && noexcept { return &m_raw; }
459
460 private:
461 std::optional<T>& m_opt;
462 T m_raw;
463 };
464
465 return out_opt_t{outopt};
466}

◆ out_ptr()

template<typename T>
auto Botan::out_ptr ( T & outptr)
nodiscardconstexprnoexcept

Definition at line 415 of file stl_util.h.

415 {
416 class out_ptr_t {
417 public:
418 constexpr ~out_ptr_t() noexcept {
419 m_ptr.reset(m_rawptr);
420 m_rawptr = nullptr;
421 }
422
423 // NOLINTNEXTLINE(*-explicit-conversions) FIXME
424 constexpr out_ptr_t(T& outptr) noexcept : m_ptr(outptr), m_rawptr(nullptr) {}
425
426 out_ptr_t(const out_ptr_t&) = delete;
427 out_ptr_t(out_ptr_t&&) = delete;
428 out_ptr_t& operator=(const out_ptr_t&) = delete;
429 out_ptr_t& operator=(out_ptr_t&&) = delete;
430
431 // NOLINTNEXTLINE(*-explicit-conversions) FIXME
432 [[nodiscard]] constexpr operator typename T::element_type **() && noexcept { return &m_rawptr; }
433
434 private:
435 T& m_ptr;
436 typename T::element_type* m_rawptr;
437 };
438
439 return out_ptr_t{outptr};
440}

Referenced by Botan::TPM2::Object::_public_info(), base_decode(), Botan::TPM2::PrivateKey::create_transient_from_template(), Botan::TPM2::HashFunction::final_with_ticket(), hex_decode(), Botan::TPM2::Signature_Operation::sign(), Botan::TLS::Extensions::take(), and Botan::TPM2::Session::tpm_nonce().

◆ overloaded()

template<class... Ts>
Botan::overloaded ( Ts... ) -> overloaded< Ts... >

◆ p_div_2_plus_1()

template<WordType W, size_t N>
std::array< W, N > Botan::p_div_2_plus_1 ( const std::array< W, N > & p)
inlineconsteval

Definition at line 206 of file pcurves_util.h.

206 {
207 const W one = 1;
208 std::array<W, N> r = p;
210 bigint_add2(r.data(), N, &one, 1);
211 return r;
212}
constexpr auto bigint_add2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:96
constexpr W shift_right(std::array< W, N > &x)
Definition mp_core.h:626

References bigint_add2(), and shift_right().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::_invert_vartime_div2_helper(), and Botan::IntMod< MontgomeryRep< ScalarParams > >::div2().

◆ p_minus()

template<uint8_t X, WordType W, size_t N>
std::array< W, N > Botan::p_minus ( const std::array< W, N > & p)
inlineconsteval

Definition at line 175 of file pcurves_util.h.

175 {
176 // TODO combine into p_plus_x_over_y<-1, 1>
177 static_assert(X > 0);
178 std::array<W, N> r{};
179 W x = X;
180 bigint_sub3(r.data(), p.data(), N, &x, 1);
181 std::reverse(r.begin(), r.end());
182 return r;
183}

References bigint_sub3().

◆ p_minus_1_over_2()

template<WordType W, size_t N>
std::array< W, N > Botan::p_minus_1_over_2 ( const std::array< W, N > & p)
inlineconsteval

Definition at line 196 of file pcurves_util.h.

196 {
197 const W one = 1;
198 std::array<W, N> r{};
199 bigint_sub3(r.data(), p.data(), N, &one, 1);
201 std::reverse(r.begin(), r.end());
202 return r;
203}

References bigint_sub3(), and shift_right().

Referenced by shanks_tonelli_c4(), and Botan::IntMod< MontgomeryRep< ScalarParams > >::sqrt().

◆ p_plus_1_over_4()

template<WordType W, size_t N>
std::array< W, N > Botan::p_plus_1_over_4 ( const std::array< W, N > & p)
inlineconsteval

Definition at line 186 of file pcurves_util.h.

186 {
187 const W one = 1;
188 std::array<W, N> r{};
189 bigint_add3(r.data(), p.data(), N, &one, 1);
191 std::reverse(r.begin(), r.end());
192 return r;
193}

References bigint_add3(), and shift_right().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::sqrt().

◆ parse_algorithm_name()

std::vector< std::string > Botan::parse_algorithm_name ( std::string_view scan_name)

Parse a SCAN-style algorithm name

Parameters
scan_namethe name
Returns
the name components

Definition at line 57 of file parsing.cpp.

57 {
58 if(namex.find('(') == std::string::npos && namex.find(')') == std::string::npos) {
59 return {std::string(namex)};
60 }
61
62 std::string name(namex);
63 std::string substring;
64 std::vector<std::string> elems;
65 size_t level = 0;
66
67 elems.push_back(name.substr(0, name.find('(')));
68 name = name.substr(name.find('('));
69
70 for(auto i = name.begin(); i != name.end(); ++i) {
71 char c = *i;
72
73 if(c == '(') {
74 ++level;
75 }
76 if(c == ')') {
77 if(level == 1 && i == name.end() - 1) {
78 if(elems.size() == 1) {
79 elems.push_back(substring.substr(1));
80 } else {
81 elems.push_back(substring);
82 }
83 return elems;
84 }
85
86 if(level == 0 || (level == 1 && i != name.end() - 1)) {
87 throw Invalid_Algorithm_Name(namex);
88 }
89 --level;
90 }
91
92 if(c == ',' && level == 1) {
93 if(elems.size() == 1) {
94 elems.push_back(substring.substr(1));
95 } else {
96 elems.push_back(substring);
97 }
98 substring.clear();
99 } else {
100 substring += c;
101 }
102 }
103
104 if(!substring.empty()) {
105 throw Invalid_Algorithm_Name(namex);
106 }
107
108 return elems;
109}

Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), and Botan::EME::create().

◆ passes_miller_rabin_test()

bool Botan::passes_miller_rabin_test ( const BigInt & n,
const Barrett_Reduction & mod_n,
const Montgomery_Params & monty_n,
const BigInt & a )

Perform a single Miller-Rabin test with specified base

Parameters
nthe positive integer to test
mod_na pre-created Barrett_Reduction for n
monty_nMontgomery parameters for n
athe base to check
Returns
result of primality test

Definition at line 110 of file primality.cpp.

113 {
114 if(n < 3 || n.is_even()) {
115 return false;
116 }
117
118 BOTAN_ASSERT_NOMSG(n > 1);
119
120 const BigInt n_minus_1 = n - 1;
121 const size_t s = low_zero_bits(n_minus_1);
122 const BigInt nm1_s = n_minus_1 >> s;
123 const size_t n_bits = n.bits();
124
125 const size_t powm_window = 4;
126
127 auto powm_a_n = monty_precompute(monty_n, a, powm_window);
128
129 BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits).value();
130
131 if(y == 1 || y == n_minus_1) {
132 return true;
133 }
134
135 for(size_t i = 1; i != s; ++i) {
136 y = mod_n.square(y);
137
138 if(y == 1) { // found a non-trivial square root
139 return false;
140 }
141
142 /*
143 -1 is the trivial square root of unity, so ``a`` is not a
144 witness for this number - give up
145 */
146 if(y == n_minus_1) {
147 return true;
148 }
149 }
150
151 return false;
152}
BigInt square(const BigInt &x) const
Definition barrett.cpp:183
BigInt value() const
Definition monty.cpp:245

References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::BigInt::is_even(), low_zero_bits(), monty_execute(), monty_precompute(), Botan::Barrett_Reduction::square(), and Botan::Montgomery_Int::value().

Referenced by is_bailie_psw_probable_prime(), and is_miller_rabin_probable_prime().

◆ pbes2_decrypt()

secure_vector< uint8_t > Botan::pbes2_decrypt ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
const std::vector< uint8_t > & params )

Decrypt a PKCS #5 v2.0 encrypted stream

Parameters
key_bitsthe input
passphrasethe passphrase to use for decryption
paramsthe PBES2 parameters

Definition at line 283 of file pbes2.cpp.

285 {
286 AlgorithmIdentifier kdf_algo;
287 AlgorithmIdentifier enc_algo;
288
289 BER_Decoder(params).start_sequence().decode(kdf_algo).decode(enc_algo).end_cons();
290
291 const std::string cipher = enc_algo.oid().human_name_or_empty();
292 const auto cipher_spec = split_on(cipher, '/');
293 if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1])) {
294 throw Decoding_Error(fmt("PBE-PKCS5 v2.0: Unknown/invalid cipher OID {}", enc_algo.oid()));
295 }
296
298 BER_Decoder(enc_algo.parameters()).decode(iv, ASN1_Type::OctetString).verify_end();
299
301 if(!dec) {
302 throw Decoding_Error(fmt("PBE-PKCS5 cannot decrypt no cipher '{}'", cipher));
303 }
304
305 dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));
306
307 dec->start(iv);
308
309 secure_vector<uint8_t> buf(key_bits.begin(), key_bits.end());
310 dec->finish(buf);
311
312 return buf;
313}
BER_Decoder & decode(bool &out)
Definition ber_dec.h:188
BER_Decoder & end_cons()
Definition ber_dec.cpp:312
BER_Decoder start_sequence()
Definition ber_dec.h:125
std::string human_name_or_empty() const
Definition asn1_oid.cpp:147

References Botan::Cipher_Mode::create(), Botan::BER_Decoder::decode(), Decryption, Botan::BER_Decoder::end_cons(), fmt(), Botan::OID::human_name_or_empty(), OctetString, Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), split_on(), Botan::BER_Decoder::start_sequence(), and Botan::BER_Decoder::verify_end().

◆ pbes2_encrypt()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
std::chrono::milliseconds msec,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 245 of file pbes2.cpp.

250 {
251 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
252 return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
253 // return value msec_in_iterations_out discarded
254}

◆ pbes2_encrypt_iter()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_iter ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
size_t iterations,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
iterationshow many iterations to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 274 of file pbes2.cpp.

279 {
280 return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng);
281}

Referenced by Botan::PKCS8::BER_encode_encrypted_pbkdf_iter().

◆ pbes2_encrypt_msec()

std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_msec ( std::span< const uint8_t > key_bits,
std::string_view passphrase,
std::chrono::milliseconds msec,
size_t * out_iterations_if_nonnull,
std::string_view cipher,
std::string_view digest,
RandomNumberGenerator & rng )

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
out_iterations_if_nonnullif not null, set to the number of PBKDF iterations used
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 256 of file pbes2.cpp.

262 {
263 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
264
265 auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
266
267 if(out_iterations_if_nonnull != nullptr) {
268 *out_iterations_if_nonnull = msec_in_iterations_out;
269 }
270
271 return ret;
272}

Referenced by Botan::PKCS8::BER_encode(), and Botan::PKCS8::BER_encode_encrypted_pbkdf_msec().

◆ pbkdf2() [1/2]

void Botan::pbkdf2 ( MessageAuthenticationCode & prf,
uint8_t out[],
size_t out_len,
const uint8_t salt[],
size_t salt_len,
size_t iterations )

Perform PBKDF2. The prf is assumed to be keyed already.

Definition at line 91 of file pbkdf2.cpp.

96 {
97 if(iterations == 0) {
98 throw Invalid_Argument("PBKDF2: Invalid iteration count");
99 }
100
101 clear_mem(out, out_len);
102
103 if(out_len == 0) {
104 return;
105 }
106
107 const size_t prf_sz = prf.output_length();
108 BOTAN_ASSERT_NOMSG(prf_sz > 0);
109
110 secure_vector<uint8_t> U(prf_sz);
111
112 uint32_t counter = 1;
113 while(out_len > 0) {
114 const size_t prf_output = std::min<size_t>(prf_sz, out_len);
115
116 prf.update(salt, salt_len);
117 prf.update_be(counter++);
118 prf.final(U.data());
119
120 xor_buf(out, U.data(), prf_output);
121
122 for(size_t i = 1; i != iterations; ++i) {
123 prf.update(U);
124 prf.final(U.data());
125 xor_buf(out, U.data(), prf_output);
126 }
127
128 out_len -= prf_output;
129 out += prf_output;
130 }
131}

References BOTAN_ASSERT_NOMSG, clear_mem(), Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

◆ pbkdf2() [2/2]

size_t Botan::pbkdf2 ( MessageAuthenticationCode & prf,
uint8_t out[],
size_t out_len,
std::string_view password,
const uint8_t salt[],
size_t salt_len,
size_t iterations,
std::chrono::milliseconds msec )

Definition at line 72 of file pbkdf2.cpp.

79 {
80 if(iterations == 0) {
81 iterations = tune_pbkdf2(prf, out_len, msec);
82 }
83
84 PBKDF2 pbkdf2(prf, iterations);
85
86 pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
87
88 return iterations;
89}
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition pbkdf2.cpp:72

References pbkdf2().

Referenced by Botan::PBKDF2::derive_key(), Botan::Scrypt::derive_key(), Botan::PKCS5_PBKDF2::pbkdf(), and pbkdf2().

◆ pkcs_hash_id()

std::vector< uint8_t > BOTAN_TEST_API Botan::pkcs_hash_id ( std::string_view hash_name)

Return the PKCS #1 hash identifier

See also
RFC 3447 section 9.2
Parameters
hash_namethe name of the hash function
Returns
uint8_t sequence identifying the hash
Exceptions
Invalid_Argumentif the hash has no known PKCS #1 hash id

Definition at line 78 of file hash_id.cpp.

78 {
79 // Special case for SSL/TLS RSA signatures
80 if(name == "Parallel(MD5,SHA-1)") {
81 return std::vector<uint8_t>();
82 }
83
84 // If you add a value to this function, also update test_hash_id.cpp
85
86 if(name == "MD5") {
87 return std::vector<uint8_t>(MD5_PKCS_ID, MD5_PKCS_ID + sizeof(MD5_PKCS_ID));
88 }
89
90 if(name == "RIPEMD-160") {
91 return std::vector<uint8_t>(RIPEMD_160_PKCS_ID, RIPEMD_160_PKCS_ID + sizeof(RIPEMD_160_PKCS_ID));
92 }
93
94 if(name == "SHA-1") {
95 return std::vector<uint8_t>(SHA_1_PKCS_ID, SHA_1_PKCS_ID + sizeof(SHA_1_PKCS_ID));
96 }
97
98 if(name == "SHA-224") {
99 return std::vector<uint8_t>(SHA_224_PKCS_ID, SHA_224_PKCS_ID + sizeof(SHA_224_PKCS_ID));
100 }
101
102 if(name == "SHA-256") {
103 return std::vector<uint8_t>(SHA_256_PKCS_ID, SHA_256_PKCS_ID + sizeof(SHA_256_PKCS_ID));
104 }
105
106 if(name == "SHA-384") {
107 return std::vector<uint8_t>(SHA_384_PKCS_ID, SHA_384_PKCS_ID + sizeof(SHA_384_PKCS_ID));
108 }
109
110 if(name == "SHA-512") {
111 return std::vector<uint8_t>(SHA_512_PKCS_ID, SHA_512_PKCS_ID + sizeof(SHA_512_PKCS_ID));
112 }
113
114 if(name == "SHA-512-256") {
115 return std::vector<uint8_t>(SHA_512_256_PKCS_ID, SHA_512_256_PKCS_ID + sizeof(SHA_512_256_PKCS_ID));
116 }
117
118 if(name == "SHA-3(224)") {
119 return std::vector<uint8_t>(SHA3_224_PKCS_ID, SHA3_224_PKCS_ID + sizeof(SHA3_224_PKCS_ID));
120 }
121
122 if(name == "SHA-3(256)") {
123 return std::vector<uint8_t>(SHA3_256_PKCS_ID, SHA3_256_PKCS_ID + sizeof(SHA3_256_PKCS_ID));
124 }
125
126 if(name == "SHA-3(384)") {
127 return std::vector<uint8_t>(SHA3_384_PKCS_ID, SHA3_384_PKCS_ID + sizeof(SHA3_384_PKCS_ID));
128 }
129
130 if(name == "SHA-3(512)") {
131 return std::vector<uint8_t>(SHA3_512_PKCS_ID, SHA3_512_PKCS_ID + sizeof(SHA3_512_PKCS_ID));
132 }
133
134 if(name == "SM3") {
135 return std::vector<uint8_t>(SM3_PKCS_ID, SM3_PKCS_ID + sizeof(SM3_PKCS_ID));
136 }
137
138 throw Invalid_Argument("No PKCS #1 identifier for " + std::string(name));
139}

Referenced by botan_pkcs_hash_id(), Botan::PKCS1v15_Raw_SignaturePaddingScheme::PKCS1v15_Raw_SignaturePaddingScheme(), and Botan::PKCS1v15_SignaturePaddingScheme::PKCS1v15_SignaturePaddingScheme().

◆ point_add()

template<typename ProjectivePoint, typename FieldElement>
ProjectivePoint Botan::point_add ( const ProjectivePoint & a,
const ProjectivePoint & b )
inlineconstexpr

Definition at line 180 of file pcurves_algos.h.

180 {
181 const auto a_is_identity = a.is_identity();
182 const auto b_is_identity = b.is_identity();
183
184 const auto Z1Z1 = a.z().square();
185 const auto Z2Z2 = b.z().square();
186 const auto U1 = a.x() * Z2Z2;
187 const auto U2 = b.x() * Z1Z1;
188 const auto S1 = a.y() * b.z() * Z2Z2;
189 const auto S2 = b.y() * a.z() * Z1Z1;
190 const auto H = U2 - U1;
191 const auto r = S2 - S1;
192
193 /* Risky conditional
194 *
195 * This implementation uses projective coordinates, which do not have an efficient complete
196 * addition formula. We rely on the design of the multiplication algorithms to avoid doublings.
197 *
198 * This conditional only comes into play for the actual doubling case, not x + (-x) which
199 * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0,
200 * in which case at the end we'll set z to a.z * b.z * H = 0, resulting in the correct
201 * output (the identity element)
202 */
203 if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) {
204 return a.dbl();
205 }
206
207 const auto HH = H.square();
208 const auto HHH = H * HH;
209 const auto V = U1 * HH;
210 const auto t2 = r.square();
211 const auto t3 = V + V;
212 const auto t4 = t2 - HHH;
213 auto X3 = t4 - t3;
214 const auto t5 = V - X3;
215 const auto t6 = S1 * HHH;
216 const auto t7 = r * t5;
217 auto Y3 = t7 - t6;
218 const auto t8 = b.z() * H;
219 auto Z3 = a.z() * t8;
220
221 // if a is identity then return b
222 FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), b.z());
223
224 // if b is identity then return a
225 FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z());
226
227 return ProjectivePoint(X3, Y3, Z3);
228}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::add().

◆ point_add_mixed()

template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
ProjectivePoint Botan::point_add_mixed ( const ProjectivePoint & a,
const AffinePoint & b,
const FieldElement & one )
inlineconstexpr

Definition at line 231 of file pcurves_algos.h.

233 {
234 const auto a_is_identity = a.is_identity();
235 const auto b_is_identity = b.is_identity();
236
237 /*
238 https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
239
240 Cost: 8M + 3S + 6add + 1*2
241 */
242
243 const auto Z1Z1 = a.z().square();
244 const auto U2 = b.x() * Z1Z1;
245 const auto S2 = b.y() * a.z() * Z1Z1;
246 const auto H = U2 - a.x();
247 const auto r = S2 - a.y();
248
249 /* Risky conditional
250 *
251 * This implementation uses projective coordinates, which do not have an efficient complete
252 * addition formula. We rely on the design of the multiplication algorithms to avoid doublings.
253 *
254 * This conditional only comes into play for the actual doubling case, not x + (-x) which
255 * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0,
256 * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output
257 * (the identity element)
258 */
259 if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) {
260 return a.dbl();
261 }
262
263 const auto HH = H.square();
264 const auto HHH = H * HH;
265 const auto V = a.x() * HH;
266 const auto t2 = r.square();
267 const auto t3 = V + V;
268 const auto t4 = t2 - HHH;
269 auto X3 = t4 - t3;
270 const auto t5 = V - X3;
271 const auto t6 = a.y() * HHH;
272 const auto t7 = r * t5;
273 auto Y3 = t7 - t6;
274 auto Z3 = a.z() * H;
275
276 // if a is identity then return b
277 FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), b.y(), one);
278
279 // if b is identity then return a
280 FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z());
281
282 return ProjectivePoint(X3, Y3, Z3);
283}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::add_mixed().

◆ point_add_or_sub_mixed()

template<typename ProjectivePoint, typename AffinePoint, typename FieldElement>
ProjectivePoint Botan::point_add_or_sub_mixed ( const ProjectivePoint & a,
const AffinePoint & b,
CT::Choice sub,
const FieldElement & one )
inlineconstexpr

Definition at line 286 of file pcurves_algos.h.

289 {
290 const auto a_is_identity = a.is_identity();
291 const auto b_is_identity = b.is_identity();
292
293 /*
294 https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
295
296 Cost: 8M + 3S + 6add + 1*2
297 */
298
299 auto by = b.y();
300 by.conditional_assign(sub, by.negate());
301
302 const auto Z1Z1 = a.z().square();
303 const auto U2 = b.x() * Z1Z1;
304 const auto S2 = by * a.z() * Z1Z1;
305 const auto H = U2 - a.x();
306 const auto r = S2 - a.y();
307
308 /* Risky conditional
309 *
310 * This implementation uses projective coordinates, which do not have an efficient complete
311 * addition formula. We rely on the design of the multiplication algorithms to avoid doublings.
312 *
313 * This conditional only comes into play for the actual doubling case, not x + (-x) which
314 * is another exceptional case in some circumstances. Here if a == -b then H == 0 && r != 0,
315 * in which case at the end we'll set z to a.z * H = 0, resulting in the correct output
316 * (the identity element)
317 */
318 if((r.is_zero() && H.is_zero() && !(a_is_identity && b_is_identity)).as_bool()) {
319 return a.dbl();
320 }
321
322 const auto HH = H.square();
323 const auto HHH = H * HH;
324 const auto V = a.x() * HH;
325 const auto t2 = r.square();
326 const auto t3 = V + V;
327 const auto t4 = t2 - HHH;
328 auto X3 = t4 - t3;
329 const auto t5 = V - X3;
330 const auto t6 = a.y() * HHH;
331 const auto t7 = r * t5;
332 auto Y3 = t7 - t6;
333 auto Z3 = a.z() * H;
334
335 // if a is identity then return b
336 FieldElement::conditional_assign(X3, Y3, Z3, a_is_identity, b.x(), by, one);
337
338 // if b is identity then return a
339 FieldElement::conditional_assign(X3, Y3, Z3, b_is_identity, a.x(), a.y(), a.z());
340
341 return ProjectivePoint(X3, Y3, Z3);
342}

Referenced by Botan::ProjectiveCurvePoint< FieldElement, Params >::add_or_sub().

◆ poly_double_n() [1/2]

void Botan::poly_double_n ( uint8_t buf[],
size_t n )
inline

Definition at line 26 of file poly_dbl.h.

26 {
27 return poly_double_n(buf, buf, n);
28}
void poly_double_n(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:81

References poly_double_n().

◆ poly_double_n() [2/2]

void BOTAN_TEST_API Botan::poly_double_n ( uint8_t out[],
const uint8_t in[],
size_t n )

Polynomial doubling in GF(2^n)

Definition at line 81 of file poly_dbl.cpp.

81 {
82 switch(n) {
83 case 8:
84 return poly_double<1, MinWeightPolynomial::P64>(out, in);
85 case 16:
86 return poly_double<2, MinWeightPolynomial::P128>(out, in);
87 case 24:
88 return poly_double<3, MinWeightPolynomial::P192>(out, in);
89 case 32:
90 return poly_double<4, MinWeightPolynomial::P256>(out, in);
91 case 64:
92 return poly_double<8, MinWeightPolynomial::P512>(out, in);
93 case 128:
94 return poly_double<16, MinWeightPolynomial::P1024>(out, in);
95 default:
96 throw Invalid_Argument("Unsupported size for poly_double_n");
97 }
98}

Referenced by poly_double_n(), and Botan::SIV_Mode::S2V().

◆ poly_double_n_le()

void BOTAN_TEST_API Botan::poly_double_n_le ( uint8_t out[],
const uint8_t in[],
size_t n )

Definition at line 100 of file poly_dbl.cpp.

100 {
101 switch(n) {
102 case 8:
103 return poly_double_le<1, MinWeightPolynomial::P64>(out, in);
104 case 16:
105 return poly_double_le<2, MinWeightPolynomial::P128>(out, in);
106 case 24:
107 return poly_double_le<3, MinWeightPolynomial::P192>(out, in);
108 case 32:
109 return poly_double_le<4, MinWeightPolynomial::P256>(out, in);
110 case 64:
111 return poly_double_le<8, MinWeightPolynomial::P512>(out, in);
112 case 128:
113 return poly_double_le<16, MinWeightPolynomial::P1024>(out, in);
114 default:
115 throw Invalid_Argument("Unsupported size for poly_double_n_le");
116 }
117}

Referenced by Botan::XTS_Mode::update_tweak(), and xts_update_tweak_block().

◆ poly_double_supported_size()

bool Botan::poly_double_supported_size ( size_t n)
inline

Returns true iff poly_double_n is implemented for this size.

Definition at line 22 of file poly_dbl.h.

22 {
23 return (n == 8 || n == 16 || n == 24 || n == 32 || n == 64 || n == 128);
24}

Referenced by Botan::CMAC::CMAC(), and Botan::XTS_Mode::XTS_Mode().

◆ power_mod()

BigInt Botan::power_mod ( const BigInt & b,
const BigInt & x,
const BigInt & m )

Modular exponentation

Parameters
ban integer base
xa positive exponent
ma positive modulus
Returns
(b^x) % m

Definition at line 283 of file numthry.cpp.

283 {
284 if(mod.is_negative() || mod == 1) {
285 return BigInt::zero();
286 }
287
288 if(base.is_zero() || mod.is_zero()) {
289 if(exp.is_zero()) {
290 return BigInt::one();
291 }
292 return BigInt::zero();
293 }
294
296
297 const size_t exp_bits = exp.bits();
298
299 if(mod.is_odd()) {
300 const Montgomery_Params monty_params(mod, reduce_mod);
301 return monty_exp(monty_params, ct_modulo(base, mod), exp, exp_bits).value();
302 }
303
304 /*
305 Support for even modulus is just a convenience and not considered
306 cryptographically important, so this implementation is slow ...
307 */
308 BigInt accum = BigInt::one();
309 BigInt g = ct_modulo(base, mod);
310 BigInt t;
311
312 for(size_t i = 0; i != exp_bits; ++i) {
313 t = reduce_mod.multiply(g, accum);
314 g = reduce_mod.square(g);
315 accum.ct_cond_assign(exp.get_bit(i), t);
316 }
317 return accum;
318}
Montgomery_Int monty_exp(const Montgomery_Params &params_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
Definition monty_exp.h:47

References Botan::BigInt::bits(), Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::Barrett_Reduction::for_secret_modulus(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), monty_exp(), Botan::BigInt::one(), reduce_mod(), Botan::Montgomery_Int::value(), and Botan::BigInt::zero().

Referenced by botan_mp_powmod().

◆ prefetch_array_raw()

uint64_t Botan::prefetch_array_raw ( size_t bytes,
const void * array )
noexcept

Prefetch an array

This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.

Definition at line 14 of file prefetch.cpp.

14 {
15#if defined(__cpp_lib_hardware_interference_size)
16 const size_t cache_line_size = std::hardware_destructive_interference_size;
17#else
18 // We arbitrarily use a 64 byte cache line, which is by far the most
19 // common size.
20 //
21 // Runtime detection adds too much overhead to this function.
22 const size_t cache_line_size = 64;
23#endif
24
25 const uint8_t* array = static_cast<const uint8_t*>(arrayv);
26
27 volatile uint64_t combiner = 1;
28
29 for(size_t idx = 0; idx < bytes; idx += cache_line_size) {
30#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_prefetch)
31 // we have no way of knowing if the compiler will emit anything here
32 __builtin_prefetch(&array[idx]);
33#endif
34
35 combiner = combiner | array[idx];
36 }
37
38 /*
39 * The combiner variable is initialized with 1, and we accumulate using OR, so
40 * now combiner must be a value other than zero. This being the case we will
41 * always return zero here. Hopefully the compiler will not figure this out.
42 */
43 return ct_is_zero(combiner);
44}

References ct_is_zero().

Referenced by prefetch_arrays().

◆ prefetch_arrays()

template<std::unsigned_integral T, size_t... Ns>
T Botan::prefetch_arrays ( T(&... arr) [Ns])
noexcept

Prefetch several arrays

This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.

Definition at line 35 of file prefetch.h.

35 {
36 return (static_cast<T>(prefetch_array_raw(sizeof(T) * Ns, arr)) & ...);
37}
uint64_t prefetch_array_raw(size_t bytes, const void *arrayv) noexcept
Definition prefetch.cpp:14

References prefetch_array_raw().

Referenced by Botan::SEED::decrypt_n(), and Botan::SEED::encrypt_n().

◆ probe_provider_private_key()

std::vector< std::string > Botan::probe_provider_private_key ( std::string_view alg_name,
const std::vector< std::string > & possible )

Definition at line 730 of file pk_algs.cpp.

731 {
732 std::vector<std::string> providers;
733
734 for(auto&& prov : possible) {
735 if(prov == "base") {
736 providers.push_back(prov);
737 }
738 }
739
740 BOTAN_UNUSED(alg_name);
741
742 return providers;
743}

References BOTAN_UNUSED.

◆ probe_providers_of()

template<typename T>
std::vector< std::string > Botan::probe_providers_of ( std::string_view algo_spec,
const std::vector< std::string > & possible = {"base"} )

Definition at line 105 of file scan_name.h.

106 {"base"}) {
107 std::vector<std::string> providers;
108 for(auto&& prov : possible) {
109 auto o = T::create(algo_spec, prov);
110 if(o) {
111 providers.push_back(prov); // available
112 }
113 }
114 return providers;
115}

Referenced by Botan::BlockCipher::providers(), Botan::HashFunction::providers(), Botan::KDF::providers(), Botan::MessageAuthenticationCode::providers(), Botan::PasswordHashFamily::providers(), Botan::PBKDF::providers(), Botan::StreamCipher::providers(), and Botan::XOF::providers().

◆ random_code_element()

gf2m Botan::random_code_element ( uint16_t code_length,
RandomNumberGenerator & rng )

Definition at line 82 of file polyn_gf2m.cpp.

82 {
83 if(code_length == 0) {
84 throw Invalid_Argument("random_code_element() was supplied a code length of zero");
85 }
86 const unsigned nlz = nlz_16bit(code_length - 1);
87 const gf2m mask = (1 << (16 - nlz)) - 1;
88
89 gf2m result = random_gf2m(rng) & mask;
90
91 while(result >= code_length) {
92 // rejection sampling
93 result = random_gf2m(rng) & mask;
94 }
95
96 return result;
97}
gf2m random_gf2m(RandomNumberGenerator &rng)

References random_gf2m().

Referenced by Botan::polyn_gf2m::polyn_gf2m().

◆ random_gf2m()

gf2m Botan::random_gf2m ( RandomNumberGenerator & rng)

Definition at line 76 of file polyn_gf2m.cpp.

76 {
77 uint8_t b[2];
78 rng.randomize(b, sizeof(b));
79 return make_uint16(b[1], b[0]);
80}
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition loadstor.h:92

References make_uint16(), and Botan::RandomNumberGenerator::randomize().

Referenced by random_code_element().

◆ random_prime()

BigInt Botan::random_prime ( RandomNumberGenerator & rng,
size_t bits,
const BigInt & coprime = BigInt::from_u64(0),
size_t equiv = 1,
size_t equiv_mod = 2,
size_t prob = 128 )

Randomly generate a prime suitable for discrete logarithm parameters

Parameters
rnga random number generator
bitshow large the resulting prime should be in bits
coprimea positive integer that (prime - 1) should be coprime to
equiva non-negative number that the result should be equivalent to modulo equiv_mod
equiv_modthe modulus equiv should be checked against
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 97 of file make_prm.cpp.

98 {
99 if(bits <= 1) {
100 throw Invalid_Argument("random_prime: Can't make a prime of " + std::to_string(bits) + " bits");
101 }
102 if(coprime.is_negative() || (!coprime.is_zero() && coprime.is_even()) || coprime.bits() >= bits) {
103 throw Invalid_Argument("random_prime: invalid coprime");
104 }
105 if(modulo == 0 || modulo >= 100000) {
106 throw Invalid_Argument("random_prime: Invalid modulo value");
107 }
108
109 equiv %= modulo;
110
111 if(equiv == 0) {
112 throw Invalid_Argument("random_prime Invalid value for equiv/modulo");
113 }
114
115 // Handle small values:
116
117 if(bits <= 16) {
118 if(equiv != 1 || modulo != 2 || coprime != 0) {
119 throw Not_Implemented("random_prime equiv/modulo/coprime options not usable for small primes");
120 }
121
122 if(bits == 2) {
123 return BigInt::from_word(((rng.next_byte() % 2) == 0 ? 2 : 3));
124 } else if(bits == 3) {
125 return BigInt::from_word(((rng.next_byte() % 2) == 0 ? 5 : 7));
126 } else if(bits == 4) {
127 return BigInt::from_word(((rng.next_byte() % 2) == 0 ? 11 : 13));
128 } else {
129 for(;;) {
130 // This is slightly biased, but for small primes it does not seem to matter
131 uint8_t b[4] = {0};
132 rng.randomize(b, 4);
133 const size_t idx = load_le<uint32_t>(b, 0) % PRIME_TABLE_SIZE;
134 const uint16_t small_prime = PRIMES[idx];
135
136 if(high_bit(small_prime) == bits) {
137 return BigInt::from_word(small_prime);
138 }
139 }
140 }
141 }
142
143 const size_t MAX_ATTEMPTS = 32 * 1024;
144
145 const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
146
147 while(true) {
148 BigInt p(rng, bits);
149
150 // Force lowest and two top bits on
151 p.set_bit(bits - 1);
152 p.set_bit(bits - 2);
153 p.set_bit(0);
154
155 // Force p to be equal to equiv mod modulo
156 p += (modulo - (p % modulo)) + equiv;
157
158 Prime_Sieve sieve(p, bits, modulo, true);
159
160 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
161 p += modulo;
162
163 if(!sieve.next()) {
164 continue;
165 }
166
167 // here p can be even if modulo is odd, continue on in that case
168 if(p.is_even()) {
169 continue;
170 }
171
172 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
173
175
176 if(coprime > 1) {
177 /*
178 First do a single M-R iteration to quickly elimate most non-primes,
179 before doing the coprimality check which is expensive
180 */
181 if(!is_miller_rabin_probable_prime(p, mod_p, rng, 1)) {
182 continue;
183 }
184
185 /*
186 * Check if p - 1 and coprime are relatively prime, using gcd.
187 * The gcd computation is const-time
188 */
189 if(gcd(p - 1, coprime) > 1) {
190 continue;
191 }
192 }
193
194 if(p.bits() > bits) {
195 break;
196 }
197
198 if(!is_miller_rabin_probable_prime(p, mod_p, rng, mr_trials)) {
199 continue;
200 }
201
202 if(prob > 32 && !is_lucas_probable_prime(p, mod_p)) {
203 continue;
204 }
205
206 return p;
207 }
208 }
209}

References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::Barrett_Reduction::for_secret_modulus(), Botan::BigInt::from_word(), gcd(), high_bit(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), load_le(), miller_rabin_test_iterations(), Botan::RandomNumberGenerator::next_byte(), PRIME_TABLE_SIZE, PRIMES, Botan::RandomNumberGenerator::randomize(), and Botan::BigInt::set_bit().

Referenced by Botan::DL_Group::DL_Group(), and random_safe_prime().

◆ random_safe_prime()

BigInt Botan::random_safe_prime ( RandomNumberGenerator & rng,
size_t bits )

Return a 'safe' prime, of the form p=2*q+1 with q prime

Parameters
rnga random number generator
bitsis how long the resulting prime should be
Returns
prime randomly chosen from safe primes of length bits

Definition at line 294 of file make_prm.cpp.

294 {
295 if(bits <= 64) {
296 throw Invalid_Argument("random_safe_prime: Can't make a prime of " + std::to_string(bits) + " bits");
297 }
298
299 const size_t error_bound = 128;
300
301 BigInt q;
302 BigInt p;
303 for(;;) {
304 /*
305 Generate q == 2 (mod 3), since otherwise [in the case of q == 1 (mod 3)],
306 2*q+1 == 3 (mod 3) and so certainly not prime.
307 */
308 q = random_prime(rng, bits - 1, BigInt::zero(), 2, 3, error_bound);
309 p = (q << 1) + 1;
310
311 if(is_prime(p, rng, error_bound, true)) {
312 return p;
313 }
314 }
315}
BigInt random_prime(RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
Definition make_prm.cpp:97

References is_prime(), random_prime(), and Botan::BigInt::zero().

Referenced by Botan::DL_Group::DL_Group().

◆ read_cfg()

std::map< std::string, std::string > Botan::read_cfg ( std::istream & is)

Definition at line 34 of file read_cfg.cpp.

34 {
35 std::map<std::string, std::string> kv;
36 size_t line = 0;
37
38 while(is.good()) {
39 std::string s;
40
41 std::getline(is, s);
42
43 ++line;
44
45 if(s.empty() || s[0] == '#') {
46 continue;
47 }
48
49 s = clean_ws(s.substr(0, s.find('#')));
50
51 if(s.empty()) {
52 continue;
53 }
54
55 auto eq = s.find('=');
56
57 if(eq == std::string::npos || eq == 0 || eq == s.size() - 1) {
58 throw Decoding_Error("Bad read_cfg input '" + s + "' on line " + std::to_string(line));
59 }
60
61 const std::string key = clean_ws(s.substr(0, eq));
62 const std::string val = clean_ws(s.substr(eq + 1, std::string::npos));
63
64 kv[key] = val;
65 }
66
67 return kv;
68}

Referenced by Botan::TLS::Text_Policy::Text_Policy(), and Botan::TLS::Text_Policy::Text_Policy().

◆ read_kv()

std::map< std::string, std::string > Botan::read_kv ( std::string_view kv)

Accepts key value pairs deliminated by commas:

"" (returns empty map) "K=V" (returns map {'K': 'V'}) "K1=V1,K2=V2" "K1=V1,K2=V2,K3=V3" "K1=V1,K2=V2,K3=a_value\,with\,commas_and_\=equals"

Values may be empty, keys must be non-empty and unique. Duplicate keys cause an exception.

Within both key and value, comma and equals can be escaped with backslash. Backslash can also be escaped.

Definition at line 13 of file read_kv.cpp.

13 {
14 std::map<std::string, std::string> m;
15 if(kv.empty()) {
16 return m;
17 }
18
19 std::vector<std::string> parts;
20
21 try {
22 parts = split_on(kv, ',');
23 } catch(std::exception&) {
24 throw Invalid_Argument("Bad KV spec");
25 }
26
27 bool escaped = false;
28 bool reading_key = true;
29 std::string cur_key;
30 std::string cur_val;
31
32 for(char c : kv) {
33 if(c == '\\' && !escaped) {
34 escaped = true;
35 } else if(c == ',' && !escaped) {
36 if(cur_key.empty()) {
37 throw Invalid_Argument("Bad KV spec empty key");
38 }
39
40 if(m.contains(cur_key)) {
41 throw Invalid_Argument("Bad KV spec duplicated key");
42 }
43 m[cur_key] = cur_val;
44 cur_key = "";
45 cur_val = "";
46 reading_key = true;
47 } else if(c == '=' && !escaped) {
48 if(!reading_key) {
49 throw Invalid_Argument("Bad KV spec unexpected equals sign");
50 }
51 reading_key = false;
52 } else {
53 if(reading_key) {
54 cur_key += c;
55 } else {
56 cur_val += c;
57 }
58
59 if(escaped) {
60 escaped = false;
61 }
62 }
63 }
64
65 if(!cur_key.empty()) {
66 if(!reading_key) {
67 if(m.contains(cur_key)) {
68 throw Invalid_Argument("Bad KV spec duplicated key");
69 }
70 m[cur_key] = cur_val;
71 } else {
72 throw Invalid_Argument("Bad KV spec incomplete string");
73 }
74 }
75
76 return m;
77}

References split_on().

◆ read_window_bits()

template<size_t WindowBits, typename W, size_t N>
size_t Botan::read_window_bits ( std::span< const W, N > words,
size_t offset )
constexpr

Definition at line 952 of file mp_core.h.

952 {
953 static_assert(WindowBits >= 1 && WindowBits <= 7);
954
955 constexpr uint8_t WindowMask = static_cast<uint8_t>(1 << WindowBits) - 1;
956
957 constexpr size_t W_bits = sizeof(W) * 8;
958 const auto bit_shift = offset % W_bits;
959 const auto word_offset = words.size() - 1 - (offset / W_bits);
960
961 const bool single_byte_window = bit_shift <= (W_bits - WindowBits) || word_offset == 0;
962
963 const auto w0 = words[word_offset];
964
965 if(single_byte_window) {
966 return (w0 >> bit_shift) & WindowMask;
967 } else {
968 // Otherwise we must join two words and extract the result
969 const auto w1 = words[word_offset - 1];
970 const auto combined = ((w0 >> bit_shift) | (w1 << (W_bits - bit_shift)));
971 return combined & WindowMask;
972 }
973}

Referenced by Botan::BlindedScalarBits< C, WindowBits+1 >::get_window(), Botan::UnblindedScalarBits< C, WindowBits >::get_window(), and Botan::IntMod< MontgomeryRep< ScalarParams > >::pow_vartime().

◆ redc_crandall()

template<WordType W, size_t N, W C>
std::array< W, N > Botan::redc_crandall ( std::span< const W, 2 *N > z)
constexpr

Reduce z modulo p = 2**B - C where C is small

z is assumed to be at most (p-1)**2

For details on the algorithm see

  • Handbook of Applied Cryptography, Algorithm 14.47
  • Guide to Elliptic Curve Cryptography, Algorithm 2.54 and Note 2.55

Definition at line 873 of file mp_core.h.

873 {
874 static_assert(N >= 2);
875
876 std::array<W, N> hi = {};
877
878 // hi = hi * c + lo
879
880 W carry = 0;
881 for(size_t i = 0; i != N; ++i) {
882 hi[i] = word_madd3(z[i + N], C, z[i], &carry);
883 }
884
885 // hi += carry * C
886 word carry_c[2] = {0};
887 carry_c[0] = word_madd2(carry, C, &carry_c[1]);
888
889 carry = bigint_add2(hi.data(), N, carry_c, 2);
890
891 constexpr W P0 = WordInfo<W>::max - (C - 1);
892
893 std::array<W, N> r = {};
894
895 W borrow = 0;
896
897 /*
898 * For undetermined reasons, on GCC (only) removing this asm block causes
899 * massive (up to 20%) performance regressions in secp256k1.
900 *
901 * The generated code without the asm seems quite reasonable, and timing
902 * repeated calls to redc_crandall with the cycle counter show that GCC
903 * computes it in about the same number of cycles with or without the asm.
904 *
905 * So the cause of the regression is unclear. But it is reproducible across
906 * machines and GCC versions.
907 */
908#if defined(BOTAN_MP_USE_X86_64_ASM) && defined(__GNUC__) && !defined(__clang__)
909 if constexpr(N == 4 && std::same_as<W, uint64_t>) {
910 if(!std::is_constant_evaluated()) {
911 asm volatile(R"(
912 movq 0(%[x]), %[borrow]
913 subq %[p0], %[borrow]
914 movq %[borrow], 0(%[r])
915 movq 16(%[x]), %[borrow]
916 sbbq $-1, %[borrow]
917 movq %[borrow], 8(%[r])
918 movq 16(%[x]), %[borrow]
919 sbbq $-1, %[borrow]
920 movq %[borrow], 16(%[r])
921 movq 24(%[x]), %[borrow]
922 sbbq $-1, %[borrow]
923 movq %[borrow], 24(%[r])
924 sbbq %[borrow],%[borrow]
925 negq %[borrow]
926 )"
927 : [borrow] "=r"(borrow)
928 : [x] "r"(hi.data()), [p0] "r"(P0), [r] "r"(r.data()), "0"(borrow)
929 : "cc", "memory");
930 }
931
932 borrow = (carry - borrow) > carry;
933 CT::conditional_assign_mem(borrow, r.data(), hi.data(), N);
934 return r;
935 }
936#endif
937
938 r[0] = word_sub(hi[0], P0, &borrow);
939 for(size_t i = 1; i != N; ++i) {
940 r[i] = word_sub(hi[i], WordInfo<W>::max, &borrow);
941 }
942
943 borrow = (carry - borrow) > carry;
944
945 CT::conditional_assign_mem(borrow, r.data(), hi.data(), N);
946
947 return r;
948}

References bigint_add2(), carry(), Botan::CT::conditional_assign_mem(), word_madd2(), word_madd3(), and word_sub().

◆ redc_mul()

void Botan::redc_mul ( int64_t & s1,
int64_t & s2,
int64_t & s3,
int64_t & s4,
int64_t & s5,
int64_t & s6,
int64_t & X )
inline

Definition at line 57 of file ed25519_internal.h.

57 {
58 s1 += X * 666643;
59 s2 += X * 470296;
60 s3 += X * 654183;
61 s4 -= X * 997805;
62 s5 += X * 136657;
63 s6 -= X * 683901;
64 X = 0;
65}

Referenced by sc_muladd(), and sc_reduce().

◆ reduce()

template<typename RetT, typename KeyT, typename ReducerT>
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
RetT Botan::reduce ( const std::vector< KeyT > & keys,
RetT acc,
ReducerT reducer )

Reduce the values of keys into an accumulator initialized with acc using the reducer function reducer.

The reducer is a function taking the accumulator and a single key to return the new accumulator. Keys are consecutively reduced into the accumulator.

Returns
the accumulator containing the reduction of keys

Definition at line 39 of file stl_util.h.

41{
42 for(const KeyT& key : keys) {
43 acc = reducer(std::move(acc), key);
44 }
45 return acc;
46}

Referenced by Botan::Hybrid_PrivateKey::check_key(), Botan::Hybrid_PublicKey::check_key(), Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), Botan::Hybrid_PublicKey::raw_public_key_bits(), and Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits().

◆ reduce_mod()

template<WordType W, size_t N, size_t XN>
std::array< W, N > Botan::reduce_mod ( const std::array< W, XN > & x,
const std::array< W, N > & p )
inlineconsteval

Definition at line 16 of file pcurves_util.h.

16 {
17 std::array<W, N + 1> r = {0};
18 std::array<W, N + 1> t = {0};
19
20 const size_t x_bits = XN * WordInfo<W>::bits;
21
22 for(size_t i = 0; i != x_bits; ++i) {
23 const size_t b = x_bits - 1 - i;
24
25 const size_t b_word = b / WordInfo<W>::bits;
26 const size_t b_bit = b % WordInfo<W>::bits;
27 const bool x_b = (x[b_word] >> b_bit) & 1;
28
30 // Conditional ok: this function is consteval
31 if(x_b) {
32 r[0] += 1;
33 }
34
35 const W carry = bigint_sub3(t.data(), r.data(), N + 1, p.data(), N);
36
37 // Conditional ok: this function is consteval
38 if(carry == 0) {
39 std::swap(r, t);
40 }
41 }
42
43 std::array<W, N> rs = {};
44 copy_mem(rs, std::span{r}.template first<N>());
45 return rs;
46}

References bigint_sub3(), carry(), copy_mem(), and shift_left().

Referenced by montygomery_r(), mul_mod(), and power_mod().

◆ reverse_bytes()

template<std::unsigned_integral T>
requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8)
T Botan::reverse_bytes ( T x)
inlineconstexpr

Swap the byte order of an unsigned integer

Definition at line 27 of file bswap.h.

27 {
28 if constexpr(sizeof(T) == 1) {
29 return x;
30 } else if constexpr(sizeof(T) == 2) {
31#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16)
32 return static_cast<T>(__builtin_bswap16(x));
33#else
34 return static_cast<T>((x << 8) | (x >> 8));
35#endif
36 } else if constexpr(sizeof(T) == 4) {
37#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32)
38 return static_cast<T>(__builtin_bswap32(x));
39#else
40 // MSVC at least recognizes this as a bswap
41 return static_cast<T>(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) |
42 ((x & 0xFF000000) >> 24));
43#endif
44 } else if constexpr(sizeof(T) == 8) {
45#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64)
46 return static_cast<T>(__builtin_bswap64(x));
47#else
48 uint32_t hi = static_cast<uint32_t>(x >> 32);
49 uint32_t lo = static_cast<uint32_t>(x);
50
51 hi = reverse_bytes(hi);
52 lo = reverse_bytes(lo);
53
54 return (static_cast<T>(lo) << 32) | hi;
55#endif
56 }
57}

References reverse_bytes().

Referenced by ct_reverse_bits(), Botan::detail::load_any(), reverse_bytes(), and Botan::detail::store_any().

◆ rfc3394_keyunwrap()

secure_vector< uint8_t > Botan::rfc3394_keyunwrap ( const secure_vector< uint8_t > & key,
const SymmetricKey & kek )

Decrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe encrypted key to decrypt
kekthe key encryption key
Returns
key decrypted under kek

Definition at line 27 of file rfc3394.cpp.

27 {
28 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
29
30 BOTAN_ARG_CHECK(key.size() >= 16 && key.size() % 8 == 0, "Bad input key size for NIST key unwrap");
31
32 const std::string cipher_name = "AES-" + std::to_string(8 * kek.size());
33 auto aes = BlockCipher::create_or_throw(cipher_name);
34 aes->set_key(kek);
35
36 return nist_key_unwrap(key.data(), key.size(), *aes);
37}
static std::unique_ptr< BlockCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
size_t size() const
Definition symkey.h:29

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_unwrap(), and Botan::OctetString::size().

◆ rfc3394_keywrap()

secure_vector< uint8_t > Botan::rfc3394_keywrap ( const secure_vector< uint8_t > & key,
const SymmetricKey & kek )

Encrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe plaintext key to encrypt
kekthe key encryption key
Returns
key encrypted under kek

Definition at line 16 of file rfc3394.cpp.

16 {
17 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
18
19 const std::string cipher_name = "AES-" + std::to_string(8 * kek.size());
20 auto aes = BlockCipher::create_or_throw(cipher_name);
21 aes->set_key(kek);
22
23 std::vector<uint8_t> wrapped = nist_key_wrap(key.data(), key.size(), *aes);
24 return secure_vector<uint8_t>(wrapped.begin(), wrapped.end());
25}

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_wrap(), and Botan::OctetString::size().

◆ RFC4880_decode_count()

size_t Botan::RFC4880_decode_count ( uint8_t encoded_iter)

Decode the iteration count from RFC 4880 encoding

Definition at line 61 of file rfc4880.cpp.

61 {
62 return OPENPGP_S2K_ITERS[iter];
63}

Referenced by Botan::OpenPGP_S2K::decode_count(), and RFC4880_round_iterations().

◆ RFC4880_encode_count()

uint8_t Botan::RFC4880_encode_count ( size_t iterations)

RFC 4880 encodes the iteration count to a single-byte value

Definition at line 47 of file rfc4880.cpp.

47 {
48 if(desired_iterations <= OPENPGP_S2K_ITERS[0]) {
49 return 0;
50 }
51
52 if(desired_iterations >= OPENPGP_S2K_ITERS[255]) {
53 return 255;
54 }
55
56 const uint32_t* i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);
57
58 return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
59}

Referenced by Botan::OpenPGP_S2K::encode_count(), and RFC4880_round_iterations().

◆ RFC4880_round_iterations()

size_t Botan::RFC4880_round_iterations ( size_t iterations)
inline

Round an arbitrary iteration count to next largest iteration count supported by RFC4880 encoding.

Definition at line 32 of file rfc4880.h.

32 {
34}
uint8_t RFC4880_encode_count(size_t desired_iterations)
Definition rfc4880.cpp:47
size_t RFC4880_decode_count(uint8_t iter)
Definition rfc4880.cpp:61

References RFC4880_decode_count(), RFC4880_encode_count(), and RFC4880_round_iterations().

Referenced by RFC4880_round_iterations(), and Botan::RFC4880_S2K_Family::tune().

◆ rho()

◆ root()

Gf448Elem Botan::root ( const Gf448Elem & elem)

Compute the root of elem in the field.

The root of a in GF(p) is computed as r = a^((p+1)/4) mod p. Note that the root is not unique, i.e. r and p-r are both roots.

Returns
GfPElem The root of this element.

Definition at line 317 of file curve448_gf.cpp.

317 {
318 Gf448Elem res(1);
319
320 // (P-3)/4 is an 445 bit integer with one zero bits at 222. All others are one.
321 for(int16_t t = 445; t >= 0; --t) {
322 gf_square(res.words(), res.words());
323 if(t != 222) {
324 gf_mul(res.words(), res.words(), elem.words());
325 }
326 }
327
328 return res;
329}
std::span< uint64_t, WORDS_448 > words()
Accessor to the internal words of the GF element.

References Botan::Gf448Elem::words().

Referenced by Botan::Ed448Point::decode(), Botan::Sphincs_Hash_Functions::H_msg(), Botan::XMSS_Hash::h_msg(), Botan::Sphincs_Hash_Functions::H_msg_digest(), Botan::XMSS_Hash::h_msg_init(), Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey(), xmss_gen_root(), and Botan::Sphincs_Hash_Functions::~Sphincs_Hash_Functions().

◆ rotl() [1/4]

template<size_t R>
SIMD_16x32 Botan::rotl ( SIMD_16x32 input)
inline

Definition at line 320 of file simd_avx512.h.

320 {
321 return input.rotl<R>();
322}
BOTAN_FN_ISA_AVX512 SIMD_16x32 rotl() const
Definition simd_avx512.h:77

References Botan::SIMD_16x32::rotl().

◆ rotl() [2/4]

template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 Botan::rotl ( SIMD_4x32 input)
inline

Definition at line 779 of file simd_4x32.h.

779 {
780 return input.rotl<R>();
781}
BOTAN_FN_ISA_SIMD_4X32 SIMD_4x32 rotl() const noexcept
Definition simd_4x32.h:302

References Botan::SIMD_4x32::rotl().

◆ rotl() [3/4]

template<size_t R>
SIMD_8x32 Botan::rotl ( SIMD_8x32 input)
inline

Definition at line 342 of file simd_avx2.h.

342 {
343 return input.rotl<R>();
344}
BOTAN_FN_ISA_AVX2 SIMD_8x32 rotl() const noexcept
Definition simd_avx2.h:116

References Botan::SIMD_8x32::rotl().

◆ rotl() [4/4]

template<size_t ROT, std::unsigned_integral T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
BOTAN_FORCE_INLINE constexpr T Botan::rotl ( T input)
constexpr

Bit rotation left by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated left by ROT bits

Definition at line 23 of file rotate.h.

25{
26 return static_cast<T>((input << ROT) | (input >> (8 * sizeof(T) - ROT)));
27}

References BOTAN_FORCE_INLINE.

Referenced by Botan::SHA_1::compress_n(), Botan::Noekeon::decrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SHA1_F::F1(), Botan::SHA1_F::F2(), Botan::SHA1_F::F3(), Botan::SHA1_F::F4(), Botan::GOST_28147_89::GOST_28147_89(), Keccak_Permutation_round(), and Botan::Serpent_F::transform().

◆ rotl_var()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::rotl_var ( T input,
size_t rot )
constexpr

Bit rotation left, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated left by rot bits

Definition at line 64 of file rotate.h.

64 {
65 return rot ? static_cast<T>((input << rot) | (input >> (sizeof(T) * 8 - rot))) : input;
66}

References BOTAN_FORCE_INLINE.

◆ rotr() [1/4]

template<size_t R>
SIMD_16x32 Botan::rotr ( SIMD_16x32 input)
inline

Definition at line 325 of file simd_avx512.h.

325 {
326 return input.rotr<R>();
327}
BOTAN_FN_ISA_AVX512 SIMD_16x32 rotr() const
Definition simd_avx512.h:84

References Botan::SIMD_16x32::rotr().

◆ rotr() [2/4]

template<size_t R>
SIMD_4x32 BOTAN_FN_ISA_SIMD_4X32 Botan::rotr ( SIMD_4x32 input)
inline

Definition at line 784 of file simd_4x32.h.

784 {
785 return input.rotr<R>();
786}
SIMD_4x32 rotr() const noexcept
Definition simd_4x32.h:349

References Botan::SIMD_4x32::rotr().

◆ rotr() [3/4]

template<size_t R>
SIMD_8x32 Botan::rotr ( SIMD_8x32 input)
inline

Definition at line 347 of file simd_avx2.h.

347 {
348 return input.rotr<R>();
349}
BOTAN_FN_ISA_AVX2 SIMD_8x32 rotr() const noexcept
Definition simd_avx2.h:145

References Botan::SIMD_8x32::rotr().

◆ rotr() [4/4]

template<size_t ROT, std::unsigned_integral T>
requires (ROT > 0 && ROT < 8 * sizeof(T))
BOTAN_FORCE_INLINE constexpr T Botan::rotr ( T input)
constexpr

Bit rotation right by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated right by ROT bits

Definition at line 35 of file rotate.h.

37{
38 return static_cast<T>((input >> ROT) | (input << (8 * sizeof(T) - ROT)));
39}

References BOTAN_FORCE_INLINE.

Referenced by Botan::Noekeon::decrypt_n(), Botan::Noekeon::encrypt_n(), Botan::Serpent_F::i_transform(), rho(), and sigma().

◆ rotr_var()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::rotr_var ( T input,
size_t rot )
constexpr

Bit rotation right, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated right by rot bits

Definition at line 75 of file rotate.h.

75 {
76 return rot ? static_cast<T>((input >> rot) | (input << (sizeof(T) * 8 - rot))) : input;
77}

References BOTAN_FORCE_INLINE.

◆ round_up()

size_t Botan::round_up ( size_t n,
size_t align_to )
inlineconstexpr

Integer rounding

Returns an integer z such that n <= z <= n + align_to and z % align_to == 0

Parameters
nan integer
align_tothe alignment boundary
Returns
n rounded up to a multiple of align_to

Definition at line 26 of file rounding.h.

26 {
27 // Arguably returning n in this case would also be sensible
28 BOTAN_ARG_CHECK(align_to != 0, "align_to must not be 0");
29
30 if(n % align_to > 0) {
31 const size_t adj = align_to - (n % align_to);
32 BOTAN_ARG_CHECK(n + adj >= n, "Integer overflow during rounding");
33 n += adj;
34 }
35 return n;
36}

References BOTAN_ARG_CHECK.

Referenced by Botan::BigInt::bytes(), Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), monty_multi_exp(), Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), Botan::EC_Point_Multi_Point_Precompute::multi_exp(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), Botan::BigInt::randomize(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().

◆ runtime_version_check()

std::string Botan::runtime_version_check ( uint32_t major,
uint32_t minor,
uint32_t patch )

Usable for checking that the DLL version loaded at runtime exactly matches the compile-time version. Call using BOTAN_VERSION_* macro values, like so:

#define BOTAN_VERSION_PATCH
Definition build.h:34
#define BOTAN_VERSION_MINOR
Definition build.h:29
#define BOTAN_VERSION_MAJOR
Definition build.h:24
std::string runtime_version_check(uint32_t major, uint32_t minor, uint32_t patch)
Definition version.cpp:75

It will return an empty string if the versions match, or otherwise an error message indicating the discrepancy. This only is useful in dynamic libraries, where it is possible to compile and run against different versions.

Definition at line 75 of file version.cpp.

75 {
76 if(major != version_major() || minor != version_minor() || patch != version_patch()) {
77 return fmt("Warning: linked version ({}) does not match version built against ({}.{}.{})\n",
79 major,
80 minor,
81 patch);
82 }
83
84 return "";
85}
uint32_t version_minor()
Definition version.cpp:59
const char * short_version_cstr()
Definition version.cpp:16
uint32_t version_major()
Definition version.cpp:55
uint32_t version_patch()
Definition version.cpp:63

References fmt(), short_version_cstr(), version_major(), version_minor(), and version_patch().

◆ same_mem()

template<typename T>
bool Botan::same_mem ( const T * p1,
const T * p2,
size_t n )
inline

Memory comparison, input insensitive

Parameters
p1a pointer to an array
p2a pointer to another array
nthe number of Ts in p1 and p2
Returns
true iff p1[i] == p2[i] forall i in [0...n)

Definition at line 300 of file mem_ops.h.

300 {
301 volatile T difference = 0;
302
303 for(size_t i = 0; i != n; ++i) {
304 difference = difference | (p1[i] ^ p2[i]);
305 }
306
307 return difference == 0;
308}

References same_mem().

Referenced by same_mem().

◆ sc_muladd()

void Botan::sc_muladd ( uint8_t * s,
const uint8_t * a,
const uint8_t * b,
const uint8_t * c )

Definition at line 26 of file sc_muladd.cpp.

26 {
27 const int32_t MASK = 0x1fffff;
28
29 const int64_t a0 = MASK & load_3(a);
30 const int64_t a1 = MASK & (load_4(a + 2) >> 5);
31 const int64_t a2 = MASK & (load_3(a + 5) >> 2);
32 const int64_t a3 = MASK & (load_4(a + 7) >> 7);
33 const int64_t a4 = MASK & (load_4(a + 10) >> 4);
34 const int64_t a5 = MASK & (load_3(a + 13) >> 1);
35 const int64_t a6 = MASK & (load_4(a + 15) >> 6);
36 const int64_t a7 = MASK & (load_3(a + 18) >> 3);
37 const int64_t a8 = MASK & load_3(a + 21);
38 const int64_t a9 = MASK & (load_4(a + 23) >> 5);
39 const int64_t a10 = MASK & (load_3(a + 26) >> 2);
40 const int64_t a11 = (load_4(a + 28) >> 7);
41 const int64_t b0 = MASK & load_3(b);
42 const int64_t b1 = MASK & (load_4(b + 2) >> 5);
43 const int64_t b2 = MASK & (load_3(b + 5) >> 2);
44 const int64_t b3 = MASK & (load_4(b + 7) >> 7);
45 const int64_t b4 = MASK & (load_4(b + 10) >> 4);
46 const int64_t b5 = MASK & (load_3(b + 13) >> 1);
47 const int64_t b6 = MASK & (load_4(b + 15) >> 6);
48 const int64_t b7 = MASK & (load_3(b + 18) >> 3);
49 const int64_t b8 = MASK & load_3(b + 21);
50 const int64_t b9 = MASK & (load_4(b + 23) >> 5);
51 const int64_t b10 = MASK & (load_3(b + 26) >> 2);
52 const int64_t b11 = (load_4(b + 28) >> 7);
53 const int64_t c0 = MASK & load_3(c);
54 const int64_t c1 = MASK & (load_4(c + 2) >> 5);
55 const int64_t c2 = MASK & (load_3(c + 5) >> 2);
56 const int64_t c3 = MASK & (load_4(c + 7) >> 7);
57 const int64_t c4 = MASK & (load_4(c + 10) >> 4);
58 const int64_t c5 = MASK & (load_3(c + 13) >> 1);
59 const int64_t c6 = MASK & (load_4(c + 15) >> 6);
60 const int64_t c7 = MASK & (load_3(c + 18) >> 3);
61 const int64_t c8 = MASK & load_3(c + 21);
62 const int64_t c9 = MASK & (load_4(c + 23) >> 5);
63 const int64_t c10 = MASK & (load_3(c + 26) >> 2);
64 const int64_t c11 = (load_4(c + 28) >> 7);
65
66 int64_t s0 = c0 + a0 * b0;
67 int64_t s1 = c1 + a0 * b1 + a1 * b0;
68 int64_t s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
69 int64_t s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
70 int64_t s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
71 int64_t s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
72 int64_t s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
73 int64_t s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
74 int64_t s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
75 int64_t s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
76 int64_t s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 +
77 a9 * b1 + a10 * b0;
78 int64_t s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 +
79 a9 * b2 + a10 * b1 + a11 * b0;
80 int64_t s12 =
81 a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
82 int64_t s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
83 int64_t s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
84 int64_t s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
85 int64_t s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
86 int64_t s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
87 int64_t s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
88 int64_t s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
89 int64_t s20 = a9 * b11 + a10 * b10 + a11 * b9;
90 int64_t s21 = a10 * b11 + a11 * b10;
91 int64_t s22 = a11 * b11;
92 int64_t s23 = 0;
93
94 carry<21>(s0, s1);
95 carry<21>(s2, s3);
96 carry<21>(s4, s5);
97 carry<21>(s6, s7);
98 carry<21>(s8, s9);
99 carry<21>(s10, s11);
100 carry<21>(s12, s13);
101 carry<21>(s14, s15);
102 carry<21>(s16, s17);
103 carry<21>(s18, s19);
104 carry<21>(s20, s21);
105 carry<21>(s22, s23);
106
107 carry<21>(s1, s2);
108 carry<21>(s3, s4);
109 carry<21>(s5, s6);
110 carry<21>(s7, s8);
111 carry<21>(s9, s10);
112 carry<21>(s11, s12);
113 carry<21>(s13, s14);
114 carry<21>(s15, s16);
115 carry<21>(s17, s18);
116 carry<21>(s19, s20);
117 carry<21>(s21, s22);
118
119 redc_mul(s11, s12, s13, s14, s15, s16, s23);
120 redc_mul(s10, s11, s12, s13, s14, s15, s22);
121 redc_mul(s9, s10, s11, s12, s13, s14, s21);
122 redc_mul(s8, s9, s10, s11, s12, s13, s20);
123 redc_mul(s7, s8, s9, s10, s11, s12, s19);
124 redc_mul(s6, s7, s8, s9, s10, s11, s18);
125
126 carry<21>(s6, s7);
127 carry<21>(s8, s9);
128 carry<21>(s10, s11);
129 carry<21>(s12, s13);
130 carry<21>(s14, s15);
131 carry<21>(s16, s17);
132
133 carry<21>(s7, s8);
134 carry<21>(s9, s10);
135 carry<21>(s11, s12);
136 carry<21>(s13, s14);
137 carry<21>(s15, s16);
138
139 redc_mul(s5, s6, s7, s8, s9, s10, s17);
140 redc_mul(s4, s5, s6, s7, s8, s9, s16);
141 redc_mul(s3, s4, s5, s6, s7, s8, s15);
142 redc_mul(s2, s3, s4, s5, s6, s7, s14);
143 redc_mul(s1, s2, s3, s4, s5, s6, s13);
144 redc_mul(s0, s1, s2, s3, s4, s5, s12);
145
146 carry<21>(s0, s1);
147 carry<21>(s2, s3);
148 carry<21>(s4, s5);
149 carry<21>(s6, s7);
150 carry<21>(s8, s9);
151 carry<21>(s10, s11);
152
153 carry<21>(s1, s2);
154 carry<21>(s3, s4);
155 carry<21>(s5, s6);
156 carry<21>(s7, s8);
157 carry<21>(s9, s10);
158 carry<21>(s11, s12);
159
160 redc_mul(s0, s1, s2, s3, s4, s5, s12);
161
162 carry0<21>(s0, s1);
163 carry0<21>(s1, s2);
164 carry0<21>(s2, s3);
165 carry0<21>(s3, s4);
166 carry0<21>(s4, s5);
167 carry0<21>(s5, s6);
168 carry0<21>(s6, s7);
169 carry0<21>(s7, s8);
170 carry0<21>(s8, s9);
171 carry0<21>(s9, s10);
172 carry0<21>(s10, s11);
173 carry0<21>(s11, s12);
174
175 redc_mul(s0, s1, s2, s3, s4, s5, s12);
176
177 carry0<21>(s0, s1);
178 carry0<21>(s1, s2);
179 carry0<21>(s2, s3);
180 carry0<21>(s3, s4);
181 carry0<21>(s4, s5);
182 carry0<21>(s5, s6);
183 carry0<21>(s6, s7);
184 carry0<21>(s7, s8);
185 carry0<21>(s8, s9);
186 carry0<21>(s9, s10);
187 carry0<21>(s10, s11);
188
189 s[0] = static_cast<uint8_t>(s0 >> 0);
190 s[1] = static_cast<uint8_t>(s0 >> 8);
191 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
192 s[3] = static_cast<uint8_t>(s1 >> 3);
193 s[4] = static_cast<uint8_t>(s1 >> 11);
194 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
195 s[6] = static_cast<uint8_t>(s2 >> 6);
196 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
197 s[8] = static_cast<uint8_t>(s3 >> 1);
198 s[9] = static_cast<uint8_t>(s3 >> 9);
199 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
200 s[11] = static_cast<uint8_t>(s4 >> 4);
201 s[12] = static_cast<uint8_t>(s4 >> 12);
202 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
203 s[14] = static_cast<uint8_t>(s5 >> 7);
204 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
205 s[16] = static_cast<uint8_t>(s6 >> 2);
206 s[17] = static_cast<uint8_t>(s6 >> 10);
207 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
208 s[19] = static_cast<uint8_t>(s7 >> 5);
209 s[20] = static_cast<uint8_t>(s7 >> 13);
210 s[21] = static_cast<uint8_t>(s8 >> 0);
211 s[22] = static_cast<uint8_t>(s8 >> 8);
212 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
213 s[24] = static_cast<uint8_t>(s9 >> 3);
214 s[25] = static_cast<uint8_t>(s9 >> 11);
215 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
216 s[27] = static_cast<uint8_t>(s10 >> 6);
217 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
218 s[29] = static_cast<uint8_t>(s11 >> 1);
219 s[30] = static_cast<uint8_t>(s11 >> 9);
220 s[31] = static_cast<uint8_t>(s11 >> 17);
221}
void redc_mul(int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
void carry0(int64_t &h0, int64_t &h1)
uint32_t load_3(const uint8_t in[3])
uint32_t load_4(const uint8_t *in)

References carry(), carry0(), load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign().

◆ sc_reduce()

void Botan::sc_reduce ( uint8_t * s)

Definition at line 25 of file sc_reduce.cpp.

25 {
26 const uint32_t MASK = 0x1fffff;
27
28 int64_t s0 = MASK & load_3(s);
29 int64_t s1 = MASK & (load_4(s + 2) >> 5);
30 int64_t s2 = MASK & (load_3(s + 5) >> 2);
31 int64_t s3 = MASK & (load_4(s + 7) >> 7);
32 int64_t s4 = MASK & (load_4(s + 10) >> 4);
33 int64_t s5 = MASK & (load_3(s + 13) >> 1);
34 int64_t s6 = MASK & (load_4(s + 15) >> 6);
35 int64_t s7 = MASK & (load_3(s + 18) >> 3);
36 int64_t s8 = MASK & load_3(s + 21);
37 int64_t s9 = MASK & (load_4(s + 23) >> 5);
38 int64_t s10 = MASK & (load_3(s + 26) >> 2);
39 int64_t s11 = MASK & (load_4(s + 28) >> 7);
40 int64_t s12 = MASK & (load_4(s + 31) >> 4);
41 int64_t s13 = MASK & (load_3(s + 34) >> 1);
42 int64_t s14 = MASK & (load_4(s + 36) >> 6);
43 int64_t s15 = MASK & (load_3(s + 39) >> 3);
44 int64_t s16 = MASK & load_3(s + 42);
45 int64_t s17 = MASK & (load_4(s + 44) >> 5);
46 int64_t s18 = MASK & (load_3(s + 47) >> 2);
47 int64_t s19 = MASK & (load_4(s + 49) >> 7);
48 int64_t s20 = MASK & (load_4(s + 52) >> 4);
49 int64_t s21 = MASK & (load_3(s + 55) >> 1);
50 int64_t s22 = MASK & (load_4(s + 57) >> 6);
51 int64_t s23 = (load_4(s + 60) >> 3);
52
53 redc_mul(s11, s12, s13, s14, s15, s16, s23);
54 redc_mul(s10, s11, s12, s13, s14, s15, s22);
55 redc_mul(s9, s10, s11, s12, s13, s14, s21);
56 redc_mul(s8, s9, s10, s11, s12, s13, s20);
57 redc_mul(s7, s8, s9, s10, s11, s12, s19);
58 redc_mul(s6, s7, s8, s9, s10, s11, s18);
59
60 carry<21>(s6, s7);
61 carry<21>(s8, s9);
62 carry<21>(s10, s11);
63 carry<21>(s12, s13);
64 carry<21>(s14, s15);
65 carry<21>(s16, s17);
66
67 carry<21>(s7, s8);
68 carry<21>(s9, s10);
69 carry<21>(s11, s12);
70 carry<21>(s13, s14);
71 carry<21>(s15, s16);
72
73 redc_mul(s5, s6, s7, s8, s9, s10, s17);
74 redc_mul(s4, s5, s6, s7, s8, s9, s16);
75 redc_mul(s3, s4, s5, s6, s7, s8, s15);
76 redc_mul(s2, s3, s4, s5, s6, s7, s14);
77 redc_mul(s1, s2, s3, s4, s5, s6, s13);
78 redc_mul(s0, s1, s2, s3, s4, s5, s12);
79
80 carry<21>(s0, s1);
81 carry<21>(s2, s3);
82 carry<21>(s4, s5);
83 carry<21>(s6, s7);
84 carry<21>(s8, s9);
85 carry<21>(s10, s11);
86
87 carry<21>(s1, s2);
88 carry<21>(s3, s4);
89 carry<21>(s5, s6);
90 carry<21>(s7, s8);
91 carry<21>(s9, s10);
92 carry<21>(s11, s12);
93
94 redc_mul(s0, s1, s2, s3, s4, s5, s12);
95
96 carry0<21>(s0, s1);
97 carry0<21>(s1, s2);
98 carry0<21>(s2, s3);
99 carry0<21>(s3, s4);
100 carry0<21>(s4, s5);
101 carry0<21>(s5, s6);
102 carry0<21>(s6, s7);
103 carry0<21>(s7, s8);
104 carry0<21>(s8, s9);
105 carry0<21>(s9, s10);
106 carry0<21>(s10, s11);
107 carry0<21>(s11, s12);
108
109 redc_mul(s0, s1, s2, s3, s4, s5, s12);
110
111 carry0<21>(s0, s1);
112 carry0<21>(s1, s2);
113 carry0<21>(s2, s3);
114 carry0<21>(s3, s4);
115 carry0<21>(s4, s5);
116 carry0<21>(s5, s6);
117 carry0<21>(s6, s7);
118 carry0<21>(s7, s8);
119 carry0<21>(s8, s9);
120 carry0<21>(s9, s10);
121 carry0<21>(s10, s11);
122 carry0<21>(s11, s12);
123
124 s[0] = static_cast<uint8_t>(s0 >> 0);
125 s[1] = static_cast<uint8_t>(s0 >> 8);
126 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
127 s[3] = static_cast<uint8_t>(s1 >> 3);
128 s[4] = static_cast<uint8_t>(s1 >> 11);
129 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
130 s[6] = static_cast<uint8_t>(s2 >> 6);
131 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
132 s[8] = static_cast<uint8_t>(s3 >> 1);
133 s[9] = static_cast<uint8_t>(s3 >> 9);
134 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
135 s[11] = static_cast<uint8_t>(s4 >> 4);
136 s[12] = static_cast<uint8_t>(s4 >> 12);
137 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
138 s[14] = static_cast<uint8_t>(s5 >> 7);
139 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
140 s[16] = static_cast<uint8_t>(s6 >> 2);
141 s[17] = static_cast<uint8_t>(s6 >> 10);
142 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
143 s[19] = static_cast<uint8_t>(s7 >> 5);
144 s[20] = static_cast<uint8_t>(s7 >> 13);
145 s[21] = static_cast<uint8_t>(s8 >> 0);
146 s[22] = static_cast<uint8_t>(s8 >> 8);
147 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
148 s[24] = static_cast<uint8_t>(s9 >> 3);
149 s[25] = static_cast<uint8_t>(s9 >> 11);
150 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
151 s[27] = static_cast<uint8_t>(s10 >> 6);
152 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
153 s[29] = static_cast<uint8_t>(s11 >> 1);
154 s[30] = static_cast<uint8_t>(s11 >> 9);
155 s[31] = static_cast<uint8_t>(s11 >> 17);
156}

References carry(), carry0(), load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign(), and ed25519_verify().

◆ scrypt() [1/2]

void Botan::scrypt ( uint8_t output[],
size_t output_len,
const char * password,
size_t password_len,
const uint8_t salt[],
size_t salt_len,
size_t N,
size_t r,
size_t p )
inline

Scrypt key derivation function (RFC 7914)

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenlength of password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 83 of file scrypt.h.

91 {
92 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
93 auto pwdhash = pwdhash_fam->from_params(N, r, p);
94 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
95}

References Botan::PasswordHashFamily::create_or_throw(), and scrypt().

Referenced by scrypt(), and scrypt().

◆ scrypt() [2/2]

void Botan::scrypt ( uint8_t output[],
size_t output_len,
std::string_view password,
const uint8_t salt[],
size_t salt_len,
size_t N,
size_t r,
size_t p )
inline

Scrypt key derivation function (RFC 7914) Before 2.8 this function was the primary interface for scrypt

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 115 of file scrypt.h.

122 {
123 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
124 auto pwdhash = pwdhash_fam->from_params(N, r, p);
125 pwdhash->derive_key(output, output_len, password.data(), password.size(), salt, salt_len);
126}

References Botan::PasswordHashFamily::create_or_throw(), and scrypt().

◆ secure_scrub_memory() [1/2]

void Botan::secure_scrub_memory ( ranges::contiguous_output_range auto && data)

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory.

Parameters
datathe data region to be scrubbed

Definition at line 60 of file mem_ops.h.

60 {
61 secure_scrub_memory(std::ranges::data(data), ranges::size_bytes(data));
62}

References secure_scrub_memory(), and Botan::ranges::size_bytes().

◆ secure_scrub_memory() [2/2]

void Botan::secure_scrub_memory ( void * ptr,
size_t n )

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory (for example, in some hypothetical implementation it might combine the memory contents with the output of a system PRNG), but if you can detect any difference in behavior at runtime then the clearing is side-effecting and you can just use clear_mem.

Use this function to scrub memory just before deallocating it, or on a stack buffer before returning from the function.

Parameters
ptra pointer to memory to scrub
nthe number of bytes pointed to by ptr

Definition at line 24 of file mem_utils.cpp.

24 {
25#if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY)
26 ::RtlSecureZeroMemory(ptr, n);
27
28#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO)
29 ::explicit_bzero(ptr, n);
30
31#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET)
32 (void)::explicit_memset(ptr, 0, n);
33
34#else
35 /*
36 * Call memset through a static volatile pointer, which the compiler should
37 * not elide. This construct should be safe in conforming compilers, but who
38 * knows. This has been checked to generate the expected code, which saves the
39 * memset address in the data segment and unconditionally loads and jumps to
40 * that address, with the following targets:
41 *
42 * x86-64: Clang 19, GCC 6, 11, 13, 14
43 * riscv64: GCC 14
44 * aarch64: GCC 14
45 * armv7: GCC 14
46 *
47 * Actually all of them generated the expected jump even without marking the
48 * function pointer as volatile. However this seems worth including as an
49 * additional precaution.
50 */
51 static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset;
52 (memset_ptr)(ptr, 0, n);
53#endif
54}

Referenced by Botan::PCurve::PrimeOrderCurve::Scalar::_zeroize(), botan_scrub_mem(), deallocate_memory(), Botan::GHASH::final(), Botan::OS::free_locked_pages(), Botan::GHASH::reset(), secure_scrub_memory(), Botan::Sodium::sodium_free(), Botan::Sodium::sodium_memzero(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::~AlignmentBuffer(), Botan::BLAKE2s::~BLAKE2s(), and Botan::BlindedScalarBits< C, WindowBits+1 >::~BlindedScalarBits().

◆ set_mem()

void Botan::set_mem ( uint8_t * ptr,
size_t n,
uint8_t val )
inlineconstexpr

Set memory to a fixed value

Parameters
ptra pointer to an array of bytes
nthe number of Ts pointed to by ptr
valthe value to set each byte to

Definition at line 265 of file mem_ops.h.

265 {
266 if(n > 0) {
267 std::memset(ptr, val, n);
268 }
269}

References set_mem().

Referenced by set_mem().

◆ SHA2_32_F() [1/2]

BOTAN_FORCE_INLINE void Botan::SHA2_32_F ( uint32_t A,
uint32_t B,
uint32_t C,
uint32_t & D,
uint32_t E,
uint32_t F,
uint32_t G,
uint32_t & H,
uint32_t & M1,
uint32_t M2,
uint32_t M3,
uint32_t M4,
uint32_t magic )

Definition at line 19 of file sha2_32_f.h.

31 {
32 uint32_t A_rho = rho<2, 13, 22>(A);
33 uint32_t E_rho = rho<6, 11, 25>(E);
34 uint32_t M2_sigma = sigma<17, 19, 10>(M2);
35 uint32_t M4_sigma = sigma<7, 18, 3>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}
BOTAN_FORCE_INLINE constexpr T majority(T a, T b, T c)
Definition bit_ops.h:202
BOTAN_FORCE_INLINE constexpr T rho(T x)
Definition rotate.h:53
BOTAN_FORCE_INLINE constexpr T sigma(T x)
Definition rotate.h:45

References BOTAN_FORCE_INLINE, choose(), majority(), rho(), and sigma().

Referenced by Botan::SHA_256::compress_digest().

◆ SHA2_32_F() [2/2]

BOTAN_FORCE_INLINE void Botan::SHA2_32_F ( uint32_t A,
uint32_t B,
uint32_t C,
uint32_t & D,
uint32_t E,
uint32_t F,
uint32_t G,
uint32_t & H,
uint32_t M )

Definition at line 45 of file sha2_32_f.h.

46 {
47 uint32_t A_rho = rho<2, 13, 22>(A);
48 uint32_t E_rho = rho<6, 11, 25>(E);
49 H += E_rho + choose(E, F, G) + M;
50 D += H;
51 H += A_rho + majority(A, B, C);
52}

References BOTAN_FORCE_INLINE, choose(), majority(), and rho().

◆ SHA2_64_F() [1/2]

BOTAN_FORCE_INLINE void Botan::SHA2_64_F ( uint64_t A,
uint64_t B,
uint64_t C,
uint64_t & D,
uint64_t E,
uint64_t F,
uint64_t G,
uint64_t & H,
uint64_t & M1,
uint64_t M2,
uint64_t M3,
uint64_t M4,
uint64_t magic )

Definition at line 19 of file sha2_64_f.h.

31 {
32 const uint64_t E_rho = rho<14, 18, 41>(E);
33 const uint64_t A_rho = rho<28, 34, 39>(A);
34 const uint64_t M2_sigma = sigma<19, 61, 6>(M2);
35 const uint64_t M4_sigma = sigma<1, 8, 7>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}

References BOTAN_FORCE_INLINE, choose(), majority(), rho(), and sigma().

Referenced by Botan::SHA_512::compress_digest().

◆ SHA2_64_F() [2/2]

BOTAN_FORCE_INLINE void Botan::SHA2_64_F ( uint64_t A,
uint64_t B,
uint64_t C,
uint64_t & D,
uint64_t E,
uint64_t F,
uint64_t G,
uint64_t & H,
uint64_t M )

Definition at line 45 of file sha2_64_f.h.

46 {
47 const uint64_t E_rho = rho<14, 18, 41>(E);
48 const uint64_t A_rho = rho<28, 34, 39>(A);
49 H += E_rho + choose(E, F, G) + M;
50 D += H;
51 H += A_rho + majority(A, B, C);
52}

References BOTAN_FORCE_INLINE, choose(), majority(), and rho().

◆ shanks_tonelli_c1c2()

template<WordType W, size_t N>
std::pair< size_t, std::array< W, N > > Botan::shanks_tonelli_c1c2 ( const std::array< W, N > & p)
inlineconsteval

Definition at line 215 of file pcurves_util.h.

215 {
216 size_t c1 = 0;
217 auto c2 = p;
218
219 // This assumes p % 2 == 1
220 shift_right<1>(c2);
221 c1++;
222
223 for(;;) {
224 // If we found another one bit past the first, stop
225 // Conditional ok: this function is consteval
226 if(c2[0] % 2 == 1) {
227 break;
228 }
229 shift_right<1>(c2);
230 c1++;
231 }
232
233 std::reverse(c2.begin(), c2.end());
234 return {c1, c2};
235}

References shift_right().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::sqrt().

◆ shanks_tonelli_c3()

template<WordType W, size_t N>
std::array< W, N > Botan::shanks_tonelli_c3 ( const std::array< W, N > & c2)
inlineconsteval

Definition at line 238 of file pcurves_util.h.

238 {
239 auto c3 = c2;
240 std::reverse(c3.begin(), c3.end());
241 shift_right<1>(c3);
242 std::reverse(c3.begin(), c3.end());
243 return c3;
244}

References shift_right().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::sqrt().

◆ shanks_tonelli_c4()

template<typename Z, WordType W, size_t N>
auto Botan::shanks_tonelli_c4 ( const std::array< W, N > & p_minus_1_over_2) -> Z
consteval

Definition at line 247 of file pcurves_util.h.

247 {
248 const auto one = Z::one();
249
250 // This is a silly performance hack; the first non-quadratic root in P-224
251 // is 11 so if we start the search there we save a little time.
252 auto z = Z::constant(11);
253
254 for(;;) {
255 auto c = z.pow_vartime(p_minus_1_over_2);
256
257 auto is_square = c.is_zero() || c.is_one();
258
259 // Conditional ok: this function is consteval
260 if(!is_square.as_bool()) {
261 return z;
262 }
263
264 z = z + one;
265 }
266}
consteval std::array< W, N > p_minus_1_over_2(const std::array< W, N > &p)

References p_minus_1_over_2().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::sqrt().

◆ shift_left()

template<size_t S, WordType W, size_t N>
W Botan::shift_left ( std::array< W, N > & x)
inlineconstexpr

Definition at line 612 of file mp_core.h.

612 {
613 static_assert(S < WordInfo<W>::bits, "Shift too large");
614
615 W carry = 0;
616 for(size_t i = 0; i != N; ++i) {
617 const W w = x[i];
618 x[i] = (w << S) | carry;
619 carry = w >> (WordInfo<W>::bits - S);
620 }
621
622 return carry;
623}

References carry().

Referenced by bytes_to_words(), hex_to_words(), Botan::IntMod< MontgomeryRep< ScalarParams > >::mul2(), and reduce_mod().

◆ shift_right()

template<size_t S, WordType W, size_t N>
W Botan::shift_right ( std::array< W, N > & x)
inlineconstexpr

Definition at line 626 of file mp_core.h.

626 {
627 static_assert(S < WordInfo<W>::bits, "Shift too large");
628
629 W carry = 0;
630 for(size_t i = 0; i != N; ++i) {
631 const W w = x[N - 1 - i];
632 x[N - 1 - i] = (w >> S) | carry;
633 carry = w << (WordInfo<W>::bits - S);
634 }
635
636 return carry;
637}

References carry().

Referenced by Botan::IntMod< MontgomeryRep< ScalarParams > >::_invert_vartime_div2_helper(), Botan::IntMod< MontgomeryRep< ScalarParams > >::div2(), p_div_2_plus_1(), p_minus_1_over_2(), p_plus_1_over_4(), shanks_tonelli_c1c2(), and shanks_tonelli_c3().

◆ shl() [1/3]

template<size_t S>
SIMD_16x32 Botan::shl ( SIMD_16x32 input)
inline

Definition at line 331 of file simd_avx512.h.

331 {
332 return input.shl<S>();
333}
BOTAN_FN_ISA_AVX512 SIMD_16x32 shl() const

References Botan::SIMD_16x32::shl().

◆ shl() [2/3]

template<size_t S>
SIMD_4x32 Botan::shl ( SIMD_4x32 input)
inline

Definition at line 790 of file simd_4x32.h.

790 {
791 return input.shl<S>();
792}
SIMD_4x32 shl() const noexcept
Definition simd_4x32.h:461

References Botan::SIMD_4x32::shl().

◆ shl() [3/3]

template<size_t S>
SIMD_8x32 Botan::shl ( SIMD_8x32 input)
inline

Definition at line 353 of file simd_avx2.h.

353 {
354 return input.shl<S>();
355}
BOTAN_FN_ISA_AVX2 SIMD_8x32 shl() const noexcept
Definition simd_avx2.h:217

References Botan::SIMD_8x32::shl().

◆ short_version_cstr()

const char * Botan::short_version_cstr ( )

Same as version_short_string except returning a pointer to the string.

Definition at line 16 of file version.cpp.

16 {
17 return BOTAN_SHORT_VERSION_STRING;
18}

Referenced by runtime_version_check(), and short_version_string().

◆ short_version_string()

std::string Botan::short_version_string ( )

Return a version string of the form "MAJOR.MINOR.PATCH" where each of the values is an integer.

Definition at line 28 of file version.cpp.

28 {
29 return std::string(short_version_cstr());
30}

References short_version_cstr().

◆ sigma()

template<size_t R1, size_t R2, size_t S, std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr T Botan::sigma ( T x)
constexpr

SHA-2 Sigma style function

Definition at line 45 of file rotate.h.

45 {
46 return rotr<R1>(x) ^ rotr<R2>(x) ^ (x >> S);
47}

References BOTAN_FORCE_INLINE, and rotr().

Referenced by Botan::Kyber_Algos::expand_keypair(), SHA2_32_F(), and SHA2_64_F().

◆ sign_message()

std::array< uint8_t, 114 > Botan::sign_message ( std::span< const uint8_t, ED448_LEN > sk,
std::span< const uint8_t, ED448_LEN > pk,
bool f,
std::span< const uint8_t > context,
std::span< const uint8_t > msg )

Sign a message using a keypair (RFC 8032 5.2.6)

Parameters
skthe secret key
pkthe public key
fthe prehash flag (true iff using Ed448ph)
contextthe context string
msgthe message to sign
Returns
the signature

Definition at line 237 of file ed448_internal.cpp.

241 {
242 // 5.2.6. Signature Generation
243 // The inputs to the signing procedure is the private key, a 57-octet
244 // string, a flag F, which is 0 for Ed448, 1 for Ed448ph, context C of
245 // at most 255 octets, and a message M of arbitrary size.
246 // 1. Hash the private key, 57 octets, using SHAKE256(x, 114). Let h
247 // denote the resulting digest. Construct the secret scalar s from
248 // the first half of the digest, and the corresponding public key A,
249 // as described in the previous section. Let prefix denote the
250 // second half of the hash digest, h[57],...,h[113].
251 auto shake_xof = SHAKE_256_XOF();
252 shake_xof.update(sk);
253 const Scalar448 s = scalar_from_xof(shake_xof);
254 std::array<uint8_t, ED448_LEN> prefix{};
255 shake_xof.output(prefix);
256 // 2. Compute SHAKE256(dom4(F, C) || prefix || PH(M), 114), where M is
257 // the message to be signed, F is 1 for Ed448ph, 0 for Ed448, and C
258 // is the context to use. Interpret the 114-octet digest as a
259 // little-endian integer r.
260 const Scalar448 r(shake(pgflag, context, prefix, msg));
261 // 3. Compute the point [r]B. For efficiency, do this by first
262 // reducing r modulo L, the group order of B. Let the string R be
263 // the encoding of this point.
264 const auto big_r = (r * Ed448Point::base_point()).encode();
265 // 4. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and
266 // interpret the 114-octet digest as a little-endian integer k.
267 const Scalar448 k(shake(pgflag, context, big_r, pk, msg));
268 // 5. Compute S = (r + k * s) mod L. For efficiency, again reduce k
269 // modulo L first.
270 const auto big_s = r + k * s; //r_plus_ks_mod_L(r, k, s);
271 // 6. Form the signature of the concatenation of R (57 octets) and the
272 // little-endian encoding of S (57 octets; the ten most significant
273 // bits of the final octets are always zero).
274 std::array<uint8_t, 2 * ED448_LEN> sig{};
275 BufferStuffer stuf(sig);
276 stuf.append(big_r);
277 stuf.append(big_s.to_bytes<ED448_LEN>());
278 BOTAN_ASSERT(stuf.full(), "Buffer is full");
279
280 return sig;
281}
constexpr size_t ED448_LEN

References Botan::BufferStuffer::append(), Botan::Ed448Point::base_point(), BOTAN_ASSERT, ED448_LEN, and Botan::BufferStuffer::full().

◆ signature_check()

bool Botan::signature_check ( std::span< const uint8_t, 32 > pk,
const uint8_t h[32],
const uint8_t r[32],
const uint8_t s[32] )

Definition at line 1904 of file ge.cpp.

1904 {
1905 if(auto A = frombytes_negate_vartime(pk)) {
1906 std::array<uint8_t, 32> rcheck{};
1907 ge_double_scalarmult_vartime(rcheck, h, *A, s);
1908 return CT::is_equal(rcheck.data(), r, 32).as_bool();
1909 }
1910 return false;
1911}

References Botan::CT::is_equal().

Referenced by Botan::Ed25519_PublicKey::check_key(), and ed25519_verify().

◆ significant_bytes()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr size_t Botan::significant_bytes ( T n)
constexpr

Return the number of significant bytes in n

Parameters
nan integer value
Returns
number of significant bytes in n

Definition at line 76 of file bit_ops.h.

76 {
77 size_t b = 0;
78
79 for(size_t s = 8 * sizeof(T) / 2; s >= 8; s /= 2) {
80 const size_t z = s * (~ct_is_zero(n >> s) & 1);
81 b += z / 8;
82 n >>= z;
83 }
84
85 b += (n != 0);
86
87 return b;
88}

References BOTAN_FORCE_INLINE, and ct_is_zero().

◆ sm2_compute_za()

std::vector< uint8_t > Botan::sm2_compute_za ( HashFunction & hash,
std::string_view user_id,
const EC_Group & group,
const EC_AffinePoint & pubkey )

Definition at line 68 of file sm2.cpp.

71 {
72 if(user_id.size() >= 8192) {
73 throw Invalid_Argument("SM2 user id too long to represent");
74 }
75
76 const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
77
78 hash.update(get_byte<0>(uid_len));
79 hash.update(get_byte<1>(uid_len));
80 hash.update(user_id);
81
82 const size_t p_bytes = group.get_p_bytes();
83
84 hash.update(group.get_a().serialize(p_bytes));
85 hash.update(group.get_b().serialize(p_bytes));
86 hash.update(group.get_g_x().serialize(p_bytes));
87 hash.update(group.get_g_y().serialize(p_bytes));
88 hash.update(pubkey.xy_bytes());
89
90 return hash.final<std::vector<uint8_t>>();
91}
const BigInt & get_b() const
Definition ec_group.cpp:558
const BigInt & get_a() const
Definition ec_group.cpp:554
const BigInt & get_g_y() const
Definition ec_group.cpp:606
const BigInt & get_g_x() const
Definition ec_group.cpp:602
size_t get_p_bytes() const
Definition ec_group.cpp:538

References Botan::Buffered_Computation::final(), Botan::EC_Group::get_a(), Botan::EC_Group::get_b(), get_byte(), Botan::EC_Group::get_g_x(), Botan::EC_Group::get_g_y(), Botan::EC_Group::get_p_bytes(), Botan::BigInt::serialize(), Botan::Buffered_Computation::update(), and Botan::EC_AffinePoint::xy_bytes().

Referenced by botan_pubkey_sm2_compute_za().

◆ solinas_correct_redc()

template<size_t N, WordType W>
void Botan::solinas_correct_redc ( std::array< W, N > & r,
const std::array< W, N > & P,
const std::array< W, N > & C )
inlineconstexpr

Set r to r - C. Then if r < 0, add P to r

Definition at line 84 of file pcurves_solinas.h.

84 {
85 W borrow = 0;
86 for(size_t i = 0; i != N; ++i) {
87 r[i] = word_sub(r[i], C[i], &borrow);
88 }
89
90 const auto mask = CT::Mask<W>::expand(borrow).value();
91
92 W carry = 0;
93
94 for(size_t i = 0; i != N; ++i) {
95 r[i] = word_add(r[i], P[i] & mask, &carry);
96 }
97}

References carry(), Botan::CT::Mask< T >::expand(), word_add(), and word_sub().

◆ split_on()

BOTAN_TEST_API std::vector< std::string > Botan::split_on ( std::string_view str,
char delim )

Split a string

Parameters
strthe input string
delimthe delimitor
Returns
string split by delim

Definition at line 111 of file parsing.cpp.

111 {
112 std::vector<std::string> elems;
113 if(str.empty()) {
114 return elems;
115 }
116
117 std::string substr;
118 for(char c : str) {
119 if(c == delim) {
120 if(!substr.empty()) {
121 elems.push_back(substr);
122 }
123 substr.clear();
124 } else {
125 substr += c;
126 }
127 }
128
129 if(substr.empty()) {
130 throw Invalid_Argument(fmt("Unable to split string '{}", str));
131 }
132 elems.push_back(substr);
133
134 return elems;
135}

References fmt().

Referenced by argon2_check_pwhash(), Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), create_private_key(), Botan::TLS::Text_Policy::get_list(), load_private_key(), load_public_key(), pbes2_decrypt(), Botan::TLS::Text_Policy::read_cert_type_list(), Botan::TLS::Text_Policy::read_group_list(), read_kv(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), and Botan::X509_Cert_Options::X509_Cert_Options().

◆ sqrt_field_element()

template<typename C>
CT::Option< typename C::FieldElement > Botan::sqrt_field_element ( const typename C::FieldElement & fe)
inlineconstexpr

Field square root

Uses the specialized fe_sqrt if available, or otherwise the standard square root

Definition at line 59 of file pcurves_algos.h.

59 {
60 if constexpr(curve_supports_fe_sqrt<C>) {
61 auto z = C::fe_sqrt(fe);
62 // Zero out the return value if it would otherwise be incorrect
63 const CT::Choice correct = (z.square() == fe);
64 z.conditional_assign(!correct, C::FieldElement::zero());
65 return CT::Option(z, correct);
66 } else {
67 return fe.sqrt();
68 }
69}

Referenced by Botan::PCurve::PrimeOrderCurveImpl< C >::deserialize_point(), and map_to_curve_sswu().

◆ sqrt_modulo_prime()

BigInt Botan::sqrt_modulo_prime ( const BigInt & x,
const BigInt & p )

Compute the square root of x modulo a prime using the Tonelli-Shanks algorithm. This algorithm is primarily used for EC point decompression which takes only public inputs, as a consequence it is not written to be constant-time and may leak side-channel information about its arguments.

Parameters
xthe input
pthe prime modulus
Returns
y such that (y*y)p == x, or -1 if no such integer

Definition at line 26 of file numthry.cpp.

26 {
27 BOTAN_ARG_CHECK(p > 1, "invalid prime");
28 BOTAN_ARG_CHECK(a < p, "value to solve for must be less than p");
29 BOTAN_ARG_CHECK(a >= 0, "value to solve for must not be negative");
30
31 // some very easy cases
32 if(p == 2 || a <= 1) {
33 return a;
34 }
35
36 BOTAN_ARG_CHECK(p.is_odd(), "invalid prime");
37
38 if(jacobi(a, p) != 1) { // not a quadratic residue
39 return BigInt::from_s32(-1);
40 }
41
43 const Montgomery_Params monty_p(p, mod_p);
44
45 // If p == 3 (mod 4) there is a simple solution
46 if(p % 4 == 3) {
47 return monty_exp_vartime(monty_p, a, ((p + 1) >> 2)).value();
48 }
49
50 // Otherwise we have to use Shanks-Tonelli
51 size_t s = low_zero_bits(p - 1);
52 BigInt q = p >> s;
53
54 q -= 1;
55 q >>= 1;
56
57 BigInt r = monty_exp_vartime(monty_p, a, q).value();
58 BigInt n = mod_p.multiply(a, mod_p.square(r));
59 r = mod_p.multiply(r, a);
60
61 if(n == 1) {
62 return r;
63 }
64
65 // find random quadratic nonresidue z
66 word z = 2;
67 for(;;) {
68 if(jacobi(BigInt::from_word(z), p) == -1) { // found one
69 break;
70 }
71
72 z += 1; // try next z
73
74 /*
75 * The expected number of tests to find a non-residue modulo a
76 * prime is 2. If we have not found one after 256 then almost
77 * certainly we have been given a non-prime p.
78 */
79 if(z >= 256) {
80 return BigInt::from_s32(-1);
81 }
82 }
83
84 BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1).value();
85
86 while(n > 1) {
87 q = n;
88
89 size_t i = 0;
90 while(q != 1) {
91 q = mod_p.square(q);
92 ++i;
93
94 if(i >= s) {
95 return BigInt::from_s32(-1);
96 }
97 }
98
99 BOTAN_ASSERT_NOMSG(s >= (i + 1)); // No underflow!
100 c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1)).value();
101 r = mod_p.multiply(r, c);
102 c = mod_p.square(c);
103 n = mod_p.multiply(n, c);
104
105 // s decreases as the algorithm proceeds
106 BOTAN_ASSERT_NOMSG(s >= i);
107 s = i;
108 }
109
110 return r;
111}
static Barrett_Reduction for_public_modulus(const BigInt &m)
Definition barrett.cpp:33
static BigInt from_s32(int32_t n)
Definition bigint.cpp:41
BigInt & square(secure_vector< word > &ws)
Definition big_ops2.cpp:175
Montgomery_Int monty_exp_vartime(const Montgomery_Params &params_p, const BigInt &g, const BigInt &k)
Definition monty_exp.h:55

References BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::Barrett_Reduction::for_public_modulus(), Botan::BigInt::from_s32(), Botan::BigInt::from_word(), Botan::BigInt::is_odd(), jacobi(), low_zero_bits(), monty_exp_vartime(), Botan::BigInt::power_of_2(), Botan::BigInt::square(), and Botan::Montgomery_Int::value().

◆ square() [1/2]

BigInt Botan::square ( const BigInt & x)

◆ square() [2/2]

Gf448Elem Botan::square ( const Gf448Elem & elem)

Computes elem^2. Faster than operator*.

Definition at line 311 of file curve448_gf.cpp.

311 {
312 Gf448Elem res(0);
313 gf_square(res.words(), elem.words());
314 return res;
315}

References Botan::Gf448Elem::words().

◆ srp6_client_agree() [1/2]

std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( std::string_view username,
std::string_view password,
const DL_Group & group,
std::string_view hash_id,
const std::vector< uint8_t > & salt,
const BigInt & B,
size_t a_bits,
RandomNumberGenerator & rng )

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
groupspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
a_bitssize of secret exponent in bits
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 78 of file srp6.cpp.

85 {
86 BOTAN_ARG_CHECK(a_bits <= group.p_bits(), "Invalid a_bits");
87
88 const BigInt& g = group.get_g();
89 const BigInt& p = group.get_p();
90
91 const size_t p_bytes = group.p_bytes();
92
93 if(B <= 0 || B >= p) {
94 throw Decoding_Error("Invalid SRP parameter from server");
95 }
96
97 auto hash_fn = HashFunction::create_or_throw(hash_id);
98 if(8 * hash_fn->output_length() >= group.p_bits()) {
99 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
100 }
101
102 const BigInt k = hash_seq(*hash_fn, p_bytes, p, g);
103
104 const BigInt a(rng, a_bits);
105
106 const BigInt A = group.power_g_p(a, a_bits);
107
108 const BigInt u = hash_seq(*hash_fn, p_bytes, A, B);
109
110 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
111
112 const BigInt g_x_p = group.power_g_p(x, hash_fn->output_length() * 8);
113
114 const BigInt B_k_g_x_p = group.mod_p(B + group.mod_p(p - group.multiply_mod_p(k, g_x_p)));
115
116 const BigInt a_ux = a + u * x;
117
118 const size_t max_aux_bits = std::max<size_t>(a_bits + 1, 2 * 8 * hash_fn->output_length());
119 BOTAN_ASSERT_NOMSG(max_aux_bits >= a_ux.bits());
120
121 const BigInt S = group.power_b_p(B_k_g_x_p, a_ux, max_aux_bits);
122
123 const SymmetricKey Sk(S.serialize<secure_vector<uint8_t>>(p_bytes));
124
125 return std::make_pair(A, Sk);
126}
BigInt power_g_p(const BigInt &x) const
Definition dl_group.h:263
BigInt mod_p(const BigInt &x) const
Definition dl_group.cpp:531
BigInt multiply_mod_p(const BigInt &x, const BigInt &y) const
Definition dl_group.cpp:535
size_t p_bits() const
Definition dl_group.cpp:500
const BigInt & get_p() const
Definition dl_group.cpp:474
size_t p_bytes() const
Definition dl_group.cpp:504
BigInt power_b_p(const BigInt &b, const BigInt &x, size_t max_x_bits) const
Definition dl_group.cpp:581
const BigInt & get_g() const
Definition dl_group.cpp:481
OctetString SymmetricKey
Definition symkey.h:140

References Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::get_g(), Botan::DL_Group::get_p(), Botan::DL_Group::mod_p(), Botan::DL_Group::multiply_mod_p(), Botan::DL_Group::p_bits(), Botan::DL_Group::p_bytes(), Botan::DL_Group::power_b_p(), Botan::DL_Group::power_g_p(), and Botan::BigInt::serialize().

◆ srp6_client_agree() [2/2]

std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( std::string_view username,
std::string_view password,
std::string_view group_id,
std::string_view hash_id,
const std::vector< uint8_t > & salt,
const BigInt & B,
RandomNumberGenerator & rng )

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 65 of file srp6.cpp.

71 {
72 auto group = DL_Group::from_name(group_id);
73 const size_t a_bits = group.exponent_bits();
74
75 return srp6_client_agree(identifier, password, group, hash_id, salt, B, a_bits, rng);
76}
std::pair< BigInt, SymmetricKey > srp6_client_agree(std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
Definition srp6.cpp:65

References Botan::DL_Group::from_name(), and srp6_client_agree().

Referenced by botan_srp6_client_agree(), and srp6_client_agree().

◆ srp6_generate_verifier() [1/2]

BigInt Botan::srp6_generate_verifier ( std::string_view identifier,
std::string_view password,
const std::vector< uint8_t > & salt,
const DL_Group & group,
std::string_view hash_id )

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
groupspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 137 of file srp6.cpp.

141 {
142 auto hash_fn = HashFunction::create_or_throw(hash_id);
143 if(8 * hash_fn->output_length() >= group.p_bits()) {
144 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
145 }
146
147 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
148 return group.power_g_p(x, hash_fn->output_length() * 8);
149}

References Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::p_bits(), and Botan::DL_Group::power_g_p().

◆ srp6_generate_verifier() [2/2]

BigInt Botan::srp6_generate_verifier ( std::string_view identifier,
std::string_view password,
const std::vector< uint8_t > & salt,
std::string_view group_id,
std::string_view hash_id )

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 128 of file srp6.cpp.

132 {
133 auto group = DL_Group::from_name(group_id);
134 return srp6_generate_verifier(identifier, password, salt, group, hash_id);
135}
BigInt srp6_generate_verifier(std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
Definition srp6.cpp:128

References Botan::DL_Group::from_name(), and srp6_generate_verifier().

Referenced by botan_srp6_generate_verifier(), and srp6_generate_verifier().

◆ srp6_group_identifier()

std::string Botan::srp6_group_identifier ( const BigInt & N,
const BigInt & g )

Return the group id for this SRP param set, or else thrown an exception

Parameters
Nthe group modulus
gthe group generator
Returns
group identifier

Definition at line 46 of file srp6.cpp.

46 {
47 /*
48 This function assumes that only one 'standard' SRP parameter set has
49 been defined for a particular bitsize. As of this writing that is the case.
50 */
51 try {
52 const std::string group_name = "modp/srp/" + std::to_string(N.bits());
53
54 auto group = DL_Group::from_name(group_name);
55
56 if(group.get_p() == N && group.get_g() == g) {
57 return group_name;
58 }
59 } catch(...) {}
60
61 // If we didn't return, the group was unknown or did not match
62 throw Invalid_Argument("Invalid or unknown SRP group parameters");
63}

References Botan::BigInt::bits(), and Botan::DL_Group::from_name().

◆ SSWU_C1()

template<typename C>
requires C::ValidForSswuHash
const auto & Botan::SSWU_C1 ( )

SSWU constant C1 - (-B / A)

See RFC 9380 section 6.6.2

Definition at line 1668 of file pcurves_impl.h.

1670{
1671 // TODO(Botan4) Make this a constexpr
1672 // We derive it from C2 to avoid a second inversion
1673 static const typename C::FieldElement C1 = (SSWU_C2<C>() * C::SSWU_Z).negate();
1674 return C1;
1675}

References SSWU_C2().

Referenced by map_to_curve_sswu().

◆ SSWU_C2()

template<typename C>
requires C::ValidForSswuHash
const auto & Botan::SSWU_C2 ( )

SSWU constant C2 - (B / (Z * A))

See RFC 9380 section 6.6.2

Definition at line 1654 of file pcurves_impl.h.

1656{
1657 // TODO(Botan4) Make this a constexpr once compilers have caught up
1658 static const typename C::FieldElement C2 = C::B * invert_field_element<C>(C::SSWU_Z * C::A);
1659 return C2;
1660}

References invert_field_element().

Referenced by map_to_curve_sswu(), and SSWU_C1().

◆ store_be()

template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
auto Botan::store_be ( ParamTs &&... params)
inlineconstexpr

Store "something" in big endian byte order See the documentation of this file for more details.

Definition at line 745 of file loadstor.h.

745 {
746 return detail::store_any<std::endian::big, ModifierT>(std::forward<ParamTs>(params)...);
747}
constexpr void store_any(WrappedInT wrapped_in, OutR &&out_range)
Definition loadstor.h:525

References Botan::detail::store_any().

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::BigInt::binary_encode(), Botan::BlindedScalarBits< C, WindowBits+1 >::BlindedScalarBits(), camellia_gfni_decrypt12(), camellia_gfni_decrypt9(), camellia_gfni_encrypt12(), camellia_gfni_encrypt9(), Botan::FPE_FE1::decrypt(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::AlternativeName::encode_into(), Botan::CryptoBox::encrypt(), Botan::FPE_FE1::encrypt(), Botan::TLS::Session::encrypt(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::TLS::Connection_Cipher_State::format_ad(), Botan::Kyber_Modern_Symmetric_Primitives::get_PRF(), Botan::ML_KEM_Symmetric_Primitives::get_PRF(), Botan::Kyber_Modern_Symmetric_Primitives::get_XOF(), Botan::ML_KEM_Symmetric_Primitives::get_XOF(), hkdf_expand_label(), ipv4_to_string(), lmots_compute_pubkey_from_sig(), Botan::LMOTS_Public_Key::LMOTS_Public_Key(), Botan::TLS::make_hello_random(), Botan::TPM2::Context::manufacturer(), Botan::TLS::Cipher_State::next_ticket_nonce(), nist_key_wrap(), nist_key_wrap_padded(), Botan::XMSS_PublicKey::raw_public_key_bits(), Botan::CTR_BE::seek(), Botan::TLS::New_Session_Ticket_12::serialize(), Botan::TLS::New_Session_Ticket_13::serialize(), Botan::IntMod< MontgomeryRep< ScalarParams > >::serialize_to(), Botan::PseudorandomKeyGeneration::set_i(), Botan::PseudorandomKeyGeneration::set_j(), Botan::PseudorandomKeyGeneration::set_q(), Botan::HSS_LMS_PrivateKeyInternal::sign(), Botan::LMOTS_Private_Key::sign(), Botan::LMS_PrivateKey::sign_and_get_pk(), Botan::SIMD_4x32::store_be(), Botan::HSS_LMS_PrivateKeyInternal::to_bytes(), Botan::HSS_LMS_PublicKeyInternal::to_bytes(), Botan::LMS_PublicKey::to_bytes(), Botan::Sphincs_Address::to_bytes(), Botan::Sphincs_Address::to_bytes_compressed(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), and Botan::TPM2::Context::vendor().

◆ store_le()

template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
auto Botan::store_le ( ParamTs &&... params)
inlineconstexpr

◆ string_join()

std::string Botan::string_join ( const std::vector< std::string > & strs,
char delim )

Join a string

Parameters
strsstrings to join
delimthe delimitor
Returns
string joined by delim

Definition at line 140 of file parsing.cpp.

140 {
141 std::ostringstream out;
142
143 for(size_t i = 0; i != strs.size(); ++i) {
144 if(i != 0) {
145 out << delim;
146 }
147 out << strs[i];
148 }
149
150 return out.str();
151}

Referenced by Botan::CPUID::to_string(), and Botan::Key_Constraints::to_string().

◆ string_to_ipv4()

std::optional< uint32_t > BOTAN_TEST_API Botan::string_to_ipv4 ( std::string_view ip_str)

Convert a string representation of an IPv4 address to a number

Parameters
ip_strthe string representation
Returns
integer IPv4 address

Definition at line 156 of file parsing.cpp.

156 {
157 // At least 3 dots + 4 1-digit integers
158 // At most 3 dots + 4 3-digit integers
159 if(str.size() < 3 + 4 * 1 || str.size() > 3 + 4 * 3) {
160 return {};
161 }
162
163 // the final result
164 uint32_t ip = 0;
165 // the number of '.' seen so far
166 size_t dots = 0;
167 // accumulates one quad (range 0-255)
168 uint32_t accum = 0;
169 // # of digits pushed to accum since last dot
170 size_t cur_digits = 0;
171
172 for(char c : str) {
173 if(c == '.') {
174 // . without preceding digit is invalid
175 if(cur_digits == 0) {
176 return {};
177 }
178 dots += 1;
179 // too many dots
180 if(dots > 3) {
181 return {};
182 }
183
184 cur_digits = 0;
185 ip = (ip << 8) | accum;
186 accum = 0;
187 } else if(c >= '0' && c <= '9') {
188 const auto d = static_cast<uint8_t>(c - '0');
189
190 // prohibit leading zero in quad (used for octal)
191 if(cur_digits > 0 && accum == 0) {
192 return {};
193 }
194 accum = (accum * 10) + d;
195
196 if(accum > 255) {
197 return {};
198 }
199
200 cur_digits++;
201 BOTAN_ASSERT_NOMSG(cur_digits <= 3);
202 } else {
203 return {};
204 }
205 }
206
207 // no trailing digits?
208 if(cur_digits == 0) {
209 return {};
210 }
211
212 // insufficient # of dots
213 if(dots != 3) {
214 return {};
215 }
216
217 ip = (ip << 8) | accum;
218
219 return ip;
220}

References BOTAN_ASSERT_NOMSG.

Referenced by Botan::AlternativeName::add_attribute(), Botan::AlternativeName::AlternativeName(), Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), and Botan::X509_Certificate::matches_dns_name().

◆ swap_bits()

template<std::unsigned_integral T>
BOTAN_FORCE_INLINE constexpr void Botan::swap_bits ( T & x,
T & y,
T mask,
size_t shift )
constexpr

Definition at line 182 of file bit_ops.h.

182 {
183 const T swap = ((x >> shift) ^ y) & mask;
184 x ^= swap << shift;
185 y ^= swap;
186}

References BOTAN_FORCE_INLINE.

◆ swar_in_range()

template<std::unsigned_integral T>
T Botan::swar_in_range ( T v,
T lower,
T upper )
constexpr

SWAR (SIMD within a word) byte-by-byte comparison

This individually compares each byte of the provided words. It returns a mask which contains, for each byte, 0x80 if the byte in a was less than the byte in b. Otherwise the mask is 00.

This implementation assumes that the high bits of each byte in both lower and upper are clear! It is possible to support the full range of bytes, but this requires additional comparisons.

Definition at line 114 of file int_utils.h.

114 {
115 // The constant 0x808080... as a T
116 constexpr T hi1 = (static_cast<T>(-1) / 255) << 7;
117 // The constant 0x7F7F7F... as a T
118 constexpr T lo7 = ~hi1;
119
120 const T sub = ((v | hi1) - (lower & lo7)) ^ ((v ^ (~lower)) & hi1);
121 const T a_lo = sub & lo7;
122 const T a_hi = sub & hi1;
123 return (lo7 - a_lo + upper) & hi1 & ~a_hi;
124}

◆ swar_lt()

template<std::unsigned_integral T>
T Botan::swar_lt ( T a,
T b )
constexpr

SWAR (SIMD within a word) byte-by-byte comparison

This individually compares each byte of the provided words. It returns a mask which contains, for each byte, 0xFF if the byte in a was less than the byte in b. Otherwise the mask is 00.

This implementation assumes that the high bits of each byte in both a and b are clear! It is possible to support the full range of bytes, but this requires additional comparisons.

Definition at line 91 of file int_utils.h.

91 {
92 // The constant 0x808080... as a T
93 constexpr T hi1 = (static_cast<T>(-1) / 255) << 7;
94 // The constant 0x7F7F7F... as a T
95 constexpr T lo7 = static_cast<T>(~hi1);
96 T r = (lo7 - a + b) & hi1;
97 // Currently the mask is 80 if lt, otherwise 00. Convert to FF/00
98 return (r << 1) - (r >> 7);
99}

◆ syndrome_init()

std::vector< polyn_gf2m > Botan::syndrome_init ( const polyn_gf2m & generator,
const std::vector< gf2m > & support,
int n )

Definition at line 606 of file polyn_gf2m.cpp.

606 {
607 int i = 0;
608 int j = 0;
609 int t = 0;
610 gf2m a = 0;
611
612 std::shared_ptr<GF2m_Field> m_sp_field = generator.get_sp_field();
613
614 std::vector<polyn_gf2m> result;
615 t = generator.get_degree();
616
617 //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
618 //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
619
620 for(j = 0; j < n; j++) {
621 result.push_back(polyn_gf2m(t - 1, m_sp_field));
622
623 (*&result[j]).set_coef(t - 1, 1);
624 for(i = t - 2; i >= 0; i--) {
625 (*&result[j]).set_coef(i, (generator)[i + 1] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][i + 1]));
626 }
627 a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][0]));
628 for(i = 0; i < t; i++) {
629 (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i], a));
630 }
631 }
632 return result;
633}
gf2m lex_to_gray(gf2m lex)

References Botan::polyn_gf2m::get_degree(), Botan::polyn_gf2m::get_sp_field(), and lex_to_gray().

Referenced by generate_mceliece_key().

◆ system_rng()

◆ throw_invalid_argument()

void BOTAN_UNSTABLE_API Botan::throw_invalid_argument ( const char * message,
const char * func,
const char * file )

Called when an invalid argument is used Throws Invalid_Argument

Definition at line 22 of file assert.cpp.

22 {
23 throw Invalid_Argument(fmt("{} in {}:{}", message, func, file));
24}

References fmt().

◆ throw_invalid_state()

void BOTAN_UNSTABLE_API Botan::throw_invalid_state ( const char * message,
const char * func,
const char * file )

Called when an invalid state is encountered Throws Invalid_State

Definition at line 26 of file assert.cpp.

26 {
27 throw Invalid_State(fmt("Invalid state: expr {} was false in {}:{}", expr, func, file));
28}

References fmt().

◆ to_affine()

template<typename C>
auto Botan::to_affine ( const typename C::ProjectivePoint & pt)
inlineconstexpr

Convert a projective point into affine

Definition at line 75 of file pcurves_algos.h.

75 {
76 // Not strictly required right? - default should work as long
77 // as (0,0) is identity and invert returns 0 on 0
78
79 if constexpr(curve_supports_fe_invert2<C>) {
80 const auto z2_inv = C::fe_invert2(pt.z());
81 const auto z3_inv = z2_inv.square() * pt.z();
82 return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv);
83 } else {
84 const auto z_inv = invert_field_element<C>(pt.z());
85 const auto z2_inv = z_inv.square();
86 const auto z3_inv = z_inv * z2_inv;
87 return typename C::AffinePoint(pt.x() * z2_inv, pt.y() * z3_inv);
88 }
89}

References invert_field_element().

Referenced by Botan::PCurve::GenericPrimeOrderCurve::point_to_affine(), Botan::PCurve::PrimeOrderCurveImpl< C >::point_to_affine(), and to_affine_batch().

◆ to_affine_batch()

template<typename C>
auto Botan::to_affine_batch ( std::span< const typename C::ProjectivePoint > projective)

Definition at line 106 of file pcurves_algos.h.

106 {
107 using AffinePoint = typename C::AffinePoint;
108
109 const size_t N = projective.size();
110 std::vector<AffinePoint> affine;
111 affine.reserve(N);
112
113 CT::Choice any_identity = CT::Choice::no();
114
115 for(const auto& pt : projective) {
116 any_identity = any_identity || pt.is_identity();
117 }
118
119 // Conditional acceptable: N is public. State of points is not necessarily
120 // public, but we don't leak which point was the identity. In practice with
121 // the algorithms currently in use, the only time an identity can occur is
122 // during mul2 where the two points g/h have a small relation (ie h = g*k for
123 // some k < 16)
124
125 if(N <= 2 || any_identity.as_bool()) {
126 // If there are identity elements, using the batch inversion gets
127 // tricky. It can be done, but this should be a rare situation so
128 // just punt to the serial conversion if it occurs
129 for(size_t i = 0; i != N; ++i) {
130 affine.push_back(to_affine<C>(projective[i]));
131 }
132 } else {
133 std::vector<typename C::FieldElement> c;
134 c.reserve(N);
135
136 /*
137 Batch projective->affine using Montgomery's trick
138
139 See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography"
140 (Hankerson, Menezes, Vanstone)
141 */
142
143 c.push_back(projective[0].z());
144 for(size_t i = 1; i != N; ++i) {
145 c.push_back(c[i - 1] * projective[i].z());
146 }
147
148 auto s_inv = invert_field_element<C>(c[N - 1]);
149
150 for(size_t i = N - 1; i > 0; --i) {
151 const auto& p = projective[i];
152
153 const auto z_inv = s_inv * c[i - 1];
154 const auto z2_inv = z_inv.square();
155 const auto z3_inv = z_inv * z2_inv;
156
157 s_inv = s_inv * p.z();
158
159 affine.push_back(AffinePoint(p.x() * z2_inv, p.y() * z3_inv));
160 }
161
162 const auto z2_inv = s_inv.square();
163 const auto z3_inv = s_inv * z2_inv;
164 affine.push_back(AffinePoint(projective[0].x() * z2_inv, projective[0].y() * z3_inv));
165 std::reverse(affine.begin(), affine.end());
166 return affine;
167 }
168
169 return affine;
170}
static constexpr Choice no()
Definition ct_utils.h:335
constexpr bool as_bool() const
Definition ct_utils.h:357
constexpr auto to_affine(const typename C::ProjectivePoint &pt)

References Botan::CT::Choice::as_bool(), invert_field_element(), Botan::CT::Choice::no(), and to_affine().

Referenced by Botan::AffinePointTable< C, R >::AffinePointTable(), basemul_setup(), and Botan::VartimeMul2Table< C, W >::VartimeMul2Table().

◆ to_affine_x()

template<typename C>
auto Botan::to_affine_x ( const typename C::ProjectivePoint & pt)

Convert a projective point into affine and return x coordinate only

Definition at line 95 of file pcurves_algos.h.

95 {
96 if constexpr(curve_supports_fe_invert2<C>) {
97 return pt.x() * C::fe_invert2(pt.z());
98 } else {
99 const auto z_inv = invert_field_element<C>(pt.z());
100 const auto z2_inv = z_inv.square();
101 return pt.x() * z2_inv;
102 }
103}

References invert_field_element().

Referenced by Botan::PCurve::GenericPrimeOrderCurve::base_point_mul_x_mod_order(), Botan::PCurve::PrimeOrderCurveImpl< C >::base_point_mul_x_mod_order(), Botan::PCurve::GenericPrimeOrderCurve::mul_x_only(), and Botan::PCurve::PrimeOrderCurveImpl< C >::mul_x_only().

◆ to_string() [1/2]

const char * Botan::to_string ( Certificate_Status_Code code)

Convert a status code to a human readable diagnostic message

Parameters
codethe certifcate status
Returns
string literal constant, or nullptr if code unknown

Definition at line 11 of file cert_status.cpp.

11 {
12 switch(code) {
14 return "Verified";
16 return "OCSP response accepted as affirming unrevoked status for certificate";
18 return "Signature on OCSP response was found valid";
20 return "Valid CRL examined";
21
23 return "Certificate serial number is negative";
25 return "Distinguished name too long";
27 return "OCSP URL not available";
29 return "OCSP server not available";
31 return "Trusted certificate is not yet valid";
33 return "Trusted certificate has expired";
35 return "OCSP issuer is not trustworthy";
36
38 return "No revocation data";
40 return "Signature method too weak";
42 return "Hash function used is considered too weak for security";
43
45 return "Certificate is not yet valid";
47 return "Certificate has expired";
49 return "OCSP is not yet valid";
51 return "OCSP response has expired";
53 return "OCSP response is too old";
55 return "CRL response is not yet valid";
57 return "CRL has expired";
58
60 return "Certificate issuer not found";
62 return "Cannot establish trust";
64 return "Loop in certificate chain";
66 return "Certificate chain does not end in a CA certificate";
68 return "Certificate issuer does not match subject of issuing cert";
69
71 return "Certificate policy error";
73 return "Certificate contains duplicate policy";
75 return "Certificate does not allow the requested usage";
77 return "Certificate chain too long";
79 return "CA certificate not allowed to issue certs";
81 return "CA certificate not allowed to issue CRLs";
83 return "No CRL with matching distribution point for certificate";
85 return "OCSP cert not listed";
87 return "OCSP bad status";
89 return "Certificate does not match provided name";
91 return "Certificate does not pass name constraint";
93 return "IP Address Blocks extension invalid";
95 return "AS Number Blocks extension invalid";
97 return "Unknown critical extension encountered";
99 return "Duplicate certificate extension encountered";
101 return "Encountered extension in certificate with version that does not allow it";
103 return "Encountered v2 identifiers in v1 certificate";
105 return "OCSP signature error";
107 return "Unable to find certificate issusing OCSP response";
109 return "OCSP issuer's keyusage prohibits OCSP";
111 return "OCSP parsing valid";
113 return "OCSP requests not available, no HTTP support compiled in";
115 return "Certificate is revoked";
117 return "CRL bad signature";
119 return "Signature error";
121 return "Certificate public key invalid";
123 return "Certificate signed with unknown/unavailable algorithm";
125 return "Certificate signature has invalid parameters";
126
127 // intentionally no default so we are warned if new enum values are added
128 }
129
130 return nullptr;
131}

References AS_BLOCKS_ERROR, CA_CERT_NOT_FOR_CERT_ISSUER, CA_CERT_NOT_FOR_CRL_ISSUER, CANNOT_ESTABLISH_TRUST, CERT_CHAIN_LOOP, CERT_CHAIN_TOO_LONG, CERT_HAS_EXPIRED, CERT_IS_REVOKED, CERT_ISSUER_NOT_FOUND, CERT_NAME_NOMATCH, CERT_NOT_YET_VALID, CERT_PUBKEY_INVALID, CERT_SERIAL_NEGATIVE, CHAIN_LACKS_TRUST_ROOT, CHAIN_NAME_MISMATCH, CRL_BAD_SIGNATURE, CRL_HAS_EXPIRED, CRL_NOT_YET_VALID, DN_TOO_LONG, DUPLICATE_CERT_EXTENSION, DUPLICATE_CERT_POLICY, EXT_IN_V1_V2_CERT, INVALID_USAGE, IPADDR_BLOCKS_ERROR, NAME_CONSTRAINT_ERROR, NO_MATCHING_CRLDP, NO_REVOCATION_DATA, OCSP_BAD_STATUS, OCSP_CERT_NOT_LISTED, OCSP_HAS_EXPIRED, OCSP_IS_TOO_OLD, OCSP_ISSUER_NOT_FOUND, OCSP_ISSUER_NOT_TRUSTED, OCSP_NO_HTTP, OCSP_NO_REVOCATION_URL, OCSP_NOT_YET_VALID, OCSP_RESPONSE_GOOD, OCSP_RESPONSE_INVALID, OCSP_RESPONSE_MISSING_KEYUSAGE, OCSP_SERVER_NOT_AVAILABLE, OCSP_SIGNATURE_ERROR, OCSP_SIGNATURE_OK, POLICY_ERROR, SIGNATURE_ALGO_BAD_PARAMS, SIGNATURE_ALGO_UNKNOWN, SIGNATURE_ERROR, SIGNATURE_METHOD_TOO_WEAK, TRUSTED_CERT_HAS_EXPIRED, TRUSTED_CERT_NOT_YET_VALID, UNKNOWN_CRITICAL_EXTENSION, UNTRUSTED_HASH, V2_IDENTIFIERS_IN_V1_CERT, VALID_CRL_CHECKED, and VERIFIED.

◆ to_string() [2/2]

std::string Botan::to_string ( ErrorType type)

Convert an ErrorType to string.

Definition at line 13 of file exceptn.cpp.

13 {
14 switch(type) {
16 return "Unknown";
18 return "SystemError";
20 return "NotImplemented";
22 return "OutOfMemory";
24 return "InternalError";
26 return "IoError";
28 return "InvalidObjectState";
30 return "KeyNotSet";
32 return "InvalidArgument";
34 return "InvalidKeyLength";
36 return "InvalidNonceLength";
38 return "LookupError";
40 return "EncodingFailure";
42 return "DecodingFailure";
44 return "TLSError";
46 return "HttpError";
48 return "InvalidTag";
50 return "RoughtimeError";
52 return "CommonCryptoError";
54 return "Pkcs11Error";
56 return "TPMError";
58 return "DatabaseError";
60 return "ZlibError";
62 return "Bzip2Error";
64 return "LzmaError";
65 }
66
67 // No default case in above switch so compiler warns
68 return "Unrecognized Botan error";
69}

References Bzip2Error, CommonCryptoError, DatabaseError, DecodingFailure, EncodingFailure, HttpError, InternalError, InvalidArgument, InvalidKeyLength, InvalidNonceLength, InvalidObjectState, InvalidTag, IoError, KeyNotSet, LookupError, LzmaError, NotImplemented, OutOfMemory, Pkcs11Error, RoughtimeError, SystemError, TLSError, TPMError, Unknown, and ZlibError.

Referenced by Botan::TLS::Server_Hello_13::basic_validation(), botan_x509_cert_validation_status(), Botan::PKCS11::PKCS11_ReturnError::PKCS11_ReturnError(), and Botan::Path_Validation_Result::status_string().

◆ to_u32bit()

BOTAN_TEST_API uint32_t Botan::to_u32bit ( std::string_view str)

Convert a decimal string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 32 of file parsing.cpp.

32 {
33 const std::string str(str_view);
34
35 // std::stoul is not strict enough. Ensure that str is digit only [0-9]*
36 for(const char chr : str) {
37 if(chr < '0' || chr > '9') {
38 throw Invalid_Argument("to_u32bit invalid decimal string '" + str + "'");
39 }
40 }
41
42 const unsigned long int x = std::stoul(str);
43
44 if constexpr(sizeof(unsigned long int) > 4) {
45 // x might be uint64
46 if(x > std::numeric_limits<uint32_t>::max()) {
47 throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range");
48 }
49 }
50
51 return static_cast<uint32_t>(x);
52}

Referenced by Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_as_integer(), argon2_check_pwhash(), create_private_key(), Botan::TLS::Text_Policy::get_len(), Botan::HTTP::http_sync(), and to_uint16().

◆ to_uint16()

uint16_t Botan::to_uint16 ( std::string_view str)

Convert a decimal string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 22 of file parsing.cpp.

22 {
23 const uint32_t x = to_u32bit(str);
24
25 if(x != static_cast<uint16_t>(x)) {
26 throw Invalid_Argument("Integer value exceeds 16 bit range");
27 }
28
29 return static_cast<uint16_t>(x);
30}

References to_u32bit().

Referenced by check_bcrypt(), and Botan::TLS::Text_Policy::srtp_profiles().

◆ to_underlying()

template<typename T>
requires std::is_enum_v<T>
auto Botan::to_underlying ( T e)
noexcept

Definition at line 409 of file stl_util.h.

409 {
410 return static_cast<std::underlying_type_t<T>>(e);
411}

◆ tolower_string()

std::string Botan::tolower_string ( std::string_view in)

Definition at line 241 of file parsing.cpp.

241 {
242 std::string s(in);
243 for(char& c : s) {
244 const int cu = static_cast<unsigned char>(c);
245 if(std::isalpha(cu) != 0) {
246 c = static_cast<char>(std::tolower(cu));
247 }
248 }
249 return s;
250}

Referenced by Botan::AlternativeName::add_dns(), Botan::GeneralName::decode_from(), and host_wildcard_match().

◆ treehash() [1/2]

BOTAN_TEST_API void Botan::treehash ( StrongSpan< SphincsTreeNode > out_root,
StrongSpan< SphincsAuthenticationPath > out_auth_path,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes,
std::optional< TreeNodeIndex > leaf_idx,
uint32_t idx_offset,
uint32_t tree_height,
const GenerateLeafFunction & gen_leaf,
Sphincs_Address & tree_address )

Implements a generic Merkle tree hash. Will be used for both FORS and XMSS signatures. gen_leaf is used to create leaf nodes in the respective trees. Additionally XMSS uses the gen_leaf logic to store the WOTS Signature in the main SLH-DSA signature. The leaf_idx is the index of leaf to sign. If only the root node must be computed (without a signature), the leaf_idx is set to std::nullopt.

Definition at line 17 of file sp_treehash.cpp.

25 {
26 BOTAN_ASSERT_NOMSG(out_root.size() == params.n());
27 BOTAN_ASSERT_NOMSG(out_auth_path.size() == params.n() * total_tree_height);
28
29 const TreeNodeIndex max_idx(uint32_t((1 << total_tree_height) - 1));
30
31 std::vector<uint8_t> stack(total_tree_height * params.n());
32 SphincsTreeNode current_node(params.n()); // Current logical node
33
34 /* Traverse the tree from the left-most leaf, matching siblings and up until
35 * the root (Post-order traversal). Collect the adjacent nodes (A) to build
36 * the authentication path (X) along the way.
37 *
38 * 7R
39 * / \
40 * 3X 6A
41 * / \ / \
42 * 1X 2A 4 5
43 */
44 for(TreeNodeIndex idx(0); true; ++idx) {
45 tree_address.set_tree_height(TreeLayerIndex(0));
46 gen_leaf(current_node, idx + idx_offset);
47
48 // Now combine the freshly generated right node with previously generated
49 // left ones
50 uint32_t internal_idx_offset = idx_offset;
51 TreeNodeIndex internal_idx = idx;
52 auto internal_leaf = leaf_idx;
53
54 for(TreeLayerIndex h(0); true; ++h) {
55 // Check if we hit the top of the tree
56 if(h.get() == total_tree_height) {
57 copy_mem(out_root, current_node);
58 return;
59 }
60
61 // Check if the node we have is a part of the authentication path; if
62 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
63 // is 1 iff they have the same parent node in the FORS tree
64 if(internal_leaf.has_value() && (internal_idx ^ internal_leaf.value()) == 0x01U) {
65 auto auth_path_location = out_auth_path.get().subspan(h.get() * params.n(), params.n());
66 copy_mem(auth_path_location, current_node);
67 }
68
69 // At this point we know that we'll need to use the stack. Get a
70 // reference to the correct location.
71 auto stack_location = std::span(stack).subspan(h.get() * params.n(), params.n());
72
73 // Check if we're at a left child; if so, stop going up the stack
74 // Exception: if we've reached the end of the tree, keep on going (so
75 // we combine the last 4 nodes into the one root node in two more
76 // iterations)
77 if((internal_idx & 1) == 0U && idx < max_idx) {
78 // We've hit a left child; save the current for when we get the
79 // corresponding right child.
80 copy_mem(stack_location, current_node);
81 break;
82 }
83
84 // Ok, we're at a right node. Now combine the left and right logical
85 // nodes together.
86
87 // Set the address of the node we're creating.
88 internal_idx_offset /= 2;
89 tree_address.set_tree_height(h + 1);
90 tree_address.set_tree_index(internal_idx / 2 + internal_idx_offset);
91
92 hashes.T(current_node, tree_address, stack_location, current_node);
93
94 internal_idx /= 2;
95 if(internal_leaf.has_value()) {
96 internal_leaf.value() /= 2;
97 }
98 }
99 }
100}
underlying_span get() const

References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::StrongSpan< T >::get(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::StrongSpan< T >::size(), and Botan::Sphincs_Hash_Functions::T().

Referenced by fors_sign_and_pkgen(), and xmss_sign_and_pkgen().

◆ treehash() [2/2]

template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
void Botan::treehash ( StrongSpan< TreeNode > out_root,
std::optional< AuthPathSS > out_auth_path,
std::optional< TreeNodeIndex > leaf_idx,
size_t node_size,
TreeLayerIndex total_tree_height,
uint32_t idx_offset,
concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash,
concepts::tree_gen_leaf< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto gen_leaf,
Address & tree_address )
inline

Treehash logic to build up a merkle hash tree.

Computes the root of the merkle tree. Can also output an authentication path necessary for a hash based signature.

Given the following tree: Layer: 2 7R / \ 1 3X 6A / \ / \ 0 1X 2A 4 5

The treehash logic traverses the tree (Post-order traversal), i.e., the nodes are discovered in order 1,2,3,...,7. If we want to create a signature using leaf node 1, the authentication path is (Node 2, Node 6), since we need those to compute the root.

Parameters
out_rootAn output buffer to store the root node in (size: node_size ).
out_auth_pathOptional buffer to store the authentication path in (size: node_size * total_tree_height).
leaf_idxThe optional index of the leaf used to sign in the bottom tree layer beginning with index 0. nullopt if no node is signed, so we need no auth path.
node_sizeThe size of each node in the tree.
total_tree_heightThe hight of the merkle tree to construct.
idx_offsetIf we compute a subtree this marks the index of the leftmost leaf node in the bottom layer
node_pair_hashThe function to process two child nodes to compute their parent node.
gen_leafThe logic to create a leaf node given the address in the tree. Probably this function creates a one-time/few-time-signature's public key which is hashed to be the leaf node.
tree_addressThe address that is passed to gen_leaf or node_pair hash. This function will update the address accordings to the currently processed node. This object may contain further algorithm specific information, like the position of this merkle tree in a hypertree.

Definition at line 114 of file tree_hash.h.

123 {
124 BOTAN_ASSERT_NOMSG(out_root.size() == node_size);
125 BOTAN_ASSERT(out_auth_path.has_value() == leaf_idx.has_value(),
126 "Both leaf index and auth path buffer is given or neither.");
127 const bool is_signing = leaf_idx.has_value();
128 BOTAN_ASSERT_NOMSG(!is_signing || out_auth_path.value().size() == node_size * total_tree_height.get());
129
130 const TreeNodeIndex max_idx(uint32_t((1 << total_tree_height.get()) - 1));
131
132 std::vector<TreeNode> last_visited_left_child_at_layer(total_tree_height.get(), TreeNode(node_size));
133
134 TreeNode current_node(node_size); // Current logical node
135
136 // Traverse the tree from the left-most leaf, matching siblings and up until
137 // the root (Post-order traversal). Collect the adjacent nodes to build
138 // the authentication path along the way.
139 for(TreeNodeIndex idx(0); true; ++idx) {
140 tree_address.set_address(TreeLayerIndex(0), idx + idx_offset);
141 gen_leaf(StrongSpan<TreeNode>(current_node), tree_address);
142
143 // Now combine the freshly generated right node with previously generated
144 // left ones
145 uint32_t internal_idx_offset = idx_offset;
146 TreeNodeIndex internal_idx = idx;
147 auto internal_leaf = leaf_idx;
148
149 for(TreeLayerIndex h(0); true; ++h) {
150 // Check if we hit the top of the tree
151 if(h == total_tree_height) {
152 copy_mem(out_root, current_node);
153 return;
154 }
155
156 // Check if the node we have is a part of the authentication path; if
157 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
158 // is 1 iff they have the same parent node in the FORS tree
159 if(is_signing && (internal_idx ^ internal_leaf.value()) == 0x01U) {
160 auto auth_path_location = out_auth_path.value().get().subspan(h.get() * node_size, node_size);
161 copy_mem(auth_path_location, current_node);
162 }
163
164 // Check if we're at a left child; if so, stop going up the tree
165 // Exception: if we've reached the end of the tree, keep on going (so
166 // we combine the last 4 nodes into the one root node in two more
167 // iterations)
168 if((internal_idx & 1) == 0U && idx < max_idx) {
169 // We've hit a left child; save the current for when we get the
170 // corresponding right child.
171 copy_mem(last_visited_left_child_at_layer.at(h.get()), current_node);
172 break;
173 }
174
175 // Ok, we're at a right node. Now combine the left and right logical
176 // nodes together.
177
178 // Set the address of the node we're creating.
179 internal_idx_offset /= 2;
180 tree_address.set_address(h + 1, internal_idx / 2 + internal_idx_offset);
181
182 node_pair_hash(current_node, tree_address, last_visited_left_child_at_layer.at(h.get()), current_node);
183
184 internal_idx /= 2;
185 if(internal_leaf.has_value()) {
186 internal_leaf.value() /= 2;
187 }
188 }
189 }
190}

References BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, copy_mem(), Botan::detail::Strong_Base< T >::get(), and Botan::StrongSpan< T >::size().

◆ typecast_copy() [1/9]

template<typename ToT, ranges::contiguous_range FromR>
requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
ToT Botan::typecast_copy ( const FromR & src)
inlineconstexpr

Create a trivial type by bit-casting a range of trivially copyable type with matching length into it.

Definition at line 211 of file mem_ops.h.

211 {
212 ToT dst; // NOLINT(*-member-init)
213 typecast_copy(dst, src);
214 return dst;
215}

References typecast_copy().

◆ typecast_copy() [2/9]

template<typename To>
requires std::is_trivial_v<To>
To Botan::typecast_copy ( const uint8_t src[])
inlineconstexprnoexcept

Definition at line 253 of file mem_ops.h.

253 {
254 // asserts that *src points to the correct amount of memory
255 return typecast_copy<To>(std::span<const uint8_t, sizeof(To)>(src, sizeof(To)));
256}

References typecast_copy().

◆ typecast_copy() [3/9]

template<typename T>
requires std::is_trivial_v<std::decay_t<T>>
void Botan::typecast_copy ( T & out,
const uint8_t in[] )
inlineconstexpr

Definition at line 245 of file mem_ops.h.

245 {
246 // asserts that *in points to the correct amount of memory
247 typecast_copy(out, std::span<const uint8_t, sizeof(T)>(in, sizeof(T)));
248}

References typecast_copy().

◆ typecast_copy() [4/9]

template<typename T>
requires std::is_trivial_v<T>
void Botan::typecast_copy ( T out[],
const uint8_t in[],
size_t N )
inlineconstexpr

Definition at line 228 of file mem_ops.h.

230{
231 // asserts that *in and *out point to the correct amount of memory
232 typecast_copy(std::span<T>(out, N), std::span<const uint8_t>(in, N * sizeof(T)));
233}

References typecast_copy().

◆ typecast_copy() [5/9]

template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
void Botan::typecast_copy ( ToR && out,
const FromR & in )
inlineconstexpr

◆ typecast_copy() [6/9]

template<ranges::contiguous_output_range ToR, typename FromT>
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
void Botan::typecast_copy ( ToR && out,
const FromT & in )
inlineconstexpr

Copy an instance of trivially copyable type into a range of trivially copyable type with matching length.

Definition at line 200 of file mem_ops.h.

200 {
201 typecast_copy(out, std::span<const FromT, 1>(&in, 1));
202}

References typecast_copy().

◆ typecast_copy() [7/9]

template<typename ToT, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
void Botan::typecast_copy ( ToT & out,
const FromR & in )
inlineconstexpr

Copy a range of trivially copyable type into an instance of trivially copyable type with matching length.

Definition at line 189 of file mem_ops.h.

189 {
190 typecast_copy(std::span<ToT, 1>(&out, 1), in);
191}

References typecast_copy().

◆ typecast_copy() [8/9]

template<typename T>
void Botan::typecast_copy ( uint8_t out[],
const T & in )
inlineconstexpr

Definition at line 237 of file mem_ops.h.

237 {
238 // asserts that *out points to the correct amount of memory
239 typecast_copy(std::span<uint8_t, sizeof(T)>(out, sizeof(T)), in);
240}

References typecast_copy().

◆ typecast_copy() [9/9]

template<typename T>
requires std::is_trivially_copyable_v<T>
void Botan::typecast_copy ( uint8_t out[],
T in[],
size_t N )
inlineconstexpr

Definition at line 219 of file mem_ops.h.

221{
222 // asserts that *in and *out point to the correct amount of memory
223 typecast_copy(std::span<uint8_t>(out, sizeof(T) * N), std::span<const T>(in, N));
224}

References typecast_copy().

◆ ucs2_to_utf8()

BOTAN_TEST_API std::string Botan::ucs2_to_utf8 ( const uint8_t ucs2[],
size_t len )

Convert a sequence of UCS-2 (big endian) characters to a UTF-8 string This is used for ASN.1 BMPString type

Parameters
ucs2the sequence of UCS-2 characters
lenlength of ucs2 in bytes, must be a multiple of 2

Definition at line 54 of file charset.cpp.

54 {
55 if(len % 2 != 0) {
56 throw Decoding_Error("Invalid length for UCS-2 string");
57 }
58
59 const size_t chars = len / 2;
60
61 std::string s;
62 for(size_t i = 0; i != chars; ++i) {
63 const uint32_t c = load_be<uint16_t>(ucs2, i);
64 append_utf8_for(s, c);
65 }
66
67 return s;
68}

References load_be().

Referenced by Botan::ASN1_String::decode_from().

◆ ucs4_to_utf8()

BOTAN_TEST_API std::string Botan::ucs4_to_utf8 ( const uint8_t ucs4[],
size_t len )

Convert a sequence of UCS-4 (big endian) characters to a UTF-8 string This is used for ASN.1 UniversalString type

Parameters
ucs4the sequence of UCS-4 characters
lenlength of ucs4 in bytes, must be a multiple of 4

Definition at line 70 of file charset.cpp.

70 {
71 if(len % 4 != 0) {
72 throw Decoding_Error("Invalid length for UCS-4 string");
73 }
74
75 const size_t chars = len / 4;
76
77 std::string s;
78 for(size_t i = 0; i != chars; ++i) {
79 const uint32_t c = load_be<uint32_t>(ucs4, i);
80 append_utf8_for(s, c);
81 }
82
83 return s;
84}

References load_be().

Referenced by Botan::ASN1_String::decode_from().

◆ unlock()

template<typename T>
std::vector< T > Botan::unlock ( const secure_vector< T > & in)

◆ unsafe_for_production_build()

bool Botan::unsafe_for_production_build ( )

Certain build-time options, used for testing, result in a binary which is not safe for use in a production system. This function can be used to test for such a configuration at runtime.

Currently these unsafe conditions include:

  • Unsafe fuzzer mode (–unsafe-fuzzer-mode) which intentionally disables various checks in order to improve the effectiveness of fuzzing.
  • Terminate on asserts (–unsafe-terminate-on-asserts) which intentionally aborts if any internal assertion failure occurs, rather than throwing an exception.

Definition at line 67 of file version.cpp.

67 {
68#if defined(BOTAN_UNSAFE_FUZZER_MODE) || defined(BOTAN_TERMINATE_ON_ASSERTS)
69 return true;
70#else
71 return false;
72#endif
73}

◆ unwrap_strong_type()

template<typename T>
decltype(auto) Botan::unwrap_strong_type ( T && t)
nodiscardconstexpr

Generically unwraps a strong type to its underlying type.

If the provided type is not a strong type, it is returned as is.

Note
This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary get() method if you know that you are dealing with a strong type.
Parameters
tvalue to be unwrapped
Returns
the unwrapped value

Definition at line 224 of file strong_type.h.

224 {
226 // If the parameter type isn't a strong type, return it as is.
227 return std::forward<T>(t);
228 } else {
229 // Unwrap the strong type and return the underlying value.
230 return std::forward<T>(t).get();
231 }
232}

Referenced by checked_cast_to_or_throw(), Botan::detail::concatenate(), Botan::bitvector_base< secure_allocator >::ct_conditional_xor(), Botan::bitvector_base< secure_allocator >::equals_vartime(), Botan::bitvector_base< secure_allocator >::operator&=(), Botan::bitvector_base< secure_allocator >::operator^=(), Botan::bitvector_base< secure_allocator >::operator|=(), Botan::bitvector_base< secure_allocator >::subvector(), Botan::bitvector_base< secure_allocator >::subvector_replace(), and Botan::detail::unwrap_strong_type_or_enum().

◆ value_exists()

◆ var_ctz32()

BOTAN_FORCE_INLINE constexpr size_t Botan::var_ctz32 ( uint32_t n)
constexpr

Definition at line 160 of file bit_ops.h.

160 {
161#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_ctz)
162 if(n == 0) {
163 return 32;
164 }
165 return __builtin_ctz(n);
166#else
167 return ctz<uint32_t>(n);
168#endif
169}

References BOTAN_FORCE_INLINE, and ctz().

◆ varpoint_exec()

template<typename C, size_t WindowBits, typename BlindedScalar>
C::ProjectivePoint Botan::varpoint_exec ( const AffinePointTable< C > & table,
const BlindedScalar & scalar,
RandomNumberGenerator & rng )

Definition at line 239 of file pcurves_mul.h.

241 {
242 const size_t windows = (scalar.bits() + WindowBits - 1) / WindowBits;
243
244 auto accum = [&]() {
245 const size_t w_0 = scalar.get_window((windows - 1) * WindowBits);
246 auto pt = C::ProjectivePoint::from_affine(table.ct_select(w_0));
247 CT::poison(pt);
248 pt.randomize_rep(rng);
249 return pt;
250 }();
251
252 for(size_t i = 1; i != windows; ++i) {
253 accum = accum.dbl_n(WindowBits);
254 auto w_i = scalar.get_window((windows - i - 1) * WindowBits);
255
256 /*
257 This point addition cannot be a doubling (except once)
258
259 Consider the sequence of points that are operated on, and specifically
260 their discrete logarithms. We start out at the point at infinity
261 (dlog 0) and then add the initial window which is precisely P*w_0
262
263 We then perform WindowBits doublings, so accum's dlog at the point
264 of the addition in the first iteration of the loop (when i == 1) is
265 at least 2^W * w_0.
266
267 Since we know w_0 > 0, then in every iteration of the loop, accums
268 dlog will always be greater than the dlog of the table element we
269 just looked up (something between 0 and 2^W-1), and thus the
270 addition into accum cannot be a doubling.
271
272 However due to blinding this argument fails, since we perform
273 multiplications using a scalar that is larger than the group
274 order. In this case it's possible that the dlog of accum becomes
275 `order + x` (or, effectively, `x`) and `x` is smaller than 2^W.
276 In this case, a doubling may occur. Future iterations of the loop
277 cannot be doublings by the same argument above. Since the blinding
278 factor is always less than the group order (substantially so),
279 it is not possible for the dlog of accum to overflow a second time.
280 */
281
282 accum += table.ct_select(w_i);
283
284 // Conditional ok: loop iteration count is public
285 if(i <= 3) {
286 accum.randomize_rep(rng);
287 }
288 }
289
290 CT::unpoison(accum);
291 return accum;
292}

References Botan::AffinePointTable< C, R >::ct_select(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by Botan::WindowedMulTable< C, W >::mul().

◆ varpoint_setup()

template<typename C, size_t TableSize>
AffinePointTable< C > Botan::varpoint_setup ( const typename C::AffinePoint & p)

Definition at line 219 of file pcurves_mul.h.

219 {
220 static_assert(TableSize > 2);
221
222 std::vector<typename C::ProjectivePoint> table;
223 table.reserve(TableSize);
224 table.push_back(C::ProjectivePoint::from_affine(p));
225
226 for(size_t i = 1; i != TableSize; ++i) {
227 // Conditional ok: loop iteration count is public
228 if(i % 2 == 1) {
229 table.push_back(table[i / 2].dbl());
230 } else {
231 table.push_back(table[i - 1] + p);
232 }
233 }
234
235 return AffinePointTable<C>(table);
236}

Referenced by Botan::WindowedBoothMulTable< C, W >::WindowedBoothMulTable(), and Botan::WindowedMulTable< C, W >::WindowedMulTable().

◆ vartime_divide()

BOTAN_TEST_API void Botan::vartime_divide ( const BigInt & x,
const BigInt & y,
BigInt & q,
BigInt & r )

BigInt Division

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 230 of file divide.cpp.

230 {
231 if(y_arg.is_zero()) {
232 throw Invalid_Argument("vartime_divide: cannot divide by zero");
233 }
234
235 const size_t y_words = y_arg.sig_words();
236
237 BOTAN_ASSERT_NOMSG(y_words > 0);
238
239 BigInt y = y_arg;
240
241 BigInt r = x;
242 BigInt q = BigInt::zero();
244
245 r.set_sign(BigInt::Positive);
246 y.set_sign(BigInt::Positive);
247
248 // Calculate shifts needed to normalize y with high bit set
249 const size_t shifts = y.top_bits_free();
250
251 if(shifts > 0) {
252 y <<= shifts;
253 r <<= shifts;
254 }
255
256 // we know y has not changed size, since we only shifted up to set high bit
257 const size_t t = y_words - 1;
258 const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however
259
260 BOTAN_ASSERT_NOMSG(n >= t);
261
262 q.grow_to(n - t + 1);
263
264 word* q_words = q.mutable_data();
265
266 BigInt shifted_y = y << (WordInfo<word>::bits * (n - t));
267
268 // Set q_{n-t} to number of times r > shifted_y
269 q_words[n - t] = r.reduce_below(shifted_y, ws);
270
271 const word y_t0 = y.word_at(t);
272 const word y_t1 = y.word_at(t - 1);
273 BOTAN_DEBUG_ASSERT((y_t0 >> (WordInfo<word>::bits - 1)) == 1);
274
275 for(size_t j = n; j != t; --j) {
276 const word x_j0 = r.word_at(j);
277 const word x_j1 = r.word_at(j - 1);
278 const word x_j2 = r.word_at(j - 2);
279
280 word qjt = (x_j0 == y_t0) ? WordInfo<word>::max : bigint_divop_vartime(x_j0, x_j1, y_t0);
281
282 // Per HAC 14.23, this operation is required at most twice
283 for(size_t k = 0; k != 2; ++k) {
284 if(division_check_vartime(qjt, y_t0, y_t1, x_j0, x_j1, x_j2)) {
285 qjt--;
286 } else {
287 break;
288 }
289 }
290
291 shifted_y >>= WordInfo<word>::bits;
292 // Now shifted_y == y << (WordInfo<word>::bits * (j-t-1))
293
294 // TODO this sequence could be better
295 r -= qjt * shifted_y;
296 if(r.is_negative()) {
297 qjt--;
298 r += shifted_y;
299 BOTAN_ASSERT_NOMSG(r.is_positive());
300 }
301
302 q_words[j - t - 1] = qjt;
303 }
304
305 if(shifts > 0) {
306 r >>= shifts;
307 }
308
309 sign_fixup(x, y_arg, q, r);
310
311 r_out = r;
312 q_out = q;
313}
size_t reduce_below(const BigInt &mod, secure_vector< word > &ws)
Definition bigint.cpp:333

References bigint_divop_vartime(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::grow_to(), Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::reduce_below(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::top_bits_free(), Botan::BigInt::word_at(), and Botan::BigInt::zero().

Referenced by botan_mp_div(), operator%(), and operator/().

◆ verify_signature()

bool Botan::verify_signature ( std::span< const uint8_t, ED448_LEN > pk,
bool phflag,
std::span< const uint8_t > context,
std::span< const uint8_t > sig,
std::span< const uint8_t > msg )

Verify a signature(RFC 8032 5.2.7)

Parameters
pkthe public key
phflagthe prehash flag (true iff using Ed448ph)
contextthe context string
sigthe signature
msgthe message to verify
Exceptions
Decoding_Errorif the public key or signature is malformed
Returns
true if the signature is valid

Definition at line 283 of file ed448_internal.cpp.

287 {
288 // RFC 8032 5.2.7. Verify
289 // 1. To verify a signature on a message M using context C and public
290 // key A, with F being 0 for Ed448 and 1 for Ed448ph, first split
291 // the signature into two 57-octet halves. Decode the first half as
292 // a point R, and the second half as an integer S, in the range 0 <=
293 // s < L. Decode the public key A as point A’. If any of the
294 // decodings fail (including S being out of range), the signature is
295 // invalid.
296 if(sig.size() != 2 * ED448_LEN) {
297 // Wrong signature size
298 throw Decoding_Error("Ed448 signature has wrong size");
299 }
300 const auto [big_r_bytes, big_s_bytes] = split(sig.first<2 * ED448_LEN>());
301 const auto big_r = Ed448Point::decode(big_r_bytes);
302 if(!Scalar448::bytes_are_reduced(big_s_bytes)) {
303 // S not in range 0 <= s < L
304 throw Decoding_Error("Ed448 signature has invalid S");
305 }
306 const Scalar448 big_s(big_s_bytes);
307 // 2. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and
308 // interpret the 114-octet digest as a little-endian integer k.
309 const Scalar448 k(shake(phflag, context, big_r_bytes, pk, msg));
310 // 3. Check the group equation [4][S]B = [4]R + [4][k]A’. It’s
311 // sufficient, but not required, to instead check [S]B = R + [k]A’.
312 return (big_s * Ed448Point::base_point()) == (big_r + k * Ed448Point::decode(pk));
313}
static Ed448Point decode(std::span< const uint8_t, ED448_LEN > enc)
Decode a point from its 57-byte encoding (RFC 8032 5.2.3)
static bool bytes_are_reduced(std::span< const uint8_t > x)

References Botan::Ed448Point::base_point(), Botan::Scalar448::bytes_are_reduced(), Botan::Ed448Point::decode(), and ED448_LEN.

Referenced by Botan::Roughtime::Response::from_bits().

◆ version_cstr()

const char * Botan::version_cstr ( )

Same as version_string() except returning a pointer to a statically allocated string.

Returns
version string

Definition at line 20 of file version.cpp.

20 {
21 return BOTAN_FULL_VERSION_STRING;
22}

Referenced by botan_version_string(), and version_string().

◆ version_datestamp()

uint32_t Botan::version_datestamp ( )

Return the date this version of botan was released, in an integer of the form YYYYMMDD. For instance a version released on May 21, 2013 would return the integer 20130521. If the currently running version is not an official release, this function will return 0 instead.

Returns
release date, or zero if unreleased

Definition at line 32 of file version.cpp.

32 {
34}
#define BOTAN_VERSION_DATESTAMP
Definition build.h:45

References BOTAN_VERSION_DATESTAMP.

Referenced by botan_version_datestamp().

◆ version_distribution_info()

std::optional< std::string > Botan::version_distribution_info ( )

Return any string that is set at build time using the --distribution-info option. It allows a packager of the library to specify any distribution-specific patches. If no value is given at build time, returns nullopt.

Returns
distribution info

Definition at line 44 of file version.cpp.

44 {
45#if defined(BOTAN_DISTRIBUTION_INFO_STRING)
46 return std::string(BOTAN_DISTRIBUTION_INFO_STRING);
47#else
48 return std::nullopt;
49#endif
50}

◆ version_major()

uint32_t Botan::version_major ( )

Get the major version number.

Returns
major version number

Definition at line 55 of file version.cpp.

55 {
57}

References BOTAN_VERSION_MAJOR.

Referenced by botan_version_major(), and runtime_version_check().

◆ version_minor()

uint32_t Botan::version_minor ( )

Get the minor version number.

Returns
minor version number

Definition at line 59 of file version.cpp.

59 {
61}

References BOTAN_VERSION_MINOR.

Referenced by botan_version_minor(), and runtime_version_check().

◆ version_patch()

uint32_t Botan::version_patch ( )

Get the patch number.

Returns
patch number

Definition at line 63 of file version.cpp.

63 {
65}

References BOTAN_VERSION_PATCH.

Referenced by botan_version_patch(), and runtime_version_check().

◆ version_string()

std::string Botan::version_string ( )

Get a human-readable single-line string identifying the version of Botan. No particular format should be assumed.

Returns
version string

Definition at line 24 of file version.cpp.

24 {
25 return std::string(version_cstr());
26}
const char * version_cstr()
Definition version.cpp:20

References version_cstr().

◆ version_vc_revision()

std::optional< std::string > Botan::version_vc_revision ( )

Returns a string that is set to a revision identifier corresponding to the source, or nullopt if this could not be determined. It is set for all official releases, and for builds that originated from within a git checkout.

Returns
VC revision

Definition at line 36 of file version.cpp.

36 {
37#if defined(BOTAN_VC_REVISION)
38 return std::string(BOTAN_VC_REVISION);
39#else
40 return std::nullopt;
41#endif
42}

◆ word8_add2()

template<WordType W>
auto Botan::word8_add2 ( W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 228 of file mp_asmi.h.

228 {
229#if defined(BOTAN_MP_USE_X86_64_ASM)
230 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
231 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq"))
232 : [carry] "=r"(carry)
233 : [x] "r"(x), [y] "r"(y), "0"(carry)
234 : "cc", "memory");
235 return carry;
236 }
237#endif
238
239 x[0] = word_add(x[0], y[0], &carry);
240 x[1] = word_add(x[1], y[1], &carry);
241 x[2] = word_add(x[2], y[2], &carry);
242 x[3] = word_add(x[3], y[3], &carry);
243 x[4] = word_add(x[4], y[4], &carry);
244 x[5] = word_add(x[5], y[5], &carry);
245 x[6] = word_add(x[6], y[6], &carry);
246 x[7] = word_add(x[7], y[7], &carry);
247 return carry;
248}

References carry(), and word_add().

Referenced by bigint_add2().

◆ word8_add3()

template<WordType W>
auto Botan::word8_add3 ( W z[8],
const W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 254 of file mp_asmi.h.

254 {
255#if defined(BOTAN_MP_USE_X86_64_ASM)
256 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
257 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq"))
258 : [carry] "=r"(carry)
259 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
260 : "cc", "memory");
261 return carry;
262 }
263#endif
264
265 z[0] = word_add(x[0], y[0], &carry);
266 z[1] = word_add(x[1], y[1], &carry);
267 z[2] = word_add(x[2], y[2], &carry);
268 z[3] = word_add(x[3], y[3], &carry);
269 z[4] = word_add(x[4], y[4], &carry);
270 z[5] = word_add(x[5], y[5], &carry);
271 z[6] = word_add(x[6], y[6], &carry);
272 z[7] = word_add(x[7], y[7], &carry);
273 return carry;
274}

References carry(), and word_add().

Referenced by bigint_add3().

◆ word8_linmul3()

template<WordType W>
auto Botan::word8_linmul3 ( W z[8],
const W x[8],
W y,
W carry ) -> W
inlineconstexpr

Definition at line 357 of file mp_asmi.h.

357 {
358#if defined(BOTAN_MP_USE_X86_64_ASM)
359 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
360 asm(DO_8_TIMES(LINMUL_OP, "z")
361 : [carry] "=r"(carry)
362 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
363 : "cc", "%rax", "%rdx");
364 return carry;
365 }
366#endif
367
368 z[0] = word_madd2(x[0], y, &carry);
369 z[1] = word_madd2(x[1], y, &carry);
370 z[2] = word_madd2(x[2], y, &carry);
371 z[3] = word_madd2(x[3], y, &carry);
372 z[4] = word_madd2(x[4], y, &carry);
373 z[5] = word_madd2(x[5], y, &carry);
374 z[6] = word_madd2(x[6], y, &carry);
375 z[7] = word_madd2(x[7], y, &carry);
376 return carry;
377}

References carry(), and word_madd2().

Referenced by bigint_linmul3().

◆ word8_madd3()

template<WordType W>
auto Botan::word8_madd3 ( W z[8],
const W x[8],
W y,
W carry ) -> W
inlineconstexpr

Definition at line 383 of file mp_asmi.h.

383 {
384#if defined(BOTAN_MP_USE_X86_64_ASM)
385 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
386 asm(DO_8_TIMES(MULADD_OP, "")
387 : [carry] "=r"(carry)
388 : [z] "r"(z), [x] "r"(x), [y] "rm"(y), "0"(carry)
389 : "cc", "%rax", "%rdx");
390 return carry;
391 }
392#endif
393
394 z[0] = word_madd3(x[0], y, z[0], &carry);
395 z[1] = word_madd3(x[1], y, z[1], &carry);
396 z[2] = word_madd3(x[2], y, z[2], &carry);
397 z[3] = word_madd3(x[3], y, z[3], &carry);
398 z[4] = word_madd3(x[4], y, z[4], &carry);
399 z[5] = word_madd3(x[5], y, z[5], &carry);
400 z[6] = word_madd3(x[6], y, z[6], &carry);
401 z[7] = word_madd3(x[7], y, z[7], &carry);
402 return carry;
403}

References carry(), and word_madd3().

Referenced by basecase_mul(), and basecase_sqr().

◆ word8_sub2()

template<WordType W>
auto Botan::word8_sub2 ( W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 305 of file mp_asmi.h.

305 {
306#if defined(BOTAN_MP_USE_X86_64_ASM)
307 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
308 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq"))
309 : [carry] "=r"(carry)
310 : [x] "r"(x), [y] "r"(y), "0"(carry)
311 : "cc", "memory");
312 return carry;
313 }
314#endif
315
316 x[0] = word_sub(x[0], y[0], &carry);
317 x[1] = word_sub(x[1], y[1], &carry);
318 x[2] = word_sub(x[2], y[2], &carry);
319 x[3] = word_sub(x[3], y[3], &carry);
320 x[4] = word_sub(x[4], y[4], &carry);
321 x[5] = word_sub(x[5], y[5], &carry);
322 x[6] = word_sub(x[6], y[6], &carry);
323 x[7] = word_sub(x[7], y[7], &carry);
324 return carry;
325}

References carry(), and word_sub().

Referenced by bigint_sub2().

◆ word8_sub3()

template<WordType W>
auto Botan::word8_sub3 ( W z[8],
const W x[8],
const W y[8],
W carry ) -> W
inlineconstexpr

Definition at line 331 of file mp_asmi.h.

331 {
332#if defined(BOTAN_MP_USE_X86_64_ASM)
333 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
334 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
335 : [carry] "=r"(carry)
336 : [x] "r"(x), [y] "r"(y), [z] "r"(z), "0"(carry)
337 : "cc", "memory");
338 return carry;
339 }
340#endif
341
342 z[0] = word_sub(x[0], y[0], &carry);
343 z[1] = word_sub(x[1], y[1], &carry);
344 z[2] = word_sub(x[2], y[2], &carry);
345 z[3] = word_sub(x[3], y[3], &carry);
346 z[4] = word_sub(x[4], y[4], &carry);
347 z[5] = word_sub(x[5], y[5], &carry);
348 z[6] = word_sub(x[6], y[6], &carry);
349 z[7] = word_sub(x[7], y[7], &carry);
350 return carry;
351}

References carry(), and word_sub().

Referenced by bigint_monty_maybe_sub(), bigint_sub3(), and bigint_sub_abs().

◆ word_add()

template<WordType W>
auto Botan::word_add ( W x,
W y,
W * carry ) -> W
inlineconstexpr

Definition at line 191 of file mp_asmi.h.

191 {
192#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_addc)
193 if(!std::is_constant_evaluated()) {
194 if constexpr(std::same_as<W, unsigned int>) {
195 return __builtin_addc(x, y, *carry & 1, carry);
196 } else if constexpr(std::same_as<W, unsigned long>) {
197 return __builtin_addcl(x, y, *carry & 1, carry);
198 } else if constexpr(std::same_as<W, unsigned long long>) {
199 return __builtin_addcll(x, y, *carry & 1, carry);
200 }
201 }
202#endif
203
204 if constexpr(WordInfo<W>::dword_is_native && use_dword_for_word_add) {
205 /*
206 TODO(Botan4) this is largely a performance hack for GCCs that don't
207 support __builtin_addc, if we increase the minimum supported version of
208 GCC to GCC 14 then we can remove this and not worry about it
209 */
210 const W cb = *carry & 1;
211 const auto s = typename WordInfo<W>::dword(x) + y + cb;
212 *carry = static_cast<W>(s >> WordInfo<W>::bits);
213 return static_cast<W>(s);
214 } else {
215 const W cb = *carry & 1;
216 W z = x + y;
217 W c1 = (z < x);
218 z += cb;
219 *carry = c1 | (z < cb);
220 return z;
221 }
222}

References carry().

Referenced by Botan::word3< W >::add(), bigint_add2(), bigint_add3(), bigint_cnd_abs(), bigint_cnd_add(), Botan::BigInt::ct_cond_add(), Botan::word3< W >::mul_x2(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator+, solinas_correct_redc(), word8_add2(), and word8_add3().

◆ word_madd2()

template<WordType W>
auto Botan::word_madd2 ( W a,
W b,
W * c ) -> W
inlineconstexpr

Definition at line 86 of file mp_asmi.h.

86 {
87#if defined(BOTAN_MP_USE_X86_64_ASM)
88 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
89 asm(R"(
90 mulq %[b]
91 addq %[c],%[a]
92 adcq $0,%[carry]
93 )"
94 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*c)
95 : "0"(a), "1"(b), [c] "g"(*c)
96 : "cc");
97
98 return a;
99 }
100#endif
101
102 typedef typename WordInfo<W>::dword dword;
103 const dword s = dword(a) * b + *c;
104 *c = static_cast<W>(s >> WordInfo<W>::bits);
105 return static_cast<W>(s);
106}

References carry().

Referenced by bigint_linmul2(), bigint_linmul3(), bigint_modop_vartime(), Botan::word3< W >::mul_x2(), redc_crandall(), and word8_linmul3().

◆ word_madd3()

template<WordType W>
auto Botan::word_madd3 ( W a,
W b,
W c,
W * d ) -> W
inlineconstexpr

Definition at line 112 of file mp_asmi.h.

112 {
113#if defined(BOTAN_MP_USE_X86_64_ASM)
114 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
115 asm(R"(
116 mulq %[b]
117
118 addq %[c],%[a]
119 adcq $0,%[carry]
120
121 addq %[d],%[a]
122 adcq $0,%[carry]
123 )"
124 : [a] "=a"(a), [b] "=rm"(b), [carry] "=&d"(*d)
125 : "0"(a), "1"(b), [c] "g"(c), [d] "g"(*d)
126 : "cc");
127
128 return a;
129 }
130#endif
131
132 typedef typename WordInfo<W>::dword dword;
133 const dword s = dword(a) * b + c + *d;
134 *d = static_cast<W>(s >> WordInfo<W>::bits);
135 return static_cast<W>(s);
136}

References carry().

Referenced by basecase_mul(), basecase_sqr(), redc_crandall(), and word8_madd3().

◆ word_sub()

template<WordType W>
auto Botan::word_sub ( W x,
W y,
W * carry ) -> W
inlineconstexpr

Definition at line 280 of file mp_asmi.h.

280 {
281#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_subc)
282 if(!std::is_constant_evaluated()) {
283 if constexpr(std::same_as<W, unsigned int>) {
284 return __builtin_subc(x, y, *carry & 1, carry);
285 } else if constexpr(std::same_as<W, unsigned long>) {
286 return __builtin_subcl(x, y, *carry & 1, carry);
287 } else if constexpr(std::same_as<W, unsigned long long>) {
288 return __builtin_subcll(x, y, *carry & 1, carry);
289 }
290 }
291#endif
292
293 const W cb = *carry & 1;
294 W t0 = x - y;
295 W c1 = (t0 > x);
296 W z = t0 - cb;
297 *carry = c1 | (z > t0);
298 return z;
299}

References carry().

Referenced by bigint_cnd_sub(), bigint_monty_maybe_sub(), bigint_monty_maybe_sub(), bigint_sub2(), bigint_sub2_rev(), bigint_sub3(), bigint_sub_abs(), Botan::IntMod< MontgomeryRep< ScalarParams > >::negate(), Botan::IntMod< MontgomeryRep< ScalarParams > >::operator-, redc_crandall(), solinas_correct_redc(), word8_sub2(), and word8_sub3().

◆ words_for_bits()

size_t Botan::words_for_bits ( size_t x)
constexpr

Definition at line 18 of file curve448_scalar.h.

18 {
19 constexpr size_t word_bits = sizeof(word) * 8;
20 return (x + word_bits - 1) / word_bits;
21}

◆ wots_public_key_from_signature()

BOTAN_TEST_API WotsPublicKey Botan::wots_public_key_from_signature ( const SphincsTreeNode & hashed_message,
StrongSpan< const WotsSignature > signature,
Sphincs_Address & address,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 8: wots_pkFromSig.

Reconstructs the WOTS public key from a given WOTS signature and message. This is tailored for the use case in the SLH-DSA implementation and is not meant for general usability in non SLH-DSA algorithms.

Definition at line 103 of file sp_wots.cpp.

107 {
108 const std::vector<WotsHashIndex> lengths = chain_lengths(hashed_message, params);
109 WotsPublicKey pk_buffer(params.wots_len() * params.n());
110 BufferSlicer sig(signature);
111 BufferStuffer pk(pk_buffer);
112
113 for(WotsChainIndex i(0); i < params.wots_len(); i++) {
114 address.set_chain_address(i);
115
116 // params.w() can be one of {4, 8, 256}
117 const WotsHashIndex start_index = lengths[i.get()];
118 const uint8_t steps_to_take = static_cast<uint8_t>(params.w() - 1) - start_index.get();
119
120 chain(pk.next<WotsPublicKeyNode>(params.n()),
121 sig.take<WotsNode>(params.n()),
122 start_index,
123 steps_to_take,
124 address,
125 hashes,
126 params);
127 }
128
129 return pk_buffer;
130}
Sphincs_Address & set_chain_address(WotsChainIndex chain)
Definition sp_address.h:83
uint32_t wots_len() const
Strong< uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber > WotsHashIndex
Index of a hash application inside a single WOTS chain (integers in "base_w")
Definition sp_types.h:98
Strong< secure_vector< uint8_t >, struct WotsNode_ > WotsNode
Start (or intermediate) node of a WOTS+ chain.
Definition sp_types.h:79
Strong< std::vector< uint8_t >, struct WotsPublicKey_ > WotsPublicKey
Definition sp_types.h:73
Strong< uint32_t, struct WotsChainIndex_ > WotsChainIndex
Index of a WOTS chain within a single usage of WOTS.
Definition sp_types.h:95
Strong< std::vector< uint8_t >, struct WotsPublicKeyNode_ > WotsPublicKeyNode
End node of a WOTS+ chain (part of the WOTS+ public key)
Definition sp_types.h:76
std::vector< WotsHashIndex > chain_lengths(const SphincsTreeNode &msg, const Sphincs_Parameters &params)
Definition sp_wots.cpp:91

References chain_lengths(), Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_chain_address(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::w(), and Botan::Sphincs_Parameters::wots_len().

Referenced by ht_verify().

◆ wots_sign_and_pkgen()

BOTAN_TEST_API void Botan::wots_sign_and_pkgen ( StrongSpan< WotsSignature > sig_out,
StrongSpan< SphincsTreeNode > leaf_out,
const SphincsSecretSeed & secret_seed,
TreeNodeIndex leaf_idx,
std::optional< TreeNodeIndex > sign_leaf_idx,
const std::vector< WotsHashIndex > & wots_steps,
Sphincs_Address & leaf_addr,
Sphincs_Address & pk_addr,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.

Implements a domain specific wrapper for the one-time signature scheme WOTS+ (Winternitz OTS). It is meant to be used inside SLH-DSA and does not aim to be applicable for other use cases. If this function is not used in a signing operation (i.e. sign_leaf_idx is not set), wots_steps may be empty.

Definition at line 132 of file sp_wots.cpp.

141 {
142 // `wots_steps` are needed only if `sign_leaf_idx` is set
143 BOTAN_ASSERT_NOMSG(!sign_leaf_idx.has_value() || wots_steps.size() == params.wots_len());
145
146 secure_vector<uint8_t> wots_sig;
147 WotsPublicKey wots_pk_buffer(params.wots_bytes());
148
149 BufferStuffer wots_pk(wots_pk_buffer);
150 BufferStuffer sig(sig_out);
151
152 leaf_addr.set_keypair_address(leaf_idx);
153 pk_addr.set_keypair_address(leaf_idx);
154
155 for(WotsChainIndex i(0); i < params.wots_len(); i++) {
156 // If the current leaf is part of the signature wots_k stores the chain index
157 // of the value neccessary for the signature. Otherwise: nullopt (no signature)
158 const auto wots_k = [&]() -> std::optional<WotsHashIndex> {
159 if(sign_leaf_idx.has_value() && leaf_idx == sign_leaf_idx.value()) {
160 return wots_steps[i.get()];
161 } else {
162 return std::nullopt;
163 }
164 }();
165
166 // Start with the secret seed
167 leaf_addr.set_chain_address(i);
168 leaf_addr.set_hash_address(WotsHashIndex(0));
170
171 auto buffer_s = wots_pk.next<WotsNode>(params.n());
172
173 hashes.PRF(buffer_s, secret_seed, leaf_addr);
174
176
177 // Iterates down the WOTS chain
178 for(WotsHashIndex k(0);; k++) {
179 // Check if this is the value that needs to be saved as a part of the WOTS signature
180 if(wots_k.has_value() && k == wots_k.value()) {
181 std::copy(buffer_s.begin(), buffer_s.end(), sig.next<WotsNode>(params.n()).begin());
182 }
183
184 // Check if the top of the chain was hit
185 if(k == params.w() - 1) {
186 break;
187 }
188
189 // Iterate one step on the chain
190 leaf_addr.set_hash_address(k);
191
192 hashes.T(buffer_s, leaf_addr, buffer_s);
193 }
194 }
195
196 // Do the final thash to generate the public keys
197 hashes.T(leaf_out, pk_addr, wots_pk_buffer);
198}
Sphincs_Address_Type get_type() const
Definition sp_address.h:136
Sphincs_Address & set_hash_address(WotsHashIndex hash)
Definition sp_address.h:93
Sphincs_Address & set_keypair_address(TreeNodeIndex keypair)
Definition sp_address.h:78

References BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::get_type(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_chain_address(), Botan::Sphincs_Address::set_hash_address(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), Botan::Sphincs_Parameters::w(), Botan::Sphincs_Parameters::wots_bytes(), Botan::Sphincs_Parameters::wots_len(), WotsHash, WotsKeyGeneration, and WotsPublicKeyCompression.

Referenced by xmss_sign_and_pkgen().

◆ wrap_strong_type()

template<typename T, typename ParamT>
requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>)
decltype(auto) Botan::wrap_strong_type ( ParamT && t)
nodiscardconstexpr

Wraps a value into a caller-defined (strong) type.

If the provided object t is already of type T, it is returned as is.

Note
This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary constructor if you know that you are dealing with a bare value type.
Parameters
tvalue to be wrapped
Returns
the wrapped value

Definition at line 249 of file strong_type.h.

249 {
250 if constexpr(std::same_as<std::remove_cvref_t<ParamT>, T>) {
251 // Noop, if the parameter type already is the desired return type.
252 return std::forward<ParamT>(t);
253 } else if constexpr(std::constructible_from<T, ParamT>) {
254 // Implicit conversion from the parameter type to the return type.
255 return T{std::forward<ParamT>(t)};
256 } else {
257 // Explicitly calling the wrapped type's constructor to support
258 // implicit conversions on types that mark their constructors as explicit.
259 static_assert(concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>);
260 return T{typename T::wrapped_type{std::forward<ParamT>(t)}};
261 }
262}

Referenced by checked_cast_to_or_throw(), Botan::detail::load_any(), Botan::bitvector_base< secure_allocator >::subvector(), and Botan::detail::wrap_strong_type_or_enum().

◆ x448()

Point448 Botan::x448 ( const ScalarX448 & k,
const Point448 & u )

Multiply a scalar k with a point u.

Parameters
kscalar
upoint on curve
Returns
k * u

Definition at line 48 of file x448_internal.cpp.

48 {
49 const auto a24 = Gf448Elem(39081);
50
51 Gf448Elem x_1 = Gf448Elem(u.get());
54 Gf448Elem x_3 = Gf448Elem(u.get());
56 auto swap = CT::Mask<uint64_t>::cleared();
57
58 for(int16_t t = 448 - 1; t >= 0; --t) {
59 auto k_t = CT::Mask<uint64_t>::expand(get_bit(k, t));
60 swap ^= k_t;
61
62 x_2.ct_cond_swap(swap.as_bool(), x_3);
63 z_2.ct_cond_swap(swap.as_bool(), z_3);
64 swap = k_t;
65
66 const auto A = x_2 + z_2;
67 const auto AA = square(A);
68 const auto B = x_2 - z_2;
69 const auto BB = square(B);
70 const auto E = AA - BB;
71 const auto C = x_3 + z_3;
72 const auto D = x_3 - z_3;
73 const auto DA = D * A;
74 const auto CB = C * B;
75 x_3 = square(DA + CB);
76 z_3 = x_1 * square(DA - CB);
77 x_2 = AA * BB;
78 z_2 = E * (AA + a24 * E);
79 }
80
81 x_2.ct_cond_swap(swap.as_bool(), x_3);
82 z_2.ct_cond_swap(swap.as_bool(), z_3);
83
84 const auto res = x_2 / z_2;
85
86 return Point448(res.to_bytes());
87}
static Gf448Elem zero()
Definition curve448_gf.h:58
void ct_cond_swap(bool b, Gf448Elem &other)
Swap this and other if b == true. Constant time for any b.
static Gf448Elem one()
Definition curve448_gf.h:63
BigInt square(const BigInt &x)
Definition numthry.cpp:157
Strong< std::array< uint8_t, X448_LEN >, struct Point448_ > Point448

References Botan::CT::Mask< T >::cleared(), Botan::Gf448Elem::ct_cond_swap(), Botan::CT::Mask< T >::expand(), Botan::detail::Strong_Base< T >::get(), Botan::Gf448Elem::one(), square(), and Botan::Gf448Elem::zero().

Referenced by x448_basepoint().

◆ x448_basepoint()

Point448 Botan::x448_basepoint ( const ScalarX448 & k)

Multiply a scalar with the base group element (5)

Multiply a scalar with the standard group element (5)

Parameters
kscalar
Returns
encoded point

Definition at line 41 of file x448_internal.cpp.

41 {
42 const Point448 u({5});
43 return x448(k, u);
44}
Point448 x448(const ScalarX448 &k, const Point448 &u)
Multiply a scalar k with a point u.

References x448().

◆ x509_path_validate() [1/4]

Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > & end_certs,
const Path_Validation_Restrictions & restrictions,
const Certificate_Store & store,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certscertificate chain to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 957 of file x509path.cpp.

964 {
965 std::vector<Certificate_Store*> trusted_roots;
966 trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
967
968 return x509_path_validate(end_certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
969}
Path_Validation_Result x509_path_validate(const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Definition x509path.cpp:883

References x509_path_validate().

◆ x509_path_validate() [2/4]

Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > & end_certs,
const Path_Validation_Restrictions & restrictions,
const std::vector< Certificate_Store * > & trusted_roots,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certscertificate chain to validate (with end entity certificate in end_certs[0])
restrictionspath validation restrictions
trusted_rootslist of certificate stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation note: when enabled, OCSP check is softfail by default: if the OCSP server is not reachable, Path_Validation_Result::successful_validation() will return true. Hardfail OCSP check can be achieve by also calling Path_Validation_Result::no_warnings().

Definition at line 883 of file x509path.cpp.

890 {
891 if(end_certs.empty()) {
892 throw Invalid_Argument("x509_path_validate called with no subjects");
893 }
894
895 X509_Certificate end_entity = end_certs[0];
896 std::vector<X509_Certificate> end_entity_extra;
897 for(size_t i = 1; i < end_certs.size(); ++i) {
898 end_entity_extra.push_back(end_certs[i]);
899 }
900
901 std::vector<std::vector<X509_Certificate>> cert_paths;
902 Certificate_Status_Code path_building_result =
903 PKIX::build_all_certificate_paths(cert_paths, trusted_roots, end_entity, end_entity_extra);
904
905 // If we cannot successfully build a chain to a trusted self-signed root, stop now
906 if(path_building_result != Certificate_Status_Code::OK) {
907 return Path_Validation_Result(path_building_result);
908 }
909
910 std::vector<Path_Validation_Result> error_results;
911 // Try validating all the potentially valid paths and return the first one to validate properly
912 for(auto cert_path : cert_paths) {
913 CertificatePathStatusCodes status = PKIX::check_chain(cert_path, ref_time, hostname, usage, restrictions);
914
915 CertificatePathStatusCodes crl_status = PKIX::check_crl(cert_path, trusted_roots, ref_time);
916
917 CertificatePathStatusCodes ocsp_status;
918
919 if(!ocsp_resp.empty()) {
920 ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time, restrictions);
921 }
922
923 if(ocsp_status.empty() && ocsp_timeout != std::chrono::milliseconds(0)) {
924#if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
925 ocsp_status = PKIX::check_ocsp_online(cert_path, trusted_roots, ref_time, ocsp_timeout, restrictions);
926#else
927 ocsp_status.resize(1);
928 ocsp_status[0].insert(Certificate_Status_Code::OCSP_NO_HTTP);
929#endif
930 }
931
932 PKIX::merge_revocation_status(status, crl_status, ocsp_status, restrictions);
933
934 Path_Validation_Result pvd(status, std::move(cert_path));
935 if(pvd.successful_validation()) {
936 return pvd;
937 } else {
938 error_results.push_back(std::move(pvd));
939 }
940 }
941 return error_results[0];
942}
void merge_revocation_status(CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, const Path_Validation_Restrictions &restrictions)
Definition x509path.cpp:820
CertificatePathStatusCodes check_ocsp(const std::vector< X509_Certificate > &cert_path, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time, const Path_Validation_Restrictions &restrictions)
Definition x509path.cpp:307
Certificate_Status_Code build_all_certificate_paths(std::vector< std::vector< X509_Certificate > > &cert_paths, const std::vector< Certificate_Store * > &trusted_certstores, const std::optional< X509_Certificate > &end_entity, const std::vector< X509_Certificate > &end_entity_extra)
Definition x509path.cpp:696
CertificatePathStatusCodes check_chain(const std::vector< X509_Certificate > &cert_path, std::chrono::system_clock::time_point ref_time, std::string_view hostname, Usage_Type usage, const Path_Validation_Restrictions &restrictions)
Definition x509path.cpp:36
CertificatePathStatusCodes check_crl(const std::vector< X509_Certificate > &cert_path, const std::vector< std::optional< X509_CRL > > &crls, std::chrono::system_clock::time_point ref_time)
Definition x509path.cpp:362
std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
Definition x509path.h:29
Certificate_Status_Code
Definition pkix_enums.h:20

References Botan::PKIX::build_all_certificate_paths(), Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), Botan::PKIX::check_ocsp(), Botan::PKIX::merge_revocation_status(), OCSP_NO_HTTP, OK, and Botan::Path_Validation_Result::successful_validation().

Referenced by botan_x509_cert_verify(), botan_x509_cert_verify_with_crl(), Botan::TLS::Callbacks::tls_verify_cert_chain(), x509_path_validate(), x509_path_validate(), and x509_path_validate().

◆ x509_path_validate() [3/4]

Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate & end_cert,
const Path_Validation_Restrictions & restrictions,
const Certificate_Store & store,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 971 of file x509path.cpp.

978 {
979 std::vector<X509_Certificate> certs;
980 certs.push_back(end_cert);
981
982 std::vector<Certificate_Store*> trusted_roots;
983 trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
984
985 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
986}

References x509_path_validate().

◆ x509_path_validate() [4/4]

Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate & end_cert,
const Path_Validation_Restrictions & restrictions,
const std::vector< Certificate_Store * > & trusted_roots,
std::string_view hostname = "",
Usage_Type usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::optional< OCSP::Response > > & ocsp_resp = {} )

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
trusted_rootslist of stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 944 of file x509path.cpp.

951 {
952 std::vector<X509_Certificate> certs;
953 certs.push_back(end_cert);
954 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
955}

References x509_path_validate().

◆ xmss_concat() [1/2]

template<std::unsigned_integral T>
void Botan::xmss_concat ( secure_vector< uint8_t > & target,
const T & src )

Concatenates the byte representation in big-endian order of any integral value to a secure_vector.

Parameters
targetVector to concatenate the byte representation of the integral value to.
srcintegral value to concatenate.

Definition at line 28 of file xmss_tools.h.

28 {
29 const uint8_t* src_bytes = reinterpret_cast<const uint8_t*>(&src);
30 if constexpr(std::endian::native == std::endian::little) {
31 std::reverse_copy(src_bytes, src_bytes + sizeof(src), std::back_inserter(target));
32 } else {
33 std::copy(src_bytes, src_bytes + sizeof(src), std::back_inserter(target));
34 }
35}

Referenced by Botan::XMSS_WOTS_Parameters::base_w().

◆ xmss_concat() [2/2]

template<std::unsigned_integral T>
void Botan::xmss_concat ( secure_vector< uint8_t > & target,
const T & src,
size_t len )

Concatenates the last n bytes of the byte representation in big-endian order of any integral value to a to a secure_vector.

Parameters
targetVector to concatenate the byte representation of the integral value to.
srcIntegral value to concatenate.
lennumber of bytes to concatenate. This value must be smaller or equal to the size of type T.

Definition at line 48 of file xmss_tools.h.

48 {
49 size_t c = static_cast<size_t>(std::min(len, sizeof(src)));
50 if(len > sizeof(src)) {
51 target.resize(target.size() + len - sizeof(src), 0);
52 }
53
54 const uint8_t* src_bytes = reinterpret_cast<const uint8_t*>(&src);
55 if constexpr(std::endian::native == std::endian::little) {
56 std::reverse_copy(src_bytes, src_bytes + c, std::back_inserter(target));
57 } else {
58 std::copy(src_bytes + sizeof(src) - c, src_bytes + sizeof(src), std::back_inserter(target));
59 }
60}

◆ xmss_gen_root()

SphincsTreeNode Botan::xmss_gen_root ( const Sphincs_Parameters & params,
const SphincsSecretSeed & secret_seed,
Sphincs_Hash_Functions & hashes )

Compute the XMSS public key (root node) of the top-most subtree. Contains logic of FIPS 205, Algorithm 18: slh_keygen_internal

Definition at line 58 of file sp_xmss.cpp.

60 {
61 // We do not need the a sig/auth path in key generation, but it simplifies the
62 // code to have just one treehash routine that computes both root and path
63 // in one function.
64 SphincsXmssSignature dummy_sig(params.xmss_tree_height() * params.n() + params.wots_bytes());
65 SphincsTreeNode dummy_root(params.n());
66
69
70 top_tree_addr.set_layer_address(HypertreeLayerIndex(params.d() - 1));
71 wots_addr.set_layer_address(HypertreeLayerIndex(params.d() - 1));
72
74 xmss_sign_and_pkgen(dummy_sig, dummy_root, secret_seed, wots_addr, top_tree_addr, std::nullopt, params, hashes);
75
76 return root;
77}
Gf448Elem root(const Gf448Elem &elem)
Compute the root of elem in the field.

References Botan::Sphincs_Parameters::d(), HashTree, Botan::Sphincs_Parameters::n(), root(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Parameters::wots_bytes(), WotsPublicKeyCompression, xmss_sign_and_pkgen(), and Botan::Sphincs_Parameters::xmss_tree_height().

Referenced by Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey().

◆ xmss_sign_and_pkgen()

SphincsTreeNode Botan::xmss_sign_and_pkgen ( StrongSpan< SphincsXmssSignature > out_sig,
const SphincsTreeNode & message,
const SphincsSecretSeed & secret_seed,
Sphincs_Address & wots_addr,
Sphincs_Address & tree_addr,
std::optional< TreeNodeIndex > idx_leaf,
const Sphincs_Parameters & params,
Sphincs_Hash_Functions & hashes )

FIPS 205, Algorithm 10: xmss_sign.

This generates a Merkle signature of message (i.e. a FORS public key (bottom layer) or an XMSS root node). The Merkle authentication path logic is mostly hidden in treehash_spec. The WOTS signature followed by the Merkle authentication path are stored in out_sig. Set idx_leaf to std::nullopt if no signature is desired.

Returns
the XMSS public key (i.e. the root of the XMSS merkle tree)

Definition at line 19 of file sp_xmss.cpp.

26 {
27 BufferStuffer sig(out_sig);
28 auto wots_bytes_s = sig.next<WotsSignature>(params.wots_bytes());
29 auto auth_path_s = sig.next<SphincsAuthenticationPath>(sig.remaining_capacity());
30
31 const auto steps = [&]() -> std::vector<WotsHashIndex> {
32 // if `idx_leaf` is not set, we don't want to calculate a signature and
33 // therefore won't need to bother preparing the chain lengths either.
34 if(idx_leaf.has_value()) {
35 return chain_lengths(message, params);
36 } else {
37 return {};
38 };
39 }();
40
43
45
46 GenerateLeafFunction xmss_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
48 wots_bytes_s, out_root, secret_seed, address_index, idx_leaf, steps, leaf_addr, pk_addr, params, hashes);
49 };
50
51 SphincsTreeNode next_root(params.n());
53 treehash(next_root, auth_path_s, params, hashes, idx_leaf, 0, params.xmss_tree_height(), xmss_gen_leaf, tree_addr);
54
55 return next_root;
56}
static Sphincs_Address as_subtree_from(const Sphincs_Address &other)
Definition sp_address.h:114
void wots_sign_and_pkgen(StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
Definition sp_wots.cpp:132

References Botan::Sphincs_Address::as_subtree_from(), BOTAN_ASSERT_NOMSG, chain_lengths(), Botan::Sphincs_Address::get_type(), HashTree, Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::Sphincs_Address::set_type(), treehash(), Botan::Sphincs_Parameters::wots_bytes(), wots_sign_and_pkgen(), WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().

Referenced by ht_sign(), and xmss_gen_root().

◆ xor_buf() [1/7]

void Botan::xor_buf ( ranges::contiguous_output_range< uint8_t > auto && out,
ranges::contiguous_range< uint8_t > auto && in )
inlineconstexpr

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output range
inthe read-only input range

Definition at line 342 of file mem_ops.h.

343 {
345
346 std::span<uint8_t> o(out);
347 std::span<const uint8_t> i(in);
348
349 for(; o.size_bytes() >= 32; o = o.subspan(32), i = i.subspan(32)) {
350 auto x = typecast_copy<std::array<uint64_t, 4>>(o.template first<32>());
351 const auto y = typecast_copy<std::array<uint64_t, 4>>(i.template first<32>());
352
353 x[0] ^= y[0];
354 x[1] ^= y[1];
355 x[2] ^= y[2];
356 x[3] ^= y[3];
357
358 typecast_copy(o.template first<32>(), x);
359 }
360
361 for(size_t off = 0; off != o.size_bytes(); ++off) {
362 o[off] ^= i[off];
363 }
364}

References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::Salsa20::cipher_bytes(), Botan::Lion::decrypt_n(), Botan::Lion::encrypt_n(), Botan::GHASH::final(), mgf1_mask(), operator^(), Botan::OctetString::operator^=(), operator^=(), pbkdf2(), Botan::SIV_Mode::S2V(), xor_buf(), xor_buf(), xor_buf(), xor_buf(), and xor_buf().

◆ xor_buf() [2/7]

void Botan::xor_buf ( ranges::contiguous_output_range< uint8_t > auto && out,
ranges::contiguous_range< uint8_t > auto && in1,
ranges::contiguous_range< uint8_t > auto && in2 )
inlineconstexpr

XOR arrays. Postcondition out[i] = in1[i] ^ in2[i] forall i = 0...length

Parameters
outthe output range
in1the first input range
in2the second input range

Definition at line 372 of file mem_ops.h.

374 {
376
377 std::span o{out};
378 std::span i1{in1};
379 std::span i2{in2};
380
381 for(; o.size_bytes() >= 32; o = o.subspan(32), i1 = i1.subspan(32), i2 = i2.subspan(32)) {
382 auto x = typecast_copy<std::array<uint64_t, 4>>(i1.template first<32>());
383 const auto y = typecast_copy<std::array<uint64_t, 4>>(i2.template first<32>());
384
385 x[0] ^= y[0];
386 x[1] ^= y[1];
387 x[2] ^= y[2];
388 x[3] ^= y[3];
389
390 typecast_copy(o.template first<32>(), x);
391 }
392
393 for(size_t off = 0; off != o.size_bytes(); ++off) {
394 o[off] = i1[off] ^ i2[off];
395 }
396}

References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().

◆ xor_buf() [3/7]

void Botan::xor_buf ( std::span< uint8_t > out,
std::span< const uint8_t > in,
size_t n )
inline

Definition at line 422 of file mem_ops.h.

422 {
423 BOTAN_ARG_CHECK(out.size() >= n, "output span is too small");
424 BOTAN_ARG_CHECK(in.size() >= n, "input span is too small");
425 xor_buf(out.first(n), in.first(n));
426}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [4/7]

template<typename Alloc, typename Alloc2>
void Botan::xor_buf ( std::vector< uint8_t, Alloc > & out,
const uint8_t * in,
const std::vector< uint8_t, Alloc2 > & in2,
size_t n )

Definition at line 438 of file mem_ops.h.

438 {
439 BOTAN_ARG_CHECK(out.size() >= n, "output vector is too small");
440 BOTAN_ARG_CHECK(in2.size() >= n, "input vector is too small");
441 // simply assumes that *in points to "n" allocated bytes at least
442 xor_buf(std::span{out}.first(n), std::span{in, n}, std::span{in2}.first(n));
443}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [5/7]

template<typename Alloc>
void Botan::xor_buf ( std::vector< uint8_t, Alloc > & out,
const uint8_t * in,
size_t n )

Definition at line 430 of file mem_ops.h.

430 {
431 BOTAN_ARG_CHECK(out.size() >= n, "output vector is too small");
432 // simply assumes that *in points to "n" allocated bytes at least
433 xor_buf(std::span{out}.first(n), std::span{in, n});
434}

References BOTAN_ARG_CHECK, and xor_buf().

◆ xor_buf() [6/7]

void Botan::xor_buf ( uint8_t out[],
const uint8_t in[],
const uint8_t in2[],
size_t length )
inline

XOR arrays. Postcondition out[i] = in[i] ^ in2[i] forall i = 0...length

Parameters
outthe output buffer
inthe first input buffer
in2the second input buffer
lengththe length of the three buffers

Definition at line 416 of file mem_ops.h.

416 {
417 // simply assumes that *out, *in, and *in2 point to "length" allocated bytes at least
418 xor_buf(std::span{out, length}, std::span{in, length}, std::span{in2, length});
419}

References xor_buf().

◆ xor_buf() [7/7]

void Botan::xor_buf ( uint8_t out[],
const uint8_t in[],
size_t length )
inline

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output buffer
inthe read-only input buffer
lengththe length of the buffers

Definition at line 404 of file mem_ops.h.

404 {
405 // simply assumes that *out and *in point to "length" allocated bytes at least
406 xor_buf(std::span{out, length}, std::span{in, length});
407}

References xor_buf().

◆ xts_update_tweak_block()

void Botan::xts_update_tweak_block ( uint8_t tweak[],
size_t BS,
size_t blocks_in_tweak )

Definition at line 119 of file poly_dbl.cpp.

119 {
120 if(BS == 16) {
121 constexpr size_t LIMBS = 2;
122
123 uint64_t W[LIMBS];
124 load_le(W, &tweak[0], LIMBS);
125
126 for(size_t i = 1; i < blocks_in_tweak; ++i) {
127 const uint64_t carry = return_carry<MinWeightPolynomial::P128>(W[1]);
128 W[1] = (W[1] << 1) ^ (W[0] >> 63);
129 W[0] = (W[0] << 1) ^ carry;
130 copy_out_le(std::span(&tweak[i * BS], 2 * 8), W);
131 }
132 } else {
133 for(size_t i = 1; i < blocks_in_tweak; ++i) {
134 const uint8_t* prev = &tweak[(i - 1) * BS];
135 uint8_t* cur = &tweak[i * BS];
136 poly_double_n_le(cur, prev, BS);
137 }
138 }
139}
void copy_out_le(std::span< uint8_t > out, const InR &in)
Definition loadstor.h:789
void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:100

References carry(), copy_out_le(), load_le(), and poly_double_n_le().

Referenced by Botan::XTS_Mode::update_tweak().

◆ zap()

template<typename T, typename Alloc>
void Botan::zap ( std::vector< T, Alloc > & vec)

◆ zeroise()

template<typename T, typename Alloc>
void Botan::zeroise ( std::vector< T, Alloc > & vec)

Variable Documentation

◆ BLAKE2B_BLOCKBYTES

size_t Botan::BLAKE2B_BLOCKBYTES = 128
constexpr

Definition at line 21 of file blake2b.h.

Referenced by Botan::BLAKE2b::add_data().

◆ BYTES_448

size_t Botan::BYTES_448 = ceil_tobytes<size_t>(448)
constexpr

Definition at line 20 of file curve448_gf.h.

◆ DefaultBufferSize

size_t Botan::DefaultBufferSize = 4096
constexpr

How much to allocate for a buffer of no particular size

Definition at line 137 of file types.h.

Referenced by operator<<(), operator<<(), operator>>(), operator>>(), Botan::Pipe::read_all_as_string(), and Botan::Pipe::write().

◆ ED448_LEN

◆ HEX_CODEC_BUFFER_SIZE

const size_t Botan::HEX_CODEC_BUFFER_SIZE = 256

Size used for internal buffer in hex encoder/decoder

Definition at line 20 of file hex_filt.cpp.

Referenced by Botan::Hex_Decoder::Hex_Decoder(), Botan::Hex_Encoder::Hex_Encoder(), and Botan::Hex_Encoder::Hex_Encoder().

◆ is_strong_span_v

template<typename T>
bool Botan::is_strong_span_v = is_strong_span<T>::value
constexpr

Definition at line 720 of file strong_type.h.

◆ is_strong_type_v

template<typename... Ts>
bool Botan::is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value
constexpr

Definition at line 32 of file concepts.h.

◆ LMS_IDENTIFIER_LEN

◆ MAX_EXT_DEG

const size_t Botan::MAX_EXT_DEG = 16

Definition at line 19 of file gf2m_small_m.cpp.

◆ PRIME_TABLE_SIZE

const size_t Botan::PRIME_TABLE_SIZE = 6541

The size of the PRIMES[] array

Definition at line 174 of file numthry.h.

Referenced by is_prime(), and random_prime().

◆ PRIMES

const uint16_t Botan::PRIMES

A const array of all odd primes less than 65535

Definition at line 12 of file primes.cpp.

12 {
13 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
14 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
15 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
16 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313,
17 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419,
18 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509,
19 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617,
20 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727,
21 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829,
22 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947,
23 953, 967, 971, 977, 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051,
24 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 1171,
25 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
26 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427,
27 1429, 1433, 1439, 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523,
28 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, 1621,
29 1627, 1637, 1657, 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753,
30 1759, 1777, 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879,
31 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011,
32 2017, 2027, 2029, 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131,
33 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, 2269,
34 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, 2381,
35 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521,
36 2531, 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
37 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 2749,
38 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879,
39 2887, 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, 3019,
40 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169,
41 3181, 3187, 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 3307,
42 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433,
43 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, 3547,
44 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 3673,
45 3677, 3691, 3697, 3701, 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803,
46 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, 3929,
47 3931, 3943, 3947, 3967, 3989, 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
48 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, 4217,
49 4219, 4229, 4231, 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339,
50 4349, 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483,
51 4493, 4507, 4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637,
52 4639, 4643, 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, 4759,
53 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919,
54 4931, 4933, 4937, 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, 5021,
55 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 5171,
56 5179, 5189, 5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 5323,
57 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, 5449,
58 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
59 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 5717,
60 5737, 5741, 5743, 5749, 5779, 5783, 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851,
61 5857, 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, 6011,
62 6029, 6037, 6043, 6047, 6053, 6067, 6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143,
63 6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, 6277,
64 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389,
65 6397, 6421, 6427, 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569,
66 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, 6703,
67 6709, 6719, 6733, 6737, 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, 6841,
68 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 6977,
69 6983, 6991, 6997, 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
70 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283,
71 7297, 7307, 7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459,
72 7477, 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, 7573,
73 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699,
74 7703, 7717, 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 7867,
75 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011,
76 8017, 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, 8167,
77 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, 8293,
78 8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, 8447,
79 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, 8623,
80 8627, 8629, 8641, 8647, 8663, 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
81 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, 8863,
82 8867, 8887, 8893, 8923, 8929, 8933, 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013,
83 9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, 9173,
84 9181, 9187, 9199, 9203, 9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319,
85 9323, 9337, 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437,
86 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601,
87 9613, 9619, 9623, 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, 9739,
88 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, 9859,
89 9871, 9883, 9887, 9901, 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, 10039,
90 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169,
91 10177, 10181, 10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
92 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, 10463,
93 10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631,
94 10639, 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, 10781,
95 10789, 10799, 10831, 10837, 10847, 10853, 10859, 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939,
96 10949, 10957, 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, 11093,
97 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257,
98 11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, 11411,
99 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, 11579,
100 11587, 11593, 11597, 11617, 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743,
101 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, 11897,
102 11903, 11909, 11923, 11927, 11933, 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
103 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, 12163,
104 12197, 12203, 12211, 12227, 12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329,
105 12343, 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479,
106 12487, 12491, 12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601,
107 12611, 12613, 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, 12743,
108 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911,
109 12917, 12919, 12923, 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, 13037,
110 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183,
111 13187, 13217, 13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, 13339,
112 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, 13513,
113 13523, 13537, 13553, 13567, 13577, 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
114 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, 13807,
115 13829, 13831, 13841, 13859, 13873, 13877, 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963,
116 13967, 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, 14149,
117 14153, 14159, 14173, 14177, 14197, 14207, 14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327,
118 14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, 14479,
119 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629,
120 14633, 14639, 14653, 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759,
121 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, 14891,
122 14897, 14923, 14929, 14939, 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, 15077,
123 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, 15227,
124 15233, 15241, 15259, 15263, 15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
125 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493,
126 15497, 15511, 15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647,
127 15649, 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, 15787,
128 15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923,
129 15937, 15959, 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, 16091,
130 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253,
131 16267, 16273, 16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, 16433,
132 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, 16607,
133 16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, 16759,
134 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, 16931,
135 16937, 16943, 16963, 16979, 16981, 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
136 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, 17239,
137 17257, 17291, 17293, 17299, 17317, 17321, 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393,
138 17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, 17539,
139 17551, 17569, 17573, 17579, 17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707,
140 17713, 17729, 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881,
141 17891, 17903, 17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971, 17977, 17981, 17987, 17989, 18013,
142 18041, 18043, 18047, 18049, 18059, 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143, 18149,
143 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233, 18251, 18253, 18257, 18269, 18287, 18289, 18301,
144 18307, 18311, 18313, 18329, 18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, 18433, 18439, 18443,
145 18451, 18457, 18461, 18481, 18493, 18503, 18517, 18521, 18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617,
146 18637, 18661, 18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749, 18757, 18773, 18787, 18793, 18797,
147 18803, 18839, 18859, 18869, 18899, 18911, 18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009, 19013,
148 19031, 19037, 19051, 19069, 19073, 19079, 19081, 19087, 19121, 19139, 19141, 19157, 19163, 19181, 19183, 19207,
149 19211, 19213, 19219, 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319, 19333, 19373, 19379,
150 19381, 19387, 19391, 19403, 19417, 19421, 19423, 19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471,
151 19477, 19483, 19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, 19577, 19583, 19597, 19603, 19609,
152 19661, 19681, 19687, 19697, 19699, 19709, 19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793, 19801,
153 19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891, 19913, 19919, 19927, 19937, 19949, 19961, 19963,
154 19973, 19979, 19991, 19993, 19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071, 20089, 20101, 20107,
155 20113, 20117, 20123, 20129, 20143, 20147, 20149, 20161, 20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249,
156 20261, 20269, 20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357, 20359, 20369, 20389, 20393, 20399,
157 20407, 20411, 20431, 20441, 20443, 20477, 20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551, 20563,
158 20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693, 20707, 20717, 20719, 20731, 20743, 20747, 20749,
159 20753, 20759, 20771, 20773, 20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897, 20899, 20903, 20921,
160 20929, 20939, 20947, 20959, 20963, 20981, 20983, 21001, 21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061,
161 21067, 21089, 21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169, 21179, 21187, 21191, 21193, 21211,
162 21221, 21227, 21247, 21269, 21277, 21283, 21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383, 21391,
163 21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491, 21493, 21499, 21503, 21517, 21521, 21523, 21529,
164 21557, 21559, 21563, 21569, 21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647, 21649, 21661, 21673,
165 21683, 21701, 21713, 21727, 21737, 21739, 21751, 21757, 21767, 21773, 21787, 21799, 21803, 21817, 21821, 21839,
166 21841, 21851, 21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943, 21961, 21977, 21991, 21997, 22003,
167 22013, 22027, 22031, 22037, 22039, 22051, 22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123, 22129,
168 22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229, 22247, 22259, 22271, 22273, 22277, 22279, 22283,
169 22291, 22303, 22307, 22343, 22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441, 22447, 22453, 22469,
170 22481, 22483, 22501, 22511, 22531, 22541, 22543, 22549, 22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639,
171 22643, 22651, 22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727, 22739, 22741, 22751, 22769, 22777,
172 22783, 22787, 22807, 22811, 22817, 22853, 22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943, 22961,
173 22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029, 23039, 23041, 23053, 23057, 23059, 23063, 23071,
174 23081, 23087, 23099, 23117, 23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203, 23209, 23227, 23251,
175 23269, 23279, 23291, 23293, 23297, 23311, 23321, 23327, 23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431,
176 23447, 23459, 23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561, 23563, 23567, 23581, 23593, 23599,
177 23603, 23609, 23623, 23627, 23629, 23633, 23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743, 23747,
178 23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827, 23831, 23833, 23857, 23869, 23873, 23879, 23887,
179 23893, 23899, 23909, 23911, 23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007, 24019, 24023, 24029,
180 24043, 24049, 24061, 24071, 24077, 24083, 24091, 24097, 24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151,
181 24169, 24179, 24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281, 24317, 24329, 24337, 24359, 24371,
182 24373, 24379, 24391, 24407, 24413, 24419, 24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517, 24527,
183 24533, 24547, 24551, 24571, 24593, 24611, 24623, 24631, 24659, 24671, 24677, 24683, 24691, 24697, 24709, 24733,
184 24749, 24763, 24767, 24781, 24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877, 24889, 24907, 24917,
185 24919, 24923, 24943, 24953, 24967, 24971, 24977, 24979, 24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087,
186 25097, 25111, 25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183, 25189, 25219, 25229, 25237, 25243,
187 25247, 25253, 25261, 25301, 25303, 25307, 25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391, 25409,
188 25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471, 25523, 25537, 25541, 25561, 25577, 25579, 25583,
189 25589, 25601, 25603, 25609, 25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693, 25703, 25717, 25733,
190 25741, 25747, 25759, 25763, 25771, 25793, 25799, 25801, 25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903,
191 25913, 25919, 25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999, 26003, 26017, 26021, 26029, 26041,
192 26053, 26083, 26099, 26107, 26111, 26113, 26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203, 26209,
193 26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297, 26309, 26317, 26321, 26339, 26347, 26357, 26371,
194 26387, 26393, 26399, 26407, 26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497, 26501, 26513, 26539,
195 26557, 26561, 26573, 26591, 26597, 26627, 26633, 26641, 26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701,
196 26711, 26713, 26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801, 26813, 26821, 26833, 26839, 26849,
197 26861, 26863, 26879, 26881, 26891, 26893, 26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987, 26993,
198 27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077, 27091, 27103, 27107, 27109, 27127, 27143, 27179,
199 27191, 27197, 27211, 27239, 27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329, 27337, 27361, 27367,
200 27397, 27407, 27409, 27427, 27431, 27437, 27449, 27457, 27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541,
201 27551, 27581, 27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691, 27697, 27701, 27733, 27737, 27739,
202 27743, 27749, 27751, 27763, 27767, 27773, 27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827, 27847,
203 27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947, 27953, 27961, 27967, 27983, 27997, 28001, 28019,
204 28027, 28031, 28051, 28057, 28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151, 28163, 28181, 28183,
205 28201, 28211, 28219, 28229, 28277, 28279, 28283, 28289, 28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393,
206 28403, 28409, 28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499, 28513, 28517, 28537, 28541, 28547,
207 28549, 28559, 28571, 28573, 28579, 28591, 28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649, 28657,
208 28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729, 28751, 28753, 28759, 28771, 28789, 28793, 28807,
209 28813, 28817, 28837, 28843, 28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933, 28949, 28961, 28979,
210 29009, 29017, 29021, 29023, 29027, 29033, 29059, 29063, 29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153,
211 29167, 29173, 29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251, 29269, 29287, 29297, 29303, 29311,
212 29327, 29333, 29339, 29347, 29363, 29383, 29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443, 29453,
213 29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573, 29581, 29587, 29599, 29611, 29629, 29633, 29641,
214 29663, 29669, 29671, 29683, 29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819, 29833, 29837, 29851,
215 29863, 29867, 29873, 29879, 29881, 29917, 29921, 29927, 29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047,
216 30059, 30071, 30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137, 30139, 30161, 30169, 30181, 30187,
217 30197, 30203, 30211, 30223, 30241, 30253, 30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341, 30347,
218 30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469, 30491, 30493, 30497, 30509, 30517, 30529, 30539,
219 30553, 30557, 30559, 30577, 30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689, 30697, 30703, 30707,
220 30713, 30727, 30757, 30763, 30773, 30781, 30803, 30809, 30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869,
221 30871, 30881, 30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983, 31013, 31019, 31033, 31039, 31051,
222 31063, 31069, 31079, 31081, 31091, 31121, 31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183, 31189,
223 31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259, 31267, 31271, 31277, 31307, 31319, 31321, 31327,
224 31333, 31337, 31357, 31379, 31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511, 31513, 31517, 31531,
225 31541, 31543, 31547, 31567, 31573, 31583, 31601, 31607, 31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699,
226 31721, 31723, 31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817, 31847, 31849, 31859, 31873, 31883,
227 31891, 31907, 31957, 31963, 31973, 31981, 31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063, 32069,
228 32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159, 32173, 32183, 32189, 32191, 32203, 32213, 32233,
229 32237, 32251, 32257, 32261, 32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353, 32359, 32363, 32369,
230 32371, 32377, 32381, 32401, 32411, 32413, 32423, 32429, 32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507,
231 32531, 32533, 32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609, 32611, 32621, 32633, 32647, 32653,
232 32687, 32693, 32707, 32713, 32717, 32719, 32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831, 32833,
233 32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939, 32941, 32957, 32969, 32971, 32983, 32987, 32993,
234 32999, 33013, 33023, 33029, 33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113, 33119, 33149, 33151,
235 33161, 33179, 33181, 33191, 33199, 33203, 33211, 33223, 33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331,
236 33343, 33347, 33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427, 33457, 33461, 33469, 33479, 33487,
237 33493, 33503, 33521, 33529, 33533, 33547, 33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613, 33617,
238 33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713, 33721, 33739, 33749, 33751, 33757, 33767, 33769,
239 33773, 33791, 33797, 33809, 33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893, 33911, 33923, 33931,
240 33937, 33941, 33961, 33967, 33997, 34019, 34031, 34033, 34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147,
241 34157, 34159, 34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261, 34267, 34273, 34283, 34297, 34301,
242 34303, 34313, 34319, 34327, 34337, 34351, 34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457, 34469,
243 34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537, 34543, 34549, 34583, 34589, 34591, 34603, 34607,
244 34613, 34631, 34649, 34651, 34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739, 34747, 34757, 34759,
245 34763, 34781, 34807, 34819, 34841, 34843, 34847, 34849, 34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949,
246 34961, 34963, 34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083, 35089, 35099, 35107, 35111, 35117,
247 35129, 35141, 35149, 35153, 35159, 35171, 35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291, 35311,
248 35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401, 35407, 35419, 35423, 35437, 35447, 35449, 35461,
249 35491, 35507, 35509, 35521, 35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593, 35597, 35603, 35617,
250 35671, 35677, 35729, 35731, 35747, 35753, 35759, 35771, 35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851,
251 35863, 35869, 35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969, 35977, 35983, 35993, 35999, 36007,
252 36011, 36013, 36017, 36037, 36061, 36067, 36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161, 36187,
253 36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277, 36293, 36299, 36307, 36313, 36319, 36341, 36343,
254 36353, 36373, 36383, 36389, 36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497, 36523, 36527, 36529,
255 36541, 36551, 36559, 36563, 36571, 36583, 36587, 36599, 36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683,
256 36691, 36697, 36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781, 36787, 36791, 36793, 36809, 36821,
257 36833, 36847, 36857, 36871, 36877, 36887, 36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947, 36973,
258 36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057, 37061, 37087, 37097, 37117, 37123, 37139, 37159,
259 37171, 37181, 37189, 37199, 37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309, 37313, 37321, 37337,
260 37339, 37357, 37361, 37363, 37369, 37379, 37397, 37409, 37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501,
261 37507, 37511, 37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573, 37579, 37589, 37591, 37607, 37619,
262 37633, 37643, 37649, 37657, 37663, 37691, 37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813, 37831,
263 37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951, 37957, 37963, 37967, 37987, 37991, 37993, 37997,
264 38011, 38039, 38047, 38053, 38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183, 38189, 38197, 38201,
265 38219, 38231, 38237, 38239, 38261, 38273, 38281, 38287, 38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351,
266 38371, 38377, 38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543, 38557, 38561, 38567, 38569, 38593,
267 38603, 38609, 38611, 38629, 38639, 38651, 38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713, 38723,
268 38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821, 38833, 38839, 38851, 38861, 38867, 38873, 38891,
269 38903, 38917, 38921, 38923, 38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041, 39043, 39047, 39079,
270 39089, 39097, 39103, 39107, 39113, 39119, 39133, 39139, 39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217,
271 39227, 39229, 39233, 39239, 39241, 39251, 39293, 39301, 39313, 39317, 39323, 39341, 39343, 39359, 39367, 39371,
272 39373, 39383, 39397, 39409, 39419, 39439, 39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541, 39551,
273 39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667, 39671, 39679, 39703, 39709, 39719, 39727, 39733,
274 39749, 39761, 39769, 39779, 39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857, 39863, 39869, 39877,
275 39883, 39887, 39901, 39929, 39937, 39953, 39971, 39979, 39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063,
276 40087, 40093, 40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169, 40177, 40189, 40193, 40213, 40231,
277 40237, 40241, 40253, 40277, 40283, 40289, 40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433, 40459,
278 40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531, 40543, 40559, 40577, 40583, 40591, 40597, 40609,
279 40627, 40637, 40639, 40693, 40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787, 40801, 40813, 40819,
280 40823, 40829, 40841, 40847, 40849, 40853, 40867, 40879, 40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961,
281 40973, 40993, 41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081, 41113, 41117, 41131, 41141, 41143,
282 41149, 41161, 41177, 41179, 41183, 41189, 41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257, 41263,
283 41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387, 41389, 41399, 41411, 41413, 41443, 41453, 41467,
284 41479, 41491, 41507, 41513, 41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603, 41609, 41611, 41617,
285 41621, 41627, 41641, 41647, 41651, 41659, 41669, 41681, 41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777,
286 41801, 41809, 41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897, 41903, 41911, 41927, 41941, 41947,
287 41953, 41957, 41959, 41969, 41981, 41983, 41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073, 42083,
288 42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187, 42193, 42197, 42209, 42221, 42223, 42227, 42239,
289 42257, 42281, 42283, 42293, 42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379, 42391, 42397, 42403,
290 42407, 42409, 42433, 42437, 42443, 42451, 42457, 42461, 42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533,
291 42557, 42569, 42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677, 42683, 42689, 42697, 42701, 42703,
292 42709, 42719, 42727, 42737, 42743, 42751, 42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841, 42853,
293 42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953, 42961, 42967, 42979, 42989, 43003, 43013, 43019,
294 43037, 43049, 43051, 43063, 43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189, 43201, 43207, 43223,
295 43237, 43261, 43271, 43283, 43291, 43313, 43319, 43321, 43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441,
296 43451, 43457, 43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579, 43591, 43597, 43607, 43609, 43613,
297 43627, 43633, 43649, 43651, 43661, 43669, 43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783, 43787,
298 43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933, 43943, 43951, 43961, 43963, 43969, 43973, 43987,
299 43991, 43997, 44017, 44021, 44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101, 44111, 44119, 44123,
300 44129, 44131, 44159, 44171, 44179, 44189, 44201, 44203, 44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273,
301 44279, 44281, 44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449, 44453, 44483, 44491, 44497, 44501,
302 44507, 44519, 44531, 44533, 44537, 44543, 44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641, 44647,
303 44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741, 44753, 44771, 44773, 44777, 44789, 44797, 44809,
304 44819, 44839, 44843, 44851, 44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953, 44959, 44963, 44971,
305 44983, 44987, 45007, 45013, 45053, 45061, 45077, 45083, 45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179,
306 45181, 45191, 45197, 45233, 45247, 45259, 45263, 45281, 45289, 45293, 45307, 45317, 45319, 45329, 45337, 45341,
307 45343, 45361, 45377, 45389, 45403, 45413, 45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533, 45541,
308 45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641, 45659, 45667, 45673, 45677, 45691, 45697, 45707,
309 45737, 45751, 45757, 45763, 45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853, 45863, 45869, 45887,
310 45893, 45943, 45949, 45953, 45959, 45971, 45979, 45989, 46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093,
311 46099, 46103, 46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199, 46219, 46229, 46237, 46261, 46271,
312 46273, 46279, 46301, 46307, 46309, 46327, 46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447, 46451,
313 46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549, 46559, 46567, 46573, 46589, 46591, 46601, 46619,
314 46633, 46639, 46643, 46649, 46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747, 46751, 46757, 46769,
315 46771, 46807, 46811, 46817, 46819, 46829, 46831, 46853, 46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957,
316 46993, 46997, 47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119, 47123, 47129, 47137, 47143, 47147,
317 47149, 47161, 47189, 47207, 47221, 47237, 47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317, 47339,
318 47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419, 47431, 47441, 47459, 47491, 47497, 47501, 47507,
319 47513, 47521, 47527, 47533, 47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629, 47639, 47653, 47657,
320 47659, 47681, 47699, 47701, 47711, 47713, 47717, 47737, 47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809,
321 47819, 47837, 47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939, 47947, 47951, 47963, 47969, 47977,
322 47981, 48017, 48023, 48029, 48049, 48073, 48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179, 48187,
323 48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299, 48311, 48313, 48337, 48341, 48353, 48371, 48383,
324 48397, 48407, 48409, 48413, 48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497, 48523, 48527, 48533,
325 48539, 48541, 48563, 48571, 48589, 48593, 48611, 48619, 48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731,
326 48733, 48751, 48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817, 48821, 48823, 48847, 48857, 48859,
327 48869, 48871, 48883, 48889, 48907, 48947, 48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033, 49037,
328 49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123, 49139, 49157, 49169, 49171, 49177, 49193, 49199,
329 49201, 49207, 49211, 49223, 49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339, 49363, 49367, 49369,
330 49391, 49393, 49409, 49411, 49417, 49429, 49433, 49451, 49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531,
331 49537, 49547, 49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663, 49667, 49669, 49681, 49697, 49711,
332 49727, 49739, 49741, 49747, 49757, 49783, 49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853, 49871,
333 49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957, 49991, 49993, 49999, 50021, 50023, 50033, 50047,
334 50051, 50053, 50069, 50077, 50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147, 50153, 50159, 50177,
335 50207, 50221, 50227, 50231, 50261, 50263, 50273, 50287, 50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363,
336 50377, 50383, 50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503, 50513, 50527, 50539, 50543, 50549,
337 50551, 50581, 50587, 50591, 50593, 50599, 50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753, 50767,
338 50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867, 50873, 50891, 50893, 50909, 50923, 50929, 50951,
339 50957, 50969, 50971, 50989, 50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109, 51131, 51133, 51137,
340 51151, 51157, 51169, 51193, 51197, 51199, 51203, 51217, 51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307,
341 51329, 51341, 51343, 51347, 51349, 51361, 51383, 51407, 51413, 51419, 51421, 51427, 51431, 51437, 51439, 51449,
342 51461, 51473, 51479, 51481, 51487, 51503, 51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593, 51599,
343 51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683, 51691, 51713, 51719, 51721, 51749, 51767, 51769,
344 51787, 51797, 51803, 51817, 51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899, 51907, 51913, 51929,
345 51941, 51949, 51971, 51973, 51977, 51991, 52009, 52021, 52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121,
346 52127, 52147, 52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237, 52249, 52253, 52259, 52267, 52289,
347 52291, 52301, 52313, 52321, 52361, 52363, 52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501, 52511,
348 52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579, 52583, 52609, 52627, 52631, 52639, 52667, 52673,
349 52691, 52697, 52709, 52711, 52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813, 52817, 52837, 52859,
350 52861, 52879, 52883, 52889, 52901, 52903, 52919, 52937, 52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003,
351 53017, 53047, 53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117, 53129, 53147, 53149, 53161, 53171,
352 53173, 53189, 53197, 53201, 53231, 53233, 53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327, 53353,
353 53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441, 53453, 53479, 53503, 53507, 53527, 53549, 53551,
354 53569, 53591, 53593, 53597, 53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657, 53681, 53693, 53699,
355 53717, 53719, 53731, 53759, 53773, 53777, 53783, 53791, 53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887,
356 53891, 53897, 53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993, 54001, 54011, 54013, 54037, 54049,
357 54059, 54083, 54091, 54101, 54121, 54133, 54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269, 54277,
358 54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367, 54371, 54377, 54401, 54403, 54409, 54413, 54419,
359 54421, 54437, 54443, 54449, 54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541, 54547, 54559, 54563,
360 54577, 54581, 54583, 54601, 54617, 54623, 54629, 54631, 54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727,
361 54751, 54767, 54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877, 54881, 54907, 54917, 54919, 54941,
362 54949, 54959, 54973, 54979, 54983, 55001, 55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103, 55109,
363 55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217, 55219, 55229, 55243, 55249, 55259, 55291, 55313,
364 55331, 55333, 55337, 55339, 55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457, 55469, 55487, 55501,
365 55511, 55529, 55541, 55547, 55579, 55589, 55603, 55609, 55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667,
366 55673, 55681, 55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793, 55799, 55807, 55813, 55817, 55819,
367 55823, 55829, 55837, 55843, 55849, 55871, 55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949, 55967,
368 55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087, 56093, 56099, 56101, 56113, 56123, 56131, 56149,
369 56167, 56171, 56179, 56197, 56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299, 56311, 56333, 56359,
370 56369, 56377, 56383, 56393, 56401, 56417, 56431, 56437, 56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501,
371 56503, 56509, 56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599, 56611, 56629, 56633, 56659, 56663,
372 56671, 56681, 56687, 56701, 56711, 56713, 56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809, 56813,
373 56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909, 56911, 56921, 56923, 56929, 56941, 56951, 56957,
374 56963, 56983, 56989, 56993, 56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097, 57107, 57119, 57131,
375 57139, 57143, 57149, 57163, 57173, 57179, 57191, 57193, 57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271,
376 57283, 57287, 57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 57389, 57397, 57413, 57427, 57457, 57467,
377 57487, 57493, 57503, 57527, 57529, 57557, 57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653, 57667,
378 57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737, 57751, 57773, 57781, 57787, 57791, 57793, 57803,
379 57809, 57829, 57839, 57847, 57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947, 57973, 57977, 57991,
380 58013, 58027, 58031, 58043, 58049, 58057, 58061, 58067, 58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153,
381 58169, 58171, 58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237, 58243, 58271, 58309, 58313, 58321,
382 58337, 58363, 58367, 58369, 58379, 58391, 58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453, 58477,
383 58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601, 58603, 58613, 58631, 58657, 58661, 58679, 58687,
384 58693, 58699, 58711, 58727, 58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889, 58897, 58901, 58907,
385 58909, 58913, 58921, 58937, 58943, 58963, 58967, 58979, 58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051,
386 59053, 59063, 59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141, 59149, 59159, 59167, 59183, 59197,
387 59207, 59209, 59219, 59221, 59233, 59239, 59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359, 59369,
388 59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443, 59447, 59453, 59467, 59471, 59473, 59497, 59509,
389 59513, 59539, 59557, 59561, 59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659, 59663, 59669, 59671,
390 59693, 59699, 59707, 59723, 59729, 59743, 59747, 59753, 59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879,
391 59887, 59921, 59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029, 60037, 60041, 60077, 60083, 60089,
392 60091, 60101, 60103, 60107, 60127, 60133, 60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251, 60257,
393 60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353, 60373, 60383, 60397, 60413, 60427, 60443, 60449,
394 60457, 60493, 60497, 60509, 60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623, 60631, 60637, 60647,
395 60649, 60659, 60661, 60679, 60689, 60703, 60719, 60727, 60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793,
396 60811, 60821, 60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919, 60923, 60937, 60943, 60953, 60961,
397 61001, 61007, 61027, 61031, 61043, 61051, 61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169, 61211,
398 61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333, 61339, 61343, 61357, 61363, 61379, 61381, 61403,
399 61409, 61417, 61441, 61463, 61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543, 61547, 61553, 61559,
400 61561, 61583, 61603, 61609, 61613, 61627, 61631, 61637, 61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703,
401 61717, 61723, 61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861, 61871, 61879, 61909, 61927, 61933,
402 61949, 61961, 61967, 61979, 61981, 61987, 61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071, 62081,
403 62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189, 62191, 62201, 62207, 62213, 62219, 62233, 62273,
404 62297, 62299, 62303, 62311, 62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459, 62467, 62473, 62477,
405 62483, 62497, 62501, 62507, 62533, 62539, 62549, 62563, 62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639,
406 62653, 62659, 62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773, 62791, 62801, 62819, 62827, 62851,
407 62861, 62869, 62873, 62897, 62903, 62921, 62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989, 63029,
408 63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127, 63131, 63149, 63179, 63197, 63199, 63211, 63241,
409 63247, 63277, 63281, 63299, 63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367, 63377, 63389, 63391,
410 63397, 63409, 63419, 63421, 63439, 63443, 63463, 63467, 63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541,
411 63559, 63577, 63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647, 63649, 63659, 63667, 63671, 63689,
412 63691, 63697, 63703, 63709, 63719, 63727, 63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809, 63823,
413 63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929, 63949, 63977, 63997, 64007, 64013, 64019, 64033,
414 64037, 64063, 64067, 64081, 64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189, 64217, 64223, 64231,
415 64237, 64271, 64279, 64283, 64301, 64303, 64319, 64327, 64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451,
416 64453, 64483, 64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601, 64609, 64613, 64621, 64627, 64633,
417 64661, 64663, 64667, 64679, 64693, 64709, 64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849, 64853,
418 64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937, 64951, 64969, 64997, 65003, 65011, 65027, 65029,
419 65033, 65053, 65063, 65071, 65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147, 65167, 65171, 65173,
420 65179, 65183, 65203, 65213, 65239, 65257, 65267, 65269, 65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371,
421 65381, 65393, 65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497, 65519, 65521, 0};

Referenced by is_prime(), and random_prime().

◆ STREEBOG_Ax

const uint64_t Botan::STREEBOG_Ax
extern

Definition at line 34 of file streebog_precalc.cpp.

34 {
35 {0xd01f715b5c7ef8e6, 0x16fa240980778325, 0xa8a42e857ee049c8, 0x6ac1068fa186465b, 0x6e417bd7a2e9320b,
36 0x665c8167a437daab, 0x7666681aa89617f6, 0x4b959163700bdcf5, 0xf14be6b78df36248, 0xc585bd689a625cff,
37 0x9557d7fca67d82cb, 0x89f0b969af6dd366, 0xb0833d48749f6c35, 0xa1998c23b1ecbc7c, 0x8d70c431ac02a736,
38 0xd6dfbc2fd0a8b69e, 0x37aeb3e551fa198b, 0x0b7d128a40b5cf9c, 0x5a8f2008b5780cbc, 0xedec882284e333e5,
39 0xd25fc177d3c7c2ce, 0x5e0f5d50b61778ec, 0x1d873683c0c24cb9, 0xad040bcbb45d208c, 0x2f89a0285b853c76,
40 0x5732fff6791b8d58, 0x3e9311439ef6ec3f, 0xc9183a809fd3c00f, 0x83adf3f5260a01ee, 0xa6791941f4e8ef10,
41 0x103ae97d0ca1cd5d, 0x2ce948121dee1b4a, 0x39738421dbf2bf53, 0x093da2a6cf0cf5b4, 0xcd9847d89cbcb45f,
42 0xf9561c078b2d8ae8, 0x9c6a755a6971777f, 0xbc1ebaa0712ef0c5, 0x72e61542abf963a6, 0x78bb5fde229eb12e,
43 0x14ba94250fceb90d, 0x844d6697630e5282, 0x98ea08026a1e032f, 0xf06bbea144217f5c, 0xdb6263d11ccb377a,
44 0x641c314b2b8ee083, 0x320e96ab9b4770cf, 0x1ee7deb986a96b85, 0xe96cf57a878c47b5, 0xfdd6615f8842feb8,
45 0xc83862965601dd1b, 0x2ea9f83e92572162, 0xf876441142ff97fc, 0xeb2c455608357d9d, 0x5612a7e0b0c9904c,
46 0x6c01cbfb2d500823, 0x4548a6a7fa037a2d, 0xabc4c6bf388b6ef4, 0xbade77d4fdf8bebd, 0x799b07c8eb4cac3a,
47 0x0c9d87e805b19cf0, 0xcb588aac106afa27, 0xea0c1d40c1e76089, 0x2869354a1e816f1a, 0xff96d17307fbc490,
48 0x9f0a9d602f1a5043, 0x96373fc6e016a5f7, 0x5292dab8b3a6e41c, 0x9b8ae0382c752413, 0x4f15ec3b7364a8a5,
49 0x3fb349555724f12b, 0xc7c50d4415db66d7, 0x92b7429ee379d1a7, 0xd37f99611a15dfda, 0x231427c05e34a086,
50 0xa439a96d7b51d538, 0xb403401077f01865, 0xdda2aea5901d7902, 0x0a5d4a9c8967d288, 0xc265280adf660f93,
51 0x8bb0094520d4e94e, 0x2a29856691385532, 0x42a833c5bf072941, 0x73c64d54622b7eb2, 0x07e095624504536c,
52 0x8a905153e906f45a, 0x6f6123c16b3b2f1f, 0xc6e55552dc097bc3, 0x4468feb133d16739, 0xe211e7f0c7398829,
53 0xa2f96419f7879b40, 0x19074bdbc3ad38e9, 0xf4ebc3f9474e0b0c, 0x43886bd376d53455, 0xd8028beb5aa01046,
54 0x51f23282f5cdc320, 0xe7b1c2be0d84e16d, 0x081dfab006dee8a0, 0x3b33340d544b857b, 0x7f5bcabc679ae242,
55 0x0edd37c48a08a6d8, 0x81ed43d9a9b33bc6, 0xb1a3655ebd4d7121, 0x69a1eeb5e7ed6167, 0xf6ab73d5c8f73124,
56 0x1a67a3e185c61fd5, 0x2dc91004d43c065e, 0x0240b02c8fb93a28, 0x90f7f2b26cc0eb8f, 0x3cd3a16f114fd617,
57 0xaae49ea9f15973e0, 0x06c0cd748cd64e78, 0xda423bc7d5192a6e, 0xc345701c16b41287, 0x6d2193ede4821537,
58 0xfcf639494190e3ac, 0x7c3b228621f1c57e, 0xfb16ac2b0494b0c0, 0xbf7e529a3745d7f9, 0x6881b6a32e3f7c73,
59 0xca78d2bad9b8e733, 0xbbfe2fc2342aa3a9, 0x0dbddffecc6381e4, 0x70a6a56e2440598e, 0xe4d12a844befc651,
60 0x8c509c2765d0ba22, 0xee8c6018c28814d9, 0x17da7c1f49a59e31, 0x609c4c1328e194d3, 0xb3e3d57232f44b09,
61 0x91d7aaa4a512f69b, 0x0ffd6fd243dabbcc, 0x50d26a943c1fde34, 0x6be15e9968545b4f, 0x94778fea6faf9fdf,
62 0x2b09dd7058ea4826, 0x677cd9716de5c7bf, 0x49d5214fffb2e6dd, 0x0360e83a466b273c, 0x1fc786af4f7b7691,
63 0xa0b9d435783ea168, 0xd49f0c035f118cb6, 0x01205816c9d21d14, 0xac2453dd7d8f3d98, 0x545217cc3f70aa64,
64 0x26b4028e9489c9c2, 0xdec2469fd6765e3e, 0x04807d58036f7450, 0xe5f17292823ddb45, 0xf30b569b024a5860,
65 0x62dcfc3fa758aefb, 0xe84cad6c4e5e5aa1, 0xccb81fce556ea94b, 0x53b282ae7a74f908, 0x1b47fbf74c1402c1,
66 0x368eebf39828049f, 0x7afbeff2ad278b06, 0xbe5e0a8cfe97caed, 0xcfd8f7f413058e77, 0xf78b2bc301252c30,
67 0x4d555c17fcdd928d, 0x5f2f05467fc565f8, 0x24f4b2a21b30f3ea, 0x860dd6bbecb768aa, 0x4c750401350f8f99,
68 0x0000000000000000, 0xecccd0344d312ef1, 0xb5231806be220571, 0xc105c030990d28af, 0x653c695de25cfd97,
69 0x159acc33c61ca419, 0xb89ec7f872418495, 0xa9847693b73254dc, 0x58cf90243ac13694, 0x59efc832f3132b80,
70 0x5c4fed7c39ae42c4, 0x828dabe3efd81cfa, 0xd13f294d95ace5f2, 0x7d1b7a90e823d86a, 0xb643f03cf849224d,
71 0x3df3f979d89dcb03, 0x7426d836272f2dde, 0xdfe21e891fa4432a, 0x3a136c1b9d99986f, 0xfa36f43dcd46add4,
72 0xc025982650df35bb, 0x856d3e81aadc4f96, 0xc4a5e57e53b041eb, 0x4708168b75ba4005, 0xaf44bbe73be41aa4,
73 0x971767d029c4b8e3, 0xb9be9feebb939981, 0x215497ecd18d9aae, 0x316e7e91dd2c57f3, 0xcef8afe2dad79363,
74 0x3853dc371220a247, 0x35ee03c9de4323a3, 0xe6919aa8c456fc79, 0xe05157dc4880b201, 0x7bdbb7e464f59612,
75 0x127a59518318f775, 0x332ecebd52956ddb, 0x8f30741d23bb9d1e, 0xd922d3fd93720d52, 0x7746300c61440ae2,
76 0x25d4eab4d2e2eefe, 0x75068020eefd30ca, 0x135a01474acaea61, 0x304e268714fe4ae7, 0xa519f17bb283c82c,
77 0xdc82f6b359cf6416, 0x5baf781e7caa11a8, 0xb2c38d64fb26561d, 0x34ce5bdf17913eb7, 0x5d6fb56af07c5fd0,
78 0x182713cd0a7f25fd, 0x9e2ac576e6c84d57, 0x9aaab82ee5a73907, 0xa3d93c0f3e558654, 0x7e7b92aaae48ff56,
79 0x872d8ead256575be, 0x41c8dbfff96c0e7d, 0x99ca5014a3cc1e3b, 0x40e883e930be1369, 0x1ca76e95091051ad,
80 0x4e35b42dbab6b5b1, 0x05a0254ecabd6944, 0xe1710fca8152af15, 0xf22b0e8dcb984574, 0xb763a82a319b3f59,
81 0x63fca4296e8ab3ef, 0x9d4a2d4ca0a36a6b, 0xe331bfe60eeb953d, 0xd5bf541596c391a2, 0xf5cb9bef8e9c1618,
82 0x46284e9dbc685d11, 0x2074cffa185f87ba, 0xbd3ee2b6b8fcedd1, 0xae64e3f1f23607b0, 0xfeb68965ce29d984,
83 0x55724fdaf6a2b770, 0x29496d5cd753720e, 0xa75941573d3af204, 0x8e102c0bea69800a, 0x111ab16bc573d049,
84 0xd7ffe439197aab8a, 0xefac380e0b5a09cd, 0x48f579593660fbc9, 0x22347fd697e6bd92, 0x61bc1405e13389c7,
85 0x4ab5c975b9d9c1e1, 0x80cd1bcf606126d2, 0x7186fd78ed92449a, 0x93971a882aabccb3, 0x88d0e17f66bfce72,
86 0x27945a985d5bd4d6},
87 {0xde553f8c05a811c8, 0x1906b59631b4f565, 0x436e70d6b1964ff7, 0x36d343cb8b1e9d85, 0x843dfacc858aab5a,
88 0xfdfc95c299bfc7f9, 0x0f634bdea1d51fa2, 0x6d458b3b76efb3cd, 0x85c3f77cf8593f80, 0x3c91315fbe737cb2,
89 0x2148b03366ace398, 0x18f8b8264c6761bf, 0xc830c1c495c9fb0f, 0x981a76102086a0aa, 0xaa16012142f35760,
90 0x35cc54060c763cf6, 0x42907d66cc45db2d, 0x8203d44b965af4bc, 0x3d6f3cefc3a0e868, 0xbc73ff69d292bda7,
91 0x8722ed0102e20a29, 0x8f8185e8cd34deb7, 0x9b0561dda7ee01d9, 0x5335a0193227fad6, 0xc9cecc74e81a6fd5,
92 0x54f5832e5c2431ea, 0x99e47ba05d553470, 0xf7bee756acd226ce, 0x384e05a5571816fd, 0xd1367452a47d0e6a,
93 0xf29fde1c386ad85b, 0x320c77316275f7ca, 0xd0c879e2d9ae9ab0, 0xdb7406c69110ef5d, 0x45505e51a2461011,
94 0xfc029872e46c5323, 0xfa3cb6f5f7bc0cc5, 0x031f17cd8768a173, 0xbd8df2d9af41297d, 0x9d3b4f5ab43e5e3f,
95 0x4071671b36feee84, 0x716207e7d3e3b83d, 0x48d20ff2f9283a1a, 0x27769eb4757cbc7e, 0x5c56ebc793f2e574,
96 0xa48b474f9ef5dc18, 0x52cbada94ff46e0c, 0x60c7da982d8199c6, 0x0e9d466edc068b78, 0x4eec2175eaf865fc,
97 0x550b8e9e21f7a530, 0x6b7ba5bc653fec2b, 0x5eb7f1ba6949d0dd, 0x57ea94e3db4c9099, 0xf640eae6d101b214,
98 0xdd4a284182c0b0bb, 0xff1d8fbf6304f250, 0xb8accb933bf9d7e8, 0xe8867c478eb68c4d, 0x3f8e2692391bddc1,
99 0xcb2fd60912a15a7c, 0xaec935dbab983d2f, 0xf55ffd2b56691367, 0x80e2ce366ce1c115, 0x179bf3f8edb27e1d,
100 0x01fe0db07dd394da, 0xda8a0b76ecc37b87, 0x44ae53e1df9584cb, 0xb310b4b77347a205, 0xdfab323c787b8512,
101 0x3b511268d070b78e, 0x65e6e3d2b9396753, 0x6864b271e2574d58, 0x259784c98fc789d7, 0x02e11a7dfabb35a9,
102 0x8841a6dfa337158b, 0x7ade78c39b5dcdd0, 0xb7cf804d9a2cc84a, 0x20b6bd831b7f7742, 0x75bd331d3a88d272,
103 0x418f6aab4b2d7a5e, 0xd9951cbb6babdaf4, 0xb6318dfde7ff5c90, 0x1f389b112264aa83, 0x492c024284fbaec0,
104 0xe33a0363c608f9a0, 0x2688930408af28a4, 0xc7538a1a341ce4ad, 0x5da8e677ee2171ae, 0x8c9e92254a5c7fc4,
105 0x63d8cd55aae938b5, 0x29ebd8daa97a3706, 0x959827b37be88aa1, 0x1484e4356adadf6e, 0xa7945082199d7d6b,
106 0xbf6ce8a455fa1cd4, 0x9cc542eac9edcae5, 0x79c16f0e1c356ca3, 0x89bfab6fdee48151, 0xd4174d1830c5f0ff,
107 0x9258048415eb419d, 0x6139d72850520d1c, 0x6a85a80c18ec78f1, 0xcd11f88e0171059a, 0xcceff53e7ca29140,
108 0xd229639f2315af19, 0x90b91ef9ef507434, 0x5977d28d074a1be1, 0x311360fce51d56b9, 0xc093a92d5a1f2f91,
109 0x1a19a25bb6dc5416, 0xeb996b8a09de2d3e, 0xfee3820f1ed7668a, 0xd7085ad5b7ad518c, 0x7fff41890fe53345,
110 0xec5948bd67dde602, 0x2fd5f65dbaaa68e0, 0xa5754affe32648c2, 0xf8ddac880d07396c, 0x6fa491468c548664,
111 0x0c7c5c1326bdbed1, 0x4a33158f03930fb3, 0x699abfc19f84d982, 0xe4fa2054a80b329c, 0x6707f9af438252fa,
112 0x08a368e9cfd6d49e, 0x47b1442c58fd25b8, 0xbbb3dc5ebc91769b, 0x1665fe489061eac7, 0x33f27a811fa66310,
113 0x93a609346838d547, 0x30ed6d4c98cec263, 0x1dd9816cd8df9f2a, 0x94662a03063b1e7b, 0x83fdd9fbeb896066,
114 0x7b207573e68e590a, 0x5f49fc0a149a4407, 0x343259b671a5a82c, 0xfbc2bb458a6f981f, 0xc272b350a0a41a38,
115 0x3aaf1fd8ada32354, 0x6cbb868b0b3c2717, 0xa2b569c88d2583fe, 0xf180c9d1bf027928, 0xaf37386bd64ba9f5,
116 0x12bacab2790a8088, 0x4c0d3b0810435055, 0xb2eeb9070e9436df, 0xc5b29067cea7d104, 0xdcb425f1ff132461,
117 0x4f122cc5972bf126, 0xac282fa651230886, 0xe7e537992f6393ef, 0xe61b3a2952b00735, 0x709c0a57ae302ce7,
118 0xe02514ae416058d3, 0xc44c9dd7b37445de, 0x5a68c5408022ba92, 0x1c278cdca50c0bf0, 0x6e5a9cf6f18712be,
119 0x86dce0b17f319ef3, 0x2d34ec2040115d49, 0x4bcd183f7e409b69, 0x2815d56ad4a9a3dc, 0x24698979f2141d0d,
120 0x0000000000000000, 0x1ec696a15fb73e59, 0xd86b110b16784e2e, 0x8e7f8858b0e74a6d, 0x063e2e8713d05fe6,
121 0xe2c40ed3bbdb6d7a, 0xb1f1aeca89fc97ac, 0xe1db191e3cb3cc09, 0x6418ee62c4eaf389, 0xc6ad87aa49cf7077,
122 0xd6f65765ca7ec556, 0x9afb6c6dda3d9503, 0x7ce05644888d9236, 0x8d609f95378feb1e, 0x23a9aa4e9c17d631,
123 0x6226c0e5d73aac6f, 0x56149953a69f0443, 0xeeb852c09d66d3ab, 0x2b0ac2a753c102af, 0x07c023376e03cb3c,
124 0x2ccae1903dc2c993, 0xd3d76e2f5ec63bc3, 0x9e2458973356ff4c, 0xa66a5d32644ee9b1, 0x0a427294356de137,
125 0x783f62be61e6f879, 0x1344c70204d91452, 0x5b96c8f0fdf12e48, 0xa90916ecc59bf613, 0xbe92e5142829880e,
126 0x727d102a548b194e, 0x1be7afebcb0fc0cc, 0x3e702b2244c8491b, 0xd5e940a84d166425, 0x66f9f41f3e51c620,
127 0xabe80c913f20c3ba, 0xf07ec461c2d1edf2, 0xf361d3ac45b94c81, 0x0521394a94b8fe95, 0xadd622162cf09c5c,
128 0xe97871f7f3651897, 0xf4a1f09b2bba87bd, 0x095d6559b2054044, 0x0bbc7f2448be75ed, 0x2af4cf172e129675,
129 0x157ae98517094bb4, 0x9fda55274e856b96, 0x914713499283e0ee, 0xb952c623462a4332, 0x74433ead475b46a8,
130 0x8b5eb112245fb4f8, 0xa34b6478f0f61724, 0x11a5dd7ffe6221fb, 0xc16da49d27ccbb4b, 0x76a224d0bde07301,
131 0x8aa0bca2598c2022, 0x4df336b86d90c48f, 0xea67663a740db9e4, 0xef465f70e0b54771, 0x39b008152acb8227,
132 0x7d1e5bf4f55e06ec, 0x105bd0cf83b1b521, 0x775c2960c033e7db, 0x7e014c397236a79f, 0x811cc386113255cf,
133 0xeda7450d1a0e72d8, 0x5889df3d7a998f3b, 0x2e2bfbedc779fc3a, 0xce0eef438619a4e9, 0x372d4e7bf6cd095f,
134 0x04df34fae96b6a4f, 0xf923a13870d4adb6, 0xa1aa7e050a4d228d, 0xa8f71b5cb84862c9, 0xb52e9a306097fde3,
135 0x0d8251a35b6e2a0b, 0x2257a7fee1c442eb, 0x73831d9a29588d94, 0x51d4ba64c89ccf7f, 0x502ab7d4b54f5ba5,
136 0x97793dce8153bf08, 0xe5042de4d5d8a646, 0x9687307efc802bd2, 0xa05473b5779eb657, 0xb4d097801d446939,
137 0xcff0e2f3fbca3033, 0xc38cbee0dd778ee2, 0x464f499c252eb162, 0xcad1dbb96f72cea6, 0xba4dd1eec142e241,
138 0xb00fa37af42f0376},
139 {0xcce4cd3aa968b245, 0x089d5484e80b7faf, 0x638246c1b3548304, 0xd2fe0ec8c2355492, 0xa7fbdf7ff2374eee,
140 0x4df1600c92337a16, 0x84e503ea523b12fb, 0x0790bbfd53ab0c4a, 0x198a780f38f6ea9d, 0x2ab30c8f55ec48cb,
141 0xe0f7fed6b2c49db5, 0xb6ecf3f422cadbdc, 0x409c9a541358df11, 0xd3ce8a56dfde3fe3, 0xc3e9224312c8c1a0,
142 0x0d6dfa58816ba507, 0xddf3e1b179952777, 0x04c02a42748bb1d9, 0x94c2abff9f2decb8, 0x4f91752da8f8acf4,
143 0x78682befb169bf7b, 0xe1c77a48af2ff6c4, 0x0c5d7ec69c80ce76, 0x4cc1e4928fd81167, 0xfeed3d24d9997b62,
144 0x518bb6dfc3a54a23, 0x6dbf2d26151f9b90, 0xb5bc624b05ea664f, 0xe86aaa525acfe21a, 0x4801ced0fb53a0be,
145 0xc91463e6c00868ed, 0x1027a815cd16fe43, 0xf67069a0319204cd, 0xb04ccc976c8abce7, 0xc0b9b3fc35e87c33,
146 0xf380c77c58f2de65, 0x50bb3241de4e2152, 0xdf93f490435ef195, 0xf1e0d25d62390887, 0xaf668bfb1a3c3141,
147 0xbc11b251f00a7291, 0x73a5eed47e427d47, 0x25bee3f6ee4c3b2e, 0x43cc0beb34786282, 0xc824e778dde3039c,
148 0xf97d86d98a327728, 0xf2b043e24519b514, 0xe297ebf7880f4b57, 0x3a94a49a98fab688, 0x868516cb68f0c419,
149 0xeffa11af0964ee50, 0xa4ab4ec0d517f37d, 0xa9c6b498547c567a, 0x8e18424f80fbbbb6, 0x0bcdc53bcf2bc23c,
150 0x137739aaea3643d0, 0x2c1333ec1bac2ff0, 0x8d48d3f0a7db0625, 0x1e1ac3f26b5de6d7, 0xf520f81f16b2b95e,
151 0x9f0f6ec450062e84, 0x0130849e1deb6b71, 0xd45e31ab8c7533a9, 0x652279a2fd14e43f, 0x3209f01e70f1c927,
152 0xbe71a770cac1a473, 0x0e3d6be7a64b1894, 0x7ec8148cff29d840, 0xcb7476c7fac3be0f, 0x72956a4a63a91636,
153 0x37f95ec21991138f, 0x9e3fea5a4ded45f5, 0x7b38ba50964902e8, 0x222e580bbde73764, 0x61e253e0899f55e6,
154 0xfc8d2805e352ad80, 0x35994be3235ac56d, 0x09add01af5e014de, 0x5e8659a6780539c6, 0xb17c48097161d796,
155 0x026015213acbd6e2, 0xd1ae9f77e515e901, 0xb7dc776a3f21b0ad, 0xaba6a1b96eb78098, 0x9bcf4486248d9f5d,
156 0x582666c536455efd, 0xfdbdac9bfeb9c6f1, 0xc47999be4163cdea, 0x765540081722a7ef, 0x3e548ed8ec710751,
157 0x3d041f67cb51bac2, 0x7958af71ac82d40a, 0x36c9da5c047a78fe, 0xed9a048e33af38b2, 0x26ee7249c96c86bd,
158 0x900281bdeba65d61, 0x11172c8bd0fd9532, 0xea0abf73600434f8, 0x42fc8f75299309f3, 0x34a9cf7d3eb1ae1c,
159 0x2b838811480723ba, 0x5ce64c8742ceef24, 0x1adae9b01fd6570e, 0x3c349bf9d6bad1b3, 0x82453c891c7b75c0,
160 0x97923a40b80d512b, 0x4a61dbf1c198765c, 0xb48ce6d518010d3e, 0xcfb45c858e480fd6, 0xd933cbf30d1e96ae,
161 0xd70ea014ab558e3a, 0xc189376228031742, 0x9262949cd16d8b83, 0xeb3a3bed7def5f89, 0x49314a4ee6b8cbcf,
162 0xdcc3652f647e4c06, 0xda635a4c2a3e2b3d, 0x470c21a940f3d35b, 0x315961a157d174b4, 0x6672e81dda3459ac,
163 0x5b76f77a1165e36e, 0x445cb01667d36ec8, 0xc5491d205c88a69b, 0x456c34887a3805b9, 0xffddb9bac4721013,
164 0x99af51a71e4649bf, 0xa15be01cbc7729d5, 0x52db2760e485f7b0, 0x8c78576eba306d54, 0xae560f6507d75a30,
165 0x95f22f6182c687c9, 0x71c5fbf54489aba5, 0xca44f259e728d57e, 0x88b87d2ccebbdc8d, 0xbab18d32be4a15aa,
166 0x8be8ec93e99b611e, 0x17b713e89ebdf209, 0xb31c5d284baa0174, 0xeeca9531148f8521, 0xb8d198138481c348,
167 0x8988f9b2d350b7fc, 0xb9e11c8d996aa839, 0x5a4673e40c8e881f, 0x1687977683569978, 0xbf4123eed72acf02,
168 0x4ea1f1b3b513c785, 0xe767452be16f91ff, 0x7505d1b730021a7c, 0xa59bca5ec8fc980c, 0xad069eda20f7e7a3,
169 0x38f4b1bba231606a, 0x60d2d77e94743e97, 0x9affc0183966f42c, 0x248e6768f3a7505f, 0xcdd449a4b483d934,
170 0x87b59255751baf68, 0x1bea6d2e023d3c7f, 0x6b1f12455b5ffcab, 0x743555292de9710d, 0xd8034f6d10f5fddf,
171 0xc6198c9f7ba81b08, 0xbb8109aca3a17edb, 0xfa2d1766ad12cabb, 0xc729080166437079, 0x9c5fff7b77269317,
172 0x0000000000000000, 0x15d706c9a47624eb, 0x6fdf38072fd44d72, 0x5fb6dd3865ee52b7, 0xa33bf53d86bcff37,
173 0xe657c1b5fc84fa8e, 0xaa962527735cebe9, 0x39c43525bfda0b1b, 0x204e4d2a872ce186, 0x7a083ece8ba26999,
174 0x554b9c9db72efbfa, 0xb22cd9b656416a05, 0x96a2bedea5e63a5a, 0x802529a826b0a322, 0x8115ad363b5bc853,
175 0x8375b81701901eb1, 0x3069e53f4a3a1fc5, 0xbd2136cfede119e0, 0x18bafc91251d81ec, 0x1d4a524d4c7d5b44,
176 0x05f0aedc6960daa8, 0x29e39d3072ccf558, 0x70f57f6b5962c0d4, 0x989fd53903ad22ce, 0xf84d024797d91c59,
177 0x547b1803aac5908b, 0xf0d056c37fd263f6, 0xd56eb535919e58d8, 0x1c7ad6d351963035, 0x2e7326cd2167f912,
178 0xac361a443d1c8cd2, 0x697f076461942a49, 0x4b515f6fdc731d2d, 0x8ad8680df4700a6f, 0x41ac1eca0eb3b460,
179 0x7d988533d80965d3, 0xa8f6300649973d0b, 0x7765c4960ac9cc9e, 0x7ca801adc5e20ea2, 0xdea3700e5eb59ae4,
180 0xa06b6482a19c42a4, 0x6a2f96db46b497da, 0x27def6d7d487edcc, 0x463ca5375d18b82a, 0xa6cb5be1efdc259f,
181 0x53eba3fef96e9cc1, 0xce84d81b93a364a7, 0xf4107c810b59d22f, 0x333974806d1aa256, 0x0f0def79bba073e5,
182 0x231edc95a00c5c15, 0xe437d494c64f2c6c, 0x91320523f64d3610, 0x67426c83c7df32dd, 0x6eefbc99323f2603,
183 0x9d6f7be56acdf866, 0x5916e25b2bae358c, 0x7ff89012e2c2b331, 0x035091bf2720bd93, 0x561b0d22900e4669,
184 0x28d319ae6f279e29, 0x2f43a2533c8c9263, 0xd09e1be9f8fe8270, 0xf740ed3e2c796fbc, 0xdb53ded237d5404c,
185 0x62b2c25faebfe875, 0x0afd41a5d2c0a94d, 0x6412fd3ce0ff8f4e, 0xe3a76f6995e42026, 0x6c8fa9b808f4f0e1,
186 0xc2d9a6dd0f23aad1, 0x8f28c6d19d10d0c7, 0x85d587744fd0798a, 0xa20b71a39b579446, 0x684f83fa7c7f4138,
187 0xe507500adba4471d, 0x3f640a46f19a6c20, 0x1247bd34f7dd28a1, 0x2d23b77206474481, 0x93521002cc86e0f2,
188 0x572b89bc8de52d18, 0xfb1d93f8b0f9a1ca, 0xe95a2ecc4724896b, 0x3ba420048511ddf9, 0xd63e248ab6bee54b,
189 0x5dd6c8195f258455, 0x06a03f634e40673b, 0x1f2a476c76b68da6, 0x217ec9b49ac78af7, 0xecaa80102e4453c3,
190 0x14e78257b99d4f9a},
191 {0x20329b2cc87bba05, 0x4f5eb6f86546a531, 0xd4f44775f751b6b1, 0x8266a47b850dfa8b, 0xbb986aa15a6ca985,
192 0xc979eb08f9ae0f99, 0x2da6f447a2375ea1, 0x1e74275dcd7d8576, 0xbc20180a800bc5f8, 0xb4a2f701b2dc65be,
193 0xe726946f981b6d66, 0x48e6c453bf21c94c, 0x42cad9930f0a4195, 0xefa47b64aacccd20, 0x71180a8960409a42,
194 0x8bb3329bf6a44e0c, 0xd34c35de2d36dacc, 0xa92f5b7cbc23dc96, 0xb31a85aa68bb09c3, 0x13e04836a73161d2,
195 0xb24dfc4129c51d02, 0x8ae44b70b7da5acd, 0xe671ed84d96579a7, 0xa4bb3417d66f3832, 0x4572ab38d56d2de8,
196 0xb1b47761ea47215c, 0xe81c09cf70aba15d, 0xffbdb872ce7f90ac, 0xa8782297fd5dc857, 0x0d946f6b6a4ce4a4,
197 0xe4df1f4f5b995138, 0x9ebc71edca8c5762, 0x0a2c1dc0b02b88d9, 0x3b503c115d9d7b91, 0xc64376a8111ec3a2,
198 0xcec199a323c963e4, 0xdc76a87ec58616f7, 0x09d596e073a9b487, 0x14583a9d7d560daf, 0xf4c6dc593f2a0cb4,
199 0xdd21d19584f80236, 0x4a4836983ddde1d3, 0xe58866a41ae745f9, 0xf591a5b27e541875, 0x891dc05074586693,
200 0x5b068c651810a89e, 0xa30346bc0c08544f, 0x3dbf3751c684032d, 0x2a1e86ec785032dc, 0xf73f5779fca830ea,
201 0xb60c05ca30204d21, 0x0cc316802b32f065, 0x8770241bdd96be69, 0xb861e18199ee95db, 0xf805cad91418fcd1,
202 0x29e70dccbbd20e82, 0xc7140f435060d763, 0x0f3a9da0e8b0cc3b, 0xa2543f574d76408e, 0xbd7761e1c175d139,
203 0x4b1f4f737ca3f512, 0x6dc2df1f2fc137ab, 0xf1d05c3967b14856, 0xa742bf3715ed046c, 0x654030141d1697ed,
204 0x07b872abda676c7d, 0x3ce84eba87fa17ec, 0xc1fb0403cb79afdf, 0x3e46bc7105063f73, 0x278ae987121cd678,
205 0xa1adb4778ef47cd0, 0x26dd906c5362c2b9, 0x05168060589b44e2, 0xfbfc41f9d79ac08f, 0x0e6de44ba9ced8fa,
206 0x9feb08068bf243a3, 0x7b341749d06b129b, 0x229c69e74a87929a, 0xe09ee6c4427c011b, 0x5692e30e725c4c3a,
207 0xda99a33e5e9f6e4b, 0x353dd85af453a36b, 0x25241b4c90e0fee7, 0x5de987258309d022, 0xe230140fc0802984,
208 0x93281e86a0c0b3c6, 0xf229d719a4337408, 0x6f6c2dd4ad3d1f34, 0x8ea5b2fbae3f0aee, 0x8331dd90c473ee4a,
209 0x346aa1b1b52db7aa, 0xdf8f235e06042aa9, 0xcc6f6b68a1354b7b, 0x6c95a6f46ebf236a, 0x52d31a856bb91c19,
210 0x1a35ded6d498d555, 0xf37eaef2e54d60c9, 0x72e181a9a3c2a61c, 0x98537aad51952fde, 0x16f6c856ffaa2530,
211 0xd960281e9d1d5215, 0x3a0745fa1ce36f50, 0x0b7b642bf1559c18, 0x59a87eae9aec8001, 0x5e100c05408bec7c,
212 0x0441f98b19e55023, 0xd70dcc5534d38aef, 0x927f676de1bea707, 0x9769e70db925e3e5, 0x7a636ea29115065a,
213 0x468b201816ef11b6, 0xab81a9b73edff409, 0xc0ac7de88a07bb1e, 0x1f235eb68c0391b7, 0x6056b074458dd30f,
214 0xbe8eeac102f7ed67, 0xcd381283e04b5fba, 0x5cbefecec277c4e3, 0xd21b4c356c48ce0d, 0x1019c31664b35d8c,
215 0x247362a7d19eea26, 0xebe582efb3299d03, 0x02aef2cb82fc289f, 0x86275df09ce8aaa8, 0x28b07427faac1a43,
216 0x38a9b7319e1f47cf, 0xc82e92e3b8d01b58, 0x06ef0b409b1978bc, 0x62f842bfc771fb90, 0x9904034610eb3b1f,
217 0xded85ab5477a3e68, 0x90d195a663428f98, 0x5384636e2ac708d8, 0xcbd719c37b522706, 0xae9729d76644b0eb,
218 0x7c8c65e20a0c7ee6, 0x80c856b007f1d214, 0x8c0b40302cc32271, 0xdbcedad51fe17a8a, 0x740e8ae938dbdea0,
219 0xa615c6dc549310ad, 0x19cc55f6171ae90b, 0x49b1bdb8fe5fdd8d, 0xed0a89af2830e5bf, 0x6a7aadb4f5a65bd6,
220 0x7e22972988f05679, 0xf952b3325566e810, 0x39fecedadf61530e, 0x6101c99f04f3c7ce, 0x2e5f7f6761b562ff,
221 0xf08725d226cf5c97, 0x63af3b54860fef51, 0x8ff2cb10ef411e2f, 0x884ab9bb35267252, 0x4df04433e7ba8dae,
222 0x9afd8866d3690741, 0x66b9bb34de94abb3, 0x9baaf18d92171380, 0x543c11c5f0a064a5, 0x17a1b1bdbed431f1,
223 0xb5f58eeaf3a2717f, 0xc355f6c849858740, 0xec5df044694ef17e, 0xd83751f5dc6346d4, 0xfc4433520dfdacf2,
224 0x0000000000000000, 0x5a51f58e596ebc5f, 0x3285aaf12e34cf16, 0x8d5c39db6dbd36b0, 0x12b731dde64f7513,
225 0x94906c2d7aa7dfbb, 0x302b583aacc8e789, 0x9d45facd090e6b3c, 0x2165e2c78905aec4, 0x68d45f7f775a7349,
226 0x189b2c1d5664fdca, 0xe1c99f2f030215da, 0x6983269436246788, 0x8489af3b1e148237, 0xe94b702431d5b59c,
227 0x33d2d31a6f4adbd7, 0xbfd9932a4389f9a6, 0xb0e30e8aab39359d, 0xd1e2c715afcaf253, 0x150f43763c28196e,
228 0xc4ed846393e2eb3d, 0x03f98b20c3823c5e, 0xfd134ab94c83b833, 0x556b682eb1de7064, 0x36c4537a37d19f35,
229 0x7559f30279a5ca61, 0x799ae58252973a04, 0x9c12832648707ffd, 0x78cd9c6913e92ec5, 0x1d8dac7d0effb928,
230 0x439da0784e745554, 0x413352b3cc887dcb, 0xbacf134a1b12bd44, 0x114ebafd25cd494d, 0x2f08068c20cb763e,
231 0x76a07822ba27f63f, 0xeab2fb04f25789c2, 0xe3676de481fe3d45, 0x1b62a73d95e6c194, 0x641749ff5c68832c,
232 0xa5ec4dfc97112cf3, 0xf6682e92bdd6242b, 0x3f11c59a44782bb2, 0x317c21d1edb6f348, 0xd65ab5be75ad9e2e,
233 0x6b2dd45fb4d84f17, 0xfaab381296e4d44e, 0xd0b5befeeeb4e692, 0x0882ef0b32d7a046, 0x512a91a5a83b2047,
234 0x963e9ee6f85bf724, 0x4e09cf132438b1f0, 0x77f701c9fb59e2fe, 0x7ddb1c094b726a27, 0x5f4775ee01f5f8bd,
235 0x9186ec4d223c9b59, 0xfeeac1998f01846d, 0xac39db1ce4b89874, 0xb75b7c21715e59e0, 0xafc0503c273aa42a,
236 0x6e3b543fec430bf5, 0x704f7362213e8e83, 0x58ff0745db9294c0, 0x67eec2df9feabf72, 0xa0facd9ccf8a6811,
237 0xb936986ad890811a, 0x95c715c63bd9cb7a, 0xca8060283a2c33c7, 0x507de84ee9453486, 0x85ded6d05f6a96f6,
238 0x1cdad5964f81ade9, 0xd5a33e9eb62fa270, 0x40642b588df6690a, 0x7f75eec2c98e42b8, 0x2cf18dace3494a60,
239 0x23cb100c0bf9865b, 0xeef3028febb2d9e1, 0x4425d2d394133929, 0xaad6d05c7fa1e0c8, 0xad6ea2f7a5c68cb5,
240 0xc2028f2308fb9381, 0x819f2f5b468fc6d5, 0xc5bafd88d29cfffc, 0x47dc59f357910577, 0x2b49ff07392e261d,
241 0x57c59ae5332258fb, 0x73b6f842e2bcb2dd, 0xcf96e04862b77725, 0x4ca73dd8a6c4996f, 0x015779eb417e14c1,
242 0x37932a9176af8bf4},
243 {0x190a2c9b249df23e, 0x2f62f8b62263e1e9, 0x7a7f754740993655, 0x330b7ba4d5564d9f, 0x4c17a16a46672582,
244 0xb22f08eb7d05f5b8, 0x535f47f40bc148cc, 0x3aec5d27d4883037, 0x10ed0a1825438f96, 0x516101f72c233d17,
245 0x13cc6f949fd04eae, 0x739853c441474bfd, 0x653793d90d3f5b1b, 0x5240647b96b0fc2f, 0x0c84890ad27623e0,
246 0xd7189b32703aaea3, 0x2685de3523bd9c41, 0x99317c5b11bffefa, 0x0d9baa854f079703, 0x70b93648fbd48ac5,
247 0xa80441fce30bc6be, 0x7287704bdc36ff1e, 0xb65384ed33dc1f13, 0xd36417343ee34408, 0x39cd38ab6e1bf10f,
248 0x5ab861770a1f3564, 0x0ebacf09f594563b, 0xd04572b884708530, 0x3cae9722bdb3af47, 0x4a556b6f2f5cbaf2,
249 0xe1704f1f76c4bd74, 0x5ec4ed7144c6dfcf, 0x16afc01d4c7810e6, 0x283f113cd629ca7a, 0xaf59a8761741ed2d,
250 0xeed5a3991e215fac, 0x3bf37ea849f984d4, 0xe413e096a56ce33c, 0x2c439d3a98f020d1, 0x637559dc6404c46b,
251 0x9e6c95d1e5f5d569, 0x24bb9836045fe99a, 0x44efa466dac8ecc9, 0xc6eab2a5c80895d6, 0x803b50c035220cc4,
252 0x0321658cba93c138, 0x8f9ebc465dc7ee1c, 0xd15a5137190131d3, 0x0fa5ec8668e5e2d8, 0x91c979578d1037b1,
253 0x0642ca05693b9f70, 0xefca80168350eb4f, 0x38d21b24f36a45ec, 0xbeab81e1af73d658, 0x8cbfd9cae7542f24,
254 0xfd19cc0d81f11102, 0x0ac6430fbb4dbc90, 0x1d76a09d6a441895, 0x2a01573ff1cbbfa1, 0xb572e161894fde2b,
255 0x8124734fa853b827, 0x614b1fdf43e6b1b0, 0x68ac395c4238cc18, 0x21d837bfd7f7b7d2, 0x20c714304a860331,
256 0x5cfaab726324aa14, 0x74c5ba4eb50d606e, 0xf3a3030474654739, 0x23e671bcf015c209, 0x45f087e947b9582a,
257 0xd8bd77b418df4c7b, 0xe06f6c90ebb50997, 0x0bd96080263c0873, 0x7e03f9410e40dcfe, 0xb8e94be4c6484928,
258 0xfb5b0608e8ca8e72, 0x1a2b49179e0e3306, 0x4e29e76961855059, 0x4f36c4e6fcf4e4ba, 0x49740ee395cf7bca,
259 0xc2963ea386d17f7d, 0x90d65ad810618352, 0x12d34c1b02a1fa4d, 0xfa44258775bb3a91, 0x18150f14b9ec46dd,
260 0x1491861e6b9a653d, 0x9a1019d7ab2c3fc2, 0x3668d42d06fe13d7, 0xdcc1fbb25606a6d0, 0x969490dd795a1c22,
261 0x3549b1a1bc6dd2ef, 0xc94f5e23a0ed770e, 0xb9f6686b5b39fdcb, 0xc4d4f4a6efeae00d, 0xe732851a1fff2204,
262 0x94aad6de5eb869f9, 0x3f8ff2ae07206e7f, 0xfe38a9813b62d03a, 0xa7a1ad7a8bee2466, 0x7b6056c8dde882b6,
263 0x302a1e286fc58ca7, 0x8da0fa457a259bc7, 0xb3302b64e074415b, 0x5402ae7eff8b635f, 0x08f8050c9cafc94b,
264 0xae468bf98a3059ce, 0x88c355cca98dc58f, 0xb10e6d67c7963480, 0xbad70de7e1aa3cf3, 0xbfb4a26e320262bb,
265 0xcb711820870f02d5, 0xce12b7a954a75c9d, 0x563ce87dd8691684, 0x9f73b65e7884618a, 0x2b1e74b06cba0b42,
266 0x47cec1ea605b2df1, 0x1c698312f735ac76, 0x5fdbcefed9b76b2c, 0x831a354c8fb1cdfc, 0x820516c312c0791f,
267 0xb74ca762aeadabf0, 0xfc06ef821c80a5e1, 0x5723cbf24518a267, 0x9d4df05d5f661451, 0x588627742dfd40bf,
268 0xda8331b73f3d39a0, 0x17b0e392d109a405, 0xf965400bcf28fba9, 0x7c3dbf4229a2a925, 0x023e460327e275db,
269 0x6cd0b55a0ce126b3, 0xe62da695828e96e7, 0x42ad6e63b3f373b9, 0xe50cc319381d57df, 0xc5cbd729729b54ee,
270 0x46d1e265fd2a9912, 0x6428b056904eeff8, 0x8be23040131e04b7, 0x6709d5da2add2ec0, 0x075de98af44a2b93,
271 0x8447dcc67bfbe66f, 0x6616f655b7ac9a23, 0xd607b8bded4b1a40, 0x0563af89d3a85e48, 0x3db1b4ad20c21ba4,
272 0x11f22997b8323b75, 0x292032b34b587e99, 0x7f1cdace9331681d, 0x8e819fc9c0b65aff, 0xa1e3677fe2d5bb16,
273 0xcd33d225ee349da5, 0xd9a2543b85aef898, 0x795e10cbfa0af76d, 0x25a4bbb9992e5d79, 0x78413344677b438e,
274 0xf0826688cef68601, 0xd27b34bba392f0eb, 0x551d8df162fad7bc, 0x1e57c511d0d7d9ad, 0xdeffbdb171e4d30b,
275 0xf4feea8e802f6caa, 0xa480c8f6317de55e, 0xa0fc44f07fa40ff5, 0x95b5f551c3c9dd1a, 0x22f952336d6476ea,
276 0x0000000000000000, 0xa6be8ef5169f9085, 0xcc2cf1aa73452946, 0x2e7ddb39bf12550a, 0xd526dd3157d8db78,
277 0x486b2d6c08becf29, 0x9b0f3a58365d8b21, 0xac78cdfaadd22c15, 0xbc95c7e28891a383, 0x6a927f5f65dab9c3,
278 0xc3891d2c1ba0cb9e, 0xeaa92f9f50f8b507, 0xcf0d9426c9d6e87e, 0xca6e3baf1a7eb636, 0xab25247059980786,
279 0x69b31ad3df4978fb, 0xe2512a93cc577c4c, 0xff278a0ea61364d9, 0x71a615c766a53e26, 0x89dc764334fc716c,
280 0xf87a638452594f4a, 0xf2bc208be914f3da, 0x8766b94ac1682757, 0xbbc82e687cdb8810, 0x626a7a53f9757088,
281 0xa2c202f358467a2e, 0x4d0882e5db169161, 0x09e7268301de7da8, 0xe897699c771ac0dc, 0xc8507dac3d9cc3ed,
282 0xc0a878a0a1330aa6, 0x978bb352e42ba8c1, 0xe9884a13ea6b743f, 0x279afdbabecc28a2, 0x047c8c064ed9eaab,
283 0x507e2278b15289f4, 0x599904fbb08cf45c, 0xbd8ae46d15e01760, 0x31353da7f2b43844, 0x8558ff49e68a528c,
284 0x76fbfc4d92ef15b5, 0x3456922e211c660c, 0x86799ac55c1993b4, 0x3e90d1219a51da9c, 0x2d5cbeb505819432,
285 0x982e5fd48cce4a19, 0xdb9c1238a24c8d43, 0xd439febecaa96f9b, 0x418c0bef0960b281, 0x158ea591f6ebd1de,
286 0x1f48e69e4da66d4e, 0x8afd13cf8e6fb054, 0xf5e1c9011d5ed849, 0xe34e091c5126c8af, 0xad67ee7530a398f6,
287 0x43b24dec2e82c75a, 0x75da99c1287cd48d, 0x92e81cdb3783f689, 0xa3dd217cc537cecd, 0x60543c50de970553,
288 0x93f73f54aaf2426a, 0xa91b62737e7a725d, 0xf19d4507538732e2, 0x77e4dfc20f9ea156, 0x7d229ccdb4d31dc6,
289 0x1b346a98037f87e5, 0xedf4c615a4b29e94, 0x4093286094110662, 0xb0114ee85ae78063, 0x6ff1d0d6b672e78b,
290 0x6dcf96d591909250, 0xdfe09e3eec9567e8, 0x3214582b4827f97c, 0xb46dc2ee143e6ac8, 0xf6c0ac8da7cd1971,
291 0xebb60c10cd8901e4, 0xf7df8f023abcad92, 0x9c52d3d2c217a0b2, 0x6b8d5cd0f8ab0d20, 0x3777f7a29b8fa734,
292 0x011f238f9d71b4e3, 0xc1b75b2f3c42be45, 0x5de588fdfe551ef7, 0x6eeef3592b035368, 0xaa3a07ffc4e9b365,
293 0xecebe59a39c32a77, 0x5ba742f8976e8187, 0x4b4a48e0b22d0e11, 0xddded83dcb771233, 0xa59feb79ac0c51bd,
294 0xc7f5912a55792135},
295 {0x6d6ae04668a9b08a, 0x3ab3f04b0be8c743, 0xe51e166b54b3c908, 0xbe90a9eb35c2f139, 0xb2c7066637f2bec1,
296 0xaa6945613392202c, 0x9a28c36f3b5201eb, 0xddce5a93ab536994, 0x0e34133ef6382827, 0x52a02ba1ec55048b,
297 0xa2f88f97c4b2a177, 0x8640e513ca2251a5, 0xcdf1d36258137622, 0xfe6cb708dedf8ddb, 0x8a174a9ec8121e5d,
298 0x679896036b81560e, 0x59ed033395795fee, 0x1dd778ab8b74edaf, 0xee533ef92d9f926d, 0x2a8c79baf8a8d8f5,
299 0x6bcf398e69b119f6, 0xe20491742fafdd95, 0x276488e0809c2aec, 0xea955b82d88f5cce, 0x7102c63a99d9e0c4,
300 0xf9763017a5c39946, 0x429fa2501f151b3d, 0x4659c72bea05d59e, 0x984b7fdccf5a6634, 0xf742232953fbb161,
301 0x3041860e08c021c7, 0x747bfd9616cd9386, 0x4bb1367192312787, 0x1b72a1638a6c44d3, 0x4a0e68a6e8359a66,
302 0x169a5039f258b6ca, 0xb98a2ef44edee5a4, 0xd9083fe85e43a737, 0x967f6ce239624e13, 0x8874f62d3c1a7982,
303 0x3c1629830af06e3f, 0x9165ebfd427e5a8e, 0xb5dd81794ceeaa5c, 0x0de8f15a7834f219, 0x70bd98ede3dd5d25,
304 0xaccc9ca9328a8950, 0x56664eda1945ca28, 0x221db34c0f8859ae, 0x26dbd637fa98970d, 0x1acdffb4f068f932,
305 0x4585254f64090fa0, 0x72de245e17d53afa, 0x1546b25d7c546cf4, 0x207e0ffffb803e71, 0xfaaad2732bcf4378,
306 0xb462dfae36ea17bd, 0xcf926fd1ac1b11fd, 0xe0672dc7dba7ba4a, 0xd3fa49ad5d6b41b3, 0x8ba81449b216a3bc,
307 0x14f9ec8a0650d115, 0x40fc1ee3eb1d7ce2, 0x23a2ed9b758ce44f, 0x782c521b14fddc7e, 0x1c68267cf170504e,
308 0xbcf31558c1ca96e6, 0xa781b43b4ba6d235, 0xf6fd7dfe29ff0c80, 0xb0a4bad5c3fad91e, 0xd199f51ea963266c,
309 0x414340349119c103, 0x5405f269ed4dadf7, 0xabd61bb649969dcd, 0x6813dbeae7bdc3c8, 0x65fb2ab09f8931d1,
310 0xf1e7fae152e3181d, 0xc1a67cef5a2339da, 0x7a4feea8e0f5bba1, 0x1e0b9acf05783791, 0x5b8ebf8061713831,
311 0x80e53cdbcb3af8d9, 0x7e898bd315e57502, 0xc6bcfbf0213f2d47, 0x95a38e86b76e942d, 0x092e94218d243cba,
312 0x8339debf453622e7, 0xb11be402b9fe64ff, 0x57d9100d634177c9, 0xcc4e8db52217cbc3, 0x3b0cae9c71ec7aa2,
313 0xfb158ca451cbfe99, 0x2b33276d82ac6514, 0x01bf5ed77a04bde1, 0xc5601994af33f779, 0x75c4a3416cc92e67,
314 0xf3844652a6eb7fc2, 0x3487e375fdd0ef64, 0x18ae430704609eed, 0x4d14efb993298efb, 0x815a620cb13e4538,
315 0x125c354207487869, 0x9eeea614ce42cf48, 0xce2d3106d61fac1c, 0xbbe99247bad6827b, 0x071a871f7b1c149d,
316 0x2e4a1cc10db81656, 0x77a71ff298c149b8, 0x06a5d9c80118a97c, 0xad73c27e488e34b1, 0x443a7b981e0db241,
317 0xe3bbcfa355ab6074, 0x0af276450328e684, 0x73617a896dd1871b, 0x58525de4ef7de20f, 0xb7be3dcab8e6cd83,
318 0x19111dd07e64230c, 0x842359a03e2a367a, 0x103f89f1f3401fb6, 0xdc710444d157d475, 0xb835702334da5845,
319 0x4320fc876511a6dc, 0xd026abc9d3679b8d, 0x17250eee885c0b2b, 0x90dab52a387ae76f, 0x31fed8d972c49c26,
320 0x89cba8fa461ec463, 0x2ff5421677bcabb7, 0x396f122f85e41d7d, 0xa09b332430bac6a8, 0xc888e8ced7070560,
321 0xaeaf201ac682ee8f, 0x1180d7268944a257, 0xf058a43628e7a5fc, 0xbd4c4b8fbbce2b07, 0xa1246df34abe7b49,
322 0x7d5569b79be9af3c, 0xa9b5a705bd9efa12, 0xdb6b835baa4bc0e8, 0x05793bac8f147342, 0x21c1512881848390,
323 0xfdb0556c50d357e5, 0x613d4fcb6a99ff72, 0x03dce2648e0cda3e, 0xe949b9e6568386f0, 0xfc0f0bbb2ad7ea04,
324 0x6a70675913b5a417, 0x7f36d5046fe1c8e3, 0x0c57af8d02304ff8, 0x32223abdfcc84618, 0x0891caf6f720815b,
325 0xa63eeaec31a26fd4, 0x2507345374944d33, 0x49d28ac266394058, 0xf5219f9aa7f3d6be, 0x2d96fea583b4cc68,
326 0x5a31e1571b7585d0, 0x8ed12fe53d02d0fe, 0xdfade6205f5b0e4b, 0x4cabb16ee92d331a, 0x04c6657bf510cea3,
327 0xd73c2cd6a87b8f10, 0xe1d87310a1a307ab, 0x6cd5be9112ad0d6b, 0x97c032354366f3f2, 0xd4e0ceb22677552e,
328 0x0000000000000000, 0x29509bde76a402cb, 0xc27a9e8bd42fe3e4, 0x5ef7842cee654b73, 0xaf107ecdbc86536e,
329 0x3fcacbe784fcb401, 0xd55f90655c73e8cf, 0xe6c2f40fdabf1336, 0xe8f6e7312c873b11, 0xeb2a0555a28be12f,
330 0xe4a148bc2eb774e9, 0x9b979db84156bc0a, 0x6eb60222e6a56ab4, 0x87ffbbc4b026ec44, 0xc703a5275b3b90a6,
331 0x47e699fc9001687f, 0x9c8d1aa73a4aa897, 0x7cea3760e1ed12dd, 0x4ec80ddd1d2554c5, 0x13e36b957d4cc588,
332 0x5d2b66486069914d, 0x92b90999cc7280b0, 0x517cc9c56259deb5, 0xc937b619ad03b881, 0xec30824ad997f5b2,
333 0xa45d565fc5aa080b, 0xd6837201d27f32f1, 0x635ef3789e9198ad, 0x531f75769651b96a, 0x4f77530a6721e924,
334 0x486dd4151c3dfdb9, 0x5f48dafb9461f692, 0x375b011173dc355a, 0x3da9775470f4d3de, 0x8d0dcd81b30e0ac0,
335 0x36e45fc609d888bb, 0x55baacbe97491016, 0x8cb29356c90ab721, 0x76184125e2c5f459, 0x99f4210bb55edbd5,
336 0x6f095cf59ca1d755, 0x9f51f8c3b44672a9, 0x3538bda287d45285, 0x50c39712185d6354, 0xf23b1885dcefc223,
337 0x79930ccc6ef9619f, 0xed8fdc9da3934853, 0xcb540aaa590bdf5e, 0x5c94389f1a6d2cac, 0xe77daad8a0bbaed7,
338 0x28efc5090ca0bf2a, 0xbf2ff73c4fc64cd8, 0xb37858b14df60320, 0xf8c96ec0dfc724a7, 0x828680683f329f06,
339 0x941cd051cd6a29cc, 0xc3c5c05cae2b5e05, 0xb601631dc2e27062, 0xc01922382027843b, 0x24b86a840e90f0d2,
340 0xd245177a276ffc52, 0x0f8b4de98c3c95c6, 0x3e759530fef809e0, 0x0b4d2892792c5b65, 0xc4df4743d5374a98,
341 0xa5e20888bfaeb5ea, 0xba56cc90c0d23f9a, 0x38d04cf8ffe0a09c, 0x62e1adafe495254c, 0x0263bcb3f40867df,
342 0xcaeb547d230f62bf, 0x6082111c109d4293, 0xdad4dd8cd04f7d09, 0xefec602e579b2f8c, 0x1fb4c4187f7c8a70,
343 0xffd3e9dfa4db303a, 0x7bf0b07f9af10640, 0xf49ec14dddf76b5f, 0x8f6e713247066d1f, 0x339d646a86ccfbf9,
344 0x64447467e58d8c30, 0x2c29a072f9b07189, 0xd8b7613f24471ad6, 0x6627c8d41185ebef, 0xa347d140beb61c96,
345 0xde12b8f7255fb3aa, 0x9d324470404e1576, 0x9306574eb6763d51, 0xa80af9d2c79a47f3, 0x859c0777442e8b9b,
346 0x69ac853d9db97e29},
347 {0xc3407dfc2de6377e, 0x5b9e93eea4256f77, 0xadb58fdd50c845e0, 0x5219ff11a75bed86, 0x356b61cfd90b1de9,
348 0xfb8f406e25abe037, 0x7a5a0231c0f60796, 0x9d3cd216e1f5020b, 0x0c6550fb6b48d8f3, 0xf57508c427ff1c62,
349 0x4ad35ffa71cb407d, 0x6290a2da1666aa6d, 0xe284ec2349355f9f, 0xb3c307c53d7c84ec, 0x05e23c0468365a02,
350 0x190bac4d6c9ebfa8, 0x94bbbee9e28b80fa, 0xa34fc777529cb9b5, 0xcc7b39f095bcd978, 0x2426addb0ce532e3,
351 0x7e79329312ce4fc7, 0xab09a72eebec2917, 0xf8d15499f6b9d6c2, 0x1a55b8babf8c895d, 0xdb8add17fb769a85,
352 0xb57f2f368658e81b, 0x8acd36f18f3f41f6, 0x5ce3b7bba50f11d3, 0x114dcc14d5ee2f0a, 0xb91a7fcded1030e8,
353 0x81d5425fe55de7a1, 0xb6213bc1554adeee, 0x80144ef95f53f5f2, 0x1e7688186db4c10c, 0x3b912965db5fe1bc,
354 0xc281715a97e8252d, 0x54a5d7e21c7f8171, 0x4b12535ccbc5522e, 0x1d289cefbea6f7f9, 0x6ef5f2217d2e729e,
355 0xe6a7dc819b0d17ce, 0x1b94b41c05829b0e, 0x33d7493c622f711e, 0xdcf7f942fa5ce421, 0x600fba8b7f7a8ecb,
356 0x46b60f011a83988e, 0x235b898e0dcf4c47, 0x957ab24f588592a9, 0x4354330572b5c28c, 0xa5f3ef84e9b8d542,
357 0x8c711e02341b2d01, 0x0b1874ae6a62a657, 0x1213d8e306fc19ff, 0xfe6d7c6a4d9dba35, 0x65ed868f174cd4c9,
358 0x88522ea0e6236550, 0x899322065c2d7703, 0xc01e690bfef4018b, 0x915982ed8abddaf8, 0xbe675b98ec3a4e4c,
359 0xa996bf7f82f00db1, 0xe1daf8d49a27696a, 0x2effd5d3dc8986e7, 0xd153a51f2b1a2e81, 0x18caa0ebd690adfb,
360 0x390e3134b243c51a, 0x2778b92cdff70416, 0x029f1851691c24a6, 0x5e7cafeacc133575, 0xfa4e4cc89fa5f264,
361 0x5a5f9f481e2b7d24, 0x484c47ab18d764db, 0x400a27f2a1a7f479, 0xaeeb9b2a83da7315, 0x721c626879869734,
362 0x042330a2d2384851, 0x85f672fd3765aff0, 0xba446b3a3e02061d, 0x73dd6ecec3888567, 0xffac70ccf793a866,
363 0xdfa9edb5294ed2d4, 0x6c6aea7014325638, 0x834a5a0e8c41c307, 0xcdba35562fb2cb2b, 0x0ad97808d06cb404,
364 0x0f3b440cb85aee06, 0xe5f9c876481f213b, 0x98deee1289c35809, 0x59018bbfcd394bd1, 0xe01bf47220297b39,
365 0xde68e1139340c087, 0x9fa3ca4788e926ad, 0xbb85679c840c144e, 0x53d8f3b71d55ffd5, 0x0da45c5dd146caa0,
366 0x6f34fe87c72060cd, 0x57fbc315cf6db784, 0xcee421a1fca0fdde, 0x3d2d0196607b8d4b, 0x642c8a29ad42c69a,
367 0x14aff010bdd87508, 0xac74837beac657b3, 0x3216459ad821634d, 0x3fb219c70967a9ed, 0x06bc28f3bb246cf7,
368 0xf2082c9126d562c6, 0x66b39278c45ee23c, 0xbd394f6f3f2878b9, 0xfd33689d9e8f8cc0, 0x37f4799eb017394f,
369 0x108cc0b26fe03d59, 0xda4bd1b1417888d6, 0xb09d1332ee6eb219, 0x2f3ed975668794b4, 0x58c0871977375982,
370 0x7561463d78ace990, 0x09876cff037e82f1, 0x7fb83e35a8c05d94, 0x26b9b58a65f91645, 0xef20b07e9873953f,
371 0x3148516d0b3355b8, 0x41cb2b541ba9e62a, 0x790416c613e43163, 0xa011d380818e8f40, 0x3a5025c36151f3ef,
372 0xd57095bdf92266d0, 0x498d4b0da2d97688, 0x8b0c3a57353153a5, 0x21c491df64d368e1, 0x8f2f0af5e7091bf4,
373 0x2da1c1240f9bb012, 0xc43d59a92ccc49da, 0xbfa6573e56345c1f, 0x828b56a8364fd154, 0x9a41f643e0df7caf,
374 0xbcf843c985266aea, 0x2b1de9d7b4bfdce5, 0x20059d79dedd7ab2, 0x6dabe6d6ae3c446b, 0x45e81bf6c991ae7b,
375 0x6351ae7cac68b83e, 0xa432e32253b6c711, 0xd092a9b991143cd2, 0xcac711032e98b58f, 0xd8d4c9e02864ac70,
376 0xc5fc550f96c25b89, 0xd7ef8dec903e4276, 0x67729ede7e50f06f, 0xeac28c7af045cf3d, 0xb15c1f945460a04a,
377 0x9cfddeb05bfb1058, 0x93c69abce3a1fe5e, 0xeb0380dc4a4bdd6e, 0xd20db1e8f8081874, 0x229a8528b7c15e14,
378 0x44291750739fbc28, 0xd3ccbd4e42060a27, 0xf62b1c33f4ed2a97, 0x86a8660ae4779905, 0xd62e814a2a305025,
379 0x477703a7a08d8add, 0x7b9b0e977af815c5, 0x78c51a60a9ea2330, 0xa6adfb733aaae3b7, 0x97e5aa1e3199b60f,
380 0x0000000000000000, 0xf4b404629df10e31, 0x5564db44a6719322, 0x9207961a59afec0d, 0x9624a6b88b97a45c,
381 0x363575380a192b1c, 0x2c60cd82b595a241, 0x7d272664c1dc7932, 0x7142769faa94a1c1, 0xa1d0df263b809d13,
382 0x1630e841d4c451ae, 0xc1df65ad44fa13d8, 0x13d2d445bcf20bac, 0xd915c546926abe23, 0x38cf3d92084dd749,
383 0xe766d0272103059d, 0xc7634d5effde7f2f, 0x077d2455012a7ea4, 0xedbfa82ff16fb199, 0xaf2a978c39d46146,
384 0x42953fa3c8bbd0df, 0xcb061da59496a7dc, 0x25e7a17db6eb20b0, 0x34aa6d6963050fba, 0xa76cf7d580a4f1e4,
385 0xf7ea10954ee338c4, 0xfcf2643b24819e93, 0xcf252d0746aeef8d, 0x4ef06f58a3f3082c, 0x563acfb37563a5d7,
386 0x5086e740ce47c920, 0x2982f186dda3f843, 0x87696aac5e798b56, 0x5d22bb1d1f010380, 0x035e14f7d31236f5,
387 0x3cec0d30da759f18, 0xf3c920379cdb7095, 0xb8db736b571e22bb, 0xdd36f5e44052f672, 0xaac8ab8851e23b44,
388 0xa857b3d938fe1fe2, 0x17f1e4e76eca43fd, 0xec7ea4894b61a3ca, 0x9e62c6e132e734fe, 0xd4b1991b432c7483,
389 0x6ad6c283af163acf, 0x1ce9904904a8e5aa, 0x5fbda34c761d2726, 0xf910583f4cb7c491, 0xc6a241f845d06d7c,
390 0x4f3163fe19fd1a7f, 0xe99c988d2357f9c8, 0x8eee06535d0709a7, 0x0efa48aa0254fc55, 0xb4be23903c56fa48,
391 0x763f52caabbedf65, 0xeee1bcd8227d876c, 0xe345e085f33b4dcc, 0x3e731561b369bbbe, 0x2843fd2067adea10,
392 0x2adce5710eb1ceb6, 0xb7e03767ef44ccbd, 0x8db012a48e153f52, 0x61ceb62dc5749c98, 0xe85d942b9959eb9b,
393 0x4c6f7709caef2c8a, 0x84377e5b8d6bbda3, 0x30895dcbb13d47eb, 0x74a04a9bc2a2fbc3, 0x6b17ce251518289c,
394 0xe438c4d0f2113368, 0x1fb784bed7bad35f, 0x9b80fae55ad16efc, 0x77fe5e6c11b0cd36, 0xc858095247849129,
395 0x08466059b97090a2, 0x01c10ca6ba0e1253, 0x6988d6747c040c3a, 0x6849dad2c60a1e69, 0x5147ebe67449db73,
396 0xc99905f4fd8a837a, 0x991fe2b433cd4a5a, 0xf09734c04fc94660, 0xa28ecbd1e892abe6, 0xf1563866f5c75433,
397 0x4dae7baf70e13ed9, 0x7ce62ac27bd26b61, 0x70837a39109ab392, 0x90988e4b30b3c8ab, 0xb2020b63877296bf,
398 0x156efcb607d6675b},
399 {0xe63f55ce97c331d0, 0x25b506b0015bba16, 0xc8706e29e6ad9ba8, 0x5b43d3775d521f6a, 0x0bfa3d577035106e,
400 0xab95fc172afb0e66, 0xf64b63979e7a3276, 0xf58b4562649dad4b, 0x48f7c3dbae0c83f1, 0xff31916642f5c8c5,
401 0xcbb048dc1c4a0495, 0x66b8f83cdf622989, 0x35c130e908e2b9b0, 0x7c761a61f0b34fa1, 0x3601161cf205268d,
402 0x9e54ccfe2219b7d6, 0x8b7d90a538940837, 0x9cd403588ea35d0b, 0xbc3c6fea9ccc5b5a, 0xe5ff733b6d24aeed,
403 0xceed22de0f7eb8d2, 0xec8581cab1ab545e, 0xb96105e88ff8e71d, 0x8ca03501871a5ead, 0x76ccce65d6db2a2f,
404 0x5883f582a7b58057, 0x3f7be4ed2e8adc3e, 0x0fe7be06355cd9c9, 0xee054e6c1d11be83, 0x1074365909b903a6,
405 0x5dde9f80b4813c10, 0x4a770c7d02b6692c, 0x5379c8d5d7809039, 0xb4067448161ed409, 0x5f5e5026183bd6cd,
406 0xe898029bf4c29df9, 0x7fb63c940a54d09c, 0xc5171f897f4ba8bc, 0xa6f28db7b31d3d72, 0x2e4f3be7716eaa78,
407 0x0d6771a099e63314, 0x82076254e41bf284, 0x2f0fd2b42733df98, 0x5c9e76d3e2dc49f0, 0x7aeb569619606cdb,
408 0x83478b07b2468764, 0xcfadcb8d5923cd32, 0x85dac7f05b95a41e, 0xb5469d1b4043a1e9, 0xb821ecbbd9a592fd,
409 0x1b8e0b0e798c13c8, 0x62a57b6d9a0be02e, 0xfcf1b793b81257f8, 0x9d94ea0bd8fe28eb, 0x4cea408aeb654a56,
410 0x23284a47e888996c, 0x2d8f1d128b893545, 0xf4cbac3132c0d8ab, 0xbd7c86b9ca912eba, 0x3a268eef3dbe6079,
411 0xf0d62f6077a9110c, 0x2735c916ade150cb, 0x89fd5f03942ee2ea, 0x1acee25d2fd16628, 0x90f39bab41181bff,
412 0x430dfe8cde39939f, 0xf70b8ac4c8274796, 0x1c53aeaac6024552, 0x13b410acf35e9c9b, 0xa532ab4249faa24f,
413 0x2b1251e5625a163f, 0xd7e3e676da4841c7, 0xa7b264e4e5404892, 0xda8497d643ae72d3, 0x861ae105a1723b23,
414 0x38a6414991048aa4, 0x6578dec92585b6b4, 0x0280cfa6acbaeadd, 0x88bdb650c273970a, 0x9333bd5ebbff84c2,
415 0x4e6a8f2c47dfa08b, 0x321c954db76cef2a, 0x418d312a72837942, 0xb29b38bfffcdf773, 0x6c022c38f90a4c07,
416 0x5a033a240b0f6a8a, 0x1f93885f3ce5da6f, 0xc38a537e96988bc6, 0x39e6a81ac759ff44, 0x29929e43cee0fce2,
417 0x40cdd87924de0ca2, 0xe9d8ebc8a29fe819, 0x0c2798f3cfbb46f4, 0x55e484223e53b343, 0x4650948ecd0d2fd8,
418 0x20e86cb2126f0651, 0x6d42c56baf5739e7, 0xa06fc1405ace1e08, 0x7babbfc54f3d193b, 0x424d17df8864e67f,
419 0xd8045870ef14980e, 0xc6d7397c85ac3781, 0x21a885e1443273b1, 0x67f8116f893f5c69, 0x24f5efe35706cff6,
420 0xd56329d076f2ab1a, 0x5e1eb9754e66a32d, 0x28d2771098bd8902, 0x8f6013f47dfdc190, 0x17a993fdb637553c,
421 0xe0a219397e1012aa, 0x786b9930b5da8606, 0x6e82e39e55b0a6da, 0x875a0856f72f4ec3, 0x3741ff4fa458536d,
422 0xac4859b3957558fc, 0x7ef6d5c75c09a57c, 0xc04a758b6c7f14fb, 0xf9acdd91ab26ebbf, 0x7391a467c5ef9668,
423 0x335c7c1ee1319aca, 0xa91533b18641e4bb, 0xe4bf9a683b79db0d, 0x8e20faa72ba0b470, 0x51f907737b3a7ae4,
424 0x2268a314bed5ec8c, 0xd944b123b949edee, 0x31dcb3b84d8b7017, 0xd3fe65279f218860, 0x097af2f1dc8ffab3,
425 0x9b09a6fc312d0b91, 0xcc6ded78a3c4520f, 0x3481d9ba5ebfcc50, 0x4f2a667f1182d56b, 0xdfd9fdd4509ace94,
426 0x26752045fbbc252b, 0xbffc491f662bc467, 0xdd593272fc202449, 0x3cbbc218d46d4303, 0x91b372f817456e1f,
427 0x681faf69bc6385a0, 0xb686bbeebaa43ed4, 0x1469b5084cd0ca01, 0x98c98009cbca94ac, 0x6438379a73d8c354,
428 0xc2caba2dc0c5fe26, 0x3e3b0dbe78d7a9de, 0x50b9ee202d670f04, 0x4590b27b37eab0e5, 0x6025b4cb36b10af3,
429 0xfb2c1237079c0162, 0xa12f28130c936be8, 0x4b37e52e54eb1ccc, 0x083a1ba28ad28f53, 0xc10a9cd83a22611b,
430 0x9f1425ad7444c236, 0x069d4cf7e9d3237a, 0xedc56899e7f621be, 0x778c273680865fcf, 0x309c5aeb1bd605f7,
431 0x8de0dc52d1472b4d, 0xf8ec34c2fd7b9e5f, 0xea18cd3d58787724, 0xaad515447ca67b86, 0x9989695a9d97e14c,
432 0x0000000000000000, 0xf196c63321f464ec, 0x71116bc169557cb5, 0xaf887f466f92c7c1, 0x972e3e0ffe964d65,
433 0x190ec4a8d536f915, 0x95aef1a9522ca7b8, 0xdc19db21aa7d51a9, 0x94ee18fa0471d258, 0x8087adf248a11859,
434 0xc457f6da2916dd5c, 0xfa6cfb6451c17482, 0xf256e0c6db13fbd1, 0x6a9f60cf10d96f7d, 0x4daaa9d9bd383fb6,
435 0x03c026f5fae79f3d, 0xde99148706c7bb74, 0x2a52b8b6340763df, 0x6fc20acd03edd33a, 0xd423c08320afdefa,
436 0xbbe1ca4e23420dc0, 0x966ed75ca8cb3885, 0xeb58246e0e2502c4, 0x055d6a021334bc47, 0xa47242111fa7d7af,
437 0xe3623fcc84f78d97, 0x81c744a11efc6db9, 0xaec8961539cfb221, 0xf31609958d4e8e31, 0x63e5923ecc5695ce,
438 0x47107ddd9b505a38, 0xa3afe7b5a0298135, 0x792b7063e387f3e6, 0x0140e953565d75e0, 0x12f4f9ffa503e97b,
439 0x750ce8902c3cb512, 0xdbc47e8515f30733, 0x1ed3610c6ab8af8f, 0x5239218681dde5d9, 0xe222d69fd2aaf877,
440 0xfe71783514a8bd25, 0xcaf0a18f4a177175, 0x61655d9860ec7f13, 0xe77fbc9dc19e4430, 0x2ccff441ddd440a5,
441 0x16e97aaee06a20dc, 0xa855dae2d01c915b, 0x1d1347f9905f30b2, 0xb7c652bdecf94b34, 0xd03e43d265c6175d,
442 0xfdb15ec0ee4f2218, 0x57644b8492e9599e, 0x07dda5a4bf8e569a, 0x54a46d71680ec6a3, 0x5624a2d7c4b42c7e,
443 0xbebca04c3076b187, 0x7d36f332a6ee3a41, 0x3b6667bc6be31599, 0x695f463aea3ef040, 0xad08b0e0c3282d1c,
444 0xb15b1e4a052a684e, 0x44d05b2861b7c505, 0x15295c5b1a8dbfe1, 0x744c01c37a61c0f2, 0x59c31cd1f1e8f5b7,
445 0xef45a73f4b4ccb63, 0x6bdf899c46841a9d, 0x3dfb2b4b823036e3, 0xa2ef0ee6f674f4d5, 0x184e2dfb836b8cf5,
446 0x1134df0a5fe47646, 0xbaa1231d751f7820, 0xd17eaa81339b62bd, 0xb01bf71953771dae, 0x849a2ea30dc8d1fe,
447 0x705182923f080955, 0x0ea757556301ac29, 0x041d83514569c9a7, 0x0abad4042668658e, 0x49b72a88f851f611,
448 0x8a3d79f66ec97dd7, 0xcd2d042bf59927ef, 0xc930877ab0f0ee48, 0x9273540deda2f122, 0xc797d02fd3f14261,
449 0xe1e2f06a284d674a, 0xd2be8c74c97cfd80, 0x9a494faf67707e71, 0xb3dbd1eca9908293, 0x72d14d3493b2e388,
450 0xd6a30f258c153427}};

◆ STREEBOG_C

const uint64_t Botan::STREEBOG_C
extern

Definition at line 452 of file streebog_precalc.cpp.

452 {{0xdd806559f2a64507,
453 0x05767436cc744d23,
454 0xa2422a08a460d315,
455 0x4b7ce09192676901,
456 0x714eb88d7585c4fc,
457 0x2f6a76432e45d016,
458 0xebcb2f81c0657c1f,
459 0xb1085bda1ecadae9},
460 {0xe679047021b19bb7,
461 0x55dda21bd7cbcd56,
462 0x5cb561c2db0aa7ca,
463 0x9ab5176b12d69958,
464 0x61d55e0f16b50131,
465 0xf3feea720a232b98,
466 0x4fe39d460f70b5d7,
467 0x6fa3b58aa99d2f1a},
468 {0x991e96f50aba0ab2,
469 0xc2b6f443867adb31,
470 0xc1c93a376062db09,
471 0xd3e20fe490359eb1,
472 0xf2ea7514b1297b7b,
473 0x06f15e5f529c1f8b,
474 0x0a39fc286a3d8435,
475 0xf574dcac2bce2fc7},
476 {0x220cbebc84e3d12e,
477 0x3453eaa193e837f1,
478 0xd8b71333935203be,
479 0xa9d72c82ed03d675,
480 0x9d721cad685e353f,
481 0x488e857e335c3c7d,
482 0xf948e1a05d71e4dd,
483 0xef1fdfb3e81566d2},
484 {0x601758fd7c6cfe57,
485 0x7a56a27ea9ea63f5,
486 0xdfff00b723271a16,
487 0xbfcd1747253af5a3,
488 0x359e35d7800fffbd,
489 0x7f151c1f1686104a,
490 0x9a3f410c6ca92363,
491 0x4bea6bacad474799},
492 {0xfa68407a46647d6e,
493 0xbf71c57236904f35,
494 0x0af21f66c2bec6b6,
495 0xcffaa6b71c9ab7b4,
496 0x187f9ab49af08ec6,
497 0x2d66c4f95142a46c,
498 0x6fa4c33b7a3039c0,
499 0xae4faeae1d3ad3d9},
500 {0x8886564d3a14d493,
501 0x3517454ca23c4af3,
502 0x06476983284a0504,
503 0x0992abc52d822c37,
504 0xd3473e33197a93c9,
505 0x399ec6c7e6bf87c9,
506 0x51ac86febf240954,
507 0xf4c70e16eeaac5ec},
508 {0xa47f0dd4bf02e71e,
509 0x36acc2355951a8d9,
510 0x69d18d2bd1a5c42f,
511 0xf4892bcb929b0690,
512 0x89b4443b4ddbc49a,
513 0x4eb7f8719c36de1e,
514 0x03e7aa020c6e4141,
515 0x9b1f5b424d93c9a7},
516 {0x7261445183235adb,
517 0x0e38dc92cb1f2a60,
518 0x7b2b8a9aa6079c54,
519 0x800a440bdbb2ceb1,
520 0x3cd955b7e00d0984,
521 0x3a7d3a1b25894224,
522 0x944c9ad8ec165fde,
523 0x378f5a541631229b},
524 {0x74b4c7fb98459ced,
525 0x3698fad1153bb6c3,
526 0x7a1e6c303b7652f4,
527 0x9fe76702af69334b,
528 0x1fffe18a1b336103,
529 0x8941e71cff8a78db,
530 0x382ae548b2e4f3f3,
531 0xabbedea680056f52},
532 {0x6bcaa4cd81f32d1b,
533 0xdea2594ac06fd85d,
534 0xefbacd1d7d476e98,
535 0x8a1d71efea48b9ca,
536 0x2001802114846679,
537 0xd8fa6bbbebab0761,
538 0x3002c6cd635afe94,
539 0x7bcd9ed0efc889fb},
540 {0x48bc924af11bd720,
541 0xfaf417d5d9b21b99,
542 0xe71da4aa88e12852,
543 0x5d80ef9d1891cc86,
544 0xf82012d430219f9b,
545 0xcda43c32bcdf1d77,
546 0xd21380b00449b17a,
547 0x378ee767f11631ba}};

Referenced by Botan::Streebog::compress_64().

◆ WORDS_448

◆ X448_LEN