Botan  2.19.1
Crypto and TLS for C++11
Namespaces | Classes | Typedefs | Enumerations | Functions | Variables
Botan Namespace Reference

Namespaces

 ARIA_F
 
 ASN1
 
 Camellia_F
 
 Cert_Extension
 
 Charset
 
 CryptoBox
 
 CT
 
 FPE
 
 HTTP
 
 KeyPair
 
 OCSP
 
 OIDS
 
 OS
 
 PEM_Code
 
 PK_Ops
 
 PKCS11
 
 PKCS8
 
 PKIX
 
 Roughtime
 
 SHA1_F
 
 SHA1_SSE2_F
 
 Sodium
 
 stlCompatibilityDetails
 
 TLS
 
 X509
 

Classes

class  Adler32
 
class  AEAD_Mode
 
class  AES_128
 
class  AES_192
 
class  AES_256
 
class  Algorithm_Not_Found
 
class  AlgorithmIdentifier
 
class  Allocator_Initializer
 
class  AlternativeName
 
class  ANSI_X919_MAC
 
class  ANSI_X923_Padding
 
class  Argon2
 
class  Argon2_Family
 
class  ARIA_128
 
class  ARIA_192
 
class  ARIA_256
 
class  ASN1_Formatter
 
class  ASN1_Object
 
class  ASN1_Pretty_Printer
 
class  ASN1_String
 
class  ASN1_Time
 
class  Atomic
 
class  Attribute
 
class  AutoSeeded_RNG
 
class  Barrier
 
class  Base64_Decoder
 
class  Base64_Encoder
 
class  Bcrypt_PBKDF
 
class  Bcrypt_PBKDF_Family
 
class  BER_Bad_Tag
 
class  BER_Decoder
 
class  BER_Decoding_Error
 
class  BER_Object
 
class  BigInt
 
class  BitBucket
 
class  BLAKE2b
 
class  Blinded_Point_Multiply
 
class  Blinder
 
class  Block_Cipher_Fixed_Params
 
class  BlockCipher
 
class  BlockCipherModePaddingMethod
 
class  Blowfish
 
struct  BotanErrorCategory
 An error category for errors from Botan (other than TLS alerts) More...
 
class  Buffered_Computation
 
class  Buffered_Filter
 
class  Bzip2_Compression
 
class  Bzip2_Decompression
 
class  calendar_point
 
class  Camellia_128
 
class  Camellia_192
 
class  Camellia_256
 
class  Cascade_Cipher
 
class  CAST_128
 
class  CAST_256
 
class  CBC_Decryption
 
class  CBC_Encryption
 
class  CBC_MAC
 
class  CBC_Mode
 
class  CCM_Decryption
 
class  CCM_Encryption
 
class  CCM_Mode
 
class  CECPQ1_key
 
class  Certificate_Extension
 
class  Certificate_Store
 
class  Certificate_Store_In_Memory
 
class  Certificate_Store_In_SQL
 
class  Certificate_Store_In_SQLite
 
class  Certificate_Store_MacOS
 
class  Certificate_Store_Windows
 
class  CFB_Decryption
 
class  CFB_Encryption
 
class  CFB_Mode
 
class  ChaCha
 
class  ChaCha20Poly1305_Decryption
 
class  ChaCha20Poly1305_Encryption
 
class  ChaCha20Poly1305_Mode
 
class  ChaCha_RNG
 
class  Chain
 
class  Cipher_Mode
 
class  Cipher_Mode_Filter
 
class  CMAC
 
class  Comb4P
 
class  CommonCrypto_Error
 
struct  CommonCryptor_Opts
 
class  Compression_Algorithm
 
class  Compression_Alloc_Info
 
class  Compression_Error
 
class  Compression_Stream
 
class  CPUID
 
class  CRC24
 
class  CRC32
 
class  Credentials_Manager
 
class  CRL_Entry
 
class  CTR_BE
 
class  CTS_Decryption
 
class  CTS_Encryption
 
class  Curve25519_PrivateKey
 
class  Curve25519_PublicKey
 
class  CurveGFp
 
class  CurveGFp_Repr
 
class  Data_Store
 
class  DataSink
 
class  DataSink_Stream
 
class  DataSource
 
class  DataSource_Memory
 
class  DataSource_Stream
 
class  Decoding_Error
 
class  Decompression_Algorithm
 
class  Deflate_Compression
 
class  Deflate_Decompression
 
class  DER_Encoder
 
class  DES
 
class  DESX
 
class  Device_EntropySource
 
class  DH_PrivateKey
 
class  DH_PublicKey
 
class  DL_Group
 
class  DL_Scheme_PrivateKey
 
class  DL_Scheme_PublicKey
 
class  DLIES_Decryptor
 
class  DLIES_Encryptor
 
class  donna128
 
class  DSA_PrivateKey
 
class  DSA_PublicKey
 
class  Dynamically_Loaded_Library
 
class  EAX_Decryption
 
class  EAX_Encryption
 
class  EAX_Mode
 
class  EC_Group
 
class  EC_PrivateKey
 
class  EC_PublicKey
 
class  ECDH_PrivateKey
 
class  ECDH_PublicKey
 
class  ECDSA_PrivateKey
 
class  ECDSA_PublicKey
 
class  ECGDSA_PrivateKey
 
class  ECGDSA_PublicKey
 
class  ECIES_Decryptor
 
class  ECIES_Encryptor
 
class  ECIES_KA_Operation
 
class  ECIES_KA_Params
 
class  ECIES_System_Params
 
class  ECKCDSA_PrivateKey
 
class  ECKCDSA_PublicKey
 
class  Ed25519_PrivateKey
 
class  Ed25519_PublicKey
 
class  ElGamal_PrivateKey
 
class  ElGamal_PublicKey
 
class  EME
 
class  EME_PKCS1v15
 
class  EME_Raw
 
class  EMSA
 
class  EMSA1
 
class  EMSA_PKCS1v15
 
class  EMSA_PKCS1v15_Raw
 
class  EMSA_Raw
 
class  EMSA_X931
 
class  Encoding_Error
 
class  Encrypted_PSK_Database
 
class  Encrypted_PSK_Database_SQL
 
class  Entropy_Source
 
class  Entropy_Sources
 
class  ESP_Padding
 
class  Exception
 
class  Extensions
 
class  Fanout_Filter
 
class  FE_25519
 
class  File_Descriptor_Source
 
class  Filter
 
class  Fixed_Base_Power_Mod
 
class  Fixed_Exponent_Power_Mod
 
class  Flatfile_Certificate_Store
 
class  Fork
 
class  FPE_FE1
 
class  GCM_Decryption
 
class  GCM_Encryption
 
class  GCM_Mode
 
struct  ge_p3
 
class  GeneralName
 X.509 GeneralName Type. More...
 
class  GeneralSubtree
 A single Name Constraint. More...
 
class  Getentropy
 
class  GF2m_Field
 
class  GHASH
 
class  GMAC
 
class  GOST_28147_89
 
class  GOST_28147_89_Params
 
class  GOST_3410_PrivateKey
 
class  GOST_3410_PublicKey
 
class  GOST_34_11
 
class  Gzip_Compression
 
class  Gzip_Decompression
 
class  Hardware_RNG
 
class  HashFunction
 
class  Hex_Decoder
 
class  Hex_Encoder
 
class  HKDF
 
class  HKDF_Expand
 
class  HKDF_Extract
 
class  HMAC
 
class  HMAC_DRBG
 
class  HOTP
 
class  IDEA
 
class  Illegal_Point
 
class  Illegal_Transformation
 
class  Integer_Overflow_Detected
 
class  Intel_Rdseed
 
class  Internal_Error
 
class  Invalid_Algorithm_Name
 
class  Invalid_Argument
 
class  Invalid_Authentication_Tag
 
class  Invalid_IV_Length
 
class  Invalid_Key_Length
 
class  Invalid_OID
 
class  Invalid_State
 
class  ISO_9796_DS2
 
class  ISO_9796_DS3
 
class  KASUMI
 
class  KDF
 
class  KDF1
 
class  KDF1_18033
 
class  KDF2
 
class  Keccak_1600
 
class  Key_Length_Specification
 
class  Key_Not_Set
 
class  Keyed_Filter
 
class  LibraryInitializer
 
class  Lion
 
class  lock_guard
 
class  Lookup_Error
 
class  LZMA_Compression
 
class  LZMA_Decompression
 
class  McEliece_PrivateKey
 
class  McEliece_PublicKey
 
class  MD4
 
class  MD5
 
class  MDx_HashFunction
 
class  Memory_Pool
 
class  MessageAuthenticationCode
 
class  MISTY1
 
class  mlock_allocator
 
class  Modular_Reducer
 
class  Montgomery_Int
 
class  Montgomery_Params
 
class  NameConstraints
 Name Constraints. More...
 
class  newhope_poly
 
class  No_Filesystem_Access
 
class  No_Provider_Found
 
class  Noekeon
 
class  noop_mutex
 
class  Not_Implemented
 
class  Null_Padding
 
class  Null_RNG
 
class  OAEP
 
class  OCB_Decryption
 
class  OCB_Encryption
 
class  OCB_Mode
 
class  OctetString
 
class  OFB
 
class  OID
 
class  OneAndZeros_Padding
 
class  OpenPGP_S2K
 
class  OpenSSL_Error
 
class  Output_Buffers
 
class  Parallel
 
class  PasswordHash
 
class  PasswordHashFamily
 
class  Path_Validation_Restrictions
 
class  Path_Validation_Result
 
class  PBKDF
 
class  PBKDF2
 
class  PBKDF2_Family
 
class  Pipe
 
class  PK_Decryptor
 
class  PK_Decryptor_EME
 
class  PK_Encryptor
 
class  PK_Encryptor_EME
 
class  PK_KEM_Decryptor
 
class  PK_KEM_Encryptor
 
class  PK_Key_Agreement
 
class  PK_Key_Agreement_Key
 
class  PK_Signer
 
class  PK_Verifier
 
class  PKCS10_Request
 
class  PKCS5_PBKDF1
 
class  PKCS5_PBKDF2
 
class  PKCS7_Padding
 
class  PKCS8_Exception
 
class  PointGFp
 
class  PointGFp_Base_Point_Precompute
 
class  PointGFp_Multi_Point_Precompute
 
class  PointGFp_Var_Point_Precompute
 
class  Policy_Violation
 
class  Poly1305
 
class  polyn_gf2m
 
class  Power_Mod
 
class  Private_Key
 
class  PRNG_Unseeded
 
class  Processor_RNG
 
class  ProcWalking_EntropySource
 
class  Provider_Not_Found
 
class  PSK_Database
 
class  PSSR
 
class  PSSR_Raw
 
class  Public_Key
 
class  RandomNumberGenerator
 
class  RC4
 
class  RDRAND_RNG
 
class  RFC4880_S2K
 
class  RFC4880_S2K_Family
 
class  RFC6979_Nonce_Generator
 
class  RIPEMD_160
 
class  RSA_PrivateKey
 
class  RSA_PublicKey
 
class  RTSS_Share
 
class  RWLock
 
class  Salsa20
 
class  SCAN_Name
 
class  Scrypt
 
class  Scrypt_Family
 
class  secure_allocator
 
class  SecureQueue
 
class  SEED
 
class  Self_Test_Failure
 
class  Semaphore
 
class  Serpent
 
class  SHA_160
 
class  SHA_224
 
class  SHA_256
 
class  SHA_3
 
class  SHA_384
 
class  SHA_3_224
 
class  SHA_3_256
 
class  SHA_3_384
 
class  SHA_3_512
 
class  SHA_512
 
class  SHA_512_256
 
class  SHACAL2
 
class  SHAKE_128
 
class  SHAKE_128_Cipher
 
class  SHAKE_256
 
class  SIMD_4x32
 
class  SIMD_8x32
 
class  SipHash
 
class  SIV_Decryption
 
class  SIV_Encryption
 
class  SIV_Mode
 
class  Skein_512
 
class  SM2_PrivateKey
 
class  SM2_PublicKey
 
class  SM3
 
class  SM4
 
class  SP800_108_Counter
 
class  SP800_108_Feedback
 
class  SP800_108_Pipeline
 
class  SP800_56A_Hash
 
class  SP800_56A_HMAC
 
class  SP800_56C
 
class  SQL_Database
 
class  Sqlite3_Database
 
class  SRP6_Server_Session
 
class  Stateful_RNG
 
class  Stream_Compression
 
class  Stream_Decompression
 
class  Stream_IO_Error
 
class  StreamCipher
 
class  Streebog
 
class  Streebog_256
 
class  Streebog_512
 
class  SymmetricAlgorithm
 
class  System_Certificate_Store
 
class  System_Error
 
class  System_RNG
 
class  Thread_Pool
 
class  Threefish_512
 
class  Tiger
 
class  Timer
 
class  TLS_12_PRF
 
class  TLS_PRF
 
class  TOTP
 
class  TPM_Context
 
class  TPM_Error
 
class  TPM_PrivateKey
 
class  TPM_RNG
 
class  TripleDES
 
class  Tweakable_Block_Cipher
 
class  Twofish
 
class  Unsupported_Argument
 
struct  URI
 
class  UUID
 
class  Whirlpool
 
class  Win32_EntropySource
 
class  X509_CA
 
class  X509_Cert_Options
 
class  X509_Certificate
 
class  X509_CRL
 
class  X509_DN
 
class  X509_Object
 
class  X942_PRF
 
class  XMSS_Address
 
class  XMSS_Common_Ops
 
class  XMSS_Hash
 
class  XMSS_Index_Registry
 
class  XMSS_Key_Pair
 
class  XMSS_Parameters
 
class  XMSS_PrivateKey
 
class  XMSS_PublicKey
 
class  XMSS_Signature
 
class  XMSS_Signature_Operation
 
class  XMSS_Tools
 
class  XMSS_Verification_Operation
 
class  XMSS_WOTS_Addressed_PrivateKey
 
class  XMSS_WOTS_Addressed_PublicKey
 
class  XMSS_WOTS_Parameters
 
class  XMSS_WOTS_PrivateKey
 
class  XMSS_WOTS_PublicKey
 
class  XTEA
 
class  XTS_Decryption
 
class  XTS_Encryption
 
class  XTS_Mode
 
class  ZFEC
 
class  Zlib_Compression
 
class  Zlib_Decompression
 
class  Zlib_Style_Stream
 

Typedefs

typedef __vector unsigned int Altivec32x4
 
typedef __vector unsigned long long Altivec64x2
 
typedef __vector unsigned char Altivec8x16
 
typedef BLAKE2b Blake2b
 
using byte = std::uint8_t
 
typedef std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
 
typedef EC_Group EC_Domain_Params
 
typedef FE_25519 fe
 
typedef uint16_t gf2m
 
using InitializationVector = OctetString
 
typedef Invalid_Authentication_Tag Integrity_Failure
 
template<typename T >
using lock_guard_type = lock_guard< T >
 
typedef MessageAuthenticationCode MAC
 
typedef noop_mutex mutex_type
 
typedef PK_Key_Agreement_Key PK_KA_Key
 
typedef Private_Key PKCS8_PrivateKey
 
typedef newhope_poly poly
 
typedef noop_mutex recursive_mutex_type
 
typedef RandomNumberGenerator RNG
 
typedef PBKDF S2K
 
using s32bit = std::int32_t
 
template<typename T >
using secure_deque = std::deque< T, secure_allocator< T >>
 
template<typename T >
using secure_vector = std::vector< T, secure_allocator< T >>
 
template<typename T >
using SecureVector = secure_vector< T >
 
typedef SHA_160 SHA_1
 
typedef SM2_PrivateKey SM2_Encryption_PrivateKey
 
typedef SM2_PublicKey SM2_Encryption_PublicKey
 
typedef SM2_PrivateKey SM2_Signature_PrivateKey
 
typedef SM2_PublicKey SM2_Signature_PublicKey
 
using SymmetricKey = OctetString
 
typedef Cipher_Mode_Filter Transform_Filter
 
typedef Transform_Filter Transformation_Filter
 
using u16bit = std::uint16_t
 
using u32bit = std::uint32_t
 
using u64bit = std::uint64_t
 
typedef std::vector< secure_vector< uint8_t > > wots_keysig_t
 
typedef Curve25519_PrivateKey X25519_PrivateKey
 
typedef Curve25519_PublicKey X25519_PublicKey
 
typedef Public_Key X509_PublicKey
 
typedef ASN1_Time X509_Time
 

Enumerations

enum  { SM3_BLOCK_BYTES = 64, SM3_DIGEST_BYTES = 32 }
 
enum  ASN1_Tag : uint32_t {
  UNIVERSAL = 0x00, APPLICATION = 0x40, CONTEXT_SPECIFIC = 0x80, CONSTRUCTED = 0x20,
  PRIVATE = CONSTRUCTED | CONTEXT_SPECIFIC, EOC = 0x00, BOOLEAN = 0x01, INTEGER = 0x02,
  BIT_STRING = 0x03, OCTET_STRING = 0x04, NULL_TAG = 0x05, OBJECT_ID = 0x06,
  ENUMERATED = 0x0A, SEQUENCE = 0x10, SET = 0x11, UTF8_STRING = 0x0C,
  NUMERIC_STRING = 0x12, PRINTABLE_STRING = 0x13, T61_STRING = 0x14, IA5_STRING = 0x16,
  VISIBLE_STRING = 0x1A, UNIVERSAL_STRING = 0x1C, BMP_STRING = 0x1E, UTC_TIME = 0x17,
  GENERALIZED_TIME = 0x18, UTC_OR_GENERALIZED_TIME = 0x19, NO_OBJECT = 0xFF00, DIRECTORY_STRING = 0xFF01
}
 
enum  Certificate_Status_Code {
  Certificate_Status_Code::OK = 0, Certificate_Status_Code::VERIFIED = 0, Certificate_Status_Code::OCSP_RESPONSE_GOOD = 1, Certificate_Status_Code::OCSP_SIGNATURE_OK = 2,
  Certificate_Status_Code::VALID_CRL_CHECKED = 3, Certificate_Status_Code::OCSP_NO_HTTP = 4, Certificate_Status_Code::FIRST_WARNING_STATUS = 500, Certificate_Status_Code::CERT_SERIAL_NEGATIVE = 500,
  Certificate_Status_Code::DN_TOO_LONG = 501, Certificate_Status_Code::OCSP_NO_REVOCATION_URL = 502, Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE = 503, Certificate_Status_Code::OSCP_NO_REVOCATION_URL = 502,
  Certificate_Status_Code::OSCP_SERVER_NOT_AVAILABLE = 503, Certificate_Status_Code::FIRST_ERROR_STATUS = 1000, Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK = 1000, Certificate_Status_Code::UNTRUSTED_HASH = 1001,
  Certificate_Status_Code::NO_REVOCATION_DATA = 1002, Certificate_Status_Code::NO_MATCHING_CRLDP = 1003, Certificate_Status_Code::CERT_NOT_YET_VALID = 2000, Certificate_Status_Code::CERT_HAS_EXPIRED = 2001,
  Certificate_Status_Code::OCSP_NOT_YET_VALID = 2002, Certificate_Status_Code::OCSP_HAS_EXPIRED = 2003, Certificate_Status_Code::CRL_NOT_YET_VALID = 2004, Certificate_Status_Code::CRL_HAS_EXPIRED = 2005,
  Certificate_Status_Code::OCSP_IS_TOO_OLD = 2006, Certificate_Status_Code::CERT_ISSUER_NOT_FOUND = 3000, Certificate_Status_Code::CANNOT_ESTABLISH_TRUST = 3001, Certificate_Status_Code::CERT_CHAIN_LOOP = 3002,
  Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT = 3003, Certificate_Status_Code::CHAIN_NAME_MISMATCH = 3004, Certificate_Status_Code::POLICY_ERROR = 4000, Certificate_Status_Code::INVALID_USAGE = 4001,
  Certificate_Status_Code::CERT_CHAIN_TOO_LONG = 4002, Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER = 4003, Certificate_Status_Code::NAME_CONSTRAINT_ERROR = 4004, Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER = 4005,
  Certificate_Status_Code::OCSP_CERT_NOT_LISTED = 4006, Certificate_Status_Code::OCSP_BAD_STATUS = 4007, Certificate_Status_Code::CERT_NAME_NOMATCH = 4008, Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION = 4009,
  Certificate_Status_Code::DUPLICATE_CERT_EXTENSION = 4010, Certificate_Status_Code::OCSP_SIGNATURE_ERROR = 4501, Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND = 4502, Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE = 4503,
  Certificate_Status_Code::OCSP_RESPONSE_INVALID = 4504, Certificate_Status_Code::EXT_IN_V1_V2_CERT = 4505, Certificate_Status_Code::DUPLICATE_CERT_POLICY = 4506, Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT = 4507,
  Certificate_Status_Code::CERT_IS_REVOKED = 5000, Certificate_Status_Code::CRL_BAD_SIGNATURE = 5001, Certificate_Status_Code::SIGNATURE_ERROR = 5002, Certificate_Status_Code::CERT_PUBKEY_INVALID = 5003,
  Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN = 5004, Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS = 5005
}
 
enum  Character_Set { LOCAL_CHARSET, UCS2_CHARSET, UTF8_CHARSET, LATIN1_CHARSET }
 
enum  Cipher_Dir : int { ENCRYPTION, DECRYPTION }
 
enum  CRL_Code : uint32_t {
  UNSPECIFIED = 0, KEY_COMPROMISE = 1, CA_COMPROMISE = 2, AFFILIATION_CHANGED = 3,
  SUPERSEDED = 4, CESSATION_OF_OPERATION = 5, CERTIFICATE_HOLD = 6, REMOVE_FROM_CRL = 8,
  PRIVLEDGE_WITHDRAWN = 9, PRIVILEGE_WITHDRAWN = 9, AA_COMPROMISE = 10, DELETE_CRL_ENTRY = 0xFF00,
  OCSP_GOOD = 0xFF01, OCSP_UNKNOWN = 0xFF02
}
 
enum  Decoder_Checking { NONE, IGNORE_WS, FULL_CHECK }
 
enum  DL_Group_Source { DL_Group_Source::Builtin, DL_Group_Source::RandomlyGenerated, DL_Group_Source::ExternalSource }
 
enum  EC_Group_Encoding { EC_DOMPAR_ENC_EXPLICIT = 0, EC_DOMPAR_ENC_IMPLICITCA = 1, EC_DOMPAR_ENC_OID = 2 }
 
enum  EC_Group_Source { EC_Group_Source::Builtin, EC_Group_Source::ExternalSource }
 
enum  ECIES_Flags : uint32_t {
  ECIES_Flags::NONE = 0, ECIES_Flags::SINGLE_HASH_MODE = 1, ECIES_Flags::COFACTOR_MODE = 2, ECIES_Flags::OLD_COFACTOR_MODE = 4,
  ECIES_Flags::CHECK_MODE = 8
}
 
enum  ErrorType {
  ErrorType::Unknown = 1, ErrorType::SystemError, ErrorType::NotImplemented, ErrorType::OutOfMemory,
  ErrorType::InternalError, ErrorType::IoError, ErrorType::InvalidObjectState = 100, ErrorType::KeyNotSet,
  ErrorType::InvalidArgument, ErrorType::InvalidKeyLength, ErrorType::InvalidNonceLength, ErrorType::LookupError,
  ErrorType::EncodingFailure, ErrorType::DecodingFailure, ErrorType::TLSError, ErrorType::HttpError,
  ErrorType::InvalidTag, ErrorType::RoughtimeError, ErrorType::OpenSSLError = 200, ErrorType::CommonCryptoError,
  ErrorType::Pkcs11Error, ErrorType::TPMError, ErrorType::DatabaseError, ErrorType::ZlibError = 300,
  ErrorType::Bzip2Error, ErrorType::LzmaError
}
 
enum  Key_Constraints {
  NO_CONSTRAINTS = 0, DIGITAL_SIGNATURE = 1 << 15, NON_REPUDIATION = 1 << 14, KEY_ENCIPHERMENT = 1 << 13,
  DATA_ENCIPHERMENT = 1 << 12, KEY_AGREEMENT = 1 << 11, KEY_CERT_SIGN = 1 << 10, CRL_SIGN = 1 << 9,
  ENCIPHER_ONLY = 1 << 8, DECIPHER_ONLY = 1 << 7
}
 
enum  Newhope_Mode { Newhope_Mode::SHA3, Newhope_Mode::BoringSSL }
 
enum  Newhope_Params {
  NEWHOPE_SENDABYTES = 1824, NEWHOPE_SENDBBYTES = 2048, NEWHOPE_OFFER_BYTES = 1824, NEWHOPE_ACCEPT_BYTES = 2048,
  NEWHOPE_SHARED_KEY_BYTES = 32, NEWHOPE_SEED_BYTES = 32, NEWHOPE_POLY_BYTES = 1792, CECPQ1_OFFER_BYTES = NEWHOPE_OFFER_BYTES + 32,
  CECPQ1_ACCEPT_BYTES = NEWHOPE_ACCEPT_BYTES + 32, CECPQ1_SHARED_KEY_BYTES = NEWHOPE_SHARED_KEY_BYTES + 32
}
 
enum  Signature_Format { IEEE_1363, DER_SEQUENCE }
 
enum  TPM_Storage_Type { TPM_Storage_Type::User, TPM_Storage_Type::System }
 
enum  Usage_Type {
  Usage_Type::UNSPECIFIED, Usage_Type::TLS_SERVER_AUTH, Usage_Type::TLS_CLIENT_AUTH, Usage_Type::CERTIFICATE_AUTHORITY,
  Usage_Type::OCSP_RESPONDER, Usage_Type::ENCRYPTION
}
 
enum  X509_Encoding { RAW_BER, PEM }
 

Functions

BigInt abs (const BigInt &n)
 
BOTAN_MALLOC_FN void * allocate_memory (size_t elems, size_t elem_size)
 
size_t almost_montgomery_inverse (BigInt &result, const BigInt &a, const BigInt &p)
 
void aont_package (RandomNumberGenerator &rng, BlockCipher *cipher, const uint8_t input[], size_t input_len, uint8_t output[])
 
void aont_unpackage (BlockCipher *cipher, const uint8_t input[], size_t input_len, uint8_t output[])
 
void argon2 (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t mode, size_t threads, size_t M, size_t t)
 
bool argon2_check_pwhash (const char *password, size_t password_len, const std::string &hash)
 
std::string argon2_generate_pwhash (const char *password, size_t password_len, RandomNumberGenerator &rng, size_t p, size_t M, size_t t, uint8_t y=2, size_t salt_len=16, size_t output_len=32)
 
std::string asn1_class_to_string (ASN1_Tag type)
 
std::string asn1_tag_to_string (ASN1_Tag type)
 
void assertion_failure (const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
 
size_t base32_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
 
size_t base32_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t base32_decode (uint8_t output[], const std::string &input, bool ignore_ws)
 
secure_vector< uint8_t > base32_decode (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > base32_decode (const std::string &input, bool ignore_ws)
 
template<typename Alloc >
std::string base32_encode (const std::vector< uint8_t, Alloc > &input)
 
size_t base32_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
std::string base32_encode (const uint8_t input[], size_t input_length)
 
std::vector< uint8_t > base58_check_decode (const std::string &s)
 
std::vector< uint8_t > base58_check_decode (const char input[], size_t input_length)
 
template<typename Alloc >
std::string base58_check_encode (const std::vector< uint8_t, Alloc > &vec)
 
std::string base58_check_encode (const uint8_t input[], size_t input_length)
 
std::vector< uint8_t > base58_decode (const std::string &s)
 
std::vector< uint8_t > base58_decode (const char input[], size_t input_length)
 
template<typename Alloc >
std::string base58_encode (const std::vector< uint8_t, Alloc > &vec)
 
std::string base58_encode (const uint8_t input[], size_t input_length)
 
size_t base64_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
 
size_t base64_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t base64_decode (uint8_t output[], const std::string &input, bool ignore_ws)
 
secure_vector< uint8_t > base64_decode (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > base64_decode (const std::string &input, bool ignore_ws)
 
size_t base64_decode_max_output (size_t input_length)
 
template<typename Alloc >
std::string base64_encode (const std::vector< uint8_t, Alloc > &input)
 
size_t base64_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
std::string base64_encode (const uint8_t input[], size_t input_length)
 
size_t base64_encode_max_output (size_t input_length)
 
template<typename Base >
size_t base_decode (Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
 
template<typename Base >
size_t base_decode_full (Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
template<typename Vector , typename Base >
Vector base_decode_to_vec (Base &&base, const char input[], size_t input_length, bool ignore_ws)
 
template<class Base >
size_t base_encode (Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
 
template<typename Base >
std::string base_encode_to_string (Base &&base, const uint8_t input[], size_t input_length)
 
void bcrypt_pbkdf (uint8_t output[], size_t output_len, const char *pass, size_t pass_len, const uint8_t salt[], size_t salt_len, size_t rounds)
 
void bigint_add2 (word x[], size_t x_size, const word y[], size_t y_size)
 
word bigint_add2_nc (word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_add3 (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
word bigint_add3_nc (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
int32_t bigint_cmp (const word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_cnd_abs (word cnd, word x[], size_t size)
 
word bigint_cnd_add (word cnd, word x[], word x_size, const word y[], size_t y_size)
 
word bigint_cnd_add (word cnd, word x[], const word y[], size_t size)
 
void bigint_cnd_add_or_sub (CT::Mask< word > mask, word x[], const word y[], size_t size)
 
word bigint_cnd_addsub (CT::Mask< word > mask, word x[], const word y[], const word z[], size_t size)
 
word bigint_cnd_sub (word cnd, word x[], size_t x_size, const word y[], size_t y_size)
 
word bigint_cnd_sub (word cnd, word x[], const word y[], size_t size)
 
void bigint_cnd_swap (word cnd, word x[], word y[], size_t size)
 
void bigint_comba_mul16 (word z[32], const word x[16], const word y[16])
 
void bigint_comba_mul24 (word z[48], const word x[24], const word y[24])
 
void bigint_comba_mul4 (word z[8], const word x[4], const word y[4])
 
void bigint_comba_mul6 (word z[12], const word x[6], const word y[6])
 
void bigint_comba_mul8 (word z[16], const word x[8], const word y[8])
 
void bigint_comba_mul9 (word z[18], const word x[9], const word y[9])
 
void bigint_comba_sqr16 (word z[32], const word x[16])
 
void bigint_comba_sqr24 (word z[48], const word x[24])
 
void bigint_comba_sqr4 (word z[8], const word x[4])
 
void bigint_comba_sqr6 (word z[12], const word x[6])
 
void bigint_comba_sqr8 (word z[16], const word x[8])
 
void bigint_comba_sqr9 (word z[18], const word x[9])
 
CT::Mask< word > bigint_ct_is_eq (const word x[], size_t x_size, const word y[], size_t y_size)
 
CT::Mask< word > bigint_ct_is_lt (const word x[], size_t x_size, const word y[], size_t y_size, bool lt_or_equal=false)
 
word bigint_divop (word n1, word n0, word d)
 
word BOTAN_WARN_UNUSED_RESULT bigint_linmul2 (word x[], size_t x_size, word y)
 
void bigint_linmul3 (word z[], const word x[], size_t x_size, word y)
 
void bigint_mod_sub (word t[], const word s[], const word mod[], size_t mod_sw, word ws[])
 
template<size_t N>
void bigint_mod_sub_n (word t[], const word s[], const word mod[], word ws[])
 
word bigint_modop (word n1, word n0, word d)
 
void bigint_monty_redc (word z[], const word p[], size_t p_size, word p_dash, word workspace[], size_t ws_size)
 
void bigint_monty_redc_16 (word z[], const word p[], word p_dash, word ws[])
 
void bigint_monty_redc_16 (word z[], const word p[16], word p_dash, word ws[])
 
void bigint_monty_redc_24 (word z[], const word p[], word p_dash, word ws[])
 
void bigint_monty_redc_24 (word z[], const word p[24], word p_dash, word ws[])
 
void bigint_monty_redc_32 (word z[], const word p[], word p_dash, word ws[])
 
void bigint_monty_redc_32 (word z[], const word p[32], word p_dash, word ws[])
 
void bigint_monty_redc_4 (word z[], const word p[4], word p_dash, word ws[])
 
void bigint_monty_redc_4 (word z[], const word p[], word p_dash, word ws[])
 
void bigint_monty_redc_6 (word z[], const word p[], word p_dash, word ws[])
 
void bigint_monty_redc_6 (word z[], const word p[6], word p_dash, word ws[])
 
void bigint_monty_redc_8 (word z[], const word p[], word p_dash, word ws[])
 
void bigint_monty_redc_8 (word z[], const word p[8], word p_dash, word ws[])
 
void bigint_mul (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
 
void bigint_shl1 (word x[], size_t x_size, size_t x_words, size_t word_shift, size_t bit_shift)
 
void bigint_shl2 (word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
 
void bigint_shr1 (word x[], size_t x_size, size_t word_shift, size_t bit_shift)
 
void bigint_shr2 (word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
 
void bigint_sqr (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size)
 
word bigint_sub2 (word x[], size_t x_size, const word y[], size_t y_size)
 
void bigint_sub2_rev (word x[], const word y[], size_t y_size)
 
word bigint_sub3 (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
CT::Mask< word > bigint_sub_abs (word z[], const word x[], const word y[], size_t N, word ws[])
 
int32_t bigint_sub_abs (word z[], const word x[], size_t x_size, const word y[], size_t y_size)
 
template<typename T >
T bit_permute_step (T x, T mask, size_t shift)
 
size_t bit_size_to_32bit_size (size_t bit_size)
 
size_t bit_size_to_byte_size (size_t bit_size)
 
const BotanErrorCategorybotan_category () noexcept
 
template<typename T >
void bswap_4 (T x[4])
 
template<typename T , typename Alloc >
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length)
 
template<typename T , typename Alloc , typename Alloc2 >
size_t buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const std::vector< T, Alloc2 > &input)
 
calendar_point calendar_value (const std::chrono::system_clock::time_point &time_point)
 
template<size_t S, int64_t MUL = 1>
void carry (int64_t &h0, int64_t &h1)
 
template<size_t S>
void carry0 (int64_t &h0, int64_t &h1)
 
template<size_t S>
void carry0 (int32_t &h0, int32_t &h1)
 
uint64_t carry_shift (const donna128 &a, size_t shift)
 
const uint8_t * cast_char_ptr_to_uint8 (const char *s)
 
uint8_t * cast_char_ptr_to_uint8 (char *s)
 
const char * cast_uint8_ptr_to_char (const uint8_t *b)
 
char * cast_uint8_ptr_to_char (uint8_t *b)
 
void CECPQ1_accept (uint8_t shared_key[CECPQ1_SHARED_KEY_BYTES], uint8_t send[CECPQ1_ACCEPT_BYTES], const uint8_t received[CECPQ1_OFFER_BYTES], RandomNumberGenerator &rng)
 
void CECPQ1_accept (uint8_t *shared_key, uint8_t *accept_message, const uint8_t *offer_message, RandomNumberGenerator &rng)
 
void CECPQ1_finish (uint8_t *shared_key, const CECPQ1_key &offer_key, const uint8_t *accept_message)
 
void CECPQ1_finish (uint8_t shared_key[CECPQ1_SHARED_KEY_BYTES], const CECPQ1_key &offer_key, const uint8_t received[CECPQ1_ACCEPT_BYTES])
 
void CECPQ1_offer (uint8_t send[CECPQ1_OFFER_BYTES], CECPQ1_key *offer_key_output, RandomNumberGenerator &rng)
 
void CECPQ1_offer (uint8_t *offer_message, CECPQ1_key *offer_key_output, RandomNumberGenerator &rng)
 
template<typename T >
uint8_t ceil_log2 (T x)
 
bool check_bcrypt (const std::string &pass, const std::string &hash)
 
bool check_passhash9 (const std::string &pass, const std::string &hash)
 
bool check_prime (const BigInt &n, RandomNumberGenerator &rng)
 
size_t checked_add (size_t x, size_t y, const char *file, int line)
 
PK_Signerchoose_sig_format (const Private_Key &key, RandomNumberGenerator &rng, const std::string &hash_fn, AlgorithmIdentifier &sig_algo)
 
PK_Signerchoose_sig_format (const Private_Key &key, const std::map< std::string, std::string > &opts, RandomNumberGenerator &rng, const std::string &hash_fn, AlgorithmIdentifier &sig_algo)
 
size_t clamp (size_t n, size_t lower_bound, size_t upper_bound)
 
std::string clean_ws (const std::string &s)
 
void clear_bytes (void *ptr, size_t bytes)
 
template<typename T >
void clear_mem (T *ptr, size_t n)
 
uint64_t combine_lower (const donna128 &a, size_t s1, const donna128 &b, size_t s2)
 
void commoncrypto_adjust_key_size (const uint8_t key[], size_t length, const CommonCryptor_Opts &opts, secure_vector< uint8_t > &full_key)
 
CommonCryptor_Opts commoncrypto_opts_from_algo (const std::string &algo)
 
CommonCryptor_Opts commoncrypto_opts_from_algo_name (const std::string &algo_name)
 
bool constant_time_compare (const uint8_t x[], const uint8_t y[], size_t len)
 
template<typename T >
void copy_mem (T *out, const T *in, size_t n)
 
template<typename T >
void copy_out_be (uint8_t out[], size_t out_bytes, const T in[])
 
template<typename T >
void copy_out_le (uint8_t out[], size_t out_bytes, const T in[])
 
template<typename T , typename Alloc >
void copy_out_vec_be (uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
 
template<typename T , typename Alloc >
void copy_out_vec_le (uint8_t out[], size_t out_bytes, const std::vector< T, Alloc > &in)
 
AlternativeName create_alt_name (const Data_Store &info)
 
X509_DN create_dn (const Data_Store &info)
 
std::string create_hex_fingerprint (const uint8_t bits[], size_t bits_len, const std::string &hash_name)
 
template<typename Alloc >
std::string create_hex_fingerprint (const std::vector< uint8_t, Alloc > &vec, const std::string &hash_name)
 
std::unique_ptr< Private_Keycreate_private_key (const std::string &alg_name, RandomNumberGenerator &rng, const std::string &params, const std::string &provider)
 
uint8_t ct_compare_u8 (const uint8_t x[], const uint8_t y[], size_t len)
 
void ct_divide (const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
 
BigInt ct_divide (const BigInt &x, const BigInt &y)
 
void ct_divide_u8 (const BigInt &x, uint8_t y, BigInt &q_out, uint8_t &r_out)
 
BigInt ct_inverse_mod_odd_modulus (const BigInt &n, const BigInt &mod)
 
template<typename T >
T ct_is_zero (T x)
 
BigInt ct_modulo (const BigInt &x, const BigInt &y)
 
template<typename T >
size_t ctz (T n)
 
void curve25519_basepoint (uint8_t mypublic[32], const uint8_t secret[32])
 
void curve25519_donna (uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
 
void deallocate_memory (void *p, size_t elems, size_t elem_size)
 
gf2m decode_gf2m (const uint8_t *mem)
 
void divide (const BigInt &x, const BigInt &y, BigInt &q, BigInt &r)
 
size_t dl_exponent_size (size_t bits)
 
size_t dl_work_factor (size_t bits)
 
template<typename E , typename... Args>
void do_throw_error (const char *file, int line, const char *func, Args...args)
 
secure_vector< uint8_t > EC2OSP (const PointGFp &point, uint8_t format)
 
size_t ecp_work_factor (size_t bits)
 
void ed25519_gen_keypair (uint8_t *pk, uint8_t *sk, const uint8_t seed[32])
 
void ed25519_gen_keypair (uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32])
 
void ed25519_sign (uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len)
 
bool ed25519_verify (const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len)
 
bool ed25519_verify (const uint8_t msg[], size_t msg_len, const uint8_t sig[64], const uint8_t pk[32], const uint8_t domain_sep[], size_t domain_sep_len)
 
uint32_t encode_gf2m (gf2m to_enc, uint8_t *mem)
 
std::string erase_chars (const std::string &str, const std::set< char > &chars)
 
template<typename T >
uint16_t expand_mask_16bit (T tst)
 
template<typename T >
T expand_top_bit (T a)
 
void fe_0 (fe &x)
 
void fe_1 (fe &x)
 
void fe_add (fe &x, const fe &a, const fe &b)
 
void fe_copy (fe &a, const fe &b)
 
void fe_frombytes (fe &x, const uint8_t *b)
 
void fe_invert (fe &x, const fe &z)
 
int fe_isnegative (const fe &x)
 
int fe_isnonzero (const fe &x)
 
void fe_mul (fe &x, const fe &a, const fe &b)
 
void fe_neg (fe &x, const fe &z)
 
void fe_pow22523 (fe &x, const fe &y)
 
void fe_sq (fe &x, const fe &z)
 
void fe_sq2 (fe &x, const fe &z)
 
void fe_sq_iter (fe &x, const fe &z, size_t iter)
 
void fe_sub (fe &x, const fe &a, const fe &b)
 
void fe_tobytes (uint8_t *b, const fe &x)
 
secure_vector< gf2mfind_roots_gf2m_decomp (const polyn_gf2m &polyn, size_t code_length)
 
 for (size_t r=0;r!=64;r+=8)
 
BigInt gcd (const BigInt &a, const BigInt &b)
 
void ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])
 
void ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t *a, const ge_p3 *A, const uint8_t *b)
 
int ge_frombytes_negate_vartime (ge_p3 *, const uint8_t *)
 
void ge_scalarmult_base (uint8_t out[32], const uint8_t in[32])
 
std::string generate_bcrypt (const std::string &pass, RandomNumberGenerator &rng, uint16_t work_factor, char version)
 
bool generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
 
std::vector< uint8_t > generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits)
 
McEliece_PrivateKey generate_mceliece_key (RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t)
 
std::string generate_passhash9 (const std::string &pass, RandomNumberGenerator &rng, uint16_t work_factor, uint8_t alg_id)
 
BigInt generate_rfc6979_nonce (const BigInt &x, const BigInt &q, const BigInt &h, const std::string &hash)
 
BigInt generate_rsa_prime (RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob)
 
BigInt generate_srp6_verifier (const std::string &identifier, const std::string &password, const std::vector< uint8_t > &salt, const std::string &group_id, const std::string &hash_id)
 
BigInt generate_srp6_verifier (const std::string &identifier, const std::string &password, const std::vector< uint8_t > &salt, const DL_Group &group, const std::string &hash_id)
 
AEAD_Modeget_aead (const std::string &name, Cipher_Dir direction)
 
BlockCipherModePaddingMethodget_bc_pad (const std::string &algo_spec)
 
template<typename T >
constexpr uint8_t get_byte (size_t byte_num, T input)
 
Keyed_Filterget_cipher (const std::string &algo_spec, Cipher_Dir direction)
 
Keyed_Filterget_cipher (const std::string &algo_spec, const SymmetricKey &key, Cipher_Dir direction)
 
Keyed_Filterget_cipher (const std::string &algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction)
 
Cipher_Modeget_cipher_mode (const std::string &algo_spec, Cipher_Dir direction, const std::string &provider="")
 
EMEget_eme (const std::string &algo_spec)
 
EMSAget_emsa (const std::string &algo_spec)
 
std::vector< std::string > get_files_recursive (const std::string &dir)
 
KDFget_kdf (const std::string &algo_spec)
 
PBKDFget_pbkdf (const std::string &algo_spec, const std::string &provider="")
 
PBKDFget_s2k (const std::string &algo_spec)
 
const std::vector< std::string > get_sig_paddings (const std::string algo)
 
gf2m gray_to_lex (gf2m gray)
 
bool has_filesystem_impl ()
 
std::string hash_for_emsa (const std::string &algo_spec)
 
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
 
size_t hex_decode (uint8_t output[], const std::string &input, bool ignore_ws)
 
std::vector< uint8_t > hex_decode (const char input[], size_t input_length, bool ignore_ws)
 
std::vector< uint8_t > hex_decode (const std::string &input, bool ignore_ws)
 
secure_vector< uint8_t > hex_decode_locked (const char input[], size_t input_length, bool ignore_ws)
 
secure_vector< uint8_t > hex_decode_locked (const std::string &input, bool ignore_ws)
 
void hex_encode (char output[], const uint8_t input[], size_t input_length, bool uppercase)
 
template<typename Alloc >
std::string hex_encode (const std::vector< uint8_t, Alloc > &input, bool uppercase=true)
 
std::string hex_encode (const uint8_t input[], size_t input_length, bool uppercase)
 
template<typename T >
size_t high_bit (T n)
 
secure_vector< uint8_t > hkdf_expand_label (const std::string &hash_fn, const uint8_t secret[], size_t secret_len, const std::string &label, const uint8_t hash_val[], size_t hash_val_len, size_t length)
 
bool host_wildcard_match (const std::string &issued_, const std::string &host_)
 
uint8_t ieee1363_hash_id (const std::string &name)
 
size_t if_work_factor (size_t bits)
 
void initialize_allocator ()
 
BigInt inverse_euclid (const BigInt &x, const BigInt &modulus)
 
BigInt inverse_mod (const BigInt &n, const BigInt &mod)
 
std::string ipv4_to_string (uint32_t ip)
 
bool is_bailie_psw_probable_prime (const BigInt &n, const Modular_Reducer &mod_n)
 
bool is_bailie_psw_probable_prime (const BigInt &n)
 
bool is_lucas_probable_prime (const BigInt &C, const Modular_Reducer &mod_C)
 
bool is_miller_rabin_probable_prime (const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
 
bool is_passhash9_alg_supported (uint8_t alg_id)
 
BigInt is_perfect_square (const BigInt &C)
 
template<typename T >
constexpr bool is_power_of_2 (T arg)
 
bool is_prime (const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
 
int32_t jacobi (const BigInt &a, const BigInt &n)
 
std::string key_constraints_to_string (Key_Constraints constraints)
 
BigInt lcm (const BigInt &a, const BigInt &b)
 
gf2m lex_to_gray (gf2m lex)
 
uint64_t load_3 (const uint8_t in[3])
 
uint64_t load_4 (const uint8_t *in)
 
template<typename T >
T load_be (const uint8_t in[], size_t off)
 
template<typename T >
void load_be (const uint8_t in[], T &x0, T &x1)
 
template<typename T >
void load_be (const uint8_t in[], T &x0, T &x1, T &x2, T &x3)
 
template<typename T >
void load_be (const uint8_t in[], T &x0, T &x1, T &x2, T &x3, T &x4, T &x5, T &x6, T &x7)
 
template<typename T >
void load_be (T out[], const uint8_t in[], size_t count)
 
template<>
uint16_t load_be< uint16_t > (const uint8_t in[], size_t off)
 
template<>
uint32_t load_be< uint32_t > (const uint8_t in[], size_t off)
 
template<>
uint64_t load_be< uint64_t > (const uint8_t in[], size_t off)
 
template<typename T >
T load_le (const uint8_t in[], size_t off)
 
template<typename T >
void load_le (const uint8_t in[], T &x0, T &x1)
 
template<typename T >
void load_le (const uint8_t in[], T &x0, T &x1, T &x2, T &x3)
 
template<typename T >
void load_le (const uint8_t in[], T &x0, T &x1, T &x2, T &x3, T &x4, T &x5, T &x6, T &x7)
 
template<typename T >
void load_le (T out[], const uint8_t in[], size_t count)
 
template<>
uint16_t load_le< uint16_t > (const uint8_t in[], size_t off)
 
template<>
uint32_t load_le< uint32_t > (const uint8_t in[], size_t off)
 
template<>
uint64_t load_le< uint64_t > (const uint8_t in[], size_t off)
 
std::unique_ptr< Private_Keyload_private_key (const AlgorithmIdentifier &alg_id, const secure_vector< uint8_t > &key_bits)
 
std::unique_ptr< Public_Keyload_public_key (const AlgorithmIdentifier &alg_id, const std::vector< uint8_t > &key_bits)
 
size_t low_zero_bits (const BigInt &n)
 
std::unique_ptr< BlockCiphermake_commoncrypto_block_cipher (const std::string &name)
 
Cipher_Modemake_commoncrypto_cipher_mode (const std::string &name, Cipher_Dir direction)
 
std::unique_ptr< HashFunctionmake_commoncrypto_hash (const std::string &name)
 
Compression_Algorithmmake_compressor (const std::string &name)
 
Decompression_Algorithmmake_decompressor (const std::string &name)
 
boost::system::error_code make_error_code (Botan::ErrorType e)
 
std::unique_ptr< BlockCiphermake_openssl_block_cipher (const std::string &name)
 
Cipher_Modemake_openssl_cipher_mode (const std::string &name, Cipher_Dir direction)
 
std::unique_ptr< HashFunctionmake_openssl_hash (const std::string &name)
 
constexpr uint16_t make_uint16 (uint8_t i0, uint8_t i1)
 
constexpr uint32_t make_uint32 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
 
constexpr uint64_t make_uint64 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7)
 
template<class T , class... Args>
stlCompatibilityDetails::_Unique_if< T >::_Single_object make_unique (Args &&...args)
 
template<class T >
stlCompatibilityDetails::_Unique_if< T >::_Unknown_bound make_unique (size_t n)
 
template<class T , class... Args>
stlCompatibilityDetails::_Unique_if< T >::_Known_bound make_unique (Args &&...)=delete
 
template<typename K , typename V >
std::set< K > map_keys_as_set (const std::map< K, V > &kv)
 
template<typename T , typename Pred >
void map_remove_if (Pred pred, T &assoc)
 
secure_vector< uint8_t > mceies_decrypt (const McEliece_PrivateKey &privkey, const uint8_t ct[], size_t ct_len, const uint8_t ad[], size_t ad_len, const std::string &algo)
 
secure_vector< uint8_t > mceies_encrypt (const McEliece_PublicKey &pubkey, const uint8_t pt[], size_t pt_len, const uint8_t ad[], size_t ad_len, RandomNumberGenerator &rng, const std::string &algo)
 
void mceliece_decrypt (secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
 
void mceliece_decrypt (secure_vector< uint8_t > &plaintext, secure_vector< uint8_t > &error_mask, const uint8_t ciphertext[], size_t ciphertext_len, const McEliece_PrivateKey &key)
 
secure_vector< uint8_t > mceliece_decrypt (secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key)
 
void mceliece_encrypt (secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng)
 
size_t mceliece_work_factor (size_t n, size_t t)
 
void mgf1_mask (HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
 
size_t miller_rabin_test_iterations (size_t n_bits, size_t prob, bool random)
 
BigInt monty_execute (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
 
BigInt monty_execute_vartime (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
 
word monty_inverse (word a)
 
BigInt monty_multi_exp (std::shared_ptr< const Montgomery_Params > params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
 
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute (std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
 
void mul64x64_128 (uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
 
BigInt mul_add (const BigInt &a, const BigInt &b, const BigInt &c)
 
BigInt mul_sub (const BigInt &a, const BigInt &b, const BigInt &c)
 
PointGFp multi_exponentiate (const PointGFp &p1, const BigInt &z1, const PointGFp &p2, const BigInt &z2)
 
template<typename K , typename V >
void multimap_insert (std::multimap< K, V > &multimap, const K &key, const V &value)
 
void newhope_keygen (uint8_t send[NEWHOPE_SENDABYTES], newhope_poly *sk, RandomNumberGenerator &rng, Newhope_Mode=Newhope_Mode::SHA3)
 
void newhope_keygen (uint8_t *send, poly *sk, RandomNumberGenerator &rng, Newhope_Mode mode)
 
void newhope_shareda (uint8_t sharedkey[NEWHOPE_SHARED_KEY_BYTES], const newhope_poly *ska, const uint8_t *received, Newhope_Mode mode=Newhope_Mode::SHA3)
 
void newhope_shareda (uint8_t sharedkey[], const poly *sk, const uint8_t received[], Newhope_Mode mode)
 
void newhope_sharedb (uint8_t sharedkey[NEWHOPE_SHARED_KEY_BYTES], uint8_t send[], const uint8_t *received, RandomNumberGenerator &rng, Newhope_Mode mode=Newhope_Mode::SHA3)
 
void newhope_sharedb (uint8_t *sharedkey, uint8_t *send, const uint8_t *received, RandomNumberGenerator &rng, Newhope_Mode mode)
 
secure_vector< uint8_t > nist_key_unwrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
secure_vector< uint8_t > nist_key_unwrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
std::vector< uint8_t > nist_key_wrap (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
std::vector< uint8_t > nist_key_wrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc)
 
BigInt normalized_montgomery_inverse (const BigInt &a, const BigInt &p)
 
secure_vector< uint8_t > oaep_find_delim (uint8_t &valid_mask, const uint8_t input[], size_t input_len, const secure_vector< uint8_t > &Phash)
 
bool operator!= (const CRL_Entry &a1, const CRL_Entry &a2)
 
template<typename T , typename U >
bool operator!= (const secure_allocator< T > &, const secure_allocator< U > &)
 
bool operator!= (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
 
bool operator!= (const OctetString &s1, const OctetString &s2)
 
bool operator!= (const X509_DN &dn1, const X509_DN &dn2)
 
bool operator!= (const CurveGFp &lhs, const CurveGFp &rhs)
 
bool operator!= (const OID &a, const OID &b)
 
bool operator!= (const PointGFp &lhs, const PointGFp &rhs)
 
bool operator!= (const ASN1_Time &, const ASN1_Time &)
 
bool operator!= (const EC_Group &lhs, const EC_Group &rhs)
 
bool operator!= (const X509_Certificate &cert1, const X509_Certificate &cert2)
 
bool operator!= (const BigInt &a, const BigInt &b)
 
bool operator!= (const BigInt &a, word b)
 
BigInt operator% (const BigInt &n, const BigInt &mod)
 
word operator% (const BigInt &n, word mod)
 
ECIES_Flags operator& (ECIES_Flags a, ECIES_Flags b)
 
BigInt operator* (const BigInt &x, const BigInt &y)
 
BigInt operator* (const BigInt &x, word y)
 
donna128 operator* (const donna128 &x, uint64_t y)
 
donna128 operator* (uint64_t y, const donna128 &x)
 
PointGFp operator* (const PointGFp &point, const BigInt &scalar)
 
PointGFp operator* (const BigInt &scalar, const PointGFp &point)
 
BigInt operator* (word x, const BigInt &y)
 
donna128 operator+ (const donna128 &x, const donna128 &y)
 
donna128 operator+ (const donna128 &x, uint64_t y)
 
OctetString operator+ (const OctetString &k1, const OctetString &k2)
 
OID operator+ (const OID &oid, uint32_t new_comp)
 
PointGFp operator+ (const PointGFp &lhs, const PointGFp &rhs)
 
BigInt operator+ (const BigInt &x, const BigInt &y)
 
BigInt operator+ (const BigInt &x, word y)
 
BigInt operator+ (word x, const BigInt &y)
 
template<typename T , typename Alloc , typename Alloc2 >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::vector< T, Alloc2 > &in)
 
template<typename T , typename Alloc >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, T in)
 
template<typename T , typename Alloc , typename L >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< const T *, L > &in)
 
template<typename T , typename Alloc , typename L >
std::vector< T, Alloc > & operator+= (std::vector< T, Alloc > &out, const std::pair< T *, L > &in)
 
PointGFp operator- (const PointGFp &lhs)
 
PointGFp operator- (const PointGFp &lhs, const PointGFp &rhs)
 
BigInt operator- (const BigInt &x, const BigInt &y)
 
BigInt operator- (const BigInt &x, word y)
 
BigInt operator/ (const BigInt &x, const BigInt &y)
 
BigInt operator/ (const BigInt &x, word y)
 
bool operator< (const X509_DN &dn1, const X509_DN &dn2)
 
bool operator< (const OID &a, const OID &b)
 
bool operator< (const ASN1_Time &, const ASN1_Time &)
 
bool operator< (const BigInt &a, const BigInt &b)
 
bool operator< (const BigInt &a, word b)
 
int operator<< (int fd, Pipe &pipe)
 
std::ostream & operator<< (std::ostream &stream, const BigInt &n)
 
std::ostream & operator<< (std::ostream &out, const X509_DN &dn)
 
BigInt operator<< (const BigInt &x, size_t shift)
 
std::ostream & operator<< (std::ostream &os, const GeneralName &gn)
 
std::ostream & operator<< (std::ostream &os, const GeneralSubtree &gs)
 
std::ostream & operator<< (std::ostream &out, Pipe &pipe)
 
bool operator<= (const ASN1_Time &, const ASN1_Time &)
 
bool operator<= (const BigInt &a, const BigInt &b)
 
bool operator<= (const BigInt &a, word b)
 
bool operator== (const CRL_Entry &a1, const CRL_Entry &a2)
 
template<typename T , typename U >
bool operator== (const secure_allocator< T > &, const secure_allocator< U > &)
 
bool operator== (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
 
bool operator== (const OctetString &s1, const OctetString &s2)
 
bool operator== (const X509_DN &dn1, const X509_DN &dn2)
 
bool operator== (const ASN1_Time &, const ASN1_Time &)
 
bool operator== (const BigInt &a, const BigInt &b)
 
bool operator== (const BigInt &a, word b)
 
bool operator> (const ASN1_Time &, const ASN1_Time &)
 
bool operator> (const BigInt &a, const BigInt &b)
 
bool operator> (const BigInt &a, word b)
 
bool operator>= (const ASN1_Time &, const ASN1_Time &)
 
bool operator>= (const BigInt &a, const BigInt &b)
 
bool operator>= (const BigInt &a, word b)
 
int operator>> (int fd, Pipe &pipe)
 
std::istream & operator>> (std::istream &stream, BigInt &n)
 
std::istream & operator>> (std::istream &in, X509_DN &dn)
 
BigInt operator>> (const BigInt &x, size_t shift)
 
std::istream & operator>> (std::istream &in, Pipe &pipe)
 
OctetString operator^ (const OctetString &k1, const OctetString &k2)
 
template<typename Alloc , typename Alloc2 >
std::vector< uint8_t, Alloc > & operator^= (std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in)
 
ECIES_Flags operator| (ECIES_Flags a, ECIES_Flags b)
 
donna128 operator| (const donna128 &x, const donna128 &y)
 
template<typename Alloc >
PointGFp OS2ECP (const std::vector< uint8_t, Alloc > &data, const CurveGFp &curve)
 
PointGFp OS2ECP (const uint8_t data[], size_t data_len, const CurveGFp &curve)
 
std::pair< BigInt, BigIntOS2ECP (const uint8_t data[], size_t data_len, const BigInt &curve_p, const BigInt &curve_a, const BigInt &curve_b)
 
std::vector< std::string > parse_algorithm_name (const std::string &namex)
 
std::vector< uint32_t > parse_asn1_oid (const std::string &oid)
 
bool passes_miller_rabin_test (const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
 
secure_vector< uint8_t > pbes2_decrypt (const secure_vector< uint8_t > &key_bits, const std::string &passphrase, const std::vector< uint8_t > &params)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt (const secure_vector< uint8_t > &key_bits, const std::string &passphrase, std::chrono::milliseconds msec, const std::string &cipher, const std::string &digest, RandomNumberGenerator &rng)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_iter (const secure_vector< uint8_t > &key_bits, const std::string &passphrase, size_t pbkdf_iter, const std::string &cipher, const std::string &digest, RandomNumberGenerator &rng)
 
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > pbes2_encrypt_msec (const secure_vector< uint8_t > &key_bits, const std::string &passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, const std::string &cipher, const std::string &digest, RandomNumberGenerator &rng)
 
size_t pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const std::string &password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
 
void pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const uint8_t salt[], size_t salt_len, size_t iterations)
 
std::vector< uint8_t > pkcs_hash_id (const std::string &name)
 
void poly_double_n (uint8_t buf[], size_t n)
 
void poly_double_n (uint8_t out[], const uint8_t in[], size_t n)
 
void poly_double_n_le (uint8_t out[], const uint8_t in[], size_t n)
 
bool poly_double_supported_size (size_t n)
 
BigInt power_mod (const BigInt &base, const BigInt &exp, const BigInt &mod)
 
template<typename T >
void prefetch_readonly (const T *addr, size_t length)
 
template<typename T >
void prefetch_readwrite (const T *addr, size_t length)
 
const BigIntprime_p192 ()
 
const BigIntprime_p224 ()
 
const BigIntprime_p256 ()
 
const BigIntprime_p384 ()
 
const BigIntprime_p521 ()
 
std::vector< std::string > probe_provider_private_key (const std::string &alg_name, const std::vector< std::string > possible)
 
template<typename T >
std::vector< std::string > probe_providers_of (const std::string &algo_spec, const std::vector< std::string > &possible)
 
bool quick_check_prime (const BigInt &n, RandomNumberGenerator &rng)
 
gf2m random_code_element (uint16_t code_length, RandomNumberGenerator &rng)
 
gf2m random_gf2m (RandomNumberGenerator &rng)
 
BigInt random_prime (RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
 
BigInt random_safe_prime (RandomNumberGenerator &rng, size_t bits)
 
std::map< std::string, std::string > read_cfg (std::istream &is)
 
std::map< std::string, std::string > read_kv (const std::string &kv)
 
void redc_mul (int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
 
void redc_p192 (BigInt &x, secure_vector< word > &ws)
 
void redc_p224 (BigInt &x, secure_vector< word > &ws)
 
void redc_p256 (BigInt &x, secure_vector< word > &ws)
 
void redc_p384 (BigInt &x, secure_vector< word > &ws)
 
void redc_p521 (BigInt &x, secure_vector< word > &ws)
 
std::string replace_char (const std::string &str, char from_char, char to_char)
 
std::string replace_chars (const std::string &str, const std::set< char > &chars, char to_char)
 
BigInt ressol (const BigInt &x, const BigInt &p)
 
uint16_t reverse_bytes (uint16_t val)
 
uint32_t reverse_bytes (uint32_t val)
 
uint64_t reverse_bytes (uint64_t val)
 
secure_vector< uint8_t > rfc3394_keyunwrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
 
secure_vector< uint8_t > rfc3394_keywrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek)
 
size_t RFC4880_decode_count (uint8_t iter)
 
uint8_t RFC4880_encode_count (size_t desired_iterations)
 
size_t RFC4880_round_iterations (size_t iterations)
 
template<typename T >
T rotate_left (T input, size_t rot)
 
template<typename T >
T rotate_right (T input, size_t rot)
 
template<size_t ROT, typename T >
constexpr T rotl (T input)
 
template<typename T >
T rotl_var (T input, size_t rot)
 
template<size_t ROT, typename T >
constexpr T rotr (T input)
 
template<typename T >
T rotr_var (T input, size_t rot)
 
template<typename T >
constexpr T round_down (T n, T align_to)
 
size_t round_up (size_t n, size_t align_to)
 
std::string runtime_version_check (uint32_t major, uint32_t minor, uint32_t patch)
 
template<typename T >
bool same_mem (const T *p1, const T *p2, size_t n)
 
void sc_muladd (uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
 
void sc_reduce (uint8_t *)
 
void scrypt (uint8_t output[], size_t output_len, const std::string &password, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
 
void scrypt (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
 
size_t scrypt_memory_usage (size_t N, size_t r, size_t p)
 
template<typename K , typename V >
search_map (const std::map< K, V > &mapping, const K &key, const V &null_result=V())
 
template<typename K , typename V , typename R >
search_map (const std::map< K, V > &mapping, const K &key, const R &null_result, const R &found_result)
 
void secure_scrub_memory (void *ptr, size_t n)
 
void set_mem (uint8_t *ptr, size_t n, uint8_t val)
 
void SHA3_round (uint64_t T[25], const uint64_t A[25], uint64_t RC)
 
const char * short_version_cstr ()
 
std::string short_version_string ()
 
bool sig_algo_and_pad_ok (const std::string algo, const std::string padding)
 
template<typename T >
size_t significant_bytes (T n)
 
std::vector< uint8_t > sm2_compute_za (HashFunction &hash, const std::string &user_id, const EC_Group &domain, const PointGFp &pubkey)
 
std::vector< std::string > split_on (const std::string &str, char delim)
 
std::vector< std::string > split_on_pred (const std::string &str, std::function< bool(char)> pred)
 
BigInt square (const BigInt &x)
 
std::pair< BigInt, SymmetricKeysrp6_client_agree (const std::string &identifier, const std::string &password, const std::string &group_id, const std::string &hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
 
std::pair< BigInt, SymmetricKeysrp6_client_agree (const std::string &identifier, const std::string &password, const DL_Group &group, const std::string &hash_id, const std::vector< uint8_t > &salt, const BigInt &B, const size_t a_bits, RandomNumberGenerator &rng)
 
std::string srp6_group_identifier (const BigInt &N, const BigInt &g)
 
A store_be (out)
 
B store_be (out+32)
 
void store_be (uint16_t in, uint8_t out[2])
 
void store_be (uint32_t in, uint8_t out[4])
 
void store_be (uint64_t in, uint8_t out[8])
 
template<typename T >
void store_be (uint8_t out[], T x0, T x1)
 
template<typename T >
void store_be (uint8_t out[], T x0, T x1, T x2, T x3)
 
template<typename T >
void store_be (uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
 
void store_le (uint16_t in, uint8_t out[2])
 
void store_le (uint32_t in, uint8_t out[4])
 
void store_le (uint64_t in, uint8_t out[8])
 
template<typename T >
void store_le (uint8_t out[], T x0, T x1)
 
template<typename T >
void store_le (uint8_t out[], T x0, T x1, T x2, T x3)
 
template<typename T >
void store_le (uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
 
std::string string_join (const std::vector< std::string > &strs, char delim)
 
uint32_t string_to_ipv4 (const std::string &str)
 
BigInt sub_mul (const BigInt &a, const BigInt &b, const BigInt &c)
 
template<typename T >
void swap_bits (T &x, T &y, T mask, size_t shift)
 
std::vector< polyn_gf2msyndrome_init (polyn_gf2m const &generator, std::vector< gf2m > const &support, int n)
 
RandomNumberGeneratorsystem_rng ()
 
void throw_invalid_argument (const char *message, const char *func, const char *file)
 
void throw_invalid_state (const char *expr, const char *func, const char *file)
 
uint32_t timespec_to_u32bit (const std::string &timespec)
 
std::vector< uint8_t > to_byte_vector (const std::string &s)
 
std::string to_string (ErrorType type)
 Convert an ErrorType to string. More...
 
const char * to_string (Certificate_Status_Code code)
 
std::string to_string (const secure_vector< uint8_t > &bytes)
 
uint32_t to_u32bit (const std::string &str)
 
uint16_t to_uint16 (const std::string &str)
 
std::string tolower_string (const std::string &in)
 
template<typename T >
void typecast_copy (uint8_t out[], T in[], size_t N)
 
template<typename T >
void typecast_copy (T out[], const uint8_t in[], size_t N)
 
template<typename T >
void typecast_copy (uint8_t out[], T in)
 
template<typename T >
void typecast_copy (T &out, const uint8_t in[])
 
template<class To , class From >
To typecast_copy (const From *src) noexcept
 
std::string ucs2_to_utf8 (const uint8_t ucs2[], size_t len)
 
std::string ucs4_to_utf8 (const uint8_t ucs4[], size_t len)
 
template<typename T >
std::vector< Tunlock (const secure_vector< T > &in)
 
std::string utf8_to_latin1 (const std::string &utf8)
 
template<typename T >
bool value_exists (const std::vector< T > &vec, const T &val)
 
size_t var_ctz32 (uint32_t n)
 
void vartime_divide (const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
 
void verify_cert_constraints_valid_for_key_type (const Public_Key &pub_key, Key_Constraints constraints)
 
bool verify_prime (const BigInt &n, RandomNumberGenerator &rng)
 
const char * version_cstr ()
 
uint32_t version_datestamp ()
 
uint32_t version_major ()
 
uint32_t version_minor ()
 
uint32_t version_patch ()
 
std::string version_string ()
 
 while (blocks >=4)
 
void word3_add (word *w2, word *w1, word *w0, word x)
 
void word3_muladd (word *w2, word *w1, word *w0, word x, word y)
 
void word3_muladd_2 (word *w2, word *w1, word *w0, word x, word y)
 
word word8_add2 (word x[8], const word y[8], word carry)
 
word word8_add3 (word z[8], const word x[8], const word y[8], word carry)
 
word word8_linmul2 (word x[8], word y, word carry)
 
word word8_linmul3 (word z[8], const word x[8], word y, word carry)
 
word word8_madd3 (word z[8], const word x[8], word y, word carry)
 
word word8_sub2 (word x[8], const word y[8], word carry)
 
word word8_sub2_rev (word x[8], const word y[8], word carry)
 
word word8_sub3 (word z[8], const word x[8], const word y[8], word carry)
 
word word_add (word x, word y, word *carry)
 
word word_madd2 (word a, word b, word *c)
 
word word_madd3 (word a, word b, word c, word *d)
 
word word_sub (word x, word y, word *carry)
 
bool x500_name_cmp (const std::string &name1, const std::string &name2)
 
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
 
Path_Validation_Result x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
 
void xor_buf (uint8_t out[], const uint8_t in[], size_t length)
 
void xor_buf (uint8_t out[], const uint8_t in[], const uint8_t in2[], size_t length)
 
template<typename Alloc , typename Alloc2 >
void xor_buf (std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in, size_t n)
 
template<typename Alloc >
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, size_t n)
 
template<typename Alloc , typename Alloc2 >
void xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
 
template<typename T , typename Alloc >
void zap (std::vector< T, Alloc > &vec)
 
template<typename T , typename Alloc >
void zeroise (std::vector< T, Alloc > &vec)
 

Variables

void BOTAN_FUNC_ISA("avx2") SHACAL2 SIMD_8x32 A = SIMD_8x32::load_be(in)
 
const std::map< const std::string, std::vector< std::string > > allowed_signature_paddings
 
SIMD_8x32 B = SIMD_8x32::load_be(in+32)
 
SIMD_8x32 C = SIMD_8x32::load_be(in+64)
 
const uint32_t CAST_SBOX1 [256]
 
const uint32_t CAST_SBOX2 [256]
 
const uint32_t CAST_SBOX3 [256]
 
const uint32_t CAST_SBOX4 [256]
 
SIMD_8x32 D = SIMD_8x32::load_be(in+96)
 
const uint32_t DES_SPBOX1 [256]
 
const uint32_t DES_SPBOX2 [256]
 
const uint32_t DES_SPBOX3 [256]
 
const uint32_t DES_SPBOX4 [256]
 
const uint32_t DES_SPBOX5 [256]
 
const uint32_t DES_SPBOX6 [256]
 
const uint32_t DES_SPBOX7 [256]
 
const uint32_t DES_SPBOX8 [256]
 
SIMD_8x32 E = SIMD_8x32::load_be(in+128)
 
SIMD_8x32 F = SIMD_8x32::load_be(in+160)
 
SIMD_8x32 G = SIMD_8x32::load_be(in+192)
 
SIMD_8x32 H = SIMD_8x32::load_be(in+224)
 
const size_t HEX_CODEC_BUFFER_SIZE = 256
 
const uint32_t * input32 = reinterpret_cast<const uint32_t*>(reinterpret_cast<const void*>(input8))
 
void BOTAN_FUNC_ISA("arch=armv8.2-a+sm4") SM4 const uint32x4_t K1 = vld1q_u32(&m_RK[ 4])
 
const uint32x4_t K2 = vld1q_u32(&m_RK[ 8])
 
const uint32x4_t K3 = vld1q_u32(&m_RK[12])
 
const uint32x4_t K4 = vld1q_u32(&m_RK[16])
 
const uint32x4_t K5 = vld1q_u32(&m_RK[20])
 
const uint32x4_t K6 = vld1q_u32(&m_RK[24])
 
const uint32x4_t K7 = vld1q_u32(&m_RK[28])
 
const word MP_WORD_MAX = ~static_cast<word>(0)
 
uint32_t * output32 = reinterpret_cast<uint32_t*>(reinterpret_cast<void*>(output8))
 
const size_t PRIME_TABLE_SIZE = 6541
 
const uint16_t PRIMES []
 
const uint64_t STREEBOG_Ax [8][256]
 
const uint64_t STREEBOG_C [12][8]
 

Detailed Description

(C) 2018,2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2019 Jack Lloyd

Botan is released under the Simplified BSD License (see license.txt)

(C) 2018 Jack Lloyd (C) 2018 Ribose Inc

Botan is released under the Simplified BSD License (see license.txt)

Ordinary applications should never need to include or use this header. It is exposed only for specialized applications which want to implement new versions of public key crypto without merging them as changes to the library. One actual example of such usage is an application which creates RSA signatures using a custom TPM library. Unless you're doing something like that, you don't need anything here. Instead use pubkey.h which wraps these types safely and provides a stable application-oriented API.

XMSS WOTS Addressed Private Key (C) 2016 Matthias Gierlings

Botan is released under the Simplified BSD License (see license.txt)

XMSS WOTS Addressed Public Key (C) 2016,2017 Matthias Gierlings

Botan is released under the Simplified BSD License (see license.txt)

Typedef Documentation

typedef __vector unsigned int Botan::Altivec32x4

Definition at line 22 of file aes_power8.cpp.

typedef __vector unsigned long long Botan::Altivec64x2

Definition at line 21 of file aes_power8.cpp.

typedef __vector unsigned char Botan::Altivec8x16

Definition at line 23 of file aes_power8.cpp.

Definition at line 56 of file blake2b.h.

using Botan::byte = typedef std::uint8_t

Definition at line 89 of file types.h.

This type represents the validation status of an entire certificate path. There is one set of status codes for each certificate in the path.

Definition at line 29 of file x509path.h.

Definition at line 394 of file ec_group.h.

Definition at line 134 of file ed25519_fe.h.

typedef uint16_t Botan::gf2m

Definition at line 22 of file gf2m_small_m.h.

Alternate name for octet string showing intent to use as an IV

Definition at line 146 of file symkey.h.

For compatability with older versions

Definition at line 301 of file exceptn.h.

template<typename T >
using Botan::lock_guard_type = typedef lock_guard<T>

Definition at line 54 of file mutex.h.

Definition at line 139 of file mac.h.

Definition at line 52 of file mutex.h.

Definition at line 311 of file pk_keys.h.

Definition at line 313 of file pk_keys.h.

Definition at line 25 of file newhope.cpp.

Definition at line 53 of file mutex.h.

Convenience typedef

Definition at line 191 of file rng.h.

typedef PBKDF Botan::S2K

Definition at line 224 of file pbkdf.h.

using Botan::s32bit = typedef std::int32_t

Definition at line 93 of file types.h.

template<typename T >
using Botan::secure_deque = typedef std::deque<T, secure_allocator<T>>

Definition at line 66 of file secmem.h.

template<typename T >
using Botan::secure_vector = typedef std::vector<T, secure_allocator<T>>

Definition at line 65 of file secmem.h.

template<typename T >
using Botan::SecureVector = typedef secure_vector<T>

Definition at line 69 of file secmem.h.

Definition at line 71 of file sha160.h.

Definition at line 120 of file sm2.h.

Definition at line 117 of file sm2.h.

Definition at line 119 of file sm2.h.

Definition at line 116 of file sm2.h.

Alternate name for octet string showing intent to use as a key

Definition at line 141 of file symkey.h.

Definition at line 196 of file filters.h.

Definition at line 197 of file filters.h.

using Botan::u16bit = typedef std::uint16_t

Definition at line 90 of file types.h.

using Botan::u32bit = typedef std::uint32_t

Definition at line 91 of file types.h.

using Botan::u64bit = typedef std::uint64_t

Definition at line 92 of file types.h.

typedef std::vector< secure_vector< uint8_t > > Botan::wots_keysig_t

Definition at line 21 of file xmss_common_ops.h.

Definition at line 103 of file curve25519.h.

Definition at line 102 of file curve25519.h.

Definition at line 312 of file pk_keys.h.

Definition at line 386 of file asn1_obj.h.

Enumeration Type Documentation

anonymous enum
Enumerator
SM3_BLOCK_BYTES 
SM3_DIGEST_BYTES 

Definition at line 17 of file sm3.h.

17  {
18  SM3_BLOCK_BYTES = 64,
19  SM3_DIGEST_BYTES = 32
20 };
enum Botan::ASN1_Tag : uint32_t

ASN.1 Type and Class Tags This will become an enum class in a future major release

Enumerator
UNIVERSAL 
APPLICATION 
CONTEXT_SPECIFIC 
CONSTRUCTED 
PRIVATE 
EOC 
BOOLEAN 
INTEGER 
BIT_STRING 
OCTET_STRING 
NULL_TAG 
OBJECT_ID 
ENUMERATED 
SEQUENCE 
SET 
UTF8_STRING 
NUMERIC_STRING 
PRINTABLE_STRING 
T61_STRING 
IA5_STRING 
VISIBLE_STRING 
UNIVERSAL_STRING 
BMP_STRING 
UTC_TIME 
GENERALIZED_TIME 
UTC_OR_GENERALIZED_TIME 
NO_OBJECT 
DIRECTORY_STRING 

Definition at line 25 of file asn1_obj.h.

25  : uint32_t {
26  UNIVERSAL = 0x00,
27  APPLICATION = 0x40,
28  CONTEXT_SPECIFIC = 0x80,
29 
30  CONSTRUCTED = 0x20,
31 
33 
34  EOC = 0x00,
35  BOOLEAN = 0x01,
36  INTEGER = 0x02,
37  BIT_STRING = 0x03,
38  OCTET_STRING = 0x04,
39  NULL_TAG = 0x05,
40  OBJECT_ID = 0x06,
41  ENUMERATED = 0x0A,
42  SEQUENCE = 0x10,
43  SET = 0x11,
44 
45  UTF8_STRING = 0x0C,
46  NUMERIC_STRING = 0x12,
47  PRINTABLE_STRING = 0x13,
48  T61_STRING = 0x14,
49  IA5_STRING = 0x16,
50  VISIBLE_STRING = 0x1A,
51  UNIVERSAL_STRING = 0x1C,
52  BMP_STRING = 0x1E,
53 
54  UTC_TIME = 0x17,
55  GENERALIZED_TIME = 0x18,
57 
58  NO_OBJECT = 0xFF00,
59  DIRECTORY_STRING = 0xFF01
60 };

Certificate validation status code

Enumerator
OK 
VERIFIED 
OCSP_RESPONSE_GOOD 
OCSP_SIGNATURE_OK 
VALID_CRL_CHECKED 
OCSP_NO_HTTP 
FIRST_WARNING_STATUS 
CERT_SERIAL_NEGATIVE 
DN_TOO_LONG 
OCSP_NO_REVOCATION_URL 
OCSP_SERVER_NOT_AVAILABLE 
OSCP_NO_REVOCATION_URL 
OSCP_SERVER_NOT_AVAILABLE 
FIRST_ERROR_STATUS 
SIGNATURE_METHOD_TOO_WEAK 
UNTRUSTED_HASH 
NO_REVOCATION_DATA 
NO_MATCHING_CRLDP 
CERT_NOT_YET_VALID 
CERT_HAS_EXPIRED 
OCSP_NOT_YET_VALID 
OCSP_HAS_EXPIRED 
CRL_NOT_YET_VALID 
CRL_HAS_EXPIRED 
OCSP_IS_TOO_OLD 
CERT_ISSUER_NOT_FOUND 
CANNOT_ESTABLISH_TRUST 
CERT_CHAIN_LOOP 
CHAIN_LACKS_TRUST_ROOT 
CHAIN_NAME_MISMATCH 
POLICY_ERROR 
INVALID_USAGE 
CERT_CHAIN_TOO_LONG 
CA_CERT_NOT_FOR_CERT_ISSUER 
NAME_CONSTRAINT_ERROR 
CA_CERT_NOT_FOR_CRL_ISSUER 
OCSP_CERT_NOT_LISTED 
OCSP_BAD_STATUS 
CERT_NAME_NOMATCH 
UNKNOWN_CRITICAL_EXTENSION 
DUPLICATE_CERT_EXTENSION 
OCSP_SIGNATURE_ERROR 
OCSP_ISSUER_NOT_FOUND 
OCSP_RESPONSE_MISSING_KEYUSAGE 
OCSP_RESPONSE_INVALID 
EXT_IN_V1_V2_CERT 
DUPLICATE_CERT_POLICY 
V2_IDENTIFIERS_IN_V1_CERT 
CERT_IS_REVOKED 
CRL_BAD_SIGNATURE 
SIGNATURE_ERROR 
CERT_PUBKEY_INVALID 
SIGNATURE_ALGO_UNKNOWN 
SIGNATURE_ALGO_BAD_PARAMS 

Definition at line 17 of file pkix_enums.h.

17  {
18  OK = 0,
19  VERIFIED = 0,
20 
21  // Revocation status
25  OCSP_NO_HTTP = 4,
26 
27  // Warnings
30  DN_TOO_LONG = 501,
33 
34  // Typo versions of above - will be removed in future major release
37 
38  // Errors
39  FIRST_ERROR_STATUS = 1000,
40 
42  UNTRUSTED_HASH = 1001,
43  NO_REVOCATION_DATA = 1002,
44  NO_MATCHING_CRLDP = 1003,
45 
46  // Time problems
47  CERT_NOT_YET_VALID = 2000,
48  CERT_HAS_EXPIRED = 2001,
49  OCSP_NOT_YET_VALID = 2002,
50  OCSP_HAS_EXPIRED = 2003,
51  CRL_NOT_YET_VALID = 2004,
52  CRL_HAS_EXPIRED = 2005,
53  OCSP_IS_TOO_OLD = 2006,
54 
55  // Chain generation problems
56  CERT_ISSUER_NOT_FOUND = 3000,
58  CERT_CHAIN_LOOP = 3002,
60  CHAIN_NAME_MISMATCH = 3004,
61 
62  // Validation errors
63  POLICY_ERROR = 4000,
64  INVALID_USAGE = 4001,
65  CERT_CHAIN_TOO_LONG = 4002,
67  NAME_CONSTRAINT_ERROR = 4004,
68 
69  // Revocation errors
71  OCSP_CERT_NOT_LISTED = 4006,
72  OCSP_BAD_STATUS = 4007,
73 
74  // Other problems
75  CERT_NAME_NOMATCH = 4008,
78  OCSP_SIGNATURE_ERROR = 4501,
79  OCSP_ISSUER_NOT_FOUND = 4502,
81  OCSP_RESPONSE_INVALID = 4504,
82  EXT_IN_V1_V2_CERT = 4505,
83  DUPLICATE_CERT_POLICY = 4506,
85 
86  // Hard failures
87  CERT_IS_REVOKED = 5000,
88  CRL_BAD_SIGNATURE = 5001,
89  SIGNATURE_ERROR = 5002,
90  CERT_PUBKEY_INVALID = 5003,
93 };

The different charsets (nominally) supported by Botan.

Enumerator
LOCAL_CHARSET 
UCS2_CHARSET 
UTF8_CHARSET 
LATIN1_CHARSET 

Definition at line 43 of file charset.h.

enum Botan::Cipher_Dir : int

The two possible directions for cipher filters, determining whether they actually perform encryption or decryption.

Enumerator
ENCRYPTION 
DECRYPTION 

Definition at line 23 of file cipher_mode.h.

enum Botan::CRL_Code : uint32_t

X.509v2 CRL Reason Code. This will become an enum class in a future major release

Enumerator
UNSPECIFIED 
KEY_COMPROMISE 
CA_COMPROMISE 
AFFILIATION_CHANGED 
SUPERSEDED 
CESSATION_OF_OPERATION 
CERTIFICATE_HOLD 
REMOVE_FROM_CRL 
PRIVLEDGE_WITHDRAWN 
PRIVILEGE_WITHDRAWN 
AA_COMPROMISE 
DELETE_CRL_ENTRY 
OCSP_GOOD 
OCSP_UNKNOWN 

Definition at line 123 of file pkix_enums.h.

The type of checking to be performed by decoders: NONE - no checks, IGNORE_WS - perform checks, but ignore whitespaces, FULL_CHECK - perform checks, also complain about white spaces.

Enumerator
NONE 
IGNORE_WS 
FULL_CHECK 

Definition at line 171 of file filter.h.

Enumerator
Builtin 
RandomlyGenerated 
ExternalSource 

Definition at line 18 of file dl_group.h.

This class represents elliptic curce domain parameters

Enumerator
EC_DOMPAR_ENC_EXPLICIT 
EC_DOMPAR_ENC_IMPLICITCA 
EC_DOMPAR_ENC_OID 

Definition at line 23 of file ec_group.h.

Enumerator
Builtin 
ExternalSource 

Definition at line 29 of file ec_group.h.

enum Botan::ECIES_Flags : uint32_t
strong
Enumerator
NONE 
SINGLE_HASH_MODE 

if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key

COFACTOR_MODE 

(decryption only) if set: use cofactor multiplication during (ecdh) key agreement

OLD_COFACTOR_MODE 

if set: use ecdhc instead of ecdh

CHECK_MODE 

(decryption only) if set: test if the (ephemeral) public key is on the curve

Definition at line 27 of file ecies.h.

27  : uint32_t
28  {
29  NONE = 0,
30 
31  /// if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
32  SINGLE_HASH_MODE = 1,
33 
34  /// (decryption only) if set: use cofactor multiplication during (ecdh) key agreement
35  COFACTOR_MODE = 2,
36 
37  /// if set: use ecdhc instead of ecdh
39 
40  /// (decryption only) if set: test if the (ephemeral) public key is on the curve
41  CHECK_MODE = 8
42  };
(decryption only) if set: test if the (ephemeral) public key is on the curve
if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key ...
if set: use ecdhc instead of ecdh
(decryption only) if set: use cofactor multiplication during (ecdh) key agreement ...
enum Botan::ErrorType
strong

Different types of errors that might occur

Enumerator
Unknown 

Some unknown error

SystemError 

An error while calling a system interface

NotImplemented 

An operation seems valid, but not supported by the current version

OutOfMemory 

Memory allocation failure

InternalError 

An internal error occurred

IoError 

An I/O error occurred

InvalidObjectState 

Invalid object state

KeyNotSet 

A key was not set on an object when this is required

InvalidArgument 

The application provided an argument which is invalid

InvalidKeyLength 

A key with invalid length was provided

InvalidNonceLength 

A nonce with invalid length was provided

LookupError 

An object type was requested but cannot be found

EncodingFailure 

Encoding a message or datum failed

DecodingFailure 

Decoding a message or datum failed

TLSError 

A TLS error (error_code will be the alert type)

HttpError 

An error during an HTTP operation

InvalidTag 

A message with an invalid authentication tag was detected

RoughtimeError 

An error during Roughtime validation

OpenSSLError 

An error when calling OpenSSL

CommonCryptoError 

An error when interacting with CommonCrypto API

Pkcs11Error 

An error when interacting with a PKCS11 device

TPMError 

An error when interacting with a TPM device

DatabaseError 

An error when interacting with a database

ZlibError 

An error when interacting with zlib

Bzip2Error 

An error when interacting with bzip2

LzmaError 

An error when interacting with lzma

Definition at line 20 of file exceptn.h.

20  {
21  /** Some unknown error */
22  Unknown = 1,
23  /** An error while calling a system interface */
25  /** An operation seems valid, but not supported by the current version */
27  /** Memory allocation failure */
29  /** An internal error occurred */
31  /** An I/O error occurred */
32  IoError,
33 
34  /** Invalid object state */
35  InvalidObjectState = 100,
36  /** A key was not set on an object when this is required */
37  KeyNotSet,
38  /** The application provided an argument which is invalid */
40  /** A key with invalid length was provided */
42  /** A nonce with invalid length was provided */
44  /** An object type was requested but cannot be found */
46  /** Encoding a message or datum failed */
48  /** Decoding a message or datum failed */
50  /** A TLS error (error_code will be the alert type) */
51  TLSError,
52  /** An error during an HTTP operation */
53  HttpError,
54  /** A message with an invalid authentication tag was detected */
55  InvalidTag,
56  /** An error during Roughtime validation */
58 
59  /** An error when calling OpenSSL */
60  OpenSSLError = 200,
61  /** An error when interacting with CommonCrypto API */
63  /** An error when interacting with a PKCS11 device */
65  /** An error when interacting with a TPM device */
66  TPMError,
67  /** An error when interacting with a database */
69 
70  /** An error when interacting with zlib */
71  ZlibError = 300,
72  /** An error when interacting with bzip2 */
73  Bzip2Error,
74  /** An error when interacting with lzma */
75  LzmaError,
76 
77 };

X.509v3 Key Constraints. If updating update copy in ffi.h

Enumerator
NO_CONSTRAINTS 
DIGITAL_SIGNATURE 
NON_REPUDIATION 
KEY_ENCIPHERMENT 
DATA_ENCIPHERMENT 
KEY_AGREEMENT 
KEY_CERT_SIGN 
CRL_SIGN 
ENCIPHER_ONLY 
DECIPHER_ONLY 

Definition at line 106 of file pkix_enums.h.

106  {
107  NO_CONSTRAINTS = 0,
108  DIGITAL_SIGNATURE = 1 << 15,
109  NON_REPUDIATION = 1 << 14,
110  KEY_ENCIPHERMENT = 1 << 13,
111  DATA_ENCIPHERMENT = 1 << 12,
112  KEY_AGREEMENT = 1 << 11,
113  KEY_CERT_SIGN = 1 << 10,
114  CRL_SIGN = 1 << 9,
115  ENCIPHER_ONLY = 1 << 8,
116  DECIPHER_ONLY = 1 << 7
117 };
Definition: ffi.h:1572
enum Botan::Newhope_Mode
strong

This chooses the XOF + hash for NewHope The official NewHope specification and reference implementation use SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in CTR mode. CECPQ1 (x25519+NewHope) always uses BoringSSL's mode

Enumerator
SHA3 
BoringSSL 

Definition at line 58 of file newhope.h.

Enumerator
NEWHOPE_SENDABYTES 
NEWHOPE_SENDBBYTES 
NEWHOPE_OFFER_BYTES 
NEWHOPE_ACCEPT_BYTES 
NEWHOPE_SHARED_KEY_BYTES 
NEWHOPE_SEED_BYTES 
NEWHOPE_POLY_BYTES 
CECPQ1_OFFER_BYTES 
CECPQ1_ACCEPT_BYTES 
CECPQ1_SHARED_KEY_BYTES 

Definition at line 35 of file newhope.h.

The two types of signature format supported by Botan.

Enumerator
IEEE_1363 
DER_SEQUENCE 

Definition at line 23 of file pk_keys.h.

Enumerator
User 
System 

Definition at line 103 of file tpm.h.

enum Botan::Usage_Type
strong
Enumerator
UNSPECIFIED 
TLS_SERVER_AUTH 
TLS_CLIENT_AUTH 
CERTIFICATE_AUTHORITY 
OCSP_RESPONDER 
ENCRYPTION 

Definition at line 22 of file x509cert.h.

The two types of X509 encoding supported by Botan. This enum is not used anymore, and will be removed in a future major release.

Enumerator
RAW_BER 
PEM 

Definition at line 25 of file x509_key.h.

Function Documentation

BigInt Botan::abs ( const BigInt n)
inline

Return the absolute value

Parameters
nan integer
Returns
absolute value of n

Definition at line 58 of file numthry.h.

References Botan::BigInt::abs().

Referenced by gcd().

58 { return n.abs(); }
BOTAN_MALLOC_FN void * Botan::allocate_memory ( size_t  elems,
size_t  elem_size 
)

Allocate a memory buffer by some method. This should only be used for primitive types (uint8_t, uint32_t, etc).

Parameters
elemsthe number of elements
elem_sizethe size of each element
Returns
pointer to allocated and zeroed memory, or throw std::bad_alloc on failure

Definition at line 18 of file mem_ops.cpp.

References Botan::mlock_allocator::instance().

Referenced by Botan::secure_allocator< T >::allocate().

19  {
20  if(elems == 0 || elem_size == 0)
21  return nullptr;
22 
23 #if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
24  if(void* p = mlock_allocator::instance().allocate(elems, elem_size))
25  return p;
26 #endif
27 
28  void* ptr = std::calloc(elems, elem_size);
29  if(!ptr)
30  throw std::bad_alloc();
31  return ptr;
32  }
size_t Botan::almost_montgomery_inverse ( BigInt result,
const BigInt a,
const BigInt b 
)

Return a^-1 * 2^k mod b Returns k, between n and 2n Not const time

Definition at line 27 of file mod_inv.cpp.

References Botan::BigInt::is_even().

Referenced by normalized_montgomery_inverse().

30  {
31  size_t k = 0;
32 
33  BigInt u = p, v = a, r = 0, s = 1;
34 
35  while(v > 0)
36  {
37  if(u.is_even())
38  {
39  u >>= 1;
40  s <<= 1;
41  }
42  else if(v.is_even())
43  {
44  v >>= 1;
45  r <<= 1;
46  }
47  else if(u > v)
48  {
49  u -= v;
50  u >>= 1;
51  r += s;
52  s <<= 1;
53  }
54  else
55  {
56  v -= u;
57  v >>= 1;
58  s += r;
59  r <<= 1;
60  }
61 
62  ++k;
63  }
64 
65  if(r >= p)
66  {
67  r -= p;
68  }
69 
70  result = p - r;
71 
72  return k;
73  }
void Botan::aont_package ( RandomNumberGenerator rng,
BlockCipher cipher,
const uint8_t  input[],
size_t  input_len,
uint8_t  output[] 
)

Rivest's Package Tranform

Parameters
rngthe random number generator to use
cipherthe block cipher to use (aont_package takes ownership)
inputthe input data buffer
input_lenthe length of the input data in bytes
outputthe output data buffer (must be at least input_len + cipher->BLOCK_SIZE bytes long)

Definition at line 17 of file package.cpp.

References Botan::OctetString::begin(), Botan::BlockCipher::block_size(), BOTAN_ASSERT_EQUAL, clear_mem(), copy_mem(), Botan::BlockCipher::encrypt(), get_byte(), Botan::Pipe::process_msg(), Botan::Pipe::read(), Botan::Pipe::remaining(), Botan::SymmetricAlgorithm::set_key(), Botan::SymmetricAlgorithm::valid_keylength(), xor_buf(), and zeroise().

21  {
22  if(input_len <= 1)
23  throw Encoding_Error("Package transform cannot encode small inputs");
24 
25  const size_t BLOCK_SIZE = cipher->block_size();
26 
27  if(!cipher->valid_keylength(BLOCK_SIZE))
28  throw Invalid_Argument("AONT::package: Invalid cipher");
29 
30  // The all-zero string which is used both as the CTR IV and as K0
31  const std::string all_zeros(BLOCK_SIZE*2, '0');
32 
33  SymmetricKey package_key(rng, BLOCK_SIZE);
34 
35  Pipe pipe(new StreamCipher_Filter(new CTR_BE(cipher), package_key));
36 
37  pipe.process_msg(input, input_len);
38  const size_t remaining = pipe.remaining();
39  BOTAN_ASSERT_EQUAL(remaining, pipe.read(output, remaining), "Expected read size");
40 
41  // Set K0 (the all zero key)
42  cipher->set_key(SymmetricKey(all_zeros));
43 
44  secure_vector<uint8_t> buf(BLOCK_SIZE);
45 
46  const size_t blocks =
47  (input_len + BLOCK_SIZE - 1) / BLOCK_SIZE;
48 
49  uint8_t* final_block = output + input_len;
50  clear_mem(final_block, BLOCK_SIZE);
51 
52  // XOR the hash blocks into the final block
53  for(size_t i = 0; i != blocks; ++i)
54  {
55  const size_t left = std::min<size_t>(BLOCK_SIZE,
56  input_len - BLOCK_SIZE * i);
57 
58  zeroise(buf);
59  copy_mem(buf.data(), output + (BLOCK_SIZE * i), left);
60 
61  for(size_t j = 0; j != sizeof(i); ++j)
62  buf[BLOCK_SIZE - 1 - j] ^= get_byte(sizeof(i)-1-j, i);
63 
64  cipher->encrypt(buf.data());
65 
66  xor_buf(final_block, buf.data(), BLOCK_SIZE);
67  }
68 
69  // XOR the random package key into the final block
70  xor_buf(final_block, package_key.begin(), BLOCK_SIZE);
71  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition: assert.h:81
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
OctetString SymmetricKey
Definition: symkey.h:141
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:117
void Botan::aont_unpackage ( BlockCipher cipher,
const uint8_t  input[],
size_t  input_len,
uint8_t  output[] 
)

Rivest's Package Tranform (Inversion)

Parameters
cipherthe block cipher to use (aont_package takes ownership)
inputthe input data buffer
input_lenthe length of the input data in bytes
outputthe output data buffer (must be at least input_len - cipher->BLOCK_SIZE bytes long)

Definition at line 73 of file package.cpp.

References Botan::BlockCipher::block_size(), BOTAN_ASSERT_EQUAL, copy_mem(), Botan::BlockCipher::encrypt(), get_byte(), Botan::Pipe::process_msg(), Botan::Pipe::read(), Botan::Pipe::remaining(), Botan::SymmetricAlgorithm::set_key(), Botan::SymmetricAlgorithm::valid_keylength(), xor_buf(), and zeroise().

76  {
77  const size_t BLOCK_SIZE = cipher->block_size();
78 
79  if(!cipher->valid_keylength(BLOCK_SIZE))
80  throw Invalid_Argument("AONT::unpackage: Invalid cipher");
81 
82  if(input_len < BLOCK_SIZE)
83  throw Invalid_Argument("AONT::unpackage: Input too short");
84 
85  // The all-zero string which is used both as the CTR IV and as K0
86  const std::string all_zeros(BLOCK_SIZE*2, '0');
87 
88  cipher->set_key(SymmetricKey(all_zeros));
89 
90  secure_vector<uint8_t> package_key(BLOCK_SIZE);
91  secure_vector<uint8_t> buf(BLOCK_SIZE);
92 
93  // Copy the package key (masked with the block hashes)
94  copy_mem(package_key.data(),
95  input + (input_len - BLOCK_SIZE),
96  BLOCK_SIZE);
97 
98  const size_t blocks = ((input_len - 1) / BLOCK_SIZE);
99 
100  // XOR the blocks into the package key bits
101  for(size_t i = 0; i != blocks; ++i)
102  {
103  const size_t left = std::min<size_t>(BLOCK_SIZE,
104  input_len - BLOCK_SIZE * (i+1));
105 
106  zeroise(buf);
107  copy_mem(buf.data(), input + (BLOCK_SIZE * i), left);
108 
109  for(size_t j = 0; j != sizeof(i); ++j)
110  buf[BLOCK_SIZE - 1 - j] ^= get_byte(sizeof(i)-1-j, i);
111 
112  cipher->encrypt(buf.data());
113 
114  xor_buf(package_key.data(), buf.data(), BLOCK_SIZE);
115  }
116 
117  Pipe pipe(new StreamCipher_Filter(new CTR_BE(cipher), package_key));
118 
119  pipe.process_msg(input, input_len - BLOCK_SIZE);
120 
121  const size_t remaining = pipe.remaining();
122  BOTAN_ASSERT_EQUAL(remaining, pipe.read(output, remaining), "Expected read size");
123  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition: assert.h:81
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
OctetString SymmetricKey
Definition: symkey.h:141
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:117
void Botan::argon2 ( uint8_t  output[],
size_t  output_len,
const char *  password,
size_t  password_len,
const uint8_t  salt[],
size_t  salt_len,
const uint8_t  key[],
size_t  key_len,
const uint8_t  ad[],
size_t  ad_len,
uint8_t  y,
size_t  p,
size_t  M,
size_t  t 
)

Argon2 key derivation function

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenthe length of password
saltthe salt
salt_lenlength of salt
keyan optional secret key
key_lenthe length of key
adan optional additional input
ad_lenthe length of ad
ythe Argon2 variant (0 = Argon2d, 1 = Argon2i, 2 = Argon2id)
pthe parallelization parameter
Mthe amount of memory to use in Kb
tthe number of iterations to use

Definition at line 410 of file argon2.cpp.

References B, BOTAN_ARG_CHECK, clear_mem(), and Botan::HashFunction::create_or_throw().

Referenced by argon2_check_pwhash(), argon2_generate_pwhash(), Botan::Argon2::derive_key(), and Botan::Argon2_Family::tune().

416  {
417  BOTAN_ARG_CHECK(mode == 0 || mode == 1 || mode == 2, "Unknown Argon2 mode parameter");
418  BOTAN_ARG_CHECK(output_len >= 4, "Invalid Argon2 output length");
419  BOTAN_ARG_CHECK(threads >= 1 && threads <= 128, "Invalid Argon2 threads parameter");
420  BOTAN_ARG_CHECK(M >= 8*threads && M <= 8192*1024, "Invalid Argon2 M parameter");
421  BOTAN_ARG_CHECK(t >= 1, "Invalid Argon2 t parameter");
422 
423  std::unique_ptr<HashFunction> blake2 = HashFunction::create_or_throw("BLAKE2b");
424 
425  const auto H0 = argon2_H0(*blake2, output_len,
426  password, password_len,
427  salt, salt_len,
428  key, key_len,
429  ad, ad_len,
430  mode, threads, M, t);
431 
432  const size_t memory = (M / (SYNC_POINTS*threads)) * (SYNC_POINTS*threads);
433 
434  secure_vector<uint64_t> B(memory * 1024/8);
435 
436  init_blocks(B, *blake2, H0, memory, threads);
437  process_blocks(B, t, memory, threads, mode);
438 
439  clear_mem(output, output_len);
440  extract_key(output, output_len, B, memory, threads);
441  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
SIMD_8x32 B
size_t salt_len
Definition: x509_obj.cpp:25
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
bool Botan::argon2_check_pwhash ( const char *  password,
size_t  password_len,
const std::string &  hash 
)

Check a previously created password hash

Parameters
passwordthe password to check against
password_lenthe length of password
hashthe stored hash to check against

Definition at line 57 of file argon2fmt.cpp.

References argon2(), base64_decode(), base64_decode_max_output(), constant_time_compare(), hash, split_on(), and to_u32bit().

59  {
60  const std::vector<std::string> parts = split_on(input_hash, '$');
61 
62  if(parts.size() != 5)
63  return false;
64 
65  uint8_t family = 0;
66 
67  if(parts[0] == "argon2d")
68  family = 0;
69  else if(parts[0] == "argon2i")
70  family = 1;
71  else if(parts[0] == "argon2id")
72  family = 2;
73  else
74  return false;
75 
76  if(parts[1] != "v=19")
77  return false;
78 
79  const std::vector<std::string> params = split_on(parts[2], ',');
80 
81  if(params.size() != 3)
82  return false;
83 
84  size_t M = 0, t = 0, p = 0;
85 
86  for(auto param_str : params)
87  {
88  const std::vector<std::string> param = split_on(param_str, '=');
89 
90  if(param.size() != 2)
91  return false;
92 
93  const std::string key = param[0];
94  const size_t val = to_u32bit(param[1]);
95  if(key == "m")
96  M = val;
97  else if(key == "t")
98  t = val;
99  else if(key == "p")
100  p = val;
101  else
102  return false;
103  }
104 
105  std::vector<uint8_t> salt(base64_decode_max_output(parts[3].size()));
106  salt.resize(base64_decode(salt.data(), parts[3], false));
107 
108  std::vector<uint8_t> hash(base64_decode_max_output(parts[4].size()));
109  hash.resize(base64_decode(hash.data(), parts[4], false));
110 
111  if(hash.size() < 4)
112  return false;
113 
114  std::vector<uint8_t> generated(hash.size());
115  argon2(generated.data(), generated.size(),
116  password, password_len,
117  salt.data(), salt.size(),
118  nullptr, 0,
119  nullptr, 0,
120  family, p, M, t);
121 
122  return constant_time_compare(generated.data(), hash.data(), generated.size());
123  }
size_t base64_decode_max_output(size_t input_length)
Definition: base64.cpp:243
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.h:82
uint32_t to_u32bit(const std::string &str)
Definition: parsing.cpp:35
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition: base64.cpp:200
void argon2(uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t mode, size_t threads, size_t M, size_t t)
Definition: argon2.cpp:410
MechanismType hash
std::string Botan::argon2_generate_pwhash ( const char *  password,
size_t  password_len,
RandomNumberGenerator rng,
size_t  p,
size_t  M,
size_t  t,
uint8_t  y = 2,
size_t  salt_len = 16,
size_t  output_len = 32 
)

Definition at line 26 of file argon2fmt.cpp.

References argon2(), base64_encode(), and Botan::RandomNumberGenerator::randomize().

30  {
31  std::vector<uint8_t> salt(salt_len);
32  rng.randomize(salt.data(), salt.size());
33 
34  std::vector<uint8_t> output(output_len);
35  argon2(output.data(), output.size(),
36  password, password_len,
37  salt.data(), salt.size(),
38  nullptr, 0,
39  nullptr, 0,
40  y, p, M, t);
41 
42  std::ostringstream oss;
43 
44  if(y == 0)
45  oss << "$argon2d$";
46  else if(y == 1)
47  oss << "$argon2i$";
48  else
49  oss << "$argon2id$";
50 
51  oss << "v=19$m=" << M << ",t=" << t << ",p=" << p << "$";
52  oss << strip_padding(base64_encode(salt)) << "$" << strip_padding(base64_encode(output));
53 
54  return oss.str();
55  }
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:185
size_t salt_len
Definition: x509_obj.cpp:25
void argon2(uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t mode, size_t threads, size_t M, size_t t)
Definition: argon2.cpp:410
std::string BOTAN_UNSTABLE_API Botan::asn1_class_to_string ( ASN1_Tag  type)

Definition at line 87 of file asn1_obj.cpp.

References APPLICATION, CONSTRUCTED, CONTEXT_SPECIFIC, NO_OBJECT, Botan::ASN1::to_string(), and UNIVERSAL.

Referenced by Botan::BER_Object::assert_is_a().

88  {
89  switch(type)
90  {
91  case UNIVERSAL:
92  return "UNIVERSAL";
93  case CONSTRUCTED:
94  return "CONSTRUCTED";
95  case CONTEXT_SPECIFIC:
96  return "CONTEXT_SPECIFIC";
97  case APPLICATION:
98  return "APPLICATION";
100  return "PRIVATE";
101  case Botan::NO_OBJECT:
102  return "NO_OBJECT";
103  default:
104  return "CLASS(" + std::to_string(static_cast<size_t>(type)) + ")";
105  }
106  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
MechanismType type
std::string BOTAN_UNSTABLE_API Botan::asn1_tag_to_string ( ASN1_Tag  type)

Definition at line 108 of file asn1_obj.cpp.

References BIT_STRING, BMP_STRING, BOOLEAN, ENUMERATED, GENERALIZED_TIME, IA5_STRING, INTEGER, NO_OBJECT, NULL_TAG, NUMERIC_STRING, OBJECT_ID, OCTET_STRING, PRINTABLE_STRING, SEQUENCE, SET, T61_STRING, Botan::ASN1::to_string(), UNIVERSAL_STRING, UTC_TIME, UTF8_STRING, and VISIBLE_STRING.

Referenced by Botan::BER_Object::assert_is_a().

109  {
110  switch(type)
111  {
112  case Botan::SEQUENCE:
113  return "SEQUENCE";
114 
115  case Botan::SET:
116  return "SET";
117 
119  return "PRINTABLE STRING";
120 
122  return "NUMERIC STRING";
123 
124  case Botan::IA5_STRING:
125  return "IA5 STRING";
126 
127  case Botan::T61_STRING:
128  return "T61 STRING";
129 
130  case Botan::UTF8_STRING:
131  return "UTF8 STRING";
132 
134  return "VISIBLE STRING";
135 
136  case Botan::BMP_STRING:
137  return "BMP STRING";
138 
140  return "UNIVERSAL STRING";
141 
142  case Botan::UTC_TIME:
143  return "UTC TIME";
144 
146  return "GENERALIZED TIME";
147 
148  case Botan::OCTET_STRING:
149  return "OCTET STRING";
150 
151  case Botan::BIT_STRING:
152  return "BIT STRING";
153 
154  case Botan::ENUMERATED:
155  return "ENUMERATED";
156 
157  case Botan::INTEGER:
158  return "INTEGER";
159 
160  case Botan::NULL_TAG:
161  return "NULL";
162 
163  case Botan::OBJECT_ID:
164  return "OBJECT";
165 
166  case Botan::BOOLEAN:
167  return "BOOLEAN";
168 
169  case Botan::NO_OBJECT:
170  return "NO_OBJECT";
171 
172  default:
173  return "TAG(" + std::to_string(static_cast<size_t>(type)) + ")";
174  }
175  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
MechanismType type
BOTAN_NORETURN void Botan::assertion_failure ( const char *  expr_str,
const char *  assertion_made,
const char *  func,
const char *  file,
int  line 
)

Called when an assertion fails Throws an Exception object

Definition at line 31 of file assert.cpp.

36  {
37  std::ostringstream format;
38 
39  format << "False assertion ";
40 
41  if(assertion_made && assertion_made[0] != 0)
42  format << "'" << assertion_made << "' (expression " << expr_str << ") ";
43  else
44  format << expr_str << " ";
45 
46  if(func)
47  format << "in " << func << " ";
48 
49  format << "@" << file << ":" << line;
50 
51  throw Internal_Error(format.str());
52  }
size_t Botan::base32_decode ( uint8_t  output[],
const char  input[],
size_t  input_length,
size_t &  input_consumed,
bool  final_inputs,
bool  ignore_ws = true 
)

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 195 of file base32.cpp.

References base_decode().

Referenced by base32_decode().

201  {
202  return base_decode(Base32(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
203  }
size_t base_decode(Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition: codec_base.h:124
size_t Botan::base32_decode ( uint8_t  output[],
const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 205 of file base32.cpp.

References base_decode_full().

209  {
210  return base_decode_full(Base32(), output, input, input_length, ignore_ws);
211  }
size_t base_decode_full(Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition: codec_base.h:189
size_t Botan::base32_decode ( uint8_t  output[],
const std::string &  input,
bool  ignore_ws = true 
)

Perform base32 decoding

Parameters
outputan array of at least base32_decode_max_output bytes
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 213 of file base32.cpp.

References base32_decode().

216  {
217  return base32_decode(output, input.data(), input.length(), ignore_ws);
218  }
secure_vector< uint8_t > base32_decode(const std::string &input, bool ignore_ws)
Definition: base32.cpp:227
secure_vector< uint8_t > Botan::base32_decode ( const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform base32 decoding

Parameters
inputsome base32 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 220 of file base32.cpp.

223  {
224  return base_decode_to_vec<secure_vector<uint8_t>>(Base32(), input, input_length, ignore_ws);
225  }
secure_vector< uint8_t > Botan::base32_decode ( const std::string &  input,
bool  ignore_ws = true 
)

Perform base32 decoding

Parameters
inputsome base32 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base32 output

Definition at line 227 of file base32.cpp.

References base32_decode().

229  {
230  return base32_decode(input.data(), input.size(), ignore_ws);
231  }
secure_vector< uint8_t > base32_decode(const std::string &input, bool ignore_ws)
Definition: base32.cpp:227
template<typename Alloc >
std::string Botan::base32_encode ( const std::vector< uint8_t, Alloc > &  input)

Perform base32 encoding

Parameters
inputsome input
Returns
base32 representation of input

Definition at line 50 of file base32.h.

References base32_encode().

51  {
52  return base32_encode(input.data(), input.size());
53  }
std::string base32_encode(const std::vector< uint8_t, Alloc > &input)
Definition: base32.h:50
size_t Botan::base32_encode ( char  output[],
const uint8_t  input[],
size_t  input_length,
size_t &  input_consumed,
bool  final_inputs 
)

Perform base32 encoding

Parameters
outputan array of at least base32_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 180 of file base32.cpp.

References base_encode().

Referenced by base32_encode().

185  {
186  return base_encode(Base32(), out, in, input_length, input_consumed, final_inputs);
187  }
size_t base_encode(Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: codec_base.h:34
std::string Botan::base32_encode ( const uint8_t  input[],
size_t  input_length 
)

Perform base32 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base32 representation of input

Definition at line 189 of file base32.cpp.

References base_encode_to_string().

191  {
192  return base_encode_to_string(Base32(), input, input_length);
193  }
std::string base_encode_to_string(Base &&base, const uint8_t input[], size_t input_length)
Definition: codec_base.h:86
std::vector<uint8_t> Botan::base58_check_decode ( const std::string &  s)
inline

Definition at line 69 of file base58.h.

References base58_check_decode().

70  {
71  return base58_check_decode(s.data(), s.size());
72  }
std::vector< uint8_t > base58_check_decode(const std::string &s)
Definition: base58.h:69
std::vector< uint8_t > Botan::base58_check_decode ( const char  input[],
size_t  input_length 
)

Perform base58 decoding with checksum

Definition at line 171 of file base58.cpp.

References base58_decode(), and load_be< uint32_t >().

Referenced by base58_check_decode().

172  {
173  std::vector<uint8_t> dec = base58_decode(input, input_length);
174 
175  if(dec.size() < 4)
176  throw Decoding_Error("Invalid base58 too short for checksum");
177 
178  const uint32_t computed_checksum = sha256_d_checksum(dec.data(), dec.size() - 4);
179  const uint32_t checksum = load_be<uint32_t>(&dec[dec.size()-4], 0);
180 
181  if(checksum != computed_checksum)
182  throw Decoding_Error("Invalid base58 checksum");
183 
184  dec.resize(dec.size() - 4);
185 
186  return dec;
187  }
uint32_t load_be< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:179
std::vector< uint8_t > base58_decode(const char input[], size_t input_length)
Definition: base58.cpp:144
template<typename Alloc >
std::string Botan::base58_check_encode ( const std::vector< uint8_t, Alloc > &  vec)
inline

Definition at line 59 of file base58.h.

References base58_check_encode().

60  {
61  return base58_check_encode(vec.data(), vec.size());
62  }
std::string base58_check_encode(const std::vector< uint8_t, Alloc > &vec)
Definition: base58.h:59
std::string Botan::base58_check_encode ( const uint8_t  input[],
size_t  input_length 
)

Perform base58 encoding with checksum

Definition at line 136 of file base58.cpp.

References base58_encode().

Referenced by base58_check_encode().

137  {
138  BigInt v(input, input_length);
139  v <<= 32;
140  v += sha256_d_checksum(input, input_length);
141  return base58_encode(v, count_leading_zeros(input, input_length, 0));
142  }
std::string base58_encode(const uint8_t input[], size_t input_length)
Definition: base58.cpp:130
std::vector<uint8_t> Botan::base58_decode ( const std::string &  s)
inline

Definition at line 64 of file base58.h.

References base58_decode().

65  {
66  return base58_decode(s.data(), s.size());
67  }
std::vector< uint8_t > base58_decode(const std::string &s)
Definition: base58.h:64
std::vector< uint8_t > Botan::base58_decode ( const char  input[],
size_t  input_length 
)

Perform base58 decoding

This is raw base58 encoding, without the checksum

Definition at line 144 of file base58.cpp.

References Botan::BigInt::binary_encode(), and Botan::BigInt::bytes().

Referenced by base58_check_decode(), and base58_decode().

145  {
146  const size_t leading_zeros = count_leading_zeros(input, input_length, '1');
147 
148  BigInt v;
149 
150  for(size_t i = leading_zeros; i != input_length; ++i)
151  {
152  const char c = input[i];
153 
154  if(c == ' ' || c == '\n')
155  continue;
156 
157  const uint8_t idx = base58_value_of(c);
158 
159  if(idx == 0xFF)
160  throw Decoding_Error("Invalid base58");
161 
162  v *= 58;
163  v += idx;
164  }
165 
166  std::vector<uint8_t> output(v.bytes() + leading_zeros);
167  v.binary_encode(output.data() + leading_zeros);
168  return output;
169  }
template<typename Alloc >
std::string Botan::base58_encode ( const std::vector< uint8_t, Alloc > &  vec)
inline

Definition at line 53 of file base58.h.

References base58_encode().

54  {
55  return base58_encode(vec.data(), vec.size());
56  }
std::string base58_encode(const std::vector< uint8_t, Alloc > &vec)
Definition: base58.h:53
std::string Botan::base58_encode ( const uint8_t  input[],
size_t  input_length 
)

Perform base58 encoding

This is raw base58 encoding, without the checksum

Definition at line 130 of file base58.cpp.

Referenced by base58_check_encode(), and base58_encode().

131  {
132  BigInt v(input, input_length);
133  return base58_encode(v, count_leading_zeros(input, input_length, 0));
134  }
std::string base58_encode(const uint8_t input[], size_t input_length)
Definition: base58.cpp:130
size_t Botan::base64_decode ( uint8_t  output[],
const char  input[],
size_t  input_length,
size_t &  input_consumed,
bool  final_inputs,
bool  ignore_ws = true 
)

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 200 of file base64.cpp.

References base_decode().

Referenced by argon2_check_pwhash(), base64_decode(), botan_base64_decode(), Botan::Roughtime::Chain::Chain(), check_passhash9(), Botan::PEM_Code::decode(), Botan::Base64_Decoder::end_msg(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::list_names(), Botan::Roughtime::servers_from_str(), and Botan::Base64_Decoder::write().

206  {
207  return base_decode(Base64(), out, in, input_length, input_consumed, final_inputs, ignore_ws);
208  }
size_t base_decode(Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition: codec_base.h:124
size_t Botan::base64_decode ( uint8_t  output[],
const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 210 of file base64.cpp.

References base_decode_full().

214  {
215  return base_decode_full(Base64(), output, input, input_length, ignore_ws);
216  }
size_t base_decode_full(Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition: codec_base.h:189
size_t Botan::base64_decode ( uint8_t  output[],
const std::string &  input,
bool  ignore_ws = true 
)

Perform base64 decoding

Parameters
outputan array of at least base64_decode_max_output bytes
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 218 of file base64.cpp.

References base64_decode().

221  {
222  return base64_decode(output, input.data(), input.length(), ignore_ws);
223  }
secure_vector< uint8_t > base64_decode(const std::string &input, bool ignore_ws)
Definition: base64.cpp:232
secure_vector< uint8_t > Botan::base64_decode ( const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform base64 decoding

Parameters
inputsome base64 input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 225 of file base64.cpp.

228  {
229  return base_decode_to_vec<secure_vector<uint8_t>>(Base64(), input, input_length, ignore_ws);
230  }
secure_vector< uint8_t > Botan::base64_decode ( const std::string &  input,
bool  ignore_ws = true 
)

Perform base64 decoding

Parameters
inputsome base64 input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded base64 output

Definition at line 232 of file base64.cpp.

References base64_decode().

234  {
235  return base64_decode(input.data(), input.size(), ignore_ws);
236  }
secure_vector< uint8_t > base64_decode(const std::string &input, bool ignore_ws)
Definition: base64.cpp:232
size_t Botan::base64_decode_max_output ( size_t  input_length)

Calculate the size of output buffer for base64_decode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 243 of file base64.cpp.

Referenced by argon2_check_pwhash(), and botan_base64_decode().

244  {
245  return Base64::decode_max_output(input_length);
246  }
template<typename Alloc >
std::string Botan::base64_encode ( const std::vector< uint8_t, Alloc > &  input)

Perform base64 encoding

Parameters
inputsome input
Returns
base64adecimal representation of input

Definition at line 50 of file base64.h.

References base64_encode().

51  {
52  return base64_encode(input.data(), input.size());
53  }
std::string base64_encode(const std::vector< uint8_t, Alloc > &input)
Definition: base64.h:50
size_t Botan::base64_encode ( char  output[],
const uint8_t  input[],
size_t  input_length,
size_t &  input_consumed,
bool  final_inputs 
)

Perform base64 encoding

Parameters
outputan array of at least base64_encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 185 of file base64.cpp.

References base_encode().

Referenced by argon2_generate_pwhash(), base64_encode(), Botan::OCSP::Request::base64_encode(), botan_base64_encode(), Botan::PEM_Code::encode(), generate_passhash9(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), Botan::Encrypted_PSK_Database::set(), and Botan::Roughtime::Chain::to_string().

190  {
191  return base_encode(Base64(), out, in, input_length, input_consumed, final_inputs);
192  }
size_t base_encode(Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: codec_base.h:34
std::string Botan::base64_encode ( const uint8_t  input[],
size_t  input_length 
)

Perform base64 encoding

Parameters
inputsome input
input_lengthlength of input in bytes
Returns
base64adecimal representation of input

Definition at line 194 of file base64.cpp.

References base_encode_to_string().

196  {
197  return base_encode_to_string(Base64(), input, input_length);
198  }
std::string base_encode_to_string(Base &&base, const uint8_t input[], size_t input_length)
Definition: codec_base.h:86
size_t Botan::base64_encode_max_output ( size_t  input_length)

Calculate the size of output buffer for base64_encode

Parameters
input_lengththe length of input in bytes
Returns
the size of output buffer in bytes

Definition at line 238 of file base64.cpp.

239  {
240  return Base64::encode_max_output(input_length);
241  }
template<typename Base >
size_t Botan::base_decode ( Base &&  base,
uint8_t  output[],
const char  input[],
size_t  input_length,
size_t &  input_consumed,
bool  final_inputs,
bool  ignore_ws = true 
)

Perform decoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least Base::decode_max_output bytes
inputsome base input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding is allowed
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 124 of file codec_base.h.

References clear_mem().

Referenced by base32_decode(), base64_decode(), and base_decode_full().

131  {
132  const size_t decoding_bytes_in = base.decoding_bytes_in();
133  const size_t decoding_bytes_out = base.decoding_bytes_out();
134 
135  uint8_t* out_ptr = output;
136  std::vector<uint8_t> decode_buf(decoding_bytes_in, 0);
137  size_t decode_buf_pos = 0;
138  size_t final_truncate = 0;
139 
140  clear_mem(output, base.decode_max_output(input_length));
141 
142  for(size_t i = 0; i != input_length; ++i)
143  {
144  const uint8_t bin = base.lookup_binary_value(input[i]);
145 
146  if(base.check_bad_char(bin, input[i], ignore_ws)) // May throw Invalid_Argument
147  {
148  decode_buf[decode_buf_pos] = bin;
149  ++decode_buf_pos;
150  }
151 
152  /*
153  * If we're at the end of the input, pad with 0s and truncate
154  */
155  if(final_inputs && (i == input_length - 1))
156  {
157  if(decode_buf_pos)
158  {
159  for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j)
160  { decode_buf[j] = 0; }
161 
162  final_truncate = decoding_bytes_in - decode_buf_pos;
163  decode_buf_pos = decoding_bytes_in;
164  }
165  }
166 
167  if(decode_buf_pos == decoding_bytes_in)
168  {
169  base.decode(out_ptr, decode_buf.data());
170 
171  out_ptr += decoding_bytes_out;
172  decode_buf_pos = 0;
173  input_consumed = i+1;
174  }
175  }
176 
177  while(input_consumed < input_length &&
178  base.lookup_binary_value(input[input_consumed]) == 0x80)
179  {
180  ++input_consumed;
181  }
182 
183  size_t written = (out_ptr - output) - base.bytes_to_remove(final_truncate);
184 
185  return written;
186  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
template<typename Base >
size_t Botan::base_decode_full ( Base &&  base,
uint8_t  output[],
const char  input[],
size_t  input_length,
bool  ignore_ws 
)

Definition at line 189 of file codec_base.h.

References base_decode().

Referenced by base32_decode(), base64_decode(), and base_decode_to_vec().

190  {
191  size_t consumed = 0;
192  const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws);
193 
194  if(consumed != input_length)
195  {
196  throw Invalid_Argument(base.name() + " decoding failed, input did not have full bytes");
197  }
198 
199  return written;
200  }
size_t base_decode(Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition: codec_base.h:124
template<typename Vector , typename Base >
Vector Botan::base_decode_to_vec ( Base &&  base,
const char  input[],
size_t  input_length,
bool  ignore_ws 
)

Definition at line 203 of file codec_base.h.

References base_decode_full().

207  {
208  const size_t output_length = base.decode_max_output(input_length);
209  Vector bin(output_length);
210 
211  const size_t written =
212  base_decode_full(base, bin.data(), input, input_length, ignore_ws);
213 
214  bin.resize(written);
215  return bin;
216  }
size_t base_decode_full(Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition: codec_base.h:189
template<class Base >
size_t Botan::base_encode ( Base &&  base,
char  output[],
const uint8_t  input[],
size_t  input_length,
size_t &  input_consumed,
bool  final_inputs 
)

Perform encoding using the base provided

Parameters
baseobject giving access to the encodings specifications
outputan array of at least base.encode_max_output bytes
inputis some binary data
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
final_inputstrue iff this is the last input, in which case padding chars will be applied if needed
Returns
number of bytes written to output

Definition at line 34 of file codec_base.h.

Referenced by base32_encode(), base64_encode(), and base_encode_to_string().

40  {
41  input_consumed = 0;
42 
43  const size_t encoding_bytes_in = base.encoding_bytes_in();
44  const size_t encoding_bytes_out = base.encoding_bytes_out();
45 
46  size_t input_remaining = input_length;
47  size_t output_produced = 0;
48 
49  while(input_remaining >= encoding_bytes_in)
50  {
51  base.encode(output + output_produced, input + input_consumed);
52 
53  input_consumed += encoding_bytes_in;
54  output_produced += encoding_bytes_out;
55  input_remaining -= encoding_bytes_in;
56  }
57 
58  if(final_inputs && input_remaining)
59  {
60  std::vector<uint8_t> remainder(encoding_bytes_in, 0);
61  for(size_t i = 0; i != input_remaining; ++i)
62  { remainder[i] = input[input_consumed + i]; }
63 
64  base.encode(output + output_produced, remainder.data());
65 
66  const size_t bits_consumed = base.bits_consumed();
67  const size_t remaining_bits_before_padding = base.remaining_bits_before_padding();
68 
69  size_t empty_bits = 8 * (encoding_bytes_in - input_remaining);
70  size_t index = output_produced + encoding_bytes_out - 1;
71  while(empty_bits >= remaining_bits_before_padding)
72  {
73  output[index--] = '=';
74  empty_bits -= bits_consumed;
75  }
76 
77  input_consumed += input_remaining;
78  output_produced += encoding_bytes_out;
79  }
80 
81  return output_produced;
82  }
template<typename Base >
std::string Botan::base_encode_to_string ( Base &&  base,
const uint8_t  input[],
size_t  input_length 
)

Definition at line 86 of file codec_base.h.

References base_encode(), and BOTAN_ASSERT_EQUAL.

Referenced by base32_encode(), and base64_encode().

87  {
88  const size_t output_length = base.encode_max_output(input_length);
89  std::string output(output_length, 0);
90 
91  size_t consumed = 0;
92  size_t produced = 0;
93 
94  if(output_length > 0)
95  {
96  produced = base_encode(base, &output.front(),
97  input, input_length,
98  consumed, true);
99  }
100 
101  BOTAN_ASSERT_EQUAL(consumed, input_length, "Consumed the entire input");
102  BOTAN_ASSERT_EQUAL(produced, output.size(), "Produced expected size");
103 
104  return output;
105  }
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition: assert.h:81
size_t base_encode(Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: codec_base.h:34
void BOTAN_UNSTABLE_API Botan::bcrypt_pbkdf ( uint8_t  output[],
size_t  output_len,
const char *  pass,
size_t  pass_len,
const uint8_t  salt[],
size_t  salt_len,
size_t  rounds 
)

Bcrypt PBKDF compatible with OpenBSD bcrypt_pbkdf

Definition at line 130 of file bcrypt_pbkdf.cpp.

References BOTAN_ARG_CHECK, clear_mem(), and Botan::HashFunction::create_or_throw().

Referenced by Botan::Bcrypt_PBKDF::derive_key(), and Botan::Bcrypt_PBKDF_Family::tune().

134  {
135  BOTAN_ARG_CHECK(rounds >= 1, "Invalid rounds for Bcrypt PBKDF");
136 
137  // No output desired, so we are all done already...
138  if(output_len == 0)
139  return;
140 
141  BOTAN_ARG_CHECK(output_len <= 10*1024*1024, "Too much output for Bcrypt PBKDF");
142 
143  const size_t BCRYPT_BLOCK_SIZE = 32;
144  const size_t blocks = (output_len + BCRYPT_BLOCK_SIZE - 1) / BCRYPT_BLOCK_SIZE;
145 
146  std::unique_ptr<HashFunction> sha512 = HashFunction::create_or_throw("SHA-512");
147  const secure_vector<uint8_t> pass_hash = sha512->process(reinterpret_cast<const uint8_t*>(pass), pass_len);
148 
149  secure_vector<uint8_t> salt_hash(sha512->output_length());
150 
151  Blowfish blowfish;
152  secure_vector<uint8_t> out(BCRYPT_BLOCK_SIZE);
153  secure_vector<uint8_t> tmp(BCRYPT_BLOCK_SIZE);
154 
155  for(size_t block = 0; block != blocks; ++block)
156  {
157  clear_mem(out.data(), out.size());
158 
159  sha512->update(salt, salt_len);
160  sha512->update_be(static_cast<uint32_t>(block + 1));
161  sha512->final(salt_hash.data());
162 
163  bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
164 
165  for(size_t r = 1; r != rounds; ++r)
166  {
167  // Next salt is H(prev_output)
168  sha512->update(tmp);
169  sha512->final(salt_hash.data());
170 
171  bcrypt_round(blowfish, pass_hash, salt_hash, out, tmp);
172  }
173 
174  for(size_t i = 0; i != BCRYPT_BLOCK_SIZE; ++i)
175  {
176  const size_t dest = i * blocks + block;
177  if(dest < output_len)
178  output[dest] = out[i];
179  }
180  }
181  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
size_t salt_len
Definition: x509_obj.cpp:25
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
void Botan::bigint_add2 ( word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Two operand addition

Parameters
xthe first operand (and output)
x_sizesize of x
ythe second operand
y_sizesize of y (must be >= x_size)

Definition at line 280 of file mp_core.h.

References bigint_add2_nc().

Referenced by Botan::BigInt::add(), and mul_add().

282  {
283  x[x_size] += bigint_add2_nc(x, x_size, y, y_size);
284  }
word bigint_add2_nc(word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:227
word Botan::bigint_add2_nc ( word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Two operand addition with carry out

Definition at line 227 of file mp_core.h.

References BOTAN_ASSERT, carry(), word8_add2(), and word_add().

Referenced by bigint_add2().

228  {
229  word carry = 0;
230 
231  BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
232 
233  const size_t blocks = y_size - (y_size % 8);
234 
235  for(size_t i = 0; i != blocks; i += 8)
236  carry = word8_add2(x + i, y + i, carry);
237 
238  for(size_t i = blocks; i != y_size; ++i)
239  x[i] = word_add(x[i], y[i], &carry);
240 
241  for(size_t i = y_size; i != x_size; ++i)
242  x[i] = word_add(x[i], 0, &carry);
243 
244  return carry;
245  }
word word8_add2(word x[8], const word y[8], word carry)
Definition: mp_asmi.h:138
void carry(int64_t &h0, int64_t &h1)
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
void Botan::bigint_add3 ( word  z[],
const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Three operand addition

Definition at line 289 of file mp_core.h.

References bigint_add3_nc().

Referenced by Botan::BigInt::add2().

292  {
293  z[x_size > y_size ? x_size : y_size] +=
294  bigint_add3_nc(z, x, x_size, y, y_size);
295  }
word bigint_add3_nc(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:250
word Botan::bigint_add3_nc ( word  z[],
const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Three operand addition with carry out

Definition at line 250 of file mp_core.h.

References carry(), word8_add3(), and word_add().

Referenced by bigint_add3(), Botan::BigInt::mod_add(), and redc_p521().

253  {
254  if(x_size < y_size)
255  { return bigint_add3_nc(z, y, y_size, x, x_size); }
256 
257  word carry = 0;
258 
259  const size_t blocks = y_size - (y_size % 8);
260 
261  for(size_t i = 0; i != blocks; i += 8)
262  carry = word8_add3(z + i, x + i, y + i, carry);
263 
264  for(size_t i = blocks; i != y_size; ++i)
265  z[i] = word_add(x[i], y[i], &carry);
266 
267  for(size_t i = y_size; i != x_size; ++i)
268  z[i] = word_add(x[i], 0, &carry);
269 
270  return carry;
271  }
void carry(int64_t &h0, int64_t &h1)
word bigint_add3_nc(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:250
word word8_add3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:173
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
int32_t Botan::bigint_cmp ( const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Compare x and y Return -1 if x < y Return 0 if x == y Return 1 if x > y

Definition at line 525 of file mp_core.h.

References BOTAN_DEBUG_ASSERT, Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::unpoison().

Referenced by Botan::BigInt::add(), bigint_sub_abs(), Botan::BigInt::cmp(), and Botan::BigInt::cmp_word().

527  {
528  static_assert(sizeof(word) >= sizeof(uint32_t), "Size assumption");
529 
530  const word LT = static_cast<word>(-1);
531  const word EQ = 0;
532  const word GT = 1;
533 
534  const size_t common_elems = std::min(x_size, y_size);
535 
536  word result = EQ; // until found otherwise
537 
538  for(size_t i = 0; i != common_elems; i++)
539  {
540  const auto is_eq = CT::Mask<word>::is_equal(x[i], y[i]);
541  const auto is_lt = CT::Mask<word>::is_lt(x[i], y[i]);
542 
543  result = is_eq.select(result, is_lt.select(LT, GT));
544  }
545 
546  if(x_size < y_size)
547  {
548  word mask = 0;
549  for(size_t i = x_size; i != y_size; i++)
550  mask |= y[i];
551 
552  // If any bits were set in high part of y, then x < y
553  result = CT::Mask<word>::is_zero(mask).select(result, LT);
554  }
555  else if(y_size < x_size)
556  {
557  word mask = 0;
558  for(size_t i = y_size; i != x_size; i++)
559  mask |= x[i];
560 
561  // If any bits were set in high part of x, then x > y
562  result = CT::Mask<word>::is_zero(mask).select(result, GT);
563  }
564 
565  CT::unpoison(result);
566  BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ);
567  return static_cast<int32_t>(result);
568  }
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void Botan::bigint_cnd_abs ( word  cnd,
word  x[],
size_t  size 
)
inline

Definition at line 212 of file mp_core.h.

References carry(), Botan::CT::Mask< T >::expand(), and word_add().

213  {
214  const auto mask = CT::Mask<word>::expand(cnd);
215 
216  word carry = mask.if_set_return(1);
217  for(size_t i = 0; i != size; ++i)
218  {
219  const word z = word_add(~x[i], 0, &carry);
220  x[i] = mask.select(z, x[i]);
221  }
222  }
void carry(int64_t &h0, int64_t &h1)
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word Botan::bigint_cnd_add ( word  cnd,
word  x[],
word  x_size,
const word  y[],
size_t  y_size 
)
inline

Definition at line 42 of file mp_core.h.

References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), word8_add3(), and word_add().

Referenced by bigint_cnd_add(), Botan::BigInt::ct_cond_add(), redc_p192(), redc_p224(), redc_p256(), and redc_p384().

44  {
45  BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
46 
47  const auto mask = CT::Mask<word>::expand(cnd);
48 
49  word carry = 0;
50 
51  const size_t blocks = y_size - (y_size % 8);
52  word z[8] = { 0 };
53 
54  for(size_t i = 0; i != blocks; i += 8)
55  {
56  carry = word8_add3(z, x + i, y + i, carry);
57  mask.select_n(x + i, z, x + i, 8);
58  }
59 
60  for(size_t i = blocks; i != y_size; ++i)
61  {
62  z[0] = word_add(x[i], y[i], &carry);
63  x[i] = mask.select(z[0], x[i]);
64  }
65 
66  for(size_t i = y_size; i != x_size; ++i)
67  {
68  z[0] = word_add(x[i], 0, &carry);
69  x[i] = mask.select(z[0], x[i]);
70  }
71 
72  return mask.if_set_return(carry);
73  }
void carry(int64_t &h0, int64_t &h1)
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
word word8_add3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:173
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word Botan::bigint_cnd_add ( word  cnd,
word  x[],
const word  y[],
size_t  size 
)
inline

Definition at line 79 of file mp_core.h.

References bigint_cnd_add().

80  {
81  return bigint_cnd_add(cnd, x, size, y, size);
82  }
word bigint_cnd_add(word cnd, word x[], const word y[], size_t size)
Definition: mp_core.h:79
void Botan::bigint_cnd_add_or_sub ( CT::Mask< word >  mask,
word  x[],
const word  y[],
size_t  size 
)
inline

Definition at line 139 of file mp_core.h.

References carry(), Botan::CT::Mask< T >::select(), word8_add3(), word8_sub3(), word_add(), and word_sub().

140  {
141  const size_t blocks = size - (size % 8);
142 
143  word carry = 0;
144  word borrow = 0;
145 
146  word t0[8] = { 0 };
147  word t1[8] = { 0 };
148 
149  for(size_t i = 0; i != blocks; i += 8)
150  {
151  carry = word8_add3(t0, x + i, y + i, carry);
152  borrow = word8_sub3(t1, x + i, y + i, borrow);
153 
154  for(size_t j = 0; j != 8; ++j)
155  x[i+j] = mask.select(t0[j], t1[j]);
156  }
157 
158  for(size_t i = blocks; i != size; ++i)
159  {
160  const word a = word_add(x[i], y[i], &carry);
161  const word s = word_sub(x[i], y[i], &borrow);
162 
163  x[i] = mask.select(a, s);
164  }
165  }
void carry(int64_t &h0, int64_t &h1)
word word8_add3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:173
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word word8_sub3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:310
word Botan::bigint_cnd_addsub ( CT::Mask< word >  mask,
word  x[],
const word  y[],
const word  z[],
size_t  size 
)
inline

Definition at line 176 of file mp_core.h.

References carry(), Botan::CT::Mask< T >::select(), word8_add3(), word8_sub3(), word_add(), and word_sub().

Referenced by bigint_mod_sub(), and bigint_mod_sub_n().

179  {
180  const size_t blocks = size - (size % 8);
181 
182  word carry = 0;
183  word borrow = 0;
184 
185  word t0[8] = { 0 };
186  word t1[8] = { 0 };
187 
188  for(size_t i = 0; i != blocks; i += 8)
189  {
190  carry = word8_add3(t0, x + i, y + i, carry);
191  borrow = word8_sub3(t1, x + i, z + i, borrow);
192 
193  for(size_t j = 0; j != 8; ++j)
194  x[i+j] = mask.select(t0[j], t1[j]);
195  }
196 
197  for(size_t i = blocks; i != size; ++i)
198  {
199  t0[0] = word_add(x[i], y[i], &carry);
200  t1[0] = word_sub(x[i], z[i], &borrow);
201  x[i] = mask.select(t0[0], t1[0]);
202  }
203 
204  return mask.select(carry, borrow);
205  }
void carry(int64_t &h0, int64_t &h1)
word word8_add3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:173
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word word8_sub3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:310
word Botan::bigint_cnd_sub ( word  cnd,
word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Definition at line 88 of file mp_core.h.

References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), word8_sub3(), and word_sub().

Referenced by bigint_cnd_sub(), and redc_p521().

91  {
92  BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
93 
94  const auto mask = CT::Mask<word>::expand(cnd);
95 
96  word carry = 0;
97 
98  const size_t blocks = y_size - (y_size % 8);
99  word z[8] = { 0 };
100 
101  for(size_t i = 0; i != blocks; i += 8)
102  {
103  carry = word8_sub3(z, x + i, y + i, carry);
104  mask.select_n(x + i, z, x + i, 8);
105  }
106 
107  for(size_t i = blocks; i != y_size; ++i)
108  {
109  z[0] = word_sub(x[i], y[i], &carry);
110  x[i] = mask.select(z[0], x[i]);
111  }
112 
113  for(size_t i = y_size; i != x_size; ++i)
114  {
115  z[0] = word_sub(x[i], 0, &carry);
116  x[i] = mask.select(z[0], x[i]);
117  }
118 
119  return mask.if_set_return(carry);
120  }
void carry(int64_t &h0, int64_t &h1)
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word word8_sub3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:310
word Botan::bigint_cnd_sub ( word  cnd,
word  x[],
const word  y[],
size_t  size 
)
inline

Definition at line 126 of file mp_core.h.

References bigint_cnd_sub().

127  {
128  return bigint_cnd_sub(cnd, x, size, y, size);
129  }
word bigint_cnd_sub(word cnd, word x[], const word y[], size_t size)
Definition: mp_core.h:126
void Botan::bigint_cnd_swap ( word  cnd,
word  x[],
word  y[],
size_t  size 
)
inline

Definition at line 29 of file mp_core.h.

References Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::ct_cond_swap().

30  {
31  const auto mask = CT::Mask<word>::expand(cnd);
32 
33  for(size_t i = 0; i != size; ++i)
34  {
35  const word a = x[i];
36  const word b = y[i];
37  x[i] = mask.select(b, a);
38  y[i] = mask.select(a, b);
39  }
40  }
void Botan::bigint_comba_mul16 ( word  z[32],
const word  x[16],
const word  y[16] 
)

Definition at line 805 of file mp_comba.cpp.

References word3_muladd().

Referenced by bigint_mul().

806  {
807  word w2 = 0, w1 = 0, w0 = 0;
808 
809  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 0]);
810  z[ 0] = w0; w0 = 0;
811 
812  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 1]);
813  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 0]);
814  z[ 1] = w1; w1 = 0;
815 
816  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 2]);
817  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 1]);
818  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 0]);
819  z[ 2] = w2; w2 = 0;
820 
821  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 3]);
822  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 2]);
823  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 1]);
824  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 0]);
825  z[ 3] = w0; w0 = 0;
826 
827  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 4]);
828  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 3]);
829  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 2]);
830  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 1]);
831  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 0]);
832  z[ 4] = w1; w1 = 0;
833 
834  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 5]);
835  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 4]);
836  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 3]);
837  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 2]);
838  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 1]);
839  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 0]);
840  z[ 5] = w2; w2 = 0;
841 
842  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 6]);
843  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 5]);
844  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 4]);
845  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 3]);
846  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 2]);
847  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 1]);
848  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 0]);
849  z[ 6] = w0; w0 = 0;
850 
851  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 7]);
852  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 6]);
853  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 5]);
854  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 4]);
855  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 3]);
856  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 2]);
857  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 1]);
858  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 0]);
859  z[ 7] = w1; w1 = 0;
860 
861  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 8]);
862  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 7]);
863  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 6]);
864  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 5]);
865  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 4]);
866  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 3]);
867  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 2]);
868  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 1]);
869  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 0]);
870  z[ 8] = w2; w2 = 0;
871 
872  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 9]);
873  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 8]);
874  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 7]);
875  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 6]);
876  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 5]);
877  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 4]);
878  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 3]);
879  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 2]);
880  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 1]);
881  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 0]);
882  z[ 9] = w0; w0 = 0;
883 
884  word3_muladd(&w0, &w2, &w1, x[ 0], y[10]);
885  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 9]);
886  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 8]);
887  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 7]);
888  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 6]);
889  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 5]);
890  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 4]);
891  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 3]);
892  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 2]);
893  word3_muladd(&w0, &w2, &w1, x[ 9], y[ 1]);
894  word3_muladd(&w0, &w2, &w1, x[10], y[ 0]);
895  z[10] = w1; w1 = 0;
896 
897  word3_muladd(&w1, &w0, &w2, x[ 0], y[11]);
898  word3_muladd(&w1, &w0, &w2, x[ 1], y[10]);
899  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 9]);
900  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 8]);
901  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 7]);
902  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 6]);
903  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 5]);
904  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 4]);
905  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 3]);
906  word3_muladd(&w1, &w0, &w2, x[ 9], y[ 2]);
907  word3_muladd(&w1, &w0, &w2, x[10], y[ 1]);
908  word3_muladd(&w1, &w0, &w2, x[11], y[ 0]);
909  z[11] = w2; w2 = 0;
910 
911  word3_muladd(&w2, &w1, &w0, x[ 0], y[12]);
912  word3_muladd(&w2, &w1, &w0, x[ 1], y[11]);
913  word3_muladd(&w2, &w1, &w0, x[ 2], y[10]);
914  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 9]);
915  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 8]);
916  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 7]);
917  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 6]);
918  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 5]);
919  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 4]);
920  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 3]);
921  word3_muladd(&w2, &w1, &w0, x[10], y[ 2]);
922  word3_muladd(&w2, &w1, &w0, x[11], y[ 1]);
923  word3_muladd(&w2, &w1, &w0, x[12], y[ 0]);
924  z[12] = w0; w0 = 0;
925 
926  word3_muladd(&w0, &w2, &w1, x[ 0], y[13]);
927  word3_muladd(&w0, &w2, &w1, x[ 1], y[12]);
928  word3_muladd(&w0, &w2, &w1, x[ 2], y[11]);
929  word3_muladd(&w0, &w2, &w1, x[ 3], y[10]);
930  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 9]);
931  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 8]);
932  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 7]);
933  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 6]);
934  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 5]);
935  word3_muladd(&w0, &w2, &w1, x[ 9], y[ 4]);
936  word3_muladd(&w0, &w2, &w1, x[10], y[ 3]);
937  word3_muladd(&w0, &w2, &w1, x[11], y[ 2]);
938  word3_muladd(&w0, &w2, &w1, x[12], y[ 1]);
939  word3_muladd(&w0, &w2, &w1, x[13], y[ 0]);
940  z[13] = w1; w1 = 0;
941 
942  word3_muladd(&w1, &w0, &w2, x[ 0], y[14]);
943  word3_muladd(&w1, &w0, &w2, x[ 1], y[13]);
944  word3_muladd(&w1, &w0, &w2, x[ 2], y[12]);
945  word3_muladd(&w1, &w0, &w2, x[ 3], y[11]);
946  word3_muladd(&w1, &w0, &w2, x[ 4], y[10]);
947  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 9]);
948  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 8]);
949  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 7]);
950  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 6]);
951  word3_muladd(&w1, &w0, &w2, x[ 9], y[ 5]);
952  word3_muladd(&w1, &w0, &w2, x[10], y[ 4]);
953  word3_muladd(&w1, &w0, &w2, x[11], y[ 3]);
954  word3_muladd(&w1, &w0, &w2, x[12], y[ 2]);
955  word3_muladd(&w1, &w0, &w2, x[13], y[ 1]);
956  word3_muladd(&w1, &w0, &w2, x[14], y[ 0]);
957  z[14] = w2; w2 = 0;
958 
959  word3_muladd(&w2, &w1, &w0, x[ 0], y[15]);
960  word3_muladd(&w2, &w1, &w0, x[ 1], y[14]);
961  word3_muladd(&w2, &w1, &w0, x[ 2], y[13]);
962  word3_muladd(&w2, &w1, &w0, x[ 3], y[12]);
963  word3_muladd(&w2, &w1, &w0, x[ 4], y[11]);
964  word3_muladd(&w2, &w1, &w0, x[ 5], y[10]);
965  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 9]);
966  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 8]);
967  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 7]);
968  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 6]);
969  word3_muladd(&w2, &w1, &w0, x[10], y[ 5]);
970  word3_muladd(&w2, &w1, &w0, x[11], y[ 4]);
971  word3_muladd(&w2, &w1, &w0, x[12], y[ 3]);
972  word3_muladd(&w2, &w1, &w0, x[13], y[ 2]);
973  word3_muladd(&w2, &w1, &w0, x[14], y[ 1]);
974  word3_muladd(&w2, &w1, &w0, x[15], y[ 0]);
975  z[15] = w0; w0 = 0;
976 
977  word3_muladd(&w0, &w2, &w1, x[ 1], y[15]);
978  word3_muladd(&w0, &w2, &w1, x[ 2], y[14]);
979  word3_muladd(&w0, &w2, &w1, x[ 3], y[13]);
980  word3_muladd(&w0, &w2, &w1, x[ 4], y[12]);
981  word3_muladd(&w0, &w2, &w1, x[ 5], y[11]);
982  word3_muladd(&w0, &w2, &w1, x[ 6], y[10]);
983  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 9]);
984  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 8]);
985  word3_muladd(&w0, &w2, &w1, x[ 9], y[ 7]);
986  word3_muladd(&w0, &w2, &w1, x[10], y[ 6]);
987  word3_muladd(&w0, &w2, &w1, x[11], y[ 5]);
988  word3_muladd(&w0, &w2, &w1, x[12], y[ 4]);
989  word3_muladd(&w0, &w2, &w1, x[13], y[ 3]);
990  word3_muladd(&w0, &w2, &w1, x[14], y[ 2]);
991  word3_muladd(&w0, &w2, &w1, x[15], y[ 1]);
992  z[16] = w1; w1 = 0;
993 
994  word3_muladd(&w1, &w0, &w2, x[ 2], y[15]);
995  word3_muladd(&w1, &w0, &w2, x[ 3], y[14]);
996  word3_muladd(&w1, &w0, &w2, x[ 4], y[13]);
997  word3_muladd(&w1, &w0, &w2, x[ 5], y[12]);
998  word3_muladd(&w1, &w0, &w2, x[ 6], y[11]);
999  word3_muladd(&w1, &w0, &w2, x[ 7], y[10]);
1000  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 9]);
1001  word3_muladd(&w1, &w0, &w2, x[ 9], y[ 8]);
1002  word3_muladd(&w1, &w0, &w2, x[10], y[ 7]);
1003  word3_muladd(&w1, &w0, &w2, x[11], y[ 6]);
1004  word3_muladd(&w1, &w0, &w2, x[12], y[ 5]);
1005  word3_muladd(&w1, &w0, &w2, x[13], y[ 4]);
1006  word3_muladd(&w1, &w0, &w2, x[14], y[ 3]);
1007  word3_muladd(&w1, &w0, &w2, x[15], y[ 2]);
1008  z[17] = w2; w2 = 0;
1009 
1010  word3_muladd(&w2, &w1, &w0, x[ 3], y[15]);
1011  word3_muladd(&w2, &w1, &w0, x[ 4], y[14]);
1012  word3_muladd(&w2, &w1, &w0, x[ 5], y[13]);
1013  word3_muladd(&w2, &w1, &w0, x[ 6], y[12]);
1014  word3_muladd(&w2, &w1, &w0, x[ 7], y[11]);
1015  word3_muladd(&w2, &w1, &w0, x[ 8], y[10]);
1016  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 9]);
1017  word3_muladd(&w2, &w1, &w0, x[10], y[ 8]);
1018  word3_muladd(&w2, &w1, &w0, x[11], y[ 7]);
1019  word3_muladd(&w2, &w1, &w0, x[12], y[ 6]);
1020  word3_muladd(&w2, &w1, &w0, x[13], y[ 5]);
1021  word3_muladd(&w2, &w1, &w0, x[14], y[ 4]);
1022  word3_muladd(&w2, &w1, &w0, x[15], y[ 3]);
1023  z[18] = w0; w0 = 0;
1024 
1025  word3_muladd(&w0, &w2, &w1, x[ 4], y[15]);
1026  word3_muladd(&w0, &w2, &w1, x[ 5], y[14]);
1027  word3_muladd(&w0, &w2, &w1, x[ 6], y[13]);
1028  word3_muladd(&w0, &w2, &w1, x[ 7], y[12]);
1029  word3_muladd(&w0, &w2, &w1, x[ 8], y[11]);
1030  word3_muladd(&w0, &w2, &w1, x[ 9], y[10]);
1031  word3_muladd(&w0, &w2, &w1, x[10], y[ 9]);
1032  word3_muladd(&w0, &w2, &w1, x[11], y[ 8]);
1033  word3_muladd(&w0, &w2, &w1, x[12], y[ 7]);
1034  word3_muladd(&w0, &w2, &w1, x[13], y[ 6]);
1035  word3_muladd(&w0, &w2, &w1, x[14], y[ 5]);
1036  word3_muladd(&w0, &w2, &w1, x[15], y[ 4]);
1037  z[19] = w1; w1 = 0;
1038 
1039  word3_muladd(&w1, &w0, &w2, x[ 5], y[15]);
1040  word3_muladd(&w1, &w0, &w2, x[ 6], y[14]);
1041  word3_muladd(&w1, &w0, &w2, x[ 7], y[13]);
1042  word3_muladd(&w1, &w0, &w2, x[ 8], y[12]);
1043  word3_muladd(&w1, &w0, &w2, x[ 9], y[11]);
1044  word3_muladd(&w1, &w0, &w2, x[10], y[10]);
1045  word3_muladd(&w1, &w0, &w2, x[11], y[ 9]);
1046  word3_muladd(&w1, &w0, &w2, x[12], y[ 8]);
1047  word3_muladd(&w1, &w0, &w2, x[13], y[ 7]);
1048  word3_muladd(&w1, &w0, &w2, x[14], y[ 6]);
1049  word3_muladd(&w1, &w0, &w2, x[15], y[ 5]);
1050  z[20] = w2; w2 = 0;
1051 
1052  word3_muladd(&w2, &w1, &w0, x[ 6], y[15]);
1053  word3_muladd(&w2, &w1, &w0, x[ 7], y[14]);
1054  word3_muladd(&w2, &w1, &w0, x[ 8], y[13]);
1055  word3_muladd(&w2, &w1, &w0, x[ 9], y[12]);
1056  word3_muladd(&w2, &w1, &w0, x[10], y[11]);
1057  word3_muladd(&w2, &w1, &w0, x[11], y[10]);
1058  word3_muladd(&w2, &w1, &w0, x[12], y[ 9]);
1059  word3_muladd(&w2, &w1, &w0, x[13], y[ 8]);
1060  word3_muladd(&w2, &w1, &w0, x[14], y[ 7]);
1061  word3_muladd(&w2, &w1, &w0, x[15], y[ 6]);
1062  z[21] = w0; w0 = 0;
1063 
1064  word3_muladd(&w0, &w2, &w1, x[ 7], y[15]);
1065  word3_muladd(&w0, &w2, &w1, x[ 8], y[14]);
1066  word3_muladd(&w0, &w2, &w1, x[ 9], y[13]);
1067  word3_muladd(&w0, &w2, &w1, x[10], y[12]);
1068  word3_muladd(&w0, &w2, &w1, x[11], y[11]);
1069  word3_muladd(&w0, &w2, &w1, x[12], y[10]);
1070  word3_muladd(&w0, &w2, &w1, x[13], y[ 9]);
1071  word3_muladd(&w0, &w2, &w1, x[14], y[ 8]);
1072  word3_muladd(&w0, &w2, &w1, x[15], y[ 7]);
1073  z[22] = w1; w1 = 0;
1074 
1075  word3_muladd(&w1, &w0, &w2, x[ 8], y[15]);
1076  word3_muladd(&w1, &w0, &w2, x[ 9], y[14]);
1077  word3_muladd(&w1, &w0, &w2, x[10], y[13]);
1078  word3_muladd(&w1, &w0, &w2, x[11], y[12]);
1079  word3_muladd(&w1, &w0, &w2, x[12], y[11]);
1080  word3_muladd(&w1, &w0, &w2, x[13], y[10]);
1081  word3_muladd(&w1, &w0, &w2, x[14], y[ 9]);
1082  word3_muladd(&w1, &w0, &w2, x[15], y[ 8]);
1083  z[23] = w2; w2 = 0;
1084 
1085  word3_muladd(&w2, &w1, &w0, x[ 9], y[15]);
1086  word3_muladd(&w2, &w1, &w0, x[10], y[14]);
1087  word3_muladd(&w2, &w1, &w0, x[11], y[13]);
1088  word3_muladd(&w2, &w1, &w0, x[12], y[12]);
1089  word3_muladd(&w2, &w1, &w0, x[13], y[11]);
1090  word3_muladd(&w2, &w1, &w0, x[14], y[10]);
1091  word3_muladd(&w2, &w1, &w0, x[15], y[ 9]);
1092  z[24] = w0; w0 = 0;
1093 
1094  word3_muladd(&w0, &w2, &w1, x[10], y[15]);
1095  word3_muladd(&w0, &w2, &w1, x[11], y[14]);
1096  word3_muladd(&w0, &w2, &w1, x[12], y[13]);
1097  word3_muladd(&w0, &w2, &w1, x[13], y[12]);
1098  word3_muladd(&w0, &w2, &w1, x[14], y[11]);
1099  word3_muladd(&w0, &w2, &w1, x[15], y[10]);
1100  z[25] = w1; w1 = 0;
1101 
1102  word3_muladd(&w1, &w0, &w2, x[11], y[15]);
1103  word3_muladd(&w1, &w0, &w2, x[12], y[14]);
1104  word3_muladd(&w1, &w0, &w2, x[13], y[13]);
1105  word3_muladd(&w1, &w0, &w2, x[14], y[12]);
1106  word3_muladd(&w1, &w0, &w2, x[15], y[11]);
1107  z[26] = w2; w2 = 0;
1108 
1109  word3_muladd(&w2, &w1, &w0, x[12], y[15]);
1110  word3_muladd(&w2, &w1, &w0, x[13], y[14]);
1111  word3_muladd(&w2, &w1, &w0, x[14], y[13]);
1112  word3_muladd(&w2, &w1, &w0, x[15], y[12]);
1113  z[27] = w0; w0 = 0;
1114 
1115  word3_muladd(&w0, &w2, &w1, x[13], y[15]);
1116  word3_muladd(&w0, &w2, &w1, x[14], y[14]);
1117  word3_muladd(&w0, &w2, &w1, x[15], y[13]);
1118  z[28] = w1; w1 = 0;
1119 
1120  word3_muladd(&w1, &w0, &w2, x[14], y[15]);
1121  word3_muladd(&w1, &w0, &w2, x[15], y[14]);
1122  z[29] = w2; w2 = 0;
1123 
1124  word3_muladd(&w2, &w1, &w0, x[15], y[15]);
1125  z[30] = w0;
1126  z[31] = w1;
1127  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void Botan::bigint_comba_mul24 ( word  z[48],
const word  x[24],
const word  y[24] 
)

Definition at line 1535 of file mp_comba.cpp.

References word3_muladd().

Referenced by bigint_mul().

1536  {
1537  word w2 = 0, w1 = 0, w0 = 0;
1538 
1539  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 0]);
1540  z[ 0] = w0; w0 = 0;
1541 
1542  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 1]);
1543  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 0]);
1544  z[ 1] = w1; w1 = 0;
1545 
1546  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 2]);
1547  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 1]);
1548  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 0]);
1549  z[ 2] = w2; w2 = 0;
1550 
1551  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 3]);
1552  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 2]);
1553  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 1]);
1554  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 0]);
1555  z[ 3] = w0; w0 = 0;
1556 
1557  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 4]);
1558  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 3]);
1559  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 2]);
1560  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 1]);
1561  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 0]);
1562  z[ 4] = w1; w1 = 0;
1563 
1564  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 5]);
1565  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 4]);
1566  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 3]);
1567  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 2]);
1568  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 1]);
1569  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 0]);
1570  z[ 5] = w2; w2 = 0;
1571 
1572  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 6]);
1573  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 5]);
1574  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 4]);
1575  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 3]);
1576  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 2]);
1577  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 1]);
1578  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 0]);
1579  z[ 6] = w0; w0 = 0;
1580 
1581  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 7]);
1582  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 6]);
1583  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 5]);
1584  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 4]);
1585  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 3]);
1586  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 2]);
1587  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 1]);
1588  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 0]);
1589  z[ 7] = w1; w1 = 0;
1590 
1591  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 8]);
1592  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 7]);
1593  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 6]);
1594  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 5]);
1595  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 4]);
1596  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 3]);
1597  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 2]);
1598  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 1]);
1599  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 0]);
1600  z[ 8] = w2; w2 = 0;
1601 
1602  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 9]);
1603  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 8]);
1604  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 7]);
1605  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 6]);
1606  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 5]);
1607  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 4]);
1608  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 3]);
1609  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 2]);
1610  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 1]);
1611  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 0]);
1612  z[ 9] = w0; w0 = 0;
1613 
1614  word3_muladd(&w0, &w2, &w1, x[ 0], y[10]);
1615  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 9]);
1616  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 8]);
1617  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 7]);
1618  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 6]);
1619  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 5]);
1620  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 4]);
1621  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 3]);
1622  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 2]);
1623  word3_muladd(&w0, &w2, &w1, x[ 9], y[ 1]);
1624  word3_muladd(&w0, &w2, &w1, x[10], y[ 0]);
1625  z[10] = w1; w1 = 0;
1626 
1627  word3_muladd(&w1, &w0, &w2, x[ 0], y[11]);
1628  word3_muladd(&w1, &w0, &w2, x[ 1], y[10]);
1629  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 9]);
1630  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 8]);
1631  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 7]);
1632  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 6]);
1633  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 5]);
1634  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 4]);
1635  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 3]);
1636  word3_muladd(&w1, &w0, &w2, x[ 9], y[ 2]);
1637  word3_muladd(&w1, &w0, &w2, x[10], y[ 1]);
1638  word3_muladd(&w1, &w0, &w2, x[11], y[ 0]);
1639  z[11] = w2; w2 = 0;
1640 
1641  word3_muladd(&w2, &w1, &w0, x[ 0], y[12]);
1642  word3_muladd(&w2, &w1, &w0, x[ 1], y[11]);
1643  word3_muladd(&w2, &w1, &w0, x[ 2], y[10]);
1644  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 9]);
1645  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 8]);
1646  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 7]);
1647  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 6]);
1648  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 5]);
1649  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 4]);
1650  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 3]);
1651  word3_muladd(&w2, &w1, &w0, x[10], y[ 2]);
1652  word3_muladd(&w2, &w1, &w0, x[11], y[ 1]);
1653  word3_muladd(&w2, &w1, &w0, x[12], y[ 0]);
1654  z[12] = w0; w0 = 0;
1655 
1656  word3_muladd(&w0, &w2, &w1, x[ 0], y[13]);
1657  word3_muladd(&w0, &w2, &w1, x[ 1], y[12]);
1658  word3_muladd(&w0, &w2, &w1, x[ 2], y[11]);
1659  word3_muladd(&w0, &w2, &w1, x[ 3], y[10]);
1660  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 9]);
1661  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 8]);
1662  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 7]);
1663  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 6]);
1664  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 5]);
1665  word3_muladd(&w0, &w2, &w1, x[ 9], y[ 4]);
1666  word3_muladd(&w0, &w2, &w1, x[10], y[ 3]);
1667  word3_muladd(&w0, &w2, &w1, x[11], y[ 2]);
1668  word3_muladd(&w0, &w2, &w1, x[12], y[ 1]);
1669  word3_muladd(&w0, &w2, &w1, x[13], y[ 0]);
1670  z[13] = w1; w1 = 0;
1671 
1672  word3_muladd(&w1, &w0, &w2, x[ 0], y[14]);
1673  word3_muladd(&w1, &w0, &w2, x[ 1], y[13]);
1674  word3_muladd(&w1, &w0, &w2, x[ 2], y[12]);
1675  word3_muladd(&w1, &w0, &w2, x[ 3], y[11]);
1676  word3_muladd(&w1, &w0, &w2, x[ 4], y[10]);
1677  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 9]);
1678  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 8]);
1679  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 7]);
1680  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 6]);
1681  word3_muladd(&w1, &w0, &w2, x[ 9], y[ 5]);
1682  word3_muladd(&w1, &w0, &w2, x[10], y[ 4]);
1683  word3_muladd(&w1, &w0, &w2, x[11], y[ 3]);
1684  word3_muladd(&w1, &w0, &w2, x[12], y[ 2]);
1685  word3_muladd(&w1, &w0, &w2, x[13], y[ 1]);
1686  word3_muladd(&w1, &w0, &w2, x[14], y[ 0]);
1687  z[14] = w2; w2 = 0;
1688 
1689  word3_muladd(&w2, &w1, &w0, x[ 0], y[15]);
1690  word3_muladd(&w2, &w1, &w0, x[ 1], y[14]);
1691  word3_muladd(&w2, &w1, &w0, x[ 2], y[13]);
1692  word3_muladd(&w2, &w1, &w0, x[ 3], y[12]);
1693  word3_muladd(&w2, &w1, &w0, x[ 4], y[11]);
1694  word3_muladd(&w2, &w1, &w0, x[ 5], y[10]);
1695  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 9]);
1696  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 8]);
1697  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 7]);
1698  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 6]);
1699  word3_muladd(&w2, &w1, &w0, x[10], y[ 5]);
1700  word3_muladd(&w2, &w1, &w0, x[11], y[ 4]);
1701  word3_muladd(&w2, &w1, &w0, x[12], y[ 3]);
1702  word3_muladd(&w2, &w1, &w0, x[13], y[ 2]);
1703  word3_muladd(&w2, &w1, &w0, x[14], y[ 1]);
1704  word3_muladd(&w2, &w1, &w0, x[15], y[ 0]);
1705  z[15] = w0; w0 = 0;
1706 
1707  word3_muladd(&w0, &w2, &w1, x[ 0], y[16]);
1708  word3_muladd(&w0, &w2, &w1, x[ 1], y[15]);
1709  word3_muladd(&w0, &w2, &w1, x[ 2], y[14]);
1710  word3_muladd(&w0, &w2, &w1, x[ 3], y[13]);
1711  word3_muladd(&w0, &w2, &w1, x[ 4], y[12]);
1712  word3_muladd(&w0, &w2, &w1, x[ 5], y[11]);
1713  word3_muladd(&w0, &w2, &w1, x[ 6], y[10]);
1714  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 9]);
1715  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 8]);
1716  word3_muladd(&w0, &w2, &w1, x[ 9], y[ 7]);
1717  word3_muladd(&w0, &w2, &w1, x[10], y[ 6]);
1718  word3_muladd(&w0, &w2, &w1, x[11], y[ 5]);
1719  word3_muladd(&w0, &w2, &w1, x[12], y[ 4]);
1720  word3_muladd(&w0, &w2, &w1, x[13], y[ 3]);
1721  word3_muladd(&w0, &w2, &w1, x[14], y[ 2]);
1722  word3_muladd(&w0, &w2, &w1, x[15], y[ 1]);
1723  word3_muladd(&w0, &w2, &w1, x[16], y[ 0]);
1724  z[16] = w1; w1 = 0;
1725 
1726  word3_muladd(&w1, &w0, &w2, x[ 0], y[17]);
1727  word3_muladd(&w1, &w0, &w2, x[ 1], y[16]);
1728  word3_muladd(&w1, &w0, &w2, x[ 2], y[15]);
1729  word3_muladd(&w1, &w0, &w2, x[ 3], y[14]);
1730  word3_muladd(&w1, &w0, &w2, x[ 4], y[13]);
1731  word3_muladd(&w1, &w0, &w2, x[ 5], y[12]);
1732  word3_muladd(&w1, &w0, &w2, x[ 6], y[11]);
1733  word3_muladd(&w1, &w0, &w2, x[ 7], y[10]);
1734  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 9]);
1735  word3_muladd(&w1, &w0, &w2, x[ 9], y[ 8]);
1736  word3_muladd(&w1, &w0, &w2, x[10], y[ 7]);
1737  word3_muladd(&w1, &w0, &w2, x[11], y[ 6]);
1738  word3_muladd(&w1, &w0, &w2, x[12], y[ 5]);
1739  word3_muladd(&w1, &w0, &w2, x[13], y[ 4]);
1740  word3_muladd(&w1, &w0, &w2, x[14], y[ 3]);
1741  word3_muladd(&w1, &w0, &w2, x[15], y[ 2]);
1742  word3_muladd(&w1, &w0, &w2, x[16], y[ 1]);
1743  word3_muladd(&w1, &w0, &w2, x[17], y[ 0]);
1744  z[17] = w2; w2 = 0;
1745 
1746  word3_muladd(&w2, &w1, &w0, x[ 0], y[18]);
1747  word3_muladd(&w2, &w1, &w0, x[ 1], y[17]);
1748  word3_muladd(&w2, &w1, &w0, x[ 2], y[16]);
1749  word3_muladd(&w2, &w1, &w0, x[ 3], y[15]);
1750  word3_muladd(&w2, &w1, &w0, x[ 4], y[14]);
1751  word3_muladd(&w2, &w1, &w0, x[ 5], y[13]);
1752  word3_muladd(&w2, &w1, &w0, x[ 6], y[12]);
1753  word3_muladd(&w2, &w1, &w0, x[ 7], y[11]);
1754  word3_muladd(&w2, &w1, &w0, x[ 8], y[10]);
1755  word3_muladd(&w2, &w1, &w0, x[ 9], y[ 9]);
1756  word3_muladd(&w2, &w1, &w0, x[10], y[ 8]);
1757  word3_muladd(&w2, &w1, &w0, x[11], y[ 7]);
1758  word3_muladd(&w2, &w1, &w0, x[12], y[ 6]);
1759  word3_muladd(&w2, &w1, &w0, x[13], y[ 5]);
1760  word3_muladd(&w2, &w1, &w0, x[14], y[ 4]);
1761  word3_muladd(&w2, &w1, &w0, x[15], y[ 3]);
1762  word3_muladd(&w2, &w1, &w0, x[16], y[ 2]);
1763  word3_muladd(&w2, &w1, &w0, x[17], y[ 1]);
1764  word3_muladd(&w2, &w1, &w0, x[18], y[ 0]);
1765  z[18] = w0; w0 = 0;
1766 
1767  word3_muladd(&w0, &w2, &w1, x[ 0], y[19]);
1768  word3_muladd(&w0, &w2, &w1, x[ 1], y[18]);
1769  word3_muladd(&w0, &w2, &w1, x[ 2], y[17]);
1770  word3_muladd(&w0, &w2, &w1, x[ 3], y[16]);
1771  word3_muladd(&w0, &w2, &w1, x[ 4], y[15]);
1772  word3_muladd(&w0, &w2, &w1, x[ 5], y[14]);
1773  word3_muladd(&w0, &w2, &w1, x[ 6], y[13]);
1774  word3_muladd(&w0, &w2, &w1, x[ 7], y[12]);
1775  word3_muladd(&w0, &w2, &w1, x[ 8], y[11]);
1776  word3_muladd(&w0, &w2, &w1, x[ 9], y[10]);
1777  word3_muladd(&w0, &w2, &w1, x[10], y[ 9]);
1778  word3_muladd(&w0, &w2, &w1, x[11], y[ 8]);
1779  word3_muladd(&w0, &w2, &w1, x[12], y[ 7]);
1780  word3_muladd(&w0, &w2, &w1, x[13], y[ 6]);
1781  word3_muladd(&w0, &w2, &w1, x[14], y[ 5]);
1782  word3_muladd(&w0, &w2, &w1, x[15], y[ 4]);
1783  word3_muladd(&w0, &w2, &w1, x[16], y[ 3]);
1784  word3_muladd(&w0, &w2, &w1, x[17], y[ 2]);
1785  word3_muladd(&w0, &w2, &w1, x[18], y[ 1]);
1786  word3_muladd(&w0, &w2, &w1, x[19], y[ 0]);
1787  z[19] = w1; w1 = 0;
1788 
1789  word3_muladd(&w1, &w0, &w2, x[ 0], y[20]);
1790  word3_muladd(&w1, &w0, &w2, x[ 1], y[19]);
1791  word3_muladd(&w1, &w0, &w2, x[ 2], y[18]);
1792  word3_muladd(&w1, &w0, &w2, x[ 3], y[17]);
1793  word3_muladd(&w1, &w0, &w2, x[ 4], y[16]);
1794  word3_muladd(&w1, &w0, &w2, x[ 5], y[15]);
1795  word3_muladd(&w1, &w0, &w2, x[ 6], y[14]);
1796  word3_muladd(&w1, &w0, &w2, x[ 7], y[13]);
1797  word3_muladd(&w1, &w0, &w2, x[ 8], y[12]);
1798  word3_muladd(&w1, &w0, &w2, x[ 9], y[11]);
1799  word3_muladd(&w1, &w0, &w2, x[10], y[10]);
1800  word3_muladd(&w1, &w0, &w2, x[11], y[ 9]);
1801  word3_muladd(&w1, &w0, &w2, x[12], y[ 8]);
1802  word3_muladd(&w1, &w0, &w2, x[13], y[ 7]);
1803  word3_muladd(&w1, &w0, &w2, x[14], y[ 6]);
1804  word3_muladd(&w1, &w0, &w2, x[15], y[ 5]);
1805  word3_muladd(&w1, &w0, &w2, x[16], y[ 4]);
1806  word3_muladd(&w1, &w0, &w2, x[17], y[ 3]);
1807  word3_muladd(&w1, &w0, &w2, x[18], y[ 2]);
1808  word3_muladd(&w1, &w0, &w2, x[19], y[ 1]);
1809  word3_muladd(&w1, &w0, &w2, x[20], y[ 0]);
1810  z[20] = w2; w2 = 0;
1811 
1812  word3_muladd(&w2, &w1, &w0, x[ 0], y[21]);
1813  word3_muladd(&w2, &w1, &w0, x[ 1], y[20]);
1814  word3_muladd(&w2, &w1, &w0, x[ 2], y[19]);
1815  word3_muladd(&w2, &w1, &w0, x[ 3], y[18]);
1816  word3_muladd(&w2, &w1, &w0, x[ 4], y[17]);
1817  word3_muladd(&w2, &w1, &w0, x[ 5], y[16]);
1818  word3_muladd(&w2, &w1, &w0, x[ 6], y[15]);
1819  word3_muladd(&w2, &w1, &w0, x[ 7], y[14]);
1820  word3_muladd(&w2, &w1, &w0, x[ 8], y[13]);
1821  word3_muladd(&w2, &w1, &w0, x[ 9], y[12]);
1822  word3_muladd(&w2, &w1, &w0, x[10], y[11]);
1823  word3_muladd(&w2, &w1, &w0, x[11], y[10]);
1824  word3_muladd(&w2, &w1, &w0, x[12], y[ 9]);
1825  word3_muladd(&w2, &w1, &w0, x[13], y[ 8]);
1826  word3_muladd(&w2, &w1, &w0, x[14], y[ 7]);
1827  word3_muladd(&w2, &w1, &w0, x[15], y[ 6]);
1828  word3_muladd(&w2, &w1, &w0, x[16], y[ 5]);
1829  word3_muladd(&w2, &w1, &w0, x[17], y[ 4]);
1830  word3_muladd(&w2, &w1, &w0, x[18], y[ 3]);
1831  word3_muladd(&w2, &w1, &w0, x[19], y[ 2]);
1832  word3_muladd(&w2, &w1, &w0, x[20], y[ 1]);
1833  word3_muladd(&w2, &w1, &w0, x[21], y[ 0]);
1834  z[21] = w0; w0 = 0;
1835 
1836  word3_muladd(&w0, &w2, &w1, x[ 0], y[22]);
1837  word3_muladd(&w0, &w2, &w1, x[ 1], y[21]);
1838  word3_muladd(&w0, &w2, &w1, x[ 2], y[20]);
1839  word3_muladd(&w0, &w2, &w1, x[ 3], y[19]);
1840  word3_muladd(&w0, &w2, &w1, x[ 4], y[18]);
1841  word3_muladd(&w0, &w2, &w1, x[ 5], y[17]);
1842  word3_muladd(&w0, &w2, &w1, x[ 6], y[16]);
1843  word3_muladd(&w0, &w2, &w1, x[ 7], y[15]);
1844  word3_muladd(&w0, &w2, &w1, x[ 8], y[14]);
1845  word3_muladd(&w0, &w2, &w1, x[ 9], y[13]);
1846  word3_muladd(&w0, &w2, &w1, x[10], y[12]);
1847  word3_muladd(&w0, &w2, &w1, x[11], y[11]);
1848  word3_muladd(&w0, &w2, &w1, x[12], y[10]);
1849  word3_muladd(&w0, &w2, &w1, x[13], y[ 9]);
1850  word3_muladd(&w0, &w2, &w1, x[14], y[ 8]);
1851  word3_muladd(&w0, &w2, &w1, x[15], y[ 7]);
1852  word3_muladd(&w0, &w2, &w1, x[16], y[ 6]);
1853  word3_muladd(&w0, &w2, &w1, x[17], y[ 5]);
1854  word3_muladd(&w0, &w2, &w1, x[18], y[ 4]);
1855  word3_muladd(&w0, &w2, &w1, x[19], y[ 3]);
1856  word3_muladd(&w0, &w2, &w1, x[20], y[ 2]);
1857  word3_muladd(&w0, &w2, &w1, x[21], y[ 1]);
1858  word3_muladd(&w0, &w2, &w1, x[22], y[ 0]);
1859  z[22] = w1; w1 = 0;
1860 
1861  word3_muladd(&w1, &w0, &w2, x[ 0], y[23]);
1862  word3_muladd(&w1, &w0, &w2, x[ 1], y[22]);
1863  word3_muladd(&w1, &w0, &w2, x[ 2], y[21]);
1864  word3_muladd(&w1, &w0, &w2, x[ 3], y[20]);
1865  word3_muladd(&w1, &w0, &w2, x[ 4], y[19]);
1866  word3_muladd(&w1, &w0, &w2, x[ 5], y[18]);
1867  word3_muladd(&w1, &w0, &w2, x[ 6], y[17]);
1868  word3_muladd(&w1, &w0, &w2, x[ 7], y[16]);
1869  word3_muladd(&w1, &w0, &w2, x[ 8], y[15]);
1870  word3_muladd(&w1, &w0, &w2, x[ 9], y[14]);
1871  word3_muladd(&w1, &w0, &w2, x[10], y[13]);
1872  word3_muladd(&w1, &w0, &w2, x[11], y[12]);
1873  word3_muladd(&w1, &w0, &w2, x[12], y[11]);
1874  word3_muladd(&w1, &w0, &w2, x[13], y[10]);
1875  word3_muladd(&w1, &w0, &w2, x[14], y[ 9]);
1876  word3_muladd(&w1, &w0, &w2, x[15], y[ 8]);
1877  word3_muladd(&w1, &w0, &w2, x[16], y[ 7]);
1878  word3_muladd(&w1, &w0, &w2, x[17], y[ 6]);
1879  word3_muladd(&w1, &w0, &w2, x[18], y[ 5]);
1880  word3_muladd(&w1, &w0, &w2, x[19], y[ 4]);
1881  word3_muladd(&w1, &w0, &w2, x[20], y[ 3]);
1882  word3_muladd(&w1, &w0, &w2, x[21], y[ 2]);
1883  word3_muladd(&w1, &w0, &w2, x[22], y[ 1]);
1884  word3_muladd(&w1, &w0, &w2, x[23], y[ 0]);
1885  z[23] = w2; w2 = 0;
1886 
1887  word3_muladd(&w2, &w1, &w0, x[ 1], y[23]);
1888  word3_muladd(&w2, &w1, &w0, x[ 2], y[22]);
1889  word3_muladd(&w2, &w1, &w0, x[ 3], y[21]);
1890  word3_muladd(&w2, &w1, &w0, x[ 4], y[20]);
1891  word3_muladd(&w2, &w1, &w0, x[ 5], y[19]);
1892  word3_muladd(&w2, &w1, &w0, x[ 6], y[18]);
1893  word3_muladd(&w2, &w1, &w0, x[ 7], y[17]);
1894  word3_muladd(&w2, &w1, &w0, x[ 8], y[16]);
1895  word3_muladd(&w2, &w1, &w0, x[ 9], y[15]);
1896  word3_muladd(&w2, &w1, &w0, x[10], y[14]);
1897  word3_muladd(&w2, &w1, &w0, x[11], y[13]);
1898  word3_muladd(&w2, &w1, &w0, x[12], y[12]);
1899  word3_muladd(&w2, &w1, &w0, x[13], y[11]);
1900  word3_muladd(&w2, &w1, &w0, x[14], y[10]);
1901  word3_muladd(&w2, &w1, &w0, x[15], y[ 9]);
1902  word3_muladd(&w2, &w1, &w0, x[16], y[ 8]);
1903  word3_muladd(&w2, &w1, &w0, x[17], y[ 7]);
1904  word3_muladd(&w2, &w1, &w0, x[18], y[ 6]);
1905  word3_muladd(&w2, &w1, &w0, x[19], y[ 5]);
1906  word3_muladd(&w2, &w1, &w0, x[20], y[ 4]);
1907  word3_muladd(&w2, &w1, &w0, x[21], y[ 3]);
1908  word3_muladd(&w2, &w1, &w0, x[22], y[ 2]);
1909  word3_muladd(&w2, &w1, &w0, x[23], y[ 1]);
1910  z[24] = w0; w0 = 0;
1911 
1912  word3_muladd(&w0, &w2, &w1, x[ 2], y[23]);
1913  word3_muladd(&w0, &w2, &w1, x[ 3], y[22]);
1914  word3_muladd(&w0, &w2, &w1, x[ 4], y[21]);
1915  word3_muladd(&w0, &w2, &w1, x[ 5], y[20]);
1916  word3_muladd(&w0, &w2, &w1, x[ 6], y[19]);
1917  word3_muladd(&w0, &w2, &w1, x[ 7], y[18]);
1918  word3_muladd(&w0, &w2, &w1, x[ 8], y[17]);
1919  word3_muladd(&w0, &w2, &w1, x[ 9], y[16]);
1920  word3_muladd(&w0, &w2, &w1, x[10], y[15]);
1921  word3_muladd(&w0, &w2, &w1, x[11], y[14]);
1922  word3_muladd(&w0, &w2, &w1, x[12], y[13]);
1923  word3_muladd(&w0, &w2, &w1, x[13], y[12]);
1924  word3_muladd(&w0, &w2, &w1, x[14], y[11]);
1925  word3_muladd(&w0, &w2, &w1, x[15], y[10]);
1926  word3_muladd(&w0, &w2, &w1, x[16], y[ 9]);
1927  word3_muladd(&w0, &w2, &w1, x[17], y[ 8]);
1928  word3_muladd(&w0, &w2, &w1, x[18], y[ 7]);
1929  word3_muladd(&w0, &w2, &w1, x[19], y[ 6]);
1930  word3_muladd(&w0, &w2, &w1, x[20], y[ 5]);
1931  word3_muladd(&w0, &w2, &w1, x[21], y[ 4]);
1932  word3_muladd(&w0, &w2, &w1, x[22], y[ 3]);
1933  word3_muladd(&w0, &w2, &w1, x[23], y[ 2]);
1934  z[25] = w1; w1 = 0;
1935 
1936  word3_muladd(&w1, &w0, &w2, x[ 3], y[23]);
1937  word3_muladd(&w1, &w0, &w2, x[ 4], y[22]);
1938  word3_muladd(&w1, &w0, &w2, x[ 5], y[21]);
1939  word3_muladd(&w1, &w0, &w2, x[ 6], y[20]);
1940  word3_muladd(&w1, &w0, &w2, x[ 7], y[19]);
1941  word3_muladd(&w1, &w0, &w2, x[ 8], y[18]);
1942  word3_muladd(&w1, &w0, &w2, x[ 9], y[17]);
1943  word3_muladd(&w1, &w0, &w2, x[10], y[16]);
1944  word3_muladd(&w1, &w0, &w2, x[11], y[15]);
1945  word3_muladd(&w1, &w0, &w2, x[12], y[14]);
1946  word3_muladd(&w1, &w0, &w2, x[13], y[13]);
1947  word3_muladd(&w1, &w0, &w2, x[14], y[12]);
1948  word3_muladd(&w1, &w0, &w2, x[15], y[11]);
1949  word3_muladd(&w1, &w0, &w2, x[16], y[10]);
1950  word3_muladd(&w1, &w0, &w2, x[17], y[ 9]);
1951  word3_muladd(&w1, &w0, &w2, x[18], y[ 8]);
1952  word3_muladd(&w1, &w0, &w2, x[19], y[ 7]);
1953  word3_muladd(&w1, &w0, &w2, x[20], y[ 6]);
1954  word3_muladd(&w1, &w0, &w2, x[21], y[ 5]);
1955  word3_muladd(&w1, &w0, &w2, x[22], y[ 4]);
1956  word3_muladd(&w1, &w0, &w2, x[23], y[ 3]);
1957  z[26] = w2; w2 = 0;
1958 
1959  word3_muladd(&w2, &w1, &w0, x[ 4], y[23]);
1960  word3_muladd(&w2, &w1, &w0, x[ 5], y[22]);
1961  word3_muladd(&w2, &w1, &w0, x[ 6], y[21]);
1962  word3_muladd(&w2, &w1, &w0, x[ 7], y[20]);
1963  word3_muladd(&w2, &w1, &w0, x[ 8], y[19]);
1964  word3_muladd(&w2, &w1, &w0, x[ 9], y[18]);
1965  word3_muladd(&w2, &w1, &w0, x[10], y[17]);
1966  word3_muladd(&w2, &w1, &w0, x[11], y[16]);
1967  word3_muladd(&w2, &w1, &w0, x[12], y[15]);
1968  word3_muladd(&w2, &w1, &w0, x[13], y[14]);
1969  word3_muladd(&w2, &w1, &w0, x[14], y[13]);
1970  word3_muladd(&w2, &w1, &w0, x[15], y[12]);
1971  word3_muladd(&w2, &w1, &w0, x[16], y[11]);
1972  word3_muladd(&w2, &w1, &w0, x[17], y[10]);
1973  word3_muladd(&w2, &w1, &w0, x[18], y[ 9]);
1974  word3_muladd(&w2, &w1, &w0, x[19], y[ 8]);
1975  word3_muladd(&w2, &w1, &w0, x[20], y[ 7]);
1976  word3_muladd(&w2, &w1, &w0, x[21], y[ 6]);
1977  word3_muladd(&w2, &w1, &w0, x[22], y[ 5]);
1978  word3_muladd(&w2, &w1, &w0, x[23], y[ 4]);
1979  z[27] = w0; w0 = 0;
1980 
1981  word3_muladd(&w0, &w2, &w1, x[ 5], y[23]);
1982  word3_muladd(&w0, &w2, &w1, x[ 6], y[22]);
1983  word3_muladd(&w0, &w2, &w1, x[ 7], y[21]);
1984  word3_muladd(&w0, &w2, &w1, x[ 8], y[20]);
1985  word3_muladd(&w0, &w2, &w1, x[ 9], y[19]);
1986  word3_muladd(&w0, &w2, &w1, x[10], y[18]);
1987  word3_muladd(&w0, &w2, &w1, x[11], y[17]);
1988  word3_muladd(&w0, &w2, &w1, x[12], y[16]);
1989  word3_muladd(&w0, &w2, &w1, x[13], y[15]);
1990  word3_muladd(&w0, &w2, &w1, x[14], y[14]);
1991  word3_muladd(&w0, &w2, &w1, x[15], y[13]);
1992  word3_muladd(&w0, &w2, &w1, x[16], y[12]);
1993  word3_muladd(&w0, &w2, &w1, x[17], y[11]);
1994  word3_muladd(&w0, &w2, &w1, x[18], y[10]);
1995  word3_muladd(&w0, &w2, &w1, x[19], y[ 9]);
1996  word3_muladd(&w0, &w2, &w1, x[20], y[ 8]);
1997  word3_muladd(&w0, &w2, &w1, x[21], y[ 7]);
1998  word3_muladd(&w0, &w2, &w1, x[22], y[ 6]);
1999  word3_muladd(&w0, &w2, &w1, x[23], y[ 5]);
2000  z[28] = w1; w1 = 0;
2001 
2002  word3_muladd(&w1, &w0, &w2, x[ 6], y[23]);
2003  word3_muladd(&w1, &w0, &w2, x[ 7], y[22]);
2004  word3_muladd(&w1, &w0, &w2, x[ 8], y[21]);
2005  word3_muladd(&w1, &w0, &w2, x[ 9], y[20]);
2006  word3_muladd(&w1, &w0, &w2, x[10], y[19]);
2007  word3_muladd(&w1, &w0, &w2, x[11], y[18]);
2008  word3_muladd(&w1, &w0, &w2, x[12], y[17]);
2009  word3_muladd(&w1, &w0, &w2, x[13], y[16]);
2010  word3_muladd(&w1, &w0, &w2, x[14], y[15]);
2011  word3_muladd(&w1, &w0, &w2, x[15], y[14]);
2012  word3_muladd(&w1, &w0, &w2, x[16], y[13]);
2013  word3_muladd(&w1, &w0, &w2, x[17], y[12]);
2014  word3_muladd(&w1, &w0, &w2, x[18], y[11]);
2015  word3_muladd(&w1, &w0, &w2, x[19], y[10]);
2016  word3_muladd(&w1, &w0, &w2, x[20], y[ 9]);
2017  word3_muladd(&w1, &w0, &w2, x[21], y[ 8]);
2018  word3_muladd(&w1, &w0, &w2, x[22], y[ 7]);
2019  word3_muladd(&w1, &w0, &w2, x[23], y[ 6]);
2020  z[29] = w2; w2 = 0;
2021 
2022  word3_muladd(&w2, &w1, &w0, x[ 7], y[23]);
2023  word3_muladd(&w2, &w1, &w0, x[ 8], y[22]);
2024  word3_muladd(&w2, &w1, &w0, x[ 9], y[21]);
2025  word3_muladd(&w2, &w1, &w0, x[10], y[20]);
2026  word3_muladd(&w2, &w1, &w0, x[11], y[19]);
2027  word3_muladd(&w2, &w1, &w0, x[12], y[18]);
2028  word3_muladd(&w2, &w1, &w0, x[13], y[17]);
2029  word3_muladd(&w2, &w1, &w0, x[14], y[16]);
2030  word3_muladd(&w2, &w1, &w0, x[15], y[15]);
2031  word3_muladd(&w2, &w1, &w0, x[16], y[14]);
2032  word3_muladd(&w2, &w1, &w0, x[17], y[13]);
2033  word3_muladd(&w2, &w1, &w0, x[18], y[12]);
2034  word3_muladd(&w2, &w1, &w0, x[19], y[11]);
2035  word3_muladd(&w2, &w1, &w0, x[20], y[10]);
2036  word3_muladd(&w2, &w1, &w0, x[21], y[ 9]);
2037  word3_muladd(&w2, &w1, &w0, x[22], y[ 8]);
2038  word3_muladd(&w2, &w1, &w0, x[23], y[ 7]);
2039  z[30] = w0; w0 = 0;
2040 
2041  word3_muladd(&w0, &w2, &w1, x[ 8], y[23]);
2042  word3_muladd(&w0, &w2, &w1, x[ 9], y[22]);
2043  word3_muladd(&w0, &w2, &w1, x[10], y[21]);
2044  word3_muladd(&w0, &w2, &w1, x[11], y[20]);
2045  word3_muladd(&w0, &w2, &w1, x[12], y[19]);
2046  word3_muladd(&w0, &w2, &w1, x[13], y[18]);
2047  word3_muladd(&w0, &w2, &w1, x[14], y[17]);
2048  word3_muladd(&w0, &w2, &w1, x[15], y[16]);
2049  word3_muladd(&w0, &w2, &w1, x[16], y[15]);
2050  word3_muladd(&w0, &w2, &w1, x[17], y[14]);
2051  word3_muladd(&w0, &w2, &w1, x[18], y[13]);
2052  word3_muladd(&w0, &w2, &w1, x[19], y[12]);
2053  word3_muladd(&w0, &w2, &w1, x[20], y[11]);
2054  word3_muladd(&w0, &w2, &w1, x[21], y[10]);
2055  word3_muladd(&w0, &w2, &w1, x[22], y[ 9]);
2056  word3_muladd(&w0, &w2, &w1, x[23], y[ 8]);
2057  z[31] = w1; w1 = 0;
2058 
2059  word3_muladd(&w1, &w0, &w2, x[ 9], y[23]);
2060  word3_muladd(&w1, &w0, &w2, x[10], y[22]);
2061  word3_muladd(&w1, &w0, &w2, x[11], y[21]);
2062  word3_muladd(&w1, &w0, &w2, x[12], y[20]);
2063  word3_muladd(&w1, &w0, &w2, x[13], y[19]);
2064  word3_muladd(&w1, &w0, &w2, x[14], y[18]);
2065  word3_muladd(&w1, &w0, &w2, x[15], y[17]);
2066  word3_muladd(&w1, &w0, &w2, x[16], y[16]);
2067  word3_muladd(&w1, &w0, &w2, x[17], y[15]);
2068  word3_muladd(&w1, &w0, &w2, x[18], y[14]);
2069  word3_muladd(&w1, &w0, &w2, x[19], y[13]);
2070  word3_muladd(&w1, &w0, &w2, x[20], y[12]);
2071  word3_muladd(&w1, &w0, &w2, x[21], y[11]);
2072  word3_muladd(&w1, &w0, &w2, x[22], y[10]);
2073  word3_muladd(&w1, &w0, &w2, x[23], y[ 9]);
2074  z[32] = w2; w2 = 0;
2075 
2076  word3_muladd(&w2, &w1, &w0, x[10], y[23]);
2077  word3_muladd(&w2, &w1, &w0, x[11], y[22]);
2078  word3_muladd(&w2, &w1, &w0, x[12], y[21]);
2079  word3_muladd(&w2, &w1, &w0, x[13], y[20]);
2080  word3_muladd(&w2, &w1, &w0, x[14], y[19]);
2081  word3_muladd(&w2, &w1, &w0, x[15], y[18]);
2082  word3_muladd(&w2, &w1, &w0, x[16], y[17]);
2083  word3_muladd(&w2, &w1, &w0, x[17], y[16]);
2084  word3_muladd(&w2, &w1, &w0, x[18], y[15]);
2085  word3_muladd(&w2, &w1, &w0, x[19], y[14]);
2086  word3_muladd(&w2, &w1, &w0, x[20], y[13]);
2087  word3_muladd(&w2, &w1, &w0, x[21], y[12]);
2088  word3_muladd(&w2, &w1, &w0, x[22], y[11]);
2089  word3_muladd(&w2, &w1, &w0, x[23], y[10]);
2090  z[33] = w0; w0 = 0;
2091 
2092  word3_muladd(&w0, &w2, &w1, x[11], y[23]);
2093  word3_muladd(&w0, &w2, &w1, x[12], y[22]);
2094  word3_muladd(&w0, &w2, &w1, x[13], y[21]);
2095  word3_muladd(&w0, &w2, &w1, x[14], y[20]);
2096  word3_muladd(&w0, &w2, &w1, x[15], y[19]);
2097  word3_muladd(&w0, &w2, &w1, x[16], y[18]);
2098  word3_muladd(&w0, &w2, &w1, x[17], y[17]);
2099  word3_muladd(&w0, &w2, &w1, x[18], y[16]);
2100  word3_muladd(&w0, &w2, &w1, x[19], y[15]);
2101  word3_muladd(&w0, &w2, &w1, x[20], y[14]);
2102  word3_muladd(&w0, &w2, &w1, x[21], y[13]);
2103  word3_muladd(&w0, &w2, &w1, x[22], y[12]);
2104  word3_muladd(&w0, &w2, &w1, x[23], y[11]);
2105  z[34] = w1; w1 = 0;
2106 
2107  word3_muladd(&w1, &w0, &w2, x[12], y[23]);
2108  word3_muladd(&w1, &w0, &w2, x[13], y[22]);
2109  word3_muladd(&w1, &w0, &w2, x[14], y[21]);
2110  word3_muladd(&w1, &w0, &w2, x[15], y[20]);
2111  word3_muladd(&w1, &w0, &w2, x[16], y[19]);
2112  word3_muladd(&w1, &w0, &w2, x[17], y[18]);
2113  word3_muladd(&w1, &w0, &w2, x[18], y[17]);
2114  word3_muladd(&w1, &w0, &w2, x[19], y[16]);
2115  word3_muladd(&w1, &w0, &w2, x[20], y[15]);
2116  word3_muladd(&w1, &w0, &w2, x[21], y[14]);
2117  word3_muladd(&w1, &w0, &w2, x[22], y[13]);
2118  word3_muladd(&w1, &w0, &w2, x[23], y[12]);
2119  z[35] = w2; w2 = 0;
2120 
2121  word3_muladd(&w2, &w1, &w0, x[13], y[23]);
2122  word3_muladd(&w2, &w1, &w0, x[14], y[22]);
2123  word3_muladd(&w2, &w1, &w0, x[15], y[21]);
2124  word3_muladd(&w2, &w1, &w0, x[16], y[20]);
2125  word3_muladd(&w2, &w1, &w0, x[17], y[19]);
2126  word3_muladd(&w2, &w1, &w0, x[18], y[18]);
2127  word3_muladd(&w2, &w1, &w0, x[19], y[17]);
2128  word3_muladd(&w2, &w1, &w0, x[20], y[16]);
2129  word3_muladd(&w2, &w1, &w0, x[21], y[15]);
2130  word3_muladd(&w2, &w1, &w0, x[22], y[14]);
2131  word3_muladd(&w2, &w1, &w0, x[23], y[13]);
2132  z[36] = w0; w0 = 0;
2133 
2134  word3_muladd(&w0, &w2, &w1, x[14], y[23]);
2135  word3_muladd(&w0, &w2, &w1, x[15], y[22]);
2136  word3_muladd(&w0, &w2, &w1, x[16], y[21]);
2137  word3_muladd(&w0, &w2, &w1, x[17], y[20]);
2138  word3_muladd(&w0, &w2, &w1, x[18], y[19]);
2139  word3_muladd(&w0, &w2, &w1, x[19], y[18]);
2140  word3_muladd(&w0, &w2, &w1, x[20], y[17]);
2141  word3_muladd(&w0, &w2, &w1, x[21], y[16]);
2142  word3_muladd(&w0, &w2, &w1, x[22], y[15]);
2143  word3_muladd(&w0, &w2, &w1, x[23], y[14]);
2144  z[37] = w1; w1 = 0;
2145 
2146  word3_muladd(&w1, &w0, &w2, x[15], y[23]);
2147  word3_muladd(&w1, &w0, &w2, x[16], y[22]);
2148  word3_muladd(&w1, &w0, &w2, x[17], y[21]);
2149  word3_muladd(&w1, &w0, &w2, x[18], y[20]);
2150  word3_muladd(&w1, &w0, &w2, x[19], y[19]);
2151  word3_muladd(&w1, &w0, &w2, x[20], y[18]);
2152  word3_muladd(&w1, &w0, &w2, x[21], y[17]);
2153  word3_muladd(&w1, &w0, &w2, x[22], y[16]);
2154  word3_muladd(&w1, &w0, &w2, x[23], y[15]);
2155  z[38] = w2; w2 = 0;
2156 
2157  word3_muladd(&w2, &w1, &w0, x[16], y[23]);
2158  word3_muladd(&w2, &w1, &w0, x[17], y[22]);
2159  word3_muladd(&w2, &w1, &w0, x[18], y[21]);
2160  word3_muladd(&w2, &w1, &w0, x[19], y[20]);
2161  word3_muladd(&w2, &w1, &w0, x[20], y[19]);
2162  word3_muladd(&w2, &w1, &w0, x[21], y[18]);
2163  word3_muladd(&w2, &w1, &w0, x[22], y[17]);
2164  word3_muladd(&w2, &w1, &w0, x[23], y[16]);
2165  z[39] = w0; w0 = 0;
2166 
2167  word3_muladd(&w0, &w2, &w1, x[17], y[23]);
2168  word3_muladd(&w0, &w2, &w1, x[18], y[22]);
2169  word3_muladd(&w0, &w2, &w1, x[19], y[21]);
2170  word3_muladd(&w0, &w2, &w1, x[20], y[20]);
2171  word3_muladd(&w0, &w2, &w1, x[21], y[19]);
2172  word3_muladd(&w0, &w2, &w1, x[22], y[18]);
2173  word3_muladd(&w0, &w2, &w1, x[23], y[17]);
2174  z[40] = w1; w1 = 0;
2175 
2176  word3_muladd(&w1, &w0, &w2, x[18], y[23]);
2177  word3_muladd(&w1, &w0, &w2, x[19], y[22]);
2178  word3_muladd(&w1, &w0, &w2, x[20], y[21]);
2179  word3_muladd(&w1, &w0, &w2, x[21], y[20]);
2180  word3_muladd(&w1, &w0, &w2, x[22], y[19]);
2181  word3_muladd(&w1, &w0, &w2, x[23], y[18]);
2182  z[41] = w2; w2 = 0;
2183 
2184  word3_muladd(&w2, &w1, &w0, x[19], y[23]);
2185  word3_muladd(&w2, &w1, &w0, x[20], y[22]);
2186  word3_muladd(&w2, &w1, &w0, x[21], y[21]);
2187  word3_muladd(&w2, &w1, &w0, x[22], y[20]);
2188  word3_muladd(&w2, &w1, &w0, x[23], y[19]);
2189  z[42] = w0; w0 = 0;
2190 
2191  word3_muladd(&w0, &w2, &w1, x[20], y[23]);
2192  word3_muladd(&w0, &w2, &w1, x[21], y[22]);
2193  word3_muladd(&w0, &w2, &w1, x[22], y[21]);
2194  word3_muladd(&w0, &w2, &w1, x[23], y[20]);
2195  z[43] = w1; w1 = 0;
2196 
2197  word3_muladd(&w1, &w0, &w2, x[21], y[23]);
2198  word3_muladd(&w1, &w0, &w2, x[22], y[22]);
2199  word3_muladd(&w1, &w0, &w2, x[23], y[21]);
2200  z[44] = w2; w2 = 0;
2201 
2202  word3_muladd(&w2, &w1, &w0, x[22], y[23]);
2203  word3_muladd(&w2, &w1, &w0, x[23], y[22]);
2204  z[45] = w0; w0 = 0;
2205 
2206  word3_muladd(&w0, &w2, &w1, x[23], y[23]);
2207  z[46] = w1;
2208  z[47] = w2;
2209  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void Botan::bigint_comba_mul4 ( word  z[8],
const word  x[4],
const word  y[4] 
)

Definition at line 50 of file mp_comba.cpp.

References word3_muladd().

Referenced by bigint_mul().

51  {
52  word w2 = 0, w1 = 0, w0 = 0;
53 
54  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 0]);
55  z[ 0] = w0; w0 = 0;
56 
57  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 1]);
58  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 0]);
59  z[ 1] = w1; w1 = 0;
60 
61  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 2]);
62  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 1]);
63  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 0]);
64  z[ 2] = w2; w2 = 0;
65 
66  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 3]);
67  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 2]);
68  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 1]);
69  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 0]);
70  z[ 3] = w0; w0 = 0;
71 
72  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 3]);
73  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 2]);
74  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 1]);
75  z[ 4] = w1; w1 = 0;
76 
77  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 3]);
78  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 2]);
79  z[ 5] = w2; w2 = 0;
80 
81  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 3]);
82  z[ 6] = w0;
83  z[ 7] = w1;
84  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void Botan::bigint_comba_mul6 ( word  z[12],
const word  x[6],
const word  y[6] 
)

Definition at line 141 of file mp_comba.cpp.

References word3_muladd().

Referenced by bigint_mul().

142  {
143  word w2 = 0, w1 = 0, w0 = 0;
144 
145  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 0]);
146  z[ 0] = w0; w0 = 0;
147 
148  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 1]);
149  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 0]);
150  z[ 1] = w1; w1 = 0;
151 
152  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 2]);
153  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 1]);
154  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 0]);
155  z[ 2] = w2; w2 = 0;
156 
157  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 3]);
158  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 2]);
159  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 1]);
160  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 0]);
161  z[ 3] = w0; w0 = 0;
162 
163  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 4]);
164  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 3]);
165  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 2]);
166  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 1]);
167  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 0]);
168  z[ 4] = w1; w1 = 0;
169 
170  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 5]);
171  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 4]);
172  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 3]);
173  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 2]);
174  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 1]);
175  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 0]);
176  z[ 5] = w2; w2 = 0;
177 
178  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 5]);
179  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 4]);
180  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 3]);
181  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 2]);
182  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 1]);
183  z[ 6] = w0; w0 = 0;
184 
185  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 5]);
186  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 4]);
187  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 3]);
188  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 2]);
189  z[ 7] = w1; w1 = 0;
190 
191  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 5]);
192  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 4]);
193  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 3]);
194  z[ 8] = w2; w2 = 0;
195 
196  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 5]);
197  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 4]);
198  z[ 9] = w0; w0 = 0;
199 
200  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 5]);
201  z[10] = w1;
202  z[11] = w2;
203  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void Botan::bigint_comba_mul8 ( word  z[16],
const word  x[8],
const word  y[8] 
)

Definition at line 283 of file mp_comba.cpp.

References word3_muladd().

Referenced by bigint_mul().

284  {
285  word w2 = 0, w1 = 0, w0 = 0;
286 
287  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 0]);
288  z[ 0] = w0; w0 = 0;
289 
290  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 1]);
291  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 0]);
292  z[ 1] = w1; w1 = 0;
293 
294  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 2]);
295  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 1]);
296  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 0]);
297  z[ 2] = w2; w2 = 0;
298 
299  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 3]);
300  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 2]);
301  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 1]);
302  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 0]);
303  z[ 3] = w0; w0 = 0;
304 
305  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 4]);
306  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 3]);
307  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 2]);
308  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 1]);
309  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 0]);
310  z[ 4] = w1; w1 = 0;
311 
312  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 5]);
313  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 4]);
314  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 3]);
315  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 2]);
316  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 1]);
317  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 0]);
318  z[ 5] = w2; w2 = 0;
319 
320  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 6]);
321  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 5]);
322  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 4]);
323  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 3]);
324  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 2]);
325  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 1]);
326  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 0]);
327  z[ 6] = w0; w0 = 0;
328 
329  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 7]);
330  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 6]);
331  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 5]);
332  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 4]);
333  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 3]);
334  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 2]);
335  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 1]);
336  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 0]);
337  z[ 7] = w1; w1 = 0;
338 
339  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 7]);
340  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 6]);
341  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 5]);
342  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 4]);
343  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 3]);
344  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 2]);
345  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 1]);
346  z[ 8] = w2; w2 = 0;
347 
348  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 7]);
349  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 6]);
350  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 5]);
351  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 4]);
352  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 3]);
353  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 2]);
354  z[ 9] = w0; w0 = 0;
355 
356  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 7]);
357  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 6]);
358  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 5]);
359  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 4]);
360  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 3]);
361  z[10] = w1; w1 = 0;
362 
363  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 7]);
364  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 6]);
365  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 5]);
366  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 4]);
367  z[11] = w2; w2 = 0;
368 
369  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 7]);
370  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 6]);
371  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 5]);
372  z[12] = w0; w0 = 0;
373 
374  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 7]);
375  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 6]);
376  z[13] = w1; w1 = 0;
377 
378  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 7]);
379  z[14] = w2;
380  z[15] = w0;
381  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void Botan::bigint_comba_mul9 ( word  z[18],
const word  x[9],
const word  y[9] 
)

Definition at line 474 of file mp_comba.cpp.

References word3_muladd().

Referenced by bigint_mul().

475  {
476  word w2 = 0, w1 = 0, w0 = 0;
477 
478  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 0]);
479  z[ 0] = w0; w0 = 0;
480 
481  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 1]);
482  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 0]);
483  z[ 1] = w1; w1 = 0;
484 
485  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 2]);
486  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 1]);
487  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 0]);
488  z[ 2] = w2; w2 = 0;
489 
490  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 3]);
491  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 2]);
492  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 1]);
493  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 0]);
494  z[ 3] = w0; w0 = 0;
495 
496  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 4]);
497  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 3]);
498  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 2]);
499  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 1]);
500  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 0]);
501  z[ 4] = w1; w1 = 0;
502 
503  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 5]);
504  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 4]);
505  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 3]);
506  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 2]);
507  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 1]);
508  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 0]);
509  z[ 5] = w2; w2 = 0;
510 
511  word3_muladd(&w2, &w1, &w0, x[ 0], y[ 6]);
512  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 5]);
513  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 4]);
514  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 3]);
515  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 2]);
516  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 1]);
517  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 0]);
518  z[ 6] = w0; w0 = 0;
519 
520  word3_muladd(&w0, &w2, &w1, x[ 0], y[ 7]);
521  word3_muladd(&w0, &w2, &w1, x[ 1], y[ 6]);
522  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 5]);
523  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 4]);
524  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 3]);
525  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 2]);
526  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 1]);
527  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 0]);
528  z[ 7] = w1; w1 = 0;
529 
530  word3_muladd(&w1, &w0, &w2, x[ 0], y[ 8]);
531  word3_muladd(&w1, &w0, &w2, x[ 1], y[ 7]);
532  word3_muladd(&w1, &w0, &w2, x[ 2], y[ 6]);
533  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 5]);
534  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 4]);
535  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 3]);
536  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 2]);
537  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 1]);
538  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 0]);
539  z[ 8] = w2; w2 = 0;
540 
541  word3_muladd(&w2, &w1, &w0, x[ 1], y[ 8]);
542  word3_muladd(&w2, &w1, &w0, x[ 2], y[ 7]);
543  word3_muladd(&w2, &w1, &w0, x[ 3], y[ 6]);
544  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 5]);
545  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 4]);
546  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 3]);
547  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 2]);
548  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 1]);
549  z[ 9] = w0; w0 = 0;
550 
551  word3_muladd(&w0, &w2, &w1, x[ 2], y[ 8]);
552  word3_muladd(&w0, &w2, &w1, x[ 3], y[ 7]);
553  word3_muladd(&w0, &w2, &w1, x[ 4], y[ 6]);
554  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 5]);
555  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 4]);
556  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 3]);
557  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 2]);
558  z[10] = w1; w1 = 0;
559 
560  word3_muladd(&w1, &w0, &w2, x[ 3], y[ 8]);
561  word3_muladd(&w1, &w0, &w2, x[ 4], y[ 7]);
562  word3_muladd(&w1, &w0, &w2, x[ 5], y[ 6]);
563  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 5]);
564  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 4]);
565  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 3]);
566  z[11] = w2; w2 = 0;
567 
568  word3_muladd(&w2, &w1, &w0, x[ 4], y[ 8]);
569  word3_muladd(&w2, &w1, &w0, x[ 5], y[ 7]);
570  word3_muladd(&w2, &w1, &w0, x[ 6], y[ 6]);
571  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 5]);
572  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 4]);
573  z[12] = w0; w0 = 0;
574 
575  word3_muladd(&w0, &w2, &w1, x[ 5], y[ 8]);
576  word3_muladd(&w0, &w2, &w1, x[ 6], y[ 7]);
577  word3_muladd(&w0, &w2, &w1, x[ 7], y[ 6]);
578  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 5]);
579  z[13] = w1; w1 = 0;
580 
581  word3_muladd(&w1, &w0, &w2, x[ 6], y[ 8]);
582  word3_muladd(&w1, &w0, &w2, x[ 7], y[ 7]);
583  word3_muladd(&w1, &w0, &w2, x[ 8], y[ 6]);
584  z[14] = w2; w2 = 0;
585 
586  word3_muladd(&w2, &w1, &w0, x[ 7], y[ 8]);
587  word3_muladd(&w2, &w1, &w0, x[ 8], y[ 7]);
588  z[15] = w0; w0 = 0;
589 
590  word3_muladd(&w0, &w2, &w1, x[ 8], y[ 8]);
591  z[16] = w1;
592  z[17] = w2;
593  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void Botan::bigint_comba_sqr16 ( word  z[32],
const word  x[16] 
)

Definition at line 598 of file mp_comba.cpp.

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

599  {
600  word w2 = 0, w1 = 0, w0 = 0;
601 
602  word3_muladd (&w2, &w1, &w0, x[ 0], x[ 0]);
603  z[ 0] = w0; w0 = 0;
604 
605  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 1]);
606  z[ 1] = w1; w1 = 0;
607 
608  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 2]);
609  word3_muladd (&w1, &w0, &w2, x[ 1], x[ 1]);
610  z[ 2] = w2; w2 = 0;
611 
612  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 3]);
613  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 2]);
614  z[ 3] = w0; w0 = 0;
615 
616  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 4]);
617  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 3]);
618  word3_muladd (&w0, &w2, &w1, x[ 2], x[ 2]);
619  z[ 4] = w1; w1 = 0;
620 
621  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 5]);
622  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 4]);
623  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 3]);
624  z[ 5] = w2; w2 = 0;
625 
626  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 6]);
627  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 5]);
628  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 4]);
629  word3_muladd (&w2, &w1, &w0, x[ 3], x[ 3]);
630  z[ 6] = w0; w0 = 0;
631 
632  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 7]);
633  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 6]);
634  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 5]);
635  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 4]);
636  z[ 7] = w1; w1 = 0;
637 
638  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 8]);
639  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 7]);
640  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 6]);
641  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 5]);
642  word3_muladd (&w1, &w0, &w2, x[ 4], x[ 4]);
643  z[ 8] = w2; w2 = 0;
644 
645  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 9]);
646  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 8]);
647  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 7]);
648  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[ 6]);
649  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 5]);
650  z[ 9] = w0; w0 = 0;
651 
652  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[10]);
653  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 9]);
654  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 8]);
655  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 7]);
656  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[ 6]);
657  word3_muladd (&w0, &w2, &w1, x[ 5], x[ 5]);
658  z[10] = w1; w1 = 0;
659 
660  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[11]);
661  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[10]);
662  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 9]);
663  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 8]);
664  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[ 7]);
665  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[ 6]);
666  z[11] = w2; w2 = 0;
667 
668  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[12]);
669  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[11]);
670  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[10]);
671  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[ 9]);
672  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 8]);
673  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[ 7]);
674  word3_muladd (&w2, &w1, &w0, x[ 6], x[ 6]);
675  z[12] = w0; w0 = 0;
676 
677  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[13]);
678  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[12]);
679  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[11]);
680  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[10]);
681  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[ 9]);
682  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[ 8]);
683  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[ 7]);
684  z[13] = w1; w1 = 0;
685 
686  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[14]);
687  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[13]);
688  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[12]);
689  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[11]);
690  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[10]);
691  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[ 9]);
692  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[ 8]);
693  word3_muladd (&w1, &w0, &w2, x[ 7], x[ 7]);
694  z[14] = w2; w2 = 0;
695 
696  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[15]);
697  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[14]);
698  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[13]);
699  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[12]);
700  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[11]);
701  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[10]);
702  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[ 9]);
703  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[ 8]);
704  z[15] = w0; w0 = 0;
705 
706  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[15]);
707  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[14]);
708  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[13]);
709  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[12]);
710  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[11]);
711  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[10]);
712  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[ 9]);
713  word3_muladd (&w0, &w2, &w1, x[ 8], x[ 8]);
714  z[16] = w1; w1 = 0;
715 
716  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[15]);
717  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[14]);
718  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[13]);
719  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[12]);
720  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[11]);
721  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[10]);
722  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[ 9]);
723  z[17] = w2; w2 = 0;
724 
725  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[15]);
726  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[14]);
727  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[13]);
728  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[12]);
729  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[11]);
730  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[10]);
731  word3_muladd (&w2, &w1, &w0, x[ 9], x[ 9]);
732  z[18] = w0; w0 = 0;
733 
734  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[15]);
735  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[14]);
736  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[13]);
737  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[12]);
738  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[11]);
739  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[10]);
740  z[19] = w1; w1 = 0;
741 
742  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[15]);
743  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[14]);
744  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[13]);
745  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[12]);
746  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[11]);
747  word3_muladd (&w1, &w0, &w2, x[10], x[10]);
748  z[20] = w2; w2 = 0;
749 
750  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[15]);
751  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[14]);
752  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[13]);
753  word3_muladd_2(&w2, &w1, &w0, x[ 9], x[12]);
754  word3_muladd_2(&w2, &w1, &w0, x[10], x[11]);
755  z[21] = w0; w0 = 0;
756 
757  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[15]);
758  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[14]);
759  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[13]);
760  word3_muladd_2(&w0, &w2, &w1, x[10], x[12]);
761  word3_muladd (&w0, &w2, &w1, x[11], x[11]);
762  z[22] = w1; w1 = 0;
763 
764  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[15]);
765  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[14]);
766  word3_muladd_2(&w1, &w0, &w2, x[10], x[13]);
767  word3_muladd_2(&w1, &w0, &w2, x[11], x[12]);
768  z[23] = w2; w2 = 0;
769 
770  word3_muladd_2(&w2, &w1, &w0, x[ 9], x[15]);
771  word3_muladd_2(&w2, &w1, &w0, x[10], x[14]);
772  word3_muladd_2(&w2, &w1, &w0, x[11], x[13]);
773  word3_muladd (&w2, &w1, &w0, x[12], x[12]);
774  z[24] = w0; w0 = 0;
775 
776  word3_muladd_2(&w0, &w2, &w1, x[10], x[15]);
777  word3_muladd_2(&w0, &w2, &w1, x[11], x[14]);
778  word3_muladd_2(&w0, &w2, &w1, x[12], x[13]);
779  z[25] = w1; w1 = 0;
780 
781  word3_muladd_2(&w1, &w0, &w2, x[11], x[15]);
782  word3_muladd_2(&w1, &w0, &w2, x[12], x[14]);
783  word3_muladd (&w1, &w0, &w2, x[13], x[13]);
784  z[26] = w2; w2 = 0;
785 
786  word3_muladd_2(&w2, &w1, &w0, x[12], x[15]);
787  word3_muladd_2(&w2, &w1, &w0, x[13], x[14]);
788  z[27] = w0; w0 = 0;
789 
790  word3_muladd_2(&w0, &w2, &w1, x[13], x[15]);
791  word3_muladd (&w0, &w2, &w1, x[14], x[14]);
792  z[28] = w1; w1 = 0;
793 
794  word3_muladd_2(&w1, &w0, &w2, x[14], x[15]);
795  z[29] = w2; w2 = 0;
796 
797  word3_muladd (&w2, &w1, &w0, x[15], x[15]);
798  z[30] = w0;
799  z[31] = w1;
800  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:536
void Botan::bigint_comba_sqr24 ( word  z[48],
const word  x[24] 
)

Definition at line 1132 of file mp_comba.cpp.

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

1133  {
1134  word w2 = 0, w1 = 0, w0 = 0;
1135 
1136  word3_muladd (&w2, &w1, &w0, x[ 0], x[ 0]);
1137  z[ 0] = w0; w0 = 0;
1138 
1139  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 1]);
1140  z[ 1] = w1; w1 = 0;
1141 
1142  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 2]);
1143  word3_muladd (&w1, &w0, &w2, x[ 1], x[ 1]);
1144  z[ 2] = w2; w2 = 0;
1145 
1146  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 3]);
1147  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 2]);
1148  z[ 3] = w0; w0 = 0;
1149 
1150  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 4]);
1151  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 3]);
1152  word3_muladd (&w0, &w2, &w1, x[ 2], x[ 2]);
1153  z[ 4] = w1; w1 = 0;
1154 
1155  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 5]);
1156  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 4]);
1157  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 3]);
1158  z[ 5] = w2; w2 = 0;
1159 
1160  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 6]);
1161  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 5]);
1162  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 4]);
1163  word3_muladd (&w2, &w1, &w0, x[ 3], x[ 3]);
1164  z[ 6] = w0; w0 = 0;
1165 
1166  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 7]);
1167  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 6]);
1168  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 5]);
1169  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 4]);
1170  z[ 7] = w1; w1 = 0;
1171 
1172  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 8]);
1173  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 7]);
1174  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 6]);
1175  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 5]);
1176  word3_muladd (&w1, &w0, &w2, x[ 4], x[ 4]);
1177  z[ 8] = w2; w2 = 0;
1178 
1179  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 9]);
1180  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 8]);
1181  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 7]);
1182  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[ 6]);
1183  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 5]);
1184  z[ 9] = w0; w0 = 0;
1185 
1186  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[10]);
1187  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 9]);
1188  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 8]);
1189  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 7]);
1190  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[ 6]);
1191  word3_muladd (&w0, &w2, &w1, x[ 5], x[ 5]);
1192  z[10] = w1; w1 = 0;
1193 
1194  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[11]);
1195  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[10]);
1196  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 9]);
1197  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 8]);
1198  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[ 7]);
1199  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[ 6]);
1200  z[11] = w2; w2 = 0;
1201 
1202  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[12]);
1203  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[11]);
1204  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[10]);
1205  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[ 9]);
1206  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 8]);
1207  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[ 7]);
1208  word3_muladd (&w2, &w1, &w0, x[ 6], x[ 6]);
1209  z[12] = w0; w0 = 0;
1210 
1211  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[13]);
1212  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[12]);
1213  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[11]);
1214  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[10]);
1215  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[ 9]);
1216  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[ 8]);
1217  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[ 7]);
1218  z[13] = w1; w1 = 0;
1219 
1220  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[14]);
1221  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[13]);
1222  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[12]);
1223  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[11]);
1224  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[10]);
1225  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[ 9]);
1226  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[ 8]);
1227  word3_muladd (&w1, &w0, &w2, x[ 7], x[ 7]);
1228  z[14] = w2; w2 = 0;
1229 
1230  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[15]);
1231  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[14]);
1232  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[13]);
1233  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[12]);
1234  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[11]);
1235  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[10]);
1236  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[ 9]);
1237  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[ 8]);
1238  z[15] = w0; w0 = 0;
1239 
1240  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[16]);
1241  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[15]);
1242  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[14]);
1243  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[13]);
1244  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[12]);
1245  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[11]);
1246  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[10]);
1247  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[ 9]);
1248  word3_muladd (&w0, &w2, &w1, x[ 8], x[ 8]);
1249  z[16] = w1; w1 = 0;
1250 
1251  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[17]);
1252  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[16]);
1253  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[15]);
1254  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[14]);
1255  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[13]);
1256  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[12]);
1257  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[11]);
1258  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[10]);
1259  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[ 9]);
1260  z[17] = w2; w2 = 0;
1261 
1262  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[18]);
1263  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[17]);
1264  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[16]);
1265  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[15]);
1266  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[14]);
1267  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[13]);
1268  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[12]);
1269  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[11]);
1270  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[10]);
1271  word3_muladd (&w2, &w1, &w0, x[ 9], x[ 9]);
1272  z[18] = w0; w0 = 0;
1273 
1274  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[19]);
1275  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[18]);
1276  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[17]);
1277  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[16]);
1278  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[15]);
1279  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[14]);
1280  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[13]);
1281  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[12]);
1282  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[11]);
1283  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[10]);
1284  z[19] = w1; w1 = 0;
1285 
1286  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[20]);
1287  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[19]);
1288  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[18]);
1289  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[17]);
1290  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[16]);
1291  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[15]);
1292  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[14]);
1293  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[13]);
1294  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[12]);
1295  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[11]);
1296  word3_muladd (&w1, &w0, &w2, x[10], x[10]);
1297  z[20] = w2; w2 = 0;
1298 
1299  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[21]);
1300  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[20]);
1301  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[19]);
1302  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[18]);
1303  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[17]);
1304  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[16]);
1305  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[15]);
1306  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[14]);
1307  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[13]);
1308  word3_muladd_2(&w2, &w1, &w0, x[ 9], x[12]);
1309  word3_muladd_2(&w2, &w1, &w0, x[10], x[11]);
1310  z[21] = w0; w0 = 0;
1311 
1312  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[22]);
1313  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[21]);
1314  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[20]);
1315  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[19]);
1316  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[18]);
1317  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[17]);
1318  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[16]);
1319  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[15]);
1320  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[14]);
1321  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[13]);
1322  word3_muladd_2(&w0, &w2, &w1, x[10], x[12]);
1323  word3_muladd (&w0, &w2, &w1, x[11], x[11]);
1324  z[22] = w1; w1 = 0;
1325 
1326  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[23]);
1327  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[22]);
1328  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[21]);
1329  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[20]);
1330  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[19]);
1331  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[18]);
1332  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[17]);
1333  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[16]);
1334  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[15]);
1335  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[14]);
1336  word3_muladd_2(&w1, &w0, &w2, x[10], x[13]);
1337  word3_muladd_2(&w1, &w0, &w2, x[11], x[12]);
1338  z[23] = w2; w2 = 0;
1339 
1340  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[23]);
1341  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[22]);
1342  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[21]);
1343  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[20]);
1344  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[19]);
1345  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[18]);
1346  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[17]);
1347  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[16]);
1348  word3_muladd_2(&w2, &w1, &w0, x[ 9], x[15]);
1349  word3_muladd_2(&w2, &w1, &w0, x[10], x[14]);
1350  word3_muladd_2(&w2, &w1, &w0, x[11], x[13]);
1351  word3_muladd (&w2, &w1, &w0, x[12], x[12]);
1352  z[24] = w0; w0 = 0;
1353 
1354  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[23]);
1355  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[22]);
1356  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[21]);
1357  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[20]);
1358  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[19]);
1359  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[18]);
1360  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[17]);
1361  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[16]);
1362  word3_muladd_2(&w0, &w2, &w1, x[10], x[15]);
1363  word3_muladd_2(&w0, &w2, &w1, x[11], x[14]);
1364  word3_muladd_2(&w0, &w2, &w1, x[12], x[13]);
1365  z[25] = w1; w1 = 0;
1366 
1367  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[23]);
1368  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[22]);
1369  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[21]);
1370  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[20]);
1371  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[19]);
1372  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[18]);
1373  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[17]);
1374  word3_muladd_2(&w1, &w0, &w2, x[10], x[16]);
1375  word3_muladd_2(&w1, &w0, &w2, x[11], x[15]);
1376  word3_muladd_2(&w1, &w0, &w2, x[12], x[14]);
1377  word3_muladd (&w1, &w0, &w2, x[13], x[13]);
1378  z[26] = w2; w2 = 0;
1379 
1380  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[23]);
1381  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[22]);
1382  word3_muladd_2(&w2, &w1, &w0, x[ 6], x[21]);
1383  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[20]);
1384  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[19]);
1385  word3_muladd_2(&w2, &w1, &w0, x[ 9], x[18]);
1386  word3_muladd_2(&w2, &w1, &w0, x[10], x[17]);
1387  word3_muladd_2(&w2, &w1, &w0, x[11], x[16]);
1388  word3_muladd_2(&w2, &w1, &w0, x[12], x[15]);
1389  word3_muladd_2(&w2, &w1, &w0, x[13], x[14]);
1390  z[27] = w0; w0 = 0;
1391 
1392  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[23]);
1393  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[22]);
1394  word3_muladd_2(&w0, &w2, &w1, x[ 7], x[21]);
1395  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[20]);
1396  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[19]);
1397  word3_muladd_2(&w0, &w2, &w1, x[10], x[18]);
1398  word3_muladd_2(&w0, &w2, &w1, x[11], x[17]);
1399  word3_muladd_2(&w0, &w2, &w1, x[12], x[16]);
1400  word3_muladd_2(&w0, &w2, &w1, x[13], x[15]);
1401  word3_muladd (&w0, &w2, &w1, x[14], x[14]);
1402  z[28] = w1; w1 = 0;
1403 
1404  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[23]);
1405  word3_muladd_2(&w1, &w0, &w2, x[ 7], x[22]);
1406  word3_muladd_2(&w1, &w0, &w2, x[ 8], x[21]);
1407  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[20]);
1408  word3_muladd_2(&w1, &w0, &w2, x[10], x[19]);
1409  word3_muladd_2(&w1, &w0, &w2, x[11], x[18]);
1410  word3_muladd_2(&w1, &w0, &w2, x[12], x[17]);
1411  word3_muladd_2(&w1, &w0, &w2, x[13], x[16]);
1412  word3_muladd_2(&w1, &w0, &w2, x[14], x[15]);
1413  z[29] = w2; w2 = 0;
1414 
1415  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[23]);
1416  word3_muladd_2(&w2, &w1, &w0, x[ 8], x[22]);
1417  word3_muladd_2(&w2, &w1, &w0, x[ 9], x[21]);
1418  word3_muladd_2(&w2, &w1, &w0, x[10], x[20]);
1419  word3_muladd_2(&w2, &w1, &w0, x[11], x[19]);
1420  word3_muladd_2(&w2, &w1, &w0, x[12], x[18]);
1421  word3_muladd_2(&w2, &w1, &w0, x[13], x[17]);
1422  word3_muladd_2(&w2, &w1, &w0, x[14], x[16]);
1423  word3_muladd (&w2, &w1, &w0, x[15], x[15]);
1424  z[30] = w0; w0 = 0;
1425 
1426  word3_muladd_2(&w0, &w2, &w1, x[ 8], x[23]);
1427  word3_muladd_2(&w0, &w2, &w1, x[ 9], x[22]);
1428  word3_muladd_2(&w0, &w2, &w1, x[10], x[21]);
1429  word3_muladd_2(&w0, &w2, &w1, x[11], x[20]);
1430  word3_muladd_2(&w0, &w2, &w1, x[12], x[19]);
1431  word3_muladd_2(&w0, &w2, &w1, x[13], x[18]);
1432  word3_muladd_2(&w0, &w2, &w1, x[14], x[17]);
1433  word3_muladd_2(&w0, &w2, &w1, x[15], x[16]);
1434  z[31] = w1; w1 = 0;
1435 
1436  word3_muladd_2(&w1, &w0, &w2, x[ 9], x[23]);
1437  word3_muladd_2(&w1, &w0, &w2, x[10], x[22]);
1438  word3_muladd_2(&w1, &w0, &w2, x[11], x[21]);
1439  word3_muladd_2(&w1, &w0, &w2, x[12], x[20]);
1440  word3_muladd_2(&w1, &w0, &w2, x[13], x[19]);
1441  word3_muladd_2(&w1, &w0, &w2, x[14], x[18]);
1442  word3_muladd_2(&w1, &w0, &w2, x[15], x[17]);
1443  word3_muladd (&w1, &w0, &w2, x[16], x[16]);
1444  z[32] = w2; w2 = 0;
1445 
1446  word3_muladd_2(&w2, &w1, &w0, x[10], x[23]);
1447  word3_muladd_2(&w2, &w1, &w0, x[11], x[22]);
1448  word3_muladd_2(&w2, &w1, &w0, x[12], x[21]);
1449  word3_muladd_2(&w2, &w1, &w0, x[13], x[20]);
1450  word3_muladd_2(&w2, &w1, &w0, x[14], x[19]);
1451  word3_muladd_2(&w2, &w1, &w0, x[15], x[18]);
1452  word3_muladd_2(&w2, &w1, &w0, x[16], x[17]);
1453  z[33] = w0; w0 = 0;
1454 
1455  word3_muladd_2(&w0, &w2, &w1, x[11], x[23]);
1456  word3_muladd_2(&w0, &w2, &w1, x[12], x[22]);
1457  word3_muladd_2(&w0, &w2, &w1, x[13], x[21]);
1458  word3_muladd_2(&w0, &w2, &w1, x[14], x[20]);
1459  word3_muladd_2(&w0, &w2, &w1, x[15], x[19]);
1460  word3_muladd_2(&w0, &w2, &w1, x[16], x[18]);
1461  word3_muladd (&w0, &w2, &w1, x[17], x[17]);
1462  z[34] = w1; w1 = 0;
1463 
1464  word3_muladd_2(&w1, &w0, &w2, x[12], x[23]);
1465  word3_muladd_2(&w1, &w0, &w2, x[13], x[22]);
1466  word3_muladd_2(&w1, &w0, &w2, x[14], x[21]);
1467  word3_muladd_2(&w1, &w0, &w2, x[15], x[20]);
1468  word3_muladd_2(&w1, &w0, &w2, x[16], x[19]);
1469  word3_muladd_2(&w1, &w0, &w2, x[17], x[18]);
1470  z[35] = w2; w2 = 0;
1471 
1472  word3_muladd_2(&w2, &w1, &w0, x[13], x[23]);
1473  word3_muladd_2(&w2, &w1, &w0, x[14], x[22]);
1474  word3_muladd_2(&w2, &w1, &w0, x[15], x[21]);
1475  word3_muladd_2(&w2, &w1, &w0, x[16], x[20]);
1476  word3_muladd_2(&w2, &w1, &w0, x[17], x[19]);
1477  word3_muladd (&w2, &w1, &w0, x[18], x[18]);
1478  z[36] = w0; w0 = 0;
1479 
1480  word3_muladd_2(&w0, &w2, &w1, x[14], x[23]);
1481  word3_muladd_2(&w0, &w2, &w1, x[15], x[22]);
1482  word3_muladd_2(&w0, &w2, &w1, x[16], x[21]);
1483  word3_muladd_2(&w0, &w2, &w1, x[17], x[20]);
1484  word3_muladd_2(&w0, &w2, &w1, x[18], x[19]);
1485  z[37] = w1; w1 = 0;
1486 
1487  word3_muladd_2(&w1, &w0, &w2, x[15], x[23]);
1488  word3_muladd_2(&w1, &w0, &w2, x[16], x[22]);
1489  word3_muladd_2(&w1, &w0, &w2, x[17], x[21]);
1490  word3_muladd_2(&w1, &w0, &w2, x[18], x[20]);
1491  word3_muladd (&w1, &w0, &w2, x[19], x[19]);
1492  z[38] = w2; w2 = 0;
1493 
1494  word3_muladd_2(&w2, &w1, &w0, x[16], x[23]);
1495  word3_muladd_2(&w2, &w1, &w0, x[17], x[22]);
1496  word3_muladd_2(&w2, &w1, &w0, x[18], x[21]);
1497  word3_muladd_2(&w2, &w1, &w0, x[19], x[20]);
1498  z[39] = w0; w0 = 0;
1499 
1500  word3_muladd_2(&w0, &w2, &w1, x[17], x[23]);
1501  word3_muladd_2(&w0, &w2, &w1, x[18], x[22]);
1502  word3_muladd_2(&w0, &w2, &w1, x[19], x[21]);
1503  word3_muladd (&w0, &w2, &w1, x[20], x[20]);
1504  z[40] = w1; w1 = 0;
1505 
1506  word3_muladd_2(&w1, &w0, &w2, x[18], x[23]);
1507  word3_muladd_2(&w1, &w0, &w2, x[19], x[22]);
1508  word3_muladd_2(&w1, &w0, &w2, x[20], x[21]);
1509  z[41] = w2; w2 = 0;
1510 
1511  word3_muladd_2(&w2, &w1, &w0, x[19], x[23]);
1512  word3_muladd_2(&w2, &w1, &w0, x[20], x[22]);
1513  word3_muladd (&w2, &w1, &w0, x[21], x[21]);
1514  z[42] = w0; w0 = 0;
1515 
1516  word3_muladd_2(&w0, &w2, &w1, x[20], x[23]);
1517  word3_muladd_2(&w0, &w2, &w1, x[21], x[22]);
1518  z[43] = w1; w1 = 0;
1519 
1520  word3_muladd_2(&w1, &w0, &w2, x[21], x[23]);
1521  word3_muladd (&w1, &w0, &w2, x[22], x[22]);
1522  z[44] = w2; w2 = 0;
1523 
1524  word3_muladd_2(&w2, &w1, &w0, x[22], x[23]);
1525  z[45] = w0; w0 = 0;
1526 
1527  word3_muladd (&w0, &w2, &w1, x[23], x[23]);
1528  z[46] = w1;
1529  z[47] = w2;
1530  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:536
void Botan::bigint_comba_sqr4 ( word  z[8],
const word  x[4] 
)

Definition at line 17 of file mp_comba.cpp.

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

18  {
19  word w2 = 0, w1 = 0, w0 = 0;
20 
21  word3_muladd (&w2, &w1, &w0, x[ 0], x[ 0]);
22  z[ 0] = w0; w0 = 0;
23 
24  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 1]);
25  z[ 1] = w1; w1 = 0;
26 
27  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 2]);
28  word3_muladd (&w1, &w0, &w2, x[ 1], x[ 1]);
29  z[ 2] = w2; w2 = 0;
30 
31  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 3]);
32  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 2]);
33  z[ 3] = w0; w0 = 0;
34 
35  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 3]);
36  word3_muladd (&w0, &w2, &w1, x[ 2], x[ 2]);
37  z[ 4] = w1; w1 = 0;
38 
39  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 3]);
40  z[ 5] = w2; w2 = 0;
41 
42  word3_muladd (&w2, &w1, &w0, x[ 3], x[ 3]);
43  z[ 6] = w0;
44  z[ 7] = w1;
45  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:536
void Botan::bigint_comba_sqr6 ( word  z[12],
const word  x[6] 
)

Definition at line 89 of file mp_comba.cpp.

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

90  {
91  word w2 = 0, w1 = 0, w0 = 0;
92 
93  word3_muladd (&w2, &w1, &w0, x[ 0], x[ 0]);
94  z[ 0] = w0; w0 = 0;
95 
96  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 1]);
97  z[ 1] = w1; w1 = 0;
98 
99  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 2]);
100  word3_muladd (&w1, &w0, &w2, x[ 1], x[ 1]);
101  z[ 2] = w2; w2 = 0;
102 
103  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 3]);
104  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 2]);
105  z[ 3] = w0; w0 = 0;
106 
107  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 4]);
108  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 3]);
109  word3_muladd (&w0, &w2, &w1, x[ 2], x[ 2]);
110  z[ 4] = w1; w1 = 0;
111 
112  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 5]);
113  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 4]);
114  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 3]);
115  z[ 5] = w2; w2 = 0;
116 
117  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 5]);
118  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 4]);
119  word3_muladd (&w2, &w1, &w0, x[ 3], x[ 3]);
120  z[ 6] = w0; w0 = 0;
121 
122  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 5]);
123  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 4]);
124  z[ 7] = w1; w1 = 0;
125 
126  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 5]);
127  word3_muladd (&w1, &w0, &w2, x[ 4], x[ 4]);
128  z[ 8] = w2; w2 = 0;
129 
130  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 5]);
131  z[ 9] = w0; w0 = 0;
132 
133  word3_muladd (&w0, &w2, &w1, x[ 5], x[ 5]);
134  z[10] = w1;
135  z[11] = w2;
136  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:536
void Botan::bigint_comba_sqr8 ( word  z[16],
const word  x[8] 
)

Definition at line 208 of file mp_comba.cpp.

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

209  {
210  word w2 = 0, w1 = 0, w0 = 0;
211 
212  word3_muladd (&w2, &w1, &w0, x[ 0], x[ 0]);
213  z[ 0] = w0; w0 = 0;
214 
215  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 1]);
216  z[ 1] = w1; w1 = 0;
217 
218  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 2]);
219  word3_muladd (&w1, &w0, &w2, x[ 1], x[ 1]);
220  z[ 2] = w2; w2 = 0;
221 
222  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 3]);
223  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 2]);
224  z[ 3] = w0; w0 = 0;
225 
226  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 4]);
227  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 3]);
228  word3_muladd (&w0, &w2, &w1, x[ 2], x[ 2]);
229  z[ 4] = w1; w1 = 0;
230 
231  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 5]);
232  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 4]);
233  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 3]);
234  z[ 5] = w2; w2 = 0;
235 
236  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 6]);
237  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 5]);
238  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 4]);
239  word3_muladd (&w2, &w1, &w0, x[ 3], x[ 3]);
240  z[ 6] = w0; w0 = 0;
241 
242  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 7]);
243  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 6]);
244  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 5]);
245  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 4]);
246  z[ 7] = w1; w1 = 0;
247 
248  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 7]);
249  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 6]);
250  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 5]);
251  word3_muladd (&w1, &w0, &w2, x[ 4], x[ 4]);
252  z[ 8] = w2; w2 = 0;
253 
254  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 7]);
255  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[ 6]);
256  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 5]);
257  z[ 9] = w0; w0 = 0;
258 
259  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 7]);
260  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[ 6]);
261  word3_muladd (&w0, &w2, &w1, x[ 5], x[ 5]);
262  z[10] = w1; w1 = 0;
263 
264  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[ 7]);
265  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[ 6]);
266  z[11] = w2; w2 = 0;
267 
268  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[ 7]);
269  word3_muladd (&w2, &w1, &w0, x[ 6], x[ 6]);
270  z[12] = w0; w0 = 0;
271 
272  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[ 7]);
273  z[13] = w1; w1 = 0;
274 
275  word3_muladd (&w1, &w0, &w2, x[ 7], x[ 7]);
276  z[14] = w2;
277  z[15] = w0;
278  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:536
void Botan::bigint_comba_sqr9 ( word  z[18],
const word  x[9] 
)

Definition at line 386 of file mp_comba.cpp.

References word3_muladd(), and word3_muladd_2().

Referenced by bigint_sqr().

387  {
388  word w2 = 0, w1 = 0, w0 = 0;
389 
390  word3_muladd (&w2, &w1, &w0, x[ 0], x[ 0]);
391  z[ 0] = w0; w0 = 0;
392 
393  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 1]);
394  z[ 1] = w1; w1 = 0;
395 
396  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 2]);
397  word3_muladd (&w1, &w0, &w2, x[ 1], x[ 1]);
398  z[ 2] = w2; w2 = 0;
399 
400  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 3]);
401  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 2]);
402  z[ 3] = w0; w0 = 0;
403 
404  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 4]);
405  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 3]);
406  word3_muladd (&w0, &w2, &w1, x[ 2], x[ 2]);
407  z[ 4] = w1; w1 = 0;
408 
409  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 5]);
410  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 4]);
411  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 3]);
412  z[ 5] = w2; w2 = 0;
413 
414  word3_muladd_2(&w2, &w1, &w0, x[ 0], x[ 6]);
415  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 5]);
416  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 4]);
417  word3_muladd (&w2, &w1, &w0, x[ 3], x[ 3]);
418  z[ 6] = w0; w0 = 0;
419 
420  word3_muladd_2(&w0, &w2, &w1, x[ 0], x[ 7]);
421  word3_muladd_2(&w0, &w2, &w1, x[ 1], x[ 6]);
422  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 5]);
423  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 4]);
424  z[ 7] = w1; w1 = 0;
425 
426  word3_muladd_2(&w1, &w0, &w2, x[ 0], x[ 8]);
427  word3_muladd_2(&w1, &w0, &w2, x[ 1], x[ 7]);
428  word3_muladd_2(&w1, &w0, &w2, x[ 2], x[ 6]);
429  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 5]);
430  word3_muladd (&w1, &w0, &w2, x[ 4], x[ 4]);
431  z[ 8] = w2; w2 = 0;
432 
433  word3_muladd_2(&w2, &w1, &w0, x[ 1], x[ 8]);
434  word3_muladd_2(&w2, &w1, &w0, x[ 2], x[ 7]);
435  word3_muladd_2(&w2, &w1, &w0, x[ 3], x[ 6]);
436  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 5]);
437  z[ 9] = w0; w0 = 0;
438 
439  word3_muladd_2(&w0, &w2, &w1, x[ 2], x[ 8]);
440  word3_muladd_2(&w0, &w2, &w1, x[ 3], x[ 7]);
441  word3_muladd_2(&w0, &w2, &w1, x[ 4], x[ 6]);
442  word3_muladd (&w0, &w2, &w1, x[ 5], x[ 5]);
443  z[10] = w1; w1 = 0;
444 
445  word3_muladd_2(&w1, &w0, &w2, x[ 3], x[ 8]);
446  word3_muladd_2(&w1, &w0, &w2, x[ 4], x[ 7]);
447  word3_muladd_2(&w1, &w0, &w2, x[ 5], x[ 6]);
448  z[11] = w2; w2 = 0;
449 
450  word3_muladd_2(&w2, &w1, &w0, x[ 4], x[ 8]);
451  word3_muladd_2(&w2, &w1, &w0, x[ 5], x[ 7]);
452  word3_muladd (&w2, &w1, &w0, x[ 6], x[ 6]);
453  z[12] = w0; w0 = 0;
454 
455  word3_muladd_2(&w0, &w2, &w1, x[ 5], x[ 8]);
456  word3_muladd_2(&w0, &w2, &w1, x[ 6], x[ 7]);
457  z[13] = w1; w1 = 0;
458 
459  word3_muladd_2(&w1, &w0, &w2, x[ 6], x[ 8]);
460  word3_muladd (&w1, &w0, &w2, x[ 7], x[ 7]);
461  z[14] = w2; w2 = 0;
462 
463  word3_muladd_2(&w2, &w1, &w0, x[ 7], x[ 8]);
464  z[15] = w0; w0 = 0;
465 
466  word3_muladd (&w0, &w2, &w1, x[ 8], x[ 8]);
467  z[16] = w1;
468  z[17] = w2;
469  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void word3_muladd_2(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:536
CT::Mask<word> Botan::bigint_ct_is_eq ( const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Definition at line 613 of file mp_core.h.

References Botan::CT::Mask< T >::is_zero().

Referenced by Botan::BigInt::is_equal().

615  {
616  const size_t common_elems = std::min(x_size, y_size);
617 
618  word diff = 0;
619 
620  for(size_t i = 0; i != common_elems; i++)
621  {
622  diff |= (x[i] ^ y[i]);
623  }
624 
625  // If any bits were set in high part of x/y, then they are not equal
626  if(x_size < y_size)
627  {
628  for(size_t i = x_size; i != y_size; i++)
629  diff |= y[i];
630  }
631  else if(y_size < x_size)
632  {
633  for(size_t i = y_size; i != x_size; i++)
634  diff |= x[i];
635  }
636 
637  return CT::Mask<word>::is_zero(diff);
638  }
CT::Mask<word> Botan::bigint_ct_is_lt ( const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size,
bool  lt_or_equal = false 
)
inline

Compare x and y Return ~0 if x[0:x_size] < y[0:y_size] or 0 otherwise If lt_or_equal is true, returns ~0 also for x == y

Definition at line 576 of file mp_core.h.

References Botan::CT::Mask< T >::expand(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_zero().

Referenced by bigint_mod_sub(), bigint_mod_sub_n(), and Botan::BigInt::is_less_than().

579  {
580  const size_t common_elems = std::min(x_size, y_size);
581 
582  auto is_lt = CT::Mask<word>::expand(lt_or_equal);
583 
584  for(size_t i = 0; i != common_elems; i++)
585  {
586  const auto eq = CT::Mask<word>::is_equal(x[i], y[i]);
587  const auto lt = CT::Mask<word>::is_lt(x[i], y[i]);
588  is_lt = eq.select_mask(is_lt, lt);
589  }
590 
591  if(x_size < y_size)
592  {
593  word mask = 0;
594  for(size_t i = x_size; i != y_size; i++)
595  mask |= y[i];
596  // If any bits were set in high part of y, then is_lt should be forced true
597  is_lt |= CT::Mask<word>::expand(mask);
598  }
599  else if(y_size < x_size)
600  {
601  word mask = 0;
602  for(size_t i = y_size; i != x_size; i++)
603  mask |= x[i];
604 
605  // If any bits were set in high part of x, then is_lt should be false
606  is_lt &= CT::Mask<word>::is_zero(mask);
607  }
608 
609  return is_lt;
610  }
word Botan::bigint_divop ( word  n1,
word  n0,
word  d 
)
inline

Compute ((n1<<bits) + n0) / d

Definition at line 721 of file mp_core.h.

Referenced by bigint_modop(), and vartime_divide().

722  {
723  if(d == 0)
724  throw Invalid_Argument("bigint_divop divide by zero");
725 
726 #if defined(BOTAN_HAS_MP_DWORD)
727  return ((static_cast<dword>(n1) << BOTAN_MP_WORD_BITS) | n0) / d;
728 #else
729 
730  word high = n1 % d;
731  word quotient = 0;
732 
733  for(size_t i = 0; i != BOTAN_MP_WORD_BITS; ++i)
734  {
735  const word high_top_bit = high >> (BOTAN_MP_WORD_BITS-1);
736 
737  high <<= 1;
738  high |= (n0 >> (BOTAN_MP_WORD_BITS-1-i)) & 1;
739  quotient <<= 1;
740 
741  if(high_top_bit || high >= d)
742  {
743  high -= d;
744  quotient |= 1;
745  }
746  }
747 
748  return quotient;
749 #endif
750  }
word BOTAN_WARN_UNUSED_RESULT Botan::bigint_linmul2 ( word  x[],
size_t  x_size,
word  y 
)
inline

Definition at line 489 of file mp_core.h.

References carry(), word8_linmul2(), and word_madd2().

Referenced by Botan::BigInt::mul(), and Botan::BigInt::operator*=().

490  {
491  const size_t blocks = x_size - (x_size % 8);
492 
493  word carry = 0;
494 
495  for(size_t i = 0; i != blocks; i += 8)
496  carry = word8_linmul2(x + i, y, carry);
497 
498  for(size_t i = blocks; i != x_size; ++i)
499  x[i] = word_madd2(x[i], y, &carry);
500 
501  return carry;
502  }
void carry(int64_t &h0, int64_t &h1)
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
word word8_linmul2(word x[8], word y, word carry)
Definition: mp_asmi.h:346
void Botan::bigint_linmul3 ( word  z[],
const word  x[],
size_t  x_size,
word  y 
)
inline

Definition at line 504 of file mp_core.h.

References carry(), word8_linmul3(), and word_madd2().

Referenced by bigint_mul(), bigint_sqr(), Botan::BigInt::mul(), and operator*().

505  {
506  const size_t blocks = x_size - (x_size % 8);
507 
508  word carry = 0;
509 
510  for(size_t i = 0; i != blocks; i += 8)
511  carry = word8_linmul3(z + i, x + i, y, carry);
512 
513  for(size_t i = blocks; i != x_size; ++i)
514  z[i] = word_madd2(x[i], y, &carry);
515 
516  z[x_size] = carry;
517  }
word word8_linmul3(word z[8], const word x[8], word y, word carry)
Definition: mp_asmi.h:381
void carry(int64_t &h0, int64_t &h1)
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
void Botan::bigint_mod_sub ( word  t[],
const word  s[],
const word  mod[],
size_t  mod_sw,
word  ws[] 
)
inline

Set t to t-s modulo mod

Parameters
tfirst integer
ssecond integer
modthe modulus
mod_swsize of t, s, and mod
wsworkspace of size mod_sw

Definition at line 687 of file mp_core.h.

References bigint_cnd_addsub(), bigint_ct_is_lt(), bigint_sub3(), BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, and carry().

Referenced by Botan::BigInt::mod_sub().

688  {
689  // is t < s or not?
690  const auto is_lt = bigint_ct_is_lt(t, mod_sw, s, mod_sw);
691 
692  // ws = p - s
693  const word borrow = bigint_sub3(ws, mod, mod_sw, s, mod_sw);
694 
695  // Compute either (t - s) or (t + (p - s)) depending on mask
696  const word carry = bigint_cnd_addsub(is_lt, t, ws, s, mod_sw);
697 
698  BOTAN_DEBUG_ASSERT(borrow == 0 && carry == 0);
699  BOTAN_UNUSED(carry, borrow);
700  }
void carry(int64_t &h0, int64_t &h1)
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
word bigint_cnd_addsub(CT::Mask< word > mask, word x[], const word y[], const word z[], size_t size)
Definition: mp_core.h:176
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
#define BOTAN_UNUSED(...)
Definition: assert.h:142
CT::Mask< word > bigint_ct_is_lt(const word x[], size_t x_size, const word y[], size_t y_size, bool lt_or_equal=false)
Definition: mp_core.h:576
template<size_t N>
void Botan::bigint_mod_sub_n ( word  t[],
const word  s[],
const word  mod[],
word  ws[] 
)
inline

Definition at line 703 of file mp_core.h.

References bigint_cnd_addsub(), bigint_ct_is_lt(), bigint_sub3(), BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, and carry().

704  {
705  // is t < s or not?
706  const auto is_lt = bigint_ct_is_lt(t, N, s, N);
707 
708  // ws = p - s
709  const word borrow = bigint_sub3(ws, mod, N, s, N);
710 
711  // Compute either (t - s) or (t + (p - s)) depending on mask
712  const word carry = bigint_cnd_addsub(is_lt, t, ws, s, N);
713 
714  BOTAN_DEBUG_ASSERT(borrow == 0 && carry == 0);
715  BOTAN_UNUSED(carry, borrow);
716  }
void carry(int64_t &h0, int64_t &h1)
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
word bigint_cnd_addsub(CT::Mask< word > mask, word x[], const word y[], const word z[], size_t size)
Definition: mp_core.h:176
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
#define BOTAN_UNUSED(...)
Definition: assert.h:142
CT::Mask< word > bigint_ct_is_lt(const word x[], size_t x_size, const word y[], size_t y_size, bool lt_or_equal=false)
Definition: mp_core.h:576
word Botan::bigint_modop ( word  n1,
word  n0,
word  d 
)
inline

Compute ((n1<<bits) + n0) % d

Definition at line 755 of file mp_core.h.

References bigint_divop(), and word_madd2().

Referenced by operator%(), and Botan::BigInt::operator%=().

756  {
757  if(d == 0)
758  throw Invalid_Argument("bigint_modop divide by zero");
759 
760 #if defined(BOTAN_HAS_MP_DWORD)
761  return ((static_cast<dword>(n1) << BOTAN_MP_WORD_BITS) | n0) % d;
762 #else
763  word z = bigint_divop(n1, n0, d);
764  word dummy = 0;
765  z = word_madd2(z, d, &dummy);
766  return (n0-z);
767 #endif
768  }
word bigint_divop(word n1, word n0, word d)
Definition: mp_core.h:721
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
void Botan::bigint_monty_redc ( word  z[],
const word  p[],
size_t  p_size,
word  p_dash,
word  workspace[],
size_t  ws_size 
)

Montgomery Reduction

Parameters
zinteger to reduce, of size exactly 2*(p_size+1). Output is in the first p_size+1 words, higher words are set to zero.
pmodulus
p_sizesize of p
p_dashMontgomery value
workspacearray of at least 2*(p_size+1) words
ws_sizesize of workspace in words

Definition at line 109 of file mp_monty.cpp.

References bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), and BOTAN_ARG_CHECK.

Referenced by Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::redc(), Botan::Montgomery_Params::sqr(), and Botan::Montgomery_Params::square_this().

112  {
113  const size_t z_size = 2*(p_size+1);
114 
115  BOTAN_ARG_CHECK(ws_size >= z_size, "workspace too small");
116 
117  if(p_size == 4)
118  bigint_monty_redc_4(z, p, p_dash, ws);
119  else if(p_size == 6)
120  bigint_monty_redc_6(z, p, p_dash, ws);
121  else if(p_size == 8)
122  bigint_monty_redc_8(z, p, p_dash, ws);
123  else if(p_size == 16)
124  bigint_monty_redc_16(z, p, p_dash, ws);
125  else if(p_size == 24)
126  bigint_monty_redc_24(z, p, p_dash, ws);
127  else if(p_size == 32)
128  bigint_monty_redc_32(z, p, p_dash, ws);
129  else
130  bigint_monty_redc_generic(z, z_size, p, p_size, p_dash, ws);
131  }
void bigint_monty_redc_32(word z[], const word p[], word p_dash, word ws[])
void bigint_monty_redc_8(word z[], const word p[], word p_dash, word ws[])
void bigint_monty_redc_6(word z[], const word p[], word p_dash, word ws[])
void bigint_monty_redc_24(word z[], const word p[], word p_dash, word ws[])
void bigint_monty_redc_16(word z[], const word p[], word p_dash, word ws[])
void bigint_monty_redc_4(word z[], const word p[], word p_dash, word ws[])
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
void Botan::bigint_monty_redc_16 ( word  z[],
const word  p[],
word  p_dash,
word  ws[] 
)

Referenced by bigint_monty_redc().

void Botan::bigint_monty_redc_16 ( word  z[],
const word  p[16],
word  p_dash,
word  ws[] 
)

Definition at line 293 of file mp_monty_n.cpp.

References bigint_sub3(), clear_mem(), Botan::CT::conditional_copy_mem(), word3_add(), and word3_muladd().

294  {
295  word w2 = 0, w1 = 0, w0 = 0;
296  w0 = z[0];
297  ws[0] = w0 * p_dash;
298  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
299  w0 = w1; w1 = w2; w2 = 0;
300  word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
301  word3_add(&w2, &w1, &w0, z[1]);
302  ws[1] = w0 * p_dash;
303  word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
304  w0 = w1; w1 = w2; w2 = 0;
305  word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
306  word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
307  word3_add(&w2, &w1, &w0, z[2]);
308  ws[2] = w0 * p_dash;
309  word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
310  w0 = w1; w1 = w2; w2 = 0;
311  word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
312  word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
313  word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
314  word3_add(&w2, &w1, &w0, z[3]);
315  ws[3] = w0 * p_dash;
316  word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
317  w0 = w1; w1 = w2; w2 = 0;
318  word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
319  word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
320  word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
321  word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
322  word3_add(&w2, &w1, &w0, z[4]);
323  ws[4] = w0 * p_dash;
324  word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
325  w0 = w1; w1 = w2; w2 = 0;
326  word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
327  word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
328  word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
329  word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
330  word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
331  word3_add(&w2, &w1, &w0, z[5]);
332  ws[5] = w0 * p_dash;
333  word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
334  w0 = w1; w1 = w2; w2 = 0;
335  word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
336  word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
337  word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
338  word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
339  word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
340  word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
341  word3_add(&w2, &w1, &w0, z[6]);
342  ws[6] = w0 * p_dash;
343  word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
344  w0 = w1; w1 = w2; w2 = 0;
345  word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
346  word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
347  word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
348  word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
349  word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
350  word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
351  word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
352  word3_add(&w2, &w1, &w0, z[7]);
353  ws[7] = w0 * p_dash;
354  word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
355  w0 = w1; w1 = w2; w2 = 0;
356  word3_muladd(&w2, &w1, &w0, ws[0], p[8]);
357  word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
358  word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
359  word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
360  word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
361  word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
362  word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
363  word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
364  word3_add(&w2, &w1, &w0, z[8]);
365  ws[8] = w0 * p_dash;
366  word3_muladd(&w2, &w1, &w0, ws[8], p[0]);
367  w0 = w1; w1 = w2; w2 = 0;
368  word3_muladd(&w2, &w1, &w0, ws[0], p[9]);
369  word3_muladd(&w2, &w1, &w0, ws[1], p[8]);
370  word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
371  word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
372  word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
373  word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
374  word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
375  word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
376  word3_muladd(&w2, &w1, &w0, ws[8], p[1]);
377  word3_add(&w2, &w1, &w0, z[9]);
378  ws[9] = w0 * p_dash;
379  word3_muladd(&w2, &w1, &w0, ws[9], p[0]);
380  w0 = w1; w1 = w2; w2 = 0;
381  word3_muladd(&w2, &w1, &w0, ws[0], p[10]);
382  word3_muladd(&w2, &w1, &w0, ws[1], p[9]);
383  word3_muladd(&w2, &w1, &w0, ws[2], p[8]);
384  word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
385  word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
386  word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
387  word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
388  word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
389  word3_muladd(&w2, &w1, &w0, ws[8], p[2]);
390  word3_muladd(&w2, &w1, &w0, ws[9], p[1]);
391  word3_add(&w2, &w1, &w0, z[10]);
392  ws[10] = w0 * p_dash;
393  word3_muladd(&w2, &w1, &w0, ws[10], p[0]);
394  w0 = w1; w1 = w2; w2 = 0;
395  word3_muladd(&w2, &w1, &w0, ws[0], p[11]);
396  word3_muladd(&w2, &w1, &w0, ws[1], p[10]);
397  word3_muladd(&w2, &w1, &w0, ws[2], p[9]);
398  word3_muladd(&w2, &w1, &w0, ws[3], p[8]);
399  word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
400  word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
401  word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
402  word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
403  word3_muladd(&w2, &w1, &w0, ws[8], p[3]);
404  word3_muladd(&w2, &w1, &w0, ws[9], p[2]);
405  word3_muladd(&w2, &w1, &w0, ws[10], p[1]);
406  word3_add(&w2, &w1, &w0, z[11]);
407  ws[11] = w0 * p_dash;
408  word3_muladd(&w2, &w1, &w0, ws[11], p[0]);
409  w0 = w1; w1 = w2; w2 = 0;
410  word3_muladd(&w2, &w1, &w0, ws[0], p[12]);
411  word3_muladd(&w2, &w1, &w0, ws[1], p[11]);
412  word3_muladd(&w2, &w1, &w0, ws[2], p[10]);
413  word3_muladd(&w2, &w1, &w0, ws[3], p[9]);
414  word3_muladd(&w2, &w1, &w0, ws[4], p[8]);
415  word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
416  word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
417  word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
418  word3_muladd(&w2, &w1, &w0, ws[8], p[4]);
419  word3_muladd(&w2, &w1, &w0, ws[9], p[3]);
420  word3_muladd(&w2, &w1, &w0, ws[10], p[2]);
421  word3_muladd(&w2, &w1, &w0, ws[11], p[1]);
422  word3_add(&w2, &w1, &w0, z[12]);
423  ws[12] = w0 * p_dash;
424  word3_muladd(&w2, &w1, &w0, ws[12], p[0]);
425  w0 = w1; w1 = w2; w2 = 0;
426  word3_muladd(&w2, &w1, &w0, ws[0], p[13]);
427  word3_muladd(&w2, &w1, &w0, ws[1], p[12]);
428  word3_muladd(&w2, &w1, &w0, ws[2], p[11]);
429  word3_muladd(&w2, &w1, &w0, ws[3], p[10]);
430  word3_muladd(&w2, &w1, &w0, ws[4], p[9]);
431  word3_muladd(&w2, &w1, &w0, ws[5], p[8]);
432  word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
433  word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
434  word3_muladd(&w2, &w1, &w0, ws[8], p[5]);
435  word3_muladd(&w2, &w1, &w0, ws[9], p[4]);
436  word3_muladd(&w2, &w1, &w0, ws[10], p[3]);
437  word3_muladd(&w2, &w1, &w0, ws[11], p[2]);
438  word3_muladd(&w2, &w1, &w0, ws[12], p[1]);
439  word3_add(&w2, &w1, &w0, z[13]);
440  ws[13] = w0 * p_dash;
441  word3_muladd(&w2, &w1, &w0, ws[13], p[0]);
442  w0 = w1; w1 = w2; w2 = 0;
443  word3_muladd(&w2, &w1, &w0, ws[0], p[14]);
444  word3_muladd(&w2, &w1, &w0, ws[1], p[13]);
445  word3_muladd(&w2, &w1, &w0, ws[2], p[12]);
446  word3_muladd(&w2, &w1, &w0, ws[3], p[11]);
447  word3_muladd(&w2, &w1, &w0, ws[4], p[10]);
448  word3_muladd(&w2, &w1, &w0, ws[5], p[9]);
449  word3_muladd(&w2, &w1, &w0, ws[6], p[8]);
450  word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
451  word3_muladd(&w2, &w1, &w0, ws[8], p[6]);
452  word3_muladd(&w2, &w1, &w0, ws[9], p[5]);
453  word3_muladd(&w2, &w1, &w0, ws[10], p[4]);
454  word3_muladd(&w2, &w1, &w0, ws[11], p[3]);
455  word3_muladd(&w2, &w1, &w0, ws[12], p[2]);
456  word3_muladd(&w2, &w1, &w0, ws[13], p[1]);
457  word3_add(&w2, &w1, &w0, z[14]);
458  ws[14] = w0 * p_dash;
459  word3_muladd(&w2, &w1, &w0, ws[14], p[0]);
460  w0 = w1; w1 = w2; w2 = 0;
461  word3_muladd(&w2, &w1, &w0, ws[0], p[15]);
462  word3_muladd(&w2, &w1, &w0, ws[1], p[14]);
463  word3_muladd(&w2, &w1, &w0, ws[2], p[13]);
464  word3_muladd(&w2, &w1, &w0, ws[3], p[12]);
465  word3_muladd(&w2, &w1, &w0, ws[4], p[11]);
466  word3_muladd(&w2, &w1, &w0, ws[5], p[10]);
467  word3_muladd(&w2, &w1, &w0, ws[6], p[9]);
468  word3_muladd(&w2, &w1, &w0, ws[7], p[8]);
469  word3_muladd(&w2, &w1, &w0, ws[8], p[7]);
470  word3_muladd(&w2, &w1, &w0, ws[9], p[6]);
471  word3_muladd(&w2, &w1, &w0, ws[10], p[5]);
472  word3_muladd(&w2, &w1, &w0, ws[11], p[4]);
473  word3_muladd(&w2, &w1, &w0, ws[12], p[3]);
474  word3_muladd(&w2, &w1, &w0, ws[13], p[2]);
475  word3_muladd(&w2, &w1, &w0, ws[14], p[1]);
476  word3_add(&w2, &w1, &w0, z[15]);
477  ws[15] = w0 * p_dash;
478  word3_muladd(&w2, &w1, &w0, ws[15], p[0]);
479  w0 = w1; w1 = w2; w2 = 0;
480  word3_muladd(&w2, &w1, &w0, ws[1], p[15]);
481  word3_muladd(&w2, &w1, &w0, ws[2], p[14]);
482  word3_muladd(&w2, &w1, &w0, ws[3], p[13]);
483  word3_muladd(&w2, &w1, &w0, ws[4], p[12]);
484  word3_muladd(&w2, &w1, &w0, ws[5], p[11]);
485  word3_muladd(&w2, &w1, &w0, ws[6], p[10]);
486  word3_muladd(&w2, &w1, &w0, ws[7], p[9]);
487  word3_muladd(&w2, &w1, &w0, ws[8], p[8]);
488  word3_muladd(&w2, &w1, &w0, ws[9], p[7]);
489  word3_muladd(&w2, &w1, &w0, ws[10], p[6]);
490  word3_muladd(&w2, &w1, &w0, ws[11], p[5]);
491  word3_muladd(&w2, &w1, &w0, ws[12], p[4]);
492  word3_muladd(&w2, &w1, &w0, ws[13], p[3]);
493  word3_muladd(&w2, &w1, &w0, ws[14], p[2]);
494  word3_muladd(&w2, &w1, &w0, ws[15], p[1]);
495  word3_add(&w2, &w1, &w0, z[16]);
496  ws[0] = w0;
497  w0 = w1; w1 = w2; w2 = 0;
498  word3_muladd(&w2, &w1, &w0, ws[2], p[15]);
499  word3_muladd(&w2, &w1, &w0, ws[3], p[14]);
500  word3_muladd(&w2, &w1, &w0, ws[4], p[13]);
501  word3_muladd(&w2, &w1, &w0, ws[5], p[12]);
502  word3_muladd(&w2, &w1, &w0, ws[6], p[11]);
503  word3_muladd(&w2, &w1, &w0, ws[7], p[10]);
504  word3_muladd(&w2, &w1, &w0, ws[8], p[9]);
505  word3_muladd(&w2, &w1, &w0, ws[9], p[8]);
506  word3_muladd(&w2, &w1, &w0, ws[10], p[7]);
507  word3_muladd(&w2, &w1, &w0, ws[11], p[6]);
508  word3_muladd(&w2, &w1, &w0, ws[12], p[5]);
509  word3_muladd(&w2, &w1, &w0, ws[13], p[4]);
510  word3_muladd(&w2, &w1, &w0, ws[14], p[3]);
511  word3_muladd(&w2, &w1, &w0, ws[15], p[2]);
512  word3_add(&w2, &w1, &w0, z[17]);
513  ws[1] = w0;
514  w0 = w1; w1 = w2; w2 = 0;
515  word3_muladd(&w2, &w1, &w0, ws[3], p[15]);
516  word3_muladd(&w2, &w1, &w0, ws[4], p[14]);
517  word3_muladd(&w2, &w1, &w0, ws[5], p[13]);
518  word3_muladd(&w2, &w1, &w0, ws[6], p[12]);
519  word3_muladd(&w2, &w1, &w0, ws[7], p[11]);
520  word3_muladd(&w2, &w1, &w0, ws[8], p[10]);
521  word3_muladd(&w2, &w1, &w0, ws[9], p[9]);
522  word3_muladd(&w2, &w1, &w0, ws[10], p[8]);
523  word3_muladd(&w2, &w1, &w0, ws[11], p[7]);
524  word3_muladd(&w2, &w1, &w0, ws[12], p[6]);
525  word3_muladd(&w2, &w1, &w0, ws[13], p[5]);
526  word3_muladd(&w2, &w1, &w0, ws[14], p[4]);
527  word3_muladd(&w2, &w1, &w0, ws[15], p[3]);
528  word3_add(&w2, &w1, &w0, z[18]);
529  ws[2] = w0;
530  w0 = w1; w1 = w2; w2 = 0;
531  word3_muladd(&w2, &w1, &w0, ws[4], p[15]);
532  word3_muladd(&w2, &w1, &w0, ws[5], p[14]);
533  word3_muladd(&w2, &w1, &w0, ws[6], p[13]);
534  word3_muladd(&w2, &w1, &w0, ws[7], p[12]);
535  word3_muladd(&w2, &w1, &w0, ws[8], p[11]);
536  word3_muladd(&w2, &w1, &w0, ws[9], p[10]);
537  word3_muladd(&w2, &w1, &w0, ws[10], p[9]);
538  word3_muladd(&w2, &w1, &w0, ws[11], p[8]);
539  word3_muladd(&w2, &w1, &w0, ws[12], p[7]);
540  word3_muladd(&w2, &w1, &w0, ws[13], p[6]);
541  word3_muladd(&w2, &w1, &w0, ws[14], p[5]);
542  word3_muladd(&w2, &w1, &w0, ws[15], p[4]);
543  word3_add(&w2, &w1, &w0, z[19]);
544  ws[3] = w0;
545  w0 = w1; w1 = w2; w2 = 0;
546  word3_muladd(&w2, &w1, &w0, ws[5], p[15]);
547  word3_muladd(&w2, &w1, &w0, ws[6], p[14]);
548  word3_muladd(&w2, &w1, &w0, ws[7], p[13]);
549  word3_muladd(&w2, &w1, &w0, ws[8], p[12]);
550  word3_muladd(&w2, &w1, &w0, ws[9], p[11]);
551  word3_muladd(&w2, &w1, &w0, ws[10], p[10]);
552  word3_muladd(&w2, &w1, &w0, ws[11], p[9]);
553  word3_muladd(&w2, &w1, &w0, ws[12], p[8]);
554  word3_muladd(&w2, &w1, &w0, ws[13], p[7]);
555  word3_muladd(&w2, &w1, &w0, ws[14], p[6]);
556  word3_muladd(&w2, &w1, &w0, ws[15], p[5]);
557  word3_add(&w2, &w1, &w0, z[20]);
558  ws[4] = w0;
559  w0 = w1; w1 = w2; w2 = 0;
560  word3_muladd(&w2, &w1, &w0, ws[6], p[15]);
561  word3_muladd(&w2, &w1, &w0, ws[7], p[14]);
562  word3_muladd(&w2, &w1, &w0, ws[8], p[13]);
563  word3_muladd(&w2, &w1, &w0, ws[9], p[12]);
564  word3_muladd(&w2, &w1, &w0, ws[10], p[11]);
565  word3_muladd(&w2, &w1, &w0, ws[11], p[10]);
566  word3_muladd(&w2, &w1, &w0, ws[12], p[9]);
567  word3_muladd(&w2, &w1, &w0, ws[13], p[8]);
568  word3_muladd(&w2, &w1, &w0, ws[14], p[7]);
569  word3_muladd(&w2, &w1, &w0, ws[15], p[6]);
570  word3_add(&w2, &w1, &w0, z[21]);
571  ws[5] = w0;
572  w0 = w1; w1 = w2; w2 = 0;
573  word3_muladd(&w2, &w1, &w0, ws[7], p[15]);
574  word3_muladd(&w2, &w1, &w0, ws[8], p[14]);
575  word3_muladd(&w2, &w1, &w0, ws[9], p[13]);
576  word3_muladd(&w2, &w1, &w0, ws[10], p[12]);
577  word3_muladd(&w2, &w1, &w0, ws[11], p[11]);
578  word3_muladd(&w2, &w1, &w0, ws[12], p[10]);
579  word3_muladd(&w2, &w1, &w0, ws[13], p[9]);
580  word3_muladd(&w2, &w1, &w0, ws[14], p[8]);
581  word3_muladd(&w2, &w1, &w0, ws[15], p[7]);
582  word3_add(&w2, &w1, &w0, z[22]);
583  ws[6] = w0;
584  w0 = w1; w1 = w2; w2 = 0;
585  word3_muladd(&w2, &w1, &w0, ws[8], p[15]);
586  word3_muladd(&w2, &w1, &w0, ws[9], p[14]);
587  word3_muladd(&w2, &w1, &w0, ws[10], p[13]);
588  word3_muladd(&w2, &w1, &w0, ws[11], p[12]);
589  word3_muladd(&w2, &w1, &w0, ws[12], p[11]);
590  word3_muladd(&w2, &w1, &w0, ws[13], p[10]);
591  word3_muladd(&w2, &w1, &w0, ws[14], p[9]);
592  word3_muladd(&w2, &w1, &w0, ws[15], p[8]);
593  word3_add(&w2, &w1, &w0, z[23]);
594  ws[7] = w0;
595  w0 = w1; w1 = w2; w2 = 0;
596  word3_muladd(&w2, &w1, &w0, ws[9], p[15]);
597  word3_muladd(&w2, &w1, &w0, ws[10], p[14]);
598  word3_muladd(&w2, &w1, &w0, ws[11], p[13]);
599  word3_muladd(&w2, &w1, &w0, ws[12], p[12]);
600  word3_muladd(&w2, &w1, &w0, ws[13], p[11]);
601  word3_muladd(&w2, &w1, &w0, ws[14], p[10]);
602  word3_muladd(&w2, &w1, &w0, ws[15], p[9]);
603  word3_add(&w2, &w1, &w0, z[24]);
604  ws[8] = w0;
605  w0 = w1; w1 = w2; w2 = 0;
606  word3_muladd(&w2, &w1, &w0, ws[10], p[15]);
607  word3_muladd(&w2, &w1, &w0, ws[11], p[14]);
608  word3_muladd(&w2, &w1, &w0, ws[12], p[13]);
609  word3_muladd(&w2, &w1, &w0, ws[13], p[12]);
610  word3_muladd(&w2, &w1, &w0, ws[14], p[11]);
611  word3_muladd(&w2, &w1, &w0, ws[15], p[10]);
612  word3_add(&w2, &w1, &w0, z[25]);
613  ws[9] = w0;
614  w0 = w1; w1 = w2; w2 = 0;
615  word3_muladd(&w2, &w1, &w0, ws[11], p[15]);
616  word3_muladd(&w2, &w1, &w0, ws[12], p[14]);
617  word3_muladd(&w2, &w1, &w0, ws[13], p[13]);
618  word3_muladd(&w2, &w1, &w0, ws[14], p[12]);
619  word3_muladd(&w2, &w1, &w0, ws[15], p[11]);
620  word3_add(&w2, &w1, &w0, z[26]);
621  ws[10] = w0;
622  w0 = w1; w1 = w2; w2 = 0;
623  word3_muladd(&w2, &w1, &w0, ws[12], p[15]);
624  word3_muladd(&w2, &w1, &w0, ws[13], p[14]);
625  word3_muladd(&w2, &w1, &w0, ws[14], p[13]);
626  word3_muladd(&w2, &w1, &w0, ws[15], p[12]);
627  word3_add(&w2, &w1, &w0, z[27]);
628  ws[11] = w0;
629  w0 = w1; w1 = w2; w2 = 0;
630  word3_muladd(&w2, &w1, &w0, ws[13], p[15]);
631  word3_muladd(&w2, &w1, &w0, ws[14], p[14]);
632  word3_muladd(&w2, &w1, &w0, ws[15], p[13]);
633  word3_add(&w2, &w1, &w0, z[28]);
634  ws[12] = w0;
635  w0 = w1; w1 = w2; w2 = 0;
636  word3_muladd(&w2, &w1, &w0, ws[14], p[15]);
637  word3_muladd(&w2, &w1, &w0, ws[15], p[14]);
638  word3_add(&w2, &w1, &w0, z[29]);
639  ws[13] = w0;
640  w0 = w1; w1 = w2; w2 = 0;
641  word3_muladd(&w2, &w1, &w0, ws[15], p[15]);
642  word3_add(&w2, &w1, &w0, z[30]);
643  ws[14] = w0;
644  w0 = w1; w1 = w2; w2 = 0;
645  word3_add(&w2, &w1, &w0, z[31]);
646  ws[15] = w0;
647  w0 = w1; w1 = w2; w2 = 0;
648  word3_add(&w2, &w1, &w0, z[33]);
649  ws[16] = w0;
650  ws[17] = w1;
651  word borrow = bigint_sub3(ws + 16 + 1, ws, 16 + 1, p, 16);
652  CT::conditional_copy_mem(borrow, z, ws, ws + 17, 17);
653  clear_mem(z + 16, 2*(16+1) - 16);
654  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:500
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
void Botan::bigint_monty_redc_24 ( word  z[],
const word  p[],
word  p_dash,
word  ws[] 
)

Referenced by bigint_monty_redc().

void Botan::bigint_monty_redc_24 ( word  z[],
const word  p[24],
word  p_dash,
word  ws[] 
)

Definition at line 656 of file mp_monty_n.cpp.

References bigint_sub3(), clear_mem(), Botan::CT::conditional_copy_mem(), word3_add(), and word3_muladd().

657  {
658  word w2 = 0, w1 = 0, w0 = 0;
659  w0 = z[0];
660  ws[0] = w0 * p_dash;
661  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
662  w0 = w1; w1 = w2; w2 = 0;
663  word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
664  word3_add(&w2, &w1, &w0, z[1]);
665  ws[1] = w0 * p_dash;
666  word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
667  w0 = w1; w1 = w2; w2 = 0;
668  word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
669  word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
670  word3_add(&w2, &w1, &w0, z[2]);
671  ws[2] = w0 * p_dash;
672  word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
673  w0 = w1; w1 = w2; w2 = 0;
674  word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
675  word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
676  word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
677  word3_add(&w2, &w1, &w0, z[3]);
678  ws[3] = w0 * p_dash;
679  word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
680  w0 = w1; w1 = w2; w2 = 0;
681  word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
682  word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
683  word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
684  word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
685  word3_add(&w2, &w1, &w0, z[4]);
686  ws[4] = w0 * p_dash;
687  word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
688  w0 = w1; w1 = w2; w2 = 0;
689  word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
690  word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
691  word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
692  word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
693  word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
694  word3_add(&w2, &w1, &w0, z[5]);
695  ws[5] = w0 * p_dash;
696  word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
697  w0 = w1; w1 = w2; w2 = 0;
698  word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
699  word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
700  word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
701  word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
702  word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
703  word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
704  word3_add(&w2, &w1, &w0, z[6]);
705  ws[6] = w0 * p_dash;
706  word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
707  w0 = w1; w1 = w2; w2 = 0;
708  word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
709  word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
710  word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
711  word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
712  word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
713  word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
714  word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
715  word3_add(&w2, &w1, &w0, z[7]);
716  ws[7] = w0 * p_dash;
717  word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
718  w0 = w1; w1 = w2; w2 = 0;
719  word3_muladd(&w2, &w1, &w0, ws[0], p[8]);
720  word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
721  word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
722  word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
723  word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
724  word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
725  word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
726  word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
727  word3_add(&w2, &w1, &w0, z[8]);
728  ws[8] = w0 * p_dash;
729  word3_muladd(&w2, &w1, &w0, ws[8], p[0]);
730  w0 = w1; w1 = w2; w2 = 0;
731  word3_muladd(&w2, &w1, &w0, ws[0], p[9]);
732  word3_muladd(&w2, &w1, &w0, ws[1], p[8]);
733  word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
734  word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
735  word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
736  word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
737  word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
738  word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
739  word3_muladd(&w2, &w1, &w0, ws[8], p[1]);
740  word3_add(&w2, &w1, &w0, z[9]);
741  ws[9] = w0 * p_dash;
742  word3_muladd(&w2, &w1, &w0, ws[9], p[0]);
743  w0 = w1; w1 = w2; w2 = 0;
744  word3_muladd(&w2, &w1, &w0, ws[0], p[10]);
745  word3_muladd(&w2, &w1, &w0, ws[1], p[9]);
746  word3_muladd(&w2, &w1, &w0, ws[2], p[8]);
747  word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
748  word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
749  word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
750  word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
751  word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
752  word3_muladd(&w2, &w1, &w0, ws[8], p[2]);
753  word3_muladd(&w2, &w1, &w0, ws[9], p[1]);
754  word3_add(&w2, &w1, &w0, z[10]);
755  ws[10] = w0 * p_dash;
756  word3_muladd(&w2, &w1, &w0, ws[10], p[0]);
757  w0 = w1; w1 = w2; w2 = 0;
758  word3_muladd(&w2, &w1, &w0, ws[0], p[11]);
759  word3_muladd(&w2, &w1, &w0, ws[1], p[10]);
760  word3_muladd(&w2, &w1, &w0, ws[2], p[9]);
761  word3_muladd(&w2, &w1, &w0, ws[3], p[8]);
762  word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
763  word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
764  word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
765  word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
766  word3_muladd(&w2, &w1, &w0, ws[8], p[3]);
767  word3_muladd(&w2, &w1, &w0, ws[9], p[2]);
768  word3_muladd(&w2, &w1, &w0, ws[10], p[1]);
769  word3_add(&w2, &w1, &w0, z[11]);
770  ws[11] = w0 * p_dash;
771  word3_muladd(&w2, &w1, &w0, ws[11], p[0]);
772  w0 = w1; w1 = w2; w2 = 0;
773  word3_muladd(&w2, &w1, &w0, ws[0], p[12]);
774  word3_muladd(&w2, &w1, &w0, ws[1], p[11]);
775  word3_muladd(&w2, &w1, &w0, ws[2], p[10]);
776  word3_muladd(&w2, &w1, &w0, ws[3], p[9]);
777  word3_muladd(&w2, &w1, &w0, ws[4], p[8]);
778  word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
779  word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
780  word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
781  word3_muladd(&w2, &w1, &w0, ws[8], p[4]);
782  word3_muladd(&w2, &w1, &w0, ws[9], p[3]);
783  word3_muladd(&w2, &w1, &w0, ws[10], p[2]);
784  word3_muladd(&w2, &w1, &w0, ws[11], p[1]);
785  word3_add(&w2, &w1, &w0, z[12]);
786  ws[12] = w0 * p_dash;
787  word3_muladd(&w2, &w1, &w0, ws[12], p[0]);
788  w0 = w1; w1 = w2; w2 = 0;
789  word3_muladd(&w2, &w1, &w0, ws[0], p[13]);
790  word3_muladd(&w2, &w1, &w0, ws[1], p[12]);
791  word3_muladd(&w2, &w1, &w0, ws[2], p[11]);
792  word3_muladd(&w2, &w1, &w0, ws[3], p[10]);
793  word3_muladd(&w2, &w1, &w0, ws[4], p[9]);
794  word3_muladd(&w2, &w1, &w0, ws[5], p[8]);
795  word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
796  word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
797  word3_muladd(&w2, &w1, &w0, ws[8], p[5]);
798  word3_muladd(&w2, &w1, &w0, ws[9], p[4]);
799  word3_muladd(&w2, &w1, &w0, ws[10], p[3]);
800  word3_muladd(&w2, &w1, &w0, ws[11], p[2]);
801  word3_muladd(&w2, &w1, &w0, ws[12], p[1]);
802  word3_add(&w2, &w1, &w0, z[13]);
803  ws[13] = w0 * p_dash;
804  word3_muladd(&w2, &w1, &w0, ws[13], p[0]);
805  w0 = w1; w1 = w2; w2 = 0;
806  word3_muladd(&w2, &w1, &w0, ws[0], p[14]);
807  word3_muladd(&w2, &w1, &w0, ws[1], p[13]);
808  word3_muladd(&w2, &w1, &w0, ws[2], p[12]);
809  word3_muladd(&w2, &w1, &w0, ws[3], p[11]);
810  word3_muladd(&w2, &w1, &w0, ws[4], p[10]);
811  word3_muladd(&w2, &w1, &w0, ws[5], p[9]);
812  word3_muladd(&w2, &w1, &w0, ws[6], p[8]);
813  word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
814  word3_muladd(&w2, &w1, &w0, ws[8], p[6]);
815  word3_muladd(&w2, &w1, &w0, ws[9], p[5]);
816  word3_muladd(&w2, &w1, &w0, ws[10], p[4]);
817  word3_muladd(&w2, &w1, &w0, ws[11], p[3]);
818  word3_muladd(&w2, &w1, &w0, ws[12], p[2]);
819  word3_muladd(&w2, &w1, &w0, ws[13], p[1]);
820  word3_add(&w2, &w1, &w0, z[14]);
821  ws[14] = w0 * p_dash;
822  word3_muladd(&w2, &w1, &w0, ws[14], p[0]);
823  w0 = w1; w1 = w2; w2 = 0;
824  word3_muladd(&w2, &w1, &w0, ws[0], p[15]);
825  word3_muladd(&w2, &w1, &w0, ws[1], p[14]);
826  word3_muladd(&w2, &w1, &w0, ws[2], p[13]);
827  word3_muladd(&w2, &w1, &w0, ws[3], p[12]);
828  word3_muladd(&w2, &w1, &w0, ws[4], p[11]);
829  word3_muladd(&w2, &w1, &w0, ws[5], p[10]);
830  word3_muladd(&w2, &w1, &w0, ws[6], p[9]);
831  word3_muladd(&w2, &w1, &w0, ws[7], p[8]);
832  word3_muladd(&w2, &w1, &w0, ws[8], p[7]);
833  word3_muladd(&w2, &w1, &w0, ws[9], p[6]);
834  word3_muladd(&w2, &w1, &w0, ws[10], p[5]);
835  word3_muladd(&w2, &w1, &w0, ws[11], p[4]);
836  word3_muladd(&w2, &w1, &w0, ws[12], p[3]);
837  word3_muladd(&w2, &w1, &w0, ws[13], p[2]);
838  word3_muladd(&w2, &w1, &w0, ws[14], p[1]);
839  word3_add(&w2, &w1, &w0, z[15]);
840  ws[15] = w0 * p_dash;
841  word3_muladd(&w2, &w1, &w0, ws[15], p[0]);
842  w0 = w1; w1 = w2; w2 = 0;
843  word3_muladd(&w2, &w1, &w0, ws[0], p[16]);
844  word3_muladd(&w2, &w1, &w0, ws[1], p[15]);
845  word3_muladd(&w2, &w1, &w0, ws[2], p[14]);
846  word3_muladd(&w2, &w1, &w0, ws[3], p[13]);
847  word3_muladd(&w2, &w1, &w0, ws[4], p[12]);
848  word3_muladd(&w2, &w1, &w0, ws[5], p[11]);
849  word3_muladd(&w2, &w1, &w0, ws[6], p[10]);
850  word3_muladd(&w2, &w1, &w0, ws[7], p[9]);
851  word3_muladd(&w2, &w1, &w0, ws[8], p[8]);
852  word3_muladd(&w2, &w1, &w0, ws[9], p[7]);
853  word3_muladd(&w2, &w1, &w0, ws[10], p[6]);
854  word3_muladd(&w2, &w1, &w0, ws[11], p[5]);
855  word3_muladd(&w2, &w1, &w0, ws[12], p[4]);
856  word3_muladd(&w2, &w1, &w0, ws[13], p[3]);
857  word3_muladd(&w2, &w1, &w0, ws[14], p[2]);
858  word3_muladd(&w2, &w1, &w0, ws[15], p[1]);
859  word3_add(&w2, &w1, &w0, z[16]);
860  ws[16] = w0 * p_dash;
861  word3_muladd(&w2, &w1, &w0, ws[16], p[0]);
862  w0 = w1; w1 = w2; w2 = 0;
863  word3_muladd(&w2, &w1, &w0, ws[0], p[17]);
864  word3_muladd(&w2, &w1, &w0, ws[1], p[16]);
865  word3_muladd(&w2, &w1, &w0, ws[2], p[15]);
866  word3_muladd(&w2, &w1, &w0, ws[3], p[14]);
867  word3_muladd(&w2, &w1, &w0, ws[4], p[13]);
868  word3_muladd(&w2, &w1, &w0, ws[5], p[12]);
869  word3_muladd(&w2, &w1, &w0, ws[6], p[11]);
870  word3_muladd(&w2, &w1, &w0, ws[7], p[10]);
871  word3_muladd(&w2, &w1, &w0, ws[8], p[9]);
872  word3_muladd(&w2, &w1, &w0, ws[9], p[8]);
873  word3_muladd(&w2, &w1, &w0, ws[10], p[7]);
874  word3_muladd(&w2, &w1, &w0, ws[11], p[6]);
875  word3_muladd(&w2, &w1, &w0, ws[12], p[5]);
876  word3_muladd(&w2, &w1, &w0, ws[13], p[4]);
877  word3_muladd(&w2, &w1, &w0, ws[14], p[3]);
878  word3_muladd(&w2, &w1, &w0, ws[15], p[2]);
879  word3_muladd(&w2, &w1, &w0, ws[16], p[1]);
880  word3_add(&w2, &w1, &w0, z[17]);
881  ws[17] = w0 * p_dash;
882  word3_muladd(&w2, &w1, &w0, ws[17], p[0]);
883  w0 = w1; w1 = w2; w2 = 0;
884  word3_muladd(&w2, &w1, &w0, ws[0], p[18]);
885  word3_muladd(&w2, &w1, &w0, ws[1], p[17]);
886  word3_muladd(&w2, &w1, &w0, ws[2], p[16]);
887  word3_muladd(&w2, &w1, &w0, ws[3], p[15]);
888  word3_muladd(&w2, &w1, &w0, ws[4], p[14]);
889  word3_muladd(&w2, &w1, &w0, ws[5], p[13]);
890  word3_muladd(&w2, &w1, &w0, ws[6], p[12]);
891  word3_muladd(&w2, &w1, &w0, ws[7], p[11]);
892  word3_muladd(&w2, &w1, &w0, ws[8], p[10]);
893  word3_muladd(&w2, &w1, &w0, ws[9], p[9]);
894  word3_muladd(&w2, &w1, &w0, ws[10], p[8]);
895  word3_muladd(&w2, &w1, &w0, ws[11], p[7]);
896  word3_muladd(&w2, &w1, &w0, ws[12], p[6]);
897  word3_muladd(&w2, &w1, &w0, ws[13], p[5]);
898  word3_muladd(&w2, &w1, &w0, ws[14], p[4]);
899  word3_muladd(&w2, &w1, &w0, ws[15], p[3]);
900  word3_muladd(&w2, &w1, &w0, ws[16], p[2]);
901  word3_muladd(&w2, &w1, &w0, ws[17], p[1]);
902  word3_add(&w2, &w1, &w0, z[18]);
903  ws[18] = w0 * p_dash;
904  word3_muladd(&w2, &w1, &w0, ws[18], p[0]);
905  w0 = w1; w1 = w2; w2 = 0;
906  word3_muladd(&w2, &w1, &w0, ws[0], p[19]);
907  word3_muladd(&w2, &w1, &w0, ws[1], p[18]);
908  word3_muladd(&w2, &w1, &w0, ws[2], p[17]);
909  word3_muladd(&w2, &w1, &w0, ws[3], p[16]);
910  word3_muladd(&w2, &w1, &w0, ws[4], p[15]);
911  word3_muladd(&w2, &w1, &w0, ws[5], p[14]);
912  word3_muladd(&w2, &w1, &w0, ws[6], p[13]);
913  word3_muladd(&w2, &w1, &w0, ws[7], p[12]);
914  word3_muladd(&w2, &w1, &w0, ws[8], p[11]);
915  word3_muladd(&w2, &w1, &w0, ws[9], p[10]);
916  word3_muladd(&w2, &w1, &w0, ws[10], p[9]);
917  word3_muladd(&w2, &w1, &w0, ws[11], p[8]);
918  word3_muladd(&w2, &w1, &w0, ws[12], p[7]);
919  word3_muladd(&w2, &w1, &w0, ws[13], p[6]);
920  word3_muladd(&w2, &w1, &w0, ws[14], p[5]);
921  word3_muladd(&w2, &w1, &w0, ws[15], p[4]);
922  word3_muladd(&w2, &w1, &w0, ws[16], p[3]);
923  word3_muladd(&w2, &w1, &w0, ws[17], p[2]);
924  word3_muladd(&w2, &w1, &w0, ws[18], p[1]);
925  word3_add(&w2, &w1, &w0, z[19]);
926  ws[19] = w0 * p_dash;
927  word3_muladd(&w2, &w1, &w0, ws[19], p[0]);
928  w0 = w1; w1 = w2; w2 = 0;
929  word3_muladd(&w2, &w1, &w0, ws[0], p[20]);
930  word3_muladd(&w2, &w1, &w0, ws[1], p[19]);
931  word3_muladd(&w2, &w1, &w0, ws[2], p[18]);
932  word3_muladd(&w2, &w1, &w0, ws[3], p[17]);
933  word3_muladd(&w2, &w1, &w0, ws[4], p[16]);
934  word3_muladd(&w2, &w1, &w0, ws[5], p[15]);
935  word3_muladd(&w2, &w1, &w0, ws[6], p[14]);
936  word3_muladd(&w2, &w1, &w0, ws[7], p[13]);
937  word3_muladd(&w2, &w1, &w0, ws[8], p[12]);
938  word3_muladd(&w2, &w1, &w0, ws[9], p[11]);
939  word3_muladd(&w2, &w1, &w0, ws[10], p[10]);
940  word3_muladd(&w2, &w1, &w0, ws[11], p[9]);
941  word3_muladd(&w2, &w1, &w0, ws[12], p[8]);
942  word3_muladd(&w2, &w1, &w0, ws[13], p[7]);
943  word3_muladd(&w2, &w1, &w0, ws[14], p[6]);
944  word3_muladd(&w2, &w1, &w0, ws[15], p[5]);
945  word3_muladd(&w2, &w1, &w0, ws[16], p[4]);
946  word3_muladd(&w2, &w1, &w0, ws[17], p[3]);
947  word3_muladd(&w2, &w1, &w0, ws[18], p[2]);
948  word3_muladd(&w2, &w1, &w0, ws[19], p[1]);
949  word3_add(&w2, &w1, &w0, z[20]);
950  ws[20] = w0 * p_dash;
951  word3_muladd(&w2, &w1, &w0, ws[20], p[0]);
952  w0 = w1; w1 = w2; w2 = 0;
953  word3_muladd(&w2, &w1, &w0, ws[0], p[21]);
954  word3_muladd(&w2, &w1, &w0, ws[1], p[20]);
955  word3_muladd(&w2, &w1, &w0, ws[2], p[19]);
956  word3_muladd(&w2, &w1, &w0, ws[3], p[18]);
957  word3_muladd(&w2, &w1, &w0, ws[4], p[17]);
958  word3_muladd(&w2, &w1, &w0, ws[5], p[16]);
959  word3_muladd(&w2, &w1, &w0, ws[6], p[15]);
960  word3_muladd(&w2, &w1, &w0, ws[7], p[14]);
961  word3_muladd(&w2, &w1, &w0, ws[8], p[13]);
962  word3_muladd(&w2, &w1, &w0, ws[9], p[12]);
963  word3_muladd(&w2, &w1, &w0, ws[10], p[11]);
964  word3_muladd(&w2, &w1, &w0, ws[11], p[10]);
965  word3_muladd(&w2, &w1, &w0, ws[12], p[9]);
966  word3_muladd(&w2, &w1, &w0, ws[13], p[8]);
967  word3_muladd(&w2, &w1, &w0, ws[14], p[7]);
968  word3_muladd(&w2, &w1, &w0, ws[15], p[6]);
969  word3_muladd(&w2, &w1, &w0, ws[16], p[5]);
970  word3_muladd(&w2, &w1, &w0, ws[17], p[4]);
971  word3_muladd(&w2, &w1, &w0, ws[18], p[3]);
972  word3_muladd(&w2, &w1, &w0, ws[19], p[2]);
973  word3_muladd(&w2, &w1, &w0, ws[20], p[1]);
974  word3_add(&w2, &w1, &w0, z[21]);
975  ws[21] = w0 * p_dash;
976  word3_muladd(&w2, &w1, &w0, ws[21], p[0]);
977  w0 = w1; w1 = w2; w2 = 0;
978  word3_muladd(&w2, &w1, &w0, ws[0], p[22]);
979  word3_muladd(&w2, &w1, &w0, ws[1], p[21]);
980  word3_muladd(&w2, &w1, &w0, ws[2], p[20]);
981  word3_muladd(&w2, &w1, &w0, ws[3], p[19]);
982  word3_muladd(&w2, &w1, &w0, ws[4], p[18]);
983  word3_muladd(&w2, &w1, &w0, ws[5], p[17]);
984  word3_muladd(&w2, &w1, &w0, ws[6], p[16]);
985  word3_muladd(&w2, &w1, &w0, ws[7], p[15]);
986  word3_muladd(&w2, &w1, &w0, ws[8], p[14]);
987  word3_muladd(&w2, &w1, &w0, ws[9], p[13]);
988  word3_muladd(&w2, &w1, &w0, ws[10], p[12]);
989  word3_muladd(&w2, &w1, &w0, ws[11], p[11]);
990  word3_muladd(&w2, &w1, &w0, ws[12], p[10]);
991  word3_muladd(&w2, &w1, &w0, ws[13], p[9]);
992  word3_muladd(&w2, &w1, &w0, ws[14], p[8]);
993  word3_muladd(&w2, &w1, &w0, ws[15], p[7]);
994  word3_muladd(&w2, &w1, &w0, ws[16], p[6]);
995  word3_muladd(&w2, &w1, &w0, ws[17], p[5]);
996  word3_muladd(&w2, &w1, &w0, ws[18], p[4]);
997  word3_muladd(&w2, &w1, &w0, ws[19], p[3]);
998  word3_muladd(&w2, &w1, &w0, ws[20], p[2]);
999  word3_muladd(&w2, &w1, &w0, ws[21], p[1]);
1000  word3_add(&w2, &w1, &w0, z[22]);
1001  ws[22] = w0 * p_dash;
1002  word3_muladd(&w2, &w1, &w0, ws[22], p[0]);
1003  w0 = w1; w1 = w2; w2 = 0;
1004  word3_muladd(&w2, &w1, &w0, ws[0], p[23]);
1005  word3_muladd(&w2, &w1, &w0, ws[1], p[22]);
1006  word3_muladd(&w2, &w1, &w0, ws[2], p[21]);
1007  word3_muladd(&w2, &w1, &w0, ws[3], p[20]);
1008  word3_muladd(&w2, &w1, &w0, ws[4], p[19]);
1009  word3_muladd(&w2, &w1, &w0, ws[5], p[18]);
1010  word3_muladd(&w2, &w1, &w0, ws[6], p[17]);
1011  word3_muladd(&w2, &w1, &w0, ws[7], p[16]);
1012  word3_muladd(&w2, &w1, &w0, ws[8], p[15]);
1013  word3_muladd(&w2, &w1, &w0, ws[9], p[14]);
1014  word3_muladd(&w2, &w1, &w0, ws[10], p[13]);
1015  word3_muladd(&w2, &w1, &w0, ws[11], p[12]);
1016  word3_muladd(&w2, &w1, &w0, ws[12], p[11]);
1017  word3_muladd(&w2, &w1, &w0, ws[13], p[10]);
1018  word3_muladd(&w2, &w1, &w0, ws[14], p[9]);
1019  word3_muladd(&w2, &w1, &w0, ws[15], p[8]);
1020  word3_muladd(&w2, &w1, &w0, ws[16], p[7]);
1021  word3_muladd(&w2, &w1, &w0, ws[17], p[6]);
1022  word3_muladd(&w2, &w1, &w0, ws[18], p[5]);
1023  word3_muladd(&w2, &w1, &w0, ws[19], p[4]);
1024  word3_muladd(&w2, &w1, &w0, ws[20], p[3]);
1025  word3_muladd(&w2, &w1, &w0, ws[21], p[2]);
1026  word3_muladd(&w2, &w1, &w0, ws[22], p[1]);
1027  word3_add(&w2, &w1, &w0, z[23]);
1028  ws[23] = w0 * p_dash;
1029  word3_muladd(&w2, &w1, &w0, ws[23], p[0]);
1030  w0 = w1; w1 = w2; w2 = 0;
1031  word3_muladd(&w2, &w1, &w0, ws[1], p[23]);
1032  word3_muladd(&w2, &w1, &w0, ws[2], p[22]);
1033  word3_muladd(&w2, &w1, &w0, ws[3], p[21]);
1034  word3_muladd(&w2, &w1, &w0, ws[4], p[20]);
1035  word3_muladd(&w2, &w1, &w0, ws[5], p[19]);
1036  word3_muladd(&w2, &w1, &w0, ws[6], p[18]);
1037  word3_muladd(&w2, &w1, &w0, ws[7], p[17]);
1038  word3_muladd(&w2, &w1, &w0, ws[8], p[16]);
1039  word3_muladd(&w2, &w1, &w0, ws[9], p[15]);
1040  word3_muladd(&w2, &w1, &w0, ws[10], p[14]);
1041  word3_muladd(&w2, &w1, &w0, ws[11], p[13]);
1042  word3_muladd(&w2, &w1, &w0, ws[12], p[12]);
1043  word3_muladd(&w2, &w1, &w0, ws[13], p[11]);
1044  word3_muladd(&w2, &w1, &w0, ws[14], p[10]);
1045  word3_muladd(&w2, &w1, &w0, ws[15], p[9]);
1046  word3_muladd(&w2, &w1, &w0, ws[16], p[8]);
1047  word3_muladd(&w2, &w1, &w0, ws[17], p[7]);
1048  word3_muladd(&w2, &w1, &w0, ws[18], p[6]);
1049  word3_muladd(&w2, &w1, &w0, ws[19], p[5]);
1050  word3_muladd(&w2, &w1, &w0, ws[20], p[4]);
1051  word3_muladd(&w2, &w1, &w0, ws[21], p[3]);
1052  word3_muladd(&w2, &w1, &w0, ws[22], p[2]);
1053  word3_muladd(&w2, &w1, &w0, ws[23], p[1]);
1054  word3_add(&w2, &w1, &w0, z[24]);
1055  ws[0] = w0;
1056  w0 = w1; w1 = w2; w2 = 0;
1057  word3_muladd(&w2, &w1, &w0, ws[2], p[23]);
1058  word3_muladd(&w2, &w1, &w0, ws[3], p[22]);
1059  word3_muladd(&w2, &w1, &w0, ws[4], p[21]);
1060  word3_muladd(&w2, &w1, &w0, ws[5], p[20]);
1061  word3_muladd(&w2, &w1, &w0, ws[6], p[19]);
1062  word3_muladd(&w2, &w1, &w0, ws[7], p[18]);
1063  word3_muladd(&w2, &w1, &w0, ws[8], p[17]);
1064  word3_muladd(&w2, &w1, &w0, ws[9], p[16]);
1065  word3_muladd(&w2, &w1, &w0, ws[10], p[15]);
1066  word3_muladd(&w2, &w1, &w0, ws[11], p[14]);
1067  word3_muladd(&w2, &w1, &w0, ws[12], p[13]);
1068  word3_muladd(&w2, &w1, &w0, ws[13], p[12]);
1069  word3_muladd(&w2, &w1, &w0, ws[14], p[11]);
1070  word3_muladd(&w2, &w1, &w0, ws[15], p[10]);
1071  word3_muladd(&w2, &w1, &w0, ws[16], p[9]);
1072  word3_muladd(&w2, &w1, &w0, ws[17], p[8]);
1073  word3_muladd(&w2, &w1, &w0, ws[18], p[7]);
1074  word3_muladd(&w2, &w1, &w0, ws[19], p[6]);
1075  word3_muladd(&w2, &w1, &w0, ws[20], p[5]);
1076  word3_muladd(&w2, &w1, &w0, ws[21], p[4]);
1077  word3_muladd(&w2, &w1, &w0, ws[22], p[3]);
1078  word3_muladd(&w2, &w1, &w0, ws[23], p[2]);
1079  word3_add(&w2, &w1, &w0, z[25]);
1080  ws[1] = w0;
1081  w0 = w1; w1 = w2; w2 = 0;
1082  word3_muladd(&w2, &w1, &w0, ws[3], p[23]);
1083  word3_muladd(&w2, &w1, &w0, ws[4], p[22]);
1084  word3_muladd(&w2, &w1, &w0, ws[5], p[21]);
1085  word3_muladd(&w2, &w1, &w0, ws[6], p[20]);
1086  word3_muladd(&w2, &w1, &w0, ws[7], p[19]);
1087  word3_muladd(&w2, &w1, &w0, ws[8], p[18]);
1088  word3_muladd(&w2, &w1, &w0, ws[9], p[17]);
1089  word3_muladd(&w2, &w1, &w0, ws[10], p[16]);
1090  word3_muladd(&w2, &w1, &w0, ws[11], p[15]);
1091  word3_muladd(&w2, &w1, &w0, ws[12], p[14]);
1092  word3_muladd(&w2, &w1, &w0, ws[13], p[13]);
1093  word3_muladd(&w2, &w1, &w0, ws[14], p[12]);
1094  word3_muladd(&w2, &w1, &w0, ws[15], p[11]);
1095  word3_muladd(&w2, &w1, &w0, ws[16], p[10]);
1096  word3_muladd(&w2, &w1, &w0, ws[17], p[9]);
1097  word3_muladd(&w2, &w1, &w0, ws[18], p[8]);
1098  word3_muladd(&w2, &w1, &w0, ws[19], p[7]);
1099  word3_muladd(&w2, &w1, &w0, ws[20], p[6]);
1100  word3_muladd(&w2, &w1, &w0, ws[21], p[5]);
1101  word3_muladd(&w2, &w1, &w0, ws[22], p[4]);
1102  word3_muladd(&w2, &w1, &w0, ws[23], p[3]);
1103  word3_add(&w2, &w1, &w0, z[26]);
1104  ws[2] = w0;
1105  w0 = w1; w1 = w2; w2 = 0;
1106  word3_muladd(&w2, &w1, &w0, ws[4], p[23]);
1107  word3_muladd(&w2, &w1, &w0, ws[5], p[22]);
1108  word3_muladd(&w2, &w1, &w0, ws[6], p[21]);
1109  word3_muladd(&w2, &w1, &w0, ws[7], p[20]);
1110  word3_muladd(&w2, &w1, &w0, ws[8], p[19]);
1111  word3_muladd(&w2, &w1, &w0, ws[9], p[18]);
1112  word3_muladd(&w2, &w1, &w0, ws[10], p[17]);
1113  word3_muladd(&w2, &w1, &w0, ws[11], p[16]);
1114  word3_muladd(&w2, &w1, &w0, ws[12], p[15]);
1115  word3_muladd(&w2, &w1, &w0, ws[13], p[14]);
1116  word3_muladd(&w2, &w1, &w0, ws[14], p[13]);
1117  word3_muladd(&w2, &w1, &w0, ws[15], p[12]);
1118  word3_muladd(&w2, &w1, &w0, ws[16], p[11]);
1119  word3_muladd(&w2, &w1, &w0, ws[17], p[10]);
1120  word3_muladd(&w2, &w1, &w0, ws[18], p[9]);
1121  word3_muladd(&w2, &w1, &w0, ws[19], p[8]);
1122  word3_muladd(&w2, &w1, &w0, ws[20], p[7]);
1123  word3_muladd(&w2, &w1, &w0, ws[21], p[6]);
1124  word3_muladd(&w2, &w1, &w0, ws[22], p[5]);
1125  word3_muladd(&w2, &w1, &w0, ws[23], p[4]);
1126  word3_add(&w2, &w1, &w0, z[27]);
1127  ws[3] = w0;
1128  w0 = w1; w1 = w2; w2 = 0;
1129  word3_muladd(&w2, &w1, &w0, ws[5], p[23]);
1130  word3_muladd(&w2, &w1, &w0, ws[6], p[22]);
1131  word3_muladd(&w2, &w1, &w0, ws[7], p[21]);
1132  word3_muladd(&w2, &w1, &w0, ws[8], p[20]);
1133  word3_muladd(&w2, &w1, &w0, ws[9], p[19]);
1134  word3_muladd(&w2, &w1, &w0, ws[10], p[18]);
1135  word3_muladd(&w2, &w1, &w0, ws[11], p[17]);
1136  word3_muladd(&w2, &w1, &w0, ws[12], p[16]);
1137  word3_muladd(&w2, &w1, &w0, ws[13], p[15]);
1138  word3_muladd(&w2, &w1, &w0, ws[14], p[14]);
1139  word3_muladd(&w2, &w1, &w0, ws[15], p[13]);
1140  word3_muladd(&w2, &w1, &w0, ws[16], p[12]);
1141  word3_muladd(&w2, &w1, &w0, ws[17], p[11]);
1142  word3_muladd(&w2, &w1, &w0, ws[18], p[10]);
1143  word3_muladd(&w2, &w1, &w0, ws[19], p[9]);
1144  word3_muladd(&w2, &w1, &w0, ws[20], p[8]);
1145  word3_muladd(&w2, &w1, &w0, ws[21], p[7]);
1146  word3_muladd(&w2, &w1, &w0, ws[22], p[6]);
1147  word3_muladd(&w2, &w1, &w0, ws[23], p[5]);
1148  word3_add(&w2, &w1, &w0, z[28]);
1149  ws[4] = w0;
1150  w0 = w1; w1 = w2; w2 = 0;
1151  word3_muladd(&w2, &w1, &w0, ws[6], p[23]);
1152  word3_muladd(&w2, &w1, &w0, ws[7], p[22]);
1153  word3_muladd(&w2, &w1, &w0, ws[8], p[21]);
1154  word3_muladd(&w2, &w1, &w0, ws[9], p[20]);
1155  word3_muladd(&w2, &w1, &w0, ws[10], p[19]);
1156  word3_muladd(&w2, &w1, &w0, ws[11], p[18]);
1157  word3_muladd(&w2, &w1, &w0, ws[12], p[17]);
1158  word3_muladd(&w2, &w1, &w0, ws[13], p[16]);
1159  word3_muladd(&w2, &w1, &w0, ws[14], p[15]);
1160  word3_muladd(&w2, &w1, &w0, ws[15], p[14]);
1161  word3_muladd(&w2, &w1, &w0, ws[16], p[13]);
1162  word3_muladd(&w2, &w1, &w0, ws[17], p[12]);
1163  word3_muladd(&w2, &w1, &w0, ws[18], p[11]);
1164  word3_muladd(&w2, &w1, &w0, ws[19], p[10]);
1165  word3_muladd(&w2, &w1, &w0, ws[20], p[9]);
1166  word3_muladd(&w2, &w1, &w0, ws[21], p[8]);
1167  word3_muladd(&w2, &w1, &w0, ws[22], p[7]);
1168  word3_muladd(&w2, &w1, &w0, ws[23], p[6]);
1169  word3_add(&w2, &w1, &w0, z[29]);
1170  ws[5] = w0;
1171  w0 = w1; w1 = w2; w2 = 0;
1172  word3_muladd(&w2, &w1, &w0, ws[7], p[23]);
1173  word3_muladd(&w2, &w1, &w0, ws[8], p[22]);
1174  word3_muladd(&w2, &w1, &w0, ws[9], p[21]);
1175  word3_muladd(&w2, &w1, &w0, ws[10], p[20]);
1176  word3_muladd(&w2, &w1, &w0, ws[11], p[19]);
1177  word3_muladd(&w2, &w1, &w0, ws[12], p[18]);
1178  word3_muladd(&w2, &w1, &w0, ws[13], p[17]);
1179  word3_muladd(&w2, &w1, &w0, ws[14], p[16]);
1180  word3_muladd(&w2, &w1, &w0, ws[15], p[15]);
1181  word3_muladd(&w2, &w1, &w0, ws[16], p[14]);
1182  word3_muladd(&w2, &w1, &w0, ws[17], p[13]);
1183  word3_muladd(&w2, &w1, &w0, ws[18], p[12]);
1184  word3_muladd(&w2, &w1, &w0, ws[19], p[11]);
1185  word3_muladd(&w2, &w1, &w0, ws[20], p[10]);
1186  word3_muladd(&w2, &w1, &w0, ws[21], p[9]);
1187  word3_muladd(&w2, &w1, &w0, ws[22], p[8]);
1188  word3_muladd(&w2, &w1, &w0, ws[23], p[7]);
1189  word3_add(&w2, &w1, &w0, z[30]);
1190  ws[6] = w0;
1191  w0 = w1; w1 = w2; w2 = 0;
1192  word3_muladd(&w2, &w1, &w0, ws[8], p[23]);
1193  word3_muladd(&w2, &w1, &w0, ws[9], p[22]);
1194  word3_muladd(&w2, &w1, &w0, ws[10], p[21]);
1195  word3_muladd(&w2, &w1, &w0, ws[11], p[20]);
1196  word3_muladd(&w2, &w1, &w0, ws[12], p[19]);
1197  word3_muladd(&w2, &w1, &w0, ws[13], p[18]);
1198  word3_muladd(&w2, &w1, &w0, ws[14], p[17]);
1199  word3_muladd(&w2, &w1, &w0, ws[15], p[16]);
1200  word3_muladd(&w2, &w1, &w0, ws[16], p[15]);
1201  word3_muladd(&w2, &w1, &w0, ws[17], p[14]);
1202  word3_muladd(&w2, &w1, &w0, ws[18], p[13]);
1203  word3_muladd(&w2, &w1, &w0, ws[19], p[12]);
1204  word3_muladd(&w2, &w1, &w0, ws[20], p[11]);
1205  word3_muladd(&w2, &w1, &w0, ws[21], p[10]);
1206  word3_muladd(&w2, &w1, &w0, ws[22], p[9]);
1207  word3_muladd(&w2, &w1, &w0, ws[23], p[8]);
1208  word3_add(&w2, &w1, &w0, z[31]);
1209  ws[7] = w0;
1210  w0 = w1; w1 = w2; w2 = 0;
1211  word3_muladd(&w2, &w1, &w0, ws[9], p[23]);
1212  word3_muladd(&w2, &w1, &w0, ws[10], p[22]);
1213  word3_muladd(&w2, &w1, &w0, ws[11], p[21]);
1214  word3_muladd(&w2, &w1, &w0, ws[12], p[20]);
1215  word3_muladd(&w2, &w1, &w0, ws[13], p[19]);
1216  word3_muladd(&w2, &w1, &w0, ws[14], p[18]);
1217  word3_muladd(&w2, &w1, &w0, ws[15], p[17]);
1218  word3_muladd(&w2, &w1, &w0, ws[16], p[16]);
1219  word3_muladd(&w2, &w1, &w0, ws[17], p[15]);
1220  word3_muladd(&w2, &w1, &w0, ws[18], p[14]);
1221  word3_muladd(&w2, &w1, &w0, ws[19], p[13]);
1222  word3_muladd(&w2, &w1, &w0, ws[20], p[12]);
1223  word3_muladd(&w2, &w1, &w0, ws[21], p[11]);
1224  word3_muladd(&w2, &w1, &w0, ws[22], p[10]);
1225  word3_muladd(&w2, &w1, &w0, ws[23], p[9]);
1226  word3_add(&w2, &w1, &w0, z[32]);
1227  ws[8] = w0;
1228  w0 = w1; w1 = w2; w2 = 0;
1229  word3_muladd(&w2, &w1, &w0, ws[10], p[23]);
1230  word3_muladd(&w2, &w1, &w0, ws[11], p[22]);
1231  word3_muladd(&w2, &w1, &w0, ws[12], p[21]);
1232  word3_muladd(&w2, &w1, &w0, ws[13], p[20]);
1233  word3_muladd(&w2, &w1, &w0, ws[14], p[19]);
1234  word3_muladd(&w2, &w1, &w0, ws[15], p[18]);
1235  word3_muladd(&w2, &w1, &w0, ws[16], p[17]);
1236  word3_muladd(&w2, &w1, &w0, ws[17], p[16]);
1237  word3_muladd(&w2, &w1, &w0, ws[18], p[15]);
1238  word3_muladd(&w2, &w1, &w0, ws[19], p[14]);
1239  word3_muladd(&w2, &w1, &w0, ws[20], p[13]);
1240  word3_muladd(&w2, &w1, &w0, ws[21], p[12]);
1241  word3_muladd(&w2, &w1, &w0, ws[22], p[11]);
1242  word3_muladd(&w2, &w1, &w0, ws[23], p[10]);
1243  word3_add(&w2, &w1, &w0, z[33]);
1244  ws[9] = w0;
1245  w0 = w1; w1 = w2; w2 = 0;
1246  word3_muladd(&w2, &w1, &w0, ws[11], p[23]);
1247  word3_muladd(&w2, &w1, &w0, ws[12], p[22]);
1248  word3_muladd(&w2, &w1, &w0, ws[13], p[21]);
1249  word3_muladd(&w2, &w1, &w0, ws[14], p[20]);
1250  word3_muladd(&w2, &w1, &w0, ws[15], p[19]);
1251  word3_muladd(&w2, &w1, &w0, ws[16], p[18]);
1252  word3_muladd(&w2, &w1, &w0, ws[17], p[17]);
1253  word3_muladd(&w2, &w1, &w0, ws[18], p[16]);
1254  word3_muladd(&w2, &w1, &w0, ws[19], p[15]);
1255  word3_muladd(&w2, &w1, &w0, ws[20], p[14]);
1256  word3_muladd(&w2, &w1, &w0, ws[21], p[13]);
1257  word3_muladd(&w2, &w1, &w0, ws[22], p[12]);
1258  word3_muladd(&w2, &w1, &w0, ws[23], p[11]);
1259  word3_add(&w2, &w1, &w0, z[34]);
1260  ws[10] = w0;
1261  w0 = w1; w1 = w2; w2 = 0;
1262  word3_muladd(&w2, &w1, &w0, ws[12], p[23]);
1263  word3_muladd(&w2, &w1, &w0, ws[13], p[22]);
1264  word3_muladd(&w2, &w1, &w0, ws[14], p[21]);
1265  word3_muladd(&w2, &w1, &w0, ws[15], p[20]);
1266  word3_muladd(&w2, &w1, &w0, ws[16], p[19]);
1267  word3_muladd(&w2, &w1, &w0, ws[17], p[18]);
1268  word3_muladd(&w2, &w1, &w0, ws[18], p[17]);
1269  word3_muladd(&w2, &w1, &w0, ws[19], p[16]);
1270  word3_muladd(&w2, &w1, &w0, ws[20], p[15]);
1271  word3_muladd(&w2, &w1, &w0, ws[21], p[14]);
1272  word3_muladd(&w2, &w1, &w0, ws[22], p[13]);
1273  word3_muladd(&w2, &w1, &w0, ws[23], p[12]);
1274  word3_add(&w2, &w1, &w0, z[35]);
1275  ws[11] = w0;
1276  w0 = w1; w1 = w2; w2 = 0;
1277  word3_muladd(&w2, &w1, &w0, ws[13], p[23]);
1278  word3_muladd(&w2, &w1, &w0, ws[14], p[22]);
1279  word3_muladd(&w2, &w1, &w0, ws[15], p[21]);
1280  word3_muladd(&w2, &w1, &w0, ws[16], p[20]);
1281  word3_muladd(&w2, &w1, &w0, ws[17], p[19]);
1282  word3_muladd(&w2, &w1, &w0, ws[18], p[18]);
1283  word3_muladd(&w2, &w1, &w0, ws[19], p[17]);
1284  word3_muladd(&w2, &w1, &w0, ws[20], p[16]);
1285  word3_muladd(&w2, &w1, &w0, ws[21], p[15]);
1286  word3_muladd(&w2, &w1, &w0, ws[22], p[14]);
1287  word3_muladd(&w2, &w1, &w0, ws[23], p[13]);
1288  word3_add(&w2, &w1, &w0, z[36]);
1289  ws[12] = w0;
1290  w0 = w1; w1 = w2; w2 = 0;
1291  word3_muladd(&w2, &w1, &w0, ws[14], p[23]);
1292  word3_muladd(&w2, &w1, &w0, ws[15], p[22]);
1293  word3_muladd(&w2, &w1, &w0, ws[16], p[21]);
1294  word3_muladd(&w2, &w1, &w0, ws[17], p[20]);
1295  word3_muladd(&w2, &w1, &w0, ws[18], p[19]);
1296  word3_muladd(&w2, &w1, &w0, ws[19], p[18]);
1297  word3_muladd(&w2, &w1, &w0, ws[20], p[17]);
1298  word3_muladd(&w2, &w1, &w0, ws[21], p[16]);
1299  word3_muladd(&w2, &w1, &w0, ws[22], p[15]);
1300  word3_muladd(&w2, &w1, &w0, ws[23], p[14]);
1301  word3_add(&w2, &w1, &w0, z[37]);
1302  ws[13] = w0;
1303  w0 = w1; w1 = w2; w2 = 0;
1304  word3_muladd(&w2, &w1, &w0, ws[15], p[23]);
1305  word3_muladd(&w2, &w1, &w0, ws[16], p[22]);
1306  word3_muladd(&w2, &w1, &w0, ws[17], p[21]);
1307  word3_muladd(&w2, &w1, &w0, ws[18], p[20]);
1308  word3_muladd(&w2, &w1, &w0, ws[19], p[19]);
1309  word3_muladd(&w2, &w1, &w0, ws[20], p[18]);
1310  word3_muladd(&w2, &w1, &w0, ws[21], p[17]);
1311  word3_muladd(&w2, &w1, &w0, ws[22], p[16]);
1312  word3_muladd(&w2, &w1, &w0, ws[23], p[15]);
1313  word3_add(&w2, &w1, &w0, z[38]);
1314  ws[14] = w0;
1315  w0 = w1; w1 = w2; w2 = 0;
1316  word3_muladd(&w2, &w1, &w0, ws[16], p[23]);
1317  word3_muladd(&w2, &w1, &w0, ws[17], p[22]);
1318  word3_muladd(&w2, &w1, &w0, ws[18], p[21]);
1319  word3_muladd(&w2, &w1, &w0, ws[19], p[20]);
1320  word3_muladd(&w2, &w1, &w0, ws[20], p[19]);
1321  word3_muladd(&w2, &w1, &w0, ws[21], p[18]);
1322  word3_muladd(&w2, &w1, &w0, ws[22], p[17]);
1323  word3_muladd(&w2, &w1, &w0, ws[23], p[16]);
1324  word3_add(&w2, &w1, &w0, z[39]);
1325  ws[15] = w0;
1326  w0 = w1; w1 = w2; w2 = 0;
1327  word3_muladd(&w2, &w1, &w0, ws[17], p[23]);
1328  word3_muladd(&w2, &w1, &w0, ws[18], p[22]);
1329  word3_muladd(&w2, &w1, &w0, ws[19], p[21]);
1330  word3_muladd(&w2, &w1, &w0, ws[20], p[20]);
1331  word3_muladd(&w2, &w1, &w0, ws[21], p[19]);
1332  word3_muladd(&w2, &w1, &w0, ws[22], p[18]);
1333  word3_muladd(&w2, &w1, &w0, ws[23], p[17]);
1334  word3_add(&w2, &w1, &w0, z[40]);
1335  ws[16] = w0;
1336  w0 = w1; w1 = w2; w2 = 0;
1337  word3_muladd(&w2, &w1, &w0, ws[18], p[23]);
1338  word3_muladd(&w2, &w1, &w0, ws[19], p[22]);
1339  word3_muladd(&w2, &w1, &w0, ws[20], p[21]);
1340  word3_muladd(&w2, &w1, &w0, ws[21], p[20]);
1341  word3_muladd(&w2, &w1, &w0, ws[22], p[19]);
1342  word3_muladd(&w2, &w1, &w0, ws[23], p[18]);
1343  word3_add(&w2, &w1, &w0, z[41]);
1344  ws[17] = w0;
1345  w0 = w1; w1 = w2; w2 = 0;
1346  word3_muladd(&w2, &w1, &w0, ws[19], p[23]);
1347  word3_muladd(&w2, &w1, &w0, ws[20], p[22]);
1348  word3_muladd(&w2, &w1, &w0, ws[21], p[21]);
1349  word3_muladd(&w2, &w1, &w0, ws[22], p[20]);
1350  word3_muladd(&w2, &w1, &w0, ws[23], p[19]);
1351  word3_add(&w2, &w1, &w0, z[42]);
1352  ws[18] = w0;
1353  w0 = w1; w1 = w2; w2 = 0;
1354  word3_muladd(&w2, &w1, &w0, ws[20], p[23]);
1355  word3_muladd(&w2, &w1, &w0, ws[21], p[22]);
1356  word3_muladd(&w2, &w1, &w0, ws[22], p[21]);
1357  word3_muladd(&w2, &w1, &w0, ws[23], p[20]);
1358  word3_add(&w2, &w1, &w0, z[43]);
1359  ws[19] = w0;
1360  w0 = w1; w1 = w2; w2 = 0;
1361  word3_muladd(&w2, &w1, &w0, ws[21], p[23]);
1362  word3_muladd(&w2, &w1, &w0, ws[22], p[22]);
1363  word3_muladd(&w2, &w1, &w0, ws[23], p[21]);
1364  word3_add(&w2, &w1, &w0, z[44]);
1365  ws[20] = w0;
1366  w0 = w1; w1 = w2; w2 = 0;
1367  word3_muladd(&w2, &w1, &w0, ws[22], p[23]);
1368  word3_muladd(&w2, &w1, &w0, ws[23], p[22]);
1369  word3_add(&w2, &w1, &w0, z[45]);
1370  ws[21] = w0;
1371  w0 = w1; w1 = w2; w2 = 0;
1372  word3_muladd(&w2, &w1, &w0, ws[23], p[23]);
1373  word3_add(&w2, &w1, &w0, z[46]);
1374  ws[22] = w0;
1375  w0 = w1; w1 = w2; w2 = 0;
1376  word3_add(&w2, &w1, &w0, z[47]);
1377  ws[23] = w0;
1378  w0 = w1; w1 = w2; w2 = 0;
1379  word3_add(&w2, &w1, &w0, z[49]);
1380  ws[24] = w0;
1381  ws[25] = w1;
1382  word borrow = bigint_sub3(ws + 24 + 1, ws, 24 + 1, p, 24);
1383  CT::conditional_copy_mem(borrow, z, ws, ws + 25, 25);
1384  clear_mem(z + 24, 2*(24+1) - 24);
1385  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:500
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
void Botan::bigint_monty_redc_32 ( word  z[],
const word  p[],
word  p_dash,
word  ws[] 
)

Referenced by bigint_monty_redc().

void Botan::bigint_monty_redc_32 ( word  z[],
const word  p[32],
word  p_dash,
word  ws[] 
)

Definition at line 1387 of file mp_monty_n.cpp.

References bigint_sub3(), clear_mem(), Botan::CT::conditional_copy_mem(), word3_add(), and word3_muladd().

1388  {
1389  word w2 = 0, w1 = 0, w0 = 0;
1390  w0 = z[0];
1391  ws[0] = w0 * p_dash;
1392  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
1393  w0 = w1; w1 = w2; w2 = 0;
1394  word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
1395  word3_add(&w2, &w1, &w0, z[1]);
1396  ws[1] = w0 * p_dash;
1397  word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
1398  w0 = w1; w1 = w2; w2 = 0;
1399  word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
1400  word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
1401  word3_add(&w2, &w1, &w0, z[2]);
1402  ws[2] = w0 * p_dash;
1403  word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
1404  w0 = w1; w1 = w2; w2 = 0;
1405  word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
1406  word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
1407  word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
1408  word3_add(&w2, &w1, &w0, z[3]);
1409  ws[3] = w0 * p_dash;
1410  word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
1411  w0 = w1; w1 = w2; w2 = 0;
1412  word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
1413  word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
1414  word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
1415  word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
1416  word3_add(&w2, &w1, &w0, z[4]);
1417  ws[4] = w0 * p_dash;
1418  word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
1419  w0 = w1; w1 = w2; w2 = 0;
1420  word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
1421  word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
1422  word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
1423  word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
1424  word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
1425  word3_add(&w2, &w1, &w0, z[5]);
1426  ws[5] = w0 * p_dash;
1427  word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
1428  w0 = w1; w1 = w2; w2 = 0;
1429  word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
1430  word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
1431  word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
1432  word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
1433  word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
1434  word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
1435  word3_add(&w2, &w1, &w0, z[6]);
1436  ws[6] = w0 * p_dash;
1437  word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
1438  w0 = w1; w1 = w2; w2 = 0;
1439  word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
1440  word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
1441  word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
1442  word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
1443  word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
1444  word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
1445  word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
1446  word3_add(&w2, &w1, &w0, z[7]);
1447  ws[7] = w0 * p_dash;
1448  word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
1449  w0 = w1; w1 = w2; w2 = 0;
1450  word3_muladd(&w2, &w1, &w0, ws[0], p[8]);
1451  word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
1452  word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
1453  word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
1454  word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
1455  word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
1456  word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
1457  word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
1458  word3_add(&w2, &w1, &w0, z[8]);
1459  ws[8] = w0 * p_dash;
1460  word3_muladd(&w2, &w1, &w0, ws[8], p[0]);
1461  w0 = w1; w1 = w2; w2 = 0;
1462  word3_muladd(&w2, &w1, &w0, ws[0], p[9]);
1463  word3_muladd(&w2, &w1, &w0, ws[1], p[8]);
1464  word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
1465  word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
1466  word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
1467  word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
1468  word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
1469  word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
1470  word3_muladd(&w2, &w1, &w0, ws[8], p[1]);
1471  word3_add(&w2, &w1, &w0, z[9]);
1472  ws[9] = w0 * p_dash;
1473  word3_muladd(&w2, &w1, &w0, ws[9], p[0]);
1474  w0 = w1; w1 = w2; w2 = 0;
1475  word3_muladd(&w2, &w1, &w0, ws[0], p[10]);
1476  word3_muladd(&w2, &w1, &w0, ws[1], p[9]);
1477  word3_muladd(&w2, &w1, &w0, ws[2], p[8]);
1478  word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
1479  word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
1480  word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
1481  word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
1482  word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
1483  word3_muladd(&w2, &w1, &w0, ws[8], p[2]);
1484  word3_muladd(&w2, &w1, &w0, ws[9], p[1]);
1485  word3_add(&w2, &w1, &w0, z[10]);
1486  ws[10] = w0 * p_dash;
1487  word3_muladd(&w2, &w1, &w0, ws[10], p[0]);
1488  w0 = w1; w1 = w2; w2 = 0;
1489  word3_muladd(&w2, &w1, &w0, ws[0], p[11]);
1490  word3_muladd(&w2, &w1, &w0, ws[1], p[10]);
1491  word3_muladd(&w2, &w1, &w0, ws[2], p[9]);
1492  word3_muladd(&w2, &w1, &w0, ws[3], p[8]);
1493  word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
1494  word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
1495  word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
1496  word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
1497  word3_muladd(&w2, &w1, &w0, ws[8], p[3]);
1498  word3_muladd(&w2, &w1, &w0, ws[9], p[2]);
1499  word3_muladd(&w2, &w1, &w0, ws[10], p[1]);
1500  word3_add(&w2, &w1, &w0, z[11]);
1501  ws[11] = w0 * p_dash;
1502  word3_muladd(&w2, &w1, &w0, ws[11], p[0]);
1503  w0 = w1; w1 = w2; w2 = 0;
1504  word3_muladd(&w2, &w1, &w0, ws[0], p[12]);
1505  word3_muladd(&w2, &w1, &w0, ws[1], p[11]);
1506  word3_muladd(&w2, &w1, &w0, ws[2], p[10]);
1507  word3_muladd(&w2, &w1, &w0, ws[3], p[9]);
1508  word3_muladd(&w2, &w1, &w0, ws[4], p[8]);
1509  word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
1510  word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
1511  word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
1512  word3_muladd(&w2, &w1, &w0, ws[8], p[4]);
1513  word3_muladd(&w2, &w1, &w0, ws[9], p[3]);
1514  word3_muladd(&w2, &w1, &w0, ws[10], p[2]);
1515  word3_muladd(&w2, &w1, &w0, ws[11], p[1]);
1516  word3_add(&w2, &w1, &w0, z[12]);
1517  ws[12] = w0 * p_dash;
1518  word3_muladd(&w2, &w1, &w0, ws[12], p[0]);
1519  w0 = w1; w1 = w2; w2 = 0;
1520  word3_muladd(&w2, &w1, &w0, ws[0], p[13]);
1521  word3_muladd(&w2, &w1, &w0, ws[1], p[12]);
1522  word3_muladd(&w2, &w1, &w0, ws[2], p[11]);
1523  word3_muladd(&w2, &w1, &w0, ws[3], p[10]);
1524  word3_muladd(&w2, &w1, &w0, ws[4], p[9]);
1525  word3_muladd(&w2, &w1, &w0, ws[5], p[8]);
1526  word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
1527  word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
1528  word3_muladd(&w2, &w1, &w0, ws[8], p[5]);
1529  word3_muladd(&w2, &w1, &w0, ws[9], p[4]);
1530  word3_muladd(&w2, &w1, &w0, ws[10], p[3]);
1531  word3_muladd(&w2, &w1, &w0, ws[11], p[2]);
1532  word3_muladd(&w2, &w1, &w0, ws[12], p[1]);
1533  word3_add(&w2, &w1, &w0, z[13]);
1534  ws[13] = w0 * p_dash;
1535  word3_muladd(&w2, &w1, &w0, ws[13], p[0]);
1536  w0 = w1; w1 = w2; w2 = 0;
1537  word3_muladd(&w2, &w1, &w0, ws[0], p[14]);
1538  word3_muladd(&w2, &w1, &w0, ws[1], p[13]);
1539  word3_muladd(&w2, &w1, &w0, ws[2], p[12]);
1540  word3_muladd(&w2, &w1, &w0, ws[3], p[11]);
1541  word3_muladd(&w2, &w1, &w0, ws[4], p[10]);
1542  word3_muladd(&w2, &w1, &w0, ws[5], p[9]);
1543  word3_muladd(&w2, &w1, &w0, ws[6], p[8]);
1544  word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
1545  word3_muladd(&w2, &w1, &w0, ws[8], p[6]);
1546  word3_muladd(&w2, &w1, &w0, ws[9], p[5]);
1547  word3_muladd(&w2, &w1, &w0, ws[10], p[4]);
1548  word3_muladd(&w2, &w1, &w0, ws[11], p[3]);
1549  word3_muladd(&w2, &w1, &w0, ws[12], p[2]);
1550  word3_muladd(&w2, &w1, &w0, ws[13], p[1]);
1551  word3_add(&w2, &w1, &w0, z[14]);
1552  ws[14] = w0 * p_dash;
1553  word3_muladd(&w2, &w1, &w0, ws[14], p[0]);
1554  w0 = w1; w1 = w2; w2 = 0;
1555  word3_muladd(&w2, &w1, &w0, ws[0], p[15]);
1556  word3_muladd(&w2, &w1, &w0, ws[1], p[14]);
1557  word3_muladd(&w2, &w1, &w0, ws[2], p[13]);
1558  word3_muladd(&w2, &w1, &w0, ws[3], p[12]);
1559  word3_muladd(&w2, &w1, &w0, ws[4], p[11]);
1560  word3_muladd(&w2, &w1, &w0, ws[5], p[10]);
1561  word3_muladd(&w2, &w1, &w0, ws[6], p[9]);
1562  word3_muladd(&w2, &w1, &w0, ws[7], p[8]);
1563  word3_muladd(&w2, &w1, &w0, ws[8], p[7]);
1564  word3_muladd(&w2, &w1, &w0, ws[9], p[6]);
1565  word3_muladd(&w2, &w1, &w0, ws[10], p[5]);
1566  word3_muladd(&w2, &w1, &w0, ws[11], p[4]);
1567  word3_muladd(&w2, &w1, &w0, ws[12], p[3]);
1568  word3_muladd(&w2, &w1, &w0, ws[13], p[2]);
1569  word3_muladd(&w2, &w1, &w0, ws[14], p[1]);
1570  word3_add(&w2, &w1, &w0, z[15]);
1571  ws[15] = w0 * p_dash;
1572  word3_muladd(&w2, &w1, &w0, ws[15], p[0]);
1573  w0 = w1; w1 = w2; w2 = 0;
1574  word3_muladd(&w2, &w1, &w0, ws[0], p[16]);
1575  word3_muladd(&w2, &w1, &w0, ws[1], p[15]);
1576  word3_muladd(&w2, &w1, &w0, ws[2], p[14]);
1577  word3_muladd(&w2, &w1, &w0, ws[3], p[13]);
1578  word3_muladd(&w2, &w1, &w0, ws[4], p[12]);
1579  word3_muladd(&w2, &w1, &w0, ws[5], p[11]);
1580  word3_muladd(&w2, &w1, &w0, ws[6], p[10]);
1581  word3_muladd(&w2, &w1, &w0, ws[7], p[9]);
1582  word3_muladd(&w2, &w1, &w0, ws[8], p[8]);
1583  word3_muladd(&w2, &w1, &w0, ws[9], p[7]);
1584  word3_muladd(&w2, &w1, &w0, ws[10], p[6]);
1585  word3_muladd(&w2, &w1, &w0, ws[11], p[5]);
1586  word3_muladd(&w2, &w1, &w0, ws[12], p[4]);
1587  word3_muladd(&w2, &w1, &w0, ws[13], p[3]);
1588  word3_muladd(&w2, &w1, &w0, ws[14], p[2]);
1589  word3_muladd(&w2, &w1, &w0, ws[15], p[1]);
1590  word3_add(&w2, &w1, &w0, z[16]);
1591  ws[16] = w0 * p_dash;
1592  word3_muladd(&w2, &w1, &w0, ws[16], p[0]);
1593  w0 = w1; w1 = w2; w2 = 0;
1594  word3_muladd(&w2, &w1, &w0, ws[0], p[17]);
1595  word3_muladd(&w2, &w1, &w0, ws[1], p[16]);
1596  word3_muladd(&w2, &w1, &w0, ws[2], p[15]);
1597  word3_muladd(&w2, &w1, &w0, ws[3], p[14]);
1598  word3_muladd(&w2, &w1, &w0, ws[4], p[13]);
1599  word3_muladd(&w2, &w1, &w0, ws[5], p[12]);
1600  word3_muladd(&w2, &w1, &w0, ws[6], p[11]);
1601  word3_muladd(&w2, &w1, &w0, ws[7], p[10]);
1602  word3_muladd(&w2, &w1, &w0, ws[8], p[9]);
1603  word3_muladd(&w2, &w1, &w0, ws[9], p[8]);
1604  word3_muladd(&w2, &w1, &w0, ws[10], p[7]);
1605  word3_muladd(&w2, &w1, &w0, ws[11], p[6]);
1606  word3_muladd(&w2, &w1, &w0, ws[12], p[5]);
1607  word3_muladd(&w2, &w1, &w0, ws[13], p[4]);
1608  word3_muladd(&w2, &w1, &w0, ws[14], p[3]);
1609  word3_muladd(&w2, &w1, &w0, ws[15], p[2]);
1610  word3_muladd(&w2, &w1, &w0, ws[16], p[1]);
1611  word3_add(&w2, &w1, &w0, z[17]);
1612  ws[17] = w0 * p_dash;
1613  word3_muladd(&w2, &w1, &w0, ws[17], p[0]);
1614  w0 = w1; w1 = w2; w2 = 0;
1615  word3_muladd(&w2, &w1, &w0, ws[0], p[18]);
1616  word3_muladd(&w2, &w1, &w0, ws[1], p[17]);
1617  word3_muladd(&w2, &w1, &w0, ws[2], p[16]);
1618  word3_muladd(&w2, &w1, &w0, ws[3], p[15]);
1619  word3_muladd(&w2, &w1, &w0, ws[4], p[14]);
1620  word3_muladd(&w2, &w1, &w0, ws[5], p[13]);
1621  word3_muladd(&w2, &w1, &w0, ws[6], p[12]);
1622  word3_muladd(&w2, &w1, &w0, ws[7], p[11]);
1623  word3_muladd(&w2, &w1, &w0, ws[8], p[10]);
1624  word3_muladd(&w2, &w1, &w0, ws[9], p[9]);
1625  word3_muladd(&w2, &w1, &w0, ws[10], p[8]);
1626  word3_muladd(&w2, &w1, &w0, ws[11], p[7]);
1627  word3_muladd(&w2, &w1, &w0, ws[12], p[6]);
1628  word3_muladd(&w2, &w1, &w0, ws[13], p[5]);
1629  word3_muladd(&w2, &w1, &w0, ws[14], p[4]);
1630  word3_muladd(&w2, &w1, &w0, ws[15], p[3]);
1631  word3_muladd(&w2, &w1, &w0, ws[16], p[2]);
1632  word3_muladd(&w2, &w1, &w0, ws[17], p[1]);
1633  word3_add(&w2, &w1, &w0, z[18]);
1634  ws[18] = w0 * p_dash;
1635  word3_muladd(&w2, &w1, &w0, ws[18], p[0]);
1636  w0 = w1; w1 = w2; w2 = 0;
1637  word3_muladd(&w2, &w1, &w0, ws[0], p[19]);
1638  word3_muladd(&w2, &w1, &w0, ws[1], p[18]);
1639  word3_muladd(&w2, &w1, &w0, ws[2], p[17]);
1640  word3_muladd(&w2, &w1, &w0, ws[3], p[16]);
1641  word3_muladd(&w2, &w1, &w0, ws[4], p[15]);
1642  word3_muladd(&w2, &w1, &w0, ws[5], p[14]);
1643  word3_muladd(&w2, &w1, &w0, ws[6], p[13]);
1644  word3_muladd(&w2, &w1, &w0, ws[7], p[12]);
1645  word3_muladd(&w2, &w1, &w0, ws[8], p[11]);
1646  word3_muladd(&w2, &w1, &w0, ws[9], p[10]);
1647  word3_muladd(&w2, &w1, &w0, ws[10], p[9]);
1648  word3_muladd(&w2, &w1, &w0, ws[11], p[8]);
1649  word3_muladd(&w2, &w1, &w0, ws[12], p[7]);
1650  word3_muladd(&w2, &w1, &w0, ws[13], p[6]);
1651  word3_muladd(&w2, &w1, &w0, ws[14], p[5]);
1652  word3_muladd(&w2, &w1, &w0, ws[15], p[4]);
1653  word3_muladd(&w2, &w1, &w0, ws[16], p[3]);
1654  word3_muladd(&w2, &w1, &w0, ws[17], p[2]);
1655  word3_muladd(&w2, &w1, &w0, ws[18], p[1]);
1656  word3_add(&w2, &w1, &w0, z[19]);
1657  ws[19] = w0 * p_dash;
1658  word3_muladd(&w2, &w1, &w0, ws[19], p[0]);
1659  w0 = w1; w1 = w2; w2 = 0;
1660  word3_muladd(&w2, &w1, &w0, ws[0], p[20]);
1661  word3_muladd(&w2, &w1, &w0, ws[1], p[19]);
1662  word3_muladd(&w2, &w1, &w0, ws[2], p[18]);
1663  word3_muladd(&w2, &w1, &w0, ws[3], p[17]);
1664  word3_muladd(&w2, &w1, &w0, ws[4], p[16]);
1665  word3_muladd(&w2, &w1, &w0, ws[5], p[15]);
1666  word3_muladd(&w2, &w1, &w0, ws[6], p[14]);
1667  word3_muladd(&w2, &w1, &w0, ws[7], p[13]);
1668  word3_muladd(&w2, &w1, &w0, ws[8], p[12]);
1669  word3_muladd(&w2, &w1, &w0, ws[9], p[11]);
1670  word3_muladd(&w2, &w1, &w0, ws[10], p[10]);
1671  word3_muladd(&w2, &w1, &w0, ws[11], p[9]);
1672  word3_muladd(&w2, &w1, &w0, ws[12], p[8]);
1673  word3_muladd(&w2, &w1, &w0, ws[13], p[7]);
1674  word3_muladd(&w2, &w1, &w0, ws[14], p[6]);
1675  word3_muladd(&w2, &w1, &w0, ws[15], p[5]);
1676  word3_muladd(&w2, &w1, &w0, ws[16], p[4]);
1677  word3_muladd(&w2, &w1, &w0, ws[17], p[3]);
1678  word3_muladd(&w2, &w1, &w0, ws[18], p[2]);
1679  word3_muladd(&w2, &w1, &w0, ws[19], p[1]);
1680  word3_add(&w2, &w1, &w0, z[20]);
1681  ws[20] = w0 * p_dash;
1682  word3_muladd(&w2, &w1, &w0, ws[20], p[0]);
1683  w0 = w1; w1 = w2; w2 = 0;
1684  word3_muladd(&w2, &w1, &w0, ws[0], p[21]);
1685  word3_muladd(&w2, &w1, &w0, ws[1], p[20]);
1686  word3_muladd(&w2, &w1, &w0, ws[2], p[19]);
1687  word3_muladd(&w2, &w1, &w0, ws[3], p[18]);
1688  word3_muladd(&w2, &w1, &w0, ws[4], p[17]);
1689  word3_muladd(&w2, &w1, &w0, ws[5], p[16]);
1690  word3_muladd(&w2, &w1, &w0, ws[6], p[15]);
1691  word3_muladd(&w2, &w1, &w0, ws[7], p[14]);
1692  word3_muladd(&w2, &w1, &w0, ws[8], p[13]);
1693  word3_muladd(&w2, &w1, &w0, ws[9], p[12]);
1694  word3_muladd(&w2, &w1, &w0, ws[10], p[11]);
1695  word3_muladd(&w2, &w1, &w0, ws[11], p[10]);
1696  word3_muladd(&w2, &w1, &w0, ws[12], p[9]);
1697  word3_muladd(&w2, &w1, &w0, ws[13], p[8]);
1698  word3_muladd(&w2, &w1, &w0, ws[14], p[7]);
1699  word3_muladd(&w2, &w1, &w0, ws[15], p[6]);
1700  word3_muladd(&w2, &w1, &w0, ws[16], p[5]);
1701  word3_muladd(&w2, &w1, &w0, ws[17], p[4]);
1702  word3_muladd(&w2, &w1, &w0, ws[18], p[3]);
1703  word3_muladd(&w2, &w1, &w0, ws[19], p[2]);
1704  word3_muladd(&w2, &w1, &w0, ws[20], p[1]);
1705  word3_add(&w2, &w1, &w0, z[21]);
1706  ws[21] = w0 * p_dash;
1707  word3_muladd(&w2, &w1, &w0, ws[21], p[0]);
1708  w0 = w1; w1 = w2; w2 = 0;
1709  word3_muladd(&w2, &w1, &w0, ws[0], p[22]);
1710  word3_muladd(&w2, &w1, &w0, ws[1], p[21]);
1711  word3_muladd(&w2, &w1, &w0, ws[2], p[20]);
1712  word3_muladd(&w2, &w1, &w0, ws[3], p[19]);
1713  word3_muladd(&w2, &w1, &w0, ws[4], p[18]);
1714  word3_muladd(&w2, &w1, &w0, ws[5], p[17]);
1715  word3_muladd(&w2, &w1, &w0, ws[6], p[16]);
1716  word3_muladd(&w2, &w1, &w0, ws[7], p[15]);
1717  word3_muladd(&w2, &w1, &w0, ws[8], p[14]);
1718  word3_muladd(&w2, &w1, &w0, ws[9], p[13]);
1719  word3_muladd(&w2, &w1, &w0, ws[10], p[12]);
1720  word3_muladd(&w2, &w1, &w0, ws[11], p[11]);
1721  word3_muladd(&w2, &w1, &w0, ws[12], p[10]);
1722  word3_muladd(&w2, &w1, &w0, ws[13], p[9]);
1723  word3_muladd(&w2, &w1, &w0, ws[14], p[8]);
1724  word3_muladd(&w2, &w1, &w0, ws[15], p[7]);
1725  word3_muladd(&w2, &w1, &w0, ws[16], p[6]);
1726  word3_muladd(&w2, &w1, &w0, ws[17], p[5]);
1727  word3_muladd(&w2, &w1, &w0, ws[18], p[4]);
1728  word3_muladd(&w2, &w1, &w0, ws[19], p[3]);
1729  word3_muladd(&w2, &w1, &w0, ws[20], p[2]);
1730  word3_muladd(&w2, &w1, &w0, ws[21], p[1]);
1731  word3_add(&w2, &w1, &w0, z[22]);
1732  ws[22] = w0 * p_dash;
1733  word3_muladd(&w2, &w1, &w0, ws[22], p[0]);
1734  w0 = w1; w1 = w2; w2 = 0;
1735  word3_muladd(&w2, &w1, &w0, ws[0], p[23]);
1736  word3_muladd(&w2, &w1, &w0, ws[1], p[22]);
1737  word3_muladd(&w2, &w1, &w0, ws[2], p[21]);
1738  word3_muladd(&w2, &w1, &w0, ws[3], p[20]);
1739  word3_muladd(&w2, &w1, &w0, ws[4], p[19]);
1740  word3_muladd(&w2, &w1, &w0, ws[5], p[18]);
1741  word3_muladd(&w2, &w1, &w0, ws[6], p[17]);
1742  word3_muladd(&w2, &w1, &w0, ws[7], p[16]);
1743  word3_muladd(&w2, &w1, &w0, ws[8], p[15]);
1744  word3_muladd(&w2, &w1, &w0, ws[9], p[14]);
1745  word3_muladd(&w2, &w1, &w0, ws[10], p[13]);
1746  word3_muladd(&w2, &w1, &w0, ws[11], p[12]);
1747  word3_muladd(&w2, &w1, &w0, ws[12], p[11]);
1748  word3_muladd(&w2, &w1, &w0, ws[13], p[10]);
1749  word3_muladd(&w2, &w1, &w0, ws[14], p[9]);
1750  word3_muladd(&w2, &w1, &w0, ws[15], p[8]);
1751  word3_muladd(&w2, &w1, &w0, ws[16], p[7]);
1752  word3_muladd(&w2, &w1, &w0, ws[17], p[6]);
1753  word3_muladd(&w2, &w1, &w0, ws[18], p[5]);
1754  word3_muladd(&w2, &w1, &w0, ws[19], p[4]);
1755  word3_muladd(&w2, &w1, &w0, ws[20], p[3]);
1756  word3_muladd(&w2, &w1, &w0, ws[21], p[2]);
1757  word3_muladd(&w2, &w1, &w0, ws[22], p[1]);
1758  word3_add(&w2, &w1, &w0, z[23]);
1759  ws[23] = w0 * p_dash;
1760  word3_muladd(&w2, &w1, &w0, ws[23], p[0]);
1761  w0 = w1; w1 = w2; w2 = 0;
1762  word3_muladd(&w2, &w1, &w0, ws[0], p[24]);
1763  word3_muladd(&w2, &w1, &w0, ws[1], p[23]);
1764  word3_muladd(&w2, &w1, &w0, ws[2], p[22]);
1765  word3_muladd(&w2, &w1, &w0, ws[3], p[21]);
1766  word3_muladd(&w2, &w1, &w0, ws[4], p[20]);
1767  word3_muladd(&w2, &w1, &w0, ws[5], p[19]);
1768  word3_muladd(&w2, &w1, &w0, ws[6], p[18]);
1769  word3_muladd(&w2, &w1, &w0, ws[7], p[17]);
1770  word3_muladd(&w2, &w1, &w0, ws[8], p[16]);
1771  word3_muladd(&w2, &w1, &w0, ws[9], p[15]);
1772  word3_muladd(&w2, &w1, &w0, ws[10], p[14]);
1773  word3_muladd(&w2, &w1, &w0, ws[11], p[13]);
1774  word3_muladd(&w2, &w1, &w0, ws[12], p[12]);
1775  word3_muladd(&w2, &w1, &w0, ws[13], p[11]);
1776  word3_muladd(&w2, &w1, &w0, ws[14], p[10]);
1777  word3_muladd(&w2, &w1, &w0, ws[15], p[9]);
1778  word3_muladd(&w2, &w1, &w0, ws[16], p[8]);
1779  word3_muladd(&w2, &w1, &w0, ws[17], p[7]);
1780  word3_muladd(&w2, &w1, &w0, ws[18], p[6]);
1781  word3_muladd(&w2, &w1, &w0, ws[19], p[5]);
1782  word3_muladd(&w2, &w1, &w0, ws[20], p[4]);
1783  word3_muladd(&w2, &w1, &w0, ws[21], p[3]);
1784  word3_muladd(&w2, &w1, &w0, ws[22], p[2]);
1785  word3_muladd(&w2, &w1, &w0, ws[23], p[1]);
1786  word3_add(&w2, &w1, &w0, z[24]);
1787  ws[24] = w0 * p_dash;
1788  word3_muladd(&w2, &w1, &w0, ws[24], p[0]);
1789  w0 = w1; w1 = w2; w2 = 0;
1790  word3_muladd(&w2, &w1, &w0, ws[0], p[25]);
1791  word3_muladd(&w2, &w1, &w0, ws[1], p[24]);
1792  word3_muladd(&w2, &w1, &w0, ws[2], p[23]);
1793  word3_muladd(&w2, &w1, &w0, ws[3], p[22]);
1794  word3_muladd(&w2, &w1, &w0, ws[4], p[21]);
1795  word3_muladd(&w2, &w1, &w0, ws[5], p[20]);
1796  word3_muladd(&w2, &w1, &w0, ws[6], p[19]);
1797  word3_muladd(&w2, &w1, &w0, ws[7], p[18]);
1798  word3_muladd(&w2, &w1, &w0, ws[8], p[17]);
1799  word3_muladd(&w2, &w1, &w0, ws[9], p[16]);
1800  word3_muladd(&w2, &w1, &w0, ws[10], p[15]);
1801  word3_muladd(&w2, &w1, &w0, ws[11], p[14]);
1802  word3_muladd(&w2, &w1, &w0, ws[12], p[13]);
1803  word3_muladd(&w2, &w1, &w0, ws[13], p[12]);
1804  word3_muladd(&w2, &w1, &w0, ws[14], p[11]);
1805  word3_muladd(&w2, &w1, &w0, ws[15], p[10]);
1806  word3_muladd(&w2, &w1, &w0, ws[16], p[9]);
1807  word3_muladd(&w2, &w1, &w0, ws[17], p[8]);
1808  word3_muladd(&w2, &w1, &w0, ws[18], p[7]);
1809  word3_muladd(&w2, &w1, &w0, ws[19], p[6]);
1810  word3_muladd(&w2, &w1, &w0, ws[20], p[5]);
1811  word3_muladd(&w2, &w1, &w0, ws[21], p[4]);
1812  word3_muladd(&w2, &w1, &w0, ws[22], p[3]);
1813  word3_muladd(&w2, &w1, &w0, ws[23], p[2]);
1814  word3_muladd(&w2, &w1, &w0, ws[24], p[1]);
1815  word3_add(&w2, &w1, &w0, z[25]);
1816  ws[25] = w0 * p_dash;
1817  word3_muladd(&w2, &w1, &w0, ws[25], p[0]);
1818  w0 = w1; w1 = w2; w2 = 0;
1819  word3_muladd(&w2, &w1, &w0, ws[0], p[26]);
1820  word3_muladd(&w2, &w1, &w0, ws[1], p[25]);
1821  word3_muladd(&w2, &w1, &w0, ws[2], p[24]);
1822  word3_muladd(&w2, &w1, &w0, ws[3], p[23]);
1823  word3_muladd(&w2, &w1, &w0, ws[4], p[22]);
1824  word3_muladd(&w2, &w1, &w0, ws[5], p[21]);
1825  word3_muladd(&w2, &w1, &w0, ws[6], p[20]);
1826  word3_muladd(&w2, &w1, &w0, ws[7], p[19]);
1827  word3_muladd(&w2, &w1, &w0, ws[8], p[18]);
1828  word3_muladd(&w2, &w1, &w0, ws[9], p[17]);
1829  word3_muladd(&w2, &w1, &w0, ws[10], p[16]);
1830  word3_muladd(&w2, &w1, &w0, ws[11], p[15]);
1831  word3_muladd(&w2, &w1, &w0, ws[12], p[14]);
1832  word3_muladd(&w2, &w1, &w0, ws[13], p[13]);
1833  word3_muladd(&w2, &w1, &w0, ws[14], p[12]);
1834  word3_muladd(&w2, &w1, &w0, ws[15], p[11]);
1835  word3_muladd(&w2, &w1, &w0, ws[16], p[10]);
1836  word3_muladd(&w2, &w1, &w0, ws[17], p[9]);
1837  word3_muladd(&w2, &w1, &w0, ws[18], p[8]);
1838  word3_muladd(&w2, &w1, &w0, ws[19], p[7]);
1839  word3_muladd(&w2, &w1, &w0, ws[20], p[6]);
1840  word3_muladd(&w2, &w1, &w0, ws[21], p[5]);
1841  word3_muladd(&w2, &w1, &w0, ws[22], p[4]);
1842  word3_muladd(&w2, &w1, &w0, ws[23], p[3]);
1843  word3_muladd(&w2, &w1, &w0, ws[24], p[2]);
1844  word3_muladd(&w2, &w1, &w0, ws[25], p[1]);
1845  word3_add(&w2, &w1, &w0, z[26]);
1846  ws[26] = w0 * p_dash;
1847  word3_muladd(&w2, &w1, &w0, ws[26], p[0]);
1848  w0 = w1; w1 = w2; w2 = 0;
1849  word3_muladd(&w2, &w1, &w0, ws[0], p[27]);
1850  word3_muladd(&w2, &w1, &w0, ws[1], p[26]);
1851  word3_muladd(&w2, &w1, &w0, ws[2], p[25]);
1852  word3_muladd(&w2, &w1, &w0, ws[3], p[24]);
1853  word3_muladd(&w2, &w1, &w0, ws[4], p[23]);
1854  word3_muladd(&w2, &w1, &w0, ws[5], p[22]);
1855  word3_muladd(&w2, &w1, &w0, ws[6], p[21]);
1856  word3_muladd(&w2, &w1, &w0, ws[7], p[20]);
1857  word3_muladd(&w2, &w1, &w0, ws[8], p[19]);
1858  word3_muladd(&w2, &w1, &w0, ws[9], p[18]);
1859  word3_muladd(&w2, &w1, &w0, ws[10], p[17]);
1860  word3_muladd(&w2, &w1, &w0, ws[11], p[16]);
1861  word3_muladd(&w2, &w1, &w0, ws[12], p[15]);
1862  word3_muladd(&w2, &w1, &w0, ws[13], p[14]);
1863  word3_muladd(&w2, &w1, &w0, ws[14], p[13]);
1864  word3_muladd(&w2, &w1, &w0, ws[15], p[12]);
1865  word3_muladd(&w2, &w1, &w0, ws[16], p[11]);
1866  word3_muladd(&w2, &w1, &w0, ws[17], p[10]);
1867  word3_muladd(&w2, &w1, &w0, ws[18], p[9]);
1868  word3_muladd(&w2, &w1, &w0, ws[19], p[8]);
1869  word3_muladd(&w2, &w1, &w0, ws[20], p[7]);
1870  word3_muladd(&w2, &w1, &w0, ws[21], p[6]);
1871  word3_muladd(&w2, &w1, &w0, ws[22], p[5]);
1872  word3_muladd(&w2, &w1, &w0, ws[23], p[4]);
1873  word3_muladd(&w2, &w1, &w0, ws[24], p[3]);
1874  word3_muladd(&w2, &w1, &w0, ws[25], p[2]);
1875  word3_muladd(&w2, &w1, &w0, ws[26], p[1]);
1876  word3_add(&w2, &w1, &w0, z[27]);
1877  ws[27] = w0 * p_dash;
1878  word3_muladd(&w2, &w1, &w0, ws[27], p[0]);
1879  w0 = w1; w1 = w2; w2 = 0;
1880  word3_muladd(&w2, &w1, &w0, ws[0], p[28]);
1881  word3_muladd(&w2, &w1, &w0, ws[1], p[27]);
1882  word3_muladd(&w2, &w1, &w0, ws[2], p[26]);
1883  word3_muladd(&w2, &w1, &w0, ws[3], p[25]);
1884  word3_muladd(&w2, &w1, &w0, ws[4], p[24]);
1885  word3_muladd(&w2, &w1, &w0, ws[5], p[23]);
1886  word3_muladd(&w2, &w1, &w0, ws[6], p[22]);
1887  word3_muladd(&w2, &w1, &w0, ws[7], p[21]);
1888  word3_muladd(&w2, &w1, &w0, ws[8], p[20]);
1889  word3_muladd(&w2, &w1, &w0, ws[9], p[19]);
1890  word3_muladd(&w2, &w1, &w0, ws[10], p[18]);
1891  word3_muladd(&w2, &w1, &w0, ws[11], p[17]);
1892  word3_muladd(&w2, &w1, &w0, ws[12], p[16]);
1893  word3_muladd(&w2, &w1, &w0, ws[13], p[15]);
1894  word3_muladd(&w2, &w1, &w0, ws[14], p[14]);
1895  word3_muladd(&w2, &w1, &w0, ws[15], p[13]);
1896  word3_muladd(&w2, &w1, &w0, ws[16], p[12]);
1897  word3_muladd(&w2, &w1, &w0, ws[17], p[11]);
1898  word3_muladd(&w2, &w1, &w0, ws[18], p[10]);
1899  word3_muladd(&w2, &w1, &w0, ws[19], p[9]);
1900  word3_muladd(&w2, &w1, &w0, ws[20], p[8]);
1901  word3_muladd(&w2, &w1, &w0, ws[21], p[7]);
1902  word3_muladd(&w2, &w1, &w0, ws[22], p[6]);
1903  word3_muladd(&w2, &w1, &w0, ws[23], p[5]);
1904  word3_muladd(&w2, &w1, &w0, ws[24], p[4]);
1905  word3_muladd(&w2, &w1, &w0, ws[25], p[3]);
1906  word3_muladd(&w2, &w1, &w0, ws[26], p[2]);
1907  word3_muladd(&w2, &w1, &w0, ws[27], p[1]);
1908  word3_add(&w2, &w1, &w0, z[28]);
1909  ws[28] = w0 * p_dash;
1910  word3_muladd(&w2, &w1, &w0, ws[28], p[0]);
1911  w0 = w1; w1 = w2; w2 = 0;
1912  word3_muladd(&w2, &w1, &w0, ws[0], p[29]);
1913  word3_muladd(&w2, &w1, &w0, ws[1], p[28]);
1914  word3_muladd(&w2, &w1, &w0, ws[2], p[27]);
1915  word3_muladd(&w2, &w1, &w0, ws[3], p[26]);
1916  word3_muladd(&w2, &w1, &w0, ws[4], p[25]);
1917  word3_muladd(&w2, &w1, &w0, ws[5], p[24]);
1918  word3_muladd(&w2, &w1, &w0, ws[6], p[23]);
1919  word3_muladd(&w2, &w1, &w0, ws[7], p[22]);
1920  word3_muladd(&w2, &w1, &w0, ws[8], p[21]);
1921  word3_muladd(&w2, &w1, &w0, ws[9], p[20]);
1922  word3_muladd(&w2, &w1, &w0, ws[10], p[19]);
1923  word3_muladd(&w2, &w1, &w0, ws[11], p[18]);
1924  word3_muladd(&w2, &w1, &w0, ws[12], p[17]);
1925  word3_muladd(&w2, &w1, &w0, ws[13], p[16]);
1926  word3_muladd(&w2, &w1, &w0, ws[14], p[15]);
1927  word3_muladd(&w2, &w1, &w0, ws[15], p[14]);
1928  word3_muladd(&w2, &w1, &w0, ws[16], p[13]);
1929  word3_muladd(&w2, &w1, &w0, ws[17], p[12]);
1930  word3_muladd(&w2, &w1, &w0, ws[18], p[11]);
1931  word3_muladd(&w2, &w1, &w0, ws[19], p[10]);
1932  word3_muladd(&w2, &w1, &w0, ws[20], p[9]);
1933  word3_muladd(&w2, &w1, &w0, ws[21], p[8]);
1934  word3_muladd(&w2, &w1, &w0, ws[22], p[7]);
1935  word3_muladd(&w2, &w1, &w0, ws[23], p[6]);
1936  word3_muladd(&w2, &w1, &w0, ws[24], p[5]);
1937  word3_muladd(&w2, &w1, &w0, ws[25], p[4]);
1938  word3_muladd(&w2, &w1, &w0, ws[26], p[3]);
1939  word3_muladd(&w2, &w1, &w0, ws[27], p[2]);
1940  word3_muladd(&w2, &w1, &w0, ws[28], p[1]);
1941  word3_add(&w2, &w1, &w0, z[29]);
1942  ws[29] = w0 * p_dash;
1943  word3_muladd(&w2, &w1, &w0, ws[29], p[0]);
1944  w0 = w1; w1 = w2; w2 = 0;
1945  word3_muladd(&w2, &w1, &w0, ws[0], p[30]);
1946  word3_muladd(&w2, &w1, &w0, ws[1], p[29]);
1947  word3_muladd(&w2, &w1, &w0, ws[2], p[28]);
1948  word3_muladd(&w2, &w1, &w0, ws[3], p[27]);
1949  word3_muladd(&w2, &w1, &w0, ws[4], p[26]);
1950  word3_muladd(&w2, &w1, &w0, ws[5], p[25]);
1951  word3_muladd(&w2, &w1, &w0, ws[6], p[24]);
1952  word3_muladd(&w2, &w1, &w0, ws[7], p[23]);
1953  word3_muladd(&w2, &w1, &w0, ws[8], p[22]);
1954  word3_muladd(&w2, &w1, &w0, ws[9], p[21]);
1955  word3_muladd(&w2, &w1, &w0, ws[10], p[20]);
1956  word3_muladd(&w2, &w1, &w0, ws[11], p[19]);
1957  word3_muladd(&w2, &w1, &w0, ws[12], p[18]);
1958  word3_muladd(&w2, &w1, &w0, ws[13], p[17]);
1959  word3_muladd(&w2, &w1, &w0, ws[14], p[16]);
1960  word3_muladd(&w2, &w1, &w0, ws[15], p[15]);
1961  word3_muladd(&w2, &w1, &w0, ws[16], p[14]);
1962  word3_muladd(&w2, &w1, &w0, ws[17], p[13]);
1963  word3_muladd(&w2, &w1, &w0, ws[18], p[12]);
1964  word3_muladd(&w2, &w1, &w0, ws[19], p[11]);
1965  word3_muladd(&w2, &w1, &w0, ws[20], p[10]);
1966  word3_muladd(&w2, &w1, &w0, ws[21], p[9]);
1967  word3_muladd(&w2, &w1, &w0, ws[22], p[8]);
1968  word3_muladd(&w2, &w1, &w0, ws[23], p[7]);
1969  word3_muladd(&w2, &w1, &w0, ws[24], p[6]);
1970  word3_muladd(&w2, &w1, &w0, ws[25], p[5]);
1971  word3_muladd(&w2, &w1, &w0, ws[26], p[4]);
1972  word3_muladd(&w2, &w1, &w0, ws[27], p[3]);
1973  word3_muladd(&w2, &w1, &w0, ws[28], p[2]);
1974  word3_muladd(&w2, &w1, &w0, ws[29], p[1]);
1975  word3_add(&w2, &w1, &w0, z[30]);
1976  ws[30] = w0 * p_dash;
1977  word3_muladd(&w2, &w1, &w0, ws[30], p[0]);
1978  w0 = w1; w1 = w2; w2 = 0;
1979  word3_muladd(&w2, &w1, &w0, ws[0], p[31]);
1980  word3_muladd(&w2, &w1, &w0, ws[1], p[30]);
1981  word3_muladd(&w2, &w1, &w0, ws[2], p[29]);
1982  word3_muladd(&w2, &w1, &w0, ws[3], p[28]);
1983  word3_muladd(&w2, &w1, &w0, ws[4], p[27]);
1984  word3_muladd(&w2, &w1, &w0, ws[5], p[26]);
1985  word3_muladd(&w2, &w1, &w0, ws[6], p[25]);
1986  word3_muladd(&w2, &w1, &w0, ws[7], p[24]);
1987  word3_muladd(&w2, &w1, &w0, ws[8], p[23]);
1988  word3_muladd(&w2, &w1, &w0, ws[9], p[22]);
1989  word3_muladd(&w2, &w1, &w0, ws[10], p[21]);
1990  word3_muladd(&w2, &w1, &w0, ws[11], p[20]);
1991  word3_muladd(&w2, &w1, &w0, ws[12], p[19]);
1992  word3_muladd(&w2, &w1, &w0, ws[13], p[18]);
1993  word3_muladd(&w2, &w1, &w0, ws[14], p[17]);
1994  word3_muladd(&w2, &w1, &w0, ws[15], p[16]);
1995  word3_muladd(&w2, &w1, &w0, ws[16], p[15]);
1996  word3_muladd(&w2, &w1, &w0, ws[17], p[14]);
1997  word3_muladd(&w2, &w1, &w0, ws[18], p[13]);
1998  word3_muladd(&w2, &w1, &w0, ws[19], p[12]);
1999  word3_muladd(&w2, &w1, &w0, ws[20], p[11]);
2000  word3_muladd(&w2, &w1, &w0, ws[21], p[10]);
2001  word3_muladd(&w2, &w1, &w0, ws[22], p[9]);
2002  word3_muladd(&w2, &w1, &w0, ws[23], p[8]);
2003  word3_muladd(&w2, &w1, &w0, ws[24], p[7]);
2004  word3_muladd(&w2, &w1, &w0, ws[25], p[6]);
2005  word3_muladd(&w2, &w1, &w0, ws[26], p[5]);
2006  word3_muladd(&w2, &w1, &w0, ws[27], p[4]);
2007  word3_muladd(&w2, &w1, &w0, ws[28], p[3]);
2008  word3_muladd(&w2, &w1, &w0, ws[29], p[2]);
2009  word3_muladd(&w2, &w1, &w0, ws[30], p[1]);
2010  word3_add(&w2, &w1, &w0, z[31]);
2011  ws[31] = w0 * p_dash;
2012  word3_muladd(&w2, &w1, &w0, ws[31], p[0]);
2013  w0 = w1; w1 = w2; w2 = 0;
2014  word3_muladd(&w2, &w1, &w0, ws[1], p[31]);
2015  word3_muladd(&w2, &w1, &w0, ws[2], p[30]);
2016  word3_muladd(&w2, &w1, &w0, ws[3], p[29]);
2017  word3_muladd(&w2, &w1, &w0, ws[4], p[28]);
2018  word3_muladd(&w2, &w1, &w0, ws[5], p[27]);
2019  word3_muladd(&w2, &w1, &w0, ws[6], p[26]);
2020  word3_muladd(&w2, &w1, &w0, ws[7], p[25]);
2021  word3_muladd(&w2, &w1, &w0, ws[8], p[24]);
2022  word3_muladd(&w2, &w1, &w0, ws[9], p[23]);
2023  word3_muladd(&w2, &w1, &w0, ws[10], p[22]);
2024  word3_muladd(&w2, &w1, &w0, ws[11], p[21]);
2025  word3_muladd(&w2, &w1, &w0, ws[12], p[20]);
2026  word3_muladd(&w2, &w1, &w0, ws[13], p[19]);
2027  word3_muladd(&w2, &w1, &w0, ws[14], p[18]);
2028  word3_muladd(&w2, &w1, &w0, ws[15], p[17]);
2029  word3_muladd(&w2, &w1, &w0, ws[16], p[16]);
2030  word3_muladd(&w2, &w1, &w0, ws[17], p[15]);
2031  word3_muladd(&w2, &w1, &w0, ws[18], p[14]);
2032  word3_muladd(&w2, &w1, &w0, ws[19], p[13]);
2033  word3_muladd(&w2, &w1, &w0, ws[20], p[12]);
2034  word3_muladd(&w2, &w1, &w0, ws[21], p[11]);
2035  word3_muladd(&w2, &w1, &w0, ws[22], p[10]);
2036  word3_muladd(&w2, &w1, &w0, ws[23], p[9]);
2037  word3_muladd(&w2, &w1, &w0, ws[24], p[8]);
2038  word3_muladd(&w2, &w1, &w0, ws[25], p[7]);
2039  word3_muladd(&w2, &w1, &w0, ws[26], p[6]);
2040  word3_muladd(&w2, &w1, &w0, ws[27], p[5]);
2041  word3_muladd(&w2, &w1, &w0, ws[28], p[4]);
2042  word3_muladd(&w2, &w1, &w0, ws[29], p[3]);
2043  word3_muladd(&w2, &w1, &w0, ws[30], p[2]);
2044  word3_muladd(&w2, &w1, &w0, ws[31], p[1]);
2045  word3_add(&w2, &w1, &w0, z[32]);
2046  ws[0] = w0;
2047  w0 = w1; w1 = w2; w2 = 0;
2048  word3_muladd(&w2, &w1, &w0, ws[2], p[31]);
2049  word3_muladd(&w2, &w1, &w0, ws[3], p[30]);
2050  word3_muladd(&w2, &w1, &w0, ws[4], p[29]);
2051  word3_muladd(&w2, &w1, &w0, ws[5], p[28]);
2052  word3_muladd(&w2, &w1, &w0, ws[6], p[27]);
2053  word3_muladd(&w2, &w1, &w0, ws[7], p[26]);
2054  word3_muladd(&w2, &w1, &w0, ws[8], p[25]);
2055  word3_muladd(&w2, &w1, &w0, ws[9], p[24]);
2056  word3_muladd(&w2, &w1, &w0, ws[10], p[23]);
2057  word3_muladd(&w2, &w1, &w0, ws[11], p[22]);
2058  word3_muladd(&w2, &w1, &w0, ws[12], p[21]);
2059  word3_muladd(&w2, &w1, &w0, ws[13], p[20]);
2060  word3_muladd(&w2, &w1, &w0, ws[14], p[19]);
2061  word3_muladd(&w2, &w1, &w0, ws[15], p[18]);
2062  word3_muladd(&w2, &w1, &w0, ws[16], p[17]);
2063  word3_muladd(&w2, &w1, &w0, ws[17], p[16]);
2064  word3_muladd(&w2, &w1, &w0, ws[18], p[15]);
2065  word3_muladd(&w2, &w1, &w0, ws[19], p[14]);
2066  word3_muladd(&w2, &w1, &w0, ws[20], p[13]);
2067  word3_muladd(&w2, &w1, &w0, ws[21], p[12]);
2068  word3_muladd(&w2, &w1, &w0, ws[22], p[11]);
2069  word3_muladd(&w2, &w1, &w0, ws[23], p[10]);
2070  word3_muladd(&w2, &w1, &w0, ws[24], p[9]);
2071  word3_muladd(&w2, &w1, &w0, ws[25], p[8]);
2072  word3_muladd(&w2, &w1, &w0, ws[26], p[7]);
2073  word3_muladd(&w2, &w1, &w0, ws[27], p[6]);
2074  word3_muladd(&w2, &w1, &w0, ws[28], p[5]);
2075  word3_muladd(&w2, &w1, &w0, ws[29], p[4]);
2076  word3_muladd(&w2, &w1, &w0, ws[30], p[3]);
2077  word3_muladd(&w2, &w1, &w0, ws[31], p[2]);
2078  word3_add(&w2, &w1, &w0, z[33]);
2079  ws[1] = w0;
2080  w0 = w1; w1 = w2; w2 = 0;
2081  word3_muladd(&w2, &w1, &w0, ws[3], p[31]);
2082  word3_muladd(&w2, &w1, &w0, ws[4], p[30]);
2083  word3_muladd(&w2, &w1, &w0, ws[5], p[29]);
2084  word3_muladd(&w2, &w1, &w0, ws[6], p[28]);
2085  word3_muladd(&w2, &w1, &w0, ws[7], p[27]);
2086  word3_muladd(&w2, &w1, &w0, ws[8], p[26]);
2087  word3_muladd(&w2, &w1, &w0, ws[9], p[25]);
2088  word3_muladd(&w2, &w1, &w0, ws[10], p[24]);
2089  word3_muladd(&w2, &w1, &w0, ws[11], p[23]);
2090  word3_muladd(&w2, &w1, &w0, ws[12], p[22]);
2091  word3_muladd(&w2, &w1, &w0, ws[13], p[21]);
2092  word3_muladd(&w2, &w1, &w0, ws[14], p[20]);
2093  word3_muladd(&w2, &w1, &w0, ws[15], p[19]);
2094  word3_muladd(&w2, &w1, &w0, ws[16], p[18]);
2095  word3_muladd(&w2, &w1, &w0, ws[17], p[17]);
2096  word3_muladd(&w2, &w1, &w0, ws[18], p[16]);
2097  word3_muladd(&w2, &w1, &w0, ws[19], p[15]);
2098  word3_muladd(&w2, &w1, &w0, ws[20], p[14]);
2099  word3_muladd(&w2, &w1, &w0, ws[21], p[13]);
2100  word3_muladd(&w2, &w1, &w0, ws[22], p[12]);
2101  word3_muladd(&w2, &w1, &w0, ws[23], p[11]);
2102  word3_muladd(&w2, &w1, &w0, ws[24], p[10]);
2103  word3_muladd(&w2, &w1, &w0, ws[25], p[9]);
2104  word3_muladd(&w2, &w1, &w0, ws[26], p[8]);
2105  word3_muladd(&w2, &w1, &w0, ws[27], p[7]);
2106  word3_muladd(&w2, &w1, &w0, ws[28], p[6]);
2107  word3_muladd(&w2, &w1, &w0, ws[29], p[5]);
2108  word3_muladd(&w2, &w1, &w0, ws[30], p[4]);
2109  word3_muladd(&w2, &w1, &w0, ws[31], p[3]);
2110  word3_add(&w2, &w1, &w0, z[34]);
2111  ws[2] = w0;
2112  w0 = w1; w1 = w2; w2 = 0;
2113  word3_muladd(&w2, &w1, &w0, ws[4], p[31]);
2114  word3_muladd(&w2, &w1, &w0, ws[5], p[30]);
2115  word3_muladd(&w2, &w1, &w0, ws[6], p[29]);
2116  word3_muladd(&w2, &w1, &w0, ws[7], p[28]);
2117  word3_muladd(&w2, &w1, &w0, ws[8], p[27]);
2118  word3_muladd(&w2, &w1, &w0, ws[9], p[26]);
2119  word3_muladd(&w2, &w1, &w0, ws[10], p[25]);
2120  word3_muladd(&w2, &w1, &w0, ws[11], p[24]);
2121  word3_muladd(&w2, &w1, &w0, ws[12], p[23]);
2122  word3_muladd(&w2, &w1, &w0, ws[13], p[22]);
2123  word3_muladd(&w2, &w1, &w0, ws[14], p[21]);
2124  word3_muladd(&w2, &w1, &w0, ws[15], p[20]);
2125  word3_muladd(&w2, &w1, &w0, ws[16], p[19]);
2126  word3_muladd(&w2, &w1, &w0, ws[17], p[18]);
2127  word3_muladd(&w2, &w1, &w0, ws[18], p[17]);
2128  word3_muladd(&w2, &w1, &w0, ws[19], p[16]);
2129  word3_muladd(&w2, &w1, &w0, ws[20], p[15]);
2130  word3_muladd(&w2, &w1, &w0, ws[21], p[14]);
2131  word3_muladd(&w2, &w1, &w0, ws[22], p[13]);
2132  word3_muladd(&w2, &w1, &w0, ws[23], p[12]);
2133  word3_muladd(&w2, &w1, &w0, ws[24], p[11]);
2134  word3_muladd(&w2, &w1, &w0, ws[25], p[10]);
2135  word3_muladd(&w2, &w1, &w0, ws[26], p[9]);
2136  word3_muladd(&w2, &w1, &w0, ws[27], p[8]);
2137  word3_muladd(&w2, &w1, &w0, ws[28], p[7]);
2138  word3_muladd(&w2, &w1, &w0, ws[29], p[6]);
2139  word3_muladd(&w2, &w1, &w0, ws[30], p[5]);
2140  word3_muladd(&w2, &w1, &w0, ws[31], p[4]);
2141  word3_add(&w2, &w1, &w0, z[35]);
2142  ws[3] = w0;
2143  w0 = w1; w1 = w2; w2 = 0;
2144  word3_muladd(&w2, &w1, &w0, ws[5], p[31]);
2145  word3_muladd(&w2, &w1, &w0, ws[6], p[30]);
2146  word3_muladd(&w2, &w1, &w0, ws[7], p[29]);
2147  word3_muladd(&w2, &w1, &w0, ws[8], p[28]);
2148  word3_muladd(&w2, &w1, &w0, ws[9], p[27]);
2149  word3_muladd(&w2, &w1, &w0, ws[10], p[26]);
2150  word3_muladd(&w2, &w1, &w0, ws[11], p[25]);
2151  word3_muladd(&w2, &w1, &w0, ws[12], p[24]);
2152  word3_muladd(&w2, &w1, &w0, ws[13], p[23]);
2153  word3_muladd(&w2, &w1, &w0, ws[14], p[22]);
2154  word3_muladd(&w2, &w1, &w0, ws[15], p[21]);
2155  word3_muladd(&w2, &w1, &w0, ws[16], p[20]);
2156  word3_muladd(&w2, &w1, &w0, ws[17], p[19]);
2157  word3_muladd(&w2, &w1, &w0, ws[18], p[18]);
2158  word3_muladd(&w2, &w1, &w0, ws[19], p[17]);
2159  word3_muladd(&w2, &w1, &w0, ws[20], p[16]);
2160  word3_muladd(&w2, &w1, &w0, ws[21], p[15]);
2161  word3_muladd(&w2, &w1, &w0, ws[22], p[14]);
2162  word3_muladd(&w2, &w1, &w0, ws[23], p[13]);
2163  word3_muladd(&w2, &w1, &w0, ws[24], p[12]);
2164  word3_muladd(&w2, &w1, &w0, ws[25], p[11]);
2165  word3_muladd(&w2, &w1, &w0, ws[26], p[10]);
2166  word3_muladd(&w2, &w1, &w0, ws[27], p[9]);
2167  word3_muladd(&w2, &w1, &w0, ws[28], p[8]);
2168  word3_muladd(&w2, &w1, &w0, ws[29], p[7]);
2169  word3_muladd(&w2, &w1, &w0, ws[30], p[6]);
2170  word3_muladd(&w2, &w1, &w0, ws[31], p[5]);
2171  word3_add(&w2, &w1, &w0, z[36]);
2172  ws[4] = w0;
2173  w0 = w1; w1 = w2; w2 = 0;
2174  word3_muladd(&w2, &w1, &w0, ws[6], p[31]);
2175  word3_muladd(&w2, &w1, &w0, ws[7], p[30]);
2176  word3_muladd(&w2, &w1, &w0, ws[8], p[29]);
2177  word3_muladd(&w2, &w1, &w0, ws[9], p[28]);
2178  word3_muladd(&w2, &w1, &w0, ws[10], p[27]);
2179  word3_muladd(&w2, &w1, &w0, ws[11], p[26]);
2180  word3_muladd(&w2, &w1, &w0, ws[12], p[25]);
2181  word3_muladd(&w2, &w1, &w0, ws[13], p[24]);
2182  word3_muladd(&w2, &w1, &w0, ws[14], p[23]);
2183  word3_muladd(&w2, &w1, &w0, ws[15], p[22]);
2184  word3_muladd(&w2, &w1, &w0, ws[16], p[21]);
2185  word3_muladd(&w2, &w1, &w0, ws[17], p[20]);
2186  word3_muladd(&w2, &w1, &w0, ws[18], p[19]);
2187  word3_muladd(&w2, &w1, &w0, ws[19], p[18]);
2188  word3_muladd(&w2, &w1, &w0, ws[20], p[17]);
2189  word3_muladd(&w2, &w1, &w0, ws[21], p[16]);
2190  word3_muladd(&w2, &w1, &w0, ws[22], p[15]);
2191  word3_muladd(&w2, &w1, &w0, ws[23], p[14]);
2192  word3_muladd(&w2, &w1, &w0, ws[24], p[13]);
2193  word3_muladd(&w2, &w1, &w0, ws[25], p[12]);
2194  word3_muladd(&w2, &w1, &w0, ws[26], p[11]);
2195  word3_muladd(&w2, &w1, &w0, ws[27], p[10]);
2196  word3_muladd(&w2, &w1, &w0, ws[28], p[9]);
2197  word3_muladd(&w2, &w1, &w0, ws[29], p[8]);
2198  word3_muladd(&w2, &w1, &w0, ws[30], p[7]);
2199  word3_muladd(&w2, &w1, &w0, ws[31], p[6]);
2200  word3_add(&w2, &w1, &w0, z[37]);
2201  ws[5] = w0;
2202  w0 = w1; w1 = w2; w2 = 0;
2203  word3_muladd(&w2, &w1, &w0, ws[7], p[31]);
2204  word3_muladd(&w2, &w1, &w0, ws[8], p[30]);
2205  word3_muladd(&w2, &w1, &w0, ws[9], p[29]);
2206  word3_muladd(&w2, &w1, &w0, ws[10], p[28]);
2207  word3_muladd(&w2, &w1, &w0, ws[11], p[27]);
2208  word3_muladd(&w2, &w1, &w0, ws[12], p[26]);
2209  word3_muladd(&w2, &w1, &w0, ws[13], p[25]);
2210  word3_muladd(&w2, &w1, &w0, ws[14], p[24]);
2211  word3_muladd(&w2, &w1, &w0, ws[15], p[23]);
2212  word3_muladd(&w2, &w1, &w0, ws[16], p[22]);
2213  word3_muladd(&w2, &w1, &w0, ws[17], p[21]);
2214  word3_muladd(&w2, &w1, &w0, ws[18], p[20]);
2215  word3_muladd(&w2, &w1, &w0, ws[19], p[19]);
2216  word3_muladd(&w2, &w1, &w0, ws[20], p[18]);
2217  word3_muladd(&w2, &w1, &w0, ws[21], p[17]);
2218  word3_muladd(&w2, &w1, &w0, ws[22], p[16]);
2219  word3_muladd(&w2, &w1, &w0, ws[23], p[15]);
2220  word3_muladd(&w2, &w1, &w0, ws[24], p[14]);
2221  word3_muladd(&w2, &w1, &w0, ws[25], p[13]);
2222  word3_muladd(&w2, &w1, &w0, ws[26], p[12]);
2223  word3_muladd(&w2, &w1, &w0, ws[27], p[11]);
2224  word3_muladd(&w2, &w1, &w0, ws[28], p[10]);
2225  word3_muladd(&w2, &w1, &w0, ws[29], p[9]);
2226  word3_muladd(&w2, &w1, &w0, ws[30], p[8]);
2227  word3_muladd(&w2, &w1, &w0, ws[31], p[7]);
2228  word3_add(&w2, &w1, &w0, z[38]);
2229  ws[6] = w0;
2230  w0 = w1; w1 = w2; w2 = 0;
2231  word3_muladd(&w2, &w1, &w0, ws[8], p[31]);
2232  word3_muladd(&w2, &w1, &w0, ws[9], p[30]);
2233  word3_muladd(&w2, &w1, &w0, ws[10], p[29]);
2234  word3_muladd(&w2, &w1, &w0, ws[11], p[28]);
2235  word3_muladd(&w2, &w1, &w0, ws[12], p[27]);
2236  word3_muladd(&w2, &w1, &w0, ws[13], p[26]);
2237  word3_muladd(&w2, &w1, &w0, ws[14], p[25]);
2238  word3_muladd(&w2, &w1, &w0, ws[15], p[24]);
2239  word3_muladd(&w2, &w1, &w0, ws[16], p[23]);
2240  word3_muladd(&w2, &w1, &w0, ws[17], p[22]);
2241  word3_muladd(&w2, &w1, &w0, ws[18], p[21]);
2242  word3_muladd(&w2, &w1, &w0, ws[19], p[20]);
2243  word3_muladd(&w2, &w1, &w0, ws[20], p[19]);
2244  word3_muladd(&w2, &w1, &w0, ws[21], p[18]);
2245  word3_muladd(&w2, &w1, &w0, ws[22], p[17]);
2246  word3_muladd(&w2, &w1, &w0, ws[23], p[16]);
2247  word3_muladd(&w2, &w1, &w0, ws[24], p[15]);
2248  word3_muladd(&w2, &w1, &w0, ws[25], p[14]);
2249  word3_muladd(&w2, &w1, &w0, ws[26], p[13]);
2250  word3_muladd(&w2, &w1, &w0, ws[27], p[12]);
2251  word3_muladd(&w2, &w1, &w0, ws[28], p[11]);
2252  word3_muladd(&w2, &w1, &w0, ws[29], p[10]);
2253  word3_muladd(&w2, &w1, &w0, ws[30], p[9]);
2254  word3_muladd(&w2, &w1, &w0, ws[31], p[8]);
2255  word3_add(&w2, &w1, &w0, z[39]);
2256  ws[7] = w0;
2257  w0 = w1; w1 = w2; w2 = 0;
2258  word3_muladd(&w2, &w1, &w0, ws[9], p[31]);
2259  word3_muladd(&w2, &w1, &w0, ws[10], p[30]);
2260  word3_muladd(&w2, &w1, &w0, ws[11], p[29]);
2261  word3_muladd(&w2, &w1, &w0, ws[12], p[28]);
2262  word3_muladd(&w2, &w1, &w0, ws[13], p[27]);
2263  word3_muladd(&w2, &w1, &w0, ws[14], p[26]);
2264  word3_muladd(&w2, &w1, &w0, ws[15], p[25]);
2265  word3_muladd(&w2, &w1, &w0, ws[16], p[24]);
2266  word3_muladd(&w2, &w1, &w0, ws[17], p[23]);
2267  word3_muladd(&w2, &w1, &w0, ws[18], p[22]);
2268  word3_muladd(&w2, &w1, &w0, ws[19], p[21]);
2269  word3_muladd(&w2, &w1, &w0, ws[20], p[20]);
2270  word3_muladd(&w2, &w1, &w0, ws[21], p[19]);
2271  word3_muladd(&w2, &w1, &w0, ws[22], p[18]);
2272  word3_muladd(&w2, &w1, &w0, ws[23], p[17]);
2273  word3_muladd(&w2, &w1, &w0, ws[24], p[16]);
2274  word3_muladd(&w2, &w1, &w0, ws[25], p[15]);
2275  word3_muladd(&w2, &w1, &w0, ws[26], p[14]);
2276  word3_muladd(&w2, &w1, &w0, ws[27], p[13]);
2277  word3_muladd(&w2, &w1, &w0, ws[28], p[12]);
2278  word3_muladd(&w2, &w1, &w0, ws[29], p[11]);
2279  word3_muladd(&w2, &w1, &w0, ws[30], p[10]);
2280  word3_muladd(&w2, &w1, &w0, ws[31], p[9]);
2281  word3_add(&w2, &w1, &w0, z[40]);
2282  ws[8] = w0;
2283  w0 = w1; w1 = w2; w2 = 0;
2284  word3_muladd(&w2, &w1, &w0, ws[10], p[31]);
2285  word3_muladd(&w2, &w1, &w0, ws[11], p[30]);
2286  word3_muladd(&w2, &w1, &w0, ws[12], p[29]);
2287  word3_muladd(&w2, &w1, &w0, ws[13], p[28]);
2288  word3_muladd(&w2, &w1, &w0, ws[14], p[27]);
2289  word3_muladd(&w2, &w1, &w0, ws[15], p[26]);
2290  word3_muladd(&w2, &w1, &w0, ws[16], p[25]);
2291  word3_muladd(&w2, &w1, &w0, ws[17], p[24]);
2292  word3_muladd(&w2, &w1, &w0, ws[18], p[23]);
2293  word3_muladd(&w2, &w1, &w0, ws[19], p[22]);
2294  word3_muladd(&w2, &w1, &w0, ws[20], p[21]);
2295  word3_muladd(&w2, &w1, &w0, ws[21], p[20]);
2296  word3_muladd(&w2, &w1, &w0, ws[22], p[19]);
2297  word3_muladd(&w2, &w1, &w0, ws[23], p[18]);
2298  word3_muladd(&w2, &w1, &w0, ws[24], p[17]);
2299  word3_muladd(&w2, &w1, &w0, ws[25], p[16]);
2300  word3_muladd(&w2, &w1, &w0, ws[26], p[15]);
2301  word3_muladd(&w2, &w1, &w0, ws[27], p[14]);
2302  word3_muladd(&w2, &w1, &w0, ws[28], p[13]);
2303  word3_muladd(&w2, &w1, &w0, ws[29], p[12]);
2304  word3_muladd(&w2, &w1, &w0, ws[30], p[11]);
2305  word3_muladd(&w2, &w1, &w0, ws[31], p[10]);
2306  word3_add(&w2, &w1, &w0, z[41]);
2307  ws[9] = w0;
2308  w0 = w1; w1 = w2; w2 = 0;
2309  word3_muladd(&w2, &w1, &w0, ws[11], p[31]);
2310  word3_muladd(&w2, &w1, &w0, ws[12], p[30]);
2311  word3_muladd(&w2, &w1, &w0, ws[13], p[29]);
2312  word3_muladd(&w2, &w1, &w0, ws[14], p[28]);
2313  word3_muladd(&w2, &w1, &w0, ws[15], p[27]);
2314  word3_muladd(&w2, &w1, &w0, ws[16], p[26]);
2315  word3_muladd(&w2, &w1, &w0, ws[17], p[25]);
2316  word3_muladd(&w2, &w1, &w0, ws[18], p[24]);
2317  word3_muladd(&w2, &w1, &w0, ws[19], p[23]);
2318  word3_muladd(&w2, &w1, &w0, ws[20], p[22]);
2319  word3_muladd(&w2, &w1, &w0, ws[21], p[21]);
2320  word3_muladd(&w2, &w1, &w0, ws[22], p[20]);
2321  word3_muladd(&w2, &w1, &w0, ws[23], p[19]);
2322  word3_muladd(&w2, &w1, &w0, ws[24], p[18]);
2323  word3_muladd(&w2, &w1, &w0, ws[25], p[17]);
2324  word3_muladd(&w2, &w1, &w0, ws[26], p[16]);
2325  word3_muladd(&w2, &w1, &w0, ws[27], p[15]);
2326  word3_muladd(&w2, &w1, &w0, ws[28], p[14]);
2327  word3_muladd(&w2, &w1, &w0, ws[29], p[13]);
2328  word3_muladd(&w2, &w1, &w0, ws[30], p[12]);
2329  word3_muladd(&w2, &w1, &w0, ws[31], p[11]);
2330  word3_add(&w2, &w1, &w0, z[42]);
2331  ws[10] = w0;
2332  w0 = w1; w1 = w2; w2 = 0;
2333  word3_muladd(&w2, &w1, &w0, ws[12], p[31]);
2334  word3_muladd(&w2, &w1, &w0, ws[13], p[30]);
2335  word3_muladd(&w2, &w1, &w0, ws[14], p[29]);
2336  word3_muladd(&w2, &w1, &w0, ws[15], p[28]);
2337  word3_muladd(&w2, &w1, &w0, ws[16], p[27]);
2338  word3_muladd(&w2, &w1, &w0, ws[17], p[26]);
2339  word3_muladd(&w2, &w1, &w0, ws[18], p[25]);
2340  word3_muladd(&w2, &w1, &w0, ws[19], p[24]);
2341  word3_muladd(&w2, &w1, &w0, ws[20], p[23]);
2342  word3_muladd(&w2, &w1, &w0, ws[21], p[22]);
2343  word3_muladd(&w2, &w1, &w0, ws[22], p[21]);
2344  word3_muladd(&w2, &w1, &w0, ws[23], p[20]);
2345  word3_muladd(&w2, &w1, &w0, ws[24], p[19]);
2346  word3_muladd(&w2, &w1, &w0, ws[25], p[18]);
2347  word3_muladd(&w2, &w1, &w0, ws[26], p[17]);
2348  word3_muladd(&w2, &w1, &w0, ws[27], p[16]);
2349  word3_muladd(&w2, &w1, &w0, ws[28], p[15]);
2350  word3_muladd(&w2, &w1, &w0, ws[29], p[14]);
2351  word3_muladd(&w2, &w1, &w0, ws[30], p[13]);
2352  word3_muladd(&w2, &w1, &w0, ws[31], p[12]);
2353  word3_add(&w2, &w1, &w0, z[43]);
2354  ws[11] = w0;
2355  w0 = w1; w1 = w2; w2 = 0;
2356  word3_muladd(&w2, &w1, &w0, ws[13], p[31]);
2357  word3_muladd(&w2, &w1, &w0, ws[14], p[30]);
2358  word3_muladd(&w2, &w1, &w0, ws[15], p[29]);
2359  word3_muladd(&w2, &w1, &w0, ws[16], p[28]);
2360  word3_muladd(&w2, &w1, &w0, ws[17], p[27]);
2361  word3_muladd(&w2, &w1, &w0, ws[18], p[26]);
2362  word3_muladd(&w2, &w1, &w0, ws[19], p[25]);
2363  word3_muladd(&w2, &w1, &w0, ws[20], p[24]);
2364  word3_muladd(&w2, &w1, &w0, ws[21], p[23]);
2365  word3_muladd(&w2, &w1, &w0, ws[22], p[22]);
2366  word3_muladd(&w2, &w1, &w0, ws[23], p[21]);
2367  word3_muladd(&w2, &w1, &w0, ws[24], p[20]);
2368  word3_muladd(&w2, &w1, &w0, ws[25], p[19]);
2369  word3_muladd(&w2, &w1, &w0, ws[26], p[18]);
2370  word3_muladd(&w2, &w1, &w0, ws[27], p[17]);
2371  word3_muladd(&w2, &w1, &w0, ws[28], p[16]);
2372  word3_muladd(&w2, &w1, &w0, ws[29], p[15]);
2373  word3_muladd(&w2, &w1, &w0, ws[30], p[14]);
2374  word3_muladd(&w2, &w1, &w0, ws[31], p[13]);
2375  word3_add(&w2, &w1, &w0, z[44]);
2376  ws[12] = w0;
2377  w0 = w1; w1 = w2; w2 = 0;
2378  word3_muladd(&w2, &w1, &w0, ws[14], p[31]);
2379  word3_muladd(&w2, &w1, &w0, ws[15], p[30]);
2380  word3_muladd(&w2, &w1, &w0, ws[16], p[29]);
2381  word3_muladd(&w2, &w1, &w0, ws[17], p[28]);
2382  word3_muladd(&w2, &w1, &w0, ws[18], p[27]);
2383  word3_muladd(&w2, &w1, &w0, ws[19], p[26]);
2384  word3_muladd(&w2, &w1, &w0, ws[20], p[25]);
2385  word3_muladd(&w2, &w1, &w0, ws[21], p[24]);
2386  word3_muladd(&w2, &w1, &w0, ws[22], p[23]);
2387  word3_muladd(&w2, &w1, &w0, ws[23], p[22]);
2388  word3_muladd(&w2, &w1, &w0, ws[24], p[21]);
2389  word3_muladd(&w2, &w1, &w0, ws[25], p[20]);
2390  word3_muladd(&w2, &w1, &w0, ws[26], p[19]);
2391  word3_muladd(&w2, &w1, &w0, ws[27], p[18]);
2392  word3_muladd(&w2, &w1, &w0, ws[28], p[17]);
2393  word3_muladd(&w2, &w1, &w0, ws[29], p[16]);
2394  word3_muladd(&w2, &w1, &w0, ws[30], p[15]);
2395  word3_muladd(&w2, &w1, &w0, ws[31], p[14]);
2396  word3_add(&w2, &w1, &w0, z[45]);
2397  ws[13] = w0;
2398  w0 = w1; w1 = w2; w2 = 0;
2399  word3_muladd(&w2, &w1, &w0, ws[15], p[31]);
2400  word3_muladd(&w2, &w1, &w0, ws[16], p[30]);
2401  word3_muladd(&w2, &w1, &w0, ws[17], p[29]);
2402  word3_muladd(&w2, &w1, &w0, ws[18], p[28]);
2403  word3_muladd(&w2, &w1, &w0, ws[19], p[27]);
2404  word3_muladd(&w2, &w1, &w0, ws[20], p[26]);
2405  word3_muladd(&w2, &w1, &w0, ws[21], p[25]);
2406  word3_muladd(&w2, &w1, &w0, ws[22], p[24]);
2407  word3_muladd(&w2, &w1, &w0, ws[23], p[23]);
2408  word3_muladd(&w2, &w1, &w0, ws[24], p[22]);
2409  word3_muladd(&w2, &w1, &w0, ws[25], p[21]);
2410  word3_muladd(&w2, &w1, &w0, ws[26], p[20]);
2411  word3_muladd(&w2, &w1, &w0, ws[27], p[19]);
2412  word3_muladd(&w2, &w1, &w0, ws[28], p[18]);
2413  word3_muladd(&w2, &w1, &w0, ws[29], p[17]);
2414  word3_muladd(&w2, &w1, &w0, ws[30], p[16]);
2415  word3_muladd(&w2, &w1, &w0, ws[31], p[15]);
2416  word3_add(&w2, &w1, &w0, z[46]);
2417  ws[14] = w0;
2418  w0 = w1; w1 = w2; w2 = 0;
2419  word3_muladd(&w2, &w1, &w0, ws[16], p[31]);
2420  word3_muladd(&w2, &w1, &w0, ws[17], p[30]);
2421  word3_muladd(&w2, &w1, &w0, ws[18], p[29]);
2422  word3_muladd(&w2, &w1, &w0, ws[19], p[28]);
2423  word3_muladd(&w2, &w1, &w0, ws[20], p[27]);
2424  word3_muladd(&w2, &w1, &w0, ws[21], p[26]);
2425  word3_muladd(&w2, &w1, &w0, ws[22], p[25]);
2426  word3_muladd(&w2, &w1, &w0, ws[23], p[24]);
2427  word3_muladd(&w2, &w1, &w0, ws[24], p[23]);
2428  word3_muladd(&w2, &w1, &w0, ws[25], p[22]);
2429  word3_muladd(&w2, &w1, &w0, ws[26], p[21]);
2430  word3_muladd(&w2, &w1, &w0, ws[27], p[20]);
2431  word3_muladd(&w2, &w1, &w0, ws[28], p[19]);
2432  word3_muladd(&w2, &w1, &w0, ws[29], p[18]);
2433  word3_muladd(&w2, &w1, &w0, ws[30], p[17]);
2434  word3_muladd(&w2, &w1, &w0, ws[31], p[16]);
2435  word3_add(&w2, &w1, &w0, z[47]);
2436  ws[15] = w0;
2437  w0 = w1; w1 = w2; w2 = 0;
2438  word3_muladd(&w2, &w1, &w0, ws[17], p[31]);
2439  word3_muladd(&w2, &w1, &w0, ws[18], p[30]);
2440  word3_muladd(&w2, &w1, &w0, ws[19], p[29]);
2441  word3_muladd(&w2, &w1, &w0, ws[20], p[28]);
2442  word3_muladd(&w2, &w1, &w0, ws[21], p[27]);
2443  word3_muladd(&w2, &w1, &w0, ws[22], p[26]);
2444  word3_muladd(&w2, &w1, &w0, ws[23], p[25]);
2445  word3_muladd(&w2, &w1, &w0, ws[24], p[24]);
2446  word3_muladd(&w2, &w1, &w0, ws[25], p[23]);
2447  word3_muladd(&w2, &w1, &w0, ws[26], p[22]);
2448  word3_muladd(&w2, &w1, &w0, ws[27], p[21]);
2449  word3_muladd(&w2, &w1, &w0, ws[28], p[20]);
2450  word3_muladd(&w2, &w1, &w0, ws[29], p[19]);
2451  word3_muladd(&w2, &w1, &w0, ws[30], p[18]);
2452  word3_muladd(&w2, &w1, &w0, ws[31], p[17]);
2453  word3_add(&w2, &w1, &w0, z[48]);
2454  ws[16] = w0;
2455  w0 = w1; w1 = w2; w2 = 0;
2456  word3_muladd(&w2, &w1, &w0, ws[18], p[31]);
2457  word3_muladd(&w2, &w1, &w0, ws[19], p[30]);
2458  word3_muladd(&w2, &w1, &w0, ws[20], p[29]);
2459  word3_muladd(&w2, &w1, &w0, ws[21], p[28]);
2460  word3_muladd(&w2, &w1, &w0, ws[22], p[27]);
2461  word3_muladd(&w2, &w1, &w0, ws[23], p[26]);
2462  word3_muladd(&w2, &w1, &w0, ws[24], p[25]);
2463  word3_muladd(&w2, &w1, &w0, ws[25], p[24]);
2464  word3_muladd(&w2, &w1, &w0, ws[26], p[23]);
2465  word3_muladd(&w2, &w1, &w0, ws[27], p[22]);
2466  word3_muladd(&w2, &w1, &w0, ws[28], p[21]);
2467  word3_muladd(&w2, &w1, &w0, ws[29], p[20]);
2468  word3_muladd(&w2, &w1, &w0, ws[30], p[19]);
2469  word3_muladd(&w2, &w1, &w0, ws[31], p[18]);
2470  word3_add(&w2, &w1, &w0, z[49]);
2471  ws[17] = w0;
2472  w0 = w1; w1 = w2; w2 = 0;
2473  word3_muladd(&w2, &w1, &w0, ws[19], p[31]);
2474  word3_muladd(&w2, &w1, &w0, ws[20], p[30]);
2475  word3_muladd(&w2, &w1, &w0, ws[21], p[29]);
2476  word3_muladd(&w2, &w1, &w0, ws[22], p[28]);
2477  word3_muladd(&w2, &w1, &w0, ws[23], p[27]);
2478  word3_muladd(&w2, &w1, &w0, ws[24], p[26]);
2479  word3_muladd(&w2, &w1, &w0, ws[25], p[25]);
2480  word3_muladd(&w2, &w1, &w0, ws[26], p[24]);
2481  word3_muladd(&w2, &w1, &w0, ws[27], p[23]);
2482  word3_muladd(&w2, &w1, &w0, ws[28], p[22]);
2483  word3_muladd(&w2, &w1, &w0, ws[29], p[21]);
2484  word3_muladd(&w2, &w1, &w0, ws[30], p[20]);
2485  word3_muladd(&w2, &w1, &w0, ws[31], p[19]);
2486  word3_add(&w2, &w1, &w0, z[50]);
2487  ws[18] = w0;
2488  w0 = w1; w1 = w2; w2 = 0;
2489  word3_muladd(&w2, &w1, &w0, ws[20], p[31]);
2490  word3_muladd(&w2, &w1, &w0, ws[21], p[30]);
2491  word3_muladd(&w2, &w1, &w0, ws[22], p[29]);
2492  word3_muladd(&w2, &w1, &w0, ws[23], p[28]);
2493  word3_muladd(&w2, &w1, &w0, ws[24], p[27]);
2494  word3_muladd(&w2, &w1, &w0, ws[25], p[26]);
2495  word3_muladd(&w2, &w1, &w0, ws[26], p[25]);
2496  word3_muladd(&w2, &w1, &w0, ws[27], p[24]);
2497  word3_muladd(&w2, &w1, &w0, ws[28], p[23]);
2498  word3_muladd(&w2, &w1, &w0, ws[29], p[22]);
2499  word3_muladd(&w2, &w1, &w0, ws[30], p[21]);
2500  word3_muladd(&w2, &w1, &w0, ws[31], p[20]);
2501  word3_add(&w2, &w1, &w0, z[51]);
2502  ws[19] = w0;
2503  w0 = w1; w1 = w2; w2 = 0;
2504  word3_muladd(&w2, &w1, &w0, ws[21], p[31]);
2505  word3_muladd(&w2, &w1, &w0, ws[22], p[30]);
2506  word3_muladd(&w2, &w1, &w0, ws[23], p[29]);
2507  word3_muladd(&w2, &w1, &w0, ws[24], p[28]);
2508  word3_muladd(&w2, &w1, &w0, ws[25], p[27]);
2509  word3_muladd(&w2, &w1, &w0, ws[26], p[26]);
2510  word3_muladd(&w2, &w1, &w0, ws[27], p[25]);
2511  word3_muladd(&w2, &w1, &w0, ws[28], p[24]);
2512  word3_muladd(&w2, &w1, &w0, ws[29], p[23]);
2513  word3_muladd(&w2, &w1, &w0, ws[30], p[22]);
2514  word3_muladd(&w2, &w1, &w0, ws[31], p[21]);
2515  word3_add(&w2, &w1, &w0, z[52]);
2516  ws[20] = w0;
2517  w0 = w1; w1 = w2; w2 = 0;
2518  word3_muladd(&w2, &w1, &w0, ws[22], p[31]);
2519  word3_muladd(&w2, &w1, &w0, ws[23], p[30]);
2520  word3_muladd(&w2, &w1, &w0, ws[24], p[29]);
2521  word3_muladd(&w2, &w1, &w0, ws[25], p[28]);
2522  word3_muladd(&w2, &w1, &w0, ws[26], p[27]);
2523  word3_muladd(&w2, &w1, &w0, ws[27], p[26]);
2524  word3_muladd(&w2, &w1, &w0, ws[28], p[25]);
2525  word3_muladd(&w2, &w1, &w0, ws[29], p[24]);
2526  word3_muladd(&w2, &w1, &w0, ws[30], p[23]);
2527  word3_muladd(&w2, &w1, &w0, ws[31], p[22]);
2528  word3_add(&w2, &w1, &w0, z[53]);
2529  ws[21] = w0;
2530  w0 = w1; w1 = w2; w2 = 0;
2531  word3_muladd(&w2, &w1, &w0, ws[23], p[31]);
2532  word3_muladd(&w2, &w1, &w0, ws[24], p[30]);
2533  word3_muladd(&w2, &w1, &w0, ws[25], p[29]);
2534  word3_muladd(&w2, &w1, &w0, ws[26], p[28]);
2535  word3_muladd(&w2, &w1, &w0, ws[27], p[27]);
2536  word3_muladd(&w2, &w1, &w0, ws[28], p[26]);
2537  word3_muladd(&w2, &w1, &w0, ws[29], p[25]);
2538  word3_muladd(&w2, &w1, &w0, ws[30], p[24]);
2539  word3_muladd(&w2, &w1, &w0, ws[31], p[23]);
2540  word3_add(&w2, &w1, &w0, z[54]);
2541  ws[22] = w0;
2542  w0 = w1; w1 = w2; w2 = 0;
2543  word3_muladd(&w2, &w1, &w0, ws[24], p[31]);
2544  word3_muladd(&w2, &w1, &w0, ws[25], p[30]);
2545  word3_muladd(&w2, &w1, &w0, ws[26], p[29]);
2546  word3_muladd(&w2, &w1, &w0, ws[27], p[28]);
2547  word3_muladd(&w2, &w1, &w0, ws[28], p[27]);
2548  word3_muladd(&w2, &w1, &w0, ws[29], p[26]);
2549  word3_muladd(&w2, &w1, &w0, ws[30], p[25]);
2550  word3_muladd(&w2, &w1, &w0, ws[31], p[24]);
2551  word3_add(&w2, &w1, &w0, z[55]);
2552  ws[23] = w0;
2553  w0 = w1; w1 = w2; w2 = 0;
2554  word3_muladd(&w2, &w1, &w0, ws[25], p[31]);
2555  word3_muladd(&w2, &w1, &w0, ws[26], p[30]);
2556  word3_muladd(&w2, &w1, &w0, ws[27], p[29]);
2557  word3_muladd(&w2, &w1, &w0, ws[28], p[28]);
2558  word3_muladd(&w2, &w1, &w0, ws[29], p[27]);
2559  word3_muladd(&w2, &w1, &w0, ws[30], p[26]);
2560  word3_muladd(&w2, &w1, &w0, ws[31], p[25]);
2561  word3_add(&w2, &w1, &w0, z[56]);
2562  ws[24] = w0;
2563  w0 = w1; w1 = w2; w2 = 0;
2564  word3_muladd(&w2, &w1, &w0, ws[26], p[31]);
2565  word3_muladd(&w2, &w1, &w0, ws[27], p[30]);
2566  word3_muladd(&w2, &w1, &w0, ws[28], p[29]);
2567  word3_muladd(&w2, &w1, &w0, ws[29], p[28]);
2568  word3_muladd(&w2, &w1, &w0, ws[30], p[27]);
2569  word3_muladd(&w2, &w1, &w0, ws[31], p[26]);
2570  word3_add(&w2, &w1, &w0, z[57]);
2571  ws[25] = w0;
2572  w0 = w1; w1 = w2; w2 = 0;
2573  word3_muladd(&w2, &w1, &w0, ws[27], p[31]);
2574  word3_muladd(&w2, &w1, &w0, ws[28], p[30]);
2575  word3_muladd(&w2, &w1, &w0, ws[29], p[29]);
2576  word3_muladd(&w2, &w1, &w0, ws[30], p[28]);
2577  word3_muladd(&w2, &w1, &w0, ws[31], p[27]);
2578  word3_add(&w2, &w1, &w0, z[58]);
2579  ws[26] = w0;
2580  w0 = w1; w1 = w2; w2 = 0;
2581  word3_muladd(&w2, &w1, &w0, ws[28], p[31]);
2582  word3_muladd(&w2, &w1, &w0, ws[29], p[30]);
2583  word3_muladd(&w2, &w1, &w0, ws[30], p[29]);
2584  word3_muladd(&w2, &w1, &w0, ws[31], p[28]);
2585  word3_add(&w2, &w1, &w0, z[59]);
2586  ws[27] = w0;
2587  w0 = w1; w1 = w2; w2 = 0;
2588  word3_muladd(&w2, &w1, &w0, ws[29], p[31]);
2589  word3_muladd(&w2, &w1, &w0, ws[30], p[30]);
2590  word3_muladd(&w2, &w1, &w0, ws[31], p[29]);
2591  word3_add(&w2, &w1, &w0, z[60]);
2592  ws[28] = w0;
2593  w0 = w1; w1 = w2; w2 = 0;
2594  word3_muladd(&w2, &w1, &w0, ws[30], p[31]);
2595  word3_muladd(&w2, &w1, &w0, ws[31], p[30]);
2596  word3_add(&w2, &w1, &w0, z[61]);
2597  ws[29] = w0;
2598  w0 = w1; w1 = w2; w2 = 0;
2599  word3_muladd(&w2, &w1, &w0, ws[31], p[31]);
2600  word3_add(&w2, &w1, &w0, z[62]);
2601  ws[30] = w0;
2602  w0 = w1; w1 = w2; w2 = 0;
2603  word3_add(&w2, &w1, &w0, z[63]);
2604  ws[31] = w0;
2605  w0 = w1; w1 = w2; w2 = 0;
2606  word3_add(&w2, &w1, &w0, z[65]);
2607  ws[32] = w0;
2608  ws[33] = w1;
2609  word borrow = bigint_sub3(ws + 32 + 1, ws, 32 + 1, p, 32);
2610  CT::conditional_copy_mem(borrow, z, ws, ws + 33, 33);
2611  clear_mem(z + 32, 2*(32+1) - 32);
2612  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:500
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
void Botan::bigint_monty_redc_4 ( word  z[],
const word  p[4],
word  p_dash,
word  ws[] 
)

Definition at line 15 of file mp_monty_n.cpp.

References clear_mem(), Botan::CT::conditional_copy_mem(), word3_add(), word3_muladd(), and word_sub().

16  {
17  word w2 = 0, w1 = 0, w0 = 0;
18  w0 = z[0];
19  ws[0] = w0 * p_dash;
20  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
21  w0 = w1; w1 = w2; w2 = 0;
22  word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
23  word3_add(&w2, &w1, &w0, z[1]);
24  ws[1] = w0 * p_dash;
25  word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
26  w0 = w1; w1 = w2; w2 = 0;
27  word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
28  word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
29  word3_add(&w2, &w1, &w0, z[2]);
30  ws[2] = w0 * p_dash;
31  word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
32  w0 = w1; w1 = w2; w2 = 0;
33  word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
34  word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
35  word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
36  word3_add(&w2, &w1, &w0, z[3]);
37  ws[3] = w0 * p_dash;
38  word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
39  w0 = w1; w1 = w2; w2 = 0;
40  word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
41  word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
42  word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
43  word3_add(&w2, &w1, &w0, z[4]);
44  ws[0] = w0;
45  w0 = w1; w1 = w2; w2 = 0;
46  word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
47  word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
48  word3_add(&w2, &w1, &w0, z[5]);
49  ws[1] = w0;
50  w0 = w1; w1 = w2; w2 = 0;
51  word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
52  word3_add(&w2, &w1, &w0, z[6]);
53  ws[2] = w0;
54  w0 = w1; w1 = w2; w2 = 0;
55  word3_add(&w2, &w1, &w0, z[7]);
56  ws[3] = w0;
57  w0 = w1; w1 = w2; w2 = 0;
58  word3_add(&w2, &w1, &w0, z[9]);
59  ws[4] = w0;
60  ws[5] = w1;
61  word borrow = 0;
62  ws[5] = word_sub(ws[0], p[0], &borrow);
63  ws[6] = word_sub(ws[1], p[1], &borrow);
64  ws[7] = word_sub(ws[2], p[2], &borrow);
65  ws[8] = word_sub(ws[3], p[3], &borrow);
66  ws[9] = word_sub(ws[4], 0, &borrow);
67  CT::conditional_copy_mem(borrow, z, ws, ws + 5, 5);
68  clear_mem(z + 4, 2*(4+1) - 4);
69  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:500
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
void Botan::bigint_monty_redc_4 ( word  z[],
const word  p[],
word  p_dash,
word  ws[] 
)

Referenced by bigint_monty_redc().

void Botan::bigint_monty_redc_6 ( word  z[],
const word  p[],
word  p_dash,
word  ws[] 
)

Referenced by bigint_monty_redc().

void Botan::bigint_monty_redc_6 ( word  z[],
const word  p[6],
word  p_dash,
word  ws[] 
)

Definition at line 71 of file mp_monty_n.cpp.

References clear_mem(), Botan::CT::conditional_copy_mem(), word3_add(), word3_muladd(), and word_sub().

72  {
73  word w2 = 0, w1 = 0, w0 = 0;
74  w0 = z[0];
75  ws[0] = w0 * p_dash;
76  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
77  w0 = w1; w1 = w2; w2 = 0;
78  word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
79  word3_add(&w2, &w1, &w0, z[1]);
80  ws[1] = w0 * p_dash;
81  word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
82  w0 = w1; w1 = w2; w2 = 0;
83  word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
84  word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
85  word3_add(&w2, &w1, &w0, z[2]);
86  ws[2] = w0 * p_dash;
87  word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
88  w0 = w1; w1 = w2; w2 = 0;
89  word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
90  word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
91  word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
92  word3_add(&w2, &w1, &w0, z[3]);
93  ws[3] = w0 * p_dash;
94  word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
95  w0 = w1; w1 = w2; w2 = 0;
96  word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
97  word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
98  word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
99  word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
100  word3_add(&w2, &w1, &w0, z[4]);
101  ws[4] = w0 * p_dash;
102  word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
103  w0 = w1; w1 = w2; w2 = 0;
104  word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
105  word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
106  word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
107  word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
108  word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
109  word3_add(&w2, &w1, &w0, z[5]);
110  ws[5] = w0 * p_dash;
111  word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
112  w0 = w1; w1 = w2; w2 = 0;
113  word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
114  word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
115  word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
116  word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
117  word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
118  word3_add(&w2, &w1, &w0, z[6]);
119  ws[0] = w0;
120  w0 = w1; w1 = w2; w2 = 0;
121  word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
122  word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
123  word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
124  word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
125  word3_add(&w2, &w1, &w0, z[7]);
126  ws[1] = w0;
127  w0 = w1; w1 = w2; w2 = 0;
128  word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
129  word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
130  word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
131  word3_add(&w2, &w1, &w0, z[8]);
132  ws[2] = w0;
133  w0 = w1; w1 = w2; w2 = 0;
134  word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
135  word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
136  word3_add(&w2, &w1, &w0, z[9]);
137  ws[3] = w0;
138  w0 = w1; w1 = w2; w2 = 0;
139  word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
140  word3_add(&w2, &w1, &w0, z[10]);
141  ws[4] = w0;
142  w0 = w1; w1 = w2; w2 = 0;
143  word3_add(&w2, &w1, &w0, z[11]);
144  ws[5] = w0;
145  w0 = w1; w1 = w2; w2 = 0;
146  word3_add(&w2, &w1, &w0, z[13]);
147  ws[6] = w0;
148  ws[7] = w1;
149  word borrow = 0;
150  ws[7] = word_sub(ws[0], p[0], &borrow);
151  ws[8] = word_sub(ws[1], p[1], &borrow);
152  ws[9] = word_sub(ws[2], p[2], &borrow);
153  ws[10] = word_sub(ws[3], p[3], &borrow);
154  ws[11] = word_sub(ws[4], p[4], &borrow);
155  ws[12] = word_sub(ws[5], p[5], &borrow);
156  ws[13] = word_sub(ws[6], 0, &borrow);
157  CT::conditional_copy_mem(borrow, z, ws, ws + 7, 7);
158  clear_mem(z + 6, 2*(6+1) - 6);
159  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:500
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
void Botan::bigint_monty_redc_8 ( word  z[],
const word  p[],
word  p_dash,
word  ws[] 
)

Referenced by bigint_monty_redc().

void Botan::bigint_monty_redc_8 ( word  z[],
const word  p[8],
word  p_dash,
word  ws[] 
)

Definition at line 161 of file mp_monty_n.cpp.

References clear_mem(), Botan::CT::conditional_copy_mem(), word3_add(), word3_muladd(), and word_sub().

162  {
163  word w2 = 0, w1 = 0, w0 = 0;
164  w0 = z[0];
165  ws[0] = w0 * p_dash;
166  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
167  w0 = w1; w1 = w2; w2 = 0;
168  word3_muladd(&w2, &w1, &w0, ws[0], p[1]);
169  word3_add(&w2, &w1, &w0, z[1]);
170  ws[1] = w0 * p_dash;
171  word3_muladd(&w2, &w1, &w0, ws[1], p[0]);
172  w0 = w1; w1 = w2; w2 = 0;
173  word3_muladd(&w2, &w1, &w0, ws[0], p[2]);
174  word3_muladd(&w2, &w1, &w0, ws[1], p[1]);
175  word3_add(&w2, &w1, &w0, z[2]);
176  ws[2] = w0 * p_dash;
177  word3_muladd(&w2, &w1, &w0, ws[2], p[0]);
178  w0 = w1; w1 = w2; w2 = 0;
179  word3_muladd(&w2, &w1, &w0, ws[0], p[3]);
180  word3_muladd(&w2, &w1, &w0, ws[1], p[2]);
181  word3_muladd(&w2, &w1, &w0, ws[2], p[1]);
182  word3_add(&w2, &w1, &w0, z[3]);
183  ws[3] = w0 * p_dash;
184  word3_muladd(&w2, &w1, &w0, ws[3], p[0]);
185  w0 = w1; w1 = w2; w2 = 0;
186  word3_muladd(&w2, &w1, &w0, ws[0], p[4]);
187  word3_muladd(&w2, &w1, &w0, ws[1], p[3]);
188  word3_muladd(&w2, &w1, &w0, ws[2], p[2]);
189  word3_muladd(&w2, &w1, &w0, ws[3], p[1]);
190  word3_add(&w2, &w1, &w0, z[4]);
191  ws[4] = w0 * p_dash;
192  word3_muladd(&w2, &w1, &w0, ws[4], p[0]);
193  w0 = w1; w1 = w2; w2 = 0;
194  word3_muladd(&w2, &w1, &w0, ws[0], p[5]);
195  word3_muladd(&w2, &w1, &w0, ws[1], p[4]);
196  word3_muladd(&w2, &w1, &w0, ws[2], p[3]);
197  word3_muladd(&w2, &w1, &w0, ws[3], p[2]);
198  word3_muladd(&w2, &w1, &w0, ws[4], p[1]);
199  word3_add(&w2, &w1, &w0, z[5]);
200  ws[5] = w0 * p_dash;
201  word3_muladd(&w2, &w1, &w0, ws[5], p[0]);
202  w0 = w1; w1 = w2; w2 = 0;
203  word3_muladd(&w2, &w1, &w0, ws[0], p[6]);
204  word3_muladd(&w2, &w1, &w0, ws[1], p[5]);
205  word3_muladd(&w2, &w1, &w0, ws[2], p[4]);
206  word3_muladd(&w2, &w1, &w0, ws[3], p[3]);
207  word3_muladd(&w2, &w1, &w0, ws[4], p[2]);
208  word3_muladd(&w2, &w1, &w0, ws[5], p[1]);
209  word3_add(&w2, &w1, &w0, z[6]);
210  ws[6] = w0 * p_dash;
211  word3_muladd(&w2, &w1, &w0, ws[6], p[0]);
212  w0 = w1; w1 = w2; w2 = 0;
213  word3_muladd(&w2, &w1, &w0, ws[0], p[7]);
214  word3_muladd(&w2, &w1, &w0, ws[1], p[6]);
215  word3_muladd(&w2, &w1, &w0, ws[2], p[5]);
216  word3_muladd(&w2, &w1, &w0, ws[3], p[4]);
217  word3_muladd(&w2, &w1, &w0, ws[4], p[3]);
218  word3_muladd(&w2, &w1, &w0, ws[5], p[2]);
219  word3_muladd(&w2, &w1, &w0, ws[6], p[1]);
220  word3_add(&w2, &w1, &w0, z[7]);
221  ws[7] = w0 * p_dash;
222  word3_muladd(&w2, &w1, &w0, ws[7], p[0]);
223  w0 = w1; w1 = w2; w2 = 0;
224  word3_muladd(&w2, &w1, &w0, ws[1], p[7]);
225  word3_muladd(&w2, &w1, &w0, ws[2], p[6]);
226  word3_muladd(&w2, &w1, &w0, ws[3], p[5]);
227  word3_muladd(&w2, &w1, &w0, ws[4], p[4]);
228  word3_muladd(&w2, &w1, &w0, ws[5], p[3]);
229  word3_muladd(&w2, &w1, &w0, ws[6], p[2]);
230  word3_muladd(&w2, &w1, &w0, ws[7], p[1]);
231  word3_add(&w2, &w1, &w0, z[8]);
232  ws[0] = w0;
233  w0 = w1; w1 = w2; w2 = 0;
234  word3_muladd(&w2, &w1, &w0, ws[2], p[7]);
235  word3_muladd(&w2, &w1, &w0, ws[3], p[6]);
236  word3_muladd(&w2, &w1, &w0, ws[4], p[5]);
237  word3_muladd(&w2, &w1, &w0, ws[5], p[4]);
238  word3_muladd(&w2, &w1, &w0, ws[6], p[3]);
239  word3_muladd(&w2, &w1, &w0, ws[7], p[2]);
240  word3_add(&w2, &w1, &w0, z[9]);
241  ws[1] = w0;
242  w0 = w1; w1 = w2; w2 = 0;
243  word3_muladd(&w2, &w1, &w0, ws[3], p[7]);
244  word3_muladd(&w2, &w1, &w0, ws[4], p[6]);
245  word3_muladd(&w2, &w1, &w0, ws[5], p[5]);
246  word3_muladd(&w2, &w1, &w0, ws[6], p[4]);
247  word3_muladd(&w2, &w1, &w0, ws[7], p[3]);
248  word3_add(&w2, &w1, &w0, z[10]);
249  ws[2] = w0;
250  w0 = w1; w1 = w2; w2 = 0;
251  word3_muladd(&w2, &w1, &w0, ws[4], p[7]);
252  word3_muladd(&w2, &w1, &w0, ws[5], p[6]);
253  word3_muladd(&w2, &w1, &w0, ws[6], p[5]);
254  word3_muladd(&w2, &w1, &w0, ws[7], p[4]);
255  word3_add(&w2, &w1, &w0, z[11]);
256  ws[3] = w0;
257  w0 = w1; w1 = w2; w2 = 0;
258  word3_muladd(&w2, &w1, &w0, ws[5], p[7]);
259  word3_muladd(&w2, &w1, &w0, ws[6], p[6]);
260  word3_muladd(&w2, &w1, &w0, ws[7], p[5]);
261  word3_add(&w2, &w1, &w0, z[12]);
262  ws[4] = w0;
263  w0 = w1; w1 = w2; w2 = 0;
264  word3_muladd(&w2, &w1, &w0, ws[6], p[7]);
265  word3_muladd(&w2, &w1, &w0, ws[7], p[6]);
266  word3_add(&w2, &w1, &w0, z[13]);
267  ws[5] = w0;
268  w0 = w1; w1 = w2; w2 = 0;
269  word3_muladd(&w2, &w1, &w0, ws[7], p[7]);
270  word3_add(&w2, &w1, &w0, z[14]);
271  ws[6] = w0;
272  w0 = w1; w1 = w2; w2 = 0;
273  word3_add(&w2, &w1, &w0, z[15]);
274  ws[7] = w0;
275  w0 = w1; w1 = w2; w2 = 0;
276  word3_add(&w2, &w1, &w0, z[17]);
277  ws[8] = w0;
278  ws[9] = w1;
279  word borrow = 0;
280  ws[9] = word_sub(ws[0], p[0], &borrow);
281  ws[10] = word_sub(ws[1], p[1], &borrow);
282  ws[11] = word_sub(ws[2], p[2], &borrow);
283  ws[12] = word_sub(ws[3], p[3], &borrow);
284  ws[13] = word_sub(ws[4], p[4], &borrow);
285  ws[14] = word_sub(ws[5], p[5], &borrow);
286  ws[15] = word_sub(ws[6], p[6], &borrow);
287  ws[16] = word_sub(ws[7], p[7], &borrow);
288  ws[17] = word_sub(ws[8], 0, &borrow);
289  CT::conditional_copy_mem(borrow, z, ws, ws + 9, 9);
290  clear_mem(z + 8, 2*(8+1) - 8);
291  }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:451
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:500
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
void Botan::bigint_mul ( word  z[],
size_t  z_size,
const word  x[],
size_t  x_size,
size_t  x_sw,
const word  y[],
size_t  y_size,
size_t  y_sw,
word  workspace[],
size_t  ws_size 
)

Definition at line 298 of file mp_karat.cpp.

References bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_linmul3(), and clear_mem().

Referenced by Botan::Montgomery_Params::mul(), Botan::BigInt::mul(), mul_add(), Botan::Montgomery_Params::mul_by(), and operator*().

302  {
303  clear_mem(z, z_size);
304 
305  if(x_sw == 1)
306  {
307  bigint_linmul3(z, y, y_sw, x[0]);
308  }
309  else if(y_sw == 1)
310  {
311  bigint_linmul3(z, x, x_sw, y[0]);
312  }
313  else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size))
314  {
315  bigint_comba_mul4(z, x, y);
316  }
317  else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size))
318  {
319  bigint_comba_mul6(z, x, y);
320  }
321  else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size))
322  {
323  bigint_comba_mul8(z, x, y);
324  }
325  else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size))
326  {
327  bigint_comba_mul9(z, x, y);
328  }
329  else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size))
330  {
331  bigint_comba_mul16(z, x, y);
332  }
333  else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size))
334  {
335  bigint_comba_mul24(z, x, y);
336  }
337  else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD ||
338  y_sw < KARATSUBA_MULTIPLY_THRESHOLD ||
339  !workspace)
340  {
341  basecase_mul(z, z_size, x, x_sw, y, y_sw);
342  }
343  else
344  {
345  const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw);
346 
347  if(N && z_size >= 2*N && ws_size >= 2*N)
348  karatsuba_mul(z, x, y, N, workspace);
349  else
350  basecase_mul(z, z_size, x, x_sw, y, y_sw);
351  }
352  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
void bigint_comba_mul4(word z[8], const word x[4], const word y[4])
Definition: mp_comba.cpp:50
void bigint_comba_mul9(word z[18], const word x[9], const word y[9])
Definition: mp_comba.cpp:474
void bigint_comba_mul24(word z[48], const word x[24], const word y[24])
Definition: mp_comba.cpp:1535
void bigint_linmul3(word z[], const word x[], size_t x_size, word y)
Definition: mp_core.h:504
void bigint_comba_mul8(word z[16], const word x[8], const word y[8])
Definition: mp_comba.cpp:283
void bigint_comba_mul16(word z[32], const word x[16], const word y[16])
Definition: mp_comba.cpp:805
void bigint_comba_mul6(word z[12], const word x[6], const word y[6])
Definition: mp_comba.cpp:141
void Botan::bigint_shl1 ( word  x[],
size_t  x_size,
size_t  x_words,
size_t  word_shift,
size_t  bit_shift 
)
inline

Definition at line 409 of file mp_core.h.

References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::operator<<=().

411  {
412  copy_mem(x + word_shift, x, x_words);
413  clear_mem(x, word_shift);
414 
415  const auto carry_mask = CT::Mask<word>::expand(bit_shift);
416  const size_t carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
417 
418  word carry = 0;
419  for(size_t i = word_shift; i != x_size; ++i)
420  {
421  const word w = x[i];
422  x[i] = (w << bit_shift) | carry;
423  carry = carry_mask.if_set_return(w >> carry_shift);
424  }
425  }
void carry(int64_t &h0, int64_t &h1)
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
uint64_t carry_shift(const donna128 &a, size_t shift)
Definition: donna128.h:116
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void Botan::bigint_shl2 ( word  y[],
const word  x[],
size_t  x_size,
size_t  word_shift,
size_t  bit_shift 
)
inline

Definition at line 449 of file mp_core.h.

References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by operator<<().

451  {
452  copy_mem(y + word_shift, x, x_size);
453 
454  const auto carry_mask = CT::Mask<word>::expand(bit_shift);
455  const size_t carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
456 
457  word carry = 0;
458  for(size_t i = word_shift; i != x_size + word_shift + 1; ++i)
459  {
460  const word w = y[i];
461  y[i] = (w << bit_shift) | carry;
462  carry = carry_mask.if_set_return(w >> carry_shift);
463  }
464  }
void carry(int64_t &h0, int64_t &h1)
uint64_t carry_shift(const donna128 &a, size_t shift)
Definition: donna128.h:116
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void Botan::bigint_shr1 ( word  x[],
size_t  x_size,
size_t  word_shift,
size_t  bit_shift 
)
inline

Definition at line 427 of file mp_core.h.

References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by Botan::BigInt::operator>>=().

429  {
430  const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0;
431 
432  if(top > 0)
433  copy_mem(x, x + word_shift, top);
434  clear_mem(x + top, std::min(word_shift, x_size));
435 
436  const auto carry_mask = CT::Mask<word>::expand(bit_shift);
437  const size_t carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
438 
439  word carry = 0;
440 
441  for(size_t i = 0; i != top; ++i)
442  {
443  const word w = x[top - i - 1];
444  x[top-i-1] = (w >> bit_shift) | carry;
445  carry = carry_mask.if_set_return(w << carry_shift);
446  }
447  }
void carry(int64_t &h0, int64_t &h1)
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
uint64_t carry_shift(const donna128 &a, size_t shift)
Definition: donna128.h:116
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void Botan::bigint_shr2 ( word  y[],
const word  x[],
size_t  x_size,
size_t  word_shift,
size_t  bit_shift 
)
inline

Definition at line 466 of file mp_core.h.

References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().

Referenced by operator>>(), and redc_p521().

468  {
469  const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift);
470 
471  if(new_size > 0)
472  copy_mem(y, x + word_shift, new_size);
473 
474  const auto carry_mask = CT::Mask<word>::expand(bit_shift);
475  const size_t carry_shift = carry_mask.if_set_return(BOTAN_MP_WORD_BITS - bit_shift);
476 
477  word carry = 0;
478  for(size_t i = new_size; i > 0; --i)
479  {
480  word w = y[i-1];
481  y[i-1] = (w >> bit_shift) | carry;
482  carry = carry_mask.if_set_return(w << carry_shift);
483  }
484  }
void carry(int64_t &h0, int64_t &h1)
uint64_t carry_shift(const donna128 &a, size_t shift)
Definition: donna128.h:116
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void Botan::bigint_sqr ( word  z[],
size_t  z_size,
const word  x[],
size_t  x_size,
size_t  x_sw,
word  workspace[],
size_t  ws_size 
)

Definition at line 357 of file mp_karat.cpp.

References bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_linmul3(), BOTAN_ASSERT, and clear_mem().

Referenced by Botan::Montgomery_Params::sqr(), Botan::BigInt::square(), and Botan::Montgomery_Params::square_this().

360  {
361  clear_mem(z, z_size);
362 
363  BOTAN_ASSERT(z_size/2 >= x_sw, "Output size is sufficient");
364 
365  if(x_sw == 1)
366  {
367  bigint_linmul3(z, x, x_sw, x[0]);
368  }
369  else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size))
370  {
371  bigint_comba_sqr4(z, x);
372  }
373  else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size))
374  {
375  bigint_comba_sqr6(z, x);
376  }
377  else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size))
378  {
379  bigint_comba_sqr8(z, x);
380  }
381  else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size))
382  {
383  bigint_comba_sqr9(z, x);
384  }
385  else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size))
386  {
387  bigint_comba_sqr16(z, x);
388  }
389  else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size))
390  {
391  bigint_comba_sqr24(z, x);
392  }
393  else if(x_size < KARATSUBA_SQUARE_THRESHOLD || !workspace)
394  {
395  basecase_sqr(z, z_size, x, x_sw);
396  }
397  else
398  {
399  const size_t N = karatsuba_size(z_size, x_size, x_sw);
400 
401  if(N && z_size >= 2*N && ws_size >= 2*N)
402  karatsuba_sqr(z, x, N, workspace);
403  else
404  basecase_sqr(z, z_size, x, x_sw);
405  }
406  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
void bigint_linmul3(word z[], const word x[], size_t x_size, word y)
Definition: mp_core.h:504
void bigint_comba_sqr16(word z[32], const word x[16])
Definition: mp_comba.cpp:598
void bigint_comba_sqr24(word z[48], const word x[24])
Definition: mp_comba.cpp:1132
void bigint_comba_sqr9(word z[18], const word x[9])
Definition: mp_comba.cpp:386
void bigint_comba_sqr8(word z[16], const word x[8])
Definition: mp_comba.cpp:208
void bigint_comba_sqr4(word z[8], const word x[4])
Definition: mp_comba.cpp:17
void bigint_comba_sqr6(word z[12], const word x[6])
Definition: mp_comba.cpp:89
word Botan::bigint_sub2 ( word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Two operand subtraction

Definition at line 300 of file mp_core.h.

References BOTAN_ASSERT, word8_sub2(), and word_sub().

Referenced by Botan::BigInt::add(), redc_p192(), redc_p224(), redc_p256(), and redc_p384().

302  {
303  word borrow = 0;
304 
305  BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
306 
307  const size_t blocks = y_size - (y_size % 8);
308 
309  for(size_t i = 0; i != blocks; i += 8)
310  borrow = word8_sub2(x + i, y + i, borrow);
311 
312  for(size_t i = blocks; i != y_size; ++i)
313  x[i] = word_sub(x[i], y[i], &borrow);
314 
315  for(size_t i = y_size; i != x_size; ++i)
316  x[i] = word_sub(x[i], 0, &borrow);
317 
318  return borrow;
319  }
word word8_sub2(word x[8], const word y[8], word carry)
Definition: mp_asmi.h:240
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
void Botan::bigint_sub2_rev ( word  x[],
const word  y[],
size_t  y_size 
)
inline

Two operand subtraction, x = y - x; assumes y >= x

Definition at line 324 of file mp_core.h.

References BOTAN_ASSERT, word8_sub2_rev(), and word_sub().

Referenced by Botan::BigInt::add().

325  {
326  word borrow = 0;
327 
328  const size_t blocks = y_size - (y_size % 8);
329 
330  for(size_t i = 0; i != blocks; i += 8)
331  borrow = word8_sub2_rev(x + i, y + i, borrow);
332 
333  for(size_t i = blocks; i != y_size; ++i)
334  x[i] = word_sub(y[i], x[i], &borrow);
335 
336  BOTAN_ASSERT(borrow == 0, "y must be greater than x");
337  }
word word8_sub2_rev(word x[8], const word y[8], word carry)
Definition: mp_asmi.h:275
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word Botan::bigint_sub3 ( word  z[],
const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Three operand subtraction

Definition at line 342 of file mp_core.h.

References BOTAN_ASSERT, word8_sub3(), and word_sub().

Referenced by bigint_mod_sub(), bigint_mod_sub_n(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_sub_abs(), ct_divide(), ct_modulo(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::mod_add(), and Botan::BigInt::reduce_below().

345  {
346  word borrow = 0;
347 
348  BOTAN_ASSERT(x_size >= y_size, "Expected sizes");
349 
350  const size_t blocks = y_size - (y_size % 8);
351 
352  for(size_t i = 0; i != blocks; i += 8)
353  borrow = word8_sub3(z + i, x + i, y + i, borrow);
354 
355  for(size_t i = blocks; i != y_size; ++i)
356  z[i] = word_sub(x[i], y[i], &borrow);
357 
358  for(size_t i = y_size; i != x_size; ++i)
359  z[i] = word_sub(x[i], 0, &borrow);
360 
361  return borrow;
362  }
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word word8_sub3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:310
CT::Mask<word> Botan::bigint_sub_abs ( word  z[],
const word  x[],
const word  y[],
size_t  N,
word  ws[] 
)
inline

Return abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Returns ~0 if x >= y or 0 if x < y

Parameters
zoutput array of at least N words
xinput array of N words
yinput array of N words
Nlength of x and y
wsarray of at least 2*N words

Definition at line 377 of file mp_core.h.

References Botan::CT::conditional_copy_mem(), word8_sub3(), and word_sub().

Referenced by Botan::BigInt::add2(), and Botan::BigInt::rev_sub().

380  {
381  // Subtract in both direction then conditional copy out the result
382 
383  word* ws0 = ws;
384  word* ws1 = ws + N;
385 
386  word borrow0 = 0;
387  word borrow1 = 0;
388 
389  const size_t blocks = N - (N % 8);
390 
391  for(size_t i = 0; i != blocks; i += 8)
392  {
393  borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0);
394  borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1);
395  }
396 
397  for(size_t i = blocks; i != N; ++i)
398  {
399  ws0[i] = word_sub(x[i], y[i], &borrow0);
400  ws1[i] = word_sub(y[i], x[i], &borrow1);
401  }
402 
403  return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N);
404  }
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:363
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word word8_sub3(word z[8], const word x[8], const word y[8], word carry)
Definition: mp_asmi.h:310
int32_t Botan::bigint_sub_abs ( word  z[],
const word  x[],
size_t  x_size,
const word  y[],
size_t  y_size 
)
inline

Set z to abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0

Return the relative size of x vs y (-1, 0, 1)

Parameters
zoutput array of max(x_size,y_size) words
xinput param
x_sizelength of x
yinput param
y_sizelength of y

Definition at line 654 of file mp_core.h.

References bigint_cmp(), bigint_sub3(), Botan::CT::conditional_swap(), and Botan::CT::conditional_swap_ptr().

657  {
658  const int32_t relative_size = bigint_cmp(x, x_size, y, y_size);
659 
660  // Swap if relative_size == -1
661  const bool need_swap = relative_size < 0;
662  CT::conditional_swap_ptr(need_swap, x, y);
663  CT::conditional_swap(need_swap, x_size, y_size);
664 
665  /*
666  * We know at this point that x >= y so if y_size is larger than
667  * x_size, we are guaranteed they are just leading zeros which can
668  * be ignored
669  */
670  y_size = std::min(x_size, y_size);
671 
672  bigint_sub3(z, x, x_size, y, y_size);
673 
674  return relative_size;
675  }
void conditional_swap_ptr(bool cnd, T &x, T &y)
Definition: ct_utils.h:386
int32_t bigint_cmp(const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:525
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
void conditional_swap(bool cnd, T &x, T &y)
Definition: ct_utils.h:375
template<typename T >
T Botan::bit_permute_step ( T  x,
T  mask,
size_t  shift 
)
inline

Definition at line 151 of file bit_ops.h.

References T.

152  {
153  /*
154  See https://reflectionsonsecurity.wordpress.com/2014/05/11/efficient-bit-permutation-using-delta-swaps/
155  and http://programming.sirrida.de/bit_perm.html
156  */
157  const T swap = ((x >> shift) ^ x) & mask;
158  return (x ^ swap) ^ (swap << shift);
159  }
fe T
Definition: ge.cpp:37
size_t Botan::bit_size_to_32bit_size ( size_t  bit_size)
inline

Definition at line 50 of file code_based_util.h.

Referenced by generate_mceliece_key(), mceliece_decrypt(), and Botan::McEliece_PrivateKey::McEliece_PrivateKey().

51  {
52  return (bit_size - 1) / 32 + 1;
53  }
size_t Botan::bit_size_to_byte_size ( size_t  bit_size)
inline

Definition at line 45 of file code_based_util.h.

Referenced by mceliece_decrypt().

46  {
47  return (bit_size - 1) / 8 + 1;
48  }
const BotanErrorCategory& Botan::botan_category ( )
inlinenoexcept

Definition at line 112 of file asio_error.h.

Referenced by make_error_code().

113  {
114  static BotanErrorCategory category;
115  return category;
116  }
template<typename T >
void Botan::bswap_4 ( T  x[4])
inline

Swap 4 Ts in an array

Definition at line 98 of file bswap.h.

References reverse_bytes().

Referenced by Botan::SIMD_4x32::bswap(), load_be(), and load_le().

99  {
100  x[0] = reverse_bytes(x[0]);
101  x[1] = reverse_bytes(x[1]);
102  x[2] = reverse_bytes(x[2]);
103  x[3] = reverse_bytes(x[3]);
104  }
uint64_t reverse_bytes(uint64_t val)
Definition: bswap.h:66
template<typename T , typename Alloc >
size_t Botan::buffer_insert ( std::vector< T, Alloc > &  buf,
size_t  buf_offset,
const T  input[],
size_t  input_length 
)

Definition at line 228 of file mem_ops.h.

References BOTAN_ASSERT_NOMSG, and copy_mem().

Referenced by Botan::Streebog::add_data(), Botan::MDx_HashFunction::add_data(), Botan::EME_PKCS1v15::pad(), Botan::CTR_BE::seek(), Botan::CTR_BE::set_iv(), Botan::OFB::set_iv(), Botan::Base64_Encoder::write(), and Botan::Hex_Encoder::write().

232  {
233  BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
234  const size_t to_copy = std::min(input_length, buf.size() - buf_offset);
235  if(to_copy > 0)
236  {
237  copy_mem(&buf[buf_offset], input, to_copy);
238  }
239  return to_copy;
240  }
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
template<typename T , typename Alloc , typename Alloc2 >
size_t Botan::buffer_insert ( std::vector< T, Alloc > &  buf,
size_t  buf_offset,
const std::vector< T, Alloc2 > &  input 
)

Definition at line 243 of file mem_ops.h.

References BOTAN_ASSERT_NOMSG, and copy_mem().

246  {
247  BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
248  const size_t to_copy = std::min(input.size(), buf.size() - buf_offset);
249  if(to_copy > 0)
250  {
251  copy_mem(&buf[buf_offset], input.data(), to_copy);
252  }
253  return to_copy;
254  }
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
calendar_point Botan::calendar_value ( const std::chrono::system_clock::time_point &  time_point)

Convert a time_point to a calendar_point

Parameters
time_pointa time point from the system clock
Returns
calendar_point object representing this time point

Definition at line 111 of file calendar.cpp.

Referenced by Botan::ASN1_Time::ASN1_Time().

113  {
114  std::tm tm = do_gmtime(std::chrono::system_clock::to_time_t(time_point));
115 
116  return calendar_point(tm.tm_year + 1900,
117  tm.tm_mon + 1,
118  tm.tm_mday,
119  tm.tm_hour,
120  tm.tm_min,
121  tm.tm_sec);
122  }
template<size_t S, int64_t MUL = 1>
void Botan::carry ( int64_t &  h0,
int64_t &  h1 
)
inline
template<size_t S>
void Botan::carry0 ( int64_t &  h0,
int64_t &  h1 
)
inline

Definition at line 44 of file ed25519_internal.h.

45  {
46  static_assert(S > 0 && S < 64, "Shift in range");
47 
48  const int64_t X1 = (static_cast<int64_t>(1) << S);
49  int64_t c = h0 >> S;
50  h1 += c;
51  h0 -= c * X1;
52  }
template<size_t S>
void Botan::carry0 ( int32_t &  h0,
int32_t &  h1 
)
inline

Definition at line 55 of file ed25519_internal.h.

56  {
57  static_assert(S > 0 && S < 32, "Shift in range");
58 
59  const int32_t X1 = (static_cast<int64_t>(1) << S);
60  int32_t c = h0 >> S;
61  h1 += c;
62  h0 -= c * X1;
63  }
uint64_t Botan::carry_shift ( const donna128 a,
size_t  shift 
)
inline

Definition at line 116 of file donna128.h.

Referenced by bigint_shl1(), bigint_shl2(), bigint_shr1(), and bigint_shr2().

117  {
118  return (a >> shift).lo();
119  }
const uint8_t* Botan::cast_char_ptr_to_uint8 ( const char *  s)
inline
uint8_t* Botan::cast_char_ptr_to_uint8 ( char *  s)
inline

Definition at line 200 of file mem_ops.h.

201  {
202  return reinterpret_cast<uint8_t*>(s);
203  }
const char* Botan::cast_uint8_ptr_to_char ( const uint8_t *  b)
inline
char* Botan::cast_uint8_ptr_to_char ( uint8_t *  b)
inline

Definition at line 205 of file mem_ops.h.

206  {
207  return reinterpret_cast<char*>(b);
208  }
void Botan::CECPQ1_accept ( uint8_t  shared_key[CECPQ1_SHARED_KEY_BYTES],
uint8_t  send[CECPQ1_ACCEPT_BYTES],
const uint8_t  received[CECPQ1_OFFER_BYTES],
RandomNumberGenerator rng 
)

Definition at line 26 of file cecpq1.cpp.

References BoringSSL, curve25519_basepoint(), curve25519_donna(), newhope_sharedb(), and Botan::RandomNumberGenerator::random_vec().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().

30  {
31  secure_vector<uint8_t> x25519_key = rng.random_vec(32);
32 
33  curve25519_basepoint(send, x25519_key.data());
34 
35  curve25519_donna(shared_key, x25519_key.data(), received);
36 
37  newhope_sharedb(shared_key + 32, send + 32, received + 32,
38  rng, Newhope_Mode::BoringSSL);
39  }
void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
Definition: donna.cpp:440
void curve25519_basepoint(uint8_t mypublic[32], const uint8_t secret[32])
Definition: curve25519.cpp:16
void newhope_sharedb(uint8_t *sharedkey, uint8_t *send, const uint8_t *received, RandomNumberGenerator &rng, Newhope_Mode mode)
Definition: newhope.cpp:742
void Botan::CECPQ1_accept ( uint8_t *  shared_key,
uint8_t *  accept_message,
const uint8_t *  offer_message,
RandomNumberGenerator rng 
)
void Botan::CECPQ1_finish ( uint8_t *  shared_key,
const CECPQ1_key offer_key,
const uint8_t *  accept_message 
)
void Botan::CECPQ1_finish ( uint8_t  shared_key[CECPQ1_SHARED_KEY_BYTES],
const CECPQ1_key offer_key,
const uint8_t  received[CECPQ1_ACCEPT_BYTES] 
)

Definition at line 41 of file cecpq1.cpp.

References BoringSSL, curve25519_donna(), Botan::CECPQ1_key::m_newhope, Botan::CECPQ1_key::m_x25519, and newhope_shareda().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().

44  {
45  curve25519_donna(shared_key, offer_key.m_x25519.data(), received);
46 
47  newhope_shareda(shared_key + 32, &offer_key.m_newhope, received + 32,
48  Newhope_Mode::BoringSSL);
49  }
void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
Definition: donna.cpp:440
void newhope_shareda(uint8_t sharedkey[], const poly *sk, const uint8_t received[], Newhope_Mode mode)
Definition: newhope.cpp:779
void Botan::CECPQ1_offer ( uint8_t  send[CECPQ1_OFFER_BYTES],
CECPQ1_key offer_key_output,
RandomNumberGenerator rng 
)

Definition at line 15 of file cecpq1.cpp.

References BoringSSL, curve25519_basepoint(), Botan::CECPQ1_key::m_newhope, Botan::CECPQ1_key::m_x25519, newhope_keygen(), and Botan::RandomNumberGenerator::random_vec().

Referenced by Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().

18  {
19  offer_key_output->m_x25519 = rng.random_vec(32);
20  curve25519_basepoint(send, offer_key_output->m_x25519.data());
21 
22  newhope_keygen(send + 32, &offer_key_output->m_newhope,
23  rng, Newhope_Mode::BoringSSL);
24  }
void newhope_keygen(uint8_t *send, poly *sk, RandomNumberGenerator &rng, Newhope_Mode mode)
Definition: newhope.cpp:720
void curve25519_basepoint(uint8_t mypublic[32], const uint8_t secret[32])
Definition: curve25519.cpp:16
void Botan::CECPQ1_offer ( uint8_t *  offer_message,
CECPQ1_key offer_key_output,
RandomNumberGenerator rng 
)
template<typename T >
uint8_t Botan::ceil_log2 ( T  x)

Definition at line 119 of file bit_ops.h.

References T.

Referenced by Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), and mceliece_work_factor().

120  {
121  static_assert(sizeof(T) < 32, "Abnormally large scalar");
122 
123  if(x >> (sizeof(T)*8-1))
124  return sizeof(T)*8;
125 
126  uint8_t result = 0;
127  T compare = 1;
128 
129  while(compare < x)
130  {
131  compare <<= 1;
132  result++;
133  }
134 
135  return result;
136  }
fe T
Definition: ge.cpp:37
bool Botan::check_bcrypt ( const std::string &  password,
const std::string &  hash 
)

Check a previously created password hash

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 155 of file bcrypt.cpp.

References same_mem(), and to_uint16().

Referenced by botan_bcrypt_is_valid().

156  {
157  if(hash.size() != 60 ||
158  hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$')
159  {
160  return false;
161  }
162 
163  const char bcrypt_version = hash[2];
164 
165  if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y')
166  {
167  return false;
168  }
169 
170  const uint16_t workfactor = to_uint16(hash.substr(4, 2));
171 
172  const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
173  if(salt.size() != 16)
174  return false;
175 
176  const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
177 
178  return same_mem(hash.data(), compare.data(), compare.size());
179  }
uint16_t to_uint16(const std::string &str)
Definition: parsing.cpp:25
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:217
MechanismType hash
bool Botan::check_passhash9 ( const std::string &  password,
const std::string &  hash 
)

Check a previously created password hash

Parameters
passwordthe password to check against
hashthe stored hash to check against

Definition at line 78 of file passhash9.cpp.

References base64_decode(), Botan::OctetString::bits_of(), constant_time_compare(), Botan::PBKDF::derive_key(), load_be< uint16_t >(), and Botan::ASN1::to_string().

79  {
80  const size_t BINARY_LENGTH =
81  ALGID_BYTES +
82  WORKFACTOR_BYTES +
83  PASSHASH9_PBKDF_OUTPUT_LEN +
84  SALT_BYTES;
85 
86  const size_t BASE64_LENGTH =
87  MAGIC_PREFIX.size() + (BINARY_LENGTH * 8) / 6;
88 
89  if(hash.size() != BASE64_LENGTH)
90  return false;
91 
92  for(size_t i = 0; i != MAGIC_PREFIX.size(); ++i)
93  if(hash[i] != MAGIC_PREFIX[i])
94  return false;
95 
96  secure_vector<uint8_t> bin = base64_decode(hash.c_str() + MAGIC_PREFIX.size());
97 
98  if(bin.size() != BINARY_LENGTH)
99  return false;
100 
101  uint8_t alg_id = bin[0];
102 
103  const size_t work_factor = load_be<uint16_t>(&bin[ALGID_BYTES], 0);
104 
105  // Bug in the format, bad states shouldn't be representable, but are...
106  if(work_factor == 0)
107  return false;
108 
109  if(work_factor > 512)
110  throw Invalid_Argument("Requested passhash9 work factor " +
111  std::to_string(work_factor) + " is too large");
112 
113  const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
114 
115  std::unique_ptr<MessageAuthenticationCode> pbkdf_prf = get_pbkdf_prf(alg_id);
116 
117  if(!pbkdf_prf)
118  return false; // unknown algorithm, reject
119 
120  PKCS5_PBKDF2 kdf(pbkdf_prf.release()); // takes ownership of pointer
121 
122  secure_vector<uint8_t> cmp = kdf.derive_key(
123  PASSHASH9_PBKDF_OUTPUT_LEN,
124  pass,
125  &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES,
126  kdf_iterations).bits_of();
127 
128  return constant_time_compare(cmp.data(),
129  &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES],
130  PASSHASH9_PBKDF_OUTPUT_LEN);
131  }
uint16_t load_be< uint16_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:139
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.h:82
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition: base64.cpp:200
MechanismType hash
bool Botan::check_prime ( const BigInt n,
RandomNumberGenerator rng 
)
inline

Definition at line 202 of file numthry.h.

References is_prime().

203  { return is_prime(n, rng, 56); }
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:228
size_t Botan::checked_add ( size_t  x,
size_t  y,
const char *  file,
int  line 
)
inline

Definition at line 26 of file safeint.h.

27  {
28  // TODO: use __builtin_x_overflow on GCC and Clang
29  size_t z = x + y;
30  if(z < x)
31  {
32  throw Integer_Overflow_Detected(file, line);
33  }
34  return z;
35  }
PK_Signer * Botan::choose_sig_format ( const Private_Key key,
RandomNumberGenerator rng,
const std::string &  hash_fn,
AlgorithmIdentifier alg_id 
)

Choose the default signature format for a certain public key signature scheme.

Parameters
keywill be the key to choose a padding scheme for
rngthe random generator to use
hash_fnis the desired hash function
alg_idwill be set to the chosen scheme
Returns
A PK_Signer object for generating signatures

Definition at line 318 of file x509_ca.cpp.

References Botan::X509_Object::choose_sig_format().

Referenced by Botan::X509::create_self_signed_cert(), and Botan::X509_CA::X509_CA().

322  {
323  return X509_Object::choose_sig_format(sig_algo, key, rng, hash_fn, "").release();
324  }
PK_Signer * choose_sig_format(const Private_Key &key, const std::map< std::string, std::string > &opts, RandomNumberGenerator &rng, const std::string &hash_fn, AlgorithmIdentifier &sig_algo)
Definition: x509_ca.cpp:326
PK_Signer * Botan::choose_sig_format ( const Private_Key key,
const std::map< std::string, std::string > &  opts,
RandomNumberGenerator rng,
const std::string &  hash_fn,
AlgorithmIdentifier alg_id 
)
* Choose the default signature format for a certain public key signature
* scheme.
*
* The only option recognized by opts at this moment is "padding"
* Find an entry from src/build-data/oids.txt under [signature] of the form
* <sig_algo>/<padding>[(<hash_algo>)] and add {"padding",<padding>}
* to opts.
* 
Parameters
keywill be the key to choose a padding scheme for
optscontains additional options for building the certificate
rngthe random generator to use
hash_fnis the desired hash function
alg_idwill be set to the chosen scheme
Returns
A PK_Signer object for generating signatures

Definition at line 326 of file x509_ca.cpp.

References Botan::X509_Object::choose_sig_format().

331  {
332  std::string padding;
333  if(opts.count("padding"))
334  padding = opts.at("padding");
335  return X509_Object::choose_sig_format(sig_algo, key, rng, hash_fn, padding).release();
336  }
PK_Signer * choose_sig_format(const Private_Key &key, const std::map< std::string, std::string > &opts, RandomNumberGenerator &rng, const std::string &hash_fn, AlgorithmIdentifier &sig_algo)
Definition: x509_ca.cpp:326
size_t Botan::clamp ( size_t  n,
size_t  lower_bound,
size_t  upper_bound 
)
inline

Clamp

Definition at line 45 of file rounding.h.

46  {
47  if(n < lower_bound)
48  return lower_bound;
49  if(n > upper_bound)
50  return upper_bound;
51  return n;
52  }
std::string Botan::clean_ws ( const std::string &  s)

Definition at line 13 of file read_cfg.cpp.

Referenced by read_cfg().

14  {
15  const char* ws = " \t\n";
16  auto start = s.find_first_not_of(ws);
17  auto end = s.find_last_not_of(ws);
18 
19  if(start == std::string::npos)
20  return "";
21 
22  if(end == std::string::npos)
23  return s.substr(start, end);
24  else
25  return s.substr(start, start + end + 1);
26  }
void Botan::clear_bytes ( void *  ptr,
size_t  bytes 
)
inline

Zero out some bytes. Warning: use secure_scrub_memory instead if the memory is about to be freed or otherwise the compiler thinks it can elide the writes.

Parameters
ptra pointer to memory to zero
bytesthe number of bytes to zero in ptr

Definition at line 97 of file mem_ops.h.

Referenced by clear_mem(), and Botan::Memory_Pool::Memory_Pool().

98  {
99  if(bytes > 0)
100  {
101  std::memset(ptr, 0, bytes);
102  }
103  }
template<typename T >
void Botan::clear_mem ( T ptr,
size_t  n 
)
inline

Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation (for example, if calling clear_mem before deallocating memory, the compiler would be allowed to omit the call to memset entirely under the as-if rule.)

Parameters
ptra pointer to an array of Ts to zero
nthe number of Ts pointed to by ptr

Definition at line 115 of file mem_ops.h.

References clear_bytes(), and T.

Referenced by aont_package(), argon2(), base_decode(), bcrypt_pbkdf(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_mul(), bigint_shl1(), bigint_shr1(), bigint_sqr(), Botan::BigInt::const_time_lookup(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open(), Botan::BigInt::ct_reduce_below(), Botan::ZFEC::encode_shares(), Botan::BigInt::encode_words(), Botan::FE_25519::FE_25519(), Botan::Streebog::final_result(), Botan::MDx_HashFunction::final_result(), hex_decode(), Botan::PKCS11::MechanismWrapper::MechanismParameters::MechanismParameters(), Botan::PointGFp_Var_Point_Precompute::mul(), pbkdf2(), redc_p521(), Botan::Modular_Reducer::reduce(), Botan::BigInt::reduce_below(), Botan::BigInt::rev_sub(), Botan::polyn_gf2m::set_to_zero(), Botan::polyn_gf2m::sqmod_init(), Botan::StreamCipher::write_keystream(), Botan_FFI::write_output(), zeroise(), Botan::Zlib_Style_Stream< Stream, ByteType >::Zlib_Style_Stream(), and Botan::Zlib_Style_Stream< Stream, ByteType >::~Zlib_Style_Stream().

116  {
117  clear_bytes(ptr, sizeof(T)*n);
118  }
void clear_bytes(void *ptr, size_t bytes)
Definition: mem_ops.h:97
fe T
Definition: ge.cpp:37
uint64_t Botan::combine_lower ( const donna128 a,
size_t  s1,
const donna128 b,
size_t  s2 
)
inline

Definition at line 121 of file donna128.h.

References Botan::donna128::lo().

123  {
124  donna128 z = (a >> s1) | (b << s2);
125  return z.lo();
126  }
void Botan::commoncrypto_adjust_key_size ( const uint8_t  key[],
size_t  length,
const CommonCryptor_Opts opts,
secure_vector< uint8_t > &  full_key 
)

Definition at line 162 of file commoncrypto_utils.cpp.

References Botan::CommonCryptor_Opts::algo, and copy_mem().

164  {
165 
166  if(opts.algo == kCCAlgorithmBlowfish && length < 8)
167  {
168  size_t repeat;
169  switch(length)
170  {
171  case 1:
172  repeat = 8;
173  break;
174  case 2:
175  repeat = 4;
176  break;
177  case 3:
178  repeat = 3;
179  break;
180  default:
181  repeat = 2;
182  break;
183  }
184 
185  full_key.resize(length * repeat);
186  for(size_t i = 0; i < repeat; i++)
187  {
188  copy_mem(full_key.data() + i * length, key, length);
189  }
190  }
191  else if(opts.algo == kCCAlgorithm3DES && length == 16)
192  {
193  full_key += std::make_pair(key, 8);
194  }
195  }
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
CommonCryptor_Opts Botan::commoncrypto_opts_from_algo ( const std::string &  algo)

Definition at line 111 of file commoncrypto_utils.cpp.

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::cipher_mode(), Botan::SCAN_Name::cipher_mode_pad(), commoncrypto_opts_from_algo_name(), Botan::CommonCryptor_Opts::mode, and Botan::CommonCryptor_Opts::padding.

Referenced by make_commoncrypto_cipher_mode().

112  {
113  SCAN_Name spec(algo);
114 
115  std::string algo_name = spec.algo_name();
116  std::string cipher_mode = spec.cipher_mode();
117  std::string cipher_mode_padding = spec.cipher_mode_pad();
118 
119  CommonCryptor_Opts opts = commoncrypto_opts_from_algo_name(algo_name);
120 
121  //TODO add CFB and XTS support
122  if(cipher_mode.empty() || cipher_mode == "ECB")
123  {
124  opts.mode = kCCModeECB;
125  }
126  else if(cipher_mode == "CBC")
127  {
128  opts.mode = kCCModeCBC;
129  }
130  else if(cipher_mode == "CTR")
131  {
132  opts.mode = kCCModeCTR;
133  }
134  else if(cipher_mode == "OFB")
135  {
136  opts.mode = kCCModeOFB;
137  }
138  else
139  {
140  throw CommonCrypto_Error("Unsupported cipher mode!");
141  }
142 
143  if(cipher_mode_padding == "NoPadding")
144  {
145  opts.padding = ccNoPadding;
146  }
147  /*
148  else if(cipher_mode_padding.empty() || cipher_mode_padding == "PKCS7")
149  {
150  opts.padding = ccPKCS7Padding;
151  }
152  */
153  else
154  {
155  throw CommonCrypto_Error("Unsupported cipher mode padding!");
156  }
157 
158  return opts;
159  }
CommonCryptor_Opts commoncrypto_opts_from_algo_name(const std::string &algo_name)
CommonCryptor_Opts Botan::commoncrypto_opts_from_algo_name ( const std::string &  algo_name)

Definition at line 51 of file commoncrypto_utils.cpp.

References Botan::CommonCryptor_Opts::algo, Botan::CommonCryptor_Opts::block_size, and Botan::CommonCryptor_Opts::key_spec.

Referenced by commoncrypto_opts_from_algo(), and make_commoncrypto_block_cipher().

52  {
53  CommonCryptor_Opts opts;
54 
55  if(algo_name.compare(0, 3, "AES") == 0)
56  {
57  opts.algo = kCCAlgorithmAES;
58  opts.block_size = kCCBlockSizeAES128;
59  if(algo_name == "AES-128")
60  {
61  opts.key_spec = Key_Length_Specification(kCCKeySizeAES128);
62  }
63  else if(algo_name == "AES-192")
64  {
65  opts.key_spec = Key_Length_Specification(kCCKeySizeAES192);
66  }
67  else if(algo_name == "AES-256")
68  {
69  opts.key_spec = Key_Length_Specification(kCCKeySizeAES256);
70  }
71  else
72  {
73  throw CommonCrypto_Error("Unknown AES algorithm");
74  }
75  }
76  else if(algo_name == "DES")
77  {
78  opts.algo = kCCAlgorithmDES;
79  opts.block_size = kCCBlockSizeDES;
80  opts.key_spec = Key_Length_Specification(kCCKeySizeDES);
81  }
82  else if(algo_name == "TripleDES")
83  {
84  opts.algo = kCCAlgorithm3DES;
85  opts.block_size = kCCBlockSize3DES;
86  opts.key_spec = Key_Length_Specification(16, kCCKeySize3DES, 8);
87  }
88  else if(algo_name == "Blowfish")
89  {
90  opts.algo = kCCAlgorithmBlowfish;
91  opts.block_size = kCCBlockSizeBlowfish;
92  opts.key_spec = Key_Length_Specification(1, kCCKeySizeMaxBlowfish, 1);
93  }
94  else if(algo_name == "CAST-128")
95  {
96  opts.algo = kCCAlgorithmCAST;
97  opts.block_size = kCCBlockSizeCAST;
98  // Botan's base implementation of CAST does not support shorter keys
99  // so we limit its minimum key size to 11 here.
100  opts.key_spec = Key_Length_Specification(11, kCCKeySizeMaxCAST, 1);
101  }
102  else
103  {
104  throw CommonCrypto_Error("Unsupported cipher");
105  }
106 
107  return opts;
108  }
bool Botan::constant_time_compare ( const uint8_t  x[],
const uint8_t  y[],
size_t  len 
)
inline
template<typename T >
void Botan::copy_mem ( T out,
const T in,
size_t  n 
)
inline

Copy memory

Parameters
outthe destination array
inthe source array
nthe number of elements of in/out

Definition at line 133 of file mem_ops.h.

References BOTAN_ASSERT_IMPLICATION, T, and type.

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), aont_package(), aont_unpackage(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), botan_cipher_update(), botan_privkey_ed25519_get_privkey(), botan_privkey_x25519_get_privkey(), botan_pubkey_ed25519_get_pubkey(), botan_pubkey_x25519_get_pubkey(), buffer_insert(), commoncrypto_adjust_key_size(), Botan::Streebog::compress_64(), Botan::Sodium::crypto_auth_hmacsha512256(), Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_seed_keypair(), curve25519_donna(), ed25519_gen_keypair(), Botan::BigInt::encode(), Botan::BigInt::encode_words(), Botan::CryptoBox::encrypt(), Botan::FE_25519::FE_25519(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), Botan::TLS::Stream_Handshake_IO::format(), Botan::CCM_Mode::format_b0(), Botan::CCM_Mode::format_c0(), Botan::TPM_Context::gen_random(), Botan::BER_Decoder::get_next_value(), Botan::GHASH::ghash_update(), hkdf_expand_label(), Botan::KDF1::kdf(), Botan::KDF1_18033::kdf(), Botan::KDF2::kdf(), Botan::X942_PRF::kdf(), Botan::SP800_108_Counter::kdf(), Botan::HKDF_Extract::kdf(), Botan::SP800_108_Feedback::kdf(), Botan::HKDF_Expand::kdf(), Botan::SP800_108_Pipeline::kdf(), mceies_encrypt(), mceliece_decrypt(), Botan::Montgomery_Params::mul_by(), nist_key_unwrap_padded(), nist_key_wrap_padded(), operator^(), Botan::PKCS5_PBKDF1::pbkdf(), Botan::DataSource_Memory::peek(), Botan::CFB_Encryption::process(), Botan::CBC_Decryption::process(), Botan::DataSource_Memory::read(), Botan::Blowfish::salted_set_key(), Botan::CTR_BE::seek(), Botan::TLS::Session_Keys::Session_Keys(), Botan::CFB_Mode::shift_register(), Botan::RTSS_Share::split(), Botan::polyn_gf2m::sqmod_init(), Botan::Montgomery_Params::square_this(), Botan::Buffered_Filter::write(), Botan::Base64_Encoder::write(), Botan::Base64_Decoder::write(), Botan::Hex_Encoder::write(), Botan::Hex_Decoder::write(), Botan::ChaCha::write_keystream(), and Botan_FFI::write_output().

134  {
135  static_assert(std::is_trivial<typename std::decay<T>::type>::value, "");
136  BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr,
137  "If n > 0 then args are not null");
138 
139  if(in != nullptr && out != nullptr && n > 0)
140  {
141  std::memmove(out, in, sizeof(T)*n);
142  }
143  }
MechanismType type
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
Definition: assert.h:94
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::copy_out_be ( uint8_t  out[],
size_t  out_bytes,
const T  in[] 
)

Definition at line 658 of file loadstor.h.

References get_byte(), store_be(), and T.

Referenced by copy_out_vec_be().

659  {
660  while(out_bytes >= sizeof(T))
661  {
662  store_be(in[0], out);
663  out += sizeof(T);
664  out_bytes -= sizeof(T);
665  in += 1;
666  }
667 
668  for(size_t i = 0; i != out_bytes; ++i)
669  out[i] = get_byte(i%8, in[0]);
670  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
fe T
Definition: ge.cpp:37
void store_be(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:644
template<typename T >
void Botan::copy_out_le ( uint8_t  out[],
size_t  out_bytes,
const T  in[] 
)

Definition at line 679 of file loadstor.h.

References get_byte(), store_le(), and T.

Referenced by Botan::SHAKE_128_Cipher::cipher(), copy_out_vec_le(), and Botan::Sodium::crypto_core_hsalsa20().

680  {
681  while(out_bytes >= sizeof(T))
682  {
683  store_le(in[0], out);
684  out += sizeof(T);
685  out_bytes -= sizeof(T);
686  in += 1;
687  }
688 
689  for(size_t i = 0; i != out_bytes; ++i)
690  out[i] = get_byte(sizeof(T) - 1 - (i % 8), in[0]);
691  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void store_le(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:618
fe T
Definition: ge.cpp:37
template<typename T , typename Alloc >
void Botan::copy_out_vec_be ( uint8_t  out[],
size_t  out_bytes,
const std::vector< T, Alloc > &  in 
)

Definition at line 673 of file loadstor.h.

References copy_out_be().

674  {
675  copy_out_be(out, out_bytes, in.data());
676  }
void copy_out_be(uint8_t out[], size_t out_bytes, const T in[])
Definition: loadstor.h:658
template<typename T , typename Alloc >
void Botan::copy_out_vec_le ( uint8_t  out[],
size_t  out_bytes,
const std::vector< T, Alloc > &  in 
)

Definition at line 694 of file loadstor.h.

References copy_out_le().

Referenced by Botan::SHA_3::expand().

695  {
696  copy_out_le(out, out_bytes, in.data());
697  }
void copy_out_le(uint8_t out[], size_t out_bytes, const T in[])
Definition: loadstor.h:679
AlternativeName Botan::create_alt_name ( const Data_Store info)

Definition at line 186 of file datastor.cpp.

References Botan::AlternativeName::add_attribute(), and Botan::Data_Store::search_for().

187  {
188  auto names = info.search_for(
189  [](const std::string& key, const std::string&)
190  {
191  return (key == "RFC822" ||
192  key == "DNS" ||
193  key == "URI" ||
194  key == "IP");
195  });
196 
197  AlternativeName alt_name;
198 
199  for(auto i = names.begin(); i != names.end(); ++i)
200  alt_name.add_attribute(i->first, i->second);
201 
202  return alt_name;
203  }
X509_DN Botan::create_dn ( const Data_Store info)

Definition at line 167 of file datastor.cpp.

References Botan::X509_DN::add_attribute(), and Botan::Data_Store::search_for().

168  {
169  auto names = info.search_for(
170  [](const std::string& key, const std::string&)
171  {
172  return (key.find("X520.") != std::string::npos);
173  });
174 
175  X509_DN dn;
176 
177  for(auto i = names.begin(); i != names.end(); ++i)
178  dn.add_attribute(i->first, i->second);
179 
180  return dn;
181  }
std::string Botan::create_hex_fingerprint ( const uint8_t  bits[],
size_t  bits_len,
const std::string &  hash_name 
)

Definition at line 17 of file pk_keys.cpp.

References Botan::HashFunction::create_or_throw(), and hex_encode().

Referenced by create_hex_fingerprint(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and Botan::Public_Key::fingerprint_public().

20  {
21  std::unique_ptr<HashFunction> hash_fn(HashFunction::create_or_throw(hash_name));
22  const std::string hex_hash = hex_encode(hash_fn->process(bits, bits_len));
23 
24  std::string fprint;
25 
26  for(size_t i = 0; i != hex_hash.size(); i += 2)
27  {
28  if(i != 0)
29  fprint.push_back(':');
30 
31  fprint.push_back(hex_hash[i]);
32  fprint.push_back(hex_hash[i+1]);
33  }
34 
35  return fprint;
36  }
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:31
template<typename Alloc >
std::string Botan::create_hex_fingerprint ( const std::vector< uint8_t, Alloc > &  vec,
const std::string &  hash_name 
)

Definition at line 320 of file pk_keys.h.

References create_hex_fingerprint().

322  {
323  return create_hex_fingerprint(vec.data(), vec.size(), hash_name);
324  }
std::string create_hex_fingerprint(const std::vector< uint8_t, Alloc > &vec, const std::string &hash_name)
Definition: pk_keys.h:320
std::unique_ptr< Private_Key > Botan::create_private_key ( const std::string &  algo_name,
RandomNumberGenerator rng,
const std::string &  algo_params = "",
const std::string &  provider = "" 
)

Create a new key For ECC keys, algo_params specifies EC group (eg, "secp256r1") For DH/DSA/ElGamal keys, algo_params is DL group (eg, "modp/ietf/2048") For RSA, algo_params is integer keylength For McEliece, algo_params is n,t If algo_params is left empty, suitable default parameters are chosen.

Definition at line 264 of file pk_algs.cpp.

References BOTAN_UNUSED, split_on(), and to_u32bit().

Referenced by botan_privkey_create().

268  {
269  /*
270  * Default paramaters are chosen for work factor > 2**128 where possible
271  */
272 
273 #if defined(BOTAN_HAS_CURVE_25519)
274  if(alg_name == "Curve25519")
275  return std::unique_ptr<Private_Key>(new Curve25519_PrivateKey(rng));
276 #endif
277 
278 #if defined(BOTAN_HAS_RSA)
279  if(alg_name == "RSA")
280  {
281  const size_t rsa_bits = (params.empty() ? 3072 : to_u32bit(params));
282 #if defined(BOTAN_HAS_OPENSSL)
283  if(provider.empty() || provider == "openssl")
284  {
285  std::unique_ptr<Botan::Private_Key> pk;
286  if((pk = make_openssl_rsa_private_key(rng, rsa_bits)))
287  return pk;
288 
289  if(!provider.empty())
290  return nullptr;
291  }
292 #endif
293  return std::unique_ptr<Private_Key>(new RSA_PrivateKey(rng, rsa_bits));
294  }
295 #endif
296 
297 #if defined(BOTAN_HAS_MCELIECE)
298  if(alg_name == "McEliece")
299  {
300  std::vector<std::string> mce_param =
301  Botan::split_on(params.empty() ? "2960,57" : params, ',');
302 
303  if(mce_param.size() != 2)
304  throw Invalid_Argument("create_private_key bad McEliece parameters " + params);
305 
306  size_t mce_n = Botan::to_u32bit(mce_param[0]);
307  size_t mce_t = Botan::to_u32bit(mce_param[1]);
308 
309  return std::unique_ptr<Botan::Private_Key>(new Botan::McEliece_PrivateKey(rng, mce_n, mce_t));
310  }
311 #endif
312 
313 #if defined(BOTAN_HAS_XMSS_RFC8391)
314  if(alg_name == "XMSS")
315  {
316  return std::unique_ptr<Private_Key>(
317  new XMSS_PrivateKey(XMSS_Parameters(params.empty() ? "XMSS-SHA2_10_512" : params).oid(), rng));
318  }
319 #endif
320 
321 #if defined(BOTAN_HAS_ED25519)
322  if(alg_name == "Ed25519")
323  {
324  return std::unique_ptr<Private_Key>(new Ed25519_PrivateKey(rng));
325  }
326 #endif
327 
328  // ECC crypto
329 #if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
330 
331  if(alg_name == "ECDSA" ||
332  alg_name == "ECDH" ||
333  alg_name == "ECKCDSA" ||
334  alg_name == "ECGDSA" ||
335  alg_name == "SM2" ||
336  alg_name == "SM2_Sig" ||
337  alg_name == "SM2_Enc" ||
338  alg_name == "GOST-34.10" ||
339  alg_name == "GOST-34.10-2012-256" ||
340  alg_name == "GOST-34.10-2012-512")
341  {
342  const EC_Group ec_group(params.empty() ? default_ec_group_for(alg_name) : params);
343 
344 #if defined(BOTAN_HAS_ECDSA)
345  if(alg_name == "ECDSA")
346  return std::unique_ptr<Private_Key>(new ECDSA_PrivateKey(rng, ec_group));
347 #endif
348 
349 #if defined(BOTAN_HAS_ECDH)
350  if(alg_name == "ECDH")
351  return std::unique_ptr<Private_Key>(new ECDH_PrivateKey(rng, ec_group));
352 #endif
353 
354 #if defined(BOTAN_HAS_ECKCDSA)
355  if(alg_name == "ECKCDSA")
356  return std::unique_ptr<Private_Key>(new ECKCDSA_PrivateKey(rng, ec_group));
357 #endif
358 
359 #if defined(BOTAN_HAS_GOST_34_10_2001)
360  if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512")
361  return std::unique_ptr<Private_Key>(new GOST_3410_PrivateKey(rng, ec_group));
362 #endif
363 
364 #if defined(BOTAN_HAS_SM2)
365  if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc")
366  return std::unique_ptr<Private_Key>(new SM2_PrivateKey(rng, ec_group));
367 #endif
368 
369 #if defined(BOTAN_HAS_ECGDSA)
370  if(alg_name == "ECGDSA")
371  return std::unique_ptr<Private_Key>(new ECGDSA_PrivateKey(rng, ec_group));
372 #endif
373  }
374 #endif
375 
376  // DL crypto
377 #if defined(BOTAN_HAS_DL_GROUP)
378  if(alg_name == "DH" || alg_name == "DSA" || alg_name == "ElGamal")
379  {
380  std::string default_group = (alg_name == "DSA") ? "dsa/botan/2048" : "modp/ietf/2048";
381  DL_Group modp_group(params.empty() ? default_group : params);
382 
383 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
384  if(alg_name == "DH")
385  return std::unique_ptr<Private_Key>(new DH_PrivateKey(rng, modp_group));
386 #endif
387 
388 #if defined(BOTAN_HAS_DSA)
389  if(alg_name == "DSA")
390  return std::unique_ptr<Private_Key>(new DSA_PrivateKey(rng, modp_group));
391 #endif
392 
393 #if defined(BOTAN_HAS_ELGAMAL)
394  if(alg_name == "ElGamal")
395  return std::unique_ptr<Private_Key>(new ElGamal_PrivateKey(rng, modp_group));
396 #endif
397  }
398 #endif
399 
400  BOTAN_UNUSED(alg_name, rng, params, provider);
401 
402  return std::unique_ptr<Private_Key>();
403  }
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
uint32_t to_u32bit(const std::string &str)
Definition: parsing.cpp:35
#define BOTAN_UNUSED(...)
Definition: assert.h:142
uint8_t Botan::ct_compare_u8 ( const uint8_t  x[],
const uint8_t  y[],
size_t  len 
)

Memory comparison, input insensitive

Parameters
xa pointer to an array
ya pointer to another array
lenthe number of Ts in x and y
Returns
0xFF iff x[i] == y[i] forall i in [0...n) or 0x00 otherwise

Definition at line 56 of file mem_ops.cpp.

References Botan::CT::Mask< T >::is_zero().

Referenced by constant_time_compare(), and oaep_find_delim().

59  {
60  volatile uint8_t difference = 0;
61 
62  for(size_t i = 0; i != len; ++i)
63  difference |= (x[i] ^ y[i]);
64 
65  return CT::Mask<uint8_t>::is_zero(difference).value();
66  }
void Botan::ct_divide ( const BigInt x,
const BigInt y,
BigInt q,
BigInt r 
)

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 52 of file divide.cpp.

References bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::data(), Botan::BigInt::get_bit(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), and Botan::BigInt::size().

Referenced by Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), lcm(), and Botan::Modular_Reducer::Modular_Reducer().

53  {
54  const size_t x_words = x.sig_words();
55  const size_t y_words = y.sig_words();
56 
57  const size_t x_bits = x.bits();
58 
59  BigInt q(BigInt::Positive, x_words);
60  BigInt r(BigInt::Positive, y_words);
61  BigInt t(BigInt::Positive, y_words); // a temporary
62 
63  for(size_t i = 0; i != x_bits; ++i)
64  {
65  const size_t b = x_bits - 1 - i;
66  const bool x_b = x.get_bit(b);
67 
68  r *= 2;
69  r.conditionally_set_bit(0, x_b);
70 
71  const bool r_gte_y = bigint_sub3(t.mutable_data(), r.data(), r.size(), y.data(), y_words) == 0;
72 
73  q.conditionally_set_bit(b, r_gte_y);
74  r.ct_cond_swap(r_gte_y, t);
75  }
76 
77  sign_fixup(x, y, q, r);
78  r_out = r;
79  q_out = q;
80  }
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
BigInt Botan::ct_divide ( const BigInt x,
const BigInt y 
)
inline

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
Returns
x/y with remainder discarded

Definition at line 63 of file divide.h.

Referenced by divide().

64  {
65  BigInt q, r;
66  ct_divide(x, y, q, r);
67  return q;
68  }
BigInt ct_divide(const BigInt &x, const BigInt &y)
Definition: divide.h:63
void Botan::ct_divide_u8 ( const BigInt x,
uint8_t  y,
BigInt q,
uint8_t &  r 
)

BigInt division, const time variant

This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 82 of file divide.cpp.

References Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::flip_sign(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), Botan::BigInt::is_negative(), Botan::BigInt::Positive, and Botan::BigInt::sig_words().

Referenced by operator/(), and Botan::BigInt::to_dec_string().

83  {
84  const size_t x_words = x.sig_words();
85  const size_t x_bits = x.bits();
86 
87  BigInt q(BigInt::Positive, x_words);
88  uint32_t r = 0;
89 
90  for(size_t i = 0; i != x_bits; ++i)
91  {
92  const size_t b = x_bits - 1 - i;
93  const bool x_b = x.get_bit(b);
94 
95  r *= 2;
96  r += x_b;
97 
98  const auto r_gte_y = CT::Mask<uint32_t>::is_gte(r, y);
99 
100  q.conditionally_set_bit(b, r_gte_y.is_set());
101  r = r_gte_y.select(r - y, r);
102  }
103 
104  if(x.is_negative())
105  {
106  q.flip_sign();
107  if(r != 0)
108  {
109  --q;
110  r = y - r;
111  }
112  }
113 
114  r_out = static_cast<uint8_t>(r);
115  q_out = q;
116  }
BigInt Botan::ct_inverse_mod_odd_modulus ( const BigInt x,
const BigInt modulus 
)

Deprecated modular inversion function. Use inverse_mod instead.

Definition at line 322 of file mod_inv.cpp.

323  {
324  return inverse_mod_odd_modulus(n, mod);
325  }
template<typename T >
T Botan::ct_is_zero ( T  x)
inline

If arg is zero, return ~0. Otherwise return 0

Definition at line 32 of file bit_ops.h.

Referenced by ctz(), high_bit(), and significant_bytes().

33  {
34  return expand_top_bit<T>(~x & (x - 1));
35  }
BigInt Botan::ct_modulo ( const BigInt x,
const BigInt modulo 
)

BigInt modulo, const time variant

Using this function is (slightly) cheaper than calling ct_divide and using only the remainder.

Parameters
xa non-negative integer
moduloa positive integer
Returns
result x % modulo

Definition at line 118 of file divide.cpp.

References bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::data(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), and Botan::BigInt::size().

Referenced by Botan::RSA_PrivateKey::check_key(), inverse_mod(), Botan::Modular_Reducer::reduce(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

119  {
120  if(y.is_negative() || y.is_zero())
121  throw Invalid_Argument("ct_modulo requires y > 0");
122 
123  const size_t y_words = y.sig_words();
124 
125  const size_t x_bits = x.bits();
126 
127  BigInt r(BigInt::Positive, y_words);
128  BigInt t(BigInt::Positive, y_words);
129 
130  for(size_t i = 0; i != x_bits; ++i)
131  {
132  const size_t b = x_bits - 1 - i;
133  const bool x_b = x.get_bit(b);
134 
135  r *= 2;
136  r.conditionally_set_bit(0, x_b);
137 
138  const bool r_gte_y = bigint_sub3(t.mutable_data(), r.data(), r.size(), y.data(), y_words) == 0;
139 
140  r.ct_cond_swap(r_gte_y, t);
141  }
142 
143  if(x.is_negative())
144  {
145  if(r.is_nonzero())
146  {
147  r = y - r;
148  }
149  }
150 
151  return r;
152  }
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342
template<typename T >
size_t Botan::ctz ( T  n)
inline

Count the trailing zero bits in n

Parameters
nan integer value
Returns
maximum x st 2^x divides n

Definition at line 99 of file bit_ops.h.

References ct_is_zero(), and T.

Referenced by low_zero_bits().

100  {
101  /*
102  * If n == 0 then this function will compute 8*sizeof(T)-1, so
103  * initialize lb to 1 if n == 0 to produce the expected result.
104  */
105  size_t lb = ct_is_zero(n) & 1;
106 
107  for(size_t s = 8*sizeof(T) / 2; s > 0; s /= 2)
108  {
109  const T mask = (static_cast<T>(1) << s) - 1;
110  const size_t z = s * (ct_is_zero(n & mask) & 1);
111  lb += z;
112  n >>= z;
113  }
114 
115  return lb;
116  }
T ct_is_zero(T x)
Definition: bit_ops.h:32
fe T
Definition: ge.cpp:37
void Botan::curve25519_basepoint ( uint8_t  mypublic[32],
const uint8_t  secret[32] 
)

Exponentiate by the x25519 base point

Parameters
mypublicoutput value
secretrandom scalar

Definition at line 16 of file curve25519.cpp.

References curve25519_donna().

Referenced by CECPQ1_accept(), CECPQ1_offer(), Botan::Curve25519_PrivateKey::check_key(), Botan::Sodium::crypto_scalarmult_curve25519_base(), and Botan::Curve25519_PrivateKey::Curve25519_PrivateKey().

17  {
18  const uint8_t basepoint[32] = { 9 };
19  curve25519_donna(mypublic, secret, basepoint);
20  }
void curve25519_donna(uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32])
Definition: donna.cpp:440
void Botan::curve25519_donna ( uint8_t  mypublic[32],
const uint8_t  secret[32],
const uint8_t  basepoint[32] 
)

Definition at line 440 of file donna.cpp.

References copy_mem(), Botan::CT::poison(), and Botan::CT::unpoison().

Referenced by CECPQ1_accept(), CECPQ1_finish(), Botan::Sodium::crypto_scalarmult_curve25519(), and curve25519_basepoint().

441  {
442  CT::poison(secret, 32);
443  CT::poison(basepoint, 32);
444 
445  uint64_t bp[5], x[5], z[5], zmone[5];
446  uint8_t e[32];
447 
448  copy_mem(e, secret, 32);
449  e[ 0] &= 248;
450  e[31] &= 127;
451  e[31] |= 64;
452 
453  fexpand(bp, basepoint);
454  cmult(x, z, e, bp);
455  crecip(zmone, z);
456  fmul(z, x, zmone);
457  fcontract(mypublic, z);
458 
459  CT::unpoison(secret, 32);
460  CT::unpoison(basepoint, 32);
461  CT::unpoison(mypublic, 32);
462  }
void poison(const T *p, size_t n)
Definition: ct_utils.h:48
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void Botan::deallocate_memory ( void *  p,
size_t  elems,
size_t  elem_size 
)

Free a pointer returned by allocate_memory

Parameters
pthe pointer returned by allocate_memory
elemsthe number of elements, as passed to allocate_memory
elem_sizethe size of each element, as passed to allocate_memory

Definition at line 34 of file mem_ops.cpp.

References Botan::mlock_allocator::instance(), and secure_scrub_memory().

Referenced by Botan::secure_allocator< T >::deallocate().

35  {
36  if(p == nullptr)
37  return;
38 
39  secure_scrub_memory(p, elems * elem_size);
40 
41 #if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
42  if(mlock_allocator::instance().deallocate(p, elems, elem_size))
43  return;
44 #endif
45 
46  std::free(p);
47  }
void secure_scrub_memory(void *ptr, size_t n)
Definition: os_utils.cpp:66
gf2m Botan::decode_gf2m ( const uint8_t *  mem)

Definition at line 103 of file gf2m_small_m.cpp.

Referenced by Botan::polyn_gf2m::polyn_gf2m().

104  {
105  gf2m result;
106  result = mem[0] << 8;
107  result |= mem[1];
108  return result;
109  }
uint16_t gf2m
Definition: gf2m_small_m.h:22
void Botan::divide ( const BigInt x,
const BigInt y,
BigInt q,
BigInt r 
)
inline

Definition at line 45 of file divide.h.

References ct_divide().

49  {
50  ct_divide(x, y, q, r);
51  }
BigInt ct_divide(const BigInt &x, const BigInt &y)
Definition: divide.h:63
size_t Botan::dl_exponent_size ( size_t  prime_group_size)

Return the appropriate exponent size to use for a particular prime group. This is twice the size of the estimated cost of breaking the key using an index calculus attack; the assumption is that if an arbitrary discrete log on a group of size bits would take about 2^n effort, and thus using an exponent of size 2^(2*n) implies that all available attacks are about as easy (as e.g Pollard's kangaroo algorithm can compute the DL in sqrt(x) operations) while minimizing the exponent size for performance reasons.

Definition at line 52 of file workfactor.cpp.

Referenced by Botan::DL_Group::DL_Group().

53  {
54  /*
55  This uses a slightly tweaked version of the standard work factor
56  function above. It assumes k is 1 (thus overestimating the strength
57  of the prime group by 5-6 bits), and always returns at least 128 bits
58  (this only matters for very small primes).
59  */
60  const size_t min_workfactor = 64;
61  const double log2_k = 0;
62 
63  return 2 * std::max<size_t>(min_workfactor, nfs_workfactor(bits, log2_k));
64  }
size_t Botan::dl_work_factor ( size_t  prime_group_size)

Estimate work factor for discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 46 of file workfactor.cpp.

References if_work_factor().

47  {
48  // Lacking better estimates...
49  return if_work_factor(bits);
50  }
size_t if_work_factor(size_t bits)
Definition: workfactor.cpp:38
template<typename E , typename... Args>
void Botan::do_throw_error ( const char *  file,
int  line,
const char *  func,
Args...  args 
)
inline

Definition at line 434 of file exceptn.h.

References E.

435  {
436  throw E(file, line, func, args...);
437  }
SIMD_8x32 E
secure_vector<uint8_t> Botan::EC2OSP ( const PointGFp point,
uint8_t  format 
)
inline

Definition at line 385 of file point_gfp.h.

386  {
387  std::vector<uint8_t> enc = point.encode(static_cast<PointGFp::Compression_Type>(format));
388  return secure_vector<uint8_t>(enc.begin(), enc.end());
389  }
size_t Botan::ecp_work_factor ( size_t  prime_group_size)

Estimate work factor for EC discrete logarithm

Parameters
prime_group_sizesize of the group in bits
Returns
estimated security level for this group

Definition at line 14 of file workfactor.cpp.

Referenced by Botan::EC_PublicKey::estimated_strength().

15  {
16  return bits / 2;
17  }
void Botan::ed25519_gen_keypair ( uint8_t *  pk,
uint8_t *  sk,
const uint8_t  seed[32] 
)

Definition at line 18 of file ed25519.cpp.

References copy_mem(), Botan::Buffered_Computation::final(), ge_scalarmult_base(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_seed_keypair(), and Botan::Ed25519_PrivateKey::Ed25519_PrivateKey().

19  {
20  uint8_t az[64];
21 
22  SHA_512 sha;
23  sha.update(seed, 32);
24  sha.final(az);
25  az[0] &= 248;
26  az[31] &= 63;
27  az[31] |= 64;
28 
29  ge_scalarmult_base(pk, az);
30 
31  // todo copy_mem
32  copy_mem(sk, seed, 32);
33  copy_mem(sk + 32, pk, 32);
34  }
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32])
Definition: ge.cpp:2118
void Botan::ed25519_gen_keypair ( uint8_t  pk[32],
uint8_t  sk[64],
const uint8_t  seed[32] 
)
void Botan::ed25519_sign ( uint8_t  sig[64],
const uint8_t  m[],
size_t  mlen,
const uint8_t  sk[64],
const uint8_t  domain_sep[],
size_t  domain_sep_len 
)

Definition at line 36 of file ed25519.cpp.

References Botan::Buffered_Computation::final(), ge_scalarmult_base(), sc_muladd(), sc_reduce(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_detached().

40  {
41  uint8_t az[64];
42  uint8_t nonce[64];
43  uint8_t hram[64];
44 
45  SHA_512 sha;
46 
47  sha.update(sk, 32);
48  sha.final(az);
49  az[0] &= 248;
50  az[31] &= 63;
51  az[31] |= 64;
52 
53  sha.update(domain_sep, domain_sep_len);
54  sha.update(az + 32, 32);
55  sha.update(m, mlen);
56  sha.final(nonce);
57 
58  sc_reduce(nonce);
59  ge_scalarmult_base(sig, nonce);
60 
61  sha.update(domain_sep, domain_sep_len);
62  sha.update(sig, 32);
63  sha.update(sk + 32, 32);
64  sha.update(m, mlen);
65  sha.final(hram);
66 
67  sc_reduce(hram);
68  sc_muladd(sig + 32, hram, az, nonce);
69  }
void sc_muladd(uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
Definition: sc_muladd.cpp:26
void sc_reduce(uint8_t *)
Definition: sc_reduce.cpp:25
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32])
Definition: ge.cpp:2118
bool Botan::ed25519_verify ( const uint8_t *  m,
size_t  mlen,
const uint8_t  sig[64],
const uint8_t *  pk,
const uint8_t  domain_sep[],
size_t  domain_sep_len 
)

Definition at line 71 of file ed25519.cpp.

References A, constant_time_compare(), Botan::Buffered_Computation::final(), ge_double_scalarmult_vartime(), ge_frombytes_negate_vartime(), sc_reduce(), and Botan::Buffered_Computation::update().

Referenced by Botan::Sodium::crypto_sign_ed25519_verify_detached().

75  {
76  uint8_t h[64];
77  uint8_t rcheck[32];
78  ge_p3 A;
79  SHA_512 sha;
80 
81  if(sig[63] & 224)
82  {
83  return false;
84  }
85  if(ge_frombytes_negate_vartime(&A, pk) != 0)
86  {
87  return false;
88  }
89 
90  sha.update(domain_sep, domain_sep_len);
91  sha.update(sig, 32);
92  sha.update(pk, 32);
93  sha.update(m, mlen);
94  sha.final(h);
95  sc_reduce(h);
96 
97  ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);
98 
99  return constant_time_compare(rcheck, sig, 32);
100  }
void sc_reduce(uint8_t *)
Definition: sc_reduce.cpp:25
void BOTAN_FUNC_ISA("avx2") SHACAL2 SIMD_8x32 A
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.h:82
int ge_frombytes_negate_vartime(ge_p3 *, const uint8_t *)
Definition: ge.cpp:458
void ge_double_scalarmult_vartime(uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])
bool Botan::ed25519_verify ( const uint8_t  msg[],
size_t  msg_len,
const uint8_t  sig[64],
const uint8_t  pk[32],
const uint8_t  domain_sep[],
size_t  domain_sep_len 
)
uint32_t Botan::encode_gf2m ( gf2m  to_enc,
uint8_t *  mem 
)

Definition at line 96 of file gf2m_small_m.cpp.

97  {
98  mem[0] = to_enc >> 8;
99  mem[1] = to_enc & 0xFF;
100  return sizeof(to_enc);
101  }
std::string Botan::erase_chars ( const std::string &  str,
const std::set< char > &  chars 
)

Erase characters from a string

Definition at line 292 of file parsing.cpp.

293  {
294  std::string out;
295 
296  for(auto c: str)
297  if(chars.count(c) == 0)
298  out += c;
299 
300  return out;
301  }
template<typename T >
uint16_t Botan::expand_mask_16bit ( T  tst)

Expand an input to a bit mask depending on it being being zero or non-zero

Parameters
tstthe input
Returns
the mask 0xFFFF if tst is non-zero and 0 otherwise

Definition at line 25 of file code_based_util.h.

Referenced by Botan::polyn_gf2m::calc_degree_secure(), Botan::polyn_gf2m::eea_with_coefficients(), and Botan::polyn_gf2m::patchup_deg_secure().

26  {
27  const uint16_t result = (tst != 0);
28  return ~(result - 1);
29  }
template<typename T >
T Botan::expand_top_bit ( T  a)
inline

If top bit of arg is set, return ~0. Otherwise return 0.

Definition at line 23 of file bit_ops.h.

References T.

Referenced by Botan::CT::Mask< T >::is_any_of(), and Botan::CT::Mask< T >::is_within_range().

24  {
25  return static_cast<T>(0) - (a >> (sizeof(T)*8-1));
26  }
fe T
Definition: ge.cpp:37
void Botan::fe_0 ( fe x)
inline

Definition at line 170 of file ed25519_fe.h.

171  {
172  x = FE_25519();
173  }
void Botan::fe_1 ( fe x)
inline

Definition at line 175 of file ed25519_fe.h.

Referenced by ge_frombytes_negate_vartime().

176  {
177  x = FE_25519(1);
178  }
void Botan::fe_add ( fe x,
const fe a,
const fe b 
)
inline

Definition at line 180 of file ed25519_fe.h.

References Botan::FE_25519::add().

Referenced by ge_frombytes_negate_vartime().

181  {
182  x = FE_25519::add(a, b);
183  }
void Botan::fe_copy ( fe a,
const fe b 
)
inline

Definition at line 154 of file ed25519_fe.h.

155  {
156  a = b;
157  }
void Botan::fe_frombytes ( fe x,
const uint8_t *  b 
)
inline

Definition at line 144 of file ed25519_fe.h.

References Botan::FE_25519::from_bytes().

Referenced by ge_frombytes_negate_vartime().

145  {
146  x.from_bytes(b);
147  }
void Botan::fe_invert ( fe x,
const fe z 
)
inline

Definition at line 215 of file ed25519_fe.h.

References Botan::FE_25519::invert().

216  {
217  x = FE_25519::invert(z);
218  }
int Botan::fe_isnegative ( const fe x)
inline

Definition at line 164 of file ed25519_fe.h.

References Botan::FE_25519::is_negative().

Referenced by ge_frombytes_negate_vartime().

165  {
166  return x.is_negative();
167  }
int Botan::fe_isnonzero ( const fe x)
inline

Definition at line 159 of file ed25519_fe.h.

References Botan::FE_25519::is_zero().

Referenced by ge_frombytes_negate_vartime().

160  {
161  return x.is_zero() ? 0 : 1;
162  }
void Botan::fe_mul ( fe x,
const fe a,
const fe b 
)
inline

Definition at line 195 of file ed25519_fe.h.

References Botan::FE_25519::mul().

Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

196  {
197  x = FE_25519::mul(a, b);
198  }
void Botan::fe_neg ( fe x,
const fe z 
)
inline

Definition at line 190 of file ed25519_fe.h.

References Botan::FE_25519::negate().

Referenced by ge_frombytes_negate_vartime().

191  {
192  x = FE_25519::negate(z);
193  }
void Botan::fe_pow22523 ( fe x,
const fe y 
)
inline

Definition at line 220 of file ed25519_fe.h.

References Botan::FE_25519::pow_22523().

Referenced by ge_frombytes_negate_vartime().

221  {
222  x = FE_25519::pow_22523(y);
223  }
void Botan::fe_sq ( fe x,
const fe z 
)
inline

Definition at line 200 of file ed25519_fe.h.

References Botan::FE_25519::sqr().

Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

201  {
202  x = FE_25519::sqr(z);
203  }
void Botan::fe_sq2 ( fe x,
const fe z 
)
inline

Definition at line 210 of file ed25519_fe.h.

References Botan::FE_25519::sqr2().

211  {
212  x = FE_25519::sqr2(z);
213  }
void Botan::fe_sq_iter ( fe x,
const fe z,
size_t  iter 
)
inline

Definition at line 205 of file ed25519_fe.h.

References Botan::FE_25519::sqr_iter().

Referenced by Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().

206  {
207  x = FE_25519::sqr_iter(z, iter);
208  }
void Botan::fe_sub ( fe x,
const fe a,
const fe b 
)
inline

Definition at line 185 of file ed25519_fe.h.

References Botan::FE_25519::sub().

Referenced by ge_frombytes_negate_vartime().

186  {
187  x = FE_25519::sub(a, b);
188  }
void Botan::fe_tobytes ( uint8_t *  b,
const fe x 
)
inline

Definition at line 149 of file ed25519_fe.h.

References Botan::FE_25519::to_bytes().

150  {
151  x.to_bytes(b);
152  }
secure_vector< gf2m > Botan::find_roots_gf2m_decomp ( const polyn_gf2m polyn,
size_t  code_length 
)

Find the roots of a polynomial over GF(2^m) using the method by Federenko et al.

Definition at line 308 of file gf2m_rootfind_dcmp.cpp.

309  {
310  gf2m_decomp_rootfind_state state(polyn, code_length);
311  return state.find_roots(polyn);
312  }
Botan::for ( size_t  r = 0; r != 64; r += 8)

Definition at line 52 of file shacal2_avx2.cpp.

53  {
54  SHACAL2_Fwd(A, B, C, D, E, F, G, H, m_RK[r+0]);
55  SHACAL2_Fwd(H, A, B, C, D, E, F, G, m_RK[r+1]);
56  SHACAL2_Fwd(G, H, A, B, C, D, E, F, m_RK[r+2]);
57  SHACAL2_Fwd(F, G, H, A, B, C, D, E, m_RK[r+3]);
58  SHACAL2_Fwd(E, F, G, H, A, B, C, D, m_RK[r+4]);
59  SHACAL2_Fwd(D, E, F, G, H, A, B, C, m_RK[r+5]);
60  SHACAL2_Fwd(C, D, E, F, G, H, A, B, m_RK[r+6]);
61  SHACAL2_Fwd(B, C, D, E, F, G, H, A, m_RK[r+7]);
62  }
SIMD_8x32 H
void BOTAN_FUNC_ISA("avx2") SHACAL2 SIMD_8x32 A
SIMD_8x32 D
SIMD_8x32 E
SIMD_8x32 G
SIMD_8x32 B
SIMD_8x32 F
SIMD_8x32 C
BigInt Botan::gcd ( const BigInt x,
const BigInt y 
)

Compute the greatest common divisor

Parameters
xa positive integer
ya positive integer
Returns
gcd(x,y)

Definition at line 81 of file numthry.cpp.

References abs(), Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::BigInt::const_time_poison(), Botan::BigInt::const_time_unpoison(), Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_swap(), Botan::CT::Mask< T >::expand(), Botan::BigInt::is_even(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), low_zero_bits(), Botan::BigInt::Positive, Botan::BigInt::set_sign(), and Botan::CT::unpoison().

Referenced by botan_mp_gcd(), Botan::ECIES_Decryptor::ECIES_Decryptor(), generate_rsa_prime(), lcm(), and random_prime().

82  {
83  if(a.is_zero())
84  return abs(b);
85  if(b.is_zero())
86  return abs(a);
87  if(a == 1 || b == 1)
88  return 1;
89 
90  // See https://gcd.cr.yp.to/safegcd-20190413.pdf fig 1.2
91 
92  BigInt f = a;
93  BigInt g = b;
95  g.const_time_poison();
96 
97  f.set_sign(BigInt::Positive);
98  g.set_sign(BigInt::Positive);
99 
100  const size_t common2s = std::min(low_zero_bits(f), low_zero_bits(g));
101  CT::unpoison(common2s);
102 
103  f >>= common2s;
104  g >>= common2s;
105 
106  f.ct_cond_swap(f.is_even(), g);
107 
108  int32_t delta = 1;
109 
110  const size_t loop_cnt = safegcd_loop_bound(f.bits(), g.bits());
111 
112  BigInt newg, t;
113  for(size_t i = 0; i != loop_cnt; ++i)
114  {
115  sub_abs(newg, f, g);
116 
117  const bool need_swap = (g.is_odd() && delta > 0);
118 
119  // if(need_swap) { delta *= -1 } else { delta *= 1 }
120  delta *= CT::Mask<uint8_t>::expand(need_swap).if_not_set_return(2) - 1;
121  f.ct_cond_swap(need_swap, g);
122  g.ct_cond_swap(need_swap, newg);
123 
124  delta += 1;
125 
126  g.ct_cond_add(g.is_odd(), f);
127  g >>= 1;
128  }
129 
130  f <<= common2s;
131 
132  f.const_time_unpoison();
133  g.const_time_unpoison();
134 
135  BOTAN_ASSERT_NOMSG(g.is_zero());
136 
137  return f;
138  }
size_t low_zero_bits(const BigInt &n)
Definition: numthry.cpp:39
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
BigInt abs(const BigInt &n)
Definition: numthry.h:58
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void const_time_poison() const
Definition: bigint.h:739
void Botan::ge_double_scalarmult_vartime ( uint8_t  out[32],
const uint8_t  a[],
const ge_p3 A,
const uint8_t  b[] 
)

Referenced by ed25519_verify().

void Botan::ge_double_scalarmult_vartime ( uint8_t  out[32],
const uint8_t *  a,
const ge_p3 A,
const uint8_t *  b 
)

Definition at line 519 of file ge.cpp.

522  {
523  static const ge_precomp Bi[8] =
524  {
525  {
526  { 25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605 },
527  { -12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378 },
528  { -8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546 },
529  },
530  {
531  { 15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024 },
532  { 16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574 },
533  { 30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357 },
534  },
535  {
536  { 10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380 },
537  { 4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306 },
538  { 19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942 },
539  },
540  {
541  { 5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766 },
542  { -30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701 },
543  { 28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300 },
544  },
545  {
546  { -22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877 },
547  { -6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951 },
548  { 4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784 },
549  },
550  {
551  { -25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436 },
552  { 25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918 },
553  { 23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877 },
554  },
555  {
556  { -33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800 },
557  { -25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305 },
558  { -13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300 },
559  },
560  {
561  { -3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876 },
562  { -24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619 },
563  { -3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683 },
564  },
565  } ;
566 
567  int8_t aslide[256];
568  int8_t bslide[256];
569  ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
570  ge_p1p1 t;
571  ge_p3 u;
572  ge_p3 A2;
573  ge_p2 r;
574  int i;
575 
576  slide(aslide, a);
577  slide(bslide, b);
578 
579  ge_p3_to_cached(&Ai[0], A);
580  ge_p3_dbl(&t, A);
581  ge_p1p1_to_p3(&A2, &t);
582  ge_add(&t, &A2, &Ai[0]);
583  ge_p1p1_to_p3(&u, &t);
584  ge_p3_to_cached(&Ai[1], &u);
585  ge_add(&t, &A2, &Ai[1]);
586  ge_p1p1_to_p3(&u, &t);
587  ge_p3_to_cached(&Ai[2], &u);
588  ge_add(&t, &A2, &Ai[2]);
589  ge_p1p1_to_p3(&u, &t);
590  ge_p3_to_cached(&Ai[3], &u);
591  ge_add(&t, &A2, &Ai[3]);
592  ge_p1p1_to_p3(&u, &t);
593  ge_p3_to_cached(&Ai[4], &u);
594  ge_add(&t, &A2, &Ai[4]);
595  ge_p1p1_to_p3(&u, &t);
596  ge_p3_to_cached(&Ai[5], &u);
597  ge_add(&t, &A2, &Ai[5]);
598  ge_p1p1_to_p3(&u, &t);
599  ge_p3_to_cached(&Ai[6], &u);
600  ge_add(&t, &A2, &Ai[6]);
601  ge_p1p1_to_p3(&u, &t);
602  ge_p3_to_cached(&Ai[7], &u);
603 
604  ge_p2_0(&r);
605 
606  for(i = 255; i >= 0; --i)
607  {
608  if(aslide[i] || bslide[i])
609  {
610  break;
611  }
612  }
613 
614  for(; i >= 0; --i)
615  {
616  ge_p2_dbl(&t, &r);
617 
618  if(aslide[i] > 0)
619  {
620  ge_p1p1_to_p3(&u, &t);
621  ge_add(&t, &u, &Ai[aslide[i] >> 1]);
622  }
623  else if(aslide[i] < 0)
624  {
625  ge_p1p1_to_p3(&u, &t);
626  ge_sub(&t, &u, &Ai[(-aslide[i]) >> 1]);
627  }
628 
629  if(bslide[i] > 0)
630  {
631  ge_p1p1_to_p3(&u, &t);
632  ge_madd(&t, &u, &Bi[bslide[i] >> 1]);
633  }
634  else if(bslide[i] < 0)
635  {
636  ge_p1p1_to_p3(&u, &t);
637  ge_msub(&t, &u, &Bi[(-bslide[i]) >> 1]);
638  }
639 
640  ge_p1p1_to_p2(&r, &t);
641  }
642 
643  ge_tobytes(out, &r);
644  }
void BOTAN_FUNC_ISA("avx2") SHACAL2 SIMD_8x32 A
int Botan::ge_frombytes_negate_vartime ( ge_p3 h,
const uint8_t *  s 
)

Definition at line 458 of file ge.cpp.

References fe_1(), fe_add(), fe_frombytes(), fe_isnegative(), fe_isnonzero(), fe_mul(), fe_neg(), fe_pow22523(), fe_sq(), fe_sub(), Botan::ge_p3::T, Botan::ge_p3::X, Botan::ge_p3::Y, and Botan::ge_p3::Z.

Referenced by ed25519_verify().

459  {
460  static const fe d =
461  {
462  -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116
463  } ;
464  static const fe sqrtm1 =
465  {
466  -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482
467  } ;
468 
469  fe u;
470  fe v;
471  fe v3;
472  fe vxx;
473  fe check;
474 
475  fe_frombytes(h->Y, s);
476  fe_1(h->Z);
477  fe_sq(u, h->Y);
478  fe_mul(v, u, d);
479  fe_sub(u, u, h->Z); /* u = y^2-1 */
480  fe_add(v, v, h->Z); /* v = dy^2+1 */
481 
482  fe_sq(v3, v);
483  fe_mul(v3, v3, v); /* v3 = v^3 */
484  fe_sq(h->X, v3);
485  fe_mul(h->X, h->X, v);
486  fe_mul(h->X, h->X, u); /* x = uv^7 */
487 
488  fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
489  fe_mul(h->X, h->X, v3);
490  fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
491 
492  fe_sq(vxx, h->X);
493  fe_mul(vxx, vxx, v);
494  fe_sub(check, vxx, u); /* vx^2-u */
495  if(fe_isnonzero(check))
496  {
497  fe_add(check, vxx, u); /* vx^2+u */
498  if(fe_isnonzero(check))
499  {
500  return -1;
501  }
502  fe_mul(h->X, h->X, sqrtm1);
503  }
504 
505  if(fe_isnegative(h->X) == (s[31] >> 7))
506  { fe_neg(h->X, h->X); }
507 
508  fe_mul(h->T, h->X, h->Y);
509  return 0;
510  }
void fe_neg(fe &x, const fe &z)
Definition: ed25519_fe.h:190
void fe_add(fe &x, const fe &a, const fe &b)
Definition: ed25519_fe.h:180
void fe_sq(fe &x, const fe &z)
Definition: ed25519_fe.h:200
void fe_1(fe &x)
Definition: ed25519_fe.h:175
int fe_isnegative(const fe &x)
Definition: ed25519_fe.h:164
void fe_sub(fe &x, const fe &a, const fe &b)
Definition: ed25519_fe.h:185
int fe_isnonzero(const fe &x)
Definition: ed25519_fe.h:159
FE_25519 fe
Definition: ed25519_fe.h:134
void fe_frombytes(fe &x, const uint8_t *b)
Definition: ed25519_fe.h:144
void fe_pow22523(fe &x, const fe &y)
Definition: ed25519_fe.h:220
void fe_mul(fe &x, const fe &a, const fe &b)
Definition: ed25519_fe.h:195
void Botan::ge_scalarmult_base ( uint8_t  out[32],
const uint8_t  in[32] 
)

Definition at line 2118 of file ge.cpp.

References carry().

Referenced by ed25519_gen_keypair(), and ed25519_sign().

2119  {
2120  int8_t e[64];
2121  int8_t carry;
2122  ge_p1p1 r;
2123  ge_p2 s;
2124  ge_p3 h;
2125  ge_precomp t;
2126  int i;
2127 
2128  for(i = 0; i < 32; ++i)
2129  {
2130  e[2 * i + 0] = (a[i] >> 0) & 15;
2131  e[2 * i + 1] = (a[i] >> 4) & 15;
2132  }
2133  /* each e[i] is between 0 and 15 */
2134  /* e[63] is between 0 and 7 */
2135 
2136  carry = 0;
2137  for(i = 0; i < 63; ++i)
2138  {
2139  e[i] += carry;
2140  carry = e[i] + 8;
2141  carry >>= 4;
2142  e[i] -= carry << 4;
2143  }
2144  e[63] += carry;
2145  /* each e[i] is between -8 and 8 */
2146 
2147  ge_p3_0(&h);
2148  for(i = 1; i < 64; i += 2)
2149  {
2150  select(&t, B_precomp[i / 2], e[i]);
2151  ge_madd(&r, &h, &t);
2152  ge_p1p1_to_p3(&h, &r);
2153  }
2154 
2155  ge_p3_dbl(&r, &h);
2156  ge_p1p1_to_p2(&s, &r);
2157  ge_p2_dbl(&r, &s);
2158  ge_p1p1_to_p2(&s, &r);
2159  ge_p2_dbl(&r, &s);
2160  ge_p1p1_to_p2(&s, &r);
2161  ge_p2_dbl(&r, &s);
2162  ge_p1p1_to_p3(&h, &r);
2163 
2164  for(i = 0; i < 64; i += 2)
2165  {
2166  select(&t, B_precomp[i / 2], e[i]);
2167  ge_madd(&r, &h, &t);
2168  ge_p1p1_to_p3(&h, &r);
2169  }
2170 
2171  ge_p3_tobytes(out, &h);
2172  }
void carry(int64_t &h0, int64_t &h1)
std::string Botan::generate_bcrypt ( const std::string &  password,
RandomNumberGenerator rng,
uint16_t  work_factor = 12,
char  version = 'a' 
)

Create a password hash using Bcrypt

Warning
The password is truncated at at most 72 characters; characters after that do not have any effect on the resulting hash. To support longer passwords, consider pre-hashing the password, for example by using the hex encoding of SHA-256 of the password as the input to bcrypt.
Parameters
passwordthe password.
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
versionwhich version to emit (may be 'a', 'b', or 'y' all of which have identical behavior in this implementation).
See also
https://www.usenix.org/events/usenix99/provos/provos_html/

Definition at line 137 of file bcrypt.cpp.

References Botan::RandomNumberGenerator::random_vec().

Referenced by botan_bcrypt_generate().

141  {
142  /*
143  2a, 2b and 2y are identical for our purposes because our implementation of 2a
144  never had the truncation or signed char bugs in the first place.
145  */
146 
147  if(version != 'a' && version != 'b' && version != 'y')
148  throw Invalid_Argument("Unknown bcrypt version '" + std::string(1, version) + "'");
149 
150  std::vector<uint8_t> salt;
151  rng.random_vec(salt, 16);
152  return make_bcrypt(pass, salt, work_factor, version);
153  }
bool Botan::generate_dsa_primes ( RandomNumberGenerator rng,
BigInt p_out,
BigInt q_out,
size_t  pbits,
size_t  qbits,
const std::vector< uint8_t > &  seed,
size_t  offset = 0 
)

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
seedthe seed used to generate the parameters
offsetoptional offset from seed to start searching at
Returns
true if seed generated a valid DSA parameter set, otherwise false. p_out and q_out are only valid if true was returned.

Definition at line 39 of file dsa_gen.cpp.

References Botan::BigInt::binary_decode(), Botan::BigInt::bits(), Botan::HashFunction::create_or_throw(), hash, is_prime(), Botan::Modular_Reducer::reduce(), Botan::BigInt::set_bit(), Botan::ASN1::to_string(), and X.

Referenced by Botan::DL_Group::DL_Group(), and generate_dsa_primes().

44  {
45  if(!fips186_3_valid_size(pbits, qbits))
46  throw Invalid_Argument(
47  "FIPS 186-3 does not allow DSA domain parameters of " +
48  std::to_string(pbits) + "/" + std::to_string(qbits) + " bits long");
49 
50  if(seed_c.size() * 8 < qbits)
51  throw Invalid_Argument(
52  "Generating a DSA parameter set with a " + std::to_string(qbits) +
53  " bit long q requires a seed at least as many bits long");
54 
55  const std::string hash_name = "SHA-" + std::to_string(qbits);
56  std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_name));
57 
58  const size_t HASH_SIZE = hash->output_length();
59 
60  class Seed final
61  {
62  public:
63  explicit Seed(const std::vector<uint8_t>& s) : m_seed(s) {}
64 
65  const std::vector<uint8_t>& value() const { return m_seed; }
66 
67  Seed& operator++()
68  {
69  for(size_t j = m_seed.size(); j > 0; --j)
70  if(++m_seed[j-1])
71  break;
72  return (*this);
73  }
74  private:
75  std::vector<uint8_t> m_seed;
76  };
77 
78  Seed seed(seed_c);
79 
80  q.binary_decode(hash->process(seed.value()));
81  q.set_bit(qbits-1);
82  q.set_bit(0);
83 
84  if(!is_prime(q, rng, 128, true))
85  return false;
86 
87  const size_t n = (pbits-1) / (HASH_SIZE * 8),
88  b = (pbits-1) % (HASH_SIZE * 8);
89 
90  BigInt X;
91  std::vector<uint8_t> V(HASH_SIZE * (n+1));
92 
93  Modular_Reducer mod_2q(2*q);
94 
95  for(size_t j = 0; j != 4*pbits; ++j)
96  {
97  for(size_t k = 0; k <= n; ++k)
98  {
99  ++seed;
100  hash->update(seed.value());
101  hash->final(&V[HASH_SIZE * (n-k)]);
102  }
103 
104  if(j >= offset)
105  {
106  X.binary_decode(&V[HASH_SIZE - 1 - b/8],
107  V.size() - (HASH_SIZE - 1 - b/8));
108  X.set_bit(pbits-1);
109 
110  p = X - (mod_2q.reduce(X) - 1);
111 
112  if(p.bits() == pbits && is_prime(p, rng, 128, true))
113  return true;
114  }
115  }
116  return false;
117  }
fe X
Definition: ge.cpp:27
int(* final)(unsigned char *, CTX *)
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:228
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
MechanismType hash
std::vector< uint8_t > Botan::generate_dsa_primes ( RandomNumberGenerator rng,
BigInt p_out,
BigInt q_out,
size_t  pbits,
size_t  qbits 
)

Generate DSA parameters using the FIPS 186 kosherizer

Parameters
rnga random number generator
p_outwhere the prime p will be stored
q_outwhere the prime q will be stored
pbitshow long p will be in bits
qbitshow long q will be in bits
Returns
random seed used to generate this parameter set

Definition at line 122 of file dsa_gen.cpp.

References generate_dsa_primes(), and Botan::RandomNumberGenerator::randomize().

125  {
126  while(true)
127  {
128  std::vector<uint8_t> seed(qbits / 8);
129  rng.randomize(seed.data(), seed.size());
130 
131  if(generate_dsa_primes(rng, p, q, pbits, qbits, seed))
132  return seed;
133  }
134  }
std::vector< uint8_t > generate_dsa_primes(RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits)
Definition: dsa_gen.cpp:122
McEliece_PrivateKey Botan::generate_mceliece_key ( RandomNumberGenerator rng,
size_t  ext_deg,
size_t  code_length,
size_t  t 
)

Definition at line 216 of file code_based_key_gen.cpp.

References bit_size_to_32bit_size(), F, H, Botan::polyn_gf2m::sqrt_mod_init(), store_le(), and syndrome_init().

Referenced by Botan::McEliece_PrivateKey::McEliece_PrivateKey().

217  {
218  const size_t codimension = t * ext_deg;
219 
220  if(code_length <= codimension)
221  {
222  throw Invalid_Argument("invalid McEliece parameters");
223  }
224 
225  std::shared_ptr<GF2m_Field> sp_field(new GF2m_Field(ext_deg));
226 
227  //pick the support.........
228  std::vector<gf2m> L(code_length);
229 
230  for(size_t i = 0; i != L.size(); i++)
231  {
232  L[i] = static_cast<gf2m>(i);
233  }
234  randomize_support(L, rng);
235  polyn_gf2m g(sp_field); // create as zero
236 
237  bool success = false;
238  std::unique_ptr<binary_matrix> R;
239 
240  do
241  {
242  // create a random irreducible polynomial
243  g = polyn_gf2m(t, rng, sp_field);
244 
245  try
246  {
247  R = generate_R(L, &g, sp_field, code_length, t);
248  success = true;
249  }
250  catch(const Invalid_State &)
251  {
252  }
253  } while (!success);
254 
255  std::vector<polyn_gf2m> sqrtmod = polyn_gf2m::sqrt_mod_init( g);
256  std::vector<polyn_gf2m> F = syndrome_init(g, L, static_cast<int>(code_length));
257 
258  // Each F[i] is the (precomputed) syndrome of the error vector with
259  // a single '1' in i-th position.
260  // We do not store the F[i] as polynomials of degree t , but
261  // as binary vectors of length ext_deg * t (this will
262  // speed up the syndrome computation)
263  //
264  std::vector<uint32_t> H(bit_size_to_32bit_size(codimension) * code_length);
265  uint32_t* sk = H.data();
266  for(size_t i = 0; i < code_length; ++i)
267  {
268  for(size_t l = 0; l < t; ++l)
269  {
270  const size_t k = (l * ext_deg) / 32;
271  const uint8_t j = (l * ext_deg) % 32;
272  sk[k] ^= static_cast<uint32_t>(F[i].get_coef(l)) << j;
273  if(j + ext_deg > 32)
274  {
275  sk[k + 1] ^= F[i].get_coef(l) >> (32 - j);
276  }
277  }
278  sk += bit_size_to_32bit_size(codimension);
279  }
280 
281  // We need the support L for decoding (decryption). In fact the
282  // inverse is needed
283 
284  std::vector<gf2m> Linv(code_length) ;
285  for(size_t i = 0; i != Linv.size(); ++i)
286  {
287  Linv[L[i]] = static_cast<gf2m>(i);
288  }
289  std::vector<uint8_t> pubmat(R->m_elem.size() * 4);
290  for(size_t i = 0; i < R->m_elem.size(); i++)
291  {
292  store_le(R->m_elem[i], &pubmat[i*4]);
293  }
294 
295  return McEliece_PrivateKey(g, H, sqrtmod, Linv, pubmat);
296  }
SIMD_8x32 H
size_t bit_size_to_32bit_size(size_t bit_size)
uint16_t gf2m
Definition: gf2m_small_m.h:22
SIMD_8x32 F
std::vector< polyn_gf2m > syndrome_init(polyn_gf2m const &generator, std::vector< gf2m > const &support, int n)
Definition: polyn_gf2m.cpp:721
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:454
std::string Botan::generate_passhash9 ( const std::string &  password,
RandomNumberGenerator rng,
uint16_t  work_factor = 15,
uint8_t  alg_id = 4 
)

Create a password hash using PBKDF2

Parameters
passwordthe password
rnga random number generator
work_factorhow much work to do to slow down guessing attacks
alg_idspecifies which PRF to use with PBKDF2 0 is HMAC(SHA-1) 1 is HMAC(SHA-256) 2 is CMAC(Blowfish) 3 is HMAC(SHA-384) 4 is HMAC(SHA-512) all other values are currently undefined

Definition at line 44 of file passhash9.cpp.

References base64_encode(), BOTAN_ARG_CHECK, get_byte(), Botan::RandomNumberGenerator::randomize(), and Botan::ASN1::to_string().

48  {
49  BOTAN_ARG_CHECK(work_factor > 0 && work_factor < 512, "Invalid Passhash9 work factor");
50 
51  std::unique_ptr<MessageAuthenticationCode> prf = get_pbkdf_prf(alg_id);
52 
53  if(!prf)
54  throw Invalid_Argument("Passhash9: Algorithm id " +
55  std::to_string(alg_id) +
56  " is not defined");
57 
58  PKCS5_PBKDF2 kdf(prf.release()); // takes ownership of pointer
59 
60  secure_vector<uint8_t> salt(SALT_BYTES);
61  rng.randomize(salt.data(), salt.size());
62 
63  const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
64 
65  secure_vector<uint8_t> blob;
66  blob.push_back(alg_id);
67  blob.push_back(get_byte(0, work_factor));
68  blob.push_back(get_byte(1, work_factor));
69  blob += salt;
70  blob += kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN,
71  pass,
72  salt.data(), salt.size(),
73  kdf_iterations).bits_of();
74 
75  return MAGIC_PREFIX + base64_encode(blob);
76  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:185
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
BigInt Botan::generate_rfc6979_nonce ( const BigInt x,
const BigInt q,
const BigInt h,
const std::string &  hash 
)
Parameters
xthe secret (EC)DSA key
qthe group order
hthe message hash already reduced mod q
hashthe hash function used to generate h

Definition at line 49 of file rfc6979.cpp.

References Botan::RFC6979_Nonce_Generator::nonce_for().

53  {
54  RFC6979_Nonce_Generator gen(hash, q, x);
55  BigInt k = gen.nonce_for(h);
56  return k;
57  }
MechanismType hash
BigInt Botan::generate_rsa_prime ( RandomNumberGenerator keygen_rng,
RandomNumberGenerator prime_test_rng,
size_t  bits,
const BigInt coprime,
size_t  prob = 128 
)

Generate a prime suitable for RSA p/q

Parameters
keygen_rnga random number generator
prime_test_rnga random number generator
bitshow large the resulting prime should be in bits (must be >= 512)
coprimea positive integer that (prime - 1) should be coprime to
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 197 of file make_prm.cpp.

References Botan::BigInt::bits(), gcd(), Botan::BigInt::is_even(), is_miller_rabin_probable_prime(), miller_rabin_test_iterations(), and Botan::BigInt::set_bit().

Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey().

202  {
203  if(bits < 512)
204  throw Invalid_Argument("generate_rsa_prime bits too small");
205 
206  /*
207  * The restriction on coprime <= 64 bits is arbitrary but generally speaking
208  * very large RSA public exponents are a bad idea both for performance and due
209  * to attacks on small d.
210  */
211  if(coprime <= 1 || coprime.is_even() || coprime.bits() > 64)
212  throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");
213 
214  const size_t MAX_ATTEMPTS = 32*1024;
215 
216  const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
217 
218  while(true)
219  {
220  BigInt p(keygen_rng, bits);
221 
222  // Force high two bits so multiplication always results in expected n bit integer
223  p.set_bit(bits - 1);
224  p.set_bit(bits - 2);
225  p.set_bit(0);
226 
227  const word step = 2;
228 
229  Prime_Sieve sieve(p, bits);
230 
231  for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt)
232  {
233  p += step;
234 
235  sieve.step(step);
236 
237  if(sieve.passes() == false)
238  continue;
239 
240  Modular_Reducer mod_p(p);
241 
242  /*
243  * Do a single primality test first before checking coprimality, since
244  * currently a single Miller-Rabin test is faster than computing gcd,
245  * and this eliminates almost all wasted gcd computations.
246  */
247  if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, 1) == false)
248  continue;
249 
250  /*
251  * Check if p - 1 and coprime are relatively prime.
252  */
253  if(gcd(p - 1, coprime) > 1)
254  continue;
255 
256  if(p.bits() > bits)
257  break;
258 
259  if(is_miller_rabin_probable_prime(p, mod_p, prime_test_rng, mr_trials) == true)
260  return p;
261  }
262  }
263  }
BigInt gcd(const BigInt &a, const BigInt &b)
Definition: numthry.cpp:81
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)
Definition: primality.cpp:165
bool is_miller_rabin_probable_prime(const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
Definition: primality.cpp:143
BigInt Botan::generate_srp6_verifier ( const std::string &  identifier,
const std::string &  password,
const std::vector< uint8_t > &  salt,
const std::string &  group_id,
const std::string &  hash_id 
)

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 127 of file srp6.cpp.

132  {
133  DL_Group group(group_id);
134  return generate_srp6_verifier(identifier, password, salt, group, hash_id);
135  }
BigInt generate_srp6_verifier(const std::string &identifier, const std::string &password, const std::vector< uint8_t > &salt, const DL_Group &group, const std::string &hash_id)
Definition: srp6.cpp:137
BigInt Botan::generate_srp6_verifier ( const std::string &  identifier,
const std::string &  password,
const std::vector< uint8_t > &  salt,
const DL_Group group,
const std::string &  hash_id 
)

Generate a new SRP-6 verifier

Parameters
identifiera username or other client identifier
passwordthe secret used to authenticate user
salta randomly chosen value, at least 128 bits long
groupspecifies the shared SRP group
hash_idspecifies a secure hash function

Definition at line 137 of file srp6.cpp.

References Botan::BigInt::bits(), and Botan::DL_Group::power_g_p().

142  {
143  const BigInt x = compute_x(hash_id, identifier, password, salt);
144  // FIXME: x should be size of hash fn so avoid computing x.bits() here
145  return group.power_g_p(x, x.bits());
146  }
AEAD_Mode* Botan::get_aead ( const std::string &  name,
Cipher_Dir  direction 
)
inline

Get an AEAD mode by name (eg "AES-128/GCM" or "Serpent/EAX")

Parameters
nameAEAD name
directionENCRYPTION or DECRYPTION

Definition at line 140 of file aead.h.

References Botan::AEAD_Mode::create().

141  {
142  return AEAD_Mode::create(name, direction, "").release();
143  }
std::string name
BlockCipherModePaddingMethod * Botan::get_bc_pad ( const std::string &  algo_spec)

Get a block cipher padding method by name

Get a block cipher padding mode by name (eg "NoPadding" or "PKCS7")

Parameters
algo_specblock cipher padding mode name

Definition at line 18 of file mode_pad.cpp.

Referenced by Botan::Cipher_Mode::create().

19  {
20  if(algo_spec == "NoPadding")
21  return new Null_Padding;
22 
23  if(algo_spec == "PKCS7")
24  return new PKCS7_Padding;
25 
26  if(algo_spec == "OneAndZeros")
27  return new OneAndZeros_Padding;
28 
29  if(algo_spec == "X9.23")
30  return new ANSI_X923_Padding;
31 
32  if(algo_spec == "ESP")
33  return new ESP_Padding;
34 
35  return nullptr;
36  }
template<typename T >
constexpr uint8_t Botan::get_byte ( size_t  byte_num,
T  input 
)
inline
Keyed_Filter* Botan::get_cipher ( const std::string &  algo_spec,
Cipher_Dir  direction 
)
inline

Factory method for general symmetric cipher filters. No key will be set in the filter.

Parameters
algo_specthe name of the desired cipher
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 212 of file filters.h.

References Botan::Cipher_Mode::create_or_throw().

Referenced by get_cipher().

214  {
215  std::unique_ptr<Cipher_Mode> c(Cipher_Mode::create_or_throw(algo_spec, direction));
216  return new Cipher_Mode_Filter(c.release());
217  }
Keyed_Filter* Botan::get_cipher ( const std::string &  algo_spec,
const SymmetricKey key,
Cipher_Dir  direction 
)
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to the encryption or decryption filter

Definition at line 228 of file filters.h.

References get_cipher(), and Botan::Keyed_Filter::set_key().

231  {
232  Keyed_Filter* cipher = get_cipher(algo_spec, direction);
233  cipher->set_key(key);
234  return cipher;
235  }
Keyed_Filter * get_cipher(const std::string &algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction)
Definition: filters.h:247
Keyed_Filter* Botan::get_cipher ( const std::string &  algo_spec,
const SymmetricKey key,
const InitializationVector iv,
Cipher_Dir  direction 
)
inline

Factory method for general symmetric cipher filters.

Parameters
algo_specthe name of the desired cipher
keythe key to be used for encryption/decryption performed by the filter
ivthe initialization vector to be used
directiondetermines whether the filter will be an encrypting or decrypting filter
Returns
pointer to newly allocated encryption or decryption filter

Definition at line 247 of file filters.h.

References get_cipher(), Botan::OctetString::length(), and Botan::Keyed_Filter::set_iv().

251  {
252  Keyed_Filter* cipher = get_cipher(algo_spec, key, direction);
253  if(iv.length())
254  cipher->set_iv(iv);
255  return cipher;
256  }
Keyed_Filter * get_cipher(const std::string &algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction)
Definition: filters.h:247
Cipher_Mode* Botan::get_cipher_mode ( const std::string &  algo_spec,
Cipher_Dir  direction,
const std::string &  provider = "" 
)
inline

Get a cipher mode by name (eg "AES-128/CBC" or "Serpent/XTS")

Parameters
algo_speccipher name
directionENCRYPTION or DECRYPTION
providerprovider implementation to choose

Definition at line 189 of file cipher_mode.h.

References Botan::Cipher_Mode::create().

192  {
193  return Cipher_Mode::create(algo_spec, direction, provider).release();
194  }
EME * Botan::get_eme ( const std::string &  algo_spec)

Factory method for EME (message-encoding methods for encryption) objects

Parameters
algo_specthe name of the EME to create
Returns
pointer to newly allocated object of that type

Definition at line 27 of file eme.cpp.

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_count(), Botan::HashFunction::create(), hash, and parse_algorithm_name().

Referenced by Botan::PK_Ops::Decryption_with_EME::Decryption_with_EME(), and Botan::PK_Ops::Encryption_with_EME::Encryption_with_EME().

28  {
29 #if defined(BOTAN_HAS_EME_RAW)
30  if(algo_spec == "Raw")
31  return new EME_Raw;
32 #endif
33 
34 #if defined(BOTAN_HAS_EME_PKCS1)
35  if(algo_spec == "PKCS1v15" || algo_spec == "EME-PKCS1-v1_5")
36  return new EME_PKCS1v15;
37 #endif
38 
39 #if defined(BOTAN_HAS_EME_OAEP)
40  SCAN_Name req(algo_spec);
41 
42  if(req.algo_name() == "OAEP" ||
43  req.algo_name() == "EME-OAEP" ||
44  req.algo_name() == "EME1")
45  {
46  if(req.arg_count() == 1 ||
47  ((req.arg_count() == 2 || req.arg_count() == 3) && req.arg(1) == "MGF1"))
48  {
49  if(auto hash = HashFunction::create(req.arg(0)))
50  return new OAEP(hash.release(), req.arg(2, ""));
51  }
52  else if(req.arg_count() == 2 || req.arg_count() == 3)
53  {
54  auto mgf_params = parse_algorithm_name(req.arg(1));
55 
56  if(mgf_params.size() == 2 && mgf_params[0] == "MGF1")
57  {
58  auto hash = HashFunction::create(req.arg(0));
59  auto mgf1_hash = HashFunction::create(mgf_params[1]);
60 
61  if(hash && mgf1_hash)
62  {
63  return new OAEP(hash.release(), mgf1_hash.release(), req.arg(2, ""));
64  }
65  }
66  }
67  }
68 #endif
69 
70  throw Algorithm_Not_Found(algo_spec);
71  }
std::vector< std::string > parse_algorithm_name(const std::string &namex)
Definition: parsing.cpp:95
MechanismType hash
EMSA * Botan::get_emsa ( const std::string &  algo_spec)

Factory method for EMSA (message-encoding methods for signatures with appendix) objects

Parameters
algo_specthe name of the EMSA to create
Returns
pointer to newly allocated object of that type

Definition at line 44 of file emsa.cpp.

References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::arg(), Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_count(), Botan::SCAN_Name::arg_count_between(), Botan::HashFunction::create(), hash, and salt_size.

45  {
46  SCAN_Name req(algo_spec);
47 
48 #if defined(BOTAN_HAS_EMSA1)
49  if(req.algo_name() == "EMSA1" && req.arg_count() == 1)
50  {
51  if(auto hash = HashFunction::create(req.arg(0)))
52  return new EMSA1(hash.release());
53  }
54 #endif
55 
56 #if defined(BOTAN_HAS_EMSA_PKCS1)
57  if(req.algo_name() == "EMSA_PKCS1" ||
58  req.algo_name() == "PKCS1v15" ||
59  req.algo_name() == "EMSA-PKCS1-v1_5" ||
60  req.algo_name() == "EMSA3")
61  {
62  if(req.arg_count() == 2 && req.arg(0) == "Raw")
63  {
64  return new EMSA_PKCS1v15_Raw(req.arg(1));
65  }
66  else if(req.arg_count() == 1)
67  {
68  if(req.arg(0) == "Raw")
69  {
70  return new EMSA_PKCS1v15_Raw;
71  }
72  else
73  {
74  if(auto hash = HashFunction::create(req.arg(0)))
75  {
76  return new EMSA_PKCS1v15(hash.release());
77  }
78  }
79  }
80  }
81 #endif
82 
83 #if defined(BOTAN_HAS_EMSA_PSSR)
84  if(req.algo_name() == "PSS_Raw" ||
85  req.algo_name() == "PSSR_Raw")
86  {
87  if(req.arg_count_between(1, 3) && req.arg(1, "MGF1") == "MGF1")
88  {
89  if(auto h = HashFunction::create(req.arg(0)))
90  {
91  if(req.arg_count() == 3)
92  {
93  const size_t salt_size = req.arg_as_integer(2, 0);
94  return new PSSR_Raw(h.release(), salt_size);
95  }
96  else
97  {
98  return new PSSR_Raw(h.release());
99  }
100  }
101  }
102  }
103 
104  if(req.algo_name() == "PSS" ||
105  req.algo_name() == "PSSR" ||
106  req.algo_name() == "EMSA-PSS" ||
107  req.algo_name() == "PSS-MGF1" ||
108  req.algo_name() == "EMSA4")
109  {
110  if(req.arg_count_between(1, 3) && req.arg(1, "MGF1") == "MGF1")
111  {
112  if(auto h = HashFunction::create(req.arg(0)))
113  {
114  if(req.arg_count() == 3)
115  {
116  const size_t salt_size = req.arg_as_integer(2, 0);
117  return new PSSR(h.release(), salt_size);
118  }
119  else
120  {
121  return new PSSR(h.release());
122  }
123  }
124  }
125  }
126 #endif
127 
128 #if defined(BOTAN_HAS_ISO_9796)
129  if(req.algo_name() == "ISO_9796_DS2")
130  {
131  if(req.arg_count_between(1, 3))
132  {
133  if(auto h = HashFunction::create(req.arg(0)))
134  {
135  const size_t salt_size = req.arg_as_integer(2, h->output_length());
136  const bool implicit = req.arg(1, "exp") == "imp";
137  return new ISO_9796_DS2(h.release(), implicit, salt_size);
138  }
139  }
140  }
141  //ISO-9796-2 DS 3 is deterministic and DS2 without a salt
142  if(req.algo_name() == "ISO_9796_DS3")
143  {
144  if(req.arg_count_between(1, 2))
145  {
146  if(auto h = HashFunction::create(req.arg(0)))
147  {
148  const bool implicit = req.arg(1, "exp") == "imp";
149  return new ISO_9796_DS3(h.release(), implicit);
150  }
151  }
152  }
153 #endif
154 
155 #if defined(BOTAN_HAS_EMSA_X931)
156  if(req.algo_name() == "EMSA_X931" ||
157  req.algo_name() == "EMSA2" ||
158  req.algo_name() == "X9.31")
159  {
160  if(req.arg_count() == 1)
161  {
162  if(auto hash = HashFunction::create(req.arg(0)))
163  {
164  return new EMSA_X931(hash.release());
165  }
166  }
167  }
168 #endif
169 
170 #if defined(BOTAN_HAS_EMSA_RAW)
171  if(req.algo_name() == "Raw")
172  {
173  if(req.arg_count() == 0)
174  {
175  return new EMSA_Raw;
176  }
177  else
178  {
179  auto hash = HashFunction::create(req.arg(0));
180  if(hash)
181  return new EMSA_Raw(hash->output_length());
182  }
183  }
184 #endif
185 
186  throw Algorithm_Not_Found(algo_spec);
187  }
size_t salt_size
MechanismType hash
BOTAN_TEST_API std::vector< std::string > Botan::get_files_recursive ( const std::string &  dir)

Definition at line 126 of file filesystem.cpp.

References BOTAN_UNUSED.

127  {
128  std::vector<std::string> files;
129 
130 #if defined(BOTAN_TARGET_OS_HAS_POSIX1)
131  files = impl_readdir(dir);
132 #elif defined(BOTAN_TARGET_OS_HAS_WIN32)
133  files = impl_win32(dir);
134 #else
135  BOTAN_UNUSED(dir);
136  throw No_Filesystem_Access();
137 #endif
138 
139  std::sort(files.begin(), files.end());
140 
141  return files;
142  }
#define BOTAN_UNUSED(...)
Definition: assert.h:142
KDF * Botan::get_kdf ( const std::string &  algo_spec)

Factory method for KDF (key derivation function)

Parameters
algo_specthe name of the KDF to create
Returns
pointer to newly allocated object of that type

Definition at line 241 of file kdf.cpp.

References Botan::SCAN_Name::algo_name(), and Botan::KDF::create().

Referenced by botan_kdf(), Botan::PK_Ops::KEM_Decryption_with_KDF::KEM_Decryption_with_KDF(), Botan::PK_Ops::KEM_Encryption_with_KDF::KEM_Encryption_with_KDF(), Botan::PK_Ops::Key_Agreement_with_KDF::Key_Agreement_with_KDF(), and Botan::TLS::Handshake_State::protocol_specific_prf().

242  {
243  SCAN_Name request(algo_spec);
244 
245  if(request.algo_name() == "Raw")
246  return nullptr; // No KDF
247 
248  //return KDF::create_or_throw(algo_spec).release();
249  auto kdf = KDF::create(algo_spec);
250  if(!kdf)
251  throw Algorithm_Not_Found(algo_spec);
252  return kdf.release();
253  }
PBKDF* Botan::get_pbkdf ( const std::string &  algo_spec,
const std::string &  provider = "" 
)
inline

Password based key derivation function factory method

Parameters
algo_specthe name of the desired PBKDF algorithm
providerthe provider to use
Returns
pointer to newly allocated object of that type

Definition at line 232 of file pbkdf.h.

References Botan::PBKDF::create_or_throw().

Referenced by get_s2k(), and Botan::TLS::Session_Manager_SQL::Session_Manager_SQL().

234  {
235  return PBKDF::create_or_throw(algo_spec, provider).release();
236  }
PBKDF* Botan::get_s2k ( const std::string &  algo_spec)
inline

Definition at line 238 of file pbkdf.h.

References get_pbkdf().

239  {
240  return get_pbkdf(algo_spec);
241  }
PBKDF * get_pbkdf(const std::string &algo_spec, const std::string &provider="")
Definition: pbkdf.h:232
BOTAN_TEST_API const std::vector< std::string > Botan::get_sig_paddings ( const std::string  algo)

Returns the allowed padding schemes when using the given algorithm (key type) for creating digital signatures.

Parameters
algothe algorithm for which to look up supported padding schemes
Returns
a vector of supported padding schemes

Definition at line 32 of file padding.cpp.

Referenced by sig_algo_and_pad_ok().

33  {
34  if(allowed_signature_paddings.count(algo) > 0)
35  return allowed_signature_paddings.at(algo);
36  return {};
37  }
const std::map< const std::string, std::vector< std::string > > allowed_signature_paddings
Definition: padding.cpp:20
gf2m Botan::gray_to_lex ( gf2m  gray)
inline

Definition at line 31 of file code_based_util.h.

32  {
33  gf2m result = gray ^ (gray >> 8);
34  result ^= (result >> 4);
35  result ^= (result >> 2);
36  result ^= (result >> 1);
37  return result;
38  }
uint16_t gf2m
Definition: gf2m_small_m.h:22
BOTAN_TEST_API bool Botan::has_filesystem_impl ( )

Definition at line 115 of file filesystem.cpp.

116  {
117 #if defined(BOTAN_TARGET_OS_HAS_POSIX1)
118  return true;
119 #elif defined(BOTAN_TARGET_OS_HAS_WIN32)
120  return true;
121 #else
122  return false;
123 #endif
124  }
std::string Botan::hash_for_emsa ( const std::string &  algo_spec)

Returns the hash function used in the given EMSA scheme If the hash function is not specified or not understood, returns "SHA-512"

Parameters
algo_specthe name of the EMSA
Returns
hash function used in the given EMSA scheme

Definition at line 189 of file emsa.cpp.

References Botan::SCAN_Name::arg(), and Botan::SCAN_Name::arg_count().

Referenced by Botan::PKCS11::MechanismWrapper::create_ecdsa_mechanism().

190  {
191  SCAN_Name emsa_name(algo_spec);
192 
193  if(emsa_name.arg_count() > 0)
194  {
195  const std::string pos_hash = emsa_name.arg(0);
196  return pos_hash;
197  }
198 
199  // If we don't understand what this is return a safe default
200 #if defined(BOTAN_HAS_SHA2_64)
201  return "SHA-512";
202 #else
203  return "SHA-256";
204 #endif
205  }
size_t Botan::hex_decode ( uint8_t  output[],
const char  input[],
size_t  input_length,
size_t &  input_consumed,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
input_consumedis an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input.
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 89 of file hex.cpp.

References clear_mem().

Referenced by botan_hex_decode(), Botan::Hex_Decoder::end_msg(), Botan::Data_Store::get1_memvec(), hex_decode(), hex_decode_locked(), Botan::OctetString::OctetString(), Botan::UUID::UUID(), and Botan::Hex_Decoder::write().

94  {
95  uint8_t* out_ptr = output;
96  bool top_nibble = true;
97 
98  clear_mem(output, input_length / 2);
99 
100  for(size_t i = 0; i != input_length; ++i)
101  {
102  const uint8_t bin = hex_char_to_bin(input[i]);
103 
104  if(bin >= 0x10)
105  {
106  if(bin == 0x80 && ignore_ws)
107  continue;
108 
109  std::string bad_char(1, input[i]);
110  if(bad_char == "\t")
111  bad_char = "\\t";
112  else if(bad_char == "\n")
113  bad_char = "\\n";
114 
115  throw Invalid_Argument(
116  std::string("hex_decode: invalid hex character '") +
117  bad_char + "'");
118  }
119 
120  if(top_nibble)
121  *out_ptr |= bin << 4;
122  else
123  *out_ptr |= bin;
124 
125  top_nibble = !top_nibble;
126  if(top_nibble)
127  ++out_ptr;
128  }
129 
130  input_consumed = input_length;
131  size_t written = (out_ptr - output);
132 
133  /*
134  * We only got half of a uint8_t at the end; zap the half-written
135  * output and mark it as unread
136  */
137  if(!top_nibble)
138  {
139  *out_ptr = 0;
140  input_consumed -= 1;
141  }
142 
143  return written;
144  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
size_t Botan::hex_decode ( uint8_t  output[],
const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
input_lengthlength of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 146 of file hex.cpp.

References hex_decode().

150  {
151  size_t consumed = 0;
152  size_t written = hex_decode(output, input, input_length,
153  consumed, ignore_ws);
154 
155  if(consumed != input_length)
156  throw Invalid_Argument("hex_decode: input did not have full bytes");
157 
158  return written;
159  }
std::vector< uint8_t > hex_decode(const std::string &input, bool ignore_ws)
Definition: hex.cpp:204
size_t Botan::hex_decode ( uint8_t  output[],
const std::string &  input,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
outputan array of at least input_length/2 bytes
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
number of bytes written to output

Definition at line 161 of file hex.cpp.

References hex_decode().

164  {
165  return hex_decode(output, input.data(), input.length(), ignore_ws);
166  }
std::vector< uint8_t > hex_decode(const std::string &input, bool ignore_ws)
Definition: hex.cpp:204
std::vector< uint8_t > Botan::hex_decode ( const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 189 of file hex.cpp.

References hex_decode().

192  {
193  std::vector<uint8_t> bin(1 + input_length / 2);
194 
195  size_t written = hex_decode(bin.data(),
196  input,
197  input_length,
198  ignore_ws);
199 
200  bin.resize(written);
201  return bin;
202  }
std::vector< uint8_t > hex_decode(const std::string &input, bool ignore_ws)
Definition: hex.cpp:204
std::vector< uint8_t > Botan::hex_decode ( const std::string &  input,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 204 of file hex.cpp.

References hex_decode().

206  {
207  return hex_decode(input.data(), input.size(), ignore_ws);
208  }
std::vector< uint8_t > hex_decode(const std::string &input, bool ignore_ws)
Definition: hex.cpp:204
secure_vector< uint8_t > Botan::hex_decode_locked ( const char  input[],
size_t  input_length,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
inputsome hex input
input_lengththe length of input in bytes
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 168 of file hex.cpp.

References hex_decode().

Referenced by Botan::BigInt::decode(), hex_decode_locked(), and Botan::RTSS_Share::RTSS_Share().

171  {
172  secure_vector<uint8_t> bin(1 + input_length / 2);
173 
174  size_t written = hex_decode(bin.data(),
175  input,
176  input_length,
177  ignore_ws);
178 
179  bin.resize(written);
180  return bin;
181  }
std::vector< uint8_t > hex_decode(const std::string &input, bool ignore_ws)
Definition: hex.cpp:204
secure_vector< uint8_t > Botan::hex_decode_locked ( const std::string &  input,
bool  ignore_ws = true 
)

Perform hex decoding

Parameters
inputsome hex input
ignore_wsignore whitespace on input; if false, throw an exception if whitespace is encountered
Returns
decoded hex output

Definition at line 183 of file hex.cpp.

References hex_decode_locked().

185  {
186  return hex_decode_locked(input.data(), input.size(), ignore_ws);
187  }
secure_vector< uint8_t > hex_decode_locked(const std::string &input, bool ignore_ws)
Definition: hex.cpp:183
void Botan::hex_encode ( char  output[],
const uint8_t  input[],
size_t  input_length,
bool  uppercase = true 
)

Perform hex encoding

Parameters
outputan array of at least input_length*2 bytes
inputis some binary data
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?

Definition at line 31 of file hex.cpp.

Referenced by Botan::Data_Store::add(), botan_hex_encode(), create_hex_fingerprint(), hex_encode(), Botan::X509_Certificate::issuer_info(), Botan::TLS::Session_Manager_SQL::load_from_session_id(), Botan::TLS::Session_Manager_In_Memory::load_from_session_id(), Botan::TLS::Session_Manager_SQL::remove_entry(), Botan::TLS::Session_Manager_In_Memory::remove_entry(), Botan::TLS::Session_Manager_SQL::save(), Botan::TLS::Session_Manager_In_Memory::save(), Botan::X509_Certificate::subject_info(), Botan::BigInt::to_hex_string(), Botan::OctetString::to_string(), Botan::UUID::to_string(), Botan::RTSS_Share::to_string(), Botan::X509_Certificate::to_string(), Botan::HTTP::url_encode(), and Botan::UUID::UUID().

35  {
36  for(size_t i = 0; i != input_length; ++i)
37  {
38  const uint8_t n0 = (input[i] >> 4) & 0xF;
39  const uint8_t n1 = (input[i] ) & 0xF;
40 
41  output[2*i ] = hex_encode_nibble(n0, uppercase);
42  output[2*i+1] = hex_encode_nibble(n1, uppercase);
43  }
44  }
template<typename Alloc >
std::string Botan::hex_encode ( const std::vector< uint8_t, Alloc > &  input,
bool  uppercase = true 
)

Perform hex encoding

Parameters
inputsome input
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 46 of file hex.h.

References hex_encode().

48  {
49  return hex_encode(input.data(), input.size(), uppercase);
50  }
std::string hex_encode(const std::vector< uint8_t, Alloc > &input, bool uppercase=true)
Definition: hex.h:46
std::string Botan::hex_encode ( const uint8_t  input[],
size_t  input_length,
bool  uppercase = true 
)

Perform hex encoding

Parameters
inputsome input
input_lengthlength of input in bytes
uppercaseshould output be upper or lower case?
Returns
hexadecimal representation of input

Definition at line 46 of file hex.cpp.

References hex_encode().

49  {
50  std::string output(2 * input_length, 0);
51 
52  if(input_length)
53  hex_encode(&output.front(), input, input_length, uppercase);
54 
55  return output;
56  }
std::string hex_encode(const uint8_t input[], size_t input_length, bool uppercase)
Definition: hex.cpp:46
template<typename T >
size_t Botan::high_bit ( T  n)
inline

Return the index of the highest set bit T is an unsigned integer type

Parameters
nan integer value
Returns
index of the highest set bit in n

Definition at line 55 of file bit_ops.h.

References ct_is_zero(), and T.

Referenced by Botan::OID::encode_into(), random_prime(), and Botan::BigInt::top_bits_free().

56  {
57  size_t hb = 0;
58 
59  for(size_t s = 8*sizeof(T) / 2; s > 0; s /= 2)
60  {
61  const size_t z = s * ((~ct_is_zero(n >> s)) & 1);
62  hb += z;
63  n >>= z;
64  }
65 
66  hb += n;
67 
68  return hb;
69  }
T ct_is_zero(T x)
Definition: bit_ops.h:32
fe T
Definition: ge.cpp:37
secure_vector< uint8_t > Botan::hkdf_expand_label ( const std::string &  hash_fn,
const uint8_t  secret[],
size_t  secret_len,
const std::string &  label,
const uint8_t  hash_val[],
size_t  hash_val_len,
size_t  length 
)

HKDF-Expand-Label from TLS 1.3/QUIC

Parameters
hash_fnthe hash to use
secretthe secret bits
secret_lenthe length of secret
labelthe full label (no "TLS 1.3, " or "tls13 " prefix is applied)
hash_valthe previous hash value (used for chaining, may be empty)
hash_val_lenthe length of hash_val
lengththe desired output length

Definition at line 80 of file hkdf.cpp.

References BOTAN_ARG_CHECK, cast_char_ptr_to_uint8(), copy_mem(), Botan::MessageAuthenticationCode::create_or_throw(), and get_byte().

85  {
86  BOTAN_ARG_CHECK(length <= 0xFFFF, "HKDF-Expand-Label requested output too large");
87  BOTAN_ARG_CHECK(label.size() <= 0xFF, "HKDF-Expand-Label label too long");
88  BOTAN_ARG_CHECK(hash_val_len <= 0xFF, "HKDF-Expand-Label hash too long");
89 
90  const uint16_t length16 = static_cast<uint16_t>(length);
91 
92  auto mac = MessageAuthenticationCode::create_or_throw("HMAC(" + hash_fn + ")");
93 
94  HKDF_Expand hkdf(mac.release());
95 
96  secure_vector<uint8_t> output(length16);
97  std::vector<uint8_t> prefix(3 + label.size() + 1);
98 
99  prefix[0] = get_byte(0, length16);
100  prefix[1] = get_byte(1, length16);
101  prefix[2] = static_cast<uint8_t>(label.size());
102 
103  copy_mem(prefix.data() + 3,
104  cast_char_ptr_to_uint8(label.data()),
105  label.size());
106 
107  prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
108 
109  /*
110  * We do something a little dirty here to avoid copying the hash_val,
111  * making use of the fact that Botan's KDF interface supports label+salt,
112  * and knowing that our HKDF hashes first param label then param salt.
113  */
114  hkdf.kdf(output.data(), output.size(),
115  secret, secret_len,
116  hash_val, hash_val_len,
117  prefix.data(), prefix.size());
118 
119  return output;
120  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:190
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
bool Botan::host_wildcard_match ( const std::string &  wildcard,
const std::string &  host 
)

Check if the given hostname is a match for the specified wildcard

Definition at line 339 of file parsing.cpp.

References tolower_string().

Referenced by Botan::X509_Certificate::matches_dns_name().

340  {
341  const std::string issued = tolower_string(issued_);
342  const std::string host = tolower_string(host_);
343 
344  if(host.empty() || issued.empty())
345  return false;
346 
347  /*
348  If there are embedded nulls in your issued name
349  Well I feel bad for you son
350  */
351  if(std::count(issued.begin(), issued.end(), char(0)) > 0)
352  return false;
353 
354  // If more than one wildcard, then issued name is invalid
355  const size_t stars = std::count(issued.begin(), issued.end(), '*');
356  if(stars > 1)
357  return false;
358 
359  // '*' is not a valid character in DNS names so should not appear on the host side
360  if(std::count(host.begin(), host.end(), '*') != 0)
361  return false;
362 
363  // Similarly a DNS name can't end in .
364  if(host[host.size() - 1] == '.')
365  return false;
366 
367  // And a host can't have an empty name component, so reject that
368  if(host.find("..") != std::string::npos)
369  return false;
370 
371  // Exact match: accept
372  if(issued == host)
373  {
374  return true;
375  }
376 
377  /*
378  Otherwise it might be a wildcard
379 
380  If the issued size is strictly longer than the hostname size it
381  couldn't possibly be a match, even if the issued value is a
382  wildcard. The only exception is when the wildcard ends up empty
383  (eg www.example.com matches www*.example.com)
384  */
385  if(issued.size() > host.size() + 1)
386  {
387  return false;
388  }
389 
390  // If no * at all then not a wildcard, and so not a match
391  if(stars != 1)
392  {
393  return false;
394  }
395 
396  /*
397  Now walk through the issued string, making sure every character
398  matches. When we come to the (singular) '*', jump forward in the
399  hostname by the corresponding amount. We know exactly how much
400  space the wildcard takes because it must be exactly `len(host) -
401  len(issued) + 1 chars`.
402 
403  We also verify that the '*' comes in the leftmost component, and
404  doesn't skip over any '.' in the hostname.
405  */
406  size_t dots_seen = 0;
407  size_t host_idx = 0;
408 
409  for(size_t i = 0; i != issued.size(); ++i)
410  {
411  dots_seen += (issued[i] == '.');
412 
413  if(issued[i] == '*')
414  {
415  // Fail: wildcard can only come in leftmost component
416  if(dots_seen > 0)
417  {
418  return false;
419  }
420 
421  /*
422  Since there is only one * we know the tail of the issued and
423  hostname must be an exact match. In this case advance host_idx
424  to match.
425  */
426  const size_t advance = (host.size() - issued.size() + 1);
427 
428  if(host_idx + advance > host.size()) // shouldn't happen
429  return false;
430 
431  // Can't be any intervening .s that we would have skipped
432  if(std::count(host.begin() + host_idx,
433  host.begin() + host_idx + advance, '.') != 0)
434  return false;
435 
436  host_idx += advance;
437  }
438  else
439  {
440  if(issued[i] != host[host_idx])
441  {
442  return false;
443  }
444 
445  host_idx += 1;
446  }
447  }
448 
449  // Wildcard issued name must have at least 3 components
450  if(dots_seen < 2)
451  {
452  return false;
453  }
454 
455  return true;
456  }
std::string tolower_string(const std::string &in)
Definition: parsing.cpp:327
uint8_t Botan::ieee1363_hash_id ( const std::string &  hash_name)

Return the IEEE 1363 hash identifier

Parameters
hash_namethe name of the hash function
Returns
uint8_t code identifying the hash, or 0 if not known

Definition at line 146 of file hash_id.cpp.

Referenced by Botan::EMSA_X931::EMSA_X931().

147  {
148  if(name == "SHA-160" || name == "SHA-1" || name == "SHA1")
149  return 0x33;
150 
151  if(name == "SHA-224") return 0x38;
152  if(name == "SHA-256") return 0x34;
153  if(name == "SHA-384") return 0x36;
154  if(name == "SHA-512") return 0x35;
155 
156  if(name == "RIPEMD-160") return 0x31;
157 
158  if(name == "Whirlpool") return 0x37;
159 
160  return 0;
161  }
std::string name
size_t Botan::if_work_factor ( size_t  n_bits)

Estimate work factor for integer factorization

Parameters
n_bitssize of modulus in bits
Returns
estimated security level for this modulus

Definition at line 38 of file workfactor.cpp.

Referenced by dl_work_factor(), Botan::RSA_PublicKey::estimated_strength(), and Botan::TPM_PrivateKey::estimated_strength().

39  {
40  // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest
41 
42  const double log2_k = -5.6438; // log2(.02)
43  return nfs_workfactor(bits, log2_k);
44  }
void BOTAN_UNSTABLE_API Botan::initialize_allocator ( )

Ensure the allocator is initialized

Definition at line 49 of file mem_ops.cpp.

References Botan::mlock_allocator::instance().

Referenced by Botan::Allocator_Initializer::Allocator_Initializer().

50  {
51 #if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
52  mlock_allocator::instance();
53 #endif
54  }
BigInt Botan::inverse_euclid ( const BigInt x,
const BigInt modulus 
)

Deprecated modular inversion function. Use inverse_mod instead.

Parameters
xa positive integer
modulusa positive integer
Returns
y st (x*y) % modulus == 1 or 0 if no such value

Definition at line 317 of file mod_inv.cpp.

References inverse_mod().

318  {
319  return inverse_mod(x, modulus);
320  }
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: mod_inv.cpp:250
BigInt Botan::inverse_mod ( const BigInt x,
const BigInt modulus 
)

Modular inversion. This algorithm is const time with respect to x, as long as x is less than modulus. It also avoids leaking information about the modulus, except that it does leak which of 3 categories the modulus is in: an odd integer, a power of 2, or some other even number, and if the modulus is even, leaks the power of 2 which divides the modulus.

Parameters
xa positive integer
modulusa positive integer
Returns
y st (x*y) % modulus == 1 or 0 if no such value

Definition at line 250 of file mod_inv.cpp.

References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), low_zero_bits(), Botan::BigInt::mask_bits(), Botan::BigInt::Positive, Botan::BigInt::power_of_2(), and Botan::BigInt::set_sign().

Referenced by botan_mp_mod_inverse(), Botan::RSA_PrivateKey::check_key(), Botan::Montgomery_Params::inv_mod_p(), inverse_euclid(), Botan::DL_Group::inverse_mod_p(), Botan::DL_Group::inverse_mod_q(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

251  {
252  if(mod.is_zero())
253  throw BigInt::DivideByZero();
254  if(mod.is_negative() || n.is_negative())
255  throw Invalid_Argument("inverse_mod: arguments must be non-negative");
256  if(n.is_zero() || (n.is_even() && mod.is_even()))
257  return 0;
258 
259  if(mod.is_odd())
260  {
261  /*
262  Fastpath for common case. This leaks information if n > mod
263  but we don't guarantee const time behavior in that case.
264  */
265  if(n < mod)
266  return inverse_mod_odd_modulus(n, mod);
267  else
268  return inverse_mod_odd_modulus(ct_modulo(n, mod), mod);
269  }
270 
271  const size_t mod_lz = low_zero_bits(mod);
272  BOTAN_ASSERT_NOMSG(mod_lz > 0);
273  const size_t mod_bits = mod.bits();
274  BOTAN_ASSERT_NOMSG(mod_bits > mod_lz);
275 
276  if(mod_lz == mod_bits - 1)
277  {
278  // In this case we are performing an inversion modulo 2^k
279  return inverse_mod_pow2(n, mod_lz);
280  }
281 
282  /*
283  * In this case we are performing an inversion modulo 2^k*o for
284  * some k > 1 and some odd (not necessarily prime) integer.
285  * Compute the inversions modulo 2^k and modulo o, then combine them
286  * using CRT, which is possible because 2^k and o are relatively prime.
287  */
288 
289  const BigInt o = mod >> mod_lz;
290  const BigInt n_redc = ct_modulo(n, o);
291  const BigInt inv_o = inverse_mod_odd_modulus(n_redc, o);
292  const BigInt inv_2k = inverse_mod_pow2(n, mod_lz);
293 
294  // No modular inverse in this case:
295  if(inv_o == 0 || inv_2k == 0)
296  return 0;
297 
298  const BigInt m2k = BigInt::power_of_2(mod_lz);
299  // Compute the CRT parameter
300  const BigInt c = inverse_mod_pow2(o, mod_lz);
301 
302  // Compute h = c*(inv_2k-inv_o) mod 2^k
303  BigInt h = c * (inv_2k - inv_o);
304  const bool h_neg = h.is_negative();
305  h.set_sign(BigInt::Positive);
306  h.mask_bits(mod_lz);
307  const bool h_nonzero = h.is_nonzero();
308  h.ct_cond_assign(h_nonzero && h_neg, m2k - h);
309 
310  // Return result inv_o + h * o
311  h *= o;
312  h += inv_o;
313  return h;
314  }
size_t low_zero_bits(const BigInt &n)
Definition: numthry.cpp:39
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition: divide.cpp:118
std::string Botan::ipv4_to_string ( uint32_t  ip_addr)

Convert an IPv4 address to a string

Parameters
ip_addrthe IPv4 address to convert
Returns
string representation of the IPv4 address

Definition at line 278 of file parsing.cpp.

References get_byte(), and Botan::ASN1::to_string().

Referenced by Botan::AlternativeName::decode_from(), and Botan::GeneralName::decode_from().

279  {
280  std::string str;
281 
282  for(size_t i = 0; i != sizeof(ip); ++i)
283  {
284  if(i)
285  str += ".";
286  str += std::to_string(get_byte(i, ip));
287  }
288 
289  return str;
290  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
bool BOTAN_TEST_API Botan::is_bailie_psw_probable_prime ( const BigInt n,
const Modular_Reducer mod_n 
)

Perform Bailie-PSW primality test

This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.

Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 92 of file primality.cpp.

References is_lucas_probable_prime(), and passes_miller_rabin_test().

Referenced by is_bailie_psw_probable_prime(), and is_prime().

93  {
94  auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
95  return passes_miller_rabin_test(n, mod_n, monty_n, 2) && is_lucas_probable_prime(n, mod_n);
96  }
bool is_lucas_probable_prime(const BigInt &C, const Modular_Reducer &mod_C)
Definition: primality.cpp:17
bool passes_miller_rabin_test(const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
Definition: primality.cpp:104
bool Botan::is_bailie_psw_probable_prime ( const BigInt n)

Perform Bailie-PSW primality test

This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.

Parameters
nthe positive integer to test
Returns
true if n seems probably prime, false if n is composite

Definition at line 98 of file primality.cpp.

References is_bailie_psw_probable_prime().

99  {
100  Modular_Reducer mod_n(n);
101  return is_bailie_psw_probable_prime(n, mod_n);
102  }
bool is_bailie_psw_probable_prime(const BigInt &n)
Definition: primality.cpp:98
bool BOTAN_TEST_API Botan::is_lucas_probable_prime ( const BigInt n,
const Modular_Reducer mod_n 
)

Perform Lucas primality test

See also
FIPS 186-4 C.3.3
Warning
it is possible to construct composite integers which pass this test alone.
Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
Returns
true if n seems probably prime, false if n is composite

Definition at line 17 of file primality.cpp.

References Botan::BigInt::bits(), C, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), D, Botan::BigInt::flip_sign(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), is_perfect_square(), jacobi(), Botan::Modular_Reducer::multiply(), Botan::Modular_Reducer::reduce(), and Botan::Modular_Reducer::square().

Referenced by is_bailie_psw_probable_prime(), is_prime(), and random_prime().

18  {
19  if(C <= 1)
20  return false;
21  else if(C == 2)
22  return true;
23  else if(C.is_even())
24  return false;
25  else if(C == 3 || C == 5 || C == 7 || C == 11 || C == 13)
26  return true;
27 
28  BigInt D = 5;
29 
30  for(;;)
31  {
32  int32_t j = jacobi(D, C);
33  if(j == 0)
34  return false;
35 
36  if(j == -1)
37  break;
38 
39  // Check 5, -7, 9, -11, 13, -15, 17, ...
40  if(D.is_negative())
41  {
42  D.flip_sign();
43  D += 2;
44  }
45  else
46  {
47  D += 2;
48  D.flip_sign();
49  }
50 
51  if(D == 17 && is_perfect_square(C).is_nonzero())
52  return false;
53  }
54 
55  const BigInt K = C + 1;
56  const size_t K_bits = K.bits() - 1;
57 
58  BigInt U = 1;
59  BigInt V = 1;
60 
61  BigInt Ut, Vt, U2, V2;
62 
63  for(size_t i = 0; i != K_bits; ++i)
64  {
65  const bool k_bit = K.get_bit(K_bits - 1 - i);
66 
67  Ut = mod_C.multiply(U, V);
68 
69  Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U)));
70  Vt.ct_cond_add(Vt.is_odd(), C);
71  Vt >>= 1;
72  Vt = mod_C.reduce(Vt);
73 
74  U = Ut;
75  V = Vt;
76 
77  U2 = mod_C.reduce(Ut + Vt);
78  U2.ct_cond_add(U2.is_odd(), C);
79  U2 >>= 1;
80 
81  V2 = mod_C.reduce(Vt + Ut*D);
82  V2.ct_cond_add(V2.is_odd(), C);
83  V2 >>= 1;
84 
85  U.ct_cond_assign(k_bit, U2);
86  V.ct_cond_assign(k_bit, V2);
87  }
88 
89  return (U == 0);
90  }
SIMD_8x32 D
BigInt is_perfect_square(const BigInt &C)
Definition: numthry.cpp:196
SIMD_8x32 C
int32_t jacobi(const BigInt &a, const BigInt &n)
Definition: jacobi.cpp:15
bool BOTAN_TEST_API Botan::is_miller_rabin_probable_prime ( const BigInt n,
const Modular_Reducer mod_n,
RandomNumberGenerator rng,
size_t  t 
)

Perform t iterations of a Miller-Rabin primality test with random bases

Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
rnga random number generator
tnumber of tests to perform
Returns
result of primality test

Definition at line 143 of file primality.cpp.

References BOTAN_ASSERT_NOMSG, passes_miller_rabin_test(), and Botan::BigInt::random_integer().

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

147  {
148  BOTAN_ASSERT_NOMSG(n > 1);
149 
150  auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
151 
152  for(size_t i = 0; i != test_iterations; ++i)
153  {
154  const BigInt a = BigInt::random_integer(rng, 2, n);
155 
156  if(!passes_miller_rabin_test(n, mod_n, monty_n, a))
157  return false;
158  }
159 
160  // Failed to find a counterexample
161  return true;
162  }
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
bool passes_miller_rabin_test(const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
Definition: primality.cpp:104
bool Botan::is_passhash9_alg_supported ( uint8_t  alg_id)

Check if the PRF used with PBKDF2 is supported

Parameters
alg_idalg_id used in generate_passhash9()

Definition at line 133 of file passhash9.cpp.

134  {
135  if (get_pbkdf_prf(alg_id))
136  {
137  return true;
138  }
139  return false;
140  }
BigInt Botan::is_perfect_square ( const BigInt x)

Test if the positive integer x is a perfect square ie if there exists some positive integer y st y*y == x See FIPS 186-4 sec C.4

Returns
0 if the integer is not a perfect square, otherwise returns the positive y st y*y == x

Definition at line 196 of file numthry.cpp.

References B, Botan::BigInt::bits(), C, Botan::BigInt::power_of_2(), and X.

Referenced by is_lucas_probable_prime().

197  {
198  if(C < 1)
199  throw Invalid_Argument("is_perfect_square requires C >= 1");
200  if(C == 1)
201  return 1;
202 
203  const size_t n = C.bits();
204  const size_t m = (n + 1) / 2;
205  const BigInt B = C + BigInt::power_of_2(m);
206 
207  BigInt X = BigInt::power_of_2(m) - 1;
208  BigInt X2 = (X*X);
209 
210  for(;;)
211  {
212  X = (X2 + C) / (2*X);
213  X2 = (X*X);
214 
215  if(X2 < B)
216  break;
217  }
218 
219  if(X2 == C)
220  return X;
221  else
222  return 0;
223  }
fe X
Definition: ge.cpp:27
SIMD_8x32 B
SIMD_8x32 C
template<typename T >
constexpr bool Botan::is_power_of_2 ( T  arg)
inline

Power of 2 test. T should be an unsigned integer type

Parameters
argan integer value
Returns
true iff arg is 2^n for some n > 0

Definition at line 43 of file bit_ops.h.

Referenced by Botan::MDx_HashFunction::MDx_HashFunction(), operator%(), Botan::BigInt::operator%=(), Botan::BigInt::operator/=(), Botan::Scrypt::Scrypt(), and Botan::CTR_BE::seek().

44  {
45  return (arg != 0) && (arg != 1) && ((arg & static_cast<T>(arg-1)) == 0);
46  }
bool Botan::is_prime ( const BigInt n,
RandomNumberGenerator rng,
size_t  prob = 64,
bool  is_random = false 
)

Check for primality

Parameters
na positive integer to test for primality
rnga random number generator
probchance of false positive is bounded by 1/2**prob
is_randomtrue if n was randomly chosen by us
Returns
true if all primality tests passed, otherwise false

Definition at line 228 of file numthry.cpp.

References Botan::BigInt::bits(), is_bailie_psw_probable_prime(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::RandomNumberGenerator::is_seeded(), miller_rabin_test_iterations(), PRIME_TABLE_SIZE, PRIMES, and Botan::BigInt::word_at().

Referenced by botan_mp_is_prime(), Botan::RSA_PrivateKey::check_key(), check_prime(), Botan::DL_Group::DL_Group(), generate_dsa_primes(), quick_check_prime(), random_safe_prime(), Botan::DL_Group::verify_group(), Botan::EC_Group::verify_group(), and verify_prime().

232  {
233  if(n == 2)
234  return true;
235  if(n <= 1 || n.is_even())
236  return false;
237 
238  const size_t n_bits = n.bits();
239 
240  // Fast path testing for small numbers (<= 65521)
241  if(n_bits <= 16)
242  {
243  const uint16_t num = static_cast<uint16_t>(n.word_at(0));
244 
245  return std::binary_search(PRIMES, PRIMES + PRIME_TABLE_SIZE, num);
246  }
247 
248  Modular_Reducer mod_n(n);
249 
250  if(rng.is_seeded())
251  {
252  const size_t t = miller_rabin_test_iterations(n_bits, prob, is_random);
253 
254  if(is_miller_rabin_probable_prime(n, mod_n, rng, t) == false)
255  return false;
256 
257  if(is_random)
258  return true;
259  else
260  return is_lucas_probable_prime(n, mod_n);
261  }
262  else
263  {
264  return is_bailie_psw_probable_prime(n, mod_n);
265  }
266  }
const size_t PRIME_TABLE_SIZE
Definition: numthry.h:287
bool is_lucas_probable_prime(const BigInt &C, const Modular_Reducer &mod_C)
Definition: primality.cpp:17
const uint16_t PRIMES[]
Definition: primes.cpp:12
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)
Definition: primality.cpp:165
bool is_bailie_psw_probable_prime(const BigInt &n, const Modular_Reducer &mod_n)
Definition: primality.cpp:92
bool is_miller_rabin_probable_prime(const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
Definition: primality.cpp:143
int32_t Botan::jacobi ( const BigInt a,
const BigInt n 
)

Compute the Jacobi symbol. If n is prime, this is equivalent to the Legendre symbol.

See also
http://mathworld.wolfram.com/JacobiSymbol.html
Parameters
ais a non-negative integer
nis an odd integer > 1
Returns
(n / m)

Definition at line 15 of file jacobi.cpp.

References Botan::BigInt::is_even(), Botan::BigInt::is_zero(), and low_zero_bits().

Referenced by Botan::DL_Group::DL_Group(), is_lucas_probable_prime(), and ressol().

16  {
17  if(n.is_even() || n < 2)
18  throw Invalid_Argument("jacobi: second argument must be odd and > 1");
19 
20  BigInt x = a % n;
21  BigInt y = n;
22  int32_t J = 1;
23 
24  while(y > 1)
25  {
26  x %= y;
27  if(x > y / 2)
28  {
29  x = y - x;
30  if(y % 4 == 3)
31  J = -J;
32  }
33  if(x.is_zero())
34  return 0;
35 
36  size_t shifts = low_zero_bits(x);
37  x >>= shifts;
38  if(shifts % 2)
39  {
40  word y_mod_8 = y % 8;
41  if(y_mod_8 == 3 || y_mod_8 == 5)
42  J = -J;
43  }
44 
45  if(x % 4 == 3 && y % 4 == 3)
46  J = -J;
47  std::swap(x, y);
48  }
49  return J;
50  }
size_t low_zero_bits(const BigInt &n)
Definition: numthry.cpp:39
std::string Botan::key_constraints_to_string ( Key_Constraints  constraints)

Definition at line 15 of file key_constraint.cpp.

References CRL_SIGN, DATA_ENCIPHERMENT, DECIPHER_ONLY, DIGITAL_SIGNATURE, ENCIPHER_ONLY, KEY_AGREEMENT, KEY_CERT_SIGN, KEY_ENCIPHERMENT, NO_CONSTRAINTS, and NON_REPUDIATION.

Referenced by verify_cert_constraints_valid_for_key_type().

16  {
17  std::vector<std::string> str;
18 
19  if(constraints == NO_CONSTRAINTS)
20  return "no_constraints";
21 
22  if(constraints & DIGITAL_SIGNATURE)
23  str.push_back("digital_signature");
24 
25  if(constraints & NON_REPUDIATION)
26  str.push_back("non_repudiation");
27 
28  if(constraints & KEY_ENCIPHERMENT)
29  str.push_back("key_encipherment");
30 
31  if(constraints & DATA_ENCIPHERMENT)
32  str.push_back("data_encipherment");
33 
34  if(constraints & KEY_AGREEMENT)
35  str.push_back("key_agreement");
36 
37  if(constraints & KEY_CERT_SIGN)
38  str.push_back("key_cert_sign");
39 
40  if(constraints & CRL_SIGN)
41  str.push_back("crl_sign");
42 
43  if(constraints & ENCIPHER_ONLY)
44  str.push_back("encipher_only");
45 
46  if(constraints & DECIPHER_ONLY)
47  str.push_back("decipher_only");
48 
49  // Not 0 (checked at start) but nothing matched above!
50  if(str.empty())
51  return "other_unknown_constraints";
52 
53  if(str.size() == 1)
54  return str[0];
55 
56  std::string out;
57  for(size_t i = 0; i < str.size() - 1; ++i)
58  {
59  out += str[i];
60  out += ',';
61  }
62  out += str[str.size() - 1];
63 
64  return out;
65  }
Definition: ffi.h:1572
BigInt Botan::lcm ( const BigInt x,
const BigInt y 
)

Least common multiple

Parameters
xa positive integer
ya positive integer
Returns
z, smallest integer such that z % x == 0 and z % y == 0

Definition at line 143 of file numthry.cpp.

References ct_divide(), and gcd().

Referenced by Botan::RSA_PrivateKey::check_key(), and Botan::RSA_PrivateKey::RSA_PrivateKey().

144  {
145  return ct_divide(a * b, gcd(a, b));
146  }
BigInt gcd(const BigInt &a, const BigInt &b)
Definition: numthry.cpp:81
void ct_divide(const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
Definition: divide.cpp:52
gf2m Botan::lex_to_gray ( gf2m  lex)
inline

Definition at line 40 of file code_based_util.h.

Referenced by syndrome_init().

41  {
42  return (lex >> 1) ^ lex;
43  }
uint64_t Botan::load_3 ( const uint8_t  in[3])
inline

Definition at line 19 of file ed25519_internal.h.

Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().

20  {
21  return static_cast<uint64_t>(in[0]) |
22  (static_cast<uint64_t>(in[1]) << 8) |
23  (static_cast<uint64_t>(in[2]) << 16);
24  }
uint64_t Botan::load_4 ( const uint8_t *  in)
inline

Definition at line 26 of file ed25519_internal.h.

References load_le< uint32_t >().

Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().

27  {
28  return load_le<uint32_t>(in, 0);
29  }
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:198
template<typename T >
T Botan::load_be ( const uint8_t  in[],
size_t  off 
)
inline

Load a big-endian word

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th T of in, as a big-endian value

Definition at line 107 of file loadstor.h.

References T.

Referenced by Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::XTEA::decrypt_n(), Botan::XTEA::encrypt_n(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), and Botan::SIMD_4x32::load_be().

108  {
109  in += off * sizeof(T);
110  T out = 0;
111  for(size_t i = 0; i != sizeof(T); ++i)
112  out = static_cast<T>((out << 8) | in[i]);
113  return out;
114  }
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::load_be ( const uint8_t  in[],
T x0,
T x1 
)
inline

Load two big-endian words

Parameters
ina pointer to some bytes
x0where the first word will be written
x1where the second word will be written

Definition at line 349 of file loadstor.h.

350  {
351  x0 = load_be<T>(in, 0);
352  x1 = load_be<T>(in, 1);
353  }
template<typename T >
void Botan::load_be ( const uint8_t  in[],
T x0,
T x1,
T x2,
T x3 
)
inline

Load four big-endian words

Parameters
ina pointer to some bytes
x0where the first word will be written
x1where the second word will be written
x2where the third word will be written
x3where the fourth word will be written

Definition at line 364 of file loadstor.h.

366  {
367  x0 = load_be<T>(in, 0);
368  x1 = load_be<T>(in, 1);
369  x2 = load_be<T>(in, 2);
370  x3 = load_be<T>(in, 3);
371  }
template<typename T >
void Botan::load_be ( const uint8_t  in[],
T x0,
T x1,
T x2,
T x3,
T x4,
T x5,
T x6,
T x7 
)
inline

Load eight big-endian words

Parameters
ina pointer to some bytes
x0where the first word will be written
x1where the second word will be written
x2where the third word will be written
x3where the fourth word will be written
x4where the fifth word will be written
x5where the sixth word will be written
x6where the seventh word will be written
x7where the eighth word will be written

Definition at line 386 of file loadstor.h.

389  {
390  x0 = load_be<T>(in, 0);
391  x1 = load_be<T>(in, 1);
392  x2 = load_be<T>(in, 2);
393  x3 = load_be<T>(in, 3);
394  x4 = load_be<T>(in, 4);
395  x5 = load_be<T>(in, 5);
396  x6 = load_be<T>(in, 6);
397  x7 = load_be<T>(in, 7);
398  }
template<typename T >
void Botan::load_be ( T  out[],
const uint8_t  in[],
size_t  count 
)
inline

Load a variable number of big-endian words

Parameters
outthe output array of words
inthe input array of bytes
counthow many words are in in

Definition at line 407 of file loadstor.h.

References bswap_4(), reverse_bytes(), and typecast_copy().

410  {
411  if(count > 0)
412  {
413 #if defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
414  typecast_copy(out, in, count);
415 
416 #elif defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
417  typecast_copy(out, in, count);
418  const size_t blocks = count - (count % 4);
419  const size_t left = count - blocks;
420 
421  for(size_t i = 0; i != blocks; i += 4)
422  bswap_4(out + i);
423 
424  for(size_t i = 0; i != left; ++i)
425  out[blocks+i] = reverse_bytes(out[blocks+i]);
426 #else
427  for(size_t i = 0; i != count; ++i)
428  out[i] = load_be<T>(in, i);
429 #endif
430  }
431  }
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
void bswap_4(T x[4])
Definition: bswap.h:98
uint16_t reverse_bytes(uint16_t val)
Definition: bswap.h:25
template<>
uint16_t Botan::load_be< uint16_t > ( const uint8_t  in[],
size_t  off 
)
inline

Load a big-endian uint16_t

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th uint16_t of in, as a big-endian value

Definition at line 139 of file loadstor.h.

References make_uint16(), and typecast_copy().

Referenced by Botan::TLS::Datagram_Handshake_IO::add_record(), check_passhash9(), Botan::KASUMI::decrypt_n(), Botan::MISTY1::decrypt_n(), Botan::KASUMI::encrypt_n(), Botan::MISTY1::encrypt_n(), and ucs2_to_utf8().

140  {
141  in += off * sizeof(uint16_t);
142 
143 #if defined(BOTAN_ENDIAN_N2B)
144  uint16_t x;
145  typecast_copy(x, in);
146  return BOTAN_ENDIAN_N2B(x);
147 #else
148  return make_uint16(in[0], in[1]);
149 #endif
150  }
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:54
template<>
uint32_t Botan::load_be< uint32_t > ( const uint8_t  in[],
size_t  off 
)
inline

Load a big-endian uint32_t

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th uint32_t of in, as a big-endian value

Definition at line 179 of file loadstor.h.

References make_uint32(), and typecast_copy().

Referenced by base58_check_decode(), Botan::SHA_256::compress_digest(), Botan::AlternativeName::decode_from(), Botan::GeneralName::decode_from(), Botan::CAST_256::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SM4::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SM4::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::CAST_256::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::HOTP::generate_hotp(), Botan::CTR_BE::seek(), and ucs4_to_utf8().

180  {
181  in += off * sizeof(uint32_t);
182 #if defined(BOTAN_ENDIAN_N2B)
183  uint32_t x;
184  typecast_copy(x, in);
185  return BOTAN_ENDIAN_N2B(x);
186 #else
187  return make_uint32(in[0], in[1], in[2], in[3]);
188 #endif
189  }
constexpr uint32_t make_uint32(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
Definition: loadstor.h:67
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
template<>
uint64_t Botan::load_be< uint64_t > ( const uint8_t  in[],
size_t  off 
)
inline

Load a big-endian uint64_t

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th uint64_t of in, as a big-endian value

Definition at line 217 of file loadstor.h.

References make_uint64(), and typecast_copy().

Referenced by Botan::SHA_512::compress_digest(), Botan::TLS::Session::decrypt(), nist_key_unwrap_padded(), and Botan::TLS::Server_Hello::random_signals_downgrade().

218  {
219  in += off * sizeof(uint64_t);
220 #if defined(BOTAN_ENDIAN_N2B)
221  uint64_t x;
222  typecast_copy(x, in);
223  return BOTAN_ENDIAN_N2B(x);
224 #else
225  return make_uint64(in[0], in[1], in[2], in[3],
226  in[4], in[5], in[6], in[7]);
227 #endif
228  }
constexpr uint64_t make_uint64(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7)
Definition: loadstor.h:87
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
template<typename T >
T Botan::load_le ( const uint8_t  in[],
size_t  off 
)
inline

Load a little-endian word

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th T of in, as a litte-endian value

Definition at line 123 of file loadstor.h.

References T.

Referenced by Botan::Twofish::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Twofish::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), and Botan::SIMD_4x32::load_le().

124  {
125  in += off * sizeof(T);
126  T out = 0;
127  for(size_t i = 0; i != sizeof(T); ++i)
128  out = (out << 8) | in[sizeof(T)-1-i];
129  return out;
130  }
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::load_le ( const uint8_t  in[],
T x0,
T x1 
)
inline

Load two little-endian words

Parameters
ina pointer to some bytes
x0where the first word will be written
x1where the second word will be written

Definition at line 257 of file loadstor.h.

258  {
259  x0 = load_le<T>(in, 0);
260  x1 = load_le<T>(in, 1);
261  }
template<typename T >
void Botan::load_le ( const uint8_t  in[],
T x0,
T x1,
T x2,
T x3 
)
inline

Load four little-endian words

Parameters
ina pointer to some bytes
x0where the first word will be written
x1where the second word will be written
x2where the third word will be written
x3where the fourth word will be written

Definition at line 272 of file loadstor.h.

274  {
275  x0 = load_le<T>(in, 0);
276  x1 = load_le<T>(in, 1);
277  x2 = load_le<T>(in, 2);
278  x3 = load_le<T>(in, 3);
279  }
template<typename T >
void Botan::load_le ( const uint8_t  in[],
T x0,
T x1,
T x2,
T x3,
T x4,
T x5,
T x6,
T x7 
)
inline

Load eight little-endian words

Parameters
ina pointer to some bytes
x0where the first word will be written
x1where the second word will be written
x2where the third word will be written
x3where the fourth word will be written
x4where the fifth word will be written
x5where the sixth word will be written
x6where the seventh word will be written
x7where the eighth word will be written

Definition at line 294 of file loadstor.h.

297  {
298  x0 = load_le<T>(in, 0);
299  x1 = load_le<T>(in, 1);
300  x2 = load_le<T>(in, 2);
301  x3 = load_le<T>(in, 3);
302  x4 = load_le<T>(in, 4);
303  x5 = load_le<T>(in, 5);
304  x6 = load_le<T>(in, 6);
305  x7 = load_le<T>(in, 7);
306  }
template<typename T >
void Botan::load_le ( T  out[],
const uint8_t  in[],
size_t  count 
)
inline

Load a variable number of little-endian words

Parameters
outthe output array of words
inthe input array of bytes
counthow many words are in in

Definition at line 315 of file loadstor.h.

References bswap_4(), reverse_bytes(), and typecast_copy().

318  {
319  if(count > 0)
320  {
321 #if defined(BOTAN_TARGET_CPU_IS_LITTLE_ENDIAN)
322  typecast_copy(out, in, count);
323 
324 #elif defined(BOTAN_TARGET_CPU_IS_BIG_ENDIAN)
325  typecast_copy(out, in, count);
326 
327  const size_t blocks = count - (count % 4);
328  const size_t left = count - blocks;
329 
330  for(size_t i = 0; i != blocks; i += 4)
331  bswap_4(out + i);
332 
333  for(size_t i = 0; i != left; ++i)
334  out[blocks+i] = reverse_bytes(out[blocks+i]);
335 #else
336  for(size_t i = 0; i != count; ++i)
337  out[i] = load_le<T>(in, i);
338 #endif
339  }
340  }
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
void bswap_4(T x[4])
Definition: bswap.h:98
uint16_t reverse_bytes(uint16_t val)
Definition: bswap.h:25
template<>
uint16_t Botan::load_le< uint16_t > ( const uint8_t  in[],
size_t  off 
)
inline

Load a little-endian uint16_t

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th uint16_t of in, as a little-endian value

Definition at line 159 of file loadstor.h.

References make_uint16(), and typecast_copy().

160  {
161  in += off * sizeof(uint16_t);
162 
163 #if defined(BOTAN_ENDIAN_N2L)
164  uint16_t x;
165  typecast_copy(x, in);
166  return BOTAN_ENDIAN_N2L(x);
167 #else
168  return make_uint16(in[1], in[0]);
169 #endif
170  }
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:54
template<>
uint32_t Botan::load_le< uint32_t > ( const uint8_t  in[],
size_t  off 
)
inline

Load a little-endian uint32_t

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th uint32_t of in, as a little-endian value

Definition at line 198 of file loadstor.h.

References make_uint32(), and typecast_copy().

Referenced by Botan::Sodium::crypto_core_hsalsa20(), Botan::GOST_28147_89::decrypt_n(), Botan::GOST_28147_89::encrypt_n(), load_4(), random_prime(), Botan::RDRAND_RNG::rdrand(), Botan::RDRAND_RNG::rdrand_status(), Botan::Salsa20::seek(), Botan::ChaCha::seek(), Botan::Salsa20::set_iv(), and Botan::ChaCha::set_iv().

199  {
200  in += off * sizeof(uint32_t);
201 #if defined(BOTAN_ENDIAN_N2L)
202  uint32_t x;
203  typecast_copy(x, in);
204  return BOTAN_ENDIAN_N2L(x);
205 #else
206  return make_uint32(in[3], in[2], in[1], in[0]);
207 #endif
208  }
constexpr uint32_t make_uint32(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3)
Definition: loadstor.h:67
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
template<>
uint64_t Botan::load_le< uint64_t > ( const uint8_t  in[],
size_t  off 
)
inline

Load a little-endian uint64_t

Parameters
ina pointer to some bytes
offan offset into the array
Returns
off'th uint64_t of in, as a little-endian value

Definition at line 237 of file loadstor.h.

References make_uint64(), and typecast_copy().

Referenced by Botan::SHA_3::absorb(), Botan::Threefish_512::set_tweak(), and Botan::Sodium::sodium_free().

238  {
239  in += off * sizeof(uint64_t);
240 #if defined(BOTAN_ENDIAN_N2L)
241  uint64_t x;
242  typecast_copy(x, in);
243  return BOTAN_ENDIAN_N2L(x);
244 #else
245  return make_uint64(in[7], in[6], in[5], in[4],
246  in[3], in[2], in[1], in[0]);
247 #endif
248  }
constexpr uint64_t make_uint64(uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7)
Definition: loadstor.h:87
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
std::unique_ptr< Private_Key > Botan::load_private_key ( const AlgorithmIdentifier alg_id,
const secure_vector< uint8_t > &  key_bits 
)

Definition at line 163 of file pk_algs.cpp.

References Botan::AlgorithmIdentifier::get_oid(), and Botan::OID::to_formatted_string().

165  {
166  const std::string alg_name = alg_id.get_oid().to_formatted_string();
167 
168 #if defined(BOTAN_HAS_RSA)
169  if(alg_name == "RSA")
170  return std::unique_ptr<Private_Key>(new RSA_PrivateKey(alg_id, key_bits));
171 #endif
172 
173 #if defined(BOTAN_HAS_CURVE_25519)
174  if(alg_name == "Curve25519")
175  return std::unique_ptr<Private_Key>(new Curve25519_PrivateKey(alg_id, key_bits));
176 #endif
177 
178 #if defined(BOTAN_HAS_ECDSA)
179  if(alg_name == "ECDSA")
180  return std::unique_ptr<Private_Key>(new ECDSA_PrivateKey(alg_id, key_bits));
181 #endif
182 
183 #if defined(BOTAN_HAS_ECDH)
184  if(alg_name == "ECDH")
185  return std::unique_ptr<Private_Key>(new ECDH_PrivateKey(alg_id, key_bits));
186 #endif
187 
188 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
189  if(alg_name == "DH")
190  return std::unique_ptr<Private_Key>(new DH_PrivateKey(alg_id, key_bits));
191 #endif
192 
193 #if defined(BOTAN_HAS_DSA)
194  if(alg_name == "DSA")
195  return std::unique_ptr<Private_Key>(new DSA_PrivateKey(alg_id, key_bits));
196 #endif
197 
198 #if defined(BOTAN_HAS_MCELIECE)
199  if(alg_name == "McEliece")
200  return std::unique_ptr<Private_Key>(new McEliece_PrivateKey(key_bits));
201 #endif
202 
203 #if defined(BOTAN_HAS_ECGDSA)
204  if(alg_name == "ECGDSA")
205  return std::unique_ptr<Private_Key>(new ECGDSA_PrivateKey(alg_id, key_bits));
206 #endif
207 
208 #if defined(BOTAN_HAS_ECKCDSA)
209  if(alg_name == "ECKCDSA")
210  return std::unique_ptr<Private_Key>(new ECKCDSA_PrivateKey(alg_id, key_bits));
211 #endif
212 
213 #if defined(BOTAN_HAS_ED25519)
214  if(alg_name == "Ed25519")
215  return std::unique_ptr<Private_Key>(new Ed25519_PrivateKey(alg_id, key_bits));
216 #endif
217 
218 #if defined(BOTAN_HAS_GOST_34_10_2001)
219  if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512")
220  return std::unique_ptr<Private_Key>(new GOST_3410_PrivateKey(alg_id, key_bits));
221 #endif
222 
223 #if defined(BOTAN_HAS_SM2)
224  if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc")
225  return std::unique_ptr<Private_Key>(new SM2_PrivateKey(alg_id, key_bits));
226 #endif
227 
228 #if defined(BOTAN_HAS_ELGAMAL)
229  if(alg_name == "ElGamal")
230  return std::unique_ptr<Private_Key>(new ElGamal_PrivateKey(alg_id, key_bits));
231 #endif
232 
233 #if defined(BOTAN_HAS_XMSS_RFC8391)
234  if(alg_name == "XMSS")
235  return std::unique_ptr<Private_Key>(new XMSS_PrivateKey(key_bits));
236 #endif
237 
238  throw Decoding_Error("Unknown or unavailable public key algorithm " + alg_name);
239  }
std::unique_ptr< Public_Key > Botan::load_public_key ( const AlgorithmIdentifier alg_id,
const std::vector< uint8_t > &  key_bits 
)

Definition at line 82 of file pk_algs.cpp.

References Botan::AlgorithmIdentifier::get_oid(), split_on(), and Botan::OID::to_formatted_string().

Referenced by Botan::X509::load_key().

84  {
85  const std::string oid_str = alg_id.get_oid().to_formatted_string();
86  const std::vector<std::string> alg_info = split_on(oid_str, '/');
87  const std::string alg_name = alg_info[0];
88 
89 #if defined(BOTAN_HAS_RSA)
90  if(alg_name == "RSA")
91  return std::unique_ptr<Public_Key>(new RSA_PublicKey(alg_id, key_bits));
92 #endif
93 
94 #if defined(BOTAN_HAS_CURVE_25519)
95  if(alg_name == "Curve25519")
96  return std::unique_ptr<Public_Key>(new Curve25519_PublicKey(alg_id, key_bits));
97 #endif
98 
99 #if defined(BOTAN_HAS_MCELIECE)
100  if(alg_name == "McEliece")
101  return std::unique_ptr<Public_Key>(new McEliece_PublicKey(key_bits));
102 #endif
103 
104 #if defined(BOTAN_HAS_ECDSA)
105  if(alg_name == "ECDSA")
106  return std::unique_ptr<Public_Key>(new ECDSA_PublicKey(alg_id, key_bits));
107 #endif
108 
109 #if defined(BOTAN_HAS_ECDH)
110  if(alg_name == "ECDH")
111  return std::unique_ptr<Public_Key>(new ECDH_PublicKey(alg_id, key_bits));
112 #endif
113 
114 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
115  if(alg_name == "DH")
116  return std::unique_ptr<Public_Key>(new DH_PublicKey(alg_id, key_bits));
117 #endif
118 
119 #if defined(BOTAN_HAS_DSA)
120  if(alg_name == "DSA")
121  return std::unique_ptr<Public_Key>(new DSA_PublicKey(alg_id, key_bits));
122 #endif
123 
124 #if defined(BOTAN_HAS_ELGAMAL)
125  if(alg_name == "ElGamal")
126  return std::unique_ptr<Public_Key>(new ElGamal_PublicKey(alg_id, key_bits));
127 #endif
128 
129 #if defined(BOTAN_HAS_ECGDSA)
130  if(alg_name == "ECGDSA")
131  return std::unique_ptr<Public_Key>(new ECGDSA_PublicKey(alg_id, key_bits));
132 #endif
133 
134 #if defined(BOTAN_HAS_ECKCDSA)
135  if(alg_name == "ECKCDSA")
136  return std::unique_ptr<Public_Key>(new ECKCDSA_PublicKey(alg_id, key_bits));
137 #endif
138 
139 #if defined(BOTAN_HAS_ED25519)
140  if(alg_name == "Ed25519")
141  return std::unique_ptr<Public_Key>(new Ed25519_PublicKey(alg_id, key_bits));
142 #endif
143 
144 #if defined(BOTAN_HAS_GOST_34_10_2001)
145  if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512")
146  return std::unique_ptr<Public_Key>(new GOST_3410_PublicKey(alg_id, key_bits));
147 #endif
148 
149 #if defined(BOTAN_HAS_SM2)
150  if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc")
151  return std::unique_ptr<Public_Key>(new SM2_PublicKey(alg_id, key_bits));
152 #endif
153 
154 #if defined(BOTAN_HAS_XMSS_RFC8391)
155  if(alg_name == "XMSS")
156  return std::unique_ptr<Public_Key>(new XMSS_PublicKey(key_bits));
157 #endif
158 
159  throw Decoding_Error("Unknown or unavailable public key algorithm " + alg_name);
160  }
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
size_t Botan::low_zero_bits ( const BigInt x)
Parameters
xan integer
Returns
count of the low zero bits in x, or, equivalently, the largest value of n such that 2^n divides x evenly. Returns zero if x is equal to zero.

Definition at line 39 of file numthry.cpp.

References Botan::CT::Mask< T >::cleared(), ctz(), Botan::CT::Mask< T >::expand(), Botan::BigInt::size(), and Botan::BigInt::word_at().

Referenced by gcd(), inverse_mod(), jacobi(), passes_miller_rabin_test(), and ressol().

40  {
41  size_t low_zero = 0;
42 
43  auto seen_nonempty_word = CT::Mask<word>::cleared();
44 
45  for(size_t i = 0; i != n.size(); ++i)
46  {
47  const word x = n.word_at(i);
48 
49  // ctz(0) will return sizeof(word)
50  const size_t tz_x = ctz(x);
51 
52  // if x > 0 we want to count tz_x in total but not any
53  // further words, so set the mask after the addition
54  low_zero += seen_nonempty_word.if_not_set_return(tz_x);
55 
56  seen_nonempty_word |= CT::Mask<word>::expand(x);
57  }
58 
59  // if we saw no words with x > 0 then n == 0 and the value we have
60  // computed is meaningless. Instead return 0 in that case.
61  return seen_nonempty_word.if_set_return(low_zero);
62  }
size_t ctz(T n)
Definition: bit_ops.h:99
std::unique_ptr< BlockCipher > Botan::make_commoncrypto_block_cipher ( const std::string &  name)

Definition at line 150 of file commoncrypto_block.cpp.

References commoncrypto_opts_from_algo_name().

Referenced by Botan::BlockCipher::create().

151  {
152 
153  try
154  {
155  CommonCryptor_Opts opts = commoncrypto_opts_from_algo_name(name);
156  return std::unique_ptr<BlockCipher>(new CommonCrypto_BlockCipher(name, opts));
157  }
158  catch(CommonCrypto_Error& e)
159  {
160  return nullptr;
161  }
162  }
CommonCryptor_Opts commoncrypto_opts_from_algo_name(const std::string &algo_name)
std::string name
Cipher_Mode * Botan::make_commoncrypto_cipher_mode ( const std::string &  name,
Cipher_Dir  direction 
)

Definition at line 234 of file commoncrypto_mode.cpp.

References commoncrypto_opts_from_algo().

Referenced by Botan::Cipher_Mode::create().

235  {
236 
237  try
238  {
239  CommonCryptor_Opts opts = commoncrypto_opts_from_algo(name);
240  return new CommonCrypto_Cipher_Mode(name, direction, opts);
241  }
242  catch(CommonCrypto_Error& e)
243  {
244  return nullptr;
245  }
246  }
CommonCryptor_Opts commoncrypto_opts_from_algo(const std::string &algo)
std::string name
std::unique_ptr< HashFunction > Botan::make_commoncrypto_hash ( const std::string &  name)

Definition at line 97 of file commoncrypto_hash.cpp.

References MAKE_COMMONCRYPTO_HASH_1, MAKE_COMMONCRYPTO_HASH_2, and MAKE_COMMONCRYPTO_HASH_3.

Referenced by Botan::HashFunction::create().

98  {
99 #define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx) \
100  std::unique_ptr<HashFunction>( \
101  new CommonCrypto_HashFunction<CC_ ## ctx ## _CTX >({ \
102  name, \
103  CC_ ## hash ## _DIGEST_LENGTH, \
104  CC_ ## hash ## _BLOCK_BYTES, \
105  CC_ ## hash ## _Init, \
106  CC_ ## hash ## _Update, \
107  CC_ ## hash ## _Final \
108  }));
109 
110 #define MAKE_COMMONCRYPTO_HASH_2(name, id) \
111  MAKE_COMMONCRYPTO_HASH_3(name, id, id)
112 
113 #define MAKE_COMMONCRYPTO_HASH_1(id) \
114  MAKE_COMMONCRYPTO_HASH_2(#id, id)
115 
116 #if defined(BOTAN_HAS_SHA2_32)
117  if(name == "SHA-224")
118  return MAKE_COMMONCRYPTO_HASH_3(name, SHA224, SHA256);
119  if(name == "SHA-256")
120  return MAKE_COMMONCRYPTO_HASH_2(name, SHA256);
121 #endif
122 #if defined(BOTAN_HAS_SHA2_64)
123  if(name == "SHA-384")
124  return MAKE_COMMONCRYPTO_HASH_3(name, SHA384, SHA512);
125  if(name == "SHA-512")
126  return MAKE_COMMONCRYPTO_HASH_2(name, SHA512);
127 #endif
128 
129 #if defined(BOTAN_HAS_SHA1)
130  if(name == "SHA-160" || name == "SHA-1" || name == "SHA1")
131  return MAKE_COMMONCRYPTO_HASH_2(name, SHA1);
132 #endif
133 
134 #if defined(BOTAN_HAS_MD5)
135  if(name == "MD5")
136  return MAKE_COMMONCRYPTO_HASH_1(MD5);
137 #endif
138 
139 #if defined(BOTAN_HAS_MD4)
140  if(name == "MD4")
141  return MAKE_COMMONCRYPTO_HASH_1(MD4);
142 #endif
143  return nullptr;
144  }
#define MAKE_COMMONCRYPTO_HASH_1(id)
std::string name
#define MAKE_COMMONCRYPTO_HASH_2(name, id)
#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx)
Compression_Algorithm * Botan::make_compressor ( const std::string &  name)

Definition at line 27 of file compression.cpp.

References BOTAN_UNUSED.

Referenced by Botan::Compression_Algorithm::create().

28  {
29 #if defined(BOTAN_HAS_ZLIB)
30  if(name == "Zlib" || name == "zlib")
31  return new Zlib_Compression;
32  if(name == "Gzip" || name == "gzip" || name == "gz")
33  return new Gzip_Compression;
34  if(name == "Deflate" || name == "deflate")
35  return new Deflate_Compression;
36 #endif
37 
38 #if defined(BOTAN_HAS_BZIP2)
39  if(name == "bzip2" || name == "bz2" || name == "Bzip2")
40  return new Bzip2_Compression;
41 #endif
42 
43 #if defined(BOTAN_HAS_LZMA)
44  if(name == "lzma" || name == "xz" || name == "LZMA")
45  return new LZMA_Compression;
46 #endif
47 
49  return nullptr;
50  }
std::string name
#define BOTAN_UNUSED(...)
Definition: assert.h:142
Decompression_Algorithm * Botan::make_decompressor ( const std::string &  name)

Definition at line 71 of file compression.cpp.

References BOTAN_UNUSED.

Referenced by Botan::Decompression_Algorithm::create().

72  {
73 #if defined(BOTAN_HAS_ZLIB)
74  if(name == "Zlib" || name == "zlib")
75  return new Zlib_Decompression;
76  if(name == "Gzip" || name == "gzip" || name == "gz")
77  return new Gzip_Decompression;
78  if(name == "Deflate" || name == "deflate")
79  return new Deflate_Decompression;
80 #endif
81 
82 #if defined(BOTAN_HAS_BZIP2)
83  if(name == "bzip2" || name == "bz2" || name == "Bzip2")
84  return new Bzip2_Decompression;
85 #endif
86 
87 #if defined(BOTAN_HAS_LZMA)
88  if(name == "lzma" || name == "xz" || name == "LZMA")
89  return new LZMA_Decompression;
90 #endif
91 
93  return nullptr;
94  }
std::string name
#define BOTAN_UNUSED(...)
Definition: assert.h:142
boost::system::error_code Botan::make_error_code ( Botan::ErrorType  e)
inline

Definition at line 118 of file asio_error.h.

References botan_category().

119  {
120  return boost::system::error_code(static_cast<int>(e), Botan::botan_category());
121  }
const BotanErrorCategory & botan_category() noexcept
Definition: asio_error.h:112
std::unique_ptr< BlockCipher > Botan::make_openssl_block_cipher ( const std::string &  name)

Definition at line 200 of file openssl_block.cpp.

References MAKE_OPENSSL_BLOCK, and MAKE_OPENSSL_BLOCK_KEYLEN.

Referenced by Botan::BlockCipher::create().

201  {
202 #define MAKE_OPENSSL_BLOCK(evp_fn) \
203  std::unique_ptr<BlockCipher>(new OpenSSL_BlockCipher(name, evp_fn()))
204 #define MAKE_OPENSSL_BLOCK_KEYLEN(evp_fn, kl_min, kl_max, kl_mod) \
205  std::unique_ptr<BlockCipher>(new OpenSSL_BlockCipher(name, evp_fn(), kl_min, kl_max, kl_mod))
206 
207 #if defined(BOTAN_HAS_AES) && !defined(OPENSSL_NO_AES)
208  if(name == "AES-128")
209  return MAKE_OPENSSL_BLOCK(EVP_aes_128_ecb);
210  if(name == "AES-192")
211  return MAKE_OPENSSL_BLOCK(EVP_aes_192_ecb);
212  if(name == "AES-256")
213  return MAKE_OPENSSL_BLOCK(EVP_aes_256_ecb);
214 #endif
215 
216 #if defined(BOTAN_HAS_CAMELLIA) && !defined(OPENSSL_NO_CAMELLIA)
217  if(name == "Camellia-128")
218  return MAKE_OPENSSL_BLOCK(EVP_camellia_128_ecb);
219  if(name == "Camellia-192")
220  return MAKE_OPENSSL_BLOCK(EVP_camellia_192_ecb);
221  if(name == "Camellia-256")
222  return MAKE_OPENSSL_BLOCK(EVP_camellia_256_ecb);
223 #endif
224 
225 #if defined(BOTAN_HAS_DES) && !defined(OPENSSL_NO_DES)
226  if(name == "TripleDES")
227  return MAKE_OPENSSL_BLOCK_KEYLEN(EVP_des_ede3_ecb, 16, 24, 8);
228 #endif
229 
230  return nullptr;
231  }
std::string name
#define MAKE_OPENSSL_BLOCK(evp_fn)
#define MAKE_OPENSSL_BLOCK_KEYLEN(evp_fn, kl_min, kl_max, kl_mod)
Cipher_Mode * Botan::make_openssl_cipher_mode ( const std::string &  name,
Cipher_Dir  direction 
)

Definition at line 215 of file openssl_mode.cpp.

References MAKE_OPENSSL_MODE.

Referenced by Botan::Cipher_Mode::create().

216  {
217 #define MAKE_OPENSSL_MODE(evp_fn) \
218  new OpenSSL_Cipher_Mode(name, (evp_fn)(), direction)
219 
220 #if defined(BOTAN_HAS_AES) && defined(BOTAN_HAS_MODE_CBC) && !defined(OPENSSL_NO_AES)
221  if(name == "AES-128/CBC/NoPadding")
222  return MAKE_OPENSSL_MODE(EVP_aes_128_cbc);
223  if(name == "AES-192/CBC/NoPadding")
224  return MAKE_OPENSSL_MODE(EVP_aes_192_cbc);
225  if(name == "AES-256/CBC/NoPadding")
226  return MAKE_OPENSSL_MODE(EVP_aes_256_cbc);
227 #endif
228 
229 #undef MAKE_OPENSSL_MODE
230  return nullptr;
231  }
std::string name
#define MAKE_OPENSSL_MODE(evp_fn)
std::unique_ptr< HashFunction > Botan::make_openssl_hash ( const std::string &  name)

Definition at line 104 of file openssl_hash.cpp.

References MAKE_OPENSSL_HASH.

Referenced by Botan::HashFunction::create().

105  {
106 #define MAKE_OPENSSL_HASH(fn) \
107  std::unique_ptr<HashFunction>(new OpenSSL_HashFunction(name, fn ()))
108 
109 #if defined(BOTAN_HAS_SHA2_32) && !defined(OPENSSL_NO_SHA256)
110  if(name == "SHA-224")
111  return MAKE_OPENSSL_HASH(EVP_sha224);
112  if(name == "SHA-256")
113  return MAKE_OPENSSL_HASH(EVP_sha256);
114 #endif
115 
116 #if defined(BOTAN_HAS_SHA2_64) && !defined(OPENSSL_NO_SHA512)
117  if(name == "SHA-384")
118  return MAKE_OPENSSL_HASH(EVP_sha384);
119  if(name == "SHA-512")
120  return MAKE_OPENSSL_HASH(EVP_sha512);
121 #endif
122 
123 #if defined(BOTAN_HAS_SHA1) && !defined(OPENSSL_NO_SHA)
124  if(name == "SHA-160" || name == "SHA-1" || name == "SHA1")
125  return MAKE_OPENSSL_HASH(EVP_sha1);
126 #endif
127 
128 #if defined(BOTAN_HAS_MD5) && !defined(OPENSSL_NO_MD5)
129  if(name == "MD5")
130  return MAKE_OPENSSL_HASH(EVP_md5);
131  #endif
132 
133  return nullptr;
134  }
#define MAKE_OPENSSL_HASH(fn)
std::string name
constexpr uint16_t Botan::make_uint16 ( uint8_t  i0,
uint8_t  i1 
)
inline

Make a uint16_t from two bytes

Parameters
i0the first byte
i1the second byte
Returns
i0 || i1

Definition at line 54 of file loadstor.h.

Referenced by Botan::TLS::Certificate_Req::Certificate_Req(), Botan::TLS::TLS_Data_Reader::get_uint16_t(), load_be< uint16_t >(), load_le< uint16_t >(), random_gf2m(), Botan::RTSS_Share::reconstruct(), Botan::TLS::Session_Manager_SQL::Session_Manager_SQL(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data().

55  {
56  return static_cast<uint16_t>((static_cast<uint16_t>(i0) << 8) | i1);
57  }
constexpr uint32_t Botan::make_uint32 ( uint8_t  i0,
uint8_t  i1,
uint8_t  i2,
uint8_t  i3 
)
inline

Make a uint32_t from four bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
Returns
i0 || i1 || i2 || i3

Definition at line 67 of file loadstor.h.

Referenced by Botan::TLS::Certificate::Certificate(), Botan::TLS::Certificate_Status::Certificate_Status(), Botan::TLS::Stream_Handshake_IO::get_next_record(), Botan::TLS::TLS_Data_Reader::get_uint32_t(), load_be< uint32_t >(), load_le< uint32_t >(), and Botan::SIMD_4x32::splat_u8().

68  {
69  return ((static_cast<uint32_t>(i0) << 24) |
70  (static_cast<uint32_t>(i1) << 16) |
71  (static_cast<uint32_t>(i2) << 8) |
72  (static_cast<uint32_t>(i3)));
73  }
constexpr uint64_t Botan::make_uint64 ( uint8_t  i0,
uint8_t  i1,
uint8_t  i2,
uint8_t  i3,
uint8_t  i4,
uint8_t  i5,
uint8_t  i6,
uint8_t  i7 
)
inline

Make a uint64_t from eight bytes

Parameters
i0the first byte
i1the second byte
i2the third byte
i3the fourth byte
i4the fifth byte
i5the sixth byte
i6the seventh byte
i7the eighth byte
Returns
i0 || i1 || i2 || i3 || i4 || i5 || i6 || i7

Definition at line 87 of file loadstor.h.

Referenced by load_be< uint64_t >(), and load_le< uint64_t >().

89  {
90  return ((static_cast<uint64_t>(i0) << 56) |
91  (static_cast<uint64_t>(i1) << 48) |
92  (static_cast<uint64_t>(i2) << 40) |
93  (static_cast<uint64_t>(i3) << 32) |
94  (static_cast<uint64_t>(i4) << 24) |
95  (static_cast<uint64_t>(i5) << 16) |
96  (static_cast<uint64_t>(i6) << 8) |
97  (static_cast<uint64_t>(i7)));
98  }
template<class T , class... Args>
stlCompatibilityDetails::_Unique_if<T>::_Single_object Botan::make_unique ( Args &&...  args)

Definition at line 62 of file stl_compatibility.h.

References T.

63  {
64  return std::unique_ptr<T>(new T(std::forward<Args>(args)...));
65  }
fe T
Definition: ge.cpp:37
template<class T >
stlCompatibilityDetails::_Unique_if<T>::_Unknown_bound Botan::make_unique ( size_t  n)

Definition at line 68 of file stl_compatibility.h.

References type.

69  {
70  typedef typename std::remove_extent<T>::type U;
71  return std::unique_ptr<T>(new U[n]());
72  }
MechanismType type
template<class T , class... Args>
stlCompatibilityDetails::_Unique_if<T>::_Known_bound Botan::make_unique ( Args &&  ...)
delete
template<typename K , typename V >
std::set<K> Botan::map_keys_as_set ( const std::map< K, V > &  kv)

Return the keys of a map as a std::set

Definition at line 34 of file stl_util.h.

35  {
36  std::set<K> s;
37  for(auto&& i : kv)
38  {
39  s.insert(i.first);
40  }
41  return s;
42  }
template<typename T , typename Pred >
void Botan::map_remove_if ( Pred  pred,
T assoc 
)

Definition at line 96 of file stl_util.h.

Referenced by Botan::TLS::Channel::activate_session().

97  {
98  auto i = assoc.begin();
99  while(i != assoc.end())
100  {
101  if(pred(i->first))
102  assoc.erase(i++);
103  else
104  i++;
105  }
106  }
secure_vector< uint8_t > Botan::mceies_decrypt ( const McEliece_PrivateKey privkey,
const uint8_t  ct[],
size_t  ct_len,
const uint8_t  ad[],
size_t  ad_len,
const std::string &  aead = "AES-256/OCB" 
)

McEliece Integrated Encryption System Derive a shared key using MCE KEM and decrypt/authenticate the ciphertext and AD using AES-256 in OCB mode.

Definition at line 70 of file mceies.cpp.

References Botan::AEAD_Mode::create_or_throw(), Botan::PK_KEM_Decryptor::decrypt(), DECRYPTION, and Botan::McEliece_PublicKey::get_code_length().

Referenced by botan_mceies_decrypt().

74  {
75  try
76  {
77  Null_RNG null_rng;
78  PK_KEM_Decryptor kem_op(privkey, null_rng, "KDF1(SHA-512)");
79 
80  const size_t mce_code_bytes = (privkey.get_code_length() + 7) / 8;
81 
82  std::unique_ptr<AEAD_Mode> aead = AEAD_Mode::create_or_throw(algo, DECRYPTION);
83 
84  const size_t nonce_len = aead->default_nonce_length();
85 
86  if(ct_len < mce_code_bytes + nonce_len + aead->tag_size())
87  throw Decoding_Error("Input message too small to be valid");
88 
89  const secure_vector<uint8_t> mce_key = kem_op.decrypt(ct, mce_code_bytes, 64);
90 
91  aead->set_key(aead_key(mce_key, *aead));
92  aead->set_associated_data(ad, ad_len);
93 
94  secure_vector<uint8_t> pt(ct + mce_code_bytes + nonce_len, ct + ct_len);
95 
96  aead->start(&ct[mce_code_bytes], nonce_len);
97  aead->finish(pt, 0);
98  return pt;
99  }
100  catch(Invalid_Authentication_Tag&)
101  {
102  throw;
103  }
104  catch(std::exception& e)
105  {
106  throw Decoding_Error("mce_decrypt failed: " + std::string(e.what()));
107  }
108  }
secure_vector< uint8_t > Botan::mceies_encrypt ( const McEliece_PublicKey pubkey,
const uint8_t  pt[],
size_t  pt_len,
const uint8_t  ad[],
size_t  ad_len,
RandomNumberGenerator rng,
const std::string &  aead = "AES-256/OCB" 
)

McEliece Integrated Encryption System Derive a shared key using MCE KEM and encrypt/authenticate the plaintext and AD using AES-256 in OCB mode.

Definition at line 35 of file mceies.cpp.

References BOTAN_ASSERT, copy_mem(), Botan::AEAD_Mode::create_or_throw(), Botan::PK_KEM_Encryptor::encrypt(), ENCRYPTION, Botan::McEliece_PublicKey::get_code_length(), and Botan::RandomNumberGenerator::random_vec().

Referenced by botan_mceies_encrypt().

40  {
41  PK_KEM_Encryptor kem_op(pubkey, rng, "KDF1(SHA-512)");
42 
43  secure_vector<uint8_t> mce_ciphertext, mce_key;
44  kem_op.encrypt(mce_ciphertext, mce_key, 64, rng);
45 
46  const size_t mce_code_bytes = (pubkey.get_code_length() + 7) / 8;
47 
48  BOTAN_ASSERT(mce_ciphertext.size() == mce_code_bytes, "Unexpected size");
49 
50  std::unique_ptr<AEAD_Mode> aead = AEAD_Mode::create_or_throw(algo, ENCRYPTION);
51 
52  const size_t nonce_len = aead->default_nonce_length();
53 
54  aead->set_key(aead_key(mce_key, *aead));
55  aead->set_associated_data(ad, ad_len);
56 
57  const secure_vector<uint8_t> nonce = rng.random_vec(nonce_len);
58 
59  secure_vector<uint8_t> msg(mce_ciphertext.size() + nonce.size() + pt_len);
60  copy_mem(msg.data(), mce_ciphertext.data(), mce_ciphertext.size());
61  copy_mem(msg.data() + mce_ciphertext.size(), nonce.data(), nonce.size());
62  copy_mem(msg.data() + mce_ciphertext.size() + nonce.size(), pt, pt_len);
63 
64  aead->start(nonce);
65  aead->finish(msg, mce_ciphertext.size() + nonce.size());
66  return msg;
67  }
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
void Botan::mceliece_decrypt ( secure_vector< uint8_t > &  plaintext_out,
secure_vector< uint8_t > &  error_mask_out,
const secure_vector< uint8_t > &  ciphertext,
const McEliece_PrivateKey key 
)

Definition at line 130 of file goppa_code.cpp.

Referenced by Botan::McEliece_PrivateKey::check_key(), and mceliece_decrypt().

134  {
135  mceliece_decrypt(plaintext_out, error_mask_out, ciphertext.data(), ciphertext.size(), key);
136  }
secure_vector< uint8_t > mceliece_decrypt(secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key)
Definition: goppa_code.cpp:166
void Botan::mceliece_decrypt ( secure_vector< uint8_t > &  plaintext,
secure_vector< uint8_t > &  error_mask,
const uint8_t  ciphertext[],
size_t  ciphertext_len,
const McEliece_PrivateKey key 
)

Definition at line 138 of file goppa_code.cpp.

References Botan::McEliece_PublicKey::get_code_length(), and mceliece_decrypt().

144  {
145  secure_vector<gf2m> error_pos;
146  plaintext = mceliece_decrypt(error_pos, ciphertext, ciphertext_len, key);
147 
148  const size_t code_length = key.get_code_length();
149  secure_vector<uint8_t> result((code_length+7)/8);
150  for(auto&& pos : error_pos)
151  {
152  if(pos > code_length)
153  {
154  throw Invalid_Argument("error position larger than code size");
155  }
156  result[pos / 8] |= (1 << (pos % 8));
157  }
158 
159  error_mask = result;
160  }
secure_vector< uint8_t > mceliece_decrypt(secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key)
Definition: goppa_code.cpp:166
secure_vector< uint8_t > Botan::mceliece_decrypt ( secure_vector< gf2m > &  error_pos,
const uint8_t *  ciphertext,
size_t  ciphertext_len,
const McEliece_PrivateKey key 
)

p_err_pos_len must point to the available length of error_pos on input, the function will set it to the actual number of errors returned in the error_pos array

Definition at line 166 of file goppa_code.cpp.

References bit_size_to_32bit_size(), bit_size_to_byte_size(), copy_mem(), Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PrivateKey::get_codimension(), Botan::polyn_gf2m::get_degree(), Botan::McEliece_PrivateKey::get_dimension(), Botan::McEliece_PrivateKey::get_goppa_polyn(), Botan::McEliece_PrivateKey::get_H_coeffs(), Botan::McEliece_PrivateKey::get_Linv(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::polyn_gf2m::get_sp_field(), and Botan::McEliece_PrivateKey::get_sqrtmod().

170  {
171 
172  const size_t dimension = key.get_dimension();
173  const size_t codimension = key.get_codimension();
174  const uint32_t t = key.get_goppa_polyn().get_degree();
175  polyn_gf2m syndrome_polyn(key.get_goppa_polyn().get_sp_field()); // init as zero polyn
176  const unsigned unused_pt_bits = dimension % 8;
177  const uint8_t unused_pt_bits_mask = (1 << unused_pt_bits) - 1;
178 
179  if(ciphertext_len != (key.get_code_length()+7)/8)
180  {
181  throw Invalid_Argument("wrong size of McEliece ciphertext");
182  }
183  const size_t cleartext_len = (key.get_message_word_bit_length()+7)/8;
184 
185  if(cleartext_len != bit_size_to_byte_size(dimension))
186  {
187  throw Invalid_Argument("mce-decryption: wrong length of cleartext buffer");
188  }
189 
190  secure_vector<uint32_t> syndrome_vec(bit_size_to_32bit_size(codimension));
191  matrix_arr_mul(key.get_H_coeffs(),
192  key.get_code_length(),
193  bit_size_to_32bit_size(codimension),
194  ciphertext,
195  syndrome_vec.data(), syndrome_vec.size());
196 
197  secure_vector<uint8_t> syndrome_byte_vec(bit_size_to_byte_size(codimension));
198  const size_t syndrome_byte_vec_size = syndrome_byte_vec.size();
199  for(size_t i = 0; i < syndrome_byte_vec_size; i++)
200  {
201  syndrome_byte_vec[i] = static_cast<uint8_t>(syndrome_vec[i/4] >> (8 * (i % 4)));
202  }
203 
204  syndrome_polyn = polyn_gf2m(t-1, syndrome_byte_vec.data(), bit_size_to_byte_size(codimension), key.get_goppa_polyn().get_sp_field());
205 
206  syndrome_polyn.get_degree();
207  error_pos = goppa_decode(syndrome_polyn, key.get_goppa_polyn(), key.get_sqrtmod(), key.get_Linv());
208 
209  const size_t nb_err = error_pos.size();
210 
211  secure_vector<uint8_t> cleartext(cleartext_len);
212  copy_mem(cleartext.data(), ciphertext, cleartext_len);
213 
214  for(size_t i = 0; i < nb_err; i++)
215  {
216  gf2m current = error_pos[i];
217 
218  if(current >= cleartext_len * 8)
219  {
220  // an invalid position, this shouldn't happen
221  continue;
222  }
223  cleartext[current / 8] ^= (1 << (current % 8));
224  }
225 
226  if(unused_pt_bits)
227  {
228  cleartext[cleartext_len - 1] &= unused_pt_bits_mask;
229  }
230 
231  return cleartext;
232  }
size_t bit_size_to_32bit_size(size_t bit_size)
uint16_t gf2m
Definition: gf2m_small_m.h:22
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
size_t bit_size_to_byte_size(size_t bit_size)
void Botan::mceliece_encrypt ( secure_vector< uint8_t > &  ciphertext_out,
secure_vector< uint8_t > &  error_mask_out,
const secure_vector< uint8_t > &  plaintext,
const McEliece_PublicKey key,
RandomNumberGenerator rng 
)

Definition at line 120 of file mceliece.cpp.

References Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PublicKey::get_public_matrix(), and Botan::McEliece_PublicKey::get_t().

Referenced by Botan::McEliece_PrivateKey::check_key().

125  {
126  const uint16_t code_length = static_cast<uint16_t>(key.get_code_length());
127 
128  secure_vector<uint8_t> error_mask = create_random_error_vector(code_length, key.get_t(), rng);
129 
130  secure_vector<uint8_t> ciphertext = mult_by_pubkey(plaintext, key.get_public_matrix(),
131  key.get_code_length(), key.get_t());
132 
133  ciphertext ^= error_mask;
134 
135  ciphertext_out.swap(ciphertext);
136  error_mask_out.swap(error_mask);
137  }
size_t Botan::mceliece_work_factor ( size_t  code_size,
size_t  t 
)

Estimate work factor for McEliece

Returns
estimated security level for these key parameters

Definition at line 95 of file mce_workfactor.cpp.

References ceil_log2().

Referenced by Botan::McEliece_PublicKey::estimated_strength().

96  {
97  const size_t k = n - ceil_log2(n) * t;
98 
99  double min = cout_total(n, k, t, 0, 0); // correspond a p=1
100  for(size_t p = 0; p != t / 2; ++p)
101  {
102  double lwf = best_wf(n, k + 1, t, p);
103  if(lwf < 0)
104  break;
105 
106  min = std::min(min, lwf);
107  }
108 
109  return static_cast<size_t>(min);
110  }
uint8_t ceil_log2(T x)
Definition: bit_ops.h:119
void Botan::mgf1_mask ( HashFunction hash,
const uint8_t  in[],
size_t  in_len,
uint8_t  out[],
size_t  out_len 
)

MGF1 from PKCS #1 v2.0

Parameters
hashhash function to use
ininput buffer
in_lensize of the input buffer in bytes
outoutput buffer
out_lensize of the output buffer in bytes

Definition at line 14 of file mgf1.cpp.

References Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

17  {
18  uint32_t counter = 0;
19 
20  secure_vector<uint8_t> buffer(hash.output_length());
21  while(out_len)
22  {
23  hash.update(in, in_len);
24  hash.update_be(counter);
25  hash.final(buffer.data());
26 
27  const size_t xored = std::min<size_t>(buffer.size(), out_len);
28  xor_buf(out, buffer.data(), xored);
29  out += xored;
30  out_len -= xored;
31 
32  ++counter;
33  }
34  }
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
MechanismType hash
size_t Botan::miller_rabin_test_iterations ( size_t  n_bits,
size_t  prob,
bool  random 
)

Return required number of Miller-Rabin tests in order to reach the specified probability of error.

Parameters
n_bitsthe bit-length of the integer being tested
probchance of false positive is bounded by 1/2**prob
randomis set if (and only if) the integer was randomly generated by us and thus cannot have been maliciously constructed.

Definition at line 165 of file primality.cpp.

Referenced by generate_rsa_prime(), is_prime(), and random_prime().

166  {
167  const size_t base = (prob + 2) / 2; // worst case 4^-t error rate
168 
169  /*
170  * If the candidate prime was maliciously constructed, we can't rely
171  * on arguments based on p being random.
172  */
173  if(random == false)
174  return base;
175 
176  /*
177  * For randomly chosen numbers we can use the estimates from
178  * http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf
179  *
180  * These values are derived from the inequality for p(k,t) given on
181  * the second page.
182  */
183  if(prob <= 128)
184  {
185  if(n_bits >= 1536)
186  return 4; // < 2^-133
187  if(n_bits >= 1024)
188  return 6; // < 2^-133
189  if(n_bits >= 512)
190  return 12; // < 2^-129
191  if(n_bits >= 256)
192  return 29; // < 2^-128
193  }
194 
195  /*
196  If the user desires a smaller error probability than we have
197  precomputed error estimates for, just fall back to using the worst
198  case error rate.
199  */
200  return base;
201  }
BigInt Botan::monty_execute ( const Montgomery_Exponentation_State &  precomputed_state,
const BigInt k,
size_t  max_k_bits 
)

Definition at line 165 of file monty_exp.cpp.

Referenced by passes_miller_rabin_test(), and power_mod().

167  {
168  return precomputed_state.exponentiation(k, max_k_bits);
169  }
BigInt Botan::monty_execute_vartime ( const Montgomery_Exponentation_State &  precomputed_state,
const BigInt k 
)

Definition at line 171 of file monty_exp.cpp.

173  {
174  return precomputed_state.exponentiation_vartime(k);
175  }
word Botan::monty_inverse ( word  a)

Definition at line 327 of file mod_inv.cpp.

References MP_WORD_MAX.

Referenced by Botan::Montgomery_Params::Montgomery_Params().

328  {
329  if(a % 2 == 0)
330  throw Invalid_Argument("monty_inverse only valid for odd integers");
331 
332  /*
333  * From "A New Algorithm for Inversion mod p^k" by Çetin Kaya Koç
334  * https://eprint.iacr.org/2017/411.pdf sections 5 and 7.
335  */
336 
337  word b = 1;
338  word r = 0;
339 
340  for(size_t i = 0; i != BOTAN_MP_WORD_BITS; ++i)
341  {
342  const word bi = b % 2;
343  r >>= 1;
344  r += bi << (BOTAN_MP_WORD_BITS - 1);
345 
346  b -= a * bi;
347  b >>= 1;
348  }
349 
350  // Now invert in addition space
351  r = (MP_WORD_MAX - r) + 1;
352 
353  return r;
354  }
const word MP_WORD_MAX
Definition: mp_core.h:22
BigInt Botan::monty_multi_exp ( std::shared_ptr< const Montgomery_Params params_p,
const BigInt x,
const BigInt z1,
const BigInt y,
const BigInt z2 
)

Return (x^z1 * y^z2) % p

Definition at line 177 of file monty_exp.cpp.

References Botan::BigInt::bits(), Botan::BigInt::get_substring(), H, Botan::BigInt::is_negative(), Botan::Montgomery_Int::mul(), Botan::Montgomery_Int::mul_by(), round_up(), Botan::Montgomery_Int::square(), Botan::Montgomery_Int::square_this(), and Botan::Montgomery_Int::value().

Referenced by Botan::DL_Group::multi_exponentiate().

182  {
183  if(z1.is_negative() || z2.is_negative())
184  throw Invalid_Argument("multi_exponentiate exponents must be positive");
185 
186  const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
187 
188  secure_vector<word> ws;
189 
190  const Montgomery_Int one(params_p, params_p->R1(), false);
191  //const Montgomery_Int one(params_p, 1);
192 
193  const Montgomery_Int x1(params_p, x_bn);
194  const Montgomery_Int x2 = x1.square(ws);
195  const Montgomery_Int x3 = x2.mul(x1, ws);
196 
197  const Montgomery_Int y1(params_p, y_bn);
198  const Montgomery_Int y2 = y1.square(ws);
199  const Montgomery_Int y3 = y2.mul(y1, ws);
200 
201  const Montgomery_Int y1x1 = y1.mul(x1, ws);
202  const Montgomery_Int y1x2 = y1.mul(x2, ws);
203  const Montgomery_Int y1x3 = y1.mul(x3, ws);
204 
205  const Montgomery_Int y2x1 = y2.mul(x1, ws);
206  const Montgomery_Int y2x2 = y2.mul(x2, ws);
207  const Montgomery_Int y2x3 = y2.mul(x3, ws);
208 
209  const Montgomery_Int y3x1 = y3.mul(x1, ws);
210  const Montgomery_Int y3x2 = y3.mul(x2, ws);
211  const Montgomery_Int y3x3 = y3.mul(x3, ws);
212 
213  const Montgomery_Int* M[16] = {
214  &one,
215  &x1, // 0001
216  &x2, // 0010
217  &x3, // 0011
218  &y1, // 0100
219  &y1x1,
220  &y1x2,
221  &y1x3,
222  &y2, // 1000
223  &y2x1,
224  &y2x2,
225  &y2x3,
226  &y3, // 1100
227  &y3x1,
228  &y3x2,
229  &y3x3
230  };
231 
232  Montgomery_Int H = one;
233 
234  for(size_t i = 0; i != z_bits; i += 2)
235  {
236  if(i > 0)
237  {
238  H.square_this(ws);
239  H.square_this(ws);
240  }
241 
242  const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
243  const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
244 
245  const uint32_t z12 = (4*z2_b) + z1_b;
246 
247  H.mul_by(*M[z12], ws);
248  }
249 
250  return H.value();
251  }
SIMD_8x32 H
size_t round_up(size_t n, size_t align_to)
Definition: rounding.h:21
std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute ( std::shared_ptr< const Montgomery_Params params,
const BigInt g,
size_t  window_bits,
bool  const_time 
)

Definition at line 157 of file monty_exp.cpp.

Referenced by passes_miller_rabin_test(), and power_mod().

161  {
162  return std::make_shared<const Montgomery_Exponentation_State>(params, g, window_bits, const_time);
163  }
void Botan::mul64x64_128 ( uint64_t  a,
uint64_t  b,
uint64_t *  lo,
uint64_t *  hi 
)
inline

Perform a 64x64->128 bit multiplication

Definition at line 85 of file mul128.h.

Referenced by operator*(), word_madd2(), and word_madd3().

86  {
87 #if defined(BOTAN_FAST_64X64_MUL)
88  BOTAN_FAST_64X64_MUL(a, b, lo, hi);
89 #else
90 
91  /*
92  * Do a 64x64->128 multiply using four 32x32->64 multiplies plus
93  * some adds and shifts. Last resort for CPUs like UltraSPARC (with
94  * 64-bit registers/ALU, but no 64x64->128 multiply) or 32-bit CPUs.
95  */
96  const size_t HWORD_BITS = 32;
97  const uint32_t HWORD_MASK = 0xFFFFFFFF;
98 
99  const uint32_t a_hi = (a >> HWORD_BITS);
100  const uint32_t a_lo = (a & HWORD_MASK);
101  const uint32_t b_hi = (b >> HWORD_BITS);
102  const uint32_t b_lo = (b & HWORD_MASK);
103 
104  uint64_t x0 = static_cast<uint64_t>(a_hi) * b_hi;
105  uint64_t x1 = static_cast<uint64_t>(a_lo) * b_hi;
106  uint64_t x2 = static_cast<uint64_t>(a_hi) * b_lo;
107  uint64_t x3 = static_cast<uint64_t>(a_lo) * b_lo;
108 
109  // this cannot overflow as (2^32-1)^2 + 2^32-1 < 2^64-1
110  x2 += x3 >> HWORD_BITS;
111 
112  // this one can overflow
113  x2 += x1;
114 
115  // propagate the carry if any
116  x0 += static_cast<uint64_t>(static_cast<bool>(x2 < x1)) << HWORD_BITS;
117 
118  *hi = x0 + (x2 >> HWORD_BITS);
119  *lo = ((x2 & HWORD_MASK) << HWORD_BITS) + (x3 & HWORD_MASK);
120 #endif
121  }
BigInt Botan::mul_add ( const BigInt a,
const BigInt b,
const BigInt c 
)

Fused multiply-add

Parameters
aan integer
ban integer
can integer
Returns
(a*b)+c

Definition at line 30 of file mp_numth.cpp.

References bigint_add2(), bigint_mul(), Botan::BigInt::data(), Botan::BigInt::is_negative(), Botan::BigInt::mutable_data(), Botan::BigInt::Negative, Botan::BigInt::Positive, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::size().

31  {
32  if(c.is_negative())
33  throw Invalid_Argument("mul_add: Third argument must be > 0");
34 
35  BigInt::Sign sign = BigInt::Positive;
36  if(a.sign() != b.sign())
37  sign = BigInt::Negative;
38 
39  const size_t a_sw = a.sig_words();
40  const size_t b_sw = b.sig_words();
41  const size_t c_sw = c.sig_words();
42 
43  BigInt r(sign, std::max(a_sw + b_sw, c_sw) + 1);
44  secure_vector<word> workspace(r.size());
45 
46  bigint_mul(r.mutable_data(), r.size(),
47  a.data(), a.size(), a_sw,
48  b.data(), b.size(), b_sw,
49  workspace.data(), workspace.size());
50 
51  const size_t r_size = std::max(r.sig_words(), c_sw);
52  bigint_add2(r.mutable_data(), r_size, c.data(), c_sw);
53  return r;
54  }
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition: mp_karat.cpp:298
void bigint_add2(word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:280
BigInt Botan::mul_sub ( const BigInt a,
const BigInt b,
const BigInt c 
)

Fused multiply-subtract

Parameters
aan integer
ban integer
can integer
Returns
(a*b)-c

Definition at line 73 of file mp_numth.cpp.

References Botan::BigInt::is_negative(), and Botan::BigInt::is_zero().

74  {
75  if(c.is_negative() || c.is_zero())
76  throw Invalid_Argument("mul_sub: Third argument must be > 0");
77 
78  BigInt r = a;
79  r *= b;
80  r -= c;
81  return r;
82  }
PointGFp Botan::multi_exponentiate ( const PointGFp p1,
const BigInt z1,
const PointGFp p2,
const BigInt z2 
)

ECC point multiexponentiation - not constant time!

Parameters
p1a point
z1a scalar
p2a point
z2a scalar
Returns
(p1 * z1 + p2 * z2)

Definition at line 25 of file point_mul.cpp.

References Botan::PointGFp_Multi_Point_Precompute::multi_exp().

27  {
28  PointGFp_Multi_Point_Precompute xy_mul(x, y);
29  return xy_mul.multi_exp(z1, z2);
30  }
template<typename K , typename V >
void Botan::multimap_insert ( std::multimap< K, V > &  multimap,
const K &  key,
const V &  value 
)
void Botan::newhope_keygen ( uint8_t  send[NEWHOPE_SENDABYTES],
newhope_poly sk,
RandomNumberGenerator rng,
Newhope_Mode  = Newhope_Mode::SHA3 
)
void Botan::newhope_keygen ( uint8_t *  send,
poly sk,
RandomNumberGenerator rng,
Newhope_Mode  mode 
)

Definition at line 720 of file newhope.cpp.

References NEWHOPE_SEED_BYTES, and Botan::RandomNumberGenerator::randomize().

Referenced by CECPQ1_offer().

722  {
723  poly a, e, r, pk;
724  uint8_t seed[NEWHOPE_SEED_BYTES];
725 
726  rng.randomize(seed, NEWHOPE_SEED_BYTES);
727 
728  gen_a(&a, seed, mode);
729 
730  poly_getnoise(rng, sk);
731  poly_ntt(sk);
732 
733  poly_getnoise(rng, &e);
734  poly_ntt(&e);
735 
736  poly_pointwise(&r, sk, &a);
737  poly_add(&pk, &e, &r);
738 
739  encode_a(send, &pk, seed);
740  }
newhope_poly poly
Definition: newhope.cpp:25
void Botan::newhope_shareda ( uint8_t  sharedkey[NEWHOPE_SHARED_KEY_BYTES],
const newhope_poly ska,
const uint8_t *  received,
Newhope_Mode  mode = Newhope_Mode::SHA3 
)
void Botan::newhope_shareda ( uint8_t  sharedkey[],
const poly sk,
const uint8_t  received[],
Newhope_Mode  mode 
)

Definition at line 779 of file newhope.cpp.

References Botan::HashFunction::create_or_throw(), hash, and SHA3.

Referenced by CECPQ1_finish().

783  {
784  poly v, bp, c;
785 
786  decode_b(&bp, &c, received);
787 
788  poly_pointwise(&v, sk, &bp);
789  poly_invntt(&v);
790 
791  rec(sharedkey, &v, &c);
792 
793  const std::string kdf_hash = (mode == Newhope_Mode::SHA3) ? "SHA-3(256)" : "SHA-256";
794  std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(kdf_hash);
795 
796  hash->update(sharedkey, 32);
797  hash->final(sharedkey);
798  }
newhope_poly poly
Definition: newhope.cpp:25
MechanismType hash
void Botan::newhope_sharedb ( uint8_t  sharedkey[NEWHOPE_SHARED_KEY_BYTES],
uint8_t  send[],
const uint8_t *  received,
RandomNumberGenerator rng,
Newhope_Mode  mode = Newhope_Mode::SHA3 
)
void Botan::newhope_sharedb ( uint8_t *  sharedkey,
uint8_t *  send,
const uint8_t *  received,
RandomNumberGenerator rng,
Newhope_Mode  mode 
)

Definition at line 742 of file newhope.cpp.

References Botan::HashFunction::create_or_throw(), hash, NEWHOPE_SEED_BYTES, and SHA3.

Referenced by CECPQ1_accept().

745  {
746  poly sp, ep, v, a, pka, c, epp, bp;
747  uint8_t seed[NEWHOPE_SEED_BYTES];
748 
749  decode_a(&pka, seed, received);
750  gen_a(&a, seed, mode);
751 
752  poly_getnoise(rng, &sp);
753  poly_ntt(&sp);
754  poly_getnoise(rng, &ep);
755  poly_ntt(&ep);
756 
757  poly_pointwise(&bp, &a, &sp);
758  poly_add(&bp, &bp, &ep);
759 
760  poly_pointwise(&v, &pka, &sp);
761  poly_invntt(&v);
762 
763  poly_getnoise(rng, &epp);
764  poly_add(&v, &v, &epp);
765 
766  helprec(&c, &v, rng);
767 
768  encode_b(send, &bp, &c);
769 
770  rec(sharedkey, &v, &c);
771 
772  const std::string kdf_hash = (mode == Newhope_Mode::SHA3) ? "SHA-3(256)" : "SHA-256";
773  std::unique_ptr<HashFunction> hash = HashFunction::create_or_throw(kdf_hash);
774 
775  hash->update(sharedkey, 32);
776  hash->final(sharedkey);
777  }
newhope_poly poly
Definition: newhope.cpp:25
MechanismType hash
secure_vector< uint8_t > Botan::nist_key_unwrap ( const uint8_t  input[],
size_t  input_len,
const BlockCipher bc 
)
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 113 of file nist_keywrap.cpp.

References Botan::BlockCipher::block_size().

Referenced by rfc3394_keyunwrap().

116  {
117  if(bc.block_size() != 16)
118  throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
119 
120  if(input_len < 16 || input_len % 8 != 0)
121  throw Invalid_Argument("Bad input size for NIST key unwrap");
122 
123  uint64_t ICV_out = 0;
124 
125  secure_vector<uint8_t> R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
126 
127  if(ICV_out != 0xA6A6A6A6A6A6A6A6)
128  throw Invalid_Authentication_Tag("NIST key unwrap failed");
129 
130  return R;
131  }
secure_vector< uint8_t > Botan::nist_key_unwrap_padded ( const uint8_t  input[],
size_t  input_len,
const BlockCipher bc 
)
Parameters
inputthe value to be decrypted, output of nist_key_wrap
input_lenlength of input
bca keyed 128-bit block cipher that will be used to decrypt input
Returns
input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.

Definition at line 161 of file nist_keywrap.cpp.

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be< uint64_t >().

Referenced by Botan::Encrypted_PSK_Database::get(), and Botan::Encrypted_PSK_Database::list_names().

164  {
165  if(bc.block_size() != 16)
166  throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
167 
168  if(input_len < 16 || input_len % 8 != 0)
169  throw Invalid_Argument("Bad input size for NIST key unwrap");
170 
171  uint64_t ICV_out = 0;
172  secure_vector<uint8_t> R;
173 
174  if(input_len == 16)
175  {
176  secure_vector<uint8_t> block(input, input + input_len);
177  bc.decrypt(block);
178 
179  ICV_out = load_be<uint64_t>(block.data(), 0);
180  R.resize(8);
181  copy_mem(R.data(), block.data() + 8, 8);
182  }
183  else
184  {
185  R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
186  }
187 
188  if((ICV_out >> 32) != 0xA65959A6)
189  throw Invalid_Authentication_Tag("NIST key unwrap failed");
190 
191  const size_t len = (ICV_out & 0xFFFFFFFF);
192 
193  if(R.size() < 8 || len > R.size() || len < R.size() - 8)
194  throw Invalid_Authentication_Tag("NIST key unwrap failed");
195 
196  const size_t padding = R.size() - len;
197 
198  for(size_t i = 0; i != padding; ++i)
199  {
200  if(R[R.size() - i - 1] != 0)
201  throw Invalid_Authentication_Tag("NIST key unwrap failed");
202  }
203 
204  R.resize(R.size() - padding);
205 
206  return R;
207  }
uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:217
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
std::vector< uint8_t > Botan::nist_key_wrap ( const uint8_t  input[],
size_t  input_len,
const BlockCipher bc 
)

Key wrap. See RFC 3394 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input, must be a multiple of 8
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 99 of file nist_keywrap.cpp.

References Botan::BlockCipher::block_size().

Referenced by rfc3394_keywrap().

102  {
103  if(bc.block_size() != 16)
104  throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
105 
106  if(input_len % 8 != 0)
107  throw Invalid_Argument("Bad input size for NIST key wrap");
108 
109  return raw_nist_key_wrap(input, input_len, bc, 0xA6A6A6A6A6A6A6A6);
110  }
std::vector< uint8_t > Botan::nist_key_wrap_padded ( const uint8_t  input[],
size_t  input_len,
const BlockCipher bc 
)

KWP (key wrap with padding). See RFC 5649 and NIST SP800-38F

Parameters
inputthe value to be encrypted
input_lenlength of input
bca keyed 128-bit block cipher that will be used to encrypt input
Returns
input encrypted under NIST key wrap algorithm

Definition at line 134 of file nist_keywrap.cpp.

References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().

Referenced by Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), and Botan::Encrypted_PSK_Database::set().

137  {
138  if(bc.block_size() != 16)
139  throw Invalid_Argument("NIST key wrap algorithm requires a 128-bit cipher");
140 
141  const uint64_t ICV = 0xA65959A600000000 | static_cast<uint32_t>(input_len);
142 
143  if(input_len <= 8)
144  {
145  /*
146  * Special case for small inputs: if input <= 8 bytes just use ECB
147  */
148  std::vector<uint8_t> block(16);
149  store_be(ICV, block.data());
150  copy_mem(block.data() + 8, input, input_len);
151  bc.encrypt(block);
152  return block;
153  }
154  else
155  {
156  return raw_nist_key_wrap(input, input_len, bc, ICV);
157  }
158  }
A store_be(out)
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
BigInt Botan::normalized_montgomery_inverse ( const BigInt a,
const BigInt b 
)

Call almost_montgomery_inverse and correct the result to a^-1 mod b

Definition at line 75 of file mod_inv.cpp.

References almost_montgomery_inverse(), and Botan::BigInt::is_odd().

76  {
77  BigInt r;
78  size_t k = almost_montgomery_inverse(r, a, p);
79 
80  for(size_t i = 0; i != k; ++i)
81  {
82  if(r.is_odd())
83  r += p;
84  r >>= 1;
85  }
86 
87  return r;
88  }
size_t almost_montgomery_inverse(BigInt &result, const BigInt &a, const BigInt &p)
Definition: mod_inv.cpp:27
secure_vector< uint8_t > BOTAN_TEST_API Botan::oaep_find_delim ( uint8_t &  valid_mask,
const uint8_t  input[],
size_t  input_len,
const secure_vector< uint8_t > &  Phash 
)

Definition at line 95 of file oaep.cpp.

References Botan::CT::Mask< T >::cleared(), Botan::CT::copy_output(), ct_compare_u8(), Botan::CT::Mask< T >::if_set_return(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_zero(), Botan::CT::poison(), Botan::CT::Mask< T >::set(), and Botan::CT::unpoison().

98  {
99  const size_t hlen = Phash.size();
100 
101  // Too short to be valid, reject immediately
102  if(input_len < 1 + 2*hlen)
103  {
104  return secure_vector<uint8_t>();
105  }
106 
107  CT::poison(input, input_len);
108 
109  size_t delim_idx = 2 * hlen;
110  CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set();
111  CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
112 
113  for(size_t i = delim_idx; i < input_len; ++i)
114  {
115  const auto zero_m = CT::Mask<uint8_t>::is_zero(input[i]);
116  const auto one_m = CT::Mask<uint8_t>::is_equal(input[i], 1);
117 
118  const auto add_m = waiting_for_delim & zero_m;
119 
120  bad_input_m |= waiting_for_delim & ~(zero_m | one_m);
121 
122  delim_idx += add_m.if_set_return(1);
123 
124  waiting_for_delim &= zero_m;
125  }
126 
127  // If we never saw any non-zero byte, then it's not valid input
128  bad_input_m |= waiting_for_delim;
129  bad_input_m |= CT::Mask<uint8_t>::is_zero(ct_compare_u8(&input[hlen], Phash.data(), hlen));
130 
131  delim_idx += 1;
132 
133  valid_mask = (~bad_input_m).unpoisoned_value();
134  const secure_vector<uint8_t> output = CT::copy_output(bad_input_m, input, input_len, delim_idx);
135 
136  CT::unpoison(input, input_len);
137 
138  return output;
139  }
void poison(const T *p, size_t n)
Definition: ct_utils.h:48
uint8_t ct_compare_u8(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.cpp:56
secure_vector< uint8_t > copy_output(CT::Mask< uint8_t > bad_input, const uint8_t input[], size_t input_length, size_t offset)
Definition: ct_utils.cpp:13
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
bool Botan::operator!= ( const CRL_Entry ,
const CRL_Entry  
)

Test two CRL entries for inequality in at least one field.

Definition at line 58 of file crl_ent.cpp.

59  {
60  return !(a1 == a2);
61  }
template<typename T , typename U >
bool Botan::operator!= ( const secure_allocator< T > &  ,
const secure_allocator< U > &   
)
inline

Definition at line 62 of file secmem.h.

63  { return false; }
bool Botan::operator!= ( const AlgorithmIdentifier a1,
const AlgorithmIdentifier a2 
)

Definition at line 82 of file alg_id.cpp.

83  {
84  return !(a1 == a2);
85  }
bool Botan::operator!= ( const OctetString x,
const OctetString y 
)

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is not equal to y

Definition at line 106 of file symkey.cpp.

107  {
108  return !(s1 == s2);
109  }
bool Botan::operator!= ( const X509_DN dn1,
const X509_DN dn2 
)

Definition at line 174 of file x509_dn.cpp.

175  {
176  return !(dn1 == dn2);
177  }
bool Botan::operator!= ( const CurveGFp lhs,
const CurveGFp rhs 
)
inline

Definition at line 247 of file curve_gfp.h.

248  {
249  return !(lhs == rhs);
250  }
bool Botan::operator!= ( const OID a,
const OID b 
)
inline

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is not equal to b

Definition at line 311 of file asn1_obj.h.

312  {
313  return !(a == b);
314  }
bool Botan::operator!= ( const PointGFp lhs,
const PointGFp rhs 
)
inline

Definition at line 355 of file point_gfp.h.

356  {
357  return !(rhs == lhs);
358  }
bool Botan::operator!= ( const ASN1_Time t1,
const ASN1_Time t2 
)

Definition at line 277 of file asn1_time.cpp.

References Botan::ASN1_Time::cmp().

278  { return (t1.cmp(t2) != 0); }
bool Botan::operator!= ( const EC_Group lhs,
const EC_Group rhs 
)
inline

Definition at line 387 of file ec_group.h.

389  {
390  return !(lhs == rhs);
391  }
bool Botan::operator!= ( const X509_Certificate cert1,
const X509_Certificate cert2 
)

Check two certificates for inequality

Parameters
cert1The first certificate
cert2The second certificate
Returns
true if the arguments represent different certificates, false if they are binary identical

Definition at line 831 of file x509cert.cpp.

832  {
833  return !(cert1 == cert2);
834  }
bool Botan::operator!= ( const BigInt a,
const BigInt b 
)
inline

Definition at line 1111 of file bigint.h.

References Botan::BigInt::is_equal().

1112  { return !a.is_equal(b); }
bool Botan::operator!= ( const BigInt a,
word  b 
)
inline

Definition at line 1124 of file bigint.h.

References Botan::BigInt::cmp_word().

1125  { return (a.cmp_word(b) != 0); }
BigInt Botan::operator% ( const BigInt n,
const BigInt mod 
)

Definition at line 131 of file big_ops3.cpp.

References Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

132  {
133  if(mod.is_zero())
134  throw BigInt::DivideByZero();
135  if(mod.is_negative())
136  throw Invalid_Argument("BigInt::operator%: modulus must be > 0");
137  if(n.is_positive() && mod.is_positive() && n < mod)
138  return n;
139 
140  if(mod.sig_words() == 1)
141  {
142  return n % mod.word_at(0);
143  }
144 
145  BigInt q, r;
146  vartime_divide(n, mod, q, r);
147  return r;
148  }
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition: divide.cpp:159
word Botan::operator% ( const BigInt n,
word  mod 
)

Definition at line 153 of file big_ops3.cpp.

References bigint_modop(), is_power_of_2(), Botan::BigInt::Negative, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::word_at().

154  {
155  if(mod == 0)
156  throw BigInt::DivideByZero();
157 
158  if(mod == 1)
159  return 0;
160 
161  word remainder = 0;
162 
163  if(is_power_of_2(mod))
164  {
165  remainder = (n.word_at(0) & (mod - 1));
166  }
167  else
168  {
169  const size_t sw = n.sig_words();
170  for(size_t i = sw; i > 0; --i)
171  {
172  remainder = bigint_modop(remainder, n.word_at(i-1), mod);
173  }
174  }
175 
176  if(remainder && n.sign() == BigInt::Negative)
177  return mod - remainder;
178  return remainder;
179  }
constexpr bool is_power_of_2(T arg)
Definition: bit_ops.h:43
word bigint_modop(word n1, word n0, word d)
Definition: mp_core.h:755
ECIES_Flags Botan::operator& ( ECIES_Flags  a,
ECIES_Flags  b 
)
inline

Definition at line 49 of file ecies.h.

50  {
51  return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) & static_cast<uint32_t>(b));
52  }
ECIES_Flags
Definition: ecies.h:27
BigInt Botan::operator* ( const BigInt x,
const BigInt y 
)

Definition at line 45 of file big_ops3.cpp.

References bigint_linmul3(), bigint_mul(), Botan::BigInt::data(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::size(), and Botan::BigInt::word_at().

46  {
47  const size_t x_sw = x.sig_words();
48  const size_t y_sw = y.sig_words();
49 
50  BigInt z(BigInt::Positive, x.size() + y.size());
51 
52  if(x_sw == 1 && y_sw)
53  bigint_linmul3(z.mutable_data(), y.data(), y_sw, x.word_at(0));
54  else if(y_sw == 1 && x_sw)
55  bigint_linmul3(z.mutable_data(), x.data(), x_sw, y.word_at(0));
56  else if(x_sw && y_sw)
57  {
58  secure_vector<word> workspace(z.size());
59 
60  bigint_mul(z.mutable_data(), z.size(),
61  x.data(), x.size(), x_sw,
62  y.data(), y.size(), y_sw,
63  workspace.data(), workspace.size());
64  }
65 
66  z.cond_flip_sign(x_sw > 0 && y_sw > 0 && x.sign() != y.sign());
67 
68  return z;
69  }
void bigint_linmul3(word z[], const word x[], size_t x_size, word y)
Definition: mp_core.h:504
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition: mp_karat.cpp:298
BigInt Botan::operator* ( const BigInt x,
word  y 
)

Definition at line 74 of file big_ops3.cpp.

References bigint_linmul3(), Botan::BigInt::data(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().

75  {
76  const size_t x_sw = x.sig_words();
77 
78  BigInt z(BigInt::Positive, x_sw + 1);
79 
80  if(x_sw && y)
81  {
82  bigint_linmul3(z.mutable_data(), x.data(), x_sw, y);
83  z.set_sign(x.sign());
84  }
85 
86  return z;
87  }
void bigint_linmul3(word z[], const word x[], size_t x_size, word y)
Definition: mp_core.h:504
donna128 Botan::operator* ( const donna128 x,
uint64_t  y 
)
inline

Definition at line 83 of file donna128.h.

References BOTAN_ARG_CHECK, Botan::donna128::hi(), Botan::donna128::lo(), and mul64x64_128().

84  {
85  BOTAN_ARG_CHECK(x.hi() == 0, "High 64 bits of donna128 set to zero during multiply");
86 
87  uint64_t lo = 0, hi = 0;
88  mul64x64_128(x.lo(), y, &lo, &hi);
89  return donna128(lo, hi);
90  }
void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition: mul128.h:85
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
donna128 Botan::operator* ( uint64_t  y,
const donna128 x 
)
inline

Definition at line 92 of file donna128.h.

93  {
94  return x * y;
95  }
PointGFp Botan::operator* ( const PointGFp point,
const BigInt scalar 
)
inline

Definition at line 378 of file point_gfp.h.

379  {
380  return scalar * point;
381  }
PointGFp Botan::operator* ( const BigInt scalar,
const PointGFp point 
)

Point multiplication operator

Parameters
scalarthe scalar value
pointthe point value
Returns
scalar*point on the curve

Definition at line 394 of file point_gfp.cpp.

References Botan::PointGFp::add(), Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::PointGFp::mult2(), Botan::PointGFp::on_the_curve(), Botan::PointGFp::WORKSPACE_SIZE, and Botan::PointGFp::zero().

395  {
396  BOTAN_DEBUG_ASSERT(point.on_the_curve());
397 
398  const size_t scalar_bits = scalar.bits();
399 
400  std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE);
401 
402  PointGFp R[2] = { point.zero(), point };
403 
404  for(size_t i = scalar_bits; i > 0; i--)
405  {
406  const size_t b = scalar.get_bit(i - 1);
407  R[b ^ 1].add(R[b], ws);
408  R[b].mult2(ws);
409  }
410 
411  if(scalar.is_negative())
412  R[0].negate();
413 
414  BOTAN_DEBUG_ASSERT(R[0].on_the_curve());
415 
416  return R[0];
417  }
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
BigInt Botan::operator* ( word  x,
const BigInt y 
)
inline

Definition at line 1097 of file bigint.h.

1097 { return y*x; }
donna128 Botan::operator+ ( const donna128 x,
const donna128 y 
)
inline

Definition at line 97 of file donna128.h.

98  {
99  donna128 z = x;
100  z += y;
101  return z;
102  }
donna128 Botan::operator+ ( const donna128 x,
uint64_t  y 
)
inline

Definition at line 104 of file donna128.h.

105  {
106  donna128 z = x;
107  z += y;
108  return z;
109  }
OctetString Botan::operator+ ( const OctetString x,
const OctetString y 
)

Concatenate two strings

Parameters
xan octet string
yan octet string
Returns
x concatenated with y

Definition at line 114 of file symkey.cpp.

References Botan::OctetString::bits_of().

115  {
116  secure_vector<uint8_t> out;
117  out += k1.bits_of();
118  out += k2.bits_of();
119  return OctetString(out);
120  }
OID Botan::operator+ ( const OID oid,
uint32_t  new_comp 
)

Append another component onto the OID.

Parameters
oidthe OID to add the new component to
new_compthe new component to add

Definition at line 122 of file asn1_oid.cpp.

References Botan::OID::get_components().

123  {
124  std::vector<uint32_t> val = oid.get_components();
125  val.push_back(new_component);
126  return OID(std::move(val));
127  }
PointGFp Botan::operator+ ( const PointGFp lhs,
const PointGFp rhs 
)
inline

Definition at line 366 of file point_gfp.h.

367  {
368  PointGFp tmp(lhs);
369  return tmp += rhs;
370  }
BigInt Botan::operator+ ( const BigInt x,
const BigInt y 
)
inline

Definition at line 1070 of file bigint.h.

References Botan::BigInt::add2(), Botan::BigInt::data(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().

1071  {
1072  return BigInt::add2(x, y.data(), y.sig_words(), y.sign());
1073  }
BigInt Botan::operator+ ( const BigInt x,
word  y 
)
inline

Definition at line 1075 of file bigint.h.

References Botan::BigInt::add2(), and Botan::BigInt::Positive.

1076  {
1077  return BigInt::add2(x, &y, 1, BigInt::Positive);
1078  }
BigInt Botan::operator+ ( word  x,
const BigInt y 
)
inline

Definition at line 1080 of file bigint.h.

1081  {
1082  return y + x;
1083  }
template<typename T , typename Alloc , typename Alloc2 >
std::vector<T, Alloc>& Botan::operator+= ( std::vector< T, Alloc > &  out,
const std::vector< T, Alloc2 > &  in 
)

Definition at line 79 of file secmem.h.

81  {
82  out.reserve(out.size() + in.size());
83  out.insert(out.end(), in.begin(), in.end());
84  return out;
85  }
template<typename T , typename Alloc >
std::vector<T, Alloc>& Botan::operator+= ( std::vector< T, Alloc > &  out,
T  in 
)

Definition at line 88 of file secmem.h.

89  {
90  out.push_back(in);
91  return out;
92  }
template<typename T , typename Alloc , typename L >
std::vector<T, Alloc>& Botan::operator+= ( std::vector< T, Alloc > &  out,
const std::pair< const T *, L > &  in 
)

Definition at line 95 of file secmem.h.

97  {
98  out.reserve(out.size() + in.second);
99  out.insert(out.end(), in.first, in.first + in.second);
100  return out;
101  }
template<typename T , typename Alloc , typename L >
std::vector<T, Alloc>& Botan::operator+= ( std::vector< T, Alloc > &  out,
const std::pair< T *, L > &  in 
)

Definition at line 104 of file secmem.h.

106  {
107  out.reserve(out.size() + in.second);
108  out.insert(out.end(), in.first, in.first + in.second);
109  return out;
110  }
PointGFp Botan::operator- ( const PointGFp lhs)
inline

Definition at line 361 of file point_gfp.h.

References Botan::PointGFp::negate().

362  {
363  return PointGFp(lhs).negate();
364  }
PointGFp Botan::operator- ( const PointGFp lhs,
const PointGFp rhs 
)
inline

Definition at line 372 of file point_gfp.h.

373  {
374  PointGFp tmp(lhs);
375  return tmp -= rhs;
376  }
BigInt Botan::operator- ( const BigInt x,
const BigInt y 
)
inline

Definition at line 1085 of file bigint.h.

References Botan::BigInt::add2(), Botan::BigInt::data(), Botan::BigInt::reverse_sign(), and Botan::BigInt::sig_words().

1086  {
1087  return BigInt::add2(x, y.data(), y.sig_words(), y.reverse_sign());
1088  }
BigInt Botan::operator- ( const BigInt x,
word  y 
)
inline

Definition at line 1090 of file bigint.h.

References Botan::BigInt::add2(), and Botan::BigInt::Negative.

1091  {
1092  return BigInt::add2(x, &y, 1, BigInt::Negative);
1093  }
BigInt Botan::operator/ ( const BigInt x,
const BigInt y 
)

Definition at line 92 of file big_ops3.cpp.

References Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().

93  {
94  if(y.sig_words() == 1)
95  {
96  return x / y.word_at(0);
97  }
98 
99  BigInt q, r;
100  vartime_divide(x, y, q, r);
101  return q;
102  }
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition: divide.cpp:159
BigInt Botan::operator/ ( const BigInt x,
word  y 
)

Definition at line 107 of file big_ops3.cpp.

References ct_divide_u8(), and vartime_divide().

108  {
109  if(y == 0)
110  throw BigInt::DivideByZero();
111  else if(y == 1)
112  return x;
113  else if(y == 2)
114  return (x >> 1);
115  else if(y <= 255)
116  {
117  BigInt q;
118  uint8_t r;
119  ct_divide_u8(x, static_cast<uint8_t>(y), q, r);
120  return q;
121  }
122 
123  BigInt q, r;
124  vartime_divide(x, y, q, r);
125  return q;
126  }
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition: divide.cpp:159
void ct_divide_u8(const BigInt &x, uint8_t y, BigInt &q_out, uint8_t &r_out)
Definition: divide.cpp:82
bool Botan::operator< ( const X509_DN dn1,
const X509_DN dn2 
)

Definition at line 182 of file x509_dn.cpp.

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::X509_DN::get_attributes(), and x500_name_cmp().

183  {
184  auto attr1 = dn1.get_attributes();
185  auto attr2 = dn2.get_attributes();
186 
187  // If they are not the same size, choose the smaller as the "lessor"
188  if(attr1.size() < attr2.size())
189  return true;
190  if(attr1.size() > attr2.size())
191  return false;
192 
193  // We know they are the same # of elements, now compare the OIDs:
194  auto p1 = attr1.begin();
195  auto p2 = attr2.begin();
196 
197  while(p1 != attr1.end() && p2 != attr2.end())
198  {
199  if(p1->first != p2->first)
200  {
201  return (p1->first < p2->first);
202  }
203 
204  ++p1;
205  ++p2;
206  }
207 
208  // We know this is true because maps have the same size
209  BOTAN_ASSERT_NOMSG(p1 == attr1.end());
210  BOTAN_ASSERT_NOMSG(p2 == attr2.end());
211 
212  // Now we know all elements have the same OIDs, compare
213  // their string values:
214 
215  p1 = attr1.begin();
216  p2 = attr2.begin();
217  while(p1 != attr1.end() && p2 != attr2.end())
218  {
219  BOTAN_DEBUG_ASSERT(p1->first == p2->first);
220 
221  // They may be binary different but same by X.500 rules, check this
222  if(!x500_name_cmp(p1->second, p2->second))
223  {
224  // If they are not (by X.500) the same string, pick the
225  // lexicographic first as the lessor
226  return (p1->second < p2->second);
227  }
228 
229  ++p1;
230  ++p2;
231  }
232 
233  // if we reach here, then the DNs should be identical
234  BOTAN_DEBUG_ASSERT(dn1 == dn2);
235  return false;
236  }
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
bool x500_name_cmp(const std::string &name1, const std::string &name2)
Definition: parsing.cpp:212
bool Botan::operator< ( const OID a,
const OID b 
)

Compare two OIDs.

Parameters
athe first OID
bthe second OID
Returns
true if a is lexicographically smaller than b

Definition at line 132 of file asn1_oid.cpp.

References Botan::OID::get_components().

133  {
134  const std::vector<uint32_t>& oid1 = a.get_components();
135  const std::vector<uint32_t>& oid2 = b.get_components();
136 
137  return std::lexicographical_compare(oid1.begin(), oid1.end(),
138  oid2.begin(), oid2.end());
139  }
bool Botan::operator< ( const ASN1_Time t1,
const ASN1_Time t2 
)

Definition at line 285 of file asn1_time.cpp.

References Botan::ASN1_Time::cmp().

286  { return (t1.cmp(t2) < 0); }
bool Botan::operator< ( const BigInt a,
const BigInt b 
)
inline

Definition at line 1117 of file bigint.h.

References Botan::BigInt::is_less_than().

1118  { return a.is_less_than(b); }
bool Botan::operator< ( const BigInt a,
word  b 
)
inline

Definition at line 1130 of file bigint.h.

References Botan::BigInt::cmp_word().

1131  { return (a.cmp_word(b) < 0); }
int Botan::operator<< ( int  out,
Pipe pipe 
)

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outfile descriptor for an open output stream
pipethe pipe

Definition at line 17 of file fd_unix.cpp.

References Botan::Pipe::read(), and Botan::Pipe::remaining().

18  {
19  secure_vector<uint8_t> buffer(BOTAN_DEFAULT_BUFFER_SIZE);
20  while(pipe.remaining())
21  {
22  size_t got = pipe.read(buffer.data(), buffer.size());
23  size_t position = 0;
24  while(got)
25  {
26  ssize_t ret = ::write(fd, &buffer[position], got);
27  if(ret < 0)
28  throw Stream_IO_Error("Pipe output operator (unixfd) has failed");
29 
30  position += static_cast<size_t>(ret);
31  got -= static_cast<size_t>(ret);
32  }
33  }
34  return fd;
35  }
std::ostream & Botan::operator<< ( std::ostream &  stream,
const BigInt n 
)

Definition at line 17 of file big_io.cpp.

References Botan::BigInt::to_dec_string(), and Botan::BigInt::to_hex_string().

18  {
19  size_t base = 10;
20  if(stream.flags() & std::ios::hex)
21  base = 16;
22  if(stream.flags() & std::ios::oct)
23  throw Invalid_Argument("Octal output of BigInt not supported");
24 
25  if(n == 0)
26  stream.write("0", 1);
27  else
28  {
29  if(n < 0)
30  stream.write("-", 1);
31 
32  std::string enc;
33 
34  if(base == 10)
35  enc = n.to_dec_string();
36  else
37  enc = n.to_hex_string();
38 
39  size_t skip = 0;
40  while(skip < enc.size() && enc[skip] == '0')
41  ++skip;
42  stream.write(&enc[skip], enc.size() - skip);
43  }
44  if(!stream.good())
45  throw Stream_IO_Error("BigInt output operator has failed");
46  return stream;
47  }
std::ostream & Botan::operator<< ( std::ostream &  out,
const X509_DN dn 
)

Definition at line 333 of file x509_dn.cpp.

References Botan::X509_DN::dn_info().

334  {
335  auto info = dn.dn_info();
336 
337  for(size_t i = 0; i != info.size(); ++i)
338  {
339  out << to_short_form(info[i].first) << "=\"";
340  for(char c : info[i].second.value())
341  {
342  if(c == '\\' || c == '\"')
343  {
344  out << "\\";
345  }
346  out << c;
347  }
348  out << "\"";
349 
350  if(i + 1 < info.size())
351  {
352  out << ",";
353  }
354  }
355  return out;
356  }
BigInt Botan::operator<< ( const BigInt x,
size_t  shift 
)

Definition at line 184 of file big_ops3.cpp.

References bigint_shl2(), Botan::BigInt::data(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().

185  {
186  const size_t shift_words = shift / BOTAN_MP_WORD_BITS,
187  shift_bits = shift % BOTAN_MP_WORD_BITS;
188 
189  const size_t x_sw = x.sig_words();
190 
191  BigInt y(x.sign(), x_sw + shift_words + (shift_bits ? 1 : 0));
192  bigint_shl2(y.mutable_data(), x.data(), x_sw, shift_words, shift_bits);
193  return y;
194  }
void bigint_shl2(word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
Definition: mp_core.h:449
std::ostream & Botan::operator<< ( std::ostream &  os,
const GeneralName gn 
)

Definition at line 225 of file name_constraint.cpp.

References Botan::GeneralName::name(), and Botan::GeneralName::type().

226  {
227  os << gn.type() << ":" << gn.name();
228  return os;
229  }
std::ostream & Botan::operator<< ( std::ostream &  os,
const GeneralSubtree gs 
)

Definition at line 268 of file name_constraint.cpp.

References Botan::GeneralSubtree::base(), Botan::GeneralSubtree::maximum(), and Botan::GeneralSubtree::minimum().

269  {
270  os << gs.minimum() << "," << gs.maximum() << "," << gs.base();
271  return os;
272  }
std::ostream & Botan::operator<< ( std::ostream &  out,
Pipe pipe 
)

Stream output operator; dumps the results from pipe's default message to the output stream.

Parameters
outan output stream
pipethe pipe

Definition at line 17 of file pipe_io.cpp.

References cast_uint8_ptr_to_char(), Botan::Pipe::read(), and Botan::Pipe::remaining().

18  {
19  secure_vector<uint8_t> buffer(BOTAN_DEFAULT_BUFFER_SIZE);
20  while(stream.good() && pipe.remaining())
21  {
22  const size_t got = pipe.read(buffer.data(), buffer.size());
23  stream.write(cast_uint8_ptr_to_char(buffer.data()), got);
24  }
25  if(!stream.good())
26  throw Stream_IO_Error("Pipe output operator (iostream) has failed");
27  return stream;
28  }
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition: mem_ops.h:195
bool Botan::operator<= ( const ASN1_Time t1,
const ASN1_Time t2 
)

Definition at line 280 of file asn1_time.cpp.

References Botan::ASN1_Time::cmp().

281  { return (t1.cmp(t2) <= 0); }
bool Botan::operator<= ( const BigInt a,
const BigInt b 
)
inline

Definition at line 1113 of file bigint.h.

References Botan::BigInt::cmp().

1114  { return (a.cmp(b) <= 0); }
bool Botan::operator<= ( const BigInt a,
word  b 
)
inline

Definition at line 1126 of file bigint.h.

References Botan::BigInt::cmp_word().

1127  { return (a.cmp_word(b) <= 0); }
bool Botan::operator== ( const CRL_Entry ,
const CRL_Entry  
)

Test two CRL entries for equality in all fields.

Definition at line 44 of file crl_ent.cpp.

References Botan::CRL_Entry::expire_time(), Botan::CRL_Entry::reason_code(), and Botan::CRL_Entry::serial_number().

45  {
46  if(a1.serial_number() != a2.serial_number())
47  return false;
48  if(a1.expire_time() != a2.expire_time())
49  return false;
50  if(a1.reason_code() != a2.reason_code())
51  return false;
52  return true;
53  }
template<typename T , typename U >
bool Botan::operator== ( const secure_allocator< T > &  ,
const secure_allocator< U > &   
)
inline

Definition at line 58 of file secmem.h.

59  { return true; }
bool Botan::operator== ( const AlgorithmIdentifier a1,
const AlgorithmIdentifier a2 
)

Definition at line 65 of file alg_id.cpp.

References Botan::AlgorithmIdentifier::get_oid(), Botan::AlgorithmIdentifier::get_parameters(), and Botan::AlgorithmIdentifier::parameters_are_null_or_empty().

66  {
67  if(a1.get_oid() != a2.get_oid())
68  return false;
69 
70  /*
71  * Treat NULL and empty as equivalent
72  */
73  if(a1.parameters_are_null_or_empty() &&
74  a2.parameters_are_null_or_empty())
75  {
76  return true;
77  }
78 
79  return (a1.get_parameters() == a2.get_parameters());
80  }
bool Botan::operator== ( const OctetString x,
const OctetString y 
)

Compare two strings

Parameters
xan octet string
yan octet string
Returns
if x is equal to y

Definition at line 98 of file symkey.cpp.

References Botan::OctetString::bits_of().

99  {
100  return (s1.bits_of() == s2.bits_of());
101  }
bool Botan::operator== ( const X509_DN dn1,
const X509_DN dn2 
)

Definition at line 146 of file x509_dn.cpp.

References Botan::X509_DN::get_attributes(), and x500_name_cmp().

147  {
148  auto attr1 = dn1.get_attributes();
149  auto attr2 = dn2.get_attributes();
150 
151  if(attr1.size() != attr2.size()) return false;
152 
153  auto p1 = attr1.begin();
154  auto p2 = attr2.begin();
155 
156  while(true)
157  {
158  if(p1 == attr1.end() && p2 == attr2.end())
159  break;
160  if(p1 == attr1.end()) return false;
161  if(p2 == attr2.end()) return false;
162  if(p1->first != p2->first) return false;
163  if(!x500_name_cmp(p1->second, p2->second))
164  return false;
165  ++p1;
166  ++p2;
167  }
168  return true;
169  }
bool x500_name_cmp(const std::string &name1, const std::string &name2)
Definition: parsing.cpp:212
bool Botan::operator== ( const ASN1_Time t1,
const ASN1_Time t2 
)

Definition at line 275 of file asn1_time.cpp.

References Botan::ASN1_Time::cmp().

276  { return (t1.cmp(t2) == 0); }
bool Botan::operator== ( const BigInt a,
const BigInt b 
)
inline

Definition at line 1109 of file bigint.h.

1110  { return a.is_equal(b); }
bool Botan::operator== ( const BigInt a,
word  b 
)
inline

Definition at line 1122 of file bigint.h.

References Botan::BigInt::cmp_word().

1123  { return (a.cmp_word(b) == 0); }
bool Botan::operator> ( const ASN1_Time t1,
const ASN1_Time t2 
)

Definition at line 287 of file asn1_time.cpp.

References Botan::ASN1_Time::cmp().

288  { return (t1.cmp(t2) > 0); }
bool Botan::operator> ( const BigInt a,
const BigInt b 
)
inline

Definition at line 1119 of file bigint.h.

References Botan::BigInt::is_less_than().

1120  { return b.is_less_than(a); }
bool Botan::operator> ( const BigInt a,
word  b 
)
inline

Definition at line 1132 of file bigint.h.

References Botan::BigInt::cmp_word().

1133  { return (a.cmp_word(b) > 0); }
bool Botan::operator>= ( const ASN1_Time t1,
const ASN1_Time t2 
)

Definition at line 282 of file asn1_time.cpp.

References Botan::ASN1_Time::cmp().

283  { return (t1.cmp(t2) >= 0); }
bool Botan::operator>= ( const BigInt a,
const BigInt b 
)
inline

Definition at line 1115 of file bigint.h.

References Botan::BigInt::cmp().

1116  { return (a.cmp(b) >= 0); }
bool Botan::operator>= ( const BigInt a,
word  b 
)
inline

Definition at line 1128 of file bigint.h.

References Botan::BigInt::cmp_word().

1129  { return (a.cmp_word(b) >= 0); }
int Botan::operator>> ( int  in,
Pipe pipe 
)

File descriptor input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
infile descriptor for an open input stream
pipethe pipe

Definition at line 40 of file fd_unix.cpp.

References Botan::Pipe::write().

41  {
42  secure_vector<uint8_t> buffer(BOTAN_DEFAULT_BUFFER_SIZE);
43  while(true)
44  {
45  ssize_t ret = ::read(fd, buffer.data(), buffer.size());
46  if(ret < 0)
47  throw Stream_IO_Error("Pipe input operator (unixfd) has failed");
48  else if(ret == 0)
49  break;
50  pipe.write(buffer.data(), static_cast<size_t>(ret));
51  }
52  return fd;
53  }
std::istream & Botan::operator>> ( std::istream &  stream,
BigInt n 
)

Definition at line 52 of file big_io.cpp.

53  {
54  std::string str;
55  std::getline(stream, str);
56  if(stream.bad() || (stream.fail() && !stream.eof()))
57  throw Stream_IO_Error("BigInt input operator has failed");
58  n = BigInt(str);
59  return stream;
60  }
std::istream & Botan::operator>> ( std::istream &  in,
X509_DN dn 
)

Definition at line 358 of file x509_dn.cpp.

References Botan::X509_DN::add_attribute(), and Botan::X509_DN::deref_info_field().

359  {
360  in >> std::noskipws;
361  do
362  {
363  std::string key;
364  std::string val;
365  char c;
366 
367  while(in.good())
368  {
369  in >> c;
370 
371  if(std::isspace(c) && key.empty())
372  continue;
373  else if(!std::isspace(c))
374  {
375  key.push_back(c);
376  break;
377  }
378  else
379  break;
380  }
381 
382  while(in.good())
383  {
384  in >> c;
385 
386  if(!std::isspace(c) && c != '=')
387  key.push_back(c);
388  else if(c == '=')
389  break;
390  else
391  throw Invalid_Argument("Ill-formed X.509 DN");
392  }
393 
394  bool in_quotes = false;
395  while(in.good())
396  {
397  in >> c;
398 
399  if(std::isspace(c))
400  {
401  if(!in_quotes && !val.empty())
402  break;
403  else if(in_quotes)
404  val.push_back(' ');
405  }
406  else if(c == '"')
407  in_quotes = !in_quotes;
408  else if(c == '\\')
409  {
410  if(in.good())
411  in >> c;
412  val.push_back(c);
413  }
414  else if(c == ',' && !in_quotes)
415  break;
416  else
417  val.push_back(c);
418  }
419 
420  if(!key.empty() && !val.empty())
421  dn.add_attribute(X509_DN::deref_info_field(key),val);
422  else
423  break;
424  }
425  while(in.good());
426  return in;
427  }
BigInt Botan::operator>> ( const BigInt x,
size_t  shift 
)

Definition at line 199 of file big_ops3.cpp.

References bigint_shr2(), Botan::BigInt::data(), Botan::BigInt::is_negative(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), and Botan::BigInt::sign().

200  {
201  const size_t shift_words = shift / BOTAN_MP_WORD_BITS;
202  const size_t shift_bits = shift % BOTAN_MP_WORD_BITS;
203  const size_t x_sw = x.sig_words();
204 
205  BigInt y(x.sign(), x_sw - shift_words);
206  bigint_shr2(y.mutable_data(), x.data(), x_sw, shift_words, shift_bits);
207 
208  if(x.is_negative() && y.is_zero())
209  y.set_sign(BigInt::Positive);
210 
211  return y;
212  }
void bigint_shr2(word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
Definition: mp_core.h:466
std::istream & Botan::operator>> ( std::istream &  in,
Pipe pipe 
)

Stream input operator; dumps the remaining bytes of input to the (assumed open) pipe message.

Parameters
inthe input stream
pipethe pipe

Definition at line 33 of file pipe_io.cpp.

References cast_uint8_ptr_to_char(), and Botan::Pipe::write().

34  {
35  secure_vector<uint8_t> buffer(BOTAN_DEFAULT_BUFFER_SIZE);
36  while(stream.good())
37  {
38  stream.read(cast_uint8_ptr_to_char(buffer.data()), buffer.size());
39  const size_t got = static_cast<size_t>(stream.gcount());
40  pipe.write(buffer.data(), got);
41  }
42  if(stream.bad() || (stream.fail() && !stream.eof()))
43  throw Stream_IO_Error("Pipe input operator (iostream) has failed");
44  return stream;
45  }
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition: mem_ops.h:195
OctetString Botan::operator^ ( const OctetString x,
const OctetString y 
)

XOR two strings

Parameters
xan octet string
yan octet string
Returns
x XORed with y

Definition at line 125 of file symkey.cpp.

References Botan::OctetString::begin(), copy_mem(), Botan::OctetString::length(), and xor_buf().

126  {
127  secure_vector<uint8_t> out(std::max(k1.length(), k2.length()));
128 
129  copy_mem(out.data(), k1.begin(), k1.length());
130  xor_buf(out.data(), k2.begin(), k2.length());
131  return OctetString(out);
132  }
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:133
template<typename Alloc , typename Alloc2 >
std::vector<uint8_t, Alloc>& Botan::operator^= ( std::vector< uint8_t, Alloc > &  out,
const std::vector< uint8_t, Alloc2 > &  in 
)

Definition at line 353 of file mem_ops.h.

References xor_buf().

355  {
356  if(out.size() < in.size())
357  out.resize(in.size());
358 
359  xor_buf(out.data(), in.data(), in.size());
360  return out;
361  }
void xor_buf(std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
Definition: mem_ops.h:343
ECIES_Flags Botan::operator| ( ECIES_Flags  a,
ECIES_Flags  b 
)
inline

Definition at line 44 of file ecies.h.

45  {
46  return static_cast<ECIES_Flags>(static_cast<uint32_t>(a) | static_cast<uint32_t>(b));
47  }
ECIES_Flags
Definition: ecies.h:27
donna128 Botan::operator| ( const donna128 x,
const donna128 y 
)
inline

Definition at line 111 of file donna128.h.

References Botan::donna128::hi(), and Botan::donna128::lo().

112  {
113  return donna128(x.lo() | y.lo(), x.hi() | y.hi());
114  }
template<typename Alloc >
PointGFp Botan::OS2ECP ( const std::vector< uint8_t, Alloc > &  data,
const CurveGFp curve 
)

Definition at line 414 of file point_gfp.h.

References OS2ECP().

415  { return OS2ECP(data.data(), data.size(), curve); }
PointGFp OS2ECP(const std::vector< uint8_t, Alloc > &data, const CurveGFp &curve)
Definition: point_gfp.h:414
PointGFp Botan::OS2ECP ( const uint8_t  data[],
size_t  data_len,
const CurveGFp curve 
)

Perform point decoding Use EC_Group::OS2ECP instead

Definition at line 667 of file point_gfp.cpp.

References Botan::CurveGFp::get_a(), Botan::CurveGFp::get_b(), and Botan::CurveGFp::get_p().

Referenced by Botan::EC_Group::OS2ECP(), and OS2ECP().

669  {
670  // Should we really be doing this?
671  if(data_len <= 1)
672  return PointGFp(curve); // return zero
673 
674  std::pair<BigInt, BigInt> xy = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b());
675 
676  PointGFp point(curve, xy.first, xy.second);
677 
678  if(!point.on_the_curve())
679  throw Illegal_Point("OS2ECP: Decoded point was not on the curve");
680 
681  return point;
682  }
std::pair< BigInt, BigInt > OS2ECP(const uint8_t data[], size_t data_len, const BigInt &curve_p, const BigInt &curve_a, const BigInt &curve_b)
Definition: point_gfp.cpp:684
std::pair< BigInt, BigInt > BOTAN_UNSTABLE_API Botan::OS2ECP ( const uint8_t  data[],
size_t  data_len,
const BigInt curve_p,
const BigInt curve_a,
const BigInt curve_b 
)

Perform point decoding Use EC_Group::OS2ECP instead

Parameters
datathe encoded point
data_lenlength of data in bytes
curve_pthe curve equation prime
curve_athe curve equation a parameter
curve_bthe curve equation b parameter

Definition at line 684 of file point_gfp.cpp.

References Botan::BigInt::decode(), and Botan::ASN1::to_string().

688  {
689  if(data_len <= 1)
690  throw Decoding_Error("OS2ECP invalid point");
691 
692  const uint8_t pc = data[0];
693 
694  BigInt x, y;
695 
696  if(pc == 2 || pc == 3)
697  {
698  //compressed form
699  x = BigInt::decode(&data[1], data_len - 1);
700 
701  const bool y_mod_2 = ((pc & 0x01) == 1);
702  y = decompress_point(y_mod_2, x, curve_p, curve_a, curve_b);
703  }
704  else if(pc == 4)
705  {
706  const size_t l = (data_len - 1) / 2;
707 
708  // uncompressed form
709  x = BigInt::decode(&data[1], l);
710  y = BigInt::decode(&data[l+1], l);
711  }
712  else if(pc == 6 || pc == 7)
713  {
714  const size_t l = (data_len - 1) / 2;
715 
716  // hybrid form
717  x = BigInt::decode(&data[1], l);
718  y = BigInt::decode(&data[l+1], l);
719 
720  const bool y_mod_2 = ((pc & 0x01) == 1);
721 
722  if(decompress_point(y_mod_2, x, curve_p, curve_a, curve_b) != y)
723  throw Illegal_Point("OS2ECP: Decoding error in hybrid format");
724  }
725  else
726  throw Invalid_Argument("OS2ECP: Unknown format type " + std::to_string(pc));
727 
728  return std::make_pair(x, y);
729  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68
std::vector< std::string > Botan::parse_algorithm_name ( const std::string &  scan_name)

Parse a SCAN-style algorithm name

Parameters
scan_namethe name
Returns
the name components

Definition at line 95 of file parsing.cpp.

References name.

Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), get_eme(), and Botan::X509_Object::hash_used_for_signature().

96  {
97  if(namex.find('(') == std::string::npos &&
98  namex.find(')') == std::string::npos)
99  return std::vector<std::string>(1, namex);
100 
101  std::string name = namex, substring;
102  std::vector<std::string> elems;
103  size_t level = 0;
104 
105  elems.push_back(name.substr(0, name.find('(')));
106  name = name.substr(name.find('('));
107 
108  for(auto i = name.begin(); i != name.end(); ++i)
109  {
110  char c = *i;
111 
112  if(c == '(')
113  ++level;
114  if(c == ')')
115  {
116  if(level == 1 && i == name.end() - 1)
117  {
118  if(elems.size() == 1)
119  elems.push_back(substring.substr(1));
120  else
121  elems.push_back(substring);
122  return elems;
123  }
124 
125  if(level == 0 || (level == 1 && i != name.end() - 1))
126  throw Invalid_Algorithm_Name(namex);
127  --level;
128  }
129 
130  if(c == ',' && level == 1)
131  {
132  if(elems.size() == 1)
133  elems.push_back(substring.substr(1));
134  else
135  elems.push_back(substring);
136  substring.clear();
137  }
138  else
139  substring += c;
140  }
141 
142  if(!substring.empty())
143  throw Invalid_Algorithm_Name(namex);
144 
145  return elems;
146  }
std::string name
std::vector< uint32_t > Botan::parse_asn1_oid ( const std::string &  oid)

Parse an ASN.1 OID

Parameters
oidthe OID in string form
Returns
OID components

Definition at line 199 of file parsing.cpp.

References BOTAN_UNUSED, and Botan::OID::get_components().

200  {
201 #if defined(BOTAN_HAS_ASN1)
202  return OID(oid).get_components();
203 #else
204  BOTAN_UNUSED(oid);
205  throw Not_Implemented("ASN1 support not available");
206 #endif
207  }
#define BOTAN_UNUSED(...)
Definition: assert.h:142
bool Botan::passes_miller_rabin_test ( const BigInt n,
const Modular_Reducer mod_n,
const std::shared_ptr< Montgomery_Params > &  monty_n,
const BigInt a 
)

Perform a single Miller-Rabin test with specified base

Parameters
nthe positive integer to test
mod_na pre-created Modular_Reducer for n
monty_nMontgomery parameters for n
athe base to check
Returns
result of primality test

Definition at line 104 of file primality.cpp.

References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, low_zero_bits(), monty_execute(), monty_precompute(), and Botan::Modular_Reducer::square().

Referenced by is_bailie_psw_probable_prime(), and is_miller_rabin_probable_prime().

108  {
109  BOTAN_ASSERT_NOMSG(n > 1);
110 
111  const BigInt n_minus_1 = n - 1;
112  const size_t s = low_zero_bits(n_minus_1);
113  const BigInt nm1_s = n_minus_1 >> s;
114  const size_t n_bits = n.bits();
115 
116  const size_t powm_window = 4;
117 
118  auto powm_a_n = monty_precompute(monty_n, a, powm_window);
119 
120  BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits);
121 
122  if(y == 1 || y == n_minus_1)
123  return true;
124 
125  for(size_t i = 1; i != s; ++i)
126  {
127  y = mod_n.square(y);
128 
129  if(y == 1) // found a non-trivial square root
130  return false;
131 
132  /*
133  -1 is the trivial square root of unity, so ``a`` is not a
134  witness for this number - give up
135  */
136  if(y == n_minus_1)
137  return true;
138  }
139 
140  return false;
141  }
size_t low_zero_bits(const BigInt &n)
Definition: numthry.cpp:39
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
Definition: monty_exp.cpp:157
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition: monty_exp.cpp:165
secure_vector< uint8_t > Botan::pbes2_decrypt ( const secure_vector< uint8_t > &  key_bits,
const std::string &  passphrase,
const std::vector< uint8_t > &  params 
)

Decrypt a PKCS #5 v2.0 encrypted stream

Parameters
key_bitsthe input
passphrasethe passphrase to use for decryption
paramsthe PBES2 parameters

Definition at line 303 of file pbes2.cpp.

References Botan::Cipher_Mode::create(), Botan::PEM_Code::decode(), Botan::BER_Decoder::decode(), DECRYPTION, Botan::BER_Decoder::end_cons(), Botan::AlgorithmIdentifier::get_oid(), Botan::AlgorithmIdentifier::get_parameters(), OCTET_STRING, Botan::OIDS::oid2str_or_throw(), SEQUENCE, split_on(), and Botan::BER_Decoder::start_cons().

306  {
307  AlgorithmIdentifier kdf_algo, enc_algo;
308 
309  BER_Decoder(params)
310  .start_cons(SEQUENCE)
311  .decode(kdf_algo)
312  .decode(enc_algo)
313  .end_cons();
314 
315  const std::string cipher = OIDS::oid2str_or_throw(enc_algo.get_oid());
316  const std::vector<std::string> cipher_spec = split_on(cipher, '/');
317  if(cipher_spec.size() != 2)
318  throw Decoding_Error("PBE-PKCS5 v2.0: Invalid cipher spec " + cipher);
319  if(!known_pbes_cipher_mode(cipher_spec[1]))
320  throw Decoding_Error("PBE-PKCS5 v2.0: Don't know param format for " + cipher);
321 
322  secure_vector<uint8_t> iv;
323  BER_Decoder(enc_algo.get_parameters()).decode(iv, OCTET_STRING).verify_end();
324 
325  std::unique_ptr<Cipher_Mode> dec = Cipher_Mode::create(cipher, DECRYPTION);
326  if(!dec)
327  throw Decoding_Error("PBE-PKCS5 cannot decrypt no cipher " + cipher);
328 
329  dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));
330 
331  dec->start(iv);
332 
333  secure_vector<uint8_t> buf = key_bits;
334  dec->finish(buf);
335 
336  return buf;
337  }
BOTAN_UNSTABLE_API std::string oid2str_or_throw(const OID &oid)
Definition: oids.cpp:121
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
secure_vector< uint8_t > decode(DataSource &source, std::string &label)
Definition: pem.cpp:68
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt ( const secure_vector< uint8_t > &  key_bits,
const std::string &  passphrase,
std::chrono::milliseconds  msec,
const std::string &  cipher,
const std::string &  digest,
RandomNumberGenerator rng 
)

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 260 of file pbes2.cpp.

266  {
267  size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
268  return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
269  // return value msec_in_iterations_out discarded
270  }
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_iter ( const secure_vector< uint8_t > &  key_bits,
const std::string &  passphrase,
size_t  iterations,
const std::string &  cipher,
const std::string &  digest,
RandomNumberGenerator rng 
)

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
iterationshow many iterations to run PBKDF2
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 292 of file pbes2.cpp.

Referenced by Botan::PKCS8::BER_encode_encrypted_pbkdf_iter().

298  {
299  return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng);
300  }
std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_msec ( const secure_vector< uint8_t > &  key_bits,
const std::string &  passphrase,
std::chrono::milliseconds  msec,
size_t *  out_iterations_if_nonnull,
const std::string &  cipher,
const std::string &  digest,
RandomNumberGenerator rng 
)

Encrypt with PBES2 from PKCS #5 v2.0

Parameters
key_bitsthe input
passphrasethe passphrase to use for encryption
msechow many milliseconds to run PBKDF2
out_iterations_if_nonnullif not null, set to the number of PBKDF iterations used
cipherspecifies the block cipher to use to encrypt
digestspecifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)")
rnga random number generator

Definition at line 273 of file pbes2.cpp.

Referenced by Botan::PKCS8::BER_encode(), and Botan::PKCS8::BER_encode_encrypted_pbkdf_msec().

280  {
281  size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
282 
283  auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
284 
285  if(out_iterations_if_nonnull)
286  *out_iterations_if_nonnull = msec_in_iterations_out;
287 
288  return ret;
289  }
size_t Botan::pbkdf2 ( MessageAuthenticationCode prf,
uint8_t  out[],
size_t  out_len,
const std::string &  password,
const uint8_t  salt[],
size_t  salt_len,
size_t  iterations,
std::chrono::milliseconds  msec 
)

Definition at line 35 of file pbkdf2.cpp.

References Botan::PBKDF2::derive_key(), Botan::PBKDF2::iterations(), and salt_len.

Referenced by Botan::PBKDF2::derive_key(), Botan::PKCS5_PBKDF2::pbkdf(), and scrypt().

42  {
43  if(iterations == 0)
44  {
45  iterations = PBKDF2(prf, out_len, msec).iterations();
46  }
47 
48  PBKDF2 pbkdf2(prf, iterations);
49 
50  pbkdf2.derive_key(out, out_len,
51  password.c_str(), password.size(),
52  salt, salt_len);
53 
54  return iterations;
55  }
void pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const uint8_t salt[], size_t salt_len, size_t iterations)
Definition: pbkdf2.cpp:108
size_t salt_len
Definition: x509_obj.cpp:25
void Botan::pbkdf2 ( MessageAuthenticationCode prf,
uint8_t  out[],
size_t  out_len,
const uint8_t  salt[],
size_t  salt_len,
size_t  iterations 
)

Perform PBKDF2. The prf is assumed to be keyed already.

Definition at line 108 of file pbkdf2.cpp.

References BOTAN_ASSERT_NOMSG, clear_mem(), Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().

114  {
115  if(iterations == 0)
116  throw Invalid_Argument("PBKDF2: Invalid iteration count");
117 
118  clear_mem(out, out_len);
119 
120  if(out_len == 0)
121  return;
122 
123  const size_t prf_sz = prf.output_length();
124  BOTAN_ASSERT_NOMSG(prf_sz > 0);
125 
126  secure_vector<uint8_t> U(prf_sz);
127 
128  uint32_t counter = 1;
129  while(out_len)
130  {
131  const size_t prf_output = std::min<size_t>(prf_sz, out_len);
132 
133  prf.update(salt, salt_len);
134  prf.update_be(counter++);
135  prf.final(U.data());
136 
137  xor_buf(out, U.data(), prf_output);
138 
139  for(size_t i = 1; i != iterations; ++i)
140  {
141  prf.update(U);
142  prf.final(U.data());
143  xor_buf(out, U.data(), prf_output);
144  }
145 
146  out_len -= prf_output;
147  out += prf_output;
148  }
149  }
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:262
size_t salt_len
Definition: x509_obj.cpp:25
std::vector< uint8_t > Botan::pkcs_hash_id ( const std::string &  hash_name)

Return the PKCS #1 hash identifier

See also
RFC 3447 section 9.2
Parameters
hash_namethe name of the hash function
Returns
uint8_t sequence identifying the hash
Exceptions
Invalid_Argumentif the hash has no known PKCS #1 hash id

Definition at line 77 of file hash_id.cpp.

Referenced by botan_pkcs_hash_id(), Botan::EMSA_PKCS1v15::EMSA_PKCS1v15(), and Botan::EMSA_PKCS1v15_Raw::EMSA_PKCS1v15_Raw().

78  {
79  // Special case for SSL/TLS RSA signatures
80  if(name == "Parallel(MD5,SHA-160)")
81  return std::vector<uint8_t>();
82 
83  // If you add a value to this function, also update test_hash_id.cpp
84 
85  if(name == "MD5")
86  return std::vector<uint8_t>(MD5_PKCS_ID,
87  MD5_PKCS_ID + sizeof(MD5_PKCS_ID));
88 
89  if(name == "RIPEMD-160")
90  return std::vector<uint8_t>(RIPEMD_160_PKCS_ID,
91  RIPEMD_160_PKCS_ID + sizeof(RIPEMD_160_PKCS_ID));
92 
93  if(name == "SHA-160" || name == "SHA-1" || name == "SHA1")
94  return std::vector<uint8_t>(SHA_160_PKCS_ID,
95  SHA_160_PKCS_ID + sizeof(SHA_160_PKCS_ID));
96 
97  if(name == "SHA-224")
98  return std::vector<uint8_t>(SHA_224_PKCS_ID,
99  SHA_224_PKCS_ID + sizeof(SHA_224_PKCS_ID));
100 
101  if(name == "SHA-256")
102  return std::vector<uint8_t>(SHA_256_PKCS_ID,
103  SHA_256_PKCS_ID + sizeof(SHA_256_PKCS_ID));
104 
105  if(name == "SHA-384")
106  return std::vector<uint8_t>(SHA_384_PKCS_ID,
107  SHA_384_PKCS_ID + sizeof(SHA_384_PKCS_ID));
108 
109  if(name == "SHA-512")
110  return std::vector<uint8_t>(SHA_512_PKCS_ID,
111  SHA_512_PKCS_ID + sizeof(SHA_512_PKCS_ID));
112 
113  if(name == "SHA-512-256")
114  return std::vector<uint8_t>(SHA_512_256_PKCS_ID,
115  SHA_512_256_PKCS_ID + sizeof(SHA_512_256_PKCS_ID));
116 
117  if(name == "SHA-3(224)")
118  return std::vector<uint8_t>(SHA3_224_PKCS_ID,
119  SHA3_224_PKCS_ID + sizeof(SHA3_224_PKCS_ID));
120 
121  if(name == "SHA-3(256)")
122  return std::vector<uint8_t>(SHA3_256_PKCS_ID,
123  SHA3_256_PKCS_ID + sizeof(SHA3_256_PKCS_ID));
124 
125  if(name == "SHA-3(384)")
126  return std::vector<uint8_t>(SHA3_384_PKCS_ID,
127  SHA3_384_PKCS_ID + sizeof(SHA3_384_PKCS_ID));
128 
129  if(name == "SHA-3(512)")
130  return std::vector<uint8_t>(SHA3_512_PKCS_ID,
131  SHA3_512_PKCS_ID + sizeof(SHA3_512_PKCS_ID));
132 
133  if(name == "SM3")
134  return std::vector<uint8_t>(SM3_PKCS_ID, SM3_PKCS_ID + sizeof(SM3_PKCS_ID));
135 
136  if(name == "Tiger(24,3)")
137  return std::vector<uint8_t>(TIGER_PKCS_ID,
138  TIGER_PKCS_ID + sizeof(TIGER_PKCS_ID));
139 
140  throw Invalid_Argument("No PKCS #1 identifier for " + name);
141  }
std::string name
void Botan::poly_double_n ( uint8_t  buf[],
size_t  n 
)
inline

Definition at line 27 of file poly_dbl.h.

References poly_double_n().

28  {
29  return poly_double_n(buf, buf, n);
30  }
void poly_double_n(uint8_t buf[], size_t n)
Definition: poly_dbl.h:27
void BOTAN_TEST_API Botan::poly_double_n ( uint8_t  out[],
const uint8_t  in[],
size_t  n 
)

Polynomial doubling in GF(2^n)

Definition at line 73 of file poly_dbl.cpp.

Referenced by Botan::CMAC::poly_double(), poly_double_n(), and Botan::SIV_Mode::S2V().

74  {
75  switch(n)
76  {
77  case 8:
78  return poly_double<1, MinWeightPolynomial::P64>(out, in);
79  case 16:
80  return poly_double<2, MinWeightPolynomial::P128>(out, in);
81  case 24:
82  return poly_double<3, MinWeightPolynomial::P192>(out, in);
83  case 32:
84  return poly_double<4, MinWeightPolynomial::P256>(out, in);
85  case 64:
86  return poly_double<8, MinWeightPolynomial::P512>(out, in);
87  case 128:
88  return poly_double<16, MinWeightPolynomial::P1024>(out, in);
89  default:
90  throw Invalid_Argument("Unsupported size for poly_double_n");
91  }
92  }
void BOTAN_TEST_API Botan::poly_double_n_le ( uint8_t  out[],
const uint8_t  in[],
size_t  n 
)

Definition at line 94 of file poly_dbl.cpp.

Referenced by Botan::XTS_Mode::update_tweak().

95  {
96  switch(n)
97  {
98  case 8:
99  return poly_double_le<1, MinWeightPolynomial::P64>(out, in);
100  case 16:
101  return poly_double_le<2, MinWeightPolynomial::P128>(out, in);
102  case 24:
103  return poly_double_le<3, MinWeightPolynomial::P192>(out, in);
104  case 32:
105  return poly_double_le<4, MinWeightPolynomial::P256>(out, in);
106  case 64:
107  return poly_double_le<8, MinWeightPolynomial::P512>(out, in);
108  case 128:
109  return poly_double_le<16, MinWeightPolynomial::P1024>(out, in);
110  default:
111  throw Invalid_Argument("Unsupported size for poly_double_n_le");
112  }
113  }
bool Botan::poly_double_supported_size ( size_t  n)
inline

Returns true iff poly_double_n is implemented for this size.

Definition at line 22 of file poly_dbl.h.

Referenced by Botan::CMAC::CMAC(), and Botan::XTS_Mode::XTS_Mode().

23  {
24  return (n == 8 || n == 16 || n == 24 || n == 32 || n == 64 || n == 128);
25  }
BigInt Botan::power_mod ( const BigInt b,
const BigInt x,
const BigInt m 
)

Modular exponentation

Parameters
ban integer base
xa positive exponent
ma positive modulus
Returns
(b^x) % m

Definition at line 151 of file numthry.cpp.

References Botan::BigInt::bits(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), monty_execute(), monty_precompute(), Botan::Modular_Reducer::multiply(), Botan::Modular_Reducer::reduce(), and Botan::Modular_Reducer::square().

Referenced by botan_mp_powmod(), ressol(), srp6_client_agree(), Botan::SRP6_Server_Session::step2(), and Botan::DL_Group::verify_public_element().

152  {
153  if(mod.is_negative() || mod == 1)
154  {
155  return 0;
156  }
157 
158  if(base.is_zero() || mod.is_zero())
159  {
160  if(exp.is_zero())
161  return 1;
162  return 0;
163  }
164 
165  Modular_Reducer reduce_mod(mod);
166 
167  const size_t exp_bits = exp.bits();
168 
169  if(mod.is_odd())
170  {
171  const size_t powm_window = 4;
172 
173  auto monty_mod = std::make_shared<Montgomery_Params>(mod, reduce_mod);
174  auto powm_base_mod = monty_precompute(monty_mod, reduce_mod.reduce(base), powm_window);
175  return monty_execute(*powm_base_mod, exp, exp_bits);
176  }
177 
178  /*
179  Support for even modulus is just a convenience and not considered
180  cryptographically important, so this implementation is slow ...
181  */
182  BigInt accum = 1;
183  BigInt g = reduce_mod.reduce(base);
184  BigInt t;
185 
186  for(size_t i = 0; i != exp_bits; ++i)
187  {
188  t = reduce_mod.multiply(g, accum);
189  g = reduce_mod.square(g);
190  accum.ct_cond_assign(exp.get_bit(i), t);
191  }
192  return accum;
193  }
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(std::shared_ptr< const Montgomery_Params > params, const BigInt &g, size_t window_bits, bool const_time)
Definition: monty_exp.cpp:157
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition: monty_exp.cpp:165
template<typename T >
void Botan::prefetch_readonly ( const T addr,
size_t  length 
)
inline

Definition at line 16 of file prefetch.h.

References Botan::CPUID::cache_line_size(), and T.

17  {
18 #if defined(__GNUG__)
19  const size_t Ts_per_cache_line = CPUID::cache_line_size() / sizeof(T);
20 
21  for(size_t i = 0; i <= length; i += Ts_per_cache_line)
22  __builtin_prefetch(addr + i, 0);
23 #endif
24  }
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::prefetch_readwrite ( const T addr,
size_t  length 
)
inline

Definition at line 27 of file prefetch.h.

References Botan::CPUID::cache_line_size(), and T.

28  {
29 #if defined(__GNUG__)
30  const size_t Ts_per_cache_line = CPUID::cache_line_size() / sizeof(T);
31 
32  for(size_t i = 0; i <= length; i += Ts_per_cache_line)
33  __builtin_prefetch(addr + i, 1);
34 #endif
35  }
fe T
Definition: ge.cpp:37
const BigInt & Botan::prime_p192 ( )

Definition at line 105 of file nistp_redc.cpp.

106  {
107  static const BigInt p192("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF");
108  return p192;
109  }
const BigInt & Botan::prime_p224 ( )

Definition at line 200 of file nistp_redc.cpp.

201  {
202  static const BigInt p224("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001");
203  return p224;
204  }
const BigInt & Botan::prime_p256 ( )

Definition at line 302 of file nistp_redc.cpp.

303  {
304  static const BigInt p256("0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF");
305  return p256;
306  }
const BigInt & Botan::prime_p384 ( )

Definition at line 430 of file nistp_redc.cpp.

431  {
432  static const BigInt p384("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF");
433  return p384;
434  }
const BigInt & Botan::prime_p521 ( )

NIST Prime reduction functions.

Reduces the value in place

ws is a workspace function which is used as a temporary, and will be resized as needed.

Definition at line 15 of file nistp_redc.cpp.

16  {
17  static const BigInt p521("0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
18  "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
19 
20  return p521;
21  }
std::vector< std::string > Botan::probe_provider_private_key ( const std::string &  alg_name,
const std::vector< std::string >  possible 
)

Definition at line 406 of file pk_algs.cpp.

References BOTAN_UNUSED.

408  {
409  std::vector<std::string> providers;
410  for(auto&& prov : possible)
411  {
412  if(prov == "base" ||
413 #if defined(BOTAN_HAS_OPENSSL)
414  (prov == "openssl" && alg_name == "RSA") ||
415 #endif
416  0)
417  {
418  providers.push_back(prov); // available
419  }
420  }
421 
422  BOTAN_UNUSED(alg_name);
423 
424  return providers;
425  }
#define BOTAN_UNUSED(...)
Definition: assert.h:142
template<typename T >
std::vector<std::string> Botan::probe_providers_of ( const std::string &  algo_spec,
const std::vector< std::string > &  possible 
)

Definition at line 107 of file scan_name.h.

109  {
110  std::vector<std::string> providers;
111  for(auto&& prov : possible)
112  {
113  std::unique_ptr<T> o(T::create(algo_spec, prov));
114  if(o)
115  {
116  providers.push_back(prov); // available
117  }
118  }
119  return providers;
120  }
bool Botan::quick_check_prime ( const BigInt n,
RandomNumberGenerator rng 
)
inline

Definition at line 198 of file numthry.h.

References is_prime().

199  { return is_prime(n, rng, 32); }
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:228
gf2m Botan::random_code_element ( uint16_t  code_length,
RandomNumberGenerator rng 
)

Definition at line 71 of file polyn_gf2m.cpp.

References random_gf2m().

Referenced by Botan::polyn_gf2m::polyn_gf2m().

72  {
73  if(code_length == 0)
74  {
75  throw Invalid_Argument("random_code_element() was supplied a code length of zero");
76  }
77  const unsigned nlz = nlz_16bit(code_length-1);
78  const gf2m mask = (1 << (16-nlz)) - 1;
79 
80  gf2m result;
81 
82  do
83  {
84  result = random_gf2m(rng);
85  result &= mask;
86  } while(result >= code_length); // rejection sampling
87 
88  return result;
89  }
uint16_t gf2m
Definition: gf2m_small_m.h:22
gf2m random_gf2m(RandomNumberGenerator &rng)
Definition: polyn_gf2m.cpp:64
gf2m Botan::random_gf2m ( RandomNumberGenerator rng)

Definition at line 64 of file polyn_gf2m.cpp.

References make_uint16(), and Botan::RandomNumberGenerator::randomize().

Referenced by random_code_element().

65  {
66  uint8_t b[2];
67  rng.randomize(b, sizeof(b));
68  return make_uint16(b[1], b[0]);
69  }
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition: loadstor.h:54
BigInt Botan::random_prime ( RandomNumberGenerator rng,
size_t  bits,
const BigInt coprime = 0,
size_t  equiv = 1,
size_t  equiv_mod = 2,
size_t  prob = 128 
)

Randomly generate a prime suitable for discrete logarithm parameters

Parameters
rnga random number generator
bitshow large the resulting prime should be in bits
coprimea positive integer that (prime - 1) should be coprime to
equiva non-negative number that the result should be equivalent to modulo equiv_mod
equiv_modthe modulus equiv should be checked against
probuse test so false positive is bounded by 1/2**prob
Returns
random prime with the specified criteria

Definition at line 77 of file make_prm.cpp.

References Botan::BigInt::bits(), gcd(), high_bit(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), load_le< uint32_t >(), miller_rabin_test_iterations(), Botan::RandomNumberGenerator::next_byte(), PRIME_TABLE_SIZE, PRIMES, Botan::RandomNumberGenerator::randomize(), Botan::BigInt::set_bit(), and Botan::ASN1::to_string().

Referenced by Botan::DL_Group::DL_Group(), and random_safe_prime().

81  {
82  if(bits <= 1)
83  {
84  throw Invalid_Argument("random_prime: Can't make a prime of " +
85  std::to_string(bits) + " bits");
86  }
87  if(coprime.is_negative() || (!coprime.is_zero() && coprime.is_even()) || coprime.bits() >= bits)
88  {
89  throw Invalid_Argument("random_prime: invalid coprime");
90  }
91  if(modulo == 0)
92  {
93  throw Invalid_Argument("random_prime: Invalid modulo value");
94  }
95 
96  equiv %= modulo;
97 
98  if(equiv == 0)
99  throw Invalid_Argument("random_prime Invalid value for equiv/modulo");
100 
101  // Handle small values:
102 
103  if(bits <= 16)
104  {
105  if(equiv != 1 || modulo != 2 || coprime != 0)
106  throw Not_Implemented("random_prime equiv/modulo/coprime options not usable for small primes");
107 
108  if(bits == 2)
109  {
110  return ((rng.next_byte() % 2) ? 2 : 3);
111  }
112  else if(bits == 3)
113  {
114  return ((rng.next_byte() % 2) ? 5 : 7);
115  }
116  else if(bits == 4)
117  {
118  return ((rng.next_byte() % 2) ? 11 : 13);
119  }
120  else
121  {
122  for(;;)
123  {
124  // This is slightly biased, but for small primes it does not seem to matter
125  uint8_t b[4];
126  rng.randomize(b, 4);
127  const size_t idx = load_le<uint32_t>(b, 0) % PRIME_TABLE_SIZE;
128  const uint16_t small_prime = PRIMES[idx];
129 
130  if(high_bit(small_prime) == bits)
131  return small_prime;
132  }
133  }
134  }
135 
136  const size_t MAX_ATTEMPTS = 32*1024;
137 
138  const size_t mr_trials = miller_rabin_test_iterations(bits, prob, true);
139 
140  while(true)
141  {
142  BigInt p(rng, bits);
143 
144  // Force lowest and two top bits on
145  p.set_bit(bits - 1);
146  p.set_bit(bits - 2);
147  p.set_bit(0);
148 
149  // Force p to be equal to equiv mod modulo
150  p += (modulo - (p % modulo)) + equiv;
151 
152  Prime_Sieve sieve(p, bits);
153 
154  for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt)
155  {
156  p += modulo;
157 
158  sieve.step(modulo);
159 
160  // p can be even if modulo is odd, continue on in that case
161  if(p.is_even() || sieve.passes(true) == false)
162  continue;
163 
164  Modular_Reducer mod_p(p);
165 
166  if(coprime > 1)
167  {
168  /*
169  First do a single M-R iteration to quickly elimate most non-primes,
170  before doing the coprimality check which is expensive
171  */
172  if(is_miller_rabin_probable_prime(p, mod_p, rng, 1) == false)
173  continue;
174 
175  /*
176  * Check if p - 1 and coprime are relatively prime, using gcd.
177  * The gcd computation is const-time
178  */
179  if(gcd(p - 1, coprime) > 1)
180  continue;
181  }
182 
183  if(p.bits() > bits)
184  break;
185 
186  if(is_miller_rabin_probable_prime(p, mod_p, rng, mr_trials) == false)
187  continue;
188 
189  if(prob > 32 && !is_lucas_probable_prime(p, mod_p))
190  continue;
191 
192  return p;
193  }
194  }
195  }
const size_t PRIME_TABLE_SIZE
Definition: numthry.h:287
bool is_lucas_probable_prime(const BigInt &C, const Modular_Reducer &mod_C)
Definition: primality.cpp:17
const uint16_t PRIMES[]
Definition: primes.cpp:12
BigInt gcd(const BigInt &a, const BigInt &b)
Definition: numthry.cpp:81
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)
Definition: primality.cpp:165
uint32_t load_le< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:198
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
size_t high_bit(T n)
Definition: bit_ops.h:55
bool is_miller_rabin_probable_prime(const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
Definition: primality.cpp:143
BigInt Botan::random_safe_prime ( RandomNumberGenerator rng,
size_t  bits 
)

Return a 'safe' prime, of the form p=2*q+1 with q prime

Parameters
rnga random number generator
bitsis how long the resulting prime should be
Returns
prime randomly chosen from safe primes of length bits

Definition at line 268 of file make_prm.cpp.

References is_prime(), random_prime(), and Botan::ASN1::to_string().

Referenced by Botan::DL_Group::DL_Group().

269  {
270  if(bits <= 64)
271  throw Invalid_Argument("random_safe_prime: Can't make a prime of " +
272  std::to_string(bits) + " bits");
273 
274  const size_t error_bound = 128;
275 
276  BigInt q, p;
277  for(;;)
278  {
279  /*
280  Generate q == 2 (mod 3), since otherwise [in the case of q == 1 (mod 3)],
281  2*q+1 == 3 (mod 3) and so certainly not prime.
282  */
283  q = random_prime(rng, bits - 1, 0, 2, 3, error_bound);
284  p = (q << 1) + 1;
285 
286  if(is_prime(p, rng, error_bound, true))
287  {
288  return p;
289  }
290  }
291  }
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:228
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
BigInt random_prime(RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob)
Definition: make_prm.cpp:77
std::map< std::string, std::string > Botan::read_cfg ( std::istream &  is)

Definition at line 28 of file read_cfg.cpp.

References clean_ws(), and Botan::ASN1::to_string().

Referenced by Botan::TLS::Text_Policy::Text_Policy().

29  {
30  std::map<std::string, std::string> kv;
31  size_t line = 0;
32 
33  while(is.good())
34  {
35  std::string s;
36 
37  std::getline(is, s);
38 
39  ++line;
40 
41  if(s.empty() || s[0] == '#')
42  continue;
43 
44  s = clean_ws(s.substr(0, s.find('#')));
45 
46  if(s.empty())
47  continue;
48 
49  auto eq = s.find("=");
50 
51  if(eq == std::string::npos || eq == 0 || eq == s.size() - 1)
52  throw Decoding_Error("Bad read_cfg input '" + s + "' on line " + std::to_string(line));
53 
54  const std::string key = clean_ws(s.substr(0, eq));
55  const std::string val = clean_ws(s.substr(eq + 1, std::string::npos));
56 
57  kv[key] = val;
58  }
59 
60  return kv;
61  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
std::string clean_ws(const std::string &s)
Definition: read_cfg.cpp:13
std::map< std::string, std::string > Botan::read_kv ( const std::string &  kv)

Accepts key value pairs deliminated by commas:

"" (returns empty map) "K=V" (returns map {'K': 'V'}) "K1=V1,K2=V2" "K1=V1,K2=V2,K3=V3" "K1=V1,K2=V2,K3=a_value\,with\,commas_and_\=equals"

Values may be empty, keys must be non-empty and unique. Duplicate keys cause an exception.

Within both key and value, comma and equals can be escaped with backslash. Backslash can also be escaped.

Definition at line 12 of file read_kv.cpp.

References split_on().

13  {
14  std::map<std::string, std::string> m;
15  if(kv == "")
16  return m;
17 
18  std::vector<std::string> parts;
19 
20  try
21  {
22  parts = split_on(kv, ',');
23  }
24  catch(std::exception&)
25  {
26  throw Invalid_Argument("Bad KV spec");
27  }
28 
29  bool escaped = false;
30  bool reading_key = true;
31  std::string cur_key;
32  std::string cur_val;
33 
34  for(char c : kv)
35  {
36  if(c == '\\' && !escaped)
37  {
38  escaped = true;
39  }
40  else if(c == ',' && !escaped)
41  {
42  if(cur_key.empty())
43  throw Invalid_Argument("Bad KV spec empty key");
44 
45  if(m.find(cur_key) != m.end())
46  throw Invalid_Argument("Bad KV spec duplicated key");
47  m[cur_key] = cur_val;
48  cur_key = "";
49  cur_val = "";
50  reading_key = true;
51  }
52  else if(c == '=' && !escaped)
53  {
54  if(reading_key == false)
55  throw Invalid_Argument("Bad KV spec unexpected equals sign");
56  reading_key = false;
57  }
58  else
59  {
60  if(reading_key)
61  cur_key += c;
62  else
63  cur_val += c;
64 
65  if(escaped)
66  escaped = false;
67  }
68  }
69 
70  if(!cur_key.empty())
71  {
72  if(reading_key == false)
73  {
74  if(m.find(cur_key) != m.end())
75  throw Invalid_Argument("Bad KV spec duplicated key");
76  m[cur_key] = cur_val;
77  }
78  else
79  throw Invalid_Argument("Bad KV spec incomplete string");
80  }
81 
82  return m;
83  }
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
void Botan::redc_mul ( int64_t &  s1,
int64_t &  s2,
int64_t &  s3,
int64_t &  s4,
int64_t &  s5,
int64_t &  s6,
int64_t &  X 
)
inline

Definition at line 65 of file ed25519_internal.h.

Referenced by sc_muladd(), and sc_reduce().

72  {
73  s1 += X * 666643;
74  s2 += X * 470296;
75  s3 += X * 654183;
76  s4 -= X * 997805;
77  s5 += X * 136657;
78  s6 -= X * 683901;
79  X = 0;
80  }
fe X
Definition: ge.cpp:27
void Botan::redc_p192 ( BigInt x,
secure_vector< word > &  ws 
)

Definition at line 111 of file nistp_redc.cpp.

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

112  {
113  BOTAN_UNUSED(ws);
114 
115  static const size_t p192_limbs = 192 / BOTAN_MP_WORD_BITS;
116 
117  x.grow_to(2*p192_limbs);
118  word* xw = x.mutable_data();
119 
120  const uint64_t X00 = get_uint32(xw, 0);
121  const uint64_t X01 = get_uint32(xw, 1);
122  const uint64_t X02 = get_uint32(xw, 2);
123  const uint64_t X03 = get_uint32(xw, 3);
124  const uint64_t X04 = get_uint32(xw, 4);
125  const uint64_t X05 = get_uint32(xw, 5);
126  const uint64_t X06 = get_uint32(xw, 6);
127  const uint64_t X07 = get_uint32(xw, 7);
128  const uint64_t X08 = get_uint32(xw, 8);
129  const uint64_t X09 = get_uint32(xw, 9);
130  const uint64_t X10 = get_uint32(xw, 10);
131  const uint64_t X11 = get_uint32(xw, 11);
132 
133  const uint64_t S0 = X00 + X06 + X10;
134  const uint64_t S1 = X01 + X07 + X11;
135  const uint64_t S2 = X02 + X06 + X08 + X10;
136  const uint64_t S3 = X03 + X07 + X09 + X11;
137  const uint64_t S4 = X04 + X08 + X10;
138  const uint64_t S5 = X05 + X09 + X11;
139 
140  uint64_t S = 0;
141  uint32_t R0 = 0, R1 = 0;
142 
143  S += S0;
144  R0 = static_cast<uint32_t>(S);
145  S >>= 32;
146 
147  S += S1;
148  R1 = static_cast<uint32_t>(S);
149  S >>= 32;
150 
151  set_words(xw, 0, R0, R1);
152 
153  S += S2;
154  R0 = static_cast<uint32_t>(S);
155  S >>= 32;
156 
157  S += S3;
158  R1 = static_cast<uint32_t>(S);
159  S >>= 32;
160 
161  set_words(xw, 2, R0, R1);
162 
163  S += S4;
164  R0 = static_cast<uint32_t>(S);
165  S >>= 32;
166 
167  S += S5;
168  R1 = static_cast<uint32_t>(S);
169  S >>= 32;
170 
171  set_words(xw, 4, R0, R1);
172 
173  // No underflow possible
174 
175  /*
176  This is a table of (i*P-192) % 2**192 for i in 1...3
177  */
178  static const word p192_mults[3][p192_limbs] = {
179 #if (BOTAN_MP_WORD_BITS == 64)
180  {0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF},
181  {0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFD, 0xFFFFFFFFFFFFFFFF},
182  {0xFFFFFFFFFFFFFFFD, 0xFFFFFFFFFFFFFFFC, 0xFFFFFFFFFFFFFFFF},
183 #else
184  {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
185  {0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
186  {0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
187 #endif
188  };
189 
190  CT::unpoison(S);
191  BOTAN_ASSERT(S <= 2, "Expected overflow");
192 
193  BOTAN_ASSERT_NOMSG(x.size() >= p192_limbs + 1);
194  x.mask_bits(192);
195  word borrow = bigint_sub2(x.mutable_data(), p192_limbs + 1, p192_mults[S], p192_limbs);
196  BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
197  bigint_cnd_add(borrow, x.mutable_data(), p192_limbs + 1, p192_mults[0], p192_limbs);
198  }
word bigint_sub2(word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:300
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
word bigint_cnd_add(word cnd, word x[], word x_size, const word y[], size_t y_size)
Definition: mp_core.h:42
#define BOTAN_UNUSED(...)
Definition: assert.h:142
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void Botan::redc_p224 ( BigInt x,
secure_vector< word > &  ws 
)

Definition at line 206 of file nistp_redc.cpp.

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

207  {
208  static const size_t p224_limbs = (BOTAN_MP_WORD_BITS == 32) ? 7 : 4;
209 
210  BOTAN_UNUSED(ws);
211 
212  x.grow_to(2*p224_limbs);
213  word* xw = x.mutable_data();
214 
215  const int64_t X00 = get_uint32(xw, 0);
216  const int64_t X01 = get_uint32(xw, 1);
217  const int64_t X02 = get_uint32(xw, 2);
218  const int64_t X03 = get_uint32(xw, 3);
219  const int64_t X04 = get_uint32(xw, 4);
220  const int64_t X05 = get_uint32(xw, 5);
221  const int64_t X06 = get_uint32(xw, 6);
222  const int64_t X07 = get_uint32(xw, 7);
223  const int64_t X08 = get_uint32(xw, 8);
224  const int64_t X09 = get_uint32(xw, 9);
225  const int64_t X10 = get_uint32(xw, 10);
226  const int64_t X11 = get_uint32(xw, 11);
227  const int64_t X12 = get_uint32(xw, 12);
228  const int64_t X13 = get_uint32(xw, 13);
229 
230  // One full copy of P224 is added, so the result is always positive
231 
232  const int64_t S0 = 0x00000001 + X00 - X07 - X11;
233  const int64_t S1 = 0x00000000 + X01 - X08 - X12;
234  const int64_t S2 = 0x00000000 + X02 - X09 - X13;
235  const int64_t S3 = 0xFFFFFFFF + X03 + X07 + X11 - X10;
236  const int64_t S4 = 0xFFFFFFFF + X04 + X08 + X12 - X11;
237  const int64_t S5 = 0xFFFFFFFF + X05 + X09 + X13 - X12;
238  const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13;
239 
240  int64_t S = 0;
241  uint32_t R0 = 0, R1 = 0;
242 
243  S += S0;
244  R0 = static_cast<uint32_t>(S);
245  S >>= 32;
246 
247  S += S1;
248  R1 = static_cast<uint32_t>(S);
249  S >>= 32;
250 
251  set_words(xw, 0, R0, R1);
252 
253  S += S2;
254  R0 = static_cast<uint32_t>(S);
255  S >>= 32;
256 
257  S += S3;
258  R1 = static_cast<uint32_t>(S);
259  S >>= 32;
260 
261  set_words(xw, 2, R0, R1);
262 
263  S += S4;
264  R0 = static_cast<uint32_t>(S);
265  S >>= 32;
266 
267  S += S5;
268  R1 = static_cast<uint32_t>(S);
269  S >>= 32;
270 
271  set_words(xw, 4, R0, R1);
272 
273  S += S6;
274  R0 = static_cast<uint32_t>(S);
275  S >>= 32;
276 
277  set_words(xw, 6, R0, 0);
278 
279  static const word p224_mults[3][p224_limbs] = {
280 #if (BOTAN_MP_WORD_BITS == 64)
281  {0x0000000000000001, 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
282  {0x0000000000000002, 0xFFFFFFFE00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
283  {0x0000000000000003, 0xFFFFFFFD00000000, 0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF},
284 #else
285  {0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
286  {0x00000002, 0x00000000, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
287  {0x00000003, 0x00000000, 0x00000000, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF}
288 #endif
289 
290  };
291 
292  CT::unpoison(S);
293  BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow");
294 
295  BOTAN_ASSERT_NOMSG(x.size() >= p224_limbs + 1);
296  x.mask_bits(224);
297  word borrow = bigint_sub2(x.mutable_data(), p224_limbs + 1, p224_mults[S], p224_limbs);
298  BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
299  bigint_cnd_add(borrow, x.mutable_data(), p224_limbs + 1, p224_mults[0], p224_limbs);
300  }
word bigint_sub2(word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:300
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
word bigint_cnd_add(word cnd, word x[], word x_size, const word y[], size_t y_size)
Definition: mp_core.h:42
#define BOTAN_UNUSED(...)
Definition: assert.h:142
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void Botan::redc_p256 ( BigInt x,
secure_vector< word > &  ws 
)

Definition at line 308 of file nistp_redc.cpp.

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

309  {
310  static const size_t p256_limbs = (BOTAN_MP_WORD_BITS == 32) ? 8 : 4;
311 
312  BOTAN_UNUSED(ws);
313 
314  x.grow_to(2*p256_limbs);
315  word* xw = x.mutable_data();
316 
317  const int64_t X00 = get_uint32(xw, 0);
318  const int64_t X01 = get_uint32(xw, 1);
319  const int64_t X02 = get_uint32(xw, 2);
320  const int64_t X03 = get_uint32(xw, 3);
321  const int64_t X04 = get_uint32(xw, 4);
322  const int64_t X05 = get_uint32(xw, 5);
323  const int64_t X06 = get_uint32(xw, 6);
324  const int64_t X07 = get_uint32(xw, 7);
325  const int64_t X08 = get_uint32(xw, 8);
326  const int64_t X09 = get_uint32(xw, 9);
327  const int64_t X10 = get_uint32(xw, 10);
328  const int64_t X11 = get_uint32(xw, 11);
329  const int64_t X12 = get_uint32(xw, 12);
330  const int64_t X13 = get_uint32(xw, 13);
331  const int64_t X14 = get_uint32(xw, 14);
332  const int64_t X15 = get_uint32(xw, 15);
333 
334  // Adds 6 * P-256 to prevent underflow
335  const int64_t S0 = 0xFFFFFFFA + X00 + X08 + X09 - (X11 + X12 + X13) - X14;
336  const int64_t S1 = 0xFFFFFFFF + X01 + X09 + X10 - X12 - (X13 + X14 + X15);
337  const int64_t S2 = 0xFFFFFFFF + X02 + X10 + X11 - (X13 + X14 + X15);
338  const int64_t S3 = 0x00000005 + X03 + (X11 + X12)*2 + X13 - X15 - X08 - X09;
339  const int64_t S4 = 0x00000000 + X04 + (X12 + X13)*2 + X14 - X09 - X10;
340  const int64_t S5 = 0x00000000 + X05 + (X13 + X14)*2 + X15 - X10 - X11;
341  const int64_t S6 = 0x00000006 + X06 + X13 + X14*3 + X15*2 - X08 - X09;
342  const int64_t S7 = 0xFFFFFFFA + X07 + X15*3 + X08 - X10 - (X11 + X12 + X13);
343 
344  int64_t S = 0;
345 
346  uint32_t R0 = 0, R1 = 0;
347 
348  S += S0;
349  R0 = static_cast<uint32_t>(S);
350  S >>= 32;
351 
352  S += S1;
353  R1 = static_cast<uint32_t>(S);
354  S >>= 32;
355 
356  set_words(xw, 0, R0, R1);
357 
358  S += S2;
359  R0 = static_cast<uint32_t>(S);
360  S >>= 32;
361 
362  S += S3;
363  R1 = static_cast<uint32_t>(S);
364  S >>= 32;
365 
366  set_words(xw, 2, R0, R1);
367 
368  S += S4;
369  R0 = static_cast<uint32_t>(S);
370  S >>= 32;
371 
372  S += S5;
373  R1 = static_cast<uint32_t>(S);
374  S >>= 32;
375 
376  set_words(xw, 4, R0, R1);
377 
378  S += S6;
379  R0 = static_cast<uint32_t>(S);
380  S >>= 32;
381 
382  S += S7;
383  R1 = static_cast<uint32_t>(S);
384  S >>= 32;
385  set_words(xw, 6, R0, R1);
386 
387  S += 5; // the top digits of 6*P-256
388 
389  /*
390  This is a table of (i*P-256) % 2**256 for i in 1...10
391  */
392  static const word p256_mults[11][p256_limbs] = {
393 #if (BOTAN_MP_WORD_BITS == 64)
394  {0xFFFFFFFFFFFFFFFF, 0x00000000FFFFFFFF, 0x0000000000000000, 0xFFFFFFFF00000001},
395  {0xFFFFFFFFFFFFFFFE, 0x00000001FFFFFFFF, 0x0000000000000000, 0xFFFFFFFE00000002},
396  {0xFFFFFFFFFFFFFFFD, 0x00000002FFFFFFFF, 0x0000000000000000, 0xFFFFFFFD00000003},
397  {0xFFFFFFFFFFFFFFFC, 0x00000003FFFFFFFF, 0x0000000000000000, 0xFFFFFFFC00000004},
398  {0xFFFFFFFFFFFFFFFB, 0x00000004FFFFFFFF, 0x0000000000000000, 0xFFFFFFFB00000005},
399  {0xFFFFFFFFFFFFFFFA, 0x00000005FFFFFFFF, 0x0000000000000000, 0xFFFFFFFA00000006},
400  {0xFFFFFFFFFFFFFFF9, 0x00000006FFFFFFFF, 0x0000000000000000, 0xFFFFFFF900000007},
401  {0xFFFFFFFFFFFFFFF8, 0x00000007FFFFFFFF, 0x0000000000000000, 0xFFFFFFF800000008},
402  {0xFFFFFFFFFFFFFFF7, 0x00000008FFFFFFFF, 0x0000000000000000, 0xFFFFFFF700000009},
403  {0xFFFFFFFFFFFFFFF6, 0x00000009FFFFFFFF, 0x0000000000000000, 0xFFFFFFF60000000A},
404  {0xFFFFFFFFFFFFFFF5, 0x0000000AFFFFFFFF, 0x0000000000000000, 0xFFFFFFF50000000B},
405 #else
406  {0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF},
407  {0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000001, 0x00000000, 0x00000000, 0x00000002, 0xFFFFFFFE},
408  {0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000002, 0x00000000, 0x00000000, 0x00000003, 0xFFFFFFFD},
409  {0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, 0x00000000, 0x00000000, 0x00000004, 0xFFFFFFFC},
410  {0xFFFFFFFB, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000004, 0x00000000, 0x00000000, 0x00000005, 0xFFFFFFFB},
411  {0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000005, 0x00000000, 0x00000000, 0x00000006, 0xFFFFFFFA},
412  {0xFFFFFFF9, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0xFFFFFFF9},
413  {0xFFFFFFF8, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000007, 0x00000000, 0x00000000, 0x00000008, 0xFFFFFFF8},
414  {0xFFFFFFF7, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000008, 0x00000000, 0x00000000, 0x00000009, 0xFFFFFFF7},
415  {0xFFFFFFF6, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000009, 0x00000000, 0x00000000, 0x0000000A, 0xFFFFFFF6},
416  {0xFFFFFFF5, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000000A, 0x00000000, 0x00000000, 0x0000000B, 0xFFFFFFF5},
417 #endif
418  };
419 
420  CT::unpoison(S);
421  BOTAN_ASSERT(S >= 0 && S <= 10, "Expected overflow");
422 
423  BOTAN_ASSERT_NOMSG(x.size() >= p256_limbs + 1);
424  x.mask_bits(256);
425  word borrow = bigint_sub2(x.mutable_data(), p256_limbs + 1, p256_mults[S], p256_limbs);
426  BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
427  bigint_cnd_add(borrow, x.mutable_data(), p256_limbs + 1, p256_mults[0], p256_limbs);
428  }
word bigint_sub2(word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:300
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
word bigint_cnd_add(word cnd, word x[], word x_size, const word y[], size_t y_size)
Definition: mp_core.h:42
#define BOTAN_UNUSED(...)
Definition: assert.h:142
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void Botan::redc_p384 ( BigInt x,
secure_vector< word > &  ws 
)

Definition at line 436 of file nistp_redc.cpp.

References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, Botan::BigInt::grow_to(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().

437  {
438  BOTAN_UNUSED(ws);
439 
440  static const size_t p384_limbs = (BOTAN_MP_WORD_BITS == 32) ? 12 : 6;
441 
442  x.grow_to(2*p384_limbs);
443  word* xw = x.mutable_data();
444 
445  const int64_t X00 = get_uint32(xw, 0);
446  const int64_t X01 = get_uint32(xw, 1);
447  const int64_t X02 = get_uint32(xw, 2);
448  const int64_t X03 = get_uint32(xw, 3);
449  const int64_t X04 = get_uint32(xw, 4);
450  const int64_t X05 = get_uint32(xw, 5);
451  const int64_t X06 = get_uint32(xw, 6);
452  const int64_t X07 = get_uint32(xw, 7);
453  const int64_t X08 = get_uint32(xw, 8);
454  const int64_t X09 = get_uint32(xw, 9);
455  const int64_t X10 = get_uint32(xw, 10);
456  const int64_t X11 = get_uint32(xw, 11);
457  const int64_t X12 = get_uint32(xw, 12);
458  const int64_t X13 = get_uint32(xw, 13);
459  const int64_t X14 = get_uint32(xw, 14);
460  const int64_t X15 = get_uint32(xw, 15);
461  const int64_t X16 = get_uint32(xw, 16);
462  const int64_t X17 = get_uint32(xw, 17);
463  const int64_t X18 = get_uint32(xw, 18);
464  const int64_t X19 = get_uint32(xw, 19);
465  const int64_t X20 = get_uint32(xw, 20);
466  const int64_t X21 = get_uint32(xw, 21);
467  const int64_t X22 = get_uint32(xw, 22);
468  const int64_t X23 = get_uint32(xw, 23);
469 
470  // One copy of P-384 is added to prevent underflow
471  const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23;
472  const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20;
473  const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21;
474  const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23;
475  const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21*2 + X22 - X15 - X23*2;
476  const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22*2 + X23 - X16;
477  const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23*2 - X17;
478  const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18;
479  const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19;
480  const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20;
481  const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21;
482  const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22;
483 
484  int64_t S = 0;
485 
486  uint32_t R0 = 0, R1 = 0;
487 
488  S += S0;
489  R0 = static_cast<uint32_t>(S);
490  S >>= 32;
491 
492  S += S1;
493  R1 = static_cast<uint32_t>(S);
494  S >>= 32;
495 
496  set_words(xw, 0, R0, R1);
497 
498  S += S2;
499  R0 = static_cast<uint32_t>(S);
500  S >>= 32;
501 
502  S += S3;
503  R1 = static_cast<uint32_t>(S);
504  S >>= 32;
505 
506  set_words(xw, 2, R0, R1);
507 
508  S += S4;
509  R0 = static_cast<uint32_t>(S);
510  S >>= 32;
511 
512  S += S5;
513  R1 = static_cast<uint32_t>(S);
514  S >>= 32;
515 
516  set_words(xw, 4, R0, R1);
517 
518  S += S6;
519  R0 = static_cast<uint32_t>(S);
520  S >>= 32;
521 
522  S += S7;
523  R1 = static_cast<uint32_t>(S);
524  S >>= 32;
525 
526  set_words(xw, 6, R0, R1);
527 
528  S += S8;
529  R0 = static_cast<uint32_t>(S);
530  S >>= 32;
531 
532  S += S9;
533  R1 = static_cast<uint32_t>(S);
534  S >>= 32;
535 
536  set_words(xw, 8, R0, R1);
537 
538  S += SA;
539  R0 = static_cast<uint32_t>(S);
540  S >>= 32;
541 
542  S += SB;
543  R1 = static_cast<uint32_t>(S);
544  S >>= 32;
545 
546  set_words(xw, 10, R0, R1);
547 
548  /*
549  This is a table of (i*P-384) % 2**384 for i in 1...4
550  */
551  static const word p384_mults[5][p384_limbs] = {
552 #if (BOTAN_MP_WORD_BITS == 64)
553  {0x00000000FFFFFFFF, 0xFFFFFFFF00000000, 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF},
554  {0x00000001FFFFFFFE, 0xFFFFFFFE00000000, 0xFFFFFFFFFFFFFFFD, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF},
555  {0x00000002FFFFFFFD, 0xFFFFFFFD00000000, 0xFFFFFFFFFFFFFFFC, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF},
556  {0x00000003FFFFFFFC, 0xFFFFFFFC00000000, 0xFFFFFFFFFFFFFFFB, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF},
557  {0x00000004FFFFFFFB, 0xFFFFFFFB00000000, 0xFFFFFFFFFFFFFFFA, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF},
558 
559 #else
560  {0xFFFFFFFF, 0x00000000, 0x00000000, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF,
561  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
562  {0xFFFFFFFE, 0x00000001, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF,
563  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
564  {0xFFFFFFFD, 0x00000002, 0x00000000, 0xFFFFFFFD, 0xFFFFFFFC, 0xFFFFFFFF,
565  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
566  {0xFFFFFFFC, 0x00000003, 0x00000000, 0xFFFFFFFC, 0xFFFFFFFB, 0xFFFFFFFF,
567  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
568  {0xFFFFFFFB, 0x00000004, 0x00000000, 0xFFFFFFFB, 0xFFFFFFFA, 0xFFFFFFFF,
569  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
570 #endif
571  };
572 
573  CT::unpoison(S);
574  BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow");
575 
576  BOTAN_ASSERT_NOMSG(x.size() >= p384_limbs + 1);
577  x.mask_bits(384);
578  word borrow = bigint_sub2(x.mutable_data(), p384_limbs + 1, p384_mults[S], p384_limbs);
579  BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
580  bigint_cnd_add(borrow, x.mutable_data(), p384_limbs + 1, p384_mults[0], p384_limbs);
581  }
word bigint_sub2(word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:300
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
word bigint_cnd_add(word cnd, word x[], word x_size, const word y[], size_t y_size)
Definition: mp_core.h:42
#define BOTAN_UNUSED(...)
Definition: assert.h:142
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:59
void Botan::redc_p521 ( BigInt x,
secure_vector< word > &  ws 
)

Definition at line 23 of file nistp_redc.cpp.

References bigint_add3_nc(), bigint_cnd_sub(), bigint_shr2(), BOTAN_ASSERT_EQUAL, carry(), clear_mem(), Botan::BigInt::data(), Botan::CT::Mask< T >::expand(), Botan::BigInt::grow_to(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::mask_bits(), MP_WORD_MAX, Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::BigInt::word_at().

24  {
25  const size_t p_full_words = 521 / BOTAN_MP_WORD_BITS;
26  const size_t p_top_bits = 521 % BOTAN_MP_WORD_BITS;
27  const size_t p_words = p_full_words + 1;
28 
29 #if (BOTAN_MP_WORD_BITS == 64)
30  static const word p521_words[p_words] = {
31  0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF,
32  0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF,
33  0x1FF };
34 #else
35  static const word p521_words[p_words] = {
36  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
37  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
38  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
39  0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
40  0x1FF };
41 #endif
42 
43  if(ws.size() < p_words + 1)
44  ws.resize(p_words + 1);
45 
46  clear_mem(ws.data(), ws.size());
47  bigint_shr2(ws.data(), x.data(), std::min(x.size(), 2*p_words), p_full_words, p_top_bits);
48 
49  x.mask_bits(521);
50  x.grow_to(p_words);
51 
52  // Word-level carry will be zero
53  word carry = bigint_add3_nc(x.mutable_data(), x.data(), p_words, ws.data(), p_words);
54  BOTAN_ASSERT_EQUAL(carry, 0, "Final carry in P-521 reduction");
55 
56  const word top_word = x.word_at(p_full_words);
57 
58  /*
59  * Check if we need to reduce modulo P
60  * There are two possible cases:
61  * - The result overflowed past 521 bits, in which case bit 522 will be set
62  * - The result is exactly 2**521 - 1
63  */
64  const auto bit_522_set = CT::Mask<word>::expand(top_word >> p_top_bits);
65 
66  word and_512 = MP_WORD_MAX;
67  for(size_t i = 0; i != p_full_words; ++i)
68  and_512 &= x.word_at(i);
69  const auto all_512_low_bits_set = CT::Mask<word>::is_equal(and_512, MP_WORD_MAX);
70  const auto has_p521_top_word = CT::Mask<word>::is_equal(top_word, 0x1FF);
71  const auto is_p521 = all_512_low_bits_set & has_p521_top_word;
72 
73  const auto needs_reduction = is_p521 | bit_522_set;
74 
75  bigint_cnd_sub(needs_reduction.value(), x.mutable_data(), p521_words, p_words);
76  }
void bigint_shr2(word y[], const word x[], size_t x_size, size_t word_shift, size_t bit_shift)
Definition: mp_core.h:466
void carry(int64_t &h0, int64_t &h1)
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115
word bigint_add3_nc(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:250
word bigint_cnd_sub(word cnd, word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:88
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition: assert.h:81
const word MP_WORD_MAX
Definition: mp_core.h:22
std::string Botan::replace_char ( const std::string &  str,
char  from_char,
char  to_char 
)

Replace a character in a string

Parameters
strthe input string
from_charthe character to replace
to_charthe character to replace it with
Returns
str with all instances of from_char replaced by to_char

Definition at line 316 of file parsing.cpp.

317  {
318  std::string out = str;
319 
320  for(size_t i = 0; i != out.size(); ++i)
321  if(out[i] == from_char)
322  out[i] = to_char;
323 
324  return out;
325  }
std::string Botan::replace_chars ( const std::string &  str,
const std::set< char > &  from_chars,
char  to_char 
)

Replace a character in a string

Parameters
strthe input string
from_charsthe characters to replace
to_charthe character to replace it with
Returns
str with all instances of from_chars replaced by to_char

Definition at line 303 of file parsing.cpp.

306  {
307  std::string out = str;
308 
309  for(size_t i = 0; i != out.size(); ++i)
310  if(chars.count(out[i]))
311  out[i] = to_char;
312 
313  return out;
314  }
BigInt Botan::ressol ( const BigInt x,
const BigInt p 
)

Compute the square root of x modulo a prime using the Tonelli-Shanks algorithm

Parameters
xthe input
pthe prime
Returns
y such that (y*y)p == x, or -1 if no such integer

Definition at line 16 of file ressol.cpp.

References Botan::BigInt::is_even(), jacobi(), low_zero_bits(), Botan::Modular_Reducer::multiply(), power_mod(), Botan::BigInt::power_of_2(), and Botan::Modular_Reducer::square().

17  {
18  if(p <= 1 || p.is_even())
19  throw Invalid_Argument("ressol: invalid prime");
20 
21  if(a == 0)
22  return 0;
23  else if(a < 0)
24  throw Invalid_Argument("ressol: value to solve for must be positive");
25  else if(a >= p)
26  throw Invalid_Argument("ressol: value to solve for must be less than p");
27 
28  if(p == 2)
29  return a;
30 
31  if(jacobi(a, p) != 1) // not a quadratic residue
32  return -BigInt(1);
33 
34  if(p % 4 == 3) // The easy case
35  {
36  return power_mod(a, ((p+1) >> 2), p);
37  }
38 
39  size_t s = low_zero_bits(p - 1);
40  BigInt q = p >> s;
41 
42  q -= 1;
43  q >>= 1;
44 
45  Modular_Reducer mod_p(p);
46 
47  BigInt r = power_mod(a, q, p);
48  BigInt n = mod_p.multiply(a, mod_p.square(r));
49  r = mod_p.multiply(r, a);
50 
51  if(n == 1)
52  return r;
53 
54  // find random quadratic nonresidue z
55  word z = 2;
56  for(;;)
57  {
58  if(jacobi(z, p) == -1) // found one
59  break;
60 
61  z += 1; // try next z
62 
63  /*
64  * The expected number of tests to find a non-residue modulo a
65  * prime is 2. If we have not found one after 256 then almost
66  * certainly we have been given a non-prime p.
67  */
68  if(z >= 256)
69  return -BigInt(1);
70  }
71 
72  BigInt c = power_mod(z, (q << 1) + 1, p);
73 
74  while(n > 1)
75  {
76  q = n;
77 
78  size_t i = 0;
79  while(q != 1)
80  {
81  q = mod_p.square(q);
82  ++i;
83 
84  if(i >= s)
85  {
86  return -BigInt(1);
87  }
88  }
89 
90  c = power_mod(c, BigInt::power_of_2(s-i-1), p);
91  r = mod_p.multiply(r, c);
92  c = mod_p.square(c);
93  n = mod_p.multiply(n, c);
94  s = i;
95  }
96 
97  return r;
98  }
size_t low_zero_bits(const BigInt &n)
Definition: numthry.cpp:39
BigInt power_mod(const BigInt &base, const BigInt &exp, const BigInt &mod)
Definition: numthry.cpp:151
int32_t jacobi(const BigInt &a, const BigInt &n)
Definition: jacobi.cpp:15
uint16_t Botan::reverse_bytes ( uint16_t  val)
inline

Swap a 16 bit integer

Definition at line 25 of file bswap.h.

Referenced by load_be(), and load_le().

26  {
27 #if defined(BOTAN_BUILD_COMPILER_IS_GCC) || defined(BOTAN_BUILD_COMPILER_IS_CLANG) || defined(BOTAN_BUILD_COMPILER_IS_XLC)
28  return __builtin_bswap16(val);
29 #else
30  return static_cast<uint16_t>((val << 8) | (val >> 8));
31 #endif
32  }
uint32_t Botan::reverse_bytes ( uint32_t  val)
inline

Swap a 32 bit integer

Definition at line 37 of file bswap.h.

References reverse_bytes().

38  {
39 #if defined(BOTAN_BUILD_COMPILER_IS_GCC) || defined(BOTAN_BUILD_COMPILER_IS_CLANG) || defined(BOTAN_BUILD_COMPILER_IS_XLC)
40  return __builtin_bswap32(val);
41 
42 #elif defined(BOTAN_BUILD_COMPILER_IS_MSVC)
43  return _byteswap_ulong(val);
44 
45 #elif defined(BOTAN_USE_GCC_INLINE_ASM) && defined(BOTAN_TARGET_CPU_IS_X86_FAMILY)
46 
47  // GCC-style inline assembly for x86 or x86-64
48  asm("bswapl %0" : "=r" (val) : "0" (val));
49  return val;
50 
51 #else
52  // Generic implementation
53  uint16_t hi = static_cast<uint16_t>(val >> 16);
54  uint16_t lo = static_cast<uint16_t>(val);
55 
56  hi = reverse_bytes(hi);
57  lo = reverse_bytes(lo);
58 
59  return (static_cast<uint32_t>(lo) << 16) | hi;
60 #endif
61  }
uint64_t reverse_bytes(uint64_t val)
Definition: bswap.h:66
uint64_t Botan::reverse_bytes ( uint64_t  val)
inline

Swap a 64 bit integer

Definition at line 66 of file bswap.h.

Referenced by bswap_4(), and reverse_bytes().

67  {
68 #if defined(BOTAN_BUILD_COMPILER_IS_GCC) || defined(BOTAN_BUILD_COMPILER_IS_CLANG) || defined(BOTAN_BUILD_COMPILER_IS_XLC)
69  return __builtin_bswap64(val);
70 
71 #elif defined(BOTAN_BUILD_COMPILER_IS_MSVC)
72  return _byteswap_uint64(val);
73 
74 #elif defined(BOTAN_USE_GCC_INLINE_ASM) && defined(BOTAN_TARGET_ARCH_IS_X86_64)
75  // GCC-style inline assembly for x86-64
76  asm("bswapq %0" : "=r" (val) : "0" (val));
77  return val;
78 
79 #else
80  /* Generic implementation. Defined in terms of 32-bit bswap so any
81  * optimizations in that version can help.
82  */
83 
84  uint32_t hi = static_cast<uint32_t>(val >> 32);
85  uint32_t lo = static_cast<uint32_t>(val);
86 
87  hi = reverse_bytes(hi);
88  lo = reverse_bytes(lo);
89 
90  return (static_cast<uint64_t>(lo) << 32) | hi;
91 #endif
92  }
uint64_t reverse_bytes(uint64_t val)
Definition: bswap.h:66
secure_vector< uint8_t > Botan::rfc3394_keyunwrap ( const secure_vector< uint8_t > &  key,
const SymmetricKey kek 
)

Decrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe encrypted key to decrypt
kekthe key encryption key
Returns
key decrypted under kek

Definition at line 28 of file rfc3394.cpp.

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_unwrap(), Botan::OctetString::size(), and Botan::ASN1::to_string().

Referenced by botan_key_unwrap3394().

30  {
31  BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32,
32  "Invalid KEK length for NIST key wrap");
33 
34  BOTAN_ARG_CHECK(key.size() >= 16 && key.size() % 8 == 0,
35  "Bad input key size for NIST key unwrap");
36 
37  const std::string cipher_name = "AES-" + std::to_string(8*kek.size());
38  std::unique_ptr<BlockCipher> aes(BlockCipher::create_or_throw(cipher_name));
39  aes->set_key(kek);
40 
41  return nist_key_unwrap(key.data(), key.size(), *aes);
42  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
secure_vector< uint8_t > nist_key_unwrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)
secure_vector< uint8_t > Botan::rfc3394_keywrap ( const secure_vector< uint8_t > &  key,
const SymmetricKey kek 
)

Encrypt a key under a key encryption key using the algorithm described in RFC 3394

Parameters
keythe plaintext key to encrypt
kekthe key encryption key
Returns
key encrypted under kek

Definition at line 14 of file rfc3394.cpp.

References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_wrap(), Botan::OctetString::size(), and Botan::ASN1::to_string().

Referenced by botan_key_wrap3394().

16  {
17  BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32,
18  "Invalid KEK length for NIST key wrap");
19 
20  const std::string cipher_name = "AES-" + std::to_string(8*kek.size());
21  std::unique_ptr<BlockCipher> aes(BlockCipher::create_or_throw(cipher_name));
22  aes->set_key(kek);
23 
24  std::vector<uint8_t> wrapped = nist_key_wrap(key.data(), key.size(), *aes);
25  return secure_vector<uint8_t>(wrapped.begin(), wrapped.end());
26  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
std::vector< uint8_t > nist_key_wrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
size_t Botan::RFC4880_decode_count ( uint8_t  encoded_iter)

Decode the iteration count from RFC 4880 encoding

Definition at line 69 of file pgp_s2k.cpp.

Referenced by Botan::OpenPGP_S2K::decode_count(), and RFC4880_round_iterations().

70  {
71  return OPENPGP_S2K_ITERS[iter];
72  }
uint8_t Botan::RFC4880_encode_count ( size_t  iterations)

RFC 4880 encodes the iteration count to a single-byte value

Definition at line 56 of file pgp_s2k.cpp.

Referenced by Botan::OpenPGP_S2K::encode_count(), and RFC4880_round_iterations().

57  {
58  if(desired_iterations <= OPENPGP_S2K_ITERS[0])
59  return 0;
60 
61  if(desired_iterations >= OPENPGP_S2K_ITERS[255])
62  return 255;
63 
64  auto i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);
65 
66  return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
67  }
size_t Botan::RFC4880_round_iterations ( size_t  iterations)
inline

Round an arbitrary iteration count to next largest iteration count supported by RFC4880 encoding.

Definition at line 40 of file pgp_s2k.h.

References RFC4880_decode_count(), and RFC4880_encode_count().

Referenced by Botan::RFC4880_S2K_Family::tune().

41  {
42  return RFC4880_decode_count(RFC4880_encode_count(iterations));
43  }
size_t RFC4880_decode_count(uint8_t iter)
Definition: pgp_s2k.cpp:69
uint8_t RFC4880_encode_count(size_t desired_iterations)
Definition: pgp_s2k.cpp:56
template<typename T >
T Botan::rotate_left ( T  input,
size_t  rot 
)
inline

Definition at line 96 of file rotate.h.

References rotl_var(), and T.

97  {
98  // rotl_var does not reduce
99  return rotl_var(input, rot % (8 * sizeof(T)));
100  }
T rotl_var(T input, size_t rot)
Definition: rotate.h:48
fe T
Definition: ge.cpp:37
template<typename T >
T Botan::rotate_right ( T  input,
size_t  rot 
)
inline

Definition at line 104 of file rotate.h.

References rotr_var(), and T.

105  {
106  // rotr_var does not reduce
107  return rotr_var(input, rot % (8 * sizeof(T)));
108  }
T rotr_var(T input, size_t rot)
Definition: rotate.h:60
fe T
Definition: ge.cpp:37
template<size_t ROT, typename T >
constexpr T Botan::rotl ( T  input)
inline

Bit rotation left by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated left by ROT bits

Definition at line 23 of file rotate.h.

References T.

24  {
25  static_assert(ROT > 0 && ROT < 8*sizeof(T), "Invalid rotation constant");
26  return static_cast<T>((input << ROT) | (input >> (8*sizeof(T) - ROT)));
27  }
fe T
Definition: ge.cpp:37
template<typename T >
T Botan::rotl_var ( T  input,
size_t  rot 
)
inline

Bit rotation left, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated left by rot bits

Definition at line 48 of file rotate.h.

References T.

Referenced by rotate_left().

49  {
50  return rot ? static_cast<T>((input << rot) | (input >> (sizeof(T)*8 - rot))) : input;
51  }
fe T
Definition: ge.cpp:37
template<size_t ROT, typename T >
constexpr T Botan::rotr ( T  input)
inline

Bit rotation right by a compile-time constant amount

Parameters
inputthe input word
Returns
input rotated right by ROT bits

Definition at line 35 of file rotate.h.

References T.

36  {
37  static_assert(ROT > 0 && ROT < 8*sizeof(T), "Invalid rotation constant");
38  return static_cast<T>((input >> ROT) | (input << (8*sizeof(T) - ROT)));
39  }
fe T
Definition: ge.cpp:37
template<typename T >
T Botan::rotr_var ( T  input,
size_t  rot 
)
inline

Bit rotation right, variable rotation amount

Parameters
inputthe input word
rotthe number of bits to rotate, must be between 0 and sizeof(T)*8-1
Returns
input rotated right by rot bits

Definition at line 60 of file rotate.h.

References T.

Referenced by rotate_right().

61  {
62  return rot ? static_cast<T>((input >> rot) | (input << (sizeof(T)*8 - rot))) : input;
63  }
fe T
Definition: ge.cpp:37
template<typename T >
constexpr T Botan::round_down ( T  n,
T  align_to 
)
inline

Round down

Parameters
nan integer
align_tothe alignment boundary
Returns
n rounded down to a multiple of align_to

Definition at line 37 of file rounding.h.

Referenced by Botan::Buffered_Filter::write().

38  {
39  return (align_to == 0) ? n : (n - (n % align_to));
40  }
size_t Botan::round_up ( size_t  n,
size_t  align_to 
)
inline

Round up

Parameters
na non-negative integer
align_tothe alignment boundary
Returns
n rounded up to a multiple of align_to

Definition at line 21 of file rounding.h.

References BOTAN_ARG_CHECK.

Referenced by Botan::BigInt::binary_decode(), Botan::BigInt::bytes(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::finish(), monty_multi_exp(), Botan::PointGFp_Base_Point_Precompute::mul(), Botan::PointGFp_Var_Point_Precompute::mul(), Botan::PointGFp_Multi_Point_Precompute::multi_exp(), Botan::CBC_Encryption::output_length(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), Botan::PointGFp_Base_Point_Precompute::PointGFp_Base_Point_Precompute(), Botan::BigInt::randomize(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data().

22  {
23  BOTAN_ARG_CHECK(align_to != 0, "align_to must not be 0");
24 
25  if(n % align_to)
26  n += align_to - (n % align_to);
27  return n;
28  }
#define BOTAN_ARG_CHECK(expr, msg)
Definition: assert.h:37
std::string Botan::runtime_version_check ( uint32_t  major,
uint32_t  minor,
uint32_t  patch 
)

Usable for checking that the DLL version loaded at runtime exactly matches the compile-time version. Call using BOTAN_VERSION_* macro values. Returns the empty string if an exact match, otherwise an appropriate message. Added with 1.11.26.

Definition at line 84 of file version.cpp.

References short_version_string(), version_major(), version_minor(), and version_patch().

87  {
88  if(major != version_major() || minor != version_minor() || patch != version_patch())
89  {
90  std::ostringstream oss;
91  oss << "Warning: linked version (" << short_version_string() << ")"
92  << " does not match version built against "
93  << "(" << major << '.' << minor << '.' << patch << ")\n";
94  return oss.str();
95  }
96 
97  return "";
98  }
uint32_t version_major()
Definition: version.cpp:80
uint32_t version_patch()
Definition: version.cpp:82
uint32_t version_minor()
Definition: version.cpp:81
std::string short_version_string()
Definition: version.cpp:70
template<typename T >
bool Botan::same_mem ( const T p1,
const T p2,
size_t  n 
)
inline

Memory comparison, input insensitive

Parameters
p1a pointer to an array
p2a pointer to another array
nthe number of Ts in p1 and p2
Returns
true iff p1[i] == p2[i] forall i in [0...n)

Definition at line 217 of file mem_ops.h.

References T.

Referenced by check_bcrypt(), Botan::PK_Verifier::check_signature(), Botan::Sodium::crypto_verify_16(), Botan::Sodium::crypto_verify_32(), Botan::Sodium::crypto_verify_64(), Botan::TLS::Session::decrypt(), and Botan::RTSS_Share::reconstruct().

218  {
219  volatile T difference = 0;
220 
221  for(size_t i = 0; i != n; ++i)
222  difference |= (p1[i] ^ p2[i]);
223 
224  return difference == 0;
225  }
fe T
Definition: ge.cpp:37
void Botan::sc_muladd ( uint8_t *  s,
const uint8_t *  a,
const uint8_t *  b,
const uint8_t *  c 
)

Definition at line 26 of file sc_muladd.cpp.

References load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign().

27  {
28  const int32_t MASK = 0x1fffff;
29 
30  const int64_t a0 = MASK & load_3(a);
31  const int64_t a1 = MASK & (load_4(a + 2) >> 5);
32  const int64_t a2 = MASK & (load_3(a + 5) >> 2);
33  const int64_t a3 = MASK & (load_4(a + 7) >> 7);
34  const int64_t a4 = MASK & (load_4(a + 10) >> 4);
35  const int64_t a5 = MASK & (load_3(a + 13) >> 1);
36  const int64_t a6 = MASK & (load_4(a + 15) >> 6);
37  const int64_t a7 = MASK & (load_3(a + 18) >> 3);
38  const int64_t a8 = MASK & load_3(a + 21);
39  const int64_t a9 = MASK & (load_4(a + 23) >> 5);
40  const int64_t a10 = MASK & (load_3(a + 26) >> 2);
41  const int64_t a11 = (load_4(a + 28) >> 7);
42  const int64_t b0 = MASK & load_3(b);
43  const int64_t b1 = MASK & (load_4(b + 2) >> 5);
44  const int64_t b2 = MASK & (load_3(b + 5) >> 2);
45  const int64_t b3 = MASK & (load_4(b + 7) >> 7);
46  const int64_t b4 = MASK & (load_4(b + 10) >> 4);
47  const int64_t b5 = MASK & (load_3(b + 13) >> 1);
48  const int64_t b6 = MASK & (load_4(b + 15) >> 6);
49  const int64_t b7 = MASK & (load_3(b + 18) >> 3);
50  const int64_t b8 = MASK & load_3(b + 21);
51  const int64_t b9 = MASK & (load_4(b + 23) >> 5);
52  const int64_t b10 = MASK & (load_3(b + 26) >> 2);
53  const int64_t b11 = (load_4(b + 28) >> 7);
54  const int64_t c0 = MASK & load_3(c);
55  const int64_t c1 = MASK & (load_4(c + 2) >> 5);
56  const int64_t c2 = MASK & (load_3(c + 5) >> 2);
57  const int64_t c3 = MASK & (load_4(c + 7) >> 7);
58  const int64_t c4 = MASK & (load_4(c + 10) >> 4);
59  const int64_t c5 = MASK & (load_3(c + 13) >> 1);
60  const int64_t c6 = MASK & (load_4(c + 15) >> 6);
61  const int64_t c7 = MASK & (load_3(c + 18) >> 3);
62  const int64_t c8 = MASK & load_3(c + 21);
63  const int64_t c9 = MASK & (load_4(c + 23) >> 5);
64  const int64_t c10 = MASK & (load_3(c + 26) >> 2);
65  const int64_t c11 = (load_4(c + 28) >> 7);
66 
67  int64_t s0 = c0 + a0*b0;
68  int64_t s1 = c1 + a0*b1 + a1*b0;
69  int64_t s2 = c2 + a0*b2 + a1*b1 + a2*b0;
70  int64_t s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0;
71  int64_t s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0;
72  int64_t s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0;
73  int64_t s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0;
74  int64_t s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0;
75  int64_t s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0;
76  int64_t s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0;
77  int64_t s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0;
78  int64_t s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0;
79  int64_t s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1;
80  int64_t s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2;
81  int64_t s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3;
82  int64_t s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4;
83  int64_t s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5;
84  int64_t s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6;
85  int64_t s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7;
86  int64_t s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8;
87  int64_t s20 = a9*b11 + a10*b10 + a11*b9;
88  int64_t s21 = a10*b11 + a11*b10;
89  int64_t s22 = a11*b11;
90  int64_t s23 = 0;
91 
92  carry<21>(s0, s1);
93  carry<21>(s2, s3);
94  carry<21>(s4, s5);
95  carry<21>(s6, s7);
96  carry<21>(s8, s9);
97  carry<21>(s10, s11);
98  carry<21>(s12, s13);
99  carry<21>(s14, s15);
100  carry<21>(s16, s17);
101  carry<21>(s18, s19);
102  carry<21>(s20, s21);
103  carry<21>(s22, s23);
104 
105  carry<21>(s1, s2);
106  carry<21>(s3, s4);
107  carry<21>(s5, s6);
108  carry<21>(s7, s8);
109  carry<21>(s9, s10);
110  carry<21>(s11, s12);
111  carry<21>(s13, s14);
112  carry<21>(s15, s16);
113  carry<21>(s17, s18);
114  carry<21>(s19, s20);
115  carry<21>(s21, s22);
116 
117  redc_mul(s11, s12, s13, s14, s15, s16, s23);
118  redc_mul(s10, s11, s12, s13, s14, s15, s22);
119  redc_mul( s9, s10, s11, s12, s13, s14, s21);
120  redc_mul( s8, s9, s10, s11, s12, s13, s20);
121  redc_mul( s7, s8, s9, s10, s11, s12, s19);
122  redc_mul( s6, s7, s8, s9, s10, s11, s18);
123 
124  carry<21>(s6, s7);
125  carry<21>(s8, s9);
126  carry<21>(s10, s11);
127  carry<21>(s12, s13);
128  carry<21>(s14, s15);
129  carry<21>(s16, s17);
130 
131  carry<21>(s7, s8);
132  carry<21>(s9, s10);
133  carry<21>(s11, s12);
134  carry<21>(s13, s14);
135  carry<21>(s15, s16);
136 
137  redc_mul(s5, s6, s7, s8, s9, s10, s17);
138  redc_mul(s4, s5, s6, s7, s8, s9, s16);
139  redc_mul(s3, s4, s5, s6, s7, s8, s15);
140  redc_mul(s2, s3, s4, s5, s6, s7, s14);
141  redc_mul(s1, s2, s3, s4, s5, s6, s13);
142  redc_mul(s0, s1, s2, s3, s4, s5, s12);
143 
144  carry<21>(s0, s1);
145  carry<21>(s2, s3);
146  carry<21>(s4, s5);
147  carry<21>(s6, s7);
148  carry<21>(s8, s9);
149  carry<21>(s10, s11);
150 
151  carry<21>(s1, s2);
152  carry<21>(s3, s4);
153  carry<21>(s5, s6);
154  carry<21>(s7, s8);
155  carry<21>(s9, s10);
156  carry<21>(s11, s12);
157 
158  redc_mul(s0, s1, s2, s3, s4, s5, s12);
159 
160  carry0<21>(s0, s1);
161  carry0<21>(s1, s2);
162  carry0<21>(s2, s3);
163  carry0<21>(s3, s4);
164  carry0<21>(s4, s5);
165  carry0<21>(s5, s6);
166  carry0<21>(s6, s7);
167  carry0<21>(s7, s8);
168  carry0<21>(s8, s9);
169  carry0<21>(s9, s10);
170  carry0<21>(s10, s11);
171  carry0<21>(s11, s12);
172 
173  redc_mul(s0, s1, s2, s3, s4, s5, s12);
174 
175  carry0<21>(s0, s1);
176  carry0<21>(s1, s2);
177  carry0<21>(s2, s3);
178  carry0<21>(s3, s4);
179  carry0<21>(s4, s5);
180  carry0<21>(s5, s6);
181  carry0<21>(s6, s7);
182  carry0<21>(s7, s8);
183  carry0<21>(s8, s9);
184  carry0<21>(s9, s10);
185  carry0<21>(s10, s11);
186 
187  s[0] = static_cast<uint8_t>(s0 >> 0);
188  s[1] = static_cast<uint8_t>(s0 >> 8);
189  s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
190  s[3] = static_cast<uint8_t>(s1 >> 3);
191  s[4] = static_cast<uint8_t>(s1 >> 11);
192  s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
193  s[6] = static_cast<uint8_t>(s2 >> 6);
194  s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
195  s[8] = static_cast<uint8_t>(s3 >> 1);
196  s[9] = static_cast<uint8_t>(s3 >> 9);
197  s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
198  s[11] = static_cast<uint8_t>(s4 >> 4);
199  s[12] = static_cast<uint8_t>(s4 >> 12);
200  s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
201  s[14] = static_cast<uint8_t>(s5 >> 7);
202  s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
203  s[16] = static_cast<uint8_t>(s6 >> 2);
204  s[17] = static_cast<uint8_t>(s6 >> 10);
205  s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
206  s[19] = static_cast<uint8_t>(s7 >> 5);
207  s[20] = static_cast<uint8_t>(s7 >> 13);
208  s[21] = static_cast<uint8_t>(s8 >> 0);
209  s[22] = static_cast<uint8_t>(s8 >> 8);
210  s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
211  s[24] = static_cast<uint8_t>(s9 >> 3);
212  s[25] = static_cast<uint8_t>(s9 >> 11);
213  s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
214  s[27] = static_cast<uint8_t>(s10 >> 6);
215  s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
216  s[29] = static_cast<uint8_t>(s11 >> 1);
217  s[30] = static_cast<uint8_t>(s11 >> 9);
218  s[31] = static_cast<uint8_t>(s11 >> 17);
219  }
uint64_t load_4(const uint8_t *in)
uint64_t load_3(const uint8_t in[3])
void redc_mul(int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
void Botan::sc_reduce ( uint8_t *  s)

Definition at line 25 of file sc_reduce.cpp.

References load_3(), load_4(), and redc_mul().

Referenced by ed25519_sign(), and ed25519_verify().

26  {
27  const uint32_t MASK = 0x1fffff;
28 
29  int64_t s0 = MASK & load_3(s);
30  int64_t s1 = MASK & (load_4(s + 2) >> 5);
31  int64_t s2 = MASK & (load_3(s + 5) >> 2);
32  int64_t s3 = MASK & (load_4(s + 7) >> 7);
33  int64_t s4 = MASK & (load_4(s + 10) >> 4);
34  int64_t s5 = MASK & (load_3(s + 13) >> 1);
35  int64_t s6 = MASK & (load_4(s + 15) >> 6);
36  int64_t s7 = MASK & (load_3(s + 18) >> 3);
37  int64_t s8 = MASK & load_3(s + 21);
38  int64_t s9 = MASK & (load_4(s + 23) >> 5);
39  int64_t s10 = MASK & (load_3(s + 26) >> 2);
40  int64_t s11 = MASK & (load_4(s + 28) >> 7);
41  int64_t s12 = MASK & (load_4(s + 31) >> 4);
42  int64_t s13 = MASK & (load_3(s + 34) >> 1);
43  int64_t s14 = MASK & (load_4(s + 36) >> 6);
44  int64_t s15 = MASK & (load_3(s + 39) >> 3);
45  int64_t s16 = MASK & load_3(s + 42);
46  int64_t s17 = MASK & (load_4(s + 44) >> 5);
47  int64_t s18 = MASK & (load_3(s + 47) >> 2);
48  int64_t s19 = MASK & (load_4(s + 49) >> 7);
49  int64_t s20 = MASK & (load_4(s + 52) >> 4);
50  int64_t s21 = MASK & (load_3(s + 55) >> 1);
51  int64_t s22 = MASK & (load_4(s + 57) >> 6);
52  int64_t s23 = (load_4(s + 60) >> 3);
53 
54  redc_mul(s11, s12, s13, s14, s15, s16, s23);
55  redc_mul(s10, s11, s12, s13, s14, s15, s22);
56  redc_mul( s9, s10, s11, s12, s13, s14, s21);
57  redc_mul( s8, s9, s10, s11, s12, s13, s20);
58  redc_mul( s7, s8, s9, s10, s11, s12, s19);
59  redc_mul( s6, s7, s8, s9, s10, s11, s18);
60 
61  carry<21>(s6, s7);
62  carry<21>(s8, s9);
63  carry<21>(s10, s11);
64  carry<21>(s12, s13);
65  carry<21>(s14, s15);
66  carry<21>(s16, s17);
67 
68  carry<21>(s7, s8);
69  carry<21>(s9, s10);
70  carry<21>(s11, s12);
71  carry<21>(s13, s14);
72  carry<21>(s15, s16);
73 
74  redc_mul(s5, s6, s7, s8, s9, s10, s17);
75  redc_mul(s4, s5, s6, s7, s8, s9, s16);
76  redc_mul(s3, s4, s5, s6, s7, s8, s15);
77  redc_mul(s2, s3, s4, s5, s6, s7, s14);
78  redc_mul(s1, s2, s3, s4, s5, s6, s13);
79  redc_mul(s0, s1, s2, s3, s4, s5, s12);
80 
81  carry<21>(s0, s1);
82  carry<21>(s2, s3);
83  carry<21>(s4, s5);
84  carry<21>(s6, s7);
85  carry<21>(s8, s9);
86  carry<21>(s10, s11);
87 
88  carry<21>(s1, s2);
89  carry<21>(s3, s4);
90  carry<21>(s5, s6);
91  carry<21>(s7, s8);
92  carry<21>(s9, s10);
93  carry<21>(s11, s12);
94 
95  redc_mul(s0, s1, s2, s3, s4, s5, s12);
96 
97  carry0<21>(s0, s1);
98  carry0<21>(s1, s2);
99  carry0<21>(s2, s3);
100  carry0<21>(s3, s4);
101  carry0<21>(s4, s5);
102  carry0<21>(s5, s6);
103  carry0<21>(s6, s7);
104  carry0<21>(s7, s8);
105  carry0<21>(s8, s9);
106  carry0<21>(s9, s10);
107  carry0<21>(s10, s11);
108  carry0<21>(s11, s12);
109 
110  redc_mul(s0, s1, s2, s3, s4, s5, s12);
111 
112  carry0<21>(s0, s1);
113  carry0<21>(s1, s2);
114  carry0<21>(s2, s3);
115  carry0<21>(s3, s4);
116  carry0<21>(s4, s5);
117  carry0<21>(s5, s6);
118  carry0<21>(s6, s7);
119  carry0<21>(s7, s8);
120  carry0<21>(s8, s9);
121  carry0<21>(s9, s10);
122  carry0<21>(s10, s11);
123  carry0<21>(s11, s12);
124 
125  s[0] = static_cast<uint8_t>(s0 >> 0);
126  s[1] = static_cast<uint8_t>(s0 >> 8);
127  s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
128  s[3] = static_cast<uint8_t>(s1 >> 3);
129  s[4] = static_cast<uint8_t>(s1 >> 11);
130  s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
131  s[6] = static_cast<uint8_t>(s2 >> 6);
132  s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
133  s[8] = static_cast<uint8_t>(s3 >> 1);
134  s[9] = static_cast<uint8_t>(s3 >> 9);
135  s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
136  s[11] = static_cast<uint8_t>(s4 >> 4);
137  s[12] = static_cast<uint8_t>(s4 >> 12);
138  s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
139  s[14] = static_cast<uint8_t>(s5 >> 7);
140  s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
141  s[16] = static_cast<uint8_t>(s6 >> 2);
142  s[17] = static_cast<uint8_t>(s6 >> 10);
143  s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
144  s[19] = static_cast<uint8_t>(s7 >> 5);
145  s[20] = static_cast<uint8_t>(s7 >> 13);
146  s[21] = static_cast<uint8_t>(s8 >> 0);
147  s[22] = static_cast<uint8_t>(s8 >> 8);
148  s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
149  s[24] = static_cast<uint8_t>(s9 >> 3);
150  s[25] = static_cast<uint8_t>(s9 >> 11);
151  s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
152  s[27] = static_cast<uint8_t>(s10 >> 6);
153  s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
154  s[29] = static_cast<uint8_t>(s11 >> 1);
155  s[30] = static_cast<uint8_t>(s11 >> 9);
156  s[31] = static_cast<uint8_t>(s11 >> 17);
157  }
uint64_t load_4(const uint8_t *in)
uint64_t load_3(const uint8_t in[3])
void redc_mul(int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
void Botan::scrypt ( uint8_t  output[],
size_t  output_len,
const std::string &  password,
const uint8_t  salt[],
size_t  salt_len,
size_t  N,
size_t  r,
size_t  p 
)
inline

Scrypt key derivation function (RFC 7914) Before 2.8 this function was the primary interface for scrypt

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 109 of file scrypt.h.

References salt_len, and scrypt().

113  {
114  return scrypt(output, output_len,
115  password.c_str(), password.size(),
116  salt, salt_len,
117  N, r, p);
118  }
void scrypt(uint8_t output[], size_t output_len, const std::string &password, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p)
Definition: scrypt.h:109
size_t salt_len
Definition: x509_obj.cpp:25
void Botan::scrypt ( uint8_t  output[],
size_t  output_len,
const char *  password,
size_t  password_len,
const uint8_t  salt[],
size_t  salt_len,
size_t  N,
size_t  r,
size_t  p 
)

Scrypt key derivation function (RFC 7914)

Parameters
outputthe output will be placed here
output_lenlength of output
passwordthe user password
password_lenlength of password
saltthe salt
salt_lenlength of salt
Nthe CPU/Memory cost parameter, must be power of 2
rthe block size parameter
pthe parallelization parameter

Suitable parameters for most uses would be N = 32768, r = 8, p = 1

Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory

Definition at line 211 of file scrypt.cpp.

References B, cast_char_ptr_to_uint8(), Botan::MessageAuthenticationCode::create_or_throw(), pbkdf2(), and salt_len.

Referenced by Botan::Scrypt::derive_key(), scrypt(), and Botan::Scrypt_Family::tune().

215  {
216  const size_t S = 128 * r;
217  secure_vector<uint8_t> B(p * S);
218  // temp space
219  secure_vector<uint8_t> V((N+1) * S);
220 
221  auto hmac_sha256 = MessageAuthenticationCode::create_or_throw("HMAC(SHA-256)");
222 
223  try
224  {
225  hmac_sha256->set_key(cast_char_ptr_to_uint8(password), password_len);
226  }
227  catch(Invalid_Key_Length&)
228  {
229  throw Invalid_Argument("Scrypt cannot accept passphrases of the provided length");
230  }
231 
232  pbkdf2(*hmac_sha256.get(),
233  B.data(), B.size(),
234  salt, salt_len,
235  1);
236 
237  // these can be parallel
238  for(size_t i = 0; i != p; ++i)
239  {
240  scryptROMmix(r, N, &B[128*r*i], V);
241  }
242 
243  pbkdf2(*hmac_sha256.get(),
244  output, output_len,
245  B.data(), B.size(),
246  1);
247  }
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:190
SIMD_8x32 B
size_t salt_len
Definition: x509_obj.cpp:25
size_t pbkdf2(MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const std::string &password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec)
Definition: pbkdf2.cpp:35
size_t Botan::scrypt_memory_usage ( size_t  N,
size_t  r,
size_t  p 
)
inline

Definition at line 120 of file scrypt.h.

Referenced by Botan::Scrypt::total_memory_usage(), and Botan::Scrypt_Family::tune().

121  {
122  return 128 * r * (N + p);
123  }
template<typename K , typename V >
V Botan::search_map ( const std::map< K, V > &  mapping,
const K &  key,
const V &  null_result = V() 
)
inline

Definition at line 52 of file stl_util.h.

Referenced by Botan::HTTP::http_sync().

55  {
56  auto i = mapping.find(key);
57  if(i == mapping.end())
58  return null_result;
59  return i->second;
60  }
template<typename K , typename V , typename R >
R Botan::search_map ( const std::map< K, V > &  mapping,
const K &  key,
const R &  null_result,
const R &  found_result 
)
inline

Definition at line 63 of file stl_util.h.

65  {
66  auto i = mapping.find(key);
67  if(i == mapping.end())
68  return null_result;
69  return found_result;
70  }
void Botan::secure_scrub_memory ( void *  ptr,
size_t  n 
)

Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory (for example, in some hypothetical implementation it might combine the memory contents with the output of a system PRNG), but if you can detect any difference in behavior at runtime then the clearing is side-effecting and you can just use clear_mem.

Use this function to scrub memory just before deallocating it, or on a stack buffer before returning from the function.

Parameters
ptra pointer to memory to scrub
nthe number of bytes pointed to by ptr

Definition at line 66 of file os_utils.cpp.

Referenced by botan_scrub_mem(), deallocate_memory(), Botan::OS::free_locked_pages(), Botan::GHASH::ghash_update(), Botan::Sodium::sodium_free(), Botan::Sodium::sodium_memzero(), Botan::FE_25519::~FE_25519(), and Botan::newhope_poly::~newhope_poly().

67  {
68 #if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY)
69  ::RtlSecureZeroMemory(ptr, n);
70 
71 #elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO)
72  ::explicit_bzero(ptr, n);
73 
74 #elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET)
75  (void)::explicit_memset(ptr, 0, n);
76 
77 #elif defined(BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO) && (BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO == 1)
78  /*
79  Call memset through a static volatile pointer, which the compiler
80  should not elide. This construct should be safe in conforming
81  compilers, but who knows. I did confirm that on x86-64 GCC 6.1 and
82  Clang 3.8 both create code that saves the memset address in the
83  data segment and unconditionally loads and jumps to that address.
84  */
85  static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset;
86  (memset_ptr)(ptr, 0, n);
87 #else
88 
89  volatile uint8_t* p = reinterpret_cast<volatile uint8_t*>(ptr);
90 
91  for(size_t i = 0; i != n; ++i)
92  p[i] = 0;
93 #endif
94  }
void Botan::set_mem ( uint8_t *  ptr,
size_t  n,
uint8_t  val 
)
inline

Set memory to a fixed value

Parameters
ptra pointer to an array of bytes
nthe number of Ts pointed to by ptr
valthe value to set each byte to

Definition at line 182 of file mem_ops.h.

183  {
184  if(n > 0)
185  {
186  std::memset(ptr, val, n);
187  }
188  }
void Botan::SHA3_round ( uint64_t  T[25],
const uint64_t  A[25],
uint64_t  RC 
)
inline

Definition at line 53 of file sha3_round.h.

Referenced by Botan::SHA_3::permute().

54  {
55 #if defined(BOTAN_HAS_BROKEN_CLANG_SHA3)
56  const auto [C0,C1,C2,C3,C4] = xor_CNs(A);
57 #else
58  const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
59  const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
60  const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
61  const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
62  const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
63 #endif
64 
65  const uint64_t D0 = rotl<1>(C0) ^ C3;
66  const uint64_t D1 = rotl<1>(C1) ^ C4;
67  const uint64_t D2 = rotl<1>(C2) ^ C0;
68  const uint64_t D3 = rotl<1>(C3) ^ C1;
69  const uint64_t D4 = rotl<1>(C4) ^ C2;
70 
71  const uint64_t B00 = A[ 0] ^ D1;
72  const uint64_t B01 = rotl<44>(A[ 6] ^ D2);
73  const uint64_t B02 = rotl<43>(A[12] ^ D3);
74  const uint64_t B03 = rotl<21>(A[18] ^ D4);
75  const uint64_t B04 = rotl<14>(A[24] ^ D0);
76  T[ 0] = B00 ^ (~B01 & B02) ^ RC;
77  T[ 1] = B01 ^ (~B02 & B03);
78  T[ 2] = B02 ^ (~B03 & B04);
79  T[ 3] = B03 ^ (~B04 & B00);
80  T[ 4] = B04 ^ (~B00 & B01);
81 
82  const uint64_t B05 = rotl<28>(A[ 3] ^ D4);
83  const uint64_t B06 = rotl<20>(A[ 9] ^ D0);
84  const uint64_t B07 = rotl< 3>(A[10] ^ D1);
85  const uint64_t B08 = rotl<45>(A[16] ^ D2);
86  const uint64_t B09 = rotl<61>(A[22] ^ D3);
87  T[ 5] = B05 ^ (~B06 & B07);
88  T[ 6] = B06 ^ (~B07 & B08);
89  T[ 7] = B07 ^ (~B08 & B09);
90  T[ 8] = B08 ^ (~B09 & B05);
91  T[ 9] = B09 ^ (~B05 & B06);
92 
93  const uint64_t B10 = rotl< 1>(A[ 1] ^ D2);
94  const uint64_t B11 = rotl< 6>(A[ 7] ^ D3);
95  const uint64_t B12 = rotl<25>(A[13] ^ D4);
96  const uint64_t B13 = rotl< 8>(A[19] ^ D0);
97  const uint64_t B14 = rotl<18>(A[20] ^ D1);
98  T[10] = B10 ^ (~B11 & B12);
99  T[11] = B11 ^ (~B12 & B13);
100  T[12] = B12 ^ (~B13 & B14);
101  T[13] = B13 ^ (~B14 & B10);
102  T[14] = B14 ^ (~B10 & B11);
103 
104  const uint64_t B15 = rotl<27>(A[ 4] ^ D0);
105  const uint64_t B16 = rotl<36>(A[ 5] ^ D1);
106  const uint64_t B17 = rotl<10>(A[11] ^ D2);
107  const uint64_t B18 = rotl<15>(A[17] ^ D3);
108  const uint64_t B19 = rotl<56>(A[23] ^ D4);
109  T[15] = B15 ^ (~B16 & B17);
110  T[16] = B16 ^ (~B17 & B18);
111  T[17] = B17 ^ (~B18 & B19);
112  T[18] = B18 ^ (~B19 & B15);
113  T[19] = B19 ^ (~B15 & B16);
114 
115  const uint64_t B20 = rotl<62>(A[ 2] ^ D3);
116  const uint64_t B21 = rotl<55>(A[ 8] ^ D4);
117  const uint64_t B22 = rotl<39>(A[14] ^ D0);
118  const uint64_t B23 = rotl<41>(A[15] ^ D1);
119  const uint64_t B24 = rotl< 2>(A[21] ^ D2);
120  T[20] = B20 ^ (~B21 & B22);
121  T[21] = B21 ^ (~B22 & B23);
122  T[22] = B22 ^ (~B23 & B24);
123  T[23] = B23 ^ (~B24 & B20);
124  T[24] = B24 ^ (~B20 & B21);
125  }
void BOTAN_FUNC_ISA("avx2") SHACAL2 SIMD_8x32 A
fe T
Definition: ge.cpp:37
const char * Botan::short_version_cstr ( )

Same as version_short_string except returning a pointer to the string.

Definition at line 22 of file version.cpp.

References STR.

Referenced by short_version_string().

23  {
24  return STR(BOTAN_VERSION_MAJOR) "."
25  STR(BOTAN_VERSION_MINOR) "."
26  STR(BOTAN_VERSION_PATCH)
27 #if defined(BOTAN_VERSION_SUFFIX)
28  STR(BOTAN_VERSION_SUFFIX)
29 #endif
30  ;
31  }
#define STR(macro)
Definition: version.cpp:20
std::string Botan::short_version_string ( )

Return a version string of the form "MAJOR.MINOR.PATCH" where each of the values is an integer.

Definition at line 70 of file version.cpp.

References short_version_cstr().

Referenced by runtime_version_check().

71  {
72  return std::string(short_version_cstr());
73  }
const char * short_version_cstr()
Definition: version.cpp:22
bool Botan::sig_algo_and_pad_ok ( const std::string  algo,
const std::string  padding 
)

Returns true iff the given padding scheme is valid for the given signature algorithm (key type).

Parameters
algothe signature algorithm to be used
paddingthe padding scheme to be used

Definition at line 39 of file padding.cpp.

References get_sig_paddings().

Referenced by Botan::EMSA1::config_for_x509(), Botan::PSSR::config_for_x509(), and Botan::EMSA_PKCS1v15::config_for_x509().

40  {
41  std::vector<std::string> pads = get_sig_paddings(algo);
42  return std::find(pads.begin(), pads.end(), padding) != pads.end();
43  }
const std::vector< std::string > get_sig_paddings(const std::string algo)
Definition: padding.cpp:32
template<typename T >
size_t Botan::significant_bytes ( T  n)
inline

Return the number of significant bytes in n

Parameters
nan integer value
Returns
number of significant bytes in n

Definition at line 77 of file bit_ops.h.

References ct_is_zero().

78  {
79  size_t b = 0;
80 
81  for(size_t s = 8*sizeof(n) / 2; s >= 8; s /= 2)
82  {
83  const size_t z = s * (~ct_is_zero(n >> s) & 1);
84  b += z/8;
85  n >>= z;
86  }
87 
88  b += (n != 0);
89 
90  return b;
91  }
T ct_is_zero(T x)
Definition: bit_ops.h:32
std::vector< uint8_t > Botan::sm2_compute_za ( HashFunction hash,
const std::string &  user_id,
const EC_Group domain,
const PointGFp pubkey 
)

Definition at line 52 of file sm2.cpp.

References Botan::BigInt::encode_1363(), Botan::Buffered_Computation::final(), Botan::EC_Group::get_a(), Botan::PointGFp::get_affine_x(), Botan::PointGFp::get_affine_y(), Botan::EC_Group::get_b(), get_byte(), Botan::EC_Group::get_g_x(), Botan::EC_Group::get_g_y(), Botan::EC_Group::get_p_bytes(), Botan::Buffered_Computation::output_length(), and Botan::Buffered_Computation::update().

Referenced by botan_pubkey_sm2_compute_za().

56  {
57  if(user_id.size() >= 8192)
58  throw Invalid_Argument("SM2 user id too long to represent");
59 
60  const uint16_t uid_len = static_cast<uint16_t>(8 * user_id.size());
61 
62  hash.update(get_byte(0, uid_len));
63  hash.update(get_byte(1, uid_len));
64  hash.update(user_id);
65 
66  const size_t p_bytes = domain.get_p_bytes();
67 
68  hash.update(BigInt::encode_1363(domain.get_a(), p_bytes));
69  hash.update(BigInt::encode_1363(domain.get_b(), p_bytes));
70  hash.update(BigInt::encode_1363(domain.get_g_x(), p_bytes));
71  hash.update(BigInt::encode_1363(domain.get_g_y(), p_bytes));
72  hash.update(BigInt::encode_1363(pubkey.get_affine_x(), p_bytes));
73  hash.update(BigInt::encode_1363(pubkey.get_affine_y(), p_bytes));
74 
75  std::vector<uint8_t> za(hash.output_length());
76  hash.final(za.data());
77 
78  return za;
79  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
MechanismType hash
std::vector< std::string > Botan::split_on ( const std::string &  str,
char  delim 
)

Split a string

Parameters
strthe input string
delimthe delimitor
Returns
string split by delim

Definition at line 148 of file parsing.cpp.

References split_on_pred().

Referenced by argon2_check_pwhash(), Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), create_private_key(), Botan::TLS::Text_Policy::get_list(), Botan::X509_Object::hash_used_for_signature(), Botan::TLS::Text_Policy::key_exchange_groups(), load_public_key(), pbes2_decrypt(), read_kv(), string_to_ipv4(), Botan::X509_Object::verify_signature(), Botan::OCSP::Response::verify_signature(), and Botan::X509_Cert_Options::X509_Cert_Options().

149  {
150  return split_on_pred(str, [delim](char c) { return c == delim; });
151  }
std::vector< std::string > split_on_pred(const std::string &str, std::function< bool(char)> pred)
Definition: parsing.cpp:153
std::vector< std::string > Botan::split_on_pred ( const std::string &  str,
std::function< bool(char)>  pred 
)

Split a string on a character predicate

Parameters
strthe input string
predthe predicate

This function will likely be removed in a future release

Definition at line 153 of file parsing.cpp.

Referenced by split_on().

155  {
156  std::vector<std::string> elems;
157  if(str.empty()) return elems;
158 
159  std::string substr;
160  for(auto i = str.begin(); i != str.end(); ++i)
161  {
162  if(pred(*i))
163  {
164  if(!substr.empty())
165  elems.push_back(substr);
166  substr.clear();
167  }
168  else
169  substr += *i;
170  }
171 
172  if(substr.empty())
173  throw Invalid_Argument("Unable to split string: " + str);
174  elems.push_back(substr);
175 
176  return elems;
177  }
BigInt Botan::square ( const BigInt x)
Parameters
xan integer
Returns
(x*x)

Definition at line 19 of file mp_numth.cpp.

References Botan::BigInt::square().

Referenced by Botan::Modular_Reducer::cube(), and Botan::Modular_Reducer::square().

20  {
21  BigInt z = x;
22  secure_vector<word> ws;
23  z.square(ws);
24  return z;
25  }
std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( const std::string &  username,
const std::string &  password,
const std::string &  group_id,
const std::string &  hash_id,
const std::vector< uint8_t > &  salt,
const BigInt B,
RandomNumberGenerator rng 
)

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
group_idspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 77 of file srp6.cpp.

References Botan::DL_Group::exponent_bits().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().

84  {
85  DL_Group group(group_id);
86  const size_t a_bits = group.exponent_bits();
87 
88  return srp6_client_agree(identifier, password, group, hash_id, salt, B, a_bits, rng);
89  }
std::pair< BigInt, SymmetricKey > srp6_client_agree(const std::string &identifier, const std::string &password, const DL_Group &group, const std::string &hash_id, const std::vector< uint8_t > &salt, const BigInt &B, const size_t a_bits, RandomNumberGenerator &rng)
Definition: srp6.cpp:92
SIMD_8x32 B
std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree ( const std::string &  username,
const std::string &  password,
const DL_Group group,
const std::string &  hash_id,
const std::vector< uint8_t > &  salt,
const BigInt B,
size_t  a_bits,
RandomNumberGenerator rng 
)

SRP6a Client side

Parameters
usernamethe username we are attempting login for
passwordthe password we are attempting to use
groupspecifies the shared SRP group
hash_idspecifies a secure hash function
saltis the salt value sent by the server
Bis the server's public value
a_bitssize of secret exponent in bits
rngis a random number generator
Returns
(A,K) the client public key and the shared secret key

Definition at line 92 of file srp6.cpp.

References A, Botan::BigInt::encode_1363(), Botan::DL_Group::get_g(), Botan::DL_Group::get_p(), Botan::DL_Group::mod_p(), Botan::DL_Group::p_bytes(), Botan::DL_Group::power_g_p(), and power_mod().

100  {
101  const BigInt& g = group.get_g();
102  const BigInt& p = group.get_p();
103 
104  const size_t p_bytes = group.p_bytes();
105 
106  if(B <= 0 || B >= p)
107  throw Decoding_Error("Invalid SRP parameter from server");
108 
109  const BigInt k = hash_seq(hash_id, p_bytes, p, g);
110 
111  const BigInt a(rng, a_bits);
112 
113  const BigInt A = group.power_g_p(a, a_bits);
114 
115  const BigInt u = hash_seq(hash_id, p_bytes, A, B);
116 
117  const BigInt x = compute_x(hash_id, identifier, password, salt);
118 
119  const BigInt S = power_mod(group.mod_p(B - (k * power_mod(g, x, p))),
120  group.mod_p(a + (u * x)), p);
121 
122  const SymmetricKey Sk(BigInt::encode_1363(S, p_bytes));
123 
124  return std::make_pair(A, Sk);
125  }
BigInt power_mod(const BigInt &base, const BigInt &exp, const BigInt &mod)
Definition: numthry.cpp:151
void BOTAN_FUNC_ISA("avx2") SHACAL2 SIMD_8x32 A
SIMD_8x32 B
OctetString SymmetricKey
Definition: symkey.h:141
std::string Botan::srp6_group_identifier ( const BigInt N,
const BigInt g 
)

Return the group id for this SRP param set, or else thrown an exception

Parameters
Nthe group modulus
gthe group generator
Returns
group identifier

Definition at line 53 of file srp6.cpp.

References Botan::BigInt::bits(), and Botan::ASN1::to_string().

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().

54  {
55  /*
56  This function assumes that only one 'standard' SRP parameter set has
57  been defined for a particular bitsize. As of this writing that is the case.
58  */
59  try
60  {
61  const std::string group_name = "modp/srp/" + std::to_string(N.bits());
62 
63  DL_Group group(group_name);
64 
65  if(group.get_p() == N && group.get_g() == g)
66  return group_name;
67  }
68  catch(...)
69  {
70  }
71 
72  // If we didn't return, the group was unknown or did not match
73  throw Invalid_Argument("Invalid or unknown SRP group parameters");
74  }
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
A Botan::store_be ( out  )
H Botan::store_be ( out+  32)
void Botan::store_be ( uint16_t  in,
uint8_t  out[2] 
)
inline

Store a big-endian uint16_t

Parameters
inthe input uint16_t
outthe byte array to write to

Definition at line 438 of file loadstor.h.

References get_byte(), and typecast_copy().

439  {
440 #if defined(BOTAN_ENDIAN_N2B)
441  uint16_t o = BOTAN_ENDIAN_N2B(in);
442  typecast_copy(out, o);
443 #else
444  out[0] = get_byte(0, in);
445  out[1] = get_byte(1, in);
446 #endif
447  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
void Botan::store_be ( uint32_t  in,
uint8_t  out[4] 
)
inline

Store a big-endian uint32_t

Parameters
inthe input uint32_t
outthe byte array to write to

Definition at line 470 of file loadstor.h.

References get_byte(), and typecast_copy().

471  {
472 #if defined(BOTAN_ENDIAN_B2N)
473  uint32_t o = BOTAN_ENDIAN_B2N(in);
474  typecast_copy(out, o);
475 #else
476  out[0] = get_byte(0, in);
477  out[1] = get_byte(1, in);
478  out[2] = get_byte(2, in);
479  out[3] = get_byte(3, in);
480 #endif
481  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
void Botan::store_be ( uint64_t  in,
uint8_t  out[8] 
)
inline

Store a big-endian uint64_t

Parameters
inthe input uint64_t
outthe byte array to write to

Definition at line 506 of file loadstor.h.

References get_byte(), and typecast_copy().

507  {
508 #if defined(BOTAN_ENDIAN_B2N)
509  uint64_t o = BOTAN_ENDIAN_B2N(in);
510  typecast_copy(out, o);
511 #else
512  out[0] = get_byte(0, in);
513  out[1] = get_byte(1, in);
514  out[2] = get_byte(2, in);
515  out[3] = get_byte(3, in);
516  out[4] = get_byte(4, in);
517  out[5] = get_byte(5, in);
518  out[6] = get_byte(6, in);
519  out[7] = get_byte(7, in);
520 #endif
521  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
template<typename T >
void Botan::store_be ( uint8_t  out[],
T  x0,
T  x1 
)
inline

Store two big-endian words

Parameters
outthe output byte array
x0the first word
x1the second word

Definition at line 565 of file loadstor.h.

References store_be(), and T.

566  {
567  store_be(x0, out + (0 * sizeof(T)));
568  store_be(x1, out + (1 * sizeof(T)));
569  }
fe T
Definition: ge.cpp:37
void store_be(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:644
template<typename T >
void Botan::store_be ( uint8_t  out[],
T  x0,
T  x1,
T  x2,
T  x3 
)
inline

Store four big-endian words

Parameters
outthe output byte array
x0the first word
x1the second word
x2the third word
x3the fourth word

Definition at line 597 of file loadstor.h.

References store_be(), and T.

598  {
599  store_be(x0, out + (0 * sizeof(T)));
600  store_be(x1, out + (1 * sizeof(T)));
601  store_be(x2, out + (2 * sizeof(T)));
602  store_be(x3, out + (3 * sizeof(T)));
603  }
fe T
Definition: ge.cpp:37
void store_be(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:644
template<typename T >
void Botan::store_be ( uint8_t  out[],
T  x0,
T  x1,
T  x2,
T  x3,
T  x4,
T  x5,
T  x6,
T  x7 
)
inline

Store eight big-endian words

Parameters
outthe output byte array
x0the first word
x1the second word
x2the third word
x3the fourth word
x4the fifth word
x5the sixth word
x6the seventh word
x7the eighth word

Definition at line 644 of file loadstor.h.

References store_be(), and T.

646  {
647  store_be(x0, out + (0 * sizeof(T)));
648  store_be(x1, out + (1 * sizeof(T)));
649  store_be(x2, out + (2 * sizeof(T)));
650  store_be(x3, out + (3 * sizeof(T)));
651  store_be(x4, out + (4 * sizeof(T)));
652  store_be(x5, out + (5 * sizeof(T)));
653  store_be(x6, out + (6 * sizeof(T)));
654  store_be(x7, out + (7 * sizeof(T)));
655  }
fe T
Definition: ge.cpp:37
void store_be(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:644
void Botan::store_le ( uint16_t  in,
uint8_t  out[2] 
)
inline
void Botan::store_le ( uint32_t  in,
uint8_t  out[4] 
)
inline

Store a little-endian uint32_t

Parameters
inthe input uint32_t
outthe byte array to write to

Definition at line 488 of file loadstor.h.

References get_byte(), and typecast_copy().

489  {
490 #if defined(BOTAN_ENDIAN_L2N)
491  uint32_t o = BOTAN_ENDIAN_L2N(in);
492  typecast_copy(out, o);
493 #else
494  out[0] = get_byte(3, in);
495  out[1] = get_byte(2, in);
496  out[2] = get_byte(1, in);
497  out[3] = get_byte(0, in);
498 #endif
499  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
void Botan::store_le ( uint64_t  in,
uint8_t  out[8] 
)
inline

Store a little-endian uint64_t

Parameters
inthe input uint64_t
outthe byte array to write to

Definition at line 528 of file loadstor.h.

References get_byte(), and typecast_copy().

529  {
530 #if defined(BOTAN_ENDIAN_L2N)
531  uint64_t o = BOTAN_ENDIAN_L2N(in);
532  typecast_copy(out, o);
533 #else
534  out[0] = get_byte(7, in);
535  out[1] = get_byte(6, in);
536  out[2] = get_byte(5, in);
537  out[3] = get_byte(4, in);
538  out[4] = get_byte(3, in);
539  out[5] = get_byte(2, in);
540  out[6] = get_byte(1, in);
541  out[7] = get_byte(0, in);
542 #endif
543  }
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
void typecast_copy(uint8_t out[], T in[], size_t N)
Definition: mem_ops.h:145
template<typename T >
void Botan::store_le ( uint8_t  out[],
T  x0,
T  x1 
)
inline

Store two little-endian words

Parameters
outthe output byte array
x0the first word
x1the second word

Definition at line 552 of file loadstor.h.

References store_le(), and T.

553  {
554  store_le(x0, out + (0 * sizeof(T)));
555  store_le(x1, out + (1 * sizeof(T)));
556  }
void store_le(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:618
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::store_le ( uint8_t  out[],
T  x0,
T  x1,
T  x2,
T  x3 
)
inline

Store four little-endian words

Parameters
outthe output byte array
x0the first word
x1the second word
x2the third word
x3the fourth word

Definition at line 580 of file loadstor.h.

References store_le(), and T.

581  {
582  store_le(x0, out + (0 * sizeof(T)));
583  store_le(x1, out + (1 * sizeof(T)));
584  store_le(x2, out + (2 * sizeof(T)));
585  store_le(x3, out + (3 * sizeof(T)));
586  }
void store_le(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:618
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::store_le ( uint8_t  out[],
T  x0,
T  x1,
T  x2,
T  x3,
T  x4,
T  x5,
T  x6,
T  x7 
)
inline

Store eight little-endian words

Parameters
outthe output byte array
x0the first word
x1the second word
x2the third word
x3the fourth word
x4the fifth word
x5the sixth word
x6the seventh word
x7the eighth word

Definition at line 618 of file loadstor.h.

References store_le(), and T.

620  {
621  store_le(x0, out + (0 * sizeof(T)));
622  store_le(x1, out + (1 * sizeof(T)));
623  store_le(x2, out + (2 * sizeof(T)));
624  store_le(x3, out + (3 * sizeof(T)));
625  store_le(x4, out + (4 * sizeof(T)));
626  store_le(x5, out + (5 * sizeof(T)));
627  store_le(x6, out + (6 * sizeof(T)));
628  store_le(x7, out + (7 * sizeof(T)));
629  }
void store_le(uint8_t out[], T x0, T x1, T x2, T x3, T x4, T x5, T x6, T x7)
Definition: loadstor.h:618
fe T
Definition: ge.cpp:37
std::string Botan::string_join ( const std::vector< std::string > &  strs,
char  delim 
)

Join a string

Parameters
strsstrings to join
delimthe delimitor
Returns
string joined by delim

Definition at line 182 of file parsing.cpp.

Referenced by Botan::Parallel::name(), and Botan::CPUID::to_string().

183  {
184  std::string out = "";
185 
186  for(size_t i = 0; i != strs.size(); ++i)
187  {
188  if(i != 0)
189  out += delim;
190  out += strs[i];
191  }
192 
193  return out;
194  }
uint32_t Botan::string_to_ipv4 ( const std::string &  ip_str)

Convert a string representation of an IPv4 address to a number

Parameters
ip_strthe string representation
Returns
integer IPv4 address

Definition at line 253 of file parsing.cpp.

References split_on(), and to_u32bit().

254  {
255  std::vector<std::string> parts = split_on(str, '.');
256 
257  if(parts.size() != 4)
258  throw Decoding_Error("Invalid IP string " + str);
259 
260  uint32_t ip = 0;
261 
262  for(auto part = parts.begin(); part != parts.end(); ++part)
263  {
264  uint32_t octet = to_u32bit(*part);
265 
266  if(octet > 255)
267  throw Decoding_Error("Invalid IP string " + str);
268 
269  ip = (ip << 8) | (octet & 0xFF);
270  }
271 
272  return ip;
273  }
std::vector< std::string > split_on(const std::string &str, char delim)
Definition: parsing.cpp:148
uint32_t to_u32bit(const std::string &str)
Definition: parsing.cpp:35
BigInt Botan::sub_mul ( const BigInt a,
const BigInt b,
const BigInt c 
)

Fused subtract-multiply

Parameters
aan integer
ban integer
can integer
Returns
(a-b)*c

Definition at line 59 of file mp_numth.cpp.

References Botan::BigInt::is_negative().

60  {
61  if(a.is_negative() || b.is_negative())
62  throw Invalid_Argument("sub_mul: First two arguments must be >= 0");
63 
64  BigInt r = a;
65  r -= b;
66  r *= c;
67  return r;
68  }
template<typename T >
void Botan::swap_bits ( T x,
T y,
T  mask,
size_t  shift 
)
inline

Definition at line 162 of file bit_ops.h.

References T.

163  {
164  const T swap = ((x >> shift) ^ y) & mask;
165  x ^= swap << shift;
166  y ^= swap;
167  }
fe T
Definition: ge.cpp:37
std::vector< polyn_gf2m > Botan::syndrome_init ( polyn_gf2m const &  generator,
std::vector< gf2m > const &  support,
int  n 
)

Definition at line 721 of file polyn_gf2m.cpp.

References Botan::polyn_gf2m::get_degree(), lex_to_gray(), and Botan::polyn_gf2m::m_sp_field.

Referenced by generate_mceliece_key().

722  {
723  int i,j,t;
724  gf2m a;
725 
726 
727  std::shared_ptr<GF2m_Field> m_sp_field = generator.m_sp_field;
728 
729  std::vector<polyn_gf2m> result;
730  t = generator.get_degree();
731 
732  //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
733  //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
734 
735  for(j=0;j<n;j++)
736  {
737  result.push_back(polyn_gf2m( t-1, m_sp_field));
738 
739  (*&result[j]).set_coef(t-1,1);
740  for(i=t-2;i>=0;i--)
741  {
742  (*&result[j]).set_coef(i, (generator)[i+1] ^
743  m_sp_field->gf_mul(lex_to_gray(support[j]),result[j][i+1]));
744  }
745  a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]),result[j][0]));
746  for(i=0;i<t;i++)
747  {
748  (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i],a));
749  }
750  }
751  return result;
752  }
gf2m lex_to_gray(gf2m lex)
uint16_t gf2m
Definition: gf2m_small_m.h:22
RandomNumberGenerator & Botan::system_rng ( )

Return a shared reference to a global PRNG instance provided by the operating system. For instance might be instantiated by /dev/urandom or CryptGenRandom.

Definition at line 283 of file system_rng.cpp.

Referenced by Botan::System_RNG::accepts_input(), Botan::System_RNG::add_entropy(), botan_pk_op_decrypt_create(), botan_pk_op_encrypt_create(), botan_pk_op_key_agreement_create(), botan_pk_op_sign_create(), botan_rng_reseed(), Botan::System_RNG::clear(), Botan::System_RNG::is_seeded(), Botan::System_RNG::name(), Botan::Sodium::randombytes_buf(), Botan::System_RNG::randomize(), and Botan::Stateful_RNG::randomize_with_ts_input().

284  {
285  static System_RNG_Impl g_system_rng;
286  return g_system_rng;
287  }
BOTAN_NORETURN void BOTAN_UNSTABLE_API Botan::throw_invalid_argument ( const char *  message,
const char *  func,
const char *  file 
)

Called when an invalid argument is used Throws Invalid_Argument

Definition at line 13 of file assert.cpp.

16  {
17  std::ostringstream format;
18  format << message << " in " << func << ":" << file;
19  throw Invalid_Argument(format.str());
20  }
BOTAN_NORETURN void BOTAN_UNSTABLE_API Botan::throw_invalid_state ( const char *  message,
const char *  func,
const char *  file 
)

Called when an invalid state is encountered Throws Invalid_State

Definition at line 22 of file assert.cpp.

25  {
26  std::ostringstream format;
27  format << "Invalid state: " << expr << " was false in " << func << ":" << file;
28  throw Invalid_State(format.str());
29  }
uint32_t Botan::timespec_to_u32bit ( const std::string &  timespec)

Convert a time specification to a number

Parameters
timespecthe time specification
Returns
number of seconds represented by timespec

Definition at line 64 of file parsing.cpp.

References Botan::Charset::is_digit(), and to_u32bit().

65  {
66  if(timespec.empty())
67  return 0;
68 
69  const char suffix = timespec[timespec.size()-1];
70  std::string value = timespec.substr(0, timespec.size()-1);
71 
72  uint32_t scale = 1;
73 
74  if(Charset::is_digit(suffix))
75  value += suffix;
76  else if(suffix == 's')
77  scale = 1;
78  else if(suffix == 'm')
79  scale = 60;
80  else if(suffix == 'h')
81  scale = 60 * 60;
82  else if(suffix == 'd')
83  scale = 24 * 60 * 60;
84  else if(suffix == 'y')
85  scale = 365 * 24 * 60 * 60;
86  else
87  throw Decoding_Error("timespec_to_u32bit: Bad input " + timespec);
88 
89  return scale * to_u32bit(value);
90  }
uint32_t to_u32bit(const std::string &str)
Definition: parsing.cpp:35
bool is_digit(char c)
Definition: charset.cpp:210
std::vector<uint8_t> Botan::to_byte_vector ( const std::string &  s)
inline

Definition at line 20 of file stl_util.h.

Referenced by Botan::TLS::Channel::key_material_export().

21  {
22  return std::vector<uint8_t>(s.cbegin(), s.cend());
23  }
std::string Botan::to_string ( ErrorType  type)

Convert an ErrorType to string.

Definition at line 11 of file exceptn.cpp.

References Bzip2Error, CommonCryptoError, DatabaseError, DecodingFailure, EncodingFailure, HttpError, InternalError, InvalidArgument, InvalidKeyLength, InvalidNonceLength, InvalidObjectState, InvalidTag, IoError, KeyNotSet, LookupError, LzmaError, NotImplemented, OpenSSLError, OutOfMemory, Pkcs11Error, RoughtimeError, SystemError, TLSError, TPMError, Unknown, and ZlibError.

Referenced by Botan::OctetString::as_string(), Botan::OID::as_string(), botan_x509_cert_validation_status(), Botan::BotanErrorCategory::message(), and Botan::Path_Validation_Result::status_string().

12  {
13  switch(type)
14  {
15  case ErrorType::Unknown:
16  return "Unknown";
17  case ErrorType::SystemError:
18  return "SystemError";
19  case ErrorType::NotImplemented:
20  return "NotImplemented";
21  case ErrorType::OutOfMemory:
22  return "OutOfMemory";
23  case ErrorType::InternalError:
24  return "InternalError";
25  case ErrorType::IoError:
26  return "IoError";
27  case ErrorType::InvalidObjectState :
28  return "InvalidObjectState";
29  case ErrorType::KeyNotSet:
30  return "KeyNotSet";
31  case ErrorType::InvalidArgument:
32  return "InvalidArgument";
33  case ErrorType::InvalidKeyLength:
34  return "InvalidKeyLength";
35  case ErrorType::InvalidNonceLength:
36  return "InvalidNonceLength";
37  case ErrorType::LookupError:
38  return "LookupError";
39  case ErrorType::EncodingFailure:
40  return "EncodingFailure";
41  case ErrorType::DecodingFailure:
42  return "DecodingFailure";
43  case ErrorType::TLSError:
44  return "TLSError";
45  case ErrorType::HttpError:
46  return "HttpError";
47  case ErrorType::InvalidTag:
48  return "InvalidTag";
49  case ErrorType::RoughtimeError:
50  return "RoughtimeError";
51  case ErrorType::OpenSSLError :
52  return "OpenSSLError";
53  case ErrorType::CommonCryptoError:
54  return "CommonCryptoError";
55  case ErrorType::Pkcs11Error:
56  return "Pkcs11Error";
57  case ErrorType::TPMError:
58  return "TPMError";
59  case ErrorType::DatabaseError:
60  return "DatabaseError";
61  case ErrorType::ZlibError :
62  return "ZlibError";
63  case ErrorType::Bzip2Error:
64  return "Bzip2Error" ;
65  case ErrorType::LzmaError:
66  return "LzmaError";
67  }
68 
69  // No default case in above switch so compiler warns
70  return "Unrecognized Botan error";
71  }
MechanismType type
const char * Botan::to_string ( Certificate_Status_Code  code)

Convert a status code to a human readable diagnostic message

Parameters
codethe certifcate status
Returns
string literal constant, or nullptr if code unknown

Definition at line 11 of file cert_status.cpp.

References CA_CERT_NOT_FOR_CERT_ISSUER, CA_CERT_NOT_FOR_CRL_ISSUER, CANNOT_ESTABLISH_TRUST, CERT_CHAIN_LOOP, CERT_CHAIN_TOO_LONG, CERT_HAS_EXPIRED, CERT_IS_REVOKED, CERT_ISSUER_NOT_FOUND, CERT_NAME_NOMATCH, CERT_NOT_YET_VALID, CERT_PUBKEY_INVALID, CERT_SERIAL_NEGATIVE, CHAIN_LACKS_TRUST_ROOT, CHAIN_NAME_MISMATCH, CRL_BAD_SIGNATURE, CRL_HAS_EXPIRED, CRL_NOT_YET_VALID, DN_TOO_LONG, DUPLICATE_CERT_EXTENSION, DUPLICATE_CERT_POLICY, EXT_IN_V1_V2_CERT, INVALID_USAGE, NAME_CONSTRAINT_ERROR, NO_MATCHING_CRLDP, NO_REVOCATION_DATA, OCSP_BAD_STATUS, OCSP_CERT_NOT_LISTED, OCSP_HAS_EXPIRED, OCSP_IS_TOO_OLD, OCSP_ISSUER_NOT_FOUND, OCSP_NO_HTTP, OCSP_NO_REVOCATION_URL, OCSP_NOT_YET_VALID, OCSP_RESPONSE_GOOD, OCSP_RESPONSE_INVALID, OCSP_RESPONSE_MISSING_KEYUSAGE, OCSP_SERVER_NOT_AVAILABLE, OCSP_SIGNATURE_ERROR, OCSP_SIGNATURE_OK, POLICY_ERROR, SIGNATURE_ALGO_BAD_PARAMS, SIGNATURE_ALGO_UNKNOWN, SIGNATURE_ERROR, SIGNATURE_METHOD_TOO_WEAK, UNKNOWN_CRITICAL_EXTENSION, UNTRUSTED_HASH, V2_IDENTIFIERS_IN_V1_CERT, VALID_CRL_CHECKED, and VERIFIED.

12  {
13  switch(code)
14  {
15  case Certificate_Status_Code::VERIFIED:
16  return "Verified";
17  case Certificate_Status_Code::OCSP_RESPONSE_GOOD:
18  return "OCSP response accepted as affirming unrevoked status for certificate";
19  case Certificate_Status_Code::OCSP_SIGNATURE_OK:
20  return "Signature on OCSP response was found valid";
21  case Certificate_Status_Code::VALID_CRL_CHECKED:
22  return "Valid CRL examined";
23 
24  case Certificate_Status_Code::CERT_SERIAL_NEGATIVE:
25  return "Certificate serial number is negative";
26  case Certificate_Status_Code::DN_TOO_LONG:
27  return "Distinguished name too long";
28  case Certificate_Status_Code::OCSP_NO_REVOCATION_URL:
29  return "OCSP URL not available";
30  case Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE:
31  return "OCSP server not available";
32 
33  case Certificate_Status_Code::NO_REVOCATION_DATA:
34  return "No revocation data";
35  case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK:
36  return "Signature method too weak";
37  case Certificate_Status_Code::UNTRUSTED_HASH:
38  return "Hash function used is considered too weak for security";
39 
40  case Certificate_Status_Code::CERT_NOT_YET_VALID:
41  return "Certificate is not yet valid";
42  case Certificate_Status_Code::CERT_HAS_EXPIRED:
43  return "Certificate has expired";
44  case Certificate_Status_Code::OCSP_NOT_YET_VALID:
45  return "OCSP is not yet valid";
46  case Certificate_Status_Code::OCSP_HAS_EXPIRED:
47  return "OCSP response has expired";
48  case Certificate_Status_Code::OCSP_IS_TOO_OLD:
49  return "OCSP response is too old";
50  case Certificate_Status_Code::CRL_NOT_YET_VALID:
51  return "CRL response is not yet valid";
52  case Certificate_Status_Code::CRL_HAS_EXPIRED:
53  return "CRL has expired";
54 
55  case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND:
56  return "Certificate issuer not found";
57  case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST:
58  return "Cannot establish trust";
59  case Certificate_Status_Code::CERT_CHAIN_LOOP:
60  return "Loop in certificate chain";
61  case Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT:
62  return "Certificate chain does not end in a CA certificate";
63  case Certificate_Status_Code::CHAIN_NAME_MISMATCH:
64  return "Certificate issuer does not match subject of issuing cert";
65 
66  case Certificate_Status_Code::POLICY_ERROR:
67  return "Certificate policy error";
68  case Certificate_Status_Code::DUPLICATE_CERT_POLICY:
69  return "Certificate contains duplicate policy";
70  case Certificate_Status_Code::INVALID_USAGE:
71  return "Certificate does not allow the requested usage";
72  case Certificate_Status_Code::CERT_CHAIN_TOO_LONG:
73  return "Certificate chain too long";
74  case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER:
75  return "CA certificate not allowed to issue certs";
76  case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER:
77  return "CA certificate not allowed to issue CRLs";
78  case Certificate_Status_Code::NO_MATCHING_CRLDP:
79  return "No CRL with matching distribution point for certificate";
80  case Certificate_Status_Code::OCSP_CERT_NOT_LISTED:
81  return "OCSP cert not listed";
82  case Certificate_Status_Code::OCSP_BAD_STATUS:
83  return "OCSP bad status";
84  case Certificate_Status_Code::CERT_NAME_NOMATCH:
85  return "Certificate does not match provided name";
86  case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
87  return "Certificate does not pass name constraint";
88  case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
89  return "Unknown critical extension encountered";
90  case Certificate_Status_Code::DUPLICATE_CERT_EXTENSION:
91  return "Duplicate certificate extension encountered";
92  case Certificate_Status_Code::EXT_IN_V1_V2_CERT:
93  return "Encountered extension in certificate with version that does not allow it";
94  case Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT:
95  return "Encountered v2 identifiers in v1 certificate";
96  case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
97  return "OCSP signature error";
98  case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
99  return "Unable to find certificate issusing OCSP response";
100  case Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE:
101  return "OCSP issuer's keyusage prohibits OCSP";
102  case Certificate_Status_Code::OCSP_RESPONSE_INVALID:
103  return "OCSP parsing valid";
104  case Certificate_Status_Code::OCSP_NO_HTTP:
105  return "OCSP requests not available, no HTTP support compiled in";
106  case Certificate_Status_Code::CERT_IS_REVOKED:
107  return "Certificate is revoked";
108  case Certificate_Status_Code::CRL_BAD_SIGNATURE:
109  return "CRL bad signature";
110  case Certificate_Status_Code::SIGNATURE_ERROR:
111  return "Signature error";
112  case Certificate_Status_Code::CERT_PUBKEY_INVALID:
113  return "Certificate public key invalid";
114  case Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN:
115  return "Certificate signed with unknown/unavailable algorithm";
116  case Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS:
117  return "Certificate signature has invalid parameters";
118 
119  // intentionally no default so we are warned if new enum values are added
120  }
121 
122  return nullptr;
123  }
std::string Botan::to_string ( const secure_vector< uint8_t > &  bytes)
inline

Definition at line 25 of file stl_util.h.

26  {
27  return std::string(bytes.cbegin(), bytes.cend());
28  }
uint32_t Botan::to_u32bit ( const std::string &  str)

Convert a string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 35 of file parsing.cpp.

Referenced by Botan::SCAN_Name::arg_as_integer(), argon2_check_pwhash(), create_private_key(), Botan::Data_Store::get1_uint32(), Botan::TLS::Text_Policy::get_len(), Botan::HTTP::http_sync(), string_to_ipv4(), timespec_to_u32bit(), and to_uint16().

36  {
37  // std::stoul is not strict enough. Ensure that str is digit only [0-9]*
38  for(const char chr : str)
39  {
40  if(chr < '0' || chr > '9')
41  {
42  std::string chrAsString(1, chr);
43  throw Invalid_Argument("String contains non-digit char: " + chrAsString);
44  }
45  }
46 
47  const unsigned long int x = std::stoul(str);
48 
49  if(sizeof(unsigned long int) > 4)
50  {
51  // x might be uint64
52  if (x > std::numeric_limits<uint32_t>::max())
53  {
54  throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range");
55  }
56  }
57 
58  return static_cast<uint32_t>(x);
59  }
uint16_t Botan::to_uint16 ( const std::string &  str)

Convert a string to a number

Parameters
strthe string to convert
Returns
number value of the string

Definition at line 25 of file parsing.cpp.

References to_u32bit().

Referenced by check_bcrypt(), and Botan::TLS::Text_Policy::srtp_profiles().

26  {
27  const uint32_t x = to_u32bit(str);
28 
29  if(x >> 16)
30  throw Invalid_Argument("Integer value exceeds 16 bit range");
31 
32  return static_cast<uint16_t>(x);
33  }
uint32_t to_u32bit(const std::string &str)
Definition: parsing.cpp:35
std::string Botan::tolower_string ( const std::string &  in)

Definition at line 327 of file parsing.cpp.

Referenced by host_wildcard_match().

328  {
329  std::string s = in;
330  for(size_t i = 0; i != s.size(); ++i)
331  {
332  const int cu = static_cast<unsigned char>(s[i]);
333  if(std::isalpha(cu))
334  s[i] = static_cast<char>(std::tolower(cu));
335  }
336  return s;
337  }
template<typename T >
void Botan::typecast_copy ( uint8_t  out[],
T  in[],
size_t  N 
)
inline

Definition at line 145 of file mem_ops.h.

References BOTAN_IS_TRIVIALLY_COPYABLE, and T.

Referenced by Botan::Roughtime::Response::from_bits(), load_be(), load_be< uint16_t >(), load_be< uint32_t >(), load_be< uint64_t >(), load_le(), load_le< uint16_t >(), load_le< uint32_t >(), load_le< uint64_t >(), store_be(), store_le(), typecast_copy(), and xor_buf().

146  {
147  static_assert(BOTAN_IS_TRIVIALLY_COPYABLE(T), "");
148  std::memcpy(out, in, sizeof(T)*N);
149  }
#define BOTAN_IS_TRIVIALLY_COPYABLE(T)
Definition: mem_ops.h:124
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::typecast_copy ( T  out[],
const uint8_t  in[],
size_t  N 
)
inline

Definition at line 151 of file mem_ops.h.

References T.

152  {
153  static_assert(std::is_trivial<T>::value, "");
154  std::memcpy(out, in, sizeof(T)*N);
155  }
fe T
Definition: ge.cpp:37
template<typename T >
void Botan::typecast_copy ( uint8_t  out[],
T  in 
)
inline

Definition at line 157 of file mem_ops.h.

References typecast_copy().

158  {
159  typecast_copy(out, &in, 1);
160  }
To typecast_copy(const From *src) noexcept
Definition: mem_ops.h:168
template<typename T >
void Botan::typecast_copy ( T out,
const uint8_t  in[] 
)
inline

Definition at line 162 of file mem_ops.h.

References type, and typecast_copy().

163  {
164  static_assert(std::is_trivial<typename std::decay<T>::type>::value, "");
165  typecast_copy(&out, in, 1);
166  }
To typecast_copy(const From *src) noexcept
Definition: mem_ops.h:168
MechanismType type
template<class To , class From >
To Botan::typecast_copy ( const From *  src)
inlinenoexcept

Definition at line 168 of file mem_ops.h.

References BOTAN_IS_TRIVIALLY_COPYABLE.

169  {
170  static_assert(BOTAN_IS_TRIVIALLY_COPYABLE(From) && std::is_trivial<To>::value, "");
171  To dst;
172  std::memcpy(&dst, src, sizeof(To));
173  return dst;
174  }
#define BOTAN_IS_TRIVIALLY_COPYABLE(T)
Definition: mem_ops.h:124
std::string BOTAN_UNSTABLE_API Botan::ucs2_to_utf8 ( const uint8_t  ucs2[],
size_t  len 
)

Convert a sequence of UCS-2 (big endian) characters to a UTF-8 string This is used for ASN.1 BMPString type

Parameters
ucs2the sequence of UCS-2 characters
lenlength of ucs2 in bytes, must be a multiple of 2

Definition at line 61 of file charset.cpp.

References load_be< uint16_t >().

Referenced by Botan::ASN1_String::decode_from().

62  {
63  if(len % 2 != 0)
64  throw Decoding_Error("Invalid length for UCS-2 string");
65 
66  const size_t chars = len / 2;
67 
68  std::string s;
69  for(size_t i = 0; i != chars; ++i)
70  {
71  const uint16_t c = load_be<uint16_t>(ucs2, i);
72  append_utf8_for(s, c);
73  }
74 
75  return s;
76  }
uint16_t load_be< uint16_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:139
std::string BOTAN_UNSTABLE_API Botan::ucs4_to_utf8 ( const uint8_t  ucs4[],
size_t  len 
)

Convert a sequence of UCS-4 (big endian) characters to a UTF-8 string This is used for ASN.1 UniversalString type

Parameters
ucs4the sequence of UCS-4 characters
lenlength of ucs4 in bytes, must be a multiple of 4

Definition at line 78 of file charset.cpp.

References load_be< uint32_t >().

Referenced by Botan::ASN1_String::decode_from().

79  {
80  if(len % 4 != 0)
81  throw Decoding_Error("Invalid length for UCS-4 string");
82 
83  const size_t chars = len / 4;
84 
85  std::string s;
86  for(size_t i = 0; i != chars; ++i)
87  {
88  const uint32_t c = load_be<uint32_t>(ucs4, i);
89  append_utf8_for(s, c);
90  }
91 
92  return s;
93  }
uint32_t load_be< uint32_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:179
template<typename T >
std::vector<T> Botan::unlock ( const secure_vector< T > &  in)
std::string BOTAN_UNSTABLE_API Botan::utf8_to_latin1 ( const std::string &  utf8)

Convert a UTF-8 string to Latin-1 If a character outside the Latin-1 range is encountered, an exception is thrown.

Definition at line 98 of file charset.cpp.

Referenced by Botan::ASN1_String::iso_8859(), and Botan::Charset::transcode().

99  {
100  std::string iso8859;
101 
102  size_t position = 0;
103  while(position != utf8.size())
104  {
105  const uint8_t c1 = static_cast<uint8_t>(utf8[position++]);
106 
107  if(c1 <= 0x7F)
108  {
109  iso8859 += static_cast<char>(c1);
110  }
111  else if(c1 >= 0xC0 && c1 <= 0xC7)
112  {
113  if(position == utf8.size())
114  throw Decoding_Error("UTF-8: sequence truncated");
115 
116  const uint8_t c2 = static_cast<uint8_t>(utf8[position++]);
117  const uint8_t iso_char = ((c1 & 0x07) << 6) | (c2 & 0x3F);
118 
119  if(iso_char <= 0x7F)
120  throw Decoding_Error("UTF-8: sequence longer than needed");
121 
122  iso8859 += static_cast<char>(iso_char);
123  }
124  else
125  throw Decoding_Error("UTF-8: Unicode chars not in Latin1 used");
126  }
127 
128  return iso8859;
129  }
template<typename T >
bool Botan::value_exists ( const std::vector< T > &  vec,
const T val 
)

Existence check for values

Definition at line 86 of file stl_util.h.

Referenced by Botan::TLS::Policy::acceptable_ciphersuite(), Botan::TLS::Policy::allowed_signature_hash(), Botan::TLS::Policy::allowed_signature_method(), Botan::TLS::Policy::choose_key_exchange_group(), Botan::TLS::Policy::ciphersuite_list(), and Botan::TLS::Client_Hello::Client_Hello().

88  {
89  for(size_t i = 0; i != vec.size(); ++i)
90  if(vec[i] == val)
91  return true;
92  return false;
93  }
size_t Botan::var_ctz32 ( uint32_t  n)
inline

Definition at line 139 of file bit_ops.h.

140  {
141 #if defined(BOTAN_BUILD_COMPILER_IS_GCC) || defined(BOTAN_BUILD_COMPILER_IS_CLANG)
142  if(n == 0)
143  return 32;
144  return __builtin_ctz(n);
145 #else
146  return ctz<uint32_t>(n);
147 #endif
148  }
void BOTAN_UNSTABLE_API Botan::vartime_divide ( const BigInt x,
const BigInt y,
BigInt q,
BigInt r 
)

BigInt Division

Parameters
xan integer
ya non-zero integer
qwill be set to x / y
rwill be set to x % y

Definition at line 159 of file divide.cpp.

References bigint_divop(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::grow_to(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), MP_WORD_MAX, Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::reduce_below(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::top_bits_free(), and Botan::BigInt::word_at().

Referenced by botan_mp_div(), operator%(), and operator/().

160  {
161  if(y_arg.is_zero())
162  throw BigInt::DivideByZero();
163 
164  const size_t y_words = y_arg.sig_words();
165 
166  BOTAN_ASSERT_NOMSG(y_words > 0);
167 
168  BigInt y = y_arg;
169 
170  BigInt r = x;
171  BigInt q = 0;
172  secure_vector<word> ws;
173 
174  r.set_sign(BigInt::Positive);
175  y.set_sign(BigInt::Positive);
176 
177  // Calculate shifts needed to normalize y with high bit set
178  const size_t shifts = y.top_bits_free();
179 
180  y <<= shifts;
181  r <<= shifts;
182 
183  // we know y has not changed size, since we only shifted up to set high bit
184  const size_t t = y_words - 1;
185  const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however
186 
187  BOTAN_ASSERT_NOMSG(n >= t);
188 
189  q.grow_to(n - t + 1);
190 
191  word* q_words = q.mutable_data();
192 
193  BigInt shifted_y = y << (BOTAN_MP_WORD_BITS * (n-t));
194 
195  // Set q_{n-t} to number of times r > shifted_y
196  q_words[n-t] = r.reduce_below(shifted_y, ws);
197 
198  const word y_t0 = y.word_at(t);
199  const word y_t1 = y.word_at(t-1);
200  BOTAN_DEBUG_ASSERT((y_t0 >> (BOTAN_MP_WORD_BITS-1)) == 1);
201 
202  for(size_t j = n; j != t; --j)
203  {
204  const word x_j0 = r.word_at(j);
205  const word x_j1 = r.word_at(j-1);
206  const word x_j2 = r.word_at(j-2);
207 
208  word qjt = bigint_divop(x_j0, x_j1, y_t0);
209 
210  qjt = CT::Mask<word>::is_equal(x_j0, y_t0).select(MP_WORD_MAX, qjt);
211 
212  // Per HAC 14.23, this operation is required at most twice
213  qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
214  qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
215  BOTAN_DEBUG_ASSERT(division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2) == false);
216 
217  shifted_y >>= BOTAN_MP_WORD_BITS;
218  // Now shifted_y == y << (BOTAN_MP_WORD_BITS * (j-t-1))
219 
220  // TODO this sequence could be better
221  r -= qjt * shifted_y;
222  qjt -= r.is_negative();
223  r += static_cast<word>(r.is_negative()) * shifted_y;
224 
225  q_words[j-t-1] = qjt;
226  }
227 
228  r >>= shifts;
229 
230  sign_fixup(x, y_arg, q, r);
231 
232  r_out = r;
233  q_out = q;
234  }
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
word bigint_divop(word n1, word n0, word d)
Definition: mp_core.h:721
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:123
const word MP_WORD_MAX
Definition: mp_core.h:22
void Botan::verify_cert_constraints_valid_for_key_type ( const Public_Key pub_key,
Key_Constraints  constraints 
)

Check that key constraints are permitted for a specific public key.

Parameters
pub_keythe public key on which the constraints shall be enforced on
constraintsthe constraints that shall be enforced on the key
Exceptions
Invalid_Argumentif the given constraints are not permitted for this key

Definition at line 70 of file key_constraint.cpp.

References Botan::Public_Key::algo_name(), CRL_SIGN, DATA_ENCIPHERMENT, DECIPHER_ONLY, DIGITAL_SIGNATURE, ENCIPHER_ONLY, KEY_AGREEMENT, KEY_CERT_SIGN, key_constraints_to_string(), KEY_ENCIPHERMENT, name, and NON_REPUDIATION.

Referenced by Botan::X509::create_cert_req(), and Botan::X509::create_self_signed_cert().

72  {
73  const std::string name = pub_key.algo_name();
74 
75  size_t permitted = 0;
76 
77  const bool can_agree = (name == "DH" || name == "ECDH");
78  const bool can_encrypt = (name == "RSA" || name == "ElGamal");
79 
80  const bool can_sign =
81  (name == "RSA" || name == "DSA" ||
82  name == "ECDSA" || name == "ECGDSA" || name == "ECKCDSA" || name == "Ed25519" ||
83  name == "GOST-34.10" || name == "GOST-34.10-2012-256" || name == "GOST-34.10-2012-512");
84 
85  if(can_agree)
86  {
87  permitted |= KEY_AGREEMENT | ENCIPHER_ONLY | DECIPHER_ONLY;
88  }
89 
90  if(can_encrypt)
91  {
92  permitted |= KEY_ENCIPHERMENT | DATA_ENCIPHERMENT;
93  }
94 
95  if(can_sign)
96  {
98  }
99 
100  if(Key_Constraints(constraints & permitted) != constraints)
101  {
102  throw Invalid_Argument("Invalid " + name + " constraints " + key_constraints_to_string(constraints));
103  }
104  }
Definition: ffi.h:1572
std::string name
std::string key_constraints_to_string(Key_Constraints constraints)
Key_Constraints
Definition: pkix_enums.h:106
bool Botan::verify_prime ( const BigInt n,
RandomNumberGenerator rng 
)
inline

Definition at line 206 of file numthry.h.

References is_prime().

207  { return is_prime(n, rng, 80); }
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition: numthry.cpp:228
const char * Botan::version_cstr ( )

Same as version_string() except returning a pointer to a statically allocated string.

Returns
version string

Definition at line 33 of file version.cpp.

References STR.

Referenced by botan_version_string(), and version_string().

34  {
35 
36  /*
37  It is intentional that this string is a compile-time constant;
38  it makes it much easier to find in binaries.
39  */
40 
41  return "Botan " STR(BOTAN_VERSION_MAJOR) "."
42  STR(BOTAN_VERSION_MINOR) "."
43  STR(BOTAN_VERSION_PATCH)
44 #if defined(BOTAN_VERSION_SUFFIX)
45  STR(BOTAN_VERSION_SUFFIX)
46 #endif
47  " ("
48 #if defined(BOTAN_UNSAFE_FUZZER_MODE)
49  "UNSAFE FUZZER MODE BUILD "
50 #endif
51  BOTAN_VERSION_RELEASE_TYPE
52 #if (BOTAN_VERSION_DATESTAMP != 0)
53  ", dated " STR(BOTAN_VERSION_DATESTAMP)
54 #endif
55  ", revision " BOTAN_VERSION_VC_REVISION
56  ", distribution " BOTAN_DISTRIBUTION_INFO ")";
57  }
#define STR(macro)
Definition: version.cpp:20
uint32_t Botan::version_datestamp ( )

Return the date this version of botan was released, in an integer of the form YYYYMMDD. For instance a version released on May 21, 2013 would return the integer 20130521. If the currently running version is not an official release, this function will return 0 instead.

Returns
release date, or zero if unreleased

Definition at line 75 of file version.cpp.

Referenced by botan_version_datestamp().

75 { return BOTAN_VERSION_DATESTAMP; }
uint32_t Botan::version_major ( )

Get the major version number.

Returns
major version number

Definition at line 80 of file version.cpp.

Referenced by botan_version_major(), and runtime_version_check().

80 { return BOTAN_VERSION_MAJOR; }
uint32_t Botan::version_minor ( )

Get the minor version number.

Returns
minor version number

Definition at line 81 of file version.cpp.

Referenced by botan_version_minor(), and runtime_version_check().

81 { return BOTAN_VERSION_MINOR; }
uint32_t Botan::version_patch ( )

Get the patch number.

Returns
patch number

Definition at line 82 of file version.cpp.

Referenced by botan_version_patch(), and runtime_version_check().

82 { return BOTAN_VERSION_PATCH; }
std::string Botan::version_string ( )

Get a human-readable string identifying the version of Botan. No particular format should be assumed.

Returns
version string

Definition at line 65 of file version.cpp.

References version_cstr().

66  {
67  return std::string(version_cstr());
68  }
const char * version_cstr()
Definition: version.cpp:33
Botan::while ( blocks >=  4)

Definition at line 65 of file sm4_armv8.cpp.

References SM4_E.

66  {
67  uint32x4_t B0 = bswap_32(vld1q_u32(input32));
68  uint32x4_t B1 = bswap_32(vld1q_u32(input32+4));
69  uint32x4_t B2 = bswap_32(vld1q_u32(input32+8));
70  uint32x4_t B3 = bswap_32(vld1q_u32(input32+12));
71 
72  SM4_E(B0, B1, B2, B3, K0);
73  SM4_E(B0, B1, B2, B3, K1);
74  SM4_E(B0, B1, B2, B3, K2);
75  SM4_E(B0, B1, B2, B3, K3);
76  SM4_E(B0, B1, B2, B3, K4);
77  SM4_E(B0, B1, B2, B3, K5);
78  SM4_E(B0, B1, B2, B3, K6);
79  SM4_E(B0, B1, B2, B3, K7);
80 
81  vst1q_u32(output32 , bqswap_32(B0));
82  vst1q_u32(output32+ 4, bqswap_32(B1));
83  vst1q_u32(output32+ 8, bqswap_32(B2));
84  vst1q_u32(output32+12, bqswap_32(B3));
85 
86  input32 += 4*4;
87  output32 += 4*4;
88  blocks -= 4;
89  }
void BOTAN_FUNC_ISA("arch=armv8.2-a+sm4") SM4 const uint32x4_t K1
Definition: sm4_armv8.cpp:54
const uint32x4_t K5
Definition: sm4_armv8.cpp:58
uint32_t * output32
Definition: sm4_armv8.cpp:63
const uint32_t * input32
Definition: sm4_armv8.cpp:62
const uint32x4_t K2
Definition: sm4_armv8.cpp:55
const uint32x4_t K4
Definition: sm4_armv8.cpp:57
const uint32x4_t K3
Definition: sm4_armv8.cpp:56
const uint32x4_t K6
Definition: sm4_armv8.cpp:59
#define SM4_E(B0, B1, B2, B3, K)
Definition: sm4_armv8.cpp:41
const uint32x4_t K7
Definition: sm4_armv8.cpp:60
void Botan::word3_add ( word *  w2,
word *  w1,
word *  w0,
word  x 
)
inline

Definition at line 500 of file mp_asmi.h.

Referenced by bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), and bigint_monty_redc_8().

501  {
502 #if defined(BOTAN_MP_USE_X86_32_ASM)
503  asm(R"(
504  addl %[x],%[w0]
505  adcl $0,%[w1]
506  adcl $0,%[w2]
507  )"
508  : [w0]"=r"(*w0), [w1]"=r"(*w1), [w2]"=r"(*w2)
509  : [x]"r"(x), "0"(*w0), "1"(*w1), "2"(*w2)
510  : "cc");
511 
512 #elif defined(BOTAN_MP_USE_X86_64_ASM)
513 
514  asm(R"(
515  addq %[x],%[w0]
516  adcq $0,%[w1]
517  adcq $0,%[w2]
518  )"
519  : [w0]"=r"(*w0), [w1]"=r"(*w1), [w2]"=r"(*w2)
520  : [x]"r"(x), "0"(*w0), "1"(*w1), "2"(*w2)
521  : "cc");
522 
523 #else
524  *w0 += x;
525  word c1 = (*w0 < x);
526  *w1 += c1;
527  word c2 = (*w1 < c1);
528  *w2 += c2;
529 #endif
530  }
void Botan::word3_muladd ( word *  w2,
word *  w1,
word *  w0,
word  x,
word  y 
)
inline

Definition at line 451 of file mp_asmi.h.

References carry(), and word_madd2().

Referenced by bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), and bigint_monty_redc_8().

452  {
453 #if defined(BOTAN_MP_USE_X86_32_ASM)
454  word z0 = 0, z1 = 0;
455 
456  asm("mull %[y]"
457  : "=a"(z0),"=d"(z1)
458  : "a"(x), [y]"rm"(y)
459  : "cc");
460 
461  asm(R"(
462  addl %[z0],%[w0]
463  adcl %[z1],%[w1]
464  adcl $0,%[w2]
465  )"
466  : [w0]"=r"(*w0), [w1]"=r"(*w1), [w2]"=r"(*w2)
467  : [z0]"r"(z0), [z1]"r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
468  : "cc");
469 
470 #elif defined(BOTAN_MP_USE_X86_64_ASM)
471 
472  word z0 = 0, z1 = 0;
473 
474  asm("mulq %[y]"
475  : "=a"(z0),"=d"(z1)
476  : "a"(x), [y]"rm"(y)
477  : "cc");
478 
479  asm(R"(
480  addq %[z0],%[w0]
481  adcq %[z1],%[w1]
482  adcq $0,%[w2]
483  )"
484  : [w0]"=r"(*w0), [w1]"=r"(*w1), [w2]"=r"(*w2)
485  : [z0]"r"(z0), [z1]"r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
486  : "cc");
487 
488 #else
489  word carry = *w0;
490  *w0 = word_madd2(x, y, &carry);
491  *w1 += carry;
492  *w2 += (*w1 < carry);
493 #endif
494  }
void carry(int64_t &h0, int64_t &h1)
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
void Botan::word3_muladd_2 ( word *  w2,
word *  w1,
word *  w0,
word  x,
word  y 
)
inline

Definition at line 536 of file mp_asmi.h.

References carry(), word_add(), and word_madd2().

Referenced by bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), and bigint_comba_sqr9().

537  {
538 #if defined(BOTAN_MP_USE_X86_32_ASM)
539 
540  word z0 = 0, z1 = 0;
541 
542  asm("mull %[y]"
543  : "=a"(z0),"=d"(z1)
544  : "a"(x), [y]"rm"(y)
545  : "cc");
546 
547  asm(R"(
548  addl %[z0],%[w0]
549  adcl %[z1],%[w1]
550  adcl $0,%[w2]
551 
552  addl %[z0],%[w0]
553  adcl %[z1],%[w1]
554  adcl $0,%[w2]
555  )"
556  : [w0]"=r"(*w0), [w1]"=r"(*w1), [w2]"=r"(*w2)
557  : [z0]"r"(z0), [z1]"r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
558  : "cc");
559 
560 #elif defined(BOTAN_MP_USE_X86_64_ASM)
561 
562  word z0 = 0, z1 = 0;
563 
564  asm("mulq %[y]"
565  : "=a"(z0),"=d"(z1)
566  : "a"(x), [y]"rm"(y)
567  : "cc");
568 
569  asm(R"(
570  addq %[z0],%[w0]
571  adcq %[z1],%[w1]
572  adcq $0,%[w2]
573 
574  addq %[z0],%[w0]
575  adcq %[z1],%[w1]
576  adcq $0,%[w2]
577  )"
578  : [w0]"=r"(*w0), [w1]"=r"(*w1), [w2]"=r"(*w2)
579  : [z0]"r"(z0), [z1]"r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
580  : "cc");
581 
582 #else
583  word carry = 0;
584  x = word_madd2(x, y, &carry);
585  y = carry;
586 
587  word top = (y >> (BOTAN_MP_WORD_BITS-1));
588  y <<= 1;
589  y |= (x >> (BOTAN_MP_WORD_BITS-1));
590  x <<= 1;
591 
592  carry = 0;
593  *w0 = word_add(*w0, x, &carry);
594  *w1 = word_add(*w1, y, &carry);
595  *w2 = word_add(*w2, top, &carry);
596 #endif
597  }
void carry(int64_t &h0, int64_t &h1)
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word Botan::word8_add2 ( word  x[8],
const word  y[8],
word  carry 
)
inline

Definition at line 138 of file mp_asmi.h.

References carry(), and word_add().

Referenced by bigint_add2_nc().

139  {
140 #if defined(BOTAN_MP_USE_X86_32_ASM)
141  asm(
142  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcl"))
143  : [carry]"=r"(carry)
144  : [x]"r"(x), [y]"r"(y), "0"(carry)
145  : "cc", "memory");
146  return carry;
147 
148 #elif defined(BOTAN_MP_USE_X86_64_ASM)
149 
150  asm(
151  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq"))
152  : [carry]"=r"(carry)
153  : [x]"r"(x), [y]"r"(y), "0"(carry)
154  : "cc", "memory");
155  return carry;
156 
157 #else
158  x[0] = word_add(x[0], y[0], &carry);
159  x[1] = word_add(x[1], y[1], &carry);
160  x[2] = word_add(x[2], y[2], &carry);
161  x[3] = word_add(x[3], y[3], &carry);
162  x[4] = word_add(x[4], y[4], &carry);
163  x[5] = word_add(x[5], y[5], &carry);
164  x[6] = word_add(x[6], y[6], &carry);
165  x[7] = word_add(x[7], y[7], &carry);
166  return carry;
167 #endif
168  }
void carry(int64_t &h0, int64_t &h1)
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word Botan::word8_add3 ( word  z[8],
const word  x[8],
const word  y[8],
word  carry 
)
inline

Definition at line 173 of file mp_asmi.h.

References carry(), and word_add().

Referenced by bigint_add3_nc(), bigint_cnd_add(), bigint_cnd_add_or_sub(), and bigint_cnd_addsub().

175  {
176 #if defined(BOTAN_MP_USE_X86_32_ASM)
177  asm(
178  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcl"))
179  : [carry]"=r"(carry)
180  : [x]"r"(x), [y]"r"(y), [z]"r"(z), "0"(carry)
181  : "cc", "memory");
182  return carry;
183 
184 #elif defined(BOTAN_MP_USE_X86_64_ASM)
185 
186  asm(
187  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq"))
188  : [carry]"=r"(carry)
189  : [x]"r"(x), [y]"r"(y), [z]"r"(z), "0"(carry)
190  : "cc", "memory");
191  return carry;
192 
193 #else
194  z[0] = word_add(x[0], y[0], &carry);
195  z[1] = word_add(x[1], y[1], &carry);
196  z[2] = word_add(x[2], y[2], &carry);
197  z[3] = word_add(x[3], y[3], &carry);
198  z[4] = word_add(x[4], y[4], &carry);
199  z[5] = word_add(x[5], y[5], &carry);
200  z[6] = word_add(x[6], y[6], &carry);
201  z[7] = word_add(x[7], y[7], &carry);
202  return carry;
203 #endif
204  }
void carry(int64_t &h0, int64_t &h1)
word word_add(word x, word y, word *carry)
Definition: mp_asmi.h:107
word Botan::word8_linmul2 ( word  x[8],
word  y,
word  carry 
)
inline

Definition at line 346 of file mp_asmi.h.

References carry(), and word_madd2().

Referenced by bigint_linmul2().

347  {
348 #if defined(BOTAN_MP_USE_X86_32_ASM)
349  asm(
350  DO_8_TIMES(LINMUL_OP, "x")
351  : [carry]"=r"(carry)
352  : [x]"r"(x), [y]"rm"(y), "0"(carry)
353  : "cc", "%eax", "%edx");
354  return carry;
355 
356 #elif defined(BOTAN_MP_USE_X86_64_ASM)
357 
358  asm(
359  DO_8_TIMES(LINMUL_OP, "x")
360  : [carry]"=r"(carry)
361  : [x]"r"(x), [y]"rm"(y), "0"(carry)
362  : "cc", "%rax", "%rdx");
363  return carry;
364 
365 #else
366  x[0] = word_madd2(x[0], y, &carry);
367  x[1] = word_madd2(x[1], y, &carry);
368  x[2] = word_madd2(x[2], y, &carry);
369  x[3] = word_madd2(x[3], y, &carry);
370  x[4] = word_madd2(x[4], y, &carry);
371  x[5] = word_madd2(x[5], y, &carry);
372  x[6] = word_madd2(x[6], y, &carry);
373  x[7] = word_madd2(x[7], y, &carry);
374  return carry;
375 #endif
376  }
void carry(int64_t &h0, int64_t &h1)
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
word Botan::word8_linmul3 ( word  z[8],
const word  x[8],
word  y,
word  carry 
)
inline

Definition at line 381 of file mp_asmi.h.

References carry(), and word_madd2().

Referenced by bigint_linmul3().

382  {
383 #if defined(BOTAN_MP_USE_X86_32_ASM)
384  asm(
385  DO_8_TIMES(LINMUL_OP, "z")
386  : [carry]"=r"(carry)
387  : [z]"r"(z), [x]"r"(x), [y]"rm"(y), "0"(carry)
388  : "cc", "%eax", "%edx");
389  return carry;
390 
391 #elif defined(BOTAN_MP_USE_X86_64_ASM)
392  asm(
393  DO_8_TIMES(LINMUL_OP, "z")
394  : [carry]"=r"(carry)
395  : [z]"r"(z), [x]"r"(x), [y]"rm"(y), "0"(carry)
396  : "cc", "%rax", "%rdx");
397  return carry;
398 
399 #else
400  z[0] = word_madd2(x[0], y, &carry);
401  z[1] = word_madd2(x[1], y, &carry);
402  z[2] = word_madd2(x[2], y, &carry);
403  z[3] = word_madd2(x[3], y, &carry);
404  z[4] = word_madd2(x[4], y, &carry);
405  z[5] = word_madd2(x[5], y, &carry);
406  z[6] = word_madd2(x[6], y, &carry);
407  z[7] = word_madd2(x[7], y, &carry);
408  return carry;
409 #endif
410  }
void carry(int64_t &h0, int64_t &h1)
word word_madd2(word a, word b, word *c)
Definition: mp_madd.h:46
word Botan::word8_madd3 ( word  z[8],
const word  x[8],
word  y,
word  carry 
)
inline

Definition at line 415 of file mp_asmi.h.

References carry(), and word_madd3().

416  {
417 #if defined(BOTAN_MP_USE_X86_32_ASM)
418  asm(
419  DO_8_TIMES(MULADD_OP, "")
420  : [carry]"=r"(carry)
421  : [z]"r"(z), [x]"r"(x), [y]"rm"(y), "0"(carry)
422  : "cc", "%eax", "%edx");
423  return carry;
424 
425 #elif defined(BOTAN_MP_USE_X86_64_ASM)
426 
427  asm(
428  DO_8_TIMES(MULADD_OP, "")
429  : [carry]"=r"(carry)
430  : [z]"r"(z), [x]"r"(x), [y]"rm"(y), "0"(carry)
431  : "cc", "%rax", "%rdx");
432  return carry;
433 
434 #else
435  z[0] = word_madd3(x[0], y, z[0], &carry);
436  z[1] = word_madd3(x[1], y, z[1], &carry);
437  z[2] = word_madd3(x[2], y, z[2], &carry);
438  z[3] = word_madd3(x[3], y, z[3], &carry);
439  z[4] = word_madd3(x[4], y, z[4], &carry);
440  z[5] = word_madd3(x[5], y, z[5], &carry);
441  z[6] = word_madd3(x[6], y, z[6], &carry);
442  z[7] = word_madd3(x[7], y, z[7], &carry);
443  return carry;
444 #endif
445  }
void carry(int64_t &h0, int64_t &h1)
word word_madd3(word a, word b, word c, word *d)
Definition: mp_madd.h:92
word Botan::word8_sub2 ( word  x[8],
const word  y[8],
word  carry 
)
inline

Definition at line 240 of file mp_asmi.h.

References carry(), and word_sub().

Referenced by bigint_sub2().

241  {
242 #if defined(BOTAN_MP_USE_X86_32_ASM)
243  asm(
244  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbl"))
245  : [carry]"=r"(carry)
246  : [x]"r"(x), [y]"r"(y), "0"(carry)
247  : "cc", "memory");
248  return carry;
249 
250 #elif defined(BOTAN_MP_USE_X86_64_ASM)
251 
252  asm(
253  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq"))
254  : [carry]"=r"(carry)
255  : [x]"r"(x), [y]"r"(y), "0"(carry)
256  : "cc", "memory");
257  return carry;
258 
259 #else
260  x[0] = word_sub(x[0], y[0], &carry);
261  x[1] = word_sub(x[1], y[1], &carry);
262  x[2] = word_sub(x[2], y[2], &carry);
263  x[3] = word_sub(x[3], y[3], &carry);
264  x[4] = word_sub(x[4], y[4], &carry);
265  x[5] = word_sub(x[5], y[5], &carry);
266  x[6] = word_sub(x[6], y[6], &carry);
267  x[7] = word_sub(x[7], y[7], &carry);
268  return carry;
269 #endif
270  }
void carry(int64_t &h0, int64_t &h1)
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word Botan::word8_sub2_rev ( word  x[8],
const word  y[8],
word  carry 
)
inline

Definition at line 275 of file mp_asmi.h.

References carry(), and word_sub().

Referenced by bigint_sub2_rev().

276  {
277 #if defined(BOTAN_MP_USE_X86_32_ASM)
278  asm(
279  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbl"))
280  : [carry]"=r"(carry)
281  : [x]"r"(y), [y]"r"(x), [z]"r"(x), "0"(carry)
282  : "cc", "memory");
283  return carry;
284 
285 #elif defined(BOTAN_MP_USE_X86_64_ASM)
286 
287  asm(
288  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
289  : [carry]"=r"(carry)
290  : [x]"r"(y), [y]"r"(x), [z]"r"(x), "0"(carry)
291  : "cc", "memory");
292  return carry;
293 
294 #else
295  x[0] = word_sub(y[0], x[0], &carry);
296  x[1] = word_sub(y[1], x[1], &carry);
297  x[2] = word_sub(y[2], x[2], &carry);
298  x[3] = word_sub(y[3], x[3], &carry);
299  x[4] = word_sub(y[4], x[4], &carry);
300  x[5] = word_sub(y[5], x[5], &carry);
301  x[6] = word_sub(y[6], x[6], &carry);
302  x[7] = word_sub(y[7], x[7], &carry);
303  return carry;
304 #endif
305  }
void carry(int64_t &h0, int64_t &h1)
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word Botan::word8_sub3 ( word  z[8],
const word  x[8],
const word  y[8],
word  carry 
)
inline

Definition at line 310 of file mp_asmi.h.

References carry(), and word_sub().

Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_sub3(), and bigint_sub_abs().

312  {
313 #if defined(BOTAN_MP_USE_X86_32_ASM)
314  asm(
315  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbl"))
316  : [carry]"=r"(carry)
317  : [x]"r"(x), [y]"r"(y), [z]"r"(z), "0"(carry)
318  : "cc", "memory");
319  return carry;
320 
321 #elif defined(BOTAN_MP_USE_X86_64_ASM)
322 
323  asm(
324  ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
325  : [carry]"=r"(carry)
326  : [x]"r"(x), [y]"r"(y), [z]"r"(z), "0"(carry)
327  : "cc", "memory");
328  return carry;
329 
330 #else
331  z[0] = word_sub(x[0], y[0], &carry);
332  z[1] = word_sub(x[1], y[1], &carry);
333  z[2] = word_sub(x[2], y[2], &carry);
334  z[3] = word_sub(x[3], y[3], &carry);
335  z[4] = word_sub(x[4], y[4], &carry);
336  z[5] = word_sub(x[5], y[5], &carry);
337  z[6] = word_sub(x[6], y[6], &carry);
338  z[7] = word_sub(x[7], y[7], &carry);
339  return carry;
340 #endif
341  }
void carry(int64_t &h0, int64_t &h1)
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:209
word Botan::word_add ( word  x,
word  y,
word *  carry 
)
inline

Definition at line 107 of file mp_asmi.h.

References carry().

Referenced by bigint_add2_nc(), bigint_add3_nc(), bigint_cnd_abs(), bigint_cnd_add(), bigint_cnd_add_or_sub(), bigint_cnd_addsub(), word3_muladd_2(), word8_add2(), and word8_add3().

108  {
109 #if defined(BOTAN_MP_USE_X86_32_ASM)
110  asm(
111  ADD_OR_SUBTRACT(ASM("adcl %[y],%[x]"))
112  : [x]"=r"(x), [carry]"=r"(*carry)
113  : "0"(x), [y]"rm"(y), "1"(*carry)
114  : "cc");
115  return x;
116 
117 #elif defined(BOTAN_MP_USE_X86_64_ASM)
118 
119  asm(
120  ADD_OR_SUBTRACT(ASM("adcq %[y],%[x]"))
121  : [x]"=r"(x), [carry]"=r"(*carry)
122  : "0"(x), [y]"rm"(y), "1"(*carry)
123  : "cc");
124  return x;
125 
126 #else
127  word z = x + y;
128  word c1 = (z < x);
129  z += *carry;
130  *carry = c1 | (z < *carry);
131  return z;
132 #endif
133  }
void carry(int64_t &h0, int64_t &h1)
word Botan::word_madd2 ( word  a,
word  b,
word *  c 
)
inline

Definition at line 46 of file mp_madd.h.

References carry(), and mul64x64_128().

Referenced by bigint_linmul2(), bigint_linmul3(), bigint_modop(), word3_muladd(), word3_muladd_2(), word8_linmul2(), and word8_linmul3().

47  {
48 #if defined(BOTAN_MP_USE_X86_32_ASM)
49  asm(R"(
50  mull %[b]
51  addl %[c],%[a]
52  adcl $0,%[carry]
53  )"
54  : [a]"=a"(a), [b]"=rm"(b), [carry]"=&d"(*c)
55  : "0"(a), "1"(b), [c]"g"(*c) : "cc");
56 
57  return a;
58 
59 #elif defined(BOTAN_MP_USE_X86_64_ASM)
60  asm(R"(
61  mulq %[b]
62  addq %[c],%[a]
63  adcq $0,%[carry]
64  )"
65  : [a]"=a"(a), [b]"=rm"(b), [carry]"=&d"(*c)
66  : "0"(a), "1"(b), [c]"g"(*c) : "cc");
67 
68  return a;
69 
70 #elif defined(BOTAN_HAS_MP_DWORD)
71  const dword s = static_cast<dword>(a) * b + *c;
72  *c = static_cast<word>(s >> BOTAN_MP_WORD_BITS);
73  return static_cast<word>(s);
74 #else
75  static_assert(BOTAN_MP_WORD_BITS == 64, "Unexpected word size");
76 
77  word hi = 0, lo = 0;
78 
79  mul64x64_128(a, b, &lo, &hi);
80 
81  lo += *c;
82  hi += (lo < *c); // carry?
83 
84  *c = hi;
85  return lo;
86 #endif
87  }
void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition: mul128.h:85
void carry(int64_t &h0, int64_t &h1)
word Botan::word_madd3 ( word  a,
word  b,
word  c,
word *  d 
)
inline

Definition at line 92 of file mp_madd.h.

References carry(), and mul64x64_128().

Referenced by word8_madd3().

93  {
94 #if defined(BOTAN_MP_USE_X86_32_ASM)
95  asm(R"(
96  mull %[b]
97 
98  addl %[c],%[a]
99  adcl $0,%[carry]
100 
101  addl %[d],%[a]
102  adcl $0,%[carry]
103  )"
104  : [a]"=a"(a), [b]"=rm"(b), [carry]"=&d"(*d)
105  : "0"(a), "1"(b), [c]"g"(c), [d]"g"(*d) : "cc");
106 
107  return a;
108 
109 #elif defined(BOTAN_MP_USE_X86_64_ASM)
110  asm(R"(
111  mulq %[b]
112  addq %[c],%[a]
113  adcq $0,%[carry]
114  addq %[d],%[a]
115  adcq $0,%[carry]
116  )"
117  : [a]"=a"(a), [b]"=rm"(b), [carry]"=&d"(*d)
118  : "0"(a), "1"(b), [c]"g"(c), [d]"g"(*d) : "cc");
119 
120  return a;
121 
122 #elif defined(BOTAN_HAS_MP_DWORD)
123  const dword s = static_cast<dword>(a) * b + c + *d;
124  *d = static_cast<word>(s >> BOTAN_MP_WORD_BITS);
125  return static_cast<word>(s);
126 #else
127  static_assert(BOTAN_MP_WORD_BITS == 64, "Unexpected word size");
128 
129  word hi = 0, lo = 0;
130 
131  mul64x64_128(a, b, &lo, &hi);
132 
133  lo += c;
134  hi += (lo < c); // carry?
135 
136  lo += *d;
137  hi += (lo < *d); // carry?
138 
139  *d = hi;
140  return lo;
141 #endif
142  }
void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition: mul128.h:85
void carry(int64_t &h0, int64_t &h1)
word Botan::word_sub ( word  x,
word  y,
word *  carry 
)
inline

Definition at line 209 of file mp_asmi.h.

References carry().

Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_sub2(), bigint_sub2_rev(), bigint_sub3(), bigint_sub_abs(), word8_sub2(), word8_sub2_rev(), and word8_sub3().

210  {
211 #if defined(BOTAN_MP_USE_X86_32_ASM)
212  asm(
213  ADD_OR_SUBTRACT(ASM("sbbl %[y],%[x]"))
214  : [x]"=r"(x), [carry]"=r"(*carry)
215  : "0"(x), [y]"rm"(y), "1"(*carry)
216  : "cc");
217  return x;
218 
219 #elif defined(BOTAN_MP_USE_X86_64_ASM)
220 
221  asm(
222  ADD_OR_SUBTRACT(ASM("sbbq %[y],%[x]"))
223  : [x]"=r"(x), [carry]"=r"(*carry)
224  : "0"(x), [y]"rm"(y), "1"(*carry)
225  : "cc");
226  return x;
227 
228 #else
229  word t0 = x - y;
230  word c1 = (t0 > x);
231  word z = t0 - *carry;
232  *carry = c1 | (z > t0);
233  return z;
234 #endif
235  }
void carry(int64_t &h0, int64_t &h1)
bool Botan::x500_name_cmp ( const std::string &  name1,
const std::string &  name2 
)

Compare two names using the X.509 comparison algorithm

Parameters
name1the first name
name2the second name
Returns
true if name1 is the same as name2 by the X.509 comparison rules

Definition at line 212 of file parsing.cpp.

References Botan::Charset::caseless_cmp(), and Botan::Charset::is_space().

Referenced by operator<(), and operator==().

213  {
214  auto p1 = name1.begin();
215  auto p2 = name2.begin();
216 
217  while((p1 != name1.end()) && Charset::is_space(*p1)) ++p1;
218  while((p2 != name2.end()) && Charset::is_space(*p2)) ++p2;
219 
220  while(p1 != name1.end() && p2 != name2.end())
221  {
222  if(Charset::is_space(*p1))
223  {
224  if(!Charset::is_space(*p2))
225  return false;
226 
227  while((p1 != name1.end()) && Charset::is_space(*p1)) ++p1;
228  while((p2 != name2.end()) && Charset::is_space(*p2)) ++p2;
229 
230  if(p1 == name1.end() && p2 == name2.end())
231  return true;
232  if(p1 == name1.end() || p2 == name2.end())
233  return false;
234  }
235 
236  if(!Charset::caseless_cmp(*p1, *p2))
237  return false;
238  ++p1;
239  ++p2;
240  }
241 
242  while((p1 != name1.end()) && Charset::is_space(*p1)) ++p1;
243  while((p2 != name2.end()) && Charset::is_space(*p2)) ++p2;
244 
245  if((p1 != name1.end()) || (p2 != name2.end()))
246  return false;
247  return true;
248  }
bool caseless_cmp(char a, char b)
Definition: charset.cpp:275
bool is_space(char c)
Definition: charset.cpp:221
Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > &  end_certs,
const Path_Validation_Restrictions restrictions,
const std::vector< Certificate_Store * > &  trusted_roots,
const std::string &  hostname = "",
Usage_Type  usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point  validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds  ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::shared_ptr< const OCSP::Response >> &  ocsp_resp = {} 
)

PKIX Path Validation

Parameters
end_certscertificate chain to validate (with end entity certificate in end_certs[0])
restrictionspath validation restrictions
trusted_rootslist of certificate stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation note: when enabled, OCSP check is softfail by default: if the OCSP server is not reachable, Path_Validation_Result::successful_validation() will return true. Hardfail OCSP check can be achieve by also calling Path_Validation_Result::no_warnings().

Definition at line 846 of file x509path.cpp.

References Botan::PKIX::build_all_certificate_paths(), Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), Botan::PKIX::check_ocsp(), Botan::Path_Validation_Restrictions::max_ocsp_age(), Botan::PKIX::merge_revocation_status(), Botan::Path_Validation_Restrictions::minimum_key_strength(), Botan::Path_Validation_Restrictions::ocsp_all_intermediates(), OCSP_NO_HTTP, OK, Botan::Path_Validation_Restrictions::require_revocation_information(), and Botan::Path_Validation_Restrictions::trusted_hashes().

Referenced by botan_x509_cert_verify(), botan_x509_cert_verify_with_crl(), Botan::TLS::Callbacks::tls_verify_cert_chain(), and x509_path_validate().

855  {
856  if(end_certs.empty())
857  {
858  throw Invalid_Argument("x509_path_validate called with no subjects");
859  }
860 
861  std::shared_ptr<const X509_Certificate> end_entity(std::make_shared<const X509_Certificate>(end_certs[0]));
862  std::vector<std::shared_ptr<const X509_Certificate>> end_entity_extra;
863  for(size_t i = 1; i < end_certs.size(); ++i)
864  {
865  end_entity_extra.push_back(std::make_shared<const X509_Certificate>(end_certs[i]));
866  }
867 
868  std::vector<std::vector<std::shared_ptr<const X509_Certificate>>> cert_paths;
869  Certificate_Status_Code path_building_result = PKIX::build_all_certificate_paths(cert_paths, trusted_roots, end_entity, end_entity_extra);
870 
871  // If we cannot successfully build a chain to a trusted self-signed root, stop now
872  if(path_building_result != Certificate_Status_Code::OK)
873  {
874  return Path_Validation_Result(path_building_result);
875  }
876 
877  std::vector<Path_Validation_Result> error_results;
878  // Try validating all the potentially valid paths and return the first one to validate properly
879  for(auto cert_path : cert_paths)
880  {
882  PKIX::check_chain(cert_path, ref_time,
883  hostname, usage,
884  restrictions.minimum_key_strength(),
885  restrictions.trusted_hashes());
886 
887  CertificatePathStatusCodes crl_status =
888  PKIX::check_crl(cert_path, trusted_roots, ref_time);
889 
890  CertificatePathStatusCodes ocsp_status;
891 
892  if(ocsp_resp.size() > 0)
893  {
894  ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time, restrictions.max_ocsp_age());
895  }
896 
897  if(ocsp_status.empty() && ocsp_timeout != std::chrono::milliseconds(0))
898  {
899 #if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
900  ocsp_status = PKIX::check_ocsp_online(cert_path, trusted_roots, ref_time,
901  ocsp_timeout, restrictions.ocsp_all_intermediates());
902 #else
903  ocsp_status.resize(1);
904  ocsp_status[0].insert(Certificate_Status_Code::OCSP_NO_HTTP);
905 #endif
906  }
907 
908  PKIX::merge_revocation_status(status, crl_status, ocsp_status,
909  restrictions.require_revocation_information(),
910  restrictions.ocsp_all_intermediates());
911 
912  Path_Validation_Result pvd(status, std::move(cert_path));
913  if(pvd.successful_validation())
914  {
915  return pvd;
916  }
917  else
918  {
919  error_results.push_back(std::move(pvd));
920  }
921  }
922  return error_results[0];
923  }
CertificatePathStatusCodes check_chain(const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, std::chrono::system_clock::time_point ref_time, const std::string &hostname, Usage_Type usage, size_t min_signature_algo_strength, const std::set< std::string > &trusted_hashes)
Definition: x509path.cpp:32
void merge_revocation_status(CertificatePathStatusCodes &chain_status, const CertificatePathStatusCodes &crl_status, const CertificatePathStatusCodes &ocsp_status, bool require_rev_on_end_entity, bool require_rev_on_intermediates)
Definition: x509path.cpp:772
CertificatePathStatusCodes check_ocsp(const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store * > &certstores, std::chrono::system_clock::time_point ref_time, std::chrono::seconds max_ocsp_age=std::chrono::seconds::zero())
Definition: x509path.cpp:214
CertificatePathStatusCodes check_crl(const std::vector< std::shared_ptr< const X509_Certificate >> &cert_path, const std::vector< std::shared_ptr< const X509_CRL >> &crls, std::chrono::system_clock::time_point ref_time)
Definition: x509path.cpp:265
Certificate_Status_Code build_all_certificate_paths(std::vector< std::vector< std::shared_ptr< const X509_Certificate >>> &cert_paths, const std::vector< Certificate_Store * > &trusted_certstores, const std::shared_ptr< const X509_Certificate > &end_entity, const std::vector< std::shared_ptr< const X509_Certificate >> &end_entity_extra)
Definition: x509path.cpp:629
std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
Definition: x509path.h:29
Certificate_Status_Code
Definition: pkix_enums.h:17
Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate end_cert,
const Path_Validation_Restrictions restrictions,
const std::vector< Certificate_Store * > &  trusted_roots,
const std::string &  hostname = "",
Usage_Type  usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point  validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds  ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::shared_ptr< const OCSP::Response >> &  ocsp_resp = {} 
)

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
trusted_rootslist of stores that contain trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 925 of file x509path.cpp.

References x509_path_validate().

934  {
935  std::vector<X509_Certificate> certs;
936  certs.push_back(end_cert);
937  return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
938  }
Path_Validation_Result x509_path_validate(const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
Definition: x509path.cpp:956
Path_Validation_Result Botan::x509_path_validate ( const std::vector< X509_Certificate > &  end_certs,
const Path_Validation_Restrictions restrictions,
const Certificate_Store store,
const std::string &  hostname = "",
Usage_Type  usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point  validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds  ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::shared_ptr< const OCSP::Response >> &  ocsp_resp = {} 
)

PKIX Path Validation

Parameters
end_certscertificate chain to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_certs[0]
usageif not set to UNSPECIFIED, compared against the key usage in end_certs[0]
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 940 of file x509path.cpp.

References x509_path_validate().

949  {
950  std::vector<Certificate_Store*> trusted_roots;
951  trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
952 
953  return x509_path_validate(end_certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
954  }
Path_Validation_Result x509_path_validate(const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
Definition: x509path.cpp:956
Path_Validation_Result Botan::x509_path_validate ( const X509_Certificate end_cert,
const Path_Validation_Restrictions restrictions,
const Certificate_Store store,
const std::string &  hostname = "",
Usage_Type  usage = Usage_Type::UNSPECIFIED,
std::chrono::system_clock::time_point  validation_time = std::chrono::system_clock::now(),
std::chrono::milliseconds  ocsp_timeout = std::chrono::milliseconds(0),
const std::vector< std::shared_ptr< const OCSP::Response >> &  ocsp_resp = {} 
)

PKIX Path Validation

Parameters
end_certcertificate to validate
restrictionspath validation restrictions
storestore that contains trusted certificates
hostnameif not empty, compared against the DNS name in end_cert
usageif not set to UNSPECIFIED, compared against the key usage in end_cert
validation_timewhat reference time to use for validation
ocsp_timeouttimeout for OCSP operations, 0 disables OCSP check
ocsp_respadditional OCSP responses to consider (eg from peer)
Returns
result of the path validation

Definition at line 956 of file x509path.cpp.

References x509_path_validate().

965  {
966  std::vector<X509_Certificate> certs;
967  certs.push_back(end_cert);
968 
969  std::vector<Certificate_Store*> trusted_roots;
970  trusted_roots.push_back(const_cast<Certificate_Store*>(&store));
971 
972  return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
973  }
Path_Validation_Result x509_path_validate(const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, const std::string &hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_resp)
Definition: x509path.cpp:956
void Botan::xor_buf ( uint8_t  out[],
const uint8_t  in[],
size_t  length 
)
inline

XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length

Parameters
outthe input/output buffer
inthe read-only input buffer
lengththe length of the buffers

Definition at line 262 of file mem_ops.h.

References typecast_copy().

Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), aont_package(), aont_unpackage(), Botan::XMSS_WOTS_PublicKey::chain(), Botan::Salsa20::cipher(), Botan::RC4::cipher(), Botan::CTR_BE::cipher(), Botan::OFB::cipher(), Botan::SHAKE_128_Cipher::cipher(), Botan::ChaCha::cipher(), Botan::DESX::decrypt_n(), Botan::Lion::decrypt_n(), Botan::BlockCipher::decrypt_n_xex(), Botan::Block_Cipher_Fixed_Params< 8, 24 >::decrypt_n_xex(), Botan::DESX::encrypt_n(), Botan::Lion::encrypt_n(), Botan::BlockCipher::encrypt_n_xex(), Botan::Block_Cipher_Fixed_Params< 8, 24 >::encrypt_n_xex(), Botan::XTS_Encryption::finish(), Botan::EAX_Encryption::finish(), Botan::CCM_Encryption::finish(), Botan::XTS_Decryption::finish(), Botan::CTS_Encryption::finish(), Botan::OCB_Encryption::finish(), Botan::CCM_Decryption::finish(), Botan::OCB_Decryption::finish(), Botan::CTS_Decryption::finish(), mgf1_mask(), operator^(), Botan::OctetString::operator^=(), operator^=(), pbkdf2(), Botan::CFB_Encryption::process(), Botan::CBC_Encryption::process(), Botan::CBC_Decryption::process(), Botan::SIV_Mode::S2V(), and xor_buf().

265  {
266  const size_t blocks = length - (length % 32);
267 
268  for(size_t i = 0; i != blocks; i += 32)
269  {
270  uint64_t x[4];
271  uint64_t y[4];
272 
273  typecast_copy(x, out + i, 4);
274  typecast_copy(y, in + i, 4);
275 
276  x[0] ^= y[0];
277  x[1] ^= y[1];
278  x[2] ^= y[2];
279  x[3] ^= y[3];
280 
281  typecast_copy(out + i, x, 4);
282  }
283 
284  for(size_t i = blocks; i != length; ++i)
285  {
286  out[i] ^= in[i];
287  }
288  }
To typecast_copy(const From *src) noexcept
Definition: mem_ops.h:168
void Botan::xor_buf ( uint8_t  out[],
const uint8_t  in[],
const uint8_t  in2[],
size_t  length 
)
inline

XOR arrays. Postcondition out[i] = in[i] ^ in2[i] forall i = 0...length

Parameters
outthe output buffer
inthe first input buffer
in2the second output buffer
lengththe length of the three buffers

Definition at line 297 of file mem_ops.h.

References typecast_copy().

301  {
302  const size_t blocks = length - (length % 32);
303 
304  for(size_t i = 0; i != blocks; i += 32)
305  {
306  uint64_t x[4];
307  uint64_t y[4];
308 
309  typecast_copy(x, in + i, 4);
310  typecast_copy(y, in2 + i, 4);
311 
312  x[0] ^= y[0];
313  x[1] ^= y[1];
314  x[2] ^= y[2];
315  x[3] ^= y[3];
316 
317  typecast_copy(out + i, x, 4);
318  }
319 
320  for(size_t i = blocks; i != length; ++i)
321  {
322  out[i] = in[i] ^ in2[i];
323  }
324  }
To typecast_copy(const From *src) noexcept
Definition: mem_ops.h:168
template<typename Alloc , typename Alloc2 >
void Botan::xor_buf ( std::vector< uint8_t, Alloc > &  out,
const std::vector< uint8_t, Alloc2 > &  in,
size_t  n 
)

Definition at line 327 of file mem_ops.h.

References xor_buf().

330  {
331  xor_buf(out.data(), in.data(), n);
332  }
void xor_buf(std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
Definition: mem_ops.h:343
template<typename Alloc >
void Botan::xor_buf ( std::vector< uint8_t, Alloc > &  out,
const uint8_t *  in,
size_t  n 
)

Definition at line 335 of file mem_ops.h.

References xor_buf().

338  {
339  xor_buf(out.data(), in, n);
340  }
void xor_buf(std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
Definition: mem_ops.h:343
template<typename Alloc , typename Alloc2 >
void Botan::xor_buf ( std::vector< uint8_t, Alloc > &  out,
const uint8_t *  in,
const std::vector< uint8_t, Alloc2 > &  in2,
size_t  n 
)

Definition at line 343 of file mem_ops.h.

References xor_buf().

347  {
348  xor_buf(out.data(), in, in2.data(), n);
349  }
void xor_buf(std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n)
Definition: mem_ops.h:343
template<typename T , typename Alloc >
void Botan::zap ( std::vector< T, Alloc > &  vec)
template<typename T , typename Alloc >
void Botan::zeroise ( std::vector< T, Alloc > &  vec)

Variable Documentation

BOTAN_FUNC_ISA ("avx2") void SHACAL2 SIMD_8x32 Botan::A = SIMD_8x32::load_be(in)
const std::map<const std::string, std::vector<std::string> > Botan::allowed_signature_paddings
Initial value:
=
{
{ "DSA", {"EMSA1"} },
{ "ECDSA", {"EMSA1"} },
{ "ECGDSA", {"EMSA1"} },
{ "ECKCDSA", {"EMSA1"} },
{ "GOST-34.10", {"EMSA1"} },
{ "GOST-34.10-2012-256", {"EMSA1"} },
{ "GOST-34.10-2012-512", {"EMSA1"} },
{ "RSA", {"EMSA4", "EMSA3"} },
}

Definition at line 20 of file padding.cpp.

SIMD_8x32 Botan::B = SIMD_8x32::load_be(in+32)
SIMD_8x32 Botan::C = SIMD_8x32::load_be(in+64)
const uint32_t Botan::CAST_SBOX1[256]

Definition at line 15 of file cast_sboxes.h.

const uint32_t Botan::CAST_SBOX2[256]

Definition at line 60 of file cast_sboxes.h.

const uint32_t Botan::CAST_SBOX3[256]

Definition at line 105 of file cast_sboxes.h.

const uint32_t Botan::CAST_SBOX4[256]

Definition at line 150 of file cast_sboxes.h.

SIMD_8x32 Botan::D = SIMD_8x32::load_be(in+96)
const uint32_t Botan::DES_SPBOX1

Definition at line 12 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX2

Definition at line 57 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX3

Definition at line 102 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX4

Definition at line 147 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX5

Definition at line 192 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX6

Definition at line 237 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX7

Definition at line 282 of file des_tab.cpp.

const uint32_t Botan::DES_SPBOX8

Definition at line 327 of file des_tab.cpp.

SIMD_8x32 Botan::E = SIMD_8x32::load_be(in+128)
SIMD_8x32 Botan::F = SIMD_8x32::load_be(in+160)
SIMD_8x32 Botan::G = SIMD_8x32::load_be(in+192)
SIMD_8x32 Botan::H = SIMD_8x32::load_be(in+224)
const size_t Botan::HEX_CODEC_BUFFER_SIZE = 256

Size used for internal buffer in hex encoder/decoder

Definition at line 18 of file hex_filt.cpp.

const uint32_t * Botan::input32 = reinterpret_cast<const uint32_t*>(reinterpret_cast<const void*>(input8))

Definition at line 62 of file sm4_armv8.cpp.

void BOTAN_FUNC_ISA ("arch=armv8.2-a+sm4") SM4 const uint32x4_t Botan::K1 = vld1q_u32(&m_RK[ 4])

Definition at line 54 of file sm4_armv8.cpp.

const uint32x4_t Botan::K2 = vld1q_u32(&m_RK[ 8])

Definition at line 55 of file sm4_armv8.cpp.

const uint32x4_t Botan::K3 = vld1q_u32(&m_RK[12])

Definition at line 56 of file sm4_armv8.cpp.

const uint32x4_t Botan::K4 = vld1q_u32(&m_RK[16])

Definition at line 57 of file sm4_armv8.cpp.

const uint32x4_t Botan::K5 = vld1q_u32(&m_RK[20])

Definition at line 58 of file sm4_armv8.cpp.

const uint32x4_t Botan::K6 = vld1q_u32(&m_RK[24])

Definition at line 59 of file sm4_armv8.cpp.

const uint32x4_t Botan::K7 = vld1q_u32(&m_RK[28])

Definition at line 60 of file sm4_armv8.cpp.

const word Botan::MP_WORD_MAX = ~static_cast<word>(0)

Definition at line 22 of file mp_core.h.

Referenced by monty_inverse(), redc_p521(), and vartime_divide().

uint32_t * Botan::output32 = reinterpret_cast<uint32_t*>(reinterpret_cast<void*>(output8))

Definition at line 63 of file sm4_armv8.cpp.

const size_t Botan::PRIME_TABLE_SIZE = 6541

The size of the PRIMES[] array

Definition at line 287 of file numthry.h.

Referenced by Botan::DL_Group::DL_Group(), is_prime(), and random_prime().

const uint16_t Botan::PRIMES

A const array of all odd primes less than 65535

Definition at line 12 of file primes.cpp.

Referenced by Botan::DL_Group::DL_Group(), is_prime(), and random_prime().

const uint64_t Botan::STREEBOG_Ax

Definition at line 34 of file streebog_precalc.cpp.

const uint64_t Botan::STREEBOG_C

Definition at line 742 of file streebog_precalc.cpp.